We would want to capture the 10 MHz typically assigned to a single  
carrier. Each of the USRPs (one for up- and one for downlink) would  
push 40 Mbyte/s over GBE.

More elegantly, the FPGA could decode the signals and only send active  
channels to the host at 12 kByte/s/channel (max: 64 channels in 8  
ARFCNs). However, the decoder would have to be adaptive and  
programming it onto the FPGA on the USRP is not an easy task. Any FPGA  
experts on the list who could help?


On Dec 9, 2009, at 11:58 AM, p q wrote:

> Capturing the full band of GSM1800 (wideband) needs more bandwidth
> than USRP2 can handle at baseband. It's impossible to capture all
> the band and send it up to the PC, so maybe parts of the work need to
> be done on the FPGA. USRP2's FPGA is a Spartan3 and it has enough room
> for this, I suppose. Anybody here can confirm this?
>
>
>
> ---------- Forwarded message ----------
> From: sascha <[email protected]>
> Date: Wed, Dec 9, 2009 at 2:07 PM
> Subject: Re: [A51] USRP2
> To: [email protected]
>
>
> On Wed, Dec 09, 2009 at 04:24:27AM -0500, Gregory Maxwell wrote:
> > On Wed, Dec 9, 2009 at 4:03 AM, p q <[email protected]> wrote:
> > > even USRP2 is not good for capturing GSM1800 traffic so we are stuck with
> > > GSM900 only. Is this correct?
> >
> > I have no clue why you couldn't capture up and downlink with two separate
> > RX daughter boards on USRP1.
> >
> > The USRP2 ADC does complex sampling at 100 MHz, so it can capture a 100 MHz
> > bandpass. It can't cram that much over the ethernet but someone could
> > create an FPGA image that grabs two 10 MHz windows separated by the 90 MHz offset.
> > I don't know if any of the existing daughter boards have a bandpass that wide.
>
> People at airprobe.org can give better answers to those questions than we can.
> With the proper programming of the USRP hardware you should be able to
> capture up and downlink of a conversation with ease with a single DB since
> even the cheapest handset can do it.
> The disadvantage of the attacker is that after encryption is enabled and
> before the key is found, the channel allocation and frequency hopping
> sequence is renegotiated between BTS and handset. So you end up having to
> record the whole band (and also both up and downlink), so that you can
> later extract from that the bursts at the correct time offset and frequency.
> The whole band is shared between all the networks though, but whether that
> sharing means that ARFCNs belonging to one network are adjacent is unclear (to me).
> The people at airprobe.org can give a more detailed answer to that.
> The proper solution would be to have a single USRP with 2 daughterboards
> and do the demodulation on the FPGA, but I doubt the FPGA is beefy enough
> for that.
>
> _______________________________________________
> A51 mailing list
> [email protected]
> http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51