Back in 2007 I ran a post about probing Wi-Fi on Layer 1 with Wi-Spy (yes, it was really 6 years ago). I've used it many time since whenever I wanted to know who else and what else was online in the ISM band. All that time I wished I had a similar tool to also visualize cellular signals. Now I have one, and all it takes is a DVB-T stick for 20 Euros with cool open source Windows software.
Inspired by this talk at the recent Sigint 2013 conference I decided to have a closer look at SDR# (SDRSharp), an open source software that uses a DVB-T USB stick to visualize layer 1 data from a couple of megahertz up to 2.2 GHz. In the lower bands it can even decode AM and FM radio out of the IQ data the stick delivers but that's not what I was after of course. What I wanted to use it for is to hunt for GSM, UMTS and LTE carriers. There are a number of supported DVB-T sticks with different kinds of hardware and this page on Osmocom Hardware gives further details which hardware supports which frequency ranges and the products they are built into. As I wanted to visualize cellular channels in the 750 – 2200 MHz range I needed a stick with an Elonics E4000 front end so I got a Terratec Cinergy T Stick as shown on the left which costs around €20 online.
Installation of the Windows based software is pretty simple and also works well for my purposes in a Virtualbox VM with Ubuntu as host and Windows 7 as a guest OS. There's no need to install the drivers or any other software that comes with the stick, as a driver for accessing the Realtek chip on the device is part of the SDRSharp installation process described in more detail here. Once the driver is installed, SDRSharp can be started and after selecting a center frequency in the GSM 900 band (or the GSM 850 frequency range) one can immediately see signals like in the second picture on the left.
As you can see the channel bandwidth of the three main channels in the picture is 200 kHz, so yes, that's really GSM signals! Also interesting is the different waterflows the channels leave. I assume that the fat red channel on the left carries a broadcast channel (BCCH) and hence all timeslots are active all the time. The other channels in the picture seem to be additional carriers of this or other cells without a broadcast channel, as the signal strength varies sharply over time which could be because some timeslots are not used when I took the screenshot.
So much for observing GSM cells. In further posts I'll have a closer look at how UMTS and LTE uplink as well as downlink transmissions can be observed and how they look like in SDRSharp.
Kudos to all people who worked on the various parts of SDRSharp and the rtlsdr library, this is really cool stuff!!!
This is a GREAT post, thank you! I just purchased a similar dongle on eBay and hope to experiment as well! I have a portable USB spectrum analyzer but I think this inexpensive solution is what I was really looking for.