Author Topic: Sim Directories / Mobile networks / GSM - 3G networks. P-1 RE: USB Modem Hacking  (Read 6105 times)


Offline DioGt

  • /dev/null
  • Posts: 5
  • Cookies: 2
So let's start with some general theory

Almost every Sim has directories like:
RD (Root Directory)
MF (Master File)
DF-tel (Directory-Telecom)
DF-gsm (Directory-GSM)
DF-3g (Directory-3G)
EF (Elementary File)


More specifically, the DF (tel/gsm/3g) directories are subsets of MF, and MF is a subset of RD.

EF is the directory where the SIM's info is kept, like phone contacts, sent SMS etc.

Every SIM has unique: IMSI-TMSI / LAI / BCCH

IMSI-TMSI: permanent/temporary customer identity on the network
LAI: location of the customer
BCCH: control channel



and you can access these only if you know Ki and Kc

[PIN is also needed to access some directories]

Ki: key [password for encryption]
Kc: session key (key for the encryption - not stable / can change)

Encryption that GSM/3G networks use: A5/2 > A5/1 > A5/3 > A5/0   [A3, A8]

*The Ki is saved on the AuC (Authentication Center)*

A5/2 more powerful than: A5/1 > A5/3 > A5/0
A5/1 more powerful than: A5/3, A5/0 - which actually means no encryption :D

a) to verify with the network provider, the phone compares the Ki that the phone has with the one on their system to see if it is the same [to do that they use the A3 algorithm]

b) with the Ki data & the A8 algorithm the Kc is created.

c) with the Kc now ready, the A5/x encryption (= algorithm) encrypts the signal for a call or SMS or internet (3G).



NOW about the "free" 3G internet. There are 2 (maybe 3) possible ways I've thought of.

*That doesn't mean that they will work :p BUT they have great possibilities to work!*

1. Hijack the IMSI-TMSI / LAI / BCCH and Ki from another user to get "free" access on the net with him/her paying the bill :p (Too risky, but it can work)

2. By bypassing the network security and getting free access (working on that)

3. By exploiting the free 0.facebook access and gaining access to other sites without paying (Needs advanced knowledge of mobile networks)

Because it takes lots of time to write all this and also I have not completed my thoughts, I will continue in P2 (part 2) :)

A photo I found that explains how the directories of a SIM are: (doesn't have 3G network)

P.S.: Sorry for my English :D
« Last Edit: October 09, 2013, 08:42:29 pm by DioGt »
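Steps a) to c) above are the GSM challenge/response. As an added illustration that is not part of the original post: the AuC never sends Ki over the air; it sends a random RAND, the SIM answers with SRES = A3(Ki, RAND), and both sides derive Kc = A8(Ki, RAND) for A5/x. The a3_a8 function here is an assumed stand-in (HMAC-SHA256), since the real A3/A8 are chosen by the operator, and the IMSI and Ki values are constructed placeholders.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# Stand-in for the operator-specific A3/A8 algorithms (assumption: real A3/A8,
# e.g. COMP128 variants, are chosen by the operator and are not HMAC-SHA256).
# Output widths follow GSM: SRES is 32 bits, Kc is 64 bits.
def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]          # (SRES from A3, Kc from A8)

class AuC:
    """Authentication Centre: holds Ki per IMSI and never sends it out."""
    def __init__(self, subscribers: dict[str, bytes]):
        self._ki = subscribers
    def triplet(self, imsi: str) -> tuple[bytes, bytes, bytes]:
        # Network side: fresh 128-bit RAND, expected SRES and the Kc for A5/x.
        rand = secrets.token_bytes(16)
        sres, kc = a3_a8(self._ki[imsi], rand)
        return rand, sres, kc

class SIM:
    """SIM side: Ki stays inside the card; only SRES leaves it."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki
    def respond(self, rand: bytes) -> tuple[bytes, bytes]:
        return a3_a8(self._ki, rand)

def authenticate(auc: AuC, sim: SIM) -> tuple[bool, bytes | None]:
    """One challenge/response. Returns (accepted, Kc shared by both sides)."""
    rand, expected_sres, kc_net = auc.triplet(sim.imsi)  # RAND goes over the air
    sres, kc_sim = sim.respond(rand)                       # only SRES comes back
    if not hmac.compare_digest(sres, expected_sres):
        return False, None                                 # wrong Ki: rejected
    assert kc_sim == kc_net       # same Kc on both ends, though Kc was never sent
    return True, kc_net

# Constructed placeholders, not real subscriber data.
IMSI = "001010123456789"
KI_GOOD = bytes.fromhex("00112233445566778899aabbccddeeff")
AUC = AuC({IMSI: KI_GOOD})

def demo() -> tuple[bool, bool]:
    """Genuine SIM is accepted; a card with the same IMSI but wrong Ki is not."""
    ok_real, _ = authenticate(AUC, SIM(IMSI, KI_GOOD))
    ok_clone, _ = authenticate(AUC, SIM(IMSI, bytes(16)))
    return ok_real, ok_clone
```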

Offline max2zz

  • NULL
  • Posts: 4
  • Cookies: 0
Found your post interesting.... waiting for your part 2... keep it up... thanks btw..

Offline balanyc

  • NULL
  • Posts: 4
  • Cookies: 1
3. By exploiting the free 0.facebook access and gaining access to other sites without paying (Needs advanced knowledge of mobile networks)

This one has been used in my country, thanks to an anonymous phreaker who found the way and shared the trick.
Free internet access since 6 months ago using my 3G USB modem :P
This "0.facebook" is called a bughost, used to camouflage data that will be sent to the ISP's proxy.
What's needed: ISP proxy:port, ISP header data, bughost, a simple proxy server app that can manipulate header data (called an inject)
Inject will send injectdata (header data containing the bughost) to open a connection with the ISP proxy before the real data is sent.




« Last Edit: November 18, 2013, 09:25:06 pm by balanyc »

Offline max2zz

  • NULL
  • Posts: 4
  • Cookies: 0
Do you have any of the tools you mentioned? Like bughost and the others?


Offline balanyc

  • NULL
  • Posts: 4
  • Cookies: 1
Do you have any of the tools you mentioned? Like bughost and the others?

inject:
a configurable one
Code:
http://sourceforge.net/projects/injectheaderquery/
uploaded by the maker
Works for all opsel in my country, though each one has its own configuration.

bughost:
It can be different for each opsel, so it's more like trial and error. Even adf.ly can be used as a bughost lol

Offline hppd

  • Knight
  • Posts: 163
  • Cookies: 7
How would I find out the ISP header data? And the bughost always has to be Facebook, right?

Offline balanyc

  • NULL
  • Posts: 4
  • Cookies: 1
How would I find out the ISP header data? And the bughost always has to be Facebook, right?

Google can answer your first Q ;)
Code:
http://web-sniffer.net/
bughost:
This is my request header, you can see what the bughost is used for
Code:
HTTP Request Header
Connect to 202.80.220.95 on port 80 ... ok
GET / HTTP/1.1[CRLF]
Host: news.okezone.com[CRLF] <<<<<< bughost
« Last Edit: November 20, 2013, 09:29:23 pm by balanyc »
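The request header above shows why a proxy that zero-rates on the Host header alone can be fooled. As an added example that is not from this thread, this is the proxy-side check an ISP would apply: decide billing from where the connection really goes (the CONNECT target or the absolute URL) and flag requests whose Host header names a zero-rated site while the actual destination differs. The sample requests and the allowlist are constructed.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Constructed sample requests in the shape shown above. The first is a genuine
# visit to a zero-rated site; the other two carry the same Host header but ask
# the proxy to reach a different destination.
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: news.okezone.com\r\n\r\n",
    b"GET http://example.org/video.mp4 HTTP/1.1\r\nHost: news.okezone.com\r\n\r\n",
    b"CONNECT example.org:443 HTTP/1.1\r\nHost: news.okezone.com\r\n\r\n",
]
ZERO_RATED = {"news.okezone.com", "0.facebook.com"}   # constructed allowlist

def parse_request(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split the request line and headers (header names lower-cased)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def effective_destination(method: str, target: str, headers: dict[str, str]) -> str:
    """Host the proxy will really connect to: the request-target outranks Host."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    if "://" in target:                              # absolute-form target
        return (urlsplit(target).hostname or "").lower()
    return headers.get("host", "").rsplit(":", 1)[0].lower()   # origin-form

def billing_decision(raw: bytes) -> tuple[str, bool, bool]:
    """Returns (real destination, zero-rated?, Host-header mismatch flagged?)."""
    method, target, headers = parse_request(raw)
    dest = effective_destination(method, target, headers)
    claimed = headers.get("host", "").rsplit(":", 1)[0].lower()
    mismatch = claimed != dest     # Host says one thing, connection goes elsewhere
    free = dest in ZERO_RATED and not mismatch
    return dest, free, mismatch

def audit(requests: list[bytes]) -> list[tuple[str, bool, bool]]:
    """Run the decision over a batch of captured requests."""
    return [billing_decision(r) for r in requests]
```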

Offline max2zz

  • NULL
  • Posts: 4
  • Cookies: 0
Thanks for all your responses,,, gonna try this,,,

Offline balanyc

  • NULL
  • Posts: 4
  • Cookies: 1
Thanks for all your responses,,, gonna try this,,,

Btw, it's better to combine inject with SSH, not direct access from the browser & other apps ;D
since direct needs extra configuration :P
This is my full setup:
1. uncheck default gateway in your dial-up connection
2. connect
3. add a route to your ISP proxy
4. start inject
5. log in to your SSH account, use inject as your proxy (Bitvise or PuTTY, enable proxy forwarding)
6. open Proxifier (make sure all requests are sent through Bitvise)
7. pray, hope your ISP has a bughole 8)

Last, I need part 2 of this topic, 3 of 7 ISPs in my country already know how to fix this method :'(
« Last Edit: November 21, 2013, 04:58:42 am by balanyc »

Offline max2zz

  • NULL
  • Posts: 4
  • Cookies: 0
nice tut,,,, tnx.....

Offline hppd

  • Knight
  • Posts: 163
  • Cookies: 7
Nice one balanyc +1. I was wondering, would this also work on the Homespot routers instead of 3G? I mean those APs some ISPs automatically broadcast when they give you a wireless router, so everybody who has an account on their network can sign in via your router.

Offline Gwengo

  • NULL
  • Posts: 1
  • Cookies: -1
Hi, this is cool. I will look into this.