Decoding GSM with an RTL-SDR for $30

Good day, Habr!

We live in an amazing pre-singularity age. Technology is developing rapidly, and what seemed like fantasy a few years ago is becoming reality today. Remarkably, with nothing more than a computer and a cheap TV tuner you can now receive aircraft and ship positions, satellite imagery and data from weather balloons.
I am not an expert in information security; everything described here was done purely for educational purposes. This post is about how to decode (not decrypt) GSM traffic: what you get is the signalling that the base station broadcasts unencrypted on its control channels, not the contents of calls or SMS. Following tradition, in place of an epigraph:

Article 138 of the Criminal Code of the Russian Federation. Violation of the privacy of correspondence, telephone conversations, postal, telegraphic or other messages
1. Violation of the privacy of correspondence, telephone conversations, postal, telegraphic or other messages of citizens is punishable by a fine of up to eighty thousand rubles or in the amount of the convicted person's wages or other income for a period of up to six months, or by compulsory labour for up to three hundred and sixty hours, or by correctional labour for up to one year.


  • 1991 - the first GSM specifications are published.
  • 2005 - the first mention in the annals of TV tuners built on the E4000 chip.
  • 2008 - GSM interception is demonstrated at the Black Hat conference using a USRP SDR receiver costing about $1,000.
  • 2008 - the first commit in the public Osmocom OpenBSC repository, which implements GSM base station controller software.
  • 2008 - the first commits in the Airprobe project. Note: the link has a certificate problem.
  • 2009 - Karsten Nohl demonstrates a way to crack the A5/1 encryption algorithm.
  • 2010 - the first commit in the public OsmocomBB repository, which implements the GSM protocol stack on the hardware of ordinary phones.
  • 2010 - Kraken is presented: software that decrypts GSM data encrypted with A5/1. The demonstration was done with an ordinary phone.
  • 2013 - a guide to decoding GSM traffic is published on the RTL-SDR blog.
  • 2013 - Domonkos Tomcsányi publishes another way to crack GSM.


To intercept, we need:
  • The tuner itself, built on the E4000 chip. The supply of these chips has dried up, so the price of tuners based on them rises over time. The other tuner chips also work, but they do not cover the GSM1800/1900 bands.
  • A 75-ohm antenna. The stock one supplied with the tuner will do as well. I put an ordinary TV antenna on the windowsill in a rather extravagant way, on a USB extension cable.
  • A machine running a Debian-family distribution; Ubuntu will do. I used an old laptop with Kali Linux, which I reached over ssh via Wi-Fi. I could not get the software to build on Fedora at the first attempt, so I decided not to rack my brains and to follow the example. Pitfall number 0: if you are making a bootable Kali Linux flash drive, read this. Unetbootin will not produce a working image.
  • A fair amount of patience and this guide.

Everything there is described in enough detail; I will only comment on the pitfalls I stepped on myself.
Pitfall number 1: do not install the latest GNU Radio. Starting with version 3.7.0 the namespaces changed and the software will not build. Use version 3.6.5. Also look at the branches in the airprobe git repository: the tags and comments there say which GNU Radio version each one builds against.
Pitfall number 2: do not forget to install the -dev packages in addition to everything listed above.
Pitfall number 3: finding an active GSM frequency with SDRSharp is often not easy. Domonkos Tomcsányi suggests the kalibrate-rtl program for this. It prints something like:

username@hostname:~$ kal -s GSM900
Found 1 device(s):
  0:  Terratec T Stick PLUS
Using device 0: Terratec T Stick PLUS
Found Elonics E4000 tuner
Exact sample rate is: 270833.002142 Hz
kal: Scanning for GSM-900 base stations.
        chan: 10 (937.0MHz - 20.572kHz) power: 1467419.20
        chan: 12 (937.4MHz - 20.602kHz) power: 242714.33
        chan: 25 (940.0MHz - 20.308kHz) power: 364373.98
        chan: 32 (941.4MHz - 20.340kHz) power: 1562694.12
        chan: 52 (945.4MHz - 20.100kHz) power: 206568.21
        chan: 54 (945.8MHz - 20.184kHz) power: 628970.43
        chan: 71 (949.2MHz - 20.052kHz) power: 396199.27
        chan: 86 (952.2MHz - 20.081kHz) power: 1095374.22
        chan: 112 (957.4MHz - 20.047kHz) power: 594273.38
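As an added example (not code from the post or from kalibrate-rtl), the scan above parsed by a short Python script: it maps each ARFCN to its nominal GSM-900 downlink carrier, picks the strongest channel, and turns the per-channel offsets into a clock error in ppm. The function names are mine; the only input is the kal output shown above, embedded so the script runs offline.

```python
"""Parse a kalibrate-rtl (kal) scan, map ARFCNs to carriers and estimate the dongle's clock error."""
import re

# The scan printed above, embedded so this runs offline.
KAL_OUTPUT = """\
kal: Scanning for GSM-900 base stations.
        chan: 10 (937.0MHz - 20.572kHz) power: 1467419.20
        chan: 12 (937.4MHz - 20.602kHz) power: 242714.33
        chan: 25 (940.0MHz - 20.308kHz) power: 364373.98
        chan: 32 (941.4MHz - 20.340kHz) power: 1562694.12
        chan: 52 (945.4MHz - 20.100kHz) power: 206568.21
        chan: 54 (945.8MHz - 20.184kHz) power: 628970.43
        chan: 71 (949.2MHz - 20.052kHz) power: 396199.27
        chan: 86 (952.2MHz - 20.081kHz) power: 1095374.22
        chan: 112 (957.4MHz - 20.047kHz)        power: 594273.38
"""

CHAN_RE = re.compile(
    r"chan:\s*(\d+)\s*\(\s*([\d.]+)MHz\s*([+-])\s*([\d.]+)kHz\s*\)\s*power:\s*([\d.]+)")


def arfcn_to_downlink_mhz(arfcn):
    """Nominal GSM-900 downlink carrier (TS 45.005): P-GSM ARFCN 0..124, E-GSM 975..1023."""
    if 0 <= arfcn <= 124:
        return 935.0 + 0.2 * arfcn
    if 975 <= arfcn <= 1023:
        return 935.0 + 0.2 * (arfcn - 1024)
    raise ValueError("not a GSM-900 ARFCN: %d" % arfcn)


def parse_kal(text):
    """One dict per 'chan:' line: ARFCN, nominal carrier, measured offset (Hz), power, implied ppm."""
    channels = []
    for m in CHAN_RE.finditer(text):
        arfcn, nominal = int(m.group(1)), float(m.group(2))
        if abs(nominal - arfcn_to_downlink_mhz(arfcn)) > 1e-3:
            raise ValueError("ARFCN %d does not match %.1f MHz" % (arfcn, nominal))
        offset_hz = float(m.group(4)) * 1e3 * (1 if m.group(3) == "+" else -1)
        channels.append({
            "arfcn": arfcn,
            "nominal_mhz": nominal,
            "offset_hz": offset_hz,
            "power": float(m.group(5)),
            # An offset proportional to the carrier frequency is the tuner's crystal error;
            # Hz divided by MHz is directly parts per million.
            "ppm": offset_hz / nominal,
        })
    return channels


def strongest(channels):
    """The channel to tune first: the one kal reports with the most power."""
    return max(channels, key=lambda c: c["power"])


def mean_ppm(channels):
    """Average clock error over all detected carriers, in ppm (kal's sign convention)."""
    return sum(c["ppm"] for c in channels) / len(channels)


if __name__ == "__main__":
    chans = parse_kal(KAL_OUTPUT)
    best = strongest(chans)
    print("strongest: ARFCN %d at %.1f MHz (offset %+.0f Hz)"
          % (best["arfcn"], best["nominal_mhz"], best["offset_hz"]))
    print("mean clock error: %+.2f ppm" % mean_ppm(chans))
```

Two things worth noticing in the result: the strongest carrier is ARFCN 32 at 941.4 MHz, and every channel is off by roughly the same fraction (about 21 ppm) rather than by the same number of hertz, which is the signature of the dongle's crystal error rather than of the base stations. kal -c with the chosen channel measures that error more precisely, and that value is what the receiver needs as its ppm correction; without it the 200 kHz GSM channel is tuned some 20 kHz off.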

Pick the channel with the highest power and start capturing on it. GSM frames will begin to appear in the console as bytes (the frame number and timeslot, then the 23 octets of a control-channel block; 2b is the fill pattern):

168815 0: 49 06 1b 0a 35 52 f0 10 00 e8 c8 02 28 13 65 45 bd 00 00 83 1f 40 1b
168819 0: 15 06 21 00 01 f0 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
168825 0: 41 06 21 a0 05 f4 44 46 03 b7 17 05 f4 16 4e fc 29 2b 2b 2b 2b 2b 2b
168829 0: 41 06 21 a0 05 f4 41 4d ef 18 17 05 f4 1d 5c 2a 63 2b 2b 2b 2b 2b 2b
168835 0: 4d 06 24 a0 f6 ce c3 7a df d4 7e 21 fc 80 0a 40 cb 25 e2 3c d3 2b 2b
168839 0: 49 06 22 a0 d1 6c 9f 44 11 40 57 92 17 05 f4 ef 59 34 1d cb 2b 2b 2b
168845 0: 41 06 21 a0 05 f4 35 4a 5b 9d 17 05 f4 20 4a 56 e2 2b 2b 2b 2b 2b 2b
168849 0: 25 06 21 20 05 f4 e8 24 47 7f 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
168855 0: 49 06 22 a0 c8 9c 63 0a ee e8 45 0c 17 05 f4 d3 04 7f 49 cb 2b 2b 2b
168859 0: 41 06 21 a0 05 f4 d8 5f d2 1f 17 05 f4 51 42 81 53 2b 2b 2b 2b 2b 2b


A few words about decryption. For that, apart from the $30 tuner, you will apparently have to spend on another two-terabyte hard drive for the rainbow tables. The script for generating them is in the Airprobe repository, and finding Kraken does not look like a problem either.

What makes this method interesting? That cheap but quite serious universal interception systems can be built on top of it. After all, there is also DECT (no link: the Osmocom DECT site is down at the moment), which is widely used in offices; its encryption is weaker, and the secrets are more serious.
And two-factor authentication over SMS is now in question.

"Is it really that bad?" you ask.
Not quite. Intercepting 3G traffic this way is not possible for now: the signal bandwidth is too wide. But nothing prevents an attacker from intercepting where there is no 3G coverage, or from jamming it. And progress does not stand still: once hardware like the HackRF Jawbreaker becomes cheaper and more widespread, 3G interception on it will not be long in coming.

Thank you for your attention.
