On Wed, Dec 09, 2009 at 04:24:27AM -0500, Gregory Maxwell wrote:
> On Wed, Dec 9, 2009 at 4:03 AM, p q <[email protected]> wrote:
> > even USRP2 is not good for capturing GSM1800 traffic so we are stuck with
> > GSM900 only . is this correct ?
> 
> I have no clue why you couldn't capture up and downlink with two separate
> RX daughter boards on USRP1.
> 
> The USRP2 ADC does complex sampling at 100 MHz, so it can capture a 100 MHz
> bandpass. It can't cram that much over the Ethernet, but someone could
> create an FPGA image that grabs two 10 MHz windows separated by the 90 MHz
> offset.
> I don't know if any of the existing daughter boards have a bandpass that wide.

People at airprobe.org can give better answers to those questions than we can.
With the proper programming of the USRP hardware you should be able to
capture up- and downlink of a conversation with ease with a single DB, since
even the cheapest handset can do it.
The disadvantage of the attacker is that after encryption is enabled and
before the key is found, the channel allocation and frequency hopping
sequence is renegotiated between BTS and handset. So you end up having to
record the whole band (and also both up- and downlink), so that you can
later extract from that the bursts at the correct time offset and frequency.
The whole band is shared between all the networks though, but whether that
sharing means that ARFCNs belonging to one network are adjacent is unclear
(to me).
The people at airprobe.org can give a more detailed answer to that.
The proper solution would be to have a single USRP with 2 daughterboards
and do the demodulation on the FPGA, but I doubt the FPGA is beefy enough
for that.
_______________________________________________
A51 mailing list
[email protected]
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
