
OsmocomBB build and GSM sniffing problems

2013-11-15 15:15
A quick FAQ collecting some of the problems you may run into.

[First, the OsmocomBB build process and the problems that may come up]

1. Choosing an environment

Hardware: a laptop and a C118 phone (or another supported phone; the list is at http://bb.osmocom.org/trac/wiki/Hardware/Phones)

One FT232RL, CP2102 or PL2303 USB-to-TTL module, and one 2.5mm headphone plug with cable

A custom-made cable is recommended; they are sold on Taobao, search for "T191 flashing cable".

Software: Ubuntu or Debian family, preferably i386

Packages: apt-get install libtool shtool autoconf git-core pkg-config make gcc

2. Building the cross-compilation toolchain

Two methods are recommended.

1) Download the prebuilt GnuARM toolchain.

For x86 (also mirrored on Baidu Netdisk):

$ wget http://gnuarm.com/bu-2.15_gcc-3.4.3-c-c++-java_nl-1.12.0_gi-6.1.tar.bz2
$ tar xf bu-2.15_gcc-3.4.3-c-c++-java_nl-1.12.0_gi-6.1.tar.bz2
$ mv gnuarm-* ~/gnuarm

For x86-64 (also mirrored on Baidu Netdisk):

$ wget http://www.gnuarm.com/bu-2.16.1_gcc-4.0.2-c-c++_nl-1.14.0_gi-6.4_x86-64.tar.bz2
$ tar xf bu-2.16.1_gcc-4.0.2-c-c++_nl-1.14.0_gi-6.4_x86-64.tar.bz2
$ mv gnuarm-* ~/gnuarm

Set the environment variable:

$ export PATH=~/gnuarm/bin:$PATH

Alternatively, append that line to the end of ~/.bashrc; in a new shell you can then run arm-elf-gcc and the other tools directly.

That completes the OsmocomBB cross-compilation environment.

2) Build it by hand, following http://bb.osmocom.org/trac/wiki/GnuArmToolchain

3. Building libosmocore

$ git clone git://git.osmocom.org/libosmocore.git
$ cd libosmocore/
$ autoreconf -i
$ ./configure
$ make
$ make install
$ cd ..
$ ldconfig

If the OsmocomBB build or a program cannot find libosmocore.so.4, run ldconfig.

4. Building OsmocomBB

$ git clone git://git.osmocom.org/osmocom-bb.git
$ cd osmocom-bb
$ git checkout --track origin/luca/gsmmap
$ cd src
$ make

[Next, problems you may run into when flashing with OsmocomBB and sniffing GSM]

1. Plug the USB-to-TTL module into the computer (if you are running in a virtual machine, pass it through to the VM as well), connect the 2.5mm headphone-plug cable to the phone, then:

$ cd ~/osmocom-bb/src/host/osmocon/

Make sure both LEDs on the module are lit; the phone must be powered off at this point.

2. Start the flash (it loads into RAM only, so it is gone after power-off and does not affect the phone):

./osmocon -m c123xor -p /dev/ttyUSB0 ../../target/firmware/board/compal_e88/layer1.compalram.bin

c123xor is for C118-based phones; do not use it with other models. The C118 firmware directory is compal_e88.

Short-press the phone's power key (a light tap, not a full power-on), and you should see output like the following:

 


Received PROMPT1 from phone, responding with CMD
read_file(../../target/firmware/board/compal_e88/layer1.compalram.bin):file_size=56016,hdr_len=4,dnload_len=56023
got 1 bytes from modem, data looks like: 1b .
got 1 bytes from modem, data looks like: f6 .
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 41 A
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 43 C
Received PROMPT2 from phone, starting download handle_write(): 4096 bytes (4096/56023)
handle_write(): 4096 bytes (8192/56023)
handle_write(): 4096 bytes (12288/56023)
handle_write(): 4096 bytes (16384/56023)
handle_write(): 4096 bytes (20480/56023)
handle_write(): 4096 bytes (24576/56023)
handle_write(): 4096 bytes (28672/56023)
handle_write(): 4096 bytes (32768/56023)
handle_write(): 4096 bytes (36864/56023)
handle_write(): 4096 bytes (40960/56023)
handle_write(): 4096 bytes (45056/56023)
handle_write(): 4096 bytes (49152/56023)
handle_write(): 4096 bytes (53248/56023)
handle_write(): 2775 bytes (56023/56023)
handle_write(): finished
got 1 bytes from modem, data looks like: 1b .
got 1 bytes from modem, data looks like: f6 .
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 41 A
got 1 bytes from modem, data looks like: 03 .
got 1 bytes from modem, data looks like: 42 B
Received DOWNLOAD ACK from phone, your code is running now!
battery_compal_e88_init: starting up

Seeing the above means the firmware was loaded successfully.

If it keeps showing 00 or some other single character, check the cable at the jack.

3. Scanning for cells

$ ~/cell_logger/osmocom-bb/src/host/layer23/src/misc/cell_log -O

If cells are found, output like the following appears:

 


ARFCN 117: tuning
ARFCN 117: got sync
Cell ID: 460_1_03EE_B130
<000e> cell_log.c:248 Cell: ARFCN=117 PWR=-62dB MCC=460 MNC=01 (China, China Unicom)

To scan a specific cell, for example ARFCN 70:

$ ~/cell_logger/osmocom-bb/src/host/layer23/src/misc/ccch_scan -i 127.0.0.1 -a 70

Save the scan log locally:

$ dumpcap -i lo -w ~/cell_logger/mobilelog/Cell.log

Open Wireshark to read the data live (use sudo if you are not root):

$ wireshark -k -i lo -f 'port 4729'

For SMS sniffing, filtering on gsm_sms in Wireshark's display filter shows the captured SMS packets.
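What layer23 sends to UDP port 4729 is GSMTAP-encapsulated, which is why Wireshark can decode it. As an added example (not code from the original post or from the OsmocomBB project), here is a small Python parser for the 16-byte GSMTAP v2 header, run over a constructed datagram, handy for checking a capture's metadata (ARFCN, channel type, frame number, signal level) before handing it to Wireshark.

```python
import struct

# GSMTAP v2 header: 16 bytes, big-endian, as decoded by Wireshark on UDP port 4729.
GSMTAP_HDR = struct.Struct(">BBBBHbbIBBBB")

ARFCN_F_PCS, ARFCN_F_UPLINK, ARFCN_MASK = 0x8000, 0x4000, 0x3FFF
CHANNEL_F_ACCH = 0x80  # sub_type flag: associated control channel (SACCH/FACCH)
TYPE_NAMES = {0x01: "UM", 0x02: "ABIS", 0x03: "UM_BURST", 0x04: "SIM"}
CHANNEL_NAMES = {0: "UNKNOWN", 1: "BCCH", 2: "CCCH", 3: "RACH", 4: "AGCH", 5: "PCH",
                 6: "SDCCH", 7: "SDCCH4", 8: "SDCCH8", 9: "TCH_F", 10: "TCH_H",
                 11: "PACCH", 12: "CBCH52", 13: "PDCH", 14: "PTCCH", 15: "CBCH51"}


def parse_gsmtap(datagram: bytes) -> dict:
    """Split one GSMTAP datagram into decoded header fields plus the raw payload."""
    if len(datagram) < GSMTAP_HDR.size:
        raise ValueError("datagram shorter than a GSMTAP header")
    (version, hdr_words, gtype, timeslot, arfcn_raw, signal_dbm, snr_db,
     frame_number, sub_type, antenna, sub_slot, _res) = GSMTAP_HDR.unpack_from(datagram)
    if version != 2:
        raise ValueError(f"unsupported GSMTAP version {version}")
    hdr_len = hdr_words * 4  # hdr_len is counted in 32-bit words, not bytes
    if hdr_len < GSMTAP_HDR.size or hdr_len > len(datagram):
        raise ValueError(f"implausible hdr_len {hdr_words}")
    channel = CHANNEL_NAMES.get(sub_type & 0x7F, f"0x{sub_type:02x}")
    if sub_type & CHANNEL_F_ACCH:
        channel += "+ACCH"
    return {
        "type": TYPE_NAMES.get(gtype, f"0x{gtype:02x}"),
        "arfcn": arfcn_raw & ARFCN_MASK,          # frequency number without flag bits
        "uplink": bool(arfcn_raw & ARFCN_F_UPLINK),
        "pcs": bool(arfcn_raw & ARFCN_F_PCS),
        "timeslot": timeslot, "sub_slot": sub_slot, "antenna": antenna,
        "channel": channel,
        "signal_dbm": signal_dbm, "snr_db": snr_db,
        "frame_number": frame_number,
        "payload": datagram[hdr_len:],            # the encapsulated L2/L3 frame
    }


# Constructed sample datagram (not a real capture): a downlink BCCH frame on
# ARFCN 117 at -62 dBm, matching the cell in the cell_log output above.
SAMPLE = GSMTAP_HDR.pack(2, 4, 0x01, 0, 117, -62, 0, 123456, 1, 0, 0, 0) + b"\x49\x06\x1b"

if __name__ == "__main__":
    for key, value in parse_gsmtap(SAMPLE).items():
        print(f"{key}: {value}")
```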

Problems that may occur at this point:

1) The scan runs at full speed and then suddenly stops; press Ctrl+C and start over.

2) No cells are found, or the "got sync" message never appears; I have not solved this one yet and would appreciate anyone who knows letting me know.


Additionally, there is a project called GSMMAP that provides a minimal Debian live CD with the OsmocomBB environment already built.

The gsmmap.org live ISO is a boot image to capture GSM data from an Osmocom-supported mobile and upload them for analysis at gsmmap.org.

There is a run.sh in the home directory (~); when the scan finishes it asks for an ARFCN and a TMSI, and you can edit the script to comment out the TMSI prompt.

It just has no graphical interface, so viewing the data directly in Wireshark is inconvenient.

References:

http://bb.osmocom.org/trac/
http://www.hackdig.com/Article/201311/257701.html
http://www.hacklook.com/forum.php?mod=viewthread&tid=12&extra=page%3D1
http://www.hackdig.com/Article/201311/254407.html
http://www.acfun.tv/v/ac874894
http://www.eric21.com/20131013_5865619656278016
http://offensive.blog.51cto.com/6158223/1107046

# Updated 2013.11.11
Source: www.2cto.com/Article/201311/257702.html
