Accelerate3g5 -- blobb » History » Revision 111

blobb, 04/30/2017 05:30 PM


Accelerate3g5 -- blobb

Summary

Trying to come up with a fuzzing interface.

Participants

Details

First, setting up the femtocell and understanding the necessary basics of UMTS communication to do so. (almost done)
Collecting information, e.g. slides, talks, docs, about fuzzing of wireless protocols. (done)
Writing some code to craft requests and run fuzz tests against subscribers. (to be done)

Note: first time fuzzing.

Test devices

TD1: Samsung Galaxy S5 Mini (G800F)
OS: Lineage OS (14.1/7.1.1)
BB: G800FXXU1BPC3
SIM: MicroSIM

TD2: LG Nexus 5 (hammerhead)
OS: Android Marshmallow (6.0)
BB: M48974A-2.0.50.2.27
SIM: MicroSIM

TD3: HTC One M9
OS: Android Lollipop (5.1)
BB: 01.04_U11440601_71.02.50709G_F
SIM: NanoSIM (cut MicroSIM)

TD4: Samsung S3 (GT-I9300)
OS: Android Jelly Bean (4.3)
BB: I9300XXUGNA8
SIM: MicroSIM

Journal

2017-03-07
Pick up package at Sysmocom office.
Having an informative conversation with Neels about Jenkins, Docker and build artifacts.

2017-03-12
Set up wiki page.
Seeing femtocell on network interface.
Compiled source as described, but couldn't configure/launch CN successfully (yet).
Next time will try Neels' launch script and same IP range.

2017-03-15
Reading the data sheet [overview] and data sheet [details] about the ip.access nano3G S8.
Configuring femtocell via telnet (dry run).
Running into the HLR issue mentioned in the wiki when invoking run.sh.

2017-04-02
Collecting input about fuzzing:

papers/theses:

SMS Fuzzing - SIM Toolkit Attack - B. Alecu, defcon21 2013
SMS Vulnerability Analysis on Feature Phones - N. Golde, 2011
Fuzzing the GSM Protocol - B. Hond, master thesis 2011

talks:

SMS Fuzzing - Sim Toolkit Attack - B. Alecu, Deepsec 2011
Using OpenBSC for fuzzing of GSM handsets - H. Welte, 26c3 2009

slides:

MobiDeke: Fuzzing the GSM Protocol Stack - S. Dudek & G. Delugré, hack.lu 2012
Base Jumping - Attacking the GSM BB and BTS - grugq, 2010
Fuzzing your GSM phone - Harald Welte, 26c3 2009
Fuzzing the Phone in your Phone - C. Miller & C. Mulliner, Blackhat 2009
Injecting SMS Messages into Smart Phones for Security Analysis - C. Mulliner, 2009
Security Testing esp. Fuzzing - E. Poll, ????

2017-04-19
Resolving HLR issue and setting correct IPs in *.cfg files.
hNodeB connects to hnbgw, but no UE is connecting to it.

[issue from wiki: ...unable to resolve DNS record look up of 0.ipaccess.pool.ntp.org... no trx].

Connected the femtocell to a LAN with internet access to resolve the DNS record lookup issue; still no phones are connecting (yet).
Adding SIM cards to hlr.db after creating the db successfully [thanks to andreas].

2017-04-20
Create and attach build_3G.sh (adapted from build_2G.sh).
Rebuild with correct branch/tag (openbsc:vlr_3G,libosmo-sccp:old_sua).
TD1 and TD2 successfully connected to femtocell!!! \o/
Voice calls work (TD1<->TD2).

2017-04-22
Create and attach configure_nano3G.exp.

Invoke expect script within run.sh to automate initial nano3G configuration via telnet.

SMS works (TD1<->TD2); it probably worked before, but it has only been tested "today".

2017-04-24
Compile OpenBSC with --enable-mgcp-transcoding flag and create 127.0.0.2 on lo. :)
Attach refactored version of build_3G.sh.
Data "works" (TD1<->TD2, TDx<->tun0/192.168.42.1).

Note: data "worked" before (UEs got an IP on 2017-04-20). But I didn't manage to forward packets from tun0->eth0->inet yet, although the following iptables rules had been applied:

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

2017-04-25
Create and attach find_nano3G.sh.
Picked up TD4 at a friend's place. Now I don't need to change the SIM/USIM card in TD1, which is my "normal" cell phone to test functionality. Thanks a lot buddy :)

2017-04-26
As it actually belongs to the accelerate3g5 project, I added the hands-on repo to this journal.

It provides functionality to clone the necessary git repos and build the accelerate3g5 CN stack.

2017-04-29
Tested MMS: doesn't work.
I'd changed MCC and MNC from the "wiki-default" (http://osmocom.org/projects/cellular-infrastructure/wiki/Configuring_the_ipaccess_nano3G) values (MCC=901, MNC=98) to MCC=809 and MNC=90 on the hNodeB (telnet) to align with the SIM cards' IMSIs and avoid roaming. TD4 worked as expected, no roaming anymore. But TD1 only worked when data roaming was enabled. Moreover, TD2 showed a different "network name", 90198, and also only worked when roaming was enabled. So it seems that the MCC and MNC configured within osmo-msc.cfg do apply for some BBs?!?

S3      -> shows: 809 90   roams: no  (expected)
S5 mini -> shows: 809 90   roams: yes (confusing?!?!)
Nexus 5 -> shows: 901 98   roams: yes (expected)

After aligning MCC and MNC between hNodeB and Osmo-MSC, all UEs showed the correct "network name" but were still roaming... (TODO: understand roaming)
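One sanity check for the roaming observations above is to compare each SIM's home PLMN (the MCC+MNC prefix of its IMSI) against the PLMN the MSC serves. This is an added example, not code from the project; the config snippet and IMSIs are constructed, and the "network country code" / "mobile network code" lines are assumed to follow the osmo-msc VTY config syntax. A mismatch explains a roaming indication; a match alone does not rule roaming out, as the journal shows.

```python
import re

# Constructed sample of an osmo-msc.cfg "network" block (assumed syntax).
SAMPLE_MSC_CFG = """\
network
 network country code 809
 mobile network code 90
 short name fuzzlab
"""

# Constructed test subscribers: the IMSI prefix is the SIM's home MCC+MNC.
SAMPLE_SUBSCRIBERS = {
    "TD1 (S5 mini)": "809900000000001",
    "TD2 (Nexus 5)": "901980000000002",
    "TD4 (S3)":      "809900000000004",
}


def parse_plmn(cfg_text):
    """Return (mcc, mnc) as strings from the MSC 'network' block."""
    mcc = re.search(r"^\s*network country code\s+(\d{3})\s*$", cfg_text, re.M)
    mnc = re.search(r"^\s*mobile network code\s+(\d{2,3})\s*$", cfg_text, re.M)
    if not (mcc and mnc):
        raise ValueError("MCC/MNC not found in config")
    return mcc.group(1), mnc.group(1)


def imsi_plmn(imsi, mnc_len):
    """Split a 15-digit IMSI into its home (MCC, MNC); the MNC is 2 or 3 digits."""
    if not re.fullmatch(r"\d{15}", imsi) or mnc_len not in (2, 3):
        raise ValueError("malformed IMSI or MNC length")
    return imsi[:3], imsi[3:3 + mnc_len]


def roaming_report(cfg_text, subscribers):
    """Map each device to True when its SIM's home PLMN differs from the serving PLMN."""
    serving = parse_plmn(cfg_text)
    mnc_len = len(serving[1])  # compare with the MNC length the network uses
    return {name: imsi_plmn(imsi, mnc_len) != serving
            for name, imsi in subscribers.items()}


if __name__ == "__main__":
    for dev, roams in roaming_report(SAMPLE_MSC_CFG, SAMPLE_SUBSCRIBERS).items():
        print(f"{dev:15} roams: {'yes' if roams else 'no'}")
```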

2017-04-30
Set csgAccessMode to CSG_ACCESS_MODE_CLOSED_ACCESS to avoid interfering with UEs not owned by me.
Set the correct iptables rule. UEs finally have an internet connection. \o/ (GGSN listens on lo, not on eth*)

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo iptables -t nat -A POSTROUTING -o lo -j MASQUERADE

Conclusions

- UEs are connecting. Voice calls + data are working, but still roaming. :/

Files (9)
build_3G.sh_old (1.63 KB): script to build 3G tailored CN stack to run nano3G (holding necessary branches/tags) (blobb, 04/20/2017 11:48 PM)
configure_nano3G.exp (520 Bytes): expect script to configure nano3G in an automated manner (cuz we're lazy) (blobb, 04/22/2017 08:19 PM)
build_3G.sh (959 Bytes): refactored version of build_3G.sh_old (now with functions) (blobb, 04/24/2017 09:34 PM)
find_nano3G.sh (823 Bytes): script to find nano3G on network via nmap (port pattern) (blobb, 04/25/2017 11:48 AM)
nano3G_PCB_back.JPG (3.32 MB): full quality image (blobb, 05/10/2017 02:47 PM)
nano3G_PCB_front.jpg (3.75 MB): full quality image (blobb, 05/10/2017 02:47 PM)
nano3G_PCB_front_preview.jpg (586 KB): small image for preview (blobb, 05/10/2017 02:54 PM)
nano3G_PCB_back_preview.jpg (548 KB): small image for preview (blobb, 05/10/2017 02:54 PM)
ssh_banner.jpg (31.7 KB) (blobb, 05/10/2017 03:01 PM)

Updated by blobb almost 7 years ago · 111 revisions