Mobile phone hacking.

GSM or Global System for Mobile Communication is a technology that’s widely used in mobile communications, especially mobile phones. This technology utilizes microwave and signal transmission divided by time, so that the signal information sent will arrive at the destination. The GSM standard for mobile communications as well as mobile technology is deployed more than its counterparts around the world, like CDMA. At this time we will discuss how to track a cell phone by using theDoppler effect, in other words we will make it easier to know the whereabouts of a person just by having information such as cell phone numbers.

GSM Network Architecture

Typical GSM network architecture is divided into 3 parts:

  1. Mobile Station (MS)
  2. Base Station Sub-system (BSS)
  3. Network Sub-system (NSS)

All elements of the network at the top form a PLMN (Public Land Mobile Network).

Picture 1. GSM network architecture

Mobile Station or MS is a device used by the customer for making phone calls. This device consists of:

  • Mobile Equipment (ME) or the handset (UM) is a GSM device that is located on the user or customer end that serves as a terminal transceiver (transmitter and receiver) to communicate with other GSM devices.
  • Subscriber Identity Module (SIM) or SIM card is a card that contains all customer information and some information about services. ME can’t be used without a SIM in it, except for emergency calls. The data stored in the SIM in general are:
  • International Mobile Subscriber Identity (IMSI)
  • Mobile Subscriber ISDN (MSISDN)
  • Encryption mechanism

Base Station System or BSS consists of:

  • Base Transceiver Station (BTS), a GSM device that is directly related to MS and serves as the sender and receiver.
  • Base Station Controller (BSC), a controller device for base stations which is located between the BTS and MSC.

Network Sub System or NSS consists of:

  • Mobile Switching Center (MSC), a central network element in a GSM network. The MSC works as the core of a cellular network, where its main role is for interconnection, both among the cellular or wired network PSTN or with the data network.
  • Home Location Register (HLR), a database that saves the data and customer information permanently.
  • Visitor Location Register (VLR), a database of the subscribers who have roamed into the jurisdiction of the Mobile Switching Center (MSC) which it serves.
  • Authentication Center (AuC) authenticates each SIM card that attempts to connect to the GSM core network (typically when the phone is powered on). This also checks the validity of the customer.
  • Equipment Identity Registration (EIR), is often integrated to the HLR. The EIR keeps a list of mobile phones (identified by their IMEI) which are to be banned from the network or monitored. This is designed to allow tracking of stolen mobile phones.

GSM Layers

There are 3 layers in the GSM network:

  • Layer 1 or the physical layer, for setting the channels.
  • Layer 2 or the data-link layer’s main role is to identify the data that is sent from UM to BTS.
  • Layer 3 consists of 3 parts: Radio Resource (RR), Mobility Management (MM) and Call Control (CC) that serve as regulators for radio, mobile management and call control.

Picture 2. Illustration of how GSM works

  1. Mobile phone is input with the destination number and connects to the nearest BTS.
  2. BSC and BTS sends to MSC and proceeds to AuC for checking the user identification.
  3. MSC proceeds to the HLR / VLR to check for the existence of the mobile phone.
  4. BSC and MSC proceed to the nearest BTS where the destination mobile located.

How Doppler Works

Doppler is a change in the frequency or wavelength of a wave source that is received by the observer. This is the Doppler effect formula which is not affected by wind:


 is frequency of the receiver.

 is a transmitter frequency.

 is the speed of the wave.

 is the speed of the wave source relative to the medium; positive if the source approaches the observer, negative if the source is moving away from the observer.

 is the observer’s speed relative to the medium; positive if the observer is moving away from the source of sound or wave, negative if the observer is approaching the source of wave/sound.

Doppler effect formula which is influenced by the wind:


 is the observer (receiver) frequency.

 is the source frequency.

 is the speed of wave/sound.

 is the speed of the wave/sound relative to the medium; its value is positive if the observer is approaching the source of the wave/sound and negative if the observer is moving away from the source of the wave/sound.

 is the speed of the observer (receiver) relative to the medium; positive if the source of the wave/sound is moving away from the observer, and negative if the source of the wave/sound is approaching the observer (receiver).

 is wind speed; positive if the wind direction is from the source to the observer, and negative if the wind direction is from the observer to the source of the wave/sound.

 is a constant 340 m/s. If the observer or the source wave/sound did not move, the constant value is 0 m/s.

This is the illustration of Doppler effect:

Picture 3. Doppler effect illustration

From the above picture, there are 3 persons: A, B and C. A is the person in the middle who could detect the source of the wave/sound from B or C. Because the wave/sound that came from B or C travels in a certain frequency and distance, the Aperson could distinct the source of the wave/sound.


In this article, we are proposing a GSM radar using the Doppler effect, where the Doppler effect itself will be used to listen for the mobile phone uplink. There are some literature and references that mention about the Doppler effect being used to identify a signal if the Doppler effect is combined with the right filter processing according to the signal characteristic being transmitted.


1. OpenBTS Installation

This article won’t go further step by step on this OpenBTS installation until it could be used, because there are already a lot of tutorials which cover the installation process. For this research, we are using USRP N200 from Ettus Research. But as we proceed using OpenBTS with USRP N200, we realize that there is an anomaly in the signal transmitted by USRP N200. So, we are using a spectrum analyzer to figure out and find a solution for the signal anomaly. This is the setup we are using:

Picture 4. Using spectrum analyzer to figure out USRP N200 signal anomaly

Picture 5. Signal anomaly as seen on spectrum analyzerPicture 5

As you can see from the picture above, the signal generated by USRP N200 looks like a horn and the noise is quite high. The possible cause for that anomaly is USRP N200 clock is not accurate, and the solution for that is by adding a filter, so the final result will be a correct GSM modulation like this picture:

Picture 6. Correct GSM modulation after adding a filterPicture 6

2. Doppler Design

After doing some research on Doppler design, we found out that some design is not capable for a frequency of 900 MHz, but we have a workaround and modified existing Doppler design so it capable of reaching 900 MHz and even higher. This is the block diagram for modified Doppler design (courtesy of Ramsey):




Picture 7. Modified Doppler design

Picture 8. Tracking mobile phone illustration


From the above explanation, we could conclude that the Doppler effect could be used to lookup the position of a device transmitting a signal in a certain frequency. We could take this research further to detect any kind of living creature (e.g. endangered species) that in some way is transmitting a signal in a certain frequency, as long as we have the sound sample of that creature.

Click to rate this post!
[Total: 4 Average: 3.5]

Специалист в области кибер-безопасности. Работал в ведущих компаниях занимающихся защитой и аналитикой компьютерных угроз. Цель данного блога - простым языком рассказать о сложных моментах защиты IT инфраструктур и сетей.

3 comments On Mobile phone hacking.

Leave a reply:

Your email address will not be published.