Login/Register
Is there a way to download an MMS from command line using curl or wget?
Asked Answered
Solved androidsqlitesecuritymmsapn
B

2

12

I'm doing some Android malware research for MMS based attacks. And I'm looking for a manual way to retrieve or download a received MMS message. I was hoping to find some curl or wget lines to be able to do so, but have not found anything useful.

So far I have got some MMS info from the internal databases, found by:

# find / -iname "*.db" |grep -iE "mms|sms"
...
/data/data/com.android.providers.telephony/databases/mmssms.db
/data/data/com.google.android.gms/databases/icing_mmssms.db
/data/data/com.android.mms/databases/message.db
/data/data/com.android.mms/databases/message_glance.db

# cd /data/data/com.android.providers.telephony/databases/
# echo "select * from pdu;" | sqlite3 -header mmssms.db
...
# echo "select date,sub,ct_l,tr_id from pdu;" | sqlite3 -header mmssms.db

  date|sub|ct_l|tr_id
  1495xxxxxx|Download this message|http://mmsc32:10021/mmsc/3_2?Ae_xxxx_xxxxx-xxx|Ae_xxxx_xxxxx-xxx

How to interpret the mmsc32:10021 part?

Then looking in the message settings for the MMSC, Proxy and port, I want to build a working CLI one-liner or browser request, to download the file for inspection.

In the phone settings settings we can find the MMSC via:

Settings > More > Mobile network > Access Point Names > MMS: <your operator>

MMSC:       http://mms.company.net:8002/
MMS Proxy:  194.xx.xx.xx
MMS Port:   8080

How can I download the MMS file from shell command line (or an external browser)?

PS. Obviously the phone is rooted and have both busybox and sqlite3, and perhaps also curl or wget installed. The AOS is 5.0+.

Addendum: 2017-11-09

From here:

MMS (Multimedia Messaging Service) messages are sent using a combination of SMS and WAP technologies. When an MMS message is sent, a mobile device receives an MMS notification message via SMS. When this MMS notification message is received by the mobile device, the mobile device automatically initiates a WAP gateway connection to download the content of the MMS message.

To send an MMS message, you must first create an MMS message file. The format of an MMS message file is documented in the MMS Encapsulation Protocol specification published by the Open Mobile Alliance (http://www.openmobilealliance.org) and/or the WAP Forum (http://www.wapforum.org). The MMS message file format consists of an MMS message binary header, followed by a multipart MIME message where the multipart message is encoded in a binary multipart format as defined by the WAP Wireless Session Protocol (WSP) specification. This binary MMS message file is stored on a web server using a MIME type of application/vnd.wap.mms-message and an MMS message type of m-retrieve-conf. A subset of the binary MMS header is sent as an MMS notification message (MMS message type m-notification-ind) via SMS to the mobile device together with a URL pointer to the location of the complete message.

Also, smartphones does not download the MMS or SMS content to SIM any more. That is how "feature" phones used to do it.

Addendum: 2017-11-13

Looking at the API-23 (M) sources for the SQLite3 tables shown in Telephony.java, we find that CONTENT_LOCATION = "ct_l";, so we can search for its other uses here. To briefly summarize our findings: 

date    # The message delivery time.
sub     # The subject of the message, if present.
ct_l    # The Content-Location of the message. A field in interface:Telephony.BaseMmsColumns 
tr_id   # The transaction-id of the message.

Thus we might expect that the URI in ct_l can be interpreted as follows:

  • http://mmsc32:10021 is the server (IP:PORT) masked by the MMS proxy (shown) above
  • /mmsc/3_2 is the WAP URL to the message processor
  • ?Ae_xxxx_xxxxx-xxx is telling the message processor to retrieve the message given by the "transaction id": Ae_xxxx_xxxxx-xxx`

Therefore, using the proxy (APN) settings, and using the URL extracted from the message DB (mmssms.db), one should be able to retrieve and download the content of the MMS, using a carefully crafted curl statement. Perhaps something like: 

# curl -x http://proxy_server:proxy_port --proxy-user username:password -L http://url
curl -v -x http://194.xx.xx.xx:8080 -L http://mmsc32:10021/mmsc/3_2?Ae_xxxx_xxxxx-xxx
# Or from outside local net:
curl -v -x http://mms.company.net:8002 -L http://mmsc32:10021/mmsc/3_2?Ae_xxxx_xxxxx-xxx

The first one obviously wouldn't work from outside the phone environment as it refers to an IP class C, only visible within the mobile assigned IP.

Bailes answered 22/5, 2017 at 16:7 Comment(8)
Proxy is usually used to retrieve MSISDN (number) and attach it to the MMSC for a check. No matter what you provide in HTTP headers, the number will not be passed and message therefor not downloaded.Avert
@Avert Sure, but one should be able to setup that proxy according to what was found/extracted (as shown above).Bailes
Own proxy cannot do that. Operator's proxy checks sgsn/ggsn for data connection in order to retrieve imsi/msisdn, which is then passed to the mmsc in order to authenticate MMS download link with subscriber number.Avert
@Avert Then I'm not sure I fully understand that process. Can you link to something, where I can read up on this? (What is sgsn/ggsn?) I suppose you are talking about the mmsc32:10021 part, that is handled from within phone? (Where?) At the end of the day, I just want to download the message to a file, without the phone processing it, as it could contain malware.Bailes
When I say "without the phone processing it", I mean that the message is downloaded in phone, but the message is not processed further in regard to what the phone OS does next, based on (apparent) message type. I.e. image, video, voice, text etc. Exactly what happens depend on your phone AOS and your settings, but most of the time this is not (easily) accessible from user environment, and most likely require root permissions to inspect or change.Bailes
What I want to say, you can download only thru phone/SIM data session, just over internet its impossible.Avert
If I understand correctly: You're able to, with a sequence of bash commands, get the string "mmsc32:10021/mmsc/3_2?Ae_xxxx_xxxxx-xxx|Ae_xxxx_xxxxx-xxx"? Are you just asking how to wget that? I.e., does that URL actually work for downloading the MMS you want?Roller
@NicholasPipitone Yes, that is what I am saying. Because the URL is just mmsc32, I guess we need to resolve it to a proper IP. So, once that is done we should be able to formulate and use can use wget (or whatever) from within the phone, to download the raw message in binary format without actually processing it. I guess you could also do this by setting your phone as an access point and connecting your PC to it.Bailes
D
1

I just used your addendum to get it working, but had to change it slightly.

Note that I'm running this from linux with a PPP interface defined via a connected USB modem. Obviously the connection this executes from has to be "on net" for the carrier that delivered the MMS push.

curl --interface ppp0 -v -x 10.202.2.60:8080 --output mms.pdu http://pxt-get.vodafone.net.au:8080/mmsc?xxxxxxxxxxx

where:

  • ppp0 is the interface defined by the modem connection, and:

  • http://pxt-get.vodafone.net.au:8080/mmsc?xxxxxxxxxxx
    was the URL passed in the original MMS push notification, and:

  • 10.202.2.60 is the MMS proxy given by my carrier, and:

  • 8080 is the MMS port given by my carrier.

This saves the MMS to the file mms.pdu.

The config files: /etc/ppp/options:

debug
4000000
modem
crtscts
lock
connect /etc/ppp/net-connect
asyncmap 0
defaultroute
:
mtu 1400

/etc/ppp/net-chat:

#!/bin/sh
/usr/sbin/chat -v -t 60 -f /etc/ppp/net-chat

/etc/ppp/net-connect:

ABORT 'ERROR'
ABORT 'BUSY'
ABORT 'NO CARRIER'
'' AT
OK ATE0
OK AT+IPR=4000000
OK AT+CGDCONT=1,"IP","live.vodafone.com"
OK AT&S1
OK AT&F
OK AT&W
OK AT+CNMP=14
OK AT&W
OK ATE0
OK ATD*99***1#
CONNECT

Finally connect, by doing: /usr/sbin/pppd /dev/ttyUSB3

Diviner answered 6/12, 2021 at 2:1 Comment(5)
This is great Iain! I never got this to work as I wanted at the time, and basically didn't pursue the task further. That you managed to get this done using the --interface option is great. It would have been cool to also see how you setup your PPP interface. I guess it would be a little OT for this question, but perhaps you have a link to a write up or some other comments that would be useful?Bailes
I put this in /etc/ppp/options: york.workingsoftware.com.au/shortly/#LcwxDoAgDEbh/… I put this in /etc/ppp/net-chat: york.workingsoftware.com.au/shortly/…Diviner
I put this in /etc/ppp/net-connect: york.workingsoftware.com.au/shortly/#U1bUT8rM0y/… then I can connect by doing: /usr/sbin/pppd /dev/ttyUSB3 I can then still connect to the modem for SMS AT commands and reading WAP PUSH notifications via: cu -s 115200 /dev/ttyuSB2Diviner
I use this lib for encoding/decoding MMS PDUs github.com/pmarti/python-messaging although BEWARE!! Their tutorial leaves out an absolutely crucial part of the process of encoding an MMS PDU that cost me about 18 hours of hair pulling: you have to include the From parameter with "insert-address-token", I don't know what "Insert-address-token" is supposed to be so I put literally "Insert-address-token" and it worked :) then I went to bed. openmobilealliance.org/tech/affiliates/wap/…Diviner
Seem to be some good updates of the Py3 fork here.Bailes
B
2

I hope you get an answer to this. I'm not the one, but will throw in my 2 cents worth of advice...

Short version

  • You can't have texts skipping the "send to" SIM card and auto-diverting to some computer.

  • Make an Android app to install on your phone, make sure its job is to detect and divert copies of new inbox messages to your computer.

  • Use a USB dongle for the SIM. When plugged into computer, then you're receiving messages directly to your computer without the phone being involved.

Long version

Rather than command line tools, you're better off making an actual app (via Android SDK) that checks for received messages and forwards some data to you (eg: via email, or sockets, or however you like). Also "some data" meaning either a full copy of the message itself, or just sends feedback of [in-app] message analysis (eg: number of images detected, the hex printout of image bytes and so on).

Looking at Android's SmsManager API it even tells you:

For information about how to behave as the default SMS app on Android 4.4 (API level 19) and higher, see Telephony.

Also look at that API's downloadMultimediaMessage command. It's doing what you need. Telephony page has the information and links to start, but independent blog articles and tutorials (one such example) about this topic are out there too.

Anyways, onto your post...

(1)

"I just want to download the message to a file, without the phone processing it, as it could contain malware"

How do you imagine "without the phone processing it" to work? The phone holds the sim that your operator (via a service centre) will forward messages to, after receiving from sender's own provider's service centre. You and curl are out of this loop. You'll only know of a text when your SIM receives it and the phone OS alerts you.

Technically the phone has processed this message, you just haven't opened it yet.

(2)

"How can I download the MMS file from shell command line or an external browser?"

You have to download that entire mmssms.db file and extract the specific message from it. You treat the .db like any other online database (eg: using SQL/PHP type queries, etc).

See this tutorial for useful advice : http://cheeky4n6monkey.blogspot.co.uk/2013/02/

An alternative for future incoming messages is to just get a (USB) SIM dongle that takes your card. Once plugged into the computer it can receive/send messages since the SIM is live/active inside the dongle (as proxy of phone).

The dongles come with own software (example image of such) for managing web connections and read/write SMS/MMS messages. It's like just having SIM working not in phone but on desktop.

Beetner answered 9/11, 2017 at 5:39 Comment(2)
Yes, of course we can write an app to intercept messages, but that's not what I asked about. But just like the app, we should be able to retrieve the message likewise. (1) AFAIK, no new phones download any messages to SIM, the binary details of the message determine what the handset (TE) OS is going to do with the message. E.g. to save it on SIM, process in SE (APN settings etc) , display directly (flash SMS),or reply to sender etc. (2) The message is not in the DB until you or your phone decide to open it, which again depend on your settings.Bailes
As a side note to (1), it may also be interesting to read this. and this.Bailes
D
1

I just used your addendum to get it working, but had to change it slightly.

Note that I'm running this from linux with a PPP interface defined via a connected USB modem. Obviously the connection this executes from has to be "on net" for the carrier that delivered the MMS push.

curl --interface ppp0 -v -x 10.202.2.60:8080 --output mms.pdu http://pxt-get.vodafone.net.au:8080/mmsc?xxxxxxxxxxx

where:

  • ppp0 is the interface defined by the modem connection, and:

  • http://pxt-get.vodafone.net.au:8080/mmsc?xxxxxxxxxxx
    was the URL passed in the original MMS push notification, and:

  • 10.202.2.60 is the MMS proxy given by my carrier, and:

  • 8080 is the MMS port given by my carrier.

This saves the MMS to the file mms.pdu.

The config files: /etc/ppp/options:

debug
4000000
modem
crtscts
lock
connect /etc/ppp/net-connect
asyncmap 0
defaultroute
:
mtu 1400

/etc/ppp/net-chat:

#!/bin/sh
/usr/sbin/chat -v -t 60 -f /etc/ppp/net-chat

/etc/ppp/net-connect:

ABORT 'ERROR'
ABORT 'BUSY'
ABORT 'NO CARRIER'
'' AT
OK ATE0
OK AT+IPR=4000000
OK AT+CGDCONT=1,"IP","live.vodafone.com"
OK AT&S1
OK AT&F
OK AT&W
OK AT+CNMP=14
OK AT&W
OK ATE0
OK ATD*99***1#
CONNECT

Finally connect, by doing: /usr/sbin/pppd /dev/ttyUSB3

Diviner answered 6/12, 2021 at 2:1 Comment(5)
This is great Iain! I never got this to work as I wanted at the time, and basically didn't pursue the task further. That you managed to get this done using the --interface option is great. It would have been cool to also see how you setup your PPP interface. I guess it would be a little OT for this question, but perhaps you have a link to a write up or some other comments that would be useful?Bailes
I put this in /etc/ppp/options: york.workingsoftware.com.au/shortly/#LcwxDoAgDEbh/… I put this in /etc/ppp/net-chat: york.workingsoftware.com.au/shortly/…Diviner
I put this in /etc/ppp/net-connect: york.workingsoftware.com.au/shortly/#U1bUT8rM0y/… then I can connect by doing: /usr/sbin/pppd /dev/ttyUSB3 I can then still connect to the modem for SMS AT commands and reading WAP PUSH notifications via: cu -s 115200 /dev/ttyuSB2Diviner
I use this lib for encoding/decoding MMS PDUs github.com/pmarti/python-messaging although BEWARE!! Their tutorial leaves out an absolutely crucial part of the process of encoding an MMS PDU that cost me about 18 hours of hair pulling: you have to include the From parameter with "insert-address-token", I don't know what "Insert-address-token" is supposed to be so I put literally "Insert-address-token" and it worked :) then I went to bed. openmobilealliance.org/tech/affiliates/wap/…Diviner
Seem to be some good updates of the Py3 fork here.Bailes

© 2022 - 2024 — McMap. All rights reserved.