
What is GSM (Global System for Mobile Communications)? In this article, we will explore the working principles of GSM networks through field research with the assistance of a PortaPack device.
The terms we will use throughout this article and their brief explanations are as follows:
GSM (Global System for Mobile Communications): The most widely used telecommunication standard worldwide that allows mobile devices to connect to cellular networks.
SDR (Software Defined Radio): Systems in which traditional hardware-based radio components (such as filters and modulators) are implemented and controlled in software, capable of receiving and transmitting over wide frequency ranges (e.g., HackRF, PortaPack).
I/Q Data (In-phase and Quadrature): The raw data format used to mathematically store the amplitude and phase information of a radio frequency signal without loss (saved as .C16 or .cfile).
BTS (Base Transceiver Station): The base station that provides direct RF (Radio Frequency) communication with mobile devices in 2G networks.
eNodeB (Evolved Node B): The more advanced base station hardware that replaces the BTS in 4G/LTE architectures and is directly connected to the IP network.
Downlink / Uplink: Downlink refers to the communication from the base station to the mobile device (download); whereas Uplink refers to the communication from the mobile device to the base station (upload).
IMSI (International Mobile Subscriber Identity): A permanent identification number, typically 15 digits long, that uniquely identifies the SIM card in the cellular network. It is completely different from the phone number used in daily life; it is the identifier the network uses in the background to recognize and authorize the device.
TMSI (Temporary Mobile Subscriber Identity): A temporary identity number assigned to the device by the network and continuously changed to enhance privacy.
Table of Contents
- Legal Disclaimer and Limitation of Liability
- Theoretical Background and Privacy
- Joining the Network and Handshake Stages
- Field Application and Operator Mapping
- References
CHAPTER 1: Legal Disclaimer and Limitation of Liability
All technical analyses, signal capturing, and decoding processes in this article were conducted exclusively for cybersecurity research and educational purposes. Operations were strictly limited to the passive interception of open, unencrypted broadcast channels (BCCH). No encrypted personal communications (voice, SMS, data) were intercepted or manipulated.
- Electronic Communications Law No. 5809: Violating communication privacy or engaging in unauthorized frequency broadcasting is a criminal offense.
- Limitation of Liability: The author assumes no responsibility for any legal, penal, or financial consequences arising from the misuse of the hardware tools and reverse-engineering methodologies detailed herein against real-world systems.
CHAPTER 2: Theoretical Background and Privacy
The working principle of GSM relies on dividing large geographical areas into cells and managing each cell by its own base station. As devices change location, uninterrupted communication is ensured through handover processes between base stations.
1. Evolution of Cellular Network Architectures
Mobile communication architectures are divided into generations (G) based on data transfer speeds and modulation techniques:
2G (GSM): The first digital network, circuit-switched, focused solely on voice and SMS. It uses GMSK modulation. It is the weakest generation in terms of security: system identities and handshake stages can be listened to passively with the least effort.
3G (UMTS): The network where data (internet) transfer began, using CDMA (Code Division Multiple Access) technology. Security and encryption algorithms were improved compared to 2G.
4G / LTE (Long Term Evolution): LTE represents the transition of cellular networks to a fully IP (Internet Protocol) based, packet-switched structure. Even voice is transmitted as data packets (VoLTE). It offers much higher speeds and advanced encryption.
4.5G / LTE Advanced: While not architecturally different from 4G, it stands out by being faster and capable of carrying more data. It is widely used in Turkiye. It can be considered a bridge in the transition from 4G to 5G.
5G (NR – New Radio): The most current architecture, offering ultra-low latency and massive device capacity (IoT) using millimeter wave (mmWave) frequencies.
2. Identity Parameters and the Integrated Structure (CGI)
In cellular networks, base stations continuously broadcast unencrypted identity information over the “Broadcast Control Channel (BCCH)” to allow nearby devices to join the network. These broadcasts include the following blocks:
- MCC (Mobile Country Code): Identifies the country (e.g., 286 for Turkiye).
- MNC (Mobile Network Code): Identifies the operator within that country (e.g., Turkcell 01, Vodafone 02).
- LAC (Location Area Code): Identifies the location area to which the cell belongs.
- Cell ID (CID): The identity of the base station cell currently providing service.
These codes do not stand alone in the field; they combine to create globally unique addresses. For example, the complete identity of a base station worldwide is called CGI (Cell Global Identity) and is formed using the following formula: CGI = MCC + MNC + LAC + Cell ID
3. Privacy Aspect and Passive Tracking Vulnerability
When cellular networks want to reach a device (when a call or SMS arrives), they send an unencrypted “Paging Request” to all devices in that area. For security reasons, the network tries to use temporarily assigned TMSI (Temporary Mobile Subscriber Identity) numbers instead of the IMSI, which is the permanent hardware identity of the device. However, during the initial registration moments or when TMSI synchronization is lost, IMSI values fly through the air as cleartext. This architecture allows a passive listener to track devices and locations in the area.
4. Working Principle of PortaPack Tools
The main screen of our PortaPack H2M device shows the following menus:
- Receive: Applications that only listen (passive) and convert specific signals from the air into meaningful data.
- Transmit: Tools that generate signals and broadcast them over the air, e.g., generating fake GPS signals, sending Morse code to radios or running a signal jammer.
- Transceiver: Modules that perform both listening and sending, simultaneously or sequentially, and therefore require bidirectional interaction.
- Recon: Quickly scans a frequency range and shows where there is activity.
- Capture: Saves the raw radio signal to the SD card without any decoding (usually in .C16 format).
- Replay: Re-broadcasts data recorded with Capture into the air.
- Remote: Used to imitate the Sub-GHz remote controls of devices such as garage doors, barriers, televisions or smart plugs via the interface.
- Looking Glass: Turns the device into a spectrum analyzer, showing signal intensity over a wide frequency band as a waterfall graph.
- Utilities: System tools such as managing files on the SD card, antenna testing, a signal generator or wiping memory.
- Games: Just for passing the time.
- Settings: Screen, interface, date/time, audio and general hardware settings.
- HackRF: Activates HackRF mode, the device's other operating mode.
CHAPTER 3: Joining the Network and Handshake Stages
The process of a mobile device joining the cellular network and initiating a call goes through the following “handshake” steps, in order:
- Listening and Synchronization: The device picks the strongest base station broadcast nearby and locks onto its frequency.
- Access Request: To join the network, the device sends an unencrypted connection request over the “Random Access Channel” (RACH).
- Channel Assignment: The base station allocates a dedicated signaling channel to the device over the “Access Grant Channel” (AGCH).
- Authentication and Encryption: On this assigned channel, the device identifies itself and the communication is encrypted.
- Traffic Channel: The encrypted call or data transfer begins.

Note: IMSI Catchers and passive reconnaissance hardware do not target the device’s encrypted traffic on TCH or SDCCH channels, but rather the unencrypted identification announcements flying through the air on BCCH and RACH channels in the 1st and 2nd stages.
The image shows a signal being captured from the air using the Capture mode of the PortaPack device. The green lines in the scan shown at 439.4257 MHz are for illustrative purposes only. Throughout this article, we will work in the 930 MHz – 960 MHz range.
CHAPTER 4: Field Application and Operator Mapping
From the PortaPack main screen, the Search mode is selected via the Receiver menu, and the 930 MHz – 960 MHz range is scanned for field discovery. This range is the active GSM communication range in Turkiye. The frequencies found by the scan are recorded (e.g., 936.1500, 945.9450, 958.5825…).
These recorded frequencies give us information such as the MNC, MCC and LAC of the network providing the connection. Each detected frequency is then recorded with the PortaPack using the Capture mode. The recording produces two files on the device's SD card: a .TXT file and a .C16 file. The TXT file holds the frequency information, while the C16 file holds the content, i.e., the raw I/Q samples.
To analyze the network, we must decode the C16 file. For this we can use online tools, or we can install a tool named gr-gsm on our computer and convert the file to 32-bit float (.cfile) format using python3. The conversion and decoding are done with the following commands in the terminal:
1- sudo podman run -it --privileged --net=host -v "$PWD":/workspace docker.io/kalilinux/kali-rolling /bin/bash
   Inside the container (the capture directory is mounted at /workspace): cd /workspace && apt update && apt install gr-gsm python3-numpy -y
2- python3 -c "import numpy as np; (np.fromfile('FILE_NAME.C16', dtype=np.int16).astype(np.float32) / 32768.0).tofile('FILE_NAME.cfile')"
3- grgsm_decode -c FILE_NAME.cfile -f 936150000 -s 2000000 -m BCCH -t 0 --print-bursts
The one-liner in step 2 reads the interleaved signed 16-bit I/Q samples and scales them into the ±1.0 float32 range that gr-gsm expects. In step 3, -f is the centre frequency of the capture in Hz (here 936.1500 MHz), -s is the sample rate, which must match the rate used when capturing, -m BCCH selects the broadcast channel decoder and -t 0 selects timeslot 0, where the BCCH is carried.

The raw Hex data obtained as a result of the above process was converted into meaningful data on the BitBench platform using the 32h 24h 16h 24h format string.
Parsed Result:
- Header (Layer Header): 49061b00
- MCC & MNC (LAI): 002861 (read as MCC 286 (Turkey), MNC 01 (Turkcell) with reverse-nibble logic)
- LAC (Location Area Code): 1003
- Cell ID: 521a2b
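As an added example (not code from the article or from gr-gsm), the following Python decodes these identity fields the standard way and assembles the CGI = MCC + MNC + LAC + Cell ID formula from Chapter 2. It assumes the 3GPP TS 44.018 System Information Type 3 layout (L2 pseudo-length, protocol discriminator, message type, 2-octet Cell Identity, 5-octet LAI with nibble-swapped MCC/MNC per TS 24.008), uses constructed frames rather than captured data, and also handles the 3-digit MNC case that the parsed result above does not need.

```python
# Added example, not from the article or from gr-gsm: decode the identity fields of a
# GSM System Information Type 3 frame (3GPP TS 44.018 layout, LAI per TS 24.008) and
# assemble CGI = MCC + MNC + LAC + Cell ID. Both frames at the bottom are constructed
# for illustration; they were not captured from the air.

RR_PROTOCOL_DISCRIMINATOR = 0x06   # Radio Resource management
SI_TYPE_3_MESSAGE_TYPE = 0x1B      # System Information Type 3


def _bcd_digits(data: bytes) -> list:
    """BCD digits in transmission order: low nibble of each octet first, then high."""
    digits = []
    for b in data:
        digits.append(b & 0x0F)
        digits.append(b >> 4)
    return digits


def decode_lai(lai: bytes) -> dict:
    """Decode a 5-octet Location Area Identification: nibble-swapped MCC/MNC + 16-bit LAC."""
    if len(lai) != 5:
        raise ValueError("LAI must be exactly 5 octets")
    d = _bcd_digits(lai[:3])
    # Digit order on the wire: MCC1 MCC2 MCC3 MNC3 MNC1 MNC2; MNC3 == 0xF marks a 2-digit MNC.
    mcc = f"{d[0]}{d[1]}{d[2]}"
    mnc = f"{d[4]}{d[5]}" + ("" if d[3] == 0xF else str(d[3]))
    return {"mcc": mcc, "mnc": mnc, "lac": int.from_bytes(lai[3:5], "big")}


def parse_si3_identity(frame: bytes) -> dict:
    """Extract Cell Identity and LAI from an SI Type 3 frame and build the CGI string."""
    if len(frame) < 10:
        raise ValueError("frame too short for SI3 header + Cell Identity + LAI")
    # Octet 0 is the L2 pseudo-length; the low nibble of octet 1 is the protocol discriminator.
    if frame[1] & 0x0F != RR_PROTOCOL_DISCRIMINATOR or frame[2] != SI_TYPE_3_MESSAGE_TYPE:
        raise ValueError("not a System Information Type 3 message")
    ids = decode_lai(frame[5:10])                  # LAI occupies octets 5..9
    ids["ci"] = int.from_bytes(frame[3:5], "big")  # Cell Identity occupies octets 3..4
    ids["cgi"] = f"{ids['mcc']}-{ids['mnc']}-{ids['lac']}-{ids['ci']}"
    return ids


# Constructed frames: 49 06 1b header, Cell Identity, LAI; remaining 13 SI3 octets zero-filled.
SAMPLE_SI3 = bytes.fromhex("49061b" "1234" "82f610" "1003") + bytes(13)         # MCC 286, MNC 01
SAMPLE_SI3_3DIGIT = bytes.fromhex("49061b" "00ff" "130014" "0005") + bytes(13)  # MCC 310, MNC 410

if __name__ == "__main__":
    print(parse_si3_identity(SAMPLE_SI3))  # {'mcc': '286', 'mnc': '01', 'lac': 4099, 'ci': 4660, 'cgi': '286-01-4099-4660'}
```

The same functions can be pointed at the 23-byte SI3 frames that grgsm_decode prints, which is the quickest way to check a BitBench reading against the standard field offsets.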
Through these steps, a radio signal was converted into a logical network topology map, and the cellular network structure was passively resolved.
References and Useful Links
- BitBench platform: https://triq.net/bitbench
- Nolto Bilişim Technical Publications: “What is GSM? Its History and Technology.” A comprehensive technical review of the basic communication protocols of cellular networks, frequency allocations, and the development of mobile communication architecture.
- Wikipedia: “Global System for Mobile Communications (GSM).” The basic architecture, signaling protocols, and telecommunication infrastructure standards of second-generation (2G) cellular networks.
- Wikipedia: “International Mobile Subscriber Identity (IMSI).” The global standardization of mobile subscriber identity numbers; the hardware-based identification and mapping methodology of the MCC, MNC, and MSIN structure in cellular networks.
