2013 2nd National Conference on Information Assurance (NCIA)

GSM Downlink Protocol Analysis and Decoding using Open-Source Hardware and Software

Jehanzeb Burki, Member IEEE; Fahad Malik; Mudassar Mushtaq
National University of Sciences & Technology (NUST), Pakistan
Jehanzeb.ahmad@cae.nust.edu.pk
Abstract— Since its introduction in 1992, the Global System for Mobile Communications (GSM) has evolved to become a world-wide standard in mobile telephony. Security in GSM, albeit one of the most important issues, has not yet been scrutinized to the level it deserves, owing mainly to the expensive hardware requirements and a lack of thorough understanding of the GSM protocols in general. This scenario is changing significantly with the growing rate of development of open-source tools, which can serve to harness the RF signalling and enable processing on a general-purpose workstation. In this paper, these open-source tools are utilized to study the feasibility of developing a GSM protocol analyzer and to investigate the theoretical security protocols and procedures through practical implementation of such a system. The Universal Software Radio Peripheral (USRP) was selected as the RF front end for the protocol analyzer. The USRP is a general-purpose, open-hardware transceiver that can be linked to a workstation via an RJ45 Gigabit Ethernet link. Various open-source software packages, based primarily on GNU Radio, are then utilized to synchronize, demodulate and decode the received signal.

Index Terms— GSM, open-source, Software Defined Radio, USRP, AirProbe, GNU Radio, GSM Protocol Analysis, Ethical hacking.

978-1-4799-1288-9/13/$31.00 ©2013 IEEE

I. INTRODUCTION

It is quite impossible to imagine life without mobile telephony. With cellular telephone subscriptions estimated at 6 billion worldwide [1]–[2], and the increasing usage of faster and more efficient value-added services, GSM protocol analysis has become a matter of vital importance for law enforcement agencies and cellular service providers, who need to analyze network traffic for security and efficiency requirements, respectively. This paper focuses exclusively on the standards of the Global System for Mobile Communications (GSM), part of the second generation (2G) mobile communications standards, which, despite the introduction of third generation (3G) and fourth generation (4G) standards, remains the most widely used mobile telephony standard worldwide, with an estimated 4 out of 6 billion subscribers [2]. The generic architecture of GSM with its entities and interfaces is shown in Fig. 1. In this paper, the GSM signals are intercepted at the Um interface, i.e., the air interface between the Mobile Station (MS) and the Base Transceiver Station (BTS).

Fig. 1. GSM Architecture

GSM has been known to be vulnerable to eavesdropping attacks since soon after it was first deployed commercially [3]. Because a BTS does not need to authenticate itself to the MS, and because Public Land Mobile Network (PLMN) operators are not obliged to use encryption, the system cannot meet the security and privacy requirements of its subscribers. These two weaknesses open the door to active attacks (an attacker impersonating a BTS) and passive attacks (eavesdropping), respectively, on GSM networks. Although specialized GSM interception equipment is available commercially, the availability and eventual acquisition of such tools is subject to approval by government agencies. This greatly hinders efforts directed at understanding and testing the GSM infrastructure. In this paper, the use of a Software Defined Radio (SDR) and open-source tools is analyzed to test PLMNs for such vulnerabilities.

The basic design philosophy of a USRP is to handle generic and resource-intensive tasks on the on-board FPGA and to carry out the less intensive processing on the host CPU [4]. Fig. 2 shows a block schematic of the USRP depicting the digital signal processing carried out onboard. The antenna serves to enhance the reception of an RF signal before it is fed to a preprocessor on the daughterboard, which houses a super-heterodyne receiver and an analog complex down-converter. The signal is then passed to an Analog to Digital Converter (ADC), which samples it at the sampling rate fs. The sampled data is then decimated with a user-configurable decimation rate, which essentially acts as a low-


pass filter. The resulting I and Q samples are then transferred to the workstation for further processing via the Gigabit Ethernet interface.

Fig. 2. Block diagram of USRP

The USRP, paired with an appropriate daughterboard, can process signals ranging from DC to 6 GHz [5]. Table I lists the current daughterboards that can be used with the USRP. Of the available options, the DBSRX2, WBX, SBX and RFX900 cover the frequency band used by GSM-900. Additionally, since GSM is built around a 13 MHz clock, the stock 64 MHz clock installed in the USRP cannot provide the accuracy and stability required for GSM operation. To address the need for a better clock reference, a GPS Disciplined Oscillator (GPSDO) is used, which provides a very accurate reference with ±50 ns alignment to the 1 Pulse Per Second (PPS) signal. Fig. 3 shows the USRP with the WBX daughterboard and GPSDO installed.

Table I: USRP Daughterboards

Nomenclature   Frequency band                    Functionality
BasicRX        1 – 250 MHz                       Receiver
BasicTX        1 – 250 MHz                       Transmitter
LFRX           DC – 30 MHz                       Receiver
LFTX           DC – 30 MHz                       Transmitter
TVRX2          50 – 860 MHz                      Receiver
DBSRX2         800 – 2350 MHz                    Receiver
WBX            50 – 2200 MHz                     Transceiver
SBX            400 – 4400 MHz                    Transceiver
RFX900         750 – 1050 MHz                    Transceiver
RFX1200        1150 – 1450 MHz                   Transceiver
RFX1800        1500 – 2100 MHz                   Transceiver
RFX2400        2300 – 2900 MHz                   Transceiver
XCVR2450       2.4 – 2.5 GHz & 4.9 – 5.9 GHz     Transceiver
CBX            1.2 – 6 GHz                       Transceiver

Fig. 3. USRP with WBX daughterboard and GPSDO

II. THEORETICAL BACKGROUND

GSM operates in several different frequency bands owing to different regulations per country. Pakistan uses the 900 MHz band, and also the Extended GSM (E-GSM) band, as was discovered during the course of this research. The uplink and downlink frequencies, including the E-GSM extension, are:
(a) Uplink: 880–915 MHz (MS to BTS)
(b) Downlink: 925–960 MHz (BTS to MS)

In this paper, the term GSM band refers to the combination of the original GSM-900 band and the E-GSM band.

Since radio spectrum is a scarce commodity, GSM uses a combination of time- and frequency-division multiple access (TDMA/FDMA) to divide the bandwidth among as many users as possible. The FDMA part divides the available 35 MHz band into carriers of 200 kHz bandwidth; allowing 100 kHz of guard space at each band edge, this gives 174 usable carriers (the original GSM-900 ARFCNs 1–124 plus the E-GSM ARFCNs 0 and 975–1023). Each carrier is a full-duplex channel, and each such channel is referred to by an Absolute Radio Frequency Channel Number (ARFCN).

The ARFCN represents a pair of frequencies, one uplink and the other downlink, separated by 45 MHz in this band [6]. Operators are allocated subsets of the available ARFCNs, and within each cell one ARFCN carries the broadcast (beacon) channels. The ARFCN numbering itself is fixed by the standard and is given by the following equations (frequencies in MHz):

For the GSM-900 band (124 channels):
  Fuplink(n) = 890 + 0.2 n,                 1 ≤ n ≤ 124
  Fdownlink(n) = Fuplink(n) + 45,           1 ≤ n ≤ 124

For the E-GSM band (50 channels, i.e. ARFCN 0 and 975–1023):
  Fuplink(n) = 890 + 0.2 (n − 1024),        975 ≤ n ≤ 1023
  Fuplink(0) = 890
  Fdownlink(n) = Fuplink(n) + 45

Each frequency channel is further divided in time, using a TDMA scheme. The fundamental unit of time in this TDMA scheme is called a burst period, and it lasts approximately 0.577 ms (exactly 15/26 ms). This is the time covered by one timeslot in a TDMA frame. A TDMA frame is formed by combining eight such timeslots, hence it lasts approximately 4.615 ms (exactly 120/26 ms), and forms the basic unit for the definition of logical channels [6]. One burst period per TDMA frame per ARFCN defines one physical channel. This concept is further elaborated in Fig. 4, where the highlighted timeslot represents one physical channel.

Fig. 4. GSM timeslots
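The ARFCN arithmetic above, carried through as an added example that is not part of the paper: a small Python module that converts between ARFCN and carrier frequency for the GSM-900 and E-GSM bands in both directions, and lists which downlink ARFCNs fall inside one contiguous capture span. The band limits and the 45 MHz duplex spacing are those of GSM 05.05; the function names, the integer-kHz representation and the sample centre frequency and span are this example's own choices.

```python
"""ARFCN <-> carrier-frequency arithmetic for the GSM-900 / E-GSM bands.

Added illustration, not code from the paper. Frequencies are handled in
integer kHz so that the 200 kHz channel raster does not pick up
floating-point error.
"""

DUPLEX_KHZ = 45_000          # downlink = uplink + 45 MHz in the 900 MHz band
RASTER_KHZ = 200             # carrier spacing


def arfcn_to_uplink_khz(n):
    """Uplink (MS -> BTS) carrier of ARFCN n in kHz.
    GSM-900: 1..124; E-GSM: 0 and 975..1023 (GSM 05.05)."""
    if 0 <= n <= 124:
        return 890_000 + RASTER_KHZ * n
    if 975 <= n <= 1023:
        return 890_000 + RASTER_KHZ * (n - 1024)
    raise ValueError(f"ARFCN {n} is not in the GSM-900 / E-GSM range")


def arfcn_to_downlink_khz(n):
    """Downlink (BTS -> MS) carrier of ARFCN n in kHz."""
    return arfcn_to_uplink_khz(n) + DUPLEX_KHZ


def downlink_khz_to_arfcn(f_khz):
    """Inverse mapping for a downlink carrier; raises if f is off the
    raster or outside 925.2 .. 959.8 MHz."""
    off = f_khz - 935_000
    if off % RASTER_KHZ:
        raise ValueError(f"{f_khz} kHz is not on the 200 kHz raster")
    n = off // RASTER_KHZ
    if 0 <= n <= 124:
        return n
    if -49 <= n <= -1:
        return n + 1024
    raise ValueError(f"{f_khz} kHz is outside the E-GSM downlink band")


def downlink_arfcns_in_span(center_khz, span_khz):
    """ARFCNs whose downlink carrier lies inside one contiguous capture
    (a USRP only captures a continuous slice of spectrum). Edges inclusive."""
    lo, hi = center_khz - span_khz // 2, center_khz + span_khz // 2
    out = []
    for n in [*range(975, 1024), *range(0, 125)]:      # ascending frequency
        f = arfcn_to_downlink_khz(n)
        if lo <= f <= hi:
            out.append(n)
    return out


def fmt_mhz(f_khz):
    return f"{f_khz / 1000:.1f} MHz"


if __name__ == "__main__":
    # ARFCN 1003 (the Immediate Assignment of Fig. 11) is an E-GSM channel
    print(1003, fmt_mhz(arfcn_to_uplink_khz(1003)), fmt_mhz(arfcn_to_downlink_khz(1003)))
    # a 10 MHz capture centred on 930 MHz: which beacon/traffic carriers are inside?
    print(downlink_arfcns_in_span(930_000, 10_000))
```

ARFCN 1003, on which the Immediate Assignment of Fig. 11 was observed, maps to 885.8 MHz up and 930.8 MHz down, i.e. into the 925.2–935 MHz range that Table II attributes to CM-Pak (Zong); a 10 MHz capture centred on 930 MHz contains ARFCNs 975–1023 and ARFCN 0 (the latter right at the upper edge), which is the kind of check needed before deciding where to park a USRP when hopping networks use grouped channels.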

Since GSM is a wireless communication network, and there is a need to keep track of all subscribers and equipment, GSM specifies user, equipment and location identifiers. These addresses serve the purposes of mobility management and addressing of network elements [7]. The most important of these identifiers are the International Mobile Subscriber Identity (IMSI), Temporary Mobile Subscriber Identity (TMSI), Mobile Subscriber ISDN Number (MSISDN),  International Mobile Equipment Identity (IMEI), Location Area Identifier (LAI) and Base Station Identity Code (BSIC).

In GSM terminology, there is a stark distinction between a physical channel and a logical channel. Physical channels are defined in terms of frequency and time, i.e. the actual frequencies and timeslots used by the MS or BTS for communication. Logical channels, on the other hand, are mapped onto these physical channels. At any particular instant in time, a frequency/timeslot used by a GSM PLMN may be either a traffic channel or one of the control channels, depending on the channel configuration used by that network. Put differently, a logical channel defines the function and operation of a physical channel at a particular point in time [8].

The logical channels in GSM are broadly categorized into two types: Common Channels (CCH) and Dedicated Channels (DCH). As illustrated by Fig. 5, the CCH consist of the Broadcast Channels (BCH) and the Common Control Channels (CCCH), whereas the DCH are divided into the Dedicated Control Channels (DCCH) and the Traffic Channels (TCH).

Fig. 5. GSM Logical Channel hierarchy

The BCH are defined in the downlink only and are used by the BTS to send the same information to all MSs in a cell. The BCH include three subtypes of channel, each with a distinct function: the Frequency Correction Channel (FCCH), which is broadcast by a BTS to enable all MSs in the cell to synchronize their carrier frequency and bit timing with the BTS; the Synchronization Channel (SCH), through which the BTS broadcasts synchronization information containing the TDMA frame number (FN) and the BSIC; and the Broadcast Control Channel (BCCH), which informs the MS of cell-specific system parameters such as the location area and network codes, the frequency hopping sequence (if used), neighbouring cell information, channel configuration and required power level. The FCCH -> SCH -> BCCH cycle is used by the MS to identify its home network.

The CCCH are generally used to carry the signalling information necessary for the execution of management functions [8]. They are divided into three subtypes: the Paging Channel (PCH), used on the downlink to 'page' an MS about incoming traffic, which might be voice or data; the Random Access Channel (RACH), the uplink counterpart of the PCH, used by the MS to initiate a request to the network (e.g., to make a call or send an SMS); and the Access Grant Channel (AGCH), used after the MS initiates a request on the RACH or responds to paging on the PCH, to allocate another logical channel to the MS so that the resources of the broadcast channel are not overwhelmed by the signalling between the MS and the BTS.

The DCCH are used alongside the traffic channels for power control, timing advance, signalling and other call-related information exchange. Three subtypes constitute the DCCH: the Standalone Dedicated Control Channel (SDCCH), a two-way signalling channel used for the exchange of messages associated with call establishment, authentication, ciphering parameter exchange, location updating, SMS and other management functions; the Slow Associated Control Channel (SACCH), associated with an SDCCH or a traffic channel and used by the BTS to inform the MS of neighbouring cell frequencies, time alignment and power control, or by the MS to report the received signal strength to the BTS; and the Fast Associated Control Channel (FACCH), which is always associated with a traffic channel and is used to transmit urgent signalling messages by 'stealing' timeslots from it [6].

The TCH consist of the Full-rate Traffic Channel (TCH/F) and the Half-rate Traffic Channel (TCH/H), both used to carry voice and data traffic, at gross rates of 22.8 kbit/s and 11.4 kbit/s, respectively [8].

Although GSM uses paired (full-duplex) frequency bands, the MS and the BTS do not need to transmit at the same time: the uplink timeslot numbering is offset by three timeslots from the downlink, so the MS transmits three timeslots after it receives the corresponding downlink timeslot. (This is a time offset within a frequency-division duplex system, not true Time Division Duplex.) This enables the GSM signalling to be carried out by relatively simpler, and cheaper, transceivers, and is one of the prime reasons for the remarkable success of GSM. The offset between receiving and transmitting ensures that a single transceiver chain can handle the entire operation satisfactorily. This offset can also be exploited when attempting to eavesdrop on the uplink signals for GSM protocol analysis.

To tackle interference and protect the integrity of the data, GSM uses block and convolutional coding to generate
redundancy bits. This is known as channel coding and employs different algorithms for the signalling and data channels.

For speech, the 260 bits of each 20 ms codec frame are divided into three classes: Class Ia, Class Ib and Class II bits. This division is made according to the function and importance of the bits [9]. 50 bits are assigned to Class Ia, which is the most important class. Class Ib and Class II are assigned 132 and 78 bits, respectively. Three parity bits are computed over the Class Ia bits and inserted between the Class Ia and Class Ib bits, raising the number of bits in Class Ib to 135. Class Ia and Class Ib are then concatenated, giving 185 Class I bits. Four additional tail bits (all 0s) are then appended to Class I, as required to flush the convolutional encoder, and hence the total number of bits rises to 189. The encoding operation outputs two bits for every input bit, thus doubling the number of Class I bits from 189 to 378. Finally, the 78 Class II bits are appended to the Class I bits without protection, resulting in a speech block of 456 bits.

As for the signalling information, which consists of 184 bits, a 40-bit Fire code is appended to the information block, followed by 4 tail bits (again all 0s), raising the number of bits to 228. The same convolutional code as used for the speech bits is then applied to the 228 signalling bits, resulting in a signalling block of 456 bits.

The complete coding schemes of the speech and signalling channels are shown in Fig. 6.

Fig. 6. Channel Coding

The channel coding described above is of no use if the entire 456-bit block is lost or corrupted [10]. Interleaving is the technique used to alleviate this problem. In interleaving, the bits are 'interleaved', or spread, over many bursts, so that a burst lost to a fade corrupts only a small part of each block and the remaining errors can be corrected by the forward error correction.

From a 456-bit speech block, eight sub-blocks of 57 bits each are created. These sub-blocks are then interleaved onto eight separate bursts, as shown in Fig. 7. The first four sub-blocks are mapped onto the even-numbered bit positions of four consecutive bursts, and the other four sub-blocks are mapped onto the odd-numbered bit positions of the next four consecutive bursts. Since a normal burst carries two 57-bit payloads, each burst contains halves from two different 456-bit speech blocks, and each speech block is spread over eight bursts, occupying half of each. This adds robustness and error tolerance to GSM signals.

Fig. 7. Speech block interleaving [10]

Most signalling blocks used on the logical channels have an identical interleaving scheme; the only difference is that they are spread across four, instead of eight, bursts [10].

Slow frequency hopping (SFH) is also employed in GSM (optionally) to improve radio performance through diversity against fading and interference. SFH is done by using different frequencies for the transmission of adjacent bursts, at a hopping rate of about 216.7 hops per second, corresponding to one hop per TDMA frame. Frequency hopping in GSM can use either the cyclic hopping algorithm, in which the next frequency is determined by a predefined list of frequencies, or the random hopping algorithm, in which the frequencies follow a predefined pseudo-random pattern. In hardware, there are two methods available to implement frequency hopping: baseband hopping, in which N fixed-frequency transceivers are connected to N baseband processors through a switch or commutator, allowing a Cell Allocation (CA) of N ARFCNs, where the CA is the list of frequencies available for hopping; and synthesizer hopping, in which each of the N baseband processors connects to a dedicated transceiver that retunes every burst, allowing the CA to contain many more than N ARFCNs.

III. DOWNLINK DECODING

Until recently, significant efforts to acquire and decode downlink GSM traffic could not be carried out, primarily due to the complex signalling involved and the lack of inexpensive hardware. However, the emergence of open-source tools, such as inexpensive SDRs, OpenBTS, GNU Radio and AirProbe, has changed the scenario significantly. These tools enable a researcher to investigate the strength of the theoretical security principles through practical attacks on GSM networks.
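The channel coding and interleaving of Section II, carried through in Python as an added example (not the paper's code and not AirProbe's): the GSM 05.03 three-bit speech parity and 40-bit Fire code, the rate-1/2 convolutional code shared by speech Class I and signalling, the 260-to-456 and 184-to-456 block assembly, and the burst-position rule that puts the first four 57-bit sub-blocks on even and the last four on odd positions of eight bursts (or all of a 456-bit control block on four bursts). Assumed: the 260 speech bits are already in the codec's importance order (the reordering table is not on this page), and positions 0 to 113 index the two 57-bit payload halves of a normal burst.

```python
"""GSM 05.03 channel coding and interleaving of a TCH/FS speech block and a
184-bit control (signalling) block. Added illustration, not code from the
paper or from AirProbe."""


def conv_encode(bits):
    """Rate-1/2, constraint-length-5 convolutional code used for both speech
    Class I bits and signalling: G0 = 1 + D^3 + D^4, G1 = 1 + D + D^3 + D^4."""
    reg = [0, 0, 0, 0]                      # u(k-1) .. u(k-4); the 4 tail bits flush it
    out = []
    for u in bits:
        out.append(u ^ reg[2] ^ reg[3])             # G0 output
        out.append(u ^ reg[0] ^ reg[2] ^ reg[3])    # G1 output
        reg = [u] + reg[:3]
    return out


def gf2_mod(bits, poly, degree):
    """Remainder of the polynomial with coefficients `bits` (MSB first)
    modulo `poly` in GF(2); `poly` has its D^degree term set."""
    rem = 0
    for b in bits:
        rem = (rem << 1) | b
        if (rem >> degree) & 1:
            rem ^= poly
    return rem


def parity_bits(bits, poly, degree):
    """GSM 05.03 parity: the bits are chosen so that data||parity leaves an
    all-ones remainder when divided by the generator."""
    rem = gf2_mod(bits + [0] * degree, poly, degree)
    p = rem ^ ((1 << degree) - 1)
    return [(p >> (degree - 1 - i)) & 1 for i in range(degree)]


SPEECH_POLY = 0b1011                                     # D^3 + D + 1 (3 parity bits)
FIRE_POLY = (1 << 40) | (1 << 26) | (1 << 23) | (1 << 17) | (1 << 3) | 1
                                                         # (D^23 + 1)(D^17 + D^3 + 1), 40 bits


def encode_speech_block(d):
    """260 speech bits -> 456 coded bits (Class Ia 50, Ib 132, II 78)."""
    assert len(d) == 260
    ia, ib, ii = d[:50], d[50:182], d[182:]
    class1 = ia + parity_bits(ia, SPEECH_POLY, 3) + ib + [0, 0, 0, 0]   # 50+3+132+4 = 189
    return conv_encode(class1) + ii                                     # 378 + 78 = 456


def encode_control_block(d):
    """184 signalling bits -> 456 coded bits via Fire code and 4 tail bits."""
    assert len(d) == 184
    return conv_encode(d + parity_bits(d, FIRE_POLY, 40) + [0, 0, 0, 0])   # 228 -> 456


def interleave(coded, depth):
    """Spread a 456-bit block over `depth` bursts (8 for speech, 4 for
    signalling). Returns one {position: bit} dict per burst, using the
    GSM 05.03 rule j = 2*((49k) mod 57) + ((k mod 8) div 4)."""
    assert len(coded) == 456 and depth in (4, 8)
    bursts = [dict() for _ in range(depth)]
    for k, bit in enumerate(coded):
        b = k % depth
        j = 2 * ((49 * k) % 57) + ((k % 8) // 4)
        assert j not in bursts[b]               # the rule never collides
        bursts[b][j] = bit
    return bursts


def burst_positions(bursts):
    """Sorted bit positions occupied in each burst, for inspection."""
    return [sorted(b) for b in bursts]
```

With depth 8 every burst receives exactly 57 bits of the block, bursts 0 to 3 on even positions and bursts 4 to 7 on odd ones, which is why a speech burst always carries halves of two consecutive blocks; with depth 4 each burst receives all 114 payload bits, matching the four-burst control-channel scheme.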
Multiple versatile and inexpensive SDRs have emerged that bring the RF domain within reach of an average security investigator. Some of these SDRs are:
(a) RTL2832U based SDRs
(b) FUNcube Dongle
(c) Universal Software Radio Peripheral (USRP)
(d) Modified Motorola phones

The USRP was selected for further investigation, primarily due to its high sampling rate, wide bandwidth, modular architecture and its wide and efficient knowledge and support base [11].

On the software side, GNU Radio and AirProbe were used in conjunction with Wireshark to capture, decode and analyze the GSM signalling. GNU Radio is open-source software used in a variety of DSP applications [12], offering extensive support for communication with external hardware (such as a USRP). Performance-critical blocks in GNU Radio are written in C++ using the GNU Radio API, and these blocks are then inter-connected using Python. AirProbe is, or more appropriately was, a software project aimed at developing an open-source tool for GSM Um interface analysis. Development of AirProbe slowed down in 2008, with the project being almost dead by 2010. Despite the fact that work on AirProbe has all but stopped, it still remains a good skeleton on which to build an open-source GSM analyzer. It is divided into three main sub-projects: an acquisition module, a demodulation module and an analysis module. The analysis module can be effectively replaced by Wireshark.

In downlink decoding, first of all, active channels in an area are identified visually using a Fast Fourier Transform (FFT) flow graph in GNU Radio [13]. The output of the FFT program for the GSM signals intercepted in our IDEA (Innovation, Development and Engineering Advancements) Lab is shown in Fig. 8. It is worth mentioning here that the system is location independent; the only location-dependent differences observed during the experiments were the frequency usage and the relative sizes of the cells, which are easily catered for by analyzing the FFT for active channels.

Fig. 8. FFT of GSM spectrum

Here, the beacon channels are distinguished from the traffic channels by expanding the frequency axis and using the fact that a beacon channel occupies a 200 kHz bandwidth (Fig. 9) and shows a strong periodic peak about 68 kHz above the carrier centre frequency. This peak is the FCCH burst: its 142 fixed zero bits modulate to a pure tone at one quarter of the 270.833 kbit/s bit rate, i.e. 67.7 kHz above the carrier. It can easily be identified using the 'Peak Hold' function available in the WX FFT GUI.

Fig. 9. Expanded FFT of a single ARFCN

Then, the USRP N210 can be used to capture raw GSM frames from the Um interface [12]. These frames are captured using GNU Radio with the UHD driver and are stored as complex floats in a file named '<filename>.cfile'. This completes the acquisition block of downlink decoding.

Next, AirProbe's demodulation module is used to extract bits from the raw capture file. The result is a bit stream that can be used for synchronization and the eventual extraction of signalling traffic from the captured signal. After conversion to a bit stream, the FCCH burst (142 fixed zero bits) is searched for; once found, the SCH burst that follows in the same timeslot of the next TDMA frame provides the frame number and BSIC, and from this point onwards the demarcation of bursts is relatively straightforward and is done according to the channel configuration.

A temporary buffer is created which holds each identified burst. The burst is then sent to the socket 127.0.0.1:4729, which is the GSMTAP port on the loopback interface. Though the packet is received and discarded by the destination, it can be captured by Wireshark while it is 'alive' by using a capture filter on port 4729 (on loopback). Wireshark, which has the ability to dissect GSM frames, provides an efficient front-end user interface for the GSM protocol analyzer.
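How the FCCH peak of Fig. 9 and the FCCH search of the demodulation step can be found in a raw capture, as an added example that is not AirProbe's code. It constructs an MSK-style baseband signal (no Gaussian pulse shaping) at 4 samples per symbol with a 1.2 kHz carrier offset, then slides a burst-length window over the instantaneous frequency looking for a steady tone near 67.7 kHz; the deviation of that tone from 67.7 kHz is the carrier frequency error that the MS corrects using the FCCH, so the detector returns it alongside the burst start. The sample rate, the thresholds and the constructed bit pattern are this example's own assumptions.

```python
"""Finding the frequency-correction burst in a baseband capture.

Added illustration, not AirProbe code. The FCCH burst is 142 fixed zero
bits; under GMSK that is a constant phase advance of +pi/2 per bit, i.e. a
pure tone at +1/4 of the 270.833 kbit/s bit rate (67.7 kHz) above the
carrier. The capture is constructed here; a real one would come from a
.cfile written by the USRP.
"""
import cmath
import math
import random

BIT_RATE = 1_625_000 / 6            # GSM bit rate, 270.833 kbit/s
SPS = 4                             # samples per symbol (assumed receiver setting)
FS = BIT_RATE * SPS                 # 1.0833 Msps
FCCH_BITS = 142
FCCH_TONE_HZ = BIT_RATE / 4         # 67.7 kHz


def msk_samples(bits, cfo_hz, rng, noise=0.002):
    """Constructed baseband: '0' -> +pi/2 per bit, '1' -> -pi/2 per bit,
    plus a carrier frequency offset (cfo) and a little Gaussian noise."""
    phase, out = 0.0, []
    for b in bits:
        step = (math.pi / 2 if b == 0 else -math.pi / 2) / SPS
        for _ in range(SPS):
            phase += step + 2 * math.pi * cfo_hz / FS
            out.append(cmath.exp(1j * phase)
                       + complex(rng.gauss(0, noise), rng.gauss(0, noise)))
    return out


def inst_freq_hz(samples):
    """Instantaneous frequency from the phase step into each sample."""
    f = [0.0]
    for k in range(1, len(samples)):
        f.append(cmath.phase(samples[k] * samples[k - 1].conjugate()) * FS / (2 * math.pi))
    return f


def find_fcch(samples, max_std_hz=3000.0, max_offset_hz=15000.0):
    """Return (start_sample, cfo_estimate_hz) of the first burst-length window
    whose instantaneous frequency is steady at roughly 67.7 kHz, else None."""
    f = inst_freq_hz(samples)
    w = FCCH_BITS * SPS
    if len(f) < w:
        return None
    s1, s2 = sum(f[:w]), sum(x * x for x in f[:w])      # running window sums
    for i in range(len(f) - w + 1):
        if i:
            s1 += f[i + w - 1] - f[i - 1]
            s2 += f[i + w - 1] ** 2 - f[i - 1] ** 2
        mean = s1 / w
        std = math.sqrt(max(s2 / w - mean * mean, 0.0))
        if std < max_std_hz and abs(mean - FCCH_TONE_HZ) < max_offset_hz:
            return i, mean - FCCH_TONE_HZ
    return None


def build_capture(seed=7, cfo_hz=1200.0):
    """Random data, then one FCCH burst, then more data. The bits on either
    side of the burst are forced to '1' so the burst edges are unambiguous."""
    rng = random.Random(seed)
    pre = [rng.randrange(2) for _ in range(200)]
    post = [rng.randrange(2) for _ in range(100)]
    pre[-1], post[0] = 1, 1
    bits = pre + [0] * FCCH_BITS + post
    return msk_samples(bits, cfo_hz, rng), len(pre) * SPS


if __name__ == "__main__":
    samples, true_start = build_capture()
    print(find_fcch(samples), "expected start", true_start)
```

On random data the per-sample frequency flips between +67.7 and -67.7 kHz, so the window variance is enormous and no false match occurs; on the burst it is constant, and the window mean minus 67.7 kHz recovers the 1.2 kHz offset that was put into the constructed signal. A real receiver does the same with the Gaussian-filtered pulse and a real sample clock, which is why the GPSDO matters.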

Frequency hopping, when used in a GSM network, proves to be a major hurdle in the successful decoding of GSM signalling traffic. There are two schools of thought when it comes to tackling frequency hopping in GSM. The first approach is to use the USRP's FPGA to decode and follow the hopping sequence in real time. The second approach is to capture a large amount of data from all channels and determine the hopping sequence later. It was observed that all the networks in Pakistan employing frequency hopping use channels that are grouped together (an important consideration, since a USRP captures only a continuous span of spectrum), hence the second approach seemed more appropriate for tackling frequency hopping in the current scenario.

Fig. 11. RR Immediate Assignment Message

If it is required to eavesdrop on multiple ARFCNs simultaneously, one option is to dedicate one USRP to every ARFCN used in the area. This would require at least five USRPs to capture the ARFCNs associated with each of the five PLMNs operating in Pakistan. The second, and more cost-effective, solution is to use two USRPs and larger storage media to capture the entire uplink and downlink spectrum simultaneously, and then discard the ARFCNs with no traffic. This approach was pursued using GNU Radio's polyphase filterbank (pfb) channelizer blocks and a daemon program running in the background to check for valid GSM traffic in each ARFCN. If a channel void of signalling was identified, the program automatically discarded the associated file as soon as it was generated, freeing up valuable storage for further use. The remaining files could then be used as normal cfiles (each holding the data of one active ARFCN) and decoded accordingly.

IV. RESULTS

Using the procedures and tools discussed above, GSM signals were captured, decoded and analyzed to test the developed GSM protocol analyzer in real-world scenarios. Special care was taken not to infringe on GSM subscribers' privacy by capturing only the broadcast messages or signalling intended for the MSISDNs used in the lab testing environment. These results are discussed below.

The RR Paging Request is sent on the downlink on the PCH. Fig. 10 shows an example of an RR Paging Request using the IMSI and TMSI to identify the MS. The MSIN part of the IMSI has been masked because it uniquely identifies a mobile subscriber.

Fig. 10. RR Paging Request

The RR Immediate Assignment message, shown in Fig. 11, is sent on the downlink on the AGCH, here at ARFCN 1003. This message assigns a dedicated channel to the MS and includes a specific timeslot, a list of ARFCNs (the mobile allocation), the Hopping Sequence Number (HSN) and the Mobile Allocation Index Offset (MAIO).

The system information is periodically broadcast by the BTS to advertise its network, cell identity, neighbouring ARFCNs and other information. This helps an MS distinguish an alien network from its home network, and to find out the correct frame structure used by the GSM PLMN. Fig. 12 shows an example of a System Information Type 3 message.

Fig. 12. System Information Type 3 message

Based on these messages, a table of the PLMNs operational in Pakistan and their associated parameters was constructed. This is shown in Table II.

Table II: PLMN Analysis

Service Provider   Allocated Frequencies (MHz)   Encryption   Hopping TCH
CM-Pak (Zong)      925.2-935                     None         Yes
Warid              935.2-944                     A5/1         As required
Ufone              944.2-947.4                   A5/1         As required
Telenor-PK         947.6-950                     A5/1         No
Mobilink           950.2-959.8                   A5/1         As required

The CC Call Setup message is sent on the downlink in the case of a Mobile-Terminating Call (MTC). An example of this message is shown in Fig. 13, where the MSISDN of the calling party has been masked due to privacy concerns.
Fig. 13. CC Call Setup message

The call-duration procedure described below (the tshark filters of Table III) was tested in the lab using two MSs on the same PLMN and ARFCN. This meant that the downlink signalling for both MSs was captured simultaneously, since they were using the same BTS for communication. MS1 was called from MS2 for one minute and the timing was calculated from the captured frame numbers. The calculation yielded a call duration of 59.316595 seconds, which proved the procedure valid. It was also determined that the associated TMSI remains the same even after making the call, which is a definite security concern, since an unchanged temporary identity can be tracked across calls.
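The frame-number arithmetic behind the 59.316595 s figure, as an added example that is not the paper's MATLAB or tshark script: parse the frame numbers and CC message types that tshark can export for the filters of Table III, pair each Setup with the following Release or Release Complete, and convert the frame difference to seconds. Two points the figure alone does not show: 59.316595 s is 12853 frames at the rounded 4.615 ms, whereas the exact frame length is 120/26 ms (giving 59.3169 s), and frame numbers wrap every 2715648 frames (one hyperframe, about 3 h 28 min), which the subtraction must allow for. The tshark field names gsmtap.frame_nr and gsm_a.dtap.msg_cc_type are taken from the Wireshark GSMTAP and DTAP dissectors, and the parsed lines are constructed.

```python
"""Call duration from GSMTAP frame numbers of the downlink CC messages.

Added illustration, not the paper's code. The input format is the
tab-separated output of, for example:
  tshark -r capture.pcap -Y "gsm_a.dtap.msg_cc_type" \
      -T fields -e gsmtap.frame_nr -e gsm_a.dtap.msg_cc_type
(field names assumed from the Wireshark dissectors; the SAMPLE lines below
are constructed, not a real capture).
"""

FRAME_MS_EXACT = 120 / 26          # one TDMA frame is 120/26 ms = 4.6153846 ms
FRAME_MS_ROUNDED = 4.615           # the rounded value behind the paper's figure
HYPERFRAME = 26 * 51 * 2048        # 2715648 frames, after which FN wraps to 0

CC_SETUP, CC_RELEASE, CC_RELEASE_COMPLETE = 0x05, 0x2D, 0x2A   # 3GPP 24.008 types


def parse_tshark_fields(text):
    """Parse 'frame_nr<TAB>msg_cc_type' lines into (fn, msg_type) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fn, mtype = line.split("\t")
        events.append((int(fn), int(mtype, 16)))
    return events


def frames_between(fn_start, fn_end):
    """Elapsed TDMA frames, allowing for one hyperframe wrap-around."""
    return (fn_end - fn_start) % HYPERFRAME


def frames_to_seconds(frames, exact=True):
    return frames * (FRAME_MS_EXACT if exact else FRAME_MS_ROUNDED) / 1000.0


def call_durations(events, exact=True):
    """Pair each CC Setup with the next Release / Release Complete and return
    the durations in seconds. Without the uplink this is only meaningful when
    both parties are served by the same ARFCN on the same BTS (see the text)."""
    durations, setup_fn = [], None
    for fn, mtype in events:
        if mtype == CC_SETUP:
            setup_fn = fn
        elif mtype in (CC_RELEASE, CC_RELEASE_COMPLETE) and setup_fn is not None:
            durations.append(frames_to_seconds(frames_between(setup_fn, fn), exact))
            setup_fn = None
    return durations


# Constructed sample export: the first call spans 12853 frames, the second
# straddles the hyperframe wrap (FN 2715600 -> FN 52 is 100 frames later).
SAMPLE = (
    "100000\t05\n"
    "112853\t2d\n"
    "112860\t2a\n"
    "2715600\t05\n"
    "52\t2d\n"
)

if __name__ == "__main__":
    ev = parse_tshark_fields(SAMPLE)
    print(call_durations(ev, exact=False))   # rounded 4.615 ms frames
    print(call_durations(ev))                # exact 120/26 ms frames
```

A naive `fn_end - fn_start` on the second call would give a large negative number; the modulo keeps the answer correct as long as a call is shorter than one hyperframe.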

The SMS CP-DATA + RP-DATA message, sent on the SDCCH on the downlink, is used to deliver a Short Message Service (SMS) text message to the MS. In Fig. 14, the Originating Address (the sender's MSISDN) of the SMS can be seen accompanying the original text that was sent. As seen in Fig. 14, this message also contains a timestamp.

Fig. 14. SMS CP-DATA+RP-DATA message

By using tshark instead of Wireshark, and a string-matching script in MATLAB, the captured data can also be stored in a text file in a fixed format. This can be used to provide a summary of the entire signalling taking place in a given cell. The tshark display filters used for a few message types are listed in Table III (the field is named gsm_a.dtap.msg_cc_type in current Wireshark releases).

Table III: tshark filters

CC Call Setup      gsm_a.dtap.msg_cc_type == 0x05
Release            gsm_a.dtap.msg_cc_type == 0x2d
Release Complete   gsm_a.dtap.msg_cc_type == 0x2a

Taking the frame number returned by the first filter in Table III as the frame in which the call is initiated, and the other two filters together to find the end-of-call frame (since, without the uplink, the call duration can only be calculated if both phones are connected to the same ARFCN on the same BTS), the total call duration can be calculated from the frame-number difference and the TDMA frame duration using the following equations.

V. FUTURE WORK

Even though AirProbe supports full-rate traffic channel decoding, there is still room for improvement, as a half-rate traffic channel decoder remains unimplemented. Furthermore, without the capability to handle baseband hopping, GSM protocol analysis cannot be efficiently applied to commercial PLMNs, since it was observed that Zong (CM-Pak) uses such frequency hopping. The uplink remains an unexplored area where there is a lot of room for future research. Only after these milestones are achieved can the current framework be used for further investigation.

VI. CONCLUSION

Finally, it can be stated that GSM communications have been demonstrated to be unsafe, and the task of GSM interception is no longer limited to government agencies. Today, an average hacker can purchase the required hardware for less than $3000 to capture raw GSM traffic or to perform an active attack. The knowledge of how GSM operates is, of course, openly available, and for a potential eavesdropper with significant knowledge of the GSM specifications, creating and debugging the software remains the only challenge. In this paper, a few of the open-source tools are discussed along with the developed system for the eventual extraction of useful information from captured downlink GSM bursts; thus awareness is raised, by demonstrating that GSM networks are unsafe, so that users, operators and equipment manufacturers can further enhance the security of GSM operations. The uplink, however, remains an area that is challenging to capture passively, owing to the difficulties arising from the lack of synchronization information. Only through uplink decoding can valuable information, such as the IMSI-TMSI association, call durations and geolocation, be made accessible for the creation of a complete GSM protocol analyzer and decoder.

REFERENCES

[1] International Telecommunication Union (ITU), "The World in 2011: ICT Facts and Figures," October 2011.
[2] I. Mansfield, "Worldwide Mobile Subscriptions Number More Than Five Billion," October 2010.
[3] F. van den Broek, "Eavesdropping on GSM: state-of-affairs," November 2010.
[4] J. Malsbury, Ettus LLC, Application Note: Selecting a USRP Device, http://www.ettus.com, October 2012.
[5] J. Malsbury, Ettus LLC, Application Note: Selecting an RF Daughterboard, http://www.ettus.com, October 2012.
[6] ETSI, Digital cellular telecommunications system (Phase 2+); Physical Layer on the Radio Path (General Description), GSM 05.01 version 8.4.0 Release 1999, July 2000.
[7] ITU-T, Recommendation E.164, The International Public Telecommunication Numbering Plan.
[8] ETSI, Digital cellular telecommunications system (Phase 2+); Mobile Station - Base Station System (MS - BSS) interface; Channel structures and access capabilities, GSM 04.03 version 8.0.1 Release 1999, September 2001.
[9] J. A. Audestad, Technologies and Systems for Access and Transport Networks, Artech House, 2008.
[10] F. van den Broek, "Catching and understanding GSM-signals," MSc thesis, June 2010.
[11] D. D. Cabric, "Software Defined Radio; Lecture Notes," EE 209AS, University of California, Los Angeles, Winter 2009.
[12] GNU Radio, http://gnuradio.org/
[13] R. Fitzsimons, "Find a GSM base station manually using a USRP," April 2007.

