Top Banner
gsm The GSM Software Project CURRENT ACTIVITIES (2008-04-04): 1. Merging gsmsp's channel decoding and gsmdecode into gsm-tvoid (2008-04-04 DONE) 1. Implementing channel hopping on USRP chip Contenuti LICENSE 1. About What we want to do 1. Who we are 2. Howto use this site 3. Contact 4. Legal Issues 5. 2. NEWS 3. The Projects The GSM Receiver Project 1. The GSM Sending and Channel Hopping Project 2. The OpenTsm Project 3. The A5 Cracking Project 4. The GSM Decoding Project 5. The Debug Trace Project 6. The SimCom Trace Project 7. The UMTS/3G Project 8. The SIM Tookit Research Project 9. 4. The GSM/USRP Receiver Project Priorities 1. Wanted 2. Different approaches 3. Project Stages and Schedule Receiving Stages 1. Tips and Tricks 2. 4. Hardware requirements / Where to buy 5. First Steps Understanding GSM 1. Beginners Guide to GSM in MatLab 2. 6. 5. gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject 1 di 35 12/08/2008 11.14
35

Gsm Scanner

Apr 11, 2015

Download

Documents

api-26400509
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: Gsm Scanner

gsm

The GSM Software Project

CURRENT ACTIVITIES (2008-04-04):

1. Merging gsmsp's channel decoding and gsmdecode into

gsm-tvoid (2008-04-04 DONE)

1. Implementing channel hopping on USRP chip

Contenuti

LICENSE1.About

What we want to do1.Who we are2.Howto use this site3.Contact4.Legal Issues5.

2.

NEWS3.The Projects

The GSM Receiver Project1.The GSM Sending and Channel Hopping Project2.The OpenTsm Project3.The A5 Cracking Project4.The GSM Decoding Project5.The Debug Trace Project6.The SimCom Trace Project7.The UMTS/3G Project8.The SIM Tookit Research Project9.

4.

The GSM/USRP Receiver ProjectPriorities1.Wanted2.Different approaches3.Project Stages and Schedule

Receiving Stages1.Tips and Tricks2.

4.

Hardware requirements / Where to buy5.First Steps

Understanding GSM1.Beginners Guide to GSM in MatLab2.

6.

5.

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

1 di 35 12/08/2008 11.14

Page 2: Gsm Scanner

Analyzing GSM data in Octave by Piotr3.Analyzing BS signals with Gnu Radio4.Challenge 1

Tore's results1.Frank J.'s results2.SignalScamp's results3.

5.

OT460 Trace Mobile - An Excursion6.Installing GnuRadio / Cygwin7.NetMonitor8.BTS searching by Robert9.Build your own Antenna - by Robert10.

Design Proposal7.ISI, Timing Recovery and others8.Viterbi and Channel Estimation and Equalization9.The Nokia Approach

Decoding SMS1.Decoding TCH2.

10.

The Ericcson TEMS Approach11.The Vitel TSM30 Approach12.The MADos Approach13.Mysteries

Mystery 1: TMSI f1.Mystery 2: Unknown RRM 06 072.Mystery: Pseudo Length 0 but data3.

14.

Converting ARFCN to Frequency15.RELEASES

Tips and Tricks1.Sample Data for peoples without USRP2.Developer Source Code Access3.GSSM4.GSM tvoid5.GSMSP6.Gsmdecode7.

6.

HELPDonations1.Who can help2.How to help3.

7.

LinksSimiliar Projects1.Specs & Docs2.Suggested reading3.Hardware4.

8.

1. LICENSE

GSM Software Project License

Version 1, January 2007

All code, information or data [from now on "data"]

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

2 di 35 12/08/2008 11.14

Page 3: Gsm Scanner

available from the GSM Software Project or any other

project linked from this or other pages is owned by the

creator who created the data. The copyright, license

right, distribution right and any other rights lies with

the creator.

It is prohibitied to use the data without the written

agreement of the creator. This included using ideas in

other projects (commercial or not commercial).

Where data was created by more than 1 creator a written

agreement from each of the creators has to be obtained.

If the creator decides to release the data under a

difference license (like GPL) then he is free to do so.

This license is for all data not covered by a license.

Please contact steve [at] segfault.net for any questions.

2. About

2.1. What we want to do

We want to bring together all the folks that are interested in building a gsm receiver.

GSM is the worlds largest mobile phone standard. GSM 2.5 is currently in use and somecountries are (slowly) migrating to GSM 3 (3G, UMTS, ..).

Available GSM analyzer cost a shitload of money for no good reason. Our goal is to build aGSM analyzer for less than $1000.

From there we have an unlimited number of possibilties of what we can do:

Understand GSM and verify the implementation and what kind of data is flyingthrough the ether.

1.

Analyzing debug traces from dct3 mobiles See DCT3 Debug Trace Project.2.Track/Locate a gsm mobile. This can be done with just 1 GSMSP receiver.3.Crack A5 and proof to the public that GSM is insecure. See A5 Cracking Project.4.Create our own baby cells. Imagine running your own BaseStation in your house,university campus, convention or local area. Calling inside the baby cell would befree and calling others via an asterisk/skype gateway would be extremly cheap.

5.

Analyze and learn about OTA messages that the operator use to upgrade our phones(without our knowledge). (That's sim toolkit, ringtones, logos, ...)

6.

We can detect if a GSM MitM attack is happening in our area. (e.g. we can detect ifsomebody else is sniffing a conversation in a 7+ miles radius).

7.

A seperate Project is designing their own RF board to receive GSM signals. Please take alook at http://wiki.thc.org/gsm/rfboard.

2.2. Who we are

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

3 di 35 12/08/2008 11.14

Page 4: Gsm Scanner

This is a research project by people who feel passionate about GSM and gnuradio. Westarted this because we could not find a site where people can share ideas about homebuildGSM receivers/scanners and we think gsm software receivers are a cool thing to have. AndDECT too...

2.3. Howto use this site

There is a mailinglist for discussions. To subscribe send an empty email [email protected] .

To retrieve an archive please send a mail to [email protected] for the last 30messages. Please read the ezmlm howto for other commands.

Please feel free to edit this page and add your comments and ideas. Please start yourcomments with "(yyyy/mm/dd, name, comment here)".

Use our web-share at http://www.segfault.net/gsm/resources to upload and share files withothers.

There are some photos online at http://wiki.thc.org/gsm/photos.

2.4. Contact

I can be reached at steve at segfault.net. (PGP Key)

Some of us are hanging out on the freenode IRC channel #gnuradio and #gsm.

2.5. Legal Issues

I have consulted a lawyer in London to find out if what we do is legal or not. These are theresults:

There is no direct law that forbids what we are doing (Companies like Nokia and Sagemare doing exactly the same: Manufacturing GSM scanners that anyone can buy). Theseare the legal implications in UK:

Security Research in general is not forbidden.1.Designing a GSM receiver is ALLOWED (Nokia does it. Sagem does it).2.Publishing the design/research is ALLOWED.3.Receiving GSM signals is ALLOWED.4.Decoding (e.g. cracking) your own GSM signals is ALLOWED5.Decoding somebodys else GSM signals is NOT allowed (DANGER).6.Setting up a baby cell is allowed if you aquire a license (Any bank building in CanaryWarf/London runs its own GSM baby cell).

7.

The bottom line is: Publishing the research is ok. As long as you receive your own trafficand only send after you got the license you are on good ground.

This is based on UK law. European law is similiar (if not more relaxed). USA law might becompletly different and I highly advice to check with a lawyer. If you do so please let meknow the results.

3. NEWS

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

4 di 35 12/08/2008 11.14

Page 5: Gsm Scanner

2008/06/13 Lyrtech Releases GSM Femto Cell SDR SDK2008/04/04 Sending and Channel Hopping Project started.2008/03/31 First Pictures of A5 Cracker available.2008/03/12 SIM Toolkit Research Project started.2008/01/06 SimCom Trace Project started.2007/12/13 Piotr shows how to simulate a GSM decoder in Octave2007/11/21 [http;//wiki.thc.org/gsm/umts UMTS Project] started.2007/10/22 Split into sub-projects. GSM Decoder Project online2007/10/12 Pawel's GSM Scanner Tutorial2007/08/16 OpenTSM Project started.2007/08/14 CCC Camp07 GSM Software Project and A5 Cracking Talk online.2007/08/04 TSM Challenge updated.2007/07/25 How to build your own GSM antenna - UPDATED VERSION.2007/07/11 Photo section online. Add your own photos and screenshots.2007/07/09 gssm-v0.1.1a released.2007/07/02 How to build your own GSM antenna.2007/07/01 gsm-tvoid-0.0.2 released.2007/06/25 gsm-tvoid-0.0.1 released.2007/06/08 gsmdecode-0.7bis released.2007/06/05 GSMSP released. Alternative GSM implementation.2007/06/04 GSSM released. Alpha but stable.2007/05/22 Wanted Section added.2007/05/20 gsmdecode-0.5 released (with SMS decoding support)2007/04/27 gsmdecode-0.4 released.2007/04/16 Decoded SMS published and gsmdecode-0.2.2007/04/11 Nokia DCT3 Trace Mobile results and ideas online2007/04/01 Finding a BaseStation with the USRP by Robert2007/03/13 gsmsp v0.0.1a released (alpha alpha)2007/03/02 MatLab Toolkit and a Beginners Guide of how to analyze GSM datareleased.2007/02/19 Tore won the Challenge. His results are public. Also published someinfos regarding the OT460 Trace Mobile.2007/02/16 Survey started. Please fill out and help us understand who/what weare/need.2007/02/08 Challenge started to win a USRP + Extensions. Deadline is Sun 18th ofFebruary 2007 23:59.2007/01/25 We decided for the USRP (www.ettus.com). (Chip vendors do not likeus and wont give us documentation. Motivation++. You may hide the docs from usbut you can not hide the GSM frames from us!)2007/01/12 Tore joined our team as first RF engineer. Welcome on board Tore!2007/01/10 THC donated $999 as a research fund! Please contact me if you candonate ettus hardware or help otherwise.

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

5 di 35 12/08/2008 11.14

Page 6: Gsm Scanner

2007/01/10 Project announced.2007/01/04 wiki online

4. The Projects

This wiki started as a project for receiving GSM signals. Over time many other projectssurfaced. Each of the projects deserves its own wiki. A short description and link to thewiki are listed here.

4.1. The GSM Receiver Project

Location: http://wiki.thc.org/gsmThis project is about receiving GSM signals using the USRP.

4.2. The GSM Sending and Channel Hopping Project

Location: http://wiki.thc.org/gsm/txThis project is about sending GSM signals using the USRP and implementing channelhopping for receiving.

4.3. The OpenTsm Project

Location: http://wiki.thc.org/gsm/opentsmIts goal is to modify the firmware of the Vitel TSM30 mobile phone. It will enable us toreceive (trace) and send traffic and have fund with the mobile network.

4.4. The A5 Cracking Project

Location: http://wiki.thc.org/cracking_a5The project is about cracking (decrypting) the A5/1 encryption algorithm used in GSM.

4.5. The GSM Decoding Project

Location: http://wiki.thc.org/gsm/decodeThe project is about decoding and converting data from the Traffic CHannle (TCH). Theproject's goal is to convert the speech channel data into PCM/WAV/MP3 and the SMSdata into text files.

4.6. The Debug Trace Project

Location: http://wiki.thc.org/gsm/debugtraceThe project is about using a nokia 3310 or similiar phone and turning it into a trace mobile.The webpage lists examples traces. Please submit interesting traces.

4.7. The SimCom Trace Project

Location: http://wiki.thc.org/gsm/simcomThe project is about using a SIM5210 module to receive debug information from the digitalbaseband. This debug information includes beacon and possibly TCH traffic.

4.8. The UMTS/3G Project

Location: http://wiki.thc.org/gsm/umtsThe project just started and is about how UMTS works. The goal is to receive/send onUMTS and assess the security of UMTS.

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

6 di 35 12/08/2008 11.14

Page 7: Gsm Scanner

4.9. The SIM Tookit Research Project

Locatoin: http://wiki.thc.org/gsm/simtoolkitThe project is about understanding how the SIM works and what's possible with the SIM.It's related to security and applets that are installed remotely (via OTA) by the operator.

5. The GSM/USRP Receiver Project

5.1. Priorities

An overview of our 4 most urgent problems. This chart changes over time. It shows whatpeople are currently doing. (last updated: 2007/04/20).

Viterbi / ISI: This is the single most important stuff people are currently workingon. This can either fail the project or make it a success. The mission is to get better(error-free) bit data out of the GSM signal. We are currently suffering from high biterrors.

1.

Channel Hopping: Required if we want to go beyond camping on the BCCH. Thetheory is there. It has to be tested. (Especially if it's fast enough and/or if we have toflush the USRP buffer?!)

2.

Release: If we pack our source into a release tar-ball other people will be able toplay around with it and come back with better ideas.

3.

Misc: Everything not covered above (like channel decoding)4.

5.2. Wanted

If you can help with any of the items below please contact steve or write on the mailinglist!

Viterbi / ISI help1.Comp128v3 source or binary dump from any GSM baseband chip.2.GEA / GRPS encryption algorithm or source/binary from any GSM baseband chip.3.CDMA documentation.4.

5.3. Different approaches

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

7 di 35 12/08/2008 11.14

Page 8: Gsm Scanner

I see three different ways to get this done:

Use a commercial baseband transceiver chip (silabs.com? analog.com?). (Requireselectronic engineer and those folks seem to be rare).

1.

Use the USRP (Universal Software Radio Peripheral) board from Ettus and developthe rest in software (C++ python) and/or verilog (firmware of USRP). (Still requireselectronic engineer /ettus person. We are software developers. Anyone?)

2.

Patch the Baseband Processor of an existing mobile phone (possible but notportable).

3.

Attach the baseband signal of an existing mobile phone to a digitizer (for examplethe USRP or a simpeler AD/DA converter board with at least 1 Mhz samplerate)(This option is also not very portable and hard to connect to those tiny traces (hasbeen tried). The best shot is using a very old big phone but then you only get the low900 Mhz band (and not the 1800/1900 Mhz band)) (comment: 3 and 4 are alsodead-ends in the long run as we would only be able to receive but certainly never beable to transmit. Both approaches also limit us to 1 channel (not?))

4.

Using a nokia phone or the MC351i from Siemens. For both devices is it possible toupdate the firmware on the baseband processor. This would mean we would have todisassemble the firmware and do binary patching. Probably limited to 1 channel (butwe can use 128 phones at the same time:>). Not as flexible as the USRP.

5.

Use Analog's development board. This way we do not have to bother with DSP andcan use example source!

6.

The Sagem OT460 is a trace phone which connects via USB to a PC. It comes withmonitoring software. It captures data from the Control Channel (Channel Dm, uplink+ downlink) and transfers the captured date in realtime to the PC.

7.

A Watkins Johnson 8691A receiver can trace 6 phone calls at the same time. Itrequires PC software that is impossible to get. The company currently refused thatthey even manufactures this device.

8.

The IZT CCT is a commercial multiband receiver with a bandwith of 16 mbit. It'sconnected via Ethernet. [email protected] is working on this one. We currently believethat the USRP is the cheaper solution but we are keen to compare results.

9.

Using http://www.comblock.com/ hardware to capture data to a IQ file, then usingMATLAB and the modified GSMSim scripts to parse the file. Perhaps convert theCOMBLOCK IQ file to the format from USRP for use with the GNURadio software.(Comblock setup RF amp >> COM-3006 >> COM-8002 >> COM-5003)

10.

Using USRP and software is the right way to go. Vanu Inc apperently got a software gsmmodem working (but not using ettus?!). PC's are fast enough. See gnu-radio list archive andsearch for Vanu.

What about MAX2323 Eval kit?

5.4. Project Stages and Schedule

Stage 1: Proof of Concept device that can read 'raw' GSM traffic from at least 1channel.Stage 2: Decode GSM traffic. Display all non-crypted information (BaseStation,Signal strength, Call-request, SMS, ...)

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

8 di 35 12/08/2008 11.14

Page 9: Gsm Scanner

Stage 3: Decipher GSM traffic. (wuha)Stage 4: Send GSM traffic.

and a litte time later a DECT (european standard for cordless phones) receiver. DECT isunencrypted in the most cases.

Comment from a RF engineer: About Stage 1. It seems not too difficult to develop thedevice that can read from air. Channel switching can be easily done using PLL based LO.The most critical part here is the DSP based GMSK demodulation. Do we haveDSP-friendly people here? About Ready-to-use hardware. GSM air interface has veryspecial requirements (band filter, LNA, AGC etc). It is nearly impossible to satisfy themusing general purpose RF hardware. As for me, it should be dedicated device. There aretwo options here: to develop it from zero point using basic blocks (LNA, Mixer,Quadrature decoder etc) OR to use a semi-dedicated ICs which combine some neededfunctionality. I don't think we can use any of mass-volume GSM-chipset because it will beabsolutelly unflexible, thus useless.

2007/01/25 Comment from an electrical engineer: Last year I looked into doing GSMreceive operation only, and concluded that the easiest solution would be to use the USRPpaired with a suitable RF daughterboard. They have a daughterboard that will tune the PCSband (receive only). The IF bandwidth is wide @ 43 MHz, but the USRP has a very largedynamic range. Also, GMSK is constant envelope, so if the A/D saturates it shouldn't bethe end of things. I doubt it would meet all the GSM RF requirements, but it might be closeenough to work, albeit with worse noise figure etc. However I remember thinking that theFPGA resources might be too limiting for the high-rate signal processing. Moreinvestigation would be necessary.

5.4.1. Receiving Stages

Send signal through low-pass/fir filter1.Send filtered signals through GMSK block (already implemented in gnu-radio)2.Differentially deocde the bitstream- Find FCCH, SCH (get channel config, FrameNumber, ...)- 3GPP TS 04.03 MS-BSS interface, Channel structures- 3GPP TS 44.004 Layer 1 - General requirements- 3GPP TS 04.05 MS-BSS interface, Data Link layer - General aspects- 3GPP TS 04.06 MS-BSS interface, Data Link Layer- 3GPP TS 44.018 Layer 3 specs - Radio Resource Control (was 04.18, referencedby 04.08)- 3GPP TS 45.002 Multiplexing and multiple access on the radio path (was 0502)- 3GPP TS 05.03 Channel coding

3.

Concatenate GSM bursts4.De-interleave the correct blocks.5.Viterbi decode the blocks6.Check/Correct bit errors with FIRE code7.Parse GSM messages- GSM 04.07 Layer 3 - General aspects- 3GPP TS 23.108 Layer 3 specs - Core network protocols, stage 2- 3GPP TS 24.008 Layer 3 specs - Core network protocols, stage 3

8.

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

9 di 35 12/08/2008 11.14

Page 10: Gsm Scanner

5.4.2. Tips and Tricks

A collection of random tips and tricks.

RF interface- EMPTY

1.

Decoding packets I- Search for the FCCH before the bits are differentialy decoded. Search for the 64 bitSCH trainigsequence before the differential decoding as well. This speeds up theprocess. Accepts FCCH's and SCH's with up to 11 bit errors (or even more?).- Once you know where the 156 bit bursts start always set the first 3 bit to 0. Thesefirst 3 bits are the training bit and ought to be 0. 5% of my received data has a biterror in the training bit. Otherwise the differential decoding process will propagate abit error in the first 3 bits through the entire burst.- Skip dummy bursts (do not differential decode, do not de-interleave, do notconvolution decode it).

2.

5.5. Hardware requirements / Where to buy

(Offical approach. Receive only. visit ettus sales.)

USRP board (700 USD)DBSRX daugtherboard (150 USD)LP0926 900 Mhz - 2.6 Ghz Log Periodic PCB Antenna (35 USD)SMA-M to SMA-M Cable (20 USD)

Optional Antenna:

Low Noise Amplifier ($79.00)Antenna All-Band Yagi ($209.95)Build your own GSM antenna.http://www.imo.de/cgi-bin/verteiler.pl?url=gsm-antennas_e.html

Note: A different antenna is required depending on the frequency range. You should haveone for GSM900 and another one for GSM1800. The same antenna wont work on bothfrequency ranges.

5.6. First Steps

GSM Frequencies:

850 MHz [US rural areas] (824.2 - 848.8 MHz Tx; 869.2 - 893.8 MHz Rx)P-GSM (914.8 Mhz Tx, 925 - 959.8 Mhz Rx, Channel 0 - 124)P-GSM extension 880 - 889.8 Mhz Tx;925 - 934.8 Mhz Rx, Channel 975 - 1023)GSM-R [Railway] (876 - 879.8 Mhz Tx; 921 - 924.8 Mhz Rx, Channel 955 - 974)1800 MHz [Europe] (1710.2 - 1784.8 MHz Tx; 1805.2 - 1879.8 MHz Rx)1900 MHz [US city] (1850.2 - 1909.8 MHz Tx; 1930.2 - 1989.8 MHz Rx)

See also GSM/3GPP 05.05 and apicture of gsm frequencies.

Europe used 900Mhz only and later also started to use 1800Mhz. US started with 1900Mhz

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

10 di 35 12/08/2008 11.14

Page 11: Gsm Scanner

and later used 850Mhz. 850 Mhz is mostly used in rural areas but sometimes can be foundin cities. T-Mobile is not available on the 850Mhz.

The frequency for receiving data from the BTS to the mobile is 45Mhz above the TXfrequency.

5.6.1. Understanding GSM

These two articles give a fairly good understanding of how GSM looks like.

http://www.pulsewan.com/data101/gsm_basics.htm1.http://www.cs.ucl.ac.uk/staff/t.pagtzis/wireless/gsm/radio.html2.

Another good article is availabe at http://www2.informatik.hu-berlin.de/~goeller/. Irecommend reading the book "Signaling in Mobile Radio Communication" ISBN-103-936318-24-7, ISBN-13 978-3-936318-24-1. It comes with a GSM analyzing software(OTDrivePC) and many live off-the-air example traces that can be analyzed withOTDrivePc. It's a real mind-opener.

5.6.2. Beginners Guide to GSM in MatLab

We are proud to release a complete MatLab example and documentation of how toanalyze USRP GSM data dumps in MatLab. The Beginners Guide to analzying GSM datain MatLab is part of the toolkit and contains step-by-step instructions on how to useMatLab and how to interpret the decodec GSM bursts.

Toolkit: GSMSP_Analyzing_GSM_data_in_MatLab.zip

This toolkit is based on the fantastic work from Jan and Arne. Please check out theirMatlab GSM Simulator as well.

If you need help understanding MatLab please read The MatLab Manual.

5.6.3. Analyzing GSM data in Octave by Piotr

Download: GSMSP_Analyzing_GSM_data_in_Octave.tar.bz2

I've prepared version of "GSMSP Analyzing GSM data in Matlab" which runs underOctave with installed octave-forge functions.

To use it under *buntu you should install gnuplot and octave-forge (it depends onoctave2.1). Run command:

$ sudo apt-get install octave-forge gnuplot

My changes:

little changes in plots from plotframe2.m and find_fcch.m1.files doing similar things are now placed in their own directories2.new function file resample.m written by me - works like this from Matlab. This was3.

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

11 di 35 12/08/2008 11.14

Page 12: Gsm Scanner

needed because resample function from Octave doesn't work with GSMsim.

I think GSMsim is good reference implementation of Viterbi Equalizer for GSM. Tvoid haswritten already functions which works like this from files find_fcch.m, find_sch.m,calc_freq_offset.m and xlat_freq.m.

I think we can use Viterbi Equalizer which works like this from GSMsim and put it infunctions of Tvoid release – in get_sch_burst() and get_norm_burst() (or in equalize()).

Regards

Piotr Krysik

5.6.4. Analyzing BS signals with Gnu Radio

Pawel uploaded a 945.6 Mhz USRP dump(Warsaw).

Screenshot from life application (not the recorded dump above):

Screenshot 11.Screenshot 22.Screenshot 33.

On the screenshots we can see frequency correction FCCH packet (only zeros aretransmitted), and Training Sequence # 4 (1,1,1,1,0,1,1,0,1,0,0,0,1,0,0,0) in the middle oftwo different packets.

After fm demodulation block, due to differencial modulation in gsm, we can interpret highvalue of signal as a repeated bit and lower value of signal as a changed bit. One bit lastsabout 3.69 microseconds, so you will have to switch to different scale/div.

Use Pawel's gnu radio script fix to read the data from a file (and not from a live feed).

5.6.5. Challenge 1

This is a challenge and the winner get's a FREE starter kit ($975):

USRPDBSRXAntennaCable

Deadline: Sunday 18th of February 2007

The Challenge:

Get most information out of Robert's samples.

The one who can identify most frames and information from Robert's samples wins thechallenge and gets the FREE USRP Starter Kit.

To take part in the challenge please submit:

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

12 di 35 12/08/2008 11.14

Page 13: Gsm Scanner

The frames you could identifyOther information you found out from the samples (signal strength, number ofbasestations, base station identify, ....)List of programs and tools you used.Short Explanation

to steve at segfault.net before the 18th of February 2007 23:59. Your work will besubmitted to the Mailinglist and published on our website (http://www.thc.org/gsm)

I'll announce the winner of the USRP Starter Kit on the 19th!

The next big step is to get it working with gnu-radio.

5.6.5.1. Tore's results

Tore uses MatLab and the GSMsim plugins to extract informations from robert's off-the-aircaptures. Using the GSMsim plugin helps him to extract a lot of information in a shortperiod of time.

Sample Analysis Whitepaper.Matlab files.

5.6.5.2. Frank J.'s results

Also fank J.'s decides to use MatLab. Here are his results.

5.6.5.3. SignalScamp's results

Here are SignalScamp's Results. He uses MatLab to analyserobert_dbsrx_941.0Mhz_128.cfile. The three graphics show his results.

Bursts: chart1.pngFCH in Slot0: chart2.pngSlot0: chart3.png

5.6.6. OT460 Trace Mobile - An Excursion

The Sagem OT460 does not offer the full functionality that we require. It is limited tothe GSM Dm channel and can not transmit. Nevertheless it's an exciting device thatcomes with a powerfull analyzing software.

The Sagem OT460 is a Trace Mobile. It connects to the PC via a USB cable. It can capturelive data from the GSM Dm Channel. It captures frames from the entire GSM band at thesame time. It comes with software to display and analyize the captures frames. It costaround 3499 EUR and is sold by sagem.com or www.ers.fr.

The OT460 is visible as a COM port under windows. It is possible to write custom softwareto configure and retrieve information from the OT460. An outdated protocol abstract isavailable. The full spec of the protocol is available for developers directly from sagem.com

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

13 di 35 12/08/2008 11.14

Page 14: Gsm Scanner

(you have to buy a OT460 first).

Dr.-Ing. Joachim Goeller was so friendly to capture some data for us. He used his own tool(EDGEView) to analyze the data and disassemble the packets.

Here is a Screenshot of the OTDrive Capture Software in action.

The first example is a off-the-air capture:

MOC.txt - the captured data (raw)MOC-Translated.rtf - the data analyzed (with EDGEView)

The second example is a capture when a phone was turned on, pin entered and then turnedoff again:

OnOff.txt - the captured data (raw)OnOff-All.rtf - the analyzed dataOnOff-RR-NAS-LAPDm.rtf - the analyzed Link Access Procedure D channel

We might be able to use his EDGEView software to analyze our data as well. We canbenchmark our captures against the OT460 device.

EDGEView is the successor of GSMView. GSMView is available on a CD that come withthe "Signaling in Mobile Radio Communication" Book.

The EDGEView description files are available at http://www.segfault.net/gsm/EDGEView.The will become handy when we want to parse GSM messages.

5.6.7. Installing GnuRadio / Cygwin

I do not recommend using Windows / cygwin. Use Linux (ubuntu or gentoo) instead. Thisis a short howto install gnu-radio and usrp under windows / cygwin. If you run intoproblems please ask me or modify this text.

There are a couple of install guides on the net. They are all incomplete:

http://gnuradio.org/trac/wiki/CygwinInstallMain1.http://www.comsec.com/wiki?Cygwin2.

These are the steps that worked for me:

Extract all source packages to /tmp. Source packages are installed with ./configure, makeall install. It only depends on the parameters...

export PATH=$PATH:/usr/local/bin:/usr/local/sbin1.export PYTHONPATH=/usr/local/lib/python2.4/site-packages/2.Install cygwin with python, swig, pkg-config3.install sdcc from http://sdcc.sf.net4.Install Boost C++ from http://www.boost.org5.Install LibUSB-Win32 to C:\LibUSB-Win32 (libusb-win32-filter-bin-0.1.12.0.exe)6.

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

14 di 35 12/08/2008 11.14

Page 15: Gsm Scanner

(Note: Apperently you can also just install libusb-win from the cygwin setup).- cd /cygdrive/c/LibUSB-Win32/src- make all- cp libusb0.sys libusb0.dll /tmp/gnuradio-3.0.2/usrp- now follow USRP Install Guide.Install Cppunit with this patch- cd cppunit-1.10.2; patch -p1 -u <../cppunit-win32.patch- ./configure --enable-shared --disable-static- make LDFLAGS=-no-undefined all install

7.

Install fftw-3.1.2- ./configure- make LDFLAGS=-noundefined all install

8.

Install gnuradio-3.0.2.- There is a conflict with the max() and min() macros and windows.h include fromLibUSB-Win32. Apply this patch.- CFLAGS="-I/cygdrive/c/LibUSB-Win32/include" LDFLAGS="-L/cygdrive/c/LibUSB-Win32/lib/gcc" libusbwin32path="/cygdrive/c/LibUSB-Win32/bin"./configure --with-boost-include-dir=/tmp/boost_1_33_1 --with-md-cpu=generic--disable-static --enable-usrp --enable-gr-usrp- make CPPFLAGS="-I/cygdrive/c/LibUSB-Win32/include"- make CPPFLAGS="-I/cygdrive/c/LibUSB-Win32/include" install

9.

Use the example from Josh page to test your gnu-radio installation.

5.6.8. NetMonitor

Nokia phones can be used in Monitor mode. The NetMonitor software displays all kind ofusefull information. It helps you to find out your current TMSI, the BCH you are on, thedistance the the base station, neighbouring cells, signal strength and much more. Search ingoogle for the software or use these links:

NetMonitor (OperatorFtdwk39v7.sis)NetMonitor Guide

I used the netmonitor to confirm which beacon carrier i was able to find and to filter onlypackets for my TMSI.

edited: Not only Nokia phones can be used in net monitor mode, but majority of phonescan be used, just check google or forum.gsmhosting.com about your phone.

5.6.9. BTS searching by Robert

Robert wrote a nice article on how to find a Base station manually using a USRP. Hisarticle is available at http://273k.net/gsm/find-a-gsm-base-station-manually-using-a-usrp/.It gives you a good introduction into the tools and some nice graphical results.

5.6.10. Build your own Antenna - by Robert

Robert explains how to build your own GSM antenne at http://273k.net/gsm/designing-

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

15 di 35 12/08/2008 11.14

Page 16: Gsm Scanner

and-building-a-gsm-antenna/.

5.7. Design Proposal

We talked via phone to better understand where our problem is and how we can split itinto smaller pieces. Below is the email from Achilleas.

I spent some time looking at the Matlab code that was

available

on the wiki and the uploaded off-the-air samples.

I think I have a much better understanding of what is

going on now.

Here is how I envision a first-cut implementation of a

receiver that

processes a single GSM frequency channel from the Base

station to

the Mobiles.

1) The outermost loop (process) acquires FCCH bursts and

uses them to perform rough frequency correction

(non-coherent operation)

and rough burst alignement. This process essentially cuts

the input

stream into blocks of GUARD+156.25*OSR+GUARD samples

(OSR=samples/bit),

each respresenting a burst (padded from left and right so

that you don't

miss anything due to missallignment).

2) Next, SCH bursts are used (those follow FCCH bursts

after 8 bursts)

for acquisition/tracking/estimation of

a) bit timing

b) channel impulse response

Simple least-squares (LS) channel estimation

(oversampled) and

timing estimation (accuracy of 1 sample) can

easily be done here (they worked fine for me).

Both estimates seem to be pretty stable between two SCH

bursts, so at this point I do not even see a need for

tracking.

Note1: ISI is significant. Modeling the GMSK signal as a

filtered MSK

signal you get channel estimates of the form:

0.0568

0.0455

0.0038

0.0127

0.0174

0.0175

0.0170

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

16 di 35 12/08/2008 11.14

Page 17: Gsm Scanner

0.0298

0.0308

0.1146

0.1289

0.1687

0.1898

0.1904

0.1917

0.1296

0.1186

0.0552

0.0303

0.0053

0.0184

0.0196

0.0563

0.0397

(this is the absolute values of the estimated channel for

OSR=4).

Note2: I also noticed a slight drift (successive channel

estimates

differing by a constant phase) which suggests that the

frequency

correction is not perfect. The result is an unknown phase

(almost

constant) within a burst. This was observed both on:

GSMSP_20070204_robert_dbsrx_953.6MHz_64.cfile

GSMSP_20070204_robert_dbsrx_941.0MHz_128.cfile

but not on

GSMSP_20070204_robert_dbsrx_953.6MHz_128.cfile

The SCH burst can be further demodulated to extract the

information

about which training sequence is used in this cell.

In fact I was able to find that by simply correlating

normal bursts with

all 6 possible training sequences and find the best

match, so one can

avoid this step...so that physical layer processing does

not depend

on higher layer information (but ultimately this cannot

be avoided...)

Once timing information has been extracted (accuracy of 1

sample)

and a channel estimate is there, all other bursts can be

processed

in the following way (this also holds for the SCH burst

itself):

Matched filtering, symbol-spaced sampling followed by

your favorite

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

17 di 35 12/08/2008 11.14

Page 18: Gsm Scanner

detection technique (Viterbi, DFE, etc) to extract the

information on

the MSK signal, followed by the differential processing

to extract the

actual information bits.

So as a first order of business I see the implementation

of 1 and 2a,

2b. I haven't given much thought as to what is the most

efficient

way to implement this in gnuradio, but I may do that if I

get some time...

5.8. ISI, Timing Recovery and others

This section is all about M&M clock recovery and ISI.

Matched filtering and timing recovery in digital receivers - A good introduction.1.Book: Heinrich Meyr; Marc Moeneclaey; Stefan Fechtel: "Digital CommunicationReceivers : Synchronization, Channel Estimation"

2.

5.9. Viterbi and Channel Estimation and Equalization

Piotr made a collection of documents that help to undestand Viterbi and channelequalization.

How I Learned To Love Trellis. This article was very helpful for me at thebeginning. It explains what Inter Symbol Interferences (ISI) are and introduces theconcept of detection signals which contain such distortion using Viterbi algorithm.

1.

a MatLab implementation of a GSM Simulation Platform. Great documentation ofreceiver working in theory and, according to Tore's results, working in practice.Documentation contains brief theory of estimating channel impulse response andMLSE.

2.

GSM Simulator in Octave and Source. Octave is open source software available foreveryone and has similar to MATLAB syntax. This implementation doesn't includesynchronization (GSMsim has same form of finding first sample in a burst) but it hasLeast Squares channel estimation (GSMsim uses convolution of received sequencewith known training sequence

3.

Equalization in GSM using a priori information. first 30 pages of it containsinteresting theory in a straightforward from a especially channel estimation.

4.

3GPP TS 05.05 "Radio Access Network; Radio transmission and and Reception.some raw data from ETSI regarding this topic, for example typical channel impulseresponses in Annex C

5.

Soft output M-algorithm equalizer and trellis-coded modulation for mobile radiocommunication. Algorithm with reduced complexity.

6.

Adaptive T-Algorithm in MLSD/MLSDE Receivers for Fading Channels. Anotherreduced-complexity algorithm.

7.

Maximum-Likelihood Sequence Estimation of Digital Sequences in the Presence ofIntersymbol Interference. Very theoretical and hard to read article which introducedMLSE detection.

8.

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

18 di 35 12/08/2008 11.14

Page 19: Gsm Scanner

Channel Estimation Modeling. Least squares channel estimation and iterativechannel estimation.

9.

http://www2.imm.dtu.dk/pubdb/views/edoc_download.php/2522/pdf/imm2522.pdf.Viterbi in UMTS.

10.

We know of two open source projects that implement the algorithm:

http://www.vovida.org/protocols/gsml/. The GSM Source Module Library (GSML)provides a library of modules which can be used to implement the GSM Signallingprotocols.

1.

http://www.wireless3g4free.com/. 100% Software implementation of a UMTSreceiver stack using Real Time Linux (RTLinux).

2.

5.10. The Nokia Approach

The main development is happening on the USRP hardware. Nevertheless it seems thatsignificant amount of data can be gathered by using a off the shelf nokia handset. Frankand Saugumas have choosen to investigate further and see what's possible.

TODO:

Can we enable TCH (traffic) frames?1.Why do we not see the number that is beeing called in the Call Setup message?2.

Advantages:

Simple and quickFollows channel hopping

Disadvantages:

Only 1 tuner (e.g. Can only listen to 1 frequency).Works only with (old) DCT3 mobiles (like the nokia 3310 and 3410)Receives only uplink frames that the mobiles sends. Can not receive uplink framesthat other mobiles send.Can not send frames. Receive only.

In 2003 there was the Blacksphere Project. They reversed the undocumented debugprotocol of DCT3 mobile phones. It is possible to enable a debug trace and receive manyof the layer2/layer3 frames.

The latest project update to the dct3 debug tracer can be found at http://tudor.rdslink.ro/blacksphere/nokia.htm.

Nokia's Netmonitor can be used on the phone the tune to a certain BTS. It's currentlyunknown if a *bus command exists to change the tuner to a different frequency.

Gammu is a command line tool which we prefer. There exists also a gui (N-Monitor byAnderas Schmidt) for any DCT3 trace mobile. Please see Nuukiaworld for more details.

This command can be used to enable layer2/layer3 tracing. It generates the file out.xml anda lot of debug output.

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

19 di 35 12/08/2008 11.14

Page 20: Gsm Scanner

gammu --nokiadebug nhm5_587.txt v20-25,v18-19

The out.xml file can then be parsed with gsmdecode:

gsmdecode -x <out.xml

The best mobile for testing is the Nokia 3310. You need a special MBUS data cable(NK-33) available at http://ucables.com/ref/NK-33.

If you are using a USB to SERIAL adapter you must configure it on com1 or com2.

The debug trace forwards most layer2/layer3 frames that the mobile processes. Thisincludes the BCCH on the beacon frequency on the downlink and most frames the mobilesends (uplink). It does not forward TCH (traffic) frames.

Here are two traces.

call_init.xmlsms.xmlsms2.xml (SMS content "abc")call_1525.xml

We have created a sub project for sharing traces. Please take a look at the DCT3 DebugTrace Project and submit your traces to me.

Download: http://www.gammu.org We are using version 1.15.90. To make it work underwindows you must install the windows binary and copy the nhm5_587.txt file from thesource distribution into your c:\Program Files\Gammu 1.15.90\bin\ directory.

5.10.1. Decoding SMS

This trace was generated with a Nokia DCT3. It's downlink only. A SMS was send from themobile to the mobile. The decoding was done with gsmdecode-0.2.tar.gz . I only displaythe relevant information for the receiving part of the SMS. If you are interested in theBCCH messages (BBis format, Immediate Assignment etc etc) please run gsmdecode withthe -i command.

The trace file: sms2.xml

The following commands have been used to analyze the sms2.xml file:

gsmdecode -x <sms2.xml >sms2.txt

Some Facts:

OpenGPA does not decode the interesting messages. We used our own decoder(gsmdecode).It seems that SMS are send encrypted from the BTS to the MS.See 3GPP 04.11 Appendix F, Figure F2 for exchange of messagesSee 3GPP 03.38 for SMS data coding

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

20 di 35 12/08/2008 11.14

Page 21: Gsm Scanner

Questions:

Are all SMS send encrypted?1.Why is the destination length value wrong?2.Why do we receive a TMSI realloc message? Coincident?3.Why dont we see a AUTH REQ message?4.Why does the Paging Response from the BTS contain the IMEI and not the TMSI?This should not happen especially because the MS just send a SMS and the systemshould know the TMSI by now. IMEIs should not appear on the network!

5.

Negotiation only shows A5/3 and A5/2. What happened to A2/1? How is thatnegotiated?

6.

SDCCH, Page response Message.

000: 01 73 41 06 27 03 03 33 - 19 81 08 29 64 30 07 01

001: 02 74 66 2b 2b 2b 2b

0: 01 -------1 Extended Address: 1 octet long

0: 01 ------0- C/R: Response

0: 01 ---000-- SAPI: RR, MM and CC

0: 01 -00----- Link Protocol Disciminator: normal GSM

(not Cell Broadcasting)

1: 73 ------11 Unnumbered Frame

1: 73 ---1---- P

1: 73 011-00-- UA frame (Unnumbered achknowledgement)

2: 41 -------1 EL, Extended Length: yes [FIXME]

2: 41 ------0- M, segmentation: N

2: 41 010000-- Length: 16

3: 06 0------- Direction: From originating site

3: 06 -000---- 0 TransactionID

3: 06 ----0110 Radio Resouce Management

4: 27 0-100111 RRpagingResponse

4: 27 -x------ Send sequence number: 0

5: 03 -----011 Ciphering key sequence: 3

5: 03 -000---- Ciphering key sequence: 0

6: 03 00000011 MS Classmark 2 length: 3

7: 33 -01----- Revision Level: Phase 2

7: 33 ---1---- Controlled early classmark sending:

Implemented

7: 33 -----011 RF power class capability: Class 4

8: 19 -1------ Pseudo Sync Capability: not present

8: 19 --01---- SS Screening: Phase 2 error handling

8: 19 ----1--- Mobile Terminated Point to Point SMS:

supported

8: 19 -----0-- VoiceBroadcastService: not supported

8: 19 ------0- VoiceGroupCallService: not supported

8: 19 -------1 MS supports E-GSM or R-GSM: supported

9: 81 1------- CM3 option: supported

9: 81 --0----- LocationServiceValueAdded Capability:

not supported

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

21 di 35 12/08/2008 11.14

Page 22: Gsm Scanner

9: 81 ----0--- SoLSA Capability: not supported

9: 81 ------0- A5/3 not available

9: 81 -------1 A5/2: available

11: 29 -----001 Type of identity: IMSI

12: 64 -------- ID(7/odd): 246037010204766

Note: The Auth Request Message is missing here. Is this because the mobile is alreadyauthenticated to the BTS because we send a SMS before?

SDCCH, Cipher Mode Command Message

000: 03 20 0d 06 35 01 2b 2b - 2b 2b 2b 2b 2b 2b 2b 2b

001: 2b 2b 2b 2b 2b 2b 2b

0: 03 -------1 Extended Address: 1 octet long

0: 03 ------1- C/R: Command

0: 03 ---000-- SAPI: RR, MM and CC

0: 03 -00----- Link Protocol Disciminator: normal GSM

(not Cell Broadcasting)

1: 20 -------0 Information Frame

1: 20 ----000- N(S), Sequence counter: 0

1: 20 ---0---- P

1: 20 001----- N(R), Retransmission counter: 1

2: 0d -------1 EL, Extended Length: yes [FIXME]

2: 0d ------0- M, segmentation: N

2: 0d 000011-- Length: 3

3: 06 0------- Direction: From originating site

3: 06 -000---- 0 TransactionID

3: 06 ----0110 Radio Resouce Management

4: 35 00110101 RRciphModCmd

5: 01 ----000- Cipher: A5/1

5: 01 -------1 Start ciphering

5: 01 ---0---- Cipher Response: IMEISV shall not be

included

Note: Not sure why next message is a TMSI realloc. Not needed but maybe the BTSdecided that it should also assign a new TMSI to the mobile. Good as well.

SDCCH, TMSI Realloc

000: 03 42 35 05 1a 42 f6 30 - 00 04 05 f4 2d 81 fb 3e

001: 2b 2b 2b 2b 2b 2b 2b

0: 03 -------1 Extended Address: 1 octet long

0: 03 ------1- C/R: Command

0: 03 ---000-- SAPI: RR, MM and CC

0: 03 -00----- Link Protocol Disciminator: normal GSM

(not Cell Broadcasting)

1: 42 -------0 Information Frame

1: 42 ----001- N(S), Sequence counter: 1

1: 42 ---0---- P

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

22 di 35 12/08/2008 11.14

Page 23: Gsm Scanner

1: 42 010----- N(R), Retransmission counter: 2

2: 35 -------1 EL, Extended Length: yes [FIXME]

2: 35 ------0- M, segmentation: N

2: 35 001101-- Length: 13

3: 05 0------- Direction: From originating site

3: 05 -000---- 0 TransactionID

3: 05 ----0101 Mobile Management Message (non GPRS)

4: 1a 00------ SendSequenceNumber: 0

4: 1a --011010 TMSI Realloc Command

5: 42 246 Mobile Country Code

6: f6 03f Mobile Network Code

8: 00 4 [0x0004] Local Area Code

11: f4 -----100 Type of identity: TMSI/P-TMSI

12: 2d -------- ID(4/even): 2D81FB3E

SDCCH, SABM (SAPI=3) message:

000: 0f 00 53 19 01 22 01 00 - 07 91 73 60 48 99 91 f9

001: 00 16 04 0b 91 73 60

0: 0f -------1 Extended Address: 1 octet long

0: 0f ------1- C/R: Command

0: 0f ---011-- SAPI: SMS and SS

0: 0f -00----- Link Protocol Disciminator: normal GSM

(not Cell Broadcasting)

1: 00 -------0 Information Frame

1: 00 ----000- N(S), Sequence counter: 0

1: 00 ---0---- P

1: 00 000----- N(R), Retransmission counter: 0

2: 53 -------1 EL, Extended Length: yes [FIXME]

2: 53 ------1- M, segmentation: Y

2: 53 010100-- Length: 20

3: 19 0------- Direction: From originating site

3: 19 -001---- 1 TransactionID

3: 19 ----1001 SMS messages

4: 01 00000001 Type: CP-DATA

5: 22 00100010 Length: 34

6: 01 00000001 Parameter

7: 00 00000000 Parameter

8: 07 00000111 SMSC Address Length: 7

9: 91 1------- Extension

9: 91 -001---- International Number

9: 91 ----0001 Numbering plan: ISDN/telephone

(E164/E.163)

10: 73 -------- Number(6): 37068499199

16: 00 00000000 TP-MTI, TP-MMS, TP-SRI, TP-UDIH,

TP-RP: 0

17: 16 00010110 Reference number: 22

18: 04 00000100 Parameter

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

23 di 35 12/08/2008 11.14

Page 24: Gsm Scanner

19: 0b 00001011 Destination Address Length: 11

20: 91 1------- Extension

20: 91 -001---- International Number

20: 91 ----0001 Numbering plan: ISDN/telephone

(E164/E.163)

21: 73 -------- Number(10): 3706

Note: The 'segmentation' flag is set. Next SABM message is part of this message. I had todecode this message manualle. gsmdecode-0.2 does not support segmentation yet.

SDCCH: SABM (SAPI=3) message [continued]

000: 0f 02 45 67 95 67 f6 00 - 00 70 40 21 02 63 43 21

001: 03 61 f1 18 2b 2b 2b

0: 0f -------1 Extended Address: 1 octet long

0: 0f ------1- C/R: Command

0: 0f ---011-- SAPI: SMS and SS

0: 0f -00----- Link Protocol Disciminator: normal GSM

(not Cell Broadcasting)

1: 02 -------0 Information Frame

1: 02 ----001- N(S), Sequence counter: 1

1: 02 ---0---- P

1: 02 000----- N(R), Retransmission counter: 0

2: 45 -------1 EL, Extended Length: yes [FIXME]

2: 45 ------0- M, segmentation: N

2: 45 010001-- Length: 17

3: 67 -------- Number(continoues, 8 left): 7659766

7: 00 -------- Protocol Identifier: 0

8: 00 00------ Data Coding Sheme: 0x00

8: 00 --0----- Uncompressed

8: 00 ---0---- Bit 0, 1 are reserved (no class!)

8: 00 ----00-- Default Alphabet

8: 00 ------00 (reserved or sim specific)

9: 00 -------- 7 octets Parameters (unknown meaning?!)

16: 03 ------11 CP-DATA Length: 3

17: 61 -------- Data: "abc" (GSM 03.38)

Note: Why is length of destination address set to 11? It's only 6 bytes long.

SDCCH, CP-ACK

000: 0f 44 09 19 04 2b 2b 2b - 2b 2b 2b 2b 2b 2b 2b 2b

001: 2b 2b 2b 2b 2b 2b 2b

0: 0f -------1 Extended Address: 1 octet long

0: 0f ------1- C/R: Command

0: 0f ---011-- SAPI: SMS and SS

0: 0f -00----- Link Protocol Disciminator: normal GSM

(not Cell Broadcasting)

1: 44 -------0 Information Frame

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

24 di 35 12/08/2008 11.14

Page 25: Gsm Scanner

1: 44 ----010- N(S), Sequence counter: 2

1: 44 ---0---- P

1: 44 010----- N(R), Retransmission counter: 2

2: 09 -------1 EL, Extended Length: yes [FIXME]

2: 09 ------0- M, segmentation: N

2: 09 000010-- Length: 2

3: 19 0------- Direction: From originating site

3: 19 -001---- 1 TransactionID

3: 19 ----1001 SMS messages

4: 04 00000100 Type: CP-ACK

SDCCH, Channel Release (all done!)

000: 03 64 0d 06 0d 00 2b 2b - 2b 2b 2b 2b 2b 2b 2b 2b

001: 2b 2b 2b 2b 2b 2b 2b

0: 03 -------1 Extended Address: 1 octet long

0: 03 ------1- C/R: Command

0: 03 ---000-- SAPI: RR, MM and CC

0: 03 -00----- Link Protocol Disciminator: normal GSM

(not Cell Broadcasting)

1: 64 -------0 Information Frame

1: 64 ----010- N(S), Sequence counter: 2

1: 64 ---0---- P

1: 64 011----- N(R), Retransmission counter: 3

2: 0d -------1 EL, Extended Length: yes [FIXME]

2: 0d ------0- M, segmentation: N

2: 0d 000011-- Length: 3

3: 06 0------- Direction: From originating site

3: 06 -000---- 0 TransactionID

3: 06 ----0110 Radio Resouce Management

4: 0d 00001101 Channel Release

5: 00 00000000 RR-Cause (reason of event) = Normal

event

5.10.2. Decoding TCH

We wanted to find out if the Nokia DCT3 mobile in trace mode also forwards TCH framesto the Computer. We did not receive any. Does his have to be enabled specificly?

Download: attachment:call_1525.xml The MS called the number 1525 and stayedconnected for 2-3 seconds. The xml file contains uplink and downlink traffic as sniffed bydefault DCT3 tracer.

Some interesting packets below.

Question:

I could not find where to phone calls 1525 (e.g. the number itself. anyone?)1.

SDCCH, from BTS to MS:

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

25 di 35 12/08/2008 11.14

Page 26: Gsm Scanner

000: 01 73 35 05 24 31 03 33 - 19 81 05 f4 2e 48 41 15

001: 2b 2b 2b 2b 2b 2b 2b

0: 01 -------1 Extended Address: 1 octet long

0: 01 ------0- C/R: Response

0: 01 ---000-- SAPI: RR, MM and CC

0: 01 -00----- Link Protocol Disciminator: normal GSM

(not Cell Broadcasting)

1: 73 ------11 Unnumbered Frame

1: 73 ---1---- P

1: 73 011-00-- UA frame (Unnumbered achknowledgement)

2: 35 -------1 EL, Extended Length: y

2: 35 ------0- M, segmentation: N

2: 35 001101-- Length: 13

3: 05 0------- Direction: From originating site

3: 05 -000---- 0 TransactionID

3: 05 ----0101 Mobile Management Message (non GPRS)

4: 24 00------ SendSequenceNumber: 0

4: 24 --100100 MMcmServiceRequest

5: 31 -011---- Ciphering key sequence: 3

5: 31 ----0001 Request Service Type: MS originated

call

6: 03 00000011 MS Classmark 2 length: 3

7: 33 -01----- Revision Level: Phase 2

7: 33 ---1---- Controlled early classmark sending:

Implemented

7: 33 -----011 RF power class capability: Class 4

8: 19 -1------ Pseudo Sync Capability: not present

8: 19 --01---- SS Screening: Phase 2 error handling

8: 19 ----1--- Mobile Terminated Point to Point SMS:

supported

8: 19 -----0-- VoiceBroadcastService: not supported

8: 19 ------0- VoiceGroupCallService: not supported

8: 19 -------1 MS supports E-GSM or R-GSM: supported

9: 81 1------- CM3 option: supported

9: 81 --0----- LocationServiceValueAdded Capability:

not supported

9: 81 ----0--- SoLSA Capability: not supported

9: 81 ------0- A5/3 not available

9: 81 -------1 A5/2: available

11: f4 -----100 Type of identity: TMSI/P-TMSI

12: 2e -------- ID(4/even): 2E484115

SDCCH, from BTS to MS:

000: 03 20 0d 06 35 11 2b 2b - 2b 2b 2b 2b 2b 2b 2b 2b

001: 2b 2b 2b 2b 2b 2b 2b

0: 03 -------1 Extended Address: 1 octet long

0: 03 ------1- C/R: Command

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

26 di 35 12/08/2008 11.14

Page 27: Gsm Scanner

0: 03 ---000-- SAPI: RR, MM and CC

0: 03 -00----- Link Protocol Disciminator: normal GSM

(not Cell Broadcasting)

1: 20 -------0 Information Frame

1: 20 ----000- N(S), Sequence counter: 0

1: 20 ---0---- P

1: 20 001----- N(R), Retransmission counter: 1

2: 0d -------1 EL, Extended Length: y

2: 0d ------0- M, segmentation: N

2: 0d 000011-- Length: 3

3: 06 0------- Direction: From originating site

3: 06 -000---- 0 TransactionID

3: 06 ----0110 Radio Resouce Management

4: 35 00110101 RRciphModCmd

5: 11 ----000- Cipher: A5/1

5: 11 -------1 Start ciphering

5: 11 ---1---- Cipher Response: IMEISV shall be

included

SDCCH, from BTS to MS:

000: 03 86 21 06 2e 0d c3 ff - 05 63 21 2b 2b 2b 2b 2b

001: 2b 2b 2b 2b 2b 2b 2b

0: 03 -------1 Extended Address: 1 octet long

0: 03 ------1- C/R: Command

0: 03 ---000-- SAPI: RR, MM and CC

0: 03 -00----- Link Protocol Disciminator: normal GSM

(not Cell Broadcasting)

1: 86 -------0 Information Frame

1: 86 ----011- N(S), Sequence counter: 3

1: 86 ---0---- P

1: 86 100----- N(R), Retransmission counter: 4

2: 21 -------1 EL, Extended Length: y

2: 21 ------0- M, segmentation: N

2: 21 001000-- Length: 8

3: 06 0------- Direction: From originating site

3: 06 -000---- 0 TransactionID

3: 06 ----0110 Radio Resouce Management

4: 2e 00101110 RRassignCommand

5: 0d -----101 Timeslot: 5

5: 0d 00001--- TCH/F + ACCHs

6: c3 110----- Training sequence code: 6

6: c3 ---000-- Single Channel

7: ff ........ Absolute RF channel number: 1023

8: 05 ----0101 Power Level: 5

10: 21 00100001 Channel Mode: TCH/F or TCH/H rev 2

SDCCH, from BTS to MS:

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

27 di 35 12/08/2008 11.14

Page 28: Gsm Scanner

000: 03 22 19 83 01 1e 02 ea - 88 2b 2b 2b 2b 2b 2b 2b

001: 2b 2b 2b 2b 2b 2b 2b

0: 03 -------1 Extended Address: 1 octet long

0: 03 ------1- C/R: Command

0: 03 ---000-- SAPI: RR, MM and CC

0: 03 -00----- Link Protocol Disciminator: normal GSM

(not Cell Broadcasting)

1: 22 -------0 Information Frame

1: 22 ----001- N(S), Sequence counter: 1

1: 22 ---0---- P

1: 22 001----- N(R), Retransmission counter: 1

2: 19 -------1 EL, Extended Length: y

2: 19 ------0- M, segmentation: N

2: 19 000110-- Length: 6

3: 83 1------- Direction: To originating site

3: 83 -000---- 0 TransactionID

3: 83 ----0011 Call control. call related SS messages

4: 01 00------ Send Sequence Number: 0

4: 01 --000001 Call Alerting

6: 02 00000010 L of IE Progress Indicator: 2

7: ea -11----- Coding standard: GSM-PLMNS

7: ea ----1010 Location: Network beyong interworking

point

8: 88 -0001000 Progress: In-band information or appr.

pattern available

SDCCH, from BTS to MS:

000: 03 24 09 83 07 2b 2b 2b - 2b 2b 2b 2b 2b 2b 2b 2b

001: 2b 2b 2b 2b 2b 2b 2b

0: 03 -------1 Extended Address: 1 octet long

0: 03 ------1- C/R: Command

0: 03 ---000-- SAPI: RR, MM and CC

0: 03 -00----- Link Protocol Disciminator: normal GSM

(not Cell Broadcasting)

1: 24 -------0 Information Frame

1: 24 ----010- N(S), Sequence counter: 2

1: 24 ---0---- P

1: 24 001----- N(R), Retransmission counter: 1

2: 09 -------1 EL, Extended Length: y

2: 09 ------0- M, segmentation: N

2: 09 000010-- Length: 2

3: 83 1------- Direction: To originating site

3: 83 -000---- 0 TransactionID

3: 83 ----0011 Call control. call related SS messages

4: 07 00------ Send Sequence Number: 0

4: 07 --000111 Call Connect

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

28 di 35 12/08/2008 11.14

Page 29: Gsm Scanner

SDCCH, from BTS to MS:

000: 03 88 0d 06 0d 00 2b 2b - 2b 2b 2b 2b 2b 2b 2b 2b

001: 2b 2b 2b 2b 2b 2b 2b

0: 03 -------1 Extended Address: 1 octet long

0: 03 ------1- C/R: Command

0: 03 ---000-- SAPI: RR, MM and CC

0: 03 -00----- Link Protocol Disciminator: normal GSM

(not Cell Broadcasting)

1: 88 -------0 Information Frame

1: 88 ----100- N(S), Sequence counter: 4

1: 88 ---0---- P

1: 88 100----- N(R), Retransmission counter: 4

2: 0d -------1 EL, Extended Length: y

2: 0d ------0- M, segmentation: N

2: 0d 000011-- Length: 3

3: 06 0------- Direction: From originating site

3: 06 -000---- 0 TransactionID

3: 06 ----0110 Radio Resouce Management

4: 0d 00001101 Channel Release

5: 00 00000000 RR-Cause (reason of event) = Normal

event

5.11. The Ericcson TEMS Approach

Various Ericcson phones can be used for tracing. Womax is using the t28s together withthe tems-investigation software. Screenshots:

Cipher Mode Complete Command1.Classmark Change2.

More:

http://www.ericsson.com/solutions/tems/index.shtml1.

5.12. The Vitel TSM30 Approach

This project has been moved to http://wiki.thc.org/gsm/opentsm. The goal is to modify andcompile the source of the TSM30 and reflash it with our modifications. Projects are turningthe TSM30 into a trace mobile and sending custom gsm messages. This in itself is cool. Theresearch will also help us getting the USRP to send gsm messages and maybe building ourown basestation.

5.13. The MADos Approach

MADos is a free open source OS for the Nokia DCT-3 series. We would like to evaluate ifwe can modify the source and send/receive gsm messages.

Download Source: MADos.rar

Links:

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

29 di 35 12/08/2008 11.14

Page 30: Gsm Scanner

http://www.g3gg0.de/wordpress/projects/mados/http://nokix.pasjagsm.pl/help/blacksphere/sub_250software/sub_mados.htm

It seems that there is not DSP message control with MADos (yet). Little information aboutreversing the protocol between MCU and DSP is here: http://nokix.pasjagsm.pl/help/blacksphere/sub_100hardware/sub_dsp/sub_mdi.htm

5.14. Mysteries

This is a collection of mysteries. Here we collect everything that we can not explain.SOLVE A MYSTERY TODAY - EDIT THIS SECTION AND EXPLAIN IT!

5.14.1. Mystery 1: TMSI f

BCCH carrier. I see Radio Resource Management -> Paging Request Type 1 that contain aTMSI that is set to 'f'. I see hundrets of these packtes. Why f?

000: 15 06 21 00 01 f0 2b 2b - 2b 2b 2b 2b 2b 2b 2b 2b

001: 2b 2b 2b 2b 2b 2b 2b

0: 15 000101-- Pseudo Length: 5

1: 06 0------- Direction: From originating site

1: 06 -000---- 0 TransactionID

1: 06 ----0110 Radio Resouce Management

2: 21 00100001 Paging Request Type 1

3: 00 ------00 Page Mode: Normal paging

5: f0 -----000 Type of identity: No Identity

The lenght is set to 1. This means one octet follows: Just the type of identity but no actualnumber.

Question: What is f in 0xf0?Answer: "1111" = end marker code (3GPP TS 24.008, Table 10.5.4)

1.

Question: Why is this sent?Anser: Sent to fill idle time on the CCCH.

2.

5.14.2. Mystery 2: Unknown RRM 06 07

Received:

05 06 07 c0 1c 04 aa 63 43 74 7f e0 12 e8 4a bc ...

05 = Pseudo Length 1 (hu?)

06 = Protocol discriminator: RRM

07 = Hu? what this?

Question: Why is pseudo length set to 1 but i still see valid data? It can not be 1 inthe first place because no layer 3 message is only 1 byte long

1.

Question: What is 07?2.

5.14.3. Mystery: Pseudo Length 0 but data

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

30 di 35 12/08/2008 11.14

Page 31: Gsm Scanner

Received (2 examples):

01 06 03 df f4 a0 00 00 00 00 00 00 ...

01 06 00 80 f7 81 70 db 09 13 69 26 ...

01 = Pseudo Length 0

Length is set to 0 but packet contains data.

Question: Anything hidden in here?1.Answer: These are Rest Octets. They are a GSM extention. Some rest octets andtheir coding are defined in GSM 04.08:10.5.2.16. Putting data in the rest octets cameabout with GPRS. In order to maintain compatibility with GSM, GPRS informationcan be transmitted in the rest octets and a GPRS capable phone will use theinformation, but a GSM phone will ignore it.

2.

5.15. Converting ARFCN to Frequency

GSM-935:

frequency = 935 + 0.2 * ARFCN

Example (ARFCN == 27):

940.4 = 935 + 0.2 * 27

GSM-1800:

frequency = 1805.2 + 0.2 * (ARFCN - 512)

Example (ARFCN == 591):

1821 = 1805.2 + (591 - 512)

6. RELEASES

6.1. Tips and Tricks

All releases are tested on live networks in the United Kingdom and the US (andmany other countries).

1.

First find a beacon carrier. Either use the method that robert describes or use theNetmonitor to check your current beacon channel and calculate the frequency fromit.

2.

Even when you have a perfect looking beacon carrier you might not receive anytraffic. This is because of Inter-Symbol-Interference (ISI). Try to enhance the signalquality by using a directional antenna (yagi).

3.

Try setting decimation to 64 (or 32) in gsm_run.py (for gsmsp release) or ingssm_usrp.py (for gssm release).

4.

6.2. Sample Data for peoples without USRP

You can analyze GSM traffic without a USRP as well. A lot of people captures data anduploaded them to the webserver at http://www.segfault.net/gsm/resources. You candownload any of the files and analyze them with any of our releases even without a USRP.If you are interested in any particular frequency range please ask on the mailinglist forsomebody to sample a file for you.

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

31 di 35 12/08/2008 11.14

Page 32: Gsm Scanner

If you own a USRP you can create your own capture file (cfile) like this (10 seconds,frequence 940.4Mhz):

usrp_rx_cfile.py -d 112 -f 940.4M -N 5714280

myfirstdump.cfile

6.3. Developer Source Code Access

The team releases stable tar packages every once in a while. They are listed below. Thereis also a anonymous git repository for the latest version:

$ git clone git://romeo.thc.org/gsm.git gsm

Compile gsm-tvoid and gsmdecode by running in both directories:

./bootstrap

./configure

make

To analyze the example dump file from robert pipe the output of gsm-tvoid intogsmdecode:

cd gsm-tvoid/src/pyton

./gsm_scan.py -SN -pd -d 112 -I GSMSP_940.8Mhz_118.cfile

| ../../../gsmdecode/src/gsmdecode -i

Write-access is given to active developers. To become an active developer you mustsubmit one useful patches to the mailinglist first. To create a patch please execute:

git diff >myname.diff

6.4. GSSM

2007/07/09GSSM is joshua's release of a USRP GSM implementation. Please see http://wiki.thc.org/gsm/gssm for the release notes.

Receiving all messages on beacon channelPatch to analyze messages in wireshark.Linux only. Requires tap + wireshark for analyzing packets.

Download: gssm-v0.1.1a.tar.bz2.

6.5. GSM tvoid

2007/07/01This is Tempest Void's GSM Software Project release. This is the most stable release andthe latest version is available from the git server.

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

32 di 35 12/08/2008 11.14

Page 33: Gsm Scanner

Calculate Frequency correctionDoes not use GMSK block anymore. Until today the best bit receiver.Fixed 1-bit DFE to remove Inter-Symbol-Interference (ISI)Channel and Message decoding (layer1).

The release is availabe at http://wiki.thc.org/gsm/tvoid.

You should use this release if you want to:

Learn about the RF partLearn about ISI and 1bit DFE's.Learn how to calculate frequency offsets.Experiment without GMSK

Quick start to analyze a cfile dump:

cd gsm-tvoid/src/python

./gsm_scan.py -SN -pd -d 112 -I myfirstdump.cfile |

../../../gsmdecode/src/gsmdecode -i

6.6. GSMSP

A GNU radio GSM Software implementation. This is probably the easier package to startwith.

Difference to GSSM:

Compiles under windows/cygwin and linux/gentoo1.Works without wireshark. Come with a build in packet analyzer.2.Does not support live capture3.

Download: gsmsp-0.2a.tar.gz

6.7. Gsmdecode

Gsmdecode is used to decode the gsm messages from the gammu trace log and a nokiadct3 mobile. In the future GSMSP outputs the data in a format that gsmdecode can decodeor we directly implement it into GSMSP (as a library).

2007/06/08 Download: gsmdecode-0.7bis.tar.gz source

SIM Toolkit supportConcatenated SMS supported (e.g. sms longer than 140 octets).Service request support (e.g. *#100# requests).Other layer 3 support (long (23+ octet) RR messages, ...)

Older versions:2007/04/16 Download: gsmdecode-0.2.tar.gz2007/04/19 Download: gsmdecode-0.3.tar.gz2007/04/27 Download: gsmdecode-0.4 source or windows binary2007/05/21 Download: gsmdecode-0.5 source or win32 binary

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

33 di 35 12/08/2008 11.14

Page 34: Gsm Scanner

7. HELP

7.1. Donations

Go to http://www.segfault.net/gsm/ if you like what we are doing. Your sponsorship isappreciated. Contact steve [at] segfault.net for details or bank account information.

7.2. Who can help

People passionate about GSM.Baseband engineers.GnuRadio enthusiasts and Ettus programmers.

7.3. How to help

Subscribe to the mailinglist.Write here if you have any information that can be helpful.Contact me: steve at segfault.netLet's get together the people who work on similar projects. Add links of similarprojects below.You can also talk to some of us on IRC, join #gnuradio on irc.freenode.net.

8. Links

8.1. Similiar Projects

iPhone JerrySIM (from http://code.google.com/p/iphone-elite/wiki/JerrySim).Executing shellcode on the gsm baseband.Homebrew mobile phone clubGnuRadio, the software that makes it all possible.Eric's GnuRadio Presentation (video, 108 MB)USPR and gnu Radio ProjectsSMS Receiver Projecthttp://www.eccpage.com/ Example source for Viterbi, convolutional decoding, CRC,...MADos Free OS for Nokia DCT3 phonesBuilding a Super Receiver using a TV receiverhttp://www.vovida.org - a open-source GSM Signalling Protocol stack. (also containsviterbi equalization, voice codecs, mm/cc/rr layer 1 message parsing, ...)Lyrtech Femto Cell SDR Video

8.2. Specs & Docs

3GPP SpecsBaseband specsGSM encryption algorithms and flawsBruce Schneier on A5 securityGSM frequency rangeA5/3 Encryption Algorithms for GSM and EDGE, and the GEA3 Encryption

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

34 di 35 12/08/2008 11.14

Page 35: Gsm Scanner

Algorithm for GPRSUK GSM info / photos (BTS) and CellIdsUK Mobile Phone Base Station DatabasePinpointing a DE Mobile Phone Base StationEstimating the Computational Requirements of a Software GSM Base StationA Brief Overview of the GSM Radio Interface

8.3. Suggested reading

Understanding Digital Signal Processing in 7 pagesPawel's GSM Scanner TutorialDSP, Suggested reading, Richard Lyons bookGoeller: GSM control channelGSM Switching, Services, and Protocols (READ IT!)MatLab ManualArticle & Video Sniffing GSM off the air

8.4. Hardware

silabs.com Silabs GSM transceiver chipUSRP boardAnalog GSM baseband chipCP028 ozzi clock

gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject

35 di 35 12/08/2008 11.14