The document discusses modifying a Motorola C123 phone to perform passive listening on GSM networks and turn the phone into a basic base transceiver station (BTS). It provides background on GSM, describes dumping the phone's DSP firmware to analyze it, implementing custom tasks to perform passive listening, and work in progress on proof-of-concept efforts to transmit synchronization bursts and dummy traffic to function as a BTS. The presentation concludes by thanking contributors to open source GSM projects.
This document discusses open sourcing GSM baseband firmware to allow for free cellphone firmware, security research of cellphone networks, and disruptive competition. It notes challenges include closed chipset and network equipment industries and lack of learning materials. It promotes GSM due to its simplicity, worldwide deployment, and hackable hardware. It introduces the Osmocom project which produces open source GSM baseband software and describes its features and code structure.
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic (44CON)
There are over 2.9 BILLION subscribers on GSM networks today. How many of these subscribers are susceptible to trivial attacks that can leave phone calls, text messages and web surfing habits accessible to an attacker? This talk intends to discuss the reasons why GSM networks are still vulnerable today and demonstrate attack tools that might make you re-think how you handle sensitive data via your phone. The presenter will discuss his own experience of analysing GSM environments and provide a demonstration of GreedyBTS, which can be used to compromise a target's phone calls, messaging and web surfing habits. Mobile phones will be harmed during this presentation.
44Con 2014: GreedyBTS - Hacking Adventures in GSM (iphonepentest)
This presentation examines insecurities in the 2.5G GSM protocol and demonstrates GreedyBTS, a platform for fingerprinting and exploiting cellular devices, including interception of SMS and voice data.
Speaker: Michael Iedema
"OpenBTS implements a complete GSM stack for voice and SMS. It also supports GPRS and UMTS 3G data standards. With an off-the-shelf server and SDR (software defined radio), it is now possible to build real mobile networks. These networks can be used to support true fixed-mobile convergence, bring coverage to remote areas or just experiment and innovate within the cellular network itself. Because OpenBTS converts all cellular signalling and media directly to SIP and RTP, the development environment should be familiar!"
ElastixWorld
Santiago de Chile
October 2014
GSM encryption needs to be shown insecure
- GSM is constantly under attack through demonstrated weaknesses in its A5/1 cipher and lack of network authentication
- However, GSM is used for sensitive applications like banking and access control
- To rectify perceptions of GSM security, the presentation will demonstrate its practical weaknesses through cracking the A5/1 cipher
- The community has already done the computational work needed and the presentation will detail next steps for a public demonstration cracking GSM encryption to raise awareness of ongoing security issues.
This document provides instructions for installing and configuring OpenBTS software to create an open source GSM network. It describes the necessary hardware including a computer, USRP software defined radio, and antennas. It also outlines installing GNU Radio, Boost libraries, and OpenBTS software. The configuration section explains setting parameters such as the mobile country code, network code, frequency band, and channel in the OpenBTS configuration file.
Practical Attacks Against Encrypted VoIP Communications (iphonepentest)
The slides from MDSec's presentation at HackInTheBox KUL 2013. The presentation describes attacks that can be used to deduce spoken conversations from encrypted VoIP communications. The presentation uses Skype as a case study.
This document summarizes optional transmission features for UMTS software packages, including:
1. ATM transmission features such as overbooking, ATM switching for hub node Bs, and fractional ATM functions.
2. IP transmission features such as IP routing for hub node Bs, header compression, UDP multiplexing, transmission resource pooling, and clock synchronization over Ethernet.
3. The purpose is to provide reference for promoting optional transmission features, with basic features described elsewhere. It includes benefits of features to improve efficiency and support smooth evolution of transmission technologies.
This document provides an overview of 3G technology, including:
- The development of 3G standards including WCDMA, CDMA2000, and TD-SCDMA to meet demands for high-speed data and multimedia services.
- Key aspects of 3G including universal frequency bands, high spectral efficiency, quality of service, and support for data rates up to 2Mbps.
- An overview of the WCDMA system architecture including its radio access network components like Node B and RNC, and core network evolution from R99 to R5 specifications.
This document provides an overview of Orthogonal Frequency Division Multiplexing (OFDM). It discusses how OFDM works by dividing a high bit rate stream into several parallel low bit rate streams. It also explains how OFDM is robust against frequency selective fading due to multipath propagation. Key aspects of OFDM like guard intervals, cyclic prefixes, and bit loading are described to mitigate issues like intersymbol interference and intercarrier interference. Common OFDM applications like WiFi, WiMax, DAB, and HDTV are listed.
This document discusses traditional time-division multiplexing (TDM) voice networks. It describes the basic components of TDM voice networks including analog phones, digital phones, fax machines, private branch exchanges (PBXs), and the public switched telephone network (PSTN). It also covers traditional voice signaling protocols like loop start signaling, ground start signaling, channel associated signaling (CAS), and common channel signaling (CCS) protocols like ISDN PRI and SS7. The document provides an overview of how traditional TDM voice networks were structured and operated.
The document describes the hardware structure and features of the Huawei BTS3900 base station system. The BTS3900 system includes a BBU3900 unit, MRFU units, and an indoor cabinet. The BBU3900 processes signals and manages resources, and contains boards like the GTMU, WMPT, WBBP, and UPEU. The system supports GSM, dual-mode GSM/UMTS, and UMTS networks and provides functions such as high capacity, transmission sharing, and flexible clock synchronization.
This document discusses UMTS signaling trace and analysis from Huawei Technologies. It provides an overview of standard trace operations including tracing by IMSI, MSISDN, IMEI, or TMSI. It also discusses debug trace, cell trace, trace on M2000 equipment, and trace review methods. Additionally, it covers basic concepts like typical network topology and interfaces. Finally, it provides examples of using trace analysis to investigate a VIP complaint and locate a network issue related to inter-RAT handover success rate.
This document provides an overview of GSM principles and network structure. It discusses key aspects of the GSM system including frequency reuse, multiple access techniques, network components, numbering plans and identifiers. The objectives are to understand the GSM system, its structure, protocols, channel combinations, radio techniques and the introduction of GPRS and EDGE. It contains detailed descriptions and illustrations of concepts such as cells, frequency division duplexing, time division multiple access, frequency planning and network interfaces.
This document provides instructions on basic GPON configuration, including provisioning PONs, ONT software management, ONT provisioning, ONT card provisioning, and ONT Ethernet port provisioning. The key steps covered are preparing the system to accept HiCAP boards, PON provisioning using TL1 and CLI, downloading ONT software to the AMS server and NE, provisioning ONTs using serial number or SLID both while connected and pre-provisioned, provisioning ONT cards and their port types, and bringing ONT Ethernet ports into service. The document includes screenshots and commands for completing each provisioning task in the GPON network management system.
Accelerating MIPI Interface Development and Validation - Introspect Technology (Jean-Marc Robillard)
Modern MIPI interfaces enable remarkable user experiences through the deployment of highly innovative electrical signaling and protocol technologies. Extending well beyond mobile, these interfaces are finding use in autonomous driving systems, augmented reality systems, and rugged or embedded computing applications. Understanding the various interactions between the multitude of physical and protocol layers is critical to achieving successful design and validation of MIPI links, especially when conceived as part of larger system contexts.
The document discusses SDH/SONET alarms and performance monitoring. It begins with an introduction to relevant standards bodies and then covers:
- Alarm types like LOF, AIS, and RDI found in different sections of the SDH frame including the regenerator, multiplex, and path overhead areas.
- Defect naming conventions and how defects are correlated to avoid unnecessary alarms.
- Performance monitoring parameters and what different path levels in the SDH hierarchy represent.
- Examples of how circuits like DS1 and DS3 are carried by SONET through different layers.
The document discusses procedures for configuring NodeB data in a wireless network. It describes configuring physical equipment such as boards, subracks, and peripheral devices. It then covers configuring transport links over ATM, including adding physical links like UNI links, IMA groups, and IMA links to establish connectivity between the NodeB and RNC. The overall goal is to master the procedure for NodeB data configuration using the CME tool to initially configure or modify radio network data.
The document describes an eNodeB LTE base station product. It discusses the functions of an eNodeB including radio resource management and scheduling. It then explains the logical structure of an eNodeB including components like the BBU and RF units. Finally, it covers topics like the subsystems of an eNodeB involved in control, transport, baseband processing and reliability measures.
The document discusses OpenBTS, an open source software that implements a GSM cellular network using software-defined radio (SDR) technology. It can be used to provide cellular coverage in rural areas at a lower cost than traditional networks. The document outlines OpenBTS' capabilities, how it works using SDR hardware and software, potential customers, and the group's progress and future plans to implement a multi-cell system with additional technologies like GPRS and EDGE.
LTE (Long Term Evolution) is a wireless communication standard that provides higher peak data rates, improved spectral efficiency, and reduced latency compared to previous standards. It utilizes technologies like OFDMA, MIMO, and flexible bandwidths between 1.4-20MHz. LTE is developed by 3GPP and supports both FDD and TDD duplexing schemes across various licensed frequency bands for cellular networks worldwide. It provides theoretical data rates up to 300Mbps downlink and 170Mbps uplink.
OptiX RTN 910/950/980 hardware description (windnctgayaranga)
The OptiX RTN 910/950 is a split microwave transmission system that provides TDM and hybrid microwave solutions. It consists of an indoor unit (IDU), outdoor unit (ODU), antenna, and other optional components. The IDU supports multiple interface boards and protection schemes. The ODU performs signal conversion and amplification. Adaptive modulation and other functions provide flexibility. The system supports both legacy TDM services and new packet-based Ethernet services.
The document describes the Codan 8800 Series Digital Microwave Radio (DMR). Key features include its split indoor and outdoor unit configuration, robust modulation scheme, redundancy options like 1+1 hot standby and space diversity, flexible data interface units supporting Ethernet and TDM, and compliance with international standards. The DMR provides reliable point-to-point wireless connectivity over long distances.
This document provides an overview of Huawei's NodeB equipment configurations for UMTS networks. It describes the main components of macro indoor and outdoor NodeBs including the BTS3812E, as well as distributed NodeBs and components like the BBU3806. It explains the principles of NodeB configuration for macro and distributed network scenarios.
The document discusses Synchronous Digital Hierarchy (SDH) and provides details on:
1. SDH frame structure including section overhead, path overhead, pointer, and information payload areas.
2. SDH multiplexing methods allowing lower rate signals like E1, E3, E4 to be mapped and multiplexed into higher rate SDH frames like STM-1, STM-4.
3. Overhead bytes including framing bytes A1/A2, data communications channel bytes D1-D12, orderwire bytes E1/E2, parity check bytes B1/B2, and remote error indication byte M1.
5G technology is a unique combination of high-speed internet access, low latency, high reliability and seamless coverage, which will support a large number of vehicles and transport infrastructure. The 5G platform will impact many industries, such as automotive, entertainment, agriculture, manufacturing and IT. As per the research forecast, "IoT will account for one quarter of the global 41 million 5G connections in 2024"; of these, three quarters of the devices will come from the auto industry via embedded vehicle connections.
A wide range of applications will benefit from ultra-fast 5G networks and their real-time responsiveness. These properties of 5G are very important for many IoT applications, e.g. self-driving cars and intelligent transportation, which demand very low latency. 5G will also be a great boon for interactive mobile gaming, a bandwidth-hungry application. 5G enables us to control more devices remotely in applications where real-time network performance is critical, such as remote control of vehicles, and it supports worker safety and environmental monitoring. 5G is not focused solely on improving speed; it will also prove valuable in the evolution of business. IoT on 5G has excelled at connecting phones, tablets and other devices; however, connecting cars, meters and sensors requires more advanced business models.
This document provides an overview of GPON (Gigabit-capable Passive Optical Network) technology. It discusses the basic concepts and working principles of PON networks, comparing GPON to other PON standards like EPON. The document also analyzes key GPON standards and specifications, describes the GPON network model reference, and reviews basic GPON performance parameters and network protection modes.
The document discusses open-source hardware for a basic GSM base station. It describes UmTRX, an open-source transceiver designed for low-cost, mid-range, power-efficient GSM base stations. The transceiver works with open-source GSM software like OpenBTS and OpenBSC. The presentation also outlines the Mayotte project, which aims to build an affordable, low-cost GSM network for the island of Mayotte using open technology.
This document summarizes the evolution of attacks against mobile networks and industry responses. It discusses past attacks against SIM cards, including cracking DES keys using error responses. More advanced SIMs are fully programmable computers running Java with various security layers, but some still have crackable cryptographic keys. The talk will cover SIM attacks, GSM intercept techniques, and efforts to ensure network operator honesty.
LTE (Long Term Evolution) communications standard (Sebas Escobar)
This document contains a summary of the history of LTE, a description of the LTE standard, the operation of LTE technology, the frequencies and speeds used when working with LTE, and some differences between LTE and WiMAX (the closest competitor to LTE).
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone... (Luca Bongiorni)
Quick overview of some case studies about: IMSI-Catcher (Stingray phone tracker), tracking phones, GPRS sniffing, GSM-R catching and DoS, POS, gambling machines, etc.
Intercepting wireless gadgets: from quadcopters to mice (Positive Hack Days)
Author: Artur Garipov (Артур Гарипов)
The talk covers general aspects of applying SDR (software-defined radio) to analysing the radio spectrum. The presenter will show how wireless devices are discovered and identified, how protocols are analysed and spoofed, how control of wireless equipment is hijacked, and the Mousejack attack.
Introduction to Packet Radio, covering keyboard to keyboard QSOs, unproto mode, nodes, routing, digipeaters, packet via the ISS, APRS and WinLink.
Covers hardware TNCs as well as software soundmodems like UZ7HO and Direwolf
The document describes BLOSMM, a system developed by AhlTek Entree Wireless to provide beyond line-of-sight mobile mesh networking capabilities. It consists of a communication payload that can be installed on small tactical UAVs to extend network connectivity to forward-deployed teams. The payload uses electronically-steered antenna technology and works with existing radios to relay voice, video and data between teams over long ranges. It is intended for both military and disaster relief applications to provide bandwidth where it is most needed.
The document summarizes a review of the Nanoxx 9600 IP satellite receiver. It has a network interface that allows for software updates and future personal video recording functionality. The receiver has a clear display, supports various languages and formats, and performed well in tests. Its channel list and transponder data could use updating, and playing recordings from the PC is not yet implemented. Overall the receiver provides full functionality with reliability.
This document provides instructions for installing and configuring OpenBTS software to create an open source GSM network. It describes the necessary hardware including a computer, USRP software defined radio, and antennas. It also outlines installing GNU Radio, Boost libraries, and OpenBTS software. The configuration section explains setting parameters such as the mobile country code, network code, frequency band, and channel in the OpenBTS configuration file.
The document provides installation and configuration instructions for OpenBTS, an open-source GSM base station. It outlines the required hardware including a computer, USRP software defined radio, and daughterboards. It also lists the necessary software including GNU Radio, OpenBTS, and Asterisk. The steps provided explain how to install and configure these components, set parameters in the OpenBTS configuration file like the mobile country code and channel number, and test that the system is functioning correctly.
Exploring LTE security and protocol exploits with open source software and lo...EC-Council
The security flaws of legacy GSM networks, which lack of mutual authentication and implement an outdated encryption algorithm, are well understood among the technology community and have been extensively discussed for years. However, my smartphone’s settings do not provide the means to shut down the GSM radio to prevent my phone from connecting to a potentially insecure GSM access point. Instead, I have the option to turn off LTE, the fastest mobile network.
This is not the only confusing aspect of mobile network security. Given LTE’s mutual authentication and strong encryption scheme result, there is a general assumption that LTE rogue base stations are not possible. However, before the connection authentication step, any mobile device implicitly trusts (and exchanges a substantial amount of messages with) any LTE base station, legitimate or not, that advertises itself with the right parameters. Such implicit trust and unprotected messages can be exploited to block mobile devices and track their location.
Finally, it is generally assumed that Stingrays and IMSI catchers are expensive equipment that require downgrading the connection of mobile devices to GSM. However, a basic fully-LTE IMSI catcher can be implemented by means of low-cost software radio and slight modification of a well known open-source implementation of the LTE stack.
This talk will present an exploration of the security of LTE networks, as well as experimentation results of passive eavesdropping threats, LTE protocol exploits to block mobile devices and a location leak that allows tracking mobile devices as the connection is handed off from tower to tower.
Dean Bubley's Presentation at Emerging Communication Conference & Awards 2009...eCommConf
This document summarizes a presentation given by Dean Bubley at the eComm Europe 2009 conference about issues with supporting voice services on LTE networks. It notes that 3GPP has standardized IMS voice (MMTel) and circuit switched fallback for LTE, but both have significant drawbacks. IMS voice has not gained traction, while circuit switched fallback requires extra network components and drops the data connection. Supporting SMS on LTE was also an afterthought and led to interoperability problems. As a result, the document argues that LTE networks may not be ready to fully replace 3G networks for providing voice and messaging services until these issues are resolved.
Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...DefconRussia
This document discusses telecom signaling attacks on 3G and LTE networks. It begins with an overview of SS7 and its role in international interconnection. It then covers the evolution to IP-based signaling standards like SIGTRAN, Diameter, and SIP. The document outlines current research areas like scanning open SS7 and GTP interfaces, exploiting femtocell vulnerabilities, and attacking core network elements over SIGTRAN. It emphasizes that each telecom environment has unique security challenges due to legacy systems.
Telecom security from ss7 to all ip all-open-v3-zeronightsP1Security
Telecom security is way more than SIP-breaking some peripheral PBXs and raking a few thousands of dollars of free calls. From the formerly closed garden of SS7 to new all-IP telecom protocols such as Diameter and LTE protocols, the telecom domain faces now both the challenges of availability -one minute of downtime costs literally millions- and signaling vulnerabilities cutting down entire countries, causing massive frauds and the all new networking protocols. These new telecom protocols are rolled out in IP-centric fashion, with its myriad of standard IP security pitfalls and vulnerabilities, as well as very specific telecom vulnerabilities. The HLR is not only using TCP/IP for OAM and business workflow, but also now being named an HSS, it uses IP-only protocols such as Diameter for its Core Network signaling operations. That means that now telecom are facing new security risks both in term of exposure and threats, with its Core Network being exposed to unsophisticated IP-centered attackers, and the continuous waves of telecom-centered defrauders. In this presentation, we'll demo the new technologies of 3G and LTE networks and how to attack and defend them. We'll also show what kind of exposure one telecom companies, Mobile Network Operators and SS7 providers shows to external attackers.
Introduction To Cellular And Wireless NetworksYoram Orzach
This document provides an overview of cellular and wireless networks. It discusses the history and evolution of 1G to 4G cellular networks, including the development of technologies like GSM, CDMA, UMTS, HSPA and LTE. It also covers the basics of wireless local area networks (WiFi) and describes the IEEE 802.11 standards including 802.11b, 802.11g and 802.11n. Finally, it discusses future trends in both cellular and wireless networks.
The document summarizes the history of mobile communication from 1G to 4G technologies. It discusses the evolution from early analog 1G systems developed in the 1970s-80s to 2G digital GSM networks in the 1980s-90s capable of voice and limited data. 3G systems launched in the late 1990s provided improved voice quality and higher speed data up to 2Mbps. Emerging 4G technologies are expected to offer data rates from 20-100Mbps. The document also provides an overview of the fundamental principles of cellular networks and discusses GSM as the most widely used 2G digital standard globally.
There was a time when mobile phones were of the size of a shoe and had no features other than calling and sms and at that time I used to play the game - Snake on my dads phone :p Now as the time has passed we have reached the age of smart phones which are capable of doing lot of stuff and world wide web of application causing serious concern where an attacker can use this platform to steal data. This issue of CHMag is dedicated Mobile/Telecom Hacking and Security.
The coverpage of this December issue was released at ClubHack 2011, India’s Pioneer International Hacking Conference held last week. Talking about ClubHack Conference, if you missed ClubHack here are the presentations available at - http://www.slideshare.net/clubhack and videos at http://www.clubhack.tv/event/2011/
We recently released CHMag's Collector's Edition Volume II. If you wish to buy the Collectors Editions (vol1 – from issue 1 to 10 & vol2- from issue 11 to 20), please write back to us: info@chmag.in. As of now its on demand printing.
Like the game - Snake, I have played lots of other games too which have reflected in the previous coverpages I have designed and yes I promise another awesome coverpage based on a game on the theme of android security which would be the theme for an upcoming issue, for which send in your articles to info@chmag.in
The document discusses the Telecommunications Technical Interest Group (TIG) at Georgia Tech, which focuses on digital communications. It provides an overview of undergraduate and graduate coursework in physical layer communications and networking. Examples are also given of research conducted at Georgia Tech on topics such as optical data storage, satellite communications using adaptive antennas, and high-speed wireless network prototypes.
This document provides an overview and review of installing and using Enigma alternative firmware on AB IPBox HD satellite receivers. It discusses why alternative firmware was more useful in the past for advanced features and unlocked potential. Installing Enigma firmware requires downloading the image file and transferring it to the receiver via USB. Some additional configuration is required to set up channels and satellites not included by default. The review finds the automatic channel scanning to be slow and additional work still needed to fully support configuring and editing the satellite lineup.
M2M, IOT, Device Managment: COAP/LWM2M to rule them all?Julien Vermillard
M2M is rapidly growing and since its early days different “standard” protocols have emerged (e.g. OMA-DM, TR-069, MQTT, …) or are emerging (e.g. CoAP or Lightweight M2M).
Understanding which protocol to use for which application can be intimidating, therefore we propose to give an overview of these protocols to help you understand their goals and characteristics.
We’ll present common M2M use cases and why they usually require more than just one protocol ; we will also see whether CoAP associated with Lightweight M2M allows to forge “one protocol to rule them all”.
The document provides an overview of the history and architecture of GSM cellular networks. It discusses the evolution from analog 1G networks to digital 2G and 2.5G networks. The key components of GSM architecture include the BTS, BSC, MSC, HLR, VLR, and AuC. GSM uses TDMA and FDMA to allow multiple users to share the frequency spectrum. It also relies on the SS7 protocol for signaling communication between network components to enable features like roaming.
The document provides an overview of the history and architecture of GSM cellular networks. It discusses the evolution from analog 1G networks to digital 2G and 2.5G networks. The key components of GSM architecture include the BTS, BSC, MSC, HLR, VLR, and AuC. GSM uses TDMA and FDMA to allow multiple users to share the frequency spectrum. It also relies on the SS7 protocol for signaling communication between network components to enable features like roaming.
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
1. Основные понятия и определения: продукт, пакет, связи между ними.
2. Как узнать, какие изменения произошли в продукте?
3. Проблемы changelog и release note.
4. Решение: инструмент ChangelogBuilder для автоматической подготовки Release Notes
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
1. Обзор Windows Docker (кратко)
2. Как мы построили систему билда приложений в Docker (Visual Studio\Mongo\Posgresql\etc)
3. Примеры Dockerfile (выложенные на github)
4. Отличия процессов DockerWindows от DockerLinux (Долгий билд, баги, remote-регистр.)
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
1. Проблемы в построении CI процессов в компании
2. Структура типовой сборки
3. Пример реализации типовой сборки
4. Плюсы и минусы от использования типовой сборки
1. Что такое BI. Зачем он нужен.
2. Что такое Qlik View / Sense
3. Способ интеграции. Как это работает.
4. Метрики, KPI, планирование ресурсов команд, ретроспектива релиза продукта, тренды.
5. Подключение внешних источников данных (Excel, БД СКУД, переговорные комнаты).
Approof — статический анализатор кода для проверки веб-приложений на наличие уязвимых компонентов. В своей работе анализатор основывается на правилах, хранящих сигнатуры искомых компонентов. В докладе рассматривается базовая структура правила для Approof и процесс автоматизации его создания.
Задумывались ли вы когда-нибудь о том, как устроены современные механизмы защиты приложений? Какая теория стоит за реализацией WAF и SAST? Каковы пределы их возможностей? Насколько их можно подвинуть за счет более широкого взгляда на проблематику безопасности приложений?
На мастер-классе будут рассмотрены основные методы и алгоритмы двух основополагающих технологий защиты приложений — межсетевого экранирования уровня приложения и статического анализа кода. На примерах конкретных инструментов с открытым исходным кодом, разработанных специально для этого мастер-класса, будут рассмотрены проблемы, возникающие на пути у разработчиков средств защиты приложений, и возможные пути их решения, а также даны ответы на все упомянутые вопросы.
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
Разработка наукоемкого программного обеспечения отличается тем, что нет ни четкой постановки задачи, ни понимания, что получится в результате. Однако даже этом надо программировать то, что надо, и как надо. Докладчик расскажет о том, как ее команда успешно разработала и вывела в промышленную эксплуатацию несколько наукоемких продуктов, пройдя непростой путь от эксперимента, результатом которого был прототип, до промышленных версий, которые успешно продаются как на российском, так и на зарубежном рынках. Этот путь был насыщен сложностями и качественными управленческими решениями, которыми поделится докладчик
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
Немногие разработчики закладывают безопасность в архитектуру приложения на этапе проектирования. Часто для этого нет ни денег, ни времени. Еще меньше — понимания моделей нарушителя и моделей угроз. Защита приложения выходит на передний план, когда уязвимости начинают стоить денег. К этому времени приложение уже работает и внесение существенных изменений в код становится нелегкой задачей.
К счастью, разработчики тоже люди, и в коде разных приложений можно встретить однотипные недостатки. В докладе речь пойдет об опасных ошибках, которые чаще всего допускают разработчики Android-приложений. Затрагиваются особенности ОС Android, приводятся примеры реальных приложений и уязвимостей в них, описываются способы устранения.
Разработка любого софта так или иначе базируется на требованиях. Полный перечень составляют бизнес-цели приложения, различные ограничения и ожидания по качеству (их еще называют NFR). Требования к безопасности ПО относятся к последнему пункту. В ходе доклада будут рассматриваться появление этих требований, управление ими и выбор наиболее важных.
Отдельно будут освещены принципы построения архитектуры приложения, при наличии таких требований и без, и продемонстрировано, как современные (и хорошо известные) подходы к проектированию приложения помогают лучше строить архитектуру приложения для минимизации ландшафта угроз.
Доклад посвящен разработке корректного программного обеспечения с применением одного из видов статического анализа кода. Будут освещены вопросы применения подобных методов, их слабые стороны и ограничения, а также рассмотрены результаты, которые они могут дать. На конкретных примерах будет продемонстрировано, как выглядят разработка спецификаций для кода на языке Си и доказательство соответствия кода спецификациям.
The document discusses preventing attacks in ASP.NET Core. It provides an overview of topics like preventing open redirect attacks, cross-site request forgery (CSRF), cross-site scripting (XSS) attacks, using and architecture of cookies, data protection, session management, and content security policy (CSP). The speaker is an independent developer and consultant who will discuss built-in mechanisms in ASP.NET Core for addressing these security issues.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
1. Introduction GSM background Passive Listening Work In Progress Conclusion
Abusing Calypso phones
Sylvain Munaut
PHDays, May 30/31, 2012
Sylvain Munaut Abusing Calypso phones
2. About the speaker
Linux and free software "geek" since 1999
M.Sc. in C.S. + some E.E.
General orientation towards low level
Embedded, Kernel, Drivers and such.
Hardware (Digital stuff, FPGA, RF, ...)
Interest in GSM projects for about 3 years
OpenBTS, OpenBSC, Airprobe, Osmocom-BB, ...
27C3 GSM Intercept demo
Mostly in my spare time
3. Outline
1. Introduction
2. GSM background
3. Passive Listening
4. Work In Progress
5. Conclusion
4. Motivation
Modify a phone to make it do what we want rather than what it was designed to.
Why?
Gain access to lower layers of the communication stack
Other projects paved the way for GSM (OpenBTS, OpenBSC, Osmocom-BB, ...)
However, not all of them allow going down to L1, and some depend on expensive hardware
Create the tool that allows security research
Just for fun: usefulness is overrated anyway
5. Today's target
Target hardware: Motorola C123
Supported by Osmocom-BB
Classic TI Calypso design
Lots of alternative platforms if needed
Some leaked sources and documentation available
Cheap (20 EUR new, down to 1 EUR on ebay)
Readily available
6. GSM background
7. GSM
Network overview
We’ll be focusing on the GSM Air Interface: Um.
8. GSM Um: Layer 1
Frequencies
Several bands
GSM-850, EGSM-900, DCS1800, PCS1900, ...
http://en.wikipedia.org/wiki/GSM_frequency_bands
Each band has two frequency ranges (FDD)
Downlink, from Network to MS (e.g. DCS1800: 1710.2 to 1784.8 MHz)
Uplink, from MS to Network (e.g. DCS1800: 1805.2 to 1879.8 MHz)
ARFCN = Absolute Radio-Frequency Channel Number
maps to a given frequency pair (UL/DL)
200 kHz spacing
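The ARFCN-to-frequency mapping described on this slide, worked out as an added example for the four bands the slide names (this is not code from the slides or from Osmocom-BB). The band constants are the ones from 3GPP TS 45.005: each band has a first ARFCN, an uplink base frequency, a 200 kHz raster and a fixed duplex spacing between uplink and downlink; the function and class names are the example's own. It also handles the two edge cases a scanner has to get right: the E-GSM extension ARFCNs 975..1023 that sit below 890 MHz, and the ARFCN range 512..810 that DCS1800 and PCS1900 share (libosmocore disambiguates with a flag bit in the ARFCN value; here an explicit `pcs` argument does the same job).

```python
"""ARFCN <-> carrier frequency for the GSM bands named on the slide.

Added example, not code from the slides or from Osmocom-BB.  Band constants
follow 3GPP TS 45.005 section 2; all names here are the example's own.
"""
from dataclasses import dataclass
from typing import Tuple

SPACING_MHZ = 0.2  # the 200 kHz channel raster mentioned on the slide


@dataclass(frozen=True)
class Band:
    name: str
    # (first ARFCN, last ARFCN, n0): uplink = ful_base_mhz + 0.2 * (arfcn - n0)
    ranges: Tuple[Tuple[int, int, int], ...]
    ful_base_mhz: float
    duplex_mhz: float  # downlink = uplink + duplex spacing


BANDS = (
    Band("GSM-850", ((128, 251, 128),), 824.2, 45.0),
    # E-GSM: ARFCN 0..124 sit above 890 MHz, 975..1023 below it (n - 1024 < 0)
    Band("EGSM-900", ((0, 124, 0), (975, 1023, 1024)), 890.0, 45.0),
    Band("DCS1800", ((512, 885, 512),), 1710.2, 95.0),
    Band("PCS1900", ((512, 810, 512),), 1850.2, 80.0),
)


def arfcn_to_freq(arfcn: int, pcs: bool = False) -> Tuple[str, float, float]:
    """Return (band, uplink MHz, downlink MHz) for an ARFCN.

    DCS1800 and PCS1900 reuse ARFCNs 512..810, so the number alone is
    ambiguous: `pcs` selects PCS1900 (libosmocore resolves the same
    ambiguity with a flag bit inside the ARFCN value).
    """
    for band in BANDS:
        if band.name == "PCS1900" and not pcs:
            continue
        if band.name == "DCS1800" and pcs:
            continue
        for lo, hi, n0 in band.ranges:
            if lo <= arfcn <= hi:
                ul = band.ful_base_mhz + SPACING_MHZ * (arfcn - n0)
                dl = ul + band.duplex_mhz
                # round() hides binary float noise such as 1784.8000000000002
                return band.name, round(ul, 1), round(dl, 1)
    raise ValueError(f"ARFCN {arfcn} (pcs={pcs}) is outside the supported bands")


def downlink_to_arfcn(freq_mhz: float) -> Tuple[str, int]:
    """Map a downlink carrier (what a passive listener hears) back to (band, ARFCN).

    The downlink frequency ranges of the four bands do not overlap, so this
    direction needs no PCS hint.
    """
    for band in BANDS:
        ul = freq_mhz - band.duplex_mhz
        offset = (ul - band.ful_base_mhz) / SPACING_MHZ  # channels above n0
        for lo, hi, n0 in band.ranges:
            n = round(offset) + n0
            on_raster = abs(offset + n0 - n) < 1e-3  # reject off-grid frequencies
            if on_raster and lo <= n <= hi:
                return band.name, n
    raise ValueError(f"{freq_mhz} MHz is not a GSM downlink carrier in a supported band")


if __name__ == "__main__":
    for arfcn, pcs in ((1, False), (975, False), (128, False), (885, False), (512, True)):
        band, ul, dl = arfcn_to_freq(arfcn, pcs)
        print(f"ARFCN {arfcn:4d} {band:9s} UL {ul:7.1f} MHz  DL {dl:7.1f} MHz")
    print(downlink_to_arfcn(1879.8))
```

Running the block prints the UL/DL pair for one ARFCN per band; the reverse lookup is what a cell scanner uses to label a power peak it found on the downlink with a band and ARFCN before attempting FCCH/SCH acquisition on it.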
9. GSM Um: Layer 1
TDMA
Fully synchronous
Described as a TDMA nightmare
Each frame in multi-frame has a specific purpose
1 frame = 8 timeslots (bursts)
Physical channel = 1 timeslot on 1 ARFCN
10. GSM Um: Layer 1
Bursts
4 types of bursts:
Normal burst: used to carry "real" data traffic.
Frequency correction burst (FCCH): allows the MS to sync its clock and get coarse TDMA timing
Synchronization burst (SCH): allows the MS to precisely sync to the TDMA structure
Access burst (RACH): used by the MS to request a dedicated channel
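The "TDMA nightmare" of slide 9 and the burst types of slide 10 come together in the frame numbering, so here is an added example (not code from the slides or from Osmocom-BB) that works it through: splitting a frame number into the (T1, T2, T3) triple the SCH carries, recovering the frame number from decoded SCH fields, and mapping a frame to the logical channel, and thus the burst type, a listener should expect on timeslot 0 of the beacon carrier. The layout follows 3GPP TS 45.002: FCCH at T3 = 0, 10, 20, 30, 40; SCH one frame later; BCCH at 2..5; idle at 50; the remainder CCCH, or SDCCH/4 and its SACCH in the combined configuration. Function names are the example's own.

```python
"""GSM TDMA frame numbering and the 51-multiframe layout of timeslot 0.

Added example, not code from the slides or from Osmocom-BB.  The arithmetic
and the channel layout follow 3GPP TS 45.002; names are the example's own.
"""
from typing import Tuple

FRAMES_PER_SUPERFRAME = 26 * 51            # 1326 frames
HYPERFRAME = FRAMES_PER_SUPERFRAME * 2048  # 2715648 frames, then FN wraps (~3h28)
SCH_FRAMES = (1, 11, 21, 31, 41)           # T3 values that carry a synchronization burst


def fn_to_t1_t2_t3(fn: int) -> Tuple[int, int, int]:
    """Split a frame number into T1 (superframe), T2 (26-MF position), T3 (51-MF position)."""
    if not 0 <= fn < HYPERFRAME:
        raise ValueError(f"frame number {fn} out of range")
    return fn // FRAMES_PER_SUPERFRAME, fn % 26, fn % 51


def t1_t2_t3_to_fn(t1: int, t2: int, t3: int) -> int:
    """Inverse of fn_to_t1_t2_t3: FN = 51 * ((T3 - T2) mod 26) + T3 + 51 * 26 * T1."""
    return 51 * ((t3 - t2) % 26) + t3 + FRAMES_PER_SUPERFRAME * t1


def sch_fields(fn: int) -> Tuple[int, int, int]:
    """(T1, T2, T3') as packed into the SCH burst.

    T3 is sent reduced to T3' = (T3 - 1) // 10 because the SCH only exists in
    five T3 positions, so three bits are enough.
    """
    t1, t2, t3 = fn_to_t1_t2_t3(fn)
    if t3 not in SCH_FRAMES:
        raise ValueError(f"frame {fn} (T3={t3}) carries no SCH")
    return t1, t2, (t3 - 1) // 10


def sch_to_fn(t1: int, t2: int, t3_prime: int) -> int:
    """Recover the full frame number from decoded SCH fields, as an MS does when it syncs."""
    return t1_t2_t3_to_fn(t1, t2, 10 * t3_prime + 1)


def ts0_channel(fn: int, combined: bool = False) -> str:
    """Logical channel on timeslot 0 of the beacon carrier (downlink) for frame `fn`.

    combined=False: BCCH + CCCH only.  combined=True: the CCCH+SDCCH/4
    configuration of small cells, where frames 22..49 carry SDCCH/4 and its
    SACCH instead of further CCCH blocks.
    """
    t3 = fn % 51
    if t3 == 50:
        return "IDLE"
    if t3 % 10 == 0:
        return "FCCH"
    if t3 % 10 == 1:
        return "SCH"
    if 2 <= t3 <= 5:
        return "BCCH"
    if combined:
        if 22 <= t3 <= 29 or 32 <= t3 <= 39:
            return "SDCCH/4"
        if 42 <= t3 <= 49:
            return "SACCH/C4"
    return "CCCH"  # paging / access grant blocks


BURST_FOR_CHANNEL = {
    "FCCH": "frequency correction burst",
    "SCH": "synchronization burst",
    "IDLE": "none (idle frame)",
}


def ts0_burst_type(fn: int, combined: bool = False) -> str:
    """Which of the slide's burst types to expect on TS0 for frame `fn`.

    Everything that is not FCCH, SCH or idle travels in normal bursts; the
    access burst (RACH) only ever appears on the uplink.
    """
    return BURST_FOR_CHANNEL.get(ts0_channel(fn, combined), "normal burst")


if __name__ == "__main__":
    print("FN 1000 ->", fn_to_t1_t2_t3(1000), "SCH fields", sch_fields(1000))
    for t3 in range(51):
        print(f"T3={t3:2d} {ts0_channel(t3):8s} {ts0_burst_type(t3)}")
```

A passive listener that has decoded one SCH knows the current frame number via `sch_to_fn` and can then predict, frame by frame, which burst type and logical channel each timeslot-0 burst belongs to; that schedule is exactly what the DSP tasks discussed later have to follow.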
11. Passive Listening
12. A bit of history
Osmocom-BB is a Free Software GSM baseband implementation.
Early timeline (2010):
Early February: Osmocom-BB is initiated
Late February: Osmocom-BB is announced publicly
BCCH reception mostly
March-July: Progressive work to get TX, SDCCH, LUR, ...
August: First phone call
Already a big advance
Full L2 & L3 control on the MS side
But I wanted more ;)
13. Goal
Turn a phone into a passive listener
Raw bursts data
Uplink and Downlink
Frequency Hopping
Timeline
Work started almost directly after Osmocom-BB was initiated
First prototype in Q3 2010
Shown at Deepsec 2010 & 27C3
14. Typical RX path
Antenna: not an issue, can be replaced if needed
RX filter: not an issue for lab tests, can be removed if needed
RF mixer: tests show it works just fine when tuned to either UL or DL
Analog baseband: not an issue
DSP core: ROM based and limited. Need a solution.
ARM core: firmware under our control thanks to osmocom-bb
Host interface: serial can be made fast enough
15. DSP
The problem
ROM based firmware
But supports executing code from RAM
Official firmware loads 'patches' somehow (bug fixes, ...)
The ARM schedules "tasks" to be executed by the DSP
No existing task does what we want
DSP converts from L2 packets to L1 bursts internally
Need to patch it
Dump ROM
Analyze it and figure how patching works
Write custom "tasks" to do what we want
16. DSP
Dumping (1)
Architecture
Distinct program, data & IO address space
Different instructions to access them
Some zones mapped in both program and data space
Communicates with the ARM by shared memory zone
Called API RAM
Mapped in both program and data address space
ROM Bootloader
Leaked TSM30 sources hinted at a ROM bootloader
TI documentation for a similar DSP provided the details
Allows downloading custom code/data and jumping to it
Reading ROM
Upload custom stub to copy chunk of ROM to API RAM
But it didn't work ... only read 0xffff
Security feature: code executing from RAM can't read ROM
DSP
Dumping (2)
If we can’t read the ROM from code executing from RAM, we’ll
have to read it from code executing from ROM ...
There has to be a memcpy equivalent somewhere
Look at known DSP code for this architecture
Often inlined, so only part will be usable
Looking for:
mvdd *AR?, *AR? for data space
reada *AR? for program space
Bruteforce it
1 Use bootloader to launch stub
2 Setup registers with a 'guess'
3 Jump to a location
4 Halt the DSP from the ARM a bit later
5 Check for result in API RAM
6 Retry ...
DSP
Dumping (3)
Program space
Data space
The ret instructions are added bonuses
DSP
Analyzing (1)
CPU supported by IDA Pro Advanced
Added support for IO port definitions and memory mappings
Now in mainline
Entry point is known
Mix of C and hand-crafted assembly
No clear conventions
Lots of indirect calls
Using function pointers in RAM copied from ROM at startup
We can replace those with our own!
This is how to add custom tasks, extend the DSP, ...
Screws a bit with IDA autoanalysis
Several different tables and call mechanisms
DSP
Analyzing (2)
Use interrupts and IO access to trace important functions
Frame interrupt: Tasks
DMA interrupt: IQ samples buffer and demodulation
A5 unit IO: Cipher setup
DMA unit IO: Burst RX setup
RIF unit IO: Burst TX buffer
And finally write custom task to do what we want ...
Work In Progress
Phone as a BTS
Goal
Attempt to convert a phone into a working BTS
Not full featured, not compliant with specs, ...
Provide minimal service
Motivation
Another cheap tool for GSM research
Fuzz cell phones
Portable fake BTS
Just prove it’s doable
First post on the mailing list about this was about 2 years ago
Only the base idea, no real work done
First very rough work at CCCamp 11
Idea popped up again at OsmoDevCon 2012
Phone as a BTS
Differences between MS & BTS
What does a BTS do that a phone doesn't?
Layer 1:
Uplink / Downlink frequencies
Simultaneous RX & TX
Continuous C0 beacon to allow the phone to 'find' the cell
MS usually transmits 3 timeslots after it receives
Transmit FCCH / SCH
Receive RACH
Clock master
Layer 2 & 3: Role swapped
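The beacon duties listed above (continuous C0, FCCH/SCH transmission) and the SCH decoding a passive listener does are both fixed by the 51-multiframe layout. As an added example that is not code from the slides, Osmocom-BB or OpenBTS, the following assumes the non-combined BCCH/CCCH layout on timeslot 0 of C0 from 3GPP TS 45.002 and shows which burst the BTS sends in a given TDMA frame, plus the reduced frame number (T1, T2, T3') that the SCH burst carries and that the listener inverts to recover the full frame number.

```python
# Added example; not code from the slides or from Osmocom-BB/OpenBTS.
# Burst scheduled on C0/TS0 for a TDMA frame number (non-combined BCCH/CCCH
# layout of the 51-multiframe, 3GPP TS 45.002) and the reduced frame number
# carried in the SCH burst, which a passive listener decodes to recover FN.

FCCH_FRAMES = {0, 10, 20, 30, 40}     # frequency correction bursts
SCH_FRAMES = {1, 11, 21, 31, 41}      # synchronisation bursts
BCCH_FRAMES = set(range(2, 6))        # one BCCH block = 4 normal bursts
IDLE_FRAME = 50                       # nothing scheduled, but C0 must keep radiating


def c0_ts0_burst(fn):
    """Burst type the beacon transmits on C0/TS0 in TDMA frame number fn."""
    pos = fn % 51
    if pos in FCCH_FRAMES:
        return "FCCH"
    if pos in SCH_FRAMES:
        return "SCH"
    if pos in BCCH_FRAMES:
        return "BCCH"
    if pos == IDLE_FRAME:
        return "DUMMY"
    return "CCCH"   # paging / access grant blocks; dummy burst if nothing pending


def sch_reduced_fn(fn):
    """Split fn into the (T1, T2, T3') SCH fields; only defined on SCH frames."""
    t3 = fn % 51
    if t3 not in SCH_FRAMES:
        raise ValueError("frame %d carries no SCH burst" % fn)
    t1 = fn // (26 * 51)          # superframe counter, 11 bits
    t2 = fn % 26                  # position inside the 26-multiframe, 5 bits
    t3p = (t3 - 1) // 10          # 3 bits: SCH only occurs at t3 = 1, 11, ..., 41
    return t1, t2, t3p


def fn_from_sch(t1, t2, t3p):
    """Rebuild the full frame number from the SCH fields (the listener's side)."""
    t3 = 10 * t3p + 1
    return 51 * ((t3 - t2) % 26) + t3 + 51 * 26 * t1


def sch_info_bits(bsic, fn):
    """Pack the 25 SCH information bits in field order: BSIC(6) T1(11) T2(5) T3'(3)."""
    t1, t2, t3p = sch_reduced_fn(fn)
    return (bsic << 19) | (t1 << 8) | (t2 << 3) | t3p
```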
Phone as a BTS
Typical TX & RX path
Phone as a BTS
Proof of concept
DSP patch
FCCH, SCH, NB & Dummy TX
Multi slot TX
RACH detection (detect with power and send IQ samples to host)
Use OpenBTS
Already split between main OpenBTS and actual radio interface
Replace the transceiver
Attempt half duplex operation
Timeslot layout: Tt R ttt
Use commercial cell as timing reference
Phone as a BTS
Spectrum view
Multiframe
Zoom
Phone as a BTS
Demonstration
Hopefully, it'll work ...
Keep in mind:
Just a proof of concept
Long way to go to clean it up and make it usable and reliable
Thanks
Thanks to anyone contributing to the various Open Source GSM / GSM security projects. Most notably here:
Harald "LaF0rge" Welte
Dieter Spaar
David Burgess and his team at KestrelSP
Andreas "jolly" Eversberg
Steve "steve-m" Markgraf
And of course, thanks to the PHDays team for having me here.
Further reading
Airprobe http://airprobe.org/
OsmocomBB http://bb.osmocom.org/
OpenBSC http://openbsc.osmocom.org/
OpenBTS http://openbts.sourceforge.net/
GSM Specs http://webapp.etsi.org/key/queryform.asp