fgsect/scat

Malformed Packet with LTE

Closed this issue ยท 18 comments

Fantastic job with this!

When set to 4G Only, I can't seem to decode any LTE RRC Messages, 3G/UMTS works swimmingly, currently on Wireshark 2.6.3

I get GSM SIM (Malformed Packet or UDP)

If I copy the lua to my plugins directory, I get
Lua Error: [string "/home/user/.config/wireshark/plugins/scat.lua"]:71: Dissector_call: Malformed frame

I'm not getting anything back with

73 00 00 00 03 00 00 00 00 00 00 00 0b 00 00 00	s...............
09 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
04 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00	................
0f 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00	.<..............
00 00 00 80 01 00 80 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 4b 82 7e                     	......K.~

As the mask, no data returns at all.

Using

73 00 00 00 03 00 00 00 00 00 00 00 0b 00 00 00	s...............
3a 02 00 00 06 00 01 00 00 00 00 00 00 00 00 00	:...............
5f 00 00 00 ce 04 ce 00 3f 00 3f 00 df 24 00 00	_.......?.?..$..
7f fc 3c 00 00 00 3e 28 4e 50 05 12 51 e0 00 00	..<...>(NP..Q...
ff ff ff e2 cf e1 7d 51 7f 00 01 74 42 e0 00 00	......}Q...tB...
00 00 00 00 00 00 00 00 00 00 00 00 dd b7 7e   	..............~

(Yielded from QXDM / usbmon cap)

Shows some interesting results, mainly

Unhandled XDM Header 0xb060
Unhandled XDM Header 0xb081
Unhandled XDM Header 0xb060
Unhandled XDM Header 0xb081
Unhandled XDM Header 0xb060
Unhandled XDM Header 0xb060

Still no LTE Frames show up in Wireshark :(

Do other Qualcomm based devices work with LTE/4G?

It looks like the translation from Qualcomm DIAG to Osmo GSMTAP isn't working, trying to work out if it's device specific or if it hasn't been implemented for Qualcomm Devices yet.

Do other Qualcomm based devices work with LTE/4G?

Yes, of course. The devices listed in README.md are regularly tested. May I ask you which device are you using?

I get GSM SIM (Malformed Packet or UDP)

Currently SIM APDU logging is buggy on Qualcomm devices, so you can safely ignore that.

Shows some interesting results, mainly

No other messages than RRC/NAS/measurements are parsed for Qualcomm devices, so that kind of error messages are expected.

Sure, it's a generic Chineese ODM, running a Snapdragon SDM636 (X12 Modem)

Ah I see, I'm actually not getting any data back after the mask is sent, I think perhaps the SDM series, differing from MSM series perhaps has a different DIAG Protocol?

LTE

-------- initialize diag --------
[+] Sending 
60 00 00 81 c3 7e                              	`....~
-------- end --------
-------- start diag --------
[+] Sending 
60 00 00 81 c3 7e                              	`....~
-------- end --------
[+] Sending 
73 00 00 00 03 00 00 00 00 00 00 00 0b 00 00 00	s...............
09 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
04 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00	................
0f 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00	.<..............
00 00 00 80 01 00 80 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 4b 82 7e                     	......K.~
-------- end --------

^ Only Log Mask being sent, no data ๐Ÿ˜ž

UMTS

-------- initialize diag --------
[+] Sending 
60 00 00 81 c3 7e                              	`....~
-------- end --------
-------- start diag --------
[+] Sending 
60 00 00 81 c3 7e                              	`....~
-------- end --------
[+] Sending 
73 00 00 00 03 00 00 00 00 00 00 00 07 00 00 00	s...............
5e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00	^...............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00	................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00	................
b7 2e 7e                                       	..~
-------- end --------
Logging Recv 10
10 00 26 00 26 00 3a 71 9f 2c 97 1c c2 6c e4 00	..&.&.:q.,...l..
01 15 00 00 00 05 08 72 32 f4 03 04 3a 57 05 f4	.......r2...:W..
00 4f 7b 9e 33 03 57 58 a6 e1 bd 54            	.O{.3.WX...T

^ Perfectly good 3G/UMTS Location Updating Request

There's also a bunch of Non-Log Packets coming back, some of which have the APN (On LTE)

-------- initialize diag --------
[+] Sending 
60 00 00 81 c3 7e                              	`....~
-------- end --------
-------- start diag --------
[+] Sending 
60 00 00 81 c3 7e                              	`....~
-------- end --------
[+] Sending 
73 00 00 00 03 00 00 00 00 00 00 00 0b 00 00 00	s...............
09 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00	................
04 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00	................
0f 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00	.<..............
00 00 00 80 01 00 80 00 00 00 00 00 00 00 00 00	................
00 00 00 00 00 00 4b 82 7e                     	......K.~
-------- end --------
Not parsing non-Log packet 98
98 01 00 00 01 00 00 00 60 0c 00 c8 41 a6 aa 77	........`...A..w
1f c2 6c e4 00 03 0a a4 7f                     	..l......
-------- end --------
Not parsing non-Log packet 98
98 01 00 00 01 00 00 00 60 30 00 c7 41 44 9c 78	........`0..AD.x
1f c2 6c e4 00 01 39 c8 41 48 a2 37 20 c2 6c e4	..l...9.AH.7..l.
00 03 2a c7 41 31 2d 39 20 c2 6c e4 00 01 2b c7	..*.A1-9..l...+.
41 5e 88 02 21 c2 6c e4 00 01 13 7c 89         	A^..!.l....|.
-------- end --------
...

It's interesting if you look at a cfg generated by QXDM for diag_mdlog, I think the mask is within the file

โ†’ hexdump -C LTE_RRC_AND_NAS.cfg                                                                                              
00000000  1d 1c 3b 7e 00 78 f0 7e  4b 32 06 00 ba 4d 7e 7c  |..;~.x.~K2...M~||
00000010  93 49 7e 1c 95 2a 7e 0c  14 3a 7e 63 e5 a1 7e 4b  |.I~..*~..:~c..~K|
00000020  0f 00 00 bb 60 7e 4b 09  00 00 62 b6 7e 4b 08 00  |....`~K...b.~K..|
00000030  00 be ec 7e 4b 08 01 00  66 f5 7e 4b 04 00 00 1d  |...~K...f.~K....|
00000040  49 7e 4b 04 0f 00 d5 ca  7e 4b 0f 18 00 01 9e a9  |I~K.....~K......|
00000050  7e 4b 0f 18 00 02 05 9b  7e 4b 0f 2c 00 28 ea 7e  |~K......~K.,.(.~|
00000060  4b 12 39 00 eb 7b 7e 4b  12 3c 00 53 05 7e 4b 12  |K.9..{~K.<.S.~K.|
00000070  37 00 fb e1 7e 4b 12 3b  00 5b 48 7e 4b 12 35 00  |7...~K.;.[H~K.5.|
00000080  4b d2 7e 4b 12 3a 00 83  51 7e 4b 12 00 08 19 96  |K.~K.:..Q~K.....|
00000090  7e 7d 5d 05 00 00 00 00  00 00 74 41 7e 73 00 00  |~}].......tA~s..|
000000a0  00 00 00 00 00 da 81 7e  73 00 00 00 03 00 00 00  |.......~s.......|
000000b0  0b 00 00 00 ee 00 00 00  00 00 00 00 00 00 00 00  |................|
000000c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000d0  01 00 00 00 0c 30 7c 12  7e 60 00 12 6a 7e        |.....0|.~`..j~|

Noting (Starting at 0x73)

000000a0  00 00 00 00 00 da 81 7e  73 00 00 00 03 00 00 00  |.......~s.......|
000000b0  0b 00 00 00 ee 00 00 00  00 00 00 00 00 00 00 00  |................|
000000c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000d0  01 00 00 00 0c 30 7c 12  7e 60 00 12 6a 7e        |.....0|.~`..j~|

But the cfg generation isn't device aware, so it must be how the Modem is sending back Diag Logs?

So, most luck I've had so far, is this mask (Ignoring the first 2 bytes)

0000   58 00 73 00 00 00 03 00 00 00 0b 00 00 00 3a 02
0010   00 00 06 00 01 00 00 00 00 00 00 00 00 00 5f 00
0020   00 00 ce 04 ce 00 3f 00 3f 00 df 24 00 00 7f fc
0030   3c 00 00 00 3e 28 4e 50 05 12 51 e0 00 00 ff ff
0040   ff e2 cf e1 7d 51 7f 00 01 74 42 e0 00 00 00 00
0050   00 00 00 00 00 00 00 00 00 00 7e

I used usbmon to grab it on it's way to the device. I don't get too many errors about it not recognizing the XDM Header.

And it appears to only spew when I attach or detach.

However it's still not decoding in Wireshark - https://imgur.com/a/cPXjtMn

The string pdcp is almost always in the log.

Sure, it's a generic Chineese ODM, running a Snapdragon SDM636 (X12 Modem)

Ah I see, I'm actually not getting any data back after the mask is sent, I think perhaps the SDM series, differing from MSM series perhaps has a different DIAG Protocol?

Well, I think this is the case for certain basebands. Currently I am testing SCAT on a SDM845 device, and I am also seeing the similar problem. By the way, is it capable of dual SIM / dual LTE? From what I have analyzed, unlike 2G and 3G dual SIM devices from Qualcomm, LTE dual SIM devices have different way to deliver diagnostic logs when I sent the same log masks (and therefore not correctly displayed in SCAT). Even if it is a single SIM device, I assume that architectural changes could exist.

However it's still not decoding in Wireshark - https://imgur.com/a/cPXjtMn
The string pdcp is almost always in the log.

Yup, you hit the experimental code of decoding LTE PDCP PDU. It's never meant to be used in production, that's why the log mask supplied with SCAT didn't enabled that.

Unfortunately, adding dual SIM support for SCAT is a planned task, and I can't give any exact time plan. This bug will be likely addressed with fix for dual SIM.

Indeed it is dual SIM, I believe I can write an NV Value and disable the 2nd slot, making it a 'single slot' device, let's see if that changes anything.

I'll update here shortly.

Again, great work on this, suuuuper helpful tool here ๐Ÿ‘

So disabling the 2nd slot with UIM HW Configuration betters things, I'm getting GSMTAP SIM just fine, can see the Authentication Process happen on LTE (SIM) but still don't see any RRC/NAS layer messages, I think the best way to solve this is implement a "slot" Boolean/Int somewhere in the DIAG Log Resp Packet.

Looking at it further in QXDM, the LTE Logging header is 0x98, not 0x10.

        elif pkt[0] == 0x98:
            # LTE Log Packet with Sub ID (Slot Support)
            print('[+] LTE Logging Packet Recv!')
            util.xxd(pkt)
            pass

Will need to break down the LTE Diag Log Packet and decipher what it does, the first 10 bytes never change.

See a Paging Request
https://imgur.com/a/CPjN9ip
vs RRC Connection Reject
https://imgur.com/a/XlwE0qY

Okay, now I understood the situation. Please wait for some time so I could address the issue.

No worries peremen, let me know if I can do anything to help ๐Ÿ‘

So... As of current master, it should support this type of packet. The 0x98 is indeed header for newer multi SIM devices, which encapsulates 0x10 messages further. Please test again and let me know the results. (Also do not forget -D switch if things went wrong)

Great work! I'm now receiving some RRC and NAS Layer LTE messages, however I can't seem to see any RRC (SIB, Paging / Other PDSCH Messages), but I think this because they're just not using parsed yet.

Thank you! ๐Ÿ‘