This seems to be the case: the HSN and MAIO are transmitted in the "Channel Description" IE (04.08/10.5.2.5), which is included in the ASSIGNMENT COMMAND frame (04.08/9.1.2). In addition, the "Frequency List" (whatever that is) and "Mobile Allocation" IE (10.5.2.21) are present in the ASSIGNMENT COMMAND, which is all there is to know about the hopping.

This is something a USRP1 should be capable of doing:
* listen on the CCCH for IMMEDIATE ASSIGNMENT frames
* tune to the SDCCH+SACCH and fetch some frames
(now Kc would be broken, the ASSIGNMENT COMMAND message would be decrypted)
* follow the hopping sequence of the TCH

The USRP1 just needs to learn to change frequencies each TDMA frame.

Problem: if a new mobile allocation is handed to the MS on the CCH of the TCH, we would not be able to sniff it. That is, for the first 10 seconds we need for the lookup.

>One question I have is where the parameters for frequency hopping are communicated to the MS.
>If they are included in the assignment command, then we should be able to find the TCH again after a few seconds that we need to do the lookup (to then decrypt the ASSIGNMENT COMMAND message).
>If we count the number of bursts transmitted in that time, we would know where in the hopping sequence the connection is for any later burst.
>_______________________________________________
>A51 mailing list
>[email protected]
>http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51