[Crypto-chi] IMSI Catchers / How to break two cell phones

Freddy Martinez freddymartinez9 at gmail.com
Sun Jan 25 14:59:50 CST 2015


Hi Folks,

Thanks everyone for staying late and talking IMSI Catchers / SS7
attacks at Triple C last night.  If you want the slides or references,
please email me off the list. (I don't intend to publish my talk, they
are a draft for another project).

Below are my experiences with Android phones. Good luck and please
email me with questions.

I was able to get SnoopSnitch and AIMSICD installed on a LG Nexus 5.
It took a bit longer than expected (2 days).  First I tried to do it
on a pre-paid Moto G but that didn't work.  The problem is that AT&T
locked the bootloader and Motorola is just horrible when it comes to
locked bootloaders. So if you want to get a dedicated phone for IMSI
catcher catching, I recommend getting the Moto E online (pay cash for
an Amazon gift card) and that *should* have an unlockable bootloader.
But don't get an AT&T Moto G.  It's a waste of time and money.

So I unlocked and rooted the Nexus 5. Before you start, you *need* to
use 4.4.4, the 5.0 and 5.0.1 OS have incompatible kernels (that
baseband!).

So first unlock the bootloader. I recommend the Clockwork recovery
image. (use the clockwork-touch image! It has to be touch). Then
rename your files and load them

mv recovery-clockwork-touch-6.0 recovery.img
fastboot flash recovery recovery.img

But that still didn't work (OS was 5.0.1) so I went to the Google
developers page, found the stock Android 4.4.4 image (in my case
ktu84p) and reinstalled it.  Reboot into the bootloader and then run

./flash_all.sh

Finally boot into recovery mode and push the SU package for root.
Sideload it using ADB.

adb sideload UPDATE-SuperSUv2.45.zip

Reboot and install the APKs as normal.

That worked. Happy hunting.

Freddy M
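Added example (my own script, not Freddy's): the steps from the message wrapped into a shell script with a pre-flight check for the 4.4.4 requirement he mentions. It assumes adb and fastboot are on PATH, that the factory image's flash_all.sh is in the current directory, and uses the file names from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes adb/fastboot on PATH
# and a Nexus 5 connected over USB; file names are the ones in the post.
set -eu

RECOVERY_SRC="recovery-clockwork-touch-6.0"   # ClockworkMod touch image
SU_ZIP="UPDATE-SuperSUv2.45.zip"              # SuperSU sideload package

# 0 = release the post says works (4.4.4); 1 = 5.0 / 5.0.1, which the post
# says have incompatible kernels; 2 = anything else (stop, check by hand).
version_supported() {
    case "$1" in
        4.4.4)     return 0 ;;
        5.0|5.0.1) return 1 ;;
        *)         return 2 ;;
    esac
}

# Android release string as reported by the connected device.
device_release() {
    adb shell getprop ro.build.version.release | tr -d '\r\n'
}

flash_device() {
    rel=$(device_release)
    if ! version_supported "$rel"; then
        echo "device runs Android $rel: reflash stock 4.4.4 first" >&2
        echo "(reboot to bootloader and run ./flash_all.sh, as in the post)" >&2
        return 1
    fi
    adb reboot bootloader
    fastboot oem unlock                  # wipes the phone; confirm on screen
    cp "$RECOVERY_SRC" recovery.img      # the rename step from the post
    fastboot flash recovery recovery.img
    fastboot boot recovery.img           # boot straight into the new recovery
    printf 'Select "install zip > sideload" in recovery, then press Enter: '
    read -r _
    adb sideload "$SU_ZIP"               # push SuperSU for root
    adb reboot
}

# Only touch a device when explicitly asked; sourcing the file just
# defines the functions above.
if [ "${DO_FLASH:-0}" = "1" ]; then
    flash_device
fi
```

Run it as `DO_FLASH=1 ./root-nexus5.sh`; without DO_FLASH it only defines the functions, so the version check can be exercised on its own.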
