New release: QCSuper v2: Support for Android 13/14 + partial 5G compatibility
Today, we are proud to announce that our QCSuper tool has lately been updated to increase the range of devices supported by the application, as well as implementing partial support for 5G. These changes happened to have us release QCSuper v2.
What is QCSuper?
QCSuper is a tool which enables, for research purposes, to capture the contents of radio communication exchanges between your phone's antenna and your Mobile Operator's radio network (RAN). QCSuper has enabled many telecom, mobile and security researchers to perform an analysis of the radio packets (frames) through saving these to the Packet Capture File format (PCAP, with GSMTAP encapsulation) and enabling to use the great Wireshark tool to conduct analysis and research.
Recent changes in Android and QCSuper
The necessity to increase the range of devices supported by QCSuper has been driven by technical changes in recent Android releases: indeed, the variant of the Android open-source kernel (AOSP) for Qualcomm MSM-based devices has been, beginning with a change introduced in certain 4.14.x kernels (which should be included in part of devices bearing Android 10-11-12 and all devices with Android 13-14), modified to disable by default the diagchar kernel module.
The diagchar Linux kernel module was used to expose the /dev/diag kernel device, which is originally the main way QCSuper communicates with the audited Android device when using the --adb flag which allows to capture the 2G/3G/4G/5G frames going on and off a plugged Qualcomm-based Android phone's baseband plugged to the auditing computer with USB.
From now on, QCSuper will be able to communicate with regular Android phones which have had their sys.config.usb configuration key set to enable the Diag port over pseudo-serial USB communication, even when the /dev/diag device is not present.
It also has been modified to try to auto-enable the Diag-over-USB port on rooted phones when possible.
Additionally, capturing 5G/NR frames is possible on certain 5G-compatible phones since 2022. It has been tested successfully with a Xiaomi Mi Mix 3 5G (SM8150 / Snapdragon 855) device.
Figure: Capturing 5G/NR RRC frames sent and received by a Xiaomi phone using QCSuper and Wireshark.
Supporting 5G in PCAP packet capture files
In order to store 2G, 3G and 4G radio frames into Packet Capture files (PCAPs), the industry has traditionally used the GSMTAP format and protocol layer. But this protocol layer hasn't been adapted yet to support 5G New Radio (5G NR) frames for storage into PCAPs, although a draft for a version 3 of the format exists. We needed to change this. Often, when on the edge of new technologies, you need to update the way things were traditionally done and can’t wait for changes to happen in upstream wireshark, we needed a solution now:
As the GSMTAP protocol (which is produced by QCSuper when outputting captures to the PCAP format) has not been updated for encapsulating 5G/NR frames in a standard manner yet, this is done through automatically and locally installing a Wireshark dissector plugin in your home directory when first running QCSuper.
How to use QCSuper in Diag-over-USB mode from now on?
The following instructions apply to Android 10+ phones with a Qualcomm baseband where the /dev/diag device is not present on the phone:
If your phone has been rooted, QCSuper should automatically mode-switch it through trying to execute the su -c "setprop sys.config.usb diag,adb" command through ADB when run with the usual ./qcsuper.py --adb --wireshark-live flags.
If your phone has already been mode-switched to enable using the Diag interface over ADB, you can also use the ./qcsuper.py –usb-modem auto --wireshark-live flags, which will skip the step of trying to mode-switch the phone automatically to ADB.
With certain phone vendors, there are also ways to enable the Diag-over-USB interface without rooting the phone, which you can often find through Google with searching for your phone model name + "enable usb diag mode" for example.
For the moment, we have successfully captured OTA 5G RRC frames using a Xiaomi Mi Mix 3 5G (Snapdragon 855) device. The ecosystem of 5G Android devices is changing fast.
We would like QCSuper users to confirm to us which other 5G-communicating devices work in QCSuper. Please let us know in GitHub in a new issue: don’t hesitate to upload PCAP and logs to show details.
New release: QCSuper v2, packaging & volunteers
As we are releasing QCSuper version 2, we will be packaging this the application Linux packages first, then attempting to package these into Windows install packages. We don’t know yet when these packages and installer will be available, and are looking for testers (and contributors).
If you are interested in participating in building, testing, giving feedback on Mobile Device compatibility, usage UI / UX feedback, helping support the tool and answering questions, etc… you can contact us at: firstname.lastname@example.org
Extra information about QCSuper
For more detailed usage information, feel free to read back the following general information about QCSuper:
- Usage notice
- How to root my phone?
- How to manually enable the diagnostic ports on my phone?
- Using QCSuper with an USB modem
Downloading and learning about QCSuper
Also feel free to read back our introductory blog post about what QCSuper is and how to use it.
QCSuper v2 release webinar
Finally, we’re going to have a Webinar to present the new QCSuper release (v2). It will happen on Wednesday 13th of March 2024 at 9:00 AM CET and you can register right now > here <.
We want to thank the community for the feedback and creative usage you’ve done of QCSuper. We are eager to expand the community and show to new people how to use this tool for transparency, visibility and research.
We’ll be delighted to have you and will have a Q&A session at the end of the Webinar. See you there and happy testing !