Decoding and decrypting with gr-gsm


Jamie Walmsley

May 25, 2016, 2:45:31 PM
to gr-gsm
Hi guys,

I'm attempting to decrypt an SMS I sent and have captured the .cfile using grgsm_capture and have the KC key which I extracted from my phone.

Firstly, I run grgsm_decode with the following options ./grgsm_decode -m BCCH -t 2 -c ~/arfcn115-new.cfile -s 2M -a 115  -k 6D07D3A2BF0DBB28

to get the broadcast channel.

Searching for my TMSI, which is 44BB8C5B, I find the paging request message associated with my TMSI requesting a channel:

[Wireshark screenshot]

As you can see I'm requesting a TCH full rate channel.



Just down from there in Wireshark you can see an Immediate Assignment message, which I believe is directed at me:

[Wireshark screenshot]

This assigns me a Standalone Dedicated Control Channel on sub channel 1, timeslot 0



I then run grgsm_decode with the following: ./grgsm_decode -m SDCCH8 -u 1 -t 0 -c ~/arfcn115-new.cfile -s 2M -a 115  -k 6D07D3A2BF0DBB28

However, I'm not seeing anything of much use in there (looks like it's still encrypted?)

[Wireshark screenshot]

One of the frames Wireshark appears to have decoded as (SMS) CP-DATA; however, the contents, along with the rest of the output, look to still be encrypted.

Not sure where I'm going wrong here? I've also tried decrypting it with gr_decode as an A5/3 key in case my provider is using A5/3, however I get the same...


Any suggestions?

I'm currently uploading the .cfile and will attach the link shortly in case anyone wishes to take a look.

Thanks guys,


Jamie

Jamie Walmsley

May 25, 2016, 2:54:19 PM
to gr-gsm

Tomcsányi, Domonkos

May 25, 2016, 2:57:33 PM
to Jamie Walmsley, gr-gsm
Hi Jamie,

See my answers inline.

On May 25, 2016, at 20:45, Jamie Walmsley <j4m...@gmail.com> wrote:

Hi guys,

I'm attempting to decrypt an SMS I sent and have captured the .cfile using grgsm_capture and have the KC key which I extracted from my phone.

Firstly, I run grgsm_decode with the following options ./grgsm_decode -m BCCH -t 2 -c ~/arfcn115-new.cfile -s 2M -a 115  -k 6D07D3A2BF0DBB28

to get the broadcast channel.

Searching for my TMSI, which is 44BB8C5B, I find the paging request message associated with my TMSI requesting a channel:

[Wireshark screenshot]

Wrong. You are not looking at the right data. A channel request would be a RACH sent on the uplink, which you cannot currently decode.
This is a paging request, which is step 1 in GSM communication if the tower wants to initiate contact with you.


As you can see I'm requesting a TCH full rate channel.



Just down from there in Wireshark you can see an Immediate Assignment message, which I believe is directed at me:

[Wireshark screenshot]

This assigns me a Standalone Dedicated Control Channel on sub channel 1, timeslot 0


Indeed. But you are missing a crucial thing just 3 lines below the specified TS and channel:

Hopping channel: yes

If you don't know what this means look it up, it has been discussed many times. It also means that you'll need to capture and decode differently.

Cheers,
Domi
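To make the "Hopping channel: yes" line concrete, here is an added example (mine, not code from the thread or from gr-gsm) that parses the three-octet Channel Description IE carried in an Immediate Assignment, laid out as in 3GPP TS 44.018 section 10.5.2.5: channel type and timeslot in the first octet, then the TSC and the H bit, and then either a single ARFCN (H=0) or MAIO and HSN (H=1). The two sample IEs are constructed: both describe the SDCCH/8 subchannel 1 on timeslot 0 that Jamie was assigned, but the TSC value 5, the MAIO of 3 and the HSN of 27 are invented for illustration, and only the ARFCN 115 comes from the thread.

```python
# Added example (not from the thread or from gr-gsm): decode the 3-octet
# Channel Description IE of an Immediate Assignment (3GPP TS 44.018,
# section 10.5.2.5) to see whether the assigned channel hops.
# Wireshark shows these fields as "Timeslot", "Sub channel" and
# "Hopping channel: yes/no". With H=1 the IE carries MAIO and HSN instead
# of one ARFCN, so a capture of a single ARFCN (e.g. "-a 115") can only
# contain the bursts that happen to land on that carrier.

from dataclasses import dataclass
from typing import Optional


@dataclass
class ChannelDescription:
    channel: str              # "TCH/F", "TCH/H", "SDCCH/4" or "SDCCH/8"
    subchannel: Optional[int]
    timeslot: int             # TN, 0..7
    tsc: int                  # training sequence code, 0..7
    hopping: bool             # the H bit
    arfcn: Optional[int]      # only present when hopping is False
    maio: Optional[int]       # only present when hopping is True (0..63)
    hsn: Optional[int]        # only present when hopping is True (0..63)


def parse_channel_description(ie: bytes) -> ChannelDescription:
    """Parse the value part (no IEI) of a Channel Description IE."""
    if len(ie) != 3:
        raise ValueError("Channel Description IE is exactly 3 octets")
    o2, o3, o4 = ie

    # Octet 2: bits 8..4 = channel type and TDMA offset, bits 3..1 = TN.
    ctype = o2 >> 3
    timeslot = o2 & 0x07
    if ctype == 0b00001:
        channel, sub = "TCH/F", None
    elif ctype >> 1 == 0b0001:          # 0001T
        channel, sub = "TCH/H", ctype & 0x01
    elif ctype >> 2 == 0b001:           # 001TT
        channel, sub = "SDCCH/4", ctype & 0x03
    elif ctype >> 3 == 0b01:            # 01TTT
        channel, sub = "SDCCH/8", ctype & 0x07
    else:
        raise ValueError(f"reserved channel type {ctype:05b}")

    # Octet 3: bits 8..6 = TSC, bit 5 = H (hopping flag).
    tsc = o3 >> 5
    hopping = bool(o3 & 0x10)

    if hopping:
        # H=1: octet 3 bits 4..1 = MAIO high 4 bits,
        #      octet 4 bits 8..7 = MAIO low 2 bits, bits 6..1 = HSN.
        maio = ((o3 & 0x0F) << 2) | (o4 >> 6)
        hsn = o4 & 0x3F
        return ChannelDescription(channel, sub, timeslot, tsc, True, None, maio, hsn)

    # H=0: octet 3 bits 4..3 spare, bits 2..1 = ARFCN high 2 bits,
    #      octet 4 = ARFCN low 8 bits.
    arfcn = ((o3 & 0x03) << 8) | o4
    return ChannelDescription(channel, sub, timeslot, tsc, False, arfcn, None, None)


def capture_advice(cd: ChannelDescription) -> str:
    """One-line summary of what a single-ARFCN capture can and cannot decode."""
    where = cd.channel + (f" subchannel {cd.subchannel}" if cd.subchannel is not None else "")
    if cd.hopping:
        return (f"{where} on TN {cd.timeslot} hops (MAIO={cd.maio}, HSN={cd.hsn}): "
                "it is spread over the cell's mobile allocation, so a capture of one "
                "ARFCN holds only a fraction of its bursts")
    return f"{where} on TN {cd.timeslot} stays on ARFCN {cd.arfcn}: a single-ARFCN capture is enough"


# Constructed sample IEs (not taken from the thread's capture).
# Both: SDCCH/8 subchannel 1, TN 0, TSC 5 (TSC value invented).
IE_NO_HOP = bytes([0x48, 0xA0, 0x73])   # H=0, ARFCN 115
IE_HOP = bytes([0x48, 0xB0, 0xDB])      # H=1, MAIO 3, HSN 27 (invented values)

if __name__ == "__main__":
    for raw in (IE_NO_HOP, IE_HOP):
        print(raw.hex(), "->", capture_advice(parse_channel_description(raw)))
```

The parser is useful as a sanity check before spending time on decryption: if the IE says H=1, the Kc is not the problem, the capture is, because a single-carrier .cfile never contained most of the bursts of that SDCCH in the first place.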

Jamie

May 25, 2016, 3:01:19 PM
to gr-gsm
Thanks for the quick response!

Ahh yes, I suspected it could be related to that; however, I thought channel hopping was only used for call traffic and not SMS. Thank you for pointing me in the right direction, I shall go do some more reading!


Cheers Domi, appreciated.

Tomcsányi, Domonkos

May 25, 2016, 3:03:42 PM
to Jamie, gr-gsm
Good luck.
Sadly some providers even make control channels hop, which is allowed in GSM. It is quite interesting though, haven't seen this in the wild yet.

Cheers,
Domi