RTL-SDR Tutorial: Analyzing GSM with Airprobe/GR-GSM and Wireshark

The RTL-SDR software defined radio can be used to analyze cellular phone GSM signals, using Linux based tools GR-GSM (or Airprobe) and Wireshark. This tutorial shows how to set up these tools for use with the RTL-SDR.

Example - Analysing GSM with RTL-SDR Software Defined Radio

Here is a screenshot and video showing an example of the type of data you can receive. You can see the unencrypted GSM packet information. You will not be able to see any sensitive information like voice or text message data since that part is encrypted. Decryption of messages that are not your own is very difficult, illegal and is not covered in this tutorial.

Analyzing Cellular GSM with RTL-SDR (RTL2832), Airprobe and Wireshark

Kali Linux with Airprobe and Wireshark and RTL-SDR Software Defined Radio

First, you will need to find out at what frequencies you have GSM signals in your area. For most of the world, the primary GSM band is 900 MHz; in the USA it starts from 850 MHz. If you have an E4000 RTL-SDR, you may also find GSM signals in the 1800 MHz band for most of the world, and in the 1900 MHz band for the USA. Open up SDRSharp and scan around the 900 MHz (or 850 MHz) band for a signal that looks like the waterfall image below. This is a non-hopping GSM downlink signal. Using NFM, it will sound something like the example audio provided below. Note down the strongest GSM frequencies you can find.

GSM Non Hopping Waterfall Image
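As an added example (not from the tutorial or from gr-gsm), the following Python converts between the channel numbers (ARFCNs) that tools such as kal, gr-gsm and Wireshark report and the downlink frequencies you tune to in SDR#, for the 850/900/1800/1900 MHz bands named above. Band edges and duplex offsets follow 3GPP TS 45.005; the input frequencies in the main block are constructed test values.

```python
"""ARFCN <-> frequency helper for the GSM bands discussed in the tutorial.

Added example, not part of the tutorial or gr-gsm. Channel numbering and
duplex offsets follow 3GPP TS 45.005 section 2; all arithmetic is in kHz
so the 200 kHz channel grid stays exact.
"""

# band name -> (first ARFCN, last ARFCN, uplink kHz of first ARFCN, downlink - uplink kHz)
BANDS = {
    "GSM850":   (128, 251, 824200, 45000),
    "GSM900":   (0, 124, 890000, 45000),      # ARFCN 0 is E-GSM; 1..124 is P-GSM
    "E-GSM900": (975, 1023, 880200, 45000),   # extension block below 890 MHz
    "DCS1800":  (512, 885, 1710200, 95000),
    "PCS1900":  (512, 810, 1850200, 80000),   # same ARFCN range as DCS1800, different band
}
CHANNEL_SPACING_KHZ = 200


def arfcn_to_khz(arfcn, band):
    """Return (uplink_khz, downlink_khz) for an ARFCN in the given band."""
    lo, hi, uplink0, duplex = BANDS[band]
    if not lo <= arfcn <= hi:
        raise ValueError("ARFCN %d is outside %s (%d..%d)" % (arfcn, band, lo, hi))
    uplink = uplink0 + CHANNEL_SPACING_KHZ * (arfcn - lo)
    return uplink, uplink + duplex


def downlink_khz_to_arfcn(khz, bands=None):
    """Map a downlink frequency (kHz) to (band, arfcn, error_khz).

    error_khz is how far the input sits from the nominal channel centre,
    so a tuned value such as 939.363 MHz maps to ARFCN 22 with -37 kHz.
    The DCS1800/PCS1900 ARFCN overlap is harmless here because their
    downlink ranges (1805-1880 vs 1930-1990 MHz) do not overlap.
    """
    best = None
    for band, (lo, hi, uplink0, duplex) in BANDS.items():
        if bands is not None and band not in bands:
            continue
        downlink0 = uplink0 + duplex
        n = lo + int(round((khz - downlink0) / float(CHANNEL_SPACING_KHZ)))
        if not lo <= n <= hi:
            continue
        error = khz - (downlink0 + CHANNEL_SPACING_KHZ * (n - lo))
        if best is None or abs(error) < abs(best[2]):
            best = (band, n, error)
    if best is None:
        raise ValueError("%d kHz is not in a known GSM downlink band" % khz)
    return best


def describe_downlink_mhz(mhz):
    """Convenience wrapper for values read off the SDR# display, e.g. 936.6."""
    band, arfcn, err = downlink_khz_to_arfcn(int(round(mhz * 1000)))
    return "%.3f MHz -> %s ARFCN %d (%+d kHz off nominal)" % (mhz, band, arfcn, err)


if __name__ == "__main__":
    for mhz in (936.6, 939.363, 1842.0):   # constructed inputs
        print(describe_downlink_mhz(mhz))
    print("ARFCN 22 GSM900 uplink/downlink kHz:", arfcn_to_khz(22, "GSM900"))
```

Because DCS1800 and PCS1900 reuse the same ARFCN numbers, tools that log only an ARFCN need a band flag as well (GSMTAP carries a PCS bit for exactly this reason); converting from frequency, as above, never has that ambiguity.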

The rest of the tutorial is performed in Linux and we assume that you have basic Linux skills in using the terminal. For this tutorial we used Ubuntu 14.04 in a VMWare session. You can download the various ready to go Ubuntu VMWare images from here, and the free VMWare player from here. Note that VirtualBox is reported not to work well with the RTL-SDR, as its USB bandwidth capabilities are poor, so VMWare player should be used.

Install GR-GSM

This tutorial is heavily based on the instructions from the gr-gsm GitHub readme at https://github.com/ptrkrysik/gr-gsm.

  1. The easiest way to install gr-gsm is to use Pybombs. Pybombs will automatically install gr-gsm, and all the required dependencies including GNU Radio.
    $ sudo apt-get update
    $ sudo apt-get install git python-pip
    $ sudo pip install PyBOMBS
    $ sudo pybombs prefix init /usr/local -a default_prx
    $ sudo pybombs config default_prefix default_prx
    $ sudo pybombs recipes add gr-recipes git+https://github.com/gnuradio/gr-recipes.git
    $ sudo pybombs recipes add gr-etcetera git+https://github.com/gnuradio/gr-etcetera.git
    $ sudo pybombs install gr-gsm
    $ sudo ldconfig
  2. Plug in your RTL-SDR and connect it to your VM if necessary. Run grgsm_livemon by typing grgsm_livemon at the terminal. A new window should open.
  3. In the new window tune to a GSM downlink frequency which you determined while browsing in SDR# and set the gain appropriately.
  4. Start Wireshark by using sudo wireshark -k -Y '!icmp && gsmtap' -i lo which will automatically start wireshark in the loopback mode with the gsmtap filter activated. You may get an error when opening Wireshark but this can be ignored.
  5. You should now see the GSM data scrolling along in Wireshark.
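Step 4 works because grgsm_livemon (and Airprobe before it) does not talk to Wireshark directly: it wraps every decoded burst in a GSMTAP header and sends it as a UDP datagram to port 4729 on the loopback interface, which Wireshark's gsmtap dissector understands. The following Python, added here as an example and not part of gr-gsm, Airprobe or this tutorial, parses that header (layout per struct gsmtap_hdr in libosmocore's gsmtap.h), names the RR message inside a BCCH/CCCH block (values per 3GPP TS 44.018 table 10.4, the same names Wireshark shows in its Info column), and can read live frames from the same loopback socket. The sample datagram is constructed for the example.

```python
"""Parse GSMTAP datagrams as gr-gsm / Airprobe send them to UDP port 4729 on lo.

Added example, not part of gr-gsm, Airprobe or the tutorial. Header layout
follows struct gsmtap_hdr (libosmocore gsmtap.h); RR message type values
follow 3GPP TS 44.018 table 10.4. SAMPLE_DATAGRAM is constructed here.
"""
import socket
import struct

GSMTAP_UDP_PORT = 4729
GSMTAP_VERSION = 2          # gr-gsm emits version 2 headers
GSMTAP_TYPE_UM = 0x01       # Um (air interface) frames
GSMTAP_ARFCN_F_PCS = 0x8000
GSMTAP_ARFCN_F_UPLINK = 0x4000
GSMTAP_ARFCN_MASK = 0x3FFF
GSMTAP_CHANNEL_ACCH = 0x80  # flag on sub_type: associated control channel

GSMTAP_CHANNEL = {
    0: "UNKNOWN", 1: "BCCH", 2: "CCCH", 3: "RACH", 4: "AGCH", 5: "PCH",
    6: "SDCCH", 7: "SDCCH/4", 8: "SDCCH/8", 9: "TCH/F", 10: "TCH/H",
    11: "PACCH", 12: "CBCH52", 13: "PDCH", 14: "PTCCH", 15: "CBCH51",
}
RR_MESSAGE_TYPES = {
    0x19: "System Information Type 1", 0x1A: "System Information Type 2",
    0x1B: "System Information Type 3", 0x1C: "System Information Type 4",
    0x1D: "System Information Type 5", 0x1E: "System Information Type 6",
    0x21: "Paging Request Type 1", 0x3F: "Immediate Assignment",
}

# version, hdr_len (32-bit words), type, timeslot, arfcn+flags, signal dBm,
# SNR dB, frame number, sub_type, antenna, sub_slot, reserved; big-endian
HDR = struct.Struct("!BBBBHbbIBBBB")


def build_gsmtap(arfcn, timeslot, frame_number, sub_type, payload,
                 signal_dbm=-60, snr_db=20, uplink=False):
    """Build a datagram in the shape the receiver emits (used for the sample)."""
    flags = GSMTAP_ARFCN_F_UPLINK if uplink else 0
    return HDR.pack(GSMTAP_VERSION, HDR.size // 4, GSMTAP_TYPE_UM, timeslot,
                    (arfcn & GSMTAP_ARFCN_MASK) | flags, signal_dbm, snr_db,
                    frame_number, sub_type, 0, 0, 0) + bytes(payload)


def parse_gsmtap(datagram):
    """Decode the GSMTAP header; returns a dict with the L2/L3 payload attached."""
    if len(datagram) < HDR.size:
        raise ValueError("datagram shorter than a GSMTAP header")
    (ver, hdr_len, typ, ts, arfcn, sig, snr, fn,
     sub, ant, subslot, _res) = HDR.unpack_from(datagram)
    hdr_bytes = hdr_len * 4
    if hdr_bytes < HDR.size or hdr_bytes > len(datagram):
        raise ValueError("hdr_len %d inconsistent with datagram length" % hdr_len)
    chan = sub & ~GSMTAP_CHANNEL_ACCH & 0xFF
    return {
        "version": ver, "type": typ, "timeslot": ts,
        "arfcn": arfcn & GSMTAP_ARFCN_MASK,
        "uplink": bool(arfcn & GSMTAP_ARFCN_F_UPLINK),
        "pcs": bool(arfcn & GSMTAP_ARFCN_F_PCS),
        "signal_dbm": sig, "snr_db": snr, "frame_number": fn,
        "channel": GSMTAP_CHANNEL.get(chan, "0x%02x" % chan),
        "acch": bool(sub & GSMTAP_CHANNEL_ACCH),
        "antenna": ant, "sub_slot": subslot,
        "payload": datagram[hdr_bytes:],
    }


def rr_message_name(block):
    """Name the RR message in a 23-byte BCCH/CCCH block (Wireshark's Info column)."""
    # Octet 0 is the L2 pseudo-length, octet 1 the protocol discriminator
    # (low nibble 0x6 = Radio Resource management), octet 2 the message type.
    if len(block) < 3:
        return "block too short"
    if block[1] & 0x0F != 0x06:
        return "non-RR protocol discriminator 0x%x" % (block[1] & 0x0F)
    return RR_MESSAGE_TYPES.get(block[2], "RR message type 0x%02x" % block[2])


# Constructed sample: an SI3 block on BCCH, ARFCN 22 downlink, timeslot 0.
# 0x49 = pseudo-length 18 << 2 | 1; 0x06 = RR; 0x1B = SI3; 0x2B is the L2 filler.
SAMPLE_BLOCK = bytes([0x49, 0x06, 0x1B]) + bytes([0x2B] * 20)
SAMPLE_DATAGRAM = build_gsmtap(22, 0, 123456, 1, SAMPLE_BLOCK)


def listen(max_frames=10, port=GSMTAP_UDP_PORT):
    """Read live frames from the loopback socket grgsm_livemon writes to."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", port))
    seen = []
    while len(seen) < max_frames:
        frame = parse_gsmtap(sock.recv(4096))
        seen.append(frame)
        print("FN %d TS %d %s ARFCN %d: %s" % (frame["frame_number"], frame["timeslot"],
              frame["channel"], frame["arfcn"], rr_message_name(frame["payload"])))
    return seen


if __name__ == "__main__":
    f = parse_gsmtap(SAMPLE_DATAGRAM)
    print(f["channel"], f["arfcn"], f["frame_number"], rr_message_name(f["payload"]))
```

Everything this parser can name (System Information, Paging Request, Immediate Assignment) lives on the broadcast and common control channels, which is precisely the unencrypted signalling the tutorial says you will see; the dedicated-channel payloads that carry calls and SMS arrive ciphered and show up here only as opaque bytes.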

Old Method using Airprobe

Install GNU Radio

You will need to install GNU Radio first in order to get RTL-SDR to work. An excellent video tutorial showing how to install GNU Radio in Kali Linux can be found in the video shown below. Note that I had to run apt-get update in the terminal first, before running the build script, as I got 404 not found errors otherwise. You can also use Marcus Leech's install script to install the latest version of GNU Radio on any Linux OS. Installation instructions can be found here. I recommend installing from source to get the latest version. http://www.youtube.com/watch?v=B8Acp6_3DA0

Update: The new version 3.7 GNU Radio is not compatible with AirProbe. You will need to install GNU Radio 3.6. However, neeo from the comments section of this post has created a patch which makes AirProbe compatible with GNU Radio 3.7. To run it, place the patch file in your airprobe folder and then run patch -p1 < zmiana3.patch.

Install Airprobe

Airprobe is the tool that will decode the GSM signal. I used multiple tutorials to get airprobe to install. First from this University of Freiberg tutorial, I used their instructions to ensure that the needed dependencies that airprobe requires were installed.

Install Basic Dependencies

sudo apt-get -y install git-core autoconf automake libtool g++ python-dev swig libpcap0.8-dev

Update: Thanks to shyam jos from the comments section who has let us know that some extra dependencies are required when using the new Kali Linux (1.0.5) for airprobe to compile. If you've skipped installing GNURadio because you're using the new Kali 1.0.5 with SDR tools preinstalled, use the following command to install the extra required dependencies.

sudo apt-get install gnuradio gnuradio-dev cmake git libboost-all-dev libusb-1.0-0 libusb-1.0-0-dev libfftw3-dev swig python-numpy

Install libosmocore

git clone git://git.osmocom.org/libosmocore.git
cd libosmocore
autoreconf -i
./configure
make
sudo make install
sudo ldconfig

Clone Airprobe

Now, I discovered that the airprobe git repository used in the University tutorial (berlin.ccc.de) was out of date, and would not compile. From this reddit thread I discovered a more up to date airprobe git repository that does compile. Clone airprobe using the following git command.

git clone git://git.gnumonks.org/airprobe.git

Now install gsmdecode and gsm-receiver.

Install gsmdecode

cd airprobe/gsmdecode
./bootstrap
./configure
make

Install gsm-receiver

cd airprobe/gsm-receiver
./bootstrap
./configure
make

Testing Airprobe

Now, cd into the airprobe/gsm-receiver/src/python directory. First we will test Airprobe on a sample GSM cfile. Get the sample cfile, which I found from this tutorial, by typing into the terminal:

cd airprobe/gsm-receiver/src/python
wget https://svn.berlin.ccc.de/projects/airprobe/raw-attachment/wiki/DeModulation/capture_941.8M_112.cfile

Note: The tutorial and cfile link is sometimes dead. I have mirrored the cfile on megaupload at this link. Place the cfile in the airprobe/gsm-receiver/src/python folder. Now open wireshark, by typing wireshark into a second terminal window. Wireshark is already installed in Kali Linux, but may not be in other Linux distributions. Since Airprobe dumps data to a UDP port, we must set Wireshark to listen to this. Under Start in Wireshark, first set the capture interface to lo (loopback), and then press Start. Then in the filter box, type in gsmtap. This will ensure only airprobe GSM data is displayed. Back in the first terminal that is in the python directory, type in

./go.sh capture_941.8M_112.cfile

If everything installed correctly, you should now be able to see the sample GSM data in wireshark.

Receive a Live Channel

To decode a live channel using RTL-SDR type in terminal

./gsm_receive_rtl.py -s 1e6

A new window will pop up. Tune to a known non-hopping GSM channel that you found earlier using SDRSharp by entering the Center Frequency. Then, click in the middle of the GSM channel in the Wideband Spectrum window. Within a few seconds some GSM data should begin to show constantly in wireshark. Type ./gsm_receive_rtl.py -h for information on more options. The -s flag is used here to set the sample rate to 1.0 MSPS, which seems to work much better than the default of 1.8 MSPS; at 1.0 MSPS only one GSM peak should be visible in the wideband spectrum window.

GSM Decoding with Airprobe and Wireshark and RTL-SDR Software Defined Radio

Capturing a cfile with the RTL-SDR (Added: 13/06/13)

I wasn't able to find a way to use airprobe to capture my own cfile. I did find a way to capture one using ./rtl_sdr and GNU Radio however. First save a rtl_sdr .bin data file using the command below, where -s is the sample rate, -f is the GSM signal frequency and -g is the gain setting. (rtl_sdr is stored in 'gnuradio-src/rtl-sdr/src')

./rtl_sdr /tmp/rtl_sdr_capture.bin -s 1.0e6 -f 936.6e6 -g 44.5

Next, download this GNU Radio Companion (GRC) flow graph (scroll all the way down for the link), which will convert the rtl_sdr .bin file into a .cfile. Set the file source to the capture.bin file, and set the file output for a file called capture.cfile which should be located in the 'airprobe/gsm-receiver/src/python' folder. Also, make sure that 'Repeat' in the File Source block is set to 'No'. Now execute the GRC flow graph by clicking on the icon that looks like grey cogs. This will create the capture.cfile. The flow chart will not stop by itself when it's done, so once the file has been written press the red X icon in GRC to stop the flow chart running. The capture.cfile can now be used in airprobe. However, to use this cfile, I found that I had to use ./gsm_receive.py, rather than ./go.sh as a custom decimation rate is required. I'm not sure why, but a decimation rate of 64 worked for me, which is set with the -d flag.

./gsm_receive.py -I rtl_sdr_capture.cfile -d 64
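The GRC flow graph linked above does one simple thing: rtl_sdr writes interleaved unsigned 8-bit I and Q samples, while a .cfile is the same stream as native-endian complex float32 (GNU Radio's gr_complex), so each byte is rescaled from 0..255 to -1.0..+1.0. The Python below, added here as an example and not the tutorial's flow graph nor part of Airprobe, performs that conversion without GNU Radio and also reports how many samples were pinned at the ADC rails, which is the first thing to check when a capture made with a high -g value will not decode. The byte values in the test are constructed.

```python
"""Convert an rtl_sdr .bin capture into the .cfile format gsm_receive.py reads.

Added example, not the tutorial's GRC flow graph and not part of Airprobe.
rtl_sdr writes interleaved unsigned 8-bit I/Q; a .cfile holds the same
samples as native-endian complex float32, which is what the GRC chain
File Source -> UChar To Float -> (x-127.5)/127.5 -> File Sink produces.
"""
import array
import sys

# Constructed sample: +full scale I, -full scale Q, then a near-zero pair.
SAMPLE_RAW = bytes([255, 0, 127, 128])


def iq_u8_to_floats(raw):
    """Map bytes 0..255 onto -1.0..+1.0; returns a flat list [I0, Q0, I1, Q1, ...]."""
    if len(raw) % 2:
        raise ValueError("odd byte count: capture does not end on an I/Q pair")
    return [(b - 127.5) / 127.5 for b in raw]


def iq_u8_to_complex_f32(raw):
    """Pack the rescaled samples as float32 in host byte order (gr_complex layout)."""
    return array.array("f", iq_u8_to_floats(raw)).tobytes()


def clipping_ratio(raw):
    """Fraction of 8-bit samples pinned at 0 or 255, i.e. ADC saturation.

    A high value means the -g gain used for rtl_sdr was too large: bursts
    are distorted and the decoder will print many conv_decode errors.
    """
    if not raw:
        return 0.0
    saturated = raw.count(0) + raw.count(255)
    return saturated / float(len(raw))


def convert_file(src_bin, dst_cfile, chunk=1 << 20):
    """Stream-convert src_bin to dst_cfile; returns the number of complex samples."""
    written = 0
    with open(src_bin, "rb") as fin, open(dst_cfile, "wb") as fout:
        while True:
            raw = fin.read(chunk)       # chunk is even, so I/Q pairs stay aligned
            if not raw:
                break
            fout.write(iq_u8_to_complex_f32(raw))
            written += len(raw) // 2
    return written


def capture_seconds(num_samples, sample_rate_hz):
    """Duration of a capture, e.g. 1e6 for the -s 1.0e6 used above."""
    return num_samples / float(sample_rate_hz)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: %s rtl_sdr_capture.bin rtl_sdr_capture.cfile" % sys.argv[0])
        sys.exit(1)
    with open(sys.argv[1], "rb") as f:
        print("clipping ratio: %.4f" % clipping_ratio(f.read()))
    n = convert_file(sys.argv[1], sys.argv[2])
    print("%d complex samples = %.2f s at 1 MSPS" % (n, capture_seconds(n, 1e6)))
```

Run it on the /tmp/rtl_sdr_capture.bin produced by the rtl_sdr command above and point gsm_receive.py at the resulting .cfile; a clipping ratio well above zero means the gain should be lowered before recapturing.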


Going Further with Decryption

We don't cover how to decode the actual encrypted GSM data here, but this is possible to do with messages going to your own phone once you extract the encryption key for your SIM card. But note that if you want to do this you'll need to put in some good study and research into understanding how GSM actually works before you can even think about trying it. Disclaimer: Only decrypt signals that you are legally allowed to (such as from/to your own cell phone) to avoid breaching privacy.

The most complete video guide is probably the YouTube tutorial by Crazy Danish Hacker, and the most complete web guide is the one by Domonkos P. Tomcsanyi available on his blog here.

A reader wrote in to let us know some information on obtaining the TMSI and Kc numbers, which are useful if you wish to go further and actually decode messages coming from your own phone. He writes:

For some reason, most of posts on the Internet concerning GSM sniffing provide very few examples of how to get our own TMSI and Kc numbers. These rely either on the BlackBerry engineering screen or the use of a SIM-card reader (see for example http://domonkos.tomcsanyi.net/?p=369). I know there are other methods like the one you describe in www.rtl-sdr.com/rtl-sdr-cell-phone-imsi-tmsi-key-sniffer/.

However, I have rarely seen anything related to the Android IMSI-Catcher Detector app. This can be easily installed via the standard repositories and it allows us to send AT commands to the modem provided we root the MS. This procedure works on many devices (I checked it on a Motorola Moto E).

Just a quick reminder of the basic AT+commands:

1. Extraction of IMSI -> AT+CRSM=176,28423,0,0,3.

2. Extraction of Ciphering Key Kc -> AT+CRSM=176,28448,0,0,9 (for SIM),
AT+CRSM=176,20256,0,0,9 (for USIM). First 16 entries.

3. Extraction of TMSI -> AT+CRSM=176,28542,0,0,11. First 8 entries.

The Android IMSI-Catcher Detector provides some additional interesting data, like the cell ID the device is connected to, the LAI, etc.

We note that software such as SimSpyII together with a Sim Card reader can also be used to easily acquire the Kc value.

If you enjoyed this tutorial you may like our book available on Amazon. Available in eBook and paperback formats.

The Hobbyist's Guide to the RTL-SDR: Really Cheap Software Defined radio.

139 Comments
neeo

hi,
i’ve updated the patch for 3.7 a little bit – link http://speedy.sh/A7aP7/zmiana2.patch – now gsm_receive_rtl.py works as well (can be used to live capture)

as noticed by Storyman, the go.sh doesn’t work for example capture file mentioned in article – maybe the file needs some other clock_rate (it wasn’t my testing target in the first place). I was able however to decode srlabs file correctly (with clockrate 100e6) and with 64e6 (default) I’m able to decode files captured with my rtl-sdr.

Storyman

Thanks for the update, and the extra info. I was able to replicate your result!
In the process of messing around with it, I uncovered a problem, too. I noticed that when I clicked the coarse tune window, it was behaving oddly. I tracked the bug down to this:
When gr moved from 3.6 to 3.7, gr::filter::freq_xlating_fir_filter_XXX changed to require the negative of the old value. That is, an offset of -200000 in gr3.6 should be +200000 in gr3.7.
The fix — change this line:
self.offset = -x
to
self.offset = x

However, that got me thinking about what else that sign change could be messing up. Sure enough… there is a tuner correction function built in there, where the gsm receiver function sends back a frequency correction to the top_block.

So I performed the following minor surgery to gsm_receive.py:

class tuner(gr.feval_dd):
    def __init__(self, top_block):
        gr.feval_dd.__init__(self)
        self.top_block = top_block
    def eval(self, freq_offset):
        self.top_block.set_center_frequency(freq_offset)
        return freq_offset

becomes:

class tuner(gr.feval_dd):
    def __init__(self, top_block):
        gr.feval_dd.__init__(self)
        self.top_block = top_block
    def eval(self, freq_offset):
        self.top_block.set_center_frequency(0 - freq_offset)
        return 0 - freq_offset

Aaaaand just like that — capture_941.8M_112.cfile decodes properly under gr3.7 now 🙂

Storyman

Oh, just wanted to say, there’s probably a cleaner approach to fixing these errors. There may be a central point where we can just do a sign change and fix them all or something. I haven’t really investigated any further yet. I was just so happy to get the example cfile to read, finally, that I just rushed here to say how 😉

neeo

you’re absolutely right Storyman – the http://gnuradio.org/redmine/projects/gnuradio/wiki/Move_3-6_to_3-7 clearly states that the change of the sign is needed (but I did abs() – so that’s my mistake).

new version: http://speedy.sh/NBRYB/zmiana3.patch (I did the change in a different location – but it works as well).

ahmad

Well, i went through all the comments on this page.
It does appear from the comments that airprobe only works on kali-linux.
Is that so?
As i m trying to install airprobe on relatively older version of ubuntu i.e. ubuntu 10.04.
So is that worth-less to do so?

Christopher

Also forgot to mention, as per SopaXorzTaker, that one should do make in /src/python/lib and copy gsm.py into /src/python

Christopher

Forgot to mention neither patches are mine, first is by scateu and second is (c) 2014 SopaXorzTaker

Storyman

Christopher,

I’ve applied both patches, and the programs run, but they don’t produce valid output like they do for me under gr3.6. Have you (or anyone, really) actually gotten to a 100% usable state with gr3.7?

Even testing against the capture_941.8M_112.cfile file produces a stream of “sch.c:260 ERR: conv_decode 11” under gr3.7, doing the same test in the same manner as under gr3.6 (which worked perfectly).

Has ANYONE overcome this problem yet? And if so, are you able to share any hints as to how?

Thanks!

mcme

Hi Guys…

I have tried to install the Kali 1.0.6 and then GNURadio 3.7. I have read about the incompatibility with airprobe and I also applied a patch and all worked ok.

When I run the with caputer*.cfile it fails like this:

root@kali:~/airprobe/gsm-receiver/src/python# ./go.sh capture_941.8M_112.cfile 112 0b
Using Volk machine: avx_64_mmx_orc
Key: ‘0000000000000000’
Configuration: ‘0B’
Configuration TS: 0
configure_receiver
gr::buffer::allocate_buffer: warning: tried to allocate
115 items of size 568. Due to alignment requirements
512 were allocated. If this isn’t OK, consider padding
your structure to a power-of-two bytes.
On this platform, our allocation granularity is 4096 bytes.
sch.c:260 ERR: conv_decode 11
sch.c:260 ERR: conv_decode 11
sch.c:260 ERR: conv_decode 10
sch.c:260 ERR: conv_decode 11
sch.c:260 ERR: conv_decode 12
sch.c:260 ERR: conv_decode 11
sch.c:260 ERR: conv_decode 11
sch.c:260 ERR: conv_decode 10
….

And nothing shows up on Wireshark.

Worst if I try to run:

root@kali:~/airprobe/gsm-receiver/src/python# ./gsm_receive_rtl.py -f 939.363M -c 0B
Traceback (most recent call last):
File “./gsm_receive_rtl.py”, line 16, in
from gnuradio import gr, gru, eng_notation, blks2, optfir
ImportError: cannot import name blks2

I get this python error. Seems like there is no patch applied to the IMPORT function of python related to GNURadio 3.7

Any idea?

Mark B.

Problem with python too ;(

OFFTOPIC: go away scriptkiddies!

Mcme

I solved the problem by installing Kali 1.0.6 where GNURadio 3.6.5 is pre-installed. Then downloaded and compiled airprobe.

I have also installed osmocombb RTLSDR libraries to make Kalibrate working.

By running the live capture using gsm-receive i raised the gain to 52 and et voilà … 20 seconds later GSM dataflow showing up on Wireshark.

My advise is not to install GNURadio 3.7 and keep on working with pre installed version on GNURadio on Kali Linux 1.0.6

Mark B.

Now fixed and working on Ubuntu


radie

for step 1 i.e. identifying the exact GSM frequency, one can use kal itself to determine the GSM frequency (instead of via SDR# or gqrx) as long as you know the GSM band (quite easy)

e.g. kal -s 900 (scan GSM band 900 for all GSM signals)
output will be something along the lines of

chan: 1 (908.3MHz – 21.3243kHz) power:xxxxx.xx
chan: 2 (909.5MHz – 22.1231kHz) power:xxxxx.xx
chan: 3 (907.2MHz – 20.3223kHz) power:xxxxx.xx

choose a channel which shows a high power value (i.e. good reception)
translate the corresponding frequency to Hz, e.g. assuming channel 3 has the highest power value of the received channels, 907.2MHz would translate to 907200000 Hz

modify your frequency in the gsm_receive_rtl.py to the corresponding frequency e.g.
gsm_receive_rtl.py -s 1e6 -f 907200000
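The steps in the comment above (scan, pick the strongest channel, turn its MHz value into a plain Hz argument) are easy to get wrong by hand, so here is an added Python example that does them from kal's text output; it is not part of kal (kalibrate-rtl) or of the tutorial. The lines in SAMPLE_KAL_OUTPUT are constructed to match the shape kal prints; channel numbers, offsets and power values are made up. It also turns kal's reported offset into a ppm figure, which is the dongle's crystal error that kal's -c option exists to measure.

```python
"""Pick the strongest GSM channel from `kal -s <band>` output and build the
gsm_receive_rtl.py command line for it.

Added example, not part of kal (kalibrate-rtl) or the tutorial. The lines in
SAMPLE_KAL_OUTPUT are constructed to match the shape kal prints; channel
numbers, offsets and power values are made up.
"""
import re

SAMPLE_KAL_OUTPUT = """\
kal: Scanning for GSM-900 base stations.
GSM-900:
\tchan: 8 (936.6MHz - 1.234kHz)\tpower: 1204566.12
\tchan: 22 (939.4MHz + 0.512kHz)\tpower: 3918207.55
\tchan: 55 (946.0MHz - 2.011kHz)\tpower: 421833.90
"""

# Accepts '-', '+' and the en dash that web pages turn the minus sign into.
LINE_RE = re.compile(
    r"chan:\s*(\d+)\s*\((\d+(?:\.\d+)?)MHz\s*([+\-\u2013])\s*(\d+(?:\.\d+)?)(k?Hz)\)"
    r"\s*power:\s*([\d.]+)")


def parse_kal(text):
    """Return one dict per channel line: chan, nominal_hz, offset_hz, ppm, power."""
    channels = []
    for m in LINE_RE.finditer(text):
        chan, mhz, sign, off, unit, power = m.groups()
        nominal_hz = int(round(float(mhz) * 1e6))
        offset_hz = float(off) * (1000.0 if unit == "kHz" else 1.0)
        if sign != "+":
            offset_hz = -offset_hz
        channels.append({
            "chan": int(chan),
            "nominal_hz": nominal_hz,       # grid frequency: what you pass to -f
            "offset_hz": offset_hz,         # measured error, mostly the dongle crystal
            "ppm": offset_hz / nominal_hz * 1e6,
            "power": float(power),
        })
    return channels


def strongest(channels):
    """The channel with the best reception, as the comment above suggests."""
    if not channels:
        raise ValueError("no channel lines found in kal output")
    return max(channels, key=lambda c: c["power"])


def receive_command(channel, sample_rate="1e6"):
    """The ./gsm_receive_rtl.py invocation for this channel, in plain Hz."""
    return "./gsm_receive_rtl.py -s %s -f %d" % (sample_rate, channel["nominal_hz"])


if __name__ == "__main__":
    chans = parse_kal(SAMPLE_KAL_OUTPUT)
    for c in sorted(chans, key=lambda c: -c["power"]):
        print("chan %3d %d Hz  offset %+.0f Hz (%+.2f ppm)  power %.0f" %
              (c["chan"], c["nominal_hz"], c["offset_hz"], c["ppm"], c["power"]))
    print(receive_command(strongest(chans)))
```

In practice you would pipe real output in (kal -s 900 | python3 this_script.py with a small change to read stdin); the ppm column should be roughly the same for every channel, which is a quick sanity check that the offsets are crystal error rather than noise.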

tages

Not sure if anyone else had issues running the apt-get install commands, but I did. I ended up installing Ubuntu’s software center and was able to search for the various packages through there. When I tried installing packages through the command line more than half said they did not exist (?) Just thought I’d share this tip in case anyone has the same issue. I used Kali Linux.

Eru

How to execute .patch file?

Domi

cd thedirectorycontainingthesource
patch -p1 < mypatch.patch

If that doesn't work try with -p0 instead of -p1.

Monti

hello when i try to compile airprobe to decode GSM signals with gnuradio radio i follow the steps, my problem is when I compile the gsm-receiver with the command make,
the error I get is the next one:

compilation terminated. make[5]: * [cch.lo] Error 1 make[5]: se sale del directorio «/home/usuari/Documentos/SDR/airprobe/airprobe/gsm-receiver/src/lib/decoder» make[4]: [all-recursive] Error 1 make[4]: se sale del directorio «/home/usuari/Documentos/SDR/airprobe/airprobe/gsm-receiver/src/lib/decoder» make[3]: [all-recursive] Error 1 make[3]: se sale del directorio «/home/usuari/Documentos/SDR/airprobe/airprobe/gsm-receiver/src/lib» make[2]: [all-recursive] Error 1 make[2]: se sale del directorio «/home/usuari/Documentos/SDR/airprobe/airprobe/gsm-receiver/src» make[1]: [all-recursive] Error 1 make[1]: se sale del directorio «/home/usuari/Documentos/SDR/airprobe/airprobe/gsm-receiver» make: * [all] Error 2

And then when I try to test the application i get another error:

Traceback (most recent call last): File “./gsm_receive_rtl.py”, line 16, in from gnuradio import gr, gru, eng_notation, blks2, optfir File “/usr/local/lib/python2.7/dist-packages/gnuradio/blks2/init.py”, line 37, in exec “from gnuradio.blks2impl.%s import *” % (f,) File “”, line 1, in File “/usr/local/lib/python2.7/dist-packages/gnuradio/blks2impl/pfb_interpolator.py”, line 23, in from gnuradio import gr, optfir File “/usr/local/lib/python2.7/dist-packages/gnuradio/optfir.py”, line 33, in remez = gr.remez AttributeError: ‘module’ object has no attribute ‘remez’

I have installed the new Kali Linux 1.06 but airprobe doesn't work, why?
can someone help me please?

Monti

the error for compiling Airprobe
I have found the problem: the rtl-sdr there must be compiled with ./bootstrap and ..... make, and then airprobe gsmdecode is going

adam

Hello!
When I am trying to use 1e6 on the sample rate, I can’t change the frequency or time/fine tune to the right frequency.
The wideband spectrum waves are moving very slowly, also the channel spectrum waves.
How can i fix it?
Thanks!

Domi

You need more CPU power. I had the same issue when I used a Vmware virtual machine, adding one more CPU core in the config solved this problem for me. Real-time sampling takes a lot of CPU power.

adam

Oh.. I’m trying to run it on atom processor. That’s bad.
I guess I can’t use another sample rate. Cause I can tune when I use the default sample rate.
Thank you!

Richard

Very interesting tutorial! Is it possible to see when a User End-device is opening and closing PDP-sessions for the GPRS?

murat

Hello, I have installed gnuradio-3.6.5.1 and airprobe, okay it's working fine, I see data in my terminal and decoded data in my wireshark window but I do not hear any sound. I don't know what I should do to hear sound, must I install VMWare player or not? Please help me, thank you and best regards.

Mark B.

no, it should act like that.
also, how old are you?

Tlc

Well, although I could install airprobe with gnuradio 3.7 using the patch, I still couldn’t decode any example file (tried with capture_941.8M_112.cfile and vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002). I get this:

./go.sh capture_941.8M_112.cfile 64 0b

Using Volk machine: ssse3_32_orc
Key: ’0000000000000000′
Configuration: ’0B’
Configuration TS: 0
configure_receiver
gr::buffer::allocate_buffer: warning: tried to allocate
115 items of size 568. Due to alignment requirements
512 were allocated. If this isn’t OK, consider padding
your structure to a power-of-two bytes.
On this platform, our allocation granularity is 4096 bytes.

And nothing appears in wireshark. If I use other decimation ratios, for example 112:

./go.sh capture_941.8M_112.cfile 112 0b
Using Volk machine: ssse3_32_orc
Key: ‘0000000000000000’
Configuration: ‘0B’
Configuration TS: 0
configure_receiver
gr::buffer::allocate_buffer: warning: tried to allocate
115 items of size 568. Due to alignment requirements
512 were allocated. If this isn’t OK, consider padding
your structure to a power-of-two bytes.
On this platform, our allocation granularity is 4096 bytes.
sch.c:260 ERR: conv_decode 11
sch.c:260 ERR: conv_decode 11
sch.c:260 ERR: conv_decode 11

Any ideas? Thanks!

Tlc

Hi, I’m having a problem very similar to OI. When I run:
./go.sh capture_941.8M_112.cfile
I get:
Traceback (most recent call last):
File “./gsm_receive.py”, line 15, in
import gsm
File “../lib/gsm.py”, line 26, in
_gsm = swig_import_helper()
File “../lib/gsm.py”, line 18, in swig_import_helper
import _gsm
ImportError: ../lib/.libs/_gsm.so: undefined symbol: _Z14gr_fast_atan2fff

I’ve seen the comment from Andy, but my libfftw3-dev package is in its most recent version. Any ideas? Thanks!

Tlc

Sorry, I hadn’t noticed that my problem could be related to the gnuradio version. I tried with the neeo patch, and now it seems to work. Thanks!

neeo

I’ve made a patch to make gsm-receiver (from gnumonks airprobe) compatible with gnuradio >= 3.7. It is a little bit hacky in some places, but it works for me 😉

you can get it here:

neeo

sorry, link didn’t show up: http://speedy.sh/9rYp7/zmiana.patch

neeo

i’ve also created a new version of grc file, that can be loaded in gnuradio-companion (grc) 3.7

http://speedy.sh/pbEZX/rtl2832-cfile.grc

ge0rg

Could you please provide the patch in a way that does not require an EXE file to download? You could create a fork of the code on github.com for example (or e-mail the patch to me so I can host it, my email is linked from my homepage).

Tehrasha

No need to use their executable downloader… just click the filename at the top of the page and it will download normally with the browser.

Jonas

Nice one neeo, but how did you get past the error concerning gnuradio-core, since it was removed in 3.7 you must have solved this problem as well 🙂 This happens when you try to run the ./configure script.

Errors like this:

checking for GNURADIO_CORE... configure: error: Package requirements (gnuradio-core >= 3) were not met:

No package 'gnuradio-core' found

Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.

Alternatively, you may set the environment variables GNURADIO_CORE_CFLAGS
and GNURADIO_CORE_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.

Jonas

And suddenly it worked, after running bootstrap again 🙂

helloj0ker

When I install gsm-receiver of airprobe, the error occurred. How to fix this:
========================================
In file included from GSMCommon.h:34:0,
from GSMCommon.cpp:23:
./Timeval.h: In function ‘void msleep(long int)’:
./Timeval.h:32:49: error: ‘usleep’ was not declared in this scope
In file included from GSMCommon.cpp:23:0:
GSMCommon.h: In function ‘void GSM::sleepFrames(unsigned int)’:
GSMCommon.h:62:36: error: ‘usleep’ was not declared in this scope
GSMCommon.h: In function ‘void GSM::sleepFrame()’:
GSMCommon.h:66:29: error: ‘usleep’ was not declared in this scope
make[5]: *** [GSMCommon.lo] error 1
make[5]: Leaving directory `/root/airprobe/gsm-receiver/src/lib/decoder/openbtsstuff’
make[4]: *** [all-recursive] error 1
make[4]: Leaving directory `/root/airprobe/gsm-receiver/src/lib/decoder’
make[3]: *** [all-recursive] error 1
make[3]: Leaving directory `/root/airprobe/gsm-receiver/src/lib’
make[2]: *** [all-recursive] error 1
make[2]: Leaving directory `/root/airprobe/gsm-receiver/src’
make[1]: *** [all-recursive] error 1
make[1]: Leaving directory `/root/airprobe/gsm-receiver’
make: *** [all] error 2
=============================================

dsound

Has anyone used Kraken? I have it installed on my machine with tables and I’m not sure how to point or configure Kraken or find_kc toward the tables on the HD. I’m a rather new Linux user.

x

I get an error I don't understand. I'm using the latest version of debian :/

./gsm_receive_rtl.py
linux; GNU C++ version 4.7.2; Boost_104900; UHD_003.006.002-1-g8f0f045c

gr-osmosdr v0.0.2-42-g86ecf305 (0.0.3git) gnuradio 3.6.5.1
built-in source types: file fcd rtl rtl_tcp uhd hackrf bladerf netsdr
Using device #0 Realtek RTL2838UHIDIR SN: 00000001
Found Rafael Micro R820T tuner
sample rate: 1800000
>>> gr_fir_ccc: using SSE
>>> gr_fir_ccf: using SSE
Key: ‘ad6a3ec2b442e400’
Configuration: ‘0B’
Configuration TS: 0
configure_receiver
Using Volk machine: sse4_2_64_orc
The program ‘python’ received an X Window System error.
This probably reflects a bug in the program.
The error was ‘BadWindow (invalid Window parameter)’.
(Details: serial 629 error_code 3 request_code 137 minor_code 4)
(Note to programmers: normally, X errors are reported asynchronously;
that is, you will receive the error a while after causing it.
To debug your program, run it with the –sync command line
option to change this behavior. You can then get a meaningful
backtrace from your debugger if you break on the gdk_x_error() function.)

roflcopter

Hey all,

For those of you in the states, have any of you guys had any luck with this? Our possible ranges leave only 1 of the 4 bands usable if using the RTL SDR seeing as the max range is ~1700 (GSM for the states for AT&T and T-Mobile are within 850, 1700, 1900, and 2100 I believe). Therefore, I have only been able to attempt the 850mhz band, but with no such luck. I am currently using a simple TV Antenna. Given the comments for this article, even the stock antenna that comes with the RTL SDR can pick this up. Any thoughts as to what I may be doing wrong? I think that once I find a non-hopping signal, I will be set. In the meantime, I can only find MOTOTRBO signals within this range.

Thoughts?

Dennis

Thank you so much for the tutorial! As soon as I finished reading it, I went out and bought the Terratec E4000. Unfortunately, I am having the same troubles as some of the others. After I installed Airprobe, I got this error message:

root@XXXX:~/sdr/airprobe/gsm-receiver/src/python# ./go.sh capture_941.8M_112.cfile

Traceback (most recent call last):
File “./gsm_receive.py”, line 3, in
from gnuradio import gr, gru, blks2
ImportError: cannot import name blks2

I even tried removing the GNURadio that comes with Kali, and instead installed it in the fashion described in the video-tutorial in your post. But nothing seems to work.

I tried googling the problem, and have now spent several days trying to figure it out – unfortunately without any luck. I hope someone can help me with this problem.

All the best,

//Dennis

Johnson

Hi, I have installed gnuradio 3.7. But when I tried to install gsm-receiver after step “./configure”, I got an error like this: “Package requirements (gnuradio-core >= 3) were not met”. I googled the problem. It seems the new version of gnuradio is not compatible with airprobe. Do you have any idea how to fix it?
Many Thanks

dsound

Great tutorial…the clearest yet! I did have to download many dependencies on my fresh install of Kali in order to install gsm-receiver but now it installed correctly.

When I try to run gsm_receive_rtl.py I get the following errors:
linux; GNU C++ version 4.7.2; Boost_104900; UHD_003.005.003-0-unknown

gr-osmosdr v0.0.x-xxx-xunknown (0.0.3git) gnuradio 3.6.5.1
built-in source types: file fcd rtl rtl_tcp uhd hackrf

FATAL: Failed to open HackRF device (-5) HACKRF_ERROR_NOT_FOUND

Trying to fill up 1 missing channel(s) with gaussian noise.
This is being done to prevent the application from crashing
due to a gnuradio bug. The maintainers have been informed.

sample rate: 0
Traceback (most recent call last):
File “./gsm_receive_rtl.py”, line 230, in
tb = top_block()
File “./gsm_receive_rtl.py”, line 85, in __init__
taps = gr.firdes.low_pass(1.0, sample_rate, 145e3, 10e3, gr.firdes.WIN_HANN)
File “/usr/lib/python2.7/dist-packages/gnuradio/gr/gnuradio_core_general.py”, line 9493, in low_pass
return _gnuradio_core_general.firdes_low_pass(*args, **kwargs)
IndexError: gr_firdes check failed: sampling_freq > 0

any idea what this is?

Francisco

Attached rtl2832-cfile.grc does not work in modern version of gnuradio. Trying in v3.7 gives a lot of errors.

I know that asking for a port maybe asking too much. Could at least a picture of the schematic be posted?

ajay fuloria

This is Ajay here,
When I use ./go.sh with the downloaded cfile, everything is fine. When I make my own cfile using usrp+gnuradio+airprobe ./gsm_scan.py -pe -re -d174 -c643 I get the cfile but the decode does not happen using ./go.sh ?? Can anyone help me with how to capture a valid cfile using USRP+GNURADIO ? I have been trying for a long time, pls help.

Enic

Install Kali and simply run a script as root from the /root folder:
apt-get -y install git-core autoconf automake libtool g++ python-dev swig libpcap0.8-dev
apt-get -y install gnuradio gnuradio-dev cmake git libboost-all-dev libusb-1.0-0 libusb-1.0-0-dev libfftw3-dev swig python-numpy

mkdir -p ~/sdr
cd ~/sdr

git clone git://git.osmocom.org/libosmocore.git

cd libosmocore
autoreconf -i
./configure
make
sudo make install
sudo ldconfig

cd ~/sdr

git clone git://git.gnumonks.org/airprobe.git

cd airprobe/gsmdecode
./bootstrap
./configure
make

cd ~/sdr

cd airprobe/gsm-receiver
./bootstrap
./configure
make

cd ~/sdr

ahmed

how to change the ip in wireshark to 10.0.0.0/16?

la

LAMER!

Sant K.A.

Hi, I’m a Noob here.
Running ./go.sh capture_941.8M_112.cfile 112 1S on the cfile mentioned in the tutorial shows SI 5 & 6 frames.
However, I’ve been unsuccessful in getting similar data off a live transmission and was hoping someone here could point me in the right direction.

My beacon is on ARFCN 22 and here’s what I’ve done so far:

1) ./gsm_receive_rtl.py -f 939.363M -c 0B
I see BCCH data with 2 different kinds of Immediate Assignments in Wireshark. Here’s a brief excerpt
——–
SDCCH/8 + SACCH/C8 or CBCH (SDCCH/8), Subchannel 4
Timeslot: 2
Hopping channel: No
Single channel : ARFCN 22
——–
Spare bits (ignored by receiver)
Timeslot: 4
Hopping channel: Yes
Hopping channel: MAIO 6
Hopping channel: HSN 38
——–

2) Since the Immediate Assignments to TS2 were frequent, I was hoping that monitoring TS2 on ARFCN 22 would show pre-encryption SI 5 and SI 6 frames. I ran the following command:
./gsm_receive_rtl.py -f 939.363M -c 2S
I do not see any output at all in Wireshark while I do see encrypted frames on the gsm_receive window.
I tried config 2C and setting the sampling rate to 1 MHz, but I still cannot see anything in Wireshark.

What am I missing?

Sant K.A.

Needed to force the key to 0 to get it to work:
./gsm_receive_rtl.py -f 939.363M -c 2S -k "00 00 00 00 00 00 00 00"

Domi

Hi there,
Just posted about decrypting the data captured on my blog, thought it might be interesting for you too
http://t.co/atlCy8ykqg

shyam jos

Finally I am able to run it in the new Kali Linux (version 1.0.5).
For those who are getting errors when compiling/making "gsm-receiver", this is because of missing dependencies with the gnuradio installed in Kali.

Run this command to fix it: sudo apt-get install gnuradio gnuradio-dev cmake git libboost-all-dev libusb-1.0-0 libusb-1.0-0-dev libfftw3-dev swig python-numpy
Then try compiling airprobe 🙂

FYI: I tried this tutorial in Ubuntu 13.04 but it failed; it worked fine in Kali Linux (version 1.0.5).

shyam

Correction: airprobe is not pre-installed in Kali.

speedfenix

I am trying to compile airprobe to decode GSM signals with gnuradio and wireshark following the steps. The problem is that when I compile gsm-receiver with the command make, the error I get is the following:

compilation terminated.
make[5]: *** [cch.lo] Error 1
make[5]: Leaving directory `/home/usuari/Documentos/SDR/airprobe/airprobe/gsm-receiver/src/lib/decoder'
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory `/home/usuari/Documentos/SDR/airprobe/airprobe/gsm-receiver/src/lib/decoder'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/home/usuari/Documentos/SDR/airprobe/airprobe/gsm-receiver/src/lib'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/usuari/Documentos/SDR/airprobe/airprobe/gsm-receiver/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/usuari/Documentos/SDR/airprobe/airprobe/gsm-receiver'
make: *** [all] Error 2

And then when I try to test the application I get another error:

Traceback (most recent call last):
  File "./gsm_receive_rtl.py", line 16, in <module>
    from gnuradio import gr, gru, eng_notation, blks2, optfir
  File "/usr/local/lib/python2.7/dist-packages/gnuradio/blks2/__init__.py", line 37, in <module>
    exec "from gnuradio.blks2impl.%s import *" % (f,)
  File "<string>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/gnuradio/blks2impl/pfb_interpolator.py", line 23, in <module>
    from gnuradio import gr, optfir
  File "/usr/local/lib/python2.7/dist-packages/gnuradio/optfir.py", line 33, in <module>
    remez = gr.remez
AttributeError: 'module' object has no attribute 'remez'

I think that the problem comes from some kind of version incompatibility of Python, but I'm not sure. Can someone help me, please?

Lots of thanks!!!

Ol

Hi! I'm a newbie at this. Please help. After executing gsm_receive.py I get this error:

root@kali:~/airprobe/gsm-receiver/src/python# ./gsm_receive.py
Traceback (most recent call last):
  File "./gsm_receive.py", line 12, in <module>
    import gsm
  File "../lib/gsm.py", line 26, in <module>
    _gsm = swig_import_helper()
  File "../lib/gsm.py", line 18, in swig_import_helper
    import _gsm
ImportError: ../lib/.libs/_gsm.so: undefined symbol: _ZTI8gr_block

Andy

I encountered the same error on Kali Linux. The reason is that the shared object (_gsm.o) doesn't get correctly linked against gnuradio-core.so, because pkg-config fails during the build. It fails because gnuradio-core depends on the package "fftw3f", which is installed in binary form (because otherwise gnuradio wouldn't work), but the -dev package is missing.

Long story short: install the missing package (apt-get install libfftw3-dev) and rebuild the gsm-receiver. Then it works.

hellojOker

It doesn’t work…
(I use kali 1.0.5)

Gabe

Hey, thanks for the excellent article.

So I’ve gotten up to the point of actually trying to do a live capture with wireshark, but for some reason, when I run gsm_receive_rtl.py, I get an error where each parse of a packet should be. It looks like this:

sch.c:260 ERR: conv_decode 12

The number seems to vary between 9 and 12.

Any idea how to fix this?

Thanks!

Gabe

Joe

Great tutorial, I have several questions though:
1) By using kalibrate I can correctly get 90%+ of all GSM downlink traffic for 20 seconds or so in Wireshark, then I get a parity bit error for 10 seconds, followed by around 15 seconds of ERR: conv_decode 11 and lastly a bunch of 0's. Any idea what can cause this? I am guessing either my antenna gets offset or I get offset on my packages.

2) I can see uplink traffic with SDR# but when I try to sniff it with airprobe I get absolutely nothing in wireshark, not even any error messages. Any ideas?

Thanks for any help you can give. I plan on trying to run uplink and downlink sniffing at the same time and will let you know my results. (using 2 dongles)

Domi

Hi Joe,

I think I can answer you since I have been down the same road.

1. I think you need to wait for the dongle to warm up (as admin said), and keep re-kalibrating it. It is actually quite random; sometimes I get the full traffic even when I use the exact value coming from arfcncalc, sometimes I need to calibrate. I think this is because my error (28-30 kHz) is still within the width of a GSM channel (200 kHz). The parity errors can be ignored; they mean the traffic you tried to demodulate and decode is encrypted. The ERR_CONV messages mean that you are not well calibrated; sometimes if you wait they disappear as the dongle settles.
The 0s mean that you are so far off the frequency that airprobe couldn't even find anything that looks like GSM, so it just prints the bits it finds.

2. There is no uplink support at all in airprobe. There was a little demonstration at one of the conferences, but the code was never released. You can find some GitHub repos claiming their airprobe is down- and uplink-compatible, but they don't work.
According to a comment in the code, "uplink can't be decoded the way currently gsm-receive works". Everybody switched to OsmocomBB, therefore no more code is written for SDRs. I asked Dieter Spaar, who presented uplink sniffing, but he said the code is private and dirty, so he will never release it.

I was also thinking about doing uplink and downlink simultaneously, but it appears that for some reason you need to sync the two dongles for good results, so I decided to put this aside as it is a lot more complicated than I thought.

Good luck,
Domi

ahmad

Does airprobe work on Ubuntu, or is it only for Kali Linux?
Which version of Ubuntu will be most suitable for airprobe?
I'm using Ubuntu 10.04.4.

Fahad

Hello,

Did you try it for uplink traffic as well?

Fahad

Domi

I haven't tried it yet, but it should be possible. Uplink is just a different frequency, but uses the same kind of data structure as far as I know, so it should be possible to demodulate and analyze it using the same tools.

Domi

It is totally possible, you just need some computing power to be able to work with both sticks. The program arfcncalc can give you the uplink frequency as well as the downlink.
I will look into this stuff in the coming days and will post some results to my blog.

Domi

Hi,
I have one issue that kind of bothers me:
I tune my rtl-sdr to the right frequency (I use arfcn-calc and an old Nokia 3310 in network monitor mode, so I know the phone's tower's ARFCN and therefore the frequency), but I don't always get data; most of the time I get sch.c:260 ERR: conv_decode 11 and similar messages. After that I decided to do a little calibration with kalibrate-rtl. It showed me an average of +24 kHz offset, so I subtracted around 24 000 from the frequency arfcncalc told me, and now I am testing this setup. It seems that it still starts with the ERR messages, but after some seconds it actually starts to output GSM data as expected.

Now my question is: since I am very new to radios and SDR especially is what I did with calibrating and changing the frequency manually correct (at least in theory)? Should I try to move closer to the tower? My phone shows around -59 dBi signal.
Thank you!
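The ARFCN and offset arithmetic behind Sant K.A.'s ARFCN 22 / 939.363M tune and Domi's two calibration comments (the reply to Joe above about a 28-30 kHz error still fitting inside a 200 kHz channel, and the +24 kHz kalibrate correction just described), as an added example. This is not code from the tutorial, from airprobe or gr-gsm, or from arfcncalc or kalibrate-rtl; it implements the standard 3GPP TS 45.005 channel formulas for GSM 850/900, DCS 1800 and PCS 1900. The sign convention in corrected_tune_hz (a positive reported offset means tune lower) follows Domi's usage and is an assumption to verify against your own kalibrate output:

```python
"""
GSM ARFCN <-> carrier frequency helper.

Added example, not part of the original tutorial and not code from airprobe,
gr-gsm, arfcncalc or kalibrate-rtl. Turns the ARFCN shown by a phone's network
monitor into the downlink frequency to pass to gsm_receive_rtl.py -f, maps a
carrier spotted in SDR# back to its ARFCN, and folds in a kalibrate-rtl offset.
All frequencies are integer Hz so the channel maths stays exact.
"""

CHANNEL_SPACING_HZ = 200000  # GSM carriers are 200 kHz apart

# (band, first ARFCN, last ARFCN, uplink Hz of first ARFCN, duplex spacing Hz)
# downlink = uplink + duplex spacing (3GPP TS 45.005 section 2)
BANDS = (
    ("GSM 850", 128, 251, 824200000, 45000000),
    ("E-GSM 900", 0, 0, 890000000, 45000000),       # ARFCN 0 exists only in E-GSM
    ("P-GSM 900", 1, 124, 890200000, 45000000),
    ("E-GSM 900", 975, 1023, 880200000, 45000000),  # extension block below ARFCN 1
    ("DCS 1800", 512, 885, 1710200000, 95000000),
    ("PCS 1900", 512, 810, 1850200000, 80000000),
)


def arfcn_to_freq(arfcn, band=None):
    """Return (uplink_hz, downlink_hz) for an ARFCN.

    ARFCNs 512..810 exist in both DCS 1800 and PCS 1900, so those need
    band= to disambiguate; the 850/900 MHz ARFCNs are unique.
    """
    hits = [b for b in BANDS
            if b[1] <= arfcn <= b[2] and (band is None or b[0] == band)]
    if not hits:
        raise ValueError("ARFCN %d is not in a supported band" % arfcn)
    if len(hits) > 1:
        names = " / ".join(b[0] for b in hits)
        raise ValueError("ARFCN %d is ambiguous (%s); pass band=" % (arfcn, names))
    _name, first, _last, ul_first, duplex = hits[0]
    uplink = ul_first + CHANNEL_SPACING_HZ * (arfcn - first)
    return uplink, uplink + duplex


def freq_to_arfcn(downlink_hz):
    """Map a downlink carrier seen while scanning back to (band, ARFCN).

    Snaps to the nearest 200 kHz channel, so a reading that is a few tens of
    kHz off because of dongle error still resolves. The downlink ranges of
    the supported bands do not overlap, so the answer is unique.
    """
    for name, first, last, ul_first, duplex in BANDS:
        dl_first = ul_first + duplex
        n = int(round((downlink_hz - dl_first) / float(CHANNEL_SPACING_HZ)))
        if 0 <= n <= last - first:
            residual = abs(downlink_hz - (dl_first + n * CHANNEL_SPACING_HZ))
            if residual <= CHANNEL_SPACING_HZ // 2:
                return name, first + n
    raise ValueError("%d Hz is not a GSM downlink carrier in a supported band" % downlink_hz)


def offset_ppm(offset_hz, tuned_hz):
    """Convert the Hz error kalibrate-rtl reports on a given carrier into ppm,
    the unit rtl_sdr -p and the osmosdr source's frequency correction take."""
    return offset_hz * 1e6 / tuned_hz


def corrected_tune_hz(nominal_hz, measured_offset_hz):
    """Frequency to hand to -f when shifting the tune instead of setting ppm.

    Follows the convention used in the comment thread: a reported +24 kHz
    means the dongle hears 24 kHz high, so tune that much lower. This sign
    convention is an assumption; check it against your own kalibrate run.
    """
    return nominal_hz - measured_offset_hz


if __name__ == "__main__":
    # Sant K.A.'s beacon: ARFCN 22 in the 900 MHz band
    ul, dl = arfcn_to_freq(22)
    print("ARFCN 22: uplink %.1f MHz, downlink %.1f MHz" % (ul / 1e6, dl / 1e6))
    # the tuned value from the thread snaps back to the same channel
    print("939.363 MHz ->", freq_to_arfcn(939363000))
    # Domi's measured +24 kHz kalibrate offset expressed both ways
    print("offset: %.1f ppm" % offset_ppm(24000, dl))
    print("corrected tune: %d Hz" % corrected_tune_hz(dl, 24000))
```

ARFCN 22 comes out as 894.4 MHz uplink / 939.4 MHz downlink, so the 939.363M used in the thread is the nominal downlink less a 37 kHz dongle correction, well inside one 200 kHz channel. freq_to_arfcn does the reverse for a carrier found by scanning in SDR#, and offset_ppm gives the figure to pass as a ppm correction instead of retuning by hand.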

Domi

Hi,
great article, thank you for posting it. What kind of antenna did you use for this?

thanks!

Domi

Oh, great! 🙂
I already ordered an RTL-SDR from eBay, so I am just waiting for the mailman to bring it.

I am really interested about decrypting actual data, found this video which I think could be applied to RTL-SDR, what do you think?
https://www.youtube.com/watch?v=0hjn-BP8nro

vinnie

Nice tutorial. I could capture control data without any problem. But how do I capture encrypted content? It should be possible to capture encrypted data even without decrypting it. I can't find much info except for the USRP.

Zeon

Great instruction! Thanks!
But I have a question. I trying to get burst data for kraken (magic 114 bits). I use osmocombb + motorola C123. I’m able to see receiving data in wireshark. But how to convert this captured data into necessary format?
Thanks in advance!

Z

I've been trying to hunt down a GSM frequency to try this out. I can't seem to find one though. I browsed 900 MHz-1000 MHz, nothing that looked like data. Any tips on using the FCC website for looking it up? I imagine there is a better way than browsing around randomly.

Keep up these great tutorials!

Z

Thanks, I’ll check those out. I also found this while I was searching: https://github.com/Evrytania/LTE-Cell-Scanner It allows you to locate and track LTE basestations. May be cool for your next article.

ali

Hey, I have gnuradio 3.6.5 installed on Ubuntu 12.04. I'm trying to install airprobe. Everything works fine according to this tutorial until the point where I try to make gsm-receiver; I get the following error:
/usr/bin/ld: i386 architecture of input file `decoder/.libs/libdecoder.a(GSM660Tables.o)' is incompatible with i386:x86-64 output
collect2: ld returned 1 exit status
make[4]: *** [_gsm.la] Error 1
make[4]: Leaving directory `/home/a/airprobe/gsm-receiver/src/lib'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/home/a/airprobe/gsm-receiver/src/lib'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/a/airprobe/gsm-receiver/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/a/airprobe/gsm-receiver'
make: *** [all] Error 2
I'm not sure what this error is. When I try to run the gsm_receive.py file it again gives an error, which is probably due to the incomplete installation:
Traceback (most recent call last):
  File "./gsm_receive.py", line 12, in <module>
    import gsm
  File "../lib/gsm.py", line 26, in <module>
    _gsm = swig_import_helper()
  File "../lib/gsm.py", line 18, in swig_import_helper
    import _gsm
ImportError: No module named _gsm
Is there anybody who can help me with this problem?
Thanks in advance, regards,
ali