Hacking GSM is a lot of fun, USRP, GnuRadio, Airprobe, OpenBTS, etc. are really great tools.
I have successfully reproduced capture and analysis of my own GSM downlink traffic in one of the Czech
2G networks (on a BTS which happened not to perform frequency hopping during the test),
using essentially the Karsten Nohl's HOWTO
. Incoming SMS messages were also successfully received and displayed in plaintext by Wireshark.
HOW to intercept the cell phone - SIM card communication and read out the Kc key for GSM traffic decryption
When experimenting with GSM decryption, it is very useful to know the correct Kc key in advance
to have a fixed point for debugging. This can be quite easily obtained by capturing
and analyzing the phone-SIM communication.
There are commercially available SIM adaptors, for example Turbo-kits by Bladox
, which offer logging of the MS-SIM traffic, but a much cheaper solution
with minimal hardware exists:
Take an expired pre-payed SIM card and using a micro-driller with an abrasive wheel (e.g. Proxxon)
carefully grind out the plastic to expose back of the contacts of the SIM. Then solder a thin
flat cable to the back side of the contacts and isolate it with insulation tape. When done
carefully, the thickness will not be increased much and the SIM adaptor fits to the phone.
There might be mechanical problems in some phones, but in my old Nokia 6310i it plugged in well.
Pin-out of the SIM card can be found in the Wiki
On the other side of the cable solder a little piece of universal PCB and connect the appropriate wires to corresponding pins of s SMD-mount SIM card socket. I have also added 100nF blocking capacitor between Vcc and GND and 680pF capacitor between Data and GND pins.
The GND and Data signals go to a connector, to which a serial RS232 cable adapted to 3V3 level
(like one would use to talk to a microcontroller) connects. Either you can adapt legacy RS232 port or USB-RS232 cable using MAX232CPE,
or use a USB-RS232 chip like FT232BM without conversion to RS232 levels.
The setup looks like this:
Now switch the phone on - it should recognize the SIM card -
and using oscilloscope check the baud rate of the data being sent,
since different phones might clock the SIM card at various frequencies.
(For example, N6310i clocks it at 3.25MHz.)
The rest is software:
1. setserial /dev/ttyUSB0 spd_cust baud_base 24000000 divisor 2748
Adapt the divisor for your measured baud rate. Note that some USB-serial chips do not support
the appropriate ioctl, use ttyS0 or FTDI USB adaptor if you have bad luck.
2. stty 38400 cstopb parodd -ixon -ixoff -crtscts cread clocal ignbrk -icrnl -opost -isig -icanon -iexten -echo -echoe -echok -echonl -noflsh -xcase -tostop -echoprt < /dev/ttyUSB0
Note: the setserial replaced 38400 by the custom baud rate
3. dump_sim < /dev/ttyUSB0
Here is the source of the trivial program which just flips and negates the bits: dump_sim.c
4. Look for a0 88 and a0 c0 GSM algorithm input and response to find the Kc
E.g. in the line a0 c0 00 00 0c c0 34 60 28 40 ad 6c 5f e4 bf 5c 20 00 90 00
Notice the zero bits at the end, the result of an intentional weakening of the GSM
encryption introduced in order to make the life of secret services easier :-).
Experiments with OpenBTS and Asterisk
... will be described later, not much time since it is just a hobby for me ...
For GSM experiments, I needed some simple antennas. I have constructed them myself, employing USRP as a simple antenna analyzer
Recommended reading on digital signal processing:
Steven W. Smith: The Scientist and Engineer's Guide to Digital Signal Processing, California technical publishing 1997, ISBN 0-9660176-3-3
Steven W. Smith: Digital Signal Processing: A Practical Guide for Engineers and Scientists, Elsevier 2003, ISBN 0-750674-44-X
Some useful internet references on Gnuradio and GSM
Anatomy of GSM cellphone hardware
Catching and understanding GSM signals
All your baseband belongs to us
DECT sniffing project
GSM ciphertext-only cryptanalysis
Back to my electronics page
My hobby page
My main page
TOP of my family pages