Discussion:
[A51] General questions regarding kraken
Dable dable
2016-09-12 20:42:40 UTC
Hello list!

Sorry, the previous mail didn't have a subject.

I've got my kraken going finally and successfully decoded the sample file.
However, I still have some questions which I could not find the answers to.
I'd really appreciate it if anyone could shed some light on these matters.

1-

If you have a Samsung phone and you dial *#0011# it gives you a simple
GSM info screen. I can see MCC, MNC, BAND, ARFCN, Timing Advance. Is
this TA parameter the same Timing Advance parameter in the L1 header?
If yes, how would this be related to the packets sent from the BTS to my
MS? Should I inspect packets with the TA of my phone for myself?

2-

How can I use subslot to make a better filter to find the right frame
to guess? I read somewhere you can only use the same subslot to guess
the encrypted frame. Could you please elaborate more on this?

3-

When using the find_kc tool it gives you a "found potential bits"
number. I learned that the higher this value is, the better the chances
of finding a key. But what does it exactly mean?

4-

I used the SI5 in the sample file instead of an empty packet and could
recover the key, but in this post:
https://lists.srlabs.de/pipermail/a51/2011-January/001058.html

the empty frame is used, just like in the talk Mr Karsten Nohl gave. How
did he exactly guess the encrypted frame number?

I experimented with various SIs and it seems they all have the same
+204 frame repeat pattern, but empty packets seem better candidates. I
read somewhere in the mailing list that Mr Nohl said empty frames appear
at the start/end of an SDCCH trace. Can you please elaborate more on
this, since there seems to be no pattern for empty frames?

5-

When I view my own captures there are often many TMSIs which are
being paged. Does the BTS actually want to do something with them or
is it just paging? (This is more of a GSM question, sorry.)

6-

In my own capture files sometimes I see the ciphering mode command
frame 2 times with a short time between them and a paging request or
response. Is it possible that the BTS issues the ciphering command at
random, or does it happen only when it wants to communicate with a
specific MS?

Also, sometimes the paging request before the Immediate Assignment
contains 3 to 4 TMSIs. How does each MS know whether the Assignment is
for it or not?

7-

Which paging request is the one used for Immediate Assignment? Is
it paging request type 1 / 2 / 3, or does it really not matter?

Sorry for the long mail.

If it's necessary I can provide more data or sample capture files.

Best regards,

Daniel H
Jan Hrach
2016-09-12 22:06:53 UTC
> If you have a Samsung phone and you dial *#0011# it gives you a simple GSM info screen. I can see MCC, MNC, BAND, ARFCN, Timing Advance. Is this TA parameter the same Timing Advance parameter in the L1 header?

I think so. The phone knows no other timing info than what the BTS tells it. Of course the firmware of the phone may somewhat offset/scale the number.

> How can I use subslot to make a better filter to find the right frame to guess?

What do you mean by subslot? You see which timeslot you should decode from the immediate assignment.

> When using the find_kc tool it gives you a "found potential bits" number.

It just copies the input parameter, at least in my copy of find_kc:

/* excerpt from find_kc's argument handling; argv[2] is the "bits" argument given on the command line */
int pos;
sscanf(argv[2], "%i", &pos);                               /* parse it as an integer */
printf("#### Found potential key (bits: %i)####\n", pos);  /* and echo it back unchanged */

(more about its parameters: https://jenda.hrach.eu/gitweb/?p=gsmtk;a=blob;f=bin/tknapalmex.py;h=d5c46afce9a4fde2d04354e196eb4ddf6c313c80;hb=HEAD#l138)

And I don't think you will have a better chance when you are more advanced in the stream. You will have more candidates, but IMHO the chance is the same.

> How did he exactly guess the encrypted frame number?

I don't know about Karsten's approach, but we just try all the frames. When you have lots of communications from the same network, you can try to build statistics and then guess more accurately (https://brmlab.cz/project/gsm/guesser).

> I experimented with various SIs and it seems they all have the same +204 frame repeat pattern, but empty packets seem better candidates.
> I read somewhere in the mailing list that Mr Nohl said empty frames appear at the start/end of an SDCCH trace. Can you please elaborate more on this, since there seems to be no pattern for empty frames?

On the networks we have tested, there seems to be no pattern in SI5/6/5ter frames, but there is some pattern in empty frames. We didn't investigate it further; we just sort all frames on a given position by relative occurrence and then use it.

> When I view my own captures there are often many TMSIs which are being paged. Does the BTS actually want to do something with them or is it just paging?

I was told that they are paging the TMSI in the entire LAC at once, so there is a lot of traffic. I didn't check it, though.
--
Jan Hrach | http://jenda.hrach.eu/
GPG CD98 5440 4372 0C6D 164D A24D F019 2F8E 6527 282E
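As an added illustration of the first question and answer above (example code written for this page, not part of the thread, of kraken, or of find_kc): the timing advance that the phone's *#0011# screen reports is the value the BTS orders in the two-octet L1 header at the front of every downlink SACCH block, ahead of the LAPDm payload that carries SI5/SI6. The bit layout used here is assumed from 3GPP TS 44.004 section 7.2, the distance conversion assumes one TA step equals one GSM bit period of round-trip delay, and the 23-octet sample block is constructed.

```python
# Added example, not code from this thread or from kraken/find_kc.
# Decodes the two-octet L1 header that precedes the LAPDm payload of a
# downlink SACCH block, which is where the BTS orders the MS timing advance.
# Bit positions are assumed from 3GPP TS 44.004 section 7.2 (bit 1 = LSB);
# the sample block at the bottom is constructed.

BIT_PERIOD_S = 48 / 13 * 1e-6      # one GSM bit period, about 3.69 us
SPEED_OF_LIGHT_M_S = 299_792_458


def parse_sacch_l1_header(hdr: bytes) -> dict:
    """Split the 2-octet SACCH L1 header into its fields.

    Octet 1: bits 1-5 ordered MS power level, bit 6 FPC/EPC flag, bits 7-8 spare.
    Octet 2: bits 1-7 ordered timing advance, bit 8 spare.
    """
    if len(hdr) < 2:
        raise ValueError("SACCH L1 header needs two octets")
    octet1, octet2 = hdr[0], hdr[1]
    ta = octet2 & 0x7F
    return {
        "ms_power_level": octet1 & 0x1F,
        "fpc_epc": (octet1 >> 5) & 0x01,
        "timing_advance": ta,
        # 0..63 is the normal GSM range; higher values are reserved/extended
        "ta_in_normal_range": ta <= 63,
    }


def ta_to_distance_m(ta: int) -> float:
    """Approximate MS-to-BTS distance implied by a timing advance value.

    One TA step advances the uplink burst by one bit period, which covers the
    round trip, so the one-way distance per step is half a bit period of travel.
    """
    return ta * BIT_PERIOD_S * SPEED_OF_LIGHT_M_S / 2


def split_sacch_block(block: bytes) -> tuple:
    """Return (l1_header_fields, lapdm_payload) for a 23-octet downlink SACCH block."""
    if len(block) != 23:
        raise ValueError("a SACCH block is 23 octets (2 L1 header + 21 LAPDm)")
    return parse_sacch_l1_header(block[:2]), block[2:]


# Constructed sample: L1 header 0x05 0x0A (power level 5, TA 10) followed by
# 21 placeholder octets standing in for the LAPDm part (not a real capture).
SAMPLE_BLOCK = bytes([0x05, 0x0A]) + bytes([0x03, 0x03, 0x49]) + bytes(18)


if __name__ == "__main__":
    fields, payload = split_sacch_block(SAMPLE_BLOCK)
    print(fields)
    ta = fields["timing_advance"]
    print(f"TA {ta} corresponds to roughly {ta_to_distance_m(ta):.0f} m from the BTS")
    print(f"LAPDm payload starts with {payload[:3].hex()}")
```

When comparing the phone's displayed TA with what you see in a trace, compare it against the L1 header of the downlink SACCH on the channel the phone was assigned, since that is the only place the ordered value is transmitted; as the reply notes, the phone firmware may display an offset or scaled version of it.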