ranchu Posted April 18, 2017
I am trying to understand how to achieve direction finding (DF) for mobile GSM devices. I have found the following description: http://www.pki-electronic.com/products/interception-and-monitoring-systems/gsm-direction-finder/ & http://www.pki-electronic.com/products/interception-and-monitoring-systems/active-gsm-monitoring-system/ It seems to describe the following configuration:

    <IMSI catcher>-------- <handset (mobile)>
           |
           |-------- <target mobile device>

So it is composed of an IMSI catcher (probably), i.e. an active base station, which forces the target mobile to transmit, and probably the attacker base station (SDR radio) can detect the exact direction/signal strength of the attacked device. Why does it require the additional handset (mobile), i.e. what is the concept of a GSM direction finder? Is it possible to achieve direction finding using a simple radio such as USRP (https://www.ettus.com/)? Thanks.
0phoi5 Posted April 19, 2017 (edited)
21 hours ago, ranchu said:
    Why does it require the additional handset (mobile), i.e. what is the concept of a GSM direction finder?
Maths. You need 3 reference points to plot a point in 3D space. Either that, or it requires some sort of data from the mobile device, using it as an addition to its own hardware.
Edited April 19, 2017 by haze1434
0phoi5 Posted April 19, 2017 (edited)
If you are looking to pinpoint a phone within a small degree of inaccuracy, on the cheap, you can use its WiFi signal. All devices with WiFi enabled broadcast their MAC. Getting a target's MAC is easy enough, then you can use a few cheap antennas and some scripting, or a heat map utility, to narrow down the position of the station (phone). Or, simply walk around until the signal strength goes up or down. The problem with this is that you need to be within about 100m of the phone, so you have to have a rough idea of where they are, then you can use the WiFi broadcast to narrow down exactly where. You could also set up Kismet or Aircrack, war-drive around collecting stations, then use this to narrow down over a wider distance. Just search for the station MAC within the Kismet / Aircrack data and overlay it on Google Maps. Of course, this is slow. If you need to narrow them down quickly, for whatever reason, stick with the GSM devices.
Edited April 19, 2017 by haze1434
ranchu Posted April 19, 2017 (Author)
Thanks. I am looking for some sort of GSM solution, something similar to what they have done here: http://www.pki-electronic.com/products/interception-and-monitoring-systems/gsm-direction-finder/ The problem is that I don't really understand how it works yet... I have a USRP GSM transmitter and I try to understand the concept of doing it. Trying to understand how it is done, I think about the following: It seems to be some sort of IMSI catcher, which makes the attacked phone keep transmitting (maybe by sending silent SMS repeatedly). So this already can give some sort of signal to the transmitter, which can know the signal strength, but can't know yet where it is in 2D (and of course in 3D). So here comes the other device in the hand of the searching man... But I don't yet understand how it helps. It is probably a mobile device (?). So it can give its own signal strength to the base station. But it does not yet help in 2D mapping, because it is just a signal strength number (but not indexes in 2D...). I have found some theses about direction finding with USRP: https://hal.archives-ouvertes.fr/tel-01182898/file/these_archivage_3160048.pdf The WiFi solution is OK, but if the system as a whole (IMSI catcher) depends on a GSM base station and mobiles, then I think I had better try to find a solution in this area. I am sure I am not the first one who tries to understand the concept behind doing it with GSM, but I am probably missing something.... Thanks for your comments, Ranchu
barry99705 Posted April 20, 2017
Looks like it's just standard fox and hound signal locating.
ranchu Posted April 20, 2017 (Author)
Thanks, I think I understand the general concept of how the "IMSI catcher" DF device works: As described on that web site, the configuration is composed of: the target (attacked) mobile, a base station, and another handset. Probably the other handset is actually a receiver which also listens on the same "target" mobile (uplink) frequency. The base station forces the target mobile to keep transmitting (by sending silent SMS). So we have 2 receivers (the base station and the other handset, which is walking and getting near the target), both of which receive the transmission from the target. Signal strength (RSSI) can be converted to distance in meters. So the target can be anywhere in the radius (distance) around these 2 receivers. We can draw these 2 circles like a map, and so the target direction is according to the merge points of these 2 circles. Does it make sense? I think that 2 circles still give too many possible solutions, so we actually need a 3rd receiver?
and handset: 1. the
0phoi5 Posted April 24, 2017
On 20/04/2017 at 1:13 PM, barry99705 said:
    Looks like it's just standard fox and hound signal locating.
Hiya barry, Sorry to be a pain, but are you able to elaborate or provide a link? I did a search for 'fox and hound signal locating' but didn't have much luck finding a good explanation. Cheers.
barry99705 Posted April 24, 2017 (edited)
It's a ham radio term. The "fox" is your target. The "hounds" are your radios. It's also the same way we find radio tagged animals in the wild. You have your listening device with a directional antenna. Tune it to the target frequency, and start pointing it till the signal gets strongest. Note the direction on your map (draw a line). Move to a location not towards your target and find it again, note the direction ('nother line). Where the two lines cross is close to your target. Go to that spot and start over. I've done the same thing to find rogue access points using a Sharp Zaurus and a modified compact flash wireless card. https://goo.gl/photos/XWfj3P7ardqm9jZJ7
Edited April 24, 2017 by barry99705
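Worked example added here, not written by any poster in this thread: the geometry behind the two locating methods discussed above, as you would use it when hunting a rogue access point. barry99705's fox-and-hound fix is the crossing of two bearing lines taken from two observer positions; ranchu's two-receiver RSSI idea from April 20 is the crossing of two range circles, which shows the mirror-image ambiguity that a third receiver resolves. It assumes a local flat east/north grid in metres, constructed sample positions, and that RSSI has already been converted to a distance estimate (that conversion is noisy in practice and is not modelled here).

```python
# Added example, not from this thread: geometry behind the two locating methods
# discussed above, for hunting a rogue access point or other emitter.
import math


def bearing_intersection(p1, brg1, p2, brg2):
    """Fox-and-hound fix: intersect two bearing lines from two observer positions.

    p1, p2: (east, north) observer positions in metres on a local flat grid.
    brg1, brg2: compass bearings (0 = north, 90 = east) of the strongest signal.
    Returns the crossing point, or None when the bearings give no usable fix.
    """
    d1 = (math.sin(math.radians(brg1)), math.cos(math.radians(brg1)))
    d2 = (math.sin(math.radians(brg2)), math.cos(math.radians(brg2)))
    # Solve p1 + t*d1 == p2 + s*d2 with Cramer's rule.
    denom = d1[0] * d2[1] - d1[1] * d2[0]
    if abs(denom) < 1e-9:
        return None  # parallel bearings: second position was on the same line
    dx, dy = p2[0] - p1[0], p2[1] - p1[1]
    t = (dx * d2[1] - dy * d2[0]) / denom
    s = (dx * d1[1] - dy * d1[0]) / denom
    if t < 0 or s < 0:
        return None  # lines cross behind an observer, so a bearing is wrong
    return (p1[0] + t * d1[0], p1[1] + t * d1[1])


def circle_intersections(c1, r1, c2, r2):
    """Two-receiver RSSI fix: intersect two range circles (centre, radius in m).

    Returns the candidate points (0, 1 or 2). Two receivers normally leave two
    mirror-image candidates, which is why a third receiver is needed.
    """
    dx, dy = c2[0] - c1[0], c2[1] - c1[1]
    d = math.hypot(dx, dy)
    if d == 0 or d > r1 + r2 or d < abs(r1 - r2):
        return []  # coincident receivers, or circles that do not meet
    a = (r1 * r1 - r2 * r2 + d * d) / (2 * d)  # distance from c1 to chord midpoint
    h = math.sqrt(max(r1 * r1 - a * a, 0.0))  # half chord length
    mx, my = c1[0] + a * dx / d, c1[1] + a * dy / d
    pts = {(round(mx + h * dy / d, 6), round(my - h * dx / d, 6)),
           (round(mx - h * dy / d, 6), round(my + h * dx / d, 6))}
    return sorted(pts)


if __name__ == "__main__":
    # Constructed sample: emitter at (100, 100); observers at (0, 0) and (200, 0).
    print(bearing_intersection((0, 0), 45.0, (200, 0), 315.0))
    print(circle_intersections((0, 0), math.hypot(100, 100), (200, 0), math.hypot(100, 100)))
```

The circle case returns both (100, 100) and (100, -100) from the same two readings, which is exactly the ambiguity ranchu asked about; a bearing from either receiver, or a third range circle, picks the right one.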
0phoi5 Posted April 24, 2017
19 minutes ago, barry99705 said:
    It's a ham radio term. The "fox" is your target. The "hounds" are your radios. It's also the same way we find radio tagged animals in the wild. You have your listening device with a directional antenna. Tune it to the target frequency, and start pointing it till the signal gets strongest. Note the direction on your map (draw a line). Move to a location not towards your target and find it again, note the direction ('nother line). Where the two lines cross is close to your target. Go to that spot and start over. I've done the same thing to find rogue access points using a Sharp Zaurus and a modified compact flash wireless card. https://goo.gl/photos/XWfj3P7ardqm9jZJ7
Much appreciated, thank you.
ranchu Posted April 28, 2017 (Author)
Hi, I am trying to understand if we can use the same simple concept you described with mobile devices: The uplink frequency is shared among several devices, so trying to apply this same method will probably fail, right? So if this product: http://www.pki-electronic.com/products/interception-and-monitoring-systems/gsm-direction-finder/ used such a simple method, how can it locate the exact device among others using the same uplink? Thanks a lot. Ranchu
barry99705 Posted May 2, 2017
For this answer, you'd probably have to email pki's support. This is waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaay out of scope for this forum.