Accelerate3g5 -- blobb » History » Version 100

blobb, 04/30/2017 05:13 PM

h1. Accelerate3g5 -- blobb

h2. Summary

Trying to come up with a fuzzing interface.

h3. Participants

* André (email: dr.blobb@gmail.com)

h2. Details

First, set up the femtocell and understand the basics of UMTS communication needed to do so. (done)
Collect information, e.g. slides, talks and documentation, about fuzzing of wireless protocols. (done)
Write some code to craft requests and run fuzz tests against the subscriber. (to be done)

Note: first time fuzzing.

h2. Test devices

TD1: Samsung Galaxy S5 Mini (G800F)
 OS: Lineage OS (14.1/7.1.1)
 BB: G800FXXU1BPC3
 SIM: MicroSIM

TD2: LG Nexus 5 (hammerhead)
 OS: Android Marshmallow (6.0)
 BB: M48974A-2.0.50.2.27
 SIM: MicroSIM

TD3: HTC One M9
 OS: Android Lollipop (5.1)
 BB: 01.04_U11440601_71.02.50709G_F
 SIM: NanoSIM (cut MicroSIM)

TD4: Samsung S3 (GT-I9300)
 OS: Android Jelly Bean (4.3)
 BB: I9300XXUGNA8
 SIM: MicroSIM

h2. Journal

+_2017-03-07_+
Pick up package at Sysmocom office.
Having an informative conversation with Neels about Jenkins, Docker and build artifacts.

+_2017-03-12_+
Set up wiki page.
Seeing femtocell on network interface.
Compiled source as described, but couldn't configure/launch CN successfully (yet).
Next time will try Neels' launch script and same IP range.

+_2017-03-15_+
Reading "data sheet [overview]":http://www.ipaccess.com/uploads/wysiwyg_editor/files/2017/S8_S16-Datasheet-v1.0.pdf and "data sheet [details]":https://fccid.io/pdf.php?id=1462491 about the ip.access nano3G S8.
Configuring femtocell via telnet (dry run).
Running into the HLR issue mentioned in the wiki when invoking run.sh.

+_2017-04-02_+
Collecting input about fuzzing:

papers/theses:
>"SMS Fuzzing - SIM Toolkit Attack - B. Alecu, defcon21 2013":https://www.defcon.org/images/defcon-21/dc-21-presentations/Alecu/DEFCON-21-Bogdan-Alecu-Attacking-SIM-Toolkit-with-SMS-WP.pdf
>"SMS Vulnerability Analysis on Feature Phones - N. Golde, 2011":http://www.isti.tu-berlin.de/fileadmin/fg214/finished_theses/NicoGolde/diplom_golde.pdf
>"Fuzzing the GSM Protocol - B. Hond, master thesis 2011":http://www.ru.nl/publish/pages/769526/scriptie-brinio-final-brinio_hond.pdf

talks:
>"SMS Fuzzing - Sim Toolkit Attack - B. Alecu, Deepsec 2011":http://www.securitytube.net/video/2518
>"Using OpenBSC for fuzzing of GSM handsets - H. Welte, 26c3 2009":http://mirror.fem-net.de/CCC/26C3/mp4/26c3-3535-en-using_openbsc_for_fuzzing_of_gsm_handsets.mp4

slides:
>"MobiDeke: Fuzzing the GSM Protocol Stack - S. Dudek & G. Delugré, hack.lu 2012":http://archive.hack.lu/2012/Fuzzing_The_GSM_Protocol_Stack_-_Sebastien_Dudek_Guillaume_Delugre.pdf
>"Base Jumping - Attacking the GSM BB and BTS - grugq, 2010":http://conference.hackinthebox.org/hitbsecconf2010kul/materials/D2T1%20-%20The%20Grugq%20-%20Attacking%20GSM%20Basestations.pdf
>"Fuzzing your GSM phone - Harald Welte, 26c3 2009":https://events.ccc.de/congress/2009/Fahrplan/attachments/1503_openbsc_gsm_fuzzing.pdf
>"Fuzzing the Phone in your Phone - C. Miller & C. Mulliner, Blackhat 2009":https://engineering.purdue.edu/dcsl/reading/2011/jevin-fuzzing.pdf
>"Injecting SMS Messages into Smart Phones for Security Analysis - C. Mulliner, 2009":https://www.mulliner.org/security/sms/feed/injecting_sms_mulliner_miller.pdf
>"Security Testing esp. Fuzzing - E. Poll, ????":https://www.cs.ru.nl/E.Poll/ss/slides/12_Fuzzing.pdf

+_2017-04-19_+
Resolving the HLR issue and setting correct IPs in the "*.cfg files":https://osmocom.org/attachments/download/2559/3G-config-example-v3.tar.
hNodeB connects to hnbgw, but no UE is connecting to it.
> [issue from wiki: ...unable to resolve DNS record look up of 0.ipaccess.pool.ntp.org... no trx].
Connecting the femtocell to a LAN with internet access resolves the DNS lookup issue, but still no phones are connecting (yet).
Adding SIM cards to hlr.db, after creating the db successfully [thanks to "andreas":https://osmocom.org/projects/cellular-infrastructure/wiki/Accelerate3g5_--_andreas]

+_2017-04-20_+
Create and attach "build_3G.sh":https://osmocom.org/attachments/download/2602/build_3G.sh (adapted from "build_2G.sh":https://osmocom.org/attachments/download/2438/build_2G.sh).
Rebuild with correct branch/tag (openbsc:vlr_3G, libosmo-sccp:old_sua).
TD1 and TD2 *successfully connected* to femtocell!!! *\o/*
*Voice calls work* (TD1<->TD2).

+_2017-04-22_+
Create and attach "configure_nano3G.exp":https://projects.osmocom.org/attachments/download/2604/configure_nano3G.exp.
> Invoke the expect script within "run.sh":https://projects.osmocom.org/attachments/download/2559/3G-config-example-v3.tar to automate the initial nano3G configuration via telnet.
*SMS works* (TD1<->TD2); it probably worked before, but has only been tested today.

+_2017-04-24_+
Compile OpenBSC with the --enable-mgcp-transcoding flag and create 127.0.0.2 on lo. :)
Attach refactored version of "build_3G.sh":https://projects.osmocom.org/attachments/download/2605/build_3G.sh.
*Data "works"* (TD1<->TD2, TDx<->tun0/192.168.42.1).
>Note: data "worked" before (UEs got an IP on 2017-04-20). But I didn't manage to forward packets from tun0->eth0->inet yet, although the following iptables rules have been applied:
>>sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
>>sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

+_2017-04-25_+
Create and attach "find_nano3G.sh":https://osmocom.org/attachments/download/2609/find_nano3G.sh.
Picked up TD4 at a friend's place. Now I don't need to change the SIM/USIM card in TD1, which is my "normal" cell phone, to test functionality. *Thanks* a lot buddy, in case you might read this. :)

+_2017-04-26_+
As it actually belongs to the accelerate3g5 project, I add the "hands-on repo":https://github.com/blobbsen/repo-handson to this journal.
> It provides functionality to clone the necessary git repos and build the accelerate3g5 CN stack.

+_2017-04-29_+
Set MCC=809 (Mobile Country Code) and MNC=90 (Mobile Network Code) according to the SIM cards' IMSIs to avoid "roaming" indications on the UEs.
Tested MMS: doesn't work.

+_2017-04-30_+
Set MCC=809 and MNC=90 in osmo-msc.cfg as well as via telnet, because some devices were still roaming. Now every device roams again... 'raised eyebrow'
Set the correct iptables rule. UEs finally have an internet connection. *\o/* (GGSN listens on lo, not on eth*)

>sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
>sudo iptables -t nat -A POSTROUTING -o lo -j MASQUERADE

h2. Conclusions

- UEs are connecting. Voice calls + data are working, but still roaming. :/

On 29th of April I changed MCC and MNC from the "wiki-default":http://osmocom.org/projects/cellular-infrastructure/wiki/Configuring_the_ipaccess_nano3G values (MCC=901, MNC=98) to MCC=809 and MNC=90 on the hNodeB (telnet) to align with the SIM cards' IMSIs and avoid roaming. TD4 worked as expected, no roaming anymore. But TD1 only worked when data roaming was enabled. Moreover, TD2 showed a different "network name", 90198, and also only worked when roaming was enabled. So it seems that the MCC and MNC configured within osmo-cfg apply for some basebands (BB)?!?

S3      -> shows: 809 90   roams: no  (expected)
S5 mini -> shows: 809 90   roams: yes (confusing?!?!)
Nexus 5 -> shows: 901 98   roams: yes (expected)
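An added example (not code from this wiki page or the Osmocom project) that reproduces the roaming reasoning above in code: it splits the test SIMs' IMSIs into their home PLMN, reads MCC/MNC from an osmo-style config snippet and reports which SIMs would show a roaming indication under the wiki-default and the aligned configuration. The config keywords "network country code" / "mobile network code" and the two-digit MNC length are assumptions; the config snippets and IMSIs are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

Plmn = Tuple[str, str]  # (mcc, mnc) as decimal strings, e.g. ("809", "90")


def plmn_from_imsi(imsi: str, mnc_len: int = 2) -> Plmn:
    """IMSI = MCC (3 digits) + MNC (2 or 3 digits) + MSIN, at most 15 digits.
    The MNC length cannot be read off the digits alone; the SIM stores it in
    EF_AD, so the caller supplies it (2 for the cards here is an assumption)."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15 or mnc_len not in (2, 3):
        raise ValueError(f"invalid IMSI / MNC length: {imsi!r}, {mnc_len}")
    return imsi[:3], imsi[3:3 + mnc_len]


def plmn_from_cfg(cfg_text: str) -> Optional[Plmn]:
    """Extract MCC/MNC from an osmo-style 'network' section (assumed keyword
    syntax, see lead-in); None if either line is missing."""
    mcc = re.search(r"^\s*network country code (\d{3})\s*$", cfg_text, re.M)
    mnc = re.search(r"^\s*mobile network code (\d{2,3})\s*$", cfg_text, re.M)
    return (mcc.group(1), mnc.group(1)) if mcc and mnc else None


def displayed_plmn(cfg_text: str) -> str:
    """Digits a UE shows as 'network name' when it has no operator name for the
    PLMN, e.g. the '90198' the Nexus 5 displayed with the wiki-default config."""
    mcc, mnc = plmn_from_cfg(cfg_text) or ("?", "?")
    return mcc + mnc


def roaming_report(cfg_text: str, imsis: List[str], mnc_len: int = 2) -> Dict[str, bool]:
    """For each IMSI, True if a UE with that SIM would treat this network as
    foreign (home PLMN != configured PLMN) and thus show a roaming indication."""
    net = plmn_from_cfg(cfg_text)
    if net is None:
        raise ValueError("config does not set both MCC and MNC")
    return {imsi: plmn_from_imsi(imsi, mnc_len) != net for imsi in imsis}


# Constructed config snippets: the wiki default (901/98) and the values set on 2017-04-29.
CFG_WIKI_DEFAULT = "network\n network country code 901\n mobile network code 98\n"
CFG_ALIGNED = "network\n network country code 809\n mobile network code 90\n"
# Constructed placeholder IMSIs whose home PLMN is 809/90; not real subscribers.
TEST_IMSIS = ["809900000000001", "809900000000002"]

if __name__ == "__main__":
    for cfg in (CFG_WIKI_DEFAULT, CFG_ALIGNED):
        print(displayed_plmn(cfg), roaming_report(cfg, TEST_IMSIS))
```

The check only covers the PLMN identity; a baseband that keeps a cached PLMN or reads it from a different config path (as the S5 mini result above suggests) will not be explained by it.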