gr-gsm projects
libosmocore
uhd
gnuradio
rtl-sdr
osmo-sdr
libosmo-dsp
gr-iqbal
bladeRF
hackrf
airspy
gr-osmosdr
gr-gsm
china gsm frequency
中国移动
GSM900 上行/下行:890-909/935-954
EGSM900 上行/下行:885-890/930-935(中国铁通GSM-R:885-889/930-934)
GSM1800M 上行/下行:1710-1725/1805-1820
3G TDD 1880-1900MHz和2010-2025
中国联通
GSM900 上行/下行:909-915/954-960
GSM1800 上行/下行:1745-1755/1840-1850
3G FDD 上行/下行:1940-1955/2130-2145
中国电信
CDMA800 上行/下行:825-840/870-885
3G FDD 上行/下行:1920-1935/2110-2125
cellid to co-ordinates
http://cellidfinder.com
http://cellidfinder.com/mcc-mnc
http://opencellid.org/
arfcn
('P-GSM', {'first_freq': 890.2e6, 'first_arfcn': 1, 'last_arfcn': 124, 'downlink_dist': 45e6}),
('DCS1800', {'first_freq': 1710.2e6, 'first_arfcn': 512, 'last_arfcn': 885, 'downlink_dist': 95e6}),
('PCS1900', {'first_freq': 1850.2e6, 'first_arfcn': 512, 'last_arfcn': 810, 'downlink_dist': 80e6}),
('E-GSM', {'first_freq': 880.2e6, 'first_arfcn': 975, 'last_arfcn': 1023, 'downlink_dist': 45e6}),
('R-GSM', {'first_freq': 876.2e6, 'first_arfcn': 955, 'last_arfcn': 1023, 'downlink_dist': 45e6}),
('GSM450', {'first_freq': 450.6e6, 'first_arfcn': 259, 'last_arfcn': 293, 'downlink_dist': 10e6}),
('GSM480', {'first_freq': 479e6, 'first_arfcn': 306, 'last_arfcn': 340, 'downlink_dist': 10e6}),
('GSM850', {'first_freq': 824.2e6, 'first_arfcn': 128, 'last_arfcn': 251, 'downlink_dist': 45e6})
arfcn scanned by rtl2832u-r820t using grgsm-scanner in china
P-GSM:
ARFCN: 46, Freq: 944.2M, CID: 4243, LAC: 10173, MCC: 460, MNC: 0, Pwr: -29
|---- Configuration: 1 CCCH, not combined
|---- Cell ARFCNs: 46, 73, 83
|---- Neighbour Cells: 13, 16, 46, 48, 64, 68, 76, 94
ARFCN: 48, Freq: 944.6M, CID: 4944, LAC: 10173, MCC: 460, MNC: 0, Pwr: -29
|---- Configuration: 4 CCCH, not combined
|---- Cell ARFCNs:
|---- Neighbour Cells: 28, 46, 48, 49, 50, 52, 56, 64, 66, 68, 76, 80, 82, 84, 94, 559, 562, 568, 578, 580, 582, 588, 598, 600, 606
ARFCN: 68, Freq: 948.6M, CID: 0, LAC: 10173, MCC: 460, MNC: 0, Pwr: -29
|---- Configuration: Unknown
|---- Cell ARFCNs: 4, 18, 68
|---- Neighbour Cells:
ARFCN: 78, Freq: 950.6M, CID: 3702, LAC: 9721, MCC: 460, MNC: 0, Pwr: -28
|---- Configuration: 2 CCCH, not combined
|---- Cell ARFCNs:
|---- Neighbour Cells: 13, 16, 28, 46, 48, 49, 50, 52, 54, 60, 62, 64, 72, 74, 76, 78, 84, 94
ARFCN: 84, Freq: 951.8M, CID: 4942, LAC: 10173, MCC: 460, MNC: 0, Pwr: -30
|---- Configuration: 4 CCCH, not combined
|---- Cell ARFCNs:
|---- Neighbour Cells:
ARFCN: 94, Freq: 953.8M, CID: 4943, LAC: 10173, MCC: 460, MNC: 0, Pwr: -27
|---- Configuration: 4 CCCH, not combined
|---- Cell ARFCNs: 57, 61, 69, 94
|---- Neighbour Cells: 13, 28, 31, 46, 48, 52, 56, 64, 66, 68, 82, 84, 94, 544, 550, 560, 562, 564, 568, 574, 590, 596, 598, 600, 604, 606
ARFCN: 103, Freq: 955.6M, CID: 15293, LAC: 9519, MCC: 460, MNC: 1, Pwr: -31
|---- Configuration: 1 CCCH, not combined
|---- Cell ARFCNs:
|---- Neighbour Cells: 100, 103, 109, 110, 112, 114, 639, 641, 644, 646, 648, 650, 652, 653, 656, 657, 659, 660, 661, 662, 666, 667
ARFCN: 106, Freq: 956.2M, CID: 15211, LAC: 9519, MCC: 460, MNC: 1, Pwr: -31
|---- Configuration: 1 CCCH, not combined
|---- Cell ARFCNs:
|---- Neighbour Cells:
ARFCN: 108, Freq: 956.6M, CID: 39182, LAC: 9533, MCC: 460, MNC: 1, Pwr: -32
|---- Configuration: 2 CCCH, not combined
|---- Cell ARFCNs:
|---- Neighbour Cells: 108, 112, 114, 121, 123, 637, 639, 646, 648, 649, 650, 652, 653, 657, 658, 660, 661, 666, 667
ARFCN: 121, Freq: 959.2M, CID: 39181, LAC: 9533, MCC: 460, MNC: 1, Pwr: -28
|---- Configuration: 2 CCCH, not combined
|---- Cell ARFCNs: 106, 121
|---- Neighbour Cells: 108, 110, 112, 114, 115, 117, 121, 639, 643, 646, 648, 650, 655, 657, 659, 660, 661, 664, 667
ARFCN: 123, Freq: 959.6M, CID: 39331, LAC: 9533, MCC: 460, MNC: 1, Pwr: -33
|---- Configuration: 2 CCCH, not combined
|---- Cell ARFCNs: 97, 123
|---- Neighbour Cells:
ARFCN: 124, Freq: 959.8M, CID: 39479, LAC: 9533, MCC: 460, MNC: 1, Pwr: -32
|---- Configuration: 2 CCCH, not combined
|---- Cell ARFCNs:
|---- Neighbour Cells:
IMSI-Catcher
IMSI-Catcher: Masquerade like a real BTS and send with more power than the original, so a cell phone would connect to it. But if the connection is established it is still using the TIMSI (Temporary IMSI).
One possibility to get the IMSI: Change the LAC of the BTS, so that the Location Update Procedure is initiated. If the MSC (Controller of a group of BTS) is also changing with this location update, then the phone would have to send the IMSI. Or if the location update fails it will also send the IMSI. See Figure 4.1.1.1 [http://www.qtc.jp/3GPP/Specs/23012-520.pdf].
AIMSICD - Android-IMSI-Catcher-Detector
AIMSICD • Fight IMSI-Catcher, StingRay and silent SMS!
https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector.git
https://cellularprivacy.github.io/Android-IMSI-Catcher-Detector/
https://opensource.srlabs.de/projects/mobile-network-assessment-tools/wiki/CatcherCatcher
Netmonitor - Monitor GSM/CDMA/LTE network: current and neighboring cell infos, signal strength.
Abbreviations
CCH, 控制信道
1,BCH, 广播信道
1.1,FCCH, Frequency Correction Channel, 频率校正信道
1.2,SCH, Synchronization Channel, 同步信道
1.3,BCCH, Broadcast Control Channel, 广播控制信道
2,CCCH, Common Control Channel, 公共控制信道
2.1,PCH, Paging Channel, 寻呼信道
2.2,RACH, 随机接入信道
2.3,AGCH, 准许接入信道
2.4,CBCH, Cell Broadcast Channel, 小区广播信道
3,DCCH, 专用控制信道
3,1, SDCCH, 独立专用控制信道
3,2, ACCH, 伴随信道
TCH, Traffic Channel, 业务信道
LAI, Location Area Identity
LAI = MCC + MNC + LAC
MCC, Mobile Country Code, 移动国家码
MNC, Mobile Network Code, 移动网络号码
LAC, Location Area Code, describes a set of Cell Towers (with different IDs)
IMEI = TAC + FAC + SNR + SP
TAC, Type Approval Code, 型号校准码, 代表机型, 6位
FAC, Final Assembly Code, 最终装配码, 识别厂商, 2位
SNR, 流水号, 识别具体设备, 6位
SP, 校验码, 1位
MSISDN, Mobile Station International Subscriber Directory Number, 移动台国际用户目录号, 又称为手机号码
MSISDN = CC + NDC + SN
CC, 国家码, 中国为86
NDC, 国内目的地码
SN, 客户号码
IMSI, International Mobile Subscriber Identity, 国际移动用户识别码, 15bytes
IMSI = MCC + MNC + MSIN
MSIN, Mobile Subscriber Identification Number, 移动用户识别号码
MSIN = EF + M0M1M2M3 + ABCD
EF由运营商分配, M0M1M2M3和MDN(Mobile Directory Number, 移动用户号码簿号码)中的H0H1H2H3可存在对应关系, ABCD自由分配
TMSI, Temporary Mobile Subscriber Identity,
ARFCN, Absolute Radio Frequency Channel Number, 绝对无线频道编号