The big GSM write-up – how to capture, analyze and crack GSM? – 3.
So. I had some requests asking me about how I did what I did with GSM. What tools did I use, what hardware and what options?
Since I believe strongly that GSM needs to be “out in the hands of the people”, meaning everybody should have access to cheap hardware and free, open-source software that helps in understanding GSM in practice, I thought I would create a series of write-ups describing the whole process from the beginning.
Enjoy!
Third step: uncover the TMSI
The script I used at Hacktivity needs to be finalized, also the Android app (SilentSMS) needs some re-factoring, so this step is going to be released later.
UPDATE (19/10/2013): I started fixing the code, first up is the Android app which seems to be ready from my point of view, but since I haven’t checked it with anyone else I am going to say it is alpha quality code, a little bit better than a PoC.
https://github.com/domi007/silentSMS
UPDATE (05/09/2014): Since I didn’t have time in the past to release tmsi_buster.py, I will at least add some guidance here for anyone who wants to create it:
- Install my SilentSMS application onto an Android phone, then decide how to connect to the phone (USB tethering, WiFi and WiFi tethering are all options)
- Start the app; it will start listening on port 1337
- You can telnet to this port, enter a phone number and hit enter – the app will send a silent SMS to that phone number
So you now have a way of sending silent text messages, and now you just need to monitor all the paging requests. You can use RTL-SDR or osmocomBB for that. What is left is to collect all the TMSIs and try to figure out which one of them is the one you are looking for.
First observe the paging requests (especially the TMSIs in them) on the console: how many times is the same TMSI paged? Some networks page 2 or even 3 times and then continue with the transaction, so if you sent 3 SMSes you will see a TMSI being paged 6 times, not 3 times as one would expect. So you need to create a script that counts how many times each TMSI is paged, based on the output of RTL-SDR (+ tshark + a good Wireshark filter) or osmocomBB, and while doing that sends out silent SMS messages via the telnet interface. After 2-3 messages you can see how many TMSIs you have with 2-3 pagings (or 4-6 on a network that pages twice). If you get multiple results you can eliminate the wrong ones easily by sending more SMSes, but monitoring only the TMSIs you got from the previous run.
Receiving, Decoding and Decrypting GSM Signals with the RTL-SDR - rtl-sdr.com
October 14, 2013 @ 08:52
[…] an introduction to GSM, then focuses on setting up the environment and required software, then uncovering the TMSI (step to be released later), and then finally shows how to actually receive and decrypt your cell […]
cagon
February 14, 2014 @ 11:43
hi domi,
I tried to install SilentSMS on my Samsung device, but I couldn’t see any shortcut in the app list.
I use CyanogenMod and device gt-19100, Android ver 4.3.1
After the installation I checked the list of apps in the system/app/ folder and I see silentSMS.apk
Any idea?
domi007
February 16, 2014 @ 21:39
You need to use the signed apk or disable signature checking via CWM
Will
August 17, 2014 @ 13:21
I tried both the signed and unsigned apks on CyanogenMod and other ROMs and the app isn’t appearing in my app drawer. I can’t figure out how to disable signature checking. I have an HTC One with TWRP.
domi007
August 17, 2014 @ 23:13
That’s odd, did you encounter any issues when you copied the apk over to the /system dir of the device?
Will
August 22, 2014 @ 19:16
No errors whatsoever, I just transferred it across using adb. However, IIRC the apk file deleted itself after I checked again after a reboot. What versions of CM have you tried that will definitely work? Perhaps I should give those a go.
Gabriel
February 21, 2014 @ 13:58
Hi. I’m trying to use airprobe, without success until now.
Following another website (with similar steps to this):
http://www.rtl-sdr.com/rtl-sdr-tutorial-analyzing-gsm-with-airprobe-and-wireshark/
I’ve applied the patch mentioned and could run airprobe with gnuradio 3.7. However, I couldn’t decode the example file nor live signals using RTL-SDR. When I run:
./go.sh capture_941.8M_112.cfile 64 0b
I get:
Using Volk machine: ssse3_32_orc
Key: ‘0000000000000000’
Configuration: ‘0B’
Configuration TS: 0
configure_receiver
gr::buffer::allocate_buffer: warning: tried to allocate
115 items of size 568. Due to alignment requirements
512 were allocated. If this isn’t OK, consider padding
your structure to a power-of-two bytes.
On this platform, our allocation granularity is 4096 bytes.
And after a few seconds the prompt returns. In the meantime, nothing appears in Wireshark sniffing on lo, as it should. I’ve also tried using gsmdecode instead of Wireshark and this is what I got:
gr::buffer::allocate_buffer: warning: tried to allocate
115 items of size 568. Due to alignment requirements
0: ac WARN: packet to short
512 were allocated. If this isn’t OK, consider padding
your structure to a power-of-two bytes.
HEX l2_data_out_Bbis:462 Format Bbis DATA
On this platform, our allocation granularity is 4096 bytes.
000: ac ee 33 2c 00 00 00 00 – 00 00 00 00 00 00 00 00
001: 00 00 00 00 00 00 00
0: ac 101011– Pseudo Length: 43
1: ee 1——- Direction: To originating site
1: ee -110—- 6 TransactionID
1: ee —-1110 Extension of the PD to one octet length [FIXME]
1: ee XXXXXXXX UNKNOWN DATA (3 bytes)
1: ee YYYYYYYY REST OCTETS (22)
0: e0 WARN: packet to short
HEX l2_data_out_Bbis:462 Format Bbis DATA
000: e0 00 00 00 00 00 00 00 – 00 00 00 00 00 00 00 00
001: 00 00 00 00 00 00 00
0: e0 111000– Pseudo Length: 56
1: 00 0——- Direction: From originating site
1: 00 -000—- 0 TransactionID
1: 00 —-0000 Group Call Control [FIXME]
1: 00 XXXXXXXX UNKNOWN DATA (7 bytes)
1: 00 YYYYYYYY REST OCTETS (22)
0: cf WARN: packet to short
HEX l2_data_out_Bbis:462 Format Bbis DATA
000: cf a0 b0 00 00 00 00 00 – 00 00 00 00 00 00 00 00
001: 00 00 00 00 00 00 00
0: cf 110011– Pseudo Length: 51
1: a0 1——- Direction: To originating site
1: a0 -010—- 2 TransactionID
1: a0 —-0000 Group Call Control [FIXME]
1: a0 XXXXXXXX UNKNOWN DATA (1 bytes)
1: a0 YYYYYYYY REST OCTETS (22)
0: cf WARN: packet to short
HEX l2_data_out_Bbis:462 Format Bbis DATA
000: cf a0 00 00 00 00 00 00 – 00 00 00 00 00 00 00 00
001: 00 00 00 00 00 00 00
0: cf 110011– Pseudo Length: 51
1: a0 1——- Direction: To originating site
1: a0 -010—- 2 TransactionID
1: a0 —-0000 Group Call Control [FIXME]
1: a0 XXXXXXXX UNKNOWN DATA (1 bytes)
1: a0 YYYYYYYY REST OCTETS (22)
0: cf WARN: packet to short
HEX l2_data_out_Bbis:462 Format Bbis DATA
000: cf ee ce e0 00 00 00 00 – 00 00 00 00 00 00 00 00
001: 00 00 00 00 00 00 00
0: cf 110011– Pseudo Length: 51
1: ee 1——- Direction: To originating site
1: ee -110—- 6 TransactionID
1: ee —-1110 Extension of the PD to one octet length [FIXME]
1: ee XXXXXXXX UNKNOWN DATA (2 bytes)
1: ee YYYYYYYY REST OCTETS (22)
I’ve also tried with different decimation ratios, without success. I’d appreciate any hints on this. Thanks in advance!
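As an added diagnostic (not code from the post, airprobe or gsmdecode), the script below checks whether the Bbis frames gsmdecode printed above can be real L2 frames at all: the first octet is the L2 pseudo length, whose top six bits give the length gsmdecode prints and whose low two bits must be 01, the length cannot exceed the 22 octets that follow it, and a live cell pads with 0x2b filler rather than zeros. The three frames from the comment fail every check, which points at the receiver not decoding properly (wrong configuration or decimation, no sync) rather than at Wireshark. The sample frames are constructed from the comment's hex rows plus one hand-built well-formed frame.

```python
import re
# Constructed sample: the first three frames gsmdecode printed in the comment above.
BAD_DUMP = """
000: ac ee 33 2c 00 00 00 00 - 00 00 00 00 00 00 00 00
001: 00 00 00 00 00 00 00
000: e0 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
001: 00 00 00 00 00 00 00
000: cf a0 b0 00 00 00 00 00 - 00 00 00 00 00 00 00 00
001: 00 00 00 00 00 00 00
"""
# Constructed well-formed frame: pseudo length 5 with marker bits 01, an RR Paging
# Request Type 1 header, then the 0x2b filler a live cell pads the block with.
GOOD_DUMP = """
000: 15 06 21 00 01 f0 2b 2b - 2b 2b 2b 2b 2b 2b 2b 2b
001: 2b 2b 2b 2b 2b 2b 2b
"""
FRAME_LEN = 23       # octets in one Bbis block (TS 04.06)
MAX_PSEUDO_LEN = 22  # payload octets that follow the pseudo length octet

def parse_frames(dump):
    """Join gsmdecode's '000:'/'001:' hex rows back into 23-octet frames."""
    frames, current = [], []
    for line in dump.splitlines():
        m = re.match(r"\s*(\d{3}):\s+(.*)", line)
        if not m:
            continue  # skips the decoded '0: ac ...' lines and warnings
        if m.group(1) == "000" and current:
            frames.append(bytes(current))
            current = []
        current.extend(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", m.group(2)))
    if current:
        frames.append(bytes(current))
    return frames

def check_frame(frame):
    """Apply the L2 pseudo length octet rules (TS 04.08 10.5.2.19) to one frame."""
    first = frame[0]
    pseudo_len = first >> 2                   # bits 8..3: the value gsmdecode prints
    marker_ok = (first & 0b11) == 0b01        # bits 2..1 must be 01
    length_ok = pseudo_len <= MAX_PSEUDO_LEN  # 43/56/51 cannot fit a 23-octet block
    payload = frame[1:]
    zero_ratio = payload.count(0) / len(payload)  # real frames carry 0x2b filler, not zeros
    plausible = len(frame) == FRAME_LEN and marker_ok and length_ok and zero_ratio < 0.5
    return {"pseudo_len": pseudo_len, "marker_ok": marker_ok,
            "length_ok": length_ok, "zero_ratio": zero_ratio, "plausible": plausible}

def count_plausible(dump):
    """Return (plausible, total) so a whole capture can be judged at a glance."""
    results = [check_frame(f) for f in parse_frames(dump)]
    return sum(r["plausible"] for r in results), len(results)
```

Feed it the full gsmdecode output of a capture: if almost no frames come out plausible, fix the receiver side (configuration, decimation, timeslot) before looking at Wireshark.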
domi007
March 14, 2014 @ 16:20
I’m sorry for getting back to you so late. I have experienced the same once or twice; as far as I remember I just restarted my VM.
Chip Musgrave
March 25, 2014 @ 18:13
Are you selling your app on Google Play? Because someone is.
domi007
March 25, 2014 @ 19:56
Give me a link and I will file a complaint
Rtller
July 13, 2014 @ 01:18
I know I need to buy a new phone; my micro USB port is burned out: but can you tell me where to put the files and what other files to modify?
Let me know if it is possible to do this without the cable!
Thanks a lot for your work, I really appreciate it!! 😀
Lufixer
January 3, 2015 @ 22:46
Hi,
Is there any new version of SilentSMS.apk? Because it does not start on Android 5.
Thanks
Alex
January 11, 2016 @ 20:47
Hi. Can you tell me where I can find the example code tmsi_buster.py? Thanks a lot for any answer.
domi007
April 18, 2017 @ 11:40
I don’t think I open-sourced it; it was a dirty hacked version which was barely stable. Recreating the script shouldn’t be too hard.
Agent-Orange
January 12, 2016 @ 11:21
Hey Domi007,
Great write-up! I really appreciate the effort you put into it.
I was just encountering a single problem.
I was unable to install libosmocore due to some problems.
So I just downloaded the GNU Radio live DVD and captured some GSM signals (.pcapng format) using its inbuilt tools (gr-gsm).
The problem is: even though I got a huge number of Paging Requests, I am unable to spot the TMSI while analyzing them in Wireshark.
I can send you the pcapng file if you want.
Thanks again for such a nice article 🙂
domi007
April 18, 2017 @ 11:40
Try to filter for the TMSI.