LTE sniff

From HackBBS
Revision as of 10 September 2018, 00:33 by 109.155.130.63 (talk) (page created)

1- Information on the environment

We use an Android phone configured to connect to 4G networks. The Android app CellInfo Viewer confirms our *EARFCN*; for us it's 6300. The frequency our phone is listening on can be deduced from the EARFCN. We can calculate the frequency with niviuk.free.fr. EARFCN 6300 corresponds to 806 MHz on the LTE frequency band.

LTE-Cell-Scanner/build/src$ ./CellSearch -g 40 -s 806000000
LTE CellSearch (release) beginning. 1.0 to 1.1.0: OpenCL/TDD/HACKRF/bladeRF/ext-LNB added by Jiao Xianjun(putaoshu@gmail.com)

 PPM: 0
 correction: 1

HACKRF device FOUND! Use HW begin with 806MHz actual 806MHz 1.92e+06MHz

   Search frequency: 806 to 806 MHz

with freq correction: 0 kHz

   Search PSS at fo: -140 to 135 kHz

Examining center frequency 806 MHz ... try 0

input level: avg abs(real) 0.0901816 avg abs(imag) 0.0900797
Hit PAR [13.4983 12.8747]dB
PSS XCORR cost 5.65892s
Hit num peaks 3
try peak 0 tdd_flag 0

 Detected a FDD cell! At freqeuncy 806MHz, try 0
   cell ID: 476
    PSS ID: 2
   RX power level: -25.3461 dB
   residual frequency offset: -3301.78 Hz
                    k_factor: 1

try peak 0 tdd_flag 1
try peak 1 tdd_flag 0

 Detected a FDD cell! At freqeuncy 806MHz, try 0
   cell ID: 232
    PSS ID: 1
   RX power level: -26.449 dB
   residual frequency offset: -3310.88 Hz
                    k_factor: 1

try peak 1 tdd_flag 1
try peak 2 tdd_flag 0

 Detected a FDD cell! At freqeuncy 806MHz, try 0
   cell ID: 181
    PSS ID: 1
   RX power level: -27.9678 dB
   residual frequency offset: -3330.92 Hz
                    k_factor: 1

try peak 2 tdd_flag 1
Detected the following cells:
DPX:TDD/FDD; A: #antenna ports C: CP type ; P: PHICH duration ; PR: PHICH resource type
DPX  CID  A  fc    freq-offset  RXPWR  C  nRB  P  PR   CrystalCorrection  ppm
FDD  476  2  806M  -3.3k        -25.3  N  50   N  1/6  0.999995903521185  -4.1
FDD  232  2  806M  -3.31k       -26.4  N  50   N  1/6  0.999995892223039  -4.11
FDD  181  2  806M  -3.33k       -28    N  50   N  1/6  0.999995867358836  -4.13


We can now track the signals received from the antennas around us.

LTE-Cell-Scanner/build/src$ ./LTE-Tracker -f 806000000

LTE-Tracker confirms that physical antenna number 476, which our phone is listening on, corresponds to a physical antenna sniffed by the HackRF.
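
The EARFCN-to-frequency step and the final cell check can also be done offline. The following is an added example, not part of the original page or of LTE-Cell-Scanner: it assumes the downlink band constants of 3GPP TS 36.101 Table 5.7.3-1 (only a few bands are listed), and the function names are hypothetical. The summary rows are the ones printed by CellSearch above.

```python
# Added example: EARFCN -> downlink frequency, then check CellSearch's summary.
# Band rows (band, F_DL_low in MHz, N_Offs-DL, last DL EARFCN) are assumed from
# 3GPP TS 36.101 Table 5.7.3-1; only a few bands are listed here.
DL_BANDS = [
    (1, 2110, 0, 599),
    (3, 1805, 1200, 1949),
    (7, 2620, 2750, 3449),
    (8, 925, 3450, 3799),
    (20, 791, 6150, 6449),
    (28, 758, 9210, 9659),
]

def earfcn_to_dl_hz(earfcn):
    """Return (band, downlink centre frequency in Hz) for a downlink EARFCN."""
    for band, f_low_mhz, n_offs, n_last in DL_BANDS:
        if n_offs <= earfcn <= n_last:
            # F_DL = F_DL_low + 0.1 MHz * (N_DL - N_Offs-DL), kept in integer
            # 100 kHz steps so the result is exact.
            return band, (f_low_mhz * 10 + (earfcn - n_offs)) * 100_000
    raise ValueError(f"EARFCN {earfcn} is not in the bands listed in DL_BANDS")

def parse_cells(summary):
    """Parse the 'Detected the following cells' rows into dictionaries."""
    cells = []
    for line in summary.splitlines():
        f = line.split()
        # Data rows have 12 columns and start with the duplex mode.
        if len(f) == 12 and f[0] in ("FDD", "TDD"):
            cells.append({"duplex": f[0], "cid": int(f[1]), "ports": int(f[2]),
                          "rx_power_db": float(f[5]), "n_rb": int(f[7])})
    return cells

# Summary rows as printed in the CellSearch output on this page.
SUMMARY = """\
DPX CID A fc freq-offset RXPWR C nRB P PR CrystalCorrection ppm
FDD 476 2 806M -3.3k -25.3 N 50 N 1/6 0.999995903521185 -4.1
FDD 232 2 806M -3.31k -26.4 N 50 N 1/6 0.999995892223039 -4.11
FDD 181 2 806M -3.33k -28 N 50 N 1/6 0.999995867358836 -4.13
"""

if __name__ == "__main__":
    band, hz = earfcn_to_dl_hz(6300)        # EARFCN read from the phone
    print(f"band {band}: ./CellSearch -g 40 -s {hz}")
    serving_cid = 476                       # cell ID the phone reports
    seen = {c["cid"]: c for c in parse_cells(SUMMARY)}
    print("serving cell seen by scanner:", serving_cid in seen)
```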