Decoding an SMS message from the Log File

I’m trying to send a law enforcement investigator all SMS text messages that I received the other day. For whatever reason the SMS messages did not save locally to the computer, nor did they save to the SIM card. I immediately exported a log capture with activity from 8-26 through 9-1, and it appears the SMS texts are sort of there but currently in an encrypted type of form.

What is this form considered and is it relatively easy to decode? There’s about 100 SMS texts total.

  1. This is a snippet from the GobiApi-Skylight 2015-09-01_23.43.32.txt file which was under the main log capture’s /SwiApps/GobiApi Archived Logs.
GobiApi 22:30:34.977 1061.186669 0x00001ee4 t :   Message received from service type 2
GobiApi 22:30:34.977 1061.186800 0x00001ee4 i :   DMS: <<<<<-----
GobiApi 22:30:34.977 1061.186853 0x00001ee4 i :      02 2B 00 58 55 25 00 02 04 00 00 00 00 00 11 0C   .+.XU%..........
GobiApi 22:30:34.977 1061.186893 0x00001ee4 i :      00 25 0D 30 11 CC 10 E4 0C B8 0B 54 0B 10 0C 00   .%.0.......T....
GobiApi 22:30:34.977 1061.186917 0x00001ee4 i :      20 00 6C 00 5F 00 55 00 F1 FF E7 FF                .l._.U.....
GobiApi 22:30:34.977 1061.186968 0x00001ee4 t :   QmiService::HandleTransactionResponse
GobiApi 22:30:34.977 1061.187003 0x00001ee4 t :   Response ID: 43
GobiApi 22:30:34.977 1061.187027 0x00001ee4 t :   Outstanding transaction 0x05a05f08 - Request ID: 42
GobiApi 22:30:34.977 1061.187067 0x00001ee4 t :   Outstanding transaction 0x05a52ca0 - Request ID: 43
GobiApi 22:30:34.977 1061.187090 0x00001ee4 t :   Signal response
GobiApi 22:30:34.977 1061.187165 0x00001084 t :   Transaction response received, msgID 21848
GobiApi 22:30:34.977 1061.187210 0x00001084 h : - SwiGetEnvironment (Duration = 31ms - Total time = 78ms - Total calls = 2)
GobiApi 22:30:34.977 1061.187236 0x00001084 h : + GetServingNetwork
GobiApi 22:30:34.977 1061.187260 0x00001084 t :   Processing QmiTransaction: 0x05a52ca0
GobiApi 22:30:34.977 1061.187284 0x00001084 t :   TransactionId: 21
GobiApi 22:30:34.977 1061.187307 0x00001084 i :   NAS: ----->>>>>
GobiApi 22:30:34.977 1061.187330 0x00001084 i :      00 15 00 24 00 00 00                              ...$...
GobiApi 22:30:34.977 1061.187370 0x00001084 t :   Waiting for response
GobiApi 22:30:34.977 1061.187401 0x00001f20 i :   HSM_EXT_MUX: Ready E_SetCommand
GobiApi 22:30:34.980 1061.190463 0x00001ee4 t :   Message received from service type 2
GobiApi 22:30:34.981 1061.190555 0x00001ee4 i :   DMS: <<<<<-----
GobiApi 22:30:34.981 1061.190594 0x00001ee4 i :      02 2A 00 24 00 33 00 02 04 00 00 00 00 00 01 0B   .*.$.3..........
GobiApi 22:30:34.981 1061.190630 0x00001ee4 i :      00 31 38 30 34 32 34 33 36 31 33 34 11 1B 00 33   .18042436134...3
GobiApi 22:30:34.981 1061.190665 0x00001ee4 i :      31 30 32 36 30 31 31 35 38 34 36 39 33 30 30 30   1026011584693000
GobiApi 22:30:34.981 1061.190700 0x00001ee4 i :      30 30 30 30 30 30 30 30 30 30                     0000000000
GobiApi 22:30:34.981 1061.190735 0x00001ee4 t :   QmiService::HandleTransactionResponse
GobiApi 22:30:34.981 1061.190768 0x00001ee4 t :   Response ID: 42
GobiApi 22:30:34.981 1061.190802 0x00001ee4 t :   Outstanding transaction 0x05a05f08 - Request ID: 42
GobiApi 22:30:34.981 1061.190835 0x00001ee4 t :   Signal response
GobiApi 22:30:34.981 1061.190926 0x00001418 t :   Transaction response received, msgID 36
GobiApi 22:30:34.981 1061.190987 0x00001418 i :   IMSI pointer is NULL
GobiApi 22:30:34.981 1061.191028 0x00001418 h : - GetVoiceNumber (Duration = 62ms - Total time = 110ms - Total calls = 3)
GobiApi 22:30:34.996 1061.206409 0x00001ee4 t :   Message received from service type 6
GobiApi 22:30:34.997 1061.206553 0x00001ee4 i :   PDS: <<<<<-----
GobiApi 22:30:34.997 1061.206618 0x00001ee4 i :      04 07 00 60 00 00 00                              ...`...
GobiApi 22:30:35.000 1061.210558 0x00001ee4 t :   Message received from service type 2
GobiApi 22:30:35.001 1061.210809 0x00001ee4 i :   DMS: <<<<<-----
GobiApi 22:30:35.001 1061.210962 0x00001ee4 i :      02 2C 00 22 00 10 00 02 04 00 00 00 00 00 01 06   .,."............
GobiApi 22:30:35.001 1061.211074 0x00001ee4 i :      00 45 4D 37 33 35 35                              .EM7355
GobiApi 22:30:35.001 1061.211180 0x00001ee4 t :   QmiService::HandleTransactionResponse
GobiApi 22:30:35.001 1061.211273 0x00001ee4 t :   Response ID: 44
GobiApi 22:30:35.001 1061.211374 0x00001ee4 t :   Outstanding transaction 0x05a5a0f8 - Request ID: 44
GobiApi 22:30:35.001 1061.211469 0x00001ee4 t :   Signal response
GobiApi 22:30:35.002 1061.211589 0x00000ba0 t :   Transaction response received, msgID 34
GobiApi 22:30:35.002 1061.211739 0x00000ba0 h : - GetModelID (Duration = 47ms - Total time = 93ms - Total calls = 4)
GobiApi 22:30:35.002 1061.211971 0x00000ba0 h : + SwiGetProfileList
GobiApi 22:30:35.002 1061.212033 0x00000ba0 t :   Processing QmiTransaction: 0x05a5a0f8
GobiApi 22:30:35.002 1061.212093 0x00000ba0 t :   TransactionId: 4
GobiApi 22:30:35.002 1061.212190 0x00000ba0 i :   WDS: ----->>>>>
GobiApi 22:30:35.002 1061.212286 0x00000ba0 i :      00 04 00 2A 00 04 00 10 01 00 00                  ...*.......
GobiApi 22:30:35.002 1061.212400 0x00000ba0 t :   Waiting for response
GobiApi 22:30:35.002 1061.212523 0x00001f20 i :   HSM_EXT_MUX: Ready E_SetCommand
GobiApi 22:30:35.005 1061.215148 0x00001ee4 t :   Message received from service type 3
GobiApi 22:30:35.005 1061.215412 0x00001ee4 i :   NAS: <<<<<-----
GobiApi 22:30:35.005 1061.215558 0x00001ee4 i :      02 14 00 24 00 58 00 02 04 00 00 00 00 00 27 05   ...$.X........'.
GobiApi 22:30:35.006 1061.215655 0x00001ee4 i :      00 36 01 04 01 01 24 02 00 02 54 21 05 00 02 03   .6....$...T!....
GobiApi 22:30:35.006 1061.215770 0x00001ee4 i :      00 01 00 1D 04 00 02 4E B1 00 1C 02 00 FE FF 1B   .......N........
GobiApi 22:30:35.006 1061.215858 0x00001ee4 i :      01 00 01 1A 01 00 F0 15 03 00 01 08 01 12 0D 00   ................
GobiApi 22:30:35.006 1061.215919 0x00001ee4 i :      36 01 04 01 08 54 2D 4D 6F 62 69 6C 65 11 02 00   6....T-Mobile...
GobiApi 22:30:35.006 1061.215978 0x00001ee4 i :      01 0B 10 01 00 01 01 06 00 01 01 01 02 01 08      ...............
GobiApi 22:30:35.006 1061.216033 0x00001ee4 t :   QmiService::HandleTransactionResponse
GobiApi 22:30:35.006 1061.216087 0x00001ee4 t :   Response ID: 20
GobiApi 22:30:35.006 1061.216144 0x00001ee4 t :   Outstanding transaction 0x05a2ceb0 - Request ID: 20
GobiApi 22:30:35.006 1061.216197 0x00001ee4 t :   Signal response
GobiApi 22:30:35.006 1061.216327 0x00001384 t :   Transaction response received, msgID 36
GobiApi 22:30:35.006 1061.216469 0x00001384 t :   Returning RegState: 1 Roaming: 1 MCC: 310 MNC: 260 Network: T-Mobile
GobiApi 22:30:35.006 1061.216547 0x00001384 h : - GetServingNetwork (Duration = 31ms - Total time = 47ms - Total calls = 2)
  2. If there’s a better place to be trying to dig up these SMS messages please let me know. I looked under what I thought would be the most likely place for a temporary SMS cache file to live, e.g. /Users/username/AppData/…

  3. Is there a better program I can use that can receive SMS texts like SMS Express can but will actually save them and give you more features?

Thanks in advance for the help, and sorry if this has been answered, but I did a few searches around this forum and didn’t find anything.

The hex data are QMI messages without the QMUX header, and are trivial to decode if you have the spec. The Qualcomm docs are not publicly available, but the open source they contributed through the Code Aurora project is. The libqmi project is a good reference, having both the original Code Aurora source and the extracted protocol data in JSON format: freedesktop.org/wiki/Software/libqmi/

The interesting part of QMUX is already decoded, so it isn’t any problem that this is missing: we know that the service is DMS. There is also some redundant decoded info there - the transaction (response) ID is bytes 2 and 3 in little endian: 0x002B = 43.

The next 2 bytes are the message ID (all multibyte numbers are in LE): 0x5558. I believe this is a vendor-specific message (standard messages have much lower IDs), so we don’t have any docs for it. But we can still figure out something based on the message structure. The 2 bytes following the message ID give the length of the rest of the message (TLV data). And as you can see, there are exactly 0x0025 = 37 remaining bytes after the length. Those remaining bytes are a sequence of TLVs having 1 type byte, 2 length bytes and type-specific data.

So the first TLV is “02 04 00 00 00 00 00”. This type 0x02 TLV is special, having the same meaning in most QMI messages. It always has length = 4, divided into a 2-byte status and a 2-byte error code. All zeroes, as here, means “success”. You should see this pattern in most QMI responses, and it is a great way to figure out where the message starts and ends, as it is usually (always?) the first TLV.

Then there are two message-specific TLVs, both with 12 bytes of data: 0x11 and 0x10. I don’t know the meaning of those. You’d need the spec of DMS message 0x5558 for that.

But decoding messages with SMS data this way should be possible. Those messages are standard, so you can use libqmi as a reference. Look for “WMS”, not “DMS”. DMS is for device management and is useless for your purpose. WMS is the service dealing with SMS. If you find any WMS message ID 0x0022 responses in the log, then those are good candidates.

Note that the actual message data is most likely coded as 7-bit GSM PDUs, so you’ll have to decode that further after having extracted it from the log. But there are tools for that.
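As an added, runnable illustration of the decoding steps in the answer above (this is example code written for this page, not code from the original thread or from libqmi): the script below pulls the hex-dump lines out of a GobiApi log, groups them into messages at the "DMS: <<<<<-----" style marker lines, parses the header exactly as described (1-byte control flags, then little-endian transaction ID, message ID and TLV length), walks the type/length/value triples, checks the 0x02 result TLV, and finally unpacks GSM 7-bit packed text, which is the step the last paragraph leaves to "tools". The sample log lines are copied from the snippet in the question; the 7-bit sample (the classic "hellohello" packed as E8329BFD4697D9EC37) is a constructed input, since the snippet contains no WMS dumps. Two things are assumptions taken from outside the thread: the control-flag bit assignments (0x02 = response, 0x04 = indication, as libqmi defines them for non-CTL services, which matches the 00/02/04 first bytes visible in the log), and the GSM 03.38 default alphabet table (basic table only; the escape-sequence extension table is not handled).

```python
"""Decode QMI SDUs from a GobiApi hex-dump log and unpack GSM 7-bit text.
Added example for this thread; not code from the original post or from libqmi."""
import re
import struct

# Constructed sample: dumps copied from the log snippet in the question (a DMS response,
# a PDS unsolicited indication, and the DMS response the log labels GetModelID).
SAMPLE_LOG = """\
GobiApi 22:30:34.977 1061.186800 0x00001ee4 i :   DMS: <<<<<-----
GobiApi 22:30:34.977 1061.186853 0x00001ee4 i :      02 2B 00 58 55 25 00 02 04 00 00 00 00 00 11 0C   .+.XU%..........
GobiApi 22:30:34.977 1061.186893 0x00001ee4 i :      00 25 0D 30 11 CC 10 E4 0C B8 0B 54 0B 10 0C 00   .%.0.......T....
GobiApi 22:30:34.977 1061.186917 0x00001ee4 i :      20 00 6C 00 5F 00 55 00 F1 FF E7 FF                .l._.U.....
GobiApi 22:30:34.977 1061.186968 0x00001ee4 t :   QmiService::HandleTransactionResponse
GobiApi 22:30:34.997 1061.206553 0x00001ee4 i :   PDS: <<<<<-----
GobiApi 22:30:34.997 1061.206618 0x00001ee4 i :      04 07 00 60 00 00 00                              ...`...
GobiApi 22:30:35.001 1061.210809 0x00001ee4 i :   DMS: <<<<<-----
GobiApi 22:30:35.001 1061.210962 0x00001ee4 i :      02 2C 00 22 00 10 00 02 04 00 00 00 00 00 01 06   .,."............
GobiApi 22:30:35.001 1061.211074 0x00001ee4 i :      00 45 4D 37 33 35 35                              .EM7355
"""

MARKER_RE = re.compile(r"i :\s+([A-Z_]+): (<<<<<-----|----->>>>>)")  # e.g. "DMS: <<<<<-----"
HEX_RE = re.compile(r"i :\s+((?:[0-9A-F]{2} )*[0-9A-F]{2})(?:\s{2,}|\s*$)")  # hex column only

def extract_messages(log_text):
    """Group consecutive hex-dump lines into raw SDUs. A 'SVC: <<<<<-----' (from modem) or
    'SVC: ----->>>>>' (to modem) line opens a message; the first non-hex line closes it."""
    messages, current = [], None
    for line in log_text.splitlines():
        marker = MARKER_RE.search(line)
        if marker:
            if current and current["raw"]:
                messages.append(current)
            current = {"service": marker.group(1),
                       "from_modem": marker.group(2) == "<<<<<-----", "raw": bytearray()}
            continue
        hexpart = HEX_RE.search(line)
        if hexpart and current is not None:
            current["raw"] += bytes.fromhex(hexpart.group(1).replace(" ", ""))
        elif current and current["raw"]:
            messages.append(current)
            current = None
    if current and current["raw"]:
        messages.append(current)
    return messages

def parse_qmi(raw):
    """Non-CTL QMI SDU without QMUX header: ctrl(1) txn(2) msg_id(2) tlv_len(2), then TLVs of
    type(1) len(2) value. Multi-byte fields are LE. Flag bits as in libqmi (assumption):
    0x02 = response, 0x04 = indication; plain requests carry 0x00."""
    if len(raw) < 7:
        raise ValueError("SDU shorter than the 7-byte QMI header")
    ctrl, txn, msg_id, length = struct.unpack_from("<BHHH", raw, 0)
    body = raw[7:]
    if len(body) != length:
        raise ValueError(f"length field says {length} TLV bytes but the dump has {len(body)}")
    tlvs, off = {}, 0
    while off < len(body):
        ttype, tlen = struct.unpack_from("<BH", body, off)  # struct.error if header is cut off
        value = body[off + 3:off + 3 + tlen]
        if len(value) != tlen:
            raise ValueError(f"TLV 0x{ttype:02X} claims {tlen} bytes, only {len(value)} left")
        tlvs[ttype] = bytes(value)
        off += 3 + tlen
    return {"response": bool(ctrl & 0x02), "indication": bool(ctrl & 0x04),
            "txn": txn, "msg_id": msg_id, "tlvs": tlvs}

def result_tlv(tlvs):
    """TLV 0x02 of a response: 2-byte status + 2-byte error code; (0, 0) means success."""
    value = tlvs.get(0x02)
    if value is None or len(value) != 4:
        return None
    return struct.unpack("<HH", value)

def decode_log(log_text):
    """Every dumped SDU in the log, parsed, with the service name the log already decoded."""
    return [{"service": m["service"], "from_modem": m["from_modem"], **parse_qmi(m["raw"])}
            for m in extract_messages(log_text)]

# GSM 03.38 default 7-bit alphabet, basic table only (ESC 0x1B extension pairs not handled).
GSM7_BASIC = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
              "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")

def unpack_gsm7(packed, septets=None):
    """Unpack septets packed LSB-first into octets. `septets` is the PDU's TP-UDL; by
    default take as many whole septets as fit in the bytes."""
    if septets is None:
        septets = len(packed) * 8 // 7
    chars = []
    for i in range(septets):
        idx, shift = divmod(7 * i, 8)
        value = packed[idx] >> shift
        if shift > 1 and idx + 1 < len(packed):  # septet straddles two octets
            value |= packed[idx + 1] << (8 - shift)
        chars.append(GSM7_BASIC[value & 0x7F])
    return "".join(chars)

if __name__ == "__main__":
    for m in decode_log(SAMPLE_LOG):
        kind = "indication" if m["indication"] else "response" if m["response"] else "request"
        tlv_str = ", ".join(f"0x{t:02X}={v.hex()}" for t, v in m["tlvs"].items())
        print(f"{m['service']} {kind} txn={m['txn']} msg_id=0x{m['msg_id']:04X} "
              f"result={result_tlv(m['tlvs'])} tlvs=[{tlv_str}]")
    print(unpack_gsm7(bytes.fromhex("E8329BFD4697D9EC37")))  # constructed sample, not from the log
```

To use it on the real capture, read the whole GobiApi-Skylight file into `decode_log` and keep the entries with `service == "WMS"` and `msg_id == 0x0022`, as the answer suggests; which TLV of that response carries the raw SMS, and how the PDU inside it is laid out, you take from libqmi's WMS definitions, and only the user-data part of that PDU (after its address fields, TP-UDL and any user-data header) goes into `unpack_gsm7`. Note that the length-field check in `parse_qmi` is what tells you whether you have copied a complete dump; a `ValueError` there usually means a line was missed or two messages were run together.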