Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is there a way to download an MMS from command line using curl or wget?

Tags:

android

security

sqlite

mms

apn

I'm doing some Android malware research for MMS based attacks. And I'm looking for a manual way to retrieve or download a received MMS message. I was hoping to find some curl or wget lines to be able to do so, but have not found anything useful.

So far I have got some MMS info from the internal databases, found by:

# find / -iname "*.db" |grep -iE "mms|sms"
...
/data/data/com.android.providers.telephony/databases/mmssms.db
/data/data/com.google.android.gms/databases/icing_mmssms.db
/data/data/com.android.mms/databases/message.db
/data/data/com.android.mms/databases/message_glance.db

# cd /data/data/com.android.providers.telephony/databases/
# echo "select * from pdu;" | sqlite3 -header mmssms.db
...
# echo "select date,sub,ct_l,tr_id from pdu;" | sqlite3 -header mmssms.db

  date|sub|ct_l|tr_id
  1495xxxxxx|Download this message|http://mmsc32:10021/mmsc/3_2?Ae_xxxx_xxxxx-xxx|Ae_xxxx_xxxxx-xxx

How to interpret the mmsc32:10021 part?

Then looking in the message settings for the MMSC, Proxy and port, I want to build a working CLI one-liner or browser request, to download the file for inspection.

In the phone settings settings we can find the MMSC via:

Settings > More > Mobile network > Access Point Names > MMS: <your operator>

MMSC:       http://mms.company.net:8002/
MMS Proxy:  194.xx.xx.xx
MMS Port:   8080

How can I download the MMS file from shell command line (or an external browser)?

PS. Obviously the phone is rooted and have both busybox and sqlite3, and perhaps also curl or wget installed. The AOS is 5.0+.

Addendum: 2017-11-09

From here:

MMS (Multimedia Messaging Service) messages are sent using a combination of SMS and WAP technologies. When an MMS message is sent, a mobile device receives an MMS notification message via SMS. When this MMS notification message is received by the mobile device, the mobile device automatically initiates a WAP gateway connection to download the content of the MMS message.

To send an MMS message, you must first create an MMS message file. The format of an MMS message file is documented in the MMS Encapsulation Protocol specification published by the Open Mobile Alliance (http://www.openmobilealliance.org) and/or the WAP Forum (http://www.wapforum.org). The MMS message file format consists of an MMS message binary header, followed by a multipart MIME message where the multipart message is encoded in a binary multipart format as defined by the WAP Wireless Session Protocol (WSP) specification. This binary MMS message file is stored on a web server using a MIME type of application/vnd.wap.mms-message and an MMS message type of m-retrieve-conf. A subset of the binary MMS header is sent as an MMS notification message (MMS message type m-notification-ind) via SMS to the mobile device together with a URL pointer to the location of the complete message.

Also, smartphones does not download the MMS or SMS content to SIM any more. That is how "feature" phones used to do it.

Addendum: 2017-11-13

Looking at the API-23 (M) sources for the SQLite3 tables shown in Telephony.java, we find that CONTENT_LOCATION = "ct_l";, so we can search for its other uses here. To briefly summarize our findings: 

date    # The message delivery time.
sub     # The subject of the message, if present.
ct_l    # The Content-Location of the message. A field in interface:Telephony.BaseMmsColumns 
tr_id   # The transaction-id of the message.

Thus we might expect that the URI in ct_l can be interpreted as follows:

  • http://mmsc32:10021 is the server (IP:PORT) masked by the MMS proxy (shown) above
  • /mmsc/3_2 is the WAP URL to the message processor
  • ?Ae_xxxx_xxxxx-xxx is telling the message processor to retrieve the message given by the "transaction id": Ae_xxxx_xxxxx-xxx`

Therefore, using the proxy (APN) settings, and using the URL extracted from the message DB (mmssms.db), one should be able to retrieve and download the content of the MMS, using a carefully crafted curl statement. Perhaps something like: 

# curl -x http://proxy_server:proxy_port --proxy-user username:password -L http://url
curl -v -x http://194.xx.xx.xx:8080 -L http://mmsc32:10021/mmsc/3_2?Ae_xxxx_xxxxx-xxx
# Or from outside local net:
curl -v -x http://mms.company.net:8002 -L http://mmsc32:10021/mmsc/3_2?Ae_xxxx_xxxxx-xxx

The first one obviously wouldn't work from outside the phone environment as it refers to an IP class C, only visible within the mobile assigned IP.

like image 765
not2qubit Avatar asked May 22 '17 16:05

not2qubit

2 Answers

I just used your addendum to get it working, but had to change it slightly.

Note that I'm running this from linux with a PPP interface defined via a connected USB modem. Obviously the connection this executes from has to be "on net" for the carrier that delivered the MMS push.

curl --interface ppp0 -v -x 10.202.2.60:8080 --output mms.pdu http://pxt-get.vodafone.net.au:8080/mmsc?xxxxxxxxxxx

where:

  • ppp0 is the interface defined by the modem connection, and:

  • http://pxt-get.vodafone.net.au:8080/mmsc?xxxxxxxxxxx
    was the URL passed in the original MMS push notification, and:

  • 10.202.2.60 is the MMS proxy given by my carrier, and:

  • 8080 is the MMS port given by my carrier.

This saves the MMS to the file mms.pdu.

The config files: /etc/ppp/options:

debug
4000000
modem
crtscts
lock
connect /etc/ppp/net-connect
asyncmap 0
defaultroute
:
mtu 1400

/etc/ppp/net-chat:

#!/bin/sh
/usr/sbin/chat -v -t 60 -f /etc/ppp/net-chat

/etc/ppp/net-connect:

ABORT 'ERROR'
ABORT 'BUSY'
ABORT 'NO CARRIER'
'' AT
OK ATE0
OK AT+IPR=4000000
OK AT+CGDCONT=1,"IP","live.vodafone.com"
OK AT&S1
OK AT&F
OK AT&W
OK AT+CNMP=14
OK AT&W
OK ATE0
OK ATD*99***1#
CONNECT

Finally connect, by doing: /usr/sbin/pppd /dev/ttyUSB3

like image 200
Iain Dooley Avatar answered Oct 07 '22 18:10

Iain Dooley

I hope you get an answer to this. I'm not the one, but will throw in my 2 cents worth of advice...

Short version

  • You can't have texts skipping the "send to" SIM card and auto-diverting to some computer.

  • Make an Android app to install on your phone, make sure its job is to detect and divert copies of new inbox messages to your computer.

  • Use a USB dongle for the SIM. When plugged into computer, then you're receiving messages directly to your computer without the phone being involved.

Long version

Rather than command line tools, you're better off making an actual app (via Android SDK) that checks for received messages and forwards some data to you (eg: via email, or sockets, or however you like). Also "some data" meaning either a full copy of the message itself, or just sends feedback of [in-app] message analysis (eg: number of images detected, the hex printout of image bytes and so on).

Looking at Android's SmsManager API it even tells you:

For information about how to behave as the default SMS app on Android 4.4 (API level 19) and higher, see Telephony.

Also look at that API's downloadMultimediaMessage command. It's doing what you need. Telephony page has the information and links to start, but independent blog articles and tutorials (one such example) about this topic are out there too.

Anyways, onto your post...

(1)

"I just want to download the message to a file, without the phone processing it, as it could contain malware"

How do you imagine "without the phone processing it" to work? The phone holds the sim that your operator (via a service centre) will forward messages to, after receiving from sender's own provider's service centre. You and curl are out of this loop. You'll only know of a text when your SIM receives it and the phone OS alerts you.

Technically the phone has processed this message, you just haven't opened it yet.

(2)

"How can I download the MMS file from shell command line or an external browser?"

You have to download that entire mmssms.db file and extract the specific message from it. You treat the .db like any other online database (eg: using SQL/PHP type queries, etc).

See this tutorial for useful advice : http://cheeky4n6monkey.blogspot.co.uk/2013/02/

An alternative for future incoming messages is to just get a (USB) SIM dongle that takes your card. Once plugged into the computer it can receive/send messages since the SIM is live/active inside the dongle (as proxy of phone).

The dongles come with own software (example image of such) for managing web connections and read/write SMS/MMS messages. It's like just having SIM working not in phone but on desktop.

like image 27
VC.One Avatar answered Oct 07 '22 20:10

VC.One
Sign in to Comment

Related questions

Draw a smooth line
How may we optimize (cpu & ram) this android custom splash animation?
do I need AppCompatActivity & v7 Support Libraries with minimum sdk 21?
How to upload apk to play store that is having more than 100 MB size?
How to delete multiple nodes in one request in firebase?
Can Firebase Console send data payload?
Google Firebase serialize/deserialize
Getting 'E/TokenRequestor: You have wrong OAuth2 related configurations. Detailed error: INVALID_AUDIENCE' even after providing accurate client IDs
okhttp loggin interceptor in multipart
react-native wrapper for CoordinatorLayout and BottomSheetBehavior
Android 7 WebView with wrap_content
Android DownloadManager.ERROR_FILE_ERROR
ANDROID: Error W/DynamiteModule: Local module descriptor class for com.google.android.gms.googlecertificates not found
Using SharedElement Activity transitions with a custom View
'java' plugin is not compatible with the Android plugins
How to make clicks on part of model in Vuforia (without Unity)?
How to use NodeJS in Android using J2V8
Adding Social Media Share Logic From Firebase in Android
Does the new Android WebView perform the same as CrossWalk WebView
How to launch google maps app in the background from my app

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!