Recently a friend asked me to help diagnose a 4G modem, a "Yota Many", which sometimes stops working normally. After several hours of investigation I realized that finding the answer would take many days. I returned the device, but one question from this short story kept nagging me: how can I diagnose the process of establishing a GSM connection? Some months ago I bought a HackRF, which had remained untouched all this time ...
Step 1: Install software
Much has changed since I last installed GNU Radio. Today the developers provide a nice tool that quickly installs all the required software. I installed: gnuradio, gr-gsm, gqrx, kalibrate-hackrf (replacing one line in kal.lwr).
Step 2: Analyze frequency
GSM-900:
    chan: 32 (941.4MHz + 38.247kHz) power: 7444660.99
    chan: 33 (941.6MHz - 22.350kHz) power: 7466304.92
    chan: 34 (941.8MHz - 18.478kHz) power: 7540613.95
    chan: 35 (942.0MHz - 39.813kHz) power: 7552806.56
    chan: 48 (944.6MHz + 5.646kHz) power: 4942581.43
    chan: 49 (944.8MHz - 19.927kHz) power: 4954548.64
    chan: 50 (945.0MHz - 35.739kHz) power: 4887829.45
    chan: 89 (952.8MHz + 28.981kHz) power: 5072783.56
    chan: 90 (953.0MHz + 13.806kHz) power: 5033690.18
    chan: 91 (953.2MHz + 15.153kHz) power: 5080999.80
    chan: 92 (953.4MHz - 36.926kHz) power: 5159798.17
    chan: 93 (953.6MHz - 37.204kHz) power: 5185691.52
    chan: 122 (959.4MHz + 7.180kHz) power: 7805109.83
Step 3: Device for searching
Welcome to minicom 2.6.2

OPTIONS: I18n
Compiled on Jun 10 2014, 03:20:53.
Port /dev/ttyUSB0, 19:29:36

Press CTRL-A Z for help on special keys

ATI
Manufacturer: huawei
Model: E1752
Revision: 11.126.13.00.00
IMEI: 354639040322239
+GCAP: +CGSM,+FCLASS,+DS

OK
AT+CREG=2
OK
AT+CREG?
+CREG: 2,1, 10E, 5278

OK
AT+CSIM=14,"A0A40000026F7E"
+CSIM: 4,"9F0F"

OK
AT+CSIM=10, "A0B000000B"
+CSIM: 26,"4B534AEE52F010010E50009000"

OK
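Added example, not code from the original post: a decoder for the EF_LOCI record read in the session above (SELECT 6F7E, then READ BINARY of 11 bytes), cross-checked against the LAC the modem reports in +CREG. It assumes the standard EF_LOCI layout from 3GPP TS 51.011 (TMSI, LAI, TMSI TIME, location update status); the input strings are the two responses copied from the session.

```python
import re

# Inputs copied from the minicom session above (constructed test fixture).
CSIM_RESPONSE = "4B534AEE52F010010E50009000"
CREG_LINE = "+CREG: 2,1, 10E, 5278"


def decode_plmn(b):
    """Decode the 3-byte BCD MCC/MNC field (nibble-swapped, TS 24.008 10.5.1.3)."""
    d = [b[0] & 0xF, b[0] >> 4, b[1] & 0xF, b[2] & 0xF, b[2] >> 4, b[1] >> 4]
    mcc = "".join(str(x) for x in d[:3])
    # Third MNC digit is 0xF when the MNC has only two digits.
    mnc = "".join(str(x) for x in d[3:5]) + ("" if d[5] == 0xF else str(d[5]))
    return mcc, mnc


def decode_ef_loci(resp_hex):
    """Parse the READ BINARY response of EF_LOCI (TS 51.011 10.3.17):
    TMSI(4) | LAI(5 = MCC/MNC(3) + LAC(2)) | TMSI TIME(1) | LU status(1) | SW1 SW2."""
    raw = bytes.fromhex(resp_hex)
    if len(raw) != 13:
        raise ValueError("expected 11 data bytes followed by 2 status bytes")
    data, sw = raw[:11], raw[11:]
    if sw != b"\x90\x00":
        raise ValueError(f"card returned status word {sw.hex().upper()}")
    mcc, mnc = decode_plmn(data[4:7])
    return {
        "tmsi": data[0:4].hex().upper(),
        "mcc": mcc,
        "mnc": mnc,
        "lac": int.from_bytes(data[7:9], "big"),
        "tmsi_time": data[9],
        # bits 1-3: 0 = updated, 1 = not updated, 2 = PLMN not allowed, 3 = LA not allowed
        "lu_status": data[10] & 0x07,
    }


def creg_lac_cellid(line):
    """Extract LAC and cell id (hex fields) from '+CREG: <n>,<stat>,<lac>,<ci>'."""
    m = re.match(r'\+CREG:\s*\d+\s*,\s*\d+\s*,\s*"?([0-9A-Fa-f]+)"?\s*,\s*"?([0-9A-Fa-f]+)"?', line)
    if not m:
        raise ValueError("not a +CREG line with location information")
    return int(m.group(1), 16), int(m.group(2), 16)


def loci_matches_network(resp_hex, creg_line):
    """True when the LAC stored on the SIM equals the LAC the modem currently reports."""
    return decode_ef_loci(resp_hex)["lac"] == creg_lac_cellid(creg_line)[0]


if __name__ == "__main__":
    print(decode_ef_loci(CSIM_RESPONSE))
    print("LAC/CI from +CREG:", creg_lac_cellid(CREG_LINE))
```

For the session above the SIM's stored LAC (0x010E) equals the LAC in +CREG, so the location update status of 0 (updated) is consistent with what the modem reports.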
The device often moves between BTSs, and I need a list of cell towers (cell id, frequency):
Step 4: Inbound call
Download GSM dump
- Automatic search for BTSs, with frequency hopping.
- Automatic search for TMSIs, with frequency hopping.