On Fri, Jul 23, 2010 at 3:11 PM, Cal Leeming [Simplicity Media Ltd]
<[email protected]> wrote:
> Silly question but, when a new tmsi is issued by the vlr, how does the
> handset get told what its new TMSI is (or does it never know itself?)

New TMSIs are only issued during "LOCATION UPDATE REQUEST" procedures
which are at the request of the phone.

> Also,
> the handset has to be told by the (bsc/bss?) what channel it needs to use
> for the phone call, and updates it when this channel changes right? so if
> you caught a call just as it was initiated, does this mean you could track
> which channels its hopping between by decrypting what the bss/bsc is telling
> the handset to use, or does it not work like that?

It doesn't work like that.

When the phone receives a call:
- The phone monitors a broadcast channel and sees there is a phone
call waiting for it.
- The phone xmits a packet on RACH requesting a channel (this packet
has _no_ information allowing to identify what phone is doing this
request)
- The BTS answers on a broadcast channel with an IMMEDIATE ASSIGNMENT
(or variant thereof) to go on a dedicated channel. (again, this
assignment has _no_ information to identify which one it is, it just
references which RACH request it responds to. So the _phone_ knows
it's for him, but everybody else has no way to know for who it is ...)
- TMSI identity will be exchanged in clear on the dedicated channel
- All private identity and phone numbers will be ciphered on the
dedicated channel

When the phone makes a call, same thing except you skip the first step
and the phone requests a channel directly.

So when you see an IMMEDIATE ASSIGNMENT you don't know who it's for
and you can follow it to discover it, but you'll lose a bunch of
other IMMEDIATE ASSIGNMENT in the meantime while you're not on the
control channel anymore.

Cheers,
Sylvain
_______________________________________________
A51 mailing list
[email protected]
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
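
A simplified model of the RACH request / IMMEDIATE ASSIGNMENT matching described in the message above, as an added example that is not part of the original post. The class and function names, the TMSI values and the channel label are constructed for illustration; the request reference is modelled as the 8 request bits plus the frame number modulo 42432.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class ChannelRequest:          # burst sent by the phone on RACH
    ra: int                    # the 8 bits on air (cause + random reference)
    fn: int                    # frame number of the burst (timing, not payload)

@dataclass(frozen=True)
class ImmediateAssignment:     # broadcast by the BTS
    req_ra: int                # echo of the request's 8 bits
    req_fn: int                # frame number of the request, modulo 42432
    channel: str               # dedicated channel to move to (constructed label)

class Phone:
    def __init__(self, tmsi):
        self.tmsi = tmsi       # never placed in a ChannelRequest
        self.pending = None

    def request_channel(self, fn, ra=None):
        ra = secrets.randbelow(256) if ra is None else ra
        self.pending = ChannelRequest(ra, fn)
        return self.pending

    def is_for_me(self, ia):
        # Only the phone that remembers its own burst can make this match.
        p = self.pending
        return p is not None and (ia.req_ra, ia.req_fn) == (p.ra, p.fn % 42432)

def bts_assign(req, channel):
    """BTS answer: references the RACH burst only, no subscriber identity."""
    return ImmediateAssignment(req.ra, req.fn % 42432, channel)

def observer_view(ia):
    """Fields a listener on the broadcast channel can read from the message."""
    return {"req_ra": ia.req_ra, "req_fn": ia.req_fn, "channel": ia.channel}

def demo():
    a, b = Phone(tmsi=0x1A2B3C4D), Phone(tmsi=0x55667788)  # constructed TMSIs
    req_a = a.request_channel(fn=100_000, ra=0x8F)
    b.request_channel(fn=100_004, ra=0x13)
    ia = bts_assign(req_a, "SDCCH/4 sub-channel 2")
    return a.is_for_me(ia), b.is_for_me(ia), observer_view(ia)

if __name__ == "__main__":
    print(demo())
```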