[Noisebridge-discuss] Noisebridge (GSM) cell phone equipment

Jonathan Lassoff jof at thejof.com
Sat Mar 7 05:16:54 UTC 2009


Encapsulated within <49B091D7.8020709 at appelbaum.net> on Thu, Mar 05, 2009 at 07:00:39PM -0800, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> From: Jacob Appelbaum <jacob at appelbaum.net>
> To: "noisebridge-discuss at lists.noisebridge.net" <noisebridge-discuss at lists.noisebridge.net>
> Subject: [Noisebridge-discuss] Noisebridge (GSM) cell phone equipment
> 
> Most interestingly is a cell phone base station. Technically, it's a GSM
> Base Transceiver Station: http://bs11-abis.gnumonks.org/trac/wiki/BS11

After you mentioned picking this up, it struck my curiosity (awakening
the inner phreak?) and I started reading a little about GSM signalling
and some of the protocols spoken over the air and then wire/fibre.

I have yet to get a chance to poke around with some real bitstreams, but
I would definitely be interested in examining some real mobile
stations.

> 
> I also have a few extra GSM phones and some extra SIM cards (a few
> functional, a few non-functional). I'll bring these in soon and we can
> use them for whatever it is that we need to use them for...
> 
> My hope for the BS-11 is to use it with OpenBSC:
> http://bs11-abis.gnumonks.org/trac/wiki/OpenBSC

Wow! Amazing work this team has done reversing support for this BTS
(Base Transceiver Station) and getting it to work with their system.
This seems like the kind of setup that could be installed for regular
use / research.

> 
> Additionally, I'm working on acquiring the proper daughter board for my
> USRP. If all goes well, we'll be able to run OpenBTS with such a setup:
> http://gnuradio.org/trac/wiki/OpenBTS

Another amazing GSM project. Their write-up of their experience at
Burning Man is a treat: http://www.kestrelsp.com/FieldTest/index.html
This seems like a more ideal research platform since one can interact with
the RF spectrum all the way up to the data payloads directly.
Maybe not so great for regular use since it would tie up a USRP and
related daughterboards while online.

> That should give us two totally different GSM networks in our space, it
> should be useful for anyone interested in GSM hardware, security,
> implementation, etc.

While reading about what's going on over the wireless/air interface, I
became interested in a couple of potential areas of study.

Tracking mobile stations - while their IMEI/IMSI identity is supposedly
protected by generating a unique identifier (TMSI) with a mobile
carrier. Apparently, it may be possible to get a mobile station to
reveal its IMEI/TMSI mapping by running a rogue transceiver/controller.
I'm curious to observe the normal operation of mobile stations on normal
networks.

Implementation bugs - mobile stations also speak LAPD/ITU Q.92{0,1}
(ISDN flashbacks!) over a control channel to a Base Station Controller.
How robust do you think a system implemented by a small number of
vendors interacting with an even smaller number of carriers is? I'm
guessing we might be able to find at least some bugs fuzzing around at this
layer.

> It also looks like David Burgess is interested in giving a talk about
> OpenBTS next week at 83c.

Squee! Can't wait!

> Is anyone other than me interested in this stuff?

Phones? Ever since I got kicked out of a Pacific Bell CO as a kid :)

--j
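The LAPD (ITU-T Q.921) framing mentioned in the message above is small enough to decode by hand, and a strict decoder is the first thing a defender wants when looking at a control channel for robustness problems: it shows what a well-formed frame looks like and rejects everything else before it reaches higher layers. The following Python decoder is an added example written for this archive page; it is not code from the thread, from OpenBSC or from OpenBTS. It assumes frames have already had their HDLC flags and FCS stripped, and the sample frames, including the four-byte "OML" payload, are constructed placeholders.

```python
"""Strict LAPD (ITU-T Q.921) frame decoder: address field, control field, info.

Added example for this mailing-list page; not code from the thread or from
OpenBSC/OpenBTS. Input is assumed to be a raw frame with HDLC flags and FCS
already removed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Unnumbered frame commands/responses with the P/F bit (bit 5, 0x10) masked out.
U_FRAME_TYPES = {
    0x6F: "SABME", 0x0F: "DM", 0x03: "UI", 0x43: "DISC",
    0x63: "UA", 0x87: "FRMR", 0xAF: "XID",
}
# Supervisory frame codes carried in bits 3-4 of the first control octet.
S_FRAME_TYPES = {0: "RR", 1: "RNR", 2: "REJ"}

# SAPI values used on the Abis link (GSM 08.56): 0 = RSL, 62 = OML, 63 = L2 management.
ABIS_SAPI_NAMES = {0: "RSL", 62: "OML", 63: "L2MGMT"}


class LapdDecodeError(ValueError):
    """Raised for any frame that violates the Q.921 frame layout."""


@dataclass
class LapdFrame:
    sapi: int
    cr: int            # command/response bit
    tei: int
    kind: str          # "I", "S" or "U"
    name: str          # "I", RR/RNR/REJ, or the U-frame command name
    ns: Optional[int]  # N(S) for I frames
    nr: Optional[int]  # N(R) for I and S frames
    pf: int            # poll/final bit
    info: bytes


def decode_lapd(frame: bytes) -> LapdFrame:
    """Decode one LAPD frame, rejecting truncated or malformed fields."""
    if len(frame) < 3:
        raise LapdDecodeError("frame shorter than address + control field")
    a1, a2 = frame[0], frame[1]
    # Address extension bits: first octet EA=0 (address continues), second EA=1.
    if (a1 & 0x01) != 0 or (a2 & 0x01) != 1:
        raise LapdDecodeError("bad address extension bits")
    sapi, cr, tei = a1 >> 2, (a1 >> 1) & 0x01, a2 >> 1

    c1 = frame[2]
    if (c1 & 0x01) == 0:
        # I frame: two control octets, N(S) in the first, P + N(R) in the second.
        if len(frame) < 4:
            raise LapdDecodeError("truncated I-frame control field")
        c2 = frame[3]
        return LapdFrame(sapi, cr, tei, "I", "I", c1 >> 1, c2 >> 1, c2 & 1, frame[4:])

    if (c1 & 0x03) == 0x01:
        # S frame: bits 5-8 of the first octet must be zero, no info field allowed.
        if len(frame) < 4:
            raise LapdDecodeError("truncated S-frame control field")
        if c1 & 0xF0:
            raise LapdDecodeError("reserved bits set in S-frame control octet")
        code = (c1 >> 2) & 0x03
        if code not in S_FRAME_TYPES:
            raise LapdDecodeError("undefined S-frame code")
        if frame[4:]:
            raise LapdDecodeError("S frame must not carry an information field")
        c2 = frame[3]
        return LapdFrame(sapi, cr, tei, "S", S_FRAME_TYPES[code], None, c2 >> 1, c2 & 1, b"")

    # U frame: single control octet, P/F in bit 5, remaining bits identify the command.
    name = U_FRAME_TYPES.get(c1 & 0xEF)
    if name is None:
        raise LapdDecodeError("unknown U-frame command 0x%02x" % c1)
    return LapdFrame(sapi, cr, tei, "U", name, None, None, (c1 >> 4) & 1, frame[3:])


def safe_decode(frame: bytes) -> Tuple[Optional[LapdFrame], Optional[str]]:
    """Decode without raising: returns (frame, None) or (None, reason)."""
    try:
        return decode_lapd(frame), None
    except LapdDecodeError as exc:
        return None, str(exc)


def describe(frame: bytes) -> str:
    """One-line human summary, useful when walking a capture of a control channel."""
    decoded, err = safe_decode(frame)
    if decoded is None:
        return "MALFORMED: %s" % err
    sapi_name = ABIS_SAPI_NAMES.get(decoded.sapi, "SAPI%d" % decoded.sapi)
    return "%s tei=%d %s ns=%s nr=%s pf=%d info=%d bytes" % (
        sapi_name, decoded.tei, decoded.name, decoded.ns, decoded.nr, decoded.pf, len(decoded.info))


# Constructed sample frames (not captured traffic): SABME on SAPI 0, an I frame on
# SAPI 62 with a placeholder payload, an RR with P=1, and three malformed frames.
SAMPLE_FRAMES = [
    bytes([0x02, 0x03, 0x7F]),                                   # SABME, C/R=1, TEI 1
    bytes([0xF8, 0x01, 0x06, 0x0A, 0x80, 0x80, 0x00, 0x0B]),     # I, N(S)=3 N(R)=5
    bytes([0x00, 0x03, 0x01, 0x0F]),                             # RR, N(R)=7, P=1
    bytes([0x02, 0x02, 0x7F]),                                   # EA bits wrong
    bytes([0x02]),                                               # too short
    bytes([0x00, 0x03, 0x01, 0x0F, 0x55]),                       # RR with info field
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(f.hex(), "->", describe(f))
```

The decoder deliberately refuses anything the spec leaves undefined (reserved bits, unknown U-frame codes, an S frame with a payload) rather than guessing, which is the behaviour you want in a layer that sits between untrusted radio equipment and a controller.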