Cellular Network Infrastructure

h1. Accelerate3g5 -- blobb

h2. Summary

Trying to come up with a fuzzing interface.

h3. Participants

* André (email: dr.blobb@gmail.com)

h2. Details

First setting up the femtocell and understand necessary basics of UMTS communication to do so. (done)

Collecting information e.g. slides, talks, docu about fuzzing of wireless protocols. (done)

Writing some code to craft requests and run fuzz tests against subscriber. (to be done)

Note: first time fuzzing.

 

h2. Test devices

TD1: Samsung Galaxy S5 Mini (G800F) 

 OS: Lineage OS (14.1/7.1.1) 

 BB: G800FXXU1BPC3

SIM: MicroSIM

TD2: LG Nexus 5 (hammerhead)

 OS: Android Marshmallow (6.0) 

 BB: M48974A-2.0.50.2.27

SIM: MicroSIM

TD3: HTC One M9

 OS: Android Lollipop (5.1)

 BB: 01.04_U11440601_71.02.50709G_F

SIM: NanoSIM (cutted MicroSIM)

TD4: Samsung S3 (GT-I9300)

 OS: Android Jelly Bean (4.3)

 BB: I9300XXUGNA8

SIM: MicroSim

 

 

h2. Journal

+_2017-03-07_+

Pick up package at Sysmocom office.

Having an informative conversation with Neels about Jenkins, Docker and build artifacts.

+_2017-03-12_+

Set up wiki page.

Seeing femtocell on network interface.

Compiled source as described, but couldn't configure/launch CN successfully (yet).

Next time will try Neels' launch script and same IP range.

+_2017-03-15_+

Reading "data sheet [overview]":http://www.ipaccess.com/uploads/wysiwyg_editor/files/2017/S8_S16-Datasheet-v1.0.pdf "data sheet [details]":https://fccid.io/pdf.php?id=1462491 about ip.access nano3G S8.

Configuring femtocell via telnet (dry run).

Running in HLR issue mentioned in wiki when invoking run.sh.

+_2017_04-02_+

Collecting input about fuzzing:

papers/theses:

>"SMS Fuzzing - SIM Toolkit Attack - B. Alecu, defcon21 2013":https://www.defcon.org/images/defcon-21/dc-21-presentations/Alecu/DEFCON-21-Bogdan-Alecu-Attacking-SIM-Toolkit-with-SMS-WP.pdf

>"SMS Vulnerability Analysis on Feature Phones - N. Golde, 2011":http://www.isti.tu-berlin.de/fileadmin/fg214/finished_theses/NicoGolde/diplom_golde.pdf

>"Fuzzing the GSM Protocol - B. Hond, master thesis 2011":http://www.ru.nl/publish/pages/769526/scriptie-brinio-final-brinio_hond.pdf

talks:

>"SMS Fuzzing - Sim Toolkit Attack - B. Alecu, Deepsec 2011":http://www.securitytube.net/video/2518

>"Using OpenBSC for fuzzing of GSM handsets - H. Welte, 26c3 2009":http://mirror.fem-net.de/CCC/26C3/mp4/26c3-3535-en-using_openbsc_for_fuzzing_of_gsm_handsets.mp4

slides:

>"MobiDeke: Fuzzing the GSM Protocol Stack - S. Dudek & G. Delugr, hack.lu 2012":http://archive.hack.lu/2012/Fuzzing_The_GSM_Protocol_Stack_-_Sebastien_Dudek_Guillaume_Delugre.pdf

>"Base Jumping - Attacking the GSM BB and BTS - grugq, 2010":http://conference.hackinthebox.org/hitbsecconf2010kul/materials/D2T1%20-%20The%20Grugq%20-%20Attacking%20GSM%20Basestations.pdf

>"Fuzzing your GSM phone - Harald Welte, 26c3 2009":https://events.ccc.de/congress/2009/Fahrplan/attachments/1503_openbsc_gsm_fuzzing.pdf

>"Fuzzing the Phone in your Phone - C. Miller & C. Mulliner, Blackhat 2009":https://engineering.purdue.edu/dcsl/reading/2011/jevin-fuzzing.pdf

>"Injecting SMS Messages into Smart Phones for Security Analysis - C. Mulliner, 2009":https://www.mulliner.org/security/sms/feed/injecting_sms_mulliner_miller.pdf

>"Security Testing esp. Fuzzing - E. Poll, ????":https://www.cs.ru.nl/E.Poll/ss/slides/12_Fuzzing.pdf

+_2017-04-19_+

Resolving HLR issue and set correct IPs in "*.cfg files":https://osmocom.org/attachments/download/2559/3G-config-example-v3.tar. 

hNodeB connects to hnbgw, but no UE is connecting to it. 

> [issue from wiki: ...unable to resolve DNS record look up of 0.ipaccess.pool.ntp.org... no trx].

Connect femtocell to LAN with internet access to resolve DNS record look up issue, still no phones are connecting (yet).

Adding SIM cards to hlr.db, after creating db successfully [thanks to "andreas":https://osmocom.org/projects/cellular-infrastructure/wiki/Accelerate3g5_--_andreas]

+_2017-04-20_+

Create and attach "build_3G.sh":https://osmocom.org/attachments/download/2602/build_3G.sh (adapted from "build_2G.sh":https://osmocom.org/attachments/download/2438/build_2G.sh).

Rebuild with correct branch/tag (openbsc:vlr_3G,libosmo-sccp:old_sua).

TD1 and TD2 *successfully connected* to femtocell!!! *\o/*

*Voice calls work* (TD1<->TD2).

+_2017-04-22_+

Create and attach "configure_nano3G.exp":https://projects.osmocom.org/attachments/download/2604/configure_nano3G.exp. 

> Invoke expect script within "run.sh":https://projects.osmocom.org/attachments/download/2559/3G-config-example-v3.tar to automate initial nano3G configuration via telnet. 

*SMS work* (TD1<->TD2), probably worked before but have been tested "today".

+_2017-04-24_+

Compile OpenBSC with --enable-mgcp-transcoding flag and create 127.0.0.2 on lo. :)

Attach refactored version of "build_3G.sh":https://projects.osmocom.org/attachments/download/2605/build_3G.sh.

*Data "works"* (TD1<->TD2, TDx<->tun0/192.168.42.1

>Note: data "worked" before (UEs got IP 2017-4-20). But I didn't manage to forward packets from tun0->eth0->inet yet, although the following iptable rule has been applied:

>>sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward" 

>>sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

+_2017-04-25_+

Create and attach "find_nano3G.sh":https://osmocom.org/attachments/download/2609/find_nano3G.sh.

Picked up TD4 at a friend's place. Now I don't need to change the SIM/USIM card in TD1, which is my "normal" cell phone to test functionality. *Thanks* a lot buddy :)

+_2017-04-26_+

As it actually belongs to the accelerate3g5 project, I add the "hands-on repo":https://github.com/blobbsen/repo-handson this journal.

> It provides functionality to clone necessary git repos and build accerelate3g5 CN stack.

+_2017-04-29_+

Test MMS, *doesn't* work.

I'd changed MCC and MNC from the "wiki-default":http://osmocom.org/projects/cellular-infrastructure/wiki/Configuring_the_ipaccess_nano3G values (MCC=901, MNC=98) to MCC=809 and MNC=90 on the hNodeB (telnet) to align with SIM-cards' IMSIs and avoid roaming. The result was: 

>S3            -> shows: 809 90     roams: no   (expected)

>S5 mini  -> shows: 809 90     roams: yes (confusing?!?!)

>Nexus 5 -> shows: 901 98     roams: yes (expected)

So it seemed that configurations of MCC and MNC within osmo-msc.cfg do apply for some BB, because osmo-msc.cfg is the only config holding MCC=809 and MNC=90.

After aligning MCC and MNC between hNodeB and Osmo-MSC all UEs shows the correct "network name", but were all roaming... (TODO: understand roaming)

+_2017-04-30_+

Set csgAccessMode to CSG_ACCESS_MODE_CLOSED_ACCESS to avoid interfering with UEs now owned by me.

Set correct ip table rule. UE's have finally internet connection. *\o/* (GGSN listens on *lo* not on eth*)  

>sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward" 

>sudo iptables -t nat -A POSTROUTING -o lo -j MASQUERADE

+_2017-05-01_+

UEs are not roaming anymore *\o/*. Actually the explanation of a friend how the MCC and MNC has to be set according to the IMSI was correct, 

but I wasn't able to read the IMSI correct from the "sysmocom plastic card". Such IMSIs on the sysmocom plastic card consists of 18 digits. 

After comparing IMSIs on "plastic card" with IMSIs in delivery e-mail and using last mentioned digits it works. 

Moreover, I now know that the IMSI can ONLY hold 15 digits and consists of MCC (3), MNC (2-3) and MSIN (9-10).

 

 

h2. Conclusions

- UE's are connecting. Voice calls + SMS + data are working and UEs are *not* roaming. =)