GSM 900 sniffing

... or a short story about osmocomBB

This is going to be a rather short post, mainly because I played with it a few years ago, so this is sort of ancient stuff compared to where the osmocomBB project is now.
Also, I do not have many photos and videos :D
Most probably I'll do another round with the current software branches and post the results someday.

Story

I am sort of an IT security nerd, so I track various events, monitor new bugs, releases etc. I was watching a stream from 27C3, the 27th annual Chaos Communication Congress, the other day and stumbled upon a talk by Harald "LaForge" Welte.
Harald's talks are always awesome, decent and deeply technical.
He was presenting the OsmocomBB project.
The Osmocom project focuses on various aspects of mobile communication, and OsmocomBB is a part of it. Of course, it is an Open Source project.

Here is an overview of his talk:
https://events.ccc.de/congress/2010/Fahrplan/events/3952.en.html
And here is a video of it:

I instantly knew I'd give it a try in my spare time.

Hardware

All you need to start playing is an old phone with a Calypso baseband chip in it, a serial converter and a Linux box.
Supported phones are listed on the project's website. I'm including the list here for convenience.

Designed + Manufactured by Compal, OEM by Motorola

  • Motorola C115/C117 (E87)
  • Motorola C123/C121/C118 (E88) -- our primary target
  • Motorola C140/C139 (E86)
  • Motorola C155 (E99) -- our secondary target
  • Motorola V171 (E68/E69)
  • Sony Ericsson J100i

Designed by Pirelli/Foxconn, manufactured by Foxconn

  • Pirelli DP-L10

Designed by Openmoko, manufactured by FIC

  • Neo 1973 (GTA01)
  • OpenMoko - Neo Freerunner (GTA02)

I've bought several of these since they are really cheap, $2-3 a piece.
The model that worked best for me was the Motorola C123.
Here is a photo of it:

Serial cable/converter

The connection is made through the earphone jack, which also happens to be a serial port on these phones. As for the serial converter, there are three main options.

  • PL2303 (cheap, only standard baud rates)
  • FT232 (expensive, non-standard baud rates, the voltage levels are set with the VCCIO pin, which you can measure)
  • CP2102 (medium price, non-standard baud rates)

I've checked all of the above converters and decided to stick with the FT232.
Here is a photo with a slightly trimmed earphone jack:

Results

Up-to-date instructions can be found on the project's website, so I'll skip them. Instead, just watch it in action :)

GSM 900 Sniffing from pit on Vimeo.

As you can see, I was able to route the GSM traffic through Wireshark.
Also, I load the firmware via simple bash scripts just for convenience, so I don't have to type all those rather long commands.
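For the curious, here is an added example of such a wrapper (written for this post, not the script I used back then and not part of the OsmocomBB project). It assumes a built osmocom-bb checkout under OSMOBB_ROOT, a C123 or C155 on the FT232 cable at /dev/ttyUSB0, and the osmocon/layer23 flags as the project wiki documented them at the time (-p port, -m load mode, -i GSMTAP destination); check `osmocon --help` on your branch.

```shell
#!/bin/sh
# Added example wrapper, not from the original post or the OsmocomBB project.
# Assumed layout: $OSMOBB_ROOT is a built osmocom-bb/src tree; phone on the
# FT232 cable at $SERIAL_PORT. Nothing is flashed: the firmware lives in the
# phone's RAM and is gone after the battery is pulled.
OSMOBB_ROOT="${OSMOBB_ROOT:-$HOME/osmocom-bb/src}"
SERIAL_PORT="${SERIAL_PORT:-/dev/ttyUSB0}"
GSMTAP_PORT=4729   # registered GSMTAP UDP port; layer23 sends here, Wireshark decodes it

# Map the two phones the post used to osmocon's load mode and the firmware
# board directory. Prints "<mode> <board>" and fails for anything else.
phone_params() {
    case "$1" in
        c123) echo "c123xor compal_e88" ;;   # Motorola C123/C121/C118 (E88)
        c155) echo "c155 compal_e99" ;;      # Motorola C155 (E99)
        *)    return 1 ;;
    esac
}

# Build the osmocon line that pushes the layer1 firmware into the phone over
# the earphone-jack serial port (flags assumed as in the project wiki).
osmocon_cmd() {
    params=$(phone_params "$1") || return 1
    mode=${params% *}; board=${params#* }
    echo "$OSMOBB_ROOT/host/osmocon/osmocon -p $SERIAL_PORT -m $mode" \
         "$OSMOBB_ROOT/target/firmware/board/$board/layer1.compalram.bin"
}

# Wireshark on loopback, capture filter narrowed to the GSMTAP port only.
wireshark_cmd() {
    echo "wireshark -k -i lo -f 'udp port $GSMTAP_PORT'"
}

# The serial device must exist and be writable (usually: dialout group).
check_port() {
    [ -c "$SERIAL_PORT" ] && [ -w "$SERIAL_PORT" ]
}

main() {
    check_port || { echo "serial port $SERIAL_PORT missing or not writable" >&2; exit 1; }
    eval "$(wireshark_cmd)" &            # start the decoder first
    eval "$(osmocon_cmd "$1")" &         # then load firmware; press the phone's power button
    sleep 1
    # ccch_scan reads the cell's broadcast/common control channel and forwards
    # the frames as GSMTAP to 127.0.0.1:4729 for Wireshark.
    exec "$OSMOBB_ROOT/host/layer23/src/misc/ccch_scan" -i 127.0.0.1
}

if [ "$#" -gt 0 ]; then main "$@"; fi   # e.g. ./gsm-sniff.sh c123
```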
This is only a tiny piece of what this project is capable of.
Stay tuned for future posts ;)

Cheers.

Drygol

Chaos is your redemption .... better run .... better hide

I come from Internetz :>