100:00:09,249 --> 00:00:12,109This talk will be by Sylvain Munaut200:00:12,109 --> 00:00:14,859who works with the Osmocom project.300:00:14,859 --> 00:00:19,330He will talk today about theosmo-gmr satellite phones.400:00:19,330 --> 00:00:22,980After the talk there will be theopportunity to ask questions.500:00:22,980 --> 00:00:25,419You can approach one of the microphones600:00:25,419 --> 00:00:28,279and then you have the chanceto ask one question.700:00:28,279 --> 00:00:32,860Please give a round of applauseto Mr Sylvain Munaut!800:00:32,860 --> 00:00:35,760*Applause*900:00:36,360 --> 00:00:39,469- Hi! Thank you for being here.1000:00:39,469 --> 00:00:44,750As he said I'm going to talk aboutsatellite phones today.1100:00:44,750 --> 00:00:50,060I'll first talk with a quick recap of theprevious work we've done.1200:00:50,060 --> 00:00:53,880At 28C3 there was a presentationon this subject.1300:00:53,880 --> 00:00:56,030But there were some pieces missing.1400:00:56,030 --> 00:00:58,799So, I'm just gonna recapwhat we did previously1500:00:58,799 --> 00:01:00,749and then move on to the new stuff1600:01:00,749 --> 00:01:03,370which is the speech codec and cipher1700:01:03,370 --> 00:01:06,850reverse engineering and crackingthat's been done.1800:01:06,850 --> 00:01:09,819First, what is GMR exactly?1900:01:09,819 --> 00:01:12,810GMR stands for GEO-Mobile Radio and2000:01:12,810 --> 00:01:16,849it's an ETSI standardfor satellite phones.2100:01:16,849 --> 00:01:19,430It's heavily inspired from GSM and2200:01:19,430 --> 00:01:21,339if you read the GMR specs2300:01:21,339 --> 00:01:23,850there is plenty of referenceto go see the GSM spec.2400:01:23,850 --> 00:01:27,110There is actually two standards named GMR:2500:01:27,110 --> 00:01:28,800GMR-1 and GMR-2.2600:01:28,800 --> 00:01:31,010They are not an evolution of one another.2700:01:31,010 --> 00:01:32,899They are competing standards2800:01:32,899 --> 00:01:35,180that have been developedby distinct companies2900:01:35,180 --> 00:01:38,110and then both have beenstandardized to ETSI.3000:01:38,110 --> 00:01:41,380Today, we're gonna be lookingat GMR-1.3100:01:41,380 --> 00:01:46,420That comes in 3 evolutions.It started with plain old GMR-13200:01:46,420 --> 00:01:49,230which is voice calls and SMS.3300:01:49,230 --> 00:01:52,820It evolved to include packet data.That's called GMPRS.3400:01:52,820 --> 00:01:55,040And then there was a later evolution3500:01:55,040 --> 00:01:57,570to interconnect with the 3G core network3600:01:57,570 --> 00:02:01,470and improve the air interfaceand that's GMR-1 3G.3700:02:01,470 --> 00:02:04,280But we'll be mostly looking atthe first version3800:02:04,280 --> 00:02:07,508which is still used.3900:02:08,778 --> 00:02:13,350Among the deployments the onewe focused on was Thuraya.4000:02:13,350 --> 00:02:16,460The reason why is thatit's the most common4100:02:16,460 --> 00:02:19,099commercial operatorwhere you can actually buy SIM4200:02:19,099 --> 00:02:20,800and place phone calls.4300:02:20,800 --> 00:02:23,200The satellites are visible from Europe4400:02:23,200 --> 00:02:26,950which is kind of a requirement for meto look at the signal.4500:02:26,950 --> 00:02:31,376This operator is mostly active in themiddle east, Asia and Africa.4600:02:31,376 --> 00:02:33,929In Europe you don't see too many people4700:02:33,929 --> 00:02:37,279with satellite phonesbecause we have GSM coverage.4800:02:37,279 --> 00:02:40,659But there are other operatorsand we actually read recently4900:02:40,659 --> 00:02:44,370that there is a new deploymentplanned for Europe5000:02:44,370 --> 00:02:46,920called Solaris Mobile and they said5100:02:46,920 --> 00:02:49,899they're going to use GRM-1 3G5200:02:49,899 --> 00:02:52,920but the satellite isn't launched yet.5300:02:53,110 --> 00:02:55,590This is the coverage zone for Thuraya.5400:02:55,590 --> 00:02:58,499As you can see Europe is very well covered5500:02:58,499 --> 00:03:01,219so there is no problem if you want toreceive the signal.5600:03:01,219 --> 00:03:04,299If you are somewhere in that areayou can see it.5700:03:04,299 --> 00:03:07,309So, since it's so heavily inspired by GSM5800:03:07,309 --> 00:03:09,960it makes sense to compare it to it.5900:03:09,960 --> 00:03:13,469The first thing they did is torename everything.6000:03:13,469 --> 00:03:15,950So, instead of a base transceiver station6100:03:15,950 --> 00:03:17,719you have a GEO transceiver station.6200:03:17,719 --> 00:03:19,559Instead of a base station controller6300:03:19,559 --> 00:03:21,769you have a GEO station controller.6400:03:21,769 --> 00:03:25,599Instead of a mobile stationyou have a mobile earth station.6500:03:25,599 --> 00:03:29,580Then they did some actualuseful stuff like6600:03:29,580 --> 00:03:32,379use specialized features for satellites.6700:03:32,379 --> 00:03:35,149The first one isterminal-to-terminal calls.6800:03:35,149 --> 00:03:37,340When you're usually placing a call6900:03:37,340 --> 00:03:40,159your signal goes from yoursatellite phone to the satellite7000:03:40,159 --> 00:03:43,180then it goes back to thecore network on earth7100:03:43,180 --> 00:03:46,159and then, if you're callinganother satellite phone7200:03:46,159 --> 00:03:48,849it would have to again goback up to the satellite7300:03:48,849 --> 00:03:51,389and back to the other phoneand that means that7400:03:51,389 --> 00:03:54,130you pay 4 trips from earth to space7500:03:54,130 --> 00:03:56,849and since the satellite is ingeosynchronous orbit7600:03:56,849 --> 00:03:58,989it's pretty far away.7700:03:58,989 --> 00:04:01,879So, to reduce the delay in communication7800:04:01,879 --> 00:04:06,450they have the so-calledterminal-to-terminal calls where7900:04:06,450 --> 00:04:09,140the call network will stillhandle establishing8000:04:09,140 --> 00:04:12,209the channel but oncethe call is established8100:04:12,209 --> 00:04:14,989the data is going directlyfrom one phone to the satellite8200:04:14,989 --> 00:04:17,660and directly back down to the other phone8300:04:17,660 --> 00:04:19,758without any involvement from the network.8400:04:19,768 --> 00:04:21,990It never even sees the packets.8500:04:21,990 --> 00:04:26,169They also have this call called“High Penetration Alerting”8600:04:26,169 --> 00:04:29,189That's because like in the moviesyou see people using8700:04:29,189 --> 00:04:31,599satellite phones in bunkersand stuff like that8800:04:31,599 --> 00:04:34,379in practice, as soon as you are inside8900:04:34,379 --> 00:04:37,430you can't see the satellite andyou can't place a call at all9000:04:37,430 --> 00:04:40,009but you still might want tobe able to at least…9100:04:40,009 --> 00:04:41,990you know, you can't pick up the phone9200:04:41,990 --> 00:04:44,949but you want to know thatsomebody is calling you9300:04:44,949 --> 00:04:47,560and so they have this specialized channel9400:04:47,560 --> 00:04:51,419which has an incredible amountof error correction on it9500:04:51,419 --> 00:04:53,620so that even with very very low signal9600:04:53,620 --> 00:04:57,350you can still get an indicationthat somebody is trying to call you9700:04:57,350 --> 00:05:01,270please run outside soyou can take the call.9800:05:01,270 --> 00:05:04,420There's also a verytight integration to GPS9900:05:04,420 --> 00:05:07,309For example, all the Almanacand Ephemeris data10000:05:07,309 --> 00:05:09,700are actually broadcastedby the Thuraya satellite10100:05:09,700 --> 00:05:11,889so that your phone can get a lock faster10200:05:11,889 --> 00:05:14,670and when you place a phone callthe very first thing10300:05:14,670 --> 00:05:19,049that your phone will dois send your exact GPS coordinates10400:05:19,049 --> 00:05:22,409in clear to the operator.10500:05:22,909 --> 00:05:25,229They do this for two reasons:10600:05:25,229 --> 00:05:28,949The first one is:If you're not on the right frequency10700:05:28,949 --> 00:05:31,969for this particular geographic locationthey can tell you10800:05:31,969 --> 00:05:34,470“OK. You shouldn't be connectingon this frequency10900:05:34,470 --> 00:05:36,860use this one! It has a much better signal11000:05:36,860 --> 00:05:38,939and you get better quality”.11100:05:38,939 --> 00:05:42,399That's one reason.The other reason is purely commercial:11200:05:42,399 --> 00:05:44,740It's for billing because if you're calling11300:05:44,740 --> 00:05:47,349while you are in certain countriesit's gonna cost more11400:05:47,349 --> 00:05:49,609than if you are on the other sideof the border11500:05:49,609 --> 00:05:51,600and so they need to know where you are11600:05:51,600 --> 00:05:52,979to bill you correctly.11700:05:52,979 --> 00:05:55,580And then compared to GSM,of course, they introduced11800:05:55,580 --> 00:05:57,620the two things we're gonna look at today:11900:05:57,620 --> 00:06:01,199They changed the speech codecto something called AMBE12000:06:01,199 --> 00:06:03,740and they changed the cipher.They are not using A5/112100:06:03,740 --> 00:06:06,269or A5/2 or A5/3 or that kind of stuff.12200:06:06,269 --> 00:06:10,040They use something called A5/GMR-1.12300:06:10,300 --> 00:06:13,419If you look at the protocol stack12400:06:13,419 --> 00:06:15,400anything in the lower layers12500:06:15,400 --> 00:06:18,430(radio modulation, TDMA frame structure)12600:06:18,430 --> 00:06:21,439it's completely differentbecause you have to deal with12700:06:21,439 --> 00:06:24,369the particular of thesatellite communication.12800:06:24,369 --> 00:06:26,379You find the same kind of concept12900:06:26,379 --> 00:06:29,110and you find the control channelsand broadcast channels13000:06:29,110 --> 00:06:31,960but their implementation is different.13100:06:31,960 --> 00:06:35,039If you go up one layerto the data link layer13200:06:35,039 --> 00:06:39,319you have something very similar to LAPDm.13300:06:39,319 --> 00:06:42,749Again, they needed some minor adaptation13400:06:42,749 --> 00:06:44,960because bandwidth costs a loton a satellite.13500:06:44,960 --> 00:06:48,030They reduce the size of the overheadby reducing the header13600:06:48,030 --> 00:06:50,039and since you have so much delay13700:06:50,039 --> 00:06:52,620going from your phone to the satellite and13800:06:52,620 --> 00:06:55,590back down to the earth stationthen again to your phone13900:06:55,590 --> 00:07:00,439you have something likenearly 500 ms of delay14000:07:00,439 --> 00:07:05,099because you have basically 4…no 250 ms, sorry,14100:07:05,099 --> 00:07:10,330because you have both paths up and down14200:07:10,330 --> 00:07:13,789and so, with that delay you need moretime for the acknowledgement14300:07:13,789 --> 00:07:17,389to come in,so they increased the window size.14400:07:17,389 --> 00:07:19,440Anything above that, so, layer 314500:07:19,440 --> 00:07:22,170radio resource, sinceit's managed the radio channel14600:07:22,170 --> 00:07:24,599is still a bit differentbut anything above that14700:07:24,599 --> 00:07:28,279is strictly the same as GSM.It actually interoperates14800:07:28,279 --> 00:07:30,589with the GSM core networkwhich means I can take14900:07:30,589 --> 00:07:33,819my Belgian operator SIMput it into a Thuraya phone15000:07:33,819 --> 00:07:37,620and I can roam onto the satelliteand place calls15100:07:37,620 --> 00:07:40,400which is really niceexcept for the price you pay15200:07:40,400 --> 00:07:42,809at the end of the month.15300:07:42,809 --> 00:07:45,519For packet data it's essentiallythe same thing.15400:07:45,519 --> 00:07:47,479Anything that's close to the lower level15500:07:47,479 --> 00:07:50,219like RLC and MAC is gonna be different,15600:07:50,219 --> 00:07:52,599anything above interoperates with GSM15700:07:52,599 --> 00:07:55,829so you're gonna be speaking toa GSM core network15800:07:55,829 --> 00:07:59,939SGSN and GGSN and all that good stuff.15900:07:59,939 --> 00:08:05,349So, osmo-gmr, what we presented last time,16000:08:05,349 --> 00:08:10,319is essentially everything you needed to gofrom RF to wireshark.16100:08:10,319 --> 00:08:13,460That includes the hardware setup16200:08:13,460 --> 00:08:19,949(how you can build an antenna,what LNA to use, what SDR receiver to use)16300:08:19,949 --> 00:08:22,849At that time we didn'tactually have RTL-SDR,16400:08:22,849 --> 00:08:25,740the cheap DVB dongle you can use as SDR.16500:08:25,740 --> 00:08:29,379Nowadays we do which means thatfor less than 100 bucks16600:08:29,379 --> 00:08:32,900you can get an antenna,LNA and SDR receiver and all16700:08:32,900 --> 00:08:36,040that we need to listen to those signals.16800:08:36,040 --> 00:08:38,599Then we did all theSDR processing which is16900:08:38,599 --> 00:08:41,470taking that raw data, filtering it,selecting the channel17000:08:41,470 --> 00:08:45,350doing the demodulationgetting actual data bits out of it.17100:08:45,350 --> 00:08:48,480Then, channel coding which isconverting those data bits into17200:08:48,480 --> 00:08:52,380layer 2 frames. Then,interpreting those layer 2 frames17300:08:52,380 --> 00:08:55,560into channel assignmentand follow those assignments17400:08:55,560 --> 00:08:58,650into a demonstration application.17500:08:58,650 --> 00:09:01,880And finally, the wireshark dissectorwhich takes this17600:09:01,880 --> 00:09:05,460and presents it nicely in a wayyou can read stuff.17700:09:05,460 --> 00:09:08,680But there is two things we couldn't do:17800:09:08,680 --> 00:09:11,310First, we couldn't see past theciphering mode command17900:09:11,310 --> 00:09:13,529which as soon as ciphering was enabled18000:09:13,529 --> 00:09:15,630we couldn't see anything because18100:09:15,630 --> 00:09:18,310we knew the key becauseit was our own calls18200:09:18,310 --> 00:09:20,319and we can read the key from the SIM18300:09:20,319 --> 00:09:23,160but we didn't know the algorithmthat was used to cipher18400:09:23,160 --> 00:09:26,380so there was no way for us todecipher that.18500:09:26,380 --> 00:09:29,350And we also had no way toget the voice data,18600:09:29,350 --> 00:09:33,070converting the frame intoactual audio that we can listen to18700:09:33,070 --> 00:09:37,900We couldn't do that and that'swhat we're gonna look into.18800:09:38,470 --> 00:09:44,320So the first thing is the speech codec.18900:09:46,270 --> 00:09:50,959It's called AMBE forAdvanced Multi-Band Excitation.19000:09:50,959 --> 00:09:55,960It's not a codec in itself.AMBE is more a family of codecs19100:09:55,960 --> 00:09:59,570which means you have several codecswhich are named AMBE19200:09:59,570 --> 00:10:02,220which are different versionsof one another19300:10:02,220 --> 00:10:05,410slightly different so thatthey're not compatible.19400:10:05,410 --> 00:10:08,330It's not documented in the standard19500:10:08,330 --> 00:10:11,749which is really annoying.When I started working on GMR19600:10:11,749 --> 00:10:15,490I really thought thatthe codec was in there19700:10:15,490 --> 00:10:19,570and then I discovered it wasn't.That was a bad day.19800:10:19,570 --> 00:10:23,250There is a bit of specification in there19900:10:23,250 --> 00:10:26,810but it only gives a high leveldescription like20000:10:26,810 --> 00:10:31,119“The codec takes audio as inputand produces 80 bits of output20100:10:31,119 --> 00:10:34,940every 20 ms” but nothingthat can be used to20200:10:34,940 --> 00:10:39,470realistically implement a decoder.20300:10:40,650 --> 00:10:44,290That codec is made by a company DVSI Inc.20400:10:44,290 --> 00:10:48,529whose entire business is codecs.That's all they do20500:10:48,529 --> 00:10:51,410which is probably why there areincompatible versions20600:10:51,410 --> 00:10:54,660of AMBE because they cansell different versions.20700:10:54,660 --> 00:10:58,999These guys, they do sella small USB stick that20800:10:58,999 --> 00:11:02,440can decode some of the variants.For example, you can decode20900:11:02,440 --> 00:11:06,660DStar audio which is alsoanother AMBE codec21000:11:06,660 --> 00:11:11,320or P25 which is used inlaw enforcement radio in the US21100:11:11,320 --> 00:11:13,610(it's also an AMBE variant)21200:11:13,610 --> 00:11:16,620and the cheap USB stick can decode that.21300:11:16,620 --> 00:11:19,779Unfortunately, it's incompatiblewith the GMR-1 variant21400:11:19,779 --> 00:11:22,329because that's the first thing I did,I contacted DVSI21500:11:22,329 --> 00:11:24,850to know what were my options.21600:11:24,850 --> 00:11:31,010And short of buying a source code licensewhich is just too expensive21700:11:31,760 --> 00:11:35,469is buying the appliancewhich is called NET-2000.21800:11:35,469 --> 00:11:39,029And not only does it cost like 2000 Euros21900:11:39,029 --> 00:11:42,850which is way too much for a hobby project22000:11:42,850 --> 00:11:46,290but you also have to special-order itwith a GMR-1 firmware22100:11:46,290 --> 00:11:50,080and you have to sign somenon-reverse engineering agreement22200:11:50,080 --> 00:11:53,590which… That wasn't an option.22300:11:53,590 --> 00:11:57,480We still had some hope.The first hope we had is that22400:11:57,480 --> 00:12:03,210as I said P25 uses an AMBE variant as well22500:12:03,210 --> 00:12:06,790and this particular variantis actually documented.22600:12:06,790 --> 00:12:11,180So you can download the standardfor that particular22700:12:11,180 --> 00:12:15,199variant of AMBE and you haveall the math and all the specs22800:12:15,199 --> 00:12:18,459so you can write a decoderand somebody actually wrote22900:12:18,459 --> 00:12:21,870a decoder which is open sourcewhich is called ambelib23000:12:21,870 --> 00:12:27,670and so we can use that code as a baseto modify it. That was a lead.23100:12:27,670 --> 00:12:31,730The other lead, of course, is that thecodec is somewhere in the phone.23200:12:31,730 --> 00:12:33,940The phone is obviously capableof decoding audio23300:12:33,940 --> 00:12:37,000so maybe we can find it in there.23400:12:37,000 --> 00:12:40,939But before we can startsearching for the codec23500:12:40,939 --> 00:12:45,250it's good to have a basic understandingof how the codec works23600:12:45,250 --> 00:12:47,899so that we know what we're looking for.23700:12:47,899 --> 00:12:50,400The first thing to understand:it's a vocoder.23800:12:50,400 --> 00:12:53,120It's not a general-purpose audio codec23900:12:53,120 --> 00:12:58,000which means if you try to feed it musicit's gonna perform horribly24000:12:58,000 --> 00:13:01,380because a general-purposeaudio codec will try to model24100:13:01,380 --> 00:13:06,300what your ear can actually hearand what it can't24200:13:06,300 --> 00:13:10,250whereas a vocoder is gonna tryto model the speech24300:13:10,250 --> 00:13:12,949and reconstructssomething that sounds like24400:13:12,949 --> 00:13:15,519but is not actually the same thing.24500:13:15,519 --> 00:13:18,649They will drop a lot of information.24600:13:18,649 --> 00:13:23,060To do that the first thing they dois to split your speech24700:13:23,060 --> 00:13:25,850into small segments which arecompressed independently.24800:13:25,850 --> 00:13:31,920In the case of GMR-1those segments are 10 ms long and24900:13:31,920 --> 00:13:36,610they are combined by pairand each pair is compressed25000:13:36,610 --> 00:13:40,800into a single frame. And then,for each of those small segments25100:13:40,800 --> 00:13:45,740they will represent it in 4 parameters.Those 4 parameters are25200:13:45,740 --> 00:13:52,389the pitch which is thefundamental frequency25300:13:52,389 --> 00:13:56,089of the periodic component of your voice,25400:13:56,089 --> 00:13:58,889the gain which ishow loud you are talking,25500:13:58,889 --> 00:14:01,429something calledvoiced/unvoiced decision,25600:14:01,429 --> 00:14:03,700we're gonna see what this is right after25700:14:03,700 --> 00:14:06,899but essentially you have thefundamental frequency25800:14:06,899 --> 00:14:08,990and for each harmonic,two times the frequency,25900:14:08,990 --> 00:14:11,339three times the frequency,four times the frequency,26000:14:11,339 --> 00:14:16,300you have a bit that saysis that component voiced or unvoiced26100:14:16,300 --> 00:14:21,730and then you have the amplitudesfor the various harmonics.26200:14:22,420 --> 00:14:26,520If you want to play back the voiceyou have to do 3 things:26300:14:26,520 --> 00:14:29,319The first thing is unpacking.26400:14:29,319 --> 00:14:33,420That's taking the 80 bitsof the voice frame26500:14:33,420 --> 00:14:36,639and reconstruct quantizedparameters from it.26600:14:36,639 --> 00:14:40,290All the parameters are not justput in order one after the other26700:14:40,290 --> 00:14:43,259because some of the bits in a framewill receive more error correction26800:14:43,259 --> 00:14:47,230than others and some of the bitsare more sensitive to errors than others26900:14:47,230 --> 00:14:51,269and so they will be placed atspecific places in the frame27000:14:51,269 --> 00:14:54,720so that if errors do happen,hopefully it will affect something27100:14:54,720 --> 00:14:57,190that is not too important.27200:14:57,190 --> 00:14:59,629That's the unpacking step.27300:14:59,629 --> 00:15:01,949The second one is dequantization.27400:15:01,949 --> 00:15:04,960That's going from the quantized,compressed parameters27500:15:04,960 --> 00:15:08,590into floating point valueor integer values27600:15:08,590 --> 00:15:10,899which will represent the real parameters27700:15:10,899 --> 00:15:13,110that are going to be used in the last step27800:15:13,110 --> 00:15:16,699which is synthesis. And synthesisis taking those parameters27900:15:16,699 --> 00:15:23,069and reconstructing actual audiothat sounds like the original voice.28000:15:23,410 --> 00:15:26,459To do a quick overviewof the synthesis step28100:15:26,459 --> 00:15:29,420what you do is you takefor each possible harmonic,28200:15:29,420 --> 00:15:32,470so, f0, 2 f0, 3 f0,…28300:15:32,470 --> 00:15:36,319you have the voiced/unvoiced decision28400:15:36,319 --> 00:15:39,870and what voiced means isthat you're gonna reconstruct28500:15:39,870 --> 00:15:43,389that particular frequencyas a pure sinusoidal tone,28600:15:43,389 --> 00:15:49,600and if it's unvoiced you're just gonnafill that small band with noise.28700:15:49,600 --> 00:15:55,129And with that they can reconstructhuman voice pretty well.28800:15:55,129 --> 00:16:00,320So, now that we know more or lesshow the codec works28900:16:00,320 --> 00:16:02,679and what we are looking for29000:16:02,679 --> 00:16:08,130we can start looking atwhere we are gonna find this codec.29100:16:08,130 --> 00:16:13,340The phone we looked at isthe Thuraya SO-2510.29200:16:13,340 --> 00:16:16,830We looked at it mostly becauseit was the cheapest phone on eBay.29300:16:16,830 --> 00:16:20,090And that also means that it's the simplest29400:16:20,090 --> 00:16:25,480which means you haveless places to look into.29500:16:26,059 --> 00:16:30,600We knew the codec was in the DSP.How did we know that is that29600:16:30,600 --> 00:16:33,399there is simply no other places it could be.29700:16:33,399 --> 00:16:36,889There are a bunch of chips on that phone, of course,29800:16:36,889 --> 00:16:39,769there is only two where it could possibly be:29900:16:39,769 --> 00:16:42,069the TI OMAP main processor,30000:16:42,069 --> 00:16:44,290and then they also have like a small ASIC30100:16:44,290 --> 00:16:46,459which is named the DALMA ASIC because30200:16:46,459 --> 00:16:49,779there is a big DALMA marking on it.30300:16:49,779 --> 00:16:53,870At first, we thought thatthat chip was the AMBE codec.30400:16:53,870 --> 00:16:58,139But it turned out thatwe found some Korean paper30500:16:58,139 --> 00:17:00,029from the phone manufacturerthat described30600:17:00,029 --> 00:17:02,439the phone architecture.And there is a schematic30700:17:02,439 --> 00:17:05,020of the internals of that ASICand it showed30800:17:05,020 --> 00:17:07,589it only had satellite radio functions30900:17:07,589 --> 00:17:09,910and absolutely nothingto do with the codec31000:17:09,910 --> 00:17:13,670which means there was a good chanceit was in the TI OMAP processor.31100:17:13,670 --> 00:17:17,170Why in the DSP? Well, becauseit just makes sense31200:17:17,170 --> 00:17:20,260to make the codec in the DSPespecially since DVSI31300:17:20,260 --> 00:17:25,450the company that makes the codecmostly sells those codecs as a31400:17:25,450 --> 00:17:30,360DSP precompiled library that you can buy.31500:17:30,550 --> 00:17:38,520Pretty standard process: We get thefirmware update from the Internet.31600:17:38,520 --> 00:17:42,280From there we can extractthe actual DSP image31700:17:42,280 --> 00:17:46,000which is the code that isloaded into the DSP.31800:17:46,000 --> 00:17:47,960Thankfully it's supported by IDA31900:17:47,960 --> 00:17:50,770which makes the whole processeasier to reverse engineer.32000:17:50,770 --> 00:17:54,360But it's still like 250KB of binary data32100:17:54,360 --> 00:17:56,870and since it's a DSP it has no I/O32200:17:56,870 --> 00:18:01,220which means there is nota single string in it.32300:18:01,220 --> 00:18:04,960And also it's a DSP which meansit's written in DSP assembly.32400:18:04,960 --> 00:18:08,070I don't know if you evertried to read that32500:18:08,070 --> 00:18:12,930but it's not the mostunderstandable thing in the world32600:18:12,930 --> 00:18:16,420because it's highly optimizedfor speed, of course.32700:18:16,420 --> 00:18:19,400And I actually looked at thatcode and went over it a few times32800:18:19,400 --> 00:18:22,000and took a few hours and looked at it32900:18:22,000 --> 00:18:25,240and I couldn't see anything in it.33000:18:25,240 --> 00:18:30,700And one day I get an emailfrom a colleague in OSMOCOM,33100:18:30,700 --> 00:18:34,640Dieter Spaar, asking meif I had ever looked at that codec33200:18:34,640 --> 00:18:36,550and I told him “yeah I looked33300:18:36,550 --> 00:18:38,330but I couldn't really find anything.33400:18:38,330 --> 00:18:40,500Do you see anything?”33500:18:40,500 --> 00:18:42,180And six hours later he sent me33600:18:42,180 --> 00:18:43,950“I think this is the entry point33700:18:43,950 --> 00:18:46,330for the encoding and decoding functions”33800:18:46,330 --> 00:18:48,880“Oh, OK. Good!”33900:18:48,880 --> 00:18:53,060The way he found thatfrom what I remember is that34000:18:53,060 --> 00:18:56,640you look at what would a codec use.34100:18:56,640 --> 00:18:59,930And of course it's gonnaaccess the audio path34200:18:59,930 --> 00:19:05,850so you can look at the audio DMA setup,and audio DMA interrupts.34300:19:05,850 --> 00:19:09,110You can also look for constantsthat you know are used in the codec,34400:19:09,110 --> 00:19:12,450for example, I said thatthe frames are 80 bits,34500:19:12,450 --> 00:19:15,170so you can look for the constant 80somewhere in the code.34600:19:15,170 --> 00:19:16,590You can look at it.34700:19:16,590 --> 00:19:20,350It will produce 160 audio samplesper frame decoded34800:19:20,350 --> 00:19:23,400so you can look at the constant 160.34900:19:23,400 --> 00:19:26,170Once you actually found one function35000:19:26,170 --> 00:19:28,970there is somethingthat kind of stands out,35100:19:28,970 --> 00:19:32,330it's that since they ship thatas a binary library35200:19:32,330 --> 00:19:36,800they don't really trust the guywho implements the rest of the DSP code35300:19:36,800 --> 00:19:38,940to setup the C runtime properly35400:19:38,940 --> 00:19:43,230and so what they do is they switcheverything at each call into the codec.35500:19:43,230 --> 00:19:48,260They switch the stack, theyre-setup/reconfigure the C runtime,35600:19:48,260 --> 00:19:50,560so that it's really independent.35700:19:50,560 --> 00:19:53,870Once you find one function,finding the other is pretty easy,35800:19:53,870 --> 00:19:59,730you can just look for thatparticular function prelude35900:19:59,730 --> 00:20:06,530that happens at each call atthe audio library.36000:20:06,530 --> 00:20:11,000OK, so, we know where the code is36100:20:11,000 --> 00:20:12,930but it's still a massive amount of code.36200:20:12,930 --> 00:20:17,680I think it's like one third ofthe DSP code is the audio codec.36300:20:17,680 --> 00:20:24,180So, It's not something you can easilyreverse engineer in a few hours.36400:20:24,180 --> 00:20:29,120So, before trying reverseengineering we just tried,36500:20:29,120 --> 00:20:31,790OK, maybe we can just run it.36600:20:31,790 --> 00:20:34,810It turns out that TI has thisreally nice program called36700:20:34,810 --> 00:20:38,550TI Code Composer Studiowhich includes a simulator36800:20:38,550 --> 00:20:42,960and it's a really nice pieceof software because36900:20:42,960 --> 00:20:47,060not only can you pretty accuratelysimulate any of the DSPs37000:20:47,060 --> 00:20:51,220you can also completely configurethe surrounding environment37100:20:51,220 --> 00:20:55,670in which it runs so you can setuparbitrary memory map.37200:20:55,670 --> 00:20:59,400You can also trace all memory accessto see what part37300:20:59,400 --> 00:21:03,910of memory is being read or being writtenor being executed.37400:21:03,910 --> 00:21:07,240You can also access a fileon your host system.37500:21:07,240 --> 00:21:09,010So you can use fread and fwrite37600:21:09,010 --> 00:21:11,890and the simulator wouldautomatically translate those calls37700:21:11,890 --> 00:21:16,890into actual reading from the audio,hard drive and write to your hard drive37800:21:16,890 --> 00:21:22,470so you can read a compressedfile that you saved37900:21:22,470 --> 00:21:28,250and it will write an audiowave file at the output.38000:21:28,250 --> 00:21:32,230And the way to do that ispretty straightforward.38100:21:32,230 --> 00:21:35,130You essentially just need totake the binary dump that38200:21:35,130 --> 00:21:38,950you have from the firmware update38300:21:38,950 --> 00:21:45,040and you need to find a way tomix in your own custom code.38400:21:45,040 --> 00:21:51,380The way to do that: You createa new object file like ELF38500:21:51,380 --> 00:21:55,090except in this case it's called COFF,a common object file format.38600:21:55,090 --> 00:21:57,680But it's the same idea.38700:21:57,680 --> 00:22:04,790You can just link to it like you wouldlink any other piece of binary.38800:22:04,980 --> 00:22:07,180You write a simple main function38900:22:07,180 --> 00:22:12,010that will basically fread yourcompressed samples,39000:22:12,010 --> 00:22:15,180call the decoding functionor at least what you hope39100:22:15,180 --> 00:22:19,660is the decoding functionand fwrite the audio samples.39200:22:19,660 --> 00:22:24,670And surprisingly it worked.It didn't require that much effort.39300:22:24,670 --> 00:22:27,860In like a couple of daysit was all working.39400:22:27,860 --> 00:22:32,950It didn't work on the first try.There was a couple of pitfalls.39500:22:32,950 --> 00:22:37,010But essentially the IDE is thereand it can probably be applied39600:22:37,010 --> 00:22:39,580to other things as well.39700:22:39,580 --> 00:22:42,160Of course there is somepretty big downsides.39800:22:42,160 --> 00:22:46,410At first, it's pretty slow.Definitely sub-real-time39900:22:46,410 --> 00:22:50,550even on a modern laptop.40000:22:50,550 --> 00:22:53,630It also requires TI Code Composer Studio40100:22:53,630 --> 00:22:58,160which is a Windows applicationand it's also not free.40200:22:58,160 --> 00:23:02,050You have a 30 days evaluation periodbut that's about it.40300:23:02,050 --> 00:23:05,200So it's really not that practical.40400:23:05,200 --> 00:23:07,550But it was running in the simulator.40500:23:07,550 --> 00:23:10,880There is no real reasonit cannot run on real hardware.40600:23:10,880 --> 00:23:14,360Of course, that's what we try next.40700:23:14,360 --> 00:23:16,800Unfortunately, on real hardware40800:23:16,800 --> 00:23:20,380you can't just put memoryanywhere you want.40900:23:20,380 --> 00:23:24,080When the codec runs in the phone,41000:23:24,080 --> 00:23:28,640it runs inside a TI-OMAPwhich is an ARM plus a DSP41100:23:28,640 --> 00:23:31,250and that chip has an MMUwhich means41200:23:31,250 --> 00:23:35,480you can createany virtual memory you want.41300:23:35,480 --> 00:23:38,880But if you're trying to runon a cheap DSP board41400:23:38,880 --> 00:23:42,420that you can get for 50 bucks,41500:23:42,420 --> 00:23:45,530those usually don't include an MMU at all41600:23:45,530 --> 00:23:47,640which means you need to find a board41700:23:47,640 --> 00:23:49,640which has memoryat the right places41800:23:49,640 --> 00:23:54,970because the binary you have has beenlinked to a specific physical addresses41900:23:54,970 --> 00:23:58,500and it needs to run atthat particular addresses.42000:23:58,500 --> 00:24:05,920Thankfully, Dieter found one such boardwith a compatible memory map42100:24:05,920 --> 00:24:11,520and it had SDRAM.Well, we needed it to have some memory.42200:24:11,520 --> 00:24:17,370It also included Ethernet which meanswe can make some networked appliance42300:24:17,370 --> 00:24:20,390where we submit samples and get them back.42400:24:20,390 --> 00:24:22,800That was really nice.42500:24:22,800 --> 00:24:25,640The process of migrating the codefrom the simulator42600:24:25,640 --> 00:24:28,650to the board is actuallypretty smooth because42700:24:28,650 --> 00:24:31,500of the way TI Code Composer Studio works.42800:24:31,500 --> 00:24:34,090You just basically select that as a target42900:24:34,090 --> 00:24:39,500and since the memory was at the rightplace it pretty much worked.43000:24:39,500 --> 00:24:42,680Now, it wasn't quite as fast as we want it43100:24:42,680 --> 00:24:47,570because it was only runningabout real-time at the first try43200:24:47,570 --> 00:24:51,890and that's because SDRAM is slowespecially when you do43300:24:51,890 --> 00:24:56,650a bunch of random accessesthe SDRAM isn't really fast.43400:24:56,650 --> 00:25:00,390The codec has unfortunatelya lot of big data tables43500:25:00,390 --> 00:25:05,320which are accessed constantlylike to compute cosines.43600:25:05,320 --> 00:25:10,030So, what Dieter did is basicallyidentify a couple43700:25:10,030 --> 00:25:13,790of those big tablesthat are accessed very often43800:25:13,790 --> 00:25:16,370and then just migrated themto internal SRAM.43900:25:16,370 --> 00:25:19,470You just find the one or two places44000:25:19,470 --> 00:25:22,190where the code reads from those tables44100:25:22,190 --> 00:25:25,730and just patch the address to another address44200:25:25,730 --> 00:25:28,510and redirect it to there.44300:25:28,510 --> 00:25:32,770And that got the code running much faster,about 16x faster than real-time.44400:25:32,770 --> 00:25:35,040And honestly, that was good.44500:25:35,040 --> 00:25:39,380I wasn't really planning on doinganything else on the hardware44600:25:39,380 --> 00:25:43,670and so I ordered the same board…except I didn't.44700:25:43,670 --> 00:25:47,680I somehow ended up clickingon the wrong button in the44800:25:47,680 --> 00:25:50,370TI store or something andwhen the board arrived44900:25:50,370 --> 00:25:53,100I didn't have the right one.45000:25:53,100 --> 00:25:55,846At that point I had two choices:45100:25:55,846 --> 00:25:58,592I could just order the same board45200:25:58,592 --> 00:26:01,080and wait one more week,45300:26:01,080 --> 00:26:04,390or I could try to runthe code on it anyway.45400:26:04,390 --> 00:26:07,270The second board didn't have Ethernet.It had USB.45500:26:07,270 --> 00:26:09,990But most importantly it didn'thave any SDRAM at all.45600:26:09,990 --> 00:26:12,300It only had internal SRAM45700:26:12,300 --> 00:26:16,170and unfortunately not atthe right address.45800:26:16,170 --> 00:26:21,130So I just figured: OK.I'm just gonna try to relocate the binary45900:26:21,130 --> 00:26:24,920and make it run on another address.How hard can it be?46000:26:24,920 --> 00:26:27,850It turned out to be pretty straightforwardbecause46100:26:27,850 --> 00:26:30,600in I think less than a day it was running46200:26:30,600 --> 00:26:34,200and that's really thanks to IDAPythonand the simulator.46300:26:34,200 --> 00:26:37,540Basically what I did is in IDAPythonwhich is the46400:26:37,540 --> 00:26:42,440scripting language inIDA reverse engineering software46500:26:42,440 --> 00:26:46,410you can iterate through all the opcodes,then for that46600:26:46,410 --> 00:26:50,290opcode you can test:Is there an absolute memory reference46700:26:50,290 --> 00:26:53,420somewhere in that opcode?If no, then don't do anything.46800:26:53,420 --> 00:26:56,020If there is an absolute memory reference,46900:26:56,020 --> 00:26:59,520is that reference fallingsomewhere in a place that47000:26:59,520 --> 00:27:02,000I'm trying to relocate or not?If it is a place47100:27:02,000 --> 00:27:04,230I'm trying to relocate thenjust patch that opcode47200:27:04,230 --> 00:27:07,490and change the absolute memory referenceto the new place.47300:27:07,490 --> 00:27:10,370Go through all the code like thatand try to run it.47400:27:10,370 --> 00:27:13,390Of course, it didn't workthe first time around47500:27:13,390 --> 00:27:19,530because there was a couple ofpitfalls in that approach47600:27:19,760 --> 00:27:25,430but using the simulator it waspretty easy to find out where47700:27:25,430 --> 00:27:29,990things were going wrong becauseyou take the original code47800:27:29,990 --> 00:27:32,910you run everything in the simulatorand you trace every47900:27:32,910 --> 00:27:37,840memory access, then you take yourpotentially relocated code48000:27:37,840 --> 00:27:42,320you run it again in the simulatorand trace every memory access48100:27:42,320 --> 00:27:45,480Decoding the same frameit should be deterministic48200:27:45,480 --> 00:27:49,580and so you should have the exact samememory access patterns48300:27:49,580 --> 00:27:52,990in both cases. And as soon as you seethat they are diverging48400:27:52,990 --> 00:27:55,700you know that somewherea branch wasn't taken or48500:27:55,700 --> 00:27:59,170something went wrong andyou can go at that place in your code48600:27:59,170 --> 00:28:03,040look and see why therelocation didn't work.48700:28:03,040 --> 00:28:06,950It only took two tries tohave the code running.48800:28:06,950 --> 00:28:10,570It was running on my board andI didn't have to order a new one48900:28:10,570 --> 00:28:13,220which was pretty nice.49000:28:13,220 --> 00:28:15,760So we have a hardware USB decoder49100:28:15,760 --> 00:28:19,430which is very useful butyou still have to carry it around49200:28:19,430 --> 00:28:23,220or plug it into a networkserver or something49300:28:23,220 --> 00:28:26,230which isn't necessarilysomething you want.49400:28:26,230 --> 00:28:32,470I wanted something I couldcheckout into git, basically.49500:28:32,470 --> 00:28:38,740So, I started reverse engineeringthe entire codec.49600:28:38,740 --> 00:28:43,170Now, it turned out to be very painful.49700:28:43,170 --> 00:28:47,310As I said, to reconstruct audioyou have three main steps.49800:28:47,310 --> 00:28:50,960The first one is unpacking andit's just basically bit shuffling.49900:28:50,960 --> 00:28:54,610It's like the first thingthe codec does which means50000:28:54,610 --> 00:28:58,020it's really easy to find andit's really easy to follow.50100:28:58,020 --> 00:29:00,020So, no problem there.50200:29:00,020 --> 00:29:04,230The second step is dequantizationand it took like 95% percent50300:29:04,230 --> 00:29:07,970of the work because it's lot of math.50400:29:07,970 --> 00:29:12,000It's all written in DSP assembly,in fixed-point50500:29:12,000 --> 00:29:15,140and sometimes you're looking ata function to figure out50600:29:15,140 --> 00:29:18,590what that function does youhave to run it with different50700:29:18,590 --> 00:29:22,610parameters to see what doesthat thing compute.50800:29:22,610 --> 00:29:26,040Graphing is really useful for that.You just feed some50900:29:26,040 --> 00:29:29,140inputs into the simulator seewhat output is generated51000:29:29,140 --> 00:29:32,970and just plot it in PyLab or something.51100:29:32,970 --> 00:29:37,240And then you can see, OK,that actually computes a logarithm.51200:29:37,240 --> 00:29:42,070There is still a lot of code thereand there was no51300:29:42,070 --> 00:29:46,010other option for that partbecause the quantization step51400:29:46,010 --> 00:29:49,020is completely specific to GMR.It's not shared with any51500:29:49,020 --> 00:29:52,130of the other AMBE variants.51600:29:52,130 --> 00:29:55,170The synthesis part is evenmore complicated, is even more51700:29:55,170 --> 00:29:58,470code in the DSP but I really didn't want…51800:29:58,470 --> 00:30:01,540after finishing the dequantizationI really didn't want51900:30:01,540 --> 00:30:05,380to the synthesis, so I just assumedthat the synthesis step52000:30:05,380 --> 00:30:08,650was gonna be very similarto the one in P25.52100:30:08,650 --> 00:30:13,900So I took the mbelib existingopen-source code for P25,52200:30:13,900 --> 00:30:17,860I ripped out the unpackingand dequantization out of it.52300:30:17,860 --> 00:30:21,300That's because it's the one for P25,of course.52400:30:21,300 --> 00:30:25,240I just plugged in my own implementation52500:30:25,240 --> 00:30:28,200and run it through the synthesis.52600:30:28,200 --> 00:30:31,480There's a couple of thingsyou need to take care of52700:30:31,480 --> 00:30:37,810mostly because P25 uses 20 ms frames,GMR uses 10 ms frames.52800:30:37,810 --> 00:30:42,280So, I basically dropped one frameevery other frame in GMR52900:30:42,280 --> 00:30:46,130and just used the 10 ms parametersynthesized 20 ms of speech53000:30:46,130 --> 00:30:48,880but it produced somethingwhere you could follow53100:30:48,880 --> 00:30:51,600a conversation and it worked.53200:30:51,600 --> 00:30:55,780I was still not really happy about itbecause the code quality53300:30:55,780 --> 00:30:58,670of mbelib was really not that good.53400:30:58,670 --> 00:31:01,420Its performance is also not that good.53500:31:01,420 --> 00:31:05,190It wasn't actually fasterthan the hardware decoder.53600:31:05,190 --> 00:31:09,760So, in the end I went back tothe actual P25 specifications53700:31:09,760 --> 00:31:13,920that I had andrewrote a clean implementation53800:31:13,920 --> 00:31:17,010of the synthesis step.I just guessed the difference.53900:31:17,010 --> 00:31:21,253Every time it says 20 msI just put 10 ms. When there is54000:31:21,253 --> 00:31:26,016a 512-bin FFT I just put 25654100:31:26,016 --> 00:31:29,920and adapted stuff as I went.54200:31:29,920 --> 00:31:33,670And the resulting code is in the git54300:31:33,670 --> 00:31:37,420and you can decode voice.54400:31:37,420 --> 00:31:40,143I think it works pretty well.54500:31:40,143 --> 00:31:42,676You can hear some subtle differences54600:31:42,676 --> 00:31:45,370compared to the original codec54700:31:45,370 --> 00:31:48,400because DVSI did do a bunch of stuff to54800:31:48,400 --> 00:31:51,480improve the voice quality.It's their whole business.54900:31:51,480 --> 00:31:55,630And I didn't go through all of that.55000:31:55,630 --> 00:32:00,070But… From my point of view,I'm done on this and I'm not55100:32:00,070 --> 00:32:03,470gonna go any further.We have C code we can run.55200:32:03,470 --> 00:32:05,850So. That's good.55300:32:05,850 --> 00:32:13,030*Applause*55400:32:13,800 --> 00:32:16,610Thank you.55500:32:16,610 --> 00:32:20,500Next, we move on to the cipher.55600:32:20,500 --> 00:32:24,000We didn't reverse engineer the cipher.55700:32:24,000 --> 00:32:27,520That was done by a teamat the Bochum university55800:32:27,520 --> 00:32:30,410led by Benedikt Driessen.55900:32:30,410 --> 00:32:34,250Right after we publ…After 28C3, basically…56000:32:34,250 --> 00:32:38,380Actually, at 28C3 we already hadsome contacts with them but56100:32:38,380 --> 00:32:41,150the paper wasn't published yet.56200:32:41,150 --> 00:32:44,620And we actually have them validatetheir data and their attack56300:32:44,620 --> 00:32:46,360using osmo-gmr.56400:32:46,360 --> 00:32:49,610I definitely encourage you toread the paper that they published56500:32:49,610 --> 00:32:52,430because the method they used.They are actually the ones56600:32:52,430 --> 00:32:56,610who extracted the DSP image whichwe used to reverse engineer the codec.56700:32:56,610 --> 00:33:02,320They were the first onesto extract it from the56800:33:02,320 --> 00:33:05,110file that you can download online.56900:33:05,110 --> 00:33:08,780And then, there is some prettyinteresting stuff in there.57000:33:08,780 --> 00:33:11,460As I said, they also publishedan attack on that cipher57100:33:11,460 --> 00:33:14,040which is a ciphertext-only attack57200:33:14,040 --> 00:33:18,030and I'll show some of the results later on.57300:33:18,030 --> 00:33:23,210So, what does the cipher look like?Well, it looks like that.57400:33:23,210 --> 00:33:27,260If you are familiar with A5/2 or even A5/157500:33:27,260 --> 00:33:29,970that should look very familiar because57600:33:29,970 --> 00:33:32,400it's pretty much the same thing.57700:33:32,400 --> 00:33:36,090So you have 4 linear feedback registers.57800:33:36,090 --> 00:33:40,060The first 3 ones are combinedusing a nonlinear output function57900:33:40,060 --> 00:33:44,000into the actual key stream.And then you have a 4th register58000:33:44,000 --> 00:33:48,120which a few of the bits are tapped.They go to a nonlinear58100:33:48,120 --> 00:33:50,630clocking function and that functionis gonna determine58200:33:50,630 --> 00:33:54,650how fast the other registers are clocked.58300:33:54,650 --> 00:34:00,310So, not all registers advanceat each output bit.58400:34:00,310 --> 00:34:05,280And as I said, it is very similar to…it's actually a copy of A5/258500:34:05,280 --> 00:34:08,109except they changed every number like…they don't…58600:34:08,109 --> 00:34:11,320the polynomial for the linearfeedback registers are different,58700:34:11,320 --> 00:34:14,429which bits are tapped to combineinto the output are different.58800:34:14,429 --> 00:34:18,050Same thing for R4 butit's the exact same structure58900:34:18,050 --> 00:34:23,000which means we can reuse the attackthat works on A5/2.59000:34:23,000 --> 00:34:27,099This cipher obviously hasan initialization step59100:34:27,099 --> 00:34:30,249where you basically take the keyand the frame number59200:34:30,249 --> 00:34:32,419that you want to encrypt59300:34:32,419 --> 00:34:36,039and you have some process to initialize59400:34:36,039 --> 00:34:37,940the LFSR with those data.59500:34:37,940 --> 00:34:39,940But really the only thing to retain59600:34:39,940 --> 00:34:42,918is that the initializationprocess is entirely linear.59700:34:42,918 --> 00:34:46,465There is some XOR and LFSR being involved.59800:34:46,465 --> 00:34:50,012So that's pretty much…59900:34:50,012 --> 00:34:54,289…the thing to remember.60000:34:54,489 --> 00:35:00,160The actual irregular clockingonly is applied when you60100:35:00,160 --> 00:35:05,819generate bitstreamfor encrypting the frame.60200:35:05,819 --> 00:35:10,110Since we are gonna talk aboutattacks on ciphers60300:35:10,110 --> 00:35:14,529in some details there are a few thingsthat you may not remember60400:35:14,529 --> 00:35:18,369if you don't do algebra all the time.60500:35:18,369 --> 00:35:21,430This is a very very quick reminder.60600:35:21,430 --> 00:35:26,410So, you should know is thatwhen you see GF(2) that's60700:35:26,410 --> 00:35:28,269just a fancy term for binary.60800:35:28,269 --> 00:35:31,690What we call addition in GF(2)is just the XOR operation.60900:35:31,690 --> 00:35:33,909Multiplication is just the logic AND61000:35:33,909 --> 00:35:36,120and you can do everything with that.61100:35:36,120 --> 00:35:39,930If you accept those definitions,then algebra over binary61200:35:39,930 --> 00:35:43,740is gonna be pretty much the same asalgebra over real numbers61300:35:43,740 --> 00:35:47,480and all the nice propertiesare gonna be applicable61400:35:47,480 --> 00:35:50,450to binary math as well.61500:35:50,450 --> 00:35:53,859I mentioned previously “linear”and I will mention it61600:35:53,859 --> 00:35:56,400several times in the rest of this talk.61700:35:56,400 --> 00:36:00,559When I say “linear” it's either a constant,61800:36:00,559 --> 00:36:03,680or a variable or unknownmultiplied by a constant61900:36:03,680 --> 00:36:07,710but you never have two variablesmultiplied together62000:36:07,710 --> 00:36:13,340because then it becomes quadraticand it's not linear anymore.62100:36:13,849 --> 00:36:18,400Being linear has some nice propertieslike linear systems of equations62200:36:18,400 --> 00:36:22,859we have very fast algorithms tosolve them62300:36:22,859 --> 00:36:27,759and every linear operation can berepresented as matrix operation62400:36:27,759 --> 00:36:31,009which is especially useful…we're gonna be dealing with62500:36:31,009 --> 00:36:34,369hundreds of unknowns andspelling them out is not an option.62600:36:34,369 --> 00:36:38,409We have to have some way ofrepresenting that and that's62700:36:38,409 --> 00:36:42,400matrix operations, essentially.62800:36:42,400 --> 00:36:45,979One other important thing to know is:62900:36:45,979 --> 00:36:50,330When you have an operationthat adds redundancy, for example,63000:36:50,330 --> 00:36:52,670channel coding where you add the CRC63100:36:52,670 --> 00:36:55,140or where you do convolutional coding,63200:36:55,140 --> 00:36:58,470adding error correction addsredundancy to your message63300:36:58,470 --> 00:37:01,439and when you have redundancyyou can create what's called63400:37:01,439 --> 00:37:05,109a parity check matrix to checkif that redundancy in that present.63500:37:05,109 --> 00:37:07,549So, for a CRC you checkthe CRC for example.63600:37:07,549 --> 00:37:10,750But it can be generalized to anythingthat adds redundancy.63700:37:10,750 --> 00:37:14,240It can be checked.And that becomes very useful to63800:37:14,240 --> 00:37:16,860make the attack much faster.63900:37:16,860 --> 00:37:21,380So, a little more detail aboutwhat the guys at Bochum did.64000:37:21,380 --> 00:37:24,599They published a ciphertext-only attack64100:37:24,599 --> 00:37:27,640that means you only need tocapture data off the air64200:37:27,640 --> 00:37:30,000and directly with thatyou feed it to the attack64300:37:30,000 --> 00:37:32,029and it can give you the key.64400:37:32,029 --> 00:37:34,869Their target was called TCH3 frames64500:37:34,869 --> 00:37:38,299and those are traffic frames,they're what carries the voice64600:37:38,299 --> 00:37:40,860which means you have a lot of them because64700:37:40,860 --> 00:37:43,670as long as the conversation is still going,64800:37:43,670 --> 00:37:46,130frames that are being generated constantly,64900:37:46,130 --> 00:37:48,950several tens of them per second.65000:37:48,950 --> 00:37:52,119They didn't start from nothing. As I said65100:37:52,119 --> 00:37:54,639the cipher is heavily based on A5/2, so,65200:37:54,639 --> 00:37:57,359it kind of makes sense to read the papers65300:37:57,359 --> 00:38:00,670that were published about A5/2 attacks.65400:38:00,670 --> 00:38:05,809The most interesting one and one of themost advanced one is called65500:38:05,809 --> 00:38:12,119“Instant Ciphertext-Only Cryptanalysisof GSM encrypted communication”65600:38:12,119 --> 00:38:15,930It's kind of math-heavy but65700:38:15,930 --> 00:38:21,290it provides an attack on A5/2that recovers the key instantly65800:38:21,290 --> 00:38:23,549which is really nice.65900:38:23,549 --> 00:38:26,349They modified this attack.They tweaked it for GMR-166000:38:26,349 --> 00:38:28,359because the frames are different.66100:38:28,359 --> 00:38:30,350There's different amount of bits.66200:38:30,350 --> 00:38:32,740The cipher is slightly different.66300:38:32,740 --> 00:38:34,910And they also did something a little weird.66400:38:34,910 --> 00:38:37,160They tried to guess more bits66500:38:37,160 --> 00:38:39,339some of the bits they tried to brute-force.66600:38:39,339 --> 00:38:41,720I'm not exactly sure why.66700:38:41,720 --> 00:38:44,369I think it's to reducethe number of unknowns.66800:38:44,369 --> 00:38:47,930But I don't know if it actuallyhad the desired effect.66900:38:47,930 --> 00:38:52,339And in the RUB paperthey published their result:67000:38:52,339 --> 00:38:59,569With 350 GB of precomputed datausing 32 TCH3 frames67100:38:59,569 --> 00:39:03,260they managed to recover the keyin something like 40 minutes67200:39:03,260 --> 00:39:06,309which is not bad, definitely, and it works.67300:39:06,309 --> 00:39:09,399But the original attack is named “instant”.67400:39:09,399 --> 00:39:13,03940 minutes isn't instant – to me, at least.67500:39:13,039 --> 00:39:17,979So, we started looking for a better attack.67600:39:18,349 --> 00:39:21,630We started off the same paperbecause it's kind of67700:39:21,630 --> 00:39:24,650the state of the art of A5/2 attacks67800:39:24,650 --> 00:39:27,469but we really didn't do anything fancy.67900:39:27,469 --> 00:39:32,890We just used it exactly as they saidin the original paper68000:39:32,890 --> 00:39:36,559and we just did the necessary tweaksfor A5/GMR-1,68100:39:36,559 --> 00:39:39,910changing the matrix andthe length of the vector,68200:39:39,910 --> 00:39:42,499really nothing fancy.68300:39:42,499 --> 00:39:46,269We also decided to attacka different type of channel68400:39:46,269 --> 00:39:49,390and this is probably whatmakes the most difference.68500:39:49,390 --> 00:39:52,130We decided to target FACCH3 control frames68600:39:52,130 --> 00:39:54,710instead of the TCH3 voice frames.68700:39:54,710 --> 00:39:58,690There is a very big advantage totargeting those frames.68800:39:58,690 --> 00:40:02,990First, they use a different kind ofmodulation and training sequence.68900:40:02,990 --> 00:40:06,440From an RF point of viewthey are much easier to receive.69000:40:06,440 --> 00:40:09,940And that's pretty important ifyou're trying to mount an attack because69100:40:09,940 --> 00:40:12,660as soon as you have abit error in the reception69200:40:12,660 --> 00:40:15,409it will make your equations inconsistent69300:40:15,409 --> 00:40:18,600and you won't actually be ableto solve for the key as easily.69400:40:18,600 --> 00:40:21,880So, this is a very nice propertyof those frames.69500:40:21,880 --> 00:40:24,569The other very nice property isthat we have known69600:40:24,569 --> 00:40:28,779plaintext on the FACCH3 channel,the control channel.69700:40:28,779 --> 00:40:31,559There are some predictable framesthat we know will there69800:40:31,559 --> 00:40:33,379and we know where they will be.69900:40:33,379 --> 00:40:35,589the voice traffic iscompletely unpredictable.70000:40:35,589 --> 00:40:37,500It's someone talking.70100:40:37,500 --> 00:40:41,190The control traffic will followsome very known patterns70200:40:41,190 --> 00:40:46,260and I'll show an example ofplaintext which is really trivial.70300:40:46,540 --> 00:40:50,210Some other of the nice propertiesof the control channel is:70400:40:50,210 --> 00:40:53,249There is much more redundancy.70500:40:53,249 --> 00:40:57,759In TCH3 not all the bits areactually error-corrected70600:40:57,759 --> 00:41:01,220which means you don't havethat much information70700:41:01,220 --> 00:41:05,450while for the control channeleach layer-2 bit that you transmit70800:41:05,450 --> 00:41:09,809is almost quadrupledbefore you put it on the air70900:41:09,809 --> 00:41:15,130which means you can builda lot of equations very fast71000:41:15,130 --> 00:41:20,380without many bursts.In the RUB attack they needed 32 frames,71100:41:20,380 --> 00:41:26,599probably because there is not muchredundancy in the TCH3 frames.71200:41:26,599 --> 00:41:30,420And also, as a nice bonus thatwe discovered later is that71300:41:30,420 --> 00:41:34,279the FACCH3 control channelis also used to negotiate71400:41:34,279 --> 00:41:38,089other types of channels likethe channels that are used71500:41:38,089 --> 00:41:42,890when you send FAX orwhen you establish a data call71600:41:42,890 --> 00:41:44,840over satellite networks.71700:41:44,840 --> 00:41:48,359It's actually negotiated usingthat type of control channel71800:41:48,359 --> 00:41:51,109which means the same kind of attackcan work to crack71900:41:51,109 --> 00:41:54,900not only voice but also data calls and FAX.72000:41:54,900 --> 00:41:58,380This is an example of the plaintext.72100:41:58,380 --> 00:42:00,779I don't know if you can really see it.72200:42:00,779 --> 00:42:03,249But essentially on the topyou have the cipher mode command72300:42:03,249 --> 00:42:06,150the first line in blue isthe cipher mode command.72400:42:06,150 --> 00:42:08,630So everything after thatis in theory ciphered.72500:42:08,630 --> 00:42:10,700This is, of course, the enciphered view.72600:42:10,700 --> 00:42:13,910And the three marked packetsin gray and black72700:42:13,910 --> 00:42:15,839are the very predictable texts72800:42:15,839 --> 00:42:19,200and what they are is acknowledgements.72900:42:19,200 --> 00:42:21,170Because of the delay on the GSM channel73000:42:21,170 --> 00:42:23,089there is some outstandingacknowledgement73100:42:23,089 --> 00:42:27,759that still need to be sentwhen the ciphering is turned on.73200:42:27,759 --> 00:42:31,569You get empty packets withincrementing sequence number73300:42:31,569 --> 00:42:34,769and the ACK bit set.73400:42:34,769 --> 00:42:37,160Something changes in them,the sequence number, but73500:42:37,160 --> 00:42:41,209as soon as you can count,predicting them is trivial.73600:42:41,209 --> 00:42:45,400This definitely works in practicelike 100% of the time.73700:42:45,400 --> 00:42:49,770I never really had any problem with that.73800:42:50,740 --> 00:42:56,190So, how do you build a plaintext attack?73900:43:03,810 --> 00:43:07,849The general goal is…what you're trying to achieve74000:43:07,849 --> 00:43:11,529is build a giant system of equationsthat's linear74100:43:11,529 --> 00:43:13,320and that you can solve.74200:43:13,320 --> 00:43:16,710It's gonna have the formA * x = b74300:43:16,710 --> 00:43:21,450b is the cipher stream thatis generated by A5/GMR-174400:43:21,450 --> 00:43:26,299x is some representation ofthe internal state of the cipher74500:43:26,299 --> 00:43:28,269that you are trying to find74600:43:28,269 --> 00:43:31,130and A is a giant matrixthat you can precompute74700:43:31,130 --> 00:43:35,309that's only dependent onthe structure of the cipher.74800:43:35,309 --> 00:43:39,650Each row of A and b are gonna representone bit of the output74900:43:39,650 --> 00:43:44,999and how to combine that internal stateto generate that cipher stream bit.75000:43:44,999 --> 00:43:48,470As I mentioned,the initialization process is linear75100:43:48,470 --> 00:43:51,329and that's very importantfor two things.75200:43:51,329 --> 00:43:54,360First,from the internal state of the cipher75300:43:54,360 --> 00:43:57,950you're gonna be able to recover the key75400:43:57,950 --> 00:44:01,540which is not entirely true.There is one bit of the key75500:44:01,540 --> 00:44:04,789that you can't recoverbecause that bit of the key75600:44:04,789 --> 00:44:08,499turns out to have absolutely no effecton the output whatsoever.75700:44:08,499 --> 00:44:12,322so, you can't recover itbut doesn't matter either.75800:44:12,322 --> 00:44:14,925The other thing is that75900:44:14,925 --> 00:44:18,499you're gonna need tobuild a lot of equations.76000:44:18,499 --> 00:44:20,689That system is gonna be big.76100:44:20,689 --> 00:44:23,670In a single burst of datayou won't have enough equations.76200:44:23,670 --> 00:44:25,660You're gonna need multiple of them.76300:44:25,660 --> 00:44:28,649But, of course, those multiple burstsare gonna have different76400:44:28,649 --> 00:44:31,060frame numbers because they're sequential.76500:44:31,060 --> 00:44:33,790They're not gonna wrap before a long time.76600:44:33,790 --> 00:44:36,620But since the initializationis entirely linear76700:44:36,620 --> 00:44:40,599you can actually derive equationfrom one frame number76800:44:40,599 --> 00:44:44,380from an equation built out ofanother frame number.76900:44:44,380 --> 00:44:49,859But, of course, it would be too easy.The cipher isn't entirely linear.77000:44:49,859 --> 00:44:53,419so, we have to “linearize” it and77100:44:53,419 --> 00:44:57,150when I first started looking ata crypto attack on A5/277200:44:57,150 --> 00:45:00,010in the paper it was alwaysone line that said77300:45:00,010 --> 00:45:02,539oh yeah, we linearize the cipher77400:45:02,539 --> 00:45:06,350and they kind of always assumedthe readers know what that means77500:45:06,350 --> 00:45:08,890which I didn't at the time.77600:45:08,890 --> 00:45:12,490So, I decided to be a little more explicit.77700:45:12,490 --> 00:45:16,720The two nonlinear elements arethe output function77800:45:16,720 --> 00:45:20,400which uses a majority functionwhere you take three bits77900:45:20,400 --> 00:45:24,390and it outputs whicheverbit is more common78000:45:24,390 --> 00:45:27,450and you can rewrite thatmajority function as being78100:45:27,450 --> 00:45:30,970the sum of a plus b multiplied by c78200:45:30,970 --> 00:45:37,190or if you wish a XOR b AND c.78300:45:37,190 --> 00:45:41,210And the problem is theb multiplied by c because78400:45:41,210 --> 00:45:43,779that's quadratic, that's not linear.78500:45:43,779 --> 00:45:46,309That means thatwe can't introduce that.78600:45:46,309 --> 00:45:50,029And the way to linearize thatis to kind of ignore it.78700:45:50,029 --> 00:45:54,070For every possible quadratic termthat's gonna be generated78800:45:54,070 --> 00:45:57,690by that nonlinear output function78900:45:57,690 --> 00:46:00,170you generate a new unknown.79000:46:00,170 --> 00:46:03,290In reality that unknownisn't really unknown.79100:46:03,290 --> 00:46:06,719It's a function of your other variables but79200:46:06,719 --> 00:46:10,170you can't represent it in a linear fashion.79300:46:10,170 --> 00:46:15,359So, you just ignore it and say“OK, this is a new unknown, deal with it”.79400:46:15,359 --> 00:46:18,640Actually, there is a lot ofpossible combinations79500:46:18,640 --> 00:46:21,999which adds 594 new unknownsto your equation system79600:46:21,999 --> 00:46:25,279which means that you're gonna needa bunch more equations79700:46:25,279 --> 00:46:27,539to be able to actually solve it.79800:46:27,539 --> 00:46:32,279But at least it makes it linear.So, there is hope.79900:46:32,619 --> 00:46:39,969The other nonlinear thing in that cipheris the clocking.80000:46:40,170 --> 00:46:44,220As I said, all the LSFR don't advanceat the same rate.80100:46:44,220 --> 00:46:50,380Some are clocked once or zero timesat each output bit.80200:46:50,380 --> 00:46:55,880And this is a function of the value of R4at that particular time.80300:46:56,160 --> 00:46:59,689So, how do we linearize that?80400:46:59,689 --> 00:47:04,559Well, R4 is a 17-bitlinear feedback register.80500:47:04,559 --> 00:47:08,960So, we can knowall its future states from any…80600:47:08,960 --> 00:47:12,890As soon as we have a good stateat one particular time80700:47:12,890 --> 00:47:15,789you can predict all the future states80800:47:15,789 --> 00:47:19,300because it's clocked all the time.80900:47:19,640 --> 00:47:23,620And in those 17 bitsthe initialization step forces81000:47:23,620 --> 00:47:25,869one of those bits to one.81100:47:25,869 --> 00:47:28,650So, there is only 16 bitsthat you don't know81200:47:28,650 --> 00:47:32,980which means there is only65536 possible clocking81300:47:32,980 --> 00:47:35,710patterns for the cipher.81400:47:35,710 --> 00:47:40,400So, the way we approachthat is we just brute-force it.81500:47:40,400 --> 00:47:43,339You just assume that R4 isgonna be equal to that value81600:47:43,339 --> 00:47:47,819after the initializationand you just assume that81700:47:47,819 --> 00:47:52,779and try to solve and crack the cipherby using that assumption.81800:47:52,779 --> 00:47:56,369And if you find the Kc, well,then maybe it's the right one.81900:47:56,369 --> 00:48:00,980You just repeat that 65536 timesand most of the time82000:48:00,980 --> 00:48:04,190if your guess about R4 is incorrect82100:48:04,190 --> 00:48:07,170the system will end up being inconsistent82200:48:07,170 --> 00:48:10,799and you won't actually have any solution.82300:48:10,799 --> 00:48:17,509But this still requires solving65536 systems82400:48:17,509 --> 00:48:22,409which is fast but not that fast.82500:48:22,409 --> 00:48:28,190There is actually a trick that we canapply to do better guesses.82600:48:28,190 --> 00:48:31,789When you build thesegiant equation systems82700:48:31,789 --> 00:48:34,869it turns out that some of theequations that you construct82800:48:34,869 --> 00:48:37,549they are not gonna be independent.Some of them are82900:48:37,549 --> 00:48:40,369gonna be related to each other.83000:48:40,369 --> 00:48:44,700And so some of the rows are redundant.And what's nice is:83100:48:44,700 --> 00:48:49,020If they're redundantwe can actually test for that redundancy.83200:48:49,020 --> 00:48:52,539For the 65536 possible systemsthat you need to solve,83300:48:52,539 --> 00:48:55,249you also have anAn * x = b83400:48:55,249 --> 00:48:59,319there is a bunch of rows in Anthat are gonna be linear dependent.83500:48:59,319 --> 00:49:03,660So, for each of them you canbuild a parity check matrix Hn83600:49:03,660 --> 00:49:08,299so that you have this nice propertyof a parity check matrix83700:49:08,299 --> 00:49:12,779where you multiply b by Hnand you get a zero matrix.83800:49:12,779 --> 00:49:16,109But all those Hn, you can precompute them.83900:49:16,109 --> 00:49:19,860That's the offline data of the attack.84000:49:19,860 --> 00:49:23,009You precompute those giant matrices,84100:49:23,009 --> 00:49:29,369then you take b which is the cipher textyou got from the cipher,84200:49:29,569 --> 00:49:33,289you multiply it by this matrixand if it gives you zero,84300:49:33,289 --> 00:49:37,069you know that this particular R4 valuemight be correct.84400:49:37,069 --> 00:49:38,940You don't know if it's correct or not,84500:49:38,940 --> 00:49:40,579but at least it might be.84600:49:40,579 --> 00:49:43,830If the result is non-zerothen you know that R4 is definitely84700:49:43,830 --> 00:49:46,869not the correct R4 and soinstead of solving an entire84800:49:46,869 --> 00:49:50,190system of equations the only thingyou need to do is84900:49:50,190 --> 00:49:54,339do one matrix multiplicationand that is pretty fast.85000:49:54,339 --> 00:49:57,819And in the end you're gonna havea couple of possible matches85100:49:57,819 --> 00:50:01,520so you're gonna solve like maybe3 or 4 systems of equations85200:50:01,520 --> 00:50:05,239instead of solving 65536 andthat's much much faster.85300:50:05,239 --> 00:50:09,739Now, how do you go froma known-plaintext attack85400:50:09,739 --> 00:50:12,960to a ciphertext-only attack?85500:50:12,960 --> 00:50:16,190I'm not gonna detail that muchbut essentially85600:50:16,190 --> 00:50:19,880the channel coding operationintroduces redundancy85700:50:19,880 --> 00:50:23,730and you can kind of null out that…85800:50:23,730 --> 00:50:26,980if you take the last equation you have85900:50:26,980 --> 00:50:29,750H multiplied by y plus g.86000:50:29,750 --> 00:50:34,220H is a function of the channel coding.86100:50:34,220 --> 00:50:36,289You can compute it. It's known.86200:50:36,289 --> 00:50:40,339y is the data thatyou received off the air.86300:50:40,339 --> 00:50:42,250So, you know it as well.86400:50:42,250 --> 00:50:45,579g is also a function ofthe channel coding operation.86500:50:45,579 --> 00:50:50,039So, you know it.So everything on the left you know.86600:50:50,039 --> 00:50:54,689And the last value is H multiplied by A86700:50:54,689 --> 00:50:58,149which is what you had inthe known-plaintext attack,86800:50:58,149 --> 00:51:00,200so you know it as well.86900:51:00,200 --> 00:51:03,189And everything you don't knowis x and so, again,87000:51:03,189 --> 00:51:06,369you have a linear system of equationsthat you can solve.87100:51:06,369 --> 00:51:09,629And the same R4 quick-scanmethod can be applied87200:51:09,629 --> 00:51:14,090to scan very quickly and nothave to solve everything.87300:51:14,320 --> 00:51:17,070So, this is the result.87400:51:17,070 --> 00:51:20,970If you use the fact thatyou know some plaintext87500:51:20,970 --> 00:51:24,009you need about 50 Megabytesof data precomputed,87600:51:24,009 --> 00:51:27,179you need to receive 8 burstsor even 4 if you87700:51:27,179 --> 00:51:30,509by any chance have the rightframe number alignment,87800:51:30,509 --> 00:51:33,110and in like 500 msyou can get the key back.87900:51:33,110 --> 00:51:35,820And that's on a 6 year old laptop.88000:51:35,820 --> 00:51:39,849On any recent machine it's really instant.88100:51:39,849 --> 00:51:43,199If you want to use theciphertext-only variant,88200:51:43,199 --> 00:51:46,059and honestly I really don't knowwhy you would88300:51:46,059 --> 00:51:50,370because the known-plaintext works,so you might as well use it.88400:51:50,370 --> 00:51:53,750But if you want it purelyfor academic purposes,88500:51:53,750 --> 00:51:57,130then you need 8 bursts,88600:51:57,130 --> 00:52:00,510about 5 Gigabytes of data,88700:52:00,520 --> 00:52:03,590and then it takes a little longer88800:52:03,590 --> 00:52:08,719like about 1 second to recover the key.88900:52:09,189 --> 00:52:12,769A few things I would like tolook at in the future,89000:52:12,769 --> 00:52:15,099is C-band.89100:52:15,099 --> 00:52:19,539The satellite has to talk backto the earth station89200:52:19,539 --> 00:52:22,540and this happensin a different frequency band89300:52:22,540 --> 00:52:25,046and this is what we would like to look at,89400:52:25,046 --> 00:52:27,042essentially, the feeder link89500:52:27,042 --> 00:52:29,639If any of you have a large dish,satellite dish,89600:52:29,639 --> 00:52:32,689and want to provide data for usplease contact us,89700:52:32,689 --> 00:52:34,560we're looking for it.89800:52:34,560 --> 00:52:38,369We're also startedlooking into packet data89900:52:38,369 --> 00:52:41,299and some other stuff.90000:52:41,299 --> 00:52:45,279A quick note aboutother satellite phone systems,90100:52:45,279 --> 00:52:48,340please don't assume thatjust because Thuraya GMR-190200:52:48,340 --> 00:52:50,869is broken that the others aren'tunless you have90300:52:50,869 --> 00:52:53,009actual proof that they aren'tbecause the only90400:52:53,009 --> 00:52:55,609reason we chose Thuraya isbecause the phone was90500:52:55,609 --> 00:52:57,659the cheapest on eBay.90600:52:57,659 --> 00:53:01,660So, given that all the satellitephone systems also…90700:53:01,660 --> 00:53:05,519you know, you can find commercialinterceptors for them,90800:53:05,519 --> 00:53:11,029there is a big chance that they'renot much more secure.90900:53:11,029 --> 00:53:13,869I like to thank a few people:91000:53:13,869 --> 00:53:19,390Dimitry Stolnikov,the main other author in osmo-gmr91100:53:19,390 --> 00:53:22,960doing a bunch of the RF capture stuff,91200:53:22,960 --> 00:53:27,790Dieter Spaarfor reverse engineering of the AMBE codec91300:53:27,790 --> 00:53:30,079and all the help he provided there91400:53:30,079 --> 00:53:33,089and the RUB team, of course,for their support in91500:53:33,089 --> 00:53:35,470reverse engineering the cipher,91600:53:35,470 --> 00:53:39,529and the organizer for having me91700:53:39,529 --> 00:53:42,540and thank you for your attention!91800:53:42,540 --> 00:53:46,509*Applause*91900:53:46,720 --> 00:53:52,410- Thank you very much!We now have time for a few questions.92000:53:52,410 --> 00:53:56,949First, are there questionsfrom the Internet?92100:53:57,529 --> 00:54:00,579Not yet. So,if you have a question, please92200:54:00,579 --> 00:54:03,059approach one of the microphones.92300:54:03,059 --> 00:54:05,559Yes, please, microphone number 3!92400:54:05,559 --> 00:54:12,639- Yes, I have a rather not technicalbut political question:92500:54:12,660 --> 00:54:17,720So, you said in the beginningthere was like a short92600:54:17,720 --> 00:54:20,690way of communication thatonly the satellite transmits92700:54:20,690 --> 00:54:24,630the voice data, so there isno ground station involved?92800:54:24,630 --> 00:54:30,369- Yes. - Do you think that thismight upset some of the people92900:54:30,369 --> 00:54:34,089who like to intercept callsbecause it makes intercepting93000:54:34,089 --> 00:54:36,489the voice data much more complicated93100:54:36,489 --> 00:54:39,279than just going to ground station and say93200:54:39,279 --> 00:54:41,090“I want to listen to this”?93300:54:41,090 --> 00:54:44,289- First, just because the satellitewill send the data back93400:54:44,289 --> 00:54:45,999directly to their mobile phone93500:54:45,999 --> 00:54:49,049doesn't mean the satellitecan't also provide a copy93600:54:49,049 --> 00:54:52,589of it to the earth station.It just doesn't go through.93700:54:52,589 --> 00:54:56,089But the satellite can obviouslysend a copy of it if they want to.93800:54:56,259 --> 00:54:59,699- And probably there will be apossibility for the ground station93900:54:59,699 --> 00:55:02,339to say“Don't do that direction connection”.94000:55:02,339 --> 00:55:05,740- On the other hand they can alsojust intercept it off the air94100:55:05,740 --> 00:55:07,919because it's so easy to listen to it.94200:55:07,919 --> 00:55:10,920Last year there was a talk with somebody94300:55:10,920 --> 00:55:13,799that looked at satellite pictures94400:55:13,799 --> 00:55:17,120and they saw that one of thespy satellites was relocated94500:55:17,120 --> 00:55:21,839like right next to theThuraya-2 satellite.94600:55:21,839 --> 00:55:25,059You can look that up.It was a presentation last year.94700:55:25,059 --> 00:55:28,509It was pretty interestingto see that… yeah…94800:55:28,509 --> 00:55:31,319If you want to listen to it you can do it.94900:55:31,319 --> 00:55:32,899- Thank you!95000:55:32,899 --> 00:55:37,060- Next question from microphone number 2!95100:55:39,349 --> 00:55:46,349- I've two questions: Can you hearboth sides of the conversation95200:55:46,349 --> 00:55:50,250or only one side of the conversation?The second question is:95300:55:50,250 --> 00:55:53,119How big of a dish do you need?95400:55:53,119 --> 00:55:55,199- If you want to receive L-band which is95500:55:55,199 --> 00:55:58,420just listen to the communicationfrom the satellite to the phone95600:55:58,420 --> 00:56:02,099you don't need a dish,you need like a small antenna.95700:56:02,099 --> 00:56:05,960You can even do it with a modifiedGPS antenna and a piece of metal.95800:56:05,960 --> 00:56:09,529So, it's really easy andreally cheap to do.95900:56:09,529 --> 00:56:13,059You can only hear the thepart of the conversation96000:56:13,059 --> 00:56:15,759that comes from the satelliteto the phone.96100:56:15,759 --> 00:56:20,140So, if by any chance that guyis speaking to another phone96200:56:20,140 --> 00:56:24,226you can hear both sidesbecause you can intercept both96300:56:24,226 --> 00:56:26,992channels simultaneously.96400:56:26,992 --> 00:56:30,000But in general, you either96500:56:30,000 --> 00:56:34,349only hear one side or you canalso be close enough to the96600:56:34,349 --> 00:56:38,749actual satellite phonesto receive the uplink96700:56:38,749 --> 00:56:42,930that goes from the phone to the satellite.96800:56:42,930 --> 00:56:46,149Dimitry showed me like acommercial intercept system96900:56:46,149 --> 00:56:50,609where apparently they use likeplanes to intercept the uplink.97000:56:50,609 --> 00:56:53,739They just fly over the area of interest97100:56:53,739 --> 00:56:58,550so they can more easily receivethe uplink from the phones.97200:56:58,550 --> 00:57:00,879- One final question. Please make it short97300:57:00,879 --> 00:57:02,919because we are running out of time.97400:57:02,919 --> 00:57:05,079- I'll try my best.97500:57:05,079 --> 00:57:08,170Launching your own satelliteis certainly not an option97600:57:08,170 --> 00:57:11,099but do you see any practical applications97700:57:11,099 --> 00:57:16,289in terms of what you did with GSM?97800:57:17,349 --> 00:57:20,949- Not really. It would beinteresting to try start a net97900:57:20,949 --> 00:57:24,409because there is nothing that saysthat you have to be on a satellite.98000:57:24,409 --> 00:57:27,900You could technically start a base station on earth98100:57:27,900 --> 00:57:31,549using that protocol and it would work.98200:57:31,549 --> 00:57:35,009And the phones have much more powerthan a GSM phone.98300:57:35,009 --> 00:57:38,440But other than that,you could build an IMSI catcher98400:57:38,440 --> 00:57:40,790for satellite phones if you wanted to98500:57:40,790 --> 00:57:44,250and you'd definitely beat thesignal strength of the satellite98600:57:44,250 --> 00:57:46,659with your own setup.98700:57:46,659 --> 00:57:48,340- Thank you.98800:57:48,340 --> 00:57:53,169- Please give the speakeranother round of applause!