Jump to content


Photo
- - - - -

gpsOne: Cell phone tracking on Verizon


  • Please log in to reply
17 replies to this topic

#1 BrakeDanceJ

BrakeDanceJ

    Hakker addict

  • Binrev Financier
  • 598 posts
  • Location:Chicago

Posted 15 April 2007 - 01:15 PM

I can't begin to type my excitement here. It's spawned from the fact that I can't find *any* of this on Google, so it's unchartered territory to explore. The service menu and gps screen are all over google, but nothing to do with transmission of that data over the network!

A while back I posted about my Verizon VX6100 when I found the service code and menu.
Last night I couldn't sleep, so I pulled out my phone and accessed the menu to play around.

I went into a setting called 'Field Tests', and then 'gpsOne', from there I found two interesting things 'GetPos API', and 'NV', under NV you have the option of entering an IP address and port number. Previously when I played with this, I couldn't figure out how to put a period into the input field of the IP address box. I figured it out, you just add a 0 as a place holder. for example: 127.0.0.1 would be 127000000001 12.145.6.78 would be 012145006078.

I entered my IP address, a port, punched the port through on my router, and wrote a simple VB application with WinSock (see? VB is handy!) and set up events to listen.

I pressed the menu option 'Start Application' after setting another setting to 'Send Contiunously'.
It chugged away 'GPS MI TEST' "GPS mode continuous". And all of a sudden my VB app lit up with a text box change! The transmit/recieve arrows on my phone blinked, and i didn't get the usual failure msg from the 'Start Application' menu.

A connection was established between the phone and my PC. The IP address of the connection changed every time, but stayed within a specific range. No data was sent :-(, at least none I could pickup atm; I think it's being sent UDP or a TCP session on another port. I need some software to see what ports are being accessed and what protocols on my (windows box/ developtment box) computer, that way I can listen to whats being sent.

If anyone has a VX6100, 6000 or any other verizon phone with a serivce prog menu and gpsOne, play with this!

Before and after screen shots are below, along with a photo of my setup.
I couldn't focus the camera (no manual focus) on my screen without complete blur of everything on it, however, if you look at the phone carefully in the photo, you can barely make out the words "IP ADDRESS" and "IP PORT".

I'm going to try to "send" something to the phone during the session and see how it responds. Does *anyone* have any documentation on this?


Private Sub Form_Load()
Winsock2.Close
Winsock2.Close
Winsock2.Listen
End Sub

Private Sub Winsock1_DataArrival(ByVal bytesTotal As Long)
Text2.Text = "UDP: RCV"
End Sub

Private Sub Winsock2_Close()
Text1.Text = "TCP: CLS"
End Sub

Private Sub Winsock2_Connect()
Text1.Text = "TCP: CNT"
End Sub

Private Sub Winsock2_ConnectionRequest(ByVal requestID As Long)
Text1.Text = "TCP: CRQ"
Winsock2.Close
Winsock2.Listen
Text2.Text = Winsock2.RemoteHost + ":" + Winsock2.RemoteHostIP
End Sub

Private Sub Winsock2_DataArrival(ByVal bytesTotal As Long)
Text1.Text = "TCP: RCV"
MsgBox Text1.Text
End Sub

Private Sub Winsock2_Error(ByVal Number As Integer, Description As String, ByVal Scode As Long, ByVal Source As String, ByVal HelpFile As String, ByVal HelpContext As Long, CancelDisplay As Boolean)
Text1.Text = "TCP: ERR"
End Sub

Attached Files



#2 BrakeDanceJ

BrakeDanceJ

    Hakker addict

  • Binrev Financier
  • 598 posts
  • Location:Chicago

Posted 15 April 2007 - 01:31 PM

More pictures. Zoom in to see text on the phone. Finger over flash helps clarity but gives a red glow over the images.

Captions

(picture 1):
'gpsOne'
1] Screen Test
2] Test Num
3] Last Location
4] Start Application
5] NV
6] GetPos API
7] Pilot Info
8] Sat Info
9] Test
0] End Sess

(picture 2):
'GPS MI TEST'
GPS mode continuous

Attached Files


Edited by BrakeDanceJ, 15 April 2007 - 01:36 PM.


#3 Trikk

Trikk

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 348 posts
  • Country:
  • Gender:Male
  • Location:Portland, OR

Posted 15 April 2007 - 07:56 PM

Did some google searches, maybe my leet google skillz aren't that great, but i found nothing

all i did was find some shitty hack for GPS

--menu
--0
--"Service code" 000000
--2 for field tests
--6 for gpsone
--1 for gpsone test screen
--turn it on hit ok
--make sure lock stat is off by going to 5 for NV
--2 for lock stat if it's not off,
--5 for gpsone lock turn it off ok
--dial 922 send wait a few seconds look on the display...all the gps longitude/latitude information will be displayed...press up or down to view more.

=\, anyone got any insight on this? seems pretty interesting

#4 PurpleJesus

PurpleJesus

    Dangerous free thinker

  • Members
  • 1,578 posts
  • Gender:Male
  • Location:800

Posted 15 April 2007 - 09:21 PM

Interesting... Wonder if you can get it to send other info and not be charged for it...

#5 BrakeDanceJ

BrakeDanceJ

    Hakker addict

  • Binrev Financier
  • 598 posts
  • Location:Chicago

Posted 15 April 2007 - 10:44 PM

=\, anyone got any insight on this? seems pretty interesting


Yes, that will show the GPS info (speed, distance, height, direction and locations of nearest two towers on your screen)

Interesting... Wonder if you can get it to send other info and not be charged for it...


Verizon is using a 'security through obscurity' type of network-use prevention. They limit your ability to access the browser, but do not block traffic. I've played poker and other games online from demo versions and never was charged for network use.

#6 DarkShadow

DarkShadow

    elite

  • Members
  • 112 posts

Posted 16 April 2007 - 01:05 AM

someone with verizon code a web browser in java! Se if you get unlimited access. I can help, I just won't be able to test it :(

Edited by DarkShadow, 16 April 2007 - 01:06 AM.


#7 chefninja

chefninja

    Gibson Hacker

  • Members
  • 79 posts

Posted 16 April 2007 - 02:06 AM

You should try running Ethereal or tcpdump to see what data the phone is sending to your IP address.

#8 BrakeDanceJ

BrakeDanceJ

    Hakker addict

  • Binrev Financier
  • 598 posts
  • Location:Chicago

Posted 16 April 2007 - 08:09 AM

someone with verizon code a web browser in java! Se if you get unlimited access. I can help, I just won't be able to test it :(


I haven't figured out how to run homebrew code on the phone yet, though theres an option in the service menu about it.

#9 PurpleJesus

PurpleJesus

    Dangerous free thinker

  • Members
  • 1,578 posts
  • Gender:Male
  • Location:800

Posted 16 April 2007 - 08:41 AM

Verizon is using a 'security through obscurity' type of network-use prevention. They limit your ability to access the browser, but do not block traffic. I've played poker and other games online from demo versions and never was charged for network use.



What would happen if you put opera mini on the phone... would that trip up "ability to access the browser"?

#10 kenetik

kenetik

    SCRiPT KiDDie

  • Members
  • 22 posts

Posted 16 April 2007 - 10:15 AM

I have a couple vx6100 and will be glad to help you test this :-)

When i get some free time i will try to replicate your experiment, and i'll fire up a sniffer and post my results.

#11 thej3w

thej3w

    T0tal n00b

  • Members
  • 0 posts
  • Location:Chicago

Posted 16 April 2007 - 10:23 AM

Same here. My roommate has 2 Verizon phones and I tested one yesterday and I was able to bring up the GPSOne thing and mess around with it. It was late when I was working with it so I'll try later tonight and let you know if I find anything.

#12 DarkShadow

DarkShadow

    elite

  • Members
  • 112 posts

Posted 16 April 2007 - 10:28 AM

someone with verizon code a web browser in java! Se if you get unlimited access. I can help, I just won't be able to test it :(


I haven't figured out how to run homebrew code on the phone yet, though theres an option in the service menu about it.


You need to code using: Java 2 Micro Edition (J2ME). There is a good NetBeans extention called "Mobility Pack" that will let you code, test, and compile J2ME code. To get this on your phone, you need to use your phone's computer adapter (usually phone to usb).

#13 kenetik

kenetik

    SCRiPT KiDDie

  • Members
  • 22 posts

Posted 16 April 2007 - 10:35 AM

hmm this may help:
http://developer.ope.../tools_and_sdk/
http://www.java-samp...ple-program.htm

Edited by kenetik, 16 April 2007 - 10:44 AM.


#14 BrakeDanceJ

BrakeDanceJ

    Hakker addict

  • Binrev Financier
  • 598 posts
  • Location:Chicago

Posted 16 April 2007 - 05:03 PM

hmm this may help:
http://developer.ope.../tools_and_sdk/
http://www.java-samp...ple-program.htm


I'll leave that hard-core part for someone else to play with. I've discovered something else that I really want to toy around in. There's a way in the menu to force your phone on a specific "channel", If anyone has access to two phones and this servicing menu, I wouldn't mind seeing what would happen if you forced both phones onto the same channel? Enemy-of-the-state-gene-hackman-goodness, or just the inability to place calls.

#15 thej3w

thej3w

    T0tal n00b

  • Members
  • 0 posts
  • Location:Chicago

Posted 16 April 2007 - 08:31 PM

hmm this may help:
http://developer.ope.../tools_and_sdk/
http://www.java-samp...ple-program.htm


I'll leave that hard-core part for someone else to play with. I've discovered something else that I really want to toy around in. There's a way in the menu to force your phone on a specific "channel", If anyone has access to two phones and this servicing menu, I wouldn't mind seeing what would happen if you forced both phones onto the same channel? Enemy-of-the-state-gene-hackman-goodness, or just the inability to place calls.


I have access to 2 phones. How does one force the channels?

#16 verbal

verbal

    elite

  • Agents of the Revolution
  • 115 posts

Posted 17 April 2007 - 12:34 AM

wow, that sounds really cool. i have a more basic question. how did you get into the service area? can you do this with all phones? what other phones allows you to access the GPS information? cause i know a lot of phones/providers prevent applications running on the phones to access that info? i'm interested in this stuff so if you can just provide me with info, that would be great.

thanks,

verbal

#17 kenetik

kenetik

    SCRiPT KiDDie

  • Members
  • 22 posts

Posted 17 April 2007 - 10:13 AM

on the vx6100 the service menu is accessed by going into the normal 'Menu' then type '0' then the code will be all zeros by default. You are now in service menu.

Also in the GPS settings there is a privacy setting.. any idea exactly what this does? If Privacy is 'none' is it possible to enable 'continuous tracking' remotely maybe?

Edited by kenetik, 17 April 2007 - 10:15 AM.


#18 BrakeDanceJ

BrakeDanceJ

    Hakker addict

  • Binrev Financier
  • 598 posts
  • Location:Chicago

Posted 17 April 2007 - 04:35 PM

on the vx6100 the service menu is accessed by going into the normal 'Menu' then type '0' then the code will be all zeros by default. You are now in service menu.

Also in the GPS settings there is a privacy setting.. any idea exactly what this does? If Privacy is 'none' is it possible to enable 'continuous tracking' remotely maybe?



Privacy has to be none in order to receive a connection. Lock should be 'off'.




BinRev is hosted by the great people at Lunarpages!