Signaling Collection and Analysis Tool

SCAT: Signaling Collection and Analysis Tool

This application parses diagnostic messages from Qualcomm and Samsung basebands through USB, and generates a stream of GSMTAP packets containing cellular control plane messages.

Requirements

On PC

Only tested in Linux, mostly various versions of Ubuntu. Python 3.10 is a minimum requirement, and the following external modules are required:

To properly decode 2G/3G/4G GSMTAP packets generated by SCAT, Wireshark 2.6.0 or above is required. To properly decode 5G GSMTAPv3 packets generated by SCAT, Wireshark 3.0.0 or above is required; 4.2.5 or above is recommended. For older Wireshark releases, we provide a Wireshark Lua plugin that extends the GSMTAP dissector. The Wireshark plugin is required to dissect LTE MAC and PDCP packets generated by SCAT version 1.3.0 and later, and NR RRC/NAS-5GS packets.

Information: NR RRC/NAS-5GS messages are only available through GSMTAPv3. NR RRC/NAS-5GS PCAPs generated using SCAT 1.4.0 use a slightly different definition of GSMTAPv3. If you have the QMDL/SDM file along with the PCAP file, please generate the PCAP file again; if you do not have the QMDL/SDM file, use the script convert_prerelease_gsmtapv3.py -1 to convert the GSMTAP header to the final format. If you have PCAP files generated using SCAT <1.3.0, please use convert_prerelease_gsmtapv3.py to convert the GSMTAP header to the final GSMTAPv3 release.

Smartphones

The cellular device must expose the diagnostic port via USB. This is largely device-dependent and we cannot give a generic solution for all devices. You can check out the following websites for some instructions on either opening up the diagnostic port or collecting the baseband dump file:

Try also searching the Internet with keyword (your device name) qpst to get the method of exposing the diagnostic port for Qualcomm-based smartphones. The wiki page collects information on tested devices and any device-specific quirks.

If your smartphone does not expose the diagnostic port via USB, you can try using the baseband dump features existing in some smartphones. Follow the wiki page for details. We do not support any companion app on the (rooted) Android device, and there is no plan to implement this.

Installation

You need to explicitly install SCAT before using it. Just executing the main script from the git checkout will not work. Use any of the following commands:

# If you want fast CRC calculation (for Qualcomm and HiSilicon)
$ pip install "signalcat[fastcrc]"

# If you don't want or can't build libscrc
$ pip install signalcat

For development purposes, please use pip install -e .[fastcrc] or pip install -e . on your checkout directory.

You will also need to install udev.rules on Linux if SCAT is not able to open the USB device as a normal user. If you cannot open a serial device (even as root), please stop ModemManager.

Usage

For smartphones, use USB directly to access the diagnostics port. For discrete cellular modules, use the serial mode instead. The qcserial and option kernel modules do not know the diagnostic port of every Qualcomm-based smartphone and cellular module, and no such module exists for Samsung-based smartphones.

By default, SCAT sends packets to 127.0.0.1: control plane packets to UDP port 4729 as GSMTAP, and user plane packets to UDP port 47290 as IP.

Exit the application with Ctrl+C.

Please see the wiki page for advanced options.
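
A minimal consumer for the default control plane output described above, for processing the stream in a script instead of Wireshark. This is an added example, not part of SCAT: the header layout is GSMTAP version 2 as defined in libosmocore's gsmtap.h, and the names parse_gsmtap, Gsmtap and SAMPLE are made up for the illustration.

```python
import socket
import struct
from typing import NamedTuple

GSMTAP_PORT = 4729  # SCAT's default control plane port (from the text above)
# GSMTAP v2 header per libosmocore's gsmtap.h: 16 bytes, network byte order.
# version, hdr_len (32-bit words), type, timeslot, arfcn, signal_dbm, snr_db,
# frame_number, sub_type, antenna_nr, sub_slot, reserved
HEADER = struct.Struct("!BBBBHbbIBBBB")
ARFCN_UPLINK, ARFCN_MASK = 0x4000, 0x3FFF
# Subset of the payload type values defined in gsmtap.h
TYPES = {0x01: "GSM Um", 0x0C: "UMTS RRC", 0x0D: "LTE RRC", 0x12: "LTE NAS"}
# Constructed sample datagram (not captured from a device): LTE RRC, uplink
SAMPLE = HEADER.pack(2, 4, 0x0D, 0, 0x4000 | 1850, -90, 0, 0, 3, 0, 0, 0) + b"\x20\x00"


class Gsmtap(NamedTuple):
    kind: str
    arfcn: int
    uplink: bool
    signal_dbm: int
    sub_type: int
    payload: bytes


def parse_gsmtap(datagram: bytes) -> Gsmtap:
    """Parse one GSMTAP v2 datagram; raise ValueError on anything else."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a GSMTAP header")
    (version, hdr_words, ptype, _ts, arfcn, dbm, _snr,
     _fn, sub_type, _ant, _slot, _res) = HEADER.unpack_from(datagram)
    if version != 2:  # other versions (e.g. GSMTAPv3 for NR) are not handled here
        raise ValueError(f"unsupported GSMTAP version {version}")
    hdr_len = hdr_words * 4
    if not HEADER.size <= hdr_len <= len(datagram):
        raise ValueError("header length field out of range")
    kind = TYPES.get(ptype, f"type 0x{ptype:02x}")
    return Gsmtap(kind, arfcn & ARFCN_MASK, bool(arfcn & ARFCN_UPLINK),
                  dbm, sub_type, datagram[hdr_len:])


if __name__ == "__main__":
    print(parse_gsmtap(SAMPLE))  # offline check on the constructed sample
    # Bind to loopback only: signalling captures carry subscriber identifiers.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("127.0.0.1", GSMTAP_PORT))
        while True:
            try:
                print(parse_gsmtap(sock.recvfrom(65535)[0]))
            except ValueError as exc:
                print(f"skipped datagram: {exc}")
```
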

Common Options

The -t option specifies the type of baseband. The following options are available:

  • -t qc: Qualcomm
  • -t sec: Samsung
  • -t hisi: HiSilicon (experimental, only baseband dump is supported)

SCAT versions up to 1.1.0 required specifying the Samsung baseband type manually using -m. As SCAT now autodetects the Samsung baseband type, for SCAT 1.2.0 and above this option is only required when analyzing a raw SDM file without a start response.

USB

Accessing the baseband diagnostics via USB:

$ scat -t qc -u -a 001:010 -i 2
$ scat -t sec -u -a 001:010 -i 2

Although there is a small heuristic to determine the connected device, it is recommended to explicitly specify the USB device address and the interface number of the diagnostics node. -a 001:010 specifies the address, which follows the same syntax as shown by the lsusb command. -i 2 specifies the interface number of the diagnostic node, which is again device-specific.

Samsung devices require a correct magic number to be supplied to start the diagnostic session through USB. Please see Issue #27 for more information on this.

Serial

Accessing the baseband diagnostics via serial port:

$ scat -t qc -s /dev/ttyUSB0

Replace /dev/ttyUSB0 with your diagnostic device.

Dump

Parsing the baseband dump file:

$ scat -t qc -d test.qmdl
$ scat -t sec -d test.sdm
$ scat -t hisi -d test.lpd

Tested Devices

Please see the wiki page.

Known Bugs

Issues related to exposing the diagnostics port via USB are out of scope.

  • On certain Qualcomm devices, after exiting and launching the application more than once, initialization eventually hangs and no messages appear. The root cause is still under investigation. Solution: reboot the smartphone.
  • On certain Qualcomm devices, you will see "Secure log" messages. This means that the baseband is encrypting the DIAG log packet, which SCAT can't decrypt without a proper RSA key. Obtaining the private key is out of scope, and please do not report issues regarding this.

Chat

The canonical address is the Matrix chat room. Telegram is only provided as a bridge and exists only for your convenience. In case of abuse I may close down the Telegram bridge.

Rules:

  • The --start-magic related to Issue #27 should not be discussed in public.
  • Please respect the rules of tchncs.de where the chat room is hosted.
  • Please be nice to each other, and do not push anyone regarding the ETA of any feature or bugfix.
  • SCAT is not a part of KDE project, but I personally recommend KDE's code of conduct.

License

SCAT is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.

References

We are kindly asking any academic works utilizing and/or incorporating this software to cite one of these references listed below:

  • Byeongdo Hong, Shinjo Park, Hongil Kim, Dongkwan Kim, Hyunwook Hong, Hyunwoo Choi, Jean-Pierre Seifert, Sung-Ju Lee, Yongdae Kim. Peeking over the Cellular Walled Gardens - A Method for Closed Network Diagnosis -. IEEE Transactions on Mobile Computing, February 2018.

Thanks to Christian Oschwald and Willem Hengeveld from GSMK for their support on Samsung SDM parser.

Source Distribution

signalcat-2.0.0.tar.gz (153.8 kB)

Built Distribution

signalcat-2.0.0-py3-none-any.whl (139.8 kB)

File details

Details for the file signalcat-2.0.0.tar.gz.

File metadata

  • Download URL: signalcat-2.0.0.tar.gz
  • Size: 153.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.7

File hashes

Hashes for signalcat-2.0.0.tar.gz
Algorithm Hash digest
SHA256 987019e27c0a19ddd4a0398211351b04333b1375e36836b3c783af56544bde09
MD5 6729c528fa4915321b90c0ec05887f25
BLAKE2b-256 e542d3c63b71d251ddd1f5fa2a1628c7d36bca730c399432b2c9e21f462fec6c

File details

Details for the file signalcat-2.0.0-py3-none-any.whl.

File metadata

  • Download URL: signalcat-2.0.0-py3-none-any.whl
  • Size: 139.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.7

File hashes

Hashes for signalcat-2.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 ccf097e410f08e3c9d872f839f63b5d2216ac81ea951dbdca24b04b412e24a13
MD5 3db141b7f324a79b872662fb11d4f855
BLAKE2b-256 e82858ae2ad2cbf559668c246b30457cd688c91bbb44ce148ddf1c2113eb800b
