The DNA Box - Hacking cellular phones #2

                          THE DNA BOX                              JAN-89
                     Hacking Cellular Phones
                          P A R T   T W O
The previous DNA file discussed the possibility of using Japanese handheld
HAM radios and personal computers, or tape recorders to hack Cellular Phone
codes, and possible uses for investment & business info obtained by
hacking executive and corporate phone calls, and investment info services.

Here I want to mention the obvious idea of simply modifying or replacing the
ROMs in a standard Cellular Phone, and disassembling the ROM software that
operates the Phone in order to "customize" it for scanning, data monitoring,
eavesdropping and (of course) making free calls using the codes of registered
subscribers.

Simply unplugging the ROMs, putting them on a ROM card for a PC and then
copying the software to disk for disassembly is the obvious first step.
Use of a logic analyzer to monitor and record activity on the Cellular Phone's
digital bus would simplify things by providing a map of where data is stored
and which instructions are executed during each period of activity:
decoding/sending ID tones, selecting frequencies, dialing, and talking.

Checking the part number on the CPU embedded in the Cellular Phone will tell
you which disassembler to use to give a first draft of the ROM code.
The next step is to generate a map of the locations of every subroutine
call's entry point, any branch & loop locations, and all addresses written to,
read, or read-only (to map out any variables and data). Locations incremented,
decremented or tested by branch instructions should also be noted, along with
their initial and final values.

Each address in the map should be given a symbolic label in your draft of
the assembly code. Comments can also be entered with high-level language
equivalents that summarize the assembly code as you understand it.
Pay special attention to data or loop limits that match elements of the
Cellular Phone ID codes (length or contents), or any data locations that
are always accessed as a group. This may give you enough info to find the
location of the ID code and burn an EPROM with any IDs you've hacked
by listening to Cellular Calls.
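The mapping pass described above (subroutine entry points, branch and loop targets, addresses classified as read-only, write-only or read/write, counters touched by INC/DEC/CMP, data locations accessed as a consecutive group, and immediates that match a group's length) as an added example that is not part of the original file: a linear-sweep cross-reference builder in Python over a constructed toy instruction set and a constructed sample ROM. It is the kind of first pass a firmware auditor runs to find where a device keeps an identifier so that location can be reviewed for protection. The instruction set, opcode numbers, operand encoding and the sample ROM are all assumptions for this example and do not correspond to any real phone CPU or firmware.

```python
"""First-pass cross-reference map over a ROM image, built by linear sweep.
Toy ISA and sample ROM are constructed for this example (not a real CPU)."""
import struct
from dataclasses import dataclass, field

# Assumed toy ISA: opcode -> (mnemonic, operand size in bytes).
# 2-byte operands are little-endian absolute addresses; LDI takes an 8-bit immediate.
ISA = {
    0x00: ("NOP", 0), 0x01: ("CALL", 2), 0x02: ("JMP", 2), 0x03: ("BNZ", 2),
    0x04: ("LD", 2),  0x05: ("ST", 2),   0x06: ("INC", 2), 0x07: ("DEC", 2),
    0x08: ("CMP", 2), 0x09: ("RET", 0),  0x0A: ("LDI", 1),
}
OPCODE = {mnem: op for op, (mnem, _) in ISA.items()}


@dataclass
class XrefMap:
    entry_points: set = field(default_factory=set)    # CALL targets (subroutines)
    branch_targets: set = field(default_factory=set)  # JMP / BNZ targets
    reads: set = field(default_factory=set)           # LD operands
    writes: set = field(default_factory=set)          # ST operands
    counters: set = field(default_factory=set)        # INC / DEC / CMP operands
    immediates: list = field(default_factory=list)    # (offset, value) of each LDI
    listing: list = field(default_factory=list)       # (offset, mnemonic, operand)


def disassemble(rom: bytes) -> XrefMap:
    """Linear sweep from offset 0; unknown or truncated opcodes become DB entries."""
    m = XrefMap()
    pc = 0
    while pc < len(rom):
        op = rom[pc]
        if op not in ISA or pc + 1 + ISA[op][1] > len(rom):
            m.listing.append((pc, "DB", op))
            pc += 1
            continue
        mnem, size = ISA[op]
        operand = None
        if size == 2:
            operand = struct.unpack_from("<H", rom, pc + 1)[0]
        elif size == 1:
            operand = rom[pc + 1]
        m.listing.append((pc, mnem, operand))
        if mnem == "CALL":
            m.entry_points.add(operand)
        elif mnem in ("JMP", "BNZ"):
            m.branch_targets.add(operand)
        elif mnem == "LD":
            m.reads.add(operand)
        elif mnem == "ST":
            m.writes.add(operand)
        elif mnem in ("INC", "DEC", "CMP"):
            m.counters.add(operand)
        elif mnem == "LDI":
            m.immediates.append((pc, operand))
        pc += 1 + size
    return m


def classify(m: XrefMap) -> dict:
    """Split data addresses by how they are accessed."""
    return {
        "read_only": sorted(m.reads - m.writes),
        "write_only": sorted(m.writes - m.reads),
        "read_write": sorted(m.reads & m.writes),
        "counters": sorted(m.counters),
    }


def data_groups(addrs) -> list:
    """Cluster addresses into runs of consecutive locations (data accessed as a group)."""
    groups, run = [], []
    for a in sorted(addrs):
        if run and a != run[-1] + 1:
            groups.append(run)
            run = []
        run.append(a)
    if run:
        groups.append(run)
    return groups


def loop_limit_hints(m: XrefMap, groups: list) -> list:
    """Immediates equal to the length of some data group: candidate loop limits."""
    return [(off, val, g) for off, val in m.immediates for g in groups if val == len(g)]


def label_for(addr: int, m: XrefMap):
    """Symbolic label for the draft listing: sub_ for entry points, loc_ for branch targets."""
    if addr in m.entry_points:
        return f"sub_{addr:04X}"
    if addr in m.branch_targets:
        return f"loc_{addr:04X}"
    return None


def asm(*instrs) -> bytes:
    """Tiny assembler for the toy ISA, used only to build the constructed sample ROM."""
    out = bytearray()
    for mnem, *args in instrs:
        op = OPCODE[mnem]
        out.append(op)
        size = ISA[op][1]
        if size == 2:
            out += struct.pack("<H", args[0])
        elif size == 1:
            out.append(args[0])
    return bytes(out)


# Constructed sample ROM: main calls a routine that copies a 4-byte block from
# 0x0100..0x0103 into RAM at 0x0200..0x0203 under a counter kept at 0x0300.
SAMPLE_ROM = asm(
    ("CALL", 0x0008), ("JMP", 0x0000), ("NOP",), ("NOP",),             # 0x0000 main
    ("LDI", 4), ("ST", 0x0300),                                        # 0x0008 sub: counter = 4
    ("LD", 0x0100), ("ST", 0x0200), ("LD", 0x0101), ("ST", 0x0201),    # 0x000D loop body
    ("LD", 0x0102), ("ST", 0x0202), ("LD", 0x0103), ("ST", 0x0203),
    ("DEC", 0x0300), ("CMP", 0x0300), ("BNZ", 0x000D), ("RET",),
) + b"\xff\xfe"   # trailing data bytes, not code

if __name__ == "__main__":
    m = disassemble(SAMPLE_ROM)
    c = classify(m)
    groups = data_groups(c["read_only"])
    print("entry points:", [label_for(a, m) for a in sorted(m.entry_points)])
    print("read-only groups:", [[hex(a) for a in g] for g in groups])
    print("loop limit hints:", loop_limit_hints(m, groups))
```

Linear sweep mis-decodes any data interleaved with code (the trailing bytes show how unknown opcodes are reported as DB), so on a real ROM the map is refined by following CALL and branch targets recursively and by checking it against the bus trace the text recommends.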

If you have identified the subroutines that accept phone numbers for dialing,
you can patch in a second subroutine that accepts an ID code from the keypad
and stores it in RAM before calling out, and modify any routines that 
utilize ID Codes to use RAM addresses instead of ROM addresses.

Chances are that the software takes up most or all of the available ROM
and RAM scratchpad space on the single-chip microprocessor. If this is the case
it might be necessary to piggyback additional memory chips onto the circuit
board to hold any new subroutines you want to add.

Suggested new features: 
1) Have the Cellular Phone scan for an empty channel and wait for an ID code.
Capture the ID code into a table of IDs in RAM and display the captured codes
on the liquid crystal display.

2) Program the Cellular Phone to emulate the switching signals and codes sent
by PacBell (or your local Cellular carrier), bypassing central switching
entirely. This would be useful for making 100% untraceable calls to other
Cellular subscribers within direct radio range. This can be used to do your own
routing, emulating a phantom switching cell. This could be used to extend
cellular service into an otherwise inaccessible area by coupling your Cellular
Phone to a 1.2GHz linear amplifier modified to work in the 800MHz band.

3) Make the Cellular Phone receive data under one ID/Frequency and retransmit
it under another. This would make it impossible to monitor both sides of a
conversation. This feature could also be used to implement conference calling
by running several calls at once out of one phone.

The DNA BOX - Striking at the Nucleus of Corporate Communications.
A current project of...

        Outlaw
     Telecommandos
   01-213-376-0111


