So, Osmocom GMR, it's one of the latest members of the Osmocom family. I'll start with a quick introduction on GMR generally, then a technical introduction on GMR-1, and finally the software itself that we wrote and how to use it.

Okay, so what is GMR? GMR stands for Geostationary Earth Orbit Radio Interface, and it's an ETSI standard for satellite phones, so essentially these phones. ETSI is the same body that standardized GSM, and they reused a lot of their specifications for GMR; if you read the GMR specification you will find lots and lots of references to the GSM specification, sometimes referencing entire chapters. GMR is two distinct standards called GMR-1 and GMR-2. They are not evolutions one of the other, so GMR-2 is not a replacement for GMR-1; they exist in parallel and they've been developed by different vendor groups. In this particular talk we'll talk only about GMR-1, and more specifically the first of the three revisions. So the first revision, just called GMR-1, is the equivalent of a standard GSM 2G circuit switched network, so essentially voice and SMS and nothing else. A later revision came and it's called GMPRS, and it's obviously the equivalent of GPRS, basically adding packet data over GMR. And finally the latest revision is GMR-1 3G, which essentially adds more channel types for higher bandwidth and also interoperability with the UMTS core network.

So where is it used? One of the most important deployments of GMR-1 is the Thuraya satellite network, and it's the one we studied because it's the only one visible from Europe, and since most of, actually all of, the developers are in Europe, that's the only one we can receive. More specifically, the Thuraya 3 satellite, which is at orbital position 44 East, is the only one we can see from here. There are other deployments, for example SkyTerra and TerreStar in the US. ICO I don't really know well, and Inmarsat was actually at some point just renting capacity on the Thuraya satellite and didn't have its own satellites.
GMR-2 is used in the Inmarsat IsatPhone, which is a quite well known network as well, but we won't go into further details.

So this is the coverage map for the Thuraya network, and as you can see it pretty much covers everywhere except the Americas, but here in Europe we are well within the optimal coverage zone, and so receiving it is not the problem.

So it's heavily based on GSM, so it makes sense to compare it a little bit. The first thing they did is they renamed everything. They changed basically the B into the G, for of course Gateway or Geostationary depending on the type, and the MS, which used to be the mobile station, so your phone, is now called MES, which is Mobile Earth Station. They introduced some useful stuff, so specialized features. One of them is terminal-to-terminal calls. So if from a Thuraya phone you call another Thuraya phone, to avoid going all the way from the phone to the satellite to the core network, back to the satellite, back to the other phone, they introduced a shortcut where a phone can talk to the satellite and directly be bounced onto another phone without ever going through the core network. Another feature is called high penetration alerting, and this is because satellite phones, at least these models, don't work at all inside; you need almost direct line of sight to the satellite, so to the sky. But you still want to be able to receive calls when you are inside, and so they have some very specific channel types that have much higher coding gain, so that when you're inside you cannot place calls, you cannot receive SMS or anything, but you can at least get a notification that okay, someone is trying to call you, and you have about 20 seconds to go outside and get the call. So that can be useful.
It has very tight links to GPS from the start. For example, all the almanac and ephemeris data from GPS are sent from the Thuraya satellite to help the phone get a GPS lock much faster, and the phone will actually report its position each time it opens a channel to the satellite, so that the satellite knows exactly where you are. They introduced a new codec because of bandwidth limitations, and they invented a new cipher, but we'll talk about that later.

From a protocol stack point of view, the radio frequency layer and the channel coding layer, so the lowest layers of the stack, are completely different. You find the same concepts, but all the details are really different, so different bursts, different modulation, a lot more channel types to handle special cases. Above that you have the data link layer, which is called here LAPSat instead of LAPDm. Both are based on the LAPD of the ISDN world, but they've been adapted for the peculiarities of satellite, that is very, very long delay, because the satellite is like 36 000 kilometers in the sky, so each round trip time is like 240 milliseconds, which is quite high. On the layer 3 level, I will detail all the layers afterwards, but quickly, on the layer 3 level the RR, which is radio resource, is again completely different, and we'll see how it is different. Everything above that is exactly the same as GSM, so no difference whatsoever. A small peek into packet data: the situation is similar, that is the lower levels, which are LLC and MAC, are different, but LLC and above are completely common.

So this is an overview of a GMR network, and you can see the protocol stack on the bottom. Everything that is in color is specific to GMR; everything that is in white is common with GSM with no modification whatsoever. So as you can see, everything that's in the core network is shared with GSM, exactly the same.
So in detail, you have the satellite, which communicates with the phones on Earth, obviously, using what's called spot beams. They are the equivalent of cells in the GSM world; spot beams are artificial small zones of coverage that are generated by the satellite using beamforming algorithms. Of course when I say small, it's small at the, you know, planetary level, so it's like a hundred kilometers wide, something like that, it's not that small. The signal is bounced back to what's called the GTS, the combination of the GTS, gateway transceiver station, and the GSC, actually it's GCS, there is a typo, gateway controller station, and from there it goes through the GSM core network, so MSC, HLR, typical GSM stuff. Something that's interesting to note is that the satellite only plays a role at the physical layer, so the data link layer is entirely handled from the phone to the gateway station and it's not touched at all by the satellite. The satellite doesn't have much logic; it just bounces the signal back into an aggregate feeder link.

So as I said, the physical layer for the communication between satellite and phone uses spot beams. It is frequency duplex like in GSM, so you have a part of the band that's reserved for communication from the phone to the satellite and another part of the band that's reserved for the inverse direction. It's divided into ARFCNs, 1087 of them, which are actually not very wide, they are only 31 kilohertz, compared to GSM which is something like 280 kilohertz, so they are very small channels. The feeder link, so that's the link between the satellite and the main gateway station on Earth, can happen either in C band or in K band, but that's about all that is said in the specification; there is no other technical detail available, at least publicly, about what exactly happens on that feeder link. So let's take a look at the physical layer in a little more detail.
As in GSM, it's an entirely synchronous, complex TDMA scheme. In some aspects it's simpler than GSM, in some aspects it's more complex than GSM, it really depends on where you look, but basically they had to take into account power consumption, because something very important on the satellite is that there is some broadcast information that is sent permanently, I mean all the time, okay, periodically I would say, and they have to make sure that they don't transmit that information at the same time in all the spot beams, because this would create a very high peak power consumption on the satellite, and so this is reflected somewhat in the TDMA alignment and you have to take care of that. A major difference compared to GSM is that, okay, so you can see one of the TDMA frames here is composed of 24 time slots, and the burst, that is the packet of information exchanged on the network, can occupy several consecutive time slots, which was not the case in GSM 2G at least.

One of the main problems in the physical layer is the synchronization, that is, when a phone is powered on it needs to find the carrier essentially, so it needs to detect: is there a carrier on that particular frequency, where is it aligned in time, and what is the frequency error, because demodulation requires a very precise synchronization between the clock of the cell phone and the clock of the satellite, and the crystals and oscillators used in the phones are not that good, and so the error must be detected and compensated. And I think they found a very elegant solution in this particular waveform, which is called the dual chirp. So a chirp is a single tone that is varying in frequency over time. The picture represents frequency vertically and time horizontally, and so you can see that you have two spikes in frequency that cross each other over time, drawing kind of an X in the waterfall display. I won't go into all the mathematical details, but this waveform has very interesting properties. Most notably, if you capture roughly where this waveform is, using a rough acquisition by a simple correlation, it won't be very precise, but it will be good enough to know more or less where it is, like in this window, and then you multiply that by a reference up chirp, so only the ascending part, you do the FFT and you take the peak frequency of the FFT, you call that f1. You do the same thing for the down chirp, and kind of magically, the time alignment error will be proportional to f1 minus f2 and the frequency error will be proportional to f1 plus f2. If you're interested in why exactly that is, you can follow the link; there's a very interesting paper about it.

So packets of information are exchanged in bursts on the physical layer, and they are modulated using what's called π/4-CQPSK, which is a modulation that is completely different from GSM. Again there are two slightly different variations: one uses a quadrature phase shift keying, the other only has a two-phase shift keying, but these are the two modulations that are the most used on the physical layer. They are relatively easy to demodulate, and we'll see that later on. There's a lot of different burst types, too much to list here, but the demodulation doesn't change between them. There are other types of channels that have a very specific purpose, like for example the high penetration alerting has a very specific type of burst, and there are some keep-alive bursts that are used in very specific cases that use a different modulation, represented on the bottom. And also for GMPRS and 3G you have more modulation types that can be very, very complex; you can see the constellation pattern of 32-APSK is much harder to demodulate. And to increase the bandwidth even more for packet data, instead of using the base symbol rate of 23 000 kilosymbols per second, they can actually use either twice that symbol rate, four times that symbol rate or five times that symbol rate, to just put even more data on the same channel.

Okay, so this was the RF layer. The channel coding layer is what will take care of taking the layer 2 frames, breaking them into bursts and ensuring that they're transmitted correctly by applying error correction and error checking. Every channel type in GMR uses of course a different method for it, but hopefully they all use the same basic primitives, so that's kind of good news, and we have implemented all of these. So essentially it's the same primitives that are used in GSM and a lot of other protocols, that is convolutional codes, CRC checking, scrambling to avoid runs of zeros or ones that would pose problems in the modulation stage, and something interesting you can see here is that the encryption is applied in layer 1, like in GSM.

Okay, LAPSat is the data link layer. Honestly, I think it's not a very interesting layer, but its role is mostly to take the variable size L3 messages and split them up into chunks that fit into bursts, and ensure things like retransmission in case packets are lost, things like that.

So layer 3 is kind of, let's say, the application layer or something. Its lowest sub-level is called radio resources, and it obviously is the establishment of dedicated links between the phone and the satellite. This layer is completely different from GSM, which is kind of logical because the kind of radio resources that are managed are different. You will find the same concepts, so for example you will find immediate assignment messages, you will find paging messages, actually you will find exactly the same types of messages, but the details of how they are encoded and the information contained in them are different, because of course the details of the physical layer are different. The upper layers, mobility management, which provides user location tracking and authentication and confidentiality, so exchanging the IMSI for the TMSI, things like that, and the connection management layer, are all common with GSM.
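As an added illustration of the dual-chirp acquisition described above (this is not code from the talk or from Osmo-GMR, and the window length, chirp rate, delay and frequency offset are constructed toy values, not GMR-1's actual FCCH parameters), here is a small pure-Python simulation: it builds a dual chirp, delays and frequency-shifts it the way a roughly aligned capture from a drifting oscillator would look, mixes it with the reference up and down chirps, takes the peak frequencies f1 and f2, and recovers the time and frequency errors from their difference and sum.

```python
import cmath
import math
import random

# Constructed toy parameters (not GMR-1's real burst length or chirp rate):
# a 256-sample window at normalized sample rate fs = 1, each chirp sweeping
# 0.5 cycles/sample across the window.
N = 256
SWEEP = 0.5
MU = SWEEP / N          # chirp rate in cycles/sample^2
NFFT = 512              # zero-padded DFT length, so one bin is 1/512 cycle/sample


def reference_chirp(sign):
    """Reference chirp centred on the window: instantaneous frequency sign*MU*t."""
    out = []
    for n in range(N):
        t = n - N / 2
        out.append(cmath.exp(1j * math.pi * sign * MU * t * t))
    return out


UP = reference_chirp(+1)
DOWN = reference_chirp(-1)
DUAL = [u + d for u, d in zip(UP, DOWN)]   # the transmitted X-shaped waveform


def received_window(delay, freq_off, noise_std=0.0, seed=1):
    """Constructed capture: the dual chirp starts `delay` samples into the
    window (the coarse correlation got us close but not exact) and the
    receiver's oscillator error shifts everything by `freq_off` cycles/sample."""
    rng = random.Random(seed)
    out = []
    for n in range(N):
        k = n - delay
        s = DUAL[k] if 0 <= k < N else 0
        s *= cmath.exp(2j * math.pi * freq_off * n)
        s += complex(rng.gauss(0, noise_std), rng.gauss(0, noise_std))
        out.append(s)
    return out


def peak_frequency(x):
    """Frequency (cycles/sample, in [-0.5, 0.5)) of the strongest DFT bin.
    A plain O(N*NFFT) DFT keeps the example dependency-free."""
    twiddle = [cmath.exp(-2j * math.pi * k / NFFT) for k in range(NFFT)]
    best_k, best_mag = 0, -1.0
    for k in range(NFFT):
        acc = 0j
        for n, v in enumerate(x):
            acc += v * twiddle[(k * n) % NFFT]
        mag = abs(acc)
        if mag > best_mag:
            best_k, best_mag = k, mag
    return best_k / NFFT if best_k < NFFT // 2 else best_k / NFFT - 1.0


def estimate_sync(window):
    """Dual-chirp estimator as described in the talk: mix with the conjugate
    up chirp and find the peak f1, likewise with the down chirp for f2.
    After mixing, the up-chirp component collapses to a tone at
    freq_off - MU*delay and the down-chirp component to a tone at
    freq_off + MU*delay (the other component becomes a fast chirp whose
    energy is spread over the whole band, so it does not disturb the peak).
    f1 + f2 therefore gives the frequency error and f2 - f1 the time error;
    the sign convention is the only difference from the talk's f1 - f2."""
    f1 = peak_frequency([w * u.conjugate() for w, u in zip(window, UP)])
    f2 = peak_frequency([w * d.conjugate() for w, d in zip(window, DOWN)])
    freq_off = (f1 + f2) / 2
    delay = (f2 - f1) / (2 * MU)
    return delay, freq_off


if __name__ == "__main__":
    window = received_window(delay=8, freq_off=10 / 512, noise_std=0.3)
    print("estimated (delay samples, freq offset cycles/sample):", estimate_sync(window))
```

The zero-padded DFT gives a finer frequency grid than the window length alone would; a real receiver would use an FFT and interpolate around the peak instead of the brute-force DFT used here, and would also run the coarse correlation first to pick the window, which this example assumes has already happened.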
So we can reuse all the code that we already wrote for those.

Okay, the speech codec. As I said, they use a new codec called AMBE, or at least the codec family is called AMBE, standing for Advanced Multiband Excitation. It's low bit rate to, well, fit the needs of the satellite channel. Unfortunately it's proprietary, by a company called Digital Voice Systems Incorporated. There is no public specification whatsoever and there is no reference implementation provided, which is kind of a problem for us, because that means that we can neither decode nor encode speech data. Hopefully there are kind of two ways we can get around that. The first one is called mbelib. So the same family of codec is used in APCO P25 and DMR, if I remember correctly, and someone implemented those particular variants. They are different from the variant used in GMR, but at least some of the concepts are similar. Unfortunately the author is anonymous and we have no way to contact him to ask him, to see if he has some clue about how to decode GMR frames. So if by any chance you know him, you know... The other lead we have is that, well, the codec is obviously implemented in the phone, most likely in the phone DSP, because the phone DSP is a TI DSP, and what a coincidence, DVSI provides TI DSP source code for the codec. So we could most likely try to find it in there, but this is going to be a lot of work, and so if there is a way to bypass that, that'd be nice.

From a security standpoint, a few words. There is some good and there is some bad. I'm not sure if the good was intentional or just the byproduct of other decisions, but it's there. The first good news from a security standpoint is that the contention resolution does not echo the first message. So let me explain that a bit. In GSM, something that's very useful for an attacker is that the first message sent by the phone to the network has two interesting properties. The first one is that it will always contain some form of unique identifier for the subscriber, either it's the IMSI or it's the TMSI, so that allows you to identify the channel. The other nice property of this burst is that the BTS will actually echo the content of this burst during the contention resolution procedure. That means that even if you can only listen on the downlink, which is very common, you still can attribute a given dedicated channel to a given user, and this is something that has been used to do targeted sniffing on GSM and things like that. In GMR it is not the case. Technically it could be echoed, but there is another option, and that other option is what is always chosen as far as we can tell, which is that it will transmit like a CRC or hash of the original message, so the phone can still know if it was its message or not, without actually revealing the message to the entire world.

Another feature is that DTX, so discontinuous transmission, is heavily used in GMR. As I previously said, power consumption of the satellite is pretty important, and so when the satellite has nothing to say it does not say anything, contrary to GSM where on a control channel, if the base station didn't have anything to say, it would just send an empty frame that is completely known and would provide lots and lots of known plaintext for an attacker. In GMR it is not the case: if the satellite has nothing to say it would just say nothing, and so you don't have as much plaintext as you would have in GSM.

Of course it's not all good, because it's heavily based on GSM and so some of the things are inherited. The security is entirely optional; hopefully on Thuraya they actually use it. Some of the GSM attacks should be applicable as is, most notably the RACH denial of service and the IMSI detach denial of service. I say should because we haven't tested them. For GSM it was easy for us to set up a test network where we can test that in a controlled environment without impacting a commercial network; here we can't really start a denial of service attack on a satellite, I think they wouldn't like that. Something else that's pretty bad is that the phone transmits lots of private information in the RACH. So when you take your phone and try to place a call, or power it on, or do any kind of transaction, the first thing it will need to do is establish a dedicated channel between the phone and the satellite. To do that it transmits what's called a request access burst in the RACH, and here this burst actually contains lots of information in clear text, because there's no way to cipher it yet, like the position of your phone. So to establish a channel you essentially broadcast to the entire world where you are, and also why you want a channel, and in the why part, if you're actually placing an outgoing call, this will include the number that you are dialing. So it's, yeah, it's bad obviously. And finally, the cipher is still applied at layer 1.

About the cipher itself, it's currently unknown. It's supposedly derived from A5/2; the spec kind of strongly hints at that and some other people have told us that, but it's about all we know. We actually tried A5/1 and A5/2 just in case it was that, and we tried some minor modifications on them, but it didn't work. So yeah, we're looking into it. However, we can still look into what we could do once we get the cipher. As I said, the availability of plaintext is going to be more limited than in GSM, mostly because of the discontinuous transmission, so there are no idle frames that we can use. Another source of known plaintext in GSM was the SACCH, so the slow associated control channel, that was basically a channel that kept repeating the same thing over and over again. That channel doesn't exist here, so no way to use that. And finally, the actual channel bursts have a lot less bits per burst, meaning that even if you have known plaintext, you have less of it per burst that you can exploit. Although we don't know the cipher, we know that, well, past experience has shown that the kind of protocols they standardized, like A5/1, A5/2, GEA1, GEA2, weren't especially strong, and especially if you just Google for like "Thuraya intercept", you will find commercial crackers that claim that they can intercept the channel in a few seconds, so you can kind of imagine that the cipher must not be that strong if it can be broken in a few seconds.

Okay, so we'll now look at the actual software stack we wrote, but first a bit of history about this project. So as I said, it's relatively new. It was started around mid July, when Harald sent a mail saying "yeah, I've been looking into GMR with Dieter", and he started a wiki where information started collecting. A few weeks after that, Dimitri actually managed to receive the first signal from the satellite and see it on the FFT, and if you remember the slide with the FCCH, you could see the cross pattern on the FFT; it's very clear, you just can't miss it. The signal reception work was continued at the CCC camp; if you went by the radio tent you should have seen the satellite dish outside. And finally in September, around mid September, we had the first packet being demodulated and we started analyzing them. It took some time to clean the code and make something that we could release and that other people could use; that happened somewhere in October, and more recently we added support for the TCH3 channel types.

So Osmo-GMR is more than just the osmo-gmr git. It's composed of several parts that work together to create a reception chain. It all starts with the capture utility, which essentially captures the radio signal and saves it to a .cfile, so complex samples, which are very common in software defined radio. Those are processed by gmr1_rx, which is our main test application, and then forwarded, through an extended version of GSMTAP, to Wireshark, where we can see the packet content and start looking into the data that are exchanged.

So let's start with capturing. The first step is the antenna. Essentially anything that can receive the correct band of frequencies with left hand circular polarization is gonna work. Omnidirectional ones are not especially good, so you really need something kind of directional, but it can be quickly hacked together. The first version was a satellite dish, which has very good gain and very good directivity but unfortunately is not very practical. The second antenna that was built was a helical antenna, and it's a fairly good tradeoff between performance and convenience, and it's relatively easy to build; you can build one in a few hours. And Steve actually tried a biquad that seems to work very well and is also very easy to construct from PCB etching, so the details for this one are not on the wiki yet, but hopefully they will soon be.

Once you have captured the signal through an antenna, you can go through the optional steps of amplifying it and filtering it. Both steps are optional because, since we are in the optimal coverage zone, the signal is strong enough that if you have a fairly good antenna it's gonna work just fine. However, maybe you want to receive more than just the primary spot beam; maybe you want to receive spot beams that are not centered on your particular location and you want to look at the neighbor spot beams, and those will be weaker, so you need to amplify the signal to get it out of the noise. If you are near a strong transmitter you also may need to filter the signal, because 1.6 gigahertz is kind of near some strong carriers, and if you have too much gain without filtering you might end up saturating the input stage of your software defined radio. There are various options available; one of the cheapest ways to get a working amplifier only is actually to use a modified GPS LNA. So if you know those GPS antennas that you can buy for very cheap, they have like a ceramic antenna on top, and you can just remove the ceramic antenna, remove the GPS filter on the PCB, and just use the LNA on the antenna, and since the GPS frequency is actually pretty close to the GMR frequency they will work just fine.

So, capture hardware. You can use any software defined radio you like as long as it can save .cfiles, but our capture utility has specific support for UHD, so basically any Ettus hardware there is you should be able to use, as long as you have a matching daughterboard for the correct frequency, of course. One interesting particularity of the USRP1 is that since you can put two daughterboards, you should be able to listen to both uplink and downlink simultaneously. It should be possible with the other Ettus products, but you will need a GPS 1PPS pulse to synchronize the various USRPs between them, so it's a little bit more complicated setup. The cheapest option you can have is the FUNcube Dongle Pro, which is this little USB stick that has been released some time ago, which actually works very well for GMR. It has a small bandwidth, so you can't capture a lot of ARFCNs simultaneously, maybe three adjacent channels at a time, but it works very well, and it has actually pretty good sensitivity and it's been used successfully. And soon obviously there will be OsmoSDR, which is a new project Harald announced not so long ago on his blog.

The software used for capture is called gmr_multi_rx. It's based on GNU Radio and will handle all the nasty details for you. It will choose the optimal frequency to tune to, to avoid the DC peak, so that you don't have a DC peak in the middle of your signal; it will automatically channelize and resample so that the demodulation part has a nice four samples per symbol or something, and all you have to do is really, you just compile it for the hardware you want and then just give it the frequency you want to listen to, and it will just figure out everything else itself, and you will end up with two .cfiles that you can feed to the next step of the process.

So when we started writing the actual software defined radio parts for Osmo-GMR, we realized that we didn't have a lot of the mathematics helpers that were required, and so we created a very simple library that has just what we need and that fits very well with the other Osmocom libraries. This one is called libosmodsp, and essentially what it is is support for complex vectors, so IQ data, and the very common operations on them, like removing the DC offset, convolution, correlation, basically all the small primitives you will need when you implement software defined radio.

The actual software defined radio part of Osmo-GMR is located in src/sdr, and it has several jobs. The first of which is FCCH acquisition, so this very specific waveform, the process I explained with the correlation and the FFT, it's implemented in there, so that given a random capture we will need to find first, is there a carrier at all there, and if there is, what is the proper alignment and the frequency offset to compensate for it. The process we have works very well and it can actually find multiple overlapping carriers; because of frequency reuse you can sometimes have channels where you have two carriers at once that are shifted in time, and the implementation we have can manage to lock to both synchronizations and extract data from both overlapping channels. So obviously we need a demodulator to get the data out of the bursts, so we just wrote a generic CQPSK demodulator, and CBPSK is handled as a special case. And this layer also contains the description of the various burst types, so you have SDCCH, TCH, the various training sequences that are used and everything, and it's all in library form, so this layer is essentially a set of primitives to be used by some application to perform the functions. It's currently reception only, so only the demodulation part, but writing the modulation part should actually be easier, because modulation is just generating the proper signal envelope and mixing it with the transmission window, but it's something that we haven't done yet.

So layer 1, that's the channel coding layer. We have implementations for some of the primitives, so essentially scrambling, the various convolutional codes that are used in GMR, puncturing, all the CRC schemes that are used and the interleaving schemes that are used, and we also have stateless coders and decoders for some of the channel types, the most important one being the BCCH, which is the broadcast channel, so that's essentially the system information messages that describe the network and tell the phone what network it's on, what are the neighbor cells and things like that; CCCH for paging and immediate assignments; and FACCH3 and TCH3 are the actual traffic channels where user data is exchanged, so these are dedicated channels. This entire layer supports encoding and decoding completely.

So obviously, since both previous layers are just primitives and helper functions, we need something that actually uses them. Usually it would be the higher layers, like layer 2, layer 3 and stuff like that, but we haven't actually coded that yet, so instead we have a test application whose main job is to just do the equivalent of what airprobe does for GSM. That is, you give it a .cfile where you think there is a carrier, it will try to acquire synchronization, extract all the broadcast channel types like BCCH and CCCH, and if by any chance on the CCCH it sees an immediate assignment to a supported channel type like TCH3, it will follow it, decode the TCH3 data, and forward all of that to GSMTAP for further analysis in Wireshark.

So Wireshark. This was actually a lot of work, because you don't realize it when you use Wireshark, but writing the dissectors that display all the data nicely is kind of a painful process, and now I am very grateful for all the developers who actually implemented all the protocols that I analyze. So what has been implemented: the data link layer, LAPSat, is completely implemented. The BCCH is partial; you will see in the capture that I will show that we only decode some of the system information messages, because they are coded in a very annoying way, that is, they are unaligned bitfields described in CSN.1; if you saw the talk by Harald, it's the same CSN.1. CCCH, the dissection is incomplete, but we have support for all the message types that we have seen so far on Thuraya, so even though we don't support like the dozens of types of messages that are described in the specification, every message you see should be dissected and displayed properly. If you find one that isn't, just post the capture to the mailing list and we will add support for it. Same thing for the RR layer, radio resources, that is, all the messages we've seen so far are dissected. The upper layers, since they are completely common with GSM, we obviously didn't rewrite the code and we just forward those data to the pre-existing GSM dissector from Wireshark.

So we can take a look at what the GMR signal looks like. So this is a representation of a GMR signal. On this axis you have the frequency and this is time, and so you can clearly see here the synchronization pattern, and then all of this is just, there is just no transmission. It's slightly lighter blue than this because this is actually filtered out by FIR filters to channelize the thing, but this is just noise, and here you have the bursts of data. Those small bursts are actually the GPS ephemeris data that are transmitted periodically, so that the phone can lock on, at least is supposed to lock on, faster; not sure it actually works. This is BCCH and these are CCCH. But as you can see, once you see that, if you're trying to receive GMR you just display it in a waterfall display, and if you can see this kind of pattern you know you found the GMR carrier, there's just no doubt about it, it's very distinctive.

So, well, obviously I can't really capture a signal live, because, well, we're inside, but I have some prerecorded signal that I can process. Unfortunately it's not really readable on the screen, but Wireshark should be readable. Let me launch Wireshark. So here I'm just calling the main application, so yeah, you can't read it, but it says gmr1_rx. The first argument is 4; it's just the number of samples per symbol, 4 is the optimal value, so just use 4. Then I can give it two .cfiles: the first one is the BCCH and the second one is where the TCH is going to be assigned, because we can't currently follow live. You have to kind of know where the TCH are going to be assigned; hopefully in Thuraya you just take the BCCH number, you add one, and the channels are going to be assigned there, so that's pretty easy. And when you launch it, it will just decode everything pretty quickly and forward everything to Wireshark.

So what can we see? The first thing you can see here is the BCCH, so they are the broadcast information, and as you can see the dissection is somewhat complete until you actually reach here; then the actual message content is not decoded. We only have support for a few segments: segment 2A, which contains all the synchronization information like the current frame number and some offsets, and another type we support is segment 3A, and this one contains very interesting information because it broadcasts the name of the network, I mean the name is the MNC/MCC, so you can see 9015 is the code for Thuraya. You can find the location area code, which in GMR is split between the MSC ID and what's called the spot beam ID, so just the number of the spot beam you are on, and more interestingly you can find the beam center position, so you can know that this beam is actually centered on those GPS coordinates. And one of the first things we did is just try to map all the beams that we managed to receive, and these are the beam center positions of all the beams we've been able to receive so far. The reception was some from Belgium and some from Germany, so you can see that you can capture data from beams that are pretty far away. Our current assumption is that the beamforming algorithm has some side lobes and we are seeing those side lobes mostly here.

So all these are broadcast information, but of course at some point there will be, let me find it, okay, so here you can see an immediate assignment. A channel is being assigned, and this was actually me making a call, and you will find the channel description that says okay, go to ARFCN 268 on time slot 13, and if we filter by channel type and only display the dedicated channel, you can see here all the communication that has happened between my phone and the network. So first an empty frame with nothing, and then you can see the authentication request, exactly the same as in GSM, because since this is done by the mobility management layer it's common with GSM, and then you can see the ciphering mode command that activates ciphering, and you can see it requests A5/1, which is not actually the same A5/1 as in GSM, and it also for some reason transmits a string that tells the phone to display "Belgium" on the display. I have no idea why they put that in the ciphering mode command, but they did. And of course after that you can't see anything because it's ciphered, and although it's my phone and I have the corresponding key, I don't have the actual algorithm to decode the data, so this will come later on.

So what do we plan to do next? Well, find what's missing, so essentially find the cipher, it's in the phone somewhere; find the speech algo, same thing, it's in the phone somewhere; implement the upper layers; try to, instead of manually coding all the message types, create code generators that can actually parse the specification and automatically generate the marshalling and unmarshalling methods; the transmit side, hopefully one day. If you want to implement something, feel free to do so.

I'd like to take a moment to thank the people who contributed to this project, most notably Dimitri for doing all the groundwork in the early captures and writing the actual capture tool that is so easy to use, Harald for starting the project and getting us interested in GMR in the first place, and Steve for all the research he did into finding good ways to capture the signal easily with readily available hardware. You can read the specification; as I said, you will need both the GMR spec and the GSM spec because there are a lot of references, and you can visit the wiki, there is a lot of information as well as getting started and how to get things running. And that's it, thank you for your attention.

So do you have any questions? Any question? It was heavy, I know. Okay, yeah, there's one question.

So what's your plan for getting the cipher out of the phone? I mean, with the codec it's probably a program on the DSP, I get that, but I would guess the cipher is actual hardware.

Actually it's not, because we found someone published some Korean firmware
develop the phone published a paper about the architecture of the phone and you can clearly see the cypher unit being in the omap dsp processor at first we thought it was in the uh in the uh because there is a an azik in it and we thought it it's gonna be in the azik and then we found this paper which actually described the architecture of this azik and you can see that it's not the azik is purely um software defined radio stuff uh do you have a dump of that phone already or is it off the phone or do you need to get it out i'm sorry uh do you have a dump of that firmware already or do you need to get it out of the phone uh we have um we have the firmware update the firmware update files are available on uh on the internet uh freely and they load very nicely in ad so we we actually have it what we're looking for though it's a broken phones uh so if you have if you have some so presumably you were still right i'm sorry where are you okay hi so presumably you will be able to use one of these broken phones to use it as a black box for the codec and the encryption um yeah for the for the encryption we're hoping to to actually uh extract it because uh encryption tends to be relatively easy to spot and and extract um usually that they're quite small on the other hand the speech codec is probably quite large and so in the first time maybe we'll just find out to feed the data to the phone every decompress and uh and get the data or maybe just run the the dsp image in a dsp emulator i mean yeah here is a question from the net can you sniff a uh sorry a rf ch channel data with standard with standard hardware like osmo com bb no you cannot you you cannot use the osmo com bb uh phone hardware to sniff gmr channels because the symbol rate is different the frequency band is different and well that's quite enough actually it's just won't work i have a question uh are all the spots are all the spots active all the time or or is it just when there's a phone you need to have have a 
phone to activate some spots no the spot beams are all active uh at the same time um at least as far as the as far as we can see as far as the spec is concerned there are some provision to uh i mean they can reconfigure the spots if they want to like allocate more spot for uh for an area because they have more subscriber or stuff like that but spot beams are not activated on demand because the phones uh need the spot beam to synchronize however when a spot beam um as as you saw on the capture most of it is actually most of the time it's actually not transmitting anything so yeah if there is nothing to say uh are you aware of any currently available phones that you can use as a gsm gmr modem such as the analogous to gsm modem whose ad commands yes this one as a as ad commands and they also have a dedicated dedicated modem so there is no phone it's just a data modem for for data connection um do you do you have any plans on emulating or starting the space section yes actually that's probably one of the first thing we're gonna try on the tick side of things because generating a static um carrier beam um should actually be fairly easy uh we i mean um we did it for gsm uh pretty pretty quickly uh just just to make it appear in the network list so i suspect that for gmr it shouldn't be too hard to replicate that and uh and david rellin yes