Hacking Guide To Gsm
Section 1: The Introduction

Originally developed as a European standard for mobile telephony, GSM has quickly gained ground all over the world. However, for much of the world this is still new technology, and therefore there are many people with many questions to ask. One of the ones I most commonly hear from time to time when I idle in Hackers Lounge is "how do you hack GSM phones?". This is understandable: for much of the world this is still new technology, and there are a lot of people who want to know about all the fun things they can do with these new phones. Well, this tutorial is for all of you: a complete guide for all your GSM hacking needs. Enjoy.
Section 2: How GSM Operates

As I've said in past tutorials, in order to hack anything in any sense of the word you first have to understand how it operates. This section therefore covers the details of GSM so that you have a better understanding of how it operates, and therefore a better understanding of how it can be exploited.

GSM (Global System for Mobile communication) is fundamentally different from some of its older counterparts like AMPS in the sense that it operates using digital technology instead of the traditional analog technology. GSM, being a cellular system, is of course divided into cells. Each cell corresponds to the coverage area of one transmitter, or of a small collection of transmitters, and the size of a cell depends on the power of its transmitter. GSM, as with other cellular systems, uses low-power transmitters so that frequencies can be reused efficiently. The frequency band used by a cellular mobile radio system is distributed over a group of cells, and that group is repeated throughout the coverage area of an operator. All the available radio channels can then be used in each group of cells that forms the coverage area of an operator, and the frequencies used are reused several cells away.

There are four different types of cell in use: macrocells, microcells, selective cells, and umbrella cells. Macrocells are large cells used for remote and sparsely populated areas. Microcells, on the other hand, are used for densely populated areas; using these cells in densely populated areas increases the number of available channels as well as the capacity of the cells. Transmitters in these cells use less power in order to reduce the possibility of interference between neighboring cells. In areas where a full 360 degrees of coverage is not needed, selective cells are used to cover a specified area.
Umbrella cells are used together with microcells in order to solve the problem of handovers when traversing microcell areas. The power level within an umbrella cell is higher than the power levels within the microcells that the umbrella cell covers.

The cells themselves are grouped into clusters. The number of cells within a cluster is chosen so that the cluster can be repeated continuously within the coverage area of an operator; a typical cluster contains 4, 7, 12, or 21 cells. The number of cells per cluster is very important: the smaller the number of cells per cluster, the larger the number of channels per cell, which in turn increases the capacity of each cell. The total number of channels used in each cell depends on the number of available channels and the type of cluster used. A balance must be struck when laying out these clusters in order to avoid interference with neighboring clusters.

Now let's discuss the architecture of the GSM network. A GSM network can be divided into four main parts: the MS (Mobile Station), the BSS (Base Station Subsystem), the NSS (Network and Switching Subsystem), and the OSS (Operation and Support Subsystem).

The two main elements of an MS are the terminal and the SIM (Subscriber Identity Module). There are different types of terminal within the MS architecture, distinguished by their power and application. Fixed terminals are the ones installed in cars and have a maximum output of 20 watts. GSM portable terminals can also be installed in cars and have a maximum output of 8 watts. Finally, handheld terminals have a maximum output of 2 watts, but nowadays these terminals can and do transmit at 0.8 watts. The SIM is a smart card that is used to identify the terminal.
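To make the cluster trade-off concrete, here is an added Python example (not from the original essay) that takes the cluster sizes listed above and works out channels per cell and co-channel reuse distance. It goes slightly beyond the text by using two standard hexagonal cell-planning results that the essay does not state: a cluster size N is geometrically valid only when N = i² + ij + j² for integers i, j (which is exactly why 4, 7, 12 and 21 are the usual choices), and the reuse distance D relative to cell radius R is D/R = sqrt(3N). The 124-channel operator is a constructed planning assumption.

```python
import math

# Cluster sizes the essay lists as typical. In a hexagonal layout a cluster is
# geometrically valid only when N = i*i + i*j + j*j for non-negative integers i, j.
TYPICAL_CLUSTER_SIZES = (4, 7, 12, 21)


def is_valid_cluster_size(n: int, limit: int = 10) -> bool:
    """True if n can be written as i^2 + i*j + j^2 (hexagonal cell geometry)."""
    return any(i * i + i * j + j * j == n for i in range(limit) for j in range(limit))


def channels_per_cell(total_channels: int, cluster_size: int) -> int:
    """Channels each cell gets when the operator's channels are split across one cluster.

    Smaller clusters give each cell more channels (higher capacity) but bring
    co-channel cells closer together (more interference), as the essay describes.
    """
    if not is_valid_cluster_size(cluster_size):
        raise ValueError(f"{cluster_size} is not a valid hexagonal cluster size")
    return total_channels // cluster_size


def reuse_distance_ratio(cluster_size: int) -> float:
    """Distance between co-channel cells D over cell radius R: D/R = sqrt(3N)."""
    return math.sqrt(3 * cluster_size)


def plan_cluster(total_channels: int, cluster_size: int) -> dict:
    """Summarise the capacity/interference trade-off for one cluster size."""
    return {
        "cluster_size": cluster_size,
        "channels_per_cell": channels_per_cell(total_channels, cluster_size),
        "reuse_distance_ratio": round(reuse_distance_ratio(cluster_size), 2),
    }


if __name__ == "__main__":
    # Constructed assumption: the operator holds 124 carriers (the size of the
    # primary GSM-900 band); any other channel count works the same way.
    for n in TYPICAL_CLUSTER_SIZES:
        print(plan_cluster(124, n))
```

Running it shows the essay's point numerically: a 4-cell cluster gives each cell 31 channels but reuses them at only 3.46 radii, while a 21-cell cluster gives 5 channels per cell at 7.94 radii.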
The SIM card is protected by a PIN (Personal Identification Number) and, in order to identify the user to the system, also holds other parameters of the user such as the IMSI (International Mobile Subscriber Identity). This is what allows the terminal to operate within the GSM network; without the SIM card, the terminal itself is a useless device.
The BSS is in charge of transmission and reception, and is what connects the MS to the NSS. Two parts make up the BSS: the BTS (Base Transceiver Station, also known as a Base Station) and the BSC (Base Station Controller). The BTS comprises the transceivers and antennas used in each cell of the network, and is usually located in the center of the cell. The transmission power of the BTS is what defines the size of its cell. Each BTS has between 1 and 16 transceivers, depending on the density of users within the cell. The BSC manages the BTSs; it is primarily in charge of handovers, frequency hopping and exchange functions, and it controls the radio frequency power levels of the BTSs.

The NSS is in charge of managing the communications between mobile users and other users. This part of the GSM architecture is separated into 7 parts: the MSC (Mobile services Switching Center), the GMSC (Gateway Mobile services Switching Center), the HLR (Home Location Register), the VLR (Visitor Location Register), the AuC (Authentication Center), the EIR (Equipment Identity Register), and the GIWU (GSM Interworking Unit). The central component of the NSS is the MSC, which performs the switching functions of the network and provides connectivity to other networks. Next is the GMSC, which provides the interface between the cellular network and the PSTN (Public Switched Telephone Network). It is in charge of routing calls from the fixed network to a GSM user, and is usually implemented in the same machine as the MSC. The HLR is in charge of storing information on the subscribers belonging to the coverage area of the MSC, as well as the current location of these subscribers and the services they have access to. The location of a subscriber corresponds to the SS7 (short for Common Channel Signaling System 7, the protocol used by modern PSTNs) address of the VLR.
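Added example (not from the original essay, and a simplified model rather than real GSM MAP signalling): a small Python sketch of the HLR/VLR split described above, in which the HLR's record of a subscriber's location is nothing more than the SS7 address of the VLR currently serving them, and the GMSC routes a call arriving from the PSTN by consulting that record. Class names, addresses and IMSIs are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Subscriber:
    """Permanent subscriber record as the HLR holds it (constructed model)."""
    imsi: str                          # identity stored on the SIM
    msisdn: str                        # dialable phone number
    services: Set[str] = field(default_factory=set)
    vlr_address: Optional[str] = None  # SS7 address of the VLR currently serving the user


class HLR:
    """Home Location Register: subscriber data plus the VLR address that marks the current location."""
    def __init__(self) -> None:
        self.by_imsi: Dict[str, Subscriber] = {}
        self.by_msisdn: Dict[str, Subscriber] = {}

    def add(self, sub: Subscriber) -> None:
        self.by_imsi[sub.imsi] = sub
        self.by_msisdn[sub.msisdn] = sub

    def update_location(self, imsi: str, vlr_address: str) -> None:
        """A VLR reports that the subscriber has moved into its area."""
        self.by_imsi[imsi].vlr_address = vlr_address


class VLR:
    """Visitor Location Register: working copy of HLR data for subscribers in one MSC area."""
    def __init__(self, ss7_address: str, hlr: HLR) -> None:
        self.ss7_address, self.hlr = ss7_address, hlr
        self.visitors: Dict[str, Subscriber] = {}

    def attach(self, imsi: str) -> bool:
        """Location update: copy the HLR record and point the HLR at this VLR."""
        sub = self.hlr.by_imsi.get(imsi)
        if sub is None:
            return False  # IMSI unknown to the home network: no service
        self.visitors[imsi] = sub
        self.hlr.update_location(imsi, self.ss7_address)
        return True


def route_incoming_call(hlr: HLR, msisdn: str) -> Tuple[str, str]:
    """GMSC step for a call from the PSTN: find the VLR/MSC currently serving the called number."""
    sub = hlr.by_msisdn.get(msisdn)
    if sub is None:
        return ("reject", "unknown subscriber")
    if "voice" not in sub.services:
        return ("reject", "voice service not subscribed")
    if sub.vlr_address is None:
        return ("reject", "subscriber not attached to any VLR")
    return ("route", sub.vlr_address)
```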
The VLR is in charge of storing information from a subscribers HLR that is necessary in order to provide the