Sniff Tool Development offer for c118

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/baseband-devel@lists.osmocom.org/.

Marten Christophe technosabby at gmail.com
Tue Apr 26 15:14:54 UTC 2011


Hello List,


If anyone on the list has time to take my assignment to develop a tool
to tune the C118 to sniff,

it must be able to enter/input parameters with full signalling and voice support.
Also tell me your development fees and remuneration for this work.

1 ARFCN
2 TS (time slot)
3 Hopping sequence

I would like students or free-time programmers to develop a custom
application for sniffing on the C118.

It should be capable of manual entries (as command line options),
meaning the tool must be able to tune the C118 in mobile application mode
(under full voice function) to the desired parameters of the user's choice:

1 ARFCN
2 TS (time slot)
3 Hopping sequence

It is something where we can tune the C118 in full voice support to our own
choice of ARFCN, TS and hopping sequence; we must be able to manually
enter these parameters while the MS is in mobile application mode (DSP in
full voice support).

I would like you to decide your remuneration / expenses / development fees.

http://bb.osmocom.org/trac/wiki/Sniffing

Kind Regards,
Maten
On Mon, Apr 25, 2011 at 5:04 AM, Marten Christophe
<technosabby at gmail.com> wrote:
> Hello List,
>
> I would like students or free-time programmers to develop a custom
> application for sniffing.
>
> It should be capable of manual entries (as command line options),
> meaning the tool must be able to tune the C118 in mobile application mode
> (under full voice function) to the desired parameters of the user's choice:
>
> 1 ARFCN
> 2 TS (time slot)
> 3 Hopping sequence
>
> It is something where we can tune the C131 in full voice support to our own
> choice of ARFCN, TS and hopping sequence; we must be able to manually
> enter these parameters while the MS is in mobile application mode (DSP in
> full voice support).
>
> I would like you to decide your remuneration / expenses / development fees.
>
> http://bb.osmocom.org/trac/wiki/Sniffing
>
> Kind Regards,
> Maten
>
>
> ==========
> ========
> Hi,
>
>
> Since a lot of people are asking the same questions and there seems to
> be a rush on the C123 on eBay, I thought some clarification is needed.
>
>
> Short version:
>  - The exact tools I used on stage are _not_ and will _not_ be
> released (or sold ... several people asked ...)
>  - Anyone willing to re-code them without any a priori knowledge of
> GSM would most likely need months to read/understand both the
> specifications and the way the code works. (That's thousands of pages
> of GSM spec and thousands of lines of code.)
>  - The Osmocom-BB project is not designed to be a sniffer, it's a baseband
> implementation; I just used part of it as a base.
>
>  So basically, unless you are really interested in GSM and are willing
> to dedicate time to understand it deeply and to contribute to the various
> projects, there is not much point in you buying phones, or hanging out
> in the ML/IRC or whatever ...
>
>
> For those who are still reading and interested here's a little more detail:
>
>  * The HLR query step:
>   -> Go watch the awesome 25C3 talk about it
>
>  * The TMSI recovery step
>   - Won't be published
>   - If you know how paging works, you know what to do anyway and it's
> trivial. The method is in the talk, there is nothing to it.
>
>  * The targeted sniffing application
>  - Won't be published either
>  - Some improvements to the layer23 app framework will be done, but
> these are generic framework stuff, not app-specific
>  - Again, if you know how L2 works and have looked at several traces,
> it's obvious what to do.
>  - The 'DSP' part of the sniffer has been public for a while with a small
> demo app (single phone, and it doesn't exploit the full potential of the
> DSP patch), and it's perfectly sufficient to debug things on your own
> controlled network. (This is basically what I showed at DeepSec 2010.)
>
>  * The tool to generate the input to Kraken
>  - Won't be published either
>  - Making the guesses is easy for anyone who knows what he's doing.
>
>  * The improved Kraken
>  - No idea about it, see with Karsten / Sacha / Frank, I only got
> access to it 1 hour or so before the talk :)
>
>  * Conversion from burst to audio
>  - This was hacked software, mostly with airprobe code.
>  - The exact app will not be released, but I'd like to see the
> capability put in some clean library we can re-use from airprobe and
> other applications without having to multiply the code each time.
>  - ... But since I'd like it to support AMR and Viterbi soft output
> before that happens, it could take some time.
>  - Anyone familiar with GSM, airprobe and C could re-hack the same
> thing in an hour ...
>
> As you can see, everything you need to analyze your own network / your
> own traffic, even at the burst level, is already published and has been
> for more than a month.
> The other tools have been written only so that we could demonstrate
> that what we have been _saying_ is possible for about a year, we can now do
> _practically_. It's apparently needed to get people's attention;
> "theoretical" attacks are not enough to get the operators / GSMA to
> react. We'll see if that did it ...
>
>
> A few pieces of advice that are always good:
>
>  - Make sure to check out the A5/1 project ML and the airprobe project ML, and try
>   to ask your questions on the proper mailing list as much as possible.
>  - Check the wiki and mailing list archives thoroughly before asking questions.
>
>
> Cheers,
>
>     Sylvain Munaut
>
>
> PS: I only posted on this list because it seems a lot of people were
> pointed here, while in fact airprobe would probably be more appropriate
> for discussing attack scenarios and such, so make sure to answer / start
> new discussions on the right list.
>
