If your thought repurposing DVB-T dongles for generic software defined radio (SDR) use was cool, wait until you see QCSuper, a project that re-purposes phones and modems to capture raw 2G/3G/4G/5G. You have to have a Qualcomm-based device, it has to either run rooted Android or be a USB modem, but once you find one in your drawers, you can get a steady stream of packets straight into your Wireshark window. No more expensive SDR requirement for getting into cellular sniffing – at least, not unless you are debugging some seriously low-level issues.
It appears there’s a Qualcomm specific diagnostic port you can access over USB, that this software can make use of. The 5G capture support is currently situational, but 2G/3G/4G capabilities seem to be pretty stable. And there’s a good few devices in the “successfully tested” list – given the way this software functions, chances are, your device will work! Remember to report whether it does or doesn’t, of course. Also, the project is seriously rich on instructions – whether you’re using Linux or Windows, it appears you won’t be left alone debugging any problems you might encounter.
This is a receive-only project, so, legally, you are most likely allowed to have fun — at least, it would be pretty complicated to detect that you are, unlike with transmit-capable setups. Qualcomm devices have pretty much permeated our lives, with Qualcomm chips nowadays used even in the ever-present SimCom modules, like the modems used in the PinePhone. Wondering what a sniffer could be useful for? Well, for one, if you ever need to debug a 4G base station you’ve just set up, completely legally, of course.
We’ve seen quite a few DIY 2G networks over the years, but the 4G field has been relatively barren. Turns out, there’s an open source suite called srsRAN that lets you use an SDR for setting up an LTE network, and recently, we’ve found a blog post from [MaFrance351] (Google Translate) that teaches you everything you could need to know if you ever wanted to launch a LTE network for your personal research purposes.
For a start, you want a reasonably powerful computer, a transmit-capable full-duplex software defined radio (SDR), suitable antennas, some programmable SIM cards, and a few other bits and pieces like SIM card programmers and LTE-capable smartphones for testing purposes. Get your hardware ready and strap in, as [MaFrance351] guides you through setting up your own base station, with extreme amounts of detail outlining anything you could get caught up on.
Although wireless standards like 3G, 4G, and 5G are mostly associated with mobile internet, they also include a phone (voice) component. Up till 4G this was done using traditional circuit-switched telephony service, but with this fourth generation the entire standard instead moved to a packet-switched version akin to Voice-over-IP, called VoLTE (voice-over-LTE). Even so, a particular phone can choose to use a 4G modem, yet still use 3G-style phone connections. Until the 3G network is shutdown, that is. This is the crux of [Hugh Jeffreys]’s latest video.
In order to make a VoLTE phone call, your phone, your provider, the receiving phone and the intermediate network providers must all support the protocol. Even some newer phones like the Samsung Galaxy J3 (2016) do not support this. For other phones you have to turn the feature on yourself, if it is available. As [Hugh] points out in the video, there’s no easy way to know whether an Android phone supports it, which is likely to lead to chaos as more and more 3G networks in Australia and elsewhere are turned off, especially in regions where people use phones for longer than a few years.
The cessation of such basic functionality is why in most countries 2G networks remain active, as they are being used by emergency services and others for whom service interruptions can literally cost lives, as well as countless feature phones and Internet of Things devices. For some phones without VoLTE, falling back to 2G might therefore still be an option if they support this. With the spotty support, lack of transparency and random shutdowns, things may however get rather frustrating for some the coming years.
The saying “time and tide wait for no man” is usually used as a verbal kick in the pants, a reminder that sometimes an opportunity must be seized quickly before it passes by. But it can also be interpreted as a warning about the perpetual march of time and how it impacts the world around us. In that case, we would do well to add cellular technology to the list of proverbial things that wait for no one. Do you need 5G? No. Do you want it? Probably not. But it’s here, so be a good consumer and dump all your 4G hardware in the name of technical progress.
This line of logic may explain how the Verizon-branded Netgear AC791L 4G “Jetpack” hotspot you see here, despite being in perfect working order, found itself in the trash. The onset of 5G must have been particularly quick for the previous owner, since they didn’t even bother to wipe their configuration information from the device. In the name of journalistic integrity I won’t divulge the previous owner’s identity; but I will say that their endearing choice of WPA2 key, iluvphysics, makes for a nice fit with our publication.
A quick check of eBay shows these devices, and ones like it, are in ample supply. At the time of this writing, there were more than 1,500 auctions matching the search term “Verizon jetpack”, with most of them going for between $20 and $50 USD. We like cheap and easily obtainable gadgets that can be hacked, but is there anything inside one of these hotspots that we can actually use? Let’s find out.
You’ve got a machine hooked up to the Internet via a shiny new cellular modem, which you plan to administer remotely. You do a quick check on the external IP, and try and log in from another PC. Try as you might, SSH simply won’t connect. What gives?
The reality of the modern internet is that most clients no longer get their own unique IPv4 address. There simply aren’t enough to go around anymore. Instead, most telecommunications operators use Carrier Grade Network Address Translation which allows a single external address to be shared by many customers. This can get in the way of direct connection attempts from the outside world. Even if that’s not the case, most cellular operators tend to block inbound connections by default. However, there is a way around this quandary – using a VPN. Continue reading “Basics Of Remote Cellular Access: Connecting Via VPN”→
These days, we’re blessed with cellular data networks that span great swathes of the Earth. By and large, they’re used to watch TV shows and argue with strangers online. However, they’re also a great tool to use to interact with hardware in remote locations, particularly mobile ones where a wired connection is impractical.
In this series, we’re taking a look at tips and tricks for doing remote cellular admin the right way. First things first, you’ll need a data connection – so let’s look at choosing a modem.
Options Abound
When shopping around for cellular data modems, it can be difficult to wade through the variety of options out there and find something fit for purpose. Modems in this space are often marketed for very specific use cases; at the consumer level, many are designed to be a no-fuss home broadband solution, while in the commercial space, they’re aimed primarily to provide free WiFi for restaurants and cafes. For use in remote admin, the presence of certain features can be critical, so it pays to do your research before spending your hard earned money. We’ve laid out some of the common options below.
Consumer Models
The Sierra Aircard 320U is ancient now, with limited frequency bands available. Its flimsy flexible connector is also a drawback. However, its ease of configuration with Linux systems makes it a dream to use in remote access situations. Unlike many others, it acts as a Direct IP connection, not appearing as a separate router.
Many telecommunications providers around the world sell cheap USB dongles for connecting to the Internet, with these first becoming popular with the rise of 3G. They’re somewhat less common now in the 5G era, with the market shifting more towards WiFi-enabled devices that share internet among several users. These devices can often be had for under $50, and used on prepaid and contract data plans.
These devices are often the first stop for the budding enthusiast building a project that needs remote admin over the cellular network. However, they come with certain caveats that can make them less attractive for this use. Aimed at home users, they are often heavily locked down with firmware that provides minimal configuration options. They’re generally unable to be set up for port forwarding, even if you can convince your telco to give you a real IP instead of carrier-grade NAT. Worse, many appear to the host computer as a router themselves, adding another layer of NAT that can further complicate things. Perhaps most frustratingly, with these telco-delivered modems, the model number printed on the box is often not a great guide as to what you’re getting.
A perfect example is the Huawei E8327. This comes in a huge number of sub-models, with various versions of the modem operating in different routing modes, on different bands, and some even omitting major features like external antenna connectors. Often, it’s impossible to know exactly what features the device has until you open the box and strip the cover off, at which point you’re unable to return the device for your money back.
All is not lost, however. The use of VPNs can help get around NAT issues, and for the more adventurous, some models even have custom firmware available on the deeper, darker forums on the web. For the truly cash strapped, they’re a viable option for those willing to deal with the inevitable headaches. There are generally some modems that stand out over others in this space for configurability and ease of use. This writer has had great success with a now-aging Sierra Aircard 320U, while others have found luck with the Huawei E3372-607. As per earlier warnings though, you don’t want to accidentally end up with an E3372-608 – thar be dragons.
SIM cards are all around us, and with the continuing growth of the Internet of Things, spawning technologies like NB-IoT, this might as well be very literal soon. But what do we really know about them, their internal structure, and their communication protocols? And by extension, their security? To shine some light on these questions, open source and mobile device titan [LaForge] gave an introductory talk about SIM card technologies at the 36C3 in Leipzig, Germany.
Starting with a brief history lesson on the early days of cellular networks based on the German C-Netz, and the origin of the SIM card itself, [LaForge] goes through the main specification and technology parts of each following generation from 2G to 5G. Covering the physical basics, I/O interfaces, communication protocols, and the file system located on the SIM card, you’ll get the answer to “what on Earth is PIN2 for?” along the way.
Of course, a talk like this, on a CCC event, wouldn’t be complete without a deep and critical look at the security side as well. Considering how over-the-air updates on both software and — thanks to mostly running Java nowadays — feature side are more and more common, there certainly is something to look at.
