This post covers GSM sniffing with the gr-gsm module for GNU Radio, validated on a USRP X310.
GSM (Global System for Mobile Communications) is the second-generation (2G) cellular standard. It was developed for digital voice and uses TDMA on top of 200 kHz FDMA carriers as its multiplexing scheme. The standard was written through the 1980s and the first networks went live in 1991, but its architecture is still the reference point for 3G, 4G and the upcoming 5G systems.
By the end of this post we will be able to sniff a 2G network, i.e. capture GSM frames off the air and decode them in a protocol analyser. From the decoded frames we can read the identity of the BTS a mobile station would camp on (MCC, MNC, location area and cell identity), the ARFCN in use, and, on the capture side, the UDP source and destination ports of the GSMTAP datagrams that carry each frame to Wireshark.
We use a USRP X310, which has two RF daughterboard slots; depending on the daughterboard fitted it covers radio frequencies from DC up to 6 GHz.
What is GSM Sniffing?
GSM sniffing, as used here, is the passive capture and decoding of the GSM air interface: an SDR is tuned to a BTS downlink carrier, gr-gsm decodes the broadcast and common control channels, and the frames are inspected in Wireshark. From them one can read the network the cell belongs to (country and operator from MCC and MNC, plus location area and cell identity), the ARFCN in use, the channel assignments and paging requests addressed to mobiles, and the ciphering mode commands with which a mobile is moved onto a ciphered dedicated channel, as well as the system information and protocol capabilities the cell advertises. One caveat: the broadcast channels are unencrypted, so they decode directly, but once the network sends the ciphering mode command a dedicated channel is ciphered with A5/x and its contents are not readable without the session key.
Terminology used in the GSM standard
Some of the important terms are defined below:
1. MCC (Mobile Country Code)
The MCC is a unique three-digit decimal number assigned to each country (ITU-T E.212). The first digit indicates the geographical zone, for example:
- 2 for Europe,
- 3 for North America and the Caribbean,
- 4 for Asia and the Middle East,
- 7 for South and Central America.
The remaining two digits identify the country within that zone; India has been allocated both 404 and 405, so an Indian network can sit under either code. Which code an operator uses in a given telecom circle is a matter of allocation rather than geography. For example, Reliance Jio uses
404-xx codes in circles such as Assam, Himachal Pradesh, Bihar and Orissa, and
405-xx codes in circles such as Maharashtra, Karnataka, Gujarat, Madhya Pradesh and Punjab.
2. MNC (Mobile Network Code)
The MNC is a two- or three-digit code used together with the MCC: the pair (the PLMN identity) uniquely identifies an operator's network, not an individual subscriber. Indian operators hold a separate MNC for each telecom circle, so the MNC also tells you the service area. Examples for Karnataka:
- 404-44: Spice Communications Pvt Ltd
- 404-45: Airtel
- 404-71: BSNL
- 404-86: Vodafone
- 405-10: Reliance Jio
- 405-803: Aircel
3. ARFCN
ARFCN (Absolute Radio Frequency Channel Number) is the integer that identifies a GSM carrier. Each ARFCN maps to a fixed uplink/downlink frequency pair: in GSM-900 the uplink is 890 MHz + 0.2 MHz x ARFCN and the downlink sits 45 MHz above it, while in DCS-1800 the uplink is 1710.2 MHz + 0.2 MHz x (ARFCN - 512) and the downlink sits 95 MHz above it. Knowing the ARFCN a cell uses therefore gives the exact uplink and downlink frequencies to tune the receiver to.
4. BCCH
BCCH (Broadcast Control Channel) is a downlink-only logical channel on which the BTS continuously broadcasts System Information messages: the network identity (LAI and cell identity), the ARFCNs of the cell and its neighbours, and the parameters a mobile needs to access the cell. A mobile station reads it to select a cell and access the network. Because it is a broadcast channel it carries no encryption.
5. CCCH
CCCH (Common Control Channel) is the group of control channels shared by all mobile stations in the cell: the RACH, on which a mobile sends a channel request when it initiates a call or responds to a page; the PCH, on which the BTS pages mobiles; and the AGCH, on which the BTS assigns a dedicated channel. Only the RACH runs uplink; the PCH and AGCH are downlink.
Installation of gr-gsm
Install all the prerequisites with the following commands:
sudo apt-get update
sudo apt-get install cmake autoconf libtool pkg-config build-essential python-docutils libcppunit-dev swig doxygen liblog4cpp5-dev python-scipy python-gtk2 gnuradio-dev gr-osmosdr libosmocore-dev
Then download the gr-gsm source and build it with the following commands:
git clone https://git.osmocom.org/gr-gsm
cd gr-gsm
mkdir build
cd build
cmake ..
mkdir $HOME/.grc_gnuradio/ $HOME/.gnuradio/
make
sudo make install
sudo ldconfig
Your gr-gsm module is now installed.
Installation of the Wireshark sniffing tool
Add the Wireshark PPA, which provides a current Wireshark build, with the command below:
sudo add-apt-repository ppa:wireshark-dev/stable
Update the package index and install Wireshark:
sudo apt-get update
sudo apt-get install wireshark
Wireshark is now installed. Start it with the command wireshark, or sudo wireshark if your user lacks capture permissions. The start page shown in the figure lists the capture interfaces: Ethernet/LAN, Wi-Fi and the loopback interface. The SDR is not an interface of its own: gr-gsm decodes the frames on the host and sends them as GSMTAP UDP datagrams to 127.0.0.1, so the capture is taken on the loopback interface. The USRP X310 is attached to the host over its Ethernet port, but that link carries raw samples, not decoded frames, and is not what we capture.
GNU Radio flow graph
The figure below shows the gr-gsm receive flow graph. Samples from the USRP go into the GSM input adaptor, the input stage of the GSM receiver: it resamples to the receiver's rate and applies a frequency-offset correction so that carrier and sampling offsets are removed before demodulation. The GSM clock offset control block closes that loop: it takes the offset estimates from the receiver and feeds corrections back to the adaptor, and it is parameterised with the centre frequency (941.4 MHz here) so that offsets measured in ppm can be converted to Hz.
The demodulated bursts go to the BCCH+CCCH demapper, which picks out the bursts belonging to that control channel combination as specified in GSM, and to the SDCCH/8 demapper for the standalone dedicated control channel, which GSM uses to carry signalling and SMS over a reliable connection. The decoded frames are handed to two Socket PDU blocks, one a UDP client and the other a UDP server; the client sends each frame as a GSMTAP datagram to 127.0.0.1:4729, which is what Wireshark reads on the loopback interface. The GSM message printer prints each decoded message with its frame number prepended, as seen in the figure. The receiver is tuned to a centre frequency of 941.4 MHz to receive the 2G downlink from the BTS, with a channel bandwidth of 650 kHz (a single GSM carrier occupies 200 kHz, so this spans the carrier plus guard on either side).
Results
Run the GNU Radio flow graph, or start the equivalent application from a terminal:
grgsm_livemon
(grgsm_livemon also takes the centre frequency on the command line, e.g. grgsm_livemon -f 941.4M.)
Then open Wireshark from another terminal to decode the frames received from the BTS, and select the loopback interface for capture; the display filter gsmtap limits the view to the decoded GSM frames.
wireshark (or sudo wireshark)
Tuning the GSM receiver to the right centre frequency matters. Identify the ARFCN of the cell, calculate its uplink and downlink frequency from the ARFCN, and set the downlink frequency as the centre frequency. In the figure above the receiver is tuned to the downlink frequency 946.2 MHz and the spectrum plot shows the carrier; the decoded frames are then analysed in Wireshark.
The frames decoded for the selected cell show the BTS broadcasting its network identity on the BCCH, which a mobile station reads before it can access the network. The ARFCN is shown as 34 and the transmitted-packet count as zero (the receiver only listens). Wireshark also shows the UDP source and destination ports of the GSMTAP datagram carrying each frame and, from the System Information, the Location Area Identification (LAI). Here the network is Spice Communications Pvt Ltd, Karnataka: MNC 44 under MCC 404, i.e. India.
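The fields Wireshark shows for each frame (ARFCN, channel type, frame number, and for System Information Type 3 the MCC/MNC/LAC) come from the 16-byte GSMTAP header gr-gsm puts in front of every decoded frame and from the BCD-packed LAI inside the L3 message. The decoder below is an added example written for this post, not gr-gsm or Wireshark code; the datagram it decodes is constructed inline (a BCCH frame on ARFCN 34 carrying SI3 for PLMN 404-44, with the SI3 fields after the LAI replaced by filler), not captured from a live network.

```python
"""Decode a GSMTAP datagram of the kind grgsm_livemon forwards to Wireshark.

gr-gsm wraps every decoded GSM frame in a 16-byte GSMTAP header (libosmocore
gsmtap.h, version 2) and sends it by UDP to 127.0.0.1:4729; Wireshark's gsmtap
dissector shows the same fields extracted here. The sample datagram at the
bottom is constructed for this example, not captured from a live network.
"""
import struct

GSMTAP_PORT = 4729                 # default UDP port for GSMTAP (Wireshark filter: gsmtap)
GSMTAP_VERSION = 2
GSMTAP_TYPE_UM = 0x02              # GSM Um (air interface) frame
GSMTAP_ARFCN_F_UPLINK = 0x4000     # flag bit inside the 16-bit ARFCN field
GSMTAP_ARFCN_MASK = 0x3FFF
GSMTAP_CHANNELS = {1: "BCCH", 2: "CCCH", 3: "RACH", 4: "AGCH", 5: "PCH",
                   6: "SDCCH", 7: "SDCCH/4", 8: "SDCCH/8", 9: "TCH/F", 10: "TCH/H"}
GSMTAP_HDR = ">BBBBHbbIBBBB"       # version, hdr_len (32-bit words), type, timeslot, arfcn,
                                   # signal dBm, SNR dB, frame number, sub_type (channel),
                                   # antenna, sub_slot, reserved

RR_PROTOCOL_DISCRIMINATOR = 0x06   # TS 24.007: radio resource management
SI3_MESSAGE_TYPE = 0x1B            # TS 44.018: System Information Type 3


def parse_gsmtap(datagram: bytes) -> dict:
    """Split a GSMTAP datagram into its header fields and the L3 payload."""
    (version, hdr_words, typ, timeslot, arfcn_field, signal_dbm, snr_db,
     frame_number, sub_type, _antenna, sub_slot, _reserved) = struct.unpack(
        GSMTAP_HDR, datagram[:struct.calcsize(GSMTAP_HDR)])
    if version != GSMTAP_VERSION:
        raise ValueError(f"unsupported GSMTAP version {version}")
    return {
        "type": typ,
        "timeslot": timeslot,
        "arfcn": arfcn_field & GSMTAP_ARFCN_MASK,
        "uplink": bool(arfcn_field & GSMTAP_ARFCN_F_UPLINK),
        "signal_dbm": signal_dbm,
        "snr_db": snr_db,
        "frame_number": frame_number,
        "channel": GSMTAP_CHANNELS.get(sub_type, f"unknown({sub_type})"),
        "sub_slot": sub_slot,
        "payload": datagram[hdr_words * 4:],   # header length is given in 32-bit words
    }


def decode_lai(lai: bytes) -> tuple:
    """Decode a 5-octet Location Area Identification (TS 24.008 section 10.5.1.3).

    MCC and MNC are packed as BCD nibbles: octet 1 = MCC digit 2 | MCC digit 1,
    octet 2 = MNC digit 3 | MCC digit 3 (MNC digit 3 is 0xF for a 2-digit MNC),
    octet 3 = MNC digit 2 | MNC digit 1, followed by the 16-bit LAC.
    """
    o1, o2, o3 = lai[0], lai[1], lai[2]
    mcc = f"{o1 & 0xF}{o1 >> 4}{o2 & 0xF}"
    mnc = f"{o3 & 0xF}{o3 >> 4}"
    if (o2 >> 4) != 0xF:                      # three-digit MNC
        mnc += str(o2 >> 4)
    lac = struct.unpack(">H", lai[3:5])[0]
    return mcc, mnc, lac


def parse_si3(l3: bytes) -> dict:
    """Pull cell identity and LAI out of a System Information Type 3 message."""
    # octet 0 is the L2 pseudo-length; the skip indicator is the high nibble of octet 1
    if (l3[1] & 0x0F) != RR_PROTOCOL_DISCRIMINATOR or l3[2] != SI3_MESSAGE_TYPE:
        raise ValueError("not an RR System Information Type 3 message")
    cell_id = struct.unpack(">H", l3[3:5])[0]
    mcc, mnc, lac = decode_lai(l3[5:10])
    return {"cell_id": cell_id, "mcc": mcc, "mnc": mnc, "lac": lac}


def decode_datagram(datagram: bytes) -> dict:
    """What Wireshark shows for one datagram: GSMTAP header plus, for SI3, the LAI."""
    frame = parse_gsmtap(datagram)
    payload = frame["payload"]
    if frame["channel"] == "BCCH" and len(payload) >= 10 and payload[2] == SI3_MESSAGE_TYPE:
        frame.update(parse_si3(payload))
    return frame


def build_sample_datagram() -> bytes:
    """Constructed sample: a BCCH frame on ARFCN 34 carrying SI3 for PLMN 404-44."""
    header = struct.pack(GSMTAP_HDR, GSMTAP_VERSION, 4, GSMTAP_TYPE_UM, 0,
                         34, -60, 10, 0x123456, 1, 0, 0, 0)
    si3 = bytes([0x49, 0x06, SI3_MESSAGE_TYPE])                 # pseudo-length 18, RR, SI3
    si3 += struct.pack(">H", 0x1234)                             # cell identity
    si3 += bytes([0x04, 0xF4, 0x44]) + struct.pack(">H", 42)     # LAI: MCC 404, MNC 44, LAC 42
    si3 += b"\x2b" * (23 - len(si3))      # remaining SI3 fields replaced by L2 filler here
    return header + si3


if __name__ == "__main__":
    info = decode_datagram(build_sample_datagram())
    print(f"{info['channel']} ARFCN {info['arfcn']} fn={info['frame_number']} "
          f"MCC {info['mcc']} MNC {info['mnc']} LAC {info['lac']} cell {info['cell_id']:#06x}")
```

The ARFCN field deserves a second look when reading captures: bit 14 marks uplink frames, so masking with 0x3FFF before comparing against the ARFCN you tuned to avoids misreading an uplink burst as a different carrier.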
Inference
When tuning the GSM receiver, the centre frequency must be chosen with care, because it decides whether any frames from the BTS are received at all. Identify the ARFCN of the cell, calculate its uplink and downlink frequency, and use the downlink frequency as the centre frequency; the spectrum plot then shows the carrier. Capture on the loopback interface, since that is where the decoded frames from the USRP X310 (run here with a gain of 50 dB) are delivered.
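The ARFCN-to-frequency rule given in the terminology section and the tuning step above can be checked with a few lines of Python. This is an added example written for this post, not gr-gsm code; it assumes that grgsm_livemon's -f option accepts a centre frequency in GNU Radio's engineering notation (e.g. 941.8M). Frequencies are kept as integers in kHz so the 200 kHz raster arithmetic is exact. Note that ARFCN 34 maps to a 941.8 MHz downlink, and the two centre frequencies quoted in the post, 941.4 MHz and 946.2 MHz, correspond to ARFCNs 32 and 56; running the script prints the numbers side by side.

```python
"""ARFCN <-> carrier frequency for the GSM bands a gr-gsm receiver is usually tuned to.

Formulas are from 3GPP TS 45.005 section 2 (GSM 900 / E-GSM 900 / DCS 1800).
All frequencies are integers in kHz so the 200 kHz raster arithmetic is exact.
Added example for this post; the ARFCN and frequency values in the demo are the
ones the post quotes.
"""

GSM900 = "GSM900"     # P-GSM 900 (ARFCN 1..124) plus the E-GSM extension (0, 975..1023)
DCS1800 = "DCS1800"   # ARFCN 512..885
RASTER_KHZ = 200


def arfcn_to_freq_khz(arfcn: int) -> tuple:
    """Return (band, uplink_khz, downlink_khz) for an ARFCN."""
    if 0 <= arfcn <= 124:
        uplink = 890_000 + RASTER_KHZ * arfcn
        return GSM900, uplink, uplink + 45_000
    if 975 <= arfcn <= 1023:                       # E-GSM: counts down from 890 MHz
        uplink = 890_000 + RASTER_KHZ * (arfcn - 1024)
        return GSM900, uplink, uplink + 45_000
    if 512 <= arfcn <= 885:                        # 512..810 also exist in PCS 1900 (not handled)
        uplink = 1_710_200 + RASTER_KHZ * (arfcn - 512)
        return DCS1800, uplink, uplink + 95_000
    raise ValueError(f"ARFCN {arfcn} is not in GSM900/E-GSM/DCS1800")


def downlink_khz_to_arfcn(downlink_khz: int) -> int:
    """Inverse mapping: the ARFCN whose downlink carrier sits at downlink_khz."""
    if downlink_khz % RASTER_KHZ:
        raise ValueError(f"{downlink_khz} kHz is not on the 200 kHz GSM raster")
    if 925_200 <= downlink_khz <= 959_800:        # E-GSM / P-GSM 900 downlink
        n = (downlink_khz - 45_000 - 890_000) // RASTER_KHZ
        return n if n >= 0 else n + 1024           # negative n is the E-GSM extension
    if 1_805_200 <= downlink_khz <= 1_879_800:    # DCS 1800 downlink
        return 512 + (downlink_khz - 95_000 - 1_710_200) // RASTER_KHZ
    raise ValueError(f"{downlink_khz} kHz is not a GSM900/DCS1800 downlink frequency")


def livemon_fc_arg(arfcn: int) -> str:
    """Centre frequency string for grgsm_livemon -f (assumed engineering notation)."""
    _, _, downlink = arfcn_to_freq_khz(arfcn)
    return f"{downlink / 1000:g}M"


if __name__ == "__main__":
    band, up, down = arfcn_to_freq_khz(34)
    print(f"ARFCN 34: {band} uplink {up / 1000:.1f} MHz, downlink {down / 1000:.1f} MHz"
          f" -> grgsm_livemon -f {livemon_fc_arg(34)}")
    for centre_khz in (941_400, 946_200):          # the two centre frequencies quoted above
        print(f"{centre_khz / 1000:.1f} MHz downlink is ARFCN {downlink_khz_to_arfcn(centre_khz)}")
```

grgsm_scanner can list the ARFCNs actually on the air around you; feed each candidate through downlink_khz_to_arfcn against the frequency you intend to tune and the two should agree before you start the capture.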
For more real-time wireless applications built on software defined radio, see the book "Practical Approach to Software Defined Radio":
Amazon : https://www.amazon.in/dp/9389113628
Flipkart : https://www.flipkart.com/practical-approach-software-defined-radios/p/itm24afc57f04c29
For SDR product information, see
http://tenettech.net/SDR/