Thursday, January 2, 2014

Parse PDU-format SMS messages

Parse PDU-format SMS messages from MCU of Samsung SGH-E900 phone

OK, since I primarily work with Cellebrite's Physical Analyzer, I'll post one script I wrote to parse PDU-formatted SMS messages out of the unallocated space of a Samsung SGH-E900 phone (cheap feature phone) that had a ton of deleted messages hanging out in the nether regions of the device's NOR (MCU) memory. These weren't all parsed by Physical Analyzer automatically. In fact, most of them weren't.

I wrote one version of this first, a version that builds the requisite memory range from "chunks." In this case it's just one chunk, but hopefully it makes sense. Then, I learned I could do it as a "subrange" of an existing memory range, in this case, the MCU image from the extraction. Here are both versions.

I will mention that I suck as a programmer and I wouldn't mind at all if someone could clean this up.



Chunk Version

#This script works for any phone that has PDU-formatted SMS messages
#Written for Physical Analyzer


from physical import *                     #necessary for any script written for PA
from PhoneUtils.GSM import PDUParser       #import parser for PDU-formatted SMS

MCU = ds.MemoryRanges[1]                   #choose the MCU for the E900 phone
sms = Chunk (MCU, 0x1E5CE35, 0x53)         #set the offset/length of the SMS in the MCU
chunks = [sms]                             #define the list of chunks (one chunk here)
raw_sms = MemoryRange (chunks)             #define memory range from MCU

hasMMC = True                              #does it have an SMSC number?

parsed_sms = PDUParser.TryParsePDU (raw_sms, hasMMC).SMS #parse out the PDU-formatted SMS

ds.Models.Add (parsed_sms)                 #Add to the datastore
                                           #It will now show up in the Project Tree





Sub-Range Version

#This script works for any phone that has PDU-formatted SMS messages
#Written for Physical Analyzer

from physical import *                      #necessary for any script written for PA
from PhoneUtils.GSM import PDUParser        #import necessary parser for PDU-formatted SMS

MCU = ds.MemoryRanges[1]                    #choose MCU for the E900
offset = 0x1E5CFD9                          #set the offset/length of the SMS in the MCU
length = 0x53
raw_sms = MCU.GetSubRange (offset, length)  #define raw_sms as a subrange of the MCU
                                            #based on offset and length
hasMMC = True                               #does the message contain an SMSC number?

#parse out the PDU-formatted SMS using PA's function
parsed_sms = PDUParser.TryParsePDU (raw_sms, hasMMC).SMS   

ds.Models.Add (parsed_sms)                  #Add to the datastore
                                            #It now shows up in the Project Tree







Anywho, you can test this on any phone that has PDU-formatted SMS messages. You just have to specify the proper memory range and the offset and length. I want to expand this eventually to use grep to search through the unallocated space for these messages and parse them automatically. For further information, read the Python Scripting Guide found under the Help Menu item in Physical Analyzer. There aren't enough people doing this stuff and I want to get some collaborators.
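To see what decoding one of these records involves outside Physical Analyzer, here is an added example that is not part of the original post and is not Cellebrite's PDUParser. It is standalone Python 3 covering only SMS-DELIVER with the GSM 7-bit default alphabet and no user data header; the function names and the has_smsc parameter (playing the role the scripts above give hasMMC) are assumptions of this example.

```python
# Added example: standalone SMS-DELIVER decoder following the 3GPP TS 23.040 layout.
# Not Cellebrite's PDUParser. Handles only the GSM 7-bit default alphabet, no UDH.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")

def semi_octets(data):
    """Decode nibble-swapped BCD digits; a trailing 0xF nibble is padding."""
    return "".join("%x%x" % (b & 0x0F, b >> 4) for b in data).rstrip("f")

def address(type_octet, data):
    """Prefix '+' when the type-of-number bits (6..4) mark an international number."""
    return ("+" if (type_octet >> 4) & 0x07 == 1 else "") + semi_octets(data)

def unpack_septets(data, count):
    """Unpack `count` 7-bit characters from LSB-first packed user data."""
    bits = int.from_bytes(data, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(count))

def parse_deliver(pdu, has_smsc=True):
    """Return the decoded fields, or None if `pdu` is not a plausible SMS-DELIVER."""
    try:
        pos, smsc = 0, ""
        if has_smsc:                       # length octet, type octet, then digits
            n = pdu[0]
            smsc = address(pdu[1], pdu[2:1 + n]) if n else ""
            pos = 1 + n
        if pdu[pos] & 0x03:                # TP-MTI must be 00 for SMS-DELIVER
            return None
        alen = (pdu[pos + 1] + 1) // 2     # sender length is given in digits
        sender = address(pdu[pos + 2], pdu[pos + 3:pos + 3 + alen])
        pos += 3 + alen                    # now at TP-PID
        dcs, tz, udl = pdu[pos + 1], pdu[pos + 8], pdu[pos + 9]
        stamp = semi_octets(pdu[pos + 2:pos + 8])
        body = pdu[pos + 10:pos + 10 + (udl * 7 + 7) // 8]
    except IndexError:                     # truncated record
        return None
    if dcs != 0 or len(stamp) != 12 or not stamp.isdigit() or len(body) * 8 < udl * 7:
        return None
    quarters = (tz & 0x07) * 10 + (tz >> 4)   # bit 3 of the octet is the sign
    return {"smsc": smsc, "sender": sender,
            "time": "%s-%s-%s %s:%s:%s" % tuple(stamp[i:i + 2] for i in range(0, 12, 2)),
            "tz_minutes": (-15 if tz & 0x08 else 15) * quarters,
            "text": unpack_septets(body, udl)}

# Sample input for this example, not data from the E900 extraction.
SAMPLE = bytes.fromhex("07917283010010F5040BC87238880900F10000993092516195800AE8329BFD4697D9EC37")
```

Returning None for anything implausible matters when a decoder like this is pointed at arbitrary offsets in unallocated space, where most candidate byte runs are not messages.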

Here's a reference to PDU-format SMS:

PDU-Format SMS Messages

My employer, H-11 Digital Forensics
