Accelerate3g5 -- blobb » History » Version 148
blobb, 05/10/2017 03:11 PM
h1. Accelerate3g5 -- blobb

h2. Summary

Trying to come up with a fuzzing interface.

h3. Participants

* André (email: dr.blobb@gmail.com)

h2. Details

*1)* First set up the femtocell and understand the necessary basics of UMTS communication to do so. (done)
*2)* Collect information, e.g. slides, talks and documentation about fuzzing of wireless protocols. (done)
*3)* Craft requests and run fuzz tests against the subscriber. (to be done)

Note: first time fuzzing.

h2. Test devices

TD1: Samsung Galaxy S5 Mini (G800F)
OS: Lineage OS (14.1/7.1.1)
BB: G800FXXU1BPC3
SIM: MicroSIM

TD2: LG Nexus 5 (hammerhead)
OS: Android Marshmallow (6.0)
BB: M48974A-2.0.50.2.27
SIM: MicroSIM

TD3: HTC One M9
OS: Android Lollipop (5.1)
BB: 01.04_U11440601_71.02.50709G_F
SIM: NanoSIM (cut MicroSIM)

TD4: Samsung S3 (GT-I9300)
OS: Android Jelly Bean (4.3)
BB: I9300XXUGNA8
SIM: MicroSIM

h2. Journal

+*1) Setting up the network*+

+_2017-03-07_+
Picked up the package at the Sysmocom office.
Had an informative conversation with Neels about Jenkins, Docker and build artifacts.

+_2017-03-12_+
Set up wiki page.
Seeing the femtocell on the network interface.
Compiled the source as described, but couldn't configure/launch the CN successfully (yet).
Next time I will try Neels' launch script and the same IP range.

+_2017-03-15_+
Reading the "data sheet [overview]":http://www.ipaccess.com/uploads/wysiwyg_editor/files/2017/S8_S16-Datasheet-v1.0.pdf and "data sheet [details]":https://fccid.io/pdf.php?id=1462491 about the ip.access nano3G S8.
Configuring the femtocell via telnet (dry run).
Running into the HLR issue mentioned in the wiki when invoking run.sh.

+*2) Collecting input about fuzzing*+

+_2017-04-02_+

papers/theses:
> "SMS Fuzzing - SIM Toolkit Attack - B. Alecu, DEF CON 21, 2013":https://www.defcon.org/images/defcon-21/dc-21-presentations/Alecu/DEFCON-21-Bogdan-Alecu-Attacking-SIM-Toolkit-with-SMS-WP.pdf
> "SMS Vulnerability Analysis on Feature Phones - N. Golde, 2011":http://www.isti.tu-berlin.de/fileadmin/fg214/finished_theses/NicoGolde/diplom_golde.pdf
> "Fuzzing the GSM Protocol - B. Hond, master thesis 2011":http://www.ru.nl/publish/pages/769526/scriptie-brinio-final-brinio_hond.pdf

talks:
> "SMS Fuzzing - SIM Toolkit Attack - B. Alecu, DeepSec 2011":http://www.securitytube.net/video/2518
> "Using OpenBSC for fuzzing of GSM handsets - H. Welte, 26C3 2009":http://mirror.fem-net.de/CCC/26C3/mp4/26c3-3535-en-using_openbsc_for_fuzzing_of_gsm_handsets.mp4

slides:
> "MobiDeke: Fuzzing the GSM Protocol Stack - S. Dudek & G. Delugre, hack.lu 2012":http://archive.hack.lu/2012/Fuzzing_The_GSM_Protocol_Stack_-_Sebastien_Dudek_Guillaume_Delugre.pdf
> "Base Jumping - Attacking the GSM BB and BTS - grugq, 2010":http://conference.hackinthebox.org/hitbsecconf2010kul/materials/D2T1%20-%20The%20Grugq%20-%20Attacking%20GSM%20Basestations.pdf
> "Fuzzing your GSM phone - Harald Welte, 26C3 2009":https://events.ccc.de/congress/2009/Fahrplan/attachments/1503_openbsc_gsm_fuzzing.pdf
> "Fuzzing the Phone in your Phone - C. Miller & C. Mulliner, Black Hat 2009":https://engineering.purdue.edu/dcsl/reading/2011/jevin-fuzzing.pdf
> "Injecting SMS Messages into Smart Phones for Security Analysis - C. Mulliner, 2009":https://www.mulliner.org/security/sms/feed/injecting_sms_mulliner_miller.pdf
> "Security Testing esp. Fuzzing - E. Poll, ????":https://www.cs.ru.nl/E.Poll/ss/slides/12_Fuzzing.pdf

+_2017-04-19_+
Resolved the HLR issue and set the correct IPs in the "*.cfg files":https://osmocom.org/attachments/download/2559/3G-config-example-v3.tar.
The hNodeB connects to hnbgw, but no UE is connecting to it.
> [issue from wiki: ...unable to resolve DNS record look up of 0.ipaccess.pool.ntp.org... no trx].
Connected the femtocell to a LAN with internet access to resolve the DNS lookup issue; still no phones are connecting (yet).
Added SIM cards to hlr.db after creating the db successfully [thanks to "andreas":https://osmocom.org/projects/cellular-infrastructure/wiki/Accelerate3g5_--_andreas].

+_2017-04-20_+
Created and attached "build_3G.sh":https://osmocom.org/attachments/download/2602/build_3G.sh (adapted from "build_2G.sh":https://osmocom.org/attachments/download/2438/build_2G.sh).
Rebuilt with the correct branch/tag (openbsc:vlr_3G, libosmo-sccp:old_sua).
TD1 and TD2 *successfully connected* to the femtocell!!! *\o/*
*Voice calls work* (TD1<->TD2).

+_2017-04-22_+
Created and attached "configure_nano3G.exp":https://projects.osmocom.org/attachments/download/2604/configure_nano3G.exp.
> Invoke the expect script within "run.sh":https://projects.osmocom.org/attachments/download/2559/3G-config-example-v3.tar to automate the initial nano3G configuration via telnet.
*SMS works* (TD1<->TD2); it probably worked before but was tested "today".

+_2017-04-24_+
Compiled OpenBSC with the --enable-mgcp-transcoding flag and created 127.0.0.2 on lo. :)
Attached a refactored version of "build_3G.sh":https://projects.osmocom.org/attachments/download/2605/build_3G.sh.
*Data "works"* (TD1<->TD2, TDx<->tun0/192.168.42.1).
> Note: data "worked" before (UEs got an IP on 2017-04-20). But I haven't managed to forward packets from tun0->eth0->inet yet, although the following iptables rules have been applied:
<pre>
# enable IPv4 forwarding in the kernel (needs root, hence sudo sh -c)
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
# NAT everything leaving via eth0
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
</pre>

+_2017-04-25_+
Created and attached "find_nano3G.sh":https://osmocom.org/attachments/download/2609/find_nano3G.sh.
Picked up TD4 at a friend's place. Now I don't need to change the SIM/USIM card in TD1, which is my "normal" cell phone, to test functionality. *Thanks* a lot buddy :)

+_2017-04-26_+
As it actually belongs to the accelerate3g5 project, I add the "hands-on repo":https://github.com/blobbsen/repo-handson to this journal.
> It provides functionality to clone the necessary git repos and build the accelerate3g5 CN stack.

+_2017-04-29_+
Tested MMS, *doesn't* work.
I'd changed MCC and MNC from the "wiki-default":http://osmocom.org/projects/cellular-infrastructure/wiki/Configuring_the_ipaccess_nano3G values (MCC=901, MNC=98) to MCC=809 and MNC=90 on the hNodeB (telnet) to align with the SIM cards' IMSIs and avoid roaming, but it didn't work out (yet).

+_2017-04-30_+
Set csgAccessMode to CSG_ACCESS_MODE_CLOSED_ACCESS to avoid interfering with UEs not owned by me.
Set an additional iptables rule. UEs finally have an internet connection. *\o/*

<pre>
sudo iptables -t nat -A POSTROUTING -o lo -j MASQUERADE
</pre>

+_2017-05-01_+
UEs are not roaming anymore *\o/*. Actually a friend's explanation of how the MCC and MNC have to be set according to the IMSI (digits 0-2 MCC, 3-4 MNC) was correct,
but I didn't read the IMSI correctly from the "sysmocom full-size SIM card". Such IMSIs on the full-size SIM card consist of 18 digits.
After using the IMSIs from the delivery e-mail (which are 15 digits long and not 18 like the full-size-SIM-card IMSI) it works.
Moreover, I now know that the IMSI can ONLY hold 15 digits and consists of MCC (3), MNC (2-3) and MSIN (9-10).

A poor/manual stability test of the entire UMTS network has been successful for 12 hours (DL: 7.8-5.9 Mbit/s, UL: 1.2-0.8 Mbit/s, ping: 170-150 ms).

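The IMSI check behind the 2017-05-01 entry, as an added example that is not from the original page or from the Osmocom project: it rejects anything that is not 15 decimal digits (so an 18-digit number read off the card is refused instead of being split into a wrong MCC/MNC), splits a valid IMSI into MCC, MNC and MSIN, and reports whether a SIM is home or roaming on the femtocell's PLMN. The MNC length (2 or 3 digits) is not encoded in the IMSI itself, so it is passed in as part of the network configuration. The sample IMSIs are constructed for the demonstration and belong to nobody; 901/98 is the wiki-default PLMN named in the 2017-04-29 entry.

```shell
#!/bin/sh
# Added example, not from the original page: IMSI parsing and a home/roaming
# check against the femtocell's PLMN (MCC/MNC).

# imsi_valid IMSI -> 0 if IMSI is exactly 15 decimal digits, 1 otherwise.
# (3GPP TS 23.003 allows up to 15 digits; this network uses 15-digit IMSIs
# throughout. The 18-digit number printed on the card fails here on purpose.)
imsi_valid() {
    case "$1" in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -eq 15 ]
}

# imsi_split IMSI MNC_LEN -> prints "MCC MNC MSIN" (MCC 3 digits, MNC 2 or 3,
# MSIN the remaining 10 or 9). Returns 1 on a bad IMSI or MNC length.
imsi_split() {
    imsi_valid "$1" || return 1
    case "$2" in 2|3) ;; *) return 1 ;; esac
    mcc=$(printf '%.3s' "$1")
    rest=${1#???}                       # everything after the MCC
    mnc=$(printf "%.${2}s" "$rest")
    case "$2" in
        2) msin=${rest#??} ;;
        3) msin=${rest#???} ;;
    esac
    printf '%s %s %s\n' "$mcc" "$mnc" "$msin"
}

# imsi_is_home IMSI MNC_LEN NET_MCC NET_MNC -> 0 if the SIM's home PLMN is the
# network's PLMN, 1 if the UE would be roaming, 2 on invalid input.
imsi_is_home() {
    split=$(imsi_split "$1" "$2") || return 2
    set -- $split "$3" "$4"             # now $1=MCC $2=MNC $3=MSIN $4=NET_MCC $5=NET_MNC
    [ "$1" = "$4" ] && [ "$2" = "$5" ]
}

# imsi_status IMSI MNC_LEN NET_MCC NET_MNC -> prints home | roaming | invalid
imsi_status() {
    rc=0
    imsi_is_home "$1" "$2" "$3" "$4" || rc=$?
    case $rc in
        0) echo home ;;
        1) echo roaming ;;
        *) echo invalid ;;
    esac
}

# Demonstration: wiki-default PLMN 901/98 with a 2-digit MNC; constructed IMSIs,
# the last one being an 18-digit card number mistaken for an IMSI.
NET_MCC=901; NET_MNC=98; MNC_LEN=2
for imsi in 901980000000001 901700000000002 262010000000003 901980000000001234; do
    printf '%-20s %s\n' "$imsi" "$(imsi_status "$imsi" "$MNC_LEN" "$NET_MCC" "$NET_MNC")"
done
```

Run the same check over the subscribers you add to hlr.db: every IMSI that comes back as roaming will be served, but the UE will show it as a foreign network, which is exactly the symptom the journal describes before the PLMN was corrected.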
+*3) Understand how and try to fuzz handsets*+

+_2017-05-03_+
The filesystem is only mounted read-only; "mount -o remount,rw /" changes this to rw.
Changed the ssh_banner (just for fun):

!ssh_banner.jpg!

Changed the thttpd port to 80 and served my own index.html (just for fun).
The entire network still works fine when the thttpd port is changed to 80.

+_2017-05-04_+
Thinking about installing Python and Scapy on the hNodeB to see whether we could fuzz directly on the imq0-15 interfaces, as they might represent the UL+DL connections of the UEs.
(The nano3G S8 can serve up to 8 clients -> 8*(UL+DL) = 16 interfaces.)

First problem: we only have ~20 MB of storage left for Python and Scapy, which need around 70 MB, and we cannot use ipkg to install anything as the repository servers are not available.
The storage problem can be solved by creating a ramdisk. I've created a 70 MB ramdisk and verified that the entire network still works.
Yes it does, although only 2.4 MB RAM was left with 2 UEs connected.

Copying the Python binaries and dependent libs (libssl.so.1.0.0, ...) from a Raspberry Pi Model A, because they use the same processor/architecture.
After all dependencies had been copied via ssh, python still didn't run, showing some "GLIBC_VERSION" error, so I tried to replace libc.so.6 with the one from the RasPi too.
This was a huge mistake, which showed me that I am missing system-level and C knowledge, because some Google research (afterwards) proved that replacing libc.so.6 is a very, very bad idea.
After replacing libc.so.6, any executed command resulted in "Illegal instruction - core dumped"... :S

I did a "Factory Reset", but it seems to only reset the AP configuration settings, or it might be damaged as well because of the libc.so.6 change.
The hNodeB still gets an IP from the DHCP server and one can ping it. But no ports are open anymore, thus I cannot connect at all. :/
It seems that I really have bricked the hNodeB... -.-"

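What replacing libc.so.6 was meant to achieve, running a binary copied from another ARM box with the glibc it was built against, can be done without touching the hNodeB's own libc: start the program through the copied glibc's dynamic loader with `--library-path` pointing at the copied libraries. A CPU or ABI mismatch then ends that one process with SIGILL instead of every process on the box. Added example, not from the original page or the Osmocom project; the directory /tmp/pi (where the Raspberry Pi files would be copied, e.g. onto the ramdisk) and the loader file names are assumptions, and the script does not settle whether Raspberry Pi binaries can run on the nano3G's CPU at all.

```shell
#!/bin/sh
# Added example, not from the original page: run a binary copied from another
# ARM Linux system with the glibc that came with it, instead of overwriting
# /lib/libc.so.6. Everything under $FOREIGN_ROOT is an assumption: it is where
# the Raspberry Pi files were copied to (e.g. a ramdisk).

FOREIGN_ROOT="${FOREIGN_ROOT:-/tmp/pi}"

# foreign_loader ROOT -> prints the glibc dynamic loader found under ROOT
# (ld-linux.so.3 on armel, ld-linux-armhf.so.3 on armhf). Returns 1 if none.
foreign_loader() {
    for ld in "$1"/lib/ld-linux*.so.* "$1"/lib/arm-linux-gnueabi*/ld-linux*.so.*; do
        [ -e "$ld" ] && { printf '%s\n' "$ld"; return 0; }
    done
    return 1
}

# foreign_libdirs ROOT -> colon-separated list of the library directories that
# exist under ROOT, in search order.
foreign_libdirs() {
    path=""
    for d in "$1"/lib "$1"/usr/lib "$1"/lib/arm-linux-gnueabi "$1"/lib/arm-linux-gnueabihf \
             "$1"/usr/lib/arm-linux-gnueabi "$1"/usr/lib/arm-linux-gnueabihf; do
        [ -d "$d" ] && path="${path:+$path:}$d"
    done
    printf '%s\n' "$path"
}

# foreign_check ROOT -> 0 if ROOT holds a loader and a libc.so.6 on the library
# path, 1 otherwise. Run this before anything else; nothing is modified.
foreign_check() {
    ld=$(foreign_loader "$1") || { echo "no ld-linux*.so under $1" >&2; return 1; }
    libdirs=$(foreign_libdirs "$1")
    oldifs=$IFS; IFS=:
    for d in $libdirs; do
        if [ -e "$d/libc.so.6" ]; then IFS=$oldifs; return 0; fi
    done
    IFS=$oldifs
    echo "no libc.so.6 under $1" >&2
    return 1
}

# foreign_cmd ROOT EXECUTABLE [ARGS...] -> prints the command line that runs
# EXECUTABLE with the foreign loader and libraries, for inspection.
foreign_cmd() {
    root=$1; exe=$2; shift 2
    ld=$(foreign_loader "$root") || return 1
    printf '%s --library-path %s %s' "$ld" "$(foreign_libdirs "$root")" "$exe"
    for a in "$@"; do printf ' %s' "$a"; done
    printf '\n'
}

# foreign_run ROOT EXECUTABLE [ARGS...] -> runs it. The executable's own
# PT_INTERP is ignored because the loader is invoked directly, and the
# system's /lib/libc.so.6 is never consulted. A wrong ISA now kills only
# this process (SIGILL), not the box.
foreign_run() {
    root=$1; exe=$2; shift 2
    foreign_check "$root" || return 1
    ld=$(foreign_loader "$root")
    "$ld" --library-path "$(foreign_libdirs "$root")" "$exe" "$@"
}

case "${1:-}" in
    check) foreign_check "$FOREIGN_ROOT" ;;
    show)  shift; foreign_cmd "$FOREIGN_ROOT" "$@" ;;
    run)   shift; foreign_run "$FOREIGN_ROOT" "$@" ;;
esac
```

Usage would be `sh foreign.sh check` first, then `sh foreign.sh run /tmp/pi/usr/bin/python2.7 -c 'print 1'` (assumed paths). For CPython, PYTHONHOME must additionally point at the copied prefix so it finds its standard library; that is a Python detail, not part of the loader trick. The `GLIBC_…' not found` message from the journal is the loader refusing a binary that needs newer symbol versions than the libc it found, which is exactly what the private library path sidesteps.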
+_2017-05-07_+
A friend supported me (*thanks!*) with his experience and equipment to see whether any serial or JTAG interface might still work, so we could maybe change the wrong symlink.
The following pictures show the results of our probing (SK1, PL1, PL2, PL3, J1 and J4):

!nano3G_PCB_front_preview.JPG!

!nano3G_PCB_back_preview.JPG!

Unfortunately we didn't find any serial connection, although some pins indicated some sort of communication.
Furthermore, the Spansion S29GL-512P10FFCR2 flash used is BGA and not TSOP ("datasheet":https://media.digikey.com/pdf/Data%20Sheets/Cypress%20PDFs/S29GLyyyP_Dec-16-2015.pdf). So an attempt to desolder and fix the flash as described in "Reverse Engineering Flash memory for Fun and Benefit":https://www.blackhat.com/docs/us-14/materials/us-14-Oh-Reverse-Engineering-Flash-Memory-For-Fun-And-Benefit.pdf could not be applied.

+_2017-05-08_+
Thinking about buying a "BGA64 test socket":http://www.vipprogrammer.com/nand-bga64-test-socket-adapter-for-proman-tl86plus-nand-programmer-programmer-3533 in order to desolder and fix the Spansion flash.
But first buying a S29GL512P10FFCR2 (LAA064), a S29GL512P10TFCR2 (TSO56) and a "TSOP56 test socket":http://www.ebay.de/itm/New-TSOP56-TSOP-56-TO-DIP56-DIP-56-0-5mm-Universal-IC-Programmer-Socket-Adapter-/162210700904?hash=item25c482de68:g:pdMAAOSwPCVX4amp - which is much cheaper than the BGA64 test socket - to play around with this flash type before doing anything with/on the hNodeB.

Buying an "Omnikey CardMan 3121 USB CCID reader":http://shop.sysmocom.de/products/cm3121 and a "Professional SIM card adapter":http://shop.sysmocom.de/products/sim-adapter-pcb to be able to tinker with SIM cards as long as the flash and test socket haven't arrived.

h2. Conclusions

- UEs are connecting. Voice calls + SMS + data are working and UEs are *not* roaming. =)
- *Never ever* mess around with libc.so.6 :/