From fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 Mon Sep 17 00:00:00 2001
From: Harald Welte
Date: Sun, 25 Oct 2015 21:00:20 +0100
Subject: import of old now defunct presentation slides svn repo

---
 2009/airprobe-har2009/airprobe.mgp | 176 +++++++++++++++++++++++++++++++++++++
 2009/airprobe-har2009/default.mgp | 21 +++++
 2 files changed, 197 insertions(+)
 create mode 100644 2009/airprobe-har2009/airprobe.mgp
 create mode 100644 2009/airprobe-har2009/default.mgp
(limited to '2009/airprobe-har2009')
diff --git a/2009/airprobe-har2009/airprobe.mgp b/2009/airprobe-har2009/airprobe.mgp
new file mode 100644
index 0000000..ab4d6c0
--- /dev/null
+++ b/2009/airprobe-har2009/airprobe.mgp
@@ -0,0 +1,176 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+Airprobe
+
+%size 5
+Monitoring GSM traffic
+with USRP
+
+%center
+%size 4
+by
+
+Harald Welte
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Monitoring GSM traffic
+Why?
+
+
+Why would you monitor GSM traffic
+ For the same reason you might monitor other networks
+ To learn and experiment with technology
+ To boldly go where no [free] man has gone before ;)
+ Practical demonstration of known GSM security problems
+ Raise public awareness abut GSM [in]security
+ thus increase the incentive for the market to improve
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Monitoring GSM traffic
+Legal Disclaimer
+
+
+Legal Disclaimer
+ Don't try this with public networks!
+ GSM operates on LICENSED spectrum
+ Most countries have telecommunications privacy laws!
+ Only capture/mointor/analyze traffic of your own networks
+ The software is strictly for research purpose only
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Monitoring GSM traffic
+Airprobe.org
+
+
+What is airprobe.org?
+ A platform for various GSM protocol decoding software
+ Including web site, wiki, mailing list, git repository
+ Formed by people who first met at the THC GSM list
+ Now hosted by the Chaos Computer Club
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Monitoring GSM traffic
+Airprobe.org
+
+What is our goal?
+ To produce a 100% open source GSM protocol decoder
+ using gnuradio Software Defined Radio (SDR)
+ GSM layer 1 demodulation / decode
+ GSM TDMA demultiplex
+ recombining bursts into mac blocks
+ handing off mac blocks to protocol analyzer like wireshark
+ implement missing dissectors in wireshark
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Monitoring GSM traffic
+What's SDR?
+
+
+ Software defined radio
+ a modern technique where analog hardware is replaced by software
+ digital signal processing replaces analog electronics
+ Variants
+ directly capturing carrier frequency with ADC
+ expensive, only for low/medium carrier frequencies
+ very high computing power required
+ replaces all analog parts by digital parts
+ downconverting before ADC using analogue mixer
+ most commonly found SDR variant today
+ replaces only detection/demodulation/synchronization
+ demodulating in hardware and using ADC for baseband
+ not really SDR, more like traditional analogue receiver
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Monitoring GSM traffic
+What's gnuradio?
+
+ gnuradio is
+ a GPL licensed FOSS project for SDR
+ for general-purpose PC rather than special DSP
+ implements building blocks like filters, demodulators, fft
+ uses python scripts to glue bulding blocks together
+ portable, runs on Linux/BSD/MacOS/Windows
+ supports different SDR and data acquisition hardware
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Monitoring GSM traffic
+What's the USRP?
+
+ USRP is
+ Universal Software Radio Peripheral
+ A open hardware project for SDR hardware
+ provides the ideal companion for gnuradio
+ modular mainboard with FPGA and ADC/DAC
+ pluggable Rx and Tx frontends
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Monitoring GSM traffic
+Using USRP for GSM
+
+ USRP mainboard with one of the following frontends
+ USRP RFX900 frontend for GSM 850/900
+ USRP RFX1800 frontend for GSM 1800/1900
+ DBSRX frontend for GSM 850/900/1800/1900
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Monitoring GSM traffic
+Airprobe.org software
+
+ gsmsp
+ gssm
+ the two early implementations by Joshua Lockey
+ considered alpha-level, many receive errors even with good signal
+ gsm-tvoid
+ For a long time the best decoder by tvoid
+ very comfortable UI
+ gsm-receiver
+ Latest GSM decoder by Piotr Krysik
+ much better decoding
+ gsmdecode
+ GSM layer2+ decoder from hex bytes to human readable
+ gsmstack
+ GSM MAC layer from demodulated bits to MAC blocks
+ A5.1
+ A5/1 algorithm in C, MyHDL, CUDA and Verilog
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Monitoring GSM traffic
+Thanks
+
+
+Thanks to
+ zecke, alphaone, Stefan, Jan for their work on OpenBSC
+ W. for his extensive A-bis protocol traces and MA-10
+ Dieter Spaar for his most excellent input
+ Karsten Keil for mISDN
+ Andreas Eversberg for LCR interface and HFC-E1 driver
+ Stichting Hxx for getting the license
+ all the voluntary testers at HAR2009
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Monitoring GSM traffic
+Live Demo
+
+
+LIVE DEMO
diff --git a/2009/airprobe-har2009/default.mgp b/2009/airprobe-har2009/default.mgp
new file mode 100644
index 0000000..a0fcfc2
--- /dev/null
+++ b/2009/airprobe-har2009/default.mgp
@@ -0,0 +1,21 @@
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%
+%% This default.mgp is "Xft2" oriented.
+%deffont "standard" xfont "serif"
+%deffont "thick" xfont "sans-serif"
+%deffont "typewriter" xfont "monospace"
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%
+%% Default settings per each line numbers.
+%%
+%default 1 area 90 90, leftfill, size 2, fore "white", back "black", font "thick"
+%default 2 size 7, vgap 10, prefix " "
+%default 3 size 2, bar "gray70", vgap 10
+%default 4 size 5, fore "white", vgap 30, prefix " ", font "standard"
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%
+%% Default settings that are applied to TAB-indented lines.
+%%
+%tab 1 size 5, vgap 40, prefix " ", icon box "green" 50
+%tab 2 size 4, vgap 40, prefix " ", icon arc "yellow" 50
+%tab 3 size 3, vgap 40, prefix " ", icon delta3 "white" 40
-- 
cgit v1.2.3