So. I had some requests asking me about how I did what I did with GSM. What tools did I use, what hardware and what options?
Since I believe strongly that GSM needs to be “out in the hands of the people”, meaning everybody should have access to cheap hardware and free, open-source software that helps in understanding GSM in practice, I thought I would create a series of write-ups describing the whole process from the beginning.
Third step: uncover the TMSI
The script I used at Hacktivity needs to be finalized, also the Android app (SilentSMS) needs some re-factoring, so this step is going to be released later.
UPDATE (19/10/2013): I started fixing the code. First up is the Android app, which seems to be ready from my point of view, but since I haven’t checked it with anyone else I am going to say it is alpha-quality code, a little bit better than a PoC.
UPDATE (05/09/2014): Since I didn’t have time in the past to release tmsi_buster.py I will at least add some guidance here if someone wants to create it:
- Install my SilentSMS application onto an Android phone, then decide how to connect to the phone (USB tethering, WiFi and WiFi tethering are all options)
- Start the app; it will start listening on port 1337
- You can telnet to this port, enter a phone number and hit enter – the app will send a silent SMS to that phone number
So you now have a way of sending silent text messages, and you just need to monitor all the paging requests. You can use RTL-SDR or osmocomBB for that. What is left is to collect all the TMSIs and figure out from them which is the one you are looking for.
First observe the paging requests (especially the TMSIs in them) on the console – how many times is the same TMSI paged? Some networks page 2, even 3 times and then continue with the transaction, so if you sent 3 SMSes you will see a TMSI being paged 6 times, not 3 times as one would expect.

So you need to create a script that counts how many times a TMSI is paged, based on the output of RTL-SDR (+ tshark + a good Wireshark filter) or osmocomBB, and that sends out silent SMS messages via the telnet interface while it is counting. After 2-3 messages you can see how many TMSIs you have with 2 (or 4) to 3 (or 6) pagings. If you get multiple results, you can eliminate the wrong ones easily by sending more SMSes while monitoring only the TMSIs you got from the previous run.