it will only be buried correctly if the media is informed. I am attempting to build a working USRP 1 or 2 setup in order to demonstrate it in Cyprus.
I need some assistance in selecting the right stuff to save time. Please post your tested setup if you have time.

Regards
dinopio

On Sun, Jul 18, 2010 at 12:25 PM, Frank A. Stevenson <fr...@hvitehus.no> wrote:
> I made a very simple command line interface to Kraken, which has only 1
> useful command (crack). Once fired up, you can then try to crack
> multiple bursts without reloading the tables every time.
>
> If you have some bursts that you want to crack such as:
>
> 3811417:
> 011100101011101011101111110101101001110111110111010110111001111100101100010110000110100011010110010101110111101111
>
> 3811424:
> 111000110011110100011100001000100001011111010101110001101001111010011000010111110001110000101110111000111100111101
>
> The first number is the frame COUNT used for mixing into A5/1 - it can
> be derived from the frame number in the following way:
>
> unsigned int fn2count(unsigned int fn) {
>     unsigned int t1 = fn / 1326;
>     unsigned int t2 = fn % 26;
>     unsigned int t3 = fn % 51;
>     return (t1 << 11) | (t3 << 5) | t2;
> }
>
> The second burst can be cracked, and the command to and output from
> Kraken looks like this:
>
> Kraken> crack 111000110011110100011100001000100001011111010101110001101001111010011000010111110001110000101110111000111100111101
>
> Cracking 111000110011110100011100001000100001011111010101110001101001111010011000010111110001110000101110111000111100111101
> Found a56290409b507d75 @ 37
>
> Kraken>
>
> This means a56290409b507d75 is the key that produces the output at
> position 37 after 100 clockings. These numbers can then be fed into my
> latest tool: find_kc. This program will perform the backclocking,
> reverse the frame count mix, and the key setup mixing (based on some
> earlier programs that I wrote) - finally it can as an option take a
> second frame count together with the burst data as input, and use that
> to eliminate the wrong candidate Kcs from the backclocking.
>
> Example:
>
> fr...@quant:~/gsm/tmto-svn/tinkering/A5Util$ ./find_kc a56290409b507d75 37 3811424 3811417 011100101011101011101111110101101001110111110111010110111001111100101100010110000110100011010110010101110111101111
> #### Found potential key (bits: 37)####
> db18a071e4d1f057 -> db18a071e4d1f057
> Framecount is 3811424
> KC(0): 2e 61 10 5e 80 93 5e 1c *** MATCHED ***
> KC(1): bc 44 48 ed 03 04 02 53 mismatch
> KC(2): d4 37 41 cf 3d 04 05 a5 mismatch
> KC(3): da 74 09 51 60 07 7b c7 mismatch
> KC(4): f3 f7 a8 3b f6 76 e6 5a mismatch
>
> The correct Kc is here: 2e 61 10 5e 80 93 5e 1c , and will produce both
> cipherstreams correctly, as well as all other cipherstreams, and can
> consequently be used to decrypt the entire call or SMS. (Byte order may
> have to be changed, depending on your other tools)
>
> How many more nails are needed for A5/1s coffin? :-)
>
> Frank
>
>
> _______________________________________________
> A51 mailing list
> A51@lists.reflextor.com
> http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
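Added example, not part of the thread and not Frank's find_kc or the Kraken code: a small reference A5/1 keystream generator in C, written in the style of the public Briceno/Goldberg/Wagner implementation, with the fn2count() mapping from Frank's mail included unchanged. It shows where Kc and COUNT enter the key setup, what the "100 clockings" are, and why one Kc gives different keystreams for two COUNTs (which is what lets find_kc discard the wrong candidates when a second burst is supplied). Assumptions: Kc is loaded LSB-first byte by byte and COUNT LSB-first, as in the reference code; the self-test uses the test vector published with that reference code (key 12 23 45 67 89 AB CD EF, COUNT 0x134). Because Frank notes the byte order may need changing for other tools, the example does not claim to reproduce his bursts bit for bit; the POST_KC array is just his recovered Kc used as sample input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register widths, clocking taps, feedback taps and output bits of A5/1. */
#define R1MASK 0x07FFFFu   /* 19-bit register */
#define R2MASK 0x3FFFFFu   /* 22-bit register */
#define R3MASK 0x7FFFFFu   /* 23-bit register */
#define R1MID  0x000100u   /* clocking bit 8 */
#define R2MID  0x000400u   /* clocking bit 10 */
#define R3MID  0x000400u   /* clocking bit 10 */
#define R1TAPS 0x072000u   /* feedback bits 18,17,16,13 */
#define R2TAPS 0x300000u   /* feedback bits 21,20 */
#define R3TAPS 0x700080u   /* feedback bits 22,21,20,7 */
#define R1OUT  0x040000u
#define R2OUT  0x200000u
#define R3OUT  0x400000u

typedef struct { uint32_t r1, r2, r3; } a51_state;

/* Kc from Frank's mail, used here only as sample input. */
const uint8_t POST_KC[8] = {0x2e, 0x61, 0x10, 0x5e, 0x80, 0x93, 0x5e, 0x1c};

/* COUNT derivation exactly as quoted in the post: T1 = FN/1326, T2 = FN mod 26, T3 = FN mod 51. */
unsigned int fn2count(unsigned int fn)
{
    unsigned int t1 = fn / 1326;
    unsigned int t2 = fn % 26;
    unsigned int t3 = fn % 51;
    return (t1 << 11) | (t3 << 5) | t2;
}

static uint32_t parity(uint32_t x)
{
    x ^= x >> 16; x ^= x >> 8; x ^= x >> 4; x ^= x >> 2; x ^= x >> 1;
    return x & 1;
}

/* Shift one LFSR left by one position, feeding back the XOR of its tap bits. */
static uint32_t clockone(uint32_t reg, uint32_t mask, uint32_t taps)
{
    return ((reg << 1) & mask) | parity(reg & taps);
}

/* Regular clocking of all three registers: used while Kc and COUNT are loaded. */
static void clockall(a51_state *s)
{
    s->r1 = clockone(s->r1, R1MASK, R1TAPS);
    s->r2 = clockone(s->r2, R2MASK, R2TAPS);
    s->r3 = clockone(s->r3, R3MASK, R3TAPS);
}

/* Majority clocking: a register advances only if its clocking bit agrees with the majority. */
static void clockmaj(a51_state *s)
{
    uint32_t b1 = (s->r1 & R1MID) != 0, b2 = (s->r2 & R2MID) != 0, b3 = (s->r3 & R3MID) != 0;
    uint32_t maj = (b1 + b2 + b3) >= 2;
    if (b1 == maj) s->r1 = clockone(s->r1, R1MASK, R1TAPS);
    if (b2 == maj) s->r2 = clockone(s->r2, R2MASK, R2TAPS);
    if (b3 == maj) s->r3 = clockone(s->r3, R3MASK, R3TAPS);
}

static uint32_t outbit(const a51_state *s)
{
    return parity(s->r1 & R1OUT) ^ parity(s->r2 & R2OUT) ^ parity(s->r3 & R3OUT);
}

/* Key setup (assumed bit order, see lead-in): 64 Kc bits LSB-first, then the 22-bit
 * COUNT LSB-first, both with regular clocking, then 100 majority clocks whose
 * output is discarded. Those 100 clocks are the "100 clockings" in the post. */
void a51_keysetup(a51_state *s, const uint8_t kc[8], uint32_t count)
{
    int i;
    s->r1 = s->r2 = s->r3 = 0;
    for (i = 0; i < 64; i++) {
        uint32_t kb = (kc[i / 8] >> (i & 7)) & 1;
        clockall(s);
        s->r1 ^= kb; s->r2 ^= kb; s->r3 ^= kb;
    }
    for (i = 0; i < 22; i++) {
        uint32_t cb = (count >> i) & 1;
        clockall(s);
        s->r1 ^= cb; s->r2 ^= cb; s->r3 ^= cb;
    }
    for (i = 0; i < 100; i++) clockmaj(s);
}

/* Two 114-bit keystream halves (downlink, then uplink), packed MSB-first into 15 bytes each. */
void a51_keystream(const uint8_t kc[8], uint32_t count, uint8_t down[15], uint8_t up[15])
{
    a51_state s;
    int i;
    a51_keysetup(&s, kc, count);
    memset(down, 0, 15); memset(up, 0, 15);
    for (i = 0; i < 114; i++) { clockmaj(&s); down[i / 8] |= outbit(&s) << (7 - (i & 7)); }
    for (i = 0; i < 114; i++) { clockmaj(&s); up[i / 8]   |= outbit(&s) << (7 - (i & 7)); }
}

/* Published test vector of the reference implementation; returns 1 on a match. */
int a51_selftest(void)
{
    static const uint8_t key[8] = {0x12, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF};
    static const uint8_t good_down[15] = {0x53, 0x4E, 0xAA, 0x58, 0x2F, 0xE8, 0x15, 0x1A, 0xB6, 0xE1, 0x85, 0x5A, 0x72, 0x8C, 0x00};
    static const uint8_t good_up[15]   = {0x24, 0xFD, 0x35, 0xA3, 0x5D, 0x5F, 0xB6, 0x52, 0x6D, 0x32, 0xF9, 0x06, 0xDF, 0x1A, 0xC0};
    uint8_t down[15], up[15];
    a51_keystream(key, 0x134, down, up);
    return memcmp(down, good_down, 15) == 0 && memcmp(up, good_up, 15) == 0;
}

/* 1 if the same Kc yields different keystreams for two COUNTs: a Kc candidate that
 * matches burst one but not burst two is what find_kc reports as "mismatch". */
int keystreams_differ(const uint8_t kc[8], uint32_t c1, uint32_t c2)
{
    uint8_t d1[15], u1[15], d2[15], u2[15];
    a51_keystream(kc, c1, d1, u1);
    a51_keystream(kc, c2, d2, u2);
    return memcmp(d1, d2, 15) != 0 || memcmp(u1, u2, 15) != 0;
}

int main(void)
{
    uint8_t down[15], up[15];
    int i;
    printf("reference test vector: %s\n", a51_selftest() ? "ok" : "FAILED");
    a51_keystream(POST_KC, 3811424, down, up);   /* COUNT from the post */
    printf("downlink keystream for COUNT 3811424: ");
    for (i = 0; i < 15; i++) printf("%02x", down[i]);
    printf("\n");
    return 0;
}
```

To compare the printed keystream against a captured burst, remember that only 114 of the 120 printed bits are meaningful (the last byte carries two bits), and that the key byte order the capture tooling expects may differ from the LSB-first loading assumed here, as Frank's mail warns.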