Penetration Testing mailing list archives

Re: blind demodulation - sound card - lucent winmodem


From: "CJ Oster" <cjo () dothe12 com>
Date: Tue, 2 Jul 2002 16:13:41 -0500

A higher sampling rate won't do you too much good, in fact, it's the
opposite--you have more samples to deal with in a given amount of time.
Usable bandwidth on a phone line is about 4kHz, so you only NEED to sample
at twice the maximum analog frequency.  The analog bandwidth of the phone
line is what defines the theoretical maximum transmission rate of about
30kbps.  That's where the 28.8kbps modems come in.  The 33.6 (v.32bis) uses
compression and an encoding technique called trellis-coded modulation, TCM,
which I also believe is used on the 28.8 modems as well.  56k modems cheat
because it's digital on the downstream side and there is essentially more
bandwidth available.  You'll get the most out of a sampling at 16bits
instead of 8.  I don't know enough about TCM to tell you all of the details
of the encoding, but I believe it's pretty tough to just start demodulating
a signal without catching the training sequences.  You can always play some
noise into the phone line and force the modems to re-train.  Either way,
you'll need some pretty thorough understanding of digital signal processing
theory to make it happen.  If you want to build a stand-alone box, you can
get TI dsp's on evaluation boards, but by the time you buy the board, the
development software and the like, you'll drop several thousand dollars on
it.  You might as well just use a nice sound card and beg/borrow/steal a
copy of Matlab to process the data.

-CJO-

PS This sounds like a lot of fun and if you need some help, let me know, I'd
love to be involved.

----- Original Message -----
From: "Evrim ULU" <evrim () envy com tr>
To: "pen-test" <pen-test () securityfocus com>
Sent: Monday, July 01, 2002 1:47 AM
Subject: Re: blind demodulation - sound card - lucent winmodem


Brass, Phil (ISS Atlanta) wrote:

> not mistaken, the sound card can sample 44kHz 8 bits per sample 2 channels,
> typically, so it actually does roughly 700kbits per second sampling.
> However, all these extra bits won't help you reconstruct the stream if the
> carrier frequency or whatever of the data stream is faster than 44kHz. Even
> if the information content is less, if you are sampling too slowly, no
> matter how precisely, you will not be able to reconstruct the stream.

I don't know why you are stuck with the sound card properties. But good news
is here: I've looked for national.com after your message and for only $10,
I've found adc08200, which is an 8-bit ADC and has a 200 MSPS (mega samples
per second) sampling rate. $10 is very cheap, so we are not stuck with the
44kHz sound card.

> Secondly, the FBI has got "data tap" (modem-deciphering) devices, starting
> in 1995: http://www.nctp.org/docs/nwsltr9912/9912p02.html.

I think they've already done all the things that I'm gonna do in the next 10
years, but this won't stop me ehe :-)

> Perhaps you could get in touch with agent Michael Morris and find out how
> his equipment works, or whom he bought it from?

Heh, I don't think agents are going to like me.

--
Evrim ULU
evrim () envy com tr / evrim () core gen tr
sysadm
http://www.core.gen.tr


--------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
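CJO's point that a 4 kHz phone-line signal only needs to be sampled at twice its bandwidth, and Phil Brass's point that sampling too slowly loses the stream no matter how precise each sample is, are both the Nyquist criterion seen from two sides. The Python below is an added illustration, not code from anyone in this thread. It constructs its own test tones (the 2100 Hz and 5000 Hz tones and the 8 kHz / 44.1 kHz sample rates are chosen for illustration), measures where each tone lands after sampling with a plain DFT, and shows that a tone below half the sample rate is recovered exactly while one above it folds to a different frequency. Oversampling the in-band tone at a sound-card rate recovers the same frequency, which is CJO's "more samples to deal with, no more information" remark in numbers.

```python
import cmath
import math


def sample_tone(freq_hz, fs_hz, n):
    """Return n samples of a unit cosine at freq_hz taken at fs_hz samples/s.

    Constructed test signal standing in for a tone arriving on the line.
    """
    return [math.cos(2 * math.pi * freq_hz * k / fs_hz) for k in range(n)]


def alias_frequency(freq_hz, fs_hz):
    """Frequency at which a real tone shows up after sampling at fs_hz.

    Sampling folds the spectrum around multiples of fs, so every component
    lands somewhere in 0..fs/2. A tone already below fs/2 comes back unchanged;
    anything above it is indistinguishable from a lower tone once sampled.
    """
    f = freq_hz % fs_hz
    return min(f, fs_hz - f)


def dominant_frequency(samples, fs_hz):
    """Find the strongest spectral line with a plain DFT (no numpy needed).

    Only bins 0..n/2 are examined: a real signal's spectrum is symmetric, and
    nothing above fs/2 can be represented in the sampled data anyway.
    """
    n = len(samples)
    best_bin, best_mag = 0, -1.0
    for k in range(n // 2 + 1):
        acc = sum(x * cmath.exp(-2j * math.pi * k * i / n)
                  for i, x in enumerate(samples))
        if abs(acc) > best_mag:
            best_bin, best_mag = k, abs(acc)
    return best_bin * fs_hz / n


def nyquist_check(freq_hz, fs_hz, n=400):
    """Sample a tone, measure where it lands, and report whether it aliased.

    n is chosen so the illustrative tones sit exactly on DFT bins (fs/n Hz
    apart); with other tone/rate pairs pick n so that freq_hz * n / fs_hz is
    an integer, or the peak will be smeared across neighbouring bins.
    """
    measured = dominant_frequency(sample_tone(freq_hz, fs_hz, n), fs_hz)
    return {"tone_hz": freq_hz, "fs_hz": fs_hz,
            "measured_hz": measured, "aliased": measured != freq_hz}


if __name__ == "__main__":
    # A 4 kHz phone line only needs an 8 kHz sample rate (twice the bandwidth).
    print(nyquist_check(2100, 8000))        # in band: recovered as 2100 Hz
    print(nyquist_check(5000, 8000))        # above fs/2: shows up at 3000 Hz
    print(alias_frequency(5000, 8000))      # the fold predicts the same 3000 Hz
    # Sound-card rate on the same in-band tone: more samples, same answer.
    print(nyquist_check(2100, 44100, n=441))
```

The DFT here is the O(n²) textbook sum, which is fine for a few hundred samples; for real captures one would use an FFT, but the folding behaviour it exposes is identical.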