Guys, I'm sorry, but you can build a sniffer from a phone only if frequency hopping is not enabled (a rare case). Otherwise you need to capture the *whole* frequency band in which hopping is performed. Phone hardware cannot do this; it can capture a *single* channel.

Also note that a phone can capture only downlink and isn't able to capture uplink (because it is configured to send on uplink).

On Mon, Jan 4, 2010 at 23:26, 31337 <[email protected]> wrote:
> So... why not also Neo Freerunner or 1973?!
>
> http://wiki.openmoko.org/wiki/Main_Page
>
> http://wiki.openmoko.org/wiki/Neo_FreeRunner
>
> Regards
>
> Red
>
>
> On 04/Jan/2010, 20.47, Maxim wrote:
>
>> What about the OpenTSM project? It is about turning a TSM30 phone into a
>> sniffer. Did anyone have success with it? It has public firmware source
>> code.
>>
>> http://www.google.com/search?hl=mo&q=cache:wiki.thc.org/gsm/opentsm&btnG=C%C4%83utare
>>
>>
>> --- On Mon, 1/4/10, Clemens Gruber <[email protected]> wrote:
>>
>>> From: Clemens Gruber <[email protected]>
>>> Subject: Re: [A51] Truth about this work
>>> To: [email protected]
>>> Date: Monday, January 4, 2010, 5:01 AM
>>>
>>> I thought not of building a phone itself, but we could use some of the
>>> parts which have been used in the Nokia 3210. Same approach as airprobe
>>> with USRP, just another specialised radio peripheral with a fast and huge
>>> FPGA and logic to downmix just the GSM bands. We have fixed frequency
>>> bands; the downmixing should be implemented the same way as the Nokia
>>> 3210 does it. Maybe we can reuse the technology / copy the layout up to
>>> the point where we get the IF signal. All further tasks can be done via
>>> the FPGA, just as it was planned with the USRP2, or via software.
>>> What do you think?
>>>
>>> On Mon, 2010-01-04 at 15:50 +0330, p q wrote:
>>>> you can not just build a phone. it needs a dozen legal steps to take,
>>>> huge investment and a very huge production line. i don't even go far to
>>>> explain how complicated and expensive this is. to use a phone as a GSM
>>>> receiver you need to hack into the baseband processor to be able to
>>>> control the L1 IC. it's usually a DSP implementing the layer-1 radio
>>>> interface. you can not own such a chip. there are a few producers
>>>> offering it only to huge vendors, NDA, legal subjects, etc. your only
>>>> chance is to hack into the baseband.
>>>>
>>>> that'd be a very difficult job i must confess, but not impossible. if
>>>> somebody can hack into a baseband processor and control the L1 DSP,
>>>> that's only the start of this work, because you need to put a phone
>>>> into a scanner, learn about active channels, then tune the other phones
>>>> to follow that channel. still, this is not going to be cheap and most
>>>> certainly not going to be easy. if you do that and put the hacked
>>>> firmware on the internet: if the phone is old you have low chances to
>>>> be able to buy it; if it's new the vendor will make a little change and
>>>> prevent the newly built ones from getting hacked. after all, this is a
>>>> billion dollar business and people who design and build phones know
>>>> what they are doing.
>>>>
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Evgeniy Shelepov <[email protected]>
>>>> Date: Mon, Jan 4, 2010 at 3:43 PM
>>>> Subject: Re: [A51] Truth about this work
>>>> To: a51 <[email protected]>
>>>>
>>>> Hello,
>>>>
>>>> Yes, it looks like a good idea to make a phone. BTW, why isn't it
>>>> possible to make a sniffer from a cell phone? It has all the components
>>>> that are needed. Probably it is possible to write firmware and to
>>>> simulate some tricky SIM card to make it do what we need.
>>>>
>>>> 2010/1/4 Clemens Gruber <[email protected]>:
>>>>
>>>>> see this listing of the nokia 3210 hardware:
>>>>> https://www.pqgruber.com/other/Portable.pdf
>>>>> Maybe we can use similar parts and build our own peripheral perfectly
>>>>> fitting our needs.. it should be much cheaper than 2 usrp2s with
>>>>> daughterboards etc.
>>>>> if there are enough interested people, it will be possible.
>>>>>
>>>>> on the other hand, the idea of combining a usrp1 with a new fpga-card
>>>>> (spartan, virtex, ...) sounds very good because the fpga seems to be
>>>>> the bottleneck.
>>>>> does anybody know if it's possible to create a fast
>>>>> data-transfer-connection between these 2 devices?
>>>>>
>>>>> On Mon, 2010-01-04 at 14:16 +0330, p q wrote:
>>>>>
>>>>>> thanks for the last two questions
>>>>>> these were also important facts that nobody mentioned. to do a
>>>>>> successful attack on A5/1 enabled GSM you need to capture the signal
>>>>>> in a wide-band style, meaning you need to capture all the bands that
>>>>>> may have a carrier on them. this is highly dependent on the network
>>>>>> configuration, especially the design of the BTS.
>>>>>>
>>>>>> real world BTSs are offering services on different bands and calls
>>>>>> always get handed over between the bands due to radio resource
>>>>>> management. for a successful GSM interception you at least need to
>>>>>> capture downlink. considering the current opensource and cheap
>>>>>> hardware you can simply forget capturing both uplink and downlink,
>>>>>> that's just not possible.
>>>>>>
>>>>>> to capture downlink of a BTS that offers GSM1800 you need to capture
>>>>>> at least 75 MB of the spectrum space. this is far more than USRP and
>>>>>> also beyond USRP2.
>>>>>> yes it's possible to do this on GSM900 but you have to first find a
>>>>>> BTS that only offers downlink on GSM900 and this is not going to be
>>>>>> easy.
>>>>>>
>>>>>> the idea of being able to build the RF part of a GSM interceptor that
>>>>>> works on real world BTSs across the world using cheap stuff like USRP
>>>>>> is just delusional. never gonna happen. this is another truth about
>>>>>> this work. giving ourselves promises that are just not technically
>>>>>> possible is not going to go far.
>>>>>>
>>>>>> what is possible to do? it is possible to build a GSM900-only capture
>>>>>> system using at least two USRP2, and still it depends on the number
>>>>>> of TRXs that's installed on the BTS. if we want to go out there and
>>>>>> really capture data from a real BTS we need to consider these things
>>>>>> before getting ahead of ourselves. a two-unit USRP2 system might be
>>>>>> able to fully capture the downlink of a real BTS operating in GSM900
>>>>>> only in a not so crowded area.
>>>>>>
>>>>>> i saw people are fantasizing about this work to put it on some hacker
>>>>>> CD like the Wifi and WEP stuff. i'm going to go out and say it:
>>>>>> people, this is far more complicated and more expensive than that.
>>>>>> this is all just because of the expensive and closed nature of the
>>>>>> cellular network business and RF problems, not just because of the
>>>>>> cryptography. like i said before, A5/1 is just a part of the problem.
>>>>>> even if we can prove we can crack A5/1, which has not happened yet,
>>>>>> the next step is the real pain in the ass.
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> On Mon, Jan 4, 2010 at 1:58 PM, Gregory Maxwell <[email protected]> wrote:
>>>>>>> [Please don't send HTML mail to mailing lists]
>>>>>>>
>>>>>>> On Mon, Jan 4, 2010 at 4:31 AM, p q <[email protected]> wrote:
>>>>>>>>
>>>>>>>> USRP even in a two-unit configuration is no good since it can not
>>>>>>>> handle GSM1800
>>>>>>>
>>>>>>> I was under the impression that provider allocations are still no
>>>>>>> more than 10 MHz wide in the 1800 MHz band, are they not?
>>>>
>>>> _______________________________________________
>>>> A51 mailing list
>>>> [email protected]
>>>> http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51

--
Regards,
Alexander Chemeris.
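The bandwidth figures argued over in this thread (one 200 kHz channel for a phone, tens of MHz for a hopping set or a whole band) follow directly from the GSM channel numbering. The Python below is an added example, not code from any poster, airprobe or the USRP projects. The ARFCN formulas are those of 3GPP TS 45.005 section 2; the receiver bandwidths, the hopping set and the band names are assumptions constructed for illustration, not measured values.

```python
"""ARFCN-to-frequency mapping and capture-span estimation for GSM bands.

Added example for the A51 thread above; not code from the list.
Channel formulas follow 3GPP TS 45.005 section 2 (200 kHz carrier spacing).
Receiver bandwidths and the sample hopping set are assumed round numbers.
"""

CHANNEL_KHZ = 200

# band -> list of (first ARFCN, last ARFCN, uplink kHz at first ARFCN, duplex offset kHz)
BANDS = {
    "PGSM900": [(1, 124, 890_200, 45_000)],
    # E-GSM adds ARFCN 0 and the 975..1023 block that sits below 890 MHz
    "EGSM900": [(0, 124, 890_000, 45_000), (975, 1023, 880_200, 45_000)],
    "GSM850": [(128, 251, 824_200, 45_000)],
    "DCS1800": [(512, 885, 1_710_200, 95_000)],
    # PCS1900 reuses the 512.. numbering, so the band must be given explicitly
    "PCS1900": [(512, 810, 1_850_200, 80_000)],
}

# Assumed nominal usable bandwidths in kHz (illustrative, not measured):
# a phone demodulates one carrier; USRP1 over USB2 and USRP2 over GigE
# are limited by host transfer rate, not by the RF front end.
RECEIVERS = {"phone_single_channel": 200, "usrp1_usb2": 8_000, "usrp2_gige": 25_000}


def arfcn_to_khz(arfcn, band):
    """Return (uplink_khz, downlink_khz) for an ARFCN in the given band."""
    for first, last, base_up, duplex in BANDS[band]:
        if first <= arfcn <= last:
            up = base_up + CHANNEL_KHZ * (arfcn - first)
            return up, up + duplex
    raise ValueError(f"ARFCN {arfcn} is not defined in {band}")


def capture_span_khz(arfcns, band, downlink=True):
    """Smallest contiguous (lo, hi) in kHz covering every carrier in `arfcns`,
    including each carrier's +/-100 kHz half-channel.

    For a non-hopping call `arfcns` is one channel; for a hopping call it is
    the mobile allocation the BTS announced, so the whole set must be
    captured at once because the traffic channel moves across it every burst.
    """
    idx = 1 if downlink else 0
    freqs = [arfcn_to_khz(a, band)[idx] for a in arfcns]
    half = CHANNEL_KHZ // 2
    return min(freqs) - half, max(freqs) + half


def receiver_can_capture(arfcns, band, receiver_bw_khz, downlink=True):
    """True if one receiver of the given bandwidth can hold the whole set."""
    lo, hi = capture_span_khz(arfcns, band, downlink)
    return hi - lo <= receiver_bw_khz


def full_band_span_khz(band, downlink=True):
    """Span needed to capture every carrier a band can carry (all TRXs)."""
    edges = [a for first, last, _, _ in BANDS[band] for a in (first, last)]
    return capture_span_khz(edges, band, downlink)


if __name__ == "__main__":
    # Constructed hopping set (mobile allocation) of four P-GSM carriers.
    hopping_ma = [10, 30, 55, 62]
    for name, bw in RECEIVERS.items():
        print(f"{name:22s} non-hopping ARFCN 62: "
              f"{receiver_can_capture([62], 'PGSM900', bw)}  "
              f"hopping MA {hopping_ma}: "
              f"{receiver_can_capture(hopping_ma, 'PGSM900', bw)}")
    for band in ("PGSM900", "EGSM900", "DCS1800"):
        lo, hi = full_band_span_khz(band)
        print(f"{band}: full downlink {lo/1000:.1f}-{hi/1000:.1f} MHz "
              f"= {(hi - lo)/1000:.1f} MHz")
```

Run as a script, the loop shows the point made at the top of the thread: every receiver in the table can hold a single non-hopping carrier, but only the wideband one holds the hopping set, and capturing the entire DCS1800 downlink needs on the order of 75 MHz, which none of the assumed receivers covers. Swap the band name and bandwidth to check a different allocation.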
