multirtl | hackrf-sox & channelize | hopping
First make sure you’ve got a valid broadcast capture by decoding BCCH
wireshark -k -Y 'gsm_a.dtap.msg_rr_type == 0x3f' -i lo &   # 0x3f = Immediate Assignment
grgsm_decode -a $arfcn -m BCCH -t 0 -c CFILE
grgsm_decode -a 673 -m BCCH -t 0 -c tele2hop.hrf/out_673.cfile #-s $rate --ppm=$ppm
Then check whether some frames get through on the dedicated control channel even without following the hopping; that does happen (probably thanks to the heavy-duty error correction, as Sylvain M. suggested)
!icmp && !tcp && !mdns
grgsm_decode -a $arfcn -m SDCCH8 -t $slot -c CFILE
grgsm_decode -a 673 -m SDCCH8 -t 1 -c tele2hop.hrf/out_673.cfile
Also check the very subchannel you would be targeting according to the IA (Immediate Assignment), and add
-u 0
to grgsm_decode, or further tune with the wireshark filter
gsmtap.sub_slot == 0
Grab the GRC template
wget https://github.com/ptrkrysik/examples/raw/master/frequency_hopping/airprobe_rtlsdr_multi.grc
wget https://github.com/ptrkrysik/examples/raw/master/frequency_hopping/grgsm_hopping_example.grc
#https://raw.githubusercontent.com/ptrkrysik/examples/...
gnuradio-companion grgsm_hopping_example.grc
and tune many things:
fc – frequency corresponding to ARFCN1
sample_rate – same as the capture, or the channelized rate (1M) [number]
Note: ARFCN order+order or disorder+disorder works here on Tele2
Run while watching the frames live
#gsmtap && !icmp
!icmp && !tcp && !mdns
gsmtap.sub_slot == 0 && !icmp
and look more precisely for SI5, SI6, idling frames and Ciphering Mode Command
gsm_a.dtap.msg_rr_type == 0x35 && !icmp   # 0x35 = Ciphering Mode Command
#gsm_a.rr.algorithm_identifier == 0 && !icmp
#gsm_a.rr.SC == 1
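The filters above (sub-slot, RR message type, SC bit, algorithm identifier) can also be replayed offline on the GSMTAP packets gr-gsm sends to Wireshark. The following Python is an added example written for these notes, not code from gr-gsm or the original author: it parses the GSMTAP v2 header as laid out in Osmocom's gsmtap.h, walks through the L2 pseudo-length or LAPDm header down to the RR message type, and evaluates "field == value" conditions named after the Wireshark fields used on this page. The five sample packets are hand-constructed (Immediate Assignment on CCCH, an idle LAPDm fill frame, a Ciphering Mode Command, SI5 on SACCH, an uplink Ciphering Mode Complete), not real captures; ARFCN 673 is just the value used in the commands above.

```python
"""Offline GSMTAP frame parser that replays the Wireshark display filters from these notes.
Constructed example, not gr-gsm code; the sample packets are hand-built, not real captures."""
import struct
from dataclasses import dataclass
from typing import Optional

# GSMTAP v2 header (Osmocom gsmtap.h), 16 bytes, network byte order:
# version, hdr_len (32-bit words), type, timeslot, arfcn+flags, signal_dbm,
# snr_db, frame_number, sub_type, antenna_nr, sub_slot, res
GSMTAP_HDR = struct.Struct("!BBBBHbBIBBBB")
GSMTAP_VERSION = 2
GSMTAP_TYPE_UM = 0x01
GSMTAP_ARFCN_F_UPLINK = 0x4000
GSMTAP_ARFCN_MASK = 0x3FFF
GSMTAP_CHANNEL_ACCH = 0x80            # flag bit: block came on this channel's SACCH
CHANNEL_NAMES = {1: "BCCH", 2: "CCCH", 4: "AGCH", 5: "PCH", 6: "SDCCH",
                 7: "SDCCH4", 8: "SDCCH8", 9: "TCH/F", 10: "TCH/H"}
CCCH_LIKE = {1, 2, 4, 5}              # 23-byte blocks with an L2 pseudo-length, no LAPDm header
PD_RR = 0x06                          # protocol discriminator: Radio Resource management
RR_MSG_NAMES = {0x3F: "Immediate Assignment", 0x35: "Ciphering Mode Command",
                0x32: "Ciphering Mode Complete", 0x1D: "System Information 5",
                0x1E: "System Information 6"}
CIPHER_ALGO_NAMES = {0: "A5/1", 1: "A5/2", 2: "A5/3"}


@dataclass
class GsmtapFrame:
    timeslot: int
    arfcn: int
    uplink: bool
    frame_number: int
    channel: str
    sacch: bool
    sub_slot: int
    idle: bool                        # LAPDm fill frame: no L3 message inside
    pd: Optional[int]
    rr_msg_type: Optional[int]        # what Wireshark shows as gsm_a.dtap.msg_rr_type
    cipher_sc: Optional[int]          # Cipher Mode Setting, SC bit (1 = start ciphering)
    cipher_algo: Optional[int]        # Cipher Mode Setting, algorithm identifier (0 = A5/1)


def parse_gsmtap(pkt: bytes) -> GsmtapFrame:
    """Decode one GSMTAP v2 Um packet down to the RR message type."""
    (ver, hdr_len, typ, ts, arfcn_raw, _sig, _snr, fn,
     sub_type, _ant, sub_slot, _res) = GSMTAP_HDR.unpack_from(pkt)
    if ver != GSMTAP_VERSION or typ != GSMTAP_TYPE_UM:
        raise ValueError("not a GSMTAP v2 Um frame")
    payload = pkt[hdr_len * 4:]
    sacch = bool(sub_type & GSMTAP_CHANNEL_ACCH)
    chan = sub_type & 0x7F
    if sacch:
        payload = payload[2:]         # SACCH blocks start with a 2-byte L1 header (power, TA)
    idle, l3 = False, b""
    if chan in CCCH_LIKE:
        l3 = payload[1:]              # byte 0 is the L2 pseudo-length
    elif len(payload) >= 3:
        # LAPDm header: address, control, length indicator (length<<2 | M<<1 | EL)
        l3_len = payload[2] >> 2
        idle = l3_len == 0
        l3 = payload[3:3 + l3_len]
    pd = l3[0] & 0x0F if len(l3) >= 1 else None
    rr_type = l3[1] if pd == PD_RR and len(l3) >= 2 else None
    sc = algo = None
    if rr_type == 0x35 and len(l3) >= 3:   # Cipher Mode Setting half-octet of the command
        sc = l3[2] & 0x01
        algo = (l3[2] >> 1) & 0x07
    return GsmtapFrame(ts, arfcn_raw & GSMTAP_ARFCN_MASK, bool(arfcn_raw & GSMTAP_ARFCN_F_UPLINK),
                       fn, CHANNEL_NAMES.get(chan, f"chan{chan}"), sacch, sub_slot,
                       idle, pd, rr_type, sc, algo)


FIELDS = {                            # Wireshark field name -> accessor on GsmtapFrame
    "gsmtap.timeslot": lambda f: f.timeslot,
    "gsmtap.sub_slot": lambda f: f.sub_slot,
    "gsmtap.arfcn": lambda f: f.arfcn,
    "gsm_a.dtap.msg_rr_type": lambda f: f.rr_msg_type,
    "gsm_a.rr.SC": lambda f: f.cipher_sc,
    "gsm_a.rr.algorithm_identifier": lambda f: f.cipher_algo,
}


def matches(frame: GsmtapFrame, conds: dict) -> bool:
    """AND of 'field == value' terms, the way the display filters in these notes are used."""
    return all(FIELDS[k](frame) == v for k, v in conds.items())


def filter_frames(pkts, conds: dict):
    return [f for f in map(parse_gsmtap, pkts) if matches(f, conds)]


def describe(f: GsmtapFrame) -> str:
    what = "idle fill frame" if f.idle else RR_MSG_NAMES.get(f.rr_msg_type, f"RR type {f.rr_msg_type}")
    if f.rr_msg_type == 0x35:
        what += f" (SC={f.cipher_sc}, {CIPHER_ALGO_NAMES.get(f.cipher_algo, f.cipher_algo)})"
    chan = f.channel + ("/SACCH" if f.sacch else "")
    return f"FN {f.frame_number} ARFCN {f.arfcn} ts{f.timeslot}/ss{f.sub_slot} {chan} {'UL' if f.uplink else 'DL'}: {what}"


def build_frame(timeslot, arfcn, fn, sub_type, sub_slot, block: bytes, uplink=False) -> bytes:
    """Wrap a (constructed) 23-byte L2 block in a GSMTAP v2 Um header; 0x2B is the LAPDm fill octet."""
    if uplink:
        arfcn |= GSMTAP_ARFCN_F_UPLINK
    return GSMTAP_HDR.pack(GSMTAP_VERSION, 4, GSMTAP_TYPE_UM, timeslot, arfcn, -70, 0,
                           fn, sub_type, 0, sub_slot, 0) + block.ljust(23, b"\x2b")


SAMPLE_PACKETS = [  # constructed test data, not captured traffic
    build_frame(0, 673, 100_000, 2, 0, bytes([0x2D, 0x06, 0x3F, 0x00])),          # Immediate Assignment, CCCH
    build_frame(1, 673, 100_051, 8, 2, bytes([0x01, 0x03, 0x01])),                # idle fill frame, SDCCH8 ss2
    build_frame(1, 673, 100_102, 8, 0, bytes([0x03, 0x00, 0x0D, 0x06, 0x35, 0x01])),  # Ciphering Mode Cmd, SC=1, A5/1
    build_frame(1, 673, 100_153, 8 | GSMTAP_CHANNEL_ACCH, 0,
                bytes([0x00, 0x00, 0x03, 0x03, 0x49, 0x06, 0x1D])),                # SI5 on SACCH (L1 hdr first)
    build_frame(1, 673, 100_204, 8, 0, bytes([0x01, 0x00, 0x09, 0x06, 0x32]), uplink=True),  # Ciphering Mode Complete
]

if __name__ == "__main__":
    for f in filter_frames(SAMPLE_PACKETS, {"gsmtap.sub_slot": 0}):
        print(describe(f))
```

Running it lists only the sub-slot 0 frames, which is what gsmtap.sub_slot == 0 leaves in Wireshark; combining gsm_a.dtap.msg_rr_type, gsm_a.rr.SC and gsm_a.rr.algorithm_identifier in one conditions dict reproduces the commented filters above for the Ciphering Mode Command.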
examples/frequency_hopping/
https://github.com/ptrkrysik/examples/tree/master/frequency_hopping
13 Feb 2019 - Frequency hopping
https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/gr-gsm/0VgwCrHmb_M/Xe7iznuHCwAJ
-> connect C0 if BCCH is part of the ARFCN list
-> channelized sample rate needs to be multiple of wide band sample rate
-> USRP wideband capture -> channelize -> smaller decoding sample rate e.g. 800e3
28 Aug 2018 - hopping channel
https://groups.google.com/forum/#!topic/gr-gsm/ueyCxh3sZUY
Sep 4, 2017 - Decrypt SMS on hopping SDCCH8 channel #328
https://github.com/ptrkrysik/gr-gsm/issues/328
-> CM Service Request shows called TMSI
Oct 17 2016 - Russian style troubleshooting
https://dmyt.ru/forum/viewtopic.php?t=1726
Jul 21, 2015 - uplink-decoding #94
https://github.com/ptrkrysik/gr-gsm/issues/94
-> issues with hopping on uplink
-> TSEQ
15/06/2017 - Immediate Assignment with hopping
https://groups.google.com/forum/#!topic/gr-gsm/jDHG6X5gOqA
-> no chance with Packet Channel Description
Aug 9, 2015 - Channel hopping improvements #105
https://github.com/ptrkrysik/gr-gsm/issues/105
May 18, 2015 - Proposal: channel hopping #51
https://github.com/ptrkrysik/gr-gsm/issues/51
-> sample hopping
-> step by step process with grc blocks
GSM receiver with gr-gsm and Wireshark https://sourceforge.isae.fr/projects/ralf/wiki/GSM_receiver_with_gr-gsm_and_Wireshark
Page 19 / Layers https://www.etsi.org/deliver/etsi_gts/05/0501/05.04.00_60/gsmts_0501v050400p.pdf
Page 12 / TSEQ & Page 15 / MAIO https://www.etsi.org/deliver/etsi_gts/05/0502/05.00.00_60/gsmts_0502v050000p.pdf
Training sequence in a GSM frame? https://electronics.stackexchange.com/questions/122257/training-sequence-in-a-gsm-frame
Page 117 Hopping http://www.qtc.jp/3GPP/Specs/34123-3-530.pdf