asset-group / 5ghoul-5g-nr-attacks

GNU General Public License v2.0
484 stars, 82 forks

Launching a 5Ghoul attack looks for adb preconfigured device #3

Closed alphafox02 closed 7 months ago

alphafox02 commented 7 months ago

You all wouldn't happen to have more details on the intent of all the profiles/device info left in the configs? I gave a quick run a try, but it's looking for an adb device with the serial number specified in one of the config files. I'm not seeing the base station start and I wasn't sure if that's because of the left-behind settings or due to me trying to use a b205 instead of the b210. I can't see anywhere that you may have SDR hardware pre-configured.

alphafox02 commented 7 months ago

Starting with the GUI is actually helpful and I can see more of what's going on. The b205mini is not in the fpga directory. I'll address that on my end.

alphafox02 commented 7 months ago

uhd_images_downloader pulls in the missing fpga for non b210 usage.

Matheus-Garbelini commented 7 months ago

Hi @alphafox02, the container initially only contains b210-related firmware to save some space. However, you can use uhd_images_downloader to download images for other USRPs. Note that using other USRPs would require following the OAI tutorial and choosing a gNB config file that matches your SDR: https://gitlab.eurecom.fr/oai/openairinterface5g/-/blob/develop/doc/NR_SA_Tutorial_COTS_UE.md?ref_type=heads#42-run-oai-gnb

By default 5ghoul uses the OAI config file configs/configs/5gnr_gnb/n78.106.conf, which works for the USRP B210. This config file shall be slightly different depending on the SDR you are using.

alphafox02 commented 7 months ago

I'll give the x310 a try, and I also have an AntSDR e200 that presents itself as basically a b210 in most ways, but not as robust. Thank you for pointing me to the configs.

alphafox02 commented 7 months ago

Managed to make changes and update the FPGA on the X310 and have it working with 5Ghoul. However, for proper operation I'm assuming I need something to fill in for the adb device being looked for, or change the configs to disable that? Right now the eNB/gNB will start and then it talks about waiting for the UE task to start. ModemManager and adb will complain over and over for about 20 seconds or so, at which point the eNB will shut down and the process will start over.

I'm assuming the project as shipped is set up in a state that has a USB modem UE being started and controlled to create a semi-closed-loop connection between the UE and the eNB? I haven't looked closely, that's just an observation.

alphafox02 commented 7 months ago

I disabled the modem manager in the global config and the search for the USB modem in the 5gnr_gnb_config, but still after 20 seconds or so the process loops.

[AnomalyReport] [Timeout] Target is not responding
[PacketLogger] Packet Number:3, Comment: [Timeout] Target is not responding
[PacketLogger] Packet Number:3, Comment: [Timeout] Target is not responding

I'm probably not fully understanding what the Target is in this case, but I assume that's what is causing the process/eNB to stop and restart.

Matheus-Garbelini commented 7 months ago

Hi @alphafox02, you can disable the global timeout to keep the rogue base station from restarting by using this option: --GlobalTimeout=false. Hopefully I can update the container & repo this week with better configuration defaults. Normally the container is expecting a USB modem to be connected to it, and hence the global timeout is running to warn when the UE times out.

By the way, which device type do you plan to test 5Ghoul with? A modem or a phone?

alphafox02 commented 7 months ago

Excellent, I’ll try that.

I was keeping an eye on a Motorola Edge 2022 I think it was, listed on eBay. I wasn’t sure if that would be okay as I compared it to the 20 and it seemed close. Not sure about its 5G specs. If I get a modem instead, is that something I could just configure in place of the one that’s already configured in the docker configs?

I’m happy to go with whatever the best option is and just order it to test with, even if that means getting a new one.

Matheus-Garbelini commented 6 months ago

Hi @alphafox02, Motorola Edge 2022 seems to be using MediaTek Dimensity 1050, which might not be affected since MediaTek's disclosure didn't list any Dimensity SoC. However, it's likely they are also affected since in our tests, Dimensity 900 and Dimensity 1600 indicated they are vulnerable. Motorola Edge 20, on the other hand, uses Snapdragon 778G 5G, which is listed as affected on Qualcomm's disclosure. The other side is that if your tests reveal that Motorola Edge 2022 is vulnerable, that pie chart of affected phones will just pile up 😐.

However, depending on your future needs, a modem can be beneficial for other network or SDR related projects. My overall experience with 5G USB modems is better than with phones. This is because we can configure the modem to specifically not scan for unused 4G and 5G bands, which accelerates the cell search procedure. They are also less likely to complain about not using testing SIM cards to connect to the testing network 001/01.

In any case, having a programmable SIM card is always useful for testing with both 5G phones or USB modems.

Not sure about its 5G specs. If I get a modem instead, is that something I could just configure in place of the one that’s already configured in the docker configs?

Yes. The config file does not assume a specific model of USB modem and instead calls an updated ModemManager software to identify and configure it. However, you can still attach the modem to the container and run commands manually if you want to test step by step the USB modem connectivity to the rogue base station. For example, with UEModemManager->Enable=true, the PoC internally calls qmicli, mmcli to talk to the modem via QMI/AT interface. However, without the UEModemManager (UEModemManager->Enable=false), you can still manually configure and control the modem via AT commands.

You can certainly post your results here and I can assist you with 5G modem testing. So far, the modems that we have used are listed below (all of them have a Qualcomm X55 modem). Do keep in mind that to use these modules directly, you'd need an M.2 to USB 3 adaptor:

Quectel RM500Q-GL
Simcom SIM8202G
Fibocom FM150-AE
Telit FT980m

PS: This RM520N-GL suggested by Mark Houtz seems to be really well priced and it employs a Qualcomm X55 modem.

alphafox02 commented 6 months ago

I ended up getting an Edge 20 and have not updated it to Android 12. It took me a minute to figure out why 5G was not an option under networks (my SIM card was the issue). I'm currently waiting for the same SIM cards recommended in your Readme to arrive. Question in the meantime, still trying to set things up with the X310. I've looked at the example configs for that device, the container sees the X310, but I don't seem to see anything in the spectrum on band 78 when starting 5ghoul, although the red and green lights are on under the RF A side of the X310. Those lights will remain on for maybe 30-45 seconds or so and then go out, at which point the Base-Station process stopped notice will appear, and things will try to restart.

The --GlobalTimeout=false is set, so perhaps there's some other failure occurring. I'll try and see if I can borrow a B210 from somewhere here soon if I can't get the X310 configured correctly.

alphafox02 commented 6 months ago

Good evening. I ended up getting the RM520N-GL. Trying to work through the process of setting it up by looking at both the global_config and the other configs used when starting 5ghoul. The device shows up in dmesg as being assigned to /dev/cdc-wdm0, not wdm1. I made that change in the global_config.json. What's not immediately clear to me is the section asking for ADBDevice. Are there some steps I can follow for the modem usage?
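A pre-flight check for the two set-up points that came up in this thread (the cdc-wdmN node the kernel assigned to the modem versus the one named in global_config.json, and whether a UHD FPGA image for the SDR in use is installed), added here as an example and not code from the 5Ghoul repository; the default config path, the UHD images directory and the image file names are assumptions, and the dmesg text is constructed.

```shell
#!/bin/sh
# Added example (not part of 5Ghoul): verify the USB modem node and the UHD FPGA image
# before starting the rogue gNB, so a UE timeout loop is not caused by a wrong device path.

# Print the first cdc-wdm node that qmi_wwan registered, reading dmesg text from stdin.
# The kernel logs it as e.g. "qmi_wwan 1-2:1.4: cdc-wdm0: USB WDM device".
wdm_node_from_dmesg() {
    sed -n 's/.*\(cdc-wdm[0-9][0-9]*\): USB WDM device.*/\1/p' | head -n 1
}

# Succeed when config file $1 references node $2 (e.g. cdc-wdm0). No JSON key name is
# assumed: the check only asks whether that node string appears anywhere in the file.
config_matches_node() {
    grep -qE "$2([^0-9]|\$)" "$1"
}

# Succeed when FPGA image $2 exists under UHD images directory $1. Names such as
# usrp_b210_fpga.bin or usrp_x310_fpga_HG.bit are the ones uhd_images_downloader installs.
fpga_image_present() {
    [ -f "$1/$2" ]
}

# Constructed sample dmesg output, standing in for `dmesg` on the real host.
SAMPLE_DMESG='usb 1-2: new SuperSpeed USB device number 5 using xhci_hcd
qmi_wwan 1-2:1.4: cdc-wdm0: USB WDM device
qmi_wwan 1-2:1.4 wwan0: register qmi_wwan at usb-0000:00:14.0-2, WWAN/QMI device'

# Run the checks against the live host; paths are assumptions, override them as arguments.
# Usage: preflight [global_config.json] [uhd images dir] [fpga image file]
preflight() {
    cfg=${1:-global_config.json}
    images=${2:-/usr/share/uhd/images}
    fpga=${3:-usrp_b210_fpga.bin}
    node=$(dmesg 2>/dev/null | wdm_node_from_dmesg)
    [ -n "$node" ] || { echo "no cdc-wdm node in dmesg: modem not enumerated or qmi_wwan not loaded"; return 1; }
    config_matches_node "$cfg" "$node" || { echo "$cfg does not reference /dev/$node; update the config"; return 1; }
    fpga_image_present "$images" "$fpga" || { echo "$fpga missing in $images; run uhd_images_downloader"; return 1; }
    echo "modem at /dev/$node and $fpga present; use --GlobalTimeout=false if the UE does not answer"
}
```

Source the file and call preflight with your own paths; every check that fails names the config or image to fix.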