On 31/07/10 14.09, sakin wrote:
> It is known that Kc is determined by A8 algorithm when A3 is executed.
> Normally, it is during authentication and when network issues "RUN GSM
> ALGORITHM" command. I don't know the frequency of Kc change in a normal
> network operation.
>

Mmmm interesting, but regarding the well-known plaintext in a GSM transmission I am also thinking about the audio speech encoded in AMR.

The GSM networks can use the GSM codec and the AMR codec, even if most modern phones and networks run the AMR codec, that's extremely more efficient.

The AMR codec is said to have a 1 byte header.

AMR runs at various bitrates, 4.75, 5.15, 5.90, 6.70, 7.40, 7.95, 10.2 or 12.2 kbit/s, and each bitrate provides different sized output blocks of 95, 103, 118, 134, 148, 159, 204, and 244 bits.

In the 1 byte header it's written which is the encoding bitrate of the specific AMR 20ms encoded audio sample. In particular the top 4 bits tell the bitrate (CMR) while the lower bits are reserved and not used (all 0 or all 1).

CMR   MODE       FRAME SIZE (in bytes)
0     AMR 4.75   13
1     AMR 5.15   14
2     AMR 5.9    16
3     AMR 6.7    18
4     AMR 7.4    20
5     AMR 7.95   21
6     AMR 10.2   27
7     AMR 12.2   32

So in theory, but I can be missing something, we can use the AMR header as known plaintext of every call:

- the 1 byte header describes the sampling bitrate
- we can identify the sampling bitrate by looking at the size of the AMR 20ms sample

Could it be possible, or does the particular way the GSM transmission occurs prevent such kind of plaintext retrieval by guessing the AMR header content by looking at the speech packet size?

Fabio

AMR Reference:
http://wiki.forum.nokia.com/index.php/AMR_format
http://en.wikipedia.org/wiki/Adaptive_Multi-Rate_audio_codec
_______________________________________________
A51 mailing list
[email protected]
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
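Added example, not part of the original message: a parser for the AMR-NB file storage format, assuming the RFC 4867 section 5 layout (magic `#!AMR\n`, then per frame one header byte carrying a 4-bit frame type and a quality bit). It shows that in this file format the header byte follows from the frame size; the function names and the zero-filled sample are constructed for illustration, and only the eight speech modes from the table above are handled.

```python
AMR_MAGIC = b"#!AMR\n"  # assumption: single-channel AMR-NB storage format

# Frame type -> (mode label, total frame size in bytes including the header
# byte). Sizes are the ones listed in the table in the message above.
FRAME_TYPES = {
    0: ("AMR 4.75", 13), 1: ("AMR 5.15", 14), 2: ("AMR 5.9", 16),
    3: ("AMR 6.7", 18), 4: ("AMR 7.4", 20), 5: ("AMR 7.95", 21),
    6: ("AMR 10.2", 27), 7: ("AMR 12.2", 32),
}
SIZE_TO_FT = {size: ft for ft, (_, size) in FRAME_TYPES.items()}


def parse_header(byte):
    """Split a header byte into (frame_type, quality_bit, padding_is_zero)."""
    frame_type = (byte >> 3) & 0x0F   # bits 6..3
    quality = (byte >> 2) & 0x01      # bit 2
    padding_is_zero = (byte & 0x83) == 0  # bit 7 and bits 1..0 must be 0
    return frame_type, quality, padding_is_zero


def header_for_size(size, quality=1):
    """Header byte implied by a total frame size (KeyError if size unknown)."""
    return (SIZE_TO_FT[size] << 3) | (quality << 2)


def walk_frames(data):
    """Return [(offset, mode, size, quality)] for every frame in the stream."""
    if not data.startswith(AMR_MAGIC):
        raise ValueError("missing AMR magic")
    pos, frames = len(AMR_MAGIC), []
    while pos < len(data):
        frame_type, quality, padding_ok = parse_header(data[pos])
        if not padding_ok or frame_type not in FRAME_TYPES:
            raise ValueError(f"unsupported header 0x{data[pos]:02x} at {pos}")
        mode, size = FRAME_TYPES[frame_type]
        if pos + size > len(data):
            raise ValueError(f"truncated frame at {pos}")
        frames.append((pos, mode, size, quality))
        pos += size
    return frames


def build_sample():
    """Constructed sample: three frames with zero-filled speech payloads."""
    out = bytearray(AMR_MAGIC)
    for size in (32, 13, 21):
        out.append(header_for_size(size))
        out += bytes(size - 1)
    return bytes(out)


if __name__ == "__main__":
    for frame in walk_frames(build_sample()):
        print(frame)
```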
