Cant capture and decrypt SMS

[Andriy Lyubar]

Hello,
I am using Samsung Galaxy S 3 with a german simcard(EGSM). This phone allows me to get the TMSI and Kc, but i am not able to get the ARFCN or CellID.  The only thing that Ive got is the MMC, MNC and LAC. So i am used to put my simcard into another phone to figure out the usuall celllID which my phone connects to. I am pretty sure that i am using the correct downlink channel but i still cant capture an SMS. I cant even see my TMSI in any of the SDCCH packages. I have also tried various timeslots and downlink channels of different cell towers. Nothing works for me.

Thank you in advance!

[Al Higgins]

Hi Andriy,

Try installing an Android App called g-mon, this will give you the LAC and CellID your phone is camped on. Then you can work out the frequency information from results of grgsm_scanner.

I don't know if it will be supported by an older phone, but g-mon pro (still free) will give you the ARFCN which can be used to work out the frequency. 

Hope that helps. 

Al

--
You received this message because you are subscribed to the Google Groups "gr-gsm" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gr-gsm+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/gr-gsm/0f7e2723-1292-4c64-a047-2866515b6796n%40googlegroups.com.

[Andriy Lyubar]

Hi AI,
thank you for  your reply. I have downloaded this app. It shows me the CellID but not the arfcn unfortunetly. I made a lookup on the cell and it shows me that it is an LTE cell. The app shows me that it is using EDGE. very strange. There is one more thing that confuses me. When i was trying to capture the GSM traffic on some cells I could find my TMSI in some BCCH packages, but never in SCHH8 packages. Does the MS transmit its TMSI to the neighbour cells too?

[Al Higgins]

Andriy,

The TMSI will be sent as part of the same paging message sent from every cell in the network in your location area (LAC), the network only routine track a cell phone to a LAC and dont know what cell you are connected to until your phone responds to the page. In a rural area a LAC can be very large. So you would expect to see your TMSI sent from multiple cells simultaneously. 

If you run grgsm_scanner first you can keep a note of all the cells in your area and match up the cell ID with your gmon results. 

An LTE Cell will have a very different cellID, a EDGE or GSM cell will have a maximum 5 digits (16 bit so maximum value 65535); LTE is 28 bits. What did you use to lookup the cell? I've found Open Cell ID or Mozilla datasets to be most accurate. 

Al

To view this discussion on the web visit https://groups.google.com/d/msgid/gr-gsm/24dcf6c9-6f94-445c-84d0-4f3d2012ddb5n%40googlegroups.com.

[Andriy Lyubar]

I used the app u have mentioned before to see the cell i am connected to. To lookup the information about it i used this website: https://www.opencellid.org/
grgsm scanner doesnt show me all the cells(shows only 2). I am living in the city center and i have 1000 cells around me. 

[Andriy Lyubar]

I am happy to tell u that i managed to capture and encrypt a message. Thank u so much for your help(g-mon helped a lot). I switched the simcard to another phone to check the arfcn and than i switched it back and was able to capture it. So the problem was the wrong afcn. The problem is that i am not able to get the arfcn with the galaxy s3 mini. And it is the only phone which has the vulnerability to get the Kc and TMSI with AT commands. So i need to figure out, how to get the arfcn with samsung.

[Tomcsanyi, Domonkos]

Have you tried *#0011# from the dialer?

Cheers

Domi

22.02.2021 dátummal, 23:05 időpontban 'Andriy Lyubar' via gr-gsm <gr-...@googlegroups.com> írta:

I am happy to tell u that i managed to capture and encrypt a message. Thank u so much for your help(g-mon helped a lot). I switched the simcard to another phone to check the arfcn and than i switched it back and was able to capture it. So the problem was the wrong afcn. The problem is that i am not able to get the arfcn with the galaxy s3 mini. And it is the only phone which has the vulnerability to get the Kc and TMSI with AT commands. So i need to figure out, how to get the arfcn with samsung.

To view this discussion on the web visit https://groups.google.com/d/msgid/gr-gsm/a43582b2-718c-4dd0-9b11-437148baab2fn%40googlegroups.com.

[Nikos Balkanas]

Hi,

If you know the frequency, there are tons of utilities in web, that can give you the arfcn...

I have written a few myself for Linux, that can arfcn upto 5g:)

Nikos

To view this discussion on the web visit https://groups.google.com/d/msgid/gr-gsm/2C6B2662-3797-4CA0-B16A-D02EF9FB7B99%40tomcsanyi.net.

[Andriy Lyubar]

Hey Domi,

Yes. It was the first thing that i have tried. Its probably not possible on this phone.

[Nikos Balkanas]

SMS can use WTLS, another encryption on top of 2G...

To view this discussion on the web visit https://groups.google.com/d/msgid/gr-gsm/28808d6e-f408-4448-8641-217a8191dcedn%40googlegroups.com.

[Nikos Balkanas]

By 2G encryption, I mean A5.1. Gr-gsm understands A5.1, but not wtls;(

[Nikos Balkanas]

Please address the list, so that others may benefit/help:)

You can get the wtls code from www.kannel.org. It is an open source sms gateway. I authored the wtls code in it:)

Or you can read the SMS spec...

Good luck merging it to gr-gsm. It is a truckfull:(

BR,

Nikos

On Fri, Feb 26, 2021 at 10:53 AM Amoko Stephen <amo...@gmail.com> wrote:

Share the code please.Thank you

To view this discussion on the web visit https://groups.google.com/d/msgid/gr-gsm/CAAxXO2HyyZJMsyf_5Oq4gXNk35wAgkmFZXma0jyy3foOZuqakw%40mail.gmail.com.