<div dir="ltr"><div><div><div><div><div><div><div><div><div><div><div><div><div><div>Hi Herald,<br><br></div>Thank you for your responses. I appreciate you taking out time from your schedule.<br></div><div>Just a couple of things I would like to share since my interest grew in telecom.<br><br></div></div><div>1) Have you or your team tried to reverse engineer/hacking Over the Air OTA spec - firmware upgrade (understanding this type of communication) using OpenNITB and latest phones where bootloaders are locked?<br><br></div><div>- I was planning to try this! But now I will take up merging osmo-sim-auth and py-sim. (I'm not a great dev but I'm passionate about osmocom and willing to contribute my time to learning/contributing the same).<br></div><div><br></div>2) I have been trying something different with OsmocomBB, osmo-sim-auth and Tor lately - I would like to hear your views on the same.<br></div> Attack Model: Geo-Location Anonymous calling in GSM.<br><br></div>Description:<br></div>1. The attacker uses OsmocomBB phone to make a call using a sim card service. (No sim card present in the phone).<br></div>2. For this, I have taken the SIM card outside OsmocomBB and re-written all SIM API's in osmo-sim-auth (which is the sim card service).<br></div>3. This sim card service is deployed over Tor network, so no one can actually know the location of the SIM card service.<br></div><div>4, The osmocombb connects to the network and uses this sim card service for authentication etc. <br>5. The whole setup of calling etc is initiated by the sim card service, which is itself behind Tor.<br><br></div>6. Now, This SIM card service can be used my multiple phones, so now you are not exactly going to track the phone since if I use the SIM card service to another phone (cell area) the DB entry in VLR has changed which says the location has changed. <br></div></div>7. My experiments worked well on a LIVE network, understanding the delay in Tor the network, still, the BTS was accepting RES response challenge from the SIM card service behind Tor - I still have to calculate the exact max acceptable delay in sending RES back to BTS to confirm this!<br><br></div>Look forward to hearing from you!<br><br></div>Thanks,<br></div>Gerard<br><div><div><div><br><div><div><div><div><div><div> <br></div></div></div></div></div></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Mar 27, 2017 at 2:29 AM, Harald Welte <span dir="ltr"><<a href="mailto:laforge@gnumonks.org" target="_blank">laforge@gnumonks.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Gerard,<br>
<span class=""><br>
On Mon, Mar 27, 2017 at 02:11:29AM -0700, Gerard Pinto wrote:<br>
> GSM_TAP was the key - Thank you for this help. External CC works well now.<br>
<br>
</span>great.<br>
<span class=""><br>
> Just compared mncc with internal and external CC - Debugged a little<br>
> further and realized 1 of the fields of bearer_cap was missing!<br>
<br>
> mncc-python is good - I read your blog. Made some changes (socket path).<br>
> Although it does fail with "Invalid mandatory information" - bearer cap<br>
> missing. I will have to look again at the code.<br>
<br>
</span>Patches are always welcome. I guess mncc-python is so far only used<br>
with OsmoNITB, and not with the MS-side MNCC on OsmocomBB. But it would<br>
be great to have this working, too.<br>
<span class=""><br>
> Osmo-sim-auth and pysim both same projects right?<br>
<br>
</span>no. osmo-sim-auth just performs a (GSM or UMTS) authentication against<br>
a SIM card.<br>
<br>
pySim is for programming certain cards where that is possible (like<br>
MagicSIM, sysmoSIM, sysmoUSIM, etc.)<br>
<br>
I think there are two distinct purposes and it makes sense to have two<br>
different tools. But yes, it probably could make sense to merge the<br>
code in one repository and simply have multiple executables for that.<br>
<br>
Would you be interested in merging the two, i.e. provide an incremental<br>
patchset against pysim that adds the osmo-sim-auth binary?<br>
<span class=""><br>
> Reason I asked since, I wrote all SIM API's in osmo-sim-auth and was<br>
> planning to push upstream and then realized there is a project pysim which<br>
> has all of that ?<br>
<br>
</span>Sorry to hear that. pySim-prog actually existed for much longer time, it<br>
is what we always used to program SIM Cards ever since 2009.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
</font></span><div class="HOEnZb"><div class="h5">--<br>
- Harald Welte <<a href="mailto:laforge@gnumonks.org">laforge@gnumonks.org</a>> <a href="http://laforge.gnumonks.org/" rel="noreferrer" target="_blank">http://laforge.gnumonks.org/</a><br>
==============================<wbr>==============================<wbr>================<br>
"Privacy in residential applications is a desirable marketing option."<br>
(ETSI EN 300 175-7 Ch. A6)<br>
</div></div></blockquote></div><br></div>