CELLULAR TELEPHONE ESN EMULATION
--------------------------------

The term "Emulation" is used to describe the process of making two or
more phones look alike to the cellular system. A basic understanding of
the terms NAM and ESN is required before proceeding.

NAM or "Number Assignment Module" is the term used to describe a cellular
telephone's dealer-programmable system parameters. These parameters
include the user's telephone number (the Mobile Identification Number,
or MIN) and other settings required to identify the phone to the cellular
system. Older phones hold the NAM in a PROM chip that has to be programmed
or "burnt" using a PROM programmer. On all newer phones the NAM
information can be re-programmed at will from the handset by anyone
possessing the relevant programming instructions, and in some cases a
programming or "password" adaptor.

ESN or "Electronic Serial Number" is the term used to describe a cellular
telephone's "un-alterable" fingerprint and is programmed into the phone by
the manufacturer. The ESN is a 32-bit value, commonly expressed either as
an eleven digit decimal or as an eight digit hex number. The decimal
format consists of a three digit manufacturer's identification (0-255)
followed by an eight digit unique serial number (0-16777215); the hex
format consists of a two digit manufacturer's identification followed by
a six digit unique serial number. Note that the decimal form is not the
decimal value of the whole 32-bit number: the two fields are converted
separately and then concatenated.

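The two ESN notations described above, as an added example written for
this page (it is not code from the original text or from the vendor): a
converter and validator between the 8-digit hex form and the 11-digit
decimal form, which also shows why the decimal form must be handled as two
zero-padded fields rather than as one number. The ESN values it uses are
constructed for illustration and do not belong to real phones.

```python
# Added example (not part of the original text): converting a 32-bit ESN
# between its 8-digit hex form (2 hex digits manufacturer code + 6 hex
# digits serial) and its 11-digit decimal form (3 decimal digits
# manufacturer code + 8 decimal digits serial). The two fields are
# converted separately and concatenated; the decimal form is NOT the
# decimal value of the whole 32-bit word. All ESN values below are
# constructed for illustration, not real phones.

MFR_BITS = 8                       # manufacturer code: top 8 bits
SERIAL_BITS = 24                   # unique serial: low 24 bits
SERIAL_MASK = (1 << SERIAL_BITS) - 1


def split_esn(esn: int) -> tuple[int, int]:
    """Split a 32-bit ESN into (manufacturer_code, serial)."""
    if not 0 <= esn <= 0xFFFFFFFF:
        raise ValueError("ESN must fit in 32 bits")
    return esn >> SERIAL_BITS, esn & SERIAL_MASK


def esn_hex_to_dec(esn_hex: str) -> str:
    """'82A1B2C3' -> '13010597059' (mfr 0x82=130, serial 0xA1B2C3=10597059)."""
    s = esn_hex.strip().upper()
    if len(s) != 8 or any(c not in "0123456789ABCDEF" for c in s):
        raise ValueError(f"hex ESN must be exactly 8 hex digits: {esn_hex!r}")
    mfr, serial = split_esn(int(s, 16))
    # Zero-padding matters: "001" and "00000001" are significant digits.
    return f"{mfr:03d}{serial:08d}"


def esn_dec_to_hex(esn_dec: str) -> str:
    """'13010597059' -> '82A1B2C3'. Rejects field values that cannot fit."""
    s = esn_dec.strip()
    if len(s) != 11 or not s.isdigit():
        raise ValueError(f"decimal ESN must be exactly 11 digits: {esn_dec!r}")
    mfr, serial = int(s[:3]), int(s[3:])
    # A malformed decimal ESN can carry a field too large for its bits
    # (e.g. manufacturer 300 or serial 20000000); refuse rather than wrap.
    if mfr > 0xFF or serial > SERIAL_MASK:
        raise ValueError(f"field out of range in decimal ESN {esn_dec!r}")
    return f"{mfr:02X}{serial:06X}"


def normalize_esn(value: str) -> str:
    """Accept either notation and return the canonical 8-digit hex form."""
    v = value.strip()
    if len(v) == 11 and v.isdigit():
        return esn_dec_to_hex(v)
    esn_hex_to_dec(v)              # validates the hex form, raises if malformed
    return v.upper()


def esn_matches(a: str, b: str) -> bool:
    """True if two ESNs written in either notation denote the same phone."""
    return normalize_esn(a) == normalize_esn(b)


if __name__ == "__main__":
    # Constructed sample ESNs (not real phones).
    for h in ("82A1B2C3", "01000001", "FFFFFFFF"):
        d = esn_hex_to_dec(h)
        print(f"hex {h} -> dec {d} -> hex {esn_dec_to_hex(d)}")
    print(esn_matches("82A1B2C3", "13010597059"))
```

When comparing an ESN read off a phone's label against one on a bill or a
deny list, normalise both first; a string compare of "130" against "82"
is the usual way such a lookup silently fails.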
When combined, the NAM and ESN provide the cellular carriers with a way of
identifying the phone and determining whether to allow it to place a
call. Whenever the phone is used it transmits this information to the
cellular switch, where it is compared with a database of current
subscribers. If the system recognizes the phone as being an out of area,
or "roaming", subscriber a check is made with the home system. This check
is made either during the first call or, more commonly these days, before
the first call is completed.


CELLULAR FRAUD
--------------

In the past it was often possible for hackers to change the ESN and NAM
information and make one call before the system locked the unit out.
The NAM and ESN information would then be changed again and another call
could be completed. This is known as ESN "tumbling", and over the last few
years the cellular carriers have lost millions of dollars to this scam. It
has been estimated that at the height of tumbling in New York City up to
30% of calls placed were fraudulent.

To change the ESN the hacker would generally remove the phone's ESN chip
and install a socket to take an easily reprogrammable EPROM chip; the ESN
could then be reprogrammed at will. More recently people have reverse
engineered certain manufacturers' software to allow simple reprogramming
using a laptop computer connected to the phone's data port.

The cellular industry has reacted to this in various ways. Initially the
simple way to prevent tumbling was to bar all roaming customers from
direct dialing; legitimate callers had to pre-register using a credit
card to guarantee payment. Newer, more advanced software allows
pre-screening of the caller's information and has now all but eliminated
tumbling: tumbling only works when the switch validates the ESN and NAM
after the call has been allowed, so checking them before the call goes
through removes the "free first call". In most service areas the ESN and
NAM information is checked on power up or as soon as the SEND button is
pressed, prior to allowing the completion of the call.

The cellular hackers have now turned to other ways of making fraudulent
calls. The most common of these is to obtain a legitimate subscriber's
telephone number and ESN and re-program a phone with this information,
thereby making an exact clone able to make (and receive) phone calls.
Because the clone presents a valid, active subscriber's number and ESN,
the pre-screening described above passes it. This method allows anything
from a few days to a full month of "free" calls, and can go on
indefinitely if the cloned number is a corporate account, as executives'
phone bills are rarely questioned.


LEGAL EMULATION
---------------

The above illegal cloning of subscribers' cellular telephones and the
reverse engineering of manufacturers' software has been adapted by a
number of legitimate companies. It is now possible to have more than one
phone per cellular telephone number. Several companies are now offering
legal cloning or emulation where, for a fee of around $200-$300, they will
program your second phone with the ESN of your currently active phone.

To avoid fraud these companies often ask for a copy of a current cellular
telephone bill showing the mobile number and subscriber's name. This is
then compared with picture ID to ensure that the customer is a legitimate,
bill-paying subscriber.

Once a phone has been emulated the following should be noted:

1. If an attempt is made to use both phones at the same time and in the
same system one of the following will occur:

OUTGOING CALLS - The first call will complete as normal; the second phone
will get a fast busy or a system deny recording, or the call will drop.

INCOMING CALLS - Both phones may ring and the call can be answered but
might immediately drop; the phone with the strongest signal may ring and
the call can be answered; or neither phone will ring.

2. If one phone is in the home market and one is roaming, both phones
should work and it should be possible to call your own number. This
depends on the roaming agreement between the two systems. In systems with
"Automatic Roaming" or "Super Access" agreements it may be necessary to
turn off the automatic call forwarding to avoid problems; in many
locations this is done by dialing * O F F SEND.

3. If both phones are roaming in DIFFERENT systems do NOT attempt to have
both phones turned on at the same time, as your home system will probably
generate a roam fraud message and CUT THE PHONE OFF! Two registrations of
the same number and ESN in two different systems at once is exactly the
pattern a cloned phone produces, and the home system cannot tell your
legal emulation from a clone.

4. If the secondary (cloned) phone is stolen, call the carrier and have
the mobile number changed, then re-program the primary phone with the new
number. Do not report the phone stolen, as the ESN will be locked out and
neither phone will work. If you know the secondary phone's ORIGINAL ESN,
report that as stolen and tell the carrier that the phone was not active.

Nine times out of ten, if the thief tries to activate the phone the
hardware serial number (which will be assumed to be the phone's real ESN)
will be checked against the deny list and service will be denied. If the
original ESN has not been reported stolen and the phone is activated
using the hardware serial number, the phone still won't work, because the
ESN it actually transmits is the emulated one and does not match!

If the "correct" emulated ESN is read from the phone, service will
probably be denied if the thief tries to activate the phone on the same
home system as the primary phone. This is because many systems do not
allow two numbers on one ESN. The thief could, however, activate service
on an alternate system.

You could prevent the emulated phone from working by having the ESN in
the primary phone emulated to another phone; you can then report the
original ESN as stolen. This is not recommended, as using a phone whose
ESN has been reported stolen would cause problems if you ever need to use
the original ESN again. Remember that legitimate emulation does not remove
the original ESN; it simply adds some code to make the phone appear to
have a different ESN.

5. If the primary phone is stolen you can report the theft, then have the
secondary phone's ESN changed back to its original or re-programmed to
match another phone. This will usually be done for a nominal charge.

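The switch-side checks this text describes, modelled as an added Python
example written for this page: the pre-call validation of the NAM (MIN)
and ESN against the subscriber database that ended tumbling (CELLULAR
FRAUD section), the "two numbers on one ESN" refusal at activation time
(item 4), and the roam-fraud cut-off that fires when the same number and
ESN register in two different systems too close together (item 3). This
is not code from California Grapevine Communications or from any carrier;
the log line format, the SID values, the 30-minute travel window, and all
MINs and ESNs are constructed assumptions made for the example.

```python
# Added example (not from the original text): a toy model of the switch-side
# checks the text describes. (1) Pre-call validation: the MIN/ESN pair a
# phone transmits is looked up in the subscriber database BEFORE the call
# is allowed, so a tumbled pair never gets its "free first call".
# (2) Roam-fraud detection: the same MIN/ESN pair registering in two
# different systems (SIDs) within a window too short for real travel is
# treated as a clone, and the pair is cut off (the legitimate phone too).
# (3) Activation refuses a second MIN on an ESN already assigned.
# Log lines, MINs, ESNs and SIDs are all constructed for illustration; the
# formats and thresholds are assumptions of this example, not a carrier's.
import re
from datetime import datetime, timedelta

# MIN = Mobile Identification Number (the 10-digit number from the NAM);
# ESN = 8-hex-digit electronic serial number; SID = system identifier.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"SID=(?P<sid>\d{4}) MIN=(?P<min>\d{10}) ESN=(?P<esn>[0-9A-F]{8})$"
)
MIN_TRAVEL = timedelta(minutes=30)   # assumed: two systems < 30 min apart = clone


def activate(db: dict, min_: str, esn: str) -> bool:
    """Bind a MIN to an ESN; refuse a second number on an ESN already in use."""
    if esn in db.values() and db.get(min_) != esn:
        return False
    db[min_] = esn
    return True


class Switch:
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers        # MIN -> ESN (active accounts)
        self.last_seen = {}                   # (MIN, ESN) -> (SID, datetime)
        self.locked = set()                   # pairs cut off for roam fraud

    def register(self, line: str) -> str:
        """Decide one registration / call-attempt event; returns the verdict."""
        m = EVENT_RE.match(line)
        if not m:
            return "DENY:malformed"
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["min"], m["esn"])
        # (1) pre-call validation: an unknown or mismatched MIN/ESN pair is
        #     refused before any call completes, which is what killed tumbling.
        if self.subscribers.get(m["min"]) != m["esn"]:
            return "DENY:unknown-pair"
        if key in self.locked:
            return "DENY:locked"
        # (2) clone check: same valid pair, different system, too soon.
        prev = self.last_seen.get(key)
        if prev and prev[0] != m["sid"] and ts - prev[1] < MIN_TRAVEL:
            self.locked.add(key)
            return f"DENY:roam-fraud(seen in SID {prev[0]} at {prev[1]:%H:%M})"
        self.last_seen[key] = (m["sid"], ts)
        return "ALLOW"


def build_db() -> dict:
    """Constructed subscriber database; the third activation is refused."""
    db = {}
    activate(db, "2135550101", "82A1B2C3")
    activate(db, "2135550202", "0F1234AB")
    activate(db, "2135550102", "82A1B2C3")   # second number on one ESN: refused
    return db


def run_demo() -> list:
    sw = Switch(build_db())
    events = [  # constructed registration log, not real traffic
        "1993-04-12 10:00:00 SID=0021 MIN=2135550101 ESN=82A1B2C3",  # legit
        "1993-04-12 10:01:30 SID=0021 MIN=2135550199 ESN=7B000010",  # tumbled
        "1993-04-12 10:02:00 SID=0021 MIN=2135550199 ESN=7B000011",  # tumbled
        "1993-04-12 10:05:00 SID=0034 MIN=2135550101 ESN=82A1B2C3",  # clone
        "1993-04-12 10:06:00 SID=0021 MIN=2135550101 ESN=82A1B2C3",  # victim
        "1993-04-12 11:00:00 SID=0034 MIN=2135550202 ESN=0F1234AB",  # legit
        "1993-04-12 12:00:00 SID=0055 MIN=2135550202 ESN=0F1234AB",  # travel
    ]
    return [sw.register(e) for e in events]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The fifth event is the point of item 3 above: once the clone trips the
roam-fraud rule, the legitimate phone on the same number and ESN is
refused as well, because the switch has no way to tell which of the two
registrations was the real subscriber.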
As of April 1993 California Grapevine Communications offers ESN emulation
for the following phones (call for latest list):

AUDIOVOX:    832, 832A, 1000, 4200A
             BC - 40, 45, 55, 55A, 65A, 410
             CMT - 300A, 400, 405, 410A, 420, 450, 550, 600, 605, 750, 1700
             CTR - 420A, 1900, 2000
             CTX - 1500, 2500, 3100A, 3200A, 4000, 4100A
             PRT - 200
             SP - 85, 85A, 95
             TRANS - 420

NEC:         3700, 3800, 4000
             M3800, M4500, M4600, M4700, M4800
             P200, P300, P301
             P9000, P9100

NOVATEL:     8300, 8301, 8305, 8305A, 8320, 8320A
             PTR825

PANASONIC:   EB2500, EB2501 (TP500, 501)

PIONEER:     SEE MOTOROLA

MOTOROLA:    ALL MOBILES, TRANSPORTABLES AND BAG PHONES.
             ALL FLIPS, 8000 SERIES AND ULTRA CLASSICS PRIOR TO VERSION 9121.
             NO MICROTAC LITE'S (YET)

TECHNOPHONE: MC905, MC905MKII/985/995

THE FOLLOWING MUST BE EMULATED TO SAME BRAND:

SHINTOM, UNIDEN, GE

The price for emulation is $199.00 (mention this software) plus shipping.
Proof of ID, a valid cellular account and social security number are
required. Please call or write for further information.

25082 LUNA BONITA DRIVE, LAGUNA HILLS, CA, 92653
TEL: (714)643-8426  FAX: (714)643-8379


COPYRIGHT 1993 CALIFORNIA GRAPEVINE COMMUNICATIONS