As I mentioned in my previous article, I would cover Kalibrating a device for GSM and decoding ADS-B messages in an upcoming article, so here is a practical guide to get familiar with both methods.

This article is the second part of the Software Defined Radios series.

RTL-SDR also allows us to view GSM traffic using a tool called kal, or kalibrate-rtl. This tool scans a frequency band for GSM base stations. In this recipe, we will learn how to use kalibrate and then confirm the channel in GQRX.

Following are the steps to use kalibrate:

Most countries use the GSM900 band; in the USA it is GSM850. We use the following command to scan for GSM base stations:

kal -s GSM900 -g 40

The following screenshot shows the output of the preceding command:

In a few minutes, it will show us a list of base stations:

We note the frequency; in our case, we will use 947.6 MHz together with the reported offset.
Now we open GQRX and enter that frequency in the Receiver Options window:

We can see in the waterfall that the device picks up the signal clearly.
Now we will look at this data at the packet level, using a tool called gr-gsm.
It can be installed with apt install gr-gsm:

Once the installation is done, typing grgsm_ and pressing the Tab key shows the list of tools that are now available to us.

First, we will use grgsm_livemon to monitor the GSM packets live. We’ll open the terminal and type grgsm_livemon:

In the new window that opens, we will switch to the frequency we captured in the previous steps using kalibrate:

We can zoom into a particular range by dragging over it in the graphical window.
In a new terminal window, we start Wireshark by typing wireshark.
We then select the capture interface Loopback: lo and start our packet capture.

Next, we apply the display filter gsmtap:

We should see packets in the info pane, among them one labelled System Information Type 3; let's open it:

We will see the system information broadcast by the base station, such as the Mobile Country Code (MCC), Mobile Network Code (MNC), and Location Area Code (LAC):

With this, we have learned how GSM packets travel over the air and how to capture and inspect them.

Here are some great videos to give you a better understanding of GSM sniffing.

Decoding ADS-B messages with Dump1090

ADS-B stands for Automatic Dependent Surveillance-Broadcast. It is a system in which electronic equipment onboard an aircraft automatically broadcasts the precise location of the aircraft via a digital data link.

As described in the official readme of the tool, Dump1090 is a Mode S decoder specifically designed for RTL-SDR devices.

The main features are:

  1. Robust decoding of weak messages. With dump1090, many users observed improved range compared to other popular decoders.
  2. Network support: TCP30003 stream (MSG5), raw packets, HTTP.
  3. Embedded HTTP server that displays the currently detected aircraft on Google Maps.
  4. Single-bit error correction using the 24-bit CRC.
  5. Ability to decode DF11 and DF17 messages.
  6. Ability to decode DF formats such as DF0, DF4, DF5, DF16, DF20, and DF21, where the checksum is XOR-ed with the ICAO address, by brute-forcing the checksum field using recently seen ICAO addresses.
  7. Decoding of raw IQ samples from a file (using the --ifile command-line switch).
  8. Interactive CLI mode where the currently detected aircraft are shown as a list that refreshes as more data arrives.
  9. CPR coordinate decoding and track calculation from velocity.
  10. TCP server streaming and receiving raw data to/from connected clients (using --net).

In this section, we will use the tool to look at air traffic with visuals.

Following are the steps to use Dump1090:

We can download the tool from the Git repo using the following command:

git clone https://github.com/antirez/dump1090.git

Once downloaded, we go to the folder and run make.
We should now have an executable, which we can run with the following command:

./dump1090 --interactive --net

The following screenshot shows the output of the preceding command:

In a few minutes, we should see the flights, and by opening the browser to http://localhost:8080, we will be able to see the flights on the map as well.
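Items 4 to 6 of the feature list above describe the two ways a Mode S decoder validates a frame: the 24-bit CRC remainder is zero for an intact DF11/DF17 frame, while for DF4/5/20/21 the remainder is the transmitter's ICAO address, which is trusted only if that address was recently seen. The following is an added example (not dump1090's code) showing both checks in Python; the DF17 frame is a publicly documented real broadcast (ICAO 406B90, callsign EZY85MH), and the DF4 payload and the set of recently seen addresses are constructed for illustration.

```python
"""Mode S frame checks of the kind dump1090 performs (added example, not
dump1090's code). The DF17 frame is a publicly documented real broadcast
(ICAO 406B90, callsign EZY85MH); the DF4 payload and the set of recently
seen addresses are constructed for illustration."""
GENERATOR = 0x1FFF409  # Mode S CRC-24 polynomial: x^24 + x^23 + ... + x^3 + 1
CALLSIGN_CHARS = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ#####_###############0123456789######"

def mode_s_crc(frame: bytes) -> int:
    """Remainder of the whole frame (data + parity) modulo GENERATOR: zero for
    an intact DF11/DF17 frame; for DF0/4/5/16/20/21 the sender XORs its ICAO
    address into the parity field, so the remainder is that address."""
    n = int.from_bytes(frame, "big")
    for shift in range(len(frame) * 8 - 1, 23, -1):  # stop when 24 bits remain
        if n >> shift & 1:
            n ^= GENERATOR << (shift - 24)
    return n & 0xFFFFFF

def decode_df17(hexmsg: str) -> dict:
    """Parse a 112-bit extended squitter: header, CRC status and, for type
    codes 1-4 (aircraft identification), the 8-character callsign."""
    frame = bytes.fromhex(hexmsg)
    if len(frame) != 14:
        raise ValueError("DF17 frames are 112 bits (28 hex digits)")
    me = int.from_bytes(frame[4:11], "big")  # 56-bit ME field
    tc = me >> 51
    out = {"df": frame[0] >> 3, "icao": frame[1:4].hex().upper(), "tc": tc,
           "crc_ok": mode_s_crc(frame) == 0}
    if 1 <= tc <= 4:
        # eight 6-bit characters follow the 5-bit TC and 3-bit category
        chars = [(me >> (42 - 6 * i)) & 0x3F for i in range(8)]
        out["callsign"] = "".join(CALLSIGN_CHARS[c] for c in chars).strip("_")
    return out

def address_parity_frame(payload: bytes, icao: int) -> bytes:
    """Constructed AP-style frame: CRC of the payload XOR-ed with the address."""
    parity = mode_s_crc(payload + b"\0\0\0") ^ icao
    return payload + parity.to_bytes(3, "big")

def recover_address(frame: bytes, recently_seen: set):
    """The remainder of an AP frame is *some* address for any bit pattern, so
    it is trusted only if a CRC-checked frame already showed that address."""
    addr = mode_s_crc(frame)
    return addr if addr in recently_seen else None

if __name__ == "__main__":
    ident = decode_df17("8D406B902015A678D4D220AA4BDA")
    print(ident)  # df 17, icao 406B90, tc 4, callsign EZY85MH, crc_ok True
    seen = {int(ident["icao"], 16)} if ident["crc_ok"] else set()
    df4 = address_parity_frame(bytes.fromhex("20000A10"), 0x406B90)  # DF=4
    print(recover_address(df4, seen))  # 4221840 == 0x406B90
```

The CRC only detects transmission errors; nothing in the frame authenticates the sender, which is why a decoder cross-checks AP frames against addresses it has already seen rather than accepting any recovered address.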


More about this can be learned from the project's repository. Now let me recommend some other practical guides about penetration testing of Remote Access Protocols, Remote Desktop Protocol, SSH Network Protocol, Network Routers, and WordPress websites using WPSeku.
