The big GSM write-up – how to capture, analyze and crack GSM? – 2.

So. I had some requests asking me about how I did what I did with GSM. What tools did I use, what hardware and what options?
Since I believe strongly that GSM needs to be “out in the hands of the people” meaning everybody should have access to cheap hardware and free, opensource software that helps understanding GSM in practice I thought I will create a series of write-ups describing the whole process from the beginning.
Enjoy! :-)

Second step: get your environment up and running


native (!) Linux system for OsmocomBB, virtualized/native Linux for RTL-SDR

An easy way to install a native Linux system is using Wubi.

1. RTL-SDR :
This article is the best, it simply covers the whole process from A to Z.

To get the best reception you should always calibrate your RTL-SDR dongle:

It is important to know that decoding GSM requires quite an amount of processing power (even more if you do it in real-time using gsm_receive) so if you use it in a virtual machine don’t forget to give it at least 2 processor cores. On my machine (Core i5 first generation) using just one core gsm_receive wasn’t usable at all.

2. OsmocomBB:

I assume you completed the first step, so you already have libosmocore installed (!).
First of all you will need to set up an ARM cross compiler, like this:

  tar xf bu-2.15_gcc-3.4.3-c-c++-java_nl-1.12.0_gi-6.1.tar.bz2

UPDATE: instead of the above use this tutorial to get a toolchain:

Then clone the OsmocomBB git repository and compile it:

  git clone git://
  cd osmocom-bb/src
  export PATH=$PATH:/path/to/the/toolchain/gnuarm-3.4.3/bin

Now it is a good time to do some testing whether OsmocomBB compiled fine or not. Connect your OsmocomBB phone to your PC and run the following command (assuming you are in the src directory):

./host/osmocon/osmocon -p /dev/ttyUSB0 -m c123xor -c ./target/firmware/board/compal_e88/rssi.highram.bin ./target/firmware/board/compal_e88/chainload.compalram.bin

If everything is fine your phone should have the RSSI firmware loaded. If you get errors while loading the firmware you need to make sure your cable is fine and you are not using a virtual machine (the virtualized USB controller tends to mess up timings causing the chainloader code to fail).

Now that you can compile and run OsmocomBB code you will be able to run the my modified version of it (will be posted soon).

This entry was posted in Ethical Hacking, Publikációk. Bookmark the permalink.

14 Responses to The big GSM write-up – how to capture, analyze and crack GSM? – 2.

  1. Pingback: Receiving, Decoding and Decrypting GSM Signals with the RTL-SDR -

  2. Caleb says:

    when will you post the modified OsmocomBB code? :D

    this could just be me, but “native linux system for SomeSoftware” sounds like ubuntu, not specifically a device which will receive firmware.

    • domi007 says:

      The patch file needs to be cleaned, but after that I will upload it to my gsm repo for sure.

      When I say native linux I mean ubuntu, debian, even OS X could be fine. What I wanted to emphasize with that is virtualized Linux envuronment will not work for you, because Osmocom heavily relies on timing and the virtualized USB drivers tend to fail on this area.
      I had a half day of debugging to figure it out why the code doesn’t work in VMware Ubuntu – turned out a native installation did the job.

    • domi007 says:

      I just tried it and it works for me.

      • teja says:

        can i know the processor how you done this one
        and the coding step by step if you dont mine

        Gsm sniffers using rtl sdr

        in this i should find the strong gsm signal using spectrum
        frequency analyser and
        i should dcode the data
        so i need some help plz
        thnk you

  3. Max says:

    for what you take osmocom-bb in your instructions?

    That has nothing to do with rtl-sdr? What do you want to read it?

    thank you

    • domi007 says:

      I used osmocom-bb to do the TMSI-uncover attack (phone number to TMSI). It has nothing to do with RTL-SDR, but in a classic attack scenario when you only have a phone number this would be your step #1.

  4. inesa says:

    The link downloading from gnuarm is you have other link,please

  5. sumesh says:

    Very nice write up. I have a question. It is said as “Connect your OsmocomBB phone to your PC…”. Well, mine is iPhone. Can I do the steps with that?


    • domi007 says:

      I’m not sure, OsmocomBB is really picky about compilers, it’s better to stick with the one that works

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>