├── README.md └── gprs_new_patch /README.md: -------------------------------------------------------------------------------- 1 | gprs_sniff 2 | ========== 3 | 4 | This repo will contain stuff I create while trying out GPRS sniffing based on Karsten Nohl's and Luca Melette's 5 | presentation and tutorial: 6 | 7 | https://srlabs.de/gprs 8 | 9 | It currently contains: 10 | - an updated version of the patch needed to enable GPRS-sniffing with OsmocomBB. This patch works with the latest burst_ind branch of Sylvain Munaut. 11 | 12 | 13 | Credits and everything goes to the great people behind the tutorial and the Osmocom project, thank you! 14 | -------------------------------------------------------------------------------- /gprs_new_patch: --------------------------------------------------------------------------------
1 | diff --git a/src/host/layer23/src/misc/app_ccch_scan.c b/src/host/layer23/src/misc/app_ccch_scan.c
2 | index ecf934d..5568cb7 100644
3 | --- a/src/host/layer23/src/misc/app_ccch_scan.c
4 | +++ b/src/host/layer23/src/misc/app_ccch_scan.c
5 | @@ -209,7 +209,7 @@ static int gsm48_rx_imm_ass(struct msgb *msg, struct osmocom_ms *ms)
6 | int rv;
7 |
8 | /* Discard packet TBF assignement */
9 | - if (ia->page_mode & 0xf0)
10 | + if ((ia->page_mode & 0xf0) != 0x10)
11 | return 0;
12 |
13 | /* If we're not ready yet, or just busy ... */
14 | @@ -649,7 +649,7 @@ void layer3_rx_burst(struct osmocom_ms *ms, struct msgb *msg)
15 | app_state.dch_badcnt = 0;
16 |
17 | /* Release condition */
18 | - do_rel = app_state.dch_badcnt >= 6;
19 | + do_rel = app_state.dch_badcnt >= 600;
20 | }
21 | }
22 |
23 | diff --git a/src/target/firmware/include/layer1/tdma_sched.h b/src/target/firmware/include/layer1/tdma_sched.h
24 | index f58d59b..3a8c91a 100644
25 | --- a/src/target/firmware/include/layer1/tdma_sched.h
26 | +++ b/src/target/firmware/include/layer1/tdma_sched.h
27 |
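Review bot: The comment above the changed condition is now inverted: `/* Discard packet TBF assignement */` described the old `if (ia->page_mode & 0xf0)`, but the new `if ((ia->page_mode & 0xf0) != 0x10)` keeps only the assignments whose upper page_mode nibble is exactly 0x10 and discards every other immediate assignment, including the circuit-switched ones the old code accepted. Replace it with `/* Keep only immediate assignments whose upper page_mode nibble is 0x10; discard all others */` and give 0x10 a name, since the hunk gives no hint what it encodes (presumably the uplink-TBF case of the "Dedicated mode or TBF" field — confirm against 3GPP TS 44.018 10.5.2.25b before naming it). gsm48_rx_imm_ass's body starts and continues outside the hunk.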
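Review bot: `do_rel = app_state.dch_badcnt >= 600;` raises the release threshold a hundredfold as a bare literal with no indication of why, and nothing ties it to the new sniff schedule in prim_sniff.c that presumably motivates it. Pull it into a named constant next to the other tunables, e.g. `#define DCH_BADCNT_RELEASE 600` (name constructed) with a comment giving the actual reason the channel must now tolerate that many bad bursts before release. Also check that `dch_badcnt`'s declared type can reach 600 without wrapping — its declaration is outside the hunk. layer3_rx_burst's body starts and continues outside the hunk.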
@@ -10,8 +10,8 @@
28 | * bucket contains of a list of callbacks which are executed when the bucket
29 | * index reaches that particular bucket. */
30 |
31 | -#define TDMASCHED_NUM_FRAMES 25
32 | -#define TDMASCHED_NUM_CB 8
33 | +#define TDMASCHED_NUM_FRAMES 32
34 | +#define TDMASCHED_NUM_CB 16
35 |
36 | #define TDMA_IFLG_TPU (1<<0)
37 | #define TDMA_IFLG_DSP (1<<1)
38 | diff --git a/src/target/firmware/include/stdint.h b/src/target/firmware/include/stdint.h
39 | index 627403f..279e74f 100644
40 | --- a/src/target/firmware/include/stdint.h
41 | +++ b/src/target/firmware/include/stdint.h
42 | @@ -16,7 +16,7 @@
43 | one of the compilers producing working code right now. */
44 |
45 | #if __GNUC__ > 3
46 | -#include_next
47 | +//#include_next
48 | #endif
49 |
50 | #ifndef __int8_t_defined
51 | diff --git a/src/target/firmware/layer1/prim_sniff.c b/src/target/firmware/layer1/prim_sniff.c
52 | index 37dcd32..46c1d58 100644
53 | --- a/src/target/firmware/layer1/prim_sniff.c
54 | +++ b/src/target/firmware/layer1/prim_sniff.c
55 | @@ -175,15 +175,17 @@ l1s_sniff_resp(uint8_t ul, uint8_t burst_id, uint16_t p3)
56 | bi->frame_nr = htonl(rx_time.fn);
57 |
58 | /* ARFCN */
59 | - if (ul)
60 | + if (ul) {
61 | rf_arfcn |= ARFCN_UPLINK;
62 | + burst_id += 3;
63 | + }
64 | bi->band_arfcn = htons(rf_arfcn);
65 |
66 | /* Set Channel Number depending on MFrame Task ID */
67 | - bi->chan_nr = mframe_task2chan_nr(mf_task_id, tn);
68 | + bi->chan_nr = mframe_task2chan_nr(mf_task_id, (tn+burst_id)%8);
69 |
70 | /* Set burst id */
71 | - bi->flags = burst_id;
72 | + bi->flags = 0; //burst_id;
73 |
74 | /* Set SACCH indication */
75 | if (mf_task_flags & MF_F_SACCH)
76 |
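Review bot: The bump of `TDMASCHED_NUM_CB` from 8 to 16 and `TDMASCHED_NUM_FRAMES` from 25 to 32 is undocumented; the plausible reason is the larger sched sets this same patch adds to prim_sniff.c (four `SCHED_ITEM_DT`/`SCHED_ITEM` entries in one frame), but nothing in the header says so. Add a comment above the defines, e.g. `/* Sized for the multislot sniff sched sets in layer1/prim_sniff.c */`, so the next person does not shrink them back. The scheduler table grows from 25x8 to 32x16 slots, which is a real RAM increase on this firmware target and worth confirming against the link map.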
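Review bot: `//#include_next` disables the fall-through to the toolchain's stdint.h for `__GNUC__ > 3` by commenting the directive out, leaving no record of why it had to go (a newer GCC without a matching sysroot header is my guess, but the hunk does not say). Prefer `#if 0 /* <reason> */` around the directive, or a build-time switch, and state the reason on the line so a later toolchain change can revert it deliberately. The directive's argument does not survive this rendering; confirm the actual line is `#include_next <stdint.h>` before applying so the patch does not alter something else.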
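Review bot: `burst_id` is silently repurposed: with `burst_id += 3` under `if (ul)` and `(tn+burst_id)%8` in the `mframe_task2chan_nr` call it now carries a timeslot offset, while its name, the `/* Set burst id */` comment and the `l1s_sniff_resp(uint8_t ul, uint8_t burst_id, uint16_t p3)` signature in the hunk header all still say burst index. Document it at the point of use, e.g. `/* burst_id now carries the TS offset relative to tn; uplink bursts lag the downlink by 3 TS, hence +3 */`, and confirm the `%8` wrap is intended for the `tn + 3` uplink case rather than an artifact. `bi->flags = 0; //burst_id;` is commented-out code: either drop the trailing comment or say why the burst id is no longer reported, since whatever reads `flags` on the host side loses that information. l1s_sniff_resp's body starts and continues outside the hunk.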
@@ -242,9 +244,9 @@ l1s_sniff_cmd(uint8_t ul, __unused uint8_t burst_id, __unused uint16_t p3)
77 | dsp_api.db_w->d_ctrl_system |= (1 << B_BCCH_FREQ_IND);
78 |
79 | if (ul) {
80 | - l1s_rx_win_ctrl(arfcn | ARFCN_UPLINK, L1_RXWIN_NB, 3);
81 | + l1s_rx_win_ctrl(arfcn | ARFCN_UPLINK, L1_RXWIN_NB, burst_id);
82 | } else {
83 | - l1s_rx_win_ctrl(arfcn, L1_RXWIN_NB, 0);
84 | + l1s_rx_win_ctrl(arfcn, L1_RXWIN_NB, burst_id);
85 | }
86 |
87 | return 0;
88 |
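Review bot: `burst_id` is now read in both `l1s_rx_win_ctrl` calls, but the signature in the hunk header still marks it `__unused uint8_t burst_id`; drop the `__unused` so the annotation stops misdescribing a live parameter. The two branches now differ only in the ARFCN flag and can collapse to `l1s_rx_win_ctrl(ul ? (arfcn | ARFCN_UPLINK) : arfcn, L1_RXWIN_NB, burst_id);`. Note that the old uplink path passed a fixed 3 here while the new one passes whatever the sched set supplies, whereas l1s_sniff_resp in this same patch adds 3 itself for uplink — the two sides' conventions for the uplink offset now differ, which is worth checking against l1s_rx_win_ctrl's semantics or documenting as intentional. l1s_sniff_cmd's body starts outside the hunk.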
@@ -252,28 +254,56 @@ l1s_sniff_cmd(uint8_t ul, __unused uint8_t burst_id, __unused uint16_t p3)
89 |
90 | const struct tdma_sched_item sniff_xcch_dl_sched_set[] = {
91 | SCHED_ITEM_DT(l1s_sniff_cmd, 0, 0, 0), SCHED_END_FRAME(),
92 | - SCHED_ITEM_DT(l1s_sniff_cmd, 0, 0, 1), SCHED_END_FRAME(),
93 | - SCHED_ITEM(l1s_sniff_resp, -5, 0, 0), SCHED_ITEM_DT(l1s_sniff_cmd, 0, 0, 2), SCHED_END_FRAME(),
94 | - SCHED_ITEM(l1s_sniff_resp, -5, 0, 1), SCHED_ITEM_DT(l1s_sniff_cmd, 0, 0, 3), SCHED_END_FRAME(),
95 | - SCHED_ITEM(l1s_sniff_resp, -5, 0, 2), SCHED_END_FRAME(),
96 | - SCHED_ITEM(l1s_sniff_resp, -5, 0, 3), SCHED_END_FRAME(),
97 | + SCHED_ITEM_DT(l1s_sniff_cmd, 0, 0, 0), SCHED_END_FRAME(),
98 | + SCHED_ITEM(l1s_sniff_resp, -5, 0, 0), SCHED_ITEM_DT(l1s_sniff_cmd, 0, 0, 0), SCHED_END_FRAME(),
99 | + SCHED_ITEM(l1s_sniff_resp, -5, 0, 0), SCHED_ITEM_DT(l1s_sniff_cmd, 0, 0, 0), SCHED_END_FRAME(),
100 | + SCHED_ITEM(l1s_sniff_resp, -5, 0, 0), SCHED_END_FRAME(),
101 | + SCHED_ITEM(l1s_sniff_resp, -5, 0, 0), SCHED_END_FRAME(),
102 | SCHED_END_SET()
103 | };
104 |
105 | const struct tdma_sched_item sniff_xcch_ul_sched_set[] = {
106 | SCHED_ITEM_DT(l1s_sniff_cmd, 3, 1, 0), SCHED_END_FRAME(),
107 | - SCHED_ITEM_DT(l1s_sniff_cmd, 3, 1, 1), SCHED_END_FRAME(),
108 | - SCHED_ITEM(l1s_sniff_resp, -4, 1, 0), SCHED_ITEM_DT(l1s_sniff_cmd, 3, 1, 2), SCHED_END_FRAME(),
109 | - SCHED_ITEM(l1s_sniff_resp, -4, 1, 1), SCHED_ITEM_DT(l1s_sniff_cmd, 3, 1, 3), SCHED_END_FRAME(),
110 | - SCHED_ITEM(l1s_sniff_resp, -4, 1, 2), SCHED_END_FRAME(),
111 | - SCHED_ITEM(l1s_sniff_resp, -4, 1, 3), SCHED_END_FRAME(),
112 | + SCHED_ITEM_DT(l1s_sniff_cmd, 3, 1, 0), SCHED_END_FRAME(),
113 | + SCHED_ITEM(l1s_sniff_resp, -4, 1, 0), SCHED_ITEM_DT(l1s_sniff_cmd, 3, 1, 0), SCHED_END_FRAME(),
114 | + SCHED_ITEM(l1s_sniff_resp, -4, 1, 0), SCHED_ITEM_DT(l1s_sniff_cmd, 3, 1, 0), SCHED_END_FRAME(),
115 | + SCHED_ITEM(l1s_sniff_resp, -4, 1, 0), SCHED_END_FRAME(),
116 | + SCHED_ITEM(l1s_sniff_resp, -4, 1, 0),
SCHED_END_FRAME(),
117 | SCHED_END_SET()
118 | };
119 |
120 | +/* Single slot capture */
121 | +#if 0
122 | const struct tdma_sched_item sniff_tch_sched_set[] = {
123 | - SCHED_ITEM_DT(l1s_sniff_cmd, 0, 0, 0), SCHED_ITEM_DT(l1s_sniff_cmd, 3, 1, 0), SCHED_END_FRAME(),
124 | + SCHED_ITEM_DT(l1s_sniff_cmd, 0, 0, 0), SCHED_ITEM_DT(l1s_sniff_cmd, 0, 1, 0), SCHED_END_FRAME(),
125 | SCHED_END_FRAME(),
126 | - SCHED_ITEM(l1s_sniff_resp, -5, 0, 0), SCHED_ITEM(l1s_sniff_resp, -4, 1, 0), SCHED_END_FRAME(),
127 | + SCHED_ITEM(l1s_sniff_resp, -5, 0, 0), SCHED_ITEM(l1s_sniff_resp, -5, 1, 0), SCHED_END_FRAME(),
128 | SCHED_END_SET()
129 | };
130 | +#endif
131 |
132 | +/* Multislot capture */
133 | +
134 | +// Downlink
135 | +#if 1
136 | +const struct tdma_sched_item sniff_tch_sched_set[] = {
137 | + SCHED_ITEM_DT(l1s_sniff_cmd, 0, 0, 0), SCHED_ITEM_DT(l1s_sniff_cmd, 2, 0, 2),
138 | + SCHED_ITEM_DT(l1s_sniff_cmd, 4, 0, 4), SCHED_ITEM_DT(l1s_sniff_cmd, 6, 0, 6), SCHED_END_FRAME(),
139 | + SCHED_END_FRAME(),
140 | + SCHED_ITEM(l1s_sniff_resp, -5, 0, 0), SCHED_ITEM(l1s_sniff_resp, -4, 0, 2),
141 | + SCHED_ITEM(l1s_sniff_resp, -3, 0, 4), SCHED_ITEM(l1s_sniff_resp, -2, 0, 6), SCHED_END_FRAME(),
142 | + SCHED_END_SET()
143 | +};
144 | +
145 | +#else
146 | +
147 | +// Uplink
148 | +const struct tdma_sched_item sniff_tch_sched_set[] = {
149 | + SCHED_ITEM_DT(l1s_sniff_cmd, 0, 1, 0), SCHED_ITEM_DT(l1s_sniff_cmd, 2, 1, 2),
150 | + SCHED_ITEM_DT(l1s_sniff_cmd, 4, 1, 4), SCHED_ITEM_DT(l1s_sniff_cmd, 6, 1, 6), SCHED_END_FRAME(),
151 | + SCHED_END_FRAME(),
152 | + SCHED_ITEM(l1s_sniff_resp, -5, 1, 0), SCHED_ITEM(l1s_sniff_resp, -4, 1, 2),
153 | + SCHED_ITEM(l1s_sniff_resp, -3, 1, 4), SCHED_ITEM(l1s_sniff_resp, -2, 1, 6), SCHED_END_FRAME(),
154 | + SCHED_END_SET()
155 | +};
156 | +#endif
157 | --------------------------------------------------------------------------------
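Review bot: The capture direction is chosen by hand-editing `#if 1` / `#else` around two definitions of `sniff_tch_sched_set`, and the old single-slot set is kept under `#if 0` — dead code that this patch nonetheless edits (the `3, 1, 0` → `0, 1, 0` and `-4` → `-5` changes never compile). Replace the literal with a named switch such as `#ifdef SNIFF_TCH_UPLINK` (name constructed) that the build can set, and delete the `#if 0` block instead of maintaining it. A comment on the multislot sets should also state that the last `SCHED_ITEM_DT`/`SCHED_ITEM` argument (0/2/4/6 here) appears to be the timeslot offset consumed by l1s_sniff_cmd and l1s_sniff_resp, since nothing in the macro names says so. The rewritten xcch sets pass 0 everywhere for that argument, which fits the offset meaning but silently drops the per-burst index the old sets encoded; a one-line note there would spare the next reader the archaeology.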