GSM Wireshark Capture over OpenBTS System

Cruz Tovar A20277095 May 2, 2014

[email protected] Project Report

Abstract

In the Fall and Spring semesters of 2013 and 2014, my colleague Sushma Sitaram implemented a GSM access point using OpenBTS that allows GSM-compatible phones to be used over a VoIP network. To further the project, a software defined radio (SDR) device and open source applications were implemented to allow the capturing of GSM signals. This project report describes the process of implementing the SDR device and outlines how the signals traverse the network, using Wireshark.

Table of Contents

Abstract 2
1. Introduction 4
2. RTL-SDR 4
3. Airprobe 4
4. GNU Radio 4
5. Configuration of Software 4
5.1 Airprobe Basic Dependencies 5
5.2 Install libosmocore library 5
5.3 Clone Airprobe 5
5.4 Install gsmdecode 5
5.5 Install gsm-receiver 5
6. Receiving a Live Channel 5
7. Logical Architecture 7
7.1 Base Station Subsystem (BSS) 7
7.2 Capture Station 7
7.3 Mobile Station (MS) 7
8. Physical Architecture 8
9. Ladder Diagram 9
10. Conclusion 10
References 12


1. Introduction

Global System for Mobile communications (GSM) was initially designed as a circuit-switched telecommunications system that provides a direct connection between the caller and the recipient of the call. Over time GSM has evolved and can now be virtualized over IP broadband connections; little difference is noticed between the traditional implementation of GSM and virtualized GSM systems. The GSM setup at IIT uses Open Base Station (OpenBTS). OpenBTS uses software radio to act as a GSM access point and allow calls to be made to other GSM phones. This report details how RTL-SDR hardware and other open source software were used to capture bearer and management signals on the GSM network. It also gives the physical and logical architecture of the Capture Station and describes how a GSM call would be transmitted over the network.

2. RTL-SDR

RTL-SDR is an affordable DVB-T TV tuner dongle based on Realtek's RTL2832U chip. What makes this device so popular in the radio frequency community is the discovery that it can function as a software defined radio receiver. By pairing the RTL-SDR hardware with software, the device can pick up various RF signals, such as ham radio, police scanners, FM radio, and many more. In this project the hardware and software are used to capture GSM signals.

3. Airprobe

Airprobe originally started from a previous project known as the GSM-Sniffer project. Airprobe developed further into a project that could capture GSM signals from an . Airprobe uses various repositories to receive and decode signals. The gsm-receiver repository from Airprobe is used to receive the signals from the air. Currently Airprobe is only capable of decoding the downstream signals (GSM network to ), but it is able to handle management channels.

4. GNU Radio

GNU Radio works well with RF-based hardware to implement software defined radio devices. GNU Radio is a software development toolkit that allows RF signals received by a hardware device to be processed in software. On its own GNU Radio is not capable of capturing GSM signals. However, when paired with Airprobe it becomes capable of capturing GSM signals.

5. Configuration of Software

Using Kali Linux is a simple way to implement an RTL-SDR device, but some other software and dependencies need to be installed prior to using the device. Kali Linux already ships with GNU Radio version 3.6. Using this version of GNU Radio is essential, as Airprobe is incompatible with version 3.7. After you have a version of Linux and GNU Radio 3.6 installed, you can install the dependencies needed by Airprobe and the additional libraries that are required.

5.1 Airprobe Basic Dependencies

sudo apt-get -y install git-core autoconf automake libtool g++ python-dev swig libpcap0.8-dev gnuradio-dev cmake git libboost-all-dev libusb-1.0-0 libusb-1.0-0-dev libfftw3-dev swig python-numpy

5.2 Install libosmocore library

git clone git://git.osmocom.org/libosmocore.git
cd libosmocore
autoreconf -i
./configure
make
sudo make install
sudo ldconfig

5.3 Clone Airprobe

git clone git://git.gnumonks.org/airprobe.git

5.4 Install gsmdecode

cd airprobe/gsmdecode
./bootstrap
./configure
make

5.5 Install gsm-receiver

cd airprobe/gsm-receiver
./bootstrap
./configure
make

6. Receiving a Channel

After all dependencies, libraries, and additional software have been installed, the RTL-SDR device should be able to decode a live channel. First open a terminal window, type wireshark, and press the Enter key to start Wireshark.

Next, navigate to the directory below using the terminal window.

cd airprobe/gsm-receiver/src/python

After navigating to the above directory, enter the following command in the terminal window to receive a GSM channel. The -s flag sets the sample rate to 1.0 MSPS; if you leave out this flag, the default sample rate is 1.8 MSPS.

./gsm_receive_rtl.py -s 1e6


Figure 1: Receiving a GSM Signal [1]

In Figure 1, there is a window titled "Top Block". This shows the spectrum of the GSM channel, and you will need to click in the middle of the GSM channel to start capturing traffic. After you have clicked, you should start seeing traffic in Wireshark. To stop capturing traffic, go back to the terminal window running the gsm_receive_rtl.py command and interrupt it with Ctrl + C.
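As an added example that is not part of the report: Airprobe's gsm_receive_rtl.py hands each decoded frame to Wireshark as a GSMTAP datagram over UDP port 4729 on the loopback interface, which is why Wireshark must be capturing on that interface before any frames appear. The parser below decodes the 16-byte GSMTAP header (field layout and constants taken from Osmocom's gsmtap.h, not from the report) so a capture can be checked outside Wireshark, for instance to confirm that every frame is downlink-only as Section 3 states; the sample datagram is constructed here.

```python
import struct

# GSMTAP constants from Osmocom's gsmtap.h (not from the report).
GSMTAP_UDP_PORT = 4729           # Airprobe -> Wireshark, UDP on loopback
GSMTAP_VERSION = 0x02
GSMTAP_TYPE_UM = 0x01            # GSM Um air-interface frame
GSMTAP_ARFCN_F_UPLINK = 0x4000   # flag in the ARFCN field: MS -> network
GSMTAP_ARFCN_MASK = 0x3FFF
GSMTAP_CHANNEL_ACCH = 0x80       # SACCH/FACCH flag OR-ed onto the channel code
CHANNEL_NAMES = {0: "UNKNOWN", 1: "BCCH", 2: "CCCH", 3: "RACH", 4: "AGCH",
                 5: "PCH", 6: "SDCCH", 7: "SDCCH/4", 8: "SDCCH/8",
                 9: "TCH/F", 10: "TCH/H"}

# 16-byte big-endian header: ver, hdr_len (32-bit words), type, timeslot, arfcn+flags, dBm, SNR, FN, sub_type, antenna, sub_slot, reserved
_HDR = struct.Struct("!BBBBHbbIBBBB")

def parse_gsmtap(datagram: bytes) -> dict:
    """Split one GSMTAP UDP payload into header fields and the L2 frame."""
    if len(datagram) < _HDR.size:
        raise ValueError("datagram shorter than a GSMTAP header")
    (ver, hdr_len, typ, ts, arfcn, sig, snr, fn,
     sub_type, _ant, sub_slot, _res) = _HDR.unpack_from(datagram)
    if ver != GSMTAP_VERSION or typ != GSMTAP_TYPE_UM:
        raise ValueError(f"unsupported GSMTAP version/type {ver}/{typ}")
    hdr_bytes = hdr_len * 4
    if hdr_bytes > len(datagram):
        raise ValueError("hdr_len points past the end of the datagram")
    chan = sub_type & ~GSMTAP_CHANNEL_ACCH & 0xFF
    return {
        "direction": "uplink" if arfcn & GSMTAP_ARFCN_F_UPLINK else "downlink",
        "arfcn": arfcn & GSMTAP_ARFCN_MASK, "timeslot": ts, "sub_slot": sub_slot,
        "frame_number": fn, "signal_dbm": sig, "snr_db": snr,
        "channel": CHANNEL_NAMES.get(chan, f"SUBTYPE_{chan}"),
        "acch": bool(sub_type & GSMTAP_CHANNEL_ACCH),
        "l2": datagram[hdr_bytes:],
    }

def build_gsmtap(arfcn, timeslot, frame_number, sub_type, l2, uplink=False):
    """Assemble a GSMTAP datagram; used here only to construct sample input."""
    flags = GSMTAP_ARFCN_F_UPLINK if uplink else 0
    hdr = _HDR.pack(GSMTAP_VERSION, _HDR.size // 4, GSMTAP_TYPE_UM, timeslot,
                    (arfcn & GSMTAP_ARFCN_MASK) | flags, -60, 20, frame_number,
                    sub_type, 0, 0, 0)
    return hdr + l2

# Constructed sample: downlink BCCH frame on ARFCN 51, timeslot 0, FN 1234; the 23-byte
# L2 block starts like a System Information Type 3 message and is padded with 0x2b filler.
SAMPLE = build_gsmtap(51, 0, 1234, 1, bytes([0x49, 0x06, 0x1B]) + b"\x2b" * 20)
```

Feeding the datagrams of a live session through parse_gsmtap and counting the "channel" and "direction" values gives a quick sanity check that frames are actually being decoded, which is the point at which the report's author only saw zeros.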

7. Logical Architecture

Figure 2: Logical Architecture of Capture Station and Test Bed Architecture

The logical architecture used to capture GSM signals comprises three components: the Capture Station, the Base Station Subsystem (BSS), and the Mobile Station (MS).

7.1 Base Station Subsystem (BSS)

The BSS is responsible for managing mobile subscribers over a radio interface to the network they are attempting to access [1]. Two components comprise the BSS: Open Base Station (OpenBTS) and the Base Station Controller (BSC). The OpenBTS used in this BSS setup is an open source product; this component is normally called a BTS. However, OpenBTS functions in the same manner as a normal BTS. OpenBTS allows a call to be maintained while in use over the network and tries to minimize any interference that may occur over the air. While OpenBTS maintains the connection, the BSC manages the network. The BSC manages incoming and outgoing calls from the MS, manages transfer of a connection when an MS is in motion, and performs other management functions.

7.2 Capture Station

The Capture Station is also comprised of two components: a computer running Linux and the software defined radio dongle.

7.3 Mobile Station (MS)

The Mobile Station is the cellular device, in this case a GSM phone together with its GSM SIM card.

8. Physical Architecture

Figure 3: Physical Architecture of Capture Station and Test Bed

The BSS and Capture Station are fairly independent of each other. However, the Capture Station can be used to scan the network while an MS and the BSS are communicating. This is done through the radio frequency signals generated by the GSM network. The RTL-SDR device scans the GSM frequency to find a signal and then captures the packets between the MS and the BSS. There is no direct wired link, as everything is captured over the air interface.

9. Ladder Diagram

Figure 4: Establishment of Signaling Channel [2]

In theory this is what would have been captured if we had been successful in implementing a trace of the packets over the OpenBTS network. Since we were not able to complete a call via the network, this is how GSM signaling would have been captured. In Figure 3, the first message shown on the ladder diagram is the mobile device sending a channel request to the BTS. RACH stands for Random Access Channel; the RACH message is sent by the mobile device to the network when establishing an initial connection in order to obtain a channel. When a dedicated channel can be established for the mobile device, the network sends a Standalone Dedicated Control Channel (SDCCH) message. This message is signaled from the BSC to the BTS and is used to establish a dedicated channel. Once the BTS acknowledges that this will be the dedicated channel, the BSC assigns the channel to the mobile device. In this example we see that an AGCH message is sent to the mobile device before the dedicated channel is established. The AGCH message contains information about which channel will be dedicated to the subscriber. After this message is received by the mobile device, SDCCH is used to establish the dedicated channel between the mobile device (subscriber) and the network.


Figure 5: Establishment of Bearer Channel [2]

After a signaling connection has been established, traffic can flow. However, a few additional messages must be sent in order to establish a voice call. In Figure 3, the last transmission message sent is the SDCCH. This message travels through the BTS and BSC and is then passed on to the Mobile Switching Center (MSC). The primary responsibility of the MSC is to establish a link between the mobile-originated call and the mobile-terminated call, as well as to manage mobile services such as registration, authentication, location update, and call routing. The MSC then sends a Traffic Channel (TCH) message, which verifies with the BSC that a traffic channel is available. Once the BTS verifies a channel is available, it sends an acknowledge message to the BSC. The BSC then sends an SDCCH message to the mobile device that states that a TCH is available for the call. From this point you can see on the left side of Figure 4 that the top half was established using SDCCH and the lower half of the communication is established using FACCH and TCH. The mobile device then sends a Fast Associated Control Channel (FACCH) message to the BSC. FACCH is used to send high priority control messages, in this case to inform the MSC that the TCH has been established.

10. Conclusion

While I was not able to capture the traffic over the OpenBTS network Sushma created, I was able to test the SDR device with Martin O'Sheild's GSM network. However, due to time constraints I was unable to capture any packets through Wireshark. The RTL-SDR dongle requires some finesse when using it. It is necessary to calibrate the dongle because there is an offset between the actual frequency transmitted by the network and the frequency that the dongle receives. An impromptu scan of a GSM network was completed; however, in my haste I was unable to capture anything in Wireshark due to not specifying the interface to scan.
However, what was hopeful is that in previous test captures, the terminal window displayed zeros when scanning the OpenBTS network. This was in part because the GSM phone could not authenticate with OpenBTS, or because the OpenBTS network did not work properly. It was discovered that there could be some issues with the Range Networks device that don't allow any sort of signal to be broadcast. This could be another reason why I only picked up zeros during a packet capture. In the impromptu testing of O'Sheild's GSM network, I no longer saw zeros in the terminal screen; data started to come through, which I wish I had screen captured to show results, but I ended up exiting the terminal before realizing I should have taken a screenshot.

I am hopeful now that the RTL-SDR device does in fact pick up GSM signals; now it is a matter of getting the proper commands to calibrate the RTL-SDR, then using that calibration information to receive a channel with the Airprobe libraries, as well as specifying the proper interface for it to scan so that the traffic can be captured in Wireshark.

References

[1]

[2] Sauter, M., "From GSM to LTE: An Introduction to Mobile Networks and Mobile Broadband", Wiley, 1st edition (February 7, 2011).
