Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/fgsect/scat

SCAT: Signaling Collection and Analysis Tool
https://github.com/fgsect/scat

Last synced: 3 months ago
JSON representation

SCAT: Signaling Collection and Analysis Tool

Awesome Lists containing this project

README 

        
# SCAT: Signaling Collection and Analysis Tool



This application parses diagnostic messages of Qualcomm and Samsung baseband

through USB, and generates a stream of GSMTAP packet containing cellular control

plane messages.



## Requirements



### On PC



Only tested in Linux, mostly various versions of Ubuntu.

Python 3.7 is a minimum requirement, and the following external modules are required:



* [pyUSB](https://pypi.org/project/pyusb/)

* [pySerial](https://pypi.org/project/pyserial/)

* [bitstring](https://bitstring.readthedocs.io/en/stable/)

* [packaging](https://pypi.org/project/packaging/)

* [libscrc](https://github.com/hex-in/libscrc) - optional



To properly decode GSMTAP packets generated by SCAT, Wireshark 2.6.0 or above is required.

For older Wireshark releases, we are providing a Wireshark Lua plugin to extend the GSMTAP dissector.

The Wireshark plugin is required to dissect LTE MAC and PDCP packets generated by SCAT version 1.3.0, and NR RRC/NAS-5GS packets.



**Warning:** NR RRC/NAS-5GS messages are only available through GSMTAPv3 which is **[work in progress](https://gitea.osmocom.org/peremen/gsmtapv3)**.

SCAT master uses GSMTAPv3 draft version only for NR RRC/NAS-5GS, and the definition of GSMTAPv3 may change in the future.

SCAT does not guarantee data compatibility of GSMTAPv3 packets **until it is finalized**.

Therefore, please also keep the QMDL/SDM files if you need to preserve 5G signaling messages for future usage.



### Smartphones



Cellular device must expost the diagnostic port via USB.

This is largely device-dependent and we can not give generic solution for all devices.

[This external website](https://cacombos.com/contribute) provides some instructions on either opening up the diagnostic port or collecting the baseband dump file.

You can also search the Internet with keyword `(your device name) qpst` to get the method of exposing the diagnostic port for Qualcomm-based smartphones.

The [wiki page](https://github.com/fgsect/scat/wiki/Devices) collects information on tested devices and any device-specific quirks.



If your smartphone does not expose the diagnostic port via USB, you can try using the baseband dump features existing in some smartphones.

Follow [the wiki page](https://github.com/fgsect/scat/wiki/Baseband-Dumps) for details.

We do not support any companion app on the (rooted) Android device, and there will be no plan to implement this.



## Installation



You need to explicitly install SCAT before using it.

Just executing the main script from the git checkout will not work.

Use any of the following commands:



```

# If you want fast CRC calculation (for Qualcomm and HiSilicon)

$ pip install "scat[fastcrc] @ git+https://github.com/fgsect/scat"



# If you don't want or can't build libscrc

$ pip install git+https://github.com/fgsect/scat

```



Please note that the name SCAT is taken in the PyPI, I will find further solution.



For development purposes, please use `pip install -e .[fastcrc]` or `pip install -e .` on your checkout directory.



You will also need to install [udev.rules](https://github.com/M0Rf30/android-udev-rules) on Linux if SCAT is not able to open the USB device as a normal user.

If you cannot open a serial device (even as a root), please stop ModemManager.



## Usage



For smartphones use the USB directly to access the diagnostics port.

For discrete cellular modules use the serial mode instead.

The `qcserial` and `option` kernel module do not have the information of diagnostic port of all Qualcomm-based smartphones and cellular modules, and no such module exist for Samsung-based smartphones.



By default, SCAT will send packets to 127.0.0.1, control plane packets to UDP port 4729 as GSMTAP, user plane packets to UDP port 47290 as IP.



Exit the application with Ctrl+C.



Please see the [wiki page for advanced options](https://github.com/fgsect/scat/wiki/Advanced-Options).



### Common Options

`-t` option specifies the type of baseband. Following options are available:



* `-t qc`: Qualcomm

* `-t sec`: Samsung

* `-t hisi`: HiSilicon (experimental, only baseband dump is supported)



SCAT version up to 1.1.0 required specifying the Samsung baseband type manually using `-m`.

As SCAT now autodetects the Samsung baseband type, for SCAT 1.2.0 and above this option is only required when analyzing the raw SDM file without start response.



### USB

Accessing the baseband diagnostics via USB:



```

$ scat -t qc -u -a 001:010 -i 2

$ scat -t sec -u -a 001:010 -i 2

```



Although there are small heuristic to determine the connected device, it is recommended to explicitly specify the USB device address and interface number of diagnostics node.

`-a 001:010` specifies the address, which follows the same syntax visible in `lsusb` command.

`-i 2` specifies the interface number of the diagnostic node, which is again device specific.



Samsung devices require a correct magic number to be supplied to start the diagnostic session through USB.

Please see [Issue #27](https://github.com/fgsect/scat/issues/27#issuecomment-1416233282) for more information on this.



### Serial

Accessing the baseband diagnostics via serial port:



`$ scat -t qc -s /dev/ttyUSB0`



Replace `/dev/ttyUSB0` to what is your diagnostic device.



### Dump

Parsing the baseband dump file:



```

$ scat -t qc -d test.qmdl

$ scat -t sec -d test.sdm

$ scat -t hisi -d test.lpd

```



### Tested Devices



Please see the [wiki page](https://github.com/fgsect/scat/wiki/Devices).



## Known Bugs



Issues related to exposing the diagnostics port via USB is out of scope.



* On certain Qualcomm devices, after exiting and launching the application for

  more than once, initialization eventually hangs and no messages are appearing.

  Root cause still in investigation. Solution: reboot the smartphone.

  

## Chat



* [Matrix](https://matrix.to/#/#scat-users:tchncs.de)

* [Telegram Bridge](https://t.me/scat_users)



The canonical address is the Matrix chat room. Telegram is only provided as a bridge and exists only for your convenience. In case of abuse I may close down the Telegram bridge.



Rules:



* The `--start-magic` related to the [Issue #27](https://github.com/fgsect/scat/issues/27#issuecomment-1416233282) should not be discussed in the public.

* Please respect the rules of [tchncs.de](https://tchncs.de/matrix) where the chat room is hosted.

* Please be nice to each others, and do not push anyone regarding the ETA of any feature of bugfix.

* SCAT is not a part of KDE project, but I personally recommend [KDE's code of conduct](https://kde.org/code-of-conduct/).



## License



SCAT is free software; you can redistribute it and/or modify it under the terms

of the GNU General Public License as published by the Free Software Foundation;

either version 2 of the License, or (at your option) any later version.



THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS

FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.



## References

We are kindly asking any academic works utilizing and/or incorporating this

software to cite one of these references listed below:



* Byeongdo Hong, Shinjo Park, Hongil Kim, Dongkwan Kim, Hyunwook Hong, Hyunwoo

  Choi, Jean-Pierre Seifert, Sung-Ju Lee, Yongdae Kim. **Peeking over the

  Cellular Walled Gardens - A Method for Closed Network Diagnosis -**. IEEE

  Transactions on Mobile Computing, February 2018.



Thanks to Christian Oschwald and Willem Hengeveld from GSMK for their support

on Samsung SDM parser.