Awesome

LTE_monitor_c2xx

The purpose of LTE_monitor_c2xx is to provide a LTE message debugging solution composed of a TAP interface that enables you to connect to the internet using a samsung c2xx based USB dongle with the DEBUG options turned on.

It includes:

• A modem manager that creates a TAP port in userland
• A Wireshark dissector that uses GSMTAP in order to see the debug messages

The SAMSUNG GT-B3730 and GT-B3740 are USB dongles that have LTE capabilities. 800Mhz and 2600Mhz band. the later is capable of 3G, 2G..

A reverse engineering task has been done on the dongle in order to understand its protocol. More info are available at:

http://labs.p1sec.com/2013/08/05/samsung-lte-usb-stick-gt-b3730b3740-hacking/

Compiling

Make sure you have libusbx installed

# apt-get install libusb-1.0-0-dev

Or download and follow installation procedures from:

http://libusbx.org/

$ cd mod_switch/
$ make
$ cd ..
$ cd modem/
$ make

At this stage, you should have a binary called "lte"

Those dongle once connected act like a CD-ROM storage. Performing a lsusb shows:

$ lsusb
Bus 005 Device 010: ID 04e8:689a Samsung Electronics Co., Ltd LTE Storage Driver [CMC2xx]
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

Some distributions already have a usb_modswitch that would automatically switch the device into "commercial" mode. Otherwise, a handy tool is given in order to switch the device into commercial mode:

$ ./mod_switch/lte_modswitch
Open Success

Now performing a new lsusb shows:

$ lsusb
Bus 005 Device 011: ID 04e8:6889 Samsung Electronics Co., Ltd GT-B3730 Composite LTE device (Commercial)
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

In this mode, the device is ready to Connect to the LTE network.

In order to get it to connect, you must know your APN.

# ./lte -a "orange.fr"

The Dongle's led is going to switch color a couple of time, and the AT commands are output to the console. At this point, we are waiting to see the "NWSTATEIND: 6" which is the Network State Indicator.

At this point, we need an IP for the tap device that we can get with DHCP:

# dhclient tap1

If everything goes well, an IP gets assigned to the tap1 interface. In any case, one could monitor the tap1 Interface with wireshark.

Wireshark

In order to see the debug packet, GSMTAP is used. and a packet-c2xx.c has been added.

This approach lets us send the debug information to another IP if necessary, to just monitor the LTE debug.

Just compile the Wireshark given in the repository.

Run the LTE dongle with the -d parameter:

# ./lte -a orange.fr -d 192.168.1.2

Where 192.168.1.2 is the ip of the machine running the wireshark. You should at this point see all the debug generated by the dongle. NAS and RRC are detected and decoded.

History

At first, a modification of the existing Kalmia linux driver was made. This one was exposing a new "c2xx" device in /dev/c2xx which was read from a piece of software still present in kalima_mon in the old_kernel_code/ directory. For debugging purpose, as well as for the ease of use, the decision of creating a 100% userland mode has been taken.