What about the OpenTSM project? It is about turning a TSM30 phone into a sniffer. Did anyone have success with it? It has public firmware source code.

http://www.google.com/search?hl=mo&q=cache:wiki.thc.org/gsm/opentsm&btnG=C%C4%83utare

--- On Mon, 1/4/10, Clemens Gruber <[email protected]> wrote:

> From: Clemens Gruber <[email protected]>
> Subject: Re: [A51] Truth about this work
> To: [email protected]
> Date: Monday, January 4, 2010, 5:01 AM
>
> I thought not of building a phone itself but we could use some of the parts which have been used in the Nokia 3210. Same approach as airprobe with USRP, just another specialised radio peripheral with a fast and huge FPGA and a logic to downmix just the GSM bands. We have fixed frequency bands, the downmixing should be implemented the same way as the Nokia 3210 does it, maybe we can reuse the technology / copy the layout until the point where we got the IF signal.
> All further tasks can be done via the FPGA, just as it was planned with the USRP2, or via software.
> What do you think?
>
> On Mon, 2010-01-04 at 15:50 +0330, p q wrote:
> > You can not just build a phone. It needs a dozen legal steps to take, huge investment and a very huge production line. I don't even go far to explain how complicated and expensive this is. To use a phone as a GSM receiver you need to hack into the baseband processor to be able to control the L1 IC. It's usually a DSP implementing the layer-1 radio interface. You can not own such a chip. There are a few producers offering it only to huge vendors, NDA, legal subjects etc. Your only chance is to hack into the baseband.
> > That'd be a very difficult job I must confess but not impossible. If somebody can hack into a baseband processor and control the L1 DSP that's only the start of this work because you need to put a phone into a scanner, learn about active channels, then tune the other phones to follow that channel. Still, this is not going to be cheap and most certainly not going to be easy. If you do that and put the hacked firmware on the internet, if the phone is old you have low chances to be able to buy it, if it's new the vendor will make a little change and present the newly built ones get hacked. After all, this is a billion dollar business and people who design and build phones know what they are doing.
> >
> > ---------- Forwarded message ----------
> > From: Evgeniy Shelepov <[email protected]>
> > Date: Mon, Jan 4, 2010 at 3:43 PM
> > Subject: Re: [A51] Truth about this work
> > To: a51 <[email protected]>
> >
> > Hello,
> >
> > Yes, it looks like a good idea to make a phone. BTW, why isn't it possible to make a sniffer from a cell phone, it has all the components that are needed. Probably it is possible to write a firmware and to simulate some tricky simcard to make it do what we need.
> >
> > 2010/1/4 Clemens Gruber <[email protected]>:
> > > See this listing of the Nokia 3210 hardware:
> > > https://www.pqgruber.com/other/Portable.pdf
> > > Maybe we can use similar parts and build our own peripheral perfectly fitting our needs.. it should be much cheaper than 2 USRP2s with daughterboards etc.
> > > If there are enough interested people, it will be possible.
> > >
> > > On the other hand, the idea of combining a USRP1 with a new FPGA card (Spartan, Virtex, ...) sounds very good because the FPGA seems to be the bottleneck.
> > > Does anybody know if it's possible to create a fast data-transfer connection between these 2 devices?
> > >
> > > On Mon, 2010-01-04 at 14:16 +0330, p q wrote:
> > > > Thanks for the last two questions. These were also the important facts that nobody mentioned. To do a successful attack on A5/1 enabled GSM you need to capture signal in a wide-band style, meaning you need to capture all the bands that may have a carrier on them. This is highly dependent on the network configuration, especially the design of the BTS.
> > > >
> > > > Real world BTSs are offering services on different bands and calls always get handed over between the bands due to radio resource management. For a successful GSM interception you at least need to capture downlink. Considering the current opensource and cheap hardware you can simply forget to capture both uplink and downlink, that's just not possible.
> > > >
> > > > To capture downlink of a BTS that offers GSM1800 you need to capture at least 75 MB of the spectrum space. This is far more than USRP and also beyond USRP2. Yes it's possible to do this on GSM900 but you have to first find a BTS that only offers downlink on GSM900 and this is not going to be easy.
> > > >
> > > > The idea of being able to build the RF part of a GSM interceptor that works on real world BTSs across the world using cheap stuff like USRP is just delusional. Never gonna happen. This is another truth about this work. Giving ourselves promises that are just not technically possible is not going to go far.
> > > >
> > > > What is possible to do? It is possible to build a GSM900-only capture system using at least two USRP2 and still it depends on the number of TRXs that's installed on the BTS. If we want to go out there and really capture data from a real BTS we need to consider these things before getting ahead of ourselves. A two-unit USRP2 system might be able to fully capture the downlink of a real BTS operating in GSM900 only in a not so crowded area.
> > > >
> > > > I saw people are fantasizing this work to put it on some hacker CD like Wifi and WEP stuff. I'm going to go out and say it: people, this is far more complicated and more expensive than that. This is all just because of the expensive and closed nature of the cellular network business and RF problems, not just because of the cryptography. Like I said before, A5/1 is just a part of the problem. Even if we can prove we can crack A5/1, which has not happened yet, the next step is the real pain in the ass.
> > > >
> > > > regards
> > > >
> > > > On Mon, Jan 4, 2010 at 1:58 PM, Gregory Maxwell <[email protected]> wrote:
> > > > > [Please don't send HTML mail to mailing lists]
> > > > > On Mon, Jan 4, 2010 at 4:31 AM, p q <[email protected]> wrote:
> > > > > > USRP even in a two-unit configuration is no good since it can not handle GSM1800
> > > > >
> > > > > I was under the impression that provider allocations are still no more than 10 MHz wide in the 1800 MHz band, are they not?

_______________________________________________
A51 mailing list
[email protected]
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
