Receiving FLEX Pager with the HackRF and GNU Radio 3.7

This weekend I was browsing through the RF spectrum with my HackRF and found some pretty strong FSK signals:

FLEX Pager in GQRX

They showed up frequently and on various channels. My first thought was: POCSAG pagers. It turned out that I was wrong, not POCSAG but FLEX pagers. After some more research it seems like TELUS is using FLEX pagers here on Vancouver Island (http://www.nettwerked.net/FLEX_Frequencies.txt).

I also found an example GNU Radio script from Parker Thompson (https://github.com/mothran/flex_hackrf). He is pointing out that it is a modification of the original script from Johnathan Corgan, who wrote the GNU Radio blocks for FLEX. Unfortunately it was incompatible with GNU Radio 3.7, so I had to change some pieces.

Here can you find my modified version:
https://github.com/demantz/flex_hackrf

Except for some scrambled messages it works like a charm ;) See for yourself:

running the flex.py script to receive pager messages. Somebody spilled urine ^^

As you can see, there are also lots of bit errors... I might have to work on the tuning. Also the error correction mechanism isn't implemented in the GNU Radio FLEX blocks yet.

But nevertheless, I had some fun ;) Hope someone finds this useful. Feel free to leave a comment!

Airprobe with GNU Radio 3.7

I'm very excited right now.. I ordered a HackRF and can't wait for it to be delivered to me now.

Since I heard of the HackRF project from Michael Ossmann (http://greatscottgadgets.com/hackrf/) I knew at some day I will buy one. I've started my way to SDR last year by buying a RTL-SDR stick and also did a little project with an USRP1, which I borrowed from my university.

So now I'm trying to set up my GNU Radio environment again and prepare it for the HackRF. And by doing so I've stumbled across a little problem:

Airprobe (a software to  decode GSM) wouldn't compile with the new GNU Radio version 3.7+. The problem is that GNU Radio changed the API with the 3.7 version and therefore breaking the compatibility with airprobe. Fortunately, I found out somebody has already patched airprobe to compile and run (didn't do extensive testing, since my HackRF has not arrived yet) with GNU Radio 3.7. Nevertheless, there where some difficulties and therefore I wrote this post the next day. I hope I remembered every step I did. Please write me a comment if you find mistakes or if you have problems in following the steps...

Installing GNU Radio 3.7

GNU Radio 3.7 comes with PyBombs (which is awesome). That means we don't need the build-gnuradio script anymore (you can still use it though). With PyBombs you do it like this:
(here is the detailed tutorial: http://gnuradio.org/redmine/projects/pybombs/wiki)

 $ cd /opt

 $ sudo mkdir pybombs target

 $ sudo chown dennis:dennis pybombs target

 $ git clone https://github.com/pybombs/pybombs.git
 $ cd pybombs
 $ ./pybombs install gnuradio
 $ /opt/target/setup_env.sh

Now it will ask you some questions (e.g. which install prefix to use; I use /opt/target) and then it will start installing all dependencies (first by looking for .deb packets; only if no packets where found it uses the sources) and finally download and compile GNU Radio 3.7.

Note that I don't have to run the installation as root, since the two directories '/opt/pybombs' and '/opt/target' are belonging to my user. GNU Radio will install in /opt/target and not under /usr/local.

That is also the reason for the setup_env.sh script. It sets the environment variables correctly. You will have to run this script every time you restart your machine and want to use gnu radio.

That was easy. On my system (Ubuntu 14.04) this worked without any problems (it took some hours though^^). But note that my system wasn't a 'fresh' Ubuntu, but one with all kinds of stuff already installed on it. So you might run in some errors I didn't had. Just write a commend if you stuck at this point...

By the way:

PyBombs can be used to install all kinds of stuff, just run

 /opt/pybombs$ ./app_store.py

to have a look what other modules can be installed. Some of them might not work though...

For example airprobe -.-

So we have to do that the old fashion way.

Installing libosmocore

Airprobe depends on libosmocore, so we have to install that first:

 $ cd /opt/pybombs/src
 $ git clone git://git.osmocom.org/libosmocore.git
 $ cd libosmocore/
 $ ./configure --prefix=/opt/target
 $ make
 $ make install
 $ sudo ldconfig

Installing Airprobe

When I first tried to install airprobe, I did it via the app_store. What this does is just downloading the
sources from git://svn.berlin.ccc.de/airprobe to /opt/pybombs/src/ and that's it. Unfortunately I found out, that the patch I found online, doesn't match with this version of airprobe. So if you also tried it this way, delete the airprobe directory in /opt/pybombs/src. We'll use another repository.

First we download the sources:

 $ cd /opt/pybombs/src
 $ git clone git://git.gnumonks.org/airprobe.git
 $ cd airprobe

Now we download and apply the patch from zmiana. You can find the patch on github at this link: https://github.com/scateu/airprobe-3.7-hackrf-patch. It is called zmiana.patch. A howto is also provided at the page, but you can also read on here.. Btw a big thanks to zmiana for doing all the work for us!

 /opt/pybombs/src/airprobe$ patch -p1 < zmiana.patch
 /opt/pybombs/src/airprobe$ cd gsmdecode

 /opt/pybombs/src/airprobe/gsmdecode$ ./bootstrap

 /opt/pybombs/src/airprobe/gsmdecode$ ./configure --prefix=/opt/target

 /opt/pybombs/src/airprobe/gsmdecode$ make

 /opt/pybombs/src/airprobe/gsmdecode$ cd ../gsm-receiver

 /opt/pybombs/src/airprobe/gsm-receiver$ ./bootstrap

 /opt/pybombs/src/airprobe/gsm-receiver$ ./configure --prefix=/opt/target

 /opt/pybombs/src/airprobe/gsm-receiver$ make

Now we should be able to do a quick test. Download this capture file: cfile

Also start a instance of wireshark and start listening on the loopback interface. Then we start decoding the cfile:

 $ cd src/python

 $ ./go.sh ~/Downloads/capture_941.8M_112.cfile

The result should be decoded packets flushing down the terminal and you should also be able to see them in your wireshark trace.

That's it. I didn't test anything else since I don't have my HackRF yet. However, note that on https://github.com/scateu/airprobe-3.7-hackrf-patch there is also a python program called gsm_receive_hackrf_3.7.py that hopefully enables GSM capturing with the HackRF. Somebody out there who can confirm that?

Have fun and leave a comment!