GSM Sniffing: Voice Decryption 101 - Software Defined Radio Series #11
Hello and welcome to Crazy Danish Hacker. Today we're going to look at sniffing a voice call and frequency hopping. So first up we are going to look at the channel in service mode, and that is 82. So that's ARFCN 82, and the frequency for that is 951.4 MHz. So here it is, and now we will just convert that to Hertz; that's very simple, there we go.

And now we can use grgsm_livemon, and we also need Wireshark. So we have Wireshark: click OK, loopback, double click on that, move this... oh, just copy the frequency and run this program. And yeah, that's fine up here, gain 30 here, we can work with that. Copy and paste, click here, and it looks like it's working. So now that we've confirmed that we can capture data on this channel and the packets look nice, you know, it looks like it's working, we'll just close this. Nope. And now we will minimize Wireshark and capture some real data, like from ourselves obviously, because that's what we want to look at. So we are going to use grgsm_capture, and then we will capture on this frequency. We can also specify just -a and then 82, but we're going to use the frequency in this case. Sample rate is 1 million, or 1e6; the max sample rate that you should use for an RTL-SDR is around 2 million, maybe 2.4, but not anything higher. So we can use gain 40, voice1.cfile, time is thirty seconds, and it ends up... So now we can try and call.


See if it's calling. Answer. Testing, testing. And we can see in service mode that frequency hopping is on as well, if you're looking at that. So yeah, so we'll just hang up again, and now we want to get the TMSI and Kc, so we'll just get that now. So we will use the USB switch; make sure that our phone is connected through the computer, because we need to talk to the USB modem. Now it's switched, and we can just confirm it here, yep. We will use minicom, -D /dev/ttyACM0, question mark... it's working. Now Ctrl-A, E, and AT, and this should be the keys that we will need to decode some of the traffic, at least. So just save it here, don't need the two bytes, and we will just hang up, so yep.

And now we can try and decode the data. So voice1, yep, that looks like a nice file, it's 229. We will run grgsm_decode; frequency is this one here, sample rate is 1 million, 1e6, we will need to run, let's see: -c is voice1, -m is BCCH, timeslot is 0, and open, and make sure that we're listening on loopback, and hit enter and look for our TMSI. And string, packet details, and here we can see that this is our phone... it's not our phone, it's a message to our phone saying: hey, I want to talk to you, let's chat on SDCCH/8, timeslot 1, no hopping channel. And some good information, because we know that channel hopping was in use, is to look at System Information Type 1. We'll just sort it by this, see if we can find it, type 1, and basically this tower, or BTS, seems to work on these channels, so it's 82, 110, 111, 112. Alright, so that's important to note for future reference. So close this, minimize, and now we will decode the SDCCH/8, timeslot 1; make sure loopback is on here, that it's capturing from loopback, and we will just hit enter, and now we will search for our TMSI again. So we will just make sure that it's there, find, and we will look for the Ciphering Mode Command to begin with. Let's see, cut it here: ciphering mode setting, A5/3 here. That looks like... my phone wants to talk... doesn't want to talk A5/1, at least not at the moment. So basically the BTS, or yeah, the cell tower, including the control, you know, the computers and stuff, is telling my phone: let's communicate, but only with A5/3, like encrypted, it needs to be encrypted. So let's just close this, and since we have the Kc right here we can look at some more stuff. So we need to specify -e 3, that's A5/3, key is this here, make sure that we're listening on loopback, and now let's search for our TMSI again.

Let's try again. Nope. Well, I know that it's there because we have a CC Setup right here; that's basically a packet telling us that we are about to get a call, and that's basically the packet that's telling who's calling. And then we have the Assignment Command, and that's telling us, like, where to... where to call, for example. So here we got the channels used for channel hopping again, and I think it is channel description, yep. Here we can see that it wants to talk on timeslot seven, so it's TCH/F, so that's the traffic channel, and it's timeslot seven, and its training sequence is 4, and hopping channel: yes, MAIO is 0, HSN is 60. So from here on, if we were not hopping channel, if hopping channel was equal to no, then we could try and decode the voice call as follows. So what we would do is that we would say -m TCHF -t 7 -e 3, -k and then type in the key, and then -d, full rate most likely, speech file /tmp/test1.au.gsm. Now the problem is that, because we're hopping channel, we're not going to get all, or maybe any, of the packets, even though we have the decryption key. The thing is, we've only captured data from this frequency, so that means that we're not getting all of the data, so that's a major issue. So we can see that it is zero bytes, so that's a major issue.

So when I encountered this issue I was looking at some stuff, I was looking into it, if there were any solutions, and yes there are, but you also need to understand the limitations that we have with an RTL-SDR. An RTL-SDR can typically look at 2.4 MHz at a time, maximum 3.2 MHz, but that's with probable packet loss, so that's really, really bad. So let's see if it would even be possible in our case. So we go back to this website here and we look at this. This is 91, yes, because that's... this channel is most likely used, and let's see, 110, it may also be specified... that's not so, it may also be specified here, so that's 957, and 117. Just minimize this window, and now, as we can see here, it could be that our voice is only transmitted on these channels here, because that would only bring us a gap of 957 to 958.4, so that's equal to 1.4 MHz, which we could pick up even if we just allow room for like 0.2 MHz, or two hundred kilohertz. So we could look at that, but even if it was like that, it was something like 1.6. But the thing is, if our voice is just transmitted, like, every few milliseconds on this channel, then we won't be able to decode it. And the problem is that if it is included here, then the range goes up to 958.4 MHz, and that's equal to 7 MHz. So even if we had a lot of space... you can see we only have one RTL-SDR, and even if we're maxing it out we won't be able to listen, because even if we're listening... and this is both ways. So that means that if we're listening on, for example, 950, and let's say we are listening with 3.0 MHz, then if we're listening on this channel here, then for the wideband capture file we are listening on 1.4 MHz on both sides, that's plus/minus. So that means that the upper channel is 951.5 and the lower one is 948.5, right, 950 here. So as you can see, in this case we need something like a bladeRF or a USRP, or bigger, to do it with less... but basically I need to buy a better software-defined radio to capture myself talking on the phone, if channel hopping is on of course. So that's a major issue, even though there are programs to decode both the SDCCH hopping and even the TCH/F hopping as well. So that's what I'm going to try and do in the future, but for now I won't be able to decode my own voice call. But I have a test file that we can try and decode instead, so let's try and decode a sample test file instead that I have. So this is from some of the researchers that originally published some issues with A5/1, or they released the tool called Kraken. So we will decode this file and I will show you how it works, because this file is recorded and it doesn't have channel hopping on, so that means that we can decode it. We have the sample rate here, and we have the channel and key, so that's all we need really. So what we are going to do is that we are going to get this file first; so we will just grab the test file, it shouldn't take too long hopefully.

So now that we have the test file, as in this is the test file right here, vf_call..., we'll just rename it to testfile or whatever, testfile.cfile. We will use this file and decode it as we normally could with a voice file, but this is not channel hopping, so it is much easier, and in case I was not channel hopping on my phone, which doesn't seem to be possible to disable, then we could have done it on my phone, but I'll have to get a new SDR as I said. Anyway, let's decode this file and do some magic. So we will use grgsm_decode, and in this case it is this channel here, sample rate is this here, a bit odd I know, and -m BCCH, timeslot zero, make sure we're listening, capturing, on loopback, yes, and we also need the cfile obviously. We go, and we don't have the TMSI, but that should be fine, we don't really need it. Let's see, paging, paging, notification; I wonder if it's the notification instead... that it's not the notification, that's not the Immediate Assignment in this case. Let's just have a look at one of these notifications. No, I don't think so.

Let's see, notification, notification. I have a better idea, because this is taking way too long. Just... there we go, it's packet 287, or 286. So we'll just look at the channel description: SDCCH, timeslot 1. Let's have a look at this one, timeslot 1, hopping channel: this is off, okay, good. Close, loopback, and -c, just, -m SDCCH8, timeslot 1, okay, there we go. So we got a Paging Response, that's what we were expecting. You can see that there's some information here, there is the CMC right here, and the Ciphering Mode Command is, yeah, A5/1. So now we just need to decode it again through this. Close, and listen on the loopback again, and this time we will say it's still timeslot 1, but we need to specify A5/1 and the key as follows, and decode it. And here we can see that it says CC Setup, that's call setup I think, so we can see here is the calling party number right here, and here is the Assignment Command, and if we look here we can see that it's TCH/F and it's timeslot 5, and hopping channel: no. That's very convenient, because that means that we can decode this file. So now we just need to remember that it's timeslot 5 and it's TCH/F. So what we are going to do is that we are going to just go back here, timeslot 5, TCHF, we just need to make sure that it's capital letters I believe, and just --help, because I can't remember the arguments. Speech is, well, probably full rate, output file /tmp/testfile_speech.au.gsm, run it, and we can see some stuff here going on as well. But let's have a look at that file here: test speech, test1 speech, 8.8 kilobytes, and let's just move that file here. We may have to play it on a Windows machine, but we'll just see. So I'm back in Windows, so we'll look at this file with VLC, because for some reason it's not working in Kali. So let's have a look, let's see if we can hear it. I'm not sure if you heard that, so I'll just turn up the... turn it up, max, you know. "Call 6", so that you probably heard. So just turn it down again so I don't blow my own ears out.

So that's how you can decode non-channel-hopping files, but when it's channel hopping then we need some additional hardware, such as a bladeRF, maybe a HackRF, or a USRP. Although software-defined radios can do... if you want to do some serious SDRs, that are not, like, crazy expensive, but they're also not too bad, they are pretty good, then you need one of these, for example. So that's pretty much it. Stay tuned then.
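Added example, not part of the video and not gr-gsm's own code: a small POSIX shell helper for the workflow shown above. It converts ARFCNs to frequencies (ARFCN 82 comes out as the 951.4 MHz used in the video), checks whether a hopping set such as the one read from System Information Type 1 fits inside one RTL-SDR capture (the 7 MHz span from ARFCN 82 to 117 does not; 110 to 117 does), extracts Kc from an AT+CRSM reply, and prints the grgsm_capture / grgsm_decode command lines so they can be copied rather than retyped. Assumptions: the GSM-900 band, the classic gr-gsm option names (grgsm_capture -f/-s/-g/-c/-T and grgsm_decode -c/-f/-s/-m/-t/-e/-k/-d/-o; later releases renamed some of these, so check --help), that Kc is read with AT+CRSM=176,28448,0,0,9 (the video does not show its exact command), and a constructed modem reply with a made-up key. Nothing in the script touches a radio; run it with the argument demo to see the worked numbers.

```shell
#!/bin/sh
# Added example, not from the video and not part of gr-gsm. Nothing here
# touches a radio: the functions convert ARFCNs to frequencies, check whether
# a hopping set fits in one RTL-SDR capture, pull Kc out of a modem reply and
# print the grgsm_capture / grgsm_decode command lines to run by hand.
# Assumptions: GSM-900 band (P-GSM 0..124, E-GSM 975..1023) and the classic
# gr-gsm option names (grgsm_capture -f/-s/-g/-c/-T, grgsm_decode
# -c/-f/-s/-m/-t/-e/-k/-d/-o); later releases renamed some, so check --help.

# Downlink carrier in kHz. P-GSM: 935 MHz + 200 kHz * n; E-GSM uses n - 1024.
# ARFCN 82 -> 951400 kHz, i.e. the 951.4 MHz used in the video.
arfcn_to_khz() {
    n=$1
    if [ "$n" -ge 975 ] && [ "$n" -le 1023 ]; then
        n=$((n - 1024))
    elif [ "$n" -lt 0 ] || [ "$n" -gt 124 ]; then
        echo "ARFCN $1 is not a GSM-900 channel" >&2
        return 1
    fi
    echo $((935000 + 200 * n))
}

# "lowest highest span" in kHz for the ARFCNs of a hopping set (the cell's
# allocation is listed in System Information Type 1; the set for one call
# comes with the Assignment Command).
hop_span() {
    lo=; hi=
    for a in "$@"; do
        f=$(arfcn_to_khz "$a") || return 1
        if [ -z "$lo" ] || [ "$f" -lt "$lo" ]; then lo=$f; fi
        if [ -z "$hi" ] || [ "$f" -gt "$hi" ]; then hi=$f; fi
    done
    echo "$lo $hi $((hi - lo))"
}

# Can one capture of samp_khz bandwidth hold the whole hopping set?
# Every carrier is 200 kHz wide, so the outermost one needs that much room.
hops_fit() {
    samp_khz=$1; shift
    span=$(hop_span "$@") || return 2
    set -- $span
    [ $(($3 + 200)) -le "$samp_khz" ]
}

# Kc from the reply to AT+CRSM=176,28448,0,0,9 (READ BINARY on EF_Kc, file
# 6F20; assumed command, the video does not show it). The SIM returns 9
# bytes: 8 bytes of Kc and one byte of key sequence number, which is why the
# last two hex digits are dropped.
kc_from_crsm() {
    hex=$(printf '%s\n' "$1" |
        sed -n 's/^+CRSM: *[0-9]*,[0-9]*,"\([0-9A-Fa-f]*\)".*/\1/p')
    [ ${#hex} -ge 16 ] || { echo "no Kc in reply: $1" >&2; return 1; }
    printf '%s\n' "$hex" | cut -c1-16 | tr 'a-f' 'A-F'
}

# capture_cmd <arfcn> <samp_rate> <gain> <cfile> <seconds>
capture_cmd() {
    f=$(arfcn_to_khz "$1") || return 1
    echo "grgsm_capture -f ${f}000 -s $2 -g $3 -c $4 -T $5"
}

# decode_cmd <cfile> <arfcn> <samp_rate> <mode> <timeslot> [a5 kc [codec out]]
# mode is BCCH, SDCCH8 or TCHF as in the video; a5 is 1 or 3; codec FR.
decode_cmd() {
    f=$(arfcn_to_khz "$2") || return 1
    cmd="grgsm_decode -c $1 -f ${f}000 -s $3 -m $4 -t $5"
    if [ -n "$6" ]; then cmd="$cmd -e $6 -k $7"; fi
    if [ -n "$8" ]; then cmd="$cmd -d $8 -o $9"; fi
    echo "$cmd"
}

# Worked run with the numbers from the video. The +CRSM reply is constructed
# and the key in it is made up.
demo() {
    kc=$(kc_from_crsm '+CRSM: 144,0,"0011223344556677ab"')
    echo "ARFCN 82 = $(arfcn_to_khz 82) kHz; Kc = $kc"
    echo "hop set 82 110 111 112 117: $(hop_span 82 110 111 112 117) kHz"
    hops_fit 2400 110 111 112 117 && echo "110..117 fits a 2.4 MHz capture"
    hops_fit 2400 82 110 111 112 117 || echo "adding 82 does not (7 MHz span)"
    capture_cmd 82 1e6 40 voice1.cfile 30
    decode_cmd voice1.cfile 82 1e6 BCCH 0
    decode_cmd voice1.cfile 82 1e6 SDCCH8 1 3 "$kc"
    decode_cmd voice1.cfile 82 1e6 TCHF 7 3 "$kc" FR /tmp/test1.au.gsm
}
case "${1:-}" in demo) demo ;; esac
```

The fit check is deliberately conservative: it only asks whether the carriers lie inside one capture window, and says nothing about whether the dongle can sustain that sample rate without dropping samples, which is the second limit the video runs into.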