EFF Rayhunter
Electronic Frontier Foundation
Open-source IMSI Catcher / Cell-site Simulator Detection Tool
What is Rayhunter?
Rayhunter is an open-source tool developed by the Electronic Frontier Foundation (EFF) to detect potential IMSI catchers (also known as Stingrays or cell-site simulators) that may be operating nearby.
IMSI catchers are surveillance devices that masquerade as legitimate cell towers to trick phones into connecting to them. They can:
- Intercept phone calls and text messages
- Track the location of mobile devices
- Identify all phones in an area (via IMSI numbers)
- Potentially downgrade connections to weaker encryption
Important: Rayhunter is a detection tool - it helps identify potentially suspicious cell tower behavior. It cannot guarantee detection of all IMSI catchers, as sophisticated devices may be harder to detect.
Required Hardware
The ONLY Supported Device:
- Device: Orbic RC400L
- Type: Mobile Hotspot
- Chipset: Qualcomm MDM9607
- Price: ~$20 USD (eBay/Amazon)
- Carrier: Verizon (unlockable)
- Critical Feature: /dev/diag access
Hardware Requirement is STRICT: Rayhunter requires access to Qualcomm's diagnostic interface (/dev/diag), which is only available on specific devices. The Orbic RC400L is currently the only known affordable, readily available device that works.
Why This Specific Device?
| Feature | Orbic RC400L | Most Other Devices |
| --- | --- | --- |
| Qualcomm /dev/diag | ✓ Accessible | ✗ Locked/Missing |
| Root Access | ✓ Available | ✗ Usually blocked |
| ADB Debugging | ✓ Enabled | ◐ Varies |
| Cost | ~$20 | $50-500+ |
Why not SIM7600 or other modems? Consumer cellular modems (like the SIM7600G-H in ClockworkPi) don't expose Qualcomm's diagnostic interface. They only provide AT command access, which lacks the low-level baseband data needed for IMSI catcher detection.
How Rayhunter Works
Detection Methods
Rayhunter analyzes baseband diagnostic data to look for anomalies that might indicate an IMSI catcher:
| Detection Type | What It Checks |
| --- | --- |
| Encryption Downgrade | Detects if tower requests weaker or no encryption (A5/0, A5/1) |
| IMSI Requests | Flags unusual identity requests (real towers rarely need your IMSI) |
| Silent SMS | Detects "Type 0" SMS used for tracking (invisible to user) |
| Location Updates | Monitors for suspicious location area changes |
| Channel Behavior | Analyzes signaling for non-standard patterns |
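The first four checks in the table, sketched as detection logic over already-decoded signaling events. This is an added example, not Rayhunter's own code: the event dictionaries, their field names, and the location-area churn thresholds are assumptions made for illustration, and the trace is constructed.

```python
from collections import deque

WEAK_CIPHERS = {"A5/0", "A5/1"}   # downgrade targets named in the table above
TP_PID_TYPE0 = 0x40               # TP-PID value for "Short Message Type 0" (3GPP TS 23.040)
LAC_WINDOW_S = 60                 # assumption: window for counting area changes, seconds
LAC_MAX_CHANGES = 2               # assumption: more changes than this in the window is flagged

def analyze(events):
    """Return (ts, rule, detail) findings for a time-ordered list of event dicts."""
    findings = []
    last_lac = None
    lac_changes = deque()         # timestamps of recent location-area changes
    for ev in events:
        ts, kind = ev["ts"], ev["type"]
        if kind == "cipher_mode_command" and ev["cipher"] in WEAK_CIPHERS:
            findings.append((ts, "encryption_downgrade", ev["cipher"]))
        elif kind == "identity_request" and ev["id_type"] == "IMSI":
            findings.append((ts, "imsi_request", f"cell {ev['cell_id']}"))
        elif kind == "sms_deliver" and ev["tp_pid"] == TP_PID_TYPE0:
            findings.append((ts, "silent_sms", "TP-PID 0x40"))
        elif kind == "location_update":
            if last_lac is not None and ev["lac"] != last_lac:
                lac_changes.append(ts)
            last_lac = ev["lac"]
            while lac_changes and ts - lac_changes[0] > LAC_WINDOW_S:
                lac_changes.popleft()   # forget changes older than the window
            if len(lac_changes) > LAC_MAX_CHANGES:
                findings.append((ts, "location_area_churn",
                                 f"{len(lac_changes)} changes in {LAC_WINDOW_S}s"))
    return findings

# Constructed sample trace (not captured from a real device).
SAMPLE = [
    {"ts": 0,   "type": "location_update", "lac": 1001},
    {"ts": 5,   "type": "cipher_mode_command", "cipher": "A5/3"},
    {"ts": 20,  "type": "location_update", "lac": 2002},
    {"ts": 22,  "type": "identity_request", "id_type": "IMSI", "cell_id": 777},
    {"ts": 23,  "type": "cipher_mode_command", "cipher": "A5/0"},
    {"ts": 30,  "type": "sms_deliver", "tp_pid": 0x40},
    {"ts": 35,  "type": "location_update", "lac": 1001},
    {"ts": 40,  "type": "location_update", "lac": 2002},
    {"ts": 400, "type": "identity_request", "id_type": "TMSI", "cell_id": 12},
]

if __name__ == "__main__":
    for ts, rule, detail in analyze(SAMPLE):
        print(f"t={ts:>3}s  {rule:<22} {detail}")
```

Each rule fires on a single observation, so a finding is a prompt to review the surrounding trace rather than proof of a cell-site simulator.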
Official Resources
- GitHub Repository
- EFF Project Page
- Blog Announcement
Installation Overview
Prerequisites
- Orbic RC400L hotspot device (~$20)
- Computer with ADB installed
- USB cable (Micro-USB)
- Active SIM card (for testing)
Basic Setup Steps
```bash
# 1. Clone the repository
git clone https://github.com/EFForg/rayhunter.git
cd rayhunter

# 2. Install dependencies
# (Follow README for your OS)

# 3. Connect Orbic RC400L via USB

# 4. Enable ADB on device
# (Dial *#*#33284#*#* on device)

# 5. Run the installer script
./install.sh

# 6. Access web interface
# Connect to device WiFi, browse to http://192.168.1.1:8080
```
Note: Installation requires building from source. See the GitHub repository for detailed, up-to-date instructions as the process may change.
Limitations
- 2G/3G Focus: Most effective against 2G IMSI catchers; 4G/5G detection is more limited
- False Positives: Legitimate network behavior can sometimes trigger alerts
- Single Device: Only the Orbic RC400L is currently supported
- Active SIM Required: Needs a working SIM to connect to towers
- Technical Knowledge: Setup requires comfort with command line tools
- Not 100% Detection: Sophisticated/modern IMSI catchers may evade detection
Where to Buy Orbic RC400L
| Source | Typical Price | Notes |
| --- | --- | --- |
| eBay | $15-25 | Used units, check for ADB capability |
| Amazon | $20-35 | New/refurbished available |
| Swappa | $15-20 | Used marketplace |
| Facebook Marketplace | $10-20 | Local pickup, verify model |
Search Tips: Search for "Orbic RC400L" or "Verizon Orbic Speed". Ensure it's the RC400L model specifically, not other Orbic devices.
Alternatives & Related Projects
| Project | Description | Hardware Needed |
| --- | --- | --- |
| SnoopSnitch (Android) | Android app for detection (requires root + Qualcomm) | Rooted Android with Qualcomm baseband |
| AIMSICD (Discontinued) | Legacy Android IMSI catcher detector | Old Android devices |
| Crocodile Hunter | EFF's 4G detection research project | SDR + specialized setup |
| OpenBTS/OpenBSC | Research-grade tools (complex) | SDR + extensive setup |
Legal & Ethical Notes
Rayhunter is for DETECTION only. It is a passive monitoring tool designed to help identify potential surveillance. Using Rayhunter is legal in most jurisdictions as it only analyzes your own device's connection.
IMSI catchers are used by:
- Law enforcement (with varying levels of oversight)
- Intelligence agencies
- Potentially malicious actors
Rayhunter helps journalists, activists, and privacy-conscious individuals understand if they might be under surveillance.