
a51_kraken #11

Closed
hncaga opened this issue Nov 21, 2017 · 8 comments

Comments

@hncaga

hncaga commented Nov 21, 2017

Hi, I'm always encountering this exception every time I'm trying to use the kraken module. Is it because of my setup or a bug?

Here's my GAT output:

gat > analyze immediate --bursts /tmp/sample.bursts -m BCCH_SDCCH4
FNR  TYPE  TIMESLOT  TIMING ADVANCE  SUBCHANNEL HOPPING

==============================================================================
| FNR      | TYPE     | TIMESLOT  | TIMING ADVANCE  | SUBCHANNEL  | HOPPING  |
==============================================================================
| 1178789  | SDCCH/8  | 1         | 1               | 0           | N        |
------------------------------------------------------------------------------

gat > analyze cipher --bursts /tmp/sample.bursts -m SDCCH8 -t 1
CMCs:
Framenumber: 1178967   A5/1

gat > a51_kraken --bursts /tmp/sample.bursts --frame-cmc 1178967 -m SDCCH8 -t 1 -v
Cipher Mode Command at 1178967
Using SDCCH message bursts 1179018 - 1179022
Using SDCCH message bursts 1179069 - 1179073
Using SDCCH message bursts 1179120 - 1179124
Using SDCCH message bursts 1179171 - 1179175
ERROR: unhandled exception in Plugin command a51_kraken.
Message was:

gat >

Here's the output from my kraken server:

Allocated 41281052 bytes: ../indexes//250.idx
Allocated 41274520 bytes: ../indexes//124.idx
Tables: 132,324,364,388,268,148,260,156,164,356,348,436,172,500,180,372,428,188,492,196,140,420,204,212,292,412,220,396,100,230,340,380,404,108,238,116,332,276,250,124
Commands are: crack test quit
Cracking 110001011001011010011001101000001101100001101001001100001101011101101100011100010011011100001100011100111110001110
crack #0 took 163580 msec
Cracking 110010001000001000001111001011101101000110000100011111011111111011011111001011111111100010001000010001001111101011
crack #1 took 163804 msec
Cracking 111000110011111001001110101011001100001101011001000111101001000101000001000001110110001110101110001010010110011010
crack #2 took 163345 msec
Cracking 001111111010011010010111011100100110000110001000101010010101000100111011010101000001000000010111111110010010011100
crack #3 took 163770 msec
Cracking 100101110000000011110011111011111001111011100110100111110011110011101010111110101100011101101001111000011111011101
crack #4 took 162527 msec
Cracking 111110011100001100111110001101110011011000100001101110000011111100111010011001111000011011110111010010110101110010
crack #5 took 162704 msec
Cracking 110000001011111001111000110100000110001010000111011011110101100101101101001111111110111101111100111111101111110001
crack #6 took 163333 msec
Cracking 111111101000001001011101001011110001010001011000110011110111000001010010000011011100011010100011110010100001101001
crack #7 took 163828 msec
Cracking 011110001110101001011111101111001010011100011001001000101000110110010001110010010100011000100110000010111110001101
crack #8 took 164285 msec
Cracking 100100100001011010111001110000111100000110101110111010111101010111001100111001001011111000101001000011010011111010
crack #9 took 162402 msec
Cracking 000011000111100111111001111001110001100011001110000111011100111110100010101011100000110001100011111010010000000000
crack #10 took 163272 msec
Cracking 110010110110100110000011000101011001000000110111001110101011000000100111001000000001111011010010000101110010101000
crack #11 took 163199 msec
Cracking 101011011000100110100001001001111101111111001111001101000000001110010010001100011100111100001101000100001111110110
crack #12 took 162164 msec

I'm thinking it's just throwing an unhandled exception if a potential key is not found after testing all possible frame numbers. I really have no idea. Thanks a lot.

HNC

@romankh
Owner

romankh commented Nov 21, 2017

Hi,

If it doesn't find the key, it should just print out that the key could not be found.
Are the bursts 1179171,...,1179175 in the burst file you provided?

@hncaga
Author

hncaga commented Nov 21, 2017

Hi, I don't know exactly if those bursts are in the file. For testing purposes, I just saved the bursts file in the /tmp/ directory. This happens to me every time I run the a51_kraken module. It always throws the:

ERROR: unhandled exception in Plugin command a51_kraken.
Message was:

not just with this sample bursts file. So I'm wondering if I'm doing it wrong, or if it is a bug. I also encountered this on a freshly installed Ubuntu 16.04, but the error is still the same. Before, I was also encountering the same error as in #10, but it's working now after the commit.

Thanks a lot
HNC

@romankh
Owner

romankh commented Nov 21, 2017

A bug is likely; there were some changes in gr-gsm. I need to do some more investigation, which will take a few days. For example, it looks like the decoded data of at least some of my test data has changed since my last update of gr-gsm.

The easiest way to check if those bursts are in the file:

  • start a Wireshark recording session; if Wireshark is installed, use wireshark in gat
  • run decode -t 1 --bursts /tmp/sample.bursts
  • see if those frame numbers are in the Wireshark capture

If you like, you can also send me a capture that is producing the error; I won't publish it or use it for anything other than debugging.

@hncaga
Author

hncaga commented Nov 22, 2017

Hello, I tried to use the a51_kraken module again. Here are the commands and the output that I've got. Where can I send the burst file?

gat > capture_rtlsdr -b P-GSM -f 941740000 --bursts /tmp/sample.bursts --length 120
gr-osmosdr v0.1.4-77-g2a2236cc (0.1.5git) gnuradio 3.7.11
built-in source types: file fcd rtl rtl_tcp uhd hackrf bladerf rfspace airspy redpitaya 
Using device #0 Generic RTL2832U SN: 77771111153705700
Detached kernel driver
Found Rafael Micro R820T tuner
[R82XX] PLL not locked!
Exact sample rate is: 2000000.052982 Hz
[R82XX] PLL not locked!

gat > analyze immediate --bursts /tmp/sample.bursts -m BCCH_SDCCH4
FNR  TYPE  TIMESLOT  TIMING ADVANCE  SUBCHANNEL HOPPING

=============================================================================
| FNR     | TYPE     | TIMESLOT  | TIMING ADVANCE  | SUBCHANNEL  | HOPPING  |
=============================================================================
| 338152  | SDCCH/8  | 1         | 0               | 4           | N        |
-----------------------------------------------------------------------------
| 337534  | SDCCH/8  | 3         | 1               | 1           | Y        |
-----------------------------------------------------------------------------
| 328425  | SDCCH/8  | 1         | 1               | 5           | N        |
-----------------------------------------------------------------------------

gat > analyze cipher --bursts /tmp/sample.bursts -m SDCCH8 -t 1
CMCs:
Framenumber: 328613   A5/1
Framenumber: 338350   A5/1

gat > a51_kraken --bursts /tmp/sample.bursts --frame-cmc 328613 -m SDCCH8 -t 1 -v
Cipher Mode Command at 328613
Using SDCCH message bursts 328664 - 328668
Cracking Burst : 100000011101010000010111101100000010001110111111100000011101011111001101000110010001001111110110000001111011010101
Cracking Burst : 111010000101101000110101011010011111001110011000001111011001110001111011100001010011000101100100011010001000010111
Cracking Burst : 000101100100000110111011011010110110100001000111101010101110101011001011101011001101011111101110011011001011110101
Cracking Burst : 010001110001111010000110100001000101010011111001011110111011100100001100011110010111111011010100110100101111000100
Using SDCCH message bursts 328715 - 328719
Cracking Burst : 110000000111010101010111001001100011111110110101110100100100110000001111110101010110100110111101100010111101110101
Cracking Burst : 101000001000001110010101111010000101110001010000011010001101111100101000011011110001011010110100101101011111110000
Cracking Burst : 110110110110100100010010111111100110011100000101101101010111010110011101000010000000010100111111100111000000101100
Cracking Burst : 000110111000011000001000111110001010101100000001101100010001000111001010010011101010111110001100100001100110000110
Using SDCCH message bursts 328766 - 328770
Cracking Burst : 011111010111010000100101111100010011100110000100110000000111011110011000010101010101110101010000010100111101011110
Cracking Burst : 010110011111000011110011010011001111101100111011010010010111100100111001001001011001011000110010010111101100101011
Cracking Burst : 000000011110001101001000110110101100110111101001101010111101111010010111011111101100000110101111010011001001000010
Cracking Burst : 111010101110101101100111011001010111110001101111100010011101111010010101100111101101001101101001101110000110011010
Using SDCCH message bursts 328817 - 328821
Cracking Burst : 001001111001010001111001010000001101111110000010101110000100110101000011000001111011110010110110100010010100000111
Cracking Burst : 101111100100100100000101000010001011100000000101010101011001100001011001110001001100110111100110000010101110101111
Cracking Burst : 000111111010000100100011011011101000011000000100110110010000101010000110000101001101100010110000101100101000110010
Cracking Burst : 010000100100000101111111010001011111111100100100111100010001111111000110011000000100011111100011111000100101111011
Using SDCCH message bursts 328868 - 328872
Cracking Burst : 001000011111100111100100100001111011100101111101110001101110110111100110010111011110001111100111111111000100111010
Cracking Burst : 011010110010110110101101001111000001101000001001100111110011000101011101100110001101000111101100010001111011011010
Cracking Burst : 010101100000011011100001110110010010010100100111011010010101100000101000001000010001001010010100110110000100110001
Cracking Burst : 000101011101001000100011110001000001110011111100100100011010101000101101010111011100110100101001010100001000011010
ERROR: unhandled exception in Plugin command a51_kraken.
Message was: 

gat > 

I modified a51_kraken temporarily to show the current bursts while testing.

By the way, I have a bladeRF SDR, and if there's anything I can do to make it compatible with gat, I'm willing to contribute. Thanks

HNC

@romankh
Owner

romankh commented Nov 22, 2017

Please send it to rkhassraf@gmail.com
It could take until the weekend until I have a fix.

Regarding bladeRF and contribution:
I would like to have more hardware supported, so that would be great.
Do you have any working flowgraph for gr-gsm that uses HackRF and that you could provide?
I think it shouldn't be a problem to support bladeRF.

@hncaga
Author

hncaga commented Nov 23, 2017

Email sent, sir. I will try to generate a cfile and burst file using bladeRF this afternoon. I will also send you the .grc.
Thanks

@romankh
Owner

romankh commented Nov 23, 2017

Ok, I found the reason for that exception.
I forgot to document a dependency, i.e. an external library that must be installed on your computer for the SACCH attack.

What you need to do is download, build and install gsmframecoder.tar.gz on your system. It needs to be in the path so that you can call it from the command line.

I will add some documentation about that tomorrow, and will open an issue to find a better solution for that.
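An added example (not gat's own code, nor anything from this thread's participants) of the kind of preflight check that would have turned the empty "Message was:" line into an actionable error: it resolves the external helpers named in this thread (gsmframecoder, and find_kc from the later comment) on PATH before the plugin command runs. Only the two tool names come from the thread; the function names, the remediation hints and the stub-directory helper are assumptions.

```python
"""Preflight check for the external helpers this thread names (added example, not gat code).
Verifies that gsmframecoder and find_kc resolve on PATH and reports an actionable error
instead of a failing subprocess surfacing as an empty "Message was:" line."""
import os
import shutil
import tempfile

# Tool names are from the thread; the remediation hints are assumptions.
REQUIRED_TOOLS = {
    "gsmframecoder": "build and install gsmframecoder.tar.gz and put it on PATH",
    "find_kc": "build find_kc and put it on PATH",
}


class MissingDependencyError(RuntimeError):
    """Raised with a full message instead of an empty exception text."""


def missing_tools(required=REQUIRED_TOOLS, path=None):
    """Names of required tools that cannot be resolved as executables on PATH."""
    return [name for name in required if shutil.which(name, path=path) is None]


def check_dependencies(required=REQUIRED_TOOLS, path=None):
    """Raise MissingDependencyError listing every missing tool and its fix."""
    missing = missing_tools(required, path)
    if missing:
        lines = ["a51_kraken needs external tools that were not found on PATH:"]
        lines += [f"  {name}: {required[name]}" for name in missing]
        raise MissingDependencyError("\n".join(lines))
    return True


def describe_exception(exc):
    """Text for the plugin's 'Message was:' line; never empty, even for bare exceptions."""
    text = str(exc).strip()
    return text or f"{type(exc).__name__} raised without a message"


def make_stub_tool_dir(names=tuple(REQUIRED_TOOLS)):
    """Create a temp dir holding executable stubs (constructed, for demonstration only)."""
    directory = tempfile.mkdtemp(prefix="gat-tools-")
    for name in names:
        stub = os.path.join(directory, name)
        with open(stub, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(stub, 0o755)
    return directory
```

Calling `check_dependencies()` with no `path` argument checks the real PATH, which is where such a check belongs at plugin start-up.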

@hncaga
Author

hncaga commented Nov 24, 2017

Yep! Got it. I thought the function of gsmframecoder was already coded into gat. Before, even in manual cracking, I used to place gsmframecoder (including find_kc) in the same working directory.

I forgot that I also encountered the same error here in gat when I forgot to copy the find_kc file into the same folder. I think this issue has been resolved. I will send the bladeRF sample bursts and other files, including the .grc, later. Thanks a lot
