Passive Sniffing the "Paging Channel" These "paging messages" are transmitted OTA without encryption. Wondering how the "Car warranty/Telus Scam automated messages to get your credit card number" got your secret/unlisted phone number? Wonder where/when your friend "receive" a call or "receive" SMS nearby? I think this is called Layer 3 tracing You have to monitor the "0x1007 Paging Channel Message -- General Page Msg" - Short Message Services IS-637 (tower attempts to send sms to the user) - EVRC 8K Voice (someone's calling him/her) - (RS2 Voice, QCELP) (older "Qualcomm Code Excited Linear Prediction" voice codec??) These were scanned using a normal phone connected to qxdm then log pharsed with Qcat. ---- 2009 [14] 0x1007 Paging Channel Message -- General Page Msg ( slot = x ) protocol_rev = 6 (0x6) (IS2000 Rev 0) chan_type = 1 (0x1) (Paging) chan pc_msg gen prot_disc = 0 (0x0) msg_id = 17 (0x11) (General Page) gen_page config_msg_seq = 4 (0x4) acc_msg_seq = 32 (0x20) class_0_done = 1 (0x1) class_1_done = 1 (0x1) tmsi_done = 1 (0x1) ordered_tmsis = 0 (0x0) broadcast_done = 1 (0x1) add_length = 0 (0x0) num_pages = 1 (0x1) gen_page[0] page_class = 0 (0x0) page_subclass = 0 (0x0) rec format0 msg_seq = 3 (0x3) imsi_s[HI] = 2 (0x2) imsi_s[LO] = 410xx55 (0x1xxxb7) (647-xxx-7x94) special_service = 1 (0x1) service_option = 3 (0x3) (EVRC 8K Voice) 2009 [24] 0x1007 Paging Channel Message -- General Page Msg ( slot = x ) protocol_rev = 6 (0x6) (IS2000 Rev 0) chan_type = 1 (0x1) (Paging) chan pc_msg gen prot_disc = 0 (0x0) msg_id = 17 (0x11) (General Page) gen_page config_msg_seq = 4 (0x4) acc_msg_seq = 32 (0x20) class_0_done = 1 (0x1) class_1_done = 1 (0x1) tmsi_done = 1 (0x1) ordered_tmsis = 0 (0x0) broadcast_done = 1 (0x1) add_length = 0 (0x0) num_pages = 2 (0x2) gen_page[0] page_class = 0 (0x0) page_subclass = 0 (0x0) rec format0 msg_seq = 0 (0x0) imsi_s[HI] = 2 (0x2) imsi_s[LO] = 30xx28 (0xbxx844) (705-xxx-01x9) special_service = 1 (0x1) service_option = 6 (0x6) (Short Message Services IS-637) gen_page[1] page_class = 0 (0x0) page_subclass = 0 (0x0) rec format0 msg_seq = 3 (0x3) imsi_s[HI] = 2 (0x2) imsi_s[LO] = 415xxx37 (0x1xxx59) (647-xxx-91x0) special_service = 1 (0x1) service_option = 3 (0x3) (EVRC 8K Voice) 2009 [35] 0x1007 Paging Channel Message -- General Page Msg ( slot = x) protocol_rev = 6 (0x6) (IS2000 Rev 0) chan_type = 1 (0x1) (Paging) chan pc_msg gen prot_disc = 0 (0x0) msg_id = 17 (0x11) (General Page) gen_page config_msg_seq = 4 (0x4) acc_msg_seq = 32 (0x20) class_0_done = 1 (0x1) class_1_done = 1 (0x1) tmsi_done = 1 (0x1) ordered_tmsis = 0 (0x0) broadcast_done = 1 (0x1) add_length = 0 (0x0) num_pages = 4 (0x4) gen_page[0] page_class = 0 (0x0) page_subclass = 0 (0x0) rec format0 msg_seq = 3 (0x3) imsi_s[HI] = 1 (0x1) imsi_s[LO] = 83xxx22 (0xxxb46) (416-xxx-6x49) special_service = 1 (0x1) service_option = 6 (0x6) (Short Message Services IS-637) gen_page[1] page_class = 0 (0x0) page_subclass = 0 (0x0) rec format0 msg_seq = 5 (0x5) imsi_s[HI] = 1 (0x1) imsi_s[LO] = 83xx85 (0x3xx7cd) (416-xxx-50x4) special_service = 1 (0x1) service_option = 6 (0x6) (Short Message Services IS-637) gen_page[2] page_class = 0 (0x0) page_subclass = 0 (0x0) rec format0 msg_seq = 1 (0x1) imsi_s[HI] = 2 (0x2) imsi_s[LO] = 40xx2845 (0x1xx8b8d) (647-xxx-20x0) special_service = 1 (0x1) service_option = 6 (0x6) (Short Message Services IS-637) gen_page[3] page_class = 0 (0x0) page_subclass = 0 (0x0) rec format0 msg_seq = 5 (0x5) imsi_s[HI] = 1 (0x1) imsi_s[LO] = 83xx178 (0x31xxda) (416-xxx-25x5) special_service = 1 (0x1) service_option = 3 (0x3) (EVRC 8K Voice) 2009 [04] 0x1007 Paging Channel Message -- General Page Msg ( slot = x) protocol_rev = 6 (0x6) (IS2000 Rev 0) chan_type = 1 (0x1) (Paging) chan pc_msg gen prot_disc = 0 (0x0) msg_id = 17 (0x11) (General Page) gen_page config_msg_seq = 4 (0x4) acc_msg_seq = 32 (0x20) class_0_done = 1 (0x1) class_1_done = 1 (0x1) tmsi_done = 1 (0x1) ordered_tmsis = 0 (0x0) broadcast_done = 1 (0x1) add_length = 0 (0x0) num_pages = 1 (0x1) gen_page[0] page_class = 0 (0x0) page_subclass = 0 (0x0) rec format0 msg_seq = 0 (0x0) imsi_s[HI] = 1 (0x1) imsi_s[LO] = 825xx6335 (0xxx909f) (416-xxx-4x60) special_service = 1 (0x1) service_option = 3 (0x3) (EVRC 8K Voice) ---- Also, with EVDO, you can get the tower's "location", but it needs some adjusting because its not "Exactly" Latitude and Longitude. for evdo: country_code = 1 (0xx) (BCD: 0xx) sector_id[0] = x (0xx0) sector_id[1] = x (0x0) sector_id[2] = x (0x0) sector_id[3] = x (0x0) sector_id[4] = x (0x) sector_id[5] = x (0xx) sector_id[6] = x (0xxx) sector_id[7] = x (0xx) subnet_mask = xx (0xx) sector_signature = x (0xx) latitude = xxxxxx (0xxf0)
04-22-2009, 13:57
Similar Threads 
Linear Mode
