SCAT: Signaling Collection and Analysis Tool
This application parses diagnostic messages of Qualcomm and Samsung basebands through USB, and generates a stream of GSMTAP packets containing cellular control plane messages.
Only tested on Linux, mostly various versions of Ubuntu. Python 3 is a minimum requirement, and the following external modules are required:
To properly decode GSMTAP packets generated by SCAT, Wireshark 2.6.0 or above is required. For older Wireshark releases, we are providing a Wireshark Lua plugin to extend the GSMTAP dissector. The GSMTAP definition used by SCAT is based on libosmocore 0.11.0.
The cellular device must expose the diagnostic port via USB. This is largely device-dependent and we cannot give a generic solution for all devices. Search the Internet with the keyword `(your device name) qpst` to get the method of exposing the diagnostic port for Qualcomm-based smartphones.
* `*#0808#` in dialer, select any USB mode entry containing `DM`.
* `3197123580` in dialer, password is either `996412`, `776432`, or `0821`.
* `277634#*#` in dialer (TODO: exact location of USB test menu)
* `setprop persist.usb.eng 1`, `setprop sys.usb.config diag,adb`.
While we recommend using USB directly to access the diagnostics port, if your smartphone's diagnostic port is accessible via serial port, using it is also possible. The `qcserial` kernel module does not have the information of the diagnostic port of all Qualcomm-based smartphones, and no such module exists for Samsung-based smartphones.
Accessing the baseband diagnostics via USB:
```
$ scat.py -t qc -u -a 001:010 -i 2
```
The first switch, `-t qc`, defines that we are parsing a Qualcomm baseband. For a Samsung baseband, use `sec` instead of `qc`, and you need to supply the model manually like this example:
```
$ scat.py -t sec -m e333 -u -a 001:006 -i 2
```
Available model types are the following:
* `-m cmc221s`: CMC221S, used in very early Samsung LTE modems/smartphones.
* `-m e303`: Exynos modem 303.
* `-m e333`: Exynos modem 333.
* Other models not listed here: try the `-m e333` option, YMMV.

`-u` specifies that we are accessing the diagnostic device via USB. Although there is a small heuristic to determine the connected device, it is recommended to explicitly specify the USB device address and interface number of the diagnostics node.
* `-a 001:010` specifies the address, which follows the same syntax visible in the `lsusb` command.
* `-i 2` specifies the interface number of the diagnostic node, which is again device specific.
Accessing the baseband diagnostics via serial port:
```
$ scat.py -t qc -s /dev/ttyUSB0
```
Replace `/dev/ttyUSB0` with whatever your diagnostic device is.
By default, SCAT sends packets to 127.0.0.1: control plane packets to UDP port 4729 as GSMTAP, and user plane packets to UDP port 47290 as IP.
Exit the application with Ctrl+C.
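As an added example (not part of SCAT or its README) of consuming that stream without Wireshark, the following Python script binds the default GSMTAP destination 127.0.0.1:4729, parses the fixed 16-byte GSMTAP header as defined in libosmocore's gsmtap.h, and prints the type, sub-type, ARFCN and direction of each control plane message; the embedded sample datagram is constructed, and the type-name table is a subset of libosmocore's GSMTAP_TYPE_* values.

```python
import socket
import struct

# Fixed GSMTAP header from libosmocore gsmtap.h: 16 bytes, hdr_len counted in 32-bit words
GSMTAP_HDR = struct.Struct("!BBBBHbbIBBBB")
GSMTAP_ARFCN_F_UPLINK = 0x4000
GSMTAP_ARFCN_MASK = 0x3FFF
# Subset of libosmocore GSMTAP_TYPE_* values seen in cellular control plane captures
GSMTAP_TYPES = {0x01: "UM", 0x02: "ABIS", 0x0b: "UMTS_RLC_MAC", 0x0c: "UMTS_RRC",
                0x0d: "LTE_RRC", 0x0e: "LTE_MAC", 0x0f: "LTE_MAC_FRAMED",
                0x10: "OSMOCORE_LOG", 0x11: "QC_DIAG", 0x12: "LTE_NAS"}

# Constructed sample: a downlink LTE RRC datagram carrying a placeholder 3-byte payload
SAMPLE_DATAGRAM = GSMTAP_HDR.pack(2, 4, 0x0d, 0, 1850, 0, 0, 0, 5, 0, 0, 0) + b"\x00\x01\x02"

def parse_gsmtap(datagram):
    """Split one UDP datagram into GSMTAP header fields plus the encapsulated PDU."""
    if len(datagram) < GSMTAP_HDR.size:
        raise ValueError("datagram shorter than the 16-byte GSMTAP header")
    (version, hdr_len, gtype, timeslot, arfcn, signal_dbm, snr_db,
     frame_number, sub_type, _antenna, _sub_slot, _res) = GSMTAP_HDR.unpack_from(datagram)
    hdr_bytes = hdr_len * 4
    if hdr_bytes < GSMTAP_HDR.size or hdr_bytes > len(datagram):
        raise ValueError("hdr_len %d does not fit the datagram" % hdr_len)
    return {
        "version": version,
        "type": GSMTAP_TYPES.get(gtype, "unknown(0x%02x)" % gtype),
        "sub_type": sub_type,
        "timeslot": timeslot,
        "arfcn": arfcn & GSMTAP_ARFCN_MASK,            # flag bits sit in the top two bits
        "uplink": bool(arfcn & GSMTAP_ARFCN_F_UPLINK),
        "signal_dbm": signal_dbm,
        "snr_db": snr_db,
        "frame_number": frame_number,
        "payload": datagram[hdr_bytes:],               # what Wireshark's dissector would decode
    }

def summarize(fields):
    """One-line description for a quick sanity check of the stream."""
    return "%s sub=%d %s arfcn=%d fn=%d payload=%d bytes" % (
        fields["type"], fields["sub_type"], "UL" if fields["uplink"] else "DL",
        fields["arfcn"], fields["frame_number"], len(fields["payload"]))

def listen(host="127.0.0.1", port=4729):
    """Bind SCAT's default GSMTAP destination and print each message until Ctrl+C."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    while True:
        datagram, _addr = sock.recvfrom(65535)
        print(summarize(parse_gsmtap(datagram)))
```

Run `listen()` in one terminal while SCAT is sending; a stream that shows only `unknown(...)` types or raises on `hdr_len` indicates the wrong port or a non-GSMTAP sender.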
The destination of the GSMTAP packets can be changed using the `-H 127.0.0.2` switch. For example, this command will send all packets to 127.0.0.2:
```
$ scat.py -t sec -m e333 -u -a 001:006 -i 2 -H 127.0.0.2
```
You may want to use the following commands to be able to easily sort the traffic with Wireshark:
```
ifconfig ethUSB 127.0.0.2 netmask 255.255.255.0 up
sudo route add -net 127.0.0.0 netmask 255.255.255.0 gw 127.0.0.1
```
It is possible to automatically determine the USB bus address from another command's output. The following example is for the Samsung Galaxy S5 Mini:
```
val=$(lsusb | awk '/Samsung/ {print substr($4, 1, length($4)-1)}')
sudo ./scat.py -t sec -m e303 -u -a 001:$val -i 4 -H 127.0.0.2
```
Please see the wiki page.
Issues related to exposing the diagnostics port via USB are out of scope.
SCAT is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
We are kindly asking any academic works utilizing and/or incorporating this software to cite one of these references listed below: