GSM firmware hacking

Nils Faerber nils.faerber at
Mon Aug 11 16:39:41 CEST 2008

Sébastien Lorquet schrieb:
> getting cell information is far from firmware hacking :)
> Many modems have (maybe undocumented) AT commands to get that info.
> For me, GSM hacking is putting hands in the low level code itself.

Well, at least for Germany I would strictly advise *not* to do so.
Interesting it is, indeed.
But not advisable.

You would put yourself in big danger ending up in jail.

First of all the GSM bands are highly regulated bands. Doing something
there that interferes with regular traffic is strictly forbidden and
causes severe legal action.

Second, the GSM network is pretty fragile - at least according to what I
learned from some people that are supposed to know it. So sending wrong
data to the network may cause severe problems within the GSM network,
either just your cell, your provider or the whole network in your region.
In that case you may again end up in jail.

All this of course if they get you. Chances are low but not impossible.

Side story to this: The radio traffic control was handled by the German
border patrol (Bundesgrenzschutz) which is now part of the federal
police (Bundespolizei). A friend of mine worked for the Red Cross and
was responsible for all the radio transmitters. At a big event (several
hundred Red Cross people and a big truck as central coordination
station) they had a malfunctioning radio transmitter in the control
station (which was equipped with dozens of transmitters). The event had
not even begun when the border patrol knocked at their door. In came
two not very nice looking guys carrying a small pocket-sized device.
They said that one of the transmitters had a failure, ran around with
their pocket gadget and after some seconds pointed at one of the
transmitters and said "Switch off that device - now."
They located the station truck across the whole city without knowing
about the event - they simply measured it. For this they had a
Volkswagen "Bus" (aka Bulli) with a slightly raised roof, just 4-5 cm
thick. Under that raised roof, they explained, hundreds of small
dipole antennas were located, which allowed very precise measurements of
signal strengths and directions. It worked quite well...

So what shall this story tell?
As soon as you operate a radio transmission device you can be localised
*very* easily. If you do something *almost* harmful to the GSM net, the
operator may recognise this and tell the cell number (and thus the rough
region) to the authorities, and they can handle the rest.

So again, it is very very interesting, but without *very* good knowledge
of the GSM standards (low-level baseband, that is) and very good
knowledge about the hardware you are dealing with (the NEO baseband
hardware) I would not touch it. Any mistake you make can take you directly
to court or jail. And in these days of security panics and terrorist
paranoia you might even end up as an enemy of the state.

  nils faerber

kernel concepts GbR        Tel: +49-271-771091-12
Sieghuetter Hauptweg 48    Fax: +49-271-771091-19
D-57072 Siegen             Mob: +49-176-21024535
