Mobile network standards are full of acronyms. I love it.
In case you did not know, the letter Q in PHICH stands for "request".
Nice!
I see that it supports FDD only (no TDD) and is limited to 20 MHz, so there are some limitations.
I see that it can do some amount of real-time decoding, which is interesting. In cell towers, a big part of the processing is done by fairly general-purpose processors, but still much more tightly integrated with the hardware than this software is.
Too bad the hardware for this is eyewateringly expensive :'(
Seems like if you had a PC already, you could get away with a bladeRF 2.0 micro xA5 for $670, but this can sniff downlink only.
> xA5 for $670
No longer for sale (out of stock with no plan to restock https://www.nuand.com/product/bladerf-xa5/ )
Yeah for me that is already eye-wateringly expensive :) (Being in Spain where purchasing power is low).
It uses srsRAN which supports SoapySDR which is vendor agnostic.
This should work with LimeSDR as well.
For something cheaper, try AntSDR or ADALM-Pluto: https://github.com/srsran/zynq_timestamping
Lots of good notes here: https://www.quantulum.co.uk/blog/private-lte-with-analog-ada...
I thought it needs 2xUSRP if you want to receive both sides? And it's a lot less useful without that.
Yes, there is cheaper hardware like the Adalm Pluto with enough bandwidth and dynamic range, but it is not supported by the looks of things.
For those interested in a more accessible LTE meta-data decoder check out https://github.com/JiaoXianjun/LTE-Cell-Scanner which can work with even cheap rtl-sdr dongles (for some things). It is a fork of an older https://github.com/Evrytania/LTE-Cell-Scanner
Huh, how can that work? It's only got 2 MHz bandwidth. An LTE cell is much wider.
Possibly it's decoding MIB only, which is only 1.080 MHz wide.
True? How are phone modems inexpensive?
I'm wondering the same thing.
Can someone outline the architectural limitations of using a smartphone modem for such network debugging/sniffing tasks?
Smartphone modems (baseband) are super optimised for battery life. They don't send any traffic that isn't meant for the device itself on to the CPU. That would only cause unnecessary load.
They could perhaps be modified to do that but the baseband firmware is usually very closed source.
There is only one example I know of: there was one particular dumbphone from the 2G era for which the baseband source code was available due to a hack. You could use several of these (one for uplink and one for downlink) with modified firmware to sniff 2G traffic. I forget which model it was exactly, but obviously the price ballooned on eBay :)
Haven't heard of this happening with later models. Baseband firmware source code is really rare.
Simple: Mass production, dedicated hardware for that single purpose (but not able to do full monitoring like this).
What does it require?
There are also some 4G dongles with known broken debug modes that can be used to extract info.
Not easy to search for... I found 3G https://github.com/P1sec/LTE_monitor_c2xx
If anyone is wondering what the parent poster is talking about: the abbreviation PHICH (which isn't mentioned in the referenced project, but is just an example of a weird mobile-network acronym) expands to "Physical channel Hybrid ARQ Indicator Channel"; and then the embedded "ARQ" inside it purportedly expands to https://en.wikipedia.org/wiki/Automatic_repeat_request .
Some might claim that the "Q" in "ARQ" is actually "query"; and that people who choose to expand the "Q" as "request" just have a dim view of the average person's vocabulary level.
Personally, though, I'd argue that, if you think about it, the "Q" is probably not "request" or "query", but rather just another appearance of the conventional opaque "Q" that appears in https://en.wikipedia.org/wiki/Q_code.
I thought you were kidding me...
Here is the letter Q in PHICH:
https://github.com/srsran/srsRAN_4G/blob/master/lib/src/phy/...
As the sibling comment states, the Q is the reQuest.