OsmocomBB MNCC socket implementation without LCR

Gerard Pinto gerardfly9 at gmail.com
Tue Mar 28 07:08:49 UTC 2017


Hi Harald,

Thank you for your responses. I appreciate you taking time out of your
schedule.
Just a couple of things I would like to share, since my interest has grown in
telecom.

1) Have you or your team tried to reverse engineer/hack the Over the Air (OTA)
spec - firmware upgrade (understanding this type of communication) using
OpenNITB and the latest phones where bootloaders are locked?

- I was planning to try this! But now I will take up merging osmo-sim-auth
and py-sim. (I'm not a great dev, but I'm passionate about osmocom and
willing to contribute my time to learning/contributing to the same.)

2) I have been trying something different with OsmocomBB, osmo-sim-auth and
Tor lately - I would like to hear your views on the same.
Attack Model: Geo-Location Anonymous calling in GSM.

Description:
1. The attacker uses OsmocomBB phone to make a call using a sim card
service. (No sim card present in the phone).
2. For this, I have taken the SIM card outside OsmocomBB and re-written all
SIM APIs in osmo-sim-auth (which is the SIM card service).
3. This SIM card service is deployed over the Tor network, so no one can
actually know the location of the SIM card service.
4. The OsmocomBB connects to the network and uses this SIM card service for
authentication etc.
5. The whole setup of calling etc. is initiated by the SIM card service,
which is itself behind Tor.

6. Now, this SIM card service can be used by multiple phones, so now you
are not exactly going to track the phone, since if I use the SIM card
service on another phone (cell area), the DB entry in the VLR has changed, which
says the location has changed.
7. My experiments worked well on a LIVE network; even with the delay in
the Tor network, the BTS was still accepting the RES response to the challenge from
the SIM card service behind Tor - I still have to calculate the exact max
acceptable delay in sending RES back to the BTS to confirm this!

Look forward to hearing from you!

Thanks,
Gerard



On Mon, Mar 27, 2017 at 2:29 AM, Harald Welte <laforge at gnumonks.org> wrote:

> Hi Gerard,
>
> On Mon, Mar 27, 2017 at 02:11:29AM -0700, Gerard Pinto wrote:
> > GSM_TAP was the key - Thank you for this help. External CC works well
> now.
>
> great.
>
> > Just compared mncc with internal and external CC - Debugged a little
> > further and realized 1 of the fields of bearer_cap was missing!
>
> > mncc-python is good - I read your blog. Made some changes (socket path).
> > Although it does fail with "Invalid mandatory information" - bearer cap
> > missing. I will have to look again at the code.
>
> Patches are always welcome.  I guess mncc-python is so far only used
> with OsmoNITB, and not with the MS-side MNCC on OsmocomBB.  But it would
> be great to have this working, too.
>
> > Osmo-sim-auth and pysim both same projects right?
>
> no.  osmo-sim-auth just performs a (GSM or UMTS) authentication against
> a SIM card.
>
> pySim is for programming certain cards where that is possible (like
> MagicSIM, sysmoSIM, sysmoUSIM, etc.)
>
> I think there are two distinct purposes and it makes sense to have two
> different tools.  But yes, it probably could make sense to merge the
> code in one repository and simply have multiple executables for that.
>
> Would you be interested in merging the two, i.e. provide an incremental
> patchset against pysim that adds the osmo-sim-auth binary?
>
> > Reason I asked since, I wrote all SIM APIs in osmo-sim-auth and was
> > planning to push upstream and then realized there is a project pysim
> > which has all of that ?
>
> Sorry to hear that. pySim-prog actually existed for much longer time, it
> is what we always used to program SIM Cards ever since 2009.
>
> --
> - Harald Welte <laforge at gnumonks.org>
> http://laforge.gnumonks.org/
> ============================================================================
> "Privacy in residential applications is a desirable marketing option."
>                                                   (ETSI EN 300 175-7 Ch. A6)
>