Analyze and Crack GSM Downlink with a USRP

A fairly-well documented article has already been written about this for RTL-SDRs. But what about the USRP folks out there? The article’s cited files to use are even RTL-SDR geared. The easy response to that would be to suck it up, and purchase an RTL-SDR dongle. Well, you would be mistaken. Not every location has GSM bands that fall under 1.7GHz (specifically 850MHz for AT&T and T-Mobile). In some locations, CDMA rides on these bands. This can be a bit frustrating. Well, look no further than here. Fire up your USRP (read: HackRF, BladeRF, USRP, etc.) and follow the directions for the RTL-SDR here and stop at the point where it asks you to load their cfile for testing.

From here on out, follow these directions.

  1. Find out where GSM is transmitting on a non-hopping frequency. For me, this is 1.9826GHz. Now, determine your gain necessary to receive GSM correctly. This depends on your antenna and device, so you may need to tweak this a bit before airprobe starts receiving data. 34 worked well for my setup. We will also record at a sample rate of 1,000,000 (1e6).
  2. Load wireshark in another tab and set it to listen on lo and use the filter gsmtap.
  3. cd airprobe/gsm-receiver/python/src/
  4. ./ -f 1982600000 -s 1e6 -g 34
  5. A GNURadio FFT will appear. This will give us a good idea if the signal is strong and working with airprobe. Mess with the gain and click on the center of the peak each time you alter the gain. You should see a wave of hex absorb your terminal session when you hit the right spot, as well as in wireshark.
  6. To record this for cracking, execute the command below:
  7. uhd_rx_cfile –samp-rate=1.0e6 -f 1982600000 -g 34 /location/of/file/to/save/gsmRX.cfile
  8. Download and install pytacle; you will also need kraken and the kraken rainbow table for pytacle to work
  9. Pytacle should be pretty straight forward. Follow his YouTube video for more guidance, but all you need to do is point to the full directory and file location of each field found within the Properties section of the application. After that, you will have a cracked GSM session!


This entry was posted in Uncategorized. Bookmark the permalink.

One Response to Analyze and Crack GSM Downlink with a USRP

  1. Pingback: youjizz

Leave a Reply

Your email address will not be published. Required fields are marked *