ARFCN tool, Kalibrate tool and others – setup

1) ARFCN tool install:

ARFCN tool is a small program that calculates the GSM uplink and downlink frequencies from an ARFCN number, or vice versa.

I have only been able to compile it correctly in Ubuntu, not in Kali Linux. But don’t worry, because there are some web pages that do the same calculation online, so you will be able to run all the software in Kali Linux for sure.

To get the files to compile the tool, go to the following link and click on the download button: http://www.runningserver.com/?page=runningserver.content.download.arfcncalc

(this will download a .tar file)

Then you have to enter the following commands:

tar -xvf arfcncalc.tar

(and that is all you have to do; if everything went well you can now use the tool)

For example:

./arfcncalc -d -a 124

(this command will show the downlink frequency of the ARFCN number 124)

To see all the options of the ARFCN tool, enter the following command:

usuari@usuari-EasyNote-TM98:~/Documentos/SDR/arfcncalc$ ./arfcncalc -help

_______________________________________________________________________________
ArfcnCalc - GSM frequency calculation tool V.1.0
Copyright(c) 2010 Philipp Fabian Benedikt Maier

CAUTION: This is a very early version of this program. It might still contain
some bugs that might cause wrong calculation results. If you find a
bug, please email to: philipp.maier@runningserver.com - Thanks!

This is a tool for calculating the resulting frequency from a given ARFCN
and can be used easyly in shellscripts for doing arfcn calculations

The following options are available
-h or -? ........ Print this screen.
-v .............. Verbose output.
-u .............. Calculate uplink frequency  / Treat frequency as uplink
-d .............. Calculate downlink frequency / Treat frequency as downlik
-b .............. Specify band (optional, needed with GSM1900/1800).
-p .............. Generate a bandplan with all known arfcns.
-f .............. Find an Arfcn for a given frequency

The following bands can be handled (option -b):
450 ............. GSM450
480 ............. GSM480
850 ............. GSM850
900 ............. GSM900 (P-GSM, E-GSM and R-GSM)
1800 ............ GSM1800 \__Caution:
1900 ............ GSM1900 /  Conflicting ARFCN-Numbers!

Usage:
arfcncalc -a arfcen [-udv -b band] ..... Calculate the frequency for an arfcn
arfcncalc -f frequency [-udv -b band] .. Calculate arfcn for a frequency
arfcncalc -p ........................... Generate bandplan

Examples:
arfcncalc -a 512 -b 1900 -d ... Calc downlink frequency (GSM1900) of Arfcn 512
arfcncalc -a 123 -v ........... Get verbose information about Arfcn 123
arfcncalc -f 959600000 -d ..... Get an arfcn for the dnlink frequency 959.6Mhz
________________________________________________________________________________

If the software doesn’t work in Kali Linux, use the following link. It is an ARFCN conversion table that does exactly the same as the software explained above, just by looking the value up: https://gsm.ks.uni-freiburg.de/arfcn.php

There are also some online calculators, but I haven’t needed them.

2) Kalibrate tool install:

Kalibrate (kal) can scan for GSM base stations in a given frequency band and can use those GSM base stations to calculate the local oscillator frequency offset.

In our case we will use it to see which GSM frequencies are the strongest in our area and look for the ones inside our GSM provider’s frequency band.

To install and compile this tool, we can follow this YouTube video: http://www.youtube.com/watch?v=VaKzhaf5iKg
This is the thread on the RTL-SDR blog that links to the video above: http://www.rtl-sdr.com/how-to-calibrate-rtl-sdr-using-kalibrate-rtl-on-linux

This is the source on Github: https://github.com/steve-m/kalibrate-rtl

The steps to compile, which are the same as in the video, are the following:

git clone https://github.com/steve-m/kalibrate-rtl

cd kalibrate-rtl
./bootstrap && CXXFLAGS='-W -Wall -O3' ./configure
make
make install

It can produce some errors, and although some usages may not run, the one we are interested in will run perfectly, so there’s no problem.
This is an example of usage:

root@kali:/home/SDR/kalibrate-rtl# kal -s GSM900

____________________________________________________________
Found 1 device(s):
0:  ezcap USB 2.0 DVB-T/DAB/FM dongle

Using device 0: ezcap USB 2.0 DVB-T/DAB/FM dongle
Found Rafael Micro R820T tuner
Exact sample rate is: 270833.002142 Hz
kal: Scanning for GSM-900 base stations.
GSM-900:
chan: 74 (949.8MHz - 39.881kHz)    power: 100204.30
chan: 101 (955.2MHz - 39.456kHz)    power: 91973.50
chan: 108 (956.6MHz - 39.531kHz)    power: 181214.37
chan: 115 (958.0MHz - 39.590kHz)    power: 65380.82
____________________________________________________________

In this example we can see which channels are the most powerful. In this case I will tune the RTL-SDR dongle to any of these frequencies, because my mobile service provider is Vodafone and its frequency band is 949.9 to 959.9 MHz.
This can be seen in STEP 2 of my general thread about GSM: https://ferrancasanovas.wordpress.com/cracking-and-sniffing-gsm-with-rtl-sdr-concept/
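The ARFCN-to-frequency arithmetic that arfcncalc performs (section 1) and the channel numbers kal prints in the scan above both come from the same per-band formulas, so one added example covers both. This is example code written for this post, not code from arfcncalc or kalibrate-rtl; the band table follows the 3GPP TS 45.005 channel numbering, the kal lines it parses are constructed to match the listing above, and the function names (arfcn_to_khz, khz_to_arfcn, parse_kal_scan, strongest) are my own.

```python
"""ARFCN <-> GSM frequency calculator, plus a check of kal's channel listing.

Added example for this post; it is neither arfcncalc's nor kalibrate-rtl's code.
Channel formulas follow 3GPP TS 45.005 section 2. Frequencies are kept in kHz
as integers so the results are exact.
"""
import re

SPACING_KHZ = 200  # GSM channel raster

# band -> list of (first ARFCN, last ARFCN, uplink kHz of first ARFCN, duplex spacing kHz).
# Uplink is what the mobile transmits (lower sub-band); downlink is what the BTS
# transmits, one duplex spacing higher.
BANDS = {
    "GSM450": [(259, 293, 450_600, 10_000)],
    "GSM480": [(306, 340, 479_000, 10_000)],
    "GSM850": [(128, 251, 824_200, 45_000)],
    # 0-124 covers P-GSM (1-124) and E-GSM channel 0; 955-1023 is the E-GSM/R-GSM extension
    "GSM900": [(0, 124, 890_000, 45_000), (955, 1023, 876_200, 45_000)],
    # GSM1800 and GSM1900 reuse the same ARFCN numbers, hence arfcncalc's "conflicting" warning
    "GSM1800": [(512, 885, 1_710_200, 95_000)],
    "GSM1900": [(512, 810, 1_850_200, 80_000)],
}


def _bands_containing(arfcn, band=None):
    """Band names in which `arfcn` is defined (restricted to `band` when given)."""
    return [
        name for name, ranges in BANDS.items()
        if (band is None or name == band)
        and any(first <= arfcn <= last for first, last, _, _ in ranges)
    ]


def arfcn_to_khz(arfcn, band=None, downlink=True):
    """Frequency in kHz of `arfcn`, like `arfcncalc -a N [-b band] -d/-u`."""
    matches = _bands_containing(arfcn, band)
    if not matches:
        raise ValueError(f"ARFCN {arfcn} is not defined in {band or 'any band'}")
    if len(matches) > 1:
        raise ValueError(f"ARFCN {arfcn} exists in {matches}; pass band= to choose one")
    for first, last, uplink_first, duplex in BANDS[matches[0]]:
        if first <= arfcn <= last:
            uplink = uplink_first + SPACING_KHZ * (arfcn - first)
            return uplink + duplex if downlink else uplink


def khz_to_arfcn(freq_khz, downlink=True):
    """(band, ARFCN) of a frequency that lies on the raster, like `arfcncalc -f F -d/-u`."""
    for name, ranges in BANDS.items():
        for first, last, uplink_first, duplex in ranges:
            offset = freq_khz - (uplink_first + (duplex if downlink else 0))
            if offset < 0 or offset % SPACING_KHZ:
                continue
            arfcn = first + offset // SPACING_KHZ
            if arfcn <= last:
                return name, arfcn
    raise ValueError(f"{freq_khz} kHz is not a GSM {'downlink' if downlink else 'uplink'} channel")


# kal prints one line per detected carrier: "chan: N (F MHz +/- offset kHz) power: P".
# The dash may be a hyphen or an en-dash depending on how the output was pasted.
KAL_LINE = re.compile(
    r"chan:\s*(\d+)\s*\(([\d.]+)MHz\s*([+\-\u2013])\s*([\d.]+)kHz\)\s*power:\s*([\d.]+)"
)


def parse_kal_scan(text, band="GSM900"):
    """Parse `kal -s` output, check each channel against the band formula and
    express kal's measured offset as ppm of the nominal carrier frequency."""
    carriers = []
    for m in KAL_LINE.finditer(text):
        chan, mhz, sign, offset_khz, power = m.groups()
        expected_khz = arfcn_to_khz(int(chan), band=band, downlink=True)
        offset_hz = (1 if sign == "+" else -1) * float(offset_khz) * 1000
        carriers.append({
            "arfcn": int(chan),
            "mhz": float(mhz),
            "matches_formula": round(float(mhz) * 1000) == expected_khz,
            "ppm": round(offset_hz / (expected_khz * 1000) * 1e6, 2),
            "power": float(power),
        })
    return carriers


def strongest(carriers):
    """ARFCN with the highest reported power (what the post picks by eye)."""
    return max(carriers, key=lambda c: c["power"])["arfcn"]


# Constructed sample in the layout of the kal listing quoted in the post.
SAMPLE_KAL = """\
GSM-900:
chan: 74 (949.8MHz - 39.881kHz)    power: 100204.30
chan: 101 (955.2MHz - 39.456kHz)    power: 91973.50
chan: 108 (956.6MHz - 39.531kHz)    power: 181214.37
chan: 115 (958.0MHz - 39.590kHz)    power: 65380.82
"""

if __name__ == "__main__":
    print(arfcn_to_khz(124) / 1000, "MHz")   # same question as: arfcncalc -d -a 124
    print(khz_to_arfcn(959_600))              # same question as: arfcncalc -f 959600000 -d
    for carrier in parse_kal_scan(SAMPLE_KAL):
        print(carrier)
    print("strongest ARFCN:", strongest(parse_kal_scan(SAMPLE_KAL)))
```

Running it reproduces the two arfcncalc examples (ARFCN 124 downlink is 959.8 MHz; 959.6 MHz downlink is ARFCN 123), confirms that every channel in the kal listing sits exactly where the GSM900 formula puts it, and picks ARFCN 108 as the strongest carrier. The ppm figure is the measured offset divided by the nominal carrier frequency, which is the quantity kal's -c mode averages over many bursts to estimate the dongle's oscillator error; a few tens of ppm, as in this listing, is the order of magnitude usually seen on an uncalibrated RTL2832U dongle.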

3) Kraken tool install:

The Kraken tool is software created by Karsten Nohl. It takes some received GSM frames, recovers the Kc key from them, and with that key decodes the voice call or SMS data from the GSM traffic you have sniffed with the RTL-SDR dongle.

This tool is really amazing because, from a few frames, it recovers the key using the same algorithms as the GSM system. The only thing you must provide is the correct frames of each voice call, so you must understand the system very well and be able to identify the frames needed as input for the Kraken tool.

I tried to get this tool running but wasn’t able to. So I used another method to get the Kc key, which only works for my own mobile phone and can’t get other people’s keys.

You can see how I get the key in a further thread I will create, and in STEP 3 of the general GSM post: https://ferrancasanovas.wordpress.com/cracking-and-sniffing-gsm-with-rtl-sdr-concept/
First of all we get the files from the git repository:

git clone git://git.srlabs.de/kraken.git

This page says that the repository is read-only: https://opensource.srlabs.de/projects/a51-decrypt/wiki

Then we only have to follow the next steps, but I think the compilation will not succeed.
The problem is that the Kraken tool needs a separate GPU to perform the heavy computation over the A5/1 tables used to decrypt the GSM frames. The GPU that Karsten Nohl recommended to me by mail is an ATI 5xxx.

Here is the link to download the A5/1 rainbow tables used by the Kraken tool: https://opensource.srlabs.de/projects/a51-decrypt/files (you can download them via torrent with any Linux distribution; I recommend the last file, which is a .tgz containing all of the tables above).
The Kraken tool uses these rainbow tables to look up the input frames: it runs the GSM algorithm over the frames of a voice call and reproduces the process to extract the Kc key in the same way the BTS does.

So you can try these steps, but I don’t think they will work. I’m only showing them as another way of sniffing GSM frames.

cd Utilities

make

cd ..

cd Kraken

./build.sh

cd ..

cd a5_cpu

./build.sh

cd ..

cd TableConvert

make

cd ..

cd TableGeneration

make (error 1)

cd ..

cd a5_ati

make (error 1)

These are the 2 errors I have found. I think the rainbow table files must be placed in a specific directory inside the one created by the git clone, but I don’t know exactly which one.
The second error is caused by the lack of a separate GPU such as an ATI, as I explained above.

I recommend you watch the following YouTube video, in which Karsten Nohl explains how to crack and sniff a GSM voice call: http://www.youtube.com/watch?v=0hjn-BP8nro

I know the video is about 1 hour long, but it is really amazing and interesting: it talks about his Kraken tool and uses it to decode the voice call, so you will be able to see the tool running correctly.

This is another page that talks about the Kraken tool: https://lists.srlabs.de/pipermail/a51/2010-July/000683.html

This is the tutorial that explains the process of decoding a voice call with Kraken, which is quite difficult for someone like me who is a beginner with the GSM system: https://srlabs.de/airprobe-how-to/

This is another example of the steps you would follow: https://lists.srlabs.de/pipermail/a51/2010-July/000688.html

4) Toast tool install:

The toast tool converts the GSM files produced by Airprobe into audio files that can be played with any audio player, such as VLC.

This tool will be used in the final steps of the GSM cracking procedure to get the final file and listen to the decoded, sniffed voice call.

Page to download it from, by clicking the link named “- free sourcecode” at the top of the page:

http://www.quut.com/gsm/

There are some explanations there about what type of audio files the GSM files produced by Airprobe are, and into what type we must convert them to listen to them with the VLC player.

I recommend reading the information on that page for further explanation. Now we will proceed with the install steps.

Steps to get Toast tool running:

wget http://www.quut.com/gsm/gsm-1.0.13.tar.gz

(instead of downloading the file by clicking the button, you can use this command directly to get the file into the directory you want)

tar -zxvf gsm-1.0.13.tar.gz

cd gsm-1.0-pl13

make

make install

cd bin

./toast -d file

(where file is the name of the GSM file that we want to convert to an audio file)

5) VLC player install:

To finish, I recommend downloading the VLC player, which can be used without the graphical interface, from the terminal prompt only, and is very flexible.

To install it you only have to go to the Ubuntu Software Center or the Add/Remove Software program, search for VLC player and install it. It’s possible that the packages are only available in the Ubuntu Software Center, but that is not a problem because you can download it in Kali Linux as I explained in other threads.

[Image: the graphical interface of the VLC player]

You can also use the VLC player from the terminal prompt with the command:

cvlc file

(where file is the audio file you want to play)

And those are all the related programs that must be used during the GSM sniffing procedure to see the results.

5 thoughts on “ARFCN tool, Kalibrate tool and others – setup”

  1. Pingback: Get Kc key and TMSI number! | [ADS-B aeronautical radar - Initial page] & [GSM cracking] (RTL-SDR concept)!!!

    • Ooooooh man!!! This is really amazing! I can believe that someone had the Kraken tool compiled!!! Lots of thanks for all of the information!!! Is it possible for you to make a little tutorial or recommend me the additional things I must use to get it compiled??

  2. Hello,
    I was also struggling to compile kraken and unfortunately, there is no manual to do that. After a long time and effort, I have figured out how to successfully compile kraken. First of all, an ATI GPU is not necessary. You can use only CPU, but the time is ridiculously slow. But again, to manage to utilise a GPU with kraken is a hell of a story, because it needs you to install some pretty old (2010) software. That’s catalyst 11.7 and ATI sdk 2.5 (that was before ATI was bought from AMD). Also, to manage to install such an old driver, you can do it in Ubuntu editions up to 12.04. Actually, I installed Ubuntu 11 first and then upgraded. That’s because Catalyst 11.7 is compatible with Xorg server up to 11.3, and not with 11.4 which is the latest. But besides that, if you have the rainbow tables, which is pretty difficult to download them, you must mount them first in a second 2TB drive. You can’t use the already downloaded 40x40GB files, but you have to mount them on a second 2TB drive. The tables are mounted in raw format, without any file system. But again, to mount them, you first have to .make first the TableConvert folder and copy the result TableConvert to the Index file, where Behemoth.py is. From that point on, you must setup your config correctly and point to the mount drives. e.g. /dev/sdb (not /dev/sdb1, which should be a partition on the sdb device. Remember, no file system). Also, you specify how many tables you want to mount. If you have all 40, you can mount them all, if you have 1, you can mount only 1, but with 2.5% success rate to find a correct key or less). After that, you run Behemoth to mount the tables in the empty/no file systems disk. It will take a lot of time to mount, depending on how many tables you want to mount on destination disk. It will also create some .idx files and the config file will have some values on where the mounted data live.
If an attempt fails, then reset the config file to the pre run state of Behemoth.py and also, delete the .idx files. The .idx files should be around 80MB for each table. After that, you’re ready. Just type ./kraken /home/kraken/indexes 6666. The second path is the place you have the /indexes folder and the 6666 is the port, which you can put whatever port you want kraken to listen. After the tables are loaded, just type “crack 1101010101010101001……..1010110” that’s the sequence you want to break and that’s all. If it’s correct, then you’ll have a result, if not, then maybe the sequence is not correct, or you don’t have all the tables mounted. You can also fire up a second terminal and use “telnet localhost 6666”.
    Kraken is a great tool, but compiling and running is a mess. Also, because there’s a lot of things missing, there’s no practical usage of this, except if you really know what you’re doing, which I don’t.
    Cheers.

  3. hai…
    2) “Kalibrate tool install”: that video is not playing http://www.youtube.com/watch?v=VaKzhaf5iKg please help me how to install Kalibrate tool in kali linux

    • I can not help you nowadays with this problem! Try to search for another video tutorial on the installation! I think there is a group of kali Linux or a webpage! Probably they have some description!

      So sorry! Kind regards!

      Ferran.
