29C3 – Further hacks on the Calypso platform

in hacks, RF, talks by the machinegeek | 11 comments


In this presentation from the just-concluded 29C3 conference in Hamburg, Germany, speaker Sylvain Munaut explains how to turn a cellphone into a BTS.

The Calypso baseband and its companion chips are used on the Motorola C123, among others, and are now well known for being supported by the Osmocom-BB open source GSM baseband implementation. A couple of years ago, it was hacked a little further by using it as a raw bits capture device, allowing the interception of GSM traffic very cheaply.

This talk will present some further work on that platform, showing that just because a device wasn’t designed for a given task doesn’t mean it can’t do it. More specifically, how you can hack this phone to act as a GSM basestation and broadcast your own network.

For additional info on hacking the Motorola C123, see the OsmocomBB C123 page.


Comments

  1. Lloyd says:

    It’s hard to keep up with these events when they all have such stupid names.

  2. a big woot to the whole osmocom team!

    (btw, what’s the name for that tiled window manager?)

  3. eon says:

    well, the last events 27c3, 28c3 and deepsec talks from these guys have been full of shit about all code they have and which they say they will release and then afterward they don’t release it after all. And yes, I am talking about their maximal-stripped down osmocombb-version, so much for opensource. And their mail-forum is a joke, harassing many newbies asking polite questions. Why expect newbies to be able to reinvent the wheel? Osmocom: If authorities have forced you to not post your findings, then just say so on your web-page. As it is now, it looks more like a closed fan-club.

    • Aris Gardelis says:

      I think you have the wrong idea about the whole project. If you have spent some time reading the wiki, the whole purpose of the project is not sniffing or doing illegal stuff. I hope you have heard that listening to other people’s phone calls is illegal. If you will spend some time with this project, you will find out that this is the most interesting project at the moment. It’s exactly what you said. Reinventing the wheel. In the last 30 years or so, this is the only project that can affect so many people. We are talking about billions of users who still use GSM and this will be used for 20 years more. This project is to make a totally free baseband implementation of GSM and make phone calls more secure.
      Also I do not think that the people of osmocom are harassing anyone. Myself, who am always in the IRC, spend a lot of time explaining to new people about the project and help them on how to start. But most of the new people are asking the same big question “How to sniff”. Well…that’s not going to happen. But if you want to learn how GSM works, this is the best place in the right time to be.

    • Sylvain says:

      1) The only presentation done at deepsec in 2010 didn’t mention anything about code availability AFAIR. I’ve always said the imsi detach attack was trivial to implement for anyone familiar with GSM (and by trivial, it’s really 30 sec !). And the sniff demo at deepsec used the _exact_ code that has been in the burst_ind branch.

      2) At 27C3, it was made very clear what was available and what not in the follow-up mail. The only piece that wasn’t published and should have been was the audio conversion tool (the one I used was based on code I couldn’t publish because of a license issue, so I had to rewrite it) and I got so fed up with all the harassment at the time from people like you that I just dropped all work on that …

      For the main branch of osmocom-bb, all the info and code is on wiki/git. For the sniffing code, I don’t expect newbies to re-invent the wheel … I expect them not to use it, it’s been clearly targeted at GSM security researchers.

      3) At 28C3, the only thing the osmocom team showed was the Osmo-GMR project and everything is available on the git. Some other people might have shown stuff using the C123 but that’s not from osmocom. Since the code is available, other research teams are basing their attacks on our codebase and what to publish or not is their decision.

      4) About “harassing newbies”. If you clearly show that you didn’t take a few moments out of your day to read the doc and mailing list, why should we take time out of ours to help you? The wiki has a list of “pre-requirements” that should be fulfilled before even trying to run osmocom-bb, it’s not targeted at users that just booted an Ubuntu CD for the first time. When learning to swim you don’t just jump in the middle of the Atlantic and try swimming to shore …

  4. PinkAsso says:

    Add me to the list of snubs from the Osmocom mailing list. I think I’m better off with USRP.

    • these two projects have absolutely nothing in common so you’re either a troll or a Captain Obvious ;)

    • Sylvain says:

      In any case you’re always better off with a USRP. It’s a much more flexible and powerful device. Given it’s about 50 times as expensive, it comes as no surprise. And if you don’t like those projects, don’t use them … no one is forcing you.

  5. Hmm dear Dangerous Prototypes team, the comments are totally neglecting the end of lines! the result is not easy to read!
