Custom ROM install – Android system

This thread is to talk about the android system, about what parts we can change and about what kind of acces we have inside the system like a normal user.

It’s important to notice that this thread is not roughly necessary for cracking GSM. First of all you don’t need to root your device or change the ROM if you have your original Samsung ROM and the device is recognized by the computer as a Modem.

That’s what you have to keep in mind. This thread will not solve other problems of sniffing GSM or capturing GSM frames.

My intention is to clarify some advantatges and disadvantatges that someone can have with a rooted phone or with a Custom ROM.It’s also important to notice that rooting the phone can give you some privileges that can overcome a lot of problems.

So let’s begin with the thread. First of all I would like to remember what I commented in a thread that I posted few days ago that says:

The Stock ROMs of the Samsung devices brings the possibility to communicate through the android device like a Modem. I mean when you connect the Mobile to the PC via USB, this device will be recognized by the system like a memory storage (DCIM), like and ADB interface (if you have installed the ADB software of android) and finally like a Modem that brings you the possibility to communicate through AT commands like any other Modem to the SIM card of the Mobile phone and extract the 2 necessary numbers.

And few lines after this paragraph:

It’s important to take into account that the Android operating system is a linux distribution that is restricted by the user and in which you are not able to get access in all parts of the system. So like any other linux distribution we must have superuser privileges to do some kind of things that are prohibited by the normal user, like accessing to some files of the system or installing certain applications that are not in google play store, etc.

First of all I would like to recommend you to read and understand what are the main terms that could be used in this thread about the Android system and what kind of words you have to understand. Here are the main definitions and principal concepts:

And another link about the same concepts than the first one:

Also read about PIT files:

To know something more about the android system architecture check this link out.
Android System Layers:

To root or flash your device remember to enable the USB debugging option in the settings menu before connecting it through the USB cable.

Mainly there are 2 different ways of getting superuser privileges on your phone:

1) Rooting your phone: rooting is essentially a process that allows users of smartphones, tablets or other devices running on Android to gain “superuser” access to the software. This will allow the user to perform administrative tasks such as writing to locations normally restricted by the system which in turn will allow for deeper customization.

2) Flashing a Custom ROM to your phone: Flashing refers to the overwriting of existing data on ROM modules present in an electronic device with new data. This can be done to upgrade a device or to change the provider of a service associated with the function of the device, such as changing from one mobile phone service provider to another or installing a new operating system.
In simple words flashing is called installing firmware on your phone.

REMARK: It doesn’t matter what is your choice, but a think that you might take into account is that only phones with unlocked bootloaders can be flashed. For this reason is why is prefered rooting your phone, because you can root your phone with a locked bootloader. When I talk about unlocked bootloaders I mean phones that can be unlocked even if they are locked now. Because there are some other phones that can’t be unlocked unles you pay to unlock them.

I recommend to search in the web page of XDAdevelopers your specific phone model and look for softwares to root it or to flash new ROMs. In my case, I will comment how to flash new ROMs on my Samsung Galaxy S GT-I9000 and root it and how to root my Sony Ericsson Xperia neo V (MT11i).

Sony Ericsson Xperia neo V (MT11i):

An advanced and complete analysis of the device can be found here:

A) Unlock the Bootloader:

My Sony phone has a locked bootloader, because of this I was only able to root it. You can check if you have a locked bootloader or an unlocked one by entering the next code in the phone dialer app:

This will open a hidden menu where we have to click Service info –> Configuration.
Then check the option mentioned as: Rooting status: Bootloader unlock allowed: Yes/No. 
If the option is marked as YES, you need to continue because you have the bootloader locked but you can unlock it for free and by yourself.
If is marked as NO, you will have to change the option of Bootloader unlock allowed: No to Yes and this isn’t an easy thing. And then you will have to continue as the ones who have the option allowed.
This option is set to NO normally because the request of the carrier (or service’s provider) to Sony to unlock the phone and by this way, only official Sony ROMs and kernels can be used. By this way, Sony tries to force the user to only use their Software and, the most important thing, don’t let the developers or other people to copy or use apps developed by them like TrackID or Video Unlimited with different Operating systems.
In this thread in XDAdevelopers web there is a conversation about this problem:
To know some more things about the bootloader of this device and options you have to unlock it, I recommend you to see the next youtube video:
It uses an Xperia ARC S device but the solution and the procedure is the same for the Xperia Neo V device. It uses two devices, one blocked by carrier request that says Bootloader unlock allowed: NO and the other which says Bootloader unlock allowed: YES.
Normally the first one is bought through a carrier and the second one is an open device bought without any carrier and where you can use all types of SIMs cards of differents carriers.
REMARK: It’s important to notice that is not the same concept to unlock the bootloader option to say Yes instead of NO that unlocking the SIM card phone to become opened and be able to use any SIM card. This concept may sometimes be confusing and I hope that this clarifies the things.
To unlock the bootloader you have 3 options (in case you have the option Bootloader unlock allowed: NO):
1) Follow the steps of this link, and pay for unlocking the bootloader. I haven’t try it, but it seems to be true but you will have to pay 7.99€, what is not a good option for us. This option will also unlock the SIM card.
2) The second option is to unlock with the procedure that describes the last youtube video that explains all the options:
The problem is that you have to pay too. This procedure seems to be good too but you have to download some software from the this link. Then you will have to ask for an appointment in this forum:
An expert will use the software you have downloaded and will control your computer to unlock your phone remotely. The procedure on how to do it is on the video. I haven’t try this option.
3) The third option is the one which I will use, I haven’t try it yet but it really is the better, I think. This option is to talk to Sony company and send an e-mail explaining your situation and the step you want to perform at this mail:
This is explained by some guys in this XDA thread:
The Sony company will ask for your IMEI, device model and your SIM unlock code. Then they will ask you to call at a phone number and will ask for the bill that demonstrates you have bought the device thorugh the carriers or wherever you have obtained. This is the better option because they will pick up your phone at your home and this option is totally free. The only problem is that they might spend 2 – 3 weeks to open the phone and they will bring back the phone without any type of data, all will be removed.
I really recommend you to use this method, because it is the official method and the company ensures that the phone will not become bricked. With the other options you don’t know for sure what can happens.
After these previous step, you can use the offical Sony method or the S1tool method to unlock the bootloader. This is when you have changed the option Bootloader unlock allowed: NO to YES (in case you have the option Bootloader unlock allowed: YES).
1) Official Sony method: (with this method, the Sony apps like TrackID or Video unlimited will be removed and will become unabel to use with the new ROMs or Kernels).
2) The second option is to unlock it with a free software named S1tool and a strange connection with a paper clip. I tried this option and nothing happens to me, I mean it seems to go well but the bootloader continue locked. Then I asked some people of how dangerous could be to do this and I won’t try it anymore, because the phone is the one that I use nowadays and can become bricked. But in case I have some other phone I will try without hesitating it.
To try this option, follow this link:
I also recommend to check if your bootloader can be unlocked or not:
Is a youtube video which shows the process step by step. The software it uses is named S1tool and seems not to be dangerous. The software only works in Windows and for certain models of Sony phones, which are written in the description of the video.
To place the paper clip in a good way use this youtube video:
Or if you prefer a blog to follow, this is the same: (The sofwtare can be downloaded in a link placed in the description of the video at the youtube link or here).
The blog says that is 100% normal to have the NO word at the bootloader hidden menu described above after the operation, and this is exactly what happened to me. But I really don’t know if then you are able to flash the device or not. So that’s all I can help about this topic. This option allows us to use the Sony apps with other ROMs and Kernels.
B) Flash a new ROM:
Since here I can affirm all I have done, but thereafter I can only guide you for the suposed steps you must follow to flash the device (always talking about the Sony case).
So now you have to use the Flashtool that can be run in Linux or Windows, in my case I have used Linux, to flash a new firmware. The link to install the flashtool and the steps I followed are these ones: (and the Flashtool download page is:
Another way of flashing new ROMs is with the fastboot menu, which is similar to the recovery menu, but I haven’t been able to get it working. This link show the steps to get it running on linux and windows:
The Fastboot menu will only work if you have the Bootloader unlocked, after the steps seen before!
I know that all this explanation is not a real help because it’s difficult to get running all the options, but quiet everyone!
I have the solution to this. If you are tired of trying to flash new Custom ROMs and you don’t get success, I recommend you to root your device and this will be enough.
C) Root your Sony:
c.1) Root your Sony device with Android versions 2.3.6 or 2.3.7:
To root my Sony device I used the easy and quick software named ERoot recommended by XDA developers.
It works perfectly and without any danger for your phone. It only runs in Windows. And you have to follow these steps:
These steps are easy to follow and you will have your Sony phone rooted quicker, but check that the software supports your model of Sony phone first.
Afterwards check out this link with some FAQs and some advantatges of rooting:
I recommend you to download the Terminal Emulator and Busybox apps of Google play store which will give you the opportunity to browse into your phone.
The terminal emulator will be as a terminal prompt of your linux:
And Busybox app will increase the commands that you are able to use in the terminal emulator app:
busyboxThe Busybox app only works under superuser privileges and with the superuser app that will be installed with Eroot you can give these privileges to all the apps which requires them. The terminal emulator app will alson give you the possibility of entering the command “su”.
This is the official page of busybox with all the commands that gives to you:
There are a lot of other apps you can enjoy with superuser privileges, do a google search to find them. This method to root the device will only work if you have NOT updated your Android system to the latest version for this device which is the Android 4.0.4 Ice-Cream Sandwich (ICS).
c.2) Root your Sony device with Android version 4.0.4 (ICS):
If you have updated the system you must use another way for rooting your device which I have used and it owrks perfectly without the need of unlocking the bootloader.
You will have to download the Flashtool and the DooMLoRD’s rooting toolkit to root your device by this method.
You can do it following this XDA developers thread:
You won’t have any problem with this tutorial is very easy to follow. Then to understand better the problem of the bootloader you can read this other thread and see the diagram that explains some more things about the device:
For any other device model you can go to XDA developers web page and check all the threads for the device model you are using.
Samsung Galaxy S GT-I9000:

First of all we will talk about how to root the Samsung device and then I will show how to flash the device.

A) Unlock the SIM card of the Samsung:

This process is performed to be possible that the device works with different SIM cards of different service providers without paying to unlock the phone. The app you mmust download through the Google Play Store is the next one:

With this you must follow the steps that it tells you and finally the phone will reboot and will be unlocked. In the case the phone doesn’t do anything, don’t worry! Just take off the battery and and put it again! The phone will reboot and will be unlocked when started.

It’s important to know that with this procedure the IMEI number will be changed by one that is unlocked. The IMEI number is the one who identifies your phone, so your are giving a false identification number to your phone and by this way, this new identification is unlocked and accepts all types of SIM cards.

There are a lot of other apps for unlocking the SIM card but now one works freely, all performs the process paying some money. I think this is the only free way.

B) Root the Samsung:

Once the device has been unlocked for the SIM card, we will proceed to root the device.
To root the Samsung we will use the Odin software that only works in Windows.
This software is perfect to root the device and flash Stock ROMs in case you want to do a downgrade (which is returning to the original ROM).
To download Odin, go to the next link:

Download a CFroot file from the following link:
(You can choose any file that you one, only take into account your Android version, I mean if it’s a 2.2 or 2.3 android system.
Here there are some more CFroot files:
Depending on each file, it will install the app named root and the ClockworkMod Recovery and even if the Busybox in some cases.
To root the device with Odin we will follow this youtube video:

In my case I used the CFroot file named: The file is a .zip but you have to unzip it and use the .tar file.

Some advice to follow the youtube video:
1) To enter into the download mode: (Volume down + Home button + power button, at the same time)
2) To enter into the recovery mode: (first press volume up and Home button and then pressing these ones, finally press the power button; in this order)


In case you need the drivers of Samsung can be downloaded here: (But there’s no need to use them).
And also the Modem drivers of Samsung:

After this process the device will be rooted and you can do the same as before, installing Terminal Emulator app and Busybox app. When using the Terminal emulator app with your device disconnected from your computer it can be useful to know that the button combination: volume Up + W is the same as direction up button on a computer that shows the past introduced commands!

And that’s all the process to root your Samsung.

C) Flash the Samsung (upgrade to a more updated Android version):

Then to flash a Custom Rom like a CyanogenMod one, you only have to use the Recovery mode. This recovery mode is installed with CFroot file through the Odin software.

To flash a CyanogenMod ROM you can use this thread as a tutorial: (But I will explain the process in detail so I recommend you to follow my steps and use it if and only if you get lost).

I recommend you to flash a Custom ROM from CyanogenMod because are the most professional ones, and they really work very well.

To choose a CyanogenMod ROM go to this link and I recommend to choose an stable one:

To know what are the differences about stable, nightly and other ROMs read about it in the forum of cyanogenmod: (Here is explained what are the differences about the experimental, nightly, stable ROMs, etc.)

I recommend the CyanogenMod (CM) 10.2 stable version because is the latest stable version and it will bring to you the Android 4.2 Jelly Bean version, which is really cool. The CM11 will bring the 4.4 KitKat version but is not stable yet.

To upgrade the system you only have to use adb push tool, which I talk about at my other thread, to place the CyanogenMod ROM into the sdcard of the Android memory system. I have used the second part of this tutorial named “Installing CyanogenMod from recovery”. The first is to install a custom recovery but we have already installed it with CFroot file, so it’s not necessary the first part.

You have to enter on a terminal prompt, inside the directory where adb is placed, the next command:

adb push /home/usuari/Descargas/ /sdcard/

This command performs the task of copying files from the computer to the phone.

It’s also important to notice that you have to connect your phone with the USB cable to your computer and have Android SDK installed and adb shell running.

Then when the file is placed inside your SDcard, you only have to:

1) Disconnect your phone from your computer.

2) Shut down your phone, enter to the recovery mode as explained before.

3) Optional/Recommended: Select backup and restore to create a backup of the current installation on the device. If this option is missing, it’s likely because the stock ROM has overwritten your custom recovery on boot. So if it’s missing is not necessary to perform a backup.

4) Select the option to wipe data/factory reset. It will erase all your personal data so save all your information before.

5) Select install zip from sdcard.

6) Select choose zip from sdcard. And select the CyanogenMod .zip file.

And when the system reboot, you will have a Custom ROM from CyanogenMod installed.

It’s possible that CyanogenMod ROM detects that you are using a false IMEI number, but if a menu appears you only have to accept and no problem will appear. This is because the Sim card unlock performed before.

To activate the developer options in CyanogenMod you have to go to Settings menu –> About phone and press about 7 or 8 times the build number. This will enable the developer options. This option is really interesting because you can change the performance of the battery or change the frequency of the CPU.


These options are the improvements that brings the CyanogenMod to your mobile phone apart from rooting acces like before. So it’s because of this why the CyanogenMod ROMs are at the top of Custom ROMs.


Another thing that must be commented is that the Google Apps (Gapps) won’t come with the ROM, so you have to install them like you have done with the CyanogenMod file.

You can download the .zip file of Gapps at the following link: (Choose the one corresponding to the CyanogenMod version you’ve installled).

Then you have to enter to connect the phone through USB again, place the .zip file of Gapps in the sdcard, change to recovery mode and install the .zip file like before. It’s so easy!

Finally I would like to say that if you have a CyanogenMod you can install apps like SilentSMS which is a good help to get the TMSI number of the other part of the communication. You can read about it in:

To install it you only have to follow the steps on the link. But if you don’t have a CyanogenMod ROM or any other Custom ROM that has the code signing turned off, the app won’t work for you. Because I don’t know how to turn off code signing in Stock ROMs.

D) Flash the Samsung (downgrade to a Stock ROM or to the original ROM):

This is a step by step tutorial that tells how to use Odin for upgrading your Stock ROM or downgrading it: (It doesn’t work for installing Custom ROMs).

We will use this method for downgrading to a specific Stock ROM of Samsung, because the upgrade process only allows us to install Stock ROMs which usually runs on 2.3.6 or 2.3.7 Android versions and if we want to update the Android to versions like 4.2 Jelly Bean Android version or even 4.4 Kitkat Android version, we have to use another method.

In this link there are all the tutorials about how to upgrade or downgrade your system to different ROMs, and these are the methods which I have explained above. If you want to check if you have made it correctly:

From this link you have to download the PIT files. There are some links before the topic upgrading to kitkat, where you can download Odin too. To choose which PIT file is the best I have searched a lot and there are few differences about it. I have used the first one which is the 512 PIT file. But choose whatever you want. The link is a .rar file that contains the 3 different PIT files that you can use. Read this thread about PIT files if you are not sure which one is the best:

To downgrade your Android system to a Stock ROM of Samsung, you have to download few files more. These are the PHONE file, the CSC file and the PDA file which you can  download at the following link: (This link also shows how to use Odin to downgrade, but it’s very easy).

I don’t know exactly what these files are, but you have to download the combination which most suits you of all the download links of the link above. I think that you must catch the ones which are referred to your geographical zone like in my case I caught the ones for Europe but I’m not sure. Then also look the Android version you are installing; the options are: Gingerbread 2.3.3, 2.3.4, 2.3.5 and 2.3.6. Also choose the one for your model I mean there are some for Samsung I9000 and others for Samsung I9000M. And there’s a link to Froyo Android versions files to downgrade to them too. But it’s an older system and I don’t recommend you to choose it. It won’t bring any improvement to you Samsung.

After performing the downgrade you will have to use Odin Software again to flash a CFroot file to get the phone rooted again.Again it doesn’t matter which CFroot file you choose. If you catch a file that doesn’t works good, you can catch another one and flash it again with Odin.

This is the link to download CFroot files again:

Don’t use the file named: CF-Root-XX_OXA_JVU_2.3.6-v4.3-CWM3RFS. I used it and it doesn’t work correctly.

The importance of Downgrading the system is because we will recover the Modem option which I talked about in my other thread.

That’s all the process you have to do to flash or downgrade to a Stock ROM. To guide you for some combinations of files that works very well I have tried the following ones:

a) GT_I9000_XWJWB_XWJW1_NEEJW2: This option installs an older version of Android system and doesn’t work well to use it as a Modem.

b) GT_I9000_XXJW4_XXJW4_OXAJW4: This is the best option you can use and works well in all aspects.

These are the .rar files which contains the PDA, PHONE and CSC files you need for the Odin and you can download them from the link above. These 2 cases works good, the second more than the first, and I recommend you to use them. After the use of Odin for the new Stock ROM you have to use CFroot to get the system rooted again.

They include the Google Apps (Gapps) which are the Google Play Store (if the version is old can be called Android Market yet, but you can update it), Google Maps, Gmail, Google search, Google talks, etc.

If you want to downgrade or recover your original ROM of Samsung that comes with your Samsung when you buy it, first you have to downgrade to a Stock ROM of Samsung. This will bring all the hidden menus of the dialer of Samsung, and then you have to enter the following code into the dialer app:


Do NOT enter this code without reading the paragraph below!!!

Think before you give this code. This code is used for factory format. It’ll remove all files and settings including the internal memory storage. It’ll also reinstall the phone firmware.

Once you give this code, there is no way to cancel the operation unless you remove the battery from the phone. So think twice before giving this code.

You can use this command to reset the original Stock ROM that you have with the Samsung without any update. This can be useful in case you have installed an update that doesn’t work properly.

This is alos posted in my other thread:

The system will do all the things automatically and the original system will be recovered. the only thing you have to do is to press the HOME button when the recovery mode appears to choose the option: Reboot the system now!

It’s also important to say that if the phone is rooted, it will be rooted also after this recover.

That’s all I have done! I hope you to enjoy it very much!!!

ADB install – Android system

In this post I will talk about how to install ADB on linux and on Windows to control your Android device via USB without any problem.

But first of all I want to talk about other ways of controlling your phone through your computer but I think there are much more inefficient and takes more time to assume the commands or the orders that you type with your keyboard or mouse.

The other way that I tried and it works very well but not as efficient as adb is the VNC connection via wifi or internet. To do this I have installed in my phone the app DroidVNC server that you can find in Google Play Store.

It’s important to notice that your device must be rooted to use this app, so I recommend you to read my further thread about Custom ROMs and rooting devices. And it’s important to connect your device via WIFI not through the phone network to have more capacity of data transfer.

So I will assume you have your device rooted and you can give it superuser privileges.

To enable the connection you must open DroidVNC server and start it. It will show your the IP adress of your phone and the port you must connect to. Like in the following image:

DroidVNCThen you have to download in your computer a VNC client like TightVNC Viewer for Ubuntu or like VNC viewer for Windows.

To check that the IP adress of your mobile phone is the same that shows the DroidVNC Server app, you can use the next link: (Here shows the menu settings to check the IP adress which usually is in WIFI settings or configuration menu).

In my 2 devices to know where is the IP adress you must enter the menu:

Sony Ericsson Xperia neo V: Parameters –> Networks –> Wi-Fi parameters –> tab into the connected network!

Samsung Galaxy S GT-I9000: Settings –> Inalambric connections –> Wi-Fi settings –> tab into the connected network!

You can use this link to make the connection:

This method is very interesting because you can see the screen of your phone device at your computer’s screen but it will take some seconds for every thing you do, because it will move at the same time the phone screen and the visualization of the phone on the computer so it’s more efficient the adb shell although you won’t be able to see your phone’s screen. You will only see the terminal of your phone.

ADB (Android Debug Bridge) description: adb are two different applications — one running on your computer (Windows, Linux or Mac) and one running on your phone. When your phone is connected, and USB debugging is enabled, you can issue commands and communicate with the phone using your computer screen and keyboard.

So ADB is the quickest and most useful way to control your Android device through your PC by terminal prompt and make it more simple to enter commands that can be with your device.

Now we can begin with ADB way of communication. First you have to enable some settings of the phone before connecting it via USB to the computer:

Settings –> Aplications –> Unknown sources (enable this option)

Settings –> Aplications –> Development –> USB Debugging (enable this option)

Then you are prepared to catch the USB cable that comes with the device and connect it to your computer.

It will appear on your mobile a tab that shows that the device is connected through USB.

This is also explained in my other thread. So now we can proceed iwth the installation.

1) ADB install in Windows:

This link is the official page of Android operating system and this link talks about Android SDK (Software Developement Kit), which is a tool that provides you the API libraries and developer tools necessary to build, test, and debug apps for Android. It also brings the ADB tool, which is why we are interested in it: (here you have to download the file corresponding to your Windows system).

ADB (Android Debug Bridge) is a controller that will enable us to get superuser privileges and control our phone through our computer.

Here are the steps to get the ADB running in Windows: (In Spanish).

To use the Windows cmd app, which is similar to the Terminal in Linux but the commands will not be the same. It can be useful to have some basic Windows 7 commands only to open and execute the ADB succesfully: (In Spanish).

To begin with the install steps I have followed the next youtube video which tells you how to do it, and before the Android SDK you will have to install the java JDK to enable to run Android SDK. The video is in Spanish but for sure you can found the same video but in English doing a Youtube search:

If you follow the steps of the video, for sure you will install the Android SDK without any problem. The Software will be placed in the following path in the Windows system: C:\Users\Usuari\AppData\Local\Android\android-sdk

Then you have to open your Android  SDK software and download the drivers for your Android version in the options that appear, tick the correpsonding boxes and download them. It can last some 15 – 30 minutes depending on your connection. Be sure you have downloaded your android version drivers because if you download the incorrect ones, then it’s possible that ADB doesn’t work properly.

Then you will be able to control your phone via ADB and through the USB. To do this follow the next steps:

a) Open a cmd in Initial menu.
b) Enter the following commands:

Cd C:\Users\Usuari\AppData\Local\Android\android-sdk\platform-tools
adb shell
chmod 777 /data/dalvik-cache
cd /data/dalvik-cache
chmod 777 ./

After this you are inside the phone and you can move freely wherever you want. It’s important to see that the command “su” is to enter with superuser privileges and it’s possible to don’t get access in case you don’t have you phone rooted or with a Custom ROM.
I will talk about how to root your device and flash it in a further thread.

2) ADB install in Linux:

The install process that I have used in Ubuntu and in Kali Linux is the same that is performed in the next link:

In this case we don’t have to download the drivers because Ubuntu or any Linux distribution don’t need drivers to recognize the devices. So the install process is quicker. It works by terminal as in the case of Windows.

So there are the steps to get it running correctly:

sudo add-apt-repository ppa:nilarimogard/webupd8
sudo apt-get update
sudo apt-get install android-tools-adb android-tools-fastboot

Then the only thing we have to do is just enter the command:

 adb shell

(and this command will get access to our phone device via USB)

I repeat the same as before, you have to enable the USB debugging option in the settings menu as explained above and connect the phone through USB with the original cable.

To know which devices are connected in the moment you can enter, before the command of adb shell, the command:


This command will show how many devices are connected to the computer and their names.

Another tool that comes with adb shell and is not explained above in the Windows part are the commands named: adb push and adb pull.

These commands performs the task of copying files from the computer to the phone and viceversa, respectively. So if you enter a command like this:

adb push /home/usuari/Descargas/ /sdcard/

You are copying the file (which is a Custom Cyanogenmod stable ROM) to the sdcard of your phone.

And if you enter something like this:

adb pull /sdcard/ /home/usuari/Descargas/

You are doing the contrary task.

These are very useful commands to move and copy files from your computer to your phone or viceversa. IN this case we are copying a ROM file but you can copy or move any kind of files, whenever the memory of your phone SDcard is enough to storage the files.

It can be possible that in some cases the adb push option, which comes with adb install doesn’t work properly. In such a case, follow the next steps to solve this problem:

adb devices → Accept the message on your phone!
adb root → restarting as root!
adb devices → Accept the message again!
adb remount → remount completed succesfully!
adb push /home/usuari/Descargas/ /sdcard/

And the problem is solved!

By this way we give privileges to the adb push to copy files into the android system. And with these privileges the adb push command is able to copy and move files on and out of the phones memory.

Here finishes my thread of adb install, I hope to be helping someone and enjoy it.

Advanced/hidden menus – Android system

There are a lot of menus that display to the user some advanced characteristics and variables that are not shown to the normal user in Android Systems.

These menus are used to change or consult some specific features that can be interesting to the advanced users of the system.

In this thread I will show you some of these hidden menus and talk about the advantatges and drawbacks of them.

Not all of them work in all Android operating system versions but the most interesting ones, usually works in most of Android versions.

I have 2 different devices: 1 Sony Ericsson Xperia neo V (which we are going to name it Haida, like in Cyanogenmod ROMs) with the Android system version 4.0.4 Ice Cream Sandwich and 1 Samsung Galaxy S I9000 (which we are going to name it galaxysmtd, like in Cyanogenmod ROMs) with Android system version 2.3.6.

The Android version can be consulted in Settings menu –> About phone –> Android Version.

So I will comment if the Hidden menus are able to use in each device.

So let’s talk about them:


It enters to the Service Mode. It only works with the galaxysmtd and is a very complex menu with 6 parts which are: Debug Screen, Version Info., UMTS RF NV, GSM RF NV, Audio and Common. You have to use the Menu button to go back through all the menus. Here can be consulted variables like the LAC and CellID inside the submenu: Debug Screen –> Basic Information.
Is one of the most completed hidden menus.


This is the submenu commented before but to enter directly. It only works in the galaxysmtd device too.


This menu is able for the Haida and for the galaxysmtd. There are 4 submenus: Phone information, battery information, Usage statistics and Wifi information. Inside the Phone Information menu you can change the network option for the phone, and here you can force the phone to use only GSM network or WCDMA (3G) network, etc. There are other options like Wifi configuration in the other submenus.

Here is a youtube video that shows this specific menu:


This menu shows the IMEI number for Haida phones.


This code can be used for a factory data reset. It’ll remove following things:

  • Google account settings stored in your phone, System and application data and settings and finally Downloaded applications.

It’ll NOT remove:

  • Current system software and bundled applications and  SD card files (e.g. photos, music files, etc.)

Once you give this code, you get a prompt screen asking you to click on “Reset phone” button. So you get a chance to cancel your operation. It doesn’t work for Haida only for galaxysmtd.


Do NOT enter this code without reading the paragraph below!!!

Think before you give this code. This code is used for factory format. It’ll remove all files and settings including the internal memory storage. It’ll also reinstall the phone firmware.

Once you give this code, there is no way to cancel the operation unless you remove the battery from the phone. So think twice before giving this code.

You can use this command to reset the original Stock ROM that you have with the Samsung without any update. This can be useful in case you have installed an update that doesn’t work properly.


This code is used to get information about phone camera. It shows following 6 menus:

  • Phone/CAM Firmware(FW) Ver Check
  • Phone to CAM FW Write
  • ISP Ver Check
  • FW Write Count
  • CAM FW Cal Check
  • CAM to Phone FW Dump

I don’t know exactly what the menus do, but all the menus that show the word check can’t be dangerous for the system for sure. It only works for galaxysmtd.


This one is my favorite one. This code can be used to change the “End Call / Power” button action in your phone. By default, if you long press the button, it shows a screen asking you to select any option from Silent mode, Airplane mode and Power off.

You can change this action using this code. You can enable direct power off on this button so you don’t need to waste your time in selecting the option. It only works for galaxysmtd.

Other types of codes: WLAN, GPS and Bluetooth Test Codes:

*#*#232339#*#* OR *#*#526#*#* OR *#*#528#*#* –> WLAN test (Use “Menu” button to start various tests).

*#*#232338#*#* –> Shows WiFi MAC address.

*#*#1472365#*#* –> GPS test.

*#*#1575#*#* –> Another GPS test.

*#*#232331#*#* –> Bluetooth test.

*#*#232337#*# –> Shows Bluetooth device address.


This code can be used to launch GTalk Service Monitor.

Codes to get Firmware version information:
*#*#4986*2650468#*#* –> PDA, Phone, H/W, RFCallDate.

*#*#1234#*#* –> PDA and Phone.

*#*#1111#*#* –> FTA SW Version.

*#*#2222#*#* –> FTA HW Version.

*#*#44336#*#* –> PDA, Phone, CSC, Build Time, Changelist number.

Codes to launch various Factory Tests:

*#*#0283#*#* –> Packet Loopback.

*#*#0*#*#* –> LCD test.

*#*#0673#*#* OR *#*#0289#*#* –> Melody test.

*#*#0842#*#* –> Device test (Vibration test and BackLight test).

*#*#2663#*#* –> Touch screen version.

*#*#2664#*#* –> Touch screen test.

*#*#0588#*#* –> Proximity sensor test.

*#*#3264#*#* –> RAM version.

NOTE: All above codes have been checked on Google Android phone Samsung Galaxy I7500 only but they should also work in other Google Android phones. But in the newer versions of Android, it’s possible that they don’t work.

All of these codes works for Samsung devices because are extracted from the link below that tells all the hidden menus for a Samsung device.

Hidden codes for Samsung devices:

Get Kc key and TMSI number!

This thread will treat in more detail the STEP 3 described in my general thread of GSM that explains how to get these numbers to decode and unencrypt your own voice call or SMS.

1) TMSI number:

Temporary mobile station identitie (TMSI) number is allocated within a VLR for enhancing the system security. A TMSI corresponds to an IMSI uniquely within a VLR.
The structure of TMSI can be codetermined by the carrier and the equipment provider.
The principles for TMSI allocation are as follows:

  • A TMSI is composed of 4 bytes, which can be 8 hexadecimals.
  • The 32 bits of a TMSI cannot be all ones, because an all-one TMSI in a SIM card indicates an invalid TMSI.

A typical example of TMSI is 60340039.

The TMSI number is the identification that the BTS tower give to every MS (Mobile Station), which is your mobile device, to identify it and distinguish it from the other terminals that are connected with the BTS tower.

This TMSI number will be assigned to your device when entering in the area of coverage of the BTS and the BTS can assign this number for one comunication between your MS and the BTS only or can reuse this number for your MS if you don’t move from the area of coverage of this BTS. I mean if you make a voice call and then make another one, the same TMSI number will be used by the BTS tower for your MS.

Sometimes the BTS tower ask the MS for the IMSI number which is unique for each MS. But the BTS tower try to reduce the transfer of this number by the UM Interface or Air Interface (Interface between the BTS and the MS) because of avoiding sniffing the identification number of the MS. Because of this reason is why it uses the TMSI which is a number which is not always the same and don’t really identifies the MS at other area coverages or at other connections with the BTS.

2) Kc key (or cyphering key):

The second is the Kc Key, which is a number extracted with the GSM algorithm and is different for every communication between the BTS and the MS. This number is the output from the GSM.

Official description: The Kc is the 64-bit ciphering key that is used in the A5 encryption algorithm to encipher and decipher the data that is being transmitted on the Um interface.

This is extracted from the document recommended in the GSM general thread mentioned above named GSM_for_dummies. This document explains in detail all the parts of the encryption the numbers extracted and used through all the process, and all the necessary infromation to understand how the system works.

The RAND and Ki are the input into the A8 encryption algorithm to extract the Kc key. This can be seen in the above document at page 28.

So this Kc key is fundamental to decode the conversation and we have to obtain it. There are some methods to obtain this key and they are explained at this thread: (The method which I have used is the third one listed in this link and I will explain in this post in more detail.)

REMARK: It’s important to notice that with all these methods you will only be able to get your own Kc key and not the others Kc keys, which means that you won’t be able to crack GSM voice calls or SMS from others. You will only be able to crack your own voice calls and SMS messages.

There was another method of obtaining this key apart from the ones explained in the link and which enables to get the Kc key of others too. This method is using the Kraken tool, I talked about this tool in my other thread but I can’t get the tool running correctly. This is all explained in my other thread.

3) Process to get these 2 numbers or keys:

First of all I remark that the 2 numbers (TMSI and Kc) are obtained by the same procedure. This procedure is named AT commands.

AT commands are used to communicate via terminal or user interface to a Modem and get infromation about this Modem. In this case the Modem will be the Mobile phone with the android system and the part of the device we want to get access is the SIM card, which are stored these 2 numbers and where we have to enter after every voice call or SMS to get these numbers of the last communication between the BTS and the MS.

For this reason is why I have only been able to get these numbers with a Samsung android device. The Stock ROMs of the Samsung devices brings the possibility to communicate through the android device like a Modem. I mean when you connect the Mobile to the PC via USB, this device will be recognized by the system like a memory storage (DCIM), like and ADB interface (if you have installed the ADB software of android) and finally like a Modem that brings you the possibility to communicate through AT commands like any other Modem to the SIM card of the Mobile phone and extract the 2 necessary numbers.

It’s important to remark that I’m using a Samsung Galaxy s GT-I9000 model and that I suppose by some comments on different Forums and some google search that all the Samsung devices have this special option of Modem. I pretty sure that I’m not wrong but the only thing you have to do is to check it out.

I know that some of the concepts that I talk about above can be unknown for you, this is the reason why, first of all, I would like to describe all of these concepts and to describe some parts of the Android operating system to bring the possibility of understanding all the parts of this process.

A) Description of the Android System:

First of all it’s important to know that at all versions of the Android system which uses a lot of Mobiles devices, there are some hidden options that enables you to check some sensors and to get some advanced and technical information that is not really shown to the users but can be consulted if your want.

The next link shows the codes you must enter to the dialer application of your Android device to get some information about your system like the BTS tower which is connected with at the moment or some tests of the sensors of the device, etc:

I also recommend you to read my other thread about this topic.

It’s important to take into account that Android operating system is a linux distribution that is restricted by the user and in which you are not able to get access in all parts of the system. So like any other linux distribution we must have superuser privileges to do some kind of things that are prohibited by the normal user, like accessing to some files of the system or installing certain applications that are not in google play store, etc.

First of all I would like to recommend you to read and understand what are the main terms that could be used in this thread about the Android system and what kind of words you have to understand. Here are the main definitions and principal concepts:

Also read about PIT files:

And another link about similar concepts than the first one:

So according to this link:

ADB (Android Debug Bridge) description: adb are two different applications — one running on your computer (Windows, Linux or Mac) and one running on your phone. When your phone is connected, and USB debugging is enabled, you can issue commands and communicate with the phone using your computer screen and keyboard.

So ADB is the quickest and most useful way to control your Android device through your PC by terminal prompt and make it more simple to enter commands that can be with your device.

Once you have written all of this information the only thing you must know and check about your Samsung android device is that if it has the Stock ROM. I mean that the ROM was not changed by a Custom ROM like CyanogenMOD or others. Because the Stock ROM allows us to access the SIM card like a Modem.


To check out if it’s possible to be recognized like a Modem you have to follow the next steps.

First you have to enable some settings of the phone before connecting it via USB to the computer:

Settings –> Aplications –> Unknown sources (enable this option)

Settings –> Aplications –> Development –> USB Debugging (enable this option)

Then you are prepared to catch the USB cable that comes with the device and connect it to your computer.

It will appear on your mobile a tab that shows that the device is connected through USB.

In the computer to check if it’s recognized like a Modem, you only have to do a pair of things.

a) Linux operating system: Open a terminal prompt and enter the command

cd /dev

(This will bring you to the directory where are palced all the devices and you have to check if a device named ttyACM0 appeared. If it appears, congratulations! Your device is prepared.)

b) Windows Operating system: Open the Control Panel in Initial menu and enter to Security and System –> Device Administrator, here has to appear a tab with the name Modem and you have to click and open it. Inside have to be a Modem device named: Samsung USB Composite Device. You can click the right button on it and open Properties, then go to the tab named ………… and make a AT command test.

Note: These are the steps to enter in Windows 7 operating system, but in other Windows versions they have to be similar.

If all these check outs have gone well, you have to continue installing Minicom software (in Linux operating systems) or Hyperterminal software (in Windows operating systems) to get the 2 numbers.

In case you didn’t get the device recognized like a Modem it’s possible you don’t have the Stock ROM of Samsung installed and I recommend you to downgrade your Android version or to change your Custom ROM to the original one. In my case, Samsung Galaxy S GT-I9000 has the Android 2.3.6 or 2.3.7 versions. I have seen some cases that even a older version of Android. So it’s possible that newer versions are Custom ROMs or updates that are not the original ones.

To do a downgrade and get the original version, see my other post.


B) Minicom and Hyperterminal install:

B.1) Hyperterminal Install (Windows operating system):

The only thing you have to do is to download the files of this web page and run the executable file inside the downloaded and decompressed folder.

You only have to click and download the .rar file then extract all the files. To use it, you don’t have to install anything, only run the executable file and a first window will open like the next one:

You have to enter a name for the communication, choose any name, and click on the phone icon. Then it will ask for what kind of communication you want. You have to enter the option of COM3 or COMx where x is the number of your COM port which is connected to the mobile. Don’t worry if you don’t know exactly the number of the port, if you only have the device connected it will show only one COM port option.

Then it will show the window where you have to enter the AT commands. To check if it works well, enter AT and press start. If it returns OK, it means that all is correct.

The final window is something like this:

B.2) Minicom Install (Linux operating system):

This software hasn’t any graphical interface but is really the same than Hyperterminal in Windows but you have to use it through the terminal prompt.

This is a link that talks about Minicom but it’s not really necessary to read it:

To install Minicom in your Linux operating system follow the next steps:

sudo apt-get install minicom
sudo minicom -s

After this, you have to open a new terminal prompt and enter the command:

dmesg|grep tty

(This command will show all the serial ports and you have to find your own serial port to communicate. As we have said before our port has the name ttyACM0).

So you can close the second terminal and return to the first one. You have to select with the directions buttons the option: Serial Port Configuration.
Here you have to enter the letter of the fields you want to change, so the following fields must be changed like this:

ttyACM0 ---- Serial Device

9600 Bps/Par/Bits,"8-N-1" ---- Parity Bits

Yes ---- to Hardware Control Flow

no ---- to Software Control Flow

That’s all you have to change. Accept and save the file of configuration with a name that you can remember later.
In my case I had saved the file with the name configMinicom.
So now the install and configuration of Minicom is finished.
The only thing you must do to open Minicom is:

sudo minicom configMinicom

The Configuration file is saved at your system at the following path: /etc/minicom

So now you can try to enter AT as a check if the software runs correctly and if it returns OK like in Hyperterminal case, it means that all is correct.

Remark: Sometimes it’s possible that Minicom and Hyperterminal don’t write the command one enter but even if they are not displayed, the answers will be displayed too and the commands are entered without any problem is just an error that sometimes occur and brings to think that perhaps the software is not running properly, but there is not a problem.

To exit Minicom you have to enter CTRL + A and then X and enter button.

To see some more detailed minicom setup:


Now that we have installed Minicom in Kali Linux for example, we can connect our Samsung device and begin to enter AT commands to access the SIM card.

To get the 2 numbers that we are talking about during all this thread we have to follow the steps  of this link:

It’s important to follow the position of every command to get the correct result. The command that we will use is the AT+CSIM command which is the one that give generic SIM acces.

This command is really complex and there is short information about it. There are other AT commands that might be useful like AT+CIMI which give us the IMSI number.

FIG exampleMINICOM…………………………..

I know that in the tutorial there are the commands and the answers but in my case the answers are a little bit different and I want to show you my own results:

AT –> To prove that the connection is enable.

ATi –> To see the kind of mobile model.

AT+CPIN? –> To check that the SIM card is ready and enable.

After these few commands we will begin with the AT+CSIM command and the necessary procedure.

First of all we have to run the GSM algorithm:


+CSIM: 64,”00005C5E7F2002005555FF011113001D0700838A838A00838300008300009000″



+CSIM: 4,”9F0C”


In this step it says that extracts the SRES and Kc numbers but in my case this isn’t correct. This is the different part.

Then we have to read the EF files from the SIM card:


+CSIM: 34,”000000096F20040011FF44010200009000″



+CSIM: 22,”807F65C9C99DD800039000″


Here we can identify the KC key hexadecimal number: 807F65C9C99DD800 and the sequence number: 03. This is the Key we have to enter at Airprobe with the (STEP 8 of my general GSM thread) command to decode the information.

Then to extract the TMSI number enter:

+CSIM: 34,”0000000B6F7E040011FF14010200009000″


+CSIM: 26,”980267C912F4105458FF009000″


Here we can identify the TMSI hexadecimal number: 980267C9.

This is the number that must be identified in wireshark to know what is you own voice call.

REMARK: I want to notice that these numbers seems to be correct but in the case of obtaining the IMSI number through the same procedure and through another AT command like AT+CIMI, the results are different and this bring me to the conclusion that it’s possible that these numbers are not correct at the 100%. Although, is the only way I have been able to obtain these numbers and I don’t know how to get them in any other way.

I mean that these results are different and they might be the same:

+CSIM: 22,”0829411055703851509000″




In this second case the IMSI number is: 214015507831505. But in the first one, the IMSI is different. If we convert this number into the hexadecimal format we obtain: C2A55E521AD1. And this is not the number of the above command.

For this reason I investigate more about how to use the AT+CSIM command and I found this link where there are a lot of papers of how to use the command. Inside this link there are all the papers related to the command at this submenu:

I only downloaded the first paper (or the first .zip file) and there are a lot of interesting things about the AT+CSIM command. Anyway it’s not easy to understand.

A thread in XDAdevelopers web page talks about AT commands too, I recommend you to read it and make an idea of what we are doing here:

Also there’s another way of entering AT commands through the adb shell (See my other thread where explains how to install and use adb shell) that is explained in this other link: (But I wasn’t able to found the correct tty to send AT commands.)

It explains a little more about the Android system and its architecture but I think that is more oriented to developers.

So I hope that someone that knows more about this topic can help me and if not I suppose that these results are correct.

ARFCN tool, Kalibrate tool and others – setup

1) ARFCN tool install:

ARFCN tool is a little piece of software that calculates the uplink and downlink frequencies of GSM through the ARFCN number or viceversa.

I have only been able to compile it correctly in Ubuntu, not in Kali linux. But don’t worry because there are some web pages that do the same calculation online. So you will be able to run all the software in Kali linux for sure.

So to get the files to compile the tool go to the following link and click on the download button:

(this will download a .tar file)

Then you have to enter the following commands:

tar-xvf arfcncalc.tar

(and is all you have to do, if all is correct now you can use the tool)

For example:

./arfcncalc -d -a 124

(this command will show the downlink frequency of the ARFCN number 124)

To see all the options of the ARFCN tool enter the next command:

usuari@usuari-EasyNote-TM98:~/Documentos/SDR/arfcncalc$ ./arfcncalc -help

ArfcnCalc – GSM frequency calculation tool V.1.0
Copyright(c) 2010 Philipp Fabian Benedikt Maier

CAUTION: This is a very early version of this program. It might still contain
some bugs that might cause wrong calculation results. If you find a
bug, please email to: – Thanks!

This is a tool for calculating the resulting frequency from a given ARFCN
and can be used easyly in shellscripts for doing arfcn calculations

The following options are available
-h or -? …….. Print this screen.
-v ………….. Verbose output.
-u ………….. Calculate uplink frequency  / Treat frequency as uplink
-d ………….. Calculate downlink frequency / Treat frequency as downlik
-b ………….. Specify band (optional, needed with GSM1900/1800).
-p ………….. Generate a bandplan with all known arfcns.
-f ………….. Find an Arfcn for a given frequency

The following bands can be handled (option -b):
450 …………. GSM450
480 …………. GSM480
850 …………. GSM850
900 …………. GSM900 (P-GSM, E-GSM and R-GSM)
1800 ………… GSM1800 \__Caution:
1900 ………… GSM1900 /  Conflicting ARFCN-Numbers!

arfcncalc -a arfcen [-udv -b band] ….. Calculate the frequency for an arfcn
arfcncalc -f frequency [-udv -b band] .. Calculate arfcn for a frequency
arfcncalc -p ……………………… Generate bandplan

arfcncalc -a 512 -b 1900 -d … Calc downlink frequency (GSM1900) of Arfcn 512
arfcncalc -a 123 -v ……….. Get verbose information about Arfcn 123
arfcncalc -f 959600000 -d ….. Get an arfcn for the dnlink frequency 959.6Mhz

If the software doesn’t work in Kali linux use the next link, which is a table of ARFCN conversion and does exactly the same of the software explained above but only with a look:

There are some online calculators but I haven’t needed them.

2) Kalibrate tool install:
Kalibrate(kal) can scan for GSM base stations in a given frequency band and
can use those GSM base stations to calculate the local oscillator frequency

In our case we will use it to see what are the main GSM frequencies of our area and look for the ones inside our GSM providers frequency band.

To install and compile this tool, we can follow the next youtube video:
Also this is the thread in RTL-SDR blog which links to the video above:

This is the source on Github:

The steps to compile, which are the same as the video are the followings ones:

git clone

cd kalibrate-rtl
./bootstrap && CXXFLAGS='-W -Wall -O3'
make install

It can produce some errors but although some usages may not run, the one which we are interested in will run perfectly so, there’s not a problem.
This is an example of usage:

root@kali:/home/SDR/kalibrate-rtl# kal -s GSM900

Found 1 device(s):
0:  ezcap USB 2.0 DVB-T/DAB/FM dongle

Using device 0: ezcap USB 2.0 DVB-T/DAB/FM dongle
Found Rafael Micro R820T tuner
Exact sample rate is: 270833.002142 Hz
kal: Scanning for GSM-900 base stations.
chan: 74 (949.8MHz – 39.881kHz)    power: 100204.30
chan: 101 (955.2MHz – 39.456kHz)    power: 91973.50
chan: 108 (956.6MHz – 39.531kHz)    power: 181214.37
chan: 115 (958.0MHz – 39.590kHz)    power: 65380.82

In this example we can see which channels are the most powerful ones and in this case I will tune the RTL-SDR dongle to any of these frequencies because the frequency range of my mobile service provider is Vodafone and it has the frequency band of: 949,9 – 959,9 MHz.
This can be seen in my general thread about GSM on STEP 2:

3) Kraken tool install:

The Kraken tool is a software created by Karsten Nohl and is used to get the Kc key from some received frames of GSM and crack this key to decode the information and get a voice call or a SMS data from the GSM information that you have sniffed with RTL-SDR dongle.

This tool is really amazing because it tries with some frames to get the key using the same algorithms as GSM system. The only thing that you must provide is the correct frames of each voice call, so you must understand the system very well and be able to identify the necessary frames for Kraken tool input.

I tried to get this tool running but I wasn’t able to get it working. So I used another method to get the Kc key, which is only for my own mobile phone and can’t get the others’ keys.

You can see how I get the Key in a further thread I will create and on the STEP 3 of the GSM general post:
First of all we will get the files from github repository:

git clone git://

This link says that the repository is only for reading:

Then we only have to follow the next steps but I think that the compilation will not end in success.
The problem is that the kraken tool needs a separate GPU core to realize hard CPU spending tasks with the A5/1 tables to unencypt the frames of GSM. The separate GPU that Karsten Nohl recommended to me by mail is an ATI 5xxx GPU.

Here is the link to download the A5/1 rainbow tables that use the kraken tool: (You can download them from torrent with any linux distribution and I recommend you to download the last file which is a .tgz and contains all of the above tables).
The Kraken tool uses these rainbow tables to compare the input frames and run the algorithm of GSM system with the frames of a voice call and reproduce the process to extract the Kc key by the same way as the BTS tower does.

So you can try to use these steps but I don’t think they will work. I’m only showing another way of sniffing GSM frames.

cd Utilities


cd ..

cd Kraken



cd a5_cpu


cd ..

cd TableConvert


cd ..

cd TableGeneration

make (error 1)

cd ..

cd a5_ati

make (error 1)

These 2 errors are the ones which I have found. I think that the rainbow tables files must be placed in a specified directory inside the one created with the github repository, but I don’t know exactly what is the correct one.
And the second error is caused by the lack of a separate GPU unit like an ATi, which I explained above.

I recommend you to see the next youtube video in which Karsten Nohl explains how to crack an sniff a GSM voice call:

I know that the video takes about 1 hour to finalize but is really amazing and interesting and it talks about his Kraken tool and uses this tool to decode the voice call, so you will be able to see the tool running correctly.

This is another page that talks about Kraken tool:

This is also the tutorial which explains the process of decoding a voice call with Kraken, which is quite difficult for someone like me who is a beginner of GSM system:

This is also another example of the steps you would follow:

4) Toast tool install:

The toast tool is a software that converts the GSM files that produce Airprobe to audio files that can be played with all of audio players such as VLC.

This tool will be used at the final steps of the GSM cracking produce to get the final file to listen the decoded and sniffed voice call.

Page to download it by clicking at the top of the page the link named:  “- free sourcecode“:

There are some explanations about what type of audio files are the GSM files produced by Airprobe and in what type we must convert them to be listened with VLC player.

I recommend you to read the information in this page for further explanations. Now we will proceed with the install steps.

Steps to get Toast tool running:


(instead of downloading the file by clicking in the button you can directly use this command to get the file at the directory that you want)

tar -zxvf gsm-1.0.13.tar.gz

cd gsm-1.0-pl13


make install

cd bin

./toast -d file

(where file is the name of the GSM file that we want to convert to an audio file)

5) VLC player install:

To finalize I recommend to download the VLC player which can be used without the graphical interface via the terminal prompt only and is very flexible.

To install it you only have to go to the Ubuntu Software Center or Add/remove Software program, and look for VLC player and install it. It’s possible that the packets are only available in Ubuntu Software Center but there is not a problem because you can download it in Kali linux as I explained in other threads.


This is an image to see how is the graphical interface of VLC player.

You can use also the VLC player through the terminal prompt using the command:

 cvlc file

(where file is the audio file you want to play)

And there are all the related softwares that must be used during the GSM sniffing procedure to see the results.

Airprobe – setup

Airprobe Install:
The following link is the one I have used to compile and install correctly Airprobe but I have changed some steps because of they are not updated. This is the link of the RTL-SDR blog:
This is has an interesting pdf docuemnt which explains what is exactly GNU Radio and Airprobe and what they are used for. Also this link summarizes the steps to compile Airprobe:

Another link to follow the steps is the next one:

It’s important to notice that you must have GNU Radio compiled, installed and running correctly to get Airprobe running too. So if you don’t have it, go to my other thread and install GNU Radio first.

Ok, so I suppose you have GNU Radio installed and let’s begin with the compilation of Airprobe. Open a command terminal and give it sudo privileges.
It’s allways better to have sudo privileges with this kind of compilations:

cd Documents/SDR/

(To enter in the same directory that I create for the GNU Radio which is named SDR).

mkdir airprobe
cd airprobe
sudo su

(and enter the password)

Before beginning, install the necessary dependencies:

apt-get install git-core autoconf automake libtool g++ python-dev swig

Some more dependencies are needed:

apt-get install gnuradio gnuradio-dev cmake git libboost-all-dev 
libusb-1.0-0 libusb-1.0-0-dev libfftw3-dev swig python-numpy

I don’t know if all these dependencies are required but to be sure install all these packages and there will be no problems if GNU Radio is well-compiled.

git clone git://

This will download the directory on github with all the necessary things to compile libosmocore. First of all we must compile libosmocore:

cd libosmocore
autoreconf –i
sudo make install
sudo ldconfig

Now we have to install Airprobe downloading the updated directory:

git clone git://

(inside the directory of SDR but out of the libosmocore directory)

cd airprobe

(we can see that a second folder with the name “airprobe” is created inside the first folder)

Gsmdecoder and gsm-receiver are tools of Airprobe.

Install gsmdecoder:

cd gsmdecode

Install gsm-receiver:

cd gsm-receiver

Now we are going to test Airprobe:

cd airprobe/gsm-receiver/src/python
wget ​

(If this link is outdated, check out the description below)
It’s better to go to this website:!a5ZUgYKI!N1R6bCdMRGDW-66D2yj2hSjbPQgbJ8sMlB3xPup5yus
And download the file clicking on the orange button:
This is a file with a precaptured GSM information that can be used to check if Airprobe is working after the compilation or not.
Then we have to move the file to the correct directory:

mv capture_941.8M_112.cfile gsm-receiver/src/python

After this, we have to open wireshark with sudo privileges:

sudo apt-get install wireshark

(if you are using kali linux wireshark is already installed)
Open wireshark by typing: “wireshark” in the terminal to have sudo privileges and then follow the steps to decode GSM:

./ capture_941.8M_112.cfile

This step will send the infromation of the cfile into wireshark and decode this information. This is a prepared file which has the information very well extracted and classified, of course if we receive a live channel the information won’t be so well classified.
But after this command, if you see a lot of frames entering in wireshark, it means that Airprobe works well. So this is the end of the compilation tutorial.
See my other thread to know how to setup wireshark to get the information sent by Airprobe: (STEP 6 of the thread)

Official web of the Airprobe project, but it seems to be outdated:

GNU Radio and Gqrx – setup

As I have said in Kali linux some software is easy to obtain and for the GNU Radio and Gqrx case I recommend to search in the Ubuntu Software Center and install the packets through it.
I know that kali linux doesn’t have the Ubuntu Software Center but you can go and download it from the Add/remove software program that brings Kali linux, as I said in my general post of cracking GSM steps:

I think that even with the default Add/remove software program the GNU Radio first and Gqrx then can be downloaded without any problem. It’s important to see that you have to install always de GNU Radio first becuase the Gqrx will work only if you have GNU Radio well-compiled and installed.

This post is to get the GNU Radio and Gqrx in the case the packets are not included in the updating software and you have to compile it through the terminal prompt, like I have done in Ubuntu 12.04 LTS system.

It’s better to install them through the Add/remove software program because it will install all the dependencies and all the problems will be solved. It’s also better because the tools can be executed in any directory and because all the files are well-classified by the program.

So if you have been able to get the software without any further problem via Add/remove software, don’t read anymore; if you have problems, continue reading.

In this case you only will be able to run the tools that comes with gnuradio and Gqrx inside the directory where they are placed. I recommend you to use this video in youtube to get GNU Radio & Gqrx  running via an install script, in the case you can’t get them working by any other way.

GNU Radio may be installed with apt-get command too, in case the command has the packets. This is shown in the next link:

IMPORTANT: Before beginning it’s important to notice that with this process I have been able to compile correctly GNU Radio and Gqrx but airprobe installation falls in so many errors that I haven’t been able to get it working. It’s for this reason why I’m recommending  you to install through the Add/remove software if you are able to. So if you try this process notice that you won’t be ablt to crack GSM without airprobe but with GNU Radio and Gqrx you will be able to do a lot of interesting things and it’s an option to get these softwares running for funny purposes.

1) GNU Radio Install via install script:

Here is the description of how I get the gnuradio compiled in ubuntu:

As we can see in the web page of gnuradio, the method of the video that installs gnuradio in Kali linux is not the same for ubuntu or fedora distributions.
I have followed all the video instructions of the blog that shows how to install gnuradio minus the instruction that says to add *|kali* in a specified line. But in the case of Kali linux you won’t have to do it by this way.
In the video they explain the installation for a Kali linux distribution, although there is no need to use it.
If we want to install the GNU Radio in the kali linux operating system or any other operating system, we must first of all enter the command:

sudo apt-get update

Note that in kali linux there is a terminal prompt that comes with sudo privileges and you don’t need to type sudo to enter as a superuser. This is another advantatge of Kali linux.

The method we will be using is a slightly modified build script written by Marcus Leech. So the instructions we must follow are:

First of all we must check which are the dependencies for our ubuntu version, in my case I used the version Ubuntu 12.04 LTS Precise Pangolin and I found the necessary dependencies are:

sudo apt-get -y install git-core autoconf automake libtool g++ 
python-dev swig pkg-config libboost1.48-all-dev libfftw3-dev 
libcppunit-dev libgsl0-dev libusb-dev sdcc libsdl1.2-dev
python-wxgtk2.8 python-numpy python-cheetah python-lxml doxygen 
python-qt4 python-qwt5-qt4 libxi-dev libqt4-opengl-dev libqwt5-qt4-dev
libfontconfig1-dev libxrender-dev

The dependencies can be found in this link:

Build from source using Marcus Leech Build Script:

mkdir sdr
cd sdr
mkdir gnuradio-src
cd gnuradio-src

To make changes on the build-gnuradio script is better to install gedit first that will count the lines and is better to identify where are the things:

sudo apt-get install gedit
gedit build-gnuradio

Gedit is a text editor that comes with some linux distributions and have to be installed with others. Comment the lines that are showed in the youtube video but don’t add in line 253 the word: *|kali* (IMPORTANT: if you are installing this in kali linux you have to add it!)
To check the debian version:

cat /etc/debian_version

The problem is my system doesn’t have enough space inside the root partition, so I have to get free-space for installing gnuradio:

df -H (to know what amount of free-space there is)
sudo apt-get clean (to get some free-space)
chmod a+x build-gnuradio
sudo su (and enter your password, in case your are not in Kali linux)
./build-gnuradio -m --verbose(answer "yes" to the first 2 questions)

It’s importat to use the -m flag in the last command, because this option will install the last version of GNU Radio, which is the 3.7 version, and this will make sure that the installation of Gqrx has no problems. With the old version of GNU Radio 3.6, the Gqrx can have some problems of compilation and you won’t be able to install it.

The discussion in this blog will make some idea of what I am talking about:

REMARK: This is the reason why airprobe doesn’t work, the owner of Gqrx has build a new version of this software that will only work with the new version of GNU Radio 3.7; but Airprobe is compiled to be used with the old version of GNU Radio 3.6. I tried to get the old version of Gqrx but I wasn’t able to. But using Add/remove Software in kali linux the softwares compile correctly and they have no problem between their versions.

So you must wait for about 2 hours of compiling and then check that no errors have been made by the install process. You can see all this process in the video at the link above to see if you are doing the installation correctly.
A good web page to get used to GNU Radio is: (This web page shows how to use some tools that come with gnuradio and brings you an idea of what exactly is gnuradio and for what is used). It’s important to notice the only tool that has a graphical interface is the gnuradio-companion; the other tools have to be execute through a terminal prompt and don’t have any graphical interface but they are really interesting too.

If all the installation is correctly you should have gnuradio installed and before contuining I recommend to get used with GNU Radio tools with the link above.

To know what version of GNU Radio have you installed, type the following command:

echo -e "from gnuradio import gr\nprint gr.version()" | python

2) GQRX Install:

Gqrx is an experimental AM, FM and Single Side Band (SSB) software defined receiver implemented using GNU Radio and the Qt GUI toolkit. Currently it works on Linux and can use the RTL-SDR dongles as input source. Gqrx is like a SDRsharp but in linux.

Now we will proceed with the installation of Gqrx. The first command we have to enter is:

git clone

It is important to enter the command inside the directory gnuradio_src.
In my case I entered this command first:

git clone git://

Because I notice that miss this dependency. But probably you won’t have to do it.

Then download the Qtcreator program from Ubuntu Software Center, open the file with it and search the document receivers.h and then click on the build button to compile it. If it doesn’t work or you don’t find some of these files, do it by terminal commands.

This is an image of Qtcreator main window:

qtcreatorIt’s important to see that this program is a cross-compiler that may or not have been used. So I prefer to use qmake command instead of this software. For the images of the other softwares, you can find a lot of them at the links posted through all the thread.

I prefer to do it by commands:

cd gqrx

And in the Gqrx directory will be created the executable file Gqrx that will be executed by the next command:


This will open the graphical interface of Gqrx if all the installation process had gone correctly.

I recommend you to follow this blog of Gqrx to make some ideas of what are the problems that people come across and what are the possible solutions you may use:!forum/gqrx

You have to enter with your google account and the administrator of the group will allow you to enter and share your problems, in case you have any. If not, you can enter to see how does this software work and what can you do with it.