Description

In this video I show how to crack and decrypt SMS from start to finish with an RTL-SDR and a Kraken server! All of the required steps are shown, using a manual approach to better understand how input for Kraken is generated. Everything you need to know is in this video.

Note: Even with a working Kraken server, you’re not guaranteed to crack all A5/1 encrypted bursts. You may have to call your mobile phone (you’ll receive a new Kc), and then capture traffic from your mobile phone again while you send yourself SMS messages.

Topics covered:
– Installing airprobe
– Installing gsmframecoder
– Using Make With Multiple Jobs
– Forcing 2G Mode on iPhone 4S
– Field Test Mode on iPhone 4S
– Finding the SDCCH8 Timeslot
– Finding the iPhone 4S TMSI Without Knowing It
– Verifying Our Device Uses A5/1 Encryption
– System Information Packets (SI5, SI5Ter, SI6)
– GSM Frame Numbers
– Finding Potentially Encrypted SI5 Candidates (i.e. packets/frames)
– Sorting Decoded GSM Packets by Subslot
– GSM Frame Bursts In Practice (i.e. How To Find Them and How They Work)
– Using gsmframecoder to Decode an Unencrypted Burst (SI5 Packet/Frame)
– Timing Advance with System Information 5 Packets
– Modified Frame Numbers (Used for A5/1 Decryption)
– XOR’ing the Unencrypted SI5 Bursts with the Encrypted SI5 Burst
– Using Kraken to Crack the XOR’d SI5 Bursts
– Using find_kc to Find the (Symmetric) Encryption/Decryption Key
– Using grgsm_decode to Decode the Encrypted SMS Messages

Tools covered:
– grgsm_decode (https://github.com/ptrkrysik/gr-gsm)
– go.sh (https://github.com/iamckn/airprobe)
– gsmframecoder (https://www.ks.uni-freiburg.de/download/misc/gsmframecoder.tar.gz)
– Kraken (https://github.com/joswr1ght/kraken)
– find_kc (See above)
– xor.py (https://github.com/joswr1ght/kraken/blob/master/Utilities/xor.py)

Disclaimer: The contents of this video are meant for educational purposes only. Only decrypt your own traffic. Anything else may be illegal.

Stay tuned and subscribe for more upcoming videos showing actual hacks!