Re: [A51] Reporting in.. (what's there, what's missing and some ideas?)

2010-07-28 Thread Sylvain Munaut
> So the known plain text is a fixed-length string, or can it differ
> dramatically?
> If it is somewhat fixed we can ask the members to contribute their
> known plain text into a database in order for others to use.

Not read far enough into GSM 04.08 I see :)

That plain text will depend on the cell you're on. But by establishing
a channel yourself you can gather most of it.

Trust me, I know for a fact that using SI5/SI6 (and SI5bis/SI5ter if
applicable) provides plenty of easily generated plain text. Playing
with the CIPHER MODE RESPONSE or the LAPDm ACKs isn't even needed ...


Sylvain
___
A51 mailing list
A51@lists.reflextor.com
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51


Re: [A51] Reporting in.. (what's there, what's missing and some ideas?)

2010-07-28 Thread Dinos Pastos
So the known plain text is a fixed-length string, or can it differ dramatically?
If it is somewhat fixed we can ask the members to contribute their
known plain text into a database in order for others to use.

On Wed, Jul 28, 2010 at 10:34 PM, Frank A. Stevenson  wrote:
> On Wed, 2010-07-28 at 19:20 +0200, Fabio Pietrosanti (naif) wrote:
>
>> 1) Airprobe dumps the phone call traffic
>>     - We know that it requires important improvement for demodulation of
>> real signals
>>     - We have to see which is the best practical approach to do it, to
>> detect the call, to follow it and which procedure must be implemented
>>
>> 2) Kraken cracks the call A5/1 Kc key (that's the most important piece)
>>
>> 3) Some piece of sw decrypts the A5/1 encrypted dump generated by
>> Airprobe with the Kc cracked by Kraken.
>>
>
> There is an intermediate step here which one shouldn't forget. One needs
> to find and identify known plaintext, which can be different from
> network to network. So for initial decryption one will have to find a
> way to get Kc from one's SIM card, and use that to decrypt and analyze
> call setup (on own conversations). This item is probably already made,
> but should be on the list. An alternative may be to use a straight dump
> from a Nokia phone.
>
> Frank
>
>
>


Re: [A51] Reporting in.. (what's there, what's missing and some ideas?)

2010-07-28 Thread Frank A. Stevenson
On Wed, 2010-07-28 at 19:20 +0200, Fabio Pietrosanti (naif) wrote:

> 1) Airprobe dumps the phone call traffic
> - We know that it requires important improvement for demodulation of
> real signals
> - We have to see which is the best practical approach to do it, to
> detect the call, to follow it and which procedure must be implemented
> 
> 2) Kraken cracks the call A5/1 Kc key (that's the most important piece)
> 
> 3) Some piece of sw decrypts the A5/1 encrypted dump generated by
> Airprobe with the Kc cracked by Kraken.
> 

There is an intermediate step here which one shouldn't forget. One needs
to find and identify known plaintext, which can be different from
network to network. So for initial decryption one will have to find a
way to get Kc from one's SIM card, and use that to decrypt and analyze
call setup (on own conversations). This item is probably already made,
but should be on the list. An alternative may be to use a straight dump
from a Nokia phone.

Frank




Re: [A51] Reporting in.. (what's there, what's missing and some ideas?)

2010-07-28 Thread Fabio Pietrosanti (naif)
On 25/07/10 19.40, Harald Welte wrote:
> seems fine to me.
>   

USRP1 hardware is coming.
The 2TB tables are coming (I will share them online over a 50Mbps connection
for 2-3 months).
Next week I should be able to start practical hands-on hacking on the
GSM security stuff.

By looking at the documentation and at the tools currently available it
seems to me that there's still something else missing.

Let me over-summarize the flow for a typical use:

0) USRP1 + DBRX + 900 MHz antenna listens to air traffic

1) Airprobe dumps the phone call traffic
- We know that it requires important improvement for demodulation of
real signals
- We have to see which is the best practical approach to do it, to
detect the call, to follow it and which procedure must be implemented

2) Kraken cracks the call A5/1 Kc key (that's the most important piece)

3) Some piece of sw decrypts the A5/1 encrypted dump generated by
Airprobe with the Kc cracked by Kraken.

4) Some piece of sw must have the capability to extract from the
decrypted dump the audio flow in GSM or AMR audio format

5) Mplayer replays the intercepted, recorded, decrypted phone call

I understand that there are those limits of airprobe that require strong
improvement, which is in progress.

But are points "3" and "4" (like post-processing) already implemented or
on the way somehow in some of the sub-projects?

Fabio


Re: [A51] Reporting in..

2010-07-26 Thread Dinos Pastos
If someone has this, please send :) dinopio .(@). gmail.com

On Mon, Jul 26, 2010 at 4:24 PM, javier falbo  wrote:
> Yes, this is the main paper, but there are some extras and more information
> concerning the algorithm.
> It could be decoded in seconds on a "normal" PC computer. :)
> The main problem is to have hardware with big bandwidth; nowadays all
> of them are military equipment.
> Javier
>
>> Date: Mon, 26 Jul 2010 16:19:51 +0300
>> Subject: Re: [A51] Reporting in..
>> From: dino...@gmail.com
>> To: javier_fa...@hotmail.com
>> CC: sur...@stud.ntnu.no; pe...@stuge.se; a51@lists.reflextor.com
>>
>> http://eprint.iacr.org/2010/013.pdf Kasumi whitepaper
>>
>> On Mon, Jul 26, 2010 at 4:13 PM, javier falbo 
>> wrote:
>> > Yes Max.
>> > Contact me in private to my email.
>> > Javier
>> >
>> >> Date: Mon, 26 Jul 2010 13:12:03 +0200
>> >> From: sur...@stud.ntnu.no
>> >> To: javier_fa...@hotmail.com
>> >> CC: pe...@stuge.se; a51@lists.reflextor.com
>> >> Subject: Re: Re: [A51] Reporting in..
>> >>
>> >> Quoting javier falbo :
>> >>
>> >> > In order to monitor more data channels simultaneously, and prepare the
>> >> > next step which is the 3G (KASUMI), which is not so difficult as the
>> >> > algorithm could be decoded very fast with the last Asiacrypt paper.
>> >>
>> >> Do you have a link to this paper by any chance?
>> >> I managed to miss it somehow :(
>> >>
>> >> kind regards,
>> >> Max.
>> >>
>> >>
>> >


Re: [A51] Reporting in..

2010-07-26 Thread javier falbo

Yes, this is the main paper, but there are some extras and more information
concerning the algorithm.
It could be decoded in seconds on a "normal" PC computer. :)
The main problem is to have hardware with big bandwidth; nowadays all of
them are military equipment.
Javier

> Date: Mon, 26 Jul 2010 16:19:51 +0300
> Subject: Re: [A51] Reporting in..
> From: dino...@gmail.com
> To: javier_fa...@hotmail.com
> CC: sur...@stud.ntnu.no; pe...@stuge.se; a51@lists.reflextor.com
> 
> http://eprint.iacr.org/2010/013.pdf Kasumi whitepaper
> 
> On Mon, Jul 26, 2010 at 4:13 PM, javier falbo  
> wrote:
> > Yes Max.
> > Contact me in private to my email.
> > Javier
> >
> >> Date: Mon, 26 Jul 2010 13:12:03 +0200
> >> From: sur...@stud.ntnu.no
> >> To: javier_fa...@hotmail.com
> >> CC: pe...@stuge.se; a51@lists.reflextor.com
> >> Subject: Re: Re: [A51] Reporting in..
> >>
> >> Quoting javier falbo :
> >>
> >> > In order to monitor more data channels simultaneously, and prepare the
> >> > next step which is the 3G (KASUMI), which is not so difficult as the
> >> > algorithm could be decoded very fast with the last Asiacrypt paper.
> >>
> >> Do you have a link to this paper by any chance?
> >> I managed to miss it somehow :(
> >>
> >> kind regards,
> >> Max.
> >>
> >>
> >


Re: [A51] Reporting in..

2010-07-26 Thread Dinos Pastos
http://eprint.iacr.org/2010/013.pdf Kasumi whitepaper

On Mon, Jul 26, 2010 at 4:13 PM, javier falbo  wrote:
> Yes Max.
> Contact me in private to my email.
> Javier
>
>> Date: Mon, 26 Jul 2010 13:12:03 +0200
>> From: sur...@stud.ntnu.no
>> To: javier_fa...@hotmail.com
>> CC: pe...@stuge.se; a51@lists.reflextor.com
>> Subject: Re: Re: [A51] Reporting in..
>>
>> Quoting javier falbo :
>>
>> > In order to monitor more data channels simultaneously, and prepare the
>> > next step which is the 3G (KASUMI), which is not so difficult as the
>> > algorithm could be decoded very fast with the last Asiacrypt paper.
>>
>> Do you have a link to this paper by any chance?
>> I managed to miss it somehow :(
>>
>> kind regards,
>> Max.
>>
>>
>


Re: [A51] Reporting in..

2010-07-26 Thread javier falbo

Yes Max.
Contact me in private to my email. 
Javier

> Date: Mon, 26 Jul 2010 13:12:03 +0200
> From: sur...@stud.ntnu.no
> To: javier_fa...@hotmail.com
> CC: pe...@stuge.se; a51@lists.reflextor.com
> Subject: Re:  Re: [A51] Reporting in..
> 
> Quoting javier falbo :
> 
> > In order to monitor more data channels simultaneously, and prepare the
> > next step which is the 3G (KASUMI), which is not so difficult as the
> > algorithm could be decoded very fast with the last Asiacrypt paper.
> 
> Do you have a link to this paper by any chance?
> I managed to miss it somehow :(
> 
> kind regards,
> Max.
> 
> 
  


Re: [A51] Reporting in..

2010-07-26 Thread suraev
Quoting javier falbo :

> In order to monitor more data channels simultaneously, and prepare the
> next step which is the 3G (KASUMI), which is not so difficult as the
> algorithm could be decoded very fast with the last Asiacrypt paper.

Do you have a link to this paper by any chance?
I managed to miss it somehow :(

kind regards,
Max.




Re: [A51] Reporting in.. (what's there, what's missing and some ideas?)

2010-07-25 Thread Sylvain Munaut
Hi,

> Ok, I just ordered USRP1 + DBRX + Antenna with express shipping and I'm
> seeing to retrieve a copy of the 2TB rainbow tables.
> So I should be equipped to be able to run with both OpenBTS and Airprobe.

OpenBTS won't work without a RX/TX setup obviously ...
(You can extract the RX code and try to run it separately but that's
not out of the box stuff)


> I think that basically it's just illegal to receive and transmit on
> exclusively licensed frequencies such as 900 MHz and 1800 MHz,
> independently from the fact that you are listening and cracking your own
> SIM card connected to your mobile operator.

Transmitting without authorization in licensed bands, I'm sure it's
illegal in nearly all countries.

For reception only though I think it depends on where you are. In
Belgium, in all the legislation I read, it's not illegal to receive
only. (Of course, targeting other people's conversations and/or
deciphering other things than your own is illegal, but that's covered
by 'privacy/wiretapping' laws rather than purely radiotelecom ones)


> So in theory also making TX/RX with Siemens BS-11 BTS plus or ip.access
> nanoBTS would just be illegal.

You can get experimental low power licences relatively cheaply in some
countries.
(Here in Belgium you'll have to go through a company that must have
some telecom related business but that's not hard to do)

Also, you can skip the 'air' step: a big attenuator in the middle
works just great, i.e. connect the BTS output directly to the USRP via
an attenuator. (DO NOT forget the attenuator or your USRP will be
short lived!)


> But does the code that can be downloaded from the SVN already work
> with USRP1 and with USRP2 or does it require code hacking to basically work
> with one of them?

I think airprobe just requires code hacking anyway :)


> And will both USRP1 and USRP2 be usable with the upcoming airprobe
> improvements or is there some code logic that's specific to USRP1 or USRP2?
> If both are compatible, which are the practical advantages/disadvantages
> of using USRP1 versus using USRP2 for playing with airprobe?

airprobe currently uses a 'standard' gnuradio graph. The only USRP1
specific block is the signal source; just remove it and instantiate a
USRP2 rx block in the python code and it should work fine, pretty easy
to do.


Cheers,

Sylvain


Re: [A51] Reporting in.. (what's there, what's missing and some ideas?)

2010-07-25 Thread Dinos Pastos
I'm in the same waiting list.
I ordered a USRP2 + a couple of receivers for other research also, so
I'm killing 2 birds with 1 stone in my case.

I've started to read everything out there on the subject and it's very
enlightening.
Regarding legalities, please keep us informed, although each country varies.



On Sun, Jul 25, 2010 at 11:47 PM, Fabio Pietrosanti (naif)
 wrote:
> On 25/07/10 19.40, Harald Welte wrote:
>> Sure.  But this hasn't really changed much in a number of years for now.
>> The various projects that form airprobe are around for 2-3 years (at least),
>> and none of the people who have managed to reproduce the setup have
>> decided to write documentation or improve the projects much.
>>
> Ok, I just ordered USRP1 + DBRX + Antenna with express shipping and I'm
> seeing to retrieve a copy of the 2TB rainbow tables.
> So I should be equipped to be able to run with both OpenBTS and Airprobe.
>
> When the hardware arrives I will start playing with it to get enough
> basic knowledge of the software setup and see which are the difficulties
> I will encounter, documenting the setup process, what would require
> better explanation and basic tool usage in a "howto" approach.
>
> I hope that most of the information would be provided also by Karsten in
> the BH talk, in order to make even easier the job of writing down a
> howto for non-gsm-protocol-stack-coder and non-hardcore-cryptoanalyst. :-)
>> sure, but you can just work with existing capture/sample files of GSM and
>> work on them.  Of course you shouldn't do this on real-world data from
>> real-world operators - but there are more than 70 people who have bought
>> an inexpensive Siemens BS-11 BTS plus more people with ip.access nanoBTS
>> who can run OpenBSC (which has encryption + authentication support) and
>> establish encrypted calls on such a cell.  Samples from that traffic
>> can legally be distributed without any legal issues.  And everyone can
>> test, play with and improve the software tools before he decides on buying
>> any hardware.
>>
> Let's discuss the legal framework in more detail.
>
> I think that basically it's just illegal to receive and transmit on
> exclusively licensed frequencies such as 900 MHz and 1800 MHz,
> independently from the fact that you are listening and cracking your own
> SIM card connected to your mobile operator.
> So in theory also making TX/RX with Siemens BS-11 BTS plus or ip.access
> nanoBTS would just be illegal.
>
> I am going to write to the mailing list of the Italian Lawyer Association for
> IT Laws (www.csig.it) to check and get a picture about it regarding
> Italian laws (or whether there's some Europe-wide regulation).
>
> I know for sure that there are 2 different authorizations, one for being
> a ham radio (TX/RX on certain freq.) and one for being a radio listener
> (that I don't know if there are freq. limits).
> I am going to write to the mailing list of the Italian Lawyer Association for
> IT Laws (www.csig.it) to check and get a picture about it.
>
> Are there in Germany specific rules related to:
> - Acquiring permission for research
> - Acquiring permission for limited radio emission
> - Acquiring permission for radio listening
> ?
>
> If there's a legal framework that allows transmitting and receiving on those
> frequencies, which kind of law interpretation affects the differences
> between listening to your own BTS versus listening to the mobile operator's
> BTS by cracking the SIM card of your subscription? You are on the same
> frequency in both cases.
> I think that regarding the privacy and monitoring laws, if I am aware of
> the tapping or I am authorized by the owner of the subscription, the
> subject's privacy would not be broken.
> So, given the permission to make radio listening on certain frequencies,
> there would be a different accusation related to listening to mobile operator
> specific channels (given that you are listening only to yourself).
>
> Additionally, does airprobe allow filtering precisely which on-air
> data to dump (a specific IMSI) or does it read and work on other radio
> streams that do not strictly relate to the specific IMSI connection?
>
> For example with WiFi hacking and cracking you are listening on the 2.4 GHz
> frequency spectrum where a lot of APs exist, but you record and crack
> only the data related to the AP or user you want to hack (and for which
> you may be authorized).
>
>>> @ Airprobe is a GSM network sniffer whose online documentation refers to USRP1
>>>
>> ACK. You can use any frontend, and you can also use it with USRP2.  In fact,
>> you can use it with any
>>
> Ok, I got the point.
> But does the code that can be downloaded from the SVN already work
> with USRP1 and with USRP2 or does it require code hacking to basically work
> with one of them?
> And will both USRP1 and USRP2 be usable with the upcoming airprobe
> improvements or is there some code logic that's specific to USRP1 or USRP2?
> If both are compatible, which are the practical advantages/disadvantages
> of u

Re: [A51] Reporting in.. (what's there, what's missing and some ideas?)

2010-07-25 Thread Fabio Pietrosanti (naif)
On 25/07/10 19.40, Harald Welte wrote:
> Sure.  But this hasn't really changed much in a number of years for now.
> The various projects that form airprobe are around for 2-3 years (at least),
> and none of the people who have managed to reproduce the setup have
> decided to write documentation or improve the projects much.
>   
Ok, I just ordered USRP1 + DBRX + Antenna with express shipping and I'm
seeing to retrieve a copy of the 2TB rainbow tables.
So I should be equipped to be able to run with both OpenBTS and Airprobe.

When the hardware arrives I will start playing with it to get enough
basic knowledge of the software setup and see which are the difficulties
I will encounter, documenting the setup process, what would require
better explanation and basic tool usage in a "howto" approach.

I hope that most of the information would be provided also by Karsten in
the BH talk, in order to make even easier the job of writing down a
howto for non-gsm-protocol-stack-coder and non-hardcore-cryptoanalyst. :-)
> sure, but you can just work with existing capture/sample files of GSM and
> work on them.  Of course you shouldn't do this on real-world data from
> real-world operators - but there are more than 70 people who have bought
> an inexpensive Siemens BS-11 BTS plus more people with ip.access nanoBTS
> who can run OpenBSC (which has encryption + authentication support) and
> establish encrypted calls on such a cell.  Samples from that traffic
> can legally be distributed without any legal issues.  And everyone can
> test, play with and improve the software tools before he decides on buying
> any hardware.
>   
Let's discuss the legal framework in more detail.

I think that basically it's just illegal to receive and transmit on
exclusively licensed frequencies such as 900 MHz and 1800 MHz,
independently from the fact that you are listening and cracking your own
SIM card connected to your mobile operator.
So in theory also making TX/RX with Siemens BS-11 BTS plus or ip.access
nanoBTS would just be illegal.

I am going to write to the mailing list of the Italian Lawyer Association for
IT Laws (www.csig.it) to check and get a picture about it regarding
Italian laws (or whether there's some Europe-wide regulation).

I know for sure that there are 2 different authorizations, one for being
a ham radio (TX/RX on certain freq.) and one for being a radio listener
(that I don't know if there are freq. limits).
I am going to write to the mailing list of the Italian Lawyer Association for
IT Laws (www.csig.it) to check and get a picture about it.

Are there in Germany specific rules related to:
- Acquiring permission for research
- Acquiring permission for limited radio emission
- Acquiring permission for radio listening
?

If there's a legal framework that allows transmitting and receiving on those
frequencies, which kind of law interpretation affects the differences
between listening to your own BTS versus listening to the mobile operator's
BTS by cracking the SIM card of your subscription? You are on the same
frequency in both cases.
I think that regarding the privacy and monitoring laws, if I am aware of
the tapping or I am authorized by the owner of the subscription, the
subject's privacy would not be broken.
So, given the permission to make radio listening on certain frequencies,
there would be a different accusation related to listening to mobile operator
specific channels (given that you are listening only to yourself).

Additionally, does airprobe allow filtering precisely which on-air
data to dump (a specific IMSI) or does it read and work on other radio
streams that do not strictly relate to the specific IMSI connection?

For example with WiFi hacking and cracking you are listening on the 2.4 GHz
frequency spectrum where a lot of APs exist, but you record and crack
only the data related to the AP or user you want to hack (and for which
you may be authorized).

>> @ Airprobe is a GSM network sniffer whose online documentation refers to USRP1
>> 
> ACK. You can use any frontend, and you can also use it with USRP2.  In fact,
> you can use it with any
>   
Ok, I got the point.
But does the code that can be downloaded from the SVN already work
with USRP1 and with USRP2 or does it require code hacking to basically work
with one of them?
And will both USRP1 and USRP2 be usable with the upcoming airprobe
improvements or is there some code logic that's specific to USRP1 or USRP2?
If both are compatible, which are the practical advantages/disadvantages
of using USRP1 versus using USRP2 for playing with airprobe?

>> @ OpenBSC is a Base Station Controller (BSC) to be used with BTS Siemens
>> BS11 microBTS and ip.access nanoBTS and requires an E1 telephony card for
>> interconnection
>> 
> E1 only in case of the BS11
>   
On the BTS procurement, which are the most accessible sources (shops,
distributors, etc) to acquire it in Europe (or even in South America,
USA and Asia)?
That way we can provide hints on how to get the hardware for BTS.
>> @ A 

Re: [A51] Reporting in..

2010-07-25 Thread Harald Welte
On Sat, Jul 24, 2010 at 08:17:02PM +0200, Sylvain Munaut wrote:

[...]

> OTOH, as you said creating a brand new board based on those chips
> would be a loss of time.

Agreed.

I also believe that it is very hard to make a significantly cheaper design,
if you factor in the R&D cost, the small quantities that you'll be building,
etc.  You might end up with let's say 500 USD - but you will not be able to
build a USD 50 board that has a wideband receiver with high dynamic range
to capture the full GSM900 band...

So if you want to work on a single-ARFCN solution, using one of the
Calypso/Iota/Rita phones is definitely sufficient and cheap.  We have
the software to get the raw samples from the DSP, so you can run the full
airprobe code on the data that you receive.

If you want to work on multi-ARFCN, the USRP1 with a single receive-board
or a USRP2 is actually not all that expensive given the bandwidth you get from
it.

Regards,
Harald
-- 
- Harald Welte           http://laforge.gnumonks.org/

"Privacy in residential applications is a desirable marketing option."
  (ETSI EN 300 175-7 Ch. A6)




Re: [A51] Reporting in..

2010-07-25 Thread Harald Welte
Hi all,

On Sat, Jul 24, 2010 at 09:11:19PM +0200, Clemens Gruber wrote:

> > Yeah. The focus isn't on PCBs. As you say, this is a software
> > intensive area, the required hardware is "simple".
> > 
> > Hardware in hand of course does not bring any software, but already
> > thinking about that hardware helps identify what software to focus
> > on, and next step, hardware availability helps people get involved. 
> 
> Exactly, the point is.. there are many students (like me) and other
> possible contributors out there who are not able to spend 1000 US
> Dollars for buying a USRP1+Daughterboards+Antenna + UPS to Europe
> (delivery itself is about 100USD + taxes?)
>
> How do you want people to contribute code to the airprobe project if
> they have not enough money to buy a USRP?
 
There are plenty of USRP-captured files with GSM samples available.

Based on those samples, you can do any of the receiver optimizations or
reimplementations or any other work in this project.  Whatever improved
software is the result of such work will work with any receiver hardware,
whether existing or future, whether expensive or cheap.

-- 
- Harald Welte           http://laforge.gnumonks.org/

"Privacy in residential applications is a desirable marketing option."
  (ETSI EN 300 175-7 Ch. A6)


Re: [A51] Reporting in..

2010-07-25 Thread Harald Welte
Hi all,

On Sat, Jul 24, 2010 at 08:40:42PM +0100, Cal Leeming [Simplicity Media Ltd] wrote:
> Yeah, technically someone with a USRP could seed a 20 minute airwave dump,
> and you could replay it into whatever software you were using, but again, it
> wouldn't be as fun.. Not sure about the legal implication either :S This is
> what the guys at THC did though back in 2008 I believe...

Anyone with a Siemens BS-11 and OpenBSC (which is more than 70 people in this
"open GSM community") can run a cell that does encryption, and more recently
even with frequency hopping.

Running a USRP1 or USRP2 in the vicinity while making phone calls and
sending/receiving SMS on that cell is also possible for many of those
people.

There are no legal issues working with such a set of test data!

And regarding the "not as much fun" aspect:  Whether or not you have the
hardware will not change your ability to improve the codebase.  I think
people fool themselves by buying+owning the hardware, testing it with
airprobe and then simply waiting for somebody else to improve the software.

Why not do it the other way around: improve the software and once you
have reached your goal, reward yourself with buying the hardware. Or
alternatively: See the reward by everyone else being happy about the
improved code, and then start to work on less expensive hardware,
if there really is a need for it.  But that new hardware without better
software will not make it any easier for other people to play with
airprobe.

-- 
- Harald Welte           http://laforge.gnumonks.org/

"Privacy in residential applications is a desirable marketing option."
  (ETSI EN 300 175-7 Ch. A6)




Re: [A51] Reporting in.. (what's there, what's missing and some ideas?)

2010-07-25 Thread Harald Welte
Hi Fabio,

On Sun, Jul 25, 2010 at 12:48:16PM +0200, Fabio Pietrosanti (naif) wrote:
> On 24/07/10 19.30, Harald Welte wrote:
> > Please focus your scarce resources where it is really needed...
> >   
> 
> Harald, I think that you are absolutely right; however let me say that
> doing R&D in telephony is really a pain and it's a kind of knowledge
> not very widespread in the hacking community.

yes.  But like everything else in computer science, it's something
that everyone with a basic background in CS or EE can learn with
reasonable effort.

> If I got the point, now we are in a stage where the various technologies
> require final improvement (from the networking side) and different pieces of
> various projects could be reused for such improvements, particularly for
> airprobe.
> 
> From outside, trying to deal with the various projects, the feeling is
> that it is still a quite dispersed set of projects.
> At the 1st attempt it's still quite difficult to understand which are the
> pieces of the puzzle and how to do what you want to do.
> That's not as easy as playing with the WiFi hacking stuff.

Sure.  But this hasn't really changed much in a number of years for now.
The various projects that form airprobe are around for 2-3 years (at least),
and none of the people who have managed to reproduce the setup have
decided to write documentation or improve the projects much.
 
> People will get crazy when GSM hacking becomes something similar to
> WiFi hacking, in practical terms, with more people involved and more
> people acquiring knowledge on that stuff but at a higher level. :-)
> But security people that want to play with A5/1 stuff just for security
> (not being tlc protocol experts), before investing money to buy the
> hardware, typically want to be sure to be able to use it.
 
sure, but you can just work with existing capture/sample files of GSM and
work on them.  Of course you shouldn't do this on real-world data from
real-world operators - but there are more than 70 people who have bought
an inexpensive Siemens BS-11 BTS plus more people with ip.access nanoBTS
who can run OpenBSC (which has encryption + authentication support) and
establish encrypted calls on such a cell.  Samples from that traffic
can legally be distributed without any legal issues.  And everyone can
test, play with and improve the software tools before he decides on buying
any hardware.

> From what I understood of the various pieces (pls correct me if I am wrong):
> @ OpenBTS is a BTS software hooked directly (no BSC support) with
> Asterisk for telephony service, that works with USRP1

ACK.  It can be used with other USRP frontends or even other SDR with relatively
few code changes.  Some of those changes have been posted as patches to the
list.

> @ Airprobe is a GSM network sniffer whose online documentation refers to USRP1

ACK. You can use any frontend, and you can also use it with USRP2.  In fact,
you can use it with any

> @ OsmocomBB provide:
>   - Baseband processor firmware including all gsm layers protocol stack
> implementation (cool!)
>   - Radio driver that's compatible with certain Motorola, Sony Ericsson
> and OpenMoko

ACK.  You can use this to "run a phone" with control over all layers of
the protocol stack.

> @ OpenBSC is a Base Station Controller (BSC) to be used with the BTS Siemens
> BS11 microBTS and ip.access nanoBTS and requires an E1 telephony card for
> interconnection

E1 only in case of the BS11

> Did I get the point, or am I missing / misunderstanding something?

Seems fine to me.

> So to summarize, from what I understood, to make GSM cracking
> work in a real-world environment we still miss:
> 
> @ Improvement of the Airprobe monitoring software (proper demodulation) to
> keep up with recording long calls and properly following channels (Part
> of it getting improved by Sascha, part by Piotr?)

ACK.

> @ A first full howto on detailed setup hw/sw instruction for a working
> setup to let ppl start with higher level hacking (should come from
> Karsten at BH next week?)

ACK

> @ A community / system for Rainbowtable distribution that can scale-up
> to hundreds of users

ACK.

> Did I understand properly, or is there something else?

It might be worth publishing a summary paper that covers all the available
tools, just like your outline above.

> @ About missing code of airprobe / other tools?
> Regarding what's still missing, would it be reasonable also to provide
> something like "Google Summer of Code" bounties for specific features /
> modules?

I don't think bounties will help.  There should be plenty of people with
motivation, but apparently not enough people with the combination of
available time, skill set and "self-esteem" (i.e. they can do it even
if there are no 1:1 detailed instructions they can follow).

> @ About documentation
> I am available to come for a weekend with the proper hardware (within
> Europe), together with whoever has the deep project knowledge, to prepare a
> setup from scratch, by writing in the mean

Re: [A51] Reporting in..

2010-07-25 Thread Harald Welte
Hi Sascha,

On Sat, Jul 24, 2010 at 08:41:41PM +0200, sascha wrote:
> > As mentionned OpenBTS laurent's decomposition demod seems to be way
> > better than the current one (from the limited testing I did). Another
> > benefit is that you can exploit CUDA _a_lot_ for the first stage of a
> > multi ARFCN receiver. (when you do the math you'll see that things fit
> > together nicely and you end up with a bunch of complex MACs and at the
> > output you have N channels of I/Q samples pre-multiplied for
> > laurent's).
> 
> I am currently implementing a freq_xlating_fir_filter_ccf and a
> fractional_interpolator_cc in CUDA.

Fractional resampling is one of the steps required if your sample clock
is truly free-running and not tunable - like in a typical "true" SDR
receiver such as USRP1/USRP2.  It is the most CPU-intensive operation
of the receive process, and having that in CUDA (or the ATI equivalent)
is definitely going to help.

> next would be the viterbi decoder.

That one is also important, but it is only the last step.  Make sure you
implement a soft-input Viterbi decoder.

> is this not the optimal algorithm to implement?

What is also needed is the actual demodulator ahead of all this,
i.e. what you do after the resampling and before the viterbi decoder.

Something that gives you the 'soft output' bits that you feed into
the 'soft input' viterbi.  And that is where OpenBTS is much better
than what you see in the current airprobe code.

Regards,
Harald
-- 
- Harald Welte  http://laforge.gnumonks.org/

"Privacy in residential applications is a desirable marketing option."
  (ETSI EN 300 175-7 Ch. A6)


___
A51 mailing list
A51@lists.reflextor.com
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51


Re: [A51] Reporting in.. (what's there, what's missing and some ideas?)

2010-07-25 Thread Fabio Pietrosanti (naif)
On 24/07/10 19.30, Harald Welte wrote:
> Please focus your scarce resources where it is really needed...
>   

Harald, I think that you are absolutely right; however, let me say that
doing R&D in telephony is really a pain, and it's a kind of knowledge
not very widespread in the hacking community.
Usually that's considered more like techie stuff for TLC experts:
radio frequency, difficult protocols to deal with, closed hardware, legal
issues, and so the environment is still not knowledgeable enough.
Few hackers I know know what TCH or GPRS reliability class mean.

The entrance barrier (due to telco technology lobbying) to play with
that stuff was very high, and you and all you guys have the very great
and fantastic merit of having opened this environment by providing the
building blocks of software and hardware interaction to play with it.

I would like to try to summarize what I understood of the situation and
status of the projects and propose some ideas.

If I got the point, now we are in a stage where the various technologies
require final improvement (from the networking side) and different pieces of
various projects could be reused for such improvements, particularly for
airprobe.

From outside, trying to deal with the various projects, the feeling is
that it is still a quite dispersed set of projects.
At the 1st attempt it's still quite difficult to understand which are the
pieces of the puzzle and how to do what you want to do.
That's not easy like playing with the WiFi hacking stuff.

People will go crazy when GSM hacking becomes something similar to
WiFi hacking in practical terms, with more people involved and more
people acquiring knowledge of that stuff, but at a higher level. :-)
But security people who want to play with A5/1 stuff just for security
(not being TLC protocol experts) typically want, before investing money
to buy the hardware, to be sure they will be able to use it.

Still, some not major but very important work (compared to previous
activity) needs to be done to reach that stage (I mean with respect to people
using it only as a security playground without having to know the wide
GSM protocol stack in detail).

From what I understood of the various pieces (pls correct me if I am wrong):
@ OpenBTS is BTS software hooked directly (no BSC support) with
Asterisk for telephony service, that works with USRP1
@ Airprobe is a GSM network sniffer whose online documentation refers to USRP1
@ OsmocomBB provides:
  - Baseband processor firmware including a protocol stack implementation
of all GSM layers (cool!)
  - Radio driver that's compatible with certain Motorola, Sony Ericsson
and OpenMoko
@ OpenBSC is a Base Station Controller (BSC) to be used with the BTS Siemens
BS11 microBTS and ip.access nanoBTS and requires an E1 telephony card for
interconnection
@ A5/1 Security project makes the software for cracking by generating and
using rainbow tables (recently improved by Frank Stevenson). It has been
reported that it worked (with airprobe?) with two USRP2 units (but no
public technical setup instructions).
@ A5/1 rainbow tables in a size of 2TB are ready and already available to
several people in the community

Did I get the point, or am I missing / misunderstanding something?

So to summarize, from what I understood, to make GSM cracking
work in a real-world environment we still miss:

@ Improvement of the Airprobe monitoring software (proper demodulation) to
keep up with recording long calls and properly following channels (Part
of it getting improved by Sascha, part by Piotr?)
@ A first full howto with detailed hw/sw setup instructions for a working
setup to let ppl start with higher level hacking (should come from
Karsten at BH next week?)
@ A community / system for rainbow table distribution that can scale up
to hundreds of users

Did I understand properly, or is there something else?

Below are some ideas about that.

@ About missing code of airprobe / other tools?
Regarding what's still missing, would it be reasonable also to provide
something like "Google Summer of Code" bounties for specific features /
modules?
I mean, it's true that volunteer-based development is the best thing,
but providing some economic incentive for open-source development always
helps, also in getting smart young ppl on board (you do something fun and
challenging and earn some money for holidays).
We can arrange some fund raising to support also a bounty-based
development program on the projects.
In the past I organized OSS development funding with the osxcrypt.org project
and in 2 days collected 1500 USD from the security community. Probably
we can get much more.
Could this be an approach that helps?

@ About documentation
I am available to come for a weekend with the proper hardware (within
Europe), together with whoever has the deep project knowledge, to prepare a
setup from scratch, writing in the meantime the documentation for the
hw/sw setup for those who don't know anything about the internals/details of
the projects but want to start playing with it.
It's summer an

Re: [A51] Reporting in..

2010-07-24 Thread Cal Leeming [Simplicity Media Ltd]
Yeah, technically someone with a USRP could seed a 20 minute airwave dump,
and you could replay it into whatever software you were using, but again, it
wouldn't be as fun.. Not sure about the legal implications either :S This is
what the guys at THC did though, back in 2008 I believe...


On Sat, Jul 24, 2010 at 8:34 PM, Peter Stuge  wrote:

> Clemens Gruber wrote:
> > How do you want people to contribute code to the airprobe project
> > if they have not enough money to buy a USRP?
>
> It is quite possible even without hardware to test on. It's just not
> as rewarding.
>
>
> //Peter



-- 

Cal Leeming

Operational Security & Support Team

*Out of Hours: *+44 (07534) 971120 | *Support Tickets: *
supp...@simplicitymedialtd.co.uk
*Fax: *+44 (02476) 578987 | *Email: *cal.leem...@simplicitymedialtd.co.uk
Simplicity Media Ltd. All rights reserved.
Registered company number 7143564


Re: [A51] Reporting in..

2010-07-24 Thread Peter Stuge
Clemens Gruber wrote:
> How do you want people to contribute code to the airprobe project
> if they have not enough money to buy a USRP?

It is quite possible even without hardware to test on. It's just not
as rewarding.


//Peter


Re: [A51] Reporting in..

2010-07-24 Thread Clemens Gruber
On Sat, 2010-07-24 at 20:29 +0200, Peter Stuge wrote:
> Affordable hardware options mean more people are likely to get
> involved with open source GSM development in general. True for
> every other hardware-related open source project I've seen..
> 
> 
> > Please focus your scarce resources where it is really needed...
> 
> Yeah. The focus isn't on PCBs. As you say, this is a software
> intensive area, the required hardware is "simple".
> 
> Hardware in hand of course does not bring any software, but already
> thinking about that hardware helps identify what software to focus
> on, and next step, hardware availability helps people get involved. 

Exactly, the point is: there are many students (like me) and other
possible contributors out there who are not able to spend 1000 US
Dollars on buying a USRP1 + daughterboards + antenna + UPS to Europe
(delivery itself is about 100 USD + taxes?)

So the benefit of new hardware would definitely be that many more people
would buy this DIY PCB + components, solder it themselves and then be
able to contribute software to the project without having spent $1000.

How do you want people to contribute code to the airprobe project if
they don't have enough money to buy a USRP?

A downlink "module" would be sufficient for the beginning; an "uplink
module" could follow if needed. But at first a less expensive RX module,
designed especially for receiving GSM signals, could help the project to
rapidly get more contributors.

Btw, I wouldn't say that the hardware is "that" simple; as Harald Welte
stated, professional measurement equipment is necessary. All guys at
university may be able to use stuff from the faculty, but it may still
be very hard to coordinate such a project just over the net/mailing list.



Re: [A51] Reporting in..

2010-07-24 Thread sascha
> As mentionned OpenBTS laurent's decomposition demod seems to be way
> better than the current one (from the limited testing I did). Another
> benefit is that you can exploit CUDA _a_lot_ for the first stage of a
> multi ARFCN receiver. (when you do the math you'll see that things fit
> together nicely and you end up with a bunch of complex MACs and at the
> output you have N channels of I/Q samples pre-multiplied for
> laurent's).

I am currently implementing a freq_xlating_fir_filter_ccf and a
fractional_interpolator_cc in CUDA. Next would be the Viterbi decoder.
Is this not the optimal algorithm to implement?



Re: [A51] Reporting in..

2010-07-24 Thread Peter Stuge
Harald Welte wrote:
> what is wrong with you (sorry)?

No need to apologize, I think you make a very good point.


> The problem with regard to practical GSM A5 cracking is not that
> hardware is too expensive or that you need to do your own custom
> hardware.
> 
> The problem is that everybody wants a solution / software / ... but
> very few people actually are willing to put in the required time,
> sit down, get their hands dirty and make it work.

I think that there's a lot of excitement because Enemy-of-the-State-like
call interception seems to be at the fingertips of the masses, but for
most people that would like to try it out, the hardware setup is
prohibitively expensive - leading to more or less accurate
brainstorming for cheaper solutions.

The tradeoff between spending development time on hardware and
spending money on USRP is easy with goals such as demonstrating A5/1
brokenness or creating open source GSM software, however not so easy
for individuals with anything less than a very strong interest.

OsmocomBB is a fantastic development, making consumer electronics
usable for open source GSM development and experiments.

But it seems to me that it might be(come) difficult to source the
relevant hardware which is also problematic, just in another way,
for everyone but core contributors.


> The state of airprobe's various receivers (tvoid, gsmsp, gsm-receiver) has
> only improved marginally throughout the last years.  Even today, they are
> nothing more than a proof of concept.  They're far from what somebody would
> want to do actual real-world intercept.  They don't even support the various
> GSM channel types, they don't contain the necessary frequency / gain control
> loops for long-time reception, ...
> 
> This has all been clear for years.  Work in this area is completely unrelated
> to the actual A5/1 cracking and the rainbow tables.  There was no dependency
> on the rainbow tables needing to be completed before work on the airprobe
> receiver code could have been done.

That's certainly true. However, without the clear utility for a work,
many find it difficult to motivate themselves to produce it.

Baby steps basically. But since something very exciting is just
around a corner, many are quite eager and want to rush..


> During the same timeframe, a really great Free Software GSM receiver
> implementation has been released publicly:  That of OpenBTS.

Yes! I agree completely. And if there should be any open GSM hardware
then I think it must optimize for, and work closely together with
OpenBTS. I've spent the last few days reading up and am awed by their
progress.


> Yet, nobody has lifted a finger and transformed that implementation
> (and its contained laurent approximation based demodulation code)
> into a new airprobe receiver.

I think many if not most have overlooked the significance of
airprobe. I certainly have.


> But whether you use a USRP2, a USD 20,000 military SDR or a small
> custom cheap board will not change the fact that somebody still
> needs to write good demodulation/decoding software.

And/or hardware. I think OpenBTS and OsmocomBB are two amazing
sources of code, and there is clearly overlap among them and airprobe
- or at least there should be! I'm pretty sure that it'd make sense
to move some things which are already finished or at least in good
condition in both projects into hardware.


> And any work spent on new hardware development is not going to
> bring any progress to the project.

Affordable hardware options mean more people are likely to get
involved with open source GSM development in general. True for
every other hardware-related open source project I've seen..


> Please focus your scarce resources where it is really needed...

Yeah. The focus isn't on PCBs. As you say, this is a software
intensive area, the required hardware is "simple".

Hardware in hand of course does not bring any software, but already
thinking about that hardware helps identify what software to focus
on, and next step, hardware availability helps people get involved.


//Peter


Re: [A51] Reporting in..

2010-07-24 Thread Sylvain Munaut
> But whether you use a USRP2, a USD 20,000 military SDR or a small custom
> cheap board will not change the fact that somebody still needs to write good
> demodulation/decoding software.  And any work spent on new hardware development
> is not going to bring any progress to the project.

That's the point I was trying to raise when I suggested that efforts
would be better spent exploiting to the full extent the HW we have
rather than building a new one.

A single USRP with 2 db should be able to capture at least 3 MHz of
uplink and downlink synchronized. If the ARFCNs of your hopping
sequence fit into those 3 MHz, then you're good.

As mentioned, the OpenBTS Laurent's decomposition demod seems to be way
better than the current one (from the limited testing I did). Another
benefit is that you can exploit CUDA _a_lot_ for the first stage of a
multi-ARFCN receiver. (When you do the math you'll see that things fit
together nicely and you end up with a bunch of complex MACs, and at the
output you have N channels of I/Q samples pre-multiplied for
Laurent's.)

But yeah ... need time to implement all that :(


> Next problem is: If you ever want to tune into the uplink, you need custom
> hardware as the filters for the frequencies are reversed.  Plus, it is
> impossible to find any SAW filters for the reverse bands in the same or
> similar mechanical dimensions - not even speaking of the same impedance and
> balanced/unbalanced-ness as needed.  Thus, it is impossible to simply
> replace the filters on existing hardware.

Well, on that point I don't agree ...

1) You can just ignore the filter: works fine as long as the handset
is close enough, or if you're using a good antenna. Those filters are
just not that good.

2) You can do it 'brutally' and put a pre-amp in front of the antenna.
Definitely not the cleanest solution but it'll work. And if you want
to bring the uplink and the downlink 'in the same ballpark', just add
a filter to attenuate downlink as well.

3) There are simple SMD 'baluns' that will convert the unbalanced
50ohm to balanced 50ohm with a pinout close enough that soldering them
in place of the other could work. (That one I haven't tried yet,
but I'll order a couple and see what I can work out when I have some
spare time.)

The hardware is definitely limited, but for demonstration purposes it
can do the trick IMHO. Workaround 1 is good for that use case.
Workaround 2 is an option if you already have the parts lying around
from other GSM experiments. Option 3 ... well, not tested yet, so I
can't really say anything.


OTOH, as you said, creating a brand new board based on those chips
would be a waste of time.


Cheers,

Sylvain
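The "bunch of complex MACs ... N channels of I/Q samples" Sylvain describes for the first stage of a multi-ARFCN receiver, written out as an added example (not code from airprobe, OpenBTS or GNU Radio's freq_xlating_fir_filter, which it imitates): each channel is pulled out of one wide I/Q capture by mixing its offset down to DC, lowpass filtering, and computing only the outputs that survive decimation. The 4 MHz sample rate, tone frequencies, 100 kHz cutoff and tap count are constructed for the demonstration; only the 200 kHz channel grid the cutoff is chosen against is a GSM fact. It runs offline on a synthetic capture so the behaviour can be checked before touching a real sample file from your own cell.

```python
"""Frequency-translating FIR channelizer for a wide I/Q capture.
Added example: the per-channel mix / lowpass / decimate stage, in pure
Python. All signal parameters are constructed for the demonstration."""
import cmath
import math


def lowpass_taps(cutoff_hz, fs, ntaps):
    """Hamming-windowed sinc lowpass with unity DC gain (one-sided cutoff)."""
    mid = (ntaps - 1) / 2.0
    fc = cutoff_hz / fs                   # normalised cutoff, cycles/sample
    taps = []
    for k in range(ntaps):
        x = k - mid
        ideal = 2 * fc if x == 0 else math.sin(2 * math.pi * fc * x) / (math.pi * x)
        window = 0.54 - 0.46 * math.cos(2 * math.pi * k / (ntaps - 1))
        taps.append(ideal * window)
    gain = sum(taps)
    return [t / gain for t in taps]


def xlating_fir_decim(samples, fs, offset_hz, taps, decim):
    """Shift `offset_hz` down to DC, lowpass, and keep every `decim`-th output.
    Only the surviving outputs are computed, so the work per channel is
    len(samples)/decim dot products of `ntaps` complex MACs each."""
    step = cmath.exp(-2j * math.pi * offset_hz / fs)
    phasor, mixed = 1 + 0j, []
    for s in samples:                     # running-phasor mixer: one multiply per sample
        mixed.append(s * phasor)
        phasor *= step
    ntaps = len(taps)
    out = []
    for n in range(ntaps - 1, len(mixed), decim):
        acc = 0j
        for k in range(ntaps):
            acc += taps[k] * mixed[n - k]
        out.append(acc)
    return out


def channelize(samples, fs, offsets_hz, cutoff_hz=100e3, ntaps=127, decim=8):
    """N independent channels out of one capture: {offset: decimated I/Q}.
    The 100 kHz one-sided cutoff is half of GSM's 200 kHz channel spacing."""
    taps = lowpass_taps(cutoff_hz, fs, ntaps)
    return {f: xlating_fir_decim(samples, fs, f, taps, decim) for f in offsets_hz}


def channel_stats(stream, fs_out):
    """Mean power and residual carrier offset (Hz) from the average phase step
    between consecutive samples: a quick check that the channel sits at DC."""
    power = sum(abs(v) ** 2 for v in stream) / len(stream)
    dphi = sum(cmath.phase(stream[i] * stream[i - 1].conjugate())
               for i in range(1, len(stream))) / (len(stream) - 1)
    return power, dphi / (2 * math.pi) * fs_out


def demo(fs=4e6, n=4096):
    """Constructed capture: a unit tone 10 kHz above the +600 kHz channel and
    a 0.8-amplitude tone exactly on the -400 kHz channel.
    Returns {offset: (power, residual_hz)} for the two selected channels."""
    samples = [cmath.exp(2j * math.pi * 610e3 * i / fs)
               + 0.8 * cmath.exp(-2j * math.pi * 400e3 * i / fs)
               for i in range(n)]
    decim = 8
    chans = channelize(samples, fs, [600e3, -400e3], decim=decim)
    return {f: channel_stats(v, fs / decim) for f, v in chans.items()}


if __name__ == "__main__":
    for f, (p, r) in demo().items():
        print(f"{f / 1e3:+.0f} kHz channel: power {p:.3f}, residual {r:+.0f} Hz")
```

Each channel's output power matches the tone that was placed on it (about 1.0 and 0.64) because the other tone, now 1 MHz off-centre, falls deep in the filter's stopband; the residual of roughly +10 kHz on the first channel shows the tuning error that a frequency-control loop of the kind Harald asks for would have to track. A CUDA port parallelises over channels and over output samples, which is exactly where the MACs sit.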


Re: [A51] Reporting in..

2010-07-24 Thread Harald Welte
On Sat, Jul 24, 2010 at 01:26:31AM +0100, Cal Leeming [Simplicity Media Ltd] wrote:

> Besides, you gotta remember, that the USRP is a very expensive piece of kit,
> and just having one might not be enough depending on what you need it for.
> See Sylvain's earlier post reply for a good explanation about this.
> 
> Personally, I think it would be a really cool idea to start up work shops
> which would look primarily at extracting the transceivers out of
> cheap/unwanted handsets, and putting them to a good use. It would certainly
> be a lot more fun than just paying for the hardware :)

Well, you can try to look at the work that we've been doing as part of
OsmocomBB (http://bb.osmocom.org/).  We've done all the code you need to
drive the transceiver of the TI Calypso chipset (TRF6151 / Rita), the 
analog baseband (TWL3025 / Iota) and the digital baseband (Calypso /
HERCROM400G2).

Next problem is: If you ever want to tune into the uplink, you need custom
hardware as the filters for the frequencies are reversed.  Plus, it is
impossible to find any SAW filters for the reverse bands in the same or
similar mechanical dimensions - not even speaking of the same impedance and
balanced/unbalanced-ness as needed.  Thus, it is impossible to simply
replace the filters on existing hardware.

More modern GSM phone designs use a 'frontend module', i.e. an integrated
component that contains the RF transceiver, the filters and often also the PA.
In such a module, you simply cannot change the filter characteristics
anymore.

Also, I would not waste time on developing your own hardware based on an
old / end-of-life RF transceiver.  Don't underestimate the time you will
have to spend on doing analog RF design at frequencies that come close to 2GHz.
Without the proper skills/experience and particularly measurement equipment,
you will not be able to design something that will be close to the performance
of a commercial handset.

I've analyzed this long enough and I think it's simply not worth putting so
much time and effort into something that inevitably only very few people will
show an interest in.

Regards,
Harald.
-- 
- Harald Welte  http://laforge.gnumonks.org/

"Privacy in residential applications is a desirable marketing option."
  (ETSI EN 300 175-7 Ch. A6)


Re: [A51] Reporting in..

2010-07-24 Thread Harald Welte
Guys,

what is wrong with you (sorry)?

I've been doing software development related to GSM for quite some time now,
have contributed to airprobe and am now mostly working on OpenBSC and
OsmocomBB.

The problem with regard to practical GSM A5 cracking is not that hardware
is too expensive or that you need to do your own custom hardware.

The problem is that everybody wants a solution / software / ... but very
few people actually are willing to put in the required time, sit down,
get their hands dirty and make it work.

The state of airprobe's various receivers (tvoid, gsmsp, gsm-receiver) has
only improved marginally throughout the last years.  Even today, they are
nothing more than a proof of concept.  They're far from what somebody would
want to do actual real-world intercept.  They don't even support the various
GSM channel types, they don't contain the necessary frequency / gain control
loops for long-time reception, ...

This has all been clear for years.  Work in this area is completely unrelated
to the actual A5/1 cracking and the rainbow tables.  There was no dependency
on the rainbow tables needing to be completed before work on the airprobe
receiver code could have been done.

During the same timeframe, a really great Free Software GSM receiver
implementation has been released publicly:  That of OpenBTS.  Yet, nobody
has lifted a finger and transformed that implementation (and its contained
laurent approximation based demodulation code) into a new airprobe receiver.

Piotr is one of the few guys who actually contributed, and I'd like to express
my gratitude for his work.

But whether you use a USRP2, a USD 20,000 military SDR or a small custom
cheap board will not change the fact that somebody still needs to write good
demodulation/decoding software.  And any work spent on new hardware development
is not going to bring any progress to the project.

Please focus your scarce resources where it is really needed...

-- 
- Harald Welte  http://laforge.gnumonks.org/

"Privacy in residential applications is a desirable marketing option."
  (ETSI EN 300 175-7 Ch. A6)


Re: [A51] Reporting in..

2010-07-24 Thread Clemens Gruber
Yes, it's not about rushing to buy big and expensive hardware, it's
about rather building something minimal and less expensive than buying
two USRPs.
We would only have to plan and produce the PCBs all together. Maybe the
ordering of the components could also be done together to get a
better price, but that's not absolutely necessary.

Especially for people from Europe ( particularly students ;) ), the USRP
is a little bit too expensive (in my opinion).

What do you think?

On Sat, 2010-07-24 at 17:14 +0200, Peter Stuge wrote:
> Sylvain Munaut wrote:
> > Seems to me that suddenly everybody is rushing to buy big and
> > expensive hardware 
> 
> This is getting a little off-topic, but I would instead build
> something minimal from scratch.
> 
> 
> //Peter


Re: [A51] Reporting in..

2010-07-24 Thread Peter Stuge
Sylvain Munaut wrote:
> Seems to me that suddenly everybody is rushing to buy big and
> expensive hardware 

This is getting a little off-topic, but I would instead build
something minimal from scratch.


//Peter


Re: [A51] Reporting in..

2010-07-24 Thread Cal Leeming [Simplicity Media Ltd]
I think this is one of those subjects which could be debated over and over,
but really only practical tests will ever provide real proof that a method
does or doesn't work. Yes, it would take a considerable amount of time, but
you also have to factor in the amount of knowledge you would gain by
effectively building your own hardware to replace that of the USRP.
Obviously, using old hardware would probably limit you to only a few
channels at a time, but at the same time, if you wanted to watch the whole
GSM spectrum, you'd need more than just a single USRP, and that's when it
starts getting expensive!

Sometimes, these projects aren't just about the end goal, but also how much
fun you have and what you learn along the way, you know?


On Sat, Jul 24, 2010 at 3:04 PM, Sylvain Munaut <246...@gmail.com> wrote:

> > I agree with Peter. It is completely useless to waste time on old
> hardware.
>
> But it'd make for dead cheap sniffer ...
>
> > There are many groups that try that without success, as each hardware was
> > done with physical limitations.
>
> Really ? do you have any specific examples of failed attempt and their
> reason ?
>
>
> > What i consider, is to contact Ettus people and ask them to prepare a new
> > device with more Mhz of bandwith. (maybe we could join interested people
> > here to setup an initial multi-group list order).
>
> Just my 2cent but before building better hardware, maybe it'd be
> useful to just exploit the one we have. AFAICT airprobe isn't exactly
> very advanced yet ...
>
> Seems to me that suddenly everybody is rushing to buy big and
> expensive hardware 
>
>
> Cheers,
>
>Sylvain


Re: [A51] Reporting in..

2010-07-24 Thread Sylvain Munaut
> I agree with Peter. It is completely useless to waste time on old hardware.

But it'd make for dead cheap sniffer ...

> There are many groups that try that without success, as each hardware was
> done with physical limitations.

Really? Do you have any specific examples of failed attempts and their reasons?


> What i consider, is to contact Ettus people and ask them to prepare a new
> device with more MHz of bandwidth. (maybe we could join interested people
> here to setup an initial multi-group list order).

Just my 2 cents, but before building better hardware, maybe it'd be
useful to just exploit the one we have. AFAICT airprobe isn't exactly
very advanced yet ...

Seems to me that suddenly everybody is rushing to buy big and
expensive hardware 


Cheers,

Sylvain


Re: [A51] Reporting in..

2010-07-23 Thread javier falbo

I agree with Peter. It is completely useless to waste time on old hardware.
There are many groups that tried that without success, as each hardware was done
with physical limitations.

What I consider is to contact the Ettus people and ask them to prepare a new
device with more MHz of bandwidth. (Maybe we could join interested people here
to set up an initial multi-group list order.)

In order to monitor more data channels simultaneously, and prepare the next step,
which is 3G (KASUMI), which is not so difficult as the algorithm could be
decoded very fast with the last Asiacrypt paper.

Javier

> Date: Sat, 24 Jul 2010 06:26:32 +0200
> From: pe...@stuge.se
> To: a51@lists.reflextor.com
> Subject: Re: [A51] Reporting in..
> 
> Cal Leeming [Simplicity Media Ltd] wrote:
> > Personally, I think it would be a really cool idea to start up work
> > shops which would look primarily at extracting the transceivers out
> > of cheap/unwanted handsets, and putting them to a good use. It
> > would certainly be a lot more fun than just paying for the hardware
> > :)
> 
> Sorry to ruin the fun, but I am more than certain that the reverse
> engineering effort required per handset platform and the fairly high
> integration level of handsets make that a much too inefficient
> option.
> 
> 
> //Peter


Re: [A51] Reporting in..

2010-07-23 Thread Peter Stuge
Cal Leeming [Simplicity Media Ltd] wrote:
> Personally, I think it would be a really cool idea to start up work
> shops which would look primarily at extracting the transceivers out
> of cheap/unwanted handsets, and putting them to a good use. It
> would certainly be a lot more fun than just paying for the hardware
> :)

Sorry to ruin the fun, but I am more than certain that the reverse
engineering effort required per handset platform and the fairly high
integration level of handsets make that a much too inefficient
option.


//Peter


Re: [A51] Reporting in..

2010-07-23 Thread Cal Leeming [Simplicity Media Ltd]
I've actually been thinking of ways this could be done...

Here's some random ideas:


   - Try and arrange a deal with Ettus Research, in which we could purchase
   the hardware at a cheaper price for academic based research.

   - Go to 2600 meetings, and suggest starting up a ccc.de style work shop
   in your local district, and for everyone to donate towards the hardware. I
   know this is quite a big thing in Germany, and there is at least one group
   in the UK which is trying to do the same (see www.fizzpop.org.uk)

   - Figure out how to build our own boards on the cheap, or build
   instructions on how to take apart other equipment to provide us with the
   necessary parts to build a transceiver on all gsm/cdma/umts bands etc.

   - Apply for a research grant, or an academic grant. (I wouldn't know much
   about this, but I know fizzpop have done something similar, so might be
   worth asking them)

   - Save up! :/


Besides, you gotta remember that the USRP is a very expensive piece of kit,
and just having one might not be enough depending on what you need it for.
See Sylvain's earlier post reply for a good explanation about this.

Personally, I think it would be a really cool idea to start up work shops
which would look primarily at extracting the transceivers out of
cheap/unwanted handsets, and putting them to a good use. It would certainly
be a lot more fun than just paying for the hardware :)

On Sat, Jul 24, 2010 at 1:11 AM, Abdalaleem Andy James Potter <
ajpot...@youdinar.com> wrote:

> Cal,
>
> Can you find any creative way of raising funding for hackers to afford the
> USRP hardware and boards...? There must be a smart way of doing this...
>
> One idea is to have a completely open source GSM phone using the USRP and
> just free software.
>
>
>
> Begin forwarded message:
>
> *From: *Abdalaleem Andy James Potter 
> *Date: *24 July 2010 01:08:55 BST
> *To: *discuss-gnura...@gnu.org, openbts-disc...@lists.sourceforge.net
> *Cc: *Joshua Lackey 
> *Subject: **Re: [Openbts-discuss] [Discuss-gnuradio] Software mobile phone
> *
>
> Fantastic stuff!
>
>
> On 23 Jul 2010, at 22:26, Joshua Lackey wrote:
>
> And leveraging the work from the osmocombb project
>
> (http://bb.osmocom.org/trac/) will get you a far ways towards the goal.
>
>
>
> Quoting John Gilmore (g...@toad.com):
>
> Dear All,
>
>
> Do we think it is possible to create a software mobile phone using the
>
> USRP, with the OpenBTS code or something else?
>
>
> I mean everything would be in software, plus the USRP?
>
>
> It is absolutely possible.  So far I don't know anyone who has
>
> tried to do it.  The OpenBTS code would give you a big head start.
>
>
> I also think it would be interesting to port the resulting code into a
>
> mobile phone.  Generally the GSM protocols in a phone are run in a
>
> "baseband processor" separate from the user interface processor.
>
> Every phone I know of uses secret, proprietary code running in the
>
> baseband processor, even when the user interface is largely free
>
> software.  Once you had working code running in GNU Radio on a Linux
>
> machine, the challenge would be finding a well-documented baseband
>
> chip (in which the manufacturer tells you where to find the radio I/O
>
> gear on the chip, and how it works, etc).  Porting clean GSM code to
>
> run in that chip in realtime would require some adaptation to exploit
>
> unusual on-chip DSP hardware, mastering an embedded debugging
>
> environment, and perhaps shrinking the memory consumption of the GNU
>
> Radio-based code.
>
>
> I think it's not only doable, but well worth doing.  It should be
>
> worth a couple of PhDs at least.  You would certainly know the GSM
>
> protocols inside and out by the time you were done!
>
>
> John
>
>
>
>
>
> On 23 Jul 2010, at 12:33, Cal Leeming [Simplicity Media Ltd] wrote:
>
> Hey all,
>
> Just came across this board yesterday... Pretty amazing stuff tbh.
>
> I've always taken a really active interest in anything cellular related,
> however things went a bit stale about a year ago, and I found myself with
> less and less time available.
>
> But now I really want to get back into it again, and therefore volunteering
> for any duties which would (or could) involve the following:
>
>- *anything* python / stackless python related (5+ years experience)
>- *anything* gsm stack related (might need some time on this one, as
>it's been a while and my memory is fuzzy!)
>- *anything* linux/kernel/firmware related (done several
>kernel/firmware modifications i

Re: [A51] Reporting in..

2010-07-23 Thread Cal Leeming [Simplicity Media Ltd]
Hey,

Probably most of you have already seen this, but, for anyone who doesn't already
know about this:

https://svn.berlin.ccc.de/projects/airprobe/wiki/DeCryption

There's some rather interesting stuff on that page.. Quite detailed too!


On Fri, Jul 23, 2010 at 12:33 PM, Cal Leeming [Simplicity Media Ltd] <
cal.leem...@simplicitymedialtd.co.uk> wrote:

> Hey all,
>
> Just came across this board yesterday... Pretty amazing stuff tbh.
>
> I've always taken a really active interest in anything cellular related,
> however things went a bit stale about a year ago, and I found myself with
> less and less time available.
>
> But now I really want to get back into it again, and therefore volunteering
> for any duties which would (or could) involve the following:
>
>- *anything* python / stackless python related (5+ years experience)
>- *anything* gsm stack related (might need some time on this one, as
>it's been a while and my memory is fuzzy!)
>- *anything* linux/kernel/firmware related (done several
>kernel/firmware modifications in the past for embedded routers etc)
>- providing any bandwidth required (around 10-30tb/month)
>- arranging meet ups in the east/west midlands area of the UK
>- various other bits.. just ask! :)
>
> You'll have to forgive my somewhat limited knowledge of the project so far,
> but I've put some time aside this weekend to do as much reading as possible
> on everything you guys have released, and also on the work over at
> osmocom.org.
>
> --
>
> Cal Leeming
>
> Operational Security & Support Team
>
> *Out of Hours: *+44 (07534) 971120 | *Support Tickets: *
> supp...@simplicitymedialtd.co.uk
> *Fax: *+44 (02476) 578987 | *Email: *cal.leem...@simplicitymedialtd.co.uk
> Simplicity Media Ltd.
> Registered company number 7143564
>
>


-- 

Cal Leeming

Operational Security & Support Team

*Out of Hours: *+44 (07534) 971120 | *Support Tickets: *
supp...@simplicitymedialtd.co.uk
*Fax: *+44 (02476) 578987 | *Email: *cal.leem...@simplicitymedialtd.co.uk
Simplicity Media Ltd. All rights reserved.
Registered company number 7143564