22 Jul
2011
22 Jul
'11
3:41 p.m.
Can someone help with these?
1) With the GSM debugger phone, how difficult is it to get only IMEI numbers
of received packets?
2) Can the debugger phone report the signal strength of received packets? If
not, is it possible?
3) Is there any way with mods to get I/Q out of the DSP?
4) Is there any work going on to make a CDMA debugger phone?
5) Are there any GSM phones that have an option to force calls to be made
only on 3G/4G?
Thank you,
Ben
24 Jul
24 Jul
4:15 a.m.
Anyone?
On Fri, Jul 22, 2011 at 9:41 AM, <miprom68(a)gmail.com> wrote:
Can someone help with these?
1) With the GSM debugger phone, how difficult is it to get only IMEI numbers
of received packets?
2) Can the debugger phone report the signal strength of received packets? If
not, is it possible?
3) Is there any way with mods to get I/Q out of the DSP?
4) Is there any work going on to make a CDMA debugger phone?
5) Are there any GSM phones that have an option to force calls to be made
only on 3G/4G?
Thank you,
Ben
5:36 p.m.
Hi Ben!
Yes, the gsmtap output contains the signal strength on every frame.
Anyone?
On Fri, Jul 22, 2011 at 9:41 AM, <miprom68(a)gmail.com> wrote:
First of all, it's unclear what exactly you mean by "the GSM debugger phone"
as osmocom-bb is primary an implementation of a gsm stack like it's found in any
standard cell phone. There is a debug output via gsmtap to e.g. wireshark where you see
all received and send frames to/from your osmocom-bb.
Inherent to its hardware and open source approach it's possible to get it to dump
frames received, independent of normal gsm operation. To do that at the moment it's
necessary to do some work of your own, based on existing branches.
I will try to answer your questions based on what's theoretically possible.
The IMEI is not send very often in conversations between phone and network, in fact the
operator configures when (and if) it's requested from the phone. Practically some
operators request it when doing an authentication request, others only when a location
update using an IMSI happened. And I've never seen it transmitted in the clear, only
after encryption started. So answering your question: Very difficult, exept you know the
key, e.g. on your own phone and receive at the right moment.
Can someone help with these?
1) With the GSM debugger phone, how difficult is it to get only IMEI
numbers
> of received packets? 2) Can the
debugger phone report the signal strength of received packets?
If
> not, is it possible? > 3) Is there any way with mods to get I/Q out of
the DSP?
I'm not sure, I think Sylvain knows more about that.
> 4) Is there any work going on to make a CDMA
debugger phone?
As osmocom-bb is (yet) an explicit GSM stack, no. And I've not heard of approaches to
do so
> 5) Are there any GSM phones that have an option
to force calls to be made
> only on 3G/4G?
GSM phones are not capable to use 3G/4G networks. Certainly you mean 3G/4G phones and
disallowing 2G/GSM fallback. I've not seen that in featurephones yet (but some may
allow that) but I heard it's possible on jailbreaked iphones. You should find
something by searching about that.
Regards,
Mad
6:17 p.m.
> 3) Is
there any way with mods to get I/Q out of the DSP?
I'm not sure, I think Sylvain knows more about that.
7:21 p.m.
Hi Sylvain!
I have not done it, but it's possible to do.
But I won't explain how to do it because anyone that would understand
those explanations enough to make something of it would already know
how to do it ... kind of a chicken and egg problem.
Ok, I had in my mind that it was mentioned somehow but never cared that much about DSP
level yet.
BTW, it is possible and you haven't done it yet? I'm suprised! ;-D
Regards,
Mad
> 3) Is there any way with mods to get I/Q out of
the DSP?
I'm not sure, I think Sylvain knows more about that.
7:38 p.m.
BTW, it is possible and you haven't done it yet?
I'm suprised! ;-D
Well it's because I think it's not a good idea ...
The DSP has a very good demodulator, way better than airprobe ... why
would I bother moving _more_ data out of the DSP to use them with an
inferior demodulator ...
Cheers,
Sylvain
10:41 p.m.
BTW, it is
possible and you haven't done it yet? I'm suprised! ;-D
Well it's because I think it's not a good idea ...
The DSP has a very good demodulator, way better than airprobe ... why
would I bother moving _more_ data out of the DSP to use them with an
inferior demodulator ...
10:52 p.m.
Hi,
That's right for GMSK but it would allow to use
other modulations than aren't supported by the DSP like 8-PSK(?), 16-QAM and 32-QAM
for EDGE. GNU Radio should have dempdulators for that.
True ... I tought about that myself. but until someone does it for the
USRP first, it's not much use.
Of course it's more or less useless without having
an implementation for GPRS first.
Have a look at the CCC camp talks :)
Beside the coolness of using these devices as a
frontend for GNU Radio. :-)
Well capturing a continuous stream of IQ sample (vs a burst) would be
pretty hard ...
Besides 2 * 16 * 270833 is a lot of data ... about 10 times more than
you can send through the serial port so getting them out the DSP into
the ARM is only half (ok, make 3/4) of the problem.
Cheers,
Sylvain
11:20 p.m.
Of course
it's more or less useless without having an implementation for
GPRS first.
Have a look at the CCC camp talks :) Beside the coolness of using these devices as a
frontend for GNU Radio.
:-)
Well capturing a continuous stream of IQ sample (vs a burst) would be
pretty hard ...
Besides 2 * 16 * 270833 is a lot of data ... about 10 times more than
you can send through the serial port so getting them out the DSP into
the ARM is only half (ok, make 3/4) of the problem.
8:22 p.m.
Why just you, explain it, and thats it.. let the mail list archive
and internet bots to solve you worries for later.
If somebody dont speak and said, "hey, think this can be done
this way..." how you expect others to follow?
But I won't explain how to do it because anyone
that would understand
those explanations enough to make something of it would already know
how to do it ... kind of a chicken and egg problem.
8:37 p.m.
Thanks! So, you're saying making an IMEI sniffer would not be easy?
Seems like it'd be easier to get just the IMEI numbers from all phones
in range than getting voice from just one.
Ben
On Sun, Jul 24, 2011 at 11:36 AM, mad <mad(a)auth.se> wrote:
Hi Ben!
Yes, the gsmtap output contains the signal strength on every frame.
Anyone?
On Fri, Jul 22, 2011 at 9:41 AM, <miprom68(a)gmail.com> wrote:
First of all, it's unclear what exactly you mean by "the GSM debugger
phone" as osmocom-bb is primary an implementation of a gsm stack like it's found
in any standard cell phone. There is a debug output via gsmtap to e.g. wireshark where you
see all received and send frames to/from your osmocom-bb.
Inherent to its hardware and open source approach it's possible to get it to dump
frames received, independent of normal gsm operation. To do that at the moment it's
necessary to do some work of your own, based on existing branches.
I will try to answer your questions based on what's theoretically possible.
The IMEI is not send very often in conversations between phone and network, in fact the
operator configures when (and if) it's requested from the phone. Practically some
operators request it when doing an authentication request, others only when a location
update using an IMSI happened. And I've never seen it transmitted in the clear, only
after encryption started. So answering your question: Very difficult, exept you know the
key, e.g. on your own phone and receive at the right moment.
Can someone help with these?
1) With the GSM debugger phone, how difficult is it to get only IMEI
numbers
> of received packets? 2) Can
the debugger phone report the signal strength of received packets?
If
> not, is it possible? > 3) Is there any way with mods to get I/Q out
of the DSP?
I'm not sure, I think Sylvain knows more about that.
> 4) Is there any work going on to make a CDMA
debugger phone?
As osmocom-bb is (yet) an explicit GSM stack, no. And I've not heard of approaches to
do so
> 5) Are there any GSM phones that have an
option to force calls to be made
> only on 3G/4G?
GSM phones are not capable to use 3G/4G networks. Certainly you mean 3G/4G phones and
disallowing 2G/GSM fallback. I've not seen that in featurephones yet (but some may
allow that) but I heard it's possible on jailbreaked iphones. You should find
something by searching about that.
Regards,
Mad
10:49 p.m.
Thanks! So, you're saying making an IMEI sniffer
would not be easy?
Seems like it'd be easier to get just the IMEI numbers from all phones
in range than getting voice from just one.
As I said, the phones are not sending their IMEI around all the time, it's not like a
MAC in a LAN. Just at specific points (which can be rare) in their interaction with the
network they send it out over an encrypted channel.
Regards,
Mad
26 Jul
26 Jul
3 p.m.
You guys are great. Next stupid question...
I've read a lot about how secretive and insecure GSM is, but nothing
about IS-95 (the CDMA 2G equivalent). Why not? It is more secure, or
do not many phones support it anymore, or does it not have enough
worldwide market penetration to be relevant?
Ben
On Sun, Jul 24, 2011 at 4:49 PM, mad <mad(a)auth.se> wrote:
Thanks! So,
you're saying making an IMEI sniffer would not be easy?
Seems like it'd be easier to get just the IMEI numbers from all phones
in range than getting voice from just one.
As I said, the phones are not sending their IMEI around all the time, it's not like a
MAC in a LAN. Just at specific points (which can be rare) in their interaction with the
network they send it out over an encrypted channel.
Regards,
Mad
27 Jul
27 Jul
9:17 a.m.
New subject: IS-95 / CDMA
On Tue, Jul 26, 2011 at 09:00:34AM -0400, miprom68(a)gmail.com wrote:
I've read a lot about how secretive and insecure
GSM is, but nothing
about IS-95 (the CDMA 2G equivalent). Why not? It is more secure, or
do not many phones support it anymore, or does it not have enough
worldwide market penetration to be relevant?
Is that actually still used anywhere on this planet? I know that there
are CDMA2K/EV-DO networks, but 2G CDMA?
Also, the research always depends on the initiative of individuals. So
far, all the people I know in the 'open GSM research' community tend to
be from Europe, with a strong focus on Germany.
OpenBTS folks are in the US, but their focus is not really that much on
the security side.
So if you want to do research in other mobile communications systems /
protocols, by all means do so. It depends on people like you who have
an interest in it to simply do it.
osmocom.org would be more than happy to provide you with hosting, trac, git,
etc. if you are going to work in that field.
Regards,
Harald
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
4680
days inactive
4685
days old
baseband-devel@lists.osmocom.org
13 comments
5 participants
participants (5)
-
Cristian Paul Peñaranda Rojas -
Harald Welte -
mad -
miprom68@gmail.com -
Sylvain Munaut