On Tue, 2010-06-01 at 23:34 +0200, Sascha Krissler wrote:
> This seems to be the case: the HSN and MAIO are transmitted in the "Channel Description" IE (04.08/10.5.2.5), which is included in the ASSIGNMENT COMMAND frame (04.08/9.1.2). In addition the "Frequency List" (whatever that is) and "Mobile Allocation" IE (10.5.2.21) are present in the ASSIGNMENT COMMAND, which is all there is to know about the hopping.
>
> This is something a USRP1 should be capable of doing:
> * listen on the CCCH for IMMEDIATE ASSIGNMENT frames
> * tune to the SDCCH+SACCH and fetch some frames
>   (now Kc would be broken, the ASSIGNMENT COMMAND message would be decrypted)
> * follow the hopping sequence of the TCH
>
> The USRP1 just needs to learn to change frequencies each TDMA frame.
>
> Problem: if a new mobile allocation is handed to the MS on the CCH of the TCH, we would not be able to sniff it. That is for the first 10 seconds we need for the lookup.
Thanks for the link to the explanation and examples. Obviously it should be possible to follow a SDCCH from the beginning, and it may be easier to just use a regular phone, like the OsmocomBB C123 (especially when they get the hopping sorted out). But the TCH may be reallocated to a new physical channel within the encrypted part of the CCH, so a fast crack will be a big advantage.

But I have some thoughts on taking the problem of interleaving and turning it to our advantage. Between the CIPHER MODE COMMAND and the next real (encrypted) packet from the BST there has to be some sort of idle filling which can be read in clear. And suppose the next layer 3 downlink packet is SI6, or whatever the first encrypted downlink packet is. Because of interleaving, the first encrypted TDMA frame will only contain 6 bits of data from the LAPDm frame (beginning with 01111110 binary); the rest has to be a continuation of the idle mode filling, which in principle should be known, unless it is random. This line of reasoning would suggest that the first encrypted downlink TDMA frame is completely known, regardless of the data content.

F

_______________________________________________
A51 mailing list
[email protected]
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51