The bug I identified in this post has been fixed. Cheers to Susteen for getting on the issue once identified and fixing it.
Archive for the CDMA Category
Susteen IDs Error-Promises Fix
Posted in CDMA on December 21, 2007 by numenorian
Susteen has stated that they found the error causing the misreporting of the times that I discovered when I downloaded an LG Fusic. They have promised a fix out soon….woot! Now if it would just get the SMS and deleted stuff…;-)
Data Pilot Secure View Danger
Posted in CDMA on December 14, 2007 by numenorian
I discovered a serious error in Secure View while doing a forensic examination of an LG Fusic (LX 550) on a drug overdose case. It turns out that the call records as downloaded by SV are showing a +3 hr (to EST) time offset. This caused detectives to focus their interviews on individuals that they believed were lying to them. This information was also sent to other agencies including the DEA. There was even a call on the phone that showed up in SV that wasn’t in the call records (this software doesn’t get deleted data).
Unfortunately, SV is the only software that downloads the Fusic (BitPim downloads raw data). We were unable to validate the data that SV had downloaded until the call records came in (yes, we should have looked at the phone itself).
After sitting down with the phone, the call records and the SV report, I discovered the above. SV did have the time right, just three hours more than it should have been.
Also, I discovered a couple of interesting anomalies in the call records as downloaded by SV. These are in addition to the 3 hour difference.
- Dialed calls: the time shown in the dialed calls is the end time of the call and the duration. The call records show start, end and duration.
- Received calls show the beginning time of the call. The call records show start, end and duration.
- Missed calls show the end time of the call and only one missed (from the same number). The call records show start, end and multiple entries if there.
The carrier on this phone is SPRINT. I hope this is just an anomaly limited to the Fusic. However, I think it prudent that all downloads using SV be validated to make sure errors are not occurring.
I have been in contact with Susteen and have made them aware of this problem.
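One way to run the validation recommended above, as an added example that is not part of the original post or of any vendor tool: each tool row is matched to the carrier record for the same number, using the end time for dialed and missed calls and the start time for received calls, as observed in the list above. The record layout, field names and all sample rows are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Carrier field each tool call type lines up with, per the observations above.
REFERENCE = {"dialed": "end", "received": "start", "missed": "end"}

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def validate(tool_rows, carrier_rows, window=timedelta(hours=12)):
    """Return (most common offset, rows with a different offset, unmatched rows)."""
    deltas, unmatched = [], []
    for kind, number, shown in tool_rows:
        field = REFERENCE[kind]
        # Candidate carrier rows: same number, reference time inside the window.
        candidates = [ts(shown) - ts(row[field]) for row in carrier_rows
                      if row["number"] == number
                      and abs(ts(shown) - ts(row[field])) <= window]
        if not candidates:
            # Tool shows a call the carrier records do not contain.
            unmatched.append((kind, number, shown))
            continue
        deltas.append(((kind, number, shown), min(candidates, key=abs)))
    if not deltas:
        return None, [], unmatched
    common = Counter(d for _, d in deltas).most_common(1)[0][0]
    outliers = [row for row, d in deltas if d != common]
    return common, outliers, unmatched

# Constructed sample data (not from the case described in the post).
CARRIER = [
    {"number": "5550100", "start": "2007-12-01 14:00:00", "end": "2007-12-01 14:05:30"},
    {"number": "5550111", "start": "2007-12-01 15:10:00", "end": "2007-12-01 15:12:00"},
    {"number": "5550122", "start": "2007-12-01 16:00:00", "end": "2007-12-01 16:00:20"},
]
TOOL = [
    ("dialed",   "5550100", "2007-12-01 17:05:30"),  # end time + 3 h
    ("received", "5550111", "2007-12-01 18:10:00"),  # start time + 3 h
    ("missed",   "5550122", "2007-12-01 19:00:20"),  # end time + 3 h
    ("dialed",   "5550133", "2007-12-01 20:00:00"),  # no carrier record
]

if __name__ == "__main__":
    offset, outliers, unmatched = validate(TOOL, CARRIER)
    print("offset:", offset, "outliers:", outliers, "unmatched:", unmatched)
```

A non-zero common offset means every timestamp in the report is shifted by that amount; unmatched rows need a manual look at the handset.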
Location of SMS Messages in a Motorola V3c
Posted in CDMA, Motorola, R and D, SMS on November 2, 2007 by numenorian
I’ve been playing around with a Motorola V3c on a case (CDMA RAZR variant)…and have had moderate success with a number of different pieces of software. In general I can get the contacts and call records (not date/time though just index) from the following pieces of software.
- DP Secure View
- MobilEdit
- BitPim
Curiously, I cannot get Device Seizure to even recognize this phone exists. I of course have to connect over its modem which has been seen on a virtual COM port (16 in my case)…DS just refuses to see the phone.
I may try to hook up to it via the Hyperterminal but it sure would be nice not to have to do this the hard way…
Anyway while looking at the filesystem in BitPim, I managed to find the location of the SMS messages (not parsed). They are located in
nvm/seem/syn_messages
I know there is an index which helps mark these up but I haven’t tried to suss that out yet. What’s cool is that I’ve found some previous messages in there as well…and I’m not talking about a Quick Notes/SMS dump à la Device Seizure either…..
More to come on this one..
M
Motorola Site
Posted in CDMA, Drivers, Motorola on November 2, 2007 by numenorian
I’m back after an absence. It’s been crazy…moved offices, got a new job description (same stuff, extra hat to wear)…you know, life..
If I haven’t mentioned this site before it certainly was an oversight on my part. This site is an absolutely fabulous resource for an examiner of CDMA Motorola Phones. I’ve used it many times. My Thanks to Mark for all his efforts! Enjoy.
Nokia CDMA Service Codes
Posted in CDMA on August 2, 2007 by numenorian
I found these doing some research. They work with some variance on one of my test 6015i phones. Your mileage may vary.
entry point *3001#12345#
*Note: These are PRI dependent. Some carriers may have them disabled, or use *# instead of ##, or use a different code, spelled differently, for the same function (e.g. ##DATA# or ##BEARER# on some phones).
Dial-A-Codes
##837# or *#837# (“VER”) … Displays version screen (also accessible by [Menu]-[6]-[2]).
##66767# or *#66767# (“MOSMS”) … Displays a selection screen to allow toggling of MO-SMS (Message Over : Simple Message Service) mode.
##743# or *#743# (“SID”) … Displays the current SID.
##24# or *#24# (“CH”) … Displays the current Channel.
##786# (“RUN”) … Displays the Diagnostics menu which contains the Life Timer, Reconditioned Status, PRL, your number, and an Options menu which allows you to turn on the Service Screen (Net Monitor) or Restore Defaults (which resets the phone to factory settings). To restore defaults, you must enter the SPC/MSL code at the prompt.
##889# (“TTY”) … Displays a selection screen to allow toggling of TTY mode. (This code is referenced in the official Sprint manual.)
##7738# (“PREV”) … Displays CDMA mode menu, which allows you to select IS-95A, IS-95B, or IS-2000 modes.
*#7738# (“PREV”) … Displays CDMA mode menu, which allows you to select IS-95A, IS-2000, or Analog modes.
##8626337# (“VOCODER”) or *#3872# (“EVRC”) … Displays the EVRC settings menu, which allows you to select the EVRC mode as On, Off, or Home Only.
##2539# (“AKEY”) … Allows you to change the service-specific Authorization Key via the keypad. When the phone asks for Service programming code, enter the SPC/MSL for your phone.
*#639# (“NEW”) … Allows you to change the MDN (phone number) registered in the phone. When the phone asks for Service programming code, enter the SPC/MSL for your phone.
*#775# (“PRL”) … Allows you to toggle the use of PRL.
##nnnnnn# … Where nnnnnn is a six-digit number (no more, no less), input will return to the main screen unless the number happens to be your SPC/MSL, in which case you will be taken to the Phone Programming menu which allows you to change the MDN (phone number) registered to the phone. (I don’t know if some other combinations in this domain do something or not, but they all appear to reset the display after entry unless you use the SPC/MSL, which is usually a hash derived from your ESN and is typically service-specific.)
Other Codes
Hold # at the main screen for 3 seconds … Displays the Life Timer in HH:MM format.
More BitPim Magic
Posted in CDMA on March 21, 2007 by numenorian
My good friend Det. Brian Roach of the Kansas City Police Department recently posted this tip on decoding SMS messages on a Motorola V3m:
“It’s there, the date & time is viewable in hex. Check the SMS folder, the applicable files should be named in a format such as ‘inbox000.dat, inbox001.dat’, etc….4076 bytes in size. Date/time string starts at 15th byte….15th byte is year, 16th is month, 17th is day….18th byte is hour, 19th byte is minutes and 20th byte is seconds. An example would be 05 10 18 12 24 49…October 18th 2005, 12:24:49.”
Thanks Brian for the great tip!
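The layout in the tip above, decoded in code (an added example, not from the original post and not part of BitPim). It assumes each of the six bytes is packed BCD, which is what the example 05 10 18 12 24 49 implies, and that two-digit years are 20xx; the sample buffer is constructed, not taken from a real handset.

```python
from datetime import datetime

FILE_SIZE = 4076   # size of each inboxNNN.dat file given in the tip
TS_OFFSET = 14     # "15th byte", counted from 1, is index 14
TS_LEN = 6         # year, month, day, hour, minute, second

def bcd(byte):
    """Decode one packed-BCD byte: hex 0x10 reads as decimal 10."""
    hi, lo = byte >> 4, byte & 0x0F
    if hi > 9 or lo > 9:
        raise ValueError(f"0x{byte:02X} is not a BCD byte")
    return hi * 10 + lo

def parse_sms_timestamp(data, century=2000):
    """Return the message date/time stored at bytes 15-20 of an inbox file."""
    if len(data) < TS_OFFSET + TS_LEN:
        raise ValueError("file too short to hold a timestamp")
    fields = data[TS_OFFSET:TS_OFFSET + TS_LEN]
    yy, mo, dd, hh, mi, ss = (bcd(b) for b in fields)
    # datetime() rejects impossible values (month 0, hour 25, ...),
    # which catches empty or unused slots filled with zeros.
    return datetime(century + yy, mo, dd, hh, mi, ss)

def build_sample():
    """Constructed 4076-byte buffer carrying the tip's example bytes."""
    buf = bytearray(FILE_SIZE)
    buf[TS_OFFSET:TS_OFFSET + TS_LEN] = bytes.fromhex("051018122449")
    return bytes(buf)

if __name__ == "__main__":
    print(parse_sms_timestamp(build_sample()))
```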
Some Mobile Phone Acronyms Defined
Posted in CDMA on February 22, 2007 by numenorian
Some definitions for those pesky mobile phone acronyms
MSL
The MSL is known as the Master Subsidy Lock code. It is the main code used to program your phone, and access and change the settings of your phone.
SPC
This is the subsidy lock that the providers put on the phone so you have to stay with them to use your phone (you can unlock this).
NAM
The NAM is the electronic memory in the cellular phone that stores the telephone number and an electronic serial number. Phones with dual- or multi-NAM features offer users the option of registering the phone with a local number in more than one market. (from mobiledia.com)
PRL
(Preferred Roaming List)
The PRL is a list of information that resides in the memory of a digital phone. It lists the frequency bands the phone can use in various parts of the country. (The smaller bands within Cellular or PCS.) (from phonescoop)
ESN
(Electronic Serial Number) The unique identification number embedded in a wireless phone by the manufacturer. Each time a call is placed, the ESN is automatically transmitted to the base station so the wireless carrier’s mobile switching office can check the call’s validity. The ESN cannot easily be altered in the field. The ESN differs from the mobile identification number, which is the wireless carrier’s identifier for a phone in the network. MINs and ESNs can be electronically checked to help prevent fraud. (from mobiledia.com)
BitPim and SPC
Posted in CDMA on February 22, 2007 by numenorian
While answering some follow-up questions on BitPim and the user security lock I came across these links regarding using BitPim to grab the SPC to unlock the filesystem.
BitPim and SPC (this one is specific about BitPim and SPC and is the next)
BitPim and SPC II
Hope this is helpful for the community
Mike
BitPim Gem
Posted in CDMA on February 22, 2007 by numenorian
Hey all you CDMA fans…got a little forensic gem for you that you may not have known about. I discovered this the other day whilst examining a locked Audiovox 8910.
BitPim does not explicitly provide support for this phone; however, by choosing “Other CDMA” and selecting the modem port recognized by BitPim I was able to take a read (caveat: only partial, since a manual follow-up showed that BitPim did miss some areas) of the filesystem….
Did I mention that the phone has a security code!!!????
Yes, that’s right, it went around the security code!!!!
I found the Security Code (plus the default) in the NVM filesystem area. It was located in the NVM_002 file starting at 119 and ending at offset 122 (1289). Coincidentally this is the same file where the Banner is located (in this case starting at offset 57 and going for fifteen bytes and ending at offset 71, “WHERE’S DA MONEY”).
I confirmed the Security Code with the one given to the OIC and a manual unlock. I also confirmed the banner with a manual look.
This should work for other CDMA phones.
I hope this is useful to the community.
Mike