[A51] gsm-receiver tutorial

Sylvain Munaut 246tnt at gmail.com
Fri Jul 30 09:58:37 CEST 2010


Hi,

These are not exact steps, but it's a start :)


>  Note: this step is not as easy as it sounds. Usually capture some
>  calls of your own phone where you know the Kc (it can be read from
>  the SIM or displayed by the Engineering Mode Screen of some phones)
>  and look for known-plain-text candidates. An example are "SYSTEM
>  INFORMATION 5/6/5ter" in the SACCH or "LAPDM U, func=UI" frames.

The SI5/5ter/6 are indeed the easiest.

There are two aspects to find good plain text:

 * Know the plain text _content_ in question
 * Know _when_ that frame will be sent.


The content:
------------

SI5/5ter/6 content can be divided into 4 parts:
 - The SACCH L1 header (2 bytes)
 - The LAPDm header (3 bytes)
 - The SI message content (variable)
 - Padding (fills up the rest up to 23 bytes)

On a given cell, the last 3 elements will be constant (except for
exceptional conditions). So that means that for each type of message,
the last 21 bytes are known and you can just save them somewhere.

The first 2 bytes contain some variable information, but:
 - That header is the same for all types of SI5/6/5ter
 - On a given channel, it's unlikely that it will change fast. So if
at the start of the dedicated channel you get any type of SI5/6/5ter
in clear (and you will!), you can just take the first two bytes and
use them as the header for all types.

So by combining these two, you can get known content of 23 bytes for
these 3 types of frames. You just need to convert those 23 bytes into
4 bursts (not sure if there is any ready app for that yet).

Note that there is a 'shortcut' to get some plain text quickly. Since
you will have at least one of SI5/SI6/SI5ter in clear before the
CIPHER starts, you can get those 4 bursts easily. In some cases you
will be lucky and even have a sample in clear text of all 3 types
SI5/SI6/SI5ter ... So start with those you have and if that's not
enough to find Kc, then come back and do it the hard way.


When
----

Those are only sent in the downlink in the SACCH, so you know where to
look for them.

If you refer to GSM 05.01 Figure 3 "Channel organization in the
51-frame multiframe" you can find their position in the 51 multiframe.
Just take the frame number modulo 102 and compare it to what the graph
shows. For example for the SACCH of SDCCH/8 [0], you will find those
messages when fn % 102 == 32,33,34 & 35  (4 bursts at a time
obviously).

The order of SI5/SI6/SI5ter _inside_ the SACCH is apparently not
specified. But as far as I've seen, the operator just has a fixed
sequence (like SI5 SI5ter SI6 SI5 SI5ter SI6 ...). So since at the
start of the channel you have at least one in clear, you can see where
in the sequence you are and align yourself.


>  Also keep in mind that there could be wrong bits in a burst due to
>  distortion.

That's where a soft bit output from the demodulator would be nice :P


     Sylvain
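The whole procedure sketched in the mail above (assemble the 23-byte SI5/SI5ter/SI6 SACCH frame, turn it into the 4 bursts, pick the frame numbers where SACCH/8(0) carries them, and XOR against the ciphered bursts to get keystream for the A5/1 attack), as an added worked example in Python. This is not code from the post or from gsm-receiver: the L1 header, neighbour lists and LAI bytes are constructed placeholders that must be replaced by values copied from cleartext frames on the target cell, the keystream used in the demo is a constructed stand-in (not A5/1), and the channel coding follows GSM 05.03 section 4.1 (FIRE code, rate 1/2 convolutional code, 4-burst interleaving) with octets unpacked LSB first as in GSM 04.04. Only the 114 ciphered payload bits of each burst are produced; the stealing flags are not part of the A5 XOR.

```python
"""Known-plaintext bursts for SACCH SI5/SI5ter/SI6 (added example, not from the post)."""

SACCH_LEN = 23        # one SACCH block = 23 octets = 184 bits
LAPDM_PAD = 0x2B      # LAPDm fill octet
FIRE_POLY = (1 << 40) | (1 << 26) | (1 << 23) | (1 << 17) | (1 << 3) | 1  # GSM 05.03 4.1.2 g(D)

# Constructed sample data: in practice copy these from a cleartext SI seen on the channel.
L1_HEADER = bytes([0x05, 0x01])                                # power level 5, TA 1 (assumed)
SI5_BODY = bytes([0x06, 0x1D]) + bytes(range(0x10, 0x20))      # RR, SI TYPE 5 + 16-byte neighbour cell desc.
SI5TER_BODY = bytes([0x06, 0x06]) + bytes(range(0x20, 0x30))   # RR, SI TYPE 5ter + 16-byte neighbour cell desc. 2
SI6_BODY = bytes([0x06, 0x1E, 0x12, 0x34, 0x62, 0xF2, 0x10, 0x00, 0x01, 0x00, 0x01])  # SI TYPE 6 (11 bytes)


def build_sacch_frame(l1_header, body):
    """Assemble the 23-byte downlink SACCH block: L1 header, LAPDm UI header, SI, 0x2B padding."""
    assert len(l1_header) == 2 and len(body) <= SACCH_LEN - 5
    lapdm = bytes([0x03,                      # address: LPD=0, SAPI=0, C/R=1 (BTS command), EA=1
                   0x03,                      # control: UI frame
                   (len(body) << 2) | 0x01])  # length indicator, M=0, EL=1
    frame = bytes(l1_header) + lapdm + bytes(body)
    return frame + bytes([LAPDM_PAD]) * (SACCH_LEN - len(frame))


def octets_to_bits(octets):
    """d(0..183): bit 1 (LSB) of octet 1 is transmitted first (GSM 04.04 ordering)."""
    return [(o >> i) & 1 for o in octets for i in range(8)]


def fire_parity(d):
    """40 FIRE parity bits p(0..39): remainder of d(D)*D^40 mod g(D), complemented (05.03 4.1.2)."""
    mask = (1 << 40) - 1
    reg = 0
    for bit in d:
        fb = ((reg >> 39) & 1) ^ bit
        reg = (reg << 1) & mask
        if fb:
            reg ^= FIRE_POLY & mask
    reg ^= mask                                     # remainder must equal 1 + D + ... + D^39
    return [(reg >> (39 - i)) & 1 for i in range(40)]


def conv_encode(u):
    """Rate 1/2, K=5 code: G0 = 1+D^3+D^4, G1 = 1+D+D^3+D^4 (05.03 4.1.3); 228 -> 456 bits."""
    c = []
    for k, uk in enumerate(u):
        u1 = u[k - 1] if k >= 1 else 0
        u3 = u[k - 3] if k >= 3 else 0
        u4 = u[k - 4] if k >= 4 else 0
        c.append(uk ^ u3 ^ u4)
        c.append(uk ^ u1 ^ u3 ^ u4)
    return c


def interleave(c):
    """Block-diagonal interleaving over 4 bursts (05.03 4.1.4): i(B,j) = c(k)."""
    bursts = [[0] * 114 for _ in range(4)]
    for k, bit in enumerate(c):
        bursts[k % 4][2 * ((49 * k) % 57) + ((k % 8) // 4)] = bit
    return bursts


def encode_xcch(frame):
    """23 octets -> 4 bursts of 114 payload bits (the bits A5 XORs; stealing flags omitted)."""
    d = octets_to_bits(frame)
    u = d + fire_parity(d) + [0, 0, 0, 0]           # 184 data + 40 parity + 4 tail bits
    return interleave(conv_encode(u))


def known_plaintext_fns(fn_lo, fn_hi):
    """Frame numbers in [fn_lo, fn_hi) carrying downlink SACCH/8(0): fn % 102 in 32..35 (from the mail)."""
    return [fn for fn in range(fn_lo, fn_hi) if 32 <= fn % 102 <= 35]


def a5_count(fn):
    """22-bit COUNT fed to A5/1 for frame fn: T1 (11 bits) | T3 (6 bits) | T2 (5 bits)."""
    t1, t2, t3 = fn // (26 * 51), fn % 26, fn % 51
    return (t1 << 11) | (t3 << 5) | t2


def recover_keystream(ciphered_bursts, plain_bursts):
    """Keystream = ciphertext XOR known plaintext, one 114-bit block per burst (input for an A5/1 attack)."""
    return [[c ^ p for c, p in zip(cb, pb)] for cb, pb in zip(ciphered_bursts, plain_bursts)]


def fake_keystream(seed, n=114):
    """Constructed stand-in for a keystream block (NOT A5/1), used only to demo the XOR step."""
    out, x = [], seed
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 1)
    return out


if __name__ == "__main__":
    for name, body in (("SI5", SI5_BODY), ("SI5ter", SI5TER_BODY), ("SI6", SI6_BODY)):
        frame = build_sacch_frame(L1_HEADER, body)
        burst0 = "".join(map(str, encode_xcch(frame)[0]))
        print(name, frame.hex(), "-> burst 0:", burst0[:32] + "...")
    fns = known_plaintext_fns(0, 300)
    print("downlink SACCH/8(0) blocks at fn:", fns)
    plain = encode_xcch(build_sacch_frame(L1_HEADER, SI5_BODY))
    ks = [fake_keystream(fn) for fn in fns[:4]]
    ciphered = [[p ^ k for p, k in zip(pb, kb)] for pb, kb in zip(plain, ks)]
    assert recover_keystream(ciphered, plain) == ks
    print("keystream recovered; COUNT values:", [a5_count(fn) for fn in fns[:4]])
```

The sequence alignment trick from the mail still applies on top of this: once one SI is seen in clear, the operator's fixed SI5/SI5ter/SI6 rotation tells you which of the three frames to use as plaintext for each later SACCH block, and a wrong guess simply yields garbage "keystream" that no A5/1 attack will accept.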

