As I mentioned in my previous article, I would cover calibrating the device for GSM and decoding ADS-B messages in an upcoming article, so here is a useful guide to get familiar with these methods.
This article is the second part of the Software Defined Radios series.
RTLSDR also allows us to view GSM traffic using a tool called kal or kalibrate-rtl. This tool can scan for GSM base stations in a frequency band. In this recipe, we will learn how to use kalibrate and then confirm the channel in GQRX.
Following are the steps to use kalibrate:
Most countries use the GSM900 band; in the USA, it is GSM850. We will use the following command to scan for GSM base stations:
kal -s GSM900 -g 40
The following screenshot shows the output of the preceding command:

In a few minutes, it will show us a list of base stations:

We note the frequency; in our case, we will use 947.6 MHz along with the offset.
Now we open GQRX and enter it in the Receiver Options window:

We can see in the waterfall that the device is able to catch signals perfectly.
Now we will look at this data at the packet level. We will use a tool known as gr-gsm.
It can be installed using apt install gr-gsm:

Once it is done, if we type grgsm_ and press the Tab key, we will see a list of different tools available for us.
First, we will use grgsm_livemon to monitor the GSM packets live. We'll open the terminal and type grgsm_livemon:

In the new window that opens, we will switch to the frequency we captured in the previous steps using kalibrate:

We can zoom into a particular range by dragging and selecting the area on the graphical window.
In a new terminal window, we start Wireshark by typing wireshark.
We then set the adapter to Loopback: lo and start our packet capture.
Next, we add the filter gsmtap:

The packets should now appear in the packet list. Look for a packet labeled System Information Type 3 and open it:

We will see the system information such as the Mobile Country Code (MCC), Mobile Network Code (MNC), and Location Area Code (LAC):

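To make the Wireshark step concrete, here is an added example (not code from the article or from gr-gsm) that decodes one GSMTAP datagram of the kind grgsm_livemon sends to the loopback interface and extracts the same System Information Type 3 fields Wireshark shows, plus the ARFCN-to-frequency conversion behind the 947.6 MHz carrier. The packet bytes, the frame number and the MCC/MNC/LAC values are constructed for the example.

```python
# Added example (not from the article or gr-gsm): decode one GSMTAP datagram
# of the kind grgsm_livemon sends to UDP port 4729 on lo, pulling the fields
# Wireshark shows for System Information Type 3. The bytes are constructed;
# MCC 001 / MNC 01 are test-network values, not a real operator.
import struct

GSMTAP_VERSION, GSMTAP_TYPE_UM, GSMTAP_CHANNEL_BCCH = 0x02, 0x01, 0x01
SI3_MESSAGE_TYPE = 0x1B        # RR System Information Type 3 (3GPP TS 44.018)

def arfcn_to_downlink_mhz(arfcn: int) -> float:
    """Downlink carrier for the two bands kalibrate scans here (GSM900, GSM850)."""
    if 0 <= arfcn <= 124:
        return round(935.0 + 0.2 * arfcn, 1)
    if 128 <= arfcn <= 251:
        return round(869.2 + 0.2 * (arfcn - 128), 1)
    raise ValueError(f"ARFCN {arfcn} is not in GSM900/GSM850")

def decode_lai(lai: bytes) -> tuple:
    """Location Area Identification (TS 24.008 10.5.1.3): BCD MCC/MNC + 16-bit LAC."""
    lo = [b & 0x0F for b in lai[:3]]
    hi = [b >> 4 for b in lai[:3]]
    mcc = f"{lo[0]}{hi[0]}{lo[1]}"
    mnc = f"{lo[2]}{hi[2]}" + ("" if hi[1] == 0xF else str(hi[1]))   # 2- or 3-digit MNC
    return mcc, mnc, struct.unpack("!H", lai[3:5])[0]

def decode_si3_datagram(dgram: bytes) -> dict:
    """Parse the GSMTAP header, then the SI3 body behind it."""
    version, hdr_len, typ, _ts, arfcn, _dbm, _snr, fn, sub_type = struct.unpack(
        "!BBBBHbbIB", dgram[:13])
    if version != GSMTAP_VERSION or typ != GSMTAP_TYPE_UM:
        raise ValueError("not a GSMTAP Um frame")
    body = dgram[hdr_len * 4:]                    # header length is in 32-bit words
    # body[0] is the L2 pseudo-length, body[1] the protocol discriminator (RR)
    if sub_type != GSMTAP_CHANNEL_BCCH or body[2] != SI3_MESSAGE_TYPE:
        raise ValueError("not System Information Type 3")
    arfcn &= 0x3FFF                               # strip PCS/uplink flag bits
    mcc, mnc, lac = decode_lai(body[5:10])
    return {"arfcn": arfcn, "freq_mhz": arfcn_to_downlink_mhz(arfcn), "frame_number": fn,
            "cell_id": struct.unpack("!H", body[3:5])[0], "mcc": mcc, "mnc": mnc, "lac": lac}

# Constructed datagram: 16-byte GSMTAP header for BCCH on ARFCN 63 (947.6 MHz, the
# carrier kalibrate found above) + 23-byte SI3 with LAI = MCC 001 / MNC 01 / LAC 1.
SAMPLE_DGRAM = (
    struct.pack("!BBBBHbbIBBBB", 2, 4, 1, 0, 63, -60, 20, 123456, 1, 0, 0, 0)
    + bytes.fromhex("49 06 1b 0001 00f110 0001" + "00" * 13)
)
```

Calling decode_si3_datagram(SAMPLE_DGRAM) returns the ARFCN, carrier frequency, cell identity and LAI fields that the Wireshark dissector displays for the same packet.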
With this, we have learned how GSM packets travel over the air and how to inspect them.
Here are some great videos to give you a better understanding of GSM sniffing.
Decoding ADS-B messages with Dump1090
ADS-B stands for Automatic Dependent Surveillance-Broadcast. It is a system in which electronic equipment onboard an aircraft automatically broadcasts the precise location of the aircraft via a digital data link.
As described in the official readme of the tool, Dump1090 is a Mode S decoder specifically designed for RTLSDR devices.
The main features are:
- Robust decoding of weak messages. With Dump1090, many users observed improved range compared to other popular decoders.
- Network support: TCP 30003 stream (MSG5), raw packets, HTTP.
- Embedded HTTP server that displays the currently detected aircraft on Google Maps.
- Single-bit error correction using the 24-bit CRC.
- Ability to decode DF11 and DF17 messages.
- Ability to decode DF formats such as DF0, DF4, DF5, DF16, DF20, and DF21, where the checksum is XOR-ed with the ICAO address, by brute-forcing the checksum field against ICAO addresses already captured from DF11 and DF17 messages.
- Decode raw IQ samples from a file (using the --ifile command-line switch).
- Interactive CLI mode where the aircraft currently detected are shown as a list, refreshing as more data arrives.
- CPR coordinate decoding and track calculation from velocity.
- TCP server streaming and receiving raw data to/from connected clients (using --net).
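The three CRC-related items in that list (the 24-bit CRC, single-bit correction, and recovering the ICAO address from the checksum field of DF0/4/5/16/20/21) fit in a short worked example. The code below is added here and is not dump1090's own code; the generator polynomial is the Mode S one, and the frames are constructed with their parity computed in the example rather than captured from an aircraft.

```python
# Added example, not dump1090's code: Mode S 24-bit CRC handling as the
# feature list above describes it. The frames below are constructed, with
# parity computed here rather than captured over the air.
GENERATOR = (1 << 24) | 0xFFF409   # Mode S generator polynomial x^24 + ... + 1

def crc24(frame: bytes) -> int:
    """Remainder of the whole frame (data + parity) modulo the generator.
    Correct DF11/DF17 -> 0; for DF0/4/5/16/20/21 the sender XORs its ICAO
    address into the parity field, so a correct frame yields that address."""
    m = int.from_bytes(frame, "big")
    for i in range(len(frame) * 8 - 1, 23, -1):   # schoolbook polynomial division
        if (m >> i) & 1:
            m ^= GENERATOR << (i - 24)
    return m & 0xFFFFFF

def build_frame(payload: bytes, icao_in_parity: int = 0) -> bytes:
    """Append the parity field, optionally overlaid with the ICAO address (AP)."""
    parity = crc24(payload + b"\x00\x00\x00") ^ icao_in_parity
    return payload + parity.to_bytes(3, "big")

def decode_frame(frame: bytes, known_icaos: set) -> dict:
    """Validate one frame and recover its ICAO address by downlink format (DF)."""
    df = frame[0] >> 3
    if df in (11, 17):                     # address in the clear, parity must be zero
        return {"df": df, "icao": int.from_bytes(frame[1:4], "big"),
                "crc_ok": crc24(frame) == 0}
    if df in (0, 4, 5, 16, 20, 21):
        # The remainder *is* the address; trust it only if a DF11/DF17 frame
        # already announced it (the brute-force match from the feature list).
        icao = crc24(frame)
        return {"df": df, "icao": icao, "crc_ok": icao in known_icaos}
    return {"df": df, "icao": None, "crc_ok": False}

def fix_single_bit(frame: bytes):
    """Single-bit error correction for DF11/DF17: the one flip that zeroes the CRC."""
    if crc24(frame) == 0:
        return frame
    m = int.from_bytes(frame, "big")
    for i in range(len(frame) * 8):
        cand = (m ^ (1 << i)).to_bytes(len(frame), "big")
        if crc24(cand) == 0:
            return cand
    return None                            # more than one bit wrong: discard

# Constructed samples: a 112-bit DF17 frame and a 56-bit DF4 altitude reply
# from the same aircraft; 0x4840D6 is an illustrative ICAO address.
ICAO = 0x4840D6
DF17_FRAME = build_frame(bytes.fromhex("8D4840D6202CC371C32CE0"))
DF4_FRAME = build_frame(bytes.fromhex("20000B1A"), icao_in_parity=ICAO)
```

Feeding DF4_FRAME to decode_frame with an empty known-address set reports crc_ok as False, and True once the DF17 frame's address has been seen, which is exactly why the brute-force step depends on addresses captured earlier.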
In this section, we will use the tool to look at air traffic with visuals.
Following are the steps to use Dump1090:
We can download the tool from the Git repo using the command git clone https://github.com/antirez/dump1090.git
Once downloaded, we go to the folder and run make.
We should now have an executable. We can run the tool using the following command:
./dump1090 --interactive --net
The following screenshot shows the output of the preceding command:

In a few minutes, we should see the flights, and by opening the browser to http://localhost:8080, we will be able to see the flights on the map as well.
More about this can be learned from here. Now let me recommend you some other practical guides about penetration testing of Remote Access Protocols, Remote Desktop Protocol, SSH Network Protocol, Network Routers, Wordpress website using WPSeku,