
Modmobmap: The modest mobile networks mapping tool, by Sébastien Dudek (PowerPoint presentation)



  1. Modmobmap The modest mobile networks mapping tool By Sébastien Dudek BeeRumP May 31st 2018

  2. Introduction. Modmobmap (sounds like "Bibimbap"): Modest Mobile networks Mapping tool. Used to map 2G/3G and 4G networks (maybe more) live. Uses a set of tricks (including the cheapest ones) to map cells.

  3. Agenda
     1 Context
     2 State of the Art
     3 ServiceMode as an alternative
     4 Make a tool out of it

  4. Where can I use this tool?
     Cell towers discovery: have a list and description of surrounding towers; spot rogue base stations (a mature list is required!)
     Restricted/smart/magic jamming: replace the heavy, noisy and cumbersome jammer (or portable ones with weak signals); avoid having to rework commercial jamming devices (disabling bands)

  6. Remember: monitoring with holy relics. Old Nokia phones have a net monitor mode that could be enabled via FBus or MBUS access. Tools: Gnokii, Gammu and others activate monitor mode, interact with the phone and capture trace logs. DCT3-GSMTAP: an evolution of Gammu that captures GSM Um and SIM-ME traffic in the GSMTAP pseudo-header format.

  7. Existing tool: OpenCellID example. But very little information... It could be used as a database for spotting rogue base stations, but it is useless for jamming attacks.

  8. What we want for 3G, 4G and more: the equivalent of the OsmocomBB cell monitor.

  9. Agenda, section 2: State of the Art

  10. Public tools
      Recorded mobile towers: OpenCellid (Open Database of Cell Towers), Gsmmap.org and so on.
      Problem! These solutions don't map live and do not give precise information about cell towers.
      Live scanning tools:
      for 2G cells: Gammu/Wammu, DCT3-GSMTAP and others; OsmocomBB via the cell_log application
      for 3G, 4G and more: only tricks: use of an exposed DIAG interface → decoding → GSMTAP pseudo-header format; SnoopSnitch: not flexible, but could be reworked for our purposes ;)

  13. Methods to capture cell information. Possible methods are: Software-Defined Radio; exposed diagnostic interfaces; use of the Android RIL.

  14. Software-Defined Radio. Existing tools: Airprobe or GR-GSM; OpenLTE: LTE_fdd_dl_scan; srsLTE with srsUE. No 3G: there are no 3G tools to capture cell information.

  16. Exposed diagnostic interface. Diagnostic interface enabled: on old phones and 3G sticks like the Icon 255 [1] that expose it by default; enabling DIAG ourselves, e.g. for some LG devices via /sys/devices/platform/lg_diag_cmd/diag_enable; chips used for development; interfaces kept enabled in production by error (e.g. via custom boot modes → CVE-2016-8467). Existing tools: xgoldmon for Infineon X-Gold basebands; diag-parser for exposed Qualcomm DIAG interfaces.
      [1] https://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11ccc-qcombbdbg.pdf

  17. Making a development environment. A good alternative: could work with almost all the bands we want; a little expensive: almost 300€; requirements: EC20 LTE modem, PC Engines APU2.

  18. (Funny story about the EC20) Seen at 33c3 by Harald Welte [2] → the modem runs an OpenEmbedded-based Linux distribution. It's also possible to get a shell via the AT command AT+QLINUXCMD:

      # echo -e 'AT+QLINUXCMD="/sbin/getty -L ttyGS0 115200 console"\r\n' > /dev/ttyUSB2
      # microcom /dev/ttyUSB1
      OpenEmbedded Linux 9615-cdp ttyGS0
      msm 20160923 9615-cdp ttyGS0
      9615-cdp login: root
      Password: oelinux123
      root@9615-cdp:~#

      [2] http://git.gnumonks.org/laforge-slides/plain/2016/cellular_modems_33c3/33c3modems.html

  19. RIL on Android. The RIL daemon forwards commands/messages: application ⇆ vendor RIL. The vendor RIL library is proprietary and vendor specific; it knows how to talk to the modem: classic AT; QMI for Qualcomm (old?); Samsung IPC protocol; and so on.

  20. Agenda, section 3: ServiceMode as an alternative

  21. ServiceMode on Android. Usually activated by typing a secret code. Gives interesting details of the current cell: implicit network type used; band; reception (RX/DL) and/or transmission (TX/UL) (E/U)ARFCN (Absolute Radio Frequency Channel Number); PLMN (Public Land Mobile Network) number; and so on.

  22. Samsung ServiceMode in brief
      1 The *#0011# secret code is handled by the ServiceModeApp activity of ServiceModeApp_RIL
      2 ServiceModeApp → IPC connection → SecFactoryPhoneTest / SecPhoneService
      3 ServiceModeApp starts the service mode → invokeOemRilRequestRaw() through SecPhoneService (sends the RIL command RIL_REQUEST_OEM_HOOK_RAW)
      4 ServiceModeApp processes the higher-level ServiceMode messages coming from the RIL
      Best place to listen for ServiceMode messages: two good places exist: the RIL library (independent of the vendor RIL library implementation), or invokeOemRilRequestRaw()

  23. Getting SM messages: the lazy way. Ask our best friend → logcat:

      shell@klte:/ $ logcat
      [...]
      I/ServiceModeApp_RIL( 1542): in QUERT_SERVM_DONE
      I/ServiceModeApp_RIL( 1542): size of result: 1700
      I/ServiceModeApp_RIL( 1542): Line 0 : RRC: IDLE, Band:1_
      I/ServiceModeApp_RIL( 1542): Line 1 : PLMN:208-20_
      I/ServiceModeApp_RIL( 1542): Line 2 : RX:10639 RI:-70 CID:1fc09bd_
      I/ServiceModeApp_RIL( 1542): Line 3 : TX:9689 EcIo:-4 RSCP:-74_
      I/ServiceModeApp_RIL( 1542): Line 4 : L1: PCH_Sleep PSC:83 DRX:64_
      I/ServiceModeApp_RIL( 1542): Line 5 : SERVICE: LIMITED_
      I/ServiceModeApp_RIL( 1542): Line 6 : Speech VER: FR FR FR_
      I/ServiceModeApp_RIL( 1542): Line 7 : therm: 111 LNA: 0_
      I/ServiceModeApp_RIL( 1542): Line 8 : SIB19 Received_
      I/ServiceModeApp_RIL( 1542): Line 9 : PA STATE: 0 (APT), HDET: 0_
      I/ServiceModeApp_RIL( 1542): Line 10 : NETWORK: UNBLOCK_
      I/ServiceModeApp_RIL( 1542): Line 11 : IMEI Certi: PASS, 1_

      Those messages can then be processed to get our current cell information.
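To show how those logcat lines become a cell record, here is an added Python example; it is not code from the talk or from modmobmap itself. It parses a constructed logcat excerpt modelled on the slide, collects the ServiceMode key/value pairs, and converts the UARFCNs to centre frequencies with the 3GPP TS 25.101 formula (F = F_offset + 0.2 MHz × UARFCN), using the offsets for Bands I and VIII. The sample text, the regexes and the field names (PLMN, Band, RX, TX, PSC, CID, RSCP, EcIo) are assumptions drawn from this one Samsung 3G screen; other models and RATs print different ServiceMode lines.

```python
import re
from typing import Dict, Optional

# Constructed sample mirroring the logcat excerpt on the slide (not a real capture).
SAMPLE_LOGCAT = """\
I/ServiceModeApp_RIL( 1542): in QUERT_SERVM_DONE
I/ServiceModeApp_RIL( 1542): size of result: 1700
I/ServiceModeApp_RIL( 1542): Line 0 : RRC: IDLE, Band:1_
I/ServiceModeApp_RIL( 1542): Line 1 : PLMN:208-20_
I/ServiceModeApp_RIL( 1542): Line 2 : RX:10639 RI:-70 CID:1fc09bd_
I/ServiceModeApp_RIL( 1542): Line 3 : TX:9689 EcIo:-4 RSCP:-74_
I/ServiceModeApp_RIL( 1542): Line 4 : L1: PCH_Sleep PSC:83 DRX:64_
I/ServiceModeApp_RIL( 1542): Line 5 : SERVICE: LIMITED_
I/SomeOtherTag( 42): unrelated noise that must be ignored
"""

# One ServiceMode screen line as logged by ServiceModeApp_RIL: "Line <n> : <payload>_"
SM_LINE_RE = re.compile(r"ServiceModeApp_RIL\(\s*\d+\): Line (\d+) : (.*?)_?$")
# "KEY: value" / "KEY:value" pairs inside a payload; values contain no spaces or commas.
KV_RE = re.compile(r"([A-Za-z0-9]+):\s*([^\s,]+)")

# 3GPP TS 25.101: F = F_offset + 0.2 MHz * UARFCN.  Offsets in kHz, indexed by band
# (only the two bands needed here; extend the table for others).
UARFCN_OFFSET_KHZ = {
    1: {"DL": 0, "UL": 0},              # Band I   (2100 MHz)
    8: {"DL": 340_000, "UL": 340_000},  # Band VIII (900 MHz)
}


def parse_servicemode(logcat_text: str) -> Dict[str, str]:
    """Collect KEY -> value pairs from every ServiceMode 'Line n' entry in a logcat dump."""
    fields: Dict[str, str] = {}
    for raw in logcat_text.splitlines():
        m = SM_LINE_RE.search(raw)
        if not m:
            continue  # not a ServiceMode screen line
        for key, value in KV_RE.findall(m.group(2)):
            fields[key] = value
    return fields


def uarfcn_to_khz(band: int, uarfcn: int, direction: str) -> Optional[int]:
    """Centre frequency in kHz for a UARFCN, or None for a band missing from the table."""
    offsets = UARFCN_OFFSET_KHZ.get(band)
    if offsets is None:
        return None
    return offsets[direction] + 200 * uarfcn  # integer kHz avoids float rounding


def summarize_cell(fields: Dict[str, str]) -> dict:
    """Turn the raw ServiceMode fields into the cell record a mapper would store."""
    mcc, mnc = fields["PLMN"].split("-", 1)
    band = int(fields["Band"])
    rx, tx = int(fields["RX"]), int(fields["TX"])
    return {
        "mcc": mcc,
        "mnc": mnc,
        "band": band,
        "rrc_state": fields.get("RRC"),
        "service": fields.get("SERVICE"),
        "dl_uarfcn": rx,
        "ul_uarfcn": tx,
        "dl_khz": uarfcn_to_khz(band, rx, "DL"),
        "ul_khz": uarfcn_to_khz(band, tx, "UL"),
        "psc": int(fields["PSC"]),
        "cid": int(fields["CID"], 16),  # ServiceMode prints the UTRAN cell id in hex
        "rscp_dbm": int(fields["RSCP"]),
        "ecio_db": int(fields["EcIo"]),
    }


if __name__ == "__main__":
    cell = summarize_cell(parse_servicemode(SAMPLE_LOGCAT))
    for key, value in cell.items():
        print(f"{key:>10}: {value}")
```

For the sample above the downlink UARFCN 10639 lands at 2127.8 MHz and the uplink 9689 at 1937.8 MHz, both inside Band I, which is a cheap sanity check that the Band and RX/TX fields were read from the right line. On a real device the input is the output of `adb shell logcat -s ServiceModeApp_RIL`, and the screen is refreshed periodically, so a mapper should re-run the parser on each new "QUERT_SERVM_DONE" batch rather than on the whole buffer.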

  24. Agenda, section 4: Make a tool out of it

  25. What do I need? At least a phone supporting ServiceMode!

  26. A few constraints to resolve. "KTHX! But...":
      1 how to support operators other than the one of your own SIM card? Do you need a different SIM card for each operator?
      2 how to enumerate the cells an MS (Mobile Station) is supposed to see?
      Answer: the DFR technique!

  28. DFR technique. D.F.R: "D" for Dirty, "F" for Fuzzy, "R" for Registration

  29. The camping concept in brief. Let's remember 3GPP TS 43.022, ETSI TS 125 304... When selecting a PLMN → the MS looks for cells satisfying a few conditions (cell of the selected PLMN, not barred, pathloss between MS and BTS below a threshold, and so on). Cells are checked in descending order of signal strength. If a suitable cell is found → the MS camps on it and tries to register. If registration fails → the MS camps on another cell until it can register. Verified through DIAG and ServiceMode.

  31. Automate the DFR technique with AT commands. Android phones often expose a modem interface (e.g. /dev/smd0):

      shell@klte:/ $ getprop rild.libargs
      -d /dev/smd0

      It is possible to: set the network type: AT^SYSCONFIG (vendor-specific); list PLMNs and select a PLMN: AT+COPS → requires root privileges
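An added example of the automation sketched above, written for this edit and not taken from the talk or from modmobmap: it parses the operator list returned by AT+COPS=? (3GPP TS 27.007 format), forces manual selection of each PLMN with AT+COPS=1,2,"<MCCMNC>"[,<AcT>], reads the registration state with AT+CREG?, and records the cell the MS camped on in the meantime. The serial transport and the ServiceMode/DIAG reader are injected callables; FakeModem, its canned +COPS reply and its cell table are constructed stand-ins so the code runs offline. On a real phone `send` would write to /dev/smd0 as root and `read_cell` would be the ServiceMode parser.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# 3GPP TS 27.007 +COPS <stat> and <AcT> codes
STAT = {0: "unknown", 1: "available", 2: "current", 3: "forbidden"}
ACT = {0: "GSM", 2: "UTRAN", 7: "E-UTRAN"}

# One operator tuple from AT+COPS=?: (<stat>,"<long>","<short>","<numeric>"[,<AcT>])
OPER_RE = re.compile(r'\((\d),"([^"]*)","([^"]*)","(\d{5,6})"(?:,(\d+))?\)')
CREG_RE = re.compile(r"\+CREG:\s*\d+,(\d+)")


@dataclass(frozen=True)
class Operator:
    stat: int
    name: str
    plmn: str            # MCC+MNC, e.g. "20820"
    act: Optional[int]   # None when the modem omits <AcT>


def parse_cops_test(response: str) -> List[Operator]:
    """Operators announced by AT+COPS=? (the trailing mode/format lists are ignored)."""
    ops = []
    for stat, long_name, short_name, plmn, act in OPER_RE.findall(response):
        ops.append(Operator(int(stat), long_name or short_name, plmn, int(act) if act else None))
    return ops


def cops_select(plmn: str, act: Optional[int] = None) -> str:
    """Manual selection (<mode>=1) in numeric format (<format>=2), optionally pinned to an AcT."""
    cmd = f'AT+COPS=1,2,"{plmn}"'
    return cmd if act is None else f"{cmd},{act}"


def parse_creg(response: str) -> Optional[int]:
    """Registration state from AT+CREG? (1 registered, 3 denied, 5 roaming, ...)."""
    m = CREG_RE.search(response)
    return int(m.group(1)) if m else None


def dfr_scan(send: Callable[[str], str], read_cell: Callable[[], Dict]) -> List[Dict]:
    """
    Dirty Fuzzy Registration: push the MS onto every PLMN it can hear, one at a time,
    and record the cell it camps on whether or not the network accepts the registration.
    `send` writes one AT command and returns the reply; `read_cell` returns the current
    cell as seen through ServiceMode or DIAG.  Both are injected so this runs offline.
    """
    seen = []
    for op in parse_cops_test(send("AT+COPS=?")):
        reply = send(cops_select(op.plmn, op.act))
        creg = parse_creg(send("AT+CREG?"))
        cell = dict(read_cell())
        cell.update(plmn=op.plmn, operator=op.name, stat=STAT.get(op.stat, "?"),
                    rat=ACT.get(op.act, "?"), creg=creg,
                    cops_ok=reply.strip().endswith("OK"))
        seen.append(cell)
    send("AT+COPS=0")  # hand the modem back to automatic selection
    return seen


class FakeModem:
    """Constructed stand-in for the /dev/smd0 AT port: canned replies, not a real device."""
    COPS_TEST = ('+COPS: (2,"Orange F","Orange","20801",2),'
                 '(3,"Bouygues Telecom","BYTEL","20820",7),'
                 '(1,"SFR","SFR","20810",0),,(0,1,2,3,4),(0,1,2)\r\nOK\r\n')
    # PLMN -> (CREG <stat> after the attempt, cell the MS camped on); all values invented
    CELLS = {
        "20801": (1, {"band": 1, "dl_uarfcn": 10639, "psc": 83}),
        "20820": (3, {"band": 7, "earfcn": 3050, "pci": 12}),
        "20810": (3, {"band": "GSM900", "arfcn": 12, "bsic": 21}),
    }

    def __init__(self) -> None:
        self.plmn: Optional[str] = None

    def send(self, cmd: str) -> str:
        if cmd == "AT+COPS=?":
            return self.COPS_TEST
        m = re.match(r'AT\+COPS=1,2,"(\d+)"', cmd)
        if m:
            self.plmn = m.group(1)
            return "OK\r\n"
        if cmd == "AT+CREG?" and self.plmn:
            return f"+CREG: 0,{self.CELLS[self.plmn][0]}\r\nOK\r\n"
        return "OK\r\n"

    def read_cell(self) -> Dict:
        return self.CELLS[self.plmn][1] if self.plmn else {}


if __name__ == "__main__":
    modem = FakeModem()
    for camped in dfr_scan(modem.send, modem.read_cell):
        print(camped)
```

The point of the loop is the "dirty" part: for PLMNs marked forbidden (stat 3) the registration is expected to be rejected (CREG 3), but by the time the reject arrives the MS has already camped on that operator's strongest suitable cell, and that cell is what ServiceMode or DIAG reports. Two practical caveats: AT+COPS=? can block for tens of seconds per scan, and you are deliberately attempting location updates against networks you hold no subscription with, so run this only where you are authorised to operate.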

  32. We mix all techniques together

  33. Don’t forget... *the magic cure powder 22

  34. Here is the Frankenstein: modmobmap

  35. Demo with a Galaxy S5 phone

  36. Conclusion. modmobmap is a cheap way to scan mobile cells. It supports two useful interfaces: ServiceMode; GSMTAP captures: host DIAG (could easily be extended to guest DIAG), srsLTE and OpenLTE captures. The source code will be published on GitHub soon! Any ideas and contributions are welcome!

  37. ANY QUESTIONS? THANK YOU FOR YOUR ATTENTION.
