Samsung GalaxyS9 VoWiFi

Random notes about how VoWiFi seems to be implemented in the Samsung SM-G960F Galaxy S9.

Outline

  • there's a userspace IPsec (IKEv2 + ESP) implementation called eris which is used to establish the SWu IPsec tunnel to the ePDG
  • there are epdg0..epdg7 net-devices that are used to expose the inner side of the SWu IPsec; taking pcap files of those will show the IMS traffic to/from the P-CSCF
  • contrary to VoLTE, even the RTP user plane goes through the application processor, via the same eris userspace IPsec implementation

eris

related binaries

/system/bin/eris
/system/lib64/liberis_charon.so
/system/lib64/liberis_strongswan.so
/system/lib64/liberis_simaka.so

general architecture

  • opens UDP sockets on ports 500 + 4500 for the IKEv2 + ESP traffic routed via the wlan interface
  • decrypts traffic arriving on the UDP socket and re-injects decrypted packets via epdgX net-device
  • talks to rild to perform UMTS AKA with the SIM when prompted by EAP-AKA inside the IKEv2 handshake
  • logs quite a bit (logcat | grep eris)

potential GPLv2-or-later license violation

  • the "open source licensing" document on the Android UI doesn't contain any information on the above-mentioned eris related files
  • a "strings" analysis shows various symbol names and log messages identical to strongSwan, so the similarity in library names is not a coincidence
  • I could not find any source for eris in the source code releases for SM-G960F on opensource.samsung.org
  • I notified Samsung and requested the complete and corresponding source code

log of a connection setup

08-26 16:30:09.560 21939 21945 I eris    : 04[DMN] [eris_interface] handle_request - type = MSG_TYPE_CONNECT
08-26 16:30:09.561 21939 21945 I eris    : 04[DMN] operator_code : DTM 
08-26 16:30:09.569 21939 21945 I eris    : 04[LIB] created TUN device: epdg1
08-26 16:30:09.612 21939 21950 I eris    : 09[IKE] initiating IKE_SA ims[12] to 109.237.187.226
08-26 16:30:09.618 21939 21950 I eris    : 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
08-26 16:30:09.619 21939 21950 I eris    : 09[NET] sending packet: from 192.168.101.29[51276] to 109.237.187.226[500] (366 bytes)
08-26 16:30:09.655 21939 21955 I eris    : 15[NET] received packet: from 109.237.187.226[500] to 192.168.101.29[51276] (52 bytes)
08-26 16:30:09.656 21939 21955 I eris    : 15[ENC] parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
08-26 16:30:09.659 21939 21955 I eris    : 15[IKE] initiating IKE_SA ims[12] to 109.237.187.226
08-26 16:30:09.660 21939 21955 I eris    : 15[ENC] generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
08-26 16:30:09.662 21939 21955 I eris    : 15[NET] sending packet: from 192.168.101.29[51276] to 109.237.187.226[500] (390 bytes)
08-26 16:30:09.700 21939 21949 I eris    : 08[NET] received packet: from 109.237.187.226[500] to 192.168.101.29[51276] (288 bytes)
08-26 16:30:09.701 21939 21949 I eris    : 08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
08-26 16:30:09.713 21939 21949 I eris    : 08[IKE] local host is behind NAT, sending keep alives
08-26 16:30:09.718 21939 21949 I eris    : 08[IKE] establishing CHILD_SA ims{12}
08-26 16:30:09.720 21939 21949 I eris    : 08[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(MASK ADDR DNS (16389) ADDR6 DNS6 (16390)) N(ESP_TFC_PAD_N) SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
08-26 16:30:09.721 21939 21949 I eris    : 08[NET] sending packet: from 192.168.101.29[51182] to 109.237.187.226[4500] (428 bytes)
08-26 16:30:09.876 21939 21943 I eris    : 07[NET] received packet: from 109.237.187.226[4500] to 192.168.101.29[51182] (204 bytes)
08-26 16:30:09.880 21939 21943 I eris    : 07[ENC] parsed IKE_AUTH response 1 [ IDr EAP/REQ/AKA ]
08-26 16:30:09.884 21939 21943 I eris    : 07[IKE] server requested EAP_AKA authentication (id 0x01)
08-26 16:30:09.893 21939 21943 I eris    : 07[LIB] ignoring skippable EAP-SIM/AKA attribute AT_CHECKCODE
08-26 16:30:09.895 21939 21943 I eris    : 07[DMN] simID : 0
08-26 16:30:10.104 21939 21943 I eris    : 07[IKE] allow mutual EAP-only authentication
08-26 16:30:10.104 21939 21943 I eris    : 07[ENC] generating IKE_AUTH request 2 [ EAP/RES/AKA ]
08-26 16:30:10.105 21939 21943 I eris    : 07[NET] sending packet: from 192.168.101.29[51182] to 109.237.187.226[4500] (108 bytes)
08-26 16:30:10.410 21939 21952 I eris    : 10[NET] received packet: from 109.237.187.226[4500] to 192.168.101.29[51182] (76 bytes)
08-26 16:30:10.415 21939 21952 I eris    : 10[ENC] parsed IKE_AUTH response 2 [ EAP/SUCC ]
08-26 16:30:10.421 21939 21952 I eris    : 10[IKE] EAP method EAP_AKA succeeded, MSK established
08-26 16:30:10.433 21939 21952 I eris    : 10[IKE] authentication of '...' (myself) with EAP
08-26 16:30:10.440 21939 21952 I eris    : 10[ENC] generating IKE_AUTH request 3 [ AUTH ]
08-26 16:30:10.453 21939 21952 I eris    : 10[NET] sending packet: from 192.168.101.29[51182] to 109.237.187.226[4500] (92 bytes)
08-26 16:30:10.517   608   608 D wrapperGPS: wrapperisConnected_RILD
08-26 16:30:10.517   608   608 D wrapperGPS: wrapperisConnected_RILD
08-26 16:30:10.572 21939 21944 I eris    : 02[NET] received packet: from 109.237.187.226[4500] to 192.168.101.29[51182] (428 bytes)
08-26 16:30:10.573 21939 21944 I eris    : 02[ENC] unknown attribute type (16390)
08-26 16:30:10.574 21939 21944 I eris    : 02[ENC] unknown attribute type (16390)
08-26 16:30:10.576 21939 21944 I eris    : 02[ENC] parsed IKE_AUTH response 3 [ AUTH CPRP(ADDR MASK DNS ADDR6 DNS6 DNS6 (16390) (16390)) N(SET_WINSIZE) N(ESP_TFC_PAD_N) SA TSi TSr ]
08-26 16:30:10.578 21939 21944 I eris    : 02[IKE] authentication of '...' with EAP successful
08-26 16:30:10.580 21939 21944 I eris    : 02[IKE] IKE_SA ims[12] established between 192.168.101.29[...]...109.237.187.226[...]
08-26 16:30:10.582 21939 21944 I eris    : 02[IKE] scheduling rekeying in 64791s
08-26 16:30:10.584 21939 21944 I eris    : 02[IKE] maximum IKE_SA lifetime 64811s
08-26 16:30:10.588 21939 21944 I eris    : 02[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
08-26 16:30:10.601 21939 21944 I eris    : 02[IKE] CHILD_SA ims{12} established with SPIs 4b212242_i 04b403c3_o and TS 10.30.98.217/32 2a01:59f:d001:3747:1:1:a351:bf8a/128 === 0.0.0.0/0 ::/0
08-26 16:30:10.607 21939 21944 I eris    : 02[DMN] setting up ePDG device for CHILD_SA ims{12}
08-26 16:30:10.613 21939 21944 I eris    : 02[DMN] successfully created ePDG device
08-26 16:30:10.615 21939 21944 I eris    : 02[DMN] update {event 1, error 0, ike_error 0} for conn[2]
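
An added example (not part of the original notes, and not Samsung's or strongSwan's code): a small parser that turns eris logcat lines like the ones above into an IKEv2 exchange timeline and extracts the cookie retry, NAT detection, EAP method and CHILD_SA parameters. The regexes assume the logcat layout and message wording seen in this log; the sample is a constructed subset of it.

```python
import re

# Constructed sample: a subset of the eris logcat lines from the log above,
# plus the unrelated wrapperGPS line that the parser must skip.
SAMPLE = """\
08-26 16:30:09.618 21939 21950 I eris    : 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
08-26 16:30:09.656 21939 21955 I eris    : 15[ENC] parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
08-26 16:30:09.713 21939 21949 I eris    : 08[IKE] local host is behind NAT, sending keep alives
08-26 16:30:09.720 21939 21949 I eris    : 08[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(MASK ADDR DNS (16389) ADDR6 DNS6 (16390)) N(ESP_TFC_PAD_N) SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
08-26 16:30:09.884 21939 21943 I eris    : 07[IKE] server requested EAP_AKA authentication (id 0x01)
08-26 16:30:10.517   608   608 D wrapperGPS: wrapperisConnected_RILD
08-26 16:30:10.601 21939 21944 I eris    : 02[IKE] CHILD_SA ims{12} established with SPIs 4b212242_i 04b403c3_o and TS 10.30.98.217/32 2a01:59f:d001:3747:1:1:a351:bf8a/128 === 0.0.0.0/0 ::/0
"""

LINE = re.compile(r"^\S+ (\S+)\s+\d+\s+\d+ \w eris\s*: \d+\[(\w+)\] (.*)$")
ENC = re.compile(r"(generating|parsed) (\w+) (request|response) (\d+) \[ (.*) \]")
TOKEN = re.compile(r"[^\s()]+(?:\((?:[^()]|\([^()]*\))*\))?")  # keeps CPRQ(... (16389) ...) whole
CHILD = re.compile(r"CHILD_SA (\S+) established with SPIs (\w+)_i (\w+)_o and TS (.*) === (.*)")
EAP = re.compile(r"server requested (\w+) authentication")

def summarize(log):
    out = {"exchanges": [], "cookie_retry": False, "nat": False, "eap": None, "child_sa": None}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:                      # other logcat tags (e.g. wrapperGPS) are ignored
            continue
        ts, subsys, msg = m.groups()
        if subsys == "ENC" and (e := ENC.search(msg)):
            verb, exch, kind, mid, body = e.groups()
            direction = "->" if verb == "generating" else "<-"   # handset -> ePDG, or back
            toks = TOKEN.findall(body)
            out["exchanges"].append((ts, direction, exch, kind, int(mid), toks))
            if direction == "<-" and "N(COOKIE)" in toks:
                out["cookie_retry"] = True   # responder demanded a cookie before continuing
        elif "behind NAT" in msg:
            out["nat"] = True
        elif e := EAP.search(msg):
            out["eap"] = e.group(1)
        elif c := CHILD.search(msg):
            name, spi_in, spi_out, local, remote = c.groups()
            out["child_sa"] = {"name": name, "spi_in": spi_in, "spi_out": spi_out,
                               "local_ts": local.split(), "remote_ts": remote.split()}
    return out

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for ts, d, exch, kind, mid, toks in s["exchanges"]:
        print(ts, d, exch, kind, mid, " ".join(toks))
    print({k: v for k, v in s.items() if k != "exchanges"})
```

Feeding it the full output of `logcat | grep eris` gives one row per IKEv2 message, which makes retransmissions and the cookie round trip easy to spot.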

file descriptors

eris      21939     system    0u      CHR                1,3       0t0      14599 /dev/null
eris      21939     system    1u      CHR                1,3       0t0      14599 /dev/null
eris      21939     system    2u      CHR                1,3       0t0      14599 /dev/null
eris      21939     system    3r     FIFO               0,10       0t0     191918 pipe:[191918]
eris      21939     system    4w     FIFO               0,10       0t0     191918 pipe:[191918]
eris      21939     system    5u     unix                          0t0     188122 socket
eris      21939     system    6w      CHR              248,0       0t0      14761 /dev/pmsg0
eris      21939     system    7r      CHR                1,9       0t0      14597 /dev/urandom
eris      21939     system    8r      CHR                1,8       0t0      14596 /dev/random
eris      21939     system    9r     FIFO               0,10       0t0     187175 pipe:[187175]
eris      21939     system   10w     FIFO               0,10       0t0     187175 pipe:[187175]
eris      21939     system   11u  netlink                          0t0     187176 ROUTE
eris      21939     system   12u  netlink                          0t0     187177 ROUTE
eris      21939     system   13u      CHR             10,200      0t48       8925 /dev/tun
eris      21939     system   14u     sock                          0t0    1271319 socket:[1271319]
eris      21939     system   15u     IPv4                          0t0    1277757 UDP :51276->:500
eris      21939     system   16u     unix                          0t0     187165 /dev/socket/eris
eris      21939     system   17u     unix                          0t0     191007 /dev/socket/eris
eris      21939     system   18u     IPv4                          0t0    1284421 UDP :51182->:4500
eris      21939     system   19u     IPv4                          0t0    1164443 UDP :44774->:500
eris      21939     system   20u     IPv4                          0t0    1164448 UDP :33934->:4500
eris      21939     system   22w      REG                0,9         0       2305 /sys/kernel/debug/tracing/trace_marker
eris      21939     system   23u      CHR              10,57       0t0      11362 /dev/hwbinder

memory mappings

eris      21939     system  mem       REG              259,2    121760        799 /system/bin/eris
eris      21939     system  mem       CHR              10,57                11362 /dev/hwbinder
eris      21939     system  mem       REG              259,2     24064       4287 /system/lib64/libnetd_client.so
eris      21939     system  mem       REG              259,2   1372848       4086 /system/lib64/libcrypto.so
eris      21939     system  mem       REG              259,2    117416       4518 /system/lib64/libutils.so
eris      21939     system  mem       REG              259,2     23896       4044 /system/lib64/libbinderthreadstate.so
eris      21939     system  mem       REG              259,2     82552       4091 /system/lib64/libcutils.so
eris      21939     system  mem       REG              259,2     20056       4068 /system/lib64/libcgrouprc.so
eris      21939     system  mem       REG              259,2     24192       4152 /system/lib64/libfloatingfeature.so
eris      21939     system  mem       REG              259,2     92240       4233 /system/lib64/liblog.so
eris      21939     system  mem       REG              259,2    159712       4132 /system/lib64/libexpat.so
eris      21939     system  mem       REG              259,2     14016        283 /apex/com.android.runtime/lib64/bionic/libdl.so
eris      21939     system  mem       REG              259,2    872168       4125 /system/lib64/liberis_strongswan.so
eris      21939     system  mem       REG              259,2     24256       4170 /system/lib64/libhardware_legacy.so
eris      21939     system  mem       REG              259,2     36272       4124 /system/lib64/liberis_simaka.so
eris      21939     system  mem       REG              259,2    229352        284 /apex/com.android.runtime/lib64/bionic/libm.so
eris      21939     system  mem       REG              259,2     14896       4186 /system/lib64/libhidltransport.so
eris      21939     system  mem       REG              259,2     44544       4387 /system/lib64/libsecril-client.so
eris      21939     system  mem       REG              259,2     15648       4529 /system/lib64/libvndksupport.so
eris      21939     system  mem       REG              259,2    117104       3828 /system/lib64/android.system.suspend@1.0.so
eris      21939     system  mem       REG              259,2    692152       4184 /system/lib64/libhidlbase.so
eris      21939     system  mem       REG              259,2    719432       4123 /system/lib64/liberis_charon.so
eris      21939     system  mem       REG              259,2     14896       4190 /system/lib64/libhwbinder.so
eris      21939     system  mem       REG              259,2     83552       4039 /system/lib64/libbase.so
eris      21939     system  mem       REG              259,2     19440       4471 /system/lib64/libstdc++.so
eris      21939     system  mem       REG               0,17    196608      10978 /dev/__properties__/u:object_r:hwservicemanager_prop:s0
eris      21939     system  mem       REG              259,2   1245176        282 /apex/com.android.runtime/lib64/bionic/libc.so
eris      21939     system  mem       REG              259,2    647152       4042 /system/lib64/libbinder.so
eris      21939     system  mem       REG              259,2    106472       4547 /system/lib64/libz.so
eris      21939     system  mem       REG               0,17    196608      10983 /dev/__properties__/u:object_r:log_tag_prop:s0
eris      21939     system  mem       REG              259,2    355712       4455 /system/lib64/libssl.so
eris      21939     system  mem       REG              259,2    255320       4323 /system/lib64/libprocessgroup.so
eris      21939     system  mem       REG              259,2    845928       4058 /system/lib64/libc++.so
eris      21939     system  mem       REG               0,17    196608      10984 /dev/__properties__/u:object_r:logd_prop:s0
eris      21939     system  mem       REG              259,2     10192       4104 /system/lib64/libdl_android.so
eris      21939     system  mem       REG               0,17    196608      11092 /dev/__properties__/u:object_r:wifi_log_prop:s0
eris      21939     system  mem       REG               0,17    196608      10977 /dev/__properties__/u:object_r:heapprofd_prop:s0
eris      21939     system  mem       REG               0,17    196608      10946 /dev/__properties__/u:object_r:default_prop:s0
eris      21939     system  mem       REG               0,17    196608      10943 /dev/__properties__/u:object_r:debug_level_prop:s0
eris      21939     system  mem       REG               0,17    196608      10944 /dev/__properties__/u:object_r:debug_prop:s0
eris      21939     system  mem       REG               0,17    196608      11094 /dev/__properties__/properties_serial
eris      21939     system  mem       REG               0,17     37416      10907 /dev/__properties__/property_info
eris      21939     system  mem       REG               0,17    196608      11003 /dev/__properties__/u:object_r:product_ship_prop:s0
eris      21939     system  mem       REG               0,17    196608      10969 /dev/__properties__/u:object_r:exported_system_prop:s0
eris      21939     system  mem       REG               0,17    196608      10946 /dev/__properties__/u:object_r:default_prop:s0
eris      21939     system  mem       REG               0,17    196608      10944 /dev/__properties__/u:object_r:debug_prop:s0
eris      21939     system  mem       REG               0,17    196608      11094 /dev/__properties__/properties_serial
eris      21939     system  mem       REG               0,17     37416      10907 /dev/__properties__/property_info
eris      21939     system  mem       REG              259,2   1608256        214 /apex/com.android.runtime/bin/linker64

/dev/socket/eris

after establishing the ePDG connection, eris writes JSON to this:

{"msgType":5,"msgData":{"mIntfName":"epdg1","mIpv4Addr":"10.24.31.1","mIpv6Addr":"2a01:59f:d008:3496:1:2:a39b:a5ce","mIpv4PrefixLen":28,"mIpv6PrefixLen":64,"mIpType":0,"mAtTrustInd":2,"mIpv4Dnses":["10.74.210.210"],"mIpv6Dnses":["2a01:598:7ff:0:10:74:210:210","2a01:598:7ff:0:10:74:210:211"],"mIpv4PcscfAddr":[],"mIpv6PcscfAddr":["2a01:598:405:3002::11","2a01:598:408:3002::15"],"cid":2,"mIkeSrcPort":53026}}

and

{"msgType":4,"msgData":{"stateCode":1,"errorCode":0,"ikeErrorCode":0,"backoffTimer":-1,"n1_mode_snssai":"","n1_mode_plmn_id":"","cid":2,"mIkeSrcPort":53026}}

/dev/socket/fwmarkd

before establishing the connection to the ePDG, the following happens:

21943(eris): getsockopt  (18 <socket:[1368429]>,SOL_SOCKET,SO_DOMAIN,0x7a9dbfa6b0,0x7a9dbfa6a0) = 0
21943(eris): socket  (1,524289,0) = descriptor 21
21943(eris): connect (21, {unix:///dev/socket/fwmarkd} ) = 0
21943(eris): sendmsg (21 <unix:///dev/socket/fwmarkd>,"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", flags)
21943(eris): recvfrom  (21 <unix:///dev/socket/fwmarkd>,"\x00\x00\x00\x00",4,0x0,0x0) = 4
21943(eris): close(21 <unix:///dev/socket/fwmarkd>) = 0
21943(eris): connect (18, {Not yet} ) = 0
21943(eris): socket  (1,524289,0) = descriptor 21
21943(eris): connect (21, {unix:///dev/socket/fwmarkd} ) = 0
21943(eris): sendmsg (21 <unix:///dev/socket/fwmarkd>,"\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x11\x94m\xed\xbb\x82\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x05\x9ez\x00\x00\x00H\xa7\xbf\x9d", flags)
21943(eris): recvfrom  (21 <unix:///dev/socket/fwmarkd>,"\x00\x00\x00\x00",4,0x0,0x0) = 4
21943(eris): close(21 <unix:///dev/socket/fwmarkd>) = 0


Updated by laforge over 2 years ago · 2 revisions
