
TUCoPS :: Phreaking Cellular - Misc. :: cpp1.txt

Ultimate Cellular Phreaking Manual Part 1


                  %%%                                %%%
                  %%%     THE ULTIMATE CELLULAR      %%%
                  %%%        PHONE PHREAKING         %%%
                  %%%        MANUAL #1 of 2.         %%%
                  %%%                                %%%
                  %%%          COMPILED BY           %%%
                  %%%           THE RAVEN            %%%
                  %%%                                %%%

(Sysop's Note: None of this material COMPILED by Raven appears to be his own
work! After examining some other files on cellular phreaking, I discovered
some of the primary sources of his material are several articles written by
The Mad Phone Man, an article on IMTS by The Researcher (of this BBS, P-80),
and numerous other sources. Raven would suggest that this is his knowledge.
One example of this is a question-and-answer segment that Mad Phone Man had in
one of his cell phreaking series. Raven has substituted his name where the
answers are similar to a typewritten copy of a conversation, whereby the
name of the person speaking at the moment is at the beginning of that line or lines.
Thus it appears that Raven would like us to believe him knowledgeable on this
subject. NOT! He has also removed all original credits of the real authors.
Sounds like another teenager on an ego/power trip. However, even though some
of this material is duplicated on this system, some is not, so I'm gonna run it.
I do hope the technical data survived his COMPILING of this data better than
his spelling and use of the English language.   Scan Man)

Hmmm.... Another text file.. Make sure that you keep this one for your
collection!! There is no other text file that is more complete or up-to-date
that explains cellular phone phreaking like this one for 1992!!!

Since this is going to be a complete manual it has been broken up into
2 parts, so this is manual 1. I'm hoping that there will be some info
on cellular phreaking published in PHRACK that may be able to help you and
me with our endeavors, but I'm waiting.

Another thing that I just found out is that the Hack/Phreak Community is
in need of a BBS that doesn't give bullshit info (most do!), and that's because
our world has been infiltrated with narcs and telco/Bell agents that try to
spread as much misinformation as possible!! But there are a few BBSs that
keep the faith and they will be listed at the end of this text.

                                                   THE RAVEN


                    I. Improved Mobile Telephone Service (IMTS)
                   II. General Information
                  III. Cellular Freqs. & Channels
                   IV. The Cell & Its Structure
                    V. Equipment Description
                   VI. More General Info.
                  VII. Roaming
                 VIII. NOTE

                        CELLULAR PHREAKER TYPES

  There are two types of cellular phone phreakers. The first type is the one
who is interested in scanning cellular phone channels, basically to overhear
conversations. The second type is the one who obtains and modifies cellular
equipment so that he can make free phone calls at someone else's expense.

                    I. Improved Mobile Telephone Service (IMTS)

  The system that was used prior to cellular phones was the Improved Mobile
Telephone Service (IMTS), which was much easier to scan.
  Most scanner enthusiasts are familiar with this standard mobile phone
system; it has gone through little evolution in the past decade in the
U.S. and has remained a considerably limited service. A large metro area may
only have several hundred users (New York City has about 900 mobile phone
subscribers), due largely to limitations imposed by spectral overcrowding.
Land mobile communications have seen a 10-12% annual growth rate for the past two
decades. The result is that the 40, 150 and 450 MHz bands are overcrowded.
Even the utilization of the new 900 MHz band (with 30-40 times more channels
available than the other bands) is a short-lived solution to the problem.

 IMTS freqs (MHz):

               Channel     Base Freq.        Mobile Freq.

               VHF LOW BAND
                 ZO          35.26             43.26
                 ZF          35.30             43.30
                 ZH          35.34             43.34
                 ZA          35.42             43.42
                 ZY          35.46             43.46
                 ZR          35.50             43.50
                 ZB          35.54             43.54
                 ZW          35.62             43.62
                 ZL          35.66             43.66

               VHF HIGH BAND
                 JL          152.51            157.77
                 YL          152.54            157.80
                 JP          152.57            157.83
                 YP          152.60            157.86
                 YJ          152.63            157.89
                 YK          152.66            157.92
                 JS          152.69            157.95
                 YS          152.72            157.98
                 YA          152.75            158.01
                 JK          152.78            158.04
                 JA          152.81            158.07

               UHF BAND
                 QC          454.375           459.375
                 QJ          454.400           459.400
                 QD          454.425           459.425
                 QA          454.450           459.450
                 QE          454.475           459.475
                 QP          454.500           459.500
                 QK          454.525           459.525
                 QB          454.550           459.550
                 QO          454.575           459.575
                 QR          454.600           459.600
                 QY          454.625           459.625
                 QF          454.650           459.650

 The VHF high-band freqs. are the most popular IMTS channels. If you live
within 25-50 miles of even a moderate sized town, you should have at least
one VHF high-band channel. VHF low-band IMTS is used in rural areas and
those with hilly terrain. UHF IMTS is primarily used in cities where the
VHF channels are crowded. If you live in a major city, expect to have most,
if not all, of these channels available to you.


                   II. General Information

  This section is a little boring but it's needed to set a basic foundation
of cellular phone phreaking so that part 2 doesn't sound like all
technical talk!
  The FCC originally established 3 cellular bands. One was given to the local
Bell or telco (the wireline carrier), one to an independent firm (the non-wireline
carrier), and one was held in reserve for future use. Originally there were 666 cellular
freqs or channels. In recent years the FCC has tacked on another 166 freqs
for a total of 832, and all cellular makers have upgraded their phones
to accommodate the new channels. Some of the new channels appear above the
original 666 while others appear below.
  The cellular system cannot know whether or not a cellular phone can be
switched to one of the 166 added channels without the phone telling it. This is done
by the Station Class Mark (SCM), which is a 4-bit binary number:
                (1) Bit #1 is "0" for a 666-channel phone and "1" for 832.
                (2) Bit #2 is "0" for continuous transmission (a mobile unit) and
                    "1" for voice-activated (discontinuous) transmit.
                    (That saves batteries on portables.)
                (3) Bits #3 and #4 identify the power class
                    of the phone:
                                  "00" = 3 watts
                                  "01" = 1.2 watts
                                  "10" = 0.6 watts
                      and "11" is not assigned.
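As an added example (not part of the original file), here is the SCM nibble packed and unpacked in Python the way the four bits are laid out above. The bit order is an assumption of this example: the text's "bit #1" is taken as the most significant bit of the field and "bit #4" as the least significant; the wattages are the text's own.

```python
# Added example: pack/unpack the 4-bit Station Class Mark as laid out in the
# text. Assumption: the text's "bit #1" is the most significant bit (value 8)
# and "bit #4" the least significant (value 1).

POWER_CLASS = {0b00: 3.0, 0b01: 1.2, 0b10: 0.6}   # watts, per the text; 0b11 unassigned
WATTS_TO_CLASS = {w: c for c, w in POWER_CLASS.items()}


def scm_encode(extended_832, vox, power_watts):
    """Return the SCM nibble (0..15) for a phone with these three properties."""
    if power_watts not in WATTS_TO_CLASS:
        raise ValueError(f"no power class transmits {power_watts} W")
    return (int(bool(extended_832)) << 3      # bit #1: 666- vs 832-channel phone
            | int(bool(vox)) << 2             # bit #2: voice-activated transmit
            | WATTS_TO_CLASS[power_watts])    # bits #3-#4: power class


def scm_is_valid(scm):
    """True for any 4-bit value whose power class is assigned (not 0b11)."""
    return 0 <= scm <= 0xF and (scm & 0b11) in POWER_CLASS


def scm_decode(scm):
    """Split an SCM nibble into its fields; rejects the unassigned class 11."""
    if not scm_is_valid(scm):
        raise ValueError(f"SCM {scm:#06b} is out of range or uses the unassigned power class")
    return {
        "channels": 832 if scm & 0b1000 else 666,
        "vox": bool(scm & 0b0100),
        "power_watts": POWER_CLASS[scm & 0b11],
    }
```

A phone that reports SCM 1010, for instance, is claiming the 832-channel set, continuous transmit and the 0.6 W class; the system would never offer it an extended channel if that first bit were 0.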

  The traditional scheme for handling cellular traffic is the analog
method, Frequency-Division Multiple Access (FDMA). In FDMA, free channels
are found and each transmitter is assigned to one of them. When the call
finishes, the channels are freed up for the next call. Also, as the two
parties become physically closer or more distant as they drive or travel,
the call may be handed off to other freqs assigned to the new cells
they are in.
  Newer proposed schemes include Time-Division Multiple Access (TDMA) and Code-
Division Multiple Access (CDMA). In TDMA systems, several calls use the same
channel at once: each call's speech is digitized and compressed, and each
call is given its own recurring time slot on the channel, so the calls are
interleaved in time rather than each owning a frequency. The Cellular Phone
Company (CPC) gets about three times the capacity out of the same channel
and can expand its operation without new spectrum. The digitizing and
compression add a small processing delay to each call, but do not lengthen it.
  CDMA is a spread-spectrum technique the military has used for the past 30+ years.
Each call's digitized speech is spread across a wide channel with its own
code, and the receiver uses the same code to pull that one conversation back
out from the others sharing the channel.
  A Cellular Mobile Telephone (CMT) is one that is installed in a vehicle,
aircraft, watercraft or whatever, as opposed to a transportable or portable


                  III. Cellular Freqs. & Channels

  There are 832 cellular phone channels. 416 of these are allocated for the
non-wireline service (Band A), and 416 for the wireline service (Band B).
Each of these channels has two freqs, spaced 45 MHz apart, that operate in
full-duplex mode. The lower freq is for the phone unit, while the upper is
for the cell or base site. Of the 416 channels, 21 are digital data control or
"set-up" channels and 395 are voice channels. Channels are numbered 1 through
1023, and there is a gap from 800 to 990.

  Rather than producing a list of 1664 cellular freqs (832 channels, two
sides each), I have provided the math equations that can be used to calculate
them. These equations can be programmed into computers and calculators.

     N = Cellular Channel #              F = Cellular Freq (MHz)
     B = 0 (mobile), or B = 1 (base)


  F = 825.030 + B*45 + (N-1)*0.03
        where: N = 1 to 799

  F = 824.040 + B*45 + (N-991)*0.03
        where: N = 991 to 1023


    N = 1 + (F - 825.030 - B*45)/0.03
      where: F >= 825.030 (mobile)
         or F >= 870.030 (base)

    N = 991 + (F - 824.040 - B*45)/0.03
      where: F <= 825.000 (mobile)
         or F <= 870.000 (base)

  If the system uses OMNICELLS, as most do, you can readily find all the
channels in a cell if you know just one of them, using tables constructed
from these equations. Band A uses channels 1-333 under the old 666-channel
system. To that have been added 667-716 and 991-1023 under the new 832-channel
system. Band B uses channels from 334-666 under the old system, plus 717-799
under the new system.

                   IV. The Cell & Its Structure

  (D = channel-set designation within the cell, CC = set-up/control channel,
  VC = voice channels belonging to that set.)

                    NON-WIRELINE SERVICES (BAND A)

 D = 1A : CC = 313 : VC = 1,22,43,64,85,106,127,148,169,190,211,232,253,274,

 D = 2A : CC = 314 : VC = 2,23,44,65,86,107,128,149,170,191,212,233,254,275

 D = 3A : CC = 315 : VC = 3,24,45,66,87,108,129,150,171,192,213,234,255,276

 D = 4A : CC = 316 : VC = 4,25,46,67,88,109,130,151,172,193,214,235,256,277

 D = 5A : CC = 317 : VC = 5,26,47,68,89,110,131,152,173,194,215,236,257,278

 D = 6A : CC = 318 : VC = 6,27,48,69,90,111,132,153,174,195,216,237,258,279

 D = 7A : CC = 319 : VC = 7,28,49,70,91,112,133,154,175,196,217,238,259,280

 D = 1B : CC = 320 : VC = 8,29,50,71,92,113,134,155,176,197,218,239,260,281

 D = 2B : CC = 321 : VC = 9,30,51,72,93,114,135,156,177,198,219,240,261,282

 D = 3B : CC = 322 : VC = 10,31,52,73,94,115,136,157,178,199,220,241,262,283

 D = 4B : CC = 323 : VC = 11,32,53,74,95,116,137,158,179,200,221,242,263,284

 D = 5B : CC = 324 : VC = 12,33,54,75,96,117,138,159,180,201,222,243,264,285

 D = 6B : CC = 325 : VC = 13,34,55,76,97,118,139,160,181,202,223,244,265,286

 D = 7B : CC = 326 : VC = 14,35,56,77,98,119,140,161,182,203,224,245,266,287

 D = 1C : CC = 327 : VC = 15,36,57,78,99,120,141,162,183,204,225,246,267,288

 D = 2C : CC = 328 : VC = 16,37,58,79,100,121,142,163,184,205,226,247,268,289

 D = 3C : CC = 329 : VC = 17,38,59,80,101,122,143,164,185,206,227,248,269,290

 D = 4C : CC = 330 : VC = 18,39,60,81,102,123,144,165,186,207,228,249,270,291

 D = 5C : CC = 331 : VC = 19,40,61,82,103,124,145,166,187,208,229,250,271,292

 D = 6C : CC = 332 : VC = 20,41,62,83,104,125,146,167,188,209,230,251,272,293

 D = 7C : CC = 333 : VC = 21,42,63,84,105,126,147,168,189,210,231,252,273,294

                    WIRELINE SERVICES (BAND B)

 D = 1A : CC = 334 : VC = 355,376,397,418,439,460,481,502,523,544,565,586,607

 D = 2A : CC = 335 : VC = 356,377,398,419,440,461,482,503,524,545,566,587,608

 D = 3A : CC = 336 : VC = 357,378,399,420,441,462,483,504,525,546,567,588,609

 D = 4A : CC = 337 : VC = 358,379,400,421,442,463,484,505,526,547,568,589,610

 D = 5A : CC = 338 : VC = 359,380,401,422,443,464,485,506,527,548,569,590,611

 D = 6A : CC = 339 : VC = 360,381,402,423,444,465,486,507,528,549,570,591,612

 D = 7A : CC = 340 : VC = 361,382,403,424,445,466,487,508,529,550,571,592,613

 D = 1B : CC = 341 : VC = 362,383,404,425,446,467,488,509,530,551,572,593,614

 D = 2B : CC = 342 : VC = 363,384,405,426,447,468,489,510,531,552,573,594,615

 D = 3B : CC = 343 : VC = 364,385,406,427,448,469,490,511,532,553,574,595,616

 D = 4B : CC = 344 : VC = 365,386,407,428,449,470,491,512,533,554,575,596,617

 D = 5B : CC = 345 : VC = 36
epends on the model and maker - yours may be
different) that will need to be changed: one installed by the maker, usually
epoxied in with the phone's ID number, and one installed by the dealer with
the phone number and possibly the security code. To do this you'll obviously
need an EPROM (Erasable Programmable Read-Only Memory) burner, as well as the
same type of chips used in the phone (or a friendly & unscrupulous dealer!).
  As to recording the numbers of other mobile phone customers and using them:
as far as I know it is quite possible, if you have the equipment to record and
decode them. The cellular system would possibly freak out if two phones (with
the same valid ID/phone number combination) were both present in the network at once,
but it remains to be seen what will happen.
  The MIN is the Mobile Identification Number (it includes the phone number, and
it is stored in the NAM ROM). Stolen and spoofed ESN/MIN pairs are good for
about a month. Once a bad MIN is revealed, the legit user's MIN is changed
by the Mobile Telephone Switching Office (MTSO) and they arrange for a new
NAM ROM to be installed in the user's legit unit. Of course the MTSO keeps a
database of all legit, illegit and deadbeat MIN/ESN pairs. However, the MTSO
will allow an illegit MIN/ESN pair to continue to function beyond its
discovery in hopes of discovering who the phreaks are.
  One of the properties of the cellular phone system is that a call's channel
can be changed by the MTSO at any time, at handoff between cells or whenever
it reallocates freqs; the call does not stay on one frequency the way an
IMTS call does. Because of these channel changes it is much harder to
triangulate a CMT using standard RF direction-finding methods. It is said
that a directional antenna randomly aimed at cell-site repeaters will confuse
direction-finding equipment that is synced to the system's channel-change scheme.


                  VII. Roaming

  Since cellular technology often results in physical separation between the
caller and/or called party and the landlines, because it offers thousands of
lines to choose from, because channel changes occur, and because the caller
and/or called party can be rapidly moving from one location to another,
cellular phones are the safest form of phreaking. "Roaming" is one form of
cellular phreaking.
  Roaming occurs when a CMT is used in a cellular system other than the one
indicated in the NAM's SID. This is called "ROAM mode", and the ROAM indicator
on the control head will light. A CMT can roam into any system its home CPC
has a roaming agreement with, and most CPCs now have roaming agreements with
each other. Not every system pays attention to a "roamer" from outside the
system as closely as they do a local subscriber. In their mad rush to offer
cellular as "universal" service, they screwed up. If there's no roaming
agreement, the MTSO will transmit a recorded message to the CMT with
instructions to call the CPC and give his name, MIN, ESN and credit card
number. All roamed calls will then be completed by the MTSO and billed to the
credit card account. This procedure is becoming less common as more roaming
agreements are made.
   Usually, a CPC can only determine whether a roamer came from a system with which
it has a roaming agreement - not the creditworthiness of the roamer.
Consequently, many CPCs have been ripped off by roamers who've been denied
service on their home system because they are deadbeats. Once the home CPC
is billed for the roaming services provided by the remote CPC to the phreaker
or deadbeat, it will notify the remote CPC to add that ESN/MIN pair to its
MTSO's "negative verify" file to prevent future abuses.
   Several independent firms are establishing systems software and data
networks to allow POSITIVE ROAMER VERIFICATION (PRV), which allows near real-time
roamer validation by sharing data between CPCs. Until PRV becomes
universal, even bogus ESNs and MINs can roam if they follow the standard
format, although some CPCs are sharing roaming data on a limited basis to prevent
this. Even with PRV, ESN/MIN pairs that are spoofed to match valid accounts
will be accepted both by their home CPC and roamed CPCs, until the legit
customer complains about the calls he didn't make. And even without PRV,
some CPCs automatically share ESN and MIN data. This frequently occurs
between the CPCs in major cities and those in their bedroom communities.
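The three situations just described (no PRV, PRV, and the after-the-fact negative-verify file) as a toy Python model, added here and not part of the original file. The carriers, subscriber pairs and MINs are constructed for illustration; SID 56, SID 03 and the 863 exchange are the Buffalo figures the text gives further down, and the ESN being a 32-bit number is the AMPS format. Everything else (the Carrier class, the function names, the exact reason strings) is this example's own.

```python
# Added example (not from the original file): a toy model of roamer validation
# with and without Positive Roamer Verification, plus the negative-verify
# file. Carriers, ESN/MIN pairs and MINs are constructed for illustration.

import re

# A MIN in "standard format": 10 digits shaped like a NANP number (NPA-NXX-XXXX).
MIN_RE = re.compile(r"[2-9]\d{2}[2-9]\d{2}\d{4}")


def well_formed(esn, min_):
    """Format check only: a 32-bit ESN and a NANP-shaped MIN."""
    return isinstance(esn, int) and 0 <= esn <= 0xFFFFFFFF and MIN_RE.fullmatch(min_) is not None


def sid_is_wireline(sid):
    """Per the text, wireline (Band B) SIDs are even, non-wireline (Band A) odd."""
    return sid % 2 == 0


class Carrier:
    def __init__(self, sid):
        self.sid = sid
        self.subscribers = {}          # (esn, min) -> True if in good standing
        self.negative_verify = set()   # (esn, min) pairs the MTSO refuses
        self.partners = set()          # SIDs this CPC has a roaming agreement with

    def home_check(self, esn, min_):
        """What a PRV query to this carrier answers for one of its own pairs."""
        return self.subscribers.get((esn, min_), False)


def validate_roamer(visited, claimed_sid, esn, min_, carriers, prv=False):
    """Decide whether the visited CPC serves a roamer; returns (accepted, reason)."""
    if not well_formed(esn, min_):
        return False, "ESN/MIN not in standard format"
    if claimed_sid not in visited.partners:
        return False, "no roaming agreement: recorded message, call the CPC with a credit card"
    if (esn, min_) in visited.negative_verify:
        return False, "pair is in the negative-verify file"
    if not prv:
        # Pre-PRV: agreement + format + negative file is all the visited CPC can check
        return True, "accepted on format; billed back to claimed home SID"
    if carriers[claimed_sid].home_check(esn, min_):
        # A clone of a valid pair passes here too, until the real customer complains
        return True, "home CPC confirms the pair"
    return False, "home CPC rejects the pair"


def bill_back(home, visited, esn, min_):
    """The home CPC gets the roaming bill; a pair it will not pay for is sent
    back to the visited CPC's negative-verify file. Returns True if paid."""
    if home.home_check(esn, min_):
        return True
    visited.negative_verify.add((esn, min_))
    return False


def scenario():
    """Constructed carriers: home SID 56 (NYNEX Buffalo, wireline) and visited
    SID 3 (Buffalo non-wireline) with a roaming agreement. The 863 exchange is
    the one the text gives for NYNEX Buffalo; the subscriber digits are made up."""
    home, visited = Carrier(56), Carrier(3)
    visited.partners.add(56)
    home.subscribers[(0x8A0012AB, "7168631234")] = True    # legit subscriber
    home.subscribers[(0x8A00FFFF, "7168639999")] = False   # deadbeat cut off at home
    return {56: home, 3: visited}
```

Run through scenario(): before PRV a made-up pair in the right format and a deadbeat's real pair are both served and the loss only surfaces at bill_back, which is what populates the negative-verify file; with PRV the made-up pair and the deadbeat are refused at call time, but a clone of a paying subscriber's ESN/MIN is still accepted by both carriers, exactly the gap the text points out.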
  To call a roaming CMT, the caller must know which system that unit is in,
which can be a real trick since he may be on the road at the time. He then
calls the CPC's roaming number. Roaming numbers vary but usually are in the
phone number format (with area code, with the last four digits being
"ROAM", and with the 3 middle digits being the remote CPC's exchange).
When that number is called, a dial or ready tone is returned, after
which the roaming CMT's full MIN is entered in Touch-Tone. After several
seconds, the CMT will ring or the caller will hear a recording stating
that the roaming CMT is out of range or busy. Telocator Publications
 (202) 467-4770 publishes a nationwide roaming directory for travellers
with cellular phones.
 For example: I access the Cleveland Ohio Cellular 1's Ericsson switch
and I tell them by my NAM info that I'm a roamer from NYNEX in New York
City. Cleveland will let me make the call, because it bills back to NYC
for the number of minutes I use. If the NYC number is bogus, the call
goes through anyway, and the bill doesn't go anywhere. They do know the
exchange data for NYC (that's on a chart) so you can't tell them a wrong
system number (two digits), but one that a valid roamer would have from
his area. This is not too hard to figure out; call some of their stupid
sales idiots some time and see what they let out of the bag.

 The system numbers for the foreign exchanges: NYNEX in Buffalo is 56,
Chicago non-wireline is 01, and Buffalo non-wireline is 03. All wireline
system numbers are even and all non-wireline system numbers are odd. The first
three digits of the mobile number: NYNEX Buffalo is 863-XXXX. Buffalo non-wirelines
are 861-XXXX and 690-XXXX.
  You don't have to be a rocket scientist to figure out the local numbers
for your area, again by conning the sales people. Until the CPCs get a
cellular clearinghouse to validate roamers in real time, this method
will work out fine. It will be a while before it becomes routine to look
up a roamer. There are simply too many to look up every time service is
wanted. And this problem is increasing because of the expanding use of
cellular phones.
  If a cellular phone and its antenna happen to fall into your hands, you
could re-NAM it as a roamer and, when you get it set up, make copies of the
info with different subscriber numbers (the last 4 digits) and make free
calls as long as you can.
  The Novatel series phones are probably the best radios to use to shut down
a cell site completely, as they have secret codes in the control head that
allow you to bypass conventional switching protocols.
  I hope that this file has lived up to all the boasting I've put into it.
But if there are any problems with the freqs. or anything, you can leave me
mail on the BBSs I've listed. At this time Demon Roach and Nihilism don't
carry my files, but you can still leave me mail on those boards!

                                                   THE RAVEN


 That's it for part 1, but look out for part 2!!

 Part 2 will cover:  What's in a NAM, NAM reprogramming and how to
 reprogram the following phones:  DIAMONDTEL MESA90X & MESA99X HANDHELD,
  NEC P300 & NEC P9100, NOVATEL PTR800 & 825, OKI HANDHELD MODEL #750,
  MITSUBISHI 555, 560, 600, NEC M3700 SERIES MOBILE, NOKIA LX-11 & M-10,
  PANASONIC EB362, PANASONIC EB500 OR TP-500, RADIO SHACK 17-1002 & -1003,
   AND GE CARFONE MODELS CF-1000, CF-2000 & CF-2500

 So look for it at a BBS near you!!

                                                       THE RAVEN
