I recently received one of these Chinese watches that communicates over GPRS. I am trying to decipher the protocol used, as well as trying to figure out why it does not work.
I was thinking that there might be various approaches to inspecting the network traffic in this case.
GPRS is what I'd call an extension to GSM. As such, it's encrypted.
So simply sniffing airborne traffic won't do. It's possible, though not overly likely, that your network operator uses weak encryption (slides), but deciphering GPRS traffic might be a bit much if you haven't done something like that before. Hence, your two approaches sound reasonable.
- Maybe there is a 3G/GSM operator that lets me inspect the network traffic? (does this exist?)
No. At least, I don't think so (and on some level, I hope they don't. The potential for abuse is just too high).
However, you could be your own operator, as you notice yourself:
- Create a fake base-station using software defined radio (seems incredibly overkill)
How's that overkill? You want to play man in the middle in a complex infrastructure. Becoming infrastructure does sound like the logical next step.
As a matter of fact, Osmocom's OpenBSC freshly supports GPRS modes. You can program your own SIM card and use it, without faking anything, within your own network. It's noteworthy that under any jurisdiction I can think of, you'll need a spectrum license to operate a mobile phone network, so you should only do this within a well-shielded enclosure.
Another approach that sounds far more viable and financially sound: disassemble one watch, look out for the different ICs/modules, and identify whether there's an isolated GPRS modem. Find the serial lines between that and your watch's CPU, and tap electrically into them with a <10 USD serial-to-USB converter. Out of curiosity, I think we'd all like to know which model you got from where :D
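Once you have the serial-to-USB converter on the modem's lines, the first thing you want is to turn the raw byte stream into command/response pairs. The following is an added example, not code from the original answer; it assumes the modem speaks a Hayes-style AT command set (common for GPRS modules, but not guaranteed for this watch) and parses a constructed sample capture rather than a real one.

```python
"""Split a UART capture between a watch MCU and a GPRS modem into
command/response transactions.  Assumes a Hayes-style AT command set
(an assumption; the watch's modem may speak something else)."""
import re
from dataclasses import dataclass, field

# Final result codes that terminate a command (subset; assumption).
FINAL_RESULTS = ("OK", "ERROR", "NO CARRIER", "BUSY")


@dataclass
class Transaction:
    command: str                                    # MCU -> modem line
    responses: list = field(default_factory=list)   # intermediate lines
    result: str = ""                                # final result, "" if none


def parse_at_dialog(capture: bytes):
    """Return (transactions, unsolicited) from a raw capture.

    A line starting with "AT" opens a transaction; lines up to the next
    final result code belong to it.  Lines seen while no command is
    pending are unsolicited result codes (URCs) pushed by the modem."""
    transactions, unsolicited, current = [], [], None
    for raw in re.split(rb"\r\n|\r|\n", capture):
        line = raw.decode("ascii", errors="replace").strip()
        if not line:
            continue
        if line.upper().startswith("AT"):
            if current is not None:      # previous command never completed
                transactions.append(current)
            current = Transaction(command=line)
        elif current is None:
            unsolicited.append(line)
        elif line.upper() in FINAL_RESULTS or line.startswith("+CME ERROR"):
            current.result = line
            transactions.append(current)
            current = None
        else:
            current.responses.append(line)
    if current is not None:              # capture ended mid-command
        transactions.append(current)
    return transactions, unsolicited


# Constructed sample capture (with modem echo on); not from any real watch.
SAMPLE = (b"AT\r\r\nOK\r\n"
          b"AT+CGATT=1\r\r\nOK\r\n"
          b"AT+CIFSR\r\r\n10.64.12.7\r\nOK\r\n"
          b"+CMTI: \"SM\",1\r\n"
          b"AT+CIPSTART=\"TCP\",\"example.invalid\",8001\r\r\nOK\r\n"
          b"CONNECT OK\r\n")
```

Feeding it the bytes read from the converter (for example via pyserial) instead of `SAMPLE` gives you a first map of what the watch asks the modem to do and where it stalls, which is usually where the "does not work" question gets answered.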