While my friend and colleague Simone was visiting our ZIMPERIUM – Enterprise Mobile Security TLV office, we got our hands on HackRF and hacked together the unguarded boarders of Radio Frequencies. Simone had the great patience to try and explain me the boring world of complex numbers and friends (more on that here), but my dyslexia won over again and left me to fill the gap by following Simone’s steps (and some mistakes, eh Simone? 🙂 ) and use my ‘trial & error’ approach until success. This tutorial is the result of our collaborate GSM hacking session, presented with the hope it will be useful for others.
First thing, you want to make sure you have all the required software installed, you can install most of them and their dependencies using your distribution package manager. Let’s start with the libraries and tools for the hackrf itself, on a Debian/Ubuntu distro you’ll install them like so:
sudo apt-get install hackrf libhackrf-dev libhackrf0
Once these libraries are installed, you can plug your hackrf into one of your USB ports and execute the hackrf_info command, at this point you should see something like the following:
# hackrf_info Found HackRF board. Board ID Number: 2 (HackRF One) Firmware Version: 2014.08.1 Part ID Number: 0x00574746 0x00574746 Serial Number: 0x00000000 0x00000000 0x14d463dc 0x2f4339e1
You will now install gnuradio which is the software we’ll use to decode the RF signals, gqrx a tool to visualize signal power on certain frequencies and everything else that will be needed in the next steps:
sudo apt-get install gnuradio gnuradio-dev gr-osmosdr gr-osmosdr gqrx-sdr wireshark
Proceed with gr-gsm, the GnuRadio blocks that will decode GSM packets:
sudo apt-get install git cmake libboost-all-dev libcppunit-dev swig doxygen liblog4cpp5-dev python-scipy git clone https://github.com/ptrkrysik/gr-gsm.git cd gr-gsm mkdir build cd build cmake .. make sudo make install sudo ldconfig
Now create the file ~/.gnuradio/config.conf and paste the following contents into it:
Finally install kalibrate-hackrf, a tool that will hop among known GSM frequencies and will tell you which your country is using:
git clone https://github.com/scateu/kalibrate-hackrf.git cd kalibrate-hackrf ./bootstrap ./configure make sudo make install
Finding GSM Frequencies:
Each operator in each country uses a different frequency in the GSM possible spectrum, which usually starts from 900Mhz. You can use hackrf_kalibrate to find the frequencies you want to sniff:
./kal -s GSM900 -g 40 -l 40
Note the two gain values, those are important in order to get some results. Leave kalibrate running and after a while you should see an output similar to this:
You will have to use the proper GSM parameter (‘-s’) to correspond to your local operator. Consult this list for verification.
Sometimes you might want to see the frequencies in order to ensure correct results from hackrf_kalibrate, or to save yourself from calculating the correct frequency given by hackrf_kalibrate (notice the +/- Khz sign of each result – this means the top peak with the corresponding power,not 100% correct frequency). Open gqrx and tune it to the first frequency you got from hackrf_kalibrate, for example 940.6Mhz, and you’ll see something like the following picture:
In the above screenshot you can visually see the activity is around 945Mhz.
Once you know the GSM channels frequencies, you can start gr-gsm by running the python script ./airprobe_rtlsdr.py or load the airprobe_rtlsdr.grc file using gnuradio-companion and set one of the channel frequencies you just found in the frequency field. Don’t forget to add ‘gain’ value again, move back to the frequency field and start pressing the UP/DOWN arrows on your keyboard to start scrolling the frequencies in 200Khz steps until you start seeing some data in your console window. The whole process should look something like this:
Now you only need to launch wireshark from another terminal tab with the following command:
sudo wireshark -k -Y 'gsmtap && !icmp' -i lo
If gr-gsm did his job, you should be able to see decoded GSM traffic sniffed by your hackrf.
43 thoughts on “Sniffing GSM traffic with HackRF.”
But what exactly is innovative in getting the GSM broadcast channel? Too many done it before. All testing equipment and modem manufacturers does it better and 20 years back.
Unless ofcourse your final goal is to exploit those poor Chinese modems.
I did according to your instructions, and it works.
However I can’t seem to get the Master Information Block, have any idea why?
havn’t messed with it since. perhaps try a diff channel or make sure a target is connected on GSM nearby. feel free to share your results.
False alarm. Seems 2G does not have a MIB, only 3G & 4G does.
How we can capore whole frequency..
bts give 30kb for 1 user so 1000 users took 60mb per second..
So how we can capore it.
if u mean ‘capture’ – well, we can’t. we can’t capture a whole spectrum using HackRF and other SDRs – only a specific channel at a time. For more robust capturing you will need to use better hardware.
oh 1 channel..ok..
i have 500gb hdd..
1. realy i want is how much data can be carried in a frequency..is there any formula to calculate it.
2. how much memmory needs for 1 channel of gsm per second…
3. How much users can be in 1 gsm channel.
4.. How diffrent opersters can active in 1 location.is arfcn divided them.
good questions, but I’m afraid I don’t have answers for you.
My only advice is for you to test this for yourself – as I demonstrated, it ain’t difficult.
Wo genaumuss ich die Datei .gnuradio / config.conf erstellen oder wie ..funtioniert das genau?
in your home directory.
Not a question, but you can count me as your fan 🙂 Great articles…
Goodwork my friend. Hopefully we will all ensure that highlighted issues rae fixed by these operators 🙂
Count me in your fan club also
Good job.. do we need any specific tools apart from computer to do this tutorial
HackRF or alike.
I would like to do the same test using my RF Explorer device but I do not have the library like you have for the HackRF. I have been trying to get something since 3 days and I am lost. Could you help me please.
Sorry I don’t have any experience with RF explorer. Since the HackRF is just the SDR I used here, and ensuring the RF Explorer supports GSM band, I think with some work this should/might be achievable.
Best of luck.
Hi nice article.. Need to know if there are any alternatives for hackRF.. Thanks in advance
yep, any SDR supporting the GSM range will do.
Reblogged this on HERI&CO and commented:
Great Idea for a weekend project
so you cant read incomming sms with this?
Since you’re the BTS, all traffic goes through you. So yes.
Thanks for reply.
So the only thing i would need to buy is the hackrf? https://greatscottgadgets.com/hackrf/
What about getting longer range? Like 100 m or so. DIdnt see anyting about the range so maybee its allready good. Im all new to this and my english is not the best so sorry if i ask stupid questions.
I have a pc like this, would i need to buy something else for it to work? https://www.amazon.com/Asus-14-Dual-Core-Processor-Bluetooth/dp/B01N1P0GDC/ref=sr_1_2?s=electronics&ie=UTF8&qid=1504880519&sr=1-2&keywords=asus+14+inch
I think i would be able to set this up but if i dont, could you help me on like teamwiver or something? I would pay you of course./ kristina
I applaud your interest in these stuff, and I encourage you to learn a bit more (RF/GSM/etc) before buying any equipment.
And thank you for your offer, but I think you’ll have more success with someone local in your area/city. Try to check close-by hackers-space, makers, etc. g’luck 🙂
i know but as you write in the post the things needed, its only the hackrf that costs monney all other stuff is free.
what is the range of this and how would you make it to have a longer range?
i dont know where to look really, please advise me. ive been looking for a gsm interceptor that can read incomming sms and this seem to be the ceapest way.
and whats to read? You seem to explain it all pretty well in the post as i understand.
What is The range of it?
With this hobbyist equipment, a few dozen meters. One may enhance it using an active antenna and/or a more professional SDR.
So only a Better antenna would not be enough to get a range if like 50 m? what to look for in a SDR? I guess as allways the more expensive the better but for be able to see GSM traffic and espassially sms, it might be some special specification to look for.
And also, how long does it take from time you sniffed signal to when you have decrypted it and see the sms in clear text?
This might be one of the biggest securityholes existed. Just think of how Phone and internet is used today. Hotmail, Facebook, Yahoo, PayPal, some know bitcoin sites like paxful and much much more could easily be hacked just by sending a “resett password with Phone” click.
You are controlling the BTS which routes the SMS, so you can obviously read them too. You simply instruct the clients not to use any encryption (eg, your BTS announcement doesn’t include any encryption ciphers, thus forces the clients to use plain text)
Since you seems eager to learn, I suggest you do more research on RF, BTS, GSM/3G/4G etc. There are many great videos from Chaos Communication Congress, DefCon, and even academics (some are more educational than others…).
Sorry I can’t help you more – I forgot most of this stuff already, and moved on to other/better things 😉
Ziggy, I have a question and I’d appreciate your comprehensive answer. Is it possible to intercept someone’s SMS with just their phone number ?
Not with the equipment we have.
Is there an equipment available that does something like that ? that you are aware of if I have to keep searching ?
Search for SS7. It’s outside the scope of this post.
Is it worth it experimenting this tutorial in 2020, or is it outdated?
I’d say it’s a good way to get familiar with establishing your own BTS and understand the basics since some 5G/4G attacks still involved in downgrading the target to 2G.
With that being said, I think you can start right a head with 5G and enjoy the latest & greatest. A learning curve is not a straight line 😉