Hello list! I've got my Kraken going finally and successfully decoded the sample file. However, I still have some questions which I could not find the answers to. I'd really appreciate it if anyone could shed some light on these matters.
1. If you have a Samsung phone and you dial *#0011# it gives you a simple GSM info screen. I can see MCC, MNC, BAND, ARFCN, Timing Advance. Is this TA parameter the same Timing Advance parameter in the L1 header? If yes, how would this be related to the packets sent from the BTS to my MS? Should I inspect packets with the TA of my phone for myself?

2. How can I use the subslot to make a better filter to find the right frame to guess? I read somewhere that you can only use the same subslot to guess the encrypted frame. Could you please elaborate more on this?

3. When using the find_kc tool it gives you a "found potential bits" number. I learned that the higher this value is, the better the chances of finding a key. But what does it exactly mean?

4. I used the SI5 in the sample file instead of an empty packet and could recover the key, but in this post: https://lists.srlabs.de/pipermail/a51/2011-January/001058.html the empty frame is used, just like in the talk Mr Karsten Nohl gave. How did he exactly guess the encrypted frame number? I experimented with various SIs and it seems they all have the same +204 frame repeat pattern, but empty packets seem better candidates. I read somewhere in the mailing list that Mr Nohl said empty frames appear at the start/end of an SDCCH trace. Can you please elaborate more on this, since there seems to be no pattern for empty frames?

5. When I view my own captures there are often many TMSIs which are being paged. Does the BTS actually want to do something with them, or is it just paging? (This is more of a GSM question, sorry.)

6. In my own capture files I sometimes see the Ciphering Mode Command frame 2 times with a short time between them and a paging request or response. Is it possible that the BTS issues the ciphering command at random, or does it happen only when it wants to communicate with a specific MS? Also, sometimes the paging request before the Immediate Assignment contains 3 to 4 TMSIs. How does each MS know whether the Assignment is or isn't for it?

7. Which paging request is the one used for the Immediate Assignment? Is it Paging Request Type 1 / 2 / 3, or doesn't it really matter?

Sorry for the long mail. If it's necessary I can provide more data or sample capture files.

Best regards,
Daniel H
_______________________________________________
A51 mailing list
[email protected]
https://lists.srlabs.de/cgi-bin/mailman/listinfo/a51
