GSM/5G basic radio signal interception

Johan Louwers
7 min readJun 25, 2024

--

GSM cell tower

GSM signal interception is the process of capturing and analyzing mobile communication signals using readily available civilian equipment. This method typically involves the use of software-defined radios (SDRs) and specialized software to decode GSM signals, which are the standard for 2G mobile networks.

To begin with, an SDR device such as a HackRF, RTL-SDR, or USRP is essential. These devices are relatively affordable and widely accessible to civilians. The SDR hardware is connected to a computer via USB and is capable of capturing raw radio frequency (RF) signals transmitted by GSM base stations. The captured signals are then processed using specialized software.

One of the most commonly used software tools for this purpose is GR-GSM, an open-source project built on the GNU Radio framework. GR-GSM facilitates the demodulation and decoding of GSM signals. Once installed on a computer, GR-GSM works with the SDR hardware to tune into the GSM frequency band and sample the RF signals. This step involves configuring the SDR to the specific frequencies used by GSM networks, which typically range from 900 MHz to 1800 MHz, depending on the region.

After capturing the signals, GR-GSM demodulates them, converting the modulated RF signals into baseband in-phase (I) and quadrature (Q) signals. This conversion is necessary to make the data readable and interpretable. Following demodulation, GR-GSM decodes the GSM protocol data, extracting useful information such as voice, text messages, and signaling information.

For a detailed examination of the decoded messages, a network protocol analyzer like Wireshark can be used. Wireshark allows users to analyze the decoded GSM messages, providing insights into call setups, SMS deliveries, and other network activities. This analysis is crucial for understanding the underlying operations of GSM networks and identifying any potential issues or vulnerabilities.

GSM signal interception using civilian equipment has several practical applications. It is widely used in security research to identify and test vulnerabilities within GSM networks. Network operators and engineers use this method to monitor and troubleshoot network performance, ensuring that the GSM infrastructure operates efficiently. Additionally, educational institutions and researchers leverage this technology to teach and study telecommunications and software-defined radio principles.

However, it is important to note that intercepting GSM signals must adhere to legal and ethical guidelines. Unauthorized interception of communications is illegal in many jurisdictions and can result in severe penalties. Therefore, this technology should be used responsibly and for legitimate purposes only.

The role of GR-GSM

GR-GSM is an open-source software project that enables the reception, demodulation, and decoding of GSM (Global System for Mobile Communications) signals. It is built on top of the GNU Radio framework, which is a powerful toolkit for building software-defined radios (SDRs). Key Functions of GR-GSM include the following;

Signal Reception:

  • Hardware Integration: GR-GSM interfaces with various SDR hardware, such as RTL-SDR, HackRF, and USRP devices. These hardware components capture the raw radio frequency (RF) signals transmitted by GSM base stations.
  • Tuning and Sampling: The SDR hardware is configured to tune to the specific GSM frequency bands and sample the RF signals at the appropriate rate for GSM (typically 1.92 MS/s for the GSM signal).
    Signal Demodulation:

GMSK Demodulation:

  • GSM signals use Gaussian Minimum Shift Keying (GMSK) modulation. GR-GSM includes demodulators that convert the modulated RF signals into baseband I/Q (In-phase and Quadrature) signals.
  • Burst Detection: The software identifies the time-slotted structure of GSM transmissions and extracts the individual bursts (200 kHz wide channels divided into time slots).

Signal Decoding:

  • Channel Decoding: GR-GSM implements GSM channel codecs to decode the Layer 1 (physical layer) data. This includes decoding the synchronization channels (SCH, BCCH) to extract system information and the traffic channels (TCH) for voice and data.
  • Error Correction: GSM signals include error correction codes (e.g., convolutional codes). GR-GSM decodes these to correct errors introduced by the transmission medium.

Protocol Analysis:

  • LAPDm and Layer 2/3 Decoding: GR-GSM decodes the Layer 2 (LAPDm) and Layer 3 messages, allowing the interpretation of signaling information such as call setup, SMS delivery, and mobility management messages.
  • Wireshark Integration: GR-GSM can export decoded messages to Wireshark, a network protocol analyzer, enabling detailed analysis of GSM protocol messages.

The role of LAPDm

In GSM networks, LAPDm stands for Link Access Protocol for the Dm channel. It is a data link layer protocol used in the GSM standard to manage the reliable transmission of control messages between the mobile station (MS) and the base transceiver station (BTS). Some of the key points about LAPDm are:

  • Role: LAPDm is responsible for the transmission of signaling messages over the air interface, ensuring that these messages are delivered reliably and in the correct order.
  • Layer: It operates at the Layer 2 (Data Link Layer) of the GSM protocol stack.
  • Protocol Type: LAPDm is a variant of the LAPD (Link Access Procedure, D-channel) protocol used in ISDN (Integrated Services Digital Network), but it is adapted for the mobile environment in GSM.

Some of the main functions of LAPDm:

  • Frame Delimitation and Synchronization: Ensures that the start and end of each frame are correctly identified.
  • Error Detection and Correction: Uses checksums and retransmission requests to handle errors in the transmitted data.
  • Flow Control: Manages the rate at which frames are sent to prevent congestion and ensure smooth communication.
  • Sequencing: Maintains the order of frames, so messages are received in the correct sequence.

LAPDm is crucial for the reliable exchange of control information, such as call setup, location updates, and SMS delivery, between the mobile device and the network infrastructure. By ensuring the integrity and reliability of signaling messages, LAPDm helps maintain the overall functionality and efficiency of GSM networks.

The role of GSMTap

GSMTAP is a pseudo-header that is used to transport frames from the GSM air interface (Um interface) inside UDP/IP packets. A pseudo-header is an additional header in front of a protocol message, which is not part of the actual protocol. GSMTAP was inspired by the radiotap header, which performs a similar function for 802.11 (WiFi) messages.

  • Purpose: GSMTAP is primarily used for debugging and analysis. It encapsulates GSM messages in a format that can be easily understood by network protocol analyzers.
  • Encapsulation: GSMTAP wraps GSM protocol data into IP packets. These packets can then be transmitted over a network, allowing the data to be captured and analyzed remotely.
  • Usage with Wireshark: Wireshark, a popular network protocol analyzer, supports GSMTAP. When GSMTAP packets are captured, Wireshark can decode and display the GSM protocol layers, making it easier for engineers and researchers to understand and troubleshoot GSM network issues.
  • Integration with SDR and GR-GSM: Tools like GR-GSM can use GSMTAP to encapsulate decoded GSM messages. This integration allows the output from software-defined radios (SDRs) to be analyzed in real-time with Wireshark.

Basic signal capture with grgsm_livemon_headless

Starting basic signal capture using gr-gsm components can be done by using the grgsm_livemon_headless util. grgsm_livemon_headless is a command-line tool that is part of the GR-GSM (General Radio-GSM) suite. GR-GSM is an open-source project based on GNU Radio, which provides tools for receiving, demodulating, and decoding GSM signals using software-defined radios (SDRs).

Unlike grgsm_livemon, which provides a graphical user interface (GUI) for real-time monitoring, grgsm_livemon_headless runs without a GUI. This makes it suitable for environments where graphical output is not needed or possible, such as remote servers or embedded systems.

grgsm_livemon_headless can spool decoded GSM messages to a local loopback interface using GSMTAP. This allows the data to be captured and analyzed by tools such as Wireshark running on the same machine. When grgsm_livemon_headless is configured to output to a local loopback interface, it encapsulates the decoded GSM messages in GSMTAP format and sends them to the loopback network interface. Wireshark or any other network protocol analyzer can then capture these packets for analysis.

The below is a command I used to start grgsm_livemon_headlessto monitor the 927.8M frequency using a HackRF device which was atatched to my Kali Linux instance (running in Oracle Virtualbox on a iMac);

grgsm_livemon_headless --f=927.8M --args=hackrf 

Additional arguments can be given to grgsm_livemon_headlessto finetune the capture of GSM data and where to spool the results, however for a basic capture the above will suffice and help you to take the first steps in analyzing mobile network traffic.

Analyse GSM data with Wireshark

As we now have ensured that we capture GSM data and spool this into the local loopback, shown in the previous step, we can use wireshark to actually listen into the data streaming through the local loopback address.

It is important to note that intercepting GSM signals must adhere to legal and ethical guidelines. Unauthorized interception of communications is illegal in many jurisdictions and can result in severe penalties. Therefore, this technology should be used responsibly and for legitimate purposes only. When using it for legitimate purposes using this technology will allow you to debug the GSM data to imporve the network and/or the technology you try to develop.

About the author(s)
Johan Louwers is currently Chief Enterprise Architect within Oracle as well as the lead architect for NATO and a number of militaries. Johan has a strong and long background in the field of Enterprise Architecture and complex system engineering. Having worked with enterprises in a diverse set of industries as (enterprise) architect, CTO and technical and strategic business advisor Johan brings both deep technical knowledge to the table as well as strong business oriented expertise. In addition to this Johan is a tech addict who tends to enjoy supporting open source initiatives and actively coding as a hobby. Views expressed in this post are personnel and do not necessarily reflect the views of my current employer.

--

--

Johan Louwers
Johan Louwers

Written by Johan Louwers

Johan Louwers is a technology enthousiasts with a long background in supporting enterprises and startups alike as CTO, Chief Enterprise Architect and developer.

No responses yet