>Now that the tables are pretty much a done deal, (except for faster
>lookup) we need to turn our attention to finding known plaintext in the
>stream of GSM TDMA frames. So I am reading up on the 04.0x GSM
>standards, but without access to a proper airprobe equipment, it is all
>a bit theoretical.
>
>A number of likely targets have been proposed, but they are all at layer 3
>in the GSM stack. These messages will be packed in layer 2 LAPDm frames,
>bits will be stuffed, checksums and frame numbers will be added, before
>they are expanded with convolution codes, chopped into little pieces
>that are interleaved with each other and then A5/1 is finally applied
>just before the data is transmitted over the air.
>
>Needless to say, we need to get a much better understanding of this
>process (in the airprobe / OsmocomBB way.) So reading this stuff, as
>a layer123 n00b, I could not fail to notice that there is some known
>plaintext in the establishment of the layer 2 link (LAPDm SABM message).
>But I have no idea if it is encrypted or not.

The first SABM message is sent MS->BTS after the IMMEDIATE ASSIGNMENT[BTS->MS]
message (i.e. as the first message on the newly assigned SDCCH).
This one is unencrypted.

The second SABM message is sent MS->BTS after the ASSIGNMENT COMMAND[BTS->MS]
on the newly allocated TCH (the FACCH of that TCH).
This one is encrypted, but must be searched for among all the TCHs.

Since the ASSIGNMENT COMMAND before the second SABM is already ciphered,
we won't know which channel to listen to. But we also do not have to try all of
the ARFCNs carrying TCHs in a scattershot approach, because we have a few
encrypted messages on the SDCCH that was assigned in the IMMEDIATE ASSIGNMENT
message. These are:
* cipher mode complete (U == uplink)
* identity request (D == downlink)
* identity response (U)
* tmsi reallocation command (D) / complete (U)
* setup (D)
* call confirmed (U)
* assignment command (D)

Some of these messages (identity req/res, tmsi reallocation cmd/compl) are
optional.

Reference:
http://www.scribd.com/doc/4354329/GSM-Call-Setup-and-Location-Updating-13

I also seem to remember that the FACCH of a given TCH can steal a burst from
the TCH anywhere, and that would mean looking for the needle (FACCH burst) in
the haystack (TCH bursts).
(Whereas the SACCH is inserted at regular intervals.)

One question I have is where the parameters for frequency hopping are
communicated to the MS. If they are included in the assignment command, then we
should be able to find the TCH again after the few seconds that we need to do
the lookup (to then decrypt the ASSIGNMENT COMMAND message). If we count the
number of bursts transmitted in that time, we would know where in the hopping
sequence the connection is for any later burst.
_______________________________________________
A51 mailing list
[email protected]
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
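The closing question above, counting bursts across the lookup delay to find where a hopping TCH is afterwards, comes down to TDMA frame-number arithmetic from GSM 05.02 (and the frame number is also what A5/1 takes as its 22-bit COUNT, per GSM 03.20). The following is an added example, not code from the thread or from airprobe/OsmocomBB; it implements only cyclic hopping (HSN = 0), since the pseudo-random case needs the RNTABLE from 05.02, and the mobile allocation, MAIO and frame numbers are constructed values.

```python
# Added example: GSM 05.02 frame-number arithmetic for "where is the hopping
# TCH once the key lookup finishes?".  Only cyclic hopping (HSN = 0) is done;
# pseudo-random hopping would additionally need the 05.02 RNTABLE.

FRAMES_PER_SUPERFRAME = 26 * 51          # 1326 TDMA frames
HYPERFRAME = FRAMES_PER_SUPERFRAME * 2048  # 2 715 648 frames, then FN wraps
FRAME_US = 120_000 // 26                 # one TDMA frame = 120/26 ms ~ 4615 us


def fn_to_t1_t2_t3(fn):
    """Split a TDMA frame number into the T1, T2, T3 counters of GSM 05.02."""
    fn %= HYPERFRAME
    return fn // FRAMES_PER_SUPERFRAME, fn % 26, fn % 51


def a5_count(fn):
    """22-bit COUNT fed to A5/1 for this frame (GSM 03.20): T1 | T3 | T2."""
    t1, t2, t3 = fn_to_t1_t2_t3(fn)
    return ((t1 & 0x7FF) << 11) | ((t3 & 0x3F) << 5) | (t2 & 0x1F)


def advance_fn(fn, frames):
    """Frame number after `frames` more TDMA frames (one burst per frame on a timeslot)."""
    return (fn + frames) % HYPERFRAME


def frames_in_ms(milliseconds):
    """Whole TDMA frames that elapse in `milliseconds` (integer arithmetic, no rounding drift)."""
    return milliseconds * 26 // 120


def cyclic_hop_arfcn(fn, mobile_allocation, maio):
    """ARFCN used in frame `fn` under cyclic hopping, GSM 05.02 6.2.3 with HSN = 0:
    MAI = (FN + MAIO) mod N over the ascending mobile allocation list."""
    mai = (fn + maio) % len(mobile_allocation)
    return mobile_allocation[mai]


def channel_after_lookup(fn_now, lookup_ms, mobile_allocation, maio):
    """Frame number and ARFCN of the hopping TCH once a lookup lasting `lookup_ms` is over."""
    fn_later = advance_fn(fn_now, frames_in_ms(lookup_ms))
    return fn_later, cyclic_hop_arfcn(fn_later, mobile_allocation, maio)


if __name__ == "__main__":
    # Constructed values: a 4-frequency mobile allocation, MAIO 1, 3 s lookup.
    fn, arfcn = channel_after_lookup(1000, 3000, [10, 20, 30, 40], 1)
    print(f"FN after lookup: {fn}, T1/T2/T3 = {fn_to_t1_t2_t3(fn)}, ARFCN {arfcn}")
```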