CELLULAR TELEPHONE PHREAKING PHILE SERIES VOL 1
by The Mad Phone-man

How would ya like to have a phone that nobody could locate? How bout free phone service on it too? Well, cellular telephones have the potential to do all this and more. First let's discuss some basics of the service.

QUESTIONS & ANSWERS:
--------------------

Q: What is cellular; a cellular phone?

A: An 800 MHz radiotelephone, running 3 watts, with the ability to change channel on computer command from the central switch. This happens when you travel thru the service area and your signal becomes stronger at a neighboring cell base station.

Q: They are marketed as a high security device with no possibility of anyone making a phoney call and charging it to someone else. How can it be phreaked?

A: An understanding of the phone reveals that every time a call is made, the phone number, an electronic serial number, and other data is sent to the switch. If you were to listen to the opposite side of the control channel as the call is being "set up" you would hear this data being transmitted to the switch in NRZ code (non-return to zero). All one has to do is record this info and program the bogus phone to these params, and a free call is possible thru the switch.

Q: Has anyone done this yet?

A: YES. About 6 months after the first cellular phone system was "turned up", a technician programmed a Panasonic telephone with a NEC E.S.N. (Electronic Serial Number); this was reportedly done for a gram of coke. With the popular ROM programmers available today, almost any NAM (Numeric Assignment Module) can be duplicated or copied with changes. (The NAM is the heart of the billing information and contains the phone number but not the ESN.) The most popular integrated circuit for NAMs is the 74LS123.

Q: This sounds like a lot of trouble. Is there an easier way to get service?

A: SURE, the cellphone companies have been their own downfall.
In an effort to market their wares as a universal service (your phone will work in any system) they have let the cart get before the horse. Nobody can tell if a phone from another city (that has a roaming agreement) is valid till it's too late. The only thing they could do after finding out is block any call with the bad ESN, because as we know, the phone number is easy to change, but the ESN is not.

So here's a likely plot... a roamer identifying itself as a number from Chicago non-wireline accesses a cellular system in Dallas. Sometimes an operator intervenes, but you can bullshit them as long as you know the information you have programmed into your phone. Then you make calls just like you are a local user. If you're found out, you remove the number, change it to another, and see if that works. Usually it will require the radio's ESN chip to be changed, but that's a lot easier if you have a ZIF (zero insertion force) socket installed; that's what I use.

Upcoming soon, more good info on particular mfgrs' ESN codes, cracking the Motorola switch, and shortcomings of the Ericsson AXE-10 switch.

>>> The Mad Phone-man <<<

Downloaded from The Land of Fa-II [716]/773-7526


CELLULAR TELEPHONE PHREAKING PHILE VOL 2
by "The Mad Phone-man"

Some terms you should understand:

Control Channel - The channel the phone and cell base first communicate on.
Reverse Control Ch - The opposite frequency, 45 MHz lower than the control channel. This is where the mobile unit is.
Voice channel - The channel you are assigned by the switch to commence the call on after the exchange of subscriber data.
Reverse voice channel - Again 45 MHz lower.
Cell Site - The base station that talks to the mobile.
Switch - The computer that places the calls, and takes and receives data from the subscriber or from the PSTN (public switched tel netwk).

OK, that should get things started. A subscriber picks up his handset to place a call.
The phone has already been locked onto the strongest control ch in the area by a computerized scanner in the phone. As he drives thru the service area the computer constantly picks out the strongest control ch and stays on it, altho more than one cell site can actually be heard. The subscriber enters the number to call on the keypad, and presses the "send" button. At this time the following data is transmitted to the cell site by the mobile: the caller's electronic serial number (ESN), his home system number (two digits), his mobile's area code and phone number, and the number he wants. The cellular switch now picks up an outgoing line, places the call for him and tells the mobile to switch to a voice channel. The two ends are linked in the central switch and voila! A complete phone call, in about 3 seconds.

I have purposely over-simplified the whole process to point out the moment of truth. The mobile's ESN and phone number and the data in the switch must match or no go. This is how the billing is figured out. If one had the ESN and the mobile phone number, you could call anytime, anyplace without fear of trace, let alone bill.

The ideal setup would let you listen to the reverse control channel, record and display heard working numbers and ESNs and recall them at your discretion to make calls. This would be tits! We're not quite there yet. But some hard work has already been done for us. All the aforementioned codes are sent in hex, in NRZ code (phancy term for phase shift keying), but the phone already has, for example, an NRZ receiver and transmitter built right in. All that has to be done is to have a receiver on the reverse control channel, recover the other subscriber's data and save it or at least print it out. The mobile radio data books show some good technical stuff on the systems used and chip part numbers for the NRZ stuff. I know there is a mfgr using the lowly 8085 chip for the control head functions; seems like there's room for experimentin' here. More to come!...
"The Mad Phone-man"


CELLULAR TELEPHONE PHREAKING PHILE VOL 3
by "The Mad Phone-man"

Now that you have become familiar with the technology of cellular phones it's time to discuss what you can do with a phone right now. Not every system pays attention to a "Roamer" from outside the system as closely as they do a local subscriber. In their mad rush to offer cellular as "universal" service, meaning you can place a call in any cellular city anywhere in North America, they fucked up.

OK, here's the poop... I access, say, Cleveland Ohio Cellular 1's Ericsson switch and tell them by my "NAM" info that I'm a roamer from NYNEX in New York City. Cleveland will let me make the call, cause it bills back to NYC my number of minutes used. If the NYC number is bogus, the call goes thru, and the bill doesn't go anywhere. They do know the exchange data for NYC, that's on a chart, so ya can't tell 'em yer... 555-1212 or such.. you must tell 'em yer a valid roamer and the System number (two digits) must match NYC's. This is not too hard to figure out (call some of their stupid sales idiots some time and see what they will let out of the bag)... so now let's see what else you should know.

OK, the system number for the foreign exchange.... NYNEX in Buffalo is 56, Chicago non-wireline is 01, Buffalo non-wireline is 03. All wirelines are even numbers, all non-wirelines are odd. OK, first three digits of the mobile number.... NYNEX Buffalo - 863 xxxx; Buffalo non-wire - 861 xxxx, 690 xxxx. I am sure it won't take much to figure out the local numbers for your area; like I said the sales people are fucks and will tell ya anything to make a sale.

Until the companies get a cellular clearinghouse to validate roamers in real time this will work out fine. The prospects of such a clearinghouse are good after the companies get done with their bitching at each other. But it may be a while before it becomes routine to look up a roamer.
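The gap Vol 3 describes is a switch that can only check a roamer against its chart (system number parity and exchange prefix) and has no way to ask the home system whether the MIN/ESN pair is real. The following is an added example, not code from the phile or from any real switch: a model of the origination check with and without the real-time clearinghouse lookup the text says was still missing. The system numbers (56 NYNEX Buffalo, 03 Buffalo non-wireline) and prefixes (863, 861, 690) are the ones quoted above; the serving system number 42, the subscriber records and the clearinghouse contents are constructed for the demonstration.

```python
"""Switch-side origination validation, modelling the roamer gap in Vol 3.

Added example, not from the original phile or any real switch. System
numbers 56 and 03 and the prefixes 863/861/690 come from the text; the
serving system number 42, the subscriber table and the clearinghouse
records are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Origination:
    """What the mobile sends when "send" is pressed (fields listed in Vol 2)."""
    esn: int        # electronic serial number
    home_sid: int   # two-digit home system number
    min: str        # mobile's area code + phone number, 10 digits
    dialed: str     # the number the caller wants


SERVING_SID = 42  # constructed stand-in; the text never gives Cleveland's number

# Constructed local subscriber table: MIN -> ESN the switch expects to see.
LOCAL_SUBSCRIBERS = {"2165550100": 0x0A1B2C3D}

# The "chart" of exchange data the switch holds for foreign systems:
# home system number -> prefixes that system hands out (from the text).
ROAMER_CHART = {
    56: {"863"},         # NYNEX Buffalo, wireline (even)
    3: {"861", "690"},   # Buffalo non-wireline (odd)
}

# Constructed clearinghouse: what the home systems would answer if asked
# in real time. (home_sid, MIN) -> ESN on file.
CLEARINGHOUSE = {
    (56, "7168630001"): 0x11111111,
    (3, "7168610002"): 0x22222222,
}


def carrier_type(sid):
    """Wirelines get even system numbers, non-wirelines odd (per the text)."""
    return "wireline" if sid % 2 == 0 else "non-wireline"


def validate(orig, clearinghouse=None):
    """Return (accepted, reason) for one origination.

    Local subscribers are checked against the switch's own records. A
    roamer can only be checked against the chart unless a clearinghouse
    lookup is available, which is the mitigation the text says did not
    exist yet.
    """
    if orig.home_sid == SERVING_SID:
        expected = LOCAL_SUBSCRIBERS.get(orig.min)
        if expected is None:
            return False, "unknown local MIN"
        if expected != orig.esn:
            return False, "ESN/MIN mismatch"
        return True, "local subscriber"

    prefixes = ROAMER_CHART.get(orig.home_sid)
    if prefixes is None:
        return False, "no roaming agreement with home system %02d" % orig.home_sid
    prefix = orig.min[3:6]
    if prefix not in prefixes:
        return False, "prefix %s not on chart for home system %02d" % (
            prefix, orig.home_sid)

    if clearinghouse is None:
        # Chart passed and there is nothing else to check: the call goes
        # through and the minutes are billed back to an unverified number.
        return True, "%s roamer accepted on chart only, billed back to %02d" % (
            carrier_type(orig.home_sid), orig.home_sid)

    on_file = clearinghouse.get((orig.home_sid, orig.min))
    if on_file is None:
        return False, "home system %02d has no such subscriber" % orig.home_sid
    if on_file != orig.esn:
        return False, "home system %02d ESN mismatch" % orig.home_sid
    return True, "roamer validated by clearinghouse"


if __name__ == "__main__":
    # A made-up Buffalo non-wireline number with a made-up ESN.
    bogus = Origination(0x33333333, 3, "7166900009", "5551212")
    print(validate(bogus))                 # accepted on the chart alone
    print(validate(bogus, CLEARINGHOUSE))  # rejected once the home system is asked
```

The same origination passes the chart check and fails the clearinghouse check, which is the whole point of the passage: the chart only proves the number looks like one the home system could have issued, not that it was issued or that the ESN belongs to it.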
There's simply too many to look up every time service is wanted. So, steal a cellphone and his antenna, re-NAM it as a roamer and when ya get it set up, make copies of the info with different subscriber numbers (the last 4 digits) and make free calls till whenever.

More to come.... "The NOVATEL series phones": uncracking the maintenance code. This is probably the best radio to use to shut down a cell site completely; it has secret codes in the ctrl head that allow you to bypass conventional switching protocols.


WHAT'S IN A NAM
by The Mad Phone-man
---------------------------------------------------------

NAM stands for "Number Assignment Module" or to the techies a PROM (Programmable Read-Only Memory). A blank NAM usually costs between $1. and $2.75. Sometimes it's more expensive depending on the operating temperature and packaging specifications. Two flavors of NAMs are used for cellular. NEC uses the open collector (Signetics p/n 82S32 or equivalent). All others use the tri-state (Signetics 82S123 or equivalent). Blank NAMs are manufactured by Signetics, National Semiconductor, Monolithic Memories, Fujitsu, Texas Instruments, and Advanced Micro Devices. Blank NAMs can be purchased at your electronic distributor's and many radios come with a blank included.

The NAM contains the subscriber number and lock code, the home system identification and other system required information. You may wonder how this info is arranged. The NAM is organized into 32 rows and 8 columns. It is 32 words of 8 bits each (256 bits total). Starting from the top of the NAM (address 00) you will find the abbreviation SIDH. This means "system identification number home", a number starting at 0001 assigned by the FCC. Each market allows two systems: even for the wireline and odd for the non-wireline. At address 03 we find LU (Local use) on the left and MIN on the right; these are usually set to 1. Locations with zeros are reserved.
Going down the map, there's MIN1 and MIN2, the subscriber number and the area code respectively. Don't try to read them from a raw printout of the NAM data; they are scrambled beyond recognition. The reason? The way they are arranged is the way they must be transmitted to the cellular system's receivers. The programmer does this to make the radio's job easier.

Next is the station class mark, which identifies the class and power capability of the phone. The system will treat a handheld (low power) differently than a standard 3 watt mobile.

IPCH is the initial paging channel. The radio listens for a page on this channel. Wirelines use 334 and non-wirelines use 333.

ACCOLC (ACCess Overload Class) is designed for throwing off customers in the event of an overload. Thru neglect this standard has been largely unused. (A class 15 station is supposed to be police, fire, or military.) Usually it's set to 0 plus the last digit of the phone number to provide random loading.

PS - Preferred system. This is always 1 in non-wireline and 0 in wireline.

The lock code is about the only thing you can read directly by studying the NAM data. The "spare" bit must be a 0 if the radio contains a 3 digit code. Because the number of clicks when you dial 0 on a (dial) phone equals 10, zeros in the lock code are represented by an "A", the hexadecimal equivalent of 10.

EE, REP, HA, and HF correspond to end-to-end signaling (DTMF tones possible while you talk), REPertory dialing (provision for 10 or more numbers in memory), Horn Alert and Hands Free. Like all options, they are 1 if turned on and 0 if not. The spare locations (13 through 1D; all these numbers are in hex) are supposed to be used by radio mfgrs to store option switches. Usually 13 is used, 14 sometimes and the rest less often.

Last you will find checksum adjustment and checksum. These numbers are calculated automatically after the data has been edited for the NAM. The sum of all words in the NAM plus these last two must equal a number with 0's in the last two digits.
The radio checks this sum and if it isn't correct the radio assumes the NAM is bad or tampered with. In that case the radio refuses to operate until a legal NAM is installed.

MARK            most         BIT SIGNIFICANCE          least    Hex
                                                               address
----------------------------------------------------------------
               |  0  |            SIDH (14-8)             |   00
----------------------------------------------------------------
               |                SIDH (7-0)                |   01
----------------------------------------------------------------
LU=Local use   | LU |      0 0 0 0 0 0       |    MIN     |   02
----------------------------------------------------------------
               | 0 0 |            MIN2 (33-28)            |   03
----------------------------------------------------------------
               |    MIN2 (27-24)    |       0 0 0 0       |   04
----------------------------------------------------------------
               |      0 0 0 0       |    MIN1 (23-20)     |   05
----------------------------------------------------------------
               |               MIN1 (19-12)               |   06
----------------------------------------------------------------
               |               MIN1 (11-4)                |   07
----------------------------------------------------------------
               |     MIN1 (3-0)     |       0 0 0 0       |   08
----------------------------------------------------------------
               |      0 0 0 0       |      SCM (3-0)      |   09
----------------------------------------------------------------
               |     0 0 0 0 0      |     IPCH (10-8)     |   0A
----------------------------------------------------------------
               |                IPCH (7-0)                |   0B
----------------------------------------------------------------
               |      0 0 0 0       |    ACCOLC (3-0)     |   0C
----------------------------------------------------------------
PS=Pref Syst   |          0 0 0 0 0 0 0          |   PS   |   0D
----------------------------------------------------------------
               |      0 0 0 0       |      GIM (3-0)      |   0E
----------------------------------------------------------------
               |    LOCK DIGIT 1    |    LOCK DIGIT 2     |   0F
----------------------------------------------------------------
               |    LOCK DIGIT 3    |   LOCK SPARE BITS   |   10
----------------------------------------------------------------
EE=End/End     | EE |      0 0 0 0 0 0       |    REP     |   11
----------------------------------------------------------------
REP=Repertory  | HA |      0 0 0 0 0 0       |    HF      |   12
----------------------------------------------------------------
HF=Handsfree   |                                          |   13
HA=Horn Alert  | Spare Locations (13-1D) contain all 0's  |   to
               |                                          |   1D
----------------------------------------------------------------
               |         NAM CHECKSUM ADJUSTMENT          |   1E
----------------------------------------------------------------
               |               NAM CHECKSUM               |   1F
----------------------------------------------------------------
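The map above is enough to pull every named field out of a NAM image and to run the same integrity test the radio runs before it will operate. The following is an added example, not the phile's own code or any manufacturer's NAM programmer: it decodes a 32-word image by the bit positions in the map, applies the checksum rule (sum of all 32 words ends in 00 hex), and cross-checks the wireline/non-wireline facts stated in the text (even SIDH means PS 0 and IPCH 334, odd means PS 1 and IPCH 333). The sample image is constructed; MIN1 and MIN2 are returned as raw bit fields rather than decoded digits, since the text only says they are scrambled for transmission; and putting the whole correction in word 1F with the adjustment word 1E left at 0 is an assumption, since the text does not say how the two words share it.

```python
"""Decode a 32-word NAM image per the map above and run the radio's checksum test.

Added example, not the phile's own code or any vendor's programmer software.
The sample image is constructed. MIN1/MIN2 stay raw bit fields (the text says
they are scrambled for transmission). Assumption: the checksum correction goes
entirely in word 1F and the adjustment word 1E is left 0.
"""

NAM_WORDS = 32


def bits(word, hi, lo):
    """Bit field hi..lo (inclusive, bit 7 = most significant) of one 8-bit word."""
    return (word >> lo) & ((1 << (hi - lo + 1)) - 1)


def lock_digit(nibble):
    """Lock digits are hex nibbles; 'A' (ten dial pulses) stands for 0."""
    return "0" if nibble == 0xA else str(nibble)


def checksum_ok(nam):
    """The radio's test: the sum of all 32 words must end in 00 hex."""
    return len(nam) == NAM_WORDS and sum(nam) % 0x100 == 0


def fix_checksum(data):
    """Given words 00-1D, fill in 1E/1F so the image passes checksum_ok()."""
    image = list(data[:0x1E]) + [0, 0]
    image[0x1F] = (-sum(image)) % 0x100   # assumption: adjustment word stays 0
    return bytes(image)


def parse_nam(nam):
    """Split a valid image into the fields named in the map."""
    if not checksum_ok(nam):
        raise ValueError("checksum failed: the radio would refuse to operate")
    f = {
        "sidh": (bits(nam[0x00], 6, 0) << 8) | nam[0x01],
        "lu": bits(nam[0x02], 7, 7),
        "min_flag": bits(nam[0x02], 0, 0),          # the bit the map labels MIN
        "min2": (bits(nam[0x03], 5, 0) << 4) | bits(nam[0x04], 7, 4),
        "min1": (bits(nam[0x05], 3, 0) << 20) | (nam[0x06] << 12)
                | (nam[0x07] << 4) | bits(nam[0x08], 7, 4),
        "scm": bits(nam[0x09], 3, 0),
        "ipch": (bits(nam[0x0A], 2, 0) << 8) | nam[0x0B],
        "accolc": bits(nam[0x0C], 3, 0),
        "ps": bits(nam[0x0D], 0, 0),
        "gim": bits(nam[0x0E], 3, 0),
        "lock_code": lock_digit(bits(nam[0x0F], 7, 4))
                     + lock_digit(bits(nam[0x0F], 3, 0))
                     + lock_digit(bits(nam[0x10], 7, 4)),
        "lock_spare": bits(nam[0x10], 3, 0),
        "ee": bits(nam[0x11], 7, 7),
        "rep": bits(nam[0x11], 0, 0),
        "ha": bits(nam[0x12], 7, 7),
        "hf": bits(nam[0x12], 0, 0),
        "spare": bytes(nam[0x13:0x1E]),               # mfgr option switches
    }
    f["wireline"] = f["sidh"] % 2 == 0   # even SIDH = wireline, odd = non-wireline
    return f


def consistency_warnings(f):
    """Cross-checks the text states: PS and IPCH must agree with the SIDH parity."""
    warnings = []
    want_ps, want_ipch = (0, 334) if f["wireline"] else (1, 333)
    if f["ps"] != want_ps:
        warnings.append("PS=%d but SIDH %d is %s" % (
            f["ps"], f["sidh"], "wireline" if f["wireline"] else "non-wireline"))
    if f["ipch"] != want_ipch:
        warnings.append("IPCH=%d, expected %d" % (f["ipch"], want_ipch))
    return warnings


# Constructed sample: SIDH 56 (wireline), IPCH 334, ACCOLC 7, lock code 305,
# EE and HF on. MIN1/MIN2 hold arbitrary raw field values.
SAMPLE_NAM = fix_checksum(bytes([
    0x00, 0x38,               # 00-01  SIDH = 0x0038 = 56
    0x81,                     # 02     LU=1, MIN=1
    0x2C, 0x50,               # 03-04  MIN2 raw = 0x2C5
    0x0A, 0xBC, 0xDE, 0xF0,   # 05-08  MIN1 raw = 0xABCDEF
    0x00,                     # 09     SCM
    0x01, 0x4E,               # 0A-0B  IPCH = 0x14E = 334
    0x07,                     # 0C     ACCOLC
    0x00,                     # 0D     PS = 0 (wireline)
    0x00,                     # 0E     GIM
    0x3A, 0x50,               # 0F-10  lock digits 3, A(=0), 5; spare nibble 0
    0x80,                     # 11     EE=1, REP=0
    0x01,                     # 12     HA=0, HF=1
]) + bytes(11))               # 13-1D  spare locations, all zeros


if __name__ == "__main__":
    fields = parse_nam(SAMPLE_NAM)
    print("SIDH %d (%s), IPCH %d, lock %s" % (
        fields["sidh"], "wireline" if fields["wireline"] else "non-wireline",
        fields["ipch"], fields["lock_code"]))
    tampered = bytearray(SAMPLE_NAM)
    tampered[0x0F] = 0x4A                 # change one lock digit, leave 1E/1F alone
    print("tampered image passes checksum:", checksum_ok(bytes(tampered)))
```

Because the test is a plain sum, any single edited word throws it off; editing the image and then recomputing 1E/1F (which is exactly what a NAM programmer does) makes it pass again, which is why the checksum catches corruption and careless tampering but is no proof that the image is legitimate.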