there is only wrong imsi numbers

[aleen42]

• When I use the condition: p[71:][:2]=='\x08\x29' and p[62:][:2]=='\x08\x29', I have get no any imsi numbers output, and I think I have set the correct frequency.
• When I use a condition: p[71:][:2]=='\x08\x49' and p[62:][:2]=='\x08\x49', there are some numbers output on the screen, but they all do not belong to any devices I want to track. So what can I do with this catcher?

[Oros42]

Sorry, I'm not en expert in GSM and I have test it only on a french network.
But first step to investigate is to use wireshark :

sudo wireshark -k -Y '!icmp && gsmtap' -i lo

And if you can send me a wireshark capture, it would be useful to debug.

[aleen42]

So, May I ask you a question, and can I also get IMEI from the gsm package?

[Oros42]

Ooh IMEI and ISMI are not the same thing.
ISMI is used to identify the user (SIM card). It's not link to the phone https://en.wikipedia.org/wiki/International_mobile_subscriber_identity
IMEI is a number to identify the phone. And it's not link to the SIM https://en.wikipedia.org/wiki/IMEI

In my wireshark sniffing, I've never seen IMEI.

[aleen42]

According to some suggestions, IMEI may not be transmitted with GSM packages and of course we won't get this number in the sniffed package, unless the situation that service providers has asked phones for IMEI. 😢

[Oros42]

Yes.
You can found your own ISMI number to track your phone but it's not easy.
This is how I process :
1- check that your phone use GSM (2G) network
2- run gqrx (http://gqrx.dk/)
3- with your phone phone, call a second phone and find which frequency is used to upload (phone to antenna, around 876Mhz to 914Mhz)
4- if you get the frequency, add an offset of 45Mhz (ex : 880Mhz->924Mhz)
5- use this frequency with my program and «normally», you will have your ISMI in the list of ISMI found.
6- repeat step 1 to 5 in other network area and check if you have see a common number in the list

good luck

[aleen42]

Ok, I'll check your process and see whether it's okay, Thx.

[stenroot]

Hello, today published an updated program in GNU Radio release v3.7.10.1, how to you can add your IMSI-Catcher?

[Oros42]

Sorry, I don't understand this part "how to you can add your IMSI-Catcher" :-/

[SenseProg]

Hi,

We need UHF reader with radius-polarisations, up 30 db/m transmit power, up 6-10 m (minimum 5) recommend read range, frequency range -- 860Mhz-875Mhz . With four ports for ANT.

And also we need UHF reader with around (radius) polarisations antenna up 9 dbi.

Their size must be up 250x250.

Must be readed 200-300 tags in one moment.

Can you propose something?

Thank you very much for answers!

Best regards,

Bogdan Parfenyuk,

Embedded developer,

SenseSystems

From: Oros42 [mailto:notifications@github.com]
Sent: Wednesday, September 14, 2016 10:20 AM
To: Oros42/IMSI-catcher IMSI-catcher@noreply.github.com
Subject: Re: [Oros42/IMSI-catcher] there is only wrong imsi numbers (#1)

Sorry, I don't understand this part "how to you can add your IMSI-Catcher" :-/

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub #1 (comment) , or mute the thread https://github.com/notifications/unsubscribe-auth/ALABy2YI8xzv06Ys5UaGsBAqbsMA1zWRks5qp6A5gaJpZM4IX8LR . https://github.com/notifications/beacon/ALABywOj4bFYbbO9Qixzw-O6nr8jsYa2ks5qp6A5gaJpZM4IX8LR.gif

[Oros42]

Wooow WTF?
I have just made this script for fun with the USB DVB-T key RTL2832U. I didn't sell anything.

[aleen42]

:-), WTF, an ad email?

[stenroot]

Hello I'm using GNU Radio v3.7.10.1(http://gnuradio.org/news/gnu-radio-v3-7-10-1-release/) installed on the USB, how to add your IMSI-Catcher?

[Oros42]

Mmmh I haven't try to setup GNU Radio without using pybombs :-/

[Oros42]

@stenroot : I have found a new way to setup gr-gsm :

sudo add-apt-repository -y ppa:ptrkrysik/gr-gsm
sudo apt update
sudo apt install gr-gsm python-numpy python-scipy python-scapy

[Oros42]

I have made some fixes in the code.

[Oros42]

MCC and MNC are store in mcc-mnc/mcc_codes.json
mcc-mnc/update_codes.py is used to update mcc-mnc/mcc_codes.json with data from https://en.wikipedia.org/wiki/Mobile_Network_Code

[HaxorGaruda]

work perfectly bro... thanks for update your code...

[onoff0]

perfect, I can find many IMSI, but also forcing my cell phone in 2G mode I can not find my IMSI. I also tried to analyze with wireshark on the downlink frequency of my phone but nothing. you have ideas?

[aleen42]

@onoff0 This catcher will always lose some IMSIs, when it's not included in GSM headers. According to some experts, IMSIs won't be transferred between phones and base stations after the connection at the first time. Therefore, I advise you to try to force to break the connection between them, so that phones can transfer IMSIs again to reconnect.

[Oros42]

@onoff0 You should check if 2G and 3G use the same frequency.

[onoff0]

thanks for the answers. I make some tests I noticed that the phone in GSM mode when LAC changes or switching on can wait for an update. Just then an SMS to force the network to request a location update, and then take its IMSI.

[onoff0]

it would be possible to implement the catcher for TMSI, with a grouping counter of unique values? thanks !!

[Oros42]

Work in progress for TMSI since last week ;-)
Coming soon.

[onoff0]

great !!! good job ;)

[aleen42]

@onoff0 During forcing network to request a location update, IMSIs will be transferred in the GSM package?

[onoff0]

@aleen42 Yes,
personally I have only tried it with phones in GSM. with wireshark you can see in detail the network packets received from mobile phones under a specific frequency assigned by the telephone operators. The IMSIs newly assigned (change LAC, telephone turned on, location update) will be visible in wireshark via a paging request, after which the network will assign to mobile phones in the same area a TMSI that will remain so for some time.

[Oros42]

Hello everyone !
I have add the display of TMSI ! :-)
And bonus, you can filter IMSIs and follow one special IMSI by using this :

sudo python IMSI-TMSI-catcher.py -m "123 45 6789101112"

or

sudo python IMSI-TMSI-catcher.py -m 123456789101112

[onoff0]

great, I'm trying.
I do not mean a lot of programming, it would be possible to implement a function that picks up only the TMSI in a given frequency with the possibility to filter only those that repeat more. example, only displays the TMSI that is repeated in 'area for more than 3 or 4 times ++.
Congratulations for your work!

[stevevaius]

Hi, for an NGO project, we are looking a way to determine the number of mobile cells around a radius. We need to count the unique mobiles via detecting their IMSI or something unique. Your tool looks like built for it. How we can implement? Any help appreciated!

[BlackPhreaker]

Good day ... In my opinion it would be nice to add the output log !!!

[Oros42]

Hello
You can do this :

sudo -s
python IMSI-TMSI-catcher.py > log.csv&
tail -f log.csv

;-)

[BlackPhreaker]

It is possible and so I agree !!! But I was referring to the script, with the date and time ...

[Oros42]

This ?

date > log.csv
python IMSI-TMSI-catcher.py >> log.csv&
tail -f log.csv

:-D

[BlackPhreaker]

Perhaps esle Could you be able to help me here in this example ...

---

def write_log(x):
file_object = open("./gsm.log", "a+")
try:
file_object.write(x)
finally:
file_object.close()

---

Not like it is impossible to add to your script ((

[Oros42]

Add your function in my code and change «print» to «write_log» at lines 172, 174 and 185.

[BlackPhreaker]

Can add your script log many think it will come in handy in the future ... For Rania sposibo for pomasch !!!

[Oros42]

You need to indent your code.
This :

# Log Start
def write_log(x):
file_object = open("./gsm.log", "a+")
try:
file_object.write(x)
finally:
file_object.close()
# Log End

should be :

# Log Start
def write_log(x):
    file_object = open("./gsm.log", "a+")
    try:
    file_object.write(x)
    finally:
    file_object.close()
# Log End

Sorry, but I'm not sure to understand your last message :-s

[BlackPhreaker]

I mean ... Thank you for helping me ...

[Oros42]

Okay ;-)

[BlackPhreaker]

Currently tuning a script ... If you want I can send you then that ye have put him at ???

[BlackPhreaker]

Hi Oros42 !!! Thank you for your previous help ... There was such Problem I can not add on your display example (LAC) and (CID) ... Esle Could you not mogliby help ???

[Oros42]

Oooh yes, I've got a script for that. I clean it and publish it soon ;-)

[BlackPhreaker]

It has helped me very much ... Thank you'll be waiting !!!

[Oros42]

I've add find_cell_id.py and immediate_assignment_catcher.py.
Could you try it?

[BlackPhreaker]

Thank you very much ... your code works perfectly !!! I hope I have for your example will create a script with the final conclusion ...

Nb IMSI ; TMSI-1 ; TMSI-2 ; IMSI ; Country ; Brand ; Operator ; MCC ; MNC ; LAC ; CID ;

[BlackPhreaker]

And also add the output ARFCN MHz dBm and all this in one script!!!

[BlackPhreaker]

Oooh There was a lot of problems combining pre script ... It's a pity I will do next

[BlackPhreaker]

Tell me what I am doing wrong ???

https://github.com/BlackPhreaker/GSM/blob/master/IMSI_Catcher_Ver1.0.7.py

[BlackPhreaker]

The head has burst !!!

[Oros42]

Oooh yes ARFCN in MHz....
Need to write this https://en.wikipedia.org/wiki/ARFCN in python.

For your code, lac and cell are not defined in show_imsi() (lines 172 and 175).

In find_imsi() lines 198 and 199 can't works. It's need «Channel Type: BCCH (1)» (ord(p[0x36]) == 0x01) and «Message Type: System Information Type 3» (ord(p[0x3c]) == 0x1b).

This days, I don't have time to work more on my IMSI-Cather :-/

[BlackPhreaker]

Thanks for the tips !!! I will try to cope myself ...

[BlackPhreaker]

I will try to combine 3 of your script in one esle out ... Thank you for your time on me

[Oros42]

I've thinking about it but it's not simple.
The point who block me is «which ISMI/T-IMSI is affected to the timeslot».
I recommend you to run wireshark to check what append.
Good luck.

[richalonso]

got this error bro , all other .py working fine but as soon it detects traffic bum goes like this
WARNING: No route found for IPv6 destination :: (no default route?)
MCC ; MNC ; LAC ; CellId ; Country ; Brand ; Operator
Traceback (most recent call last):
File "find_cell_id.py", line 88, in
sniff(iface=options.iface, filter="port {} and not icmp and udp".format(options.port), prn=find_cell, store=0)
File "/usr/lib/python2.7/dist-packages/scapy/sendrecv.py", line 586, in sniff
r = prn(p)
File "find_cell_id.py", line 75, in find_cell
operator=mcc_codes[mcc]['MNC'][mnc][1]
KeyError: '05'

[Oros42]

Oooh yes, need a «elif» line 72.
Could you show me the content of the «Channel Type: BCCH (1), Message Type: System Information Type 3» like lines 17 to 23. Use wireshark for this.