Accelerate3g5 -- blobb » History » Version 132

blobb, 05/10/2017 01:12 PM

h1. Accelerate3g5 -- blobb

h2. Summary

Trying to come up with a fuzzing interface.

h3. Participants

* André (email: dr.blobb@gmail.com)

h2. Details

First setting up the femtocell and understanding the necessary basics of UMTS communication to do so. (done)
Collecting information, e.g. slides, talks and documentation about fuzzing of wireless protocols. (done)
Writing some code to craft requests and run fuzz tests against subscribers. (to be done)

Note: first time fuzzing.

h2. Test devices
TD1: Samsung Galaxy S5 Mini (G800F)
 OS: Lineage OS (14.1/7.1.1)
 BB: G800FXXU1BPC3
 SIM: MicroSIM

TD2: LG Nexus 5 (hammerhead)
 OS: Android Marshmallow (6.0)
 BB: M48974A-2.0.50.2.27
 SIM: MicroSIM

TD3: HTC One M9
 OS: Android Lollipop (5.1)
 BB: 01.04_U11440601_71.02.50709G_F
 SIM: NanoSIM (cut MicroSIM)

TD4: Samsung S3 (GT-I9300)
 OS: Android Jelly Bean (4.3)
 BB: I9300XXUGNA8
 SIM: MicroSIM

h2. Journal

+*Setting up the network*+

+_2017-03-07_+
Pick up package at Sysmocom office.
Having an informative conversation with Neels about Jenkins, Docker and build artifacts.

+_2017-03-12_+
Set up wiki page.
Seeing the femtocell on the network interface.
Compiled the source as described, but couldn't configure/launch the CN successfully (yet).
Next time I will try Neels' launch script and the same IP range.

+_2017-03-15_+
Reading "data sheet [overview]":http://www.ipaccess.com/uploads/wysiwyg_editor/files/2017/S8_S16-Datasheet-v1.0.pdf and "data sheet [details]":https://fccid.io/pdf.php?id=1462491 about the ip.access nano3G S8.
Configuring the femtocell via telnet (dry run).
Running into the HLR issue mentioned in the wiki when invoking run.sh.

+_2017-04-02_+
Collecting input about fuzzing:

papers/theses:
>"SMS Fuzzing - SIM Toolkit Attack - B. Alecu, defcon21 2013":https://www.defcon.org/images/defcon-21/dc-21-presentations/Alecu/DEFCON-21-Bogdan-Alecu-Attacking-SIM-Toolkit-with-SMS-WP.pdf
>"SMS Vulnerability Analysis on Feature Phones - N. Golde, 2011":http://www.isti.tu-berlin.de/fileadmin/fg214/finished_theses/NicoGolde/diplom_golde.pdf
>"Fuzzing the GSM Protocol - B. Hond, master thesis 2011":http://www.ru.nl/publish/pages/769526/scriptie-brinio-final-brinio_hond.pdf

talks:
>"SMS Fuzzing - Sim Toolkit Attack - B. Alecu, Deepsec 2011":http://www.securitytube.net/video/2518
>"Using OpenBSC for fuzzing of GSM handsets - H. Welte, 26c3 2009":http://mirror.fem-net.de/CCC/26C3/mp4/26c3-3535-en-using_openbsc_for_fuzzing_of_gsm_handsets.mp4

slides:
>"MobiDeke: Fuzzing the GSM Protocol Stack - S. Dudek & G. Delugré, hack.lu 2012":http://archive.hack.lu/2012/Fuzzing_The_GSM_Protocol_Stack_-_Sebastien_Dudek_Guillaume_Delugre.pdf
>"Base Jumping - Attacking the GSM BB and BTS - grugq, 2010":http://conference.hackinthebox.org/hitbsecconf2010kul/materials/D2T1%20-%20The%20Grugq%20-%20Attacking%20GSM%20Basestations.pdf
>"Fuzzing your GSM phone - Harald Welte, 26c3 2009":https://events.ccc.de/congress/2009/Fahrplan/attachments/1503_openbsc_gsm_fuzzing.pdf
>"Fuzzing the Phone in your Phone - C. Miller & C. Mulliner, Blackhat 2009":https://engineering.purdue.edu/dcsl/reading/2011/jevin-fuzzing.pdf
>"Injecting SMS Messages into Smart Phones for Security Analysis - C. Mulliner, 2009":https://www.mulliner.org/security/sms/feed/injecting_sms_mulliner_miller.pdf
>"Security Testing esp. Fuzzing - E. Poll, ????":https://www.cs.ru.nl/E.Poll/ss/slides/12_Fuzzing.pdf

+_2017-04-19_+
Resolving the HLR issue and setting correct IPs in "*.cfg files":https://osmocom.org/attachments/download/2559/3G-config-example-v3.tar.
hNodeB connects to hnbgw, but no UE is connecting to it.
> [issue from wiki: ...unable to resolve DNS record look up of 0.ipaccess.pool.ntp.org... no trx].
Connected the femtocell to a LAN with internet access to resolve the DNS lookup issue; still no phones are connecting (yet).
Adding SIM cards to hlr.db, after creating the db successfully [thanks to "andreas":https://osmocom.org/projects/cellular-infrastructure/wiki/Accelerate3g5_--_andreas]

+_2017-04-20_+
Create and attach "build_3G.sh":https://osmocom.org/attachments/download/2602/build_3G.sh (adapted from "build_2G.sh":https://osmocom.org/attachments/download/2438/build_2G.sh).
Rebuild with correct branch/tag (openbsc:vlr_3G, libosmo-sccp:old_sua).
TD1 and TD2 *successfully connected* to the femtocell!!! *\o/*
*Voice calls work* (TD1<->TD2).

+_2017-04-22_+
Create and attach "configure_nano3G.exp":https://projects.osmocom.org/attachments/download/2604/configure_nano3G.exp.
> Invoke the expect script within "run.sh":https://projects.osmocom.org/attachments/download/2559/3G-config-example-v3.tar to automate the initial nano3G configuration via telnet.
*SMS works* (TD1<->TD2); it probably worked before, but has only been tested "today".

+_2017-04-24_+
Compile OpenBSC with the --enable-mgcp-transcoding flag and create 127.0.0.2 on lo. :)
Attach refactored version of "build_3G.sh":https://projects.osmocom.org/attachments/download/2605/build_3G.sh.
*Data "works"* (TD1<->TD2, TDx<->tun0/192.168.42.1).
>Note: data "worked" before (UEs got an IP on 2017-04-20). But I didn't manage to forward packets from tun0->eth0->inet yet, although the following iptables rules have been applied:
>>sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
>>sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

+_2017-04-25_+
Create and attach "find_nano3G.sh":https://osmocom.org/attachments/download/2609/find_nano3G.sh.
Picked up TD4 at a friend's place. Now I don't need to change the SIM/USIM card in TD1, which is my "normal" cell phone, to test functionality. *Thanks* a lot buddy :)

+_2017-04-26_+
As it actually belongs to the accelerate3g5 project, I add the "hands-on repo":https://github.com/blobbsen/repo-handson to this journal.
> It provides functionality to clone the necessary git repos and build the accelerate3g5 CN stack.

+_2017-04-29_+
Test MMS, *doesn't* work.
I'd changed MCC and MNC from the "wiki-default":http://osmocom.org/projects/cellular-infrastructure/wiki/Configuring_the_ipaccess_nano3G values (MCC=901, MNC=98) to MCC=809 and MNC=90 on the hNodeB (telnet) to align with the SIM cards' IMSIs and avoid roaming, but it didn't work out (yet).

+_2017-04-30_+
Set csgAccessMode to CSG_ACCESS_MODE_CLOSED_ACCESS to avoid interfering with UEs not owned by me.
Set an additional iptables rule. UEs finally have an internet connection. *\o/*

>sudo iptables -t nat -A POSTROUTING -o lo -j MASQUERADE

+_2017-05-01_+
UEs are not roaming anymore *\o/*. Actually a friend's explanation of how the MCC and MNC have to be set according to the IMSI (digits 0-2 MCC, 3-4 MNC) was correct,
but I didn't read the IMSI correctly from the "sysmocom full-size SIM card". Such IMSIs on the full-size SIM card consist of 18 digits.
After using the IMSIs from the delivery e-mail (which are 15 digits long, not 18 like the full-size-SIM-card IMSI) it works.
Moreover, I now know that the IMSI can ONLY hold 15 digits and consists of MCC (3), MNC (2-3) and MSIN (9-10).

A poor/manual stability test of the entire UMTS network has been successful for 12 hours (DL: 7.8-5.9 Mbit/s, UL: 1.2-0.8 Mbit/s, ping: 170-150 ms).
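The IMSI structure described in this entry, as an added example that is not part of the original journal or of any Osmocom code: it splits a 15-digit IMSI into MCC, MNC and MSIN (the MNC length is taken from the network configuration, because the IMSI itself does not encode it), rejects anything that is not exactly 15 digits, such as the 18-digit number read from the card, and reports whether a subscriber is on the home PLMN or would roam. The PLMN 901/98 is the wiki default mentioned on 2017-04-29; all IMSIs in the block are constructed sample values, not real subscribers.

```python
"""IMSI parsing and home-PLMN check for a small UMTS test network.

Added example for this journal, not code from the original page or from
Osmocom. PLMN 901/98 is the wiki default named on the page; every IMSI
below is a constructed sample value.
"""
from dataclasses import dataclass

IMSI_LEN = 15  # an IMSI is always 15 digits: MCC (3) + MNC (2-3) + MSIN (9-10)
DIGITS = set("0123456789")


@dataclass(frozen=True)
class Imsi:
    mcc: str   # Mobile Country Code, always 3 digits
    mnc: str   # Mobile Network Code, 2 or 3 digits
    msin: str  # Mobile Subscriber Identification Number, remaining 9-10 digits


def parse_imsi(imsi: str, mnc_len: int = 2) -> Imsi:
    """Split a 15-digit IMSI into MCC, MNC and MSIN.

    The IMSI does not say whether its MNC has 2 or 3 digits; that comes from
    the network configuration and is passed in as mnc_len. Any other length
    (e.g. an 18-digit number printed on the card) is rejected rather than
    silently truncated.
    """
    if not imsi or any(c not in DIGITS for c in imsi):
        raise ValueError(f"IMSI must contain only decimal digits: {imsi!r}")
    if len(imsi) != IMSI_LEN:
        raise ValueError(
            f"IMSI must be exactly {IMSI_LEN} digits, got {len(imsi)}: {imsi!r}")
    if mnc_len not in (2, 3):
        raise ValueError(f"MNC length must be 2 or 3, got {mnc_len}")
    return Imsi(mcc=imsi[:3], mnc=imsi[3:3 + mnc_len], msin=imsi[3 + mnc_len:])


def is_home_plmn(imsi: str, net_mcc: str, net_mnc: str) -> bool:
    """True when the IMSI's PLMN equals the one the hNodeB/CN is configured
    with, i.e. the UE will not consider itself roaming."""
    sub = parse_imsi(imsi, mnc_len=len(net_mnc))
    return sub.mcc == net_mcc and sub.mnc == net_mnc


def check_subscribers(imsis, net_mcc, net_mnc):
    """Classify each IMSI as 'home', 'roaming' or 'invalid: <reason>'."""
    report = {}
    for imsi in imsis:
        try:
            report[imsi] = "home" if is_home_plmn(imsi, net_mcc, net_mnc) else "roaming"
        except ValueError as exc:
            report[imsi] = f"invalid: {exc}"
    return report


if __name__ == "__main__":
    # Constructed sample IMSIs (not real subscribers):
    sample = [
        "901980000000001",     # MCC 901 / MNC 98: matches the wiki-default PLMN
        "901700000000002",     # MCC 901 / MNC 70: different MNC, would roam
        "901980000000001123",  # 18 digits, like the number misread from the card
    ]
    for imsi, state in check_subscribers(sample, "901", "98").items():
        print(f"{imsi:20} {state}")
```

Feeding the IMSIs from hlr.db through check_subscribers with the MCC/MNC configured on the hNodeB gives a quick answer to "why is this UE roaming?" before touching the telnet configuration again.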

+*Understand and try to fuzz handsets*+

+_2017-05-03_+
The system is only mounted read-only; "mount -o remount,rw /" changes this to rw.
Changing the ssh banner (just for fun):
<pre>
                     _                _       ____        _____
                    | |              | |     |___ \      | ____|
   __ _  ___ ___ ___| | ___ _ __ __ _| |_ ___  __) | __ _| |__
  / _` |/ __/ __/ _ \ |/ _ \ '__/ _` | __/ _ \|__ < / _` |___ \
 | (_| | (_| (_|  __/ |  __/ | | (_| | ||  __/___) | (_| |___) |
  \__,_|\___\___\___|_|\___|_|  \__,_|\__\___|____/ \__, |____/
 osmocom.org/projects/cellular-infrastructure/wiki/Accelerate3g5
                                                    |___/
</pre>

<pre>
 Processor	: ARMv6-compatible processor rev 7 (v6l)
 Features	: swp half thumb fastmult edsp java
 BogoMIPS	: 396.28

 Linux version 2.6.34-ip3xxff-xc-225.2.0-picochip-4.0.8
 (gcc version 4.3.2 (Sourcery G++ Lite 2008q3-72)
 #1 PREEMPT Thu Jul 11 17:54:07 BST 2013

 PN: 237B015 SN: 000295-0000120493 Var: 234Y Rel: 2.7_579.26.7
</pre>

Changing the thttpd port to 80 and showing my own index.html (just for fun).
The entire network still works fine when the thttpd port is changed to 80.

+_2017-05-04_+
Thinking about installing python and scapy on the hNodeB to see whether we could fuzz directly on the imq0-15 interfaces, as they might represent the UL+DL connections of the UEs.
(nano3G S8 can serve up to 8 clients -> 8*(UL+DL) = 16 interfaces)

First problem: we only have ~20 MB of storage left for python and scapy, which are around 70 MB, and we cannot use ipkg to install anything as the repository servers are not available.
The storage problem can be solved by creating a ramdisk. I've created a 70 MB ramdisk and verified whether the entire network still works.
Yes it does, although only 2.4 MB RAM was left and 2 UEs were connected.

Copying Python binaries and dependent libs (libssl.so.1.0.0, ...) from a RaspberryPi Model A, because they use the same processor/architecture.
After all dependencies had been copied via ssh, python still didn't run, showing some "GLIBS_VERSION" error, so I tried to replace libc.so.6 with the one from the RasPi too.
This was a huge mistake, which at the same time showed me that I am lacking system-level and C knowledge, because some google research (afterwards) proved that replacing libc.so.6 is a very, very bad idea.
After replacing libc.so.6 any executed command resulted in -> "Illegal Instruction - Core Dumped"... :S

I did a "Factory Reset", but it seems to only reset the AP configuration settings, or it might be damaged as well as a result of the libc.so.6 change.
The hNodeB still gets an IP from the DHCP server and one can ping it. But no ports are open anymore, thus I cannot connect at all. :/
It seems that I really have bricked the hNodeB... -.-"

+_2017-05-07_+
A friend supported me (*thanks*) with his knowledge and equipment to see whether any serial or JTAG interface might still work, so we might be able to change the wrong symlink.
The following pictures show the results of our probing.

Unfortunately we didn't find any serial connection, although some pins indicated some sort of communication.
Furthermore, the used Spansion S29GL-512P10FFCR2 flash is BGA and not TSOP ("datasheet":https://media.digikey.com/pdf/Data%20Sheets/Cypress%20PDFs/S29GLyyyP_Dec-16-2015.pdf). So an attempt to unsolder and fix the flash as described in "Reverse Engineering Flash memory for Fun and Benefit":https://www.blackhat.com/docs/us-14/materials/us-14-Oh-Reverse-Engineering-Flash-Memory-For-Fun-And-Benefit.pdf could not be applied.

+_2017-05-08_+
Thinking about buying a "BGA64 test socket":http://www.vipprogrammer.com/nand-bga64-test-socket-adapter-for-proman-tl86plus-nand-programmer-programmer-3533 in order to desolder and fix the Spansion flash.
But first buying a S29GL512P10FFCR2 (LAA064), a S29GL512P10TFCR2 (TSO56) and a "TSOP56 test socket":http://www.ebay.de/itm/New-TSOP56-TSOP-56-TO-DIP56-DIP-56-0-5mm-Universal-IC-Programmer-Socket-Adapter-/162210700904?hash=item25c482de68:g:pdMAAOSwPCVX4amp - which is much cheaper than the BGA64 test socket - to play around with such a flash type before doing anything with/on the hNodeB.

Buying an "Omnikey CardMan 3121 USB CCID reader":http://shop.sysmocom.de/products/cm3121 and a "Professional SIM card adapter":http://shop.sysmocom.de/products/sim-adapter-pcb to be able to tinker with SIM cards until the flash and test socket arrive.

h2. Conclusions

- UEs are connecting. Voice calls + SMS + data are working and UEs are *not* roaming. =)