
GSM sniffer practice report

2025-02-27 Update From: SLTechnology News&Howtos shulou


I. Statement

This topic is very sensitive domestically. People abroad have been playing with it for two or three years, but it has only recently become popular here. In short, this report is for research purposes only, not for illegal use; violators bear the consequences themselves!

II. Brief introduction of OsmocomBB

OsmocomBB is an open source implementation of the GSM protocol stack; the full name is Open source mobile communication Baseband. Its aim is to implement all three layers of the mobile phone side, from the physical layer (layer 1) to layer 3. At present, however, the physical layer itself has no real open source implementation, and there is no plan for one for the time being; only control of the physical layer is implemented. This is because the real physical layer runs on the DSP core of the baseband processor and involves the implementation of many signal processing algorithms and a lot of RF hardware.

The OsmocomBB project began in 2010, and so far, there is no real-time operating system support, no implementation of GPRS, and implementation of mobile management (Mobility Management), so many volunteers are needed.

So far, the cheapest listening equipment costs only a few dozen yuan. For example, with the Motorola C118 used in this experiment, all you need is the ability to read English and compile Linux programs. The technology is quite mature and has an open source implementation. It is known that some people use this technology to experiment with SMS sniffing, call monitoring, GPRS traffic monitoring, real-time location monitoring, signal interference and so on, so the potential harm is considerable. There are now quite mature SMS sniffing tutorials on the Internet, while the other techniques are mostly kept private. If you want to do research, you have to go to foreign websites to learn.

III. Preliminary preparation

If you want to carry out the OsmocomBB experiment, you must first buy the relevant hardware. Taking my own case as an example, first go to Taobao at

http://item.taobao.com/item.htm?id=35569340806 to buy a Motorola C118.

Then go to radiowar's Taobao store to buy the related accessories.

http://meal.taobao.com/mealDetail.htm?spm=2013.1.1000371.d9.oqhSSm&meal_id=88452519&item_num_id=35107847811&seller_id=817724908

After buying the equipment, there are a few things to pay attention to. First of all, the wiring:

GND = black, TX = red, RX = white, as shown in the following figure

One small thing to pay attention to here is that it is best to connect TX = red on the reverse side (note the details in the diagram). In my experience during the experiment, this gives a higher success rate when writing firmware to the phone. Next, the plug of the data cable needs to be trimmed, otherwise the contact will be bad (a lesson learned the hard way!).

Then you just need to connect the data cable to the Motorola's audio port and the USB end to a USB port on the computer. When it is connected to the computer's USB port, the blue light comes on, and when the orange light stays on, the connection is successful.

IV. OsmocomBB installation process

My experimental environment here is:

VMware 8.0 + Ubuntu 12.04 (32-bit)

Download address of Ubuntu 12.04:

http://120.198.238.81/down2.chinaunix.net/57165595ee21902bcb5cc9d2751e1bdc/disc/ubuntu/12.04/ubuntu-12.04-desktop-i386.iso

After installing Ubuntu 12.04, type on the command line

$ sudo passwd root

This sets a password for the root user. Then restart the system and log in as root.

The next step is to install the packages needed to compile osmocomBB:

# aptitude install libtool shtool autoconf git-core pkg-config make gcc

Install GnuARM ToolChain

# wget http://gnuarm.com/bu-2.15_gcc-3.4.3-c-c++-java_nl-1.12.0_gi-6.1.tar.bz2

# tar xf bu-2.15_gcc-3.4.3-c-c++-java_nl-1.12.0_gi-6.1.tar.bz2

# mv gnuarm-* ~/gnuarm

Set the environment variable

# export PATH=~/gnuarm/bin:$PATH

Compile libosmocore

# git clone git://git.osmocom.org/libosmocore.git

# cd libosmocore/

# autoreconf -i

# ./configure

# make

# make install

# cd ..

# ldconfig

Compile OsmocomBB:

# git clone git://git.osmocom.org/osmocom-bb.git

# cd osmocom-bb

# git checkout --track origin/luca/gsmmap

# cd src

# make

During the installation process, you can refer to the following websites:

Osmocombb-sms-sniffer of http://www.creturn.com/radiowar-

http://wiki.radiowar.org/OsmocomBBInstallation

http://wulujia.com/2013/11/10/OsmocomBB-Guide/

V. Start the experiment

Next, assign the computer's USB interface to the virtual machine, as shown in the figure.

After the USB device is connected to the virtual machine, we write the firmware into the phone. One point to note here: many people call this flashing the firmware, which leads others to mistake it for reflashing the phone. In fact, the firmware is only loaded into the phone's RAM for execution, so don't worry that the phone will stop working after the firmware is loaded.

Enter the command:

# cd ~/osmocom-bb/src/host/osmocon/

# ./osmocon -m c123xor -p /dev/ttyUSB0 ../../target/firmware/board/compal_e88/layer1.compalram.bin

After running the command, gently press the phone's red power button. A short press is enough; there is no need to boot into the phone's system! When the content shown in the figure appears, it indicates success.

When the firmware has been written successfully, the phone screen displays words like this:

Layer 1

Osmocom bb

Next, open another window and enter the command to scan nearby base stations:

# ~/osmocom-bb/src/host/layer23/src/misc/cell_log

Here is a brief description of the returned results. A total of Unicom base stations are scanned this time; look at the "(china,china Unicom)" in parentheses. Next is the ARFCN parameter, which identifies the channel. It is used later, so record it. The PWR value represents the signal strength. If PWR is less than -100, it can basically be considered as no signal.

Next, we open another window and start scanning one base station to sniff for SMS messages, for example ARFCN 709:

# ~/osmocom-bb/src/host/layer23/src/misc/ccch_scan -i 127.0.0.1 -a 709

Before actually running this command, enter the following command to save the packets from the scanned base station locally:

# dumpcap -i lo -w /sniffer.log

Of course, you can also open Wireshark to monitor the relevant information in real time:

# wireshark -k -i lo -f 'port 4729'

OK, let's start sniffing

When blue output appears, the sniffing is successful and the phone is already capturing the base station's packets. If the output is red, as in the following picture, the surrounding signal is poor: as mentioned earlier, if the PWR value is less than -100 the program cannot synchronize with the base station, so it crashes and starts all over again. In that case, move to a place where the signal is good.
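
The capture filter above selects UDP port 4729, the port used by GSMTAP, the encapsulation in which each captured frame travels over the loopback interface. As an added example (not part of the original report and not OsmocomBB code), the following Python code decodes the fixed 16-byte GSMTAP version 2 header of one UDP payload and flags frames below the -100 level discussed above. The sample bytes are constructed, and applying the PWR threshold from cell_log to the header's signal field is an assumption.

```python
import struct

GSMTAP_PORT = 4729          # UDP port used in the capture filter above
ARFCN_F_UPLINK = 0x4000     # flag bit carried in the ARFCN field
ARFCN_MASK = 0x3FFF         # low 14 bits hold the ARFCN itself
WEAK_DBM = -100             # the report's "basically no signal" level (assumed to apply here)

CHANNELS = {0x01: "BCCH", 0x02: "CCCH", 0x03: "RACH", 0x04: "AGCH",
            0x05: "PCH", 0x06: "SDCCH", 0x07: "SDCCH/4", 0x08: "SDCCH/8"}


def parse_gsmtap(payload: bytes) -> dict:
    """Decode the fixed 16-byte GSMTAP v2 header of one UDP payload."""
    if len(payload) < 16:
        raise ValueError("shorter than a GSMTAP header")
    (version, hdr_words, ptype, timeslot, arfcn_raw, signal_dbm, snr_db,
     frame_no, sub_type, antenna, sub_slot, _res) = struct.unpack(
        "!BBBBHbbIBBBB", payload[:16])
    if version != 2:
        raise ValueError(f"unsupported GSMTAP version {version}")
    hdr_len = hdr_words * 4  # header length is counted in 32-bit words
    if hdr_len < 16 or hdr_len > len(payload):
        raise ValueError("bad header length")
    return {
        "type": ptype,
        "timeslot": timeslot,
        "arfcn": arfcn_raw & ARFCN_MASK,
        "uplink": bool(arfcn_raw & ARFCN_F_UPLINK),
        "signal_dbm": signal_dbm,
        "weak": signal_dbm < WEAK_DBM,
        "frame_number": frame_no,
        "channel": CHANNELS.get(sub_type, f"0x{sub_type:02x}"),
        "l2_len": len(payload) - hdr_len,  # bytes of layer 2 data after the header
    }


# Constructed sample: ARFCN 709, downlink, -67 dBm, BCCH, 23 zero bytes as a dummy frame.
SAMPLE = struct.pack("!BBBBHbbIBBBB", 2, 4, 1, 0, 709, -67, 0,
                     1234567, 0x01, 0, 0, 0) + bytes(23)

if __name__ == "__main__":
    print(parse_gsmtap(SAMPLE))
```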

VI. View data packets

Open sniffer.log with Wireshark

You can see that there are a lot of packets inside, and we need to filter them. Type gsm_sms in the filter box and click Apply.

Finally, I would like to mention that in theory, eight mobile phones can sniff the communications of all nearby base stations, including sent and received text messages. Some people on the Internet have tried it, but of course a poor student cannot afford to play with such a high-end setup; I will study it again later when I have the chance.
