Presenting QCSuper: a tool for capturing your 2G/3G/4G air traffic on Qualcomm-based phones

Lately, I have been playing with a 3G dongle – a small USB device that lets you connect to the mobile Internet. I have discovered that most USB dongles with a Qualcomm processor expose a special diagnostic protocol, called Diag (or DM, or QCDM – for Qualcomm Diagnostic monitor).

But I have also discovered that this proprietary protocol is also present inside Android phones (through a device called /dev/diag) and that it allows a couple of good things, such as obtaining raw captures of network air traffic or, in older models, reading/writing at arbitrary offsets of the radio chip’s memory (!).

Today, we are proud to present QCSuper, an open-source tool that will enable you to passively capture raw 2G/3G/4G frames produced by your rooted Qualcomm-based Android phone or dongle, and produce a PCAP analyzable using Wireshark (in addition to a couple of other input/output formats).

How to use it?

Let’s say that you have a rooted Android phone (this is required for reading /dev/diag on the system), plugged into your computer over USB, and that you have downloaded QCSuper (and installed dependencies, everything is explained here). Just do:

    sudo ./ --adb --wireshark-live

That’s… all. A Wireshark window pops up. You can see radio frames unfolding on your screen, and you are like Neo.

You could just run the tool and try to make sense of the displayed information, but for the sake of pedagogy, let’s first analyze some traffic together!

Download the example 2G/3G/4G capture (.pcap)

This capture was made on a Sony Xperia Z, switching manually between 2G, 3G and 4G, and generating SMS, calls and some data traffic.

What QCSuper provides to you is layer 3 and above packets. To sum up:

- Layer 1 (physical layer) is the way your phone schedules how radio waves are sent over the air (and it is a complex dance, as some neat tricks are required to optimize the usage of the radio spectrum).
- Layer 2 (link layer, think like Ethernet header) is the network protocol that, in 3G/4G:
  - handles fragmentation (i.e. “this chunk of radio waves is not big enough for the bytes I want to put into it, I’ll use another one later”)
  - handles acknowledgment (“have you received my important data? yes I have”)
  - tells whether what follows is encrypted or not
  - says what the layer 3 is

  In 3G/4G, the layer 2 is split up into two headers called RLC and MAC (which are typically < 10 bytes).
- Layer 3 (network layer) is where all the interesting stuff is. Your phone says “what’s up, I got that SIM card and it can do cryptography (yes!), I got that phone serial number (IMEI) also, let me send/receive SMS / calls / Internet and allocate bits of radio frequencies”. And the network says “sure, let’s first authenticate with the neat crypto supported by your SIM card”. In 3G/4G the layer 3 protocol is RRC (Radio Resource Configuration Protocol), except for the user data itself.

In order to be able to provide a PCAP you can open in Wireshark, these frames are put after a GSMTAP header, a standard header that may contain 2G/3G/4G traffic (layer 2, 3 or upper, in addition to a few other possible things like SIM card communication).

Analyzing some packets in Wireshark

Near the beginning of the example capture, the first thing our phone does is switch from 4G to 3G (when the “Protocol” column of Wireshark starts to display “RRC”).

Ok, what does the stuff displayed here mean?

First, you should know that the data transmitted here is encoded using ASN.1. ASN.1 is a very old format (developed in the 80’s) that allows you to define data structures and fields using a special text language, and separately, to write code that will generate binary data that you can send on the network. If you know about Protobuf, it’s just one of the less complex descendants of ASN.1.
ASN.1 is used for a lot of things: encoding SSL certificates, encoding data in your credit card, communication between aircraft, but most importantly everywhere in telecommunication networks.

Layers, Packets and Channels

Let’s look at the first highlighted field in the packet. It says that this packet was transmitted on the Broadcast Control CHannel (BCCH). What is a channel in this context?

In telecom protocols, we generally break down traffic into two kinds: data traffic (your mobile data when browsing the Internet, or your voice calls) and signalling traffic (all the rest: the exchange of information needed to authenticate your SIM, set up the channel for data, etc. and your SMS).

In 3G and 4G, signalling and data packets can be broken down into at least 5 logical channels (there are a few kinds of channels but logical ones are the highest-level, and the ones that map to individual packets):

- Two channels that bear signalling which is broadcast to every mobile in the area (sent only downlink, i.e. from the radio antenna towards the mobiles):
  - BCCH (Broadcast Control): used by the antenna to broadcast its general characteristics (which operator it belongs to, which frequencies it supports, which area it is located in, etc.) in predefined chunks called SIBs (System information blocks)
  - PCCH (Paging Control): used by the antenna for telling an idle mobile to wake up and establish a new channel (because it receives an SMS or call for example)
- Two channels that bear signalling exchanged between one mobile and one antenna:
  - CCCH (Common Control): used to request dedicated radio resources to exchange more signalling (unencrypted)
  - DCCH (Dedicated Control): all signalling after that (unencrypted then encrypted)
- One channel that bears data traffic:
  - DTCH (Dedicated Traffic Channel): all your data + telephony (it is commonly encrypted – except emergency calls)

A few other channels may be used only in certain cases (namely when your operator broadcasts disaster messages, provides multicast TV or uses certain extra frequencies).

You will notice that whether the logical channel is BCCH/PCCH/CCCH… is not information contained in the layer 3 packet. It is a field from layer 2 that will determine how layer …
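To make the GSMTAP header and the channel discussion above concrete, here is a parser for one GSMTAP datagram. It is an added example, not code from the original post or from QCSuper: it assumes the 16-byte GSMTAP version 2 layout and the type/sub-type values from libosmocore's gsmtap.h, and the sample datagram is constructed. It shows that the logical channel travels in the header's sub_type field, outside the layer 3 payload.

```python
import struct

# Subset of GSMTAP constants, assumed to match libosmocore's gsmtap.h
GSMTAP_TYPES = {0x01: "GSM Um", 0x04: "SIM", 0x0c: "UMTS RRC", 0x0d: "LTE RRC"}
UMTS_RRC_CHANNELS = {0: "DL-DCCH", 1: "UL-DCCH", 2: "DL-CCCH", 3: "UL-CCCH",
                     4: "PCCH", 7: "BCCH-FACH", 8: "BCCH-BCH"}
ARFCN_UPLINK = 0x4000   # flag bit: frame was sent by the mobile
ARFCN_MASK = 0x3FFF     # remaining bits: the radio channel number itself
HEADER_FORMAT = "!BBBBHbbIBBBB"  # 16 bytes, network byte order


def parse_gsmtap(datagram: bytes) -> dict:
    """Split one GSMTAP datagram (a UDP payload) into header fields and payload."""
    if len(datagram) < 16:
        raise ValueError("shorter than the 16-byte base GSMTAP header")
    (version, hdr_words, gtype, _timeslot, arfcn, signal_dbm, _snr_db,
     _frame_number, sub_type, _antenna, _sub_slot, _reserved) = struct.unpack(
        HEADER_FORMAT, datagram[:16])
    hdr_len = hdr_words * 4  # header length is expressed in 32-bit words
    if version != 2:
        raise ValueError(f"unsupported GSMTAP version {version}")
    if hdr_len < 16 or hdr_len > len(datagram):
        raise ValueError(f"inconsistent header length {hdr_len}")
    channel = None
    if gtype == 0x0c:  # only the UMTS RRC sub-types are decoded here
        channel = UMTS_RRC_CHANNELS.get(sub_type, f"sub_type {sub_type}")
    return {
        "type": GSMTAP_TYPES.get(gtype, f"type 0x{gtype:02x}"),
        "uplink": bool(arfcn & ARFCN_UPLINK),
        "arfcn": arfcn & ARFCN_MASK,
        "signal_dbm": signal_dbm,
        "channel": channel,
        "payload": datagram[hdr_len:],  # what follows is the ASN.1-encoded message
    }


# Constructed sample: a downlink UMTS RRC frame on BCCH-BCH, channel number 10713,
# followed by four placeholder bytes standing in for the encoded RRC message.
SAMPLE = struct.pack(HEADER_FORMAT, 2, 4, 0x0c, 0, 10713, -70, 0, 0, 8, 0, 0, 0) \
    + bytes.fromhex("deadbeef")

if __name__ == "__main__":
    print(parse_gsmtap(SAMPLE))
```
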