Hi all, I need to ask for your help because I feel I'm missing something in my train of thought.
So, I've installed gr-gsm with all the dependencies from a fresh Docker image,
since I had problems setting up all the required versions from source without conflicts.
I have bought a cheap rtl-sdr like this
and I hope I'm not missing packets due to the low cost choice...
I first checked which ARFCN my MS (a Samsung J5) is using with the help of the service mode, which displays the BCCH number, and it was 50. I then started gr-gsm livemon on ARFCN 50 and started receiving packets in Wireshark. I then checked the System Information Type 1 to see the list of ARFCNs involved in the frequency hopping plan, and it says just 2 (50 and 79), but what I noticed was that in my area there doesn't seem to be any 79 channel advertising; I expected to see it in my gr-gsm-scan or in kalibrate (but correct me if I'm wrong: should all the hopping channels be visible by just scanning?). Even looking at the BTS map of my zone, it seems no ARFCN 79 is available near my house. I even tried to tune my rtl-sdr to the 79 downlink channel, but it seems no data is transmitted on that frequency. Then I tried the uplink, since in the service mode I saw the transmitting channel switching from 50 to 79, but saw nothing; in this case I heard people talking about the problem of synchronization for uplink data without the downlink clock, so I thought this was normal and finally said ok! I basically have a single channel transmission and I can decode it with just one SDR!
So I managed to find an old card reader I had at home and sent some APDUs to the SIM card removed from the phone to read the TMSI and the Kc. The APDUs are
'A02000010831313131ffffffff' verify pin 1111
'A0A40000027F20' enter folder DFGSM
'A0A40000026F20' file EF 6F20 (which should be the Kc)
'A0B0000008' read 8 bytes
I found another EF for the GSMACCESS Kc, but it says not found on my SIM and I suppose it's a different key.
Anyway, I can read both the TMSI and Kc and the lengths are correct; even the IMSI is correct.
But I know the TMSI can change very often on any phone activity and on demand of the network with just a TMSI reallocation request, which can be done in a ciphered manner, and therefore I maybe can't spot any hint that this is happening from my decoded captures. But the Kc should be updated via a location update request or during the Authentication procedure, yet I can see, reading the SIM with my card reader, that it always changes without me capturing any Auth or location update. Can that happen, or am I missing some packets?
Does it have something to do with the hopping protocol even with only one available channel?
I see many immediate assignments, some with the SDCCH8 and timeslot allocation and others different:
Packet Channel Description
0000 1... = Channel Type: 1
.... .101 = Timeslot: 5
010. .... = Training Sequence: 2
.... .0.. = Spare: 0x00
.... ..00 0000 .... = Hopping channel MAIO: 0
.... 0... = Hopping channel MA_NUMBER_IND: 0
.... ..01 = CHANGE_MARK_1: 1
instead of
Channel Description
0111 0... = SDCCH/8 + SACCH/C8 or CBCH (SDCCH/8): 14
Subchannel: 6
.... .001 = Timeslot: 1
010. .... = Training Sequence: 2
...1 .... = Hopping Channel: Yes
Hopping channel MAIO: 0
HSN: 1
I don't know whether my phone activity is somewhere other than SDCCH8.
My aim was to decrypt my SMS knowing the key, but I would have to attach my reader to the SIM WHILE it is in the phone to see the Kc used for the specific SMS; but before that I want to figure out why I don't see some expected packets like Auth or Location update when my phone changes the Kc.
I hope someone can give me some hints or an explanation; I'm very new to GSM.
Thank you! Bye!
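An added example (not code from the post) for the SIM-reading step described above: it builds the same VERIFY CHV1 / SELECT / READ BINARY APDUs per TS 51.011 and decodes the EF_Kc record, including its 9th byte (the ciphering key sequence number, which an 8-byte read leaves out and which tells you whether an authentication ran since the last read), plus EF_LOCI with the TMSI and location area. All response bytes are constructed sample values, not a real SIM dump.

```python
# Added example: TS 51.011 (GSM 11.11) APDU builders and EF decoders, fully offline.
# Response bytes used in the tests are constructed sample values, not a real SIM dump.

def verify_chv1_apdu(pin: str) -> bytes:
    """VERIFY CHV1 (CLA A0, INS 20, P2 01): 8-byte PIN field, ASCII padded with FF."""
    return bytes([0xA0, 0x20, 0x00, 0x01, 0x08]) + pin.encode().ljust(8, b"\xff")

def select_apdu(file_id: int) -> bytes:
    """SELECT (CLA A0, INS A4) by 2-byte file ID, e.g. 0x7F20 = DF_GSM, 0x6F20 = EF_Kc."""
    return bytes([0xA0, 0xA4, 0x00, 0x00, 0x02]) + file_id.to_bytes(2, "big")

def read_binary_apdu(length: int, offset: int = 0) -> bytes:
    """READ BINARY (CLA A0, INS B0): P1P2 = offset, P3 = number of bytes to read."""
    return bytes([0xA0, 0xB0]) + offset.to_bytes(2, "big") + bytes([length])

# Status words a GSM SIM returns for these commands (TS 51.011 section 9.4).
SW_MEANING = {
    "9000": "OK",
    "9404": "file ID not found: this EF does not exist on the SIM",
    "9804": "access condition not fulfilled: CHV1 not verified yet",
}

def explain_sw(sw: bytes) -> str:
    return SW_MEANING.get(sw.hex(), "unexpected status word " + sw.hex())

def parse_ef_kc(data: bytes) -> dict:
    """EF_Kc (6F20) is 9 bytes: Kc (8) + ciphering key sequence number (low 3 bits).
    A changed CKSN between two reads means an authentication ran in between."""
    if len(data) != 9:
        raise ValueError("EF_Kc must be read as 9 bytes, got %d" % len(data))
    return {"kc": data[:8].hex(), "cksn": data[8] & 0x07}

LU_STATUS = {0: "updated", 1: "not updated", 2: "PLMN not allowed", 3: "LA not allowed"}

def parse_ef_loci(data: bytes) -> dict:
    """EF_LOCI (6F7E) is 11 bytes: TMSI (4), LAI (5: MCC/MNC as swapped-nibble BCD
    followed by the 2-byte LAC), TMSI TIME (1), location update status (1)."""
    if len(data) != 11:
        raise ValueError("EF_LOCI must be read as 11 bytes, got %d" % len(data))
    lai = data[4:9]
    mcc = "%d%d%d" % (lai[0] & 0xF, lai[0] >> 4, lai[1] & 0xF)
    mnc = "%d%d" % (lai[2] & 0xF, lai[2] >> 4)
    if lai[1] >> 4 != 0xF:                 # nibble F marks a 2-digit MNC
        mnc += "%d" % (lai[1] >> 4)
    return {"tmsi": data[:4].hex(), "mcc": mcc, "mnc": mnc,
            "lac": int.from_bytes(lai[3:5], "big"),
            "lu_status": LU_STATUS.get(data[10] & 0x07, "reserved")}
```

Send the APDUs through any PC/SC reader library of your choice; the decoders only need the data bytes that come back before the status word.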