
empty pcap and unhandled GsmRrSignallingMessage on PinePhone

Open evilsocket opened this issue 5 months ago • 8 comments

Bug Report Details

  • Rayhunter version: https://github.com/EFForg/rayhunter/releases/download/v0.5.0/rayhunter-v0.5.0-linux-armv7.zip
  • Device: PinePhone (community edition)
  • OS: Kali Nethunter Pro ( kali-nethunterpro-2025.2-pinephone.img, flashed to eMMC )
  • No sim card.

Installed via precompiled installer (directly on phone). The daemon and UI seem to work correctly; however, when I download the pcaps they are empty, and tailing the service logs gives a streaming list of this:

[1980-01-06T02:28:44Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:44Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:45Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:45Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 63, length: 23, msg: [49, 6, 63, 16, 14, 48, 10, 120, 172, 234, 2, 1, 7, 201, 69, 128, 89, 144, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:45Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:46Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:46Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:47Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:47Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:48Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:48Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:49Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:49Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:50Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:50Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:51Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:51Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:52Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:52Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:53Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:53Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:53Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:54Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:54Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:55Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }

Output of mmcli -L:

/org/freedesktop/ModemManager1/Modem/0 [QUALCOMM INCORPORATED] QUECTEL Mobile Broadband Module

evilsocket avatar Jul 27 '25 16:07 evilsocket

More information. I thought the issue was the missing SIM card; however, if I use https://github.com/P1sec/QCSuper and dump to pcap, I can see the GSMTAP data:

Image

evilsocket avatar Jul 27 '25 16:07 evilsocket

It looks like your modem is configured to use GSM instead of LTE. Check the config by running: mmcli -m 0 --command AT+QNWINFO

If you don't see a string like +QNWINFO: "FDD LTE","311480","LTE BAND 13",2050 and instead something like +QNWINFO: "GSM","310260","GSM 1900",734 try changing your carrier configuration with the AT+QMBNCFG command.

First note your current config with mmcli -m 0 | grep carrier, then open a serial console to /dev/ttyUSB2 and

AT+QMBNCFG="List"
+QMBNCFG: "List",0,0,0,"ROW_Generic_3GPP",0x0501081F,201901141
+QMBNCFG: "List",1,0,0,"VoLTE-ATT",0x0501033C,201909271
+QMBNCFG: "List",2,1,1,"hVoLTE-Verizon",0x05010141,201911251
[...]

Note your current config with mmcli -m 0 | grep carrier.

Select a different config. Even if they say VoLTE, they may use GSM. Experiment. For example, over the AT interface:

AT+QMBNCFG="select","hVoLTE-Verizon"
OK
AT+CFUN=1,1
OK

Wait for the modem to reboot. Confirm you're seeing "FDD LTE" in +QNWINFO when you query the modem's network config after it reboots with mmcli -m 1 --command AT+QNWINFO. Note that the mmcli modem index increased after it rebooted.

Some MBNs may not change anything when selected and will fall back to GSM, so be sure to check multiple configs.

Some PinePhone-compatible distros may have more user-friendly ways to configure these settings. It is also possible that Kali Nethunter sets some of its own modem settings.

oopsbagel avatar Jul 28 '25 09:07 oopsbagel

> More information. I thought the issue was the missing SIM card; however, if I use https://github.com/P1sec/QCSuper and dump to pcap, I can see the GSMTAP data:

Rayhunter only parses LTE (4G) messages by design and intentionally doesn't contain code for parsing GSM RRC since those messages are not useful for our heuristics.

It is expected that Rayhunter would have an empty pcapng but QCSuper would parse the messages that Rayhunter drops. We're still logging them in your /data/rayhunter/qmdl/*.qmdl files, but they're not used for analysis and don't make it into the pcapng.

oopsbagel avatar Jul 28 '25 09:07 oopsbagel
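The dropped payloads can be identified by hand, which shows why the pcap stays empty: they are idle-mode GSM RR messages. This is an added example, not Rayhunter or QCSuper code; it assumes `msg` starts at the L2 pseudo length octet (consistent with the log, where `msg[2]` equals `message_type`), and the sample lines are copied from the log in the report.

```rust
use std::collections::BTreeMap;

/// Extract the `msg: [..]` byte list from one gsmtap_sink log line.
fn msg_bytes(line: &str) -> Option<Vec<u8>> {
    let start = line.find("msg: [")? + "msg: [".len();
    let end = start + line[start..].find(']')?;
    line[start..end].split(',').map(|b| b.trim().parse::<u8>().ok()).collect()
}

#[derive(Debug, PartialEq)]
struct RrMsg { l2_len: u8, name: &'static str, fill: usize }

/// Decode the header of a GSM RR message: L2 pseudo length octet,
/// protocol discriminator, message type (3GPP TS 44.018 encoding).
fn decode_rr(msg: &[u8]) -> Option<RrMsg> {
    let (plen, pd, mt) = (*msg.get(0)?, *msg.get(1)?, *msg.get(2)?);
    // Pseudo length octet ends in binary 01; PD 0x6 is Radio Resource management.
    if plen & 0x03 != 0x01 || pd & 0x0f != 0x06 { return None; }
    let name = match mt {
        0x1b => "System Information Type 3",
        0x21 => "Paging Request Type 1",
        0x22 => "Paging Request Type 2",
        0x3f => "Immediate Assignment",
        _ => "other RR message",
    };
    // 0x2b (decimal 43) is the GSM fill octet that pads the 23-byte frame.
    let fill = msg.iter().rev().take_while(|&&b| b == 0x2b).count();
    Some(RrMsg { l2_len: plen >> 2, name, fill })
}

/// Count decoded message names over every GsmRrSignallingMessage log line.
fn summarize(log: &str) -> BTreeMap<&'static str, usize> {
    let mut counts = BTreeMap::new();
    for line in log.lines().filter(|l| l.contains("GsmRrSignallingMessage")) {
        let name = msg_bytes(line).and_then(|m| decode_rr(&m)).map_or("undecoded", |m| m.name);
        *counts.entry(name).or_insert(0) += 1;
    }
    counts
}

// Sample input: three lines taken from the log posted in the report.
const LOG: &str = r#"[1980-01-06T02:28:44Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:45Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 33, length: 23, msg: [21, 6, 33, 0, 1, 240, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, 43] }
[1980-01-06T02:28:45Z ERROR rayhunter::gsmtap_parser] gsmtap_sink: ignoring unhandled log type: GsmRrSignallingMessage { channel_type: 131, message_type: 63, length: 23, msg: [49, 6, 63, 16, 14, 48, 10, 120, 172, 234, 2, 1, 7, 201, 69, 128, 89, 144, 43, 43, 43, 43, 43] }"#;

fn main() {
    for (name, n) in summarize(LOG) { println!("{:>3} x {}", n, name); }
}
```

A log that decodes entirely to paging and assignment messages like this means the modem is camped on a 2G cell, so the fix is on the modem side rather than in the parser.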

Thanks for the swift response! So, running all of these directly as root, after removing rayhunter-daemon (same output with the service running) and restarting the device:

└─# mmcli -m 0 --command AT+QNWINFO

error: command failed: 'GDBus.Error:org.freedesktop.ModemManager1.Error.Core.Unauthorized: Unauthorized: Operation only allowed in debug mode'

(just in case)
└─# mmcli -m 1 --command AT+QNWINFO

error: couldn't find modem

However:

└─# mmcli -m 0 | grep carrier
           |          carrier config: Volte_OpenMkt-Commercial-CMCC
           | carrier config revision: 05012071

Full output:

 -----------------------------------
  General  |                    path: /org/freedesktop/ModemManager1/Modem/0
           |               device id: <REDACTED>
  -----------------------------------
  Hardware |            manufacturer: QUALCOMM INCORPORATED
           |                   model: QUECTEL Mobile Broadband Module
           |       firmware revision: EG25GGBR07A08M2G
           |          carrier config: Volte_OpenMkt-Commercial-CMCC
           | carrier config revision: 05012071
           |            h/w revision: 10000
           |               supported: gsm-umts, lte
           |                 current: gsm-umts, lte
           |            equipment id: <REDACTED>
  -----------------------------------
  System   |                  device: /sys/devices/platform/soc/1c1b000.usb/usb1/1-1
           |                 physdev: /sys/devices/platform/soc/1c1b000.usb/usb1/1-1
           |                 drivers: qmi_wwan, option
           |                  plugin: quectel
           |            primary port: cdc-wdm0
           |                   ports: cdc-wdm0 (qmi), ttyUSB0 (ignored), ttyUSB1 (gps), 
           |                          ttyUSB2 (at), ttyUSB3 (at), wwan0 (net)
  -----------------------------------
  Status   |                   state: failed
           |           failed reason: sim-missing
           |             power state: on
  -----------------------------------
  Modes    |               supported: allowed: 2g; preferred: none
           |                          allowed: 3g; preferred: none
           |                          allowed: 4g; preferred: none
           |                          allowed: 2g, 3g; preferred: 3g
           |                          allowed: 2g, 3g; preferred: 2g
           |                          allowed: 2g, 4g; preferred: 4g
           |                          allowed: 2g, 4g; preferred: 2g
           |                          allowed: 3g, 4g; preferred: 4g
           |                          allowed: 3g, 4g; preferred: 3g
           |                          allowed: 2g, 3g, 4g; preferred: 4g
           |                          allowed: 2g, 3g, 4g; preferred: 3g
           |                          allowed: 2g, 3g, 4g; preferred: 2g
           |                 current: allowed: 2g, 3g, 4g; preferred: 4g
  -----------------------------------
  Bands    |               supported: egsm, dcs, pcs, g850, utran-1, utran-4, utran-6, utran-5, 
           |                          utran-8, utran-2, eutran-1, eutran-2, eutran-3, eutran-4, eutran-5, 
           |                          eutran-7, eutran-8, eutran-12, eutran-13, eutran-18, eutran-19, 
           |                          eutran-20, eutran-25, eutran-26, eutran-28, eutran-38, eutran-39, 
           |                          eutran-40, eutran-41, utran-19
           |                 current: egsm, dcs, pcs, g850, utran-1, utran-4, utran-6, utran-5, 
           |                          utran-8, utran-2, eutran-1, eutran-2, eutran-3, eutran-4, eutran-5, 
           |                          eutran-7, eutran-8, eutran-12, eutran-13, eutran-18, eutran-19, 
           |                          eutran-20, eutran-25, eutran-26, eutran-28, eutran-38, eutran-39, 
           |                          eutran-40, eutran-41, utran-19
  -----------------------------------
  IP       |               supported: ipv4, ipv6, ipv4v6
  -----------------------------------
  3GPP     |                    imei: <REDACTED>

evilsocket avatar Jul 28 '25 09:07 evilsocket

Some success after restarting ModemManager with --debug:

mmcli -m 0 --command AT+QNWINFO
response: '+QNWINFO: "GSM","22210","GSM 900",44'

Will keep experimenting and update this as I go.

evilsocket avatar Jul 28 '25 10:07 evilsocket

> Some MBNs may not change anything when selected and will fall back to GSM, so be sure to check multiple configs.

It seems like this is the case for me :/

AT+QMBNCFG="List"

+QMBNCFG: "List",0,0,0,"ROW_Generic_3GPP",0x0501081F,201901141CFG: "List",2,0,0,"hVoLTE-Verizon",0x05010141,201911251
+QMBNCFG: "List",3,0,0,"Sprint-VoLTE",0x05010205,201908141
+QMBNCFG: "List",4,0,0,"Commercial-TMO_VoLTE",0x05010505,201811231
+QMBNCFG: "List",5,0,0,"Telus-Commercial_VoLTE",0x05800C43,201912031
+QMBNCFG: "List",6,0,0,"Commercial-SBM",0x05011C18,201904021
+QMBNCFG: "List",7,0,0,"Commercial-DT",0x05011F1C,201905311
+QMBNCFG: "List",8,0,0,"Reliance_OpnMkt",0x05011B38,201910161
+QMBNCFG: "List",9,0,0,"TF_Germany_VoLTE",0x05010C1B,201909201
+QMBNCFG: "List",10,0,0,"TF_Spain_VoLTE",0x05010CFA,201909261
+QMBNCFG: "List",11,1,1,"Volte_OpenMkt-Commercial-CMCC",0x05012071,201904281
+QMBNCFG: "List",12,0,0,"OpenMkt-Commercial-CT",0x05011322011505,201807052

AT+QMBNCFG="select","Sprint-VoLTE"
OK
AT+CFUN=1,1
OK

Confirmed by this:

└─# mmcli -m 1 | grep carrier
           |          carrier config: Sprint-VoLTE
           | carrier config revision: 05010205

However:

 mmcli -m 1 --command AT+QNWINFO
response: '+QNWINFO: "GSM","22210","GSM 900",44'

So confusing XD

NOTE: I've disabled the ModemManager service and just kept running an instance with --debug in another terminal:

evilsocket avatar Jul 28 '25 10:07 evilsocket

Try hVoLTE-Verizon, that one specifically worked for me.

See https://github.com/the-modem-distro/pinephone_modem_sdk/blob/scarthgap/docs/Anatomy%20of%20mcfg_sw%20files.md for more information on these mbn files.

There's possibly another way to configure the modem with more options available than just those available in the existing carrier configs. A shortcut to that may be inserting a SIM; it doesn't have to be active.

oopsbagel avatar Jul 28 '25 10:07 oopsbagel

hVoLTE-Verizon did it! And can see some stuff in the pcap now :D thank you!

Image

It'd be great if this procedure could be either documented, or better integrated before this https://github.com/EFForg/rayhunter/blob/main/installer/src/pinephone.rs#L122

evilsocket avatar Jul 28 '25 11:07 evilsocket
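The check this thread converged on (read +QNWINFO, and if it is not LTE, list the MBN profiles that have not been tried) can be automated as below. This is an added example, not Rayhunter installer code; the +QMBNCFG field meanings (index, selected, activated, name) are an assumption inferred from the outputs above, where the `1,1` row matches mmcli's carrier config, and the sample input is copied from those outputs.

```rust
#[derive(Debug, PartialEq)]
struct Mbn { index: u32, selected: bool, activated: bool, name: String }

/// Fields following `prefix` on a line, comma-split with quotes removed.
/// Works on raw AT output and on mmcli's `response: '...'` wrapping.
fn fields<'a>(line: &'a str, prefix: &str) -> Option<Vec<&'a str>> {
    let start = line.find(prefix)? + prefix.len();
    Some(line[start..].split(',').map(|f| f.trim().trim_matches('"')).collect())
}

/// Access technology from +QNWINFO, e.g. "FDD LTE" or "GSM".
fn access_tech(line: &str) -> Option<String> {
    fields(line, "+QNWINFO:")?.first().map(|s| s.to_string())
}

/// Rayhunter only analyses LTE, so anything else means an empty pcap.
fn is_lte(line: &str) -> bool {
    access_tech(line).map_or(false, |t| t.ends_with("LTE"))
}

/// Parse AT+QMBNCFG="List" output, skipping lines that are not list rows.
fn parse_mbn_list(output: &str) -> Vec<Mbn> {
    output.lines().filter_map(|l| {
        let f = fields(l, "+QMBNCFG:")?;
        if f.len() < 5 || !f[0].eq_ignore_ascii_case("list") { return None; }
        Some(Mbn { index: f[1].parse().ok()?, selected: f[2] == "1",
                   activated: f[3] == "1", name: f[4].to_string() })
    }).collect()
}

/// Profiles still worth trying: every listed MBN that is not the active one.
fn untried(mbns: &[Mbn]) -> Vec<&str> {
    mbns.iter().filter(|m| !m.activated).map(|m| m.name.as_str()).collect()
}

// Sample input: lines copied from the outputs posted in this thread.
const QNWINFO: &str = r#"response: '+QNWINFO: "GSM","22210","GSM 900",44'"#;
const MBN_LIST: &str = r#"+QMBNCFG: "List",3,0,0,"Sprint-VoLTE",0x05010205,201908141
+QMBNCFG: "List",4,0,0,"Commercial-TMO_VoLTE",0x05010505,201811231
+QMBNCFG: "List",11,1,1,"Volte_OpenMkt-Commercial-CMCC",0x05012071,201904281"#;

fn main() {
    let mbns = parse_mbn_list(MBN_LIST);
    println!("access tech: {:?}, LTE: {}", access_tech(QNWINFO), is_lte(QNWINFO));
    if !is_lte(QNWINFO) {
        println!("not on LTE; other profiles to try: {:?}", untried(&mbns));
    }
}
```

As the thread shows, the selected profile name alone proves nothing: re-run the +QNWINFO check after each modem reboot.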