GSM frequency hopping: Help still desperately required, please.

Rob VK8FOES

Aug 12, 2023, 9:13:14 AM
to gr-gsm
Greetings group.

I am once again asking for assistance with getting my frequency hopping decoding workflow functioning. Despite believing that I have configured everything correctly, I still can't get decoded GSM packets to display in Wireshark and no raw bursts are printed in my terminal window.

Using a genuine HackRF, I captured a GSM base station downlink with a BCCH ARFCN of 103, and the hopping channels are allocated from ARFCN 124 to 107 (yes, in reverse order).

ARFCN 103 = 955.6 MHz
ARFCN 124 = 959.8 MHz
Separation = 4.2 MHz

So, I captured the cfile with 'grgsm_capture' at a sample rate of 8e6 and with a center frequency of 957.7 MHz. I have channelized the cfile perfectly with 'grgsm_channelize' and the BCCH on ARFCN 103 (955.6 MHz) decodes perfectly.

Here is the SI1 packet displaying the hopping channel ARFCNs:

"GSM CCCH - System Information Type 1
    L2 Pseudo Length
    .... 0110 = Protocol discriminator: Radio Resources Management messages (0x6)
    Message Type: System Information Type 1
    Cell Channel Description
        00.. 111. = Format Identifier: Unknown (0x07)
        List of ARFCNs = 124 123 122 121 120 119 118 117 116 115 114 113 112 111 110 109 108 107 103
    RACH Control Parameters
    SI 1 Rest Octets"
SI5_ARFCNS.jpg
Here is the Immediate Assignment packet I am targeting:

"GSM CCCH - Immediate Assignment
    L2 Pseudo Length
    .... 0110 = Protocol discriminator: Radio Resources Management messages (0x6)
    Message Type: Immediate Assignment
    Page Mode
    Dedicated mode or TBF
    Channel Description
        0101 1... = SDCCH/8 + SACCH/C8 or CBCH (SDCCH/8): 11
        Subchannel: 3
        .... .001 = Timeslot: 1
        111. .... = Training Sequence: 7
        ...1 .... = Hopping Channel: Yes
        Hopping channel MAIO: 4
        HSN: 4
    Request Reference
    Timing Advance
    Mobile Allocation
    IA Rest Octets"
Immediate_Assignment.jpg

And here is my GRC flowchart (grgsm_hopping_example.grc):
Hopping_Flowchart.jpg
(training sequence is configured to 7 in "GSM Receiver" block)

I can get some decoded bursts from the channelized ARFCN 107 cfile by decoding the SDCCH8 on timeslot 1:
SDCCH8_ARFCN_107.jpg

And, I can also get decoded bursts from the channelized ARFCN 122 cfile by decoding the SDCCH8 on timeslot 1:
SDCCH8_ARFCN_122.jpg

This is indicative that the cfile GSM data capture file is good. But I feel like there might be a configuration error on my part.

My RF setup is as follows:
- Genuine HackRF One
- High gain GSM base station antenna
- LMR-195 coaxial cable
- High vantage point, with line-of-sight to cell tower
- Excellent SNR, even with gain set to 1

If anybody could assist me in getting wideband GSM capture files decoded successfully with 'grgsm_hopping_example.grc', that would be greatly appreciated. I would be willing to pay a very generous bounty via Fiverr if somebody was willing to spend some time on solving my problem via SSH or remote desktop.

Regards,

Rob.
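As an added example (not gr-gsm's code and not part of the original post), the following script reproduces the two things the post is trying to line up: the 3GPP TS 45.002 section 6.2.3 hopping sequence for the parameters shown in the Immediate Assignment (MAIO 4, HSN 4), and a check that every hopping ARFCN plus the BCCH falls inside an 8 MHz capture centred on 957.7 MHz. The Mobile Allocation element is not expanded in the post, so the MA is assumed to be ARFCNs 107..124; the RNTABLE values are Table 6 of TS 45.002.

```python
from math import floor, log2

# Table 6 of 3GPP TS 45.002 (RNTABLE, 114 entries), indexed by (HSN xor T1R) + T3.
RNTABLE = [
     48,  98,  63,   1,  36,  95,  78, 102,  94,  73,   0,  64,  25,  81,  76,  59,
    124,  23, 104, 100, 101,  47, 118,  85,  18,  56,  96,  86,  54,   2,  80,  34,
    127,  13,   6,  89,  57, 103,  12,  74,  55, 111,  75,  38, 109,  71, 112,  29,
     11,  88,  87,  19,   3,  68, 110,  26,  33,  31,   8,  45,  82,  58,  40, 107,
     32,   5, 106,  92,  62,  67,  77, 108, 122,  37,  60,  66, 121,  42,  51, 126,
    117, 114,   4,  90,  43,  52,  53, 113, 120,  72,  16,  49,   7,  79, 119,  61,
     22,  84,   9,  97,  91,  15,  21,  24,  46,  39,  93, 105,  65,  70, 125,  99,
     17, 123,
]

def arfcn_to_downlink_hz(arfcn):
    """P-GSM 900 downlink centre frequency: 935 MHz + 200 kHz * ARFCN (ARFCN 0..124)."""
    if not 0 <= arfcn <= 124:
        raise ValueError("only P-GSM ARFCNs 0..124 are handled here")
    return 935_000_000 + 200_000 * arfcn

def hopping_arfcn(fn, ma, maio, hsn):
    """ARFCN in use at TDMA frame number fn (3GPP TS 45.002 section 6.2.3)."""
    # MAI 0..N-1 index the MA in increasing ARFCN order; ARFCN 0, if present, counts last.
    ma = sorted(ma, key=lambda a: (a == 0, a))
    n = len(ma)
    if hsn == 0:                              # HSN 0 means cyclic hopping
        return ma[(fn + maio) % n]
    t1r = (fn // 1326) % 64                   # T1 reduced modulo 64
    t2 = fn % 26
    t3 = fn % 51
    nbin = floor(log2(n)) + 1                 # bits needed to represent n
    m_prime = (t2 + RNTABLE[(hsn ^ t1r) + t3]) % (1 << nbin)
    if m_prime < n:
        s = m_prime
    else:                                     # fold back into range using T3
        s = (m_prime + t3 % (1 << nbin)) % (1 << nbin)
    return ma[(maio + s) % n]

def arfcns_outside_capture(ma, center_hz, samp_rate_hz):
    """ARFCNs whose 200 kHz channel does not fit inside a capture of the given centre and rate."""
    lo, hi = center_hz - samp_rate_hz // 2, center_hz + samp_rate_hz // 2
    return [a for a in ma if not (lo <= arfcn_to_downlink_hz(a) - 100_000
                                  and arfcn_to_downlink_hz(a) + 100_000 <= hi)]

# Constructed from the thread: MA assumed to be ARFCNs 107..124, MAIO 4, HSN 4 (hypothetical MA).
MA = list(range(107, 125))
EXAMPLE_SEQUENCE = [hopping_arfcn(fn, MA, 4, 4) for fn in range(10)]   # first ten frames
print(EXAMPLE_SEQUENCE, arfcns_outside_capture(MA + [103], 957_700_000, 8_000_000))
```

An empty list from the capture check means the 8e6 cfile centred at 957.7 MHz spans every channel the assignment can hop to, so a missing burst is a decoder configuration issue rather than a bandwidth one.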

Merjoma Kerjosa

Oct 24, 2023, 2:31:58 AM
to gr-gsm
Hi Rob VK8FOES, did you find any solution for this?

Saturday, August 12, 2023 at 18:13:14 UTC+5, Rob VK8FOES: