GRGSM Scanner: Capture BTS Broadcast Unencrypted Data

How to Sniff GSM Networks with Kali Linux on RaspberryPI

GSM Passive Recon Box

To capture GSM downstream data we need specific hardware and the right tools. Nowadays it is easy to capture GSM broadcast data, and some mobile exchange data, with inexpensive gear.

  • RaspberryPI 4 or RPI3
  • USB RTL SDR
  • PowerBank

Tools

Questions

What BTS are around us?

What are the BTS Identification Codes?

What is the BTS Location?

What frequencies do the BTS use?

What TMSIs are attached to a BTS?

Sniff GSM Networks

After all the equipment is powered up and all tools are installed, it is time to detect the Base Station signals that are broadcast unencrypted. To detect the information broadcast by BTSs we will use the grgsm_scanner tool with a few parameters.

[Figure: grgsm_scanner – GSM BTS broadcast info]

The grgsm_scanner tool can scan different frequency bands; in my country (PT) we use GSM900. At this point it is possible to detect all cell broadcast info.

[Figure: grgsm_scanner options]

Detect GSM frequency and channels from BTSs around us

Capture Broadcast Cell Information

┌──(root💀OffSec)-[~]
└─$ grgsm_scanner --band=GSM900 --gain=34 --speed=5 --args=rtl=0 -v

ARFCN:  105, Freq:  956.0M, CID: 21997, LAC:  1157, MCC: 268, MNC:   6, Pwr: -32
  |---- Configuration: 1 CCCH, not combined
  |---- Cell ARFCNs: 
  |---- Neighbour Cells: 91, 100, 105, 167, 169, 110, 163, 165, 168, 169
ARFCN  Freq.   CID     LAC   MCC  MNC  PWR
105    956.0M  211997  1157  268  6    -39

Cell broadcast info

ARFCN and Freq

Absolute Radio Frequency Channel Number – the number 105 identifies the pair of radio carriers dedicated to downlink and uplink. In our example, ARFCN 105 uses the frequency 956.0M for downstream and 911.0M for upstream. In this tutorial we only use the downstream frequency 956.0M, since our RTL-SDR can only receive (RX) data.

CID – GSM Cell Identification

The CID code 211997 identifies the BTS, or a group of BTSs, within Location Area Code (LAC) 1157.

[Figure: GSM CID and LAC]

MCC and MNC

The Mobile Country Code 268 identifies the country (PT) within the GSM networks, and the Mobile Network Code (MNC) 6 identifies the network operator; in this case number 6 is Vodafone PT.
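The scanner output above is easy to read by eye, but for a site survey you want it as structured records, with the ARFCN, CID/LAC and MCC/MNC fields explained in the last sections checked automatically. The following script is an added example, not code from this tutorial or from gr-gsm: it parses text in the shape grgsm_scanner prints (the scan above is embedded as a constructed sample), derives the uplink/downlink carrier pair from the ARFCN with the standard 3GPP TS 45.005 formulas (going beyond the GSM900 case in the text to E-GSM, GSM850 and DCS1800), and flags any cell whose reported frequency disagrees with its ARFCN. KNOWN_PLMN is a constructed stub holding only the mapping the tutorial states (268/6 = Vodafone PT); a real tool would load the full list from mcc-mnc.com.

```python
"""Parse grgsm_scanner output and cross-check each cell against the GSM ARFCN plan.

Added example, not code from this tutorial or from gr-gsm. SAMPLE_SCAN is the scan
shown above, embedded as constructed input; KNOWN_PLMN is a constructed stub that
holds only the mapping the tutorial states (MCC 268 / MNC 6 = Vodafone PT).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: one cell, copied from the grgsm_scanner run shown above.
SAMPLE_SCAN = """\
ARFCN:  105, Freq:  956.0M, CID: 21997, LAC:  1157, MCC: 268, MNC:   6, Pwr: -32
  |---- Configuration: 1 CCCH, not combined
  |---- Cell ARFCNs:
  |---- Neighbour Cells: 91, 100, 105, 167, 169, 110, 163, 165, 168, 169
"""

CELL_RE = re.compile(
    r"ARFCN:\s*(?P<arfcn>\d+),\s*Freq:\s*(?P<freq>[\d.]+)M,\s*CID:\s*(?P<cid>\d+),"
    r"\s*LAC:\s*(?P<lac>\d+),\s*MCC:\s*(?P<mcc>\d+),\s*MNC:\s*(?P<mnc>\d+),"
    r"\s*Pwr:\s*(?P<pwr>-?\d+)"
)
KNOWN_PLMN: Dict[Tuple[int, int], str] = {(268, 6): "Vodafone PT"}  # constructed stub


@dataclass
class Cell:
    arfcn: int
    freq_mhz: float
    cid: int
    lac: int
    mcc: int
    mnc: int
    pwr_dbm: int
    configuration: str = ""
    cell_arfcns: List[int] = field(default_factory=list)
    neighbours: List[int] = field(default_factory=list)


def _int_list(text: str) -> List[int]:
    return [int(x) for x in text.split(",") if x.strip()]


def parse_scan(text: str) -> List[Cell]:
    """Turn each grgsm_scanner cell header plus its '|----' detail lines into a Cell."""
    cells: List[Cell] = []
    for raw in text.splitlines():
        m = CELL_RE.match(raw)
        if m:
            cells.append(Cell(int(m["arfcn"]), float(m["freq"]), int(m["cid"]), int(m["lac"]),
                              int(m["mcc"]), int(m["mnc"]), int(m["pwr"])))
            continue
        line = raw.strip()
        if not cells or not line.startswith("|----"):
            continue
        key, _, value = line[len("|----"):].partition(":")
        key = key.strip()
        if key == "Configuration":
            cells[-1].configuration = value.strip()
        elif key == "Cell ARFCNs":
            cells[-1].cell_arfcns = _int_list(value)
        elif key == "Neighbour Cells":
            cells[-1].neighbours = _int_list(value)
    return cells


def arfcn_to_freq(arfcn: int) -> Tuple[str, float, float]:
    """Return (band, uplink MHz, downlink MHz) per 3GPP TS 45.005 section 2.
    512..885 is treated as DCS1800 (European allocation); PCS1900 reuses those numbers."""
    if 0 <= arfcn <= 124:                       # P-GSM 900 (ARFCN 0 belongs to E-GSM)
        ul = 890.0 + 0.2 * arfcn
        band, dl = ("E-GSM900" if arfcn == 0 else "P-GSM900"), ul + 45.0
    elif 975 <= arfcn <= 1023:                  # E-GSM 900 extension below P-GSM
        ul = 890.0 + 0.2 * (arfcn - 1024)
        band, dl = "E-GSM900", ul + 45.0
    elif 128 <= arfcn <= 251:                   # GSM 850
        ul = 824.2 + 0.2 * (arfcn - 128)
        band, dl = "GSM850", ul + 45.0
    elif 512 <= arfcn <= 885:                   # DCS 1800 (duplex spacing 95 MHz)
        ul = 1710.2 + 0.2 * (arfcn - 512)
        band, dl = "DCS1800", ul + 95.0
    else:
        raise ValueError(f"ARFCN {arfcn} is not in a GSM band handled here")
    return band, round(ul, 1), round(dl, 1)


def freq_matches(cell: Cell) -> bool:
    """True when the downlink the scanner reported agrees with the ARFCN it decoded."""
    return abs(arfcn_to_freq(cell.arfcn)[2] - cell.freq_mhz) < 0.05


def plmn_name(mcc: int, mnc: int) -> str:
    return KNOWN_PLMN.get((mcc, mnc), f"unknown PLMN {mcc:03d}-{mnc:02d}")


def describe(cell: Cell) -> str:
    band, ul, dl = arfcn_to_freq(cell.arfcn)
    flag = "" if freq_matches(cell) else "  ** reported freq disagrees with ARFCN **"
    return (f"ARFCN {cell.arfcn} ({band}: DL {dl} MHz / UL {ul} MHz) CID {cell.cid} LAC {cell.lac} "
            f"{plmn_name(cell.mcc, cell.mnc)} {cell.pwr_dbm} dBm, "
            f"{len(cell.neighbours)} neighbours{flag}")


if __name__ == "__main__":
    for c in parse_scan(SAMPLE_SCAN):
        print(describe(c))
```

To run it on a real survey, pipe the scanner into a file (`grgsm_scanner --band=GSM900 ... > scan.txt`) and pass the file contents to `parse_scan`; keeping the resulting records from successive surveys gives you a baseline of which cells, LACs and neighbour lists are normal at a site.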

Capture data on specific GSM ARFCN (channel)

[Figure: grgsm_livemon]
┌──(kali㉿OffSec)-[/]
└─$ grgsm_livemon_headless -p 30.250 -f 956.0e6
[Figure: grgsm_livemon_headless]

CCCH – Common Control Channel Packets

Open Wireshark and verify the CCCH packets

┌──(kali㉿OffSec)-[/]
└─$ wireshark -k -f udp -Y gsm_a.ccch -i lo
[Figure: CCCH – Common Control Channel Packets]

SI System Information Messages

CCCH – System Information Type 1

This message is sent on the BCCH by the network to all mobile stations within the cell, giving information on the control of the RACH and on the cell allocation.

[Figure: CCCH – System Information Type 1 message content]

CCCH – System Information Type 2

[Figure: CCCH – System Information Type 2]

CCCH – System Information Type 3

[Figure: CCCH – System Information Type 3]

CCCH – System Information Type 4

[Figure: CCCH – System Information Type 4]

CCCH – System Information Type 13

[Figure: CCCH – System Information Type 13]

Paging Request Messages

https://osmocom.org

GSM ARFCN frequency calculator

How to Install srsLTE on Kali Linux

https://www.mcc-mnc.com/