dev-zzo / aluhacking

Tools and other stuff for hacking Alcatel-Lucent femtocells
MIT License

gtp: Write error:1 Destination IP:53.0.1.10 and Port:2152 #3

Closed dev-zzo closed 2 years ago

dev-zzo commented 2 years ago

Funky problem with GTP

UMC01 20220418T124328+0000 823 UserPlaneThread  00000067 !E IPPS_GTPU  -> F(write:396)Write error:1 Destination IP:53.0.1.10 and Port:2152
UMC01 20220418T124329+0000 113 UserPlaneThread  00000068 !E IPPS_GTPU  -> F(write:396)Write error:1 Destination IP:53.0.1.10 and Port:2152
UMC01 20220418T124329+0000 303 UserPlaneThread  00000069 !E IPPS_GTPU  -> F(write:396)Write error:1 Destination IP:53.0.1.10 and Port:2152
UMC01 20220418T124329+0000 443 UserPlaneThread  00000070 !E IPPS_GTPU  -> F(write:396)Write error:1 Destination IP:53.0.1.10 and Port:2152
UMC01 20220418T124329+0000 535 UserPlaneThread  00000071 !E IPPS_GTPU  -> F(write:396)Write error:1 Destination IP:53.0.1.10 and Port:2152
UMC01 20220418T124329+0000 602 UserPlaneThread  00000072 !E IPPS_GTPU  -> F(handleGTPUTimerEchoResponse:2768)Received GTPU_TIMER_ECHO_RESPONSE_EXPIRY message
UMC01 20220418T124330+0000 513 UserPlaneThread  00000073 !E IPPS_GTPU  -> F(write:396)Write error:1 Destination IP:53.0.1.10 and Port:2152
UMC01 20220418T124330+0000 533 UserPlaneThread  00000074 !E IPPS_GTPU  -> F(write:396)Write error:1 Destination IP:53.0.1.10 and Port:2152
UMC01 20220418T124331+0000 304 UserPlaneThread  00000075 !E IPPS_GTPU  -> F(write:396)Write error:1 Destination IP:53.0.1.10 and Port:2152
UMC01 20220418T124331+0000 683 UserPlaneThread  00000076 !E IPPS_GTPU  -> F(write:396)Write error:1 Destination IP:53.0.1.10 and Port:2152

dev-zzo commented 2 years ago

More log output...

UMC01 20220418T124349+0000 412 UserPlaneThread  00000145 !E IPPS_GTPU  -> F(write:396)Write error:1 Destination IP:53.0.1.10 and Port:2152
UMC01 20220418T124349+0000 451 UserPlaneThread  00000146 !E IPPS_GTPU  -> F(write:396)Write error:1 Destination IP:53.0.1.10 and Port:2152
UMC01 20220418T124349+0000 536 UserPlaneThread  00000019 ?P #EVENT# GTP Path Failure
UMC01 20220418T124349+0000 536 UserPlaneThread  00000147 !E IPPS_GTPU  -> F(sendPathFailureToOAM:2344)Sent path failure indication to OAM for RemoteAddress = 53.0.1.10
UMC01 20220418T124349+0000 537 UserPlaneThread  00000148 !E IPPS_GTPU  -> F(sendPathFailureToOAM:2344)Sent path failure indication to OAM for RemoteAddress = 53.0.1.10
UMC01 20220418T124349+0000 537 UserPlaneThread  00000149 !E IPPS_GTPU  -> F(sendErrorIndicationToCN:2281)This Msg has been send to CN to indicate the Error
UMC01 20220418T124349+0000 537 UserPlaneThread  00000150 !E IPPS_GTPU  -> F(handleGTPUTimerEchoResponse:2764)Echo Response failed for RemoteIP : 53.0.1.10
UMC01 20220418T124349+0000 537 UserPlaneThread  00000151 !E IPPS_GTPU  -> F(handleGTPUTimerEchoResponse:2765)Send error indication to CN and delete echo_resp timer
UMC01 20220418T124350+0000 222 OamThread    00000152 !W WARNING FM::F(sendfaultDefene):: Received fault IuPSUplane_gTPEchoFailure
UMC01 20220418T124350+0000 222 OamThread    00000153 !W WARNING *** UBM WARNING *** File:/vobs/fbsr_oam/UOAM_FM/auto_rt/rt/src/FastTrackFiles/aFctFM.cpp line:851 ***
UMC01 20220418T124350+0000 226 OamThread    00000154 !W WARNING FM::F(sendfaultDefene):: Received fault IuPSUplane_gTPEchoFailure
UMC01 20220418T124350+0000 226 OamThread    00000155 !W WARNING *** UBM WARNING *** File:/vobs/fbsr_oam/UOAM_FM/auto_rt/rt/src/FastTrackFiles/aFctFM.cpp line:851 ***
UMC01 20220418T124350+0000 561 UserPlaneThread  00000156 !E IPPS_GTPU  -> F(write:396)Write error:1 Destination IP:53.0.1.10 and Port:2152
UMC01 20220418T124350+0000 582 UserPlaneThread  00000157 !E IPPS_GTPU  -> F(write:396)Write error:1 Destination IP:53.0.1.10 and Port:2152

dev-zzo commented 2 years ago

This seems to come out when the PDU context has been established, so only when a device is active. Could be a bug in how GGSN GTP info is passed from SGSN to the femto?

Clearly, the IP address is wrong here.

UMC01 20220422T125804+0000 597 SgsnProxyThread  00001355 ?D IUPSPROXY [IUPSPROXY_ASN_1]Enter RMAP_RANAP_CONV::decodeMsg().
UMC01 20220422T125804+0000 597 SgsnProxyThread  00001356 ?I IUPSPROXY [IUPSPROXY_ASN_1]Length of message to be decoded is 85.
UMC01 20220422T125804+0000 597 SgsnProxyThread  00001357 ?I IUPSPROXY [IUPSPROXY_ASN_1]PER Stream (pdu=1; len='00000055'H)
UMC01 20220422T125804+0000 597 SgsnProxyThread  00001358 ?I IUPSPROXY [IUPSPROXY_ASN_1]00000051 00000100 36404A00 00010035 003B380A 12DE1869 FF800C34 FF001F40
UMC01 20220422T125804+0000 598 SgsnProxyThread  00001359 ?I IUPSPROXY [IUPSPROXY_ASN_1]0806089E 00000000 B1400560 018CBA7F 0000113E 3500010A 0A0ACF00 00000000
UMC01 20220422T125804+0000 598 SgsnProxyThread  00001360 ?I IUPSPROXY [IUPSPROXY_ASN_1]00000000 00000000 00000000 01400678 1C000000 00
UMC01 20220422T125804+0000 734 SgsnProxyThread  00001361 ?D IUPSPROXY [IUPSPROXY_ASN_1]Start decode RAB assignment.
UMC01 20220422T125804+0000 734 SgsnProxyThread  00001362 ?D IUPSPROXY [IUPSPROXY_ASN_1]Start decode RAB setup modify list.
UMC01 20220422T125804+0000 734 SgsnProxyThread  00001363 ?D IUPSPROXY [IUPSPROXY_ASN_1]p_FieldPair->id is 53.
UMC01 20220422T125804+0000 734 SgsnProxyThread  00001364 ?D IUPSPROXY [IUPSPROXY_ASN_1]RAB id is 5.
UMC01 20220422T125804+0000 735 SgsnProxyThread  00001365 ?D IUPSPROXY [IUPSPROXY_ASN_1]Start decode Rab Raram.
UMC01 20220422T125804+0000 735 SgsnProxyThread  00001366 ?D IUPSPROXY [IUPSPROXY_ASN_1]Start decode Traffic Class.
UMC01 20220422T125804+0000 735 SgsnProxyThread  00001367 ?D IUPSPROXY [IUPSPROXY_ASN_1]Traffic Class function return 1.
UMC01 20220422T125804+0000 735 SgsnProxyThread  00001368 ?D IUPSPROXY [IUPSPROXY_ASN_1]Decoded Traffic Class is 3.
UMC01 20220422T125804+0000 735 SgsnProxyThread  00001369 ?D IUPSPROXY [IUPSPROXY_ASN_1]Start decode Asymmetery Ind.
UMC01 20220422T125804+0000 735 SgsnProxyThread  00001370 ?D IUPSPROXY [IUPSPROXY_ASN_1]Asymmetery Ind is 3.
UMC01 20220422T125804+0000 735 SgsnProxyThread  00001371 ?D IUPSPROXY [IUPSPROXY_ASN_1]Asymmetery Ind function return 1.
UMC01 20220422T125804+0000 735 SgsnProxyThread  00001372 ?D IUPSPROXY [IUPSPROXY_ASN_1]Decode maxBitRate.dlRate = 1600000.
UMC01 20220422T125804+0000 735 SgsnProxyThread  00001373 ?D IUPSPROXY [IUPSPROXY_ASN_1]Decode maxBitRate.ulRate = 800000.
UMC01 20220422T125804+0000 735 SgsnProxyThread  00001374 ?D IUPSPROXY [IUPSPROXY_ASN_1]Start decode Delivery Order.
UMC01 20220422T125804+0000 735 SgsnProxyThread  00001375 ?D IUPSPROXY [IUPSPROXY_ASN_1]Delivery Order function return 1.
UMC01 20220422T125804+0000 735 SgsnProxyThread  00001376 ?D IUPSPROXY [IUPSPROXY_ASN_1]enter decRABParmExtMaxBitrateList
UMC01 20220422T125804+0000 736 SgsnProxyThread  00001377 ?D IUPSPROXY [IUPSPROXY_ASN_1]p_ExtMaxBitRate->value = 42000000
UMC01 20220422T125804+0000 736 SgsnProxyThread  00001378 ?D IUPSPROXY [IUPSPROXY_ASN_1]Decode extendedMaxBitRate.dlRate = 42000000.
UMC01 20220422T125804+0000 736 SgsnProxyThread  00001379 ?D IUPSPROXY [IUPSPROXY_ASN_1]Decode extendedMaxBitRate.ulRate = 42000000.
UMC01 20220422T125804+0000 736 SgsnProxyThread  00001380 ?D IUPSPROXY [IUPSPROXY_ASN_1]enter decRABParmExtMaxBitrateList with:1
UMC01 20220422T125804+0000 736 SgsnProxyThread  00001381 ?D IUPSPROXY [IUPSPROXY_ASN_1]Start decode Alloc Retention Prio.
UMC01 20220422T125804+0000 736 SgsnProxyThread  00001382 ?D IUPSPROXY [IUPSPROXY_ASN_1]prioLevel = 15.
UMC01 20220422T125804+0000 736 SgsnProxyThread  00001383 ?D IUPSPROXY [IUPSPROXY_ASN_1]Start decode Preemption Capabilities.
UMC01 20220422T125804+0000 736 SgsnProxyThread  00001384 ?D IUPSPROXY [IUPSPROXY_ASN_1]Preemption Capabilities function return 1.
UMC01 20220422T125804+0000 736 SgsnProxyThread  00001385 ?D IUPSPROXY [IUPSPROXY_ASN_1]Start decode Preemption Vulnerability.
UMC01 20220422T125804+0000 737 SgsnProxyThread  00001386 ?D IUPSPROXY [IUPSPROXY_ASN_1]Preemption Vulnerability function return 1.
UMC01 20220422T125804+0000 737 SgsnProxyThread  00001387 ?D IUPSPROXY [IUPSPROXY_ASN_1]Start decode Queuing.
UMC01 20220422T125804+0000 737 SgsnProxyThread  00001388 ?D IUPSPROXY [IUPSPROXY_ASN_1]Queuing function return 1.
UMC01 20220422T125804+0000 737 SgsnProxyThread  00001389 ?D IUPSPROXY [IUPSPROXY_ASN_1]Alloc Retention Prio function return 1.
UMC01 20220422T125804+0000 737 SgsnProxyThread  00001390 ?D IUPSPROXY [IUPSPROXY_ASN_1]Rab Param function return 1.
UMC01 20220422T125804+0000 737 SgsnProxyThread  00001391 ?D IUPSPROXY [IUPSPROXY_ASN_1]Start decode User Plane Info.
UMC01 20220422T125804+0000 737 SgsnProxyThread  00001392 ?D IUPSPROXY [IUPSPROXY_ASN_1]Mask in User Plane Info : 112
UMC01 20220422T125804+0000 737 SgsnProxyThread  00001393 ?D IUPSPROXY [IUPSPROXY_ASN_1]userPlaneMode = 0
UMC01 20220422T125804+0000 737 SgsnProxyThread  00001394 ?D IUPSPROXY [IUPSPROXY_ASN_1]userPlaneModeVersion = 1
UMC01 20220422T125804+0000 737 SgsnProxyThread  00001395 ?D IUPSPROXY [IUPSPROXY_ASN_1]User Plane Info function return 1.
UMC01 20220422T125804+0000 737 SgsnProxyThread  00001396 ?D IUPSPROXY [IUPSPROXY_ASN_1]Start decode Transport Layer Info.
UMC01 20220422T125804+0000 737 SgsnProxyThread  00001397 ?D IUPSPROXY [IUPSPROXY_ASN_1]Mask in Transport Layer Info is 16.
UMC01 20220422T125804+0000 737 SgsnProxyThread  00001398 ?D IUPSPROXY [IUPSPROXY_ASN_1]Transport Layer Info function return 1.
UMC01 20220422T125804+0000 738 SgsnProxyThread  00001399 ?D IUPSPROXY [IUPSPROXY_ASN_1]Start decode PDP type information.
UMC01 20220422T125804+0000 738 SgsnProxyThread  00001400 ?D IUPSPROXY [IUPSPROXY_ASN_1]PDP type information function return 1.
UMC01 20220422T125804+0000 738 SgsnProxyThread  00001401 ?D IUPSPROXY [IUPSPROXY_ASN_1]Start decode Data Volume Reporting.
UMC01 20220422T125804+0000 738 SgsnProxyThread  00001402 ?D IUPSPROXY [IUPSPROXY_ASN_1]Data Volume Reporting function return 1.
UMC01 20220422T125804+0000 738 SgsnProxyThread  00001403 ?D IUPSPROXY [IUPSPROXY_ASN_1]Start decode DL GTP-PDU Sequence.
UMC01 20220422T125804+0000 738 SgsnProxyThread  00001404 ?D IUPSPROXY [IUPSPROXY_ASN_1]DL GTP-PDU SN = 0x00000000.
UMC01 20220422T125804+0000 738 SgsnProxyThread  00001405 ?D IUPSPROXY [IUPSPROXY_ASN_1]DL GTP-PDU Sequence function return 1.
UMC01 20220422T125804+0000 738 SgsnProxyThread  00001406 ?D IUPSPROXY [IUPSPROXY_ASN_1]Start decode UL GTP-PDU Sequence.
UMC01 20220422T125804+0000 738 SgsnProxyThread  00001407 ?D IUPSPROXY [IUPSPROXY_ASN_1]UL GTP-PDU SN = 0x00000000.
UMC01 20220422T125804+0000 738 SgsnProxyThread  00001408 ?D IUPSPROXY [IUPSPROXY_ASN_1]UL GTP-PDU Sequence function return 1.
UMC01 20220422T125804+0000 738 SgsnProxyThread  00001409 ?D IUPSPROXY [IUPSPROXY_ASN_1]Start decode DL N-PDU Sequence.
UMC01 20220422T125804+0000 738 SgsnProxyThread  00001410 ?D IUPSPROXY [IUPSPROXY_ASN_1]DL N-PDU Sequence return 1.
UMC01 20220422T125804+0000 738 SgsnProxyThread  00001411 ?D IUPSPROXY [IUPSPROXY_ASN_1]Start decode UL N-PDU Sequence.
UMC01 20220422T125804+0000 739 SgsnProxyThread  00001412 ?D IUPSPROXY [IUPSPROXY_ASN_1]UL N-PDU Sequence return 1.
UMC01 20220422T125804+0000 739 SgsnProxyThread  00001413 ?D IUPSPROXY [IUPSPROXY_ASN_1]Start decode Alternative RAB Parameter.
UMC01 20220422T125804+0000 739 SgsnProxyThread  00001414 ?D IUPSPROXY [IUPSPROXY_ASN_1]Alter RAB Para function return 1.
UMC01 20220422T125804+0000 739 SgsnProxyThread  00001415 ?D IUPSPROXY [IUPSPROXY_ASN_1]RAB SOM list func return counter 1.
UMC01 20220422T125804+0000 739 SgsnProxyThread  00001416 ?D IUPSPROXY [IUPSPROXY_ASN_1]RAB assignment  function return 1.
UMC01 20220422T125804+0000 739 SgsnProxyThread  00001417 ?D IUPSPROXY [IUPSPROXY_ASN_1]RabAssignmentRequest decoded successfully.
UMC01 20220422T125804+0000 739 SgsnProxyThread  00001418 ?D IUPSPROXY [IUPSPROXY_IPPSITF]Enter the function fnGetUeCtxtIdbyIuConId.
UMC01 20220422T125804+0000 739 SgsnProxyThread  00001419 ?D IUPSPROXY [IUPSPROXY_IPPSITF]IuConId = 70.
UMC01 20220422T125804+0000 739 SgsnProxyThread  00001420 ?D IUPSPROXY [IUPSPROXY_IPPSITF]Get UeCtxtId = 0.
UMC01 20220422T125804+0000 739 SgsnProxyThread  00001421 ?D IUPSPROXY [IUPSPROXY_ASN_1]Decode Message function return 1.
UMC01 20220422T125804+0000 739 SgsnProxyThread  00001422 ?D IUPSPROXY [IUPSPROXY_TOP]Decode success.
UMC01 20220422T125804+0000 739 SgsnProxyThread  00001423 ?D IUPSPROXY [IUPSPROXY_IPPSITF]Enter the function fnGetUeCtxtIdbyIuConId.
UMC01 20220422T125804+0000 740 SgsnProxyThread  00001424 ?D IUPSPROXY [IUPSPROXY_IPPSITF]IuConId = 70.
UMC01 20220422T125804+0000 740 SgsnProxyThread  00001425 ?D IUPSPROXY [IUPSPROXY_IPPSITF]Get UeCtxtId = 0.
UMC01 20220422T125804+0000 740 SgsnProxyThread  00001426 ?D IUPSPROXY [IUPSPROXY_IPPSITF]fnHandleSctpDataMsg:unUcxId=0, bReceivedRelocRequied=0
UMC01 20220422T125804+0000 740 SgsnProxyThread  00001427 ?D IUPSPROXY [IUPSPROXY_IPPSITF]fnHandleSctpDataInd:unUcxId=0, bReceivedRelocRequied=0
UMC01 20220422T125804+0000 740 SgsnProxyThread  00001428 ?D IUPSPROXY [IUPSPROXY_IPPSITF]Enter the function fnProcessDlRanapMsg, unUcxId=0, nMsgType=7
UMC01 20220422T125804+0000 740 SgsnProxyThread  00001429 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSPUEx:set bRabAssiRspIsSentFlag false
UMC01 20220422T125804+0000 740 SgsnProxyThread  00001430 ?D IUPSPROXY [IUPSPROXY_IPPSITF]Receive CNC_MSG_TYPE_RAB_ASSIGNMENT_REQ From CN
UMC01 20220422T125804+0000 741 SgsnProxyThread  00001431 ?D IUPSPROXY [IUPSPROXY_IPPSITF]Send CNC_MSG_TYPE_RAB_ASSIGNMENT_REQ to UEx
UMC01 20220422T125804+0000 741 SgsnProxyThread  00001432 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSUEx: Enter function HandleRABAssignReqFromCN,UECtxtId = 0
UMC01 20220422T125804+0000 741 SgsnProxyThread  00001433 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSUEx: Coming a rab assignment request!
UMC01 20220422T125804+0000 741 SgsnProxyThread  00001434 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSUEx: There are 0 rab assignment request(s) in the queue!
UMC01 20220422T125804+0000 742 SgsnProxyThread  00001435 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSUEx: Rab Assignment Request Running flag is 0, 1 Request(s) in the Queue!
UMC01 20220422T125804+0000 742 SgsnProxyThread  00001436 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSUEx: Get a new Rab Assignment Request from the Queue!
UMC01 20220422T125804+0000 742 SgsnProxyThread  00001437 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSUEx: numbers of rab setup From CN is 1
UMC01 20220422T125804+0000 742 SgsnProxyThread  00001438 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSUEx: numbers of rab release From CN is 0
UMC01 20220422T125804+0000 742 SgsnProxyThread  00001439 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSUEx: MPDP supported mode is 1
UMC01 20220422T125804+0000 742 SgsnProxyThread  00001440 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSPUEx: NO RAB release in RAB assignment requst.
UMC01 20220422T125804+0000 742 SgsnProxyThread  00001441 ?D IUPSPROXY [IUPSPROXY_IPPSITF]Enter the function fnGetRabCtxtIdbyNsApi
UMC01 20220422T125804+0000 742 SgsnProxyThread  00001442 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSPUEx: RAB Assign Req New RAB setup
UMC01 20220422T125804+0000 742 SgsnProxyThread  00001443 ?D IUPSPROXY [IUPSPROXY_OAMITF]enter AllocateRABCtx()
UMC01 20220422T125804+0000 742 SgsnProxyThread  00001444 ?I IUPSPROXY [IUPSPROXY_TOP]IuPSPUEx: Allocate RAB context Id success, UECtxtId = 0 RABCtxtId = 0
UMC01 20220422T125804+0000 743 SgsnProxyThread  00001445 ?D IUPSPROXY [IUPSPROXY_TOP]Enter fnGetRabSetupPort function
UMC01 20220422T125804+0000 743 SgsnProxyThread  00001446 ?D IUPSPROXY [IUPSPROXY_IPPSITF]Enter the function fnGetRabCtxtIdbyNsApi
UMC01 20220422T125804+0000 743 SgsnProxyThread  00001447 ?D IUPSPROXY [IUPSPROXY_TOP] Get RabSetupPort(0)
UMC01 20220422T125804+0000 743 SgsnProxyThread  00001448 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSPUEx: UECtxtId = 0,bDirectSentToBRRM = 0
UMC01 20220422T125804+0000 743 SgsnProxyThread  00001449 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSPUEx: Send RAB_SETUP_REQ to RABx success, UECtxtId = 0  RABPort = 0
UMC01 20220422T125804+0000 743 SgsnProxyThread  00001450 ?D IUPSPROXY [IUPSPROXY_TOP]enter fnSaveRabAssignReq function.
UMC01 20220422T125804+0000 743 SgsnProxyThread  00001451 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSPUEx:  unSetupCount = 1
UMC01 20220422T125804+0000 743 SgsnProxyThread  00001452 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSPUEx:  unRelCount = 0 
UMC01 20220422T125804+0000 743 SgsnProxyThread  00001453 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSPUEx:  unRelSuccessCount = 0 
UMC01 20220422T125804+0000 744 SgsnProxyThread  00001454 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSPUEx: UECtxtId = 0,bDirectSentToBRRM = 0
UMC01 20220422T125804+0000 746 SgsnProxyThread  00001455 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSPUEx: End of  function fnHanleRabAssignReq,UECtxtId = 0  RABCtxtId = 0
UMC01 20220422T125804+0000 746 SgsnProxyThread  00001456 ?D IUPSPROXY [IUPSPROXY_IPPSITF]SUBSTRACE: enter subscriTraceForIMSIPresent, unUeCtxtId=0,Imsi=901700000031978
UMC01 20220422T125804+0000 746 SgsnProxyThread  00001457 ?D IUPSPROXY [IUPSPROXY_IPPSITF]SUBSTRACE: subscriTraceForIMSIPresent():bSubscribTraceEnabled is false!
UMC01 20220422T125804+0000 746 SgsnProxyThread  00001458 ?D IUPSPROXY [IUPSPROXY_TOP]UEx(0) enter state: IuPS_UE_SERVING
UMC01 20220422T125804+0000 776 SgsnProxyThread  00001459 ?D IUPSPROXY [IUPSPROXY_TOP]RABx(255) enter state: RAB_SETUP
UMC01 20220422T125804+0000 777 SgsnProxyThread  00001460 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSPRABx: Receive Receive RAB_SETUP_REQ From UEx, RABCtxtId = 255
UMC01 20220422T125804+0000 777 SgsnProxyThread  00001461 ?I IUPSPROXY [IUPSPROXY_TOP]IuPSPRABx: UECtxtId = 0, bRABSetupingforF2MHO = 1
UMC01 20220422T125804+0000 777 SgsnProxyThread  00001462 ?D IUPSPROXY [IUPSPROXY_IPPSITF]Enter the function fnGetRabCtxtIdbyNsApi
UMC01 20220422T125804+0000 777 SgsnProxyThread  00001463 ?I IUPSPROXY [IUPSPROXY_TOP]IuPSPRABx: GetRABCtxtId OK, RABCtxtId = 0 UECtxtId = 0
UMC01 20220422T125804+0000 777 SgsnProxyThread  00001464 ?D IUPSPROXY [IUPSPROXY_ASN_1]ucRabId = 5, unIPAddress = 53.0.1.10
UMC01 20220422T125804+0000 777 SgsnProxyThread  00001465 ?D IUPSPROXY [IUPSPROXY_ASN_1]unTeid = 0x1.
UMC01 20220422T125804+0000 777 SgsnProxyThread  00001466 ?I IUPSPROXY [IUPSPROXY_TOP]IuPSPRABx: Receive the RAB SETUP REQ SGSNIP is 0x3500010a,SGSNTEID = 1 
UMC01 20220422T125804+0000 777 SgsnProxyThread  00001467 ?D IUPSPROXY [IUPSPROXY_IPPSITF]Enter the function fnSendGtpuServicesSetupRequest
UMC01 20220422T125804+0000 777 SgsnProxyThread  00001468 ?D IUPSPROXY [IUPSPROXY_TOP]IUPSUEx: enter fnFillGtpuReqImsi(), unUeCtxtId=0
UMC01 20220422T125804+0000 777 SgsnProxyThread  00001469 ?D IUPSPROXY Encoded IMSI:  ******** hex trace for buffer of length          8 ************
UMC01 20220422T125804+0000 777 SgsnProxyThread  00001470 ?D IUPSPROXY Encoded IMSI:  *** rel addrH [abs addrH]:  HEX HEX  HEX HEX  HEX HEX  HEX HEX
UMC01 20220422T125804+0000 778 SgsnProxyThread  00001471 ?D IUPSPROXY Encoded IMSI:  *** 00000000H [017107F8H]:  09710000 001379F8  
UMC01 20220422T125804+0000 778 SgsnProxyThread  00001472 ?D IUPSPROXY Encoded IMSI:  ***************************************************************
UMC01 20220422T125804+0000 778 SgsnProxyThread  00001473 ?I IUPSPROXY [IUPSPROXY_IPPSITF]SendGtpuSetupReq: SourceCEPID=0x15000, IuCNConnID=0x46, SrcBSRIPv4Address=0xa0a0a02.
UMC01 20220422T125804+0000 778 SgsnProxyThread  00001474 ?I IUPSPROXY [IUPSPROXY_IPPSITF]SendGtpuSetupReq: NSAPI=0x5,RxTEID=0x1,TxTEID=0x1.
UMC01 20220422T125804+0000 778 SgsnProxyThread  00001475 ?I IUPSPROXY [IUPSPROXY_IPPSITF]SendGtpuSetupReq:RemoteIPv4Address=0x3500010a,TrafficClass=3,DeliveryOrderRequired=0
UMC01 20220422T125804+0000 778 SgsnProxyThread  00001476 ?I IUPSPROXY [IUPSPROXY_TOP]Success to send GTPU setup request to UE.
UMC01 20220422T125804+0000 778 SgsnProxyThread  00001477 ?I IUPSPROXY [IUPSPROXY_TOP]IuPSPRABx: Send GTPU Setup request  when RAB setup no BPG , RABCtxtId = 0
UMC01 20220422T125804+0000 778 SgsnProxyThread  00001478 ?D IUPSPROXY [IUPSPROXY_TOP]RABx(0) enter state: RAB_SETUP_WAIT_GTPU_RSP
UMC01 20220422T125804+0000 778 SgsnProxyThread  00001479 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSUEx: Enter function fnSendGTPUSetup, UECtxtId = 0
UMC01 20220422T125804+0000 778 SgsnProxyThread  00001480 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSUEx: Now we get 1 GTPU Setup Request(s).
UMC01 20220422T125804+0000 779 SgsnProxyThread  00001481 ?D IUPSPROXY [IUPSPROXY_IPPSITF]Enter the function fnGetRabCtxtIdbyNsApi
UMC01 20220422T125804+0000 779 SgsnProxyThread  00001482 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSPUEx: Find Rab ContextID, 0
UMC01 20220422T125804+0000 779 SgsnProxyThread  00001483 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSPUEx:unGTPUCount =0 
UMC01 20220422T125804+0000 779 SgsnProxyThread  00001484 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSPUEx:unSetupCount =1 
UMC01 20220422T125804+0000 779 SgsnProxyThread  00001485 ?D IUPSPROXY [IUPSPROXY_TOP]IuPSUEx:enough GTPU setup request(s),merge and send to IPPS.
UMC01 20220422T125804+0000 805 IPPS_IPSC_LCID  00001486 ?I IPPS_IPCM  -> F(processCtrlMsg:141)Received IPPS_SERVICE_REQ
UMC01 20220422T125804+0000 988 UserPlaneThread  00001487 ?D IPPS_GTPU  -> F(handleGTPUServiceReq:144)Handling GTPUServiceReq in GTPUManager state: Configured
UMC01 20220422T125804+0000 989 UserPlaneThread  00001488 ?I IPPS_GTPU  -> F(handleGTPURxTxSetupReq:751)CNLcid:33620513,SMCepID:86016,IuCNConn:70,aucIMSI:   q
UMC01 20220422T125804+0000 989 UserPlaneThread  00001489 ?I IPPS_GTPU  -> F(handleGTPURxTxSetupReq:752)RxTEID:1,TxTEID:1,NSAPI:5,ucCount:1
UMC01 20220422T125804+0000 989 UserPlaneThread  00001490 ?D IPPS_GTPU  -> F(handleGTPURxTxSetupReq:183)The client nsapi is 5
UMC01 20220422T125804+0000 989 UserPlaneThread  00001491 ?D IPPS_GTPU  -> F(handleGTPURxTxSetupReq:218)CEPID0,CNLCID33620513,IMSI   q,SMCEP86016
UMC01 20220422T125804+0000 989 UserPlaneThread  00001492 ?D IPPS_GTPU  -> F(handleGTPURxTxSetupReq:219)IuCNConnID70,ReordReqFlag0,RXTEID1
UMC01 20220422T125804+0000 989 UserPlaneThread  00001493 ?D IPPS_GTPU  -> F(handleGTPURxTxSetupReq:221)TXTEID1,TrafficCls3,ValidSeqNums1
UMC01 20220422T125804+0000 989 UserPlaneThread  00001494 ?D IPPS_GTPU  -> F(handleGTPURxTxSetupReq:222)NextDlSeqN0,NextUlSeqN0,RemoteIP 53.0.1.10
UMC01 20220422T125804+0000 989 UserPlaneThread  00001495 ?I IPPS_GTPU  -> F(handleGTPURxTxSetupReq:829)GTPU Client CEPID=0 ,Remote IpAddress:53.0.1.10
UMC01 20220422T125804+0000 989 UserPlaneThread  00001496 ?I IPPS_GTPU  -> F(setTimers:2884)Remote IP 53.0.1.10
UMC01 20220422T125804+0000 990 UserPlaneThread  00001497 !E IPPS_GTPU  -> F(write:396)Write error:1 Destination IP:53.0.1.10 and Port:2152

dev-zzo commented 2 years ago

After PER decoding, this is handled by RM_RA_EncDec::dec_transport_layer_info2RMAP() which fails to correctly parse the value, simply assuming the IP is at offset zero. This is not the case with the Osmocom stack, at least. The code needs to be patched to fetch the IP from offset 3.

dev-zzo commented 2 years ago

The patch appears to fix the issue.

UMC01 20220423T001107+0200 712 UserPlaneThread  00000042 ?I IPPS_GTPU  -> F(handleGTPURxTxSetupReq:751)CNLcid:33620515,SMCepID:86016,IuCNConn:26,aucIMSI:  q
UMC01 20220423T001107+0200 712 UserPlaneThread  00000043 ?I IPPS_GTPU  -> F(handleGTPURxTxSetupReq:752)RxTEID:1,TxTEID:1,NSAPI:5,ucCount:1
UMC01 20220423T001107+0200 712 UserPlaneThread  00000044 ?I IPPS_GTPU  -> F(handleGTPURxTxSetupReq:829)GTPU Client CEPID=0 ,Remote IpAddress:10.10.10.207
UMC01 20220423T001107+0200 712 UserPlaneThread  00000045 ?I IPPS_GTPU  -> F(setTimers:2884)Remote IP 10.10.10.207
UMC01 20220423T001107+0200 713 IPPS_IPSC_LCID  00000046 ?I IPPS_GTPU  -> F(routeMsg:122)Ctrl Msg sent to  GTPU
UMC01 20220423T001108+0200 426 UserPlaneThread  00000047 ?I IPPS_GTPU  -> F(handleRedirectCepReq:446)PDCPLCID = 33620563, PDCPCEPID = 0
UMC01 20220423T001108+0200 426 UserPlaneThread  00000048 ?I IPPS_GTPU  -> F(sendRedirectCepResp:612) Msg sent to PDCP
dev-zzo commented 2 years ago

The patch should be applied to the RM_RA_EncDec::dec_transport_layer_info2RMAP() function and is as follows, replacing a call to memcpy() with some byte shuffling from the correct offset:

.text:0041CB00 0C 30 A0 E3                     MOV     R3, #0xC
.text:0041CB04 93 02 06 E0                     MUL     R6, R3, R2
.text:0041CB08 00 30 D5 E5                     LDRB    R3, [R5]
.text:0041CB0C 06 50 84 E0                     ADD     R5, R4, R6
.text:0041CB10 2C 31 C5 E5                     STRB    R3, [R5,#0x12C]
.text:0041CB14 74 10 97 E5                     LDR     R1, [R7,#0x74]
.text:0041CB18             ;;; PATCH BELOW
.text:0041CB18             LDRB    R3, [R1,#3]
.text:0041CB18             MOV     R3, R3, LSL#24
.text:0041CB18             LDRB    R2, [R1,#4]
.text:0041CB18             ORR     R3, R3, R2, LSL#16
.text:0041CB18             LDRB    R2, [R1,#5]
.text:0041CB18             ORR     R3, R3, R2, LSL#8
.text:0041CB18             LDRB    R2, [R1,#6]
.text:0041CB18             ORR     R3, R3, R2
.text:0041CB18             STR     R3, [R5,#0x130]
.text:0041CB18             LDRH    R0, [R7,#0x78]
.text:0041CB18             CMP     R0, #1
.text:0041CB18 04 20 A0 E3                     MOV     R2, #4
.text:0041CB1C 13 0E 85 E2                     ADD     R0, R5, #0x130
.text:0041CB20 27 CF EF EB                     BL      memcpy
.text:0041CB24 30 21 95 E5                     LDR     R2, [R5,#0x130]
.text:0041CB28 B8 07 D7 E1                     LDRH    R0, [R7,#0x78]
.text:0041CB2C 22 3C A0 E1                     MOV     R3, R2,LSR#24
.text:0041CB30 02 3C 83 E1                     ORR     R3, R3, R2,LSL#24
.text:0041CB34 FF 18 02 E2                     AND     R1, R2, #0xFF0000
.text:0041CB38 21 34 83 E1                     ORR     R3, R3, R1,LSR#8
.text:0041CB3C FF 2C 02 E2                     AND     R2, R2, #0xFF00
.text:0041CB40 02 34 83 E1                     ORR     R3, R3, R2,LSL#8
.text:0041CB44 01 00 50 E3                     CMP     R0, #1
.text:0041CB48 30 31 85 E5                     STR     R3, [R5,#0x130]
.text:0041CB4C             ;;; PATCH ABOVE
.text:0041CB4C 09 00 00 1A                     BNE     loc_41CB78
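
As an added example (not part of the original issue or of the femtocell firmware), the C sketch below replays the two decodings discussed above on the transport layer address octets visible in the logged PER stream, then goes one step further with a length- and prefix-aware decoder. All function names are hypothetical, and reading the leading `35 00 01` as the X.213 NSAP prefix for an embedded IPv4 address (AFI 0x35, ICP 0x0001, RFC 4548) is this example's interpretation, not something the issue states.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Transport layer address octets copied from the logged PER stream
 * ("3500010A 0A0ACF00 0000..."); the remaining octets are zero padding. */
static const uint8_t LOGGED_ADDR[20] = {
    0x35, 0x00, 0x01, 0x0A, 0x0A, 0x0A, 0xCF
};

/* Big-endian load of four octets, independent of host endianness. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unpatched behaviour: memcpy of 4 octets from offset 0, then a byte swap. */
static uint32_t decode_offset0(const uint8_t *buf) { return be32(buf); }

/* Patched behaviour: assemble the word from octets 3..6. */
static uint32_t decode_offset3(const uint8_t *buf) { return be32(buf + 3); }

/* Hypothetical stricter decoder (goes beyond the binary patch):
 * accepts a bare 4-octet IPv4 address or an NSAP-style buffer that starts
 * with 35 00 01, and rejects anything else instead of guessing.
 * Returns 0 on success, -1 on an unrecognised layout. */
static int decode_transport_addr(const uint8_t *buf, size_t len, uint32_t *ip)
{
    if (buf == NULL || ip == NULL)
        return -1;
    if (len == 4) {                       /* raw IPv4 */
        *ip = be32(buf);
        return 0;
    }
    if (len >= 7 && buf[0] == 0x35 && buf[1] == 0x00 && buf[2] == 0x01) {
        *ip = be32(buf + 3);              /* IPv4 follows the 3-octet prefix */
        return 0;
    }
    return -1;
}

/* Dotted-quad rendering for log comparison. */
static const char *fmt_ipv4(uint32_t ip, char out[16])
{
    snprintf(out, 16, "%u.%u.%u.%u",
             (unsigned)(ip >> 24) & 0xFFu, (unsigned)(ip >> 16) & 0xFFu,
             (unsigned)(ip >> 8) & 0xFFu,  (unsigned)ip & 0xFFu);
    return out;
}

int main(void)
{
    char s[16];
    uint32_t ip = 0;

    printf("offset 0: %s\n", fmt_ipv4(decode_offset0(LOGGED_ADDR), s));
    printf("offset 3: %s\n", fmt_ipv4(decode_offset3(LOGGED_ADDR), s));
    if (decode_transport_addr(LOGGED_ADDR, sizeof LOGGED_ADDR, &ip) == 0)
        printf("checked : %s\n", fmt_ipv4(ip, s));
    return 0;
}
```

The fixed offset in the binary patch is only correct while the peer always sends the prefixed form; a peer that sends a bare 4-octet address would be misread in the opposite direction, which is the case the length check above covers.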