The big GSM write-up – how to capture, analyze and crack GSM? – 3.

So. I had some requests asking me about how I did what I did with GSM. What tools did I use, what hardware and what options?
Since I believe strongly that GSM needs to be “out in the hands of the people”, meaning everybody should have access to cheap hardware and free, open-source software that helps in understanding GSM in practice, I thought I would create a series of write-ups describing the whole process from the beginning.
Enjoy! :-)

Third step: uncover the TMSI

The script I used at Hacktivity needs to be finalized, and the Android app (SilentSMS) needs some refactoring, so this step is going to be released later.

UPDATE (19/10/2013): I started fixing the code; first up is the Android app, which seems to be ready from my point of view, but since I haven’t checked it with anyone else, I am going to say it is alpha-quality code, a little bit better than a PoC.
https://github.com/domi007/silentSMS


10 Responses to The big GSM write-up – how to capture, analyze and crack GSM? – 3.

  1. Pingback: Receiving, Decoding and Decrypting GSM Signals with the RTL-SDR - rtl-sdr.com

  2. cagon says:

    hi domi,
    i tried to install SilentSMS on my samsung device, but i couldn't see any shortcut in the app list.
    i use CyanogenMod and device gt-19100, android ver 4.3.1
    after the installation i checked the list of apps in the system/app/ folder and i see silentSMS.apk

    any idea ?

    • domi007 says:

      You need to use the signed apk or disable signature checking via CWM

      • Will says:

        I tried both the signed and unsigned apks on CyanogenMod and other roms and the app isn’t appearing in my app drawer. I can’t figure out how to disable signature checking. I have an HTC One with TWRP.

        • domi007 says:

          That’s odd, did you encounter any issues when you copied the apk over to the /system dir of the device?

  3. Gabriel says:

    Hi. I’m trying to use airprobe, without success until now.

    Following another website (with similar steps to this):

    http://www.rtl-sdr.com/rtl-sdr-tutorial-analyzing-gsm-with-airprobe-and-wireshark/

    I’ve applied the patch mentioned and could run airprobe with gnuradio 3.7. However, I couldn’t decode the example file nor live signals using RTL-SDR. When I run:

    ./go.sh capture_941.8M_112.cfile 64 0b

    I get:

    Using Volk machine: ssse3_32_orc
    Key: '0000000000000000'
    Configuration: '0B'
    Configuration TS: 0
    configure_receiver
    gr::buffer::allocate_buffer: warning: tried to allocate
    115 items of size 568. Due to alignment requirements
    512 were allocated. If this isn’t OK, consider padding
    your structure to a power-of-two bytes.
    On this platform, our allocation granularity is 4096 bytes.

    And after a few seconds the prompt returns. In the meantime, nothing appears in wireshark sniffing on lo, as it should. I’ve also tried using gsmdecode instead of wireshark and this is what I got:

    gr::buffer::allocate_buffer: warning: tried to allocate
    115 items of size 568. Due to alignment requirements
    0: ac WARN: packet to short
    512 were allocated. If this isn’t OK, consider padding
    your structure to a power-of-two bytes.
    HEX l2_data_out_Bbis:462 Format Bbis DATA
    On this platform, our allocation granularity is 4096 bytes.
    000: ac ee 33 2c 00 00 00 00 – 00 00 00 00 00 00 00 00
    001: 00 00 00 00 00 00 00
    0: ac 101011– Pseudo Length: 43
    1: ee 1——- Direction: To originating site
    1: ee -110—- 6 TransactionID
    1: ee —-1110 Extension of the PD to one octet length [FIXME]
    1: ee XXXXXXXX UNKNOWN DATA (3 bytes)
    1: ee YYYYYYYY REST OCTETS (22)
    0: e0 WARN: packet to short
    HEX l2_data_out_Bbis:462 Format Bbis DATA
    000: e0 00 00 00 00 00 00 00 – 00 00 00 00 00 00 00 00
    001: 00 00 00 00 00 00 00
    0: e0 111000– Pseudo Length: 56
    1: 00 0——- Direction: From originating site
    1: 00 -000—- 0 TransactionID
    1: 00 —-0000 Group Call Control [FIXME]
    1: 00 XXXXXXXX UNKNOWN DATA (7 bytes)
    1: 00 YYYYYYYY REST OCTETS (22)
    0: cf WARN: packet to short
    HEX l2_data_out_Bbis:462 Format Bbis DATA
    000: cf a0 b0 00 00 00 00 00 – 00 00 00 00 00 00 00 00
    001: 00 00 00 00 00 00 00
    0: cf 110011– Pseudo Length: 51
    1: a0 1——- Direction: To originating site
    1: a0 -010—- 2 TransactionID
    1: a0 —-0000 Group Call Control [FIXME]
    1: a0 XXXXXXXX UNKNOWN DATA (1 bytes)
    1: a0 YYYYYYYY REST OCTETS (22)
    0: cf WARN: packet to short
    HEX l2_data_out_Bbis:462 Format Bbis DATA
    000: cf a0 00 00 00 00 00 00 – 00 00 00 00 00 00 00 00
    001: 00 00 00 00 00 00 00
    0: cf 110011– Pseudo Length: 51
    1: a0 1——- Direction: To originating site
    1: a0 -010—- 2 TransactionID
    1: a0 —-0000 Group Call Control [FIXME]
    1: a0 XXXXXXXX UNKNOWN DATA (1 bytes)
    1: a0 YYYYYYYY REST OCTETS (22)
    0: cf WARN: packet to short
    HEX l2_data_out_Bbis:462 Format Bbis DATA
    000: cf ee ce e0 00 00 00 00 – 00 00 00 00 00 00 00 00
    001: 00 00 00 00 00 00 00
    0: cf 110011– Pseudo Length: 51
    1: ee 1——- Direction: To originating site
    1: ee -110—- 6 TransactionID
    1: ee —-1110 Extension of the PD to one octet length [FIXME]
    1: ee XXXXXXXX UNKNOWN DATA (2 bytes)
    1: ee YYYYYYYY REST OCTETS (22)

    I’ve also tried with different decimation ratios, without success. I’d appreciate any hints on this. Thanks in advance!

    • domi007 says:

      I’m sorry for getting back to you so late. I have experienced the same once or twice; as far as I remember, I just restarted my VM.
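As an added illustration (not from the post, and not code from airprobe or gsmdecode), the Python below parses the first two octets of each frame from the gsmdecode dump in the comment above, the same fields the decoder prints as "Pseudo Length", "Direction", "TransactionID" and the protocol discriminator, and then checks the two conditions a well-formed Bbis frame must meet. The field layout is taken from 3GPP TS 44.006 (Bbis format) and TS 24.007 (L3 header); that gsmdecode follows exactly these is an assumption. Every frame in the dump fails both checks, which is consistent with the decoder's warnings and the near-all-zero payloads: the pipeline is emitting noise, not correctly decoded bursts.

```python
# Added example: sanity-check the L2 pseudo-length octet of Bbis frames.
# Layout per 3GPP TS 44.006 (Bbis) and TS 24.007 (L3 header), assumed here.
from dataclasses import dataclass

# Constructed sample: first four octets of each frame in the gsmdecode dump.
SAMPLE_FRAMES = [
    "ac ee 33 2c", "e0 00 00 00", "cf a0 b0 00", "cf a0 00 00", "cf ee ce e0",
]

MAX_BBIS_L3_OCTETS = 22  # Bbis frame = 1 pseudo-length octet + up to 22 L3 octets

@dataclass
class BbisHeader:
    pseudo_length: int   # bits 8..3 of octet 0: number of valid L3 octets
    l2_indicator: int    # bits 2..1 of octet 0: must be 0b01 in a Bbis frame
    direction: int       # bit 8 of octet 1: TI flag (direction of transaction)
    transaction_id: int  # bits 7..5 of octet 1
    protocol_disc: int   # bits 4..1 of octet 1: protocol discriminator

def parse_bbis_header(frame: bytes) -> BbisHeader:
    """Decode the two header octets the way the gsmdecode lines above do."""
    if len(frame) < 2:
        raise ValueError("need at least two octets")
    return BbisHeader(
        pseudo_length=frame[0] >> 2,
        l2_indicator=frame[0] & 0b11,
        direction=frame[1] >> 7,
        transaction_id=(frame[1] >> 4) & 0b111,
        protocol_disc=frame[1] & 0x0F,
    )

def problems(hdr: BbisHeader) -> list[str]:
    """Reasons this header cannot belong to a well-formed Bbis frame."""
    out = []
    if hdr.l2_indicator != 0b01:
        out.append(f"L2 indicator bits are {hdr.l2_indicator:02b}, expected 01")
    if hdr.pseudo_length > MAX_BBIS_L3_OCTETS:
        out.append(f"pseudo length {hdr.pseudo_length} exceeds {MAX_BBIS_L3_OCTETS}")
    return out

def check_dump(hex_frames: list[str]) -> dict[str, list[str]]:
    """Map each hex frame to its problem list (empty list = plausible frame)."""
    return {hx: problems(parse_bbis_header(bytes.fromhex(hx))) for hx in hex_frames}

if __name__ == "__main__":
    for hx, why in check_dump(SAMPLE_FRAMES).items():
        print(hx, "OK" if not why else "; ".join(why))
```

A capture that is really decoding the BCCH/CCCH will show pseudo lengths of at most 22 with the indicator bits set to 01; a dump where every frame violates this is a pipeline problem, not a key or configuration problem.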

  4. Chip Musgrave says:

    Are you selling your app on Google Play? Because someone is.

  5. Rtller says:

    I know I need to buy a new phone; I have the micro USB port burned out: but can you tell me where to put the files and what other files to modify?

    Let me know if it is possible to do this without the cable!

    Thanks a lot for your work, I really appreciate it!! :D
