What can I learn about a GSM base station without doing any decryption ?

Mm Bsd mmbsd1982 at yahoo.com
Tue Oct 13 14:53:41 UTC 2015

Hello Sylvain,

On Thursday, October 8, 2015 11:52 PM, Sylvain Munaut <246tnt at gmail.com> wrote:

> But what else can be learned about a particular base station with simply passive observation and no decryption (and no sim card) ?  If all I have is a passive monitor with a SDR, what else can I learn from the beacon channel or from the station itself ?
> Is it possible to learn things like software version, protocols supported, connectivity to network, or to other base stations ?

Not sure what you mean by "protocol supported" but you can definitely
see if the cell supports GPRS/EDGE in the SI messages.

Ok, thank you.  Are all SI messages sent in the clear (unencrypted) and are they all available to a passive observer with just software radio (no phone or sim card) ?

As for other info you can obviously get the operator, location area id
and cell id (and cross reference with opencellmap for instance). You
can also follow the assignments and the first few messages are not
ciphered and you can see if/how authentication is done and/or what
kind of service is requested.

Ok, and am I correct that by watching the volume of assignments (and maybe the volume of paging requests) a person could estimate the traffic, or utilization (or at least relative utilization) of that tower ?

> My goal is to learn about the GSM networks around me and I wonder how deeply I can understand them with just passive observation of the beacon channel (or other sources of info that can be seen with SDR).

Ok, I will be looking at SI messages and those SI messages all take place on one fixed beacon channel, correct ?

Thank you.
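As an added illustration of what the cleartext SI messages on the beacon carry (this is example code written for this page, not code from the thread or from any osmocom project), here is a small decoder for one System Information Type 3 block: it pulls out the cell identity, the LAI (operator MCC/MNC and location area code) and the GPRS Indicator from the rest octets. Field offsets follow 3GPP TS 44.018 / 24.008; the sample frame is constructed, not a capture.

```python
# Decoder for a GSM System Information Type 3 (SI3) block as seen on the BCCH
# (3GPP TS 44.018 9.1.35). Added example, not code from the thread or from
# osmocom; field offsets follow the spec, the sample frame below is constructed.

PADDING = 0x2B  # rest-octet padding; a bit equal to it is "L", inverted is "H"

def _raw_bit(rest, k):
    """Bit k of the rest octets, counting from the MSB of the first octet."""
    return (rest[k >> 3] >> (7 - (k & 7))) & 1

def _is_h(rest, k):
    """CSN.1 H/L decision bit: True when bit k is the inverse of the padding."""
    return _raw_bit(rest, k) != ((PADDING >> (7 - (k & 7))) & 1)

def _bits(rest, k, n):
    """Read n raw bits starting at bit k as an unsigned integer."""
    return sum(_raw_bit(rest, k + i) << (n - 1 - i) for i in range(n))

def parse_si3(frame):
    """Return the cleartext fields a passive monitor can read from one SI3."""
    if len(frame) != 23 or frame[1] != 0x06 or frame[2] != 0x1B:
        raise ValueError("not an RR System Information Type 3 block")
    lai = frame[5:10]                      # TS 24.008 10.5.1.3: BCD MCC/MNC + LAC
    mcc = f"{lai[0] & 0xF}{lai[0] >> 4}{lai[1] & 0xF}"
    mnc = f"{lai[2] & 0xF}{lai[2] >> 4}"
    if lai[1] >> 4 != 0xF:                 # third MNC digit present
        mnc += str(lai[1] >> 4)
    rest = frame[19:23]
    # Walk the CSN.1 rest octets up to the GPRS Indicator, skipping optional
    # elements: Selection Parameters (15 bits), Power Offset (2), SI2ter and
    # Early Classmark indicators (no payload), Scheduling if and where (3).
    k = 0
    for payload in (15, 2, 0, 0, 3):
        k += 1 + (payload if _is_h(rest, k) else 0)
    gprs = _is_h(rest, k)
    return {
        "cell_id": (frame[3] << 8) | frame[4],
        "mcc": mcc, "mnc": mnc,
        "lac": (lai[3] << 8) | lai[4],
        "t3212_decihours": frame[12],      # periodic location update timer
        "cell_barred": bool((frame[16] >> 1) & 1),  # RACH ctrl CELL_BAR_ACCESS
        "gprs": gprs,
        "ra_colour": _bits(rest, k + 1, 3) if gprs else None,
    }

# Constructed SI3 (not a capture): MCC 262, MNC 01, LAC 0x0102, CI 0x1234,
# GPRS Indicator = H with RA colour 5, remaining rest octets are padding.
SAMPLE_SI3 = bytes.fromhex(
    "49 06 1b 12 34 62 f2 10 01 02 01 05 0a 0a 00 00 00 00 00 3e ab 2b 2b")

if __name__ == "__main__":
    print(parse_si3(SAMPLE_SI3))
```

Feeding it the 23-octet SI3 payloads that a BCCH decoder emits gives the operator and cell identifiers to look up in a cell database, and the GPRS flag the reply above refers to, without any ciphering involved.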
