Contents
Description
This reference explains how to listen for local mobile networks using a cheap RTL-SDR
Requirements
- An internet connection
- A cellular base station (cell tower) within a few kilometers of your location.
- A computer running Debian-based Linux (Debian, Mint, Ubuntu)
An RTL-SDR usb dongle like this one: (search for "Dvb-t Dab Fm Rtl2832u" on AliExpress)
Steps
1. Installation
On the computer open a terminal(emulator) and run the following to install the gr-gsm packet:
sudo apt-get update sudo apt-get upgrade sudo apt-get install gr-gsm
2. Setup
Plug the RTL-SDR into your computer, and place the antenna away from any large metal objects, preferably close to a window or outside.
3. Scanning
Run the next command to scan for cell towers
sudo grgsm_scanner --band=GSM900 -v
This command takes a little while to complete (+-5 minutes)
Note that GSM-900 is used in most of the world, but in America GSM-850 and GSM-1900 is used. Because of the limitations of the cheap SDR the GSM-1900 band's frequency is too high to capture this way. For more information look at the Wikipedia page
If the scanner can find any cell towers it will list them like this:
ARFCN: 986, Freq: 926.2M, CID: 60688, LAC: 739, MCC: 204, MNC: 4, Pwr: -35 |---- Configuration: 1 CCCH, not combined |---- Cell ARFCNs: 986, 990 |---- Neighbour Cells: 996, 999, 1010, 1011, 1020, 1023
Abbreviation |
Meaning |
ARFCN |
|
Freq |
The radio frequency in Hz |
CID |
unique Cell ID, identifies a sector antenna on a cell tower (within LAC or GSM network) |
LAC |
Location Area Code spanning a group of base stations sharing a single controller |
MCC |
|
MNC |
Mobile Network Code, assigned to a telecom provider |
Pwr |
The received signal power, measured in dBmW |
CCCH |
Online search
On the internet, take a look al https://www.free-hlr.com/. Here you can find various information about a mobile phone. It depends on your mobile provider which information is visible.
Making sense of the data
If you go to https://www.mcc-mnc.com/ and search for your country, a list will be shown with your countries MNCs. Look for the entry that matches one of your scan results (in the case of the example 04) to find out what network the tower is part of. Now go to https://www.cellmapper.net/.
- In the 'Provider' field search for your country, then click the provider that matched the tower you found.
- In the 'Network' field choose 2G - GSM. You only scanned for GSM towers, so there shouldn't be any 3-5G towers in your results.
- Set 'Bands' to All Bands.
- Now, you can either look for the cell tower by and, or use the Tower Search functionality.
Manual Search: Look on the map for a tower near your location, matching the CID for the scan result you're looking for. Beware to ignore the last digit from the scan-result-CID, for this identifies the specific sector of the celltower, and usually this digit isn't shown on CellMapper's general view.
Automatic seach: Scroll down on the left hand side menu to "Tower Search", expand and type in the CID, omitting the last digit. If CellMapper can find any, it will list them as clickable links. If it doesn't, it will still say "Click a tower above in order to centre on it", but it won't actually show any.
- Once you have found the tower, click on it to see the available data, including all present sectors. Now you can look for the sector your scanner found (again, this is usually the CID's last digit).
Can't find your scan result(s) back on CellMapper?
There are multiple possible reasons why you might not be able to find a cell tower right away:
Sometimes, the Sector Id is the first digit in your CID 1
CellMapper is built on crowd-sourced data. This means the data for your area might be deprecated, or nonexistent. This might be the reason some (newer) towers aren't shown. There tends to see more activity on roads and railroads, due to people driving by while collecting cell data.
- It might be possible that your scanner made an error and displayed some incorrect information
Rogue cell towers exist, and these can be picked up by your scanner. Usually they aren't in one place for a long time, so they will not be in CellMapper's database.