
[Issue] Pcap dump / Xiaomi Mi Note 3 / Fail to detect current RAT

Open Nementon opened this issue 5 years ago • 2 comments

Context

Xiaomi Mi Note 3 (Qualcomm Snapdragon 660), connected on 3G network for CS (CS fallback) and 4G for PS. Only one SIM activated.

[+] Compilation date:    Mar 22 2019 19:44:52
[+] Release date:        Dec 19 2018 07:00:00
[+] Version directory:   sdm660.g

[+] Common air interface information:
[+]   Station classmark: 58
[+]   Common air interface revision: 9
[+]   Mobile model:      255
[+]   Mobile firmware revision: 100
[+]   Slot cycle index:  48
[+]   Hardware revision: 0x08c (0.140)

[+] Mobile model ID:     0x1012
[+] Chip version:        0
[+] Firmware build ID:   MPSS.AT.3.1.c7-00023-SDM660_GEN_PACK-1

[+] Diag version:        8

Issue

On running "PCAP dump" or "Wireshark-Live" in QCSuper, no PCAP traffic is generated, even though I can see some "Diag" responses in the debug logs when I initiate a call.

  • python qcsuper.py --adb -v --wireshark-live --reassemble-sibs --decrypt-nas --include-ip-traffic
  • python qcsuper.py --adb -v --pcap-dump ran.pcap

I've made some investigations and discovered that:

  • I'm receiving some "Diag" logs of type LOG_UMTS_NAS_OTA_MESSAGE_LOG_PACKET_C and entering the following condition: https://github.com/P1sec/QCSuper/blob/45e0c5b7397bc2f1c3d27a64f39e0d35924eea80/modules/pcap_dump.py#L252-L256

But:

  • The attribute current_rat has the value None
  • By ignoring the return statement (I'm connected on 3G and not on 2G), QCSuper is able to properly decode the received packets, and thus I'm able to generate some PCAP traces.

Nementon, Jul 14 '19 17:07
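The report above describes a gating check: a NAS payload is only decoded when the tracked RAT is known, and an unknown RAT (current_rat still None) makes the handler return early, so the capture stays empty. The following Python is an added illustration of that failure mode and of one defensive fallback; it is not QCSuper's own code, and every function name, the RAT_CHANGE pseudo-event, the RAT_BY_LOG_TYPE mapping and the sample bytes are assumptions constructed for this example.

```python
# Added illustration, not QCSuper's code. Models the RAT-gating decision
# described in the issue and a fallback that infers the RAT from a log type
# which is specific to one RAT. All names below are hypothetical.

# The two Diag log type names mentioned in the thread, used here as labels.
LOG_UMTS_NAS_OTA_MESSAGE_LOG_PACKET_C = "LOG_UMTS_NAS_OTA_MESSAGE_LOG_PACKET_C"
WCDMA_SIGNALLING_MESSAGE = "WCDMA_SIGNALLING_MESSAGE"

# Hypothetical mapping: these UMTS/WCDMA log types are only emitted while the
# modem is camped on 3G, so their presence is evidence of the current RAT.
RAT_BY_LOG_TYPE = {
    LOG_UMTS_NAS_OTA_MESSAGE_LOG_PACKET_C: "3G",
    WCDMA_SIGNALLING_MESSAGE: "3G",
}


def dispatch_nas_log_strict(current_rat, log_type, payload):
    """Model of the behaviour reported in the issue: decode a 3G NAS payload
    only when the tracked RAT is known and not 2G. An unknown RAT (None)
    silently drops the packet, which is what yields an empty PCAP."""
    if current_rat is None or current_rat == "2G":
        return None
    return ("3G_NAS", payload)


def infer_rat_from_log_type(current_rat, log_type):
    """Fallback: if no RAT-change event has been seen yet, infer the RAT from
    a log type that only one RAT produces; otherwise keep the tracked RAT."""
    if current_rat is not None:
        return current_rat
    return RAT_BY_LOG_TYPE.get(log_type)


def dispatch_nas_log_with_fallback(current_rat, log_type, payload):
    """Same gating as the strict version, but with the RAT inferred when the
    tracker has not been primed. Unknown log types are still dropped."""
    rat = infer_rat_from_log_type(current_rat, log_type)
    if rat is None or rat == "2G":
        return None
    return ("3G_NAS", payload)


def run_trace(log_entries, dispatcher):
    """Feed (log_type, payload) pairs through a dispatcher while tracking the
    RAT the way a capture loop would, and return the decoded packets."""
    current_rat = None
    decoded = []
    for log_type, payload in log_entries:
        if log_type == "RAT_CHANGE":  # constructed pseudo-event for the model
            current_rat = payload
            continue
        result = dispatcher(current_rat, log_type, payload)
        if result is not None:
            decoded.append(result)
    return decoded


# Constructed sample trace: NAS logs arrive before any RAT-change event has
# been seen, mirroring the issue (current_rat is still None). The payload
# bytes are dummy values, not real NAS messages.
SAMPLE_TRACE = [
    (LOG_UMTS_NAS_OTA_MESSAGE_LOG_PACKET_C, bytes.fromhex("0102")),
    (LOG_UMTS_NAS_OTA_MESSAGE_LOG_PACKET_C, bytes.fromhex("0304")),
    ("UNKNOWN_LOG_TYPE", bytes.fromhex("ff")),  # no RAT evidence: still dropped
]

if __name__ == "__main__":
    print("strict:  ", run_trace(SAMPLE_TRACE, dispatch_nas_log_strict))
    print("fallback:", run_trace(SAMPLE_TRACE, dispatch_nas_log_with_fallback))
```

Running the trace through the strict dispatcher reproduces the symptom (nothing decoded); the fallback version decodes the two UMTS NAS entries while still dropping the log type that carries no RAT evidence, which is the safer shape for a fix than simply deleting the return statement.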

Hello!

Thank you for your interest in QCSuper. QCSuper is normally able to receive both 3G layer 3 packets (delivered with WCDMA_SIGNALLING_MESSAGE) and 3G NAS payloads, which are embedded into layer 3 packets (delivered with LOG_UMTS_NAS_OTA_MESSAGE_LOG_PACKET_C).

It seems that your baseband is communicating NAS payloads in a way that is understood by QCSuper, but that this is not the case with layer 3 packets, or it is delivering these using another log type than WCDMA_SIGNALLING_MESSAGE which may not be parsed yet.

If you wish to help us troubleshoot this, could you please perform a raw capture of the Diag logs sent by the modem (by running ./qcsuper.py --adb --dlf-dump /tmp/your_output_file.dlf), and send the produced .DLF file to mmr at p1sec dot com? Feel free to perform a few actions (e.g. switching plane mode on/off, generating data traffic, etc.) and wait a bit while performing the capture. Thank you!

I noted that the same issue may have been reported in #10.

Regards,

p1-mmr, Jul 15 '19 09:07

Hi p1-mmr! Did this issue get resolved?

I have the same issue that I am not able to capture any traffic with the option --include-ip-traffic.

I have tested on a Samsung Galaxy S5 and Samsung Galaxy Note 4 with the same result.

What type of debug logs can I provide to you so that you are able to investigate the issue?

Thanks!

Lundmatt, Nov 19 '19 10:11