re evdo usb card modem

[lowell123]

is there any embeded software to check its current evdo enviroment with zte evdo reva usb data card modem

[zloy_qwer]

Which parameters of EVDO card you want to check?

[carver]

you always can check any layer3 message from BSC, and modem state, in QXDM. ;-)

...if anybody need support, always try write more detail, time so expensive,
so no time for ask about you enviroment or you problem.

[kocoman]

How do you check Layer 3 message? I am trying to fix a PPP/CHAP problem with the modem. I like to use #777 and use the NAI settings from the PHONE/MODEM itself. (and not from "Windows Dialup" - leave those blank)

I looked at Filter View and Logging view but don't know what to "check off".

TIA

[carver]

try google for 80-W1259-1 Rev.C 1xEV-DO REVISION A SESSION NEGOTIATION EXAMPLE, or newer.

[kocoman]

ok, I managed to figure it out myself

Sniffing the Paging channel-Wonder where/when your friend get a call or SMS nearby?

Passive Sniffing the "Paging Channel"
These "paging messages" are transmitted OTA without encryption.

Wondering how the "Car warranty/Telus Scam automated messages to get your credit card number" got your secret/unlisted phone

number?

Wonder where/when your friend "receive" a call or "receive" SMS nearby?

I think this is called Layer 3 tracing
You have to monitor the "0x1007 Paging Channel Message -- General Page Msg"

- Short Message Services IS-637 (tower attempts to send sms to the user)
- EVRC 8K Voice (someone's calling him/her)
- (RS2 Voice, QCELP) (older "Qualcomm Code Excited Linear Prediction" voice codec??)

These were scanned using a normal phone connected to qxdm then log pharsed with Qcat.

----
2009 [14] 0x1007 Paging Channel Message -- General Page Msg ( slot = x )
protocol_rev = 6 (0x6) (IS2000 Rev 0)
chan_type = 1 (0x1) (Paging)
chan
pc_msg
gen
prot_disc = 0 (0x0)
msg_id = 17 (0x11) (General Page)
gen_page
config_msg_seq = 4 (0x4)
acc_msg_seq = 32 (0x20)
class_0_done = 1 (0x1)
class_1_done = 1 (0x1)
tmsi_done = 1 (0x1)
ordered_tmsis = 0 (0x0)
broadcast_done = 1 (0x1)
add_length = 0 (0x0)
num_pages = 1 (0x1)
gen_page[0]
page_class = 0 (0x0)
page_subclass = 0 (0x0)
rec
format0
msg_seq = 3 (0x3)
imsi_s[HI] = 2 (0x2)
imsi_s[LO] = 410xx55 (0x1xxxb7) (647-xxx-7x94)
special_service = 1 (0x1)
service_option = 3 (0x3) (EVRC 8K Voice)

2009 [24] 0x1007 Paging Channel Message -- General Page Msg ( slot = x )
protocol_rev = 6 (0x6) (IS2000 Rev 0)
chan_type = 1 (0x1) (Paging)
chan
pc_msg
gen
prot_disc = 0 (0x0)
msg_id = 17 (0x11) (General Page)
gen_page
config_msg_seq = 4 (0x4)
acc_msg_seq = 32 (0x20)
class_0_done = 1 (0x1)
class_1_done = 1 (0x1)
tmsi_done = 1 (0x1)
ordered_tmsis = 0 (0x0)
broadcast_done = 1 (0x1)
add_length = 0 (0x0)
num_pages = 2 (0x2)
gen_page[0]
page_class = 0 (0x0)
page_subclass = 0 (0x0)
rec
format0
msg_seq = 0 (0x0)
imsi_s[HI] = 2 (0x2)
imsi_s[LO] = 30xx28 (0xbxx844) (705-xxx-01x9)
special_service = 1 (0x1)
service_option = 6 (0x6) (Short Message Services IS-637)
gen_page[1]
page_class = 0 (0x0)
page_subclass = 0 (0x0)
rec
format0
msg_seq = 3 (0x3)
imsi_s[HI] = 2 (0x2)
imsi_s[LO] = 415xxx37 (0x1xxx59) (647-xxx-91x0)
special_service = 1 (0x1)
service_option = 3 (0x3) (EVRC 8K Voice)
2009 [35] 0x1007 Paging Channel Message -- General Page Msg ( slot = x)
protocol_rev = 6 (0x6) (IS2000 Rev 0)
chan_type = 1 (0x1) (Paging)
chan
pc_msg
gen
prot_disc = 0 (0x0)
msg_id = 17 (0x11) (General Page)
gen_page
config_msg_seq = 4 (0x4)
acc_msg_seq = 32 (0x20)
class_0_done = 1 (0x1)
class_1_done = 1 (0x1)
tmsi_done = 1 (0x1)
ordered_tmsis = 0 (0x0)
broadcast_done = 1 (0x1)
add_length = 0 (0x0)
num_pages = 4 (0x4)
gen_page[0]
page_class = 0 (0x0)
page_subclass = 0 (0x0)
rec
format0
msg_seq = 3 (0x3)
imsi_s[HI] = 1 (0x1)
imsi_s[LO] = 83xxx22 (0xxxb46) (416-xxx-6x49)
special_service = 1 (0x1)
service_option = 6 (0x6) (Short Message Services IS-637)
gen_page[1]
page_class = 0 (0x0)
page_subclass = 0 (0x0)
rec
format0
msg_seq = 5 (0x5)
imsi_s[HI] = 1 (0x1)
imsi_s[LO] = 83xx85 (0x3xx7cd) (416-xxx-50x4)
special_service = 1 (0x1)
service_option = 6 (0x6) (Short Message Services IS-637)
gen_page[2]
page_class = 0 (0x0)
page_subclass = 0 (0x0)
rec
format0
msg_seq = 1 (0x1)
imsi_s[HI] = 2 (0x2)
imsi_s[LO] = 40xx2845 (0x1xx8b8d) (647-xxx-20x0)
special_service = 1 (0x1)
service_option = 6 (0x6) (Short Message Services IS-637)
gen_page[3]
page_class = 0 (0x0)
page_subclass = 0 (0x0)
rec
format0
msg_seq = 5 (0x5)
imsi_s[HI] = 1 (0x1)
imsi_s[LO] = 83xx178 (0x31xxda) (416-xxx-25x5)
special_service = 1 (0x1)
service_option = 3 (0x3) (EVRC 8K Voice)

2009 [04] 0x1007 Paging Channel Message -- General Page Msg ( slot = x)
protocol_rev = 6 (0x6) (IS2000 Rev 0)
chan_type = 1 (0x1) (Paging)
chan
pc_msg
gen
prot_disc = 0 (0x0)
msg_id = 17 (0x11) (General Page)
gen_page
config_msg_seq = 4 (0x4)
acc_msg_seq = 32 (0x20)
class_0_done = 1 (0x1)
class_1_done = 1 (0x1)
tmsi_done = 1 (0x1)
ordered_tmsis = 0 (0x0)
broadcast_done = 1 (0x1)
add_length = 0 (0x0)
num_pages = 1 (0x1)
gen_page[0]
page_class = 0 (0x0)
page_subclass = 0 (0x0)
rec
format0
msg_seq = 0 (0x0)
imsi_s[HI] = 1 (0x1)
imsi_s[LO] = 825xx6335 (0xxx909f) (416-xxx-4x60)
special_service = 1 (0x1)
service_option = 3 (0x3) (EVRC 8K Voice)



----


Also, with EVDO, you can get the tower's "location", but it needs some adjusting because its not "Exactly" Latitude and

Longitude.

for evdo:

country_code = 1 (0xx) (BCD: 0xx)
sector_id[0] = x (0xx0)
sector_id[1] = x (0x0)
sector_id[2] = x (0x0)
sector_id[3] = x (0x0)
sector_id[4] = x (0x)
sector_id[5] = x (0xx)
sector_id[6] = x (0xxx)
sector_id[7] = x (0xx)
subnet_mask = xx (0xx)
sector_signature = x (0xx)
latitude = xxxxxx (0xxf0) <- these has values filled in (same everytime you connect to THAT tower)
longitude = xxxxxxx (0xx0)


I am able to map NEAR where my phone uses the towers. Have not tried it yet with 1x towers,

for 1x:
base_lat = 0 (0x0) (0ø0'0.0"N)
base_long = 0 (0x0) (0ø0'0.0"E)
reg_dist = 0 (0x0) (Distance Based Registration DISABLED)

Maybe? esn scanning is possible too, but will post about it if make some progress.

maybe have to enable agps on my phone?

Also, Bell uses the Cisco network cards? keeps sending "level_15_access" when you use the http page, Telus also has those

telnet ports you can access but no idea about how to login.

If anyone is interested, can post more info about how to do it.

This is the esn part:

2009 [25] 0x1007 Paging Channel Message -- Order Msg
protocol_rev = 6 (0x6) (IS2000 Rev 0)
chan_type = 1 (0x1) (Paging)
chan
pc_msg
gen
prot_disc = 0 (0x0)
msg_id = 7 (0x7) (Order)
pc_ord
num_ords = 1 (0x1)
ords[0]
gen
hdr
ack_seq = 5 (0x5)
msg_seq = 0 (0x0)
ack_req = 0 (0x0)
valid_ack = 1 (0x1)
addr_type = 1 (0x1)
addr
type1
esn_len = 4 (0x4)
esn[HI] = 0 (0x0)
esn[LO] = 3xx32 (0x1xx95c) That phone is an LG
order = 16 (0x10) (Base Station Acknowledgement Order)

If you scan long enough and with Excel, etc you can map out the esn of Telus (instead of going behind the counter at walmart to copy esn)

For esn link to phone, maybe need to scan:

2009 [27] 0x1004 Access Channel Message -- Registration Msg
or

2009 [27] 0x1004 Access Channel Message -- Page Response Msg

Will post back if there is any result on the above two.

[goldin]

I am a learner and new to this site. Hope for the Best