From app at iki.fi Mon Dec 17 13:12:48 2012 From: app at iki.fi (Anssi Porttikivi) Date: Mon, 17 Dec 2012 05:12:48 -0800 (PST) Subject: Can't compile after last pull In-Reply-To: <1329120378294-3739436.post@n3.nabble.com> References: <1328769716758-3728600.post@n3.nabble.com> <4F33BFAC.3020106@steve-m.de> <1329120378294-3739436.post@n3.nabble.com> Message-ID: <1355749968271-4025529.post@n3.nabble.com> This also worked for me. As a beginner, I remind everybody to edit the files in "compal", not the ram.lds in "mediatek" like I first did after "find". -- View this message in context: http://baseband-devel.722152.n3.nabble.com/Can-t-compile-after-last-pull-tp3725729p4025529.html Sent from the baseband-devel mailing list archive at Nabble.com. From app at iki.fi Mon Dec 17 13:14:19 2012 From: app at iki.fi (Anssi Porttikivi) Date: Mon, 17 Dec 2012 05:14:19 -0800 (PST) Subject: Can't compile after last pull In-Reply-To: <1355749968271-4025529.post@n3.nabble.com> References: <1328769716758-3728600.post@n3.nabble.com> <4F33BFAC.3020106@steve-m.de> <1329120378294-3739436.post@n3.nabble.com> <1355749968271-4025529.post@n3.nabble.com> Message-ID: <1355750059745-4025530.post@n3.nabble.com> Uh, my reply was to the post with the LRAM and IRAM addresses. No hierarchy in threading on this forum? -- View this message in context: http://baseband-devel.722152.n3.nabble.com/Can-t-compile-after-last-pull-tp3725729p4025530.html Sent from the baseband-devel mailing list archive at Nabble.com. From 246tnt at gmail.com Thu Dec 20 22:26:24 2012 
From: 246tnt at gmail.com (Sylvain Munaut) Date: Thu, 20 Dec 2012 23:26:24 +0100 Subject: Can't compile after last pull In-Reply-To: <1355750059745-4025530.post@n3.nabble.com> References: <1328769716758-3728600.post@n3.nabble.com> <4F33BFAC.3020106@steve-m.de> <1329120378294-3739436.post@n3.nabble.com> <1355749968271-4025529.post@n3.nabble.com> <1355750059745-4025530.post@n3.nabble.com> Message-ID: > Uh, my reply was to the post with the LRAM and IRAM addresses. No hierarchy > in threading on this forum? It's not a forum, it's a mailing list ... And you should use sylvain/testing branch, it contains a revised build system that should work without modifications Cheers, Sylvain From zero-kelvin at gmx.de Mon Dec 3 10:30:17 2012 From: zero-kelvin at gmx.de (dexter) Date: Mon, 03 Dec 2012 11:30:17 +0100 Subject: Osmocom Berlin User Group meeting In-Reply-To: <20120818115942.GV29525@prithivi.gnumonks.org> References: <502d01a9.mirider@mirider.augusta.de> <20120818115942.GV29525@prithivi.gnumonks.org> Message-ID: <50BC7F39.3020107@gmx.de> Hi folks. This is the announcement for the next Osmocom Berlin meeting. Dec 05, 8pm @ CCC Berlin, Marienstr. 11, 10113 Berlin There is no formal presentation scheduled for this meeting. If you are interested to show up, feel free to do so. There is no registration required. The meeting is free as in "free beer", despite no actual free beer being around. Regards, Philipp Maier From peter at stuge.se Mon Dec 3 18:10:21 2012 
From: peter at stuge.se (Peter Stuge) Date: Mon, 3 Dec 2012 19:10:21 +0100 Subject: 29c3 GSM planning [was: Osmocom Berlin User Group meeting] In-Reply-To: <50BC7F39.3020107@gmx.de> References: <502d01a9.mirider@mirider.augusta.de> <20120818115942.GV29525@prithivi.gnumonks.org> <50BC7F39.3020107@gmx.de> Message-ID: <20121203181021.14684.qmail@stuge.se> dexter wrote: > Dec 05, 8pm @ CCC Berlin, Marienstr. 11, 10113 Berlin > > There is no formal presentation scheduled for this meeting. There will however be some discussion of the 29c3 field test of OpenBSC[1] and maybe even a bit of work done on the system that we used both at the last CCC Camp and at 28c3. For those who will participate at 29c3 but can't make it to CCCB on Wednesday we'll try to bridge between the meeting and the internets. //Peter [1] http://openbsc.osmocom.org/trac/wiki/FieldTests/29c3 (The wiki page will get some more updates in the next days.) From zero-kelvin at gmx.de Tue Dec 18 09:02:47 2012 From: zero-kelvin at gmx.de (dexter) Date: Tue, 18 Dec 2012 10:02:47 +0100 Subject: Osmocom Berlin User Group meeting In-Reply-To: <20120818115942.GV29525@prithivi.gnumonks.org> References: <502d01a9.mirider@mirider.augusta.de> <20120818115942.GV29525@prithivi.gnumonks.org> Message-ID: <50D03137.4020805@gmx.de> Hi folks. This is the announcement for the next Osmocom Berlin meeting. Dec 19, 8pm @ CCC Berlin, Marienstr. 11, 10113 Berlin There is no formal presentation scheduled for this meeting. If you are interested to show up, feel free to do so. There is no registration required. The meeting is free as in "free beer", despite no actual free beer being around. Regards, Philipp Maier From g.roelant at telenet.be Tue Dec 4 13:52:24 2012 
From: g.roelant at telenet.be (g.roelant at telenet.be) Date: Tue, 04 Dec 2012 14:52:24 +0100 (CET) Subject: Is airprobe still being developed? In-Reply-To: Message-ID: So in other words: if one would start to sniff GSM traffic, you would suggest a C123 instead of an Ettus USRP? ----- Original e-mail ----- From: "Sylvain Munaut" <246tnt at gmail.com> To: "Philip Peter" Cc: baseband-devel at lists.osmocom.org Sent: Wednesday 24 October 2012 16:18:28 Subject: Re: Is airprobe still being developed? Hi, >> pretty much abandoned >> > Has any replacement emerged? Not that I know of ... it's been on my TODO list for ... so long ... Everyone I know uses C123 for GSM sniffing, just easier and the demo algo works so much better than airprobe's ... Cheers, Sylvain From niceguy108 at gmail.com Sun Dec 2 06:49:34 2012
From: niceguy108 at gmail.com (Bhaskar11) Date: Sun, 2 Dec 2012 12:19:34 +0530 Subject: Possible bug in "gsm48_decode_lai" code Message-ID: <01aa01cdd059$43f3cb90$1100a8c0@notebook> While running the Cell-Log application, I found that the main branch of OsmocomBB gives the wrong value of MCC/MNC in hex (but the correct one in decimal), but the Sylvain testing branch gives the correct value. In practice this means compiling Cell-Log in the testing branch gives the name of the country, but compiling it in the main branch does not recognise the country. Other side-effects are unknown to me at present. Tracing through the source leads to "gsm48_decode_lai" as the culprit. The code seems correct in the testing branch, but has not been updated in main. Moreover, the code is shifted out from gsm48.c to sysinfo.c in the testing branch.

Testing branch decodes MCC/MNC to hex:

*mcc = ((lai->digits[0] & 0x0f) << 8) | (lai->digits[0] & 0xf0) | (lai->digits[1] & 0x0f);

But main branch decodes MCC/MNC to decimal:

*mcc = (lai->digits[0] & 0x0f) * 100 + (lai->digits[0] >> 4) * 10 + (lai->digits[1] & 0x0f);

The comment in the main branch states: "/* Attention: this function retunrs true integers, not hex! */". There is no such comment in the testing branch. So is this a problem because Cell_Log wrongly uses gsm48_decode_lai? Or does gsm48_decode_lai need to be updated in the main branch? B. From 246tnt at gmail.com Sun Dec 2 08:57:04 2012
From: 246tnt at gmail.com (Sylvain Munaut) Date: Sun, 2 Dec 2012 09:57:04 +0100 Subject: Possible bug in "gsm48_decode_lai" code In-Reply-To: <01aa01cdd059$43f3cb90$1100a8c0@notebook> References: <01aa01cdd059$43f3cb90$1100a8c0@notebook> Message-ID: On Sun, Dec 2, 2012 at 7:49 AM, Bhaskar11 wrote: > While running Cell-Log application, I found that the main branch of > OsmocomBB gives wrong value of MCC/MNC in hex (but correct one in decimal), > but the Sylvain testing branch gives correct value. Your branches are not up to date ... testing has only two commits added to it and they have nothing to do with gsm48_decode_lai. So please update and re-test. Now when looking at the history of this function, it looks very weird to me. You find:

----
commit a8ce4ea4696a385d18beb785eef8f510c6fed143
Author: Harald Welte
Date: Sat Sep 8 22:43:50 2012 +0200

layer23: gsm48_decode_lai() is now in libosmogsm
----

followed by:

----
commit 07f83456460a2cdb8d288ac647f04a5bc09dc1cf
Author: Andreas Eversberg
Date: Tue Oct 30 10:26:20 2012 +0100

Fixed decoding of hexadecimal LAI components

libosmocore has changed its LAI decoding from hex to decimal. This caused wrong decoding of MCC and MNC. In order to provide required hex transcoding, special hex encoding and decoding function are added to mobile/sysinfo.c.
----

and in libosmocore:

---
commit 774a9de8b36a53c9e4e4dca4efbb9944cd39ff65
Author: Harald Welte
Date: Fri Jul 13 21:35:13 2012 +0200

import gsm48_decode_lai() function from osmocom-bb/mobile sysinfo.c

commit a9250b9ebcdab7134e5d062e8ca37f9532eca5e8
Author: Harald Welte
Date: Fri Jul 13 22:57:31 2012 +0200

gsm48_decode_lai(): return real integers for mcc/mnc, not hex! This is to make it orthogonal with gsm48_encode_lai()
---

Now ... this looks a little bit like a SNAFU.
Now if the goal was to put common code in libosmocore, that didn't quite end up like that, because now osmocom-bb has a gsm48_decode_lai_hex function that does the exact same thing as the previous gsm48_decode_lai function and it doesn't use the libosmocore gsm48_decode_lai function at all. And having those two different interfaces looks silly to me ... So which one is the more practical? Cheers, Sylvain From andreas at eversberg.eu Tue Dec 4 17:48:21 2012 From: andreas at eversberg.eu (Andreas Eversberg) Date: Tue, 04 Dec 2012 18:48:21 +0100 Subject: Possible bug in "gsm48_decode_lai" code In-Reply-To: References: <01aa01cdd059$43f3cb90$1100a8c0@notebook> Message-ID: <50BE3765.6070205@eversberg.eu> Sylvain Munaut wrote: > Now ... this looks a little bit like a SNAFU. hi sylvain, i don't like having two functions with different results either. the problem is that osmocom-bb uses hex LAI everywhere, and openbsc uses decimal LAI. changing osmocom-bb would result in losing support for 3-digit MNCs. (02 is not 002 and neither 02x) harald mentioned to maybe change LAI at openbsc in the future, so 3-digit MNCs are correctly supported there too. then i would suggest to use hex MCC also. also it would make sense to move the "input" and "print" functions for hex type MCC/MNC to libosmocore too. regards, andreas From 246tnt at gmail.com Thu Dec 6 20:14:15 2012
From: 246tnt at gmail.com (Sylvain Munaut) Date: Thu, 6 Dec 2012 21:14:15 +0100 Subject: Possible bug in "gsm48_decode_lai" code In-Reply-To: <50BE3765.6070205@eversberg.eu> References: <01aa01cdd059$43f3cb90$1100a8c0@notebook> <50BE3765.6070205@eversberg.eu> Message-ID: > i don't like having two functions with different results either. the problem is > that osmocom-bb uses hex LAI everywhere, and openbsc uses decimal LAI. > changing osmocom-bb would result in losing support for 3-digit MNCs. (02 is > not 002 and neither 02x) harald mentioned to maybe change LAI at openbsc in > the future, so 3-digit MNCs are correctly supported there too. then i would > suggest to use hex MCC also. also it would make sense to move the "input" > and "print" functions for hex type MCC/MNC to libosmocore too. Ok, thanks for the explanation, that makes it clear why, and this certainly indicates that the hex versions are the "right" way. Then I'd suggest to put both the encode_hex and decode_hex versions in libosmocore and put a note deprecating use of the decimal versions, since they can't be used to support all MNC/MCC combinations like they should. This way we avoid writing new software against functions that have these limitations. Sounds good to everyone? If no objections, I'll do that. Cheers, Sylvain From laforge at gnumonks.org Thu Dec 6 20:34:37 2012
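Andreas's "02 is not 002" point and Sylvain's decimal-versus-hex comparison above, as an added worked example in C. This is example code written for this page, not code from libosmocore or osmocom-bb: it takes the two MCC formulas quoted in Bhaskar's first mail and, as this example's own assumption, applies the same two conventions to the MNC. struct lai_digits, lai_encode(), mnc_hex_str() and the plmn_*() wrappers are helpers invented here, and the MCC 262 PLMNs are constructed sample input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The MCC/MNC part of a LAI as coded on the air (TS 24.008 10.5.1.3):
 * three packed-BCD octets, low nibble = first digit of the pair.
 *   digits[0] = MCC digit 2 | MCC digit 1
 *   digits[1] = MNC digit 3 | MCC digit 3   (MNC digit 3 = 0xF for a 2-digit MNC)
 *   digits[2] = MNC digit 2 | MNC digit 1
 * Constructed for this example; not libosmocore's own LAI struct. */
struct lai_digits {
	uint8_t digits[3];
};

/* Build the three octets from digit strings such as ("262", "02") or ("262", "002"). */
void lai_encode(struct lai_digits *lai, const char *mcc, const char *mnc)
{
	uint8_t mnc3 = (strlen(mnc) == 3) ? (uint8_t)(mnc[2] - '0') : 0xF;

	lai->digits[0] = (uint8_t)(((mcc[1] - '0') << 4) | (mcc[0] - '0'));
	lai->digits[1] = (uint8_t)((mnc3 << 4) | (mcc[2] - '0'));
	lai->digits[2] = (uint8_t)(((mnc[1] - '0') << 4) | (mnc[0] - '0'));
}

/* Decimal convention: the main-branch MCC formula quoted in the thread, with the
 * MNC handled the same way (the MNC half is this example's assumption).
 * The 0xF filler is consumed, so MNC "02" and "002" both become 2. */
void lai_decode_decimal(const struct lai_digits *lai, uint16_t *mcc, uint16_t *mnc)
{
	*mcc = (lai->digits[0] & 0x0f) * 100
	     + (lai->digits[0] >> 4) * 10
	     + (lai->digits[1] & 0x0f);

	if ((lai->digits[1] & 0xf0) == 0xf0)		/* 2-digit MNC */
		*mnc = (lai->digits[2] & 0x0f) * 10
		     + (lai->digits[2] >> 4);
	else						/* 3-digit MNC */
		*mnc = (lai->digits[2] & 0x0f) * 100
		     + (lai->digits[2] >> 4) * 10
		     + (lai->digits[1] >> 4);
}

/* Hex convention: the testing-branch MCC formula quoted in the thread, with the
 * MNC handled the same way (again this example's assumption). Every digit keeps
 * its own nibble, so the 0xF filler survives: "02" -> 0x02F, "002" -> 0x002. */
void lai_decode_hex(const struct lai_digits *lai, uint16_t *mcc, uint16_t *mnc)
{
	*mcc = ((lai->digits[0] & 0x0f) << 8)
	     |  (lai->digits[0] & 0xf0)
	     |  (lai->digits[1] & 0x0f);
	*mnc = ((lai->digits[2] & 0x0f) << 8)
	     |  (lai->digits[2] & 0xf0)
	     |  (lai->digits[1] >> 4);
}

/* Print a hex-convention MNC with its original number of digits: the 0xF in the
 * low nibble marks the 2-digit form. Returns a static buffer. */
const char *mnc_hex_str(uint16_t mnc)
{
	static char buf[4];

	if ((mnc & 0x00f) == 0x00f)
		snprintf(buf, sizeof(buf), "%02x", mnc >> 4);
	else
		snprintf(buf, sizeof(buf), "%03x", mnc);
	return buf;
}

/* Decode one PLMN under each convention and pack MCC and MNC into a single value
 * so the two can be compared: decimal -> mcc * 1000 + mnc, hex -> (mcc << 12) | mnc. */
uint32_t plmn_decimal(const char *mcc, const char *mnc)
{
	struct lai_digits lai;
	uint16_t m, n;

	lai_encode(&lai, mcc, mnc);
	lai_decode_decimal(&lai, &m, &n);
	return (uint32_t)m * 1000 + n;
}

uint32_t plmn_hex(const char *mcc, const char *mnc)
{
	struct lai_digits lai;
	uint16_t m, n;

	lai_encode(&lai, mcc, mnc);
	lai_decode_hex(&lai, &m, &n);
	return ((uint32_t)m << 12) | n;
}

/* 1 if the decimal decoding maps two different MNCs of one MCC to the same value. */
int decimal_collides(const char *mnc_a, const char *mnc_b)
{
	return plmn_decimal("262", mnc_a) == plmn_decimal("262", mnc_b);
}

int main(void)
{
	const char *mncs[] = { "02", "002", "20" };	/* constructed sample PLMNs */
	size_t i;

	for (i = 0; i < sizeof(mncs) / sizeof(mncs[0]); i++)
		printf("MNC %-3s  decimal %06u  hex %06x (prints as %s)\n", mncs[i],
		       (unsigned)plmn_decimal("262", mncs[i]),
		       (unsigned)plmn_hex("262", mncs[i]),
		       mnc_hex_str((uint16_t)(plmn_hex("262", mncs[i]) & 0xfff)));
	return 0;
}
```

Run stand-alone it prints one line per MNC; the decimal column is identical for 02 and 002 while the hex column is not. That is the loss Andreas describes: once the 0xF filler has been folded into an integer, nothing in the value says how many digits to put back on the air, whereas the nibble form can be printed back with the right width by looking at its low nibble.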
From: laforge at gnumonks.org (Harald Welte) Date: Thu, 6 Dec 2012 21:34:37 +0100 Subject: Possible bug in "gsm48_decode_lai" code In-Reply-To: References: <01aa01cdd059$43f3cb90$1100a8c0@notebook> <50BE3765.6070205@eversberg.eu> Message-ID: <20121206203437.GI7055@prithivi.gnumonks.org> On Thu, Dec 06, 2012 at 09:14:15PM +0100, Sylvain Munaut wrote: > Then I'd suggest to put both encode_hex decode_hex version in > libosmocore and put a note deprecating use of the decimal version > since they can't be used to support all mnc/mcc combination like they > should. This way we avoid writing new software against functions that > have these limitations. agreed. > Sounds good to everyone ? If no objections, I'll do that. yes. Will you also check for any users of the decimal version and convert them to the hex version? Regards, Harald -- - Harald Welte http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6) From akibsayyed at gmail.com Sun Dec 2 07:27:52 2012 From: akibsayyed at gmail.com (Akib Sayyed) Date: Sun, 2 Dec 2012 10:27:52 +0300 Subject: Simulator Message-ID: Guys, I want to test my code for errors. I want to know: is there any simulator for Calypso? Please let me know. -- Akib Sayyed Matrix-Shell akibsayyed at gmail.com akibsayyed at matrixshell.com Mob:- +91-966-514-2243 From Max.Suraev at fairwaves.ru Wed Dec 5 19:36:35 2012
From: Max.Suraev at fairwaves.ru (☎) Date: Wed, 05 Dec 2012 20:36:35 +0100 Subject: [PATCH] Add a5/3 support. Message-ID: <50BFA243.9070706@fairwaves.ru> Hello. The attached patch will bring A5/3 support to osmo_a5. The implementation is done based on the spec; results are compared to the reference implementation from the standard and test vectors. Unfortunately there are several deficiencies: - it doesn't work with a real phone in a test network yet - no tests included - code is probably suboptimal here and there Anyway I would love to read your comments. It would be especially great if someone manages to test it against real phones in an actual network. -- best regards, Max, http://fairwaves.ru From 246tnt at gmail.com Thu Dec 6 07:24:23 2012
From: 246tnt at gmail.com (Sylvain Munaut) Date: Thu, 6 Dec 2012 08:24:23 +0100 Subject: [PATCH] Add a5/3 support. In-Reply-To: <50BFA243.9070706@fairwaves.ru> References: <50BFA243.9070706@fairwaves.ru> Message-ID: > Attached patch will bring a5/3 support to osmo_a5. The implementation is done based on > spec, results are compared to reference implementation from standard and test vectors. > > Unfortunately there are several deficiencies: > - it doesn't work with real phone in test network yet Maybe you need to accept the 8 bytes of the key in the inverse order. There is always a mixup there because different specs refer to the key in different order, and in osmo_a5() we want the key in the same order as we received it from the SIM. > - no tests included Adding a test vector to ../../tests/a5/a5_test.c should be trivial. That test is far from exhaustive but it does show gross errors. > Anyway I would love to read your comments. It would be especially great if someone > will manage to test it against real phones in actual network. I think it'd be useful to split the Kasumi impl into its own file, so that we can use it to implement the GEA3 GPRS cipher as well. Also, use TAB for indentation, that's the proper style in osmocom projects (basically the kernel coding style). I extracted and merged the return -ENOTSUP part of this patch. Cheers, Sylvain From laforge at gnumonks.org Thu Dec 6 10:43:04 2012
From: laforge at gnumonks.org (Harald Welte) Date: Thu, 6 Dec 2012 11:43:04 +0100 Subject: [PATCH] Add a5/3 support. In-Reply-To: Message-ID: <20121206104304.GN7055@prithivi.gnumonks.org> On Thu, Dec 06, 2012 at 08:24:23AM +0100, Sylvain Munaut wrote: > I think it'd be useful to split the kasumi impl in its own file, so > that we can use it to implement GEA3 GPRS cipher as well. please note that there is already a libosmo-crypt-a53 (http://cgit.osmocom.org/cgit/libosmo-crypt-a53) which implements A5/3 and GEA3. However, it's based on the reference code, which may be problematic to distribute. I believe Erik Tews was working on a clean re-implementation without copyrighted reference code, but I'm not sure what the result of it was (maybe I don't remember). There -- - Harald Welte http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6) From Max.Suraev at fairwaves.ru Thu Dec 6 13:11:18 2012
From: Max.Suraev at fairwaves.ru (☎) Date: Thu, 06 Dec 2012 14:11:18 +0100 Subject: [PATCH] Add a5/3 support. In-Reply-To: <20121206104304.GN7055@prithivi.gnumonks.org> References: <20121206104304.GN7055@prithivi.gnumonks.org> Message-ID: <50C09976.3010308@fairwaves.ru> 06.12.2012 11:43, Harald Welte wrote: > On Thu, Dec 06, 2012 at 08:24:23AM +0100, Sylvain Munaut wrote: >> I think it'd be useful to split the kasumi impl in its own file, so >> that we can use it to implement GEA3 GPRS cipher as well. I'd do that in the 2nd version of the patch: both Kasumi and KGcore functions are shared, so it makes sense. > please note that there is already a libosmo-crypt-a53 > (http://cgit.osmocom.org/cgit/libosmo-crypt-a53) which implements A5/3 > and GEA3. However, it's based on the reference code, which may be > problematic to distribute. Awesome, I can use it for easier testing :) Are there build instructions somewhere? Has it been tested against actual phones? > -- best regards, Max, http://fairwaves.ru From 246tnt at gmail.com Thu Dec 6 13:41:07 2012
From: 246tnt at gmail.com (Sylvain Munaut) Date: Thu, 6 Dec 2012 14:41:07 +0100 Subject: [PATCH] Add a5/3 support. In-Reply-To: <50C09976.3010308@fairwaves.ru> References: <20121206104304.GN7055@prithivi.gnumonks.org> <50C09976.3010308@fairwaves.ru> Message-ID: Hi, >>> I think it'd be useful to split the kasumi impl in its own file, so >>> that we can use it to implement GEA3 GPRS cipher as well. > I'd do that in 2nd version of a patch: both Kasumi and KGcore functions are shared so > it makes sense. Also, please put any internal method as 'static' so we can avoid polluting the namespace. >> please note that there is already a libosmo-crypt-a53 >> (http://cgit.osmocom.org/cgit/libosmo-crypt-a53) which implements A5/3 >> and GEA3. However, it's based on the reference code, which may be >> problematic to distribute. > Awesome, I can use it for easier testing :) > Are there build instructions somewhere? Has it been tested against actual phones? It's automake ... I think GEA3 has been tested, but not A5/3. It doesn't even integrate with the osmo_a5(...) functions. GPRS cipher and auth use a sort of plugin system, mostly because the algorithms used in there are still secret and so the implementation is sometimes provided by external devices / libraries / processes. For the A5/x ciphers, they're all public so they use direct linking and not a dynamic plugin system. Cheers, Sylvain From Max.Suraev at fairwaves.ru Thu Dec 6 16:38:02 2012
From: Max.Suraev at fairwaves.ru (☎) Date: Thu, 06 Dec 2012 17:38:02 +0100 Subject: [PATCH] Add a5/3 support. In-Reply-To: References: <20121206104304.GN7055@prithivi.gnumonks.org> <50C09976.3010308@fairwaves.ru> Message-ID: <50C0C9EA.7040605@fairwaves.ru> 06.12.2012 14:41, Sylvain Munaut wrote: > Hi, > >>>> I think it'd be useful to split the kasumi impl in its own file, so >>>> that we can use it to implement GEA3 GPRS cipher as well. >> I'd do that in 2nd version of a patch: both Kasumi and KGcore functions are shared so >> it makes sense. > > Also, please put any internal method as 'static' so we can avoid > polluting the namespace. Done. I still didn't manage to make it work with phones, but now the patch is split into logical parts so I hope at least some of the code will be useful. I've tried to compile libosmo-crypt-a53 but got a multitude of errors like:

configure.in:5: error: possibly undefined macro: AM_INIT_AUTOMAKE
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
configure.in:15: error: possibly undefined macro: AC_PROG_LIBTOOL
configure.in:35: error: possibly undefined macro: AM_CONFIG_HEADER

and ./configure

./configure: line 1979: syntax error near unexpected token `dist-bzip2'
./configure: line 1979: `AM_INIT_AUTOMAKE(dist-bzip2)'

Anyway, this is exactly the version from the standards against which I've already tested mine. I do not want to add any test vectors until I make the code compatible with real phones. -- best regards, Max, http://fairwaves.ru From Max.Suraev at fairwaves.ru Thu Dec 6 16:23:51 2012 From: Max.Suraev at fairwaves.ru (Max Suraev) Date: Thu, 6 Dec 2012 17:23:51 +0100 Subject: [PATCH 1/3] Add helper functions for a5/3. Message-ID: --- include/osmocom/core/bits.h | 14 +++++++++++++- src/bits.c | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/include/osmocom/core/bits.h b/include/osmocom/core/bits.h index 4c68532..29a99ff 100644 --- a/include/osmocom/core/bits.h +++ b/include/osmocom/core/bits.h @@ -2,7 +2,7 @@ #define _OSMO_BITS_H #include - +#include /*! \defgroup bits soft, unpacked and packed bits * @{ */ @@ -73,6 +73,18 @@ uint32_t osmo_revbytebits_8(uint8_t x); /* \brief reverse the bits of each byte in a given buffer */ void osmo_revbytebits_buf(uint8_t *buf, int len); +/* \brief reverse the order of the bytes in a given buffer */ +void osmo_revbytes_buf(uint8_t *buf, size_t len); + +/* \brief left circular shift */ +uint16_t rol16(uint16_t in, unsigned shift); + +/* return 2 bytes from a given array glued into single uint16_t */ +uint16_t osmo_get2bytes(uint8_t *a); + +/* convert uint64_t into array of 8 bytes in out */ +void osmo_64pack2pbit(uint64_t in, pbit_t *out); + /*! @} */ #endif /* _OSMO_BITS_H */ diff --git a/src/bits.c b/src/bits.c index 4c67bdd..1df332b 100644 --- a/src/bits.c +++ b/src/bits.c 
@@ -185,4 +185,37 @@ void osmo_revbytebits_buf(uint8_t *buf, int len) } } +void osmo_revbytes_buf(uint8_t *buf, size_t len) +{ + uint8_t *end = buf + len - 1, tmp; + + while (buf < end) { + tmp = *buf; + *buf++ = *end; + *end-- = tmp; + } +} + +/* left circular shift */ +uint16_t rol16(uint16_t in, unsigned shift) +{ + return (in << shift) | (in >> (16 - shift)); +} + +/* return 2 bytes from a given array glued into single uint16_t */ +uint16_t osmo_get2bytes(uint8_t *a) +{ /* UNSAFE! Do NOT use unless you know what you are doing! */ + return (uint16_t)((((uint16_t)a[0]) << 8) + (uint16_t)a[1]); +} + +/* convert uint64_t into array of 8 bytes in out */ +void osmo_64pack2pbit(uint64_t in, pbit_t *out) +{ + int i; + for (i = 7; i >=0; i--) { + out[i] = in & 0xFF; + in >>= 8; + } +} + /*! @} */ -- 1.7.10.4 --------------000004050908040808070403 Content-Type: text/x-patch; name="0002-Add-Kasumi-implementation.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0002-Add-Kasumi-implementation.patch" From Max.Suraev at fairwaves.ru Thu Dec 6 16:24:59 2012 From: Max.Suraev at fairwaves.ru (Max Suraev) Date: Thu, 6 Dec 2012 17:24:59 +0100 Subject: [PATCH 2/3] Add Kasumi implementation. Message-ID: --- include/Makefile.am | 1 + include/osmocom/gsm/kasumi.h | 25 ++++++ src/gsm/Makefile.am | 2 +- src/gsm/kasumi.c | 192 ++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 219 insertions(+), 1 deletion(-) create mode 100644 include/osmocom/gsm/kasumi.h create mode 100644 src/gsm/kasumi.c diff --git a/include/Makefile.am b/include/Makefile.am index 60b9ea9..d6f262d 100644 --- a/include/Makefile.am +++ b/include/Makefile.am @@ -38,6 +38,7 @@ nobase_include_HEADERS = \ osmocom/gprs/protocol/gsm_08_16.h \ osmocom/gprs/protocol/gsm_08_18.h \ osmocom/gsm/a5.h \ + osmocom/gsm/kasumi.h \ osmocom/gsm/abis_nm.h \ osmocom/gsm/comp128.h \ osmocom/gsm/gan.h \ 
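Review bot: in the include/osmocom/core/bits.h hunk of PATCH 1/3, rol16() is declared in an installed libosmocore header without the osmo_ prefix that every other symbol there carries (osmo_revbytebits_buf, osmo_revbytes_buf, osmo_get2bytes, osmo_64pack2pbit); a generic name like rol16 in a public header will clash with any application that defines its own. Rename it osmo_rol16() or keep it static in kasumi.c, its only user. In the same hunk osmo_get2bytes(uint8_t *a) only reads from a and should take const uint8_t *, and its one-line comment should say what the bits.c body only hints at: it reads two bytes big-endian and the caller must guarantee both lie inside the buffer.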
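Review bot: in the src/bits.c hunk of PATCH 1/3, osmo_revbytes_buf() evaluates uint8_t *end = buf + len - 1 before looking at len, so a zero-length buffer forms a pointer before the start of the array; add an early return for len < 2. rol16() has no guard on shift: a value above 16 makes the count of the right shift negative, which is undefined in C; Kasumi only uses 1, 5, 8 and 13, so either document the 1..15 range on the declaration or keep the helper private. The "UNSAFE! Do NOT use unless you know what you are doing!" remark on osmo_get2bytes() sits in the .c file where no user of the header will see it; move it to the declaration. osmo_64pack2pbit() looks right.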
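Review bot: in the include/Makefile.am hunk of PATCH 2/3, osmocom/gsm/kasumi.h is added between a5.h and abis_nm.h, which breaks the alphabetical order of nobase_include_HEADERS; put it in sorted position further down the list.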
diff --git a/include/osmocom/gsm/kasumi.h b/include/osmocom/gsm/kasumi.h new file mode 100644 index 0000000..39d8b8a --- /dev/null +++ b/include/osmocom/gsm/kasumi.h @@ -0,0 +1,25 @@ +/* + * COMP128 header + * + * See comp128.c for details + */ + +#ifndef __KASUMI_H__ +#define __KASUMI_H__ + +#include + +/* + * Implementation of the KGCORE algorithm (used by A3/5, GEA3 and ECSD) + * + * CA : uint8_t + * cb : uint8_t + * cc : uint32_t + * cd : uint8_t + * ck : uint8_t [8] + * co : uint8_t [output, cl-dependent] + * cl : uint16_t + */ +void kgcore(uint8_t CA, uint8_t cb, uint32_t cc, uint8_t cd, uint8_t *ck, uint8_t *co, uint16_t cl); +#endif /* __KASUMI_H__ */ + diff --git a/src/gsm/Makefile.am b/src/gsm/Makefile.am index 0544e0a..c30a70c 100644 --- a/src/gsm/Makefile.am +++ b/src/gsm/Makefile.am @@ -12,7 +12,7 @@ noinst_HEADERS = milenage/aes.h milenage/aes_i.h milenage/aes_wrap.h \ lib_LTLIBRARIES = libosmogsm.la -libosmogsm_la_SOURCES = a5.c rxlev_stat.c tlv_parser.c comp128.c gsm_utils.c \ +libosmogsm_la_SOURCES = a5.c kasumi.c rxlev_stat.c tlv_parser.c comp128.c gsm_utils.c \ rsl.c gsm48.c gsm48_ie.c gsm0808.c sysinfo.c \ gprs_cipher_core.c gsm0480.c abis_nm.c gsm0502.c \ gsm0411_utils.c gsm0411_smc.c gsm0411_smr.c \ diff --git a/src/gsm/kasumi.c b/src/gsm/kasumi.c new file mode 100644 index 0000000..27015f8 --- /dev/null +++ b/src/gsm/kasumi.c 
@@ -0,0 +1,192 @@ +/* Kasumi cipher and KGcore functions */ + +/* (C) 2012 by Max.Suraev at fairwaves.ru + * + * All Rights Reserved + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + */ + +#include +#include + +static uint16_t +_kasumi_FI(uint16_t I, uint16_t skey) +{ + static uint16_t S7[] = { + 54, 50, 62, 56, 22, 34, 94, 96, 38, 6, 63, 93, 2, 18, 123, 33, + 55, 113, 39, 114, 21, 67, 65, 12, 47, 73, 46, 27, 25, 111, 124, 81, + 53, 9, 121, 79, 52, 60, 58, 48, 101, 127, 40, 120, 104, 70, 71, 43, + 20, 122, 72, 61, 23, 109, 13, 100, 77, 1, 16, 7, 82, 10, 105, 98, + 117, 116, 76, 11, 89, 106, 0,125,118, 99, 86, 69, 30, 57, 126, 87, + 112, 51, 17, 5, 95, 14, 90, 84, 91, 8, 35,103, 32, 97, 28, 66, + 102, 31, 26, 45, 75, 4, 85, 92, 37, 74, 80, 49, 68, 29, 115, 44, + 64, 107, 108, 24, 110, 83, 36, 78, 42, 19, 15, 41, 88, 119, 59, 3 + }; + static uint16_t S9[] = { + 167, 239, 161, 379, 391, 334, 9, 338, 38, 226, 48, 358, 452, 385, 90, 397, + 183, 253, 147, 331, 415, 340, 51, 362, 306, 500, 262, 82, 216, 159, 356, 177, + 175, 241, 489, 37, 206, 17, 0, 333, 44, 254, 378, 58, 143, 220, 81, 400, + 95, 3, 315, 245, 54, 235, 218, 405, 472, 264, 172, 494, 371, 290, 399, 76, + 165, 197, 395, 121, 257, 480, 423, 212, 240, 28, 462, 176, 406, 507, 288, 223, + 501, 407, 249, 265, 89, 186, 221, 428,164, 74, 
440, 196, 458, 421, 350, 163, + 232, 158, 134, 354, 13, 250, 491, 142,191, 69, 193, 425, 152, 227, 366, 135, + 344, 300, 276, 242, 437, 320, 113, 278, 11, 243, 87, 317, 36, 93, 496, 27, + 487, 446, 482, 41, 68, 156, 457, 131, 326, 403, 339, 20, 39, 115, 442, 124, + 475, 384, 508, 53, 112, 170, 479, 151, 126, 169, 73, 268, 279, 321, 168, 364, + 363, 292, 46, 499, 393, 327, 324, 24, 456, 267, 157, 460, 488, 426, 309, 229, + 439, 506, 208, 271, 349, 401, 434, 236, 16, 209, 359, 52, 56, 120, 199, 277, + 465, 416, 252, 287, 246, 6, 83, 305, 420, 345, 153,502, 65, 61, 244, 282, + 173, 222, 418, 67, 386, 368, 261, 101, 476, 291, 195,430, 49, 79, 166, 330, + 280, 383, 373, 128, 382, 408, 155, 495, 367, 388, 274, 107, 459, 417, 62, 454, + 132, 225, 203, 316, 234, 14, 301, 91, 503, 286, 424, 211, 347, 307, 140, 374, + 35, 103, 125, 427, 19, 214, 453, 146, 498, 314, 444, 230, 256, 329, 198, 285, + 50, 116, 78, 410, 10, 205, 510, 171, 231, 45, 139, 467, 29, 86, 505, 32, + 72, 26, 342, 150, 313, 490, 431, 238, 411, 325, 149, 473, 40, 119, 174, 355, + 185, 233, 389, 71, 448, 273, 372, 55, 110, 178, 322, 12, 469, 392, 369, 190, + 1, 109, 375, 137, 181, 88, 75, 308, 260, 484, 98, 272, 370, 275, 412, 111, + 336, 318, 4, 504, 492, 259, 304, 77, 337, 435, 21, 357, 303, 332, 483, 18, + 47, 85, 25, 497, 474, 289, 100, 269, 296, 478, 270, 106, 31, 104, 433, 84, + 414, 486, 394, 96, 99, 154, 511, 148, 413, 361, 409, 255, 162, 215, 302, 201, + 266, 351, 343, 144, 441, 365, 108, 298, 251, 34, 182, 509, 138, 210, 335, 133, + 311, 352, 328, 141, 396, 346, 123, 319, 450, 281, 429, 228, 443, 481, 92, 404, + 485, 422, 248, 297, 23, 213, 130, 466, 22, 217, 283, 70, 294, 360, 419, 127, + 312, 377, 7, 468, 194, 2, 117, 295, 463, 258, 224, 447, 247, 187, 80, 398, + 284, 353, 105, 390, 299, 471, 470, 184, 57, 200, 348, 63, 204, 188, 33, 451, + 97, 30, 310, 219, 94, 160, 129, 493, 64, 179, 263, 102, 189, 207, 114, 402, + 438, 477, 387, 122, 192, 42, 381, 5, 145, 118, 180, 449, 293, 323, 136, 380, + 
43, 66, 60, 455, 341, 445, 202, 432, 8, 237, 15, 376, 436, 464, 59, 461 + }; + uint16_t L, R; + + /* Split 16 bit input into two unequal halves: 9 and 7 bits, same for subkey */ + L = I >> 7; /* take 9 bits */ + R = I & 0x7F; /* take 7 bits */ + + L = S9[L] ^ R; + R = S7[R] ^ (L & 0x7F); + + L ^= (skey & 0x1FF); + R ^= (skey >> 9); + + L = S9[L] ^ R; + R = S7[R] ^ (L & 0x7F); + + return (R << 9) + L; +} + +static uint32_t +_kasumi_FO(uint32_t I, uint16_t *KOi1, uint16_t *KOi2, uint16_t *KOi3, uint16_t *KIi1, uint16_t *KIi2, uint16_t *KIi3, unsigned i) +{ + uint16_t L = I >> 16, R = I; /* Split 32 bit input into Left and Right parts */ + + L ^= KOi1[i]; + L = _kasumi_FI(L, KIi1[i]); + L ^= R; + + R ^= KOi2[i]; + R = _kasumi_FI(R, KIi2[i]); + R ^= L; + + L ^= KOi3[i]; + L = _kasumi_FI(L, KIi3[i]); + L ^= R; + + return (((uint32_t)R) << 16) + L; +} + +static uint32_t +_kasumi_FL(uint32_t I, uint16_t *KLi1, uint16_t *KLi2, unsigned i) +{ + uint16_t L = I >> 16, R = I, tmp; /* Split 32 bit input into Left and Right parts */ + + tmp = L & KLi1[i]; + R ^= rol16(tmp, 1); + + tmp = R | KLi2[i]; + L ^= rol16(tmp, 1); + + return (((uint32_t)L) << 16) + R; +} + +static uint64_t +_kasumi(uint64_t P, uint16_t *KLi1, uint16_t *KLi2, uint16_t *KOi1, uint16_t *KOi2, uint16_t *KOi3, uint16_t *KIi1, uint16_t *KIi2, uint16_t *KIi3) +{ + uint32_t i, L = P >> 32, R = P; /* Split 64 bit input into Left and Right parts */ + + for (i = 0; i < 8; i++) + { + R ^= _kasumi_FO(_kasumi_FL(L, KLi1, KLi2, i), KOi1, KOi2, KOi3, KIi1, KIi2, KIi3, i); /* odd round */ + i++; + L ^= _kasumi_FL(_kasumi_FO(R, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3, i), KLi1, KLi2, i); /* even round */ + } + return (((uint64_t)L) << 32) + R; /* Concatenate Left and Right 32 bits into 64 bit ciphertext */ +} + +/*! 
\brief Expand key into set of subkeys + * \param[in] key (128 bits) as array of bytes + * \param[out] arrays of round-specific subkeys - see TS 135 202 for details + */ +static void +_kasumi_key_expand(uint8_t *key, uint16_t *KLi1, uint16_t *KLi2, uint16_t *KOi1, uint16_t *KOi2, uint16_t *KOi3, uint16_t *KIi1, uint16_t *KIi2, uint16_t *KIi3) +{ + uint16_t i, C[] = { 0x0123, 0x4567, 0x89AB, 0xCDEF, 0xFEDC, 0xBA98, 0x7654, 0x3210 }; + + for (i = 0; i < 8; i++) /* Work with 16 bit subkeys and create prime subkeys */ + { + C[i] ^= osmo_get2bytes(key + i * 2); + } + /* C[] now stores K-prime[] */ + for (i = 0; i < 8; i++) /* Create round-specific subkeys */ + { + KLi1[i] = rol16(osmo_get2bytes(key + i * 2), 1); + KLi2[i] = C[(i + 2) & 0x7]; + + KOi1[i] = rol16(osmo_get2bytes(key + ((2 * (i + 1)) & 0xE)), 5); + KOi2[i] = rol16(osmo_get2bytes(key + ((2 * (i + 5)) & 0xE)), 8); + KOi3[i] = rol16(osmo_get2bytes(key + ((2 * (i + 6)) & 0xE)), 13); + + KIi1[i] = C[(i + 4) & 0x7]; + KIi2[i] = C[(i + 3) & 0x7]; + KIi3[i] = C[(i + 7) & 0x7]; + } +} + +void +kgcore(uint8_t CA, uint8_t cb, uint32_t cc, uint8_t cd, uint8_t *ck, uint8_t *co, uint16_t cl) +{ + uint16_t KLi1[8], KLi2[8], KOi1[8], KOi2[8], KOi3[8], KIi1[8], KIi2[8], KIi3[8], i; + uint64_t A = ((uint64_t)cc) << 32, BLK = 0, _ca = ((uint64_t)CA << 16) ; + A |= _ca; + _ca = (uint64_t)((cb << 3) | (cd << 2)) << 24; + A |= _ca; + /* Register loading complete: see TR 55.919 8.2 and TS 55.216 3.2 */ + + uint8_t ck_km[16]; + for (i = 0; i < 16; i++) ck_km[i] = ck[i] ^ 0x55; /* Modified key established */ + + /* preliminary round with modified key */ + _kasumi_key_expand(ck_km, KLi1, KLi2, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3); + A = _kasumi(A, KLi1, KLi2, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3); + + /* Run Kasumi in OFB to obtain enough data for gamma. 
*/ + _kasumi_key_expand(ck, KLi1, KLi2, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3); + for (i = 0; i < cl / 64 + 1; i++) /* i is a block counter */ + { + BLK = _kasumi(A ^ i ^ BLK, KLi1, KLi2, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3); + osmo_64pack2pbit(BLK, co + (i * 8)); + } +} -- 1.7.10.4 --------------000004050908040808070403 Content-Type: text/x-patch; name="0003-Add-A5-3-support.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Add-A5-3-support.patch" From Max.Suraev at fairwaves.ru Thu Dec 6 16:25:35 2012 From: Max.Suraev at fairwaves.ru (Max Suraev) Date: Thu, 6 Dec 2012 17:25:35 +0100 Subject: [PATCH 3/3] Add A5/3 support. Message-ID: --- src/gsm/a5.c | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/src/gsm/a5.c b/src/gsm/a5.c index 93b22c7..5815aa7 100644 --- a/src/gsm/a5.c +++ b/src/gsm/a5.c @@ -39,6 +39,7 @@ #include #include #include +#include /*! \brief Main method to generate a A5/x cipher stream * \param[in] n Which A5/x method to use @@ -71,6 +72,10 @@ osmo_a5(int n, const uint8_t *key, uint32_t fn, ubit_t *dl, ubit_t *ul) osmo_a5_2(key, fn, dl, ul); break; + case 3: + osmo_a5_3(key, fn, dl, ul); + break; + default: /* a5/[4..7] not supported here/yet */ return -ENOTSUP; 
@@ -368,4 +373,42 @@ osmo_a5_2(const uint8_t *key, uint32_t fn, ubit_t *dl, ubit_t *ul) } } +/* ------------------------------------------------------------------------ */ +/* A5/3 */ +/* ------------------------------------------------------------------------ */ + +/*! \brief Generate a GSM A5/3 cipher stream + * \param[in] key 8 byte array for the key (as received from the SIM) + * \param[in] fn Frame number + * \param[out] dl Pointer to array of ubits to return Downlink cipher stream + * \param[out] ul Pointer to array of ubits to return Uplink cipher stream + * + * Either (or both) of dl/ul should be NULL if not needed. + * + * Implementation based on specifications from 3GPP TS 55.216, 3GPP TR 55.919 and ETSI TS 135 202 + * with slight simplifications (CE hardcoded to 0). + */ +void +osmo_a5_3(const uint8_t *key, uint32_t fn, ubit_t *dl, ubit_t *ul) +{ + /* internal function require 128 bit key so we expand by concatenating supplied 64 bit key */ + uint8_t i, ck[16], gamma[32], _key[8]; + memcpy(_key, key, 8); + osmo_revbytes_buf(_key, 8); /* reverse key byte order to match the way it's stored in SIM */ + memcpy(ck, _key, 8); + memcpy(ck + 8, _key, 8); + + uint32_t fn_count = osmo_a5_fn_count(fn); /* Frame count load */ + if (dl) { + kgcore(0xF, 0, fn_count, 0, ck, gamma, 114); + osmo_pbit2ubit(dl, gamma, 114); + } + if (ul) { + kgcore(0xF, 0, fn_count, 0, ck, gamma, 228); + uint8_t uplink[15]; + for(i = 0; i < 15; i++) uplink[i] = (gamma[i + 14] << 2) + (gamma[i + 15] >> 6); + osmo_pbit2ubit(ul, uplink, 114); + } +} + /*! @} */ -- 1.7.10.4 --------------000004050908040808070403-- From e_tews at seceng.informatik.tu-darmstadt.de Thu Dec 6 14:06:46 2012 
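Review bot: in the kgcore hunk, the OFB loop `for (i = 0; i < cl / 64 + 1; i++)` emits `cl / 64 + 1` blocks, so for a `cl` that is a multiple of 64 it writes one 8 byte block more than the keystream needs, and nothing documents that `co` must hold `(cl / 64 + 1) * 8` bytes; the only caller, osmo_a5_3, passes a 32 byte `gamma` and relies on that arithmetic for `cl = 228`. Suggest `(cl + 63) / 64` for the block count and a `\param[out] co` line in the doxygen header stating the required buffer size. `ck` in kgcore and `key` in _kasumi_key_expand are only read, so `const uint8_t *` would document that and match the `const uint8_t *key` osmo_a5() already takes.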
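Review bot: in the osmo_a5_3 hunk, `osmo_revbytes_buf(_key, 8)` reverses the key that osmo_a5() hands to osmo_a5_2 and osmo_a5_3 unchanged, and the comment ("to match the way it's stored in SIM") does not say which byte order callers are expected to pass; the patch adds no test, so neither the reversal nor the KASUMI core is checked against the published A5/3 test data for TS 55.216. Suggest documenting the expected `key` byte order in the doxygen header and adding the specification test sets to the test suite before merging. Also, when both `dl` and `ul` are requested, kgcore runs twice; the second run with `cl = 228` already yields the downlink keystream in `gamma[0..14]`, so a single call could serve both outputs.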
From: e_tews at seceng.informatik.tu-darmstadt.de (Erik Tews)
Date: Thu, 06 Dec 2012 15:06:46 +0100
Subject: [PATCH] Add a5/3 support.
In-Reply-To: <20121206104304.GN7055@prithivi.gnumonks.org>
References: <20121206104304.GN7055@prithivi.gnumonks.org>
Message-ID: <1354802806.8173.1.camel@lima>

On Thursday, 06.12.2012, 11:43 +0100, Harald Welte wrote:
>
> I believe Erik Tews was working on a clean re-implementation without
> copyrighted reference code, but I'm not sure what was the result of it
> (maybe I don't remember)

Hi

Yes, a student started working on the project. However, unfortunately just before she was about to finish, a colleague decided to change the schedule and she had to speed up her work. As a result, I would not recommend to use the code. Also I should add, I wasn't ever able to use the code by myself :-(

From Max.Suraev at fairwaves.ru Thu Dec 6 16:39:49 2012
From: Max.Suraev at fairwaves.ru (☎)
Date: Thu, 06 Dec 2012 17:39:49 +0100
Subject: [PATCH] Add a5/3 support.
In-Reply-To: <1354802806.8173.1.camel@lima>
References: <20121206104304.GN7055@prithivi.gnumonks.org> <1354802806.8173.1.camel@lima>
Message-ID: <50C0CA55.2000002@fairwaves.ru>

06.12.2012 15:06, Erik Tews wrote:
> On Thursday, 06.12.2012, 11:43 +0100, Harald Welte wrote:
>> I believe Erik Tews was working on a clean re-implementation without
>> copyrighted reference code, but I'm not sure what was the result of it
>> (maybe I don't remember)
> Hi
>
> Yes, a student started working on the project. However, unfortunately
> just before she was about to finish, a colleague decided to change the
> schedule and she had to speed up her work. As a result, I would not
> recommend to use the code. Also I should add, I wasn't ever able to use
> the code by myself :-(

Do you know any details about the test setup used for this code? I'm still puzzled why I'm unable to make it work in real networks, so any advice would be greatly appreciated.

--
best regards,
Max, http://fairwaves.ru

From 246tnt at gmail.com Thu Dec 6 16:43:17 2012
From: 246tnt at gmail.com (Sylvain Munaut)
Date: Thu, 6 Dec 2012 17:43:17 +0100
Subject: [PATCH] Add a5/3 support.
In-Reply-To: <50C0CA55.2000002@fairwaves.ru>
References: <20121206104304.GN7055@prithivi.gnumonks.org> <1354802806.8173.1.camel@lima> <50C0CA55.2000002@fairwaves.ru>
Message-ID:

> Do you know any details about the test setup used for this code? I'm still puzzled why
> I'm unable to make it work in real networks, so any advice would be greatly appreciated.

Did you try to swap the byte order of the key like I originally suggested?

Cheers,

Sylvain

From Max.Suraev at fairwaves.ru Thu Dec 6 16:53:36 2012
From: Max.Suraev at fairwaves.ru (☎)
Date: Thu, 06 Dec 2012 17:53:36 +0100
Subject: [PATCH] Add a5/3 support.
In-Reply-To:
References: <20121206104304.GN7055@prithivi.gnumonks.org> <1354802806.8173.1.camel@lima> <50C0CA55.2000002@fairwaves.ru>
Message-ID: <50C0CD90.6010500@fairwaves.ru>

06.12.2012 17:43, Sylvain Munaut wrote:
>> Do you know any details about the test setup used for this code? I'm still puzzled why
>> I'm unable to make it work in real networks, so any advice would be greatly appreciated.
> Did you try to swap the byte order of the key like I originally suggested?
>

Yes, the result is still wrong :( Either I'm doing it wrong or there's something else which has got to be swapped... or some other bugs lurking in the shadows :)

--
best regards,
Max, http://fairwaves.ru

From frank at hvitehus.no Fri Dec 7 23:45:29 2012
From: frank at hvitehus.no (Frank A. Stevenson)
Date: Sat, 08 Dec 2012 00:45:29 +0100
Subject: [PATCH] Add a5/3 support.
In-Reply-To: <50BFA243.9070706@fairwaves.ru>
References: <50BFA243.9070706@fairwaves.ru>
Message-ID: <1354923929.6193.111.camel@quant>

When testing A5/3 one should be wary of using Samsung phones; from what I hear they have shipped models with broken A5/3 support, something which has in turn caused delays for operators wishing to roll out A5/3. The core network components have to resort to IMEI filtering to work around these incompatibilities.

f

On Wed, 2012-12-05 at 20:36 +0100, ☎ wrote:
> Hello.
>
> Attached patch will bring a5/3 support to osmo_a5...
> Unfortunately there are several deficiencies:
> - it doesn't work with a real phone in the test network yet

From Max.Suraev at fairwaves.ru Sat Dec 8 13:36:35 2012
From: Max.Suraev at fairwaves.ru (☎)
Date: Sat, 08 Dec 2012 14:36:35 +0100
Subject: [PATCH] Add a5/3 support.
In-Reply-To: <1354923929.6193.111.camel@quant>
References: <50BFA243.9070706@fairwaves.ru> <1354923929.6193.111.camel@quant>
Message-ID: <50C34263.5020401@fairwaves.ru>

08.12.2012 00:45, Frank A. Stevenson wrote:
> When testing A5/3 one should be wary of using Samsung phones; from what
> I hear they have shipped models with broken A5/3 support, something
> which has in turn caused delays for operators wishing to roll out A5/3.
> The core network components have to resort to IMEI filtering to work
> around these incompatibilities.
>
>

Is there a list of affected models somewhere? Or a list of phones known to work reliably with a5/3 (everything except Samsung)?

--
best regards,
Max, http://fairwaves.ru

From g.roelant at telenet.be Fri Dec 7 21:09:06 2012
From: g.roelant at telenet.be (g.roelant at telenet.be)
Date: Fri, 07 Dec 2012 22:09:06 +0100 (CET)
Subject: beginners question
Message-ID:

Hi,

How can I write the burst frames?

thanks

From alexander.huemer at xx.vu Fri Dec 7 21:54:46 2012
From: alexander.huemer at xx.vu (Alexander Huemer)
Date: Fri, 7 Dec 2012 22:54:46 +0100
Subject: beginners question
In-Reply-To:
References:
Message-ID: <20121207215446.GA5915@de.xx.vu>

Hi g,

On Fri, Dec 07, 2012 at 10:09:06PM +0100, g.roelant at telenet.be wrote:
> How can I write the burst frames?

Your question is very unspecific and therefore unlikely to be answered. You may want to rethink what exactly you want to know. Then, rephrase your question.

Kind regards,
-Alexander Huemer

From g.roelant at telenet.be Sat Dec 8 16:34:43 2012
From: g.roelant at telenet.be (g.roelant at telenet.be)
Date: Sat, 08 Dec 2012 17:34:43 +0100 (CET)
Subject: beginners question
In-Reply-To: <20121207215446.GA5915@de.xx.vu>
Message-ID: <3bd52760-76af-42c4-a3e9-5b9fcace251c@chipo.telenet-ops.be>

I want to write the raw data to a file. Is that possible with a command? Tune the GSM to a channel (for inst. 67) and capture all raw data into a file.

----- Original e-mail -----
From: "Alexander Huemer"
To: baseband-devel at lists.osmocom.org
Sent: Friday 7 December 2012 22:54:46
Subject: Re: beginners question

Hi g,

On Fri, Dec 07, 2012 at 10:09:06PM +0100, g.roelant at telenet.be wrote:
> How can I write the burst frames?

Your question is very unspecific and therefore unlikely to be answered. You may want to rethink what exactly you want to know. Then, rephrase your question.

Kind regards,
-Alexander Huemer

From denis.simonet at bluewin.ch Sat Dec 8 18:25:04 2012
From: denis.simonet at bluewin.ch (Denis Simonet)
Date: Sat, 08 Dec 2012 19:25:04 +0100
Subject: AW: Re: AW: Re: beginners question
Message-ID: <70pnipuae14llps1qx5wa9y4.1354991104786@email.android.com>

For example. (reply-to doesn't seem to be set correctly in the list, btw?)

Sent from Samsung Mobile

g.roelant at telenet.be wrote:

and then write the file with Wireshark?

I'm already using the mobile app with success.

From: "Denis Simonet"
To: "g roelant"
Sent: Saturday 8 December 2012 18:26:19
Subject: AW: Re: beginners question

You probably want to use the -i switch with a layer23 app and capture gsmtap with Wireshark.

Best regards
Denis

Sent from Samsung Mobile

g.roelant at telenet.be wrote:

I want to write the raw data to a file. Is that possible with a command? Tune the GSM to a channel (for inst. 67) and capture all raw data into a file.

----- Original e-mail -----
From: "Alexander Huemer"
To: baseband-devel at lists.osmocom.org
Sent: Friday 7 December 2012 22:54:46
Subject: Re: beginners question

Hi g,

On Fri, Dec 07, 2012 at 10:09:06PM +0100, g.roelant at telenet.be wrote:
> How can I write the burst frames?

Your question is very unspecific and therefore unlikely to be answered. You may want to rethink what exactly you want to know. Then, rephrase your question.

Kind regards,
-Alexander Huemer

From g.roelant at telenet.be Sat Dec 8 20:42:16 2012
From: g.roelant at telenet.be (g.roelant at telenet.be)
Date: Sat, 08 Dec 2012 21:42:16 +0100 (CET)
Subject: AW: Re: AW: Re: beginners question
In-Reply-To: <70pnipuae14llps1qx5wa9y4.1354991104786@email.android.com>
Message-ID:

And to have access to the real data then, I have to cut off the UDP header, right?

----- Original e-mail -----
From: "Denis Simonet"
To: baseband-devel at lists.osmocom.org
Sent: Saturday 8 December 2012 19:25:04
Subject: AW: Re: AW: Re: beginners question

For example. (reply-to doesn't seem to be set correctly in the list, btw?)

Sent from Samsung Mobile

g.roelant at telenet.be wrote:

and then write the file with Wireshark?

I'm already using the mobile app with success.

----- Original e-mail -----
From: "Denis Simonet"
To: "g roelant"
Sent: Saturday 8 December 2012 18:26:19
Subject: AW: Re: beginners question

You probably want to use the -i switch with a layer23 app and capture gsmtap with Wireshark.

Best regards
Denis

Sent from Samsung Mobile

g.roelant at telenet.be wrote:

I want to write the raw data to a file. Is that possible with a command? Tune the GSM to a channel (for inst. 67) and capture all raw data into a file.

----- Original e-mail -----
From: "Alexander Huemer"
To: baseband-devel at lists.osmocom.org
Sent: Friday 7 December 2012 22:54:46
Subject: Re: beginners question

Hi g,

On Fri, Dec 07, 2012 at 10:09:06PM +0100, g.roelant at telenet.be wrote:
> How can I write the burst frames?

Your question is very unspecific and therefore unlikely to be answered. You may want to rethink what exactly you want to know. Then, rephrase your question.

Kind regards,
-Alexander Huemer

From g.roelant at telenet.be Sun Dec 9 13:00:14 2012
From: g.roelant at telenet.be (g.roelant at telenet.be)
Date: Sun, 09 Dec 2012 14:00:14 +0100 (CET)
Subject: another newbie question
In-Reply-To:
Message-ID:

I want to try to alter the mobile app (in gsm48_rr.c) to listen to all TMSIs. I changed the code and altered all if statements where the else part contained the log 'Not for us'.

I'm hoping the phone will start following the conversation with the immediate assignment packages... this way I can start logging the beginning of the encryption....

Am I doing stupid things? Or is there already an app that does this?
thanks

From ml at mail.tsaitgaist.info Sun Dec 9 18:17:57 2012
From: ml at mail.tsaitgaist.info (Kevin Redon)
Date: Sun, 09 Dec 2012 19:17:57 +0100
Subject: another newbie question
In-Reply-To:
References:
Message-ID: <1355076766-sup-5028@dennou>

Hi,

ccch_log already does show the paging requests and immediate assignments. Have a look at the layer23 apps that already exist.

As for logging a call, neither your modification nor this application can do it. This is because calls are on TCH logical channels (+ channel hopping in real networks), but you only listen to the CCCH logical channel.

kevin

Excerpts from g.roelant's message of Sun Dec 09 14:00:14 +0100 2012:
>
>
> I want to try to alter the mobile app (in gsm48_rr.c) to listen to all TMSIs.
> I changed the code and altered all if statements where the else part contained the log 'Not for us'
>
> I'm hoping the phone will start following the conversation with the immediate assignment packages...
> this way I can start logging the beginning of the encryption....
>
> Am I doing stupid things? Or is there already an app that does this?
> thanks

From denis.simonet at bluewin.ch Sun Dec 9 19:44:32 2012
From: denis.simonet at bluewin.ch (Denis Simonet)
Date: Sun, 9 Dec 2012 20:44:32 +0100
Subject: another newbie question
In-Reply-To: <1355076766-sup-5028@dennou>
References: <1355076766-sup-5028@dennou>
Message-ID: <731F2DFB-6185-475E-B372-68A2DF4C4ED7@bluewin.ch>

Heya

> ccch_log already does show the paging requests and immediate assignments.
> Have a look at the layer23 apps that already exist.

Actually it is ccch_scan :). Also take into consideration Sylvain's explanations[1] as pointed out in the documentation[2].

Kind regards
Denis

[1] http://lists.osmocom.org/pipermail/baseband-devel/2010-December/000912.html
[2] http://bb.osmocom.org/trac/wiki/Sniffing

From g.roelant at telenet.be Sun Dec 9 21:39:02 2012
From: g.roelant at telenet.be (g.roelant at telenet.be)
Date: Sun, 09 Dec 2012 22:39:02 +0100 (CET)
Subject: another newbie question
In-Reply-To: <731F2DFB-6185-475E-B372-68A2DF4C4ED7@bluewin.ch>
Message-ID:

In the help of ccch_scan the -a option is not mentioned. Can this be added to the inline help of this app?

kind regards

ps. What can I do with the burst files? How can I analyze them?

----- Original e-mail -----
From: "Denis Simonet"
To: "osmocomBB"
Sent: Sunday 9 December 2012 20:44:32
Subject: Re: another newbie question

Heya

ccch_log already does show the paging requests and immediate assignments.
Have a look at the layer23 apps that already exist.

Actually it is ccch_scan :). Also take into consideration Sylvain's explanations[1] as pointed out in the documentation[2].

Kind regards
Denis

[1] http://lists.osmocom.org/pipermail/baseband-devel/2010-December/000912.html
[2] http://bb.osmocom.org/trac/wiki/Sniffing

From peter at stuge.se Mon Dec 10 01:14:49 2012
From: peter at stuge.se (Peter Stuge)
Date: Mon, 10 Dec 2012 02:14:49 +0100
Subject: another newbie question
In-Reply-To:
References: <731F2DFB-6185-475E-B372-68A2DF4C4ED7@bluewin.ch>
Message-ID: <20121210011449.12209.qmail@stuge.se>

g.roelant at telenet.be wrote:
> In the help of ccch_scan the -a option is not mentioned.
> Can this be added to the inline help of this app?

Would you mind sending the patch?

Thanks

//Peter

From g.roelant at telenet.be Mon Dec 10 11:36:49 2012
From: g.roelant at telenet.be (g.roelant at telenet.be)
Date: Mon, 10 Dec 2012 12:36:49 +0100 (CET)
Subject: bursts dat files
In-Reply-To: <75f63f31-a5df-4fcc-8dd7-45aadf5c968d@chipo.telenet-ops.be>
Message-ID: <253f6388-968b-441f-a0dd-eed423721407@chipo.telenet-ops.be>

Hi,

I'm using the sylvain/burst_ind branch and ccch_scan. This produces bursts files.

With which application can I view them? What is the format of these dat files?

I cannot open them with Wireshark...

Any hints?

kind regards

From 246tnt at gmail.com Mon Dec 10 13:38:15 2012
From: 246tnt at gmail.com (Sylvain Munaut)
Date: Mon, 10 Dec 2012 14:38:15 +0100
Subject: bursts dat files
In-Reply-To: <253f6388-968b-441f-a0dd-eed423721407@chipo.telenet-ops.be>
References: <75f63f31-a5df-4fcc-8dd7-45aadf5c968d@chipo.telenet-ops.be> <253f6388-968b-441f-a0dd-eed423721407@chipo.telenet-ops.be>
Message-ID:

> With which application can I view them? What

None. You have to write a custom application to use them however you want to use them ...

> is the format of these dat files?

See the l1ctl_burst_ind structure definition in the code. They're raw bits from the air with a small header; if you haven't read and understood the GSM 05.03 specs, they'll be pretty useless for you.

> I cannot open them with Wireshark...

They're at a much lower level of the protocol stack than what Wireshark can display.

Cheers,

Sylvain

From g.roelant at telenet.be Mon Dec 10 13:46:26 2012
From: g.roelant at telenet.be (g.roelant at telenet.be)
Date: Mon, 10 Dec 2012 14:46:26 +0100 (CET)
Subject: bursts dat files
In-Reply-To: <253f6388-968b-441f-a0dd-eed423721407@chipo.telenet-ops.be>
Message-ID:

Is this the structure of the dat files?

struct l1ctl_burst_ind {
	uint32_t frame_nr;
	uint16_t band_arfcn;    /* ARFCN + band + ul indicator               */
	uint8_t chan_nr;        /* GSM 08.58 channel number (9.3.1)          */
	uint8_t flags;          /* BI_FLG_xxx + burst_id = 2LSBs             */
	uint8_t rx_level;       /* 0 .. 63 in typical GSM notation (dBm+110) */
	uint8_t snr;            /* Reported SNR >> 8 (0-255)                 */
	uint8_t bits[15];       /* 114 bits + 2 steal bits. Filled MSB first */
} __attribute__((packed));

What does packed mean?

----- Original e-mail -----
From: "g roelant"
To: "osmocomBB"
Sent: Monday 10 December 2012 12:36:49
Subject: bursts dat files

Hi,

I'm using the sylvain/burst_ind branch and ccch_scan. This produces bursts files.

With which application can I view them? What is the format of these dat files?

I cannot open them with Wireshark...

Any hints?

kind regards

From 246tnt at gmail.com Mon Dec 10 14:59:58 2012
From: 246tnt at gmail.com (Sylvain Munaut)
Date: Mon, 10 Dec 2012 15:59:58 +0100
Subject: bursts dat files
In-Reply-To:
References: <253f6388-968b-441f-a0dd-eed423721407@chipo.telenet-ops.be>
Message-ID:

Hi,

> Is this the structure of the dat files?

Yes. If you had read the code that writes those files, you would have known that already.

> struct l1ctl_burst_ind {
> 	uint32_t frame_nr;
> 	uint16_t band_arfcn;    /* ARFCN + band + ul indicator               */
> 	uint8_t chan_nr;        /* GSM 08.58 channel number (9.3.1)          */
> 	uint8_t flags;          /* BI_FLG_xxx + burst_id = 2LSBs             */
> 	uint8_t rx_level;       /* 0 .. 63 in typical GSM notation (dBm+110) */
> 	uint8_t snr;            /* Reported SNR >> 8 (0-255)                 */
> 	uint8_t bits[15];       /* 114 bits + 2 steal bits. Filled MSB first */
> } __attribute__((packed));
>
> What does packed mean?

http://lmgtfy.com/?q=__attribute__%28%28packed%29%29%3B&l=1

Cheers,

Sylvain

From sebastien at lorquet.fr Mon Dec 10 15:11:27 2012
From: sebastien at lorquet.fr (Sebastien Lorquet)
Date: Mon, 10 Dec 2012 16:11:27 +0100
Subject: bursts dat files
In-Reply-To:
References:
Message-ID: <50C5FB9F.8090904@lorquet.fr>

It means that no padding is used to align struct fields on word boundaries.

This is a normal way to do things when a struct is to be written to a file or any other data stream.

Regards
Sebastien

On 10/12/2012 14:46, g.roelant at telenet.be wrote:
>
> Is this the structure of the dat files?
>
>
>
> struct l1ctl_burst_ind {
> 	uint32_t frame_nr;
> 	uint16_t band_arfcn;    /* ARFCN + band + ul indicator               */
> 	uint8_t chan_nr;        /* GSM 08.58 channel number (9.3.1)          */
> 	uint8_t flags;          /* BI_FLG_xxx + burst_id = 2LSBs             */
> 	uint8_t rx_level;       /* 0 .. 63 in typical GSM notation (dBm+110) */
> 	uint8_t snr;            /* Reported SNR >> 8 (0-255)                 */
> 	uint8_t bits[15];       /* 114 bits + 2 steal bits. Filled MSB first */
> } __attribute__((packed));
>
> What does packed mean?
>
> --------------------------------------------------------------------------------
> *From: *"g roelant"
> *To: *"osmocomBB"
> *Sent: *Monday 10 December 2012 12:36:49
> *Subject: *bursts dat files
>
>
> Hi,
>
>
>
> I'm using the sylvain/burst_ind branch and ccch_scan.
>
> This produces bursts files.
>
>
>
> With which application can I view them? What is the format of these dat files?
>
>
>
> I cannot open them with Wireshark...
>
>
>
> Any hints?
>
>
>
> kind regards
>
>

From holger at freyther.de Mon Dec 10 15:31:25 2012
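A reader for these .dat files, added here as an example (it is not OsmocomBB code): it walks the packed l1ctl_burst_ind records back to back, splits band_arfcn into ARFCN and flags, converts rx_level to dBm, unpacks the 116 bits MSB first and rejects a record whose frame number cannot exist, which is what a truncated or misaligned file looks like. Assumed, because the thread does not state them: records are written raw by a little-endian host, band_arfcn carries the OsmocomBB flag bits 0x4000 (uplink) and 0x8000 (PCS), and T1/T2/T3 follow the GSM 05.02 frame-number definition.

```c
/* Reader for ccch_scan burst .dat files; added example, not OsmocomBB code.
 * Assumed: records are struct l1ctl_burst_ind written raw by a little-endian
 * host, band_arfcn carries the OsmocomBB flag bits 0x4000 (uplink) and 0x8000
 * (PCS), and T1/T2/T3 follow the GSM 05.02 frame-number definition. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BURST_IND_LEN   25      /* sizeof(struct l1ctl_burst_ind), packed */
#define BURST_IND_NBITS 116     /* 114 payload bits + 2 stealing flags */
#define GSM_HYPERFRAME  (26u * 51u * 2048u)
#define ARFCN_PCS       0x8000  /* assumed flag bit in band_arfcn */
#define ARFCN_UPLINK    0x4000  /* assumed flag bit in band_arfcn */
#define ARFCN_MASK      0x0fff

struct burst_rec {
	uint32_t frame_nr;
	uint32_t t1, t2, t3;    /* frame number split per GSM 05.02 */
	uint16_t arfcn;         /* band_arfcn with the flag bits stripped */
	int uplink, pcs;
	uint8_t chan_nr;        /* GSM 08.58 channel number, passed through */
	uint8_t burst_id;       /* 2 LSBs of flags */
	uint8_t flags;          /* remaining BI_FLG_xxx bits */
	int rx_dbm;             /* rx_level - 110 */
	uint8_t snr;
	uint8_t bits[BURST_IND_NBITS]; /* one bit per entry, bits[0] = MSB of byte 0 */
};

/* Parse one record; returns bytes consumed, or 0 when the buffer is too short
 * or the frame number lies outside the GSM hyperframe (misaligned or corrupt). */
size_t burst_ind_parse(const uint8_t *buf, size_t len, struct burst_rec *out)
{
	if (len < BURST_IND_LEN)
		return 0;
	uint32_t fn = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
		      (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
	if (fn >= GSM_HYPERFRAME)
		return 0;
	uint16_t ba = (uint16_t)(buf[4] | buf[5] << 8);

	out->frame_nr = fn;
	out->t1 = fn / (26u * 51u);
	out->t2 = fn % 26u;
	out->t3 = fn % 51u;
	out->arfcn = ba & ARFCN_MASK;
	out->uplink = (ba & ARFCN_UPLINK) != 0;
	out->pcs = (ba & ARFCN_PCS) != 0;
	out->chan_nr = buf[6];
	out->burst_id = buf[7] & 0x03;
	out->flags = buf[7] & 0xfc;
	out->rx_dbm = (int)buf[8] - 110;
	out->snr = buf[9];
	for (size_t i = 0; i < BURST_IND_NBITS; i++)
		out->bits[i] = (buf[10 + (i >> 3)] >> (7 - (i & 7))) & 1;
	return BURST_IND_LEN;
}

/* Walk a whole file image; stops at the first record that does not parse
 * (e.g. a truncated tail) and returns the number of records accepted. */
size_t burst_ind_walk(const uint8_t *buf, size_t len,
		      void (*cb)(const struct burst_rec *, void *), void *arg)
{
	struct burst_rec rec;
	size_t off = 0, n = 0, used;

	while ((used = burst_ind_parse(buf + off, len - off, &rec)) != 0) {
		if (cb)
			cb(&rec, arg);
		off += used;
		n++;
	}
	return n;
}

static void print_rec(const struct burst_rec *r, void *arg)
{
	(void)arg;
	printf("fn=%lu (T1=%lu T2=%lu T3=%lu) arfcn=%u %s chan_nr=0x%02x burst=%u %ddBm\n",
	       (unsigned long)r->frame_nr, (unsigned long)r->t1, (unsigned long)r->t2,
	       (unsigned long)r->t3, r->arfcn, r->uplink ? "UL" : "DL",
	       r->chan_nr, r->burst_id, r->rx_dbm);
}

/* Constructed sample image: two records, then a 3 byte tail as a cut-off file leaves it. */
const uint8_t sample_dat[] = {
	/* fn 1234567, ARFCN 67 uplink, chan_nr 0x01, flags 0x06, rx_level 32, snr 200 */
	0x87, 0xd6, 0x12, 0x00, 0x43, 0x40, 0x01, 0x06, 0x20, 0xc8,
	0xa5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xc0,
	/* fn 1234568, ARFCN 67 downlink, chan_nr 0x01, flags 0x07, rx_level 40, snr 16 */
	0x88, 0xd6, 0x12, 0x00, 0x43, 0x00, 0x01, 0x07, 0x28, 0x10,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0x12, 0x34, 0x56,
};
int main(void)
{
	size_t n = burst_ind_walk(sample_dat, sizeof sample_dat, print_rec, NULL);
	printf("%lu record(s) parsed\n", (unsigned long)n);
	return 0;
}
```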
From: holger at freyther.de (Holger Hans Peter Freyther)
Date: Mon, 10 Dec 2012 16:31:25 +0100
Subject: bursts dat files
In-Reply-To:
References: <253f6388-968b-441f-a0dd-eed423721407@chipo.telenet-ops.be>
Message-ID: <20121210153125.GE12569@xiaoyu.lan>

On Mon, Dec 10, 2012 at 02:46:26PM +0100, g.roelant at telenet.be wrote:
> } __attribute__((packed));
>
> What does packed mean?

http://gcc.gnu.org/onlinedocs/gcc-4.7.1/gcc/Type-Attributes.html#Type-Attributes

From osmocom at ehlers.info Mon Dec 10 13:36:23 2012
From: osmocom at ehlers.info (Tim Ehlers)
Date: Mon, 10 Dec 2012 14:36:23 +0100 (CET)
Subject: restart layer1 from remote?
Message-ID:

Hi,

I have the problem that after running for quite a while, let's say a week, the layer1 seems to crash. This crash is random and only happens on single phones (I have 6 phones connected to one mobile app). This phone is unusable; even after "shutdown/no shutdown" or a complete restart of mobile, this phone stays like this:

OsmocomBB# show ms 3
MS '3' is up, service is limited
 IMEI: XXXXXXXXXXXX
   IMEISV: XXXXXXXXXXXXX
   IMEI generation: fixed
 automatic network selection state: A1 trying RPLMN
   MCC=262 MNC=07 (Germany, O2)
 cell selection state: C1 normal cell selection
 radio ressource layer state: idle
 mobility management layer state: MM idle, PLMN search

By restarting the phone (pressing power on the phone, and reloading layer1) it's working again. But this needs physical access to the phone.

Is there a way to somehow "reboot" or restart the layer1 by software? And if not, could that easily be implemented?

Thanks

Tim

From 246tnt at gmail.com Mon Dec 10 14:48:24 2012
From: 246tnt at gmail.com (Sylvain Munaut)
Date: Mon, 10 Dec 2012 15:48:24 +0100
Subject: restart layer1 from remote?
In-Reply-To:
References:
Message-ID:

> Is there a way to somehow "reboot" or restart the layer1 by software? And if
> not, could that easily be implemented?

Yes, there is the L1CTL_RESET, but I think shutdown/no shutdown already sends that command (check the osmocon output), meaning the L1 is no longer responding at all ...

Does the osmocon console do anything at all when it's in that state? Does that phone have anything special? (connected to a different network or doing different things?)

Some people wire up one of the serial port control lines to the enable line of a power supply they use to power the phone so they can do a full power off/on, but it requires external hw.

Cheers,

Sylvain

From osmocom at ehlers.info Mon Dec 10 15:28:08 2012
From: osmocom at ehlers.info (Tim Ehlers)
Date: Mon, 10 Dec 2012 16:28:08 +0100 (CET)
Subject: restart layer1 from remote?
In-Reply-To:
References:
Message-ID:

On Mon, 10 Dec 2012, Sylvain Munaut wrote:

Hi Sylvain,

>> Is there a way to somehow "reboot" or restart the layer1 by software?
>> And if not, could that easily be implemented?
>
> Yes, there is the L1CTL_RESET, but I think shutdown/no shutdown already
> sends that command (check the osmocon output), meaning the L1 is no
> longer responding at all ...
>
> Does the osmocon console do anything at all when it's in that state?
> Does that phone have anything special? (connected to a different
> network or doing different things?)

Nothing special, and it is not only THIS phone. Randomly any of the phones are crashing. Unfortunately I start the osmocon processes like this:

( /usr/local/bin/osmocon -s /tmp/osmocom_l2 -l /tmp/osmocom_loader -p /dev/ttyS0 -m c123xor /usr/local/bin/layer1.compalram.bin ) < /dev/null > /dev/null 2>&1 &

I could now start all of them in a screen session, where I could see the latest output afterwards. Since there is so much output coming, I don't want to keep it in a logfile. If it helps I could do that, too. In any case I have to wait for the next crash...

But when I look at the CPU time used, it seems that the osmocon process is still doing something. I could now test any command you tell me on the mobile application. Today in the evening, when I am home, I will restart it (with osmocon in screen).

> Some people wire up one of the serial port control lines to the enable
> line of a power supply they use to power the phone so they can do a full
> power off/on, but it requires external hw.

Ok, you mean using an unused serial line and raising the control line to control a relay, which virtually presses the power button then?

With such a solution I would have another problem. Often, when I switch off the phone, I can't switch it back on.
Even without the connected serial line, I can't switch it on booting the original firmware. I have to remove the power (which is an altered battery pack, hooked to a power supply with ~4 Volts [like the battery had before]), wait 30 seconds and put it back on. Then I can start it again. Is that a known problem, or does it look like a problem of my altered power supply?

Thanks

Tim

From osmocom at ehlers.info Tue Dec 18 13:49:46 2012
From: osmocom at ehlers.info (Tim Ehlers)
Date: Tue, 18 Dec 2012 14:49:46 +0100 (CET)
Subject: restart layer1 from remote?
In-Reply-To:
References:
Message-ID:

On Mon, 10 Dec 2012, Sylvain Munaut wrote:

Hi Sylvain,

>> Is there a way to somehow "reboot" or restart the layer1 by software? And if
>> not, could that easily be implemented?
>
> Yes, there is the L1CTL_RESET, but I think shutdown/no shutdown already
> sends that command (check the osmocon output), meaning the L1 is no
> longer responding at all ...
>
> Does the osmocon console do anything at all when it's in that state?
> Does that phone have anything special? (connected to a different
> network or doing different things?)

Now phone number 6 has crashed. I started the osmocon processes in a screen session. A lot of messages are logged now in the session, like this:

[...]
FB1 (862461:1): TOA= 451, Power= -78dBm, Angle= 3182Hz
fn_offset=862460 (fn=862461 + attempt=1 + ntdma = 0)
delay=9 (fn_offset=862460 + 11 - fn=862461 - 1
scheduling next FB/SB detection task with delay 9
FB1 (862481:10): TOA=11703, Power= -78dBm, Angle= 3129Hz
fn_offset=862480 (fn=862481 + attempt=10 + ntdma = 9)
delay=9 (fn_offset=862480 + 11 - fn=862481 - 1
scheduling next FB/SB detection task with delay 9
FB1 (862501:10): TOA=11703, Power= -78dBm, Angle= 3135Hz
fn_offset=862500 (fn=862501 + attempt=10 + ntdma = 9)
delay=9 (fn_offset=862500 + 11 - fn=862501 - 1
scheduling next FB/SB detection task with delay 9
FB1 (862512:1): TOA= 451, Power= -78dBm, Angle= 3171Hz
fn_offset=862511 (fn=862512 + attempt=1 + ntdma = 0)
delay=9 (fn_offset=862511 + 11 - fn=862512 - 1
scheduling next FB/SB detection task with delay 9
FB1 (862532:10): TOA=11703, Power= -78dBm, Angle= 3113Hz
fn_offset=862531 (fn=862532 + attempt=10 + ntdma = 9)
delay=9 (fn_offset=862531 + 11 - fn=862532 - 1
scheduling next FB/SB detection task with delay 9
[...]
And mobile says:

OsmocomBB# show ms 6
MS '6' is up, service is limited
 IMEI: XXXXXXXXXXXX
   IMEISV: XXXXXXXXXXXXX
   IMEI generation: fixed
 automatic network selection state: A1 trying RPLMN
   MCC=262 MNC=07 (Germany, O2)
 cell selection state: C2 stored cell selection
 radio ressource layer state: idle
 mobility management layer state: MM idle, PLMN search

I now restarted the mobile process and deleted 6.ba. Now it says:

OsmocomBB# show ms 6
MS '6' is up, service is limited
 IMEI: XXXXXXXXXXXX
   IMEISV: XXXXXXXXXXXXX
   IMEI generation: fixed
 automatic network selection state: A1 trying RPLMN
   MCC=262 MNC=07 (Germany, O2)
 cell selection state: C1 normal cell selection
 radio ressource layer state: idle
 mobility management layer state: MM idle, PLMN search

shutdown/no shutdown doesn't change a thing.

Now the question again: Could it be because of my hardware situation (special battery simulation with one power supply)? Or in other words, is anybody running a steady service with osmocombb and experiencing no problem over weeks?

Thanks

Tim

From oxccoxcc at yandex.ru Wed Dec 12 13:55:58 2012
From: oxccoxcc at yandex.ru (Pe)
Date: Wed, 12 Dec 2012 05:55:58 -0800 (PST)
Subject: Questions about filter replacement and fbsb_req
Message-ID: <1355320558522-4025518.post@n3.nabble.com>

Hi list!

I'm playing with ccch_scan from the burst_ind branch. I have some trouble with going SDCCH - FCCH\SCH - TCH.

After receiving "assignment command" I call fbsb_req to L1 to wait for FCCH\SCH sync bursts. When fbsb_resp comes, I call dm_est_req_h1 with channel and hopping params. But the SNR of incoming TCH bursts is less than 10 most of the time.

What did I do wrong? Is it necessary to synchronize only timers by SCH without FCCH freq sync? And why do we lose sync when going from SDCCH to TCH?

And a question about filter replacement. After the filter change on baluns I see -128 dBm on all ARFCNs when the mobile app from the master branch is started. After that I tried to connect the balanced line to the former filter pad and the unbalanced line to the ground via a cap (on the EGSM channel), as Sylvain wrote. But it didn't help.

Photo after filter rework on C115: http://s9.postimage.org/r50qtx73z/lastrep.jpg

As I understand, the input tract with 2 caps, 2 inductors and band-pass filter is just needed for image frequency disabling?

From oxccoxcc at yandex.ru Fri Dec 14 17:23:51 2012
From: oxccoxcc at yandex.ru (Pe)
Date: Fri, 14 Dec 2012 09:23:51 -0800 (PST)
Subject: Questions about filter replacement and fbsb_req
In-Reply-To: <1355320558522-4025518.post@n3.nabble.com>
References: <1355320558522-4025518.post@n3.nabble.com>
Message-ID: <1355505831991-4025524.post@n3.nabble.com>

The problem with the baluns was solved by soldering a piece of cable (antenna :)) to the former filter's input pad.

From: g.roelant at telenet.be (g.roelant at telenet.be)
Date: Fri, 14 Dec 2012 10:45:43 +0100 (CET)
Subject: stupid question
Message-ID: <74b0f793-41f1-42e0-b1e7-c58928f687d8@chipo.telenet-ops.be>

Are the bursts captured with ccch_scan in the burst_ind branch the same as the bursts captured with usrp2?

Do they result in the same file?

I guess not...

Kind regards
From: akibsayyed at gmail.com (Akib Sayyed)
Date: Fri, 14 Dec 2012 13:32:53 +0300
Subject: stupid question
In-Reply-To: <74b0f793-41f1-42e0-b1e7-c58928f687d8@chipo.telenet-ops.be>
References: <74b0f793-41f1-42e0-b1e7-c58928f687d8@chipo.telenet-ops.be>
Message-ID:

No, they don't. But I would like to give one suggestion: please explore the code as much as you can. Then you will understand such things on your own. It will take time, but you will get more knowledge.

On Fri, Dec 14, 2012 at 12:45 PM, wrote:

> Are the bursts captured with ccch_scan in burst_ind branch the same as the
> bursts captured with usrp2?
>
> do they result in the same file?
>
> i guess not...
>
> kind regards

--
Akib Sayyed
Matrix-Shell
akibsayyed at gmail.com
akibsayyed at matrixshell.com
Mob:- +91-966-514-2243

From: g.roelant at telenet.be (g.roelant at telenet.be)
Date: Fri, 14 Dec 2012 10:46:47 +0100 (CET)
Subject: imm ass packages
Message-ID: <00c984c8-cab0-424c-8021-da5a965b6ba7@chipo.telenet-ops.be>

In wireshark I see immediate assignment packages... They are like 31 06 0f, but in the documentation they are like 2d 06 3f. What am I doing wrong?

I'm listening to a Belgian operator called Proximus.

Kind regards
From: g.roelant at telenet.be (g.roelant at telenet.be)
Date: Fri, 14 Dec 2012 16:12:00 +0100 (CET)
Subject: imm ass packages
In-Reply-To: <1890661355497414@web19g.yandex.ru>
Message-ID:

Sorry, I made a typo. In wireshark I see 31 06 3f; in the documentation I see 2d 06 3f. Now you tell me that only the 3f is responsible for detecting an imm ass packet. If I wanted to detect (grep) for imm ass., shall I look for 31 06 3f or 2d 06 3f?

----- Original e-mail -----
From: "oxccoxcc oxccoxcc"
To: "g roelant", "osmocomBB"
Sent: Friday 14 December 2012 16:03:34
Subject: Re: imm ass packages

Wireshark processing of imm ass packets seems normal. Looks like a bug with partial release complete messages. But wireshark has a signature for it: http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/packet-gsm_a_rr.c
Try to write in the wireshark forum.

14.12.2012, 14:22, "g.roelant at telenet.be":
> In wireshark i see immediate assignment packages...
> they are like 31 06 0f
> but in the documentation they are like 2d 06 3f
> what am i doing wrong?
> i'm listening to a belgium operator called proximus.
> kind regards

From: oxccoxcc at yandex.ru (Pe)
Date: Fri, 14 Dec 2012 08:07:14 -0800 (PST)
Subject: imm ass packages
In-Reply-To:
References: <00c984c8-cab0-424c-8021-da5a965b6ba7@chipo.telenet-ops.be>
Message-ID: <1355501234651-4025523.post@n3.nabble.com>

Imm ass has a variable length. In your case your network just doesn't support frequency hopping, I think. Just see the 3GPP docs.
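A small decoder for the header octets this thread is about, added here as an example (it is not code from the thread or from OsmocomBB; the two constant names and values match libosmocore's gsm_04_08.h, the 23-octet block size is the downlink CCCH block length):

```c
/* Added example: decode the L2 pseudo-length header and RR message type of
 * a CCCH block, to show why IMMEDIATE ASSIGNMENT shows up both as
 * "2d 06 3f" and "31 06 3f". Not code from the thread or from OsmocomBB. */
#include <stdint.h>
#include <stddef.h>

#define GSM48_PDISC_RR      0x06  /* protocol discriminator: Radio Resource (as in libosmocore) */
#define GSM48_MT_RR_IMM_ASS 0x3f  /* message type: IMMEDIATE ASSIGNMENT (as in libosmocore) */
#define CCCH_BLOCK_LEN      23    /* one downlink CCCH block is 23 octets */

struct ccch_hdr {
    uint8_t l2_len;   /* L2 pseudo length: meaningful octets following octet 1 */
    uint8_t pdisc;    /* protocol discriminator, low nibble of octet 2 */
    uint8_t msg_type; /* message type, octet 3 */
};

/* Octet 1 carries the pseudo length in bits 8..3; bits 2..1 are fixed to 01.
 * Returns 0 on success, -1 if the block is too short or octet 1 is malformed. */
int parse_ccch_hdr(const uint8_t *blk, size_t len, struct ccch_hdr *h)
{
    if (len < 3 || (blk[0] & 0x03) != 0x01)
        return -1;
    h->l2_len   = blk[0] >> 2;
    h->pdisc    = blk[1] & 0x0f;
    h->msg_type = blk[2];
    return 0;
}

/* IMMEDIATE ASSIGNMENT is recognised by PD and message type alone; the
 * pseudo length varies with the size of the Mobile Allocation IE, which is
 * why 0x2d (length 11) and 0x31 (length 12) both start valid messages. */
int is_imm_ass(const uint8_t *blk, size_t len)
{
    struct ccch_hdr h;
    if (parse_ccch_hdr(blk, len, &h) < 0)
        return 0;
    return h.pdisc == GSM48_PDISC_RR && h.msg_type == GSM48_MT_RR_IMM_ASS;
}

/* Walk a buffer of consecutive 23-octet CCCH blocks and count the
 * IMMEDIATE ASSIGNMENT messages: the "grep" asked for in the thread.
 * A trailing partial block is ignored. */
size_t count_imm_ass_blocks(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    for (size_t off = 0; off + CCCH_BLOCK_LEN <= len; off += CCCH_BLOCK_LEN)
        if (is_imm_ass(buf + off, CCCH_BLOCK_LEN))
            n++;
    return n;
}
```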
From: g.roelant at telenet.be (g.roelant at telenet.be)
Date: Sat, 15 Dec 2012 18:15:21 +0100 (CET)
Subject: burst_ind branch
In-Reply-To: <5c28e3df-1485-4a0b-9c69-dd83094a51bc@chipo.telenet-ops.be>
Message-ID:

Please correct me if I'm wrong: I'm writing a small C program to process the burst files.

Run ccch_scan and follow the frames in wireshark. If you see an "interesting" frame, note its number. Get the correct frame out of the burst file and display its bit stream. Then this bitstream can be further used for processing. Add a certain offset to the framecounter and get that frame out of the burst file and display its bit stream. The rest... I still have to figure that out...

Can anyone confirm I am doing the right thing?

Thanks

From: g.roelant at telenet.be (g.roelant at telenet.be)
Date: Sat, 15 Dec 2012 22:55:17 +0100 (CET)
Subject: question about l1ctl_burst_ind structure
In-Reply-To: <7df9aac5-1ca9-432e-aff4-bd8b62bf4fc8@chipo.telenet-ops.be>
Message-ID:

Hi,

In the l1ctl_burst_ind structure is:

    uint8_t bits[15];      /* 114 bits + 2 steal bits. Filled MSB first */

If I do 8 * 15 = 120, that would make 6 bits extra... not 2 bits. Should I discard the last 6 bits of the last byte?

Thanks
From: 246tnt at gmail.com (Sylvain Munaut)
Date: Sat, 15 Dec 2012 23:37:45 +0100
Subject: question about l1ctl_burst_ind structure
In-Reply-To:
References: <7df9aac5-1ca9-432e-aff4-bd8b62bf4fc8@chipo.telenet-ops.be>
Message-ID:

Hi,

> uint8_t bits[15]; /* 114 bits + 2 steal bits. Filled MSB first */
>
> if i do 8 * 15 = 120
>
> that would make 6 bits extra... not 2 bits

And how exactly would you pack 116 bits in an integer number of bytes ...

> should i discard the last 6 bits of the last byte?

The very comment you quoted above says there are 114+2 bits of payload ... 120 - (114+2) = 4 padding bits, not 6 ...

Or maybe you're under the misguided impression that "steal bits" are "padding bits", in which case it just shows you need to reread the GSM 05.xx series of specifications.

Cheers,

Sylvain

From: g.roelant at telenet.be (g.roelant at telenet.be)
Date: Sun, 16 Dec 2012 00:41:01 +0100 (CET)
Subject: System information type 5 & 6
In-Reply-To: <9cf59e6b-7b0e-4ef8-87a5-f4015a59785e@chipo.telenet-ops.be>
Message-ID:

Hi,

I'm capturing my own voice calls in wireshark. I can see a system information type packet just before the ciphering command. 204 frames further there is a system information type 6 packet, but these 2 packets don't resemble each other... How can I subtract a key out of these 2 different packets? This doesn't make any sense.... If I look for the same type 5 packet... they are never at the same location.... :(

Is my reasoning wrong?

Kind regards
From: Max.Suraev at fairwaves.ru (☎)
Date: Wed, 19 Dec 2012 20:15:25 +0100
Subject: graphical gsmtap helper
Message-ID: <50D2124D.900@fairwaves.ru>

Hello.

It's often handy to have a high-level look at the message exchange between the MS and the GSM network captured via gsmtap. There are some tools to do that for IP captures, but they completely ignore uplink/downlink semantics, so they are next to useless in this case.

Attached is a little helper which can be used to make proper descriptions for mscgen to produce nice message sequence charts. Usage instructions are inside the script. In short: .pcap in - .png out

It requires mscgen and a recent (>=1.9) tshark, so you have to use git to get and build the tshark binary yourself until wireshark 1.10 is released:

git clone http://code.wireshark.org/git/wireshark

Apologies if you received this message multiple times, but I personally find this little helper to be very useful, so I'd like to reach as wide an audience as possible.

--
best regards,
Max, http://fairwaves.ru

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gsmtap2msc.awk
Type: application/x-awk
Size: 622 bytes
Desc: not available

From: Max.Suraev at fairwaves.ru (☎)
Date: Fri, 21 Dec 2012 19:23:00 +0100
Subject: usim programming
Message-ID: <50D4A904.5030401@fairwaves.ru>

Hello.

I'm struggling with an A5/3 test. I've got an osmocom USIM (http://shop.sysmocom.de/products/sysmousim-gr1) which I've programmed with pySim-prog.py.

Unfortunately, when I plug it into a Samsung Galaxy S2 it indicates (via classmark) that it only supports A5/1.

What am I doing wrong?

I've tried an operator's SIM with the same phone; A5/3 support is indicated just fine.

--
best regards,
Max, http://fairwaves.ru
From: 246tnt at gmail.com (Sylvain Munaut)
Date: Fri, 21 Dec 2012 20:35:49 +0100
Subject: usim programming
In-Reply-To: <50D4A904.5030401@fairwaves.ru>
References: <50D4A904.5030401@fairwaves.ru>
Message-ID:

Hi,

> Unfortunately when I plug it into samsung galaxy s2 it indicates (via classmark) that
> it only supports a5/1
>
> What am I doing wrong?
>
> I've tried operator's sim with the same phone - a5/3 support is indicated just fine.

Mmm, the phone might have a database of which cipher to use with which operator ...

Cheers,

Sylvain

From: g.roelant at telenet.be (g.roelant at telenet.be)
Date: Sun, 23 Dec 2012 16:25:53 +0100 (CET)
Subject: double frames in burst file
Message-ID:

Hi Group,

I'm using the testing/sylvain burst branch. Sometimes I get double frames in the burst files taken with ccch_scan. What does this mean? Bad reception?

Kind regards

From: 246tnt at gmail.com (Sylvain Munaut)
Date: Sun, 23 Dec 2012 18:51:31 +0100
Subject: double frames in burst file
In-Reply-To:
References:
Message-ID:

Hi,

> sometimes i get double frames in the bursts files taken with ccch_scan.

What do you mean by "double frames" ?

Cheers,

Sylvain
From: g.roelant at telenet.be (g.roelant at telenet.be)
Date: Sun, 23 Dec 2012 20:58:10 +0100 (CET)
Subject: double frames in burst file
In-Reply-To:
Message-ID: <40ef798f-0c45-4f65-b67b-5ae4781bafdd@chipo.telenet-ops.be>

Double frame numbers.

----- Original e-mail -----
From: "Sylvain Munaut" <246tnt at gmail.com>
To: "g roelant"
Cc: "osmocomBB"
Sent: Sunday 23 December 2012 18:51:31
Subject: Re: double frames in burst file

Hi,

> sometimes i get double frames in the bursts files taken with ccch_scan.

What do you mean by "double frames" ?

Cheers,

Sylvain

From: 246tnt at gmail.com (Sylvain Munaut)
Date: Mon, 24 Dec 2012 09:45:10 +0100
Subject: double frames in burst file
In-Reply-To: <40ef798f-0c45-4f65-b67b-5ae4781bafdd@chipo.telenet-ops.be>
References: <40ef798f-0c45-4f65-b67b-5ae4781bafdd@chipo.telenet-ops.be>
Message-ID:

> double frame numbers

Just means some are from uplink and some from downlink frequencies. Some subchannels of SDCCH have uplink and downlink on the same frame, and if the target phone is close enough you can receive the frames from the phone as well.

The 'arfcn' field should have the ARFCN_UPLINK flag set (grep libosmocore to know the value).

Cheers,

Sylvain
From: g.roelant at telenet.be (g.roelant at telenet.be)
Date: Mon, 24 Dec 2012 10:11:47 +0100 (CET)
Subject: double frames in burst file
In-Reply-To:
Message-ID:

It's correct. The phenomenon only occurs with my own tests... so TX GSM is very close to RX GSM...

What should I do in my program that parses the bursts? Skip the double frame and read on? Or skip all frames with the uplink flag set?

I shall investigate this evening...

Cheers,

PS. Can I ask you a question about weak frames? What I noticed: the offset between si5, si5ter, si6 and the first si6 frame after encryption is not always 204 frames. Is this correct?

----- Original e-mail -----
From: "Sylvain Munaut" <246tnt at gmail.com>
To: "g roelant"
Cc: "osmocomBB"
Sent: Monday 24 December 2012 09:45:10
Subject: Re: double frames in burst file

> double frame numbers

Just means some are from uplink and some from downlink frequencies. Some subchannels of SDCCH have uplink and downlink on the same frame and if the target phone is close enough you can receive the frames from the phone as well.

The 'arfcn' field should have the ARFCN_UPLINK flag set (grep libosmocore to know the value).

Cheers,

Sylvain

From: 246tnt at gmail.com (Sylvain Munaut)
Date: Mon, 24 Dec 2012 14:47:26 +0100
Subject: double frames in burst file
In-Reply-To:
References:
Message-ID:

Hi,

> what should i do in my program that parse the bursts? skip the double frame and read on?
> or skip all frames with uplink flag set?

Do whatever you want with them depending on what your needs are ...

> ps. can i ask you a question about weak frames?
> what i noticed: the offset between si5, si5ter, si6 and the first si6 frame after encryption is not always 204 frames
> is this correct?

Yes, there is no spec, so operators do what they want, and for some of them it's pseudo-random.

Cheers,

Sylvain
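Added example covering both the bits[15] question earlier in the thread (114 + 2 bits, MSB first, 4 padding bits) and the ARFCN_UPLINK flag just discussed; it is not OsmocomBB code. ARFCN_UPLINK = 0x4000 is the value from libosmocore's gsm_utils.h; the record struct is a constructed stand-in for the fields of l1ctl_burst_ind used here, and the placement of the two stealing bits inside the 116 is deliberately not assumed.

```c
/* Added example, not OsmocomBB's code: unpack the bits[15] field of a burst
 * indication (114 data bits + 2 stealing bits, MSB first, 4 padding bits)
 * and separate uplink from downlink records by the ARFCN_UPLINK flag. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ARFCN_UPLINK       0x4000 /* value from libosmocore gsm_utils.h */
#define BURST_PAYLOAD_BITS 116    /* 57 + 57 data bits and 2 stealing bits */
#define BURST_PACKED_BYTES 15     /* 120 bits: 116 used, low 4 bits of bits[14] are padding */

/* Constructed stand-in for the l1ctl_burst_ind fields used below. */
struct burst_rec {
    uint32_t fn;                       /* GSM frame number */
    uint16_t arfcn;                    /* channel number plus flag bits */
    uint8_t  bits[BURST_PACKED_BYTES]; /* filled MSB first */
};

/* One payload bit per output byte; the 4 padding bits are never read.
 * Where the two stealing flags sit inside the 116 is up to the sender and
 * is not assumed here. */
void unpack_burst_bits(const uint8_t in[BURST_PACKED_BYTES],
                       uint8_t out[BURST_PAYLOAD_BITS])
{
    for (int i = 0; i < BURST_PAYLOAD_BITS; i++)
        out[i] = (in[i / 8] >> (7 - (i % 8))) & 1;
}

/* Inverse, used to build test records: MSB first, padding cleared. */
void pack_burst_bits(const uint8_t in[BURST_PAYLOAD_BITS],
                     uint8_t out[BURST_PACKED_BYTES])
{
    memset(out, 0, BURST_PACKED_BYTES);
    for (int i = 0; i < BURST_PAYLOAD_BITS; i++)
        if (in[i])
            out[i / 8] |= (uint8_t)(0x80 >> (i % 8));
}

int burst_is_uplink(uint16_t arfcn)
{
    return (arfcn & ARFCN_UPLINK) != 0;
}

/* For records sorted by frame number, count the "double frame numbers":
 * adjacent records with the same fn but opposite directions. Per-direction
 * totals are returned through *up and *down. */
size_t count_direction_pairs(const struct burst_rec *recs, size_t n,
                             size_t *up, size_t *down)
{
    size_t pairs = 0;
    *up = *down = 0;
    for (size_t i = 0; i < n; i++) {
        if (burst_is_uplink(recs[i].arfcn))
            (*up)++;
        else
            (*down)++;
        if (i + 1 < n && recs[i].fn == recs[i + 1].fn &&
            burst_is_uplink(recs[i].arfcn) != burst_is_uplink(recs[i + 1].arfcn))
            pairs++;
    }
    return pairs;
}
```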
From: g.roelant at telenet.be (g.roelant at telenet.be)
Date: Mon, 24 Dec 2012 16:23:11 +0100 (CET)
Subject: double frames in burst file
In-Reply-To:
Message-ID: <7b49024e-b70f-466b-b4de-c0f69ac3f663@chipo.telenet-ops.be>

So there will always be a try-and-guess method involved...?

Are the possible frames always a multiple of 102 apart? Or are there other offsets?

Is the kraken version which does 4 frames at the same time available somewhere?

----- Original message -----
From: Sylvain Munaut <246tnt at gmail.com>
To: g roelant
Cc: osmocomBB
Sent: Mon, 24 Dec 2012 14:47:26 +0100 (CET)
Subject: Re: double frames in burst file

Hi,

> what should i do in my program that parse the bursts? skip the double frame and read on?
> or skip all frames with uplink flag set?

Do whatever you want with them depending on what your needs are ...

> ps. can i ask you a question about weak frames?
> what i noticed: the offset between si5, si5ter, si6 and the first si6 frame after encryption is not always 204 frames
> is this correct?

Yes, there is no specs so operator do what they want and for some of them it's pseudo-random.

Cheers,

Sylvain
From: cityhnet at gmail.com (Vic Delorge)
Date: Mon, 24 Dec 2012 06:25:37 +0100
Subject: problems after last update
Message-ID:

Hello,

First of all, these phones and tools RULE. I already tested a couple of branches. burst_ind worked and captured packets; sylvain/testing also worked a week or 2 ago and I could make a call and see it in wireshark :). But now I saw that there were some updates in the sylvain/testing branch. I updated like the sim reader page on the wiki told me.

Could it be that the last commits broke the sylvain/testing branch? I get an error while loading libosmocore.so.4. I followed the tutorial on the wiki for the sim reader. 2 weeks ago it worked fine. I checked the code in the last updates and it seems that libosmocore has now changed? Or am I doing something wrong??

Thanks in advance,
Vic

From: 246tnt at gmail.com (Sylvain Munaut)
Date: Mon, 24 Dec 2012 09:43:25 +0100
Subject: problems after last update
In-Reply-To:
References:
Message-ID:

> could it be that the last commits broke the sylvain/testing branch ?
> i get error while loading libosmocore.so.4

First off, with the latest sylvain/testing update you probably need to start from a fresh checkout.

Then you also need to download/compile/install libosmocore separately now. The instructions are not up to date yet (because this hasn't reached master yet, but it will soon), but you can use the instructions in http://openbsc.osmocom.org/trac/wiki/Building_OpenBSC to build libosmocore.

Cheers,

Sylvain
From: dagar1935 at hotmail.co.uk (dagar)
Date: Sun, 23 Dec 2012 23:11:44 -0800 (PST)
Subject: How can I see the RAND/SRES
Message-ID: <1356333104239-4025541.post@n3.nabble.com>

Hello,

I am in the process of setting up OsmocomBB, but I was wondering where/which files in the firmware are responsible for receiving/processing the RAND/SRES values from the network/SIM.

Does anyone know this or can point me in the right direction?

From: 246tnt at gmail.com (Sylvain Munaut)
Date: Mon, 24 Dec 2012 09:47:17 +0100
Subject: How can I see the RAND/SRES
In-Reply-To: <1356333104239-4025541.post@n3.nabble.com>
References: <1356333104239-4025541.post@n3.nabble.com>
Message-ID:

Hi,

> I am in the process of setting up OsmocomBB but I was wondering where/which
> files in the firmware responsible for receiving/processing the RAND/SRES
> values from the network/SIM.
>
> Does anyone know this or can point me in the right direction?

src/host/layer23/src/mobile/gsm48_mm.c

Just grep for sres.

Cheers,

Sylvain
From: niceguy108 at gmail.com (Bhaskar11)
Date: Tue, 25 Dec 2012 20:05:03 +0530
Subject: Bug in switching baud rates in burst_ind branch?
Message-ID:

Using the burst_ind branch, the code switches to a higher speed in function serial_up_to_eleven like this:

    int serial_up_to_eleven(void)
    {
        int rv;

        /* Attempt custom baudrate */
        rv = osmo_serial_set_custom_baudrate(dnload.serial_fd.fd, 406250);
        if (rv == 0)
            return 0;

    #ifdef I_HAVE_A_CP210x /* and I know what I'm doing, I swear ! */
        /* Try closest standard baudrate (CP210x reprogrammed adapters) */
        rv = osmo_serial_set_baudrate(dnload.serial_fd.fd, B460800);
        if (rv == 0)
            return 0;
    #endif

    etc....

If the first attempt to switch to 406250 succeeds, the function exits and never reaches the I_HAVE_A_CP210x code which would switch to a higher speed!

Is this a bug? Or is the lower speed good enough for burst_ind? In which case, why bother with the I_HAVE_A_CP210x option?

Or have I missed something obvious?

B.
From: vogelchr at vogel.cx (Christian Vogel)
Date: Tue, 25 Dec 2012 21:35:48 +0100
Subject: Bug in switching baud rates in burst_ind branch?
In-Reply-To:
References:
Message-ID:

Hi Bhaskar11,

On Tue, 25 Dec 2012 15:35:03 +0100, Bhaskar11 wrote:

> If the first attempt to switch to 406250 succeeds, the function exits and
> never reaches the I_HAVE_A_CP210x code which would switch to a higher
> speed!

> Is this a bug? Or is the lower speed good enough for burst_ind? In which
> case why bother with the I_HAVE_A_CP210x option?

That logic is correct.

> Or have I missed something obvious?

It's not about switching to a slightly higher baudrate of B460800 but rather to switch to the highest baudrate that can sensibly be used on the phone UART, which is the non-standard 406250. Some USB/serial converter chips allow you to select almost any baudrate you want out of the box, but the CP210x doesn't. If you have a CP210x you modify the EEPROM in the serial adapter so that when Linux requests the "standard" 460k, it actually uses the odd 406k.

http://bb.osmocom.org/trac/wiki/Hardware/CP210xTutorial

In src/target/firmware/calypso/uart.c there's the uint16_t divider[] table of baudrate dividers, and the two highest speeds supported by the Calypso chipset are 406,250 or 812,500 bits per second.

Silabs Application Note AN205 explains the Silabs side of things.
http://www.silabs.com/Support%20Documents/TechnicalDocs/an205.pdf

Greetings,

Chris
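Added example (neither OsmocomBB's uart.c nor Silabs code) that works through the rate arithmetic behind the reply above. It assumes the Calypso UART derives its rate as 13 MHz / (16 * divider), which reproduces exactly the two top rates named (812500 and 406250); the 2.5 % tolerance is an assumed engineering margin, not a figure from the thread.

```c
/* Added example: why 406250 bit/s is the rate to aim for and why a CP210x
 * needs its EEPROM baud table remapped before B460800 is usable. */
#include <stdint.h>

#define CALYPSO_UART_CLK_HZ     13000000UL  /* assumption: 13 MHz reference */
#define UART_OVERSAMPLING       16UL        /* assumption: 16x oversampling */
#define BAUD_TOLERANCE_PERMILLE 25UL        /* assumed: 2.5 % mismatch is acceptable */

/* Bit rate produced by a given divider, truncated to whole bit/s. */
unsigned long calypso_baud(uint16_t divider)
{
    return CALYPSO_UART_CLK_HZ / (UART_OVERSAMPLING * divider);
}

/* Divider whose rate is nearest to the requested one (integer rounding). */
uint16_t calypso_closest_divider(unsigned long requested)
{
    unsigned long denom = UART_OVERSAMPLING * requested;
    unsigned long d = (CALYPSO_UART_CLK_HZ + denom / 2) / denom;
    return d < 1 ? 1 : (uint16_t)d;
}

/* Rate mismatch in tenths of a percent. */
unsigned long baud_error_permille(unsigned long actual, unsigned long requested)
{
    unsigned long diff = actual > requested ? actual - requested : requested - actual;
    return diff * 1000UL / requested;
}

/* 1 if a host adapter running at host_baud can talk to a phone UART at
 * phone_baud within the assumed tolerance. */
int baud_compatible(unsigned long host_baud, unsigned long phone_baud)
{
    return baud_error_permille(host_baud, phone_baud) <= BAUD_TOLERANCE_PERMILLE;
}
```

An unmodified CP210x driven at B460800 is about 13 % off 406250, far outside any UART tolerance, which is why the EEPROM remap (460800 actually meaning 406250) is needed rather than a "closest standard rate".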
From: niceguy108 at gmail.com (Bhaskar11)
Date: Fri, 28 Dec 2012 11:46:04 +0530
Subject: Bug in switching baud rates in burst_ind branch?
In-Reply-To:
References:
Message-ID:

Hi Chris,

Thank you for the detailed explanation. I am using a CP210x from Sysmocom. I understand that this has a pre-programmed EEPROM and so does not require a driver.

Yet, when I run ccch_scan in the burst_ind branch on Debian Linux, it fails at both speeds. The tutorial does not mention the need for installing a SiLabs driver, and all attempts to install the Linux version of their driver fail. Can you confirm if the driver is required?

But the same code in Windows works just fine, as Windows permits selection of any arbitrary speed. Of course I needed to install the SiLabs USB to UART bridge driver for Windows to recognise the device in the first place.

B.

On Wed, Dec 26, 2012 at 2:05 AM, Christian Vogel wrote:

> Hi Bhaskar11,
>
> On Tue, 25 Dec 2012 15:35:03 +0100, Bhaskar11 wrote:
>
>> If the first attempt to switch to 406250 succeeds, the function exits and
>> never reaches the I_HAVE_A_CP210x code which would switch to a higher
>> speed!
>>
>> Is this a bug? Or is the lower speed good enough for burst_ind? In which
>> case why bother with the I_HAVE_A_CP210x option?
>
> that logic is correct.
>
>> Or have I missed something obvious?
>
> It's not about switching to a slighly higher baudrate of B460800 but
> rather to switch to the highest baudrate that can sensibly be used on the
> phone uart which is the non-standard 406250. Some USB/Serial converter
> chips allow to select almost any baudrate you want out of the box, but
> CP210x doesn't. If you have a CP210x you modify the eeprom in the serial
> adapter so that when Linux requests the "Standard" 460k, it actually uses
> the odd 406k.
>
> http://bb.osmocom.org/trac/wiki/Hardware/CP210xTutorial
>
> In src/target/firmware/calypso/uart.c there's the uint16_t divider[] table
> of baudrate dividers, and the two highest speeds supported by the calypso
> chipset are 406,250 or 812,500 bits per second.
>
> Silabs Application note AN205 explains the Silabs side of things.
> http://www.silabs.com/Support%20Documents/TechnicalDocs/an205.pdf
>
> Greetings,
>
> Chris

From: niceguy108 at gmail.com (Bhaskar11)
Date: Sat, 29 Dec 2012 00:33:51 +0530
Subject: Bug in switching baud rates in burst_ind branch?
In-Reply-To: <1356691339.59033.YahooMailNeo@web133202.mail.ir2.yahoo.com>
References: <1356691339.59033.YahooMailNeo@web133202.mail.ir2.yahoo.com>
Message-ID:

Sysmocom sells pre-modified CP210x. You can use them as they are.

"Mostly" LAPDm and paging messages is normal. You should also see call setups and SMSs as they are used, much less frequently depending on local traffic. :-)

If you have your cellphone on the same ARFCN, you should be able to see your cell making/receiving calls and sending messages.

B.

On Fri, Dec 28, 2012 at 4:12 PM, Erich Dachleger wrote:

> I am also using CP210x from sysmocom and haven't modified it since I
> thought it didn't require modification.
> Is that wrong?
> When I use burst_ind with unmodified CP210x I receive mostly LAPDM and
> System 4 messages in wireshark.
> Regards
> Erich
From: jtd1959 at gmail.com (J T Dsouza)
Date: Sat, 29 Dec 2012 11:43:55 +0530
Subject: Bug in switching baud rates in burst_ind branch?
In-Reply-To:
References: <1356691339.59033.YahooMailNeo@web133202.mail.ir2.yahoo.com>
Message-ID:

http://cp210x-program.sourceforge.net/ works nicely for me, except I have never used it to change the baudrate table.

On Sat, Dec 29, 2012 at 12:33 AM, Bhaskar11 wrote:

> Sysmocom sells pre-modified CP201x. You can use them as they are.
>
> "mostly" LAPDm and Paging messages is normal. You should also see call
> setups and SMSs as they are used, much less frequently depending on local
> traffic. :-)
>
> If you have your cellphone on the same ARFCN, you should be able to see
> your cell making/receiving calls and sending messages.
>
> B.
>
> On Fri, Dec 28, 2012 at 4:12 PM, Erich Dachleger wrote:
>
>> I am also using CP210x from sysmocom and haven't modified it since I
>> thought it didn't require modification.
>> Is that wrong?
>> When I use burst_ind with unmodified CP210x I receive mostly LAPDM and
>> System 4 messages in wireshark.
>> Regards
>> Erich
From: zismikhail at gmail.com (Mikhail Zisman)
Date: Wed, 26 Dec 2012 16:14:29 +0500
Subject: Firmware problem
Message-ID:

Hello,

I am working with the Osmocom-bb project. I compiled the project. But when I run the firmware command:

    ./osmocon -p /dev/ttyUSB0-m c123xor ../../target/firmware/board/compal_e88/hello_world.compalram.bin

the screen just hangs (I also press the power button), or most likely it expects a sequence of bytes to be input, i.e. no further information appears. The phone is switched on.

I used these instructions for checking the operation: http://lists.osmocom.org/pipermail/baseband-devel/2011-August/002230.html

1) I use the FTDI cable, it is OK. The port is OK.
2) Note: I don't see FMTTOOL ERROR (!!!) when I press the power button.

I tried the models C113, C115, C118. Why might this happen?

Thank you!

From: g.roelant at telenet.be (g.roelant at telenet.be)
Date: Wed, 26 Dec 2012 17:06:27 +0100 (CET)
Subject: frame guessing
Message-ID: <9ddd502b-d41d-4798-a478-ea6ca09be23b@chipo.telenet-ops.be>

Hi group,

What is the most successful: guessing uplink frames or downlink? I see some very simple uplink frames that make a good candidate. Or is it all the same...

Kind regards
From: david at frinet.es (david at frinet.es)
Date: Thu, 27 Dec 2012 17:38:12 +0100
Subject: Beginner question of firmware and C139
Message-ID: <20121227173812.r3f0dsbaqs0oo4g8@webmail.frinet.es>

Hi all,

I am starting with this project and I have problems downloading the firmware to a C139. I built the T191 and I'm using an FTDI USB-serial. I use the command that is described in the "Motorola C140" section:

    ./osmocon -p /dev/ttyUSB0 -m c140 -c ../../target/firmware/board/compal_e86/layer1.highram.bin ../../target/firmware/board/compal_e86/chainload.compalram.bin

and I have also used it with "-m c140xor", but when I push the power button briefly, it shows in the next lines "got 1 byte from modem, data looks like: ff ." The data changes in the next lines; sometimes the bytes received are more than 1, they are 2, 5, 6.

I have some questions:

Which is the sequence that osmocon has to receive to start the communication with the phone?

Is it possible that the compilation of osmocon went badly?

Thanks and regards.
From: cityhnet at gmail.com (Vic Delorge)
Date: Sat, 29 Dec 2012 06:24:18 +0100
Subject: 29c3 youtube video
Message-ID:

This is the 29c3 talk about GSM DoS and SMS sniffing. Awesome work, osmocom team. Layer 1, 2, 3 now all runs on the phone :)

http://youtu.be/a1iZV2nl28A
From: akibsayyed at gmail.com (Akib Sayyed)
Date: Sat, 29 Dec 2012 12:04:22 +0300
Subject: 29c3 youtube video
In-Reply-To:
References:
Message-ID:

Is the code online for all layers 1, 2, 3?

On Sat, Dec 29, 2012 at 8:24 AM, Vic Delorge wrote:

> this is the 29c3 talk about GSM DOS and SMS sniffing .
> awesome work osmocom team. layer 1,2,3 now runs all on the phone :)
> http://youtu.be/a1iZV2nl28A

--
Akib Sayyed
Matrix-Shell
akibsayyed at gmail.com
akibsayyed at matrixshell.com
Mob:- +91-966-514-2243

From: 246tnt at gmail.com (Sylvain Munaut)
Date: Sat, 29 Dec 2012 10:07:50 +0100
Subject: 29c3 youtube video
In-Reply-To:
References:
Message-ID:

Hi,

> layer 1,2,3 now runs all on the phone :)

Not really ... AFAIK the L2/3 running on the phone in that demo are just a minimal implementation to do what the demo showed and be as fast as possible (since being fast was the whole point here). It's not the full mobile application.

Cheers,

Sylvain

From: osmocom at ngolde.de (Nico Golde)
Date: Sat, 29 Dec 2012 11:18:11 +0100
Subject: 29c3 youtube video
In-Reply-To:
References:
Message-ID: <20121229101810.GA13977@nybble.binarybase.org>

Hi,

* Vic Delorge [2012-12-29 11:15]:
> this is the 29c3 talk about GSM DOS and SMS sniffing .

Please check the slides of the presentation or watch the youtube recording. This is not related to sniffing at all.

> awesome work osmocom team. layer 1,2,3 now runs all on the phone :)

This is not true; it is just a minimal subset of layer 2 and an even more stripped-down subset of layer 3 messages that are required just for the attack.

Cheers
Nico
From: akibsayyed at gmail.com (Akib Sayyed)
Date: Sat, 29 Dec 2012 13:46:45 +0300
Subject: 29c3 youtube video
In-Reply-To: <20121229101810.GA13977@nybble.binarybase.org>
References: <20121229101810.GA13977@nybble.binarybase.org>
Message-ID:

Dear Nico,

Please share the slides :)

On Sat, Dec 29, 2012 at 1:18 PM, Nico Golde wrote:

> Hi,
> * Vic Delorge [2012-12-29 11:15]:
> > this is the 29c3 talk about GSM DOS and SMS sniffing .
>
> Please check the slides of the presentation or watch the
> youtube recording. This is not related to sniffing at all.
>
> > awesome work osmocom team. layer 1,2,3 now runs all on the phone :)
>
> This is not true, it is just a minimal subset of layer2
> and an even more stripped down subset of layer3 messages
> that are required just for the attack.
>
> Cheers
> Nico

--
Akib Sayyed
Matrix-Shell
akibsayyed at gmail.com
akibsayyed at matrixshell.com
Mob:- +91-966-514-2243

From: osmocom at ngolde.de (Nico Golde)
Date: Sat, 29 Dec 2012 12:07:47 +0100
Subject: 29c3 youtube video
In-Reply-To:
References: <20121229101810.GA13977@nybble.binarybase.org>
Message-ID: <20121229110747.GA23849@nybble.binarybase.org>

Hi,

* Akib Sayyed [2012-12-29 11:51]:
> dear Nico
>
> Please share slides :)

http://fandango.binarybase.org/~nion/let_me_answer_that_for_you.pdf

Cheers
Nico
From: akibsayyed at gmail.com (Akib Sayyed)
Date: Sat, 29 Dec 2012 15:11:46 +0300
Subject: 29c3 youtube video
In-Reply-To: <20121229110747.GA23849@nybble.binarybase.org>
References: <20121229101810.GA13977@nybble.binarybase.org> <20121229110747.GA23849@nybble.binarybase.org>
Message-ID:

Thanks :) nice one. I would like to study your code, because I am implementing the l23 mobile app on the phone. Currently CCCH_app is ported completely but there is some memory management issue going on. :( Let's hope it will be solved in the next code :)

cheers

On Sat, Dec 29, 2012 at 2:07 PM, Nico Golde wrote:
> Hi,
> * Akib Sayyed [2012-12-29 11:51]:
> > dear Nico
> >
> > Please share slides :)
>
> http://fandango.binarybase.org/~nion/let_me_answer_that_for_you.pdf
>
> Cheers
> Nico
>
>

-- 
Akib Sayyed
Matrix-Shell
akibsayyed at gmail.com
akibsayyed at matrixshell.com
Mob:- +91-966-514-2243

From akibsayyed at gmail.com Sun Dec 30 07:20:52 2012
From: akibsayyed at gmail.com (Akib Sayyed)
Date: Sun, 30 Dec 2012 10:20:52 +0300
Subject: Osmocom-BTS
Message-ID:

Congrats Sylvain for such great engineering work. It's really a good and cheap solution for those who want to learn about GSM. There are certain questions that didn't get a chance to be asked in the conference. Here are some:

1. Is it possible in future to implement one phone and at least a 4 timeslot cell? Means 3 voice and 1 BCCH.
2. What about encryption? Is it possible to implement encryption?
3. Also, how can we solve relying on a commercial cell?
4. The code which will be released will contain single slot operation or multi slot with voice (after work and development)?

Thanks and again congrats :)

cheers

-- 
Akib Sayyed
Matrix-Shell
akibsayyed at gmail.com
akibsayyed at matrixshell.com
Mob:- +91-966-514-2243

From 246tnt at gmail.com Sun Dec 30 12:41:09 2012
From: 246tnt at gmail.com (Sylvain Munaut)
Date: Sun, 30 Dec 2012 13:41:09 +0100
Subject: Osmocom-BTS
In-Reply-To:
References:
Message-ID:

> 1.is it possible in future to implement one phone and atleast 4 timeslot
> cell?

I don't see why not ... No idea when or even if I will ever get to it though.

> 2. what about encryption? is it possible to implement encryption ?

That's handled by OpenBTS, nothing special to do on the trx / phone side.

> 3.also how can be solve relying on commercial cell?

You could replace the internal crystal by an OCXO but that's a HW mod and they're big and very power hungry so the battery would be dead in a few minutes :p

> 4.the code which will be released will contain single slot operation or
> multi slot with voice (after work and developement)

The code that will be released is the only thing I have and that's single slot operation, the rest doesn't work yet ... if it ever does, it will be released.

Cheers,

Sylvain

From akibsayyed at gmail.com Sun Dec 30 13:10:29 2012
From: akibsayyed at gmail.com (Akib Sayyed)
Date: Sun, 30 Dec 2012 16:10:29 +0300
Subject: Osmocom-BTS
In-Reply-To:
References:
Message-ID:

Thanks for the info

On Sun, Dec 30, 2012 at 3:41 PM, Sylvain Munaut <246tnt at gmail.com> wrote:
> > 1.is it possible in future to implement one phone and atleast 4 timeslot
> > cell?
>
> I don't see why not ... No idea when or even if I will ever get to it
> though.
>
>
> > 2. what about encryption? is it possible to implement encryption ?
>
> That's handled by OpenBTS, nothing special to do on the trx / phone side.
>
>
> > 3.also how can be solve relying on commercial cell?
>
> You could replace the internal crystal by an OCXO but that's a HW mod
> and they're big and very power hungry so the battery would be dead in a few
> minutes :p
>
>
> > 4.the code which will be released will contain single slot operation or
> > multi slot with voice (after work and developement)
>
> The code that will be released is the only thing I have and that's
> single slot operation, the rest doesn't work yet ... if it ever does,
> it will be released.
>
>
> Cheers,
>
> Sylvain
>

-- 
Akib Sayyed
Matrix-Shell
akibsayyed at gmail.com
akibsayyed at matrixshell.com
Mob:- +91-966-514-2243

From niceguy108 at gmail.com Sun Dec 30 11:22:03 2012
From: niceguy108 at gmail.com (Bhaskar11)
Date: Sun, 30 Dec 2012 16:52:03 +0530
Subject: Question on saving burst information
Message-ID:

In ccch_scan the burst information is first saved to file, then local_burst_decode is applied before sending to GSMTAP.

Would it not be more useful to save burst data after local_burst_decode? Is there some utility in storing it in its raw form? Looks like I am missing something?

B.

From 246tnt at gmail.com Sun Dec 30 12:36:58 2012
From: 246tnt at gmail.com (Sylvain Munaut)
Date: Sun, 30 Dec 2012 13:36:58 +0100
Subject: Question on saving burst information
In-Reply-To:
References:
Message-ID:

Hi,

> Would it not be more useful to save burst data after local_burst_decode?

After local_burst_decode they are not bursts anymore, they are L2 packets, and that call only works if either it's unciphered or you know the key.

If you want to save the cleartext decoded bursts, use tcpdump or wireshark.

> Is there some utility in storing it in its raw form? Looks like I am missing
> something?

They're stored by ccch_scan ... but there is no utility to use those data; you have to write a utility to use those data in any way you'd like.

Cheers,

Sylvain

From niceguy108 at gmail.com Sun Dec 30 16:47:47 2012
From: niceguy108 at gmail.com (Bhaskar11)
Date: Sun, 30 Dec 2012 22:17:47 +0530
Subject: Question on saving burst information
In-Reply-To:
References:
Message-ID:

Thanks for the clarification. I'm developing in an unencrypted private network so it did not strike me!

>> If you want to save the cleartext decoded burst, use tcpdump or wireshark.

I would like to extract only the SMS messages sent to me and save the text only automatically from within my modified ccch_scan, without using external monitoring tools like wireshark.

1. From what I have figured out so far, I need to catch the L2 packets at the point where they are sent on gsmtap_send(), and then apply my own decode to filter out SMS messages and extract data. Is this correct so far?

2. What reference material would you recommend for L2 packet formats? I checked the 3gpp website, but there are so many versions of all specs that I cannot figure out what to use, and could not figure out where the format definitions are given. Is there a better site generally for GSM specs? Or should I be able to figure this out from the mobile app code alone? (I tried that but kind of got lost in the call setup process. I will try again anyway!)

Thanks for your prompt guidance.

B.

On Sun, Dec 30, 2012 at 6:06 PM, Sylvain Munaut <246tnt at gmail.com> wrote:
> Hi,
>
>
> > Would it not be more useful to save burst data after local_burst_decode?
>
> After local_burst_decode they are not bursts anymore, they are L2
> packets and that call only works if either it's unciphered or if you
> know the key.
>
> If you want to save the cleartext decoded burst, use tcpdump or wireshark.
>
>
> > Is there some utility in storing it in its raw form? Looks like I am
> missing
> > something?
>
> They're stored by by ccch_scan ... but there are no utility to use
> those data, you have to write an utility to use those data in any way
> you'd like.
>
>
> Cheers,
>
> Sylvain
>

From g.roelant at telenet.be Sun Dec 30 14:05:40 2012
From: g.roelant at telenet.be (g.roelant at telenet.be)
Date: Sun, 30 Dec 2012 15:05:40 +0100 (CET)
Subject: kraken for uplink bursts
Message-ID: <896f299f-a104-4778-b5cf-1d07157d4023@chipo.telenet-ops.be>

Hi,

Is there a kraken version available for uplink? What do I need to change in the source code in order to find the kc for uplink bursts?

thanks

ps. all downlink frames seem to have random padding here...

From cityhnet at gmail.com Sun Dec 30 16:26:21 2012
From: cityhnet at gmail.com (Vic Delorge)
Date: Sun, 30 Dec 2012 17:26:21 +0100
Subject: sylvains talk from 29c3
Message-ID:

Speaker: Sylvain Munaut

... or how to turn a phone into a BTS

The calypso baseband and its companion chips are used on the Motorola C123 among others and are now well known for being supported by the Osmocom-BB open source GSM baseband implementation. A couple of years ago, it was hacked a little further by using it as a raw bits capture device allowing the interception of GSM traffic very cheaply. This talk will present some further work on that platform, showing that just because a device wasn't designed for a given task doesn't mean it can't do it. More specifically, how you can hack this phone to act as a GSM basestation and broadcast your own network.

http://youtu.be/xFjVcxMpA6c

From akibsayyed at gmail.com Mon Dec 31 07:58:33 2012
From: akibsayyed at gmail.com (Akib Sayyed)
Date: Mon, 31 Dec 2012 10:58:33 +0300
Subject: Need guidance for LNA and PA
Message-ID:

Dear List

I wanted to buy an LNA and PA for my phone. What specification should I use for the purpose of increasing signal strength?

please guide me

thanks

-- 
Akib Sayyed
Matrix-Shell
akibsayyed at gmail.com
akibsayyed at matrixshell.com
Mob:- +91-966-514-2243

From clemensgru at gmail.com Mon Dec 31 10:13:02 2012
From: clemensgru at gmail.com (Clemens Gruber)
Date: Mon, 31 Dec 2012 11:13:02 +0100
Subject: Filter replacement
Message-ID: <4C8FBFA6-50D6-4BB8-A9B3-5923C9631DC8@gmail.com>

Hi,

yesterday I fucked up the second C123 while trying to replace the filters, so I decided to buy one model from Sysmocom (with the filters already replaced), but due to too many orders they do not offer this service anymore.

Is somebody on this list able and willing to sell me one C123 with the filter kit already built in (and tested)? I'd really appreciate it if someone who is more experienced in SMD soldering than me could help me out.

If so, please contact me at: clemensgru at gmail.com

I live in Austria, so delivery from Europe should not be a problem.

Thanks.
Clemens

From clemensgru at gmail.com Mon Dec 31 15:48:43 2012
From: clemensgru at gmail.com (Clemens Gruber)
Date: Mon, 31 Dec 2012 16:48:43 +0100
Subject: Filter replacement
Message-ID: <6C352EEE-59DE-4A23-8719-EBAA2FE390F2@gmail.com>

Hi,

yesterday I fucked up the second C123 while trying to replace the filters, so I decided to buy one model from Sysmocom (with the filters already replaced), but due to too many orders they do not offer this service anymore.

Is somebody on this list able and willing to sell me one C123 with the filter kit already built in (and tested)? I'd really appreciate it if someone who is more experienced in SMD soldering than me could help me out.

If so, please contact me at: clemensgru at gmail.com

I live in Austria, so delivery from Europe should not be a problem.

Thanks.
Clemens

From laforge at gnumonks.org Mon Dec 31 17:37:36 2012
From: laforge at gnumonks.org (Harald Welte)
Date: Mon, 31 Dec 2012 18:37:36 +0100
Subject: OsmoDevCon 2013 brainstorming
Message-ID: <20121231173736.GD21955@prithivi.gnumonks.org>

Hi all,

as the year 2012 has already ended or will soon end depending on your timezone, it might be a good occasion to start thinking of an OsmoDevCon 2013.

I personally perceived OsmoDevCon 2012 as a big success, and it was fun to bring everyone together.

Generally, I prefer to keep the spirit of an invitation-only developer+contributor-only event of those involved in Osmocom. At the same time, I would consider it a good idea to add a one day user-conference to the schedule, where we try to get interested users up to speed with the various projects, possibly including some workshops and the like.

So schedule-wise, I would suggest something like:
* one day user conference
* two day developer/contributor event
* optionally: 1-2 "hacking days".

The concept of "hacking days" has proven to be quite useful for the netfilter project in the past (Pablo and I can acknowledge that fact). I'm not sure how many people would be able to spend even more days of their schedule, but even if it's a much smaller group it would still be useful, IMHO.

I'd like you to
1) provide feedback on the ideas about the one-day user event and the hacking days
2) consider whether late March (like 2012) would be a good schedule again
3) tell us what we can improve from the last event

In terms of improvements, I so far have noted down:
* larger venue needs to be found
* complaints about the venue not having sufficient heating

Venue-wise, I would again suggest to hold it in Berlin, as it's reasonably well connected, has lots of low-cost flights to it, accommodation is not too expensive and holger/me/sysmocom can take care of local organization related activities. However, if somebody has a strong opinion against Berlin _and_ is willing to organize it, I'm not completely against another venue.

Regards and happy new year,
Harald

-- 
- Harald Welte http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)