
HackRF learning journey, part 4: sniffing GSM networks with HackRF

References
https://www.freebuf.com/articles/wireless/68736.html
https://www.freebuf.com/articles/wireless/110773.html (newer)
http://www.freebuf.com/articles/wireless/111577.html (covers decoding)

Part 1: Setting up the environment

Tools used
1. hackrf-kalibrate
2. gnuradio-companion
3. gr-gsm
4. gqrx
5. wireshark
Items 2 and 4 were already installed. Installing 1 and 3 hit some problems: when make fails, read the error output, it is usually a missing dependency; if ./bootstrap or ./configure will not execute, run them with sudo. Wireshark installs straight from the Ubuntu Software Center.
Whenever ./configure complains, read the message and install whatever it says is missing.
Note that the .py programs under gr-gsm/apps have been renamed; the older articles use the old names, so run them under the new ones. The README below gives the mapping:
https://github.com/dholm/gr-gsm

This directory contains programs based on gr-gsm:

  • grgsm_decode (old name: airprobe_decode.py) - program for decoding C0 channel
    which is most close in terms of functionality to the old gsm-receiver
    from Airprobe project, with ability to decode signalling channels and traffic channels with speech
    (analysis of the data can be performed in Wireshark, decoded sound is stored to an audio file),
  • grgsm_livemon (old name: airprobe_rtlsdr.py) - interactive monitor of a single C0 channel with analysis
    performed by Wireshark (command to run wireshark: sudo wireshark -k -f udp -Y gsmtap -i lo),
  • grgsm_scanner (old name: airprobe_rtlsdr_scanner.py) - an application that scans GSM bands and prints
    information about base transceiver stations transmitting in the area.

There are following helper programs for grgsm_decode program:

  • grgsm_capture (old name: airprobe_rtlsdr_capture.py) - program for capturing GSM signal to a file
    that can be later processed by grgsm_decode,

  • grgsm_channelize (old name: gsm_channelize.py) - splits wideband capture file into multiple files - each contain
    single GSM channel.

  • grgsm_livemon_headless - command line version of grgsm_livemon. It
    is created by changing grgsm_livemon.grc like this:

                 - Change Options block->Generate Options from 'QT
                   GUI' to 'No GUI'.
                 - Set Options block->Run Options to 'Run to
                   Completion'.
                 - Remove the blocks 'QT GUI Range' (gain_slider,
                   fc_slider, ppm_slider) and the 'QT GUI Frequency
                   Sink'.
                 - Change all occurrences of <param>_slider to
                   <param> in the XML file.
    
                After these changes are done, build the
                grgsm_livemon_headless python code using the grcc
                compiler.
    
  • grgsm_trx - a transceiver that together with Osmocom-BB (through the trxcon application)
    forms a GSM mobile station. Currently it works on non-hopping channels only.

The reference article omits installing airprobe.
Installing airprobe (following https://blog.csdn.net/mouse1598189/article/details/8669547) goes quickly; note that gsm-receiver is a sibling of gsmdecode, so the second cd goes up one level:
git clone https://github.com/iamckn/airprobe
cd airprobe/gsmdecode
./bootstrap
./configure
make
cd ../gsm-receiver
./bootstrap
./configure
make
That completes the tool installation. I also ran into some errors and got past them by installing missing dependencies and adding sudo.

Part 2: Running

(1) In the hackrf-kalibrate tool, run
kal -s GSM900 -g 40 -l 40
kal -s DCS1800 -g 40
Results below (no ./ prefix; adding it causes an error)
(2) Work in the gr-gsm directory, again without ./
zf@zf-TM1701:~/gr-gsm/apps$ ./grgsm_livemon
bash: ./grgsm_livemon: No such file or directory
zf@zf-TM1701:~/gr-gsm/apps$ grgsm_livemon
[INFO] [UHD] linux; GNU C++ version 8.3.0; Boost_106700; UHD_3.13.1.0-3build1

RtApiAlsa::getDeviceInfo: snd_pcm_open error for device (hw:0,0), Device or resource busy.

gr-osmosdr 0.1.4 (0.1.4) gnuradio 3.7.13.4
built-in source types: file osmosdr fcd rtl rtl_tcp uhd miri hackrf bladerf rfspace airspy airspyhf soapy redpitaya freesrp
Using HackRF One with firmware git-ef5b907

A capture: the spike at 951.8 MHz below is the DC offset; 951.6 MHz on the left should be a carrier.
Another at 955 MHz, which is clearer.
And one in DCS1800 at 1834.8 MHz.
By comparison, gqrx gives a clearer picture.
(3) Next, capture with gr-gsm + Wireshark
gr-gsm needs the frequency argument with an M suffix; the reference article leaves it off, but without it it did not work for me. I tried several of the frequencies the scan had found and none worked; finally, out of frustration, I took the China Mobile downlink frequency shown by the Cellular-Z Android app on my phone, 937.6 MHz.

grgsm_livemon -f 937.6M immediately printed lots of 2b,
then starting sudo wireshark -k -Y 'gsmtap && !icmp' -i lo worked.

Now the same for China Unicom: close the grgsm_livemon GUI window, read the frequency from the phone again, 1835.8 MHz; Wireshark does not need to be restarted
grgsm_livemon -f 1835.8M
This frequency was indeed one the earlier scan found. Making a call at this point did not visibly show anything; saved for later study.
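The frequencies given to grgsm_livemon above and the ARFCNs given to grgsm_capture and grgsm_decode below name the same carriers, so it pays to convert between them rather than guess: 1835.8 MHz is DCS1800 ARFCN 665 (the value later passed to -a), and 937.6 MHz is GSM900 ARFCN 13. The POSIX shell functions below are an added example, not part of the original post or of gr-gsm; they implement the downlink ARFCN tables of GSM 05.05 for GSM850, P-GSM/E-GSM 900, DCS1800 and PCS1900, using gr-gsm's 0x8000 flag convention for PCS1900 (which shares ARFCN numbers with DCS1800). All arithmetic is in integer kHz so it runs under dash as well as bash.

```shell
#!/bin/sh
# Added example: ARFCN <-> downlink-frequency helpers for the gr-gsm /
# kalibrate workflow. Integer kHz arithmetic only (dash or bash).

PCS_FLAG=32768   # 0x8000: gr-gsm marks PCS1900 ARFCNs with this bit

# arfcn_to_dl_khz N -> downlink carrier frequency in kHz, or return 1 if N
# is not a valid ARFCN in any supported band.
arfcn_to_dl_khz() {
  n=$1
  if [ $((n & PCS_FLAG)) -ne 0 ]; then               # PCS1900: 512..810
    n=$((n - PCS_FLAG))
    [ "$n" -ge 512 ] && [ "$n" -le 810 ] || return 1
    echo $((1930200 + 200 * (n - 512)))
  elif [ "$n" -ge 512 ] && [ "$n" -le 885 ]; then    # DCS1800
    echo $((1805200 + 200 * (n - 512)))
  elif [ "$n" -ge 1 ] && [ "$n" -le 124 ]; then      # P-GSM 900
    echo $((935000 + 200 * n))
  elif [ "$n" -eq 0 ]; then                          # E-GSM 900, ARFCN 0
    echo 935000
  elif [ "$n" -ge 975 ] && [ "$n" -le 1023 ]; then   # E-GSM 900 extension
    echo $((935000 + 200 * (n - 1024)))
  elif [ "$n" -ge 128 ] && [ "$n" -le 251 ]; then    # GSM850
    echo $((869200 + 200 * (n - 128)))
  else
    return 1
  fi
}

# dl_khz_to_arfcn KHZ -> ARFCN for a downlink frequency in kHz (it must lie
# on the 200 kHz raster of one band), or return 1.
dl_khz_to_arfcn() {
  f=$1
  [ $((f % 200)) -eq 0 ] || return 1
  if [ "$f" -ge 935200 ] && [ "$f" -le 959800 ]; then      # P-GSM 900
    echo $(((f - 935000) / 200))
  elif [ "$f" -eq 935000 ]; then                            # E-GSM ARFCN 0
    echo 0
  elif [ "$f" -ge 925200 ] && [ "$f" -lt 935000 ]; then     # E-GSM 975..1023
    echo $(((f - 935000) / 200 + 1024))
  elif [ "$f" -ge 1805200 ] && [ "$f" -le 1879800 ]; then   # DCS1800
    echo $((512 + (f - 1805200) / 200))
  elif [ "$f" -ge 1930200 ] && [ "$f" -le 1989800 ]; then   # PCS1900 (flagged)
    echo $((PCS_FLAG + 512 + (f - 1930200) / 200))
  elif [ "$f" -ge 869200 ] && [ "$f" -le 893800 ]; then     # GSM850
    echo $((128 + (f - 869200) / 200))
  else
    return 1
  fi
}

# arfcn_to_ul_khz N -> matching uplink (MS->BTS) carrier: downlink minus the
# band's duplex spacing (45 MHz for 850/900, 95 MHz for DCS1800, 80 MHz for
# PCS1900). Useful when the HackRF should listen to the phone side instead.
arfcn_to_ul_khz() {
  dl=$(arfcn_to_dl_khz "$1") || return 1
  if [ "$dl" -ge 1930200 ]; then echo $((dl - 80000))
  elif [ "$dl" -ge 1805200 ]; then echo $((dl - 95000))
  else echo $((dl - 45000)); fi
}

# khz_to_grgsm_freq KHZ -> the "<MHz>M" form that grgsm_livemon/grgsm_capture
# -f accept, e.g. 1835800 -> 1835.8M (GSM carriers sit on a 200 kHz grid, so
# one decimal digit is always enough).
khz_to_grgsm_freq() {
  printf '%d.%dM\n' $(($1 / 1000)) $(($1 % 1000 / 100))
}

# Demo when run directly: the two carriers used on this page.
for n in 13 665; do
  khz=$(arfcn_to_dl_khz "$n")
  echo "ARFCN $n -> grgsm_livemon -f $(khz_to_grgsm_freq "$khz")" \
       "(uplink $(khz_to_grgsm_freq "$(arfcn_to_ul_khz "$n")"))"
done
```

Running it prints the -f string for each ARFCN; pass a frequency from Cellular-Z through dl_khz_to_arfcn to get the -a value for grgsm_capture without trusting a guess.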
(4) Capture and decode, the most involved part of the flow
Follow the end of this article: http://www.freebuf.com/articles/wireless/111577.html

Capturing uses the grgsm_capture tool under gr-gsm/apps/helpers

The command from the original article no longer works: grgsm_capture.py -g 40 -a 12 -s 1000000 -c sms.cfile -T 20

Check -h and adjust:
zf@zf-TM1701:~/gr-gsm/apps/helpers$ grgsm_capture -h
Usage: grgsm_capture [options] output_filename

RTL-SDR capturing app of gr-gsm.

Options:
-h, --help show this help message and exit
-f FREQ, --freq=FREQ Set frequency [default=none]
-a ARFCN, --arfcn=ARFCN
Set ARFCN instead of frequency (for PCS1900 add 0x8000
(2**15) to the ARFCN number)
-g GAIN, --gain=GAIN Set gain [default=30.0]
-s SAMP_RATE, --samp-rate=SAMP_RATE
Set samp_rate [default=1.0M]
-T REC_LENGTH, --rec-length=REC_LENGTH
Set length of recording in seconds [default=infinity]
-p FREQ_CORR, --freq-corr=FREQ_CORR
Set frequency correction in ppm [default=0]

Keep the default gain and sample rate, record for 20 seconds, and give the output path explicitly. The ARFCN for -a can be read from the Cellular-Z phone app; then try making a call
sudo grgsm_capture -a 665 -T 20 ~/test.cfile
[INFO] [UHD] linux; GNU C++ version 8.3.0; Boost_106700; UHD_3.13.1.0-3build1

RtApiAlsa::getDeviceInfo: snd_pcm_open error for device (hw:0,0), Device or resource busy.

ALSA lib pcm_dmix.c:1108:(snd_pcm_dmix_open) unable to open slave

RtApiAlsa::getDeviceInfo: snd_pcm_open error for device (default), Device or resource busy.

gr-osmosdr 0.1.4 (0.1.4) gnuradio 3.7.13.4
built-in source types: file osmosdr fcd rtl rtl_tcp uhd miri hackrf bladerf rfspace airspy airspyhf soapy redpitaya freesrp
Using HackRF One with firmware git-ef5b907

A file of 81.8 MB appeared under gr-gsm/apps/helpers

From the earlier Wireshark capture we know what the Immediate Assignment message assigns: its Channel Description gives the dedicated channel the phone is sent to, here SDCCH/8 on timeslot 0.
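What Wireshark displays under Immediate Assignment comes from the Channel Description IE (3GPP TS 44.018 / GSM 04.08, 10.5.2.5): the top five bits of its first octet encode channel type and sub-channel (00001 TCH/F, 0001T TCH/H, 001TT SDCCH/4, 01TTT SDCCH/8), the low three bits the timeslot, and octets 2 and 3 carry the training sequence code, the hopping flag and, for non-hopping channels, the ARFCN. The shell below is an added example (not from the original post or from gr-gsm) that decodes such a message from a hex string, as Wireshark's "Copy as Hex Stream" would give it without the GSMTAP header, and turns it into the -m/-t/-u arguments grgsm_decode expects. The sample message is constructed for illustration, modelled on the real layout (L2 pseudo-length, protocol discriminator 0x06, message type 0x3F, page mode, Channel Description, Request Reference, Timing Advance, Mobile Allocation, 0x2B padding); it is not a real capture.

```shell
#!/bin/sh
# Added example: decode the Channel Description inside a GSM Immediate
# Assignment and print the grgsm_decode arguments for the assigned channel.
# Plain POSIX sh; messages are hex strings without the GSMTAP header.

# hexbyte HEX IDX -> decimal value of the IDX-th byte (0-based) of HEX
hexbyte() {
  b=$(printf '%s' "$1" | cut -c "$((2 * $2 + 1))-$((2 * $2 + 2))")
  echo $((0x$b))
}

# chan_desc_decode HEX6 -> "MODE TN SUBSLOT TSC ARFCN|hopping" for a 3-octet
# Channel Description IE, or return 1 on an unknown channel type. MODE uses
# grgsm_decode's names (TCHF, TCHH, BCCH_SDCCH4, SDCCH8); SUBSLOT is "-" when
# the channel has no sub-channel.
chan_desc_decode() {
  o1=$(hexbyte "$1" 0); o2=$(hexbyte "$1" 1); o3=$(hexbyte "$1" 2)
  ct=$((o1 >> 3))          # 5-bit channel type + sub-channel field
  tn=$((o1 & 7))           # timeslot number
  if [ "$ct" -eq 1 ]; then                 # 00001: TCH/F + ACCHs
    mode=TCHF; sub=-
  elif [ $((ct >> 1)) -eq 1 ]; then        # 0001T: TCH/H, sub-channel T
    mode=TCHH; sub=$((ct & 1))
  elif [ $((ct >> 2)) -eq 1 ]; then        # 001TT: SDCCH/4, sub-channel TT
    mode=BCCH_SDCCH4; sub=$((ct & 3))
  elif [ $((ct >> 3)) -eq 1 ]; then        # 01TTT: SDCCH/8, sub-channel TTT
    mode=SDCCH8; sub=$((ct & 7))
  else
    return 1
  fi
  tsc=$((o2 >> 5))                         # training sequence code
  if [ $(((o2 >> 4) & 1)) -eq 0 ]; then   # H=0: a single ARFCN follows
    arfcn=$((((o2 & 3) << 8) | o3))
  else                                     # H=1: frequency hopping (MAIO/HSN)
    arfcn=hopping
  fi
  echo "$mode $tn $sub $tsc $arfcn"
}

# ia_decode_args HEX -> "-m MODE -t TN [-u SUB]" for an Immediate Assignment
# (RR protocol discriminator 6, message type 0x3F); return 1 for anything else.
ia_decode_args() {
  pd=$(( $(hexbyte "$1" 1) & 0x0f ))     # protocol discriminator
  mt=$(hexbyte "$1" 2)                    # message type
  [ "$pd" -eq 6 ] && [ "$mt" -eq 63 ] || return 1
  # byte 0 pseudo-length, 1 PD, 2 type, 3 page mode, 4-6 Channel Description
  desc=$(chan_desc_decode "$(printf '%s' "$1" | cut -c 9-14)") || return 1
  set -- $desc
  if [ "$3" = - ]; then
    echo "-m $1 -t $2"
  else
    echo "-m $1 -t $2 -u $3"
  fi
}

# Constructed sample (not a real capture): Immediate Assignment assigning
# SDCCH/8 sub-channel 2 on timeslot 0, TSC 5, non-hopping, ARFCN 665.
SAMPLE_IA=2d063f0050a299230c4100002b2b2b2b2b2b2b2b2b2b2b
echo "Channel Description: $(chan_desc_decode 50a299)"
echo "grgsm_decode args:   $(ia_decode_args "$SAMPLE_IA")"
```

Two checks worth making before blaming the decoder when /tmp stays empty: the ARFCN in the Channel Description is where the SDCCH lives, and if it differs from the C0 carrier captured with -a 665 the cfile simply does not contain that channel; and -s must equal the capture's sample rate, which for grgsm_capture above is its 1.0M default, whereas $((100000000/174)) is the rate of the ptrkrysik test file. grgsm_livemon hands these frames to Wireshark as GSMTAP over UDP port 4729 on the loopback interface, which is why it is started with -i lo.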

grgsm_decode -a 665 -s $((100000000/174)) -c test.cfile -m SDCCH8 -t 0: tried this blindly first and found nothing in /tmp, so check -h instead

grgsm_decode -h
Usage: grgsm_decode: [options]

Options:
-h, --help show this help message and exit
-m CHAN_MODE, --mode=CHAN_MODE
Channel mode. Valid options are 'BCCH' (Non-combined
C0), 'BCCH_SDCCH4' (Combined C0), 'SDCCH8' (Stand-alone
control channel) 'TCHF' (Traffic Channel, Full rate),
'TCHH' (Traffic Channel, Half rate)
-t TIMESLOT, --timeslot=TIMESLOT
Timeslot to decode [default=0]
-u SUBSLOT, --subslot=SUBSLOT
Subslot to decode. Use in combination with channel
type BCCH_SDCCH4 and SDCCH8
-b BURST_FILE, --burst-file=BURST_FILE
Input file (bursts)
-c CFILE, --cfile=CFILE
Input file (cfile)
-v, --verbose If set, the decoded messages (with frame number and
count) are printed to stdout
-p, --print-bursts If set, the raw bursts (with frame number and count)
are printed to stdout

Cfile Options:
Options for decoding cfile input.

-f FC, --fc=FC      Frequency of cfile capture
-a ARFCN, --arfcn=ARFCN
                    Set ARFCN instead of frequency (for PCS1900 add 0x8000
                    (2**15) to the ARFCN number).
-s SAMP_RATE, --samp-rate=SAMP_RATE
                    Sample rate of cfile capture [default=1.0M]
--ppm=PPM           Set frequency offset correction [default=0]

grgsm_decode -a 665 -c test.cfile -m SDCCH8 -t 0
The next step would be to determine the A5 variant from the Ciphering Mode Command packet, but Wireshark never showed a Ciphering Mode Command; retrying did not help.
Finally, run the original author's example. The cfile location given in the article has changed; the correct one is
https://github.com/ptrkrysik/test_data/blob/master/vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002.cfile (this is the GitHub blob page; a command-line download needs the raw file, the same path under raw.githubusercontent.com, otherwise what is saved is the HTML page)
wget produced an error and only a few tens of KB, and decoding that gave a wrong file; the correct file is 70.1 MB. Firefox died halfway through, uget also fetched only KBs, and after a few Firefox retries it finally downloaded.

Put the downloaded file in the home directory, rename it test.cfile, then run
grgsm_decode -a 725 -s $((100000000/174)) -c test.cfile -m TCHF -t 5 -e 1 -k 0x1E,0xF0,0x0B,0xAB,0x3B,0xAC,0x70,0x02 -d FR -o /tmp/test.au.gsm
Install VLC from the Ubuntu Software Center, then
vlc /tmp/test.au.gsm
and the decoded speech can be heard.

Test files:
vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002.cfile
test.au.gsm
Link: https://pan.baidu.com/s/1EoDm2uACMeJICQhiQKCE9Q, access code: dhnp

A few bookmarks for worldwide network coverage, for GSM, 4G (including 3G) and 5G respectively:
https://www.worldtimezone.com/gsm.html
https://www.worldtimezone.com/4g.html
https://www.worldtimezone.com/5g.html


Reposted at: https://www.wpsshop.cn/w/花生_TL007/article/detail/493225