Tetra decoding

Status
Not open for further replies.

jlxsolutions

Member
Joined
May 23, 2013
Messages
105
Reaction score
0
i don't think they got encrypted, because this would require a major reconfiguration of all devices. most probably the device that receives the LIP messages just moved to another cell, or is connected via some other means.

but if it did get encrypted because of telive, then i would consider this to be a big success (everything should be encrypted by default anyway, software like this forces people to do it)

hmm the SDS-LIP messages were coming from 2 different towers before, now they went poof. oh well, they started to get annoying in the end heh, as some updated every few seconds (2 to 3), massive location spam.

but those new SDS messages look interesting. also been seeing calls getting BOC/BIC'ed (unregistered device maybe?)
 

asgard

Member
Joined
Sep 5, 2015
Messages
32
Reaction score
8
Location
UK
so.. telive is working like a charm.. Still not figured out all functions. but i am working on that. Big question i have..
let's suppose that in one network there are 4-5 services active.. network is air encrypted 1. One or more services are using multiple frequencies.. how can i detect which terminals are paired or are in the same service? how can i detect how many services are using this network?
br'
 

hamradionl

Member
Joined
Mar 23, 2014
Messages
729
Reaction score
96
Just an idea, thinking out loud, for those who are not Linux gurus, so no need for a PC any more.
possible to use raspberry-like hardware running linux lite with the tetra software,
Input cable connecting this device to the discriminator output of a normal scanner, and output of this device to a speaker.

Only just idea
 

jlxsolutions

Member
Joined
May 23, 2013
Messages
105
Reaction score
0
Just an idea, thinking out loud, for those who are not Linux gurus, so no need for a PC any more.
possible to use raspberry-like hardware running linux lite with the tetra software,
Input cable connecting this device to the discriminator output of a normal scanner, and output of this device to a speaker.

Only just idea
Still gonna need setup/compilation and Reduction of samplerate guessing to 1M max
 

sq5bpf

Member
Joined
Jan 23, 2014
Messages
517
Reaction score
15
so.. telive is working like a charm.. Still not figured out all functions. but i am working on that. Big question i have..
let's suppose that in one network there are 4-5 services active.. network is air encrypted 1. One or more services are using multiple frequencies.. how can i detect which terminals are paired or are in the same service? how can i detect how many services are using this network?
br'

define what you mean by "service"? typically this will be one or more groups, that are used by a set of ISSIs.

example:

you see ISSIs 1,2,3,4,5,6,7,8,9,10, and GSSIs 100, 101 and 102. looking at the logs GSSI 100 is used by ISSIs 1,2,3,4; GSSI 101 is used by 2,3,4,5; and GSSI 102 is used by 6,7,8,9,10


so we can deduce that 100 and 101 are somehow related together (used by one company, we can call this a "service"). this user has ISSIs 1,2,3,4,5

group 102 is used by ISSIs 6,7,8,9,10. this may be another company, or this may be the same company (but ISSIs 6-10 never use groups 100 and 101), we can never be sure. now if you see ISSI 6 using GSSI 100, then most probably this is the same company.

this can get more complicated. suppose you have the police, firefighters and ambulances on different GSSIs on the same network. suppose there is one GSSI used for calling the ambulance dispatch, and that this is also used by the police and firefighters. by doing only analysis which ISSI talks in which GSSI you would conclude that all GSSIs belong to one system (because there is one common GSSI), which is not true. of course if you can receive voice traffic, then it is easier to guess which is which.

i wrote a small patch for one of the users that will export all call information via an HTTP request, which is later processed via a php script and put into a database (ugly hack, but it worked for him). this was later processed to see which SSIs would be in the same call with each other, to discover the "services".

one day i will write something to interface the telive output with Maltego, and in Maltego you will be able to do any correlation you like: graph of who talks to who, which SSIs are active at which times etc
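
The grouping described in the post above, as an added example that is not part of the thread and is not telive or osmo-tetra code. It shows what unencrypted signalling metadata lets an auditor infer about who shares a network, and reproduces the shared-dispatch false merge. The function names and the dispatch GSSI 200 are hypothetical; the other ISSI/GSSI values are the ones from the post's example.

```python
from collections import defaultdict

# Constructed sample: (ISSI, GSSI) pairs as seen in call signalling,
# using the numbers from the post's worked example.
OBSERVED = ([(i, 100) for i in (1, 2, 3, 4)] +
            [(i, 101) for i in (2, 3, 4, 5)] +
            [(i, 102) for i in (6, 7, 8, 9, 10)])

# Hypothetical shared dispatch group 200, used by one ISSI from each side.
WITH_DISPATCH = OBSERVED + [(2, 200), (6, 200)]


def clusters(pairs, ignore=frozenset()):
    """Group GSSIs linked by at least one common ISSI (union-find)."""
    parent = {}

    def find(g):
        parent.setdefault(g, g)
        while parent[g] != g:
            parent[g] = parent[parent[g]]  # path halving
            g = parent[g]
        return g

    first_gssi = {}  # ISSI -> first GSSI it was seen on
    for issi, gssi in pairs:
        if gssi in ignore:
            continue
        find(gssi)
        if issi in first_gssi:
            parent[find(gssi)] = find(first_gssi[issi])
        else:
            first_gssi[issi] = gssi
    out = defaultdict(set)
    for g in parent:
        out[find(g)].add(g)
    return sorted(sorted(c) for c in out.values())


def bridging_gssis(pairs):
    """GSSIs whose removal splits a cluster: possibly a shared talkgroup
    (the dispatch case), so the merge is not proof of one organisation."""
    base = len(clusters(pairs))
    return sorted(g for g in {g for _, g in pairs}
                  if len(clusters(pairs, ignore={g})) > base)


if __name__ == "__main__":
    print(clusters(OBSERVED))             # two separate "services"
    print(clusters(WITH_DISPATCH))        # everything merged into one
    print(bridging_gssis(WITH_DISPATCH))  # the GSSI responsible for the merge
```
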
 

inforest1

Member
Joined
Sep 9, 2015
Messages
4
Reaction score
0
Hi and thanks for this excellent software - no unencrypted tetra here (Norway) though it seems, Air encryption 1. Clicking noises are all that can be heard.

And I am sure the little traffic captured originates in emergency services (around 393 MHz)

root@kali:~/osmo-tetra-sq5bpf/src# ./receiver1 1
mkfifo: cannot create fifo

I used one rtlsdr-dongle and an old tabletop indoor tv-antenna, kali 2 persistently installed on usb-stick.

But the basic signalling in the capture, like synchronization bursts, is not encrypted. Is that correct?

I guess otherwise it would be impossible to even "lock on to the tetra downlink" with telive
 

jlxsolutions

Member
Joined
May 23, 2013
Messages
105
Reaction score
0
Hi and thanks for this excellent software - no unencrypted tetra here (Norway) though it seems, Air encryption 1. Clicking noises are all that can be heard.

And I am sure the little traffic captured originates in emergency services (around 393 MHz)

root@kali:~/osmo-tetra-sq5bpf/src# ./receiver1 1
mkfifo: cannot create fifo

I used one rtlsdr-dongle and an old tabletop indoor tv-antenna, kali 2 persistently installed on usb-stick.

But the basic signalling in the capture, like synchronization bursts, is not encrypted. Is that correct?

I guess otherwise it would be impossible to even "lock on to the tetra downlink" with telive
Inforest i would like to PM you about some things i discovered with Scandinavian tetra networks.
 

radiox

Newbie
Joined
Oct 27, 2015
Messages
1
Reaction score
0
Seeking info on encryption capabilities

Excellent work sq5bpf. I'd like to know more about the capabilities of the software. Am I just decoding Tetra or is this also decrypting/decoding the so called TEA 1 ?

The reason I'm asking is because I'm able to listen in on my own traffic, which I was told by the provider was secure. Obviously they're relying on security through obscurity and so I'm not getting any definitive answers on the security provided to me, and the answers I get I don't trust. So I look to you.

I've tried looking over a bunch of ETSI PDFs to try and see if there are different types of Tetra and if the AIE (Air Interface Encryption) is only available to certain types, but I'm unable to see past the so called TEA1,2,3 and 4.

According to http://www.tandcca.com/about/page/12027, the TETRA standard supports those 4 "algorithms". Am I safe to say then that if I can listen to the traffic, then that traffic is not encrypted and thus not belonging to TEA 1,2,3 or 4?

Then there is the end to end encryption (ETEE). Is that also dependent on the network? I'm getting answers that my network doesn't support ETEE, which I find odd. Is that something anyone can give info on?

Can I somehow look at the logs or traffic to see what kind of TETRA network I'm on to know what its capabilities are? Is there really "old TETRA" and "new TETRA"?

Thanks in advance!
 

sq5bpf

Member
Joined
Jan 23, 2014
Messages
517
Reaction score
15
Excellent work sq5bpf. I'd like to know more about the capabilities of the software. Am I just decoding Tetra or is this also decrypting/decoding the so called TEA 1 ?

The reason I'm asking is because I'm able to listen in on my own traffic, which I was told by the provider was secure. Obviously they're relying on security through obscurity and so I'm not getting any definitive answers on the security provided to me, and the answers I get I don't trust. So I look to you.

this is all explained in the telive documentation. i would advise that you read all of it, especially the FAQ section.

in short: no, telive (and the osmo-tetra modified for telive) can't do any decryption. one of the reasons is that the TEA algorithms are not public (yet, probably sooner or later someone will publish them, same as with GSM). btw one of the purposes of this software is that you can audit your own network and i'm glad that it has been used this way.

ask your provider for a detailed description how the traffic is secured etc. i assume you are paying extra for this security. then make nice documentation of the fact that you have listened to your own traffic with this software. probably you can have a lot of fun if you show this and the reply from the provider to your company's lawyers (and if you and the lawyers don't mind, please share with us what you can).

btw while it's still unencrypted you could help development of this software. if you can generate some interesting traffic using your own equipment (such as anything which is carried over SDS, especially vendor proprietary protocols), and share telive logs with me along with a description of what was sent, this will help me write a decoder.
 

sq5bpf

Member
Joined
Jan 23, 2014
Messages
517
Reaction score
15
Then there is the end to end encryption (ETEE). Is that also dependent on the network? I'm getting answers that my network doesn't support ETEE, which I find odd. Is that something anyone can give info on?

afaik ETEE requires support from the terminals (license costs etc), but should be independent of the infrastructure (but please verify this claim). look at this:
Code:
https://en.wikipedia.org/wiki/End-to-end_encryption#Example:_TETRA


Can I somehow look at the logs or traffic to see what kind of TETRA network I'm on to know what its capabilities are? Is there really "old TETRA" and "new TETRA"?

look at the output of tetra-rx, you will have the capabilities there also (such as air encryption etc, but just because the capability is in the infrastructure, doesn't mean that it's used)

regarding "old TETRA" and "new TETRA": the standard is evolving, there is something called TETRA 2, but i don't think anyone has seen it widely deployed yet. the radios and infrastructure cost a lot, so i guess it will take some time before people switch.
 

smr

Member
Joined
Nov 1, 2005
Messages
35
Reaction score
0
Location
Europe
regarding "old TETRA" and "new TETRA": the standard is evolving, there is something called TETRA 2, but i don't think anyone has seen it widely deployed yet. the radios and infrastructure cost a lot, so i guess it will take some time before people switch.

TEDS is commonly referred to as TETRA2 and Norway is to my knowledge the only country using TEDS today
 

sq5bpf

Member
Joined
Jan 23, 2014
Messages
517
Reaction score
15
TEDS is commonly referred to as TETRA2 and Norway is to my knowledge the only country using TEDS today

if you're from Norway, could you please send me output from tetra-rx and telive.log from one of these networks?
 

sm0vec

Member
Joined
Dec 8, 2014
Messages
46
Reaction score
0
if you're from Norway, could you please send me output from tetra-rx and telive.log from one of these networks?

I can send you some data later.

This explains why I don't see any neighbor information from the Norwegian network, probably that's implemented a bit differently in version 2.
 

grosminet

Member
Joined
Jan 21, 2004
Messages
318
Reaction score
101
RTL SDR and sdrplay not working

has anyone succeeded in running "osmosdr-tetra_demod_fft.py" with gnuradio 3.7.X?

With RTL SDR or SDRPLAY, I have the same error. Device is detected but not starting Tetra decode

errors are:

Traceback (most recent call last):
  File "./osmo-tetra-sq5bpf/src/demod/python/osmosdr-tetra_demod_fft.py", line 271, in <module>
    tb = top_block()
  File "./osmo-tetra-sq5bpf/src/demod/python/osmosdr-tetra_demod_fft.py", line 94, in __init__
    self.resamp = filter.pfb_decimator_ccf(int(rerate))
  File "/usr/local/lib/python2.7/dist-packages/gnuradio/filter/filter_swig.py", line 1586, in make
    return _filter_swig.pfb_decimator_ccf_make(*args, **kwargs)
TypeError: Required argument 'taps' (pos 2) not found

Funcube or funcube pro + are working fine but using QTHID front end and fcdp-tetra_demod.py or fcdp-tetra_demod_fft.py

I tried ./receiver1 with same error

Comments are welcome
 

grosminet

Member
Joined
Jan 21, 2004
Messages
318
Reaction score
101
which gnuradio version (if 3.7.2 then it won't work, try =>3.7.5)?
which distribution?
how did you install?

for version I have to check
distribution is ubuntu 10.04 (64bits)
install sbrac script or pybombs (same error)
 