A mobile phone will normally look for a suitable GSM base station on a channel in the GSM-900 band. The GSM-900 band is made up of the following frequency bands:
Update 2008-01-25: There are a number of GSM bands a mobile phone can use, and these bands can differ depending on the country you are in. Most of the world uses the GSM-900 and GSM-1800 bands; the most notable exceptions are the United States, Canada and other parts of the Americas, which use the GSM-850 and GSM-1900 bands.
These are the details of the other common frequency bands:
Update 2008-01-25: The rest of the techniques in this article can be adjusted to work in the different bands, by using the different base TX to mobile RX frequency ranges.
Each channel is made up of two radio frequencies, a TX and an RX frequency, 45 MHz apart. The frequencies have a 200 kHz carrier spacing; for example, channel 12 uses the frequencies 892.4 MHz and 937.4 MHz.
A base station (cell) will be allocated a set of channels; one of these channels is called the BCCH carrier. This channel contains lots of useful information about the base station (BCCH (Broadcast Control Channel)) and provides a mechanism for the mobile phone to find the base station (FCCH (Frequency correction channel)).
We can use the FCCH to manually find an active base station using GnuRadio software and USRP hardware with a DBSRX module. Setting up a GnuRadio environment is not covered in this howto.
The FCCH generates a Frequency correction burst (FB), which can be seen on a spectrum (frequency-domain) plot as a peak at a frequency offset of 66.7 kHz (+1625/24 kHz) above the carrier center. A suitable spectrum plot can be generated by the usrp_fft.py command.
usrp_fft.py --decim=32 --gain=26 --freq=921M
When the above command is run, a plot window similar to Image 1 is shown, with a randomly moving blue line that represents the amplitude of the signal detected at each frequency. The frequency range shown is from 1 MHz below to 1 MHz above the center frequency of 921 MHz. The plot's vertical divisions are 200 kHz apart.
A possible active channel should be visible in the plot display as a wide bump centered around a vertical division. There are no active channels shown in Image 1.
The center frequency can be modified by typing a new value into the Center freq: text box and pressing the enter key. Scan forward through the frequency range by typing 922M [enter], 923M [enter], etc. Look for interesting channel bumps in the blue line centered around a vertical division.
In my scan the first interesting channel bump appeared near center frequency 937 MHz (Image 2). Note: the slight bump to the left is an artifact and can be ignored.
To investigate the possible channel further, we change the center frequency to 937.8 MHz, which centers us on the possible channel. Notice in Image 3 that the spectrum to the right of the center channel has a similar amplitude; this tells me that other channels might be in use for traffic data or that I'm picking up more than one base station.
Right clicking on the plot window and selecting the Peak Hold option makes the plot show the highest amplitude received. After about 30 seconds any Frequency correction bursts should be clearly visible as narrow peaks in the plot. Image 4 shows three Frequency correction bursts highlighted with red arrows, and possibly two others. It would not be normal to expect so many BCCH carriers so close together, and it is most likely that we are picking up more than one base station (FIXME is this correct?).
We should continue scanning for a more suitable base station. Right click again and select Peak Hold to deselect that option. Enter the next center frequency.
The next interesting center frequency is 941 MHz (Image 5). This possible channel bump has a significantly higher amplitude, which would indicate that the base station is closer. The Peak Hold plot (Image 6) shows a very clear Frequency correction burst. Also, the peaks to the right would seem to indicate active traffic channels.
We can be pretty sure that this is a local base station channel, and we should record its center frequency for future in-depth investigation. We can continue scanning for more base stations.
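When recording a center frequency, it helps to note the channel number it corresponds to and which other channels fall inside the same 2 MHz plot window. The following Python code is an added example, not part of the original howto; it assumes primary GSM-900 numbering (channels 1 to 124, mobile TX at 890 MHz + n x 200 kHz), and all function names are illustrative.

```python
# Added example: GSM-900 channel arithmetic, done in integer kHz to avoid
# floating-point rounding when matching carriers to plot divisions.
from fractions import Fraction

CARRIER_SPACING_KHZ = 200             # carrier spacing, from the text
DUPLEX_OFFSET_KHZ = 45_000            # TX/RX separation, from the text
UPLINK_BASE_KHZ = 890_000             # assumption: primary GSM-900 numbering
CHANNELS = range(1, 125)              # assumption: primary GSM-900 channels 1..124
FCCH_OFFSET_KHZ = Fraction(1625, 24)  # burst offset above the carrier, from the text


def channel_to_khz(channel):
    """Return (mobile TX, base TX) carrier frequencies in kHz for a channel."""
    if channel not in CHANNELS:
        raise ValueError(f"channel {channel} is outside 1..124")
    uplink = UPLINK_BASE_KHZ + channel * CARRIER_SPACING_KHZ
    return uplink, uplink + DUPLEX_OFFSET_KHZ


def downlink_to_channel(freq_khz):
    """Return the channel whose base TX carrier is exactly freq_khz, else None."""
    offset = freq_khz - UPLINK_BASE_KHZ - DUPLEX_OFFSET_KHZ
    channel, remainder = divmod(offset, CARRIER_SPACING_KHZ)
    if remainder != 0 or channel not in CHANNELS:
        return None  # not on the 200 kHz raster, or outside the band
    return channel


def channels_in_view(center_khz, half_span_khz=1000):
    """List (channel, carrier kHz, expected FCCH peak kHz) for every base TX
    carrier inside the plot window of center +/- half_span (1 MHz in the text)."""
    visible = []
    for channel in CHANNELS:
        _, downlink = channel_to_khz(channel)
        if abs(downlink - center_khz) <= half_span_khz:
            visible.append((channel, downlink, downlink + FCCH_OFFSET_KHZ))
    return visible


if __name__ == "__main__":
    # Center frequencies taken from the scan described above.
    for center in (937_800, 941_000):
        print(f"center {center / 1000:.1f} MHz = channel {downlink_to_channel(center)}")
        for channel, carrier, peak in channels_in_view(center):
            print(f"  ch {channel:3d}  carrier {carrier / 1000:.1f} MHz"
                  f"  FCCH peak {float(peak) / 1000:.4f} MHz")
```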