Kristin Paget is Hacking Carrier Grade LTE eNodeB

Every once in a while you get lucky and a piece of cool gear lands on your bench to tear down and explore. On that measuring stick, Kristin Paget hit the jackpot when she acquired a fascinating piece of current generation cellphone infrastructure. She’s currently researching a carrier-grade LTE eNodeB and walked through some of the findings, along with security findings of two IoT products, during her talk on the Laws of IoT Security at the 2017 Hackaday Superconference.

Evolved Node B (eNodeB) is the meat and potatoes of the LTE cellular network. It connects the antenna to backhaul — this is not something you’d expect to see on the open market but Kristin managed to pick one up from a vendor at DEF CON. Hearing her walk through the process of testing the hardware is a real treat in her talk and we’ll get to that in just a minute. But first, check out our video interview with Kristin the morning after her talk. We get into the progress of her eNodeB research, and touch on the state of IoT security with advice for hardware developers moving forward.


Project Loon Will Float LTE to Puerto Rico

Some of the biggest names in technology have offered their help in rebuilding Puerto Rico’s infrastructure. The newest name on the list? The X division of Alphabet, who want to help fill the huge communications gap using Project Loon, their high-altitude balloon network. It looks like X is going to get their wish, as they have just been granted license from the FCC to deploy LTE cell coverage to both Puerto Rico and the US Virgin Islands.

The plan is to launch 30 balloons that will act as a network of floating cell towers to radiate an LTE signal originating from the ground. This coverage would be a great boon to a devastated communications infrastructure, but it won’t be a cakewalk to implement. Some handsets of both major persuasions will require a temporary over-the-air update before they can use Project Loon’s network. For phones that can’t operate on Band 8, it won’t work at all. Even so, it’s a great start.

Now you would think that an emergency communications restoration plan like this would be met by all parties with open arms and a circle of pats on the back, but this solution requires a lot of cooperation. One of the major hurdles was to secure spectrum rights from some if not all of the incumbent wireless carriers. Miraculously, eight of them have agreed to hand over their bandwidth. Another issue is that the FCC license is only good for six months, although they would probably entertain an extension given the circumstances. Finally, the dual ownership of the Virgin Islands makes the situation even more complicated, as X must agree not to infringe upon the wireless coverage footprint of the British Virgin Islands.

Via r/Futurology

Review: New 3G and Cat-M1 Cellular Hardware from Hologram

In July we reported on the launch of the Hologram developer program that offered a free SIM card and a small amount of monthly cellular data for those who wanted to build connectivity into their prototypes. Today, Hologram has launched some new hardware to go along with that program.

Nova is a cellular modem in a USB thumb drive form factor. It ships in a little box with a PCB that hosts the u-blox cellular module, two different antennas, a plastic enclosure, and a SIM card. The product is aimed at those building connected devices around single-board computers, making it easy to plug Nova in and get connected quickly.

This device that Hologram sent me is a 3G modem. They have something like 1,000 of them available to ship starting today, but what I find really exciting is that there is another flavor of Nova that looks the same but hosts a Cat-M1 version of the u-blox module. This is a Low Power Wide Area Network technology built on the LTE network. We’ve seen 2G and 3G modems available for some time now, but if you go that route you’re building a product around a network which has an end-of-life concern.

Cat-M1 will be around for much longer and it is designed to be low power and utilizes a narrower bandwidth for less radio-on time. I asked Hologram for some power comparison estimates between the two technologies:

AVERAGE current consumption comparisons:

Cat-M1: as low as 100 mA while transmitting and never more than 190 mA
Equivalent 3G: as high as 680 mA while transmitting

PEAK current consumption comparisons (these are typically filtered through capacitors so the power supply doesn’t ever witness these values, and they are only momentary):

Cat-M1: Less than 490 mA
Equivalent 3G: As high as 1550 mA

This is an exciting development because we haven’t yet seen LTE radios available for devices — of course there are hotspots but those are certainly not optimized for low power or inclusion in a product. But if you know your ESP8266 WiFi specs you know that those figures above put Cat-M1 on a similar power budget and in the realm of battery-operated devices.

The Cat-M1 Nova can be ordered beginning today, should ship in limited quantities within weeks, with wider availability by the end of the year. If you can’t get one in the first wave, the 3G Nova is a direct stand-in from the software side of things.

I suspect we’ll see a lot of interest in Cat-M1 technology moving forward simply because the technology promises lower power and longer support. (I’m trying to avoid using the term IoT… oops, there it is.) For today, let’s take a look at the 3G version of the new hardware and the service that supports it.


Hologram.io Offers Developers Free Cell Data

If you’ve been thinking of adding cellular connectivity to a build, here’s a way to try out a new service for free. Hologram.io has just announced a Developer Plan that will give you 1 megabyte of cellular data per month. The company also offers hardware to use with the SIM, but they bill themselves as hardware agnostic. Hologram is about providing a SIM card and the API necessary to use it with the hardware of your choice: any 2G, 3G, 4G, or LTE devices will work with the service.

At 1 MB/month it’s obvious that this is aimed at the burgeoning ranks of Internet of Things developers. If you’re sipping data from a sensor and phoning it home, this will connect you in 200 countries over about 600 networks. We tried to nail them down on exactly which networks but they didn’t take the bait. Apparently any major network in the US should be available through the plan. And they’ve assured us that since this program is aimed at developers, they’re more than happy to field your questions as to which areas you will have service for your specific application.

The catch? The first taste is always free. For additional SIM cards, you’ll have to pay their normal rates. But it’s hard to argue with one free megabyte of cell data every month.

Hologram originally started with a successful Kickstarter campaign under the name Konekt Dash but has since been rebranded while sticking to their cellular-connectivity mission. We always like getting free stuff — like the developer program announced today — but it’s also interesting to see that Hologram is keeping up with the times and has LTE networks available in their service, for which you’ll need an LTE radio of course.

LTE IMSI Catcher

GSM IMSI catchers preyed on a cryptographic misstep in the GSM protocol. But we have LTE now, why worry? No one has an LTE IMSI catcher, right? Wrong. [Domi] is here with a software-defined base transceiver station that will catch your IMSI faster than you can say “stingray” (YouTube video, embedded below).

First of all, what is an IMSI? IMSI stands for International Mobile Subscriber Identity. If an IMEI (International Mobile Equipment Identity) is your license plate, your IMSI would be your driver’s license. The IMEI is specific to the phone. Your IMSI is used to identify you, allowing phone companies to verify your origin country and mobile network subscription.

Now, with terminology in tow, how does [Domi] steal your IMSI? Four words: Tracking Area Update Request. When a phone on an LTE network receives a tracking area update request, the LTE protocol mandates that the phone deletes all of its authentication information before it can reconnect to a base station. With authentication out of the way, [Domi] spoofs a tower, waits for phones to connect, requests the phone’s IMSI and then rejects the phone’s authentication request, all under the nose of the phone’s user.

Now, before you don your tinfoil hat, allow us to suggest something more effective. Need more cell phone related hacks? We’ve got your back.


33C3: Dissecting 3G/4G Phone Modems

[LaForge] and [Holger] have been hacking around on cell phones for quite a while now, and this led to them working on the open cellphone at OpenMoko and developing the OsmocomBB GSM SDR software. Now, they are turning their sights on 3G and 4G modems, mostly because they would like to use them inside their own devices, but would also like to make them accessible to the broader hacker community. In this talk at the 33rd Chaos Communication Congress (33C3), they discuss their progress in making this darkest part of the modern smartphone useful for the rest of us.

This talk isn’t about the plug-and-play usage of a modern cell-phone modem, though; it’s about reprogramming it. They pick a Qualcomm chipset because it has a useful DIAG protocol, and in particular choose the Quectel EC20 modem that’s used in the iPhone 5, because it makes the DIAG stream easily available.

Our story begins with a firmware upgrade from the manufacturer. They unzipped the files, and were pleasantly surprised to find that it’s actually running Linux, undocumented and without the source code being available. Now, [LaForge] just happens to be the founder of gpl-violations.org and knows a thing or two about getting code from vendors who use Linux without following the terms and conditions. The legal story is long and convoluted, and still ongoing, but they got a lot of code from Quectel, and it looks like they’re trying to make good.

Qualcomm, on the other hand, makes the Linux kernel source code available, if not documented. (This is the source on which Quectel’s code is based.) [LaForge] took over the task of documenting it, and then developing some tools for it — there is more going on than we can cover. All of the results of their work are available on the wiki site, if you’re getting ready to dig in.


Solving ISP Problem with a Homebrew LTE Yagi

We’ve heard reports that internet connectivity in Australia can be an iffy proposition, and [deandob] seems to back that up. At the limit of a decent DSL connection and on the fringe of LTE, [deandob] decided to optimize the wireless connection with this homebrew Yagi antenna.

Officially known as the Yagi-Uda after its two Japanese inventors from the 1920s, but generally shortened to the name of its less involved but quicker to patent inventor, the Yagi is an antenna that provides high gain in one direction. That a homebrew antenna was even necessary at all is due to [deandob]’s ISP using the 2300 MHz band rather than the more popular 2400 MHz – plenty of cheap 2.4 GHz antennas out there, but not so much with 2.3 GHz. With multiple parallel and precisely sized and spaced parasitic elements, a Yagi can be a complicated design, but luckily for [deandob] the ham radio community has a good selection of Yagi design tools available. His final design uses an aluminum rod for a boom, 2 mm steel wire for reflectors and directors, and a length of coax as the driven element. The result? Better connectivity that pushes his ISP throttling limit, and no more need to mount the modem high enough in his house to use the internal antenna.

People on the fringes of internet coverage go to great lengths to get connections, like this off-grid network bridge. Or if you’d rather use a homebrew Yagi to listen to meteors, that’s possible too.