Sat, 31 Jul 2010
Extending Airprobe's gsm-receiver

I spent some time extending Airprobe's gsm-receiver so that it can now be used to almost fully decode the downlink traffic of a non-hopping, single-ARFCN cell. "Almost" means that it does not yet support half-rate speech TCH channels or TCH data channels (which are not widely used anyway now that GPRS exists).

It might not be obvious, but I was also responsible for the speech decoding/decrypting in gsm-receiver. In June 2009 I wrote a tool, based mainly on parts of OpenBTS, to solve a little "challenge" that Piotr Krysik posted on the Airprobe mailing list: get the speech out of a USRP capture. This standalone tool was later integrated into gsm-receiver by Piotr. So now at least you know who to blame for the OpenBTS code that ended up in gsm-receiver ;-).

Besides being used in Karsten Nohl's A5/1 cracking attack, those features of gsm-receiver are quite handy for debugging OpenBSC or OpenBTS in the downlink direction.

A short tutorial of how to use gsm-receiver can be found here.

One of the next steps I plan to take is implementing the uplink direction. Please don't ask when this will be ready. If someone else is already working on it, please let me know so that the same work is not done twice.

Starting to blog

I finally decided to start writing a small blog about what I am working on. The reason is that these days, without talking or writing about what you do, your work won't get noticed, or others might take what you have done and claim it's theirs.

