
UMA, UMA phones, UMA Analog Telephone Adapters and FemtoCell.

Research
Oct 2, 2012
UMA / GAN

UMA = Unlicensed Mobile Access

GAN = Generic Access Network

Specifications: 3GPP TS 43.318 (GAN stage 2) and TS 44.318 (GAN Up interface, stage 3)

Wikipedia says: Generic Access Network or GAN is a telecommunication system that extends mobile voice, data and IP Multimedia Subsystem/Session Initiation Protocol (IMS/SIP) applications over IP networks. Unlicensed Mobile Access or UMA, is the commercial name used by mobile carriers for external IP access into their core networks.

To keep it simple: on one side, a device connects to the mobile operator over IPsec, authenticating with EAP-SIM. Once the tunnel is up, a session is established over IP/TCP/UMA to the GANC (GAN Controller), also called UNC (UMA Network Controller). On top of that session, GSM Layer 3 messages can be sent.

Here is a list of UMA devices:

UMA phones

For a phone to be UMA enabled, the baseband processor has to talk to the application (media) processor, since signalling is involved, and to the SIM card for the EAP-SIM exchange. It is therefore not just an application.

Here is a list of UMA enabled phones:

  • Blackberry Bold 9700
  • Blackberry Bold 9780
  • Blackberry Pearl 8120
  • Blackberry Curve 8320
  • Blackberry Curve 8520
  • Blackberry Flip 8220
  • Blackberry 8900
  • Blackberry 8820
  • Blackberry 9100
  • Blackberry 9300
  • Blackberry 9700
  • Blackberry 9800
  • HP iPAQ 510
  • LG KE520
  • LG CL400
  • Motorola A910
  • Motorola Z6W
  • Nokia 6086
  • Nokia 6136
  • Nokia 6301
  • Nokia 7510
  • Nokia E73
  • Qisda/BenQ e72
  • Sagem my419x
  • Samsung P180
  • Samsung P200
  • Samsung P220
  • Samsung P250
  • Samsung P260
  • Samsung P270
  • Samsung T336
  • Samsung T339
  • Samsung T409
  • Samsung T707
  • Samsung T739 Katalyst
  • SIMTech N6000
  • T-Mobile (HTC) Shadow 2009

As we can see, many of them are from RIM (BlackBerry). Below is the engineering screen used to configure UMA on a BlackBerry:

UMA Gemalto USB key (Branded as Unik PC)



Host: scsi9 Channel: 00 Id: 00 Lun: 00
  Vendor: Orange   Model: ApplicationDRV   Rev: 1.00
  Type:   CD-ROM                           ANSI  SCSI revision: 00
Host: scsi9 Channel: 00 Id: 00 Lun: 01
  Vendor: Orange   Model: PrivateDRV       Rev: 1.00
  Type:   Direct-Access                    ANSI  SCSI revision: 00
Host: scsi9 Channel: 00 Id: 00 Lun: 02
  Vendor: Orange   Model: PublicDRV        Rev: 1.00
  Type:   Direct-Access                    ANSI  SCSI revision: 00
Host: scsi9 Channel: 00 Id: 00 Lun: 03
  Vendor: Orange   Model: CommunicationDRV Rev: 1.00
  Type:   Direct-Access                    ANSI  SCSI revision: 00

# cat /proc/scsi/usb-storage/9
   Host scsi9: usb-storage
       Vendor: GEMALTO
      Product: Unik PC
Serial Number: A10600000000XXX
     Protocol: Transparent SCSI
    Transport: Bulk
       Quirks: SANE_SENSE

When mounting the filesystem we get 3 partitions: one protected by the SIM PIN, one "COM" partition containing a CD-ROM image, and one "System" partition that is writable.



# mount -o loop -t vfat /dev/sdd /media/
# ls -al
total 128007
drwxr-xr-x  2 root root       512 Jan  1  1970 .
drwxr-xr-x 23 root root      4096 Jan 21 20:00 ..
-rwxr-xr-x  1 root root       512 Apr 23  2009 ANCHORI.CLP
-rwxr-xr-x  1 root root       512 Apr 23  2009 ANCHORO.CLP
-rwxr-xr-x  1 root root        52 Apr 23  2009 AUTORUN.INF
-rwxr-xr-x  1 root root 131072000 Apr 23  2009 CD-ROM.CLP
-rwxr-xr-x  1 root root      1024 Apr 23  2009 MINIEXE.EXE

# file CD-ROM.CLP
CD-ROM.CLP: # ISO 9660 CD-ROM filesystem data 'Unik PC'

# mount -t iso9660 -o loop CD-ROM.CLP /mnt/
# ls /mnt
Aide  UNIK-PC.url  apache  Apps  autorun.inf  backup  cdrom.ver  Check  Help  lang  private  sdongle.conf  sdongle.props  Softphone  Synchro  system  Unik_PC_Startup.exe  usn.cfg

# ls -al /mnt/Softphone
dr-xr-xr-x 1 root root    2048 Sep 16  2009 .
dr-xr-xr-x 1 root root    2048 Sep 16  2009 ..
-r-xr-xr-x 1 root root  942080 Sep 16  2009 ftmvitendotools.dll
-r-xr-xr-x 1 root root     376 Sep 16  2009 gac.ini
-r-xr-xr-x 1 root root 1724416 Sep 16  2009 gdiplus.dll
dr-xr-xr-x 1 root root    2048 Sep 16  2009 KB908002
-r-xr-xr-x 1 root root 2539520 Sep 16  2009 Lang-fre.dll
-r-xr-xr-x 1 root root     804 Sep 16  2009 orange.der
-r-xr-xr-x 1 root root     106 Sep 16  2009 PluginConfig.ini
-r-xr-xr-x 1 root root   81920 Sep 16  2009 PluginQuery.dll
-r-xr-xr-x 1 root root  450560 Sep 16  2009 sdongleEventApi.dll
-r-xr-xr-x 1 root root    1220 Sep 16  2009 softphone_eng.ini
-r-xr-xr-x 1 root root    1221 Sep 16  2009 softphone_fre.ini
-r-xr-xr-x 1 root root 9199616 Sep 16  2009 Unik_PC_Phone.exe
-r-xr-xr-x 1 root root  314887 Sep 16  2009 Unik_PC_PlugInFF.exe
-r-xr-xr-x 1 root root  583692 Sep 16  2009 Unik_PC_PlugInIE.exe
-r-xr-xr-x 1 root root  921884 Sep 16  2009 Unik_PC_PlugInMgr.exe
-r-xr-xr-x 1 root root  444416 Sep 16  2009 Unik_PC_PlugInOLE.exe
-r-xr-xr-x 1 root root 1189376 Sep 16  2009 Unik_PC_PlugInOLE.msi
-r-xr-xr-x 1 root root  430592 Sep 16  2009 Unik_PC_PlugInOLP.exe
-r-xr-xr-x 1 root root 2253312 Sep 16  2009 Unik_PC_PlugInOLP.msi
-r-xr-xr-x 1 root root 1970176 Sep 16  2009 Unik_PC_PlugIns.exe

UMA Analog Telephone Adapters (Sold as Cisco HPort UTA200-tm)

As we can see, the device has 2 Ethernet ports, 1 RJ11 port to plug in a regular analog phone, and a SIM card slot.

The PCB shows that the main SoC is an ADM8668, classically used in the Linksys WRTU54G-TM 1.0.

… more coming …

FemtoCell

Ubiquisys

Some femtocells (Home NodeB, HNB) use UMA as their protocol. The other protocol commonly used on femtos is SCCP/RANAP.

StrongSwan configuration for EAP-SIM as client

A smart card reader is needed to do EAP-SIM with strongSwan. Here is an example ipsec.conf connection definition:



conn sfr
    keyexchange=ikev2
    ike=aes128-sha1-modp1024!
    mobike=no
    left=%any
    leftikeport=4500
    leftid=1(IMSI)@gan.mnc010.mcc208.3gppnetwork.org
    leftauth=eap
    leftsourceip=%cfg
    right=unc1-ch1.fr.sfr.com
    rightikeport=4500
    rightid=@unc1-ch1.fr.sfr.com
    rightca="C=FR, ST=Ile de France, L=Champlan, O=SFR, OU=DGRS, CN=SFR Femto Champlan 1tier CA"
    rightsubnet=172.0.0.0/8
    auto=add

Here is a capture of a femtocell doing its Location Update:

As seen, the packet is of type GA-CSR UPLINK DIRECT TRANSFER. It embeds an L3 GSM message (a Location Updating Request in this case).

I developed a UMA library a while ago and put it on GitHub. It is available here:

http://github.com/key2/libuma

Here is an example of building a UMA packet with it:



struct uma_msg_s *uma_msg;
int i, j;
u_int8_t *titi;

/* GA-RC REGISTER REQUEST, skip indicator 0, protocol discriminator GA-RC */
uma_msg = uma_create_msg(GA_RC_REGISTER_REQUEST, 0, GA_RC);

/* Append the information elements in the order they go on the wire */
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_Mobile_Identity("\x29\x80\x01\x43\x58\x58\x54\x39", 8);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_GAN_Release_Indicator(1);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_GAN_Classmark(7, 1, 1, 0, 0, 0);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_Radio_Identity(0, "\x00\x1b\x67\x00\x93\x87");
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_MS_Radio_Identity(0, "\x00\x1b\x67\x00\x93\x87");
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_GSM_RR_UTRAN_RRC_State(7);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_GERAN_UTRAN_coverage_Indicator(2);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_Registration_indicators(0);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_Location_Area_Identification("\x02\xf8\x11\xff\xfc", 5);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_GAN_Control_Channel_Description(0, 1, 0, 0, 1, 1, 16, 1, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
/* Timers are passed as (MSB, LSB) */
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_TU3906_Timer(0x00, 0x1e);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_TU3920_Timer(0x00, 0x1e);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_TU4001_Timer(0x00, 0x0f);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_TU4003_Timer(0x00, 0x0f);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_Cell_3G_Identity("\x32\x22\x00\x00");

/* Serialise the message into a newly allocated buffer; j receives its length */
j = uma_create_buffer(&titi, uma_msg);

The output looks like this:


00 53 00 10 01 08 29 80 01 43 58 58 54 39 02 01 01 07 02 37 00 03 07 00 00 1b 67 00 93 87 60 07 00 00 1b 67 00 93 87 11 01 07 06 01 02 44 01 00 05 05 02 f8 11 ff fc 0e 06 c4 10 01 1d 00 00 16 02 00 1e 25 02 00 1e 2b 02 00 0f 3c 02 00 0f 49 04 32 22 00 00

On the other side, if we take the same buffer, parse it and print it out:



/* Parse the serialised buffer back into a message and print every IE */
uma_msg = uma_parse_msg(titi, j);
for (i = 0; i < uma_msg->ntlv; i++) {
    tlv_printf(uma_msg->tlv[i]);
}
uma_delete_msg(uma_msg);

Upon execution we get this pretty printed output:


Mobile Identity
------------------------------
data = 29 80 01 43 58 58 54 39
------------------------------
GAN Release Indicator
------------------------------
URI = 01
------------------------------
GAN Classmark
------------------------------
TGA = 07
GC = 01
UC = 01
RRS = 00
PS_HA = 00
GMSI = 00
------------------------------
Radio Identity
------------------------------
type = 00
value = 00 1b 67 00 93 87
------------------------------
MS Radio Identity
------------------------------
type = 00
value = 00 1b 67 00 93 87
------------------------------
GSM RR UTRAN RRC State
------------------------------
GRS = 07
------------------------------
GERAN UTRAN coverage Indicator
------------------------------
CGI = 02
------------------------------
Registration indicators
------------------------------
MPS = 00
------------------------------
Location Area Identification
------------------------------
data = 02 f8 11 ff fc
------------------------------
GAN Control Channel Description
------------------------------
ECMC = 00
NMO = 01
GPRS = 00
DTM = 00
ATT = 01
MSCR = 01
T3212 = 10
RAC = 01
SGSNR = 01
ECMP = 00
RE = 01
PFCFM = 01
_3GECS = 01
PS_HA = 00
ACC8 = 00
ACC9 = 00
ACC10 = 00
ACC11 = 00
ACC12 = 00
ACC13 = 00
ACC14 = 00
ACC15 = 00
ACC0 = 00
ACC1 = 00
ACC2 = 00
ACC3 = 00
ACC4 = 00
ACC5 = 00
ACC6 = 00
ACC7 = 00
------------------------------
TU3906 Timer
------------------------------
MSB = 00
LSB = 1e
------------------------------
TU3920 Timer
------------------------------
MSB = 00
LSB = 1e
------------------------------
TU4001 Timer
------------------------------
MSB = 00
LSB = 0f
------------------------------
TU4003 Timer
------------------------------
MSB = 00
LSB = 0f
------------------------------
Cell 3G Identity
------------------------------
CellID = 32 22 00 00
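The build-and-parse round trip shown above, as an added Python example that is not libuma code: it encodes the same fifteen IEs into the TS 44.318 framing (2-octet length indicator, skip indicator/protocol discriminator, message type, then IEI/length/value triples), checks the result byte for byte against the hex dump printed by uma_create_buffer, and parses it back with the length and bounds checks a dissector or an IDS rule needs before trusting a frame from the network. The IE names follow the page's tlv_printf output and the IEI numbers are read off the dump; the 7-bit/15-bit extension rule for IEI and length octets, the protocol discriminator values and the LAI BCD layout are this example's reading of the spec and should be treated as assumptions.

```python
"""Added example (not libuma code): TS 44.318 UMA/GAN message framing.
IE names follow the page's tlv_printf output. The 7-bit/15-bit extension
rule for IEI and length octets is this example's reading of the spec."""

PD_NAMES = {0: "GA-RC", 1: "GA-CSR", 2: "GA-PSR", 3: "GA-RRC"}  # assumed
GA_RC_REGISTER_REQUEST = 16  # message type 0x10, fourth octet of the dump
IEI_NAMES = {
    1: "Mobile Identity", 2: "GAN Release Indicator", 3: "Radio Identity",
    5: "Location Area Identification", 6: "GERAN UTRAN coverage Indicator",
    7: "GAN Classmark", 14: "GAN Control Channel Description",
    17: "GSM RR UTRAN RRC State", 22: "TU3906 Timer", 37: "TU3920 Timer",
    43: "TU4001 Timer", 60: "TU4003 Timer", 68: "Registration indicators",
    73: "Cell 3G Identity", 96: "MS Radio Identity"}

# Constructed input: the buffer uma_create_buffer() printed above.
FRAME_HEX = (
    "00 53 00 10 01 08 29 80 01 43 58 58 54 39 02 01 01 07 02 37 00 03 07 00 "
    "00 1b 67 00 93 87 60 07 00 00 1b 67 00 93 87 11 01 07 06 01 02 44 01 00 "
    "05 05 02 f8 11 ff fc 0e 06 c4 10 01 1d 00 00 16 02 00 1e 25 02 00 1e 2b "
    "02 00 0f 3c 02 00 0f 49 04 32 22 00 00")
MAC = bytes.fromhex("00 1b 67 00 93 87")
# The IEs the libuma calls above add, in wire order; Classmark and Control
# Channel Description octets are kept exactly as libuma packed them.
REGISTER_REQUEST_IES = [
    (1, bytes.fromhex("29 80 01 43 58 58 54 39")),  # Mobile Identity
    (2, b"\x01"),                                    # GAN Release Indicator
    (7, b"\x37\x00"),                                # GAN Classmark
    (3, b"\x00" + MAC),                              # Radio Identity: type 0 + MAC
    (96, b"\x00" + MAC),                             # MS Radio Identity
    (17, b"\x07"),                                   # GSM RR/UTRAN RRC State
    (6, b"\x02"),                                    # GERAN/UTRAN coverage
    (68, b"\x00"),                                   # Registration indicators
    (5, bytes.fromhex("02 f8 11 ff fc")),            # Location Area Identification
    (14, bytes.fromhex("c4 10 01 1d 00 00")),        # Control Channel Description
    (22, b"\x00\x1e"), (37, b"\x00\x1e"),            # TU3906, TU3920 (MSB, LSB)
    (43, b"\x00\x0f"), (60, b"\x00\x0f"),            # TU4001, TU4003
    (73, bytes.fromhex("32 22 00 00"))]              # Cell 3G Identity

def _encode_tl(n):
    """IEI or length: one octet below 0x80, else two octets with bit 8 set."""
    if n < 0x80:
        return bytes([n])
    if n < 0x8000:
        return bytes([0x80 | (n >> 8), n & 0xFF])
    raise ValueError("field does not fit in 15 bits")

def _decode_tl(buf, pos):
    """Read an IEI or length at pos; return (value, next offset)."""
    if pos >= len(buf):
        raise ValueError("truncated at offset %d" % pos)
    if not buf[pos] & 0x80:
        return buf[pos], pos + 1
    if pos + 1 >= len(buf):
        raise ValueError("truncated extended field at offset %d" % pos)
    return ((buf[pos] & 0x7F) << 8) | buf[pos + 1], pos + 2

def build_message(pd, msg_type, ies):
    """2-octet length indicator, skip indicator/PD, message type, then IEs."""
    body = bytes([pd & 0x0F, msg_type & 0xFF])
    for iei, value in ies:
        body += _encode_tl(iei) + _encode_tl(len(value)) + bytes(value)
    return len(body).to_bytes(2, "big") + body

def parse_message(buf):
    """Return {'pd', 'msg_type', 'ies'}; reject length mismatches and overruns."""
    if len(buf) < 4:
        raise ValueError("frame shorter than the fixed header")
    length = int.from_bytes(buf[:2], "big")
    if length != len(buf) - 2:
        raise ValueError("length indicator %d, payload %d" % (length, len(buf) - 2))
    ies, pos = [], 4
    while pos < len(buf):
        iei, pos = _decode_tl(buf, pos)
        size, pos = _decode_tl(buf, pos)
        if pos + size > len(buf):
            raise ValueError("IE %d claims %d octets, %d left" % (iei, size, len(buf) - pos))
        ies.append((iei, bytes(buf[pos:pos + size])))
        pos += size
    return {"pd": buf[2] & 0x0F, "msg_type": buf[3], "ies": ies}

def decode_lai(value):
    """BCD LAI -> (MCC, MNC, LAC); a 0xF third MNC digit means a 2-digit MNC."""
    if len(value) != 5:
        raise ValueError("LAI must be 5 octets")
    mcc = "%d%d%d" % (value[0] & 0xF, value[0] >> 4, value[1] & 0xF)
    mnc = "%d%d" % (value[2] & 0xF, value[2] >> 4)
    if value[1] >> 4 != 0xF:
        mnc += "%d" % (value[1] >> 4)
    return mcc, mnc, (value[3] << 8) | value[4]

def describe(msg):
    """One line per IE, in the spirit of tlv_printf(), with the LAI decoded."""
    lines = []
    for iei, value in msg["ies"]:
        name = IEI_NAMES.get(iei, "IEI %d" % iei)
        if iei == 5:
            mcc, mnc, lac = decode_lai(value)
            lines.append("%s: MCC %s MNC %s LAC 0x%04x" % (name, mcc, mnc, lac))
        else:
            lines.append("%s: %s" % (name, " ".join("%02x" % b for b in value)))
    return lines
```

Running `describe(parse_message(bytes.fromhex(FRAME_HEX)))` yields one line per IE, and `build_message(0, GA_RC_REGISTER_REQUEST, REGISTER_REQUEST_IES)` reproduces the 85-byte dump exactly. The parser deliberately refuses a frame whose length indicator disagrees with the bytes actually received, or whose IE length runs past the end of the buffer, since those are exactly the cases where a naive TLV walker over network input reads out of bounds.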