Onnowpurbo: /* Referensi */

2014-02-24T23:59:36Z

Referensi

Onnowpurbo at 20:07, 24 February 2014

2014-02-24T20:07:22Z

← Older revision		Revision as of 20:07, 24 February 2014
Line 111:		Line 111:

	* https://srlabs.de/airprobe-how-to/		* https://srlabs.de/airprobe-how-to/
			* https://opensource.srlabs.de/projects/a51-decrypt/files

Onnowpurbo: New page: Sumber: https://srlabs.de/airprobe-how-to/ Follow these steps to use "gsm-receiver" from Airprobe to debug non-hopping, single ARFCN cells in the downlink direction. - Capture some down...

2014-02-24T20:07:03Z

New page: Sumber: https://srlabs.de/airprobe-how-to/ Follow these steps to use "gsm-receiver" from Airprobe to debug non-hopping, single ARFCN cells in the downlink direction. - Capture some down...

New page

Sumber: https://srlabs.de/airprobe-how-to/

Follow these steps to use "gsm-receiver" from
Airprobe to debug non-hopping, single ARFCN cells in the
downlink direction.

- Capture some downlink traffic of a non-hopping, single ARFCN cell
using either the USRP or USRP2 (recommended decimation rate for the
USRP2 is 174, the default decimation rate for the USRP is 112).
A sample USRP2 capture is here:

http://reflextor.com/vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002.cfile.gz

(This capture was recorded with:
usrp2_rx_cfile.py -f `arfcncalc -a 725 -d -b 1800` -d 174 -g 5 output.cfile )

- Start a recent Wireshark version listening to the GSMTAP port
(UDP 4729).

- Note: "174" in the following samples is the decimation rate used
for the USRP2 capture, "go_usrp2.sh" is used because it is a USRP2
capture. For the USRP1 "go.sh" would be used instead of "go_usrp2.sh"
and "112" instead of "174".

- Decode TS0 as "Non-combined" BTS configuration ("0B" parameter).
For a "Combined" configuration specify "0C". If not sure, try
both and take the one which makes more sense or look at "SYSTEM
INFORMATION 3", "Control Channel Description".

./go_usrp2.sh vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002.cfile 174 0B > vf_call6

- Look for an "Immediate Assignment" in the Wireshark GSMTAP trace.

==> SDCCH/8 on TS1 is assigned

- Decode TS1 as "SDCCH/8" ("1S" parameter)

./go_usrp2.sh vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002.cfile 174 1S > vf_call6

- The unencrypted part of the SDCCH/8 is displayed in Wireshark. The
encrypted part of SDCCH/8 is contained in the file "vf_call6", those are
the frames where an error is displayed (e.g. "cannot decode fnr=0x0d288b
(862347) ts=1").

- File "vf_call6" contains the burst of the frames, for the first encrypted
frame the bursts are:

C1 862344 1332354: 001111000110000100101110000110111111000101111000101001011111001100100110010011011000000100000101010011001000010010
P1 862344 1332354: 001111000110000100101110000110111111000101111000101001011111001100100110010011011000000100000101010011001000010010
S1 862344 1332354: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
C0 862345 1332387: 010001100001111000010010111111000101101100011010101010001011100010101101001000100101010110001011011010110111001010
P0 862345 1332387: 010001100001111000010010111111000101101100011010101010001011100010101101001000100101010110001011011010110111001010
S0 862345 1332387: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
C0 862346 1332420: 110100001010010101100110001101001010100011001011100010010110000011010111110000111001110110000011000001110100101011
P0 862346 1332420: 110100001010010101100110001101001010100011001011100010010110000011010111110000111001110110000011000001110100101011
S0 862346 1332420: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
C0 862347 1332453: 111110000111111010100110101000000100101100001000011111011100001111010001101111001001111001101111111001110101001000
P0 862347 1332453: 111110000111111010100110101000000100101100001000011111011100001111010001101111001001111001101111111001110101001000
S0 862347 1332453: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
error: sacch: parity error (-1 fn=862347)
cannot decode fnr=0x0d288b (862347) ts=1

"Cx" are the encrypted burst bits, "Px" are the decrypted burst bits and
"Sx" are the keystream bits (encrypted bits XOR decrypted bits). We do not
decrypt right now so the decrypted burst bits are the same as the encrypted
burst bits. If "x" is "1" than this is the first burst of a frame.

The second number is the frame number, the third number is the "modified"
frame number as required by the A5/1 algorithm.

- Choose a burst where the content of the frame is known and use it
to find Kc. Use the Kraken tool to find Kc.

The resulting Kc is 1EF00BAB3BAC7002.

Note: this step is not as easy as it sounds. Usually capture some
calls of your own phone where you know the Kc (it can be read from
the SIM or displayed by the Engineering Mode Screen of some phones)
and look for known-plain-text candidates. An example are "SYSTEM
INFORMATION 5/6/5ter" in the SACCH or "LAPDM U, func=UI" frames.
Also keep in mind that there could be wrong bits in a burst due to
distortion.

- Decode TS1 as "SDCCH/8" ("1S" parameter) and decrypt (Kc is specified
as parameter)

./go_usrp2.sh vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002.cfile 174 1S 1EF00BAB3BAC7002 > vf_call6

- Look for the "Assignment Command" in the Wireshark GSMTAP trace

==> TCH/F on TS5 is assigned

- Decode and decrypt the speech traffic on TS5 ("5T" parameter, Kc is
specified)

./go_usrp2.sh vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002.cfile 174 5T 1EF00BAB3BAC7002 > vf_call6

- The file "speech.au.gsm" contains the speech traffic. It can be converted
with "toast" (http://www.quut.com/gsm/) to an audio file:

toast -d speech.au.gsm

The resulting file "speech.au" can be played back.

==Referensi==

* https://srlabs.de/airprobe-how-to/

AirProbe: Howto - Revision history

Onnowpurbo: /* Referensi */

Onnowpurbo at 20:07, 24 February 2014

Onnowpurbo: New page: Sumber: https://srlabs.de/airprobe-how-to/ Follow these steps to use "gsm-receiver" from Airprobe to debug non-hopping, single ARFCN cells in the downlink direction. - Capture some down...