Regarding UpLink sniffing


Abracadabra Abracadabra

Feb 26, 2022, 3:36:50 AM
to gr-gsm
Hi,
I just wanted to know if it is possible to sniff the uplink traffic of GSM (900 MHz) with gr-gsm using an RTL-SDR dongle?

If yes, then please provide me the steps to do it. I tried, but the gr-gsm graph does not show any spike like it does in downlink sniffing.

Warm regards
Aabracadabra

Nikos Balkanas

Feb 26, 2022, 5:57:17 AM
to Abracadabra Abracadabra, gr-gsm
Hi,

It is very unlikely to get uplink traffic, unless the phone is right
next to your antenna.
A BTS has ~30 W signal power, while mobiles have ~50 mW :(
RTL-SDR dongles have especially weak antennas :(

HTH
Nikos
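The power gap Nikos describes can be put into numbers with a free-space link budget. The block below is an added worked example written for this thread; it is not code from gr-gsm or from any poster. It assumes the figures quoted above (~30 W BTS, ~50 mW mobile), isotropic 0 dBi antennas at both ends, no walls or cable loss, and the ARFCN 66 carriers (903.2 MHz uplink, 948.2 MHz downlink) with the sniffer 80 m from the tower; all of those assumptions are mine.

```python
# Added worked example (written for this thread, not code from gr-gsm or any poster):
# a free-space link budget using the figures quoted above. Assumptions, all mine:
# ~30 W BTS, ~50 mW mobile, 0 dBi antennas at both ends, no walls, no cable loss,
# and ARFCN 66 (903.2 MHz uplink / 948.2 MHz downlink) seen 80 m from the tower.
import math

C = 299_792_458.0  # speed of light in m/s

# Figures quoted in the thread (BTS and MS power) plus the poster's 80 m distance.
BTS_TX_WATTS = 30.0
MS_TX_WATTS = 0.05
DOWNLINK_MHZ = 948.2
UPLINK_MHZ = 903.2
TOWER_DISTANCE_M = 80.0


def dbm_from_watts(watts):
    """Convert a power in watts to dBm (dB relative to 1 mW)."""
    return 10.0 * math.log10(watts * 1000.0)


def fspl_db(distance_m, freq_mhz):
    """Free-space path loss: 20*log10(4*pi*d*f/c), with d in metres and f in Hz."""
    return 20.0 * math.log10(4.0 * math.pi * distance_m * freq_mhz * 1e6 / C)


def rx_power_dbm(tx_watts, distance_m, freq_mhz, tx_gain_dbi=0.0, rx_gain_dbi=0.0):
    """Received power in dBm over a free-space link with the given antenna gains."""
    return dbm_from_watts(tx_watts) + tx_gain_dbi + rx_gain_dbi - fspl_db(distance_m, freq_mhz)


def equal_power_distance_m(ref_tx_watts, ref_distance_m, other_tx_watts):
    """Distance at which a transmitter of other_tx_watts is received as strongly as
    ref_tx_watts is at ref_distance_m. Free-space loss grows with d^2, so the
    frequency term cancels and only the power ratio matters."""
    return ref_distance_m * math.sqrt(other_tx_watts / ref_tx_watts)


def link_budget_table():
    """Downlink at the tower distance vs uplink at a few mobile-to-antenna distances."""
    rows = [("BTS downlink", BTS_TX_WATTS, TOWER_DISTANCE_M, DOWNLINK_MHZ)]
    for d in (1.0, 3.0, 10.0, 50.0, 2000.0):
        rows.append(("MS uplink", MS_TX_WATTS, d, UPLINK_MHZ))
    return [(name, d, round(rx_power_dbm(p, d, f), 1)) for name, p, d, f in rows]


if __name__ == "__main__":
    bts_dbm, ms_dbm = dbm_from_watts(BTS_TX_WATTS), dbm_from_watts(MS_TX_WATTS)
    print(f"BTS: {bts_dbm:.1f} dBm, MS: {ms_dbm:.1f} dBm, difference {bts_dbm - ms_dbm:.1f} dB")
    for name, d, dbm in link_budget_table():
        print(f"{name:13s} at {d:7.1f} m: {dbm:7.1f} dBm")
    d_eq = equal_power_distance_m(BTS_TX_WATTS, TOWER_DISTANCE_M, MS_TX_WATTS)
    print(f"MS must be within {d_eq:.1f} m to match the downlink seen at {TOWER_DISTANCE_M:.0f} m")
```

With these inputs the transmitters differ by about 28 dB before any path loss: the downlink arrives at roughly -25 dBm from 80 m, while a mobile 50 m from the sniffer's antenna delivers roughly -49 dBm, and it has to be within about 3 m to match the downlink level. Real BTS antennas have gain and real walls add loss, and the level an uncalibrated SDR displays is a relative dB figure rather than dBm, so treat the absolute numbers as a comparison of the two directions, not as a prediction of what the FFT plot will show.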

Abracadabra Abracadabra

Feb 26, 2022, 9:24:46 AM
to Nikos Balkanas, gr-gsm
Hi,
Thank you for your reply 😊

So, are the USRP B210 and N210, bladeRF 2.0 micro xA9, LimeSDR Mini, LimeSDR etc. better at sniffing uplink traffic than the RTL-SDR?

I just need a clarification before buying, as they are quite expensive 😅

Warm regards
Abracadabra 


Abdul wahab

Feb 26, 2022, 9:33:44 AM
to Abracadabra Abracadabra, Nikos Balkanas, gr-gsm
Mobiles transmit at approx. 50 mW. Can you explain how such a low-power signal reaches the BTS, which in some cases is kilometers away from the MS?

"Tomcsányi, Domonkos"

Feb 27, 2022, 1:59:19 AM
to Abdul wahab, Abracadabra Abracadabra, Nikos Balkanas, gr-gsm
A BTS has good enough antennas, filters and amplifiers exactly for this reason.



On 26.02.2022, at 15:33, Abdul wahab <abdulw...@gmail.com> wrote:



Nikos Balkanas

Feb 27, 2022, 5:04:15 AM
to Abracadabra Abracadabra, gr-...@googlegroups.com
New smartphones emit ~50 mW. It's in the spec (4G & up).
So, AR is issued by the BTS (downlink) and RES by the mobile (uplink).
gr-gsm is agnostic. It will decode all GSM packets, if your antenna
can catch them :(
If you really want to capture RES packets, you should connect
from your phone right next to your antenna.
You will not be able to capture another mobile more than 50 m away
with your dongle :(

Nikos

On Sun, Feb 27, 2022 at 7:44 AM Abracadabra Abracadabra
<aabraca...@gmail.com> wrote:
>
> Hi Nikos,
> Yes, when searched correctly it says 100 mW is the max RF transmitter power 😅. Back in the olden days of analog communications the RF power used to be around 3-5 watts.
>
> I want to capture RES (Authentication Response), but it does not show up in Wireshark. I am able to see the CMC (Ciphering Mode Command) and the Authentication Request, but not the RES (Authentication Response) in the Wireshark output (SDCCH8).
>
> Please advise; any help is appreciated.
>
> Warm regards
> Abracadabra
>
> On Sun, Feb 27, 2022, 10:34 AM Nikos Balkanas <nbal...@gmail.com> wrote:
>>
>> *boil your brain.
>> Microwaves don't fry, they boil :(
>>
>> On Sun, Feb 27, 2022 at 5:32 AM Nikos Balkanas <nbal...@gmail.com> wrote:
>> >
>> > Hi,
>> >
>> > I don't know which older phones transmitted at 6 W; this could be
>> > enough to fry your brain :(
>> > All recent phones emit at 50 mW...
>> > A BTS can receive them within a cell (~30-50 km) because it has a
>> > 20 m high antenna.
>> > @abra, try using your phone next to your RTL-SDR antenna...
>> >
>> > HTH
>> > Nikos
>> >
>> > On Sat, Feb 26, 2022 at 5:28 PM Abdul wahab <abdulw...@gmail.com> wrote:
>> > >
>> > > You can see spikes in Gqrx, but cannot decode them using grgsm_decode.
>> > >
>> > > On Sat, Feb 26, 2022, 7:47 PM Abracadabra Abracadabra <aabraca...@gmail.com> wrote:
>> > >>
>> > >> Hi,
>> > >> Cell phones transmit approximately 6 W of power (power consumption is different), but this may vary by company and also on how far from or close to the tower we are.
>> > >>
>> > >> 😅 I searched on the net.
>> > >>
>> > >> But still I am not able to capture the uplink traffic. It does not show any spike on the graph when using the RTL-SDR. So I am thinking of shifting to a USRP or bladeRF, but they are quite expensive from an experiment point of view for a newbie like me.. 😅

Vasil Velichkov

Feb 28, 2022, 9:14:29 AM
to Abracadabra Abracadabra, gr-gsm
Hi Aabracadabra,

On 26/02/2022 10.36, Abracadabra Abracadabra wrote:
> Hi,
> I just wanted to know if it is possible to sniff the UpLink traffic of gsm
> (900 MHz) with grgsm using rtl sdr dongle?

You need two RTL-SDR dongles with a small hardware modification to synchronize their clocks. Read https://ptrkrysik.github.io/

> If yes then please provide me the steps to do it. I tried but grgsm graph
> does not show any spike like it does in the Downlink sniffing

With the current version you can't decode only the uplink without the downlink, and you can't capture both downlink and uplink with a single dongle.

Regards,
Vasil

Abracadabra Abracadabra

Feb 28, 2022, 10:43:38 AM
to Vasil Velichkov, gr-gsm
Hi Vasil,
I want to let you know my current situation 😅
I have a Samsung J7 Prime as the receiver (in 2G-only mode); the ARFCN is 66, freq is 947.8 MHz (DL) and 903.2 MHz (UL).

The sender phone is on 4G.

When I use SDR software like Gqrx or SDR#, I get a big bell-shaped spike (~200 kHz bandwidth) at 903.2 MHz (UL) when my J7 Prime receives the SMS, and then the spike fades away.

But when using gr-gsm I don't get this bell-shaped spike whatsoever (only a very thin spike; maybe it is the noise).

So my question is, will I be able to decode the UL data using the Multi-RTL setup as suggested?

I went through the site ---> https://ptrkrysik.github.io/ (nice tutorial!!)

Or will I have to do something else?

Actually I am going to invest in 2 RTL-SDRs, so I want to make sure 😅

I am attaching the screenshot (Screenshot (116).png) of the spike that I was talking about.

Warm regards
Abracadabra

Screenshot (116).png

Vasil Velichkov

Feb 28, 2022, 10:59:50 AM
to Abracadabra Abracadabra, gr-gsm
Hi Abracadabra,

On 28/02/2022 17.43, Abracadabra Abracadabra wrote:
> So my question is, will I be able to decode the UL data using the Multi-rtl
> setup as suggested?

It should be possible, as Piotr Krysik demonstrated in his tutorial, but I can't tell you whether you will be able to replicate all this or not. It's not an easy task, for sure.
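The reason a single dongle cannot give you both directions is the GSM duplex spacing: each ARFCN names an uplink carrier and a downlink carrier 45 MHz apart in the 900 MHz band, far wider than one RTL-SDR can sample. The block below is an added worked example (my code, not gr-gsm's or Piotr Krysik's): the ARFCN to frequency mapping from 3GPP TS 45.005, applied to the ARFCN 66 figures quoted in this thread, plus a check of whether a given sample rate can hold both carriers. The band table is the standard's; the 2.4 MS/s RTL-SDR rate and the 56 MS/s comparison rate are assumptions I picked for the demonstration.

```python
# Added worked example (mine, not code from gr-gsm or the thread): GSM ARFCN <->
# frequency mapping from 3GPP TS 45.005, used to check the ARFCN 66 figures quoted
# above and to show why one narrowband dongle cannot see uplink and downlink at once.
# All frequencies are kept as integer kHz to avoid floating-point noise.

CHANNEL_STEP_KHZ = 200  # GSM carrier spacing

# band: (lowest ARFCN, highest ARFCN, uplink frequency of the reference channel in kHz,
#        ARFCN value that maps to that reference channel, duplex spacing in kHz)
BANDS = {
    "P-GSM900": (0, 124, 890_000, 0, 45_000),
    "E-GSM900": (975, 1023, 890_000, 1024, 45_000),   # ARFCN 975..1023 sit below 890 MHz
    "GSM-R":    (955, 974, 890_000, 1024, 45_000),
    "DCS1800":  (512, 885, 1_710_200, 512, 95_000),
    "PCS1900":  (512, 810, 1_850_200, 512, 80_000),   # reuses the DCS1800 ARFCN numbers
}


def arfcn_to_khz(arfcn, band="P-GSM900"):
    """Return (uplink_khz, downlink_khz) for an ARFCN in the given band."""
    lo, hi, base_khz, base_arfcn, duplex_khz = BANDS[band]
    if not lo <= arfcn <= hi:
        raise ValueError(f"ARFCN {arfcn} is outside {band} ({lo}..{hi})")
    uplink = base_khz + CHANNEL_STEP_KHZ * (arfcn - base_arfcn)
    return uplink, uplink + duplex_khz


def khz_to_arfcn(khz):
    """Every (band, ARFCN, direction) whose carrier sits exactly at this frequency."""
    hits = []
    for band, (lo, hi, base_khz, base_arfcn, duplex_khz) in BANDS.items():
        for direction, carrier0 in (("uplink", base_khz), ("downlink", base_khz + duplex_khz)):
            delta = khz - carrier0
            if delta % CHANNEL_STEP_KHZ:
                continue                      # not on the 200 kHz raster
            arfcn = base_arfcn + delta // CHANNEL_STEP_KHZ
            if lo <= arfcn <= hi:
                hits.append((band, arfcn, direction))
    return hits


def both_directions_fit(arfcn, band, sample_rate_hz):
    """True if one complex capture at sample_rate_hz can hold both the uplink and
    downlink carriers of this ARFCN (each 200 kHz wide, duplex spacing apart)."""
    uplink, downlink = arfcn_to_khz(arfcn, band)
    span_khz = (downlink - uplink) + CHANNEL_STEP_KHZ
    return span_khz * 1000 <= sample_rate_hz


if __name__ == "__main__":
    ul, dl = arfcn_to_khz(66)
    print(f"ARFCN 66: uplink {ul / 1000:.1f} MHz, downlink {dl / 1000:.1f} MHz")
    print("947.8 MHz is", khz_to_arfcn(947_800))
    # 2.4 MS/s for the RTL-SDR and 56 MS/s for a wideband SDR are assumed rates.
    print("RTL-SDR at 2.4 MS/s sees both sides:", both_directions_fit(66, "P-GSM900", 2_400_000))
    print("56 MS/s capture sees both sides:", both_directions_fit(66, "P-GSM900", 56_000_000))
```

Running it confirms the corrected figures from later in the thread: ARFCN 66 is 903.2 MHz up and 948.2 MHz down, while 947.8 MHz is the downlink of ARFCN 64. The 45.2 MHz span between the two carriers is the reason for the two-dongle Multi-RTL setup: each dongle tunes one direction, and the shared clock lets the decoder line the two captures up in time.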

Nikos Balkanas

Feb 28, 2022, 4:00:01 PM
to Vasil Velichkov, Abracadabra Abracadabra, gr-gsm
Hi,

Thanks Vasil for the info. I was not aware that gr-gsm cannot decode the uplink alone.
But I can understand the reason if he can't do it.

As I have communicated to Abra, he also needs to boost his signal to ~ -10 dBm.
Currently, at -55 dBm, livemon doesn't even graph it :(
I don't see any reason why the FFT wouldn't work right, so I assume it is just
a graphing (Qt) limitation. The question is:
Even if gr-gsm doesn't graph the signal at -55 dBm, can it still decode
it, if downlink?

BR
Nikos

Abracadabra Abracadabra

Mar 1, 2022, 2:09:27 AM
to Nikos Balkanas, Vasil Velichkov, gr-gsm
Hi,
I am attaching a screenshot of the downlink on ARFCN 66 (948.2 MHz). There is a correction: I mistakenly wrote ARFCN 66 as 947.8 MHz, but it is 948.2 MHz.

Please use this screenshot as the reference for the RX level from BTS to MS. I live very close to the tower, only 80 meters away.

My house has thick concrete walls, so the signal is not that strong; it is about -25 dBm.

Warm regards
Abracadabra
Screenshot (119).png

Nikos Balkanas

Mar 1, 2022, 7:23:53 AM
to Abracadabra Abracadabra, Vasil Velichkov, gr-gsm
Yup,

I see 3 downlinks there: 947.2, 948.2 & 948.8 MHz.
Do you see them in livemon?

Nikos

Vasil Velichkov

Mar 1, 2022, 7:53:46 AM
to Nikos Balkanas, Abracadabra Abracadabra, gr-gsm
Hi Nikos, Abracadabra,

On 28/02/2022 22.59, Nikos Balkanas wrote:
> As I have communicated to Abra, he also needs to boost his signal to ~ -10 dBm.
> Currently, at -55 dBm, livemon doesn't even graph it :(

Be careful with the units: it's not dBm but dB, as these SDR devices are not calibrated. See:

https://ham.stackexchange.com/a/9261
https://lists.gnu.org/archive/html/discuss-gnuradio/2017-06/msg00215.html
https://lists.gnu.org/archive/html/discuss-gnuradio/2016-06/msg00084.html

> I don't see any reason why the FFT wouldn't work right, so I assume it is just
> a graphing (Qt) limitation. The question is:

Yes, most probably it is either a GUI component limitation or the signal was captured with different settings (gain, etc.).

> Even if gr-gsm doesn't graph the signal at -55 dBm, can it still decode
> it, if downlink?

I don't know. These values are all relative.

Cheers,
Vasil

mahan masoudi

Aug 28, 2022, 11:50:05 PM
to gr-gsm
Hi,
What happened?
Did you find your answer?
Please tell us.