Revision 140 (blobb, 05/10/2017 02:59 PM) → Revision 141/153 (blobb, 05/10/2017 03:02 PM)

h1. Accelerate3g5 -- blobb 

 h2. Summary 

 Trying to come up with a fuzzing interface. 

 h3. Participants 

 * André (email: dr.blobb@gmail.com) 

   

 h2. Details 

 *1)* First, setting up the femtocell and understanding the necessary basics of UMTS communication to do so. (done) 
 *2)* Collecting information, e.g. slides, talks and documentation about fuzzing wireless protocols. (done) 
 *3)* Craft requests and run fuzz tests against subscribers. (to be done) 

 Note: first time fuzzing. 

   

 h2. Test devices 

 TD1: Samsung Galaxy S5 Mini (G800F)  
  OS: Lineage OS (14.1/7.1.1)  
  BB: G800FXXU1BPC3 
 SIM: MicroSIM 

 TD2: LG Nexus 5 (hammerhead) 
  OS: Android Marshmallow (6.0)  
  BB: M48974A-2.0.50.2.27 
 SIM: MicroSIM 

 TD3: HTC One M9 
  OS: Android Lollipop (5.1) 
  BB: 01.04_U11440601_71.02.50709G_F 
 SIM: NanoSIM (cut-down MicroSIM) 

 TD4: Samsung S3 (GT-I9300) 
  OS: Android Jelly Bean (4.3) 
  BB: I9300XXUGNA8 
 SIM: MicroSIM 

   
   

 h2. Journal 

   
 +*1) Setting up the network*+ 

 +_2017-03-07_+ 
 Picked up the package at the sysmocom office. 
 Having an informative conversation with Neels about Jenkins, Docker and build artifacts. 

 +_2017-03-12_+ 
 Set up wiki page. 
 Seeing the femtocell on the network interface. 
 Compiled the source as described, but couldn't configure/launch the CN successfully (yet). 
 Next time I will try Neels' launch script and the same IP range. 

 +_2017-03-15_+ 
 Reading the "data sheet [overview]":http://www.ipaccess.com/uploads/wysiwyg_editor/files/2017/S8_S16-Datasheet-v1.0.pdf and "data sheet [details]":https://fccid.io/pdf.php?id=1462491 about the ip.access nano3G S8. 
 Configuring the femtocell via telnet (dry run). 
 Running into the HLR issue mentioned in the wiki when invoking run.sh. 

 +_2017-04-02_+ 
 *2) Collecting input about fuzzing*: 

 papers/theses: 
 >"SMS Fuzzing - SIM Toolkit Attack - B. Alecu, defcon21 2013":https://www.defcon.org/images/defcon-21/dc-21-presentations/Alecu/DEFCON-21-Bogdan-Alecu-Attacking-SIM-Toolkit-with-SMS-WP.pdf 
 >"SMS Vulnerability Analysis on Feature Phones - N. Golde, 2011":http://www.isti.tu-berlin.de/fileadmin/fg214/finished_theses/NicoGolde/diplom_golde.pdf 
 >"Fuzzing the GSM Protocol - B. Hond, master thesis 2011":http://www.ru.nl/publish/pages/769526/scriptie-brinio-final-brinio_hond.pdf 

 talks: 
 >"SMS Fuzzing - Sim Toolkit Attack - B. Alecu, Deepsec 2011":http://www.securitytube.net/video/2518 
 >"Using OpenBSC for fuzzing of GSM handsets - H. Welte, 26c3 2009":http://mirror.fem-net.de/CCC/26C3/mp4/26c3-3535-en-using_openbsc_for_fuzzing_of_gsm_handsets.mp4 

 slides: 
 >"MobiDeke: Fuzzing the GSM Protocol Stack - S. Dudek & G. Delugré, hack.lu 2012":http://archive.hack.lu/2012/Fuzzing_The_GSM_Protocol_Stack_-_Sebastien_Dudek_Guillaume_Delugre.pdf 
 >"Base Jumping - Attacking the GSM BB and BTS - grugq, 2010":http://conference.hackinthebox.org/hitbsecconf2010kul/materials/D2T1%20-%20The%20Grugq%20-%20Attacking%20GSM%20Basestations.pdf 
 >"Fuzzing your GSM phone - Harald Welte, 26c3 2009":https://events.ccc.de/congress/2009/Fahrplan/attachments/1503_openbsc_gsm_fuzzing.pdf 
 >"Fuzzing the Phone in your Phone - C. Miller & C. Mulliner, Blackhat 2009":https://engineering.purdue.edu/dcsl/reading/2011/jevin-fuzzing.pdf 
 >"Injecting SMS Messages into Smart Phones for Security Analysis - C. Mulliner, 2009":https://www.mulliner.org/security/sms/feed/injecting_sms_mulliner_miller.pdf 
 >"Security Testing esp. Fuzzing - E. Poll, ????":https://www.cs.ru.nl/E.Poll/ss/slides/12_Fuzzing.pdf 

 +_2017-04-19_+ 
 Resolving the HLR issue and setting the correct IPs in the "*.cfg files":https://osmocom.org/attachments/download/2559/3G-config-example-v3.tar.  
 The hNodeB connects to the hnbgw, but no UE is connecting to it.  
 > [issue from wiki: ...unable to resolve DNS record look up of 0.ipaccess.pool.ntp.org... no trx]. 
 Connected the femtocell to a LAN with internet access to resolve the DNS record lookup issue; still no phones are connecting (yet). 
 Adding SIM cards to hlr.db after creating the db successfully [thanks to "andreas":https://osmocom.org/projects/cellular-infrastructure/wiki/Accelerate3g5_--_andreas]. 

 +_2017-04-20_+ 
 Create and attach "build_3G.sh":https://osmocom.org/attachments/download/2602/build_3G.sh (adapted from "build_2G.sh":https://osmocom.org/attachments/download/2438/build_2G.sh). 
 Rebuilt with the correct branch/tag (openbsc:vlr_3G, libosmo-sccp:old_sua). 
 TD1 and TD2 *successfully connected* to femtocell!!! *\o/* 
 *Voice calls work* (TD1<->TD2). 

 +_2017-04-22_+ 
 Create and attach "configure_nano3G.exp":https://projects.osmocom.org/attachments/download/2604/configure_nano3G.exp.  
 > Invoke the expect script within "run.sh":https://projects.osmocom.org/attachments/download/2559/3G-config-example-v3.tar to automate the initial nano3G configuration via telnet.  
 *SMS works* (TD1<->TD2); it probably worked before but was only tested today. 

 +_2017-04-24_+ 
 Compiled OpenBSC with the --enable-mgcp-transcoding flag and created 127.0.0.2 on lo. :) 
 Attach refactored version of "build_3G.sh":https://projects.osmocom.org/attachments/download/2605/build_3G.sh. 
 *Data "works"* (TD1<->TD2, TDx<->tun0/192.168.42.1). 
 >Note: data "worked" before (UEs got an IP on 2017-04-20). But I didn't manage to forward packets from tun0->eth0->inet yet, although the following iptables rules have been applied: 
 >>sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"  
 >>sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 

 +_2017-04-25_+ 
 Create and attach "find_nano3G.sh":https://osmocom.org/attachments/download/2609/find_nano3G.sh. 
 Picked up TD4 at a friend's place. Now I don't need to change the SIM/USIM card in TD1, which is my "normal" cell phone, to test functionality. *Thanks* a lot, buddy :) 

 +_2017-04-26_+ 
 As it actually belongs to the accelerate3g5 project, I add the "hands-on repo":https://github.com/blobbsen/repo-handson to this journal. 
 > It provides functionality to clone the necessary git repos and build the accelerate3g5 CN stack. 

 +_2017-04-29_+ 
 Tested MMS; it *doesn't* work. 
 I'd changed the MCC and MNC from the "wiki-default":http://osmocom.org/projects/cellular-infrastructure/wiki/Configuring_the_ipaccess_nano3G values (MCC=901, MNC=98) to MCC=809 and MNC=90 on the hNodeB (telnet) to align with the SIM cards' IMSIs and avoid roaming, but it didn't work out (yet). 
  
 +_2017-04-30_+ 
 Set csgAccessMode to CSG_ACCESS_MODE_CLOSED_ACCESS to avoid interfering with UEs not owned by me. 
 Set an additional iptables rule. UEs finally have an internet connection. *\o/*   
 
 >sudo iptables -t nat -A POSTROUTING -o lo -j MASQUERADE 


 +_2017-05-01_+ 
 UEs are not roaming anymore *\o/*. Actually, a friend's explanation of how the MCC and MNC have to be set according to the IMSI (digits 0-2 MCC, 3-4 MNC) was correct,  
 but I didn't read the IMSI correctly from the "sysmocom full-size SIM card". Such IMSIs on the full-size SIM card consist of 18 digits.  
 After using the IMSIs from the delivery e-mail (which are 15 digits long and not 18 like the full-size-SIM-card IMSI) it works.  
 Moreover, I now know that the IMSI can ONLY hold 15 digits and consists of MCC (3), MNC (2-3) and MSIN (9-10). 

 A poor/manual stability test for the entire UMTS network has been successful for 12 hours (DL: 7.8-5.9 Mbit/s, UL: 1.2-0.8 Mbit/s, ping: 170-150 ms). 
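As an added example (not code from this wiki page or from the osmocom project), the following Python applies the IMSI split described above, MCC (3) + MNC (2-3) + MSIN, and decides against the PLMN configured on the hNodeB whether a subscriber would be treated as home or roaming. It also rejects strings that cannot be an IMSI at all, such as an 18-digit number read off the card body. The home PLMN values (the wiki-default 901/98), the sample IMSIs and the ICCID-style 18-digit string are constructed for illustration and are not real identities.

```python
"""Split IMSIs by MCC/MNC/MSIN and check them against a femtocell's PLMN.

Assumptions (not from the wiki page): the "home PLMN" is the (MCC, MNC) pair
configured on the hNodeB; an IMSI whose leading digits equal MCC+MNC is a home
subscriber, any other valid IMSI would roam. Sample IMSIs are constructed.
"""
import re

# An IMSI is all digits and at most 15 of them (3 MCC + 2-3 MNC + MSIN).
IMSI_RE = re.compile(r"\d{6,15}")


def parse_imsi(imsi: str, home_mcc: str, home_mnc: str) -> dict:
    """Split an IMSI relative to a configured home PLMN.

    Raises ValueError for strings that cannot be an IMSI, e.g. the 18-digit
    number printed on a full-size SIM card, which is a card number, not an IMSI.
    """
    if not IMSI_RE.fullmatch(imsi):
        raise ValueError(f"{imsi!r} is not an IMSI: must be 6-15 digits")
    if not (home_mcc.isdigit() and len(home_mcc) == 3
            and home_mnc.isdigit() and len(home_mnc) in (2, 3)):
        raise ValueError("home PLMN must be a 3-digit MCC and a 2- or 3-digit MNC")

    mcc = imsi[:3]
    if imsi.startswith(home_mcc + home_mnc):
        # The network knows its own MNC length, so the split is unambiguous.
        mnc, mnc_length_known = home_mnc, True
    else:
        # For a foreign IMSI the MNC length (2 or 3) is only known from a PLMN
        # table; report the 2-digit prefix and flag the ambiguity explicitly.
        mnc, mnc_length_known = imsi[3:5], False
    msin = imsi[3 + len(mnc):]
    return {
        "imsi": imsi,
        "mcc": mcc,
        "mnc": mnc,
        "msin": msin,
        "mnc_length_known": mnc_length_known,
        "home": imsi.startswith(home_mcc + home_mnc),
    }


def classify_subscribers(imsis, home_mcc, home_mnc):
    """Return (home, roaming, rejected) for a batch of IMSI strings."""
    home, roaming, rejected = [], [], []
    for s in imsis:
        try:
            info = parse_imsi(s, home_mcc, home_mnc)
        except ValueError as exc:
            rejected.append((s, str(exc)))
            continue
        (home if info["home"] else roaming).append(info)
    return home, roaming, rejected


if __name__ == "__main__":
    # Constructed sample data: wiki-default test PLMN 901/98 and three strings.
    HOME_MCC, HOME_MNC = "901", "98"
    samples = [
        "901980000000001",     # matches the hNodeB's PLMN -> home subscriber
        "262010000000002",     # different PLMN prefix -> would roam on 901/98
        "898821000000000001",  # 18 digits, ICCID-style card number, not an IMSI
    ]
    h, r, x = classify_subscribers(samples, HOME_MCC, HOME_MNC)
    for info in h:
        print("home    ", info["imsi"], "MSIN", info["msin"])
    for info in r:
        print("roaming ", info["imsi"], "MCC", info["mcc"], "MNC prefix", info["mnc"])
    for s, why in x:
        print("rejected", s, "-", why)
```

The check mirrors what the network does: it only needs its own MCC/MNC to recognise its subscribers, which is why the 15-digit IMSI from the delivery e-mail works while the longer number on the card body is rejected outright instead of being silently truncated.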

 +*3) Understand and try to fuzz handsets*+ 
 +_2017-05-03_+ 
 The root file system is only mounted read-only; "mount -o remount,rw /" remounts it read-write. 
 Changed the ssh_banner (just for fun): 

 !ssh_banner.jpg! 
 !ssh_banner! 

 Changed the thttpd port to 80 and served my own index.html (just for fun). 
 The entire network still works fine with the thttpd port changed to 80. 

 +_2017-05-04_+ 
 Thinking about installing python and scapy on the hNodeB to see whether we could fuzz directly on the imq0-15 interfaces, as they might represent the UL+DL connections of the UEs.  
 (The nano3G S8 can serve up to 8 clients -> 8*(UL+DL) = 16 interfaces.) 

 First problem: we only have ~20 MB of storage left for python and scapy, which are around 70 MB, and we cannot use ipkg to install anything as the repository servers are not available. 
 The storage problem can be solved by creating a ramdisk. I've created a 70 MB ramdisk and verified whether the entire network still works.  
 Yes it does, although only 2.4 MB RAM was left and 2 UEs were connected. 

 Copying the Python binaries and dependent libs (libssl.so.1.0.0, ...) from a Raspberry Pi Model A, because they use the same processor/architecture. 
 After all dependencies had been copied via ssh, python still didn't run, showing some "GLIBS_VERSION" error, so I tried to replace libc.so.6 with the one from the RasPi too. 
 This was a huge mistake, which at the same time showed me that I am missing system-level and C knowledge entirely, because some Google research (afterwards) proved that replacing libc.so.6 is a very, very bad idea. 
 After replacing libc.so.6, any executed command resulted in -> "Illegal Instruction - Core Dumped"... :S 

 I did a "Factory Reset", but it seems to only reset the AP configuration settings, or it might be damaged as well because of the libc.so.6 change. 
 The hNodeB still gets an IP from the DHCP server and one can ping it. But no ports are open anymore, thus I cannot connect at all. :/ 
 It seems that I really have bricked the hNodeB... -.-" 

 +_2017-05-07_+ 
 A friend supported me (*thanks*) with his knowledge and equipment to see whether any serial or JTAG interface might still work, so we could perhaps change the wrong symlink. 
 The following pictures show the results of our probing (SK1, PL1, PL2, PL3, J1 and J4): 

 !nano3G_PCB_front_preview.JPG! 

 !nano3G_PCB_back_preview.JPG!  

 Unfortunately we didn't find any serial connection, although some pins indicated some sort of communication. 
 Furthermore, the Spansion S29GL-512P10FFCR2 flash used is BGA and not TSOP ("datasheet":https://media.digikey.com/pdf/Data%20Sheets/Cypress%20PDFs/S29GLyyyP_Dec-16-2015.pdf). So an attempt to desolder and fix the flash as described in "Reverse Engineering Flash memory for Fun and Benefit":https://www.blackhat.com/docs/us-14/materials/us-14-Oh-Reverse-Engineering-Flash-Memory-For-Fun-And-Benefit.pdf could not be made. 

 +_2017-05-08_+ 
 Thinking about buying a "BGA64 test socket":http://www.vipprogrammer.com/nand-bga64-test-socket-adapter-for-proman-tl86plus-nand-programmer-programmer-3533 in order to desolder and fix the Spansion flash. 
 But first buying an S29GL512P10FFCR2 (LAA064), an S29GL512P10TFCR2 (TSO56) and a "TSOP56 test socket":http://www.ebay.de/itm/New-TSOP56-TSOP-56-TO-DIP56-DIP-56-0-5mm-Universal-IC-Programmer-Socket-Adapter-/162210700904?hash=item25c482de68:g:pdMAAOSwPCVX4amp - which is much cheaper than the BGA64 test socket - to play around with this flash type before doing anything with/on the hNodeB.  

 Buying an "Omnikey CardMan 3121 USB CCID reader":http://shop.sysmocom.de/products/cm3121 and a "Professional SIM card adapter":http://shop.sysmocom.de/products/sim-adapter-pcb to be able to tinker with SIM cards as long as the flash and test socket have not arrived. 


 h2. Conclusions 

 - UEs are connecting. Voice calls + SMS + data are working and UEs are *not* roaming. =) 
