informis/textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/phreak/CELLULAR/dnabox.txt

1134 lines
48 KiB
Plaintext
Raw Normal View History

Initial commit
2021-04-15 13:31:59 -05:00
<20> <20> <20> <20> <20> <20> <20> <20> <20> <20> <20> <20> JAN-89
<20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ <20>
<20>Ķ THE DNA BOX <20><><EFBFBD>
<20>Ķ Hacking Cellular Phones <20>Ŀ
<20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ѽ <20>
<20> <20> <20> <20> <20> <20> <20> <20> <20> <20> <20> <20> <20>
<EFBFBD> P A R T O N E <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
It turns out that there are several Japanese handheld transceivers (HT's)
availible in the US for use by ham radio hobbyists that have hidden
features allowing them to operate in the 800MHz band used by cellular
telephones. Using an FSK decoder chip and a personal computer running an
assembly language program to record and decypher the ID beeps at the beginning
of cellular calls, a "phone book" of cellular ID's can be compiled. A simple
FSK oscillator controlled by the PC can then be used to dial out using the
Handheld Transceiver and the captured ID codes.
A low tech analysis could be done by taping the beeps and playing them back
at slow speed into an oscilloscope. An edited tape may even be adequate for
retransmission; no decyphering required.
Several radio stores in Los Angeles sell the HT's and have given advice in
the past about how to access the hidden out-of-band tuning features in the
ROMS of the Japanese HT's. It's possible now to listen in to cellular
phone conversations without building any special hardware. In fact if you
have a good antenna, or live near a cellular repeater tower, you can
pick up celluar calls using a UHF TV with a sliding tuner by tuning in
"channels" between 72 and 83 on the UHF dial.
Beside the obvious benefits of unlimited, untraceable, national mobile
voice communication, there are other uses for cellular hacking.
For instance: most people using cellular phones are pretty upscale.
It may be possible to scan for ID codes of the telephones of major
corporations and their executives and get insider stock trading information.
Simply by logging the called and calling parties you will be able to compile
a database mapping out the executive level command & communication structure.
If this is linked to a remote controlled tape deck you will know precisely
what is going on and be able to note any unusual activity, such as calls
between the executives of corporations that are in a takeover or leveraged
buy out relationship. It is even likely that you will occasionally intercept
calls between investors and their stock brokers, or calls discussing plans
for new contracts.
This data is most safely used for insider trading of your own; there will be
no way that the Securities and Exchange Commission can establish a link
between you and the insiders. A more risky proposition would be to offer any
intelligence gathered to competitors for a price as industrial espionage.
Then there are the anarchy & disruption angles for cybernetic guerrilla
action at the corporate economic & financial level. Leaking info to the
press can kill a deal or move stock prices prematurely. Intelligence
gathered via cellular hacking can also be used to plan operations against
corporate mainframes by providing names and keywords, or indicating vital
information to be searched for. Listening to the phone calls of candidates
and their campaign staff is also a field rich in possibilities.
A related technology waiting to be hacked is the nationwide net of pocket
pagers. The possibilities for executive harrassment using beeper technology
are relatively unexplored.
There are also several on-line instant stock & commodity quotation systems
that use SCA subcarriers to transmit investment data. By watching activity
on these networks you will be able to look over the shoulder of investors
as they plan their strategy - what kind of inquiries are they making and what
the results are.
Here are a few of the online investment services (business offices, ca.1987)
DATAQUICK 1-800-762-DATA (voice) Southern CA Real Property Data
Lotus Signal/QuoTrek 1-800-272-2855 (voice) Stock Market Data
1-800-433-6955 (voice)
FutureSource 1-800-621-2628 ext.34 (voice) Futures Trading Data
(Or check recent ads in Wall Street Journal etc.)
At any rate, I propose that we start pooling info about cellular phones
toward the goal of building a 'rosetta stone' of cellular dialing protocols,
frequencies, technical info and hardware/software hacks.
High on the hit list is a service/repair manual for a cellular phone, and
journal or technical articles about the inner workings of the cellular
phone system.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<EFBFBD> The DNA BOX - Striking at the Nucleus of Corporate Communications. <20>
<EFBFBD> A current project of... <20>
Outlaw
Telecommandos
<20><>ݳ<EFBFBD>޺<EFBFBD><DEBA>ݳ<EFBFBD>޳ݳ<DEB3>
<20><>ݳ<EFBFBD>޺<EFBFBD><DEBA>ݳ<EFBFBD>޳ݳ<DEB3>
<20> <20> <20><><EFBFBD> <20> <20>ڿ <20><><EFBFBD> <20> <20><>ڿ JAN-89
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ <20>
<20>Ķ THE DNA BOX <20><><EFBFBD>
<20>Ķ Hacking Cellular Phones <20><><EFBFBD><EFBFBD>Ŀ
<20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ѽ <20>
<20> <20> <20> <20> <20> <20> <20> <20> <20> <20> <20> <20> <20>
<EFBFBD> P A R T T W O <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
The previous DNA file discussed the possibility of using Japanese handheld
HAM radios and personal computers, or tape recorders to hack Cellular Phone
codes, and possible uses for investment & business info obtained by
hacking executive and corporate phone calls, and investment info services.
Here I want to mention the obvious idea of simply modifying or replacing the
ROMs in a standard Cellular Phone, and disassembling the ROM software that
operates the Phone in order to "customize" it for scanning, data monitoring,
evesdropping and (of course) making free calls using the codes of registered
subscribers.
Simply unplugging the ROMS, putting them on a ROM card for a PC and then
copying the software to disk for disassembly is the obvious first step.
Use of a logic analyzer to monitor and record activity on the Cellular Phone's
digital bus would simplify things by providing a map of where data is stored
and which instructions are executed during each period of activity:
decoding/sending ID tones, selecting frequencies, dialing, and talking.
Checking the part number on the CPU embedded in the Cellular Phone will tell
you which disassembler to use to give a first draft of the ROM code.
The next step is to generate a map of the locations of every subroutine
call's entry point, any branch & loop locations, and all addresses written to,
read, or read-only (to map out any variables and data). Locations incremented,
decremented or tested by branch instructions should also be noted, along with
their initial and final values.
Each address in the map should be given a symbolic label in your draft of
the assembly code. Comments can also be entered with high-level language
equivalents that summarize the assembly code as you understand it.
Pay special attention to data or loop limits that match elements of the
Cellular Phone ID codes (length or contents), or any data locations that
are always accessed as a group. This may give you enough info to find the
location of the ID code and burn an EPROM with any ID's you've hacked
by listening to Cellular Calls.
If you have identified the subroutines that accept phone numbers for dialing,
you can patch in a second subroutine that accepts an ID code from the keypad
and stores it in RAM before calling out, and modify any routines that
utilize ID Codes to use RAM addresses instead of ROM addresses.
Chances are that the software takes up most or all of the available ROM
and RAM scratchpad space on the single-chip microprocessor. If this is the case
it might be neccessary to piggyback additional memory chips onto the circuit
board to hold any new subroutines you want to add.
Suggested new features:
1) Have the Cellular Phone scan for an empty channel and wait for an ID code.
Capture the ID code into a table of ID's in RAM and display the captured codes
on the liquid crystal display.
2) Program the Cellular Phone to emulate the switching signals and codes sent
by PacBell (or your local Cellular carrier), bypassing central switching
entirely. This would be useful for making 100% untraceable calls to other
Cellular subscribers within direct radio range. This can be used to do your own
routing, emulating a phantom switching cell. This could be used to extend
cellular service into an otherwise inaccessible area by coupling your Cellular
Phone to a 1.2GHz linear amplifier modified to work in the 800MHz band.
3) Make the Cellular Phone recieve data under one ID/Frequency and retransmit
it under another. This would make it impossible to monitor both sides of a
conversation. This feature could also be used to implement conference calling
by running several calls at once out of one phone.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<EFBFBD> The DNA BOX - Striking at the Nucleus of Corporate Communications. <20>
<EFBFBD> A current project of... <20>
Outlaw
Telecommandos
<20><>ݳ<EFBFBD>޺<EFBFBD><DEBA>ݳ<EFBFBD>޳ݳ<DEB3>
<20><>ݳ<EFBFBD>޺<EFBFBD><DEBA>ݳ<EFBFBD>޳ݳ<DEB3>
<20>01-213-376-0111<31>
<20><><EFBFBD>Ŀ <20><><EFBFBD> <20>Ŀ <20>Ŀ <20>Ŀ ڿ <20> <20> 1-FEB--89
ڿ <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ<EFBFBD><CDBB><EFBFBD>
<20><><EFBFBD><EFBFBD>Ķ THE DNA BOX <20><><EFBFBD>
<20><><EFBFBD> ڶ Hacking Cellular Phones <20><><EFBFBD><EFBFBD>Ŀ
<20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ѽ <20><><EFBFBD>
<20> ' ` ' ` ' ` ' ` ' ` ' ` <20> <20><><EFBFBD>
<EFBFBD> P A R T T H R E E <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Previous DNA files discussed the possibility of using Japanese handheld
HAM radios and personal computers, or tape recorders to hack Cellular Phone
codes, and possible uses for investment & business info obtained by
hacking executive and corporate phone calls, and investment info services,
as well as approaches to modifying the Cellular Phones themselves for use as
hacking tools and pirate communication devices.
Here using and modifying UHF-band radio scanners to hack and monitor
Cellular and Mobile telephone systems will be dealt with.
Radio Shack, Uniden, and several other manufacturers make scanners
for use by amateur radio hobbyists. Most of these will intercept mobile
radiotelephone calls without modification by tuning in frequencies in the
156 MHz and 475 MHz regions. Most of these scanners have line-level
audio outputs that can feed a tape recorder or demodulator/tone decoder
chip which can then interface directly to a computer for analyzing codes.
Mobile phones use a tone-pulse dialing protocol that should be simple to decode
and emulate using standard handheld ham radio gear. You can almost count
the dialing beeps without any special equipment. Phone channels are easy to
find: they usually broadcast a standard busy signal or an idle tone
(a fixed audio sine wave) when waiting for the next call. You will also hear
conversations, ringing, and mobile phone operators on these channels.
Here's a partial list of frequencies used by mobile phones:
(frequencies in MHz)
152.51 154.57 152.66 152.69 152.72 152.78 154.54
475.45 475.475 475.55 475.6 475.8 475.825 475.85 475.9 476.05
As you can see, many of the frequencies are spaced 30KHz or 25KHz apart,
so there are probably more channels in the gaps at those intervals.
These frequencies were gathered in a few minutes of casual listening using
an unmodified Radio Shack Pro-2021 scanner in search mode.
SCANNING CELLULAR FREQUENCIES:
Hobby scanners capable of monitoring Cellular Phones are prohibited in the US.
To save money on the production line, many international scanner manufacturers
make only one kind of scanning chip which they use in both US and foreign
models. These chips are capable of scanning in the 800MHz range but this
feature is diabled by grounding certain pins in the US models.
Often restoring Cellular scanning functions is merely a matter of cutting
a circuit trace or removing a single diode from a scanner's printed circuit
board.
For instance, removing diode 513 from a Radio Shack Pro-2004 Scanner will
enable the 870MHz Cellular range. Installing diode 510 will increase the
number of scanning channels from 300 to 400. Installing diode 514 will
increase the scanning rate from 16 to 20 channels per second.
These are located on the printed circuit board labeled PC-3.
The Uniden Bearcat 200/205XLT can be modified for Cellular scanning
by cutting or removing the 10K-ohm resisitor located on the printed circuit
above the letters "DEN" on the microprocessor chip labeled "UNIDEN UC-1147".
The Regency Electronics MX7000 Scanner reportedly scans Cellular Phones
without modification.
An additional scanner rumored to be modifiable is the Realistic Pro-32.
Another source of useful radio gear are "Export Only" manufacturers.
One of these is currently rumored to be offering a handheld cellular phone
that does it's own routing and has an operating radius of 160 kilometers!
CELLULAR PHONE FREQUENCIES:
Here are the frequency range assignments for Cellular Telephones:
Repeater Input (Phone transmissions) 825.03 - 844.98 Megahertz
Repeater Output (Tower transmissions) 870.03 - 889.98 Megahertz
There are 666 Channels. Phones transmit 45 MHz below the corresponding
Tower channel. The channels are spaced every 30 KHz.
CORDLESS PHONE FREQUENCIES:
It's also possible to hack the popular cordless phones. These use the 49MHz
band used by baby monitors and toy FM walkie talkies. Scanners can be used
to monitor these without modification, and FM handheld transceivers will
allow 2-way hacking of these frequencies, which some may find amusing.
Channel Handset Transmit Base Transmit
------- ---------------- -------------
1 49.67 46.61 (frequencies in Megahertz)
2 49.845 46.63
3 49.86 46.67
4 49.77 46.71
5 49.875 46.73
6 49.83 46.77
7 49.89 46.83
8 49.93 46.87
9 49.99 46.93
10 49.97 46.97
Business Update:
As of January 1989 there are legal maneuvers going on to lift the
ban on portable phones by traders at the NY Stock Exchange.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<EFBFBD> The DNA BOX - Striking at the Nucleus of Corporate Communications. <20>
<EFBFBD> A current project of... <20>
Outlaw
Telecommandos
<20><>ݳ<EFBFBD>޺<EFBFBD><DEBA>ݳ<EFBFBD>޳ݳ<DEB3>
<20><>ݳ<EFBFBD>޺<EFBFBD><DEBA>ݳ<EFBFBD>޳ݳ<DEB3>
<20>01-213-376-0111<31>
<20>Ŀ <20>Ŀ 3-FEB-89
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ<EFBFBD><CDBB><EFBFBD>
<20>Ķ THE DNA BOX <20><><EFBFBD>
<20><><EFBFBD><EFBFBD>Ķ Hacking Cellular Phones <20><><EFBFBD><EFBFBD>Ŀ
<20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ѽ <20><><EFBFBD>
<20><><EFBFBD> ' ` ' ` ' ` ' ` ' ` ' ` ' <20><><EFBFBD>
<EFBFBD> P A R T F O U R <20>
<EFBFBD> <20>
<EFBFBD> T H E N U M B E R O F T H E B E A S T <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Preliminary technical info about the AMPS (Advanced Mobile Phone System).
MOBILE TELEPHONE SWITCHING OFFICE (MTSO)
Cell Control Sites (Towers) are connected to the Mobile Telephone Switching
Office (MTSO) by a pair of 9600 baud data lines, one of which is a backup.
The MTSO routes calls, controls and coordinates the cell sites (especially
during handoffs as a mobile phone moves from one cell to another while a
call is in progress), and connects to a Central Office (CO) of the local
telephone company via voice lines.
There is some indication that an MTSO may be re-programmed and otherwise
hacked via standard phone lines using a personal computer/modem.
NUMERIC ASSIGNMENT MODULE (NAM)
There is a PROM chip in every cellular phone that holds the phone number (MIN)
assigned to it. This is the "Numerical Assignment Module" or NAM. Schematics
and block diagrams occasionally call this the "ID PROM". The NAM also
holds the serial number (ESN) of the cellular phone, and the system ID (SID)
of the mobile phone's home system.
By encoding new PROM chips (or re-programming EPROM chips) and swapping them
with the originals, a cellular phone can be made to take on a new identity.
It is possible to make a circuit board with a bank of PROMs that
plugs into the NAM socket, and allows quick switching between several
phone ID's. It's even feasible to emulate the behavior of a PROM with
dual-port RAM chips, which can be instantly updated by a laptop computer.
A photograph of a "BYTEK S1-KX NAM Multiprogrammer" suggests that this
"sophisticated piece of equipment" is merely a relabled generic PROM burner.
==============================================================================
MOBILE IDENTIFICATION NUMBER (MIN)
The published explanations of how to compute this number all contain
deliberate errors, probably for the purpose of thwarting phreaks and people
attempting to change the serial numbers and ID codes of stolen phones.
Even the arithmetic is wrong in some published examples!
Until the FCC/IEEE spec is available (a trip is planned to a university
engineering library) the following is almost certainly the way that MIN is
computed, taking into consideration how such codings are done elsewhere,
comparing notes and tables from a variety of sources, and using common sense.
A BASIC program (MIN.BAS) that computes MINs from phone numbers is being
distributed with this file.
There are two parts to the 34-bit MIN.
They are derived from a cellular phone number as follows:
-------------------------------------------------------------------
MIN2 - a ten bit number representing the area code.
Look up the three digits of area code in the following table:
Phone Digit: 1 2 3 4 5 6 7 8 9 0
Coded Digit: 0 1 2 3 4 5 6 7 8 9
(Or just add 9 to a digit and use the right digit of the result)
Then convert that number to a 10-digit binary number:
For example, for the (213) area code, MIN2 would be 102,
which expressed as a 10-digit binary number would be 0001100110.
Area Code = 213 (get Area Code)
102 (add 9 to each digit modulo 10, or use table)
MIN2 = 0001100110 (convert to binary)
---------------------------------------------------------------------------
MIN1 - a 24 bit number representing the 7-digit phone number.
The first ten bits of MIN1 are computed the same way as MIN2, only
the next 3 digits of the phone number are used.
The middle four bits of MIN1 are simply the fourth digit of the phone number
expressed in binary (Remember; a "0" becomes a "10").
The last next ten bits of MIN1 are encoded using the final three digits of
the phone number in the same way.
So, MIN1 for 376-0111 would be:
(get Phone Number) 376 0 111
(modify digits where appropriate) 265 (10) 000
(convert each part to a binary number) 0100001001 1010 0000000000
---------------------------------------------------------------------------
Thus the complete 34-bit Mobile Identification Number for (213)376-0111 is:
376 0 111 213
________ __ ________ ________
/ \/ \/ \/ \
MIN = 0100001001101000000000000001100110
\______________________/\________/
MIN1 MIN2
----------------------------------------------------------------------------
ELECTRONIC SERVICE NUMBER (ESN)
The serial number for each phone is encoded as a 32 bit binary number.
Available evidence suggests that the ESN is an 8-digit hexadecimal
number, which is encoded directly to binary:
Serial Number = 821A056F
Digits = 8 2 1 A 0 5 6 F
ESN = 0001 0001 0001 1010 0000 0101 0110 1111
Here is a table for converting Hexadecimal to Binary:
Hex Binary Hex Binary Hex Binary Hex Binary
--- ------ --- ------ --- ------ --- ------
0 0000 4 0100 8 1000 C 1100
1 0001 5 0101 9 1001 D 1101
2 0010 6 0110 A 1010 E 1110
3 0011 7 0111 B 1011 F 1111
----------------------------------------------------------------------------
SYSTEM IDENTIFICATION (SID)
A 15 bit binary number representing a mobile phone's home cellular system.
============================================================================
---------------------CELLULAR PHONE FREQUENCIES-----------------------------
Here, again, are the frequency range assignments for Cellular Telephones:
Repeater Input (Phone transmissions) 825.030 - 844.980 Megahertz
Repeater Output (Tower transmissions) 870.030 - 889.980 Megahertz
There are 666 Channels. Phones transmit 45 MHz below the corresponding
Tower channel. The channels are spaced every 30 KHz.
These channels are divided into "Nonwireline" (A) and "Wireline" (B) services.
Nonwireline (A) service uses the 825-835/870-880 frequencies (channels 1-333)
Wireline (B) service uses the 835-845/880-890 frequencies (channels 334-666)
A channel is either dedicated to control signals, or to voice signals.
Digital message streams are sent on both types of channels, however.
There are 21 control channels for each service.
Non-Wireline (A) control channels are located in the frequency ranges
834.39 - 834.99 and 879.39 - 879.99 (channels 312 - 333 )
Wireline (B) control channels are located in the frequency ranges
835.02 - 835.62 and 880.02 - 880.62 (channels 334 - 355)
The new 998 channel systems use 332 additional channels in the ranges
821-825/866-870 and 845-851/890-896.
Cell Control Sites (Towers) are connected to an MTSO (Mobile Telephone
Switching Office) which connects the cellular system to a Central Office (CO)
of a conventional telephone system.
Each Cell Control Site uses a maximum of 16 channels, up to 4 of which
may be control channels. There will always be at least 1 control channel
available in each cell. Cellular Towers are easily identified by the
flat triangular platforms at the top of the mast, with short vertical
antennas at each corner of the platform.
Most UHF Televisions and cable-ready VCR's are capable of monitoring
Cellular Phone channels. Try tuning between UHF TV channels 72 - 76 for
mobile phones, and between UHF TV channels 79 - 83 for towers.
-----------------------------------------------------------------------------
SUPERVISORY AUDIO TONE (SAT)
A mobile phone must be able to recognize and retransmit any of the
three audio frequencies used as SAT's.
These tones (and their binary codes) are:
(00) 5970 Hz
(01) 6000 Hz
(10) 6030 Hz
The SAT is used during signaling, but not during data transmission.
The binary codes are sent during data transmission to control which of the
SAT tones a mobile phone will be using.
Each cell site (or tower) uses only one of the three SATs. The mobile
transmitter returns that same SAT to the tower.
Tone recognition must take place within 250 milliseconds.
SIGNALING TONE (ST)
A 10 KHz tone is used for signaling by mobile phones during alert, handoff,
certain service requests, and diconnect.
DATA TRANSMISSION
Cellular Phones use a data rate of 10 Kilobits per second, and must be
accurate to within one bit per second.
Frequency Modulation (FM) is used for both voice and data transmissions.
Digital data is transmitted as an 8KHz frequency shift of the carrier.
A binary one is transmited as a +8KHz shift and a binary zero as a -8KHz
shift. NRZ (Non-Return to Zero) coding is used, which means that the carrier
is not shifted back to it's center frequency between transmitted binary bits.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<EFBFBD> The DNA BOX - Striking at the Nucleus of Corporate Communications. <20>
<EFBFBD> A current project of... <20>
Outlaw
Telecommandos
<20><>ݳ<EFBFBD>޺<EFBFBD><DEBA>ݳ<EFBFBD>޳ݳ<DEB3>
<20><>ݳ<EFBFBD>޺<EFBFBD><DEBA>ݳ<EFBFBD>޳ݳ<DEB3>
<20>01-213-376-0111<31>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ <20><><EFBFBD><EFBFBD>Ŀ 6-FEB-89
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ķ THE DNA BOX <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ķ Hacking Cellular Phones <20><><EFBFBD><EFBFBD>Ŀ
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ѽ <20><><EFBFBD>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>
P A R T F I V E
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
CELLULAR TELEPHONE SIGNALING FORMATS
===========================================================================
(RECC) Reverse Control Channel (mobile-to-tower on control channel)
RECC Message Format:
----------------------------------------------------------
Seizure Precursor:
Dotting (30 bits) 1010101010101010101010101010101
Word Sync (11 bits) 11100010010
DCC (7 bits) xxxxxxx Digital Color Code (DCC)
Received Coded
-------- -------
00 0000000
01 0011111
10 1100011
11 1111100
Message: (from one to five words in length)
First Word repeated 5 times (240 bits)
Second Word repeated 5 times (240 bits)
Third Word repeated 5 times (240 bits)
Fourth Word repeated 5 times (240 bits)
Fifth Word repeated 5 times (240 bits)
----------------------------------------------------------
There are 4 types of RECC messages:
Page Response Message
Origination Message
Order Confirmation Message
Order Message
These are composed of combinations of the following message words:
Abbreviated Address Word:
F (1bit) 1 (first word indicator)
NAWC (3 bits) xxx (number of additional words to send)
T (1 bit) x (0=response,1=origination/order)
S (1 bit) x (1=serial number will be sent)
E (1 bit) x (1=area will to be sent)
(1 bit) 0
SCM (4 bits) xxxx (station class mark)
MIN1 (24 bits) xxxxxxxxxxxxxxxxxxxxxxxxx (coded 7 digit phone number)
P (12 bits) xxxxxxxxxxxx (Parity)
Extended Address Word:
F (1 bit) 0
NAWC (3 bits) xxx
LOCAL (5 bits) xxxxx (local control - system specific)
ORDQ (3 bits) xxx (order qualifier)
ORDER (5 bits) xxxxx (order code)
LT (1 bit) x (1=last try)
(8 bits) 00000000
MIN2 (10 bits) xxxxxxxxxx (coded Area Code)
P (12 bits) xxxxxxxxxxxx
Serial Number Word:
F (1 bit) 0
NAWC (3 bits) xxx
SERIAL (32 bits) xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (serial number)
P (12 bits) xxxxxxxxxxxx
First Word of Called Address: [D1..D16 are the encoded digits]
F (1 bit) 0
NAWC (3 bits) xxx
D1 (4 bits) xxxx Table of Digit Codes:
D2 (4 bits) xxxx -----------------------------
D3 (4 bits) xxxx 1 0001 7 0111 NULL 0000
D4 (4 bits) xxxx 2 0010 8 1000
D5 (4 bits) xxxx 3 0011 9 1001
D6 (4 bits) xxxx 4 0100 0 1010
D7 (4 bits) xxxx 5 0101 * 1011
D8 (4 bits) xxxx 6 0110 # 1100
P (12 bits) xxxxxxxxxxxx
Second Word of Called Address:
F (1 bit) 0
NAWC (3 bits) 000
D9 (4 bits) xxxx (encoded digits, see above table)
D10 (4 bits) xxxx
D11 (4 bits) xxxx
D12 (4 bits) xxxx
D13 (4 bits) xxxx
D14 (4 bits) xxxx
D15 (4 bits) xxxx
D16 (4 bits) xxxx
P (12 bits) xxxxxxxxxxxx
===========================================================================
(RVC) Reverse Voice Channel (mobile-to-tower on voice channel)
RVC Message Format:
--------------------------------------------------------------
Dotting (101 bits) 101010101....101
Word Sync (11 bits) 11100010010
Repeat 1 Word 1 (48 bits) xxxxx ... xxxxx
Dot (37 bits) 1010101010101010101010101010101
Word Sync (11 bits) 11100010010
Repeat 2 Word 1 (48 bits) xxxxx ... xxxxx
. .
. . [same pattern of repetition]
. .
Dot (37 bits)
Word Sync (11 bits)
Repeat 5 word 1 (48 bits)
Dot (37 bits)
Word Sync (11 bits)
Repeat 1 Word 2 (48 bits)
Dot (37 bits)
Word Sync (11 bits)
Repeat 2 Word 2 (48 bits)
. .
. . [same pattern of repetition]
. .
Dot (37 bits) 1010101010101010101010101010101
Word Sync (11 bits) 11100010010
Repeat 5 word 2 (48 bits) xxxxx ... xxxxx
-----------------------------------------------------------
There are two kinds of RVC messages:
Order Confirmation Message
Called Address Message
----------
Order Confirmation Message Word:
F (1 bit) 1
NAWC (2 bits) 00
T (1 bit) 1
LOCAL (5 bits) xxxxx
ORDQ (3 bits) xxx
ORDER (5 bits) xxxxx
(19 bits) 0000000000000000000
P (12 bits) xxxxxxxxxxxx
---------
---------
Called Address Message, First Word:
F (1 bit) 1
NAWC (2 bits) 01
T (1 bit) 0
D1 (4 bits) xxxx
D2 (4 bits) xxxx
D3 (4 bits) xxxx
D4 (4 bits) xxxx
D5 (4 bits) xxxx
D6 (4 bits) xxxx
D7 (4 bits) xxxx
D8 (4 bits) xxxx
P (12 bits) xxxxxxxxxxxx
Called Address Message, Second Word:
F (1 bit) 1
NAWC (2 bits) 00
T (1 bit) 0
D9 (4 bits) xxxx
D10 (4 bits) xxxx
D11 (4 bits) xxxx
D12 (4 bits) xxxx
D13 (4 bits) xxxx
D14 (4 bits) xxxx
D15 (4 bits) xxxx
D16 (4 bits) xxxx
P (12 bits) xxxxxxxxxxxx
--------
===========================================================================
(FOCC) Forward Control Channel (tower-to-mobile on control channel)
FOCC Message Format:
--------------------------------------
Dotting (10 bits) b1010101010
Word Sync (11 bits) b11100010010
Repeat 1 word A (40 bits) bxxxxxxxxxxbxxxxxxxxxxbxxxxxxxxxxbxxxxxxxxxx
Repeat 1 word B (40 bits) A Busy/Idle Bit (b) is inserted
Repeat 2 word A (40 bits) at the beginning of Dotting and
Repeat 2 word B (40 bits) Word Sync, and every 10 bits
Repeat 3 word A (40 bits) during word repetitions beginning
Repeat 3 word B (40 bits) at the start of the first word.
Repeat 4 word A (40 bits) b=1 when the RCC is Idle.
Repeat 4 word B (40 bits) b=0 when the RCC is Busy.
Repeat 5 word A (40 bits)
Repeat 5 word B (40 bits) bxxxxxxxxxxbxxxxxxxxxxbxxxxxxxxxxbxxxxxxxxxx
Dotting (10 bits) b1010101010
-------------------------------------
There are three types of FOCC messages:
Mobile Station Control Message
Overhead Message
Control-filler Message
Mobile Station Control Message: (one,two or four words)
------------------------------
Abbreviated Address Word:
TT (2 bits) 0x (00=if one word sent, 01=if multiple words sent)
DCC (2 bits) xx Digital Color Code
MIN1 (24 bits) xxxxxxxxxxxxxxxxxxxxxxxx
P (12 bits) xxxxxxxxxxxx
Extended Address Word: (two versions of this word occur)
----------------------------- -----------------------------
TT (2 bits) 10 TT (2 bits) 10
SCC (2 bits) 11 SCC (2 bits) xx [not=11]
MIN2 (10 bits) xxxxxxxxxx MIN2 (10 bits) xxxxxxxxxx
(1 bit) 0 (1 bit) 0
LOCAL (5 bits) xxxxx VMAC (3 bits) xxx (attenuation code)
ORDQ (3 bits) xxx CHAN (11 bits) xxxxxxxxxxx (channel number)
ORDER (5 bits) xxxxx P (12 bits) xxxxxxxxxxxx
P (12 bits) xxxxxxxxxxxx
First Directed-Retry Word:
TT (2 bits) 10
SCC (2 bits) 11 SAT Color Code
CHANPOS (7 bits) xxxxxxx channel position relative to first access channel
CHANPOS (7 bits) xxxxxxx
CHANPOS (7 bits) xxxxxxx
(3 bits) 000
P (12 bits) xxxxxxxxxxxx
Second Directed-Retry Word:
TT (2 bits) 10
SCC (2 bits) 11
CHANPOS (7 bits) xxxxxxx
CHANPOS (7 bits) xxxxxxx
CHANPOS (7 bits) xxxxxxx
(3 bits) 000
P (12 bits) xxxxxxxxxxxx
-------------------------------
-------------------------------
Overhead Messages:
System Parameter Overhead Message:
Global Action Overhead Message:
Registration Identification Message:
Control-filler Message:
System Parameter Overhead Message:
----------------------------------
System Parameter Word 1:
TT (2 bits) 11
DCC (2 bits) xx
(3 bits) 000
NAWC (4 bits) xxxx
OHD (3 bits) 110 (overhead message type)
P (12 bits) xxxxxxxxxxxx
System Parameter Word 2:
TT (2 bits) 11
DCC (2 bits) xx
S (1 bit) x (serial number flag)
E (1 bit) x (extended address flag)
REGH (1 bit) x (registration for home stations)
REGR (1 bit) x (registration for roaming stations)
DTX (1 bit) x (discontinuous transmission flag)
(1 bit) 0
N-1 (5 bits) xxxxx (number of paging channels in system minus 1)
RCF (1 bit) x (read-control-filler flag)
CPA (1 bit) x (combined paging/access flag)
CMAX-1 (1 bit) x (number of access channels in system minus 1)
END (1 bit) x (1=last word of overhaed message train)
OHD (3 bits) 111
P (12 bits) xxxxxxxxxxxx
-------------------------------
-------------------------------
Global Action Overhead Messages:
Rescan Global Action Message:
TT (2 bit) 11
DCC (2 bits) xx
ACT (4 bits) 0001
(16 bits) 0000000000000000
END (1 bit) x
OHD (3 bits) 100
P (12 bits) xxxxxxxxxxxx
Registration Increment Global Action Message:
TT (2 bits) 11
DCC (2 bits) xx
ACT (4 bits) 0010
REGINCR (12 bits) xx (registration increment)
(4 bits) 0000
END (1 bits) xx
OHD (3 bits) 100
P (12 bits) xx
New Access Channel Set Global Action Message:
TT (2 bits) 11
DCC (2 bits) xx
ACT (4 bits) 0110
NEWACC (11 bits) xxxxxxxxxxx (new access channel starting point)
(4 bits) 0000
END (1 bit) x
OHD (3 bits) 100
P (12 bits) xxxxxxxxxxxx
Overload Control Global Action Message:
TT (2 bits) 11
DCC (2 bits) xx
ACT (4 bits) 1000
OLCD0 (1 bit) x (overload class flags)
OLCD2 (1 bit) x
OLCD3 (1 bit) x
OLCD4 (1 bit) x
OLCD5 (1 bit) x
OLCD6 (1 bit) x
OLCD7 (1 bit) x
OLCD8 (1 bit) x
OLCD9 (1 bit) x
OLCD10 (1 bit) x
OLCD11 (1 bit) x
OLCD12 (1 bit) x
OLCD13 (1 bit) x
OLCD14 (1 bit) x
OLCD15 (1 bit) x
END (1 bit) x
OHD (3 bits) 100
P (12 bits) xxxxxxxxxxxx
Access Type Paramters Global Action Message:
TT (2 bits) 11
DCC (2 bits) xx
ACT (4 bits) 1001
BIS (1 bit) x (busy/idle status flag)
(15 bits) 000000000000000
END (1 bit) x
OHD (3 bits) 100
P (12 bits) xxxxxxxxxxxx
Access Attempt Parameters Global Action Message:
TT (2 bits) 11
DCC (2 bits) xx
ACT (4 bits) 1010
MAXBUSY-PGR (4 bits) xxxx (maximum busy occurrences, page response)
MAXSZTR-PGR (4 bits) xxxx (maximum seizure tries, page response)
MAXBUSY-OTHER (4 bits) xxxx (maximum busy occurrences, other accesses)
MAXSZTR-OTHER (4 bits) xxxx (maximum seizure tries, other accesses)
END (1 bits) x
OHD (3 bits) 100
P (12 bits) xxxxxxxxxxxx
Local Control 1 Message:
TT (2 bits) 11
DCC (2 bits) x
ACT (4 bits) 1110
LOCAL CONTROL (16 bits) xxxxxxxxxxxxxxxx (any local control code)
END (1 bits) x
OHD (3 bits) 100
P (12 bits) xxxxxxxxxxxx
Local Control 2 Message:
TT (2 bits) 11
DCC (2 bits) xx
ACT (4 bits) 1111
LOCAL CONTROL (16 bits) xxxxxxxxxxxxxxxx
END (1 bits) x
OHD (3 bits) 100
P (12 bits) xxxxxxxxxxxx
-------------------------------
Registration Identification Message:
TT (2 bits) 11
DCC (2 bits) xx
REGID (20 bits) xxxxxxxxxxxxxxxxxxxx (registration ID)
END (1 bit) x
OHD (3 bits) 000
P (12 bits) xxxxxxxxxxxx
------------------------------------
Control-Filler Message:
TT (2 bits) 11
DCC (2 bits) xx
(6 bits) 010111
CMAC (3 bits) xxx (current mobile attenuation)
(7 bits) 0011001
WFOM (1 bit) x (wait for overhead message)
(4 bits) 1111
OHD (3 bits) 001
P (12 bits) xxxxxxxxxxxx
===========================================================================
(FVC) Forward Voice Channel: (tower-to-mobile on voice channel)
FVC Message Format: * BUSY/IDLE bits are inserted into FVC messages in a
format similar to that of FOCC messages)
--------------------------------------------------------------
Dotting (101 bits) 101010101...101
Word Sync (11 bits) 11100010010
Repeat 1 Word (40 bits) xxxxx...xxxxx
Dot (37 bits) 1010101010101010101010101010101
Word Sync (11 bits) 11100010010
Repeat 2 Word (40 bits) xxxxx...xxxxx
Dot (37 bits)
Word Sync (11 bits)
Repeat 3 Word (40 bits)
. .
. . [same pattern of repetition]
. .
Dot (37 bits) 1010101010101010101010101010101
Word Sync (11 bits) 11100010010
Repeat 11 Word (40 bits) xxxxx...xxxxx
-----------------------------------------------------------
There is only kind of FVC message:
Mobile Station Control Message:
Mobile Station Control Word: (two versions of this word occur)
----------------------------- -----------------------------
TT (2 bits) 10 TT (2 bits) 10
PSCC (2 bits) xx PSCC (2 bits) xx (present SAT code)
(9 bits) 000000000 (9 bits) 000000000
LOCAL (5 bits) xxxxx VMAC (3 bits) xxx (attenuation code)
ORDQ (3 bits) xxx CHAN (11 bits) xxxxxxxxxxx (channel number)
ORDER (5 bits) xxxxx P (12 bits) xxxxxxxxxxxx
P (12 bits) xxxxxxxxxxxx
===========================================================================
* See Part Six for information describing various codes used in message
word fields.
===========================================================================
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<EFBFBD> The DNA BOX - Striking at the Nucleus of Corporate Communications. <20>
<EFBFBD> A current project of... <20>
Outlaw
Telecommandos
<20><>ݳ<EFBFBD>޺<EFBFBD><DEBA>ݳ<EFBFBD>޳ݳ<DEB3>
<20><>ݳ<EFBFBD>޺<EFBFBD><DEBA>ݳ<EFBFBD>޳ݳ<DEB3>
<20>01-213-376-0111<31>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 9-FEB-89
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ķ THE DNA BOX <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ķ Hacking Cellular Phones <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ѽ
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
P A R T S I X
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
CELLULAR TELEPHONE MESSAGE CODES
============================================================================
The previous file (Part Five) listed the Message Formats and Message Words
used by the Cellular Telephone system. Message words have variable
sub-fields that are set to convey various information (such as dialed
numbers, mobile phone ID, commands, requests, channel assignments etc.).
Here are the codes used in Message Word subfields during data transmissions.
============================================================================
Mobile Station Automatic Attenuation Levels
Mobile Attenuation Code (MAC)
Power Classifications
MAC I II III Nominal ERP Power Outputs
--- --- --- --- Class ERP Level
000 6 2 -2 --------- ---- --------
001 2 2 -2 Class I 4W ( 6 dBW)
010 -2 -2 -2 Class II 1.6W ( 2 dBW)
011 -6 -6 -6 Class III 0.6W (-2 dBW)
100 -10 -10 -10
101 -14 -14 -14
110 -18 -18 -18
111 -22 -22 -22
(Attenuation in dBW)
=========================================================
Station Class Mark (SCM)
SCM Station Class, Transmission
---- ----------------------------
xx00 Class I
xx01 Class II
xx10 Class III
00xx Continuous Transmissions
01xx Discontinuous Transmissions
(for example 0010 means Class I Continuous Transmissions)
=========================================================
Digital Color Code (DCC)
Received Coded
-------- -------
00 0000000
01 0011111
10 1100011
11 1111100
=======================================
SAT Color Code (Supervisory Audio Tone)
Code Frequency
---- ---------
00 5970 Hz
01 6000 Hz
10 6030 Hz
11 (not a channel designation)
====================================
Digit Code (for dialed numbers etc.)
Digit Code
----- ----
1 0001
2 0010
3 0011
4 0100
5 0101
6 0110
7 0111
8 1000
9 1001
0 1010 (zero is encoded as a binary ten)
* 1011
# 1100
Null 0000 (when no digit present)
===================================
Order and Qualification Codes
Order Qual Function
----- --- ---------------------
00000 000 page (or origination)
00001 000 alert
00011 000 release
00100 000 reorder
00110 000 stop alert
00111 000 audit
01000 000 send called-address
01001 000 intercept
01010 000 maintenance
01011 000 change to power level 0
01011 001 change to power level 1
01011 010 change to power level 2
01011 011 change to power level 3
01011 100 change to power level 4
01011 101 change to power level 5
01011 110 change to power level 6
01011 111 change to power level 7
01100 000 directed retry - not last try
01100 001 directed retry - last try
01101 000 non-autonomous registration - do not make whereabouts known
01101 001 non-autonomous registration - make whereabouts known
01101 010 autonomous registration - do not make whereabouts known
01101 011 autonomous registration - make whereabouts known
11110 000 local control
(All other codes are reserved)
==============================================================
Overhead Message Type
Code Order
---- ------------------
000 registration ID
001 control-filler
010 (reserved)
011 (reserved)
100 global action
101 (reserved)
110 word 1 of system parameter message
111 word 2 of system parameter message
=======================================
Global Action Message Types
Code Action Type
---- -----------
0000 (reserved)
0001 rescan paging channels
0010 registration increment
0011 (reserved)
0010 (reserved)
0011 (reserved)
0100 (reserved)
0101 (reserved)
0110 new access channel set
0111 (reserved)
1000 overload control
1001 access type parameters
1010 access attempt parameters
1011 (reserved)
1100 (reserved)
1101 (reserved)
1110 local control 1
1111 local control 2
====================================================================
Restricted Central Office Codes.
Cellular phone numbers are NEVER issued with these patterns in order
to prevent Word Sync patterns from occuring inside a command word.
1xx-xxxx 544-2xxx 864-2xxx
224-2xxx 568-1xxx thru 568-7xxx 899-xxxx
288-2xxx 595-8xxx thru 595-0xxx 800-xxxx
339-8xxx thru 339-0xxx 663-xxxx thru 666-xxxx 928-2xxx
352-xxxx 672-2xxx 992-2xxx
416-2xxx 736-2xxx 909-xxxx
470-2xxx 790-2xxx 0xx-xxxx
508-2xxx 851-8xxx thru 851-0xxx
=====================================================================
Bose-Chaudhuri-Hocquenghem (BCH) Codes
Right now the best GUESS, based on available material, is that BCH coding
is the way that the 12 bit Parity field is computed.
The "polynomial" that generates the code is given as:
12 10 8 5 4 3 0
gB(X)= X + X + X + X + X + X + X
Taking this verbatim in the usual way (superscripts meaning exponentiation)
gives ridiculous results that would be difficult to compute at the
10 Kb/s data rate required by the Cellular Data Protocol. It makes more sense
to interpret this notation to indicate that the bits of the message word are
summed (in binary) in 12, 10, 8, 5, 4, and 3 bit bytes with 1 added.
That is: the word is broken up into a bunch of sub-bytes of a certain length,
these are added together, the original word is again broken into sub-bytes of
the next length and those are summed ... until all listed lengths have been
summed. THEN all of those sums are summed and 1 is added. The low order
12 bits of the results of this procedure are used as the parity bits.
THIS IS ALMOST PURE SPECULATION. Confirmation is currently being sought at
university engineering libraries, or by examining the parity bits in
published examples or intercepted cellular messages.
The Parity bits are irrelevant to hacking Cellular ID codes however, because
message words are repeated many times in each message block, and the ID
fields (MIN1, MIN2, and SID) can simply be lifted from the most
frequent (and most likely error-free) message words in the block.
HOWEVER: If BCH coding transforms the message bits as well as the Parity
bits then the proper BCH coding algorithm becomes critical. If all else fails,
diassembling the ROM firmware from a Cellular Phone should be conclusive.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
<EFBFBD> The DNA BOX - Striking at the Nucleus of Corporate Communications. <20>
<EFBFBD> A current project of... <20>
Outlaw
Telecommandos
<20><>ݳ<EFBFBD>޺<EFBFBD><DEBA>ݳ<EFBFBD>޳ݳ<DEB3>
<20><>ݳ<EFBFBD>޺<EFBFBD><DEBA>ݳ<EFBFBD>޳ݳ<DEB3>
<20>01-213-376-0111<31>

Reference in New Issue Copy Permalink