Reconnoitering Local 4G/5G Base Stations Using the FALCON Tool
This article walks through using the open‑source FALCON LTE analysis tool on DragonOS with an SDR to capture and decode the PDCCH of nearby 4G (LTE) base stations. The decoded scheduling information reveals which devices are active in the cell and how much capacity each consumes, which is the starting point for user tracking, passive traffic analysis and targeted denial‑of‑service. FALCON decodes LTE only; the 5G NR control channel of co‑located 5G cells is not covered.
Introduction
The tutorial builds on earlier articles that explained how to locate a local base station’s frequency and Cell ID (CID). Those parameters are required to connect to and monitor a base station.
Toolchain
The analysis uses FALCON (Fast Analysis of LTE Control channels), developed by Robert Falkenberg (GitHub: falkenber9). It is built on the srsLTE (now srsRAN) library and runs on a standard x86 PC with an SDR such as an Ettus USRP or a LimeSDR Mini. The operating system is DragonOS, a Lubuntu‑based distribution that ships with all required tools pre‑installed.
FALCON Core Functionality
PDCCH: Air‑Traffic Control for LTE
FALCON, designed by researchers at TU Dortmund, captures the Physical Downlink Control Channel (PDCCH). PDCCH carries Downlink Control Information (DCI) that tells a device (UE) when and where in the resource grid to listen for incoming data and when it may transmit.
A UE that cannot decode its DCI does not know which resource blocks carry its data or when it is allowed to send, so it effectively loses the connection.
The DCI includes:
Downlink allocation : tells the phone which resources to read.
Uplink grant : defines how the phone may transmit on the Physical Uplink Shared Channel (PUSCH).
Power control command : adjusts transmit power to save battery and reduce interference.
Key Features of FALCON
LTE monitoring : decodes the base station’s PDCCH and displays the number of active devices, their temporary per‑cell identifiers (C‑RNTI) and their resource allocations, allowing precise load assessment.
Robust decoding : maintains accurate parsing even under poor signal conditions.
Potential Attacker Use Cases
Traffic interception : PDCCH carries scheduling metadata, not user payload (which is encrypted at the PDCP layer), so what an attacker gains is passive traffic analysis: which RNTI is scheduled when, how many resource blocks it receives and at what MCS, which is enough to single out specific flows and their timing.
User tracking : The tool reveals the C‑RNTI of every active device. C‑RNTIs are temporary and local to one cell, so tracking a person requires correlating an RNTI with a known device, for example by inducing recognisable traffic towards the target and watching which RNTI carries it; once mapped, presence in a cell and activity patterns can be followed over time.
Targeted denial‑of‑service : Knowing the cell bandwidth and the fraction of resource blocks already in use lets an attacker estimate the traffic needed to saturate a base station, causing localized outages.
Environment Preparation
DragonOS Requirements
Avoid running other GUI applications (e.g., browsers, email clients) while using FALCON.
CPU with at least four physical cores; hyper‑threading should be disabled.
Disable power‑saving features such as DVFS and set the CPU to performance mode.
Connecting the LimeSDR
Plug the LimeSDR into a USB 3.0 port, then verify that the device is detected:
lsusb
Confirm that SoapySDR recognises it through the Lime driver:
SoapySDRUtil --find="driver=lime"
Step‑by‑Step Operation
Step 1: Launch DragonOS
Open the "Amateur Radio" menu and start the pre‑installed FALCON application.
Step 2: Connect SDR and Start FALCON
After confirming the LimeSDR is recognized (repeat the lsusb and SoapySDRUtil commands), launch FALCON.
Step 3: Configure Base‑Station Parameters
Click the "Start" button in the top‑left corner.
Enter the target base‑station frequency.
Enter the Cell ID (the physical cell identity, PCI, obtained in the earlier article) of the base station.
Click "Start" again to begin capture.
Step 4: View Device Activity
After synchronization and PDCCH decoding, select the "UE Activity" tab. The interface shows a list of scheduled devices with their RNTI, total throughput, MCS index and resource blocks per subframe, together with a histogram of how often each RNTI was scheduled.
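The following Python script is an added example, not FALCON's own code, of the load assessment the "UE Activity" view supports: given decoded DCI records it classifies RNTIs by the ranges in 3GPP TS 36.321, aggregates resource blocks and MCS per RNTI, counts active devices, and computes per‑direction PRB utilisation and headroom (the quantity behind the denial‑of‑service use case above). FALCON's DCI log format is not reproduced; the `DciRecord` type, the `summarize` function and the sample records are constructed here so the script runs offline.

```python
"""Per-RNTI load assessment from decoded PDCCH scheduling (DCI) records.

Added illustration, not FALCON's code.  FALCON's DCI log format is not
reproduced; the records below are constructed so the summary runs offline.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean

# Physical resource blocks per LTE channel bandwidth (3GPP TS 36.101).
PRB_PER_BANDWIDTH_MHZ = {1.4: 6, 3: 15, 5: 25, 10: 50, 15: 75, 20: 100}

# RNTI value ranges, 3GPP TS 36.321 Table 7.1-1.
RA_RNTI_RANGE = (0x0001, 0x003C)   # random-access responses
C_RNTI_RANGE = (0x003D, 0xFFF3)    # per-UE temporary identities
M_RNTI, P_RNTI, SI_RNTI = 0xFFFD, 0xFFFE, 0xFFFF


def classify_rnti(rnti: int) -> str:
    """Name the RNTI type; only C-RNTIs correspond to individual devices."""
    if rnti == SI_RNTI:
        return "SI-RNTI"
    if rnti == P_RNTI:
        return "P-RNTI"
    if rnti == M_RNTI:
        return "M-RNTI"
    if RA_RNTI_RANGE[0] <= rnti <= RA_RNTI_RANGE[1]:
        return "RA-RNTI"
    if C_RNTI_RANGE[0] <= rnti <= C_RNTI_RANGE[1]:
        return "C-RNTI"
    return "reserved"


@dataclass(frozen=True)
class DciRecord:            # hypothetical record type, not FALCON's format
    subframe: int           # 1 ms subframe index within the capture
    rnti: int               # RNTI the DCI CRC was scrambled with
    direction: str          # "DL" = downlink allocation, "UL" = uplink grant
    n_prb: int              # PRBs allocated in that subframe
    mcs: int                # modulation and coding scheme index, 0..31


def summarize(records, bandwidth_mhz: float, n_subframes: int) -> dict:
    """Aggregate DCIs into per-RNTI stats and per-direction PRB utilisation."""
    total_prb = PRB_PER_BANDWIDTH_MHZ[bandwidth_mhz]
    capacity = total_prb * n_subframes           # PRBs available per direction
    per_rnti = defaultdict(lambda: {"dl_prb": 0, "ul_prb": 0, "mcs": []})
    used = {"DL": 0, "UL": 0}
    for r in records:
        # Reject values a real decoder could not have produced for this cell.
        if r.direction not in used or not 0 <= r.mcs <= 31 or not 1 <= r.n_prb <= total_prb:
            raise ValueError(f"implausible DCI record: {r}")
        per_rnti[r.rnti]["dl_prb" if r.direction == "DL" else "ul_prb"] += r.n_prb
        per_rnti[r.rnti]["mcs"].append(r.mcs)
        used[r.direction] += r.n_prb
    ues = {
        rnti: {"type": classify_rnti(rnti), "dl_prb": st["dl_prb"],
               "ul_prb": st["ul_prb"], "mean_mcs": mean(st["mcs"])}
        for rnti, st in per_rnti.items()
    }
    utilisation = {d: used[d] / capacity for d in used}
    return {
        "total_prb": total_prb,
        "active_ues": sum(1 for u in ues.values() if u["type"] == "C-RNTI"),
        "rnti_histogram": Counter(r.rnti for r in records),
        "per_rnti": ues,
        "utilisation": utilisation,
        # Average free PRBs per subframe: the headroom an attacker would have
        # to fill to saturate the cell in that direction.
        "free_prb_per_subframe": {d: total_prb * (1 - utilisation[d]) for d in used},
    }


# Constructed sample: a 10 MHz cell (50 PRB) observed over 4 subframes.
SAMPLE_RECORDS = [
    DciRecord(0, 0xFFFF, "DL", 8, 2),    # system information
    DciRecord(0, 0x1A2B, "DL", 20, 15),
    DciRecord(1, 0x1A2B, "DL", 25, 18),
    DciRecord(1, 0x3C4D, "UL", 10, 9),   # uplink grant
    DciRecord(2, 0x1A2B, "DL", 25, 20),
    DciRecord(2, 0x3C4D, "DL", 5, 4),
    DciRecord(3, 0x0005, "DL", 3, 0),    # random-access response
]


def sample_summary() -> dict:
    return summarize(SAMPLE_RECORDS, bandwidth_mhz=10, n_subframes=4)


if __name__ == "__main__":
    s = sample_summary()
    print(f"active UEs (C-RNTI): {s['active_ues']}")
    for rnti, u in sorted(s["per_rnti"].items(), key=lambda kv: -kv[1]["dl_prb"]):
        print(f"  RNTI 0x{rnti:04X} {u['type']:8} DL={u['dl_prb']:3} PRB "
              f"UL={u['ul_prb']:3} PRB mean MCS={u['mean_mcs']:.1f}")
    for d in ("DL", "UL"):
        print(f"{d}: {s['utilisation'][d]:.0%} used, "
              f"{s['free_prb_per_subframe'][d]:.1f} PRB/subframe free")
```

Headroom is reported in resource blocks rather than bits per second on purpose: converting PRBs and MCS into a throughput figure needs the transport block size table from 3GPP TS 36.213, which FALCON applies internally but which is not reproduced here. Note also that broadcast RNTIs (SI‑RNTI, P‑RNTI, RA‑RNTI) consume capacity without representing a user, so they are counted in utilisation but excluded from the active‑device count.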
Conclusion and Security Implications
Understanding the LTE protocol stack and base‑station scheduling is essential for defending the radio access network: an attacker with nothing more than an SDR and a tool like FALCON can count and track users, analyse their traffic patterns and launch precisely dimensioned DoS attacks.
Recommendations
Ordinary users should rely on end‑to‑end encrypted applications for sensitive data and avoid treating a public mobile network as trusted: LTE air‑interface encryption protects content, but not the scheduling metadata (who is active, when, and how much) that FALCON observes.
Security researchers are encouraged to study the 4G/5G protocol stack and base‑station behavior to develop better defenses.