Blackhat 2013-traffic interception & Remote Mobile Phone cloning with a compromised CDMA Femtocell

Source: Internet
Author: User
Tags: femtocell


First, a short introduction to the femtocell:

A home base station (English: femtocell, also translated as pico cellular base station), originally called an access point base station, is a small cellular base station generally designed for use in homes or small commercial premises. It connects to the operator's network over broadband access (such as DSL, cable or fiber) and can integrate 2G, 3G and WiFi in a single device.

Femtocell technology was first exhibited at the 2008 Mobile World Congress (MWC), shown by operators including Orange and T-Mobile. "Femto" means 10 to the power of minus 15 (the device is also referred to as a pico cell). The home base station, first deployed in Europe, is an ultra-small mobile base station: compared with microcell base stations (usually covering within 2 km) and picocell base stations (typically covering about 200 meters) it is smaller still, covering about 12 meters. In some cases a femtocell can provide wider coverage to meet the needs of an office environment.

The home base station converts ADSL or fiber-optic network bandwidth into a wireless 3G signal, suitable for home and office environments.

The home base station is simple and IP-based, with a transmit power of 10 mW to 100 mW, and can provide Wi-Fi alongside 3G network service. Its low cost compared with a traditional base station is what makes the femtocell the most attractive solution.

The femtocell itself is a Linux box.

The phone attaches to the femtocell automatically, with no user interaction and no indication (unlike joining an open WiFi network).


1. Get root permissions. There is an HDMI port that serves as a console port.

Wireless signal range: approx. 40 ft.

SCS-26UC4: get root by interrupting the boot process (U-Boot delay: press any key to interrupt boot), drop to the root shell, run a script and you have root on a fully functional device. This vulnerability has since been patched.

SCS-2U01: the process can be aborted using the Magic SysRq+i key. Then you can log in as root. Run a script and you have root on a fully functional device.
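Both root vectors above rest on boot-time settings that the vendor can lock down: a U-Boot delay that accepts a keypress, a serial console on the debug port, and a kernel SysRq mask that still allows the "signal processes" group. The audit below is an added example, not code from the talk or from the device firmware; it parses a U-Boot environment dump (the key=value format printed by fw_printenv) and the contents of /proc/sys/kernel/sysrq, and flags whichever conditions are still open. The sample environments are constructed, and the hypothetical variable names (WEAK_ENV, HARDENED_ENV) are mine.

```python
# Added example (not from the Black Hat talk or the vendor firmware): audit the
# boot-time settings behind the two console root vectors described above.
import re

# /proc/sys/kernel/sysrq is a bitmask; 64 enables the "signal processes" group,
# which is what SysRq-i (kill all processes) needs. A value of 1 enables everything.
SYSRQ_SIGNAL_PROCESSES = 64


def parse_uboot_env(env_dump: str) -> dict:
    """Parse 'key=value' lines as printed by fw_printenv / printenv."""
    env = {}
    for line in env_dump.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            env[key.strip()] = value.strip()
    return env


def audit_boot_hardening(env_dump: str, sysrq_mask: str) -> list:
    """Return a list of findings; an empty list means both vectors are closed."""
    findings = []
    env = parse_uboot_env(env_dump)
    # Vector 1 (SCS-26UC4): a positive bootdelay lets a console user interrupt
    # autoboot; -1 drops straight to the U-Boot prompt; -2 autoboots with no
    # abort check, which is the hardened setting.
    delay = env.get("bootdelay")
    try:
        delay_val = int(delay) if delay is not None else None
    except ValueError:
        delay_val = None
    if delay_val is None:
        findings.append("bootdelay unset or invalid: build default decides whether autoboot can be interrupted")
    elif delay_val > 0:
        findings.append(f"bootdelay={delay_val}: autoboot can be interrupted from the console")
    elif delay_val == 0:
        findings.append("bootdelay=0: abort check depends on build config, prefer -2")
    elif delay_val == -1:
        findings.append("bootdelay=-1: autoboot disabled, device stops at the U-Boot prompt")
    # A serial console in bootargs means a login prompt is reachable from the port.
    if re.search(r"console=tty\w*", env.get("bootargs", "")):
        findings.append("bootargs enables a serial console on the debug port")
    # Vector 2 (SCS-2U01): Magic SysRq 'i' needs the signal-processes bit.
    mask = int(sysrq_mask.strip() or "0")
    if mask == 1 or mask & SYSRQ_SIGNAL_PROCESSES:
        findings.append(f"kernel.sysrq={mask}: SysRq-i (kill all processes) is enabled")
    return findings


# Constructed sample inputs: a weak configuration and a hardened one.
WEAK_ENV = "bootdelay=3\nbootcmd=run flash_boot\nbootargs=console=ttyS0,115200 root=/dev/mtdblock2\n"
HARDENED_ENV = "bootdelay=-2\nbootcmd=run flash_boot\nbootargs=root=/dev/mtdblock2 quiet\n"
```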

2. Find the packets: QuickSec works at the kernel level, so you cannot get useful information with normal capture tools like tcpdump.

You need a custom kernel module, and it must sit both above and below QuickSec in order to get the plaintext before encryption and after decryption.

Things to do: view the data, and drop it.

(To be continued: 18:21)

Additional: the principle of Android privilege escalation:
