Accelerate3g5 -- blobb » History » Version 152

blobb, 05/10/2017 03:36 PM

h1. Accelerate3g5 -- blobb

h2. Summary

Trying to come up with a fuzzing interface.

h3. Participants

* André (email: dr.blobb@gmail.com)

h2. Details

*1)* First set up the femtocell and understand the basics of UMTS communication necessary to do so. (done)
*2)* Collect information, e.g. slides, talks and documentation about fuzzing of wireless protocols. (done)
*3)* Craft requests and run fuzz tests against the subscriber. (in progress)

Note: first time fuzzing.

h2. Test devices

TD1: Samsung Galaxy S5 Mini (G800F)
 OS: Lineage OS (14.1/7.1.1)
 BB: G800FXXU1BPC3
 SIM: MicroSIM

TD2: LG Nexus 5 (hammerhead)
 OS: Android Marshmallow (6.0)
 BB: M48974A-2.0.50.2.27
 SIM: MicroSIM

TD3: HTC One M9
 OS: Android Lollipop (5.1)
 BB: 01.04_U11440601_71.02.50709G_F
 SIM: NanoSIM (cut MicroSIM)

TD4: Samsung S3 (GT-I9300)
 OS: Android Jelly Bean (4.3)
 BB: I9300XXUGNA8
 SIM: MicroSIM

h2. Journal

+*1) Setting up the network*+

+_2017-03-07_+
Picked up the package at the Sysmocom office.
Had an informative conversation with Neels about Jenkins, Docker and build artifacts.

+_2017-03-12_+
Set up the wiki page.
Seeing the femtocell on the network interface.
Compiled the source as described, but couldn't configure/launch the CN successfully (yet).
Next time I will try Neels' launch script and the same IP range.

+_2017-03-15_+
Reading the "data sheet [overview]":http://www.ipaccess.com/uploads/wysiwyg_editor/files/2017/S8_S16-Datasheet-v1.0.pdf and "data sheet [details]":https://fccid.io/pdf.php?id=1462491 about the ip.access nano3G S8.
Configuring the femtocell via telnet (dry run).
Running into the HLR issue mentioned in the wiki when invoking run.sh.

+_2017-04-02_+
*2) Collecting input about fuzzing*:

papers/theses:
>"SMS Fuzzing - SIM Toolkit Attack - B. Alecu, DEF CON 21, 2013":https://www.defcon.org/images/defcon-21/dc-21-presentations/Alecu/DEFCON-21-Bogdan-Alecu-Attacking-SIM-Toolkit-with-SMS-WP.pdf
>"SMS Vulnerability Analysis on Feature Phones - N. Golde, 2011":http://www.isti.tu-berlin.de/fileadmin/fg214/finished_theses/NicoGolde/diplom_golde.pdf
>"Fuzzing the GSM Protocol - B. Hond, master thesis 2011":http://www.ru.nl/publish/pages/769526/scriptie-brinio-final-brinio_hond.pdf

talks:
>"SMS Fuzzing - SIM Toolkit Attack - B. Alecu, DeepSec 2011":http://www.securitytube.net/video/2518
>"Using OpenBSC for fuzzing of GSM handsets - H. Welte, 26C3 2009":http://mirror.fem-net.de/CCC/26C3/mp4/26c3-3535-en-using_openbsc_for_fuzzing_of_gsm_handsets.mp4

slides:
>"MobiDeke: Fuzzing the GSM Protocol Stack - S. Dudek & G. Delugré, hack.lu 2012":http://archive.hack.lu/2012/Fuzzing_The_GSM_Protocol_Stack_-_Sebastien_Dudek_Guillaume_Delugre.pdf
>"Base Jumping - Attacking the GSM BB and BTS - grugq, 2010":http://conference.hackinthebox.org/hitbsecconf2010kul/materials/D2T1%20-%20The%20Grugq%20-%20Attacking%20GSM%20Basestations.pdf
>"Fuzzing your GSM phone - Harald Welte, 26C3 2009":https://events.ccc.de/congress/2009/Fahrplan/attachments/1503_openbsc_gsm_fuzzing.pdf
>"Fuzzing the Phone in your Phone - C. Miller & C. Mulliner, Black Hat 2009":https://engineering.purdue.edu/dcsl/reading/2011/jevin-fuzzing.pdf
>"Injecting SMS Messages into Smart Phones for Security Analysis - C. Mulliner, 2009":https://www.mulliner.org/security/sms/feed/injecting_sms_mulliner_miller.pdf
>"Security Testing esp. Fuzzing - E. Poll, ????":https://www.cs.ru.nl/E.Poll/ss/slides/12_Fuzzing.pdf

+_2017-04-19_+
Resolved the HLR issue and set the correct IPs in the "*.cfg files":https://osmocom.org/attachments/download/2559/3G-config-example-v3.tar.
The hNodeB connects to hnbgw, but no UE is connecting to it.
> [issue from wiki: ...unable to resolve DNS record look up of 0.ipaccess.pool.ntp.org... no trx].
Connected the femtocell to a LAN with internet access to resolve the DNS lookup issue; still no phones are connecting (yet).
Added SIM cards to hlr.db after creating the db successfully [thanks to "andreas":https://osmocom.org/projects/cellular-infrastructure/wiki/Accelerate3g5_--_andreas].

+_2017-04-20_+
Created and attached "build_3G.sh":https://osmocom.org/attachments/download/2602/build_3G.sh (adapted from "build_2G.sh":https://osmocom.org/attachments/download/2438/build_2G.sh).
Rebuilt with the correct branch/tag (openbsc:vlr_3G, libosmo-sccp:old_sua).
TD1 and TD2 *successfully connected* to the femtocell!!! *\o/*
*Voice calls work* (TD1<->TD2).

+_2017-04-22_+
Created and attached "configure_nano3G.exp":https://projects.osmocom.org/attachments/download/2604/configure_nano3G.exp.
> Invoke the expect script within "run.sh":https://projects.osmocom.org/attachments/download/2559/3G-config-example-v3.tar to automate the initial nano3G configuration via telnet.
*SMS work* (TD1<->TD2); this probably worked before, but was only tested today.

+_2017-04-24_+
Compiled OpenBSC with the --enable-mgcp-transcoding flag and created 127.0.0.2 on lo. :)
Attached a refactored version of "build_3G.sh":https://projects.osmocom.org/attachments/download/2605/build_3G.sh.
*Data "works"* (TD1<->TD2, TDx<->tun0/192.168.42.1).
>Note: data "worked" before (UEs got an IP on 2017-04-20), but I didn't manage to forward packets from tun0->eth0->inet yet, although the following iptables rules have been applied:
<pre>
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
</pre>

+_2017-04-25_+
Created and attached "find_nano3G.sh":https://osmocom.org/attachments/download/2609/find_nano3G.sh.
Picked up TD4 at a friend's place. Now I don't need to change the SIM/USIM card in TD1, which is my "normal" cell phone, to test functionality. *Thanks* a lot, buddy :)

+_2017-04-26_+
As it actually belongs to the accelerate3g5 project, I added the "hands-on repo":https://github.com/blobbsen/repo-handson to this journal.
> It provides functionality to clone the necessary git repos and build the accelerate3g5 CN stack.

+_2017-04-29_+
Tested MMS, *doesn't* work.
I'd changed MCC and MNC from the "wiki-default":http://osmocom.org/projects/cellular-infrastructure/wiki/Configuring_the_ipaccess_nano3G values (MCC=901, MNC=98) to MCC=809 and MNC=90 on the hNodeB (telnet) to align with the SIM cards' IMSIs and avoid roaming, but it didn't work out (yet).

+_2017-04-30_+
Set csgAccessMode to CSG_ACCESS_MODE_CLOSED_ACCESS to avoid interfering with UEs not owned by me.
Set an additional iptables rule. UEs finally have an internet connection. *\o/*

<pre>
sudo iptables -t nat -A POSTROUTING -o lo -j MASQUERADE
</pre>

+_2017-05-01_+
UEs are not roaming anymore *\o/*. Actually my friend's explanation of how the MCC and MNC have to be set according to the IMSI (digits 0-2 MCC, 3-4 MNC) was correct,
but I didn't read the IMSI correctly from the "sysmocom full-size SIM card". Such IMSIs on the full-size SIM card consist of 18 digits.
After using the IMSIs from the delivery e-mail (which are 15 digits long, not 18 like the full-size-SIM-card IMSI) it works.
Moreover, I now know that the IMSI can ONLY hold 15 digits and consists of MCC (3), MNC (2-3) and MSIN (9-10).

A poor/manual stability test of the entire UMTS network has been successful for 12 hours (DL: 7.8-5.9 Mbit/s, UL: 1.2-0.8 Mbit/s, ping: 170-150 ms).

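The IMSI split described above, as an added example in Python (not code from this page or from the osmocom project): the MNC length cannot be read from the IMSI digits themselves and has to be known from the operator, the SIM or the HLR entry, so the parser takes it as a parameter; the 15-digit limit is the check that would have rejected the 18-digit number printed on the card; and the PLMN comparison is the condition under which a UE stops showing the cell as roaming. All IMSI and MCC/MNC values in the block are constructed, not the ones from the journal.

```python
# Added example (not from this page or the osmocom project): IMSI parsing and
# home-PLMN check according to 3GPP TS 23.003. IMSI and PLMN values are constructed.
from typing import Dict, Iterable, NamedTuple


class Imsi(NamedTuple):
    mcc: str   # Mobile Country Code, always 3 digits
    mnc: str   # Mobile Network Code, 2 or 3 digits (the length is NOT encoded in the IMSI)
    msin: str  # Mobile Subscriber Identification Number, the remainder (at most 10 digits)


def parse_imsi(imsi: str, mnc_len: int = 2) -> Imsi:
    """Split an IMSI into MCC/MNC/MSIN.

    mnc_len must come from outside (the operator, the SIM's EF_AD file or the
    HLR entry); the digits alone do not tell whether the MNC is 2 or 3 long.
    """
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    if not imsi.isdigit():
        raise ValueError("IMSI must consist of decimal digits only")
    if len(imsi) > 15:
        # This is the check that catches an 18-digit number printed on a card.
        raise ValueError(f"{len(imsi)} digits, but an IMSI holds at most 15")
    if len(imsi) < 3 + mnc_len + 1:
        raise ValueError("IMSI too short for MCC + MNC + MSIN")
    return Imsi(imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:])


def is_home_plmn(imsi: str, mcc: str, mnc: str) -> bool:
    """True when the subscriber's PLMN equals the one configured on the hNodeB.

    A mismatch is exactly the situation in which the UE shows the cell as
    roaming; the network's own MNC length decides how many digits are compared.
    """
    if len(mcc) != 3 or not mcc.isdigit():
        raise ValueError("MCC must be 3 digits")
    parsed = parse_imsi(imsi, mnc_len=len(mnc))
    return parsed.mcc == mcc and parsed.mnc == mnc


def check_subscribers(imsis: Iterable[str], mcc: str, mnc: str) -> Dict[str, str]:
    """Map each IMSI to 'home', 'roaming' or the reason it was rejected."""
    result: Dict[str, str] = {}
    for imsi in imsis:
        try:
            result[imsi] = "home" if is_home_plmn(imsi, mcc, mnc) else "roaming"
        except ValueError as exc:
            result[imsi] = f"invalid: {exc}"
    return result


if __name__ == "__main__":
    # Constructed values: two subscribers of the configured PLMN, one of another
    # PLMN, and an 18-digit card number mistaken for an IMSI.
    subscribers = ["901980000000001", "901980000000002", "809900000000003",
                   "901980000000000001"]
    for imsi, state in check_subscribers(subscribers, "901", "98").items():
        print(f"{imsi:<20} {state}")
```

Running the block prints one line per IMSI; feeding it the list of IMSIs from the delivery e-mail together with the MCC/MNC set on the hNodeB shows immediately which subscribers will roam and which strings are not IMSIs at all.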
+*3) Understand how and try to fuzz handsets*+

+_2017-05-03_+
The system is only mounted read-only, but as usual the following command changes this to rw:
<pre>
mount -o remount,rw /
</pre>
Changed the ssh_banner (just for fun):

!ssh_banner.jpg!

Changed the thttpd port to 80 and show my own index.html (just for fun).
The entire network still works fine when the thttpd port is changed to 80.

+_2017-05-04_+
Thinking about installing python and scapy on the hNodeB to see whether we could fuzz directly on the imq0-15 interfaces, as they might represent the UL+DL connections of UEs.
(nano3G S8 can serve up to 8 clients -> 8*(UL+DL) = 16 interfaces)
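Since step 3) is about crafting requests against the subscriber and most of the references collected under 2) are about SMS fuzzing, here is an added example in Python (not code from this page, from the osmocom project or from any of the cited papers) of what such fuzz cases look like: a baseline SMS-DELIVER TPDU per 3GPP TS 23.040 with GSM 7-bit packing, and a few mutations of its length fields (TP-UDL, UDHL, concatenation IE) of the kind that SMS fuzzing targets. The originating address, timestamp and text are constructed; how a TPDU then reaches the UE in this setup (core-network side or directly on the hNodeB) is not covered by the page and is left as an assumption.

```python
# Added example (not code from this page, the osmocom project or the cited
# papers): build an SMS-DELIVER TPDU (3GPP TS 23.040 9.2.2.1) and derive
# length-field mutations from it as fuzz cases. Address, timestamp and text
# are constructed; delivering the TPDU to the UE is outside this snippet.
from typing import Iterator, Optional, Tuple

# Characters whose GSM 7-bit default alphabet code (TS 23.038) equals their
# ASCII code. Others ('@', '$', '_', '[', ...) differ and are rejected here.
_ASCII_COMPATIBLE_7BIT = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    " !\"#%&'()*+,-./:;<=>?"
)


def gsm7_septets(text: str) -> bytes:
    """Map text to GSM 7-bit septets (ASCII-compatible subset only)."""
    for ch in text:
        if ch not in _ASCII_COMPATIBLE_7BIT:
            raise ValueError(f"{ch!r} is not in the ASCII-compatible GSM 7-bit subset")
    return text.encode("ascii")


def pack_7bit(septets: bytes, fill_bits: int = 0) -> bytes:
    """Pack septets LSB-first into octets (TS 23.038 6.1.2.1.1).

    fill_bits is the padding inserted after a user-data header so that the
    text starts on a septet boundary.
    """
    out = bytearray()
    acc, nbits = 0, fill_bits      # the fill bits are the low zero bits of acc
    for s in septets:
        acc |= (s & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)
    return bytes(out)


def semi_octets(digits: str) -> bytes:
    """Swapped-nibble BCD as used for TP-OA digits and TP-SCTS; odd length padded with F."""
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))


def build_sms_deliver(oa: str, text: str, udh: Optional[bytes] = None,
                      udl_override: Optional[int] = None,
                      ud_override: Optional[bytes] = None) -> bytes:
    """Return the TPDU bytes. udh is the header without its UDHL byte.

    udl_override / ud_override deliberately let the caller break the
    consistency between TP-UDL and TP-UD; that is what the fuzz cases use.
    """
    septets = gsm7_septets(text)
    first = 0x04                       # TP-MTI=00 SMS-DELIVER, TP-MMS=1 (no more messages)
    if udh is not None:
        first |= 0x40                  # TP-UDHI: a user-data header is present
    tpdu = bytearray([first])
    tpdu.append(len(oa))               # TP-OA: address length in digits
    tpdu.append(0x91)                  # type-of-address: international number, ISDN plan
    tpdu += semi_octets(oa)
    tpdu.append(0x00)                  # TP-PID: normal short message
    tpdu.append(0x00)                  # TP-DCS: GSM 7-bit default alphabet
    tpdu += semi_octets("17050412000008")  # TP-SCTS, constructed: 2017-05-04 12:00:00 +02:00
    if udh is None:
        ud, udl = pack_7bit(septets), len(septets)
    else:
        udh_octets = len(udh) + 1      # including the UDHL byte
        fill = (7 - (udh_octets * 8) % 7) % 7
        ud = bytes([len(udh)]) + udh + pack_7bit(septets, fill)
        udl = (udh_octets * 8 + fill) // 7 + len(septets)   # TP-UDL counts septets incl. header
    tpdu.append(udl if udl_override is None else udl_override)
    tpdu += ud if ud_override is None else ud_override
    return bytes(tpdu)


def fuzz_cases(oa: str, text: str) -> Iterator[Tuple[str, bytes]]:
    """Yield (name, tpdu) pairs whose length fields disagree with the payload."""
    yield "baseline", build_sms_deliver(oa, text)
    # TP-UDL announces more septets than TP-UD carries: a decoder that trusts
    # it reads past the end of the message.
    yield "udl-overlong", build_sms_deliver(oa, text, udl_override=min(len(text) + 20, 160))
    # TP-UDL=0 while TP-UD is non-empty: trailing bytes that must be ignored.
    yield "udl-zero", build_sms_deliver(oa, text, udl_override=0)
    # Concatenation IE (IEI 0x00): reference 0xA5, 2 parts, but sequence number 7.
    bad_concat = bytes([0x00, 0x03, 0xA5, 0x02, 0x07])
    yield "concat-seq-gt-total", build_sms_deliver(oa, text, udh=bad_concat)
    # UDHL=0xFF points far beyond the end of TP-UD.
    broken_ud = bytes([0xFF]) + bad_concat + pack_7bit(gsm7_septets(text), 1)
    yield "udhl-overflow", build_sms_deliver(oa, text, udh=bad_concat, ud_override=broken_ud)


if __name__ == "__main__":
    # Constructed originating address; a UE-side crash is correlated by case name.
    for name, tpdu in fuzz_cases("491701234567", "hellohello"):
        print(f"{name:<20} {tpdu.hex()}")
```

The baseline case reproduces the standard 7-bit packing (the text "hellohello" packs to E8329BFD4697D9EC37), so a decoder on the test side can be validated against it before the mutated cases are sent; every mutation keeps the rest of the TPDU valid so that a failure can be attributed to the one field that was changed.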

The first problem: we only have ~20 MB of storage left for python and scapy, which are around 70 MB, and we cannot use ipkg to install anything as the repository servers are not available.
The storage problem can be solved by creating a ramdisk. I created a 70 MB ramdisk and verified whether the entire network still works.
Yes it does, although only 2.4 MB RAM was left with 2 UEs connected.

Copied the Python binaries and dependent libs (libssl.so.1.0.0, ...) from a Raspberry Pi Model A, because they use the same processor/architecture.
After all dependencies had been copied via ssh, python still didn't run, showing some "GLIBC_VERSION" error, so I tried to replace libc.so.6 with the one from the RasPi too.
This was a huge mistake, which showed me that I am missing system-level and C knowledge, because some Google research (afterwards) proved that replacing libc.so.6 is a very, very bad idea.
After replacing libc.so.6 any executed command resulted in -> "Illegal Instruction - Core Dumped"... :S

I did a "Factory Reset", but it seems to only reset AP configuration settings, or it might be damaged as well as a result of the libc.so.6 change.
The hNodeB still gets an IP from the DHCP server and one can ping it. But no ports are open anymore, thus I cannot connect at all. :/
It seems that I really have bricked the hNodeB... -.-"

+_2017-05-07_+
A friend supported me (*thanks!*) with his experience and equipment to see whether any serial or JTAG interface might still work, so we could maybe change the wrong symlink.
The following pictures show the results of our probing (SK1, PL1, PL2, PL3, J1 and J4):

!nano3G_PCB_front_preview.JPG!

!nano3G_PCB_back_preview.JPG!

Unfortunately we didn't find any serial connection, although some pins indicated some sort of communication.
Furthermore, the Spansion S29GL-512P10FFCR2 flash used is BGA and not TSOP ("datasheet":https://media.digikey.com/pdf/Data%20Sheets/Cypress%20PDFs/S29GLyyyP_Dec-16-2015.pdf). So an attempt to desolder and fix the flash as described in "Reverse Engineering Flash memory for Fun and Benefit":https://www.blackhat.com/docs/us-14/materials/us-14-Oh-Reverse-Engineering-Flash-Memory-For-Fun-And-Benefit.pdf could not be applied.

+_2017-05-08_+
Thinking about buying a "BGA64 test socket":http://www.vipprogrammer.com/nand-bga64-test-socket-adapter-for-proman-tl86plus-nand-programmer-programmer-3533 in order to desolder and fix the Spansion flash.
But first buying an S29GL512P10FFCR2 (LAA064), an S29GL512P10TFCR2 (TSO56) and a "TSOP56 test socket":http://www.ebay.de/itm/New-TSOP56-TSOP-56-TO-DIP56-DIP-56-0-5mm-Universal-IC-Programmer-Socket-Adapter-/162210700904?hash=item25c482de68:g:pdMAAOSwPCVX4amp - which is much cheaper than the BGA64 test socket - to play around with this flash type before doing anything with/on the hNodeB.

Buying an "Omnikey CardMan 3121 USB CCID reader":http://shop.sysmocom.de/products/cm3121 and a "Professional SIM card adapter":http://shop.sysmocom.de/products/sim-adapter-pcb to be able to tinker with SIM cards as long as the flash and test socket haven't arrived.

h2. Conclusions

- UEs are connecting. Voice calls + SMS + data are working and UEs are *not* roaming. =)
- *Never ever* mess around with libc.so.6 :/
