-
Nico Otterbach | September 15, 2014 | Washington, D.C.
Hands-on GSM Analysis with GNU Radio and
AirProbe
GNU Radio Conference 2014
-
September 2014
The Project
A. Background
1
-
September 2014
The Project
A. Background
GSM emergency call handling
1
-
September 2014
The Project
A. Background
GSM emergency call handling
Creation of protocol traces
1
-
September 2014
The Project
A. Background
GSM emergency call handling
Creation of protocol traces
eCalls should be rejected (w/o SIM)
1
-
September 2014
The Project
A. Background
GSM emergency call handling
Creation of protocol traces
eCalls should be rejected (w/o SIM)
1
Source: rohde-schwarz.com
-
September 2014
The Challenge
A. Background
2
-
September 2014
The Challenge
Technical Challenges
Connect to the network w/o SIM
Base station and channel assignment
A. Background
2
-
September 2014
The Challenge
Technical Challenges
Connect to the network w/o SIM
Base station and channel assignment
Legal Challenges
Calling 110/911 in a real network
Recording of real network traffic
A. Background
2
-
September 2014
The Challenge
Technical Challenges
Connect to the network w/o SIM
Base station and channel assignment
Legal Challenges
Calling 110/911 in a real network
Recording of real network traffic
Available open-source projects
GNU Radio
AirProbe
OsmocomBB
A. Background
2
-
September 2014
The Challenge
Technical Challenges
Connect to the network w/o SIM
Base station and channel assignment
Legal Challenges
Calling 110/911 in a real network
Recording of real network traffic
Available open-source projects
GNU Radio
AirProbe
OsmocomBB
A. Background
Create required GSM protocol traces with open source tools!
2
-
September 2014
Outline
A. Background
B. GSM Basics
C. OsmocomBB
D. GNU Radio & AirProbe
E. Summary & Outlook
3
-
September 2014
Basic GSM Terminology
B. GSM Basics
4
-
September 2014
Basic GSM Terminology
B. GSM Basics
SIM (Subscriber Identity Module)
[uthmag.com]
4
-
September 2014
Basic GSM Terminology
B. GSM Basics
SIM (Subscriber Identity Module)
IMSI (International Mobile Subscriber Identity)
[uthmag.com]
4
-
September 2014
Basic GSM Terminology
B. GSM Basics
SIM (Subscriber Identity Module)
IMSI (International Mobile Subscriber Identity)
IMEI (International Mobile Equipment Identity)
[uthmag.com]
4
-
September 2014
Basic GSM Terminology
B. GSM Basics
SIM (Subscriber Identity Module)
IMSI (International Mobile Subscriber Identity)
IMEI (International Mobile Equipment Identity)
ARFCN (Absoulte Radio Frequency Channel Number)
Logical GSM channels
Up- & Downlink separated by 45 MHz
(Frequency Hopping)
=
200
= + 200
[uthmag.com]
4
-
September 2014
GSM Emergency Call Handling (w/o SIM)
A. GSM Basics
5
-
September 2014
GSM Emergency Call Handling (w/o SIM)
A. GSM Basics
No SIM, no IMSI!
IMEI used as quasi IMSI
[techmtaa.com]
5
-
September 2014
GSM Emergency Call Handling (w/o SIM)
A. GSM Basics
No SIM, no IMSI!
IMEI used as quasi IMSI
eCall rejection without valid IMSI
Actually omitted redirection in base station
Optional in GSM standard (mandatory in EU)
To avoid malpractice
[techmtaa.com]
5
-
September 2014
GSM Emergency Call Handling (w/o SIM)
A. GSM Basics
No SIM, no IMSI!
IMEI used as quasi IMSI
eCall rejection without valid IMSI
Actually omitted redirection in base station
Optional in GSM standard (mandatory in EU)
To avoid malpractice
Possible evidence of eCall rejection
[techmtaa.com]
5
-
September 2014
GSM Emergency Call Handling (w/o SIM)
A. GSM Basics
No SIM, no IMSI!
IMEI used as quasi IMSI
eCall rejection without valid IMSI
Actually omitted redirection in base station
Optional in GSM standard (mandatory in EU)
To avoid malpractice
Possible evidence of eCall rejection o Complete protocol
trace
(including negotiation and rejection by the network)
[techmtaa.com]
5
-
September 2014
GSM Emergency Call Handling (w/o SIM)
A. GSM Basics
No SIM, no IMSI!
IMEI used as quasi IMSI
eCall rejection without valid IMSI
Actually omitted redirection in base station
Optional in GSM standard (mandatory in EU)
To avoid malpractice
Possible evidence of eCall rejection o Complete protocol
trace
(including negotiation and rejection by the network)
o Ideally available in Wireshark
[techmtaa.com]
5
-
September 2014
GSM Emergency Call Handling (w/o SIM)
A. GSM Basics
No SIM, no IMSI!
IMEI used as quasi IMSI
eCall rejection without valid IMSI
Actually omitted redirection in base station
Optional in GSM standard (mandatory in EU)
To avoid malpractice
Possible evidence of eCall rejection o Complete protocol
trace
(including negotiation and rejection by the network)
o Ideally available in Wireshark
o Ideally based on cheap hardware
[techmtaa.com]
5
-
September 2014
Outline
A. Background
B. GSM Basics
C. OsmocomBB
D. GNU Radio & AirProbe
E. Summary & Outlook
6
-
September 2014
Introducing OsmocomBB
C. OsmocomBB
7
-
September 2014
Introducing OsmocomBB
C. OsmocomBB
Open-source GSM baseband software
Layer 1 on phone, higher layers on host
7
-
September 2014
Introducing OsmocomBB
C. OsmocomBB
Open-source GSM baseband software
Layer 1 on phone, higher layers on host
Works with cheap hardware
Motorola phones (based on TI Calypso)
Serial adapter (~ 20-30 EUR)
Phones available on eBay (~ 10-20 EUR)
7
-
September 2014
Introducing OsmocomBB
C. OsmocomBB
Open-source GSM baseband software
Layer 1 on phone, higher layers on host
Works with cheap hardware
Motorola phones (based on TI Calypso)
Serial adapter (~ 20-30 EUR)
Phones available on eBay (~ 10-20 EUR)
7
-
September 2014
Introducing OsmocomBB
C. OsmocomBB
Open-source GSM baseband software
Layer 1 on phone, higher layers on host
Works with cheap hardware
Motorola phones (based on TI Calypso)
Serial adapter (~ 20-30 EUR)
Phones available on eBay (~ 10-20 EUR)
Provides Wireshark-Output
7
-
September 2014
Introducing OsmocomBB
C. OsmocomBB
Open-source GSM baseband software
Layer 1 on phone, higher layers on host
Works with cheap hardware
Motorola phones (based on TI Calypso)
Serial adapter (~ 20-30 EUR)
Phones available on eBay (~ 10-20 EUR)
Provides Wireshark-Output
Very promising approach that suits our needs!
7
-
September 2014
Utilizing OsmocomBB
C. OsmocomBB
8
-
September 2014
Utilizing OsmocomBB
C. OsmocomBB
8
-
September 2014
Utilizing OsmocomBB
C. OsmocomBB
Needed adjustments
Enable TX-support
Configuration w/o SIM
8
-
September 2014
Utilizing OsmocomBB
C. OsmocomBB
Needed adjustments
Enable TX-support
Configuration w/o SIM
Problems with OsmocomBB
Little documentation
Camp on base station
Segfault when trying to initiate an
eCall w/o SIM
8
-
September 2014
Utilizing OsmocomBB
C. OsmocomBB
Needed adjustments
Enable TX-support
Configuration w/o SIM
Problems with OsmocomBB
Little documentation
Camp on base station
Segfault when trying to initiate an
eCall w/o SIM
Great tool for GSM analysis, but problems w/o SIM!
8
-
September 2014
Outline
A. Background
B. GSM Basics
C. OsmocomBB
D. GNU Radio & AirProbe
E. Summary & Outlook
9
-
September 2014
Whats next?
D. GNU Radio & Airprobe
10
-
September 2014
Whats next?
D. GNU Radio & Airprobe
AirProbe GSM Sniffer
Open-source software
Acquisition based on GNU Radio (3.6)
RTL-SDR / Hack RF / USRP support
Complete DeModulation module
10
[rtl-sdr.com]
-
September 2014
Whats next?
D. GNU Radio & Airprobe
AirProbe GSM Sniffer
Open-source software
Acquisition based on GNU Radio (3.6)
RTL-SDR / Hack RF / USRP support
Complete DeModulation module
Challenges
AirProbe takes only one channel a time
Channel identification
Lacks Frequency Hopping support
10
[rtl-sdr.com]
-
September 2014
Whats next?
D. GNU Radio & Airprobe
AirProbe GSM Sniffer
Open-source software
Acquisition based on GNU Radio (3.6)
RTL-SDR / Hack RF / USRP support
Complete DeModulation module
Challenges
AirProbe takes only one channel a time
Channel identification
Lacks Frequency Hopping support
Record entire band
Identify ARFCN
Segment channel(s)
Demodulation with AirProbe
[rtl-sdr.com]
10
-
September 2014
First approach: Use Available Hardware
D. GNU Radio & Airprobe
Record entire band
Identify ARFCN
Segment channel(s)
Demodulation with
AirProbe
11
-
September 2014
First approach: Use Available Hardware
D. GNU Radio & Airprobe
Record entire band
Identify ARFCN
Segment channel(s)
Demodulation with
AirProbe
11
-
September 2014
First approach: Use Available Hardware
D. GNU Radio & Airprobe
Record entire band
Identify ARFCN
Segment channel(s)
Demodulation with
AirProbe
Hack RF Terratec NOXON DAB (rev. 2)
GSM 900 & GSM 1800 Limited to GSM-900
High bandwidth Low bandwidth
ARFCN identification (Uplink) Parallel Downlink recording
11
-
September 2014
First approach: Use Available Hardware
D. GNU Radio & Airprobe
ARFCN must be known prior to measurement!
Record entire band
Identify ARFCN
Segment channel(s)
Demodulation with
AirProbe
Hack RF Terratec NOXON DAB (rev. 2)
GSM 900 & GSM 1800 Limited to GSM-900
High bandwidth Low bandwidth
ARFCN identification (Uplink) Parallel Downlink recording
11
-
September 2014
First approach ARFCN Identification Record entire band Identify
ARFCN Segment channel(s) Demodulati
on with AirProbe
D. GNU Radio & Airprobe
12
-
September 2014
First approach ARFCN Identification Record entire band Identify
ARFCN Segment channel(s) Demodulati
on with AirProbe
Idea: Locate ARFCN in frequency domain
D. GNU Radio & Airprobe
12
-
September 2014
First approach ARFCN Identification Record entire band Identify
ARFCN Segment channel(s) Demodulati
on with AirProbe
Idea: Locate ARFCN in frequency domain
D. GNU Radio & Airprobe
12
-
September 2014
First approach ARFCN Identification Record entire band Identify
ARFCN Segment channel(s) Demodulati
on with AirProbe
Idea: Locate ARFCN in frequency domain
Use Peak-Hold to identify nearby Tx
D. GNU Radio & Airprobe
12
-
September 2014
First approach ARFCN Identification Record entire band Identify
ARFCN Segment channel(s) Demodulati
on with AirProbe
Idea: Locate ARFCN in frequency domain
Use Peak-Hold to identify nearby Tx
No real Short-Time Fourier-Transformation (windowing)!
D. GNU Radio & Airprobe
12
-
September 2014
First approach ARFCN Identification Record entire band Identify
ARFCN Segment channel(s) Demodulati
on with AirProbe
Idea: Locate ARFCN in frequency domain
Use Peak-Hold to identify nearby Tx
No real Short-Time Fourier-Transformation (windowing)!
D. GNU Radio & Airprobe
Keep it simple and stupid!
12
-
September 2014
First approach Results Record entire band Identify ARFCN Segment
channel(s) Demodulati
on with AirProbe
D. GNU Radio & Airprobe
13
-
September 2014
First approach Results Record entire band Identify ARFCN Segment
channel(s) Demodulati
on with AirProbe
D. GNU Radio & Airprobe
13
-
September 2014
First approach Results Record entire band Identify ARFCN Segment
channel(s) Demodulati
on with AirProbe
# of possible ARFCNs reduced to 5 - 10
D. GNU Radio & Airprobe
13
-
September 2014
First approach Results Record entire band Identify ARFCN Segment
channel(s) Demodulati
on with AirProbe
# of possible ARFCNs reduced to 5 - 10
No clear ARFCN identification possible (must be known prior to
recording)
D. GNU Radio & Airprobe
13
-
September 2014
First approach Results Record entire band Identify ARFCN Segment
channel(s) Demodulati
on with AirProbe
# of possible ARFCNs reduced to 5 - 10
No clear ARFCN identification possible (must be known prior to
recording)
Doesnt suit our needs in this constellation!
D. GNU Radio & Airprobe
13
-
September 2014
Whats next?
D. GNU Radio & Airprobe
14
-
September 2014
Whats next?
Reduce # of possible ARFCNs
Rural area, ideally a secluded valley
D. GNU Radio & Airprobe
14
-
September 2014
Whats next?
Reduce # of possible ARFCNs
Rural area, ideally a secluded valley
D. GNU Radio & Airprobe
14
-
September 2014
Whats next?
Reduce # of possible ARFCNs
Rural area, ideally a secluded valley
OR
D. GNU Radio & Airprobe
14
-
September 2014
Whats next?
Reduce # of possible ARFCNs
Rural area, ideally a secluded valley
OR
Use of professional hardware
D. GNU Radio & Airprobe
14
-
September 2014
Whats next?
Reduce # of possible ARFCNs
Rural area, ideally a secluded valley
OR
Use of professional hardware
D. GNU Radio & Airprobe
14
-
September 2014
Second approach Professional Hardware Record entire band
Identify ARFCN Segment channel(s) Demodulati
on with AirProbe
D. GNU Radio & Airprobe
15
-
September 2014
Second approach Professional Hardware Record entire band
Identify ARFCN Segment channel(s) Demodulati
on with AirProbe
D. GNU Radio & Airprobe
15
-
September 2014
Second approach Professional Hardware Record entire band
Identify ARFCN Segment channel(s) Demodulati
on with AirProbe
2 USRP B200 (up to 56 MHz real time bandwidth)
D. GNU Radio & Airprobe
15
-
September 2014
Second approach Professional Hardware Record entire band
Identify ARFCN Segment channel(s) Demodulati
on with AirProbe
2 USRP B200 (up to 56 MHz real time bandwidth)
Simultaneous Up- & Downlink recording of (almost) entire
band
D. GNU Radio & Airprobe
15
-
September 2014
Second approach Professional Hardware Record entire band
Identify ARFCN Segment channel(s) Demodulati
on with AirProbe
2 USRP B200 (up to 56 MHz real time bandwidth)
Simultaneous Up- & Downlink recording of (almost) entire
band
No a priori knowledge of ARFCN needed anymore!
D. GNU Radio & Airprobe
15
-
September 2014
Second approach Channel Segmentation Record entire band Identify
ARFCN Segment channel(s) Demodulati
on with AirProbe
D. GNU Radio & Airprobe
16
-
September 2014
Second approach Channel Segmentation Record entire band Identify
ARFCN Segment channel(s) Demodulati
on with AirProbe
Offline Filtering of single ARFCN
D. GNU Radio & Airprobe
16
-
September 2014
Second approach Channel Segmentation Record entire band Identify
ARFCN Segment channel(s) Demodulati
on with AirProbe
Offline Filtering of single ARFCN
D. GNU Radio & Airprobe
16
-
September 2014
Second approach Channel Segmentation Record entire band Identify
ARFCN Segment channel(s) Demodulati
on with AirProbe
Offline Filtering of single ARFCN
ARFCN selection by chan_num
D. GNU Radio & Airprobe
16
-
September 2014
Second approach Channel Segmentation Record entire band Identify
ARFCN Segment channel(s) Demodulati
on with AirProbe
Offline Filtering of single ARFCN
ARFCN selection by chan_num
= chan_num 200 + 100 16
D. GNU Radio & Airprobe
16
-
September 2014
Second approach Channel Segmentation Record entire band Identify
ARFCN Segment channel(s) Demodulati
on with AirProbe
Offline Filtering of single ARFCN
ARFCN selection by chan_num
= chan_num 200 + 100 16
Automated execution from python script for all possible
ARFCNs
D. GNU Radio & Airprobe
16
-
September 2014
Second approach Demodulation & Analysis Record entire band
Identify ARFCN Segment channel(s) Demodulati
on with AirProbe
D. GNU Radio & Airprobe
17
-
September 2014
Second approach Demodulation & Analysis Record entire band
Identify ARFCN Segment channel(s) Demodulati
on with AirProbe
Automated demodulation with AirProbe
D. GNU Radio & Airprobe
17
-
September 2014
Second approach Demodulation & Analysis Record entire band
Identify ARFCN Segment channel(s) Demodulati
on with AirProbe
Automated demodulation with AirProbe
Multiple channels merged in Wireshark trace
D. GNU Radio & Airprobe
17
-
September 2014
Second approach Demodulation & Analysis Record entire band
Identify ARFCN Segment channel(s) Demodulati
on with AirProbe
Automated demodulation with AirProbe
Multiple channels merged in Wireshark trace
D. GNU Radio & Airprobe
17
-
September 2014
Second approach Demodulation & Analysis Record entire band
Identify ARFCN Segment channel(s) Demodulati
on with AirProbe
Automated demodulation with AirProbe
Multiple channels merged in Wireshark trace
Wireshark filter: gsm_a.ie.mobileid.type=2/3
D. GNU Radio & Airprobe
17
-
September 2014
Second approach Demodulation & Analysis Record entire band
Identify ARFCN Segment channel(s) Demodulati
on with AirProbe
Automated demodulation with AirProbe
Multiple channels merged in Wireshark trace
Wireshark filter: gsm_a.ie.mobileid.type=2/3
Demodulation of uplink channels not possible!
D. GNU Radio & Airprobe
17
-
September 2014
Outline
A. Background
B. GSM Basics
C. OsmocomBB
D. GNU Radio & AirProbe
E. Summary & Outlook
18
-
September 2014
Summary & Outlook
E. Summary & Outlook
19
-
September 2014
Summary & Outlook
GNU Radio & python are great tools for offline data
analysis
E. Summary & Outlook
19
-
September 2014
Summary & Outlook
GNU Radio & python are great tools for offline data
analysis
GNU Radio can be used as a library of DSP algorithms
E. Summary & Outlook
19
-
September 2014
Summary & Outlook
GNU Radio & python are great tools for offline data
analysis
GNU Radio can be used as a library of DSP algorithms
AirProbe out-dated (last commit in 2011)
E. Summary & Outlook
19
-
September 2014
Summary & Outlook
GNU Radio & python are great tools for offline data
analysis
GNU Radio can be used as a library of DSP algorithms
AirProbe out-dated (last commit in 2011)
E. Summary & Outlook
19
-
September 2014
Summary & Outlook
GNU Radio & python are great tools for offline data
analysis
GNU Radio can be used as a library of DSP algorithms
AirProbe out-dated (last commit in 2011)
E. Summary & Outlook
+
19
-
September 2014
Summary & Outlook
GNU Radio & python are great tools for offline data
analysis
GNU Radio can be used as a library of DSP algorithms
AirProbe out-dated (last commit in 2011)
E. Summary & Outlook
Source: rohde-schwarz.com
+ =
19
-
September 2014
Summary & Outlook
GNU Radio & python are great tools for offline data
analysis
GNU Radio can be used as a library of DSP algorithms
AirProbe out-dated (last commit in 2011)
E. Summary & Outlook
+ = ?
19
Source: rohde-schwarz.com
-
September 2014
Summary & Outlook
GNU Radio & python are great tools for offline data
analysis
GNU Radio can be used as a library of DSP algorithms
AirProbe out-dated (last commit in 2011)
E. Summary & Outlook
+ = ?
Low-cost, open source GSM protocol analyzer feasible,
but additional development effort needed!
19
Source: rohde-schwarz.com
-
September 2014
Fennec Research UG (haftungsbeschrnkt)
Scheffelstrae 2
76135 Karlsruhe
Germany
[email protected]
www.fennec-research.com
Questions?
