CBRS Pi, Killer Applications

For more than a year, I have been studying for the CWAP exam. As many of you know, CWAP digs into the protocol with tools for frame captures and spectrum analysis. While reading the CWAP book, I started to wonder how we could capture the same kind of information in the CBRS band, 3.55-3.7 GHz.

CWAP-404: Certified Wireless Analysis Professional: Study and Reference Guide, by Tom Carpenter (Kindle edition, Amazon.com)

Expanding on my ideas for building my own WLAN Pi Pro and then adding a CBRS radio, I decided I needed some additional tools to better understand how a CBRS client works. Here are three tools that can be installed on the CBRS Pi which I have found beneficial when building CBRS networks.

QCSuper

My first killer app, which provides signaling information for LTE networks, is called QCSuper. It requires a Qualcomm modem; since mine is a Qualcomm Snapdragon X55, the tool works amazingly well. It provides layer 3 packet captures of the air interface.

LTE/5G hides a lot of the control and signaling traffic from the client, just as a Wifi card has to be in Monitor Mode to capture Management, Control, and Data frames. You can run Wireshark or TShark on the WWAN interface of the CBRS Pi, but it will only capture layer 3 and above; it doesn’t capture any of the signaling data. You can’t put these modems into Monitor Mode like a Wifi network card, so the signaling information is effectively hidden from you. QCSuper with a Qualcomm modem solves that.

Qualcomm drivers expose a diagnostics monitoring port that QCSuper uses to capture packets from the air interface. A great post explaining the details, including a sample pcap file, can be found here:

https://labs.p1sec.com/2019/07/09/presenting-qcsuper-a-tool-for-capturing-your-2g-3g-4g-air-traffic-on-qualcomm-based-phones/

QCSuper requires root access, and since we have root control over the CBRS Pi this isn’t an issue. You can run it on a rooted Android device with ADB that has a Qualcomm modem built in, or with a USB modem. Since the Snapdragon X55 in the CBRS Pi is attached over USB, this tool works well. The GitHub repository can be found here:

https://github.com/P1sec/QCSuper

To make sense of this information, you need a deeper understanding of LTE protocols. In-depth details about the signaling information, written for a Wifi engineering background, can be found in these three Aruba Networks white papers:

https://www.arubanetworks.com/assets/wp/WP_CBRS-The-Radio.pdf

https://www.arubanetworks.com/assets/wp/WP_CBRS-Signaling-and-Control.pdf

https://www.arubanetworks.com/assets/wp/WP_CBRS-LTE-Technology-for-the-Enterprise.pdf

Once you have the application installed, you just have to run a script and it will capture traffic to a pcap file, or stream it live into Wireshark if you have the desktop installed on your Pi.

$ cd qcsuper

$ sudo ./qcsuper.py --usb-modem /dev/ttyUSB5 --pcap-dump /tmp/my_pcap.pcap --include-ip-traffic --decrypt-nas --reassemble-sibs

$ sudo ./qcsuper.py --usb-modem /dev/ttyUSB5 --wireshark-live

$ sudo ./qcsuper.py --usb-modem /dev/ttyUSB5 --info

If the modem’s USB serial interface does not show up in the /dev folder but the modem does appear in lsusb with a device number (mine is 5, but it wasn’t showing in /dev), you need to recreate the device node every time the device reboots. ttyUSB nodes are character devices with the usbserial major number 188, and the minor number must match the ttyUSB index:

$ sudo mknod /dev/ttyUSB5 c 188 5

$ ls -l /dev/ttyUSB5
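The device-node step above is easy to get subtly wrong (a node with the right name but the wrong minor number silently points at a different port, and a node for a port the kernel never registered opens nothing). The following is an added example, not code from the post or from QCSuper, that checks an existing /dev/ttyUSB node against the expected major/minor pair, confirms the kernel actually registered the port under /sys/class/tty, and only then creates the node. The major number 188 is the Linux usbserial major; the stat/mknod/exists parameters exist so the logic can be exercised without root.

```python
import os
import stat

# Linux usb-serial character devices (/dev/ttyUSB<n>) carry major 188 and minor <n>.
USB_SERIAL_MAJOR = 188


def expected_rdev(index):
    """Device number a correct /dev/ttyUSB<index> node must carry."""
    return os.makedev(USB_SERIAL_MAJOR, index)


def mknod_command(index):
    """The mknod invocation equivalent to what ensure_node() does, for running by hand."""
    return ["mknod", f"/dev/ttyUSB{index}", "c", str(USB_SERIAL_MAJOR), str(index)]


def kernel_registered(index, exists_fn=os.path.exists):
    """True when the kernel has bound a usb-serial driver to this port.

    If this is False, creating the node with mknod will not help: the node would
    name a device the kernel does not have, and opening it fails. In that case the
    fix is on the driver side (dmesg / lsusb), not in /dev.
    """
    return exists_fn(f"/sys/class/tty/ttyUSB{index}")


def check_node(path, index, stat_fn=os.stat):
    """Classify a node as 'ok', 'missing', 'wrong-type' or 'wrong-number'."""
    try:
        st = stat_fn(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISCHR(st.st_mode):
        return "wrong-type"
    if st.st_rdev != expected_rdev(index):
        # e.g. a node made with "mknod /dev/ttyUSB5 c 188 0" would point at ttyUSB0
        return "wrong-number"
    return "ok"


def ensure_node(index, stat_fn=os.stat, mknod_fn=os.mknod, exists_fn=os.path.exists):
    """Create /dev/ttyUSB<index> if it is missing; refuse to touch a node that is wrong."""
    path = f"/dev/ttyUSB{index}"
    if not kernel_registered(index, exists_fn):
        raise RuntimeError(f"kernel has not registered ttyUSB{index}; mknod cannot help")
    state = check_node(path, index, stat_fn)
    if state == "ok":
        return "ok"
    if state != "missing":
        raise RuntimeError(f"{path} exists but is {state}; remove it and re-run")
    # 0o660 matches the usual udev permissions for serial ports; os.mknod needs root.
    mknod_fn(path, stat.S_IFCHR | 0o660, expected_rdev(index))
    return "created"


if __name__ == "__main__":
    import sys

    idx = int(sys.argv[1]) if len(sys.argv) > 1 else 5
    print("equivalent shell command:", " ".join(mknod_command(idx)))
    print(ensure_node(idx))
```

Run it as root with the ttyUSB index as the only argument. If it reports that the kernel has not registered the port, the lsusb device number is not the ttyUSB index; the number you need comes from the kernel log when the option/qmi_wwan driver binds to the modem.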

Once you run the QCSuper script, the command above stores the capture in the /tmp folder. You can then transfer the pcap to your laptop with SCP and open it there (substitute your own user and the Pi’s address):

$ scp <user>@<cbrs-pi-address>:/tmp/my_pcap.pcap .

The types of traffic you can capture, as that article explains, are Broadcast Control (BCCH), Paging Control (PCCH), Common Control (CCCH), Dedicated Control (DCCH), and Dedicated Traffic (DTCH):

  • Signaling Channels which are broadcast to every mobile in the area in the downlink direction only:
    • BCCH (Broadcast Control CHannel): used by the antenna to broadcast its general characteristics (which operator it belongs to, which frequencies it supports, which area it is located in, etc.) in predefined chunks called SIBs (System information blocks)
    • PCCH (Paging Control CHannel): used by the antenna for telling an idle mobile to wake up and establish a new channel (because it receives an SMS or call for example)
  • Signaling Channels which are exchanged between one mobile and one antenna:
    • CCCH (Common Control CHannel): used to request dedicated radio resources to exchange more signaling (unencrypted)
    • DCCH (Dedicated Control CHannel): all signaling after that (unencrypted then encrypted)
  • Data traffic Channel
    • DTCH (Dedicated Traffic CHannel): all your data + telephony (it is commonly encrypted – except emergency calls)

Public LTE networks use Frequency Division Duplex (FDD), where dedicated channels of spectrum are used for different types of traffic such as uplink and downlink; OFDMA then divides the channel into uplink, downlink, control, and so on. CBRS, on the other hand, uses Time Division Duplex (TDD), where traffic is sent on the same spectrum channel and the directions are separated by timing. These channels (BCCH, PCCH, CCCH, DCCH, DTCH) are sent according to a time schedule instead of on a dedicated frequency channel. This is what allows CBRS to operate with so little spectrum.

CaribouLite SDR

My next two killer applications for my CBRS Pi came from a recent post on LinkedIn. It opened my eyes to an issue with CBRS that can arise as people begin to build other CBRS networks next door to mine: timing is key to the networks coexisting. In that post, the author mentioned a device that has a spectrum analyzer and PLMN scanner, so I’m going to explore whether this is possible with my device.
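The TDD paragraph above explains that CBRS sends uplink and downlink on the same channel separated only by timing, and this paragraph notes that timing is what makes neighboring CBRS networks coexist. The following is an added example, not code from the post, that makes the two points concrete: it encodes the standard LTE TDD uplink/downlink configurations (3GPP TS 36.211, Table 4.2-2), shows how many subframes each direction gets, and counts the subframes in which two neighboring networks would be transmitting in opposite directions. The two-network model is my simplification: it treats the special subframe as neither direction and only models frame offsets in whole subframes.

```python
# LTE TDD uplink/downlink configurations (3GPP TS 36.211, Table 4.2-2).
# One letter per 1 ms subframe of a 10 ms radio frame:
# D = downlink, U = uplink, S = special (downlink pilot, guard period, uplink pilot).
TDD_CONFIGS = {
    0: "DSUUUDSUUU",
    1: "DSUUDDSUUD",
    2: "DSUDDDSUDD",
    3: "DSUUUDDDDD",
    4: "DSUUDDDDDD",
    5: "DSUDDDDDDD",
    6: "DSUUUDSUUD",
}


def direction_split(config):
    """How many of the 10 subframes per frame go to each direction for a configuration."""
    pattern = TDD_CONFIGS[config]
    return {d: pattern.count(d) for d in "DUS"}


def subframe_conflicts(config_a, config_b, offset_b=0):
    """Subframe indices (in A's frame timing) where A and B transmit in opposite directions.

    offset_b is how many subframes later B's frame starts than A's. A 'D' on one
    network while the other is in 'U' means one base station is transmitting while
    the other is listening for its clients, which is the cross-link interference
    case that makes timing alignment matter between neighboring CBRS networks.
    The special subframe is treated as neither direction (a simplification).
    """
    a = TDD_CONFIGS[config_a]
    b = TDD_CONFIGS[config_b]
    return [n for n in range(10) if {a[n], b[(n - offset_b) % 10]} == {"D", "U"}]


def coexistence_report(config_a, config_b, offset_b=0):
    """Summarize how well two neighbors' TDD schedules line up."""
    clashes = subframe_conflicts(config_a, config_b, offset_b)
    return {
        "conflicting_subframes": clashes,
        "fraction_of_frame": len(clashes) / 10,
        "aligned": not clashes,
    }


if __name__ == "__main__":
    print("config 2 split:", direction_split(2))
    # Same configuration, frame-aligned: no cross-link subframes.
    print("2 vs 2, aligned:", coexistence_report(2, 2))
    # Same configuration, but one neighbor's frame starts one subframe late.
    print("2 vs 2, offset 1:", coexistence_report(2, 2, offset_b=1))
    # Different configurations, frame-aligned: still clashes.
    print("2 vs 1, aligned:", coexistence_report(2, 1))
```

The takeaway is that sharing a channel works only when neighbors agree on both the configuration and the frame timing; a one-subframe slip between two otherwise identical networks produces the same number of clashing subframes as running different configurations, which is why the PLMN/PCI scanner the LinkedIn post describes was useful for diagnosing the problem.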

These two killer applications require an additional piece of hardware, a Software Defined Radio or SDR. I’m currently awaiting delivery of that piece of hardware and will create an additional post once I get that working.

For around $138, you can purchase an SDR that sits on top of the Raspberry Pi GPIO header. It’s called the CaribouLite SDR. The project recently reached its funding goal and is shipping in May. The CaribouLite covers 30 MHz-6 GHz. It is the size of a Pi Zero and can be used with any Raspberry Pi that has a GPIO header. There are lots of other SDRs, but I’m interested in this one because it operates as a Pi HAT.

My ideas include building a spectrum analyzer with SDR++ (SDRPlusPlus) or one of the many other GitHub-hosted SpecAn apps. The device would be able to show layer 1 information for technologies across the spectrum: our regular 2.4 GHz and 5 GHz spectrum, plus 3.55-3.7 GHz for CBRS, 6 GHz for Wifi 6E, or the IoT bands.

I’m also looking into using this SDR to monitor neighboring PLMN codes to scan for other LTE/5G networks. PLMN or PCI scanners look for the network names that LTE/5G cells broadcast. Some Android phones can show a list of this information. That LinkedIn post used a PCI scanner to discover and fix a timing issue with neighboring CBRS networks. The device lists the neighboring PLMNs and signal strengths it can see, similar to a Wifi scanner that lists the neighboring Wifi networks.

I’m debating building this device separately from my CBRS Pi to reduce its size. A Pi Zero 2 and the CaribouLite together would make a small device that is more mobile with a small external battery. If I can get a SpecAn and a PLMN scanner that load in a webpage, the device could be plugged into a mobile device and opened in a browser.
