Nine years ago, I got lost, alone, in the forest near Sitnica / Bosnia & Herzegovina. I knew I had to contact someone for help, because daylight was fading by the minute and night was falling.
I had my old HTC Evo 3D Android phone with only 0.02 BAM (≈0.01 EUR) of prepaid balance on the SIM card, so I had insufficient credit for either a phone call or an SMS message. Of course, there was no mobile data available at the time either, so I had essentially no way to call my parents for help. GPS was also useless, because Sygic and Google Maps could not work without internet, especially that deep in the forest.
However, there was one way to reach my parents: our mobile provider had a feature that let users transfer prepaid credit to another mobile account by sending a free SMS to 065 1110 containing a message of the form D5_06*******. D5 carries an integer amount, meaning that 5.00 BAM will be transferred to the mobile account matching the number 06*******, and the recipient gets an SMS notification of the credit transfer.
As I only had 0.02 BAM on my account, I tried sending 0 BAM to my father’s number, and it worked! He got a weird notification stating that his account had been credited with 0.00 BAM by me, so he immediately called me to ask what was going on. He then called me several times, guiding me over the phone to the closest exit out of the forest.
That got me thinking more about this free SMS command and the trick I had just discovered. Of course, as I deal with reverse engineering, security, software development, networking and the like on a daily basis, I came up with what I thought was an awesome idea.
Let the brainstorming begin!
I had been trying to find a way to send a full text message for free, but I was limited to a single SMS command, D5_06*******, which could not carry any text, not even a single letter!
When I was a child, my dad taught me Morse code, and I simply loved it! That was basically my best inspiration for this project. I used this command trick within my mobile operator’s network to transfer 0.00 BAM of credit to another phone number, while shaping the resulting sequence of transfer notifications into a piece of information that the other end user could later decode into a full text message.
How did I do it?
I simply created a kind of transceiver application in Java that sends many of these free SMS commands to the same number, inserting short delays between messages where needed. The transceiver application also had to be installed on both Android phones, since it listens for the notification SMS messages coming from the 065 1110 number.
So essentially, I had a map assigning each character (A-Z, 0-9, space) to a number of messages:
- Letter “A” was represented by 1 message
- Letter “B” by 2 messages
- Letter “Z” by 26 messages
- Number “0” by 27 messages
- Number “1” by 28 messages
- A “space” by 37 messages
Each character had to end with a short delay of 5.5 seconds, which marks the end of the message sequence forming a single character. A 5.5 s delay turned out to be a good fit for both 2G and 3G networks, preventing collisions between characters in case a free SMS was delayed somewhere in the cellular network.
So, in order to send a simple Hello World message, I had to send 161 free SMS commands to the number 065 1110, each containing the text D0_06*******, following this pattern: one burst per character (H = 8 messages, E = 5, L = 12, L = 12, O = 15, space = 37, W = 23, O = 15, R = 18, L = 12, D = 4), each burst followed by the 5.5 s delay.
That is 161 messages with 11 delays, sent from our phone and received and decoded by the other user’s phone, which takes more than 60.5 seconds.
How to slightly improve the speed?
Once I remapped (reordered) all characters (A-Z, 0-9 and space), placing the most commonly used characters at the beginning of the map, the software sent far fewer SMS commands than in the first iteration.
According to my performance tests, the overall speed of this communication app improved by 35%.
You must admit that this is still a pretty slow way to communicate for real daily use, but it was totally worth playing with!
Of course, this method of communication is not something the mobile operator allows, as the technique effectively abuses their server with a flood of commands.
DISCLAIMER: This article is meant for educational purposes only. I am not responsible for any harm or illegal activity that may result from it.
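As an added example (a Python reconstruction, not the author’s Java transceiver), the following encodes text into burst sizes using the 1-based position table above, decodes it back from notification timestamps by splitting wherever two arrivals are 5.5 s or more apart, and compares the message count against an assumed most-common-first ordering for the remapping step. The FREQUENT_FIRST order and the per-SMS send time are assumptions, not values from the post.

```python
# Reconstruction of the unary SMS channel described in the post (added example).
# Each character is a burst of N zero-credit transfer notifications, separated by a gap.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 "  # A=1 ... Z=26, 0=27 ... space=37
# Assumed "most common first" order for the remapping step (not the author's table).
FREQUENT_FIRST = " ETAOINSHRDLCUMWFGYPBVKJXQZ0123456789"
GAP_SECONDS = 5.5  # silence that terminates one character's burst

def build_map(order: str = ALPHABET) -> dict:
    """Map each character to its message count: its 1-based position in `order`."""
    return {ch: i + 1 for i, ch in enumerate(order)}

def encode(text: str, table: dict) -> list:
    """Burst sizes (number of free SMS commands) for each character of `text`."""
    return [table[ch] for ch in text.upper()]

def airtime(bursts: list, per_sms: float = 0.0) -> float:
    """Lower bound on transfer time: one gap per character plus per-SMS send time."""
    return len(bursts) * GAP_SECONDS + sum(bursts) * per_sms

def simulate_arrivals(bursts: list, per_sms: float = 0.5) -> list:
    """Constructed notification timestamps as the receiving phone would see them."""
    t, times = 0.0, []
    for n in bursts:
        for _ in range(n):
            times.append(t)
            t += per_sms  # assumed spacing between SMS within one burst
        t += GAP_SECONDS  # sender pauses before the next character
    return times

def decode(arrival_times: list, table: dict) -> str:
    """Recover text: a gap >= GAP_SECONDS between consecutive arrivals closes a burst."""
    if not arrival_times:
        return ""
    inverse = {n: ch for ch, n in table.items()}
    bursts, count = [], 1
    for prev, cur in zip(arrival_times, arrival_times[1:]):
        if cur - prev >= GAP_SECONDS:
            bursts.append(count)
            count = 1
        else:
            count += 1
    bursts.append(count)  # the last notification closes the final burst
    return "".join(inverse.get(n, "?") for n in bursts)

if __name__ == "__main__":
    table = build_map()
    bursts = encode("Hello World", table)
    print(sum(bursts), "SMS, at least", airtime(bursts), "s:", decode(simulate_arrivals(bursts), table))
```

The same burst-and-gap structure is what makes the channel easy to spot on the operator side: runs of 0.00 BAM transfers to a single recipient, separated by regular pauses of about 5.5 s.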