
QCSuper: A tool for capturing 2G/3G/4G air traffic on Qualcomm-based phones - homarp
https://labs.p1sec.com/2019/07/09/presenting-qcsuper-a-tool-for-capturing-your-2g-3g-4g-air-traffic-on-qualcomm-based-phones/
======
rootsudo
This is nothing new; you could do this before w/ any old CDMA/GSM phone w/ a
Qualcomm chipset and QPST/QXDM. What's cool is using non-Qualcomm tools
for it! :)

You'd be surprised what putting your phone in listening mode and changing
around a few numbers can get you. The SMS paging channel is really cool, and
you can turn your phone into a sort of Stingray from Harris Corporation.

More so, a lot of this stuff is from the Phreaking Scene, which is not dead,
but very much different than its Mitnick heyday w/ the Oki900 and the late
00's with ESN/MEID fun.

Most of the phreaking scene nowadays involves "rom" hacking vs. the actual
modem of the phone, or unlocking, or probing into the cell phone's firmware to
grab the 16-byte key that'd unlock the modem for you to play with and do
everything from modifying the Bluetooth serial address to increasing TX power,
or more.

~~~
derefr
> Most of the phreaking scene nowadays involves...

That sounds like it's mostly just client-side attacks to get client-side
effects (essentially, bypassing the DRM of the baseband). Is there any modern
phreaking that involves tower/node-side attacks, with the goal of achieving
the same sorts of effects as classical phreaking (e.g. "free cell data")?

~~~
philprx
SS7, LTE Diameter attacks.

At first it looks unreachable, then you see many ways to get there...

Another way is mobile radio side signaling manipulation (NAS mostly).

------
canada_dry
They do a decent job at explaining (at a high level) the function of the
protocols involved.

~~~
topranks
Yeah it’s very well done from that point of view.

I’ve looked at such captures before and been kinda lost, the explanation is
really great here.

------
lucb1e
I'm wondering if there's anything I should be looking for in the traffic, like,
could the carrier be querying my phone for anything that is not strictly any
of their business? Then again, they already get a lot of interesting data
through my browsing patterns, tower connection data (=location)...

~~~
rootsudo
The carrier wouldn't need to - your phone is already reporting everything to
them and they can contain and go through information as needed. All
routing is on their side. Your cell phone is an end client device that relies
on a serial number/IMSI to access network resources tied to your identity on
their network.

What you should be more concerned about with this toolset is that anyone can
fetch the data around them using an off-the-shelf phone, within proximity of
_ONE_ tower or whatever passes your cell phone. (Bigger antenna, bigger gain =
bigger net.)

Now, what's curious is if you research GSM, the SMS paging channel or else - a
lot of this stuff is cleartext, but you'd need something good to parse the
information and isolate it per phone. This was w/ QCAT.

Back in the day of CDMA2000/3G, you could see whom the tower was trying to
reach, which nearest handset was communicating with the tower, and the to/from
numbers of text messages.

What's fun is determining who these numbers belonged to.

tl;dr you can do a very low range stingray.

------
zokier
The discourse on mobile traffic is all very interesting, but for a blog post
introducing a new tool for capturing that traffic, I would have been more
interested in hearing more about the diagnostic protocol you are using and its
capabilities.

~~~
voltagex_
[https://github.com/P1sec/QCSuper/blob/master/docs/The%20Diag...](https://github.com/P1sec/QCSuper/blob/master/docs/The%20Diag%20protocol.md)

Now, I wonder what the cheapest rootable Qualcomm-based phone I can get off
eBay is?

~~~
jsjohnst
If you find out, post back. I for one am interested and I’m sure others are
too.

------
NKosmatos
Nice write up with simple (but informative) sketches. I’ll share this post to
some newcomers in our company :-)

