Difference between revisions of "AirProbe: Howto"
Onnowpurbo (talk | contribs) (New page: Sumber: https://srlabs.de/airprobe-how-to/ Follow these steps to use "gsm-receiver" from Airprobe to debug non-hopping, single ARFCN cells in the downlink direction. - Capture some down...) |
Onnowpurbo (talk | contribs) |
||
Line 111: | Line 111: | ||
* https://srlabs.de/airprobe-how-to/ | * https://srlabs.de/airprobe-how-to/ | ||
+ | * https://opensource.srlabs.de/projects/a51-decrypt/files |
Revision as of 03:07, 25 February 2014
Sumber: https://srlabs.de/airprobe-how-to/
Follow these steps to use "gsm-receiver" from
Airprobe to debug non-hopping, single ARFCN cells in the
downlink direction.
- Capture some downlink traffic of a non-hopping, single ARFCN cell
using either the USRP or USRP2 (recommended decimation rate for the USRP2 is 174, the default decimation rate for the USRP is 112). A sample USRP2 capture is here:
http://reflextor.com/vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002.cfile.gz
(This capture was recorded with: usrp2_rx_cfile.py -f `arfcncalc -a 725 -d -b 1800` -d 174 -g 5 output.cfile )
- Start a recent Wireshark version listening to the GSMTAP port
(UDP 4729).
- Note: "174" in the following samples is the decimation rate used
for the USRP2 capture, "go_usrp2.sh" is used because it is a USRP2 capture. For the USRP1 "go.sh" would be used instead of "go_usrp2.sh" and "112" instead of "174".
- Decode TS0 as "Non-combined" BTS configuration ("0B" parameter).
For a "Combined" configuration specify "0C". If not sure, try both and take the one which makes more sense or look at "SYSTEM INFORMATION 3", "Control Channel Description".
./go_usrp2.sh vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002.cfile 174 0B > vf_call6
- Look for an "Immediate Assignment" in the Wireshark GSMTAP trace.
==> SDCCH/8 on TS1 is assigned
- Decode TS1 as "SDCCH/8" ("1S" parameter)
./go_usrp2.sh vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002.cfile 174 1S > vf_call6
- The unencrypted part of the SDCCH/8 is displayed in Wireshark. The
encrypted part of SDCCH/8 is contained in the file "vf_call6", those are the frames where an error is displayed (e.g. "cannot decode fnr=0x0d288b (862347) ts=1").
- File "vf_call6" contains the burst of the frames, for the first encrypted
frame the bursts are:
C1 862344 1332354: 001111000110000100101110000110111111000101111000101001011111001100100110010011011000000100000101010011001000010010 P1 862344 1332354: 001111000110000100101110000110111111000101111000101001011111001100100110010011011000000100000101010011001000010010 S1 862344 1332354: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C0 862345 1332387: 010001100001111000010010111111000101101100011010101010001011100010101101001000100101010110001011011010110111001010 P0 862345 1332387: 010001100001111000010010111111000101101100011010101010001011100010101101001000100101010110001011011010110111001010 S0 862345 1332387: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C0 862346 1332420: 110100001010010101100110001101001010100011001011100010010110000011010111110000111001110110000011000001110100101011 P0 862346 1332420: 110100001010010101100110001101001010100011001011100010010110000011010111110000111001110110000011000001110100101011 S0 862346 1332420: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C0 862347 1332453: 111110000111111010100110101000000100101100001000011111011100001111010001101111001001111001101111111001110101001000 P0 862347 1332453: 111110000111111010100110101000000100101100001000011111011100001111010001101111001001111001101111111001110101001000 S0 862347 1332453: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 error: sacch: parity error (-1 fn=862347) cannot decode fnr=0x0d288b (862347) ts=1
"Cx" are the encrypted burst bits, "Px" are the decrypted burst bits and "Sx" are the keystream bits (encrypted bits XOR decrypted bits). We do not decrypt right now so the decrypted burst bits are the same as the encrypted burst bits. If "x" is "1" than this is the first burst of a frame.
The second number is the frame number, the third number is the "modified" frame number as required by the A5/1 algorithm.
- Choose a burst where the content of the frame is known and use it
to find Kc. Use the Kraken tool to find Kc.
The resulting Kc is 1EF00BAB3BAC7002.
Note: this step is not as easy as it sounds. Usually capture some calls of your own phone where you know the Kc (it can be read from the SIM or displayed by the Engineering Mode Screen of some phones) and look for known-plain-text candidates. An example are "SYSTEM INFORMATION 5/6/5ter" in the SACCH or "LAPDM U, func=UI" frames. Also keep in mind that there could be wrong bits in a burst due to distortion.
- Decode TS1 as "SDCCH/8" ("1S" parameter) and decrypt (Kc is specified
as parameter)
./go_usrp2.sh vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002.cfile 174 1S 1EF00BAB3BAC7002 > vf_call6
- Look for the "Assignment Command" in the Wireshark GSMTAP trace
==> TCH/F on TS5 is assigned
- Decode and decrypt the speech traffic on TS5 ("5T" parameter, Kc is
specified)
./go_usrp2.sh vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002.cfile 174 5T 1EF00BAB3BAC7002 > vf_call6
- The file "speech.au.gsm" contains the speech traffic. It can be converted
with "toast" (http://www.quut.com/gsm/) to an audio file:
toast -d speech.au.gsm
The resulting file "speech.au" can be played back.