GSM Wireshark Capture over OpenBTS System Wireshark Capture over OpenBTS System Cruz Tovar ... GSM phones. This report details how RTL-SDR ... The logical architecture used to capture GSM


Post on 15-Mar-2018


<ul><li><p>ctovar@hawk.iit.edu Project Report 1</p><p>GSM Wireshark Capture over OpenBTS System</p><p>Cruz Tovar</p><p>A20277095</p><p>May 2, 2014</p></li>
<li><p>Abstract</p><p>In the Fall and Spring semesters of 2013 and 2014, my colleague Sushma Sitaram implemented a GSM access point using OpenBTS that is able to serve GSM-compatible phones over a VoIP network. To further the project, a software defined radio (SDR) device and open source applications were set up to allow the capture of GSM signals. This project report describes the process involved in implementing the Software Defined Radio (SDR) device and outlines how the signals traverse the network, as observed in Wireshark.</p></li>
<li><p>Table of Contents</p><ul>
<li>Abstract, p. 2</li>
<li>1. Introduction, p. 4</li>
<li>2. RTL-SDR, p. 4</li>
<li>3. Airprobe, p. 4</li>
<li>4. GNU Radio, p. 4</li>
<li>5. Configuration of Software, p. 4<ul><li>5.1 Airprobe Basic Dependencies, p. 5</li><li>5.2 Install libosmocore library, p. 5</li><li>5.3 Clone Airprobe, p. 5</li><li>5.4 Install gsmdecode, p. 5</li><li>5.5 Install gsm-receiver, p. 5</li></ul></li>
<li>6. Receiving a Live Channel, p. 5</li>
<li>7. Logical Architecture, p. 7<ul><li>7.1 Base Station Subsystem (BSS), p. 7</li><li>7.2 Capture Station, p. 7</li><li>7.3 Mobile Station (MS), p. 7</li></ul></li>
<li>8. Physical Architecture, p. 8</li>
<li>9. Ladder Diagram, p. 9</li>
<li>10. Conclusion, p. 10</li>
<li>References, p. 12</li>
</ul></li>
<li><p>1. Introduction</p><p>Global System for Mobile communications (GSM) was initially designed as a circuit-switched telecommunications system that provides a direct connection between the caller and the recipient of the call. Over time GSM has evolved and can now be virtualized over IP broadband connections; little difference is noticed between the old implementation of GSM and virtualized GSM systems. The GSM setup at IIT uses Open Base Transceiver Station (OpenBTS). OpenBTS uses a software radio to become a GSM access point and allows calls to be made to other GSM phones. This report details how RTL-SDR hardware and other open source software were used to capture bearer and management signals on the GSM network. It also gives the physical and logical architecture of the Capture Station and shows how a GSM call would be transmitted over the network.</p>
<p>2. RTL-SDR</p><p>RTL-SDR is an affordable DVB-T TV tuner dongle that uses Realtek's RTL2832U chip. What makes this device so popular in the radio frequency community is the discovery that it can function as a software defined radio receiver. By pairing the RTL-SDR hardware with software, the device can pick up various RF signals: ham radio, police scanners, FM radio, and many more. In this project the hardware and software are used to capture GSM signals.</p>
<p>3. Airprobe</p><p>Airprobe grew out of an earlier project known as the GSM-Sniffer project and developed into a project that can capture GSM signals from the air interface. Airprobe uses several repositories to receive and decode signals. The gsm-receiver repository from Airprobe is used to receive the signals from the air. Currently Airprobe is only capable of decoding the downstream signals (GSM network to mobile phone), but it is able to handle management channels.</p>
<p>4. GNU Radio</p><p>GNU Radio works well with RF-based hardware to implement software-defined radio devices. GNU Radio is a software development toolkit that allows RF signals passing to and from a hardware device to be processed in software. On its own GNU Radio is not capable of capturing GSM signals; however, when paired with Airprobe it becomes capable of capturing them.</p>
<p>5. Configuration of Software</p><p>Using Kali Linux is a simple way to set up an RTL-SDR device, but some other software and dependencies need to be installed before the device can be used. With Kali Linux, GNU Radio version 3.6 is already installed. Using this version of GNU Radio is essential, as Airprobe is incompatible with version 3.7. Once you have a version of Linux and GNU Radio 3.6 installed you can install the dependencies needed by Airprobe and the additional libraries that are required.</p></li>
<li><p>5.1 Airprobe Basic Dependencies</p><pre>sudo apt-get -y install git-core autoconf automake libtool g++ \
    python-dev swig libpcap0.8-dev gnuradio-dev cmake git \
    libboost-all-dev libusb-1.0-0 libusb-1.0-0-dev libfftw3-dev swig python-numpy</pre>
<p>5.2 Install libosmocore library</p><pre>git clone git://git.osmocom.org/libosmocore.git
cd libosmocore
autoreconf -i
./configure
make
sudo make install
sudo ldconfig</pre>
<p>5.3 Clone Airprobe</p><pre>git clone git://git.gnumonks.org/airprobe.git</pre>
<p>5.4 Install gsmdecode</p><pre>cd airprobe/gsmdecode
./bootstrap
./configure
make</pre>
<p>5.5 Install gsm-receiver</p><pre>cd airprobe/gsm-receiver
./bootstrap
./configure
make</pre>
<p>6. Receiving a Channel</p><p>After all dependencies, libraries, and additional software have been installed, the RTL-SDR device should be able to decode a live channel. First open a terminal window, type wireshark and press Enter to start Wireshark.</p><p>Next, navigate to the directory below in the terminal window.</p><pre>cd airprobe/gsm-receiver/src/python</pre><p>From that directory, enter the following command in the terminal window to receive a GSM channel. The -s flag sets the sample rate to 1.0 MSPS; if you leave out this flag the default sample rate is 1.8 MSPS.</p><pre>./gsm_receive_rtl.py -s 1e6</pre></li>
<li><p>Figure 1: Receiving a GSM Signal [1]</p><p>In Figure 1, there is a window titled Top Block. This is the spectrum of the GSM channel; you will need to click in the middle of the GSM channel to start capturing traffic. After you have clicked you should start seeing traffic in Wireshark. To stop capturing traffic, go back to the terminal window running the gsm_receive command and interrupt it with Ctrl+C.</p></li>
<li><p>7. Logical Architecture</p><p>Figure 2: Logical Architecture of Capture Station and Test Bed Architecture</p><p>The logical architecture used to capture GSM signals is comprised of three components: the Capture Station, the Base Station Subsystem (BSS), and the Mobile Station (MS).</p><p>7.1 Base Station Subsystem (BSS)</p><p>The BSS is responsible for managing mobile subscribers over a radio interface to the network they are attempting to access [1]. Two components comprise the BSS: the Open Base Transceiver Station (OpenBTS) and the Base Station Controller (BSC). The OpenBTS used in this BSS setup is an open source product and is normally called a BTS; OpenBTS functions in the same manner as a normal BTS. OpenBTS allows a call to be maintained while it is carried over the network and tries to minimize any interference that may occur over the air. While OpenBTS maintains the connection, the BSC manages the network: it manages incoming and outgoing calls from the MS, handles the transfer of a connection when an MS is in motion, and performs other management functions.</p><p>7.2 Capture Station</p><p>The capture station is also comprised of two components: a computer running Linux and the Software Defined Radio dongle.</p><p>7.3 Mobile Station (MS)</p><p>The Mobile Station is the cellular device, in this case a GSM phone together with its GSM SIM card.</p></li>
<li><p>8. Physical Architecture</p><p>Figure 3: Physical Architecture of Capture Station and Test Bed</p><p>The BSS and Capture Station are fairly independent of each other. However, the capture station can be used to scan the network while an MS and the BSS are communicating. This is done through the radio frequency signals generated by the GSM network: the RTL-SDR device scans the GSM frequency to find a signal and then captures the packets exchanged between the MS and the BSS. There is no direct wired link, as everything is captured over the air interface.</p></li>
<li><p>9. Ladder Diagram</p><p>Figure 4: Establishment of Signaling Channel [2]</p><p>In theory this is what would have been captured had we succeeded in tracing the packets over the OpenBTS network. Since we were not able to complete a call via the network, this is how GSM signaling would have been captured. In Figure 3, the first message shown on the ladder diagram is the mobile device sending a channel request to the BTS. The RACH message (Random Access Channel) is sent by the mobile device to the network when it first connects, in order to establish a channel. When a dedicated channel can be established for the mobile device, the network sends a Standalone Dedicated Control Channel (SDCCH) message. This message is signaled from the BSC to the BTS and is used to establish a dedicated channel. Once the BTS acknowledges that this will be the dedicated channel, the BSC assigns the channel to the mobile device. In this example an AGCH message is sent to the mobile device before the dedicated channel is established. The AGCH message contains information about which channel will be dedicated to the subscriber. After the mobile device receives this message, SDCCH is used to establish the dedicated channel between the mobile device (subscriber) and the network.</p></li>
<li><p>Figure 5: Establishment of Bearer Channel [2]</p><p>After a signaling connection has been established, traffic can flow. However, a few additional messages must be sent in order to establish a voice call. In Figure 3, the last transmission message sent is the SDCCH. This message travels through the BTS and BSC and is then passed on to the Mobile Switching Center (MSC). The primary responsibility of the MSC is to establish a link between the mobile-originated call and the mobile-terminated call, as well as to manage mobile services such as registration, authentication, location update, handovers, and call routing. The MSC then sends a Traffic Channel (TCH) message, which verifies with the BSC that a traffic channel is available. Once the BTS verifies that a channel is available it sends an acknowledge message to the BSC. The BSC then sends an SDCCH message to the mobile device stating that a TCH is available for the call. From this point you can see on the left side of Figure 4 that the top half was established by SDCCH and the lower half of the communication is established using FACCH and TCH. The mobile device then sends a Fast Associated Control Channel (FACCH) message to the BSC. FACCH is used to send high-priority control messages, in this case to inform the MSC that the TCH has been established.</p>
<p>10. Conclusion</p><p>While I was not able to capture the traffic over the OpenBTS network Sushma created, I was able to test the SDR device with Martin OSheilds GSM network. However, due to time constraints I was unable to capture any packets through Wireshark. The RTL-SDR dongle requires some finesse when using it. It is necessary to calibrate the dongle because there is an offset between the actual frequency transmitted by the network and the frequency the dongle receives. An impromptu scan of a GSM network was completed; however, in my haste I was unable to capture anything in Wireshark due to not specifying the interface to scan. However, what was hopeful is that in previous test captures the terminal window displayed zeros when scanning the OpenBTS network. This was in part because the GSM phone could not authenticate with the OpenBTS, or because the OpenBTS network did not work properly. It was discovered that there could be some issues with the Range Network device that doesn't allow any sort of signal to be broadcast. This could be another reason why I only picked up zeros during a packet capture. In the impromptu testing of OSheilds GSM network, I no longer saw zeros in the terminal screen; data started to come through, which I wish I had screen captured to show results, but I ended up exiting the terminal before realizing I should have taken a screenshot.</p><p>I am now hopeful that the RTL-SDR device does in fact pick up GSM signals; now it is a matter of getting the proper commands to properly calibrate the RTL-SDR, then using that calibration info to receive a...</p></li></ul>
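The conclusion above notes that nothing reached Wireshark because no capture interface was chosen. Airprobe's gsm_receive_rtl.py hands decoded downlink bursts to Wireshark as GSMTAP datagrams on UDP port 4729 of the loopback interface (an assumption here; the report does not say so), so that is the interface to capture on. The parser below is an added example, not code from the report or from Airprobe: it decodes the GSMTAP v2 header the way Wireshark does, tallies frames by the logical channels named in the ladder diagrams (RACH, AGCH, SDCCH, TCH), and checks that only downlink frames appear, which is what Airprobe's downlink-only decoding should produce. The header constants are from osmocom's gsmtap.h; the sample datagrams are constructed, not captured.

```python
import struct

# GSMTAP v2 header constants (osmocom gsmtap.h); assumed to be what Airprobe emits
GSMTAP_TYPE_UM = 0x01        # Um air-interface frame
ARFCN_F_UPLINK = 0x4000      # direction flag carried in the 16-bit ARFCN field
ARFCN_MASK = 0x3FFF
# sub_type values for the logical channels in the report's ladder diagrams
CHANNELS = {0x03: "RACH", 0x04: "AGCH", 0x06: "SDCCH", 0x09: "TCH/F", 0x0A: "TCH/H"}

def parse_gsmtap(datagram: bytes) -> dict:
    """Parse one GSMTAP v2 datagram (the UDP payload Wireshark decodes on lo:4729)."""
    if len(datagram) < 16:
        raise ValueError("truncated GSMTAP header")
    version, hdr_words, gtype, timeslot = struct.unpack_from("!BBBB", datagram, 0)
    if version != 2 or gtype != GSMTAP_TYPE_UM:
        raise ValueError(f"unsupported GSMTAP version/type {version}/{gtype}")
    hdr_len = hdr_words * 4                      # header length counts 32-bit words
    if hdr_len < 16 or hdr_len > len(datagram):
        raise ValueError("header length inconsistent with datagram size")
    arfcn_field, signal_dbm, _snr, fn, sub_type = struct.unpack_from("!HbbIB", datagram, 4)
    return {"arfcn": arfcn_field & ARFCN_MASK, "uplink": bool(arfcn_field & ARFCN_F_UPLINK),
            "timeslot": timeslot, "frame_number": fn, "signal_dbm": signal_dbm,
            "channel": CHANNELS.get(sub_type, f"other({sub_type:#x})"),
            "payload": datagram[hdr_len:]}

def build_gsmtap(arfcn, sub_type, fn, payload, uplink=False, timeslot=0, signal_dbm=-60):
    """Build a GSMTAP v2 datagram; used here only to construct offline sample input."""
    arfcn_field = arfcn | (ARFCN_F_UPLINK if uplink else 0)
    hdr = struct.pack("!BBBBHbbIBBBB", 2, 4, GSMTAP_TYPE_UM, timeslot,
                      arfcn_field, signal_dbm, 0, fn, sub_type, 0, 0, 0)
    return hdr + payload

def channel_summary(datagrams):
    """Count frames per (direction, logical channel). Airprobe decodes only the
    downlink, so a live capture is expected to show DL entries only."""
    summary = {}
    for d in datagrams:
        f = parse_gsmtap(d)
        key = ("UL" if f["uplink"] else "DL", f["channel"])
        summary[key] = summary.get(key, 0) + 1
    return summary

# Constructed sample (not a real capture): the downlink half of the signalling-channel
# setup from Figure 4, an AGCH assignment followed by two SDCCH frames on ARFCN 51.
SAMPLE = [
    build_gsmtap(51, 0x04, 1000, b"\x2d\x06\x3f"),   # AGCH block
    build_gsmtap(51, 0x06, 1051, b"\x03\x3f"),       # SDCCH
    build_gsmtap(51, 0x06, 1102, b"\x01\x3f"),       # SDCCH
]
```

In Wireshark, selecting the loopback interface with the capture filter udp port 4729 is enough for its built-in GSMTAP dissector to show the same fields this parser extracts.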