Revision 30 (blobb, 04/20/2017 09:11 PM) → Revision 31/153 (blobb, 04/20/2017 09:15 PM)
h1. Accelerate3g5 -- blobb
h2. Summary
Trying to come up with a fuzzing interface.
h3. Participants
* André Boddenberg (email: dr.blobb@gmail.com)
h2. Details
* First, set up the femtocell and understand the basics of UMTS communication. (almost done)
* Collect information, e.g. slides, talks and documentation, about fuzzing of wireless protocols. (started)
* Write some code to craft requests and run fuzz tests against the subscriber. (tbd)
Note: first time fuzzing.
h2. Test devices
* TD1: Samsung Galaxy S5 Mini (G800F)
** OS: Lineage OS (14.1/7.1.1)
** BB (baseband): G800FXXU1BPC3
** SIM: MicroSIM
* TD2: LG Nexus 5 (hammerhead)
** OS: Android Marshmallow (6.0)
** BB (baseband): M48974A-2.0.50.2.27
** SIM: MicroSIM
* TD3: HTC One M9
** OS: Android Lollipop (5.1)
** BB (baseband): 01.04_U11440601_71.02.50709G_F
** SIM: NanoSIM (cut-down MicroSIM)
h2. Journal
_2017-03-07_
Picked up the package at the sysmocom office.
Had an informative conversation with Neels about jenkins.osmocom.
_2017-03-12_
Set up wiki page.
Seeing femtocell on network interface.
Compiled source as described, but couldn't configure/launch CN successfully (yet).
Next time I will try Neels' launch script and the same IP range.
_2017-03-15_
Reading the ip.access nano3G S8 "data sheet [overview]":http://www.ipaccess.com/uploads/wysiwyg_editor/files/2017/S8_S16-Datasheet-v1.0.pdf and "data sheet [details]":https://fccid.io/pdf.php?id=1462491.
Configuring the femtocell via telnet (dry run).
Running into the HLR issue mentioned in the wiki when invoking run.sh.
_2017-04-02_
Literature about fuzzing:
* "SMS Fuzzing - SIM Toolkit Attack - B. Alecu, defcon21 2013":https://www.defcon.org/images/defcon-21/dc-21-presentations/Alecu/DEFCON-21-Bogdan-Alecu-Attacking-SIM-Toolkit-with-SMS-WP.pdf
* "SMS Vulnerability Analysis on Feature Phones, N. Golde, 2011":http://www.isti.tu-berlin.de/fileadmin/fg214/finished_theses/NicoGolde/diplom_golde.pdf
* "Fuzzing the GSM Protocol - B. Hond, master thesis 2011":http://www.ru.nl/publish/pages/769526/scriptie-brinio-final-brinio_hond.pdf
Talks about fuzzing:
* "SMS Fuzzing - Sim Toolkit Attack - B. Alecu, Deepsec 2011":http://www.securitytube.net/video/2518
* "Using OpenBSC for fuzzing of GSM handsets - H. Welte, 26c3 2009":http://mirror.fem-net.de/CCC/26C3/mp4/26c3-3535-en-using_openbsc_for_fuzzing_of_gsm_handsets.mp4
Slides about fuzzing:
* "MobiDeke: Fuzzing the GSM Protocol Stack - S. Dudek & G. Delugré, hack.lu 2012":http://archive.hack.lu/2012/Fuzzing_The_GSM_Protocol_Stack_-_Sebastien_Dudek_Guillaume_Delugre.pdf
* "Base Jumping - Attacking the GSM BB and BTS - grugq, 2010":http://conference.hackinthebox.org/hitbsecconf2010kul/materials/D2T1%20-%20The%20Grugq%20-%20Attacking%20GSM%20Basestations.pdf
* "Fuzzing your GSM phone - Harald Welte, 26c3 2009":https://events.ccc.de/congress/2009/Fahrplan/attachments/1503_openbsc_gsm_fuzzing.pdf
* "Fuzzing the Phone in your Phone - C. Miller & C. Mulliner, Blackhat 2009":https://engineering.purdue.edu/dcsl/reading/2011/jevin-fuzzing.pdf
* "Injecting SMS Messages into Smart Phones for Security Analysis - C. Mulliner, 2009":https://www.mulliner.org/security/sms/feed/injecting_sms_mulliner_miller.pdf
* "Security Testing esp. Fuzzing - E. Poll, ????":https://www.cs.ru.nl/E.Poll/ss/slides/12_Fuzzing.pdf
_2017-04-19_
Resolved the HLR issue and set all IPs correctly in the *.cfg files.
The hNodeB connects to osmo-hnbgw, but no UE is connecting to it.
Adding SIM cards to hlr.db, after creating db successfully (thanks
_2017-04-20_
Rebuilt with the correct branch/tag (openbsc:vlr_3G, libosmo-sccp:old_sua).
TD1 and TD2 *successfully connected* to the femtocell!!! *\o/*
TD3 gets an IP address but cannot be called. *TODO*: investigate with wireshark.
Voice calls work (TD1->TD2, TD2->TD1).
Data is not working. *TODO*: make it work :)
h2. Conclusions
* UEs are connecting and voice calls are working :)
* The network LED does not indicate whether an IP has been assigned by the DHCP server.
* The UMTS LED does indicate whether the cell is connected to the hnbgw, etc.