Description
In this video I show how to capture GSM traffic over the air, and decrypt our own SMS!
It’s highly recommended to check out the previous videos if this is the first time you’re doing GSM sniffing and decryption.
Topics covered:
– Switching USB mode on a Samsung Galaxy phone
– ARFCN conversion to downlink and uplink frequencies
– Testing the GSM downlink frequency
– Capturing RTL-SDR GSM traffic for later use
– Decoding RTL-SDR GSM traffic
– GSM packets (Immediate Assignment, Cipher Mode Command, etc.)
– Decrypting GSM traffic with a known Kc (the symmetric A5 session key read from the SIM)
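The ARFCN conversion in the topic list is a fixed formula per band, so here is an added example (not code from the video or from gr-gsm) that turns an ARFCN into the uplink and downlink carriers and back, using the band edges and duplex spacings from 3GPP TS 45.005. The ARFCN numbers used at the bottom are constructed for illustration; the band tables themselves are the standard ones.

```python
"""Added example (not from the video or gr-gsm): GSM ARFCN <-> carrier frequency.

Band edges and duplex spacings follow 3GPP TS 45.005 section 2. Everything is
kept in integer kHz so the 200 kHz channel raster never picks up float error.
The ARFCN values in the demo at the bottom are constructed for illustration.
"""

# band -> list of (lowest ARFCN, highest ARFCN, uplink kHz at lowest ARFCN, duplex spacing kHz)
# Downlink = uplink + duplex spacing. E-GSM has two ARFCN ranges; DCS1800 and
# PCS1900 overlap in ARFCN numbering, so the band must always be given explicitly.
BANDS = {
    "PGSM":    [(1,   124,  890200,  45000)],
    "EGSM":    [(0,   124,  890000,  45000), (975, 1023, 880200, 45000)],
    "GSM850":  [(128, 251,  824200,  45000)],
    "DCS1800": [(512, 885,  1710200, 95000)],
    "PCS1900": [(512, 810,  1850200, 80000)],
}


def arfcn_to_freq(arfcn, band):
    """Return (uplink_khz, downlink_khz) for an ARFCN in the given band."""
    for lo, hi, ul_start, duplex in BANDS[band]:
        if lo <= arfcn <= hi:
            uplink = ul_start + 200 * (arfcn - lo)
            return uplink, uplink + duplex
    raise ValueError(f"ARFCN {arfcn} is not in band {band}")


def freq_to_arfcn(downlink_khz, band):
    """Inverse of arfcn_to_freq: downlink carrier in kHz -> ARFCN."""
    for lo, hi, ul_start, duplex in BANDS[band]:
        offset = downlink_khz - (ul_start + duplex)
        if offset % 200 == 0 and lo <= lo + offset // 200 <= hi:
            return lo + offset // 200
    raise ValueError(f"{downlink_khz} kHz is not a downlink carrier of band {band}")


def candidate_bands(arfcn):
    """All bands in which this ARFCN number is defined (shows the DCS/PCS ambiguity)."""
    return [band for band, ranges in BANDS.items()
            if any(lo <= arfcn <= hi for lo, hi, _, _ in ranges)]


def eng(khz):
    """Engineering-notation string such as '947.4M', the form GNU Radio tools
    (e.g. grgsm_livemon -f) accept for a frequency argument."""
    return f"{khz / 1000:g}M"


if __name__ == "__main__":
    # Constructed demo: an ARFCN seen in a GSM900 cell and one in a 1800 MHz cell.
    for arfcn, band in ((62, "PGSM"), (975, "EGSM"), (700, "DCS1800")):
        ul, dl = arfcn_to_freq(arfcn, band)
        print(f"ARFCN {arfcn:4d} {band:8s} uplink {eng(ul):>9s} downlink {eng(dl):>9s}"
              f"  (also valid in: {candidate_bands(arfcn)})")
```

The downlink is the frequency you tune the RTL-SDR to, since that is where the BTS transmits. The uplink sits 45 MHz (GSM900) or 95 MHz (DCS1800) away, so a single RTL-SDR, with at most about 2.4 MHz of bandwidth, cannot capture both directions of a call at once; the video's captures are downlink only.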
Tools:
– usbswitcher (https://github.com/ud2/advisories/blob/master/android/samsung/nocve-2016-0004/usbswitcher.c)
– minicom
– kalibrate-rtl (kal)
– grgsm_livemon
– grgsm_capture
– grgsm_decode
– wireshark
Hardware requirements:
– RTL-SDR (Default antenna)
– Cellphone that has an AT interface you can access.
Stay tuned and subscribe for more upcoming videos showing actual hacks!
Many thanks to RTL-SDR.com for sharing the GSM Sniffing & Hacking video playlist!
(https://www.rtl-sdr.com/gsm-sniffing-a-full-youtube-tutorial/)
Hello,
Thank you very much for your tutorial. I have a problem with the command AT+CRSM=176,28448,0,0,9. My result is always +CRSM: 0,0. Where can I find a list of idFields for different GSM?
The easiest resource is the following: https://ccdcoe.org/uploads/2018/10/Art-16-Attacking-the-Baseband-Modem-of-Breach-the-Users-Privacy-and-Network-Security.pdf
Alternatively, there are a few ETSI standards that describe the UICC file system, like this document:
https://www.etsi.org/deliver/etsi_ts/131100_131199/131102/04.15.00_60/ts_131102v041500p.pdf
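Since the question above is about AT+CRSM, here is an added example (not the video author's code) that builds the exact command from the video and parses the modem's reply into Kc and the key sequence number, so a failed read such as "+CRSM: 0,0" is reported as a status problem instead of being mistaken for a key. The sample replies are constructed; the file ID, response layout and status words are the ones from 3GPP TS 27.007, TS 51.011 / TS 31.102 and ISO 7816-4.

```python
"""Added example (not the video author's code): build the AT+CRSM read of EF_Kc
and parse what the modem answers.

AT+CRSM=<command>,<fileid>,<P1>,<P2>,<P3> is the "restricted SIM access" command
of 3GPP TS 27.007; command 176 is READ BINARY. File ID 28448 = 0x6F20 is EF_Kc
(TS 51.011 under DF_GSM, TS 31.102 under ADF_USIM): 8 bytes of Kc followed by one
byte whose low three bits are the ciphering key sequence number (CKSN). The modem
answers "+CRSM: <sw1>,<sw2>[,<response>]" with the status words in decimal, so
144,0 is 0x9000 (success). All replies below are constructed, not captured.
"""
import re

READ_BINARY = 176
EF_KC = 0x6F20          # 28448 decimal, as typed in the video

# ISO 7816-4 status words that commonly show up when the read fails. 0000 is not
# a status word a card can return (SW1 is always 6x or 9x), so a "+CRSM: 0,0"
# means the command was not executed by the card at all.
SW_MEANING = {
    (0x90, 0x00): "OK",
    (0x00, 0x00): "no card status: the command was not executed by the card",
    (0x6A, 0x82): "file not found (wrong file ID, or EF_Kc not reachable from the selected DF/ADF)",
    (0x69, 0x82): "security status not satisfied (PIN/CHV1 still locked)",
    (0x6B, 0x00): "wrong P1/P2 (offset outside the file)",
    (0x67, 0x00): "wrong length (P3)",
}

CRSM_RE = re.compile(r'\+CRSM:\s*(\d+)\s*,\s*(\d+)(?:\s*,\s*"?([0-9A-Fa-f]*)"?)?')


def kc_read_command(file_id=EF_KC, length=9):
    """The AT command that reads the first `length` bytes of `file_id` (P1=P2=0)."""
    return f"AT+CRSM={READ_BINARY},{file_id},0,0,{length}"


def status_text(sw1, sw2):
    return SW_MEANING.get((sw1, sw2), f"unknown status {sw1:02X}{sw2:02X}")


def parse_crsm(reply):
    """Split a +CRSM reply into (sw1, sw2, response_bytes); quotes around the hex are optional."""
    m = CRSM_RE.search(reply)
    if not m:
        raise ValueError(f"not a +CRSM reply: {reply!r}")
    return int(m.group(1)), int(m.group(2)), bytes.fromhex(m.group(3) or "")


def extract_kc(reply):
    """Return (kc_hex, cksn, key_available) from a successful EF_Kc read.

    CKSN 7 is the reserved value meaning 'no key available' (TS 24.008), which is
    what a fresh SIM or one that never attached to 2G shows.
    """
    sw1, sw2, data = parse_crsm(reply)
    if sw1 not in (0x90, 0x91):      # 91xx: OK, with a proactive command pending
        raise RuntimeError(f"EF_Kc read failed with {sw1:02X}{sw2:02X}: {status_text(sw1, sw2)}")
    if len(data) < 9:
        raise ValueError(f"EF_Kc should be 9 bytes, got {len(data)}")
    kc, cksn = data[:8], data[8] & 0x07
    return kc.hex().upper(), cksn, cksn != 7


if __name__ == "__main__":
    print("send:", kc_read_command())
    # Constructed replies: one good read, one with no key yet, and the failure from the comment.
    for reply in ('+CRSM: 144,0,"00112233445566770A"',
                  "+CRSM: 144,0,FFFFFFFFFFFFFFFF07",
                  "+CRSM: 0,0"):
        try:
            print(reply, "->", extract_kc(reply))
        except (RuntimeError, ValueError) as err:
            print(reply, "->", err)
```

The 16 hex characters of Kc are what the decryption step needs; check `grgsm_decode --help` for the exact form in which its key option expects them. If the status is not 9000, sort out the card state first (PIN entered, the phone registered on a 2G cell at least once so the key is fresh) before retrying, and remember that Kc changes at every authentication, so read it right after the capture you want to decrypt.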
Thank you, I want to ask some questions.
I got this when trying ./switcher:
[*] Device found, 1 configuration(s)
switcher: switcher.c:66: main: Assertion `dev->descriptor.bNumConfigurations == 2' failed.
Aborted
and I’ve seen your instructions in the YouTube comments:
It’s because your phone does not have 2 USB modes; it either has only 1 USB mode, or maybe it has 3 or more modes.
I recommend using “lsusb -v” and then checking how many modes your ASUS device has. Once you’ve found out, and also which mode may be the correct one, change these lines:
assert(dev->descriptor.bNumConfigurations == 2);
r = usb_set_configuration(udev, 2);
You may also want to update this line:
info(“Device opened, Switching to configuration #2”);
But I’m still confused about which mode is showing on the device. How do I know how many modes there are?
And in what script should I change these lines?
Sorry for my bad English.
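To make the "lsusb -v" advice in the thread above concrete, here is an added example (not from the video author, the commenter, or usbswitcher) that parses the relevant descriptor fields out of lsusb -v output, counts the configurations, and picks the one that exposes a CDC ACM modem interface, which is the configuration the AT commands are reachable through. The lsusb excerpt is constructed to look like a two-configuration Samsung phone; run `sudo lsusb -v -d <vendor>:<product>` on your own device to get the real thing.

```python
"""Added example (not from usbswitcher or the video): read the USB configuration
layout of a phone from `lsusb -v` output.

Why: usbswitcher asserts bNumConfigurations == 2 and then calls
usb_set_configuration(udev, 2). Both numbers must match the phone. The value to
pass is the bConfigurationValue printed by lsusb (not a 0-based index), and the
configuration to choose is the one whose interfaces include a CDC ACM modem
(bInterfaceClass 2 Communications, bInterfaceSubClass 2 Abstract (modem)).

SAMPLE_LSUSB is constructed for this example, not captured from a real device.
"""
import re

SAMPLE_LSUSB = """\
Bus 001 Device 009: ID 04e8:6860 Samsung Electronics Co., Ltd Galaxy series (constructed sample)
Device Descriptor:
  bLength                18
  bDescriptorType         1
  idVendor           0x04e8 Samsung Electronics Co., Ltd
  idProduct          0x6860 Galaxy series, misc.
  bNumConfigurations      2
  Configuration Descriptor:
    bLength                 9
    bNumInterfaces          1
    bConfigurationValue     1
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         6 Imaging
      bInterfaceSubClass      1 Still Image Capture
  Configuration Descriptor:
    bLength                 9
    bNumInterfaces          2
    bConfigurationValue     2
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         2 Communications
      bInterfaceSubClass      2 Abstract (modem)
    Interface Descriptor:
      bInterfaceNumber        1
      bInterfaceClass        10 CDC Data
      bInterfaceSubClass      0
"""

# "<field name>   <decimal value>  [<human readable description>]"
FIELD_RE = re.compile(r"^(b\w+)\s+(\d+)(?:\s+(.*))?$")


def parse_lsusb(text):
    """Return {'bNumConfigurations': n, 'configurations': [{'value': v, 'interfaces': [...]}]}."""
    dev = {"bNumConfigurations": None, "configurations": []}
    cfg = iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Configuration Descriptor:":
            cfg = {"value": None, "interfaces": []}
            dev["configurations"].append(cfg)
            iface = None
            continue
        if line == "Interface Descriptor:" and cfg is not None:
            iface = {"number": None, "class": None, "class_name": "", "subclass": None, "subclass_name": ""}
            cfg["interfaces"].append(iface)
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        name, value, desc = m.group(1), int(m.group(2)), (m.group(3) or "").strip()
        if name == "bNumConfigurations":
            dev["bNumConfigurations"] = value
        elif name == "bConfigurationValue" and cfg is not None:
            cfg["value"] = value
        elif iface is not None and name == "bInterfaceNumber":
            iface["number"] = value
        elif iface is not None and name == "bInterfaceClass":
            iface["class"], iface["class_name"] = value, desc
        elif iface is not None and name == "bInterfaceSubClass":
            iface["subclass"], iface["subclass_name"] = value, desc
    return dev


def modem_configuration(dev):
    """bConfigurationValue of the first configuration carrying a CDC ACM modem interface, else None."""
    for cfg in dev["configurations"]:
        if any(i["class"] == 2 and i["subclass"] == 2 for i in cfg["interfaces"]):
            return cfg["value"]
    return None


def usbswitcher_lines(dev):
    """The two usbswitcher.c lines, filled in with this device's numbers (None if no modem config)."""
    target = modem_configuration(dev)
    if target is None:
        return None
    return (f"assert(dev->descriptor.bNumConfigurations == {dev['bNumConfigurations']});",
            f"r = usb_set_configuration(udev, {target});")


if __name__ == "__main__":
    dev = parse_lsusb(SAMPLE_LSUSB)
    print("configurations:", dev["bNumConfigurations"])
    for cfg in dev["configurations"]:
        names = ", ".join(f"{i['class_name']}/{i['subclass_name']}" for i in cfg["interfaces"])
        print(f"  bConfigurationValue {cfg['value']}: {names}")
    print("modem configuration:", modem_configuration(dev))
    print("\n".join(usbswitcher_lines(dev) or ["no CDC ACM modem configuration found"]))
```

If lsusb shows only one configuration, there is nothing for usbswitcher to switch and the AT interface has to be enabled another way (or the phone simply does not expose one). If it shows three or more, the assert must be relaxed to that count and the modem configuration's bConfigurationValue passed to usb_set_configuration(); the edit goes into usbswitcher.c itself, which is then recompiled.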