I thought not of building a phone itself, but we could use some of the parts which have been used in the Nokia 3210. Same approach as airprobe with the USRP, just another specialised radio peripheral with a fast and huge FPGA and logic to downmix just the GSM bands. We have fixed frequency bands; the downmixing should be implemented the same way as the Nokia 3210 does it. Maybe we can reuse the technology / copy the layout up to the point where we get the IF signal. All further tasks can be done via the FPGA, just as it was planned with the USRP2, or via software. What do you think?

On Mon, 2010-01-04 at 15:50 +0330, p q wrote:
> You can not just build a phone. It needs a dozen legal steps to take, huge investment and a very huge production line. I don't even go far to explain how complicated and expensive this is. To use a phone as a GSM receiver you need to hack into the baseband processor to be able to control the L1 IC. It's usually a DSP implementing the layer-1 radio interface. You can not own such a chip. There are a few producers offering it only to huge vendors, NDA, legal subjects, etc. Your only chance is to hack into the baseband.
>
> That'd be a very difficult job, I must confess, but not impossible. If somebody can hack into a baseband processor and control the L1 DSP, that's only the start of this work, because you need to put a phone into a scanner, learn about active channels, then tune the other phones to follow that channel. Still, this is not going to be cheap and most certainly not going to be easy. If you do that and put the hacked firmware on the internet: if the phone is old you have low chances to be able to buy it; if it's new the vendor will make a little change and prevent the newly built ones getting hacked. After all, this is a billion-dollar business and people who design and build phones know what they are doing.
>
>
> ---------- Forwarded message ----------
> From: Evgeniy Shelepov <[email protected]>
> Date: Mon, Jan 4, 2010 at 3:43 PM
> Subject: Re: [A51] Truth about this work
> To: a51 <[email protected]>
>
> Hello,
>
> Yes, it looks a good idea to make a phone. BTW, why isn't it possible to make a sniffer from a cell phone? It has all the components that are needed. Probably it is possible to write a firmware and to simulate some tricky SIM card to make it do what we need.
>
> 2010/1/4 Clemens Gruber <[email protected]>:
> > See this listing of the Nokia 3210 hardware:
> > https://www.pqgruber.com/other/Portable.pdf
> > Maybe we can use similar parts and build our own peripheral perfectly fitting our needs. It should be much cheaper than 2 USRP2s with daughterboards etc.
> > If there are enough interested people, it will be possible.
> >
> > On the other hand, the idea of combining a USRP1 with a new FPGA card (Spartan, Virtex, ...) sounds very good because the FPGA seems to be the bottleneck.
> > Does anybody know if it's possible to create a fast data-transfer connection between these 2 devices?
> >
> > On Mon, 2010-01-04 at 14:16 +0330, p q wrote:
> >
> >> Thanks for the last two questions. These were also the important facts that nobody mentioned. To do a successful attack on A5/1-enabled GSM you need to capture the signal in a wide-band style, meaning you need to capture all the bands that may have a carrier on them. This is highly dependent on the network configuration, especially the design of the BTS.
> >>
> >> Real-world BTSs are offering services on different bands and calls always get handed over between the bands due to radio resource management. For a successful GSM interception you at least need to capture the downlink. Considering the current open-source and cheap hardware you can simply forget capturing both uplink and downlink; that's just not possible.
> >>
> >> To capture the downlink of a BTS that offers GSM1800 you need to capture at least 75 MB of the spectrum space. This is far more than the USRP and also beyond the USRP2. Yes, it's possible to do this on GSM900, but you have to first find a BTS that only offers downlink on GSM900, and this is not going to be easy.
> >>
> >> The idea of being able to build the RF part of a GSM interceptor that works on real-world BTSs across the world using cheap stuff like the USRP is just delusional. Never gonna happen. This is another truth about this work. Giving ourselves promises that are just not technically possible is not going to go far.
> >>
> >> What is possible to do? It is possible to build a GSM900-only capture system using at least two USRP2s, and still it depends on the number of TRXs that are installed on the BTS. If we want to go out there and really capture data from a real BTS we need to consider these things before getting ahead of ourselves. A two-unit USRP2 system might be able to fully capture the downlink of a real BTS operating in GSM900 only in a not so crowded area.
> >>
> >> I saw people are fantasizing about this work, to put it on some hacker CD like the Wifi and WEP stuff. I'm going to go out and say it: people, this is far more complicated and more expensive than that. This is all just because of the expensive and closed nature of the cellular network business and RF problems, not just because of the cryptography. Like I said before, A5/1 is just a part of the problem. Even if we can prove we can crack A5/1, which has not happened yet, the next step is the real pain in the ass.
> >>
> >> Regards
> >>
> >> On Mon, Jan 4, 2010 at 1:58 PM, Gregory Maxwell <[email protected]> wrote:
> >> > [Please don't send HTML mail to mailing lists]
> >> > On Mon, Jan 4, 2010 at 4:31 AM, p q <[email protected]> wrote:
> >> > >
> >> > > USRP even in a two-unit configuration is no good since it can not handle GSM1800
> >> >
> >> > I was under the impression that provider allocations are still no more than 10 MHz wide in the 1800 MHz band, are they not?

_______________________________________________
A51 mailing list
[email protected]
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
