Code used by cell phones


4 replies to this topic

#1 flarn2006

flarn2006

    Gibson Hacker

  • Members
  • 80 posts
  • Gender:Male

Posted 02 September 2010 - 10:43 PM

I talked to a guy at RadioShack earlier today about how cell phones work, and he says there's a code stored in the cell phone, to which the user has no access, which it sends to the "satellite" (he probably meant cell tower/network) to identify it as an activated cell phone. It's not the IMEI number, nor is it an unlock/subsidy code (the latter isn't used for that purpose anyway) but from what he said it seems to be hidden for a reason. IIRC, he said if you found out that code (which he says is a very complicated process) you could potentially make free calls. (I have no intention to commit fraud, I just want to learn more about it.) What I'm confused about is why it would be illegal (he said it was) to hack your cell phone to find out that code even if you don't use it to commit fraud, which confuses me because if it's stored in my own cell phone, I believe I have a right to know it. Does anybody here know what that code is called?

BTW, does anybody here know how GSM and CDMA work? I mean have any specifications on exactly what data is sent. Would this information be public knowledge, or would it have to be leaked somehow? Are there any "sniffer" devices that can figure out exactly what data is sent/received, and whether or not these are legal to use as long as you don't use them to invade others' privacy? Are there any cell phones that aren't programmed to try to keep secrets from its owner, or restrict its owner in any way with how he uses it? Sorry if I'm asking too many questions.

#2 nyphonejacks

nyphonejacks

    Dangerous free thinker

  • Members
  • 793 posts
  • Gender:Male
  • Location:718

Posted 02 September 2010 - 11:08 PM

sounds like the guy was full of shit, especially since he referred to cell sites or towers as "satellites". as far as i am aware the IMEI (and possibly serial number) are the only things needed for the cell tower to authenticate the phone...
also, i am not sure how obtaining that information from your phone would allow you to make "free" calls.. any "free" calls would be made by cloning a working phone (which i do not believe is currently possible, and if it is..) the cellular networks are designed to blacklist a phone if multiple devices connect with the same credentials, so not only would you fail to make a call, but you would end up blacklisting the phone of the person you attempted to clone..

i don't know much on the technical side of cellular, but here is one tidbit that you may not be aware of... most cell sites/towers are fed by (multiple) T1 lines... some are fed by a microwave link (although i have never seen one like this in NYC, they may be more common in remote or rural areas where a T1 may not be feasible, or perhaps the microwave spectrum is too noisy in urban areas, or perhaps the potential for radiation exposure is too great in urban areas to use microwave)... 4G networks will need to be fed by fiber optic, a T1 does not have sufficient bandwidth to provide the speeds and services that a 4G network requires, so carriers are upgrading or replacing their T1 lines with a fiber optic backbone in areas where they will be deploying 4G service...

for more info about cellular stuff you should check http://howardforums.com/

my assumption about "sniffing" cellular signals - it would probably be easier to do a man in the middle attack by using a femtocell... of course you would need to do some cracking/modding to how the femtocell works to obtain this info, but i am sure that someone somewhere has already done most of the hard work...

#3 Notlob

Notlob

    Will I break 10 posts?

  • Members
  • 2 posts
  • Gender:Male

Posted 03 September 2010 - 01:38 PM

From what I understand, the SIM card holds the IMSI (International Mobile Subscriber Identity), which has the following format (shamelessly stolen from Wikipedia):

IMSI wiki link

IMSI: 429011234567890
MCC: 429 Nepal (mobile country code)
MNC: 01 Nepal Telecom (mobile network code)
MSIN: 1234567890 (mobile station identity number)

This is used to initially (mobile switched on) identify you to a mobile network and forms part of the authentication protocol. Here are a couple of links I found when I was looking into this a while back. I thought they were pretty good at explaining it all.

GSM mobile network architecture
GSM authentication and encryption

I believe it's pretty difficult to read the 'hidden' data from the SIM card. From what I remember from a defcon/blackhat presentation you either had to insert probes into the card's microchip or attempt to brute force read the data (if that makes sense). Both of which take a while and have a high probability of destroying the card.

It is becoming possible to sniff and decrypt GSM traffic. Although it takes some pretty beefy equipment and a large set of rainbow tables.
A5/1 Security Project

If memory serves, Nokia released a phone with firmware that could be put into a diagnostic mode that could sniff GSM data when attached to a computer (I seem to recall THC having something to do with it).

I have been hoping I might be able to do something similar with my android phone, but haven't found anything yet.

I might not have got all of this 100% right, but hope this helps.
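To make the IMSI layout and the role of the SIM's secret concrete, here is an added Python example; it is not code from this thread or from any of the pages linked above. It splits an IMSI into MCC, MNC and MSIN the way the sample above is broken down, and then sketches the GSM challenge-response in which the network sends a random challenge (RAND) and the SIM answers with a response (SRES) computed from its secret key Ki, so that Ki itself never crosses the air. The HMAC-SHA256 stand-in for the A3 algorithm, the small KNOWN_NETWORKS table, and the class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Lookup table for the thread's sample IMSI only (constructed for this
# example; a real decoder needs the full MCC/MNC registry).
KNOWN_NETWORKS = {
    ("429", "01"): ("Nepal", "Nepal Telecom"),
}


def parse_imsi(imsi: str, mnc_length: int = 2) -> dict:
    """Split an IMSI into MCC, MNC and MSIN.

    An IMSI is at most 15 decimal digits: a 3-digit mobile country code, a
    2- or 3-digit mobile network code (the length is fixed per country, so
    the caller supplies it) and the remaining digits as the MSIN.
    """
    if mnc_length not in (2, 3):
        raise ValueError("MNC length must be 2 or 3 digits")
    if not imsi.isdigit() or not 3 + mnc_length < len(imsi) <= 15:
        raise ValueError("IMSI must be decimal digits, at most 15 of them")
    mcc = imsi[:3]
    mnc = imsi[3:3 + mnc_length]
    msin = imsi[3 + mnc_length:]
    country, operator = KNOWN_NETWORKS.get((mcc, mnc), (None, None))
    return {"mcc": mcc, "mnc": mnc, "msin": msin,
            "country": country, "operator": operator}


def a3_response(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the SIM's A3 algorithm: SRES = f(Ki, RAND).

    Assumption: HMAC-SHA256 truncated to 32 bits plays the role of A3. Real
    operators use their own algorithm, but the shape is the same: a keyed
    function of the 128-bit challenge that cannot be inverted to recover Ki.
    """
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


class Sim:
    """Subscriber side: holds IMSI and Ki, only ever hands out SRES."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki  # 128-bit secret; never leaves the card

    def respond(self, rand: bytes) -> bytes:
        return a3_response(self._ki, rand)


class HomeNetwork:
    """Operator side (HLR/AuC): knows every subscriber's Ki."""

    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def challenge(self, imsi: str, rand: Optional[bytes] = None):
        """Issue a fresh RAND and precompute the SRES a genuine SIM returns."""
        rand = rand if rand is not None else secrets.token_bytes(16)
        return rand, a3_response(self._ki_by_imsi[imsi], rand)


def authenticate(network: HomeNetwork, sim: Sim) -> bool:
    """One GSM-style authentication round.

    Only IMSI, RAND and SRES cross the air interface; an eavesdropper who
    records them still lacks Ki and so cannot answer the next, different RAND.
    """
    rand, expected_sres = network.challenge(sim.imsi)
    sres = sim.respond(rand)
    return hmac.compare_digest(sres, expected_sres)


if __name__ == "__main__":
    print(parse_imsi("429011234567890"))
    net = HomeNetwork()
    ki = secrets.token_bytes(16)
    net.provision("429011234567890", ki)
    print("genuine SIM:", authenticate(net, Sim("429011234567890", ki)))
    print("wrong Ki:   ", authenticate(net, Sim("429011234567890", bytes(16))))
```

Run it directly to see the sample IMSI decoded and one successful and one failed authentication round. The point the sketch makes is the one the thread circles around: the network never asks the phone for Ki, only for proof that it holds Ki, which is why a card that keeps the key unreadable can still be authenticated, and why the same key in a second card would be indistinguishable to the network.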

#4 flarn2006

flarn2006

    Gibson Hacker

  • Members
  • 80 posts
  • Gender:Male

Posted 04 September 2010 - 12:16 AM

nyphonejacks, I was doing some research on Wikipedia (http://en.wikipedia....Identity_Module) and I think what he was talking about may have been the Ki. The guy at RadioShack said it's stored on the phone, but he just meant as opposed to only being on the "satellites." I don't know if it can make free calls however; he may have been mistaken or maybe I misunderstood. But the only reason it's inaccessible seems to be to protect the owner from other people cloning their SIM. What if the owner wants to clone their own SIM, so they can have multiple cell phones on one account for instance?

Edited by flarn2006, 04 September 2010 - 12:18 AM.


#5 nyphonejacks

nyphonejacks

    Dangerous free thinker

  • Members
  • 793 posts
  • Gender:Male
  • Location:718

Posted 04 September 2010 - 11:15 AM

there really is no reason to clone a SIM to have multiple GSM phones on one account - since you can not use more than one cell phone at a time - all you need to do to have multiple cell phones on a GSM account would be to change the SIM card to whatever phone that you choose to use.. now, if you were to want to use multiple cell phones on a CDMA service then i could understand the desire to have a clone of your own phone... granted it is probably easier to mess with a SIM card - and less risky, you only risk bricking the SIM and not the phone...

i was interested in cloning a digital cable box a while ago, not to steal cable, but so that i could have more than one box in my own home. i accept that the cable company has to charge you for the additional cable boxes that you have, but i find it completely unacceptable that you need to pay an additional fee for each box for premium channels on top of the subscription charges for those channels...
