GSM Passive Recon Box
To capture GSM downstream data we need some specific hardware and the correct tools. Nowadays it is easy to capture GSM broadcast data and some mobile exchange data with inexpensive gear.
- RaspberryPI 4 or RPI3
- USB RTL SDR
What BTSs are around us?
What are the BTS identification codes?
What is the BTS location?
What frequencies do the BTSs use?
What T-IMSIs are attached to a BTS?
Sniff GSM Networks
After all the equipment is powered up and all tools are installed, it is time to detect the Base Station signals, which are broadcast unencrypted. To detect the information broadcast by the BTSs we will use the grgsm_scanner tool with a few parameters.
The grgsm_scanner tool can scan different frequency bands; in my country (PT) we use GSM900. At this point it is possible to detect all the cell broadcast information.
Detect GSM frequency and channels from BTSs around us
Capture Broadcast Cell Information
┌──(root💀OffSec)-[~]
└─$ grgsm_scanner --band=GSM900 --gain=34 --speed=5 --args=rtl=0 -v
ARFCN:  105, Freq:  956.0M, CID: 21997, LAC: 1157, MCC: 268, MNC:   6, Pwr: -32
|---- Configuration: 1 CCCH, not combined
|---- Cell ARFCNs:
|---- Neighbour Cells: 91, 100, 105, 167, 169, 110, 163, 165, 168, 169
ARFCN and Freq
Absolute Radio Frequency Channel Number. The number 105 identifies the pair of radio carriers dedicated to the downlink and the uplink. In our example ARFCN 105 uses the frequency 956.0 MHz for the downstream and 911.0 MHz for the upstream. In this tutorial we only use the downstream frequency 956.0 MHz, because our RTL-SDR can only receive (RX) data.
CID – GSM Cell Identification
The CID 21997 identifies the BTS, or a group of BTSs, within the Location Area Code (LAC) 1157.
MCC and MNC
The Mobile Country Code (MCC) 268 identifies the country (PT) inside the GSM networks, and the Mobile Network Code (MNC) 6 identifies the network operator; in this case number 6 is Vodafone PT.
Capture data on specific GSM ARFCN (channel)
┌──(kali㉿OffSec)-[/]
└─$ grgsm_livemon_headless -p 30.250 -f 956.0e6
CCCH – Common Control Channel Packets
Open Wireshark and verify the CCCH packets
┌──(kali㉿OffSec)-[/]
└─$ wireshark -k -f udp -Y gsm_a.ccch -i lo
SI System Information Messages
CCCH – System Information Type 1
This message is sent on the BCCH by the network to all mobile stations within the cell, giving information on the control of the RACH and on the cell allocation.
CCCH – System Information Type 2
CCCH – System Information Type 3
CCCH – System Information Type 4
CCCH – System Information Type 13