[A51] General questions regarding kraken

Jan Hrach jenda at yakumo.hrach.eu
Tue Sep 13 00:06:53 CEST 2016


> If you have a Samsung phone and you dial *#0011# it gives you a simple GSM info screen. I can see MCC, MNC, BAND, ARFCN, Timing Advance. Is this TA parameter the same Timing Advance parameter in the L1 header?

I think so. The phone knows no other timing info than what the BTS tells it. Of course the firmware of the phone may somewhat offset/scale the number.

> How can I use subslot to make a better filter to find the right frame to guess?

What do you mean by subslot? You see which timeslot you should decode from the immediate assignment.

> When using the find_kc tool, it gives you a "found potential bits" number.

It just copies the input parameter, at least in my copy of find_kc:

    int pos;
    sscanf(argv[2],"%i",&pos);
    printf("#### Found potential key (bits: %i)####\n", pos);

(more about its parameters: https://jenda.hrach.eu/gitweb/?p=gsmtk;a=blob;f=bin/tknapalmex.py;h=d5c46afce9a4fde2d04354e196eb4ddf6c313c80;hb=HEAD#l138)

And I don't think you will have a better chance when you are further along in the stream. You will have more candidates, but IMHO the chance is the same.

> How did he exactly guess the encrypted frame number?

I don't know about Karsten's approach, but we just try all the frames. When you have lots of communications from the same network, you can try to build statistics and then guess more accurately (https://brmlab.cz/project/gsm/guesser)

> I experimented with various SIs and it seems they all have the same +204 frame repeat pattern, but empty packets seem better candidates.
> I read somewhere in the mailing list that Mr Nohl said empty frames appear at the start/end of an SDCCH trace. Can you please elaborate more on this, since there seem to be no patterns for empty frames?

On the networks we have tested, there seems to be no pattern in SI5/6/5ter frames, but there is some pattern in empty frames. We didn't investigate it further; we just sort all frames on a given position by relative occurrence and then use that.

> When I view my own captures there are often many TMSIs which are being paged. Does the BTS actually want to do something with them, or is it just paging?

I was told that they are paging the TMSI in the entire LAC at once, so there is a lot of traffic. I didn't check it, though.


On 12.9.2016 22:42, Dable dable wrote:
> Hello list!
> 
> Sorry, the previous mail didn't have a subject.
> 
> I've finally got my kraken going and successfully decoded the sample file. However, I still have some questions which I could not find the answers to. I'd really appreciate it if anyone could shed some light on these matters.
> 
> 1- If you have a Samsung phone and you dial *#0011# it gives you a simple GSM info screen. I can see MCC, MNC, BAND, ARFCN, Timing Advance. Is this TA parameter the same Timing Advance parameter in the L1 header? If yes, how would this be related to the packets sent from the BTS to my MS? Should I inspect packets with the TA of my phone for myself?
> 
> 2- How can I use subslot to make a better filter to find the right frame to guess? I read somewhere you can only use the same subslot to guess the encrypted frame. Could you please elaborate more on this?
> 
> 3- When using the find_kc tool, it gives you a "found potential bits" number. I learned that the higher this value is, the better the chances of finding a key. But what does it exactly mean?
> 
> 4- I used the SI5 in the sample file instead of an empty packet and could recover the key, but in this post:
> https://lists.srlabs.de/pipermail/a51/2011-January/001058.html
> 
> the empty frame is used, just like Mr Karsten Nohl used in his talk. How did he exactly guess the encrypted frame number?
> 
> I experimented with various SIs and it seems they all have the same +204 frame repeat pattern, but empty packets seem better candidates. I read somewhere in the mailing list that Mr Nohl said empty frames appear at the start/end of an SDCCH trace. Can you please elaborate more on this, since there seem to be no patterns for empty frames?
> 
> 5- When I view my own captures there are often many TMSIs which are being paged. Does the BTS actually want to do something with them, or is it just paging? (This is more of a GSM question, sorry.)
> 
> 6- In my own capture files I sometimes see the ciphering mode command frame 2 times with a short time between them and a paging request or response. Is it possible that the BTS issues the ciphering command at random, or does it happen only when it wants to communicate with a specific MS?
> 
> Also, sometimes the paging request before the Immediate Assignment contains 3 to 4 TMSIs. How does each MS know whether the Assignment is or isn't for it?
> 
> 7- Which paging request is the one used for Immediate Assignment? Is it paging request type 1 / 2 / 3, or doesn't it really matter?
> 
> Sorry for the long mail.
> 
> If it's necessary I can provide more data or sample capture files.
> 
> Best regards,
> 
> Daniel H

-- 
Jan Hrach | http://jenda.hrach.eu/
GPG CD98 5440 4372 0C6D 164D A24D F019 2F8E 6527 282E