
gsm - THC Wiki


The GSM Software Project

CURRENT ACTIVITIES (2008-04-04):
1. Merging gsmsp's channel decoding and gsmdecode into gsm-tvoid (2008-04-04 DONE)
2. Implementing channel hopping on USRP chip

Contents
1. LICENSE
2. About
   1. What we want to do
   2. Who we are
   3. Howto use this site
   4. Contact
   5. Legal Issues
3. NEWS
4. The Projects
   1. The GSM Receiver Project
   2. The GSM Sending and Channel Hopping Project
   3. The OpenTsm Project
   4. The A5 Cracking Project
   5. The GSM Decoding Project
   6. The Debug Trace Project
   7. The SimCom Trace Project
   8. The UMTS/3G Project
   9. The SIM Toolkit Research Project
5. The GSM/USRP Receiver Project
   1. Priorities
   2. Wanted
   3. Different approaches
   4. Project Stages and Schedule
      1. Receiving Stages
      2. Tips and Tricks
   5. Hardware requirements / Where to buy
   6. First Steps
      1. Understanding GSM
      2. Beginners Guide to GSM in MatLab
      3. Analyzing GSM data in Octave by Piotr
      4. Analyzing BS signals with Gnu Radio
      5. Challenge 1
         1. Tore's results
         2. Frank J.'s results
         3. SignalScamp's results
      6. OT460 Trace Mobile - An Excursion
      7. Installing GnuRadio / Cygwin
      8. NetMonitor
      9. BTS searching by Robert
      10. Build your own Antenna - by Robert
   7. Design Proposal
   8. ISI, Timing Recovery and others
   9. Viterbi and Channel Estimation and Equalization
   10. The Nokia Approach
      1. Decoding SMS
      2. Decoding TCH
   11. The Ericsson TEMS Approach
   12. The Vitel TSM30 Approach
   13. The MADos Approach
   14. Mysteries
      1. Mystery 1: TMSI f
      2. Mystery 2: Unknown RRM 06 07
      3. Mystery: Pseudo Length 0 but data
   15. Converting ARFCN to Frequency
6. RELEASES
   1. Tips and Tricks
   2. Sample Data for people without a USRP
   3. Developer Source Code Access
   4. GSSM
   5. GSM tvoid
   6. GSMSP
   7. Gsmdecode
7. HELP
   1. Donations
   2. Who can help
   3. How to help
8. Links
   1. Similar Projects
   2. Specs & Docs
   3. Suggested reading
   4. Hardware

12/08/2008 11.14

1. LICENSE

GSM Software Project License Version 1, January 2007

All code, information or data [from now on "data"] available from the GSM Software Project or any other project linked from this or other pages is owned by the creator who created the data. The copyright, license right, distribution right and any other rights lie with the creator. It is prohibited to use the data without the written agreement of the creator. This includes using ideas in other projects (commercial or not commercial). Where data was created by more than 1 creator, a written agreement from each of the creators has to be obtained. If the creator decides to release the data under a different license (like GPL) then he is free to do so. This license is for all data not covered by a license. Please contact steve [at] for any questions.

2. About

2.1. What we want to do

We want to bring together all the folks that are interested in building a GSM receiver. GSM is the world's largest mobile phone standard. GSM 2.5 is currently in use and some countries are (slowly) migrating to GSM 3 (3G, UMTS, ...). Available GSM analyzers cost a shitload of money for no good reason. Our goal is to build a GSM analyzer for less than $1000. From there we have an unlimited number of possibilities of what we can do:
1. Understand GSM and verify the implementation and what kind of data is flying through the ether.
2. Analyze debug traces from DCT3 mobiles. See DCT3 Debug Trace Project.
3. Track/locate a GSM mobile. This can be done with just 1 GSMSP receiver.
4. Crack A5 and prove to the public that GSM is insecure. See A5 Cracking Project.
5. Create our own baby cells. Imagine running your own BaseStation in your house, university campus, convention or local area. Calling inside the baby cell would be free and calling others via an asterisk/skype gateway would be extremely cheap.
6. Analyze and learn about OTA messages that the operators use to upgrade our phones (without our knowledge). (That's SIM toolkit, ringtones, logos, ...)
7. We can detect if a GSM MitM attack is happening in our area (e.g. we can detect if somebody else is sniffing a conversation in a 7+ mile radius).

A separate project is designing its own RF board to receive GSM signals. Please take a look at

2.2. Who we are


This is a research project by people who feel passionate about GSM and gnuradio. We started this because we could not find a site where people can share ideas about homebuilt GSM receivers/scanners and we think GSM software receivers are a cool thing to have. And DECT too...

2.3. Howto use this site

There is a mailing list for discussions. To subscribe send an empty email to . To retrieve an archive please send a mail to for the last 30 messages. Please read the ezmlm howto for other commands. Please feel free to edit this page and add your comments and ideas. Please start your comments with "(yyyy/mm/dd, name, comment here)". Use our web-share at to upload and share files with others. There are some photos online at

2.4. Contact

I can be reached at steve at (PGP Key). Some of us are hanging out on the freenode IRC channels #gnuradio and #gsm.

2.5. Legal Issues

I have consulted a lawyer in London to find out if what we do is legal or not. These are the results: There is no direct law that forbids what we are doing (companies like Nokia and Sagem are doing exactly the same: manufacturing GSM scanners that anyone can buy). These are the legal implications in the UK:
1. Security research in general is not forbidden.
2. Designing a GSM receiver is ALLOWED (Nokia does it. Sagem does it).
3. Publishing the design/research is ALLOWED.
4. Receiving GSM signals is ALLOWED.
5. Decoding (e.g. cracking) your own GSM signals is ALLOWED.
6. Decoding somebody else's GSM signals is NOT allowed (DANGER).
7. Setting up a baby cell is allowed if you acquire a license (any bank building in Canary Wharf/London runs its own GSM baby cell).

The bottom line is: Publishing the research is ok. As long as you receive your own traffic and only send after you got the license you are on good ground. This is based on UK law. European law is similar (if not more relaxed). USA law might be completely different and I highly advise checking with a lawyer. If you do so, please let me know the results.


3. NEWS

2008/06/13 Lyrtech Releases GSM Femto Cell SDR SDK
2008/04/04 Sending and Channel Hopping Project started.
2008/03/31 First Pictures of A5 Cracker available.
2008/03/12 SIM Toolkit Research Project started.
2008/01/06 SimCom Trace Project started.
2007/12/13 Piotr shows how to simulate a GSM decoder in Octave
2007/11/21 UMTS Project started.
2007/10/22 Split into sub-projects. GSM Decoder Project online
2007/10/12 Pawel's GSM Scanner Tutorial
2007/08/16 OpenTSM Project started.
2007/08/14 CCC Camp07 GSM Software Project and A5 Cracking Talk online.
2007/08/04 TSM Challenge updated.
2007/07/25 How to build your own GSM antenna - UPDATED VERSION.
2007/07/11 Photo section online. Add your own photos and screenshots.
2007/07/09 gssm-v0.1.1a released.
2007/07/02 How to build your own GSM antenna.
2007/07/01 gsm-tvoid-0.0.2 released.
2007/06/25 gsm-tvoid-0.0.1 released.
2007/06/08 gsmdecode-0.7bis released.
2007/06/05 GSMSP released. Alternative GSM implementation.
2007/06/04 GSSM released. Alpha but stable.
2007/05/22 Wanted Section added.
2007/05/20 gsmdecode-0.5 released (with SMS decoding support)
2007/04/27 gsmdecode-0.4 released.
2007/04/16 Decoded SMS published and gsmdecode-0.2.
2007/04/11 Nokia DCT3 Trace Mobile results and ideas online
2007/04/01 Finding a BaseStation with the USRP by Robert
2007/03/13 gsmsp v0.0.1a released (alpha alpha)
2007/03/02 MatLab Toolkit and a Beginners Guide of how to analyze GSM data released.
2007/02/19 Tore won the Challenge. His results are public. Also published some info regarding the OT460 Trace Mobile.
2007/02/16 Survey started. Please fill out and help us understand who/what we are/need.
2007/02/08 Challenge started to win a USRP + Extensions. Deadline is Sun 18th of February 2007 23:59.
2007/01/25 We decided for the USRP ( (Chip vendors do not like us and won't give us documentation. Motivation++. You may hide the docs from us but you can not hide the GSM frames from us!)
2007/01/12 Tore joined our team as first RF engineer. Welcome on board Tore!
2007/01/10 THC donated $999 as a research fund! Please contact me if you can donate ettus hardware or help otherwise.


2007/01/10 Project announced.
2007/01/04 wiki online

4. The Projects

This wiki started as a project for receiving GSM signals. Over time many other projects surfaced. Each of the projects deserves its own wiki. A short description and link to the wiki are listed here.

4.1. The GSM Receiver Project

Location:

This project is about receiving GSM signals using the USRP.

4.2. The GSM Sending and Channel Hopping Project

Location:

This project is about sending GSM signals using the USRP and implementing channel hopping for receiving.

4.3. The OpenTsm Project

Loc