From radiarisainanasitraka at yahoo.fr Sat Jul 4 18:21:23 2015
From: radiarisainanasitraka at yahoo.fr (Dast)
Date: Sat, 4 Jul 2015 11:21:23 -0700 (MST)
Subject: layer2/3 ported to target? paging attack code?
In-Reply-To: <1378325214-sup-34@dennou>
References: <1378227662.93957.YahooMailNeo@web121005.mail.ne1.yahoo.com> <1378232842.92551.YahooMailNeo@web121004.mail.ne1.yahoo.com> <1378299933-sup-2371@dennou> <1378325214-sup-34@dennou>
Message-ID: <1436034083323-4026717.post@n3.nabble.com>

Is it possible to have the source code of all these attacks on osmocom?

> attack modes, which are DETACH, PAGING, RANGE_PAGING, ALL_PAGING,
> STEAL_SMS.

--
View this message in context: http://baseband-devel.722152.n3.nabble.com/layer2-3-ported-to-target-paging-attack-code-tp4026139p4026717.html
Sent from the baseband-devel mailing list archive at Nabble.com.

From Max.Suraev at fairwaves.co Mon Jul 6 14:54:43 2015
From: Max.Suraev at fairwaves.co (☎)
Date: Mon, 06 Jul 2015 16:54:43 +0200
Subject: segfault on bssgp test
In-Reply-To:
References: <555F3139.4080206@fairwaves.co> <556C64F3.9040301@fairwaves.co> <55719F24.3050000@fairwaves.co> <5571C8CA.4030408@fairwaves.co>
Message-ID: <559A96B3.10208@fairwaves.co>

After some further digging I've found that "make check" does not see this error but "dpkg-buildpackage -tc -uc -us" does. So apparently the .deb build invokes a different linker, or the same linker with different options, which in turn triggers this bug.

No idea how to track down this difference.

05.06.2015 18:19, Holger Freyther wrote:
>
>> On 05 Jun 2015, at 18:05, ☎ wrote:
>>
>> Hmm.. so it works on Debian but not on Ubuntu? How do I check if gold is used as linker?
>
> it is not only gold. My first suspicion would be to put a break point in sendto and
> see which is executed (the system one or the overload)
>

--
best regards,
Max, http://fairwaves.co

From holger at freyther.de Mon Jul 6 14:57:02 2015
From: holger at freyther.de (Holger Freyther)
Date: Mon, 6 Jul 2015 16:57:02 +0200
Subject: segfault on bssgp test
In-Reply-To: <559A96B3.10208@fairwaves.co>
References: <555F3139.4080206@fairwaves.co> <556C64F3.9040301@fairwaves.co> <55719F24.3050000@fairwaves.co> <5571C8CA.4030408@fairwaves.co> <559A96B3.10208@fairwaves.co>
Message-ID: <84463E2B-5598-4E8F-A2BC-612543164974@freyther.de>

> On 06 Jul 2015, at 16:54, ☎ wrote:
>
> After some further digging I've found that "make check" do not see this error but
> "dpkg-buildpackage -tc -uc -us" does. So apparently .deb build invoke different
> linker or same linker with different options which in turn triggers this bug.
>
> No idea how to track down this difference.

export DEB_BUILD_HARDENING=1 will enable extra flags. E.g. -fPIE -pie might be a candidate?

From max.suraev at fairwaves.co Mon Jul 6 16:16:46 2015
From: max.suraev at fairwaves.co (Max)
Date: Mon, 6 Jul 2015 18:16:46 +0200
Subject: [PATCH] fix failed .deb build due to failing bssgp test
Message-ID: <1436199406-32583-1-git-send-email-max.suraev@fairwaves.co>

Signed-off-by: Max
---
 tests/Makefile.am          |  1 +
 tests/gb/gprs_bssgp_test.c | 20 +-------------------
 2 files changed, 2 insertions(+), 19 deletions(-)

diff --git a/tests/Makefile.am b/tests/Makefile.am
index 6f76e5a..a739ab9 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -69,6 +69,7 @@ gb_bssgp_fc_test_LDADD = $(top_builddir)/src/libosmocore.la $(top_builddir)/src/
 
 gb_gprs_bssgp_test_SOURCES = gb/gprs_bssgp_test.c
 gb_gprs_bssgp_test_LDADD = $(top_builddir)/src/libosmocore.la $(top_builddir)/src/gb/libosmogb.la $(LIBRARY_DL)
+gb_gprs_bssgp_test_LDFLAGS = -static -Wl,--wrap=gprs_ns_sendmsg
 
 gb_gprs_ns_test_SOURCES = gb/gprs_ns_test.c
 gb_gprs_ns_test_LDADD = $(top_builddir)/src/libosmocore.la $(top_builddir)/src/gb/libosmogb.la $(LIBRARY_DL)
diff --git a/tests/gb/gprs_bssgp_test.c b/tests/gb/gprs_bssgp_test.c
index 14ba4d1..4fb24df 100644
--- a/tests/gb/gprs_bssgp_test.c
+++ b/tests/gb/gprs_bssgp_test.c
@@ -34,24 +34,6 @@ static struct osmo_prim_hdr last_oph = {0};
 
 /* override */
-ssize_t sendto(int sockfd, const void *buf, size_t len, int flags,
-		const struct sockaddr *dest_addr, socklen_t addrlen)
-{
-	typedef ssize_t (*sendto_t)(int, const void *, size_t, int,
-			const struct sockaddr *, socklen_t);
-	static sendto_t real_sendto = NULL;
-	uint32_t dest_host = htonl(((struct sockaddr_in *)dest_addr)->sin_addr.s_addr);
-
-	if (!real_sendto)
-		real_sendto = dlsym(RTLD_NEXT, "sendto");
-
-	fprintf(stderr, "MESSAGE to 0x%08x, msg length %d\n%s\n",
-		dest_host, len, osmo_hexdump(buf, len));
-
-	return len;
-}
-
-/* override */
 int gprs_ns_callback(enum gprs_ns_evt event, struct gprs_nsvc *nsvc,
 		     struct msgb *msg, uint16_t bvci)
 {
@@ -64,7 +46,7 @@ int gprs_ns_callback(enum gprs_ns_evt event, struct gprs_nsvc *nsvc,
 struct msgb *last_ns_tx_msg = NULL;
 
 /* override */
-int gprs_ns_sendmsg(struct gprs_ns_inst *nsi, struct msgb *msg)
+int __wrap_gprs_ns_sendmsg(struct gprs_ns_inst *nsi, struct msgb *msg)
 {
 	msgb_free(last_ns_tx_msg);
 	last_ns_tx_msg = msg;
-- 
2.1.4

From craig_comstock at yahoo.com Tue Jul 7 04:33:30 2015
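Review bot: the `-static` added to gb_gprs_bssgp_test_LDFLAGS in the tests/Makefile.am hunk needs a stated rationale in the commit message, because it changes how every symbol in the test binary binds, not only gprs_ns_sendmsg: `--wrap` only redirects references that are still unresolved at link time, so it cannot reach calls already bound inside a shared libosmogb, which is presumably why the test is now linked statically. Say so, and check that a fully static link of libosmocore/libosmogb works on every platform the .deb is built for. The LDADD line just above the new one still carries `$(LIBRARY_DL)`, which was only needed for the `dlsym(RTLD_NEXT, "sendto")` lookup removed in the next file; drop it in the same change.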
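Review bot: removing the `sendto` override in the first gprs_bssgp_test.c hunk drops two behaviours at once that the gprs_ns_sendmsg wrap does not replace: the hex dump of every outgoing datagram written to stderr (`MESSAGE to 0x..., msg length ...`), and the fact that nothing was ever put on a real socket (the override returned `len` without calling `real_sendto`). Any expected-output file that contains those lines needs updating in the same patch, and it is worth confirming that no NS-level traffic now reaches the real `sendto`. The commit message should also name the hardening flags under which a libc-level interposer like this one stops working, since that is the actual bug being worked around.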
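Review bot: the `/* override */` comment kept above `__wrap_gprs_ns_sendmsg` in the second gprs_bssgp_test.c hunk now describes a linker wrap rather than a symbol override; reword it to say the symbol is reached through `-Wl,--wrap=gprs_ns_sendmsg` so a reader of the test file can find the flag in tests/Makefile.am. If the tree builds with -Wmissing-prototypes, a prototype for `__wrap_gprs_ns_sendmsg` (or a comment that it is intentionally non-static) keeps the warning away.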
From: craig_comstock at yahoo.com (Craig Comstock)
Date: Tue, 7 Jul 2015 04:33:30 +0000 (UTC)
Subject: C139 Nutt-X running from Flash - need to unlock flash?
Message-ID: <1653590614.189167.1436243610140.JavaMail.yahoo@mail.yahoo.com>

I am making progress getting nuttx running from flash on the C139, but I suspect I might be running into an issue where, when code is trying to store a value into the flash memory where the nuttx code and data are, nuttx seems to stall/halt; maybe an exception vector is being jumped to by the CPU but nuttx isn't quite set up to handle it just yet.

Am I right that I would need to unlock flash in order to write even just one byte/word? I tried doing the same sequence of writes that are in cfi_flash.c flash_block_unlock() but that seemed to stall as well... maybe I need to do some initialization of some sort? I may try to port over cfi_flash.c|h into nuttx.

nuttx is loaded into two pages: 0x10000 and 0x20000

I copied the macros for writew and __arch_putw and did

    writew(0x60, 0x0);     // CFI_CMD_PROTECT
    writew(0xD0, 0x10000); // CFI_PROT_UNLOCK
    writew(0xff, 0x0);     // CFI_CMD_RESET
    writew(0x60, 0x0);     // CFI_CMD_PROTECT
    writew(0xD0, 0x20000); // CFI_PROT_UNLOCK
    writew(0xff, 0x0);     // CFI_CMD_RESET

Seemed to halt at the first write.

Thanks for any hints, at this point I'm just hacking to try and get things working.

-Craig

From holger at freyther.de Tue Jul 7 08:07:21 2015
From: holger at freyther.de (Holger Freyther)
Date: Tue, 7 Jul 2015 10:07:21 +0200
Subject: [PATCH] fix failed .deb build due to failing bssgp test
In-Reply-To: <1436199406-32583-1-git-send-email-max.suraev@fairwaves.co>
References: <1436199406-32583-1-git-send-email-max.suraev@fairwaves.co>
Message-ID: <71DC3931-4428-4D20-B8AC-85EE270701D6@freyther.de>

> On 06 Jul 2015, at 18:16, Max wrote:

Hi Max,

please provide a detailed and comprehensive commit message. You should explain which compiler flags lead to which code generation which makes it impossible to interpose the system library.

holger

From playmobilehiho at aol.fr Mon Jul 13 06:15:26 2015
From: playmobilehiho at aol.fr (playmobilehiho at aol.fr)
Date: Mon, 13 Jul 2015 02:15:26 -0400
Subject: Starting up.
Message-ID: <14e860dc7ac-d7c-7784@webprd-a99.mail.aol.com>

Hi everyone,

First of all, congratulations for the community's work; I've seen talks about gsm/osmocom/core network (Karsten, Harald, Sylvain, Tobias). It's impressive.

I'm pretty new in the GSM world. I would like to practise tests concerning obtaining the LAC, CID (1/ of the phone using osmocombb, 2/ on a regular phone in the same area as the osmo-bb phone, 3/ on a phone somewhere).

According to the talks this can be achieved using MAP/SCCP and core network access, but I don't really want to mess with this. Can O-bb help me to retrieve this LAC, CID information in these three situations? (For the first case, I'm sure it can.)

According to the GSM protocol stack ( http://www.rfwireless-world.com/images/gsm-protocol-stack.jpg ) we can see that the BSC is able to talk with the MSC using BSS MAP/SCCP. Does that mean that I actually need to use openbsc on a phone and osmoBB on another phone to achieve my tests?

For all of this, will I find good starting code in the sylvain/burst_ind branch? Will I need a non-standard baud-rate serial cable? (You guessed it right, I still have not ordered my serial cables.)

What I've done so far is getting an E88 device and compiling the core libs and bb (I'm really just starting).

I know my questions are pretty noob compared to all other messages in this list; please accept my apologies if I'm posting in the wrong list.

Thank you in advance.

Jean.

---
(Playmobile, en avant les histoires)

From g0tcha at 3gp.za.net Sun Jul 19 10:04:46 2015
From: g0tcha at 3gp.za.net (g0tcha)
Date: Sun, 19 Jul 2015 12:04:46 +0200
Subject: osmocommBB and USRP2
Message-ID:

Hi

Just to clarify and understand: the osmocomBB is only a cheaper alternative to the USRP2; currently the USRP2 can do all the osmocomBB with all its DSP patches etc. can do?

regards

From domi at tomcsanyi.net Sun Jul 19 10:11:27 2015
From: domi at tomcsanyi.net (Tomcsányi, Domonkos)
Date: Sun, 19 Jul 2015 12:11:27 +0200 (CEST)
Subject: osmocommBB and USRP2
In-Reply-To:
References:
Message-ID: <2E8534C2-B262-4E6C-9CCA-AF298D3EB510@tomcsanyi.net>

No.

On 19 Jul 2015, at 12:02, g0tcha wrote:
> Hi
>
> Just to clarify and understand the osmocomBB is only a cheaper alternative to the USRP2 , currently the USRP2 can do all the osmocomBB with all its DSP patches etc etc can do?
>
> regards

From g0tcha at 3gp.za.net Sun Jul 19 10:26:00 2015
From: g0tcha at 3gp.za.net (g0tcha)
Date: Sun, 19 Jul 2015 12:26:00 +0200
Subject: osmocommBB and USRP2
In-Reply-To: <2E8534C2-B262-4E6C-9CCA-AF298D3EB510@tomcsanyi.net>
Message-ID:

Thanks for the response.

But can you clarify what is the difference between the 2? My impression was that the USRP2 can do all the osmocomBB can do and more.

Are you saying that the osmocomBB firmware can do a lot more?

I am referring to the sniffing capabilities. I know that detecting neighbouring cells etc. can't be done with USRP2; I usually use a Nokia 3310 with netmonitor.

Any clarity appreciated
From domi at tomcsanyi.net Sun Jul 19 11:22:59 2015
From: domi at tomcsanyi.net (Tomcsányi Domonkos)
Date: Sun, 19 Jul 2015 13:22:59 +0200
Subject: osmocommBB and USRP2
In-Reply-To:
References:
Message-ID:

OsmocomBB could be used for many things; one example is demonstrating GSM's insecurity, but the research and work to do that was done by people who were interested in the topic and did this on their own. Of course the creators of the project are not trying to limit anyone to do anything with OsmocomBB, that's the main idea behind free and open source; however, the project's main aim is still to provide a framework which one can use to do different things with GSM easily (not necessarily security related stuff!). So that's why I told you not to expect much help (especially specific help or instructions) about sniffing with osmocomBB.

> On 19 Jul 2015, at 13:16, g0tcha wrote:
>
> Hi
>
> Thanks for the info, although I find it strange that you say I won't get far with sniffing questions here, when most of the talk and information presented on using osmocombb were only about interception, locating to demonstrate the insecurities about GSM.
>
> But thanks for clarifying
>
> From: Tomcsányi Domonkos
> Date: Sunday 19 July 2015 at 13:09
> To: "."
> Subject: Re: osmocommBB and USRP2
>
> USRP is not capable of hopping for example.
> OsmocomBB's main goal is not to do sniffing, so I don't think you will get far with these questions here.
> Also you can easily find out about the neighbor cells with a USRP.
>
> Regards,
> Domi

From etiennehelluy at gmail.com Tue Jul 28 16:36:09 2015
From: etiennehelluy at gmail.com (etienne)
Date: Tue, 28 Jul 2015 09:36:09 -0700 (MST)
Subject: [patch] sim.c waiting char issue
Message-ID: <1438101369892-4026719.post@n3.nabble.com>

Hello,

The sim driver was not working with my sim card. After some successful apdu requests, it was ceasing to work. It turned out that the sim is sending waiting chars before some rx acks. The following patch solved the problem.

diff --git a/src/target/firmware/calypso/sim.c b/src/target/firmware/calypso/sim.c
index 752628f..b35909f 100644
--- a/src/target/firmware/calypso/sim.c
+++ b/src/target/firmware/calypso/sim.c
@@ -536,6 +536,8 @@ void sim_handler(void)
 		/* Case 2: No input / Output of known length */
 		if (mode == SIM_APDU_PUT) {
 			sim_state = SIM_STATE_RX_ACK;
+			/* ignore waiting char here*/
+			sim_ignore_waiting_char = 1;
 			calypso_sim_receive(response, 1);
 			break;
 		/* Case 4: Input / No output */
@@ -563,6 +565,8 @@ void sim_handler(void)
 			break; /* wait until data is received */
 		/* Disable all interrupt driven functions */
 		writew(0xFF, REG_SIM_MASKIT);
+		/*stop ignoring waiting char*/
+		sim_ignore_waiting_char = 0;
 		/* error received */
 		if (sim_rx_character_count == 2) {
 			puts("SIM: command failed\n");

Regards,
Etienne

--
View this message in context: http://baseband-devel.722152.n3.nabble.com/patch-sim-c-waiting-char-issue-tp4026719.html
Sent from the baseband-devel mailing list archive at Nabble.com.
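Review bot: `sim_ignore_waiting_char` is assigned in the first hunk but the diff neither declares it nor shows where the receive path reads it, so as posted the patch is incomplete; please include the declaration and the check in the RX handler (and the header change, if the flag crosses files). The flag is also set only for Case 2 (SIM_APDU_PUT); if the card can send waiting chars before the ACK in Case 4 (the context line right below) or the other cases, those paths need the same treatment or the stall just moves to the next command type. The comment would help more if it said what a waiting char is (the 0x60 NULL procedure byte of ISO 7816-3 T=0), and the spacing should be `/* ignore waiting char here */`.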
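Review bot: in the second hunk the flag is cleared only on the path that disables interrupts after data has arrived; if SIM_STATE_RX_ACK is left through an error or timeout branch that does not pass `writew(0xFF, REG_SIM_MASKIT)`, `sim_ignore_waiting_char` stays at 1 and the next command silently skips bytes it should not. Reset it wherever the state machine leaves SIM_STATE_RX_ACK, or clear it at the top of sim_handler() before the state dispatch. Spacing nit on the new comment: `/* stop ignoring waiting char */`.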
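Etienne's patch tells the Calypso driver to tolerate waiting chars in one state. As an added illustration that is not osmocom-bb's code, the stand-alone classifier below handles the general case for ISO 7816-3 T=0: it skips NULL (0x60) waiting bytes before deciding whether the card sent an ACK, a status word, or nothing usable yet; the function names and the sample byte streams are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
enum t0_proc { T0_ACK_ALL, T0_ACK_ONE, T0_SW, T0_NEED_MORE, T0_BAD };
struct t0_result {
	enum t0_proc kind;
	size_t consumed;  /* bytes used up, skipped NULLs included */
	uint8_t sw1, sw2; /* valid only when kind == T0_SW */
};

/* Classify the procedure byte that follows a T=0 command header whose
 * instruction byte is 'ins'. A NULL byte (0x60) only restarts the card's
 * work waiting time, so it is skipped instead of being taken as a bad ACK. */
struct t0_result t0_procedure_byte(const uint8_t *buf, size_t len, uint8_t ins)
{
	struct t0_result r = { T0_NEED_MORE, 0, 0, 0 }; size_t i = 0;
	while (i < len && buf[i] == 0x60)	/* waiting char: keep waiting */
		i++;
	r.consumed = i;				/* NULLs can be dropped right away */
	if (i == len)
		return r;			/* no procedure byte yet */
	uint8_t b = buf[i];
	r.consumed = i + 1;
	if (b == ins)
		r.kind = T0_ACK_ALL;		/* transfer all remaining data */
	else if (b == (uint8_t)(ins ^ 0xFF))
		r.kind = T0_ACK_ONE;		/* transfer the next data byte only */
	else if ((b & 0xF0) == 0x60 || (b & 0xF0) == 0x90) {
		if (i + 1 == len) {		/* SW1 seen, SW2 still pending */
			r.consumed = i;
			return r;
		}
		r.kind = T0_SW; r.sw1 = b; r.sw2 = buf[i + 1]; r.consumed = i + 2;
	} else
		r.kind = T0_BAD;		/* not a valid procedure byte */
	return r;
}

/* Constructed sample streams a card might send after a SELECT header (INS 0xA4). */
static const uint8_t SAMPLE_NULL_THEN_ACK[] = { 0x60, 0x60, 0xA4 };
static const uint8_t SAMPLE_NULL_THEN_SW[]  = { 0x60, 0x9F, 0x10 };
static const uint8_t SAMPLE_ONLY_NULLS[]    = { 0x60, 0x60 };

struct t0_result t0_demo(int which)
{
	switch (which) {
	case 0:  return t0_procedure_byte(SAMPLE_NULL_THEN_ACK, 3, 0xA4);
	case 1:  return t0_procedure_byte(SAMPLE_NULL_THEN_SW, 3, 0xA4);
	default: return t0_procedure_byte(SAMPLE_ONLY_NULLS, 2, 0xA4);
	}
}
```

A driver built on this returns to waiting when it gets T0_NEED_MORE instead of treating the NULL as an unexpected ACK, which is the stall Etienne hit.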