LTESniffer: An Open-Source LTE Downlink/Uplink Eavesdropper
153 points | 7 hours ago | 4 comments | github.com
anilakar
2 hours ago
Mobile network standards are full of acronyms. I love it.

In case you did not know, the letter Q in PHICH stands for "request".

derefr
1 hour ago
If anyone is wondering what the parent poster is talking about — the abbreviation PHICH (which isn't mentioned in the referenced project, but is just an example of a weird mobile-network acronym) expands to "Physical channel HybridARQ Indicator Channel"; and then the embedded "ARQ" inside it, purportedly expands to https://en.wikipedia.org/wiki/Automatic_repeat_request .

Some might claim that the "Q" in "ARQ" is actually "query"; and that people who choose to expand the "Q" as "request" just have a dim view of the average person's vocabulary level.

Personally, though, I'd argue that, if you think about it, the "Q" is probably not "request" or "query", but rather just another appearance of the conventional opaque "Q" that appears in https://en.wikipedia.org/wiki/Q_code.

Havoc
30 minutes ago
There are also some 4G dongles with known broken debug modes that can be used to extract info.
slwvx
6 hours ago
Nice!

I see that it supports FDD only (no TDD) and is limited to 20MHz, so some limitations.

I see that it can do some amount of real-time decoding, which is interesting. In cell towers, a big part of the processing is done by fairly general-purpose processors, but still much more tightly integrated with the hardware than this software is.

wkat4242
5 hours ago
Too bad the hardware for this is eyewateringly expensive :'(
tinix
3 hours ago
It uses srsRAN, which supports SoapySDR, which is vendor-agnostic.

This should work with LimeSDR as well.

For something cheaper, try AntSDR or ADALM-Pluto: https://github.com/srsran/zynq_timestamping

lots of good notes here: https://www.quantulum.co.uk/blog/private-lte-with-analog-ada...

wkat4242
47 minutes ago
I thought it needs 2x USRP if you want to receive both sides? And it's a lot less useful without that.
teruakohatu
5 hours ago
Seems like if you had a PC already, you could get away with a bladeRF 2.0 micro xA5 for $670, but this can sniff downlink only.
wkat4242
46 minutes ago
Yeah for me that is already eye-wateringly expensive :) (Being in Spain where purchasing power is low).
RachelF
4 hours ago
Yes, there is cheaper hardware like the Adalm Pluto with enough bandwidth and dynamic range, but it is not supported by the looks of things.
superkuh
4 hours ago
For those interested in a more accessible LTE metadata decoder, check out https://github.com/JiaoXianjun/LTE-Cell-Scanner which can work with even cheap RTL-SDR dongles (for some things). It is a fork of an older https://github.com/Evrytania/LTE-Cell-Scanner
wkat4242
47 minutes ago
Huh, how can that work? It's only got 2 MHz bandwidth. An LTE cell is much wider.
dezgeg
28 minutes ago
Possibly it's decoding MIB only, which is only 1.080 MHz wide.
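The two numbers in this sub-thread (slwvx's "limited to 20 MHz" and dezgeg's "MIB only, which is only 1.080 MHz wide") both fall out of the LTE resource-block arithmetic and the MIB's dl-Bandwidth field. The following is an added worked example written for this page; it is not code from LTESniffer, srsRAN or LTE-Cell-Scanner. It packs and unpacks the Rel-8 24-bit MasterInformationBlock from 3GPP TS 36.331 (dl-Bandwidth, PHICH config, the 8 SFN MSBs, 10 spare bits), derives the occupied bandwidth from the resource-block count, and performs the antenna-port detection a PBCH decoder does by trying the three CRC masks from TS 36.212. The sample MIB, the "received" CRC and the 2-port eNodeB it pretends to come from are constructed for the example.

```python
"""Decode the LTE MIB (PBCH payload) and relate it to receiver bandwidth.

Editor's example for this thread, not project code. Rel-8 MIB layout
(TS 36.331, UPER-packed, MSB first):
    dl-Bandwidth       3 bits  ENUMERATED {n6,n15,n25,n50,n75,n100}
    phich-Duration     1 bit   ENUMERATED {normal, extended}
    phich-Resource     2 bits  ENUMERATED {oneSixth, half, one, two}
    systemFrameNumber  8 bits  8 MSBs of the 10-bit SFN
    spare             10 bits  (Rel-13+ reuses some for BL/CE UEs)
The MIB's 16-bit CRC is XORed with a mask that encodes the number of
transmit antenna ports (TS 36.212 Table 5.3.1.1-1).
"""
from dataclasses import dataclass

DL_BANDWIDTH_RB = (6, 15, 25, 50, 75, 100)  # dl-Bandwidth index -> N_RB^DL
PHICH_DURATION = ("normal", "extended")
PHICH_RESOURCE = ("oneSixth", "half", "one", "two")
SUBCARRIER_SPACING_HZ = 15_000
SUBCARRIERS_PER_RB = 12
# Nominal channel bandwidth per N_RB, TS 36.101 Table 5.6-1
CHANNEL_BANDWIDTH_MHZ = {6: 1.4, 15: 3.0, 25: 5.0, 50: 10.0, 75: 15.0, 100: 20.0}
# CRC mask per antenna-port count, TS 36.212 Table 5.3.1.1-1
ANTENNA_PORT_MASK = {1: 0x0000, 2: 0xFFFF, 4: 0x5555}


@dataclass
class Mib:
    n_dl_rb: int
    phich_duration: str
    phich_resource: str
    sfn_msb: int  # 8 MSBs; the 2 LSBs come from the frame index in the 40 ms PBCH TTI


def occupied_bandwidth_hz(n_rb: int) -> int:
    """Spectrum actually carrying subcarriers for n_rb resource blocks.
    PBCH/MIB always sits in the central 6 RBs: 6 * 12 * 15 kHz = 1.08 MHz."""
    return n_rb * SUBCARRIERS_PER_RB * SUBCARRIER_SPACING_HZ


def encode_mib(mib: Mib) -> int:
    """Pack a Mib into its 24-bit PBCH payload."""
    bits = DL_BANDWIDTH_RB.index(mib.n_dl_rb)
    bits = (bits << 1) | PHICH_DURATION.index(mib.phich_duration)
    bits = (bits << 2) | PHICH_RESOURCE.index(mib.phich_resource)
    bits = (bits << 8) | (mib.sfn_msb & 0xFF)
    return bits << 10  # 10 spare bits, zero


def decode_mib(payload: int) -> Mib:
    """Unpack a 24-bit PBCH payload; reject reserved dl-Bandwidth codes."""
    if payload < 0 or payload >> 24:
        raise ValueError("MIB payload is exactly 24 bits")
    bw_idx = (payload >> 21) & 0x7
    if bw_idx >= len(DL_BANDWIDTH_RB):
        raise ValueError(f"reserved dl-Bandwidth value {bw_idx}")
    return Mib(
        n_dl_rb=DL_BANDWIDTH_RB[bw_idx],
        phich_duration=PHICH_DURATION[(payload >> 20) & 0x1],
        phich_resource=PHICH_RESOURCE[(payload >> 18) & 0x3],
        sfn_msb=(payload >> 10) & 0xFF,
    )


def crc16_lte(data: int, nbits: int) -> int:
    """gCRC16 from TS 36.212: x^16 + x^12 + x^5 + 1, zero-initialised, MSB first."""
    reg = 0
    for i in range(nbits - 1, -1, -1):
        feedback = ((data >> i) & 1) ^ (reg >> 15)
        reg = (reg << 1) & 0xFFFF
        if feedback:
            reg ^= 0x1021
    return reg


def detect_antenna_ports(payload: int, received_crc: int):
    """Blind antenna-port detection: the mask that makes the CRC match wins."""
    crc = crc16_lte(payload, 24)
    for ports, mask in ANTENNA_PORT_MASK.items():
        if crc ^ mask == received_crc:
            return ports
    return None  # no mask matched: corrupted PBCH or not a MIB


def full_sfn(mib: Mib, frame_offset: int) -> int:
    """Combine the 8 MSBs from the MIB with the 0..3 frame index of the 40 ms period."""
    return (mib.sfn_msb << 2) | (frame_offset & 0x3)


if __name__ == "__main__":
    # Constructed sample: a 20 MHz cell, normal PHICH, Ng = 1, SFN MSBs 0x2A
    sample = Mib(n_dl_rb=100, phich_duration="normal", phich_resource="one", sfn_msb=0x2A)
    payload = encode_mib(sample)
    rx_crc = crc16_lte(payload, 24) ^ ANTENNA_PORT_MASK[2]  # pretend a 2-port eNodeB sent it
    decoded = decode_mib(payload)
    print(f"payload=0x{payload:06X} N_RB={decoded.n_dl_rb} "
          f"channel={CHANNEL_BANDWIDTH_MHZ[decoded.n_dl_rb]} MHz "
          f"occupied={occupied_bandwidth_hz(decoded.n_dl_rb) / 1e6:.2f} MHz "
          f"PBCH={occupied_bandwidth_hz(6) / 1e6:.2f} MHz "
          f"ports={detect_antenna_ports(payload, rx_crc)} SFN={full_sfn(decoded, 1)}")
```

The point of the bandwidth arithmetic is the one dezgeg makes: a 2 MHz receiver can capture the central six resource blocks (1.08 MHz) and therefore the PSS/SSS and PBCH of any cell, which yields cell ID, SFN and the cell's configured bandwidth, but decoding the PDCCH/PDSCH of a 100-RB cell needs the full 18 MHz of occupied spectrum (a 20 MHz channel). The antenna-port check shows why a MIB decoder never hard-codes the port count: it has to run the CRC three times with different masks and take whichever one verifies.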
HeatrayEnjoyer
2 hours ago
True? How are phone modems inexpensive?
paweladamczuk
1 hour ago
I'm wondering the same thing.

Can someone outline the architectural limitations of using a smartphone modem for such network debugging/sniffing tasks?

wkat4242
46 minutes ago
Simple: Mass production, dedicated hardware for that single purpose (but not able to do full monitoring like this).
binary_marbl
3 hours ago
What does it require?