Find a GSM base station manually using a USRP


A mobile phone will normally look for a suitable GSM base station on a channel in the GSM-900 band. The GSM-900 band is made up of the following frequency bands:

Standard or Primary GSM-900 Band, P-GSM (Channels 1 to 124)
890 MHz to 915 MHz: mobile TX, base RX
935 MHz to 960 MHz: base TX, mobile RX
Extended GSM-900 Band, E-GSM (Channels 0 to 124 and 975 to 1023)
880 MHz to 915 MHz: mobile TX, base RX
925 MHz to 960 MHz: base TX, mobile RX
Railways GSM-900 Band, R-GSM (Channels 0 to 124 and 955 to 1023)
876 MHz to 915 MHz: mobile TX, base RX
921 MHz to 960 MHz: base TX, mobile RX

Update 2008-01-25: There are a number of GSM bands a mobile phone can use, and which bands are in use depends on the country you are in. Most of the world uses the GSM-900 and GSM-1800 bands, the most notable exceptions being the United States, Canada and other parts of the Americas, which use the GSM-850 and GSM-1900 bands.

These are the details of the other common frequency bands:

GSM-850 Band (Channels 128 to 251)
824 MHz to 849 MHz: mobile TX, base RX
869 MHz to 894 MHz: base TX, mobile RX
GSM-1800 or DCS-1800 Band (Channels 512 to 885)
1710 MHz to 1785 MHz: mobile TX, base RX
1805 MHz to 1880 MHz: base TX, mobile RX
GSM-1900 or PCS-1900 Band (Channels 512 to 810)
1850 MHz to 1910 MHz: mobile TX, base RX
1930 MHz to 1990 MHz: base TX, mobile RX

Update 2008-01-25: The rest of the techniques in this article can be adjusted to work in the other bands by scanning the corresponding base TX (mobile RX) frequency range instead.

Each channel (ARFCN) is a pair of radio frequencies, a mobile TX (uplink) frequency and a base TX (downlink) frequency. In the GSM-900 and GSM-850 bands the pair is 45 MHz apart (95 MHz in DCS-1800 and 80 MHz in PCS-1900), and channels are spaced 200 kHz apart. For example, channel 12 uses 892.4 MHz for the mobile TX and 937.4 MHz for the base TX.
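The channel numbering above, worked through as an added example (this is not code from the article): the ARFCN-to-frequency formulas of 3GPP TS 45.005 for every band listed on this page, in both directions, so that a base TX frequency found while scanning can be turned back into a channel number. All arithmetic is in integer kHz so the 200 kHz steps stay exact. The band names, function names and the fcch_tone_khz helper are my own.

```python
"""ARFCN <-> carrier frequency for the GSM bands listed above (3GPP TS 45.005, section 2).

Added example, not code from the original article.  Frequencies are integer kHz.
Each band is a list of ARFCN ranges, each range giving its first and last ARFCN
and the mobile TX (uplink) frequency of the first ARFCN, plus the band's duplex
spacing (base TX = mobile TX + duplex).
"""

BANDS = {
    "P-GSM-900": ([(1, 124, 890_200)], 45_000),
    "E-GSM-900": ([(0, 124, 890_000), (975, 1023, 880_200)], 45_000),
    "R-GSM-900": ([(0, 124, 890_000), (955, 1023, 876_200)], 45_000),
    "GSM-850":   ([(128, 251, 824_200)], 45_000),
    "DCS-1800":  ([(512, 885, 1_710_200)], 95_000),
    "PCS-1900":  ([(512, 810, 1_850_200)], 80_000),
}
CHANNEL_SPACING_KHZ = 200
FCCH_OFFSET_KHZ = 1625 / 24        # the FCCH tone sits this far above the base TX carrier


def arfcn_to_freq(band, arfcn):
    """Return (mobile TX kHz, base TX kHz) for an ARFCN in the named band.

    The band must be given: ARFCNs 512..810 mean different frequencies in
    DCS-1800 and PCS-1900, and 0..124 are shared by all three 900 MHz bands.
    """
    ranges, duplex = BANDS[band]
    for first, last, uplink_first in ranges:
        if first <= arfcn <= last:
            uplink = uplink_first + CHANNEL_SPACING_KHZ * (arfcn - first)
            return uplink, uplink + duplex
    raise ValueError(f"ARFCN {arfcn} is not defined in {band}")


def downlink_to_arfcn(downlink_khz):
    """Every (band, ARFCN) whose base TX carrier is exactly downlink_khz.

    Returns an empty list when the frequency is not a GSM carrier at all;
    921 000 kHz, the article's starting point, lies between carriers.
    """
    hits = []
    for band, (ranges, duplex) in BANDS.items():
        uplink = downlink_khz - duplex
        for first, last, uplink_first in ranges:
            offset = uplink - uplink_first
            if offset % CHANNEL_SPACING_KHZ:
                continue                        # off the 200 kHz grid for this range
            arfcn = first + offset // CHANNEL_SPACING_KHZ
            if first <= arfcn <= last:
                hits.append((band, arfcn))
    return hits


def fcch_tone_khz(downlink_khz):
    """Frequency at which the FCCH tone of a BCCH carrier appears on the spectrum plot."""
    return downlink_khz + FCCH_OFFSET_KHZ


if __name__ == "__main__":
    print(arfcn_to_freq("P-GSM-900", 12))      # the article's example: 892.4 / 937.4 MHz
    for freq in (937_800, 941_000, 921_000):   # the article's two finds, and its start frequency
        print(freq, downlink_to_arfcn(freq), f"FCCH tone near {fcch_tone_khz(freq):.1f} kHz")
```

Because the three 900 MHz bands nest (P-GSM inside E-GSM inside R-GSM), a downlink frequency in the 935 to 960 MHz range maps to the same ARFCN in all three; the reverse lookup reports every match rather than guessing which band the operator is licensed for.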

A base station (cell) is allocated a set of channels; one of them is called the BCCH carrier. This channel carries a lot of useful information about the base station (the BCCH, Broadcast Control Channel) and provides the mechanism a mobile phone uses to find the base station (the FCCH, Frequency Correction Channel).

We can use the FCCH to manually find an active base station using GnuRadio software and USRP hardware with a DBSRX daughterboard. Setting up a GnuRadio environment is not covered in this howto.

The FCCH carries frequency correction bursts (FB). A burst is 148 zero bits, which GMSK modulation turns into a pure tone 1625/24 kHz (about 67.7 kHz) above the carrier center, so on a spectrum (frequency-domain) plot it shows as a narrow peak at that offset. A suitable spectrum plot can be generated by running the plotting command with the options --decim=32 --gain=26 --freq=921M (with the USRP's 64 MS/s ADC, --decim=32 gives a 2 MS/s sample rate, hence the 2 MHz span).

When this command is run, a plot window similar to Image 1 appears with a jittering blue trace showing the amplitude received at each frequency. The span shown runs from 1 MHz below to 1 MHz above the center frequency of 921 MHz, and the plot's vertical divisions are 200 kHz apart, so they line up with the GSM channel grid.

Image 1: Showing window.

A possible active channel shows up in the plot as a bump about 200 kHz wide centered on a vertical division. There are no active channels in Image 1.

The center frequency can be changed by typing a new value into the Center freq: text box and pressing the enter key. Scan forward through the band by typing 922M [enter], 923M [enter], and so on, looking for channel bumps in the blue trace centered on a vertical division.

In my scan the first interesting channel bump appeared near a center frequency of 937 MHz (Image 2). Note: the slight bump to the left is an artifact and can be ignored.

Image 2: Interesting channel bump.

To investigate the possible channel further, change the center frequency to 937.8 MHz, which centers the plot on it. Notice in Image 3 that the spectrum to the right of the center channel has a similar amplitude; this suggests that neighboring channels are in use for traffic, or that more than one base station is being received.

Image 3: Centered channel bump, possible traffic.

Right-click on the plot window and select the Peak Hold option; the plot then shows the highest amplitude received so far at each frequency. After about 30 seconds any frequency correction bursts should be clearly visible as narrow peaks. Image 4 shows three frequency correction bursts highlighted with red arrows, and possibly two more. A cell transmits FCCH only on its single BCCH carrier, so several bursts on neighboring channels means we are receiving the BCCH carriers of several cells at once; operators commonly set aside a contiguous block of channels for their BCCH carriers, which is why they appear so close together.

Image 4: Marked frequency correction bursts.
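The peak-hold search described above, as an added example that is not code from the article: it simulates the 2 MS/s sample stream the plot is drawn from, applies peak hold across frames, and picks out narrow spikes sitting 1625/24 kHz above the 200 kHz channel grid. Everything in it is constructed: the two channels are modelled as flat sets of random-phase tones, the FCCH tone is present in every fourth frame rather than on real 51-multiframe timing, and the spike and noise-floor thresholds are my own choices, not values from the article or from GnuRadio.

```python
"""Peak-hold FCCH search: an added example, not code from the original article.

It reproduces in software what the spectrum plot shows.  Frames of complex
samples at 2 MS/s (the USRP's 64 MS/s ADC at --decim=32) are turned into
magnitude spectra, a peak-hold trace keeps each bin's maximum across frames,
and narrow spikes 1625/24 kHz above a 200 kHz channel centre are reported as
BCCH carriers.  The IQ data is constructed here, not captured from a USRP.
"""
import cmath
import math
import random

SAMPLE_RATE = 2_000_000            # Hz: 64 MS/s / 32
FFT_SIZE = 1024                    # one frame = 0.512 ms, shorter than a 0.546 ms burst
BIN_HZ = SAMPLE_RATE / FFT_SIZE    # 1953.125 Hz per bin
FCCH_OFFSET_HZ = 1625e3 / 24       # all-zero FCCH bits give a tone ~67.7 kHz above carrier
CHANNEL_SPACING_HZ = 200_000


def tone(freq_hz, amplitude, phase):
    """One complex sinusoid over a frame, advanced by a constant phasor per sample."""
    step = cmath.exp(2j * math.pi * freq_hz / SAMPLE_RATE)
    z = amplitude * cmath.exp(1j * phase)
    samples = []
    for _ in range(FFT_SIZE):
        samples.append(z)
        z *= step
    return samples


def add_into(frame, samples):
    for k, s in enumerate(samples):
        frame[k] += s


def simulate_capture(fcch_offset_hz, traffic_offset_hz, n_frames=8, fcch_every=4, seed=1):
    """Constructed IQ frames around the tuner centre (model, not real GSM timing).

    Two 200 kHz channels are modelled as flat sets of random-phase tones one bin
    apart (channel offsets are snapped to the bin grid so the model stays flat).
    The first channel also carries an FCCH tone, but only in every fcch_every-th
    frame: the real FCCH occupies 5 of every 51 frames on timeslot 0, which is
    why the plot needs Peak Hold to make it visible.  fcch_every=None disables it.
    """
    rng = random.Random(seed)
    frames = []
    for idx in range(n_frames):
        frame = [complex(rng.gauss(0, 0.02), rng.gauss(0, 0.02)) for _ in range(FFT_SIZE)]
        for offset_hz in (fcch_offset_hz, traffic_offset_hz):
            centre_bin = round(offset_hz / BIN_HZ)
            for j in range(-51, 52):                       # +/-100 kHz of modulation
                add_into(frame, tone((centre_bin + j) * BIN_HZ, 0.1, rng.uniform(0, 2 * math.pi)))
        if fcch_every is not None and idx % fcch_every == 0:
            add_into(frame, tone(fcch_offset_hz + FCCH_OFFSET_HZ, 1.0, rng.uniform(0, 2 * math.pi)))
        frames.append(frame)
    return frames


def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out


def magnitude_db(frame):
    """Magnitude spectrum in dB ordered -fs/2 .. +fs/2, as the plot draws it."""
    spec = fft(frame)
    half = len(spec) // 2
    return [20 * math.log10(abs(c) + 1e-12) for c in spec[half:] + spec[:half]]


def peak_hold(frames):
    """The plot's Peak Hold option: per-bin maximum over all frames seen so far."""
    held = magnitude_db(frames[0])
    for frame in frames[1:]:
        held = [max(h, m) for h, m in zip(held, magnitude_db(frame))]
    return held


def find_fcch_carriers(held_db, centre_hz, spike_db=8.0, above_floor_db=20.0, width=4):
    """Carrier frequencies (Hz) whose FCCH tone shows in a peak-hold trace.

    A bin qualifies when it is a local maximum well above the noise floor (the
    trace median), stands spike_db above the bins `width` away on both sides
    (a tone, not a 200 kHz-wide modulated carrier), and lies 1625/24 kHz above
    a frequency on the 200 kHz channel grid.  Thresholds are my own choices.
    """
    n = len(held_db)
    floor = sorted(held_db)[n // 2]
    carriers = []
    for i in range(width, n - width):
        level = held_db[i]
        if level - floor < above_floor_db or level < held_db[i - 1] or level < held_db[i + 1]:
            continue
        if level - max(held_db[i - width], held_db[i + width]) < spike_db:
            continue
        carrier_hz = centre_hz + (i - n // 2) * BIN_HZ - FCCH_OFFSET_HZ
        on_grid = round(carrier_hz / CHANNEL_SPACING_HZ) * CHANNEL_SPACING_HZ
        if abs(carrier_hz - on_grid) <= BIN_HZ and on_grid not in carriers:
            carriers.append(on_grid)
    return carriers


def demo(centre_hz=937_800_000):
    """Tune to the article's 937.8 MHz: a BCCH carrier at the centre and a
    traffic-only carrier 200 kHz above it; only the former should be reported."""
    frames = simulate_capture(fcch_offset_hz=0, traffic_offset_hz=CHANNEL_SPACING_HZ)
    return find_fcch_carriers(peak_hold(frames), centre_hz)


if __name__ == "__main__":
    for carrier in demo():
        print(f"FCCH seen: BCCH carrier at {carrier / 1e6:.1f} MHz")
```

Run stand-alone it reports the 937.8 MHz carrier and says nothing about the traffic-only channel 200 kHz above it, which is the distinction the Peak Hold view lets you make by eye: modulated traffic bursts raise the whole 200 kHz bump, but only an all-zero frequency correction burst produces a single narrow tone, and only at that one offset from the channel center.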

We should continue scanning for a more suitable base station. Right-click again and select Peak Hold to deselect that option, then enter the next center frequency.

The next interesting center frequency is 941 MHz (Image 5). This channel bump has a significantly higher amplitude, which suggests that the base station is closer. The Peak Hold plot (Image 6) shows a very clear frequency correction burst, and the peaks to the right would seem to indicate active traffic channels.

Image 5: Another interesting channel bump.
Image 6: A strong, clean channel signal with FB, possibly also showing traffic channels.

We can be fairly sure that this is a local base station's BCCH carrier, and we should record its center frequency for later in-depth investigation. We can then continue scanning for more base stations.


Last updated 2008-01-23. Copyright © 2007-2008 Robert Fitzsimons. robfitz at 273k dot net