Description

In this video I show how to capture GSM traffic over the air and decrypt parts of our own voice call. Because frequency hopping is enabled in our case, a “test call” capture is decrypted afterwards to show the full process, until I get my new SDR and record a new video.

Please note that the pace in this video is quite fast at times, to keep the time on the video down a bit.

It’s also highly recommended to check out the previous videos, in case this is the first time you’re doing GSM sniffing and decryption.

Generally speaking, decoding voice when frequency/channel hopping is disabled is almost the same as decrypting SMS messages. The only difference is an extra step at the end, where the TCH/F channel carrying the speech data is decoded.

New topics covered in this video:
– Voice call decryption (traffic channel TCH/F, channel hopping, etc.)
– RTL-SDR limitations in relation to frequency hopping
– Decrypting the test call file by “Security Research Labs”

Topics already covered in the SMS decryption video:
– Switching USB mode on a Samsung Galaxy phone
– ARFCN conversion to downlink and uplink frequencies
– Testing the GSM downlink frequency
– Capturing RTL-SDR GSM traffic for later use
– Decoding RTL-SDR GSM traffic
– GSM packets (Immediate Assignment, Cipher Mode Command, etc.)
– Decrypting GSM traffic with a known Kc (symmetric encryption key)
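As an added example (not code from the video), here is the ARFCN-to-frequency conversion from 3GPP TS 45.005 together with a check of whether a hopping channel set fits inside a single RTL-SDR capture, which illustrates the frequency-hopping limitation listed above. The 2.4 MHz receiver bandwidth is a typical RTL-SDR figure assumed here, and the ARFCN lists are constructed for illustration.

```python
"""Added example: ARFCN -> uplink/downlink conversion (3GPP TS 45.005) and a
check of whether a hopping channel set fits in one RTL-SDR capture.
The 2.4 MHz bandwidth is an assumed typical RTL-SDR figure; sample ARFCN
lists below are constructed, not taken from the video."""

# band -> (first ARFCN, last ARFCN, uplink MHz at reference ARFCN,
#          reference ARFCN, duplex spacing MHz)
# Downlink (BTS -> phone) = uplink (phone -> BTS) + duplex spacing.
BANDS = {
    "GSM850":  (128, 251, 824.2, 128, 45.0),
    "GSM900":  (0, 124, 890.0, 0, 45.0),        # P-GSM plus ARFCN 0 of E-GSM
    "EGSM900": (975, 1023, 890.0, 1024, 45.0),  # E-GSM extension below 890 MHz
    "DCS1800": (512, 885, 1710.2, 512, 95.0),
    "PCS1900": (512, 810, 1850.2, 512, 80.0),   # overlaps DCS1800 numbering
}
CHANNEL_WIDTH_MHZ = 0.2

def arfcn_to_freq(arfcn, band=None):
    """Return {band: (downlink_mhz, uplink_mhz)} for every band in which the
    ARFCN is valid. ARFCNs 512-810 are ambiguous (DCS1800 vs PCS1900), so
    pass band= to disambiguate; an unknown ARFCN yields an empty dict."""
    result = {}
    for name, (lo, hi, base_ul, base_arfcn, duplex) in BANDS.items():
        if band is not None and name != band:
            continue
        if lo <= arfcn <= hi:
            uplink = round(base_ul + CHANNEL_WIDTH_MHZ * (arfcn - base_arfcn), 1)
            result[name] = (round(uplink + duplex, 1), uplink)
    return result

def downlink_span_mhz(arfcns, band):
    """Downlink bandwidth a receiver must cover to see every channel in the
    list at once (outermost carrier spacing plus one channel width)."""
    freqs = [arfcn_to_freq(a, band)[band][0] for a in arfcns]
    return round(max(freqs) - min(freqs) + CHANNEL_WIDTH_MHZ, 1)

def fits_single_capture(arfcns, band, bandwidth_mhz=2.4):
    """True if one capture of bandwidth_mhz can hold the whole hopping set.
    This is the RTL-SDR limitation: a hopping call whose channel set spans
    more than the dongle's bandwidth cannot be recorded with one dongle."""
    return downlink_span_mhz(arfcns, band) <= bandwidth_mhz

if __name__ == "__main__":
    print(arfcn_to_freq(700))  # both DCS1800 and PCS1900 interpretations
    narrow = [10, 14, 20]      # constructed hopping set, 2.2 MHz wide
    wide = [10, 14, 30]        # constructed hopping set, 4.2 MHz wide
    for ma in (narrow, wide):
        print(ma, downlink_span_mhz(ma, "GSM900"), fits_single_capture(ma, "GSM900"))
```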

Tools:
– usbswitcher (https://github.com/ud2/advisories/blob/master/android/samsung/nocve-2016-0004/usbswitcher.c)
– minicom
– kalibrate-rtl (kal)
– grgsm_livemon
– grgsm_capture
– grgsm_decode
– wireshark
– vlc

Hardware requirements:
– RTL-SDR (default antenna) for non-frequency-hopping captures
– Cellphone with an AT command interface you can access.

Stay tuned and subscribe for more upcoming videos showing actual hacks!