Direction Finder (DF) of target mobile


ranchu


I am trying to understand how to achieve direction finding (DF) for mobile GSM devices.

I have found the following description:

http://www.pki-electronic.com/products/interception-and-monitoring-systems/gsm-direction-finder/

&

http://www.pki-electronic.com/products/interception-and-monitoring-systems/active-gsm-monitoring-system/

It seems to describe the following configuration:

<IMSI catcher>-------- <handset (mobile)>
|
|-------- <target mobile device>

So it is composed of an IMSI catcher (probably), i.e. an active base station, which forces the target mobile to transmit, and probably the attacker base station (SDR radio) can detect the exact direction/signal strength of the attacked device.

Why does it require the additional handset (mobile), i.e. what is the concept of a GSM direction finder?

Is it possible to achieve direction finding using a simple radio such as a USRP (https://www.ettus.com/)?

Thanks.


21 hours ago, ranchu said:
 

Why does it require the additional handset (mobile), i.e. what is the concept of a GSM direction finder?

Maths. You need 3 reference points to plot a point in 3D space.

Either that, or it requires some sort of data from the mobile device, using it as an addition to its own hardware.

Edited by haze1434

If you are looking to pinpoint a phone within a small degree of inaccuracy, on the cheap, you can use its WiFi signal.

All devices with WiFi enabled broadcast their MAC. Getting a target's MAC is easy enough, then you can use a few cheap antennas and some scripting, or heat map utility, to narrow down the position of the station (phone). Or, simply walk around until the signal strength goes up or down.

The problem with this is that you need to be within about 100m of the phone, so you have to have a rough idea of where they are, then you can use the WiFi broadcast to narrow down exactly where.

You could also set up Kismet or Aircrack, war-drive around collecting stations, then use this to narrow down over a wider distance. Just search for the station MAC within the Kismet / Aircrack Data and overlay it on Google Maps.

Of course, this is slow. If you need to narrow them down quickly, for whatever reason, stick with the GSM devices.

Edited by haze1434

Thanks.

I am looking for a sort of GSM solution, something similar to what they have done here:

http://www.pki-electronic.com/products/interception-and-monitoring-systems/gsm-direction-finder/

The problem is that I don't really understand how it works yet...

I have a USRP GSM transmitter and I try to understand the concept of doing it.

Trying to understand how it is done I think about the following:

It seems to be some sort of IMSI catcher, which makes the attacked phone keep transmitting (maybe by repeatedly sending silent SMS).

So this already can give some sort of signal to the transmitter, which can know the signal strength, but can't know yet where it is in 2D (and of course in 3D).

So here comes the other device in the hand of the searching man... But I don't yet understand how it helps. It is probably a mobile device (?).

So it can give its own signal strength to the base station. But it does not yet help in 2D mapping, because it is just a signal strength number (but not indexes in 2D...).

I have found some theses about direction finding with USRP:

https://hal.archives-ouvertes.fr/tel-01182898/file/these_archivage_3160048.pdf

The WiFi solution is OK, but if the system as a whole (IMSI catcher) depends on GSM base stations and mobiles, then I think I had better try to find a solution in this area.

I am sure I am not the first one who tries to understand the concept behind doing it with GSM, but I am probably missing something...

Thanks for your comments,

Ranchu


Thanks,

I think I understand the general concept of how the "IMSI catcher" DF device works:

  • As described on that web site, the configuration is composed of: target (attacked) mobile, base station, and another handset.
  • Probably the other handset is actually a receiver which also listens on the same "target" mobile (uplink) frequency.
  • The base station forces the target mobile to keep transmitting (by sending silent SMS).
  • So we have 2 receivers (the base station and the other handset which is walking and getting near the target), both of them receive the transmission from the target. Signal strength (RSSI) can be converted to distance in meters.
  • So the target can be anywhere in the radius (distance) around these 2 receivers.
  • We can draw these 2 circles like a map, and so the target direction is according to the merge points of these 2 circles.

Does it make sense?

I think that 2 circles still give too many possible solutions, so we actually need a 3rd receiver?

 

 

 

and handset:

1. the

 

 


On 20/04/2017 at 1:13 PM, barry99705 said:

Looks like it's just standard fox and hound signal locating.

Hiya barry,

Sorry to be a pain, but are you able to elaborate or provide a link?

I did a search for 'fox and hound signal locating' but didn't have much luck finding a good explanation.

Cheers.


It's a ham radio term. The "fox" is your target. The "hounds" are your radios. It's also the same way we find radio tagged animals in the wild. You have your listening device with a directional antenna. Tune it to the target frequency, and start pointing it till the signal gets strongest. Note the direction on your map (draw a line). Move to a location not towards your target and find it again, note the direction ('nother line). Where the two lines cross is close to your target. Go to that spot and start over. I've done the same thing to find rogue access points using a Sharp Zaurus and a modified compact flash wireless card.

 

https://goo.gl/photos/XWfj3P7ardqm9jZJ7

Edited by barry99705
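The two-bearing fix described in the post above, worked through as an added example (it is not part of the thread) in the setting the post mentions, surveying for a rogue access point. Observer positions on a local flat grid in metres, the 15 degree minimum crossing angle and the ±10 degree bearing error are assumptions chosen for illustration.

```python
import math

def bearing_fix(p1, brg1_deg, p2, brg2_deg, min_cross_deg=15.0):
    """Intersect two compass bearings taken from two survey points.

    p1, p2: (east_m, north_m) observer positions on a local flat grid.
    brg*_deg: compass bearing (0 = north, clockwise) of the strongest signal.
    Returns (east_m, north_m), or None when the pair gives no usable fix.
    """
    # Compass bearing -> unit direction vector (east, north).
    d1 = (math.sin(math.radians(brg1_deg)), math.cos(math.radians(brg1_deg)))
    d2 = (math.sin(math.radians(brg2_deg)), math.cos(math.radians(brg2_deg)))
    # Solve p1 + t1*d1 = p2 + t2*d2 using 2D cross products.
    det = d1[0] * d2[1] - d1[1] * d2[0]
    # |det| is the sine of the crossing angle; near-parallel lines
    # (second point chosen towards the source) give an unstable fix.
    if abs(det) < math.sin(math.radians(min_cross_deg)):
        return None
    dx, dy = p2[0] - p1[0], p2[1] - p1[1]
    t1 = (dx * d2[1] - dy * d2[0]) / det
    t2 = (dx * d1[1] - dy * d1[0]) / det
    # A crossing behind either observer means one reading was a reflection
    # or a back lobe of the antenna, not the direct path.
    if t1 < 0 or t2 < 0:
        return None
    return (p1[0] + t1 * d1[0], p1[1] + t1 * d1[1])

def fix_spread(p1, b1, p2, b2, err_deg=10.0):
    """Worst-case distance (m) between the nominal fix and the fixes obtained
    when each bearing is off by +/- err_deg. None if any case has no fix."""
    centre = bearing_fix(p1, b1, p2, b2)
    if centre is None:
        return None
    worst = 0.0
    for e1 in (-err_deg, err_deg):
        for e2 in (-err_deg, err_deg):
            corner = bearing_fix(p1, b1 + e1, p2, b2 + e2)
            if corner is None:
                return None
            worst = max(worst, math.dist(centre, corner))
    return worst

if __name__ == "__main__":
    # Constructed survey: first pass from ~70 m out, second pass from ~14 m.
    print(bearing_fix((0, 0), 45, (100, 0), 315))
    print(fix_spread((0, 0), 45, (100, 0), 315))
    print(fix_spread((40, 40), 45, (60, 40), 315))
```

The spread shrinks in proportion to the distance from the source, which is why the post says to go to the crossing point and start over.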

19 minutes ago, barry99705 said:

It's a ham radio term. The "fox" is your target. The "hounds" are your radios. It's also the same way we find radio tagged animals in the wild. You have your listening device with a directional antenna. Tune it to the target frequency, and start pointing it till the signal gets strongest. Note the direction on your map (draw a line). Move to a location not towards your target and find it again, note the direction ('nother line). Where the two lines cross is close to your target. Go to that spot and start over. I've done the same thing to find rogue access points using a Sharp Zaurus and a modified compact flash wireless card.

 

https://goo.gl/photos/XWfj3P7ardqm9jZJ7

Much appreciated, thank you.


Hi,

I am trying to understand if we can use the same simple concept you described with mobile devices:

The uplink frequency is shared among several devices, so trying to apply this same method will probably fail, right?

So if this product:

http://www.pki-electronic.com/products/interception-and-monitoring-systems/gsm-direction-finder/

used such a simple method, how can it locate the exact device among others using the same uplink?

Thanks a lot.

Ranchu
