Can someone help with these? 1) With the GSM debugger phone, how difficult is it to get only IMEI numbers of received packets? 2) Can the debugger phone report the signal strength of received packets? If not, is it possible? 3) Is there any way with mods to get I/Q out of the DSP? 4) Is there any work going on to make a CDMA debugger phone? 5) Are there any GSM phones that have an option to force calls to be made only on 3G/4G?
Thank you, Ben
Anyone?
On Fri, Jul 22, 2011 at 9:41 AM, miprom68@gmail.com wrote:
> Can someone help with these? 1) With the GSM debugger phone, how difficult is it to get only IMEI numbers of received packets? 2) Can the debugger phone report the signal strength of received packets? If not, is it possible? 3) Is there any way with mods to get I/Q out of the DSP? 4) Is there any work going on to make a CDMA debugger phone? 5) Are there any GSM phones that have an option to force calls to be made only on 3G/4G?
> Thank you, Ben
Hi Ben!
> Anyone?
> On Fri, Jul 22, 2011 at 9:41 AM, miprom68@gmail.com wrote:
>> Can someone help with these?
>> 1) With the GSM debugger phone, how difficult is it to get only IMEI numbers of received packets?
First of all, it's unclear what exactly you mean by "the GSM debugger phone", as osmocom-bb is primarily an implementation of a GSM stack like it's found in any standard cell phone. There is a debug output via gsmtap to e.g. wireshark where you see all received and sent frames to/from your osmocom-bb. Inherent to its hardware and open source approach, it's possible to get it to dump received frames, independent of normal GSM operation. To do that at the moment it's necessary to do some work of your own, based on existing branches. I will try to answer your questions based on what's theoretically possible.
The IMEI is not sent very often in conversations between phone and network; in fact the operator configures when (and if) it's requested from the phone. In practice some operators request it when doing an authentication request, others only when a location update using an IMSI happened. And I've never seen it transmitted in the clear, only after encryption started. So answering your question: very difficult, except if you know the key, e.g. on your own phone, and receive at the right moment.
>> 2) Can the debugger phone report the signal strength of received packets? If not, is it possible?
Yes, the gsmtap output contains the signal strength on every frame.
>> 3) Is there any way with mods to get I/Q out of the DSP?
I'm not sure, I think Sylvain knows more about that.
>> 4) Is there any work going on to make a CDMA debugger phone?
As osmocom-bb is (yet) an explicit GSM stack, no. And I've not heard of approaches to do so.
>> 5) Are there any GSM phones that have an option to force calls to be made only on 3G/4G?
GSM phones are not capable of using 3G/4G networks. Certainly you mean 3G/4G phones and disallowing 2G/GSM fallback. I've not seen that in feature phones yet (but some may allow it), but I heard it's possible on jailbroken iPhones. You should find something by searching for that.
Regards, Mad
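Mad's point that the gsmtap output carries the signal strength on every frame can be checked with a small decoder. The example below is added here and is my code, not osmocom-bb's: it parses the GSMTAP v2 header that osmocom-bb sends towards Wireshark (layout from libosmocore's gsmtap.h) and pulls out the per-frame signal_dbm; the two datagrams are constructed for the example, not captured.

```python
import struct
from dataclasses import dataclass
# GSMTAP v2 header from libosmocore's gsmtap.h: 16 bytes, network byte order.
GSMTAP_VERSION = 2
GSMTAP_TYPE_UM = 0x01            # GSM Um air-interface frames, which is what osmocom-bb emits
GSMTAP_ARFCN_F_UPLINK = 0x4000   # flag bit carried in the top of the 16-bit arfcn field
GSMTAP_ARFCN_MASK = 0x3FFF
HDR_FMT = "!BBBBHbbIBBBB"        # version, hdr_len, type, ts, arfcn, dBm, snr, fn, sub_type, ant, sub_slot, res

@dataclass
class GsmtapFrame:
    frame_type: int
    timeslot: int
    arfcn: int
    uplink: bool
    signal_dbm: int              # signed: the per-frame signal strength Mad refers to
    snr_db: int
    frame_number: int
    sub_type: int
    payload: bytes

def parse_gsmtap(datagram: bytes) -> GsmtapFrame:
    """Parse one GSMTAP UDP datagram into its header fields plus the L2 payload."""
    if len(datagram) < 16:
        raise ValueError("datagram shorter than the 16-byte GSMTAP header")
    (version, hdr_len, ftype, ts, arfcn, sig, snr, fn,
     sub_type, _ant, _sub_slot, _res) = struct.unpack(HDR_FMT, datagram[:16])
    hdr_bytes = hdr_len * 4      # hdr_len is counted in 32-bit words
    if version != GSMTAP_VERSION or hdr_bytes < 16 or len(datagram) < hdr_bytes:
        raise ValueError("unsupported GSMTAP version or inconsistent hdr_len")
    return GsmtapFrame(ftype, ts, arfcn & GSMTAP_ARFCN_MASK, bool(arfcn & GSMTAP_ARFCN_F_UPLINK),
                       sig, snr, fn, sub_type, datagram[hdr_bytes:])

def signal_report(datagrams):
    """(frame_number, arfcn, direction, dBm) for each frame: the per-frame signal view."""
    return [(f.frame_number, f.arfcn, "UL" if f.uplink else "DL", f.signal_dbm)
            for f in map(parse_gsmtap, datagrams)]

def make_datagram(arfcn_field: int, signal_dbm: int, fn: int, payload: bytes) -> bytes:
    """Constructed sample datagram (not a real capture) so the example runs offline."""
    return struct.pack(HDR_FMT, GSMTAP_VERSION, 4, GSMTAP_TYPE_UM, 0, arfcn_field,
                       signal_dbm, 20, fn, 1, 0, 0, 0) + payload

SAMPLE_DL = make_datagram(42, -67, 123456, bytes([0x2B]) * 23)                         # ARFCN 42, downlink
SAMPLE_UL = make_datagram(42 | GSMTAP_ARFCN_F_UPLINK, -90, 123457, bytes([0x2B]) * 23)  # uplink flag set

if __name__ == "__main__":
    for row in signal_report([SAMPLE_DL, SAMPLE_UL]):
        print("fn=%d arfcn=%d %s %d dBm" % row)
```

On a live system the same datagrams arrive on UDP port 4729 (the GSMTAP port Wireshark listens on), so feeding a socket's recv() output to parse_gsmtap() gives the per-frame level without Wireshark.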
>> Is there any way with mods to get I/Q out of the DSP?
> I'm not sure, I think Sylvain knows more about that.
I have not done it, but it's possible to do.
But I won't explain how to do it because anyone that would understand those explanations enough to make something of it would already know how to do it ... kind of a chicken and egg problem.
Cheers,
Sylvain
Hi Sylvain!
>>> Is there any way with mods to get I/Q out of the DSP?
>> I'm not sure, I think Sylvain knows more about that.
> I have not done it, but it's possible to do.
> But I won't explain how to do it because anyone that would understand those explanations enough to make something of it would already know how to do it ... kind of a chicken and egg problem.
Ok, I had in my mind that it was mentioned somehow, but never cared that much about the DSP level yet.
BTW, it is possible and you haven't done it yet? I'm surprised! ;-D
Regards, Mad
> BTW, it is possible and you haven't done it yet? I'm surprised! ;-D
Well it's because I think it's not a good idea ...
The DSP has a very good demodulator, way better than airprobe ... why would I bother moving _more_ data out of the DSP to use them with an inferior demodulator ...
Cheers,
Sylvain
>> BTW, it is possible and you haven't done it yet? I'm surprised! ;-D
> Well it's because I think it's not a good idea ...
> The DSP has a very good demodulator, way better than airprobe ... why would I bother moving _more_ data out of the DSP to use them with an inferior demodulator ...
That's right for GMSK, but it would allow using other modulations that aren't supported by the DSP, like 8-PSK(?), 16-QAM and 32-QAM for EDGE. GNU Radio should have demodulators for that.
Of course it's more or less useless without having an implementation for GPRS first. Besides the coolness of using these devices as a frontend for GNU Radio. :-)
Regards, Mad
Hi,
> That's right for GMSK, but it would allow using other modulations that aren't supported by the DSP, like 8-PSK(?), 16-QAM and 32-QAM for EDGE. GNU Radio should have demodulators for that.
True ... I thought about that myself. But until someone does it for the USRP first, it's not much use.
> Of course it's more or less useless without having an implementation for GPRS first.
Have a look at the CCC camp talks :)
> Besides the coolness of using these devices as a frontend for GNU Radio. :-)
Well, capturing a continuous stream of IQ samples (vs a burst) would be pretty hard ... Besides, 2 * 16 * 270833 is a lot of data ... about 10 times more than you can send through the serial port, so getting them out of the DSP into the ARM is only half (ok, make that 3/4) of the problem.
Cheers,
Sylvain
>> Of course it's more or less useless without having an implementation for GPRS first.
> Have a look at the CCC camp talks :)
Ahhh ok, I will. Sadly I won't make it there in person.
>> Besides the coolness of using these devices as a frontend for GNU Radio. :-)
> Well, capturing a continuous stream of IQ samples (vs a burst) would be pretty hard ... Besides, 2 * 16 * 270833 is a lot of data ... about 10 times more than you can send through the serial port, so getting them out of the DSP into the ARM is only half (ok, make that 3/4) of the problem.
That is quite a lot indeed. Perhaps some delta encoding and compression on the serial line would do the job, if the ARM copes with that too. Or with a reduced sample size. But at least some timeslots for EGPRS should be possible.
Regards, Mad
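To put Sylvain's "2 * 16 * 270833" and Mad's "some timeslots" into numbers, here is an added budget calculator (my code, not anything from osmocom-bb). It assumes one I/Q sample per symbol, as in Sylvain's figure, and a serial line of 812500 bit/s, which is an assumption about the phone link that you should replace with the rate you actually run; 8N1 start/stop bits are not counted.

```python
# I/Q link budget for the figures in Sylvain's and Mad's messages above.
GSM_SYMBOL_RATE = 270_833   # symbols/s (1625/6 kHz); the 270833 in Sylvain's figure
SLOTS_PER_FRAME = 8         # a TDMA frame is 8 timeslots of 156.25 symbols each
SERIAL_BPS = 812_500        # ASSUMPTION: the serial rate of the phone link; change to match yours

def iq_rate_bps(bits_per_sample: int, slots: int = SLOTS_PER_FRAME) -> float:
    """Raw I/Q bit rate when only `slots` of the 8 timeslots are captured, 1 sample/symbol."""
    if not 0 <= slots <= SLOTS_PER_FRAME:
        raise ValueError("slots must be between 0 and 8")
    return 2 * bits_per_sample * GSM_SYMBOL_RATE * slots / SLOTS_PER_FRAME   # I and Q

def serial_ratio(bits_per_sample: int, slots: int = SLOTS_PER_FRAME,
                 line_bps: int = SERIAL_BPS) -> float:
    """How many times the I/Q stream exceeds the serial line (start/stop bits ignored)."""
    return iq_rate_bps(bits_per_sample, slots) / line_bps

def max_slots(bits_per_sample: int, line_bps: int = SERIAL_BPS) -> int:
    """Largest number of timeslots per frame whose I/Q still fits the line, 0 if none."""
    for slots in range(SLOTS_PER_FRAME, 0, -1):
        if iq_rate_bps(bits_per_sample, slots) <= line_bps:
            return slots
    return 0

def budget_table(widths=(16, 12, 8, 6, 4)) -> dict:
    """Per sample width: (continuous-capture ratio to the line, affordable timeslots)."""
    return {w: (round(serial_ratio(w), 1), max_slots(w)) for w in widths}

if __name__ == "__main__":
    print("continuous 16-bit I/Q: %.0f bit/s, %.1fx the serial line"
          % (iq_rate_bps(16), serial_ratio(16)))
    for w, (ratio, slots) in budget_table().items():
        print("%2d-bit samples: %5.1fx continuous, %d timeslot(s) per frame fit" % (w, ratio, slots))
```

Delta coding buys little on noise-like I/Q, so sample width and the number of captured timeslots are the predictable levers; with 16-bit samples not even one timeslot per frame fits the assumed line.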
Why not just explain it, and that's it.. let the mailing list archive and internet bots solve your worries later.
If somebody doesn't speak up and say, "hey, I think this can be done this way...", how do you expect others to follow?
> But I won't explain how to do it because anyone that would understand those explanations enough to make something of it would already know how to do it ... kind of a chicken and egg problem.
Thanks! So, you're saying making an IMEI sniffer would not be easy? Seems like it'd be easier to get just the IMEI numbers from all phones in range than getting voice from just one.
Ben
> Thanks! So, you're saying making an IMEI sniffer would not be easy? Seems like it'd be easier to get just the IMEI numbers from all phones in range than getting voice from just one.
As I said, the phones are not sending their IMEI around all the time; it's not like a MAC in a LAN. Just at specific points (which can be rare) in their interaction with the network they send it out, over an encrypted channel.
Regards, Mad
You guys are great. Next stupid question...
I've read a lot about how secretive and insecure GSM is, but nothing about IS-95 (the CDMA 2G equivalent). Why not? Is it more secure, or do not many phones support it anymore, or does it not have enough worldwide market penetration to be relevant?
Ben
On Tue, Jul 26, 2011 at 09:00:34AM -0400, miprom68@gmail.com wrote:
> I've read a lot about how secretive and insecure GSM is, but nothing about IS-95 (the CDMA 2G equivalent). Why not? Is it more secure, or do not many phones support it anymore, or does it not have enough worldwide market penetration to be relevant?
Is that actually still used anywhere on this planet? I know that there are CDMA2K/EV-DO networks, but 2G CDMA?
Also, the research always depends on the initiative of individuals. So far, all the people I know in the 'open GSM research' community tend to be from Europe, with a strong focus on Germany.
OpenBTS folks are in the US, but their focus is not really that much on the security side.
So if you want to do research in other mobile communications systems / protocols, by all means do so. It depends on people like you who have an interest in it to simply do it.
osmocom.org would be more than happy to provide you with hosting, trac, git, etc. if you are going to work in that field.
Regards, Harald
baseband-devel@lists.osmocom.org