====================================================

            Stargate's Cell Hackers Journal

                   Vol 94.11 NOV,1994

====================================================


   "Of course, our system guarantees a fast, clear, secure connection"

                                         -Cell 1 sales dweeb


   Well, due to some small demand, here's the first issue of a mag
dedicated to exploring the ins and outs of cell phones. I'll try to
be as simple as I can and won't dwell on the irrelevancies of how
the cells operate, just basically genuine hacking information, some
of which I will gather from tech manuals and actual testing. Now
granted I'm just a hobbyist, and it is not my intent for this
information to be used in any illegal manner, especially by any
persons attempting to defraud any cellular company, and any of the
other illegal shit that goes along with that. I am looking for any
authors (cuz I sure as shit don't know everything!) to contribute to
this spread of forbidden knowledge. I intend to send out this mag at
least quarterly, or whenever information of great importance is
presented, so the size of these texts may vary greatly. What I'd
really like to include is some back door test modes for *any* fonez,
especially the ESN modification type.
   I would like to say thanx to everyone who encouraged me and got me
started in this great form of technology. And I will strive to keep
the information as correct as possible, but 'member I can't test
everything; if it sounds logical and can be done, then I'll present
it here for your approval. If ya have any text ya want to send, or
any comments, please email me at TECHMAN@ANON.PENET.FI (until I get
a real internet account!). Enjoy *


-----------------------------------------------------------------


I. The Software Question (for popular Motorola fones)


   The most popular fone among the hackers is obviously the Motorola
MicroTAC, or "flip fone" (so called for its flip-down microphone).
Early in the cell game a ware was released by Cellular Press (a.k.a.
Spy Supply) which could mod all of the Motorolas using a simple
home-made cable and a PC. Well, as time went on and Motorola wanted
to add more features and better handling of the hardware, they
started to change the firmware of the fones to accommodate the
changes, and along with the changes came an inability of the
software to modify the ESN data of these fones. Thus other ways had
to be implemented. One such method was a firmware replacement. This
was an easy chore for the bags and totes, but a pain in the ass for
the flips: the bags and totes used the regular DIP package 27C512
PROM, while the equivalent on the flips was in a PLCC surface mount
package, which could only be removed with real skill and some
expensive soldering equipment, not to mention reprogramming an
EPROM/PROM of the same type and then replacing it. Now anyone (like
me) who has popped open one of those flip fones knows how crappy
that method is; you risk destroying your fone and losing some of
the features.
   Well, HTH came out with a "trick clip" which consisted of a PLCC
test socket and a reprogrammed chip. This procedure still required
you to disable the firmware on yer fone by cutting a trace (*ouch),
sticking the trick clip on the chip, jumpering a pin on the socket
to a place on the board, and then attaching your cable and using
the old ware. Still, this was a tedious, expensive (HTH wanted $295
for the clip) and dangerous procedure, and with certain fone revs
it sometimes didn't work.
   As time went on and the demand to do these phones grew, software
solutions began to emerge. One was called TRANS-2 and/or MPC, a
package available from C.G.C (California Grapevine Communications);
this package was also available from a company called Cellsoft.
Both houses sold the ware for a ridiculous $700 and protected it
against copying by making it dependent on a dongle to operate.
Well, after talking to C.G.C about the software, and basically
getting the brushoff from Cellsoft (they may be another Spy Supply
house), the MPC/TRANS-2 ware was described as "horrible and buggy"
by Greg at C.G.C (the guy with the British accent). Well, the
package was purchased and is now being distributed in its uncracked
state to various crack groups for repair ;), but this has either
proved a challenge for the guys, or they have been reduced to money
grubbers by re-selling the packages. In my opinion these are the
lowest of lamers; there's nothing worse than a thief of thieves.
   As a point of ID, if you can get your hands on the old style flip
fone (which was usually tan in color and had a membrane keyboard),
these are readily moddable, having a firmware rev up to 9012.
   Now there's one last ware out there that's supposed to be the
most reliable of the ones to mod the new fones (up to 9340); it's
called AMPS/G2. This is now being sold by C.G.C for $700 and is now
floating around the internet waiting to be cracked. (Sorry Greg,
but your price is ridiculous.) I recently emailed DrDamien for some
new info on modding the new stuff, and found out from him that some
places are selling firmware/cable kits for $50, which is not a big
bite at all. Now he didn't go into detail on what they were: whether
they were the old firmware switch (mentioned above, which in some
instances caused yer fone to power up saying "loaner" and disabled
all your cool functions, like storage and other shit), or the firms
that take advantage of the "Identity Transfer" function of these
fones. Simply put, that function transfers one fone's NAM/ESN data
to another fone by executing a #66 and #69 (see the MOTCODEZ.TXT
file) on each fone: one is called the LOADER fone (contains the new
info) and the other the TARGET fone (the fone to get the goodies).
This is proven to work with ALL Motorola fones, even the new 94F
firmware series.
   C.G.C offers a package consisting of a LOADER fone with special
firmware, plus a cable with a switch, for $995. From what I've heard
this is a nice setup, but way too expensive; remember the true idea
of cloning is to *SAVE the user money by having two lines on one
bill, and $1000 bux is just not cost effective now, maybe over a
few years perhaps. But you know how the underground works: as soon
as someone gets one, they'll copy the firmware, dissect the cable
and u/l the info to yer local site. (I'm waiting to see it!)


   Nonetheless there are some (expensive) options for those who wish
to master the new Motorola fones; it's just a matter of what purpose
and how often you will use it. Now for those who wish to open your
own cell-fone cloning house, good luck, laws are developing as you
read this to outlaw that (you didn't honestly think that they would
continue to allow that), and if you can justify spending the $1000
for the loader fone (the most reliable way to date), then more
power to ya. As for us regular hackers, who want to learn more
about these, that's outrageous. You'll be better off getting one
legit. (*shudder) (tm).


   * Also note, the roaming scam is almost non-existent now. This
method consisted of changing the ESN/MIN to a bogus out-of-state
number, then making a call; since a roamer's subscriber info could
not be validated in real time, the first call would go through, but
subsequent calls would be blocked until this information was changed
again. Thus someone developed a "tumbler fone" which changed this
info to some random value before each call was placed. This drove
the cellcos and Fedz nutz, so now they simply forward your call to a
special cell provider who lets you make your call using a credit
card or collect, usually at a ridiculous rate, i.e. $2.00 per
minute. (Some allow calling cards.)


-----------------------------------------------------------------

II. What does the Cellwarez do?


   Cell Software Review (just the old stuff that's out, cuz there is
some confusion on what can do what.)


Cellsoft.zip ... This is the original stuff that was sold as a
                 package from Cellular Press, a.k.a. Spy Supply. It
                 was priced at $500 and now can be yanked from any
                 good H/P board. It contains the warez to do the
                 Motorolas, Panasonics and NEC p300/301/200/201/400.

Newphones.arj .. This package is the Shareware (?!?!) release of
                 Cellular Press's modding ware. It contains all the
                 files aforementioned plus wiring diagrams, and some
                 warez to do NEC 9A/11A, Nokias, Tandy, R-Shacks and
                 Mitsubishi MT3/MT4. An interesting note about this
                 one is that it asks you to upload it to various
                 BBSs and then call them (Robert Carp) and narc em
                 out to receive registration (?!?) and more info on
                 their services; maybe they feel guilty for screwing
                 all those folks around. * Also contains ROMs from
                 the old firms of MOT phones for the ESN replacement
                 technique.

UNICHIP.ZIP .... This is another package containing modding wares
                 for the MOTs/NECs/PANs, but this one also contains
                 new software for doing the p400/401/600/601 firms
                 before and after V.34, offered by Unisoft. Also has
                 wiring diagrams for building the cables.

UNICELL.EXE .... Another package similar to UNICHIP.ZIP, except this
                 one contains a better checksum calculator for
                 programming the 9346-16911 serial EEPROM, and does a
                 larger variety of fones (Sony/Phillips/Nokia/
                 Cleartone/Novatel/Mobira).

A-Z.zip ........ C.G.C's intensive programming guide for 110+
                 cellfones. Also has some (little) information on
                 back door test modes and other goodies, such as a
                 definition file and a FAQ on ESN emulation.

Cellmon.zip .... Now this one is interesting; it seems to want to
                 interface with a MOT MicroTAC and supposedly scans
                 the channels to monitor the frequency. This also
                 may be a simple form of a DDi (Digital Data
                 Interface), which is used to read the RCC (reverse
                 control channel). *The RCC is the channel the fone
                 uses to signal the tower; the ESN/MIN/SCM data is
                 xfered over this chan whenever the fone registers
                 or places a call.


Honorable Mention: P3tst001.txt, a text on the test commands for the
                   NEC p300/301/600/601/400/401 phones, includes
                   instructions for ESN modification; NOVATEL1.TXT,
                   this file has information for modding the Novatel
                   83XX series fone, including changing the ESN info
                   (*warning, can only be done 3 times); OKITEST.TXT,
                   this is a listing of test commands for the OKI
                   series fones, which is considered to be a "HACKER
                   PHONE!"; MOTCODEZ.TXT, a file which has the current
                   test mode commands on Motorola phones.


-------------------------------------------------------------

III. Current Mod-ible fones


   This is a short list of the phones that can currently be altered
(ESN-wise, that is). If I come up short on this, please by all means
let me know what fones can be altered and how, but this list is
comprised mostly of the ones I modded personally. The purpose of
this list is for those of you who are out trying to buy a cellfone
and wanna know which ones can be used. There's a shitload of fones
out there that *can't be modified currently; the big ones are the
Audiovoxes (new). Judging by the programming and ICs in the phone,
Audiovox's engineers were overly security conscious, but as you
well know this may and will change as new ways of exploiting the
technology become evident.


   Currently Moddable                 HOW
   ==================                 ===
   Motorola BAG*                      Cable, Software
   Motorola FLIP*                     Cable, Software
   Motorola Brick*                    Cable, Software
   Panasonic D,E,F,G,H                Cable, Software
   NEC p300/301/600/601/400/401       Cable, Software
   Nokia (all)                        Chip Removal
   NEC 11/9a                          Cable, Software
   Novatel (83XX)                     Keyboard/ROM
   Mitsubishi MT3/MT4                 Chip Removal
   Sony CM-H333                       Chip Removal
   Phillips PR-92                     Chip Removal
   Nokia 100/190                      Chip Removal
   BT / Ivory                         Chip Removal
   Novatel 4400                       Chip Removal
   Cityman 100                        Chip Removal
   Ameritech (Motorola)               Cable, Software

   NOTES: * indicates that new software or a new method is needed to
mod fones with firmware revs higher than 9122. Chip removal refers
to removing the 9346-16911 serial EEPROM and programming it with the
Unichip and Unicell software.


---------------------------------------------------------------

IV. How to get ESN/MIN pairs, the magic stuff


   Now, methods for obtaining this valuable information vary; I'll
give you a few personal examples on how I was able to get some
pairs. One method (which was low-risk and cheap) was to do the old
infamous trashing. I cased out a local cell provider branch office,
found out what their days/hours of operation were, snooped and asked
some questions on how they deal with fraud (social engineering
skills were needed of course), to which the only answer they could
provide was "oh, well if you didn't make the calls, we will not
require you to pay for them, and we'll change your number", which
gave me two good pieces of information: 1, they just chalk it up to
loss to appease the customers, and 2, they don't give a fuck about
finding out who made the calls. Now that was good to hear, so on
the day before trash collection I simply parked my car by the
dumpster (flashlight in my pocket) and simulated taking a leak
behind the trash bin; quickly I opened the side access panel and did
a quick search. I found 3 bags with words (cellular, contract)
clearly visible in the bags; I grabbed them, looked around, and
tossed them in the trunk. After getting them to my garage (it was
about 11:30 pm too) and sifting through the coffee filters and salad
containers, I walked off with about 100 pairs (written contract
info which is discarded after it's entered into the computer). The
cons to this are that you've got a lot of explaining to do to the
cops if they see you toss some bags of trash in your trunk, and some
states have laws governing trash, to the effect of the trash being
the property of the company until it's collected by a designated
trash refuse agency. Nonetheless, this works for some places.
Cell-1's here have a company called 'Document Services' which picks
up their trash and shreds the ESN/personal papers and contracts,
thus this is ineffective in some areas.

   Another, more expensive, way is to obtain a device called a DDi,
Digital Data Interface. This thing comes in various formats, from
the more expensive stand-alone box to a device which interfaces
with your 800 MHz capable scanner and a PC. The cheapest standalone
I've seen was $1295, and I also saw a kit for a simple one for about
$100-$200. This is the safest way to get pairs: simply make the
device mobile, sit in a busy traffic area (freeway overpass), and
collect all the data you need as the fones around you register and
place calls over the reverse control channel.

   These are just a couple of examples of obtaining the 'magic
numbers'; some other ways (trading, inside help) do work too, but
are sometimes not effective. Try to be creative; the Fedz know
about trashing from back in the Captain Crunch days, so the DDi
seems to be the logical choice for snarfing.


----------------------------------------------------------------

V. Ways of Detection


   Well, another concern that the astute phreaker must know about
is how to avoid detection. What you must remember is that the only
way you can be physically traced is by having the phone powered up
and registered within the system; then all the cops have to do is
some rudimentary triangulation on your transmitter and you're
snagged. As long as you remember some basic rules, you can slim
your chances of being discovered.

   1. Never reveal your location or describe yourself over the
airwaves. This is a real common mistake; just as simple as you
turning on a scanner to monitor conversations, the cops have even
more sophisticated equipment to do so. A cell phreaker once told me
to just pretend you're in a crowded room when you speak on the fone,
so the information that you relay should not be something that you
would want that crowd to hear. You are just handing yourself over
when you make this mistake.

   2. Never leave your phone powered up or the battery pack left on.
The reason is simple: you turn the phone on, you're registered in
the system. Every phone transmits the ESN/MIN/SCM data to the cell
tower to become registered so that when you place a call the fone
will be ready. Some phones (Motorola bags/totes/installed) transmit
this data even when powered off; only the power adapter or battery
need be connected. The effect varies when 2 fones with the same
ESN/MIN/SCM data are registered at the same time, but most of the
time a fraud flag goes off (the system sees one subscriber in two
places at once), and your calls (the #'s) are recorded or the system
denies you access to place calls.

   3. Never give any personal information out over the phone. This
is a related mistake to #1, except this is mainly geared towards
those who like to make reservations at a restaurant or order a
pizza; all the Fedz need do is call the number and ask who placed an
order at such and such day and time (these places usually keep a
record of this), and wham, you're busted.
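
   As an added example (not part of this zine, and not any cellco's
actual software), here is the carrier-side check that rule 2 is
warning about, written out in Python and run over a constructed
registration log. Everything about the log is assumed: the line
format (timestamp, ESN, MIN, cell site, site coordinates), the site
names and coordinates, and the speed threshold. It goes one step past
the page's "registered at the same time" case: the same ESN/MIN
registering from two sites faster than any one handset could have
travelled between them is flagged too, which catches a clone even
when the two fones never register in the same minute.

```python
# Added example: detect a cloned ESN/MIN from carrier-side registration
# events. Not from the zine; the log format, site coordinates and speed
# threshold are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

# Constructed sample log, one registration per line:
#   <ISO timestamp> <ESN hex> <MIN> <cell site> <site lat> <site lon>
# The 8C1F2A3B/2135551212 pair registers in Los Angeles, then in
# San Francisco 20 minutes later, then back in Los Angeles: two fones.
SAMPLE_LOG = """\
1994-11-03T08:00:00 8C1F2A3B 2135551212 LAX-017 34.05 -118.24
1994-11-03T08:05:00 C9A00F77 3105550143 LAX-019 34.02 -118.40
1994-11-03T08:20:00 8C1F2A3B 2135551212 SFO-004 37.77 -122.42
1994-11-03T09:10:00 8C1F2A3B 2135551212 LAX-017 34.05 -118.24
1994-11-03T09:30:00 C9A00F77 3105550143 LAX-021 33.94 -118.41
"""

MAX_SPEED_KMH = 300.0   # faster than any car; above this it is two handsets
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Registration:
    when: datetime
    esn: str
    min_: str
    site: str
    lat: float
    lon: float


def parse_log(text: str) -> List[Registration]:
    """Parse the constructed log format; blank lines are skipped."""
    regs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, esn, min_, site, lat, lon = line.split()
        regs.append(Registration(datetime.fromisoformat(ts), esn.upper(),
                                 min_, site, float(lat), float(lon)))
    return regs


def distance_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two cell sites (haversine formula)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


# ((esn, min), from_site, to_site, km, hours)
Alert = Tuple[Tuple[str, str], str, str, float, float]


def find_clones(regs: List[Registration],
                max_speed_kmh: float = MAX_SPEED_KMH) -> List[Alert]:
    """Flag every pair of consecutive registrations of one ESN/MIN that no
    single handset could have produced: two sites at the same instant, or
    an implied speed between the sites above max_speed_kmh."""
    by_id: Dict[Tuple[str, str], List[Registration]] = {}
    for r in sorted(regs, key=lambda r: r.when):
        by_id.setdefault((r.esn, r.min_), []).append(r)
    alerts: List[Alert] = []
    for ident, seq in by_id.items():
        for prev, cur in zip(seq, seq[1:]):
            if prev.site == cur.site:
                continue                      # same cell, nothing to check
            km = distance_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            if hours <= 0.0 or km / hours > max_speed_kmh:
                alerts.append((ident, prev.site, cur.site,
                               round(km, 1), round(hours, 3)))
    return alerts


if __name__ == "__main__":
    for ident, src, dst, km, hours in find_clones(parse_log(SAMPLE_LOG)):
        print(f"FRAUD FLAG esn={ident[0]} min={ident[1]}: "
              f"{src} -> {dst}, {km} km in {hours} h")
```

   Run as-is it flags the 8C1F2A3B/2135551212 pair twice (LAX to SFO
in 20 minutes, then SFO back to LAX in 50) and leaves the other
subscriber alone. The "hours <= 0" branch is the page's exact case,
two registrations of one identity at the same instant from different
cells. A real switch would also key on the SCM and on the calls
placed after the flag, which is the part the rule is warning about.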


-------------------------------------------------------------------

VI. Internet Sites to get Cell info


   Here is a list of anon. FTP sites where cell info is stored; I've
checked them all in the past month, and they're still up.


   SPY.ORG                   /pub/SECURITY/SECTEC/cellular
   Corrupt.Sekurity.com      /pub/phones and /pub/incoming
   l0pht.com                 /pub/blackcrwl/cell
   src.doc.ic.ac.uk
   wiretap.spies.com
   ftp.winternet.com         /users/craigb
   quartz.rutgers.edu
   Ftp.Netcom.com
   siam.unibe.ch
   ftp.eff.org
   ftp.cic.net


   If you got any more, don't hold out; email em, or upload em to me
at the above email address.

-----------------------------------------------------------------

VII. Last notes


   Well, this will end my first issue of the Cellhackers journal. I
need anyone who knows anything, and would like to contribute, to
please email me or contact me on the Stargate BBS; you can find the
# and NUP on quality boardz, or chat with me on IRC. I use the
handle TECHMAN / CELLFONE / or MICROTAC, usually in the #STARGATE,
#CELLULAR, #PHREAK channels. In the next issue we'll get into some
more ESN modding back doors on some popular phones, and I'm trying
to get some generic plans for building a cheap DDi; a flip fone and
a scanner (modded to receive 800 MHz cell freqs) will be needed.
I'll try to have the next issue out in JAN, it'll prob be right
after New Year's. Hack on, gentlemen.


Some Greetz go out to:

   DrDamien for breaking the barrier on writing about cell
phreaking; a lot of shit here I learned from you.
   PMF, the man who supplied MPC to me, thanks man, sorry about our
little ESN fandango, but we're clearing it up.
   PaTcH NET (Code REd, Thranduil) for starting this cool net; we
need to X-pand this shit tho'.
   Drunkfux, for all his late-breaking info and cool t-files; how
come you won't validate me on your board man, and I hope your band
is working out.
   MOTOROLA for making a damn good (and modifiable) fone; I hope you
guys keep it up.
   Cybertron, my boy with the gutz. Peaches my girl, Nutz and Voltz
mag, WayWard (for his skillz), TACACS, Chr0nic, Terminal Man,
Alphabits, The Raven of HTH, and anyone else I didn't mention.


PEACE

TECHMAN