1) ARFCN tool install:
ARFCN tool is a little piece of software that calculates the uplink and downlink frequencies of GSM through the ARFCN number or viceversa.
I have only been able to compile it correctly in Ubuntu, not in Kali linux. But don’t worry because there are some web pages that do the same calculation online. So you will be able to run all the software in Kali linux for sure.
So to get the files to compile the tool go to the following link and click on the download button: http://www.runningserver.com/?page=runningserver.content.download.arfcncalc
(this will download a .tar file)
Then you have to enter the following commands:
(and is all you have to do, if all is correct now you can use the tool)
./arfcncalc -d -a 124
(this command will show the downlink frequency of the ARFCN number 124)
To see all the options of the ARFCN tool enter the next command:
usuari@usuari-EasyNote-TM98:~/Documentos/SDR/arfcncalc$ ./arfcncalc -help
ArfcnCalc – GSM frequency calculation tool V.1.0
Copyright(c) 2010 Philipp Fabian Benedikt Maier
CAUTION: This is a very early version of this program. It might still contain
some bugs that might cause wrong calculation results. If you find a
bug, please email to: email@example.com – Thanks!
This is a tool for calculating the resulting frequency from a given ARFCN
and can be used easyly in shellscripts for doing arfcn calculations
The following options are available
-h or -? …….. Print this screen.
-v ………….. Verbose output.
-u ………….. Calculate uplink frequency / Treat frequency as uplink
-d ………….. Calculate downlink frequency / Treat frequency as downlik
-b ………….. Specify band (optional, needed with GSM1900/1800).
-p ………….. Generate a bandplan with all known arfcns.
-f ………….. Find an Arfcn for a given frequency
The following bands can be handled (option -b):
450 …………. GSM450
480 …………. GSM480
850 …………. GSM850
900 …………. GSM900 (P-GSM, E-GSM and R-GSM)
1800 ………… GSM1800 \__Caution:
1900 ………… GSM1900 / Conflicting ARFCN-Numbers!
arfcncalc -a arfcen [-udv -b band] ….. Calculate the frequency for an arfcn
arfcncalc -f frequency [-udv -b band] .. Calculate arfcn for a frequency
arfcncalc -p ……………………… Generate bandplan
arfcncalc -a 512 -b 1900 -d … Calc downlink frequency (GSM1900) of Arfcn 512
arfcncalc -a 123 -v ……….. Get verbose information about Arfcn 123
arfcncalc -f 959600000 -d ….. Get an arfcn for the dnlink frequency 959.6Mhz
If the software doesn’t work in Kali linux use the next link, which is a table of ARFCN conversion and does exactly the same of the software explained above but only with a look: https://gsm.ks.uni-freiburg.de/arfcn.php
There are some online calculators but I haven’t needed them.
2) Kalibrate tool install:
Kalibrate(kal) can scan for GSM base stations in a given frequency band and
can use those GSM base stations to calculate the local oscillator frequency
In our case we will use it to see what are the main GSM frequencies of our area and look for the ones inside our GSM providers frequency band.
To install and compile this tool, we can follow the next youtube video: http://www.youtube.com/watch?v=VaKzhaf5iKg
Also this is the thread in RTL-SDR blog which links to the video above: http://www.rtl-sdr.com/how-to-calibrate-rtl-sdr-using-kalibrate-rtl-on-linux
This is the source on Github: https://github.com/steve-m/kalibrate-rtl
The steps to compile, which are the same as the video are the followings ones:
git clone https://github.com/steve-m/kalibrate-rtl
cd kalibrate-rtl ./bootstrap && CXXFLAGS='-W -Wall -O3' ./configure make make install
It can produce some errors but although some usages may not run, the one which we are interested in will run perfectly so, there’s not a problem.
This is an example of usage:
root@kali:/home/SDR/kalibrate-rtl# kal -s GSM900
Found 1 device(s):
0: ezcap USB 2.0 DVB-T/DAB/FM dongle
Using device 0: ezcap USB 2.0 DVB-T/DAB/FM dongle
Found Rafael Micro R820T tuner
Exact sample rate is: 270833.002142 Hz
kal: Scanning for GSM-900 base stations.
chan: 74 (949.8MHz – 39.881kHz) power: 100204.30
chan: 101 (955.2MHz – 39.456kHz) power: 91973.50
chan: 108 (956.6MHz – 39.531kHz) power: 181214.37
chan: 115 (958.0MHz – 39.590kHz) power: 65380.82
In this example we can see which channels are the most powerful ones and in this case I will tune the RTL-SDR dongle to any of these frequencies because the frequency range of my mobile service provider is Vodafone and it has the frequency band of: 949,9 – 959,9 MHz.
This can be seen in my general thread about GSM on STEP 2: https://ferrancasanovas.wordpress.com/cracking-and-sniffing-gsm-with-rtl-sdr-concept/
3) Kraken tool install:
The Kraken tool is a software created by Karsten Nohl and is used to get the Kc key from some received frames of GSM and crack this key to decode the information and get a voice call or a SMS data from the GSM information that you have sniffed with RTL-SDR dongle.
This tool is really amazing because it tries with some frames to get the key using the same algorithms as GSM system. The only thing that you must provide is the correct frames of each voice call, so you must understand the system very well and be able to identify the necessary frames for Kraken tool input.
I tried to get this tool running but I wasn’t able to get it working. So I used another method to get the Kc key, which is only for my own mobile phone and can’t get the others’ keys.
You can see how I get the Key in a further thread I will create and on the STEP 3 of the GSM general post: https://ferrancasanovas.wordpress.com/cracking-and-sniffing-gsm-with-rtl-sdr-concept/
First of all we will get the files from github repository:
git clone git://git.srlabs.de/kraken.git
This link says that the repository is only for reading: https://opensource.srlabs.de/projects/a51-decrypt/wiki
Then we only have to follow the next steps but I think that the compilation will not end in success.
The problem is that the kraken tool needs a separate GPU core to realize hard CPU spending tasks with the A5/1 tables to unencypt the frames of GSM. The separate GPU that Karsten Nohl recommended to me by mail is an ATI 5xxx GPU.
Here is the link to download the A5/1 rainbow tables that use the kraken tool: https://opensource.srlabs.de/projects/a51-decrypt/files (You can download them from torrent with any linux distribution and I recommend you to download the last file which is a .tgz and contains all of the above tables).
The Kraken tool uses these rainbow tables to compare the input frames and run the algorithm of GSM system with the frames of a voice call and reproduce the process to extract the Kc key by the same way as the BTS tower does.
So you can try to use these steps but I don’t think they will work. I’m only showing another way of sniffing GSM frames.
cd Utilities make cd .. cd Kraken ./build.sh cd.. cd a5_cpu ./build.sh cd .. cd TableConvert make cd .. cd TableGeneration make (error 1) cd .. cd a5_ati make (error 1)
These 2 errors are the ones which I have found. I think that the rainbow tables files must be placed in a specified directory inside the one created with the github repository, but I don’t know exactly what is the correct one.
And the second error is caused by the lack of a separate GPU unit like an ATi, which I explained above.
I recommend you to see the next youtube video in which Karsten Nohl explains how to crack an sniff a GSM voice call: http://www.youtube.com/watch?v=0hjn-BP8nro
I know that the video takes about 1 hour to finalize but is really amazing and interesting and it talks about his Kraken tool and uses this tool to decode the voice call, so you will be able to see the tool running correctly.
This is another page that talks about Kraken tool: https://lists.srlabs.de/pipermail/a51/2010-July/000683.html
This is also the tutorial which explains the process of decoding a voice call with Kraken, which is quite difficult for someone like me who is a beginner of GSM system: https://srlabs.de/airprobe-how-to/
This is also another example of the steps you would follow: https://lists.srlabs.de/pipermail/a51/2010-July/000688.html
4) Toast tool install:
The toast tool is a software that converts the GSM files that produce Airprobe to audio files that can be played with all of audio players such as VLC.
This tool will be used at the final steps of the GSM cracking produce to get the final file to listen the decoded and sniffed voice call.
Page to download it by clicking at the top of the page the link named: “- free sourcecode“:
There are some explanations about what type of audio files are the GSM files produced by Airprobe and in what type we must convert them to be listened with VLC player.
I recommend you to read the information in this page for further explanations. Now we will proceed with the install steps.
Steps to get Toast tool running:
(instead of downloading the file by clicking in the button you can directly use this command to get the file at the directory that you want)
tar -zxvf gsm-1.0.13.tar.gz cd gsm-1.0-pl13 make make install cd bin ./toast -d file
(where file is the name of the GSM file that we want to convert to an audio file)
5) VLC player install:
To finalize I recommend to download the VLC player which can be used without the graphical interface via the terminal prompt only and is very flexible.
To install it you only have to go to the Ubuntu Software Center or Add/remove Software program, and look for VLC player and install it. It’s possible that the packets are only available in Ubuntu Software Center but there is not a problem because you can download it in Kali linux as I explained in other threads.
This is an image to see how is the graphical interface of VLC player.
You can use also the VLC player through the terminal prompt using the command:
(where file is the audio file you want to play)
And there are all the related softwares that must be used during the GSM sniffing procedure to see the results.