                              THE DNA BOX
                        Hacking Cellular Phones
                                JAN-89

                           P A R T   O N E

It turns out that there are several Japanese handheld transceivers (HT's)
available in the US for use by ham radio hobbyists that have hidden features
allowing them to operate in the 800MHz band used by cellular telephones.
Using an FSK decoder chip and a personal computer running an assembly
language program to record and decipher the ID beeps at the beginning of
cellular calls, a "phone book" of cellular ID's can be compiled. A simple FSK
oscillator controlled by the PC can then be used to dial out using the
handheld transceiver and the captured ID codes. A low-tech analysis could be
done by taping the beeps and playing them back at slow speed into an
oscilloscope. An edited tape may even be adequate for retransmission; no
deciphering required.

Several radio stores in Los Angeles sell the HT's and have given advice in
the past about how to access the hidden out-of-band tuning features in the
ROMs of the Japanese HT's.

It's possible now to listen in to cellular phone conversations without
building any special hardware. In fact, if you have a good antenna, or live
near a cellular repeater tower, you can pick up cellular calls using a UHF TV
with a sliding tuner by tuning in "channels" between 72 and 83 on the UHF
dial.

Beside the obvious benefits of unlimited, untraceable, national mobile voice
communication, there are other uses for cellular hacking. For instance: most
people using cellular phones are pretty upscale. It may be possible to scan
for ID codes of the telephones of major corporations and their executives
and get insider stock trading information.
Simply by logging the called and calling parties you will be able to compile
a database mapping out the executive-level command & communication
structure. If this is linked to a remote-controlled tape deck you will know
precisely what is going on and be able to note any unusual activity, such as
calls between the executives of corporations that are in a takeover or
leveraged buyout relationship. It is even likely that you will occasionally
intercept calls between investors and their stock brokers, or calls
discussing plans for new contracts. This data is most safely used for insider
trading of your own; there will be no way that the Securities and Exchange
Commission can establish a link between you and the insiders. A more risky
proposition would be to offer any intelligence gathered to competitors for a
price as industrial espionage. Then there are the anarchy & disruption angles
for cybernetic guerrilla action at the corporate economic & financial level.
Leaking info to the press can kill a deal or move stock prices prematurely.
Intelligence gathered via cellular hacking can also be used to plan
operations against corporate mainframes by providing names and keywords, or
indicating vital information to be searched for.

Listening to the phone calls of candidates and their campaign staff is also a
field rich in possibilities.

A related technology waiting to be hacked is the nationwide net of pocket
pagers. The possibilities for executive harassment using beeper technology
are relatively unexplored.

There are also several on-line instant stock & commodity quotation systems
that use SCA subcarriers to transmit investment data. By watching activity on
these networks you will be able to look over the shoulder of investors as
they plan their strategy: what kind of inquiries they are making and what the
results are.
Here are a few of the online investment services (business offices, ca. 1987):

  DATAQUICK              1-800-762-DATA (voice)         Southern CA Real Property Data
  Lotus Signal/QuoTrek   1-800-272-2855 (voice)         Stock Market Data
                         1-800-433-6955 (voice)
  FutureSource           1-800-621-2628 ext.34 (voice)  Futures Trading Data

  (Or check recent ads in the Wall Street Journal etc.)

At any rate, I propose that we start pooling info about cellular phones
toward the goal of building a 'Rosetta stone' of cellular dialing protocols,
frequencies, technical info and hardware/software hacks. High on the hit list
is a service/repair manual for a cellular phone, and journal or technical
articles about the inner workings of the cellular phone system.

---------------------------------------------------------------------------
  The DNA BOX - Striking at the Nucleus of Corporate Communications.
  A current project of... Outlaw Telecommandos
---------------------------------------------------------------------------


                              THE DNA BOX
                        Hacking Cellular Phones
                                JAN-89

                           P A R T   T W O

The previous DNA file discussed the possibility of using Japanese handheld
HAM radios and personal computers, or tape recorders, to hack Cellular Phone
codes, and possible uses for investment & business info obtained by hacking
executive and corporate phone calls, and investment info services.

Here I want to mention the obvious idea of simply modifying or replacing the
ROMs in a standard Cellular Phone, and disassembling the ROM software that
operates the Phone in order to "customize" it for scanning, data monitoring,
eavesdropping and (of course) making free calls using the codes of registered
subscribers. Simply unplugging the ROMs, putting them on a ROM card for a PC
and then copying the software to disk for disassembly is the obvious first
step.
Use of a logic analyzer to monitor and record activity on the Cellular
Phone's digital bus would simplify things by providing a map of where data is
stored and which instructions are executed during each period of activity:
decoding/sending ID tones, selecting frequencies, dialing, and talking.
Checking the part number on the CPU embedded in the Cellular Phone will tell
you which disassembler to use to give a first draft of the ROM code.

The next step is to generate a map of the locations of every subroutine
call's entry point, any branch & loop locations, and all addresses written
to, read, or read-only (to map out any variables and data). Locations
incremented, decremented or tested by branch instructions should also be
noted, along with their initial and final values. Each address in the map
should be given a symbolic label in your draft of the assembly code. Comments
can also be entered with high-level language equivalents that summarize the
assembly code as you understand it. Pay special attention to data or loop
limits that match elements of the Cellular Phone ID codes (length or
contents), or any data locations that are always accessed as a group. This
may give you enough info to find the location of the ID code and burn an
EPROM with any ID's you've hacked by listening to Cellular Calls.

If you have identified the subroutines that accept phone numbers for dialing,
you can patch in a second subroutine that accepts an ID code from the keypad
and stores it in RAM before calling out, and modify any routines that utilize
ID codes to use RAM addresses instead of ROM addresses. Chances are that the
software takes up most or all of the available ROM and RAM scratchpad space
on the single-chip microprocessor. If this is the case it might be necessary
to piggyback additional memory chips onto the circuit board to hold any new
subroutines you want to add.

Suggested new features:

1) Have the Cellular Phone scan for an empty channel and wait for an ID code.
   Capture the ID code into a table of ID's in RAM and display the captured
   codes on the liquid crystal display.

2) Program the Cellular Phone to emulate the switching signals and codes sent
   by PacBell (or your local Cellular carrier), bypassing central switching
   entirely. This would be useful for making 100% untraceable calls to other
   Cellular subscribers within direct radio range. This can be used to do
   your own routing, emulating a phantom switching cell. This could be used
   to extend cellular service into an otherwise inaccessible area by
   coupling your Cellular Phone to a 1.2GHz linear amplifier modified to work
   in the 800MHz band.

3) Make the Cellular Phone receive data under one ID/frequency and retransmit
   it under another. This would make it impossible to monitor both sides of
   a conversation. This feature could also be used to implement conference
   calling by running several calls at once out of one phone.

---------------------------------------------------------------------------
  The DNA BOX - Striking at the Nucleus of Corporate Communications.
  A current project of... Outlaw Telecommandos   01-213-376-0111
---------------------------------------------------------------------------


                              THE DNA BOX
                        Hacking Cellular Phones
                               1-FEB-89

                          P A R T   T H R E E

Previous DNA files discussed the possibility of using Japanese handheld HAM
radios and personal computers, or tape recorders, to hack Cellular Phone
codes, and possible uses for investment & business info obtained by hacking
executive and corporate phone calls, and investment info services, as well
as approaches to modifying the Cellular Phones themselves for use as hacking
tools and pirate communication devices.
Here, the use and modification of UHF-band radio scanners to hack and
monitor Cellular and Mobile telephone systems will be dealt with.

Radio Shack, Uniden, and several other manufacturers make scanners for use by
amateur radio hobbyists. Most of these will intercept mobile radiotelephone
calls without modification by tuning in frequencies in the 156 MHz and 475
MHz regions. Most of these scanners have line-level audio outputs that can
feed a tape recorder or a demodulator/tone decoder chip, which can then
interface directly to a computer for analyzing codes. Mobile phones use a
tone-pulse dialing protocol that should be simple to decode and emulate using
standard handheld ham radio gear. You can almost count the dialing beeps
without any special equipment. Phone channels are easy to find: they usually
broadcast a standard busy signal or an idle tone (a fixed audio sine wave)
when waiting for the next call. You will also hear conversations, ringing,
and mobile phone operators on these channels.

Here's a partial list of frequencies used by mobile phones (frequencies in
MHz):

  152.51   154.57   152.66   152.69   152.72   152.78   154.54
  475.45   475.475  475.55   475.6    475.8    475.825  475.85   475.9   476.05

As you can see, many of the frequencies are spaced 30KHz or 25KHz apart, so
there are probably more channels in the gaps at those intervals. These
frequencies were gathered in a few minutes of casual listening using an
unmodified Radio Shack Pro-2021 scanner in search mode.

SCANNING CELLULAR FREQUENCIES:

Hobby scanners capable of monitoring Cellular Phones are prohibited in the
US. To save money on the production line, many international scanner
manufacturers make only one kind of scanning chip, which they use in both US
and foreign models. These chips are capable of scanning in the 800MHz range
but this feature is disabled by grounding certain pins in the US models.
Often restoring Cellular scanning functions is merely a matter of cutting a
circuit trace or removing a single diode from a scanner's printed circuit
board. For instance, removing diode 513 from a Radio Shack Pro-2004 Scanner
will enable the 870MHz Cellular range. Installing diode 510 will increase the
number of scanning channels from 300 to 400. Installing diode 514 will
increase the scanning rate from 16 to 20 channels per second. These are
located on the printed circuit board labeled PC-3. The Uniden Bearcat
200/205XLT can be modified for Cellular scanning by cutting or removing the
10K-ohm resistor located on the printed circuit board above the letters "DEN"
on the microprocessor chip labeled "UNIDEN UC-1147". The Regency Electronics
MX7000 Scanner reportedly scans Cellular Phones without modification. An
additional scanner rumored to be modifiable is the Realistic Pro-32.

Another source of useful radio gear is "Export Only" manufacturers. One of
these is currently rumored to be offering a handheld cellular phone that does
its own routing and has an operating radius of 160 kilometers!

CELLULAR PHONE FREQUENCIES:

Here are the frequency range assignments for Cellular Telephones:

  Repeater Input  (Phone transmissions)   825.03 - 844.98 Megahertz
  Repeater Output (Tower transmissions)   870.03 - 889.98 Megahertz

There are 666 Channels. Phones transmit 45 MHz below the corresponding Tower
channel. The channels are spaced every 30 KHz.

CORDLESS PHONE FREQUENCIES:

It's also possible to hack the popular cordless phones. These use the 49MHz
band used by baby monitors and toy FM walkie-talkies. Scanners can be used to
monitor these without modification, and FM handheld transceivers will allow
2-way hacking of these frequencies, which some may find amusing.
  Channel   Handset Transmit   Base Transmit
  -------   ----------------   -------------
     1          49.67             46.61        (frequencies in Megahertz)
     2          49.845            46.63
     3          49.86             46.67
     4          49.77             46.71
     5          49.875            46.73
     6          49.83             46.77
     7          49.89             46.83
     8          49.93             46.87
     9          49.99             46.93
    10          49.97             46.97

Business Update: As of January 1989 there are legal maneuvers going on to
lift the ban on portable phones by traders at the NY Stock Exchange.


                              THE DNA BOX
                        Hacking Cellular Phones
                               3-FEB-89

                          P A R T   F O U R
               T H E   N U M B E R   O F   T H E   B E A S T

Preliminary technical info about the AMPS (Advanced Mobile Phone System).

MOBILE TELEPHONE SWITCHING OFFICE (MTSO)

Cell Control Sites (Towers) are connected to the Mobile Telephone Switching
Office (MTSO) by a pair of 9600 baud data lines, one of which is a backup.
The MTSO routes calls, controls and coordinates the cell sites (especially
during handoffs as a mobile phone moves from one cell to another while a call
is in progress), and connects to a Central Office (CO) of the local telephone
company via voice lines. There is some indication that an MTSO may be
re-programmed and otherwise hacked via standard phone lines using a personal
computer/modem.

NUMERIC ASSIGNMENT MODULE (NAM)

There is a PROM chip in every cellular phone that holds the phone number
(MIN) assigned to it. This is the "Numerical Assignment Module" or NAM.
Schematics and block diagrams occasionally call this the "ID PROM". The NAM
also holds the serial number (ESN) of the cellular phone, and the system ID
(SID) of the mobile phone's home system.
By encoding new PROM chips (or re-programming EPROM chips) and swapping them
with the originals, a cellular phone can be made to take on a new identity.
It is possible to make a circuit board with a bank of PROMs that plugs into
the NAM socket and allows quick switching between several phone ID's. It's
even feasible to emulate the behavior of a PROM with dual-port RAM chips,
which can be instantly updated by a laptop computer. A photograph of a "BYTEK
S1-KX NAM Multiprogrammer" suggests that this "sophisticated piece of
equipment" is merely a relabeled generic PROM burner.

==============================================================================
MOBILE IDENTIFICATION NUMBER (MIN)

The published explanations of how to compute this number all contain
deliberate errors, probably for the purpose of thwarting phreaks and people
attempting to change the serial numbers and ID codes of stolen phones. Even
the arithmetic is wrong in some published examples! Until the FCC/IEEE spec
is available (a trip is planned to a university engineering library) the
following is almost certainly the way that MIN is computed, taking into
consideration how such codings are done elsewhere, comparing notes and tables
from a variety of sources, and using common sense. A BASIC program (MIN.BAS)
that computes MINs from phone numbers is being distributed with this file.

There are two parts to the 34-bit MIN. They are derived from a cellular phone
number as follows:

-------------------------------------------------------------------
MIN2 - a ten bit number representing the area code.

Look up the three digits of the area code in the following table:

  Phone Digit:  1 2 3 4 5 6 7 8 9 0
  Coded Digit:  0 1 2 3 4 5 6 7 8 9

(Or just add 9 to a digit and use the right digit of the result.)

Then convert that number to a 10-digit binary number. For example, for the
(213) area code, MIN2 would be 102, which expressed as a 10-digit binary
number would be 0001100110.
  Area Code = 213            (get Area Code)
              102            (add 9 to each digit modulo 10, or use table)
  MIN2 = 0001100110          (convert to binary)
---------------------------------------------------------------------------
MIN1 - a 24 bit number representing the 7-digit phone number.

The first ten bits of MIN1 are computed the same way as MIN2, only the next 3
digits of the phone number are used. The middle four bits of MIN1 are simply
the fourth digit of the phone number expressed in binary (remember: a "0"
becomes a "10"). The last ten bits of MIN1 are encoded using the final three
digits of the phone number in the same way.

So, MIN1 for 376-0111 would be:

  (get Phone Number)                        376       0       111
  (modify digits where appropriate)         265      (10)     000
  (convert each part to a binary number)    0100001001 1010 0000000000
---------------------------------------------------------------------------
Thus the complete 34-bit Mobile Identification Number for (213)376-0111 is:

             376        0      111        213
          __________  ____  __________  __________
  MIN =   0100001001  1010  0000000000  0001100110
          \________________________/    \________/
                     MIN1                  MIN2
----------------------------------------------------------------------------
ELECTRONIC SERVICE NUMBER (ESN)

The serial number for each phone is encoded as a 32 bit binary number.
Available evidence suggests that the ESN is an 8-digit hexadecimal number,
which is encoded directly to binary:

  Serial Number = 821A056F
  Digits        =    8    2    1    A    0    5    6    F
  ESN           = 0001 0001 0001 1010 0000 0101 0110 1111

Here is a table for converting Hexadecimal to Binary:

  Hex  Binary    Hex  Binary    Hex  Binary    Hex  Binary
  ---  ------    ---  ------    ---  ------    ---  ------
   0   0000       4   0100       8   1000       C   1100
   1   0001       5   0101       9   1001       D   1101
   2   0010       6   0110       A   1010       E   1110
   3   0011       7   0111       B   1011       F   1111
----------------------------------------------------------------------------
SYSTEM IDENTIFICATION (SID)

A 15 bit binary number representing a mobile phone's home cellular system.
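The MIN and ESN rules above, carried through in Python as an added example
(this is not the MIN.BAS program mentioned in the file, and the function
names are this example's own). It encodes a phone number to MIN1/MIN2 using
the add-9-modulo-10 rule and the "0 becomes 10" rule for the fourth digit,
decodes a 34-bit MIN back to a phone number so that an identifier seen in a
message word can be compared with a subscriber record, and converts an
8-digit hex serial number with the hex-to-binary table. One check worth
noting: applying that table to the file's own example 821A056F gives 1000
0010 0001 for the first three digits, not 0001 0001 0001 as printed above.

```python
# Added example: AMPS MIN/ESN encoding as described in Part Four of this
# file.  Not the file's MIN.BAS; function names are this example's own.


def code_digit_group(digits):
    """Encode a 3-digit group: add 9 to each digit and keep the right-hand
    digit (1->0, 2->1, ..., 9->8, 0->9), then read the three coded digits
    as one decimal number (e.g. "213" -> 102, "376" -> 265, "111" -> 0)."""
    if len(digits) != 3 or not digits.isdigit():
        raise ValueError("expected exactly three decimal digits")
    return int("".join(str((int(d) + 9) % 10) for d in digits))


def decode_digit_group(value):
    """Inverse of code_digit_group: 102 -> "213", 0 -> "111"."""
    if not 0 <= value <= 999:
        raise ValueError("coded group out of range")
    return "".join(str((int(d) + 1) % 10) for d in f"{value:03d}")


def min2_bits(area_code):
    """MIN2: the coded area code as a 10-bit binary string."""
    return f"{code_digit_group(area_code):010b}"


def min1_bits(local_number):
    """MIN1: coded exchange (10 bits) + fourth digit (4 bits, 0 -> 1010)
    + coded last three digits (10 bits) = 24 bits."""
    if len(local_number) != 7 or not local_number.isdigit():
        raise ValueError("expected a 7-digit local number")
    exchange, fourth, last3 = local_number[:3], local_number[3], local_number[4:]
    fourth_value = 10 if fourth == "0" else int(fourth)
    return (f"{code_digit_group(exchange):010b}"
            f"{fourth_value:04b}"
            f"{code_digit_group(last3):010b}")


def min_bits(phone_number):
    """Full 34-bit MIN = MIN1 (24 bits) followed by MIN2 (10 bits).
    Punctuation such as "(213) 376-0111" is ignored."""
    digits = "".join(ch for ch in phone_number if ch.isdigit())
    if len(digits) != 10:
        raise ValueError("expected a 10-digit phone number")
    return min1_bits(digits[3:]) + min2_bits(digits[:3])


def decode_min(bits):
    """Recover the 10-digit phone number from a 34-bit MIN string."""
    if len(bits) != 34 or set(bits) - {"0", "1"}:
        raise ValueError("expected 34 binary digits")
    min1, min2 = bits[:24], bits[24:]
    exchange = decode_digit_group(int(min1[:10], 2))
    fourth_value = int(min1[10:14], 2)
    if not 1 <= fourth_value <= 10:
        raise ValueError("invalid fourth-digit field")
    fourth = "0" if fourth_value == 10 else str(fourth_value)
    last3 = decode_digit_group(int(min1[14:], 2))
    area = decode_digit_group(int(min2, 2))
    return area + exchange + fourth + last3


def esn_bits(serial_hex):
    """ESN: an 8-digit hexadecimal serial number converted digit by digit
    to binary with the hex-to-binary table, giving 32 bits."""
    if len(serial_hex) != 8 or any(c not in "0123456789abcdefABCDEF" for c in serial_hex):
        raise ValueError("expected an 8-digit hexadecimal serial number")
    return "".join(f"{int(c, 16):04b}" for c in serial_hex)


if __name__ == "__main__":
    number = "(213) 376-0111"                  # the file's worked example
    m = min_bits(number)
    print(number, "-> MIN1", m[:24], "MIN2", m[24:], "->", decode_min(m))
    esn = esn_bits("821A056F")                 # the file's example serial
    print("821A056F ->", " ".join(esn[i:i + 4] for i in range(0, 32, 4)))
```

Running the block reproduces the file's 34-bit MIN for (213)376-0111 and
decodes it back to 2133760111; the decode path rejects a fourth-digit field
of 0000 or anything above 1010, which the encoding never produces.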
============================================================================
---------------------CELLULAR PHONE FREQUENCIES-----------------------------

Here, again, are the frequency range assignments for Cellular Telephones:

  Repeater Input  (Phone transmissions)   825.030 - 844.980 Megahertz
  Repeater Output (Tower transmissions)   870.030 - 889.980 Megahertz

There are 666 Channels. Phones transmit 45 MHz below the corresponding Tower
channel. The channels are spaced every 30 KHz.

These channels are divided into "Nonwireline" (A) and "Wireline" (B)
services.

  Nonwireline (A) service uses the 825-835/870-880 frequencies (channels 1-333)
  Wireline    (B) service uses the 835-845/880-890 frequencies (channels 334-666)

A channel is either dedicated to control signals, or to voice signals.
Digital message streams are sent on both types of channels, however. There
are 21 control channels for each service.

  Non-Wireline (A) control channels are located in the frequency ranges
    834.39 - 834.99 and 879.39 - 879.99 (channels 312 - 333)
  Wireline (B) control channels are located in the frequency ranges
    835.02 - 835.62 and 880.02 - 880.62 (channels 334 - 355)

The new 998 channel systems use 332 additional channels in the ranges
821-825/866-870 and 845-851/890-896.

Cell Control Sites (Towers) are connected to an MTSO (Mobile Telephone
Switching Office) which connects the cellular system to a Central Office (CO)
of a conventional telephone system. Each Cell Control Site uses a maximum of
16 channels, up to 4 of which may be control channels. There will always be
at least 1 control channel available in each cell.

Cellular Towers are easily identified by the flat triangular platforms at the
top of the mast, with short vertical antennas at each corner of the platform.

Most UHF Televisions and cable-ready VCR's are capable of monitoring Cellular
Phone channels. Try tuning between UHF TV channels 72 - 76 for mobile phones,
and between UHF TV channels 79 - 83 for towers.
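The channel arithmetic in this section, as an added example (not code from
the file): channel number to mobile and tower frequency, the reverse lookup,
the A/B service split, and the control-channel sets derived from the quoted
control frequency ranges. It also maps a frequency onto the US UHF TV channel
grid (channels 14-83, 6 MHz wide starting at 470 MHz) so the claim about
tuning a UHF television can be checked. Constant and function names are
mine. Note that the quoted control ranges 834.39-834.99 and 835.02-835.62
land on channels 313-333 and 334-354 (21 channels each, matching the "21
control channels" figure), one off from the 312-333 / 334-355 labels above.

```python
# Added example: AMPS channel arithmetic from the figures in this section
# (666 channels, 30 kHz spacing, mobile side starting at 825.030 MHz, tower
# side 45 MHz higher, A/B split after channel 333).  Names are mine.

FIRST_MOBILE_MHZ = 825.030
CHANNEL_SPACING_MHZ = 0.030
TOWER_OFFSET_MHZ = 45.0
NUM_CHANNELS = 666


def mobile_freq(channel):
    """Mobile (repeater input) frequency of a channel number, in MHz."""
    if not 1 <= channel <= NUM_CHANNELS:
        raise ValueError("channel out of range 1..666")
    return round(FIRST_MOBILE_MHZ + CHANNEL_SPACING_MHZ * (channel - 1), 3)


def tower_freq(channel):
    """Tower (repeater output) frequency: 45 MHz above the mobile side."""
    return round(mobile_freq(channel) + TOWER_OFFSET_MHZ, 3)


def channel_for(freq_mhz):
    """Channel number for a mobile-side or tower-side frequency in MHz.
    Anything at or above 860 MHz is treated as the tower side."""
    f = freq_mhz - TOWER_OFFSET_MHZ if freq_mhz >= 860.0 else freq_mhz
    channel = round((f - FIRST_MOBILE_MHZ) / CHANNEL_SPACING_MHZ) + 1
    if not 1 <= channel <= NUM_CHANNELS or abs(mobile_freq(channel) - f) > 0.0005:
        raise ValueError(f"{freq_mhz} MHz is not on the 30 kHz channel grid")
    return channel


def service(channel):
    """Nonwireline (A) is channels 1-333, Wireline (B) is 334-666."""
    mobile_freq(channel)  # range check only
    return "A (Nonwireline)" if channel <= 333 else "B (Wireline)"


# Control-channel sets derived from the frequency ranges quoted above:
# 834.39-834.99 MHz for A and 835.02-835.62 MHz for B, 21 channels each.
A_CONTROL = range(channel_for(834.39), channel_for(834.99) + 1)
B_CONTROL = range(channel_for(835.02), channel_for(835.62) + 1)


def is_control_channel(channel):
    """True for the 21 A-side and 21 B-side control channels."""
    return channel in A_CONTROL or channel in B_CONTROL


def uhf_tv_channel(freq_mhz):
    """US UHF TV channel (14-83, 6 MHz each from 470 MHz) that contains the
    given frequency; used to see which TV channels overlap the band."""
    if not 470.0 <= freq_mhz < 890.0:
        raise ValueError("outside the UHF TV band")
    return 14 + int((freq_mhz - 470.0) // 6)


def describe(channel):
    """Everything the tables above say about one channel, in one record."""
    return {
        "channel": channel,
        "mobile_mhz": mobile_freq(channel),
        "tower_mhz": tower_freq(channel),
        "service": service(channel),
        "control": is_control_channel(channel),
        "tv_channel_mobile": uhf_tv_channel(mobile_freq(channel)),
        "tv_channel_tower": uhf_tv_channel(tower_freq(channel)),
    }


if __name__ == "__main__":
    for ch in (1, 313, 333, 334, 354, 666):
        print(describe(ch))
```

By this arithmetic the mobile side (825.03-844.98 MHz) lies inside UHF TV
channels 73-76 and the tower side (870.03-889.98 MHz) inside channels 80-83;
the wider 72-76 / 79-83 spans given above are what a sliding analog tuner
sees when it is parked between channels.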
-----------------------------------------------------------------------------
SUPERVISORY AUDIO TONE (SAT)

A mobile phone must be able to recognize and retransmit any of the three
audio frequencies used as SATs. These tones (and their binary codes) are:

  (00)  5970 Hz
  (01)  6000 Hz
  (10)  6030 Hz

The SAT is used during signaling, but not during data transmission. The
binary codes are sent during data transmission to control which of the SAT
tones a mobile phone will be using. Each cell site (or tower) uses only one
of the three SATs. The mobile transmitter returns that same SAT to the tower.
Tone recognition must take place within 250 milliseconds.

SIGNALING TONE (ST)

A 10 KHz tone is used for signaling by mobile phones during alert, handoff,
certain service requests, and disconnect.

DATA TRANSMISSION

Cellular Phones use a data rate of 10 Kilobits per second, and must be
accurate to within one bit per second. Frequency Modulation (FM) is used for
both voice and data transmissions. Digital data is transmitted as an 8KHz
frequency shift of the carrier. A binary one is transmitted as a +8KHz shift
and a binary zero as a -8KHz shift. NRZ (Non-Return to Zero) coding is used,
which means that the carrier is not shifted back to its center frequency
between transmitted binary bits.
                              THE DNA BOX
                        Hacking Cellular Phones
                               6-FEB-89

                          P A R T   F I V E

                 CELLULAR TELEPHONE SIGNALING FORMATS
===========================================================================
(RECC) Reverse Control Channel (mobile-to-tower on control channel)

RECC Message Format:
----------------------------------------------------------
  Seizure Precursor:
    Dotting    (30 bits)   1010101010101010101010101010101
    Word Sync  (11 bits)   11100010010
    DCC        (7 bits)    xxxxxxx

      Digital Color Code (DCC)
        Received   Coded
        --------   -------
           00      0000000
           01      0011111
           10      1100011
           11      1111100

  Message: (from one to five words in length)
    First Word   repeated 5 times (240 bits)
    Second Word  repeated 5 times (240 bits)
    Third Word   repeated 5 times (240 bits)
    Fourth Word  repeated 5 times (240 bits)
    Fifth Word   repeated 5 times (240 bits)
----------------------------------------------------------

There are 4 types of RECC messages:
    Page Response Message
    Origination Message
    Order Confirmation Message
    Order Message

These are composed of combinations of the following message words:

  Abbreviated Address Word:
    F      (1 bit)    1                          (first word indicator)
    NAWC   (3 bits)   xxx                        (number of additional words to send)
    T      (1 bit)    x                          (0=response, 1=origination/order)
    S      (1 bit)    x                          (1=serial number will be sent)
    E      (1 bit)    x                          (1=area code will be sent)
           (1 bit)    0
    SCM    (4 bits)   xxxx                       (station class mark)
    MIN1   (24 bits)  xxxxxxxxxxxxxxxxxxxxxxxx   (coded 7 digit phone number)
    P      (12 bits)  xxxxxxxxxxxx               (Parity)

  Extended Address Word:
    F      (1 bit)    0
    NAWC   (3 bits)   xxx
    LOCAL  (5 bits)   xxxxx                      (local control - system specific)
    ORDQ   (3 bits)   xxx                        (order qualifier)
    ORDER  (5 bits)   xxxxx                      (order code)
    LT     (1 bit)    x                          (1=last try)
           (8 bits)   00000000
    MIN2   (10 bits)  xxxxxxxxxx                 (coded Area Code)
    P      (12 bits)  xxxxxxxxxxxx

  Serial Number Word:
    F      (1 bit)    0
    NAWC   (3 bits)   xxx
    SERIAL (32 bits)  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   (serial number)
    P      (12 bits)  xxxxxxxxxxxx

  First Word of Called Address:   [D1..D16 are the encoded digits]
    F      (1 bit)    0
    NAWC   (3 bits)   xxx
    D1     (4 bits)   xxxx
    D2     (4 bits)   xxxx
    D3     (4 bits)   xxxx
    D4     (4 bits)   xxxx
    D5     (4 bits)   xxxx
    D6     (4 bits)   xxxx
    D7     (4 bits)   xxxx
    D8     (4 bits)   xxxx
    P      (12 bits)  xxxxxxxxxxxx

      Table of Digit Codes:
      -----------------------------
        1  0001      7  0111      NULL  0000
        2  0010      8  1000
        3  0011      9  1001
        4  0100      0  1010
        5  0101      *  1011
        6  0110      #  1100

  Second Word of Called Address:
    F      (1 bit)    0
    NAWC   (3 bits)   000
    D9     (4 bits)   xxxx                       (encoded digits, see above table)
    D10    (4 bits)   xxxx
    D11    (4 bits)   xxxx
    D12    (4 bits)   xxxx
    D13    (4 bits)   xxxx
    D14    (4 bits)   xxxx
    D15    (4 bits)   xxxx
    D16    (4 bits)   xxxx
    P      (12 bits)  xxxxxxxxxxxx

===========================================================================
(RVC) Reverse Voice Channel (mobile-to-tower on voice channel)

RVC Message Format:
--------------------------------------------------------------
    Dotting          (101 bits)  101010101....101
    Word Sync        (11 bits)   11100010010
    Repeat 1 Word 1  (48 bits)   xxxxx ... xxxxx
    Dot              (37 bits)   1010101010101010101010101010101
    Word Sync        (11 bits)   11100010010
    Repeat 2 Word 1  (48 bits)   xxxxx ... xxxxx
      .  .  .  [same pattern of repetition]  .  .  .
    Dot              (37 bits)
    Word Sync        (11 bits)
    Repeat 5 Word 1  (48 bits)
    Dot              (37 bits)
    Word Sync        (11 bits)
    Repeat 1 Word 2  (48 bits)
    Dot              (37 bits)
    Word Sync        (11 bits)
    Repeat 2 Word 2  (48 bits)
      .  .  .  [same pattern of repetition]  .  .  .
    Dot              (37 bits)   1010101010101010101010101010101
    Word Sync        (11 bits)   11100010010
    Repeat 5 Word 2  (48 bits)   xxxxx ... xxxxx
-----------------------------------------------------------

There are two kinds of RVC messages:
    Order Confirmation Message
    Called Address Message

  Order Confirmation Message Word:
    F      (1 bit)    1
    NAWC   (2 bits)   00
    T      (1 bit)    1
    LOCAL  (5 bits)   xxxxx
    ORDQ   (3 bits)   xxx
    ORDER  (5 bits)   xxxxx
           (19 bits)  0000000000000000000
    P      (12 bits)  xxxxxxxxxxxx

  Called Address Message, First Word:
    F      (1 bit)    1
    NAWC   (2 bits)   01
    T      (1 bit)    0
    D1     (4 bits)   xxxx
    D2     (4 bits)   xxxx
    D3     (4 bits)   xxxx
    D4     (4 bits)   xxxx
    D5     (4 bits)   xxxx
    D6     (4 bits)   xxxx
    D7     (4 bits)   xxxx
    D8     (4 bits)   xxxx
    P      (12 bits)  xxxxxxxxxxxx

  Called Address Message, Second Word:
    F      (1 bit)    1
    NAWC   (2 bits)   00
    T      (1 bit)    0
    D9     (4 bits)   xxxx
    D10    (4 bits)   xxxx
    D11    (4 bits)   xxxx
    D12    (4 bits)   xxxx
    D13    (4 bits)   xxxx
    D14    (4 bits)   xxxx
    D15    (4 bits)   xxxx
    D16    (4 bits)   xxxx
    P      (12 bits)  xxxxxxxxxxxx

===========================================================================
(FOCC) Forward Control Channel (tower-to-mobile on control channel)

FOCC Message Format:
--------------------------------------
    Dotting          (10 bits)   b1010101010
    Word Sync        (11 bits)   b11100010010
    Repeat 1 word A  (40 bits)   bxxxxxxxxxxbxxxxxxxxxxbxxxxxxxxxxbxxxxxxxxxx
    Repeat 1 word B  (40 bits)
    Repeat 2 word A  (40 bits)
    Repeat 2 word B  (40 bits)
    Repeat 3 word A  (40 bits)
    Repeat 3 word B  (40 bits)
    Repeat 4 word A  (40 bits)
    Repeat 4 word B  (40 bits)
    Repeat 5 word A  (40 bits)
    Repeat 5 word B  (40 bits)   bxxxxxxxxxxbxxxxxxxxxxbxxxxxxxxxxbxxxxxxxxxx
    Dotting          (10 bits)   b1010101010
-------------------------------------

    A Busy/Idle Bit (b) is inserted at the beginning of Dotting and Word
    Sync, and every 10 bits during word repetitions beginning at the start
    of the first word.  b=1 when the RCC is Idle.  b=0 when the RCC is Busy.

There are three types of FOCC messages:
    Mobile Station Control Message
    Overhead Message
    Control-filler Message

Mobile Station Control Message: (one, two or four words)
------------------------------

  Abbreviated Address Word:
    TT     (2 bits)   0x            (00=if one word sent, 01=if multiple words sent)
    DCC    (2 bits)   xx            Digital Color Code
    MIN1   (24 bits)  xxxxxxxxxxxxxxxxxxxxxxxx
    P      (12 bits)  xxxxxxxxxxxx

  Extended Address Word: (two versions of this word occur)

    First version:
    TT     (2 bits)   10
    SCC    (2 bits)   11
    MIN2   (10 bits)  xxxxxxxxxx
           (1 bit)    0
    LOCAL  (5 bits)   xxxxx
    ORDQ   (3 bits)   xxx
    ORDER  (5 bits)   xxxxx
    P      (12 bits)  xxxxxxxxxxxx

    Second version:
    TT     (2 bits)   10
    SCC    (2 bits)   xx            [not=11]
    MIN2   (10 bits)  xxxxxxxxxx
           (1 bit)    0
    VMAC   (3 bits)   xxx           (attenuation code)
    CHAN   (11 bits)  xxxxxxxxxxx   (channel number)
    P      (12 bits)  xxxxxxxxxxxx

  First Directed-Retry Word:
    TT      (2 bits)  10
    SCC     (2 bits)  11            SAT Color Code
    CHANPOS (7 bits)  xxxxxxx       channel position relative to first access channel
    CHANPOS (7 bits)  xxxxxxx
    CHANPOS (7 bits)  xxxxxxx
            (3 bits)  000
    P       (12 bits) xxxxxxxxxxxx

  Second Directed-Retry Word:
    TT      (2 bits)  10
    SCC     (2 bits)  11
    CHANPOS (7 bits)  xxxxxxx
    CHANPOS (7 bits)  xxxxxxx
    CHANPOS (7 bits)  xxxxxxx
            (3 bits)  000
    P       (12 bits) xxxxxxxxxxxx

-------------------------------  -------------------------------
Overhead Messages:
    System Parameter Overhead Message
    Global Action Overhead Message
    Registration Identification Message
    Control-filler Message

System Parameter Overhead Message:
----------------------------------

  System Parameter Word 1:
    TT     (2 bits)   11
    DCC    (2 bits)   xx
           (3 bits)   000
    NAWC   (4 bits)   xxxx
    OHD    (3 bits)   110           (overhead message type)
    P      (12 bits)  xxxxxxxxxxxx

  System Parameter Word 2:
    TT     (2 bits)   11
    DCC    (2 bits)   xx
    S      (1 bit)    x             (serial number flag)
    E      (1 bit)    x             (extended address flag)
    REGH   (1 bit)    x             (registration for home stations)
    REGR   (1 bit)    x             (registration for roaming stations)
    DTX    (1 bit)    x             (discontinuous transmission flag)
           (1 bit)    0
    N-1    (5 bits)   xxxxx         (number of paging channels in system minus 1)
    RCF    (1 bit)    x             (read-control-filler flag)
    CPA    (1 bit)    x             (combined paging/access flag)
    CMAX-1 (1 bit)    x             (number of access channels in system minus 1)
    END    (1 bit)    x             (1=last word of overhead message train)
    OHD    (3 bits)   111
    P      (12 bits)  xxxxxxxxxxxx

-------------------------------  -------------------------------
Global Action Overhead Messages:

  Rescan Global Action Message:
    TT     (2 bits)   11
    DCC    (2 bits)   xx
    ACT    (4 bits)   0001
           (16 bits)  0000000000000000
    END    (1 bit)    x
    OHD    (3 bits)   100
    P      (12 bits)  xxxxxxxxxxxx

  Registration Increment Global Action Message:
    TT      (2 bits)  11
    DCC     (2 bits)  xx
    ACT     (4 bits)  0010
    REGINCR (12 bits) xxxxxxxxxxxx  (registration increment)
            (4 bits)  0000
    END     (1 bit)   x
    OHD     (3 bits)  100
    P       (12 bits) xxxxxxxxxxxx

  New Access Channel Set Global Action Message:
    TT     (2 bits)   11
    DCC    (2 bits)   xx
    ACT    (4 bits)   0110
    NEWACC (11 bits)  xxxxxxxxxxx   (new access channel starting point)
           (4 bits)   0000
    END    (1 bit)    x
    OHD    (3 bits)   100
    P      (12 bits)  xxxxxxxxxxxx

  Overload Control Global Action Message:
    TT     (2 bits)   11
    DCC    (2 bits)   xx
    ACT    (4 bits)   1000
    OLCD0  (1 bit)    x             (overload class flags)
    OLCD1  (1 bit)    x
    OLCD2  (1 bit)    x
    OLCD3  (1 bit)    x
    OLCD4  (1 bit)    x
    OLCD5  (1 bit)    x
    OLCD6  (1 bit)    x
    OLCD7  (1 bit)    x
    OLCD8  (1 bit)    x
    OLCD9  (1 bit)    x
    OLCD10 (1 bit)    x
    OLCD11 (1 bit)    x
    OLCD12 (1 bit)    x
    OLCD13 (1 bit)    x
    OLCD14 (1 bit)    x
    OLCD15 (1 bit)    x
    END    (1 bit)    x
    OHD    (3 bits)   100
    P      (12 bits)  xxxxxxxxxxxx

  Access Type Parameters Global Action Message:
    TT     (2 bits)   11
    DCC    (2 bits)   xx
    ACT    (4 bits)   1001
    BIS    (1 bit)    x             (busy/idle status flag)
           (15 bits)  000000000000000
    END    (1 bit)    x
    OHD    (3 bits)   100
    P      (12 bits)  xxxxxxxxxxxx

  Access Attempt Parameters Global Action Message:
    TT            (2 bits)  11
    DCC           (2 bits)  xx
    ACT           (4 bits)  1010
    MAXBUSY-PGR   (4 bits)  xxxx    (maximum busy occurrences, page response)
    MAXSZTR-PGR   (4 bits)  xxxx    (maximum seizure tries, page response)
    MAXBUSY-OTHER (4 bits)  xxxx    (maximum busy occurrences, other accesses)
    MAXSZTR-OTHER (4 bits)  xxxx    (maximum seizure tries, other accesses)
    END           (1 bit)   x
    OHD           (3 bits)  100
    P             (12 bits) xxxxxxxxxxxx

  Local Control 1 Message:
    TT            (2 bits)  11
    DCC           (2 bits)  xx
    ACT           (4 bits)  1110
    LOCAL CONTROL (16 bits) xxxxxxxxxxxxxxxx   (any local control code)
    END           (1 bit)   x
    OHD           (3 bits)  100
    P             (12 bits) xxxxxxxxxxxx

  Local Control 2 Message:
    TT            (2 bits)  11
    DCC           (2 bits)  xx
    ACT           (4 bits)  1111
    LOCAL CONTROL (16 bits) xxxxxxxxxxxxxxxx
    END           (1 bit)   x
    OHD           (3 bits)  100
    P             (12 bits) xxxxxxxxxxxx

-------------------------------
Registration Identification Message:
    TT     (2 bits)   11
    DCC    (2 bits)   xx
    REGID  (20 bits)  xxxxxxxxxxxxxxxxxxxx   (registration ID)
    END    (1 bit)    x
    OHD    (3 bits)   000
    P      (12 bits)  xxxxxxxxxxxx

------------------------------------
Control-Filler Message:
    TT     (2 bits)   11
    DCC    (2 bits)   xx
           (6 bits)   010111
    CMAC   (3 bits)   xxx           (current mobile attenuation)
           (7 bits)   0011001
    WFOM   (1 bit)    x             (wait for overhead message)
           (4 bits)   1111
    OHD    (3 bits)   001
    P      (12 bits)  xxxxxxxxxxxx

===========================================================================
(FVC) Forward Voice Channel (tower-to-mobile on voice channel)

FVC Message Format:
  * BUSY/IDLE bits are inserted into FVC messages in a format similar to
    that of FOCC messages.
--------------------------------------------------------------
    Dotting          (101 bits)  101010101...101
    Word Sync        (11 bits)   11100010010
    Repeat 1 Word    (40 bits)   xxxxx...xxxxx
    Dot              (37 bits)   1010101010101010101010101010101
    Word Sync        (11 bits)   11100010010
    Repeat 2 Word    (40 bits)   xxxxx...xxxxx
    Dot              (37 bits)
    Word Sync        (11 bits)
    Repeat 3 Word    (40 bits)
      .  .  .  [same pattern of repetition]  .  .  .
    Dot              (37 bits)   1010101010101010101010101010101
    Word Sync        (11 bits)   11100010010
    Repeat 11 Word   (40 bits)   xxxxx...xxxxx
-----------------------------------------------------------

There is only one kind of FVC message:
    Mobile Station Control Message

  Mobile Station Control Word: (two versions of this word occur)

    First version:
    TT     (2 bits)   10
    PSCC   (2 bits)   xx            (present SAT code)
           (9 bits)   000000000
    LOCAL  (5 bits)   xxxxx
    ORDQ   (3 bits)   xxx
    ORDER  (5 bits)   xxxxx
    P      (12 bits)  xxxxxxxxxxxx

    Second version:
    TT     (2 bits)   10
    PSCC   (2 bits)   xx            (present SAT code)
           (9 bits)   000000000
    VMAC   (3 bits)   xxx           (attenuation code)
    CHAN   (11 bits)  xxxxxxxxxxx   (channel number)
    P      (12 bits)  xxxxxxxxxxxx

===========================================================================
  * See Part Six for information describing various codes used in message
    word fields.
===========================================================================


                              THE DNA BOX
                        Hacking Cellular Phones
                               9-FEB-89

                           P A R T   S I X

                   CELLULAR TELEPHONE MESSAGE CODES
============================================================================

The previous file (Part Five) listed the Message Formats and Message Words
used by the Cellular Telephone system. Message words have variable sub-fields
that are set to convey various information (such as dialed numbers, mobile
phone ID, commands, requests, channel assignments etc.). Here are the codes
used in Message Word subfields during data transmissions.
============================================================================
Mobile Station Automatic Attenuation Levels

Mobile Attenuation Code (MAC)
             Power Class
MAC        I      II     III
---       ---    ---    ---
000         6      2     -2
001         2      2     -2
010        -2     -2     -2
011        -6     -6     -6
100       -10    -10    -10
101       -14    -14    -14
110       -18    -18    -18
111       -22    -22    -22
(Attenuation in dBW)

Power Classifications
Nominal ERP Power Outputs
Class        ERP      Level
---------    ----     --------
Class I      4W       ( 6 dBW)
Class II     1.6W     ( 2 dBW)
Class III    0.6W     (-2 dBW)
=========================================================
Station Class Mark (SCM)

SCM     Station Class, Transmission
----    ----------------------------
xx00    Class I
xx01    Class II
xx10    Class III
00xx    Continuous Transmissions
01xx    Discontinuous Transmissions
(for example 0010 means Class I Continuous Transmissions)
=========================================================
Digital Color Code (DCC)

Received    Coded
--------    -------
00          0000000
01          0011111
10          1100011
11          1111100
=======================================
SAT Color Code (Supervisory Audio Tone)

Code    Frequency
----    ---------
00      5970 Hz
01      6000 Hz
10      6030 Hz
11      (not a channel designation)
====================================
Digit Code (for dialed numbers etc.)

Digit    Code
-----    ----
1        0001
2        0010
3        0011
4        0100
5        0101
6        0110
7        0111
8        1000
9        1001
0        1010    (zero is encoded as a binary ten)
*        1011
#        1100
Null     0000    (when no digit present)
===================================
Order and Qualification Codes

Order    Qual   Function
-----    ---    ---------------------
00000    000    page (or origination)
00001    000    alert
00011    000    release
00100    000    reorder
00110    000    stop alert
00111    000    audit
01000    000    send called-address
01001    000    intercept
01010    000    maintenance
01011    000    change to power level 0
01011    001    change to power level 1
01011    010    change to power level 2
01011    011    change to power level 3
01011    100    change to power level 4
01011    101    change to power level 5
01011    110    change to power level 6
01011    111    change to power level 7
01100    000    directed retry - not last try
01100    001    directed retry - last try
01101    000    non-autonomous registration - do not make whereabouts known
01101    001    non-autonomous registration - make whereabouts known
01101    010    autonomous registration - do not make whereabouts known
01101    011    autonomous registration - make whereabouts known
11110    000    local control
(All other codes are reserved)
==============================================================
Overhead Message Type

Code    Type
----    ------------------
000     registration ID
001     control-filler
010     (reserved)
011     (reserved)
100     global action
101     (reserved)
110     word 1 of system parameter message
111     word 2 of system parameter message
=======================================
Global Action Message Types

Code    Action Type
----    -----------
0000    (reserved)
0001    rescan paging channels
0010    registration increment
0011    (reserved)
0100    (reserved)
0101    (reserved)
0110    new access channel set
0111    (reserved)
1000    overload control
1001    access type parameters
1010    access attempt parameters
1011    (reserved)
1100    (reserved)
1101    (reserved)
1110    local control 1
1111    local control 2
====================================================================
Restricted Central Office Codes

Cellular phone numbers are NEVER issued with these patterns, in order to
prevent Word Sync patterns from occurring inside a command word.

1xx-xxxx
544-2xxx
864-2xxx
224-2xxx
568-1xxx thru 568-7xxx
899-xxxx
288-2xxx
595-8xxx thru 595-0xxx
800-xxxx
339-8xxx thru 339-0xxx
663-xxxx thru 666-xxxx
928-2xxx
352-xxxx
672-2xxx
992-2xxx
416-2xxx
736-2xxx
909-xxxx
470-2xxx
790-2xxx
0xx-xxxx
508-2xxx
851-8xxx thru 851-0xxx
=====================================================================
Bose-Chaudhuri-Hocquenghem (BCH) Codes

Right now the best GUESS, based on available material, is that BCH coding is
the way that the 12 bit Parity field is computed. The "polynomial" that
generates the code is given as:

    gB(X) = X^12 + X^10 + X^8 + X^5 + X^4 + X^3 + X^0

Taking this verbatim in the usual way (superscripts meaning exponentiation)
gives ridiculous results that would be difficult to compute at the 10 Kb/s
data rate required by the Cellular Data Protocol. It makes more sense to
interpret this notation to indicate that the bits of the message word are
summed (in binary) in 12, 10, 8, 5, 4, and 3 bit bytes with 1 added. That
is: the word is broken up into a bunch of sub-bytes of a certain length,
these are added together, the original word is again broken into sub-bytes
of the next length and those are summed ... until all listed lengths have
been summed. THEN all of those sums are summed and 1 is added. The low order
12 bits of the result of this procedure are used as the parity bits.

THIS IS ALMOST PURE SPECULATION. Confirmation is currently being sought at
university engineering libraries, or by examining the parity bits in
published examples or intercepted cellular messages.

The Parity bits are irrelevant to hacking Cellular ID codes however, because
message words are repeated many times in each message block, and the ID
fields (MIN1, MIN2, and SID) can simply be lifted from the most frequent
(and most likely error-free) message words in the block.
HOWEVER: If BCH coding transforms the message bits as well as the Parity
bits, then the proper BCH coding algorithm becomes critical. If all else
fails, disassembling the ROM firmware from a Cellular Phone should be
conclusive.
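In coding theory a generator polynomial is not evaluated with arithmetic exponentiation: each term names a tap of a modulo-2 (XOR) shift register, and the parity is the remainder of the message polynomial times X^12 divided by gB(X), which costs only a handful of XORs per bit even at 10 Kb/s. The example below is added here (it is not from the original text) and assumes the standard systematic form, message bits first and most-significant-bit first with the 12-bit remainder appended; whether the cellular system used exactly that bit order is not confirmed by the page.

```python
# Added example, not from the original text. Parity as the GF(2) remainder of
# M(X) * X^12 divided by gB(X), done by long division one bit at a time.
# Assumption: systematic form, message bits first (MSB first), 12 parity bits
# appended; the exact over-the-air bit order is not given on the page.

GB_POLY = 0b1010100111001   # gB(X) = X^12 + X^10 + X^8 + X^5 + X^4 + X^3 + 1
PARITY_BITS = 12

# Constructed 28-bit sample message (40 - 12 parity), not a captured word.
SAMPLE_MESSAGE = "1101000100001011100011000101"


def bch_parity(message_bits):
    """Return the 12 parity bits for a string of '0'/'1' message bits.

    The register holds the running remainder; whenever a degree-12 term
    appears, gB(X) is subtracted (XOR), exactly what a 12-stage linear
    feedback shift register does in hardware.
    """
    reg = 0
    for bit in message_bits + "0" * PARITY_BITS:   # trailing zeros = times X^12
        if bit not in "01":
            raise ValueError("message bits must be '0' or '1'")
        reg = (reg << 1) | int(bit)
        if reg & (1 << PARITY_BITS):               # degree-12 term present
            reg ^= GB_POLY
    return format(reg, "0%db" % PARITY_BITS)


def encode_word(message_bits):
    """Message bits followed by their parity: the 28 + 12 = 40-bit word layout."""
    return message_bits + bch_parity(message_bits)


def word_is_consistent(word_bits):
    """Receiver-side integrity check: recompute parity over the leading bits
    and compare with the trailing 12. A word that fails should be discarded
    before any field in it is trusted, which is cheaper than majority-voting
    every repeat of the word."""
    msg, parity = word_bits[:-PARITY_BITS], word_bits[-PARITY_BITS:]
    return bch_parity(msg) == parity


def flip_bit(word_bits, index):
    """Corrupt one bit, to show that any single-bit error is caught."""
    flipped = "1" if word_bits[index] == "0" else "0"
    return word_bits[:index] + flipped + word_bits[index + 1:]
```

With this reading, a message of all zeros gets all-zero parity and a message whose only set bit is the last one gets the parity 010100111001, the low twelve coefficients of gB(X) itself.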
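The word layouts of Part Five and the code tables of Part Six above combine into a field decoder for FOCC overhead words; the following is an added example, not code from the original text, and the two sample words in it are constructed (with a placeholder parity field), not captured traffic.

```python
# Added example, not from the original text: slice the fields of one 40-bit
# FOCC overhead word using the Part Five layouts and Part Six code tables.
# Bits are written most-significant-first as in the tables; P is not checked.

OHD_NAMES = {"000": "registration ID", "001": "control-filler",
             "100": "global action", "110": "system parameter word 1",
             "111": "system parameter word 2"}
GLOBAL_ACTION = {"0001": "rescan paging channels", "0010": "registration increment",
                 "0110": "new access channel set", "1000": "overload control",
                 "1001": "access type parameters", "1010": "access attempt parameters",
                 "1110": "local control 1", "1111": "local control 2"}
# MAC -> attenuation (dBW) for power classes I, II, III, from the MAC table
MAC_LEVELS = {"000": (6, 2, -2), "001": (2, 2, -2), "010": (-2, -2, -2),
              "011": (-6, -6, -6), "100": (-10, -10, -10), "101": (-14, -14, -14),
              "110": (-18, -18, -18), "111": (-22, -22, -22)}

# Constructed sample words (not captured traffic); the parity field is a placeholder.
SAMPLE_REGINCR_WORD = "11" + "01" + "0010" + format(450, "012b") + "0000" + "1" + "100" + "0" * 12
SAMPLE_FILLER_WORD = "11" + "10" + "010111" + "011" + "0011001" + "1" + "1111" + "001" + "0" * 12


def decode_overhead_word(word):
    """Decode a 40-bit FOCC overhead word (TT must be 11) into named fields."""
    if len(word) != 40 or set(word) - {"0", "1"}:
        raise ValueError("expected a 40-bit string of 0/1")
    tt, dcc, body, ohd, parity = word[:2], word[2:4], word[4:25], word[25:28], word[28:]
    if tt != "11":
        raise ValueError("not an overhead word (TT != 11)")
    out = {"DCC": dcc, "OHD": OHD_NAMES.get(ohd, "reserved"), "P": parity}
    if ohd == "100":                      # global action: ACT(4) payload(16) END(1)
        act, payload, end = body[:4], body[4:20], body[20]
        out["ACT"], out["END"] = GLOBAL_ACTION.get(act, "reserved"), end == "1"
        if act == "0010":
            out["REGINCR"] = int(payload[:12], 2)
        elif act == "0110":
            out["NEWACC"] = int(payload[:11], 2)
        elif act == "1000":               # OLCD0..OLCD15: list the classes flagged
            out["OLCD"] = [i for i, b in enumerate(payload) if b == "1"]
        elif act == "1010":               # four 4-bit access attempt limits
            names = ("MAXBUSY-PGR", "MAXSZTR-PGR", "MAXBUSY-OTHER", "MAXSZTR-OTHER")
            out.update((n, int(payload[4 * i:4 * i + 4], 2)) for i, n in enumerate(names))
    elif ohd == "000":                    # registration ID: REGID(20) END(1)
        out["REGID"], out["END"] = int(body[:20], 2), body[20] == "1"
    elif ohd == "001":                    # control-filler: 010111 CMAC 0011001 WFOM 1111
        if body[:6] != "010111" or body[9:16] != "0011001" or body[17:] != "1111":
            raise ValueError("control-filler fixed bit pattern does not match")
        out["CMAC"] = body[6:9]
        out["CMAC dBW (I, II, III)"] = MAC_LEVELS[body[6:9]]
        out["WFOM"] = body[16] == "1"
    return out
```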