
Can a GSM network operator access device firmware version?


Can a GSM network operator access the device firmware version?

As far as I know, they can read the IMSI and IMEI, or the extended IMEI, namely IMEI-SV, which encodes some sort of version numbering (but is not used by all manufacturers).

Can a telecommunication provider by any other means derive the firmware version of the modem or somehow query the devices?

Could AT commands be used? Can they be executed at scale to query a whole network with millions of devices (if this would give the firmware version number)?


Solution

  • Firstly, it's worth saying that most of the discussion below is related to mobile networks in general, rather than just a 'GSM' network.

    Most operators have networks that share and mix technology from '2G', '3G', '4G' etc. networks, and even these terms are not strict definitions (see this answer for some more background on the different generation networks and common naming: https://stackoverflow.com/a/25592213/334402 )

    3GPP, the standards body behind most mobile networks, has discussed device management, and there exist at least some drafts which cover details like firmware and OS version etc. - for example:

    The Open Mobile Alliance has also developed a specification for device management and this likely has more traction. You can see that the firmware version is included in the data covered in their specifications:

    The term firmware is also a little ambiguous - if what you want is a feel for the OS version of mobile phones, iPads etc. connecting to the network, you may be able to work at a higher level and look at the headers in HTTP requests from the devices, specifically at the User-Agent string. For example, a query from a browser on an iPhone might include:

    Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1

    (see more examples here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent)

    For modems in particular, it is also worth mentioning the TR-069 specification for managing CPE (Customer Premise Equipment). This spec is from the broadband world and is driven by ISPs' and broadband operators' need to manage wireless (and wired) modems in their customers' homes and premises. It is also built into some GSM modems, so it is worth being aware of - the spec is here:

    Note, links above are correct at time of writing - if broken just search for the spec numbers.
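
The two passive version signals mentioned on this page, the software version digits of the IMEI-SV and the OS token in a User-Agent header, can be extracted as in the following added example (not part of the original answer). It assumes the IMEISV layout from 3GPP TS 23.003 (8-digit TAC, 6-digit serial number, 2-digit SVN); the function names and sample values are constructed for illustration. The User-Agent is self-reported by the client, so the resulting inventory is only as trustworthy as the devices sending it.

```python
import re
from collections import Counter

# IMEISV layout (3GPP TS 23.003): 8-digit TAC, 6-digit serial, 2-digit SVN.
def split_imeisv(imeisv: str) -> dict:
    digits = re.sub(r"[\s-]", "", imeisv)  # tolerate common separators
    if not re.fullmatch(r"\d{16}", digits):
        raise ValueError("IMEISV must be exactly 16 decimal digits")
    return {"tac": digits[:8], "snr": digits[8:14], "svn": digits[14:]}

# OS tokens as they appear in common mobile User-Agent strings.
_UA_PATTERNS = [
    ("iOS", re.compile(r"\bCPU (?:iPhone )?OS (\d+(?:_\d+)*) like Mac OS X")),
    ("Android", re.compile(r"\bAndroid (\d+(?:\.\d+)*)")),
]

def os_from_user_agent(ua: str):
    """Return (os_name, version), or None when the UA has no known OS token."""
    for name, pattern in _UA_PATTERNS:
        m = pattern.search(ua)
        if m:
            return name, m.group(1).replace("_", ".")
    return None

def version_inventory(user_agents):
    """Count requests per (OS, version); unparseable UAs land in 'unknown'."""
    counts = Counter()
    for ua in user_agents:
        counts[os_from_user_agent(ua) or ("unknown", "")] += 1
    return counts

# Constructed sample input; the first UA is the one quoted in the answer.
SAMPLE_UAS = [
    "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) "
    "AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1",
    "Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36",
    "curl/7.58.0",
]
SAMPLE_IMEISV = "35-209900-123456-17"  # constructed value, not a real device

if __name__ == "__main__":
    print(split_imeisv(SAMPLE_IMEISV))
    for key, n in version_inventory(SAMPLE_UAS).items():
        print(key, n)
```

The SVN only identifies a software revision relative to the manufacturer's own numbering for that TAC, so mapping it to a firmware release requires vendor data that this example does not include.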