Hi all, I've installed airprobe, uhd and kraken with 2TB tables. I'm trying to decrypt some traffic to have a working example. But I have a few questions for which I couldn't find any reference that would help me to get good answers.

So here is the case: when I follow this reference: http://www.ks.uni-freiburg.de/download/misc/practical_exercise_a51.pdf I can find Kc and reveal the voice data in the example recording (http://reflextor.com/vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002.cfile.gz). But when I try to do the same with my own recordings (I have a USRP2 too), I get nothing. And while reading this I realized that some issues are described very vaguely there.

First of all, as the original reference says (http://srlabs.de/uncategorized/airprobe-how-to/):

"Usually capture some calls of your own phone where you know the Kc (it can be read from the SIM or displayed by the Engineering Mode Screen of some phones) and look for known-plain-text candidates. An example are "SYSTEM INFORMATION 5/6/5ter" in the SACCH or "LAPDM U, func=UI" frames."

So, what is the purpose of tracking down bursts encrypted with my own Kc when I'm trying to decrypt something else? Is this tip only for demonstration purposes? If I understood correctly, Kc is different for each MS (http://gsmfordummies.com/encryption/encryption.shtml). So this confuses me a lot.

My next question refers to the "204" number in the above pdf. If I understood correctly, the idea is to catch "System Information 5" in two frames, one before and one after the Ciphering Mode Command? If so, why 204 and not 102? This reference (http://gsmfordummies.com/tdma/logical.shtml) says that "SACCH that is associated with an SDCCH is only transmitted every other multiframe", so SACCH burst blocks repeat every 102 frames, don't they? Where can I find any information on when each of those "SYSTEM INFORMATION 5/6/5ter" messages is repeated within the SACCH at all? Is there any other tip for finding Kc? Is this dependent on the network configuration (and if so, how)?

So, another point... I'm following some data in Wireshark. On the CCCH I found an "Immediate Assignment" and I see that timeslot 1 is assigned.

Then, decoding timeslot 1 and playing around with "System Information 5" before/after ciphering... If I cannot find any match with Kraken, does this mean that I should forget the data I'm tracking? Again, I'm back to my first question: what does a found Kc mean in practice at all? The ability to decrypt that one specific call, or maybe more?

And one observation... There is a gsmframecoder tool recommended for burst synthesis. In my recordings it's usually timing advance = 0, so no need for a change. But when I put data into gsmframecoder anyway, its output is sometimes different from the original. I figured out that this happens when airprobe prints a warning about errors (e.g. WRN: errors=5 fn=2196887). When there is no warning, the output is the same. So I guess that the framecoder corrects those errors, or what?

I started a few hours ago with the following approach: find several unencrypted "System Information 5" bursts, try to isolate those that are the same, and use them for the XOR later in order to have 100% error-free bits. Am I going in the wrong direction?

Any help, tip, reference, whatever... is appreciated, thanks a lot!

Ljubomir

_______________________________________________
A51 mailing list
[email protected]
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
