Page 310 


   algorithms as well or the Ki is useless. These algorithms can be obtained by hacking the switch manufacturer, i.e. Siemens, Alcatel, Motorola ...


   'As a call is made from the target cellphone, you need to feed the A5 key into a cellphone which has been modified to let it eavesdrop on the channel used by the cellphone. Normally, this eavesdropping will only produce static--since the conversation is encrypted. However, with the keys and equipment, you can decode the conversation.'


   This is one of the handover messages, logged with a CCITT7 link monitor, that he saw:


   13:54:46"3 4Rx< SCCP 12-2-09-1 12-2-04-0 13 CR

   BSSMAP GSM 08.08 Rev 3.9.2 (BSSM) HaNDover REQuest (HOREQ)
   -------0  Discrimination bit D       BSSMAP
   0000000-  Filler
   00101011  Message Length             43
   00010000  Message Type               0x10
   Channel Type
   00001011  IE Name                    Channel type
   00000011  IE Length                  3
   00000001  Speech/Data Indicator      Speech
   00001000  Channel Rate/Type          Full rate TCH channel Bm
   00000001  Speech Encoding Algorithm  GSM speech algorithm Ver 1
   Encryption Information
   00001010  IE Name                    Encryption information
   00001001  IE Length                  9
   00000010  Algorithm ID               GSM user data encryption V. 1
   ********  Encryption Key             C9 7F 45 7E 29 8E 08 00
   Classmark Information Type 2
   00010010  IE Name                    Classmark information type 2
   00000010  IE Length                  2
   -----001  RF power capability        Class 2, portable
   ---00---  Encryption algorithm       Algorithm A5
   000-----  Revision level
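   As an added illustration (not from the book or the logged trace), the following Python decoder walks the message layout listed above: the discrimination byte, length, message type, then the Channel type, Encryption information and Classmark 2 information elements as tag/length/value triples, which is how the session key ends up readable on the signalling link. The second Classmark 2 byte is a constructed placeholder because the page ends before it, and since the declared length of 43 covers elements beyond this page the decoder reports the message as truncated.

```python
# Added example (not from the book): decode the BSSMAP HANDOVER REQUEST
# bytes rebuilt from the trace above. The second Classmark 2 byte is a
# constructed placeholder (the page ends before it) and the message is
# shorter than its declared length, which the decoder reports.

IE_NAMES = {0x0B: "Channel type", 0x0A: "Encryption information",
            0x12: "Classmark information type 2"}

TRACE = bytes([
    0x00,                          # -------0 D=0 (BSSMAP), filler 0000000
    0x2B,                          # message length 43 (bytes after this one)
    0x10,                          # message type: HANDOVER REQUEST
    0x0B, 0x03, 0x01, 0x08, 0x01,  # Channel type: speech, TCH/F Bm, GSM V1
    0x0A, 0x09, 0x02,              # Encryption information, algorithm ID
    0xC9, 0x7F, 0x45, 0x7E, 0x29, 0x8E, 0x08, 0x00,  # Kc as logged
    0x12, 0x02, 0x01, 0x00,        # Classmark 2 (second byte constructed)
])

def decode_ie(tag, val):
    """Split one IE value into its fields as labelled in the trace."""
    if tag == 0x0B:
        return {"speech": val[0] == 1, "rate_type": val[1], "codec": val[2]}
    if tag == 0x0A:
        return {"algorithm_id": val[0], "kc": val[1:].hex().upper()}
    return {"rf_power_class": val[0] & 0x07,        # bits -----xxx
            "enc_algorithm": (val[0] >> 3) & 0x03,  # bits ---xx---
            "revision": val[0] >> 5}                # bits xxx-----

def decode_handover_request(msg):
    """Parse header + TLV IEs; stops at unknown tags or missing bytes."""
    out = {"bssmap": msg[0] & 1 == 0, "declared_len": msg[1],
           "msg_type": msg[2], "ies": {},
           "truncated": len(msg) - 2 < msg[1]}
    body, i = msg[3:], 0
    while i + 1 < len(body) and body[i] in IE_NAMES:
        tag, length = body[i], body[i + 1]
        val = body[i + 2 : i + 2 + length]
        if len(val) < length:
            out["truncated"] = True
            break
        out["ies"][IE_NAMES[tag]] = decode_ie(tag, val)
        i += 2 + length
    return out

if __name__ == "__main__":
    for name, fields in decode_handover_request(TRACE)["ies"].items():
        print(name, fields)
```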