LTE sniff

From HackBBS
Revision dated 10 September 2018 at 00:35 by Korigan (talk | contributions)

1- Information on the environment


We use an Android phone configured to connect to 4G networks. The Android app CellInfo Viewer confirms our EARFCN, which in our case is 6300. The downlink frequency the phone is listening on can be derived from the EARFCN; we calculated it with the converter at niviuk.free.fr. EARFCN 6300 lies in LTE band 20 (the 800 MHz band) and corresponds to a downlink centre frequency of 806 MHz (791 MHz + 0.1 MHz x (6300 - 6150)). That value, in Hz, is what we pass to CellSearch as the start frequency, together with a receive gain of 40 dB.

 LTE-Cell-Scanner/build/src$ ./CellSearch -g 40 -s 806000000
 LTE CellSearch (release) beginning. 1.0 to 1.1.0: OpenCL/TDD/HACKRF/bladeRF/ext-LNB added by Jiao Xianjun(putaoshu@gmail.com)
   PPM: 0
   correction: 1
 HACKRF device FOUND!
 Use  HW  begin with 806MHz actual 806MHz 1.92e+06MHz
     Search frequency: 806 to 806 MHz
 with freq correction: 0 kHz
     Search PSS at fo: -140 to 135 kHz
 
 Examining center frequency 806 MHz ... try 0
 
 input level: avg abs(real) 0.0901816 avg abs(imag) 0.0900797
 Hit        PAR [13.4983 12.8747]dB
 PSS XCORR  cost 5.65892s
 Hit  num peaks 3
 try peak 0 tdd_flag 0
   Detected a FDD cell! At freqeuncy 806MHz, try 0
     cell ID: 476
      PSS ID: 2
     RX power level: -25.3461 dB
     residual frequency offset: -3301.78 Hz
                      k_factor: 1
 try peak 0 tdd_flag 1
 try peak 1 tdd_flag 0
   Detected a FDD cell! At freqeuncy 806MHz, try 0
     cell ID: 232
      PSS ID: 1
     RX power level: -26.449 dB
     residual frequency offset: -3310.88 Hz
                      k_factor: 1
 try peak 1 tdd_flag 1
 try peak 2 tdd_flag 0
   Detected a FDD cell! At freqeuncy 806MHz, try 0
     cell ID: 181
      PSS ID: 1
     RX power level: -27.9678 dB
     residual frequency offset: -3330.92 Hz
                      k_factor: 1
 try peak 2 tdd_flag 1
 Detected the following cells:
 DPX:TDD/FDD; A: #antenna ports C: CP type ; P: PHICH duration ; PR: PHICH resource type
 DPX CID A      fc   freq-offset RXPWR C nRB P  PR CrystalCorrection  ppm
 FDD 476 2    806M         -3.3k -25.3 N  50 N 1/6 0.999995903521185  -4.1
 FDD 232 2    806M        -3.31k -26.4 N  50 N 1/6 0.999995892223039 -4.11
 FDD 181 2    806M        -3.33k   -28 N  50 N 1/6 0.999995867358836 -4.13

We can now track, in real time, the signal received from the cells around us, starting from the same centre frequency.

 LTE-Cell-Scanner/build/src$ ./LTE-Tracker -f 806000000

LTE-Tracker confirms that the cell our phone is camped on, physical cell ID (PCI) 476 as reported by CellInfo Viewer, is one of the cells picked up by the HackRF. Note that what CellSearch and LTE-Tracker decode is the downlink broadcast (synchronisation signals and the MIB/SIB system information), which is transmitted in the clear; subscriber traffic is ciphered at the PDCP layer and is not recovered by these tools.
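The two manual steps above, turning the EARFCN into a frequency and then picking out the phone's cell in the CellSearch summary, can be scripted. The block below is an added example written for this page; it is not code from LTE-Cell-Scanner, CellInfo Viewer or niviuk.free.fr. The band table is the subset of 3GPP TS 36.101 Table 5.7.3-1 for a few common European FDD bands (1, 3, 7, 8 and 20); the sample input is the summary block copied from the CellSearch run shown above. It also checks the PCI arithmetic: a PCI of 476 must give PSS ID 476 mod 3 = 2, which is exactly what CellSearch printed for that cell.

```python
"""EARFCN -> frequency, and parsing of the CellSearch cell summary.

Added example for this page, not code from LTE-Cell-Scanner.  The band
table is the subset of 3GPP TS 36.101 Table 5.7.3-1 needed here; offsets
are exact integers, so frequencies are computed in Hz without floats.
"""

# band: (DL low kHz, DL EARFCN offset, DL EARFCN max, UL low kHz, UL EARFCN offset)
BANDS = {
    1:  (2_110_000,     0,  599, 1_920_000, 18000),
    3:  (1_805_000,  1200, 1949, 1_710_000, 19200),
    7:  (2_620_000,  2750, 3449, 2_500_000, 20750),
    8:  (  925_000,  3450, 3799,   880_000, 21450),
    20: (  791_000,  6150, 6449,   832_000, 24150),  # band 20: DL sits below UL
}

# Number of resource blocks -> channel bandwidth in MHz (3GPP TS 36.101 Table 5.6-1)
NRB_TO_BW_MHZ = {6: 1.4, 15: 3, 25: 5, 50: 10, 75: 15, 100: 20}


def earfcn_to_freq(earfcn):
    """Return (band, dl_hz, ul_hz, ul_earfcn) for a downlink EARFCN.

    F = F_low + 0.1 MHz * (N - N_offs), evaluated in kHz so it is exact.
    Raises ValueError when the EARFCN is outside the bands in the table.
    """
    for band, (dl_low_khz, dl_off, dl_max, ul_low_khz, ul_off) in BANDS.items():
        if dl_off <= earfcn <= dl_max:
            n = earfcn - dl_off                      # channel index inside the band
            dl_hz = (dl_low_khz + 100 * n) * 1000
            ul_hz = (ul_low_khz + 100 * n) * 1000
            return band, dl_hz, ul_hz, ul_off + n
    raise ValueError(f"EARFCN {earfcn} is not in the band table")


def parse_cellsearch(output):
    """Parse the 'Detected the following cells' summary printed by CellSearch.

    A summary row has 12 whitespace-separated fields, e.g.
      FDD 476 2    806M   -3.3k -25.3 N  50 N 1/6 0.9999959  -4.1
    Every other line (headers, per-peak detail) is ignored.
    """
    cells = []
    for line in output.splitlines():
        f = line.split()
        if len(f) != 12 or f[0] not in ("FDD", "TDD"):
            continue
        pci = int(f[1])
        n_rb = int(f[7])
        cells.append({
            "duplex": f[0],
            "pci": pci,
            "sss_id": pci // 3,             # N_ID^(1), carried by the SSS
            "pss_id": pci % 3,              # N_ID^(2), carried by the PSS
            "antenna_ports": int(f[2]),
            "center": f[3],
            "freq_offset": f[4],
            "rx_power_db": float(f[5]),
            "extended_cp": f[6] == "E",     # "N" = normal cyclic prefix
            "n_rb": n_rb,
            "bandwidth_mhz": NRB_TO_BW_MHZ.get(n_rb),
            "ppm": float(f[11]),
        })
    return cells


def find_cell(cells, pci):
    """Return the parsed row whose PCI matches what the phone reports, or None."""
    return next((c for c in cells if c["pci"] == pci), None)


def strongest_cell(cells):
    """Row with the highest reported RX power, or None when nothing was detected."""
    return max(cells, key=lambda c: c["rx_power_db"]) if cells else None


# Summary block copied from the CellSearch run on this page (used as sample input).
SAMPLE_OUTPUT = """\
 Detected the following cells:
 DPX:TDD/FDD; A: #antenna ports C: CP type ; P: PHICH duration ; PR: PHICH resource type
 DPX CID A      fc   freq-offset RXPWR C nRB P  PR CrystalCorrection  ppm
 FDD 476 2    806M         -3.3k -25.3 N  50 N 1/6 0.999995903521185  -4.1
 FDD 232 2    806M        -3.31k -26.4 N  50 N 1/6 0.999995892223039 -4.11
 FDD 181 2    806M        -3.33k   -28 N  50 N 1/6 0.999995867358836 -4.13
"""

if __name__ == "__main__":
    band, dl_hz, ul_hz, ul_earfcn = earfcn_to_freq(6300)
    print(f"EARFCN 6300: band {band}, DL {dl_hz} Hz, UL {ul_hz} Hz (UL EARFCN {ul_earfcn})")
    print(f"CellSearch argument: -s {dl_hz}")
    cells = parse_cellsearch(SAMPLE_OUTPUT)
    print("phone's cell:", find_cell(cells, 476))
    print("strongest cell:", strongest_cell(cells)["pci"])
```

Run it as a script to see the frequency and the row for PCI 476; in practice you would pipe the real CellSearch output into `parse_cellsearch` and compare the PCI it returns against the one shown by CellInfo Viewer. Computing in kHz integers avoids the 0.1 MHz floating-point step drifting off the exact value that CellSearch expects on its `-s` argument.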