ÚÄ¿ ÚÄ¿ 3-FEB-89 ÀÂÙÉÍÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍÍ»ÀÂÙ ÀĶ THE DNA BOX ÇÄÙ ÚÄÄÄĶ Hacking Cellular Phones ÇÄÄÄÄ¿ ÚÁ¿ ÈÑÍÑÍÑÍÑÍÑÍÑÍÑÍÑÍÑÍÑÍÑÍÑÍѼ ÚÁ¿ ÀÄÙ ' ` ' ` ' ` ' ` ' ` ' ` ' ÀÄÙ ô P A R T F O U R ô ³ ³ ³ T H E N U M B E R O F T H E B E A S T ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Preliminary technical info about the AMPS (Advanced Mobile Phone System). MOBILE TELEPHONE SWITCHING OFFICE (MTSO) Cell Control Sites (Towers) are connected to the Mobile Telephone Switching Office (MTSO) by a pair of 9600 baud data lines, one of which is a backup. The MTSO routes calls, controls and coordinates the cell sites (especially during handoffs as a mobile phone moves from one cell to another while a call is in progress), and connects to a Central Office (CO) of the local telephone company via voice lines. There is some indication that an MTSO may be re-programmed and otherwise hacked via standard phone lines using a personal computer/modem. NUMERIC ASSIGNMENT MODULE (NAM) There is a PROM chip in every cellular phone that holds the phone number (MIN) assigned to it. This is the "Numerical Assignment Module" or NAM. Schematics and block diagrams occasionally call this the "ID PROM". The NAM also holds the serial number (ESN) of the cellular phone, and the system ID (SID) of the mobile phone's home system. By encoding new PROM chips (or re-programming EPROM chips) and swapping them with the originals, a cellular phone can be made to take on a new identity. It is possible to make a circuit board with a bank of PROMs that plugs into the NAM socket, and allows quick switching between several phone ID's. It's even feasible to emulate the behavior of a PROM with dual-port RAM chips, which can be instantly updated by a laptop computer. A photograph of a "BYTEK S1-KX NAM Multiprogrammer" suggests that this "sophisticated piece of equipment" is merely a relabled generic PROM burner. ============================================================================== MOBILE IDENTIFICATION NUMBER (MIN) The published explanations of how to compute this number all contain deliberate errors, probably for the purpose of thwarting phreaks and people attempting to change the serial numbers and ID codes of stolen phones. Even the arithmetic is wrong in some published examples! Until the FCC/IEEE spec is available (a trip is planned to a university engineering library) the following is almost certainly the way that MIN is computed, taking into consideration how such codings are done elsewhere, comparing notes and tables from a variety of sources, and using common sense. A BASIC program (MIN.BAS) that computes MINs from phone numbers is being distributed with this file. There are two parts to the 34-bit MIN. They are derived from a cellular phone number as follows: ------------------------------------------------------------------- MIN2 - a ten bit number representing the area code. Look up the three digits of area code in the following table: Phone Digit: 1 2 3 4 5 6 7 8 9 0 Coded Digit: 0 1 2 3 4 5 6 7 8 9 (Or just add 9 to a digit and use the right digit of the result) Then convert that number to a 10-digit binary number: For example, for the (213) area code, MIN2 would be 102, which expressed as a 10-digit binary number would be 0001100110. Area Code = 213 (get Area Code) 102 (add 9 to each digit modulo 10, or use table) MIN2 = 0001100110 (convert to binary) --------------------------------------------------------------------------- MIN1 - a 24 bit number representing the 7-digit phone number. The first ten bits of MIN1 are computed the same way as MIN2, only the next 3 digits of the phone number are used. The middle four bits of MIN1 are simply the fourth digit of the phone number expressed in binary (Remember; a "0" becomes a "10"). The last next ten bits of MIN1 are encoded using the final three digits of the phone number in the same way. So, MIN1 for 376-0111 would be: (get Phone Number) 376 0 111 (modify digits where appropriate) 265 (10) 000 (convert each part to a binary number) 0100001001 1010 0000000000 --------------------------------------------------------------------------- Thus the complete 34-bit Mobile Identification Number for (213)376-0111 is: 376 0 111 213 ________ __ ________ ________ / \/ \/ \/ \ MIN = 0100001001101000000000000001100110 \______________________/\________/ MIN1 MIN2 ---------------------------------------------------------------------------- ELECTRONIC SERVICE NUMBER (ESN) The serial number for each phone is encoded as a 32 bit binary number. Available evidence suggests that the ESN is an 8-digit hexadecimal number, which is encoded directly to binary: Serial Number = 821A056F Digits = 8 2 1 A 0 5 6 F ESN = 0001 0001 0001 1010 0000 0101 0110 1111 Here is a table for converting Hexadecimal to Binary: Hex Binary Hex Binary Hex Binary Hex Binary --- ------ --- ------ --- ------ --- ------ 0 0000 4 0100 8 1000 C 1100 1 0001 5 0101 9 1001 D 1101 2 0010 6 0110 A 1010 E 1110 3 0011 7 0111 B 1011 F 1111 ---------------------------------------------------------------------------- SYSTEM IDENTIFICATION (SID) A 15 bit binary number representing a mobile phone's home cellular system. ============================================================================ ---------------------CELLULAR PHONE FREQUENCIES----------------------------- Here, again, are the frequency range assignments for Cellular Telephones: Repeater Input (Phone transmissions) 825.030 - 844.980 Megahertz Repeater Output (Tower transmissions) 870.030 - 889.980 Megahertz There are 666 Channels. Phones transmit 45 MHz below the corresponding Tower channel. The channels are spaced every 30 KHz. These channels are divided into "Nonwireline" (A) and "Wireline" (B) services. Nonwireline (A) service uses the 825-835/870-880 frequencies (channels 1-333) Wireline (B) service uses the 835-845/880-890 frequencies (channels 334-666) A channel is either dedicated to control signals, or to voice signals. Digital message streams are sent on both types of channels, however. There are 21 control channels for each service. Non-Wireline (A) control channels are located in the frequency ranges 834.39 - 834.99 and 879.39 - 879.99 (channels 312 - 333 ) Wireline (B) control channels are located in the frequency ranges 835.02 - 835.62 and 880.02 - 880.62 (channels 334 - 355) The new 998 channel systems use 332 additional channels in the ranges 821-825/866-870 and 845-851/890-896. Cell Control Sites (Towers) are connected to an MTSO (Mobile Telephone Switching Office) which connects the cellular system to a Central Office (CO) of a conventional telephone system. Each Cell Control Site uses a maximum of 16 channels, up to 4 of which may be control channels. There will always be at least 1 control channel available in each cell. Cellular Towers are easily identified by the flat triangular platforms at the top of the mast, with short vertical antennas at each corner of the platform. Most UHF Televisions and cable-ready VCR's are capable of monitoring Cellular Phone channels. Try tuning between UHF TV channels 72 - 76 for mobile phones, and between UHF TV channels 79 - 83 for towers. ----------------------------------------------------------------------------- SUPERVISORY AUDIO TONE (SAT) A mobile phone must be able to recognize and retransmit any of the three audio frequencies used as SAT's. These tones (and their binary codes) are: (00) 5970 Hz (01) 6000 Hz (10) 6030 Hz The SAT is used during signaling, but not during data transmission. The binary codes are sent during data transmission to control which of the SAT tones a mobile phone will be using. Each cell site (or tower) uses only one of the three SATs. The mobile transmitter returns that same SAT to the tower. Tone recognition must take place within 250 milliseconds. SIGNALING TONE (ST) A 10 KHz tone is used for signaling by mobile phones during alert, handoff, certain service requests, and diconnect. DATA TRANSMISSION Cellular Phones use a data rate of 10 Kilobits per second, and must be accurate to within one bit per second. Frequency Modulation (FM) is used for both voice and data transmissions. Digital data is transmitted as an 8KHz frequency shift of the carrier. A binary one is transmited as a +8KHz shift and a binary zero as a -8KHz shift. NRZ (Non-Return to Zero) coding is used, which means that the carrier is not shifted back to it's center frequency between transmitted binary bits. ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ The DNA BOX - Striking at the Nucleus of Corporate Communications. ³ õ A current project of... Á Outlaw Telecommandos º³Ý³³Þº³Ýݳ³Þ³Ý³º º³Ý³³Þº³Ýݳ³Þ³Ý³º º01-213-376-0111º Downloaded From P-80 International Information Systems 304-744-2253