
First, thanks to a few sites: bb.osmocom.org, www.evil0x.com and drops.wooyun.org.

If you follow this tutorial patiently and your hardware is sound, you will succeed.
The Motorola C118 used here does not need a SIM card.
Loading the firmware into the phone will not stop it from booting normally afterwards: osmocon pushes the layer1 image into RAM through the phone's bootloader and writes nothing to flash, so a power cycle brings the stock firmware back. You can load it without worry.


Hardware list:
  1. Motorola C118
  2. FT232RL USB-to-TTL serial adapter
  3. Motorola C118 data cable (with Dupont header pins)
  4. Mini-USB cable

I ran the tests on Kali (installed in a virtual machine).
I will skip installing Kali in a VM and focus on the messy environment setup and the test itself. One thing to check in a VM: the FT232RL must be passed through to the guest as a USB device, otherwise /dev/ttyUSB0 will never appear.

1. In your home directory, create source/arm.

2. Inside arm, create three directories: build, install and src.
3. Inside src, download the three source packages the cross-compiler is built from (they are listed, together with the gnu-arm-build.2.sh script used below, on the toolchain page at bb.osmocom.org).
Then open a terminal and run the following (copied from the site above; in short, install all of it):

sudo apt-get install libtool shtool autoconf git-core pkg-config make gcc build-essential \
    libgmp3-dev libmpfr-dev libx11-6 libx11-dev texinfo flex bison \
    libncurses5 libncurses5-dbg libncurses5-dev libncursesw5 libncursesw5-dbg libncursesw5-dev \
    zlibc zlib1g-dev libmpfr4 libmpc-dev

On a current Kali some of these package names no longer exist (zlibc, libncurses5-dbg and libmpfr4 have been dropped from Debian); if apt complains about them, remove them from the command and install the rest.

I found one more package is needed; after installing the above I still got errors, and it only worked after installing this one:
sudo apt-get install libosmocore-dev

Then, in the arm directory, run
./gnu-arm-build.2.sh

You will then see:
I will build an arm-elf cross-compiler:

  Prefix: <YOURPATH>/install
  Sources: <YOURPATH>/src
  Build files: <YOURPATH>/build

Press ^C now if you do NOT want to do this.

Press Enter at this point and wait for the build to finish.

We need to add arm/install/bin to PATH:
export PATH=$PATH:$HOME/source/arm/install/bin
Replace the path after $PATH: with your own (the directory created in step 1). An export typed into a terminal only lasts for that shell, so append the line to ~/.bashrc and then open a new terminal for it to take effect.
In the terminal type arm and press Tab; if completions beginning with arm- (arm-elf-gcc and friends) appear, the cross-compilation environment is ready.
Next, download the osmocom-bb and libosmocore sources:
cd ~
git clone git://git.osmocom.org/osmocom-bb.git
git clone git://git.osmocom.org/libosmocore.git

Build libosmocore:

cd ~/libosmocore
autoreconf -i
./configure
make
sudo make install

(make install puts the shared libraries under /usr/local/lib; if the layer23 programs later fail to start because libosmocore cannot be found, run sudo ldconfig.)
Then switch osmocom-bb to the branch below and build it:

cd ~/osmocom-bb
git checkout --track origin/luca/gsmmap
cd src
make
Now the hardware connections.
  • Cable to TTL adapter wiring:

Black/yellow: GND   Red: TX   White: RX

(Note: the data jack is on the left side of the phone; the one on the bottom is the charging port.)

This pinout only applies to the FT232RL shown in the picture in chapter one; check your own adapter. Remember that the cable's TX must end up on the adapter's RX and vice versa, so if osmocon never receives a byte from the phone, swapping the red and white leads is the first thing to try.
Go ahead and connect everything.

The phone should be off at this point (if it is out of battery, charge it first).
Once everything is connected, continue with the steps below.

Open a terminal and run:

cd ~/osmocom-bb/src/host/osmocon/
./osmocon -m c123xor -p /dev/ttyUSB0 ../../target/firmware/board/compal_e88/layer1.compalram.bin

If osmocon reports permission denied on /dev/ttyUSB0, add your user to the dialout group (log out and back in) rather than running it as root; dmesg will confirm that the FT232RL really came up as ttyUSB0.

Press Enter, then press the phone's power button once, briefly (do not hold it down, or the phone boots its own firmware; incidentally, its boot chime sounds like a Tetris handheld).
Seeing the following output means it worked:

got 1 bytes from modem, data looks like: 2f  /
got 1 bytes from modem, data looks like: 00  .
got 1 bytes from modem, data looks like: 1b  .
got 4 bytes from modem, data looks like: f6 02 00 41  ...A
got 1 bytes from modem, data looks like: 01  .
got 1 bytes from modem, data looks like: 40  @
Received PROMPT1 from phone, responding with CMD
read_file(../../target/firmware/board/compal_e88/layer1.compalram.bin): file_size=56016, hdr_len=4, dnload_len=56023
got 1 bytes from modem, data looks like: 1b  .
got 1 bytes from modem, data looks like: f6  .
got 1 bytes from modem, data looks like: 02  .
got 1 bytes from modem, data looks like: 00  .
got 1 bytes from modem, data looks like: 41  A
got 1 bytes from modem, data looks like: 02  .
got 1 bytes from modem, data looks like: 43  C
Received PROMPT2 from phone, starting download
handle_write(): 4096 bytes (4096/56023)
handle_write(): 4096 bytes (8192/56023)
handle_write(): 4096 bytes (12288/56023)
handle_write(): 4096 bytes (16384/56023)
handle_write(): 4096 bytes (20480/56023)
handle_write(): 4096 bytes (24576/56023)
handle_write(): 4096 bytes (28672/56023)
handle_write(): 4096 bytes (32768/56023)
handle_write(): 4096 bytes (36864/56023)
handle_write(): 4096 bytes (40960/56023)
handle_write(): 4096 bytes (45056/56023)
handle_write(): 4096 bytes (49152/56023)
handle_write(): 4096 bytes (53248/56023)
handle_write(): 2775 bytes (56023/56023)
handle_write(): finished
got 1 bytes from modem, data looks like: 1b  .
got 1 bytes from modem, data looks like: f6  .
got 1 bytes from modem, data looks like: 02  .
got 1 bytes from modem, data looks like: 00  .
got 1 bytes from modem, data looks like: 41  A
got 1 bytes from modem, data looks like: 03  .
got 1 bytes from modem, data looks like: 42  B
Received DOWNLOAD ACK from phone, your code is running now!
battery_compal_e88_init: starting up
(This step often fails; if it does, press the button again until handle_write(): 4096 bytes (4096/56023) appears.)

(But do not press repeatedly either; repeated short presses will also boot the phone normally, as I found out.)

One more thing: the second time you run

cd ~/osmocom-bb/src/host/osmocon/
./osmocon -m c123xor -p /dev/ttyUSB0 ../../target/firmware/board/compal_e88/layer1.compalram.bin

an extra "Power up simcard" line appears in the output (shown in the original screenshot); just ignore it.

The phone's screen will then show:
Layer 1
osmocom-bb
Now leave the phone alone, open a new terminal and run the following to scan for cells:

cd ~/osmocom-bb/src/host/layer23/src/misc/
./cell_log

Output like the following means a usable cell has been found:

ARFCN 117: tuning
ARFCN 117: got sync
Cell ID: 460_1_03EE_B130
<000e> cell_log.c:248 Cell: ARFCN=117 PWR=-62dB MCC=460 MNC=01 (China, China Unicom)
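To make the scan output machine-usable (for example to pick the strongest cell to hand to ccch_scan), here is an added example in Python; it is not part of the original tutorial or of osmocom-bb. It parses the two lines cell_log prints per cell and converts the ARFCN into its band and carrier frequencies. The first sample cell is the output above; the second cell, its Cell ID and its power level are constructed for illustration.

```python
"""Parse cell_log output and map an ARFCN to its band and carrier frequencies.

Added example for this tutorial, not code from osmocom-bb. The first cell in
SAMPLE_LOG is the page's own output; the second cell is constructed.
"""
import re

# "Cell ID: MCC_MNC_LAC_CI" as printed by cell_log (LAC and CI in hex)
CELL_ID_RE = re.compile(r"Cell ID: (\d{3})_(\d{1,3})_([0-9A-Fa-f]{4})_([0-9A-Fa-f]{4})")
# "<000e> cell_log.c:248 Cell: ARFCN=117 PWR=-62dB MCC=460 MNC=01 (China, China Unicom)"
CELL_LINE_RE = re.compile(
    r"Cell: ARFCN=(\d+) PWR=(-?\d+)dB MCC=(\d{3}) MNC=(\d{2,3})(?: \((.*)\))?")


def arfcn_to_khz(arfcn: int, pcs: bool = False) -> tuple[str, int, int]:
    """Map an ARFCN to (band, uplink_kHz, downlink_kHz) per 3GPP TS 45.005 section 2.

    Integer kHz avoids float rounding on the 0.2 MHz raster. ARFCNs 512..810 are
    ambiguous between DCS 1800 and PCS 1900; GSMTAP resolves that with a flag,
    which is what the pcs argument stands for.
    """
    if 0 <= arfcn <= 124:
        ul = 890_000 + 200 * arfcn
        return ("P-GSM900" if arfcn else "E-GSM900"), ul, ul + 45_000
    if 975 <= arfcn <= 1023:
        ul = 890_000 + 200 * (arfcn - 1024)
        return "E-GSM900", ul, ul + 45_000
    if 128 <= arfcn <= 251:
        ul = 824_200 + 200 * (arfcn - 128)
        return "GSM850", ul, ul + 45_000
    if pcs and 512 <= arfcn <= 810:
        ul = 1_850_200 + 200 * (arfcn - 512)
        return "PCS1900", ul, ul + 80_000
    if 512 <= arfcn <= 885:
        ul = 1_710_200 + 200 * (arfcn - 512)
        return "DCS1800", ul, ul + 95_000
    raise ValueError(f"ARFCN {arfcn} is not in a band this helper knows")


def parse_cell_log(text: str) -> list[dict]:
    """Pair each 'Cell ID' line with the 'Cell:' summary line that follows it."""
    cells, pending = [], None
    for line in text.splitlines():
        m = CELL_ID_RE.search(line)
        if m:
            mcc, mnc, lac, ci = m.groups()
            pending = {"mcc": int(mcc), "mnc": int(mnc), "lac": int(lac, 16), "ci": int(ci, 16)}
            continue
        m = CELL_LINE_RE.search(line)
        if m and pending is not None:
            arfcn, pwr, mcc, mnc, operator = m.groups()
            # sanity check: both lines describe the same PLMN
            if (int(mcc), int(mnc)) != (pending["mcc"], pending["mnc"]):
                raise ValueError("Cell ID and Cell: lines disagree on MCC/MNC")
            band, ul, dl = arfcn_to_khz(int(arfcn))
            pending.update(arfcn=int(arfcn), pwr_dbm=int(pwr), operator=operator or "",
                           band=band, uplink_khz=ul, downlink_khz=dl)
            cells.append(pending)
            pending = None
    return cells


def strongest_cell(cells: list[dict]) -> dict:
    """The cell to hand to ccch_scan -a: the one with the highest received power."""
    return max(cells, key=lambda c: c["pwr_dbm"])


# First cell: the page's own output. Second cell: constructed for illustration.
SAMPLE_LOG = """\
ARFCN 117: tuning
ARFCN 117: got sync
Cell ID: 460_1_03EE_B130
<000e> cell_log.c:248 Cell: ARFCN=117 PWR=-62dB MCC=460 MNC=01 (China, China Unicom)
ARFCN 62: tuning
ARFCN 62: got sync
Cell ID: 460_0_1F2A_0C4D
<000e> cell_log.c:248 Cell: ARFCN=62 PWR=-81dB MCC=460 MNC=00 (China, China Mobile)
"""

if __name__ == "__main__":
    found = parse_cell_log(SAMPLE_LOG)
    for c in found:
        print(f"ARFCN {c['arfcn']:>4} {c['band']:<9} DL {c['downlink_khz'] / 1000:.1f} MHz "
              f"{c['pwr_dbm']} dBm PLMN {c['mcc']}-{c['mnc']:02d} LAC {c['lac']} CI {c['ci']}")
    print("use: ./ccch_scan -i 127.0.0.1 -a", strongest_cell(found)["arfcn"])
```

Pipe a real scan in with `./cell_log | python3 -c 'import sys, cells; ...'` or save its output to a file and pass the file's contents to parse_cell_log; the LAC and CI decoded from the Cell ID line are what identify the cell in the System Information messages you will see later in Wireshark.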

Note the number after ARFCN, stop cell_log (it and ccch_scan both need the phone, and osmocon serves one layer23 application at a time), open another terminal and run:

cd ~/osmocom-bb/src/host/layer23/src/misc/
./ccch_scan -i 127.0.0.1 -a 117   # 117 is the number after ARFCN in the cell_log output above

The -i argument is the address ccch_scan sends its GSMTAP packets to (UDP port 4729); that is what Wireshark will capture on lo below.

A note on the output: if it stays red, switch to another cell or move to a different location;
blue means the signal is good.
If the red output ends with Refuse=255, try another cell.

Open a new terminal and start Wireshark capturing:

sudo wireshark -k -i lo -f 'port 4729'

(-k starts capturing immediately, -i lo selects the loopback interface, and -f sets a capture filter for port 4729, the GSMTAP port; Wireshark recognises that port and decodes the packets as GSMTAP, LAPDm and GSM 04.08 on its own. Running Wireshark's dissectors as root is a bad habit; adding your user to the wireshark group and capturing unprivileged works just as well.)

Then filter on gsm_sms in Wireshark's display filter. The screenshot (not reproduced here) showed the captured SMS packet (why is the one I captured from 10086, of all numbers...).
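What Wireshark is decoding on port 4729 is GSMTAP: a 16-byte header that layer23 prepends to every Um L2 frame before sending it over UDP to the -i address. The following added example, not code from osmocom-bb or Wireshark, parses that header, strips the L2 wrapper (pseudo-length octet on BCCH/CCCH, LAPDm on SDCCH/TCH) and classifies the 04.08/04.11 message inside, which is the chain of steps the gsmtap, lapdm and gsm_a dissectors perform before gsm_sms ever sees the TPDU. The datagram it decodes is constructed: the header values, the 23-byte LAPDm frame and the CP-DATA stub inside it are made up for illustration, not taken from a capture.

```python
"""Decode what Wireshark sees on udp/4729: GSMTAP v2 frames from layer23.

Added example for this tutorial, not osmocom-bb or Wireshark code. The sample
datagram built below is constructed (header values and a CP-DATA stub), not a capture.
"""
import struct
from dataclasses import dataclass

GSMTAP_UDP_PORT = 4729
GSMTAP_VERSION = 2
# 16-byte header, network byte order: version, hdr_len (32-bit words), type, timeslot,
# arfcn(+flags), signal dBm, SNR dB, frame number, sub_type, antenna, sub_slot, reserved
GSMTAP_HDR = struct.Struct("!BBBBHbbIBBBB")
GSMTAP_TYPES = {0x01: "UM", 0x02: "ABIS", 0x03: "UM_BURST", 0x04: "SIM"}
GSMTAP_CHANNELS = {0: "UNKNOWN", 1: "BCCH", 2: "CCCH", 3: "RACH", 4: "AGCH", 5: "PCH",
                   6: "SDCCH", 7: "SDCCH4", 8: "SDCCH8", 9: "TCH_F", 10: "TCH_H",
                   11: "PACCH", 12: "CBCH52", 13: "PDCH", 14: "PTCCH", 15: "CBCH51"}
ARFCN_F_PCS, ARFCN_F_UPLINK, ARFCN_MASK = 0x8000, 0x4000, 0x3FFF
CHANNEL_F_ACCH = 0x80            # sub_type flag: frame came on the SACCH/FACCH of that channel
COMMON_CHANNELS = {"BCCH", "CCCH", "AGCH", "PCH", "CBCH51", "CBCH52"}
# TS 24.007 protocol discriminators (low nibble of the first L3 octet)
L3_PD = {0x3: "CC", 0x5: "MM", 0x6: "RR", 0x8: "GMM", 0x9: "SMS", 0xA: "SM", 0xB: "SS"}
# TS 24.011 CP-layer message types
CP_MSG = {0x01: "CP-DATA", 0x04: "CP-ACK", 0x10: "CP-ERROR"}


@dataclass
class GsmtapFrame:
    kind: str
    channel: str
    acch: bool
    timeslot: int
    sub_slot: int
    arfcn: int
    uplink: bool
    pcs: bool
    signal_dbm: int
    snr_db: int
    frame_number: int
    l2: bytes


def parse_gsmtap(datagram: bytes) -> GsmtapFrame:
    """Split one UDP payload into header fields and the L2 frame that follows it."""
    if len(datagram) < GSMTAP_HDR.size:
        raise ValueError("datagram shorter than a GSMTAP header")
    (version, hdr_len, gtype, ts, arfcn_raw, signal, snr, fn,
     sub_type, _antenna, sub_slot, _res) = GSMTAP_HDR.unpack_from(datagram)
    if version != GSMTAP_VERSION:
        raise ValueError(f"unsupported GSMTAP version {version}")
    off = hdr_len * 4
    if off < GSMTAP_HDR.size or off > len(datagram):
        raise ValueError(f"bad hdr_len {hdr_len}")
    return GsmtapFrame(
        kind=GSMTAP_TYPES.get(gtype, f"TYPE_{gtype:#04x}"),
        channel=GSMTAP_CHANNELS.get(sub_type & ~CHANNEL_F_ACCH & 0xFF, "UNKNOWN"),
        acch=bool(sub_type & CHANNEL_F_ACCH), timeslot=ts, sub_slot=sub_slot,
        arfcn=arfcn_raw & ARFCN_MASK, uplink=bool(arfcn_raw & ARFCN_F_UPLINK),
        pcs=bool(arfcn_raw & ARFCN_F_PCS), signal_dbm=signal, snr_db=snr,
        frame_number=fn, l2=datagram[off:])


def extract_l3(frame: GsmtapFrame) -> bytes:
    """Strip the L2 wrapper: common channels carry a pseudo-length octet (len<<2 | 0b01)
    in front of the L3 message; dedicated channels carry a LAPDm format-B frame whose
    third octet is the length indicator (len<<2 | M<<1 | EL) in front of the info field."""
    if frame.kind != "UM":
        raise ValueError("only Um frames are handled")
    l2 = frame.l2
    if frame.channel in COMMON_CHANNELS:
        if not l2 or (l2[0] & 0x03) != 0x01:
            raise ValueError("bad L2 pseudo-length octet")
        return l2[1:1 + (l2[0] >> 2)]
    if len(l2) < 3 or (l2[2] & 0x01) != 0x01:
        raise ValueError("bad LAPDm length indicator")
    return l2[3:3 + (l2[2] >> 2)]


def lapdm_sapi(frame: GsmtapFrame) -> int:
    """SAPI from the LAPDm address octet: 3 carries SMS and SS, 0 everything else."""
    return (frame.l2[0] >> 2) & 0x07


def classify_l3(l3: bytes) -> tuple[str, str]:
    """Return (protocol, message) names; SMS CP message types are resolved by name."""
    if not l3:
        raise ValueError("empty L3")
    pd = L3_PD.get(l3[0] & 0x0F, f"PD_{l3[0] & 0x0F:#x}")
    if len(l3) < 2:
        return pd, "?"
    if pd == "SMS":
        return pd, CP_MSG.get(l3[1], f"CP_{l3[1]:#04x}")
    return pd, f"MT_{l3[1]:#04x}"


def build_sample_sms_frame() -> bytes:
    """Constructed datagram: downlink SDCCH/4 sub-slot 2 on ARFCN 117 carrying CP-DATA."""
    l3 = bytes([0x09, 0x01, 0x05]) + b"\x01\x00\x00\x00\x00"  # PD=SMS, CP-DATA, 5-byte user-data stub
    li = (len(l3) << 2) | 0x01                                # length indicator, EL=1
    lapdm = bytes([0x0F, 0x00, li]) + l3                      # SAPI 3 command, I-frame N(S)=N(R)=0
    lapdm += b"\x2b" * (23 - len(lapdm))                      # fill octets up to the 23-byte block
    hdr = GSMTAP_HDR.pack(GSMTAP_VERSION, 4, 0x01, 0, 117, -62, 0, 1234, 7, 0, 2, 0)
    return hdr + lapdm


if __name__ == "__main__":
    f = parse_gsmtap(build_sample_sms_frame())
    print(f"{f.channel} ts{f.timeslot}/{f.sub_slot} ARFCN {f.arfcn} {'UL' if f.uplink else 'DL'} "
          f"{f.signal_dbm} dBm SAPI {lapdm_sapi(f)} -> {classify_l3(extract_l3(f))}")
```

To run it on live traffic, bind a UDP socket to 127.0.0.1:4729 and hand each received payload to parse_gsmtap; ccch_scan keeps sending whether or not Wireshark is also capturing on lo. The checks on the pseudo-length and LAPDm length-indicator bits are the cheap sanity test that the frame really is what the sub_type claims before any L3 field is trusted.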

End of tutorial.