GSM is complicated technology, so I will give a short explanation of the parts relevant to breaking A5/1, plus some links for further reading.

The A5/1 cipher is applied at the physical layer. This is done in both the handset and the Base Transceiver Station (BTS), the last piece of equipment of the GSM network at the radio interface between network and handset. When a layer 3 message is sent between handset and network, it is wrapped in a LAPDm frame, the layer 2 frame format used on the Um interface (the radio link between handset and BTS). The LAPDm frame is always 23 bytes, or 184 bits, long. Before the bits are sent over the air, those 184 bits are encoded to allow for forward error correction: 184 bits of layer 2 frame result in 456 bits transmitted over the Um interface. Those 456 bits are transmitted in 4 bursts of 114 bits each. A burst is the smallest possible unit of communication and can be thought of as a layer 1 frame. Internally the burst divides its 114-bit payload into two 57-bit halves; some timing bits are added at the beginning and end of the burst, and a training sequence is added between the two payload parts. We are only interested in those 114 bits of information, and they are the only bits that get encrypted.

A layer 3 message that is too short to fill the LAPDm frame causes the frame to be filled with padding. This padding is the known plaintext that we need for our attack on A5/1. The first encrypted message sent by the mobile station after ciphering has been negotiated is a ''Cipher Mode Complete'' message. It needs 3 bytes for the LAPDm header and 2 bytes for the layer 3 protocol message (which is also the minimum length). Those 2 bytes are constant and known. If we ignore the LAPDm header for now (24 bits), and thus the first burst (which contains 46 bits of the LAPDm frame), we still have 3 bursts of 114 bits of known plaintext.
64 bits of known keystream are enough for a lookup in the generated table to try and find the internal state of A5/1. 114 bits of known keystream give us 114-64+1 = 51 keystream samples. Multiplied by 3 bursts, that makes 153 candidates for lookup from a single message with 20 bytes of padding.

[http://www.gsmfordummies.com/index.html a comprehensible introduction to GSM]

Here is a nice picture of an FCH, a frequency correction channel. If you count the number of waves you end up with a fixed-frequency wave of ~70 kHz. The actual data in the burst is all zero bits; after modulation this gives a fixed frequency of FDMA base frequency + 67 kHz for exactly one burst minus some guard bits, so a bit shorter than 576 usec. http://reflextor.com/USRP_FCH.png
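As an added example (not code from the original page), the following Python models the frame and burst sizes given above and counts how many 64-bit keystream windows a padded frame exposes to a table lookup, including the case where only part of a burst's plaintext is known. It assumes 0x2B as the LAPDm fill octet and uses a seeded pseudo-random keystream as a stand-in for real A5/1 output.

```python
import random

LAPDM_FRAME_BITS = 184      # 23-byte layer 2 frame
CODED_BITS = 456            # after forward error correction
BURST_PAYLOAD_BITS = 114    # encrypted bits per burst
BURSTS_PER_FRAME = CODED_BITS // BURST_PAYLOAD_BITS  # 4
WINDOW_BITS = 64            # keystream needed for one table lookup
FILL_OCTET = 0x2B           # LAPDm fill octet (assumed here; the page gives no value)


def frame_layout(header_bytes=3, l3_bytes=2, frame_bytes=23):
    """Bits of (header, layer 3 payload, padding) in a short-message LAPDm frame."""
    padding = frame_bytes - header_bytes - l3_bytes
    return header_bytes * 8, l3_bytes * 8, padding * 8


def keystream_windows(known_bits, window=WINDOW_BITS):
    """Distinct window-bit samples inside one contiguous run of known keystream."""
    return max(0, known_bits - window + 1)


def lookup_candidates(known_bursts=3):
    """Lookup candidates from the bursts whose plaintext is fully known (page: 3 * 51)."""
    return known_bursts * keystream_windows(BURST_PAYLOAD_BITS)


def recover_keystream(cipher_bits, plain_bits):
    """Keystream = ciphertext XOR plaintext, or None where the plaintext bit is unknown."""
    return [c ^ p if p is not None else None for c, p in zip(cipher_bits, plain_bits)]


def known_windows(keystream, window=WINDOW_BITS):
    """All (offset, bits) windows that contain no unknown keystream bit."""
    out = []
    for i in range(len(keystream) - window + 1):
        seg = keystream[i:i + window]
        if None not in seg:
            out.append((i, seg))
    return out


def demo(seed=1):
    """Constructed burst: repeated fill octets encrypted with a pseudo-random keystream."""
    rng = random.Random(seed)
    keystream = [rng.randrange(2) for _ in range(BURST_PAYLOAD_BITS)]
    fill = [int(b) for b in f"{FILL_OCTET:08b}"]
    plain = (fill * 15)[:BURST_PAYLOAD_BITS]
    cipher = [k ^ p for k, p in zip(keystream, plain)]
    full = known_windows(recover_keystream(cipher, plain))
    assert all(seg == keystream[i:i + WINDOW_BITS] for i, seg in full)
    partial_plain = [None] * 24 + plain[24:]          # first 3 octets unknown
    partial = known_windows(recover_keystream(cipher, partial_plain))
    return len(full), len(partial)                     # (51, 27)
```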