[SECURITY] [APP][WIP] IMSI Catcher/Spy Detector

Status
Not open for further replies.

mai77

Senior Member
Nov 16, 2011
3-fold approach to privacy

Why is nobody starting on the software?

maybe we should ask Edward Snowden this question :confused:;)

---------- Post added at 08:21 PM ---------- Previous post was at 08:16 PM ----------

BTW - are you trying to advertise this XPosed framework thingy on XDA? You also had another "very useful" post in the Open PDroid thread about it...

indeed,

  • pdroid,
  • Xposed,
  • "permission master"
(and similar apps) are pursuing the goal of privacy via 3 different routes.


obviously, xposed is the one to run with least effort on the user side, then perm. master, then pdroid (unless you use CM9+).
 

SecUpwN

Senior Member
Jun 12, 2012
secupwn.github.io
maybe we should ask Edward Snowden this question?

indeed,

  • pdroid,
  • Xposed,
  • "permission master"
(and similar apps) are pursuing the goal of privacy via 3 different routes.


obviously, xposed is the one to run with least effort on the user side, then perm. master, then pdroid (unless you use CM9+).
You did not get the point of this project. Tools like Xposed are being developed to restrict permissions of apps, but this thread is completely about notifying a user if he is being tracked by forces like the police or other individuals using IMSI catchers.

You see, there are people like me who are fire and flame and who would even donate for getting this app to be developed - and then there are trolls like you. Did you even read the OP, man? Instead of posting a bunch of bullsh*t here, help us find a skilled developer to create this proof-of-concept app! Comments like yours just make me puke. Please troll elsewhere. Thank you.
 

SecUpwN

Senior Member
Jun 12, 2012
secupwn.github.io
This mai77 is either ignorant and can't read or part of the NSA trying to discourage development of software that can warn innocent citizens that their privacy is being intruded upon. Sadly, given the latest developments, the latter is more likely of the two.

Grieve no longer, I've just created the [BOUNTY] IMSI Catcher & Spy Detector PLEDGE THREAD!
Please spread the link, we'll find a developer soon. For sure! :fingers-crossed:
 

SecUpwN

Senior Member
Jun 12, 2012
secupwn.github.io
UPDATE: Found two interesting projects that are already on GitHub! Check out the Master Thesis, Software to detect IMSI-Catchers. Especially the Papers section is a small gold nugget. Even more awesomeness: Smartphone Attack Vector!

@E:V:A, if you're still alive, I'd appreciate if you share where YOUR GitHub is located! Would be cool if we had ONE place to start and not three different GitHub accounts with scattered progress. Thank you ahead for replying.
 

klau1

Senior Member
Jan 1, 2008
This is superbly reassuring! Looks like there is interest and ground work being done at the academic level.

Btw, great read, very interesting!

Honestly, we should not be surprised considering how popular a research topic data security is at university.

Security in phone communication is certainly an already huge and growing concern, as mobile devices, most notably our smart phones, are increasingly relied upon as the main form of communication and entertainment across the globe.

Whoever can tap into private data transmitted between such devices without consent will have an unprecedented and unfair political and economic power advantage.

Look at the recent debacle with Angela Merkel and the NSA, or the Canadian spying on bids by Brazilian mining companies.

NSA spying on the personal and private communications of regular Americans, like phone sex (http://reason.com/blog/2013/06/10/remember-that-time-the-nsa-listened-to-u), could easily be used to blackmail and silence any political voice of tomorrow.

Private business bids have been foiled; political opposition and journalist criticism of political corruption - the foundation of democracy - have been silenced and nipped in the bud with such power.

Do we want our children to inherit a world where their ideas and actions can make a difference, or one where they cannot?

Definitely keeping a watch on that project. And spread the word.
 

SecUpwN

Senior Member
Jun 12, 2012
secupwn.github.io
NEW GitHub and NEW Website!

HUGE UPDATE: We now have an active GitHub and a neat looking website, along with awesome papers!

@E:V:A, if you're still alive, I'd appreciate if you share where YOUR GitHub is located! Would be cool if we had ONE place to start and not three different GitHub accounts with scattered progress. Thank you ahead for replying.
Too bad @E:V:A did not reply, hope he'll keep contributing. Set your bookmarks to THIS WEBSITE and THIS GITHUB! :cowboy:

This is superbly reassuring! Looks like there is interest and ground work being done at the academic level.
You bet, I hope that this project will get featured one day on the XDA portal to attract even more developers.

Security in phone communication is certainly an already huge and growing concern, as mobile devices, most notably our smart phones, are increasingly relied upon as the main form of communication and entertainment across the globe. Whoever can tap into private data transmitted between such devices without consent will have an unprecedented and unfair political and economic power advantage.
Wise words, but sadly, only security enthusiasts realize that. The goal of this thread should be to create an app that makes it easy for the average user to get in touch with security in a rather playful way and get notified on threats. The interface of the final app shall be as uncluttered and simple as possible. But that is why I have set up the new GitHub - to let people contribute.

Do we want our children to inherit a world where their ideas and actions can make a difference, or one where they cannot?
Well, our app may not change how the world is working, but certainly it will make a difference. Let's see...

Definitely keeping a watch on that project. And spread the word.
Ha, you better do that! I'm counting on everyone to keep this project alive and flowering. Let's hack this!
 

ewoewo

Member
Nov 28, 2012
oh uh

I have read the thread and I think you are overcomplicating the situation a little:

I want to point out a few options, and I can link you to where you can buy these products; I'll try to be historically correct:

In the analog days there were boxes to invert speech, and you can buy them now. There were boxes trying to detect runtime and load changes on the line, and you can still buy them. There is EVEN the emulation possibility.

There are amps and directional antennas so you can have a different location with your cellphone; they are quite cheap (3 USD up to 30 USD for an amp). The sale price of the Rohde & Schwarz test equipment for the phone is 500 USD now, as there are newer models (the software of the test equipment is not a secret: it is partly an IMSI catcher).

There are VoIP phones with encryption. Yes, they have Linux cores and working RADIOS, also the boxes with analog SIM gateway technologies (50 USD) (there are even fax interfaces for GSM, and yes, it is easy to debug).

There are long-range Bluetooth antennas and amps, and boxes that share the SIM cards via a Bluetooth connection (you can relay it via the internet). All that hardware and software is here and the stacks are well documented. Developers are everywhere.

There are noise amps that make all that standardized electronic communication impossible at a demonstration site; they are quite cheap.

There are long-range BT headsets and small ones (that one can't see); all that is in the price range of 10 USD - 70 USD incl. shipping.

There are open phone projects (lots of them) which have got the sources of the radios. The problem is that none of the devs really like to share, because it is all about the money and it is hard to work for free all the time, because it is free work also if you live with a refugee. It is about human rights in western states, not about asking for a website.

There are sunglasses with mirrors inside so you can see your back.

There is proper phone software and encoding, let's call it proper encryption, for phone calls via the internet from a Swiss company. There are a lot of sources for datasheets and code available (the Chinese internet is fully loaded with them). They even have domestic products which they dare to sell to you.

I'll be back and attach the file with the links to the places where to buy, but they will go out of date. There are dev kits with sources and they are hellishly cheap on AliExpress and on Taobao. They even have FPGA hardware for bitcoin mining that you can use to encrypt voice and data for 30 bucks, if you decide to let the users use their USB connections (and not only let them use half of the hardware they pay for in their phone or tablet, because "there is no time").

All of that is very, very cheap and easy. I don't see any reason why the people in the photo didn't know that before I read that thread. They even have quad-SIM phones there on AliExpress, and you can use two phones (40 bucks each) and let them switch connections or use 2 voice connections; no IMSI catcher can monitor that. I have a lot of ideas. They are not about encryption... they are not about using monitor modes of old phones. You can use the software Nemo or TEMS, just check the prices on AliExpress. Huh, there are Android versions!

You have speech synthesis, you have cheap sound cards for USB (3 USD), you can control machines remotely to make your voice calls... If you can get internet connections while demonstrating you can succeed... There are GPS, small cameras, recorders and watches with cameras on AliExpress. They put it on YouTube for you, if they can afford and import it.

You have tablets with code compatibility so that they are not traceable, you have SSDs for 4 x 128 GB UHS-I cards...

All SoCs have SATA, all SoCs have 2 x USB: only the customer does not want it, and you are the customer!!! All people on this site are not able to do some reworking on that... and the Chinese devs are not able to provide solder points for you in turn. Is it needed that someone dies before you call up the Chinese devs?

Nobody even compiles drivers for DVB-T (spectrum scanning, only one old slow tablet has it) or for audio outputs, but these are standard usage cases for every car or home... Still I read about optimizations?

Not even VPN modules are included in your "good" and "fast" ROMs in most cases... You don't have time... but the others die.

There is multipath TCP in development; even the guy who wrote the first Windows 3.11 SOCKS app is still online waiting for your questions... There are a couple of TCP/IP stack mods already done and available, but not included in life-saving platforms (but in banking systems)... It is because the USA likes to sell their products without any modifications... and Europe sells IMSI catchers?

Hell, the whole world is full of the docs and specs of the hardware you need and of the sources: they dare to get rid of it for minimal payment!

THEY SELL IT! Only the people in these Islamic countries don't know how to be safe with your "technology", because you don't talk about it. There are reasons for that: these products are corrupt garbage (if you don't spend a lot of cash every month on it).
 

Attachments: links2.txt (3.7 KB)

SecUpwN

Senior Member
Jun 12, 2012
secupwn.github.io
I have read the thread and I think you are overcomplicating the situation a little:

I want to point out a few options, and I can link you to where you can buy these products; I'll try to be historically correct
Let me summarize your post: You clearly have not understood the point of this project and make it way too simple. Don't get me wrong, but you are one of these guys why other people or developers leave or even don't start anything, due to the annoyance of this type of "smart thinking" of peeps who tell them "with money you can already buy all that crap". Thanks for your answer here, but PLEASE learn English first, then read everything carefully again and rethink your "smart" theories. Don't get depressed, posting while drunk happens to the best of us.
 

E:V:A

Inactive Recognized Developer
Dec 6, 2011
Hello & Sorry!

I have not abandoned anything. In fact my main productivity problem is exactly that: I never abandon my projects, unless they've been superseded by something better elsewhere, because I know they are important and good. But what that means is that I get easily distracted and start new projects when things are not moving fast. This is one of those. In fact I have not been checking my XDA PMs since October, and I have missed out on many important messages (and even more spam).

However, I'm impressed and very grateful to see how SecUpwN has tried to promote and get this thing going. Thanks again.

About Github Account


Everybody's probably wondering why I never responded to the GitHub "requests". It's simply because I never set it up as I intended, for lack of collaborating commitments. There was one GitHub earlier, but it was not set up by me, and the guy who set it up was not as motivated to keep it updated etc., so I did not feel like I had any managing influence or control over it. My original intention was to set up my own, and open it up to all developers who were able to contribute with any form of code. That has not happened yet.

I just tried to access the SecUpwN github URLs. But I just get 404's. Did you remove it?
EDIT: Now it works!

No Flaming Needed

maybe we should ask Edward Snowden this question ... indeed, pdroid,Xposed,"permission master"
(and similar apps) are pursuing the goal of privacy via 3 different routes.
...

Hi mai77,
I know you used to understand what this project was all about, but since time has passed since your initial interest, I think you've forgotten how it works. I understand what you're saying, but I still don't think it's appropriate to promote unrelated projects in this thread. I will clarify the differences again below. Yes, the NSA can probably see everything, but this is not about seeing, but more about tracking. Especially by non-NSA governments. The ideal case would be if we could combine the environments you mention above with what I am proposing here, to provide a real open-sourced, free-to-the-public and secure device!


UPDATE: Found two interesting projects that are already on GitHub! Check out the Master Thesis, Software to detect IMSI-Catchers. Especially the Papers section is a small gold nugget. Even more awesomeness: Smartphone Attack Vector!
...

Hi, yes, I remember that python stuff. I have since improved my python skills... About Github, see my response above.


Functional Clarification


It is extremely important to understand that this project works on a lower level than any regular sandbox Android app can ever do. The visible parts of this project will use a regular app to process and display information, but all this information and functionality come from deep within the modem processor that will never be accessible from/to any regular AOS Application. A limited set of information is provided by AOS, that can be useful, but in order to provide preventative counter measures and other details, we have to use layer 1 (L1) data and signaling...

For Qualcomm devices we can use the Perl QPST/QXDM framework to extract and manipulate L1/2/3 data, to some extent. But this is just one option. We could essentially use anything we want as long as we have our own modem processor SMD drivers in place. We can certainly do that! What we don't have, however, is a Hexagon disassembler / decompiler. Hexagon is the processor architecture used in all Qualcomm DSPs (aka. modem/CP/BP). Therefore we can never know what other back-doors Qualcomm has provided for the US gov't at the bare-metal (hardware) level of those chips.

So another way for very talented people to help secure our mobile future is to build/develop a poor-man's Hexagon disassembler! This is probably not as difficult as it sounds, as the DSP instruction sets are old (starting before 2006) and based on previous technology. The later QDSP6 V5 (2013) are just updates and enhancements to these.

For Intel/Infineon devices, we can just use IDA PRO! (But no-one has bothered to do any reversing further than a few dozen function calls.) The monolithic BP kernel is just based on some form of ARM architecture, AFAIK. So although this HW has much poorer documentation and references, technically this architecture is much easier to manipulate at the low level because of its built-in and accessible RF sequencer. We can send/transmit at ANY frequency! This is the charm of "security-by-obscurity"!


Summary
This project:

  • Detects IMSI-based device location tracking
  • Provides counter measures for device tracking
  • Can provide swarm-wise-decision-based cellular service interruption
  • Can provide secure wifi/wimax alternative data routes through MESH-like networking
  • Detects and prevents remote hidden application installation
  • Detects and prevents remote hidden SMS-based SIM attacks
  • Prevents or spoofs GPS data
  • Does NOT secure any data transmissions
  • Does NOT prevent already installed rogue applications from full access

Other projects:

  • Provide full device encryption
  • Provide secure application sand-boxing
  • Provide secure data transmission
  • Provide firewalls
I hope this helps keep this project alive...

Best Seasons Greetings

- E:V:A -
 

SecUpwN

Senior Member
Jun 12, 2012
secupwn.github.io
This project:

  • Detects IMSI-based device location tracking
  • Provides counter measures for device tracking
  • Can provide swarm-wise-decision-based cellular service interruption
  • Can provide secure wifi/wimax alternative data routes through MESH-like networking
  • Detects and prevents remote hidden application installation
  • Detects and prevents remote hidden SMS-based SIM attacks
  • Prevents or spoofs GPS data
  • Does NOT secure any data transmissions
  • Does NOT prevent already installed rogue applications from full access

Other projects:

  • Provide full device encryption
  • Provide secure application sand-boxing
  • Provide secure data transmission
  • Provide firewalls
Thank you so much for being back with new stuff on the matter, @E:V:A! I just added your clarification to the GitHub pages as well as to the corresponding website. If there's more you'd like to see there, feel free to let me know. Here's my suggestion: We already have the developer roadmap, but wouldn't it be more useful to break it down into smaller steps? We could assign each small step to specific users who could then contribute that to the GitHub? Would be cool if you add the GitHub link to the OP.
 

E:V:A

Inactive Recognized Developer
Dec 6, 2011
...We already have the developer roadmap, but wouldn't it be more useful to break it down into smaller steps? We could assign each small step to specific users who could then contribute that to the GitHub? Would be cool if you add the GitHub link to the OP.
Sounds good.
Did you look at the OP?
 

Ryccardo

Senior Member
Nov 12, 2013
[...] there should be a Ciphering Indicator (CI) showing the user when the GSM phone/data connection is not using encryption. Unfortunately for many people in the rest of the world, this feature has not been properly (if at all) implemented in the Android OS

[...]

The problem is that since this is an "administrative operation", it may require something called a "facility lock password". However it is not clear to me what this is. Is it just a CHV PIN/PUK or is it something only known to the OEM or cellular service provider?

1: I still remember a "low encryption" indicator, only documented in the manual by this name, appearing once on my made-in-2001 Siemens S35i. I think I was ~30 km from Austria...

2: it might (no proof or supporting evidence) be PIN2, which at least in Italy stopped being printed (and programmed?) on new SIMs around 2004. Or the "Ki" key that's required to clone a card (it's easy to extract on the very first designs, which I bet don't work on any Android)
 

SecUpwN

Senior Member
Jun 12, 2012
secupwn.github.io
Our friends over at srlabs.de just released GSMmap - a tool that checks which encryption methods are used by your network operator.
https://opensource.srlabs.de/projects/mobile-network-assessment-tools/wiki/GSMmap-apk

Source is available under the terms of GPLv3.
https://opensource.srlabs.de/projects/mobile-network-assessment-tools/repository/gsmmap-android
Awesome, thanks for sharing! I'll contribute once the tool works with my HTC ONE. ;) @E:V:A: I just discovered your announcement in the CatcherCatcher mailing list. Even developer Sascha of the SRLABS team sent a separate callout to all developers. Do you have a good idea on Issue #1? You may leave your comment there. Thanks for digging forward with us!
 

Top Liked Posts

    UPDATE: 2015-01-14
    IMPORTANT!

    Although this thread is still open, it is no longer updated with relevant info.
    Please go to our official GitHub Site for the latest developer news and join
    our development efforts in our back rooms...




    For all the latest changes see our CHANGELOG.
    For all the latest WIP alpha releases, see RELEASES.

    The minimum supported AOS API version is 16, thus
    AIMSICD will only work on Jelly Bean 4.1 or later.
    ---

    Call for help to develop an IMSI catcher detector application for Android OS.

    Q: What is an IMSI catcher?
    A: It is a fake cell tower (aka. Base Transceiver Station, BTS) used to track and monitor specific (groups of) people in the near vicinity of that BTS.


    In the light of last year's highly publicized events in the many Arabic nations, the German state-sponsored rootkit discovery, etc., it is of the highest priority to start developing anti/counter-spy applications for the people living in rogue states such as Syria, Iran etc. In addition, it may play an important role in finding (and preventing) other rogue applications that attempt to send silent SMSs to high-cost premium services.

    Recently there has been some publicity surrounding the OsmocomBB application patch known as "Catcher Catcher", which is used to detect mobile phone tracking and spying originating from the Mobile Phone Service Provider side (i.e. something that generally can only be provided by state-sponsored government and security forces).

    Relevant links include:
    http://bb.osmocom.org/trac/
    http://www.youtube.com/watch?v=YWdHSJsEOck
    http://events.ccc.de/congress/2011/Fahrplan/events/4736.en.html
    http://gsmmap.org/cgi-bin/gsmmap.fcgi?risk=1
    http://lab.ks.uni-freiburg.de/projects/imsi-catcher-detection/wiki/Software
    http://opensource.srlabs.de/projects/catcher/wiki

    For a tutorial on how to compile and help populate the Gsmmap database, see here.

    In the News:
    http://www.h-online.com/security/ne...iles-and-security-measures-shown-1401668.html
    http://www.actualtoday.com/gsm-hacking-osmocom-patch-discovered-silent-sms-and-eavesdropping

    This information started in 2010 and was extended to last year's 28C3 event...

    How can you help?

    I would very much like to have contact with anyone who can provide more in-depth knowledge of how this could possibly be implemented on the AOS. There are several ways you can help, even though you may not be an expert on HW or even Android.


    • Help populate the Gsmmap database.
    • Follow and help/develop the OsmocomBB project.
    • Compile OsmocomBB for an Android phone, so that it can be used as a USB host. (Preferably for one of the more popular models like the Samsung galaxy S.)
    • Help mapping out the Android baseband AT command set or the internal RIL function, so that we can obtain as many GSM radio parameters as possible.
    • Reverse engineer the vendor RIL of the phone above.
    • Reverse engineer the Modem firmware so that we can use the phone as a native catcher-catcher.
    • Find or provide documentation of the closed source modem(s) most used in Androids.
    • Share other relevant experience you may have in this matter.
    • Find or provide links to documentation of anything baseband related, not already widely known!
    • Stay legal, or this project will close really quickly!


    NOTE: This is not to prevent IMSI catchers, but to inform the "victims" that they are being subject to tracking/monitoring.



    A few other items:

    • For the Software Change Log, see our GitHub.
    • For Phone Support Log, see Post #7 below.
    • We have contacted EFF and The Guardian Project and hope to join their efforts and provide support to counter illegal tracking and tapping.
    • Thanks to SecUpwN, we now have our own GitHub HERE.
    • Have made a preliminary Developer Roadmap.
    • Added some important links.
    • Licensing Proposal: This will be a community project licensed under a GPLv3 license.
    ---
    Glossary: (Harald Welte)

    The BSS (Base Station Subsystem)
    MS (Mobile Station): Your phone
    BTS (Base Transceiver Station): The cell tower
    BSC (Base Station Controller): Controlling up to hundreds of BTS
    BP/CP (Baseband/Cellular Processor): Your phone radio/modem processor (usually an ARM 7/9)

    The NSS (Network Sub System)
    MSC (Mobile Switching Center): The central switch
    HLR (Home Location Register): Database of subscribers
    AUC (Authentication Center): Database of authentication keys
    VLR (Visitor Location Register): For roaming users
    EIR (Equipment Identity Register): To block stolen phones


    Our Support:

    We have as a goal to become a strong supporter of the EFF and The Guardian Project.
    Part of all future donations will go to EFF. Intellectual and technological support will
    also be given where possible.




    The GSM Ciphering Indicator

    According to the 3GPP GSM standards/specifications [1] for handsets,
    there should be a Ciphering Indicator (CI) showing the user when the
    GSM phone/data connection is not using encryption. Unfortunately for
    many people in the rest of the world, this feature has not been
    properly (if at all) implemented in the Android OS, AFAIK [2]. The
    second culprit is the fact that your cellular service provider has
    disabled showing this CI on the vast majority of SIM cards issued
    around the world.

    The only options for circumventing these privacy problems are:

    1. Write an application that presents the current ciphering status. (Easy)
    2. Write an application that hijacks the baseband processor (modem)
      SIM binary-code (in the firmware) to force-enable CI and possibly
      also the use of A5/3. (Hard)
    3. Make and use a copy of your SIM card that has CI enabled. (Hard)
    4. Lobby your cellular service provider to always use A5/3 ciphering. (Hard)
      (A5/1 was never used and A5/2 can be cracked on-the-fly!)
    5. Force Google to fix the issue! This is hard, since the issue is
      already >2 years old at "medium priority", and in addition it
      does not resolve the service provider disabled CI in their SIM
      cards.
    As you can see the issue at hand does not look to be resolved
    anytime soon. So I lobby for (1) or (2). But to do that we need
    some background knowledge. Then I will show you how to read the
    CI setting from your SIM card. Then we will figure out how to
    write such an application!

    References:
    [1] 3GPP GSM 02.07: http://www.3gpp.org/ftp/Specs/archive/02_series/02.07/0207-710.zip
    [2] Android Issue 5353: https://code.google.com/p/android/issues/detail?id=5353
    [3] Dieter Spaar's Blog: http://www.mirider.com/weblog/2010/08/03/#20100803-ciphering_indicator
    [4] 3GPP GSM 11.11: ???

    Some 3GPP GSM Terminology:
    Code:
    EF      - Elementary Files 
    AD      - Administrative (Data) Field
    BCD     - Binary-Coded Decimal (compressed) 
    CHV     - Card Holder Verification (usually your SIM code)
    TLV     - Tag, Length, Value
    BER-TLV - Object that conform to the Basic Encoding Rules (BER)
    RFU     - Reserved for Future Use
    Background:

    [1] § B.1.26 Ciphering Indicator

    The ciphering indicator feature allows the ME to detect that
    ciphering is not switched on and to indicate this to the user,
    as defined in GSM 02.09.

    The ciphering indicator feature may be disabled by the home network
    operator setting data in the "administrative data" field (EF-AD) in
    the SIM, as defined in GSM 11.11.

    If this feature is not disabled by the SIM, then whenever a
    connection is in place, which is, or becomes unenciphered,
    an indication shall be given to the user.

    Ciphering itself is unaffected by this feature, and the user can
    choose how to proceed.

    [3] Ciphering Indicator in mobile phones

    According to GSM 02.07 B.1.26, there should be a Ciphering Indicator
    in the ME to allow a user to detect if ciphering is not switched on.
    The Ciphering Indicator can be turned off by the network operator
    clearing (what is formerly known as) the OFM (Operational Feature
    Monitor) bit in the "administrative data" field of the SIM.
    (See GSM 11.11, 10.3.18)

    Usually the Ciphering Indicator is turned off, at least in those SIMs
    I have seen so far. And you usually cannot modify the administrative
    data in the SIM. But would a phone actually display something if the
    Ciphering Indicator is enabled and ciphering is not on?

    [4] § 10.2.18 The SIM Administrative Data field

    All data on your SIM card is stored in a special filesystem hierarchy.
    To not delve too far into the murky depths of SIM data storage, we
    jump straight to the particular file we are interested in. It is an
    elementary file (EF) called Administrative Data (AD), whose
    filename/identifier is just a number, like always in the SIM-card
    filesystem. In this case it is known as '6FAD' (hex for 28589).

    "This EF contains information concerning the mode of operation according
    to the type of SIM, such as normal (to be used by PLMN subscribers for
    GSM operations), type approval (to allow specific use of the ME during
    type approval procedures of e.g. the radio equipment), cell testing
    (to allow testing of a cell before commercial use of this cell),
    manufacturer specific (to allow the ME manufacturer to perform specific
    proprietary auto-test in its ME during e.g. maintenance phases)."

    Technical Summary:
    Code:
    -----------------------------------------------------------
    Name:           EFAD (Administrative Data)
    Identifier:     '6FAD' (28589)  
    File size:      3+X bytes
    -----------------------------------------------------------
    Byte    Description
    -----------------------------------------------------------
    1       UE operation mode
    2-3     Additional information (incl. cipher indication)
    4       Length of MNC of IMSI
    5-X     RFU
    -----------------------------------------------------------
    UE Operation Mode:              (byte 1)
    -----------------------------------------------------------
    This is the mode of operation for the MS.
    
    Coding: (Initial value)
    '00'    - normal operation
    '80'    - type approval operations
    '01'    - normal operation + specific facilities
    '81'    - type approval operations + specific facilities
    '02'    - maintenance (off line)
    '04'    - cell test operation
    NOTE: All other values are RFU (reserved for future use)
    -----------------------------------------------------------
    Additional Information:         (byte 2-3)
    -----------------------------------------------------------
    Coding:
    - Specific facilities code              (if b1=1 in byte 1);
    - ME manufacturer specific information  (if b2=1 in byte 1).
    
    Ciphering indication is enabled by enabling both the specific 
    facilities bit (b1) in byte-1 AND the cipher indicator bit (b1) 
    in byte-3. Thus the administrative data field has to be:
    
    Byte-1: 0x01    0000 0001
    Byte-2: 0x00    0000 0000
    Byte-3: 0x01    0000 0001
    Byte-4: 0x02/3  0000 001x  
    -----------------------------------------------------------
    Length of MNC in the IMSI:      (byte 4)
    -----------------------------------------------------------
    The length indicator refers to the number of digits, 
    used for extracting the MNC from the IMSI.
    
    This value codes the number of digits of the MNC in
    the IMSI. Only the values (b1-b2) '0010' and '0011' are
    currently specified, all other values are reserved
    for future use.
    -----------------------------------------------------------
    Relevant Documents:
    TS 22.101
    TS 31.102
    TS 33.102
    -----------------------------------------------------------
    How to read the Ciphering Indicator in your SIM

    Since there is no API call (AFAIK) for directly reading the SIM data
    fields, we are going to use your modem's standard AT commands. You can
    normally do this in two ways. (1) By connecting your phone via USB to
    your PC and using a terminal application to send AT commands (ATCs)
    directly to the Baseband Processor (BP), aka "modem". (2) By connecting
    directly to the modem "device" via some terminal program within the
    Android Operating System (AOS). For all the details surrounding this,
    please see this thread.

    Once you've got an AT command terminal session working, you are free
    to issue the relevant AT commands to read from your SIM card. The
    particular command we are interested in, is the +CRSM command. This
    command can read/write various data directly from SIM card files.

    ==================================================
    If you know of any equivalent or valid AOS API call for reading
    this type of SIM data, please let us know!

    ==================================================

    The +CRSM syntax is as follows:
    Code:
    AT+CRSM=<command>[,<fileid> [,<P1>,<P2>,<P3> [,<data> [,<pathid>]]]]
    
    <command>       This is the operation to be performed:
    
            176 READ BINARY
            178 READ RECORD
            192 GET RESPONSE
            214 UPDATE BINARY
            220 UPDATE RECORD
            242 STATUS
    
    <fileid>        This is an integer which is the identifier of an elementary
                    datafile (EF) on the SIM. Mandatory for every command except 
                    STATUS and may be e.g.:
    
            Hex     Dec     File
            ---------------------
            6F37    28471   ACMmax
            6F07    28423   IMSI
            6F39    28473   ACM 
            6F41    28481   PUKT
            6F42    28482   SMS
    
    Structure:
    [CLA INS  P1  P2  P3 Data]
    
    The bytes have the following meaning:
    
    CLA             Is the class of instruction (ISO/IEC 7816-3 [25]), 'A0' is used in the GSM application;
    INS             Is the instruction code (ISO/IEC 7816-3 [25]) as defined in this subclause for each command;
    P1, P2, P3      Are parameters for the instruction. They are specified in table 9. 'FF' is a valid value for
                    P1, P2 and P3. P3 gives the length of the data element. P3='00' introduces a 256 byte data transfer
                    from the SIM in an outgoing data transfer command (response direction). In an ingoing data transfer
                    command (command direction), P3='00' introduces no transfer of data.
    SW1 and SW2     Are the Status Words indicating the successful or unsuccessful outcome of the command.
    
    -------------------------------------------------------------------------------
    Dec.    <sw1> <sw2>     Description
    -------------------------------------------------------------------------------
    144     0x90 0x00 normal entry of the command, indicating OK 
    
    103     0x67 0xXX incorrect parameter P3
            0x6B 0xXX incorrect parameter P1 or P2
            0x6D 0xXX unknown instruction code given in the command
            0x6E 0xXX wrong instruction class given in the command
            0x6F 0xXX technical problem with no diagnostic given
    
            0x9F 0xXX length XX of the response data
            0x92 0x0X update successful but after using an internal retry routine X times
            0x92 0x40 memory problem
            
            0x94 0x00 no EF selected
            0x94 0x02 out of range (invalid address)
            0x94 0x04 file ID not found; pattern not found
            0x94 0x08 file is inconsistent with the command
    
            0x98 0x02 no CHV initialized
            0x98 0x04 Access condition not fulfilled / unsucc. CHV verify / authent. failed
            0x98 0x08 in contradiction with CHV status
            0x98 0x10 in contradiction with invalidation status
            0x98 0x40 Unsuccessful CHV-verification. Or UNBLOCK CHF / CHV blocked /UNBL.blocked
            0x98 0x50 Increase cannot be performed. Max. value reached
    -------------------------------------------------------------------------------
    For example, you could also read your IMSI code from your SIM card,
    but this is a little more tricky as that operation involves a parity
    bit-field in the second byte, while using a compressed BCD coding.

    Reading the AD field (containing cipher indication)
    Also see +CSIM and +CSCS
    Code:
    AT+CRSM=176,28589,0,0,3
    +CRSM: 144,0,"000000"
    
    ==> Bytes: 1-3 = 00,00,00
        byte1: "MS operation mode" 
        byte2: "Specific facilities" B1
        byte3: "Specific facilities" B2 (+ cipher indication)
    ==> Ciphering indication is disabled
    
    Note: a response like this "+CRSM: 103,3" indicates that there is 
          a problem with P3 and that the value for P3 should be 3.
    How to write AD and enable the Cipher Indicator in your SIM

    Now, this is the most tricky part while being poorly documented.
    The problem is that since this is an "administrative operation", it
    may require something called a "facility lock password". However it
    is not clear to me what this is. Is it just a CHV PIN/PUK or is it
    something only known to the OEM or cellular service provider?
    Anyone who could provide proper guidance here, will be offered
    a beer! (Also see: +CLCK, +CPWD, +CSIM for reference.)

    Going through the reading hoops above, we guess that the
    proper write command should be like this:

    Code:
    AT+CRSM=214,28589,0,0,3,"010001"
    However, we know from reading other SIM files (IMSI) that sometimes
    the data is returned in compressed BCD format. That is, it could be
    that the 1st and last pairs of 01's should be swapped to 10's.
    So that we have:

    Code:
    AT+CRSM=214,28589,0,0,3,"100010"

    Any ideas?
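    As an added worked example (not part of the post above or the AIMSICD project code), here is a small Python decoder for the EF_AD read described in this post: it builds the READ BINARY command, parses the `+CRSM:` response line, checks the status words against the table above, and applies the rule that the ciphering indicator only counts as enabled when b1 of byte 1 AND b1 of byte 3 are both set. The sample response strings are constructed for illustration; the function and dictionary names are my own.

```python
import re
EF_AD = 28589  # '6FAD', the Administrative Data elementary file
OPERATION_MODES = {  # byte 1 coding from the post's technical summary
    0x00: "normal operation",
    0x80: "type approval operations",
    0x01: "normal operation + specific facilities",
    0x81: "type approval operations + specific facilities",
    0x02: "maintenance (off line)",
    0x04: "cell test operation",
}
# Status words (sw1) from the post's table that a reader of EF_AD is likely to meet
STATUS_WORDS = {0x90: "OK", 0x67: "incorrect parameter P3", 0x6B: "incorrect P1 or P2",
                0x94: "file problem (no EF selected / not found)", 0x98: "access condition not fulfilled"}
_CRSM_RE = re.compile(r'\+CRSM:\s*(\d+),(\d+)(?:,"([0-9A-Fa-f]*)")?')

def read_ad_command(length=3):
    """Build the READ BINARY (176) command for EF_AD; P3 is the number of bytes wanted."""
    return f"AT+CRSM=176,{EF_AD},0,0,{length}"

def parse_crsm(line):
    """Split a '+CRSM: <sw1>,<sw2>[,"<hex>"]' line into (sw1, sw2, data bytes)."""
    m = _CRSM_RE.search(line)
    if not m:
        raise ValueError(f"not a +CRSM response: {line!r}")
    return int(m.group(1)), int(m.group(2)), bytes.fromhex(m.group(3) or "")

def decode_ad(data):
    """Interpret the EF_AD bytes. The ciphering indicator counts as enabled only when
    b1 of byte 1 (specific facilities) AND b1 of byte 3 (cipher indication) are both set."""
    if len(data) < 3:
        raise ValueError("EF_AD needs at least 3 bytes")
    specific = bool(data[0] & 0x01)
    return {
        "operation_mode": OPERATION_MODES.get(data[0], "RFU"),
        "specific_facilities": specific,
        "ciphering_indicator": specific and bool(data[2] & 0x01),
        # byte 4 (when read) codes the MNC digit count in its low nibble: 2 or 3
        "mnc_length": data[3] & 0x0F if len(data) > 3 else None,
    }

def check_ciphering_indicator(response_line):
    """Full path: response line -> status check -> decoded AD, or {'error': ...}."""
    sw1, sw2, data = parse_crsm(response_line)
    if sw1 != 0x90:
        hint = STATUS_WORDS.get(sw1, "unknown status word")
        if sw1 == 0x67:  # the post's example: '+CRSM: 103,3' means P3 should be 3
            hint += f" (SIM expects P3={sw2})"
        return {"error": f"SW1=0x{sw1:02X} SW2=0x{sw2:02X}: {hint}"}
    return decode_ad(data)
```

Feed it the line your terminal returns for `AT+CRSM=176,28589,0,0,3` (or `,4` to also get the MNC length byte); a `"000000"` payload decodes to ciphering indication disabled, exactly as in the post's example.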
    THIS THREAD IS CLOSED UNTIL FURTHER NOTICE!

    Due to lack of development and no progress in resolving critical issues, combined with the low level of development-relevant posts in this thread, I have decided to close this thread until further notice. We are restructuring the maintenance and development of this App and thus it will remain closed until other developers can step up and carry on this project. We are also looking into other funding possibilities to hire professional developers.

    BUT, THIS DOES NOT MEAN THE PROJECT IS DEAD!

    On the contrary, it means we're taking this project more seriously than ever. In addition, our development ideology has changed in the wake of recent copy/paste projects and scientific publications/articles not even mentioning our efforts, even though it is fairly clear that most of the information has been directly obtained from this thread and relevant discussions on our GitHub.

    From now on, all our development notes and discussions will remain closed to the public, but open for any serious developer/hacker to join. When the Beta release is available, so will be all the supporting documentation.

    If you have any information or other ways to help directly contribute to this project, please contact me or @SecUpwN via email or PM. Any news and successful updates will be posted on our GitHub.
    Hi @SecUpwN

    Now don't get too excited but I have made some updates to the base RawPhone application you have in your repo... These changes are still very early stages of bringing RawPhone to a point where it can possibly do some of the things that you have been capturing within this thread.

    To save me typing everything a second time I have pasted below the commit comments which I hope capture everything I have done so far, but please be mindful that this is the first tiny step :eek:

    I will make a pull request but if you would prefer to test this by cherry-picking then just close the request and pull the commit directly from my Github.

    There is so much more to do and some of the things I have rolling around my head include being able to identify possible suitable serial devices available on the phone, a database of AT commands and of course the ability to issue custom commands. Also possibly the extension of the Android telephony manager service to access or capture data relevant to this project.

    One thing I did realise I forgot about in my message was that I began to create an ATCommand class to process and interpret responses if the microcom applet was to fail, but this is basically useless at the moment :D More to come on that once I get back to it!!

    Initial Development Commit Comments
    I don't really know where to start with this but here goes, there is a
    MAJOR amount of work still required to bring RawPhone even close to what is
    hoped for but I think this gives a solid base to start with even if it is still
    very rough! :)

    This commit makes a number of significant changes to the original base
    RawPhone application each of which will be explained in detail below IF
    I can remember them all...

    1. Device information was split into a new class to allow easy modifications
    in the future, all items such as IMEI, Operator etc are now contained within
    this class.

    2. RootTools library added to provide access to helper functions such as
    checking for the provision of root, and offering installation of BusyBox if
    it is not detected.

    3. CMDProcessor - The AOKP CMDProcessor has been added to RawPhone allowing
    shell commands and various helper functions to be executed, I find this library
    to be very stable and it works very well. Some items already added with this
    include checking for Busybox installation and the util Microcom which should
    allow some form of serial communication on the device (NOT TESTED YET!).

    4. Microcom applet - This is an applet available through Busybox which has been
    included and RawPhone will prompt to install this if it is not located, initial
    reading regarding this points to the fact it is supposed to allow for the
    issuing of basic AT serial commands ON THE DEVICE. Very interesting indeed but
    as yet this is untested as I have not written the methods to issue the AT
    commands using the applet.

    5. Initial changes have also been made for a revamp of the UI but as yet this
    has not been implemented.


    I am sure there is so much I have forgotten to mention but it is getting late and if I don't go to bed soon I shall never get up for work tomorrow, but like I said this is very rough but at least some progress, although from looking at the application once launched you would not really know it. I will hopefully update some of the code tomorrow to bring it more in line with Android code standards and also work on some more of the UI etc.

    I will check back in tomorrow at work if I get a chance but if not once I get home.
    !!! HAPPY BIRTHDAY AIMSICD !!!


    Today we celebrate our first anniversary of having opened our GitHub!
    Come join the party and give your low level baseband knowledge a kick
    in the rear.