GSM firmware hacking

thomasg thomas at
Mon Aug 11 17:05:40 CEST 2008

The chance to get caught is even higher.
Operating on the GSM bands automatically means the basestations receive what
you send.
This also means they can (and do) easily recognize if there's something
At this point the operator might inform the regulator (BNA in Germany) who
has the equipment to track you down.

And of course GSM is sensitive - high bitrates at less than -100 dBm with
complex access methods.

On Mon, Aug 11, 2008 at 4:39 PM, Nils Faerber <
nils.faerber at> wrote:

> Sébastien Lorquet schrieb:
> > getting cell information is far from firmware hacking :)
> > Many modems have (maybe undocumented) AT commands to get that info.
> > For me, GSM hacking is putting hands in the low level code itself.
> Well, at least for Germany I would strictly advise *not* to do so.
> Interesting it is, indeed.
> But not advisable.
> You would put yourself in big danger ending up in jail.
> First of all the GSM bands are highly regulated bands. Doing something
> there that interferes with regular traffic is strictly forbidden and
> causes severe legal action.
> Second the GSM network is pretty fragile - at least to what I learned
> from some people that are supposed to know it. So sending wrong data to
> the network may cause severe problems within the GSM network, either
> just your cell, your provider or the whole network in your region. In
> that case you may again end up in jail.
> All this of course if they get you. Chances are low but not impossible.
> Sidestory to this: The radio traffic control was handled by the German
> border patrol (Bundesgrenzschutz) which is now part of the federal
> police (Bundespolizei). A friend of mine worked for the red cross and
> was responsible for all the radio transmitters. At a big event (several
> hundred red cross people and a big truck as central coordination
> station) they had a mal-behaving radio transmitter in the control
> station (which was equipped with dozens of transmitters). The event had
> not even begun when the Border Patrol knocked at their door. Coming in were
> two not very nice looking guys and they carried a small pocket sized
> device. They said that one of the transmitters had a failure, ran around
> with their pocket gadget and after some seconds pointed at one of the
> transmitters and said "Switch off that device - now.".
> They located the station-truck through the whole city without knowing
> about the event - they simply measured it. For this they had a
> Volkswagen "Bus" (aka Bulli) with a slightly extended roof, just 4-5cm
> thick. Under that extended roof, they explained, hundreds of small
> dipole antennas were located which allowed very precise measurements of
> signal strengths and directions. It worked quite well...
> So what shall this story tell?
> As soon as you operate a radio transmission device you can be localised
> *very* easily. If you do something *almost* harmful to the GSM net, the
> operator may recognise this and tell the cell number (and thus rough
> region) to the authorities and they can handle the rest.
> So again, it is very very interesting but without *very* good knowledge
> of the GSM standards (low-level baseband that is) and very good
> knowledge about the hardware you are dealing with (the NEO baseband
> hardware) I would not touch it. Any mistake you do can take you directly
> to court or jail. And in the days of security panics and terrorist
> paranoia you might even end up as enemy of the state.
> Cheers
>  nils faerber
> --
> kernel concepts GbR        Tel: +49-271-771091-12
> Sieghuetter Hauptweg 48    Fax: +49-271-771091-19
> D-57072 Siegen             Mob: +49-176-21024535
> --
> _______________________________________________
> hardware mailing list
> hardware at