02/08/2023 2G GSM Sniffing using Software Defined Radio

2G GSM Sniffing using

Software Defined Radio

This blog content mainly deals with the implementation of GSM Sniffing using
gr-GSM module and further validating using USRP X310.

The GSM which is abbreviated as Global System for Mobile communication

system is a 2nd generation standards which was developed for the purpose of
digital voice communication system with TDMA /CDMA as a multiplexing
techniques used. It is the standard which evolved in 1980 and lasted till 1990, but
still the architecture of GSM structure is considered as base reference for the
generation like 3G, 4G and for the upcoming 5G technology.

By the end of this blog , we will be able to sniff out the network for 2nd
generation (I.e. performing the process of capturing and monitoring the data
which passes through the network using Sniffing tool). The information like the
location of mobile station and the identification of BTS to which the mobile
station is currently connected with Source port address and destination port
address can be extracted.

read://http_blogspot.tenettech.net/?url=http%3A%2F%2Fblogspot.tenettech.net%2F2019%2F10%2F24%2F2g-gsm-sniffing-using-software-defi… 1/10
02/08/2023 2G GSM Sniffing using Software Defined Radio

Description about USRP X310

We are going to make use of USRP X310 series which is having two RF daughter
board slots supporting the radio frequency signals ranging from DC range to 6
GHz.

What is GSM Sniffing?

The GSM Sniffing as defined above is a process of extracting the complete

information regarding the Mobile station dealing from the source port address to
destination port address, from the country location to the mobile connected
network location, from the amount the packet transmission to the amount of
packet received etc. It is a process of continuously tracking or monitoring the
information for the dedicated mobile users. One can also extract the information
like which mobile user is currently hopping or which user is currently requesting
for the secured end to end channel. It also defines the communication protocols
supported by the particular mobile system.

The Terminologies used in GSM standards

Some of the important terminologies are defined below:

1. MCC (Mobile Country Codes )

read://http_blogspot.tenettech.net/?url=http%3A%2F%2Fblogspot.tenettech.net%2F2019%2F10%2F24%2F2g-gsm-sniffing-using-software-defi… 2/10
02/08/2023 2G GSM Sniffing using Software Defined Radio

It is abbreviated as Mobile Country codes which is defined as a unique three digit

decimal number dedicated for the Countries worldwide. The First digit of country
code indicate the geographical area for example

2 indicate europium countries,

4 is for the Asia and middle eastern areas,
3 indicate North American and
7 are for central and southern part of America.

The Second digit defines the country. For example for India it is represented with
a number zero (0). Hence the India is represented 40 country code. The Third
digit indicates the State allocated based on the communication operators in the
Country. For example, in India Reliance Jio supports

404-MNC for states like Assam, Himachal Pradesh, Bihar, Orrisa etc .

405-MNC for states like Maharashtra, Karnataka, Gujarat, Madhya Pradesh,

Punjab etc.

2. MNC (Mobile Network Codes)

MNC is abbreviated as Mobile Network Codes which is used in the combination

with the MCC as mentioned above in order to uniquely identify the subscribers in
a given particular areas . For example

404-44 indicates Karnataka by the Spice communication PVT ltd

operator.
404-45 indicates Karnataka by the Airtel operator.
404-71 indicates Karnataka by the BSNL Service operator.
404-86 indicate Karnataka by the Vodafone operator.
405-10 indicates Karnataka by the Reliance Jio operator.
405-803 indicates Karnataka by the AIRCEL operator.

3. ARFCN

ARFCN is abbreviated as Absolute radio frequency channel Number which is

defined as an allocation of a unique number to each radio channel in GSM
standard. With the help of ARFCN, one can identify the uplink and the downlink
frequency used by particular mobile users.

4. BCCH

read://http_blogspot.tenettech.net/?url=http%3A%2F%2Fblogspot.tenettech.net%2F2019%2F10%2F24%2F2g-gsm-sniffing-using-software-defi… 3/10
02/08/2023 2G GSM Sniffing using Software Defined Radio

BCCH is abbreviated as Broadcast control channel is a type of logical channel

used by the base station in a GSM network in order to send information about the
identity of the network. The information obtained by the base station is used by
the mobile user in order to access the network.

5. CCCH

CCCH is abbreviated as the Common control channel is a type of channel which

is used for transferring the control information from all the mobiles stations to the
BTS. It normally occurs when the mobile users is trying to initiate a call or else is
responding to a page.

The Installation of Gr-GSM

Install all needed prerequisites with following command mention bellow:

sudo apt-get update

sudo apt-get install

sudo apt-get cmake

sudo apt-get autoconf

sudo apt-get libtool

sudo apt-get pkg-config

sudo apt-get build-essential

sudo apt-get python-docutils

sudo apt-get libcppunit-dev

sudo apt-get swig

sudo apt-get doxygen

sudo apt-get liblog4cpp5-dev

sudo apt-get python-scipy

read://http_blogspot.tenettech.net/?url=http%3A%2F%2Fblogspot.tenettech.net%2F2019%2F10%2F24%2F2g-gsm-sniffing-using-software-defi… 4/10
02/08/2023 2G GSM Sniffing using Software Defined Radio

sudo apt-get python-gtk2

sudo apt-get gnuradio-dev

sudo apt-get gr-osmosdrsudo apt-get libosmocore-dev

Then download the gr-gsm source and build it with following commands:

git clone https://git.osmocom.org/gr-gsm

cd gr-gsm

mkdir build

cd build

cmake ..

mkdir $HOME/.grc_gnuradio/ $HOME/.gnuradio/

make

sudo make install

sudo ldconfig

Now your gr-gsm module is properly installed.

The Installation of Wireshark Sniffing tool

In order to add the PPA follow the instruction. PPA is used to install the
Wireshark sniffing tool.

sudo add-apt-repository ppa:wireshark-dev/stable

Update the system and install the Wireshark tool using the instruction mentioned
bellow

sudo apt-get update

sudo apt-get install wireshark

read://http_blogspot.tenettech.net/?url=http%3A%2F%2Fblogspot.tenettech.net%2F2019%2F10%2F24%2F2g-gsm-sniffing-using-software-defi… 5/10
02/08/2023 2G GSM Sniffing using Software Defined Radio

Hence Now the Wireshark sniffing tool is installed. Run the command in order to
open the wireshark

Run: wireshark or else sudo wireshark. A page will open like mentioned bellow:

Wireshark

The figure above represents an image of Wireshark Network Analyzer, indicating

the connection of devices to the network via LAN, Ethernet, Wi-Fi, SDR. SDR is
represented by loop back network interfaced using wired medium i.e. Ethernet
cable wire.

Gnu radio flow graph

The figure below represents a flow graph of GSM sniffing. The received signals
from the Base station, the signal are further processed to GSM input adapter. The
GSM input adapter is an adapter of input stream for the GSM receiver. It contains
frequency offset corrector and re-sampler to correct the carrier frequency and
sampling frequency offsets. The GSM clock offset control, provides a limit to the
frequency offset signals with the cut off frequency of 941.4 MHz as a threshold.

read://http_blogspot.tenettech.net/?url=http%3A%2F%2Fblogspot.tenettech.net%2F2019%2F10%2F24%2F2g-gsm-sniffing-using-software-defi… 6/10
02/08/2023 2G GSM Sniffing using Software Defined Radio

Flow graph

The signals are further allowed to pass through the BCCH+CCCH demapper,
which demap the control channels; hence it corresponds to the channel
combination specified in GSM. SDCCH is a type of standalone dedicated control
channel which is used in the GSM standards in order to provide a reliable
connection to signaling and SMS messages. Hence these signals are demapped
using SDCCH/B receiver. In fig above, two Socket PDU is used; one for the UDP
client and other is for UDP Server. The GSM message printer will prepend the
frame count as mentioned in the figure. The receiver is tuned to 941.4 MHz center
frequency in order to receive the 2G signals from the BTS with a channel
Bandwidth 650 KHz.

Results

read://http_blogspot.tenettech.net/?url=http%3A%2F%2Fblogspot.tenettech.net%2F2019%2F10%2F24%2F2g-gsm-sniffing-using-software-defi… 7/10
02/08/2023 2G GSM Sniffing using Software Defined Radio

Result indicating a flat response (NO reception of packages).

Result indicating a reception of packages from BTS.

read://http_blogspot.tenettech.net/?url=http%3A%2F%2Fblogspot.tenettech.net%2F2019%2F10%2F24%2F2g-gsm-sniffing-using-software-defi… 8/10
02/08/2023 2G GSM Sniffing using Software Defined Radio

Received signals decoded and displayed using Wireshark.

Run the Gnu radio flow graph or else type command as

grgsm_livemon

Open the terminal and then type the command to open the Wireshark sniffing tool
to decode the message signal received from the BTS. Click on the loopback
network.

Wireshark or else type sudo wireshark

Tuning the GSM receiver to proper center frequency is very important. Identify
the ARFCN code for any mobile user and then calculate the uplink and downlink
frequency based on the ARFCN. Further substitute the center frequency with the
downlink frequency. In the figure above we can see that a GSM receiver is tuned
with the downlink frequency of 946.2 MHz. Hence some curve frequency
response of signals is obtained. Further analyze the signal in Wireshark .

The extracted information for the selected network provides a information like the
mobile system is in the attempt of connecting to the channel, as it receives the
signals from base station via BCCCH for the identity of network. The ARFCN is
noted as 34 with transmission of packages as zero.It also describe an information
about the source port address and the destination port address with the local area
identification of a mobile user. The mobile user is subscribed to spice
communication PVT ltd, Karnataka with MNC as 44 having MCC as 404
indicating the number is from India.

read://http_blogspot.tenettech.net/?url=http%3A%2F%2Fblogspot.tenettech.net%2F2019%2F10%2F24%2F2g-gsm-sniffing-using-software-defi… 9/10
02/08/2023 2G GSM Sniffing using Software Defined Radio

Inference

While tuning the GSM receiver, proper care is needed in the selection of center
frequency which can help in identifying the reception of packages from BTS.
Hence identify the ARFCN of mobile user and calculate the uplink and downlink
frequency and replace it in the center frequency. Hence some variation in the
frequency plot will be seen. The loopback network has to be selected as it
receives the information from the USRP X310 having a gain of 50 db.

For some more implementation of real time wireless application using Software
defined radio , you can refer the book on ” Practical approach to software
defined radio ”

Amazon : https://www.amazon.in/dp/9389113628

Flipkart : https://www.flipkart.com/practical-approach-software-defined-
radios/p/itm24afc57f04c29

For SDR product related information ,refer

http://tenettech.net/SDR/

read://http_blogspot.tenettech.net/?url=http%3A%2F%2Fblogspot.tenettech.net%2F2019%2F10%2F24%2F2g-gsm-sniffing-using-software-def… 10/10