Description:

Recently a friend asked me to help diagnose a 4G modem, a "Yota Many", which sometimes stops working normally. After several hours of investigation I realized that finding the answer would take many days. I returned the device, but one question from this short story would not leave me alone: how can I diagnose the process of establishing a GSM connection? Some months ago I had bought a HackRF, which had remained untouched all this time ...

Step 1: Install software


Much has changed since my last installation of GNU Radio. Today the developers provide a nice tool that installs all the required software quickly. I installed: gnuradio, gr-gsm, gqrx, kalibrate-hackrf (replacing one line in kal.lwr).

Step 2: Analyze frequency


[image: gqrx]

kalibrate-hackrf scan of the GSM-900 band:

GSM-900:
        chan: 32 (941.4MHz + 38.247kHz) power: 7444660.99
        chan: 33 (941.6MHz - 22.350kHz) power: 7466304.92
        chan: 34 (941.8MHz - 18.478kHz) power: 7540613.95
        chan: 35 (942.0MHz - 39.813kHz) power: 7552806.56
        chan: 48 (944.6MHz + 5.646kHz)  power: 4942581.43
        chan: 49 (944.8MHz - 19.927kHz) power: 4954548.64
        chan: 50 (945.0MHz - 35.739kHz) power: 4887829.45
        chan: 89 (952.8MHz + 28.981kHz) power: 5072783.56
        chan: 90 (953.0MHz + 13.806kHz) power: 5033690.18
        chan: 91 (953.2MHz + 15.153kHz) power: 5080999.80
        chan: 92 (953.4MHz - 36.926kHz) power: 5159798.17
        chan: 93 (953.6MHz - 37.204kHz) power: 5185691.52
        chan: 122 (959.4MHz + 7.180kHz) power: 7805109.83
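The scan above is kalibrate-hackrf output; each line gives the ARFCN, the nominal downlink carrier, the measured offset of the FCCH from that carrier, and a relative power. The following is an added example (not the author's code) that parses such lines, converts between ARFCN and frequency, and matches the cell list from step 3 against the scanned channels. It assumes P-GSM 900 downlink numbering, f = 935 MHz + 0.2 MHz * ARFCN for ARFCN 1..124 (3GPP TS 45.005); the sample lines are copied from the scan above and the `kal -s GSM900` command name is my assumption about how they were produced.

```python
"""Parse a kalibrate-hackrf (`kal -s GSM900`) channel scan and map
ARFCN <-> downlink frequency.

Added example; not the author's code. Assumption: P-GSM 900 downlink
numbering, f = 935 MHz + 0.2 MHz * ARFCN for ARFCN 1..124 (3GPP TS 45.005).
"""
import re

# Constructed sample: five lines taken from the kal output in step 2.
KAL_OUTPUT = """\
GSM-900:
        chan: 32 (941.4MHz + 38.247kHz) power: 7444660.99
        chan: 33 (941.6MHz - 22.350kHz) power: 7466304.92
        chan: 35 (942.0MHz - 39.813kHz) power: 7552806.56
        chan: 49 (944.8MHz - 19.927kHz) power: 4954548.64
        chan: 122 (959.4MHz + 7.180kHz) power: 7805109.83
"""

# Cell list from step 3: CellID -> downlink frequency in Hz.
CELLS_FROM_MODEM = {
    0x30AD: 940_200_000,
    0x5278: 941_600_000,
    0x5279: 942_000_000,
    0x2F82: 944_800_000,
}

P_GSM_BASE_HZ = 935_000_000
CHANNEL_SPACING_HZ = 200_000

LINE_RE = re.compile(
    r"chan:\s*(?P<arfcn>\d+)\s*\(\s*(?P<mhz>[\d.]+)MHz\s*(?P<sign>[+-])\s*"
    r"(?P<khz>[\d.]+)kHz\s*\)\s*power:\s*(?P<power>[\d.]+)"
)


def arfcn_to_downlink_hz(arfcn):
    """Nominal P-GSM 900 downlink carrier for an ARFCN in 1..124."""
    if not 1 <= arfcn <= 124:
        raise ValueError("not a P-GSM 900 ARFCN: %d" % arfcn)
    return P_GSM_BASE_HZ + CHANNEL_SPACING_HZ * arfcn


def downlink_hz_to_arfcn(freq_hz):
    """Inverse mapping; rejects frequencies off the 200 kHz channel grid."""
    offset = freq_hz - P_GSM_BASE_HZ
    if offset % CHANNEL_SPACING_HZ:
        raise ValueError("%d Hz is not on the GSM-900 channel grid" % freq_hz)
    arfcn = offset // CHANNEL_SPACING_HZ
    if not 1 <= arfcn <= 124:
        raise ValueError("%d Hz is outside the P-GSM 900 downlink" % freq_hz)
    return arfcn


def parse_kal(text):
    """Return the scanned channels as dicts, strongest first.

    offset_hz is the measured FCCH offset from the nominal carrier; kal uses
    it (in ppm) to estimate the SDR's clock error, so ppm is kept as well.
    """
    channels = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        arfcn = int(m["arfcn"])
        nominal_hz = arfcn_to_downlink_hz(arfcn)
        # The MHz value kal prints must agree with the ARFCN formula.
        if abs(float(m["mhz"]) * 1e6 - nominal_hz) > 1:
            raise ValueError("ARFCN/frequency mismatch in line: %r" % line)
        offset_hz = float(m["khz"]) * 1e3
        if m["sign"] == "-":
            offset_hz = -offset_hz
        channels.append({
            "arfcn": arfcn,
            "freq_hz": nominal_hz,
            "offset_hz": offset_hz,
            "offset_ppm": offset_hz / nominal_hz * 1e6,
            "power": float(m["power"]),
        })
    channels.sort(key=lambda c: c["power"], reverse=True)
    return channels


def match_cells(channels, cells):
    """Map each modem-reported CellID to the scanned ARFCN on its frequency.

    A cell whose carrier never showed up in the scan is reported as None;
    that is the case to look at when the modem camps on a BTS kal cannot see.
    """
    seen = {c["arfcn"] for c in channels}
    return {cell_id: (downlink_hz_to_arfcn(f) if downlink_hz_to_arfcn(f) in seen else None)
            for cell_id, f in cells.items()}


if __name__ == "__main__":
    scan = parse_kal(KAL_OUTPUT)
    for c in scan:
        print("ARFCN %3d  %7.1f MHz  offset %+8.3f kHz (%+6.2f ppm)  power %.0f"
              % (c["arfcn"], c["freq_hz"] / 1e6, c["offset_hz"] / 1e3,
                 c["offset_ppm"], c["power"]))
    for cell_id, arfcn in match_cells(scan, CELLS_FROM_MODEM).items():
        print("CellID %04X -> ARFCN %s" % (cell_id, arfcn))
```

With the sample above, CellID 30AD maps to ARFCN 26, which is absent from the scan, while 5278, 5279 and 2F82 land on ARFCNs 33, 35 and 49. The consistency check between the printed MHz and the ARFCN formula is there so that a scan of another band (E-GSM, DCS-1800) fails loudly instead of silently mislabelling channels.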


Step 3: Device for searching


In my example it was a Huawei E1752, which I used with FreeSWITCH. The information I needed: MCC/MNC, LAC, CellID, TMSI.

Welcome to minicom 2.6.2

OPTIONS: I18n 
Compiled on Jun 10 2014, 03:20:53.
Port /dev/ttyUSB0, 19:29:36

Press CTRL-A Z for help on special keys

ATI

Manufacturer: huawei
Model: E1752
Revision: 11.126.13.00.00
IMEI: 354639040322239
+GCAP: +CGSM,+FCLASS,+DS

OK
AT+CREG=2

OK
AT+CREG?

+CREG: 2,1, 10E, 5278

OK
AT+CSIM=14,"A0A40000026F7E"

+CSIM: 4,"9F0F"

OK
AT+CSIM=10, "A0B000000B"

+CSIM: 26,"4B534AEE52F010010E50009000"

OK
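The session above obtains everything listed at the start of this step: AT+CREG? reports the LAC and CellID the network assigned, and the two AT+CSIM commands select the SIM file EF_LOCI (file ID 6F7E) and read its 11 bytes, which hold the TMSI, the LAI (MCC/MNC + LAC) and the location update status. The SELECT answer 9F0F means 15 bytes of file information are waiting for a GET RESPONSE, which the session skips; the READ BINARY answer ends in the status word 9000. The following is an added example (not the author's code) that decodes both responses, using the EF_LOCI layout from GSM TS 11.11 / 3GPP TS 31.102 and the +CREG/+CSIM formats from 3GPP TS 27.007; the two response strings are copied from the session above.

```python
"""Decode the AT+CREG? and AT+CSIM (EF_LOCI) responses into
MCC/MNC, LAC, CellID and TMSI.

Added example; not the author's code. EF_LOCI (6F7E) layout per
GSM TS 11.11 / 3GPP TS 31.102: TMSI (4 bytes), LAI (3 BCD bytes MCC/MNC
+ 2 bytes LAC), TMSI TIME (1 byte), location update status (1 byte).
"""
import re

# Constructed input: the two answers from the minicom session above.
CREG_RESPONSE = "+CREG: 2,1, 10E, 5278"
CSIM_RESPONSE = '+CSIM: 26,"4B534AEE52F010010E50009000"'

CREG_STAT = {
    0: "not registered, not searching",
    1: "registered, home network",
    2: "not registered, searching",
    3: "registration denied",
    4: "unknown",
    5: "registered, roaming",
}

# Location update status: low three bits of the last EF_LOCI byte.
LU_STATUS = {0: "updated", 1: "not updated",
             2: "PLMN not allowed", 3: "location area not allowed"}

CREG_RE = re.compile(r'\+CREG:\s*(\d+)\s*,\s*(\d+)'
                     r'(?:\s*,\s*"?([0-9A-Fa-f]+)"?\s*,\s*"?([0-9A-Fa-f]+)"?)?')
CSIM_RE = re.compile(r'\+CSIM:\s*(\d+)\s*,\s*"([0-9A-Fa-f]+)"')


def parse_creg(line):
    """+CREG: <n>,<stat>[,<lac>,<ci>]; LAC and CI are hex strings."""
    m = CREG_RE.match(line)
    if not m:
        raise ValueError("not a +CREG response: %r" % line)
    n, stat, lac, ci = m.groups()
    result = {"n": int(n), "stat": int(stat),
              "stat_text": CREG_STAT.get(int(stat), "reserved")}
    if lac is not None:
        result["lac"] = int(lac, 16)
        result["cell_id"] = int(ci, 16)
    return result


def split_csim(line):
    """Return (response data, status word) from +CSIM: <length>,"<hex>".

    The SIM appends the two status-word bytes to the data: 9000 is success,
    9Fxx means xx more bytes are waiting for a GET RESPONSE.
    """
    m = CSIM_RE.match(line)
    if not m:
        raise ValueError("not a +CSIM response: %r" % line)
    length, hexstr = int(m.group(1)), m.group(2)
    if len(hexstr) != length or length < 4:
        raise ValueError("bad length %d for %d hex chars" % (length, len(hexstr)))
    raw = bytes.fromhex(hexstr)
    return raw[:-2], raw[-2:].hex().upper()


def decode_plmn(b):
    """3-byte BCD MCC/MNC with swapped nibbles; 0xF marks no third MNC digit."""
    d = [b[0] & 0xF, b[0] >> 4, b[1] & 0xF, b[1] >> 4, b[2] & 0xF, b[2] >> 4]
    mcc = "%d%d%d" % (d[0], d[1], d[2])
    mnc = "%d%d" % (d[4], d[5])
    if d[3] != 0xF:
        mnc += "%d" % d[3]
    return mcc, mnc


def decode_ef_loci(data):
    """Split the 11-byte EF_LOCI body into its fields."""
    if len(data) != 11:
        raise ValueError("EF_LOCI body is 11 bytes, got %d" % len(data))
    mcc, mnc = decode_plmn(data[4:7])
    return {"tmsi": data[0:4].hex().upper(), "mcc": mcc, "mnc": mnc,
            "lac": int.from_bytes(data[7:9], "big"), "tmsi_time": data[9],
            "lu_status": LU_STATUS.get(data[10] & 0x07, "reserved")}


def summarize(creg_line, csim_line):
    """Combine both answers and flag whether the SIM's LAC matches the network's."""
    creg = parse_creg(creg_line)
    data, sw = split_csim(csim_line)
    if sw != "9000":
        raise ValueError("SIM returned status word %s" % sw)
    loci = decode_ef_loci(data)
    return {"plmn": "%s-%s" % (loci["mcc"], loci["mnc"]), "lac": loci["lac"],
            "cell_id": creg.get("cell_id"), "tmsi": loci["tmsi"],
            "registration": creg["stat_text"], "lu_status": loci["lu_status"],
            # A mismatch may mean the SIM copy is stale (modem not yet written
            # back after a location update), so the TMSI should be re-read.
            "lac_consistent": creg.get("lac") == loci["lac"]}


if __name__ == "__main__":
    for k, v in summarize(CREG_RESPONSE, CSIM_RESPONSE).items():
        print("%-15s %s" % (k, "0x%X" % v if type(v) is int else v))
```

For the session above this yields PLMN 250-01, LAC 0x10E (the same value in +CREG and in EF_LOCI), CellID 0x5278, TMSI 4B534AEE and location update status "updated". The TMSI is what has to be looked for in the captured paging traffic, and since the network can reassign it at any location update, the consistency flag is the cheap check that the value read from the SIM still belongs to the current registration.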

The device often moved between BTSs, so I needed a list of cell towers (CellID, frequency):

  1. 30ad-940200000
  2. 5278-941600000
  3. 5279-942000000
  4. 2f82-944800000

[image: yandex-bts]

Step 4: Inbound call


[image: all]


Download GSM dump

Plans:

  1. Automatic search for BTSs, with frequency hopping.
  2. Automatic search for the TMSI, with frequency hopping.

Links:

  1. http://www.hughes.com/AT_Command_Reference.html
  2. https://web.archive.org/web/20090630004017/http://cheef.ru/docs/HowTo/APDU.info
  3. http://cellidfinder.com
  4. https://www.multitech.net/developer/wp-content/uploads/2010/10/S000483A.pdf
  5. http://www.etsi.org/deliver/etsi_gts/11/1111/05.03.00_60/gsmts_1111v050300p.pdf
  6. http://www.etsi.org/deliver/etsi_ts/131100_131199/131102/04.15.00_60/ts_131102v041500p.pdf
  7. http://openbsc.osmocom.org/trac/wiki/A5_GSM_AT_tricks