Topguw: Automating The Guessing And XORing Of Possible A5/1 Keystreams (Known-Plaintext Attack)

Topguw is a Java application developed by Bastien Jalbert in 2015 to bring together all the steps required for cracking 2G GSM communications.

It automates the process of extracting unencrypted frames, guessing the locations of the encrypted versions of those frames, and XORing the bursts together to generate input for Kraken's cracking utility.

In this video, I am demonstrating how Topguw is utilized during the known-plaintext attack phase of cracking and subsequently obtaining the Kc value from the famous vf_call6 capture file.

Because grgsm_decode isn't capable of outputting GSM bursts in the correct format, Airprobe patched for GNU-Radio 3.7 is required by Topguw, along with gsmframecoder. The folders containing these software tools were copied to the /root/ directory, as required by Topguw (you can also point Topguw to the directory containing these tools via the 'config' menu).

Because Airprobe requires a decimation rate to be entered for decoding GSM and printing the raw bursts, 174 is entered via the config menu. If 174 doesn't deliver results, you can try entering 112 for USRP1 recordings or 64 for RTL-SDR recordings; 32 sometimes worked for me on other recordings.

Only attempt to crack your own SMS messages and voice calls, or capture files uploaded with permission by the owner of the data for the purpose of demonstrating the use of these hacking tools. Never attempt to intercept private telecommunications from any mobile network subscriber other than yourself!

Thanks for watching!

LINKS:

Topguw Github Page:
https://github.com/bastienjalbert/topguw

Bastien Jalbert's Topguw Video:
Topguw Proof of concept - GSM Hacking...
