Thursday, April 30, 2009

Nokia 1100: Update 3 (firmware extraction)

I have received more information regarding the Nokia firmware in question. Nokia distributes an application called "Phoenix" internally to support techs which allows them to update/flash the phones. In each distribution an update pack is included which has the flash files embedded within.

These packs are floating around on the internet and are publicly available...

I have found at least one for the V3.44 (RH-18) series. I still do not know at this point if this is the correct firmware, but at least it is a start.

If you want to look at the firmware(s) you must do the following:

- Extract the InstallShield executable file (it is actually a .CAB file).
- Extract the individual data file packages labelled .cab (use unshield on Linux).
- You will find the firmware files as "rh18_XX.XXX".

Now you run into a bit of a problem. The firmware is "encrypted" (not sure yet if it is *actually* encryption) with a DCT-4 algorithm. You must first decrypt this if you want to load the firmware into a disassembler and then re-crypt if you want to return it to operation on the phone.
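As an added example (my own script, not part of this post and not one of Nokia's or the Phoenix tools), here is a small Python triage pass for the step above. Once unshield has unpacked the .cab files into a directory, it locates the rh18_* files and measures their byte entropy, which is the quickest way to tell whether a blob is genuinely encrypted or compressed (close to 8 bits per byte, flat across the whole file) or only lightly obfuscated, which keeps the low entropy of the underlying code. The directory layout, the file-name prefix and the thresholds are assumptions; the sample blobs it writes are constructed and are not real firmware.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path
from random import Random

# Thresholds in bits per byte (assumed rules of thumb). 8.0 is the maximum for
# byte data; ciphertext and compressed data sit close to it, code and text well below.
HIGH_ENTROPY = 7.9
MID_ENTROPY = 6.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(entropy: float) -> str:
    """Map a whole-file entropy value to a coarse triage label."""
    if entropy >= HIGH_ENTROPY:
        return "encrypted-or-compressed"
    if entropy >= MID_ENTROPY:
        return "mixed"
    return "plain-or-lightly-obfuscated"


def chunk_profile(data: bytes, chunk_size: int = 4096) -> list:
    """Entropy per chunk. A flat, uniformly high profile is what a real cipher
    produces; dips mark plaintext regions, padding or lookup tables."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def find_firmware_files(root, prefix: str = "rh18_") -> list:
    """Locate files named like the ones unshield leaves behind (rh18_XX.XXX)."""
    return sorted(p for p in Path(root).rglob(prefix + "*") if p.is_file())


def triage(root) -> dict:
    """Whole-file entropy and label for each firmware-like file under root."""
    result = {}
    for path in find_firmware_files(root):
        ent = shannon_entropy(path.read_bytes())
        result[path.name] = (round(ent, 3), classify(ent))
    return result


# Constructed sample blobs (not real Nokia firmware):
SAMPLE_PLAIN = b"RH-18 V3.44 06-11-2003 constructed firmware text\n" * 1200
SAMPLE_XORED = bytes(b ^ 0x5A for b in SAMPLE_PLAIN)  # single-byte XOR "encryption"
_rng = Random(1)
SAMPLE_RANDOM = bytes(_rng.getrandbits(8) for _ in range(65536))  # stands in for ciphertext


def demo() -> dict:
    """Write the constructed samples into a temp dir laid out like an unshield
    output directory and triage them. Returns {filename: (entropy, label)}."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "data1"
        out.mkdir()
        (out / "rh18_01.plain").write_bytes(SAMPLE_PLAIN)
        (out / "rh18_02.xored").write_bytes(SAMPLE_XORED)
        (out / "rh18_03.random").write_bytes(SAMPLE_RANDOM)
        (out / "readme.txt").write_bytes(b"not a firmware file")  # ignored by the prefix filter
        return triage(out)


if __name__ == "__main__":
    for name, (ent, label) in demo().items():
        print(f"{name:16s} {ent:5.3f} bits/byte  {label}")
```

On a real extraction I would run `unshield x data1.cab` into an empty directory and then call `triage()` on it. The XOR sample is there to make the caveat concrete: a byte-for-byte substitution leaves the histogram untouched, so a low score means the DCT-4 "encryption" would be a format or obfuscation problem rather than a cryptographic one, while a flat profile near 8 bits per byte from `chunk_profile()` is what a real cipher or a compressed payload looks like.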

Apparently these tools have been around since mid-2004 or so. It is my firm belief now that these phones *do* have an issue with them that allows SMS to be intercepted. Once a dedicated individual has full access to the firmware in a disassembler they *will* find any flaw you had in the code, and despite what Nokia says I strongly suspect this is the case and that someone(s) have discovered it and are exploiting it for financial gain.

My question is, if this much access has been obtained to the inner workings of the phone, why not simply flash a newer 1100 to an older version and then patch in the necessary changes for SMS interception? Most modders would be able to do this. Is it still an issue of a specific hardware revision of the phone? As far as I can tell, the only difference between other versions and the one everyone is looking for is some internal SAW filters that were swapped out between the 1100 and later versions.

I will continue investigating on my own in the interest of security research. Unfortunately, seeing as any further public dissemination of information on Nokia's firmware may open me up to legal trouble, I will probably not be updating here as much...

Tuesday, April 28, 2009

Nokia 1100: Update 2 (firmware display)

The following code displays your firmware version on the Nokia 1100 (and other series as well):

*#0000#

This must be done with a SIM card inserted in the phone (even if it is not activated; the phone just has to allow you into the main menu, and it will not do so without a card inserted).

[Link]

Nokia 1100: Update 1

As a follow-up to my last post: I have not seen much coverage of the Nokia story last week in the mainstream InfoSec blogs/websites. There appear to be six phones in the 11XX series, with three sharing the 1100 designation. Models are listed below with their Nokia type-names in parentheses.

- Nokia 1100 (RH-18)
- Nokia 1100a (RH-38)
- Nokia 1100b (RH-36/RH-36x)

All run on "DCT-4" hardware and feature the Nokia OS. Firmware versions (with dates in DD-MM-YYYY when available) are listed as follows:

1100 (RH-18)
- V3.31, 13-10-2003
- V3.44, 06-11-2003
- V3.45, 18-11-2003
- V4.15, 15-12-2003
- V4.25, 20-02-2004
- V4.35, 26-03-2004
- V5.60, 14-07-2004
- V5.62, 25-10-2004
- V6.64, 08-04-2005
- V8.11, 19-06-2006

1100a (RH-38)
- V7.36, 21-11-2005

1100b (RH-36) <-- branded firmwares??
- V4.22
- VQTKRH-36

I'm still a little unsure *which* version exactly is our mystery version, but on a hunch, I obtained an 1100b off eBay guessing that they would be very similar in design. From all of the service manuals and schematics I have been able to obtain I look to be correct. Assuming I can also get the phone firmware flashed to the version in question, all it will take is some work with the hot-air reflow station and I will have a nearly exact copy of the phone that is in such high demand...

Monday, April 27, 2009

Nokia 1100 Hacking Rumours

Stories started in major news reporting circles last week of a potential software flaw in the Nokia 1100 series cellular phones which would allow criminals to intercept SMS messages to other users of the network. Apparently authorities were alerted when a Dutch security company named Ultrascan noticed versions of the phones started selling in underground channels for as much as $30,000.00 USD.

Exact details are a little hard to come by, but the affected models appear to be some of the first of these phones that were turned out of the Bochum, Germany plant around 2002 with a firmware version of (possibly) 08.11. [link]

An update on the Ultrascan site on April 25th, 2009 states "We have outsourced the testing of the phone, to be examined and tested to see if the TAN interception can be replicated."

Nokia reportedly doesn't know why this phone has suddenly become so popular and denies any software flaw.

Wednesday, April 22, 2009

Owon 60 MHz Digital Storage Oscilloscope

When it comes to troubleshooting and/or repairing electronic circuits you really can't beat a good oscilloscope. When I was younger I remember one sitting on the bench of a computer repair shop I worked at that I would quite frequently flip on and fiddle with the knobs and buttons, wondering what exactly it was supposed to do.

Almost 15 years later and I finally have one of my own. This is an Owon 60 MHz Digital Storage Oscilloscope. Most people recommend a 100 MHz scope, which makes this unit a little underpowered, but I really wanted a digital scope and I think it will work well for most of my needs. This package even comes complete with USB and software for recording measurements to your laptop (sorry, no Linux support that I have seen) and a decent instruction manual.

I purchased my unit from Saelig and had no problems whatsoever with order and delivery. I will be attempting to post up some good info for others as I learn the features, but in the meantime Afrotechmods on YouTube has a great series which covers the basics.

For those wondering, the graphic above is of it hooked into the oscillator on a mini-camera I bought off eBay a while back. It was the closest thing I could find generating a sine wave for me to look at.

Tuesday, April 21, 2009

Brazilian Satellite Hackers BUSTED!!!

Anyone involved in radio communications can probably tell you about the proliferation of pirate radio operators using satellites. These individuals use the unencrypted communication channels of US military satellites in order to relay their broadcasts around the world. YouTube had some great videos of captured recordings that I first stumbled upon a while back, but I seem unable to find them now.

Wired ran a story yesterday detailing some of the information on the crackdown of these operators in Brazil. Brazil appears to be, for many reasons, a hotbed of activity for pirate satellite operators by both organized criminal elements and backyard enthusiasts.

Although the article is short, it is a very interesting read and I recommend it. I personally use an IC-R5 wideband receiver to pick up all sorts of interesting chatter (although I have yet to hear one of these repeated pirate signals come through).

For anyone else wanting to tune in, note that the national language of Brazil is Portuguese, not Spanish (even after visiting the country, I have trouble hearing the difference), and it is difficult to understand what is being said without recording the communications.

Friday, April 17, 2009

Pirate Bay: Guilty

I'm going ahead and declaring it now... today is a horrible day for the history of the internet. A Swedish court ruled against the defendants, finding each of the four guilty and sentencing them to one year in prison.

This verdict angers me greatly. The idea that someone can be sentenced to prison for what is essentially posting a link on a website is ridiculous. This is a weak attempt to curb piracy by going after the little guys that are easy to intimidate, because the copyright organizations of the world do not want to spend the time or money to go after the big (and wealthy) organized criminal organizations. Additionally, in the global fishing net they are casting they are harming those that use the BitTorrent network in order to distribute legal material which they *do* have rights to.

Tuesday, April 14, 2009

Make: Television -- Chicago, IL.

I saw my first episode of the new Make: television show while flipping through the channels last night. Here in Chicago it shows up at 9:30 PM CST, Monday night, on the Lake Shore public broadcasting (WYIN) station. (DirecTV: ch 56)

A couple of the projects they showcased have been around on the website for a while, but it was still interesting to see them done for television. As a reader of Make since it first came out a few years back, I am happy to see how far it has come into the mainstream.

Now they just need to get filming in HD and life will be complete...

Tuesday, April 7, 2009

Arduino + Accelerometers = FUN!

Make has a great post today about Arduino and the Memsic 2125 Accelerometer. The video is very professionally shot, and I couldn't help but think when I watched it about how much the Arduino and Protoshields are like Legos for adult geeks. The way everything fits together and actually has a useful purpose -- temperature, motion, infrared, ultrasonic -- really reminds me of building things with my favorite blocks as a kid. As an adult, however, these give you some amazing possibilities in the palm of your hand.

[Make How-to Tuesday: Arduino 101 Accelerometers]

Friday, April 3, 2009

A virus that actually does something...

I found this story hidden in the Hack in the Box RSS feed. Now this is what I would call a newsworthy virus. I will be amazed if this was not a directed attack, and somehow this piece of malware was able to circumvent the (often proprietary) communication software, OS and protocols used in control of a broadcasting satellite.

IT security and control firm Sophos has discovered that hackers have successfully infected the Far Polo L1 geo-stationary satellite with a virus known as W32/Cowen.
[link]

Sophos also has a good (albeit a bit cheesy) video linked off there that gives more details and a screenshot. A curious thing to note about that screenshot, however, is the detail of the image that is present. It looks like the grain in the image indicates the signal overloaded the original transmission, very briefly, instead of being inserted into the actual stream? I believe it could also be attributed to how the image was inserted into a proprietary codec the broadcaster may use in their stream, but I would be interested to hear ideas on that as well.

As a side note: "All your TV are belong to us..." is still a classic tag line to leave as proof of your conquest. At least we know they have a sense of humour.

Good stuff. I will be watching this one very closely to see if we get any more details on how it was done...