scat
samsungparser: Large diag items could be split into two diag items
I was trying to figure out why scat couldn't parse the UE Capability Information from a Samsung S10 5G (SM-G977B), so I added a raw writer.
I found out that the message I was looking for was split into two different buffers: https://github.com/fgsect/scat/blob/b553feb4b07940fb45ea669286e25cebf6232c5f/parsers/samsung/samsungparser.py#L137
This contains the first part of the UE Capability Information: first-buffer.txt
This contains the second part: second-buffer.txt
This is a pcap that contains the UE Capability Information mentioned above: UECAP-notparsed.pcap.zip
This contains a UE Capability Information parsed with scat; in that case the message is smaller because the operator requested only LTE bands 20, 7, 3 and 1: UECAP-parsed.pcap.zip
Note that the size of the first buffer is exactly 2000 bytes, so this size could be the max size of a diag item.
Hmm, that's interesting. I haven't seen that before and I will look into it.
Hmm, that's interesting, because 0x02 0x54 is LTE_RRC_ASN_VERSION (parsers/samsung/sdmcmd.py, also https://github.com/P1sec/LTE_monitor_c2xx/blob/master/wireshark/epan/dissectors/packet-c2xx.c#L413) and I don't think I've got similar packets from my traces.
On the other hand, SDM 5G RRC messages could be split into multiple fragments. There is similar combining logic in parsers/qualcomm/diag1xlogparser.py for IP packets. However, most of the 5G SA signaling messages I have analyzed fit within one packet.
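The report above observes that the first fragment is exactly 2000 bytes and the maintainer points to existing combining logic for fragmented messages. As an added example (not scat's own code and not the fix that was later committed), here is a minimal size-based reassembler in Python that implements the rule the report implies: an item of exactly the maximum size is a partial message, and a shorter item terminates it. `FragmentReassembler`, `reassemble`, `split_into_fragments` and the constant `MAX_ITEM_SIZE = 2000` are assumptions made for illustration; the sample stream is constructed, not taken from the attached buffers.

```python
"""Size-based reassembly of diag items split into fixed-size fragments.

Added example, not scat's code. Assumption (from the report above): a message
larger than one diag item is emitted as one or more full-size items of exactly
MAX_ITEM_SIZE bytes followed by a shorter tail item. MAX_ITEM_SIZE = 2000 is
taken from the observed first-buffer size and is hypothetical.
"""
from typing import Iterable, List, Optional

MAX_ITEM_SIZE = 2000  # hypothetical: observed size of the first fragment


def split_into_fragments(message: bytes, max_item_size: int = MAX_ITEM_SIZE) -> List[bytes]:
    """Simulate the modem side: cut a message into max_item_size-byte pieces.

    Used only to construct sample input here; real items come from the device.
    """
    return [message[i:i + max_item_size] for i in range(0, len(message), max_item_size)]


class FragmentReassembler:
    """Buffers full-size items until a shorter (final) item arrives.

    Limitation: a message whose length is an exact multiple of max_item_size
    is indistinguishable from a partial one, so it is only emitted by flush()
    at end of stream, or merged with whatever item follows it.
    """

    def __init__(self, max_item_size: int = MAX_ITEM_SIZE) -> None:
        if max_item_size <= 0:
            raise ValueError("max_item_size must be positive")
        self.max_item_size = max_item_size
        self._pending = bytearray()

    @property
    def pending_bytes(self) -> int:
        """Number of buffered bytes waiting for a terminating fragment."""
        return len(self._pending)

    def feed(self, payload: bytes) -> Optional[bytes]:
        """Add one item payload; return the complete message if this item ends one."""
        if len(payload) > self.max_item_size:
            raise ValueError(
                f"payload of {len(payload)} bytes exceeds max item size {self.max_item_size}"
            )
        self._pending += payload
        if len(payload) == self.max_item_size:
            return None  # full-size item: more fragments expected
        complete = bytes(self._pending)
        self._pending.clear()
        return complete

    def flush(self) -> Optional[bytes]:
        """Return pending data at end of stream (exact-multiple case), or None."""
        if not self._pending:
            return None
        complete = bytes(self._pending)
        self._pending.clear()
        return complete


def reassemble(payloads: Iterable[bytes], max_item_size: int = MAX_ITEM_SIZE) -> List[bytes]:
    """Run a whole stream of item payloads through the reassembler."""
    reassembler = FragmentReassembler(max_item_size)
    messages: List[bytes] = []
    for payload in payloads:
        message = reassembler.feed(payload)
        if message is not None:
            messages.append(message)
    tail = reassembler.flush()
    if tail is not None:
        messages.append(tail)
    return messages


# Constructed sample stream: a 2500-byte message (split by the modem into
# 2000 + 500 bytes) followed by a 120-byte message that fits in one item.
SAMPLE_LARGE = bytes(range(256)) * 9 + bytes(196)   # 2304 + 196 = 2500 bytes
SAMPLE_SMALL = b"\xaa" * 120
SAMPLE_STREAM = split_into_fragments(SAMPLE_LARGE) + split_into_fragments(SAMPLE_SMALL)


def demo() -> List[bytes]:
    """Reassemble the constructed stream; expected: [SAMPLE_LARGE, SAMPLE_SMALL]."""
    return reassemble(SAMPLE_STREAM)


if __name__ == "__main__":
    for index, message in enumerate(demo()):
        print(f"message {index}: {len(message)} bytes")
```

The size-only heuristic is the weak point: a 2000-byte message followed by a small unrelated item would be glued together, and a 4000-byte message only surfaces at `flush()`. If the SDM item header carries a length or continuation field, a real parser should key on that instead of the payload size; this example makes no claim about whether it does.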
Okay, confirmed the same packet split on Galaxy S22; fixes will be landing soon.
Closing by 8e5c4e8.