RTL-SDR Based LTE Signal Analyzer

Have you ever wanted to detect what network is installed at what tower? Interested to see how a network upgrade or overlay is progressing?  Or, maybe you are interested in getting a better idea of the relative signal strength of multiple LTE networks, with a passive receiver?  If so, this is the blog post for you.

This post will explain how to build a custom application for the Kali Linux system which will allow you to use an RTL-SDR DVB TV tuner chipset to perform spectrum analyzer functions on LTE signals.  Using the E4000 chipset, I have decoded LTE signals in the 700MHz, 800MHz, 1900MHz (PCS) and 2300MHz (AWS) frequency ranges.

For this demonstration I have used:

  • RTL-SDR Tuner based on E4000 Chipset
  • VMWare Workstation and Kali Linux 1.1.0 amd64
  • Dell Laptop with Intel i5 Processor
  • Working Knowledge of Linux and RF

(Installing Kali Linux is beyond the scope of this document, but you will need to have a working installation of Kali Linux.  Either use the instructions on making a persistent USB drive or you can install Kali Linux on VMWare.  These instructions were created using the VMWare method, but both work equally well.)

      1. Before we begin, make sure your Kali distribution is up to date by opening the command window and running the following command:
        apt-get update && apt-get upgrade

        Answer “Y” when prompted if you want to continue.

        The update process can take awhile, especially on USB persistent installations.  Please allow ample time for the system to update.

      2. Once your system is up to date, it is time to install some of the packages necessary to compile the LTE Tools.
        apt-get install build-essential linux-headers-$(uname -r) cmake libitpp-dev libboost-dev libboost-all-dev libfftw3-dev librtlsdr-dev libncurses5-dev

        Like earlier, answer “Y” when asked if you wish to continue.  The installation process may take several minutes.

      3. Download the LTE Tools source code by issuing the following command:
        git clone git://github.com/Evrytania/LTE-Cell-Scanner.git

        Allow a few minutes while the source code is retrieved.

      4. Edit the file LTE-Cell-Scanner/cmake/Modules/FindRTLSDR.cmake and add the path /usr/lib/x86_64-linux-gnu in the section FIND_LIBRARY (highlighted in red brackets in the original screenshot).

      5. Edit the file /usr/share/cmake-2.8/Modules/FindCurses.cmake and add the two following lines at the beginning of the file:
        set(CURSES_LIBRARY "/usr/lib/x86_64-linux-gnu/libncurses.so")
        set(CURSES_INCLUDE_PATH "/usr/lib/x86_64-linux-gnu/")

      6. Make a directory called build within LTE-Cell-Scanner and issue the command cmake .. within that directory:
        cd LTE-Cell-Scanner
        mkdir build
        cd build
        cmake ..

        I have found that sometimes on the first run you may get a FAILURE_MESSAGE.  If that occurs, issue the command cmake .. again and you should see a “Build files have been written” message.

      7. Issue the command to build and install LTE Tools
        make && make install

      8. Time to perform our first test scan.  In my area, Verizon 700MHz center frequency is 751MHz, so I can scan for LTE sites using the command:
        CellSearch -s 751e6

        In this example, I found a Verizon LTE cell carrier!  A much better explanation of the data on this screen can be found on the LTE CellSearch FAQ page.

        Another command you can run is the LTE-Tracker utility.  For this example I am monitoring the same Verizon LTE network:

        LTE-Tracker -f 751e6

Of course, each city and county has licenses assigned to each of the major LTE networks on different frequencies.  I’ve broken out the current assignments as of August 2015 for Linn County:

  • US Cellular 700MHz 10×10 @ 735MHz Center Frequency
  • Verizon 700MHz 10×10 @ 751MHz Center Frequency
  • Sprint 800MHz 5×5 @ 866.3MHz Center Frequency
  • Sprint 1900MHz 5×5 @ 1992.5MHz Center Frequency
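To make step 8 repeatable across the assignment list above, here is an added helper of my own (not part of LTE-Cell-Scanner or the original post) that parses those assignment lines, maps each center frequency to its 3GPP band and EARFCN, checks that the stated carrier bandwidth actually fits inside that band, and emits the matching CellSearch command.  The band table covers only the four bands the listed carriers use, and the line format it parses is an assumption taken from the list as written.

```python
# Added helper, not part of the LTE-Cell-Scanner project or the original post.
# Band edges and EARFCN offsets are downlink values from 3GPP TS 36.101 Table 5.7.3-1.
import re

# band -> (F_DL_low MHz, F_DL_high MHz, N_Offs_DL); only the bands used above
BANDS = {
    12: (729.0, 746.0, 5010),    # lower 700 MHz A/B/C blocks (US Cellular)
    13: (746.0, 756.0, 5180),    # upper 700 MHz C block (Verizon)
    25: (1930.0, 1995.0, 8040),  # extended PCS 1900 MHz (Sprint)
    26: (859.0, 894.0, 8690),    # extended cellular 800/850 MHz (Sprint)
}

# Assumed line format: "<operator> <band>MHz <bw>x<bw> @ <center>MHz Center Frequency"
LINE_RE = re.compile(r"^(?P<op>.+?)\s+\d+MHz\s+(?P<bw>\d+)[x×]\d+\s+@\s+(?P<fc>[\d.]+)MHz")

# Constructed sample input, copied from the assignment list in this post
SAMPLE = """US Cellular 700MHz 10×10 @ 735MHz Center Frequency
Verizon 700MHz 10×10 @ 751MHz Center Frequency
Sprint 800MHz 5×5 @ 866.3MHz Center Frequency
Sprint 1900MHz 5×5 @ 1992.5MHz Center Frequency"""

def earfcn_for(center_mhz):
    """Return (band, EARFCN) for a downlink center frequency, or None if no listed band contains it."""
    fc_khz = round(center_mhz * 1000)  # integer kHz: 866.3 - 859 is not exactly 7.3 in float
    for band, (low, high, n_offs) in BANDS.items():
        low_khz, high_khz = round(low * 1000), round(high * 1000)
        if low_khz <= fc_khz <= high_khz and (fc_khz - low_khz) % 100 == 0:
            return band, n_offs + (fc_khz - low_khz) // 100  # EARFCN raster is 100 kHz
    return None

def channel_fits(center_mhz, bw_mhz):
    """True when the whole carrier (center +/- bw/2) lies inside the band that contains its center."""
    hit = earfcn_for(center_mhz)
    if hit is None:
        return False
    low, high, _ = BANDS[hit[0]]
    return low <= center_mhz - bw_mhz / 2 and center_mhz + bw_mhz / 2 <= high

def scan_plan(text):
    """Parse assignment lines and return (operator, band, earfcn, cellsearch_command) tuples."""
    plan = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not carrier assignments
        fc, bw = float(m["fc"]), int(m["bw"])
        hit = earfcn_for(fc)
        if hit is None or not channel_fits(fc, bw):
            raise ValueError(f"{m['op']}: {bw} MHz carrier at {fc} MHz does not fit a listed band")
        plan.append((m["op"], hit[0], hit[1], f"CellSearch -s {fc:g}e6"))
    return plan

if __name__ == "__main__":
    for op, band, earfcn, cmd in scan_plan(SAMPLE):
        print(f"{op:12s} band {band:2d} EARFCN {earfcn}  ->  {cmd}")
```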