A passive cellular-signalling analyser that detects IMSI-catcher behaviour by reading the modem's own Qualcomm diagnostic stream.
Platform support: TP-Link M7350 v8.0 (rooted, EU firmware). Qualcomm MDM9207 baseband.
| Heuristic | Signal |
|---|---|
| IMSI Requested | Cells requesting your device's IMSI |
| 2G Downgrade (Connection Release) | Forced redirect from LTE/UMTS to 2G |
| LTE SIB 6/7 Downgrade | LTE broadcasts steering you toward 2G/3G neighbours |
| Null Cipher (EEA0) | Cells asking your phone to disable encryption |
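
The four heuristics in the table, sketched as an added example over already-decoded signalling events (this is not Norypt's own code). The `Event`, `Rat` and `Finding` types, the sample trace and the SIB priority rule are assumptions made for illustration.

```rust
// Added illustration, not Norypt's code. Types are hypothetical and assume the
// signalling messages were already decoded from the modem's diagnostic stream.
#[derive(Debug)]
enum Rat { Gsm, Umts }
#[derive(Debug)]
enum Event {
    // NAS Identity Request; identity type value (1 = IMSI, 2 = IMEI).
    IdentityRequest { id_type: u8 },
    // RRC Connection Release and the RAT it redirects to, if any.
    ConnectionRelease { redirect: Option<Rat> },
    // SIB 6 (UTRA) or SIB 7 (GERAN) neighbour with its cellReselectionPriority.
    NeighbourSib { sib: u8, priority: u8 },
    // cellReselectionPriority of the serving LTE frequency (SIB 3).
    ServingPriority(u8),
    // Security Mode Command; EEA algorithm number (0 = null cipher).
    SecurityMode { eea: u8 },
}
#[derive(Debug, PartialEq)]
enum Finding { ImsiRequested, Downgrade2g, SibDowngrade, NullCipher }

// Returns (event index, finding). Assumed SIB rule: a 2G/3G neighbour is flagged
// only when its priority exceeds the serving LTE priority seen so far.
fn analyze(events: &[Event]) -> Vec<(usize, Finding)> {
    let mut serving: Option<u8> = None;
    let mut out = Vec::new();
    for (i, ev) in events.iter().enumerate() {
        let hit = match *ev {
            Event::ServingPriority(p) => { serving = Some(p); None }
            Event::IdentityRequest { id_type: 1 } => Some(Finding::ImsiRequested),
            Event::ConnectionRelease { redirect: Some(Rat::Gsm) } => Some(Finding::Downgrade2g),
            Event::NeighbourSib { sib: 6 | 7, priority }
                if serving.map_or(false, |s| priority > s) => Some(Finding::SibDowngrade),
            Event::SecurityMode { eea: 0 } => Some(Finding::NullCipher),
            _ => None,
        };
        if let Some(f) = hit { out.push((i, f)); }
    }
    out
}
// Constructed sample trace, not a real capture.
fn sample() -> Vec<Event> {
    vec![
        Event::ServingPriority(5), Event::NeighbourSib { sib: 6, priority: 3 },
        Event::NeighbourSib { sib: 7, priority: 7 }, Event::IdentityRequest { id_type: 2 },
        Event::IdentityRequest { id_type: 1 }, Event::SecurityMode { eea: 2 },
        Event::SecurityMode { eea: 0 }, Event::ConnectionRelease { redirect: Some(Rat::Umts) },
        Event::ConnectionRelease { redirect: Some(Rat::Gsm) },
    ]
}
fn main() { for (i, f) in analyze(&sample()) { println!("event {i}: {f:?}"); } }
```
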
When a heuristic triggers, Norypt emits:
- A pulsing red banner on the dashboard at http://192.168.0.1:8080
- A 3-tone audio beep
- A desktop browser notification
- A red-tinted row in the capture sessions table
All captures (PCAP + QMDL) and analysis results stay local on the device. Nothing is uploaded.
This is a passive monitor. It does not transmit to cells, MITM, or interfere with cellular networks.
See `dist/m7350/README.md` for a step-by-step install guide for TP-Link M7350 v8.0.
Short version:
- Copy `dist/m7350/` to a folder on your PC (e.g. `C:\temp_norypt\`).
- Double-click `serve.bat`. It starts a locked-down HTTP server that only accepts connections from the M7350 itself.
- `telnet 192.168.0.1 2300` on the M7350.
- Paste the one-liner printed by `serve.bat`.
- Open http://192.168.0.1:8080.
```
bin/            Daemon and web server (Rust)
lib/            Detection engine, QMDL parsing, analyzers (Rust)
telcom-parser/  LTE RRC ASN.1 parser
rootshell/      Setuid shim
serial/         AT-serial helper
dist/m7350/     Production installer for TP-Link M7350 v8.0
LICENSE         GPL-3.0
NOTICE          Third-party attribution and GPL notice
```
```sh
# Requires Rust toolchain + cargo-zigbuild for cross-compiling to ARMv7 musl
cargo zigbuild --release --target=armv7-unknown-linux-musleabihf
```
The binary lands at `target/armv7-unknown-linux-musleabihf/release/norypt-daemon`. Copy it into `dist/m7350/` before running the installer.
GPL-3.0. See LICENSE and NOTICE.
Norypt is a passive cellular diagnostic tool. You are responsible for complying with your local laws regarding cellular monitoring and packet capture. In the EU, passive capture of signalling your own modem already processes is generally lawful, but rules vary by member state.
Heuristic detections can produce false positives (benign handovers can look like downgrades) and false negatives (sophisticated attackers can avoid all four tests). Treat warnings as signals worth investigating, not as proof of targeting.
Norypt — norypt.com