Sep15 09 Otterbach GSM

Hands-on GSM Analysis with GNU Radio and
AirProbe
GNU Radio Conference 2014
Nico Otterbach | September 15, 2014 | Washington, D.C.
A. Background
The Project
September 2014
1
A. Background
The Project
GSM emergency call handling
September 2014
1
A. Background
The Project
Creation of protocol traces
September 2014
1
A. Background
The Project

eCalls should be rejected (w/o SIM)
September 2014
1
A. Background
The Project

eCalls should be rejected (w/o SIM)
Source: rohde-schwarz.com
September 2014
1
A. Background
The Challenge
September 2014
2
A. Background
The Challenge
Technical Challenges
Connect to the network w/o SIM
Base station and channel assignment
September 2014
2
A. Background
The Challenge
Legal Challenges
Calling 110/911 in a real network
Recording of real network traffic
September 2014
2
A. Background
The Challenge
Legal Challenges
Available open-source projects

GNU Radio
AirProbe
OsmocomBB
September 2014
2
A. Background
The Challenge
Legal Challenges
Available open-source projects

GNU Radio
AirProbe
OsmocomBB
Create required GSM protocol traces with open source tools!
September 2014
2
Outline
A. Background
B. GSM Basics
C. OsmocomBB
D. GNU Radio & AirProbe
E. Summary & Outlook
September 2014
3
B. GSM Basics
Basic GSM Terminology
September 2014
4
B. GSM Basics
SIM (Subscriber Identity Module)
[uthmag.com]
September 2014
4
B. GSM Basics

IMSI (International Mobile Subscriber Identity)
[uthmag.com]
September 2014
4
B. GSM Basics

IMEI (International Mobile Equipment Identity)

[uthmag.com]
September 2014
4
B. GSM Basics

IMEI (International Mobile Equipment Identity)

[uthmag.com]
ARFCN (Absoulte Radio Frequency Channel Number)

Logical GSM channels
Up- & Downlink separated by 45 MHz
(Frequency Hopping)

200
= + 200
September 2014
4
A.
GSM Basics
GSM Emergency Call Handling (w/o SIM)
September 2014
5
A.
GSM Basics
No SIM, no IMSI!
IMEI used as quasi IMSI
[techmtaa.com]
September 2014
5
A.
GSM Basics
No SIM, no IMSI!
eCall rejection without valid IMSI

Actually omitted redirection in base station
Optional in GSM standard (mandatory in EU)
[techmtaa.com]
To avoid malpractice
September 2014
5
A.
GSM Basics
No SIM, no IMSI!

[techmtaa.com]
Possible evidence of eCall rejection
September 2014
5
A.
GSM Basics
No SIM, no IMSI!

[techmtaa.com]

o Complete protocol trace
(including negotiation and rejection by the network)
September 2014
5
A.
GSM Basics
No SIM, no IMSI!

[techmtaa.com]

o Ideally available in Wireshark
September 2014
5
A.
GSM Basics
No SIM, no IMSI!

[techmtaa.com]

o Ideally available in Wireshark
o Ideally based on cheap hardware
September 2014
5
Outline
A. Background
B. GSM Basics
C. OsmocomBB
September 2014
6
C. OsmocomBB
Introducing OsmocomBB
September 2014
7
C. OsmocomBB
Open-source GSM baseband software

Layer 1 on phone, higher layers on host
September 2014
7
C. OsmocomBB

Works with cheap hardware

Motorola phones (based on TI Calypso)
Serial adapter (~ 20-30 EUR)

Phones available on eBay (~ 10-20 EUR)
September 2014
7
C. OsmocomBB



September 2014
7
C. OsmocomBB



Provides Wireshark-Output
September 2014
7
C. OsmocomBB



Provides Wireshark-Output
Very promising approach that suits our needs!
September 2014
7
C. OsmocomBB
Utilizing OsmocomBB
September 2014
8
C. OsmocomBB
Utilizing OsmocomBB
September 2014
8
C. OsmocomBB
Utilizing OsmocomBB
Needed adjustments
Enable TX-support
Configuration w/o SIM
September 2014
8
C. OsmocomBB
Utilizing OsmocomBB
Needed adjustments
Enable TX-support
Problems with OsmocomBB

Little documentation
Camp on base station
Segfault when trying to initiate an
eCall w/o SIM
September 2014
8
C. OsmocomBB
Utilizing OsmocomBB
Needed adjustments
Enable TX-support
Problems with OsmocomBB

Little documentation
Camp on base station
Segfault when trying to initiate an
eCall w/o SIM
Great tool for GSM analysis, but problems w/o SIM!
September 2014
8
Outline
A. Background
B. GSM Basics
C. OsmocomBB
September 2014
9
D. GNU Radio & Airprobe
Whats next?
September 2014
10
Whats next?
AirProbe GSM Sniffer

Open-source software
Acquisition based on GNU Radio (3.6)
RTL-SDR / Hack RF / USRP support

Complete DeModulation module
[rtl-sdr.com]
September 2014
10
Whats next?


Challenges
[rtl-sdr.com]
AirProbe takes only one channel a time
Channel identification
Lacks Frequency Hopping support
September 2014
10
Whats next?


Challenges
[rtl-sdr.com]
AirProbe takes only one channel a time
Channel identification
Lacks Frequency Hopping support
Record entire
band
Identify
ARFCN
Segment
channel(s)
Demodulation
with AirProbe
September 2014
10
First approach: Use Available Hardware
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe
September 2014
11
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe
September 2014
11
Hack RF
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe
Terratec NOXON DAB (rev. 2)
GSM 900 & GSM 1800
Limited to GSM-900
High bandwidth
Low bandwidth
ARFCN identification (Uplink)
Parallel Downlink recording
September 2014
11
Hack RF
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe
Terratec NOXON DAB (rev. 2)
GSM 900 & GSM 1800
Limited to GSM-900
High bandwidth
Low bandwidth
ARFCN identification (Uplink)
Parallel Downlink recording
ARFCN must be known prior to measurement!

September 2014
11
First approach ARFCN Identification
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe
September 2014
12
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe
Idea: Locate ARFCN in frequency domain
September 2014
12
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe
September 2014
12
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe
Use Peak-Hold to identify nearby Tx
September 2014
12
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe

No real Short-Time Fourier-Transformation (windowing)!
September 2014
12
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe

No real Short-Time Fourier-Transformation (windowing)!
Keep it simple and stupid!

September 2014
12
First approach Results
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe
September 2014
13
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe
September 2014
13
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe
# of possible ARFCNs reduced to 5 - 10
September 2014
13
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe
No clear ARFCN identification possible (must be known prior to recording)
September 2014
13
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe
No clear ARFCN identification possible (must be known prior to recording)
Doesnt suit our needs in this constellation!
September 2014
13
Whats next?
September 2014
14
Whats next?
Reduce # of possible ARFCNs

Rural area, ideally a secluded valley
September 2014
14
Whats next?

September 2014
14
Whats next?

OR
September 2014
14
Whats next?

OR
Use of professional hardware
September 2014
14
Whats next?

OR
Use of professional hardware
September 2014
14
Second approach Professional Hardware
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe
September 2014
15
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe
September 2014
15
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe
2 USRP B200 (up to 56 MHz real time bandwidth)
September 2014
15
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe

Simultaneous Up- & Downlink recording of (almost) entire band
September 2014
15
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe

Simultaneous Up- & Downlink recording of (almost) entire band
No a priori knowledge of ARFCN needed anymore!
September 2014
15
Second approach Channel Segmentation
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe
September 2014
16
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe
Offline Filtering of single ARFCN
September 2014
16
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe
September 2014
16
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe

ARFCN selection by chan_num
September 2014
16
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe

= chan_num 200 + 100 16
September 2014
16
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe

= chan_num 200 + 100 16
Automated execution from python script for all possible ARFCNs

September 2014
16
Second approach Demodulation & Analysis
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe
September 2014
17
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe
Automated demodulation with AirProbe
September 2014
17
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe

Multiple channels merged in Wireshark trace
September 2014
17
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe

September 2014
17
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe

Wireshark filter: gsm_a.ie.mobileid.type=2/3
September 2014
17
Record
entire band
Identify
ARFCN
Segment
channel(s)
Demodulati
on with
AirProbe

Wireshark filter: gsm_a.ie.mobileid.type=2/3
Demodulation of uplink channels not possible!

September 2014
17
Outline
A. Background
B. GSM Basics
C. OsmocomBB
September 2014
18
Summary & Outlook
September 2014
19
Summary & Outlook
GNU Radio & python are great tools for offline data analysis
September 2014
19
Summary & Outlook
GNU Radio can be used as a library of DSP algorithms
September 2014
19
Summary & Outlook
AirProbe out-dated (last commit in 2011)
September 2014
19
Summary & Outlook
September 2014
19
Summary & Outlook
+
September 2014
19
Summary & Outlook
September 2014
19
Summary & Outlook
September 2014
19
Summary & Outlook
Low-cost, open source GSM protocol analyzer feasible,

but additional development effort needed!
September 2014
19
Questions?
Fennec Research UG (haftungsbeschrnkt)

Scheffelstrae 2
76135 Karlsruhe
Germany
info@fennec-research.com
www.fennec-research.com
September 2014

Sep15 09 Otterbach GSM

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Sep15 09 Otterbach GSM

Uploaded by

Copyright:

Available Formats

Hands-on GSM Analysis with GNU Radio and

Nico Otterbach | September 15, 2014 | Washington, D.C.

GSM emergency call handling

GSM emergency call handling

Creation of protocol traces

GSM emergency call handling

Creation of protocol traces

GSM emergency call handling

Creation of protocol traces

Available open-source projects

Available open-source projects

Create required GSM protocol traces with open source tools!

Basic GSM Terminology

Basic GSM Terminology

SIM (Subscriber Identity Module)

Basic GSM Terminology

SIM (Subscriber Identity Module)

Basic GSM Terminology

SIM (Subscriber Identity Module)

IMEI (International Mobile Equipment Identity)

Basic GSM Terminology

SIM (Subscriber Identity Module)

IMEI (International Mobile Equipment Identity)

ARFCN (Absoulte Radio Frequency Channel Number)

GSM Emergency Call Handling (w/o SIM)

GSM Emergency Call Handling (w/o SIM)

GSM Emergency Call Handling (w/o SIM)

eCall rejection without valid IMSI

GSM Emergency Call Handling (w/o SIM)

eCall rejection without valid IMSI

Possible evidence of eCall rejection

GSM Emergency Call Handling (w/o SIM)

eCall rejection without valid IMSI

Possible evidence of eCall rejection

GSM Emergency Call Handling (w/o SIM)

eCall rejection without valid IMSI

Possible evidence of eCall rejection

GSM Emergency Call Handling (w/o SIM)

eCall rejection without valid IMSI

Possible evidence of eCall rejection

Open-source GSM baseband software

Open-source GSM baseband software

Works with cheap hardware

Serial adapter (~ 20-30 EUR)

Open-source GSM baseband software

Works with cheap hardware

Serial adapter (~ 20-30 EUR)

Open-source GSM baseband software

Works with cheap hardware

Serial adapter (~ 20-30 EUR)

Open-source GSM baseband software

Works with cheap hardware

Serial adapter (~ 20-30 EUR)

Very promising approach that suits our needs!

Problems with OsmocomBB

Problems with OsmocomBB

Great tool for GSM analysis, but problems w/o SIM!

D. GNU Radio & Airprobe

D. GNU Radio & Airprobe

AirProbe GSM Sniffer

RTL-SDR / Hack RF / USRP support

D. GNU Radio & Airprobe

AirProbe GSM Sniffer

RTL-SDR / Hack RF / USRP support