Installing GR-GSM With Gnuradio-38 in Ubuntu-2004 Using LimeSDR
medium.com/@Dr.Signal/gr-gsm-with-gnuradio-3-8-in-ubuntu-20-04-using-limesdr-e4ef9c9377a8
Well, this gr-gsm tool is so famous that it made people from other domains, hackers and otherwise, go and search for what SDR is. Yes, that's true. So, what is gr-gsm? Why is it famous? Let's understand a little about it: what it does and how it works.
gr-gsm was developed by ‘’ back in 2014 or so. He and a few others worked out how to sniff GSM packets, break the algorithms, and retrieve SMS or voice data as part of their security research after the vulnerabilities in GSM became known.
You might be wondering where this actually works in real life, how it captures packets in real life, etc. So, let's begin.
Let us only consider the initial part of the above figure and leave the rest, because we are not setting up a rogue BTS here. You can notice that there is a mobile station (MS), which is basically your mobile phone or 2G medium, communicating directly with the Base Transceiver Station (BTS). The BTS transmits and receives information wirelessly on the specific frequency it is set to.
The carrier owners (AT&T, Airtel, etc.) are allocated a specific frequency range to communicate with the MS; this is regulated by the Department of Telecommunication. So, once your MS is turned on, it continuously communicates with the BTS it is supposed to connect to.
When I say BTS, people think of a huge tower with antennas, rectangular or parabolic. Something like this.
But this is only a tower with just the antennas. It only receives and transmits the signal. The actual BTS looks something like this; I mean the processing and computation part (the electronic unit) looks like this.
Now, what gr-gsm does is, with the help of an SDR, capture the signal from the BTS and convert it into digital data.
Please check out how to install before we go further.
cd $HOME
mkdir rf; cd rf
Once this setup is done, you should be able to see the installed apps.
grgsm_decode - program for decoding the C0 channel, which is closest in functionality to the old gsm-receiver from the Airprobe project, with the ability to decode signalling channels and traffic channels with speech (analysis of the data can be performed in Wireshark; decoded sound is stored to an audio file),
grgsm_livemon - interactive monitor of a single C0 channel with analysis performed by Wireshark,
grgsm_scanner - an application that scans GSM bands and prints information about base transceiver stations transmitting in the area,
grgsm_capture - program for capturing GSM signal to a file that can later be processed by grgsm_decode,
grgsm_channelize - splits a wideband capture file into multiple files, each containing a single GSM channel.
grgsm_scanner
You can check that all the BTS located near you are displayed in the terminal.
CID: A GSM Cell ID (CID) is a generally unique number used to identify each base transceiver station (BTS), or sector of a BTS, within a location area code (LAC) if not within the whole GSM network.
LAC: A location area code (LAC) is used to find the location of the MS. The entire region covered by each GSM PLMN is divided into different location areas, and the LAC identifies each location area.
MCC: Mobile Country Codes (MCC) are used to identify the country to which a mobile subscriber belongs. In order to uniquely identify a mobile subscriber's network, the MCC is combined with a Mobile Network Code (MNC).
MNC: The MNC is used to uniquely identify a specific GSM PLMN network in a certain country (decided by the MCC). … The MNC is used in the international mobile subscriber identity (IMSI) and the location area identity (LAI).
You can also calculate the frequency from the ARFCN value.
You can check the frequency, 948.4 MHz, in gqrx to see the signal strength.
Now you know what the ARFCN, MCC and MNC values are. Choose specific channel values to proceed further. I chose ARFCN 67 with frequency 948.4 MHz.
If you tune correctly, you should see 2b packets flooding in immediately.
Select the 2G-only option on your mobile.
I selected the first option there, because that is exactly the ARFCN 67 channel.
There are actually different types (numbers) of paging requests and system information messages, which are exchanged for different purposes.
In this DTAP packet (a location update request), you can check the MCC, the LAC and the A5/1 cipher used to communicate. The LAC is basically a location code.
You can check System Information Type 6, which is the tower information exchange.
Like this, you can get a lot of information from livemon. You can also use grgsm_capture to capture the packets and then grgsm_decode to decode the captured data according to the type of channel. Also, decryption keys like Kc (for the A5 cipher) are necessary depending on the channel.
I will leave you with this and let you play with the rest. Please leave me comments if you want me to write about grgsm_capture and grgsm_decode.
Thank You
I am writing this blog after wasting a lot of hours on how to set up a proper SDR lab, and to help the many beginners looking for solutions in RF | SDR setup who face a lot of trouble installing the software stacks and waste time. This might save a lot of time for a few. Yes, I had many doubts about Ubuntu 20.04, like how it would support many of the dependencies for SDR software. TBH, it made most of the setups very easy.