Hacker Remix

LTESniffer: An Open-Source LTE Downlink/Uplink Eavesdropper

245 points by transpute 1 day ago | 46 comments

anilakar 1 day ago

Mobile network standards are full of acronyms. I love it.

In case you did not know, the letter Q in PHICH stands for "request".

derefr 1 day ago

If anyone is wondering what the parent poster is talking about — the abbreviation PHICH (which isn't mentioned in the referenced project, but is just an example of a weird mobile-network acronym) expands to "Physical channel HybridARQ Indicator Channel"; and then the embedded "ARQ" inside it, purportedly expands to https://en.wikipedia.org/wiki/Automatic_repeat_request .

Some might claim that the "Q" in "ARQ" is actually "query"; and that people who choose to expand the "Q" as "request" just have a dim view of the average person's vocabulary level.

Personally, though, I'd argue that, if you think about it, the "Q" is probably not "request" or "query", but rather just another appearance of the conventional opaque "Q" that appears in https://en.wikipedia.org/wiki/Q_code.

dylan604 18 hours ago

It's up there with the accepted Tx/Rx for transmit and receive.

hnuser123456 15 hours ago

At least "receive" makes more sense for Rx than "prescription"

derefr 12 hours ago

Rx actually stands for "recipe"!

Which makes sense, if you remember that there used to not be such a thing as pre-compounded drugs. Rather, a prescription was literally a recipe a doctor would write out for you to give to your friendly neighbourhood compounding pharmacist, who would follow that recipe to produce a drug for you.

Which in turn lends an interesting clarity to the traditional roles and competencies of "medical doctors" vs "pharmacists". In the 1800s, a trained doctor was someone who would be expected to come up with a — potentially de-novo! — drug formulation, on the spot, as a treatment for a patient; and a trained pharmacist is someone who would be expected to take your prescription, walk into a lab in the back of their shop, and come out having converted that — potentially never-before-encountered — drug formulation into something you could put in your mouth. If the active ingredient was something unusual, they would even be expected to synthesize it themselves! (Which explains why we used to call pharmacists "chemists". They were!)

withinboredom 12 hours ago

Interestingly, compounding pharmacists still exist. When my son was less than a year old, he needed some medicine, but there was nothing we could buy over the counter for his weight. So, the doctor literally wrote the recipe down and sent us to a compounding pharmacist across town.

twojacobtwo 16 hours ago

I always saw those as parameters for some reason. Transmit(x), Receive(x).

froh 23 hours ago

I thought you were kidding me...

here is the letter Q in PHICH:

https://github.com/srsran/srsRAN_4G/blob/master/lib/src/phy/...

as the sibling comment states, q is the reQuest

ajsnigrutin 17 hours ago

Meh, this is not rare.

In colors (design, printing,...), the "K" in CMYK stands for "blacK"

selectodude 15 hours ago

The K in CMYK stands for “Key”, which is the backing plate, usually black inked.

BenjiWiebe 9 hours ago

Notice there is no Q in PHICH even.

slwvx 1 day ago

Nice!

I see that it supports FDD only (no TDD) and is limited to 20MHz, so some limitations.

I see that it can do some amount of real-time decoding, which is interesting. In cell towers, a big part of the processing is done by fairly general-purpose processors, but still much more tightly integrated with the hardware than this software is.

rnhmjoj 12 hours ago

Only tangentially related, but has anyone ever tried to eavesdrop on DSL? Modern DSL (VDSL2 in particular) is essentially a HF signal guided on an unshielded twisted pair (with line stubs and what not), so it should easily leak out and radiate. Apparently it does so much that radio hamateurs in the UK have been complaining[1] about it a lot. I wonder if the signal can still be demodulated or it's just an annoying baseline on the spectrum.

[1]: https://rsgb.services/public/publications/vdsl/measuring_and...

wkat4242 1 day ago

Too bad the hardware for this is eyewateringly expensive :'(

tinix 1 day ago

It uses srsRAN which supports SoapySDR which is vendor agnostic.

this should work with limesdr as well.

for something cheaper, try antsdr or adalm-pluto: https://github.com/srsran/zynq_timestamping

lots of good notes here: https://www.quantulum.co.uk/blog/private-lte-with-analog-ada...

wkat4242 24 hours ago

I thought it needs 2xUSRP if you want to receive both sides? And it's a lot less useful without that.

AnarchismIsCool 14 hours ago

Pluto and USRP are almost exactly the same thing at this point, just USB2 vs USB3 so you're limited on data rates outside of the device and technically a different chip but they're an old node and binned, so they're the same in practice. You can still install an external clock into the UFL connector on the Pluto though so you can sync a few if you want or use a GPSDO for frequency accuracy. You can also install the extra Tx/Rx pair onto the UFL connectors they added recently-ish.

teruakohatu 1 day ago

Seems like if you had a PC already, you could get away with a bladeRF 2.0 micro xA5 for $670, but this can sniff downlink only.

fhsm 22 hours ago

> xA5 for $670

No longer for sale (out of stock with no plan to restock https://www.nuand.com/product/bladerf-xa5/ )

wkat4242 24 hours ago

Yeah for me that is already eye-wateringly expensive :) (Being in Spain where purchasing power is low).

RachelF 1 day ago

Yes, there is cheaper hardware like the Adalm Pluto with enough bandwidth and dynamic range, but it is not supported by the looks of things.

superkuh 1 day ago

For those interested in a more accessible LTE meta-data decoder check out https://github.com/JiaoXianjun/LTE-Cell-Scanner which can work with even cheap rtl-sdr dongles (for some things). It is a fork of an older https://github.com/Evrytania/LTE-Cell-Scanner

wkat4242 24 hours ago

Huh, how can that work? It's only got 2 MHz bandwidth. An LTE cell is much wider.

dezgeg 23 hours ago

Possibly it's decoding MIB only, which is only 1.080 MHz wide.
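The exchange above, a 2 MHz rtl-sdr capture being enough for the MIB but not for a whole cell, as an added worked example that is not from this thread or from the LTE-Cell-Scanner/LTESniffer projects. It uses the LTE physical-layer numbers from 3GPP TS 36.211/36.104 (15 kHz subcarriers, 12 subcarriers per resource block, the central 6 resource blocks carrying PSS/SSS/PBCH) and assumes a typical rtl-sdr usable capture of about 2 MS/s; the function names and the 2 MHz figure are this example's own.

```python
# Added example: why a narrow (~2 MHz) SDR capture can decode an LTE cell's MIB
# but not the cell's full downlink. Not part of the thread or the linked projects.
# Physical-layer numbers below are from 3GPP LTE (TS 36.211 / TS 36.104).

SUBCARRIER_SPACING_HZ = 15_000                      # normal cyclic prefix
SUBCARRIERS_PER_RB = 12
RB_BW_HZ = SUBCARRIER_SPACING_HZ * SUBCARRIERS_PER_RB   # 180 kHz per resource block

# LTE channel bandwidth (MHz) -> downlink resource blocks (N_RB^DL)
CHANNEL_RBS = {1.4: 6, 3: 15, 5: 25, 10: 50, 15: 75, 20: 100}

# PSS, SSS and PBCH (which carries the MIB) are always transmitted in the
# central 6 RBs (72 subcarriers), whatever bandwidth the cell is configured for.
SYNC_CHANNEL_RBS = 6


def occupied_bandwidth_hz(n_rb):
    """Bandwidth occupied by n_rb resource blocks, excluding the guard bands."""
    return n_rb * RB_BW_HZ


def central_sync_bandwidth_hz():
    """Width of the band a receiver must capture to read PSS/SSS/PBCH (the MIB)."""
    return occupied_bandwidth_hz(SYNC_CHANNEL_RBS)   # 6 * 180 kHz = 1.08 MHz


def decodable_with_capture(capture_bw_hz, channel_bw_mhz):
    """For a receiver capturing capture_bw_hz centred on the carrier, return
    (can_read_mib, can_read_full_cell) for a cell of channel_bw_mhz."""
    full_cell = occupied_bandwidth_hz(CHANNEL_RBS[channel_bw_mhz])
    return (capture_bw_hz >= central_sync_bandwidth_hz(),
            capture_bw_hz >= full_cell)


def coverage_report(capture_bw_hz):
    """Map every standard LTE bandwidth to (mib_ok, full_cell_ok) for this capture."""
    return {bw: decodable_with_capture(capture_bw_hz, bw) for bw in sorted(CHANNEL_RBS)}


if __name__ == "__main__":
    RTLSDR_CAPTURE_HZ = 2_000_000   # assumption: ~2 MS/s complex samples from an rtl-sdr
    print(f"central sync/PBCH band: {central_sync_bandwidth_hz() / 1e6:.3f} MHz")
    for bw, (mib_ok, full_ok) in coverage_report(RTLSDR_CAPTURE_HZ).items():
        occupied = occupied_bandwidth_hz(CHANNEL_RBS[bw]) / 1e6
        print(f"{bw:>4} MHz cell ({occupied:5.2f} MHz occupied): "
              f"MIB {'yes' if mib_ok else 'no'}, full cell {'yes' if full_ok else 'no'}")
```

With a 2 MHz capture the report shows the MIB readable for every cell width, but the full downlink only for a 1.4 MHz cell; a 20 MHz cell occupies 18 MHz of spectrum, which is why a wideband SDR is needed for anything beyond the MIB and the synchronisation signals.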