QCSuper: capture raw 2G/3G/4G/5G radio frames
QCSuper
QCSuper is a tool that communicates with Qualcomm-based phones and modems. Among other things, it can capture raw 2G/3G/4G (and, for certain models, 5G) radio frames.
It lets you generate PCAP captures of these frames using either a rooted Android phone, a USB dongle, or an existing capture in another format.
Supported protocols
QCSuper supports capturing a handful of mobile radio protocols. Each captured frame is placed after a GSMTAP header, a standard header (encapsulated in UDP/IP) that identifies the protocol, and the resulting GSMTAP packets are written to a PCAP file that is fully analyzable using Wireshark.
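As an added illustration (not QCSuper's own code), the Python sketch below walks a PCAP of this shape and decodes each GSMTAP header to tally frames by protocol. The raw-IPv4 link type (228), the helper names and the two-record sample capture are assumptions made for the example; the 16-byte header layout and type codes follow libosmocore's gsmtap.h.

```python
import struct
from collections import Counter

GSMTAP_PORT = 4729        # UDP port registered for GSMTAP
LINKTYPE_IPV4 = 228       # assumed for this sample: each record starts at the IPv4 header
# A few payload type codes from libosmocore's gsmtap.h
TYPES = {0x01: "GSM Um", 0x0C: "UMTS RRC", 0x0D: "LTE RRC", 0x12: "LTE NAS"}
HDR = struct.Struct("!BBBBHbbIBBBB")   # 16-byte GSMTAP v2 header, network byte order

def parse_gsmtap(data):
    """Return (header fields, inner radio frame) for one UDP payload."""
    if len(data) < HDR.size:
        raise ValueError("truncated GSMTAP header")
    ver, words, typ, _ts, arfcn, dbm, _snr, fn, sub, *_ = HDR.unpack_from(data)
    hdr_len = words * 4                 # header length is counted in 32-bit words
    if ver != 2 or not HDR.size <= hdr_len <= len(data):
        raise ValueError("unsupported or malformed GSMTAP header")
    fields = {"type": TYPES.get(typ, hex(typ)), "sub_type": sub, "frame_number": fn,
              "arfcn": arfcn & 0x3FFF, "uplink": bool(arfcn & 0x4000), "signal_dbm": dbm}
    return fields, data[hdr_len:]

def iter_gsmtap(pcap):
    """Yield parsed GSMTAP frames from the bytes of a classic PCAP file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if len(pcap) < 24 or endian is None or \
            struct.unpack_from(endian + "I", pcap, 20)[0] != LINKTYPE_IPV4:
        raise ValueError("not a raw-IPv4 PCAP file")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(endian + "I", pcap, off + 8)[0]   # captured length
        pkt, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
        if ihl < 20 or len(pkt) < ihl + 8 or pkt[9] != 17:   # truncated or not UDP
            continue
        if struct.unpack_from("!H", pkt, ihl + 2)[0] == GSMTAP_PORT:
            yield parse_gsmtap(pkt[ihl + 8:])

def sample_pcap():  # constructed two-record capture: dummy payloads, checksums left at 0
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 0xFFFF, LINKTYPE_IPV4)
    for typ, arfcn, body in [(0x0D, 0x4000 | 1850, b"\x00\x01"), (0x12, 1850, b"\x07\x41")]:
        tap = HDR.pack(2, 4, typ, 0, arfcn, -90, 0, 0, 0, 0, 0, 0) + body
        udp = struct.pack("!HHHH", GSMTAP_PORT, GSMTAP_PORT, 8 + len(tap), 0) + tap
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         b"\x7f\x00\x00\x01", b"\x7f\x00\x00\x01") + udp
        out += struct.pack("<IIII", 0, 0, len(ip), len(ip)) + ip
    return out

def summarize(pcap):
    """Count GSMTAP frames per protocol type."""
    return Counter(fields["type"] for fields, _ in iter_gsmtap(pcap))
```

Calling summarize() on the bytes of a capture file gives a quick per-protocol frame count before opening it in Wireshark.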
2G/3G/4G protocols can be broken into a few “layers”: layer 1 is about the digital radio modulation and multiplexing, layer 2 handles things like fragmentation and acknowledgement, and layer 3 carries the actual signalling or user data.
QCSuper most often lets you capture at layer 3, as it is the most practical layer to analyze using Wireshark, it is what the Diag protocol provides natively, and some of the interesting information is found there.
- 2G (GSM): Layer 3 and upwards (RR/…)
- 2.5G (GPRS and EDGE): Layer 2 and upwards (MAC-RLC/…) for data acknowledgements
- 3G (UMTS): Layer 3 and upwards (RRC/…)
  - Additionally, it supports reassembling SIBs (System Information Blocks, the data broadcast to all users) in separate GSMTAP frames, as Wireshark currently can’t do it itself: flag --reassemble-sibs
- 4G (LTE): Layer 3 and upwards (RRC/…)
  - Additionally, it supports putting decrypted NAS messages, which are embedded in encrypted form in RRC packets, in additional frames: flag --decrypt-nas
By default, the IP traffic sent by your device is not included; you see only the signalling frames. You can include the IP traffic you generate using the --include-ip-traffic option (IP being merely the layer 3 for your data traffic in 2G/3G/4G, except that its headers may be compressed (ROHC) and a tiny PPP header may be included).
The data traffic you send uses a different channel from the signalling traffic. This channel is set up through the signalling traffic, so QCSuper should show you all the details relevant to how it is initiated.
Install & Use
Copyright (C) 2024 P1sec