ring0 » blog

Writing Wireshark Plugins

tags: n900, debian, wireshark, lua, phonet, isi 2010-08-26 01:10 by sre

In the last days I finally got some bits out of the Nokia N900’s modem on Debian without any properitary tools. For now it’s just the following information:

manufacturer: "Nokia"
model: "Nokia N900"
revision: "V ICPR82_10w08 25-02-10 RX-51 (c) Nokia"

But the most difficult part is probably done. My next plan was to get the modem connect to a mobile network, which requires an unlocked SIM card. Unfortunately ofono does not yet support SIM cards with PINs. Thus I had to find another way to get out how to perform this task.

I started reverse engineering the properitary sscd, but got annoyed of it pretty fast (it’s lots of work for just a little bit of information). I thought it might be easier to analyze the network traffic, since I know the basic format of these messages anyway. So I installed tcpdump in maemo and added the following event.d rule as /etc/event.d/tcpdump:

description "tcpdump on phonet0"
author "sre"

start on started dbus
stop on stopping dbus

respawn limit 10 1

console output

exec tcpdump -i phonet0 -w /root/phonet.log

This worked at one go and I had a log file with ~300 packages in it (this is the amount of packages generated during maemo’s boot phase). The packages were detected as SLL packages by wireshark. This means there was just one blob of data, thus I deceided to write a plugin for Phonet. After some searching I deceided to use the lua interface, since it looked quite easy. I got hit by one problem while coding the (still very basic) plugin, which needs patching of wireshark (Debian Bug #594390).

Now check the IMHO amazing result:

Note, that the plugin covers only some commands and is far from being complete. It will append all data, which has not been analyzed in an extra field.

Update (12.09.2010 04:21:00 +0200):

As of Revision 34101 Wireshark does support ssl.ltype dissectors, so the patch is not needed with it anymore.

Update (05.10.2010 03:35:00 +0200):

You must add the parameter “-s 0” to the tcpdump call or it will limit the packet size.