Using a Nexus 6P and QCSuper to Sniff LTE.

My rooted, NetHunter-installed (NetHunter isn't required for this) Nexus 6P is still an awesome phone after 10 years!

This time I’m going quickly through how to use QCSuper on a Linux box and a rooted Nexus 6P to sniff ‘control plane packets.’ These are things like Radio Resource Control (RRC) and NAS (with a caveat). You are not able to see data packets like web traffic, or encrypted packets, but I’ll have some posts on those in the very near future! The caveat with NAS is that you’ll see the NAS Attach Request and Security Mode Command, but after that you will not see the encrypted payloads.

Anyway, still super cool, especially to see the unique IDs of cell towers the phone is seeing.

QCSuper works by utilizing the Qualcomm Diag interface, so there’s only a handful of devices that are confirmed to work out of the box. Luckily, the only expensive one is the one you need if you want to sniff 5G. But at that price, you might as well get an SDR. Anyway!

Install dependencies:

pip install crcmod
pip install pycrate
pip install qcsuper

Sweet!

If you don’t want to reboot, load the proper kernel modules (drivers):

sudo modprobe qcserial
sudo modprobe usbserial

Now your Ubuntu/Kali/Linux box is ready to go.

Make sure you have a SIM card inserted in the Nexus 6P. I spent way too long troubleshooting, because qcsuper will not balk and Wireshark will open even if you don’t have a SIM card, but you won’t see any traffic.

Turns out that the 6P needs a SIM card inserted for its cellular modem to be enabled. To be clear, the SIM does NOT need to be active or anything, just needs to be in there.

I ended up inserting one of those free 200MB sketchy SIMs you can purchase from Amazon that isn’t activated and it works great.

As the bootloader is unlocked and your 6P is rooted, you shouldn’t have to enable Developer options -> USB debugging, but if you turned it off for whatever reason, make sure you turn it back on.

Now plug in the 6P and:

adb shell
su
getprop sys.usb.config

Now you should see that prop set to:

adb

We need to enable diag mode over USB as well, so let’s do that:

setprop sys.usb.config diag,adb

Or if you want it to persist over reboot:

setprop persist.sys.usb.config diag,adb

Now unplug and replug the 6P to your Linux box.

Now let’s open up QCSuper and get to sniffing!

I can’t seem to get

qcsuper --adb --info -v

working, so ignore that and just jump to sniffing, either viewing live in Wireshark or dumping the packets directly:

qcsuper --adb --wireshark-live

OR

qcsuper --adb --pcap-dump lte_capture.pcap

And you should see packets coming in!

Sick!

Here’s one example of some of the cool info you can find within these packets:

Here’s an RRC packet.

The trackingAreaCode identifies the region (tracking area) the cell tower belongs to. The cellIdentity is the unique ID of the actual cell tower.

Even if I didn’t hide some chunks of this packet, you likely wouldn’t be able to figure out my exact location, but you’d def have an idea of where I’m at. If you somehow captured an MCC/MNC, then you’d def be able to track me down.

Here are some other interesting packet types you can filter on:

lte-rrc
lte-nas
lte-phy
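As an added example (not from the original post), here is a small Python classifier for the GSMTAP frames QCSuper writes into the pcap: it maps each frame to the lte-rrc / lte-nas filter it would match in Wireshark, names the RRC channel (SIB1 with trackingAreaCode and cellIdentity arrives on BCCH_DL_SCH), and flags the NAS PDUs that are ciphered after the Security Mode Command, which is the caveat above. The GSMTAP constants are assumed from the GSMTAP spec, and the sample frames are constructed, not taken from a real capture.

```python
import struct
from typing import NamedTuple

# GSMTAP framing as QCSuper writes it for Wireshark (assumed from the GSMTAP spec;
# the type/sub_type values are the ones Wireshark's gsmtap dissector understands).
GSMTAP_TYPE_LTE_RRC = 0x0D
GSMTAP_TYPE_LTE_NAS = 0x12
LTE_RRC_CHANNELS = {0: "DL_CCCH", 1: "DL_DCCH", 2: "UL_CCCH", 3: "UL_DCCH",
                    4: "BCCH_BCH", 5: "BCCH_DL_SCH", 6: "PCCH", 7: "MCCH"}
# 3GPP TS 24.301 security header type (high nibble of the first EMM octet).
NAS_SEC_HDR = {0: "plain", 1: "integrity", 2: "integrity+ciphered",
               3: "integrity, new EPS context", 4: "integrity, partially ciphered"}

class Frame(NamedTuple):
    wireshark_filter: str   # "lte-rrc" or "lte-nas", the filters named on the page
    detail: str             # RRC logical channel or NAS security header type
    payload_readable: bool  # False once NAS is ciphered after Security Mode Command

def classify_gsmtap(pkt: bytes) -> Frame:
    # Classify one GSMTAP frame (the UDP payload of a pcap packet).
    version, hdr_words, gtype, sub_type = pkt[0], pkt[1], pkt[2], pkt[12]
    if version != 2:
        raise ValueError("not a GSMTAP v2 frame")
    payload = pkt[hdr_words * 4:]
    if gtype == GSMTAP_TYPE_LTE_RRC:
        return Frame("lte-rrc", LTE_RRC_CHANNELS.get(sub_type, "unknown"), True)
    if gtype == GSMTAP_TYPE_LTE_NAS:
        sec_hdr = payload[0] >> 4
        # Plain, integrity-only and new-context messages (Attach Request, Security
        # Mode Command) still carry a cleartext EMM body; type 2 is ciphered.
        readable = sec_hdr in (0, 1, 3)
        return Frame("lte-nas", NAS_SEC_HDR.get(sec_hdr, "unknown"), readable)
    return Frame("other", f"gsmtap type 0x{gtype:02x}", False)

def gsmtap_hdr(gtype: int, sub_type: int) -> bytes:
    # version, hdr_len (32-bit words), type, timeslot, arfcn, signal, snr,
    # frame number, sub_type, antenna, sub_slot, reserved
    return struct.pack("!BBBBHbBIBBBB", 2, 4, gtype, 0, 0, 0, 0, 0, sub_type, 0, 0, 0)

# Constructed sample frames (not real captures): a SIB1-style frame on BCCH_DL_SCH,
# a plain Attach Request (0x07 = EMM, 0x41), a Security Mode Command (sec hdr 3,
# then MAC+seq, then EMM 0x5d), and a ciphered EMM PDU (sec hdr 2).
SAMPLE_FRAMES = [
    gsmtap_hdr(GSMTAP_TYPE_LTE_RRC, 5) + bytes.fromhex("68 4c 42 80 01"),
    gsmtap_hdr(GSMTAP_TYPE_LTE_NAS, 0) + bytes.fromhex("07 41 71 08 09"),
    gsmtap_hdr(GSMTAP_TYPE_LTE_NAS, 0) + bytes.fromhex("37 aa bb cc dd 01 07 5d 02"),
    gsmtap_hdr(GSMTAP_TYPE_LTE_NAS, 0) + bytes.fromhex("27 11 22 33 44 02 9f e1 0c"),
]

def summarize(frames=SAMPLE_FRAMES) -> list:
    return [classify_gsmtap(f) for f in frames]
```

Run over a real capture by feeding the UDP payloads of the pcap into classify_gsmtap; the last ciphered frame is exactly what you see in Wireshark once the Security Mode procedure completes.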

Hope this lets you streamline using your 6P and saves you some time troubleshooting.


END TRANSMISSION
