Anyone who had a cheap set of computer speakers in the early 2000s has heard it – the rhythmic dit-da-dit-dit of a GSM phone pinging a cell tower once an hour or so. [153armstrong] has a write-up on how to capture this on your computer.
It’s incredibly simple to do – simply plug a set of headphones into the sound card’s microphone jack, leave a mobile phone nearby, hit record, and wait. The headphone wire acts as an antenna, and when the phone transmits, it induces a current in the wire, which is picked up by the soundcard.
[153armstrong] notes that their setup only seems to pick up signals from 2G phones, likely using GSM. It doesn’t seem to pick up anything from 3G or 4G phones. We’d wager this is due to the difference in the way different cellular technologies transmit – let us know what you think in the comments.
This system is useful as a way to detect a transmitting phone at close range; however, due to the limited bandwidth of a computer soundcard, it is in no way capable of actually decoding the transmissions. As far as other experiments go, why not use your soundcard to detect lightning?
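Since the soundcard recording is only good for detecting that a phone is transmitting, the natural check is whether the induced bursts arrive at a regular rate. The script below is an added example, not code from the post or from [153armstrong]: it assumes the GSM TDMA frame period of 4.615 ms (about 217 Hz, taken from the GSM specification rather than from the post), synthesises a constructed “recording” so it runs offline, and reports whether the burst spacing is regular and close to that rate. `load_wav()` is included for feeding it a real mono 16-bit recording instead.

```python
"""Added example, not code from the original post or from [153armstrong].

A soundcard cannot decode GSM, but it can show that a nearby handset is
transmitting: GSM is TDMA with a 4.615 ms frame, and a phone holding one
timeslot sends a burst every frame, about 217 Hz. That frame rate is an
assumption taken from the GSM specification, not from the post. The
functions below find rising edges of bursts in an audio sample stream
and decide whether their spacing is regular and near the GSM frame rate.
The 'recording' is synthesised here so the script runs offline.
"""
import random
import struct
import wave

GSM_FRAME_S = 4.615e-3            # GSM TDMA frame period (assumed from spec)
GSM_BURST_S = 0.577e-3            # one timeslot, the length of each burst
GSM_RATE_HZ = 1.0 / GSM_FRAME_S   # about 216.7 Hz


def load_wav(path):
    """Read a mono 16-bit PCM WAV into (samples scaled to -1..1, rate)."""
    with wave.open(path, "rb") as w:
        assert w.getnchannels() == 1 and w.getsampwidth() == 2
        rate = w.getframerate()
        raw = w.readframes(w.getnframes())
    ints = struct.unpack("<%dh" % (len(raw) // 2), raw)
    return [v / 32768.0 for v in ints], rate


def synth_bursts(rate=44100, seconds=1.0, period_s=GSM_FRAME_S,
                 burst_s=GSM_BURST_S, jitter_s=0.0, noise=0.02, seed=1):
    """Constructed signal: background noise plus rectangular bursts.
    jitter_s > 0 randomises the spacing, modelling a non-TDMA source;
    burst_s = 0 gives noise only."""
    rng = random.Random(seed)
    n = int(rate * seconds)
    samples = [rng.gauss(0.0, noise) for _ in range(n)]
    t = 0.0
    while t < seconds:
        start = int(t * rate)
        for i in range(start, min(n, start + int(burst_s * rate))):
            samples[i] += 0.8
        t += period_s + rng.uniform(-jitter_s, jitter_s)
    return samples


def burst_edges(samples, on=0.3, off=0.15):
    """Indices where the rectified signal crosses `on` upward. The lower
    `off` threshold (hysteresis) stops noise inside a burst from being
    counted as extra edges. Thresholds need tuning for real recordings."""
    edges, inside = [], False
    for i, v in enumerate(samples):
        a = abs(v)
        if not inside and a > on:
            edges.append(i)
            inside = True
        elif inside and a < off:
            inside = False
    return edges


def detect_gsm(samples, rate, tolerance=0.05, min_bursts=20):
    """Return (burst_rate_hz, gsm_like). gsm_like requires enough bursts,
    regular spacing (relative std dev below 10%) and a burst rate within
    `tolerance` of the GSM frame rate."""
    edges = burst_edges(samples)
    if len(edges) < min_bursts:
        return 0.0, False
    gaps = [b - a for a, b in zip(edges, edges[1:])]
    mean = sum(gaps) / len(gaps)
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    regular = (var ** 0.5) / mean < 0.10
    rate_hz = rate / mean
    near = abs(rate_hz - GSM_RATE_HZ) / GSM_RATE_HZ < tolerance
    return rate_hz, bool(regular and near)


if __name__ == "__main__":
    cases = [("GSM-like", synth_bursts()),
             ("noise only", synth_bursts(burst_s=0.0)),
             ("irregular bursts", synth_bursts(jitter_s=2e-3, seed=7))]
    for label, sig in cases:
        hz, hit = detect_gsm(sig, 44100)
        print("%-16s burst rate %6.1f Hz -> %s"
              % (label, hz, "phone transmitting" if hit else "no GSM pattern"))
```

The regularity test is what separates a TDMA handset from random interference: the irregular-burst case has a mean spacing close to the GSM frame but a large spread, so it is rejected. With a real capture, the pulse shape will be an AC-coupled transient rather than a flat step, so the `on`/`off` thresholds should be set from the recording’s noise floor.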
[LaForge] and [Holger] have been hacking around on cell phones for quite a while now, and this led to them working on the open cellphone at OpenMoko and developing the OsmocomBB GSM SDR software. Now, they are turning their sights on 3G and 4G modems, mostly because they would like to use them inside their own devices, but would also like to make them accessible to the broader hacker community. In this talk at the 33rd Chaos Communications Congress (33C3), they discuss their progress in making this darkest part of the modern smartphone useful for the rest of us.
This talk isn’t about the plug-and-play usage of a modern cell-phone modem, though; it’s about reprogramming it. They pick a Qualcomm chipset because it has a useful DIAG protocol, and in particular choose the Quectel EC20 modem that’s used in the iPhone5, because it makes the DIAG stream easily available.
Our story begins with a firmware upgrade from the manufacturer. They unzipped the files, and were pleasantly surprised to find that it’s actually running Linux, undocumented and without the source code being available. Now, [LaForge] just happens to be the founder of gpl-violations.org and knows a thing or two about getting code from vendors who use Linux without following the terms and conditions. The legal story is long and convoluted, and still ongoing, but they got a lot of code from Quectel, and it looks like they’re trying to make good.
Qualcomm, on the other hand, makes the Linux kernel source code available, if not documented. (This is the source on which Quectel’s code is based.) [LaForge] took over the task of documenting it, and then developing some tools for it — there is more going on than we can cover. All of the results of their work are available on the wiki site, if you’re getting ready to dig in.
Continue reading “33C3: Dissecting 3G/4G Phone Modems”
The need for clear and reliable communication has driven technology forward for centuries. The longer communication’s reach, the smaller the world becomes. When it comes to cell phones, seamless network coverage and low power draw are the ideals that continually spawn R&D and the eventual deployment of new equipment.
Almost all of us carry a cell phone these days. It takes a lot of infrastructure to support them, whether or not we use them as phones. The most recognizable part of that infrastructure is the communications tower. But what do you know about them?
Continue reading “A Field Guide to the North American Communications Tower”
If you’ve been waiting in the wings for the next jailbreak to be released you should know there’s been a bit of a speed bump. [ChronicDevTeam], which has been working on an exploit for A4-based iOS devices called SHAtter, tweeted last Thursday that the fully tested, untethered, and unpatchable package known as greenpois0n would be released today. But on Friday [Geohot], who you may remember from the PlayStation 3 Hypervisor exploit, rolled out his own mostly untested and admittedly beta jailbreak called limera1n.
So where does that leave the situation? Because [geohot] used a different exploit, the [ChronicDevTeam] decided not to release greenpois0n. If they did, it would give Apple a chance to block two different exploits. Instead they are working feverishly to incorporate, test, and repackage using the same exploit as limera1n.
If you don’t want to wait, jailbreak now, but you risk problems with an unstable exploit method that is only available for Windows.