Sniffing GSM with HackRF

Postby admin » Wed Aug 14, 2013 1:29 am

I will open by saying: only sniff your own system or a system you have been given permission to work on. Sniffing a public network in your country may be illegal.

I recently had a play with sniffing some GSM using the HackRF. The clock was a little unstable and drifted quite a bit, but in the end I was able to view lots of different system messages etc. I will assume you have a working Linux system with GNU Radio and HackRF running for this tutorial. If not, you can use the live CD which I referenced in the software section of the forum; it's a great tool and the HackRF works right out of the box.

The first thing to do is find out the frequency of a local GSM tower. For this I used gqrx, which is preloaded on the live CD. Open it up and have a look around the 900 MHz band and you should see something like the image below.

[image: gqerx.png]


You can see the non-hopping channel at 952 MHz and another at 944.2 MHz. Write down the approximate frequency for the later step.

Now we need to install Airprobe using the following commands.

git clone git://git.gnumonks.org/airprobe.git

cd airprobe/gsmdecode
./bootstrap
./configure
make

cd ../gsm-receiver
./bootstrap
./configure
make


That's all there is to it. We can now start receiving some GSM. First things first, start Wireshark with the following command:

sudo wireshark

Select "lo" as the capture device and enter gsmtap in the filter window, like in the image below:

[image: wireshark.png]


Now go back to your terminal window and enter the following:

cd airprobe/gsm-receiver/src/python
./gsm_receive_rtl.py -s 2e6


A window will pop up. The first thing to do is uncheck auto gain and set the slider to full, then enter the GSM frequency you noted before as the center frequency. Also select peak hold and average in the top window's trace options, like so:

[image: spectrum.png]


You will see that only the signal on the right (blue line) consistently stays in place over the peak hold (green line), indicating that it is the non-hopping channel. All we need to do to start decoding is click on the center of that frequency hump in the top window. You may see some errors coming up, but that is OK; eventually it will start to capture data, something like this:

[image: data.png]


You can now see the GSM data popping up in Wireshark. As I said at the beginning, the HackRF clock does drift, so you will need to keep clicking to re-center the correct frequency, but all in all it works pretty well. As silly as it may sound, wrapping your HackRF in a towel or similar really helps the thermal stability of the clock and reduces drift. Now this "hack" is obviously not very useful on its own, but I think at least it helps to show the massive amount of potential there is in the HackRF.
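The post above gets GSMTAP frames from airprobe into Wireshark over the loopback interface but does not show what those frames contain or how the frequencies read off gqrx relate to GSM channel numbers. The following is an added example, not code from the original post or from airprobe: it parses the standard 16-byte GSMTAP header (UDP port 4729, as used by airprobe and Wireshark's gsmtap dissector), names the logical channel, and converts between GSM900 ARFCNs and downlink centre frequencies. The sample datagram is constructed by hand for demonstration and is not real captured traffic; the `sniff_loopback` helper is an assumption about how one would read live frames beside a running `gsm_receive_rtl.py` and is not exercised by default.

```python
"""Decode GSMTAP frames of the kind airprobe sends to Wireshark on lo:4729.

Added example, not part of the original forum post or of airprobe.  The
header layout follows the public GSMTAP definition; the ARFCN formulas are
the GSM900 (P-GSM and E-GSM) ones from 3GPP TS 45.005.  The sample frame
below is constructed by hand for demonstration only.
"""
import socket
import struct
from dataclasses import dataclass

GSMTAP_PORT = 4729

# GSMTAP "type" field: what kind of frame is carried.
GSMTAP_TYPES = {0x01: "Um", 0x02: "Abis", 0x03: "Um burst"}

# GSMTAP "sub_type" for type Um: the logical channel.  Bit 0x80 is the
# ACCH (associated control channel) flag and is masked off before lookup.
GSMTAP_CHANNELS = {
    0x01: "BCCH", 0x02: "CCCH", 0x03: "RACH", 0x04: "AGCH", 0x05: "PCH",
    0x06: "SDCCH", 0x07: "SDCCH/4", 0x08: "SDCCH/8", 0x09: "TCH/F",
    0x0A: "TCH/H",
}
GSMTAP_ARFCN_F_UPLINK = 0x4000   # set when the burst is mobile -> network

# Fixed header, big-endian: version, hdr_len (in 32-bit words), type,
# timeslot, arfcn (with flag bits), signal_dbm, snr_db, frame_number,
# sub_type, antenna_nr, sub_slot, reserved.
_HDR = struct.Struct(">BBBBHbbIBBBB")


@dataclass
class GsmtapFrame:
    channel: str
    uplink: bool
    arfcn: int
    timeslot: int
    frame_number: int
    signal_dbm: int
    payload: bytes


def arfcn_to_downlink_mhz(arfcn: int) -> float:
    """GSM900 downlink centre frequency for an ARFCN (P-GSM 0-124, E-GSM 975-1023)."""
    if 0 <= arfcn <= 124:
        return round(935.0 + 0.2 * arfcn, 1)
    if 975 <= arfcn <= 1023:
        return round(935.0 + 0.2 * (arfcn - 1024), 1)
    raise ValueError(f"ARFCN {arfcn} is not a GSM900 channel")


def downlink_mhz_to_arfcn(mhz: float) -> int:
    """Inverse of arfcn_to_downlink_mhz: map a frequency read off gqrx to an ARFCN."""
    n = round((mhz - 935.0) / 0.2)
    if 0 <= n <= 124:
        return n
    if -49 <= n <= -1:
        return n + 1024
    raise ValueError(f"{mhz} MHz is not a GSM900 downlink frequency")


def parse_gsmtap(datagram: bytes) -> GsmtapFrame:
    """Parse one GSMTAP v2 Um datagram; reject anything malformed rather than guess."""
    if len(datagram) < _HDR.size:
        raise ValueError("datagram shorter than a GSMTAP header")
    (version, hdr_len, gtype, timeslot, arfcn_field, signal_dbm, _snr_db,
     frame_number, sub_type, _antenna, _sub_slot, _res) = _HDR.unpack_from(datagram)
    if version != 2:
        raise ValueError(f"unsupported GSMTAP version {version}")
    hdr_bytes = hdr_len * 4
    if hdr_bytes < _HDR.size or hdr_bytes > len(datagram):
        raise ValueError("GSMTAP hdr_len is inconsistent with the datagram length")
    if gtype != 0x01:
        raise ValueError(f"not a Um frame: type {GSMTAP_TYPES.get(gtype, hex(gtype))}")
    return GsmtapFrame(
        channel=GSMTAP_CHANNELS.get(sub_type & 0x7F, f"chan 0x{sub_type:02x}"),
        uplink=bool(arfcn_field & GSMTAP_ARFCN_F_UPLINK),
        arfcn=arfcn_field & 0x3FFF,
        timeslot=timeslot,
        frame_number=frame_number,
        signal_dbm=signal_dbm,
        payload=datagram[hdr_bytes:],
    )


# Constructed sample (not captured data): a downlink BCCH frame on ARFCN 85
# (952.0 MHz, the non-hopping channel in the post), frame number 1234, -60 dBm.
# The 23-octet payload starts with the RR "System Information Type 3" header
# octets 0x49 0x06 0x1B and is padded with the 0x2B filler octet.
SAMPLE_PAYLOAD = bytes([0x49, 0x06, 0x1B]) + b"\x2b" * 20
SAMPLE_DATAGRAM = _HDR.pack(2, 4, 0x01, 0, 85, -60, 10, 1234, 0x01, 0, 0, 0) + SAMPLE_PAYLOAD


def sniff_loopback(count: int = 10) -> list:
    """Assumed live usage: read `count` GSMTAP datagrams from lo:4729 while
    gsm_receive_rtl.py is running.  Not called by default (needs a live receiver)."""
    frames = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", GSMTAP_PORT))
        while len(frames) < count:
            data, _ = s.recvfrom(4096)
            try:
                frames.append(parse_gsmtap(data))
            except ValueError:
                continue  # skip frames we cannot interpret
    return frames


if __name__ == "__main__":
    f = parse_gsmtap(SAMPLE_DATAGRAM)
    print(f"{f.channel} ARFCN {f.arfcn} ({arfcn_to_downlink_mhz(f.arfcn)} MHz) "
          f"TS{f.timeslot} FN {f.frame_number} {f.signal_dbm} dBm "
          f"{'uplink' if f.uplink else 'downlink'} payload={f.payload.hex()}")
```

Run as is, it decodes only the constructed sample. The two frequencies in the post map to ARFCN 85 (952.0 MHz) and ARFCN 46 (944.2 MHz), which is the same ARFCN value Wireshark shows in the gsmtap header once frames start arriving; the length checks on `hdr_len` matter because a receiver feeding arbitrary bytes into this parser should get a clean error, not a slice past the end of the buffer.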

Re: Sniffing GSM with HackRF

Postby px43 » Thu Aug 15, 2013 8:33 pm

Awesome writeup. This is exactly what I needed to get started on a project I have been meaning to get around to for a long time. Did you use any special antennas to make this happen? I also hear that with some wire cutters and a paper clip you can do wonders. Have you disabled the embedded antenna in the HackRF yet? I'm curious how any of this will affect the results. Awesome tip with the towel thing.

Also you're on the reddits :-D


Re: Sniffing GSM with HackRF

Postby admin » Thu Aug 15, 2013 10:07 pm

You can use the internal antenna but it's not great. For this though I did use an external antenna, and I did disable the onboard one and it made a huge difference. The antenna itself was a home-made discone based on a few designs I found online; it only cost me about $10 to make but the performance was great. I will probably do a write-up on the build when I get some spare time.

Re: Sniffing GSM with HackRF

Postby daniel » Thu Sep 12, 2013 6:56 am

thanks again,

nice tutorial.