But that's the sales crap and really I was interested in doing some reversing on the tech. Sooo...
Here is what I have so far. The device has a pair of numbers (this is somewhat of a lie, but sufficient for now). The one republic assigns you, located in your geographic region and tied into their VoIP service and a second cellular number which is not normally visible. Based on this we can conclude that the republic infrastructure works roughly as follows for an incoming call:
- The call arrives at republic's VoIP switch.
- The VoIP switch checks to see if you've registered recently. If you have it attempts to negotiate a VoIP connection.
- If you haven't, or negotiation fails, it forwards the call to the phones cellular number.
Interestingly, the cellular number can be called and texted directly if you retrieve it from the phone's baseband.
I do wonder about how republic is going to do accounting for their CUI stuff -- I'd posit they'll do it with their VoIP call router. This does make me wonder if one could pull shenanigans by bypassing it using the cell number directly. While this would work in the short term, sooner or later republic will get a bill for the usage from Sprint and probably notice.
For data accounting, I'd guess they're probably using either their own PDSN or a private gateway. I'll verify this sooner or later...
Both of these are really a question of how close a relationship republic has with Sprint. Can't say I've looked to see if any of them are Sprint alumn yet, so its hard to say.
If I were them, I'd probably ask Sprint to block direct access to the cellular number from the outside (just a suggestion).
Another interesting side note, while poking around in the dialer interface I noticed this:
I wonder if either they hired one or more of the XDA folks (who I hold in high regard) or appropriated their app..? Realistically if I were looking for quality phone hackers, XDA is probably where I'd start looking.
Next up I'll probably bust out WireShark and take a look at what their VoIP protocol over WiFi looks like. That should be entertaining... I'll be very interested in knowing if they've implemented anything that resembles security.
---
If you don't understand any of the following, don't do it. You can very easily screw up your phone.
For those that are curious, the second number can be examined by using either Qualcomm Phone Service Tools (which you really shouldn't have) or CDMA-Workshop. Roughly speaking, you need to retrieve the phones SPL, once you have that then read back the service programming. With the service programming data, you can check the directory number for the device (AKA, the cellular number). While not particularly organized, or entirely applicable, bits of this are described here. Use the "old technique" to get the SPL and ignore the part about updating the PRL.
Assuming you're using CDMA-Workship, enter the SPL you just retrieved in the window next to the baud rate and press the read button.
Also interesting is the fact that the MIN, directory number and MDN are all different. For my device the dial number has a local area code, the directory number is 240-469-XXXX, and the MIN is 301-205-XXXX. The latter two being MD area codes.
The MIN returns a number not valid when trying to call it...
What about using a custom ROM? IS there any chance the RW technology could be incorporated into it? I REALLY want ICS but don't want to do so at the expense of my membership with RW.
ReplyDeleteDo you know how the data is tracked for the CUI (both Cell and WiFi)? Would a custom ROM show them nothing (I want it to show something of course as I use a lot of WiFi).
Its really a great post.
ReplyDeletevoipswitch
hosted voip pbx