Old 02-02-2010, 05:05   #1 (permalink)
Insane Poster
 
Join Date: Nov 2005
Posts: 64
Member: 203880
Status: Offline
Thanks Meter: 1
New EVDO vulnerability


Should Telus take down the EVDO network for this vulnerability?
See thread:
http://img16.imageshack.us/img16/689...forevdo.th.png

http://img121.imageshack.us/img121/9...ermanen.th.png

What you need:
1. Inactive EVDO phone or inactive EVDO data card that you don’t plan to sell/reuse anymore. (used on any network, does not have to be Telus) (to prove the concept) (could also work with “active” for the more experienced, data account sharing etc. later on if successful.)
2. Good EV coverage, i.e. does not drop back to 1X (or know how to force EV in the NV settings)
3. Must have tried successfully with #777 with tethering the phone in the past (easier with data cards)
4. “A Telus EVDO PRL” if not getting an EV icon, or was provisioned on other networks, i.e. USA, Bell
5. Your SPC/MSL
6. Know how to connect your phone with QPST/Qualcomm (i.e. not Nokia)
7. An active account (with Telus or Koodo) with an EVDO phone on it, i.e. prepaid, smartphone, datacard, friend to share/enemy to kick out/stranger’s from OTA scans. You need their phone# and EVDO ESN (It does not work with 3G+ or MEID or 1X)
8. Copy down your existing settings (AN, Um, M.IP, NAI) in QPST
9. Willing to risk losing something and not blame me!!!

1. Open up QPST Configuration, then make sure the “Diag” port gets detected by it.
2. Open “Service Programming”
3. Read from phone, enter MSL
4. Go to the PPP Config Tab, then Um
5. Copy down the “User ID” [email protected] and save it somewhere.
6. Do step 4 again, but with the AN tab
7. Now go back to the Um tab, then depending on your network/phone config (trial and error)
If your active account is Telus prepaid: (free) – also for regular accounts with WAP, smartphones, etc
[email protected] or [email protected] for Treo 700p/755p
If your active account is koodo (free)
[email protected]
If you want to use “tethering” charges (ie: have data card plan)
[email protected]

8. Enter one of the above in the user ID.
9. For the password, it’s ALL 11 digits of the ESN of that account in DECIMAL – check it in eCare (you have to include the zero if necessary)
10. Repeat for the AN tab
11. Now go to the M.IP tab
12. Double click on the “enabled” profile. (There should only be one “enabled”)
13. Copy down the NAI settings to somewhere.
14. In the NAI field, enter the user ID in step 8
15. The Tethered NAI should be blank
16. The AAA shared secret, click on Enter Text String button.
17. Then enter the ESN from step 9
18. You could also fill in the HA, but Telus does not use MIP usually.
19. Save settings to phone
20. Try connecting with #777. Not sure if WAP portals would work.
21. If it does not work, make sure the PRL is Telus (Bell would work too for free roaming in Eastern Canada, but not sure about Western Canada)

It's so many steps and without pictures, but a reference for someone who wants to try it then report back. It's not for n00b.
  Reply With Quote
The Following User Says Thank You to kocoman For This Useful Post:
Old 02-02-2010, 05:08   #2 (permalink)
Freak Poster
 
sayyedikram's Avatar
 
Join Date: Feb 2006
Location: in ur soul
Posts: 487
Member: 234349
Status: Offline
Thanks Meter: 227
That's called the master bro, thanks
  Reply With Quote
Old 02-02-2010, 05:17   #3 (permalink)
Junior Member
 
Join Date: Oct 2007
Location: http://cdma.isgreat.org
Posts: 35
Member: 620592
Status: Offline
Thanks Meter: 3
Nice info kocoman... I wonder if this way works for Indonesia network
  Reply With Quote
Old 09-03-2010, 15:26   #4 (permalink)
Insane Poster
 
Join Date: Nov 2005
Posts: 64
Member: 203880
Status: Offline
Thanks Meter: 1
NEW NOTES

1) So if the account is MEID based, just convert the MEID from DEC to HEX. (because QPST "MIP" tab complains that the password is over 16 digits)
Then put all those HEX MEID into the password fields where "ESN" was supposed to go

2) Use Profile 1 (enable it), disable profile 0. (don't delete profile 0)
Then select Simple IP only

3) In Windows dialer, put that NAI and password in. Make sure your "Watcher, etc" app is not changing it back to something else

----
reply to above,

I don't know about China or Indonesia networks or "my operator use huawei networks, and this system don't support MEID for EVDO registration." - carver

Unless I can remote control to take a look?
  Reply With Quote
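An operator-side detection sketch for the pattern this thread describes (an account's user ID and hardware-ID-derived password being used from a different handset), added here as an example and not part of any post. The record fields, NAIs and hardware IDs are constructed and hypothetical; a real AAA or accounting feed will name them differently.

```python
# Constructed sample data, not real logs. Field names are hypothetical:
#   nai         user ID presented at PPP/AAA authentication
#   account_id  hardware ID provisioned on the subscriber account
#   device_id   hardware ID the network observed for the terminal
#   event       "start" or "stop" of a data session
SAMPLE = [
    {"ts": 100, "nai": "alice@carrier.example", "account_id": "HW-A1", "device_id": "HW-A1", "event": "start"},
    {"ts": 160, "nai": "alice@carrier.example", "account_id": "HW-A1", "device_id": "HW-A1", "event": "stop"},
    {"ts": 200, "nai": "bob@carrier.example", "account_id": "HW-B1", "device_id": "HW-B1", "event": "start"},
    {"ts": 230, "nai": "bob@carrier.example", "account_id": "HW-B1", "device_id": "HW-Z9", "event": "start"},
    {"ts": 300, "nai": "carol@carrier.example", "account_id": "HW-C1", "device_id": "HW-Z9", "event": "start"},
]


def find_suspect_sessions(records):
    """Return sorted (ts, nai, reason) findings for credential use from foreign hardware."""
    findings = []
    open_on = {}          # nai -> device_id holding the currently open session
    nais_by_device = {}   # device_id -> set of NAIs that device has presented
    for r in sorted(records, key=lambda rec: rec["ts"]):
        nai, dev = r["nai"], r["device_id"]
        if r["event"] == "stop":
            if open_on.get(nai) == dev:
                del open_on[nai]
            continue
        # Credential accepted, but the terminal is not the one on the account.
        if dev != r["account_id"]:
            findings.append((r["ts"], nai, "hardware-mismatch"))
        # A second device starts while the account's session is still open
        # (the "kick out" effect mentioned in the thread).
        if nai in open_on and open_on[nai] != dev:
            findings.append((r["ts"], nai, "session-displaced"))
        # One terminal cycling through several subscribers' user IDs.
        seen = nais_by_device.setdefault(dev, set())
        seen.add(nai)
        if len(seen) > 1:
            findings.append((r["ts"], nai, "device-multi-account"))
        open_on[nai] = dev
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_suspect_sessions(SAMPLE):
        print(finding)
```

These findings are symptoms; the underlying fix is to provision a random per-subscriber secret instead of a password derived from the ESN or MEID.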