gssm-v0.1
Groupe Special (Software) Mobile
or
The Global Software System for Mobile communications
SUMMARY
Okay, calling gssm “The Global Software System for Mobile
communications” is a bit of a stretch as all it does is monitor GSM
control channels.
What this package does is use the USRP and various daughterboards to
capture live data, GNU Radio and custom modules to demodulate and decode
the GSM packets, and then Wireshark to display the data.
Get it here: http://thre.at/gsm
Install instructions: http://thre.at/gsm/index.html#install.
Talk about it here: [email protected].
More here: http://wiki.thc.org/gsm.
WHAT
This package monitors GSM base station control channels. It uses the
USRP and various daughterboards to capture live data, GNU Radio and
custom modules to demodulate and decode the GSM packets, and then
Wireshark to display the data.
This version of gssm decodes most of the control channels. The control
channels contain the information necessary for a mobile to communicate
with a base station. The control channels gssm currently decodes are:
FCCH   The frequency correction channel.
SCH    The synchronization channel.
BCCH   The broadcast control channel.
PCH    The paging channel. Downlink only, used to page mobiles.
AGCH   The access grant channel. Downlink only, used to allocate an
       SDCCH or directly a TCH.
SACCH  Slow associated control channel.
SDCCH  Stand-alone dedicated control channel.
gssm displays the decoded data using Wireshark. Not only does this give
us a very nice graphical front end to examine the dissected packets, but
Wireshark already has quite a bit of code to dissect GSM data.
Unfortunately, the current implementation of Wireshark does not dissect
packets unique to the wireless interface. Up to now, there was no reason
to include code to dissect these packets. I include a patch for
wireshark-0.99.5 which adds partial Um packet dissection capability
and a new custom ethertype to interface with the USRP.
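The following is an added example, not code from gssm or from the Wireshark
patch it describes, showing the shape of the "decoder to Wireshark" hand-off
the paragraph above mentions: decoded frames are wrapped in an Ethernet II
header carrying a custom ethertype and written to a pcap file that Wireshark
can open and dispatch to a dissector keyed on that ethertype. The ethertype
0x88B5 (IEEE local experimental), the MAC addresses and the 23-octet payload
are all constructed assumptions; the page does not state which value gssm
registers.

```python
"""
Added example (not gssm's own code): package decoded GSM control-channel
frames as Ethernet frames with a custom ethertype inside a pcap file, the
same kind of interface the gssm README describes for feeding Wireshark.
"""
import struct

# Ethernet II header: destination MAC, source MAC, ethertype (network order).
ETH_HDR = struct.Struct("!6s6sH")
# pcap global header and per-record header, little-endian as libpcap writes
# them on x86 hosts: magic, major, minor, thiszone, sigfigs, snaplen, linktype.
PCAP_GLOBAL = struct.Struct("<IHHiIII")
PCAP_RECORD = struct.Struct("<IIII")  # ts_sec, ts_usec, incl_len, orig_len
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1

# ASSUMPTION: 0x88B5 is an IEEE "local experimental" ethertype chosen here
# as a placeholder; gssm's real custom ethertype is not given on the page.
GSSM_ETHERTYPE = 0x88B5
# Constructed, locally administered MAC addresses (no real interface).
DUMMY_SRC = bytes.fromhex("020000000001")
DUMMY_DST = bytes.fromhex("020000000002")

# Constructed 23-octet payload: the length of a Bbis-format LAPDm frame.
# The bytes are dummies, not a real decoded burst.
SAMPLE_FRAME = bytes(range(23))


def wrap_frame(payload: bytes, ethertype: int = GSSM_ETHERTYPE) -> bytes:
    """Prepend an Ethernet II header so Wireshark dispatches on ethertype."""
    return ETH_HDR.pack(DUMMY_DST, DUMMY_SRC, ethertype) + payload


def pcap_bytes(frames, first_ts: int = 0) -> bytes:
    """Serialize a list of Ethernet frames into a complete pcap file image."""
    out = [PCAP_GLOBAL.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        # One record per frame; a decoder would use the real capture time.
        out.append(PCAP_RECORD.pack(first_ts + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def unwrap_pcap(data: bytes):
    """Parse a pcap image back into [(ethertype, payload), ...] for checks."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off = PCAP_GLOBAL.size
    result = []
    while off < len(data):
        _, _, incl_len, _ = PCAP_RECORD.unpack_from(data, off)
        off += PCAP_RECORD.size
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < ETH_HDR.size:
            raise ValueError("truncated Ethernet frame in record")
        _dst, _src, etype = ETH_HDR.unpack_from(frame, 0)
        result.append((etype, frame[ETH_HDR.size:]))
    return result


if __name__ == "__main__":
    image = pcap_bytes([wrap_frame(SAMPLE_FRAME)])
    with open("gssm_example.pcap", "wb") as fh:
        fh.write(image)
    print(unwrap_pcap(image))
```

Running the block writes `gssm_example.pcap`; opening it in Wireshark shows one
Ethernet frame whose ethertype is unknown until a dissector is registered for
it, which is exactly the gap the README's Wireshark patch fills for gssm's own
ethertype.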
While gssm has basic functionality now, it really is alpha-quality
software and there are a number of enhancements which must be made
before it becomes truly useful.
- The Mueller and Müller clock recovery method doesn’t always
  handle the quarter-bits present in a GSM burst. A more reliable
  method must be implemented. Until then, this software will
  suffer from a large number of receive errors even with a high
  signal-to-noise ratio.
- Wireshark dissects most GSM packets except those specific to
  the Um interface, the wireless interface between the mobile and
  the BTS, the Base Transceiver Station.
  a. I've only implemented a small portion of the Um
     interface. Much more work must be done to complete this.
  b. Only the Bbis frame type is implemented. When packets
     arrive in Wireshark which are "malformed" or with
     strange protocol descriptors, it is because they were
     sent using some other frame type.
  c. The interface between gssm and Wireshark is extremely
     hacky, to say the least. It would be nice to eventually
     standardize a GNU Radio interface for Wireshark. I also
     want to clean up my Um interface and submit that there
     as well.
- You need to find your local GSM tower by hand. Once you’ve
  found it, you need to edit the python script and enter the
  information by hand. It would be very nice if this information
  were automatically generated.
- The code is designed to support all frequency bands but I
  haven’t implemented anything but U.S. support.
- This code is receive-only and currently can only monitor
  tower to mobile transmissions.
- Lots more.
WHERE
This code is being adopted by the GSM Scanner Project and any updates to
this code will be found there. Questions and suggestions can certainly
be sent to me, but they also should be directed to the mailing list –
[email protected]. Also, check out the wiki at
http://wiki.thc.org/gsm.
The current version of this code can be found here:
http://thre.at/gsm/gsm-v0.1.tar.bz2. Updates and bug-fixes will be
located at the GSM Scanner Project, http://wiki.thc.org.
–
Joshua L., Ph.D. ([email protected])