Sniffing GSM900 and DCS1800

Warning

Note: grgsm_capture wants an integer PPM value, not a float.

HRF (HackRF): the default sample rate of 1M is fine; decoding fails with a sample rate of 2M.

RTL (RTL-SDR): nothing comes out at 299e3. The next available sample rate is 901e3.

    # --samp-rate=901e3

Capture downlink

    mkdir -p ~/capture/
    cd ~/capture/

    echo $arfcn
    echo $ppm

    # RTL
    grgsm_capture --arfcn=$arfcn --freq-corr="$ppm" --rec-length=10 \
        --args=rtl=0 --gain=34 --cfile=$arfcn.cfile
        # --gain=42
    ls -lhF $arfcn.cfile

    # HRF
    grgsm_capture --arfcn=$arfcn --freq-corr="$ppm" --rec-length=10 \
        --args=hackrf=0 --if-gain=40 --bb-gain=24 $arfcn.cfile
        # FAILS --samp-rate=2e6
    ls -lhF $arfcn.cfile   # 10s 77M
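Added helper, not part of the original notes or of gr-gsm itself: before spending a recording on the wrong channel, check the variables the capture commands above depend on. It classifies an ARFCN into its band (P-GSM/E-GSM 900 or DCS 1800) and computes the downlink carrier frequency from the 3GPP TS 45.005 channel numbering, rounds a float PPM estimate to the integer grgsm_capture expects, and predicts how large a complex-float32 `.cfile` should be for a given sample rate and recording length (8 bytes per sample, which is where the "10s 77M" above comes from). The ARFCN and PPM values in the usage lines at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added helper (not from the original notes, not from gr-gsm): sanity checks for
# $arfcn, $ppm and the resulting capture file. No SDR is touched here.

# Band an ARFCN belongs to, per 3GPP TS 45.005 channel numbering.
# Prints GSM900 / EGSM900 / DCS1800, or UNKNOWN with a non-zero status.
arfcn_band() {
    n=$1
    if [ "$n" -ge 0 ] && [ "$n" -le 124 ]; then echo GSM900
    elif [ "$n" -ge 975 ] && [ "$n" -le 1023 ]; then echo EGSM900
    elif [ "$n" -ge 512 ] && [ "$n" -le 885 ]; then echo DCS1800
    else echo UNKNOWN; return 1
    fi
}

# Downlink carrier frequency in kHz (uplink + 45 MHz for GSM900, + 95 MHz
# for DCS1800), computed in integer kHz so plain POSIX sh arithmetic suffices.
arfcn_to_downlink_khz() {
    n=$1
    case $(arfcn_band "$n") in
        GSM900)  echo $((935000 + 200 * n)) ;;
        EGSM900) echo $((935000 + 200 * (n - 1024))) ;;
        DCS1800) echo $((1805200 + 200 * (n - 512))) ;;
        *)       return 1 ;;
    esac
}

# grgsm_capture wants an integer PPM: round a float estimate half away from zero.
ppm_int() {
    awk -v p="$1" 'BEGIN { printf "%d\n", (p < 0) ? int(p - 0.5) : int(p + 0.5) }'
}

# Expected size of a complex-float32 capture: samples/s * seconds * 8 bytes.
expected_cfile_bytes() {
    awk -v r="$1" -v s="$2" 'BEGIN { printf "%d\n", r * s * 8 }'
}

# check_cfile_size FILE SAMPLE_RATE SECONDS: succeed if the file is within 5 %
# of the expected size, which catches a capture that was cut short or recorded
# at a different sample rate than the one you will pass to grgsm_decode.
check_cfile_size() {
    actual=$(wc -c < "$1")
    expect=$(expected_cfile_bytes "$2" "$3")
    awk -v a="$actual" -v e="$expect" \
        'BEGIN { d = a - e; if (d < 0) d = -d; exit (d > e * 0.05) }'
}

# Usage with constructed values (a P-GSM 900 channel and a made-up PPM estimate).
arfcn=${arfcn:-17}
ppm=$(ppm_int "${ppm:-23.6}")
echo "ARFCN $arfcn: band $(arfcn_band "$arfcn"), downlink $(arfcn_to_downlink_khz "$arfcn") kHz, ppm=$ppm"
echo "a 10 s capture at 1e6 S/s should be about $(expected_cfile_bytes 1e6 10) bytes"
```

After a capture, `check_cfile_size $arfcn.cfile 1e6 10 || echo "short or wrong-rate capture"` tells you whether the file matches the sample rate you intend to decode with, before you spend time staring at inspectrum.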

Older syntax:

    --ppm=
    --cfile=

You can now inspect the capture and visually check whether you are right in the middle of the targeted 2G channel.

    inspectrum --rate 1e6 $arfcn.cfile
    # --rate 2e6

BCCH timeslot 0

    wireshark -k -Y '!icmp && gsmtap' -i lo &
    # '!icmp && !tcp && !mdns'

    echo $arfcn

    grgsm_decode --mode=BCCH --timeslot=0 --cfile=$arfcn.cfile -v --arfcn=$arfcn
    # --samp-rate=2e6

    slot=
    sub=

SDCCH/8 timeslot X subslot Y

    echo $arfcn
    echo $slot
    echo $sub

    grgsm_decode --cfile=$arfcn.cfile --arfcn=$arfcn --mode=SDCCH8 \
        --timeslot=$slot --subslot=$sub --print-bursts > $arfcn.${slot}S$sub

    wc -l $arfcn.${slot}S$sub

Getting a PCAP instead

Instead of reviewing the frames in Wireshark, you might prefer tshark. For that you have two options: tcpdump

    tcpdump -i lo -w 0C.pcap &
    grgsm_decode ...
    pkill tcpdump && echo killed

or Wireshark: stop the capture and save it as PCAPNG

    STOP
    Save As...      $arfcn.0C.pcapng

As a result you can use handy filters from the command line

    tshark -r 0C7S.pcap -Y 'FILTER' -V
    # -2 -R 'FILTER'

A5/1 Cracking

Once you've gone through the painful process of cracking A5/1:

    grgsm_decode --cfile=$arfcn.hrf.cfile --arfcn=$arfcn --mode=SDCCH8 \
        --timeslot=$slot --subslot=$sub --a5=1 --kc=KEY-HERE

TODO - features

Troubles

Aug 14, 2016 grgsm_capture.py sample rate error #208 https://github.com/ptrkrysik/gr-gsm/issues/208

Aug 16, 2015 Recording traffic data #114 https://github.com/ptrkrysik/gr-gsm/issues/114

Jun 20, 2015 Code refactoring from other projects (Osmocom, OpenBTS…) #70 https://github.com/ptrkrysik/gr-gsm/issues/70

Resources

https://git.osmocom.org/gr-gsm/about/

https://osmocom.org/projects/gr-gsm/wiki/Gr-gsm’s_wiki

https://github.com/ptrkrysik/gr-gsm/wiki/Usage

gr-gsm mailing-list https://groups.google.com/forum/#!forum/gr-gsm

https://lists.osmocom.org/mailman/listinfo/gr-gsm

Um interface https://en.wikipedia.org/wiki/Um_interface

Sniffing GSM traffic with HackRF. https://z4ziggy.wordpress.com/2015/05/17/sniffing-gsm-traffic-with-hackrf/

GSM Hacking Part 1: Scanning and sniffing GSM networks with SDR https://www.bbsmax.com/A/Gkz1okPZ5R/


Copyright © 2024 Pierre-Philipp Braun