Silly question, but when a new TMSI is issued by the VLR, how does the handset get told what its new TMSI is (or does it never know itself)? Also, the handset has to be told by the (BSC/BSS?) what channel it needs to use for the phone call, and updates it when this channel changes, right? So if you caught a call just as it was initiated, does this mean you could track which channels it's hopping between by decrypting what the BSS/BSC is telling the handset to use, or does it not work like that?
On Fri, Jul 23, 2010 at 2:01 PM, Sylvain Munaut <[email protected]> wrote:

> > Talking hypothetically here... there's no way you could decode every single
> > one of those data streams on the fly, at least, not without investing some
> > serious cash.
>
> You could dedicate time. You could do some preprocessing on the FPGA
> (demod) to reduce the amount of data to bring back.
>
> > Surely it would be better (and probably more fun) to get
> > around the channel hopping problem, rather than just throwing resources at
> > something which is probably overkill for what you're trying to do?
>
> Actually, even if you could hop, that would not help picking up a
> _specific_ call ..
>
> The info about what TMSI the channel is assigned to is only
> transmitted on the dedicated channel, so you need to follow _all_
> immediate assignments, and there can be a lot at the same time (or
> close), so you need to follow a lot of channels at once, all at
> different frequencies ...
>
> If you can hop, you can pick up random transmissions. Good enough for a
> demo that the thing isn't secure, though!
>
> Sylvain

--
Cal Leeming
Operational Security & Support Team
Out of Hours: +44 (07534) 971120 | Support Tickets: [email protected]
Fax: +44 (02476) 578987 | Email: [email protected]
© 2010 Simplicity Media Ltd. All rights reserved. Registered company number 7143564
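The hopping part of the question above (whether what the BSS tells the handset lets you follow the hops) comes down to the hopping sequence defined in GSM 05.02 / 3GPP TS 45.002 section 6.2.3: once you have the Mobile Allocation (MA), MAIO and HSN from the IMMEDIATE ASSIGNMENT (sent in clear on the AGCH) or a later ASSIGNMENT COMMAND (sent on the dedicated channel, so possibly ciphered), the ARFCN used in every TDMA frame is a deterministic function of the frame number. The Python below is an added example, not code from this thread or from any project mentioned in it; it implements that generator. The RNTABLE constants are transcribed from Table 6 of the spec as I recall them and should be checked against TS 45.002 before you rely on them, the MA is assumed to be given in MAI order (increasing ARFCN, as the spec numbers it), and the sample allocation in the demo is made up.

```python
"""GSM frequency-hopping sequence generation per 3GPP TS 45.002 section 6.2.3.

Inputs are the parameters the network hands the mobile in the channel
assignment: MA (mobile allocation, list of ARFCNs in MAI order), MAIO and
HSN. Output is the ARFCN in use for a given TDMA frame number FN.
"""

# RNTABLE (TS 45.002 Table 6), 114 entries, indexed 0..113.
# Transcribed from memory of the spec: verify before relying on it.
RNTABLE = [
    48, 98, 63, 1, 36, 95, 78, 102, 94, 73,
    0, 64, 25, 81, 76, 59, 124, 23, 104, 100,
    101, 47, 118, 85, 18, 56, 96, 86, 54, 2,
    80, 34, 127, 13, 6, 89, 57, 103, 12, 74,
    55, 111, 75, 38, 109, 71, 112, 29, 11, 88,
    87, 19, 3, 68, 110, 26, 33, 31, 8, 45,
    82, 58, 40, 107, 32, 5, 106, 92, 62, 67,
    77, 108, 122, 37, 60, 66, 121, 42, 51, 126,
    117, 114, 4, 90, 43, 52, 53, 113, 120, 72,
    16, 49, 7, 79, 119, 61, 22, 84, 9, 97,
    91, 15, 21, 24, 46, 39, 93, 105, 65, 70,
    125, 99, 17, 123,
]


def frame_counters(fn):
    """Split frame number FN into the T1, T2, T3 counters used by the algorithm."""
    return fn // (26 * 51), fn % 26, fn % 51


def hopping_index(fn, hsn, maio, n):
    """Return the mobile allocation index (MAI, 0..n-1) for frame FN.

    hsn == 0 selects cyclic hopping; 1..63 selects pseudo-random hopping.
    """
    if not 1 <= n <= 64:
        raise ValueError("MA must hold 1..64 frequencies")
    if not 0 <= hsn <= 63:
        raise ValueError("HSN must be 0..63")
    if not 0 <= maio < n:
        raise ValueError("MAIO must be 0..N-1")

    if hsn == 0:
        # Cyclic hopping: walk through the MA one entry per frame.
        return (fn + maio) % n

    t1, t2, t3 = frame_counters(fn)
    # NBIN = number of bits needed to represent N; mask keeps the low NBIN bits.
    mask = (1 << n.bit_length()) - 1
    m = t2 + RNTABLE[(hsn ^ (t1 % 64)) + t3]  # index stays within 0..113
    m_prime = m & mask
    if m_prime < n:
        s = m_prime
    else:
        t_prime = t3 & mask
        s = (m_prime + t_prime) % n
    return (s + maio) % n


def hopping_arfcn(fn, hsn, maio, ma):
    """ARFCN in use at frame FN for mobile allocation MA (list in MAI order)."""
    return ma[hopping_index(fn, hsn, maio, len(ma))]


def follow_hops(ma, hsn, maio, fn_start, count):
    """The sequence of ARFCNs a receiver must tune to, starting at fn_start."""
    return [hopping_arfcn(fn, hsn, maio, ma) for fn in range(fn_start, fn_start + count)]


if __name__ == "__main__":
    # Constructed sample assignment, not a real capture.
    ma = [10, 14, 22, 27]
    print("cyclic      :", follow_hops(ma, 0, 1, 0, 8))
    print("pseudo-random:", follow_hops(ma, 1, 0, 0, 8))
```

With the parameters from one decoded assignment, `follow_hops` gives the per-frame tuning plan that a hopping receiver would need; that is the whole "track which channels it's hopping between" problem once the assignment itself has been captured.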
_______________________________________________ A51 mailing list [email protected] http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
