[Issue] Pcap dump / Xiaomi Mi Note 3 / Fail to detect current RAT

[Nementon]

Context

Xiaomi Mi Note 3 (Qualcomm Snapdragon 660), connected on 3G network for CS (CS fallback) and 4G for PS. Only one SIM activated.

[+] Compilation date:    Mar 22 2019 19:44:52
[+] Release date:        Dec 19 2018 07:00:00
[+] Version directory:   sdm660.g

[+] Common air interface information:
[+]   Station classmark: 58
[+]   Common air interface revision: 9
[+]   Mobile model:      255
[+]   Mobile firmware revision: 100
[+]   Slot cycle index:  48
[+]   Hardware revision: 0x08c (0.140)

[+] Mobile model ID:     0x1012
[+] Chip version:        0
[+] Firmware build ID:   MPSS.AT.3.1.c7-00023-SDM660_GEN_PACK-1

[+] Diag version:        8

Issue

On running "PCAP dump" or "Wireshark-Live" on QCsuper, no PCAP traffic is generated despite I can see some "Diag" response from the debug logs when I initiate a call.

• python qcsuper.py --adb -v --wireshark-live --reassemble-sibs --decrypt-nas --include-ip-traffic
• python qcsuper.py --adb -v --pcap-dump ran.pcap

I've made some investigations and discovered that:

• I'm receiving some "Diag" logs of type LOG_UMTS_NAS_OTA_MESSAGE_LOG_PACKET_C and enter in the following condition: https://github.com/P1sec/QCSuper/blob/45e0c5b7397bc2f1c3d27a64f39e0d35924eea80/modules/pcap_dump.py#L252-L256

But:

• The attribute current_rat value is None
• By ignoring the return statement (I'm connected in 3G and not in 2g), QCSuper is able to properly decode the received packets and thus I'm able to generate some PCAP traces.

[p1-mmr]

Hello!

Thank you for your interest in QCSuper. QCSuper is normally able to receive both 3G layer 3 packets (delivered with WCDMA_SIGNALLING_MESSAGE) and 3G NAS payloads, which are embedded into layer 3 packets (delivered with LOG_UMTS_NAS_OTA_MESSAGE_LOG_PACKET_C).

It seems that your baseband is communicating NAS payloads in a way that is understood by QCSuper, but that it is not the case with layer 3 packets, or it is delivering these using another log type than WCDMA_SIGNALLING_MESSAGE which may be not parsed yet.

If you wish to help us troubleshooting this, could you please perform a raw capture of the Diag logs sent to the modem (through running ./qcsuper.py --adb --dlf-dump /tmp/your_output_file.dlf), and send the produced .DLF file at mmr at p1sec ｄｏｔ com? Feel free to perform a few actions (e.g switching on/off plane mode, generating data traffic, etc.) and wait a bit while performing the capture. Thank you!

I noted that the same issue may have been reported in #10.

Regards,

[Lundmatt]

Hi p1-mmr! Did this issue get resolved?

I have the same issue that I am not able to capture any traffic with the option --include-ip-traffic.

I have tested on a Samsung Galaxy S5 and Samsung Galaxy Note 4 with the same result.

What type of debug logs can I provide to you so that you are able to investigate the issue?

Thanks!