
Tuesday, October 11, 2016

Replace Short Message - Explanation & Demo

This article contains some technical stuff about the SMS PDU structure. Please read this article first : SMS PDU Structure.

I noticed that there is no real demo of the TP-PID Replace Short Message Type 1-7 feature. I think that's a shame, because it is harmless and a pretty cool way to mess with people.

So I created the following video, which shows what Replace Short Message really does.


To be added...




How did that happen?!


Well, there is no need to hack into the phone in order to change this kind of message. All that has to be done is to use the service exactly as the specification describes it.

According to 3GPP TS 23.040:

The Replace Short Message feature is optional for the ME and the (U)SIM but if implemented it shall be performed as described here.

For MT short messages, on receipt of a short message from the SC, the MS shall check to see if the associated Protocol Identifier contains a Replace Short Message Type code. If such a code is present, then the MS shall check the originating address and replace any existing stored message having the same Protocol Identifier code and originating address with the new short message and other parameter values. If there is no message to be replaced, the MS shall store the message in the normal way. The MS may also check the SC address as well as the Originating Address. However, in a network which has multiple SCs, it is possible for a Replace Message type for a SM to be sent via different SCs and so it is recommended that the SC address should not be checked by the MS unless the application specifically requires such a check.

If a Replace Short Message Type code is not present then the MS shall store the message in the normal way.

To sum up the above section: a received SMS whose TP-PID is one of the Replace Short Message types (values 0x41 to 0x47, i.e. Type 1 to Type 7) will replace any stored SMS that has the same originating address and the same TP-PID. Both conditions must match; a different Replace type from the same sender, or the same type from a different sender, is stored as a new message.

So one subscriber can send another up to 7 distinct messages (one per Replace type), each of which can later be overwritten independently by sending a new message with the same TP-PID.

In the demo video, I sent the following SMS PDUs:


0001000C91**************41040C486F772061726520796F753F
0001000C91**************4104124F6F70732E2E2E204368616E676564203A2F

Here is a detailed explanation of the PDUs (walking through the first one; the second differs only in its user data length and content):

  • 00 - the SMSC address length. A value of 00 tells the phone to use the SMSC address stored on the SIM card.
  • 01 - the first octet: TP-MTI = SMS-SUBMIT, with no validity period field present.
  • 00 - TP-MR, the message reference number. Not important for this demo.
  • 0C91************** - TP-DA, the address of the destination.
    • 0C - the length of the address, counted in digits (12).
    • 91 - the TON/NPI (international number, ISDN/telephone numbering plan).
    • ************** - the semi-octet BCD digits (masked, of course).
  • 41 - TP-PID: Replace Short Message Type 1.
  • 04 - TP-DCS, the data coding scheme. I used 8-bit encoding rather than packing GSM 7-bit, so the content is plain ASCII bytes.
  • 0C - TP-UDL, the length of the message content in octets (12 here; the second PDU has 0x12 = 18).
  • The rest of the PDU is the content (TP-UD).
The only differences between the two messages I sent are the user data length (0C vs 12 hex) and the content itself. In the first one, the content was ASCII-coded "How are you?", while in the second it was "Oops... Changed :/".

As you may notice, the TP-PID did not change between the two messages, and since both were sent from the same SIM, the originating address that the SC inserts into the delivered message (TP-OA) was the same as well. That is all the receiving phone checks.
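To tie the spec rule and the PDU breakdown together, here is an added Python example (not the author's code; the author's material is the two raw PDUs above). It builds SMS-SUBMIT PDUs of the same shape as the demo ones, parses them back into fields, and models the handset-side Replace Short Message rule from TS 23.040. The phone numbers and the inbox list are constructed for illustration, and the SC's conversion of SMS-SUBMIT into SMS-DELIVER is simplified to passing the sender's number straight through as the originating address.

```python
"""Added example (not from the original post): build and parse SMS-SUBMIT PDUs
carrying a Replace Short Message TP-PID, then model the handset-side replace
rule from 3GPP TS 23.040. Phone numbers are constructed placeholders."""

REPLACE_PIDS = range(0x41, 0x48)   # TP-PID Replace Short Message Type 1..7


def encode_number(digits: str) -> bytes:
    """Semi-octet BCD: digits swapped pairwise, odd length padded with F."""
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1] + digits[i], 16)
                 for i in range(0, len(digits), 2))


def decode_number(octets: bytes, ndigits: int) -> str:
    """Inverse of encode_number; drops the F padding nibble if present."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in octets)[:ndigits]


def build_submit(dest: str, pid: int, text: str, mr: int = 0) -> bytes:
    """SMS-SUBMIT with no validity period and TP-DCS 0x04 (8-bit data)."""
    ud = text.encode("latin-1")
    head = bytes([
        0x00,        # SCA length 0: let the phone use the SMSC stored on the SIM
        0x01,        # TP-MTI = SMS-SUBMIT, TP-VPF = 00 (no TP-VP field)
        mr,          # TP-MR
        len(dest),   # TP-DA length, counted in digits
        0x91,        # TON = international, NPI = ISDN/telephone
    ])
    tail = bytes([pid, 0x04, len(ud)])   # TP-PID, TP-DCS, TP-UDL (octets for 8-bit)
    return head + encode_number(dest) + tail + ud


def parse_submit(pdu: bytes) -> dict:
    """Parse the fields build_submit emits (8-bit DCS only; TP-VP is skipped)."""
    p = 1 + pdu[0]                        # skip SCA length byte and SCA octets
    first = pdu[p]
    if first & 0x03 != 0x01:
        raise ValueError("not an SMS-SUBMIT PDU")
    vpf = (first >> 3) & 0x03
    mr, ndigits, toa = pdu[p + 1], pdu[p + 2], pdu[p + 3]
    p += 4
    nocts = (ndigits + 1) // 2
    dest = decode_number(pdu[p:p + nocts], ndigits)
    p += nocts
    pid, dcs = pdu[p], pdu[p + 1]
    p += 2
    p += {0: 0, 2: 1, 1: 7, 3: 7}[vpf]    # TP-VP absent, relative (1 octet) or absolute/enhanced (7)
    if dcs & 0xCC != 0x04:
        raise ValueError(f"DCS {dcs:#04x} is not 8-bit general data coding")
    udl = pdu[p]
    ud = pdu[p + 1:p + 1 + udl]
    return {"mr": mr, "toa": toa, "dest": dest, "pid": pid,
            "dcs": dcs, "text": ud.decode("latin-1")}


def deliver(inbox: list, originating: str, pid: int, text: str) -> list:
    """Store a delivered SM in `inbox` following the TS 23.040 rule: a Replace
    Type code overwrites an existing message with the same TP-OA and TP-PID;
    anything else (or no match) is stored normally."""
    if pid in REPLACE_PIDS:
        for i, m in enumerate(inbox):
            if m["from"] == originating and m["pid"] == pid:
                inbox[i] = {"from": originating, "pid": pid, "text": text}
                return inbox
    inbox.append({"from": originating, "pid": pid, "text": text})
    return inbox


def demo() -> list:
    """Re-run the post's two-message demo against the model above."""
    sender, dest = "972500000000", "972500000001"   # constructed, not real numbers
    pdus = [build_submit(dest, 0x41, "How are you?"),
            build_submit(dest, 0x41, "Oops... Changed :/")]
    inbox = []
    for pdu in pdus:
        m = parse_submit(pdu)
        # The SC turns the SMS-SUBMIT into an SMS-DELIVER, copying TP-PID and
        # inserting the sender's number as TP-OA; modelled by passing `sender`.
        deliver(inbox, sender, m["pid"], m["text"])
    return inbox


if __name__ == "__main__":
    for pdu in (build_submit("972500000001", 0x41, "How are you?"),
                build_submit("972500000001", 0x41, "Oops... Changed :/")):
        print(pdu.hex().upper())
    print(demo())      # one stored message, holding the second text
```

Running the block prints two PDUs that match the post's, apart from the masked destination digits, and an inbox holding a single entry with the second text. Changing the TP-PID of the second message to 0x42, or the sender, makes deliver() store it alongside the first instead, which is exactly the two-condition check the spec quotes above.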



Conclusion


As the video and the explanation show, if two messages have the same originating address and the same Replace Short Message TP-PID value, the newer message replaces the older one on the receiving phone.

As you can see, this is harmless. But now you can trick your friends and family; people will think you are a world class hacker (;


Resources :
