220 lines
7.7 KiB
Plaintext
220 lines
7.7 KiB
Plaintext
煇曺陳陳陳陳陳陳陳<E999B3> 敖陳陳陳陳陳陳煇<E999B3> 9-FEB-89
|
||
浜詫様詫詫詫詫詫詫詫詫詫詫<E8A9AB> 敖陳陳陳艇煇
|
||
煇曺陳陳陳陳陳陳陳<E999B3> THE DNA BOX 把陳潰 敖陳陳陳陳煇<E999B3>
|
||
煇曺陳陳陳陳陳陳陳超 Hacking Cellular Phones 把陳陳潰
|
||
煩用用用用用用用用様用用用<E794A8>
|
||
煇曺陳陳陳陳陳陳陳陳陳<E999B3> 青陳陳陳陳陳陳陳陳陳艇煇
|
||
P A R T S I X
|
||
敖陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳朕
|
||
|
||
CELLULAR TELEPHONE MESSAGE CODES
|
||
============================================================================
|
||
The previous file (Part Five) listed the Message Formats and Message Words
|
||
used by the Cellular Telephone system. Message words have variable
|
||
sub-fields that are set to convey various information (such as dialed
|
||
numbers, mobile phone ID, commands, requests, channel assignments etc.).
|
||
|
||
Here are the codes used in Message Word subfields during data transmissions.
|
||
|
||
============================================================================
|
||
Mobile Station Automatic Attenuation Levels
|
||
|
||
Mobile Attenuation Code (MAC)
|
||
Power Classifications
|
||
MAC I II III Nominal ERP Power Outputs
|
||
--- --- --- --- Class ERP Level
|
||
000 6 2 -2 --------- ---- --------
|
||
001 2 2 -2 Class I 4W ( 6 dBW)
|
||
010 -2 -2 -2 Class II 1.6W ( 2 dBW)
|
||
011 -6 -6 -6 Class III 0.6W (-2 dBW)
|
||
100 -10 -10 -10
|
||
101 -14 -14 -14
|
||
110 -18 -18 -18
|
||
111 -22 -22 -22
|
||
(Attenuation in dBW)
|
||
=========================================================
|
||
|
||
Station Class Mark (SCM)
|
||
|
||
SCM Station Class, Transmission
|
||
---- ----------------------------
|
||
xx00 Class I
|
||
xx01 Class II
|
||
xx10 Class III
|
||
|
||
00xx Continuous Transmissions
|
||
01xx Discontinuous Transmissions
|
||
|
||
(for example 0010 means Class I Continuous Transmissions)
|
||
=========================================================
|
||
|
||
Digital Color Code (DCC)
|
||
Received Coded
|
||
-------- -------
|
||
00 0000000
|
||
01 0011111
|
||
10 1100011
|
||
11 1111100
|
||
=======================================
|
||
|
||
SAT Color Code (Supervisory Audio Tone)
|
||
|
||
Code Frequency
|
||
---- ---------
|
||
00 5970 Hz
|
||
01 6000 Hz
|
||
10 6030 Hz
|
||
11 (not a channel designation)
|
||
====================================
|
||
|
||
Digit Code (for dialed numbers etc.)
|
||
Digit Code
|
||
----- ----
|
||
1 0001
|
||
2 0010
|
||
3 0011
|
||
4 0100
|
||
5 0101
|
||
6 0110
|
||
7 0111
|
||
8 1000
|
||
9 1001
|
||
0 1010 (zero is encoded as a binary ten)
|
||
* 1011
|
||
# 1100
|
||
Null 0000 (when no digit present)
|
||
===================================
|
||
|
||
Order and Qualification Codes
|
||
|
||
Order Qual Function
|
||
----- --- ---------------------
|
||
00000 000 page (or origination)
|
||
00001 000 alert
|
||
00011 000 release
|
||
00100 000 reorder
|
||
00110 000 stop alert
|
||
00111 000 audit
|
||
01000 000 send called-address
|
||
01001 000 intercept
|
||
01010 000 maintenance
|
||
|
||
01011 000 change to power level 0
|
||
01011 001 change to power level 1
|
||
01011 010 change to power level 2
|
||
01011 011 change to power level 3
|
||
01011 100 change to power level 4
|
||
01011 101 change to power level 5
|
||
01011 110 change to power level 6
|
||
01011 111 change to power level 7
|
||
|
||
01100 000 directed retry - not last try
|
||
01100 001 directed retry - last try
|
||
|
||
01101 000 non-autonomous registration - do not make whereabouts known
|
||
01101 001 non-autonomous registration - make whereabouts known
|
||
01101 010 autonomous registration - do not make whereabouts known
|
||
01101 011 autonomous registration - make whereabouts known
|
||
|
||
11110 000 local control
|
||
|
||
(All other codes are reserved)
|
||
==============================================================
|
||
|
||
Overhead Message Type
|
||
|
||
Code Order
|
||
---- ------------------
|
||
000 registration ID
|
||
001 control-filler
|
||
010 (reserved)
|
||
011 (reserved)
|
||
100 global action
|
||
101 (reserved)
|
||
110 word 1 of system parameter message
|
||
111 word 2 of system parameter message
|
||
=======================================
|
||
|
||
Global Action Message Types
|
||
|
||
Code Action Type
|
||
---- -----------
|
||
0000 (reserved)
|
||
0001 rescan paging channels
|
||
0010 registration increment
|
||
0011 (reserved)
|
||
0010 (reserved)
|
||
0011 (reserved)
|
||
0100 (reserved)
|
||
0101 (reserved)
|
||
0110 new access channel set
|
||
0111 (reserved)
|
||
1000 overload control
|
||
1001 access type parameters
|
||
1010 access attempt parameters
|
||
1011 (reserved)
|
||
1100 (reserved)
|
||
1101 (reserved)
|
||
1110 local control 1
|
||
1111 local control 2
|
||
====================================================================
|
||
|
||
Restricted Central Office Codes.
|
||
Cellular phone numbers are NEVER issued with these patterns in order
|
||
to prevent Word Sync patterns from occuring inside a command word.
|
||
|
||
1xx-xxxx 544-2xxx 864-2xxx
|
||
224-2xxx 568-1xxx thru 568-7xxx 899-xxxx
|
||
288-2xxx 595-8xxx thru 595-0xxx 800-xxxx
|
||
339-8xxx thru 339-0xxx 663-xxxx thru 666-xxxx 928-2xxx
|
||
352-xxxx 672-2xxx 992-2xxx
|
||
416-2xxx 736-2xxx 909-xxxx
|
||
470-2xxx 790-2xxx 0xx-xxxx
|
||
508-2xxx 851-8xxx thru 851-0xxx
|
||
=====================================================================
|
||
Bose-Chaudhuri-Hocquenghem (BCH) Codes
|
||
|
||
Right now the best GUESS, based on available material, is that BCH coding
|
||
is the way that the 12 bit Parity field is computed.
|
||
|
||
The "polynomial" that generates the code is given as:
|
||
|
||
12 10 8 5 4 3 0
|
||
gB(X)= X + X + X + X + X + X + X
|
||
|
||
|
||
Taking this verbatim in the usual way (superscripts meaning exponentiation)
|
||
gives ridiculous results that would be difficult to compute at the
|
||
10 Kb/s data rate required by the Cellular Data Protocol. It makes more sense
|
||
to interpret this notation to indicate that the bits of the message word are
|
||
summed (in binary) in 12, 10, 8, 5, 4, and 3 bit bytes with 1 added.
|
||
That is: the word is broken up into a bunch of sub-bytes of a certain length,
|
||
these are added together, the original word is again broken into sub-bytes of
|
||
the next length and those are summed ... until all listed lengths have been
|
||
summed. THEN all of those sums are summed and 1 is added. The low order
|
||
12 bits of the results of this procedure are used as the parity bits.
|
||
THIS IS ALMOST PURE SPECULATION. Confirmation is currently being sought at
|
||
university engineering libraries, or by examining the parity bits in
|
||
published examples or intercepted cellular messages.
|
||
|
||
The Parity bits are irrelevant to hacking Cellular ID codes however, because
|
||
message words are repeated many times in each message block, and the ID
|
||
fields (MIN1, MIN2, and SID) can simply be lifted from the most
|
||
frequent (and most likely error-free) message words in the block.
|
||
|
||
HOWEVER: If BCH coding transforms the message bits as well as the Parity
|
||
bits then the proper BCH coding algorithm becomes critical. If all else fails,
|
||
diassembling the ROM firmware from a Cellular Phone should be conclusive.
|
||
|
||
敖陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳<EFBFBD>
|
||
<EFBFBD> The DNA BOX - Striking at the Nucleus of Corporate Communications. <20>
|
||
<EFBFBD> A current project of... <20>
|
||
|
||
Outlaw
|
||
Telecommandos
|
||
些欒笠些毫崖浤欒<E6B5A4>
|
||
些欒笠些毫崖浤欒<E6B5A4>
|
||
<20>01-213-376-0111<31>
|
||
|
||
Downloaded From P-80 International Information Systems 304-744-2253
|