Another question from me, regarding usrp2 reception.... I tried all the same, but against a 1.8G BS which has a more powerful signal in my local neighborhood. The result is that no matter how long I record data, after putting it into Wireshark only a few seconds at the beginning are decoded. When decoding 0B, for example, I get a lot of messages like these in the log:
cch.c:419 error: sacch: parity error (-1 fn=1848306)
gsmstack.c:301 cannot decode fnr=0x1c33f2 (1848306) ts=0
cch.c:419 error: sacch: parity error (-1 fn=1848310)
gsmstack.c:301 cannot decode fnr=0x1c33f6 (1848310) ts=0
sch.c:260 ERR: conv_decode 11
cch.c:419 error: sacch: parity error (-1 fn=1848316)
gsmstack.c:301 cannot decode fnr=0x1c33fc (1848316) ts=0
cch.c:419 error: sacch: parity error (-1 fn=1848320)
gsmstack.c:301 cannot decode fnr=0x1c3400 (1848320) ts=0
sch.c:260 ERR: conv_decode 11
cch.c:419 error: sacch: parity error (-1 fn=1848326)
gsmstack.c:301 cannot decode fnr=0x1c3406 (1848326) ts=0
cch.c:419 error: sacch: parity error (-1 fn=1848330)
gsmstack.c:301 cannot decode fnr=0x1c340a (1848330) ts=0
sch.c:260 ERR: conv_decode 11
cch.c:419 error: sacch: parity error (-1 fn=1848336)
gsmstack.c:301 cannot decode fnr=0x1c3410 (1848336) ts=0
cch.c:419 error: sacch: parity error (-1 fn=1848340)
gsmstack.c:301 cannot decode fnr=0x1c3414 (1848340) ts=0
sch.c:260 ERR: conv_decode 10
cch.c:419 error: sacch: parity error (-1 fn=1848347)
gsmstack.c:301 cannot decode fnr=0x1c341b (1848347) ts=0
cch.c:419 error: sacch: parity error (-1 fn=1848351)
gsmstack.c:301 cannot decode fnr=0x1c341f (1848351) ts=0
sch.c:260 ERR: conv_decode 8
cch.c:419 error: sacch: parity error (-1 fn=1848357)
gsmstack.c:301 cannot decode fnr=0x1c3425 (1848357) ts=0
cch.c:419 error: sacch: parity error (-1 fn=1848361)
gsmstack.c:301 cannot decode fnr=0x1c3429 (1848361) ts=0
sch.c:260 ERR: conv_decode 12
cch.c:419 error: sacch: parity error (-1 fn=1848367)
gsmstack.c:301 cannot decode fnr=0x1c342f (1848367) ts=0
cch.c:419 error: sacch: parity error (-1 fn=1848371)
gsmstack.c:301 cannot decode fnr=0x1c3433 (1848371) ts=0

At the beginning there are only a few. When doing the same with local 900M stations I get a lot of these errors all the time.
Here is the recording command:

sudo ./rx_samples_to_file --freq 1844e6 --rate 574712.64367816091954022988 --gain 60 --file ~/gsm/dumps/test.raw

I don't have an external clock attached (I guess this is the problem, but it would be nice if someone could confirm that ...)

Cheers,
Ljubomir

2012/1/3 Љубомир Самарџић <[email protected]>:
> Hi all,
>
> I've installed airprobe, uhd and kraken with 2TB tables. I'm trying to
> decrypt some traffic to have a working example. But I have a few
> questions for which I couldn't find any reference that would help me
> get good answers.
>
> So here is the case: when I follow this reference:
> http://www.ks.uni-freiburg.de/download/misc/practical_exercise_a51.pdf
> I can find Kc and reveal voice data in the example recording
> (http://reflextor.com/vf_call6_a725_d174_g5_Kc1EF00BAB3BAC7002.cfile.gz).
> But when I try to do the same with my own recordings (I have a usrp2
> too), I get nothing. And while reading this I realized that some
> issues are described very vaguely there.
>
> First of all, as the original reference says
> (http://srlabs.de/uncategorized/airprobe-how-to/): Usually capture
> some calls of your own phone where you know the Kc (it can be read
> from the SIM or displayed by the Engineering Mode Screen of some
> phones) and look for known-plain-text candidates. An example are
> "SYSTEM INFORMATION 5/6/5ter" in the SACCH or "LAPDM U, func=UI"
> frames.
>
> So, what is the purpose of tracking down bursts encoded with my own Kc
> when I'm trying to decrypt something else? Is this tip only for
> demonstration purposes? If I got it right, Kc is different for each
> MS (http://gsmfordummies.com/encryption/encryption.shtml). So this
> thing confuses me a lot.
>
> My next question refers to the "204" number in the above pdf. If I got
> it right, the idea is to catch "System Information 5" in two frames,
> one before and one after the ciphering mode command? If so, why then
> 204, why not 102? This reference
> (http://gsmfordummies.com/tdma/logical.shtml) says that "SACCH that is
> associated with an SDCCH is only transmitted every other multiframe",
> so SACCH burst blocks repeat every 102 frames, don't they?
>
> Where can I find any information regarding this, i.e. when each of
> those "SYSTEM INFORMATION 5/6/5ter" messages is repeated within the
> SACCH? Is there any other tip regarding finding Kc? Is this network
> configuration dependent (and if it is, how)?
>
> So, another point... I'm following some data in Wireshark.... On CCCH
> I found "Immediate assignment" and I see that timeslot 1 is assigned.
> Then, decoding timeslot 1 and playing around with "System Information
> 5" before/after ciphering .... If I cannot find any match with Kraken,
> does this mean that I should forget the data I'm tracking? Again, I'm
> back to my first question: what does a found Kc mean in practice at
> all? The ability to decrypt that one specific call, or maybe more?
>
> And one observation I'd say ... There is a gsmframecoder tool
> recommended for burst synthesis. In my recordings it's usually timing
> advance = 0, so there is no need for a change. But when I put data
> into gsmframecoder anyway, its output is sometimes different compared
> to the original. I figured out that it happens when airprobe prompts
> with a warning about errors (i.e.: WRN: errors=5 fn=2196887). When
> there is no warning, the output is the same. So I guess that
> framecoder corrects those errors, or what? I started a few hours ago
> with the following approach: find several unencrypted "System
> Information 5" bursts and try to isolate those that are the same and
> use them for the xor later in order to have 100% error-free bits. Am I
> going in the wrong direction?
>
> Any help, tip, reference, whatever ... is appreciated, thanks a lot!
>
> Ljubomir

_______________________________________________
A51 mailing list
[email protected]
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
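An added diagnostic example, not from the mail or from airprobe itself: it parses "cannot decode" and SCH lines in the log format quoted at the top of the reply and maps each failed frame number onto the downlink TS0 51-multiframe of GSM 05.02, so one can see whether failures hit every BCCH/CCCH block and every SCH slot (a systematic sync or clock problem) or only scattered bursts. The log excerpt is constructed from the frame numbers quoted above; the frame-number split into T1/T2/T3 follows GSM 05.02.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the gsmstack/airprobe log quoted above.
LOG = """\
gsmstack.c:301 cannot decode fnr=0x1c3406 (1848326) ts=0
gsmstack.c:301 cannot decode fnr=0x1c340a (1848330) ts=0
sch.c:260 ERR: conv_decode 11
gsmstack.c:301 cannot decode fnr=0x1c3410 (1848336) ts=0
gsmstack.c:301 cannot decode fnr=0x1c3414 (1848340) ts=0
sch.c:260 ERR: conv_decode 10
gsmstack.c:301 cannot decode fnr=0x1c341b (1848347) ts=0
gsmstack.c:301 cannot decode fnr=0x1c341f (1848351) ts=0
sch.c:260 ERR: conv_decode 8
gsmstack.c:301 cannot decode fnr=0x1c3425 (1848357) ts=0
"""

CANNOT_DECODE = re.compile(r"cannot decode fnr=0x([0-9a-f]+) \((\d+)\) ts=(\d+)")

# Downlink TS0 51-multiframe (GSM 05.02): SCH in frames 1,11,21,31,41;
# BCCH block is frames 2-5; nine four-burst CCCH blocks end at 9,15,...,49.
SCH_FRAMES = {1, 11, 21, 31, 41}
BLOCK_END = {5: "BCCH", **{t3: "CCCH" for t3 in (9, 15, 19, 25, 29, 35, 39, 45, 49)}}

def fn_to_t123(fn):
    """Split a TDMA frame number into T1, T2 (26-multiframe), T3 (51-multiframe)."""
    return fn // (26 * 51) % 2048, fn % 26, fn % 51

def parse_failures(log):
    """Return (fn, ts, block) per 'cannot decode' line; checks hex == decimal."""
    out = []
    for m in CANNOT_DECODE.finditer(log):
        fn_hex, fn, ts = int(m.group(1), 16), int(m.group(2)), int(m.group(3))
        if fn_hex != fn:
            raise ValueError(f"hex/decimal frame number mismatch: {m.group(0)}")
        out.append((fn, ts, BLOCK_END.get(fn_to_t123(fn)[2])))
    return out

def sch_error_ratio(log):
    """Observed SCH conv_decode errors vs. SCH slots in the covered frame range."""
    fns = [fn for fn, _, _ in parse_failures(log)]
    expected = sum(1 for fn in range(fns[0], fns[-1] + 1) if fn % 51 in SCH_FRAMES)
    observed = len(re.findall(r"sch\.c:\d+ ERR: conv_decode", log))
    return observed, expected

def summarize(log):
    """Count which control-channel block each failed frame closes."""
    return Counter(block for _, _, block in parse_failures(log))
```

On the quoted excerpt every failed frame is the last burst of a BCCH or CCCH block and every SCH slot in the range produces a conv_decode error, i.e. nothing on TS0 decodes once the stream has drifted, which fits the author's suspicion of a clock problem better than isolated burst corruption.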
