discuss-gnuradio

Re: finding my cell phone signal in the spectrum


From: John Byrne
Subject: Re: finding my cell phone signal in the spectrum
Date: Thu, 18 Feb 2021 12:21:08 -0500
User-agent: Cyrus-JMAP/3.5.0-alpha0-141-gf094924a34-fm-20210210.001-gf094924a

Found it!

I started trying to decipher the various items in the Service Mode list (which I mentioned earlier I can get by dialing *#0011#). Previously, it clearly said "2G", PCS1900, and it showed a channel no., but at some point since I started all this, it changed so that it no longer told me which type of service it was or the channel number. But I did see "uarfcn" with the number 9713 beside it. I found out that this means Universal Absolute Radio Frequency Channel, and I found a calculator that turns it into the actual freqs: https://www.cellmapper.net/arfcn?net=UMTS&ARFCN=9713&MCC=302

The catch is that you have to know the type of cell service (2G, 3G etc). The results I got for 2G pointed me to 927Mhz, but I didn't find anything there. So then I tried turning on my mobile data and making a call, and lo and behold, the data switched to 3G instead of turning off. So it looks like my phone recently switched from 2G to 3G for calls for some reason.

Using the above calculator with the 3G option, and my uarfcn, I got 1942.6 for the downlink and 1862.6 for the uplink, and when I looked at 1862.6 in GRC, there it was! A nice bright 200Khz channel that corresponds to my phone calls and distance from the hackrf antenna.

Previously, I was looking in the 194x range, which I now realize was the downlink frequencies. I didn't realize that the uplink would be so far away from that. I still don't know exactly how to find the uplink freq for a given channel other than by using that calculator, but I'll figure it out eventually.

Thanks for all the help everyone :)

-John

On Thu, 18 Feb 2021, at 11:26 AM, John Byrne wrote:

Thanks for the input everyone, that has been very helpful.

I did some more searching and I found out that by dialing *#0011# you can get some connection info. For me, it showed an LTE connection, but as I said earlier, I suspected based on the info from the T-Mobile site that this is not being used for calls. So I tried making a call and then going back to the phone app and dialing that code again, and sure enough it showed that I was connected via 2G on PCS1900. I don't know how to interpret all the info, but there was a value that looked like a channel number, 564. I don't see this channel on kalibrate-hackrf, but I do see 561, 562, 563 and so I guessed from the info from kalibrate that 564 should be 1940.6Mhz. But I don't see my signal there on a call. When I checked the magic code again, it looks like my connection details have changed, but it now no longer says 2G or LTE and doesn't provide anything that looks like a channel number. So maybe I need to catch it at the right moment.

I'll take a look at LTE Discovery too.

Gqrx may be a good suggestion - thanks for that. But I'm having a hard time figuring it out. It appears to ignore the bandwidth option in the settings, and sets the bandwidth based only on the sample rate. I can't get it lower than 8Mhz, which I think might make it hard to spot the 2G channel, which I believe is 200Khz wide. I also can't seem to get the FFT overlap to be anything but 0% no matter what I do with the other settings.

I'll keep at it though.

Thanks again!

On Thu, 18 Feb 2021, at 10:40 AM, Andi Kita wrote:
If you have an Android download the Network Cell info lite or Lte Discovery app. It will show what you need for you to figure out where to look. 

Gqrx is good to look at the spectrum and also gr-gsm to sniff packets over 2G-3G networks. I see TMobile still has 2G <>=1990mhz and all you need is a good receiver.

There's plenty of stuff online to research for. Good luck.

On Thu, Feb 18, 2021, 8:53 AM John Byrne <jhnbyrn@fastmail.com> wrote:

Hi, have just started learning about gnuradio and sdr in general. I have a hackrf one and I've been using it to experiment. I was hoping I'd be able to locate my cell phone's signal, just out of curiosity. I'm not looking to do anything with it - just see it. But it's proving to be harder to find than I thought. Could anyone offer any tips to help me find things like this?

I hoped it would be like this video - around the 4:00 mark he starts a call and you can see a clear signal of around 5Mhz wide:

But I can't find anything similar on the gnuradio companion FFT or waterfall displays that corresponds to making a call on my phone.

Regarding which band to look at, I'm in the US and using T-Mobile. I've looked at their info here (https://www.t-mobile.com/support/coverage/t-mobile-network) to get some ideas of where to look. This is where it gets tricky for me. How do I know which service my phone is using? I usually have 4G mobile data. But my phone was bought as an "international" model and according to T-Mobile, based on the IMEI it doesn't support VoLTE. So that leaves 3G and 2G for calls. I know from experience that I don't get mobile data when I'm on a call, so based on the above web page, that only leaves 2G, which they say should be 1900Mhz. So that's where I've done most of my searching.

I wonder if the problem is that the channel is so narrow that I don't see it. In the video above, the guy gets a ~5Mhz wide signal, but my 2G call is presumably much narrower than that right?

Another thing I tried was running a program called kalibrate-hackrf that scans for base stations and shows you the frequencies. It does find lots of them in the 1900Mhz band, but I seem to get different results every time I run it. And I still couldn't find my signal.

I just want to see something that turns on/off when I start/end a call. Initially I wanted to do it out of curiosity - now I'm determined to do it because it's proving so tricky. Is it reasonable to expect to find this? Or is there some kind of frequency hopping that makes it impossible to see? Any suggestions for how to go about it? Thanks!

-John
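
Added example, not part of the original thread: the arithmetic behind the calculator for the two channel numbers mentioned above (UARFCN 9713 and the 2G channel 564), using the 3GPP channel-numbering rules for UMTS Band II general channels and GSM PCS 1900. The function names are illustrative, and the 20 MS/s capture width in the demo is an assumed receiver setting.

```python
"""Channel number -> frequency for the two cases in this thread (added example)."""

# PCS 1900 and UMTS Band II are both FDD with the uplink 80 MHz below the downlink.
DUPLEX_KHZ = 80_000


def umts_band2_from_dl_uarfcn(dl_uarfcn):
    """Return (downlink_khz, uplink_khz) for a general Band II downlink UARFCN."""
    if not 9662 <= dl_uarfcn <= 9938:
        raise ValueError("not a general Band II downlink UARFCN")
    # UARFCN = 5 * F[MHz], so F = UARFCN * 200 kHz (integer kHz avoids float error).
    dl_khz = dl_uarfcn * 200
    return dl_khz, dl_khz - DUPLEX_KHZ


def gsm_pcs1900_from_arfcn(arfcn):
    """Return (downlink_khz, uplink_khz) for a PCS 1900 ARFCN (512..810)."""
    if not 512 <= arfcn <= 810:
        raise ValueError("not a PCS 1900 ARFCN")
    # Uplink starts at 1850.2 MHz for ARFCN 512, with 200 kHz channel spacing.
    ul_khz = 1_850_200 + 200 * (arfcn - 512)
    return ul_khz + DUPLEX_KHZ, ul_khz


def visible_in_capture(center_khz, sample_rate_hz, target_khz):
    """True if target_khz falls inside the span shown when tuned to center_khz."""
    half_span_khz = sample_rate_hz / 2 / 1000
    return abs(target_khz - center_khz) <= half_span_khz


if __name__ == "__main__":
    dl, ul = umts_band2_from_dl_uarfcn(9713)
    print(f"UARFCN 9713: downlink {dl / 1000} MHz, uplink {ul / 1000} MHz")
    dl2, ul2 = gsm_pcs1900_from_arfcn(564)
    print(f"ARFCN 564:   downlink {dl2 / 1000} MHz, uplink {ul2 / 1000} MHz")
    # Tuned to the downlink with an assumed 20 MS/s capture, the phone's
    # uplink is outside the displayed span.
    print("uplink visible from downlink tuning:",
          visible_in_capture(dl, 20_000_000, ul))
```

The phone transmits on the uplink frequency, so that is the value to tune to when looking for a signal that follows the call.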