PCAP format and Invalid RRC Setup spCellConfig

[desimetallica]

Hello, thanks for the repo first of all.
I'm trying the V8 "Invalid RRC Setup spCellConfig" vs a OnePlus Nord CE 2 5G with a M_V3_P10 firmware version described in your paper. I've few question:

• in the monitor.1.txt i can't find the "[ASSERT] file:mcu/l1/mml1/mml1_endc/src/mml1_endc_db_hdlr.c line:524 p1:0x91920c70"
• in the pcapng file I can't visualize RRC and MAC shown in your description, but something different. I'm missing something probably...
  
• I've understood that this kind of test (like others) is triggered when phone is toggled in airplane mode on/off and forced to reattach to the network, is it possible to trigger the phone to connect to rogue BS in a different way? For example like higher signal of rouge BS?

Thanks for the info
BR
Desi

[Matheus-Garbelini]

Hi @desimetallica, please find bellow the answer to your questions.

in the monitor.1.txt i can't find the "[ASSERT] file:mcu/l1/mml1/mml1_endc/src/mml1_endc_db_hdlr.c line:524 p1:0x91920c70"

Can you check if your OnePlus Nord CE 2 5G has the following firmware version or similar?

• Android Version: 13
• Android Security Update: May 5, 2023
• Build Number: IV2201_11_F.48
• Baseband Version: M_V3_P10,M_V3_P10

Particularly, the Android Security Update must be May 5 or earlier as we did not test the phone with further security updates.

in the pcapng file I can't visualize RRC and MAC shown in your description, but something different. I'm missing something probably...

Are you using the internal wireshark provided by 5Ghoul to visualize the PCAP file?
You can access such Wireshark by running bin/wireshark from inside the container or from the root project folder.
The Wireshark provided by 5Ghoul is already configured to correctly display 5G NR packets.
However, if you'd like to use your own Wireshark version to display the 5G packets, you can follow this tutorial from OpenAirInterface: Link.

I've understood that this kind of test (like others) is triggered when phone is toggled in Airplane mode on/off and forced to reattach to the network, is it possible to trigger the phone to connect to rogue BS in a different way? For example like higher signal of rouge BS?

That would require performing some NR jamming which 5Ghoul does not implement.
We did not evaluate this, but theoretically, the most simple way of creating this jammer would be to start 2 syncronized SDRs (benevolent BS + rogue BS) such that the rogue base station is always jamming at the exact phase as the benevolent BS. In such case, the phone would still need to time out first, which might take some time to re-trigger a cell search such that a connection with the higher RSSI rogue BS is successful without toggling airplane mode in the phone.

There are other works exploring different approaches to jamming

[1] – Practical Jamming of a Commercial 5G Radio System at 3.6 GHz
https://www.sciencedirect.com/science/article/pii/S1877050922008729
[2] - SigUnder: a Stealthy 5G Low Power Attack and Defenses
https://www.khoury.northeastern.edu/home/noubir/publications-local/LN2021.pdf
[3] - AdaptOver: adaptive overshadowing attacks in cellular networks
https://dl.acm.org/doi/10.1145/3495243.3560525

@desimetallica Let me know if you have further questions.