gsm_bursts_printer


tom mc loughlin

Nov 22, 2015, 5:43:55 PM
to gr-gsm
I have gr-gsm working with a USRP but need to know how this burst_printer works to produce output for Kraken. Does anybody know how to get it working?
Tom

Piotr Krysik

Nov 23, 2015, 2:05:59 AM
to gr-...@googlegroups.com
On 22.11.2015 at 23:43, tom mc loughlin wrote:
You can probably do what you need by modifying this function:

https://github.com/ptrkrysik/gr-gsm/blob/master/lib/misc_utils/bursts_printer_impl.cc#L55

What bursts_printer does is:
- it gets bursts with a GSMTAP header on the input,
- it prints the burst bits,
- there is a possibility to turn on printing of frame numbers and the frame
count (raw GSM frame counter that is used to initialize the A5/1 algorithm).

--
Best Regards,
Piotr Krysik

tom mc loughlin

Nov 23, 2015, 7:22:04 AM
to gr-gsm
Piotr
Sorry, my programming knowledge does not stretch far enough to modify code. Has anybody done this already?
Tom

Tomcsányi Domonkos

Nov 23, 2015, 5:19:25 PM
to tom mc loughlin, gr-gsm
The misunderstanding, as far as I see, is that the input to Kraken is not the same as the raw frame numbers (you still need to do the known-plaintext attack).
What you, Tom, need, as far as I understand, is simply the same output format as airprobe's, and that is covered:

> What bursts_printer does is:
> - it prints the burst bits,
> - there is a possibility to turn on printing of frame numbers and the frame
> count (raw GSM frame counter that is used to initialize the A5/1 algorithm).

Cheers,
Domi


--
You received this message because you are subscribed to the "gr-gsm" group in Google Groups.
To unsubscribe from this group and stop receiving emails from it, send an email to gr-gsm+un...@googlegroups.com.
To post to this group, send an email to gr-...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/gr-gsm/45690162-281c-4558-9dc9-50b836cf90e4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

tom mc loughlin

Nov 23, 2015, 5:58:02 PM
to gr-gsm
Got it sorted and ready for a trial run.
Thanks to all for the help.

Tom


tom mc loughlin

Nov 29, 2015, 5:36:35 PM
to gr-gsm
Roman
I have a few questions about how to run burst_file_printer.py. I will try to explain what I am doing.
1. I make a capture with my USRP1 as a -b file, i.e. a burst file.
2. I now decode the control channel using the decode program.
3. Using Wireshark, I examine the output looking for immediate assignments.
4. Finding the TS and SDCCH, I run again, this time looking for SI5 and SI6, usually on T7.
5. At this point I need burst_file_printer.py to give me a chance to pass on the data to Kraken.
6. When I run burst_file_printer.py in GRC, I use my burst capture file as source and T7 in the middle box; it does generate an output similar to the old Airprobe. But using T7 I find all lines are the same, so the XOR produces nothing other than 000000000000000.
If I run burst_file_printer.py using T0 then there seems to be a difference.
So am I using this right, or is there some problem elsewhere?

Tom


Tomcsányi, Domonkos

Nov 30, 2015, 5:25:51 AM
to tom mc loughlin, gr-gsm
T7? Are you sure? Usually the control channel is on T1. T7 is mostly used for voice data, although there is no regulation about this in the specs.

Here is what you want to do:
1. Find the immediate assignment on T0, understand what it says (where does it send the phone)
2. Decode the Ts from the previous step as a control channel and print the raw bursts
3. Do whatever you need to do for Kraken (not going to detail it here for obvious reasons)
4. After having the encryption key decode the Ts from the first step again but now with decryption
5. Find the new assignment in wireshark (this was sent encrypted so only now can you see it) assigning the phone a voice Ts
6. Decode the Ts from the previous step as traffic
7. Play back the audio file

Note: there are some cells which use a combined setup where T0 carries both control and broadcast data. In that case you do basically the same but without changing Ts at step 2.

Cheers,
Domi


Tomcsányi Domonkos

Nov 30, 2015, 6:22:39 AM
to gr-gsm
I'm not sure if the burst printer uses exactly the same format with the C P S letters in front.
I think it only outputs the frames once, so you need to know, based on the output/Wireshark, which ones are already encrypted and which are not.

I'm not sure which .dat file you are referring to.

Cheers,
Domi 
On Nov 30, 2015, at 12:19, tom <tome...@gmail.com> wrote:

> Domi
> Yes, I understand the method used, as I have done it before with the old Airprobe, only on SMS, as the old Airprobe did not work so well.
> My problem is getting this burst_file_printer.py program to generate the frames in 10101010101 structure; as I said, when I run this on the .dat file using the TS allocated to the call, I only get all frames with the same output. If I pass this on to the script I have written to select the bursts for Kraken, then it is all 000000000000000000000000.
> I must be making a mistake in the .dat file.
> Tom


roman khassraf

Dec 1, 2015, 2:36:37 AM
to gr-gsm

Hi all,

> I'm not sure if the burst printer uses exactly the same format with the C P S letters in front.

The burst printer just prints the burst payload bits, nothing more.

> 6. When I run burst_file_printer.py in GRC, I use my burst capture file as source and T7 in the middle box; it does generate an output similar to the old Airprobe. But using T7 I find all lines are the same, so the XOR produces nothing other than 000000000000000.

0000... is because you are applying the XOR to two identical inputs. You need to use the bursts of an unencrypted message as well as of an encrypted message with the same content. If the bursts on timeslot 7 are all the same, timeslot 7 is not correct, as Domi already suggested. Did you see an assignment message for timeslot 7 on SDCCH? And is it really for the ARFCN you captured? The BTS may have assigned timeslot 7 on a different ARFCN.
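The two points made above, Piotr's note that the burst printer can also emit the frame count A5/1 is initialised with and Roman's explanation of why XORing two identical bursts gives all zeros, as an added example in Python. This is not code from gr-gsm, airprobe or Kraken: it assumes the printer emits 148-bit normal bursts (or the 114 payload bits directly), models A5/1 after the published pedagogical implementation (same taps, majority clocking, Kc and COUNT loaded LSB first), and constructs its own Kc, frame number and burst contents; the function names are this example's own. It goes one step past the thread by generating the "encrypted" burst itself, so that the recovered keystream can be checked against the generator.

```python
# Added example, not gr-gsm, airprobe or Kraken code: from a burst seen in clear
# and the same burst seen encrypted to the (keystream, COUNT) pair an A5/1
# cracker works on. A5/1 follows the published pedagogical implementation (taps,
# majority clocking, Kc and COUNT loaded LSB first); Kc, frame number and burst
# contents are constructed for the demo, not captured.

# R1/R2/R3 are 19/22/23 bits; MID = clocking-control bit, TAPS = feedback taps,
# and each register's MSB is its output bit.
R1_MASK, R2_MASK, R3_MASK = (1 << 19) - 1, (1 << 22) - 1, (1 << 23) - 1
R1_MID, R2_MID, R3_MID = 1 << 8, 1 << 10, 1 << 10
R1_TAPS = (1 << 18) | (1 << 17) | (1 << 16) | (1 << 13)
R2_TAPS = (1 << 21) | (1 << 20)
R3_TAPS = (1 << 22) | (1 << 21) | (1 << 20) | (1 << 7)

def frame_count(fn):
    """22-bit COUNT A5/1 is initialised with for frame number fn (TS 43.020):
    T1 = fn div 1326 (11 bits) | T3 = fn mod 51 (5 bits) | T2 = fn mod 26 (5 bits)."""
    t1, t2, t3 = (fn // 1326) & 0x7FF, fn % 26, fn % 51
    return (t1 << 11) | (t3 << 5) | t2

def _parity(x):
    return bin(x).count("1") & 1

def _step(reg, mask, taps):
    """Shift a register left by one, feeding back the parity of its taps."""
    return ((reg << 1) & mask) | _parity(reg & taps)

class A51:
    """A5/1 keystream generator for one (Kc, COUNT) pair."""

    def __init__(self, kc, count):
        assert len(kc) == 8 and 0 <= count < (1 << 22)
        self.r1 = self.r2 = self.r3 = 0
        for i in range(64):              # mix in Kc, LSB of byte 0 first
            self._clock_all((kc[i // 8] >> (i & 7)) & 1)
        for i in range(22):              # then COUNT, LSB first
            self._clock_all((count >> i) & 1)
        for _ in range(100):             # 100 majority-clocked warm-up steps
            self._clock()

    def _clock_all(self, inbit):
        """Loading mode: every register shifts, then absorbs one input bit."""
        self.r1 = _step(self.r1, R1_MASK, R1_TAPS) ^ inbit
        self.r2 = _step(self.r2, R2_MASK, R2_TAPS) ^ inbit
        self.r3 = _step(self.r3, R3_MASK, R3_TAPS) ^ inbit

    def _clock(self):
        """Running mode: a register shifts only if its MID bit matches the majority."""
        b1, b2, b3 = (self.r1 & R1_MID) != 0, (self.r2 & R2_MID) != 0, (self.r3 & R3_MID) != 0
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj:
            self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        if b2 == maj:
            self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        if b3 == maj:
            self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def keystream(self, nbits=114):
        """First nbits output bits as a '0'/'1' string (114 = one burst, downlink)."""
        out = []
        for _ in range(nbits):
            self._clock()
            out.append(str((self.r1 >> 18) ^ (self.r2 >> 21) ^ (self.r3 >> 22)))
        return "".join(out)

def payload_bits(burst):
    """The 114 bits A5/1 covers in a 148-bit normal burst (two 57-bit data fields,
    no tail bits, stealing flags or training sequence); 114 bits pass through."""
    if len(burst) == 114:
        return burst
    if len(burst) != 148:
        raise ValueError("expected a 114- or 148-bit burst")
    return burst[3:60] + burst[88:145]

def _xor_bits(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def recover_keystream(clear_burst, cipher_burst):
    """Known-plaintext step: clear XOR encrypted = keystream. Identical inputs give
    the all-zeros line from the thread: the second burst was never encrypted."""
    p, c = payload_bits(clear_burst), payload_bits(cipher_burst)
    if p == c:
        raise ValueError("identical bursts: XOR is all zeros (wrong timeslot or ARFCN?)")
    return _xor_bits(p, c)

def cracker_job(clear_burst, cipher_burst, fn):
    """Keystream plus COUNT: the same Kc yields a different keystream per frame,
    and COUNT is what lets the cracker map the recovered state back to Kc."""
    return recover_keystream(clear_burst, cipher_burst), frame_count(fn)

def encrypt_burst(clear_burst, kc, fn):
    # Constructed stand-in for the BTS: XOR the payload with the downlink keystream.
    enc = _xor_bits(payload_bits(clear_burst), A51(kc, frame_count(fn)).keystream())
    return clear_burst[:3] + enc[:57] + clear_burst[60:88] + enc[57:] + clear_burst[145:]

# Constructed demo data: arbitrary Kc and frame number, and one 148-bit normal
# burst (tail, data, stealing flag, TSC0 training sequence, flag, data, tail).
KC = bytes.fromhex("0011223344556677")
FN = 1234567
CLEAR = ("000" + ("1011001110" * 6)[:57] + "0" + "00100101110000100010010111" + "0"
         + ("1100101" * 9)[:57] + "000")
```

Calling `cracker_job(CLEAR, encrypt_burst(CLEAR, KC, FN), FN)` returns the 114-bit keystream together with COUNT, and `recover_keystream(CLEAR, CLEAR)` raises, which is the all-zeros case: a second burst that is bit-for-bit the clear one carries no keystream at all, whatever timeslot it was read from.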

tom mc loughlin

Dec 1, 2015, 3:15:30 AM
to gr-gsm
Roman
Yes, I have selected the right TS as seen on SDCCH, and yes, the ARFCN is the right one. I understand your take on how to find the right bursts, both encrypted and non-encrypted; I have done this before with both the old Airprobe and OsmocomBB.
The confusing bit is how burst_printer works. The original .dat file captured is maybe 70MB, but when I run burst_printer on T7 it returns 3MB, and the lines all look the same but for a few.
Maybe I should run it with T0 and see what happens.

Tom


roman khassraf

Dec 1, 2015, 8:16:38 AM
to gr-gsm
Maybe you mixed up two different file formats.

The capturing app supports two formats for saving the captured transmissions:

- cfile: raw signal data
- bursts: preprocessed GSM bursts, serialized

Files in cfile format are larger, and in most cases the process of "receiving" the bursts out of the cfile is repetitive.

The burst file printer was intended for the second format, bursts files.
It won't work correctly with cfile input.

So I guess you saved your capture to a cfile, is that possible?

tom mc loughlin

Dec 1, 2015, 3:12:05 PM
to gr-gsm
Roman
No, not possible, I saved it as a burst file, not a cfile. I then use this file in burst_printer using TS7; should I have used TS0?

Tom


roman khassraf

Dec 4, 2015, 9:13:41 AM
to gr-gsm

If you like, you can send me your capture and I will have a look at it.