[srslte-users] Trying to pickup broadcast messages [2]

Ronning, Anthony AnthonyRonning at my.unt.edu
Wed Feb 17 20:53:06 UTC 2016

Sending again because there were problems sending the first time and it seems to be working again..


I'm an undergraduate researcher entering grad school next fall and I've picked up an interest in LTE networks and this srsLTE library. I have a USRP B200 and what I'm trying to do is pickup broadcast messages from LTE networks around me.

I've used "cell_search" to find a couple frequencies I want to test on and then used pdsch_ue and cell_measurement on those frequencies. There's a couple things I have been trying to do but the end goal is all the same.

Goal: Grab the GUTI/IMSI from broadcast messages that are being sent from the eNodeB.

Possible solutions:

    1) I'd like to view all of these messages in wireshark, but nothing shows up when I scan the localhost in wireshark. I tried using the '-s' option with pdsch_ue/cell_measurement to send UDP packets somewhere on the localhost, in an attempt for the data to go through wireshark, but nothing shows up. This might be out of the scope of srslte, but if anyone has any clue on doing so, that'd be great.

    2) Alternatively, if I could extract them from within the program itself to a file, that'd be great. I have C knowledge and was looking through the header files from ue_dl.h, but I had trouble finding anything, and not sure if that's even the right place to look.

    3)If there's a way to get the binary of the messages instead, I've seen some library's used to decode ASN.1 LTE messages so maybe I could use those.

I'm tasked with some research based on a research paper a couple months ago (http://arxiv.org/pdf/1510.07563v1.pdf) where it says on page 4:

"In order to sniff LTE broadcast channels, we utilized parts of srsLTE.  It  is  a  free  library  for  software-defined  radio mobile  terminals  and  base  stations.  Currently,  the  project  is developing a UE-side LTE baseband implementation.srsLTEuses Universal Hardware Device library to communicate with the USRP B210. Since all the passive sniffing is done in real-time, it is recommended to have a high-speed host (laptop) in order to handle the high (30.72 MHz) sampling rates with out data  loss  and  also  to  maintain  constant  sync  with  eNodeBs.In  particular,  we  used  the pdsch-ue application  to  scan a  specified  frequency  and  detect  surrounding  eNodeBs.  It can  listen  and  decode  SIB  messages  broadcast  by  eNodeB.Further, we modified pdsch-ue to decode paging messages which are identified over-the-air with a Paging-Radio Network Temporary  Identifier  (P-RNTI).  Upon  its  detection,  GUTI(s)and/or IMSI(s) can be extracted out of paging messages"

Any insight as to how to go about this, or places to look within the code, would be greatly appreciated. I have researched out to one of those researchers just in case, but no response back (which is fine and to be expected). I've been at it for a couple weeks now, also researching other software, but no luck so far. I'm assuming it's the 65534 RNTI value I should be looking for here, but don't know how I would get any data from it when I use the pdsch-ue application.

Thanks in advance,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.softwareradiosystems.com/pipermail/srslte-users/attachments/20160217/8484e22e/attachment.html>

More information about the srslte-users mailing list