[email protected] Project Report 1

GSM Wireshark Capture over OpenBTS System

Cruz Tovar

A20277095

May 2, 2014


Abstract

In the Fall and Spring semesters of 2013 and 2014, my colleague Sushma Sitaram implemented a GSM access point using OpenBTS that allows GSM-compatible phones to place calls over a VoIP network. To further the project, a software defined radio (SDR) device and open source applications were set up to allow GSM signals to be captured. This report describes the process that was involved in implementing the SDR device and outlines how the signals traverse the network, as observed with Wireshark.


Table of Contents

Abstract
1. Introduction
2. RTL-SDR
3. Airprobe
4. GNU Radio
5. Configuration of Software
   5.1 Airprobe Basic Dependencies
   5.2 Install libosmocore library
   5.3 Clone Airprobe
   5.4 Install gsmdecode
   5.5 Install gsm-receiver
6. Receiving a Live Channel
7. Logical Architecture
   7.1 Base Station Subsystem (BSS)
   7.2 Capture Station
   7.3 Mobile Station (MS)
8. Physical Architecture
9. Ladder Diagram
10. Conclusion
References


1. Introduction

Global System for Mobile communications (GSM) was initially designed as a circuit-switched telecommunications system that provides a direct connection between the caller and the recipient of the call. Over time GSM has evolved and can now be virtualized over IP broadband connections, and there is little noticeable difference between the old implementation of GSM and virtualized GSM systems. The GSM setup at IIT uses Open Base Transceiver Station (OpenBTS). OpenBTS uses a software radio to act as a GSM access point and allows calls to be made to other GSM phones. This report details how RTL-SDR hardware and other open source software were used to capture bearer and management signals on the GSM network. It also gives the physical and logical architecture of the Capture Station and describes how a GSM call would be transmitted over the network.

2. RTL-SDR

RTL-SDR is an affordable DVB-T TV tuner dongle built around RealTek's RTL2832U chip. What made this device so popular in the radio frequency community is the discovery that it can function as a software defined radio receiver. By pairing the RTL-SDR hardware with software, the device can be used to pick up a variety of RF signals, such as ham radio, police scanners, FM radio broadcasts, and many more. In this project the hardware and software are used to capture GSM signals.

3. Airprobe

Airprobe grew out of an earlier project known as the GSM-Sniffer project and developed into a project that can capture GSM signals from the air interface. Airprobe uses several repositories to receive and decode signals; the gsm-receiver repository from Airprobe is used to receive the signals from the air. Currently Airprobe is only capable of decoding downstream signals (GSM network to mobile phone), but it is able to handle the management channels.

4. GNU Radio

GNU Radio works well with RF hardware to implement software defined radio devices. GNU Radio is a software development toolkit that allows RF signals from a hardware device to be processed in software. On its own GNU Radio is not capable of capturing GSM signals; however, when paired with Airprobe it becomes capable of capturing them.

5. Configuration of Software

Using Kali Linux is a simple way to get an RTL-SDR device working, but some additional software and dependencies need to be installed before the device can be used. Kali Linux already ships with GNU Radio version 3.6. Using this version of GNU Radio is essential, as Airprobe is incompatible with version 3.7. After you have a version of Linux with GNU Radio 3.6 installed, you can then install the dependencies needed by Airprobe and the additional libraries that are required.


5.1 Airprobe Basic Dependencies

    sudo apt-get -y install git-core autoconf automake libtool g++ \
        python-dev swig libpcap0.8-dev gnuradio-dev cmake git \
        libboost-all-dev libusb-1.0-0 libusb-1.0-0-dev libfftw3-dev \
        python-numpy

5.2 Install libosmocore library

    git clone git://git.osmocom.org/libosmocore.git
    cd libosmocore
    autoreconf -i
    ./configure
    make
    sudo make install
    sudo ldconfig

5.3 Clone Airprobe

    git clone git://git.gnumonks.org/airprobe.git

5.4 Install gsmdecode

Each of the steps in 5.4 and 5.5 starts from the directory that contains the airprobe checkout.

    cd airprobe/gsmdecode
    ./bootstrap
    ./configure
    make

5.5 Install gsm-receiver

    cd airprobe/gsm-receiver
    ./bootstrap
    ./configure
    make

6. Receiving a Channel

After all dependencies, libraries, and additional software have been installed, the RTL-SDR device should be able to decode a live channel. First open a terminal window, type wireshark and press the enter key to start Wireshark.

Next, navigate to the directory below using the terminal window:

    cd airprobe/gsm-receiver/src/python

From that directory, enter the following command in the terminal window to receive a GSM channel. The -s flag sets the sample rate to 1.0 MSPS; if you leave out this flag the default sample rate is 1.8 MSPS.

    ./gsm_receive_rtl.py -s 1e6


Figure 1: Receiving a GSM Signal [1]

In Figure 1, there is a window titled "Top Block". This shows the spectrum of the GSM channel, and you will need to click in the middle of the GSM channel to start capturing traffic. After you have clicked, you should start seeing traffic in Wireshark. To stop capturing traffic, go back to the terminal window running the gsm_receive_rtl.py command and interrupt it with Ctrl+C.
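Wireshark does not read the RTL-SDR directly. The Airprobe setup described here relies on gsm-receiver decoding the bursts and handing each frame to Wireshark as a GSMTAP datagram sent over UDP to the local host on port 4729, which is why the capture has to run on the loopback interface (lo), ideally with the capture filter udp port 4729, and why an empty capture usually means the wrong interface was selected. The following example is added here and is not code from the report or from Airprobe: it builds and parses GSMTAP version 2 headers (the layout from libosmocore's gsmtap.h) so that a practitioner can inspect what a receiver is actually handing over, and it rejects malformed headers rather than guessing. The sample frames, the 23 filler octets standing in for a decoded L3 frame, and the ARFCN, frame-number and signal values are all constructed for the example.

```python
"""GSMTAP framing as used between a GSM receiver and Wireshark (added example)."""
import socket
import struct

GSMTAP_PORT = 4729          # UDP port that Wireshark's gsmtap dissector expects
GSMTAP_VERSION = 2
GSMTAP_TYPE_UM = 0x01       # payload is a GSM Um (air interface) frame
ARFCN_F_PCS = 0x8000        # flag bits carried in the 16-bit ARFCN field
ARFCN_F_UPLINK = 0x4000
ARFCN_MASK = 0x3FFF
# sub_type values for GSMTAP_TYPE_UM; bit 0x80 marks an associated control channel
CHANNEL_NAMES = {0: "UNKNOWN", 1: "BCCH", 2: "CCCH", 3: "RACH", 4: "AGCH", 5: "PCH",
                 6: "SDCCH", 7: "SDCCH/4", 8: "SDCCH/8", 9: "TCH/F", 10: "TCH/H"}
CAPTURE_FILTER = "udp port 4729"   # Wireshark capture filter to use on the lo interface

# 16-byte header in network byte order: version, hdr_len (in 32-bit words), type,
# timeslot, arfcn, signal_dbm, snr_db, frame_number, sub_type, antenna_nr, sub_slot, res
HDR_FMT = "!BBBBHbbIBBBB"
HDR_LEN = struct.calcsize(HDR_FMT)   # 16


def build_gsmtap(payload, arfcn, timeslot, frame_number, sub_type,
                 uplink=False, signal_dbm=-60, snr_db=20):
    """Wrap a decoded Um frame in a GSMTAP header, as a receiver does before sending it."""
    if not 0 <= timeslot <= 7:
        raise ValueError("timeslot must be 0..7")
    arfcn_field = (arfcn & ARFCN_MASK) | (ARFCN_F_UPLINK if uplink else 0)
    hdr = struct.pack(HDR_FMT, GSMTAP_VERSION, HDR_LEN // 4, GSMTAP_TYPE_UM, timeslot,
                      arfcn_field, signal_dbm, snr_db, frame_number & 0xFFFFFFFF,
                      sub_type, 0, 0, 0)
    return hdr + bytes(payload)


def parse_gsmtap(datagram):
    """Validate one GSMTAP datagram and return its header fields plus the payload."""
    if len(datagram) < HDR_LEN:
        raise ValueError("datagram shorter than a GSMTAP header")
    (version, hdr_words, typ, timeslot, arfcn_raw, signal_dbm, snr_db,
     frame_number, sub_type, _antenna, sub_slot, _res) = struct.unpack(HDR_FMT, datagram[:HDR_LEN])
    if version != GSMTAP_VERSION:
        raise ValueError("unsupported GSMTAP version %d" % version)
    hdr_bytes = hdr_words * 4
    if hdr_bytes < HDR_LEN or hdr_bytes > len(datagram):
        raise ValueError("hdr_len does not fit the datagram")
    return {
        "type": typ,
        "timeslot": timeslot,
        "arfcn": arfcn_raw & ARFCN_MASK,
        "uplink": bool(arfcn_raw & ARFCN_F_UPLINK),
        "pcs": bool(arfcn_raw & ARFCN_F_PCS),
        "signal_dbm": signal_dbm,
        "snr_db": snr_db,
        "frame_number": frame_number,
        "channel": CHANNEL_NAMES.get(sub_type & 0x7F, "0x%02x" % sub_type),
        "sub_slot": sub_slot,
        "payload": datagram[hdr_bytes:],
    }


def summarize(datagrams):
    """Count frames per logical channel, roughly what Wireshark's summary would show."""
    counts = {}
    for d in datagrams:
        try:
            key = parse_gsmtap(d)["channel"]
        except ValueError:
            key = "MALFORMED"
        counts[key] = counts.get(key, 0) + 1
    return counts


def listen(port=GSMTAP_PORT, max_frames=10):
    """Read GSMTAP datagrams from localhost to confirm a receiver is really sending them."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", port))
    frames = []
    while len(frames) < max_frames:
        data, _ = sock.recvfrom(2048)
        frames.append(parse_gsmtap(data))
    sock.close()
    return frames


# Constructed sample data: 23 filler octets stand in for a decoded downlink L3 frame.
SAMPLE_L3 = bytes([0x2B] * 23)
SAMPLE_FRAMES = [
    build_gsmtap(SAMPLE_L3, arfcn=50, timeslot=0, frame_number=123456, sub_type=1),  # BCCH
    build_gsmtap(SAMPLE_L3, arfcn=50, timeslot=0, frame_number=123457, sub_type=5),  # PCH
    build_gsmtap(SAMPLE_L3, arfcn=50, timeslot=1, frame_number=123458, sub_type=8),  # SDCCH/8
    b"\x01\x04" + b"\x00" * 20,   # constructed version-1 header: rejected by parse_gsmtap
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES))
```

Running the file prints the per-channel counts for the constructed frames; listen() is only useful with a receiver running, and only one process can bind the port, so stop it before starting Wireshark's own capture on lo.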


7. Logical Architecture

Figure 2: Logical Architecture of Capture Station and Test Bed Architecture

The logical architecture used to capture GSM signals is comprised of three components: the Capture Station, the Base Station Subsystem (BSS), and the Mobile Station (MS).

7.1 Base Station Subsystem (BSS)

The BSS is responsible for managing mobile subscribers over a radio interface to the network they are attempting to access [1]. Two components comprise the BSS: the Open Base Transceiver Station (OpenBTS) and the Base Station Controller (BSC). The OpenBTS used in this BSS setup is an open source product that takes the place of what is normally called the BTS, and it functions in the same manner as a normal BTS. OpenBTS allows a call to be maintained while it is in use over the network and tries to minimize any interference that may occur over the air. While OpenBTS maintains the connection, the BSC manages the network: it handles incoming and outgoing calls from the MS, manages the transfer of a connection when an MS is in motion, and performs other management functions.

7.2 Capture Station

The Capture Station is likewise comprised of two components: a computer running Linux and the software defined radio dongle.

7.3 Mobile Station (MS)

The Mobile Station is the cellular device, in this case a GSM phone together with its GSM SIM card.


8. Physical Architecture

Figure 3: Physical Architecture of Capture Station and Test Bed

The BSS and the Capture Station are fairly independent of each other. However, the Capture Station can be used to observe the network while an MS and the BSS are communicating. This is done through the radio frequency signals generated by the GSM network: the RTL-SDR device scans the GSM frequency band to find a signal and then captures the packets exchanged between the MS and the BSS. There is no direct wired link, as everything is captured over the air interface.


9. Ladder Diagram

Figure 4: Establishment of Signaling Channel [2]

In theory this is what would have been captured if we had been successful in implementing a trace of the packets over the OpenBTS network. Since we were not able to complete a call via the network, this is how GSM signaling would have been captured. In Figure 3, the first message shown on the ladder diagram is the mobile device sending a channel request to the BTS. RACH stands for Random Access Channel; the message is sent by the mobile device to the network when it first contacts the network in order to establish a channel. When a dedicated channel can be established for the mobile device, the network sends a Standalone Dedicated Control Channel (SDCCH) message. This message is signaled from the BSC to the BTS and is used to establish the dedicated channel. Once the BTS acknowledges that this will be the dedicated channel, the BSC assigns the channel to the mobile device. In this example we see that an AGCH message is sent to the mobile device before the dedicated channel is established. The AGCH message contains information about which channel will be dedicated to the subscriber. After this message is received by the mobile device, the SDCCH is used to establish the dedicated channel between the mobile device (subscriber) and the network.


Figure 5: Establishment of Bearer Channel [2]

After a signaling connection has been established, it is possible for traffic to flow. However, a few additional messages must be sent in order to establish a voice call. In Figure 3, the last message sent is the SDCCH. This message travels through the BTS and BSC and is then passed on to the Mobile Switching Center (MSC). The primary responsibility of the MSC is to establish a link between the mobile-originated call and the mobile-terminated call, as well as to manage mobile services such as registration, authentication, location update, handovers, and call routing. The MSC then sends a Traffic Channel (TCH) message, which verifies with the BSC that a traffic channel is available. Once the BTS verifies that a channel is available, it sends an acknowledgement to the BSC. The BSC then sends an SDCCH message to the mobile device stating that a TCH is available for the call. From this point you can see on the left side of Figure 4 that the top half of the exchange was established over the SDCCH and the lower half of the communication is carried out using the FACCH and TCH. The mobile device then sends a Fast Associated Control Channel (FACCH) message to the BSC. The FACCH is used to send high priority control messages, in this case to inform the MSC that the TCH has been established.

10. Conclusion

While I was not able to capture traffic over the OpenBTS network Sushma created, I was able to test the SDR device with Martin O'Sheild's GSM network. However, due to time constraints I was unable to capture any packets in Wireshark. The RTL-SDR dongle requires some finesse to use. It is necessary to calibrate the dongle because there is an offset between the actual frequency transmitted by the network and the frequency that the dongle receives. An impromptu scan of a GSM network was completed; however, in my haste I was unable to capture anything in Wireshark because I did not specify the interface for Wireshark to scan. What was hopeful is that in previous test captures the terminal window displayed zeros when scanning the OpenBTS network. This was in part because the GSM phone could not authenticate with OpenBTS, or because the OpenBTS network did not work properly. It was discovered that there could be some issues with the Range Networks device that prevent any signal from being broadcast. This could be another reason why I only picked up zeros during a packet capture. In the impromptu test of O'Sheild's GSM network, I no longer saw zeros in the terminal; data started to come through, which I wish I had screen captured to show the results, but I exited the terminal before realizing I should have taken a screenshot.

I am now hopeful that the RTL-SDR device does in fact pick up GSM signals. It is now a matter of finding the proper commands to calibrate the RTL-SDR, then using that calibration information to receive a channel with the Airprobe libraries, as well as specifying the proper interface for Wireshark to scan so that the traffic can be captured.
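The calibration problem described above comes down to the dongle's crystal error, usually expressed in parts per million (ppm): at GSM downlink frequencies a few tens of ppm amounts to a sizeable fraction of the 200 kHz channel spacing, so an uncalibrated receiver can land between channels or on the wrong one, and the decoder then sees nothing useful. The following example is added here and is not code from the report, from Airprobe, or from any rtl-sdr tool: it converts an ARFCN to its uplink and downlink centre frequencies using the band definitions of 3GPP TS 45.005 (it goes beyond the GSM 900 case by covering E-GSM, GSM 850, DCS 1800 and PCS 1900), turns a ppm figure into a frequency error and back, and expresses that error as a fraction of the channel spacing. The ARFCN and ppm values used at the bottom are constructed, and the sign convention of corrected_tune_hz (the dongle tunes high by ppm) is an assumption that must be checked against the dongle in use.

```python
"""ARFCN-to-frequency and ppm calibration arithmetic (added example, not from the report)."""

CHANNEL_SPACING_HZ = 200_000.0   # GSM carrier spacing


def arfcn_to_uplink_mhz(arfcn, pcs=False):
    """Uplink (MS -> BTS) centre frequency per 3GPP TS 45.005.
    pcs=True selects PCS 1900 for ARFCNs 512..810, which share numbering with DCS 1800."""
    if 0 <= arfcn <= 124:                 # P-GSM 900
        return 890.0 + 0.2 * arfcn
    if 975 <= arfcn <= 1023:              # E-GSM 900 extension band
        return 890.0 + 0.2 * (arfcn - 1024)
    if 128 <= arfcn <= 251:               # GSM 850
        return 824.2 + 0.2 * (arfcn - 128)
    if pcs and 512 <= arfcn <= 810:       # PCS 1900
        return 1850.2 + 0.2 * (arfcn - 512)
    if 512 <= arfcn <= 885:               # DCS 1800
        return 1710.2 + 0.2 * (arfcn - 512)
    raise ValueError("ARFCN %d is not in a supported band" % arfcn)


def arfcn_to_downlink_mhz(arfcn, pcs=False):
    """Downlink (BTS -> MS) centre frequency: uplink plus the band's duplex spacing."""
    if pcs and 512 <= arfcn <= 810:
        duplex = 80.0                     # PCS 1900
    elif 512 <= arfcn <= 885:
        duplex = 95.0                     # DCS 1800
    else:
        duplex = 45.0                     # GSM 900, E-GSM and GSM 850
    return arfcn_to_uplink_mhz(arfcn, pcs) + duplex


def frequency_error_hz(nominal_hz, ppm):
    """Absolute tuning error caused by a crystal offset of `ppm` parts per million."""
    return nominal_hz * ppm / 1e6


def estimate_ppm(nominal_hz, measured_hz):
    """Crystal offset implied by observing a known carrier at measured_hz instead of nominal_hz."""
    return (measured_hz - nominal_hz) / nominal_hz * 1e6


def corrected_tune_hz(nominal_hz, ppm):
    """Frequency to request so an uncalibrated dongle actually lands on nominal_hz.
    Assumes the dongle's real frequency is requested * (1 + ppm/1e6); verify the sign."""
    return nominal_hz / (1.0 + ppm / 1e6)


def channel_spacing_fraction(error_hz):
    """How far off the channel centre an error is, in units of the 200 kHz spacing."""
    return abs(error_hz) / CHANNEL_SPACING_HZ


def calibration_report(arfcn, ppm, pcs=False):
    """Worked numbers for one channel: where it is and how far off an uncalibrated dongle lands."""
    dl_hz = arfcn_to_downlink_mhz(arfcn, pcs) * 1e6
    err = frequency_error_hz(dl_hz, ppm)
    return {
        "arfcn": arfcn,
        "downlink_hz": dl_hz,
        "error_hz": err,
        "channels_off": channel_spacing_fraction(err),
        "tune_hz": corrected_tune_hz(dl_hz, ppm),
    }


if __name__ == "__main__":
    # Constructed values: a GSM 900 channel and a typical uncalibrated crystal error.
    print(calibration_report(50, 50.0))
```

For the constructed case the report shows the downlink carrier at 945.0 MHz and a 50 ppm crystal error of 47.25 kHz, roughly a quarter of a channel, which is enough to keep the decoder from locking. Measuring a known carrier (a strong BCCH, or a broadcast FM station) with the dongle and feeding the observed offset to estimate_ppm gives the correction to apply before tuning.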


References

[1] http://www.rtl-sdr.com/rtl-sdr-tutorial-analyzing-gsm-with-airprobe-and-wireshark/

[2] Sauter, M., "From GSM to LTE: An Introduction to Mobile Networks and Mobile Broadband", Wiley, 1st edition (February 7, 2011).