Wireshark screenshot with QCSuper-produced packets streaming into it; QCSuper script running in an adjacent terminal

Turn Your Qualcomm Phone Or Modem Into Cellular Sniffer

April 30, 2024 by Arya Voronova 16 Comments

If your thought repurposing DVB-T dongles for generic software defined radio (SDR) use was cool, wait until you see QCSuper, a project that re-purposes phones and modems to capture raw 2G/3G/4G/5G. You have to have a Qualcomm-based device, it has to either run rooted Android or be a USB modem, but once you find one in your drawers, you can get a steady stream of packets straight into your Wireshark window. No more expensive SDR requirement for getting into cellular sniffing – at least, not unless you are debugging some seriously low-level issues.

It appears there’s a Qualcomm specific diagnostic port you can access over USB, that this software can make use of. The 5G capture support is currently situational, but 2G/3G/4G capabilities seem to be pretty stable. And there’s a good few devices in the “successfully tested” list – given the way this software functions, chances are, your device will work! Remember to report whether it does or doesn’t, of course. Also, the project is seriously rich on instructions – whether you’re using Linux or Windows, it appears you won’t be left alone debugging any problems you might encounter.

This is a receive-only project, so, legally, you are most likely allowed to have fun — at least, it would be pretty complicated to detect that you are, unlike with transmit-capable setups. Qualcomm devices have pretty much permeated our lives, with Qualcomm chips nowadays used even in the ever-present SimCom modules, like the modems used in the PinePhone. Wondering what a sniffer could be useful for? Well, for one, if you ever need to debug a 4G base station you’ve just set up, completely legally, of course.

5Ghoul: The 14 Shambling 5G Flaws Used For Disruptive Attacks On Smartphones

December 13, 2023 by Maya Posch 5 Comments

A team of researchers from the ASSET Research Group in Singapore have published the details of a collection of vulnerabilities in the fifth generation mobile communication system (5G) used with smartphones and many other devices. These fourteen vulnerabilities are detailed in this paper and a PoC detailing an attack using a software defined radio (SDR) is provided on GitHub. The core of the PoC attack involves creating a malicious 5G base station (gNB), which nearby 5G modems will seek to communicate with, only for these vulnerabilities to be exploited, to the point where a hard reset (e.g. removal of SIM card) of the affected device may be required.

Hardware Setup for 5Ghoul PoC testing and fuzzer evaluation. (Credit: Matheus E. Garbelini et al., 2023)

Another attack mode seeks to downgrade the target device’s wireless connection, effectively denying the connection to a 5G network and forcing them to connect to an alternative network (2G, 3G, 4G, etc.). Based on the affected 5G modems, the researchers estimate that about 714 smartphone models are at risk of these attacks. Naturally, not just smartphones use these 5G modem chipsets, but also various wireless routers, IoT devices, IP cameras and so on, all of which require the software these modems to be patched.

Most of the vulnerabilities concern the radio resource control (RCC) procedure, caused by flaws in the modem firmware. Android smartphones (where supported) should receive patches for 5Ghoul later this month, but when iPhone devices get patched is still unknown.

Hackaday Links: July 3, 2022

July 3, 2022 by Dan Maloney 10 Comments

Looks like we might have been a bit premature in our dismissal last week of the Sun’s potential for throwing a temper tantrum, as that’s exactly what happened when a G1 geomagnetic storm hit the planet early last week. To be fair, the storm was very minor — aurora visible down to the latitude of Calgary isn’t terribly unusual — but the odd thing about this storm was that it sort of snuck up on us. Solar scientists first thought it was a coronal mass ejection (CME), possibly related to the “monster sunspot” that had rapidly tripled in size and was being hyped up as some kind of planet killer. But it appears this sneak attack came from another, less-studied phenomenon, a co-rotating interaction region, or CIR. These sound a bit like eddy currents in the solar wind, which can bunch up plasma that can suddenly burst forth from the sun, all without showing the usually telltale sunspots.

Then again, even people who study the Sun for a living don’t always seem to agree on what’s going on up there. Back at the beginning of Solar Cycle 25, NASA and NOAA, the National Oceanic and Atmospheric Administration, were calling for a relatively weak showing during our star’s eleven-year cycle, as recorded by the number of sunspots observed. But another model, developed by heliophysicists at the U.S. National Center for Atmospheric Research, predicted that Solar Cycle 25 could be among the strongest ever recorded. And so far, it looks like the latter group might be right. Where the NASA/NOAA model called for 37 sunspots in May of 2022, for example, the Sun actually threw up 97 — much more in line with what the NCAR model predicted. If the trend holds, the peak of the eleven-year cycle in April of 2025 might see over 200 sunspots a month.

So, good news and bad news from the cryptocurrency world lately. The bad news is that cryptocurrency markets are crashing, with the flagship Bitcoin falling from its high of around $67,000 down to $20,000 or so, and looking like it might fall even further. But the good news is that’s put a bit of a crimp in the demand for NVIDIA graphics cards, as the economics of turning electricity into hashes starts to look a little less attractive. So if you’re trying to upgrade your gaming rig, that means there’ll soon be a glut of GPUs, right? Not so fast, maybe: at least one analyst has a different view, based mainly on the distribution of AMD and NVIDIA GPU chips in the market as well as how much revenue they each draw from crypto rather than from traditional uses of the chips. It’s important mainly for investors, so it doesn’t really matter to you if you’re just looking for a graphics card on the cheap.

Speaking of businesses, things are not looking too good for MakerGear. According to a banner announcement on their website, the supplier of 3D printers, parts, and accessories is scaling back operations, to the point where everything is being sold on an “as-is” basis with no returns. In a long post on “The Future of MakerGear,” founder and CEO Rick Pollack says the problem basically boils down to supply chain and COVID issues — they can’t get the parts they need to make printers. And so the company is looking for a buyer. We find this sad but understandable, and wish Rick and everyone at MakerGear the best of luck as they try to keep the lights on.

And finally, if there’s one thing Elon Musk is good at, it’s keeping his many businesses in the public eye. And so it is this week with SpaceX, which is recruiting Starlink customers to write nasty-grams to the Federal Communications Commission regarding Dish Network’s plan to gobble up a bunch of spectrum in the 12-GHz band for their 5G expansion plans. The 3,000 or so newly minted experts on spectrum allocation wrote to tell FCC commissioners how much Dish sucks, and how much they love and depend on Starlink. It looks like they may have a point — Starlink uses the lowest part of the Ku band (12 GHz – 18 GHz) for data downlinks to user terminals, along with big chunks of about half a dozen other bands. It’ll be interesting to watch this one play out.

Greedy Receivers: FCC Considers Regulating Receivers After Altimeter Showdown

March 7, 2022 by Maya Posch 94 Comments

Recently, the media was filled with articles about how turning on 5G transmissions in the C-band could make US planes fall out of the sky. While the matter was ultimately resolved without too much fuss, this conflict may have some long-term consequences, with the FCC looking to potentially address and regulate the root of the problem, as reported by Ars Technica.

At the heart of the whole issue is that while transmitters are regulated in terms of their power and which part of the spectrum they broadcast on, receivers are much less regulated. This means that in the case of the altimeters in airplanes for example, which use the 4.2 GHz – 4.4 GHz spectrum, some of their receivers may be sensitive to a part of the 5G C-band (3.7 GHz -3.98 GHz), despite the standard 200 MHz guard band (upped to 400 MHz in the US) between said C-band and the spectrum used by altimeters.

What the FCC is currently doing is to solicit ways in which it could regulate the performance and standards for receivers. This would then presumably not just pertain to 5G and altimeters, but also to other receivers outside of avionics. Since the FCC already did something similar back in 2003 with an inquiry, but closed it back in 2007 without any action taken, it remains to be seen whether this time will be different. One solid reason would be the wasted spectrum: a 400 MHz guard band is a very large chunk.

Thanks to [Chris Muncy] for the tip.

First Hacks: The Brand New Nokia 5G Gateway Router

December 27, 2021 by Jenny List 28 Comments

Aside from being the focus of a series of bizarre conspiracy theories, 5G cellular networks offer the promise of ultra-fast Internet access anywhere within their range. To that end there are a new breed of devices designed to provide home broadband using 5G as a backhaul. It’s one of these, a Nokia Fastmile, that [Eddie Zhang] received, and he’s found it to be an interesting teardown and investigation. Spoiler: it runs Android and has exploitable bugs.

A privilege escalation bug in the web administration tool led to gaining the ability to export and modify configuration files, but sadly though a telnet prompt can be opened it’s not much use without the password. Uncovering some blocked-off ports on the base of the unit revealed a USB-C port, which was found to connect to an Android device. Via ADB a shell could be opened on Android, but on further investigation it was found that the Fastmile is not a single device but two separate ones. Inside is a PCB with an Android 5G phone to handle the connection, and another with a completely separate home router.

With access to the Android side and a login prompt on the router side that was as far as he was prepared to go without risking bricking his Fastmile. It only remained to do a teardown, which reveals the separate PCBs with their own heatsinks, and an impressive antenna array. Perhaps these devices will in time become as ubiquitous as old routers, and we’ll see them fully laid bare.

It’s a shame that we’ve had to write more about the conspiracy theories surrounding 5G than real 5G devices, but maybe we’ll see more teardowns like this one to make up for it.

Hackaday Links: January 10, 2021

January 10, 2021 by Dan Maloney 36 Comments

You know that feeling when your previously niche hobby goes mainstream, and suddenly you’re not interested in it anymore because it was once quirky and weird but now it’s trendy and all the newcomers are going to come in and ruin it? That just happened to retrocomputing. The article is pretty standard New York Times fare, and gives a bit of attention to the usual suspects of retrocomputing, like Amiga, Atari, and the Holy Grail search for an original Apple I. There’s little technically interesting in it, but we figured that we should probably note it since prices for retrocomputing gear are likely to go up soon. Buy ’em while you can.

Remember the video of the dancing Boston Dynamics robots? We actually had intended to cover that in Links last week, but Editor-in-Chief Mike Szczys beat us to the punch, in an article that garnered a host of surprisingly negative comments. Yes, we understand that this was just showboating, and that the robots were just following a set of preprogrammed routines. Some commenters derided that as not dancing, which we find confusing since human dancing is just following preprogrammed routines. Nevertheless, IEEE Spectrum had an interview this week with Boston Dynamics’ VP of Engineering talking about how the robot dance was put together. There’s a fair amount of doublespeak and couched terms, likely to protect BD’s intellectual property, but it’s still an interesting read. The take-home message is that despite some commenters’ assertions, the routines were apparently not just motion-captured from human dancers, but put together from a suite of moves Atlas, Spot, and Handle had already been trained on. That and the fact that BD worked with a human choreographer to work out the routines.

Looks like 2021 is already trying to give 2020 a run for its money, at least in the marketplace of crazy ideas. The story, released in Guitar World of all places, goes that some conspiracy-minded people in Italy started sharing around a schematic of what they purported to be the “5G chip” that’s supposedly included in the SARS-CoV-2 vaccine. The reason Guitar World picked it up is that eagle-eyed guitar gear collectors noticed that the schematic was actually that of the Boss MetalZone-2 effects pedal, complete with a section labeled “5G Freq.” That was apparently enough to trigger someone, and to ignore the op-amps, potentiometers, and 1/4″ phone jacks on the rest of the schematic. All of which would certainly smart going into the arm, no doubt, but seriously, if it could make us shred like this, we wouldn’t mind getting shot up with it.

Remember the first time you saw a Kindle with an e-ink display? The thing was amazing — the clarity and fine detail of the characters were unlike anything possible with an LCD or CRT display, and the fact that the display stayed on while the reader was off was a little mind-blowing at the time. Since then, e-ink technology has come considerably down market, commoditized to the point where they can be used for price tags on store shelves. But now it looks like they’re scaling up to desktop display sizes, with the announcement of a 25.3″ desktop e-ink monitor by Dasung. Dubbed the Paperlike 253, the 3200 x 1800 pixel display will be able to show 16 shades of gray with no backlighting. The videos of the monitor in action are pretty low resolution, so it’s hard to say what the refresh rate will be, but given the technology it’s going to be limited. This might be a great option as a second or third monitor for those who can work with the low refresh rate and don’t want an LCD monitor backlight blasting them in the face all day.

Continue reading “Hackaday Links: January 10, 2021” →

Radio’s Sordid History Of Being Blamed For Everything

May 22, 2020 by Jenny List 101 Comments

In the surreal world of a pandemic lockdown, we are surrounded by news stories that defy satire. The idea that 5G cellular networks are to blame for the COVID-19 outbreak and a myriad other ills has the more paranoid corners of social media abuzz with concerned citizens leaping upon random pieces of street furniture as potential 5G infrastructure.

The unanimous advice of the world’s scientists, doctors, and engineers that it is inconceivable for a phone technology to cause a viral outbreak. Amusingly, 5G has not yet been rolled out to some of the places where this is happening. But with conspiracy theory, fact denial only serves to reinforce the idea, however misguided. Here at Hackaday we have already ventured into the technical and scientific side of the story, but there is another side to it that leaves the pandemic behind and reaches back over the decades. Fear of new technology and in particular radio is nothing new, it stretches back almost as long as the public has had access to it.

Continue reading “Radio’s Sordid History Of Being Blamed For Everything” →