-rw-r--r-- Src/PyCatcher/src/pyCatcherSettings.py 18
-rw-r--r-- Tex/Content/Appendix.tex 26
-rw-r--r-- Tex/Content/Detection.tex 193
-rw-r--r-- Tex/Content/GSM.tex 1
-rw-r--r-- Tex/Images/c123_pcb.jpg bin 0 -> 684904 bytes
-rw-r--r-- Tex/Images/t191cable.jpg bin 0 -> 37492 bytes
-rw-r--r-- Tex/Master/Glossary.tex 9
-rw-r--r-- Tex/Master/Master.acn 66
-rw-r--r-- Tex/Master/Master.aux 109
-rw-r--r-- Tex/Master/Master.ist 2
-rw-r--r-- Tex/Master/Master.lof 5
-rw-r--r-- Tex/Master/Master.log 112
-rw-r--r-- Tex/Master/Master.lot 5
-rw-r--r-- Tex/Master/Master.pdf bin 6434216 -> 7368893 bytes
-rw-r--r-- Tex/Master/Master.synctex.gz bin 322615 -> 377399 bytes
-rw-r--r-- Tex/Master/Master.toc 55
-rw-r--r-- Tex/Presentation/IMSMICatcher.png bin 668107 -> 0 bytes
17 files changed, 490 insertions, 111 deletions
diff --git a/Src/PyCatcher/src/pyCatcherSettings.py b/Src/PyCatcher/src/pyCatcherSettings.py
deleted file mode 100644
index 7ced6b3..0000000
--- a/Src/PyCatcher/src/pyCatcherSettings.py
+++ /dev/null
@@ -1,18 +0,0 @@
-#needed commands with full path to applications
-
-PyCatcher_settings = {'debug' : False,
- }
-
-Device_settings = { 'mobile_device' : '/dev/ttyUSB0',
- 'xor_type' : 'c123xor',
- 'firmware' : 'compal_e88',
- }
-
-Osmocon_lib = '/home/tom/Documents/imsi-catcher-detection/Src/osmocom-bb/src'
-
-Commands = {'osmocon_command' : [Osmocon_lib + '/host/osmocon/osmocon',
- '-p', Device_settings['mobile_device'],
- '-m', Device_settings['xor_type'],
- Osmocon_lib + '/target/firmware/board/' + Device_settings['firmware'] + '/layer1.compalram.bin'],
- 'scan_command' : [Osmocon_lib + '/host/layer23/src/misc/catcher'],
- }
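Review bot: Deleting pyCatcherSettings.py removes PyCatcher_settings, Device_settings and Commands with no replacement visible in this commit (the diffstat lists no other file under Src/), so any module still importing them would break; move the settings in the same commit or say in the commit message where they now live. If the file returns in another form, drop the hard-coded `Osmocon_lib = '/home/tom/Documents/imsi-catcher-detection/Src/osmocom-bb/src'` and take the osmocom-bb location from the environment or a per-user config file, since the osmocon and catcher binaries are launched from that path. The code deletion is also unrelated to the thesis text changes in the rest of the commit and would be easier to review on its own.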
diff --git a/Tex/Content/Appendix.tex b/Tex/Content/Appendix.tex
index 1563860..b982674 100644
--- a/Tex/Content/Appendix.tex
+++ b/Tex/Content/Appendix.tex
@@ -1,4 +1,22 @@
-\chapter{appendix}
-\section{OsmocomBB}
-\subsection{Installation}
-\label{sec:osmo_install} \ No newline at end of file
+\chapter{OsmocomBB}
+\section{Installation}
+\label{sec:osmo_install}
+\section{Usage}
+\label{sec:osmo_usage}
+\section{Serial Cable Schematics}
+\label{sec:osmo_serial_schematics}
+
+\chapter{IMSI Catcher Detection System}
+
+\section{Example Configuration}
+
+\chapter{System Information}
+\label{sec:system_infos}
+\section{Type 1}
+\section{Type 2}
+\section{Type 3}
+\section{Type 4}
+
+\chapter{Evaluation Data}
+\section{IMSI Catcher Configurations}
+\section{ICDS Scans} \ No newline at end of file
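Review bot: Labelling is inconsistent in the new appendix skeleton: `\chapter{IMSI Catcher Detection System}`, `\section{Example Configuration}`, `\chapter{Evaluation Data}` and its two sections get no `\label`, while the OsmocomBB sections and `\chapter{System Information}` do, and the latter uses a `sec:` prefix on a chapter. Add labels to the remaining entries now so the body text can reference them, and consider a distinct prefix for chapter-level labels. `\section{Usage}` and the System Information sections are empty stubs; a `%TODO` marker, as used in Detection.tex, would make that explicit.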
diff --git a/Tex/Content/Detection.tex b/Tex/Content/Detection.tex
index 703df61..61efcd2 100644
--- a/Tex/Content/Detection.tex
+++ b/Tex/Content/Detection.tex
@@ -3,14 +3,18 @@
The following section will give a short overview of the OsmocomBB framework and how it works in conjunction with the Motorola C123 mobile phone to enable information harvesting for the \gls{icds}.
OsmocomBB is one of many \gls{osmo} projects\footnote{\url{http://osmocom.org/}} that implements the software part of a mobile phone.
Another project is OpenBSC which implements software for configuring and operating a \gls{bsc}.
-OpenBSC is used to realise the Open Source IMSI Catcher \cite{dennis} and the base station that will be used later to evaluate the performance of the \gls{icds}.
+OpenBSC was used to realise the Open Source IMSI Catcher \cite{dennis} and the base station that will be used later to evaluate the performance of the \gls{icds}.
\subsection{OsmocomBB}
OscmocomBB is the project that implements the baseband part of \gls{gsm} as an open source project.
+Baseband means an open source software to control the baseband chip inside the mobile phone which is a different processor than the application processor.
The goal is to have, by using compatible hardware, a phone using free software only as opposed proprietary baseband implementations.
+Therefor the project scope is implementing \gls{gsm} layer 1-3 as well as hardware drivers for the baseband chipset.
+A simple user interface on the phone is planned but not yet implemented and a verbose user interface on the computer.
This could be beneficial to multiple areas \cite{osmo_rationale}:
\begin{itemize}
\item \textbf{Security:} The software running on the baseband chips is highly proprietary and closed.
+ The source is often disclosed only to the mobile phone manufacturers using the specific chipset.
One cannot be sure that this software does not have bugs that could be exploited and ultimately pose a security risk to the subscriber.
History has shown that open source projects are more secure than proprietary solutions since more people can view the source to find issues.
If a security threat is found the bug is fixed fast and a patch is released.
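Review bot: The added sentence "A simple user interface on the phone is planned but not yet implemented and a verbose user interface on the computer." has no verb in its second half, so it does not say whether the computer-side interface exists or is also only planned; state which. In the same hunk, "Therefor the project scope" should read "Therefore", and "Baseband means an open source software to control the baseband chip" defines the term as the software itself; define the baseband processor first and then describe OsmocomBB as free software for it.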
@@ -18,19 +22,34 @@ This could be beneficial to multiple areas \cite{osmo_rationale}:
\item \textbf{Education:} Currently knowledge about \gls{gsm} and its layers on a technical level is not very well spread.
The literature so far
An open source implementation as a reference could serve to educate more developers generally interested in the subject of mobile communications and thus improve products and software.
- \item \textbf{Research:} An open source implementation can decouple research on \gls{gsm} technologies from the industry since key technologies are no longer only available to researchers employed to a specific company.
+ Additionally this implementation enables universities to hold practical lab courses and private persons to do hands-on experiments.
+ \item \textbf{Research:} A free implementation can decouple research on \gls{gsm} technologies from the industry since key technologies are no longer only available to researchers employed to a specific company.
+ Additionally this way security holes can be uncovered more easily.
+ Modifications to the protocol stack can be deployed and tested in a real environment.
\end{itemize}
-The project targets \gls{gsm} layers 1-3 with the first layer being already implemented and ported to an open source firmware.
-At this point layer two and three are do not actually run on the phone but rather on a computer to which the phone is connected via a serial cable.
-More information on the compatible phones will be presented in Section \ref{sec:osmo_phones}.
+\subsubsection{Project Status}
+At this point layer two and three do not actually run on the phone but rather on a computer to which the phone is connected via a serial cable whereas layer 1 runs inside the custom firmware on the \gls{me} itself, since the procedures on layer 1 are very time critical.
+This has advantages as well as disadvantages.
+The disadvantage is that in order to run an application written with OsmocomBB you always have to have a notebook in addition to the phone.
+The benefit however is that during the development process, the phone does not have to be touched after an initial deployment of the firmware.
+This means code can be modified, compiled and tested locally without the need of remote debugging; experimenting is considerably easier this way.
+This separation however would not work in the original \gls{gsm} specification, therefore an extra interface between layer 1 and 2 had to be implemented to manage handle messages.
+It is called L1CTL.
\begin{figure}
\centering
+\includegraphics{../Images/OsmoStructure}
\caption{Interaction of the OsmocomBB components with the ICDS software.}
\label{fig:osmo_setup}
\end{figure}
+The current state of the project is, according to a presentation given on the 27$^\text{th}$ chaos communication congress\footnote{27C3: \url{http://events.ccc.de/congress/2010/wiki/Main_Page}} by Dieter Spaar and Harald Welte, that the network layers 1-3 are fully implemented, SIM cards can be accessed or emulated and \gls{gsm} cell selection and reselection are working.
+A3/A8 as well as A5/1 and A/52, Full Rate and Enhanced Full Rate codecs are there, so it is possible to do voice calls with an OsmocomBB application written for that purpose, called \texttt{mobile}.
+It features a terminal/telnet based interface much like Cisco routers however there is no user interface for the phone so far or any implementation for Handovers since neighbourhood measurements are not implemented in the framework as of now.
+During these calls or during the operation of other programs, it is possible to receive all the frames that are being transmitted via Wireshark from the \texttt{osmocon} application \cite{konrad}.
+
+\subsubsection{OsmocomBB and ICDS}
The setup that is used for the \gls{icds} project can be seen in Figure \ref{fig:osmo_setup}.
It was build and tested in a Xubuntu 11.10 environment \footnote{http://xubuntu.org/} which is a more lightweight variant of the popular Debian based Ubuntu Linux distribution.
The process of acquiring, compiling and running the OsmocomBB framework itself in this environment is explained in Appendix \ref{sec:osmo_install}.
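Review bot: In the Project Status paragraph the cipher list reads "A3/A8 as well as A5/1 and A/52"; the last one should be A5/2, and since the evaluation rules later treat encryption as a detection criterion the algorithm names need to be exact. Also in this hunk, "had to be implemented to manage handle messages" has a leftover word, and the sentence beginning "It features a terminal/telnet based interface" runs three separate statements together (interface, missing phone UI, missing handover) and should be split. "27$^\text{th}$ chaos communication congress" should be capitalised as a proper name.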
@@ -41,18 +60,175 @@ On the computer side the \texttt{osmocon} program provides a general interface t
Other software can communicate with \texttt{osmocon} and subsequently with the phone using unix sockets.
\texttt{Catcher} is a modified version of the \texttt{cell\_log} program by Andreas Eversberg that interfaces with \texttt{osmocon} to harvest information from \gls{bts} and forward it to the \gls{icds}.
-It can be seen as a layer 2/3 program that scans through available frequencies and reads information from the \gls{bcch} whenever one such channel is available on the frequency at hand.
+It can be seen as a layer 3 program that scans through available frequencies and reads information from the \gls{bcch} whenever one such channel is available on the frequency at hand.
The forwarding is done directly via \texttt{stdout} since it runs as a child process of the \gls{icds}.
The functionality of \texttt{catcher} will be explained in detail in Section \ref{sec:info_gathering} while the implementation and operation of the \gls{icds} will be discussed in Section \ref{sec:icds}.
-
\subsection{Motorola C123}
\label{sec:osmo_phones}
+Since the general idea behind OsmocomBB was to become a vendor independent open source \gls{gsm} implementation for everyone to use, there were certain requirements the targeted hardware would have to meet.
+For the consumer side requirements these were having a low price and a good availability.
+This criterion rules out \gls{diy} approaches since number of produced devices would be low and thus costly or a significant technical knowledge would be expected from all users to assemble the hardware.
+For the developer side this would also mean implementing a lot on the lower levels of analog logic.
+Therefore the Motorola C123 was chosen, an old, very cheap phone that is well spread.
+It has the advantage of being very simple on the hardware side since it is based on the well documented Texas Instruments Calypso Chipset\footnote{Documentation can be found on \url{http://cryptome.org} and other sites.}
+Table \ref{tab:c123_specs} shows an overview of the main specifications for the phone.
+\begin{table}
+\centering
+ \begin{tabular}{ll}
+ \toprule
+ Component &Specification\\
+ \midrule
+ Band &GSM 900, GSM 1800\\
+ Size &$101\times 45\times 21$ mm\\
+ Weight &86 g\\
+ Battery &920mAh Li-Ion battery\\
+ Digital Baseband &Texas Instruments Calypso\\
+ Analog Basenand &Texas Instruments Iota TWL3025\\
+ GSM Transceiver &Texas Instruments Rita TRF6151C\\
+ \bottomrule
+ \end{tabular}
+ \caption{Technical specifications for the Motorola C123.}
+ \label{tab:c123_specs}
+\end{table}
+The OsmocomBB framework should work well or with small adjustments for phones that share the same components.
+Figure \ref{fig:osmo_c123} an image of the Motorola C123 circuit board with the components mentioned before.
+\begin{figure}
+\centering
+ \includegraphics[width=.9\textwidth]{../Images/c123_pcb}
+ \caption{Circuit board of the Motorola C123 with its components \cite{osmo_wiki_c123}.}
+ \label{fig:osmo_c123}
+\end{figure}
+Another reason for choosing this hardware platform was that during the start of the OsmocomBB project an open source implementation of \gls{gsm} layer 1 was already available on sourceforge (TSM30 Project) that could be used as a reference.
+
+In order to use the Motorola C123 in combination with the OsmocomBB framework the custom firmware implementing layer 1 and L1CTL has to be flashed.
+This has to be done using a RS332 serial cable that is connected to the 2.5 mm audio jack.
+The audio jack of the Motorola C123 and other Calypso based mobile phones typically have a 3.3 V serial port on their audio jacks.
+These cables are normally referred to as T191 unlock cables
+A variety of stores around the internet sell the cables ready made for about \$10\footnote{\url{http://fonefunshop.co.uk}}.
+One must be careful when using the PC's serial port to communicate with the phone though.
+Since the phone's serial operates at 3.3 V and is internally connected to the 2.8 V IO-pins of the baseband processor, directly connecting it to the computers 12 V serial port will destroy the hardware.
+Therefore it is recommended to use a USB serial cable.
+Schematics for such an unlock cable, along with a few instructions on how to build one are given in Appendix \ref{sec:osmo_serial_schematics}.
+Another issue is virtualisation.
+The bootloader and the firmware can fail to be deployed correctly if a virtual machine is used as development system.
+This is because the protocol used by Motorola to do the actual flashing process is \emph{very} time critical and thus timeouts can occur that are caused by the overhead the virtual machine imposes on the hardware/software communication.
\section{Procedure}
+The main goal of the \gls{icds} is to reach a conclusion on whether it is safe to initiate a phone call or not, in other words if we trust all surrounding base stations.
+As mentioned before as soon as a subscriber connects to an IMSI Catcher it automatically gives up information on his/her location.
+Therefore this project will use a passive approach on information harvesting, meaning we will only use information that is broadcasted or freely available as to not give up any hints of the \gls{icds} being active.
+
+To that end a four-step process is taken.
+First the information is gathered.
+This process is explained in detail in Section \ref{sec:info_gathering}.
+After information on the surrounding \gls{bts} is ready in the \gls{icds} a set of checks is evaluated on each base station individually each yielding a specific result for the station.
+These checks are called rules and discussed further along with the next two steps in Section \ref{sec:info_evaluation}.
+The next step is to aggregate all the results the rules yielded for each base station into one single result for each \gls{bts}.
+At last, after every \gls{bts} has its evaluation it can be decided whether to tell the subscriber it is safe to initiate a phone call or not.
+
\subsection{Information Gathering}
\label{sec:info_gathering}
+As explained in Section \ref{sec:common_channels} every base station has an associated \gls{bcch} where information about the station and its network is spread.
+\gls{bcch} frames are always sent inside a 51-Multiframe.
+After the \gls{ms} has synchronised using the values on the \gls{fcch} and \gls{sch} it can determine which kind of information is hosted inside the \gls{bcch} message.
+These so called System Information Messages originate at the \gls{bsc} and are produced for each \gls{bts} individually and then periodically broadcasted.
+Since all the required information would not fit inside a single frame there are different kinds of System Information Messages that are distinguished by their \gls{tc} and host different kinds of information.
+The type can be extracted using the \gls{fn} of the frame the message is sent in \cite{GSM2009}:
+\[\text{TC}=(\text{FN} \text{ div } 51)\text{ mod } 8\]
+Table \ref{tab:tc_mapping} shows how the \glspl{tc} can be mapped on those types.
+\begin{table}
+\centering
+\begin{tabular}{lc}
+\toprule
+TC &System Information Type\\
+\midrule
+0 &Type 1\\
+1 &Type 2\\
+2,6 &Type 3\\
+3,7 &Type 4\\
+4,5 &Any (optional)\\
+\bottomrule
+\end{tabular}
+\caption{Type Codes and the corresponding System Information Types \cite{GSM2009}.}
+\label{tab:tc_mapping}
+\end{table}
+For this project the System Information Type 1-4 are of interest because these are available to all \gls{ms} that tune in to the particular \gls{bcch} of the respective \gls{bts} without actively connecting to it.
+
+The harvesting of information contained in these System Information Messages is done via the \texttt{catcher} program.
+\texttt{Catcher} is implemented inside the OsmocomBB framework and connects over the \texttt{osmocon} application to the Motorola C123.
+At first a sweep scan is done over all the \glspl{arfcn} to measure their reception levels in order to determine where base stations and thus \glspl{bcch} are located.
+Afterwards \texttt{catcher} tunes the phone to those specific frequencies where a \gls{bts} was found
+%TODO: see whether all parameters can be harvested inside OsmocomBB
+At each such frequency it waits until all the System Information Messages are gathered and extracts parameters where possible.
+The parameters along with the raw data are forwarded to the main \gls{icds} application for further parsing and evaluation.
+An example for a parsed System Information Type 2 Message can be seen in Figure \ref{fig:sysinfo2}.
+Examples for all the System Information Messages used are located in Appendix \ref{sec:system_infos}.
+\begin{figure}
+\centering
+\caption{System Information 2 Message with annotations \cite{protocols1999}.}
+\label{fig:sysinfo2}
+\end{figure}
+As long as scanning mode is active all the available stations are scanned repeatedly and changes in the \gls{bts} will continuously update the data model inside the \gls{icds} software.
+The parameters harvested are:
+%TODO: add more detail of format
+\begin{itemize}
+ \item Country: The interpreted country code the base station is broadcasting.
+ \item Provider: The interpreted provider code the base station is broadcasting.
+ \item ARFCN: The \gls{arfcn} on which the base station is located.
+ \item rxlev: Receiving strength in db.
+ This parameter is measured by the Motorola C123 and not part of the System Information Messages.
+ Even small changes in the location can have a large impact on this parameter due to shadowing and reflection.
+ How ever it can be used in certain cases as will be discussed in Section \ref{sec:fake_parameters}.
+ \item BSIC: Because of frequency reuse in a cellular network it is possible that two different base stations can sent at the same \gls{arfcn}.
+ In order for the \gls{ms} to keep these apart the \gls{bsic} is also broadcasted.
+ It consists of a \gls{ncc} identifying the provider, so the \gls{ms} can filter out messages that is does not need and the \gls{bcc} that must be unique for a given provider over all base station in a large area.
+ \item LAC: This is the last part of the \gls{lai} (that consists of \gls{mcc} + \gls{mnc} + \gls{lac}) and is a hierarchical identifier for a given base station.
+ The hierarchy is provider wide, meaning two different providers may use \glspl{lac} with a completely different numbering system.
+ \item Cell ID: The Cell ID is a globally unique identifier for the cell the \gls{ms} is connected to.
+ \item Neighbouring Cells: Each base station keeps a list of other base stations in the perimeter for the \gls{ms} to scan and determine if there is a \gls{bts} with a better reception in the area.
+ \item Encryption: The encryption algorithm used to encrypt the voice data.
+ Note that encryption cannot actually be read passively from a base station since the encryption algorithm is determined when a connection is established.
+ %TODO: find out exactly how this is done
+ To not become active and connect to the station, this is harvested by tuning in to something and capture the packages that set the encryption for another mobile subscriber.
+\end{itemize}
+Since the \texttt{catcher} program is spawned inside the \gls{icds} application as a subprocess, information forwarding is done via stdout so new parameters could be implemented with minimal overhead.
+
\subsection{Information Evaluation}
+\label{sec:info_evaluation}
+Each base station is evaluated the moment the data completely arrived at the \gls{icds} application.
+Additionally when a new \gls{bts} has been found and added all formerly discovered station are also re-evaluated since new discoveries can have an impact on the rules that evaluate the context surrounding an old base station.
+
+As mentioned above, evaluation is done based on constructs called rules.
+Each rule represents one check that can be performed on a base station and yields a result based on its findings.
+Possible results are:
+\begin{itemize}
+ \item Critical: This means that the base station evaluated has a critical configuration error or critical settings that are not found on normal base stations, \eg unknown provider names or encryption is turned off.
+ This station should not be trusted.
+ \item Warning: The \gls{bts} at hand has some concerning features but it could not be said whether this really is a hint to a catcher or sheer coincidence.
+ An example would be a base station having a neighbouring cell list of which none of the cells therein have actually be found up to that point.
+ The list could either be a fake or it could simply be coincidence that scan has not found any up to that point.
+ \item Ok: The result is as expected.
+ \item Ignore: In some cases the rule cannot yield a finding.
+ In that case the state is explicitly to 'ignore' so the evaluator knows that this rule should have no influence on the final outcome.
+ This is the case for example when trying to find whether the base station uses encryption or not and no other subscriber connects until a set timeout is reached.
+\end{itemize}
+Rules can be divided into two categories depending on what they do.
+The first category are 'Configuration Rules' while the second are 'Context Rules'.
+An overview as well as details on the rules implemented for each category can be found in the next two sections.
+
+\subsubsection{Configuration Rules}
+This set of rules targets the base station itself.
+Rules in this category are meant to check the parameters that concern the \gls{bts} and check them for integrity and configuration mistakes that could have been made by an IMSI catcher operator.
+
+
+\subsubsection{Contextual Rules}
+
+\subsubsection{Rule Evaluation}
+
+\subsection{Fake Parameters}
+\label{sec:fake_parameters}
+
\section{IMSI Catcher Detection System}
\label{sec:icds}
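Review bot: The Encryption item in the harvested-parameters list says the value is obtained "by tuning in to something and capture the packages" with a `%TODO` above it, yet the Critical and Ignore results defined under Information Evaluation both depend on this parameter; name the channel and message that are observed, or mark the parameter as not yet implemented so the rule description does not promise more than the scan delivers. The Cell ID item calls it "a globally unique identifier", which conflicts with the LAC item just above: the identifier is only unique together with the \gls{lai}. Smaller points in this hunk: "RS332 serial cable" should be RS232, "Analog Basenand" in the specification table should be "Baseband", "These cables are normally referred to as T191 unlock cables" lacks its full stop, the rxlev unit "db" should be written as the unit the phone actually reports, the `fig:sysinfo2` figure has a caption and label but no `\includegraphics`, and `\eg` needs a macro definition somewhere in the preamble.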
@@ -60,4 +236,5 @@ The functionality of \texttt{catcher} will be explained in detail in Section \re
\subsubsection{Architecture}
\subsubsection{Extensions}
\subsection{Configuration}
-\subsection{Operation} \ No newline at end of file
+\subsection{Operation}
+\label{sec:icds_operation} \ No newline at end of file
diff --git a/Tex/Content/GSM.tex b/Tex/Content/GSM.tex
index e05d113..402e6e6 100644
--- a/Tex/Content/GSM.tex
+++ b/Tex/Content/GSM.tex
@@ -751,6 +751,7 @@ These are point to point channels.
\end{itemize}
\subsubsection{Common Channels}
+\label{sec:common_channels}
The common channels contain data interesting to all subscribers, thus having a broadcast nature.
These are point to multi-point channels.
\begin{itemize}
diff --git a/Tex/Images/c123_pcb.jpg b/Tex/Images/c123_pcb.jpg
new file mode 100644
index 0000000..a9f24fc
--- /dev/null
+++ b/Tex/Images/c123_pcb.jpg
Binary files differ
diff --git a/Tex/Images/t191cable.jpg b/Tex/Images/t191cable.jpg
new file mode 100644
index 0000000..0e9fa5d
--- /dev/null
+++ b/Tex/Images/t191cable.jpg
Binary files differ
diff --git a/Tex/Master/Glossary.tex b/Tex/Master/Glossary.tex
index 54aed03..72a425b 100644
--- a/Tex/Master/Glossary.tex
+++ b/Tex/Master/Glossary.tex
@@ -90,4 +90,11 @@
\newacronym{bgs}{BGS}{Bundesgrenzschutz}
\newacronym{bmi}{BMI}{Bundesminiterium des Inneren}
\newacronym{osmo}{Osmocom}{Open source mobile communications}
-\newacronym{icds}{ICDS}{IMSI Catcher Detection System} \ No newline at end of file
+\newacronym{icds}{ICDS}{IMSI Catcher Detection System}
+\newacronym{diy}{DIY}{do-it-yourself}
+\newacronym{tc}{TC}{Type Code}
+\newacronym{fn}{FN}{Frame Number}
+\newacronym{lac}{LAC}{Location Area Code}
+\newacronym{ncc}{NCC}{Network Color Code}
+\newacronym{bcc}{BCC}{Base Station Color Code}
+\newacronym{bsic}{BSIC}{Base Station Identification Code} \ No newline at end of file
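Review bot: The file again ends without a trailing newline after `\newacronym{bsic}`, which is why the untouched `\newacronym{icds}` line shows up as removed and re-added in this hunk; end the file with a newline so future acronym additions produce clean one-line diffs. The same applies to Appendix.tex and Detection.tex in this commit. The new entries use "Color" while the chapter text uses British spelling ("neighbouring", "synchronised"); pick one.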
diff --git a/Tex/Master/Master.acn b/Tex/Master/Master.acn
index 8c430f2..7cc01b8 100644
--- a/Tex/Master/Master.acn
+++ b/Tex/Master/Master.acn
@@ -457,11 +457,63 @@
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{39}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{39}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{40}
+\glossaryentry{ME?\glossaryentryfield{me}{\glsnamefont{ME}}{Mobile Equipment}{\relax }|setentrycounter{page}\glsnumberformat}{40}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{40}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{40}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{41}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{41}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{41}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{41}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{41}
+\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{41}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{41}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{41}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{41}
+\glossaryentry{DIY?\glossaryentryfield{diy}{\glsnamefont{DIY}}{do-it-yourself}{\relax }|setentrycounter{page}\glsnumberformat}{41}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{42}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{43}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{43}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{43}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{43}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{43}
+\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{43}
+\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{43}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{43}
+\glossaryentry{FCCH?\glossaryentryfield{fcch}{\glsnamefont{FCCH}}{Frequency Correction Channel}{\relax }|setentrycounter{page}\glsnumberformat}{43}
+\glossaryentry{SCH?\glossaryentryfield{sch}{\glsnamefont{SCH}}{Signalling Channel}{\relax }|setentrycounter{page}\glsnumberformat}{43}
+\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{43}
+\glossaryentry{BSC?\glossaryentryfield{bsc}{\glsnamefont{BSC}}{Base Station Controller}{\relax }|setentrycounter{page}\glsnumberformat}{43}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{43}
+\glossaryentry{TC?\glossaryentryfield{tc}{\glsnamefont{TC}}{Type Code}{\relax }|setentrycounter{page}\glsnumberformat}{44}
+\glossaryentry{FN?\glossaryentryfield{fn}{\glsnamefont{FN}}{Frame Number}{\relax }|setentrycounter{page}\glsnumberformat}{44}
+\glossaryentry{TC?\glossaryentryfield{tc}{\glsnamefont{TC}}{Type Code}{\relax }|setentrycounter{page}\glsnumberformat}{44}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{44}
+\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{44}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{44}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{44}
+\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{44}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{44}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{44}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{44}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{44}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{44}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{45}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{45}
+\glossaryentry{BSIC?\glossaryentryfield{bsic}{\glsnamefont{BSIC}}{Base Station Identification Code}{\relax }|setentrycounter{page}\glsnumberformat}{45}
+\glossaryentry{NCC?\glossaryentryfield{ncc}{\glsnamefont{NCC}}{Network Color Code}{\relax }|setentrycounter{page}\glsnumberformat}{45}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{45}
+\glossaryentry{BCC?\glossaryentryfield{bcc}{\glsnamefont{BCC}}{Base Station Color Code}{\relax }|setentrycounter{page}\glsnumberformat}{45}
+\glossaryentry{LAI?\glossaryentryfield{lai}{\glsnamefont{LAI}}{Location Area Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{45}
+\glossaryentry{MCC?\glossaryentryfield{mcc}{\glsnamefont{MCC}}{Mobile Country Code}{\relax }|setentrycounter{page}\glsnumberformat}{45}
+\glossaryentry{MNC?\glossaryentryfield{mnc}{\glsnamefont{MNC}}{Mobile Network Code}{\relax }|setentrycounter{page}\glsnumberformat}{45}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{45}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{45}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{45}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{45}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{45}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{45}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{45}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{45}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{46}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{46}
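Review bot: several acronym expansions in these added \glossaryentry lines do not match the standard GSM terms: BTS appears as "Base Station Transceiver" (Base Transceiver Station), BCCH as "Broadcast Channel" (Broadcast Control Channel) and ARFCN as "Absolute Radio Frequency Number" (Absolute Radio Frequency Channel Number). These entries are written by the glossaries package, so the correction belongs in the acronym definitions in the source; a rebuild then regenerates the lines here.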
diff --git a/Tex/Master/Master.aux b/Tex/Master/Master.aux
index ad1032b..c58e328 100644
--- a/Tex/Master/Master.aux
+++ b/Tex/Master/Master.aux
@@ -152,6 +152,7 @@
\newlabel{sec:channels}{{2.3.2}{27}}
\@writefile{toc}{\contentsline {subsubsection}{Dedicated Channels}{28}}
\@writefile{toc}{\contentsline {subsubsection}{Common Channels}{28}}
+\newlabel{sec:common_channels}{{2.3.2}{28}}
\citation{gsm0502}
\citation{GSM2009}
\citation{GSM2009}
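Review bot: the added \newlabel{sec:common_channels} resolves to {2.3.2}, the same number sec:channels carries at the top of this hunk, because the label sits under the unnumbered "Common Channels" subsubsection. A \ref to it will print 2.3.2 and read as a reference to the parent subsection; refer to it by name or page (it is on page 28, the parent on 27), or number the heading.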
@@ -222,38 +223,66 @@
\@writefile{toc}{\contentsline {section}{\numberline {3.1}Framework and Hardware}{39}}
\FN@pp@footnote@aux{7}{39}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.1.1}OsmocomBB}{39}}
+\citation{konrad}
\@writefile{lof}{\contentsline {figure}{\numberline {3.1}{\ignorespaces Interaction of the OsmocomBB components with the ICDS software.}}{40}}
\newlabel{fig:osmo_setup}{{3.1}{40}}
+\@writefile{toc}{\contentsline {subsubsection}{Project Status}{40}}
\FN@pp@footnote@aux{8}{40}
+\citation{osmo_wiki_c123}
+\citation{osmo_wiki_c123}
+\@writefile{toc}{\contentsline {subsubsection}{OsmocomBB and ICDS}{41}}
+\FN@pp@footnote@aux{9}{41}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.1.2}Motorola C123}{41}}
\newlabel{sec:osmo_phones}{{3.1.2}{41}}
-\@writefile{toc}{\contentsline {section}{\numberline {3.2}Procedure}{41}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.1}Information Gathering}{41}}
-\newlabel{sec:info_gathering}{{3.2.1}{41}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.2}Information Evaluation}{41}}
-\@writefile{toc}{\contentsline {section}{\numberline {3.3}IMSI Catcher Detection System}{41}}
-\newlabel{sec:icds}{{3.3}{41}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.1}Implemetation}{41}}
-\@writefile{toc}{\contentsline {subsubsection}{Architecture}{41}}
-\@writefile{toc}{\contentsline {subsubsection}{Extensions}{41}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.2}Configuration}{41}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.3}Operation}{41}}
-\FN@pp@footnotehinttrue
-\FN@pp@footnotehinttrue
-\@writefile{toc}{\contentsline {chapter}{\numberline {4}Evaluation}{43}}
+\FN@pp@footnote@aux{10}{41}
+\@writefile{lot}{\contentsline {table}{\numberline {3.1}{\ignorespaces Technical specifications for the Motorola C123.}}{42}}
+\newlabel{tab:c123_specs}{{3.1}{42}}
+\FN@pp@footnote@aux{11}{42}
+\@writefile{toc}{\contentsline {section}{\numberline {3.2}Procedure}{42}}
+\citation{GSM2009}
+\@writefile{lof}{\contentsline {figure}{\numberline {3.2}{\ignorespaces Circuit board of the Motorola C123 with its components \cite {osmo_wiki_c123}.}}{43}}
+\newlabel{fig:osmo_c123}{{3.2}{43}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.1}Information Gathering}{43}}
+\newlabel{sec:info_gathering}{{3.2.1}{43}}
+\citation{GSM2009}
+\citation{GSM2009}
+\citation{protocols1999}
+\citation{protocols1999}
+\@writefile{lot}{\contentsline {table}{\numberline {3.2}{\ignorespaces Type Codes and the corresponding System Information Types \cite {GSM2009}.}}{44}}
+\newlabel{tab:tc_mapping}{{3.2}{44}}
+\@writefile{lof}{\contentsline {figure}{\numberline {3.3}{\ignorespaces System Information 2 Message with annotations \cite {protocols1999}.}}{44}}
+\newlabel{fig:sysinfo2}{{3.3}{44}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.2}Information Evaluation}{45}}
+\newlabel{sec:info_evaluation}{{3.2.2}{45}}
+\@writefile{toc}{\contentsline {subsubsection}{Configuration Rules}{46}}
+\@writefile{toc}{\contentsline {subsubsection}{Contextual Rules}{46}}
+\@writefile{toc}{\contentsline {subsubsection}{Rule Evaluation}{46}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.3}Fake Parameters}{46}}
+\newlabel{sec:fake_parameters}{{3.2.3}{46}}
+\@writefile{toc}{\contentsline {section}{\numberline {3.3}IMSI Catcher Detection System}{46}}
+\newlabel{sec:icds}{{3.3}{46}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.1}Implemetation}{46}}
+\@writefile{toc}{\contentsline {subsubsection}{Architecture}{46}}
+\@writefile{toc}{\contentsline {subsubsection}{Extensions}{46}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.2}Configuration}{46}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.3}Operation}{46}}
+\newlabel{sec:icds_operation}{{3.3.3}{46}}
+\FN@pp@footnotehinttrue
+\FN@pp@footnotehinttrue
+\@writefile{toc}{\contentsline {chapter}{\numberline {4}Evaluation}{47}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{lol}{\addvspace {10\p@ }}
-\@writefile{toc}{\contentsline {section}{\numberline {4.1}Example Scenarios}{43}}
-\@writefile{toc}{\contentsline {section}{\numberline {4.2}Test Period}{43}}
+\@writefile{toc}{\contentsline {section}{\numberline {4.1}Example Scenarios}{47}}
+\@writefile{toc}{\contentsline {section}{\numberline {4.2}Test Period}{47}}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
-\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion}{45}}
+\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion}{49}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{lol}{\addvspace {10\p@ }}
-\@writefile{toc}{\contentsline {section}{\numberline {5.1}Related Projects}{45}}
-\@writefile{toc}{\contentsline {section}{\numberline {5.2}Future Work}{45}}
+\@writefile{toc}{\contentsline {section}{\numberline {5.1}Related Projects}{49}}
+\@writefile{toc}{\contentsline {section}{\numberline {5.2}Future Work}{49}}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
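Review bot: the re-added \contentsline for subsection 3.3.1 still spells the title "Implemetation", so the typo was carried over when the entries moved from page 41 to 46; correct it to "Implementation" in the chapter source. The headings from "Configuration Rules" through 3.3.3 "Operation" also all resolve to page 46, so the new labels sec:fake_parameters and sec:icds_operation currently point at headings with no body text between them.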
@@ -302,24 +331,56 @@
\citation{fox}
\citation{def_catcher}
\citation{mueller}
+\citation{osmo_wiki_c123}
+\citation{protocols1999}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
\citation{protocols1999}
\citation{kommsys2006}
\citation{GSM2009}
+\citation{GSM2009}
+\FN@pp@footnotehinttrue
+\FN@pp@footnotehinttrue
+\@writefile{toc}{\contentsline {chapter}{\numberline {A}OsmocomBB}{VII}}
+\@writefile{lof}{\addvspace {10\p@ }}
+\@writefile{lot}{\addvspace {10\p@ }}
+\@writefile{lol}{\addvspace {10\p@ }}
+\@writefile{toc}{\contentsline {section}{\numberline {A.1}Installation}{VII}}
+\newlabel{sec:osmo_install}{{A.1}{VII}}
+\@writefile{toc}{\contentsline {section}{\numberline {A.2}Usage}{VII}}
+\newlabel{sec:osmo_usage}{{A.2}{VII}}
+\@writefile{toc}{\contentsline {section}{\numberline {A.3}Serial Cable Schematics}{VII}}
+\newlabel{sec:osmo_serial_schematics}{{A.3}{VII}}
+\FN@pp@footnotehinttrue
+\FN@pp@footnotehinttrue
+\@writefile{toc}{\contentsline {chapter}{\numberline {B}IMSI Catcher Detection System}{IX}}
+\@writefile{lof}{\addvspace {10\p@ }}
+\@writefile{lot}{\addvspace {10\p@ }}
+\@writefile{lol}{\addvspace {10\p@ }}
+\@writefile{toc}{\contentsline {section}{\numberline {B.1}Example Configuration}{IX}}
+\FN@pp@footnotehinttrue
+\FN@pp@footnotehinttrue
+\@writefile{toc}{\contentsline {chapter}{\numberline {C}System Information}{XI}}
+\@writefile{lof}{\addvspace {10\p@ }}
+\@writefile{lot}{\addvspace {10\p@ }}
+\@writefile{lol}{\addvspace {10\p@ }}
+\newlabel{sec:system_infos}{{C}{XI}}
+\@writefile{toc}{\contentsline {section}{\numberline {C.1}Type 1}{XI}}
+\@writefile{toc}{\contentsline {section}{\numberline {C.2}Type 2}{XI}}
+\@writefile{toc}{\contentsline {section}{\numberline {C.3}Type 3}{XI}}
+\@writefile{toc}{\contentsline {section}{\numberline {C.4}Type 4}{XI}}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
-\@writefile{toc}{\contentsline {chapter}{\numberline {A}appendix}{VII}}
+\@writefile{toc}{\contentsline {chapter}{\numberline {D}Evaluation Data}{XIII}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{lol}{\addvspace {10\p@ }}
-\@writefile{toc}{\contentsline {section}{\numberline {A.1}OsmocomBB}{VII}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {A.1.1}Installation}{VII}}
-\newlabel{sec:osmo_install}{{A.1.1}{VII}}
+\@writefile{toc}{\contentsline {section}{\numberline {D.1}IMSI Catcher Configurations}{XIII}}
+\@writefile{toc}{\contentsline {section}{\numberline {D.2}ICDS Scans}{XIII}}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
-\@writefile{toc}{\contentsline {chapter}{Acronyms}{IX}}
+\@writefile{toc}{\contentsline {chapter}{Acronyms}{XV}}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
\gdef \LT@i {\LT@entry
diff --git a/Tex/Master/Master.ist b/Tex/Master/Master.ist
index a65e3c1..9547320 100644
--- a/Tex/Master/Master.ist
+++ b/Tex/Master/Master.ist
@@ -1,5 +1,5 @@
% makeindex style file created by the glossaries package
-% for document 'Master' on 2012-3-22
+% for document 'Master' on 2012-3-29
actual '?'
encap '|'
level '!'
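Review bot: the only change in this hunk is the creation date in the header comment (2012-3-22 to 2012-3-29), which marks the file as build output that will differ on every rebuild. Consider dropping it and the other generated LaTeX files in this patch (.aux, .log, .lof, .lot, .toc) from version control and ignoring them, so that commits show only source changes.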
diff --git a/Tex/Master/Master.lof b/Tex/Master/Master.lof
index 47708a6..664ee67 100644
--- a/Tex/Master/Master.lof
+++ b/Tex/Master/Master.lof
@@ -20,6 +20,11 @@
\contentsline {figure}{\numberline {2.14}{\ignorespaces IMSI catching procedure. Adopted and simplified from \cite {mueller}.}}{34}
\addvspace {10\p@ }
\contentsline {figure}{\numberline {3.1}{\ignorespaces Interaction of the OsmocomBB components with the ICDS software.}}{40}
+\contentsline {figure}{\numberline {3.2}{\ignorespaces Circuit board of the Motorola C123 with its components \cite {osmo_wiki_c123}.}}{43}
+\contentsline {figure}{\numberline {3.3}{\ignorespaces System Information 2 Message with annotations \cite {protocols1999}.}}{44}
+\addvspace {10\p@ }
+\addvspace {10\p@ }
+\addvspace {10\p@ }
\addvspace {10\p@ }
\addvspace {10\p@ }
\addvspace {10\p@ }
diff --git a/Tex/Master/Master.log b/Tex/Master/Master.log
index 9300235..a1d3dae 100644
--- a/Tex/Master/Master.log
+++ b/Tex/Master/Master.log
@@ -1,4 +1,4 @@
-This is pdfTeX, Version 3.1415926-1.40.10 (TeX Live 2009/Debian) (format=pdflatex 2012.1.7) 22 MAR 2012 16:14
+This is pdfTeX, Version 3.1415926-1.40.10 (TeX Live 2009/Debian) (format=pdflatex 2012.1.7) 29 MAR 2012 14:35
entering extended mode
%&-line parsing enabled.
**Master.tex
@@ -1024,10 +1024,10 @@ Class scrbook Info: You've told me to use the font selection of the element
(scrbook) on input line 39.
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
-(scrbook) on input line 52.
+(scrbook) on input line 58.
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
-(scrbook) on input line 55.
+(scrbook) on input line 61.
[1
@@ -1037,19 +1037,37 @@ Class scrbook Info: You've told me to use the font selection of the element
]
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
-(scrbook) on input line 58.
+(scrbook) on input line 64.
+Class scrbook Info: You've told me to use the font selection of the element
+(scrbook) `sectioning' that is an alias of element `disposition'
+(scrbook) on input line 65.
+Class scrbook Info: You've told me to use the font selection of the element
+(scrbook) `sectioning' that is an alias of element `disposition'
+(scrbook) on input line 69.
+Class scrbook Info: You've told me to use the font selection of the element
+(scrbook) `sectioning' that is an alias of element `disposition'
+(scrbook) on input line 71.
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
-(scrbook) on input line 59.
+(scrbook) on input line 76.
+
+Overfull \hbox (1.87224pt too wide) detected at line 77
+ []\T1/ptm/m/n/10.95 XIII
+ []
+
+
+Overfull \hbox (1.87224pt too wide) detected at line 78
+ []\T1/ptm/m/n/10.95 XIII
+ []
+
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
-(scrbook) on input line 62.
+(scrbook) on input line 79.
)
\tf@toc=\write8
\openout8 = `Master.toc'.
-
-[2] (../Content/Motivation.tex
+ [2] (../Content/Motivation.tex
Chapter 1.
Class scrbook Warning: \float@addtolists detected!
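Review bot: the two added "Overfull \hbox (1.87224pt too wide)" warnings at lines 77 and 78 both show XIII as the box content, so the roman page number of the new appendix entries no longer fits the page-number column of the table of contents. Widening that column (for example by enlarging \@pnumwidth) would clear both warnings.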
@@ -1175,24 +1193,41 @@ File: uni-0.def 2004/10/17 UCS: Unicode data U+0000..U+00FF
]
Chapter 3.
-LaTeX Warning: Citation `osmo_rationale' on page 39 undefined on input line 11.
+LaTeX Warning: Citation `osmo_rationale' on page 39 undefined on input line 14.
-[39]) (../Content/Evaluation.tex
-Underfull \vbox (badness 10000) has occurred while \output is active []
+[39] <../Images/OsmoStructure.png, id=177, 387.00584pt x 79.13565pt>
+File: ../Images/OsmoStructure.png Graphic file (type png)
- [40]
-[41] [42
+<use ../Images/OsmoStructure.png>
+LaTeX Warning: Citation `konrad' on page 40 undefined on input line 50.
-]
+[40 <../Images/OsmoStructure.png (PNG copy)>]
+<../Images/c123_pcb.jpg, id=181, 1284.8pt x 856.19875pt>
+File: ../Images/c123_pcb.jpg Graphic file (type jpg)
+
+<use ../Images/c123_pcb.jpg>
+
+LaTeX Warning: Citation `osmo_wiki_c123' on page 41 undefined on input line 99.
+
+
+
+LaTeX Warning: Citation `osmo_wiki_c123' on page 41 undefined on input line 99.
+
+
+[41] [42] [43 <../Images/c123_pcb.jpg>] [44] [45]) (../Content/Evaluation.tex
+[46]
Chapter 4.
-) (../Content/Conclusion.tex [43] [44
+) (../Content/Conclusion.tex [47
+
+
+] [48
]
Chapter 5.
-) [45] [46
+) [49] [50
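Review bot: the added warnings report `konrad' (input line 50) and `osmo_wiki_c123' (input line 99) as undefined citations, next to `osmo_rationale', which was already undefined before this change. The committed build will show unresolved citation markers for all three; add the missing bibliography entries, or rerun the bibliography pass and LaTeX, before committing the output.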
@@ -1265,7 +1300,12 @@ Underfull \hbox (badness 10000) in paragraph at lines 121--126
. html$\T1/ptm/m/n/10.95 ,
[]
-) [2] (./Master.lof)
+) [2] (./Master.lof
+
+LaTeX Warning: Citation `osmo_wiki_c123' on page III undefined on input line 23
+.
+
+)
\tf@lof=\write9
\openout9 = `Master.lof'.
@@ -1279,13 +1319,27 @@ Underfull \hbox (badness 10000) in paragraph at lines 121--126
\tf@lot=\write10
\openout10 = `Master.lot'.
- [5] (../Content/Appendix.tex
-[6
+ [5] (../Content/Appendix.tex [6
]
Appendix A.
-) (./Master.acr [7] [8
+[7] [8
+
+
+]
+Appendix B.
+[9] [10
+
+
+]
+Appendix C.
+[11] [12
+
+
+]
+Appendix D.
+) (./Master.acr [13] [14
]
@@ -1298,19 +1352,19 @@ Underfull \hbox (badness 10000) in paragraph at lines 34--35
[]|\T1/ptm/m/n/10.95 Electrically Erasable Pro-grammable Read-Only
[]
-[9
+[15
-] [10]) [11] (./Master.aux)
+] [16]) [17] (./Master.aux)
LaTeX Warning: There were undefined references.
)
Here is how much of TeX's memory you used:
- 23938 strings out of 493848
- 449962 string characters out of 1152824
- 657848 words of memory out of 3000000
- 26586 multiletter control sequences out of 15000+50000
+ 24089 strings out of 493848
+ 452254 string characters out of 1152824
+ 660017 words of memory out of 3000000
+ 26735 multiletter control sequences out of 15000+50000
73495 words of font info for 100 fonts, out of 3000000 for 9000
714 hyphenation exceptions out of 8191
69i,13n,72p,1076b,1342s stack positions out of 5000i,500n,10000p,200000b,50000s
@@ -1326,9 +1380,9 @@ w/courier/ucrr8a.pfb></usr/share/texmf-texlive/fonts/type1/urw/times/utmb8a.pfb
></usr/share/texmf-texlive/fonts/type1/urw/times/utmr8a.pfb></usr/share/texmf-t
exlive/fonts/type1/urw/times/utmr8a.pfb></usr/share/texmf-texlive/fonts/type1/u
rw/times/utmri8a.pfb>
-Output written on Master.pdf (61 pages, 6434216 bytes).
+Output written on Master.pdf (71 pages, 7368893 bytes).
PDF statistics:
- 278 PDF objects out of 1000 (max. 8388607)
+ 311 PDF objects out of 1000 (max. 8388607)
0 named destinations out of 1000 (max. 500000)
- 103 words of extra memory for PDF output out of 10000 (max. 10000000)
+ 113 words of extra memory for PDF output out of 10000 (max. 10000000)
diff --git a/Tex/Master/Master.lot b/Tex/Master/Master.lot
index e20a38e..08c83cf 100644
--- a/Tex/Master/Master.lot
+++ b/Tex/Master/Master.lot
@@ -7,6 +7,11 @@
\contentsline {table}{\numberline {2.4}{\ignorespaces Frequencies in the different bands \cite {kommsys2006}.}}{16}
\contentsline {table}{\numberline {2.5}{\ignorespaces Possible combinations of logical channels for the base station. From \cite {GSM2009}.}}{29}
\addvspace {10\p@ }
+\contentsline {table}{\numberline {3.1}{\ignorespaces Technical specifications for the Motorola C123.}}{42}
+\contentsline {table}{\numberline {3.2}{\ignorespaces Type Codes and the corresponding System Information Types \cite {GSM2009}.}}{44}
+\addvspace {10\p@ }
+\addvspace {10\p@ }
+\addvspace {10\p@ }
\addvspace {10\p@ }
\addvspace {10\p@ }
\addvspace {10\p@ }
diff --git a/Tex/Master/Master.pdf b/Tex/Master/Master.pdf
index ffbb585..ba00299 100644
--- a/Tex/Master/Master.pdf
+++ b/Tex/Master/Master.pdf
Binary files differ
diff --git a/Tex/Master/Master.synctex.gz b/Tex/Master/Master.synctex.gz
index ab9dda1..43f7dab 100644
--- a/Tex/Master/Master.synctex.gz
+++ b/Tex/Master/Master.synctex.gz
Binary files differ
diff --git a/Tex/Master/Master.toc b/Tex/Master/Master.toc
index 376bb5d..b3def15 100644
--- a/Tex/Master/Master.toc
+++ b/Tex/Master/Master.toc
@@ -39,24 +39,41 @@
\contentsline {chapter}{\numberline {3}IMSI Catcher Detection}{39}
\contentsline {section}{\numberline {3.1}Framework and Hardware}{39}
\contentsline {subsection}{\numberline {3.1.1}OsmocomBB}{39}
+\contentsline {subsubsection}{Project Status}{40}
+\contentsline {subsubsection}{OsmocomBB and ICDS}{41}
\contentsline {subsection}{\numberline {3.1.2}Motorola C123}{41}
-\contentsline {section}{\numberline {3.2}Procedure}{41}
-\contentsline {subsection}{\numberline {3.2.1}Information Gathering}{41}
-\contentsline {subsection}{\numberline {3.2.2}Information Evaluation}{41}
-\contentsline {section}{\numberline {3.3}IMSI Catcher Detection System}{41}
-\contentsline {subsection}{\numberline {3.3.1}Implemetation}{41}
-\contentsline {subsubsection}{Architecture}{41}
-\contentsline {subsubsection}{Extensions}{41}
-\contentsline {subsection}{\numberline {3.3.2}Configuration}{41}
-\contentsline {subsection}{\numberline {3.3.3}Operation}{41}
-\contentsline {chapter}{\numberline {4}Evaluation}{43}
-\contentsline {section}{\numberline {4.1}Example Scenarios}{43}
-\contentsline {section}{\numberline {4.2}Test Period}{43}
-\contentsline {chapter}{\numberline {5}Conclusion}{45}
-\contentsline {section}{\numberline {5.1}Related Projects}{45}
-\contentsline {section}{\numberline {5.2}Future Work}{45}
+\contentsline {section}{\numberline {3.2}Procedure}{42}
+\contentsline {subsection}{\numberline {3.2.1}Information Gathering}{43}
+\contentsline {subsection}{\numberline {3.2.2}Information Evaluation}{45}
+\contentsline {subsubsection}{Configuration Rules}{46}
+\contentsline {subsubsection}{Contextual Rules}{46}
+\contentsline {subsubsection}{Rule Evaluation}{46}
+\contentsline {subsection}{\numberline {3.2.3}Fake Parameters}{46}
+\contentsline {section}{\numberline {3.3}IMSI Catcher Detection System}{46}
+\contentsline {subsection}{\numberline {3.3.1}Implemetation}{46}
+\contentsline {subsubsection}{Architecture}{46}
+\contentsline {subsubsection}{Extensions}{46}
+\contentsline {subsection}{\numberline {3.3.2}Configuration}{46}
+\contentsline {subsection}{\numberline {3.3.3}Operation}{46}
+\contentsline {chapter}{\numberline {4}Evaluation}{47}
+\contentsline {section}{\numberline {4.1}Example Scenarios}{47}
+\contentsline {section}{\numberline {4.2}Test Period}{47}
+\contentsline {chapter}{\numberline {5}Conclusion}{49}
+\contentsline {section}{\numberline {5.1}Related Projects}{49}
+\contentsline {section}{\numberline {5.2}Future Work}{49}
\contentsline {chapter}{Bibliography}{I}
-\contentsline {chapter}{\numberline {A}appendix}{VII}
-\contentsline {section}{\numberline {A.1}OsmocomBB}{VII}
-\contentsline {subsection}{\numberline {A.1.1}Installation}{VII}
-\contentsline {chapter}{Acronyms}{IX}
+\contentsline {chapter}{\numberline {A}OsmocomBB}{VII}
+\contentsline {section}{\numberline {A.1}Installation}{VII}
+\contentsline {section}{\numberline {A.2}Usage}{VII}
+\contentsline {section}{\numberline {A.3}Serial Cable Schematics}{VII}
+\contentsline {chapter}{\numberline {B}IMSI Catcher Detection System}{IX}
+\contentsline {section}{\numberline {B.1}Example Configuration}{IX}
+\contentsline {chapter}{\numberline {C}System Information}{XI}
+\contentsline {section}{\numberline {C.1}Type 1}{XI}
+\contentsline {section}{\numberline {C.2}Type 2}{XI}
+\contentsline {section}{\numberline {C.3}Type 3}{XI}
+\contentsline {section}{\numberline {C.4}Type 4}{XI}
+\contentsline {chapter}{\numberline {D}Evaluation Data}{XIII}
+\contentsline {section}{\numberline {D.1}IMSI Catcher Configurations}{XIII}
+\contentsline {section}{\numberline {D.2}ICDS Scans}{XIII}
+\contentsline {chapter}{Acronyms}{XV}
diff --git a/Tex/Presentation/IMSMICatcher.png b/Tex/Presentation/IMSMICatcher.png
deleted file mode 100644
index 2112b13..0000000
--- a/Tex/Presentation/IMSMICatcher.png
+++ /dev/null
Binary files differ