LTESniffer: An Open-Source LTE Downlink/Uplink Eavesdropper

Too bad the hardware for this is eyewateringly expensive :'(

True? How are phone modems inexpensive?

I'm wondering the same thing.

Can someone outline the architectural limitations of using a smartphone modem for such network debugging/sniffing tasks?

Smartphone modems (baseband) are super optimised for battery life. They don't send any traffic that isn't meant for the device itself on to the CPU. That would only cause unnecessary load.

They could perhaps be modified to do that but the baseband firmware is usually very closed source.

There is only one example I know, there was one particular dumbphone from the 2G era for which the baseband sourcecode was available due to a hack. You could use several (one for uplink and one for downlink) of these with modified firmware to sniff 2G traffic. I forget which model it was exactly but obviously the price ballooned on eBay :)

Haven't heard of this happening with later models. Baseband sourcecode firmware is really rare.

Certainly Qualcomm modems can have their diagnostic mode enabled when you have access to /dev/diag - usually on rooted devices but occasionally on stock.

You can ask the processor to send higher layer information via diag, including the messages the base stations send. There’s also commands to lock on to a specific base station so you’re not constantly moving from cell to cell.

There’s plenty of commercial devices that use this functionality to provide network monitoring and management capabilities for mobile network operators checking out base station functionality in the field. TEMS comes to mind for that but they’re certainly not the only ones.

It’s a deep rabbit hole :-)