------------------------------ Original Message ------------------------------
From: Jan Hrach <jenda@hrach.eu>
To: Brmlab: Hackerspace Prague (main discussion) <brmlab@brmlab.cz>, m alizadehee <m.alizadehee@chmail.ir>
Sent: Thursday, 16 Mehr 1394, 03:51:28
Subject: Re: [Brmlab] GSM cracking

> so, how could one determine the exact
> start frame number (DL) and start timeslot (if we assume there is no
> hopping) of the link?

No idea, but ccch_scan can work it out, so it is probably in its source. I would think it is in the assignment message and GSM specification somewhere.

It's undeniable that in the case of frequency hopping, the MS must be informed of the exact time slot and frame number for the transaction, which are imposed by the "Immediate Assignment" message! Otherwise the MS can't follow the frequency hopping pattern!

What's your idea??

Best regards,
Alizadeh

> i.e. is it possible to
> separate data of different users

You can see TMSI and rarely IMSI and IMEI. Other possibilities? Probably not.


On 8.10.2015 14:08, alizadeh wrote:
> Hello all,
>
> I'm a GSM researcher like you. I read a lot about how to crack GSM
> via Um air interface. But there are still some unknown puzzles to me!
> If you share your knowledge, I will appreciate it.
>
> - After "Immediate Assignment" message sent by the network, other
> messages such as "CM service request", after the assignment, will be
> sent on the SDCCH, so, how could one determine the exact
> start frame number (DL) and start timeslot (if we assume there is no
> hopping) of the link?
>
> - Is there any way to classify different data positions within the
> received signal with respect to each user, i.e. is it possible to
> separate data of different users (again with the assumption of no
> hopping and in encrypted form)?
>
>
>
> Thanks in advance,
>
> M. A.
>
>
>
> _______________________________________________ Brmlab mailing list
> Brmlab@brmlab.cz https://brmlab.cz/cgi-bin/mailman/listinfo/brmlab
>
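The point raised above, that the network has to tell the MS the timeslot, frame number and hopping parameters in the Immediate Assignment, can be made concrete by decoding that message. The following is an added example written for this page; it is not code from the thread, from Brmlab or from ccch_scan. It follows the public bit layouts in 3GPP TS 44.018 (9.1.18 Immediate Assignment, 10.5.2.5 Channel Description, 10.5.2.30 Request Reference, 10.5.2.38 Starting Time) and decodes one 23-octet CCCH block; the sample block at the bottom is constructed for the example, not captured, and the function and field names are this example's own. It handles both the non-hopping case (ARFCN) and the hopping case (MAIO/HSN), and rebuilds the reduced frame number carried in the Starting Time and Request Reference fields.

```python
"""Decode the channel parameters a GSM Immediate Assignment hands to the MS.

Added, stand-alone example (not code from the thread or from ccch_scan).
Bit layouts follow 3GPP TS 44.018: 9.1.18 (Immediate Assignment),
10.5.2.5 (Channel Description), 10.5.2.30 (Request Reference),
10.5.2.38 (Starting Time). The sample block at the bottom is CONSTRUCTED.
"""
from dataclasses import dataclass
from typing import Optional

RR_PROTOCOL_DISCRIMINATOR = 0x06
MT_IMMEDIATE_ASSIGNMENT = 0x3F
IEI_STARTING_TIME = 0x7C
FRAMES_PER_RFN_PERIOD = 51 * 26 * 32   # 42432: range of a reduced frame number
HYPERFRAME = 26 * 51 * 2048            # 2715648: absolute frame numbers wrap here


@dataclass
class ChannelDescription:
    channel: str                 # logical channel type
    subchannel: Optional[int]    # sub-channel for TCH/H and SDCCH, None for TCH/F
    timeslot: int                # TN, 0..7
    tsc: int                     # training sequence code, 0..7
    hopping: bool                # H bit
    arfcn: Optional[int] = None  # set when not hopping
    maio: Optional[int] = None   # set when hopping
    hsn: Optional[int] = None    # set when hopping


def decode_channel_description(ie: bytes) -> ChannelDescription:
    """Decode the 3-octet value part of a Channel Description IE (10.5.2.5)."""
    if len(ie) < 3:
        raise ValueError("Channel Description needs 3 octets")
    chan_type = ie[0] >> 3            # 5-bit channel type and TDMA offset
    timeslot = ie[0] & 0x07
    tsc = ie[1] >> 5
    hopping = bool(ie[1] & 0x10)
    if chan_type == 0b00001:
        channel, sub = "TCH/F + ACCHs", None
    elif chan_type >> 1 == 0b0001:
        channel, sub = "TCH/H + ACCHs", chan_type & 0x1
    elif chan_type >> 2 == 0b001:
        channel, sub = "SDCCH/4 + SACCH/C4", chan_type & 0x3
    elif chan_type >> 3 == 0b01:
        channel, sub = "SDCCH/8 + SACCH/C8", chan_type & 0x7
    else:
        raise ValueError(f"reserved channel type {chan_type:#07b}")
    cd = ChannelDescription(channel, sub, timeslot, tsc, hopping)
    if hopping:
        # MAIO: 4 high bits in octet 2, 2 low bits in octet 3; HSN: low 6 bits of octet 3
        cd.maio = ((ie[1] & 0x0F) << 2) | (ie[2] >> 6)
        cd.hsn = ie[2] & 0x3F
    else:
        # ARFCN: 2 high bits in octet 2, 8 low bits in octet 3
        cd.arfcn = ((ie[1] & 0x03) << 8) | ie[2]
    return cd


def decode_reduced_fn(two_octets: bytes) -> int:
    """Unpack the T1'/T3/T2 triplet used by Starting Time and Request Reference
    and rebuild the frame number modulo 42432 (TS 44.018 10.5.2.38)."""
    t1p = two_octets[0] >> 3
    t3 = ((two_octets[0] & 0x07) << 3) | (two_octets[1] >> 5)
    t2 = two_octets[1] & 0x1F
    return 51 * ((t3 - t2) % 26) + t3 + 51 * 26 * t1p


def resolve_fn(reduced_fn: int, current_fn: int) -> int:
    """Next absolute FN at or after current_fn matching a reduced frame number
    (the receiver knows current_fn from the SCH)."""
    fn = current_fn - current_fn % FRAMES_PER_RFN_PERIOD + reduced_fn
    if fn < current_fn:
        fn += FRAMES_PER_RFN_PERIOD
    return fn % HYPERFRAME


@dataclass
class ImmediateAssignment:
    page_mode: int
    channel: ChannelDescription
    random_reference: int       # RA from the MS's Channel Request burst
    request_fn: int             # FN (mod 42432) of that RACH burst
    timing_advance: int
    mobile_allocation: bytes    # bitmap over the cell's hopping frequency list
    starting_fn: Optional[int]  # FN (mod 42432) from which the channel is valid


def decode_immediate_assignment(block: bytes) -> ImmediateAssignment:
    """Decode one 23-octet CCCH block carrying an Immediate Assignment (9.1.18)."""
    l2_len = block[0] >> 2              # L2 pseudo length: octets before rest octets
    end = 1 + l2_len
    if len(block) < 12 or (block[1] & 0x0F) != RR_PROTOCOL_DISCRIMINATOR \
            or block[2] != MT_IMMEDIATE_ASSIGNMENT:
        raise ValueError("not an RR Immediate Assignment")
    if block[3] & 0x10:
        # T bit set: packet (TBF) assignment with a Packet Channel Description instead
        raise ValueError("TBF assignment not handled by this example")
    page_mode = block[3] & 0x03
    channel = decode_channel_description(block[4:7])
    random_reference = block[7]
    request_fn = decode_reduced_fn(block[8:10])
    timing_advance = block[10] & 0x3F
    ma_len = block[11]
    mobile_allocation = bytes(block[12:12 + ma_len])
    idx = 12 + ma_len
    starting_fn = None
    if idx + 2 < end and block[idx] == IEI_STARTING_TIME:   # optional TV IE
        starting_fn = decode_reduced_fn(block[idx + 1:idx + 3])
    return ImmediateAssignment(page_mode, channel, random_reference, request_fn,
                               timing_advance, mobile_allocation, starting_fn)


# CONSTRUCTED sample: SDCCH/8 sub-channel 2 on timeslot 1, TSC 5, no hopping,
# ARFCN 62; answers RACH reference 0x23 sent in FN 12345; TA 3; valid from
# FN 12400. Rest octets padded with 0x2B.
SAMPLE_BLOCK = bytes([
    0x39,                    # L2 pseudo length = 14
    0x06, 0x3F,              # RR protocol discriminator, Immediate Assignment
    0x00,                    # page mode normal, no TBF
    0x51, 0xA0, 0x3E,        # Channel Description
    0x23, 0x48, 0x75,        # Request Reference
    0x03,                    # Timing Advance
    0x00,                    # Mobile Allocation: empty (no hopping)
    0x7C, 0x48, 0xF8,        # Starting Time
]) + bytes([0x2B] * 8)

if __name__ == "__main__":
    ia = decode_immediate_assignment(SAMPLE_BLOCK)
    print(ia)
    print("channel valid from absolute FN", resolve_fn(ia.starting_fn, 12345))
```

Two things the decoder makes visible. First, everything the thread asks about (timeslot, TSC, ARFCN or MAIO/HSN, the RACH reference and the starting frame) is carried in the clear on the CCCH, because ciphering can only begin on the dedicated channel after the assignment; this is why such assignments count as metadata exposed to any receiver in range, and why the TMSI/IMSI leakage mentioned in the reply is the identity-related concern. Second, in the hopping case the message is not self-contained: the Mobile Allocation is only a bitmap, and the MS resolves it against the Cell Channel Description broadcast in System Information, so a decoder needs that broadcast state as well, which is exactly the dependency the poster describes.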