Raw android GSM radio modem access (text/call intercept)

OP n01ce

12th January 2014, 01:25 AM   |  #1  
Hello,

DISCLAIMER: This post is solely for academic purposes. Do not try to intercept a text or call as it is generally illegal in most if not all countries. Don't play with the licensed radio frequencies.

The question is: Can we use an Android phone, without any external radio receiver, to intercept a GSM call or text not destined to our phone? How?

Overview: GSM calls and texts use mostly insecure networks, protocols and encryption algorithms, all over the air.
This means that calls and texts can be intercepted and deciphered. This has been demonstrated at various security conferences and it is documented carrier-by-carrier at gsmmap.org.


Source: Decrypting GSM phone calls (Karsten Nohl)

Prerequisites: To hack a GSM call or text we need:
1. Processing power to run the A5/1 cracking software.
I don't know if there is any port on Android (ARM) platforms, but that's probably not a real issue.
2. A programmable radio receiver to have raw access to the digital data on the GSM uplink and downlink frequencies. That's where we DON'T want to use an external radio module, and use the phone's built-in radio module instead.

Let's have a look at the different issues behind this question:
A. Can the phone GSM modem listen to the uplinks (phone to GSM network) of other phones?
It is normally built to listen to the GSM downlinks. But whatever, we can already intercept much with the downlink.
Moreover, antennas may use some sort of beamforming that may require the hacker phone to be in a specific zone, if using a passive intercept technique.

B. What piece of software "filters" the GSM data not destined to the phone?
First, we need to understand how the radio data is accessed on Android.


Source: Radio Layer Interface (Android Open Source Project, Kandroid)

The GSM filtering (in terms of frequency selection or data dismissal) should either occur at the baseband level or at the RIL level. Otherwise, that would mean it's handled directly in the radio chipset (and I don't think we can do much in this latter case...).
The RIL communicates with the baseband with AT commands (specs here). These AT commands seem to be too high-level to treat raw data streams.
So I guess the suspect is the baseband firmware, but I may be wrong.

C. Can we hack the baseband to access raw GSM data not destined to the phone?
Technically, yes, it's a file flashable with ODIN. (The RIL can be flashed too).
But I've not seen on this forum any special activity on custom baseband development (it's always official baseband firmware).
The issue is that the baseband is hardware-specific and it is closed-source: "Every mobile device that is connected to a cellular network runs some kind of baseband processor with highly proprietary and closed-source firmware." (source).
Attempts to hack official baseband firmwares to develop custom baseband firmwares are still only an emerging concept, at the specification study level.
Regarding open-source software, note that "Airprobe has, for most users, since been replaced by the cheaper Osmocom phones". OsmocomBB "is a Free Software / Open Source GSM Baseband software implementation. It intends to completely replace the need for a proprietary GSM baseband software". However, the list of OsmocomBB-compatible phones is very limited.

The help and knowledge of the xda community would be much appreciated to progress on this topic.

[EDIT] Interesting links:
Decompiling baseband firmware?
HackRF external transceiver (~300$)
[FAQ] The Baseband (Optimus 2x) by sudden36
Monitor mode for Broadcom WiFi Chipsets by Omri Ildis, Yuval Ofir and Ruby Feinstein (check their RECon PPTX presentation with footnotes to see how they reverse engineered the WiFi chipset firmware based on ARM)
Last edited by n01ce; 19th January 2014 at 09:48 AM.
13th January 2014, 02:17 AM   |  #2  
E:V:A
First of all, this thread should be moved to "Security Discussions".

Second, you'll have quite some additional reading to do...

Then you'll have to realize that the firmware on the baseband is on the order of 60 MB for Qualcomm and 12 MB for Intel (XMM) BPs.

What you propose is certainly possible, if not already done with some NSA devices. (Check out their product catalog!) And they have help from QCOM and Intel etc.

Also, much of the BB code running in QCOM's modem devices is for Hexagon cores, which are harder to decompile, because of proprietary reasons. But the type of interception you're talking about seems very difficult if you don't know PhD loads of GSM and other mobile phone technology.
Last edited by E:V:A; 13th January 2014 at 02:19 AM.
19th January 2014, 03:22 PM   |  #3  
Cyboy
Ha?!
8th June 2014, 03:31 AM   |  #4  
n01ce
Quote:
Originally Posted by E:V:A

First of all, this thread should be moved to "Security Discussions".

Second, you'll have quite some additional reading to do...

Then you'll have to realize that the firmware on the baseband is on the order of 60 MB for Qualcomm and 12 MB for Intel (XMM) BPs.

What you propose is certainly possible, if not already done with some NSA devices. (Check out their product catalog!) And they have help from QCOM and Intel etc.

Also, much of the BB code running in QCOM's modem devices is for Hexagon cores, which are harder to decompile, because of proprietary reasons. But the type of interception you're talking about seems very difficult if you don't know PhD loads of GSM and other mobile phone technology.

Hi E:V:A,

Thanks for the information. I've been investigating how the bcmon team performed their hack of the Broadcom 4329/4330 chipset on the Galaxy S1.
I'm trying to check if we can apply something similar to the GSM radio.
WiFi monitor mode is just achieved by bypassing some checks in the DSP firmware like "is this packet for me?" (indeed they enable the built-in monitor mode flag of the firmware) and transferring all the received traffic on the MMC bus, on a test channel. The patched firmware is applied to the chipset by simply using Broadcom driver write functions that write to the Wi-Fi chipset RAM (there is no signature check, and there are also some mechanisms to "overwrite" functions of the chipset ROM code).

Something similar may be achieved with the baseband. It will be more difficult as the RIL is closed-source. Still, I think Replicant provides an open-source alternative; I have to check libsamsung-ipc and Samsung-RIL.
On the Galaxy S1, the baseband is an XMM6160 as you pointed out in some thread. Luckily, this phone is too old to have a Snapdragon chipset with a Hexagon DSP.
Decompiling /radio/modem.bin in ARM mode makes me think it's indeed ARM and that we may be able to do something.

Although I have very bad ARM decompilation skills, some parts of the code seem meaningful when decompiled using the ARM architecture.

Here's an extract (reverse engineering is allowed to this extent under my country's law):

Code:
ROM:0050FF0C aOemPsdPsd_utac DCB "[OEM PSD] PSD_UtaCallPsSetReqQos2gReq",0

ROM:005AFED0 aMifNjfAmfLimit DCB "i`j`m`Limit over:150charsline",0
ROM:005AFEF4 aSmsErrorInInit DCB "[SMS]Error in initialising SMS",0

ROM:007DA718 aCatTraceSta_36 DCB " CAT TRACE:: status IND cause = MS_PAGING_PENDING at Line:%u Fil"
ROM:007DA718                 DCB "e: ",0x22,"%s",0x22," Func: ",0x22,"%s( )",0x22," ",0

ROM:0081A921 aT_resel_intra_ DCB "t_resel_intra_freq_high_mob",0
Baseband "modem.bin" ARM decompilation result (from what I understand, blue is successfully decompiled code, white is blank space and undecoded code, red is decompiled code with issues like references to ROM code that are indeed not part of the modem file):


By the way, this proprietary stuff (baseband + RIL) has a "backdoor" (the modem chipset actually has root access to the phone data, but that doesn't mean there's a GSM backdoor in the actual baseband code).

[EDIT] After reviewing the GSM specs, SMS are carried over "Dedicated Control Channels" (between the base station and the mobile device), which the phone is certainly not going to listen to naturally. Moreover this channel, as an effect of TDMA, is hopping between frequencies. As the baseband is closed-source, it's not going to be a simple hack to just read the raw radio-frequency data and guess the next frequency hop; that's practically impossible without a programmable standard hardware chipset or, better, dedicated hardware that sniffs all channels simultaneously. HackRF should be useful for that, but it's still not small-form-factor enough to use it as a mobile phone peripheral.
Last edited by n01ce; 12th July 2014 at 10:08 AM.
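The string listing in the post above is the kind of output a firmware triage pass produces before any real decompilation. As an added example, not code from this thread or from the poster, here is a small Python script that does that pass on a raw firmware image: it pulls NUL-terminated printable strings out of a blob with their offsets, derives an IDA-style label for each (the naming rule is inferred from the labels quoted in the post, "a" plus capitalised tokens cut to 14 characters, and is an assumption; IDA's "_N" collision suffix is not reproduced), and groups the strings by the leading "[SUBSYSTEM]" tag of log messages so an analyst can inventory which modem subsystems an image contains and diff two builds. The input blob is constructed inline, since the real modem.bin is not available here; the offsets and base address are therefore made up too.

```python
"""Firmware string triage in the style of an IDA string listing (added example)."""
import re
from collections import defaultdict
from typing import NamedTuple


class FoundString(NamedTuple):
    offset: int   # position in the blob, plus an optional load base
    text: str     # decoded ASCII text without the terminating NUL
    label: str    # IDA-style name such as aSmsErrorInInit


def ida_label(text: str, max_len: int = 14) -> str:
    """Mimic IDA's default string-variable naming as seen in the post's listing.

    Assumed rule: split on anything that is not an identifier character,
    capitalise each token, join, keep the first max_len characters, prefix 'a'.
    """
    tokens = re.findall(r"[A-Za-z0-9_]+", text)
    joined = "".join(tok[:1].upper() + tok[1:].lower() for tok in tokens)
    return "a" + joined[:max_len]


def extract_strings(blob: bytes, min_len: int = 8, base: int = 0) -> list[FoundString]:
    """Return NUL-terminated printable-ASCII runs of at least min_len bytes.

    Requiring the NUL terminator (the C-string convention used by firmware
    log messages) drops most accidental printable runs inside code or tables.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}\x00" % min_len)
    found = []
    for m in pattern.finditer(blob):
        text = m.group()[:-1].decode("ascii")
        found.append(FoundString(base + m.start(), text, ida_label(text)))
    return found


TAG_RE = re.compile(r"^\s*\[([^\]]+)\]")


def subsystem_inventory(found: list[FoundString]) -> dict[str, list[str]]:
    """Group strings by their leading [TAG]; strings without one go under 'untagged'."""
    groups: dict[str, list[str]] = defaultdict(list)
    for s in found:
        m = TAG_RE.match(s.text)
        groups[m.group(1) if m else "untagged"].append(s.text)
    return dict(groups)


# Constructed sample image: binary noise around a few log strings modelled on
# the ones quoted in the post. Not a real modem.bin.
SAMPLE_BLOB = (
    b"\x00\x10\x20\x30\xff\xfe\x01\x02"
    + b"[OEM PSD] PSD_UtaCallPsSetReqQos2gReq\x00"
    + b"\x7f\x80\x81\x00\x00"
    + b"[SMS]Error in initialising SMS\x00"
    + b"ABC\x00"                          # too short to be reported
    + b"t_resel_intra_freq_high_mob\x00"
    + b"\xde\xad\xbe\xef" * 4
)


if __name__ == "__main__":
    # Hypothetical load base, purely for display; real images need the right one.
    for s in extract_strings(SAMPLE_BLOB, base=0x500000):
        print(f"ROM:{s.offset:08X} {s.label:<16} {s.text!r}")
    for tag, texts in subsystem_inventory(extract_strings(SAMPLE_BLOB)).items():
        print(f"{tag}: {len(texts)} string(s)")
```

Run it as is to see the listing for the constructed blob; to use it on an image, read the file into `blob` and pass the load base the disassembler reports so the printed offsets line up with the `ROM:` addresses. Printable runs that are not NUL-terminated are deliberately skipped, which is the right trade-off for log-message inventory but would miss length-prefixed strings.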