Part 16: 4G/5G Analysis Toolkit — Mobile & PC
Learning Objective: Use freely available mobile apps and PC-based tools to observe, simulate, and analyze real-world cellular network behavior — tying directly into the theory from Parts 1–3 and the labs from Parts 4–6.
Table of Contents
- Why Analyze Your Own Network?
- Android Apps
- What to Look For
- Hands-On Mobile Exercises
- PC-Based Tools
- Security Research Tools
Why Analyze Your Own Network?
Everything from Parts 1–3 (EPC architecture, NSA dual connectivity, SA network functions) exists in the real world on your phone right now. These apps let you see:
- Which cell tower (eNB/gNB) you're connected to
- Whether you're on 4G LTE, 5G NSA (EN-DC), or 5G SA
- Your Tracking Area Code (TAC) — the same TAC from Part 1's TAU procedure
- Signal quality metrics that determine when your phone triggers a handover
- The PLMN (MCC/MNC) identifying your carrier
Android Apps
General Cell Analysis
| App | Best For | Root Required | Cost |
|---|---|---|---|
| Network Cell Info Lite | All-in-one: cell info, signal maps, tower locations | No | Free |
| CellMapper | Crowdsourced tower maps, sector coverage visualization | No | Free |
| NetMonster | Clean UI, EN-DC (NSA) detection, neighboring cells | No | Free |
Network Cell Info Lite
Best all-rounder — shows everything from Parts 1–3 in real-time.
Key screens:
- Cell Info: Serving cell details (PCI, EARFCN, TAC, RSRP/RSRQ)
- Signal: Real-time signal strength graph
- Map: Tower locations plotted on a map with your position
- Neighbors: All nearby cells your phone can see (relevant for handover decisions)
Enable "Show NR info" in settings to see 5G NR details when connected in EN-DC (NSA) mode.
CellMapper
Best for tower mapping — crowdsourced database of cell tower locations worldwide.
How it works:
- App collects cell info from your phone (PCI, EARFCN, signal strength, GPS)
- Uploads to CellMapper database (anonymized)
- Tower locations are triangulated from many users' data
- Browse the map at cellmapper.net to see all mapped towers
CellMapper is passive — it only reads data your phone already has. It does not transmit anything to cell towers.
NetMonster
Best for EN-DC / NSA detection — clearly shows when you have dual connectivity.
What stands out:
- Explicitly labels LTE + NR when in EN-DC mode (Part 2)
- Shows both the LTE anchor (e.g., Band 2) and NR secondary (e.g., Band n41)
- Color-coded neighboring cells by technology (2G/3G/4G/5G)
- Detects and displays PLMN (MCC/MNC) — e.g., 310/260 = T-Mobile US
What to Look For
Mapping App Fields to Lab Concepts
| What you see in the app | Concept from your notes | Part |
|---|---|---|
| EARFCN (e.g., 2175) | LTE frequency/band the eNB is using | Part 1 |
| NR-ARFCN (e.g., 520110) | 5G NR frequency the gNB is using | Part 2/3 |
| PCI (Physical Cell ID, 0–503) | Uniquely identifies a cell sector within a site | Part 1 |
| TAC (Tracking Area Code) | Tracking Area — triggers TAU when you cross boundaries | Part 1 |
| RSRP (e.g., –85 dBm) | Reference Signal Received Power — signal strength from serving cell | Part 1 |
| RSRQ (e.g., –10 dB) | Reference Signal Received Quality — signal quality (accounts for interference) | Part 1 |
| MCC/MNC (e.g., 310/260) | PLMN — identifies the carrier (T-Mobile, AT&T, etc.) | Part 1 |
| NR NSA connected | EN-DC mode — your phone has dual connectivity (Part 2) | Part 2 |
| Band 71 + n41 | LTE anchor (Band 71, 600 MHz) + NR secondary (n41, 2.5 GHz) | Part 2 |
| NR SA connected | Full 5G Standalone — using 5G Core (AMF, SMF, UPF) | Part 3 |
Signal Strength Ranges
| RSRP Range | Signal Quality | What it means |
|---|---|---|
| –80 dBm or better | 🟢 Excellent | Close to tower, strong signal |
| –80 to –100 dBm | 🟡 Good | Normal indoor/outdoor coverage |
| –100 to –110 dBm | 🟠 Fair | Cell edge, may see handovers |
| –110 dBm or worse | 🔴 Poor | Far from tower, potential drops |
Understanding Connection Types
📱 Your phone screen says "5G" — but which kind?
- "LTE" → Pure 4G (Part 1 architecture)
- "LTE+" → 4G with Carrier Aggregation (multiple LTE bands)
- "5G" → Usually NSA / EN-DC (Part 2) — LTE anchor + NR secondary
- "5G UC/UW" → NSA on mmWave or mid-band (carrier branding)
- "5G SA" → True Standalone (Part 3) — rare, only a few carriers
Most phones showing "5G" are actually in NSA (EN-DC) mode — the control plane is still 4G LTE (MME), and only the user plane adds NR capacity. You can verify this in NetMonster or Network Cell Info by checking if both an LTE and NR connection are shown simultaneously.
Hands-On Mobile Exercises
Exercise 1: Identify Your Serving Cell
- Open Network Cell Info Lite or NetMonster
- Note your serving cell: PCI, EARFCN, TAC, RSRP
- Answer:
  - What band are you on? (look up EARFCN → band mapping)
  - What is your TAC? (this is your Tracking Area from Part 1)
  - What is your MCC/MNC? (this is your carrier's PLMN)
Exercise 2: Observe a Handover
- Open the signal graph in Network Cell Info Lite
- Walk or drive while watching the PCI and RSRP values
- When PCI changes → you just witnessed a handover (Part 1: eNB handover signaling). Caveat: this holds while the phone is connected with an active session; if it was idle, the same PCI change is a cell reselection chosen by the phone, not a network-ordered handover
- When TAC changes → you just triggered a TAU (Tracking Area Update) procedure
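The two exercises above can be checked offline against a log exported from the app. The following is an added example, not code from the page or from any of the apps: it assumes readings with the fields the apps display (PCI, EARFCN, TAC, RSRP), converts a DL EARFCN to band and centre frequency with the 3GPP TS 36.101 formula F_DL = F_DL_low + 0.1 × (N_DL − N_Offs-DL) for a subset of bands, classifies RSRP with the thresholds from the Signal Strength Ranges table, and flags PCI and TAC changes. The readings are constructed, not a real walk.

```python
"""Added example for Exercises 1 and 2: process a log of app readings offline.

EARFCN -> band/frequency uses the TS 36.101 downlink formula
F_DL = F_DL_low + 0.1 * (N_DL - N_Offs-DL); only a subset of bands is tabled.
The readings below are constructed, not a real walk."""
from dataclasses import dataclass

# band -> (F_DL_low in MHz, N_Offs-DL, first DL EARFCN, last DL EARFCN)
LTE_BANDS = {
    2: (1930.0, 600, 600, 1199),
    4: (2110.0, 1950, 1950, 2399),
    5: (869.0, 2400, 2400, 2649),
    12: (729.0, 5010, 5010, 5179),
    13: (746.0, 5180, 5180, 5279),
    25: (1930.0, 8040, 8040, 8689),
    41: (2496.0, 39650, 39650, 41589),
    66: (2110.0, 66436, 66436, 67335),
    71: (617.0, 68586, 68586, 68935),
}


def earfcn_to_band(earfcn: int) -> tuple:
    """Return (band, downlink centre frequency in MHz) for a DL EARFCN."""
    for band, (f_low, n_offs, first, last) in LTE_BANDS.items():
        if first <= earfcn <= last:
            return band, round(f_low + 0.1 * (earfcn - n_offs), 1)
    raise ValueError(f"EARFCN {earfcn} not in table; add its band from TS 36.101")


def rsrp_quality(rsrp_dbm: float) -> str:
    """Classify RSRP with the thresholds from the Signal Strength Ranges table."""
    if rsrp_dbm >= -80:
        return "Excellent"
    if rsrp_dbm > -100:
        return "Good"
    if rsrp_dbm > -110:
        return "Fair"
    return "Poor"


@dataclass
class Reading:
    t: int        # seconds since the walk started
    pci: int
    earfcn: int
    tac: int
    rsrp: float   # dBm


# Constructed sample: walking away from one Band 4 sector, being handed to a
# neighbour, then crossing into a new Tracking Area served by a Band 71 cell.
READINGS = [
    Reading(0, 212, 2175, 12345, -78.0),
    Reading(30, 212, 2175, 12345, -95.0),
    Reading(60, 212, 2175, 12345, -106.0),
    Reading(90, 317, 2175, 12345, -88.0),
    Reading(120, 317, 2175, 12345, -101.0),
    Reading(150, 45, 68661, 12346, -92.0),
]


def describe(reading: Reading) -> dict:
    """Exercise 1: band, frequency, TAC and signal class for one reading."""
    band, mhz = earfcn_to_band(reading.earfcn)
    return {"t": reading.t, "pci": reading.pci, "band": band, "dl_mhz": mhz,
            "tac": reading.tac, "quality": rsrp_quality(reading.rsrp)}


def detect_events(readings: list) -> list:
    """Exercise 2: flag PCI changes (handover) and TAC changes (TAU).

    A PCI change counts as a handover only while the phone is connected with
    an active session; in idle mode the same change is a cell reselection."""
    events = []
    for prev, cur in zip(readings, readings[1:]):
        if cur.tac != prev.tac:
            events.append((cur.t, "TAU", f"TAC {prev.tac} -> {cur.tac}"))
        if cur.pci != prev.pci:
            events.append((cur.t, "HANDOVER",
                           f"PCI {prev.pci} -> {cur.pci}, RSRP {cur.rsrp} dBm"))
    return events


if __name__ == "__main__":
    for r in READINGS:
        print(describe(r))
    for t, kind, detail in detect_events(READINGS):
        print(f"t={t:>4}s {kind:<8} {detail}")
```

Running it prints one line per reading (EARFCN 2175 resolves to Band 4 at 2132.5 MHz, the page's own example) followed by the events: a handover at t=90 and, at t=150, a TAU together with a handover into the Band 71 cell.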
Exercise 3: Detect EN-DC (NSA Mode)
- Open NetMonster
- If you see both LTE and NR connections listed → you are in EN-DC mode
- Note:
  - LTE band = Master node (eNB) — handles control plane
  - NR band = Secondary node (gNB) — adds data capacity
- Walk into a building or area with weak signal and watch if the NR connection drops (gNB removed, fallback to LTE-only)
Exercise 4: Map Cell Towers
- Install CellMapper and let it collect data for a day as you move around
- Visit cellmapper.net and find your area
- Filter by your carrier (MCC/MNC)
- Identify: How many towers cover your usual area? What bands do they use?
Exercise 5: Compare Carriers
- If you have access to SIM cards from two different carriers (or a dual-SIM phone):
  - Note the TAC, EARFCN, and PCI for each carrier at the same location
  - Are they on the same tower (different sectors) or different towers?
  - Which carrier has better RSRP at your location?
Security Research Tools
These tools are for defensive research and education only. Actively intercepting cellular traffic you are not authorized to capture is illegal in most jurisdictions.
SnoopSnitch (Advanced)
Purpose: Detects potential IMSI catchers, silent SMS, and network anomalies.
Requirements:
- Rooted Android phone
- Qualcomm baseband chipset (Snapdragon SoC)
- Download from opensource.srlabs.de
What it detects:
- IMSI catcher indicators: Unexpected identity requests, forced 2G downgrades, encryption changes
- Silent SMS: Invisible SMS used for location tracking (Type 0 SMS)
- SS7 anomalies: Suspicious signaling that could indicate network-level attacks (Part 11)
How it relates to the labs:
- Detects the exact attacks described in Part 11 (SS7/Signaling) and Part 12 (SIM/Identity)
- In Part 1, we noted that S1-U is not encrypted; that is the backhaul. On the air interface, SnoopSnitch can separately flag when a base station negotiates null ciphering or null integrity (EEA0 / EIA0), which a legitimate network only selects for unauthenticated emergency calls
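To make the indicators listed above concrete, here is an added example of the kind of rule set a detector applies; it is not SnoopSnitch's code and the event timeline it runs over is constructed, not a capture. The event names, fields and weights are assumptions for the example. Each rule is an indicator rather than proof, and the comments note the benign explanation a real tool has to weigh against it.

```python
"""Added example: indicator rules of an IMSI-catcher detector run over a
constructed sequence of radio events (not SnoopSnitch's code, not a capture).
Event kinds, fields and weights are assumptions made for this example."""
from dataclasses import dataclass, field


@dataclass
class RadioEvent:
    t: int                      # seconds
    kind: str                   # attach_accept | rat | security_mode | identity_request | sms
    detail: dict = field(default_factory=dict)


# Constructed timeline: normal LTE attach, then a downgrade to GSM despite good
# LTE coverage, an IMSI request, null ciphering, and a Type 0 (silent) SMS.
EVENTS = [
    RadioEvent(0, "attach_accept", {"rat": "LTE"}),
    RadioEvent(10, "security_mode", {"cipher": "EEA2", "integrity": "EIA2"}),
    RadioEvent(60, "rat", {"rat": "GSM", "lte_rsrp": -84.0}),
    RadioEvent(61, "identity_request", {"identity": "IMSI"}),
    RadioEvent(62, "security_mode", {"cipher": "A5/0"}),
    RadioEvent(70, "sms", {"type0": True}),
]

NULL_CIPHERS = {"EEA0", "A5/0", "UEA0"}  # no confidentiality on the air interface


def analyze(events: list) -> list:
    """Return (time, rule, reason) tuples for every indicator that fires."""
    findings = []
    attached = False
    current_rat = None
    for ev in events:
        if ev.kind == "attach_accept":
            attached = True
            current_rat = ev.detail.get("rat")
        elif ev.kind == "rat":
            new_rat = ev.detail["rat"]
            # Dropping from LTE to GSM while LTE is still strong is the classic
            # downgrade indicator; a benign cause is a voice call on a network
            # without VoLTE (CSFB), so a real tool correlates with call state.
            if (current_rat == "LTE" and new_rat == "GSM"
                    and ev.detail.get("lte_rsrp", -140.0) > -100.0):
                findings.append((ev.t, "forced_downgrade",
                                 f"LTE -> GSM with LTE RSRP {ev.detail['lte_rsrp']} dBm"))
            current_rat = new_rat
        elif ev.kind == "security_mode":
            cipher = ev.detail.get("cipher")
            if cipher in NULL_CIPHERS:
                findings.append((ev.t, "null_ciphering", f"cipher {cipher}"))
            if ev.detail.get("integrity") == "EIA0":
                # Only permitted for unauthenticated emergency calls
                findings.append((ev.t, "null_integrity", "EIA0 selected"))
        elif ev.kind == "identity_request":
            # After attach the network should address the phone by temporary
            # identity (GUTI/TMSI); a fresh IMSI request can be legitimate after
            # a core-side context loss, so it is weighted, not alerted alone.
            if attached and ev.detail.get("identity") == "IMSI":
                findings.append((ev.t, "imsi_request_after_attach",
                                 "Identity Request for IMSI"))
        elif ev.kind == "sms" and ev.detail.get("type0"):
            findings.append((ev.t, "silent_sms",
                             "Type 0 SMS delivered without notification"))
    return findings


def risk_score(findings: list) -> int:
    """Crude weighting (assumed values): several independent indicators close
    together matter more than any single one."""
    weights = {"forced_downgrade": 2, "null_ciphering": 3, "null_integrity": 3,
               "imsi_request_after_attach": 1, "silent_sms": 1}
    return sum(weights.get(name, 1) for _, name, _ in findings)


if __name__ == "__main__":
    found = analyze(EVENTS)
    for t, name, why in found:
        print(f"t={t:>3}s {name:<26} {why}")
    print("score:", risk_score(found))
```

The point of the score is that none of these rules is conclusive on its own; a downgrade with weak LTE coverage, or an IMSI request right after a core restart, is normal, so the two benign cases in the test produce no findings at all.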
AIMSICD (Archived)
Purpose: Open-source IMSI Catcher Detector.
- Repository: github.com/CellularPrivacy/Android-IMSI-Catcher-Detector
- Status: Archived/unmaintained — useful for learning concepts but not reliable for active detection
- What it looked for: Cell tower anomalies (unexpected CID changes, LAC inconsistencies, silent SMS activity)
PC-Based Tools
Run Your Own Core Network
These are the same tools powering your Docker labs (Parts 4–6) — install them to build a complete 4G/5G network on your laptop.
| Tool | What it does | Language | Platform |
|---|---|---|---|
| Open5GS | Full 4G EPC + 5G Core — the stack from your Docker labs | C | Linux, Mac (Docker) |
| UERANSIM | Simulates 5G gNB + UE — pairs with Open5GS for a complete 5G SA lab | C++ | Linux, Mac (Docker) |
| srsRAN 4G | Software-defined LTE eNB + EPC — works with real SDR hardware or in simulation | C++ | Linux |
| srsRAN Project | 5G NR gNB — the next-gen evolution of srsRAN | C++ | Linux |
| free5GC | Alternative 5G Core — good for comparing implementations | Go | Linux |
Recommended starting path: You already have Open5GS + UERANSIM from your Docker labs. Run Part 4 or Part 6, then capture the traffic in Wireshark — you'll see real S1AP, Diameter, GTP-C, and PFCP messages matching your Part 1–3 notes.
Traffic Capture & Analysis
| Tool | What it does | Platform |
|---|---|---|
| Wireshark | Decode GTP, Diameter, S1AP, NGAP, PFCP, SIP — the essential tool for understanding every interface | All |
| tshark | CLI Wireshark — great for scripting captures inside Docker containers | All |
Wireshark has built-in dissectors for every protocol in your notes:
| Protocol | Port | Where you see it |
|---|---|---|
| S1AP | 36412 | eNB ↔ MME (Part 1) |
| Diameter | 3868 | MME ↔ HSS, PGW-C ↔ PCRF (Part 1) |
| GTP-C | 2123 | MME ↔ SGW-C, SGW-C ↔ PGW-C (Part 1) |
| GTP-U | 2152 | eNB ↔ SGW-U, SGW-U ↔ PGW-U (Part 1) |
| PFCP | 8805 | SGW-C ↔ SGW-U, PGW-C ↔ PGW-U (CUPS, Part 1) |
| NGAP | 38412 | gNB ↔ AMF (Part 3) |
| HTTP/2 (SBI) | 7777+ | All 5G NF communication (Part 3) |
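To see what Wireshark is actually decoding on two of those ports, here is an added example (not from the page, the labs, or Wireshark itself) of a minimal dissector for GTP-U (UDP 2152, TS 29.281) and PFCP (UDP 8805, TS 29.244). The three packets it decodes are constructed byte strings built inline, not captures; the IP address and timestamp values in them are placeholders.

```python
"""Added example: minimal dissector for GTP-U (UDP 2152, TS 29.281) and PFCP
(UDP 8805, TS 29.244).  The packets below are constructed, not captured."""
import struct

GTPU_PORT, PFCP_PORT = 2152, 8805

GTPU_MSG = {1: "Echo Request", 2: "Echo Response", 26: "Error Indication", 255: "G-PDU"}
PFCP_MSG = {1: "Heartbeat Request", 2: "Heartbeat Response",
            5: "Association Setup Request", 6: "Association Setup Response",
            50: "Session Establishment Request", 51: "Session Establishment Response",
            52: "Session Modification Request", 54: "Session Deletion Request"}
PFCP_IE = {19: "Cause", 57: "F-SEID", 60: "Node ID", 96: "Recovery Time Stamp"}


def decode_gtpu(data: bytes) -> dict:
    """GTP-U header: flags, message type, length, TEID, then optional
    sequence / N-PDU / next-extension octets if any of E, S, PN is set."""
    if len(data) < 8:
        raise ValueError("GTP-U header is at least 8 bytes")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:
        raise ValueError(f"unexpected GTP version {flags >> 5}")
    hdr_len, seq = 8, None
    if flags & 0x07:                      # E, S or PN set: all three fields present
        seq = struct.unpack("!H", data[8:10])[0] if flags & 0x02 else None
        hdr_len = 12
    # 'length' counts everything after the first 8 octets, optional fields included
    return {"protocol": "GTP-U", "msg": GTPU_MSG.get(msg_type, f"type {msg_type}"),
            "teid": teid, "seq": seq, "payload": data[hdr_len:8 + length]}


def decode_pfcp_ie(ie_type: int, value: bytes):
    if ie_type == 96:                                     # NTP seconds, 32-bit
        return struct.unpack("!I", value)[0]
    if ie_type == 60 and value and value[0] & 0x0F == 0:  # Node ID type 0 = IPv4
        return ".".join(str(b) for b in value[1:5])
    return value.hex()


def decode_pfcp(data: bytes) -> dict:
    """PFCP header: flags (S = SEID present, MP = priority present), type,
    length, [SEID], 24-bit sequence, spare/priority octet, then TLV IEs."""
    if len(data) < 8:
        raise ValueError("PFCP header is at least 8 bytes")
    flags, msg_type, length = struct.unpack("!BBH", data[:4])
    if flags >> 5 != 1:
        raise ValueError(f"unexpected PFCP version {flags >> 5}")
    pos, seid = 4, None
    if flags & 0x01:
        seid = struct.unpack("!Q", data[pos:pos + 8])[0]
        pos += 8
    seq = int.from_bytes(data[pos:pos + 3], "big")
    pos += 4                                              # sequence + spare/priority
    ies, end = [], 4 + length
    while pos + 4 <= end:
        ie_type, ie_len = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + ie_len]
        ies.append({"type": ie_type, "name": PFCP_IE.get(ie_type, f"IE {ie_type}"),
                    "value": decode_pfcp_ie(ie_type, value)})
        pos += 4 + ie_len
    return {"protocol": "PFCP", "msg": PFCP_MSG.get(msg_type, f"type {msg_type}"),
            "seid": seid, "seq": seq, "ies": ies}


def decode_udp_payload(dst_port: int, data: bytes) -> dict:
    """Dispatch the way Wireshark does: by the well-known UDP port."""
    if dst_port == GTPU_PORT:
        return decode_gtpu(data)
    if dst_port == PFCP_PORT:
        return decode_pfcp(data)
    raise ValueError(f"no dissector for UDP port {dst_port}")


def _ie(ie_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", ie_type, len(value)) + value


# Constructed packets (placeholder values, not from a capture)
INNER_IP = b"\x45" + b"\x00" * 19                          # IPv4-header-shaped filler
SAMPLE_GTPU = (bytes([0x32, 0xFF]) + struct.pack("!H", 4 + len(INNER_IP))
               + struct.pack("!I", 0x00000001)              # TEID 1
               + struct.pack("!H", 1) + b"\x00\x00"          # seq 1, N-PDU, no ext hdr
               + INNER_IP)

_hb_ies = _ie(96, struct.pack("!I", 3900000000))
SAMPLE_PFCP_HEARTBEAT = (bytes([0x20, 1]) + struct.pack("!H", 4 + len(_hb_ies))
                         + (7).to_bytes(3, "big") + b"\x00" + _hb_ies)

_se_ies = _ie(60, b"\x00" + bytes([192, 0, 2, 10]))          # Node ID, IPv4 placeholder
SAMPLE_PFCP_SESSION = (bytes([0x21, 50]) + struct.pack("!H", 8 + 4 + len(_se_ies))
                       + struct.pack("!Q", 0)                 # SEID is 0 in this request
                       + (8).to_bytes(3, "big") + b"\x00" + _se_ies)

if __name__ == "__main__":
    print(decode_udp_payload(GTPU_PORT, SAMPLE_GTPU))
    print(decode_udp_payload(PFCP_PORT, SAMPLE_PFCP_HEARTBEAT))
    print(decode_udp_payload(PFCP_PORT, SAMPLE_PFCP_SESSION))
```

Two details worth comparing against a real lab capture: the GTP-U length field counts the optional sequence/N-PDU/extension octets as well as the payload, and a PFCP Session Establishment Request carries SEID 0 in its header because the CP function has not yet learned the UP function's SEID.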
SDR (Software Defined Radio) — Advanced
For scanning and decoding real over-the-air LTE/NR signals. Requires SDR hardware.
| Tool | What it does | Hardware |
|---|---|---|
| GNU Radio | Signal processing framework — visualize LTE/NR radio signals | RTL-SDR (~$25) or USRP |
| LTE-Cell-Scanner | Scan and decode LTE cell broadcasts (MIB/SIB) from the air | RTL-SDR dongle |
| gr-lte | GNU Radio LTE receiver blocks — decode downlink LTE | RTL-SDR dongle |
SDR receive-only tools (RTL-SDR) are legal in most jurisdictions. Transmitting on cellular frequencies without a license is illegal. Use srsRAN in simulation mode or with a Faraday cage for TX testing.
3GPP Specs & Resources
| Resource | What it provides |
|---|---|
| 3GPP Portal | All 3GPP specifications (TS 23.501 for 5G architecture, TS 29.244 for PFCP, etc.) |
| 3GPP Spec Finder | Browse specs by series (23.x = architecture, 29.x = protocols, 33.x = security) |
| Mermaid Live Editor | Visualize/edit the Mermaid diagrams from your notes |
| ETSI Forge | OpenAPI specs for 5G SBI — actual HTTP/2 API definitions from 3GPP |
🏆 Recommended Learning Path
1. Wireshark ← Install first, use with your Docker labs
2. Open5GS + UERANSIM ← You already have these (Parts 4–6)
3. srsRAN 4G ← When ready for real LTE radio (with SDR hardware)
4. RTL-SDR + Cell Scanner ← When ready to scan real cell towers from the air
5. 3GPP Specs ← Reference when you need the exact protocol details
Key Takeaways
| Concept | How you see it in real life |
|---|---|
| eNB / gNB | Every PCI on your phone = a cell sector on a tower |
| TAU | Walk far enough and watch TAC change in the app |
| EN-DC | NetMonster shows LTE + NR simultaneously |
| PLMN | MCC/MNC in the app = the carrier's network identity |
| Handover | PCI changes as you move = your MME/AMF coordinated a handover |
| RSRP | The number that determines if your phone stays connected or drops |
| S1AP / Diameter / GTP | Visible in Wireshark when running your Docker labs |
| PFCP | Capture on port 8805 to see CUPS control ↔ user plane signaling |
Summary
You now understand:
- ✅ Android apps for real-time cell tower analysis (Network Cell Info, CellMapper, NetMonster)
- ✅ How to map app fields to EPC/5G concepts from Parts 1–3
- ✅ How to observe real-world handovers, TAU, and EN-DC
- ✅ Signal strength interpretation (RSRP/RSRQ ranges)
- ✅ PC-based tools for building and analyzing 4G/5G networks (Open5GS, Wireshark, srsRAN)
- ✅ SDR options for over-the-air analysis
- ✅ Security research tools for IMSI catcher detection (SnoopSnitch, AIMSICD)
Previous: Part 15: Real-World Attack Matrix