GSM Capturing, Decoding with USRP and SDR in Kali Linux Rolling Edition

This is a full, step-by-step tutorial on installing GR-GSM, libosmocore, GNU Radio Companion and everything else needed to capture GSM packets and decode them in Wireshark, using the HackRF One SDR and the RTL-SDR.

By Community member Scoyok (Scott)

I could not have put this together without community member Slick97477 (Bryon).

(He has also modified this tutorial for compatibility with Kali Sana 2.0 KDE (rtl-sdr); coming soon.)

I got all the information contained herein from too many places to name them all; here are a few:

https://github.com/mossmann/hackrf

http://www.rtl-sdr.com/tag/airprobe/

https://gnuradio.org/redmine/projects/gnuradio/wiki/GNURadioCompanion

http://sdr.osmocom.org/trac/wiki/GrOsmoSDR#HackRFSourceSink

https://z4ziggy.wordpress.com/2015/05/17/sniffing-gsm-traffic-with-hackrf/

https://github.com/ptrkrysik/gr-gsm/wiki

http://bb.osmocom.org/trac/wiki/libosmocore

http://hackaday.com/2015/10/10/sdr-tutorials-from-michael-ossmann/

DISCLAIMER:

IF YOU BREAK ANY OF YOUR DEVICES IN ANY WAY, CAUSE THE END OF THE WORLD, GET ARRESTED, OR NERD RAGE ON YOUR FAMILY, I AM NOT RESPONSIBLE.

I AM NOT RESPONSIBLE FOR HOW YOU USE ANY INFORMATION CONTAINED HEREIN, IT IS INTENDED FOR EDUCATIONAL AND RESEARCH PURPOSES ONLY. IT IS SOLELY YOUR RESPONSIBILITY TO UNDERSTAND AND FOLLOW LOCAL, AND INTERNATIONAL LAWS. DO NOT INTERACT WITH ANY SIGNAL BUT YOUR OWN!

Equipment: a software-defined radio device. I used the HackRF One to make this tutorial; it was modified to work in Kali Sana 2.0 with the RTL-SDR by Slick97477 aka Bryon (he will post that separately). I installed this dual-booting with Windows 10 on an AMD quad-core laptop and on my primary custom machine. Keep in mind that if you have a different SDR you may have to change a few of the drivers specific to yours.

Recommended: I tested this tutorial with a fresh install; I only ran these commands before starting this tutorial.

apt update

apt upgrade -y

apt-get install kali-linux-all

apt-get install flashplugin-nonfree

update-flashplugin-nonfree --install

I suggest your install be as fresh as possible, brand new if you can.

WARNING: You have probably noticed that there isn’t a working tutorial up anywhere else yet for Sana or Rolling release. I tried all the different methods from all the sites I could find before coming to this exact order and combination. DO NOT USE PYBOMBS! DO NOT TRY USING ORIGINAL AIRPROBE! (or the patched airprobe method) These methods will pretty much nuke your install. We are gonna be installing a whole bunch of dependencies that are not native to Kali, and the exact order and the directory you are in while compiling (using a lot of make commands) has everything to do with success. If you mess up you may have to re-install Kali, so have an .iso handy. I run as root all the time; add sudo to the majority of commands if you do not.

Feel free to email me with any questions and I will provide as much support as possible. The second email is the linked development account Bryon and I share, solely for support; one of us will get back to you.

Just for me (Scott): scoyok@gmail.com, or for both of us: twobrothersdevs@gmail.com

Just for Bryon: slick97477@gmail.com

Finally, this isn’t perfect. I spent a couple of hours late at night for a week working on this, so there may be a few extra packages that get installed, posting my progress to Bryon via comments in Google Docs and then playing catch-up after working 14-hour days and coming home to a wife and kids. Bryon and I have made the decision to become more publicly active, so look for more coming from us in the future. This is our passion and our work, but family always comes first. Be respectful and patient; one of us will get back to you. We want to learn from others and help others learn. If you happen to catch something, feel free to let us know.

Keep in mind that some packages are installed twice on purpose. For whatever reason the package talloc, for example, can be installed now and then later during make it will say “...make failed package libtalloc…” not found. So then you go back into the package manager and search again, and all of a sudden more talloc dev packages pop up. So, I ask that you just follow the tutorial all the way through step by step, and if you have the HackRF One I know it will work.

Updating the Hackrf One to its current firmware release

Download firmware from here:

https://github.com/mossmann/hackrf/wiki/Updating-Firmware

Follow the step-by-step instructions to make sure your HackRF One is updated and the drivers are installed. You can check by running hackrf_info:

Selection_031.png

STEP 1: Package Downloader

Applications (drop-down menu), then Usual Applications (drop-down), then System, and select Package Downloader (it has a picture of a blue down arrow).

Selection_001.png

Once it is open, search in the search bar for “osmo” and download everything that you think has anything to do with SDR, GSM, or gr-gsm. The programs are built with std=gnu++11 and std=c++11, so do the same there. Now we are also going to search for Talloc (for the first time) and select ALL packages for install to meet the requirements for libosmocore.

This is necessary to integrate C++ and Python; gr-gsm/gnuradio relies primarily on C++.

DOWNLOAD IT ALL, TRUST ME YOU WOULD RATHER HAVE MORE THAN LESS!

STEP 2: Commands for Dependencies

More dependencies through apt-get and git commands; these are pretty self-explanatory.

apt-get install hackrf libhackrf-dev libhackrf0

apt-get -y install git-core autoconf automake libtool g++ python-dev swig libpcap0.8-dev

apt-get install gnuradio gnuradio-dev gr-osmosdr gr-osmosdr

apt-get install git cmake libboost-all-dev libcppunit-dev swig doxygen liblog4cpp5-dev python-scipy

STEP 3: Libosmocore

You have to have libosmocore, and you will need the following tools:

apt-get install build-essential libtool shtool autoconf automake git-core pkg-config make gcc

and the following (optional) libraries:

apt-get install libpcsclite-dev

git clone https://github.com/ptrkrysik/gr-gsm.git

cd gr-gsm        ************PAUSE***********

Go back to Package Downloader and search for Talloc again; there should be somewhere around 7 more 2.1.x packages now that the other dependencies have opened up. Download them or you will get a “make” failure. Trust me, do it.

So things should be going well; make sure you are in the right directory and that you do this in the right order, or any one of these could become very frustrating.

From the gr-gsm directory, clone libosmocore:

git clone git://git.osmocom.org/libosmocore.git

cd libosmocore

autoreconf -i

./configure

make

make install

ldconfig -i

cd ..

STEP 4: Back to setting up gr-gsm now that the dependencies are resolved

****START****

mkdir build

cd build

cmake ..

make

make install

ldconfig

Now, using a text editor, create a text file named:

config.conf

then paste the following into it:

[grc]

local_blocks_path=/usr/local/share/gnuradio/grc/blocks

****NOTE****

(the Places “Home” function in Rolling release does not search the actual root; go to Computer)

You may have to manually locate the folder using Places: click Home, click Other Locations (at the bottom), click Computer (this is the REAL root), open etc, then gnuradio, and save from the text editor (I used gedit) to this location. (If you have a different desktop environment this could be different; email Bryon at slick97477@gmail.com with any issues.)

So when you're done, wherever your gnuradio folder is located in the root of your drive (/etc/gnuradio; you will see a conf.d folder in there, which is where the global GNU Radio config file is), place your text file next to it. Your /etc/gnuradio folder should look like this:

Selection_002.png

STEP 5: Time for Kalibrate-hackrf

EDIT: If you have the RTL-SDR, skip to step 5b.

If you are NOT using the HackRF One you may have to do a little googling to see how to get the correct version for your device. Bryon used the rtl-sdr version located here: https://github.com/steve-m/kalibrate-rtl

Now we need Kalibrate-hackrf (dependent on which device you have):

git clone https://github.com/scateu/kalibrate-hackrf.git

cd kalibrate-hackrf

./bootstrap

./configure

make

make install

ldconfig

STEP 5b: (thank you slick!)

git clone https://github.com/steve-m/kalibrate-rtl.git

cd kalibrate-rtl

./bootstrap

./configure

make

make install

ldconfig

You should have had no errors thus far; if you did, more than likely you didn’t fill a dependency or installed something in the wrong directory.

Now let’s test everything out and run a scan for GSM base stations using Kalibrate. You will have to use the proper GSM band parameter (‘-s’) to correspond to your local operator; check your country's band range here:

http://www.worldtimezone.com/gsm.html 

Here is the United States copied from the website for quick reference:

United States (USA)     1900 850

3G 850/1900 Verizon; 3G 1700/2100 T-Mobile USA; 3G 850/1900 AT&T; 3G 800/1900 Sprint; 3G 800/1900 boost; 3G 1700/2100 MetroPCS; 3G 1700/2100 VTel Wireless; 3G 1900 Alaska Wireless; 3G 1700/2100 New Mexico RSA; 3G 1700/2100 Iowa Wireless; 3G 850 Cordova Wireless; 3G 1700/2100 Cincinnati Bell; 3G 1700/2100 CTC Telcom; 3G 1700/2100 Big River;

4G LTE Verizon 700/850/1700/2100Mhz; 4G LTE T-Mobile USA 700/1700/2100Mhz; 4G LTE AT& T 700/850/1700/1900Mhz; 4G LTE Sprint 800/1900/2500Mhz; 4G LTE boost 800/1900Mhz; 4G LTE MetroPCS 700/1700/2100Mhz; 4G LTE NewCore Wireless 1900Mhz; 4G LTE SRT Wireless 1900Mhz; 4G LTE U.S. Cellular 700/850/1900/2100Mhz; 4G LTE Adams Networks 700Mhz; 4G LTE AlaskaComm / GCI 1700Mhz; 4G LTE Big River Broadband 1700Mhz; 4G LTE Bluegrass Cellular 700Mhz; 4G LTE C Spire 1700/1900Mhz; 4G LTE Colorado Valley 700Mhz; 4G LTE ETC 700Mhz; 4G LTE Evolve Broadband 700Mhz; 4G LTE Fuego Wireless 700Mhz; 4G LTE miSpot 700Mhz; 4G LTE Mosaic Telecom 700/1700Mhz; 4G LTE Nex-Tech Wireless 700Mhz; 4G LTE Nortex 700Mhz; 4G LTE nTelos 1900Mhz; 4G LTE PTCI 700Mhz; 4G LTE Peoples Telephone Cooperative 700Mhz; 4G LTE Space Data Corporation 1700Mhz; 4G LTE Syringa 700Mhz4G LTE United Wireless 700Mhz; 4G LTE VTel 700Mhz

Here was my terminal output:

Selection_004.png

Note: it may take a bit to scan; just let it run. The more options you have, the better for later.

Sometimes you will only get a few results, and others you will have about 7 channels. It all depends on GSM traffic at that time.

Now that you have narrowed it down to a frequency or two, we need to open GQRX to get an exact frequency for the next step. From the terminal, type:

root@OFF:~# gqrx

Selection_005.png

(see above)

Now gqrx should open up and just be sitting there. Take the frequencies that you scanned with Kalibrate and enter them in the top-left digital MHz display, then set your filter to “Wide” and your mode to “AM”. The “Power” button is almost directly underneath the File tab (again, top left). I only mention this because apparently some people had the power button default to the same color as the background.

After adjusting your settings and entering your frequency, click Power to activate gqrx and it should look something like the first screenshot. Now you can see that the heavier traffic (GSM) is indicated by the thicker yellow bar and wider range on the graph, which means we have to dial it in just a little. The easiest way (so you do not lose your center) is to click into the digital dialer and use the arrow keys on your keyboard to go up or down until the little spectrum graph (bottom right of gqrx) shows a sharper drop and you can hear a high-pitched squeal with little or no static; you can see this in the second screenshot below.

Selection_006.png

(After entering the initial scan results from Kalibrate)

Selection_007.png

(Dialed in on the GSM signal) 

Now it is time to record the dialed-in frequency somewhere so we can close gqrx and start capturing and decoding through GNU Radio Companion and gr-gsm (formerly airprobe; you will notice the commands still say airprobe).

Close gqrx, and from a root terminal change directories: cd /gr-gsm/apps (see below):

Selection_008.png

Now enter the following command:

gnuradio-companion airprobe_rtlsdr.grc        (note the hyphen and underscore)

EDIT: As of the recent update to gr-gsm this command no longer works, it is now:

gnuradio-companion grgsm_livemon.grc  (Thank you Kali.org community member jsa91)

The goal is to point gnuradio companion at the corresponding location within the /gr-gsm/apps directory. -see below

Selection_009.png

After entering the proper command (gnuradio-companion grgsm_livemon.grc) your terminal output should look like this right before gnuradio opens.

Selection_010.png

With gnuradio companion open you should now be looking at this screen:

Selection_011.png

The first thing I recommend you do is adjust your QT GUI Range block; by default it starts at 900 MHz and in some areas you are going to need at least 800 MHz to start. So, from the top left, double-click on the second QT GUI Range block and it will open to look like the screenshot below. The area I highlighted says “Start 800e6” because I changed mine previously; yours should say “Start 900e6”. You guessed it: change the “9” in yours to an “8”, then click Apply to save your changes. From this point forward your beginning frequency will always be 800 MHz.

Selection_012.png

Now we are ready to generate our GSM block tree by clicking this little button on the top command bar:

Selection_013.png

Click one time and in the bottom terminal window it will read:

Selection_014.png

Now we will execute the block tree with the Play button next to the Generate button:

Selection_015.png

Now watch your terminal window output the following; almost instantly afterwards the Volk radio will open. There will be NO SOUND.

Selection_016.png

The Volk radio should look like this:

Selection_017.png

This part is a little confusing: highlight the frequency indicator, then type in the EXACT frequency you recorded from gqrx earlier and hit Enter. It should dial into your frequency, and IF your calculations from earlier were perfect, you will see another terminal open, instantly decoding the signal with gr-gsm. IT WILL SAY airprobe, much like the top of the Volk radio in the above screenshot.

(Below)

Selection_018.png

Notice the wider-range frequency appeared, indicating GSM traffic. After a week of practice I have gotten pretty good at narrowing down the frequency through the gqrx radio by the visual and audio indicators. Do not get discouraged; it took me 3 hours to get it decoding the first time.

I hit the frequency dead on: the terminal output within the gnuradio companion GUI is now decoding AND another root terminal has opened doing the same. The output will look the same in both:

(the terminal output from the gnuradio companion GUI)

Selection_019.png

(terminal output from the root terminal)

Selection_020.png

Okay, so we are now successfully capturing and decoding (not decrypting OR saving) my personal GSM signal. You know this when you see the “2b” bytes in the code stream: 0x2b is the standard fill octet used to pad GSM layer 2 frames, so it is the most common filler in GSM traffic. If you want to learn more, I highly recommend watching this lecture on YouTube; it has a ton of educational information delivered by the leading industry expert Karsten Nohl. Just search his name and you will find it.

Now we need to send the streaming signal into Wireshark for analysis. Open another terminal window and enter the following command:

wireshark -k -Y 'gsmtap && !icmp' -i lo        (do not forget to add “sudo” if you’re not root)
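As an added example (not part of this tutorial or of gr-gsm itself), here is a small Python parser for the GSMTAP datagrams that gr-gsm sends to UDP port 4729 on the loopback interface, which is what the Wireshark filter above displays. It maps the ARFCN in each header to a downlink frequency for the bands Kalibrate scans (GSM850 and PCS1900 in the US, plus GSM900 and DCS1800), flags the all-0x2b fill frames mentioned earlier, and names the RR messages discussed below (paging request, SI type 1, SI type 13). The sample datagrams are constructed, not captured; the band and message-type constants come from 3GPP TS 45.005 and TS 44.018.

```python
import struct

GSMTAP_PORT = 4729           # UDP port gr-gsm sends GSMTAP to; Wireshark reads it on lo
GSMTAP_TYPE_UM = 0x01        # GSM Um (air interface) frames
ARFCN_PCS_FLAG = 0x8000      # ARFCN 512..810 means PCS1900 when set, DCS1800 otherwise
ARFCN_MASK = 0x3FFF
L2_FILL = 0x2B               # LAPDm fill octet: the "2b" runs in the decoder output
CHANNEL = {1: "BCCH", 2: "CCCH", 4: "AGCH", 5: "PCH", 6: "SDCCH"}
RR_MESSAGE = {0x00: "System Information Type 13", 0x19: "System Information Type 1",
              0x21: "Paging Request Type 1"}   # 3GPP TS 44.018 RR message types named in the tutorial
# (first ARFCN, last ARFCN, downlink MHz of first ARFCN, PCS flag required or None): P-GSM900, E-GSM900, GSM850, PCS1900, DCS1800
BANDS = [(0, 124, 935.0, None), (975, 1023, 925.2, None), (128, 251, 869.2, None),
         (512, 810, 1930.2, True), (512, 885, 1805.2, False)]

def arfcn_to_downlink_mhz(arfcn, pcs=False):
    """Downlink centre frequency for an ARFCN; PCS1900 reuses DCS1800 numbers, so the flag decides."""
    for first, last, base_mhz, needs_pcs in BANDS:
        if first <= arfcn <= last and needs_pcs in (None, pcs):
            return round(base_mhz + 0.2 * (arfcn - first), 1)
    raise ValueError(f"ARFCN {arfcn} is not in a supported band")

def build_gsmtap(arfcn, sub_type, payload, frame_number=0, pcs=False, signal_dbm=-60):
    # GSMTAP v2 header: version, hdr_len in 32-bit words, type, timeslot, arfcn+flags, signal dBm,
    # SNR, frame number, sub_type, antenna, sub_slot, reserved. Used here only to build constructed samples.
    field = arfcn | (ARFCN_PCS_FLAG if pcs else 0)
    header = struct.pack("!BBBBHbbIBBBB", 2, 4, GSMTAP_TYPE_UM, 0, field,
                         signal_dbm, 10, frame_number, sub_type, 0, 0, 0)
    return header + payload

def parse_gsmtap(datagram):
    """Decode the GSMTAP header, map the ARFCN to MHz and classify the L2 payload."""
    if len(datagram) < 16 or datagram[0] != 2 or datagram[2] != GSMTAP_TYPE_UM:
        raise ValueError("not a GSMTAP v2 Um datagram")
    (_ver, hdr_words, _type, _ts, field, signal_dbm, _snr, frame_number,
     sub_type, _ant, _slot, _res) = struct.unpack("!BBBBHbbIBBBB", datagram[:16])
    payload = datagram[hdr_words * 4:]                   # header length is in 32-bit words
    arfcn, pcs = field & ARFCN_MASK, bool(field & ARFCN_PCS_FLAG)
    channel = CHANNEL.get(sub_type, f"subtype {sub_type}")
    message = "other / not parsed"
    if payload and all(b == L2_FILL for b in payload):
        message = "L2 fill frame (all 0x2b)"
    elif channel in ("BCCH", "CCCH", "AGCH", "PCH") and len(payload) >= 3 and payload[1] & 0x0F == 0x06:
        # Bbis format: octet 0 is the L2 pseudo-length, octet 1 carries the L3 PD (0x06 = RR), octet 2 the type
        message = RR_MESSAGE.get(payload[2], f"RR message type 0x{payload[2]:02x}")
    return {"arfcn": arfcn, "downlink_mhz": arfcn_to_downlink_mhz(arfcn, pcs), "channel": channel,
            "frame_number": frame_number, "signal_dbm": signal_dbm, "message": message}

# Constructed sample datagrams (not captured traffic): a fill frame on a GSM850 BCCH, a paging request
# on a PCS1900 PCH, and an SI13 on the same ARFCN number without the PCS flag, i.e. a DCS1800 cell.
SAMPLES = [
    build_gsmtap(190, 1, bytes([L2_FILL]) * 23, frame_number=1001),
    build_gsmtap(600, 5, bytes([0x0D, 0x06, 0x21, 0x00, 0x01, 0xF0]) + bytes([L2_FILL]) * 17, pcs=True),
    build_gsmtap(600, 1, bytes([0x01, 0x06, 0x00]) + bytes([L2_FILL]) * 20, frame_number=2002),
]
```

Pointing a UDP socket bound to 127.0.0.1:4729 at `parse_gsmtap` gives the same per-frame view Wireshark shows, which is handy for checking that grgsm_livemon is really on a cell before opening the GUI.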

Now you should have the live stream feeding into Wireshark, partially decoded and ready to be interpreted; it will look like the screenshot below. Notice that there are paging requests with different categories assigned to them; these are where you get important information for later decryption of your own signal. For now, open them up and get to know the GSM signal. I will show the important information in numerous smaller screenshots below.

I will not be going over decryption in this tutorial.

Selection_021.png

(sorry for the crappy screenshot, I was trying to select a window shot; will not be doing that again)

The next screenshot I want you to look at (below) is a “Location Updating Request” coming in from the provider; it is also listed below as Cingular Wireless (AT&T). You will also see that the cipher is not listed, as it is encrypted.

Selection_024.png

This next one is the rest of the Location Updating Request; notice it has the IMSI number listed.

Selection_025.png

Let’s look at one more; we will look at a paging request. System level 1 paging requests are essentially just filler containing status information, i.e. channel, power level etc. We are going to look at some more important information from a System Information Type 1; again this is basic system information, but we are working our way up the ladder.

Selection_026.png 

I just got a text message, so it has worked out for you to see the output when there is a lot of encrypted data contained in a message. This is a System Information Type 13:

Selection_027.png

(these continue into each other)

Selection_028.png

(these continue into each other)

Selection_029.png

Selection_030.png

This is from the bottom of the page in Wireshark; this is where you would see text messages appear if you had the key.

There is quite a bit of information in all of these requests, including the encryption type A5/1, but again, I won’t be getting into rainbow tables or decrypting. I will say that there will be a lot more to come from TwoBrothersDevs in the future!

This concludes the tutorial. I noticed I have gone up to 20 pages, I apologize. GSM information is hard to find in one place, and near impossible for GSM and Kali Linux. I hope this has helped you learn about this subject. The internet is one thing, but GSM is the big picture; mastering GSM signals opens infinite possibilities!

Thanks for reading this far,

Scott (Scoyok) and Bryon (Slick97477)

For support or questions email twobrothersdevs@gmail.com 

For individual questions for Scott scoyok@gmail.com

For individual questions for Bryon slick97477@gmail.com

Look for Slick97477’s modified version of this tutorial for Kali Linux Sana 2.0 coming soon!