Cellular Network Infrastructure

h1. Accelerate3g5 -- blobb

h2. Summary

Trying to come up with a fuzzing interface.

h3. Participants

* André Boddenberg (email: dr.blobb@gmail.com)

h2. Details

First setting up the femtocell and understand basics of UMTS communication.  (almost done)

Collecting information e.g. slides, talks, docu about fuzzing of wireless protocols. (started)

Writing some code to craft requests and run fuzz tests against subscriber. (tbd)

Note: first time fuzzing.

h2. Test devices

TD1: Samsung Galaxy S5 Mini (G800F) 

 OS: Lineage OS (14.1/7.1.1) 

 BB: G800FXXU1BPC3

SIM: MicroSIM

TD2: LG Nexus 5 (hammerhead)

 OS: Android Marshmallow (6.0) 

 BB: M48974A-2.0.50.2.27

SIM: MicroSIM

TD3: HTC One M9

 OS: Android Lollipop (5.1)

 BB: 01.04_U11440601_71.02.50709G_F

SIM: NanoSIM (cutted MicroSIM)

h2. Journal

_2017-03-07_

pick up package at the sysmocom office.

having an informative conversation with Neels about jenkins.osmocom.

_2017-03-12_

Set up wiki page.

Seeing femtocell on network interface.

Compiled source as described, but couldn't configure/launch CN successfully (yet).

Next time will try Neels' launch script and same IP range.

_2017-03-15_

Reading "data sheet [overview]":http://www.ipaccess.com/uploads/wysiwyg_editor/files/2017/S8_S16-Datasheet-v1.0.pdf "data sheet [details]":https://fccid.io/pdf.php?id=1462491 about ip.access nano3G S8.

Configuring femtocell via telnet (dry run).

Running in HLR issue mentioned in wiki when invoking run.sh.

_2017_04-02_

Lecture about Fuzzing:

"SMS Fuzzing - SIM Toolkit Attack - B. Alecu (2013)":https://www.defcon.org/images/defcon-21/dc-21-presentations/Alecu/DEFCON-21-Bogdan-Alecu-Attacking-SIM-Toolkit-with-SMS-WP.pdf

Talks about Fuzzing:

"Using OpenBSC for fuzzing of GSM handsets - H. Welte (2009)":http://mirror.fem-net.de/CCC/26C3/mp4/26c3-3535-en-using_openbsc_for_fuzzing_of_gsm_handsets.mp4

Slides about Fuzzing:

"MobiDeke: Fuzzing the GSM Protocol Stack - S. Dudek& G. Delugr(2012)":http://archive.hack.lu/2012/Fuzzing_The_GSM_Protocol_Stack_-_Sebastien_Dudek_Guillaume_Delugre.pdf

"Fuzzing your GSM phone - Harald Welte (2009)":https://events.ccc.de/congress/2009/Fahrplan/attachments/1503_openbsc_gsm_fuzzing.pdf

"Fuzzing the Phone in your Phone - C. Miller & C. Mulliner (2009)":https://engineering.purdue.edu/dcsl/reading/2011/jevin-fuzzing.pdf

_2017-04-19_

Resolving HLR issue and set all IPs correct in *.cfg files. 

hNodeB connects to owmo-hnbgw, but no UE is connecting to it.

Adding SIM cards to hlr.db, after creating db successfully (thanks

_2017-04-20_

rebuild with correct branch/tag (openbsc:vlr_3G,libosmo-sccp:old_sua)

TD1 and TD2 *successfully connected* to the femtocell!!! *\o/*

TD3 gets IP address but can not be called. *TODO*: investigate with wireshark

voice calls work (TD1->TD2, TD2->TD1). 

data is not working *TODO*: make it work :)

h2. Conclusions

- UE's are connecting and voice calls are working :) 

>- network LED does not indicate whether IP has been assigned by DHCP server.

>- umts LED does indicate whether cell is connected to hnbgw, etc pp.