P1sec / QCSuper

QCSuper is a tool communicating with Qualcomm-based phones and modems, allowing to capture raw 2G/3G/4G radio frames, among other things.
GNU General Public License v3.0

Manually listening to radio packets in wireshark #29

Open r00tb3 opened 4 years ago

r00tb3 commented 4 years ago

Hi all,

Thanks to P1sec for writing this tool.

After enabling the --wireshark-live option, if I close the Wireshark that is spawned by the QCSuper tool and try to listen to the loopback interface manually, I only see TCP packets which do not have any LTE/GSM signalling messages. What interface is the DIAG traffic forwarded to?

Is it loopback or something else?

If it is loopback why am I not able to see any signalling messages?

AFAIK, after hitting usr/bin/adb forward tcp:43555 tcp:43555, I should see signalling messages even if I manually listen on port 43555 using Wireshark and tshark, but that is not happening in this case. What am I missing?

Also, can I implement the same using C language?

Regards.

p1-mmr commented 4 years ago

Hello,

When using QCSuper with the --wireshark-live option, you're not using the network capture abilities of Wireshark, you're only instructing Wireshark to decode the .PCAP file that is streamed to Wireshark's standard input by QCSuper.

The radio frames don't directly go to the network interfaces of your computer, these are forwarded through TCP by the remote service executed on the Android phone towards QCSuper, then QCSuper transforms the information obtained over TCP into a valid streamed .PCAP, then it instantiates a Wireshark instance (done here) to pass the streamed .PCAP contents to Wireshark as they are generated.

Here is how this is done more in detail:

  1. QCSuper transfers, over ADB, an ARM-compiled .C program (present here) to your phone that will talk with the /dev/diag device on the Android side, and will on the other hand expose a TCP service that will allow to retrieve the obtained Diag frames over a simple framing (defined here).
  2. QCSuper executes the ARM program remotely, still over ADB (done here) until you quit it, and connects to the spawned TCP service (after having forwarded the concerned port over ADB)
  3. QCSuper processes the received Diag frames, removes the Diag framing in order to keep only the layer-3 (over-the-air) telecom frames, and re-encapsulates these into GSMTAP, a standard format that can be used to encapsulate radio frames in a format that is decodable by Wireshark (done here and at other places)
  4. QCSuper spawns a Wireshark instance, and streams the generated PCAP format contents to it, through the standard input (thanks to the -i - option of Wireshark that allows to receive .PCAP contents from the standard input, and the -k option that allows not prompting the user for selecting an interface)

Also, can I implement the same using C language?

Yes, you can implement this in C through reproducing the logic mentioned above, including calling ADB, decoding the Diag frames, generating GSMTAP and spawning Wireshark as a subprocess. But depending on your purpose or use case, it would be maybe simpler to run QCSuper as a subprocess and manipulate the obtained .PCAP data through using something like --pcap-dump - so that you can obtain the PCAP file data directly for you from its standard output and do whatever you like with it.

Regards,
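Steps 3 and 4 above, as an added example that is not QCSuper's own code: an LTE RRC PDU is wrapped in a GSMTAP v2 header, then UDP (port 4729) and IPv4, and written as a streamed libpcap file that a Wireshark started with -k -i - can decode. The sample PDU is constructed, and the choice of LINKTYPE_RAW (packets starting at the IPv4 header) is an assumption of this example rather than necessarily what QCSuper emits.

```python
import struct
import sys
import time

GSMTAP_PORT = 4729                          # GSMTAP's registered UDP port (what Wireshark keys on)
GSMTAP_VERSION = 2
GSMTAP_TYPE_LTE_RRC = 0x0d                  # payload is an LTE RRC PDU
GSMTAP_LTE_RRC_SUB_BCCH_DL_SCH_Message = 5  # sub_type: PDU came from the BCCH-DL-SCH channel
LINKTYPE_RAW = 101                          # assumption: pcap link type whose frames start at IPv4


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gsmtap_lte_rrc_packet(rrc_pdu: bytes, sub_type: int, arfcn: int = 0) -> bytes:
    """Wrap an LTE RRC PDU as IPv4/UDP/GSMTAP, the layering the lte-rrc dissector expects."""
    # GSMTAP v2 header (16 bytes): version, hdr_len in 32-bit words, type, timeslot,
    # arfcn, signal_dbm, snr_db, frame_number, sub_type, antenna_nr, sub_slot, reserved
    gsmtap = struct.pack("!BBBBHbbIBBBB", GSMTAP_VERSION, 4, GSMTAP_TYPE_LTE_RRC, 0,
                         arfcn, 0, 0, 0, sub_type, 0, 0, 0) + rrc_pdu
    udp = struct.pack("!HHHH", GSMTAP_PORT, GSMTAP_PORT, 8 + len(gsmtap), 0) + gsmtap  # cksum 0 = none
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([127, 0, 0, 1]), bytes([127, 0, 0, 1]))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + udp


def parse_gsmtap(packet: bytes) -> tuple:
    """Inverse direction: (type, sub_type, rrc_pdu) from an IPv4/UDP/GSMTAP packet."""
    ihl = (packet[0] & 0x0F) * 4
    gsmtap = packet[ihl + 8:]               # skip IPv4 header and the 8-byte UDP header
    return gsmtap[2], gsmtap[12], gsmtap[gsmtap[1] * 4:]


def pcap_global_header() -> bytes:
    """Classic libpcap file header: magic, version 2.4, tz, sigfigs, snaplen, link type."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)


def pcap_record(packet: bytes, ts: float) -> bytes:
    """One pcap record: seconds, microseconds, captured length, original length, data."""
    sec, usec = int(ts), int((ts % 1) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(packet), len(packet)) + packet


if __name__ == "__main__":
    # Constructed sample PDU, not a captured frame; pipe this into: wireshark -k -i -
    sys.stdout.buffer.write(pcap_global_header())
    sys.stdout.buffer.write(pcap_record(gsmtap_lte_rrc_packet(
        b"\x40\x48\x20\x03", GSMTAP_LTE_RRC_SUB_BCCH_DL_SCH_Message), time.time()))
```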

r00tb3 commented 4 years ago

@p1-mmr Thanks a lot for the answer.

I'll be rewriting the code in C to improve my coding skills. Also, I'm exploring the baseband communication between the BP and the AP in Android smartphones to learn baseband exploitation; I guess rewriting in C will help me understand in depth how /dev/diag works behind the scenes.

Any other suggestions are welcome.

Regards.

r00tb3 commented 4 years ago

@p1-mmr

it would be maybe simpler to run QCSuper as a subprocess and manipulate the obtained .PCAP data through using something like --pcap-dump - so that you can obtain the PCAP file data directly for you from its standard output and do whatever you like with it.

I did the same. I have a .pcap file whose frames have the following protocols: IPv4, UDP, GSMTAP, LTE RRC. I've written a script to grep the info I need from these protocols, but it seems that LTE-RRC uses an ASN.1 encoder which, after printing, displays some other value than I expected. How do I convert these ASN.1 encoded values to text and print them using the C language?

Any help is appreciated.

Awaiting your reply.

p1-mmr commented 4 years ago

Hello,

You can use an ASN.1 compiler, such as asn1c in order to compile the ASN.1 definitions of the RRC protocol into C code. The RRC protocol is defined in TS 36.331 for 4G and TS 25.331 for 3G.

Regards,

r00tb3 commented 4 years ago

Hello,

You can use an ASN.1 compiler, such as asn1c in order to compile the ASN.1 definitions of the RRC protocol into C code. The RRC protocol is defined in TS 36.331 for 4G and TS 25.331 for 3G.

Regards,

Yes, but I've got a .pcap file, not a .asn1 file, and I only need to dump the LTE-RRC protocol messages. I'm performing the whole process in C and I'm stuck now.

p1-mmr commented 4 years ago

Hello,

The ASN.1 definitions are present in the .DOC specification of RRC LTE linked above.

Other people already did the extraction work, as you can find through the Github search tool: https://github.com/search?l=ASN.1&q=%22EUTRA-RRC-Definitions+DEFINITIONS+AUTOMATIC+TAGS%22&type=Code

The .ASN1 text definitions can be translated into generated .C code using an ASN.1 compiler, and the generated .C code can decode the BER-serialized ASN1 messages contained in the .PCAP file.

Regards,

r00tb3 commented 4 years ago

Hello,

The ASN.1 definitions are present in the .DOC specification of RRC LTE linked above.

Other people already did the extraction work, as you can find through the Github search tool: https://github.com/search?l=ASN.1&q=%22EUTRA-RRC-Definitions+DEFINITIONS+AUTOMATIC+TAGS%22&type=Code

The .ASN1 text definitions can be translated into generated .C code using an ASN.1 compiler, and the generated .C code can decode the BER-serialized ASN1 messages contained in the .PCAP file.

Regards,

Thanks a lot for the detailed explanation.

I'll be using the ASN file used by Wireshark for dissecting the same.

https://github.com/wireshark/wireshark/blob/wireshark-2.5.0/epan/dissectors/asn1/lte-rrc/EUTRA-RRC-Definitions.asn

Regards.

r00tb3 commented 4 years ago

and the generated .C code can decode the BER-serialized ASN1 messages contained in the .PCAP file

Hi @p1-mmr, I've tried the steps you mentioned above and I've got tons of header and C source files for decoding the RRC messages, but how do I integrate them into my code and decode the ASN.1 encoded messages?

For example,

I want to decode the PLMN ID present in the SIB1 message. I've added PLMN-Identity.h to my main code, which I obtained after compiling Wireshark's ASN.1 file, but for decoding SIB1, when I point to the PLMN_Identity_t structure of the PLMN-Identity.h header file, it prints nothing!

I don't know what I'm doing wrong or maybe I'm missing some step.

Can you please shed some light on this?

Regards.
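LTE RRC PDUs are serialized with unaligned PER (UPER), so a PLMN-Identity is not a self-delimiting structure you can point a header at: it sits at a bit offset determined by every field before it. The following added example (not code from this thread or from QCSuper) hand-decodes just the plmn-IdentityList at the start of a BCCH-DL-SCH-Message carrying SIB1, following the TS 36.331 field order; the sample bytes are constructed, not captured.

```python
class BitReader:
    """Reads big-endian bit fields the way a UPER decoder consumes them."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def bits(self, n: int) -> int:
        value = 0
        for _ in range(n):
            byte, bit = divmod(self.pos, 8)
            if byte >= len(self.data):
                raise ValueError("truncated SIB1")
            value = (value << 1) | ((self.data[byte] >> (7 - bit)) & 1)
            self.pos += 1
        return value


def decode_sib1_plmn_list(pdu: bytes) -> list:
    """Return the PLMN IDs ('MCC-MNC') from a BCCH-DL-SCH-Message that carries SIB1.

    Bit layout (TS 36.331): BCCH-DL-SCH-MessageType CHOICE {c1, messageClassExtension},
    c1 CHOICE {systemInformation, systemInformationBlockType1}, then the SIB1 SEQUENCE.
    """
    r = BitReader(pdu)
    if r.bits(1) != 0 or r.bits(1) != 1:  # c1 = 0, systemInformationBlockType1 = 1
        raise ValueError("not a SIB1 BCCH-DL-SCH message")
    r.bits(3)                             # SIB1 OPTIONAL bitmap: p-Max, tdd-Config, nonCriticalExtension
    r.bits(1)                             # cellAccessRelatedInfo OPTIONAL bitmap: csg-Identity
    count = r.bits(3) + 1                 # plmn-IdentityList SIZE (1..6): 3-bit length, offset 1
    plmns, mcc = [], None
    for _ in range(count):
        if r.bits(1):                     # mcc OPTIONAL; when absent it repeats the previous entry's
            mcc = "".join(str(r.bits(4)) for _ in range(3))   # MCC: 3 x INTEGER (0..9) = 4 bits each
        if mcc is None:
            raise ValueError("first PLMN-Identity must carry an MCC")
        mnc_len = r.bits(1) + 2           # MNC SIZE (2..3): 1-bit length, offset 2
        mnc = "".join(str(r.bits(4)) for _ in range(mnc_len))
        r.bits(1)                         # cellReservedForOperatorUse ENUMERATED {reserved, notReserved}
        plmns.append(f"{mcc}-{mnc}")
    return plmns


# Constructed sample (not a captured frame): a SIB1 whose PLMN list is 208-01 and 208-010,
# the second entry omitting its MCC. Only the leading bits (the PLMN list) are meaningful.
SAMPLE_SIB1 = bytes.fromhex("40 c8 20 03 40 40")

if __name__ == "__main__":
    print(decode_sib1_plmn_list(SAMPLE_SIB1))   # ['208-01', '208-010']
```

The same bit positions are what asn1c's generated decoder walks when handed the whole BCCH-DL-SCH-Message, which is why decoding must start from the top-level message type rather than from PLMN_Identity_t on its own.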