> Also you *have to* capture full band before you find a key,
> because you do not know hopping sequence without
> deciphering.
Not entirely true.

1) If the network uses very early assignment, you will see the hopping sequence parameters in the clear.
2) If you stay on the SDCCH (SMS), you will see the hopping sequence in the clear as well.
3) If you know on which BTS your target is (more on that later), you only need to spy on the frequencies used by that BTS. And these are available in the clear message.
4) A cell doesn't use the entire spectrum. Actually on the cell in my area, I could capture the entire uplink or downlink (not both at the same time) with a single USRP1 ...
5) You could try to 'brute force' the hopping parameters by just looking at the energy in each timeslot at a given time. For a given cell, only the 'timeslot' & 'index' change. But that would need FPGA code changes to just get the energy back and not the samples themselves.

PS: To know on which BTS your target is, you can send a silent SMS (doable via some providers on the web) and correlate that with the paging requests you see on the network to find on which BTS he is and his TMSI. If the network isn't too busy that would work (and here in my small city, there aren't that many paging requests, so that would be easy).
_______________________________________________
A51 mailing list
[email protected]
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
