[A51] Next Encrypted SI 5 - Timing Advance - FPC

Basse Ang b4ss3k at gmail.com
Tue Apr 12 12:52:21 CEST 2016


Hi,

Thank you for the explanation. It seems I still need time to understand
it more. Anyway, it will help me for another start.. thanks :)

regards,
Bass

On Tue, Apr 12, 2016 at 8:29 AM, Вадим Яницкий <axilirator at gmail.com> wrote:

> 1) I think this guide will help you (Sylvain's great explanations):
> https://lists.srlabs.de/pipermail/a51/2010-July/000804.html
>
> Some networks broadcast SI packets in a random sequence, and also the
> Ciphering Mode Command is now always sent after a constant count of
> frames. So, this method can be useless for you.
>
> You can use a frame number to guess if this burst is related to SI5,
> SI5ter or SI6. Also, if you use OsmocomBB, try to use this condition:
> if (burst->flags & BI_FLG_SACCH) { ... }
>
> SI5 is not the only message type you can use to find the keystream. There
> are also SI5ter, SI6 and the "LAPDm U func=UI" packets. The last one is
> more difficult to guess.
>
> 2) I've never used the gsmframecoder. All I know is that Timing Advance is
> not the only changing value. There is also MS Power Level, and it can be
> changed (sometimes often) during transmission too. Both of these
> parameters negatively affect the cracking success, i.e. if at least one of
> them is changed, Kraken will find nothing or even give you some false
> positive results.
>
> I think there is a way to solve this problem. We can try to brute force
> some range of possible values for TA and MS Power Level. This way we
> should prepare a couple of modified SI packets (4 bursts each) using the
> one original. And then we will be able to XOR every supposed encrypted SI
> packet with each prepared plaintext packet.
>
> Best regards,
> Яницкий Вадим.
>

