What can I learn about a GSM base station without doing any decryption ?

Sylvain Munaut 246tnt at gmail.com
Fri Oct 9 06:51:50 UTC 2015


> But what else can be learned about a particular base station with simply passive observation and no decryption (and no sim card) ?  If all I have is a passive monitor with a SDR, what else can I learn from the beacon channel or from the station itself ?
> Is it possible to learn things like software version, protocols supported, connectivity to network, or to other base stations ?

Software Version is not a concept known to GSM, nothing about it or
about the manufacturer will be broadcast.
Base Stations won't TX anything if they don't have connectivity to the
network. And they also don't talk to other base stations at all (at
least not on a GSM layer).

Not sure what you mean by "protocol supported" but you can definitely
see if the cell supports GPRS/EDGE in the SI messages.

As for other info you can obviously get the operator, location area id
and cell id (and cross reference with opencellmap for instance). You
can also follow the assignments and the first few messages are not
ciphered and you can see if/how authentication is done and/or what
kind of service is requested.

> My goal is to learn about the GSM networks around me and I wonder how deeply I can understand them with just passive observation of the beacon channel (or other sources of info that can be seen with SDR).

Just look at all the System Information messages in wireshark and
look at each field and the corresponding documentation for it in the
spec to know what they mean. ( GSM 04.08 will contain most of it ).
That's pretty much how I learned a lot.
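
An added example to go with the reply above (it is not code from the original post or from any project it mentions): a decoder for one SYSTEM INFORMATION TYPE 3 block as it is broadcast in clear on the BCCH, pulling out the operator (MCC/MNC), location area, cell id, access barring and, from the CSN.1 rest octets, the GPRS indicator the reply refers to. The 23-octet frame is constructed for a test PLMN (MCC 001, MNC 01) and is not a capture from any real network; field layouts follow GSM 04.08 / 3GPP TS 44.018 section 9.1.35 and TS 24.008 10.5.1.3.

```python
"""
Decode a GSM SYSTEM INFORMATION TYPE 3 message (3GPP TS 04.08 / 44.018,
section 9.1.35) exactly as it is broadcast in clear on the BCCH.  Added
example, not code from the original post; the frame below is constructed
for a test PLMN (MCC 001, MNC 01) and is not a capture of any real network.
"""

SAMPLE_SI3 = bytes.fromhex(       # constructed 23-octet BCCH block
    "49"          # L2 pseudo length 18 (0x12 << 2 | 0b01)
    "06"          # protocol discriminator: Radio Resource management
    "1b"          # message type: SYSTEM INFORMATION TYPE 3
    "03e8"        # Cell Identity = 1000
    "00f1100001"  # LAI: MCC 001, MNC 01 (3rd digit 0xF), LAC 1
    "49010a"      # Control Channel Description (ATT=1, CCCH combined, T3212=10)
    "27"          # Cell Options (BCCH)
    "4546"        # Cell Selection Parameters
    "a98000"      # RACH Control Parameters (access class 15 barred)
    "3c2b2b2b"    # SI3 Rest Octets: CSN.1, padded with 0x2B
)
TX_INTEGER = [3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 16, 20, 25, 32, 50]
MAX_RETRANS = [1, 2, 4, 7]


def decode_lai(b: bytes) -> dict:
    """Location Area Identification (TS 24.008 10.5.1.3): BCD MCC/MNC + LAC."""
    mcc = f"{b[0] & 0xF}{b[0] >> 4}{b[1] & 0xF}"
    mnc3 = b[1] >> 4                       # 0xF marks a two-digit MNC
    mnc = f"{b[2] & 0xF}{b[2] >> 4}" + ("" if mnc3 == 0xF else str(mnc3))
    return {"mcc": mcc, "mnc": mnc, "lac": int.from_bytes(b[3:5], "big")}


class RestOctets:
    """CSN.1 bit reader; L/H are judged against the 0x2B padding pattern."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def bits(self, n: int = 1) -> int:
        v = 0
        for _ in range(n):
            if self.pos >= 8 * len(self.data):
                raise EOFError("ran past the rest octets")
            v = (v << 1) | ((self.data[self.pos >> 3] >> (7 - self.pos % 8)) & 1)
            self.pos += 1
        return v

    def h(self) -> bool:
        """True for 'H': the bit differs from the padding bit at this position."""
        pad = (0x2B >> (7 - self.pos % 8)) & 1
        return self.bits() != pad


def decode_si3_rest_octets(data: bytes) -> dict:
    """SI3 Rest Octets (TS 44.018 10.5.2.34); the GPRS indicator lives here."""
    r, out = RestOctets(data), {}
    if r.h():                                  # optional selection parameters
        out["cbq"], out["cell_reselect_offset_db"] = r.bits(1), 2 * r.bits(6)
        out["temporary_offset"], out["penalty_time"] = r.bits(3), r.bits(5)
    if r.h():                                  # optional power offset
        out["power_offset"] = r.bits(2)
    out["si2ter_indicator"] = r.h()
    out["early_classmark_sending"] = r.h()
    if r.h():                                  # scheduling if and where
        out["where"] = r.bits(3)
    out["gprs"] = r.h()
    if out["gprs"]:
        out["ra_colour"] = r.bits(3)
        out["si13_position"] = "BCCH Norm" if r.bits(1) == 0 else "BCCH Ext"
    out["umts_early_classmark_restriction"] = r.h()
    return out


def decode_si3(frame: bytes) -> dict:
    """Parse one SYSTEM INFORMATION TYPE 3 BCCH block into plain values."""
    if len(frame) != 23 or frame[1] & 0x0F != 0x06 or frame[2] != 0x1B:
        raise ValueError("not a SYSTEM INFORMATION TYPE 3 frame")
    info = {"cell_id": int.from_bytes(frame[3:5], "big")}
    info.update(decode_lai(frame[5:10]))
    ccd = frame[10:13]                         # Control Channel Description
    info["att"] = bool(ccd[0] & 0x40)          # IMSI attach/detach required
    info["ccch_conf"] = ccd[0] & 7             # 1 = CCCH combined with SDCCH
    info["t3212_decihours"] = ccd[2]           # 0 = periodic updating disabled
    cs = frame[14:16]                          # Cell Selection Parameters
    info["cell_reselect_hysteresis_db"] = (cs[0] >> 5) * 2
    info["rxlev_access_min_dbm"] = -110 + (cs[1] & 0x3F)
    rach = frame[16:19]                        # RACH Control Parameters
    info["max_retrans"] = MAX_RETRANS[rach[0] >> 6]
    info["tx_integer"] = TX_INTEGER[(rach[0] >> 2) & 0xF]
    info["cell_barred"] = bool(rach[0] & 0x02)
    info["reestablishment_allowed"] = not (rach[0] & 0x01)
    ac = (rach[1] << 8) | rach[2]              # bit n set = access class n barred
    info["barred_access_classes"] = [n for n in range(16) if (ac >> n) & 1]
    info["emergency_calls_allowed"] = not ((ac >> 10) & 1)
    info.update(decode_si3_rest_octets(frame[19:23]))
    return info


if __name__ == "__main__":
    for key, value in decode_si3(SAMPLE_SI3).items():
        print(f"{key:34} {value}")
```

The L/H notation in the rest octets is the part that trips people up when reading the spec next to a Wireshark dissection: each optional element is signalled by whether the bit matches the 0x2B padding pattern at that bit position, not by a plain 0 or 1, which is why the reader tracks its absolute bit offset. Everything decoded here (PLMN, LAC, Cell ID, barring, GPRS support, whether attach/detach and periodic updating are required) comes from a single unciphered broadcast block, so it is all available to a passive SDR receiver with no SIM.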
