discuss-gnuradio

Re: finding my cell phone signal in the spectrum


From: John Byrne
Subject: Re: finding my cell phone signal in the spectrum
Date: Thu, 18 Feb 2021 20:49:25 -0500
User-agent: Cyrus-JMAP/3.5.0-alpha0-141-gf094924a34-fm-20210210.001-gf094924a

Thanks, that's helpful to know. It looks like the channel numbers quoted in some sources (including kalibrate) are the same as the ARFCN numbers.

I just realized I made a big mistake in my measurement earlier. I saw that the channel looked like about 200kHz, and I had read that this is what 2G uses. And since the channels seem to be spaced by that amount it made sense. But then I noticed that changing the bandwidth of my QT sinks didn't scale the signal the way I expected. It turns out I didn't realize that you need to set the "bandwidth" setting to your sample rate, and instead thought I could set it to the width I want to see within the 20MHz limit of the hardware. Having corrected that, the signal now shows as 5MHz. And wouldn't you know it, now that I know where it is, I can easily spot it using QSpectrumanalyzer, even on a full sweep from 1MHz to 6GHz. Don't know why I couldn't see it before!

On Thu, 18 Feb 2021, at 12:36 PM, Christophe Seguinot wrote:

564 is an ARFCN

see https://en.wikipedia.org/wiki/Absolute_radio-frequency_channel_number

to calculate Downlink (Mobile ->network) frequency FDL

On 18/02/2021 17:26, John Byrne wrote:

Thanks for the input everyone, that has been very helpful.

I did some more searching and I found out that by dialing *#0011# you can get some connection info. For me, it showed an LTE connection, but as I said earlier, I suspected based on the info from the T-Mobile site that this is not being used for calls. So I tried making a call and then going back to the phone app and dialing that code again, and sure enough it showed that I was connected via 2G on PCS1900. I don't know how to interpret all the info, but there was a value that looked like a channel number, 564. I don't see this channel on kalibrate-hackrf, but I do see 561, 562, 563 and so I guessed from the info from kalibrate that 564 should be 1940.6MHz. But I don't see my signal there on a call. When I checked the magic code again, it looks like my connection details have changed, but it now no longer says 2G or LTE and doesn't provide anything that looks like a channel number. So maybe I need to catch it at the right moment.

I'll take a look at LTE Discovery too.

Gqrx may be a good suggestion - thanks for that. But I'm having a hard time figuring it out. It appears to ignore the bandwidth option in the settings, and sets the bandwidth based only on the sample rate. I can't get it lower than 8MHz, which I think might make it hard to spot the 2G channel, which I believe is 200kHz wide. I also can't seem to get the FFT overlap to be anything but 0% no matter what I do with the other settings.

I'll keep at it though.

Thanks again!

On Thu, 18 Feb 2021, at 10:40 AM, Andi Kita wrote:
If you have an Android download the Network Cell info lite or Lte Discovery app. It will show what you need for you to figure out where to look. 

Gqrx is good to look at the spectrum and also gr-gsm to sniff packets over 2G-3G networks. I see TMobile still has 2G <>=1990MHz and all you need is a good receiver.

There's plenty of stuff online to research for. Good luck.

On Thu, Feb 18, 2021, 8:53 AM John Byrne <jhnbyrn@fastmail.com> wrote:

Hi, have just started learning about gnuradio and sdr in general. I have a hackrf one and I've been using it to experiment. I was hoping I'd be able to locate my cell phone's signal, just out of curiosity. I'm not looking to do anything with it - just see it. But it's proving to be harder to find than I thought. Could anyone offer any tips to help me find things like this?

I hoped it would be like this video - around the 4:00 mark he starts a call and you can see a clear signal of around 5MHz wide:

But I can't find anything similar on the gnuradio companion FFT or waterfall displays that corresponds to making a call on my phone.

Regarding which band to look at, I'm in the US and using T-Mobile. I've looked at their info here (https://www.t-mobile.com/support/coverage/t-mobile-network) to get some ideas of where to look. This is where it gets tricky for me. How do I know which service my phone is using? I usually have 4G mobile data. But my phone was bought as an "international" model and according to T-Mobile, based on the IMEI it doesn't support VoLTE. So that leaves 3G and 2G for calls. I know from experience that I don't get mobile data when I'm on a call, so based on the above web page, that only leaves 2G, which they say should be 1900MHz. So that's where I've done most of my searching.

I wonder if the problem is that the channel is so narrow that I don't see it. In the video above, the guy gets a ~5MHz wide signal, but my 2G call is presumably much narrower than that right?

Another thing I tried was running a program called kalibrate-hackrf that scans for base stations and shows you the frequencies. It does find lots of them in the 1900MHz band, but I seem to get different results every time I run it. And I still couldn't find my signal.

I just want to see something that turns on/off when I start/end a call. Initially I wanted to do it out of curiosity - now I'm determined to do it because it's proving so tricky. Is it reasonable to expect to find this? Or is there some kind of frequency hopping that makes it impossible to see? Any suggestions for how to go about it? Thanks!

-John
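
Added example, not part of the original thread: the ARFCN-to-frequency arithmetic the messages above refer to, plus a check of whether a 200 kHz GSM channel falls inside the span an SDR shows at a given centre frequency and sample rate. The band table follows the standard GSM channel plan (3GPP TS 45.005); the function names are hypothetical, and the code goes beyond the PCS1900 case in the thread by covering three other bands.

```python
# Added example: GSM ARFCN <-> carrier frequency, in integer kHz to avoid float drift.
# Uplink = the phone transmits, downlink = the base station transmits (3GPP convention).
# DCS1800 and PCS1900 reuse the same ARFCN numbers, so the band must be given.
CHANNEL_KHZ = 200

# name: (first ARFCN, last ARFCN, uplink kHz of first ARFCN, duplex spacing kHz)
BANDS = {
    "GSM850":  (128, 251,   824_200, 45_000),
    "PGSM900": (1,   124,   890_200, 45_000),
    "DCS1800": (512, 885, 1_710_200, 95_000),
    "PCS1900": (512, 810, 1_850_200, 80_000),
}

def arfcn_to_khz(arfcn, band):
    """Return (uplink_khz, downlink_khz) for an ARFCN in the named band."""
    first, last, ul_first, duplex = BANDS[band]
    if not first <= arfcn <= last:
        raise ValueError(f"ARFCN {arfcn} is not in {band} ({first}-{last})")
    uplink = ul_first + CHANNEL_KHZ * (arfcn - first)
    return uplink, uplink + duplex

def khz_to_arfcn(freq_khz, band):
    """Map an uplink or downlink carrier back to its ARFCN, or None if off-grid."""
    first, last, ul_first, duplex = BANDS[band]
    for base in (ul_first, ul_first + duplex):
        offset = freq_khz - base
        if offset % CHANNEL_KHZ == 0 and 0 <= offset // CHANNEL_KHZ <= last - first:
            return first + offset // CHANNEL_KHZ
    return None

def in_view(carrier_khz, center_khz, sample_rate_khz):
    """True if the whole 200 kHz channel lies inside a complex-sampled capture,
    whose visible span is sample_rate wide and centred on the tuned frequency."""
    half_span = sample_rate_khz // 2
    half_chan = CHANNEL_KHZ // 2
    return (center_khz - half_span <= carrier_khz - half_chan
            and carrier_khz + half_chan <= center_khz + half_span)

if __name__ == "__main__":
    ul, dl = arfcn_to_khz(564, "PCS1900")   # the channel number from the thread
    print(f"ARFCN 564 PCS1900: uplink {ul / 1000} MHz, downlink {dl / 1000} MHz")
    # Constructed tuning: centred on the downlink with a 20 MHz sample rate.
    print("downlink in view:", in_view(dl, dl, 20_000))
    print("uplink in view:  ", in_view(ul, dl, 20_000))
```

For PCS1900 the uplink and downlink carriers are 80 MHz apart, so a single 20 MHz capture centred on one of them cannot show the other.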
