Open r00tb3 opened 4 years ago
Hello,
When using QCSuper with the --wireshark-live option, you're not using the network capture abilities of Wireshark, you're only instructing Wireshark to decode the .PCAP file that is streamed to Wireshark's standard input by QCSuper.
The radio frames don't directly go to the network interfaces of your computer, these are forwarded through TCP by the remote service executed on the Android phone towards QCSuper, then QCSuper transforms the information obtained over TCP into a valid streamed .PCAP, then it instantiates a Wireshark instance (done here) to pass the streamed .PCAP contents to Wireshark as they are generated.
Here is how this is done more in detail:
The remote service on the Android side uses the /dev/diag device, and on the other hand exposes a TCP service that allows retrieving the obtained Diag frames over a simple framing (defined here).
QCSuper then passes the generated .PCAP contents to Wireshark using the -i - option of Wireshark, which allows receiving .PCAP contents from the standard input, and the -k option, which avoids prompting the user to select an interface.
Yes, you can implement this in C by reproducing the logic mentioned above, including calling ADB, decoding the Diag frames, generating GSMTAP and spawning Wireshark as a subprocess. But depending on your purpose or use case, it would maybe be simpler to run QCSuper as a subprocess and manipulate the obtained .PCAP data using something like --pcap-dump -, so that you can obtain the PCAP file data directly from its standard output and do whatever you like with it.
Regards,
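The pipeline the reply describes, as an added example that is not QCSuper's own code: wrap an LTE RRC PDU in GSMTAP over UDP over IPv4, emit it as a classic pcap stream (the form Wireshark reads when started with -k -i -), and then parse such a record back to the RRC payload (the work a C program consuming the output of --pcap-dump - has to do). Assumptions: raw-IP pcap framing (LINKTYPE_RAW, no Ethernet header) is my choice and not necessarily what QCSuper writes; the GSMTAP constants (UDP port 4729, type 0x0d for LTE RRC, sub-type 5 for BCCH-DL-SCH) are as I recall them from libosmocore's gsmtap.h and should be checked against that header; the four payload bytes are constructed placeholders, not a captured message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not QCSuper code. Wraps an LTE RRC PDU in GSMTAP/UDP/IPv4,
 * emits it as a pcap stream (what "wireshark -k -i -" reads on stdin), and
 * parses such a record back to the PDU (what a C consumer of "--pcap-dump -"
 * must do). GSMTAP constants as recalled from libosmocore gsmtap.h: verify. */

#define LINKTYPE_RAW        101    /* pcap link type: raw IP, no L2 header */
#define GSMTAP_UDP_PORT     4729
#define GSMTAP_VERSION      2
#define GSMTAP_TYPE_LTE_RRC 0x0d
#define GSMTAP_LTE_RRC_SUB_BCCH_DL_SCH_Message 5   /* the sub-type carrying SIBs */

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void le32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static uint32_t rd_le32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }

/* RFC 1071 one's-complement checksum. Over a header that already carries its
 * own checksum the result is 0, which is how the value is verified. */
uint16_t ip_checksum(const uint8_t *h, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += get16(h + i);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Raw-IP frame: IPv4(20) + UDP(8) + GSMTAP v2(16) + pdu. Returns frame length, 0 on error. */
size_t build_gsmtap_frame(uint8_t *out, size_t cap, uint8_t sub_type, uint32_t frame_nr,
                          const uint8_t *pdu, size_t pdu_len) {
    size_t total = 20 + 8 + 16 + pdu_len;
    if (total > cap || total > 0xffff) return 0;
    uint8_t *ip = out, *udp = out + 20, *gt = out + 28;
    memset(out, 0, 44);
    ip[0] = 0x45;                          /* IPv4, IHL 5 */
    put16(ip + 2, (uint16_t)total);
    ip[8] = 64;                            /* TTL */
    ip[9] = 17;                            /* protocol UDP */
    put32(ip + 12, 0x7f000001);            /* 127.0.0.1 -> 127.0.0.1 */
    put32(ip + 16, 0x7f000001);
    put16(ip + 10, ip_checksum(ip, 20));
    put16(udp, GSMTAP_UDP_PORT);           /* src and dst port 4729; UDP checksum 0 is allowed on IPv4 */
    put16(udp + 2, GSMTAP_UDP_PORT);
    put16(udp + 4, (uint16_t)(8 + 16 + pdu_len));
    gt[0] = GSMTAP_VERSION;
    gt[1] = 4;                             /* header length in 32-bit words */
    gt[2] = GSMTAP_TYPE_LTE_RRC;
    put32(gt + 8, frame_nr);
    gt[12] = sub_type;                     /* which RRC top-level message type follows */
    memcpy(gt + 16, pdu, pdu_len);
    return total;
}

/* Classic little-endian pcap global header (magic a1b2c3d4, version 2.4). Returns 24. */
size_t write_pcap_header(uint8_t *out) {
    le32(out, 0xa1b2c3d4);
    out[4] = 2; out[5] = 0; out[6] = 4; out[7] = 0;
    le32(out + 8, 0); le32(out + 12, 0);   /* thiszone, sigfigs */
    le32(out + 16, 65535);                 /* snaplen */
    le32(out + 20, LINKTYPE_RAW);
    return 24;
}

/* One pcap record: 16-byte header (ts_sec, ts_usec, caplen, len) + frame. */
size_t write_pcap_record(uint8_t *out, uint32_t ts_sec, uint32_t ts_usec,
                         const uint8_t *frame, size_t len) {
    le32(out, ts_sec); le32(out + 4, ts_usec);
    le32(out + 8, (uint32_t)len); le32(out + 12, (uint32_t)len);
    memcpy(out + 16, frame, len);
    return 16 + len;
}

/* Parse one record written as above. Returns a pointer to the RRC PDU inside rec
 * and fills *pdu_len / *sub_type, or NULL if the record is truncated or not GSMTAP. */
const uint8_t *parse_gsmtap_record(const uint8_t *rec, size_t rec_len,
                                   size_t *pdu_len, uint8_t *sub_type) {
    if (rec_len < 16) return NULL;
    uint32_t caplen = rd_le32(rec + 8);
    if (caplen < 44 || (size_t)caplen + 16 > rec_len) return NULL;   /* truncated */
    const uint8_t *ip = rec + 16, *udp = ip + 20, *gt = udp + 8;
    if (ip[0] != 0x45 || ip[9] != 17) return NULL;                    /* not plain IPv4/UDP */
    if (get16(udp + 2) != GSMTAP_UDP_PORT) return NULL;
    if (gt[0] != GSMTAP_VERSION || gt[2] != GSMTAP_TYPE_LTE_RRC) return NULL;
    size_t hdr = gt[1] * 4u;
    if (28 + hdr > caplen) return NULL;
    *sub_type = gt[12];
    *pdu_len = caplen - 28 - hdr;
    return gt + hdr;
}

int main(void) {
    /* Constructed placeholder bytes, not a real BCCH-DL-SCH-Message. */
    static const uint8_t pdu[] = { 0x40, 0x40, 0x00, 0x1e };
    uint8_t frame[128], buf[256];
    size_t flen = build_gsmtap_frame(frame, sizeof frame,
                                     GSMTAP_LTE_RRC_SUB_BCCH_DL_SCH_Message, 0, pdu, sizeof pdu);
    size_t n = write_pcap_header(buf);
    n += write_pcap_record(buf + n, 0, 0, frame, flen);
    fwrite(buf, 1, n, stdout);      /* usage: ./gsmtap_pcap | wireshark -k -i - */
    return 0;
}
```

Piping the program's output into Wireshark started with -k -i - shows the frame dissected as IPv4/UDP/GSMTAP/LTE RRC, which is also the answer to the loopback question: the socket on port 43555 carries the Diag framing of the on-phone service, and the GSMTAP encapsulation only exists once QCSuper has converted it, so a capture on the loopback interface shows plain TCP.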
@p1-mmr Thanks a lot for the answer.
I'll be rewriting the code in C to improve my coding skills. Also, I'm exploring the baseband communication between the BP and the AP in Android smartphones to learn baseband exploitation; I guess rewriting it in C will help me understand in depth how /dev/diag works behind the scenes.
Any other suggestions are welcome.
Regards.
@p1-mmr
it would be maybe simpler to run QCSuper as a subprocess and manipulate the obtained .PCAP data through using something like --pcap-dump - so that you can obtain the PCAP file data directly for you from its standard output and do whatever you like with it.
I did the same. I have a .pcap file whose frames have the following protocols: IPv4, UDP, GSMTAP, LTE RRC. I've written a script to grep the info I need from these protocols, but it seems that LTE-RRC uses an ASN.1 encoder, which after printing displays some other value than I expected. How do I convert these ASN.1-encoded values to text and print them using the C language?
Any help is appreciated.
Awaiting your reply.
Hello,
You can use an ASN.1 compiler, such as asn1c in order to compile the ASN.1 definitions of the RRC protocol into C code. The RRC protocol is defined in TS 36.331 for 4G and TS 25.331 for 3G.
Regards,
Yes, but I've got a .pcap file, not a .asn1 file, and I only need to dump the LTE-RRC protocol messages. I'm performing the whole process in C and I'm stuck now.
Hello,
The ASN.1 definitions are present in the .DOC specification of RRC LTE linked above.
Other people already did the extraction work, as you can find through the Github search tool: https://github.com/search?l=ASN.1&q=%22EUTRA-RRC-Definitions+DEFINITIONS+AUTOMATIC+TAGS%22&type=Code
The .ASN1 text definitions can be translated into generated .C code using an ASN.1 compiler, and the generated .C code can decode the BER-serialized ASN1 messages contained in the .PCAP file.
Regards,
Thanks a lot for the detailed explanation.
I'll be using the ASN file used by Wireshark for dissecting the same.
Regards.
and the generated .C code can decode the BER-serialized ASN1 messages contained in the .PCAP file
Hi @p1-mmr, I've tried the steps you mentioned above. I've got tons of header and C source files for decoding the RRC messages, but how do I integrate them into my code and decode the ASN.1-encoded messages?
For example, I want to decode the PLMN ID present in the SIB1 message. I've added PLMN-Identity.h, which I obtained after compiling Wireshark's ASN.1 file, in my main code, but when decoding SIB1, when I point to the PLMN_Identity_t structure of the PLMN-Identity.h header file, it prints nothing!!
I don't know what I'm doing wrong, or maybe I'm missing some step.
Can you please shed some light on this?
Regards.
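The asn1c question above, as an added example that is neither QCSuper's nor asn1c's code: TS 36.331 specifies unaligned PER for RRC PDUs, so the decoder asn1c generates does not look for tag and length bytes but reads bit fields whose widths follow from each type's constraints. The program below hand-decodes one of those types, PLMN-Identity, from its UPER bits, which is what the generated decoder computes before it fills a PLMN_Identity_t. The two input byte strings are constructed by hand from the encoding rules stated in the comments and are not captured data; the bit reader and the struct names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not QCSuper or asn1c code. Hand-decodes one TS 36.331 type
 * from unaligned PER to show what the generated uper decoder does for it:
 *
 *   PLMN-Identity ::= SEQUENCE { mcc MCC OPTIONAL, mnc MNC }
 *   MCC           ::= SEQUENCE (SIZE (3)) OF MCC-MNC-Digit
 *   MNC           ::= SEQUENCE (SIZE (2..3)) OF MCC-MNC-Digit
 *   MCC-MNC-Digit ::= INTEGER (0..9)
 *
 * UPER rules applied: one preamble bit per OPTIONAL field; a fixed-size
 * SEQUENCE OF carries no length; SIZE (2..3) needs a 1-bit length (value-2);
 * INTEGER (0..9) has a range of 10 values, so each digit is a 4-bit field. */

typedef struct {
    const uint8_t *buf;
    size_t nbits;   /* bits available in buf */
    size_t pos;     /* next bit to read, MSB first */
} bitreader;

/* Read n (<= 32) bits MSB-first; returns -1 if the buffer runs out. */
static long read_bits(bitreader *r, unsigned n) {
    if (r->pos + n > r->nbits) return -1;
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++, r->pos++)
        v = (v << 1) | ((r->buf[r->pos >> 3] >> (7 - (r->pos & 7))) & 1u);
    return (long)v;
}

typedef struct {
    int mcc_present;    /* 0: field absent, the MCC of the first list entry applies */
    uint8_t mcc[3];
    uint8_t mnc_len;    /* 2 or 3 */
    uint8_t mnc[3];
} plmn_identity;

/* Decode a PLMN-Identity at the reader's current bit position.
 * Returns 0 on success, -1 on truncation or an out-of-range digit. */
int decode_plmn_identity(bitreader *r, plmn_identity *out) {
    memset(out, 0, sizeof *out);
    long b = read_bits(r, 1);                 /* OPTIONAL preamble bit for mcc */
    if (b < 0) return -1;
    out->mcc_present = (int)b;
    if (out->mcc_present)
        for (int i = 0; i < 3; i++) {
            long d = read_bits(r, 4);
            if (d < 0 || d > 9) return -1;    /* INTEGER (0..9) violated */
            out->mcc[i] = (uint8_t)d;
        }
    long len = read_bits(r, 1);               /* SIZE (2..3): bit 0 -> 2 digits, 1 -> 3 */
    if (len < 0) return -1;
    out->mnc_len = (uint8_t)(2 + len);
    for (int i = 0; i < out->mnc_len; i++) {
        long d = read_bits(r, 4);
        if (d < 0 || d > 9) return -1;
        out->mnc[i] = (uint8_t)d;
    }
    return 0;
}

/* Decode from a byte buffer and render "MCC-MNC" (MCC as "???" when absent).
 * dst needs at least 8 bytes. Returns 0 on success, -1 otherwise. */
int plmn_to_string(const uint8_t *bytes, size_t len, char *dst, size_t dstlen) {
    bitreader r = { bytes, len * 8, 0 };
    plmn_identity p;
    if (dstlen < 8 || decode_plmn_identity(&r, &p) != 0) return -1;
    size_t n = 0;
    for (int i = 0; i < 3; i++) dst[n++] = p.mcc_present ? (char)('0' + p.mcc[i]) : '?';
    dst[n++] = '-';
    for (int i = 0; i < p.mnc_len; i++) dst[n++] = (char)('0' + p.mnc[i]);
    dst[n] = '\0';
    return 0;
}

int main(void) {
    /* Constructed by hand from the rules above, not captured data:
     * 1 | 0011 0001 0000 | 1 | 0100 0001 0000  -> MCC 310, MNC 410 (26 bits) */
    static const uint8_t plmn_310_410[] = { 0x98, 0x85, 0x04, 0x00 };
    /* 1 | 0010 0110 0010 | 0 | 0000 0001       -> MCC 262, MNC 01 (22 bits) */
    static const uint8_t plmn_262_01[] = { 0x93, 0x10, 0x04 };
    char s[16];
    if (plmn_to_string(plmn_310_410, sizeof plmn_310_410, s, sizeof s) == 0) puts(s);
    if (plmn_to_string(plmn_262_01, sizeof plmn_262_01, s, sizeof s) == 0) puts(s);
    return 0;
}
```

Two things follow from this for the asn1c approach. A PLMN-Identity is never decoded in isolation: the bytes after the GSMTAP header are a whole BCCH-DL-SCH-Message, so with asn1c one decodes that top-level type (asn1c's uper_decode_complete with the generated asn_DEF_BCCH_DL_SCH_Message descriptor) and walks the resulting structure down through systemInformationBlockType1, cellAccessRelatedInfo and plmn-IdentityList to each plmn-Identity; pointing a PLMN_Identity_t at raw PDU bytes reads them at the wrong bit offset. And because UPER has no tags, a decoder given the wrong type or offset does not fail loudly, it silently produces garbage or an empty structure.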
Hi all,
Thanks to P1sec for writing this tool.
After enabling the --wireshark-live option, if I close the Wireshark that is spawned by the QCSuper tool and try to listen to the loopback interface manually, I only see TCP packets which do not have any LTE/GSM signalling messages. What interface is the DIAG traffic forwarded to?
Is it loopback or something else?
If it is loopback, why am I not able to see any signalling messages?
AFAIK, after running
usr/bin/adb forward tcp:43555 tcp:43555
I should see signalling messages even if I manually listen on port 43555 using Wireshark and tshark, but that is not happening in this case. What am I missing? Also, can I implement the same using the C language?
Regards.