srlabs / blue-merle

The blue-merle package enhances anonymity and reduces forensic traceability of the GL-E750 Mudi 4G mobile wi-fi router
BSD 3-Clause "New" or "Revised" License

Limit frequency bands to those supported by the spoofed IMEI's phone model #1

Open Linuzifer opened 1 year ago

Linuzifer commented 1 year ago

As discussed on page 9 of the Documentation, a fingerprinting risk emerges when blue-merle generates an IMEI with a TAC of a phone model not supporting LTE frequency bands the Mudi router supports, namely B1, B3, B5, B7, B8, B20, B28, B32, B38, B40 and B41. When a blue-merle Mudi uses a frequency band that does not match the TAC's specification, an observer can deduce that the IMEI is spoofed.

As limiting the frequency bands might impact service quality and availability, the feature should be optional.

The command to limit the baseband to specific bands is AT+QCFG=$band

See AT Commands Manual (alternative public link) for details.
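As an added illustration of the issue (not blue-merle's own code), the following computes the LTE bands a Mudi may keep enabled for a spoofed TAC, i.e. the intersection of the Mudi's band list from the issue with the spoofed model's bands, and emits the matching band-limiting command. The TAC-to-band table is constructed for the example, and the AT+QCFG="band" parameter layout (GSM/WCDMA mask, LTE mask with bit n-1 for band n, TD-SCDMA mask, 0 meaning "no change") is assumed from the Quectel manual convention and must be checked against the EP06 document linked above.

```python
"""Added example (not part of blue-merle): restrict a spoofed TAC to bands the
claimed phone model actually supports, and build the corresponding AT command."""

# LTE bands supported by the GL-E750 Mudi (EP06-E), as listed in the issue.
MUDI_BANDS = {1, 3, 5, 7, 8, 20, 28, 32, 38, 40, 41}

# Constructed TAC -> LTE band table with hypothetical TACs. Real entries must be
# taken from the spec sheet of the device whose TAC is being reused.
TAC_BANDS = {
    "35000001": {1, 3, 7, 8, 20, 28, 38, 40},   # hypothetical handset A
    "35000002": {2, 4, 12, 13, 66},             # hypothetical handset with no overlap
}


def luhn_check_digit(digits: str) -> str:
    """Luhn check digit over the 14-digit TAC+serial body, as used by IMEIs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def make_imei(tac: str, serial: str) -> str:
    """Assemble a 15-digit IMEI from an 8-digit TAC and a 6-digit serial."""
    body = tac + serial
    if len(body) != 14 or not body.isdigit():
        raise ValueError("TAC+serial must be exactly 14 digits")
    return body + luhn_check_digit(body)


def allowed_bands(tac: str) -> set:
    """Bands the Mudi can use without contradicting the spoofed model's spec."""
    return MUDI_BANDS & TAC_BANDS[tac]


def lte_band_mask(bands: set) -> str:
    """Hex mask with bit (n-1) set for LTE band n (assumed Quectel convention)."""
    return hex(sum(1 << (b - 1) for b in bands))


def band_limit_command(tac: str) -> str:
    """AT+QCFG="band",<gsm/wcdma>,<lte>,<td-scdma>; 0 assumed to mean 'no change'."""
    bands = allowed_bands(tac)
    if not bands:
        # A TAC sharing no band with the Mudi can never be used consistently.
        raise ValueError(f"TAC {tac} shares no LTE band with the Mudi; pick another")
    return f'AT+QCFG="band",0,{lte_band_mask(bands)},0'
```

Because the manual describes these as "preferred" bands, the resulting setting should be read back (and ideally observed on air) before relying on it.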

6t8k commented 1 year ago

Public links for newer versions of the AT Commands Manual: [V1.3] [V2.0]

6t8k commented 1 year ago

In the AT Commands Manual V1.2 and V1.3, the AT+QCFG="band" section says:

The command specifies the preferred frequency bands to be searched of UE.

(emphasis mine)

Doesn't this beg the question whether the router might in some circumstances actually still use frequency bands that were excluded using the command? Perhaps this should be explicitly tested?

TheWanderer1983 commented 1 year ago

If you think there are enough EP-06E/A's, you could just use the TACs for them. To do this, replace the imei_prefix values in imei_generate.py with each of the following: EP06-E TACs: 86481803, 86818604; EP06-A TACs: 86925803, 86722504.

If you want it to match the many iPhone/Samsung phones around, update the TACs to include Samsung/Apple phones with the latest models that support all the global LTE bands. Obviously the GL-E750 will only send on the EP-06E bands, not all the bands of that phone model, but they are all a subset of that phone's bands. You should remember that the bands being used also depend on the network provider. If that matches the EP-06E then you should be fine. Here is a website that lists how to check the EP-06E against a number of worldwide operators: https://m2msupport.net/m2msupport/?s=Check+compatability+of+Quectel+Wireless+EP06-E+&submit=Search

Another option is to wait for the GL-E750V2, which replaces the EP06-E with the EM060K. The EM060K supports the global LTE bands, which aligns with most modern phones. You could then use a lot of TACs from many modern phones. This option requires the software to be updated to work with v2, and of course for v2 to be released, which is still TBD.