Shulou(Shulou.com)06/01 Report--

What is the principle of GSM SMS sniffing? I believe many inexperienced people don't know what to do about it. Therefore, this paper summarizes the causes and solutions of the problem. Through this article, I hope you can solve this problem.

A preliminary study of GSM

You should all have heard of the HTTP protocol and the WEB service, and there is a protocol working behind every service. The so-called "no rules can not be square", what is said is this truth, every small part has been stipulated, as long as it is implemented in accordance with the agreement, there will be no problems. Similarly, GSM mobile phones can make calls, which is inseparable from the support of relevant protocols. Here is an introduction to the GSM protocol. Global Mobile Communication system (Global System for Mobile Communication), known as GSM, is the most widely used mobile phone standard at present. More than 1 billion people in more than 200 countries and regions around the world are using GSM phones.

GSM is a cellular network, the reason for cellular network is because of a mathematical conclusion, that is, covering a plane with a circle of the same radius, when the center of the circle is in the center of each regular hexagon of the regular hexagonal grid, that is, when the center of the circle is in the lattice point of the regular triangular grid, the number of circles used is the least. As an operator, in order to consider the cost, will not build a large number of redundant base stations, then the use of cellular network can cover the area and reduce the number of base stations, which is not very good? Yeah, that's good. Let's talk about the base station together.

Approach the base station

First of all, look at a picture, this is the base station. Everyone must have seen it, but have you ever noticed that there is always a small house under the tower? what is in that house? Please look at the picture. It's just a bunch of machines. What on earth is in it? The group is composed of base station subsystem (base station BS), which is composed of base station transceiver station (BTS) and base station controller (BSC). The network subsystem is composed of mobile switching center (MSC) and operation and maintenance center (OMC), as well as local location register (HLR), access location register (VLR), authentication center (AUC) and equipment sign register (EIR).

Explore the communication mode between base station and mobile phone

On this topic, let's talk about how the base station communicates with the mobile phone. Here is only a general introduction, because the water in it is very deep, and our understanding is not particularly clear.

First of all, explain some common situations, why mobile phone cards belong to different places? Why are local calls cheap and long-distance expensive? Why do you charge roaming fees? What do you exchange with the base station when the phone turns on the search signal? What did you exchange with the base station when the phone was turned off? Next, I will uncover the fog for you.

In the base station section, we analyze the composition of the base station, in which there is an in-situ location register (HLR). The HLR stores local mobile phone number information, while the access location register (VLR) stores foreign mobile phone number information. By judging the place of ownership of the mobile phone number, you can distinguish between local and non-local mobile phones, which is the reason to distinguish the place of belonging.

When you make a call, you will first make a request to the base station. The base station will determine the base station where the mobile phone number is located, and then establish a connection with the base station and the target mobile phone. For the target is local, the data will only be transmitted in the local base station system, which is equivalent to the local area network in the computer, so the price is cheap. When the target mobile phone is not local, it is necessary to connect to the base station outside the place. The transmission distance is long, and the process is relatively complex. Therefore, the fee is higher.

When I am out of town, have you ever thought about how the base station finds you when others call you? In fact, the base station to which your mobile phone is connected all the time, when you are out of town, the connected base station will register in the access location register (VLR), request relevant information from the base station of origin, and tell each other its location, so that the base station of origin will know its location. At this point, others will dial their own phone first through the local base station-> current base station-> mobile phone, so additional roaming charges are required. There is not much difference between local dialing and local dialing.

The base station will constantly broadcast its own signal and related information. As long as the mobile phone searches for the signal, it can choose the corresponding connection. During the connection process, it will register some information, such as Imel, mobile phone number and so on. When your mobile phone is turned off normally, it will also send a logout message to the base station, so that when someone calls your phone, it will tell you that it has been turned off. If your mobile phone is suddenly powered off, it will be accidentally disconnected from the base station, and the base station side does not complete the normal logout operation, so that when someone calls you, it will prompt you to be temporarily unable to connect or not in the service area.

Speaking of which, in the face of a large base station, the base station itself will not communicate with you for signals in a particular direction, but will send signals in the form of broadcasting around. Then it can be said that our mobile phones can actually receive signals from other mobile phones, yes, that's right, this is wireless, unlike cable, which has a special line, as long as the received signal is decrypted, you can sniff other people's text messages and voice calls. You can even fake someone else's identity to make a phone call (of course, if you can break through the current authentication methods). This is the end of the story about base stations and mobile phones. Next, I would like to introduce the famous project OsmocomBB that cracked GSM.

Introduction of OsmocomBB Project

I talked about the magical OsmocomBB project before, so this section will give a brief introduction.

OsmocomBB is a foreign open source project, is the open source implementation of GSM protocol stack (Protocols stack), the full name is Open source mobile communication Baseband. The aim is to realize the three-layer implementation of the mobile phone from the physical layer (layer1) to the layer3.

In this respect, the domestic Chinese material is very good, and it is a very sensitive topic, even if it is reported in the dark clouds, the operators also ignore it. The plaintext transmission of text messages is no longer a secret.

Well, although we don't know much about this project, we can explain it from a macro point of view. As mentioned earlier, services and agreements complement each other. As long as we can understand the complete GSM communication protocol, we can capture the relevant signal from the physical layer, through the cracking of GSM, we can decrypt the signal and obtain the original text.

Now, we do not need in-depth understanding of how GSM works, using this open source project, simple configuration, we can sniff! In the next section, we will talk about the configuration of the experiment in detail. The point is in the back. Here, for the beginner, I will not delve into it for the time being.

Lab environment configuration 4.1 hardware inventory

1. A compatible platform is required (that is, the hardware is compatible with the cross-compilation environment, mainly for mobile phones):

Several types of mobile phones are officially recommended here.

Designed + Manufactured by Compal, OEM by Motorola

MotorolaC115/C117 (E87)

MotorolaC123/C121/C118 (E88)-our primary target

MotorolaC140/C139 (E86)

MotorolaC155 (E99)-our secondary target

MotorolaV171 (E68/E69)

SonyEricssonJ100i

Designed by Pirelli/Foxconn?, manufactured by Foxconn

Pirelli DP-L10

Designed by Openmoko, manufactured by FIC

Neo 1973 (GTA01)

OpenMoko-Neo Freerunner (GTA02)

A list of potential targets that may be worth adding support for in the future is available at PotentialCalypsoTargets.

MTK based

Information specific to Mediatek phones that we support.

Designed + Manufactured by Bluelans

SciphoneDreamG2 (MT6235 based)

This is the recommendation of the official website, here we use MTC118, the price of Taobao is only dozens of yuan.

2. USB serial port conversion module is also needed.

The above picture is the recommended model of the official website, here we use FT232, although a little expensive, but relatively stable, the effect is good.

Below, the previous picture, is all the hardware.

1. Vim / etc/apt/sources.list2, deb http://mirrors.ustc.edu.cn/kali kali main non-free contribdeb-src http://mirrors.ustc.edu.cn/kali kali main non-free contribdeb http://mirrors.ustc.edu.cn/kali-security kali/updates main non-free / / add these three lines Wq saves 3, apt-get update4, aptitude install libtool shtool autoconf git-core pkg-config make gcc5, apt-get install build-essential libgmp3-dev libmpfr-dev libx11- 6 libx11-dev texinfo flex bison libncurses5\ libncurses5-dbg libncurses5-dev libncursesw5 libncursesw5-dbg libncursesw5-dev zlibc zlib1g-dev libmpfr4 libmpc-dev6, wget-c http://bb.osmocom.org/trac/raw-attachment/wiki/GnuArmToolchain/gnu-arm-build.2.sh7, chmod + x gnu-arm-build.2.sh8, mkdir build install src9, cd src/10, Wget http://ftp.gnu.org/gnu/gcc/gcc-4.5.2/gcc-4.5.2.tar.bz2wget http://ftp.gnu.org/gnu/binutils/binutils-2.21.1a.tar.bz2wget ftp://sources.redhat.com/pub/newlib/newlib-1.19.0.tar.gz11, cd.. 12,. / gnu-arm-build.2.sh13, echo "export PATH=\ $PATH:/root/install/bin" > > / root/.bashrc14, source / root/.bashrc15, Cd ~ 16, git clone git://git.osmocom.org/libosmocore.git17, cd libosmocore/18, autoreconf-i19,. / configure20, make21, make install22, cd.. 23, .ldconfig24, cd.. 25, git clone git://git.osmocom.org/osmocom-bb.git26, cd ~ / osmocom-bb27, git checkout-- track origin/luca/gsmmap28\ cd src29\ make

If present, prove that the hardware connection is successful.

Step 2:

To brush the firmware is to burn and write the program into the phone.

Enter the command:

. / osmocon-m c123xor-p / dev/ttyUSB0.. / target/firmware/board/compal_e88/layer1.compalram.bin

Then press the boot button, start brushing, and then the process code will appear.

After about 15 seconds, after completion, the following prompt will appear on the phone screen, indicating that the firmware has been brushed successfully.

Step 3:

Create a new terminal and enter the command:

Cd ~ / osmocom-bb/src/host/layer23/src/misc./cell_log-O

This command scans the available channels and lists the relevant channel information

The ARFCN that appears is the channel number.

Step 4:

Create a new terminal and enter the command:

. / ccch_scan-I 127.0.0.1-a 655

The last number represents the ARFCN number, which is based on the result of the previous terminal. This command represents sniffing on channel 655.

Step 5:

Open a new terminal and enter the command:

Wireshark-k-I lo-f 'port 4729'

And the filter of wireshark chooses gsm_sms, you can wait quietly.

After reading the above, have you mastered the principle of GSM SMS sniffing? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.