Lan LanXiang's blog

Creations in My Mind, Sparks in My Life, Not Wasted
Search
Main Site
FriendLinks
Back

OsmocomBB 扫描短信

#hack#电脑技巧#hack#入侵#短信
Wed Mar 18 2015 22:21:34 GMT+0800 (China Standard Time)


先感谢几个网站。bb.osmocom.org》www.evil0x.com》drops.wooyun.org

按照本教程做,只要你有耐心,且设备没有问题,我保证你可以成功。 本教程涉及的摩托罗拉C118,是不需要SIM卡(电话卡) 的。 刷入手机的固件并不会导致手机无法开机,所以你可以大胆地刷入。

设备清单:
  1. 摩托罗拉 C118
  2. FT232RL
  3. 摩托罗拉 Motorola C118专用数据连接线(加杜邦头)
  4. MiniUSB 链接线
我是用的KALI进行测试的。(装在虚拟机上的) KALI在虚拟机安装步骤就不说了,主要说一下乱七八糟的环境配置和测试

  1. 用户目录下建立source/arm

    2. 进入arm目录再创建三个目录 build、 install 、src
    3. 进入src目录分别下载这三个文件包:

  2. 下载 gnu-arm-build.2.sh 文件到arm目录

http://bb.osmocom.org/trac/raw-attachment/wiki/GnuArmToolchain/gnu-arm-build.2.sh

然后进入终端输入以下命令(从上面提供的网址转载的命令,总之都安上就行了)

sudoapt-get installlibtool shtool autoconf git-core pkg-config makegcc build-essential libgmp3-dev libmpfr-dev libx11-6 libx11-dev texinfo flex bison libncurses5 libncurses5-dbg libncurses5-dev libncursesw5 libncursesw5-dbg libncursesw5-dev zlibc zlib1g-dev libmpfr4 libmpc-dev

sudo apt-get install build-essential libgmp3-dev libmpfr-dev libx11-6 libx11-dev texinfo flex bison libncurses5 \ libncurses5-dbg libncurses5-dev libncursesw5 libncursesw5-dbg libncursesw5-dev zlibc zlib1g-dev libmpfr4 libmpc-dev

嗯,我发现我们还少一个,还要输入下面这个命令。(亲测上面装完以后还是有错误,必须安装下面这个包才行) sudo apt-get install libosmocore-dev

然后到arm目录下输入 ./gnu-arm-build.2.sh

然后就会出现 I will build an arm-elf cross-compiler:

  Prefix: <YOURPATH>/install
  Sources: <YOURPATH>/src
  Build files: <YOURPATH>/build

Press ^C now if you do NOT want to do this.

这个时候按回车。

我们需要将 arm/install/bin目录加入环境变量中,
export PATH=$PATH:arm/install/bin 上面这个 $PATH:后面跟上自己的路径 然后重新打开终端让环境变量生效 在终端中输入arm然后按tab键,如果出现 arm-开头的如下图所示就说明编译环境搞定了
然后下载 osmocombb、libosmocore 源码
1
2
3
 cd~   git clone git://git.osmocom.org/osmocom-bb.git   git clone git://git.osmocom.org/libosmocore.git 
 
编译 libosmocore
1
2
3
4
5
cd~/libosmocore
autoreconf -i  
./configure
make
sudomakeinstall 
 
 然后切换 osmocombb 到下面的分支,并且编译
1
2
3
4
cd~/osmocom-bb
git checkout --track origin/luca/gsmmap
cdsrc  
make 
下面说一下硬件连接
  • 连接线与TTL的接法
黑/黄:GND 红:TX 白:RX

(注意:手机左面是插口,下面的是充电插口……)

这个接法只适用于我在第一章中发的图中的FT232RL 具体你们要自己看啦。 嗯,快把你的手机什么的连接好

然后手机现在是关机(对了,如果手机没电……先充一下电……) 确认都连好了,就按照以下步骤继续做~

打开终端输入

1
2
cd~/osmocom-bb/src/host/osmocon/
./osmocon-m c123xor -p /dev/ttyUSB0../../target/firmware/board/compal_e88/layer1.compalram.bin
然后回车~按一下手机开机键(不要长按,长按手机就开机了,表示这手机的开机声好像俄罗斯方块游戏机的开机声……) 然后看到以下内容就说明成功了:
got 1 bytes from modem, data looks like: 2f  /
got 1 bytes from modem, data looks like: 00  .
got 1 bytes from modem, data looks like: 1b  .
got 4 bytes from modem, data looks like: f6 02 00 41  ...A
got 1 bytes from modem, data looks like: 01  .
got 1 bytes from modem, data looks like: 40  @
Received PROMPT1 from phone, responding with CMD
read_file(../../target/firmware/board/compal_e88/layer1.compalram.bin): file_size=56016, hdr_len=4, dnload_len=56023
got 1 bytes from modem, data looks like: 1b  .
got 1 bytes from modem, data looks like: f6  .
got 1 bytes from modem, data looks like: 02  .
got 1 bytes from modem, data looks like: 00  .
got 1 bytes from modem, data looks like: 41  A
got 1 bytes from modem, data looks like: 02  .
got 1 bytes from modem, data looks like: 43  C
Received PROMPT2 from phone, starting download
handle_write(): 4096 bytes (4096/56023)
handle_write(): 4096 bytes (8192/56023)
handle_write(): 4096 bytes (12288/56023)
handle_write(): 4096 bytes (16384/56023)
handle_write(): 4096 bytes (20480/56023)
handle_write(): 4096 bytes (24576/56023)
handle_write(): 4096 bytes (28672/56023)
handle_write(): 4096 bytes (32768/56023)
handle_write(): 4096 bytes (36864/56023)
handle_write(): 4096 bytes (40960/56023)
handle_write(): 4096 bytes (45056/56023)
handle_write(): 4096 bytes (49152/56023)
handle_write(): 4096 bytes (53248/56023)
handle_write(): 2775 bytes (56023/56023)
handle_write(): finished
got 1 bytes from modem, data looks like: 1b  .
got 1 bytes from modem, data looks like: f6  .
got 1 bytes from modem, data looks like: 02  .
got 1 bytes from modem, data looks like: 00  .
got 1 bytes from modem, data looks like: 41  A
got 1 bytes from modem, data looks like: 03  .
got 1 bytes from modem, data looks like: 42  B
Received DOWNLOAD ACK from phone, your code is running now!
battery_compal_e88_init: starting up
(这一步很可能失败,失败了就多按几次,直到handle_write(): 4096 bytes (4096/56023)出来就行了
(也别反复按……反复短按手机也会开机  ←亲测)

这里我要多说两句,当你第二次用cd~/osmocom-bb/src/host/osmocon/

./osmocon-m c123xor -p /dev/ttyUSB0../../target/firmware/board/compal_e88/layer1.compalram.bin 的时候,会多出一个Power up simcard,如下图,你忽略就好了。
 然后手机屏幕也会显示: Layer 1 osmocom-bb然后不要看手机屏了,接下来继续打开一个新终端 执行如下命令进行基站扫描
1
2
cd~/osmocom-bb/src/host/layer23/src/misc/
./cell_log
看到如下输出则说明扫描到可用的基站
1
2
3
4
ARFCN 117: tuning
ARFCN 117: got sync
Cell ID: 460_1_03EE_B130
<000e> cell_log.c:248 Cell: ARFCN=117 PWR=-62dB MCC=460 MNC=01 (China, China Unicom)

记住ARFCN后面的编号,再新建一个终端,输入以下代码

1
2
cd~/osmocom-bb/src/host/layer23/src/misc/
./ccch_scan-i 127.0.0.1 -a 117 #这个117是上面的ARFCN后面的数字
这里说一下,如果你看到的输出一直是红色,那么你应该换个基站,或者换个位置 如果是蓝色,那么就说明信号良好 如果红色最后出现Refuse=255,那么你可以换个基站试试

新建一个终端,输入以下命令,开启 wireshark 抓包。

1
sudowireshark -k -i lo -f 'port 4729'
然后在 wireshark 的 filter 中对 gsm_sms 的包进行过滤显示 下图为抓到的短信包(为什么我抓到的就是10086……):
教程结束~
Back

Related Articles

vc++ 2022 minimum or additional runtime missing the feature you are trying to use is in a network resource that is unavailable

Read 12/4/2022, 2:12:00 PM

安卓手机屏幕没有显示 转移出数据的方法

Read 12/13/2021, 10:00:00 PM

nodejs 直接升级(不影响当前正在运行程序)

Read 12/11/2021, 9:03:26 PM

Open Graph Protocol(开放内容协议)

Read 12/8/2021, 11:05:00 PM

pixel experience + magisk 支付宝刷脸

Read 12/8/2021, 9:31:15 AM
IDEA SECTOR
Power by Typecho | Sparks by LanLanXiang build in b0e46f5ef85b30f02050cba7dfde379e58e0afdb | 12/3/2022, 8:24:00 PM | sitemap
English 中文