GRGSM Scanner – GSM Passive Recon Box

Cell Broadcast – To capture GSM downstream data we need some specific hardware and the correct tools. Nowadays is easy to capture GSM broadcast data and some mobile exchange data with inexpensive gear.

  • RaspberryPI 4 or RPI3
  • USB RTL SDR
  • PowerBank

Tools

Questions

Sniff GSM Networks

After all, the equipment is powered up and all tools installed it’s time to detect the Base Stations signals broadcasted unencrypted. To detect the information broadcasted by BTSs we will use the grgsm_scanner tool with a few parameters.

Cell Broadcast
GSM BTS Broadcast info

Grgsm_scanner tool can verify different frequency bands in my country (PT) we use GSM900 his point it is possible to detect all Cell Cellular Broadcast info

grgsm_scanner options
grgsm_scanner options

Detect GSM frequency and channels from BTSs around us

Capture Broadcast Cell Information

grgsm_scanner --band=GSM900 --gain=34 --speed=5 --args=rtl=0 -v

ARFCN:  105, Freq:  956.0M, CID: 21997, LAC:  1157, MCC: 268, MNC:   6, Pwr: -32
  |---- Configuration: 1 CCCH, not combined
  |---- Cell ARFCNs: 
  |---- Neighbour Cells: 91, 100, 105, 167, 169, 110, 163, 165, 168, 169
ARFCNFreq.CIDLACMCCMNCPWR
105956.0M21199711572686-39
Cell broadcast Info

ARFCN and Freq

Absolute Radio Frequency Channel Number – The number 105 identify the pair of dedicated radio carriers to Downlink and Uplink. Our Example is 105 it uses the frequency 956.0M to downstream and 911.0M to upstream on this tutorial we only use the Downstream frequency 956.0M our RTLSDR can only receive (RX) data.

GSM Cell Identification and Location Area Code

The CID code 211997 identify the BTS or a group of BTSs in the LAC 1157.

GSM CID and LAC
GSM CID and LAC

MCC and MNC

The Mobile Country Code 268 defines the country (PT) inside the GSM networks and the Mobile Network Country number 6 (MNC) identify the network operator on this case number 6 is MEO PT.

Capture data on specific GSM ARFCN (channel)

Cell Broadcast
grgsm_livemon
grgsm_livemon_headless -p 30.250 -f 956.0e6
Cell Broadcast
grgsm_livemon_headless

CCCH – Common Control Channel Packets

Open Wireshark and verify ccch packets

wireshark -k -f udp -Y gsm_a.ccch -i lo
CCCH - Common Control Channel Packets
CCCH – Common Control Channel Packets

SI System Information Messages

CCCH – System Information Type 1

This message is sent on the BCCH by the network to all mobile stations within the cell giving information of control of the RACH and of the cell allocation.ip a

CCCH - System Information Type 1
CCCH – System Information Type 1
INFORMATION TYPE 1 message content
INFORMATION TYPE 1 message content

CCCH – System Information Type 2

CCCH - System Information Type 2
CCCH – System Information Type 2

CCCH – System Information Type 3

CCCH - System Information Type 3
CCCH – System Information Type 3

CCCH – System Information Type 4

CCCH - System Information Type 4
CCCH – System Information Type 4

CCCH – System Information Type 13

CCCH - System Information Type 13
CCCH – System Information Type 13

Cell Broadcast

Paging Request Messages

https://osmocom.org

GSM ARFCN frequency calculator

How to Install srsLTE on Kali Linux

Categorized in:

GSM Hacking,