textfiles/phreak/CELLULAR/phcellular.phk


Cellular Phreaks & Code Dudes - Hacking chips on cellular phones is the
latest thing in th eunderground

by John Markoff

In Silicon Valley, each new technology gives rise to a new generation of
hackers. Consider the cellular telephone. The land-based telephone system
was originally the playground for small group of hardy adventurer who
believed mastery of telephone technology was an end in itself. Free phone
calls weren't the goal of the first phone phreaks. The challenge was to
understand the system.

The philosophy of these phone hackers: Push the machines as far as they
would go.

Little has changed. Meet V.T. and N.M., the nation's most clever cellular
phone phreaks. (Names here are obscured because, as with many hackers,
V.T. and N.M.'s deeds inhabit a legal gray area.) The original phone
phreaks thought of themselves as "telecommunications hobbyists" who
explored the nooks and crannies of the nation's telephone network - not
for profit, but for intellectual challenge. For a new generation of mobile
phone hackers, the cellular revolution offers rich new veins to mine.

V.T. is a young scientist at a prestigious government laboratory. He has
long hair and his choice in garb frequently tends toward Patagonia. He is
generally regarded as a computer hacker with few equals. N.M. is a
selftaught hacker who lives and works in Silicon Valley. He has mastered
the intricacies of Unix and DOS. Unusually persistent, he spent almost an
entire year picking apart his cellular phone just to see how it works.

What V.T. and N.M. discovered last year is that cellular phones are really
just computers - network terminals - linked together by a gigantic
cellular network. They'also realized that just like other computers,
cellular phones are programmable.

Progammable! In a hacker's mind that means is no reason to limit a
cellular phone to the choice of functions offered by its manufacturer.
That means that cellular phones can be hacked! They can be dissected and
disassembled and put back together in remarkable new ways. Optimized!

Cellular phones aren't the first consumer appliances to be cracked open
and augmented in ways their designers never conceived. Cars, for example,
are no longer the sole province of mechanics. This is the information age:
Modern automobiles have dozens of tiny microprocessors. Each one is a
computer; each one can be reprogrammed. Hot rodding cars today doeon't
mean throwing in a new carburetor, it means ''rewriting' the software
governing the car's fuel injection system.

This is the reality science fiction writers William Gibson and Bruce
Sterling had in mind when they created cyberpunk: Any technology, no
matter how advanced, almost immediately falls to the level of the street.
Here in Silicon Valley, there are hundreds of others like V.T. and N. M.
who squeeze into the crannies of any new technology, bending it to new and
more exotic uses.

On a recent afternoon, V.T. sits at a conference room table in a San
Francisco highrise. ln his hand is an OKI 900 cellular phone. It nestles
comfortably in his palm as his flngers dance across the keyboard.
Suddenly, the tiny back-lit screen flashes a message: "Good Timing!"  Good
Timing? This is a whimsical welcome message left hidden in the phone's
software by the manufacturer's programmers. V.T. has entered the phone's
software sub-basement -- a command  area normally reserved for
technicians. This is where the phone can be reprogrammed; a control
point from which the phone can be directed to do new and cooler things. It
is hidden by a simple
undocumented password.

How did V.T. get the password, or even know one was required?  It didn't
even take sophisticated social engineering - the phone phreak s term for
gaining secret engineering data by fooling unwitting employees into
thinking they are talking to an official phone company technician.
Rather, all he did was order the technical manual, which told him he
needed special codes to enter the software basement. V.T. then called the
cellular phone maker's technical support hotline.  "They said 'sorry about
that,' and asked for a fax number. A couple of minutes later we had the
codes," he recalls with a faint grin.

V.T. fingers continue darting across the keys he is issuing commands built
into the phone by the original programmers. These commands are not found
in the phone''s user manual. Suddenly, voices emerge from the phone's ear
piece. The first is that of a salesman getting his messages from a voice
mail system. V.T. shifts frequencies. Another voice. A woman giving her
boss directions to his next appointment.

What's going on here?  V.T. and N.M. have discovered that every cellular
phone possesses a secret mode that turns it into a powelful cellular
scanner.

 That's just the beginning. Using a special program called a
"disassembler," V.T. has read-out the OKl's software, revealing mole than
90 secret commands for controlling the phone.

That's how the two hackers found the undocumented feartures that turn the
phone into a scanner. Best of all, the manufacturer has included a simple
interface that makes it possible to control the phone with a standard
personal computer.

A personal computer! The most programmable of a hacker's tools! That means
that what appears to be a simple telephone can be easily transformed into
a powerful machine that can do things its designers never dreamed of!

V.T. alld N.M. have also discovered that the OKl s 64-Kbyte ROM - a
standard off the shelf chip that stores the phone's software - has more
than 20 Kbytes of free space. Plenty of room to add special features, just
like hot rodding the electronics of a late-model car. Not only do the
hackers use the software that is already there, but they can add some of
their own as well. And for a good programmer, 20 Kbytes is a lot ot room
to work with.

It is worth noting that V.T. and N.M. are not interested in getting free
phone calls. There are dozens of other ways to accomplish that, as an
anonymous young pirate recently demonstlated by stealing the electronic
serial number from a San Diego roaddide emergency box and then racking up
thousands of phone calls before the scam was discovered. (Such a serial
number allowed the clever hacker to create a phone that the phone network
thought was somewhere on a pole by the side of the freeway .)

It's also possible to wander to street corners in any borough in New York
City and tind a code dude - street slang for someone who illegally pirates
telephone codes - who will give you 15 minutes of phone time to any corner
of the world for $10. These 'duldes' find illegally gathered charge card
numbers and then resell them on the street until telephone security
catches on. The tip-off: often an unusually large number of calls to
Ecuador or France emmanating trom one particular street corner.

Then again, it's possible for you to join the code hackers who write
telephone software that automatically tinds codes to be stolen. Or you can
buy a hot ROM - one that contains magic security information identifying
you as a paying customer. Either way, your actions would be untraceable by
the phone company's interwoven security databases.

But free phone calls are not what V.T. and N.M. are about. "It's so
boring," says V.T. "If you're going to do something illegal, you might as
well do something interesting." So what's tempting? N.M. has hooked his
portable PC and his cellular phone together. He watches the laptop's
screen, which is drawing a map of each cellular phone call currently being
placed in our cell - a term for the area covered by one broadcast unit in
the cellular phone network. The network can easily query each cellular
phone as to its current location. When phones travel trom one cell to the
next - as they tend to do in a car information is passed on in the form of
hidden code married to the phone transmission. Since N.M. knows where each
local cell is, he can display the approximate geographic locations of each
phone that is currently active.

But for that tracking scheme to work, the user must be on the phone. It
would take only a tew days of hacking to extend the sottware on N.M.'s PC
to do an cven more intriging monitoring task: Why not pirate the data from
the cellular network's paging channel (a special frequency that cellular
networks use to communicate administrative information to cellular phones)
and use it to follow car phones through the networks? Each time there is a
hand-off from one cell to the next, that fact could be recorded on the
screen of the PC - making it possible to track users regardless of whether
or not they are on the phone.

Of course this is highly illegal, but N.M. muses that the capability is
something that might be extremely valuable to law enforcement agencies -
and all at a cost far below the exotic systems they now use.

Hooking a cellular phone to a personal computer offers other surveillance
possibilities as well. V.T. and N.M. have considered writing software to
monitor particular phone numbers. They could easily design a program that
turns the OKI 900 on when calls are origilnted on a specific number or
when specific nulmbers are called. A simple voice-activated recorder could
then tape the call. And, ot course a reprogrammed phone could
automatically decode touch-tone passwords - making it easy to steal credit
card numbers or voicemail codes.

Then there's the vampire phone.  Why not, suggests V.T. take advantage of
a cellular phone's radio frequency lealkage - inevitable low-power radio
emissions - to build a phone that with the press of a few buttons, could
scan the RF spectrum for the victim's electronic serial number. You'd have
to be pretty close to the target phone to pick up the RF, but once you
have the identity codes reprogrammed the phone becomes digitally
indistinguishable from the original. This is the type ol phone fraad that
keeps federal investigators up at night.

Or how about the ultimate hackers spoof? V.T. has carefully studied phone
company billing procedures and toured many examples of inaccurate bills.
Why not monitor somebody's caIls and then anonymously send the person a
correct  version of their bill "According to our reords..."
.
Of course, such surveillance is probably highly illegal, and although it
may seem to be catching on, The Electronic Communications Privacy  Act of
1986 makes it a federal crime to eavesdrop on cellular phlonle calls. More
recently, Congress passed another law forbidding the manufacture of
cellular scanners. While they may not be manufacturers, both N.M. and V.T.
realize that their beautifully crafted phones are probably illegal.

For now, their goals are less bold. V.T., for example, wants to be able to
have several phones with the same phone number. "Not a problem as I see
it."

Although federal law requires that electronic serial numbers be hidden in
special protected memory V.T. and N.M. have figured out how to pull that
ESN out and write software so that they can replace it with their own.

V.T. and N.M's explorations into the secrets of the OKI 900 have them with
a great deal of admiration for OKl's programmers. "I don't know what they
were thinking, but they had a good time," V.T. said, "This phone was
clearly built by hackers."

The one thing V.T. and N.M. haven't decided is whether or not they should
tell OKI about the bugs - anld the possibilities they've found in the
phone's software.
Initial commit 2021-04-15 13:31:59 -05:00
			`Cellular Phreaks & Code Dudes - Hacking chips on cellular phones is the`
			`latest thing in th eunderground`

			`by John Markoff`

			`In Silicon Valley, each new technology gives rise to a new generation of`
			`hackers. Consider the cellular telephone. The land-based telephone system`
			`was originally the playground for small group of hardy adventurer who`
			`believed mastery of telephone technology was an end in itself. Free phone`
			`calls weren't the goal of the first phone phreaks. The challenge was to`
			`understand the system.`

			`The philosophy of these phone hackers: Push the machines as far as they`
			`would go.`

			`Little has changed. Meet V.T. and N.M., the nation's most clever cellular`
			`phone phreaks. (Names here are obscured because, as with many hackers,`
			`V.T. and N.M.'s deeds inhabit a legal gray area.) The original phone`
			`phreaks thought of themselves as "telecommunications hobbyists" who`
			`explored the nooks and crannies of the nation's telephone network - not`
			`for profit, but for intellectual challenge. For a new generation of mobile`
			`phone hackers, the cellular revolution offers rich new veins to mine.`

			`V.T. is a young scientist at a prestigious government laboratory. He has`
			`long hair and his choice in garb frequently tends toward Patagonia. He is`
			`generally regarded as a computer hacker with few equals. N.M. is a`
			`selftaught hacker who lives and works in Silicon Valley. He has mastered`
			`the intricacies of Unix and DOS. Unusually persistent, he spent almost an`
			`entire year picking apart his cellular phone just to see how it works.`

			`What V.T. and N.M. discovered last year is that cellular phones are really`
			`just computers - network terminals - linked together by a gigantic`
			`cellular network. They'also realized that just like other computers,`
			`cellular phones are programmable.`

			`Progammable! In a hacker's mind that means is no reason to limit a`
			`cellular phone to the choice of functions offered by its manufacturer.`
			`That means that cellular phones can be hacked! They can be dissected and`
			`disassembled and put back together in remarkable new ways. Optimized!`

			`Cellular phones aren't the first consumer appliances to be cracked open`
			`and augmented in ways their designers never conceived. Cars, for example,`
			`are no longer the sole province of mechanics. This is the information age:`
			`Modern automobiles have dozens of tiny microprocessors. Each one is a`
			`computer; each one can be reprogrammed. Hot rodding cars today doeon't`
			`mean throwing in a new carburetor, it means ''rewriting' the software`
			`governing the car's fuel injection system.`

			`This is the reality science fiction writers William Gibson and Bruce`
			`Sterling had in mind when they created cyberpunk: Any technology, no`
			`matter how advanced, almost immediately falls to the level of the street.`
			`Here in Silicon Valley, there are hundreds of others like V.T. and N. M.`
			`who squeeze into the crannies of any new technology, bending it to new and`
			`more exotic uses.`

			`On a recent afternoon, V.T. sits at a conference room table in a San`
			`Francisco highrise. ln his hand is an OKI 900 cellular phone. It nestles`
			`comfortably in his palm as his flngers dance across the keyboard.`
			`Suddenly, the tiny back-lit screen flashes a message: "Good Timing!" Good`
			`Timing? This is a whimsical welcome message left hidden in the phone's`
			`software by the manufacturer's programmers. V.T. has entered the phone's`
			`software sub-basement -- a command area normally reserved for`
			`technicians. This is where the phone can be reprogrammed; a control`
			`point from which the phone can be directed to do new and cooler things. It`
			`is hidden by a simple`
			`undocumented password.`

			`How did V.T. get the password, or even know one was required? It didn't`
			`even take sophisticated social engineering - the phone phreak s term for`
			`gaining secret engineering data by fooling unwitting employees into`
			`thinking they are talking to an official phone company technician.`
			`Rather, all he did was order the technical manual, which told him he`
			`needed special codes to enter the software basement. V.T. then called the`
			`cellular phone maker's technical support hotline. "They said 'sorry about`
			`that,' and asked for a fax number. A couple of minutes later we had the`
			`codes," he recalls with a faint grin.`

			`V.T. fingers continue darting across the keys he is issuing commands built`
			`into the phone by the original programmers. These commands are not found`
			`in the phone''s user manual. Suddenly, voices emerge from the phone's ear`
			`piece. The first is that of a salesman getting his messages from a voice`
			`mail system. V.T. shifts frequencies. Another voice. A woman giving her`
			`boss directions to his next appointment.`

			`What's going on here? V.T. and N.M. have discovered that every cellular`
			`phone possesses a secret mode that turns it into a powelful cellular`
			`scanner.`

			`That's just the beginning. Using a special program called a`
			`"disassembler," V.T. has read-out the OKl's software, revealing mole than`
			`90 secret commands for controlling the phone.`

			`That's how the two hackers found the undocumented feartures that turn the`
			`phone into a scanner. Best of all, the manufacturer has included a simple`
			`interface that makes it possible to control the phone with a standard`
			`personal computer.`

			`A personal computer! The most programmable of a hacker's tools! That means`
			`that what appears to be a simple telephone can be easily transformed into`
			`a powerful machine that can do things its designers never dreamed of!`

			`V.T. alld N.M. have also discovered that the OKl s 64-Kbyte ROM - a`
			`standard off the shelf chip that stores the phone's software - has more`
			`than 20 Kbytes of free space. Plenty of room to add special features, just`
			`like hot rodding the electronics of a late-model car. Not only do the`
			`hackers use the software that is already there, but they can add some of`
			`their own as well. And for a good programmer, 20 Kbytes is a lot ot room`
			`to work with.`

			`It is worth noting that V.T. and N.M. are not interested in getting free`
			`phone calls. There are dozens of other ways to accomplish that, as an`
			`anonymous young pirate recently demonstlated by stealing the electronic`
			`serial number from a San Diego roaddide emergency box and then racking up`
			`thousands of phone calls before the scam was discovered. (Such a serial`
			`number allowed the clever hacker to create a phone that the phone network`
			`thought was somewhere on a pole by the side of the freeway .)`

			`It's also possible to wander to street corners in any borough in New York`
			`City and tind a code dude - street slang for someone who illegally pirates`
			`telephone codes - who will give you 15 minutes of phone time to any corner`
			`of the world for $10. These 'duldes' find illegally gathered charge card`
			`numbers and then resell them on the street until telephone security`
			`catches on. The tip-off: often an unusually large number of calls to`
			`Ecuador or France emmanating trom one particular street corner.`

			`Then again, it's possible for you to join the code hackers who write`
			`telephone software that automatically tinds codes to be stolen. Or you can`
			`buy a hot ROM - one that contains magic security information identifying`
			`you as a paying customer. Either way, your actions would be untraceable by`
			`the phone company's interwoven security databases.`

			`But free phone calls are not what V.T. and N.M. are about. "It's so`
			`boring," says V.T. "If you're going to do something illegal, you might as`
			`well do something interesting." So what's tempting? N.M. has hooked his`
			`portable PC and his cellular phone together. He watches the laptop's`
			`screen, which is drawing a map of each cellular phone call currently being`
			`placed in our cell - a term for the area covered by one broadcast unit in`
			`the cellular phone network. The network can easily query each cellular`
			`phone as to its current location. When phones travel trom one cell to the`
			`next - as they tend to do in a car information is passed on in the form of`
			`hidden code married to the phone transmission. Since N.M. knows where each`
			`local cell is, he can display the approximate geographic locations of each`
			`phone that is currently active.`

			`But for that tracking scheme to work, the user must be on the phone. It`
			`would take only a tew days of hacking to extend the sottware on N.M.'s PC`
			`to do an cven more intriging monitoring task: Why not pirate the data from`
			`the cellular network's paging channel (a special frequency that cellular`
			`networks use to communicate administrative information to cellular phones)`
			`and use it to follow car phones through the networks? Each time there is a`
			`hand-off from one cell to the next, that fact could be recorded on the`
			`screen of the PC - making it possible to track users regardless of whether`
			`or not they are on the phone.`

			`Of course this is highly illegal, but N.M. muses that the capability is`
			`something that might be extremely valuable to law enforcement agencies -`
			`and all at a cost far below the exotic systems they now use.`

			`Hooking a cellular phone to a personal computer offers other surveillance`
			`possibilities as well. V.T. and N.M. have considered writing software to`
			`monitor particular phone numbers. They could easily design a program that`
			`turns the OKI 900 on when calls are origilnted on a specific number or`
			`when specific nulmbers are called. A simple voice-activated recorder could`
			`then tape the call. And, ot course a reprogrammed phone could`
			`automatically decode touch-tone passwords - making it easy to steal credit`
			`card numbers or voicemail codes.`

			`Then there's the vampire phone. Why not, suggests V.T. take advantage of`
			`a cellular phone's radio frequency lealkage - inevitable low-power radio`
			`emissions - to build a phone that with the press of a few buttons, could`
			`scan the RF spectrum for the victim's electronic serial number. You'd have`
			`to be pretty close to the target phone to pick up the RF, but once you`
			`have the identity codes reprogrammed the phone becomes digitally`
			`indistinguishable from the original. This is the type ol phone fraad that`
			`keeps federal investigators up at night.`

			`Or how about the ultimate hackers spoof? V.T. has carefully studied phone`
			`company billing procedures and toured many examples of inaccurate bills.`
			`Why not monitor somebody's caIls and then anonymously send the person a`
			`correct version of their bill "According to our reords..."`
			`.`
			`Of course, such surveillance is probably highly illegal, and although it`
			`may seem to be catching on, The Electronic Communications Privacy Act of`
			`1986 makes it a federal crime to eavesdrop on cellular phlonle calls. More`
			`recently, Congress passed another law forbidding the manufacture of`
			`cellular scanners. While they may not be manufacturers, both N.M. and V.T.`
			`realize that their beautifully crafted phones are probably illegal.`

			`For now, their goals are less bold. V.T., for example, wants to be able to`
			`have several phones with the same phone number. "Not a problem as I see`
			`it."`

			`Although federal law requires that electronic serial numbers be hidden in`
			`special protected memory V.T. and N.M. have figured out how to pull that`
			`ESN out and write software so that they can replace it with their own.`

			`V.T. and N.M's explorations into the secrets of the OKI 900 have them with`
			`a great deal of admiration for OKl's programmers. "I don't know what they`
			`were thinking, but they had a good time," V.T. said, "This phone was`
			`clearly built by hackers."`

			`The one thing V.T. and N.M. haven't decided is whether or not they should`
			`tell OKI about the bugs - anld the possibilities they've found in the`
			`phone's software.`