Iridium Handset Examination
Introduction: Iridium is a privately held company specializing in commercial satellite voice and data communications and has a true global reach with coverage in the Polar Regions. Iridium's constellation consists of 66 low-earth orbiting (LEO), cross-linked satellites operating as a fully meshed network and supported by in-orbit spares. Iridium has three locations: the network operations center in Leesburg, Virginia, the commercial gateway in Tempe, AZ, and the Department of Defense gateway in Hawaii. Because all Iridium communications are routed from space to these locations in the United States, all are subject to US law with regard to Pen Registers and Electronic Intercepts.
Iridium is making major investments in network enhancements and launching the Iridium NEXT initiative, its next generation satellite constellation, which will be fully operational by 2016. Iridium handsets are common in transnational smuggling organizations and can provide useful information:
- Device Information
- Called List
- Callers list
- Contacts
- Text Messages Inbox
- Text Messages Outbox
- Geolocation Data
Handset Identification: [handset photographs omitted; models pictured: 9505A, 9505, 9500]
The International Mobile Equipment Identity (IMEI) is a number unique to every handset that the network uses to identify valid devices. It serves as the serial number and is usually printed on a label underneath the battery. An example is 30000Xxxxxxxxx (x = 0-9). The first 5 digits identify the manufacturer and type of phone.
The major outward physical difference between the 9505 and the 9505A is under the display window: on the 9505 it reads Motorola, on the 9505A it reads Iridium. The 9505A also lacks the IrDA port on the left side of the handset.
The SIM card on the 9505 and 9505A is located under the battery next to the IMEI label and looks like a traditional GSM SIM card. The 9500 model requires the full 'credit card' size SIM card, which is inserted at the bottom of the phone; the lever on the right-hand side of the phone ejects it.
Data Acquisition: Data can be acquired from Iridium handsets using HyperTerminal. HyperTerminal is an embedded Microsoft application and is standard on XP Professional and higher. HyperTerminal performs a logical extraction: it sends AT commands to the handset and records the responses. The application is located under Start Menu > Programs > Accessories > Communications.
HyperTerminal Configuration
- Name the connection and choose the COM port
- Port Settings - Selecting Restore Defaults should automatically set the values below; if it does not, enter them manually.
- Bits Per Second: 9600
- Data bits: 8
- Parity: None
- Stop bits: 1
- Flow control: None
- Ensure you are disconnected by selecting the Disconnect menu button, then edit the following settings
- File > Properties > Setting tab > ASCII Setup…
- Check the ‘Echo typed characters locally’
- Transfer > Capture Text > *.txt
- * is the location and name you choose for the output file
- Select the Start button once you have named the file.
Iridium Unlock Codes - Only minimal information, such as device information and geolocation data, can be obtained if the handset is locked. If the SIM card PIN code does not work, be aware that after three failed attempts the SIM is blocked and will require a PUK to unlock it. If the PUK1 and PUK2 codes are entered incorrectly eight times, the SIM card is permanently locked and the data irrecoverable.
- Factory default SIM card PIN Code is “1111”
- Factory default Phone Unlock Code is “1234”
AT Commands - An AT command is a string of characters sent to the handset. A command string has a prefix, a body, and a terminator. The prefix consists of the ASCII characters AT or at. The body is a string of commands restricted to printable ASCII characters. The default terminator is the <CR> character.
Most commands include a prefix of + followed by a single alpha character. Prefixes used include +C, +D, +G, +I, and +S. Commands designed specifically for the Satellite Series handsets use a -MS prefix. Most commands include three alpha characters after the prefix which designate the specific information being requested. Example: AT-MSGEO, GEO being the specific request for geolocation information from a satellite handset.
Target Information:
Manufacturer Identification
Exec Command: AT+CGMI
Output Example:
Motorola
OK
Model Identification
Exec Command: AT+CGMM
Output Example:
9505 Satellite Series
OK
Revision (commonly referred to as Firmware Version)
Exec Command: AT+CGMR
Output Example:
Call processor version: LAC109G
DSP version: LAC0108
NVM version: LAC0109
OK
Serial Number/IMEI
Exec Command: AT+CGSN
Output Example:
300001000000000
OK
SMS Messages
Exec Command: AT+CMGL=4
Other <stat> values:
- 0 "REC UNREAD" received unread message (i.e. new message) (default)
- 1 "REC READ" received read message
- 2 "STO UNSENT" stored unsent message (only applicable to SMS)
- 3 "STO SENT" stored sent message (only applicable to SMS)
- 4 "ALL" all messages (only applicable to +CMGL command)
Response is in the following format for PDU mode:
+CMGL: <index>,<stat>,[<alpha>],<length><CR><LF><pdu>
Where:
- <alpha>: string type alphanumeric representation of TP-destination address or TP-originating address corresponding to the entry found in the phonebook (optional field);
- <length>: in PDU mode, this is the length of the actual TP data unit in octets (i.e. the RP layer SMSC address octets are not counted in the length)
- <pdu>: GSM 04.11 SC address followed by GSM 03.40 TPDU in hexadecimal format.
Output Example:
+CMGL:002,002,,010
000100008100002CCD705E5C06BDDD6510399C07DDCBA07B9ACD0699D3E7BABC0C7AD7E9A03B3A4C07D1DF20F23B04
OK
Contacts (Handset & SIM Card Phonebook)
The command to read the phonebook data is twofold. The first command selects the phonebook to read and the second command specifies the range of entries. To read any phonebook data, the range or position of the entries in the desired directory must be specified, or else no data will be returned in the output.
Step one – Phonebook Memory Storage
Select the phonebook memory storage. <storage> is a string type enclosed in double quotes; for example, "FD".
<storage> takes the following values:
- FD SIM fixed dialing phonebook
- LD Last ten calls dialed phonebook
- ME ISU phonebook
- MT combined ISU and SIM phonebook (default)
- SM SIM phonebook
Exec Command: AT+CPBS="<storage>"
Step Two - Determine range
Command returns currently selected memory, the number of used locations and total number of locations in the memory. Response is in the form:
+CPBS: <storage>,<used>,<total>
Where: <used> indicates the number of used locations and <total> shows the total capacity of <storage>.
Exec Command: AT+CPBS?
*Note - Your data range will be from 1 to <total>
Step Three – Run assembled command
Exec Command: AT+CPBS="MT"; +CPBR=1,255
Output Example:
+CPBR:001,"+533155551212",145,"SAM"
+CPBR:002,"+3455551212",145,"JIM"
+CPBR:003,"+440235647864",145,"BARRY"
+CPBR:101,"+4404531278435",145,"JAIMIE"
OK
*Note – When running the +CPBS command the handset phonebook is 1-100 and the SIM card phonebook 101-255.
Last Dialed Numbers
The last dialed numbers are stored as part of the phonebook. You can repeat the above step or execute the below command string. This string is known to work on 9505 models and above.
Exec Command: AT+CPBS="LD"; +CPBR=1,10
Output Example:
+CPBR:001,"005095551212",129,""
+CPBR:002,"005065551212",129,""
+CPBR:003,"0017275551212",129,""
+CPBR:004,"5095551212",129,""
Geolocation Information
Exec Command: AT-MSGEO
Output Example:
-MSGEO: 888,-5111,2222,f321df8c
Command String to Execute: Commands can be executed one at a time or as a string. If a command in the middle of the string returns an error, none of the subsequent commands will run. A command string may contain up to 128 characters. All letters should be either upper case or lower case, not mixed.
Cut and paste the following command strings into HyperTerminal to retrieve data: everything between the quotes, but not the quotes themselves.
Exec Command String: “AT+CGMI; +CGMM ; +CGMR; +CGSN; +CNUM; +CMGL=4;”
Output Example:
Iridium
9505A
Call Processor Version: IS05004
DSP Version: 0x002b, 2.18
NVM Version: MON0010
300114010016910
+CNUM:"","",129
+CNUM:"","",129
+CNUM:"","",129
+CMGL:001,002,,010
0001FF0080000002D927
+CMGL:002,002,,010
0001FF0080000002C827
+CMGL:003,002,,031
0001FF008000001ACD62910A6A1641412A888A2C828C49E9940A823283C322
OK
Exec Command String: “AT+CPBS="LD"; +CPBR=1,10; +CPBS="MT"; +CPBR=1,255; -MSGEO”
Output Example:
+CPBR:001,"005095551212",129,""
+CPBR:002,"005065551212",129,""
+CPBR:003,"0017275551212",129,""
+CPBR:004,"5095551212",129,""
+CPBR:005,"+5355512124",145,"ROLY"
+CPBR:006,"00130545551212",129,""
+CPBR:007,"0013055551212",129,""
+CPBR:008,"0013055551212",129,""
+CPBR:009,"0013055551212",129,""
+CPBR:010,"0013055551212",129,""
+CPBR:001,"+533155551212",145,"SAM"
+CPBR:002,"+345641235",145,"JIM"
+CPBR:003,"+440235647864",145,"BARRY"
+CPBR:101,"+4404531278435",145,"JAIMIE"
-MSGEO: 890,-5256,2677,f321df8c
OK
Ensure there are no errors in the output. If you encounter errors execute the commands individually with AT preceding each one. Example “AT-MSGEO”
Data Analysis:
Assigned Handset Number Breakdown (a.k.a. Phone Number, encoded on SIM Card)
- 8816-214 - Commercial Accounts
- 8816-310 - Test/Demo Accounts
- 8816-314 - Commercial Accounts
- 8816-315 - Prepaid Accounts
- 8816-316 - Prepaid Accounts
- 8816-317 - Colombia Ministry of Defense
- 8816-318 - Crew Calling Card
- 8816-414 - Commercial Accounts
- 8816-415 - Prepaid Accounts
Iridium Dialing Services - These are numbers that may be found in the last dialed calls, phonebook, or toll records.
- 8816 -000021 - Direct Internet (Internet Service using TCP/IP stack)
- 8816 -000022 - Internet Access.
- 8816 -000023 - Internet Access.
- 8816 -00005XX - A custom device that calls Iridium Gateway and is telneted to a TCP/IP Address and Port (fixed, not dynamic)
- 8816 -00006XX - PPP/MLPPP type of connection. This is just a normal computer accessing the Internet with either a single line/phone or multiple lines/phones.
- 8816 -00009XX - Testing number for troubleshooting customers; no commercial traffic. All of this traffic is controlled.
SMS Messages – The content of the SMS messages is output in hexadecimal PDU format and needs to be decoded. PDUspy is a free decoder. Copy the hexadecimal output and paste it into the Manual tab in PDUspy, select the appropriate settings (whether the message is incoming or outgoing, and the “a SMSC header” button), and then decode.
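For an examiner who wants to check a PDUspy result, or decode a +CMGL capture offline, here is a decoder for the GSM 03.40 TPDU layout described above. This is an added example, not code from the guide or from PDUspy; it handles the SMS-SUBMIT (outgoing/stored) and SMS-DELIVER (incoming) message types with the default 7-bit alphabet or UCS-2 text, and the sample PDUs used to exercise it are the ones printed in the +CMGL output examples on this page.

```python
# GSM 03.38 default 7-bit alphabet, indexed by septet value (0x1B is the escape)
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789"
        ":;<=>?¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")

def unpack_7bit(data: bytes, septets: int) -> str:
    """Unpack GSM 7-bit packed user data (septets, LSB first) into text."""
    acc, nbits, out = 0, 0, []
    for b in data:
        acc |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(GSM7[acc & 0x7F])
            acc, nbits = acc >> 7, nbits - 7
    return "".join(out)

def semi_octets(raw: bytes, ndigits: int) -> str:
    """Decode swapped-nibble BCD digits, e.g. bytes 21 43 -> '1234' (F pads an odd count)."""
    return "".join(f"{b & 0xF:X}{b >> 4:X}" for b in raw)[:ndigits].rstrip("F")

def decode_pdu(hexpdu: str) -> dict:
    """Parse the SMSC address plus an SMS-SUBMIT or SMS-DELIVER TPDU (GSM 03.40)."""
    p = bytes.fromhex(hexpdu)
    smsc_len = p[0]                              # octets of SMSC address (0 = none, as in the guide)
    smsc = semi_octets(p[2:1 + smsc_len], (smsc_len - 1) * 2) if smsc_len else ""
    pos = 1 + smsc_len
    first, pos = p[pos], pos + 1
    mti = first & 0x03                           # 0 = DELIVER (received), 1 = SUBMIT (sent/unsent)
    msg = {"smsc": smsc, "type": {0: "SMS-DELIVER", 1: "SMS-SUBMIT"}.get(mti, "OTHER")}
    if mti == 1:
        msg["mr"], pos = p[pos], pos + 1         # TP-Message-Reference
    ndig, toa, pos = p[pos], p[pos + 1], pos + 2  # address digit count and type-of-address
    nbytes = (ndig + 1) // 2
    num = semi_octets(p[pos:pos + nbytes], ndig)
    msg["address"] = ("+" if toa & 0x70 == 0x10 else "") + num  # 0x91 (145) = international
    pos += nbytes
    dcs, pos = p[pos + 1], pos + 2               # skip TP-PID, keep the data coding scheme
    if mti == 0:                                 # DELIVER carries a 7-byte service-centre timestamp
        t = semi_octets(p[pos:pos + 7], 14)
        msg["scts"] = f"20{t[0:2]}-{t[2:4]}-{t[4:6]} {t[6:8]}:{t[8:10]}:{t[10:12]}"
        pos += 7
    else:                                        # SUBMIT: optional validity period, VPF = bits 3-4
        pos += {0: 0, 1: 7, 2: 1, 3: 7}[(first >> 3) & 0x03]
    udl, ud = p[pos], p[pos + 1:]
    if dcs & 0x0C == 0x08:                       # UCS-2 user data, UDL counts octets
        msg["text"] = ud[:udl].decode("utf-16-be")
    else:                                        # default 7-bit alphabet, UDL counts septets
        msg["text"] = unpack_7bit(ud, udl)
    return msg
```

Running decode_pdu on the third PDU of the combined command output above (index 003, 31 octets) yields an SMS-SUBMIT with no destination address and the text "MEET ME AT THE FIRST PLACE"; the two 10-octet entries decode to "YO" and "HO".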
Geolocation Data – The ability to retrieve geolocation information from Iridium handsets is relatively new and has only been implemented in 9505 and 9505A handsets with firmware versions SAC0201, LAC03xx, SAC03xx or above. The output of the MSGEO command returns X, Y, Z coordinates and a timestamp. A decoding process can be run to convert the output into latitude and longitude and the time the fix was taken.
* Note - The MSGEO command can be executed even if the handset is locked.
Iridium Geolocation Conversion Tool - by Radio Tactics Limited: accepts the x, y, z coordinates and timestamp output from the AT-MSGEO command, e.g. 756,-5520,3092,f321df8c.
The accuracy of the geolocation data depends on many variables. Iridium's published error rate is 12 miles.
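The HyperTerminal capture file produced by the command strings above is plain text, so the phonebook entries, PDU-mode SMS records and the -MSGEO fix can be pulled out programmatically. The following parser is an added example, not code from the guide or from the Radio Tactics tool: it applies the guide's handset/SIM position rule (1-100 vs 101-255), keeps the 145/129 type-of-address flag, and converts the x, y, z values to a geocentric latitude/longitude on the assumption (mine, not stated on this page) that they are Earth-centred Cartesian coordinates in kilometres; the timestamp is kept as the raw hex string. The CAPTURE text is constructed from lines in the output examples above.

```python
import math
import re
# Constructed sample of a HyperTerminal capture, built from lines in the guide's output examples
CAPTURE = """\
+CPBR:001,"005095551212",129,""
+CPBR:005,"+5355512124",145,"ROLY"
+CPBR:101,"+4404531278435",145,"JAIMIE"
+CMGL:001,002,,010
0001FF0080000002D927
-MSGEO: 756,-5520,3092,f321df8c
OK
"""

CPBR = re.compile(r'^\+CPBR:\s*(\d+),"([^"]*)",(\d+),"([^"]*)"')
CMGL = re.compile(r'^\+CMGL:\s*(\d+),(\d+),([^,]*),(\d+)')
MSGEO = re.compile(r'^-MSGEO:\s*(-?\d+),(-?\d+),(-?\d+),([0-9a-fA-F]+)')
STAT = {0: "REC UNREAD", 1: "REC READ", 2: "STO UNSENT", 3: "STO SENT"}

def phonebook_source(index: int) -> str:
    """Guide's rule for the MT phonebook: positions 1-100 are handset memory, 101-255 the SIM."""
    return "handset" if index <= 100 else "SIM"

def ecef_to_latlon(x: float, y: float, z: float) -> tuple:
    """Geocentric lat/lon from -MSGEO x,y,z; assumes Earth-centred km on a spherical Earth."""
    lat = math.degrees(math.atan2(z, math.hypot(x, y)))
    lon = math.degrees(math.atan2(y, x))
    return round(lat, 2), round(lon, 2)

def parse_capture(text: str) -> dict:
    """Pull phonebook entries, SMS PDUs and the geolocation fix out of a capture file."""
    out = {"contacts": [], "sms": [], "geo": None}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if m := CPBR.match(line):
            idx, toa = int(m[1]), int(m[3])
            out["contacts"].append({"index": idx, "source": phonebook_source(idx), "number": m[2],
                                    "international": toa == 145, "name": m[4]})
        elif m := CMGL.match(line):
            # PDU mode: the hexadecimal TPDU is on the line after the +CMGL header
            out["sms"].append({"index": int(m[1]), "stat": STAT.get(int(m[2]), m[2]),
                               "length": int(m[4]), "pdu": lines[i + 1].strip()})
            i += 1
        elif m := MSGEO.match(line):
            x, y, z = (int(v) for v in m.groups()[:3])
            out["geo"] = {"xyz": (x, y, z), "latlon": ecef_to_latlon(x, y, z), "timestamp": m[4]}
        i += 1
    return out
```

Under the stated coordinate assumption the sample fix 756,-5520,3092 lands at roughly 29.0 N, 82.2 W, which is consistent with the 727 (Tampa area) numbers in the last-dialed list above; treat it as a sanity check on the conversion tool, not as a substitute for it.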
Recommended Seizure Techniques: Iridium handsets are constantly communicating with the satellite constellation and receiving information from the gateway. When a device is seized be aware that turning it off, if you do not have the unlock code or SIM pin, could lock the device and require interaction with Iridium to gain access again. However, if the phone is not turned off it will continue to update its position data and erase the last dialed calls or SMS messages if new calls or messages are received.
It is possible to use a faraday bag to negate both concerns. Depending on the time span until the device can be examined, power consumption/supply is a consideration. Another option would be to remove the external antenna. Preliminary testing shows that this will not allow the handset to communicate with the constellation.
When you are ready to examine the device it should be inside, away from windows, so the device does not have a clear view of the sky. If the handset establishes a satellite lock and registers with the gateway, it will overwrite the last known position data found using the -MSGEO command.
Tools Available: There are currently no commercially available SATCOM device analysis tools.