210 lines
9.7 KiB
Plaintext
210 lines
9.7 KiB
Plaintext
|
<20>Ŀ <20>Ŀ 3-FEB-89
|
|||
|
|
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ<EFBFBD><CDBB><EFBFBD>
|
|||
|
|
<20>Ķ THE DNA BOX <20><><EFBFBD>
|
|||
|
|
<20><><EFBFBD><EFBFBD>Ķ Hacking Cellular Phones <20><><EFBFBD><EFBFBD>Ŀ
|
|||
|
|
<20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ѽ <20><><EFBFBD>
|
|||
|
|
<20><><EFBFBD> ' ` ' ` ' ` ' ` ' ` ' ` ' <20><><EFBFBD>
|
|||
|
|
<EFBFBD> P A R T F O U R <20>
|
|||
|
|
<EFBFBD> <20>
|
|||
|
|
<EFBFBD> T H E N U M B E R O F T H E B E A S T <20>
|
|||
|
|
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
Preliminary technical info about the AMPS (Advanced Mobile Phone System).
|
|||
|
|
|
|||
|
|
MOBILE TELEPHONE SWITCHING OFFICE (MTSO)
|
|||
|
|
Cell Control Sites (Towers) are connected to the Mobile Telephone Switching
|
|||
|
|
Office (MTSO) by a pair of 9600 baud data lines, one of which is a backup.
|
|||
|
|
The MTSO routes calls, controls and coordinates the cell sites (especially
|
|||
|
|
during handoffs as a mobile phone moves from one cell to another while a
|
|||
|
|
call is in progress), and connects to a Central Office (CO) of the local
|
|||
|
|
telephone company via voice lines.
|
|||
|
|
There is some indication that an MTSO may be re-programmed and otherwise
|
|||
|
|
hacked via standard phone lines using a personal computer/modem.
|
|||
|
|
|
|||
|
|
NUMERIC ASSIGNMENT MODULE (NAM)
|
|||
|
|
There is a PROM chip in every cellular phone that holds the phone number (MIN)
|
|||
|
|
assigned to it. This is the "Numerical Assignment Module" or NAM. Schematics
|
|||
|
|
and block diagrams occasionally call this the "ID PROM". The NAM also
|
|||
|
|
holds the serial number (ESN) of the cellular phone, and the system ID (SID)
|
|||
|
|
of the mobile phone's home system.
|
|||
|
|
By encoding new PROM chips (or re-programming EPROM chips) and swapping them
|
|||
|
|
with the originals, a cellular phone can be made to take on a new identity.
|
|||
|
|
It is possible to make a circuit board with a bank of PROMs that
|
|||
|
|
plugs into the NAM socket, and allows quick switching between several
|
|||
|
|
phone ID's. It's even feasible to emulate the behavior of a PROM with
|
|||
|
|
dual-port RAM chips, which can be instantly updated by a laptop computer.
|
|||
|
|
|
|||
|
|
A photograph of a "BYTEK S1-KX NAM Multiprogrammer" suggests that this
|
|||
|
|
"sophisticated piece of equipment" is merely a relabled generic PROM burner.
|
|||
|
|
|
|||
|
|
==============================================================================
|
|||
|
|
MOBILE IDENTIFICATION NUMBER (MIN)
|
|||
|
|
The published explanations of how to compute this number all contain
|
|||
|
|
deliberate errors, probably for the purpose of thwarting phreaks and people
|
|||
|
|
attempting to change the serial numbers and ID codes of stolen phones.
|
|||
|
|
Even the arithmetic is wrong in some published examples!
|
|||
|
|
Until the FCC/IEEE spec is available (a trip is planned to a university
|
|||
|
|
engineering library) the following is almost certainly the way that MIN is
|
|||
|
|
computed, taking into consideration how such codings are done elsewhere,
|
|||
|
|
comparing notes and tables from a variety of sources, and using common sense.
|
|||
|
|
|
|||
|
|
A BASIC program (MIN.BAS) that computes MINs from phone numbers is being
|
|||
|
|
distributed with this file.
|
|||
|
|
|
|||
|
|
There are two parts to the 34-bit MIN.
|
|||
|
|
They are derived from a cellular phone number as follows:
|
|||
|
|
|
|||
|
|
-------------------------------------------------------------------
|
|||
|
|
MIN2 - a ten bit number representing the area code.
|
|||
|
|
|
|||
|
|
Look up the three digits of area code in the following table:
|
|||
|
|
|
|||
|
|
Phone Digit: 1 2 3 4 5 6 7 8 9 0
|
|||
|
|
Coded Digit: 0 1 2 3 4 5 6 7 8 9
|
|||
|
|
|
|||
|
|
(Or just add 9 to a digit and use the right digit of the result)
|
|||
|
|
|
|||
|
|
Then convert that number to a 10-digit binary number:
|
|||
|
|
|
|||
|
|
For example, for the (213) area code, MIN2 would be 102,
|
|||
|
|
which expressed as a 10-digit binary number would be 0001100110.
|
|||
|
|
|
|||
|
|
Area Code = 213 (get Area Code)
|
|||
|
|
102 (add 9 to each digit modulo 10, or use table)
|
|||
|
|
MIN2 = 0001100110 (convert to binary)
|
|||
|
|
---------------------------------------------------------------------------
|
|||
|
|
MIN1 - a 24 bit number representing the 7-digit phone number.
|
|||
|
|
|
|||
|
|
The first ten bits of MIN1 are computed the same way as MIN2, only
|
|||
|
|
the next 3 digits of the phone number are used.
|
|||
|
|
The middle four bits of MIN1 are simply the fourth digit of the phone number
|
|||
|
|
expressed in binary (Remember; a "0" becomes a "10").
|
|||
|
|
The last next ten bits of MIN1 are encoded using the final three digits of
|
|||
|
|
the phone number in the same way.
|
|||
|
|
|
|||
|
|
So, MIN1 for 376-0111 would be:
|
|||
|
|
|
|||
|
|
(get Phone Number) 376 0 111
|
|||
|
|
(modify digits where appropriate) 265 (10) 000
|
|||
|
|
(convert each part to a binary number) 0100001001 1010 0000000000
|
|||
|
|
---------------------------------------------------------------------------
|
|||
|
|
|
|||
|
|
Thus the complete 34-bit Mobile Identification Number for (213)376-0111 is:
|
|||
|
|
|
|||
|
|
376 0 111 213
|
|||
|
|
________ __ ________ ________
|
|||
|
|
/ \/ \/ \/ \
|
|||
|
|
MIN = 0100001001101000000000000001100110
|
|||
|
|
\______________________/\________/
|
|||
|
|
MIN1 MIN2
|
|||
|
|
|
|||
|
|
----------------------------------------------------------------------------
|
|||
|
|
|
|||
|
|
ELECTRONIC SERVICE NUMBER (ESN)
|
|||
|
|
The serial number for each phone is encoded as a 32 bit binary number.
|
|||
|
|
|
|||
|
|
Available evidence suggests that the ESN is an 8-digit hexadecimal
|
|||
|
|
number, which is encoded directly to binary:
|
|||
|
|
|
|||
|
|
Serial Number = 821A056F
|
|||
|
|
Digits = 8 2 1 A 0 5 6 F
|
|||
|
|
ESN = 0001 0001 0001 1010 0000 0101 0110 1111
|
|||
|
|
|
|||
|
|
Here is a table for converting Hexadecimal to Binary:
|
|||
|
|
|
|||
|
|
Hex Binary Hex Binary Hex Binary Hex Binary
|
|||
|
|
--- ------ --- ------ --- ------ --- ------
|
|||
|
|
0 0000 4 0100 8 1000 C 1100
|
|||
|
|
1 0001 5 0101 9 1001 D 1101
|
|||
|
|
2 0010 6 0110 A 1010 E 1110
|
|||
|
|
3 0011 7 0111 B 1011 F 1111
|
|||
|
|
|
|||
|
|
----------------------------------------------------------------------------
|
|||
|
|
SYSTEM IDENTIFICATION (SID)
|
|||
|
|
A 15 bit binary number representing a mobile phone's home cellular system.
|
|||
|
|
|
|||
|
|
============================================================================
|
|||
|
|
|
|||
|
|
---------------------CELLULAR PHONE FREQUENCIES-----------------------------
|
|||
|
|
Here, again, are the frequency range assignments for Cellular Telephones:
|
|||
|
|
|
|||
|
|
Repeater Input (Phone transmissions) 825.030 - 844.980 Megahertz
|
|||
|
|
Repeater Output (Tower transmissions) 870.030 - 889.980 Megahertz
|
|||
|
|
|
|||
|
|
There are 666 Channels. Phones transmit 45 MHz below the corresponding
|
|||
|
|
Tower channel. The channels are spaced every 30 KHz.
|
|||
|
|
|
|||
|
|
These channels are divided into "Nonwireline" (A) and "Wireline" (B) services.
|
|||
|
|
|
|||
|
|
Nonwireline (A) service uses the 825-835/870-880 frequencies (channels 1-333)
|
|||
|
|
Wireline (B) service uses the 835-845/880-890 frequencies (channels 334-666)
|
|||
|
|
|
|||
|
|
A channel is either dedicated to control signals, or to voice signals.
|
|||
|
|
Digital message streams are sent on both types of channels, however.
|
|||
|
|
|
|||
|
|
There are 21 control channels for each service.
|
|||
|
|
|
|||
|
|
Non-Wireline (A) control channels are located in the frequency ranges
|
|||
|
|
834.39 - 834.99 and 879.39 - 879.99 (channels 312 - 333 )
|
|||
|
|
|
|||
|
|
Wireline (B) control channels are located in the frequency ranges
|
|||
|
|
835.02 - 835.62 and 880.02 - 880.62 (channels 334 - 355)
|
|||
|
|
|
|||
|
|
The new 998 channel systems use 332 additional channels in the ranges
|
|||
|
|
821-825/866-870 and 845-851/890-896.
|
|||
|
|
|
|||
|
|
Cell Control Sites (Towers) are connected to an MTSO (Mobile Telephone
|
|||
|
|
Switching Office) which connects the cellular system to a Central Office (CO)
|
|||
|
|
of a conventional telephone system.
|
|||
|
|
|
|||
|
|
Each Cell Control Site uses a maximum of 16 channels, up to 4 of which
|
|||
|
|
may be control channels. There will always be at least 1 control channel
|
|||
|
|
available in each cell. Cellular Towers are easily identified by the
|
|||
|
|
flat triangular platforms at the top of the mast, with short vertical
|
|||
|
|
antennas at each corner of the platform.
|
|||
|
|
|
|||
|
|
Most UHF Televisions and cable-ready VCR's are capable of monitoring
|
|||
|
|
Cellular Phone channels. Try tuning between UHF TV channels 72 - 76 for
|
|||
|
|
mobile phones, and between UHF TV channels 79 - 83 for towers.
|
|||
|
|
-----------------------------------------------------------------------------
|
|||
|
|
|
|||
|
|
SUPERVISORY AUDIO TONE (SAT)
|
|||
|
|
A mobile phone must be able to recognize and retransmit any of the
|
|||
|
|
three audio frequencies used as SAT's.
|
|||
|
|
|
|||
|
|
These tones (and their binary codes) are:
|
|||
|
|
(00) 5970 Hz
|
|||
|
|
(01) 6000 Hz
|
|||
|
|
(10) 6030 Hz
|
|||
|
|
|
|||
|
|
The SAT is used during signaling, but not during data transmission.
|
|||
|
|
The binary codes are sent during data transmission to control which of the
|
|||
|
|
SAT tones a mobile phone will be using.
|
|||
|
|
Each cell site (or tower) uses only one of the three SATs. The mobile
|
|||
|
|
transmitter returns that same SAT to the tower.
|
|||
|
|
Tone recognition must take place within 250 milliseconds.
|
|||
|
|
|
|||
|
|
SIGNALING TONE (ST)
|
|||
|
|
A 10 KHz tone is used for signaling by mobile phones during alert, handoff,
|
|||
|
|
certain service requests, and diconnect.
|
|||
|
|
|
|||
|
|
DATA TRANSMISSION
|
|||
|
|
Cellular Phones use a data rate of 10 Kilobits per second, and must be
|
|||
|
|
accurate to within one bit per second.
|
|||
|
|
Frequency Modulation (FM) is used for both voice and data transmissions.
|
|||
|
|
Digital data is transmitted as an 8KHz frequency shift of the carrier.
|
|||
|
|
A binary one is transmited as a +8KHz shift and a binary zero as a -8KHz
|
|||
|
|
shift. NRZ (Non-Return to Zero) coding is used, which means that the carrier
|
|||
|
|
is not shifted back to it's center frequency between transmitted binary bits.
|
|||
|
|
|
|||
|
|
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
|
|||
|
|
<EFBFBD> The DNA BOX - Striking at the Nucleus of Corporate Communications. <20>
|
|||
|
|
<EFBFBD> A current project of... <20>
|
|||
|
|
|
|||
|
|
Outlaw
|
|||
|
|
Telecommandos
|
|||
|
|
<20><>ݳ<EFBFBD><EFBFBD><DEBA>ݳ<EFBFBD>ݳ<DEB3>
|
|||
|
|
<20><>ݳ<EFBFBD><EFBFBD><DEBA>ݳ<EFBFBD>ݳ<DEB3>
|
|||
|
|
<20>01-213-376-0111<31>
|
|||
|
|
|
|||
|
|
Downloaded From P-80 International Information Systems 304-744-2253
|