Demodulation of the LTE uplink (destevez.net)
123 points by picture on Feb 18, 2022 | hide | past | favorite | 36 comments


I think it's really sad that there is no readily available LTE wireshark...

I should be able to put any phone into 'monitor mode' and dump all LTE cell data that flows past. And then I should be able to decrypt my own data by getting keys out of my test phone - which should be a thing any phone owner can do through a debug menu.

Why doesn't such tooling exist?


In essence you can build this using a software defined radio, and open source tooling like srsUE/srsRAN to decode the air interface packets [0].

The gotcha is you can't easily decrypt your own "data" over the air, as the keys you need are resident in the SIM card, and can't be extracted (Ki and OPc being the two symmetric keys you need for LTE)

What you can do though is use srsUE to connect to a network as a piece of user equipment through an SDR, and you can connect a real SIM card to your PC using a standard PCSC smartcard reader [1].

If you have a couple of SDRs, you can run your own eNodeB (4G base station) and run your own "mini network". Obviously watch out for spectrum licensing rules, as handsets only work on certain bands, which are probably all licensed out and illegal to use without spectrum licensing. Some options with light/"zero" licensing are emerging - the UK, US, Germany, Sweden and some others have shared spectrum in bands that work for 5G. The open source ecosystem isn't quite there yet, but it's not a million miles away.

This should get you towards an "LTE wireshark" as you were looking for.

[0] https://docs.srsran.com/en/latest/usermanuals/source/srsue/s...

[1] https://docs.srsran.com/en/latest/usermanuals/source/srsue/s...


It's too bad srsRAN doesn't support TDMA (yet). LTE band 42 and the 9 cm amateur radio band overlap, so it would be legal for hams to run LTE/5G nodes.

Having your phone being your first ham radio might be a great way to get younger folks into the hobby.


Yeah, once TDD is implemented, things will get interesting for sure - also the CBRS band will open up opportunities for much lower cost radio devices that can have some "serious" range (i.e. small neighbourhood scale WiFi AP) - maybe we'll see that new generation get into ham, and also learning more about networking and launch their own metro-net ISPs?

One minor thing - hams would need to be careful that they can run LTE/5G "out of the box", given most setups use an encrypted layer to the base station. You can turn that down to zero confidentiality (EEA0) while still using integrity checking (EIA>0), but I am not sure if that's a particularly well-supported mode of operation.


I believe you can also satisfy the encryption requirement by publishing the keys, fwiw


There's also the 13cm band (2300-2450MHz) that overlaps in part or fully with TDD-LTE Band 40 and FDD-LTE Band 30.

North Americans also have the 902-928MHz 33cm band, but that lacks the paired spectrum above it, so FDD-LTE or GSM are not possible. And I don't think there's a widely supported TDD-LTE spec for it.


Thanks for pointing out band 40. Apparently it's just used in China, but it is supported on the iPhone 13.

Band 30 is a no-go because the downlink is at 2350 to 2360 MHz, which is not a ham band. The ham band is split because of satellite radio. It's 2300 to 2310 and 2390 to 2450 MHz.


Band 38 is the one most 2.4 GHz WiFi-covering half-duplex SDRs can handle, at least if modified/adjusted with a local oscillator quartz suitable for LTE. It's an ugly fraction to synthesize with a fractional PLL to LTE specs of local-oscillator quality.

Yeah, it's not ham, but low power levels and RF-shielding-cages should suffice to keep radiated emissions far below interfering levels.

It's also surprisingly well supported, at least on non-US handsets, from when I researched it a bit a few months before the first wave hit and blocked collaborative hardware hacking.


The 13cm band is a bit of a mess globally. Here in Finland it's still the full 2300-2450MHz. But in 2300-2320MHz it is shared with lightly licensed "private LTE". Hop over to Sweden and it's 2400-2450MHz only, with a power limit under a watt.

And in the USA it's that punctured mess; isn't there also AT&T running Band 30 FDD-LTE? Years back, when I was searching for LTE phones with Band 30 for ham LTE use, I only found AT&T carrier-locked stuff from the USA.


Basebands are very much still closed, proprietary, mostly black boxes, with DMA access to your phone. Such a thing doesn't exist because it's not in test equipment suppliers' interests to undercut their existing market so thoroughly, where they'd rather sell you an analyzer that costs the same as a car. Combined with how patent encumbered LTE is in the US, there's only a slim chance of seeing such a thing.


> with DMA access to your phone.

This is false FUD that keeps being repeated. It's not true. No iPhone ever has had a baseband with DMA access to my knowledge, and modern Qualcomm devices have advanced IOMMU systems to firewall away the baseband from the rest of system memory. I'm sure some phones somewhere existed where the baseband was privileged, but it's not the norm.

Companies like Purism keep repeating this lie (their marketing is outright false) to sell you less secure "free" phones that actually have a larger attack surface for the giant proprietary baseband blob. On the Librem 5, the baseband is connected via USB, and they don't have USB device filtering enabled, so the baseband is exposed to the entire Linux kernel USB device driver attack surface. We know that's full of exploitable vulnerabilities, just ask any USB device developer how many times they've run into a kernel panic by accident. That's much worse than an embedded baseband with a single purpose shared memory interface and proper DMA restrictions.

Please research this stuff before continuing to propagate this myth. It doesn't help users' freedom nor security to have it being parroted over and over again.


That may be true of modern systems, but it was certainly true in the past. I've barely even heard of Librem 5 though. And we have no idea how actually true that is on an iPhone, thanks to Apple being Apple. (There have been limited attempts with limited success at proving this due to its more closed nature, but I'm not willing to just take Apple's word on it.) I also don't agree on the nature of the USB attack surface, but that's a different digression.

Either way, what's relevant to the thread is that the firmware is a closed-source binary blob that we scarcely have access to, so unless someone does the thing to unlock it, we're ~nowhere on a cheap LTE debugger. GNU Radio might have something to say about that, but maybe the hackers out in Shenzhen (where LTE is 'less' patent encumbered) have different/better tools/options that we never hear about.


I believe you, but can you provide a source for the Qualcomm firewall?


https://www.reddit.com/r/CopperheadOS/comments/6wtul0/on_sen...

It's completely standard practice for SoCs to have IOMMUs these days. E.g. the Apple M1 has over a dozen coprocessors doing various things and sharing memory, but only the GPU coprocessor has access to OS memory (because it manages GPU page tables; we're working on figuring out exactly what the risks are with that one). Everything else is firewalled off.

Well, most of them anyway. The one in the Librem 5 does not AIUI.


> Such a thing doesn't exist because it's not in test equipment suppliers interests

Test equipment suppliers are MORE than happy to hand you very expensive test equipment on very expensive leases. They're not the bottleneck.

Such a thing doesn't exist because it's a complex technical problem which requires uncommon system engineering knowledge followed by a complex technical problem which requires uncommon VLSI design knowledge.

All to produce something which then will require an expensive, complicated dance to get certified with the carriers.

However, if you did produce such an open source chip, the Chinese suppliers would definitely jump on it. You just wouldn't make any money.


That's an interesting point. Thinking about the timing, how much of the 5G push is due to LTE patents getting ready to expire?


I'm sure that plays a part, but I think the primary reason for the 5G push is better spectrum utilization. (And marketing is probably a close second.)


There's a new "G" every ten-ish years. Usually there is a lot of hype in the 2 to 3 years before the next G launches, at which point the early release standards are frozen. If equipment has a nominal 5 year replacement span, you deploy early release equipment, then at the half-way point, replace it with newer equipment, while looking for the next "G".

The "G"s are driven by marketing and hype - "5G" is better than "4G" and promises a pile of use-cases that haven't materialised. It's pointless even trying to dispel the hype. 1ms latency was heralded, 10 Gbit throughput, etc etc. You can't really do a round-trip measured to the radio (across just the air interface) yet with 1ms latency, let alone 1ms to anywhere meaningful. I'm reminded of Carmack's famous statement [0] about latency.

ARPU (average revenue per user) is not going up, at least in the European markets I'm aware of. Customers were not willing to pay more for 4G or 5G. In fact, I think many are ending up paying less - I negotiated a better deal this time around than last time around (anecdote, n=1, but far from alone) - competition is tight in a 4-operator market.

I don't think patents are necessarily driving the push - the push comes from operators competing to win churn from rivals. This comes from a race to the bottom on price. As soon as someone has "5G", everyone needs it, whether it's really 5G, or just 4G with the string changed on the screen [1]. "Another G" helps drive sales, and coverage helps drive sales. The operators drive the market, as they own the relationship with the customer. Vendors sell whatever operators want, and try to help them make a more compelling differentiated product (which is a dumb pipe now...) - they have fought over "fastest" and "coverage", now they are fighting over "lowest latency" and "best experience" and "most reliable"...

Ultimately, LTE is going nowhere fast, in my view. It varies by market, but will still be the underlying dominant tech for a few more years - unless you are on T Mobile USA or one of a few other carriers, your 5G is "non-standalone" and fully reliant on the 4G network and radios - the 5G cell is carrier-aggregated in as extra capacity. In early systems, uplink was only over 4G, so the only place the 5G radio was used for was downlink. Therefore I'm not convinced it's really patents that drive this, rather marketing and attempts to differentiate and sell to win over others' churn in a reasonably competitive marketplace with limited barriers to switching, and huge cross/up-sell opportunity when you do win a customer.

[0] https://twitter.com/id_aa_carmack/status/193480622533120001

[1] https://www.xda-developers.com/att-fake-5ge-icon-added-aosp/


I (UK) use 5G for all my internetting. Great speeds but iffy pings for gaming but this isn't a huge deal for me.

I only got it because I had to move house during covid and didn't want to risk having to wait weeks for a connection. However I didn't expect it to be as good as it is. So good that I never bothered with getting fibre. I can also just take my 5G router if I move house again, or use the 5G SIM in my dual SIM phone if I'm travelling.


Yeah - of the 3 use cases heralded for 5G, enhanced mobile broadband (eMBB) is the one that has materialised so far.

The other two (massive machine to machine communications, and ultra reliable low latency communications) were more intended for buzzword-laden visions of robotic surgery and internet of everything.

Neither has really materialised like in the brochure. As you say, the speeds for consumer services are great - likely you'd get similarly good speeds with properly deployed 4G, since it can deliver 1 Gbit in theory with enough carrier aggregation. The new 5G spectrum helps a bit if you're in an urban area.

Nobody is going to use 5G to carry out surgery - you'll need real backhaul for any serious distance to get to the place the doctor is (otherwise they could do the surgery directly or using existing robotic equipment in the room), and if you are relying on backhaul, why not just lay fibre to the robot and avoid the risks. You really don't want a latency spike or jamming attack when operating on someone!

Many of the benefits claimed from massive machine to machine communications will need standalone 5G to come about - then slicing and other industrial facing features will start to emerge.

In the meantime though, you rightly point out that 5G serves as effective competition for fixed line connectivity, and that is no bad thing to stimulate roll-out and give some market price pressure.


We (I work at a network vendor) see a lot of (testing) campus networks with local spectrum licenses (EU and especially in DE). Ultra-low-latency with edge computing is already something you can buy to get down to 2...5ms latency.


Peer to peer LTE/5G at local scales is quite interesting in fact.

Though I LOL'd hard finding out some of the deployments are tactical comms in the US military.


The changes from LTE to 5G/New Radio on the RAN part are small actually. The step from the LTE system architecture to the 5G service-based architecture in the core network function was quite big and enabled a lot of X-as-a-service (read as: move to cloud). Technically you can run a 4G/5G network with a little bit of small-cell RAN and a single VM running your core (read as: I did in a lab scenario).


I’ve used 5G to displace mostly legacy telco circuits at branch locations. About half are just cellular modems screwed into the wall, the other half have an external antenna.

In general, we are at 5x-10x the bandwidth with a minor increase in latency and 80% less $.

For larger offices, we’re looking at it as a backup path for a few use cases.


A bunch of things in newer generations reduced the costs for operators (higher terminal density meant less need to buy up new sites for base stations, etc).

Another part is the gross simplification of many protocol aspects and the moving of the "central office" to the data center. 5G for example AFAIK makes mandatory what has slowly been introduced since UMTS, that is, a full IP telephony stack. It was already pushed hard on LTE but was optional (and later sold to users as VoLTE).

Among other things it allows all phones to easily use "WiFi calling", or connecting anything to the network so long as you can route an IPsec connection to the provider edge. (Does anyone remember the ugly special SMS sending cards full of SIM carriers, used by paid text suppliers?)


Fabrice Bellard (of qemu, ffmpeg, and other projects) wrote a software based LTE base station.

https://bellard.org/lte/

Not quite what you're asking for, but makes it possible to tap/trace the other end which might help depending on your goals.


There are LTE (3GPP) protocols in wireshark. I used it in a live network connecting to small cell (lab scenario).


Absolutely amazing writeup, and I love that he released the work in Jupyter notebook format (which is rendered perfectly by GitHub, no less), which only needs numpy and matplotlib, so basically anyone can dig in and start messing with it with minimal effort.

I wish more SDR projects were documented in this form; it is so much more accessible than GNU Radio or MATLAB etc. based projects (albeit these don't run in realtime, so it is a bit different use case than the GNU Radio ecosystem).


I couldn’t recreate the work of this single page in my entire life. Very cool work.


Not to diminish the very cool work of the author - I'd bet you $1,000,000 you could understand this work with 3 years of dedicated study or 10 years of passionate part-time study.


Software Defined Radio is a pretty steep learning curve. You need to know about RF, digital signal processing, math, software and computers all at the same time.

On the GNU Radio Matrix server, we see Masters and Ph.D. students have a difficult time with at least one of the above all the time.

The most successful SDR hackers usually have a ham radio background.


Dani is definitely smarter than the average bear. Also, I believe English is a second language for him.


Daniel also did a really fun write up decoding data from the JWST.


Very nice example of math in a web page!


I've never read so many words and understood so few of them. This is some really complex stuff, kudos to the author for this deep dive, it clearly took a lot of work.


> This is some really complex stuff

No that's just I and Qs !

(sorry couldn't resist)
