Page 310 


Underground.

   algorithms as well or the Ki is useless. These algorithms can be
   obtained by hacking the switch manufacturer, i.e. Siemens, Alcatel,
   Motorola ...

   `As a call is made from the target cellphone, you need to feed the A5
   key into a cellphone which has been modified to let it eavesdrop on
   the channel used by the cellphone. Normally, this eavesdropping will
   only produce static--since the conversation is encrypted. However,
   with the keys and equipment, you can decode the conversation.'

   This is one of the handover messages, logged with a CCITT7 link
   monitor, that he saw:

   13:54:46"3 4Rx< SCCP 12-2-09-1 12-2-04-0 13 CR
   BSSM HOREQ
   BSSMAP GSM 08.08 Rev 3.9.2 (BSSM) HaNDover REQuest (HOREQ)
   -------0 Discrimination bit D BSSMAP
   0000000- Filler
   00101011 Message Length 43
   00010000 Message Type 0x10
   Channel Type
   00001011 IE Name Channel type
   00000011 IE Length 3
   00000001 Speech/Data Indicator Speech
   00001000 Channel Rate/Type Full rate TCH channel Bm
   00000001 Speech Encoding Algorithm GSM speech algorithm Ver 1
   Encryption Information
   00001010 IE Name Encryption information
   00001001 IE Length 9
   00000010 Algorithm ID GSM user data encryption V. 1
   ******** Encryption Key C9 7F 45 7E 29 8E 08 00
   Classmark Information Type 2
   00010010 IE Name Classmark information type 2
   00000010 IE Length 2
   -----001 RF power capability Class 2, portable
   ---00--- Encryption algorithm Algorithm A5
   000----- Revision level
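The link-monitor trace above is a BSSMAP message laid out as a two-octet BSSAP header (discrimination octet, length octet), a message type, and then a run of information elements, each encoded as an identifier octet, a length octet and its value. The decoder below is an added example, not code from the book or from any link-monitor product: it walks that TLV layout and decodes the three elements the trace shows (Channel Type, Encryption Information, Classmark Information Type 2), refusing to guess when an element is truncated or the declared length does not match what is present. The input bytes are constructed here, with the field values copied from the trace; the message length is 21 rather than the trace's 43 because only the three visible elements are included, and the second classmark octet (not shown on this page) is a constructed 0x00. The classmark bit split (3 bits RF power, 2 bits encryption algorithm, 3 bits revision) follows the way the trace presents that octet.

```python
# Added example: decoder for the BSSMAP Handover Request layout shown in the
# trace. Constructed input; field values taken from the trace, layout per the
# identifier/length/value element style of GSM 08.08.

from dataclasses import dataclass, field
from typing import Dict

# Information element identifiers as they appear in the trace
IE_CHANNEL_TYPE = 0x0B
IE_ENCRYPTION_INFO = 0x0A
IE_CLASSMARK_2 = 0x12
MSG_HANDOVER_REQUEST = 0x10

# Constructed message: discrimination octet (bit D = 0 -> BSSMAP), length,
# message type, then three elements. Length is 21 because only the three
# elements visible on the page are included (the page's message declares 43).
HOREQ_BYTES = bytes([
    0x00,                             # discrimination bit D = 0 (BSSMAP), filler
    0x15,                             # message length 21 (octets that follow)
    0x10,                             # message type: Handover Request
    0x0B, 0x03, 0x01, 0x08, 0x01,     # Channel Type: speech, full-rate TCH Bm, GSM speech v1
    0x0A, 0x09, 0x02,                 # Encryption Information: algorithm id 2
    0xC9, 0x7F, 0x45, 0x7E, 0x29, 0x8E, 0x08, 0x00,  # key octets as printed in the trace
    0x12, 0x02, 0x01, 0x00,           # Classmark 2: octet 1 from the trace, octet 2 constructed
])


@dataclass
class Bssmap:
    message_type: int
    ies: Dict[int, bytes] = field(default_factory=dict)


def split_ies(body: bytes) -> Dict[int, bytes]:
    """Walk identifier/length/value elements; reject truncated ones rather than guess."""
    ies: Dict[int, bytes] = {}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated IE header at offset %d" % pos)
        ie_id, ie_len = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + ie_len]
        if len(value) != ie_len:
            raise ValueError("IE 0x%02X declares %d octets, only %d present"
                             % (ie_id, ie_len, len(value)))
        ies[ie_id] = value
        pos += 2 + ie_len
    return ies


def parse_bssmap(raw: bytes) -> Bssmap:
    """Check the BSSAP header, then split the message body into elements."""
    if len(raw) < 3:
        raise ValueError("too short for a BSSAP header")
    if raw[0] & 0x01:
        raise ValueError("discrimination bit set: DTAP, not BSSMAP")
    length = raw[1]
    if length != len(raw) - 2:
        raise ValueError("declared length %d != %d octets present" % (length, len(raw) - 2))
    return Bssmap(message_type=raw[2], ies=split_ies(raw[3:]))


def decode_channel_type(v: bytes) -> dict:
    return {"speech_data": v[0], "rate_type": v[1], "speech_version": v[2]}


def decode_encryption_info(v: bytes) -> dict:
    # first octet is the algorithm identifier, the remaining octets the key
    return {"algorithm_id": v[0], "key_hex": v[1:].hex().upper()}


def decode_classmark2(v: bytes) -> dict:
    # octet 1 split as the trace shows it: -----xxx RF power capability,
    # ---xx--- encryption algorithm, xxx----- revision level
    o1 = v[0]
    return {"rf_power": o1 & 0x07,
            "enc_alg": (o1 >> 3) & 0x03,
            "revision": (o1 >> 5) & 0x07}


def describe(raw: bytes) -> dict:
    """Decode the elements this example knows about; unknown ones are left raw."""
    msg = parse_bssmap(raw)
    out = {"message_type": msg.message_type}
    if IE_CHANNEL_TYPE in msg.ies:
        out["channel_type"] = decode_channel_type(msg.ies[IE_CHANNEL_TYPE])
    if IE_ENCRYPTION_INFO in msg.ies:
        out["encryption"] = decode_encryption_info(msg.ies[IE_ENCRYPTION_INFO])
    if IE_CLASSMARK_2 in msg.ies:
        out["classmark2"] = decode_classmark2(msg.ies[IE_CLASSMARK_2])
    return out


if __name__ == "__main__":
    for name, value in describe(HOREQ_BYTES).items():
        print(name, value)
```

Running it prints the same values the monitor decoded: message type 0x10, speech on a full-rate channel, algorithm id 2 with the eight key octets, and classmark octet 1 giving power class value 1, encryption field 0 and revision 0. The length checks matter for trace analysis: a message cut short by the monitor (the page's own trace ends mid-element) is reported as an error rather than silently decoded with whatever octets happen to follow.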