Decoding of Voice Traffic for Downlink Hopping Channel


Hamza

Apr 11, 2022, 4:06:05 AM
to gr-gsm
I am currently working on GSM voice decoding using gr-gsm. I make a call by forcing my phone onto GSM. The duration of a call is approx. 1 minute. Currently I am facing issues with decoding voice traffic on a hopping channel (TCHF).

SDR: USRP B210

My SIM card is latched to the 939.2 MHz frequency, which gives me an ARFCN of 21

Decoding BCCH:
  • grgsm_decode -a 21 -c call_2g.cfile -t 0 -s 1000000 -m BCCH
(In Immediate Assignment --> SDCCH8, time slot = 1)
(In System Information Type 1 --> ARFCN: (775, 779, 785))

The operator is not using any encryption, but frequency hopping is quite a challenge for me.
Decoding SDCCH8:
  • grgsm_decode -a 21 -c call_2g.cfile -t 1 -s 1000000 -m SDCCH8
(In Assignment Command: TCH/F, Time slot: 6, Training sequence: 7, Hopping: Yes, MAIO: 2, HSN: 46)

Decoding TCHF:

  • Moreover, I tried to use the grgsm_channelize tool to obtain individual ARFCN files and gave those as inputs to the GRC as source files:
  • grgsm_channelize.py -i call_2g.cfile -f 939.2e6 775,779,785
It generated cfiles for each ARFCN, but I am unable to see any output.

  • After that I took the mean of 775, 779 & 785 and used that frequency as the center frequency while using the grgsm_channelize script, but still I didn't get anything from those files. I used those cfiles as inputs to the GRC as source files, but all goes in vain.
Assignment Command.png
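The Assignment Command above (Hopping: Yes, MAIO: 2, HSN: 46) together with the ARFCN list from SI1 (775, 779, 785) is everything the hopping sequence generator of 3GPP TS 45.002 section 6.2.3 needs. The following is an added example in plain Python, not code from this thread or from gr-gsm: it returns the ARFCN each TDMA frame number lands on, and counts how the bursts of one superframe spread over the mobile allocation. Function and variable names are my own; the frame number itself is what the receiver recovers from the SCH.

```python
# 3GPP TS 45.002 section 6.2.3 hopping sequence, in plain Python.
# Added example, not gr-gsm code.  Given the mobile allocation (MA),
# MAIO and HSN from an Assignment Command, which ARFCN carries the
# burst of TDMA frame number FN?

# Table 6 of TS 45.002: 114 pseudo-random values, indexed by
# (HSN xor T1R) + T3, where T1R is in 0..63 and T3 in 0..50.
RNTABLE = [
    48, 98, 63, 1, 36, 95, 78, 102, 94, 73,
    0, 64, 25, 81, 76, 59, 124, 23, 104, 100,
    101, 47, 118, 85, 18, 56, 96, 86, 54, 2,
    80, 34, 127, 13, 6, 89, 57, 103, 12, 74,
    55, 111, 75, 38, 109, 71, 112, 29, 11, 88,
    87, 19, 3, 68, 110, 26, 33, 31, 8, 45,
    82, 58, 40, 107, 32, 5, 106, 92, 62, 67,
    77, 108, 122, 37, 60, 66, 121, 42, 51, 126,
    117, 114, 4, 90, 43, 52, 53, 113, 120, 72,
    16, 49, 7, 79, 119, 61, 22, 84, 9, 97,
    91, 15, 21, 24, 46, 39, 93, 105, 65, 70,
    125, 99, 17, 123,
]
assert len(RNTABLE) == 114


def mobile_allocation(arfcns):
    """Order ARFCNs the way TS 45.002 numbers the MA: ascending,
    except that ARFCN 0, if present, is put last."""
    return sorted(set(arfcns), key=lambda a: (a == 0, a))


def hopping_index(fn, hsn, maio, n):
    """Mobile allocation index (0..n-1) used in TDMA frame number fn."""
    if not 0 <= fn < 26 * 51 * 2048:
        raise ValueError("FN must lie within one hyperframe")
    if hsn == 0:                      # HSN 0 means cyclic hopping
        return (fn + maio) % n
    t1 = fn // (26 * 51)              # superframe counter
    t2 = fn % 26                      # position in the 26-multiframe
    t3 = fn % 51                      # position in the 51-multiframe
    t1r = t1 % 64
    m = t2 + RNTABLE[(hsn ^ t1r) + t3]
    nbin = n.bit_length()             # INTEGER(log2(n) + 1)
    m_prime = m % (1 << nbin)
    t_prime = t3 % (1 << nbin)
    s = m_prime if m_prime < n else (m_prime + t_prime) % (1 << nbin)
    return (s + maio) % n


def hopping_arfcn(fn, hsn, maio, arfcns):
    """ARFCN that the hopping channel uses in frame fn."""
    ma = mobile_allocation(arfcns)
    return ma[hopping_index(fn, hsn, maio, len(ma))]


def arfcn_usage(hsn, maio, arfcns, frames):
    """How many of frames 0..frames-1 land on each ARFCN of the MA."""
    counts = {a: 0 for a in mobile_allocation(arfcns)}
    for fn in range(frames):
        counts[hopping_arfcn(fn, hsn, maio, arfcns)] += 1
    return counts


if __name__ == "__main__":
    MA = [775, 779, 785]              # ARFCN list from the post's SI1
    for fn in range(8):
        print(f"FN {fn}: ARFCN {hopping_arfcn(fn, 46, 2, MA)}")
    # Over one superframe each ARFCN gets roughly a third of the bursts.
    print(arfcn_usage(46, 2, MA, 26 * 51))
```

With HSN 46 the first frames already cycle through 785, 779, 775, 779, and over a superframe each of the three carriers gets about a third of the bursts. That is why one channelized ARFCN file looks empty: a TCH/F speech block is interleaved over eight consecutive bursts, so any single-carrier file holds only scattered bursts of every block and none can be decoded from it alone; all three carriers have to be in the same capture and recombined per frame.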

nbal...@gmail.com

Apr 20, 2022, 1:13:08 AM
to gr-gsm
Hi Hamza,

Only Piotr here has some experience with hoppers:(
Could you send us your call_2g.cfile, to take a look?

BR,
Nikos

Pierre-Philipp Braun

Apr 20, 2022, 10:56:24 AM
to nbal...@gmail.com, gr-gsm
> Only Piotr here has some experience with hoppers:(
> Could you send us your call_2g.cfile, to take a look?

I also played with hopping once using two RTL dongles; it was hard but I
was successful. The dongles either had to be soldered or have the same PPM.
With a USRP it should be flawless.

https://pub.nethence.com/radio/hopping

--
Pierre-Philipp Braun
SMTP Health Campaign: enforce STARTTLS and verify MX certificates
<https://nethence.com/smtp/>

Nikos Balkanas

Apr 20, 2022, 12:02:27 PM
to Pierre-Philipp Braun, gr-gsm
I have an X-300 with 2 daughterboards. That was meant to decode uplink/downlink.
But I guess it could also do hopping. Just haven't gotten around to it yet :(

Nikos

Hamza

Apr 21, 2022, 3:49:13 AM
to gr-gsm
Thanks Nikos for your quick response.

I have captured a new file:
SDR: USRP B210
My SIM card is latched to the 938.4 MHz frequency, which gives me an ARFCN of 17
sudo grgsm_capture -f 938.4M call_2g.cfile -T 300 -s 1e6

Decoding BCCH:
  • grgsm_decode -a 17 -c call_2g.cfile -t 0 -s 1e6 -m BCCH
(In Immediate Assignment --> SDCCH8, time slot = 2)
(In System Information Type 1 --> ARFCN: (10, 17, 765, 767, 786))

Decoding SDCCH8:
  • grgsm_decode -a 17 -c call_2g.cfile -s 1e6 -m SDCCH8 -t 2
  • (In Assignment Command: TCH/H, Time slot: 3, Training sequence: 1, Hopping: Yes, MAIO: 0, HSN: 36)
  • ARFCN List: (765, 767, 786)
assignment.png

The link of my cfile is attached below:

Please take a look and let me know what I am doing wrong.
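Before channelizing, the check worth doing with the numbers in this post (capture centred at 938.4 MHz at 1 MS/s, SI1 listing 10, 17, 765, 767, 786, and the Assignment Command hopping over 765, 767, 786) is whether those ARFCNs are inside the captured band at all. The following is an added example of my own, not code from this thread and not gr-gsm's: it maps ARFCNs to downlink frequencies per 3GPP TS 45.005 section 2, splits a list into carriers that fit inside a capture and carriers that do not, and computes the centre and minimum width a single capture of a hopping set would need. It assumes ARFCNs 512..885 are DCS 1800 (the post does not name the operator's 1800 band; PCS 1900 reuses that numbering and would place them even higher), and the same reasoning applies to the first capture at 939.2 MHz with ARFCNs 775, 779, 785. Function names are mine.

```python
# ARFCN to downlink frequency (3GPP TS 45.005 section 2) and a check of
# whether the ARFCNs an Assignment Command names lie inside a capture.
# Added example, not gr-gsm code.  Assumption: ARFCNs 512..885 are
# DCS 1800 unless band_1800="PCS" is passed.

GSM_CHANNEL_KHZ = 200                 # carrier spacing; roughly the occupied width


def arfcn_to_downlink_khz(arfcn, band_1800="DCS"):
    """Downlink (BTS -> MS) carrier of an ARFCN, in integer kHz."""
    if 0 <= arfcn <= 124:             # P-GSM 900 / E-GSM 900
        return 935_000 + GSM_CHANNEL_KHZ * arfcn
    if 955 <= arfcn <= 1023:          # E-GSM 900 extension (975..1023), GSM-R (955..974)
        return 935_000 + GSM_CHANNEL_KHZ * (arfcn - 1024)
    if 128 <= arfcn <= 251:           # GSM 850
        return 869_200 + GSM_CHANNEL_KHZ * (arfcn - 128)
    if 512 <= arfcn <= 885 and band_1800 == "DCS":   # DCS 1800
        return 1_805_200 + GSM_CHANNEL_KHZ * (arfcn - 512)
    if 512 <= arfcn <= 810 and band_1800 == "PCS":   # PCS 1900
        return 1_930_200 + GSM_CHANNEL_KHZ * (arfcn - 512)
    raise ValueError(f"ARFCN {arfcn} is not in a band this example knows")


def arfcns_in_capture(arfcns, center_hz, sample_rate_hz, band_1800="DCS"):
    """Split ARFCNs into those whose whole 200 kHz channel lies inside the
    captured band [center - fs/2, center + fs/2] and those that do not.
    No channelizer can extract a carrier the capture never contained."""
    lo_khz = (center_hz - sample_rate_hz / 2) / 1e3
    hi_khz = (center_hz + sample_rate_hz / 2) / 1e3
    half = GSM_CHANNEL_KHZ // 2
    inside, outside = [], []
    for a in arfcns:
        f = arfcn_to_downlink_khz(a, band_1800)
        (inside if lo_khz <= f - half and f + half <= hi_khz else outside).append(a)
    return inside, outside


def capture_plan(arfcns, band_1800="DCS"):
    """Centre (kHz) and minimum sample rate (kHz) that put every ARFCN of a
    mobile allocation into one capture; round the rate up in practice."""
    freqs = [arfcn_to_downlink_khz(a, band_1800) for a in arfcns]
    center = (min(freqs) + max(freqs)) // 2
    rate = max(freqs) - min(freqs) + GSM_CHANNEL_KHZ
    return center, rate


if __name__ == "__main__":
    # Values from the post: 938.4 MHz centre, 1 MS/s, SI1 list and hopping MA.
    inside, outside = arfcns_in_capture([10, 17, 765, 767, 786], 938.4e6, 1e6)
    print("in capture:", inside, "not in capture:", outside)
    for a in [765, 767, 786]:
        print(f"ARFCN {a} -> {arfcn_to_downlink_khz(a) / 1e3:.1f} MHz")
    center, rate = capture_plan([765, 767, 786])
    print(f"one capture of the MA: centre {center / 1e3:.1f} MHz, "
          f"at least {rate / 1e3:.1f} MHz wide")
```

For these values only ARFCN 17 is inside the capture; 765, 767 and 786 map to 1855.8, 1856.2 and 1860.0 MHz, so channelizing the 938.4 MHz file for them cannot produce anything, whatever centre frequency is passed to the channelizer. A 1 MS/s capture also spans at most five 200 kHz channels, so even a GSM 900 hopping set wider than that needs a higher sample rate; capture_plan gives the centre and the minimum width for the hopping ARFCNs, which a B210 can record in one pass.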

mg gyi

Nov 7, 2022, 2:57:09 AM
to gr-gsm
If channel hopping = yes, you can't extract voice.
Find channel hopping = no.

Kali Linux

Jul 30, 2023, 2:37:27 AM
to gr-gsm
When I want to decrypt with a HackRF it does not work. I have tried all attempts: it records the frequency, but it does not work on decryption. I use the Dragon system, and this is the code that I used:
grgsm_decode -p -v -f 935.8M -s 1e6 -c capture1_f935.8M_s1e6.cfile -m BCCH -t 0