Installing GR-GSM With Gnuradio-38 in Ubuntu-2004 Using LimeSDR

The document discusses installing and using gr-gsm, an open-source GSM monitoring tool, with GNU Radio on Ubuntu 20.04. It explains how to clone and compile the gr-gsm source code and install its applications. The summary describes the key applications and demonstrates capturing live GSM traffic and decoding control channels and identifiers using a LimeSDR and grgsm_livemon. The goal is to help beginners set up an SDR lab and understand how gr-gsm can be used to analyze local GSM network traffic.


Installing gr-gsm with gnuradio-3.8 in Ubuntu-20.04 using LimeSDR
medium.com/@Dr.Signal/gr-gsm-with-gnuradio-3-8-in-ubuntu-20-04-using-limesdr-e4ef9c9377a8

Disclaimer: This is purely for educational and knowledge purpose!!!

😆
Well, this gr-gsm tool is so famous that it made hackers and people from other domains search for what SDR is. Yes, that's true. So, what is this gr-gsm? Why is it famous? Let's understand a little about it: what it does and how it works.

gr-gsm was developed by ‘’ back in 2014 or so. He and a few others worked out how to sniff GSM packets, break the algorithms and retrieve SMS or voice data as part of their security research, after those vulnerabilities in GSM were found.

You might be wondering where this actually works in real life, how it captures packets in real life, etc. So, let's begin.

Let us only consider the initial part of the above figure and leave the rest, because we are not setting up a rogue BTS here. You can notice that there is a mobile station (MS), which is basically your mobile phone or any 2G device, directly communicating with the Base Transceiver Station (BTS). The BTS transmits and receives information wirelessly on the specific frequency it is set to.

The carrier owners (AT&T, Airtel, etc.) are allocated a specific frequency range to communicate with the MS, as regulated by the Department of Telecommunication. So, once your MS is turned on, it continuously communicates with the BTS it is supposed to connect to.

When I say BTS, people think about a huge tower with antennas, rectangular or parabolic, something like this.

But this is only a tower with just the antennas. It just receives and transmits the signal.

The actual BTS looks something like this. I mean to say the processing and computation part (the electronic unit) looks like this.

Processing Unit + Antenna + other setup = entire BTS setup.

Now, what gr-gsm does, with the help of an SDR, is capture the signal from the BTS and convert it into digital data.

Please check out how to install before we go further.

Let’s see how to set it up in Ubuntu-20.04 for gnuradio-3.8.

export PYTHONPATH=/usr/local/lib/python3/dist-packages/:$PYTHONPATH (you might need to set this before you start the installation process)

cd $HOME
mkdir rf; cd rf
git clone <gr-gsm repository URL>
cd gr-gsm
mkdir build
cd build
cmake ..
mkdir $HOME/.grc_gnuradio/ $HOME/.gnuradio/
make
sudo make install
sudo ldconfig
sudo cp -r /usr/local/lib/python3/dist-packages/grgsm/ /usr/lib/python3/dist-packages/

Once this setup is done, you should be able to see the installed apps.

Open a terminal, type grgsm and hit <TAB>.

You can see the installed grgsm apps.

Let us discuss them a little.

grgsm_decode - program for decoding the C0 channel, closest in functionality to the old gsm-receiver from the Airprobe project, with the ability to decode signalling channels and traffic channels with speech (analysis of the data can be performed in Wireshark; decoded sound is stored to an audio file),

grgsm_livemon - interactive monitor of a single C0 channel, with analysis performed by Wireshark,

grgsm_scanner - an application that scans GSM bands and prints information about the base transceiver stations transmitting in the area.

There are the following helper programs for the grgsm_decode application:

grgsm_capture - program for capturing a GSM signal to a file that can later be processed by grgsm_decode,

grgsm_channelize - splits a wideband capture file into multiple files, each containing a single GSM channel.

Let's run a few commands and check.

grgsm_scanner

All the BTSs located near you are displayed in the terminal.

ARFCN — Absolute Radio-Frequency Channel Number is a code that specifies a pair of physical radio carriers used for transmission and reception in a land mobile radio system, one for the uplink signal and one for the downlink signal.

CID — A GSM Cell ID (CID) is a generally unique number used to identify each base transceiver station (BTS) or sector of a BTS within a location area code (LAC), if not within the whole GSM network.

LAC — Location area code (LAC): to find the location of the MS, the coverage region of each GSM PLMN is divided into different location areas. The LAC is used to identify the different location areas.

MCC — Mobile Country Codes (MCC) are used to identify the country to which a mobile subscriber belongs. In order to uniquely identify a mobile subscriber's network, the MCC is combined with a Mobile Network Code (MNC).

MNC — The MNC is used to uniquely identify a specific GSM PLMN network in a certain country (decided by the MCC). … The MNC is used in the international mobile subscriber identity (IMSI) and the location area identity (LAI).

IMSI — An international mobile subscriber identity (IMSI) is a unique number, usually fifteen digits, associated with Global System for Mobile Communications (GSM) and Universal Mobile Telecommunications System (UMTS) network mobile phone users. The IMSI is a unique number identifying a GSM subscriber.

TMSI — The Temporary Mobile Subscriber Identity (TMSI) is a temporary identification number that is used in the GSM network instead of the IMSI to ensure the privacy of the mobile subscriber. The TMSI prevents tracing of the identity of a mobile subscriber by interception of the traffic on the radio link.

You can also calculate the frequency from the ARFCN value.

You can have a look at a specific one in the Bangalore locality.

You can check the frequency (948.4 MHz) in gqrx to see the signal strength.

Now you know what the ARFCN, MCC and MNC values are. Choose specific channel values to proceed further. I chose ARFCN 67, with frequency 948.4 MHz.
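Converting the ARFCN that grgsm_scanner reports into the downlink frequency to pass to grgsm_livemon, as an added example that is not part of the original post (band formulas from 3GPP TS 45.005; the helper names arfcn_to_freq and livemon_freq_arg are my own):

```python
# Added example (not from the original post): GSM ARFCN -> carrier frequency,
# as used to pick "-f 948.4M" for grgsm_livemon from ARFCN 67.
# Band edges and offsets follow 3GPP TS 45.005. PCS 1900 reuses the DCS 1800
# ARFCN numbers, so the caller must say which one they mean via pcs=True.

def arfcn_to_freq(arfcn, pcs=False):
    """Return (band, uplink_MHz, downlink_MHz) for a GSM ARFCN."""
    if pcs:
        if not 512 <= arfcn <= 810:
            raise ValueError(f"ARFCN {arfcn} is outside PCS 1900")
        ul = 1850.2 + 0.2 * (arfcn - 512)
        return "PCS1900", round(ul, 1), round(ul + 80, 1)
    if 0 <= arfcn <= 124:           # P-GSM 900 (ARFCN 0 belongs to E-GSM)
        ul = 890.0 + 0.2 * arfcn
        return "GSM900", round(ul, 1), round(ul + 45, 1)
    if 975 <= arfcn <= 1023:        # E-GSM 900 extension band, below 890 MHz
        ul = 890.0 + 0.2 * (arfcn - 1024)
        return "EGSM900", round(ul, 1), round(ul + 45, 1)
    if 128 <= arfcn <= 251:         # GSM 850
        ul = 824.2 + 0.2 * (arfcn - 128)
        return "GSM850", round(ul, 1), round(ul + 45, 1)
    if 512 <= arfcn <= 885:         # DCS 1800
        ul = 1710.2 + 0.2 * (arfcn - 512)
        return "DCS1800", round(ul, 1), round(ul + 95, 1)
    raise ValueError(f"ARFCN {arfcn} is not in a supported GSM band")


def livemon_freq_arg(arfcn, pcs=False):
    """Downlink carrier formatted the way grgsm_livemon -f takes it, e.g. '948.4M'.

    gr-gsm listens to the downlink (BTS -> MS), so that is the value to tune to."""
    _, _, dl = arfcn_to_freq(arfcn, pcs)
    return f"{dl:g}M"


if __name__ == "__main__":
    band, ul, dl = arfcn_to_freq(67)
    print(band, ul, dl, livemon_freq_arg(67))   # GSM900 903.4 948.4 948.4M
```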

grgsm_livemon -h
sudo wireshark
grgsm_livemon -f 948.4M (I chose to ignore the rest of the sample rate and gain values. Make sure the gain is > 23)

If you tune correctly, you should see 2b packets flooding in immediately.

Yyyaaaayyyy! Check out those 2b packets in your terminal 😍.


Ok, what I have done for demo purposes is set my mobile to 2G mode and capture the (MS ← → BTS) handshake process.

Select the "2G only" option on your mobile.

I selected the first option there, because that is exactly the ARFCN 67 channel.

You can check out the TMSI in paging request 1.

There are actually different paging request types and system information types, which are exchanged for different purposes.

You can see NCC permitted in System Information type 2.

You can see hopping mode off in System Information type 4.

In this DTAP packet, the location update request, you can check the MCC, the LAC and the A5/1 cipher used to communicate. The LAC is basically a location code.

You can check System Information type 6, which is the tower information exchange.

Location Area Identification — MCC/MNC/LAC

Like this you can get a lot of information from livemon. You can also use grgsm_capture to capture the packets and then grgsm_decode to decode the captured data according to the type of channel. Also, decryption keys like Kc or A5 are necessary depending on the channel.

***I will leave you with this and let you play with the rest. Please leave me comments if you want me to write about grgsm_capture and grgsm_decode.

Thank You

I am writing this blog after wasting a lot of hours on how to set up a proper SDR lab, and to help the many beginners who are looking for solutions for an RF | SDR setup, who face a lot of trouble installing the software stacks and waste time. This might save a lot of time for a few. Yes, I had many doubts about Ubuntu-20.04, like how it would support many of the dependencies for SDR software. TBH, it made most of the setups very easy.
