AirProbe: Howto
Source: https://srlabs.de/airprobe-how-to/
Follow these steps to use "gsm-receiver" from
Airprobe to debug non-hopping, single ARFCN cells in the
downlink direction.
- Capture some downlink traffic of a non-hopping, single ARFCN cell
using either the USRP or USRP2 (recommended decimation rate for the USRP2 is 174, the default decimation rate for the USRP is 112). A sample USRP2 capture is here:
http://reflextor.com/vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002.cfile.gz
(This capture was recorded with: usrp2_rx_cfile.py -f `arfcncalc -a 725 -d -b 1800` -d 174 -g 5 output.cfile )
- Start a recent Wireshark version listening to the GSMTAP port
(UDP 4729).
- Note: "174" in the following samples is the decimation rate used
for the USRP2 capture, "go_usrp2.sh" is used because it is a USRP2 capture. For the USRP1 "go.sh" would be used instead of "go_usrp2.sh" and "112" instead of "174".
- Decode TS0 as "Non-combined" BTS configuration ("0B" parameter).
For a "Combined" configuration specify "0C". If unsure, try both and take the one that makes more sense, or check the "Control Channel Description" in "SYSTEM INFORMATION 3".
./go_usrp2.sh vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002.cfile 174 0B > vf_call6
- Look for an "Immediate Assignment" in the Wireshark GSMTAP trace.
==> SDCCH/8 on TS1 is assigned
- Decode TS1 as "SDCCH/8" ("1S" parameter)
./go_usrp2.sh vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002.cfile 174 1S > vf_call6
- The unencrypted part of the SDCCH/8 is displayed in Wireshark. The
encrypted part of the SDCCH/8 is contained in the file "vf_call6"; these are the frames for which an error is displayed (e.g. "cannot decode fnr=0x0d288b (862347) ts=1").
- File "vf_call6" contains the burst of the frames, for the first encrypted
frame the bursts are:
C1 862344 1332354: 001111000110000100101110000110111111000101111000101001011111001100100110010011011000000100000101010011001000010010
P1 862344 1332354: 001111000110000100101110000110111111000101111000101001011111001100100110010011011000000100000101010011001000010010
S1 862344 1332354: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
C0 862345 1332387: 010001100001111000010010111111000101101100011010101010001011100010101101001000100101010110001011011010110111001010
P0 862345 1332387: 010001100001111000010010111111000101101100011010101010001011100010101101001000100101010110001011011010110111001010
S0 862345 1332387: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
C0 862346 1332420: 110100001010010101100110001101001010100011001011100010010110000011010111110000111001110110000011000001110100101011
P0 862346 1332420: 110100001010010101100110001101001010100011001011100010010110000011010111110000111001110110000011000001110100101011
S0 862346 1332420: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
C0 862347 1332453: 111110000111111010100110101000000100101100001000011111011100001111010001101111001001111001101111111001110101001000
P0 862347 1332453: 111110000111111010100110101000000100101100001000011111011100001111010001101111001001111001101111111001110101001000
S0 862347 1332453: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
error: sacch: parity error (-1 fn=862347) cannot decode fnr=0x0d288b (862347) ts=1
"Cx" are the encrypted burst bits, "Px" are the decrypted burst bits and "Sx" are the keystream bits (encrypted bits XOR decrypted bits). Since we are not decrypting yet, the decrypted burst bits are identical to the encrypted burst bits and the keystream line is all zeros. If "x" is "1" then this is the first burst of a frame.
The second number is the frame number, the third number is the "modified" frame number as required by the A5/1 algorithm.
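To check the relationships described above by hand, here is an added example (not part of the original how-to or of Airprobe) that parses two bursts copied from the dump, verifies Sx = Cx XOR Px, and recomputes the "modified" frame number from the TDMA frame number using the standard A5/1 COUNT packing (T1, T3, T2 from 3GPP TS 43.020). The sample dump, the helper names and the use of only two of the four frames are assumptions made for this example.

```python
import re

# Bursts for frames 862344 and 862345, copied from the gsm-receiver dump above
# (constructed sample). The Sx line is Cx XOR Px and is all zeros here because
# no Kc was supplied yet. The trailing error line is the one from the dump.
_Z = "0" * 114
SAMPLE_DUMP = f"""\
C1 862344 1332354: 001111000110000100101110000110111111000101111000101001011111001100100110010011011000000100000101010011001000010010
P1 862344 1332354: 001111000110000100101110000110111111000101111000101001011111001100100110010011011000000100000101010011001000010010
S1 862344 1332354: {_Z}
C0 862345 1332387: 010001100001111000010010111111000101101100011010101010001011100010101101001000100101010110001011011010110111001010
P0 862345 1332387: 010001100001111000010010111111000101101100011010101010001011100010101101001000100101010110001011011010110111001010
S0 862345 1332387: {_Z}
error: sacch: parity error (-1 fn=862347) cannot decode fnr=0x0d288b (862347) ts=1
"""

# kind (C/P/S), first-burst flag, TDMA frame number, printed COUNT, burst bits
LINE_RE = re.compile(r"^([CPS])([01]) (\d+) (\d+): ([01]+)$")

def a5_count(fn):
    """22-bit A5/1 COUNT for TDMA frame number fn (3GPP TS 43.020 Annex C):
    T1 = fn // 1326 (11 bits), T3 = fn % 51 (6 bits), T2 = fn % 26 (5 bits),
    packed MSB-to-LSB as T1 | T3 | T2."""
    return ((fn // 1326) << 11) | ((fn % 51) << 5) | (fn % 26)

def parse_dump(text):
    """Group the C/P/S lines by frame number; non-burst lines are skipped."""
    frames = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. the "error: sacch: parity error" trailer
        kind, first, fn, count, bits = m.groups()
        rec = frames.setdefault(int(fn), {"first": first == "1", "count": int(count)})
        rec[kind] = bits
    return frames

def xor_bits(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def check_frame(fn, rec):
    """True if all three lines are 114-bit bursts, Sx == Cx XOR Px, and the
    printed 'modified' frame number equals the A5/1 COUNT derived from fn."""
    c, p, s = rec.get("C", ""), rec.get("P", ""), rec.get("S", "")
    return (len(c) == len(p) == len(s) == 114
            and xor_bits(c, p) == s
            and rec["count"] == a5_count(fn))

if __name__ == "__main__":
    for fn, rec in sorted(parse_dump(SAMPLE_DUMP).items()):
        burst = "first burst" if rec["first"] else "continuation"
        print(fn, rec["count"], burst, "ok" if check_frame(fn, rec) else "MISMATCH")
```

With a real Kc supplied to go_usrp2.sh, the same check still holds: Sx then becomes the non-zero keystream and Px the recovered plaintext burst.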
- Choose a burst whose frame content is known and use it with the
Kraken tool to find Kc.
The resulting Kc is 1EF00BAB3BAC7002.
Note: this step is not as easy as it sounds. Usually you capture some calls of your own phone where you know the Kc (it can be read from the SIM or displayed by the Engineering Mode screen of some phones) and look for known-plaintext candidates. Examples are "SYSTEM INFORMATION 5/6/5ter" in the SACCH or "LAPDm U, func=UI" frames. Also keep in mind that a burst may contain wrong bits due to distortion.
- Decode TS1 as "SDCCH/8" ("1S" parameter) and decrypt (Kc is specified
as parameter)
./go_usrp2.sh vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002.cfile 174 1S 1EF00BAB3BAC7002 > vf_call6
- Look for the "Assignment Command" in the Wireshark GSMTAP trace
==> TCH/F on TS5 is assigned
- Decode and decrypt the speech traffic on TS5 ("5T" parameter, Kc is
specified)
./go_usrp2.sh vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002.cfile 174 5T 1EF00BAB3BAC7002 > vf_call6
- The file "speech.au.gsm" contains the speech traffic. It can be converted
with "toast" (http://www.quut.com/gsm/) to an audio file:
toast -d speech.au.gsm
The resulting file "speech.au" can be played back.