
Telecom Bandit's files on Cellular Fraud




PART I.          WHAT IS BROADCAST FROM A CELLULAR TOWER?

        When a cellular phone makes a call, it normally transmits its
Electronic Security Number (ESN), Mobile Identification Number (MIN), its
Station Class Mark (SCM) and the number called in a short burst of data.
This burst is the short buzz you hear after you press the SEND button and
before the tower catches the data.  These four things are the components
the cellular provider uses to ensure that the phone is programmed to be
billed and that it also has the identity of both the customer and the
phone.

        There are usually two cellular phone companies in an area.  One is
the wire-line carrier (Band B), which is usually Bell, and the other is the
non-wireline carrier (Band A). Within the two bands are 832 cellular phone
channels.  Each one has 416 bands, and within the bands are voice channels
that actually transmit and receive information from cellular phones.

        The ESN and the phone number (MIN) are the two primary identifiers
for any cellular phone.  If both are changed, the cellular carrier will
accept the call and either bill it to a wrong account or provide service
based on the fact that it is NOT a disconnected receiver.  It will also look
at the other two components, in order to ensure that it is actually a
cellular phone and to forward billing information to that carrier.

        The Station Class Mark can also be changed if you wish to prevent
the cellular carrier from determining the type of phone that is placing the
call.  When the cellular tower is given a false SCM, the cellular carrier,
the FCC, or whoever happens to chase down cellular fraud is often looking
for a particular phone which in reality is not the phone actually placing
the call.  For example, you can provide the SCM for a Radio Shack phone,
when in reality you are using a Novatel (How this is done from changing
the SCM I do not know...remember...I didn't write this).

        The Number Assignment Module (NAM) also has the SIDH (System
Identification for Home System) number programmed into it.  Refer to SIDH
TABLE.  The transmittal of the SIDH number tells the carrier where to forward
the billing information in case the user is "roaming".  The SIDH table
lists the major cities and their identifying numbers.  Changing an SIDH is
a programming job that takes only minutes, but be aware that the ESN is still
sent to the cellular phone company.  After they realize that the ESN is
connected to either a fake number or a phone that is not in the network, they
will block service.  The only way around this is to reprogram the ESN.
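
The carrier's side of the checks described above, as an added example that is not part of the original file: each call-setup burst is compared with the subscriber record for its MIN, and a mismatched ESN is blocked. The record layout, ESN strings, SCM values and SIDH numbers are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Burst:
    """Identity fields sent at call setup (hypothetical record layout)."""
    esn: str
    min_: str
    scm: int
    sidh: int

HOME_SIDH = 101  # constructed placeholder, not a real system ID
# Constructed subscriber records: MIN -> (provisioned ESN, provisioned SCM)
SUBSCRIBERS = {
    "5551230001": ("ESN-A1", 0x0E),
    "5551230002": ("ESN-B2", 0x0A),
}

def check_burst(b: Burst, blocked: set) -> str:
    """Classify one burst; ESNs that fail a check are added to `blocked`."""
    if b.esn in blocked:
        return "deny: ESN blocked"
    rec = SUBSCRIBERS.get(b.min_)
    if rec is None:
        # Unknown MIN: the SIDH says whether another system should vouch for it.
        if b.sidh != HOME_SIDH:
            return "roamer: ask home system"
        blocked.add(b.esn)
        return "deny: unknown MIN"
    esn, scm = rec
    if b.esn != esn:
        blocked.add(b.esn)
        return "deny: ESN/MIN mismatch"
    if b.scm != scm:
        # Right ESN/MIN pair, but the phone type differs from provisioning.
        return "flag: SCM mismatch"
    return "accept"

def classify(bursts):
    """Run a sequence of bursts through the checks with a fresh block list."""
    blocked = set()
    return [check_burst(b, blocked) for b in bursts]

# Constructed sample traffic
SAMPLE = [
    Burst("ESN-A1", "5551230001", 0x0E, 101),
    Burst("ESN-Z9", "5551230001", 0x0E, 101),
    Burst("ESN-Z9", "5551230002", 0x0A, 101),
    Burst("ESN-B2", "5551230002", 0x0E, 101),
    Burst("ESN-C3", "5559990000", 0x0E, 202),
    Burst("ESN-D4", "5550000000", 0x0E, 101),
]
```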

*****************************************************************************


