Samsung GalaxyS9 VoWiFi
random notes about how VoWiFi seems to be implemented in the Samsung SM-G960F Galaxy S9.
Outline
- there's a userspace IPsec (IKEv2 + ESP) implementation called eris which is used to establish the SWu IPsec tunnel to the ePDG
- there are epdg0..epdg7 net-devices that are used to expose the inner side of the SWu IPsec tunnel; taking pcap files of those will show the IMS traffic to/from the P-CSCF
- contrary to VoLTE, even the RTP user plane goes through the application processor, via the same eris userspace IPsec implementation
eris
related binaries
/system/bin/eris
/system/lib64/liberis_charon.so
/system/lib64/liberis_strongswan.so
/system/lib64/liberis_simaka.so
general architecture
- opens UDP sockets on port 500 + 4500 for the IKEv2 + ESP traffic routed via the wlan interface
- decrypts traffic arriving on the UDP socket and re-injects decrypted packets via the epdgX net-device
- talks to rild to perform UMTS AKA with the SIM when prompted by EAP-AKA inside the IKEv2 handshake
- logs quite a bit (logcat | grep eris)
potential GPLv2-or-later license violation
- the "open source licensing" document on the Android UI doesn't contain any information on the above-mentioned eris related files
- doing a "strings" analysis shows various symbol names and log messages identical to strongswan, so the libraries are not just named by coincidence the same way
- I could not find any source for eris in the source code releases for SM-G960F on opensource.samsung.org
- I notified Samsung and requested the complete and corresponding source code
log of a connection setup
08-26 16:30:09.560 21939 21945 I eris : 04[DMN] [eris_interface] handle_request - type = MSG_TYPE_CONNECT
08-26 16:30:09.561 21939 21945 I eris : 04[DMN] operator_code : DTM
08-26 16:30:09.569 21939 21945 I eris : 04[LIB] created TUN device: epdg1
08-26 16:30:09.612 21939 21950 I eris : 09[IKE] initiating IKE_SA ims[12] to 109.237.187.226
08-26 16:30:09.618 21939 21950 I eris : 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
08-26 16:30:09.619 21939 21950 I eris : 09[NET] sending packet: from 192.168.101.29[51276] to 109.237.187.226[500] (366 bytes)
08-26 16:30:09.655 21939 21955 I eris : 15[NET] received packet: from 109.237.187.226[500] to 192.168.101.29[51276] (52 bytes)
08-26 16:30:09.656 21939 21955 I eris : 15[ENC] parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
08-26 16:30:09.659 21939 21955 I eris : 15[IKE] initiating IKE_SA ims[12] to 109.237.187.226
08-26 16:30:09.660 21939 21955 I eris : 15[ENC] generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
08-26 16:30:09.662 21939 21955 I eris : 15[NET] sending packet: from 192.168.101.29[51276] to 109.237.187.226[500] (390 bytes)
08-26 16:30:09.700 21939 21949 I eris : 08[NET] received packet: from 109.237.187.226[500] to 192.168.101.29[51276] (288 bytes)
08-26 16:30:09.701 21939 21949 I eris : 08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
08-26 16:30:09.713 21939 21949 I eris : 08[IKE] local host is behind NAT, sending keep alives
08-26 16:30:09.718 21939 21949 I eris : 08[IKE] establishing CHILD_SA ims{12}
08-26 16:30:09.720 21939 21949 I eris : 08[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(MASK ADDR DNS (16389) ADDR6 DNS6 (16390)) N(ESP_TFC_PAD_N) SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
08-26 16:30:09.721 21939 21949 I eris : 08[NET] sending packet: from 192.168.101.29[51182] to 109.237.187.226[4500] (428 bytes)
08-26 16:30:09.876 21939 21943 I eris : 07[NET] received packet: from 109.237.187.226[4500] to 192.168.101.29[51182] (204 bytes)
08-26 16:30:09.880 21939 21943 I eris : 07[ENC] parsed IKE_AUTH response 1 [ IDr EAP/REQ/AKA ]
08-26 16:30:09.884 21939 21943 I eris : 07[IKE] server requested EAP_AKA authentication (id 0x01)
08-26 16:30:09.893 21939 21943 I eris : 07[LIB] ignoring skippable EAP-SIM/AKA attribute AT_CHECKCODE
08-26 16:30:09.895 21939 21943 I eris : 07[DMN] simID : 0
08-26 16:30:10.104 21939 21943 I eris : 07[IKE] allow mutual EAP-only authentication
08-26 16:30:10.104 21939 21943 I eris : 07[ENC] generating IKE_AUTH request 2 [ EAP/RES/AKA ]
08-26 16:30:10.105 21939 21943 I eris : 07[NET] sending packet: from 192.168.101.29[51182] to 109.237.187.226[4500] (108 bytes)
08-26 16:30:10.410 21939 21952 I eris : 10[NET] received packet: from 109.237.187.226[4500] to 192.168.101.29[51182] (76 bytes)
08-26 16:30:10.415 21939 21952 I eris : 10[ENC] parsed IKE_AUTH response 2 [ EAP/SUCC ]
08-26 16:30:10.421 21939 21952 I eris : 10[IKE] EAP method EAP_AKA succeeded, MSK established
08-26 16:30:10.433 21939 21952 I eris : 10[IKE] authentication of '...' (myself) with EAP
08-26 16:30:10.440 21939 21952 I eris : 10[ENC] generating IKE_AUTH request 3 [ AUTH ]
08-26 16:30:10.453 21939 21952 I eris : 10[NET] sending packet: from 192.168.101.29[51182] to 109.237.187.226[4500] (92 bytes)
08-26 16:30:10.517 608 608 D wrapperGPS: wrapperisConnected_RILD
08-26 16:30:10.517 608 608 D wrapperGPS: wrapperisConnected_RILD
08-26 16:30:10.572 21939 21944 I eris : 02[NET] received packet: from 109.237.187.226[4500] to 192.168.101.29[51182] (428 bytes)
08-26 16:30:10.573 21939 21944 I eris : 02[ENC] unknown attribute type (16390)
08-26 16:30:10.574 21939 21944 I eris : 02[ENC] unknown attribute type (16390)
08-26 16:30:10.576 21939 21944 I eris : 02[ENC] parsed IKE_AUTH response 3 [ AUTH CPRP(ADDR MASK DNS ADDR6 DNS6 DNS6 (16390) (16390)) N(SET_WINSIZE) N(ESP_TFC_PAD_N) SA TSi TSr ]
08-26 16:30:10.578 21939 21944 I eris : 02[IKE] authentication of '...' with EAP successful
08-26 16:30:10.580 21939 21944 I eris : 02[IKE] IKE_SA ims[12] established between 192.168.101.29[...]...109.237.187.226[...]
08-26 16:30:10.582 21939 21944 I eris : 02[IKE] scheduling rekeying in 64791s
08-26 16:30:10.584 21939 21944 I eris : 02[IKE] maximum IKE_SA lifetime 64811s
08-26 16:30:10.588 21939 21944 I eris : 02[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
08-26 16:30:10.601 21939 21944 I eris : 02[IKE] CHILD_SA ims{12} established with SPIs 4b212242_i 04b403c3_o and TS 10.30.98.217/32 2a01:59f:d001:3747:1:1:a351:bf8a/128 === 0.0.0.0/0 ::/0
08-26 16:30:10.607 21939 21944 I eris : 02[DMN] setting up ePDG device for CHILD_SA ims{12}
08-26 16:30:10.613 21939 21944 I eris : 02[DMN] successfully created ePDG device
08-26 16:30:10.615 21939 21944 I eris : 02[DMN] update {event 1, error 0, ike_error 0} for conn[2]
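To line up such a log with a capture of the outer wlan traffic or of the epdgX device, the following added example (not part of the original notes, and not Samsung or strongSwan code) reduces the eris lines to the peer address, the IKEv2 exchanges with their payloads, the cookie challenge, the EAP method, and the CHILD_SA SPIs and traffic selectors. The sample input is an excerpt of the log above; the name `summarize` and the result keys are chosen here for illustration.

```python
import re

# Excerpt of the eris logcat lines shown above, plus one unrelated logcat line.
SAMPLE_LOG = """\
08-26 16:30:09.612 21939 21950 I eris : 09[IKE] initiating IKE_SA ims[12] to 109.237.187.226
08-26 16:30:09.618 21939 21950 I eris : 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
08-26 16:30:09.656 21939 21955 I eris : 15[ENC] parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
08-26 16:30:09.720 21939 21949 I eris : 08[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(MASK ADDR DNS (16389) ADDR6 DNS6 (16390)) N(ESP_TFC_PAD_N) SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
08-26 16:30:09.884 21939 21943 I eris : 07[IKE] server requested EAP_AKA authentication (id 0x01)
08-26 16:30:10.421 21939 21952 I eris : 10[IKE] EAP method EAP_AKA succeeded, MSK established
08-26 16:30:10.517 608 608 D wrapperGPS: wrapperisConnected_RILD
08-26 16:30:10.601 21939 21944 I eris : 02[IKE] CHILD_SA ims{12} established with SPIs 4b212242_i 04b403c3_o and TS 10.30.98.217/32 2a01:59f:d001:3747:1:1:a351:bf8a/128 === 0.0.0.0/0 ::/0
"""

# logcat prefix (date time pid tid level tag), then the "NN[GRP] message" body
LINE = re.compile(r"^(\S+ \S+)\s+\d+\s+\d+\s+\w\s+eris\s*:\s+\d+\[\w+\]\s+(.*)$")
EXCH = re.compile(r"(generating|parsed) (\w+) (request|response) (\d+) \[ (.*) \]")
# One payload token; CPRQ(... (16389) ...) nests one level of parentheses.
PAYLOAD = re.compile(r"[^\s()]+(?:\((?:[^()]|\([^()]*\))*\))?")
CHILD = re.compile(r"established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o and TS (.+) === (.+)")

def summarize(log):
    """Reduce eris log lines to the facts needed to correlate a capture."""
    s = {"peer": None, "exchanges": [], "cookie": False, "eap": None, "eap_ok": False,
         "spi_in": None, "spi_out": None, "ts_local": [], "ts_remote": []}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # other logcat tags (e.g. wrapperGPS) are ignored
        stamp, msg = m.groups()
        if x := EXCH.search(msg):
            verb, exch, kind, mid, body = x.groups()
            payloads = PAYLOAD.findall(body)
            direction = "out" if verb == "generating" else "in"
            s["exchanges"].append((stamp, direction, exch, kind, int(mid), payloads))
            # A response carrying only N(COOKIE) is the responder's cookie challenge.
            if verb == "parsed" and payloads == ["N(COOKIE)"]:
                s["cookie"] = True
        elif x := re.search(r"initiating IKE_SA \S+ to (\S+)", msg):
            s["peer"] = x.group(1)
        elif x := re.search(r"server requested (\w+) authentication", msg):
            s["eap"] = x.group(1)
        elif re.search(r"EAP method \w+ succeeded", msg):
            s["eap_ok"] = True
        elif x := CHILD.search(msg):
            s["spi_in"], s["spi_out"] = x.group(1), x.group(2)
            s["ts_local"], s["ts_remote"] = x.group(3).split(), x.group(4).split()
    return s

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The SPIs identify the ESP-in-UDP packets on port 4500 of the wlan side, while the local traffic selectors are the inner addresses that appear on the epdgX device.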
file descriptors
eris 21939 system 0u CHR 1,3 0t0 14599 /dev/null
eris 21939 system 1u CHR 1,3 0t0 14599 /dev/null
eris 21939 system 2u CHR 1,3 0t0 14599 /dev/null
eris 21939 system 3r FIFO 0,10 0t0 191918 pipe:[191918]
eris 21939 system 4w FIFO 0,10 0t0 191918 pipe:[191918]
eris 21939 system 5u unix 0t0 188122 socket
eris 21939 system 6w CHR 248,0 0t0 14761 /dev/pmsg0
eris 21939 system 7r CHR 1,9 0t0 14597 /dev/urandom
eris 21939 system 8r CHR 1,8 0t0 14596 /dev/random
eris 21939 system 9r FIFO 0,10 0t0 187175 pipe:[187175]
eris 21939 system 10w FIFO 0,10 0t0 187175 pipe:[187175]
eris 21939 system 11u netlink 0t0 187176 ROUTE
eris 21939 system 12u netlink 0t0 187177 ROUTE
eris 21939 system 13u CHR 10,200 0t48 8925 /dev/tun
eris 21939 system 14u sock 0t0 1271319 socket:[1271319]
eris 21939 system 15u IPv4 0t0 1277757 UDP :51276->:500
eris 21939 system 16u unix 0t0 187165 /dev/socket/eris
eris 21939 system 17u unix 0t0 191007 /dev/socket/eris
eris 21939 system 18u IPv4 0t0 1284421 UDP :51182->:4500
eris 21939 system 19u IPv4 0t0 1164443 UDP :44774->:500
eris 21939 system 20u IPv4 0t0 1164448 UDP :33934->:4500
eris 21939 system 22w REG 0,9 0 2305 /sys/kernel/debug/tracing/trace_marker
eris 21939 system 23u CHR 10,57 0t0 11362 /dev/hwbinder
memory mappings
eris 21939 system mem REG 259,2 121760 799 /system/bin/eris
eris 21939 system mem CHR 10,57 11362 /dev/hwbinder
eris 21939 system mem REG 259,2 24064 4287 /system/lib64/libnetd_client.so
eris 21939 system mem REG 259,2 1372848 4086 /system/lib64/libcrypto.so
eris 21939 system mem REG 259,2 117416 4518 /system/lib64/libutils.so
eris 21939 system mem REG 259,2 23896 4044 /system/lib64/libbinderthreadstate.so
eris 21939 system mem REG 259,2 82552 4091 /system/lib64/libcutils.so
eris 21939 system mem REG 259,2 20056 4068 /system/lib64/libcgrouprc.so
eris 21939 system mem REG 259,2 24192 4152 /system/lib64/libfloatingfeature.so
eris 21939 system mem REG 259,2 92240 4233 /system/lib64/liblog.so
eris 21939 system mem REG 259,2 159712 4132 /system/lib64/libexpat.so
eris 21939 system mem REG 259,2 14016 283 /apex/com.android.runtime/lib64/bionic/libdl.so
eris 21939 system mem REG 259,2 872168 4125 /system/lib64/liberis_strongswan.so
eris 21939 system mem REG 259,2 24256 4170 /system/lib64/libhardware_legacy.so
eris 21939 system mem REG 259,2 36272 4124 /system/lib64/liberis_simaka.so
eris 21939 system mem REG 259,2 229352 284 /apex/com.android.runtime/lib64/bionic/libm.so
eris 21939 system mem REG 259,2 14896 4186 /system/lib64/libhidltransport.so
eris 21939 system mem REG 259,2 44544 4387 /system/lib64/libsecril-client.so
eris 21939 system mem REG 259,2 15648 4529 /system/lib64/libvndksupport.so
eris 21939 system mem REG 259,2 117104 3828 /system/lib64/android.system.suspend@1.0.so
eris 21939 system mem REG 259,2 692152 4184 /system/lib64/libhidlbase.so
eris 21939 system mem REG 259,2 719432 4123 /system/lib64/liberis_charon.so
eris 21939 system mem REG 259,2 14896 4190 /system/lib64/libhwbinder.so
eris 21939 system mem REG 259,2 83552 4039 /system/lib64/libbase.so
eris 21939 system mem REG 259,2 19440 4471 /system/lib64/libstdc++.so
eris 21939 system mem REG 0,17 196608 10978 /dev/__properties__/u:object_r:hwservicemanager_prop:s0
eris 21939 system mem REG 259,2 1245176 282 /apex/com.android.runtime/lib64/bionic/libc.so
eris 21939 system mem REG 259,2 647152 4042 /system/lib64/libbinder.so
eris 21939 system mem REG 259,2 106472 4547 /system/lib64/libz.so
eris 21939 system mem REG 0,17 196608 10983 /dev/__properties__/u:object_r:log_tag_prop:s0
eris 21939 system mem REG 259,2 355712 4455 /system/lib64/libssl.so
eris 21939 system mem REG 259,2 255320 4323 /system/lib64/libprocessgroup.so
eris 21939 system mem REG 259,2 845928 4058 /system/lib64/libc++.so
eris 21939 system mem REG 0,17 196608 10984 /dev/__properties__/u:object_r:logd_prop:s0
eris 21939 system mem REG 259,2 10192 4104 /system/lib64/libdl_android.so
eris 21939 system mem REG 0,17 196608 11092 /dev/__properties__/u:object_r:wifi_log_prop:s0
eris 21939 system mem REG 0,17 196608 10977 /dev/__properties__/u:object_r:heapprofd_prop:s0
eris 21939 system mem REG 0,17 196608 10946 /dev/__properties__/u:object_r:default_prop:s0
eris 21939 system mem REG 0,17 196608 10943 /dev/__properties__/u:object_r:debug_level_prop:s0
eris 21939 system mem REG 0,17 196608 10944 /dev/__properties__/u:object_r:debug_prop:s0
eris 21939 system mem REG 0,17 196608 11094 /dev/__properties__/properties_serial
eris 21939 system mem REG 0,17 37416 10907 /dev/__properties__/property_info
eris 21939 system mem REG 0,17 196608 11003 /dev/__properties__/u:object_r:product_ship_prop:s0
eris 21939 system mem REG 0,17 196608 10969 /dev/__properties__/u:object_r:exported_system_prop:s0
eris 21939 system mem REG 0,17 196608 10946 /dev/__properties__/u:object_r:default_prop:s0
eris 21939 system mem REG 0,17 196608 10944 /dev/__properties__/u:object_r:debug_prop:s0
eris 21939 system mem REG 0,17 196608 11094 /dev/__properties__/properties_serial
eris 21939 system mem REG 0,17 37416 10907 /dev/__properties__/property_info
eris 21939 system mem REG 259,2 1608256 214 /apex/com.android.runtime/bin/linker64
/dev/socket/eris
after establishing the ePDG connection, eris writes JSON to this:
{"msgType":5,"msgData":{"mIntfName":"epdg1","mIpv4Addr":"10.24.31.1","mIpv6Addr":"2a01:59f:d008:3496:1:2:a39b:a5ce","mIpv4PrefixLen":28,"mIpv6PrefixLen":64,"mIpType":0,"mAtTrustInd":2,"mIpv4Dnses":["10.74.210.210"],"mIpv6Dnses":["2a01:598:7ff:0:10:74:210:210","2a01:598:7ff:0:10:74:210:211"],"mIpv4PcscfAddr":[],"mIpv6PcscfAddr":["2a01:598:405:3002::11","2a01:598:408:3002::15"],"cid":2,"mIkeSrcPort":53026}}
and
"{"msgType":4,"msgData":{"stateCode":1,"errorCode":0,"ikeErrorCode":0,"backoffTimer":-1,"n1_mode_snssai":"","n1_mode_plmn_id":"","cid":2,"mIkeSrcPort":53026}}
/dev/socket/fwmarkd
before establishing the connection to the ePDG, the following happens:
21943(eris): getsockopt (18 <socket:[1368429]>,SOL_SOCKET,SO_DOMAIN,0x7a9dbfa6b0,0x7a9dbfa6a0) = 0
21943(eris): socket (1,524289,0) = descriptor 21
21943(eris): connect (21, {unix:///dev/socket/fwmarkd} ) = 0
21943(eris): sendmsg (21 <unix:///dev/socket/fwmarkd>,"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", flags)
21943(eris): recvfrom (21 <unix:///dev/socket/fwmarkd>,"\x00\x00\x00\x00",4,0x0,0x0) = 4
21943(eris): close(21 <unix:///dev/socket/fwmarkd>) = 0
21943(eris): connect (18, {Not yet} ) = 0
21943(eris): socket (1,524289,0) = descriptor 21
21943(eris): connect (21, {unix:///dev/socket/fwmarkd} ) = 0
21943(eris): sendmsg (21 <unix:///dev/socket/fwmarkd>,"\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x11\x94m\xed\xbb\x82\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x05\x9ez\x00\x00\x00H\xa7\xbf\x9d", flags)
21943(eris): recvfrom (21 <unix:///dev/socket/fwmarkd>,"\x00\x00\x00\x00",4,0x0,0x0) = 4
21943(eris): close(21 <unix:///dev/socket/fwmarkd>) = 0
Updated by laforge over 2 years ago · 2 revisions