Bursts and Deka


Digger Pop

Aug 21, 2023, 4:26:22 AM
to gr-gsm
Hello!
I don't understand what I should do to get Kc using Deka or Kraken.

I capture the file:
grgsm_capture -f 940.2M --rec-length=100 test_a26_f940.2.cfile

Next step I take burst and cap files:
For SDCCH channel
grgsm_decode -c ./test_a26_f940.2.cfile -a 26 -m SDCCH8 -t 1 -p >>Burst_file_SDCCH.txt
For BCCH channel
grgsm_decode -c ./test_a26_f940.2.cfile -a 26 -m BCCH -t 0 -p >>Burst_file_BCCH.txt

I found the packet "U, func=UI" and looked at the frame number = "2489781".
I add +102 to the frame number and take the next frame "2489883". This frame is in the packet
"N(R)=1, N(S)=0(DTAP) (RR) Ciphering Mode Command"

I take bursts from Burst_file_SDCCH.txt

2489778 3844402: 000000011011101110001001001100001101100011011100101001110111000111111010000011010000111000101111100001000010000001
2489779 3844435: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2489780 3844468: 111010100011101110001000100010001011111101110010110001000010111011000011011111011101011000000001001100100111001100
2489781 3844501: 101010000101011101110101001000101001010001011101010100000010110000000011111100010000001000010000010101110110000011
2489782 3844534: 001011101011111111000100000010101011101101110100000001101010111110110111010101010010001010101011011111110101101000
2489783 3844567: 100001001101110100010100000011010100010101110101000010100001010001011101010001001100000001000001110111000000000010
2489784 3844600: 000001000010001111101111010100000000101000101010111101010101010110101010101011111101010101000010101010111101011100
2489785 3844633: 101010110100010101111001010110101010010100011111000101000010101000000010111110010000101000010100001011110100000110

and
2489880 3844400: 011001010001011000111100011011010100101011111010000111100111100110101110011011010000011001101100010000000100010011
2489881 3844433: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2489882 3844466: 111010100011101110001000100010001011110101110010110001000010111011000011011001000001100101110100010101101001000011
2489883 3844499: 101010000101011101110101001000101001010001011101010100000010100000000011111100010000001000010000010101110100000010
2489884 3844532: 001011101011111111000100000010101011100101110100000001101010111110100111010101111010001010101001011111110101101000
2489885 3844565: 100000001101110100010100000010010100010101110101000010110001010001011101010001011000000001000001110111000000000010
2489886 3844598: 000001000010001111101111010100000000101000101010111101010101010110101010101011111101010101000010101010011001011101
2489887 3844631: 101010010100001101011101011000100011010101011111010101010010100000000000111110000000001000110100000011111100000101


Make XOR of 2489778 and 2489880
2489779 and 2489881
2489780 and 2489882
2489781 and 2489883
2489782 and 2489884
2489783 and 2489885
2489784 and 2489886
2489785 and 2489887

And try to crack with Deka.
And no result(((.

Can you help me? Maybe my algorithm is not correct?
What should I do to get Kc?
How should I prepare bursts to use them with Deka?


Rob VK8FOES

Aug 21, 2023, 10:31:47 AM
to gr-gsm
Hi.

In my experience, modern 2G networks implement randomization of predictable frames before, and sometimes after encryption is turned on. Which of course, renders Kraken/Deka useless. 

You can try to print all the bursts with 'grgsm_decode' and see if the known 'LAPDm func=UI' packets match the following four bursts in this particular order:

100000010001110101010000000010100000000111111101010000001010000100010111010100000000101000010000010101010100000010
101010111111111101000000101010101111111111110100000000100010111111111111010101000000001010101011011101010000001000
000000011111010101010000100000010001010111010101000010100001010001111101010001000010000000000101110101010100000010
000100001010101010111101110101010000000010101110111111010100010000001010101011011101010001000010001011101111010101

If the known LAPDm FUNC=UI frames don't match these four bursts exactly, it could be an indication that the BTS is using randomization. Kraken and Deka will not work.

Regards,

Rob.

Bastien Baranoff

Aug 21, 2023, 10:43:03 AM
to Rob VK8FOES, gr-gsm
Hello, I have made a tape about installing Deka.
You also have bursts for testing here.
Have a good day.



Digger Pop

Aug 28, 2023, 9:22:19 AM
to gr-gsm
Thanks for your answers. I found the data. But now I can't recover Kc.
I take some bursts:
From packet Type "System Information Type 5"
2490723 3847297: 101100111001101001101000101000111000011010100000010010000010110000000001000101010000010000000000000010100000110100
2490724 3847330: 000011101110001010000110100000110101100000101100000000010001000001000100010001000010100000001101001011001110111000
2490725 3847363: 000000110000101000010000101101000100001100010101110010000101001000101000000101000000000000000000001000110000100011
2490726 3847396: 011010001001110001000011000100000100010000010010000010000000010110101000011000100011000100111000000000001010101000

And encrypted bursts (frame number +204)
2490927 3847319: 000101001001110000000110001110101011000101111010010000101111100101101001111010001011001100011111011101001001100000
2490928 3847352: 000000000000110010100111010001101000000001110100100011010100001011111111110111001110011100010011110000000111110011
2490929 3847385: 001110011011111001100100010101011011110001110010010100111110010100011110100111000111111100101110101000110001110000
2490930 3847392: 110001011110000101111111010011101110000111000100110100111010100000010111110101001101100111101111001000001100111111

Make XOR 
C:\python27\python.exe XOR.py 101100111001101001101000101000111000011010100000010010000010110000000001000101010000010000000000000010100000110100 000101001001110000000110001110101011000101111010010000101111100101101001111010001011001100011111011101001001100000 >>test_2.txt
101001110000011001101110100110010011011111011010000010101101010101101000111111011011011100011111011111101001010100
C:\python27\python.exe XOR.py 000011101110001010000110100000110101100000101100000000010001000001000100010001000010100000001101001011001110111000 000000000000110010100111010001101000000001110100100011010100001011111111110111001110011100010011110000000111110011 >>test_2.txt
000011101110111000100001110001011101100001011000100011000101001010111011100110001100111100011110111011001001001011
C:\python27\python.exe XOR.py 000000110000101000010000101101000100001100010101110010000101001000101000000101000000000000000000001000110000100011 001110011011111001100100010101011011110001110010010100111110010100011110100111000111111100101110101000110001110000 >>test_2.txt
001110101011010001110100111000011111111101100111100110111011011100110110100010000111111100101110100000000001010011
C:\python27\python.exe XOR.py 011010001001110001000011000100000100010000010010000010000000010110101000011000100011000100111000000000001010101000 110001011110000101111111010011101110000111000100110100111010100000010111110101001101100111101111001000001100111111 >>test_2.txt
101011010111110100111100010111101010010111010110110110111010110110111111101101101110100011010111001000000110010111

And crack it.

For bursts 1, 2, 3 Kraken didn't find anything.
For 4 it wrote me "Found 16661134333702853355x @ 23  #3  (table:238)"

I explore find_kc
./find_kc 16661134333702853355x 23 3847392 3847319 101001110000011001101110100110010011011111011010000010101101010101101000111111011011011100011111011111101001010100 

and no candidate
only 
73e6a26f427c6a1 -> c73e6a26f427c6a1
Framecount is 3847392
KC(0): 82 d0 fe 5b 94 ac 62 8b  mismatch

Can somebody explain to me where my mistake is?



Monday, August 21, 2023 at 17:43:03 UTC+3, bastien...@gmail.com: