TCH.. OsmocomBB

Sylvain Munaut 246tnt at
Thu Oct 21 20:44:36 UTC 2010


> Hello Deiter ,Sylvian

btw, it's Dieter and Sylvain :)

> I just want to know one thing, that is, during the channel request the MS
> sends a burst on RACH with an RA ref number; where is this RAF or RA reference
> number stored on the MS side

In the 'mobile' application (full phone stack), it's kept in a cr_hist
(Channel request history) list in gsm48_rr.c

In the test 'layer23' application, it's not stored and we just follow
the first assignment we see (which on a real network is probably not

> , because when the Immediate assignment is sent
> from the network it must be matched before tuning to a particular SDCCH. I
> want to apply a trick here: I will copy the RA reference from the
> immediate assignment message and will replace with original one stored
> in MS, hence the MS will think this channel is for me and tune to the
> SDCCH accordingly; further, it will keep on listening to all processes like
> authentication, location updating

I assume you're talking about the 'mobile' application.
If you have TX enabled, all it's gonna do is jam the other mobile,
preventing any kind of traffic ... (because you'll TX at the same time
as the 'real' phone to which the assignment was for).

For this kind of work you shouldn't use the 'mobile' application stack
and just hack a small program like 'layer23' does.

> Kindly tell me if it is feasible, or if there is more I need to think about.

Well you obviously missed a big point : You _shouldn't_ use the
'mobile' stack at all and just rewrite everything above l1ctl for your
own app ...



More information about the baseband-devel mailing list