Mirror/rayhunter
1
0
Fork 0
mirror of https://github.com/EFForg/rayhunter.git synced 2026-05-30 14:59:26 -07:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: Mirror:v0.7.1
Branches Tags
Mirror:main Mirror:fix-roaming-falsepos Mirror:qmdl-gzip Mirror:fix-81-2 Mirror:fix-457 Mirror:fix-81 Mirror:inseego Mirror:no-adb-auth Mirror:auto-fb
Mirror:v0.11.2 Mirror:v0.11.1 Mirror:v0.11.0 Mirror:v0.10.2 Mirror:v0.10.1 Mirror:v0.10.0 Mirror:v0.9.0 Mirror:v0.8.0 Mirror:v0.7.1 Mirror:v0.7.0 Mirror:v0.6.1 Mirror:v0.6.0 Mirror:v0.5.1 Mirror:v0.5.0 Mirror:v0.4.0 Mirror:v0.3.4 Mirror:v0.3.3 Mirror:v0.3.2 Mirror:v0.3.1 Mirror:v0.3.0 Mirror:v0.2.8 Mirror:v0.2.7 Mirror:v0.2.6 Mirror:v0.2.5 Mirror:v0.2.4 Mirror:v0.2.3 Mirror:v0.2.2 Mirror:v0.2.1 Mirror:v0.2.0 Mirror:v0.1.2 Mirror:v0.1.1 Mirror:v0.1.0
...
compare: Mirror:v0.8.0
Branches Tags
Mirror:main Mirror:fix-roaming-falsepos Mirror:qmdl-gzip Mirror:fix-81-2 Mirror:fix-457 Mirror:fix-81 Mirror:inseego Mirror:no-adb-auth Mirror:auto-fb
Mirror:v0.11.2 Mirror:v0.11.1 Mirror:v0.11.0 Mirror:v0.10.2 Mirror:v0.10.1 Mirror:v0.10.0 Mirror:v0.9.0 Mirror:v0.8.0 Mirror:v0.7.1 Mirror:v0.7.0 Mirror:v0.6.1 Mirror:v0.6.0 Mirror:v0.5.1 Mirror:v0.5.0 Mirror:v0.4.0 Mirror:v0.3.4 Mirror:v0.3.3 Mirror:v0.3.2 Mirror:v0.3.1 Mirror:v0.3.0 Mirror:v0.2.8 Mirror:v0.2.7 Mirror:v0.2.6 Mirror:v0.2.5 Mirror:v0.2.4 Mirror:v0.2.3 Mirror:v0.2.2 Mirror:v0.2.1 Mirror:v0.2.0 Mirror:v0.1.2 Mirror:v0.1.1 Mirror:v0.1.0

21 Commits
v0.7.1 ... v0.8.0

Author SHA1 Message Date
Cooper Quintin
e162070a04 bump to version 0.8.0 2025-11-04 12:41:01 -08:00
Markus Unterwaditzer
2e42750b09 Spawn in background, just in case 2025-11-04 11:24:21 -08:00
Markus Unterwaditzer
e375e4587a change openPort to be non-overlapping 2025-11-04 11:24:21 -08:00
Markus Unterwaditzer
2a30e2d709 fix ci to build rootshell if installer changed 2025-11-04 11:24:21 -08:00
Markus Unterwaditzer
fe2b8b3456 TP-Link: Space out HTTP requests a bit, retry connection for sending files 
On firmware M7350(EU)_V9_9.0.2 Build 241021 (but not sooner), entryId=2
was being sent before entryId=1. entryId=2 is invalid if entryId=1 does
not exist yet. The reason it works is due to both requests firing
simultaneously, so sometimes entryId=1 is indeed being registered first.

We may also be hitting random race conditions on the backend, not 100%
sure. Try to alleviate them by sleeping 1 second between started
requests and waiting until the DOM is ready.

Also, on sluggish devices, it can happen that nc is not ready within
100ms. Fixing that with exponential backoff.
 2025-11-04 11:24:21 -08:00
Markus Unterwaditzer
cedfe2d4d7 Update doc/installing-from-release.md 
Co-authored-by: Cooper Quintin <cooperq@users.noreply.github.com>
 2025-11-04 11:22:43 -08:00
Markus Unterwaditzer
22be337f62 rephrase warning msg 2025-11-04 11:22:43 -08:00
Markus Unterwaditzer
6326c5e783 remove old network installer docs 2025-11-04 11:22:43 -08:00
Markus Unterwaditzer
ea5aa6cee2 Make orbic-network the default, update documentation, add deprecation warnings 2025-11-04 11:22:43 -08:00
Markus Unterwaditzer
65d4f22e09 correct port in documentation 2025-11-04 11:22:43 -08:00
Markus Unterwaditzer
450434b4f9 update a broken link 2025-11-03 14:56:59 -08:00
Markus Unterwaditzer
4e93e03e6a Link to CONTRIBUTING.md from issue templates. 2025-11-03 14:56:59 -08:00
Hal Mueller
e416d6e311 Doc spelling and punctuation corrections: 
- standardize on American English spellings (behavior, analyze)
- consistent bullet line end punctuation.
- wifi -> WiFi, usb -> USB where needed.
- some comma and article edits.
 2025-10-27 01:04:41 +01:00
Hal Mueller
0eebe890c1 Noisey -> noisy 2025-10-27 01:04:41 +01:00
Hal Mueller
28c9f44f73 orcas are whales, not fish 2025-10-27 01:04:41 +01:00
dependabot[bot]
85fa73ddd6 Bump vite from 7.1.9 to 7.1.11 in /daemon/web (#666) 
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-10-21 13:13:23 +02:00
bsickler
b8b90268b9 Enhancement: Remove unnecessary component renders for difference screen sizes (#661) 
* adds breakpoint stores to allow selective rendering on screen size

* removes unused type

* formatting
 2025-10-19 04:43:15 +02:00
Adrien Thebo
9e5de4a445 check: add flag help documentation (#662) 2025-10-19 04:09:33 +02:00
Adrien Thebo
643fb802be make: install node deps when node_modules absent (#660) 
* Install node deps via make.sh when absent

* Unconditionally install node modules
 2025-10-19 01:24:44 +02:00
esp323277
93f22172cc Added HTTP GET request to check if uz801 device is online (#648) 
Co-authored-by: Your Name <you@example.com>
Co-authored-by: Markus Unterwaditzer <markus-tarpit+git@unterwaditzer.net>
 2025-10-16 18:54:32 +02:00
John DeGood
d5f2dd9813 update uninstall filenames (#646) 2025-10-13 16:54:04 +02:00
44 changed files with 309 additions and 186 deletions
Expand all files Collapse all files

6
.github/ISSUE_TEMPLATE/bug.yaml vendored
View File

@@ -2,6 +2,12 @@ name: Bug Report
description: File a bug report.
labels: ["bug"]
body:
- type: checkboxes
attributes:
label: Prerequisites
options:
- label: I have read [CONTRIBUTING.md](https://github.com/EFForg/rayhunter/blob/main/CONTRIBUTING.md)
required: true
- type: textarea
attributes:
label: Bug Report Details

6
.github/ISSUE_TEMPLATE/config.yml vendored
View File

@@ -1,8 +1,8 @@
blank_issues_enabled: true
contact_links:
- name: Rayhunter Mattermost
url: https://opensource.eff.org/signup_user_complete/?id=6iqur37ucfrctfswrs14iscobw&md=link&sbr=su
about: If you're having trouble using Rayhunter and aren't sure you've found a bug or request for a new feature, please first try asking for help here. There is a much larger community there of people familiar with the project who will be able to more quickly answer your questions.
- name: Questions and community
url: https://efforg.github.io/rayhunter/support-feedback-community.html
about: If you're having trouble using Rayhunter and aren't sure you've found a bug or request for a new feature, please first try asking for help on GitHub discussions or Mattermost
- name: Rayhunter Security Policy
url: https://github.com/EFForg/rayhunter/security/advisories/new
about: Please report security vulnerabilities here.

6
.github/ISSUE_TEMPLATE/feature.yaml vendored
View File

@@ -2,6 +2,12 @@ name: Feature Request
description: Suggest a new feature or improvement to Rayhunter
labels: ["enhancement"]
body:
- type: checkboxes
attributes:
label: Prerequisites
options:
- label: I have read [CONTRIBUTING.md](https://github.com/EFForg/rayhunter/blob/main/CONTRIBUTING.md)
required: true
- type: textarea
id: problem
attributes:

6
.github/ISSUE_TEMPLATE/installer-bug.yaml vendored
View File

@@ -2,6 +2,12 @@ name: Installer Issue
description: File an bug related to an installer issue.
labels: ["bug", "installer"]
body:
- type: checkboxes
attributes:
label: Prerequisites
options:
- label: I have read [CONTRIBUTING.md](https://github.com/EFForg/rayhunter/blob/main/CONTRIBUTING.md)
required: true
- type: input
attributes:
label: Rayhunter Version

2
.github/workflows/main.yml vendored
View File

@@ -205,7 +205,7 @@ jobs:
if-no-files-found: error
build_rootshell:
if: needs.files_changed.outputs.rootshell_changed != '0'
if: needs.files_changed.outputs.rootshell_changed != '0' || needs.files_changed.outputs.installer_changed != '0'
needs:
- check_and_test
- files_changed

2
CONTRIBUTING.md
View File

@@ -10,7 +10,7 @@ Our issue tracker is [on GitHub](https://github.com/EFForg/rayhunter/issues).
- Issues should be actionable. If you don't have a
specific feature request or bug report, consider [creating a
discussion](https://github.com/EFForg/rayhunter/discussions) instead.
discussion](https://github.com/EFForg/rayhunter/discussions) or [joining our Mattermost](https://efforg.github.io/rayhunter/support-feedback-community.html) instead.
Example of a good bug report:

12
Cargo.lock generated
View File

@@ -1733,7 +1733,7 @@ dependencies = [
[[package]]
name = "installer"
version = "0.7.1"
version = "0.8.0"
dependencies = [
"adb_client",
"aes",
@@ -2772,7 +2772,7 @@ dependencies = [
[[package]]
name = "rayhunter"
version = "0.7.1"
version = "0.8.0"
dependencies = [
"bytes",
"chrono",
@@ -2794,7 +2794,7 @@ dependencies = [
[[package]]
name = "rayhunter-check"
version = "0.7.1"
version = "0.8.0"
dependencies = [
"clap",
"futures",
@@ -2808,7 +2808,7 @@ dependencies = [
[[package]]
name = "rayhunter-daemon"
version = "0.7.1"
version = "0.8.0"
dependencies = [
"anyhow",
"async-trait",
@@ -2954,7 +2954,7 @@ dependencies = [
[[package]]
name = "rootshell"
version = "0.7.1"
version = "0.8.0"
dependencies = [
"nix",
]
@@ -3439,7 +3439,7 @@ checksum = "61c41af27dd6d1e27b1b16b489db798443478cef1f06a660c96db617ba5de3b1"
[[package]]
name = "telcom-parser"
version = "0.7.1"
version = "0.8.0"
dependencies = [
"asn1-codecs",
"asn1-compiler",

2
check/Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "rayhunter-check"
version = "0.7.1"
version = "0.8.0"
edition = "2024"
[dependencies]

10
check/src/main.rs
View File

@@ -16,19 +16,19 @@ use walkdir::WalkDir;
#[derive(Parser, Debug)]
#[command(version, about)]
struct Args {
#[arg(short = 'p', long)]
#[arg(short = 'p', long, help = "A file or directory of packet captures")]
path: PathBuf,
#[arg(short = 'P', long)]
#[arg(short = 'P', long, help = "Convert qmdl files to pcap before analysis")]
pcapify: bool,
#[arg(long)]
#[arg(long, help = "Show why some packets were skipped during analysis")]
show_skipped: bool,
#[arg(short, long)]
#[arg(short, long, help = "Only print warnings/errors to stdout")]
quiet: bool,
#[arg(short, long)]
#[arg(short, long, help = "Show debug messages")]
debug: bool,
}

2
daemon/Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "rayhunter-daemon"
version = "0.7.1"
version = "0.8.0"
edition = "2024"
rust-version = "1.88.0"

8
daemon/web/package-lock.json generated
View File

@@ -26,7 +26,7 @@
"tailwindcss": "^3.4.9",
"typescript": "^5.0.0",
"typescript-eslint": "^8.0.0",
"vite": "^7.1.9",
"vite": "^7.1.11",
"vitest": "^3.2.4"
}
},
@@ -4737,9 +4737,9 @@
"license": "MIT"
},
"node_modules/vite": {
"version": "7.1.9",
"resolved": "https://registry.npmjs.org/vite/-/vite-7.1.9.tgz",
"integrity": "sha512-4nVGliEpxmhCL8DslSAUdxlB6+SMrhB0a1v5ijlh1xB1nEPuy1mxaHxysVucLHuWryAxLWg6a5ei+U4TLn/rFg==",
"version": "7.1.11",
"resolved": "https://registry.npmjs.org/vite/-/vite-7.1.11.tgz",
"integrity": "sha512-uzcxnSDVjAopEUjljkWh8EIrg6tlzrjFUfMcR1EVsRDGwf/ccef0qQPRyOrROwhrTDaApueq+ja+KLPlzR/zdg==",
"dev": true,
"license": "MIT",
"dependencies": {

2
daemon/web/package.json
View File

@@ -33,7 +33,7 @@
"tailwindcss": "^3.4.9",
"typescript": "^5.0.0",
"typescript-eslint": "^8.0.0",
"vite": "^7.1.9",
"vite": "^7.1.11",
"vitest": "^3.2.4"
}
}

2
daemon/web/src/lib/components/ConfigForm.svelte
View File

@@ -266,7 +266,7 @@
class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded"
/>
<label for="test_analyzer" class="ml-2 block text-sm text-gray-700">
Test Heuristic (noisey!)
Test Heuristic (noisy!)
</label>
</div>
</div>

50
daemon/web/src/lib/components/ManifestTable.svelte
View File

@@ -1,6 +1,7 @@
<script lang="ts">
import { ManifestEntry } from '$lib/manifest.svelte';
import { AnalysisManager } from '$lib/analysisManager.svelte';
import { screenIsLgUp } from '$lib/stores/breakpoint';
import TableRow from './ManifestTableRow.svelte';
import Card from './ManifestCard.svelte';
interface Props {
@@ -12,27 +13,30 @@
</script>
<!--For larger screens we use a table-->
<table class="hidden table-auto text-left lg:table">
<thead>
<tr class="bg-gray-100 drop-shadow">
<th class="p-2" scope="col">ID</th>
<th class="p-2" scope="col">Started</th>
<th class="p-2" scope="col">Last Message</th>
<th class="p-2" scope="col">Size</th>
<th class="p-2" scope="col">Download</th>
<th class="p-2" scope="col">Analysis</th>
<th class="p-2" scope="col"></th>
</tr>
</thead>
<tbody>
{#each entries as entry, i}
<TableRow {entry} current={false} {i} {manager} />
{#if $screenIsLgUp}
<table class="table-auto text-left table">
<thead>
<tr class="bg-gray-100 drop-shadow">
<th class="p-2" scope="col">ID</th>
<th class="p-2" scope="col">Started</th>
<th class="p-2" scope="col">Last Message</th>
<th class="p-2" scope="col">Size</th>
<th class="p-2" scope="col">Download</th>
<th class="p-2" scope="col">Analysis</th>
<th class="p-2" scope="col"></th>
</tr>
</thead>
<tbody>
{#each entries as entry, i}
<TableRow {entry} current={false} {i} {manager} />
{/each}
</tbody>
</table>
{:else}
<!--For smaller screens we use cards-->
<div class="flex flex-col gap-4">
{#each entries as entry}
<Card {entry} current={false} {server_is_recording} {manager} />
{/each}
</tbody>
</table>
<!--For smaller screens we use cards-->
<div class="lg:hidden flex flex-col gap-4">
{#each entries as entry}
<Card {entry} current={false} {server_is_recording} {manager} />
{/each}
</div>
</div>
{/if}

29
daemon/web/src/lib/stores/breakpoint.ts Normal file
View File

@@ -0,0 +1,29 @@
// stores/breakpoint.ts
import { readable, type Readable } from 'svelte/store';
import { breakpoints } from '../../theme';
type Breakpoint = keyof typeof breakpoints;
// Store that tracks if a specific breakpoint matches
export function createBreakpointStore(breakpoint: Breakpoint): Readable<boolean> {
return readable<boolean>(false, (set) => {
const width = breakpoints[breakpoint];
const mediaQuery = window.matchMedia(`(min-width: ${width})`);
// Set initial value
set(mediaQuery.matches);
// Update on change
const handler = (e: MediaQueryListEvent) => set(e.matches);
mediaQuery.addEventListener('change', handler);
// Cleanup
return () => mediaQuery.removeEventListener('change', handler);
});
}
// Create stores for each breakpoint
export const screenIsSmUp: Readable<boolean> = createBreakpointStore('sm');
export const screenIsMdUp: Readable<boolean> = createBreakpointStore('md');
export const screenIsLgUp: Readable<boolean> = createBreakpointStore('lg');
export const screenIsXlUp: Readable<boolean> = createBreakpointStore('xl');

11
daemon/web/src/theme.ts Normal file
View File

@@ -0,0 +1,11 @@
/** These are the default Tailwind CSS breakpoints.
* We're defining them here so they can be referenced
* programmatically in other parts of the application.
*/
export const breakpoints = {
sm: '640px',
md: '768px',
lg: '1024px',
xl: '1280px',
'2xl': '1536px',
} as const;

2
daemon/web/tailwind.config.ts
View File

@@ -1,4 +1,5 @@
import type { Config } from 'tailwindcss';
import { breakpoints } from './src/theme';
export default {
content: ['./src/**/*.{html,js,svelte,ts}'],
@@ -10,6 +11,7 @@ export default {
'rayhunter-dark-blue': '#3f3da0',
'rayhunter-green': '#94ea18',
},
screens: breakpoints,
},
},

14
doc/configuration.md
View File

@@ -7,17 +7,17 @@ Rayhunter can be configured through web user interface or by editing `/data/rayh
Through web UI you can set:
- **Device UI Level**, which defines what Rayhunter shows on device's built-in screen. *Device UI Level* could be:
- *Invisible mode*: Rayhunter does not show anything on the built-in screen
- *Subtle mode (colored line)*: Rayhunter shows green line if there are no warnings, red line if there are warnings (warnings could be checked through web UI) and white line if Rayhunter is not recording
- *Demo mode (orca gif)*, which shows image of orca fish *and* colored line
- *Subtle mode (colored line)*: Rayhunter shows green line if there are no warnings, red line if there are warnings (warnings could be checked through web UI) and white line if Rayhunter is not recording.
- *Demo mode (orca gif)*, which shows image of orcas *and* colored line.
- *EFF logo*, which shows EFF logo and *and* colored line.
- **Device Input Mode**, which defines behaviour of built-in power button of the device. *Device Input Mode* could be:
- *Disable button control*: built-in power button of the device is not used by Rayhunter;
- *Double-tap power button to start/stop recording*: double clicking on a built-in power button of the device stops and immediately restarts the recording. This could be useful if Rayhunter's heuristichs is triggered and you get the red line, and you want to "reset" the past warnings. Normally you can do that through web UI, but sometimes it is easier to double tap on power button.
- **Device Input Mode**, which defines behavior of built-in power button of the device. *Device Input Mode* could be:
- *Disable button control*: built-in power button of the device is not used by Rayhunter.
- *Double-tap power button to start/stop recording*: double clicking on a built-in power button of the device stops and immediately restarts the recording. This could be useful if Rayhunter's heuristics is triggered and you get the red line, and you want to "reset" the past warnings. Normally you can do that through web UI, but sometimes it is easier to double tap on power button.
- **Colorblind Mode** enables color blind mode (blue line is shown instead of green line, red line remains red). Please note that this does not cover all types of color blindness, but switching green to blue should be about enough to differentiate the color change for most types of color blindness.
- **ntfy URL**, which allows setting a [ntfy](https://ntfy.sh/) URL to which notifications of new detections will be sent. The topic should be unique to your device, e.g., `https://ntfy.sh/rayhunter_notifications_ba9di7ie` or `https://myserver.example.com/rayhunter_notifications_ba9di7ie`. The ntfy Android and iOS apps can then be used to receive notifications. More information can be found in the [ntfy docs](https://docs.ntfy.sh/).
- **Enabled Notification Types** allows enabling or disabling the following types of notifications:
- *Warnings*, which will alert when a heuristic is triggered. Alerts will be sent at most once every five minutes.
- *Low Battery*, which will alert when the device's battery is low. Notifications may not be supported for all devices—you can check if your device is supported by looking at whether the battery level indicator is functioning on the System Information section of the Rayhunter UI.
- With **Analyzer Heuristic Settings** you can switch on or off built-in [Rayhunter heuristics](heuristics.md). Some heuristics are experimental or can trigger a lot of false positive warnings in some networks (our tests have shown that some heuristics have different behaviour in US or European networks). In that case you can decide whether you would like to have the heuristics that trigger a lot of false positives on or off. Please note that we are constantly improving and adding new heuristics, so new release may reduce false positives in existing heuristics as well.
- With **Analyzer Heuristic Settings** you can switch on or off built-in [Rayhunter heuristics](heuristics.md). Some heuristics are experimental or can trigger a lot of false positive warnings in some networks (our tests have shown that some heuristics have different behavior in US or European networks). In that case you can decide whether you would like to have the heuristics that trigger a lot of false positives on or off. Please note that we are constantly improving and adding new heuristics, so a new release may reduce false positives in existing heuristics as well.
If you prefer editing `config.toml` file, you need to obtain a shell on your [Orbic](./orbic.md#obtaining-a-shell) or [TP-Link](./tplink-m7350.md#obtaining-a-shell) device and edit the file manually. You can view the [default configuration file on a GitHub](https://github.com/EFForg/rayhunter/blob/main/dist/config.toml.in).
If you prefer editing `config.toml` file, you need to obtain a shell on your [Orbic](./orbic.md#obtaining-a-shell) or [TP-Link](./tplink-m7350.md#obtaining-a-shell) device and edit the file manually. You can view the [default configuration file on GitHub](https://github.com/EFForg/rayhunter/blob/main/dist/config.toml.in).

2
doc/faq.md
View File

@@ -5,7 +5,7 @@
**It Depends**. Operation of Rayhunter does require the insertion of a SIM card into the device, but that sim card does not have to be actively registered with a service plan. If you want to use the device as a hotspot in addition to a research device, or get [notifications](./configuration.md), an active plan would of course be necessary.
### How can I test that my device is working?
You can enable the `Test Heuristic` under `Analyzer Heuristic Settings` in the config section on your web dashboard. This will cause an alert to trigger every time your device sees a cell tower, you might need to reboot your device or move around a bit to get this one to trigger, but it will be very noisey once it does. People have also tested it by building IMSI catchers at home, but we don't recommend that, since it violates FCC regulations and will probably upset your neighbors.
You can enable the `Test Heuristic` under `Analyzer Heuristic Settings` in the config section on your web dashboard. This will cause an alert to trigger every time your device sees a cell tower, you might need to reboot your device or move around a bit to get this one to trigger, but it will be very noisy once it does. People have also tested it by building IMSI catchers at home, but we don't recommend that, since it violates FCC regulations and will probably upset your neighbors.
<a name="red"></a>

22
doc/heuristics.md
View File

@@ -6,7 +6,7 @@ Rayhunter includes several analyzers to detect potential IMSI catcher activity.
### IMSI Requested (v3)
This analyser tests whether the eNodeB sends an IMSI or IMEI Identity Request NAS message under suspicious .
This analyzer tests whether the eNodeB sends an IMSI or IMEI Identity Request NAS message under suspicious .
Mobile networks primarily request IMSI or IMEI from a mobile device during initial network attachment or when the network cannot identify the mobile device by its temporary identification (TMSI - *Temporary Mobile Subscriber Identity* or GUTI - *Globally Unique Temporary Identifier* in 4G/5G terminology).
@@ -23,7 +23,7 @@ What we consider suspicious is the following chain of events:
* Authentication does *NOT* happen.
* Tower requests phone to disconnect.
Looking for this chain of events is much less prone to false positives than naively looking for any time the IMSI/IMEI is sent. We do still sometimes get false positives when users are in an airplane that is coming in for a landing however. This is likely do to having been disconnected for a while and then being over towers that are not able to route to your home network, but we are still researching.
Looking for this chain of events is much less prone to false positives than naively looking for any time the IMSI/IMEI is sent. We do still sometimes get false positives when users are in an airplane that is coming in for a landing however. This is likely due to having been disconnected for a while and then being over towers that are not able to route to your home network, but we are still researching.
This is the attack used by commercial IMSI catchers used by law enforcement.
@@ -36,43 +36,43 @@ This heuristic will also issue a notification every time your identity is sent t
### Connection Release/Redirected Carrier 2G Downgrade
This analyser tests if a base station releases your device's connection and redirects your device to a 2G base station. This heuristic is useful, because some IMSI catchers may operate in a such way that they downgrade connection to 2G where they can intercept the communication (by performing man-in-the-middle attack).
This analyzer tests if a base station releases your device's connection and redirects your device to a 2G base station. This heuristic is useful, because some IMSI catchers may operate in a such way that they downgrade connection to 2G where they can intercept the communication (by performing man-in-the-middle attack).
### LTE SIB6/7 Downgrade
This analyser tests if LTE base station is broadcasting a SIB type 6 and 7 messages which include 2G/3G frequencies with higher priorities.
This analyzer tests if LTE base station is broadcasting a SIB type 6 and 7 messages which include 2G/3G frequencies with higher priorities.
SIB (*System Information Block*) Type 6 and 7 are specific types of broadcast messages sent by the base station (eNodeB in 4G networks) to mobile devices. They contain essential radio-related configuration parameters to help mobile device perform cell reselection.
This attack exploits the fact that SIB broadcast messages are not encrypted or authenticated. This allows them to pretend to be a legitimate cell by broadcasting fake system information in order to force mobile devices to downgrade from more secure 4G (LTE) to less secure 2G (GSM) network and then steal IMSI and/or perform man-in-the-middle attack. That is why this is also called a downgrade attack.
SIB6 is used for cell reselecion to CDMA2000 systems which are not supported by many modern mobile phones, and SIB7 Provides the mobile device with information to perform cell reselection to GSM/EDGE networks. Therefore SIB6 messages are quite rare, while malformed SIB7 messages are much more frequent in practice.
SIB6 is used for cell reselection to CDMA2000 systems which are not supported by many modern mobile phones, and SIB7 Provides the mobile device with information to perform cell reselection to GSM/EDGE networks. Therefore SIB6 messages are quite rare, while malformed SIB7 messages are much more frequent in practice.
This heuristic is the most useful in the United States or other countries where there are no more operating 2G base stations. See [Wikipedia page on past 2G networks](https://en.wikipedia.org/wiki/2G#Past_2G_networks) for information about your country. In countries where 2G is still in service (such as most of EU), this heuristics may trigger false positives. In that case you should consider disabling it. However this heuristics has been vastly improved to reduce false positive warnings and new tests in European networks show that false positives are vastly reduced.
This heuristic is the most useful in the United States or other countries where there are no more operating 2G base stations. See [Wikipedia page on past 2G networks](https://en.wikipedia.org/wiki/2G#Past_2G_networks) for information about your country. In countries where 2G is still in service (such as most of EU), this heuristic may trigger false positives. In that case you should consider disabling it. However this heuristic has been vastly improved to reduce false positive warnings and new tests in European networks show that false positives are vastly reduced.
### Null Cipher
This analyser tests whether the cell suggests using a null cipher (EEA0) in the RRC layer. That means that encryption between your mobile device and base station is turned off.
This analyzer tests whether the cell suggests using a null cipher (EEA0) in the RRC layer. That means that encryption between your mobile device and base station is turned off.
Normally this should never happen, because null cipher is used almost exclusively for testing and debugging in labs or in controlled environments. Sometimes null cipher is used if encryption negotiation fails or isnt supported (however in most networks this should not be the case). Also, some regulations allow unencrypted communications in **specific** emergency cases.
The general rule is, that null cipher should never be used in commercial deployments, except in very controlled conditions (e.g., test labs) or in a very specific regulatory-approved use cases.
The general rule is that null cipher should never be used in commercial deployments, except in very controlled conditions (e.g., test labs) or in a very specific regulatory-approved use cases.
On the other hand, IMSI catchers often use null cipher to avoid setting up secure contexts (because they lack valid keys) and/or to trick mobile device into using unencrypted links (which makes eavesdropping easier).
### NAS Null Cipher
This analyser tests whether the security mode command at the NAS layer suggests using a null cipher (EEA0). This would usually only happen after a mobile device has successfully authenticated with the MME (*Mobility Management Entity* - core network component that handles signaling and control) but still it shouldn't happen at all. This could be indicative of an attack though using SS7 (*Signaling System 7* - a set of telecommunication protocols used to set up and manage calls and other services) to get key material from the HLR (*Home Location Register* - a database in mobile telecommunications networks that stores subscriber information) of the mobile phone for a successful authentication.
This analyzer tests whether the security mode command at the NAS layer suggests using a null cipher (EEA0). This would usually only happen after a mobile device has successfully authenticated with the MME (*Mobility Management Entity* - core network component that handles signaling and control) but still it shouldn't happen at all. This could be indicative of an attack though using SS7 (*Signaling System 7* - a set of telecommunication protocols used to set up and manage calls and other services) to get key material from the HLR (*Home Location Register* - a database in mobile telecommunications networks that stores subscriber information) of the mobile phone for a successful authentication.
It could also indicate an IMSI catcher which is connected to the mobile network MME and HLR through cooperation between government and telecom provider. Or it could be a false positive if the telecom provider is intending to use null ciphers (if encryption is illegal in some country, or they have some misconfiguration of the network), however this should be very rare case.
### Incomplete SIB
This analyser tests whether the SIB1 message contains a complete SIB chain (SIB3, SIB5, etc.). A legitimate SIB1 message should contain timing information for at least 2 additional SIBs (SIB3, 4, and 5 being the most common) but a fake base station will often not bother to send additional SIBs beyond 1 and 2 (i. e. some IMSI catchers send just SIB1 and *one additional* SIB).
This analyzer tests whether the SIB1 message contains a complete SIB chain (SIB3, SIB5, etc.). A legitimate SIB1 message should contain timing information for at least 2 additional SIBs (SIB3, 4, and 5 being the most common) but a fake base station will often not bother to send additional SIBs beyond 1 and 2 (i. e. some IMSI catchers send just SIB1 and *one additional* SIB).
On its own this might just be a misconfigured base station (though we have only seen it in the wild under suspicious circumstances) but combined with other heuristics such as **IMSI Requested** detection it should be considered as a strong indicator of malicious activity.
### Test Analyzer
This analyzer is great for testing if your Rayhunter installation works. It will alert every time a new tower is seen (specifically every time a tower broadcasts a SIB1 message.) It is designed to be very noisey so we do not recommend leaving it on but if this alerts it means your Rayhunter device is working!
This analyzer is great for testing if your Rayhunter installation works. It will alert every time a new tower is seen (specifically every time a tower broadcasts a SIB1 message.) It is designed to be very noisy so we do not recommend leaving it on but if this alerts it means your Rayhunter device is working!

39
doc/installing-from-release-windows.md
View File

@@ -1,39 +0,0 @@
# Installing from the latest release (Windows)
Windows support in Rayhunter's installer is a work-in-progress. Depending on the device, the installation instructions differ.
## TP-Link
1. Insert a FAT-formatted SD card. This will be used to store all recordings.
2. Connect the device via WiFi or USB Tethering -- you should be able to view the TP-Link admin page on <http://192.168.0.1>.
3. Download the latest release (must be at least 0.3.0) for windows-x86_64, and unpack the zipfile.
4. Open PowerShell or CMD in that extracted folder, the installer: `./installer tplink`
5. Follow the instructions on the screen, if there are any.
## Orbic
<div class=warning><strong>
[The Windows USB installer is known to be buggy](https://github.com/EFForg/rayhunter/issues/366). We strongly recommend using the [Network-based installer](./orbic.md#the-network-installer).
</strong></div>
1. Connect the device to your computer using the provided USB cable.
1. Install the [Zadig WinUSB driver installer](https://zadig.akeo.ie/).
1. Open Zadig, click options->show all devices
![Zadig](./zadig2.png)
1. Select 'RNDIS (Interface 0)'
![Zadig](./zadig.png)
1. Click 'install driver' and wait for it to finish.
2. Download the latest `rayhunter-vX.X.X-windows-x86_64.zip` from the [Rayhunter releases page](https://github.com/EFForg/rayhunter/releases). The version you download will have numbers instead of X
3. Unzip `rayhunter-vX.X.X-windows-x86_64` .
1. Open a powershell terminal by pressing Win+R and typing `powershell` and hitting enter.
5. Type `cd ~\Downloads\rayhunter-v<x.x.x>-windows-x86_64` (**Replace <x.x.x> with the Rayhunter version you just unzipped**) and hit enter.
5. Run the install script: `.\installer.exe orbic` and hit enter.
- The device will restart multiple times over the next few minutes.
- You will know it is done when you see terminal output that says `checking for rayhunter server...success!`
6. Rayhunter should now be running! You can verify this by following the instructions below to [view the web UI](./using-rayhunter.md#the-web-ui). You should also see a green line flash along the top of top the display on the device.

57
doc/installing-from-release.md
View File

@@ -2,7 +2,7 @@
Make sure you've got one of Rayhunter's [supported devices](./supported-devices.md). These instructions have only been tested on macOS and Ubuntu 24.04. If they fail, you will need to [install Rayhunter from source](./installing-from-source.md).
1. For the TP-Link only, insert a FAT-formatted SD card. This will be used to store all recordings.
1. **For the TP-Link only,** insert a FAT-formatted SD card. This will be used to store all recordings.
2. Download the latest `rayhunter-vX.X.X-PLATFORM.zip` from the [Rayhunter releases page](https://github.com/EFForg/rayhunter/releases) for your platform:
- for Linux on x64 architecture: `linux-x64`
- for Linux on ARM64 architecture: `linux-aarch64`
@@ -18,29 +18,50 @@ Make sure you've got one of Rayhunter's [supported devices](./supported-devices.
cd ~/Downloads/rayhunter-vX.X.X-PLATFORM
```
4. Turn on your device by holding the power button on the front.
On Windows you can decompress using the file browser, then navigate to the
folder that contains `installer.exe`, **hold Shift**, Right-Click inside the
folder, then click "Open in PowerShell".
* For the Orbic, connect the device using a USB-C cable.
* Or connect to the network if using the network based installer, this is especially recommended on Windows.
* For TP-Link, connect to its network using either WiFi or USB Tethering.
4. **Connect to your device.**
5. Run the installer:
First turn on your device by holding the power button on the front.
```bash
# On MacOS, you must first remove the quarantine bit
xattr -d com.apple.quarantine installer
```
Then run the installer:
```bash
./installer orbic
# or: ./installer [orbic-network|tplink|tmobile|uz801|pinephone|wingtech]
```
Then connect to the device using either WiFi or USB tethering.
The device will restart multiple times over the next few minutes.
You know you are in the right network when you can access
<http://192.168.1.1> (Orbic) or <http://192.168.0.1> (TP-Link) and see the
hardware's own admin menu.
You will know it is done when you see terminal output that says `Testing Rayhunter... done`
5. **On MacOS only**, you have to run `xattr -d
com.apple.quarantine installer` to allow execution of
the binary.
6. Rayhunter should now be running! You can verify this by [viewing Rayhunter's web UI](./using-rayhunter.md). You should also see a green line flash along the top of top the display on the device.
6. **Run the installer.**
```bash
# For Orbic:
./installer orbic --admin-password 'mypassword'
# Or install over USB if you want ADB and a root shell (not recommended for most users)
./installer orbic-usb
# For TP-Link:
./installer tplink
```
* On Verizon Orbic, the password is the WiFi password.
* On Kajeet/Smartspot devices, the default password is `$m@rt$p0tc0nf!g`
* On Moxee-brand devices, check under the battery for the password.
* You can reset the password by pressing the button under the back case until the unit restarts.
TP-Link does not require an `--admin-password` parameter.
For other devices, check `./installer --help` or the
respective page in the sidebar under "Supported
Devices."
7. The installer will eventually tell you it's done, and the device will reboot.
8. Rayhunter should now be running! You can verify this by [viewing Rayhunter's web UI](./using-rayhunter.md). You should also see a green line flash along the top of top the display on the device.
## Troubleshooting

41
doc/orbic.md
View File

@@ -21,30 +21,29 @@ or on [eBay](https://www.ebay.com/sch/i.html?_nkw=orbic+rc400l).
| Wifi 5Ghz | a/ac/ax |
| Wifi 6 | 🮱 |
## The Network Installer
## Two kinds of installers
Since Rayhunter 0.6.0 there is an alternative, experimental installation
procedure at `./installer orbic-network` that is supposed to eventually replace
`./installer orbic`. It does not require any USB driver installation and works
identically on Windows, Mac and Linux. From our testing it works much more
reliably on Windows than `./installer orbic` does.
The orbic's installation routine underwent many different changes:
The drawback is that the device's admin password is required.
1. Connect to the Orbic's network via WiFi or USB tethering
2. Run `./installer orbic-network --admin-password 'mypassword'`
* On Verizon Orbic, the password is the WiFi password.
* On Kajeet/Smartspot devices, the default password is `$m@rt$p0tc0nf!g`
* On Moxee-brand devices, check under the battery for the password.
* You can reset the password by pressing the button under the back case until the unit restarts.
3. The installer will eventually reboot the device, at which point the device is up and running.
1. The ADB-based shellscript prior to version 0.3.0
2. The Rust-based, ADB-based installer since version 0.3.0
3. Then, starting with 0.6.0, an alternative installer `./installer
orbic-network` that is supposed to work more reliably, can run over the
Orbic's WiFi connection and without the need to manually install USB drivers
on Windows.
4. Starting with 0.8.0, `orbic-network` has been renamed to `orbic`, and the
old `./installer orbic` is now called `./installer orbic-usb`.
It's possible that many tutorials out there still refer to some of the old
installation routines.
## Obtaining a shell
After running through the installation procedure, you can obtain a root shell
by running `adb shell` or `./installer util shell`. Then, inside of that shell
you can run `/bin/rootshell` to obtain "fakeroot."
After running the installer, there will not be a rootshell and ADB will not be
enabled. Instead you can use `./installer util orbic-start-telnet` and connect
to the hotspot using `nc 192.168.1.1 24`. On Windows you might not have `nc`
and will have to use WSL for that.
If you are using the network installer, there will not be a rootshell and ADB will not be enabled by the installer. Instead you can use `./installer util orbic-start-telnet` and connect to the hotspot using `nc 192.168.1.1 23`. On Windows you might not have `nc` and will have to use WSL for that.
If you are using an installer prior to 0.7.0 or `orbic-usb` explicitly, you can
obtain a root shell by running `adb shell` or `./installer util shell`. Then,
inside of that shell you can run `/bin/rootshell` to obtain "fakeroot."

4
doc/reanalyzing.md
View File

@@ -16,7 +16,7 @@ using the `rayhunter-check` CLI tool. That tool contains the same heuristics as
Rayhunter and will also work on traffic data captured with other tools, such as
QCSuper.
Since, 0.6.1, `rayhunter-check` is included in the release zipfile.
Since 0.6.1, `rayhunter-check` is included in the release zipfile.
You can build `rayhunter-check` from source with the following command:
`cargo build --bin rayhunter-check`
@@ -42,4 +42,4 @@ Options:
`rayhunter-check -p ~/Downloads #Check all files in downloads`
`rayhunter-check -d -p ~/Downloads/myfile.qmdl #run in debug mode`
`rayhunter-check -d -p ~/Downloads/myfile.qmdl #run in debug mode`

2
doc/tmobile-tmohs1.md
View File

@@ -37,7 +37,7 @@ According to FCC ID 2APXW-TMOHS1 Test Report No. I20Z61602-WMD02 ([part 1](https
| 71 | 600 MHz (USDD) |
## Installing
Connect to the TMOHS1's network over wifi or usb tethering.
Connect to the TMOHS1's network over WiFi or USB tethering.
The device will not accept web requests until after the default password is changed.
If you have not previously logged in, log in using the default password printed under the battery and change the admin password.

4
doc/tplink-m7350.md
View File

@@ -33,8 +33,8 @@ When filing bug reports, particularly with the installer, please always specify
You can get your TP-Link M7350 from:
* First check for used offers on local sites, sometimes it's much cheaper there.
* [Geizhals price comparison](https://geizhals.eu/?fs=tp-link+m7350)
* [Ebay](https://www.ebay.com/sch/i.html?_nkw=tp-link+m7350&_sacat=0&_from=R40&_trksid=p4432023.m570.l1313)
* [Geizhals price comparison](https://geizhals.eu/?fs=tp-link+m7350).
* [Ebay](https://www.ebay.com/sch/i.html?_nkw=tp-link+m7350&_sacat=0&_from=R40&_trksid=p4432023.m570.l1313).
## Installation & Usage

4
doc/uninstalling.md
View File

@@ -8,7 +8,7 @@ Once in a rootshell, run:
```shell
echo 3 > /usrdata/mode.cfg
rm -rf /data/rayhunter /etc/init.d/rayhunter-daemon /bin/rootshell.sh
rm -rf /data/rayhunter /etc/init.d/rayhunter_daemon /bin/rootshell
reboot
```
@@ -36,4 +36,4 @@ busybox vi /system/bin/initmifiservice.sh
```
Then type 999G (shift+g), then type dd. Then press the colon key (:) and type wq. Finally, press Enter.
4. Lastly, run `setprop persist.sys.usb.config rndis`.
5. Type `reboot` to reboot the device.
5. Type `reboot` to reboot the device.

2
doc/using-rayhunter.md
View File

@@ -14,7 +14,7 @@ You can access this UI in one of two ways:
network and visit <http://192.168.1.1:8080> (orbic)
or <http://192.168.0.1:8080> (tplink).
Click past your browser warning you about the connection not being secure, Rayhunter doesn't have HTTPS yet.
Click past your browser warning you about the connection not being secure; Rayhunter doesn't have HTTPS yet.
On the **Orbic**, you can find the WiFi network password by going to the Orbic's menu > 2.4 GHz WIFI Info > Enter > find the 8-character password next to the lock 🔒 icon.
On the **TP-Link**, you can find the WiFi network password by going to the TP-Link's menu > Advanced > Wireless > Basic Settings.

2
doc/uz801.md
View File

@@ -28,7 +28,7 @@ The most frequent bands found on these devices are LTE bands 1/3/5/8/20. In the
## Installing
With the device fully booted (i.e. beaming a wifi network, blue LED, etc.) and plugged into the computer that is performing the installation, run:
With the device fully booted (i.e. beaming a WiFi network, blue LED, etc.) and plugged into the computer that is performing the installation, run:
```sh
./installer uz801

4
doc/wingtech-ct2mhs01.md
View File

@@ -29,7 +29,7 @@ Wingtechs are abundant on ebay and can also be found on Amazon:
- <https://www.amazon.com/AT-Turbo-Hotspot-256-Black/dp/B09YWLXVWT>
## Installing
Connect to the Wingtech's network over wifi or usb tethering, then run the installer:
Connect to the Wingtech's network over WiFi or USB tethering, then run the installer:
```sh
./installer wingtech --admin-password 12345678 # replace with your own password
@@ -101,4 +101,4 @@ Caused by:
3: Network is unreachable (os error 101)
```
Make sure your computer is connected to the hotspot's wifi network.
Make sure your computer is connected to the hotspot's WiFi network.

BIN
doc/zadig.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 61 KiB

BIN
doc/zadig2.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 69 KiB

BIN
doc/zadig3.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 62 KiB

2
installer/Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "installer"
version = "0.7.1"
version = "0.8.0"
edition = "2024"
[dependencies]

17
installer/src/main.rs
View File

@@ -26,12 +26,11 @@ struct Args {
// of the manufacturer's capitalisation.
#[derive(Subcommand, Debug)]
enum Command {
/// Install rayhunter on the Orbic Orbic RC400L.
Orbic(InstallOrbic),
/// Install rayhunter on the Orbic RC400L using the legacy USB+ADB-based installer.
OrbicUsb(InstallOrbic),
/// Install rayhunter on the Orbic RC400L or Moxee Hotspot via network.
///
/// This is an experimental installer for Orbic that does not require USB drivers on Windows.
OrbicNetwork(OrbicNetworkArgs),
#[clap(alias = "orbic-network")]
Orbic(OrbicNetworkArgs),
/// Install rayhunter on the TMobile TMOHS1.
Tmobile(TmobileArgs),
/// Install rayhunter on the Uz801.
@@ -84,7 +83,7 @@ struct OrbicNetworkArgs {
/// Admin password for authentication.
#[arg(long)]
admin_password: String,
admin_password: Option<String>,
}
#[derive(Parser, Debug)]
@@ -207,8 +206,8 @@ async fn run() -> Result<(), Error> {
Command::Tplink(tplink) => tplink::main_tplink(tplink).await.context("Failed to install rayhunter on the TP-Link M7350. Make sure your computer is connected to the hotspot using USB tethering or WiFi.")?,
Command::Pinephone(_) => pinephone::install().await
.context("Failed to install rayhunter on the Pinephone's Quectel modem")?,
Command::Orbic(_) => orbic::install().await.context("\nFailed to install rayhunter on the Orbic RC400L")?,
Command::OrbicNetwork(args) => orbic_network::install(args.admin_ip, args.admin_username, args.admin_password).await.context("\nFailed to install rayhunter on the Orbic RC400L via network exploit")?,
Command::OrbicUsb(_) => orbic::install().await.context("\nFailed to install rayhunter on the Orbic RC400L (USB installer)")?,
Command::Orbic(args) => orbic_network::install(args.admin_ip, args.admin_username, args.admin_password).await.context("\nFailed to install rayhunter on the Orbic RC400L")?,
Command::Wingtech(args) => wingtech::install(args).await.context("\nFailed to install rayhunter on the Wingtech CT2MHS01")?,
Command::Util(subcommand) => match subcommand.command {
UtilSubCommand::Serial(serial_cmd) => {
@@ -246,7 +245,7 @@ async fn run() -> Result<(), Error> {
UtilSubCommand::WingtechStartAdb(args) => wingtech::start_adb(&args.admin_ip, &args.admin_password).await.context("\nFailed to start adb on the Wingtech CT2MHS01")?,
UtilSubCommand::PinephoneStartAdb => pinephone::start_adb().await.context("\nFailed to start adb on the PinePhone's modem")?,
UtilSubCommand::PinephoneStopAdb => pinephone::stop_adb().await.context("\nFailed to stop adb on the PinePhone's modem")?,
UtilSubCommand::OrbicStartTelnet(args) => orbic_network::start_telnet(&args.admin_ip, &args.admin_username, &args.admin_password).await.context("\\nFailed to start telnet on the Orbic RC400L")?,
UtilSubCommand::OrbicStartTelnet(args) => orbic_network::start_telnet(&args.admin_ip, &args.admin_username, args.admin_password.as_deref()).await.context("\\nFailed to start telnet on the Orbic RC400L")?,
}
}

8
installer/src/orbic.rs
View File

@@ -61,6 +61,10 @@ async fn confirm() -> Result<bool> {
}
pub async fn install() -> Result<()> {
println!(
"WARNING: The orbic USB installer is not recommended for most usecases. Consider using ./installer orbic instead, unless you want ADB access for other purposes."
);
#[cfg(target_os = "windows")]
{
let confirmation = confirm().await?;
@@ -84,6 +88,10 @@ pub async fn install() -> Result<()> {
}
pub async fn shell() -> Result<()> {
println!(
"WARNING: The orbic USB installer is likely to go away in a future version of Rayhunter. Consider using ./installer util orbic-start-telnet instead."
);
println!("opening shell");
let mut adb_device = get_adb().await?;
adb_device.shell(&mut std::io::stdin(), Box::new(std::io::stdout()))?;

22
installer/src/orbic_network.rs
View File

@@ -122,8 +122,12 @@ async fn login_and_exploit(admin_ip: &str, username: &str, password: &str) -> Re
pub async fn start_telnet(
admin_ip: &str,
admin_username: &str,
admin_password: &str,
admin_password: Option<&str>,
) -> Result<()> {
let Some(admin_password) = admin_password else {
anyhow::bail!("--admin-password is required");
};
echo!("Logging in and starting telnet... ");
login_and_exploit(admin_ip, admin_username, admin_password).await?;
println!("done");
@@ -134,8 +138,22 @@ pub async fn start_telnet(
pub async fn install(
admin_ip: String,
admin_username: String,
admin_password: String,
admin_password: Option<String>,
) -> Result<()> {
let Some(admin_password) = admin_password else {
eprintln!(
"As of version 0.8.0, the orbic installer has been rewritten and now requires an --admin-password parameter."
);
eprintln!(
"Refer to the official documentation at https://efforg.github.io/rayhunter/ for how to find the right value."
);
eprintln!();
eprintln!(
"If you are following a tutorial that does not include this parameter, the tutorial is likely outdated. You can run ./installer orbic-usb to access the old installer, however we recommend against it."
);
anyhow::bail!("exiting");
};
echo!("Logging in and starting telnet... ");
login_and_exploit(&admin_ip, &admin_username, &admin_password).await?;
println!("done");

41
installer/src/tplink.rs
View File

@@ -265,6 +265,14 @@ async fn handler(state: State<AppState>, mut req: Request) -> Result<Response, S
// on other versions, this path is /js/settings.min.js
let is_settings_js = path.ends_with("/settings.min.js");
if is_settings_js {
// It can happen that new versions of the admin JS do not take effect because of caching
// headers. This is a problem when trying multiple versions of the installer. Delete all
// caching headers and hope the server never erroneously returns a 304 that way.
req.headers_mut().remove("If-Modified-Since");
req.headers_mut().remove("If-None-Match");
}
*req.uri_mut() = Uri::try_from(uri).unwrap();
let mut response = state
@@ -281,22 +289,33 @@ async fn handler(state: State<AppState>, mut req: Request) -> Result<Response, S
.map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
let mut data = BytesMut::from(data);
// inject some javascript into the admin UI to get us a telnet shell.
data.extend(br#";window.rayhunterPoll = window.setInterval(() => {
// Intentionally register rayhunter-daemon before rayhunter-root so that we are less
// likely to run into race conditions where rayhunter-root is launched, and the
// installer kills the server. In practice both HTTP requests may execute concurrently
// anyway.
Globals.models.PTModel.add({applicationName: "rayhunter-daemon", enableState: 1, entryId: 2, openPort: "2400-2500", openProtocol: "TCP", triggerPort: "$(/etc/init.d/rayhunter_daemon start)", triggerProtocol: "TCP"});
Globals.models.PTModel.add({applicationName: "rayhunter-root", enableState: 1, entryId: 1, openPort: "2300-2400", openProtocol: "TCP", triggerPort: "$(busybox telnetd -l /bin/sh)", triggerProtocol: "TCP"});
data.extend(br#";document.addEventListener("DOMContentLoaded", () => {
console.log("rayhunter: start polling");
var rayhunterSleep = (ms) => new Promise(resolve => setTimeout(resolve, ms));
var rayhunterPoll = window.setInterval(async () => {
Globals.models.PTModel.add({applicationName: "rayhunter-daemon", enableState: 1, entryId: 1, openPort: "2401", openProtocol: "TCP", triggerPort: "$(/etc/init.d/rayhunter_daemon start &)", triggerProtocol: "TCP"});
console.log("rayhunter: first request succeeded, stopping rayhunter poll loop");
window.clearInterval(rayhunterPoll);
// PTModel.add actually does not wait for the request to finsh.
// Wait 1 second for the request to finish.
// Running both requests concurrently can get one of the two requests rejected, as
// sending a request with entryId: 2 is invalid if entryId 1 does not exist (yet)
// This only happens starting with firmware M7350(EU)_V9_9.0.2 Build 241021, earlier
// versions are not affected.
await rayhunterSleep(1000);
console.log("rayhunter: running second request");
Globals.models.PTModel.add({applicationName: "rayhunter-root", enableState: 1, entryId: 2, openPort: "2402", openProtocol: "TCP", triggerPort: "$(busybox telnetd -l /bin/sh &)", triggerProtocol: "TCP"});
// Do not use alert(), instead replace page with success message. Using alert() will
// block the event loop in such a way that any background promises are blocked from
// progress too. For example: The HTTP requests to register our port triggers!
document.body.innerHTML = "<h1>Success! You can go back to the rayhunter installer.</h1>";
// We can stop polling now, presumably both requests are already inflight.
window.clearInterval(window.rayhunterPoll);
}, 1000);"#);
}, 1000);
});"#);
response = Response::from_parts(parts, Body::from(Bytes::from(data)));
response.headers_mut().remove("Content-Length");
}

28
installer/src/util.rs
View File

@@ -91,7 +91,7 @@ pub async fn telnet_send_file(
payload: &[u8],
wait_for_prompt: bool,
) -> Result<()> {
echo!("Sending file {filename} ... ");
echo!("Sending file {filename}... ");
let nc_output = {
let filename = filename.to_owned();
let handle = tokio::spawn(async move {
@@ -102,14 +102,31 @@ pub async fn telnet_send_file(
)
.await
});
// wait for nc to become available. if the installer fails with connection refused, this
// likely is not high enough.
sleep(Duration::from_millis(100)).await;
let mut addr = addr;
addr.set_port(8081);
let mut stream;
let mut attempts = 0;
loop {
// wait for nc to become available, with exponential backoff.
//
// if the installer fails with connection refused, this
// likely is not high enough.
sleep(Duration::from_millis(100 * (1 << attempts))).await;
stream = TcpStream::connect(addr).await;
attempts += 1;
if stream.is_ok() || attempts > 3 {
break;
}
echo!("attempt {attempts}... ");
}
{
let mut stream = TcpStream::connect(addr).await?;
let mut stream = stream?;
stream.write_all(payload).await?;
// if the orbic is sluggish, we need for nc to write the data to disk before
@@ -122,6 +139,7 @@ pub async fn telnet_send_file(
sleep(Duration::from_millis(1000)).await;
// ensure that stream is dropped before we wait for nc to terminate.
drop(stream);
}
handle.await??

15
installer/src/uz801.rs
View File

@@ -54,6 +54,21 @@ pub async fn activate_usb_debug(admin_ip: &str) -> Result<()> {
let referer = format!("http://{admin_ip}/usbdebug.html");
let origin = format!("http://{admin_ip}");
// Check if device is online
echo!("Checking if device is online... ");
let client = reqwest::Client::builder()
.timeout(Duration::from_secs(5))
.build()?;
match client.get(&origin).send().await {
Ok(response) if response.status().is_success() => println!("ok"),
Ok(response) => anyhow::bail!(
"Device at {admin_ip} returned error status: {}",
response.status()
),
Err(e) => anyhow::bail!("Failed to reach device at {admin_ip}: {}", e),
}
let _handle = tokio::spawn(async move {
let client = reqwest::Client::builder()
.timeout(Duration::from_secs(5))

2
lib/Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "rayhunter"
version = "0.7.1"
version = "0.8.0"
edition = "2024"
description = "Realtime cellular data decoding and analysis for IMSI catcher detection"

1
make.sh
View File

@@ -1,5 +1,6 @@
#!/bin/bash -e
pushd daemon/web
npm install
npm run build
popd
cargo build-daemon-firmware-devel

2
rootshell/Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "rootshell"
version = "0.7.1"
version = "0.8.0"
edition = "2024"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

2
telcom-parser/Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "telcom-parser"
version = "0.7.1"
version = "0.8.0"
edition = "2024"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html