Digital Two way Radio
 GPS tracking portable equipment
 GSM Intercept
 3G -Catcher
 Passive GSM Intercept
 Semi Active Intecept
 Satellite Equipment
 Satellite Antenna
 Satellite Mobile phone Intercept
 Satellite Single Analysis system
 Single communication Received Equipment
 System Integrated Solution
Products <<< GSM Intercept <<< Passive GSM Intercept
  Passive GSM Intercept -- Passive Concept

Passive system

Active system
    Under the term "Target" we will understand an unequal combination of SIM card and handset with their own identities (IMSI, IMEI etc).

    In this paper we will show you the principle of operation for ComsTrac passive systems.
System overview
    Our specialized GSM monitoring passive system is intended for government agencies and law enforcement groups only and is intended for passive (if system encryption is absent) or semi-active (if A5.1/A5.2 encryption is used) monitoring of 850, GSM-900, DCS-1800, PCS-1900 standard communication systems.
    Control of forward and reverse voice channels and SMS messages;
    Fast channels scanning in 850/900/1800/1900 MHz band and definition of control channels numbers and appropriate cellular providers;
    The possibility to switch off the encryption including both A5.1 and A5.2, if the controlled network supports the operation of the phones without encryption.
    Recording to HDD of voice sessions, SMS messages and call related information;
    Subscriber's location finding relatively to the base station (LAC, BS, sector, distance with accuracy of 550 m) with possibility of its indication on the digital map (optionally);
    Definition of MSISDN - TMSI correlation for the controlled subscriber;
    The possibility of finding of MSISDN number of the controlled subscribed during the call (optionally);
    The possibility to substitute the number, dialled by subscriber without any disclosing traces for subscriber (optionally);
    Proper operation of the system in networks, using Frequency Hopping mode (in contrast to other monitoring systems).
    Tracing of subscriber's movement to another base station coverage area ("handover") if the signal from that base station is strong enough on the receiver input.

    Operational overview
    The system usually consists of a Personal computer, a clone box unit with omnidirectional aerial and A5.2 or A5.1 decipher (or both of them).

    The main idea of this systems is to create a clone of the target's handset, catch it's real radio traffic and discover information from the coded part of the session (coded by A5.2 or A5.1 GSM algorithm). In the modern passive systems A5.2 decipher is represented as special software in the operator's PC. A5.1 decipher is usually implemented as a separate multi-processor unit. ComsTrac Pure Passive A52 is equipped with a52 decipher only and Pure Passive Kc Calc is equipped by both of them.
The system ensures
    Invisible control of BCCH channel for BTS, located within area controlled by the system;
    Invisible control of incoming and outgoing traffic of handsets, located within area controlled by the system;
    Provide real time KC evaluation;
    Provide GSM data interception in case of hopping and handovers. The system support FR, EFR, HR, AMR voice codecs.
How does it work?
    ComsTrac GM system start listening OTA data and sends to A5/1 (A5/2) decipher encrypted bit stream - usually one encrypted burst derived from forward (down link) channel.
    A5/1 (A5/2) decipher calculates ciphering key Kc and sends it back to the ComsTrac GM system.
    ComsTrac GM system implements Kc and decrypts communication which with known Kc is almost immediate process.
    The system can real-time register all GSM data traffic and save it on the hard disk. Also it is possible to play back voice conversations and read all protocol messages, include SMS.

    Passive operation modes
    The operation in this case is fully invisible for a GSM provider and a target because no radio signals are radiated by the system. All incoming GSM signals are received only by RX omnidirectional aerial and are decoded with the help of special software.
    In this mode it is possible to receive GSM information from all networks , located within area controlled by the system, in order to tune the system at required ARFCNs (netmonitor). Also, some receivers may collect this information continuously to support mobile operation (car, train, etc).

    Ensuring secret control of traffic of mobile stations located within area controlled by the system.

    There are two modes of control:
    Random (all mobile stations);
    Selection (only targets or possible targets).

    The system operates secretly, so mobile station subscriber is unable to detect it. The system does not interfere with external mobile GSM networks.
Random mode
    No previous information about target
    This case is the most complicated for GM operator.
    ComsTrac® GM software must be started without any selection limitations. GM operator must investigate each GSM session and make a decision about target presence in this area. This type of operation is named "Random mode".
    This mode is also useful when it is known voice of anybody, who contact with the target or some kind of handset's identities for anyone.
    When the target is localized then it must be marked as a "target" in the GM software and all identities of his handset may be used next time to detect it more faster.

    It is known ARFCN for the target's handset
    The system must be tuned exactly to this channel. It is the task for the operator to find location where this ARFCN is present. Then he must investigate each session to localize target's identity.
    When target is localized then it must be marked as a "target" in the GM software and all identities of his handset may be used next time to detect it more faster.

    It is known target's MSISDN
    In this case operator can activate "TMSI detector" function and try to catch target's current TMSI identity. The next target's session will be started with this identity representation.
    Target's identity is known
    It is very useful for target separation and optimal configuration system resources.
    This operational mode is intended to select targets of interest (according to IMSI/IMEI identifications) from the total number of subscribers located within operational area of the system. If it is known Classmark, KCn or distance to target then selection result will be a group of handsets in the working area.
    This mode allows listening only those sessions, where it is possible to find parameters, listed in the target-list.
    So, all resources of the system will be redistributed solely for escorting of sessions of targets.
    In order to switch ON/OFF selection mode there are special buttons in GM software.
The extended set of selection criteria
    Control of all communications;
    By TMSI (IMSI - if transmitted in the air);
    By phone type (Classmark);
    By presence of reverse channel, for control of subscribers within the nearby area (100-1500 m from the system);
    By IMEI (if transmitted in the air) at interception of reverse channel;
    By interlocutor's phone number;
    Selection of communications by distance from the base station;
    Selection of SMS messages only;
    By Ki or Kc of the subscriber (at that the operation in networks, using A5.1 encryption is provided without any disclosing traces);
    Combination of several selection criteria above.
    Semi-Active operation modes
    The operation in this case may be detected by special equipment because each mode is based on procedures that requests active radiation by the system. That's why additional TX omnidirectional aerial must be connected to the system.
"TMSI detector"
    A clone box unit must be able to discover each TMSI reallocation command in each target's session. In the other case the target may disappear from the system. In this case operator must use special methodic to update time-to-time target's TMSI identity.
    This methodic requests a special system's procedure that make it possible can call to the target's handset and break session before alerting signal on the target's side. So, in this case the system become not fully passive. The methodic is useful when operator know MSISDN number of the target's handset in order to arrange a call.
"Classmark change"
    This mode is intended to transmit to the BTS fake classmark information that current handset is not supported ciphering at all. In this case BTS switch off ciphering for this target in the current session. It is possible to apply this action for various types of connection.
"Immediate release"
    This mode is intended to jamming required GSM session types. The system transmit release request when the session is started and handset couldn't make any connection. It is possible to apply this action for various types of connection.
"Replacement dialled numbers"
    This mode allows the system to divert a call from the pointed MSISDN to the requested MSISDN.

    Configuration facilities
    ComsTrac GM system and A5/1 Decipher can be connected either directly by LAN cable, wirelessly using any available communication means (GPRS, UMTS, satellite link, etc.) and via highly encrypted secure Internet VPN connection.
    A5/1 decipher can serve more than one ComsTrac GM system. It is a typical server-client application. Usually A5/1 decipher is located in a head quarter connected to Internet with static IP address while GSM Interception system can be located virtually in any place of the world.
    There are 3 types of the GM system configuration:
    GM operator's personal computer (PC) is directly connected with the A5/1 Deciphering unit and the Clone box unit by the LAN cable;
    Functional diagram of the ComsTrac® GM system in this case is represented below:
    In practice, there appears frequent situation when network units should be positioned in different location (for example, in different countries) arranging one efficient system (local addresses of the network units should be kept the same).
    VPN (virtual private network) technology within Internet offers the following solution of this task. At that, configuration of the system and algorithm of interaction of its components change.
    GM operator's PC is connected with the Clone box unit directly but with the A5/1 decipher unit by the VPN connection. GM operator's PC works also as VPN server.
    Functional diagram of the ComsTrac® GM system in this case is represented below:
    One special PC is implemented in the system. This PC works as international VPN server. Its main task is coordinate interaction between all network units of the system. In the simplest case, specialized computer that has installed GM software may serve as a server PC.
    When you have a distributed system, any computer connected to high speed Internet and having static external IP-address or constant domain name accessible for any unit connected to Internet may serve as a server PC. At that, there is no need to install the complete set of GM software on this computer. It should have installed VPN-server connection support program only.
    Any other network unit connects to Internet via bridge PC (VPN-client). Any computer that has installed VPN-client connection software may serve as bridge PC.
    GM operator's PC is connected with the VPN server, A5/1 deciphering unit(s) and Clone box unit(s) by the International VPN connection through Internet. Each GM system network device may be located in the different country;
    Functional diagram of the ComsTrac® GM system in this case is represented below:
Technical Specification
Comparison with concurents
    The main technical features of ComsTrac passive GSM monitoring systems in comparison with other monitoring systems
    All information provided by these operating instructions is strictly confidential.
    Equipment intended to be used only for military and police purpose.
    All copyrights reserved by ©ComsTrac Limited.
    The operating instructions may not, without previous written permission from the author, be reproduced, either in total or in part, or be transferred to any form of data carrier.
    The author reserves the right to make changes in the products offered as well as to their technical specifications.
    We accept no liability in the event of mistakes or discrepancies.

Address:947/36 Moo 12 Bangna-Trad Road Km. 3.2, Bangna Bangkok 10260