IMPORTANT clarifications about 27C3 GSM Sniff Talk

Sylvain Munaut 246tnt at
Fri Dec 31 16:29:36 UTC 2010


Since a lot of people are asking the same questions and there seems to
be a rush on the C123 on eBay, I thought some clarification is needed.

Short version:
 - The exact tools I used on stage are _not_ and will _not_ be
released (or sold ... several people asked ...)
 - Anyone willing to re-code them without any a priori knowledge of
GSM would most likely need months to read/understand both the
specifications and the way the code works. (That's thousands of pages
of GSM spec and thousands of lines of code)
 - Osmocom-BB project is not designed to be a sniffer, it's a baseband
implementation, I just used part of it as a base.

 So basically, unless you are really interested in GSM and are willing
to dedicate time to understand it deeply and to contribute to the various
projects, there is not much point in you buying phones, or hanging out
in the ml/irc or whatever ...

For those who are still reading and interested here's a little more detail:

 * The HLR query step:
   -> Go watch the awesome 25C3 talk about it

 * The TMSI recovering step
   - Won't be published
   - If you know how paging works, you know what to do anyway and it's
trivial. The method is in the talk, there is nothing to it.

 * The targeted sniffing application
  - Won't be published either
  - Some improvements to the layer23 app framework will be done, but
this is generic framework stuff, not app-specific
  - Again, if you know how L2 works and have looked at several traces,
it's obvious what to do.
  - The 'DSP' part of the sniffer has been public for a while with a small
demo app (single phone and doesn't exploit the full potential of the
DSP patch) and it's perfectly sufficient to debug things on your own
controlled network. (This is basically what I showed at DeepSec 2010).

 * The tool to generate the input to Kraken
  - Won't be published either
  - Making the guesses is easy for anyone that knows what he's doing.

 * The improved Kraken
  - No idea about it, see with Karsten / Sacha / Frank, I only got
access to it 1 hour or so before the talk :)

 * Conversion from burst to audio
  - This was hacked software, mostly with airprobe code.
  - The exact app will not be released, but I'd like to see the
capability put in some clean library we can re-use from airprobe and
other applications without having to multiply the code each time.
  - ... But since I'd like it to support AMR and Viterbi soft output
before that happens, it could take some time.
  - Anyone familiar with GSM, airprobe and C could re-hack the same
thing in an hour ...

As you can see, everything you need to analyze your own network / your
own traffic, even at the burst level, is already published and has been
for more than a month.
The other tools have been written only so that we could demonstrate
that what we have _said_ is possible for about a year, we can now do
_practically_. It's apparently needed to get people's attention:
"theoretical" attacks are not enough to get the operators / GSMA to
react. We'll see if that did it ...

A few pieces of advice that are always good:

 - Make sure to check out the A5/1 project ML and airprobe project ML and try
   to ask your questions in the proper mailing list as much as possible.
 - Check the wiki and mailing list archives thoroughly before asking questions.


     Sylvain Munaut

PS: I only posted on this list because it seems a lot of people were
pointed here, while in fact airprobe would probably be more appropriate
to discuss attack scenarios and such, so make sure to answer / start
new discussions on the right list.
