3
HOW TO USE OLD GSM PROTOCOLS/ENCODINGS TO KNOW IF A USER IS ONLINE ON THE GSM NETWORK AKA PINGSMS 2.0 In the last e! "#nths I$%e &een 'la()n* !)th An+,#)+$s l#! le%el GSM API- a e! (ea,s a*# the )n a"# ssen+Ra!P+ API !as a%a)la&le- all#!)n* a +e%el#'e, t# "an all( en1#+e a SMS "essa*e at a %e,( l#! le%el &e#,e sen+)n* )t t# the GSM &ase&an+ )tsel an+ )te a e! a''l)1at)#ns sen+)n* all 3)n+ # !e),+ SMS l s"s- s)lent s"s- et1 !e,e &#,n. (for a brief overview of PDU encoding refer to this page ). (Un)fortunately Google decided to remove that API, it’ till not ure if they d ecurity related !ur!oe or during ome refactoring of their IP" I#inder mechan but nowaday it’ no more available unle you ue ome very old !hone$firmware ( on mot device they removed the ttyU%# erial interface to end A& command the G%' modem a well ). Until a cou!le of month ago, when I found theSmsManager.sendDataMessage API which, a!!arently, it’not ued anywhere ( if you earch for it you’ll find only a few e am!le, but nothing reg how to ue it with manually encoded PDU ). Uing thi API we’re able to manually encode our %'%, moreover we can !ecific a !ort* a one of it argument which will identify what +ind of m we’re gonna thi !ot I’ll tal+ about !ort - /, namely the !ort ued to end WAP PUSH notifcations. 0AP PU%1 meage were an old mechanim to baically force a remote device to viit a U23 encoded in the %'% !ayload itelf ( I +now, ecurity wie it wa ver but we’re tal+ing about the -4 ), thi !ecific re5uet i called a Service Load * (%3) re5uet, where an 6'3 !ayload li+e the following wa encoded in a binary form an ent along the PDU to the device. <?xml version="1.0"?> <!DOCTYPE sl PUBLIC " #P$O%U& DTD 'L 1.0 E(" "))).)*+,or-m.or DTD sl./ /"> <sl re,=" +2 someevilsi e.3om evil3on en . ml" > 7owaday thi !rotocol i no more handled for obviou reaon 8 I aid handled and notsupported becaue the G%' baeband oftware i actually till able to receiv

How to Use Old Gsm Protocols

Embed Size (px)

DESCRIPTION

How to Use Old Gsm Protocols

Citation preview

HOW TO USE OLD GSM PROTOCOLS/ENCODINGS TO KNOW IF A USER IS ONLINE ON THE GSM NETWORK AKA PINGSMS 2.0

In the last few months Ive been playing with Androids low level GSM API, a few years ago the (in)famoussendRawPdu API was available, allowing a developer to manually encode a SMS message at a very low level before sending it to the GSM baseband itself and quite a few applications sending all kind of weird SMS ( flash sms, silent sms, etc ) were born.

(for a brief overview of PDU encoding refer tothis page).

(Un)fortunately Google decided to remove that API, its still not sure if they did it for security related purposes or during some refactoring of their IPC IBinder mechanism, but nowadays its no more available unless you use some very old phones/firmwares ( on most devices they removed the ttyUSB serial interfaces to send AT commands to the GSM modem as well ).

Until a couple of months ago, when I found theSmsManager.sendDataMessageAPI which, apparently, its not used anywhere ( if you search for it youll find only a few examples, but nothing regarding how to use it with manually encoded PDUs ).Using this API were able to manually encode our SMS, moreover we can specific a port as one of its arguments which will identify what kind of sms were gonna send, in this post Ill talk about port 2948, namely the port used to sendWAP PUSH notifications.

WAP PUSH messages were an old mechanism to basically force a remote device to visit a URL encoded in the SMS payload itself ( I know, security wise it was very dumb, but were talking about the 90s ), this specific request is called a ServiceLoad (SL) request, where an XML payload like the following was encoded in a binary form and sent along the PDU to the device.

Nowadays this protocol is no more handled for obvious reasons I saidhandledand notsupportedbecause the GSM basebands software is actually still able to receive it, but the higher level software ( the OS and its components ) will simply ignore it.For instance, on Android 5.0 you can see the following logs (logcat -b radio) when the device receives such payload:

D/WAP PUSH( 1287): Rx: 0a0603...

D/RILC ( 185): SOCKET RIL_SOCKET_1 REQUEST: SMS_ACKNOWLEDGE length:20

D/RILC ( 185): RequestComplete, RIL_SOCKET_1

E/RILC ( 185): Send Response to RIL_SOCKET_1

D/RILJ ( 1287): [9277]< SMS_ACKNOWLEDGE [SUB0]

V/WAP PUSH( 1287): appid found: 2:application/vnd.wap.slc

W/WAP PUSH( 1287): wap push manager not found!

V/WAP PUSH( 1287): fall back to existing handler

V/WAP PUSH( 1287): Delivering MMS to: com.google.android.talk com.google.android.apps.hangouts.sms.MmsWapPushDeliverReceiver

So the event is delivered to the Google Hangouts application ( the default SMS/MMS handler on my phone ) which simplywill ignore this kind of payloadsunless they are simple MMS instead of anything else ( WAP PUSHes in our case ):

public class MmsWapPushDeliverReceiver extends BroadcastReceiver

{

public void onReceive(Context paramContext, Intent paramIntent)

{

if (("android.provider.Telephony.WAP_PUSH_DELIVER".equals(paramIntent.getAction())) && ("application/vnd.wap.mms-message".equals(paramIntent.getType())))

RealTimeChatService.a(paramIntent.getByteArrayExtra("data"));

}

}

This means that, although the device will receive the data,no kind of notification will be shown to the userand the data itself wont be saved anywhere in the system, but simply discarded.

Having said that, theres a tiny detail thats very handy for us after delivering the WAP PUSH message, the destinationoperator BTS will reply to us with a delivery report. This report will be sent only if the device is turned on and completely able to receive the message ( turned on and with enough GSM network coverage ).In fact, the sendDataMessage API accepts as its last argument a delivery PendingIntent, in other words our application will be informed as soon as the delivery report will be sent back.

We can take advantage of this to do the following:

Craft a WAP PUSH message encoding it manually.

Pass it to the sendDataMessage API and register a delivery intent.

The WAP PUSH will be sent to the target mobile phone and well receive the delivery notification if the phone is turned on, if its not well receive it as soon as it will be turned on.

The target user wont notice absolutely anything.

So, we can basically track a target user GSM network activity invisibly, knowing exactly when the targets device is turned on without him having a single chance to notice anything.

Here's a very simple PoC application I've made to show how to use such API, the same kind of PDU can be sent using a normal GSM serial dongle and some software like Gnokii.