Hey guys, an EFF volunteer - Jered Wierzbicki - has created an application called IQIQ to decode Carrier IQ profiles back to XML. Their public git repo is in the above linked article. In a nutshell, Profiles contain what data is sent back at what interval and to where.
We are now able to see sets of metrics called from phones. The problem is right now we only have default profiles. The EFF is looking to collect as many profiles from as many different devices as possible trying to find real metrics.
Github Proof of concept code for a "profile scraper": https://github.com/TrevE/IQTool
(right now it scans, but only works for automatic sending of archive.img from tmobile, but it should be for root or non root)
If you can contribute go for it! It would help to have a "one click profile sender" out there for everyone.
Possible Methods
FINDING .PRO FILES
We are not too sure yet where updated profiles get stored, so for the time being root users can run the following to search out all .pro files on your disk.
Code:
adb shell busybox find / -iname "*.pro"
It will likely be some sort of IQProfile.pro, CIQProfile.pro, defaultprofile.pro. Once you locate it just:
Code:
adb pull /full/path/to/profile.pro .
Other strategies, such as grepping for a characteristic string like " CONSTANT " across the whole filesystem, might also turn out to be useful. Use this thread to experiment with and improve such techniques!
Waiters suggests a command reference:
maybe something like this (which could take hours to run...)
Code:
grep -r "CONSTANT PROPID" /
Getting archive.img from non-embedded CIQ
We don't yet know if all profiles will be .pro files, or if they'll sometimes be embedded inside of other things. If you are on T-Mobile the profile information is potentially contained in an archive.img file. The file could be world readable, so you might not even need to be rooted.
WARNING ABOUT ARCHIVE.IMG FORMATS:
Please be warned that sensitive data could be in this archive.img file such as URLs, IMEI, SMS metadata, etc. EFF will always do its best to keep archive.img files confidential, but please DO NOT send them if there may be any private information on the handset you are working with.
Example of where T-Mobile's CIQ archive is:
Code:
adb pull /data/data/com.carrieriq.tmobile/app_iq_archive/archive.img .
KNOWN STOCK MD5SUMS
We're really trying to find some new profiles containing the pushed metrics, so to check if you are looking at a "stock" profile or not (this only applies if you find a .pro file):
Code:
adb shell busybox md5sum /path/to/profile.pro
If it matches one of these md5sums (number on the left) it is likely a known "stock" profile.
Code:
e37a4a8e3ea6d6aa4b7423a462541fa9 att-galaxy-s2-defaultProfile.pro
2618eaa2e3310ec36e1b86f8b643c5fa htc-amaze-tmob-defaultProfile.pro
a6886135d2d1ea423d4edde389fe1794 htc-evo-sprint-iqprofile.pro
2618eaa2e3310ec36e1b86f8b643c5fa tmob-defaultProfile.pro
SUBMITTING PROFILES
If you would like to submit your profile or archive.img to EFF so CarrierIQ metrics on what operator can be better understood, please send that data off to iqiq@eff.org. It would be very helpful to them to include phone model and network it was pulled from as well.
Thanks for all your help guys!
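A host-side triage of files already pulled with adb, combining the three checks from the post above (.pro file name, the "CONSTANT PROPID" string, and the known stock md5sums). This is an added example, not part of the original post or of IQTool; the function names and verdict strings are assumptions, and it expects a GNU-style md5sum on the computer the files were pulled to.

```shell
#!/bin/sh
# Added example: triage files pulled from a handset into a local directory.
# KNOWN_STOCK is copied from the md5sum list in the post; the function
# names and the verdict strings are assumptions made for this example.
KNOWN_STOCK='e37a4a8e3ea6d6aa4b7423a462541fa9 att-galaxy-s2-defaultProfile.pro
2618eaa2e3310ec36e1b86f8b643c5fa htc-amaze-tmob-defaultProfile.pro
a6886135d2d1ea423d4edde389fe1794 htc-evo-sprint-iqprofile.pro
2618eaa2e3310ec36e1b86f8b643c5fa tmob-defaultProfile.pro'

# Print the stock profile name(s) for an md5, comma-separated.
# Two list entries share one hash, so all matches are joined.
# Exits non-zero when the hash is not in the list.
stock_names() {
    printf '%s\n' "$KNOWN_STOCK" | awk -v h="$1" '
        $1 == h { out = out (out ? "," : "") $2 }
        END { if (out == "") exit 1; print out }'
}

# Classify one pulled file: stock:<names>, new-profile, or not-a-profile.
classify_file() {
    sum=$(md5sum "$1" | cut -d" " -f1)
    if names=$(stock_names "$sum"); then
        echo "stock:$names"
        return
    fi
    case "$1" in
        *.[Pp][Rr][Oo]) echo "new-profile"; return ;;
    esac
    # Fall back to the characteristic string suggested in the thread.
    if grep -q "CONSTANT PROPID" "$1"; then
        echo "new-profile"
    else
        echo "not-a-profile"
    fi
}

# Walk a directory of pulled files; print "<verdict> <md5> <path>" per file.
triage_dir() {
    find "$1" -type f | sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(classify_file "$f")" \
            "$(md5sum "$f" | cut -d" " -f1)" "$f"
    done
}
```

Run `triage_dir ./pulled` after the adb pull steps; only files reported as new-profile differ from the stock list, and any archive.img still needs the privacy check described above before it is sent.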