Introduction: SMART SNIFFING GSM TRAFFIC ON WINDOWS WORKSTATION AND VMWARE WITH HACKRF AND RTL_SDR
SMART SNIFFING GSM TRAFFIC ON WINDOWS WORKSTATION AND VMWARE WITH HACKRF AND RTL_SDR
This is a modified procedure found online and tested to ensure functionality
fast, simply, no deploy or compiler ......
few step maximum 10 .....
64 bit compatible
- VMware Workstation Player
- GNU Radio Live SDR Environment
Windows system machine with 4gb of ram and dual core processor, hackrf or rtl sdr device.
- Download GNU Radio Live SDR Environment
- Download VMware Workstation Player
- Install VMware Workstation Player
- Start VMware Workstation Player
- Create a new virtual machine , installer disc image file (iso) with GNU Radio Live SDR Environment image
- Open virtual machine
- Connect hackrfopen terminal and insert hackrf_info and verify the functionality
Found HackRF board.
Board ID Number: 2 (HackRF One)
Firmware Version: 2014.08.1
Part ID Number: 0x00574745 0x00274746
Serial Number: 0x00000000 0x00000000 0x14d473dc 0x2f5339e1
- Install kalibrate-hackrf, a tool that will hop among known GSM frequencies and will tell you which your country is using:
sudo make install
- Finding GSM Frequencies:
Each operator in each country uses a different frequency in the GSM possible spectrum, which usually starts from 900Mhz. You can use hackrf_kalibrate to find the frequencies you want to sniff:
./kal -s GSM900 -g 40 -l 40
Note the two gain values, those are important in order to get some results. Leave kalibrate running and after a while you should see an output similar to Figure 1
Step 1: Open Airprobe_rtlsdr.py
open terminal and insert airprobe_rtlsdr.py
you should see an output similar to Figure 2
Step 2: Receive Data GSM
when you receive see Figure 3
- close airprobe with Ctrl+z
- install wireshark, in the terminal insert sudo apt-get install wireshark
Step 3: Procedure
Sometimes you might want to see the frequencies in order to ensure correct results from hackrf_kalibrate, or to save yourself from calculating the correct frequency given by hackrf_kalibrate (notice the +/- Khz sign of each result – this means the top peak with the corresponding power,not 100% correct frequency). Open gqrx and tune it to the first frequency you got from hackrf_kalibrate, for example 940.6Mhz, and you’ll see something like the following picture.
- open terminal and insert ./kal -s GSM900 -g 40 -l 40 and displays the characteristics of the channel
- open terminal and insert airprobe_rtlsdr.py and center frequency
Once you know the GSM channels frequencies, you can start gr-gsm by running the python script ./airprobe_rtlsdr.py or load the airprobe_rtlsdr.grc file using gnuradio-companion and set one of the channel frequencies you just found in the frequency field. Don’t forget to add ‘gain’ value again, move back to the frequency field and start pressing the UP/DOWN arrows on your keyboard to start scrolling the frequencies in 200Khz steps until you start seeing some data in your console window. The whole process should look something like Figure
Step 4: Procedure
Now you only need to launch wireshark from another terminal tab with the following command:
- open terminal and insert sudo wireshark -i lo
you should be able to see decoded GSM traffic sniffed by your hackrf and more. (Figure)
Step 5: Usage Gr-gsm
There are many possible applications of gr-gsm. At this moment there is one application that is ready out of the box. It is improved replacement of the old Airprobe - the program that lets you receive and decode GSM control messages from timeslot 0 on the broadcasting channel of a BTS. After installation of gr-gsm there are three python executables that will be installed:
Airprobe with RTL-SDR input
This program uses cheap RTL-SDR receivers as a source of the signal. It can be started by running from a terminal:
The window of the program contains amplitude spectrum of the signal drawn in real-time. The central frequency of the signal can be changed by moving fc slider. The GSM signal has bandwidth of around 200kHz. By looking for constant hills on the spectrum of such width you can find a GSM broadcasting channel. After setting the fc slider to a carrier frequency of a broadcasting channel the program should immediately print content of subsequent messages on the standard output.
If it doesn't happen, set ppm slider into different positions. The slider is responsible for setting devices clock offset correction. If the clock offset is too large the clock offset correction algorithm that is implemented in the program won't work. There is intentionally added upper of allowable clock offset - it was done in order to avoid adaptation of the algorithm to neighbour channels that would inevitably lead to instability. You can use the value set later by passing it as argument of the program:
Capturing and saving with RTL-SDR
This program provides capability to save captured data to file. It supports both raw data in cfile format and gr-gsm's burst format, which are pre-processed GSM-bursts instead of raw signal data:
We will add more information about capturing using this program later, for more information about the available options you can start the program with the -h flag:
This program provides capability to decode GSM messages from saved captures, for example recorded with airprobe_rtlsdr_capture.py:
The program supports both cfile and burst captures, and decoding of BCCH, SDCCH, TCH/F. Supported A5 ciphers for decryption are A5/1, A5/2 and A5/3. airprobe_decode.py is able to decode full-rate voice codecs GSM-FR, GSM-EFR, AMR 12.2, AMR 10.2, AMR 7.95, AMR 7.4, AMR 6.7, AMR 5.9, AMR 5.15, AMR 4.75.
For more information about the available options you can start the program with the -h flag:
A more detailed how to on the usage of airprobe_decode.py can be found in the Decoding How To
Analyzing GSM messages in the Wireshark
The Airprobe (file, rtlsdr) application sends GSM messages in GSMTAP format that was created by Harald Welte to the UDP port number 4729. Wireshark interprets packets coming on this port as GSM data with GSMTAP header and it is able to dissect messages.
On Debian like systems Wireshark can be installed with:
sudo apt-get install wireshark
To start Wireshark straight to analysis of the GSMTAP packets obtained from gr-gsm's airprobe use following command:
sudo wireshark -k -f udp -Y gsmtap -i lo
If you want to avoid the risks caused by running Wireshark with root privileges follow this short howto:
Decoding hopping channels
Decoding hopping channels can be achieved by feeding one input stream per hopping channel into the GSM Receiver block and connecting the CX port to a CX Channel Hopper block. At the current stage of development however, it is computationally expensive to split a wideband capture into multiple streams in real time. Therefore, the gsm_channelize.py app should be used to perform this task as a preprocessing step.
As an example, the following command will channelize my_wideband_capture.cfile, in this case a cfile captured at 925.2 MHz centered (ARFCN 975) and 20 Msps. As a result, 12 files will be generated for ARFCNs 975 - 1023 at 1 Msps each:
gsm_channelize.py -f my_wideband_capture.cfile -c 925.2e6 990 991 992 993 994 995 1019 1020
Step 6: Bibliography and Link