Active analysis of a GSM call through osmocom-bb

In the last blog, we learnt how to do passive sniffing of gsm data using a RTL-SDR.

I don’t wanna get much into what can be further done with passive analysis of GSM as it didn’t interest me much. Almost all of the operators now have upgraded their encryption standards, so sniffing GSM data using a USRP and cracking them using kraken is difficult now.

There are other cost effective approaches that researches have used to crack and find the key(Kc) from the sniffed GSM data like running osmocom-bb on multiple phones and hopping channels to capture data or just by using a RTL-SDR. But today, we will focus on active analysis of GSM as that is more interesting and useful for research purpose. If you still want to know what can be done with just passive analysis of gsm data, you can read the tutorials released by srlabs on how to decrypt gsm data. They have done an awesome job on this.

Objective

We will intercept a gsm call in wireshark using Osmocom-BB and a motorola C118 phone and then we will analyze the GSM packets and learn what we can make out of it.

What is Osmocom-BB?

OsmocomBB is an Open Source GSM Baseband software implementation. OsmocomBB implements the GSM protocol stack’s three lowest OSI Layers of the client side GSM protocol and device drivers. The protocol layers forming the kernel exists on the baseband processor, typically consisting of an ARM processor and a digital signal processor.

It has all the gsm protocol stack from Layer 1 to Layer 3. Hardware drivers and layer 1 runs on the phone whereas Layer 2,3 and the actual mobile application runs on PC.

GSM Layers

we will skip the setup and installation part of osmocom-bb as there are multiple sources on the Internet where you can find it but I would say that the installation and running of osmocom-bb can be a bit tricky and time consuming if anything was not done in a correct manner.

The handset we would be using is Motorola C118. It has a TI Calypso chipset on which our osomocom firmware can easily be loaded as this phone lacks many security protections when it comes to changing the firmware. On this phone, we will load our osmocom-bb layer 1 firmware which will be connected to PC over a USB serial cable.

Motorola C118 phone running Osmocom firmware

What can be done using osmocom-bb?

  • place a voice call
  • send sms
  • send arbitrary frames to the network
  • sim card emulation
  • Gsm Cell (Re)selection
  • and much more. .

You can actually modify the source code of osmocom-bb and recompile it and use it according to your requirements.

Ocmocom-bb terminal. Our TMSI and Kc are visible.

The process behind making a mobile call?

To know about the process behind making a mobile phone call, first we need to know the whole GSM architecture. It is difficult to explain the whole architecture in a single blogpost. However, there are multiple resources on Internet where we can understand this in an easy manner.

Here is an interesting and short video by Paul Delooze about what happens during the entire process of a call.

 

How a call is setup in GSM?

Here, we would talk only about what actually happens between the mobile station and the network provider instead of the whole process since we have to dissect the data captured by wireshark and find out what happens when a mobile phone places a call and when a call is received on the mobile phone.

Call setup process

In the above image MS1 and MS2 are two mobile phones where MS1 calls MS2. We will discuss in detail as what exactly happens between your mobile phone and network when you place a call.

calling a mobile phone

  1. MS1 will ask the MS1 provider for a radio channel and MS1 provider will allocate a unique radio channel to it through immediate assignment.
  2. MS1 will send the MS1 service provider a CM service request with it’s TMSI. If the TMSI exists in the VLR, then only the MS1 provider will reply with CM service accepted message or else the authentication process will happen again and then the MS1 will get a new TMSI after successful authentication.
  3. The MSC initiates ciphering of the data being sent on the channel. The BSC sends the CIPHERING MODE COMMAND to the mobile. Ciphering has already been enabled, so this message is transmitted with ciphering. The mobile replies back to it with mode CIPHERED.
  4. MS1 will send a SETUP request which includes the called party phone no.
  5. The MS1 provider will reply back to MS1 that the call is proceeding now.

we will call a mobile number through osmocom-bb and route the data through wireshark so that we can see what’s going on at packet level.

Calling a mobile through osmocom-bb

Now, we will analyze the gsm packets in wireshark and check what’s really happening over the air.

  1. Immediate assignment – Radio channel requested by MS1 and radio channel allocated to MS1 by the MS1 provider. We can also see what kind of control channel (SDCCH/SACCH) is being used here in the channel description.

 

Immediate assignment

2. CM service request – MS1 sends a CM Service request which includes the TMSI of the MS1. In this case the TMSI existed in the VLR, so it will not do re-authentication.

CM service request

3. Ciphering mode command – The BSC sends the CIPHERING MODE COMMAND to the mobile. Ciphering has already been enabled, so this message is transmitted with ciphering. The mobile replies back to it with mode CIPHERED. We can also see the Ciphering mode complete packet below. We can see that it is using A5/1 cipher.

Ciphering mode command

4. Setup – The MS1 sends a setup request which contains the called party number which i have blackened as I don’t want to reveal my personal number here! We can also see the Speech rate related data here in the details.

Call setup

5.  call proceeding – The MS1 provider will reply back to the mobile that the call is proceeding now.

Call proceeding

6. Alerting – The MS2 is getting an call alert now.

Call Alerting

Receiving a call

  1. The MS2 provider will send a paging request to all the mobile phones in a particular location area(LAI) with the mobile phone’s TMSI. The phone for which that TMSI belongs to, will connect back with the network taking this negotiation further.
  2. MS2 will ask for the allocation of a radio channel from MS2 provider. MS2 will be allocated a radio channel through immediate assignment. After getting a radio channel, MS2 will respond to that paging request and it will tell the network that it is here.
  3. After that, the ciphering mode command will be exchanged so that all the data now would be transferred as ciphered.
  4. The MS2 provider will send a SETUP request to MS2 which will include the calling party number.
  5. After the call is setup, the MS2 will send a call confirm message to MS2 Provider and then it will send the alert message.
  6. When the receiver picks up the phone, it gets connected and the MS2 provider will send a connect acknowledgment message to MS2.

receiving a call through osmocom-bb

we will accept an incoming call through osmocom-bb and route the data through wireshark so that we can see what’s going on at packet level.

1. Paging Request – The MS2 provider will send a paging request to all the mobile phones in a particular location area(LAI) with the mobile phone’s TMSI. The phone for which that TMSI belongs to, will talk back to the network taking this negotiation further.

2. Immediate assignment – MS2 will ask for the allocation of a radio channel from MS2 provider. MS2 will be allocated a radio channel through immediate assignment. After getting a radio channel, MS2 will respond to that paging request and it will tell the network that it is here. we can see the ARFCN number for our call form which we can calculate the frequency on which it is talking upon.

Immediate assignment

3. Ciphering mode command – After that, the ciphering mode command will be exchanged so that all the data would now be transferred as ciphered. We can see that it is using A5/1 cipher.

ciphering mode command

4. Call SETUP – The MS2 provider will send a SETUP request to MS2 which will include the calling party number.

call setup

5. Call Confirm – After the call is setup, the MS2 will send a call confirm message to MS2 Provider and then it will also send the alert message.

call confirmed

6. Call connected – When the receiver picks up the phone, it gets connected and the MS2 provider will send a connect acknowledgment message to MS2.

7. Disconnect – When is call is disconnected, it sends a disconnect message to the network and releases the allocated radio channel.

Call disconnect and release radio channel

What now?

GSM Security is a huge unexplored field where a lot has still to be explored and done. Now, when you know how to analyze the gsm data upto the lowest level, you can read, analyze and modify the code of osmocom in order to send arbitrary frames to the network or from the network to the phone. You can start fuzzing gsm level protocols in order to find out if you can actually crash any network device. There is a lot to do but that would require a very deep understanding of the gsm networks and also about the legal aspects around this. I would suggest you to create your own gsm network and run your tests on that if you want to go ahead with this. We will be posting more blog posts on gsm. Stay tuned!

Comment ( 1 )

  1. Please sent tutorial how to start setup osmocombb

Leave a Reply

Your email address will not be published. Required fields are marked *

20 − 17 =