CellularPrivacy / Android-IMSI-Catcher-Detector

AIMSICD • Fight IMSI-Catcher, StingRay and silent SMS!
https://cellularprivacy.github.io/Android-IMSI-Catcher-Detector/
GNU General Public License v3.0

neighbouringCellInfo empty in debug logs #208

Open Ueland opened 9 years ago

Ueland commented 9 years ago

So this morning I decided to take a walk around my office, as I am smack in the middle of Oslo, Norway, where a spy scandal is starting to grow now, after signals from multiple IMSI-catchers have been detected. These are all around my office. The app did not trigger any alarms, but that is not too surprising given that:

a: Alpha version of the App
b: The IMSI-Catchers may have been taken down as they have been revealed

Specs:
AIMSICD version "WIP-Internal v0.1.25-alpha-build-3"
Stock Google Nexus 5 (not rooted, working on it now), on Android 5
Getprop: http://pastebin.com/RrUtuxeq

Logcat dump on way to known catcher area: https://defuse.ca/b/L2geviNNaWSKZuVbakI4Og
Logcat dump from known catcher area: https://defuse.ca/b/jwnXkIl4xuy2CSfGzLo3FQ


SecUpwN commented 9 years ago

@Ueland, I very much enjoy that you're such an enthusiastic user of our App and seem to enjoy testing it. Also, thank you very much for the logfiles (@E3V3A, @tobykurien, @He3556 and @andr3jx, please have a close look at those)! As you can see, I had to edit your Issue a little to shorten the headline. Generally speaking, we currently lack contributions on our App, that is why we are still in ALPHA stage.

@Ueland, is your Issue here possibly a duplicate of #137, or is this really a separate one?

If you really want to help us push forward, please make some pull requests to squash as many bugs as possible and maybe even continue work on implementing more detection measures. Thank you!

tobykurien commented 9 years ago

I see some logs there that I need to remove (power/sensor logs), to make the log output smaller. As for the neighbouring cells info, if we get back nothing from the API, there's nothing we can do in the app.

E3V3A commented 9 years ago

@Ueland Please try this APK to test if you can use a different method to get neighboring cells. Can you reach the RF hidden Service Menu on that phone?

Ueland commented 9 years ago

Not much output from the app:

QRIL

Nexus 5 does not have the *#2263# code, but it does have the *#*#4636#*#* code; the only interesting info I find there is this: PhoneInfo

E3V3A commented 9 years ago

Just FYI: I just added a flow-chart to #100 to help resolve NC issues.

@Ueland I'm really curious to know what's preventing your phone from showing NC, also in the SM (as you showed above). Who makes the N5? (Was it LG? I forgot.) Since your device is Qualcomm, you should have a /dev/smd0, do you? Please send me an email...

Ueland commented 9 years ago

Yup, the N5 is from LG. Gonna check if I have the mentioned device.

Ueland commented 9 years ago

@E3V3A:

adb shell ls -la /dev/smd0
/dev/smd0: No such file or directory

E3V3A commented 9 years ago

@Ueland That's funny. It's a MSM8974 so it should have an smd device somewhere. Can you dump the output of # ls -alR /dev? Anyway, that would be the AT interface, but we may not need it if we can use the /dev/diag instead. Also if you have time, please send me an email with a link to some defused paste of dmesg and logcat -d -b radio *:v after bootup. (You may want to edit out any personal info if any. Also make sure you're root, when doing all this.)

Ueland commented 9 years ago

I tried an ls on /dev yesterday but got a permission denied error, guess that's caused by not having root. I have planned to get it rooted but it causes all data to be lost so I have not done it yet, will check it up after rooting it.

E3V3A commented 9 years ago

Yes, you need root. But you shouldn't lose any data. No need to flash anything. Try manual installation of Kingroot. Put the Android Terminal Emulator (ATE), Busybox, SuperSU and Kingroot APKs on your SD card. After Kingroot has done its job, run SuperSU and allow it to uninstall other su version. Hopefully it will detect and fix everything. There should be no data loss in this process.

Ueland commented 9 years ago

The Nexus 5 does not have an external SD Card, that might make it worse? ;)

E3V3A commented 9 years ago

Yes, we usually don't make that distinction anymore. So we usually just refer to the separate /media/sdcardX partition as "SD card". So just find whichever way to transfer files to your phone and find it (and run/install) with ES File Explorer, for example.

Ueland commented 9 years ago

Can you send me your e-mail again and I will send you the output you wanted. My phone was locked so I had to unlock it first (aka reinstall), but now it's done at least.

SecUpwN commented 9 years ago

@Ueland, you'll always find the latest contact information here.

Ueland commented 9 years ago

Thanks for the reminder, sent!

E3V3A commented 9 years ago

Hi @Ueland, it seems that your device does output the NC, but is using the getAllCellInfo() function to do that. Check your radio logcat for these:

D/GsmSST  ( 1257): [GsmSST] SST.getAllCellInfo(): X size=15 list= ...
D/RILJ    ( 1257): [3843]< RIL_REQUEST_GET_CELL_INFO_LIST ...

Regarding the AT interface.

Yes, it seems that they have (re)moved your /dev/smd0, so we have to find or recreate that device node. On my device it is mapped like this. Please also post the result for cat /proc/devices, and look for these:

# cat /proc/devices
Character devices:
...
10 misc
...
250 smdpkt
251 smd       <== Look for this!
...

# alias ls='busybox ls -al --color=always'
# ls -al /dev/smd0
crw-rw----    1 1000     1000      251,   0 Mar 17  2013 /dev/smd0

# \ls -al /dev/smd0
crw-rw---- system   system   251,   0 2013-03-17 08:37 smd0

# \ls -Z /dev/smd{0,22}
crw-rw---- system   system            u:object_r:smd_device:s0 smd0
crw------- root     root              u:object_r:smd_device:s0 smd22

Then we can try to recreate the node with:

# mkdev -m 666 /dev/smd0 c <smd> 0
# chown system.system /dev/smd0
# chcon u:object_r:smd_device:s0 /dev/smd0

Where you have to substitute <smd> with the number you found above. Be careful that it says "smd", because I noticed that your "media" (/dev/mediaX) is mapped to 251. Also make sure the context of smd0 is the same as that for smd22. I'm not sure if this takes immediate effect; if not, try to kill rild with:

kill -9 `pidof rild`

E3V3A commented 9 years ago

@Ueland Did you get rooted etc?

Ueland commented 9 years ago

Yes, I am rooted, but have not had a chance to play more with this yet.

Ueland commented 9 years ago

Here is the output of /proc/devices: https://defuse.ca/b/dBrkObPHY0sFCGXiMFBXz6

I do not see "smd", but can it be 250 smbpkt?

I checked all filenames available on the device and found this with the name smb in it, but nothing else of interest:

grep smb files.txt 
/sys/bus/i2c/drivers/smb349
/sys/bus/i2c/drivers/smb349/bind
/sys/bus/i2c/drivers/smb349/uevent
/sys/bus/i2c/drivers/smb349/unbind
.....
/sys/kernel/debug/regulator/8941_smbb_boost
/sys/kernel/debug/regulator/8941_smbb_boost/leds-qpnp-ee169200-flash-boost
/sys/kernel/debug/regulator/8941_smbb_boost/leds-qpnp-ee169200-flash-boost/max_uV
/sys/kernel/debug/regulator/8941_smbb_boost/leds-qpnp-ee169200-flash-boost/min_uV
/sys/kernel/debug/regulator/8941_smbb_boost/leds-qpnp-ee169200-flash-boost/uA_load
/sys/kernel/debug/regulator/8941_smbb_boost/voltage
/sys/kernel/debug/regulator/8941_smbb_boost/force_disable
/sys/kernel/debug/regulator/8941_smbb_boost/enable
/sys/kernel/debug/regulator/8941_smbb_boost/8941_smbb_boost
/sys/kernel/debug/regulator/8941_smbb_boost/8941_smbb_boost/max_uV
/sys/kernel/debug/regulator/8941_smbb_boost/8941_smbb_boost/min_uV
/sys/kernel/debug/regulator/8941_smbb_boost/8941_smbb_boost/uA_load
/sys/kernel/debug/regulator/8941_smbb_boost/consumers
/sys/kernel/debug/regulator/8941_smbb_boost/open_count
/sys/kernel/debug/regulator/8941_smbb_boost/use_count

E3V3A commented 9 years ago

No, unfortunately none of those are it. I'll try to find the schematic for your phone when I get back. Perhaps that will tell me something...

E3V3A commented 9 years ago

@Ueland Actually your neighboring cells are not completely "empty", just a bit crippled, but nonetheless useful. Looking at your logs:

D/RILJ    ( 1257): [3780]< RIL_REQUEST_GET_CELL_INFO_LIST [
        CellInfoLte:{mRegistered=YES mTimeStampType=oem_ril mTimeStamp=74197255133ns CellIdentityLte:{ mMcc=242 mMnc=1 mCi=XXXXXXXX mPci=376 mTac=YYYYY} CellSignalStrengthLte: ss=23 rsrp=-94 rsrq=-8 rssnr=2147483647 cqi=2147483647 ta=2147483647}, 
        CellInfoLte:{mRegistered=NO mTimeStampType=oem_ril mTimeStamp=74197255133ns CellIdentityLte:{ mMcc=2147483647 mMnc=2147483647 mCi=2147483647 mPci=375 mTac=2147483647} CellSignalStrengthLte: ss=18 rsrp=-99 rsrq=-13 rssnr=2147483647 cqi=2147483647 ta=2147483647}, 
        CellInfoLte:{mRegistered=NO mTimeStampType=oem_ril mTimeStamp=74197255133ns CellIdentityLte:{ mMcc=2147483647 mMnc=2147483647 mCi=2147483647 mPci=82 mTac=2147483647} CellSignalStrengthLte: ss=18 rsrp=-102 rsrq=-12 rssnr=2147483647 cqi=2147483647 ta=2147483647}, 
        CellInfoLte:{mRegistered=NO mTimeStampType=oem_ril mTimeStamp=74197255133ns CellIdentityLte:{ mMcc=2147483647 mMnc=2147483647 mCi=2147483647 mPci=338 mTac=2147483647} CellSignalStrengthLte: ss=16 rsrp=-117 rsrq=-20 rssnr=2147483647 cqi=2147483647 ta=2147483647}, 
        CellInfoLte:{mRegistered=NO mTimeStampType=oem_ril mTimeStamp=74197255133ns CellIdentityLte:{ mMcc=2147483647 mMnc=2147483647 mCi=2147483647 mPci=461 mTac=2147483647} CellSignalStrengthLte: ss=17 rsrp=-117 rsrq=-20 rssnr=2147483647 cqi=2147483647 ta=2147483647}, 
        CellInfoLte:{mRegistered=NO mTimeStampType=oem_ril mTimeStamp=74197255133ns CellIdentityLte:{ mMcc=2147483647 mMnc=2147483647 mCi=2147483647 mPci=99 mTac=2147483647} CellSignalStrengthLte: ss=10 rsrp=-109 rsrq=-5 rssnr=2147483647 cqi=2147483647 ta=2147483647}, 
        CellInfoLte:{mRegistered=NO mTimeStampType=oem_ril mTimeStamp=74197255133ns CellIdentityLte:{ mMcc=2147483647 mMnc=2147483647 mCi=2147483647 mPci=498 mTac=2147483647} CellSignalStrengthLte: ss=10 rsrp=-118 rsrq=-14 rssnr=2147483647 cqi=2147483647 ta=2147483647}, 
        CellInfoLte:{mRegistered=NO mTimeStampType=oem_ril mTimeStamp=74197255133ns CellIdentityLte:{ mMcc=2147483647 mMnc=2147483647 mCi=2147483647 mPci=438 mTac=2147483647} CellSignalStrengthLte: ss=9 rsrp=-121 rsrq=-16 rssnr=2147483647 cqi=2147483647 ta=2147483647}, 
        CellInfoLte:{mRegistered=NO mTimeStampType=oem_ril mTimeStamp=74197255133ns CellIdentityLte:{ mMcc=2147483647 mMnc=2147483647 mCi=2147483647 mPci=499 mTac=2147483647} CellSignalStrengthLte: ss=10 rsrp=-123 rsrq=-19 rssnr=2147483647 cqi=2147483647 ta=2147483647}
] [SUB0]

D/GsmSST  ( 1257): [GsmSST] SST.getAllCellInfo(): X size=9 list=[
        CellInfoLte:{mRegistered=YES mTimeStampType=oem_ril mTimeStamp=74197255133ns CellIdentityLte:{ mMcc=242 mMnc=1 mCi=XXXXXXXX mPci=376 mTac=YYYYY} CellSignalStrengthLte: ss=23 rsrp=-94 rsrq=-8 rssnr=2147483647 cqi=2147483647 ta=2147483647}, 
        CellInfoLte:{mRegistered=NO mTimeStampType=oem_ril mTimeStamp=74197255133ns CellIdentityLte:{ mMcc=2147483647 mMnc=2147483647 mCi=2147483647 mPci=375 mTac=2147483647} CellSignalStrengthLte: ss=18 rsrp=-99 rsrq=-13 rssnr=2147483647 cqi=2147483647 ta=2147483647}, 
        CellInfoLte:{mRegistered=NO mTimeStampType=oem_ril mTimeStamp=74197255133ns CellIdentityLte:{ mMcc=2147483647 mMnc=2147483647 mCi=2147483647 mPci=82 mTac=2147483647} CellSignalStrengthLte: ss=18 rsrp=-102 rsrq=-12 rssnr=2147483647 cqi=2147483647 ta=2147483647}, 
        CellInfoLte:{mRegistered=NO mTimeStampType=oem_ril mTimeStamp=74197255133ns CellIdentityLte:{ mMcc=2147483647 mMnc=2147483647 mCi=2147483647 mPci=338 mTac=2147483647} CellSignalStrengthLte: ss=16 rsrp=-117 rsrq=-20 rssnr=2147483647 cqi=2147483647 ta=2147483647}, 
        CellInfoLte:{mRegistered=NO mTimeStampType=oem_ril mTimeStamp=74197255133ns CellIdentityLte:{ mMcc=2147483647 mMnc=2147483647 mCi=2147483647 mPci=461 mTac=2147483647} CellSignalStrengthLte: ss=17 rsrp=-117 rsrq=-20 rssnr=2147483647 cqi=2147483647 ta=2147483647}, 
        CellInfoLte:{mRegistered=NO mTimeStampType=oem_ril mTimeStamp=74197255133ns CellIdentityLte:{ mMcc=2147483647 mMnc=2147483647 mCi=2147483647 mPci=99 mTac=2147483647} CellSignalStrengthLte: ss=10 rsrp=-109 rsrq=-5 rssnr=2147483647 cqi=2147483647 ta=2147483647}, 
        CellInfoLte:{mRegistered=NO mTimeStampType=oem_ril mTimeStamp=74197255133ns CellIdentityLte:{ mMcc=2147483647 mMnc=2147483647 mCi=2147483647 mPci=498 mTac=2147483647} CellSignalStrengthLte: ss=10 rsrp=-118 rsrq=-14 rssnr=2147483647 cqi=2147483647 ta=2147483647}, 
        CellInfoLte:{mRegistered=NO mTimeStampType=oem_ril mTimeStamp=74197255133ns CellIdentityLte:{ mMcc=2147483647 mMnc=2147483647 mCi=2147483647 mPci=438 mTac=2147483647} CellSignalStrengthLte: ss=9 rsrp=-121 rsrq=-16 rssnr=2147483647 cqi=2147483647 ta=2147483647}, 
        CellInfoLte:{mRegistered=NO mTimeStampType=oem_ril mTimeStamp=74197255133ns CellIdentityLte:{ mMcc=2147483647 mMnc=2147483647 mCi=2147483647 mPci=499 mTac=2147483647} CellSignalStrengthLte: ss=10 rsrp=-123 rsrq=-19 rssnr=2147483647 cqi=2147483647 ta=2147483647}
]

We see that you are probably running in LTE mode. Thus:

  1. IFF mRegistered=YES we have: mMcc=242 mMnc=1 mCi=XXXXXXXX mPci=376 mTac=YYYYY
  2. But we always have: mPci=375 ss=18 rsrp=-99 rsrq=-13. (But can we always assume same mCi here?)
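
The dump format above, as an added example that is not the project's own code: a parser for the CellInfoLte records in a radio logcat that treats Android's 2147483647 (Integer.MAX_VALUE) as "not available" and sorts neighbours into those with a full MCC/MNC/CI/TAC identity and those known only by their PCI and signal, which on this device is all a detector has to work with for neighbouring cells. The sample dump is a constructed, trimmed copy of the RILJ output posted above, with the same XXXXXXXX/YYYYY placeholders.

```python
import re
from typing import Dict, List, Optional

UNAVAILABLE = 2147483647          # Android's "value not available" sentinel
IDENTITY_KEYS = ("mMcc", "mMnc", "mCi", "mTac")

# Constructed sample, trimmed from the RIL_REQUEST_GET_CELL_INFO_LIST dump in the post.
SAMPLE_DUMP = """\
D/RILJ    ( 1257): [3780]< RIL_REQUEST_GET_CELL_INFO_LIST [
        CellInfoLte:{mRegistered=YES mTimeStampType=oem_ril mTimeStamp=74197255133ns CellIdentityLte:{ mMcc=242 mMnc=1 mCi=XXXXXXXX mPci=376 mTac=YYYYY} CellSignalStrengthLte: ss=23 rsrp=-94 rsrq=-8 rssnr=2147483647 cqi=2147483647 ta=2147483647},
        CellInfoLte:{mRegistered=NO mTimeStampType=oem_ril mTimeStamp=74197255133ns CellIdentityLte:{ mMcc=2147483647 mMnc=2147483647 mCi=2147483647 mPci=375 mTac=2147483647} CellSignalStrengthLte: ss=18 rsrp=-99 rsrq=-13 rssnr=2147483647 cqi=2147483647 ta=2147483647},
        CellInfoLte:{mRegistered=NO mTimeStampType=oem_ril mTimeStamp=74197255133ns CellIdentityLte:{ mMcc=2147483647 mMnc=2147483647 mCi=2147483647 mPci=82 mTac=2147483647} CellSignalStrengthLte: ss=18 rsrp=-102 rsrq=-12 rssnr=2147483647 cqi=2147483647 ta=2147483647}
] [SUB0]
"""

# One record per line; the record's closing '}' is the one followed by ',', ']' or
# end of line (the inner '}' of CellIdentityLte is followed by a field name instead).
CELL_RE = re.compile(r"CellInfoLte:\{(.*?)\}(?=\s*(?:,|\]|$))", re.M)
FIELD_RE = re.compile(r"\b(\w+)=(-?\w+)")


def _value(raw: str):
    """int where possible, None for the MAX_VALUE sentinel, else the raw token."""
    try:
        num = int(raw)
    except ValueError:
        return raw  # YES/NO, oem_ril, 74197255133ns, redacted placeholders
    return None if num == UNAVAILABLE else num


def parse_cell_info(dump: str) -> List[Dict[str, Optional[object]]]:
    """Turn a radio logcat CellInfoLte dump into one field dict per cell."""
    return [{k: _value(v) for k, v in FIELD_RE.findall(m.group(1))}
            for m in CELL_RE.finditer(dump)]


def classify(cells) -> Dict[str, list]:
    """Serving cell vs. neighbours with a full identity vs. PCI-only neighbours."""
    out = {"serving": [], "identified": [], "pci_only": []}
    for c in cells:
        if c.get("mRegistered") == "YES":
            out["serving"].append(c)
        elif all(c.get(k) is not None for k in IDENTITY_KEYS):
            out["identified"].append(c)
        elif c.get("mPci") is not None:
            out["pci_only"].append(c)
    return out


def strongest_neighbour_pci(cells) -> Optional[int]:
    """PCI of the best-RSRP neighbour, the only stable handle when CI/TAC are missing."""
    nb = [c for c in cells if c.get("mRegistered") != "YES" and c.get("rsrp") is not None]
    return max(nb, key=lambda c: c["rsrp"])["mPci"] if nb else None
```

Run on the full dump from the post, `classify()` puts every neighbour into `pci_only`, which is exactly the "crippled but useful" state described above: PCI and RSRP can still be tracked over time, but nothing that needs a neighbour's CI or TAC can.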

E3V3A commented 9 years ago

BTW. HERE is the Service Manual for your phone (LG D821). Looking at it, there is nothing obvious. All communication is done internally on the MSM8974 SoC. So any interface available will be fully dependent on the Kernel... QMI is the best and probably only chance to get access to the modem interface on this device, unless we recompile a kernel.

Ueland commented 9 years ago

Confirming per request that this issue still exists in the latest version.

E3V3A commented 9 years ago

I think we understand the lack of this info as lacking the correct modem diagnostics filters to allow this info into the AP realm. I'm not sure how this can be changed persistently, but I think we could grab a Diag.cfg file from a working phone model with the same processor, and back up/replace that file. @Ueland Very nice to hear from you, please check if you have this file on your device. You can check with:

su
cd /
find / -iname "Diag.cfg" 

SecUpwN commented 8 years ago

> Confirming per request that this issue still exists in the latest version.

@Ueland, would you please be so kind and test again if it still persists? It should be gone now.