author: Tom, 2012-04-19 17:50:03 +0200
committer: Tom, 2012-04-19 17:50:03 +0200
commit: e128a9d22fcb2fa47027ed4fe3f83b0577e4f1b6
tree: a5a4e0090e4eb94343395e1f3403dff3fd3b632b /Tex
parent: implemented databases save for guis
finished database implementation and documentation in thesis, incorporated changes in thesis
Diffstat (limited to 'Tex')
-rw-r--r-- Tex/Content/Detection.tex 52
-rw-r--r-- Tex/Content/GSM.tex 153
-rw-r--r-- Tex/Content/Motivation.tex 6
-rw-r--r-- Tex/Images/ICDS.png bin 289007 -> 296984 bytes
-rw-r--r-- Tex/Images/databases.png bin 0 -> 27814 bytes
-rw-r--r-- Tex/Master/Glossary.tex 4
-rw-r--r-- Tex/Master/Master.acn 64
-rw-r--r-- Tex/Master/Master.aux 97
-rw-r--r-- Tex/Master/Master.ist 2
-rw-r--r-- Tex/Master/Master.lof 7
-rw-r--r-- Tex/Master/Master.log 217
-rw-r--r-- Tex/Master/Master.pdf bin 14240416 -> 14250338 bytes
-rw-r--r-- Tex/Master/Master.synctex.gz bin 478656 -> 470002 bytes
-rw-r--r-- Tex/Master/Master.tex 5
-rw-r--r-- Tex/Master/Master.toc 34
15 files changed, 308 insertions, 333 deletions
diff --git a/Tex/Content/Detection.tex b/Tex/Content/Detection.tex
index ef8a528..a146cc4 100644
--- a/Tex/Content/Detection.tex
+++ b/Tex/Content/Detection.tex
@@ -379,13 +379,13 @@ We know that the catcher cell has a new Cell ID that has not been there before.
Therefore the \emph{Cell ID Databse Rule} has three different approaches to exploit this fact:
\begin{itemize}
\item A database of Cell IDs can be learned by the \gls{icds} beforehand.
- Each cell that was seen more often over longer periods of time receives a higher rating.
This can be used to detect new Cell IDs that have not been seen before.
- The better way to receive a Cell ID database is to use a commercially build one since it is always possible to overlook a cell when learning the surroundings.
+ The better way to receive a Cell ID database is to use a commercially build one since it is always possible to overlook a cell when learning the surroundings and not having scanned long enough.
\item A web service also offered by most providers of Cell ID databases can be used to see whether a cell actually exists and check whether it should be situated in the neighbourhood it is in.
\end{itemize}
The three largest Cell ID databases are the two commercial ones by Ericson\footnote{\url{https://labs.ericsson.com/apis/mobile-location/}} and combain\footnote{\url{http://location-api.com/}} as well as the free alternative OpenCellID\footnote{\url{http://www.opencellid.org/}} \cite{wiki_cells}.
Ericson and combain have trial modes, where the first 1000 requests are free for developers afterwards a subscription or a fee per request must be paid.
+Another free alternative with a large coverage is Google Mobile Maps, that also offers a web service where CellIDs and their respecitve \glspl{lai} can be checked against their database to obtain localisation information (or simply check if they are part of the database).
By adding this information new cells can be identified.
The second where an existing cell is replaced is a bit more complicated since its parameters are an exact copy of the old cell.
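Review bot: The added Google Mobile Maps sentence names a fourth service without the \footnote{\url{...}} or \cite that the Ericson, combain and OpenCellID entries carry, and the sentence two lines above it still reads "The three largest Cell ID databases". Add a reference for the service and reword the count so the paragraph agrees with itself. The same added line has "respecitve", and the rewritten itemize line keeps "commercially build one" (built); its new tail "and not having scanned long enough" would read better as "if the scan was not long enough". With the rating sentence removed, also check that the lead-in "three different approaches" still matches the items that remain.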
@@ -502,7 +502,6 @@ Available filters are:
\begin{itemize}
\item Provider Filter: Takes a comma separated white list of providers that should be shown.
\item ARFCN Filter: Takes a range of \glspl{arfcn} to be shown.
- \item Band Filter: This can be used to show only the 900 MHz or the 1800 MHz band.
\end{itemize}
These filters can arbitrarily be combined together.
@@ -514,14 +513,14 @@ Choosing a new evaluator will also trigger a re-evaluation of all the data colle
\item Evaluation: This button brings up a separate window showing only the final evaluation of the scan.
-\item Location Window: This window lets the user choose the current location that is used by the Local Area Database Rule.
-It is also possible to export the current scan as a Local Area Database or import an old database to be enhanced with data from the current scan.
+\item Databases Window: The settings for the databases the \gls{icds} uses can be changed here.
+These settings are mandatory if the Local Area Database Rule or the CellID Rule is going to be used.
\item Save/Load Project: The current state of the application can be saved and loaded as \texttt{.cpf} files.
This enables the user to continue a scan at a later point in time or to compare different data sets scanned at different points in time or locations with one another.
-%TODO: write this as soon as its finished
-\item Provider Quick Evaluation: Lets see what this brings...
+\item User Mode: The \gls{icds} is ultimately meant to be designed as a tool that can be used by end users to check whether it is safe to initiate a phone call or not.
+This dialog presents a way the already configured tool could be presented to end users.
\item Base Station List: This list gives an overview of which base stations have been discovered so far along with some distinguishing information including its evaluation.
A detailed view of a base station can be brought up by selecting it in the list and hitting the enter key.
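Review bot: Rule names are inconsistent in the added Databases Window item: it says "Local Area Database Rule" and "CellID Rule", while other text in this patch uses "Location Area Database" and "Cell ID Databse Rule". Pick one name per rule, ideally through a macro or glossary entry, so a reader can match the window to the rule description. In the User Mode item, "is ultimately meant to be designed as a tool" can be tightened to "is ultimately meant to be a tool".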
@@ -541,18 +540,43 @@ Zooming can also be done with the mouse wheel and it is possible to drag the gra
\end{enumerate}
The procedure of operation differs depending on the purpose.
\paragraph{Sweep scans:} This is the normal mode of operation, scanning and evaluating all base stations in the perimeter.
+This is also used for gathering various kinds of information to be used for analysis later.
At first the firmware needs to be flashed onto the device by pressing (1).
After the flashing process is finished the scan can be started by pressing (2).
Either before or during the scan (3),(4) and (5) can be used to customise the output or rules that should be considered during evaluation.
The scan can be stopped at any time.
Resuming the scan will renew the information in the Base Station List.
-\paragraph{Location Area Database:} To build up a new Location Area Database a sweep scan must be done.
-In the Location dialog (7) a location must be set, so the \gls{icds} know to which location the data is linked.
-Afterwards it can be saved and used by adding it to the list of available location databases in the \texttt{settings.py}.
-It is also possible to load an existing database and add the information obtained during the sweep scan to this database.
-To use such a database for evaluation, the location must be set correctly and the respective rule must be activated.
-The correct database will be used automatically.
+\begin{figure}
+\centering
+\subfigure[Databases window.]{\includegraphics[width=.4\textwidth]{../Images/databases}\label{fig:databases}}
+\subfigure[User Mode window.]{\includegraphics[width=.4\textwidth]{../Images/databases}}
+\caption{Settings windows for two ICDS features.}
+\end{figure}
+
+\paragraph{CellID Information:} CellID information can be obtained through several different means.
+The Databases window shown in Figure \ref{fig:databases} can be brought up by pressing (7).
+In the upper part settings concerning the acquisition of CellIDs can be found.
+The operator has the choice between three different methods which can also be used in combination.
+\emph{Google Mobile Maps Service} compares the station's CellIDs and \glspl{lai} to the ones in the Google database.
+If they are found they are marked as such and additionally their location information will be set.
+\emph{OpenCellID Web Service} performs the same task if activated.
+As of now OpenCellID has a very low coverage compared to Google's service but it has been included since it is an open source approach that is developed and updated constantly.
+The \emph{Use Local Databse} feature allows to use a previously build Location Area Database as CellID Database for lookups.
+For this purpose the location to be used as database has to be entered in the textfield.
+Offline lookups can be done that way, which are considerably faster that online lookups, the raw data used by the OpenCellID project can also be downloaded and used as a offline version for reference that way.
+Since these lookups take some time if performed using webservices, this is not done while the scan is taking place, to not delay the acquisition of information from new base stations.
+Pressing the button below the checkboxes will add the CellID Database information from the selected sources to all the stations currently in the base station list.
+If more than one service is activated lookups will be done starting with the Google service and using the next one in line only if the previous lookup failed.
+Having at least one service activated and run on the base station list is a precondition for the CellID Rule to work.
+
+\paragraph{Location Area Database:} The correct location for the Locataion Area Database can also be found in the Databases window.
+Having set up the correct location in the \emph{Current Location} field and having a valid database for that location are preconditions for the Location Are Database Rule to work.
+To build up a database for a specific location a sweep scan for this location has to be done.
+After the sweep scan is finished, the current location has to be set in the dialog and the button for adding/updating the database has to be pressed.
+If there was no existing database for that location it will be created, otherwise the database will be updated with the new information acquired by the sweep scan.
+To raise the quality of a Location Area Database it is recommended to do multiple sweep scans and integrate them rather than to only rely on a single scan.
+This raises the probability that all \gls{bts} in the perimeter are found and it solidifies the interval in which the base station signal strength varies.
%TODO: write this once implementation is finished
-\paragraph{Quick check:} After a sweep scan is completed....
+\paragraph{User Mode:} After a sweep scan is completed.... \ No newline at end of file
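Review bot: The second \subfigure, captioned "User Mode window.", includes ../Images/databases again, so both panels will show the Databases window; point it at the User Mode screenshot or drop the panel until one exists. It also has no \label, and the figure has no \label of its own. The lookup paragraph says the next source is used "only if the previous lookup failed", and the local source is a Location Area Database built from the operator's own sweep scans: state how a cell that was recorded while a catcher was active is kept from validating itself through this fallback. Typos in the added lines: "Databse", "build" (built), "faster that", "a offline", "Locataion", "Location Are Database Rule". The User Mode paragraph is still the "After a sweep scan is completed...." stub under the TODO, and the file now ends without a trailing newline.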
diff --git a/Tex/Content/GSM.tex b/Tex/Content/GSM.tex
index 975690a..1880234 100644
--- a/Tex/Content/GSM.tex
+++ b/Tex/Content/GSM.tex
@@ -7,8 +7,8 @@ The $U_m$ interface will be described in detail in Section \ref{sec:Um} since th
Section \ref{sec:catcher} will finally explain how an IMSI-catcher works and how it replaces the system components as well as state from a technical and law perspective why these devices have become a threat to all-day privacy.
\section{A Historical Perspective}
-The acronym GSM was originally derived fom \emph{Group Sp\'{e}ciale Mobile}.
-This committee was part of the \gls{cept} 1982, with the task of developing a pan-Eurpean digital cellular mobile radio standard in the 900 MHz band.
+The acronym GSM was originally derived from \emph{Group Sp\'{e}ciale Mobile}.
+This committee was part of the \gls{cept} 1982, with the task of developing a pan-Eurpean digital cellular mobile radio standard in the 900\MHz band.
1986 the frequency range was officially licensed.
The foundation of this task group was a direct answer to the development of independent and incompatible analog radio networks during the 80's.
Examples of such networks were the C-Netz in Germany, the \gls{tacs} in the UK and \gls{nmt} in Scandinavia.
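Review bot: "pan-Eurpean" is still misspelled on the rewritten line, so the typo pass that fixed "fom" is only half done. The line also starts using \MHz, which is not defined in any hunk shown here; make sure the macro is added to the preamble in the same commit, and consider the same treatment for the other units, since later hunks write 200\,kHz and 84\,MBit/s by hand. "part of the \gls{cept} 1982" also wants an "in".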
@@ -20,13 +20,13 @@ This agreement was the foundation for allowing international operation of mobile
In the same year the committee submitted the first detailed specification for the new communications standard.
The acronym was reinterpreted in 1991 after the committee became a part of the \gls{etsi} in 1989 to \emph{Global System for Mobile Communications}.
The very same year the specifications for \gls{dcs1800} were submitted.
-These were essentially the same specifications translated to the 1800 MHz band and the foundation for the USA's 1900 MHz band.
+These were essentially the same specifications translated to the 1800\MHz band and the foundation for the USA's 1900\MHz band.
Under the umbrella of the \gls{etsi}, many \glspl{stc} began to work on different aspects of mobile communication, like network aspects (SMG 03) or security aspects (SMG 10).
SMG 05 dealt with future networks and especially with UMTS specifications which eventually became an independent body inside the \gls{etsi}.
In 1992 many European countries had operational mobile telephone networks.
These networks were a huge success, and as early as 1993 they already counted more than one million subscribers \cite{GSM2009}.
-Also many networks on different frequency bands (900 MHz, 1800 MHz, 1900 MHz) were started outside Europe in countries like the US or Australia with Telstra as the first non European provider.
+Also many networks on different frequency bands (900\MHz, 1800\MHz, 1900\MHz) were started outside Europe in countries like the US or Australia with Telstra as the first non European provider.
The rapid growth of mobile subscribers worldwide until today can be seen in figure \ref{fig:gsm_growth}.
Three of the main reasons for this rapid growth are explained by Heine \cite{protocols1999} as:
\begin{itemize}
@@ -80,9 +80,9 @@ The focus was later expanded in the light of the \emph{International Mobile Comm
\end{itemize}
Up to now the \gls{3gpp} has enhanced mobile standards.
In 2005 the first \gls{hsdpa} network went online.
-\gls{hsdpa} \cite{hsdpa} is a protocol that enables mobile users to download data with speeds up to 84 MBit/s since release 9.
+\gls{hsdpa} \cite{hsdpa} is a protocol that enables mobile users to download data with speeds up to 84\,MBit/s since release 9.
\gls{hsupa} \cite{hsupa} is a related protocol in the \gls{hspa} family that provides similar functionality for uploading data.
-These and other specification are published on the \gls{3gpp} website\footnote{\url{http://www.3gpp.org/}}.
+These and other specification are published on the \gls{3gpp} website\footnote{3GPP - Specification Groups,\url{http://www.3gpp.org/} [Online; Accessed 04.2012]}.
\section{The GSM Network}
\label{sec:network}
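Review bot: The new 3GPP footnote has no space between "Specification Groups," and \url, so the title and the URL will run together. The title-plus-access-date form used here differs from the bare \url footnotes kept for Ericson, combain and OpenCellID in Detection.tex; use one footnote style for web sources across the thesis. "These and other specification" should be "specifications".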
@@ -118,41 +118,39 @@ The three subsystems as well as the \gls{ms} will now be discussed in greater de
\label{sec:ms}
With the advent of portable microprocessors in the 80's mobile phones became possible.
Advance in technology up to today yielded ever smaller mobile phones with ever more functionality year by year to a point where not the technology itself was the constraining factor for size but the user interface, \eg button and display sizes.
+This trend changed however with the upcoming of so called smart-phones.
+With weight being the driving factor and not size resolution and display sizes started to increase again but the devices became ever thinner.
What hasn't changed is the basic distinction between \gls{me} and \gls{sim}, the parts of which a \gls{ms} consists.
It is hard to deliver a consistent definition for what a \gls{me} is.
GSM Recommendation 02.07 \cite{GSM0207} summarizes the mandatory and optional features of a \gls{ms}.
Some of the most important mandatory features are \cite{protocols1999}:
\begin{itemize}
- \item \gls{dtmf} signaling capability.
+ \item \gls{dtmf} signalling capability.
\item \gls{sms} capability.
\item The ciphering algorithms A5/1 and A5/2 need to be implemented.
- \item Display capability for short messages and dialed numbers, as well as available \gls{plmn}s.
- \item Capable of doing emergency calls without \gls{sim} card.
+ \item Display capability for short messages and dialled numbers, as well as available \gls{plmn}s.
+ \item A cyphering indicator that shows the user whether encryption is activated on the current connection or not.
\item Machine fixed \gls{imei}.
In a strict sense this disqualifies many modern mobile phones since the \gls{imei} is not fixed onto the device itself but rather is part of the software or firmware.
- Tools like \emph{ZiPhone}\footnote{\url{http://www.ziphone.org/}} for iOS devices\footnote{\url{http://www.apple.com/ios/}}, especially iPhone, can change this supposedly unchangeable identifier.
+ Tools like \emph{ZiPhone}\footnote{Unlock iPhone 4, Jailbreak iPhone, \url{http://www.ziphone.org/} [Online; Accessed 04.2012]} for iOS devices\footnote{Apple iOS5, \url{http://www.apple.com/ios/} [Online; Accessed 04.2012]}, especially iPhone, can change this supposedly unchangeable identifier.
\end{itemize}
-
-The range of devices complying to these specifications is rather large so finding a categorisation can be challenging.
-The intuitive approach would be to establish buckets by device type but there are so many different devices as well as hybrid devices out there that this approach would be impracticable.
-Does a smartphone belong into the same category as a \gls{pda} or in the category of basic mobile phones; and what would a basic mobile phone be?
-
-Another way to categorize different \gls{me}s is by supported frequency band and power class rating according to GSM 05.05\cite{GSM0505}.
-Most mobile phones and smartphones belong to power class 4 and 5, which are for handheld devices.
-Class 4 devices have and output of 2/33 W/dBm and class 5 0.8/29 W/dBm.
+A way to categorize different \gls{me}s is by supported frequency band and power class rating according to GSM 05.05 \cite{GSM0505}.
+Most mobile phones and smart-phones belong to power class 4 and 5, which are for handheld devices.
+Class 4 devices have and output of 2/33\,W/dBm and class 5 0.8/29\,W/dBm.
+%TODO: insert more informatio here
Classes with higher output are typically installed devices, \eg in cars.
-These classes are different for each of the frequency bands, since output needed in higher frequency bands (1800/1900 MHz) is less compared to the 900 MHz band, or the north American 850 MHz band.
+These classes are different for each of the frequency bands, since output needed in higher frequency bands (1800/1900\MHz) is less compared to the 900\MHz band or the north American 850\MHz band.
The supported band is also common category, since it describes in which countries a mobile phone can be used.
However it is more common nowadays that \gls{me} supports two bands, three bands or even all four bands.
These are called dual-band, tri-band and quad-band devices respectively.
As the name suggests the \gls{sim} card is essentially a data storage that holds user specific data.
-This separation is interesting for the GSM user since it allows him/her to exchange the \gls{me} without having to contact the provider.
+This separation is interesting for the \gls{gsm} user since it allows him/her to exchange the \gls{me} without having to contact the provider.
Thus it can be used on different frequency bands and is one of the preconditions for roaming.
The \gls{sim} card can either be in plug-in format or ID-1 SIM format which is normally used for telephone cards, credit cards or car installed \gls{me}.
-The plug-in format is also called ID-000 and can be found in ISO/IEC 7810\cite{ISO7810}.
+The plug-in format is also called ID-000 and can be found in ISO/IEC 7810 \cite{ISO7810}.
The most important information stored on a \gls{sim} card are the \gls{imsi} and the \gls{ki}.
A subset of other parameters stored on the \gls{eeprom} of the card can be seen in Table \ref{tab:simdata}.
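Review bot: The mandatory-feature list loses "Capable of doing emergency calls without \gls{sim} card" in the same edit that adds the cyphering indicator, while the list is still attributed to \cite{protocols1999}. If the source lists both, keep both items; if the emergency-call item was wrong, say so in the commit message. The new item spells it "cyphering" while the item above has "ciphering algorithms". Further down, "have and output of 2/33\,W/dBm" is hard to parse; "have an output of 2\,W (33\,dBm)" states the same figures unambiguously, and likewise for class 5. The added smart-phone sentence needs a comma after "not size", and the "%TODO: insert more informatio here" comment should be resolved or tracked outside the text.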
@@ -167,8 +165,8 @@ Parameter &Description\\
\midrule
A3/A8 &Algorithms required for authentication and generation of the session key\\
Ki &Secret key\\
-Kc &Session key, generated from a random number and Ki vie A8\\
-PIN &Secret numeric password to use a SIM card\\
+Kc &Session key, generated from a random number and Ki via A8\\
+PIN &Secret numeric password to use the SIM card\\
PUK &Secret numeric password to unlock the SIM card\\
\midrule
\multicolumn{2}{l}{Subscriber Data}\\
@@ -188,14 +186,16 @@ Home PLMN &Multiple entries to identify the home PLMN\\
\end{table}
This key is used to generate the \gls{kc}, as will be explained in Section \ref{sec:nss}.
-Most of this data, although not the security relevant \gls{ki} can be read via a USB \gls{sim} card reader, which can be bought for around \$10 on the web.
+Most of this data, although not the security relevant \gls{ki} and \gls{kc} can be read via a USB \gls{sim} card reader, which can be bought for around \$10 on the web.
Since \gls{ki} never leaves the card, \gls{kc} has to be dynamically generated on the card.
This can be done since the card itself has a microprocessor that manages the security relevant data.
-Key functions, like running the GSM key algorithm, verifying a \gls{pin} or reading a file can be accessed through the microprocessor via a communication protocol.
+Key functions, like running the \gls{gsm} key algorithm, verifying a \gls{pin} or reading a file can be accessed through the microprocessor via a communication protocol.
A brief description of the protocol and functionalities can be found in Sauter's book \cite{kommsys2006}.
-The \gls{imsi} as described in GSM 23.003\cite{GSM23003} uniquely identifies a subscriber.
+The \gls{imsi} as described in GSM 23.003 \cite{GSM23003} uniquely identifies a subscriber.
It has at most 15 digits and is divided into three parts, \gls{mcc}, \gls{mnc} and \gls{msin} of which only the last part is the personal identification number of the subscriber.
+%TODO: insert imsi example
+\[13091283012938\]
The first two are also called \gls{hni}.
The three digit \gls{mcc} describes the country code, the area of domicile of the mobile subscriber.
The \gls{mnc} is an identification number for the home \gls{plmn}.
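Review bot: The line \[13091283012938\] under "%TODO: insert imsi example" will be typeset as a display formula in the middle of the \gls{imsi} paragraph; it has 14 digits and is not split into \gls{mcc}, \gls{mnc} and \gls{msin}, so it does not illustrate the sentence before it. Replace it with a labelled example broken into the three parts, or leave it out until the TODO is done. The rewritten card-reader sentence now says \gls{kc} cannot be read from the card either; the same chapter lists A5/1 and A5/2 as algorithms the \gls{me} must implement, which means the session key has to be handed from the \gls{sim} to the \gls{me}, so this claim needs a source or a qualifier. A comma after "\gls{kc}" would also close the "although" clause.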
@@ -271,7 +271,7 @@ Also during calls if the subscriber leaves the respective service area of the sw
A procedure called Handover achieves just that.
For this central role to work it is necessary to be connected to all the other components of the \gls{nss}.
-This is done via different connecitons called Interfaces.
+This is done via different connections called Interfaces.
A brief description of what the different interfaces in a GSM network are and what their respective function is can be seen in Table \ref{tab:interfaces}.
\begin{table}
@@ -305,9 +305,6 @@ $U_m$ &BTS $\leftrightarrow$ MS &Registration procedure, call data \etc as wel
\label{tab:interfaces}
\end{table}
-The $U_m$ interface will be of special interest to this project since it is the source for gathering broadcast information about the network and the respective base stations without directly registering with them.
-The interface itself will be explained in detail in Section \ref{sec:Um}.
-
\subsubsection{Home Location Register}
The \gls{hlr} is the central database in which all personal subscriber related data is stored.
The entries can be divided into two classes, permanent administrative and temporary data.
@@ -324,6 +321,7 @@ As can be seen in Figure \ref{fig:gsm_network} there can be multiple \glspl{vlr}
These registers can be seen as caches for data located in the \gls{hlr}.
Thus they are intended to reduce signalling between the \gls{msc} and the \gls{hlr}.
Each time a subscriber enters a new area that is serviced by a new \gls{msc}, data for this subscriber is transferred to the respective \gls{vlr} from the \gls{hlr}.
+%TODO: more exact on what is transmitted
Such data includes the \gls{imsi} and the \gls{msisdn} as well as authentication data and information on which services are available to that particular subscriber.
Additionally the subscriber is assigned a one-time \gls{imsi} called \gls{tmsi} and information in which \gls{la} the \gls{ms} was registered last is transmitted.
In this way the regular \gls{imsi} is not used and can thus not be harvested by tapping into the radio channel.
@@ -350,7 +348,7 @@ Different companies like Airwide Solutions (now acquired by Mavenir)\footnote{\u
The \gls{ac} is the network component responsible for authenticating mobile subscribers.
It is a part of the \gls{hlr} and the only place apart form the customer's \gls{sim} card where the secret key \gls{ki} is stored.
The authentication is not only done once when the subscriber connects to the network but rather on many occasions \eg the start of a call or other significant events to avoid misuse by a third party.
-This authentication routine is a key based challenge-response procedure\footnote{A procedure where a challenge is encrypted with a key only the sender and recipient possess so only the desired person can decrypt the challenge and can send the required response.} outlined in Figure \ref{fig:authentication}.
+This authentication routine is a key based challenge-response procedure\footnote{A procedure where one party poses a question, a so called challenge and the party to be authenticated has to provide a valid answer.} outlined in Figure \ref{fig:authentication}.
The steps of the procedure can be summarized as follows:
\begin{enumerate}
\item User connects to the network or triggers an event that needs authentication at the \gls{msc}.
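Review bot: The new footnote no longer mentions the key, although the sentence it hangs on calls the routine "key based". The old wording (a challenge encrypted with a shared key) was misleading, but the replacement should still say that the valid answer can only be computed with the secret both sides hold, which is what the SRES step in the list that follows relies on. Suggested ending: "...has to provide a valid answer that can only be computed with the shared secret key." A comma after "a so called challenge" is also missing.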
@@ -362,10 +360,10 @@ The steps of the procedure can be summarized as follows:
\item RAND: a 128 bit random number.
\item SRES: a 32 bit number called signed response, which is generated by A3 with \gls{ki} and RAND as inputs.
\item Kc: the ciphering key that is used to cypher the data during transmission.
- It is also generated with \gls{ki} and RAND.
+ It is also generated with \gls{ki} and RAND using the algorithm A8.
\end{itemize}
To save signalling bandwidth usually more than one authentication triplet is generated and returned to the \gls{msc} by the \gls{ac}.
- It should be noted that, since a separate cyphering key is used, the secret key never leaves the \gls{ac}.
+ It should be noted that, since a separate cyphering key \gls{kc} is used, the secret key never leaves the \gls{ac}.
In the second case either a previously generated authentication triplet is used or new authentication triplets are requested.
\item RAND is transmitted to the \gls{ms} by the \gls{msc} where the signed response SRES* is created by the \gls{sim} card using A3, \gls{ki} and RAND.
@@ -418,14 +416,14 @@ Before discussing the individual components of this subsystem it is important to
\begin{figure}
\centering
\includegraphics{../Images/Mapping}
-\caption{Mapping of functional entities on the 900 Mhz band.}
+\caption{Mapping of functional entities on the 900\MHz band.}
\label{fig:frequency}
\end{figure}
A frequency band as shown in Figure \ref{fig:frequency} is distributed into different functional entities.
The band is divided into a range for the uplink, the part that is used by the \gls{ms} to upload data into the network and the downlink, that is utilised by the network to send data back.
-In the 900 MHz band each of these has a width of 25 MHz.
-These bands themselves are furthermore divided into channels, each spanning 200 kHz, which accounts for 125 channels on 25 MHz.
+In the 900\MHz band each of these has a width of 25\MHz.
+These bands themselves are furthermore divided into channels, each spanning 200\,kHz, which accounts for 125 channels on 25\MHz.
\begin{table}
\centering
@@ -449,7 +447,7 @@ GSM 850 &128-251 &824-849 &869-894 &45\\
\end{table}
Each of which is identified by its \gls{arfcn}.
-This is a simple numbering scheme, given to those 200 kHz channels.
+This is a simple numbering scheme, given to those 200\,kHz channels.
The frequencies and \glspl{arfcn} are connected as follows:
\begin{align}
F_\text{Uplink} &= \text{Start}_\text{Band} + 0.2 \cdot (\text{ARFCN} -(\text{Start}_\text{ARFCN} -1))\\
@@ -467,8 +465,8 @@ For other bands the numbers differ and can be seen in Table \ref{tab:frequencies
An additional method called time multiplexing which will be explained in further detail in Section \ref{sec:Um}, makes is possible to map $125 \cdot 8 = 1000$ channels that could be used for voice transmission over that band.
Some of these channels need to be used for signalling.
Even though the number by itself seems high it would never suffice to service a large urban area.
-This is one of the reasons why another frequency band in the 1800 MHz range has been opened with 75 MHz up- and downlink supporting 375 channels.
-That by itself would also never suffice to service the huge number of subscribers therefore the GSM network like any other modern mobile radio network is based on a cellular architecture which makes it possible to reuse frequencies.
+This is one of the reasons why another frequency band in the 1800\MHz range has been opened with 75\MHz up- and downlink supporting 375 channels.
+That by itself would also never suffice to service the huge number of subscribers therefore the \gls{gsm} network like any other modern mobile radio network is based on a cellular architecture which makes it possible to reuse frequencies.
The range of one receiver station is drastically reduced to service only a small area.
This is called the cell of the \gls{bts} which in theory can be approximated by a hexagon.
Each of these cells is assigned a different frequency to avoid interference.
@@ -487,7 +485,6 @@ This procedure raises the number of effectively usable by a large factor.
However certain disadvantages come with this procedure as well \cite{protocols1999}.
Increasing the amount of receivers automatically increases the cost of infrastructure for the provider.
Due to the nature of the mobility of subscribers this increases the amount of Handovers needed since it is more likely that a subscriber leaves a small cell during an active call.
-Also an update of the location of a subscribers needs to be done more often to ensure reachability for incoming calls.
These inflict increased signalling load on the network itself.
\begin{figure}
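Review bot: After the location-update sentence is removed, "These inflict increased signalling load" has only the Handover sentence left as a signalling-related antecedent, since the infrastructure-cost sentence is about money, not signalling. Either keep the location-update point or change the follow-up to the singular, for example "This inflicts increased signalling load on the network itself."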
@@ -500,12 +497,14 @@ These inflict increased signalling load on the network itself.
\end{figure}
\subsubsection{Base Transceiver Station}
-They are also called Base Stations and are the entry points to the network for subscribers.
-Theoretically a \gls{bts} can serve a cell of 35 km radius however this is decreased by interference, reflection- and shadowing effects.
+They are also called base stations and are the entry points to the network for subscribers.
+Theoretically a \gls{bts} can serve a cell of 35\,km radius however this is decreased by interference, reflection- and shadowing effects.
+Also this is the theoretical limit for a cell on the 900\MHz band.
+A 1800\MHz cell has a lower coverage since the signal falloff is greater due to the shorter wavelength.
The limiting factor here are the number of subscribers itself.
-A single station can only serve a limited number of users which yields a radius as low as 100 m for a single \gls{bts} in dense urban housing areas \cite{kommsys2006}.
+A single station can only serve a limited number of users which yields a radius as low as 100\,m for a single \gls{bts} in dense urban housing areas \cite{kommsys2006}.
On the countryside where population is less dense the constraining factor can also be transmission power of the \gls{me}.
-Therefore cells with a radius above 15 km are seldom seen.
+Therefore cells with a radius above 15\,km are seldom seen.
\begin{figure}
\centering
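Review bot: The two added sentences sit between the 35\,km statement and "The limiting factor here are the number of subscribers itself", so "here" now appears to refer to the 1800\MHz cell and not to the reduced radius in practice. Move the band comparison after the subscriber discussion or start a new paragraph. The claim about greater signal falloff at 1800\MHz has no citation, while the neighbouring 100\,m figure cites \cite{kommsys2006}; add one. "Also this is" reads more cleanly as "This is".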
@@ -517,10 +516,9 @@ Therefore cells with a radius above 15 km are seldom seen.
\end{figure}
\glspl{bts} and their corresponding cells can have different configurations depending on load or morph structure of the surroundings.
-The main configurations will now be discussed shortly.
-In a \emph{standard configuration} every base base station has its own \gls{ci}, it is a one to one mapping of cells to \gls{bts}.
-This is an cost effective way of providing service to a rural or sparse settled area.
+In a \emph{standard configuration} every base station has its own \gls{ci}, it is a one to one mapping of cells to \gls{bts}.
+This is a cost effective way of providing service to a rural or sparse settled area since only one \gls{bts} is used to cover a large area.
An comparative illustration of configurations can be found in Figure \ref{fig:configurations}.
The \emph{umbrella configuration} is build around one central \gls{bts} that is on high ground compared to its neighbours and has a higher transmission power.
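Review bot: The article fix in "This is a cost effective way" stops one sentence short: the next line still begins "An comparative illustration", and the line after it has "is build around". The rewritten first line also keeps the comma splice "has its own \gls{ci}, it is a one to one mapping"; a semicolon or "so that there is" would fix it.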
@@ -536,7 +534,7 @@ In the other configurations a single \gls{bts} covers always a 360$^\circ$ area,
The idea is to use antennas which only cover a certain angle, like 180$^\circ$, 120$^\circ$ or 60$^\circ$ dividing a cell into two, three or six sectors respectively each having its own \gls{bts}.
Main advantages are that each single \gls{bts} has to deal with less subscribers and that in a multi-sector configuration frequencies can be reused inside a cell, which is a great advantage for these densely settled areas.
-\subsubsection{Baste Station Controller}
+\subsubsection{Base Station Controller}
The \gls{bsc} is the central unit in the \gls{bss}.
It can be compared to a digital exchange in a standard telephone network with additional mobile extensions.
The design idea was to remove all radio related load from the \gls{msc} into the radio subsystem.
@@ -548,7 +546,6 @@ As a result the initialisation and maintenance of signalling and voice channels
What channels are and how they are established is explained in Section \ref{sec:channels}.
For the sake of functional explanation of the \gls{bsc} it will suffice to regard channels as a communication line for a particular purpose like receiving or sending voice data or for sending broadcast information.
Due to the nature of a mobile network certain other tasks have to be performed like Handovers and power management \cite{kommsys2006}.
-We will now look at the different tasks in more detail.
A \emph{signalling channel} is needed when a subscriber wants to start a call or send a text message.
The \gls{ms} sends a channel request message to the \gls{bsc} which needs to check if any \glspl{sdcch} are free.
@@ -576,18 +573,19 @@ After synchronising with the new cell an acknowledgement is sent by the base sta
What remains is freeing the old \gls{tch} for further use by other subscribers.
\subsubsection{Transcoding rate and Adaption Unit}
-Inside the \gls{nss} voice data is moved with 64 kBit/s over E-1 connections.
+Inside the \gls{nss} voice data is moved with 64\,kBit/s over E-1 connections.
The resources on the air interface are much scarcer, therefore this amount of voice data cannot directly be sent to \glspl{ms} through the radio network.
-The data rate on the $U_m$ interface for voice is about 22.8 kBit/s as will be broken down in detail in Section \ref{sec:radio}.
-Since the channel is noisy and prone to errors, a lot of this bandwidth has to be subtracted for error correction purpose leaving around 13 kBit/s for actual voice data \cite{kommsys2006}.
-The 64 kBit/s PCM signal is sent from the \gls{msc} to the \gls{ms}, on its way it is compressed and then sent over the air interface.
-On the other side, the compressed 13 kbit/s signal is decompressed to 64 kBit/s again.
+The data rate on the $U_m$ interface for voice is about 22.8\,kBit/s as will be broken down in detail in Section \ref{sec:radio}.
+Since the channel is noisy and prone to errors, a lot of this bandwidth has to be subtracted for error correction purpose leaving around 13\,kBit/s for actual voice data \cite{kommsys2006}.
+The 64\,kBit/s PCM signal is sent from the \gls{msc} to the \gls{ms}, on its way it is compressed and then sent over the air interface.
+On the other side, the compressed 13\,kbit/s signal is decompressed to 64 kBit/s again.
The compression and decompression on the subscriber's side is handled by the \gls{me} while on the network side the \gls{trau} is responsible for these tasks.
Additionally the \gls{trau} can choose from a variety of codecs (compression/decompression algorithms).
The one normally used is called Full Rate codec.
-Another codec is the Half Rate codec which compresses the voice signal to 7 kBit/s thus making it possible to double the amount of \glspl{tch} since one channel can be used to transfer two different voice signals.
+Another codec is the Half Rate codec which compresses the voice signal to 7\,kBit/s thus making it possible to double the amount of \glspl{tch} since one channel can be used to transfer two different voice signals.
This is interesting for crowded events where a lot of subscribers need to be served by a relatively small number of \gls{bts}.
+%TODO: move this section to the bts
One of the most important tasks of the \gls{trau} apart from compressing, decompressing and correcting transmission errors is ciphering the voice data.
As in most cases when handling continuous data a stream cyphering algorithm is used.
The stream cypher key $K_c$ that is generated by the authentication centre.
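Review bot: In "the compressed 13\,kbit/s signal is decompressed to 64 kBit/s again" only the first value received the thin space, and it is spelled kbit while every other line in the hunk uses kBit; make both 13\,kBit/s and 64\,kBit/s. The new TODO marks the ciphering paragraph below it for a move, and the sentence "The stream cypher key $K_c$ that is generated by the authentication centre." in that paragraph has no main verb, so it should be repaired at the same time.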
@@ -604,9 +602,10 @@ The complete procedure is outlined in Figure \ref{fig:cypher}.
\label{fig:cypher}
\end{figure}
-Some strong ciphering algorithms are not permitted in certain countries so there is a variety of algorithms called A5/1, A5/2,$\ldots$ A5/n from which one needs to be chosen upon connecting to the network.
-However the encryption in only optional and not mandatory.
-If the network does not offer encryption, the \gls{me} sends its data unencrypted, without giving notice to the user in most cases.
+Some strong ciphering algorithms are not permitted in certain countries so there is a variety of algorithms called A5/0, A5/1 and A5/2 from which one needs to be chosen upon connecting to the network.
+However the encryption is only optional and not mandatory, the use of A5/0 indicates that no encryption is used.
+If the network does not offer such encryption, the \gls{me} sends its data unencrypted, without giving notice to the user in most cases.
+A ciphering indicator is part of most mobile phones, but on most models it is disabled by the operator to not confuse the customers.
The other weakness is the locality of encryption.
The procedure only affects the transmission from the \gls{me} to the \gls{bts}, everything after that is unencrypted voice data.
This is especially a problem when providers use point-to-point radio systems to connect their base stations to the \gls{msc}.
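Review bot: Replacing "A5/1, A5/2,$\ldots$ A5/n" with the closed list "A5/0, A5/1 and A5/2" makes the sentence claim these three are the whole family, and it now introduces A5/0, which the next line defines as no encryption, under "strong ciphering algorithms". Suggest naming A5/1 and A5/2 as examples of an open list and stating in a separate sentence that A5/0 means no ciphering. After that change "If the network does not offer such encryption" has nothing for "such" to refer to. The added statement that the ciphering indicator is disabled by the operator on most models needs a citation.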
@@ -632,10 +631,10 @@ Additional hardware for each channel is also required to enable duplex transmiss
That number of available frequencies would not suffice to meet the demand, more communication channels were needed.
To that end another technique has been introduced, called \gls{tdma}.
-In \gls{gsm} networks each of these sub-bands yielded by the \gls{fdma} procedure has a width of 200 kHz.
+In \gls{gsm} networks each of these sub-bands yielded by the \gls{fdma} procedure has a width of 200\,kHz.
Onto this smaller carrier frequency, \gls{tdma} frames are transmitted, that contain eight time slots.
-These frames have a transmission length of 4.615 ms.
-Each of these timeslots could host the data of a different subscriber, although the first one is usually used for signalling procedures.
+These frames have a transmission length of 4.615\,ms.
+Each of these timeslots could host the data of a different subscriber, although the first two are usually used for signalling procedures.
An illustration of how these multiplexing methods work together can be seen in Figure \ref{fig:fdma_tdma}.
\begin{figure}
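Review bot: The change from "the first one is usually used for signalling" to "the first two are usually used for signalling" alters a technical statement, not just wording, and neither version cites a source. Add a reference for it, and check that Figure \ref{fig:fdma_tdma}, referenced in the next sentence, shows the same number of signalling timeslots.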
@@ -650,14 +649,14 @@ Another important aspect is the frame hierarchy and the resulting frame numberin
The frame number is broadcasted frequently on the \gls{sch} to keep mobile subscribers in sync and inform subscribers that are about to connect or request a channel for communication.
Figure \ref{fig:frame_hierarchy} shows a complete diagram of the numbering scheme and frame hierarchy for reference.
-The timeslots on the lowest level of the hierarchy have a length of $4.615\text{ ms} \div 8 = 577~\mu\text{s}$ and are also known as Bursts numbered from 0 to 7.
+The timeslots on the lowest level of the hierarchy have a length of $4.615\text{\,ms} \div 8 = 577~\mu\text{s}$ and are also known as Bursts numbered from 0 to 7.
Every new \gls{tdma} frame the sequence number is increased by one.
-Since this number cannot be increased endlessly is repeated every 3 h 28 m 53 s and 760 ms.
+Since this number cannot be increased endlessly is repeated every 3\,h 28\,m 53\,s and 760\,ms.
This is the largest chunk in the frame hierarchy and it is called Hyperframe.
Superframes and Multiframes are layers in between the Hyperframe and the \gls{tdma} frame.
As can be seen in the diagram the two variants of Multiframes, the 26-Multiframe containing 26 \gls{tdma} frames transports traffic channels as well as the respective control channels and the 51-Multiframe with its 51 \gls{tdma} frames with signalling data only.
Superframes wrap these different kinds of Multiframes into packages of the same size.
-So either 51 26-Multiframes can be carried by a Superframe or 51 26-Multiframes yielding a duration of 6 s and 120 ms each.
+So either 51 26-Multiframes can be carried by a Superframe or 51 26-Multiframes yielding a duration of 6\,s and 120\,ms each.
Finally 2048 Superframes make up one Hyperframe.
\begin{figure}
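Review bot: The Superframe line was touched only for the units and still reads "either 51 26-Multiframes ... or 51 26-Multiframes", so both alternatives are identical; the second should be 26 51-Multiframes, which gives the same 1326 \gls{tdma} frames and the stated 6\,s 120\,ms. In the Hyperframe line, "28\,m" sets the metre symbol where minutes are meant (use min), and the sentence is still missing its subject: "Since this number cannot be increased endlessly it is repeated ...".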
@@ -693,9 +692,10 @@ The channel request message itself has only little data and large Guard Times si
\end{figure}
\subsubsection{Burst Types}
+%TODO make explanation more consistent with image
As suggested by the paragraph above there are different kinds of Bursts which are shown in \ref{fig:burst_types} \cite{GSM2009}.
All Bursts contain the before mentioned Guard Times which separate them from the next Burst.
-In addition to data bits and known fixed bit sequences every frame has has tail bits, which mark the beginning and the end of a frame.
+In addition to data bits and known fixed bit sequences every frame has tail bits, which mark the beginning and the end of a frame.
The training sequence is a fixed bit sequence that appears in conjunction with data bit sequences.
During a radio transmission procedure the signal can be distorted by shadowing, reflection, or other factors which would result in a loss of data.
But since the training sequence is known it is possible to reconstruct the original signal by comparing the incoming training sequence with the expected one and thus conserving the data bits.
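Review bot: The corrected sentence still says "every frame has tail bits, which mark the beginning and the end of a frame" although this subsection and the sentences around it describe Bursts; if the tail bits delimit a Burst, say Burst here, which is also what the new TODO about consistency with the image asks for. The first sentence of the subsection cites "\ref{fig:burst_types}" without the word Figure.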
@@ -770,6 +770,8 @@ These are point to multi-point channels.
\item \gls{agch}: This is the channel used to respond to a \gls{ms} if a request has been made on the \gls{rach}.
The acknowledgement message also contains information on which \gls{sdcch} to use.
\end{itemize}
+
+%TODO move si parsing here
\subsubsection{Combinations}
These channels cannot arbitrarily be mapped onto Multiframes.
There is a complex multiplexing scheme defined in GSM 05.02 \cite{gsm0502} that explains which channel combinations can occur inside a Multiframe.
@@ -843,6 +845,7 @@ This protocol handles configuration and allocation of radio channels as well as
Therefore in a strict sense \gls{mm} and \gls{cc} information does not belong to Layer 3 functionality but is only transported via \gls{rr} between \gls{ms} and the \gls{nss} \cite{protocols1999}.
\section{IMSI-Catcher}
+%TODO more motivation (espacially fact that everyone is concerned)
\label{sec:catcher}
An \gls{imsi}-Catcher is a technical device that is used to capture the \gls{imsi} and \gls{imei} numbers of mobile subscribers.
The knowledge of the \gls{imsi} and \gls{imei} numbers can be exploited to either tap into the participant's calls or pinpoint the location of the subscriber \cite{fox}.
@@ -855,8 +858,7 @@ This has proven to be a challenge to the authorities.
In 1996 Rohde \& Schwarz a company based in Munich, Germany has developed a device called ''GA 090'' which was the first \gls{imsi}-catcher.
Its was capable of yielding a list with all the \gls{imsi} numbers in the perimeter as well as pinpointing the location of a subscriber given the \gls{imsi}.
Short thereafter the ''GA 900'' was presented which had the additional capability of tapping into calls that originated from a particular \gls{imsi}.
-These commercial versions of catchers produced by Rohde \& Schwarz were priced between 200 000 \euro{} and 300 000 \euro{} in 2001 \cite{fox}.
-Although these catchers are meant to be bought by authorities, it is also possible to buy them as a private customer or to order them from abroad.
+These commercial versions of catchers produced by Rohde \& Schwarz were priced between 200\,000\,\euro{} and 300\,000\,\euro{} in 2001 \cite{fox}.
Regulations prohibit the use of \gls{imsi}-catchers for individuals since the frequency bands the \gls{gsm} network uses are reserved for providers.
However it cannot be guaranteed that such a catcher is not used illegally.
In addition to these commercial products different projects \cite{dennis, def_catcher} have shown that such devices can be built at a very low budget.
@@ -875,9 +877,8 @@ The next section will explain under which circumstances a catcher can be used in
\subsection{Mode of Operation}
\label{sec:catcher_operation}
-Basically an \gls{imsi}-Catcher masks itself as a base station and lures subscribers in its perimeter, to connect to it without their knowledge.
-Ways of luring a subscriber into a catcher are explained in Section \ref{sec:attacks}.
-The one shown in Figure \ref{fig:catcher_catch} is broadcasting a new \gls{lai} to the \gls{ms} at very high power, suggesting that the \gls{ms} entered a new area and has to re-authenticate \cite{mueller}.
+Basically an \gls{imsi}-Catcher masks itself as a base station and lures subscribers in its perimeter to connect to it without their knowledge.
+The attack shown in Figure \ref{fig:catcher_catch} is broadcasting a new \gls{lai} to the \gls{ms} at very high power, suggesting that the \gls{ms} entered a new area and has to re-authenticate \cite{mueller}.
\begin{figure}
\centering
@@ -889,11 +890,12 @@ The one shown in Figure \ref{fig:catcher_catch} is broadcasting a new \gls{lai}
Once a subscriber connects to the device, a command is sent to the \gls{ms} which asks for the \gls{sim}'s \gls{imsi}.
This command is normally only used in case of an error \cite{fox} but can be abused this way.
+%TODO übergang verfeinern
This is only possible since authentication in a \gls{gsm} network is one-sided as discussed earlier in Section \ref{sec:authentication}.
The subscriber has no way of checking the authenticity of a base station but rather has to trust the broadcasted identifier which can be easily forged by a catcher.
At this stage, the subscriber can already be localized as being in a certain distance of the catcher.
-Having the \gls{imsi} the authorities can now also query the provider for personal information about the subscriber, however criminals often use fake credentials when obtaining a \gls{sim} card.
+Having the \gls{imsi} the authorities can now also query the provider for personal information about the subscriber, however criminals may use fake credentials when obtaining a \gls{sim} card.
Since it is only possible to catch all the \glspl{imsi} in an area, the person to be observed has to be followed and the catcher has to be used multiple times.
Each time it yields a set of numbers in the area.
The \gls{imsi} that is part of all the sets is the \gls{imsi} of the person under observation.
@@ -912,10 +914,9 @@ The \gls{imei} is also harvested in a similar fashion if the observed person tri
\subsubsection{Attacks}
\label{sec:attacks}
When operating a catcher the first and most important step is to actually trick the \gls{ms} into connecting to the catcher.
-A lot of phones save the frequency the were tuned to last and upon connecting to the mobile network this is the first frequency they try.
+A lot of phones save the frequency they were tuned to last and upon connecting to the mobile network this is the first frequency they try.
Therefore a \gls{ms} has to be set to 'normal cell selection' mode which means it starts scanning for the best base station available.
-Four possible ways of luring a \gls{ms} to the \gls{imsi}-catcher will now be explained.
-Three were presented by Wehrle for the 'Open Source IMSI-catcher' project \cite{dennis} and one by Federrath \cite{mueller}.
+Three ways of luring a subscriber to the forged cell were presented by Wehrle for the 'Open Source IMSI-catcher' project \cite{dennis}.
The attacks differ on whether the \gls{ms} already is in normal cell selection mode or not, \ie it is connected to another \gls{bts}.
\paragraph{MS is in normal cell selection mode:}
@@ -930,11 +931,9 @@ It can be achieved either by jamming the frequency band of the cell the \gls{ms}
This can be done the following way.
In this method the fact is abused that the \gls{ms} knows its neighbourhood (since it has been broadcasted by the \gls{bts}) and does regular quality measurements.
The main idea is that the operator of the catcher chooses the frequency of a \gls{bts} that is in the neighbourhood of the \gls{bts} that the target \gls{ms} is connected to.
-This way the operator can make sure the \gls{ms} know this frequency and hast quality measurements associated with it.
+This way the operator can make sure the \gls{ms} know this frequency and has quality measurements associated with it.
Furthermore should the chosen \gls{bts}, the one that will be replaced by the catcher, have a bad signal to noise ratio (which is why the \gls{ms} is currently not connected to it).
As soon as the catcher starts broadcasting on that frequency, quality measurements will radically improve and the \gls{ms} will initiate a change of cells to the catcher cell if the quality is above its current cell.
-Another way is to broadcast a new \gls{lai} to the \gls{ms} suggesting it just arrived at a new location and therefore initiating a cell selection \cite{mueller}.
-This works as long as the \gls{ms} has no active connections to the network, if it has, the jamming method can help to disconnect the \gls{ms} from the network.
\subsubsection{Risks and Irregularities}
An \gls{imsi}-catcher cannot target an individual subscriber, it always targets an area thus breaching the privacy of uninvolved subjects.
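Review bot: Removing the two sentences on the \gls{lai} method also removes the only statement of its precondition, namely that it works only while the \gls{ms} has no active connection and otherwise needs the jamming method. The Mode of Operation section still presents this attack through Figure \ref{fig:catcher_catch} and \cite{mueller}, so the caveat should move there instead of being dropped. In the lines kept, "make sure the \gls{ms} know this frequency" needs "knows".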
diff --git a/Tex/Content/Motivation.tex b/Tex/Content/Motivation.tex
index 6e98fa2..6ef734d 100644
--- a/Tex/Content/Motivation.tex
+++ b/Tex/Content/Motivation.tex
@@ -1,4 +1,4 @@
-\chapter{Introduciton}
+\chapter{Introduction}
Boundless communication for everyone, everywhere, anytime.
That was the main idea and dream behind the development of the \gls{gsm} technology.
Considering its reception and growth \cite{GSM2009,GSM_history2011,GSM_stats2011} it can be said that \gls{gsm} was one of the most successful technologies of the last 30 years.
@@ -14,3 +14,7 @@ Possible attacks of how an IMSI-Catcher can be introduced in such a network are
Finally there will be a discussion about the judicial situation in Germany concerning means of electronic surveillance for crime prevention and how this affects privacy and the basic rights of citizens.
The next chapter outlines the frameworks and the hardware that was used for this project.
+
+\section{Disclaimer}
+%senden im eigenen netz mit catcher
+%unieigene lizenz \ No newline at end of file
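Review bot: \section{Disclaimer} is added with only two comment lines as its body, so the compiled thesis gets a numbered heading with nothing under it. Either write the text the comments sketch (transmitting only in the own network with the catcher, the university's own licence) or keep the section out until it exists. The file also now ends without a trailing newline.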
diff --git a/Tex/Images/ICDS.png b/Tex/Images/ICDS.png
index d01e439..d00a066 100644
--- a/Tex/Images/ICDS.png
+++ b/Tex/Images/ICDS.png
Binary files differ
diff --git a/Tex/Images/databases.png b/Tex/Images/databases.png
new file mode 100644
index 0000000..c516a02
--- /dev/null
+++ b/Tex/Images/databases.png
Binary files differ
diff --git a/Tex/Master/Glossary.tex b/Tex/Master/Glossary.tex
index 9648a83..2a2a673 100644
--- a/Tex/Master/Glossary.tex
+++ b/Tex/Master/Glossary.tex
@@ -26,7 +26,7 @@
\newacronym{pstn}{PSTN}{Public Standard Telephone Network}
\newacronym{scp}{SCP}{Service Control Point}
\newacronym{vas}{VAS}{value-added service}
-\newacronym{plmn}{PLMS}{Public Land Mobile Network}
+\newacronym{plmn}{PLMN}{Public Land Mobile Network}
\newacronym{sim}{SIM}{Subscriber Identity Module}
\newacronym{imei}{IMEI}{International Mobile Equipment Identifier}
\newacronym{dtmf}{DTMF}{Dual Tone Multi Frequency}
@@ -65,7 +65,7 @@
\newacronym{trau}{TRAU}{Transcoding Rate and Adaption Unit}
\newacronym{arfcn}{ARFCN}{Absolute Radio Frequency Number}
\newacronym{ci}{CI}{Cell Identity}
-\newacronym{sdcch}{SDCCH}{Standalone Digital Control Channel}
+\newacronym{sdcch}{SDCCH}{Standalone Dedicated Control Channel}
\newacronym{agch}{AGCH}{Access Grand Channel}
\newacronym{pch}{PCH}{Paging Channel}
\newacronym{tch}{TCH}{Traffic Channel}
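Review bot: The SDCCH expansion is corrected, but the entry directly below it still reads "Access Grand Channel" for AGCH; that should be Access Grant Channel and can be fixed in the same pass.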
diff --git a/Tex/Master/Master.acn b/Tex/Master/Master.acn
index dd3349f..5fe2e99 100644
--- a/Tex/Master/Master.acn
+++ b/Tex/Master/Master.acn
@@ -52,29 +52,30 @@
\glossaryentry{SIM?\glossaryentryfield{sim}{\glsnamefont{SIM}}{Subscriber Identity Module}{\relax }|setentrycounter{page}\glsnumberformat}{6}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{6}
\glossaryentry{ME?\glossaryentryfield{me}{\glsnamefont{ME}}{Mobile Equipment}{\relax }|setentrycounter{page}\glsnumberformat}{6}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{6}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{7}
\glossaryentry{DTMF?\glossaryentryfield{dtmf}{\glsnamefont{DTMF}}{Dual Tone Multi Frequency}{\relax }|setentrycounter{page}\glsnumberformat}{7}
\glossaryentry{SMS?\glossaryentryfield{sms}{\glsnamefont{SMS}}{Short Message Service}{\relax }|setentrycounter{page}\glsnumberformat}{7}
-\glossaryentry{PLMS?\glossaryentryfield{plmn}{\glsnamefont{PLMS}}{Public Land Mobile Network}{\relax }|setentrycounter{page}\glsnumberformat}{7}
-\glossaryentry{SIM?\glossaryentryfield{sim}{\glsnamefont{SIM}}{Subscriber Identity Module}{\relax }|setentrycounter{page}\glsnumberformat}{7}
+\glossaryentry{PLMN?\glossaryentryfield{plmn}{\glsnamefont{PLMN}}{Public Land Mobile Network}{\relax }|setentrycounter{page}\glsnumberformat}{7}
\glossaryentry{IMEI?\glossaryentryfield{imei}{\glsnamefont{IMEI}}{International Mobile Equipment Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{7}
\glossaryentry{IMEI?\glossaryentryfield{imei}{\glsnamefont{IMEI}}{International Mobile Equipment Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{7}
-\glossaryentry{PDA?\glossaryentryfield{pda}{\glsnamefont{PDA}}{Personal Digital Assistant}{\relax }|setentrycounter{page}\glsnumberformat}{7}
\glossaryentry{ME?\glossaryentryfield{me}{\glsnamefont{ME}}{Mobile Equipment}{\relax }|setentrycounter{page}\glsnumberformat}{7}
\glossaryentry{ME?\glossaryentryfield{me}{\glsnamefont{ME}}{Mobile Equipment}{\relax }|setentrycounter{page}\glsnumberformat}{7}
\glossaryentry{SIM?\glossaryentryfield{sim}{\glsnamefont{SIM}}{Subscriber Identity Module}{\relax }|setentrycounter{page}\glsnumberformat}{7}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{7}
\glossaryentry{ME?\glossaryentryfield{me}{\glsnamefont{ME}}{Mobile Equipment}{\relax }|setentrycounter{page}\glsnumberformat}{7}
\glossaryentry{SIM?\glossaryentryfield{sim}{\glsnamefont{SIM}}{Subscriber Identity Module}{\relax }|setentrycounter{page}\glsnumberformat}{7}
\glossaryentry{ME?\glossaryentryfield{me}{\glsnamefont{ME}}{Mobile Equipment}{\relax }|setentrycounter{page}\glsnumberformat}{7}
-\glossaryentry{SIM?\glossaryentryfield{sim}{\glsnamefont{SIM}}{Subscriber Identity Module}{\relax }|setentrycounter{page}\glsnumberformat}{8}
-\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{8}
-\glossaryentry{Ki?\glossaryentryfield{ki}{\glsnamefont{Ki}}{Secret Key}{\relax }|setentrycounter{page}\glsnumberformat}{8}
+\glossaryentry{SIM?\glossaryentryfield{sim}{\glsnamefont{SIM}}{Subscriber Identity Module}{\relax }|setentrycounter{page}\glsnumberformat}{7}
+\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{7}
+\glossaryentry{Ki?\glossaryentryfield{ki}{\glsnamefont{Ki}}{Secret Key}{\relax }|setentrycounter{page}\glsnumberformat}{7}
\glossaryentry{EEPROM?\glossaryentryfield{eeprom}{\glsnamefont{EEPROM}}{Electrically Erasable Programmable Read-Only Memory}{\relax }|setentrycounter{page}\glsnumberformat}{8}
\glossaryentry{Kc?\glossaryentryfield{kc}{\glsnamefont{Kc}}{Cyphering Key}{\relax }|setentrycounter{page}\glsnumberformat}{8}
\glossaryentry{Ki?\glossaryentryfield{ki}{\glsnamefont{Ki}}{Secret Key}{\relax }|setentrycounter{page}\glsnumberformat}{8}
+\glossaryentry{Kc?\glossaryentryfield{kc}{\glsnamefont{Kc}}{Cyphering Key}{\relax }|setentrycounter{page}\glsnumberformat}{8}
\glossaryentry{SIM?\glossaryentryfield{sim}{\glsnamefont{SIM}}{Subscriber Identity Module}{\relax }|setentrycounter{page}\glsnumberformat}{8}
\glossaryentry{Ki?\glossaryentryfield{ki}{\glsnamefont{Ki}}{Secret Key}{\relax }|setentrycounter{page}\glsnumberformat}{8}
\glossaryentry{Kc?\glossaryentryfield{kc}{\glsnamefont{Kc}}{Cyphering Key}{\relax }|setentrycounter{page}\glsnumberformat}{8}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{8}
\glossaryentry{PIN?\glossaryentryfield{pin}{\glsnamefont{PIN}}{Personal Identification Number}{\relax }|setentrycounter{page}\glsnumberformat}{8}
\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{8}
\glossaryentry{MCC?\glossaryentryfield{mcc}{\glsnamefont{MCC}}{Mobile Country Code}{\relax }|setentrycounter{page}\glsnumberformat}{8}
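Review bot: Master.acn consists of \glossaryentry lines whose only changes here are page counters and the acronym text corrected in Glossary.tex, which indicates it is output written during the LaTeX build and not a source file. Tracking it produces hunks like this one on every rebuild and buries the real changes; consider removing it from version control and ignoring it together with the other build outputs under Tex/Master.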
@@ -83,8 +84,8 @@
\glossaryentry{HNI?\glossaryentryfield{hni}{\glsnamefont{HNI}}{Home Network Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{8}
\glossaryentry{MCC?\glossaryentryfield{mcc}{\glsnamefont{MCC}}{Mobile Country Code}{\relax }|setentrycounter{page}\glsnumberformat}{8}
\glossaryentry{MNC?\glossaryentryfield{mnc}{\glsnamefont{MNC}}{Mobile Network Code}{\relax }|setentrycounter{page}\glsnumberformat}{8}
-\glossaryentry{PLMS?\glossaryentryfield{plmn}{\glsnamefont{PLMS}}{Public Land Mobile Network}{\relax }|setentrycounter{page}\glsnumberformat}{8}
-\glossaryentry{MCC?\glossaryentryfield{mcc}{\glsnamefont{MCC}}{Mobile Country Code}{\relax }|setentrycounter{page}\glsnumberformat}{8}
+\glossaryentry{PLMN?\glossaryentryfield{plmn}{\glsnamefont{PLMN}}{Public Land Mobile Network}{\relax }|setentrycounter{page}\glsnumberformat}{9}
+\glossaryentry{MCC?\glossaryentryfield{mcc}{\glsnamefont{MCC}}{Mobile Country Code}{\relax }|setentrycounter{page}\glsnumberformat}{9}
\glossaryentry{MNC?\glossaryentryfield{mnc}{\glsnamefont{MNC}}{Mobile Network Code}{\relax }|setentrycounter{page}\glsnumberformat}{9}
\glossaryentry{MCC?\glossaryentryfield{mcc}{\glsnamefont{MCC}}{Mobile Country Code}{\relax }|setentrycounter{page}\glsnumberformat}{9}
\glossaryentry{ITU?\glossaryentryfield{itu}{\glsnamefont{ITU}}{International Telecomunication Union}{\relax }|setentrycounter{page}\glsnumberformat}{9}
@@ -104,11 +105,11 @@
\glossaryentry{MSC?\glossaryentryfield{msc}{\glsnamefont{MSC}}{Mobile Switching Center}{\relax }|setentrycounter{page}\glsnumberformat}{9}
\glossaryentry{NSS?\glossaryentryfield{nss}{\glsnamefont{NSS}}{Network Subsystem}{\relax }|setentrycounter{page}\glsnumberformat}{9}
\glossaryentry{ISDN?\glossaryentryfield{isdn}{\glsnamefont{ISDN}}{Integrated Services Digital Network}{\relax }|setentrycounter{page}\glsnumberformat}{9}
-\glossaryentry{PLMS?\glossaryentryfield{plmn}{\glsnamefont{PLMS}}{Public Land Mobile Network}{\relax }|setentrycounter{page}\glsnumberformat}{9}
+\glossaryentry{PLMN?\glossaryentryfield{plmn}{\glsnamefont{PLMN}}{Public Land Mobile Network}{\relax }|setentrycounter{page}\glsnumberformat}{9}
\glossaryentry{MSC?\glossaryentryfield{msc}{\glsnamefont{MSC}}{Mobile Switching Center}{\relax }|setentrycounter{page}\glsnumberformat}{9}
-\glossaryentry{LA?\glossaryentryfield{la}{\glsnamefont{LA}}{Location Area}{\relax }|setentrycounter{page}\glsnumberformat}{9}
-\glossaryentry{CC?\glossaryentryfield{cc}{\glsnamefont{CC}}{Call Control}{\relax }|setentrycounter{page}\glsnumberformat}{9}
-\glossaryentry{MM?\glossaryentryfield{mm}{\glsnamefont{MM}}{Mobility Management}{\relax }|setentrycounter{page}\glsnumberformat}{9}
+\glossaryentry{LA?\glossaryentryfield{la}{\glsnamefont{LA}}{Location Area}{\relax }|setentrycounter{page}\glsnumberformat}{10}
+\glossaryentry{CC?\glossaryentryfield{cc}{\glsnamefont{CC}}{Call Control}{\relax }|setentrycounter{page}\glsnumberformat}{10}
+\glossaryentry{MM?\glossaryentryfield{mm}{\glsnamefont{MM}}{Mobility Management}{\relax }|setentrycounter{page}\glsnumberformat}{10}
\glossaryentry{CC?\glossaryentryfield{cc}{\glsnamefont{CC}}{Call Control}{\relax }|setentrycounter{page}\glsnumberformat}{10}
\glossaryentry{MSC?\glossaryentryfield{msc}{\glsnamefont{MSC}}{Mobile Switching Center}{\relax }|setentrycounter{page}\glsnumberformat}{10}
\glossaryentry{PSTN?\glossaryentryfield{pstn}{\glsnamefont{PSTN}}{Public Standard Telephone Network}{\relax }|setentrycounter{page}\glsnumberformat}{10}
@@ -161,6 +162,7 @@
\glossaryentry{Ki?\glossaryentryfield{ki}{\glsnamefont{Ki}}{Secret Key}{\relax }|setentrycounter{page}\glsnumberformat}{14}
\glossaryentry{MSC?\glossaryentryfield{msc}{\glsnamefont{MSC}}{Mobile Switching Center}{\relax }|setentrycounter{page}\glsnumberformat}{14}
\glossaryentry{AC?\glossaryentryfield{ac}{\glsnamefont{AC}}{Authentication Center}{\relax }|setentrycounter{page}\glsnumberformat}{14}
+\glossaryentry{Kc?\glossaryentryfield{kc}{\glsnamefont{Kc}}{Cyphering Key}{\relax }|setentrycounter{page}\glsnumberformat}{14}
\glossaryentry{AC?\glossaryentryfield{ac}{\glsnamefont{AC}}{Authentication Center}{\relax }|setentrycounter{page}\glsnumberformat}{14}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{14}
\glossaryentry{MSC?\glossaryentryfield{msc}{\glsnamefont{MSC}}{Mobile Switching Center}{\relax }|setentrycounter{page}\glsnumberformat}{14}
@@ -201,6 +203,7 @@
\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{15}
\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{17}
\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{17}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{17}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{17}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{17}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{17}
@@ -211,6 +214,7 @@
\glossaryentry{CI?\glossaryentryfield{ci}{\glsnamefont{CI}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{18}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{18}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{18}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{18}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{20}
\glossaryentry{BSC?\glossaryentryfield{bsc}{\glsnamefont{BSC}}{Base Station Controller}{\relax }|setentrycounter{page}\glsnumberformat}{20}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{20}
@@ -228,7 +232,7 @@
\glossaryentry{BSC?\glossaryentryfield{bsc}{\glsnamefont{BSC}}{Base Station Controller}{\relax }|setentrycounter{page}\glsnumberformat}{20}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{20}
\glossaryentry{BSC?\glossaryentryfield{bsc}{\glsnamefont{BSC}}{Base Station Controller}{\relax }|setentrycounter{page}\glsnumberformat}{20}
-\glossaryentry{SDCCH?\glossaryentryfield{sdcch}{\glsnamefont{SDCCH}}{Standalone Digital Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{20}
+\glossaryentry{SDCCH?\glossaryentryfield{sdcch}{\glsnamefont{SDCCH}}{Standalone Dedicated Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{20}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{20}
\glossaryentry{AGCH?\glossaryentryfield{agch}{\glsnamefont{AGCH}}{Access Grand Channel}{\relax }|setentrycounter{page}\glsnumberformat}{20}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{20}
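Review bot: the SDCCH expansion is corrected here, but the AGCH entry two lines below it still reads "Access Grand Channel". The channel is the "Access Grant Channel", so the same kind of fix is needed in its acronym definition.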
@@ -243,11 +247,11 @@
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{20}
\glossaryentry{MSC?\glossaryentryfield{msc}{\glsnamefont{MSC}}{Mobile Switching Center}{\relax }|setentrycounter{page}\glsnumberformat}{20}
\glossaryentry{BSC?\glossaryentryfield{bsc}{\glsnamefont{BSC}}{Base Station Controller}{\relax }|setentrycounter{page}\glsnumberformat}{20}
-\glossaryentry{SDCCH?\glossaryentryfield{sdcch}{\glsnamefont{SDCCH}}{Standalone Digital Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{20}
+\glossaryentry{SDCCH?\glossaryentryfield{sdcch}{\glsnamefont{SDCCH}}{Standalone Dedicated Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{20}
\glossaryentry{MSC?\glossaryentryfield{msc}{\glsnamefont{MSC}}{Mobile Switching Center}{\relax }|setentrycounter{page}\glsnumberformat}{20}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{20}
-\glossaryentry{TCH?\glossaryentryfield{tch}{\glsnamefont{TCH}}{Traffic Channel}{\relax }|setentrycounter{page}\glsnumberformat}{21}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{21}
+\glossaryentry{TCH?\glossaryentryfield{tch}{\glsnamefont{TCH}}{Traffic Channel}{\relax }|setentrycounter{page}\glsnumberformat}{20}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{20}
\glossaryentry{BSC?\glossaryentryfield{bsc}{\glsnamefont{BSC}}{Base Station Controller}{\relax }|setentrycounter{page}\glsnumberformat}{21}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{21}
\glossaryentry{MSC?\glossaryentryfield{msc}{\glsnamefont{MSC}}{Mobile Switching Center}{\relax }|setentrycounter{page}\glsnumberformat}{21}
@@ -330,7 +334,7 @@
\glossaryentry{SACCH?\glossaryentryfield{sacch}{\glsnamefont{SACCH}}{Slow Access Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{28}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{28}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{28}
-\glossaryentry{SDCCH?\glossaryentryfield{sdcch}{\glsnamefont{SDCCH}}{Standalone Digital Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{28}
+\glossaryentry{SDCCH?\glossaryentryfield{sdcch}{\glsnamefont{SDCCH}}{Standalone Dedicated Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{28}
\glossaryentry{TCH?\glossaryentryfield{tch}{\glsnamefont{TCH}}{Traffic Channel}{\relax }|setentrycounter{page}\glsnumberformat}{28}
\glossaryentry{SCH?\glossaryentryfield{sch}{\glsnamefont{SCH}}{Signalling Channel}{\relax }|setentrycounter{page}\glsnumberformat}{28}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{28}
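Review bot: the unchanged lines around the SDCCH fix carry two more wrong expansions: SACCH as "Slow Access Control Channel" (it is the "Slow Associated Control Channel") and SCH as "Signalling Channel" (it is the "Synchronization Channel"). Correct both in the acronym definitions so the printed acronym list matches the GSM terminology.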
@@ -342,7 +346,7 @@
\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{28}
\glossaryentry{RACH?\glossaryentryfield{rach}{\glsnamefont{RACH}}{Random Access Channel}{\relax }|setentrycounter{page}\glsnumberformat}{29}
\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{29}
-\glossaryentry{SDCCH?\glossaryentryfield{sdcch}{\glsnamefont{SDCCH}}{Standalone Digital Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{29}
+\glossaryentry{SDCCH?\glossaryentryfield{sdcch}{\glsnamefont{SDCCH}}{Standalone Dedicated Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{29}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{29}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{29}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{29}
@@ -350,7 +354,7 @@
\glossaryentry{AGCH?\glossaryentryfield{agch}{\glsnamefont{AGCH}}{Access Grand Channel}{\relax }|setentrycounter{page}\glsnumberformat}{29}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{29}
\glossaryentry{RACH?\glossaryentryfield{rach}{\glsnamefont{RACH}}{Random Access Channel}{\relax }|setentrycounter{page}\glsnumberformat}{29}
-\glossaryentry{SDCCH?\glossaryentryfield{sdcch}{\glsnamefont{SDCCH}}{Standalone Digital Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{29}
+\glossaryentry{SDCCH?\glossaryentryfield{sdcch}{\glsnamefont{SDCCH}}{Standalone Dedicated Control Channel}{\relax }|setentrycounter{page}\glsnumberformat}{29}
\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{29}
\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{29}
\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{30}
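Review bot: the BCCH entries in the trailing context expand to "Broadcast Channel", dropping a word. The GSM name is "Broadcast Control Channel". This belongs with the SDCCH correction made in the same hunk.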
@@ -415,8 +419,6 @@
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{35}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{35}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{35}
-\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{35}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{35}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{35}
\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{35}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{35}
@@ -436,10 +438,6 @@
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{35}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{35}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{35}
-\glossaryentry{LAI?\glossaryentryfield{lai}{\glsnamefont{LAI}}{Location Area Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{35}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{35}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{35}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{36}
\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{36}
\glossaryentry{SIM?\glossaryentryfield{sim}{\glsnamefont{SIM}}{Subscriber Identity Module}{\relax }|setentrycounter{page}\glsnumberformat}{36}
\glossaryentry{IMSI?\glossaryentryfield{imsi}{\glsnamefont{IMSI}}{International Mobile Subscriber Identification}{\relax }|setentrycounter{page}\glsnumberformat}{36}
@@ -536,6 +534,7 @@
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{50}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{50}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{51}
+\glossaryentry{LAI?\glossaryentryfield{lai}{\glsnamefont{LAI}}{Location Area Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{51}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{51}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{52}
\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{52}
@@ -543,12 +542,15 @@
\glossaryentry{MVC?\glossaryentryfield{mvc}{\glsnamefont{MVC}}{Model View Controller}{\relax }|setentrycounter{page}\glsnumberformat}{52}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{53}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{53}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{54}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{54}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{54}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{54}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{55}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{55}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{55}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{55}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{55}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{55}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{56}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{56}
\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{56}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{56}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{57}
+\glossaryentry{LAI?\glossaryentryfield{lai}{\glsnamefont{LAI}}{Location Area Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{56}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{57}
diff --git a/Tex/Master/Master.aux b/Tex/Master/Master.aux
index 46ff4f5..2ce5faf 100644
--- a/Tex/Master/Master.aux
+++ b/Tex/Master/Master.aux
@@ -23,11 +23,12 @@
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
-\@writefile{toc}{\contentsline {chapter}{\numberline {1}Introduciton}{1}}
+\@writefile{toc}{\contentsline {chapter}{\numberline {1}Introduction}{1}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{lol}{\addvspace {10\p@ }}
\@writefile{toc}{\contentsline {section}{\numberline {1.1}Structure}{1}}
+\@writefile{toc}{\contentsline {section}{\numberline {1.2}Disclaimer}{1}}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
\@writefile{toc}{\contentsline {chapter}{\numberline {2}GSM}{3}}
@@ -66,10 +67,10 @@
\newlabel{sec:ms}{{2.2.1}{6}}
\citation{GSM0505}
\citation{ISO7810}
-\FN@pp@footnote@aux{3}{7}
-\FN@pp@footnote@aux{4}{7}
\citation{protocols1999}
\citation{protocols1999}
+\FN@pp@footnote@aux{3}{7}
+\FN@pp@footnote@aux{4}{7}
\citation{kommsys2006}
\citation{GSM23003}
\citation{ITU212}
@@ -101,7 +102,7 @@
\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.4}Base Station Subsystem}{15}}
\newlabel{sec:bss}{{2.2.4}{15}}
\@writefile{toc}{\contentsline {subsubsection}{Frequencies and the Cellular Principle}{15}}
-\@writefile{lof}{\contentsline {figure}{\numberline {2.4}{\ignorespaces Mapping of functional entities on the 900 Mhz band.}}{16}}
+\@writefile{lof}{\contentsline {figure}{\numberline {2.4}{\ignorespaces Mapping of functional entities on the 900\tmspace +\thinmuskip {.1667em}MHz\ band.}}{16}}
\newlabel{fig:frequency}{{2.4}{16}}
\@writefile{lot}{\contentsline {table}{\numberline {2.4}{\ignorespaces Frequencies in the different bands \cite {kommsys2006}.}}{16}}
\newlabel{tab:frequencies}{{2.4}{16}}
@@ -122,7 +123,7 @@
\@writefile{lof}{\contentsline {subfigure}{\numberline{(c)}{\ignorespaces {Sectorised configuration.}}}{19}}
\newlabel{fig:configurations}{{2.6}{19}}
\citation{kommsys2006}
-\@writefile{toc}{\contentsline {subsubsection}{Baste Station Controller}{20}}
+\@writefile{toc}{\contentsline {subsubsection}{Base Station Controller}{20}}
\citation{kommsys2006}
\@writefile{toc}{\contentsline {subsubsection}{Transcoding rate and Adaption Unit}{21}}
\citation{kommsys2006}
@@ -198,15 +199,13 @@
\@writefile{lof}{\contentsline {figure}{\numberline {2.14}{\ignorespaces IMSI catching procedure. Adopted and simplified from \cite {mueller}.}}{34}}
\newlabel{fig:catcher_catch}{{2.14}{34}}
\citation{dennis}
-\citation{mueller}
\citation{imsi_wiki}
-\citation{mueller}
+\citation{fox}
\@writefile{toc}{\contentsline {subsubsection}{Attacks}{35}}
\newlabel{sec:attacks}{{2.4.1}{35}}
\@writefile{toc}{\contentsline {paragraph}{MS is in normal cell selection mode:}{35}}
\@writefile{toc}{\contentsline {paragraph}{MS is already connected to a network:}{35}}
\citation{fox}
-\citation{fox}
\citation{imsi_wiki}
\citation{criminal_justice}
\@writefile{toc}{\contentsline {subsubsection}{Risks and Irregularities}{36}}
@@ -273,20 +272,26 @@
\FN@pp@footnote@aux{16}{51}
\@writefile{toc}{\contentsline {section}{\numberline {3.3}IMSI Catcher Detection System}{51}}
\newlabel{sec:icds}{{3.3}{51}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.1}Implemetation}{51}}
\@writefile{lof}{\contentsline {figure}{\numberline {3.5}{\ignorespaces System architecture of the ICDS. The arrows indicate the flow of data.}}{52}}
\newlabel{fig:architecture}{{3.5}{52}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.1}Implemetation}{52}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.2}Configuration}{53}}
\newlabel{sec:configuration}{{3.3.2}{53}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.3}Operation}{53}}
\newlabel{sec:icds_operation}{{3.3.3}{53}}
\@writefile{lof}{\contentsline {figure}{\numberline {3.6}{\ignorespaces A python dictionary.}}{54}}
\newlabel{fig:python_dict}{{3.6}{54}}
-\@writefile{lof}{\contentsline {figure}{\numberline {3.7}{\ignorespaces The ICDS main window.}}{55}}
-\newlabel{fig:icds}{{3.7}{55}}
+\@writefile{lof}{\contentsline {figure}{\numberline {3.7}{\ignorespaces The ICDS main window.}}{54}}
+\newlabel{fig:icds}{{3.7}{54}}
\@writefile{toc}{\contentsline {paragraph}{Sweep scans:}{56}}
+\@writefile{toc}{\contentsline {paragraph}{CellID Information:}{56}}
+\newlabel{fig:databases}{{3.8(a)}{57}}
+\newlabel{sub@fig:databases}{{(a)}{57}}
+\@writefile{lof}{\contentsline {figure}{\numberline {3.8}{\ignorespaces Settings windows for two ICDS features.}}{57}}
+\@writefile{lof}{\contentsline {subfigure}{\numberline{(a)}{\ignorespaces {Databases window.}}}{57}}
+\@writefile{lof}{\contentsline {subfigure}{\numberline{(b)}{\ignorespaces {User Mode window.}}}{57}}
\@writefile{toc}{\contentsline {paragraph}{Location Area Database:}{57}}
-\@writefile{toc}{\contentsline {paragraph}{Quick check:}{57}}
+\@writefile{toc}{\contentsline {paragraph}{User Mode:}{58}}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
\@writefile{toc}{\contentsline {chapter}{\numberline {4}Evaluation}{59}}
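Review bot: the re-added table-of-contents line for subsection 3.3.1 still spells the heading "Implemetation". The line only moved from page 51 to 52, so the typo sits in the \subsection title of the source chapter and should be corrected there to "Implementation". Also check the new \newlabel{fig:databases}, which resolves to 3.8(a) rather than 3.8: if the text refers to the whole settings figure, the label needs to follow the main caption instead of the first subfigure.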
@@ -338,71 +343,51 @@
\bibcite{blacklisting}{26}
\bibcite{imsi_wiki}{27}
\FN@pp@footnotehinttrue
-\citation{GSM2009}
-\citation{GSM_history2011}
-\citation{GSM_stats2011}
-\citation{GSM2009}
-\citation{protocols1999}
-\citation{kommsys2006}
-\citation{GSM2009}
-\citation{kommsys2006}
-\citation{fox}
-\citation{def_catcher}
-\citation{mueller}
-\citation{osmo_wiki_c123}
-\FN@pp@footnotehinttrue
-\FN@pp@footnotehinttrue
-\FN@pp@footnotehinttrue
-\citation{protocols1999}
-\citation{kommsys2006}
-\citation{GSM2009}
-\citation{GSM2009}
-\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
-\@writefile{toc}{\contentsline {chapter}{\numberline {A}OsmocomBB}{VII}}
+\@writefile{toc}{\contentsline {chapter}{\numberline {A}OsmocomBB}{III}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{lol}{\addvspace {10\p@ }}
-\@writefile{toc}{\contentsline {section}{\numberline {A.1}Installation}{VII}}
-\newlabel{sec:osmo_install}{{A.1}{VII}}
-\@writefile{toc}{\contentsline {section}{\numberline {A.2}Usage}{VIII}}
-\newlabel{sec:osmo_usage}{{A.2}{VIII}}
-\@writefile{toc}{\contentsline {section}{\numberline {A.3}Serial Cable Schematics}{VIII}}
-\newlabel{sec:osmo_serial_schematics}{{A.3}{VIII}}
+\@writefile{toc}{\contentsline {section}{\numberline {A.1}Installation}{III}}
+\newlabel{sec:osmo_install}{{A.1}{III}}
+\@writefile{toc}{\contentsline {section}{\numberline {A.2}Usage}{IV}}
+\newlabel{sec:osmo_usage}{{A.2}{IV}}
+\@writefile{toc}{\contentsline {section}{\numberline {A.3}Serial Cable Schematics}{IV}}
+\newlabel{sec:osmo_serial_schematics}{{A.3}{IV}}
\FN@pp@footnotehinttrue
-\@writefile{lof}{\contentsline {figure}{\numberline {A.1}{\ignorespaces Schematics for the T191 unlock cable.}}{IX}}
-\newlabel{fig:schematics}{{A.1}{IX}}
+\@writefile{lof}{\contentsline {figure}{\numberline {A.1}{\ignorespaces Schematics for the T191 unlock cable.}}{V}}
+\newlabel{fig:schematics}{{A.1}{V}}
\FN@pp@footnotehinttrue
-\@writefile{toc}{\contentsline {chapter}{\numberline {B}IMSI Catcher Detection System}{XI}}
+\@writefile{toc}{\contentsline {chapter}{\numberline {B}IMSI Catcher Detection System}{VII}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{lol}{\addvspace {10\p@ }}
-\@writefile{toc}{\contentsline {section}{\numberline {B.1}Extextions}{XI}}
-\newlabel{sec:extensions}{{B.1}{XI}}
-\@writefile{toc}{\contentsline {section}{\numberline {B.2}Example Configuration}{XI}}
-\newlabel{sec:example_config}{{B.2}{XI}}
+\@writefile{toc}{\contentsline {section}{\numberline {B.1}Extextions}{VII}}
+\newlabel{sec:extensions}{{B.1}{VII}}
+\@writefile{toc}{\contentsline {section}{\numberline {B.2}Example Configuration}{VII}}
+\newlabel{sec:example_config}{{B.2}{VII}}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
-\@writefile{toc}{\contentsline {chapter}{\numberline {C}System Information}{XIII}}
+\@writefile{toc}{\contentsline {chapter}{\numberline {C}System Information}{IX}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{lol}{\addvspace {10\p@ }}
-\newlabel{sec:system_infos}{{C}{XIII}}
+\newlabel{sec:system_infos}{{C}{IX}}
\FN@pp@footnotehinttrue
-\@writefile{lof}{\contentsline {figure}{\numberline {C.1}{\ignorespaces System Information 1 Message}}{XIV}}
-\@writefile{lof}{\contentsline {figure}{\numberline {C.2}{\ignorespaces System Information 2 Message}}{XV}}
-\@writefile{lof}{\contentsline {figure}{\numberline {C.3}{\ignorespaces System Information 3 Message}}{XVI}}
-\@writefile{lof}{\contentsline {figure}{\numberline {C.4}{\ignorespaces System Information 4 Message}}{XVII}}
+\@writefile{lof}{\contentsline {figure}{\numberline {C.1}{\ignorespaces System Information 1 Message}}{X}}
+\@writefile{lof}{\contentsline {figure}{\numberline {C.2}{\ignorespaces System Information 2 Message}}{XI}}
+\@writefile{lof}{\contentsline {figure}{\numberline {C.3}{\ignorespaces System Information 3 Message}}{XII}}
+\@writefile{lof}{\contentsline {figure}{\numberline {C.4}{\ignorespaces System Information 4 Message}}{XIII}}
\FN@pp@footnotehinttrue
-\@writefile{toc}{\contentsline {chapter}{\numberline {D}Evaluation Data}{XIX}}
+\@writefile{toc}{\contentsline {chapter}{\numberline {D}Evaluation Data}{XV}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{lol}{\addvspace {10\p@ }}
-\@writefile{toc}{\contentsline {section}{\numberline {D.1}IMSI Catcher Configurations}{XIX}}
-\@writefile{toc}{\contentsline {section}{\numberline {D.2}ICDS Scans}{XIX}}
+\@writefile{toc}{\contentsline {section}{\numberline {D.1}IMSI Catcher Configurations}{XV}}
+\@writefile{toc}{\contentsline {section}{\numberline {D.2}ICDS Scans}{XV}}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
-\@writefile{toc}{\contentsline {chapter}{Acronyms}{XXI}}
+\@writefile{toc}{\contentsline {chapter}{Acronyms}{XVII}}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
\gdef \LT@i {\LT@entry
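Review bot: the appendix B.1 heading is written out again as "Extextions" on the new side of this hunk, so the misspelling of "Extensions" survives the renumbering from page VII to page VII of the new appendix sequence and should be fixed in the source \section title. The rest of the hunk is renumbering only (appendix pages now start at III instead of VII) plus the removal of a duplicated run of \citation lines, which looks like the intended effect of the Master.tex change.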
diff --git a/Tex/Master/Master.ist b/Tex/Master/Master.ist
index fe40e99..ca83622 100644
--- a/Tex/Master/Master.ist
+++ b/Tex/Master/Master.ist
@@ -1,5 +1,5 @@
% makeindex style file created by the glossaries package
-% for document 'Master' on 2012-4-8
+% for document 'Master' on 2012-4-19
actual '?'
encap '|'
level '!'
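Review bot: the only change in this hunk is the creation date in the comment written by the glossaries package, from 2012-4-8 to 2012-4-19. Master.ist is regenerated on every build, so tracking it produces a diff like this one on each commit without any reviewable content. Remove it from the repository and add it to the ignore list together with the other generated glossary files.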
diff --git a/Tex/Master/Master.lof b/Tex/Master/Master.lof
index 6e6738a..5a633db 100644
--- a/Tex/Master/Master.lof
+++ b/Tex/Master/Master.lof
@@ -4,7 +4,7 @@
\contentsline {figure}{\numberline {2.1}{\ignorespaces Growth of mobile GSM subscriptions. Compiled from \cite {GSM2009,GSM_history2011,GSM_stats2011}}}{4}
\contentsline {figure}{\numberline {2.2}{\ignorespaces The main components of a GSM network.}}{6}
\contentsline {figure}{\numberline {2.3}{\ignorespaces Authentication procedure.}}{13}
-\contentsline {figure}{\numberline {2.4}{\ignorespaces Mapping of functional entities on the 900 Mhz band.}}{16}
+\contentsline {figure}{\numberline {2.4}{\ignorespaces Mapping of functional entities on the 900\tmspace +\thinmuskip {.1667em}MHz\ band.}}{16}
\contentsline {figure}{\numberline {2.5}{\ignorespaces Theoretical arrangement of radio cells compared to a realistic alignment. Cells with the same number share the same frequency \cite {GSM2009}.}}{18}
\contentsline {figure}{\numberline {2.6}{\ignorespaces Common base station configurations. Compiled from \cite {protocols1999}.}}{19}
\contentsline {subfigure}{\numberline {(a)}{\ignorespaces {Stantard configuration.}}}{19}
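Review bot: the last context line lists subfigure (a) of figure 2.6 as "Stantard configuration.", which should read "Standard configuration." in the subfigure caption of the source. The caption change to figure 2.4 ("Mhz" to a thin space plus "MHz") is the right correction of the unit.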
@@ -27,7 +27,10 @@
\contentsline {subfigure}{\numberline {(b)}{\ignorespaces {Tainted neighbourhood}}}{49}
\contentsline {figure}{\numberline {3.5}{\ignorespaces System architecture of the ICDS. The arrows indicate the flow of data.}}{52}
\contentsline {figure}{\numberline {3.6}{\ignorespaces A python dictionary.}}{54}
-\contentsline {figure}{\numberline {3.7}{\ignorespaces The ICDS main window.}}{55}
+\contentsline {figure}{\numberline {3.7}{\ignorespaces The ICDS main window.}}{54}
+\contentsline {figure}{\numberline {3.8}{\ignorespaces Settings windows for two ICDS features.}}{57}
+\contentsline {subfigure}{\numberline {(a)}{\ignorespaces {Databases window.}}}{57}
+\contentsline {subfigure}{\numberline {(b)}{\ignorespaces {User Mode window.}}}{57}
\addvspace {10\p@ }
\addvspace {10\p@ }
\addvspace {10\p@ }
diff --git a/Tex/Master/Master.log b/Tex/Master/Master.log
index 2549971..0843273 100644
--- a/Tex/Master/Master.log
+++ b/Tex/Master/Master.log
@@ -1,4 +1,4 @@
-This is pdfTeX, Version 3.1415926-1.40.10 (TeX Live 2009/Debian) (format=pdflatex 2012.1.7) 8 APR 2012 17:47
+This is pdfTeX, Version 3.1415926-1.40.10 (TeX Live 2009/Debian) (format=pdflatex 2012.1.7) 19 APR 2012 17:45
entering extended mode
%&-line parsing enabled.
**Master.tex
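Review bot: this hunk changes nothing but the run timestamp in the pdfTeX banner, and the remaining Master.log hunks are shifted input line numbers and page markers. The log is compiler output that also records the toolchain version and local installation paths, none of which belongs to the thesis. Drop Master.log (and the .aux, .toc, .lof, .synctex.gz and .pdf outputs listed in the diffstat) from version control and ignore them, so that a commit like this one shows only the changes to the .tex sources and images.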
@@ -923,35 +923,35 @@ File: lstlang1.sty 2004/09/05 1.3 listings language file
\glo@main@file=\write6
\openout6 = `Master.glo'.
-Package glossaries Info: Writing glossary file Master.glo on input line 94.
+Package glossaries Info: Writing glossary file Master.glo on input line 95.
\glo@acronym@file=\write7
\openout7 = `Master.acn'.
-Package glossaries Info: Writing glossary file Master.acn on input line 94.
+Package glossaries Info: Writing glossary file Master.acn on input line 95.
(./Glossary.tex)
(./Master.aux)
\openout1 = `Master.aux'.
-LaTeX Font Info: Checking defaults for OML/cmm/m/it on input line 111.
-LaTeX Font Info: ... okay on input line 111.
-LaTeX Font Info: Checking defaults for T1/cmr/m/n on input line 111.
-LaTeX Font Info: ... okay on input line 111.
-LaTeX Font Info: Checking defaults for OT1/cmr/m/n on input line 111.
-LaTeX Font Info: ... okay on input line 111.
-LaTeX Font Info: Checking defaults for OMS/cmsy/m/n on input line 111.
-LaTeX Font Info: ... okay on input line 111.
-LaTeX Font Info: Checking defaults for OMX/cmex/m/n on input line 111.
-LaTeX Font Info: ... okay on input line 111.
-LaTeX Font Info: Checking defaults for U/cmr/m/n on input line 111.
-LaTeX Font Info: ... okay on input line 111.
-LaTeX Font Info: Try loading font information for T1+ptm on input line 111.
+LaTeX Font Info: Checking defaults for OML/cmm/m/it on input line 112.
+LaTeX Font Info: ... okay on input line 112.
+LaTeX Font Info: Checking defaults for T1/cmr/m/n on input line 112.
+LaTeX Font Info: ... okay on input line 112.
+LaTeX Font Info: Checking defaults for OT1/cmr/m/n on input line 112.
+LaTeX Font Info: ... okay on input line 112.
+LaTeX Font Info: Checking defaults for OMS/cmsy/m/n on input line 112.
+LaTeX Font Info: ... okay on input line 112.
+LaTeX Font Info: Checking defaults for OMX/cmex/m/n on input line 112.
+LaTeX Font Info: ... okay on input line 112.
+LaTeX Font Info: Checking defaults for U/cmr/m/n on input line 112.
+LaTeX Font Info: ... okay on input line 112.
+LaTeX Font Info: Try loading font information for T1+ptm on input line 112.
(/usr/share/texmf-texlive/tex/latex/psnfss/t1ptm.fd
File: t1ptm.fd 2001/06/04 font definitions for T1/ptm.
)
Package scrbase Info: No captions found for `german'
-(scrbase) --> skipped on input line 111.
+(scrbase) --> skipped on input line 112.
Package scrbase Info: No captions found for `ngerman'
-(scrbase) --> skipped on input line 111.
+(scrbase) --> skipped on input line 112.
(/usr/share/texmf-texlive/tex/latex/ucs/ucsencs.def
File: ucsencs.def 2003/11/29 Fixes to fontencodings LGR, T3
@@ -1009,33 +1009,33 @@ Non-PDF special ignored!
{/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map} <../Images/unisiegel.pdf>])
LaTeX Font Info: Font shape `T1/ptm/bx/n' in size <10.95> not available
-(Font) Font shape `T1/ptm/b/n' tried instead on input line 121.
+(Font) Font shape `T1/ptm/b/n' tried instead on input line 122.
(../Content/Abstract.tex) [2]
-LaTeX Font Info: Try loading font information for T1+phv on input line 135.
+LaTeX Font Info: Try loading font information for T1+phv on input line 136.
(/usr/share/texmf-texlive/tex/latex/psnfss/t1phv.fd
File: t1phv.fd 2001/06/04 scalable font definitions for T1/phv.
)
LaTeX Font Info: Font shape `T1/phv/bx/n' in size <10.95> not available
-(Font) Font shape `T1/phv/b/n' tried instead on input line 135.
+(Font) Font shape `T1/phv/b/n' tried instead on input line 136.
LaTeX Font Info: Font shape `T1/ptm/bx/n' in size <20.74> not available
-(Font) Font shape `T1/ptm/b/n' tried instead on input line 135.
+(Font) Font shape `T1/ptm/b/n' tried instead on input line 136.
(./Master.toc
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
(scrbook) on input line 2.
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
-(scrbook) on input line 4.
+(scrbook) on input line 5.
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
-(scrbook) on input line 39.
+(scrbook) on input line 40.
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
-(scrbook) on input line 59.
+(scrbook) on input line 61.
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
-(scrbook) on input line 60.
+(scrbook) on input line 62.
[1
@@ -1045,47 +1045,28 @@ Class scrbook Info: You've told me to use the font selection of the element
]
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
-(scrbook) on input line 63.
+(scrbook) on input line 65.
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
-(scrbook) on input line 64.
-
-Overfull \hbox (1.87224pt too wide) detected at line 66
- []\T1/ptm/m/n/10.95 VIII
- []
-
-
-Overfull \hbox (1.87224pt too wide) detected at line 67
- []\T1/ptm/m/n/10.95 VIII
- []
-
+(scrbook) on input line 66.
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
-(scrbook) on input line 68.
+(scrbook) on input line 70.
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
-(scrbook) on input line 71.
+(scrbook) on input line 73.
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
-(scrbook) on input line 72.
-
-Overfull \hbox (2.48549pt too wide) detected at line 73
- []\T1/ptm/m/n/10.95 XIX
- []
-
-
-Overfull \hbox (2.48549pt too wide) detected at line 74
- []\T1/ptm/m/n/10.95 XIX
- []
-
+(scrbook) on input line 74.
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
-(scrbook) on input line 75.
+(scrbook) on input line 77.
)
\tf@toc=\write8
\openout8 = `Master.toc'.
- [2] (../Content/Motivation.tex
+
+[2] (../Content/Motivation.tex
Chapter 1.
Class scrbook Warning: \float@addtolists detected!
@@ -1126,11 +1107,11 @@ File: ../Images/Architecture.png Graphic file (type png)
<use ../Images/Architecture.png> [5]
LaTeX Font Info: Font shape `T1/ptm/bx/n' in size <12> not available
(Font) Font shape `T1/ptm/b/n' tried instead on input line 117.
- [6 <../Images/Architecture.png (PNG copy)>] [7]
-Underfull \vbox (badness 2042) has occurred while \output is active []
+ [6 <../Images/Architecture.png (PNG copy)>] [7] [8] [9]
+Underfull \vbox (badness 6808) has occurred while \output is active []
- [8]
-[9] [10] [11] <../Images/Authentication.png, id=66, 359.1819pt x 323.0469pt>
+ [10]
+[11] <../Images/Authentication.png, id=66, 359.1819pt x 323.0469pt>
File: ../Images/Authentication.png Graphic file (type png)
<use ../Images/Authentication.png> [12] [13 <../Images/Authentication.png (PNG
@@ -1138,14 +1119,13 @@ copy)>] [14] <../Images/Mapping.png, id=76, 337.28409pt x 115.19838pt>
File: ../Images/Mapping.png Graphic file (type png)
<use ../Images/Mapping.png> [15] [16 <../Images/Mapping.png (PNG copy)>]
-[17] <../Images/Cells.png, id=87, 98.72083pt x 88.8921pt>
+<../Images/Cells.png, id=84, 98.72083pt x 88.8921pt>
File: ../Images/Cells.png Graphic file (type png)
-
-<use ../Images/Cells.png>
-<../Images/real_Cells.PNG, id=88, 743.02594pt x 496.10344pt>
+ <use ../Images/Cells.png>
+<../Images/real_Cells.PNG, id=85, 743.02594pt x 496.10344pt>
File: ../Images/real_Cells.PNG Graphic file (type png)
-<use ../Images/real_Cells.PNG>
+<use ../Images/real_Cells.PNG> [17]
<../Images/Standart_config.png, id=90, 199.4652pt x 133.26588pt>
File: ../Images/Standart_config.png Graphic file (type png)
@@ -1168,7 +1148,7 @@ File: ../Images/Cipher.png Graphic file (type png)
File: ../Images/TDMAFDMA.png Graphic file (type png)
<use ../Images/TDMAFDMA.png>
-Underfull \vbox (badness 10000) has occurred while \output is active []
+Underfull \vbox (badness 4899) has occurred while \output is active []
[23 <../Images/TDMAFDMA.png (PNG copy)>]
<../Images/Frames.png, id=117, 367.42068pt x 252.29457pt>
@@ -1243,28 +1223,37 @@ LaTeX Font Info: Font shape `T1/phv/bx/n' in size <14.4> not available
(Font) Font shape `T1/phv/b/n' tried instead on input line 305.
[47] [48 <../Images/neighbourhoods_fak.png (PNG copy)>] [49] [50]
-LaTeX Warning: Citation `wiki_cells' on page 51 undefined on input line 387.
+LaTeX Warning: Citation `wiki_cells' on page 51 undefined on input line 386.
<../Images/Architecture_software.png, id=215, 341.8371pt x 183.78261pt>
File: ../Images/Architecture_software.png Graphic file (type png)
-<use ../Images/Architecture_software.png> [51]
-Underfull \vbox (badness 1895) has occurred while \output is active []
-
- [52 <../Images/Architecture_software.png (PNG copy)>]
+<use ../Images/Architecture_software.png> [51] [52 <../Images/Architecture_soft
+ware.png (PNG copy)>]
LaTeX Font Info: Font shape `T1/pcr/m/it' in size <10.95> not available
(Font) Font shape `T1/pcr/m/sl' tried instead on input line 464.
-
-<../Images/ICDS.png, id=223, 1154.3125pt x 869.2475pt>
+ [53]
+<../Images/ICDS.png, id=226, 1343.0175pt x 821.0675pt>
File: ../Images/ICDS.png Graphic file (type png)
-<use ../Images/ICDS.png> [53] [54] [55 <../Images/ICDS.png>] [56])
-(../Content/Evaluation.tex [57] [58
+<use ../Images/ICDS.png> [54 <../Images/ICDS.png>] [55]
+<../Images/databases.png, id=236, 358.33875pt x 373.395pt>
+File: ../Images/databases.png Graphic file (type png)
+<use ../Images/databases.png>
+File: ../Images/databases.png Graphic file (type png)
+ <use ../Images/databases.png>
+Overfull \hbox (10.40205pt too wide) in paragraph at lines 557--572
+[] \T1/ptm/b/n/10.95 Cel-lID In-for-ma-tion:[][] \T1/ptm/m/n/10.95 Cel-lID in-f
+or-ma-tion can be ob-tained through sev-eral dif-fer-ent means.
+ []
-]
+[56]) (../Content/Evaluation.tex [57 <../Images/databases.png>] [58]
Chapter 4.
-) (../Content/Conclusion.tex [59] [60
+) (../Content/Conclusion.tex [59
+
+
+] [60
]
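Review bot: The citation key `wiki_cells` is still undefined after this change (the warning only moved from input line 387 to 386), and the new paragraph at lines 557--572 ("CellID Information:") adds an Overfull \hbox of 10.40205pt. Add the missing bibliography entry for `wiki_cells`, and give the paragraph heading a break point, for example by writing "Cell ID" as two words as the rest of the chapter does.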
@@ -1342,46 +1331,12 @@ Underfull \hbox (badness 10000) in paragraph at lines 121--126
. html$\T1/ptm/m/n/10.95 ,
[]
-) [2] (./Master.lof
-
-LaTeX Warning: Citation `osmo_wiki_c123' on page III undefined on input line 23
-.
-
-
-Overfull \hbox (2.48549pt too wide) detected at line 37
- []\T1/ptm/m/n/10.95 XIV
- []
-
-
-Overfull \hbox (2.48549pt too wide) detected at line 39
- []\T1/ptm/m/n/10.95 XVI
- []
-
-
-Overfull \hbox (6.13179pt too wide) detected at line 40
- []\T1/ptm/m/n/10.95 XVII
- []
-
-)
-\tf@lof=\write9
-\openout9 = `Master.lof'.
-
- [3
-
-
-] [4
-
-
-] (./Master.lot)
-\tf@lot=\write10
-\openout10 = `Master.lot'.
-
- [5] (../Content/Appendix.tex [6
+) [2] (../Content/Appendix.tex
+Appendix A.
+[3
]
-Appendix A.
-[7]
Overfull \hbox (25.37581pt too wide) in paragraph at lines 31--33
\T1/ptm/m/n/10.95 moved to \T1/pcr/m/n/10.95 osmocom-bb/src/host/layer23/src/mi
sc \T1/ptm/m/n/10.95 and the \T1/pcr/m/n/10.95 Makefile.am
@@ -1392,48 +1347,48 @@ Overfull \hbox (5.82301pt too wide) in paragraph at lines 46--47
[][][][][][][][][][][][][][][][][][]
[]
-<../Images/t191cable.jpg, id=281, 702.625pt x 609.27625pt>
+<../Images/t191cable.jpg, id=270, 702.625pt x 609.27625pt>
File: ../Images/t191cable.jpg Graphic file (type jpg)
-<use ../Images/t191cable.jpg> [8] [9 <../Images/t191cable.jpg>] [10
+<use ../Images/t191cable.jpg> [4] [5 <../Images/t191cable.jpg>] [6
]
Appendix B.
-[11] [12
+[7] [8
]
Appendix C.
-<../Images/sysinfo1.png, id=297, 260.172pt x 393.1488pt>
+<../Images/sysinfo1.png, id=287, 260.172pt x 393.1488pt>
File: ../Images/sysinfo1.png Graphic file (type png)
<use ../Images/sysinfo1.png>
LaTeX Warning: Float too large for page by 0.9002pt on input line 79.
-<../Images/sysinfo2.png, id=298, 261.32832pt x 440.55792pt>
+<../Images/sysinfo2.png, id=288, 261.32832pt x 440.55792pt>
File: ../Images/sysinfo2.png Graphic file (type png)
<use ../Images/sysinfo2.png>
LaTeX Warning: Float too large for page by 61.98238pt on input line 84.
-<../Images/sysinfo3.png, id=299, 284.45473pt x 373.49136pt>
+<../Images/sysinfo3.png, id=289, 284.45473pt x 373.49136pt>
File: ../Images/sysinfo3.png Graphic file (type png)
<use ../Images/sysinfo3.png>
-<../Images/sysinfo4.png, id=300, 252.07776pt x 370.0224pt>
+<../Images/sysinfo4.png, id=290, 252.07776pt x 370.0224pt>
File: ../Images/sysinfo4.png Graphic file (type png)
-<use ../Images/sysinfo4.png> [13] [14 <../Images/sysinfo1.png (PNG copy)>]
-[15 <../Images/sysinfo2.png (PNG copy)>] [16 <../Images/sysinfo3.png (PNG copy)
->] [17 <../Images/sysinfo4.png (PNG copy)>] [18
+<use ../Images/sysinfo4.png> [9] [10 <../Images/sysinfo1.png (PNG copy)>]
+[11 <../Images/sysinfo2.png (PNG copy)>] [12 <../Images/sysinfo3.png (PNG copy)
+>] [13 <../Images/sysinfo4.png (PNG copy)>] [14
]
Appendix D.
-) (./Master.acr [19] [20
+) (./Master.acr [15] [16
]
@@ -1446,19 +1401,19 @@ Underfull \hbox (badness 10000) in paragraph at lines 34--35
[]|\T1/ptm/m/n/10.95 Electrically Erasable Pro-grammable Read-Only
[]
-[21
+[17
-] [22]) [23] (./Master.aux)
+] [18]) [19] (./Master.aux)
LaTeX Warning: There were undefined references.
)
Here is how much of TeX's memory you used:
- 24816 strings out of 493848
- 464492 string characters out of 1152824
- 669765 words of memory out of 3000000
- 27445 multiletter control sequences out of 15000+50000
+ 24802 strings out of 493848
+ 464233 string characters out of 1152824
+ 669802 words of memory out of 3000000
+ 27436 multiletter control sequences out of 15000+50000
80434 words of font info for 106 fonts, out of 3000000 for 9000
714 hyphenation exceptions out of 8191
69i,13n,72p,1076b,1342s stack positions out of 5000i,500n,10000p,200000b,50000s
@@ -1476,9 +1431,9 @@ ourier/ucrr8a.pfb></usr/share/texmf-texlive/fonts/type1/urw/courier/ucrro8a.pfb
f-texlive/fonts/type1/urw/times/utmb8a.pfb></usr/share/texmf-texlive/fonts/type
1/urw/times/utmr8a.pfb></usr/share/texmf-texlive/fonts/type1/urw/times/utmr8a.p
fb></usr/share/texmf-texlive/fonts/type1/urw/times/utmri8a.pfb>
-Output written on Master.pdf (89 pages, 14240416 bytes).
+Output written on Master.pdf (85 pages, 14250338 bytes).
PDF statistics:
- 390 PDF objects out of 1000 (max. 8388607)
+ 380 PDF objects out of 1000 (max. 8388607)
0 named destinations out of 1000 (max. 500000)
- 153 words of extra memory for PDF output out of 10000 (max. 10000000)
+ 158 words of extra memory for PDF output out of 10000 (max. 10000000)
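Review bot: Master.log is build output and should not be tracked. Every hunk in this file is page-number and object-id churn from the rebuild, and the font lines in this last hunk record local install paths (/usr/share/texmf-texlive/...). Remove it from the index together with the other generated files in this commit (Master.aux, Master.toc, Master.lof, Master.acn, Master.ist) and list them in .gitignore, so that reviews only show changes to the .tex sources.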
diff --git a/Tex/Master/Master.pdf b/Tex/Master/Master.pdf
index ded48c3..e702cfe 100644
--- a/Tex/Master/Master.pdf
+++ b/Tex/Master/Master.pdf
Binary files differ
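Review bot: Master.pdf is a generated binary of about 14 MB (the log reports 14250338 bytes), so each rebuild stores another full copy in history and the change cannot be reviewed from the diff. Untrack it and publish the PDF as a build or release artifact instead. The same applies to Master.synctex.gz in the next entry.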
diff --git a/Tex/Master/Master.synctex.gz b/Tex/Master/Master.synctex.gz
index ed9b994..29c90b2 100644
--- a/Tex/Master/Master.synctex.gz
+++ b/Tex/Master/Master.synctex.gz
Binary files differ
diff --git a/Tex/Master/Master.tex b/Tex/Master/Master.tex
index e03d694..c687ebc 100644
--- a/Tex/Master/Master.tex
+++ b/Tex/Master/Master.tex
@@ -76,6 +76,7 @@
\newcommand{\ie}{i.e.\ }
\newcommand{\cf}{cf.\ }
\newcommand{\etc}{etc.\ }
+\newcommand{\MHz}{\,MHz\ }
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Glossary and Listings Style %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
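Review bot: The new `\MHz` macro hard-codes a trailing `\ `, so a unit at the end of a sentence or before a comma ("900\MHz.") is typeset with a space before the punctuation. Drop the trailing `\ ` and write `\MHz{}` where a space is wanted, or end the definition with `\xspace` from the xspace package. If more units follow, siunitx would keep number and unit spacing consistent across the thesis.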
@@ -167,8 +168,8 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Appendix %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\listoffigures
-\listoftables
+%\listoffigures
+%\listoftables
\newpage
\appendix
\input{../Content/Appendix}
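Review bot: `\listoffigures` and `\listoftables` are commented out rather than removed, and nothing says why. If the lists are dropped on purpose, delete the two lines (history keeps them) and stop tracking Master.lof, which this commit still modifies. If this is temporary, say so in a comment next to them.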
diff --git a/Tex/Master/Master.toc b/Tex/Master/Master.toc
index 0573649..1969091 100644
--- a/Tex/Master/Master.toc
+++ b/Tex/Master/Master.toc
@@ -1,6 +1,7 @@
\select@language {english}
-\contentsline {chapter}{\numberline {1}Introduciton}{1}
+\contentsline {chapter}{\numberline {1}Introduction}{1}
\contentsline {section}{\numberline {1.1}Structure}{1}
+\contentsline {section}{\numberline {1.2}Disclaimer}{1}
\contentsline {chapter}{\numberline {2}GSM}{3}
\contentsline {section}{\numberline {2.1}A Historical Perspective}{3}
\contentsline {section}{\numberline {2.2}The GSM Network}{5}
@@ -15,7 +16,7 @@
\contentsline {subsection}{\numberline {2.2.4}Base Station Subsystem}{15}
\contentsline {subsubsection}{Frequencies and the Cellular Principle}{15}
\contentsline {subsubsection}{Base Transceiver Station}{18}
-\contentsline {subsubsection}{Baste Station Controller}{20}
+\contentsline {subsubsection}{Base Station Controller}{20}
\contentsline {subsubsection}{Transcoding rate and Adaption Unit}{21}
\contentsline {section}{\numberline {2.3}The $U_m$ Interface}{22}
\contentsline {subsection}{\numberline {2.3.1}Radio Transmission}{23}
@@ -50,26 +51,27 @@
\contentsline {subsection}{\numberline {3.2.3}Forged Parameters}{50}
\contentsline {subsubsection}{Database Rules}{50}
\contentsline {section}{\numberline {3.3}IMSI Catcher Detection System}{51}
-\contentsline {subsection}{\numberline {3.3.1}Implemetation}{51}
+\contentsline {subsection}{\numberline {3.3.1}Implemetation}{52}
\contentsline {subsection}{\numberline {3.3.2}Configuration}{53}
\contentsline {subsection}{\numberline {3.3.3}Operation}{53}
\contentsline {paragraph}{Sweep scans:}{56}
+\contentsline {paragraph}{CellID Information:}{56}
\contentsline {paragraph}{Location Area Database:}{57}
-\contentsline {paragraph}{Quick check:}{57}
+\contentsline {paragraph}{User Mode:}{58}
\contentsline {chapter}{\numberline {4}Evaluation}{59}
\contentsline {chapter}{\numberline {5}Conclusion}{61}
\contentsline {section}{\numberline {5.1}Related Projects}{61}
\contentsline {section}{\numberline {5.2}Future Work}{61}
\contentsline {chapter}{Bibliography}{I}
-\contentsline {chapter}{\numberline {A}OsmocomBB}{VII}
-\contentsline {section}{\numberline {A.1}Installation}{VII}
-\contentsline {section}{\numberline {A.2}Usage}{VIII}
-\contentsline {section}{\numberline {A.3}Serial Cable Schematics}{VIII}
-\contentsline {chapter}{\numberline {B}IMSI Catcher Detection System}{XI}
-\contentsline {section}{\numberline {B.1}Extextions}{XI}
-\contentsline {section}{\numberline {B.2}Example Configuration}{XI}
-\contentsline {chapter}{\numberline {C}System Information}{XIII}
-\contentsline {chapter}{\numberline {D}Evaluation Data}{XIX}
-\contentsline {section}{\numberline {D.1}IMSI Catcher Configurations}{XIX}
-\contentsline {section}{\numberline {D.2}ICDS Scans}{XIX}
-\contentsline {chapter}{Acronyms}{XXI}
+\contentsline {chapter}{\numberline {A}OsmocomBB}{III}
+\contentsline {section}{\numberline {A.1}Installation}{III}
+\contentsline {section}{\numberline {A.2}Usage}{IV}
+\contentsline {section}{\numberline {A.3}Serial Cable Schematics}{IV}
+\contentsline {chapter}{\numberline {B}IMSI Catcher Detection System}{VII}
+\contentsline {section}{\numberline {B.1}Extextions}{VII}
+\contentsline {section}{\numberline {B.2}Example Configuration}{VII}
+\contentsline {chapter}{\numberline {C}System Information}{IX}
+\contentsline {chapter}{\numberline {D}Evaluation Data}{XV}
+\contentsline {section}{\numberline {D.1}IMSI Catcher Configurations}{XV}
+\contentsline {section}{\numberline {D.2}ICDS Scans}{XV}
+\contentsline {chapter}{Acronyms}{XVII}
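Review bot: Two heading typos survive in added lines of this hunk: "Implemetation" (3.3.1) and "Extextions" (B.1), while the same commit fixes "Introduciton" and "Baste Station Controller" elsewhere in the file. Master.toc is generated, so correct the `\subsection` and `\section` titles in the source files to "Implementation" and "Extensions" and rebuild.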