Category Archives: Electronics

Catching IMSI Catchers: Part 1

I had picked up a GSM/GPRS shield for my Arduino a while back without any specific plans for it — I just thought it would be cool to have a project in the future that was able to communicate wirelessly over the Internet, either for reporting purposes or to react to events (texts, tweets, etc.).

After reports came out regarding local law enforcement’s use of IMSI catching devices like the Harris Stingray, I decided to start experimenting with the shield as a means of at least detecting the use of IMSI catching devices. Since I believe in the balance of power between law enforcement and citizens, and strongly believe in privacy rights, I wish there were countermeasures (blacklisting after discovery?) that could be developed, but perhaps that is the next step after accurate detection of the devices in the first place. The project is still under development, but so far here are my assumptions and how they figure into my plan of action.

Assumptions & Background Knowledge

IMSI catchers generally broadcast an extraordinarily strong signal to ensure that target cell phones in the area opt to connect to it rather than to real cell towers. This means signal strength analysis is important for identifying an IMSI catcher.
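As an added illustration of the signal strength idea (this is example code written for this post, not the author's sketch), the following C++ reads the `+CSQ: <rssi>,<ber>` responses that a GSM modem returns to `AT+CSQ`, converts the RSSI index to dBm using the standard 3GPP TS 27.007 mapping, keeps a running baseline, and flags a reading that jumps far above that baseline. The smoothing factor, the 20 dB jump threshold, the warm-up count, and the sample responses are all constructed assumptions; the rest of an Arduino sketch (serial I/O with the shield, logging) is left out.

```cpp
// Added example, not code from the original post: flag an abnormally strong
// cell signal from AT+CSQ responses. Thresholds and samples are constructed.
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Convert the 3GPP TS 27.007 <rssi> index from AT+CSQ into dBm.
// 0 => -113 dBm or less, 1 => -111, 2..30 => -109..-53, 31 => -51 or better.
// 99 (and anything out of range) means "unknown"; we return 0 for that.
int csqToDbm(int rssi) {
    if (rssi < 0 || rssi > 31) return 0;
    return -113 + 2 * rssi;
}

// Parse a "+CSQ: <rssi>,<ber>" line. Returns false for any other modem output.
bool parseCsq(const std::string& line, int& rssi, int& ber) {
    const char* p = line.c_str();
    while (*p == ' ' || *p == '\r' || *p == '\n') ++p;
    if (strncmp(p, "+CSQ:", 5) != 0) return false;
    return sscanf(p + 5, " %d,%d", &rssi, &ber) == 2;
}

struct SignalMonitor {
    static constexpr double alpha = 0.2;   // EMA smoothing factor (assumption)
    static constexpr double jumpDb = 20.0; // rise above baseline that is flagged (assumption)
    static constexpr int warmup = 5;       // readings needed before alerting (assumption)
    double baselineDbm = 0;                // exponential moving average of dBm readings
    int samples = 0;

    // Feed one dBm reading; returns true if it is suspiciously strong.
    bool update(int dbm) {
        if (dbm == 0) return false;        // unknown reading, ignore it entirely
        if (samples == 0) baselineDbm = dbm;
        bool alert = samples >= warmup && (dbm - baselineDbm) >= jumpDb;
        // An outlier must not drag the baseline up, so only learn from normal readings.
        if (!alert) baselineDbm = alpha * dbm + (1 - alpha) * baselineDbm;
        ++samples;
        return alert;
    }
};

// Run modem response lines through the monitor; returns indexes of flagged lines.
std::vector<int> scanResponses(const std::vector<std::string>& lines) {
    SignalMonitor mon;
    std::vector<int> flagged;
    for (size_t i = 0; i < lines.size(); ++i) {
        int rssi = 99, ber = 99;
        if (!parseCsq(lines[i], rssi, ber)) continue;   // skip "OK" and other output
        if (mon.update(csqToDbm(rssi))) flagged.push_back(static_cast<int>(i));
    }
    return flagged;
}

// Constructed sample log: a stable tower around -85 dBm, one unknown reading,
// then a sudden -55 dBm "tower" (index 8) before the original level returns.
const std::vector<std::string> kSampleResponses = {
    "+CSQ: 14,0", "+CSQ: 15,0", "+CSQ: 13,0", "OK", "+CSQ: 99,99",
    "+CSQ: 14,0", "+CSQ: 14,0", "+CSQ: 15,0", "+CSQ: 29,0", "+CSQ: 14,0",
};

int main() {
    for (int idx : scanResponses(kSampleResponses))
        printf("suspiciously strong signal at line %d: %s\n", idx, kSampleResponses[idx].c_str());
    return 0;
}
```

A real sketch would poll `AT+CSQ` on a timer and log the flagged readings alongside the serving cell identity, since a strong signal alone is only one of the indicators discussed here.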

Further, most, if not all, IMSI catchers interrupt service to some degree. Since they aren’t part of the true cell phone network, issues typically arise when receiving calls and/or texts. It should also be possible to leverage this during the IMSI catcher identification process. I’m thinking an SMS notification service like Amazon’s SNS could be useful here: have the Arduino trigger texts to itself (since data typically still operates even when connected to an IMSI catcher) and see whether they are actually delivered in a timely manner. This could indicate whether the Arduino is connected to a false tower.

We also know there are multiple physical deployment options for IMSI catchers, from stationary devices, to ground-based semi-mobile (e.g. surveillance vans), to airborne (e.g. drones and specially equipped planes, with assistance from the CIA). Since many of these can be mobile, I think my detection of the devices will have to be from stationary position(s), so that it is possible to detect the movement of the “tower” through signal strength changes and/or triangulation.

It may also be an interesting exercise to toggle through a number of directional antennae (or a single, rotating directional antenna) to see if the direction of the tower or IMSI device could be deduced, potentially leading to the ability to confront and shame law enforcement personnel utilizing the device (say, from a surveillance van) against innocent individuals’ devices (i.e. my Arduino “phone” which has never even made a call).

Out of convenience, and for lack of an adapter for my phone’s existing nano SIM card, I picked up a prepaid GSM SIM from the local Dollar General for about $10 for the kit, and $35 for the first month of service.

Next Steps

I plan to get acquainted with the GSM shield and commands to see what I need to do to create a device that can alert to and log the presence of potentially fake GSM towers, preferably with GPS coordinates marking the location of detection, and possible base station locations.

More to come as this project progresses.  I also recently picked up an RTL-SDR device that should allow straight up spectrum analysis in GSM frequency ranges, so that may change the direction of this project as well.

Since novel legal techniques are being used to suppress information regarding the use of these devices by law enforcement (non-disclosure agreements between law enforcement and the manufacturer, which somehow trump Constitutional concerns, WTF?), it is time for this citizen to take matters into his own hands to at least reveal the extent of surveillance being performed on the average American using Stingray-like IMSI capturing devices. It has become clear from the Snowden revelations that the court system cannot be relied upon to protect citizens, or even to provide information with respect to FOIA requests. The only alternative is to play the same game the government is playing, utilizing technology, but play it back harder in order to force transparency in these programs.

Throwback: Video Recording Hack on the Palm Pre

This is a throwback post, but I never documented my experience regarding hacking the Palm Pre.  To the best of my knowledge, this is how things went down.

Background

Back when the Palm Pre was released, it wasn’t quite a finished product. Yes, WebOS was a pretty awesome OS at the time, and the hardware keyboard was a nice touch. But besides a shortage of apps developed for WebOS, critical functionality was missing from the phone.

One of the biggest complaints was the lack of video recording for the Pre’s built-in camera.  I know many people were looking into a homebrew solution for this, so I thought I’d start doing some research and see if I could contribute.

Plan of Attack

The first step I took was to research the hardware involved.  It turns out that the CCD camera chip used in the Pre was the same as the one used in the OLPC (XO laptop).  Knowing that the OLPC offered video chat capabilities, I started researching how those were implemented.

I had already rooted my Pre and had command line access.  The next step was seeing what software was already loaded onto the Pre.

In one example for the XO laptop, GStreamer was used to pull video from the camera. I lucked out and realized that GStreamer was already installed on the Pre, including a number of encoders/decoders, muxers/demuxers, and video and audio sinks. It was just a matter of hoping the encoders were actually implemented properly, and that I could actually pipe data through them, and ultimately to the file system.

Results!

After a great deal of dabbling at the command line, I was able to pipe raw H.264 video to the file system, producing a file that was then playable in VLC despite having no proper container around it:

# make sure the root filesystem is mounted read-write
mount -o remount,rw /
# camera source -> Palm H.264 encoder -> raw stream written to disk (stop with Ctrl-C)
gst-launch camsrc ! palmvideoencoder ! filesink location=/media/internal/downloads/foo.mp4
# put the root filesystem back to read-only
mount -o remount,ro /

A wiki post detailing my original hack is located at WebOS Internals.  I’ve also attached the first successful video (foo) that I was able to record — it was like 4AM and me sitting at my desk in the dark, hoping that the hack session would pay off!  Ultimately, it did.

I’m writing this article years after the fact, but in 2013 I actually ran into a guy and we were talking about the Pre, and I had mentioned I was the guy who performed the original video hack and he remembered it.  Kind of cool to have a little geek street cred!  The original Pre Central post on the topic is located here.