Samsung GalaxyS9 VoWiFi » History » Version 1
laforge, 08/26/2021 03:44 PM
| 1 | 1 | laforge | h1. Samsung GalaxyS9 VoWiFi |
|---|---|---|---|
| 2 | |||
| 3 | random notes about how VoWiFi seems to be implemented in the Samsung SM-G960F Galaxy S9. |
||
| 4 | |||
| 5 | h2. Outline |
||
| 6 | |||
| 7 | * there's an userspace ipsec (IKEv2 + ESP) implementation called @eris@ which is used to establish the SWu IPsec tunnel to the ePDG |
||
| 8 | * there are @epdg0@..@epdg7@ net-devices that are used to expose the inner side of the SWu IPsec; taking pcap files of those will show the IMS traffic to/from the P-CSCF |
||
| 9 | * contrary to VoLTE, even the RTP user plane goes through the application processor, via the same eris userspace IPsec implementation |
||
| 10 | |||
| 11 | h2. eris |
||
| 12 | |||
| 13 | h3. related binaries |
||
| 14 | |||
| 15 | <pre> |
||
| 16 | /system/bin/eris |
||
| 17 | /system/lib64/liberis_charon.so |
||
| 18 | /system/lib64/liberis_strongswan.so |
||
| 19 | /system/lib64/liberis_simaka.so |
||
| 20 | </pre> |
||
| 21 | |||
| 22 | h3. general arcitecture |
||
| 23 | |||
| 24 | * opens udp sockets on port 500 + 4500 for the IKEv2 + ESP(NAT-T) traffic routed via the wlan interface |
||
| 25 | * decrypts traffic arriving on the UDP socket and re-injects decrypted packets via @epdgX@ net-device |
||
| 26 | * talks to rild to perform UMTS AKA with the SIM when prompted by EAP-AKA inside the IKEv2 handshake |
||
| 27 | * logs quite a bit (@logcat | grep eris@) |
||
| 28 | |||
| 29 | h3. potential GPLv2-or-later license violation |
||
| 30 | |||
| 31 | * the "open source licensing" document on the Android UI doesn't contain any information on the above-mentioned eris related files |
||
| 32 | * doing a "strings" analysis shows various symbol names and log messages identical to strongswan, so the libraries are not just named by coincidence the same way |
||
| 33 | * I could not find any source for eris in the soure code releases for SM-G960F on opensource.samsung.org |
||
| 34 | * I notified Samsung and requested the complete and corresponding source code |
||
| 35 | |||
| 36 | h3. log of a connection setup |
||
| 37 | |||
| 38 | <pre> |
||
| 39 | 08-26 16:30:09.560 21939 21945 I eris : 04[DMN] [eris_interface] handle_request - type = MSG_TYPE_CONNECT |
||
| 40 | 08-26 16:30:09.561 21939 21945 I eris : 04[DMN] operator_code : DTM |
||
| 41 | 08-26 16:30:09.569 21939 21945 I eris : 04[LIB] created TUN device: epdg1 |
||
| 42 | 08-26 16:30:09.612 21939 21950 I eris : 09[IKE] initiating IKE_SA ims[12] to 109.237.187.226 |
||
| 43 | 08-26 16:30:09.618 21939 21950 I eris : 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] |
||
| 44 | 08-26 16:30:09.619 21939 21950 I eris : 09[NET] sending packet: from 192.168.101.29[51276] to 109.237.187.226[500] (366 bytes) |
||
| 45 | 08-26 16:30:09.655 21939 21955 I eris : 15[NET] received packet: from 109.237.187.226[500] to 192.168.101.29[51276] (52 bytes) |
||
| 46 | 08-26 16:30:09.656 21939 21955 I eris : 15[ENC] parsed IKE_SA_INIT response 0 [ N(COOKIE) ] |
||
| 47 | 08-26 16:30:09.659 21939 21955 I eris : 15[IKE] initiating IKE_SA ims[12] to 109.237.187.226 |
||
| 48 | 08-26 16:30:09.660 21939 21955 I eris : 15[ENC] generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] |
||
| 49 | 08-26 16:30:09.662 21939 21955 I eris : 15[NET] sending packet: from 192.168.101.29[51276] to 109.237.187.226[500] (390 bytes) |
||
| 50 | 08-26 16:30:09.700 21939 21949 I eris : 08[NET] received packet: from 109.237.187.226[500] to 192.168.101.29[51276] (288 bytes) |
||
| 51 | 08-26 16:30:09.701 21939 21949 I eris : 08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] |
||
| 52 | 08-26 16:30:09.713 21939 21949 I eris : 08[IKE] local host is behind NAT, sending keep alives |
||
| 53 | 08-26 16:30:09.718 21939 21949 I eris : 08[IKE] establishing CHILD_SA ims{12} |
||
| 54 | 08-26 16:30:09.720 21939 21949 I eris : 08[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(MASK ADDR DNS (16389) ADDR6 DNS6 (16390)) N(ESP_TFC_PAD_N) SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] |
||
| 55 | 08-26 16:30:09.721 21939 21949 I eris : 08[NET] sending packet: from 192.168.101.29[51182] to 109.237.187.226[4500] (428 bytes) |
||
| 56 | 08-26 16:30:09.876 21939 21943 I eris : 07[NET] received packet: from 109.237.187.226[4500] to 192.168.101.29[51182] (204 bytes) |
||
| 57 | 08-26 16:30:09.880 21939 21943 I eris : 07[ENC] parsed IKE_AUTH response 1 [ IDr EAP/REQ/AKA ] |
||
| 58 | 08-26 16:30:09.884 21939 21943 I eris : 07[IKE] server requested EAP_AKA authentication (id 0x01) |
||
| 59 | 08-26 16:30:09.893 21939 21943 I eris : 07[LIB] ignoring skippable EAP-SIM/AKA attribute AT_CHECKCODE |
||
| 60 | 08-26 16:30:09.895 21939 21943 I eris : 07[DMN] simID : 0 |
||
| 61 | 08-26 16:30:10.104 21939 21943 I eris : 07[IKE] allow mutual EAP-only authentication |
||
| 62 | 08-26 16:30:10.104 21939 21943 I eris : 07[ENC] generating IKE_AUTH request 2 [ EAP/RES/AKA ] |
||
| 63 | 08-26 16:30:10.105 21939 21943 I eris : 07[NET] sending packet: from 192.168.101.29[51182] to 109.237.187.226[4500] (108 bytes) |
||
| 64 | 08-26 16:30:10.410 21939 21952 I eris : 10[NET] received packet: from 109.237.187.226[4500] to 192.168.101.29[51182] (76 bytes) |
||
| 65 | 08-26 16:30:10.415 21939 21952 I eris : 10[ENC] parsed IKE_AUTH response 2 [ EAP/SUCC ] |
||
| 66 | 08-26 16:30:10.421 21939 21952 I eris : 10[IKE] EAP method EAP_AKA succeeded, MSK established |
||
| 67 | 08-26 16:30:10.433 21939 21952 I eris : 10[IKE] authentication of '...' (myself) with EAP |
||
| 68 | 08-26 16:30:10.440 21939 21952 I eris : 10[ENC] generating IKE_AUTH request 3 [ AUTH ] |
||
| 69 | 08-26 16:30:10.453 21939 21952 I eris : 10[NET] sending packet: from 192.168.101.29[51182] to 109.237.187.226[4500] (92 bytes) |
||
| 70 | 08-26 16:30:10.517 608 608 D wrapperGPS: wrapperisConnected_RILD |
||
| 71 | 08-26 16:30:10.517 608 608 D wrapperGPS: wrapperisConnected_RILD |
||
| 72 | 08-26 16:30:10.572 21939 21944 I eris : 02[NET] received packet: from 109.237.187.226[4500] to 192.168.101.29[51182] (428 bytes) |
||
| 73 | 08-26 16:30:10.573 21939 21944 I eris : 02[ENC] unknown attribute type (16390) |
||
| 74 | 08-26 16:30:10.574 21939 21944 I eris : 02[ENC] unknown attribute type (16390) |
||
| 75 | 08-26 16:30:10.576 21939 21944 I eris : 02[ENC] parsed IKE_AUTH response 3 [ AUTH CPRP(ADDR MASK DNS ADDR6 DNS6 DNS6 (16390) (16390)) N(SET_WINSIZE) N(ESP_TFC_PAD_N) SA TSi TSr ] |
||
| 76 | 08-26 16:30:10.578 21939 21944 I eris : 02[IKE] authentication of '...' with EAP successful |
||
| 77 | 08-26 16:30:10.580 21939 21944 I eris : 02[IKE] IKE_SA ims[12] established between 192.168.101.29[...]...109.237.187.226[...] |
||
| 78 | 08-26 16:30:10.582 21939 21944 I eris : 02[IKE] scheduling rekeying in 64791s |
||
| 79 | 08-26 16:30:10.584 21939 21944 I eris : 02[IKE] maximum IKE_SA lifetime 64811s |
||
| 80 | 08-26 16:30:10.588 21939 21944 I eris : 02[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding |
||
| 81 | 08-26 16:30:10.601 21939 21944 I eris : 02[IKE] CHILD_SA ims{12} established with SPIs 4b212242_i 04b403c3_o and TS 10.30.98.217/32 2a01:59f:d001:3747:1:1:a351:bf8a/128 === 0.0.0.0/0 ::/0 |
||
| 82 | 08-26 16:30:10.607 21939 21944 I eris : 02[DMN] setting up ePDG device for CHILD_SA ims{12} |
||
| 83 | 08-26 16:30:10.613 21939 21944 I eris : 02[DMN] successfully created ePDG device |
||
| 84 | 08-26 16:30:10.615 21939 21944 I eris : 02[DMN] update {event 1, error 0, ike_error 0} for conn[2] |
||
| 85 | </pre> |
||
| 86 | |||
| 87 | h3. file descriptors |
||
| 88 | |||
| 89 | <pre> |
||
| 90 | eris 21939 system 0u CHR 1,3 0t0 14599 /dev/null |
||
| 91 | eris 21939 system 1u CHR 1,3 0t0 14599 /dev/null |
||
| 92 | eris 21939 system 2u CHR 1,3 0t0 14599 /dev/null |
||
| 93 | eris 21939 system 3r FIFO 0,10 0t0 191918 pipe:[191918] |
||
| 94 | eris 21939 system 4w FIFO 0,10 0t0 191918 pipe:[191918] |
||
| 95 | eris 21939 system 5u unix 0t0 188122 socket |
||
| 96 | eris 21939 system 6w CHR 248,0 0t0 14761 /dev/pmsg0 |
||
| 97 | eris 21939 system 7r CHR 1,9 0t0 14597 /dev/urandom |
||
| 98 | eris 21939 system 8r CHR 1,8 0t0 14596 /dev/random |
||
| 99 | eris 21939 system 9r FIFO 0,10 0t0 187175 pipe:[187175] |
||
| 100 | eris 21939 system 10w FIFO 0,10 0t0 187175 pipe:[187175] |
||
| 101 | eris 21939 system 11u netlink 0t0 187176 ROUTE |
||
| 102 | eris 21939 system 12u netlink 0t0 187177 ROUTE |
||
| 103 | eris 21939 system 13u CHR 10,200 0t48 8925 /dev/tun |
||
| 104 | eris 21939 system 14u sock 0t0 1271319 socket:[1271319] |
||
| 105 | eris 21939 system 15u IPv4 0t0 1277757 UDP :51276->:500 |
||
| 106 | eris 21939 system 16u unix 0t0 187165 /dev/socket/eris |
||
| 107 | eris 21939 system 17u unix 0t0 191007 /dev/socket/eris |
||
| 108 | eris 21939 system 18u IPv4 0t0 1284421 UDP :51182->:4500 |
||
| 109 | eris 21939 system 19u IPv4 0t0 1164443 UDP :44774->:500 |
||
| 110 | eris 21939 system 20u IPv4 0t0 1164448 UDP :33934->:4500 |
||
| 111 | eris 21939 system 22w REG 0,9 0 2305 /sys/kernel/debug/tracing/trace_marker |
||
| 112 | eris 21939 system 23u CHR 10,57 0t0 11362 /dev/hwbinder |
||
| 113 | </pre> |
||
| 114 | |||
| 115 | h3. memory mappings |
||
| 116 | |||
| 117 | <pre> |
||
| 118 | eris 21939 system mem REG 259,2 121760 799 /system/bin/eris |
||
| 119 | eris 21939 system mem CHR 10,57 11362 /dev/hwbinder |
||
| 120 | eris 21939 system mem REG 259,2 24064 4287 /system/lib64/libnetd_client.so |
||
| 121 | eris 21939 system mem REG 259,2 1372848 4086 /system/lib64/libcrypto.so |
||
| 122 | eris 21939 system mem REG 259,2 117416 4518 /system/lib64/libutils.so |
||
| 123 | eris 21939 system mem REG 259,2 23896 4044 /system/lib64/libbinderthreadstate.so |
||
| 124 | eris 21939 system mem REG 259,2 82552 4091 /system/lib64/libcutils.so |
||
| 125 | eris 21939 system mem REG 259,2 20056 4068 /system/lib64/libcgrouprc.so |
||
| 126 | eris 21939 system mem REG 259,2 24192 4152 /system/lib64/libfloatingfeature.so |
||
| 127 | eris 21939 system mem REG 259,2 92240 4233 /system/lib64/liblog.so |
||
| 128 | eris 21939 system mem REG 259,2 159712 4132 /system/lib64/libexpat.so |
||
| 129 | eris 21939 system mem REG 259,2 14016 283 /apex/com.android.runtime/lib64/bionic/libdl.so |
||
| 130 | eris 21939 system mem REG 259,2 872168 4125 /system/lib64/liberis_strongswan.so |
||
| 131 | eris 21939 system mem REG 259,2 24256 4170 /system/lib64/libhardware_legacy.so |
||
| 132 | eris 21939 system mem REG 259,2 36272 4124 /system/lib64/liberis_simaka.so |
||
| 133 | eris 21939 system mem REG 259,2 229352 284 /apex/com.android.runtime/lib64/bionic/libm.so |
||
| 134 | eris 21939 system mem REG 259,2 14896 4186 /system/lib64/libhidltransport.so |
||
| 135 | eris 21939 system mem REG 259,2 44544 4387 /system/lib64/libsecril-client.so |
||
| 136 | eris 21939 system mem REG 259,2 15648 4529 /system/lib64/libvndksupport.so |
||
| 137 | eris 21939 system mem REG 259,2 117104 3828 /system/lib64/android.system.suspend@1.0.so |
||
| 138 | eris 21939 system mem REG 259,2 692152 4184 /system/lib64/libhidlbase.so |
||
| 139 | eris 21939 system mem REG 259,2 719432 4123 /system/lib64/liberis_charon.so |
||
| 140 | eris 21939 system mem REG 259,2 14896 4190 /system/lib64/libhwbinder.so |
||
| 141 | eris 21939 system mem REG 259,2 83552 4039 /system/lib64/libbase.so |
||
| 142 | eris 21939 system mem REG 259,2 19440 4471 /system/lib64/libstdc++.so |
||
| 143 | eris 21939 system mem REG 0,17 196608 10978 /dev/__properties__/u:object_r:hwservicemanager_prop:s0 |
||
| 144 | eris 21939 system mem REG 259,2 1245176 282 /apex/com.android.runtime/lib64/bionic/libc.so |
||
| 145 | eris 21939 system mem REG 259,2 647152 4042 /system/lib64/libbinder.so |
||
| 146 | eris 21939 system mem REG 259,2 106472 4547 /system/lib64/libz.so |
||
| 147 | eris 21939 system mem REG 0,17 196608 10983 /dev/__properties__/u:object_r:log_tag_prop:s0 |
||
| 148 | eris 21939 system mem REG 259,2 355712 4455 /system/lib64/libssl.so |
||
| 149 | eris 21939 system mem REG 259,2 255320 4323 /system/lib64/libprocessgroup.so |
||
| 150 | eris 21939 system mem REG 259,2 845928 4058 /system/lib64/libc++.so |
||
| 151 | eris 21939 system mem REG 0,17 196608 10984 /dev/__properties__/u:object_r:logd_prop:s0 |
||
| 152 | eris 21939 system mem REG 259,2 10192 4104 /system/lib64/libdl_android.so |
||
| 153 | eris 21939 system mem REG 0,17 196608 11092 /dev/__properties__/u:object_r:wifi_log_prop:s0 |
||
| 154 | eris 21939 system mem REG 0,17 196608 10977 /dev/__properties__/u:object_r:heapprofd_prop:s0 |
||
| 155 | eris 21939 system mem REG 0,17 196608 10946 /dev/__properties__/u:object_r:default_prop:s0 |
||
| 156 | eris 21939 system mem REG 0,17 196608 10943 /dev/__properties__/u:object_r:debug_level_prop:s0 |
||
| 157 | eris 21939 system mem REG 0,17 196608 10944 /dev/__properties__/u:object_r:debug_prop:s0 |
||
| 158 | eris 21939 system mem REG 0,17 196608 11094 /dev/__properties__/properties_serial |
||
| 159 | eris 21939 system mem REG 0,17 37416 10907 /dev/__properties__/property_info |
||
| 160 | eris 21939 system mem REG 0,17 196608 11003 /dev/__properties__/u:object_r:product_ship_prop:s0 |
||
| 161 | eris 21939 system mem REG 0,17 196608 10969 /dev/__properties__/u:object_r:exported_system_prop:s0 |
||
| 162 | eris 21939 system mem REG 0,17 196608 10946 /dev/__properties__/u:object_r:default_prop:s0 |
||
| 163 | eris 21939 system mem REG 0,17 196608 10944 /dev/__properties__/u:object_r:debug_prop:s0 |
||
| 164 | eris 21939 system mem REG 0,17 196608 11094 /dev/__properties__/properties_serial |
||
| 165 | eris 21939 system mem REG 0,17 37416 10907 /dev/__properties__/property_info |
||
| 166 | eris 21939 system mem REG 259,2 1608256 214 /apex/com.android.runtime/bin/linker64 |
||
| 167 | </pre> |
