
GSM Wireshark Capture over OpenBTS System
Cruz Tovar
A20277095
May 2, 2014
[email protected]
Project Report

Abstract

In the Fall and Spring semesters of 2013 and 2014, my colleague Sushma Sitaram implemented a GSM access point using OpenBTS that is able to use GSM-compatible phones over a VoIP network. To further the project, a software defined radio (SDR) device and open source applications were implemented to allow the capturing of GSM signals. The project report includes the process that was involved with implementing a Software Defined Radio (SDR) device and outlines how the signals traverse the network using Wireshark.

Table of Contents

Abstract
1. Introduction
2. RTL-SDR
3. Airprobe
4. GNU Radio
5. Configuration of Software
   5.1 Airprobe Basic Dependencies
   5.2 Install libosmocore library
   5.3 Clone Airprobe
   5.4 Install gsmdecode
   5.5 Install gsm-receiver
6. Receiving a Live Channel
7. Logical Architecture
   7.1 Base Station Subsystem (BSS)
   7.2 Capture Station
   7.3 Mobile Station (MS)
8. Physical Architecture
9. Ladder Diagram
10. Conclusion
References

1. Introduction

Global System for Mobile communications (GSM) was initially designed as a circuit-switched telecommunications system and allows a direct connection between the caller and the recipient of the call. Over time GSM has evolved and can now be virtualized using IP broadband connections; little difference is noticed between the old implementation of GSM and virtualized GSM systems. The GSM setup at IIT uses Open Base Transceiver Station (OpenBTS). OpenBTS uses software radio to become a GSM access point and allow calls to be made to other GSM phones. This report details how RTL-SDR hardware and other open source software were used to capture bearer and management signals on the GSM network. This report also gives the physical and logical architecture of the Capture Station and how a GSM call would be transmitted over the network.

2. RTL-SDR

RTL-SDR is an affordable DVB-T TV tuner dongle that uses RealTek's RTL2832U chip. What makes this device so popular in the radio frequency community is that it was found to be able to function as a software defined radio receiver. By pairing RTL-SDR hardware with software, it is possible to use this device to pick up various RF signals such as ham radio, police scanners, FM radio, and many more. In this project the hardware and software are implemented to capture GSM signals.

3. Airprobe

Airprobe originally started from a previous project known as the GSM-Sniffer project. Airprobe developed further into a project that could capture GSM signals from an air interface. Airprobe uses various repositories to receive and decode signals. The gsm-receiver repository from Airprobe is used to receive the signals from the air. Currently Airprobe is only capable of decoding the downstream signals (GSM network to mobile phone), but it is able to handle management channels.

4. GNU Radio

GNU Radio functions well with RF-based hardware to implement software-defined radio devices.
GNU Radio is a software development toolkit that allows RF signals to be processed with a hardware device. On its own, GNU Radio is not capable of capturing GSM signals. However, when paired with Airprobe it does become capable of capturing GSM signals.

5. Configuration of Software

Using Kali Linux is a simple way to set up an RTL-SDR device, but some other software and dependencies need to be installed prior to using the device. With Kali Linux, GNU Radio version 3.6 is already installed. Using this version of GNU Radio is essential, as Airprobe is incompatible with version 3.7. After you have a version of Linux and GNU Radio 3.6 installed, you can then install the dependencies needed by Airprobe and the additional libraries that are needed.

5.1 Airprobe Basic Dependencies

    sudo apt-get -y install git-core autoconf automake libtool g++ python-dev swig libpcap0.8-dev gnuradio-dev cmake git libboost-all-dev libusb-1.0-0 libusb-1.0-0-dev libfftw3-dev swig python-numpy

5.2 Install libosmocore library

    git clone git://git.osmocom.org/libosmocore.git
    cd libosmocore
    autoreconf -i
    ./configure
    make
    sudo make install
    sudo ldconfig
    cd ..    # return to the starting directory

5.3 Clone Airprobe

    git clone git://git.gnumonks.org/airprobe.git

5.4 Install gsmdecode

    cd airprobe/gsmdecode
    ./bootstrap
    ./configure
    make
    cd ../..    # return to the starting directory

5.5 Install gsm-receiver

    cd airprobe/gsm-receiver
    ./bootstrap
    ./configure
    make

6. Receiving a Channel

After all dependencies, libraries, and additional software have been installed, the RTL-SDR device should be able to decode a live channel. First, open a terminal window, type wireshark, and press the Enter key to start Wireshark. Next, navigate to the directory below using the terminal window.

    cd airprobe/gsm-receiver/src/python

After navigating to the above directory, enter the following command in the terminal window to receive a GSM channel. The -s flag is used to sample at a rate of 1.0 MSPS; if you leave out this flag, the default sample rate is 1.8 MSPS.
    ./gsm_receive_rtl.py -s 1e6

Figure 1: Receiving a GSM Signal [1]

In Figure 1, there is a window titled "Top Block". This is the spectrum of the GSM channel, and you will need to click in the middle of the GSM channel to start capturing traffic. After you have clicked, you should start seeing traffic in Wireshark. To stop capturing traffic, go back to the terminal window with the gsm-receive command and break the command using Ctrl + C.

7. Logical Architecture

Figure 2: Logical Architecture of Capture Station and Test Bed Architecture

The logical architecture used to capture GSM signals is comprised of three components: the Capture Station, the Base Station Subsystem (BSS), and the Mobile Station (MS).

7.1 Base Station Subsystem (BSS)

The BSS is responsible for managing mobile subscribers over a radio interface to the network they are attempting to access [1]. There are two components that comprise the BSS: the Open Base Transceiver Station (OpenBTS) and the Base Station Controller (BSC). OpenBTS, used in this BSS setup, is an open source product; this component is normally called the BTS. However, OpenBTS functions in the same manner as a normal BTS. OpenBTS allows a call to be maintained while being used over the network and tries to minimize any interference over the air that may occur. While OpenBTS maintains the connection, the BSC manages the network. The BSC manages incoming and outgoing calls from the MS, manages the transfer of a connection when an MS is in motion, and performs other management functions.

7.2 Capture Station

The capture station is comprised of two components as well: a computer running Linux and the Software Defined Radio dongle device.

7.3 Mobile Station (MS)

The Mobile Station
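
The following is an added example, not code from the report or from the Airprobe project, relating to the capture in Section 6 and the downlink-only limitation noted in Section 3. It assumes that gsm-receiver hands decoded frames to Wireshark as GSMTAP version 2 packets over UDP port 4729 (a detail the report does not state) and parses that 16-byte header to tally frames by direction and logical channel; the sample packets are constructed, not captured.

```python
import struct

# Assumption: GSMTAP v2 framing as defined in the public gsmtap.h header.
HDR = struct.Struct("!BBBBHbbIBBBB")   # fixed 16-byte header, network byte order
ARFCN_UPLINK = 0x4000                  # flag: frame sent by the mobile station
ARFCN_MASK = 0x3FFF                    # low 14 bits carry the channel number
TYPE_UM = 0x01                         # GSM Um (air) interface
CHANNELS = {0x01: "BCCH", 0x02: "CCCH", 0x03: "RACH", 0x04: "AGCH",
            0x05: "PCH", 0x06: "SDCCH", 0x07: "SDCCH/4", 0x08: "SDCCH/8",
            0x09: "TCH/F", 0x0A: "TCH/H"}

def parse_gsmtap(datagram):
    """Split one GSMTAP UDP payload into header fields and the layer-2 frame."""
    if len(datagram) < HDR.size:
        raise ValueError("shorter than the fixed GSMTAP header")
    (version, hdr_words, ptype, timeslot, arfcn, dbm, _snr,
     frame_no, sub_type, _antenna, _sub_slot, _res) = HDR.unpack_from(datagram)
    hdr_len = hdr_words * 4            # header length is counted in 32-bit words
    if version != 2 or ptype != TYPE_UM or not HDR.size <= hdr_len <= len(datagram):
        raise ValueError("not a well-formed GSMTAP v2 Um packet")
    return {
        "timeslot": timeslot,
        "arfcn": arfcn & ARFCN_MASK,
        "uplink": bool(arfcn & ARFCN_UPLINK),
        "signal_dbm": dbm,
        "frame_number": frame_no,
        "channel": CHANNELS.get(sub_type, "unknown(0x%02x)" % sub_type),
        "payload": datagram[hdr_len:],
    }

def summarize(datagrams):
    """Count frames per (direction, channel); malformed input is counted, not fatal."""
    counts = {}
    for d in datagrams:
        try:
            p = parse_gsmtap(d)
            key = ("uplink" if p["uplink"] else "downlink", p["channel"])
        except ValueError:
            key = ("malformed", "-")
        counts[key] = counts.get(key, 0) + 1
    return counts

def sample(arfcn, sub_type, frame_no):
    """Build a constructed (not captured) packet: header plus 23 filler bytes."""
    return HDR.pack(2, 4, TYPE_UM, 0, arfcn, -60, 12, frame_no,
                    sub_type, 0, 0, 0) + bytes([0x2B] * 23)

SAMPLES = [sample(51, 0x01, 1000), sample(51, 0x02, 1002),
           sample(51 | ARFCN_UPLINK, 0x03, 1004), b"\x02\x04\x01"]
```

Calling summarize(SAMPLES) gives one count each for downlink BCCH, downlink CCCH, uplink RACH and one malformed packet.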