On Wed, Jun 02, 2010 at 08:15:23AM +0200, Frank A. Stevenson wrote:
> On Wed, 2010-06-02 at 06:55 +0200, Frank A. Stevenson wrote:
> >
> > This line of reasoning would suggest that the first encrypted downlink
> > TDMA frame is completely known, regardless of the data content.
> >
>
> I am afraid I have to correct myself at this point, it seems that SDCCH
> uses block rectangular interleaving (57 bits), and not diagonal (6 bits).
> The confusion is due to some poorly labeled illustrations in a book that
> I am reading. Assuming the LAPDm frames are aligned to the 4 frames that
> are interleaved, this heightens the known plaintext requirements quite a
> bit.
>
> Studying raw intercepted frames would be a great help at this stage...
>
I have uploaded some traces (downlink only) to
http://reflextor.com/trac/a51/wiki/GSMBasics (see attachments).

There are also some complete traces including uplink in the tarballs at:
https://svn.berlin.ccc.de/projects/airprobe/wiki/DeModulation

The XML files can be opened with Wireshark.

In moc_downlink, I count 2 SI5 frames with 21 bytes known plaintext, the
call proceeding with 18 bytes, assignment command 14 bytes. That should be
enough.
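The block interleaving discussed in the quoted message, as an added example that is not part of the original thread: it maps one 456-bit coded control-channel block onto its 4 bursts and lists which bytes of the 23-byte frame feed each burst. The mapping formula and the rate-1/2, constraint-length-5 coding are taken from GSM 05.03 as an assumption, not from the posts, and all function names are hypothetical.

```python
# Added illustration; formula as given in GSM 05.03 for SACCH/SDCCH-type
# control channels (assumption: taken from the spec, not from the thread).
CODED_BITS = 456      # one coded block (228 input bits at rate 1/2)
BURSTS = 4
DATA_BITS = 184       # 23-byte LAPDm frame; 40 parity + 4 tail bits follow


def interleave_position(k):
    """Map coded-bit index k to (burst, position within the 114-bit burst)."""
    burst = k % 4
    pos = 2 * ((49 * k) % 57) + ((k % 8) // 4)
    return burst, pos


def burst_map():
    """Return bursts[b][pos] = coded-bit index carried at that position."""
    bursts = [[None] * 114 for _ in range(BURSTS)]
    for k in range(CODED_BITS):
        b, pos = interleave_position(k)
        assert bursts[b][pos] is None, "mapping must be one-to-one"
        bursts[b][pos] = k
    return bursts


def frame_bytes_behind_burst(b):
    """Bytes of the 23-byte frame that feed at least one bit of burst b.

    Coded bits 2i and 2i+1 come from input bit i and up to four
    predecessors (constraint length 5), so each coded bit k depends on
    input bits k//2-4 .. k//2.
    """
    needed = set()
    for k in burst_map()[b]:
        for i in range(max(0, k // 2 - 4), k // 2 + 1):
            if i < DATA_BITS:
                needed.add(i // 8)
    return sorted(needed)


if __name__ == "__main__":
    for b in range(BURSTS):
        ks = burst_map()[b]
        print(f"burst {b}: coded bits {min(ks)}..{max(ks)}, "
              f"frame bytes involved: {len(frame_bytes_behind_burst(b))}/23")
```

Every burst draws on all 23 bytes of the frame, which is why the block scheme raises the amount of frame content that must be known compared with the diagonal one.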
