Analyzing Carrier IQ Profiles
As we explained in our post on Carrier IQ's architecture, one of the main factors in determining what the Carrier IQ stack does on a particular phone is the "Profile" that is running on that device. Profiles are files that are typically written by Carrier IQ Inc. to the specifications of a phone company or other client, and pushed to the phone by Carrier IQ Inc. using its own command and control infrastructure. Profiles contain instructions about what data to collect, how to aggregate it, and where to send it.
To create transparency for the public that has been monitored by the more intrusive variants of this software, we will need a comprehensive library of these Profiles, and to know which ones were pushed to which phones at what times. Profiles are stored in different locations in different versions of the Carrier IQ software, and in many cases, a phone may need to be jailbroken or rooted before the profile can be extracted.
If you have a rooted/jailbroken phone, and can find a Profile on it, please send us 1) a copy of the Profile, 2) which phone and network it was from, and 3) where on the phone's file system you found it. You can send us this information in an email at email@example.com or in a git remote we can pull from. [UPDATE: there is a thread at xda-developers.org discussing possible methods for finding profiles on phones]
How to read a Carrier IQ Profile
On casual inspection, Carrier IQ Profiles are a mixture of binary data and legible code (example). EFF volunteer Jered Wierzbicki reverse engineered the file format and has written a program for parsing it called IQIQ, which we are presenting for the first time here. The binary file format is WBXML with a custom DTD. The code in the Profiles is written in Forth (if you would like a quick reference on the language, this one is good).
IQIQ transforms Carrier IQ Profiles from WBXML to human-readable XML. You can browse the source code to it online, or fetch it with git:
git clone https://git.eff.org/public/iqiq.git
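To make the WBXML-to-XML step concrete, the decoder below is an added example written for this article; it is not IQIQ's code and it does not use Carrier IQ's DTD. WBXML carries a short header (version, public identifier, charset, string table), followed by a token stream in which each tag byte encodes a tag code plus two flag bits for "has attributes" and "has content", with inline strings, string-table references and opaque binary blobs interleaved. The TAGS and ATTR_STARTS tables are a constructed toy DTD, and SAMPLE is a constructed document, both labelled as such in the comments. Because a profile is an untrusted input pulled off a phone, every read is bounds-checked and malformed input raises WbxmlError instead of indexing past the buffer.

```python
import xml.etree.ElementTree as ET

# Global WBXML tokens (WAP Binary XML specification)
SWITCH_PAGE, END, ENTITY, STR_I, LITERAL, STR_T, OPAQUE = 0x00, 0x01, 0x02, 0x03, 0x04, 0x83, 0xC3
HAS_ATTRS, HAS_CONTENT = 0x80, 0x40

# Constructed toy DTD (assumption, not Carrier IQ's): code page -> tag codes / attribute-start codes
TAGS = {0: {0x05: "profile", 0x06: "metric", 0x07: "code"}}
ATTR_STARTS = {0: {0x05: "id", 0x06: "type"}}


class WbxmlError(ValueError):
    """Raised on malformed input; a decoder for untrusted files must never read past the buffer."""


class WbxmlDecoder:
    def __init__(self, data: bytes):
        self.data, self.pos, self.page, self.strtab = data, 0, 0, b""

    def peek(self) -> int:
        if self.pos >= len(self.data):
            raise WbxmlError("unexpected end of data")
        return self.data[self.pos]

    def byte(self) -> int:
        b = self.peek()
        self.pos += 1
        return b

    def mb_uint32(self) -> int:
        # Multi-byte integer: 7 payload bits per byte, high bit set on all but the last byte
        value = 0
        for _ in range(5):
            b = self.byte()
            value = (value << 7) | (b & 0x7F)
            if not b & 0x80:
                return value
        raise WbxmlError("mb_u_int32 longer than 5 bytes")

    def inline_string(self) -> str:          # STR_I: NUL-terminated UTF-8 in the token stream
        end = self.data.find(b"\x00", self.pos)
        if end < 0:
            raise WbxmlError("unterminated inline string")
        s, self.pos = self.data[self.pos:end].decode("utf-8"), end + 1
        return s

    def table_string(self) -> str:           # STR_T / LITERAL: offset into the string table
        off = self.mb_uint32()
        end = self.strtab.find(b"\x00", off) if off < len(self.strtab) else -1
        if end < 0:
            raise WbxmlError("bad string table reference")
        return self.strtab[off:end].decode("utf-8")

    def decode(self) -> ET.Element:
        for _ in range(3):                   # version, public id, charset (UTF-8 assumed here)
            self.mb_uint32()
        n = self.mb_uint32()                 # string table length
        if self.pos + n > len(self.data):
            raise WbxmlError("string table overruns data")
        self.strtab, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        root = self.element()
        if self.pos != len(self.data):
            raise WbxmlError("trailing bytes after document")
        return root

    def element(self) -> ET.Element:
        tok = self.byte()
        while tok == SWITCH_PAGE:            # a code-page switch precedes the tag it applies to
            self.page, tok = self.byte(), self.byte()
        code = tok & 0x3F
        name = self.table_string() if code == LITERAL else TAGS.get(self.page, {}).get(code)
        if name is None:
            raise WbxmlError(f"unknown tag 0x{code:02x} on code page {self.page}")
        el = ET.Element(name)
        if tok & HAS_ATTRS:
            self.attributes(el)
        if tok & HAS_CONTENT:
            self.content(el)
        return el

    def attributes(self, el: ET.Element) -> None:
        name, value = None, []
        while True:
            tok = self.byte()
            if tok == END:
                break
            if tok in (STR_I, STR_T):        # value fragments append to the current attribute
                if name is None:
                    raise WbxmlError("attribute value before attribute name")
                value.append(self.inline_string() if tok == STR_I else self.table_string())
                continue
            if name is not None:
                el.set(name, "".join(value))
            value = []
            name = self.table_string() if tok == LITERAL else ATTR_STARTS.get(self.page, {}).get(tok)
            if name is None:
                raise WbxmlError(f"unknown attribute start 0x{tok:02x}")
        if name is not None:
            el.set(name, "".join(value))

    def content(self, el: ET.Element) -> None:
        last = None                          # last child, so trailing text lands in its .tail
        while True:
            tok = self.peek()
            if tok == END:
                self.pos += 1
                return
            if tok in (STR_I, STR_T, ENTITY):
                self.pos += 1
                text = {STR_I: self.inline_string, STR_T: self.table_string,
                        ENTITY: lambda: chr(self.mb_uint32())}[tok]()
                if last is None:
                    el.text = (el.text or "") + text
                else:
                    last.tail = (last.tail or "") + text
            elif tok == OPAQUE:              # binary blob: length-prefixed, rendered here as hex
                self.pos += 1
                n = self.mb_uint32()
                if self.pos + n > len(self.data):
                    raise WbxmlError("opaque data overruns document")
                last = ET.SubElement(el, "opaque")
                last.text, self.pos = self.data[self.pos:self.pos + n].hex(), self.pos + n
            else:
                last = self.element()
                el.append(last)


def wbxml_to_xml(data: bytes) -> str:
    return ET.tostring(WbxmlDecoder(data).decode(), encoding="unicode")


def decodes_cleanly(data: bytes) -> bool:
    try:
        wbxml_to_xml(data)
        return True
    except WbxmlError:
        return False


# Constructed sample document (not a real Carrier IQ profile):
#   <profile id="example-profile"><metric>cellid</metric><code>{3 opaque bytes}</code></profile>
SAMPLE = (
    b"\x03\x01\x6a"                            # WBXML 1.3, unknown public id, UTF-8
    + b"\x07cellid\x00"                        # string table: "cellid"
    + b"\xc5\x05\x03example-profile\x00\x01"   # <profile id=STR_I ...> (attrs + content flags)
    + b"\x46\x83\x00\x01"                      # <metric>STR_T[0]</metric>
    + b"\x47\xc3\x03\x01\x02\x03\x01"          # <code>OPAQUE(3 bytes)</code>
    + b"\x01"                                  # </profile>
)

if __name__ == "__main__":
    print(wbxml_to_xml(SAMPLE))
```

Running the block prints the sample rendered as XML. The bounds checks matter more than they look: a crafted string-table offset or opaque length is exactly the kind of field that a naive decoder would use as an unchecked slice bound, so the two negative cases (a truncated document and trailing garbage) are treated as errors rather than silently producing a plausible-looking tree.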
There are also some examples of default Profiles from some Android-derived smartphones, and an example of a commented version of the Forth code in one portion of the default T-Mobile Profile. That code appears to determine when Carrier IQ is active on those phones; it may also be buggy — if that is the case, it would have led to Carrier IQ being active when phones with T-Mobile SIMs were operating on non-T-Mobile US networks.
[Update 2011-12-21: The bug would only trigger if the phone's APN was also set to epc.tmobile.com, which should not happen on non-T-Mobile networks. So this bug would only cause transmissions on unintended T-Mobile networks, of which there may be none.]