5,604,507 Members 46,153 Now Online
XDA Developers Android and Mobile Development Forum

Raw android GSM radio modem access (text/call intercept)

Tip us?
(Last edited by n01ce; 19th January 2014 at 09:48 AM.)
n01ce's Avatar
Junior Member - OP
Thanks Meter 26
Posts: 27
Join Date: Aug 2013
Angry Raw android GSM radio modem access (text/call intercept)


DISCLAIMER: This post is solely for academic purposes. Do not try to intercept a text or call as it is generally illegal in most if not all countries. Don't play with the licensed radio frequencies.

The question is: Can we use an Android phone, without any external radio receiver, to intercept a GSM call or text not destined to our phone? How?

Overview: GSM calls and texts use mostly insecure networks, protocols and encryption algorithms, all over the air.
This means that calls and texts can be intercepted and deciphered. This has been demonstrated at various security conferences and it is documented carrier-by-carrier at gsmmap.org.

Source: Decrypting GSM phone calls (Karsten Nohl)

Prequisites: To hack GSM call or text we need:
1. Processing power to run the A5/1 cracking software.
I don't know if there is any port on Android(ARM) platforms but that's probably not a real issue.
2. A programmable radio receiver to have raw access to GSM uplink and downlink frequencies digital data. That's where we DON'T want to use an external radio module, and use the phone built-in radio module.

Let's have a look at the different issues behind this question:
A. Can the phone GSM modem listen to the uplinks (phone to GSM network) of other phones?
It is normally built to listen to the GSM downlinks. But whatever, we can already intercept much with the downlink.
Moreover, antennas may use some sort of beamforming that may require the hacker phone to be in a specific zone, if using a passive intercept technique.

B. What piece of software "filters" the GSM data not destined to the phone ?
First, we need to understand how the radio data is accessed on Android.

Source: Radio Layer Interface (Android Open Source Project, Kandroid)

The GSM filtering (in terms of frequency selection or data dismiss) should either occur at the baseband level or at the RIL level. Otherwise, that would mean it's handled directly in the radio chipset (and I don't think we can do much in this latter case...).
The RIL communicates with the baseband with AT commands (specs here). These AT commands seem too be to high level commands to treat raw data streams.
So I guess the suspect is the baseband firmware but I may be wrong.

C. Can we hack the baseband to access raw GSM data not destined to the phone?
Technically, yes, it's a file flashable with ODIN. (The RIL can be flashed too).
But I've not seen on this forum any special activity on custom baseband development (it's always official baseband firmware).
The issue is that the baseband is hardware-specific and it is closed-source: "Every mobile device that is connected to a cellular network runs some kind of baseband processor with highly proprietary and closed-source firmware." (source).
Attempts to hack official baseband firmwares to develop custom baseband firmwares is still only an emerging concept, at the specification study level.
Regarding open-source software, note that "Airprobe has, for most users, since been replaced by the cheaper Osmocom phones". OsmocomBB is an Free Software / Open Source GSM Baseband software implementation. It intends to completely replace the need for a proprietary GSM baseband software". However the list of OsmocomBB compatible phones is very limited.

The help and knowledge of xda community would be much appreciated to progress on this topic

[EDIT] Interesting links:
Decompiling baseband firmware?
HackRF external transceiver (~300$)
[FAQ] The Baseband (Optimus 2x) by sudden36
Monitor mode for Broadcom WiFi Chipsets by Omri Ildis, Yuval Ofir and Ruby Feinstein (check their RECon PPTX presentation with footnotes to see how they reverse engineered the WiFi chipset firmware based on ARM)
The Following 2 Users Say Thank You to n01ce For This Useful Post: [ Click to Expand ]
(Last edited by E:V:A; 13th January 2014 at 02:19 AM.)
E:V:A's Avatar
Recognized Developer
Thanks Meter 1441
Posts: 1,113
Join Date: Dec 2011
Location: -∇ϕ
First of all, this thread should be moved to "Security Discussions".

Second, you'll have quite some additional reading to do...

Then you'll have to realize that the firmware on the baseband is on the order of 60 MB for Qualcomm and 12 MB for Intel (XMM) BP's.

Whats you propose is certainly possible, if not already done with some NSA devices. (Check out their product catalog!) And they a have help from QCOM and Intel etc.

Also, much of the BB code running in QCOMs modem devices, are for Hexagon cores, which are harder to decompile, because of proprietary reasons. But the type of interception you're talking about seem very difficult if you don't know PhD loads of GSM and other mobile phone technology.
MSM8960 Info, Architecture and Bootloader(s)
El Grande Partition Table Reference
How to talk to the Modem with AT commands

Want to know when your phone is getting tracked or tapped?

Help us develop the IMSI Catcher / Spy Detector!
(To be part of the EFF & The Guardian Project toolsets.)
If you like what I do, just click THANKS!
Everything I do is free, altruism is the way!
I do not answer support related PM's.

The Following 3 Users Say Thank You to E:V:A For This Useful Post: [ Click to Expand ]
ahmad990's Avatar
Senior Member
Thanks Meter 9
Posts: 182
Join Date: Jul 2013

Tip: Press the [THANKS] button instead of typing it!
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes