ranchu

Active Members
  • Posts: 6
Everything posted by ranchu

  1. Hi, I am trying to understand if we can use the same simple concept you described with mobile devices: The uplink frequency is shared among several devices, so trying to apply this same method will probably fail, right? So if this product: http://www.pki-electronic.com/products/interception-and-monitoring-systems/gsm-direction-finder/ used such a simple method, how can it locate the exact device among others using the same uplink? Thanks a lot. Ranchu
  2. Thanks, I think I understand the general concept of how the "IMSI catcher" DF device works: As described on that web site, the configuration is composed of: target (attacked) mobile, base station, and another handset. Probably the other handset is actually a receiver which also listens on the same "target" mobile (uplink) frequency. The base station forces the target mobile to keep transmitting (by sending silent SMS). So we have 2 receivers (the base station and the other handset which is walking and getting near the target), both of them receive the transmission from the target. Signal strength (RSSI) can be converted to distance in meters. So the target can be anywhere in the radius (distance) around these 2 receivers. We can draw these 2 circles like a map, and so the target direction is according to the merge points of these 2 circles. Does it make sense? I think that 2 circles still give too many possible solutions, so we actually need a 3rd receiver? and handset: 1. the
  3. Hello, When using an IMSI catcher or GSM sniffing we can find IMSI/TMSI. But how can we find MSISDN? Thanks, Ranchu
  4. Thanks. I am looking for a sort of GSM solution, something similar to what they have done here: http://www.pki-electronic.com/products/interception-and-monitoring-systems/gsm-direction-finder/ The problem is that I don't really understand how it works yet... I have a USRP GSM transmitter and I am trying to understand the concept of doing it. Trying to understand how it is done, I think about the following: It seems to be some sort of IMSI catcher, which makes the attacked phone keep transmitting (maybe by continuing to send silent SMS). So this already can give some sort of signal to the transmitter, which can know the signal strength, but can't know yet where it is in 2D (and of course in 3D). So here comes the other device in the hand of the searching man... But I don't yet understand how it helps. It is probably a mobile device (?). So it can give its own signal strength to the base station. But it does not yet help in 2D mapping, because it is just a signal strength number (but not indexes in 2D...). I have found some theses about direction finders with USRP: https://hal.archives-ouvertes.fr/tel-01182898/file/these_archivage_3160048.pdf The Wi-Fi solution is OK, but if the system as a whole (IMSI catcher) depends on a GSM base station and mobiles, then I think I had better try to find a solution in this area. I am sure I am not the first one who tries to understand the concept behind doing it with GSM, but I am probably missing something.... Thanks for your comments, Ranchu
  5. I am trying to understand how to achieve a direction finder (DF) for mobile GSM devices. I have found the following description: http://www.pki-electronic.com/products/interception-and-monitoring-systems/gsm-direction-finder/ & http://www.pki-electronic.com/products/interception-and-monitoring-systems/active-gsm-monitoring-system/ It seems to describe the following configuration: <IMSI catcher>-------- <handset (mobile)> | |-------- <target mobile device> So it is composed of an IMSI catcher (probably), i.e. an active base station, which forces the target mobile to transmit, and probably the attacker base station (SDR radio) can detect the exact direction/signal strength of the attacked device. Why does it require the additional handset (mobile), i.e. what is the concept of a GSM direction finder? Is it possible to achieve a direction finder using a simple radio such as USRP (https://www.ettus.com/)? Thanks.
  6. NotPike, Thanks a lot for this interesting post. Can you please explain the idea of using the transmission with Yard Stick One? Is it just to make sure that there is no interference? Does it matter if the base station is encrypted or not for the interference? "Another advantage of configuring a base station to be unencrypted is that it keeps it legal for hams to broadcast on the 900mhz HAM band :3. You just need to have another radio running on the same band as your base station's down link transmitting your call sign every 10 min in CW or RTTY. I'm using my Yard Stick One for that task." Thx