Hey, I finally watched Nico's talk "let me answer that for you" and heard him say he ported layer2/3 to target.
Also found a mailing list message about him cleaning it up and putting it up on git and sending it to a few folks.
Did that code ever get shared? Would be cool to play around with and is certainly something I would eventually want to accomplish for my project of making a phone that works by itself.
-Craig
Hi,
On Tue, Sep 3, 2013 at 7:01 PM, Craig Comstock craig_comstock@yahoo.com wrote:
Hey, I finally watched Nico's talk "let me answer that for you" and heard him say he ported layer2/3 to target.
No.
He implemented a very basic l2/l3 that just did exactly what the attack needed (which in comparison to the whole 'mobile' application is very little) and nothing more.
Cheers,
Sylvain
Sure,
I suspected as much but had to ask. :)
For the time being I'll probably keep my focus on nuttx-bb and/or making a UI prototype in osmocom to see how it feels.
Thanks, Craig
Excerpts from Tim Ehlers's message of 2013-09-04 14:07:55 +0200:
On Tue, 3 Sep 2013, Craig Comstock wrote:
Hi,
I suspected as much but had to ask. :)
but anyhow, the code would be interesting. :)
The code is available here http://tinyurl.com/fun-with-paging (apply on osmocom changeset 4f0acac4c1fa538082f54cb14bef0841aa9c8abb)
but as Sylvain said, it's not a complete layer2/3 port to the phone. It only handles the paging requests (and a bit of SMS)
Kevin
Cheers
Tim
Anyone tried it? I've downloaded the patch and applied it to the changeset you said. Compilation is ok. Should it generate new images to dump to phone? I can see only standard targets.
Dario
On Wed, 4 Sep 2013, Dario Lombardo wrote:
Hi,
Anyone tried it? I've downloaded the patch and applied it to the changeset you said. Compilation is ok. Should it generate new images to dump to phone? I can see only standard targets.
Dario
yes, as I can see, the rssi target has been modified. So you need to load that target with the modified osmocon, which opens another UNIX socket /tmp/osmocom_mi to read the victim's TMSI. With "*" you can toggle the attack modes, which are DETACH, PAGING, RANGE_PAGING, ALL_PAGING, STEAL_SMS.
My only problem is, that I can't find out how to send the TMSI over the Socket. If I only send the TMSI with e.g. socat, I get
Err from socket: Bad address
from osmocon...
What do I miss?
Cheers
Tim
sorry, here the scripts to push the values
On Wed, Sep 4, 2013 at 10:08 PM, Kevin Redon ml@mail.tsaitgaist.info wrote:
sorry, here the scripts to push the values
Is the software expected to say something when the tmsi is correctly pushed?
On Thu, 5 Sep 2013, Dario Lombardo wrote:
Hi,
On Wed, Sep 4, 2013 at 10:08 PM, Kevin Redon ml@mail.tsaitgaist.info wrote:
sorry, here the scripts to push the values
Is the software expected to say something when the tmsi is correctly pushed?
    printf("changing victim TMSI to: ");
    for (i = 0; i < msg->len && i < 4; i++) {
        victim_tmsi[i] = msg->data[i];
        printf("%02x ", victim_tmsi[i]);
    }
    puts("\n");
Best
Tim
Thanks.
Do the POWER indications work for you? Regardless of the ARFCN I enter, I always get -110. Using RSSI from master, I can get -76 from the strongest cell (arfcn = 1).
On Thu, 5 Sep 2013, Dario Lombardo wrote:
Hi Dario,
Do the POWER indications work for you? Regardless of the ARFCN I enter, I always get -110. Using RSSI from master, I can get -76 from the strongest cell (arfcn = 1).
I only tried one Cell (which is one of the strongest here) from O2 Germany in my Location and Power says -68, which is (nearly) the same as osmocombb-mobile says for that cell. So yes, I think it is working...
Best
Tim
Is it possible to have the source code of all this attack on osmocom, the attack modes, which are DETACH, PAGING, RANGE_PAGING, ALL_PAGING, STEAL_SMS?
-- View this message in context: http://baseband-devel.722152.n3.nabble.com/layer2-3-ported-to-target-paging-... Sent from the baseband-devel mailing list archive at Nabble.com.
Has anyone tried this code? It looks like it works, but in reality it does not.
I'm facing a problem. I applied the patch and compiled successfully. However, whenever I tried to load the firmware into the phone I got an ftmtool error. I thought it was because of the cable, so I tried to load the original firmware with the original osmocon app, same cable of course, and it worked perfectly. So I reversed what I did, compiled again and ran osmocon, and still got the ftmtool error. So the problem is not the cable, not the patch. The problem is the osmocon app itself. Am I right? Does anyone know what problem it is? Is it some kind of code changing prevention?