Playing With OsmocomBB

What is OsmocomBB? Here is a short description of the project from its official website:

OsmocomBB is a Free Software / Open Source GSM Baseband software implementation.
It intends to completely replace the need for a proprietary GSM baseband software, such as:
- drivers for the GSM analog and digital baseband (integrated and external) peripherals
- the GSM phone-side protocol stack, from layer 1 up to layer 3
In short: By using OsmocomBB on a compatible phone, you are able to make and receive phone calls, send and receive SMS, etc. based on Free Software only.

The official OsmocomBB website explains clearly what is needed to start playing with the project. I use OS X; after installing the required toolchain I could compile everything and then make a test call from a Motorola C115 running OsmocomBB with a SIM card from operator XXX.

As noted in the wiki, reading the SIM card is not supported by the OsmocomBB master branch; that support can be taken from sylvain's testing branch. Reading the SIM here means reading the subscriber data the operator provisioned, such as the IMSI (International Mobile Subscriber Identity) and the ICCID, and letting the SIM run its authentication algorithm so that the phone can attach to the operator's network. Note that the Ki (the per-subscriber secret key used for authentication and for deriving the Kc cipher key) cannot be read out: it never leaves the SIM, the phone only hands the SIM a RAND challenge and receives SRES and Kc back.

$ git clone git://git.osmocom.org/osmocom-bb.git osmocombb-sylvain
Cloning into osmocombb-sylvain...
remote: Counting objects: 12787, done.
remote: Compressing objects: 100% (3786/3786), done.
remote: Total 12787 (delta 9238), reused 11734 (delta 8467)
Receiving objects: 100% (12787/12787), 2.16 MiB | 53 KiB/s, done.
Resolving deltas: 100% (9238/9238), done.
mrs@infosec-id:~/Trunk/GIT
$ cd osmocombb-sylvain/
mrs@infosec-id:~/Trunk/GIT/osmocombb-sylvain
$ git checkout -b testing remotes/origin/sylvain/testing
Branch testing set up to track remote branch sylvain/testing from origin.
Switched to a new branch 'testing'

The next step is to enable the TX feature so that OsmocomBB can transmit (open a connection to the operator's network), by removing the hash sign in front of CFLAGS += -DCONFIG_TX_ENABLE in the firmware Makefile (src/target/firmware/Makefile). That line is commented out by default for a reason: with TX enabled the phone emits on licensed GSM spectrum, so only do this where you are allowed to transmit (your own SIM on a network you are authorised to use, or a test setup).

mrs@infosec-id:~/Trunk/GIT/osmocombb-sylvain
$ cd src/target
target/ target_dsp/
mrs@infosec-id:~/Trunk/GIT/osmocombb-sylvain
$ cd src/target/firmware/
mrs@infosec-id:~/Trunk/GIT/osmocombb-sylvain/src/target/firmware
$ vi Makefile

The rest is just compiling from the src folder (make sure the toolchain for the ARM architecture is properly installed on the system you use). The build produces the osmocon application, the OsmocomBB firmware, and the mobile application (layer23).

Sometimes compilation fails. Here is one example of such an error on the machine I used (Mac OS X),

checking for ranlib... ranlib
./configure: line 3461: syntax error near unexpected token `LIBOSMOCORE,'
./configure: line 3461: `PKG_CHECK_MODULES(LIBOSMOCORE, libosmocore)'
make: *** [host/layer23/Makefile] Error 2

If the error above shows up, here are the steps I took,

cd host/layer23
aclocal -I /opt/local/share/aclocal
autoheader
automake
autoconf

Compilation problems are of course common, and troubleshooting differs from one setup / machine to the next. The error above means that aclocal did not find pkg.m4, the macro file that defines PKG_CHECK_MODULES; pointing it at the directory where pkg-config installed that file (/opt/local/share/aclocal for MacPorts) and regenerating configure fixes it.

Firmware

The OsmocomBB firmware is layer 1; it is downloaded into the target and depends on which target we use. Which targets are supported and which firmware build matches each of them is listed in the OsmocomBB wiki; I use a Motorola C115, which takes the firmware built for the compal_e88 board. This firmware does the low-level work, including 'listening' on a frequency and instructing the C115 hardware to transmit.

Osmocon

The firmware is sent from the host we use (e.g. a laptop) with the osmocon application. Osmocon manages the upload from the host (laptop) to the target (phone) over a USB-to-Serial cable; on OS X the PL2303 USB-to-Serial driver must be installed first. In other words, osmocon loads the firmware from our host machine, and it also opens the UNIX sockets /tmp/osmocom_l2 and /tmp/osmocom_loader, which the mobile application (layer 2 and layer 3) later uses to communicate with the firmware. More detail about osmocon can be found in the OsmocomBB wiki.

Here is osmocon loading the “Hello, World” firmware. This firmware only shows that, through osmocon, we already have code execution on the target phone, in the form of writing to the phone's display. Nothing on the phone checks what it is being sent: the Compal ramloader performs no signature check on the image it receives over the serial line and simply jumps into it, which is exactly what makes OsmocomBB possible on this hardware.

mrs@infosec-id:~/Trunk/GIT/osmocombb-sylvain/src/host/osmocon
$ ./osmocon -p /dev/tty.usbserial -m c123xor ../../target/firmware/board/compal_e88/hello_world.compalram.bin
got 6 bytes from modem, data looks like: 00 00 00 00 00 00 ......
got 1 bytes from modem, data looks like: 2f /
got 1 bytes from modem, data looks like: 81 .
got 1 bytes from modem, data looks like: 1b .
got 1 bytes from modem, data looks like: f6 .
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 41 A
got 1 bytes from modem, data looks like: 01 .
got 1 bytes from modem, data looks like: 40 @
Received PROMPT1 from phone, responding with CMD
read_file(../../target/firmware/board/compal_e88/hello_world.compalram.bin): file_size=18536, hdr_len=4, dnload_len=18543
got 1 bytes from modem, data looks like: 1b .
got 1 bytes from modem, data looks like: f6 .
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 41 A
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 43 C
Received PROMPT2 from phone, starting download
handle_write(): 1024 bytes (1024/18543)
handle_write(): 1024 bytes (2048/18543)
handle_write(): 1024 bytes (3072/18543)
handle_write(): 1024 bytes (4096/18543)
handle_write(): 1024 bytes (5120/18543)
handle_write(): 1024 bytes (6144/18543)
handle_write(): 1024 bytes (7168/18543)
handle_write(): 1024 bytes (8192/18543)
handle_write(): 1024 bytes (9216/18543)
handle_write(): 1024 bytes (10240/18543)
handle_write(): 1024 bytes (11264/18543)
handle_write(): 1024 bytes (12288/18543)
handle_write(): 1024 bytes (13312/18543)
handle_write(): 1024 bytes (14336/18543)
handle_write(): 1024 bytes (15360/18543)
handle_write(): 1024 bytes (16384/18543)
handle_write(): 1024 bytes (17408/18543)
handle_write(): 1024 bytes (18432/18543)
handle_write(): 111 bytes (18543/18543)
handle_write(): finished
got 1 bytes from modem, data looks like: 1b .
got 1 bytes from modem, data looks like: f6 .
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 41 A
got 1 bytes from modem, data looks like: 03 .
got 1 bytes from modem, data looks like: 42 B
Received DOWNLOAD ACK from phone, your code is running now!

OSMOCOM Hello World (revision osmocon_v0.0.0-906-g5589a6b-modified)
======================================================================
Device ID code: 0xb4fb
Device Version code: 0x0000
ARM ID code: 0xfff3
cDSP ID code: 0x0128
Die ID code: f5161c1cb0038f7c
======================================================================
REG_DPLL=0x2413
CNTL_ARM_CLK=0xf0a1
CNTL_CLK=0xff91
CNTL_RST=0xfff3
CNTL_ARM_DIV=0xfff9
==============================================

And here is the result (the original post shows a photo of the phone's display at this point).

Mobile Application (Layer 2 & Layer 3)

The mobile application implements layer 2 and layer 3; it handles the high-level interaction with an operator's network. For example, during a location update (locup) the mobile application drives the reading of the SIM in the phone and the exchange with the operator's network for authentication against the HLR (Home Location Register). It also handles calls.

The mobile application uses the UNIX socket provided by osmocon, and it opens port 4247 on the host machine. Port 4247 is used for interaction between the user and the mobile application via telnet: the user can enter commands to read the SIM, list the networks that are available and visible to OsmocomBB, and place calls. This VTY has no authentication and, as the 'show subscriber' output further down shows, it reveals the IMSI, the TMSI and the current Kc, so leave it bound to 127.0.0.1.

The mobile application also enables GSMTAP, which sends the captured GSM frames to localhost UDP port 4729. To read that stream we can use netcat (in UDP mode) listening on port 4729, and run Wireshark, which supports the GSMTAP protocol, on port 4729. I found that the mobile application now opens / listens on port 4729 by itself, so netcat is not needed, but if anyone sees an error like “connection refused to write gsmtap” they can use netcat.

Here is an example of sniffing packets with Ethereal (now Wireshark) configured to show the GSMTAP stream (port 4729); the screenshot is in the original post.

Test Call

Here is the “Test Call” process using OsmocomBB with an XXX SIM card. I did not flash the phone, so the firmware upload is temporary (it runs from RAM) and does not erase the original firmware of the Motorola device.

mrs@infosec-id:~/Trunk/GIT/osmocombb-sylvain/src/host/osmocon
$ ./osmocon -p /dev/tty.usbserial -m c123xor ../../target/firmware/board/compal_e88/layer1.compalram.bin
got 7 bytes from modem, data looks like: 81 1b f6 02 00 41 01 .....A.
got 1 bytes from modem, data looks like: 40 @
Received PROMPT1 from phone, responding with CMD
read_file(../../target/firmware/board/compal_e88/layer1.compalram.bin): file_size=50276, hdr_len=4, dnload_len=50283
got 1 bytes from modem, data looks like: 66 f
got 1 bytes from modem, data looks like: 74 t
got 1 bytes from modem, data looks like: 6d m
got 1 bytes from modem, data looks like: 74 t
got 1 bytes from modem, data looks like: 6f o
got 1 bytes from modem, data looks like: 6f o
got 1 bytes from modem, data looks like: 6c l
Received FTMTOOL from phone, ramloader has aborted
got 1 bytes from modem, data looks like: 65 e
got 1 bytes from modem, data looks like: 72 r
got 1 bytes from modem, data looks like: 72 r
got 1 bytes from modem, data looks like: 6f o
got 1 bytes from modem, data looks like: 72 r
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 2f /
got 1 bytes from modem, data looks like: 81 .
got 1 bytes from modem, data looks like: 1b .
got 1 bytes from modem, data looks like: f6 .
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 41 A
got 1 bytes from modem, data looks like: 01 .
got 1 bytes from modem, data looks like: 40 @
Received PROMPT1 from phone, responding with CMD
read_file(../../target/firmware/board/compal_e88/layer1.compalram.bin): file_size=50276, hdr_len=4, dnload_len=50283
got 1 bytes from modem, data looks like: 1b .
got 1 bytes from modem, data looks like: f6 .
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 41 A
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 43 C
Received PROMPT2 from phone, starting download
handle_write(): 1023 bytes (1023/50283)
handle_write(): 1024 bytes (2047/50283)
handle_write(): 1024 bytes (3071/50283)
handle_write(): 1024 bytes (4095/50283)
handle_write(): 1024 bytes (5119/50283)
handle_write(): 1024 bytes (6143/50283)
handle_write(): 1024 bytes (7167/50283)
handle_write(): 1024 bytes (8191/50283)
handle_write(): 1024 bytes (9215/50283)
handle_write(): 1024 bytes (10239/50283)
handle_write(): 1024 bytes (11263/50283)
handle_write(): 1024 bytes (12287/50283)
handle_write(): 1024 bytes (13311/50283)
handle_write(): 1024 bytes (14335/50283)
handle_write(): 1024 bytes (15359/50283)
handle_write(): 1024 bytes (16383/50283)
handle_write(): 1024 bytes (17407/50283)
handle_write(): 1024 bytes (18431/50283)
handle_write(): 1024 bytes (19455/50283)
handle_write(): 1024 bytes (20479/50283)
handle_write(): 1024 bytes (21503/50283)
handle_write(): 1024 bytes (22527/50283)
handle_write(): 1024 bytes (23551/50283)
handle_write(): 1024 bytes (24575/50283)
handle_write(): 1024 bytes (25599/50283)
handle_write(): 1024 bytes (26623/50283)
handle_write(): 1024 bytes (27647/50283)
handle_write(): 1024 bytes (28671/50283)
handle_write(): 1024 bytes (29695/50283)
handle_write(): 1024 bytes (30719/50283)
handle_write(): 1024 bytes (31743/50283)
handle_write(): 1024 bytes (32767/50283)
handle_write(): 1024 bytes (33791/50283)
handle_write(): 1024 bytes (34815/50283)
handle_write(): 1024 bytes (35839/50283)
handle_write(): 1024 bytes (36863/50283)
handle_write(): 1024 bytes (37887/50283)
handle_write(): 1024 bytes (38911/50283)
handle_write(): 1024 bytes (39935/50283)
handle_write(): 1024 bytes (40959/50283)
handle_write(): 1024 bytes (41983/50283)
handle_write(): 1024 bytes (43007/50283)
handle_write(): 1024 bytes (44031/50283)
handle_write(): 1024 bytes (45055/50283)
handle_write(): 1024 bytes (46079/50283)
handle_write(): 1024 bytes (47103/50283)
handle_write(): 1024 bytes (48127/50283)
handle_write(): 1024 bytes (49151/50283)
handle_write(): 1024 bytes (50175/50283)
handle_write(): 108 bytes (50283/50283)
handle_write(): finished
got 1 bytes from modem, data looks like: 1b .
got 1 bytes from modem, data looks like: f6 .
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 41 A
got 1 bytes from modem, data looks like: 03 .
got 1 bytes from modem, data looks like: 42 B
Received DOWNLOAD ACK from phone, your code is running now!

OSMOCOM Layer 1 (revision osmocon_v0.0.0-906-g5589a6b-modified)
======================================================================
Device ID code: 0xb4fb
Device Version code: 0x0000
ARM ID code: 0xfff3
cDSP ID code: 0x0128
Die ID code: f5161c1cb0038f7c
======================================================================
REG_DPLL=0x2413
CNTL_ARM_CLK=0xf0a1
CNTL_CLK=0xff91
CNTL_RST=0xfff3
CNTL_ARM_DIV=0xfff9
======================================================================
Power up simcard:
Assert DSP into Reset
Releasing DSP from Reset
Setting some dsp_api.ndb values
Setting API NDB parameters
DSP Download Status: 0x0001
DSP API Version: 0x0000 0x0000
Finishing download phase
DSP Download Status: 0x0002
DSP API Version: 0x3606 0x0000
LOST 998!

Quite often the firmware upload does not go smoothly. Things to try:

1. Pull the battery and retry.
2. Start the phone into its original firmware, switch it off again, and retry the firmware upload with osmocon.
3. Unplug the USB cable, wait a moment, plug it back in, wait until the operating system detects it, and run osmocon again.

The upload is triggered / started by pressing the power button on the phone while osmocon is waiting.
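The osmocon logs above show what a good and a bad upload look like on the wire: the phone's ramloader announces itself with a fixed 7-byte prompt, osmocon answers, a second prompt arrives, the image is written in 1024-byte chunks, and a final acknowledgement means the code is running; when "ftmtool" shows up instead, the loader has aborted and the whole handshake restarts. The following is an added example written for this post, not osmocon's own code: a small recogniser for that byte stream, plus the length rule for the upload. The magic sequences are copied from the logs above; the rule dnload_len = hdr_len + file_size + 3 is inferred from the two read_file() lines (18536 + 4 + 3 = 18543 and 50276 + 4 + 3 = 50283) and is an assumption about osmocon's framing, and the replayed session is assembled from the bytes printed in the second log.

```python
"""Recognise the Compal ramloader handshake events that osmocon prints.

Added example for this post; not osmocon's code. Magic sequences are taken
from the osmocon output in the post; the length rule in download_len() is an
assumption inferred from osmocon's read_file() lines.
"""

# Sequences the phone sends, as seen in the osmocon log.
PROMPT1 = bytes.fromhex("1bf60200410140")       # loader ready: osmocon answers with CMD
PROMPT2 = bytes.fromhex("1bf60200410243")       # CMD accepted: osmocon starts the download
DOWNLOAD_ACK = bytes.fromhex("1bf60200410342")  # image received, phone jumped into it
FTMTOOL = b"ftmtool"                            # phone's factory-test tool answered: loader aborted
MAGICS = (PROMPT1, PROMPT2, DOWNLOAD_ACK, FTMTOOL)
TAIL = max(len(m) for m in MAGICS) - 1          # bytes to keep between reads


class RamloaderMonitor:
    """Feed it the raw serial bytes in any chunking; it yields handshake events in order."""

    def __init__(self):
        self.buf = b""
        self.state = "WAIT_PROMPT1"
        self.events = []

    def _emit(self, event, new_state):
        self.events.append(event)
        self.state = new_state

    def _handle(self, magic):
        if magic == FTMTOOL:
            # The phone's own firmware / factory tool came up instead of the loader.
            self._emit("ramloader aborted (ftmtool): retry", "WAIT_PROMPT1")
        elif magic == PROMPT1:
            # A new prompt restarts the handshake whatever state we were in.
            self._emit("PROMPT1: respond with CMD", "WAIT_PROMPT2")
        elif magic == PROMPT2 and self.state == "WAIT_PROMPT2":
            self._emit("PROMPT2: start download", "DOWNLOADING")
        elif magic == DOWNLOAD_ACK and self.state == "DOWNLOADING":
            self._emit("DOWNLOAD ACK: code is running", "RUNNING")
        else:
            self._emit("unexpected %r in state %s" % (magic, self.state), self.state)

    def feed(self, data: bytes) -> list:
        """Consume bytes and return the events produced by this chunk."""
        before = len(self.events)
        self.buf += data
        while True:
            hits = [(self.buf.find(m), m) for m in MAGICS if m in self.buf]
            if not hits:
                self.buf = self.buf[-TAIL:]          # keep a tail that may complete a magic
                break
            idx, magic = min(hits)                   # earliest complete match wins
            self._handle(magic)
            self.buf = self.buf[idx + len(magic):]
        return self.events[before:]


def download_len(file_size: int, hdr_len: int = 4) -> int:
    """Total bytes osmocon writes for a compalram image (assumed: header + file + 3)."""
    return hdr_len + file_size + 3


def write_count(dnload_len: int, chunk: int = 1024) -> int:
    """Number of handle_write() calls at the 1024-byte chunk size seen in the log."""
    return -(-dnload_len // chunk)


def replay_logged_session() -> list:
    """Replay the bytes from the second (layer1) upload log, including the ftmtool abort."""
    mon = RamloaderMonitor()
    mon.feed(bytes.fromhex("811bf60200410140"))   # "got 7 bytes ... 81 1b f6 02 00 41 01" + "40"
    mon.feed(b"ftmtool")                          # "Received FTMTOOL from phone, ramloader has aborted"
    mon.feed(b"error" + bytes.fromhex("0000002f81"))
    mon.feed(PROMPT1)                             # second PROMPT1 after the phone restarted
    mon.feed(PROMPT2)
    mon.feed(DOWNLOAD_ACK)
    return mon.events


if __name__ == "__main__":
    for ev in replay_logged_session():
        print(ev)
    print("layer1.compalram.bin:", download_len(50276), "bytes in", write_count(download_len(50276)), "writes")
```

Reading the events this way makes the troubleshooting list above concrete: anything that ends in "ramloader aborted" means the phone booted its own firmware before osmocon could answer the prompt, and the only fix is to power-cycle and let osmocon catch the next PROMPT1.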

Here is one view of the mobile application (telnet to localhost port 4247) for network XXX (screenshot in the original post),

And here is one ‘dump’ of the mobile application's output. We can see that the firmware can ‘listen’ to the downlink broadcast and common control channels of the operator's BTS, that is, to the traffic the BTS addresses to every phone in the cell. The picture below (in the original post) shows PAGING REQUEST activity.

As mentioned earlier, the mobile application uses GSMTAP to forward the stream of GSM frames, and we can analyse it in Wireshark (filter on UDP port 4729), which supports the GSMTAP protocol. Here is a Wireshark view of the PAGING REQUEST activity above (screenshot in the original post).
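For the GSMTAP stream described in the mobile-application section and here, the following is an added example written for this post, not OsmocomBB or Wireshark code: a receiver that binds UDP port 4729 in place of netcat/Wireshark, splits each datagram into the GSMTAP v2 header fields (version, header length, type, timeslot, ARFCN with its uplink/PCS flags, signal, SNR, frame number, channel sub-type), and for downlink CCCH blocks decodes the L2 pseudo-length octet and the GSM 04.08 Radio Resource message behind it, pulling the paged TMSI or IMSI out of a PAGING REQUEST TYPE 1. The header layout and field layouts follow the public GSMTAP and GSM 04.08 definitions; the datagram produced by build_sample_paging_datagram() is constructed for this example (the TMSI 0x12345678 and ARFCN 871 are made up), not captured from the air.

```python
"""Receive and decode the GSMTAP v2 stream the OsmocomBB mobile app sends to UDP 127.0.0.1:4729.

Added example for this post (not OsmocomBB or Wireshark code). The sample
datagram is constructed here, not captured.
"""
import socket
import struct

GSMTAP_PORT = 4729
GSMTAP_VERSION = 2
GSMTAP_TYPE_UM = 0x01            # 'type' used for Um (air interface) frames
GSMTAP_ARFCN_F_UPLINK = 0x4000   # flags carried in the upper bits of the 16-bit ARFCN field
GSMTAP_ARFCN_F_PCS = 0x8000
GSMTAP_ARFCN_MASK = 0x3fff
GSMTAP_CHANNEL_ACCH = 0x80       # flag in sub_type: associated control channel (SACCH/FACCH)
CHANNEL_NAMES = {0x00: "UNKNOWN", 0x01: "BCCH", 0x02: "CCCH", 0x03: "RACH", 0x04: "AGCH",
                 0x05: "PCH", 0x06: "SDCCH", 0x07: "SDCCH4", 0x08: "SDCCH8", 0x09: "TCH/F",
                 0x0a: "TCH/H", 0x0b: "PACCH", 0x0c: "CBCH52", 0x0d: "PDCH", 0x0e: "PTCCH",
                 0x0f: "CBCH51"}
HDR_FMT = ">BBBBHbbIBBBB"        # GSMTAP v2 header, 16 bytes, network byte order
HDR_LEN = struct.calcsize(HDR_FMT)
RR_PD = 0x06                     # GSM 04.08 protocol discriminator: Radio Resource
RR_MSG_NAMES = {0x21: "PAGING REQUEST TYPE 1", 0x22: "PAGING REQUEST TYPE 2",
                0x24: "PAGING REQUEST TYPE 3", 0x3f: "IMMEDIATE ASSIGNMENT",
                0x19: "SYSTEM INFORMATION TYPE 1", 0x1a: "SYSTEM INFORMATION TYPE 2",
                0x1b: "SYSTEM INFORMATION TYPE 3", 0x1c: "SYSTEM INFORMATION TYPE 4"}
MI_TYPES = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}


def parse_gsmtap(datagram: bytes) -> dict:
    """Split one UDP datagram into the GSMTAP header fields and the raw frame."""
    if len(datagram) < HDR_LEN:
        raise ValueError("datagram shorter than a GSMTAP v2 header")
    (version, hdr_words, gtype, ts, arfcn, sig, snr, fn,
     sub_type, antenna, sub_slot, _res) = struct.unpack(HDR_FMT, datagram[:HDR_LEN])
    if version != GSMTAP_VERSION or not HDR_LEN <= hdr_words * 4 <= len(datagram):
        raise ValueError("not a GSMTAP v2 datagram")
    name = CHANNEL_NAMES.get(sub_type & 0x7f, "?") + ("+ACCH" if sub_type & GSMTAP_CHANNEL_ACCH else "")
    return {"type": gtype, "timeslot": ts, "sub_slot": sub_slot, "antenna": antenna,
            "arfcn": arfcn & GSMTAP_ARFCN_MASK, "uplink": bool(arfcn & GSMTAP_ARFCN_F_UPLINK),
            "pcs": bool(arfcn & GSMTAP_ARFCN_F_PCS), "signal_dbm": sig, "snr_db": snr,
            "frame_number": fn, "channel": name, "payload": datagram[hdr_words * 4:]}


def parse_mobile_identity(mi: bytes) -> dict:
    """GSM 04.08 10.5.1.4 Mobile Identity: TMSI as 4 raw octets, IMSI/IMEI as packed BCD."""
    if not mi:
        return {"type": "none"}
    id_type, odd = mi[0] & 0x07, (mi[0] >> 3) & 0x01
    if id_type == 4:
        if len(mi) != 5:
            return {"type": "TMSI", "error": "bad length"}
        return {"type": "TMSI", "value": "0x%08x" % struct.unpack(">I", mi[1:])[0]}
    if id_type in (1, 2, 3):
        digits = [str(mi[0] >> 4)]                  # digit 1 is the upper nibble of octet 1
        for b in mi[1:]:
            digits += [str(b & 0x0f), str(b >> 4)]  # then low nibble, high nibble per octet
        if not odd:
            digits.pop()                            # even digit count: last nibble is 0xF filler
        return {"type": MI_TYPES[id_type], "value": "".join(digits)}
    return {"type": "unknown(%d)" % id_type}


def parse_paging_request_type1(l3: bytes) -> dict:
    """GSM 04.08 9.1.22: page mode / channels needed, Mobile Identity 1 (LV), optional MI 2 (TLV 0x17)."""
    out = {"page_mode": l3[2] & 0x03, "channels_needed": l3[2] >> 4, "identities": []}
    pos = 3
    if pos < len(l3):
        n = l3[pos]
        out["identities"].append(parse_mobile_identity(l3[pos + 1:pos + 1 + n]))
        pos += 1 + n
    if pos + 1 < len(l3) and l3[pos] == 0x17:
        n = l3[pos + 1]
        out["identities"].append(parse_mobile_identity(l3[pos + 2:pos + 2 + n]))
    return out


def decode_ccch(block: bytes) -> dict:
    """Downlink CCCH/BCCH block: L2 pseudo-length octet, L3 message, then 0x2B fill octets."""
    if not block or (block[0] & 0x03) != 0x01:
        return {"error": "no L2 pseudo-length octet"}
    l3 = block[1:1 + (block[0] >> 2)]
    if len(l3) < 2:
        return {"error": "truncated L3"}
    pd, mt = l3[0] & 0x0f, l3[1]
    out = {"pd": pd, "msg_type": mt,
           "name": RR_MSG_NAMES.get(mt, "RR 0x%02x" % mt) if pd == RR_PD else "PD 0x%x" % pd}
    if pd == RR_PD and mt == 0x21 and len(l3) >= 4:
        out.update(parse_paging_request_type1(l3))
    return out


def build_sample_paging_datagram(tmsi: int = 0x12345678) -> bytes:
    """Constructed input (not a capture): PAGING REQUEST TYPE 1 for one TMSI on the CCCH,
    wrapped in a GSMTAP v2 header for downlink ARFCN 871, frame number 1234567."""
    l3 = bytes([RR_PD, 0x21, 0x00, 0x05, 0xf4]) + struct.pack(">I", tmsi)
    block = bytes([(len(l3) << 2) | 0x01]) + l3
    block += b"\x2b" * (23 - len(block))
    hdr = struct.pack(HDR_FMT, GSMTAP_VERSION, HDR_LEN // 4, GSMTAP_TYPE_UM, 0,
                      871, -70, 12, 1234567, 0x02, 0, 0, 0)
    return hdr + block


def listen(port=GSMTAP_PORT, max_packets=None):
    """Bind the GSMTAP port (only one process can, so not while Wireshark holds it) and print frames."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", port))
    seen = 0
    while max_packets is None or seen < max_packets:
        hdr = parse_gsmtap(sock.recvfrom(4096)[0])
        line = "fn=%d arfcn=%d %s ts=%d %s %ddBm" % (hdr["frame_number"], hdr["arfcn"],
               "UL" if hdr["uplink"] else "DL", hdr["timeslot"], hdr["channel"], hdr["signal_dbm"])
        if not hdr["uplink"] and hdr["channel"] in ("BCCH", "CCCH", "PCH", "AGCH"):
            line += " " + str(decode_ccch(hdr["payload"]))
        print(line)
        seen += 1


if __name__ == "__main__":
    print(decode_ccch(parse_gsmtap(build_sample_paging_datagram())["payload"]))
    listen()
```

Run it instead of netcat while the mobile application is up and each downlink CCCH block is printed with its frame number, ARFCN and decoded RR message; the paging lines are the same ones the Wireshark screenshot shows, and they illustrate why the TMSI exists at all: the identity the BTS broadcasts in clear is the temporary one, so a passive listener on the CCCH learns which TMSIs are being paged but not who they belong to unless the network falls back to paging by IMSI.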

And of course we can also watch other high-level activity such as LOCATION UPDATE. At this point we can troubleshoot if, say, a location update fails, and guess what? This is one of the troubleshooting activities telecom engineers actually do :).

Here is a fragment of the mobile application session from a test call I made a while ago with an Indosat SIM card; the console it offers is similar to the console mode of Cisco devices,

$ telnet localhost 4247
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying fe80::1...
telnet: connect to address fe80::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Welcome to the OpenBSC Control interface
OsmocomBB# help
This VTY provides advanced help features. When you need help,
anytime at the command line please press '?'.

If nothing matches, the help list will be empty and you must backup
until entering a '?' shows the available options.
Two styles of help are provided:
1. Full help is available when you are ready to enter a
command argument (e.g. 'show ?') and describes each possible
argument.
2. Partial help is provided when an abbreviated argument is entered
and you want to know what arguments match the input
(e.g. 'show me?'.)

OsmocomBB# ?
exit Exit current mode and down to previous mode
help Description of the interactive help system
list Print command list
write Write running configuration to memory, network, or terminal
show Show running system information
disable Turn off privileged mode command
configure Configuration from vty interface
copy Copy configuration
terminal Set terminal line parameters
echo Echo a message back to the vty
who Display who is on vty
monitor Monitor...
no Negate a command or set its defaults
off Turn mobiles off (shutdown) and exit
sim SIM actions
network Network ...
call Make a call
OsmocomBB# sim
testcard Insert test card
reader Select SIM from reader
remove Remove SIM card
pin Enter PIN for SIM card
disable-pin Disable PIN of SIM card
enable-pin Enable PIN of SIM card
change-pin Change PIN of SIM card
unblock-pin Change PIN of SIM card
lai Change LAI of SIM card
OsmocomBB# show
running-config running configuration
startup-config Contentes of startup configuration
version Displays program version
history Display the session command history
ms Display available MS entities
subscriber Display information about subscriber
support Display information about MS support
cell Display information about received cells
ba Display information about band allocations
forbidden Display information about forbidden cells / networks
OsmocomBB# show subscriber
[MS_NAME] Name of MS (see "show ms")
OsmocomBB# show subscriber 1
Mobile Subscriber of MS '1':
IMSI: 510019362330134
ICCID: 89620160000614761992
Service Provider Name: INDOSAT
Status: U1_UPDATED IMSI attached TSMI 0xac0942e3
LAI: MCC 510 MNC 01 LAC 0x141e (Indonesia, INDOSAT)
Key: sequence 0 bb 86 10 c2 97 e9 ec 00
Registered PLMN: MCC 510 MNC 01 (Indonesia, INDOSAT)
Access barred cells: no
Access classes: C4
List of preferred PLMNs:
MCC |MNC
-------+-------
510 |01 (Indonesia, INDOSAT)
525 |05 (Singapore, StarHub)
454 |03 (Hong Kong, 3 (3G))
454 |04 (Hong Kong, 3 DualBand (2G))
440 |10 (Japan, NTT docomo)
466 |01 (Taiwan, FarEasTone)
404 |11 (India, Vodafone IN)
515 |03 (Philippines, Smart)
450 |08 (South Korea, KT SHOW)
510 |21 (Indonesia, IM3)
455 |03 (Macau, 3)
404 |27 (India, Vodafone IN)
404 |30 (India, Vodafone IN)
404 |20 (India, Vodafone IN)
404 |05 (India, Vodafone IN)
404 |68 (India, DOLPHIN)
404 |69 (India, DOLPHIN)
450 |02 (South Korea, KT)
OsmocomBB# call
MS_NAME Name of MS (see "show ms")
OsmocomBB# call 1
NUMBER Phone number to call (Use digits '0123456789*#abc', and '+' to dial international)
emergency Make an emergency call
answer Answer an incomming call
hangup Hangup a call
hold Hold current active call
retrieve Retrieve call on hold
dtmf One or more DTMF digits to transmit
OsmocomBB# call 1 081218602xxx
OsmocomBB#
% (MS 1)
% Call is proceeding

% (MS 1)
% Call is alerting

% (MS 1)
% Call is answered

% (MS 1)
% Call: Remote hangs up

So, at this point everyone probably starts to see the benefits of the OsmocomBB project. One of them is that a person can interact with and learn a great deal about telecommunications with nothing more than a phone like the Motorola C115, which costs around Rp 150,000. And since OsmocomBB is an open-source project, everyone can read the code, modify it as needed, or even contribute to the project, for example by adding features to the mobile application such as GPRS, SMS, and so on.

For the security community?! This is a way in: perhaps, with various fuzzing methods on the transmission protocol, someone could make an operator's BTS ‘hang’ or ‘restart’ and cause a DoS (Denial of Service)?! Doing that against a live network is illegal and hurts every subscriber on that cell; anything of the kind belongs on your own test BTS in a shielded setup.

Good luck!


7 thoughts on “Playing With OsmocomBB”

  1. You are the bomb, bro! I am doing this as my FYP using Ubuntu 10.10. I’m done with the installation and configuration of the toolchains and all that, but I have a little problem with the serial port of the old computer I am using for the project: I can’t seem to find the driver for it. But you just saved my life by posting this blog on the Mac OS X configuration of OsmocomBB. I guess I’m just gonna change to my MacBook Pro. Thank you very much, you are a life saver!

  2. One problem… I’m new to OS X. Can you please help with the package installation and configuration of OsmocomBB on OS X? Thanks!

    1. Thank you very much, Mrs, but those commands appear to be meant for the Linux family. My Mac OS X doesn’t seem to execute them. Please, I need further help. Thanks!
