tetra-listener allows decoding of speech and SDSs on unencrypted Tetra network. Thanks to miracles of wideband SDRs, a small cluster of standard PCs can decode the entire network in a big city in real time.
tetra-listener consists of GnuRadio Tetra demodulator, Osmocom TETRA patches extracting speech data and some helper scripts.
A proprietary extension to TETRA standard enables psychological control of nearby people. The publicly available version of brmlab tetra-listener does not support this feature.
tetra-rx utility from osmo-tetra is patched to dump traffic data to a file.
tetra.sh spawns one tetra-rx process for each channel we want to listen to. Then, tetra.sh spawns one tetra_rx_multi.py (using GnuRadio channelizer) or tetra.py from FCL, a fast spectrum channelizer examples (using FCL channelizer), reading data from SDR, demodulating and writing demodulated data to tetra-rx.
Then, tetra.sh periodically checks for recorded traffic files and runs ETSI reference codec on them.
Additionally, tetra-rx can generate PCAP output to a pipe. This is read by tetra-multiframe-sds and SDSs are reconstructed from it.
You can uncomment /dev/null redirect in tetra.sh and check logs for BTSs you have found:
cd ~/tetra-tmp/fifo for f in log*txt; do echo "** $f" cat $f | grep -A 14 -B 8 "BNCH SYSINFO" | while read line; do echo "$line" if [ "$line" = "--" ]; then break fi done done
What is broken
The dumper just appends all the audio data from a timeslot to one file. This mixes conversations together, but strict splicing would not be good either as there can be pauses in speech. Maybe we should lower the pause threshold from current one minute to something like 20 seconds.
Recognizing SSI/group ID could be very useful if one network is shared by multiple organizations. Currently we try to guess the SSI; proper implementation of TETRA equivalent of GSM immediate assignment may work better.
Protocol decoding beyond traffic frames needs some love. SDSs are now implemented by a decoder from ITDS and seem to work at least to some extent. Another approach are SQ5BPF's osmo-tetra patches which gave me some results that unfortunately seem to be garbage.
Uplink support would be nice.
Error correction is not implemented.
Duplicates occur when one sniffs multiple BTSs at once. Detect and remove them.
The project lives as a combination of patches that occasionally break with new commits. We really need to mainline all of them into one thing.
Script that automatically selects channels not only based on signal strength, but on amount of traffic, would be nice.