December 2012 - baseband-devel

Engagetted !

by Sébastien Lorquet

http://www.engadget.com/2010/12/29/researchers-eavesdrop-on-encrypted-gsm-c… Congrats!

8 months

5
5
0 0

Sniffing GPRS

by canarion

Hi, After compiling osmocom-bb and apply sylvain/burst_ind branch and gprs_multi.patch, I execute it and try to sniff gprs traffic. I loaded the layer1 into my C139 and I obtained an ARFCN code (883). When I run ccch_scan -a 883 I get the next result: opyright (C) 2010 Harald Welte <laforge(a)gnumonks.org> Contributions by Holger Hans Peter Freyther License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Failed to connect to '/tmp/osmocom_sap'. Failed during sap_open(), no SIM reader <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(1476410343) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(1207963561) <0001> app_ccch_scan.c:400 Paging1: Normal paging chan tch/f to TMSI M(0x1ad1cda) <0001> app_ccch_scan.c:403 Paging2: Normal paging chan tch/f to TMSI M(0x41ae98f9) <0001> app_ccch_scan.c:426 Paging3: Normal paging chan n/a to imsi M(214031385056117) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3306441249) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to imsi M(214031482053520) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to imsi M(214036185306441) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4207880193) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4135931713) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4214223105) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3388536385) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(134915836) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3961436929) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4229756769) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(531909) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to imsi M(214034185316455) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3829437761) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to imsi M(214033485554660) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3639403521) <0001> app_ccch_scan.c:105 SI1 received. <0001> app_ccch_scan.c:464 unknown PCH/AGCH type 0x00 <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3827744513) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(335734299) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3561969409) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4294310401) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3698994241) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3682615617) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(67866789) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4003487553) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3770351169) <0001> app_ccch_scan.c:400 Paging1: Normal paging chan tch/f to TMSI M(0x41ae98f9) <0001> app_ccch_scan.c:403 Paging2: Normal paging chan tch/f to TMSI M(0x1ad1cda) <0001> app_ccch_scan.c:426 Paging3: Normal paging chan n/a to imsi M(214031385056117) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3306441249) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to imsi M(214031482053520) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to imsi M(214036185306441) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4102036289) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(4135931713) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to imsi M(214032485273805) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3798414145) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(134915836) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3988859137) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(3735175681) <0001> app_ccch_scan.c:360 Paging1: Normal paging chan tch/f to tmsi M(531909) <0001> app_ccch_scan.c:248 GSM48 IMM ASS (ra=0x78, chan_nr=0x0f, HSN=24, MAIO=1, TS=7, SS=0, TSC=1) Dropping frame with 55 bit errors <000c> l1ctl.c:238 Dropping frame with 55 bit errors <000c> l1ctl.c:290 BURST IND: @(830928 = 0626/20/36) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830928 = 0626/20/36) (-110 dBm, SNR 8) <000c> l1ctl.c:290 BURST IND: @(830929 = 0626/21/37) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830929 = 0626/21/37) ( -83 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830930 = 0626/22/38) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830930 = 0626/22/38) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830931 = 0626/23/39) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830931 = 0626/23/39) ( -83 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830932 = 0626/24/40) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830932 = 0626/24/40) ( -88 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830933 = 0626/25/41) (-105 dBm, SNR 8, UL, SACCH) <000c> l1ctl.c:290 BURST IND: @(830933 = 0626/25/41) (-107 dBm, SNR 5, SACCH) <000c> l1ctl.c:290 BURST IND: @(830934 = 0626/00/42) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830934 = 0626/00/42) ( -88 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830935 = 0626/01/43) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830935 = 0626/01/43) ( -83 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830936 = 0626/02/44) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830936 = 0626/02/44) ( -88 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830937 = 0626/03/45) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830937 = 0626/03/45) ( -89 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830938 = 0626/04/46) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830938 = 0626/04/46) ( -88 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830939 = 0626/05/47) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830939 = 0626/05/47) ( -82 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830940 = 0626/06/48) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830940 = 0626/06/48) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830941 = 0626/07/49) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830941 = 0626/07/49) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830942 = 0626/08/50) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830942 = 0626/08/50) ( -86 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830943 = 0626/09/00) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830943 = 0626/09/00) ( -86 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830944 = 0626/10/01) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830944 = 0626/10/01) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830945 = 0626/11/02) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830945 = 0626/11/02) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830947 = 0626/13/04) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830947 = 0626/13/04) ( -84 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830948 = 0626/14/05) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830948 = 0626/14/05) ( -85 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830949 = 0626/15/06) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830949 = 0626/15/06) ( -88 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830950 = 0626/16/07) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830950 = 0626/16/07) ( -89 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830951 = 0626/17/08) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830951 = 0626/17/08) ( -88 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830952 = 0626/18/09) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830952 = 0626/18/09) ( -85 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830953 = 0626/19/10) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830953 = 0626/19/10) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830954 = 0626/20/11) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830954 = 0626/20/11) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830955 = 0626/21/12) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830955 = 0626/21/12) (-106 dBm, SNR 0) <000c> l1ctl.c:290 BURST IND: @(830956 = 0626/22/13) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830956 = 0626/22/13) (-107 dBm, SNR 5) <000c> l1ctl.c:290 BURST IND: @(830957 = 0626/23/14) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830957 = 0626/23/14) (-106 dBm, SNR 2) <000c> l1ctl.c:290 BURST IND: @(830958 = 0626/24/15) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830958 = 0626/24/15) (-108 dBm, SNR 1) <000c> l1ctl.c:290 BURST IND: @(830959 = 0626/25/16) (-106 dBm, SNR 2, UL, SACCH) <000c> l1ctl.c:290 BURST IND: @(830959 = 0626/25/16) (-109 dBm, SNR 5, SACCH) <000c> l1ctl.c:290 BURST IND: @(830960 = 0626/00/17) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830960 = 0626/00/17) (-108 dBm, SNR 3) <000c> l1ctl.c:290 BURST IND: @(830961 = 0626/01/18) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830961 = 0626/01/18) (-106 dBm, SNR 2) <000c> l1ctl.c:290 BURST IND: @(830962 = 0626/02/19) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830962 = 0626/02/19) (-108 dBm, SNR 3) <000c> l1ctl.c:290 BURST IND: @(830963 = 0626/03/20) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830963 = 0626/03/20) (-107 dBm, SNR 0) <000c> l1ctl.c:290 BURST IND: @(830964 = 0626/04/21) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830964 = 0626/04/21) ( -85 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830965 = 0626/05/22) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830965 = 0626/05/22) ( -87 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830966 = 0626/06/23) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830966 = 0626/06/23) ( -85 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830967 = 0626/07/24) ( -47 dBm, SNR 255, UL) <000c> l1ctl.c:290 BURST IND: @(830967 = 0626/07/24) ( -86 dBm, SNR 255) <000c> l1ctl.c:290 BURST IND: @(830968 = 0626/08/25) (-107 dBm, SNR 6, UL) <000c> l1ctl.c:290 BURST IND: @(830968 = 0626/08/25) (-109 dBm, SNR 0) <000c> l1ctl.c:290 BURST IND: @(830969 = 0626/09/26) (-101 dBm, SNR 6, UL) But it stop to capture frames, seems to be left in a standby state and I don't know why that is. With gprsdecode I can see the next image in the wireshark: http://baseband-devel.722152.n3.nabble.com/file/n3712433/wireshark-capture.… If someone knows what is the problem, please tell me. Thanks in advance. Cheers, Dani -- View this message in context: http://baseband-devel.722152.n3.nabble.com/Sniffing-GPRS-tp3712433p3712433.… Sent from the baseband-devel mailing list archive at Nabble.com.

7 years, 6 months

8
12
0 0

Please can anyone advise me - FMTOOL Error and no further processing

by Raz Sharif

Dear all, I vae the C115 with a T1 USB to Serial cable with the Prolific chipset. When i run osmocon i get :- an its just sits there with no further processing. ./osmocon -p /dev/ttyUSB0 -m c123xor ../../target/firmware/board/compal_e88/loader.compalram.bin read_file(../../target/firmware/board/compal_e88/loader.compalram.bin): file_size=17120, hdr_len=4, dnload_len=17127 read_file(../../target/firmware/board/compal_e88/loader.compalram.bin): file_size=17120, hdr_len=4, dnload_len=17127 got 1 bytes from modem, data looks like: 00 . got 2 bytes from modem, data looks like: 2f 00 /. got 1 bytes from modem, data looks like: 1b . got 3 bytes from modem, data looks like: f6 02 00 ... got 1 bytes from modem, data looks like: 41 A got 1 bytes from modem, data looks like: 01 . got 1 bytes from modem, data looks like: 40 @ Received PROMPT1 from phone, responding with CMD got 1 bytes from modem, data looks like: 66 f got 1 bytes from modem, data looks like: 74 t got 1 bytes from modem, data looks like: 6d m got 1 bytes from modem, data looks like: 74 t got 1 bytes from modem, data looks like: 6f o got 1 bytes from modem, data looks like: 6f o got 1 bytes from modem, data looks like: 6c l Received FTMTOOL from phone, ramloader has aborted got 1 bytes from modem, data looks like: 65 e got 1 bytes from modem, data looks like: 72 r got 1 bytes from modem, data looks like: 72 r got 1 bytes from modem, data looks like: 6f o got 1 bytes from modem, data looks like: 72 r got 1 bytes from modem, data looks like: 00 . got 1 bytes from modem, data looks like: 00 . I think the cable is ok as when i run my fingers on the tip i get random Zeros so it appears to be talking to the cable. Also when i tried to run Mobile i get the :- even though i created the Mobile.cfg file in /etc/osmoco Failed to parse the config file: '/home/raz/.osmocom/bb/mobile.cfg' Please check or create config file using: 'touch /home/raz/.osmocom/bb/mobile.cfg' I have spent some hours researching the lists and trying various things to no avail but I want to continue until I resolve this issues and use this great stack to learn about the GSM network. Please advise. Great full for any help or pointers but this maybe a timing issue that is difficult to debug. Thanks Raz

8 years

5
6
0 0

cell re-selection

by Andreas.Eversberg

hi, i did a lot of resarch and testing on cell selection and re-selection process the last two week. the cell selection process, network selection process (manual and automatic) and mobility management process were already implemented in OsmocomBB a long time, but turned out to be buggy and incomplete. i made test drives to check the process and debugged it. the re-selection process is new. it is used to track surrounding cells while listening to the BCCH of the current cell (camping on a cell). special extension to the layer1 firmare is used to measure neighbour cells. if an neighbour cell becomes 'better', the mobile switches to that cell, depening on different criteria. now it is possible to move with OsmocomBB. the re-selection process is not handover! handover is a process where a phone switches between cells while doing a call. handover is one next step to implement. the process is a little more complex, because it requires not only neighbour cell measurements, but also syncing to them without interrupting the traffic channel. most layer 3 stuff of handover is already implemented. if you like to play and test your moving OsmocomBB, you can check out the "jolly/roaming" branch. it contains the extension to layer1, as well as sim reader and fixes from "sylvain/testing" branch. use both "mobile" and "layer1" firmware from this branch. in order to see some process at VTY, you can do: enable monitor network 1 (continously display the strongest cell and neighbour cells) show ms 1 (to see current states) show neighbour-cells 1 (to see a more detailed current list of neighbours) andreas

8 years, 3 months

3
3
0 0

Set fixed TMSI and Kc

by Simian Denson

Hi, in the osmocom bb mobile.cfg I don't see any posibility to set a fixed Kc encryption key and the tmsi. How could I achieve that osmocom uses my defined Kc and tmsi? cheers, Simian

8 years, 3 months

5
21
0 0

Location update problems on Motorola C118

by Maciej Grela

Hi, I'm trying to run the latest osmocom-bb git on a Motorola C118 phone. After a minor problem with the build (as you may've noticed in the patch I've sent). I got to the point of successfuly running layer1 on the phone and the mobile app on the PC (I have also enabled TX). The process seems to be stuck on trying to perform a location update. The status of the ms is always either: show ms MS '1' is up, MM connection active IMEI: 000000000000000 IMEISV: 0000000000000000 IMEI generation: fixed automatic network selection state: A1 trying RPLMN MCC=104 MNC=002 (104, 002) cell selection state: connected mode 1 ARFCN=19 MCC=104 MNC=002 LAC=0xb00f CELLID=0x4fd9 (104, 002) radio ressource layer state: connection pending mobility management layer state: wait for RR connection (location updating) OsmocomBB> or show ms MS '1' is up, service is limited (pending) IMEI: 000000000000000 IMEISV: 0000000000000000 IMEI generation: fixed automatic network selection state: A1 trying RPLMN MCC=104 MNC=002 (104, 002) cell selection state: C3 camped normally ARFCN=19 MCC=104 MNC=002 LAC=0xb00f CELLID=0x4fd9 (104, 002) radio ressource layer state: idle mobility management layer state: MM idle, attempting to update OsmocomBB> I think, that because of this I can't make any calls or send sms (all the requests are being rejected): OsmocomBB# call 1 <X> call 1 <X> OsmocomBB# % (MS 1) % Call has been rejected The log information from mobile when it's trying to do a location update is show below: <000b> gsm48_rr.c:2174 PAGING REQUEST 1 <000b> gsm48_rr.c:2141 IMSI 260021964220249 (not for us) <000b> gsm48_rr.c:2132 TMSI fd82a501 (not for us) <000e> gsm48_mm.c:344 Location update retry <0005> gsm48_mm.c:345 timer T3211 (loc. upd. retry delay) has fired <0005> gsm48_mm.c:4311 (ms 1) Received 'MM_EVENT_TIMEOUT_T3211' event in state MM IDLE, attempting to update <000e> gsm48_mm.c:2199 Perform location update (MCC 104, MNC 002 LAC 0xb00f) <0005> gsm48_mm.c:2333 LOCATION UPDATING REQUEST <0005> gsm48_mm.c:2355 using LAI (mcc 104 mnc 002 lac 0xb00f) <0005> gsm48_mm.c:2363 using TMSI 0x28a3d62e <0005> gsm48_mm.c:914 new state MM IDLE, attempting to update -> wait for RR connection (location updating) <0001> gsm48_rr.c:5428 (ms 1) Message 'RR_EST_REQ' received in state idle (sapi 0) <000e> gsm48_rr.c:1318 Establish radio link due to mobility management request <0003> gsm322.c:4037 (ms 1) Event 'EVENT_LEAVE_IDLE' for Cell selection in state 'C3 camped normally' <0003> gsm322.c:823 new state 'C3 camped normally' -> 'connected mode 1' <0003> gsm322.c:3653 Going to camping (normal) ARFCN 19. <0003> gsm322.c:463 Sync to ARFCN=19 rxlev=-74 (Sysinfo, ccch mode NON-COMB) <0001> gsm48_rr.c:366 new state idle -> connection pending <0001> gsm48_rr.c:1465 CHANNEL REQUEST: 00 (Location Update with NECI) <0003> gsm322.c:2938 Channel synched. (ARFCN=19, snr=16, BSIC=17) <0001> gsm322.c:2959 using DSC of 90 <0003> gsm48_rr.c:4816 Channel provides data. <0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 5) <0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no S(lots) 0 ra 0x0e) <0001> gsm48_rr.c:1697 Use MS-TXPWR-MAX-CCH power value 5 (33 dBm) <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 4) <0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no S(lots) 55 ra 0x07) <0001> gsm48_rr.c:1697 Use MS-TXPWR-MAX-CCH power value 5 (33 dBm) <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x75 chan_nr 0x0a MAIO 0 HSN 38 TS 2 SS 0 TSC 0) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x75 chan_nr 0x0a MAIO 0 HSN 38 TS 2 SS 0 TSC 0) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 0 LAI=104 002 b00f ID=4fd9 <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 3) <0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no S(lots) 55 ra 0x0f) <0001> gsm48_rr.c:1697 Use MS-TXPWR-MAX-CCH power value 5 (33 dBm) <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 2) <0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no S(lots) 55 ra 0x01) <0001> gsm48_rr.c:1697 Use MS-TXPWR-MAX-CCH power value 5 (33 dBm) <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2473 (ta 1/553m ra 0x18 chan_nr 0x59 ARFCN 19 TS 1 SS 3 TSC 1) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2473 (ta 1/553m ra 0x18 chan_nr 0x59 ARFCN 19 TS 1 SS 3 TSC 1) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 1) <0001> gsm48_rr.c:1658 RANDOM ACCESS (Tx-integer 50 combined no S(lots) 55 ra 0x0a) <0001> gsm48_rr.c:1697 Use MS-TXPWR-MAX-CCH power value 5 (33 dBm) <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 1 LAI=104 002 b00f ID=4fd9 <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:1601 RANDOM ACCESS (requests left 0) <0001> gsm48_rr.c:1605 Done with sending RANDOM ACCESS bursts <0001> gsm48_rr.c:836 starting T3126 with 5.000 seconds <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2225 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 0 LAI=104 002 b00f ID=4fd9 <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x0a chan_nr 0x41 ARFCN 19 TS 1 SS 0 TSC 1) <0001> gsm48_rr.c:2393 request 0a matches but not frame number (IMM.ASS fn=22,6,30 != RACH fn=22,5,25) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x05 chan_nr 0x49 ARFCN 19 TS 1 SS 1 TSC 1) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x05 chan_nr 0x49 ARFCN 19 TS 1 SS 1 TSC 1) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2225 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:673 MON: f=19 lev=-77 snr= 0 ber= 6 LAI=104 002 b00f ID=4fd9 <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x00 chan_nr 0x61 ARFCN 19 TS 1 SS 4 TSC 1) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2473 (ta 2/1107m ra 0x00 chan_nr 0x61 ARFCN 19 TS 1 SS 4 TSC 1) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x7d chan_nr 0x0b MAIO 0 HSN 38 TS 3 SS 0 TSC 0) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x7d chan_nr 0x0b MAIO 0 HSN 38 TS 3 SS 0 TSC 0) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 0 LAI=104 002 b00f ID=4fd9 <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2225 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2225 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 3 LAI=104 002 b00f ID=4fd9 <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x77 chan_nr 0x09 MAIO 0 HSN 38 TS 1 SS 0 TSC 0) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2450 IMMEDIATE ASSIGNMENT: <0001> gsm48_rr.c:2462 (ta 2/1107m ra 0x77 chan_nr 0x09 MAIO 0 HSN 38 TS 1 SS 0 TSC 0) <0001> gsm48_rr.c:2503 Request, but not for us. <0001> gsm48_rr.c:2225 PAGING ignored, we are not camping. <0001> gsm48_rr.c:2170 PAGING ignored, we are not camping. <0001> gsm48_rr.c:673 MON: f=19 lev=-78 snr= 0 ber= 6 LAI=104 002 b00f ID=4fd9 <0001> gsm48_rr.c:765 timer T3126 has fired <000e> gsm48_rr.c:770 Requesting channel failed <0001> gsm48_rr.c:366 new state connection pending -> idle <0003> gsm322.c:4037 (ms 1) Event 'EVENT_RET_IDLE' for Cell selection in state 'connected mode 1' <0003> gsm322.c:3565 Selecting ARFCN 19. after LOC.UPD. <0003> gsm322.c:463 Sync to ARFCN=19 rxlev=-74 (Sysinfo, ccch mode NON-COMB) <0003> gsm322.c:823 new state 'connected mode 1' -> 'C3 camped normally' <0005> gsm48_mm.c:3902 (ms 1) Received 'RR_REL_IND' from RR in state wait for RR connection (location updating) (sapi 0) <0005> gsm48_mm.c:2732 RR link released after loc. upd. <000e> gsm48_mm.c:2676 Location update failed <000e> gsm48_mm.c:2686 Try location update later <0005> gsm48_mm.c:2688 Loc. upd. failed, retry #0 <0005> gsm48_mm.c:413 starting T3211 (loc. upd. retry delay) with 15.0 seconds <0005> gsm48_mm.c:1143 We are camping normally as returning to MM IDLE <0005> gsm48_mm.c:1159 Loc. upd. allowed. <0005> gsm48_mm.c:919 new state wait for RR connection (location updating) -> MM IDLE, location updating needed <0005> gsm48_mm.c:909 new MM IDLE state location updating needed -> attempting to update <0005> gsm48_mm.c:2215 Loc. upd. already pending. <0005> gsm48_mm.c:4311 (ms 1) Received 'MM_EVENT_CELL_SELECTED' event in state MM IDLE, attempting to update <0005> gsm48_mm.c:2215 Loc. upd. already pending. <0003> gsm322.c:2938 Channel synched. (ARFCN=19, snr=16, BSIC=17) <0001> gsm322.c:2959 using DSC of 90 Can you provide me any hints on how to debug this ? Why is the location update failing constantly ? Thanks in advance for your help. Best regards, Maciej Grela

9 years, 7 months

6
9
0 0

Re: Any interest for Osmocom meetings in Bavaria ?

by Dieter Spaar

So far three persons have indicated their interest to join a meeting at my place. Considering the time it takes to drive to my place, it probably makes sense to have the meeting at the weekend (either Saturday or Sunday) so that there is more time for the meeting itself. I can suggest one of the following dates for the first meeting, somewhere between 10:00 to 18:00 on each day: 25.8. (Sa) or 26.8. (Su) 1.9. (Sa) or 2.9. (Su) 8.9. (Sa) or 9.9. (Su) So please let me know when you have time and also make suggestions in which Osmocom topic you are interested in so that we can have some sort of agenda for the meeting to make best use of the time. Best regards, Dieter -- Dieter Spaar, Germany spaar(a)mirider.augusta.de

11 years

13
42
0 0

asn.1 compilation

by ☎

Hello. I'm having troubles compiling asn.1 files from http://www.3gpp.org/ftp/Specs/archive/24_series/24.080/ASN.1/ I'm getting syntax error (syntax error at line 264 in module SS-Operations.asn: got 'SEQUENCE' expected ':') while running erlc SS-Operations.asn using Erlang version 15.b.1 As far as I recall Harald has done this for MAP asn.1 Are there any hints on what might be wrong? Tried online compiler but it gives different errors in different places. Should I use different version? Compile smth else before attempting to compile this file? Fix syntax using some clever trick? Do some rtfm? Any advices would be greatly appreciated. -- best regards, Max, http://fairwaves.ru

11 years, 2 months

3
5
0 0

AW: The call has been rejected

by Andreas.Eversberg

hi josephli, > Read stored BA list mnc=01 the mobile application stores the last cells and neighbour cells (band allocation) of each network. this way the scanning is much faster when restarting. because you use the SIM card with MNC == 02 the first time, there is no band allocation stored for that. the mobile will do a full scan in this case. > while the sim card service I am tesing is actually with mnc 00 and 02. i know that MNC == 0 will not work until i commited improvements of cell selection process last sunday. you should retry that, but first try with an MNC > 0. can you provide debug output when trying a call? also can you provide VTY output of "show ms" before you make the call? regards, andreas

11 years, 2 months

3
2
0 0

status report layer1 and layer23

by Andreas.Eversberg

hi, i just fixed some locking issues the last days. fix will follow. it took a bit longer, because there were some race conditions. it took up to about one hour until it crashed. my way to detect the area where the crash happened, was to turn on buzzer before that area, and turn it off after that area. after many hours of approximation, i finally found out that the major crash happend during _talloc_zero. (first it looks for a free memory chunk, then it allocates it.) since it can be called from all contexts (main, irq, fiq), it need to be locked against any interrupt, otherwise the memory chunk can be assigned multiple times. (the process of _talloc_free is "atomic" and requires no locking.) because it seems pretty stable, i think it is time to merge some branches into the master. (i made a 6 hours call yesterday. and no crash after bugfix ever since.) i will do that together with sylvain, if we find the time this weekend. currently i use the jolly/voice together with the sylvain/traffic branch. i am able to use an isdn phone togehter with linux-call-router and make/receive calls. audio is passed both ways. i think this is a stage where it actually become "usable". (if not moving arround.) one of my major work for the next weeks/months will be the neighbour cell measurement, cell re-selection, and handover. this is essential when moving with the phone. regards, andreas

11 years, 2 months

2
1
0 0

is the Viterbi decode for the AFS provided by Sylvain right?

by bob

Hi ,List: search some materials, find that the decode method of AFS convolutional code is different from the EFS`, it use RSC, and need SOVA(soft output viterbi algorithm). am i right? -- View this message in context: http://baseband-devel.722152.n3.nabble.com/is-the-Viterbi-decode-for-the-AF… Sent from the baseband-devel mailing list archive at Nabble.com.

11 years, 3 months

4
7
0 0

sylvains talk from 29c3

by Vic Delorge

Speaker: Sylvain Munaut or how to turn a phone into a BTS The calypso baseband and its companion chips are used on the Motorola C123 among other and are now well known for being supported by the Osmocom-BB open source GSM baseband implementation. A couple years ago, it was hacked a little further by using it as a raw bits capture device allowing the interception of GSM traffic very cheaply. This talk will present some further work on that platform, showing that just because a device wasn't design for a given task doesn't mean it can't do it. More specifically how you can hack this phone to act as a GSM basestation and broadcast your own network. http://youtu.be/xFjVcxMpA6c

11 years, 5 months

3
3
0 0

OsmoDevCon 2013 brainstorming

by Harald Welte

Hi all, as the year 2012 has already ended or will soon end depending on your timezone, it might be a good occasion to start thinking of an OsmoDevCon 2013. I personally percevied OsmoDevCon 2012 as a big success, and it was fun to bring everyone together. Generally, I prefer to keep the spirit of an invitation-only developer+contributor-only event of those involved in Osmocom. At the same time, I would consider it a good idea to add a one day user-conference to the schedule, where we try to get interested users up to speed with the various projects, possibly including some workshops and the like. So schedule-wise, I would suggest something like: * one day user conference * two day developer/contributor event * optionally: 1-2 "hacking days". The concept of "hacking days" has proven to be quite useful for the netfilter project in the past (Pablo and I can acknowledge to that fact). I'm not sure how many people would be able to spend even more days of their schedule, but even if it's a much smaller group it would still be useful, IMHO. I'd like you to 1) provide feedback on the ideas about the one-day user event and the hacking days 2) consider whether late march (like 2012) would be a good schedule again 3) what we can improve from the last event In terms of improvements, I so far have noted down: * larger venue needs to be found * complaints about the venue not having sufficient heating Venue-wise, I would again suggest to hold it in Berlin, as it's reasonbly well connected, has lots of low-cost flights to it, accomodation is not too expensive and holger/me/sysmocom can take care of local organization related activities. Hoewver, if somebody has a strong opinion against berlin _and_ is willing to organize it, I'm not completely against another venue. Regards and happy new year, Harald -- - Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)

11 years, 5 months

4
7
0 0

29c3 youtube video

by Vic Delorge

this is the 29c3 talk about GSM DOS and SMS sniffing . awesome work osmocom team. layer 1,2,3 now runs all on the phone :) http://youtu.be/a1iZV2nl28A

11 years, 5 months

6
10
0 0

Filter replacement

by Clemens Gruber

Hi, yesterday I fucked up the second C123 while trying to replace the filters, so I decided to buy one model from Sysmocom (with the filters already replaced), but due to too many orders they do not offer this service anymore. Is somebody on this list able and willing to sell me one C123 with the filter kit already built in (and tested)? I'd really appreciate if someone, who is more experienced in SMD soldering than me, could help me out. If so, please contact me at: clemensgru(a)gmail.com I live in Austria, so delivery from Europe should not be a problem. Thanks. Clemens

11 years, 5 months

2
1
0 0

Filter replacement

by Clemens Gruber

Hi, yesterday I fucked up the second C123 while trying to replace the filters, so I decided to buy one model from Sysmocom (with the filters already replaced), but due to too many orders they do not offer this service anymore. Is somebody on this list able and willing to sell me one C123 with the filter kit already built in (and tested)? I'd really appreciate if someone, who is more experienced in SMD soldering than me, could help me out. If so, please contact me at: clemensgru(a)gmail.com I live in Austria, so delivery from Europe should not be a problem. Thanks. Clemens

11 years, 5 months

1
0
0 0

Need guidance for LNA and PA

by Akib Sayyed

Dear List I wanted to buy LNA and PA for my phone what specification should i use for purpose increasing signalling strength. please guide me thanks -- Akib Sayyed Matrix-Shell akibsayyed(a)gmail.com akibsayyed(a)matrixshell.com Mob:- +91-966-514-2243

11 years, 5 months

1
0
0 0

Question on saving burst information

by Bhaskar11

In ccch_scan the burst information is first saved to file, then local_burst_decode is applied before sending to GSMTAP. Would it not be more useful to save burst data after local_burst_decode? Is there some utility in storing it in its raw form? Looks like I am missing something? B.

11 years, 5 months

2
2
0 0

kraken for uplink bursts

by g.roelant＠telenet.be

Hi, Is there a kraken version vailable for uplink? what do i need to change on the source code in order to find the kc for uplink bursts? thanks ps. all downlink frames seem to have random padding here...

11 years, 5 months

1
0
0 0

Osmocom-BTS

by Akib Sayyed

Congrats Sylvain for such great engineering work.its really a good and cheap solution who want to learn about GSM. there are certain questions didnt get chance to be asked in conference. here are some 1.is it possible in future to implement one phone and atleast 4 timeslot cell? means 3 voice and 1 BCCH. 2. what about encryption? is it possible to implement encryption ? 3.also how can be solve relying on commercial cell? 4.the code which will be released will contain single slot operation or multi slot with voice (after work and developement) Thankx and again congrats :) cheers -- Akib Sayyed Matrix-Shell akibsayyed(a)gmail.com akibsayyed(a)matrixshell.com Mob:- +91-966-514-2243

11 years, 5 months

2
2
0 0

Re: Bug in switching baud rates in burst_ind branch?

by Bhaskar11

Sysmocom sells pre-modified CP201x. You can use them as they are. "mostly" LAPDm and Paging messages is normal. You should also see call setups and SMSs as they are used, much less frequently depending on local traffic. :-) If you have your cellphone on the same ARFCN, you should be able to see your cell making/receiving calls and sending messages. B. On Fri, Dec 28, 2012 at 4:12 PM, Erich Dachleger <edachleger(a)yahoo.com>wrote: > I am also using CP210x from sysmocom and haven't modified it since I > thought it didn't require modification. > Is that wrong? > When I use burst_ind with unmodified CP210x I receive mostly LAPDM and > System 4 messages in wireshark. > Regards > Erich > >

11 years, 5 months

2
1
0 0

Beginner question of firmware and C139

by david＠frinet.es

Hi all, I am starting with this project and i have problems downloading the firmware to a c139, i built the t191 and i'm using a FTDI usb-serial. I use the command that is described in "Motorola C140" section: ./osmocon -p /dev/ttyUSB0 -m c140 -c ../../target/firmware/board/compal_e86/layer1.highram.bin ../../target/firmware/board/compal_e86/chainload.compalram.bin and also i have used it with "-m c140xor" but when i push briefly power button, shows it in next lines "got 1 byte from modem, data looks like: ff .", the data are changing in next lines, some times the bytes received are more than 1, are 2, 5, 6. I have some questions: Which is the sequence that have to receive the osmocon to start the comunication with the phone? Is posible that the compilation of osmocon has been badly? Thanks and regards.

11 years, 5 months

1
0
0 0

Bug in switching baud rates in burst_ind branch?

by Bhaskar11

Using burst_ind branch, the code switches to a higher speed in function serial_up_to_eleven like this: int serial_up_to_eleven(void) { int rv; /* Attempt custom baudrate */ rv = osmo_serial_set_custom_baudrate(dnload.serial_fd.fd, 406250); if (rv == 0) return 0; #ifdef I_HAVE_A_CP210x /* and I know what I'm doing, I swear ! */ /* Try closest standard baudrate (CP210x reprogrammed adapters) */ rv = osmo_serial_set_baudrate(dnload.serial_fd.fd, B460800); if (rv == 0) return 0; #endif etc.... If the first attempt to switch to 406250 succeeds, the function exits and never reaches the I_HAVE_A_CP210x code which would switch to a higher speed! Is this a bug? Or is the lower speed good enough for burst_ind? In which case why bother with the I_HAVE_A_CP210x option? Or have I missed something obvious? B.

11 years, 5 months

2
2
0 0

Beginner question of firmware and C139

by david＠frinet.es

Hi all, I am starting with this project and i have problems downloading the firmware to a c139, i built the t191 and i'm using a FTDI usb-serial. I use the command that is described in "Motorola C140" section: ./osmocon -p /dev/ttyUSB0 -m c140 -c ../../target/firmware/board/compal_e86/layer1.highram.bin ../../target/firmware/board/compal_e86/chainload.compalram.bin and also i have used it with "-m c140xor" but when i push briefly power button, shows it in next lines "got 1 byte from modem, data looks like: ff .", the data are changing in next lines, some times the bytes received are more than 1, are 2, 5, 6. I have some questions: Which is the sequence that have to receive the osmocon to start the comunication with the phone? Is posible that the compilation of osmocon has been badly? Thanks and regards.

11 years, 5 months

1
0
0 0

frame guessing

by g.roelant＠telenet.be

Hi group, what is the most succesful: guessing uplink frames or downlink. i see some very simple uplink frames that make a good candidate. or is it all the same... kind regards

11 years, 5 months

1
0
0 0

Frimware problem

by Mikhail Zisman

Hello, I am working with a project Osmocom-bb. I did compile the project. But when the firmware command : ./osmocon -p /dev/ttyUSB0-m c123xor ../../target/firmware/board/compal_e88/hello_world.compalram.bin screen is just hangs (the power button I also click) , or most likely expects to input a sequence of bytes, i.e., no information no longer appears. The phone is switched on. I used this instructions for checking the operation of the http://lists.osmocom.org/pipermail/baseband-devel/2011-August/002230.html . 1) I use the FTDI cable, it is OK. Port is OK. 2) Note : I don't see FMTTOOL ERROR (!!!) when i press the power button. I tried the next model C113,C115,C118. Why this may happen? Thank you!

11 years, 5 months

1
0
0 0

double frames in burst file

by g.roelant＠telenet.be

Hi Group, i'm using the testing/sylvain burst branch. sometimes i get double frames in the bursts files taken with ccch_scan. what does this mean? bad reception? kind regards

11 years, 5 months

2
6
0 0

How can I see the RAND/SRES

by dagar

Hello, I am in the process of setting up OsmocomBB but I was wondering where/which files in the firmware responsible for receiving/processing the RAND/SRES values from the network/SIM. Does anyone know this or can point me in the right direction? -- View this message in context: http://baseband-devel.722152.n3.nabble.com/How-can-I-see-the-RAND-SRES-tp40… Sent from the baseband-devel mailing list archive at Nabble.com.

11 years, 5 months

2
1
0 0

problems after last update

by Vic Delorge

hello first off al these phone's and tools RULE . i already tested a couple branches . burst_ind work'd and captured packet's , sylvain/testing also worked a week or 2 ago and i could make a call en see it in wireshark :) . but now i saw that there were some updates in the sylvain testing branch i updated like the sim reader page on the wiki told me . could it be that the last commits broke the sylvain/testing branch ? i get error while loading libosmocore.so.4 i followed the tutorial on the wiki for sim reader . 2 weeks ago it worked fine . checked the code in the last updates and it seems that lib osmocore is now changed ? or am i doing wrong ?? thx in advance grts vic

11 years, 5 months

2
1
0 0

usim programming

by ☎

Hello. I'm struggling with a5/3 test - I've got osmocom usim (http://shop.sysmocom.de/products/sysmousim-gr1) which I've programmed with pySim-prog.py Unfortunately when I plug it into samsung galaxy s2 it indicates (via classmark) that it only supports a5/1 What am I doing wrong? I've tried operator's sim with the same phone - a5/3 support is indicated just fine. -- best regards, Max, http://fairwaves.ru

11 years, 5 months

2
1
0 0

Can't compile after last pull

by Dario Lombardo

I've pulled git repo today, but the RSSI firmware gets an error. apps/rssi/main.c: In function `main': apps/rssi/main.c:896: warning: 'a' might be used uninitialized in this function apps/rssi/main.c:896: warning: 'e' might be used uninitialized in this function CC board/compal_e88/rssi.compalram.manifest.o LD board/compal_e88/rssi.compalram.elf OBJ board/compal_e88/rssi.compalram.bin CC board/compal_e88/rssi.highram.manifest.o LD board/compal_e88/rssi.highram.elf OBJ board/compal_e88/rssi.highram.bin CC board/compal_e88/rssi.e88loader.manifest.o LD board/compal_e88/rssi.e88loader.elf OBJ board/compal_e88/rssi.e88loader.bin CC board/compal_e88/rssi.e88flash.manifest.o LD board/compal_e88/rssi.e88flash.elf OBJ board/compal_e88/rssi.e88flash.bin CC board/compal_e86/rssi.compalram.manifest.o LD board/compal_e86/rssi.compalram.elf arm-elf-ld: region LRAM is full (board/compal_e86/rssi.compalram.elf section .data) make[1]: *** [board/compal_e86/rssi.compalram.elf] Error 1 make[1]: Leaving directory src/target/firmware' make: *** [firmware] Error 2 $ git pull Already up-to-date. $ Anyone experiencing the same issue?

11 years, 6 months

9
11
0 0

graphical gsmtap helper

by ☎

Hello. It's often handy to have a high-level look at message exchange between ms and gsm network captured via gsmtap. There are some tools to do that for ip captures but they completely ignore uplink-downlink semantics so are next to useless in this case. Attached is little helper which can be used to make proper descriptions for mscgen to produce nice message sequence charts. Usage instructions are inside the script. In short: .pcap in - .png out It requires mscgen and recent (>=1.9) tshark so you have to use git to get and build tshark binary yourself until wireshark 1.10 is released: git clone http://code.wireshark.org/git/wireshark Apologies if you received this message multiple times but I personally find this little helper to be very useful so I'd like to reach as wide audience as possible. -- best regards, Max, http://fairwaves.ru

11 years, 6 months

1
0
0 0

restart layer1 from remote?

by Tim Ehlers

Hi, I have the problem, that after running for quite a while, lets say a week, the layer1 seems to crash. This crash is random and only happens on single phones (I have 6 phones connected to one mobile app). This phone is unusable, even after "shutdown/no shutdown" or complete restart of mobile, this phone stays like this: OsmocomBB# show ms 3 MS '3' is up, service is limited IMEI: XXXXXXXXXXXX IMEISV: XXXXXXXXXXXXX IMEI generation: fixed automatic network selection state: A1 trying RPLMN MCC=262 MNC=07 (Germany, O2) cell selection state: C1 normal cell selection radio ressource layer state: idle mobility management layer state: MM idle, PLMN search By restarting the phone (pressing power on the phone, and reloading layer1) its working again. But this need physical access to the phone. Is there a way to somehow "reboot" or restart the layer1 by software? And if not, could that easily be implemented? Thanks Tim

11 years, 6 months

2
3
0 0

System information type 5 & 6

by g.roelant＠telenet.be

Hi, i'm capturing my own voice calls in wireshark. i can see a system information type packet just before ciphering command. 204 frames further there is a system information type 6 packet. but these 2 packets don't resamble... how can i subtract a key out of these 2 different packets? this doesn't make any sens.... if i look for the same type 5 packet... they are never at the same location.... :( is my reasoning wrong? kind regards

11 years, 6 months

1
0
0 0

question about l1ctl_burst_ind structure

by g.roelant＠telenet.be

Hi, In the L1ctl_burst_ind structure is: uint8_t bits[15]; /* 114 bits + 2 steal bits. Filled MSB first */ if i do 8 * 15 = 120 that would make 6 bits extra... not 2 bits should i discard the last 6 bits of the last byte? thanks

11 years, 6 months

2
1
0 0

burst_ind branch

by g.roelant＠telenet.be

Please correct me if i'm wrong: i'm writing a small c program to process to burst files. run ccch_scan and follow the frames in wireshark. if you see an "inrtresting" frame, note his number get the correct frame out of the burst file and display its bit stream. than this bitstream can be further used for processing add a certain offset to the framecounter and get that frame out of the burst file and display its bit stream. the rest.... i still have to figure that out... can anyone confirm i am doing the write thing? thanks

11 years, 6 months

1
0
0 0

Questions about filter replacement and fbsb_req

by Pe

Hi list! I'm playing with ccch_scan from burst_ind branch. I have some troubles with going SDCCH - FCCH\SCH - TCH After receiving "assignment command" i call fbsb_req to L1 for waiting FCCH\SCH sync bursts. When fbsb_resp is coming, i call dm_est_req_h1 with channel and hopping params. But SNR of incoming tch bursts is less then 10 most of time. What did i wrong? Is it needs to synchronize only timers by SCH without FCCH freq sync? And why we lose sync when goes from SDCCH to TCH? And a question about filter replacement. After filter change on baluns i see -128 dBm on all ARFCNs when mobile app from master branch is started. After that i tried to connect balanced line to the former filter pad and unbalanced line to the ground via cap(on the EGSM channel), as Sylvain wrote. But it didnt help. Photo after filter rework on C115: http://s9.postimage.org/r50qtx73z/lastrep.jpg As i understand, the input tract with 2 caps, 2 inductors and band-pass filter just needs for image frequency disabling? -- View this message in context: http://baseband-devel.722152.n3.nabble.com/Questions-about-filter-replaceme… Sent from the baseband-devel mailing list archive at Nabble.com.

11 years, 6 months

1
1
0 0

Re: imm ass packages

by g.roelant＠telenet.be

sorry, i made a type in wireshark i see 31 06 3f in documentation is see 2d 06 3f now you tell me that only the 3f is responsible for detecting a imm ass packet. if i wanted to detect (grep) for imm ass., shall i look for 31 06 3f or 2d 06 3f? ----- Oorspronkelijk e-mail ----- Van: "oxccoxcc oxccoxcc" <oxccoxcc(a)yandex.ru> Aan: "g roelant" <g.roelant(a)telenet.be>, "osmocomBB" <baseband-devel(a)lists.osmocom.org> Verzonden: Vrijdag 14 december 2012 16:03:34 Onderwerp: Re: imm ass packages wireshark processing of imm ass packets seems normally. Looks like a bug with partial release complete messages. But wireshark has a signature for it: http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/packet-gsm_a_r… Try to write in the wireshark forum. 14.12.2012, 14:22, "g.roelant(a)telenet.be" <g.roelant(a)telenet.be>: > In wireshark i see immediate assignment packages... > they are like 31 06 0f > but in the documentation they are like 2d 06 3f > what am i doing wrong? > i'm listening to a belgium operator called proximus. > kind regards

11 years, 6 months

2
1
0 0

stupid question

by g.roelant＠telenet.be

Are the bursts captured with ccch_scan in burst_ind branch the same as the bursts captured with usrp2? do they result in the same file? i guess not... kind regards

11 years, 6 months

2
1
0 0

imm ass packages

by g.roelant＠telenet.be

In wireshark i see immediate assignment packages... they are like 31 06 0f but in the documentation they are like 2d 06 3f what am i doing wrong? i'm listening to a belgium operator called proximus. kind regards

11 years, 6 months

1
0
0 0

bursts dat files

by g.roelant＠telenet.be

Hi, I'm using the sylvain/burst_ind branch and ccch_scan. this produces bursts files. with which application can i view them? what is the format of these dat files? i cannot open them with wireshark... any hints? kind regards

11 years, 6 months

4
5
0 0

another newbie question

by g.roelant＠telenet.be

I want to try to alter the mobile app (in gsm48_rr.c) to listen to all tmsi's. i changed the code and altered all if statements where in the else part was the log 'Not for us' i'm hoping the phone will start following the conversation with the immediate assignment packages... this way i can start logging the beginning of the encryption.... am i doing stupid things? or is there already an app that does this? thanks

11 years, 6 months

4
4
0 0

AW: Re: AW: Re: beginners question

by Denis Simonet

For example. (reply-to doesn't seem to be set correctly in the list, btw?) Von Samsung Mobile gesendetg.roelant(a)telenet.be hat geschrieben:and than write the file with wireshark? i'm already using the mobile app with succes. Van: "Denis Simonet" <denis.simonet(a)bluewin.ch> Aan: "g roelant" <g.roelant(a)telenet.be> Verzonden: Zaterdag 8 december 2012 18:26:19 Onderwerp: AW: Re: beginners question You probably want to use the -i switch with a layer23 app and capture gsmtap with Wireshark. Best regards Denis Von Samsung Mobile gesendet g.roelant(a)telenet.be hat geschrieben: I want to write the raw data to a file. is that possible with a command? tune the gsm to a channel (for inst. 67) and capture all raw data into a file. ----- Oorspronkelijk e-mail ----- Van: "Alexander Huemer" <alexander.huemer(a)xx.vu> Aan: baseband-devel(a)lists.osmocom.org Verzonden: Vrijdag 7 december 2012 22:54:46 Onderwerp: Re: beginners question Hi g, On Fri, Dec 07, 2012 at 10:09:06PM +0100, g.roelant(a)telenet.be wrote: > How can i write the burst frames? Your question is very unspecific and therefore unlikely to be answered. You may want to rethink what exactly you want to know. Then, rephrase your question. Kind regards, -Alexander Huemer

11 years, 6 months

2
1
0 0

beginners question

by g.roelant＠telenet.be

Hi, How can i write the burst frames? thanks

11 years, 6 months

2
2
0 0

[PATCH] Add a5/3 support.

by ☎

Hello. Attached patch will bring a5/3 support to osmo_a5. The implementatin is done based on spec, results are compared to reference implementation from standard and test vectors. Unfortunately there are several deficiencies: - it doesn't work with real phonein test network yet - no tests included - code is probably suboptimal here and there Anyway I would love to read your comments. It would be especially great if someone will manage to test it against real phones in actual network. -- best regards, Max, http://fairwaves.ru

11 years, 6 months

5
11
0 0

Possible bug in "gsm48_decode_lai" code

by Bhaskar11

While running Cell-Log application, I found that the main branch of OsmocomBB gives wrong value of MCC/MNC in hex (but correct one in decimal), but the Sylvain testing branch gives correct value. In practice this means compiling Cell-Log in testing branch gives the name of the country, but the compiling it in main branch does not recognise the country. Other side-effects are unknown to me at present. Tracing through the source leads to the "gsm48_decode_lai" as the culprit. The code seems correct in the testing branch, but has not been updated in the main. Moreover, the code is shifted out from gsm48.c to sysinfo.c in the testing branch. Testing branch decodes MCC/MNC to hex: *mcc = ((lai->digits[0] & 0x0f) << 8) | (lai->digits[0] & 0xf0) | (lai->digits[1] & 0x0f); But main branch decodes MCC/MNC to decimal: *mcc = (lai->digits[0] & 0x0f) * 100 + (lai->digits[0] >> 4) * 10 + (lai->digits[1] & 0x0f); The comment in main branch states that "/* Attention: this function retunrs true integers, not hex! */". There is no such comment in the testing branch. So is this a problem because Cell_Log wrongly uses gsm48_decode_lai? Or does gsm48_decode_lai need to be updated in the main branch? B.

11 years, 6 months

4
4
0 0

[PATCH 3/3] Add A5/3 support.

by Max Suraev

--- src/gsm/a5.c | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/src/gsm/a5.c b/src/gsm/a5.c index 93b22c7..5815aa7 100644 --- a/src/gsm/a5.c +++ b/src/gsm/a5.c @@ -39,6 +39,7 @@ #include <string.h> #include <osmocom/core/bits.h> #include <osmocom/gsm/a5.h> +#include <osmocom/gsm/kasumi.h> /*! \brief Main method to generate a A5/x cipher stream * \param[in] n Which A5/x method to use @@ -71,6 +72,10 @@ osmo_a5(int n, const uint8_t *key, uint32_t fn, ubit_t *dl, ubit_t *ul) osmo_a5_2(key, fn, dl, ul); break; + case 3: + osmo_a5_3(key, fn, dl, ul); + break; + default: /* a5/[4..7] not supported here/yet */ return -ENOTSUP; @@ -368,4 +373,42 @@ osmo_a5_2(const uint8_t *key, uint32_t fn, ubit_t *dl, ubit_t *ul) } } +/* ------------------------------------------------------------------------ */ +/* A5/3 */ +/* ------------------------------------------------------------------------ */ + +/*! \brief Generate a GSM A5/3 cipher stream + * \param[in] key 8 byte array for the key (as received from the SIM) + * \param[in] fn Frame number + * \param[out] dl Pointer to array of ubits to return Downlink cipher stream + * \param[out] ul Pointer to array of ubits to return Uplink cipher stream + * + * Either (or both) of dl/ul should be NULL if not needed. + * + * Implementation based on specifications from 3GPP TS 55.216, 3GPP TR 55.919 and ETSI TS 135 202 + * with slight simplifications (CE hardcoded to 0). + */ +void +osmo_a5_3(const uint8_t *key, uint32_t fn, ubit_t *dl, ubit_t *ul) +{ + /* internal function require 128 bit key so we expand by concatenating supplied 64 bit key */ + uint8_t i, ck[16], gamma[32], _key[8]; + memcpy(_key, key, 8); + osmo_revbytes_buf(_key, 8); /* reverse key byte order to match the way it's stored in SIM */ + memcpy(ck, _key, 8); + memcpy(ck + 8, _key, 8); + + uint32_t fn_count = osmo_a5_fn_count(fn); /* Frame count load */ + if (dl) { + kgcore(0xF, 0, fn_count, 0, ck, gamma, 114); + osmo_pbit2ubit(dl, gamma, 114); + } + if (ul) { + kgcore(0xF, 0, fn_count, 0, ck, gamma, 228); + uint8_t uplink[15]; + for(i = 0; i < 15; i++) uplink[i] = (gamma[i + 14] << 2) + (gamma[i + 15] >> 6); + osmo_pbit2ubit(ul, uplink, 114); + } +} + /*! @} */ -- 1.7.10.4 --------------000004050908040808070403--

11 years, 6 months

1
0
0 0

[PATCH 2/3] Add Kasumi implementation.

by Max Suraev

--- include/Makefile.am | 1 + include/osmocom/gsm/kasumi.h | 25 ++++++ src/gsm/Makefile.am | 2 +- src/gsm/kasumi.c | 192 ++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 219 insertions(+), 1 deletion(-) create mode 100644 include/osmocom/gsm/kasumi.h create mode 100644 src/gsm/kasumi.c diff --git a/include/Makefile.am b/include/Makefile.am index 60b9ea9..d6f262d 100644 --- a/include/Makefile.am +++ b/include/Makefile.am @@ -38,6 +38,7 @@ nobase_include_HEADERS = \ osmocom/gprs/protocol/gsm_08_16.h \ osmocom/gprs/protocol/gsm_08_18.h \ osmocom/gsm/a5.h \ + osmocom/gsm/kasumi.h \ osmocom/gsm/abis_nm.h \ osmocom/gsm/comp128.h \ osmocom/gsm/gan.h \ diff --git a/include/osmocom/gsm/kasumi.h b/include/osmocom/gsm/kasumi.h new file mode 100644 index 0000000..39d8b8a --- /dev/null +++ b/include/osmocom/gsm/kasumi.h @@ -0,0 +1,25 @@ +/* + * COMP128 header + * + * See comp128.c for details + */ + +#ifndef __KASUMI_H__ +#define __KASUMI_H__ + +#include <stdint.h> + +/* + * Implementation of the KGCORE algorithm (used by A3/5, GEA3 and ECSD) + * + * CA : uint8_t + * cb : uint8_t + * cc : uint32_t + * cd : uint8_t + * ck : uint8_t [8] + * co : uint8_t [output, cl-dependent] + * cl : uint16_t + */ +void kgcore(uint8_t CA, uint8_t cb, uint32_t cc, uint8_t cd, uint8_t *ck, uint8_t *co, uint16_t cl); +#endif /* __KASUMI_H__ */ + diff --git a/src/gsm/Makefile.am b/src/gsm/Makefile.am index 0544e0a..c30a70c 100644 --- a/src/gsm/Makefile.am +++ b/src/gsm/Makefile.am @@ -12,7 +12,7 @@ noinst_HEADERS = milenage/aes.h milenage/aes_i.h milenage/aes_wrap.h \ lib_LTLIBRARIES = libosmogsm.la -libosmogsm_la_SOURCES = a5.c rxlev_stat.c tlv_parser.c comp128.c gsm_utils.c \ +libosmogsm_la_SOURCES = a5.c kasumi.c rxlev_stat.c tlv_parser.c comp128.c gsm_utils.c \ rsl.c gsm48.c gsm48_ie.c gsm0808.c sysinfo.c \ gprs_cipher_core.c gsm0480.c abis_nm.c gsm0502.c \ gsm0411_utils.c gsm0411_smc.c gsm0411_smr.c \ diff --git a/src/gsm/kasumi.c b/src/gsm/kasumi.c new file mode 100644 index 0000000..27015f8 --- /dev/null +++ b/src/gsm/kasumi.c @@ -0,0 +1,192 @@ +/* Kasumi cipher and KGcore functions */ + +/* (C) 2012 by Max.Suraev(a)fairwaves.ru <Max.Suraev(a)fairwaves.ru> + * + * All Rights Reserved + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + */ + +#include <stdint.h> +#include <osmocom/core/bits.h> + +static uint16_t +_kasumi_FI(uint16_t I, uint16_t skey) +{ + static uint16_t S7[] = { + 54, 50, 62, 56, 22, 34, 94, 96, 38, 6, 63, 93, 2, 18, 123, 33, + 55, 113, 39, 114, 21, 67, 65, 12, 47, 73, 46, 27, 25, 111, 124, 81, + 53, 9, 121, 79, 52, 60, 58, 48, 101, 127, 40, 120, 104, 70, 71, 43, + 20, 122, 72, 61, 23, 109, 13, 100, 77, 1, 16, 7, 82, 10, 105, 98, + 117, 116, 76, 11, 89, 106, 0,125,118, 99, 86, 69, 30, 57, 126, 87, + 112, 51, 17, 5, 95, 14, 90, 84, 91, 8, 35,103, 32, 97, 28, 66, + 102, 31, 26, 45, 75, 4, 85, 92, 37, 74, 80, 49, 68, 29, 115, 44, + 64, 107, 108, 24, 110, 83, 36, 78, 42, 19, 15, 41, 88, 119, 59, 3 + }; + static uint16_t S9[] = { + 167, 239, 161, 379, 391, 334, 9, 338, 38, 226, 48, 358, 452, 385, 90, 397, + 183, 253, 147, 331, 415, 340, 51, 362, 306, 500, 262, 82, 216, 159, 356, 177, + 175, 241, 489, 37, 206, 17, 0, 333, 44, 254, 378, 58, 143, 220, 81, 400, + 95, 3, 315, 245, 54, 235, 218, 405, 472, 264, 172, 494, 371, 290, 399, 76, + 165, 197, 395, 121, 257, 480, 423, 212, 240, 28, 462, 176, 406, 507, 288, 223, + 501, 407, 249, 265, 89, 186, 221, 428,164, 74, 440, 196, 458, 421, 350, 163, + 232, 158, 134, 354, 13, 250, 491, 142,191, 69, 193, 425, 152, 227, 366, 135, + 344, 300, 276, 242, 437, 320, 113, 278, 11, 243, 87, 317, 36, 93, 496, 27, + 487, 446, 482, 41, 68, 156, 457, 131, 326, 403, 339, 20, 39, 115, 442, 124, + 475, 384, 508, 53, 112, 170, 479, 151, 126, 169, 73, 268, 279, 321, 168, 364, + 363, 292, 46, 499, 393, 327, 324, 24, 456, 267, 157, 460, 488, 426, 309, 229, + 439, 506, 208, 271, 349, 401, 434, 236, 16, 209, 359, 52, 56, 120, 199, 277, + 465, 416, 252, 287, 246, 6, 83, 305, 420, 345, 153,502, 65, 61, 244, 282, + 173, 222, 418, 67, 386, 368, 261, 101, 476, 291, 195,430, 49, 79, 166, 330, + 280, 383, 373, 128, 382, 408, 155, 495, 367, 388, 274, 107, 459, 417, 62, 454, + 132, 225, 203, 316, 234, 14, 301, 91, 503, 286, 424, 211, 347, 307, 140, 374, + 35, 103, 125, 427, 19, 214, 453, 146, 498, 314, 444, 230, 256, 329, 198, 285, + 50, 116, 78, 410, 10, 205, 510, 171, 231, 45, 139, 467, 29, 86, 505, 32, + 72, 26, 342, 150, 313, 490, 431, 238, 411, 325, 149, 473, 40, 119, 174, 355, + 185, 233, 389, 71, 448, 273, 372, 55, 110, 178, 322, 12, 469, 392, 369, 190, + 1, 109, 375, 137, 181, 88, 75, 308, 260, 484, 98, 272, 370, 275, 412, 111, + 336, 318, 4, 504, 492, 259, 304, 77, 337, 435, 21, 357, 303, 332, 483, 18, + 47, 85, 25, 497, 474, 289, 100, 269, 296, 478, 270, 106, 31, 104, 433, 84, + 414, 486, 394, 96, 99, 154, 511, 148, 413, 361, 409, 255, 162, 215, 302, 201, + 266, 351, 343, 144, 441, 365, 108, 298, 251, 34, 182, 509, 138, 210, 335, 133, + 311, 352, 328, 141, 396, 346, 123, 319, 450, 281, 429, 228, 443, 481, 92, 404, + 485, 422, 248, 297, 23, 213, 130, 466, 22, 217, 283, 70, 294, 360, 419, 127, + 312, 377, 7, 468, 194, 2, 117, 295, 463, 258, 224, 447, 247, 187, 80, 398, + 284, 353, 105, 390, 299, 471, 470, 184, 57, 200, 348, 63, 204, 188, 33, 451, + 97, 30, 310, 219, 94, 160, 129, 493, 64, 179, 263, 102, 189, 207, 114, 402, + 438, 477, 387, 122, 192, 42, 381, 5, 145, 118, 180, 449, 293, 323, 136, 380, + 43, 66, 60, 455, 341, 445, 202, 432, 8, 237, 15, 376, 436, 464, 59, 461 + }; + uint16_t L, R; + + /* Split 16 bit input into two unequal halves: 9 and 7 bits, same for subkey */ + L = I >> 7; /* take 9 bits */ + R = I & 0x7F; /* take 7 bits */ + + L = S9[L] ^ R; + R = S7[R] ^ (L & 0x7F); + + L ^= (skey & 0x1FF); + R ^= (skey >> 9); + + L = S9[L] ^ R; + R = S7[R] ^ (L & 0x7F); + + return (R << 9) + L; +} + +static uint32_t +_kasumi_FO(uint32_t I, uint16_t *KOi1, uint16_t *KOi2, uint16_t *KOi3, uint16_t *KIi1, uint16_t *KIi2, uint16_t *KIi3, unsigned i) +{ + uint16_t L = I >> 16, R = I; /* Split 32 bit input into Left and Right parts */ + + L ^= KOi1[i]; + L = _kasumi_FI(L, KIi1[i]); + L ^= R; + + R ^= KOi2[i]; + R = _kasumi_FI(R, KIi2[i]); + R ^= L; + + L ^= KOi3[i]; + L = _kasumi_FI(L, KIi3[i]); + L ^= R; + + return (((uint32_t)R) << 16) + L; +} + +static uint32_t +_kasumi_FL(uint32_t I, uint16_t *KLi1, uint16_t *KLi2, unsigned i) +{ + uint16_t L = I >> 16, R = I, tmp; /* Split 32 bit input into Left and Right parts */ + + tmp = L & KLi1[i]; + R ^= rol16(tmp, 1); + + tmp = R | KLi2[i]; + L ^= rol16(tmp, 1); + + return (((uint32_t)L) << 16) + R; +} + +static uint64_t +_kasumi(uint64_t P, uint16_t *KLi1, uint16_t *KLi2, uint16_t *KOi1, uint16_t *KOi2, uint16_t *KOi3, uint16_t *KIi1, uint16_t *KIi2, uint16_t *KIi3) +{ + uint32_t i, L = P >> 32, R = P; /* Split 64 bit input into Left and Right parts */ + + for (i = 0; i < 8; i++) + { + R ^= _kasumi_FO(_kasumi_FL(L, KLi1, KLi2, i), KOi1, KOi2, KOi3, KIi1, KIi2, KIi3, i); /* odd round */ + i++; + L ^= _kasumi_FL(_kasumi_FO(R, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3, i), KLi1, KLi2, i); /* even round */ + } + return (((uint64_t)L) << 32) + R; /* Concatenate Left and Right 32 bits into 64 bit ciphertext */ +} + +/*! \brief Expand key into set of subkeys + * \param[in] key (128 bits) as array of bytes + * \param[out] arrays of round-specific subkeys - see TS 135 202 for details + */ +static void +_kasumi_key_expand(uint8_t *key, uint16_t *KLi1, uint16_t *KLi2, uint16_t *KOi1, uint16_t *KOi2, uint16_t *KOi3, uint16_t *KIi1, uint16_t *KIi2, uint16_t *KIi3) +{ + uint16_t i, C[] = { 0x0123, 0x4567, 0x89AB, 0xCDEF, 0xFEDC, 0xBA98, 0x7654, 0x3210 }; + + for (i = 0; i < 8; i++) /* Work with 16 bit subkeys and create prime subkeys */ + { + C[i] ^= osmo_get2bytes(key + i * 2); + } + /* C[] now stores K-prime[] */ + for (i = 0; i < 8; i++) /* Create round-specific subkeys */ + { + KLi1[i] = rol16(osmo_get2bytes(key + i * 2), 1); + KLi2[i] = C[(i + 2) & 0x7]; + + KOi1[i] = rol16(osmo_get2bytes(key + ((2 * (i + 1)) & 0xE)), 5); + KOi2[i] = rol16(osmo_get2bytes(key + ((2 * (i + 5)) & 0xE)), 8); + KOi3[i] = rol16(osmo_get2bytes(key + ((2 * (i + 6)) & 0xE)), 13); + + KIi1[i] = C[(i + 4) & 0x7]; + KIi2[i] = C[(i + 3) & 0x7]; + KIi3[i] = C[(i + 7) & 0x7]; + } +} + +void +kgcore(uint8_t CA, uint8_t cb, uint32_t cc, uint8_t cd, uint8_t *ck, uint8_t *co, uint16_t cl) +{ + uint16_t KLi1[8], KLi2[8], KOi1[8], KOi2[8], KOi3[8], KIi1[8], KIi2[8], KIi3[8], i; + uint64_t A = ((uint64_t)cc) << 32, BLK = 0, _ca = ((uint64_t)CA << 16) ; + A |= _ca; + _ca = (uint64_t)((cb << 3) | (cd << 2)) << 24; + A |= _ca; + /* Register loading complete: see TR 55.919 8.2 and TS 55.216 3.2 */ + + uint8_t ck_km[16]; + for (i = 0; i < 16; i++) ck_km[i] = ck[i] ^ 0x55; /* Modified key established */ + + /* preliminary round with modified key */ + _kasumi_key_expand(ck_km, KLi1, KLi2, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3); + A = _kasumi(A, KLi1, KLi2, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3); + + /* Run Kasumi in OFB to obtain enough data for gamma. */ + _kasumi_key_expand(ck, KLi1, KLi2, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3); + for (i = 0; i < cl / 64 + 1; i++) /* i is a block counter */ + { + BLK = _kasumi(A ^ i ^ BLK, KLi1, KLi2, KOi1, KOi2, KOi3, KIi1, KIi2, KIi3); + osmo_64pack2pbit(BLK, co + (i * 8)); + } +} -- 1.7.10.4 --------------000004050908040808070403 Content-Type: text/x-patch; name="0003-Add-A5-3-support.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0003-Add-A5-3-support.patch"

11 years, 6 months

1
0
0 0

[PATCH 1/3] Add helper functions for a5/3.

by Max Suraev

--- include/osmocom/core/bits.h | 14 +++++++++++++- src/bits.c | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 1 deletion(-) diff --git a/include/osmocom/core/bits.h b/include/osmocom/core/bits.h index 4c68532..29a99ff 100644 --- a/include/osmocom/core/bits.h +++ b/include/osmocom/core/bits.h @@ -2,7 +2,7 @@ #define _OSMO_BITS_H #include <stdint.h> - +#include <stddef.h> /*! \defgroup bits soft, unpacked and packed bits * @{ */ @@ -73,6 +73,18 @@ uint32_t osmo_revbytebits_8(uint8_t x); /* \brief reverse the bits of each byte in a given buffer */ void osmo_revbytebits_buf(uint8_t *buf, int len); +/* \brief reverse the order of the bytes in a given buffer */ +void osmo_revbytes_buf(uint8_t *buf, size_t len); + +/* \brief left circular shift */ +uint16_t rol16(uint16_t in, unsigned shift); + +/* return 2 bytes from a given array glued into single uint16_t */ +uint16_t osmo_get2bytes(uint8_t *a); + +/* convert uint64_t into array of 8 bytes in out */ +void osmo_64pack2pbit(uint64_t in, pbit_t *out); + /*! @} */ #endif /* _OSMO_BITS_H */ diff --git a/src/bits.c b/src/bits.c index 4c67bdd..1df332b 100644 --- a/src/bits.c +++ b/src/bits.c @@ -185,4 +185,37 @@ void osmo_revbytebits_buf(uint8_t *buf, int len) } } +void osmo_revbytes_buf(uint8_t *buf, size_t len) +{ + uint8_t *end = buf + len - 1, tmp; + + while (buf < end) { + tmp = *buf; + *buf++ = *end; + *end-- = tmp; + } +} + +/* left circular shift */ +uint16_t rol16(uint16_t in, unsigned shift) +{ + return (in << shift) | (in >> (16 - shift)); +} + +/* return 2 bytes from a given array glued into single uint16_t */ +uint16_t osmo_get2bytes(uint8_t *a) +{ /* UNSAFE! Do NOT use unless you know what you are doing! */ + return (uint16_t)((((uint16_t)a[0]) << 8) + (uint16_t)a[1]); +} + +/* convert uint64_t into array of 8 bytes in out */ +void osmo_64pack2pbit(uint64_t in, pbit_t *out) +{ + int i; + for (i = 7; i >=0; i--) { + out[i] = in & 0xFF; + in >>= 8; + } +} + /*! @} */ -- 1.7.10.4 --------------000004050908040808070403 Content-Type: text/x-patch; name="0002-Add-Kasumi-implementation.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0002-Add-Kasumi-implementation.patch"

11 years, 6 months

1
0
0 0

Is airprobe still being developed?

by Philip Peter

The last changes in the airprobe svn seem to be 17 months ago. I was wondering whether airprobe is assumed to be stable, without need for further development, has been superseded by a different toolkit or if it has been abandonded.

11 years, 6 months

3
4
0 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

baseband-devel December 2012