Mechanism
A GSM deployment is a grid of cells, each served by a base station (BTS) that broadcasts on one or more 200 kHz carriers. A carrier is identified by its Absolute Radio Frequency Channel Number (ARFCN); the ARFCN-to-frequency mapping and the 200 kHz channel spacing are defined in 3GPP TS 45.005 [ts45005], and each carrier is modulated with GMSK at 270.833 kbit/s (1625/6 kbit/s). Bands are regional: GSM-850 and PCS-1900 in the Americas, P-GSM/E-GSM-900 and DCS-1800 in most of the rest of the world. Each band has its own ARFCN range and FDD duplex offset (45 MHz on the 850 and 900 bands, 95 MHz on DCS-1800, 80 MHz on PCS-1900), and the downlink, which is what a passive survey listens to, sits that offset above the uplink [arfcn][ts45005]. An ARFCN only names a frequency together with its band: DCS-1800 and PCS-1900 both use ARFCNs 512 to 810, and P-GSM's 1 to 124 are a subset of E-GSM, so the band must be recorded alongside the channel number. Each carrier is divided by TDMA into 8 timeslots, so one 200 kHz channel carries up to 8 logical-channel streams [ts45002].
Because a downlink BCCH carrier transmits continuously (idle timeslots are filled with dummy bursts), a live cell shows on a waterfall as a steady 200 kHz picket. The reliable detector, though, is the synchronisation structure rather than the eye: every BTS sends a Frequency Correction Channel (FCCH) burst and a Synchronisation Channel (SCH) burst in timeslot 0 of the BCCH carrier, on a fixed schedule within the 51-frame control multiframe [ts45002]. The FCCH burst is 148 all-zero bits which, after GMSK modulation, come out as a pure tone at one quarter of the bit rate, (1625000/6)/4 ≈ 67.708 kHz above the carrier centre. A receiver can therefore find a GSM carrier, and measure its own oscillator error, by searching each candidate channel for that tone and noting how far it sits from where it should be [ts45002][kalibrate]. This is exactly what kalibrate (kal) does: it sweeps a band, reports every ARFCN with a live BTS, its relative power and the per-channel frequency offset, and in single-channel mode averages that offset into a ppm clock error to feed forward into the capture step [kalibrate].
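To make the detector concrete, here is an added example, written for this page rather than taken from kalibrate, that runs the FCCH search on one constructed burst of IQ samples. It assumes a capture rate of four samples per symbol (about 1.083 Msps), a search window of +/- 20 kHz around the nominal tone, and a detection threshold on the share of burst energy concentrated in a single tone; the IQ itself is synthesised in-line with a chosen clock error plus Gaussian noise, so no SDR is involved.

```python
"""Added example (not kalibrate's code): locate the GSM FCCH tone in one burst of IQ.

The FCCH burst is 148 all-zero bits; after GMSK modulation that is a pure tone one
quarter of the bit rate above the carrier centre.  Finding the tone means finding a
live BCCH carrier, and the distance between where the tone sits and where it should
sit is the receiver's own oscillator error.  Sample rate, search window and threshold
are assumptions; the IQ is constructed here, not captured.
"""
import cmath
import math
import random

BIT_RATE = 1_625_000 / 6        # 270.833 kbit/s, the GSM symbol rate
FCCH_TONE_HZ = BIT_RATE / 4     # expected tone: ~67.708 kHz above the carrier centre
FS = 4 * BIT_RATE               # assumed capture rate: 4 samples per symbol (~1.083 Msps)
BURST_BITS = 148                # bits in one burst (the 8.25-bit guard period is omitted)
SEARCH_HZ = 20_000              # assumed +/- search window around the expected tone
STEP_HZ = 100                   # coarse grid step for the search
MIN_TONE_FRACTION = 0.25        # share of burst energy one tone must hold to count as FCCH


def fcch_tone_hz() -> float:
    """Nominal FCCH tone offset from the carrier centre, in Hz."""
    return FCCH_TONE_HZ


def make_burst(clock_error_hz: float, noise_sigma: float = 0.3, seed: int = 1) -> list:
    """Constructed IQ for one FCCH burst as seen by a receiver with the given clock error:
    a unit complex exponential at FCCH_TONE_HZ + clock_error_hz plus Gaussian noise."""
    rng = random.Random(seed)
    n = BURST_BITS * int(FS / BIT_RATE)
    w = 2 * math.pi * (FCCH_TONE_HZ + clock_error_hz) / FS
    return [cmath.exp(1j * w * k) + complex(rng.gauss(0, noise_sigma), rng.gauss(0, noise_sigma))
            for k in range(n)]


def noise_only(noise_sigma: float = 0.3, seed: int = 2) -> list:
    """Constructed IQ with no carrier at all: the negative case."""
    rng = random.Random(seed)
    n = BURST_BITS * int(FS / BIT_RATE)
    return [complex(rng.gauss(0, noise_sigma), rng.gauss(0, noise_sigma)) for _ in range(n)]


def tone_fraction(iq: list, f_hz: float, total_energy: float) -> float:
    """Fraction of the burst's energy that a single tone at f_hz accounts for:
    |sum x[k] e^{-j2 pi f k / FS}|^2 / N divided by sum |x[k]|^2.  This is 1.0 for a
    clean sinusoid and about 1/N for white noise, which makes it a robust detector."""
    step = cmath.exp(-2j * math.pi * f_hz / FS)
    rot, acc = 1 + 0j, 0j
    for x in iq:
        acc += x * rot
        rot *= step
    return abs(acc) ** 2 / len(iq) / total_energy


def detect_fcch(iq: list, carrier_hz: float) -> dict:
    """Search a window around the expected FCCH tone.  Returns whether a tone was found,
    its offset from the nominal position (Hz) and the implied receiver clock error (ppm).
    This is the principle behind kal's scan, not kal's own detector."""
    total = sum(abs(x) ** 2 for x in iq)
    grid = [FCCH_TONE_HZ + d for d in range(-SEARCH_HZ, SEARCH_HZ + 1, STEP_HZ)]
    frac = [tone_fraction(iq, f, total) for f in grid]
    i = max(range(len(grid)), key=frac.__getitem__)
    if frac[i] < MIN_TONE_FRACTION:
        return {"found": False, "offset_hz": None, "ppm": None, "fraction": frac[i]}
    # Parabolic interpolation over the peak and its two neighbours refines the estimate
    # well below the grid step: the main lobe (~FS/N wide) is densely sampled at STEP_HZ.
    peak_hz = grid[i]
    if 0 < i < len(grid) - 1:
        a, b, c = frac[i - 1], frac[i], frac[i + 1]
        denom = a - 2 * b + c
        if denom != 0:
            peak_hz += STEP_HZ * 0.5 * (a - c) / denom
    offset_hz = peak_hz - FCCH_TONE_HZ
    return {"found": True, "offset_hz": offset_hz,
            "ppm": offset_hz / carrier_hz * 1e6, "fraction": frac[i]}


if __name__ == "__main__":
    carrier = 937.4e6   # GSM-900 ARFCN 12 downlink, as in the procedure's sample scan
    print(detect_fcch(make_burst(clock_error_hz=8146.0), carrier))   # found, ~8.1 kHz, ~8.7 ppm
    print(detect_fcch(noise_only(), carrier))                         # not found
```

The energy-fraction metric is what keeps the negative case honest: a tone buried in a 592-sample burst still gathers most of the burst's energy into one frequency, while pure noise spreads it across the whole window, so the threshold separates the two without any absolute power calibration.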
The survey is also the entry point of GSM identity reconnaissance. GSM authentication is one-way: the phone proves itself to the network, but the cell never proves itself to the phone, and the broadcast and synchronisation channels are unprotected, so any receiver in range can locate the carrier and read the cell's broadcast without a credential [dabrowski2014]. Once the BCCH carrier is demodulated the paging channel is readable, and during attach or location update a handset's IMSI can cross the air in the clear; Dabrowski et al. show that this cleartext identity exposure and the one-way authentication are what make passive identity collection and fake-base-station IMSI catchers practical [dabrowski2014]. This control owns the spectrum-layer half: find the live carrier and confirm it is captureable. The GMSK demodulation and the BCCH/CCCH/SDCCH decode are the work of the GSM capture (PHY/LL) controls, which run gr-gsm on the ARFCN found here [grgsm].
Procedure
Authorised testing only. Every step below is receive-only — you read what the network already broadcasts. Do not transmit on licensed cellular spectrum.
- Pick the band for your region and confirm your radio reaches it. Decide which GSM band the local operators use. GSM-850 and GSM-900 are comfortably inside an RTL-SDR Blog V4's range; DCS-1800 (downlink 1805 to 1880 MHz) sits at or just above the R828D tuner's nominal ~1.77 GHz ceiling and tunes on some units but not others, and PCS-1900 (downlink 1930 to 1990 MHz) is out of reach, so prefer a HackRF / bladeRF / USRP for the 1800/1900 bands [ts45005][arfcn].
- Sweep the band for live carriers with kalibrate. Point kal at the chosen band (use -s EGSM instead if the operators use extended-band ARFCNs 975 to 1023) and let it search each channel for the FCCH tone; -g sets the tuner gain in dB:

    kal -s GSM900 -g 40

Expected output is one line per ARFCN that carries a live BTS, for example:

    chan: 12 (937.4MHz - 8.146kHz)    power: 124847.16
    chan: 50 (945.0MHz + 1.215kHz)    power: 98213.44

Each chan: line is a captureable carrier. The figure in parentheses is the nominal downlink centre and how far from it the FCCH tone was actually found, i.e. the receiver's clock error on that channel in Hz; power is an uncalibrated relative figure, good only for ranking [kalibrate]. Record the ARFCNs and pick the strongest as your capture target.
- Measure the radio's clock offset (ppm) against the strongest carrier. Re-run kal in single-channel mode on a strong ARFCN so it averages the FCCH tone across many bursts into a stable ppm figure:

    kal -c 12 -g 40

Expected tail of the output is the averaged offset with its min/max, range and standard deviation, followed by an average absolute error in ppm that you carry forward to the capture tools, for example:

    overruns: 0
    not found: 0
    average absolute error: 1.243 ppm

A small, stable ppm with zero overruns and zero not found means a clean lock. Feed this ppm to gr-gsm (grgsm_livemon -p) so its tuning lands on the carrier centre; kal reports the error as a magnitude, so confirm the sign of the correction by checking that the carrier sits centred in the capture tool's spectrum display [kalibrate].
- Eyeball the carrier with gqrx as a sanity check before committing a capture. Launch gqrx, set the device to your SDR, tune to the ARFCN's downlink centre frequency (937.4 MHz for GSM-900 ARFCN 12) and watch the waterfall. A live downlink BCCH carrier shows as a steady, continuous ~200 kHz block, with the periodic FCCH burst visible as a brief spike about 67.7 kHz above centre; confirm the width and that it does not drift, then note its centre frequency [ts45005].
- Record the inventory. For each carrier record: band, ARFCN, downlink centre frequency, relative power and the measured ppm offset. Mark which carriers fall inside your SDR's tuning envelope (RFSAM-RES-01); those are the sniffable targets that scope the GSM capture controls, which run gr-gsm on the chosen ARFCN to demodulate and decode the downlink [grgsm].
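The following is an added example, not kalibrate's or gr-gsm's own code, that turns a kal sweep into the inventory the last step asks for: it encodes the TS 45.005 band plan to derive the uplink and downlink centres from an ARFCN, parses kal's scan lines, converts each per-channel Hz offset into a signed ppm figure, ranks carriers by power and flags those outside the receiver's tuning envelope. The scan text is constructed to match kal's print format rather than a real capture, and the 24 to 1766 MHz envelope is an assumed RTL-SDR figure; the parser also rejects a line whose printed frequency disagrees with the band plan, which is what happens when kal was run with the wrong -s band for the ARFCNs it reports.

```python
"""Added example (not kalibrate's or gr-gsm's code): a kal sweep into a carrier inventory."""
import re

# TS 45.005 band plan, per band: (first ARFCN, last ARFCN, uplink MHz at first ARFCN, duplex MHz).
# Uplink Fl(n) = Fl(first) + 0.2 * (n - first); downlink Fu(n) = Fl(n) + duplex offset.
BANDS = {
    "GSM850": [(128, 251, 824.2, 45.0)],
    "GSM900": [(1, 124, 890.2, 45.0)],                             # P-GSM 900
    "EGSM":   [(0, 124, 890.0, 45.0), (975, 1023, 880.2, 45.0)],   # E-GSM 900: P-GSM plus 880-890 MHz
    "DCS":    [(512, 885, 1710.2, 95.0)],                          # DCS-1800
    "PCS":    [(512, 810, 1850.2, 80.0)],                          # PCS-1900
}

# One line of kal's scan output, e.g. "chan: 12 (937.4MHz - 8.146kHz)\tpower: 124847.16"
KAL_LINE = re.compile(
    r"chan:\s*(\d+)\s*\(\s*([\d.]+)MHz\s*([+-])\s*([\d.]+)\s*(Hz|kHz|MHz)\s*\)\s*power:\s*([\d.]+)")
UNIT_HZ = {"Hz": 1.0, "kHz": 1e3, "MHz": 1e6}


def bands_for_arfcn(arfcn):
    """Every band whose ARFCN range contains arfcn.  512-810 is shared by DCS and PCS and
    1-124 by P-GSM and E-GSM, so the band must always be stated explicitly (kal's -s / -b)."""
    return [b for b, ranges in BANDS.items() if any(lo <= arfcn <= hi for lo, hi, _, _ in ranges)]


def arfcn_to_freq(band, arfcn):
    """(uplink MHz, downlink MHz) for an ARFCN in the given band; ValueError if out of range."""
    for lo, hi, fl_first, duplex in BANDS[band]:
        if lo <= arfcn <= hi:
            uplink = round(fl_first + 0.2 * (arfcn - lo), 1)   # 200 kHz raster: 1 decimal is exact
            return uplink, round(uplink + duplex, 1)
    raise ValueError(f"ARFCN {arfcn} is not in band {band}")


def ppm_from_offset(offset_hz, carrier_hz):
    """Clock error in parts per million: a measured Hz offset divided by the carrier frequency."""
    return offset_hz / carrier_hz * 1e6


def parse_kal_scan(text, band):
    """Parse kal -s output for one band into carrier records with signed Hz and ppm offsets.
    A line whose printed frequency disagrees with the band plan is rejected: that is the
    symptom of running kal with the wrong band for the ARFCNs it is reporting."""
    carriers = []
    for m in KAL_LINE.finditer(text):
        arfcn, printed_mhz, sign, mag, unit, power = m.groups()
        arfcn = int(arfcn)
        uplink, downlink = arfcn_to_freq(band, arfcn)
        if abs(downlink - float(printed_mhz)) > 0.05:
            raise ValueError(f"ARFCN {arfcn}: kal printed {printed_mhz} MHz, "
                             f"band {band} plan says {downlink} MHz")
        offset_hz = (1 if sign == "+" else -1) * float(mag) * UNIT_HZ[unit]
        carriers.append({
            "arfcn": arfcn, "band": band, "downlink_mhz": downlink, "uplink_mhz": uplink,
            "offset_hz": offset_hz, "ppm": ppm_from_offset(offset_hz, downlink * 1e6),
            "power": float(power),
        })
    return carriers


def carrier_inventory(text, band, rx_min_mhz, rx_max_mhz):
    """The inventory the procedure asks for: carriers ranked strongest first, each flagged
    with whether its downlink centre lies inside the receiver's tuning envelope."""
    inv = sorted(parse_kal_scan(text, band), key=lambda c: c["power"], reverse=True)
    for c in inv:
        c["in_envelope"] = rx_min_mhz <= c["downlink_mhz"] <= rx_max_mhz
    return inv


# Constructed sample scans in kal's print format (not real captures).
SAMPLE_GSM900 = (
    "\tchan: 12 (937.4MHz - 8.146kHz)\tpower: 124847.16\n"
    "\tchan: 50 (945.0MHz + 1.215kHz)\tpower: 98213.44\n"
    "\tchan: 77 (950.4MHz - 7Hz)\tpower: 41200.05\n"
)
SAMPLE_DCS = "\tchan: 600 (1822.8MHz + 352Hz)\tpower: 52310.90\n"

if __name__ == "__main__":
    # Assumed envelope: an RTL-SDR class receiver, roughly 24 to 1766 MHz.
    rows = (carrier_inventory(SAMPLE_GSM900, "GSM900", 24.0, 1766.0)
            + carrier_inventory(SAMPLE_DCS, "DCS", 24.0, 1766.0))
    for c in rows:
        print(f"{c['band']:6} ARFCN {c['arfcn']:4d}  DL {c['downlink_mhz']:7.1f} MHz  "
              f"UL {c['uplink_mhz']:7.1f} MHz  {c['offset_hz']:+9.0f} Hz  {c['ppm']:+7.3f} ppm  "
              f"power {c['power']:10.2f}  {'tunable' if c['in_envelope'] else 'OUT OF RANGE'}")
```

The signed ppm is the per-channel figure from the sweep; kal's single-channel mode prints the averaged magnitude, so whichever you pass to grgsm_livemon -p, check the sign against the tool's display before trusting the capture.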
Field case
Authorised testing only: receive-only carrier survey on your own equipment.
The kalibrate-rtl README ships a documented example of exactly this workflow, which we use here as a public reference run rather than our own live capture; reproduce the same steps on your own authorised equipment and record your own ARFCN, power and ppm before treating any number as an engagement finding.
In the README's documented GSM-850 scan, kal -s GSM850 surfaces several live ARFCNs and the strongest reading is chan: 145 (872.6MHz - 7Hz) power: 33605.48 [kalibrate]. Re-running kal -c 145 on that carrier averages the FCCH tone into a tight clock offset, average -1Hz [-8, 7] (range 14, stddev 3.948722) with overruns: 0 and not found: 0, which at 872.6 MHz is well under 0.01 ppm and a clean lock to carry forward (current kalibrate-rtl builds print the equivalent trailing line as an average absolute error: %.3f ppm figure, per src/offset.cc) [kalibrate]. Tuning gqrx to 872.6 MHz would confirm a steady 200 kHz downlink picket. Carried into the capture step, grgsm_livemon -f 872.6M on the same ARFCN (with the measured offset passed as -p) demodulates the BCCH and streams GSMTAP over UDP to localhost, where Wireshark decodes it and the Oros42 IMSI-catcher reads the same feed and prints the IMSI/TMSI identities the cell pages, still without transmitting [grgsm][imsicatcher]. The carrier survey is the prerequisite: without the ARFCN, power and offset from this step, the capture is aimed at nothing.
Remediation
This is an environmental baseline and target-selection step, not a device defect: the "weakness" it surfaces (a continuously broadcast, unauthenticated carrier whose synchronisation bursts advertise the cell) is inherent to GSM's air-interface design [ts45002][dabrowski2014]. Layered guidance for what can be hardened around it:
- Network operator: you cannot hide the BCCH carrier or its FCCH/SCH bursts, but you can limit what the post-survey capture yields. Page by TMSI rather than IMSI and minimise IMSI exposure during location update, run the strongest available ciphering (A5/3, not A5/1 and never A5/0) and monitor for anomalous carriers or unexpected ARFCNs that signal a fake cell mimicking your network [dabrowski2014]. Where possible, retire 2G or gate downgrade from 4G/5G, since legacy GSM is what makes this survey-then-capture chain reachable.
- Device integrator: select basebands that resist silent downgrade to GSM and that surface 2G/rogue-cell indicators to the user; a device that never falls back to an unauthenticated GSM carrier removes itself from the population this survey targets [dabrowski2014].
- Auditor / operator of the test: keep this step strictly receive-only; do not transmit on licensed cellular spectrum. Treat the band/ARFCN/power/ppm inventory as scoping data, confirm each target carrier is inside your receiver's tuning envelope before committing capture hardware (RFSAM-RES-01), and conduct any identity-harvesting or active follow-on (rogue cell, decryption) only on your own equipment with test SIMs, RF shielding and explicit written permission [dabrowski2014].