Buy a broadcom smartphone. Turn bluetooth off, and set it to airplane mode. Then Bluepwn your device, with bluetooth turned off.

Funny how airplane mode didn't work.

That's just one of the quirks. Baseband and what qualcomm is tracking is way worse.

I recommend buying an old Motorola Calypso device and fiddling with osmocomBB, you can DIY an IMSI catcher pretty easily. And you'll be mind blown how many class0 SMS you'll receive per day, just for tracking you. Back in the days you could track people's phones remotely but the popularity of HushSMS and other tools made cell providers block class0 SMS not sent by themselves.

This wiki article is a nice overview: https://github.com/CellularPrivacy/Android-IMSI-Catcher-Dete...

You made the assertion that basebands remain in contact with towers even in airplane mode, and so can be tracked. Someone asked for supporting evidence for that claim. You've responded with examples and links to different issues. It's a fairly extraordinary claim (it's not one I'd heard before - it's clear that other radios may remain alive for various purposes even when airplane mode is switched on, given that you can use wifi and bluetooth on planes, but you're the first person I've heard make this claim about the cellular radio), and you haven't provided any evidence to back it up at all.

Saying more words and then linking to a page from an IMSI catcher's wiki (where it doesn't talk about radio on/off states) isn't exactly "providing sources".

>Buy a broadcom smartphone. Turn bluetooth off, and set it to airplane mode. Then Bluepwn your device, with bluetooth turned off.

???

Baseband SoC running their own OS independent from Android/iOS and staying asleep (while still listening for incoming signals) is very much no longer in conspiracy theory territory and more an established fact now. I don't have the source at hand but it's in one of the standards. And the purpose is very clear: LEA like Interpol must be able to locate any IMEI at any point if in tower range, regardless of the power state of the "main" OS

Surely this is really easy to prove by putting a phone into an anechoic chamber and using a spectrum analyser to show that it's still TXing?

The phone isn't going to connect to a tower it cannot see.

It can't just scream out into the void and hope a tower picks it up, it needs a few pieces of timing information & cell configuration beforehand.

I don’t doubt SoCs have their own micro-OS, but I too would love to see a reliable source showing phones connect to towers when powered off. Wouldn’t this, at a minimum, violate FAA/EASA rules? Google tells me the cellular radio in an iPhone has no power when in airplane mode or when off.

Even in airplane mode?

I dare you to do the following:

Charge phone to full 100%. Turn it off.

Put it into a faraday cage, e.g. a steel box, for 7 days.

Take it out again and wonder why the battery is empty.

(The faraday cage has the effect of making the modem have to switch bands constantly, which costs more electricity than sleep mode in LTE)

Interesting, but you should probably use a control. Two phones, same hardware, same software. One inside the faraday cage, one outside, both in the same room with the same conditions otherwise.

Repeat the experiment a few times. Then cross over: liberate the caged phone, cage the free phone, and repeat the experiment a few more times. Or alternate the phones' positions between experiments. This mitigates hardware and software differences that might've been overlooked (such as a faulty battery, etc).

Analyze the results, draw your conclusions, publish, and encourage others to reproduce.

It would still be simpler for you to link to a credible source. A bit strange that you seem uninterested in doing so, and prefer to tell people to do their own experiments, in this case one that requires an extra phone and a week of time.

Batteries naturally drain slowly when not used. What would this little experiment prove, exactly?