24 June 2009

Pre-Paid, Revisited

In a previous post, I talked about a Net10 Nokia 1600 that appeared to be SIM-locked and have some special firmware that made it nearly useless for anything but Net10's prepaid service.

For the latest experiment, I found an AT&T "Go Phone" Nokia 2610.  I turned it on right next to a running OpenBTS system.  It powered up, registered with OpenBTS and then tried to send an SMS to the private ISDN address 1111340002 via an SMSC at + 14047259800.  Here is the raw TPDU of the message.

If anyone has immediate ideas on the meaning of that 69-byte payload or what the handset is expecting to see in response, let me know.  The known parameters are:

  • IMSI 310410250887606
  • MSISDN +1 707 386 8928
  • PIN 8928
  • ICCID 8901 4104 2125 0887 6088
Unfortunately, the phone itself has a power supply problem, so I will need to find another one.  And then I can post a second example for comparison.


  1. In a recent e-mail, someone pointed out that the SMS payload starts with the IMSI, coded as per GSM 04.08 I am a little embarrassed for not noticing. But then what? There are a lot more bytes there.

  2. Here in Portugal, the pre-paid phones(including the Nokia 1600) don't send that strange SMS... They all register on the network and make calls normally...

    Also. i am yet to see any gsm phone that knows is own phone number... Very strange...

  3. This phone doesn't know its own number either, that was the Net10 phone that know its own number.

    And how do you *know* that your pre-paid phones are not sending binary SMS? The are hidden. There's no indication in the user interface that this is happening. The only way to know it is happening is to use a passive intercepter or get access to the BTS.

  4. From an e-mail I received:

    What you are seeing from the AT&T Go Phone looks like a SIM application designed to execute on device startup which reports characteristics back to the carrier.  I highly doubt the device or SIM is waiting for a response.  Around "0A 19 FF ...", probably starting from FF, looks very much like a typical terminal profile.  GSM 11.11/11.14 may shed some more light on this for you.  I would restart the phone to see if the SMS message gets sent again (to determine if an IMEI change event is triggering the SMS).  And, obviously, put the SIM in any other GSM device and see what changes in the SMS (terminal profile should if the phone model changes at a minimum).  To speculate on why this app may be executing - on prepaid devices, this kind of thing is often done to detect SIM fraud (VOIP/SIP providers, calling card providers, etc. use prepaid SIMs to avoid international tariffs) - but it's difficult to say without further analysis.   www.bladox.com has inexpensive equipment which can be used to trace SIM/ME communications (using the two standards I mentioned and associated ones, you can then piece together what information the SIM is requesting from the ME and likely
    figure out the full contents of the outbound SMS).

  5. I bet, coming from the non-GSM-tech world, that it's trying to ask some form of net10 server for its current balance for the airtime "tank" and its' balance expiration date.

  6. Wait, whoops, misread that. Thought the net10 phone was sending that message...

    ... sounds like it may be trying to grab some settings OTA, then.