Intercept your own GSM signal with RTL SDR

In this tutorial I use Kali 2.0 Sana (it should work with Debian too) and an RTL-SDR dongle. If you have them, open up a shell…
First step : Dependencies

# sudo apt-get -y install git-core cmake g++ python-dev swig \
pkg-config libfftw3-dev libboost-all-dev libcppunit-dev libgsl0-dev \
libusb-dev libsdl1.2-dev python-wxgtk3.0 python-numpy \
python-cheetah python-lxml doxygen libxi-dev python-sip \
libqt4-opengl-dev libqwt-dev libfontconfig1-dev libxrender-dev \
python-sip python-sip-dev gnuradio libtalloc-dev libpcsclite-dev

Second step : Libosmocore

# cd /root
# git clone git://git.osmocom.org/libosmocore.git
# cd libosmocore
# autoreconf -i
# ./configure --prefix=/root
# make
# make install
# ldconfig

Third step : Airprobe and zmiana patch :

# cd /root
# git clone git://github.com/scateu/airprobe-3.7-hackrf-patch
# git clone git://github.com/ksnieck/airprobe
# cp /root/airprobe-3.7-hackrf-patch/zmiana.patch /root/airprobe/zmiana.patch
# cd airprobe
# export PKG_CONFIG_PATH=/root/lib/pkgconfig
# patch -p1 < zmiana.patch
# cd gsm-receiver
# ./bootstrap
# autoreconf -i
# ./configure --prefix=/root
# make
# make install
# ldconfig
# cd ../gsmdecode
# ./bootstrap
# ./configure --prefix=/root
# make
# make install
# ldconfig

Last step of install on PC : Java RE and Topguw
Download JRE

# cd /root
# git clone git://github.com/bastienjalbert/topguw

Now you can run topguw by typing

# cd topguw
# cd dist
# 'path_to_your_jre/bin/java' -jar topguw_git.jar

Now you have two choices: you can download 1.6 TB of rainbow tables to feed Kraken and find the Kc (ciphering key) close to your antenna, or, if you have a MediaTek device (Wiko [confirmed with the Wiko Lenny], HTC, Huawei [confirmed with the Y330-U01]…) and it is rooted, you can retrieve your Kc by opening a shell on your phone and typing

$ su
# cat /dev/radio/atci1 &
# kc () {
  # READ BINARY (176) of EF_Kc (file 20256 = 0x4F20): 9 bytes, the 8-byte Kc followed by the key sequence number
  echo -e "AT+CRSM=176,20256,0,0,9\r" > /dev/radio/atci1
}

Now in your terminal emulator you just have to type kc to retrieve your Kc; the backgrounded cat prints the modem's response. Do not forget to kill the cat process when you have finished, by typing kill -9 2345, where 2345 is its process ID. You also need to know your ARFCN to work out your frequency. To find it, install MTK Engineering Mode from Google Play, open it, go to Telephony > Network Selecting and choose GSM only, then go to Network Info, select RR Meas Rep and check the information shown: you will see your ARFCN.
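The tutorial leaves the ARFCN-to-frequency step to the reader. As an added example (not part of the original post, nor code from topguw or airprobe), the Python below implements the 3GPP TS 45.005 mapping for the common GSM bands and returns the downlink frequency a receiver such as topguw would tune; the function names and the band argument are my own, and ARFCNs 512-810 are assumed to be DCS 1800 unless band="PCS1900" is passed, because DCS 1800 and PCS 1900 share that range.

```python
# Added example, not part of the original tutorial or of topguw/airprobe.
# Maps a GSM ARFCN (as shown by MTK Engineering Mode, RR Meas Rep) to the
# uplink and downlink carrier frequencies per 3GPP TS 45.005, section 2.
# The downlink (BTS -> phone) carrier is the one to select in topguw.
# Assumption: ARFCNs 512..810 are treated as DCS 1800 unless band="PCS1900"
# is given explicitly, since DCS 1800 and PCS 1900 overlap in that range.

BANDS = {
    # band: [(first_arfcn, last_arfcn, uplink_mhz_at_first, duplex_spacing_mhz), ...]
    "GSM900":  [(0, 124, 890.0, 45.0), (975, 1023, 880.2, 45.0)],  # P-GSM + E-GSM
    "GSM850":  [(128, 251, 824.2, 45.0)],
    "DCS1800": [(512, 885, 1710.2, 95.0)],
    "PCS1900": [(512, 810, 1850.2, 80.0)],
}


def arfcn_to_freq(arfcn, band=None):
    """Return (band, uplink_mhz, downlink_mhz) for an ARFCN.

    band: None to auto-detect (GSM900, GSM850, then DCS1800), or a key of BANDS.
    Raises ValueError when the ARFCN lies outside the chosen (or any) band.
    """
    candidates = [band] if band else ["GSM900", "GSM850", "DCS1800"]
    for name in candidates:
        for first, last, base, duplex in BANDS.get(name, []):
            if first <= arfcn <= last:
                uplink = base + 0.2 * (arfcn - first)   # 200 kHz channel raster
                return name, round(uplink, 4), round(uplink + duplex, 4)
    raise ValueError("ARFCN %d is not in %s" % (arfcn, band or "any supported GSM band"))


def downlink_hz(arfcn, band=None):
    """Downlink carrier in Hz, the form an SDR tuner (e.g. rtl_sdr -f) expects."""
    return int(round(arfcn_to_freq(arfcn, band)[2] * 1e6))


if __name__ == "__main__":
    import sys
    # With no arguments, show a P-GSM, an E-GSM and a DCS 1800 channel.
    for arg in sys.argv[1:] or ["62", "975", "700"]:
        name, ul, dl = arfcn_to_freq(int(arg))
        print("ARFCN %s: %s uplink %.1f MHz, downlink %.1f MHz (tune %d Hz)"
              % (arg, name, ul, dl, downlink_hz(int(arg))))
```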
Run topguw, start sniffing and select the frequency corresponding to your ARFCN. Send an SMS to yourself. Stop sniffing and check the go.sh configuration chosen by topguw.
Open Wireshark and listen on the interface lo.
Then open a shell and type

# cd /root/airprobe/gsm-receiver/src/python
# ./go.sh capture.cfile 64 0B 1234567890ABCDEF

where capture.cfile is the capture generated by topguw, 64 is the decimation rate for any RTL-SDR, 0B is the configuration found in topguw and 1234567890ABCDEF is your Kc.
At this step you should be able to see GSM SMS in Wireshark and read your SMS. Hope this helps…
