gsm
Contents
1. LICENSE
2. About
1. What we want to do
2. Who we are
3. Howto use this site
4. Contact
5. Legal Issues
3. NEWS
4. The Projects
1. The GSM Receiver Project
2. The GSM Sending and Channel Hopping Project
3. The OpenTsm Project
4. The A5 Cracking Project
5. The GSM Decoding Project
6. The Debug Trace Project
7. The SimCom Trace Project
8. The UMTS/3G Project
9. The SIM Toolkit Research Project
5. The GSM/USRP Receiver Project
1. Priorities
2. Wanted
3. Different approaches
4. Project Stages and Schedule
1. Receiving Stages
2. Tips and Tricks
5. Hardware requirements / Where to buy
6. First Steps
1. Understanding GSM
2. Beginners Guide to GSM in MatLab
1 di 35 12/08/2008 11.14
gsm - THC Wiki http://wiki.thc.org/gsm?action=show&redirect=GsmScannerProject
1. LICENSE
2. About
2.1. What we want to do
We want to bring together all the folks that are interested in building a GSM receiver.
GSM is the world's largest mobile phone standard. GSM 2.5 is currently in use and some
countries are (slowly) migrating to GSM 3 (3G, UMTS, ...).
Available GSM analyzers cost a shitload of money for no good reason. Our goal is to build a
GSM analyzer for less than $1000.
1. Understand GSM, verify the implementation and see what kind of data is flying
through the ether.
2. Analyze debug traces from DCT3 mobiles. See the DCT3 Debug Trace Project.
3. Track/locate a GSM mobile. This can be done with just one GSMSP receiver.
4. Crack A5 and prove to the public that GSM is insecure. See the A5 Cracking Project.
5. Create our own baby cells. Imagine running your own base station in your house,
university campus, convention or local area. Calling inside the baby cell would be
free and calling others via an Asterisk/Skype gateway would be extremely cheap.
6. Analyze and learn about the OTA messages that operators use to upgrade our phones
(without our knowledge). (That's SIM toolkit, ringtones, logos, ...)
7. Detect if a GSM MitM attack is happening in our area (e.g. we can detect if
somebody else is sniffing a conversation within a 7+ mile radius).
A separate project is designing its own RF board to receive GSM signals. Please take a
look at http://wiki.thc.org/gsm/rfboard.
This is a research project by people who feel passionate about GSM and gnuradio. We
started it because we could not find a site where people can share ideas about home-built
GSM receivers/scanners, and we think GSM software receivers are a cool thing to have. And
DECT too...
Please feel free to edit this page and add your comments and ideas. Please start your
comments with "(yyyy/mm/dd, name, comment here)".
2.4. Contact
I can be reached at steve at segfault.net. (PGP Key)
Some of us are hanging out on the freenode IRC channel #gnuradio and #gsm.
There is no direct law that forbids what we are doing (companies like Nokia and Sagem
are doing exactly the same: manufacturing GSM scanners that anyone can buy). These
are the legal implications in the UK:
The bottom line is: publishing the research is ok. As long as you receive your own traffic
and only transmit after you have obtained the licence, you are on good ground.
This is based on UK law. European law is similar (if not more relaxed). US law might be
completely different and I highly advise checking with a lawyer. If you do so, please let me
know the results.
3. NEWS
4. The Projects
This wiki started as a project for receiving GSM signals. Over time many other projects
surfaced. Each of the projects deserves its own wiki. A short description and link to the
wiki are listed here.
1. Viterbi / ISI: This is the single most important thing people are currently working
on. It can either make the project a success or fail it. The mission is to get better
(error-free) bit data out of the GSM signal. We are currently suffering from high bit
error rates.
2. Channel hopping: Required if we want to go beyond camping on the BCCH. The
theory is there; it has to be tested (especially whether it's fast enough and/or whether we
have to flush the USRP buffer?!).
3. Release: If we pack our source into a release tarball, other people will be able to
play around with it and come back with better ideas.
4. Misc: Everything not covered above (like channel decoding).
5.2. Wanted
If you can help with any of the items below please contact steve or write on the mailing list!
Using the USRP and software is the right way to go. Vanu Inc apparently got a software GSM
modem working (but not using Ettus?!). PCs are fast enough. See the gnu-radio list archive and
search for Vanu.
and a little time later a DECT (European standard for cordless phones) receiver. DECT is
unencrypted in most cases.
Comment from an RF engineer: About Stage 1. It seems not too difficult to develop the device that can read from the air. Channel switching can be easily done using a PLL-based LO. The most critical part here is the DSP-based GMSK demodulation. Do we have DSP-friendly people here? About ready-to-use hardware. The GSM air interface has very special requirements (band filter, LNA, AGC etc.). It is nearly impossible to satisfy them using general purpose RF hardware. As for me, it should be a dedicated device. There are two options here: to develop it from zero using basic blocks (LNA, mixer, quadrature decoder etc.) OR to use semi-dedicated ICs which combine some of the needed functionality. I don't think we can use any mass-volume GSM chipset because it will be absolutely inflexible, thus useless.
2007/01/25 Comment from an electrical engineer: Last year I looked into doing GSM receive operation only, and concluded that the easiest solution would be to use the USRP paired with a suitable RF daughterboard. They have a daughterboard that will tune the PCS band (receive only). The IF bandwidth is wide @ 43 MHz, but the USRP has a very large dynamic range. Also, GMSK is constant envelope, so if the A/D saturates it shouldn't be the end of things. I doubt it would meet all the GSM RF requirements, but it might be close enough to work, albeit with worse noise figure etc. However I remember thinking that the FPGA resources might be too limiting for the high-rate signal processing. More investigation would be necessary.
1. RF interface
- EMPTY
2. Decoding packets I
- Search for the FCCH before the bits are differentially decoded. Search for the 64-bit
SCH training sequence before the differential decoding as well. This speeds up the
process. Accept FCCHs and SCHs with up to 11 bit errors (or even more?).
- Once you know where the 156-bit bursts start, always set the first 3 bits to 0. These
first 3 bits are the training bits and ought to be 0. 5% of my received data has a bit
error in the training bits. Otherwise the differential decoding process will propagate a
bit error in the first 3 bits through the entire burst.
- Skip dummy bursts (do not differentially decode, de-interleave or convolutionally
decode them).
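The first two tips above, worked as an added Python example (it is not code from the wiki's toolkit or from the GSMSP release): an FCCH search that runs on the bits as they leave the demodulator, before differential decoding, and accepts up to 11 bit errors as suggested; and a differential decoder that forces the three leading bits of the burst (its tail bits) to zero. GSM's differential encoding is d[i] = b[i] XOR b[i-1], so decoding is a running XOR over the whole burst and one wrong input bit inverts every bit after it; the demo reproduces that propagation and the fix. The sample bit stream, the error positions, the burst contents and the decoder's initial state b[-1] = 0 are this example's own constructions; the dummy-burst skip (third tip) is not shown because it needs the fixed dummy-burst pattern.

```python
"""FCCH search before differential decoding, and tail-bit forcing (added example)."""

FCCH_LEN = 148   # 3 tail + 142 fixed + 3 tail bits of an FCCH burst, all zero


def find_fcch(dbits, max_errors=11, length=FCCH_LEN):
    """Return the start index of the `length`-bit window with the fewest ones,
    or None if even that window has more than `max_errors` ones.
    `dbits` are the bits BEFORE differential decoding: a demodulated FCCH is a
    run of 'repeated bit' symbols, i.e. all zeros in this domain, so the search
    does not need the decoded bits at all (which is the speed-up the tip means)."""
    if len(dbits) < length:
        return None
    ones = sum(dbits[:length])               # running count over the window
    best_start, best_ones = 0, ones
    for start in range(1, len(dbits) - length + 1):
        ones += dbits[start + length - 1] - dbits[start - 1]
        if ones < best_ones:
            best_start, best_ones = start, ones
    return best_start if best_ones <= max_errors else None


def diff_encode(bits):
    """Transmitter side, for building test vectors: d[i] = b[i] XOR b[i-1]."""
    out, prev = [], 0
    for b in bits:
        out.append(b ^ prev)
        prev = b
    return out


def diff_decode(dbits, force_tail=True):
    """Receiver side: b[i] = d[i] XOR b[i-1], starting from b[-1] = 0 (assumed).
    Every output bit is the XOR of all input bits so far, so a single wrong
    input bit flips the rest of the burst. With force_tail=True the three
    leading tail bits are overwritten with 0, as the second tip recommends."""
    d = list(dbits)
    if force_tail:
        d[0:3] = [0, 0, 0]
    out, acc = [], 0
    for x in d:
        acc ^= x
        out.append(acc)
    return out


# Constructed sample stream: 40 bits of junk, an FCCH burst with three bit
# errors, 40 more bits of junk. The true burst start is index 40.
_FCCH = [0] * FCCH_LEN
for _i in (10, 50, 90):
    _FCCH[_i] = 1
SAMPLE_STREAM = [1, 0, 1, 1] * 10 + _FCCH + [1, 1, 0, 1] * 10

# Constructed normal-burst fragment: 3 tail bits, payload, 3 tail bits.
BURST = [0, 0, 0] + [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0] + [0, 0, 0]


def demo_propagation():
    """Corrupt the second differential bit and decode with and without
    tail-bit forcing. Returns (original, decoded_unforced, decoded_forced)."""
    d = diff_encode(BURST)
    d[1] ^= 1                                # one bit error inside the tail bits
    return BURST, diff_decode(d, force_tail=False), diff_decode(d)


if __name__ == "__main__":
    print("FCCH at", find_fcch(SAMPLE_STREAM))
    orig, bad, fixed = demo_propagation()
    print("errors without forcing:", sum(a != b for a, b in zip(orig, bad)))
    print("errors with forcing:   ", sum(a != b for a, b in zip(orig, fixed)))
```

find_fcch returns the window with the fewest ones rather than the first window under the threshold: with an 11-error allowance, the first window that passes the threshold starts several bits before the real burst, so the minimum is the better timing estimate.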
Optional Antenna:
Note: A different antenna is required depending on the frequency range. You should have
one for GSM900 and another one for GSM1800. The same antenna won't work on both
frequency ranges.
850 MHz [US rural areas] (824.2 - 848.8 MHz Tx; 869.2 - 893.8 MHz Rx)
P-GSM (914.8 MHz Tx; 925 - 959.8 MHz Rx; Channels 0 - 124)
P-GSM extension (880 - 889.8 MHz Tx; 925 - 934.8 MHz Rx; Channels 975 - 1023)
GSM-R [Railway] (876 - 879.8 MHz Tx; 921 - 924.8 MHz Rx; Channels 955 - 974)
1800 MHz [Europe] (1710.2 - 1784.8 MHz Tx; 1805.2 - 1879.8 MHz Rx)
1900 MHz [US city] (1850.2 - 1909.8 MHz Tx; 1930.2 - 1989.8 MHz Rx)
Europe used 900 MHz only and later also started to use 1800 MHz. The US started with 1900 MHz
and later used 850 MHz. 850 MHz is mostly used in rural areas but can sometimes be found
in cities. T-Mobile is not available on 850 MHz.
The frequency for receiving data from the BTS to the mobile (downlink) is 45 MHz above the Tx
(uplink) frequency.
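An ARFCN-to-frequency helper for the bands in the table above, added here as an example (it is not part of the wiki's toolkit). Channel raster and band ranges follow 3GPP TS 45.005: 200 kHz channel spacing everywhere, 45 MHz duplex spacing in the 850/900 MHz bands, but 95 MHz in the 1800 MHz band and 80 MHz in the 1900 MHz band, so the "45 MHz above" rule stated above holds for the 850/900 MHz bands only. The band names used as dictionary keys are this example's own labels; the spec's formula puts GSM-R channel 955 at 876.2 MHz, 0.2 MHz above the edge in the table.

```python
"""ARFCN <-> carrier frequency for the GSM bands listed above (added example)."""

# band: (first ARFCN, last ARFCN, uplink MHz at the first ARFCN, duplex MHz)
# per 3GPP TS 45.005. The band names are this example's own labels.
BANDS = {
    "GSM850":  (128, 251, 824.2, 45.0),     # 850 MHz [US rural areas]
    "P-GSM":   (0, 124, 890.0, 45.0),       # primary 900 MHz band
    "E-GSM":   (975, 1023, 880.2, 45.0),    # P-GSM extension
    "GSM-R":   (955, 974, 876.2, 45.0),     # railway band
    "DCS1800": (512, 885, 1710.2, 95.0),    # 1800 MHz: 95 MHz duplex spacing
    "PCS1900": (512, 810, 1850.2, 80.0),    # 1900 MHz: 80 MHz duplex spacing
}
CHANNEL_SPACING = 0.2   # MHz


def arfcn_to_freq(arfcn, band):
    """(uplink MHz, downlink MHz) for `arfcn` in `band`. Uplink is MS->BTS
    ("Tx" in the table above), downlink is BTS->MS ("Rx")."""
    first, last, f_first, duplex = BANDS[band]
    if not first <= arfcn <= last:
        raise ValueError(f"ARFCN {arfcn} is outside {band} ({first}-{last})")
    uplink = round(f_first + CHANNEL_SPACING * (arfcn - first), 1)
    return uplink, round(uplink + duplex, 1)


def band_edges(band):
    """(uplink low, uplink high, downlink low, downlink high) in MHz."""
    first, last, _, _ = BANDS[band]
    lo, hi = arfcn_to_freq(first, band), arfcn_to_freq(last, band)
    return lo[0], hi[0], lo[1], hi[1]


def freq_to_arfcn(downlink_mhz):
    """All (band, ARFCN) pairs whose downlink carrier is `downlink_mhz`.
    A list, because the 1800 and 1900 MHz bands share ARFCN numbers: a
    receiver that only knows the tuned frequency must also be told the band."""
    hits = []
    for band, (first, last, f_first, duplex) in BANDS.items():
        n = first + round((downlink_mhz - duplex - f_first) / CHANNEL_SPACING)
        if first <= n <= last and arfcn_to_freq(n, band)[1] == round(downlink_mhz, 1):
            hits.append((band, n))
    return hits


if __name__ == "__main__":
    for name in BANDS:
        print(name, band_edges(name))
    # The downlink frequencies of the capture files named later on this page.
    print(freq_to_arfcn(953.6), freq_to_arfcn(941.0))
```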
These two articles give a fairly good understanding of how GSM looks like.
1. http://www.pulsewan.com/data101/gsm_basics.htm
2. http://www.cs.ucl.ac.uk/staff/t.pagtzis/wireless/gsm/radio.html
Toolkit: GSMSP_Analyzing_GSM_data_in_MatLab.zip
This toolkit is based on the fantastic work of Jan and Arne. Please check out their
Matlab GSM Simulator as well.
If you need help understanding MatLab please read The MatLab Manual.
Download: GSMSP_Analyzing_GSM_data_in_Octave.tar.bz2
I've prepared a version of "GSMSP Analyzing GSM data in Matlab" which runs under
Octave with the octave-forge functions installed.
To use it under *buntu you should install gnuplot and octave-forge (it depends on
octave2.1). Run the command:
My changes:
needed because the resample function from Octave doesn't work with GSMsim.
I think GSMsim is a good reference implementation of a Viterbi Equalizer for GSM. Tvoid has
already written functions which work like this in the files find_fcch.m, find_sch.m,
calc_freq_offset.m and xlat_freq.m.
I think we can use the Viterbi Equalizer which works like this from GSMsim and put it in
functions of Tvoid's release, in get_sch_burst() and get_norm_burst() (or in equalize()).
Regards
Piotr Krysik
1. Screenshot 1
2. Screenshot 2
3. Screenshot 3
On the screenshots we can see a frequency correction (FCCH) packet (only zeros are
transmitted), and Training Sequence #4 (1,1,1,1,0,1,1,0,1,0,0,0,1,0,0,0) in the middle of
two different packets.
After the FM demodulation block, due to the differential modulation in GSM, we can interpret a high
signal value as a repeated bit and a lower signal value as a changed bit. One bit lasts
about 3.69 microseconds, so you will have to switch to a different scale/div.
Use Pawel's gnu radio script fix to read the data from a file (and not from a live feed).
5.6.5. Challenge 1
This is a challenge and the winner gets a FREE starter kit ($975):
USRP
DBSRX
Antenna
Cable
The Challenge:
Whoever can identify the most frames and information from Robert's samples wins the
challenge and gets the FREE USRP Starter Kit.
to steve at segfault.net before the 18th of February 2007, 23:59. Your work will be
submitted to the mailing list and published on our website (http://www.thc.org/gsm).
I'll announce the winner of the USRP Starter Kit on the 19th!
Tore uses MatLab and the GSMsim plugins to extract information from Robert's off-the-air
captures. Using the GSMsim plugin helps him to extract a lot of information in a short
period of time.
Fank J. also decided to use MatLab. Here are his results.
Bursts: chart1.png
FCH in Slot0: chart2.png
Slot0: chart3.png
The Sagem OT460 does not offer the full functionality that we require. It is limited to
the GSM Dm channel and cannot transmit. Nevertheless it's an exciting device that
comes with powerful analysis software.
The Sagem OT460 is a Trace Mobile. It connects to the PC via a USB cable. It can capture
live data from the GSM Dm channel. It captures frames from the entire GSM band at the
same time. It comes with software to display and analyze the captured frames. It costs
around 3499 EUR and is sold by sagem.com or www.ers.fr.
The OT460 is visible as a COM port under Windows. It is possible to write custom software
to configure and retrieve information from the OT460. An outdated protocol abstract is
available. The full spec of the protocol is available to developers directly from sagem.com.
Dr.-Ing. Joachim Goeller was so friendly as to capture some data for us. He used his own tool
(EDGEView) to analyze the data and disassemble the packets.
The second example is a capture from when a phone was turned on, the PIN entered and then turned
off again:
We might be able to use his EDGEView software to analyze our data as well. We can
benchmark our captures against the OT460 device.
I do not recommend using Windows / cygwin. Use Linux (Ubuntu or Gentoo) instead. This
is a short howto for installing gnu-radio and usrp under Windows / cygwin. If you run into
problems please ask me or modify this text.
There are a couple of install guides on the net. They are all incomplete:
1. http://gnuradio.org/trac/wiki/CygwinInstallMain
2. http://www.comsec.com/wiki?Cygwin
Extract all source packages to /tmp. Source packages are installed with ./configure, make
all install. It only depends on the parameters...
1. export PATH=$PATH:/usr/local/bin:/usr/local/sbin
2. export PYTHONPATH=/usr/local/lib/python2.4/site-packages/
3. Install cygwin with python, swig, pkg-config
4. Install sdcc from http://sdcc.sf.net
5. Install Boost C++ from http://www.boost.org
6. Install LibUSB-Win32 to C:\LibUSB-Win32 (libusb-win32-filter-bin-0.1.12.0.exe)
(Note: Apparently you can also just install libusb-win from the cygwin setup).
- cd /cygdrive/c/LibUSB-Win32/src
- make all
- cp libusb0.sys libusb0.dll /tmp/gnuradio-3.0.2/usrp
- now follow the USRP Install Guide.
7. Install Cppunit with this patch
- cd cppunit-1.10.2; patch -p1 -u <../cppunit-win32.patch
- ./configure --enable-shared --disable-static
- make LDFLAGS=-no-undefined all install
8. Install fftw-3.1.2
- ./configure
- make LDFLAGS=-no-undefined all install
9. Install gnuradio-3.0.2.
- There is a conflict between the max() and min() macros and the windows.h include from
LibUSB-Win32. Apply this patch.
- CFLAGS="-I/cygdrive/c/LibUSB-Win32/include" LDFLAGS="-L/cygdrive/c/LibUSB-Win32/lib/gcc" libusbwin32path="/cygdrive/c/LibUSB-Win32/bin" ./configure --with-boost-include-dir=/tmp/boost_1_33_1 --with-md-cpu=generic --disable-static --enable-usrp --enable-gr-usrp
- make CPPFLAGS="-I/cygdrive/c/LibUSB-Win32/include"
- make CPPFLAGS="-I/cygdrive/c/LibUSB-Win32/include" install
Use the example from Josh's page to test your gnu-radio installation.
5.6.8. NetMonitor
Nokia phones can be used in monitor mode. The NetMonitor software displays all kinds of
useful information. It helps you to find out your current TMSI, the BCH you are on, the
distance to the base station, neighbouring cells, signal strength and much more. Search
Google for the software or use these links:
NetMonitor (OperatorFtdwk39v7.sis)
NetMonitor Guide
I used NetMonitor to confirm which beacon carrier I was able to find and to filter only
packets for my TMSI.
edited: Not only Nokia phones can be used in net monitor mode; the majority of phones
can. Just check Google or forum.gsmhosting.com for your phone.
Robert wrote a nice article on how to find a base station manually using a USRP. His
article is available at http://273k.net/gsm/find-a-gsm-base-station-manually-using-a-usrp/.
It gives you a good introduction to the tools and some nice graphical results.
and-building-a-gsm-antenna/.
0.0298 0.0308 0.1146 0.1289 0.1687 0.1898 0.1904 0.1917 0.1296 0.1186 0.0552 0.0303 0.0053 0.0184 0.0196 0.0563 0.0397
(these are the absolute values of the estimated channel for OSR=4).
Note2: I also noticed a slight drift (successive channel estimates differing by a constant phase) which suggests that the frequency correction is not perfect. The result is an unknown phase (almost constant) within a burst. This was observed both on:
GSMSP_20070204_robert_dbsrx_953.6MHz_64.cfile
GSMSP_20070204_robert_dbsrx_941.0MHz_128.cfile
but not on
GSMSP_20070204_robert_dbsrx_953.6MHz_128.cfile
The SCH burst can be further demodulated to extract the information about which training sequence is used in this cell. In fact I was able to find that by simply correlating normal bursts with all 6 possible training sequences and finding the best match, so one can avoid this step... so that physical layer processing does not depend on higher layer information (but ultimately this cannot be avoided...)
Once timing information has been extracted (accuracy of 1 sample) and a channel estimate is there, all other bursts can be processed in the following way (this also holds for the SCH burst itself):
Matched filtering, symbol-spaced sampling followed by your favorite
1. How I Learned To Love Trellis. This article was very helpful for me at the
beginning. It explains what Inter-Symbol Interference (ISI) is and introduces the
concept of detecting signals that contain such distortion using the Viterbi algorithm.
2. A MatLab implementation of a GSM Simulation Platform. Great documentation of a
receiver working in theory and, according to Tore's results, working in practice. The
documentation contains a brief theory of estimating the channel impulse response and
MLSE.
3. GSM Simulator in Octave and Source. Octave is open source software available to
everyone and has a syntax similar to MATLAB's. This implementation doesn't include
synchronization (GSMsim has some form of finding the first sample in a burst) but it has
Least Squares channel estimation (GSMsim uses convolution of the received sequence
with the known training sequence).
4. Equalization in GSM using a priori information. The first 30 pages contain
interesting theory in a straightforward form, especially on channel estimation.
5. 3GPP TS 05.05 "Radio Access Network; Radio transmission and Reception".
Some raw data from ETSI regarding this topic, for example typical channel impulse
responses in Annex C.
6. Soft output M-algorithm equaliz1er and trellis-coded modulation for mobile radio
communication. An algorithm with reduced complexity.
7. Adaptive T-Algorithm in MLSD/MLSDE Receivers for Fading Channels. Another
reduced-complexity algorithm.
8. Maximum-Likelihood Sequence Estimation of Digital Sequences in the Presence of
Intersymbol Interference. A very theoretical and hard-to-read article which introduced
MLSE detection.
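The synchronisation and channel-estimation steps described in the quoted notes above (timing from training-sequence correlation, a channel estimate, then symbol-spaced processing) and the contrast in item 3 between correlation-based and least-squares channel estimation, worked as one added example in pure Python; it is not GSMsim's or the Octave simulator's code. It uses training sequence code 0 from 3GPP TS 45.002, whose central 16 bits have zero periodic autocorrelation at lags 1 to 5 (which is why the correlation estimate comes out exact for channels of up to five taps), symbol-spaced samples (OSR=1 rather than the OSR=4 of the notes), a real-valued 3-tap channel, payload bits around the training sequence and no noise; everything marked constructed is this example's own assumption.

```python
"""Added example: burst timing and channel impulse response (CIR) estimation
from a GSM training sequence; symbol-spaced (OSR=1), real-valued, noiseless."""

# Training sequence code 0 from 3GPP TS 45.002 (26 bits). Its central 16 bits
# have zero periodic autocorrelation at lags 1..5, so the correlation-based
# CIR estimate below is exact for channels of up to 5 taps.
TSC0 = [0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0,
        0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1]
CENTRAL = slice(5, 21)            # the 16 central training bits


def to_symbols(bits):
    """Bits to antipodal symbols: 0 -> +1, 1 -> -1."""
    return [1 - 2 * b for b in bits]


def apply_channel(symbols, taps):
    """Linear ISI channel y[n] = sum_k taps[k] * x[n-k], with x[n<0] = 0."""
    return [sum(h * symbols[n - k] for k, h in enumerate(taps) if n - k >= 0)
            for n in range(len(symbols))]


def build_burst(data_before, data_after, taps):
    """Constructed burst: data bits, TSC0, data bits, pushed through `taps`.
    Returns (received samples, index of the first training symbol)."""
    bits = data_before + TSC0 + data_after
    return apply_channel(to_symbols(bits), taps), len(data_before)


def find_timing(rx):
    """Slide the 16 central training symbols over rx; the index with the
    largest correlation magnitude is where the central block starts. At the
    true alignment the correlation equals 16 * h[0] and, thanks to the zero
    autocorrelation at lags 1..5, the neighbouring offsets score 16 * h[k]."""
    ref = to_symbols(TSC0[CENTRAL])
    scores = [abs(sum(rx[t + n] * ref[n] for n in range(16)))
              for t in range(len(rx) - 15)]
    return max(range(len(scores)), key=scores.__getitem__)


def cir_by_correlation(rx, t_center, ntaps):
    """GSMsim-style estimate: h[k] = (1/16) sum_n rx[t_center+n+k] * ref[n]."""
    ref = to_symbols(TSC0[CENTRAL])
    return [sum(rx[t_center + n + k] * ref[n] for n in range(16)) / 16.0
            for k in range(ntaps)]


def cir_by_least_squares(rx, t_center, ntaps):
    """LS estimate: minimise ||r - S h|| with S[n][k] = s26[5+n-k] over the 16
    central symbols (the approach of the Octave simulator in item 3), solved
    through the normal equations (S^T S) h = S^T r by Gaussian elimination."""
    s26 = to_symbols(TSC0)
    rows = [[s26[5 + n - k] for k in range(ntaps)] for n in range(16)]
    r = rx[t_center:t_center + 16]
    a = [[sum(rows[n][i] * rows[n][j] for n in range(16)) for j in range(ntaps)]
         for i in range(ntaps)]                                   # S^T S
    b = [sum(rows[n][i] * r[n] for n in range(16)) for i in range(ntaps)]  # S^T r
    for i in range(ntaps):                           # forward elimination
        for j in range(i + 1, ntaps):
            f = a[j][i] / a[i][i]
            for k in range(i, ntaps):
                a[j][k] -= f * a[i][k]
            b[j] -= f * b[i]
    h = [0.0] * ntaps
    for i in reversed(range(ntaps)):                 # back substitution
        h[i] = (b[i] - sum(a[i][k] * h[k] for k in range(i + 1, ntaps))) / a[i][i]
    return h


# Constructed inputs: a 3-tap channel and the payload bits around the TSC.
TAPS = [1.0, 0.5, 0.2]
BEFORE = [0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1]
AFTER = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0]


def demo():
    """Build the burst, recover timing, estimate the CIR both ways."""
    rx, t_train = build_burst(BEFORE, AFTER, TAPS)
    t_center = find_timing(rx)
    return {
        "t_center": t_center, "expected": t_train + 5,
        "corr": cir_by_correlation(rx, t_center, len(TAPS)),
        "ls": cir_by_least_squares(rx, t_center, len(TAPS)),
    }


if __name__ == "__main__":
    print(demo())
```

In this noiseless model both estimators return the true taps. With noise, or with more than five taps, the correlation estimate picks up the reference sequence's non-zero sidelobes whereas least squares does not; that is the practical difference between the two methods item 3 contrasts. The phase drift reported in the notes would appear in a complex-valued version of this model as a slow rotation of the estimated taps from burst to burst.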
TODO:
Advantages:
Disadvantages:
In 2003 there was the Blacksphere Project. They reversed the undocumented debug
protocol of DCT3 mobile phones. It is possible to enable a debug trace and receive many
of the layer 2/layer 3 frames.
The latest project update to the DCT3 debug tracer can be found at
http://tudor.rdslink.ro/blacksphere/nokia.htm.
Nokia's NetMonitor can be used on the phone to tune to a certain BTS. It's currently
unknown if a *bus command exists to change the tuner to a different frequency.
Gammu is a command line tool, which we prefer. There is also a GUI (N-Monitor by
Anderas Schmidt) for any DCT3 trace mobile. Please see Nuukiaworld for more details.
This command can be used to enable layer 2/layer 3 tracing. It generates the file out.xml and
a lot of debug output.
gsmdecode -x <out.xml
The best mobile for testing is the Nokia 3310. You need a special MBUS data cable
(NK-33), available at http://ucables.com/ref/NK-33.
If you are using a USB-to-serial adapter you must configure it as COM1 or COM2.
The debug trace forwards most layer 2/layer 3 frames that the mobile processes. This
includes the BCCH on the beacon frequency on the downlink and most frames the mobile
sends (uplink). It does not forward TCH (traffic) frames.
call_init.xml
sms.xml
sms2.xml (SMS content "abc")
call_1525.xml
We have created a sub-project for sharing traces. Please take a look at the DCT3 Debug
Trace Project and submit your traces to me.
This trace was generated with a Nokia DCT3. It's downlink only. An SMS was sent from the
mobile to the mobile. The decoding was done with gsmdecode-0.2.tar.gz. I only display
the information relevant to the receiving part of the SMS. If you are interested in the
BCCH messages (Bbis format, Immediate Assignment etc.) please run gsmdecode with
the -i option.
The following commands have been used to analyze the sms2.xml file:
Some facts:
OpenGPA does not decode the interesting messages. We used our own decoder
(gsmdecode).
It seems that SMS are sent encrypted from the BTS to the MS.
See 3GPP 04.11 Appendix F, Figure F2 for the exchange of messages.
See 3GPP 03.38 for SMS data coding.
Questions:
000: 01 73 41 06 27 03 03 33 - 19 81 08 29 64 30 07 01
001: 02 74 66 2b 2b 2b 2b
0: 01 -------1 Extended Address: 1 octet long
0: 01 ------0- C/R: Response
0: 01 ---000-- SAPI: RR, MM and CC
0: 01 -00----- Link Protocol Disciminator: normal GSM
(not Cell Broadcasting)
1: 73 ------11 Unnumbered Frame
1: 73 ---1---- P
1: 73 011-00-- UA frame (Unnumbered achknowledgement)
2: 41 -------1 EL, Extended Length: yes [FIXME]
2: 41 ------0- M, segmentation: N
2: 41 010000-- Length: 16
3: 06 0------- Direction: From originating site
3: 06 -000---- 0 TransactionID
3: 06 ----0110 Radio Resouce Management
4: 27 0-100111 RRpagingResponse
4: 27 -x------ Send sequence number: 0
5: 03 -----011 Ciphering key sequence: 3
5: 03 -000---- Ciphering key sequence: 0
6: 03 00000011 MS Classmark 2 length: 3
7: 33 -01----- Revision Level: Phase 2
7: 33 ---1---- Controlled early classmark sending:
Implemented
7: 33 -----011 RF power class capability: Class 4
8: 19 -1------ Pseudo Sync Capability: not present
8: 19 --01---- SS Screening: Phase 2 error handling
8: 19 ----1--- Mobile Terminated Point to Point SMS:
supported
8: 19 -----0-- VoiceBroadcastService: not supported
8: 19 ------0- VoiceGroupCallService: not supported
8: 19 -------1 MS supports E-GSM or R-GSM: supported
9: 81 1------- CM3 option: supported
9: 81 --0----- LocationServiceValueAdded Capability:
not supported
Note: The Authentication Request message is missing here. Is this because the mobile is already
authenticated to the BTS because we sent an SMS before?
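A small decoder for the octets the dumps above annotate, added here as an example (it is not gsmdecode's code): the LAPDm address, control and length octets per 3GPP TS 04.06, and the L3 protocol discriminator, transaction identifier and message type per TS 04.07/04.08. Only the header fields are parsed, not the information elements, and the message-type names cover only the types that occur in these dumps. The four frames embedded below are copied byte for byte from the dumps on this page (paging response, ciphering mode command, the segmented CP-DATA and the call alerting message).

```python
"""Added example: LAPDm (TS 04.06) and L3 (TS 04.07/04.08) header decoder for
the B-format SDCCH frames shown in the gsmdecode dumps."""

SAPI_NAMES = {0: "RR, MM and CC", 3: "SMS and SS"}
PD_NAMES = {0x03: "Call control", 0x05: "Mobility Management",
            0x06: "Radio Resource Management", 0x09: "SMS messages"}
# Message types that occur in the dumps, keyed by (protocol discriminator, type).
MSG_NAMES = {
    (0x06, 0x27): "Paging Response", (0x06, 0x35): "Ciphering Mode Command",
    (0x06, 0x2e): "Assignment Command", (0x06, 0x0d): "Channel Release",
    (0x05, 0x24): "CM Service Request", (0x03, 0x01): "Alerting",
    (0x03, 0x07): "Connect", (0x09, 0x01): "CP-DATA",
}
# U-frame modifier bits: bits 8-6 of the control octet followed by bits 4-3.
U_NAMES = {0b00000: "UI", 0b00111: "SABM", 0b01100: "UA",
           0b01000: "DISC", 0b00011: "DM"}


def parse_lapdm(frame):
    """Parse one B-format frame (address, control, length, then the L3 payload
    padded with 0x2b) into a dict of header fields plus the payload bytes."""
    if len(frame) < 3:
        raise ValueError("frame needs address, control and length octets")
    addr, ctrl, ln = frame[0], frame[1], frame[2]
    hdr = {
        "ea": addr & 0x01,                                  # bit 1
        "cr": "Command" if addr & 0x02 else "Response",     # bit 2
        "sapi": (addr >> 2) & 0x07,                         # bits 3-5
        "lpd": (addr >> 5) & 0x03,                          # bits 6-7, 0 = normal GSM
        "el": ln & 0x01,                                    # bit 1 of length octet
        "more": bool(ln & 0x02),                            # M, segmentation
        "length": ln >> 2,                                  # bits 3-8
    }
    hdr["sapi_name"] = SAPI_NAMES.get(hdr["sapi"], "other")
    if ctrl & 0x01 == 0:                                    # I frame: bit 1 = 0
        hdr.update(frame_type="I", ns=(ctrl >> 1) & 0x07,
                   p=(ctrl >> 4) & 0x01, nr=ctrl >> 5)
    elif ctrl & 0x03 == 0x01:                               # S frame: bits 2-1 = 01
        hdr.update(frame_type="S", s=(ctrl >> 2) & 0x03,
                   pf=(ctrl >> 4) & 0x01, nr=ctrl >> 5)
    else:                                                   # U frame: bits 2-1 = 11
        m = ((ctrl >> 5) << 2) | ((ctrl >> 2) & 0x03)
        hdr.update(frame_type="U", pf=(ctrl >> 4) & 0x01,
                   u_name=U_NAMES.get(m, "unknown"))
    if hdr["length"] > len(frame) - 3:
        raise ValueError("length octet claims more payload than the frame holds")
    hdr["payload"] = bytes(frame[3:3 + hdr["length"]])
    return hdr


def parse_l3_header(payload):
    """First two L3 octets: protocol discriminator (low nibble), transaction
    id (bits 5-7) and its flag (bit 8), then the message type. Bits 7-8 of
    the type octet carry the send sequence number for MM/CC and are masked."""
    if len(payload) < 2:
        return None
    pd, mtype = payload[0] & 0x0f, payload[1] & 0x3f
    return {
        "pd": pd, "pd_name": PD_NAMES.get(pd, "other"),
        "ti": (payload[0] >> 4) & 0x07,
        "direction": "To originating site" if payload[0] & 0x80
                     else "From originating site",
        "msg_type": mtype, "msg_name": MSG_NAMES.get((pd, mtype), "unknown"),
    }


def decode_frame(hexstr):
    """Hex string of one 23-octet frame -> LAPDm header with nested L3 header."""
    hdr = parse_lapdm(bytes.fromhex(hexstr))
    hdr["l3"] = parse_l3_header(hdr["payload"])
    return hdr


# Frames copied from the dumps on this page.
PAGING_RESPONSE = "01734106270303331981082964300701" "0274662b2b2b2b"
CIPHER_MODE_CMD = "03200d0635012b2b2b2b2b2b2b2b2b2b" "2b2b2b2b2b2b2b"
SMS_CP_DATA = "0f0053190122010007917360489991f9" "0016040b917360"
CALL_ALERTING = "03221983011e02ea882b2b2b2b2b2b2b" "2b2b2b2b2b2b2b"

if __name__ == "__main__":
    for name in ("PAGING_RESPONSE", "CIPHER_MODE_CMD", "SMS_CP_DATA", "CALL_ALERTING"):
        h = decode_frame(globals()[name])
        print(name, h["frame_type"], h["sapi_name"], h["length"], h["l3"]["msg_name"])
```

The segmentation flag the later note complains about is the `more` field: when it is set, the payload continues in the next frame with the same SAPI, which is exactly the case gsmdecode-0.2 does not yet reassemble.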
000: 03 20 0d 06 35 01 2b 2b - 2b 2b 2b 2b 2b 2b 2b 2b
001: 2b 2b 2b 2b 2b 2b 2b
0: 03 -------1 Extended Address: 1 octet long
0: 03 ------1- C/R: Command
0: 03 ---000-- SAPI: RR, MM and CC
0: 03 -00----- Link Protocol Disciminator: normal GSM
(not Cell Broadcasting)
1: 20 -------0 Information Frame
1: 20 ----000- N(S), Sequence counter: 0
1: 20 ---0---- P
1: 20 001----- N(R), Retransmission counter: 1
2: 0d -------1 EL, Extended Length: yes [FIXME]
2: 0d ------0- M, segmentation: N
2: 0d 000011-- Length: 3
3: 06 0------- Direction: From originating site
3: 06 -000---- 0 TransactionID
3: 06 ----0110 Radio Resouce Management
4: 35 00110101 RRciphModCmd
5: 01 ----000- Cipher: A5/1
5: 01 -------1 Start ciphering
5: 01 ---0---- Cipher Response: IMEISV shall not be
included
Note: Not sure why the next message is a TMSI reallocation. Not needed, but maybe the BTS
decided that it should also assign a new TMSI to the mobile. Good as well.
000: 03 42 35 05 1a 42 f6 30 - 00 04 05 f4 2d 81 fb 3e
001: 2b 2b 2b 2b 2b 2b 2b
0: 03 -------1 Extended Address: 1 octet long
0: 03 ------1- C/R: Command
0: 03 ---000-- SAPI: RR, MM and CC
0: 03 -00----- Link Protocol Disciminator: normal GSM
(not Cell Broadcasting)
1: 42 -------0 Information Frame
1: 42 ----001- N(S), Sequence counter: 1
1: 42 ---0---- P
000: 0f 00 53 19 01 22 01 00 - 07 91 73 60 48 99 91 f9
001: 00 16 04 0b 91 73 60
0: 0f -------1 Extended Address: 1 octet long
0: 0f ------1- C/R: Command
0: 0f ---011-- SAPI: SMS and SS
0: 0f -00----- Link Protocol Disciminator: normal GSM
(not Cell Broadcasting)
1: 00 -------0 Information Frame
1: 00 ----000- N(S), Sequence counter: 0
1: 00 ---0---- P
1: 00 000----- N(R), Retransmission counter: 0
2: 53 -------1 EL, Extended Length: yes [FIXME]
2: 53 ------1- M, segmentation: Y
2: 53 010100-- Length: 20
3: 19 0------- Direction: From originating site
3: 19 -001---- 1 TransactionID
3: 19 ----1001 SMS messages
4: 01 00000001 Type: CP-DATA
5: 22 00100010 Length: 34
6: 01 00000001 Parameter
7: 00 00000000 Parameter
8: 07 00000111 SMSC Address Length: 7
9: 91 1------- Extension
9: 91 -001---- International Number
9: 91 ----0001 Numbering plan: ISDN/telephone
(E164/E.163)
10: 73 -------- Number(6): 37068499199
16: 00 00000000 TP-MTI, TP-MMS, TP-SRI, TP-UDIH,
TP-RP: 0
17: 16 00010110 Reference number: 22
18: 04 00000100 Parameter
Note: The 'segmentation' flag is set. The next SABM message is part of this message. I had to
decode this message manually; gsmdecode-0.2 does not support segmentation yet.
000: 0f 02 45 67 95 67 f6 00 - 00 70 40 21 02 63 43 21
001: 03 61 f1 18 2b 2b 2b
0: 0f -------1 Extended Address: 1 octet long
0: 0f ------1- C/R: Command
0: 0f ---011-- SAPI: SMS and SS
0: 0f -00----- Link Protocol Disciminator: normal GSM
(not Cell Broadcasting)
1: 02 -------0 Information Frame
1: 02 ----001- N(S), Sequence counter: 1
1: 02 ---0---- P
1: 02 000----- N(R), Retransmission counter: 0
2: 45 -------1 EL, Extended Length: yes [FIXME]
2: 45 ------0- M, segmentation: N
2: 45 010001-- Length: 17
3: 67 -------- Number(continoues, 8 left): 7659766
7: 00 -------- Protocol Identifier: 0
8: 00 00------ Data Coding Sheme: 0x00
8: 00 --0----- Uncompressed
8: 00 ---0---- Bit 0, 1 are reserved (no class!)
8: 00 ----00-- Default Alphabet
8: 00 ------00 (reserved or sim specific)
9: 00 -------- 7 octets Parameters (unknown meaning?!)
16: 03 ------11 CP-DATA Length: 3
17: 61 -------- Data: "abc" (GSM 03.38)
Note: Why is the length of the destination address set to 11? It's only 6 bytes long.
SDCCH, CP-ACK
000: 0f 44 09 19 04 2b 2b 2b - 2b 2b 2b 2b 2b 2b 2b 2b
001: 2b 2b 2b 2b 2b 2b 2b
0: 0f -------1 Extended Address: 1 octet long
0: 0f ------1- C/R: Command
0: 0f ---011-- SAPI: SMS and SS
0: 0f -00----- Link Protocol Disciminator: normal GSM
(not Cell Broadcasting)
1: 44 -------0 Information Frame
000: 03 64 0d 06 0d 00 2b 2b - 2b 2b 2b 2b 2b 2b 2b 2b
001: 2b 2b 2b 2b 2b 2b 2b
0: 03 -------1 Extended Address: 1 octet long
0: 03 ------1- C/R: Command
0: 03 ---000-- SAPI: RR, MM and CC
0: 03 -00----- Link Protocol Disciminator: normal GSM
(not Cell Broadcasting)
1: 64 -------0 Information Frame
1: 64 ----010- N(S), Sequence counter: 2
1: 64 ---0---- P
1: 64 011----- N(R), Retransmission counter: 3
2: 0d -------1 EL, Extended Length: yes [FIXME]
2: 0d ------0- M, segmentation: N
2: 0d 000011-- Length: 3
3: 06 0------- Direction: From originating site
3: 06 -000---- 0 TransactionID
3: 06 ----0110 Radio Resouce Management
4: 0d 00001101 Channel Release
5: 00 00000000 RR-Cause (reason of event) = Normal
event
We wanted to find out if the Nokia DCT3 mobile in trace mode also forwards TCH frames
to the computer. We did not receive any. Does this have to be enabled specifically?
Question:
1. I could not find where the phone calls 1525 (i.e. the number itself). Anyone?
000: 01 73 35 05 24 31 03 33 - 19 81 05 f4 2e 48 41 15
001: 2b 2b 2b 2b 2b 2b 2b
0: 01 -------1 Extended Address: 1 octet long
0: 01 ------0- C/R: Response
0: 01 ---000-- SAPI: RR, MM and CC
0: 01 -00----- Link Protocol Disciminator: normal GSM
(not Cell Broadcasting)
1: 73 ------11 Unnumbered Frame
1: 73 ---1---- P
1: 73 011-00-- UA frame (Unnumbered achknowledgement)
2: 35 -------1 EL, Extended Length: y
2: 35 ------0- M, segmentation: N
2: 35 001101-- Length: 13
3: 05 0------- Direction: From originating site
3: 05 -000---- 0 TransactionID
3: 05 ----0101 Mobile Management Message (non GPRS)
4: 24 00------ SendSequenceNumber: 0
4: 24 --100100 MMcmServiceRequest
5: 31 -011---- Ciphering key sequence: 3
5: 31 ----0001 Request Service Type: MS originated
call
6: 03 00000011 MS Classmark 2 length: 3
7: 33 -01----- Revision Level: Phase 2
7: 33 ---1---- Controlled early classmark sending:
Implemented
7: 33 -----011 RF power class capability: Class 4
8: 19 -1------ Pseudo Sync Capability: not present
8: 19 --01---- SS Screening: Phase 2 error handling
8: 19 ----1--- Mobile Terminated Point to Point SMS:
supported
8: 19 -----0-- VoiceBroadcastService: not supported
8: 19 ------0- VoiceGroupCallService: not supported
8: 19 -------1 MS supports E-GSM or R-GSM: supported
9: 81 1------- CM3 option: supported
9: 81 --0----- LocationServiceValueAdded Capability:
not supported
9: 81 ----0--- SoLSA Capability: not supported
9: 81 ------0- A5/3 not available
9: 81 -------1 A5/2: available
11: f4 -----100 Type of identity: TMSI/P-TMSI
12: 2e -------- ID(4/even): 2E484115
000: 03 20 0d 06 35 11 2b 2b - 2b 2b 2b 2b 2b 2b 2b 2b
001: 2b 2b 2b 2b 2b 2b 2b
0: 03 -------1 Extended Address: 1 octet long
0: 03 ------1- C/R: Command
000: 03 86 21 06 2e 0d c3 ff - 05 63 21 2b 2b 2b 2b 2b
001: 2b 2b 2b 2b 2b 2b 2b
0: 03 -------1 Extended Address: 1 octet long
0: 03 ------1- C/R: Command
0: 03 ---000-- SAPI: RR, MM and CC
0: 03 -00----- Link Protocol Disciminator: normal GSM
(not Cell Broadcasting)
1: 86 -------0 Information Frame
1: 86 ----011- N(S), Sequence counter: 3
1: 86 ---0---- P
1: 86 100----- N(R), Retransmission counter: 4
2: 21 -------1 EL, Extended Length: y
2: 21 ------0- M, segmentation: N
2: 21 001000-- Length: 8
3: 06 0------- Direction: From originating site
3: 06 -000---- 0 TransactionID
3: 06 ----0110 Radio Resouce Management
4: 2e 00101110 RRassignCommand
5: 0d -----101 Timeslot: 5
5: 0d 00001--- TCH/F + ACCHs
6: c3 110----- Training sequence code: 6
6: c3 ---000-- Single Channel
7: ff ........ Absolute RF channel number: 1023
8: 05 ----0101 Power Level: 5
10: 21 00100001 Channel Mode: TCH/F or TCH/H rev 2
000: 03 22 19 83 01 1e 02 ea - 88 2b 2b 2b 2b 2b 2b 2b
001: 2b 2b 2b 2b 2b 2b 2b
0: 03 -------1 Extended Address: 1 octet long
0: 03 ------1- C/R: Command
0: 03 ---000-- SAPI: RR, MM and CC
0: 03 -00----- Link Protocol Disciminator: normal GSM
(not Cell Broadcasting)
1: 22 -------0 Information Frame
1: 22 ----001- N(S), Sequence counter: 1
1: 22 ---0---- P
1: 22 001----- N(R), Retransmission counter: 1
2: 19 -------1 EL, Extended Length: y
2: 19 ------0- M, segmentation: N
2: 19 000110-- Length: 6
3: 83 1------- Direction: To originating site
3: 83 -000---- 0 TransactionID
3: 83 ----0011 Call control. call related SS messages
4: 01 00------ Send Sequence Number: 0
4: 01 --000001 Call Alerting
6: 02 00000010 L of IE Progress Indicator: 2
7: ea -11----- Coding standard: GSM-PLMNS
7: ea ----1010 Location: Network beyong interworking point
8: 88 -0001000 Progress: In-band information or appr. pattern available
000: 03 24 09 83 07 2b 2b 2b - 2b 2b 2b 2b 2b 2b 2b 2b
001: 2b 2b 2b 2b 2b 2b 2b
0: 03 -------1 Extended Address: 1 octet long
0: 03 ------1- C/R: Command
0: 03 ---000-- SAPI: RR, MM and CC
0: 03 -00----- Link Protocol Disciminator: normal GSM (not Cell Broadcasting)
1: 24 -------0 Information Frame
1: 24 ----010- N(S), Sequence counter: 2
1: 24 ---0---- P
1: 24 001----- N(R), Retransmission counter: 1
2: 09 -------1 EL, Extended Length: y
2: 09 ------0- M, segmentation: N
2: 09 000010-- Length: 2
3: 83 1------- Direction: To originating site
3: 83 -000---- 0 TransactionID
3: 83 ----0011 Call control. call related SS messages
4: 07 00------ Send Sequence Number: 0
4: 07 --000111 Call Connect
000: 03 88 0d 06 0d 00 2b 2b - 2b 2b 2b 2b 2b 2b 2b 2b
001: 2b 2b 2b 2b 2b 2b 2b
0: 03 -------1 Extended Address: 1 octet long
0: 03 ------1- C/R: Command
0: 03 ---000-- SAPI: RR, MM and CC
0: 03 -00----- Link Protocol Disciminator: normal GSM (not Cell Broadcasting)
1: 88 -------0 Information Frame
1: 88 ----100- N(S), Sequence counter: 4
1: 88 ---0---- P
1: 88 100----- N(R), Retransmission counter: 4
2: 0d -------1 EL, Extended Length: y
2: 0d ------0- M, segmentation: N
2: 0d 000011-- Length: 3
3: 06 0------- Direction: From originating site
3: 06 -000---- 0 TransactionID
3: 06 ----0110 Radio Resouce Management
4: 0d 00001101 Channel Release
5: 00 00000000 RR-Cause (reason of event) = Normal event
More:
1. http://www.ericsson.com/solutions/tems/index.shtml
Links:
http://www.g3gg0.de/wordpress/projects/mados/
http://nokix.pasjagsm.pl/help/blacksphere/sub_250software/sub_mados.htm
It seems that MADos does not offer DSP message control (yet). A little information about reversing the protocol between the MCU and the DSP is here: http://nokix.pasjagsm.pl/help/blacksphere/sub_100hardware/sub_dsp/sub_mdi.htm
5.14. Mysteries
This is a collection of mysteries. Here we collect everything that we can not explain.
SOLVE A MYSTERY TODAY - EDIT THIS SECTION AND EXPLAIN IT!
BCCH carrier. I see Radio Resource Management -> Paging Request Type 1 messages that contain a
TMSI that is set to 'f'. I see hundreds of these packets. Why f?
000: 15 06 21 00 01 f0 2b 2b - 2b 2b 2b 2b 2b 2b 2b 2b
001: 2b 2b 2b 2b 2b 2b 2b
0: 15 000101-- Pseudo Length: 5
1: 06 0------- Direction: From originating site
1: 06 -000---- 0 TransactionID
1: 06 ----0110 Radio Resouce Management
2: 21 00100001 Paging Request Type 1
3: 00 ------00 Page Mode: Normal paging
5: f0 -----000 Type of identity: No Identity
The length is set to 1. This means one octet follows: just the type of identity but no actual
number.
Received:
05 06 07 c0 1c 04 aa 63 43 74 7f e0 12 e8 4a bc ...
05 = Pseudo Length 1 (huh?)
06 = Protocol discriminator: RRM
07 = Huh? What is this?
1. Question: Why is the pseudo length set to 1 but I still see valid data? It cannot be 1 in
the first place because no layer 3 message is only 1 byte long.
2. Question: What is 07?
Received (2 examples):
01 06 03 df f4 a0 00 00 00 00 00 00 ...
01 06 00 80 f7 81 70 db 09 13 69 26 ...
01 = Pseudo Length 0
GSM-1800:
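The LAPDm/L3 header layout shown in the decodes above and the pseudo-length puzzle from this Mysteries section, as an added example (not code from the wiki or from gsmdecode): bit positions follow the gsmdecode annotations on this page, while all function and field names are my own. The `consistent` check flags exactly the case where a pseudo length of 1 is followed by non-fill data.

```python
# Added example, not code from the THC wiki or from gsmdecode. Decodes the
# LAPDm/L3 header octets exactly as annotated in the dumps above; function
# and field names are my own, the bit layouts follow the page's annotations.
RR, CC = 0x06, 0x03                       # protocol discriminators in the dumps
FILL = 0x2b                               # LAPDm fill octet ("2b 2b 2b ...")
MSG = {(RR, 0x2e): "Assignment Command", (RR, 0x0d): "Channel Release",
       (RR, 0x21): "Paging Request Type 1", (CC, 0x01): "Alerting",
       (CC, 0x07): "Connect"}
IDENTITY = {0: "No Identity", 1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}

def parse_lapdm(frame: bytes) -> dict:
    """Decode a DCCH LAPDm I frame: address, control, length, then L3 header."""
    addr, ctrl, ln = frame[0], frame[1], frame[2]
    if not addr & 1 or ctrl & 1:   # EA must be 1; control bit 0 == 0 is an I frame
        raise ValueError("only one-octet addresses and I frames are handled")
    length, pd = ln >> 2, frame[3] & 0x0f
    mt = frame[4] & 0x3f if pd == CC else frame[4]   # CC: top 2 bits are N(SD)
    return {
        "cr": "command" if addr & 2 else "response",
        "sapi": (addr >> 2) & 7, "lpd": (addr >> 5) & 3,
        "ns": (ctrl >> 1) & 7, "p": (ctrl >> 4) & 1, "nr": (ctrl >> 5) & 7,
        "el": ln & 1, "m": (ln >> 1) & 1, "length": length,
        "to_orig": bool(frame[3] & 0x80), "ti": (frame[3] >> 4) & 7,
        "pd": pd, "msg": MSG.get((pd, mt), "unknown 0x%02x" % mt),
        # everything after the declared length must be fill octets; if not,
        # the length field or the framing is wrong
        "fill_ok": all(b == FILL for b in frame[3 + length:]),
    }

def parse_ccch(frame: bytes) -> dict:
    """Decode a CCCH block: pseudo-length octet, L3 header and, for a Paging
    Request Type 1, the first Mobile Identity IE (length + type of identity)."""
    pl = frame[0] >> 2                    # bits 2-7 of the first octet; bits 0-1 are 01
    out = {"pseudo_len": pl, "pd": frame[1] & 0x0f, "mt": frame[2],
           # the 'mystery' case: payload continues past the pseudo length
           "consistent": all(b == FILL for b in frame[1 + pl:])}
    if (out["pd"], out["mt"]) == (RR, 0x21):
        out.update(page_mode=frame[3] & 3, id_len=frame[4],
                   identity=IDENTITY.get(frame[5] & 7, "reserved"))
    return out

# Frames copied from the dumps on this page (fill octets written as "2b" * n)
ASSIGN = bytes.fromhex("03 86 21 06 2e 0d c3 ff 05 63 21" + "2b" * 12)
PAGING = bytes.fromhex("15 06 21 00 01 f0" + "2b" * 17)
MYSTERY = bytes.fromhex("05 06 07 c0 1c 04 aa 63 43 74 7f e0 12 e8 4a bc")

if __name__ == "__main__":
    print(parse_lapdm(ASSIGN))
    print(parse_ccch(PAGING), parse_ccch(MYSTERY))
```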
6. RELEASES
6.1. Tips and Tricks
1. All releases are tested on live networks in the United Kingdom and the US (and
many other countries).
2. First find a beacon carrier. Either use the method that robert describes or use the
Netmonitor to check your current beacon channel and calculate the frequency from
it.
3. Even when you have a perfect looking beacon carrier you might not receive any
traffic. This is because of Inter-Symbol-Interference (ISI). Try to enhance the signal
quality by using a directional antenna (yagi).
4. Try setting decimation to 64 (or 32) in gsm_run.py (for gsmsp release) or in
gssm_usrp.py (for gssm release).
If you own a USRP you can create your own capture file (cfile) like this (10 seconds,
frequency 940.4 MHz):
./bootstrap
./configure
make
To analyze the example dump file from robert pipe the output of gsm-tvoid into
gsmdecode:
cd gsm-tvoid/src/python
./gsm_scan.py -SN -pd -d 112 -I GSMSP_940.8Mhz_118.cfile |
../../../gsmdecode/src/gsmdecode -i
6.4. GSSM
2007/07/09
GSSM is joshua's release of a USRP GSM implementation. Please see http://wiki.thc.org/gsm/gssm for the release notes.
Download: gssm-v0.1.1a.tar.bz2.
cd gsm-tvoid/src/python
./gsm_scan.py -SN -pd -d 112 -I myfirstdump.cfile |
../../../gsmdecode/src/gsmdecode -i
6.6. GSMSP
A GNU radio GSM Software implementation. This is probably the easier package to start
with.
Difference to GSSM:
Download: gsmsp-0.2a.tar.gz
6.7. Gsmdecode
Gsmdecode is used to decode the GSM messages from the gammu trace log of a Nokia
DCT3 mobile. In the future GSMSP will output the data in a format that gsmdecode can decode,
or we will implement it directly in GSMSP (as a library).
Older versions:
2007/04/16 Download: gsmdecode-0.2.tar.gz
2007/04/19 Download: gsmdecode-0.3.tar.gz
2007/04/27 Download: gsmdecode-0.4 source or windows binary
2007/05/21 Download: gsmdecode-0.5 source or win32 binary
7. HELP
7.1. Donations
Go to http://www.segfault.net/gsm/ if you like what we are doing. Your sponsorship is
appreciated. Contact steve [at] segfault.net for details or bank account information.
8. Links
8.1. Similar Projects
iPhone JerrySIM (from http://code.google.com/p/iphone-elite/wiki/JerrySim).
Executing shellcode on the gsm baseband.
Homebrew mobile phone club
GnuRadio, the software that makes it all possible.
Eric's GnuRadio Presentation (video, 108 MB)
USRP and GNU Radio Projects
SMS Receiver Project
http://www.eccpage.com/ Example source for Viterbi, convolutional decoding, CRC,
...
MADos Free OS for Nokia DCT3 phones
Building a Super Receiver using a TV receiver
http://www.vovida.org - an open-source GSM signalling protocol stack (also contains
Viterbi equalization, voice codecs, MM/CC/RR layer 3 message parsing, ...)
Lyrtech Femto Cell SDR Video
8.4. Hardware
silabs.com Silabs GSM transceiver chip
USRP board
Analog GSM baseband chip
CP028 ozzi clock