QCSuper: A tool for capturing 2G/3G/4G air traffic on Qualcomm-based phones

QCSuper is a tool allowing to capture raw 2G/3G/4G radio frames, generating PCAP captures using Qualcomm-based phones and modems.

Lately, I have been playing with a 3G dongle – a small USB device enabling to connect to the mobile Internet. I have discovered that most USB dongles with a Qualcomm processor exposed a special diagnostic protocol, called Diag (or DM, or QCDM – for Qualcomm Diagnostic Monitor). But I have also discovered that this proprietary protocol was also present inside Android phones (through a device called /dev/diag) and it allowed a couple of good things, such as obtaining raw captures of network air traffic or, in older models, reading/writing at arbitrary offsets of the radio chip’s memory (!).
Today, we are proud to present QCSuper, an open-source tool that will enable you to passively capture raw 2G/3G/4G frames produced by your rooted Qualcomm-based Android phone or dongle, and produce a PCAP analyzable using Wireshark (in addition to a couple other input/output formats).

https://labs.p1sec.com/2019/07/09/presenting-qcsuper-a-tool-for-capturing-your-2g-3g-4g-air-traffic-on-qualcomm-based-phones/

Supported protocols

QCSuper supports capturing a handful of mobile radio protocols. Each captured message is placed after a GSMTAP header, a standard header (encapsulated into UDP/IP) that identifies the protocol, and the GSMTAP packets are written into a PCAP file that is fully analyzable using Wireshark.
2G/3G/4G protocols can be broken into a few “layers”: layer 1 covers the digital radio modulation and multiplexing, layer 2 handles things like fragmentation and acknowledgement, and layer 3 is the actual signalling or user data.
QCSuper most often lets you capture at layer 3, as it is the most practical layer to analyze using Wireshark, and it is what the Diag protocol provides natively (and where some of the interesting information is found).

  • 2G (GSM): Layer 3 and upwards (RR/…)
  • 2.5G (GPRS and EDGE): Layer 2 and upwards (MAC-RLC/…) for data acknowledgements
  • 3G (UMTS): Layer 3 and upwards (RRC/…)
    • Additionally, it supports reassembling SIBs (System Information Blocks, the data broadcast to all users) in separate GSMTAP frames, as Wireshark currently can’t do it itself: flag --reassemble-sibs
  • 4G (LTE): Layer 3 and upwards (RRC/…)
    • Additionally, it supports including decrypted NAS messages, which are carried encrypted inside RRC packets, as additional frames: flag --decrypt-nas

By default, the IP traffic sent by your device is not included; you see only the signalling frames. You can include the IP traffic you generate using the --include-ip-traffic option (IP being essentially the layer 3 of your data traffic in 2G/3G/4G, with the detail that its headers may be compressed (ROHC) and a small PPP header may be included).
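To make the GSMTAP encapsulation described above concrete, here is an added example (not part of QCSuper or the original post) that wraps layer-3 messages in Ethernet/IPv4/UDP/GSMTAP headers, assembles them into a PCAP image Wireshark can open, and parses that image back. The GSMTAP type values are the ones from libosmocore's gsmtap.h; the loopback addresses and zeroed MAC addresses are placeholders I chose, not something QCSuper prescribes.

```python
import struct

GSMTAP_PORT = 4729                 # UDP port registered for GSMTAP
GSMTAP_TYPE_UMTS_RRC = 0x0c        # payload type values as in libosmocore's gsmtap.h
GSMTAP_TYPE_LTE_RRC = 0x0d
GSMTAP_TYPE_LTE_NAS = 0x12

def gsmtap_header(gsmtap_type, sub_type=0, arfcn=0, frame_number=0):
    # GSMTAP v2 header, 4 x 32-bit words: version, hdr_len (words), type, timeslot,
    # ARFCN, signal dBm, SNR dB, frame number, sub-type, antenna, sub-slot, reserved
    return struct.pack("!BBBBHbbIBBBB", 2, 4, gsmtap_type, 0, arfcn,
                       0, 0, frame_number, sub_type, 0, 0, 0)

def inet_checksum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(gsmtap_type, payload, sub_type=0):
    # Ethernet / IPv4 / UDP:4729 / GSMTAP / layer-3 message, the layering Wireshark expects
    udp_payload = gsmtap_header(gsmtap_type, sub_type) + payload
    udp = struct.pack("!HHHH", GSMTAP_PORT, GSMTAP_PORT, 8 + len(udp_payload), 0) + udp_payload
    lo = b"\x7f\x00\x00\x01"                            # placeholder 127.0.0.1 src/dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, lo, lo)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return bytes(12) + b"\x08\x00" + ip + udp          # zeroed MACs, EtherType IPv4

def build_pcap(records, ts=0):
    # records: iterable of (gsmtap_type, sub_type, payload); returns the PCAP file bytes
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for gsmtap_type, sub_type, payload in records:
        frame = encapsulate(gsmtap_type, payload, sub_type)
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    # inverse: returns [(gsmtap_type, sub_type, payload), ...] for every UDP/4729 packet
    out, pos = [], 24                                   # skip the PCAP global header
    while pos + 16 <= len(data):
        incl_len = struct.unpack("<I", data[pos + 8:pos + 12])[0]
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        udp = frame[14 + (frame[14] & 0x0F) * 4:]      # skip Ethernet + IPv4 (IHL) headers
        if frame[23] != 17 or struct.unpack("!H", udp[2:4])[0] != GSMTAP_PORT:
            continue
        g = udp[8:]                                     # GSMTAP header starts after UDP
        out.append((g[2], g[12], g[g[1] * 4:]))
    return out
```

Writing `build_pcap(...)` to a `.pcap` file and opening it in Wireshark decodes each record with the LTE RRC / UMTS RRC / LTE NAS dissector selected by the GSMTAP type byte.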

https://github.com/P1sec/QCSuper

Installation

QCSuper was tested and developed on Ubuntu 16.04, 18.04 and Windows 7. It depends on a few Python modules.
To use it, your phone must be rooted or expose a diag service port over USB. In order to check for compatibility with your phone, look up the phone’s model on a site like GSMArena and check whether it has a Qualcomm processor.

Installation on Ubuntu is pretty simple.
Open a terminal and type the following:

# Download QCSuper
git clone git@github.com:P1sec/QCSuper.git qcsuper
cd qcsuper

# Install dependencies
sudo apt install python3-pip wireshark
sudo pip3 install --upgrade pyserial crcmod https://github.com/P1sec/pycrate/archive/master.zip

Usage

After having installed it, you can plug your rooted phone in over USB, and using it is as simple as:

./qcsuper.py --adb --wireshark-live

It uses the Qualcomm Diag protocol, also called QCDM or DM (Diagnostic Monitor) in order to communicate with your phone’s baseband.
