efforg / crocodilehunter Goto Github PK

Basically, fingerprint the phy layer. We should ask for more information.

By using a hotpot, etc ...

From some testing I did today, it seems like you get at most 7 queries/day, which isn't ideal.

GPS will often loose it's connection especially in a dense urban environment. One large problem this causes is that all tower readings are held in memory until GPS connects again at which time they are all suddenly added to the database with the current GPS location instead of the correct one. We should figure out a way to have a more stable GPS connection.

when using a USRP Cell_measure.cc crashes every time when it hits here: https://github.com/EFForg/srsLTE/blob/refactor/lib/examples/cell_measurement.cc#L494 this problem does not occur on the bladeRF. Something about this commit EFForg/srsLTE@1182633 seems to have caused the problem.

add field about whether cell is in wigle, and button to check it.

Pcaps generated by srsUE for each crocodile hunter session should be saved to the data directory, perhaps named with their timestamp?

we should be able to add a knew known tower in the web UI

See attached screenshot. Every time I enter a letter in the debug console after the first time, it just prints copies of the spinner.

sqlite3 is really struggling with our threaded architecture!

Sometimes you are in a faraday cage and GPS doesn't work so you should be able to disable it.

Before we start we should get a list of earfcn to scan which are present in the local area, either from Wigle or OpencellID (or both)

It's likely that for both hobbyists and commercial ICs, they won't have even bothered to change a lot of stuff from the defaults that come in the config file. We should check for this.

Based on a call with an LTE researcher, there are different times when we'd want to use each of these values.

The idea is that a CSS's NTP will be off (probably by a few seconds). This was Dave + Jeff's idea. Great test case for some ML.

And see if we want to merge their changes in.

when using a sub par USB cable USB3 is powerful enough to cause radio interference in the SDR. This should be documented.

It's likely that for both hobbyist and commercial ICs, they'll be missing the full range of what a normal IC is capable of. We should put in some checks to see if some of that basic stuff is missing.

We've had a variety of different ideas for doing wider scans:

1. Separate processes to scan all the LTE bands in the background, and update the EARFCN list with anything it finds. (This should take 5-10 minutes.) Alternatively we could do this at the very beginning before we start the scan.
2. Also sometimes scanning outside of the North American specific LTE bands might be a good idea, esp since e.g. outside of consulates or in an international area, phones from there will still be receptive to using non-NA LTE bands.

Based on this paper, it says that one technique for tricking phones using LTE to connecting to a CSS is to exploit the "absolute priority based cell reselection" feature. Basically we'll need to parse SIB 4,5,6, and 7 messages to figure out these frequencies and then scan to see if there's anything on them.

We should look for unusual bandwidth values in some scenarios. Lower (e.g. 5 MHz) is probably an indicator of a homebrew IC.

Specifically, dl-bandwidth that's sent in the MIB.

Via trilateration.

the database path should default to /data/cell_data.db but it should be easy to override if a person wants that.

srsUE frequently crashes while it is running. Crashes seem to happen more when the rig is moving.

Watchdog, webui, and crocodile hunter should have a logging convenience class that they can all call which will take care of appropriately formatting output as well as logging to a file.

Right now we have to debug by changing a const. This sucks, make it a command line argument.

• infobox for map
• clicking enodeb hilights on map
• all antennas by CID with trilat page
• cid details page
• polish details page
• better tables for mobile
• fix padding on map
• distance from nearest tower
• call out new or decaying towers

Some initial steps:

• @ynasser to contact ML researchers we collaborated with in the past
• start saving binary blog pcaps

Also, UW researchers suggested clustering and unsupervised learning, and then an iterative labeling approach.

Once the script finds a tower and writes it to the DB, the original EARFCN list it was searching changes to something completely different. Might be related to EFForg/srsLTE#7.

#17 pointed out that if you don't have a wigle pro account it's not a very useful check. We can add a flag to disable wigle for users who don't have a pro account.

one theory is that a CSS will have a distinct lack of paging messages being sent that a normal enodeb would have. We should look for this.

In EFForg/srsLTE there is a file in the examples directory that measures and decodes sib1 data called cell_measurement.cc. I have modified this to scan an entire band and decode any sib1 packets it finds.
We should further modify it to:

• scan a specific list of EARFCN which we can get from wigle when crocodile hunter starts.
• We also need to add socket communication to cell_measurement.cc so that it can talk to crocodile hunter. This can then replace the call to srsue!

It turns out the rasp pi isn't powerful enough to compile srsLTE. Next step to try and get it working on there is cross-compilation on one of our laptops and then trying to run it on the pi.

I think we need to do this? When I cloned this repo, /srsLTE was empty. I had to delete it, then:

git submodule init
git submodule update

... otherwise running the crocodile hunter python script failed because it was empty.

if one travels to another city or is debugging one might want crocodile hunter data to be a seperate "project" this can create a new folder to store the database and pcap (#6) files in

For eventual analysis of logs from other users we should sync the data to an externally hosted DB and webui for examining. Create an API and a service for this. Syncing should happen in batches assuming internet connections will be unstable.