Hello,
I am using a SDR device (a BladeRF) and there is a nice tool called 'kal' that will show me all of my nearby GSM base stations.
In addition to listing base stations and their frequencies, I could also use that frequency info to monitor the beacon channel with gr-scan/airprobe.
So at this point I know:
- base station exists
- I know its frequency
- based on beacon channel assignments, etc., I *sort of* know how busy it is.
But what else can be learned about a particular base station with simply passive observation and no decryption (and no SIM card)? If all I have is a passive monitor with a SDR, what else can I learn from the beacon channel or from the station itself?
Is it possible to learn things like software version, protocols supported, connectivity to network, or to other base stations ?
My goal is to learn about the GSM networks around me and I wonder how deeply I can understand them with just passive observation of the beacon channel (or other sources of info that can be seen with SDR).
Thank you.
Hi,
> But what else can be learned about a particular base station with simply passive observation and no decryption (and no SIM card)? If all I have is a passive monitor with a SDR, what else can I learn from the beacon channel or from the station itself?
> Is it possible to learn things like software version, protocols supported, connectivity to network, or to other base stations?
Software version is not a concept known to GSM; nothing about it or about the manufacturer will be broadcast. Base stations won't TX anything if they don't have connectivity to the network. And they also don't talk to other base stations at all (at least not on a GSM layer).
Not sure what you mean by "protocol supported" but you can definitely see if the cell supports GPRS/EDGE in the SI messages.
As for other info you can obviously get the operator, location area id and cell id (and cross reference with opencellmap for instance). You can also follow the assignments; the first few messages are not ciphered and you can see if/how authentication is done and/or what kind of service is requested.
> My goal is to learn about the GSM networks around me and I wonder how deeply I can understand them with just passive observation of the beacon channel (or other sources of info that can be seen with SDR).
Just look at all the System Information messages in wireshark and look at each field and the corresponding documentation for it in the spec to know what they mean (GSM 04.08 will contain most of it). That's pretty much how I learned a lot.
Cheers,
Sylvain
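An added example, not from the thread or from any Osmocom tool: a decoder for the SI3 fields Sylvain lists (operator MCC/MNC, LAC, Cell Identity, GPRS indicator) from one 23-octet BCCH frame of the kind airprobe hands to Wireshark. The sample frame is constructed for the test PLMN 001-01; field layout follows GSM 04.08 / 3GPP TS 44.018, including the rest-octets rule that L/H bits are read relative to the 0x2B padding pattern.

```python
PAD = 0x2B  # spare padding pattern; CSN.1 'L'/'H' bits are defined relative to it

class RestOctets:
    """MSB-first bit reader for rest octets (GSM 04.08 / 3GPP TS 44.018 CSN.1)."""
    def __init__(self, data):
        self.bits = "".join(f"{b:08b}" for b in data)
        self.pos = 0

    def read(self, n=1):
        value = int(self.bits[self.pos:self.pos + n], 2)
        self.pos += n
        return value

    def read_lh(self):
        # 'H' means the bit differs from the padding bit at the same position,
        # so a raw 1 is not necessarily 'H'; assuming so misreads the rest octets.
        pad_bit = (PAD >> (7 - self.pos % 8)) & 1
        return self.read(1) != pad_bit

def decode_lai(b):
    """Location Area Identification (TS 24.008 10.5.1.3): BCD digits, nibble-swapped."""
    mcc = f"{b[0] & 0xF}{b[0] >> 4}{b[1] & 0xF}"
    mnc = f"{b[2] & 0xF}{b[2] >> 4}"
    if (b[1] >> 4) != 0xF:            # 0xF marks a two-digit MNC
        mnc += str(b[1] >> 4)
    return mcc, mnc, (b[3] << 8) | b[4]

def decode_si3(frame):
    """Parse one 23-octet SI3 frame as seen on the BCCH: L2 pseudo-length + L3 message."""
    if len(frame) != 23 or frame[0] != 0x49:            # 0x49 = 18 L3 octets, EL bit set
        raise ValueError("not a 23-octet SI3 frame")
    if (frame[1] & 0x0F) != 0x06 or frame[2] != 0x1B:   # RR protocol, message type SI3
        raise ValueError("not System Information Type 3")
    mcc, mnc, lac = decode_lai(frame[5:10])
    ccd = frame[10:13]                                   # Control Channel Description
    r = RestOctets(frame[19:23])
    if r.read_lh(): r.read(15)        # optional selection parameters: skip
    if r.read_lh(): r.read(2)         # optional power offset: skip
    si2ter, ecsc = r.read_lh(), r.read_lh()
    if r.read_lh(): r.read(3)         # scheduling 'where': skip
    gprs = None
    if r.read_lh():                   # GPRS indicator present -> cell supports GPRS
        gprs = {"ra_colour": r.read(3), "si13_on_bcch_ext": bool(r.read(1))}
    return {"cell_id": (frame[3] << 8) | frame[4], "mcc": mcc, "mnc": mnc, "lac": lac,
            "att": bool(ccd[0] & 0x40),           # IMSI attach/detach required
            "bs_pa_mfrms": (ccd[1] & 0x07) + 2,   # paging multiframe period
            "t3212_decihours": ccd[2],            # periodic location update timer
            "si2ter": si2ter, "ecsc": ecsc, "gprs": gprs}

# Constructed sample frame: test PLMN 001-01, LAC 1, CI 0x1234, GPRS with RA colour 5.
SAMPLE_SI3 = bytes.fromhex("49061b1234 00f1100001 41020a 00 0000 d50400 2eab2b2b")

if __name__ == "__main__":
    print(decode_si3(SAMPLE_SI3))
```

Everything decoded here is broadcast in the clear on the BCCH, which is exactly why a passive receiver with no SIM can read it.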
Hello Sylvain,
On Thursday, October 8, 2015 11:52 PM, Sylvain Munaut 246tnt@gmail.com wrote:
> But what else can be learned about a particular base station with simply passive observation and no decryption (and no SIM card)? If all I have is a passive monitor with a SDR, what else can I learn from the beacon channel or from the station itself?
> Is it possible to learn things like software version, protocols supported, connectivity to network, or to other base stations?
(snip)
> Not sure what you mean by "protocol supported" but you can definitely see if the cell supports GPRS/EDGE in the SI messages.
Ok, thank you. Are all SI messages sent in the clear (unencrypted) and are they all available to a passive observer with just software radio (no phone or SIM card)?
> As for other info you can obviously get the operator, location area id and cell id (and cross reference with opencellmap for instance). You can also follow the assignments; the first few messages are not ciphered and you can see if/how authentication is done and/or what kind of service is requested.
Ok, and am I correct that by watching the volume of assignments (and maybe the volume of paging requests) a person could estimate the traffic, or utilization (or at least relative utilization) of that tower?
> My goal is to learn about the GSM networks around me and I wonder how deeply I can understand them with just passive observation of the beacon channel (or other sources of info that can be seen with SDR).
Ok, I will be looking at SI messages, and those SI messages all take place on one fixed beacon channel, correct?
Thank you.
baseband-devel@lists.osmocom.org