SDR (4): osmocomBB SMS Sniffing


0x0 The open-source project
OsmocomBB is an open-source implementation of the GSM protocol stack; the name stands for Open source mobile communication BaseBand. Its goal is to implement the phone (MS) side of the stack from the physical layer (layer 1) up to layer 3.
Official description:
  OsmocomBB is a Free Software / Open Source GSM Baseband software implementation. It intends to completely replace the need for proprietary GSM baseband software, such as drivers for the GSM analog and digital baseband (integrated and external) peripherals, and the GSM phone-side protocol stack, from layer 1 up to layer 3.
  In short: by using OsmocomBB on a compatible phone, you are able to make and receive phone calls, send and receive SMS, etc. based on Free Software only.

0x1 Hardware

  • Motorola C118
  • CP2102 USB-to-TTL serial adapter
  • 2.5 mm three-pole (TRS) headphone plug with Dupont jumper wires (the C118 exposes its serial port on the headset jack)

0x2 Building

1. System: Kali 2.0
2. Build environment
apt-get update && apt-get dist-upgrade -y
apt-get install build-essential libgmp3-dev libmpfr-dev libx11-6 libx11-dev texinfo flex bison libncurses5 libncurses5-dbg libncurses5-dev libncursesw5 libncursesw5-dbg libncursesw5-dev zlibc zlib1g-dev libmpfr4 libmpc-dev
3. osmocomBB dependencies
aptitude install libtool shtool automake autoconf git-core pkg-config make gcc
4. ARM cross-compilation toolchain
The directory layout and the files needed are shown in the figure below (download each of them with wget):
chmod +x gnu-arm-build.3.sh
./gnu-arm-build.3.sh
When the build finishes, add the toolchain's bin directory to PATH. Put the export line into ~/.bashrc so it survives new shells, then reload the file:
export PATH=$PATH:~/Desktop/c118/source/arm/install/bin
source ~/.bashrc
5. macOS ARM build environment
sudo port install libtool-devel autoconf git-core pkgconfig automake17 gcc46
sudo port install arm-elf-gcc
or: put the toolchain in /usr/local/arm and add it to your PATH.
6. Building the osmocomBB firmware
6.1 The libosmocore library
apt-get install build-essential libtool shtool autoconf automake git-core pkg-config make gcc libpcsclite-dev
git clone git://git.osmocom.org/libosmocore.git
cd libosmocore
autoreconf -i
./configure
make
sudo make install
sudo ldconfig   # Linux only: refresh the linker cache so the libraries in /usr/local/lib are found at run time
Pitfalls:
1. Missing talloc
The package was not available through apt-get at the time, so it was built from the official source tarball, https://www.samba.org/ftp/talloc/ (on current Debian-based systems, apt-get install libtalloc-dev provides it):
$ wget https://www.samba.org/ftp/talloc/talloc-2.1.7.tar.gz
$ tar -zxvf talloc-2.1.7.tar.gz
$ cd talloc-2.1.7/
$ ./configure
$ make
$ sudo make install
2. macOS: libpcsc is missing
./configure --disable-pcsc #libpcsclite isn't available on OS X
3. /usr/bin: python2: No such file or directory
sudo ln -s /usr/bin/python2.7 /usr/local/bin/python2
4. After installation, the other programs cannot find libosmocore
pkg-config has to be told where the libosmocore .pc files are. Add the corresponding PKG_CONFIG_PATH to ~/.zshrc (the path below points at the configured source tree, where the .pc files are generated; with the default install prefix they are also installed to /usr/local/lib/pkgconfig):
PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/Users/***/Desktop/source/rf/libosmocore
export PKG_CONFIG_PATH
6.2 osmocomBB
git clone git://git.osmocom.org/osmocom-bb.git
cd osmocom-bb
git checkout --track origin/luca/gsmmap
cd src
make

0x3 Flashing (loading the firmware)

cd src/host/osmocon
sudo ./osmocon -m c123xor -p /dev/tty.SLAB_USBtoUART ../../target/firmware/board/compal_e88/layer1.compalram.bin
Then press the power button briefly. The *.compalram.bin image is pushed into the phone's RAM over the serial line every time the phone is switched on; nothing is written to flash, so the phone is back to its original firmware after a battery pull and osmocon has to be run again before each session. /dev/tty.SLAB_USBtoUART is the CP2102 device name on macOS; on Linux the adapter normally shows up as /dev/ttyUSB0. A successful load looks like this:

0x4 Scanning for base stations

cd osmocom-bb/src/host/layer23/src/misc/
sudo ./cell_log -O
The option is the capital letter O; in the cell_log source it is --gps-disable, i.e. cell_log does not try to fetch a position from gpsd to tag each cell. ./cell_log --help lists the other options. osmocon must still be running in another terminal, because cell_log reaches the phone through osmocon's /tmp/osmocom_l2 socket. The terminal prints log output that includes every cell the phone can receive, in a format like this:
cell_log.c:248 Cell: ARFCN=40 PWR=-61dB MCC=460 MNC=00 (China,China Mobile)
The number after ARFCN is the cell's channel number; some entries also carry operator information (MCC/MNC, resolved to country and operator).
The phone's own log also shows the cell's channel:

0x5 Channels

The C118 is too low-end: each phone can sniff only one channel at a time, as the figure below shows, and for now only downlink packets can be captured:
To sniff the uplink as well, the hardware has to be modified. The RX filters on the C118 mainboard pass only the downlink band (in GSM 900 the uplink lies 45 MHz below the downlink), so they must be swapped for the HHM1625 and HHM1623C1 filter components before uplink packets can be received.
For the ARFCN numbering scheme, see the figure below:
On an iPhone, dialling *3001#12345#* opens Field Test mode, which shows the serving cell's channel; in the figure below the E-ARFCN (LTE, i.e. 4G) is 1650.
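As an added example (written for this page, not taken from the original post or from osmocom-bb), the following Python script parses cell_log output such as the line shown in 0x4 and maps each ARFCN to its GSM band and uplink/downlink carrier frequencies, which is the relationship the ARFCN figure above illustrates. The log text is constructed sample input (only the first line mirrors the post; the other two cells are made up), and the band table follows 3GPP TS 45.005. The script goes slightly beyond the post by covering GSM 850, E-GSM, DCS 1800 and PCS 1900 in addition to the primary GSM 900 band.

```python
import re

# Constructed sample of cell_log output; only the first line is the one shown in the post.
SAMPLE_LOG = """\
cell_log.c:248 Cell: ARFCN=40 PWR=-61dB MCC=460 MNC=00 (China,China Mobile)
cell_log.c:248 Cell: ARFCN=1011 PWR=-78dB MCC=460 MNC=01 (China,China Unicom)
cell_log.c:248 Cell: ARFCN=700 PWR=-85dB MCC=460 MNC=00 (China,China Mobile)
"""

CELL_RE = re.compile(
    r"Cell: ARFCN=(?P<arfcn>\d+) PWR=(?P<pwr>-?\d+)dB"
    r"(?: MCC=(?P<mcc>\d+) MNC=(?P<mnc>\d+))?"
)


def arfcn_to_freq(arfcn, pcs=False):
    """Return (band, uplink_mhz, downlink_mhz) for a GSM ARFCN (3GPP TS 45.005).

    ARFCN 512..810 is ambiguous between DCS 1800 and PCS 1900; pcs=True selects PCS.
    The downlink is the uplink plus the band's duplex spacing.
    """
    if arfcn == 0:
        band, ul, duplex = "E-GSM 900", 890.0, 45.0
    elif 1 <= arfcn <= 124:
        band, ul, duplex = "P-GSM 900", 890.0 + 0.2 * arfcn, 45.0
    elif 975 <= arfcn <= 1023:
        band, ul, duplex = "E-GSM 900", 890.0 + 0.2 * (arfcn - 1024), 45.0
    elif 128 <= arfcn <= 251:
        band, ul, duplex = "GSM 850", 824.2 + 0.2 * (arfcn - 128), 45.0
    elif 512 <= arfcn <= 810 and pcs:
        band, ul, duplex = "PCS 1900", 1850.2 + 0.2 * (arfcn - 512), 80.0
    elif 512 <= arfcn <= 885:
        band, ul, duplex = "DCS 1800", 1710.2 + 0.2 * (arfcn - 512), 95.0
    else:
        raise ValueError("ARFCN %d is not in a GSM band" % arfcn)
    return band, round(ul, 1), round(ul + duplex, 1)


def parse_cell_log(text, pcs=False):
    """Parse cell_log lines into dicts with band and frequencies, strongest cell first."""
    cells = []
    for line in text.splitlines():
        m = CELL_RE.search(line)
        if not m:
            continue  # other log chatter from layer1/layer23
        arfcn = int(m.group("arfcn"))
        try:
            band, ul, dl = arfcn_to_freq(arfcn, pcs)
        except ValueError:
            band, ul, dl = None, None, None  # out-of-band value, keep the line anyway
        cells.append({
            "arfcn": arfcn,
            "pwr": int(m.group("pwr")),   # printed by cell_log as "dB"
            "mcc": m.group("mcc"),
            "mnc": m.group("mnc"),
            "band": band,
            "uplink_mhz": ul,
            "downlink_mhz": dl,
        })
    cells.sort(key=lambda c: c["pwr"], reverse=True)
    return cells


if __name__ == "__main__":
    for c in parse_cell_log(SAMPLE_LOG):
        print("ARFCN %4d  %-9s  DL %7.1f MHz  UL %7.1f MHz  %4d dB  MCC/MNC %s/%s" % (
            c["arfcn"], c["band"], c["downlink_mhz"], c["uplink_mhz"],
            c["pwr"], c["mcc"], c["mnc"]))
```

The downlink frequency is the one a single C118 actually listens to; the uplink column is only relevant after the RX filter modification described above. Pipe a real run through it with `sudo ./cell_log -O 2>&1 | python3 -c 'import sys, thisfile; ...'` or save the log with -l and feed the file to parse_cell_log.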

0x6 Sniffing

cd osmocom-bb/src/host/layer23/src/misc
sudo ./ccch_scan -i 127.0.0.1 -a ARFCN
where ARFCN is a channel number found by the scan above, and -i gives the address to which the decoded frames are sent as GSMTAP datagrams (UDP port 4729). As with cell_log, osmocon must be running with the layer1 firmware loaded.
Pitfalls:
Capturing with Wireshark
sudo wireshark -k -i lo -f 'port 4729'
This starts capturing on the loopback interface, where Wireshark decodes UDP port 4729 as GSMTAP by default.
Set the display filter to gsm_sms.
(I left it running all day without capturing a single packet; there are probably other problems.)
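As an added example (written for this page, not part of osmocom-bb), the Python script below binds UDP port 4729 and decodes the GSMTAP v2 header of each datagram ccch_scan sends, then peeks at the L3 protocol discriminator, so you can confirm that frames arrive at all, on which channel types, and whether any SMS-layer (PD 9) messages are among them before narrowing the Wireshark display filter to gsm_sms. The two sample datagrams are constructed, not captured; the header layout and constants follow the GSMTAP v2 definition in libosmocore's gsmtap.h. It can run alongside Wireshark, since a pcap capture on lo sees the datagrams regardless of which process binds the port.

```python
import socket
import struct

GSMTAP_PORT = 4729          # UDP port Wireshark decodes as GSMTAP by default
GSMTAP_VERSION = 2
GSMTAP_TYPE_UM = 1          # Um (air interface) frames, which ccch_scan emits
ARFCN_F_PCS = 0x8000        # flag bits carried in the 16-bit ARFCN field
ARFCN_F_UPLINK = 0x4000
ARFCN_MASK = 0x3FFF

CHANNEL_NAMES = {1: "BCCH", 2: "CCCH", 3: "RACH", 4: "AGCH", 5: "PCH",
                 6: "SDCCH", 7: "SDCCH/4", 8: "SDCCH/8", 9: "TCH/F", 10: "TCH/H"}
BBIS_CHANNELS = {1, 2, 4, 5}    # L2 "Bbis" format: one pseudo-length octet before L3
B_CHANNELS = {6, 7, 8, 9, 10}   # LAPDm "B" format: address, control, length octets before L3
L3_PD_NAMES = {0x03: "CC", 0x05: "MM", 0x06: "RR", 0x09: "SMS"}


def parse_gsmtap(datagram):
    """Decode a GSMTAP v2 header and peek at the L3 protocol discriminator."""
    if len(datagram) < 16:
        raise ValueError("datagram shorter than a GSMTAP header")
    (version, hdr_len, gtype, timeslot, arfcn_raw, signal_dbm, snr_db,
     frame_nr, sub_type, _antenna, sub_slot, _res) = struct.unpack("!BBBBHbbIBBBB", datagram[:16])
    if version != GSMTAP_VERSION:
        raise ValueError("unsupported GSMTAP version %d" % version)
    payload = datagram[hdr_len * 4:]          # hdr_len is in 32-bit words
    chan = sub_type & 0x7F                    # bit 7 marks the associated control channel (ACCH)
    info = {
        "type": gtype, "timeslot": timeslot, "sub_slot": sub_slot,
        "arfcn": arfcn_raw & ARFCN_MASK,
        "uplink": bool(arfcn_raw & ARFCN_F_UPLINK),
        "pcs": bool(arfcn_raw & ARFCN_F_PCS),
        "signal_dbm": signal_dbm, "snr_db": snr_db, "frame_nr": frame_nr,
        "channel": CHANNEL_NAMES.get(chan, "other(%d)" % chan),
        "payload_len": len(payload), "l3_pd": None, "l3_msg_type": None,
    }
    l3 = b""
    if gtype == GSMTAP_TYPE_UM and payload:
        if chan in BBIS_CHANNELS:
            l3 = payload[1:1 + (payload[0] >> 2)]      # pseudo-length lives in bits 7..2
        elif chan in B_CHANNELS and len(payload) >= 3:
            l3 = payload[3:3 + (payload[2] >> 2)]      # LAPDm length indicator in bits 7..2
    if len(l3) >= 2:
        pd = l3[0] & 0x0F                              # protocol discriminator, low nibble
        info["l3_pd"] = L3_PD_NAMES.get(pd, "pd(%d)" % pd)
        info["l3_msg_type"] = l3[1]
    return info


def _gsmtap(arfcn, sub_type, signal_dbm, frame_nr, payload, timeslot=0, sub_slot=0):
    """Build a GSMTAP v2 datagram (constructed test data, not a real capture)."""
    hdr = struct.pack("!BBBBHbbIBBBB", GSMTAP_VERSION, 4, GSMTAP_TYPE_UM, timeslot,
                      arfcn, signal_dbm, 10, frame_nr, sub_type, 0, sub_slot, 0)
    return hdr + payload


FILL = b"\x2b"
# Paging Request Type 1 on the PCH: pseudo-length 6, then RR (PD 6) message type 0x21.
SAMPLE_PAGING = _gsmtap(40, 5, -61, 0x1000, b"\x19\x06\x21\x00\x01\xf0\x00" + FILL * 16)
# CP-DATA (SMS PD 9, message type 1) on SDCCH/8 sub-slot 2: LAPDm SAPI 3 I-frame, L3 length 2.
SAMPLE_SMS = _gsmtap(40, 8, -70, 0x1234, b"\x0d\x00\x09\x09\x01" + FILL * 18,
                     timeslot=1, sub_slot=2)


def summarize(info):
    """One-line summary in the style of a capture log."""
    direction = "UL" if info["uplink"] else "DL"
    l3 = "%s/0x%02x" % (info["l3_pd"], info["l3_msg_type"]) if info["l3_pd"] else "-"
    return "ARFCN %d %s TS%d fn=%d %-7s %4d dBm L3 %s" % (
        info["arfcn"], direction, info["timeslot"], info["frame_nr"],
        info["channel"], info["signal_dbm"], l3)


def listen(host="127.0.0.1", port=GSMTAP_PORT, count=20):
    """Bind the GSMTAP port and summarise the next `count` datagrams from ccch_scan."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    for _ in range(count):
        data, _addr = sock.recvfrom(4096)
        try:
            print(summarize(parse_gsmtap(data)))
        except ValueError as exc:
            print("skipped: %s" % exc)


if __name__ == "__main__":
    for sample in (SAMPLE_PAGING, SAMPLE_SMS):
        print(summarize(parse_gsmtap(sample)))
    listen()
```

If the listener prints nothing while ccch_scan is running, the problem is upstream of Wireshark (osmocon link, wrong ARFCN, or no frames decoded); if it shows only BCCH/PCH/AGCH lines and never SDCCH, the phone is seeing the common channels but not following any dedicated channel, which is where SMS (PD 9) is carried.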
