On Dec 9, 2009, at 11:56 AM, p q wrote:

> The message you are referring to is sent on uplink. It's always hard
> near to impossible to capture uplink since we truly don't know where
> the users are located and they can be moving too, which makes the
> capture even harder. The practical solution is to capture as much
> as uplink and downlink that's possible but rely on downlink for
> encryption breaking. Now, what's the best solution? Anyone from
> Airprobe reads here?

We rely only on downlink data. The number of packets available depends
on the mode in which the call is set up. There are a total of six
modes: mobile-terminated/cell-terminated X very-early/early/late
channel assignment.

Even in the worst case (mobile-terminated, early assignment) we should  
be able to see three known plaintext messages on the downlink:
a. Empty Ack after "Assignment Complete"
b. Empty Ack after "Alerting"
c. "Connect Acknowledge"

This is assuming we can guess the first channel of the secret hopping  
sequence through observing which channel starts to show activity at  
the right moment.

> From: sascha <[email protected]>
> Date: Wed, Dec 9, 2009 at 2:19 PM
> Subject: Re: [A51] Capture
> To: [email protected]
>
>
> On Wed, Dec 09, 2009 at 12:32:42PM +0330, p q wrote:
> > The source of known plain text has been discussed before but it's not clear
> > to me how many GSM frames we can certainly obtain on every single call. We
> > will capture it from Downlink, right? How many frames are guaranteed to be
> > always there?
>
> The folks at airprobe.org can give a better answer to that. But last time
> I asked them they all had the 'not sure bout that' syndrome.
> I am quite optimistic about the cipher mode complete message since it
> is sent from the mobile where a software update is not as easily done as
> in a BTS. I also doubt that the BTSs can be software-updated to insert
> random bits instead of known padding bytes, since the handset may rely
> on the padding to have that particular value.
>
> _______________________________________________
> A51 mailing list
> [email protected]
> http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51