TUCoPS :: Phreaking Cellular - Misc. :: dna3.txt

The DNA Box - Hacking cellular phones #3

                        1-FEB-89

                          THE DNA BOX
                     Hacking Cellular Phones

                       P A R T   T H R E E

Previous DNA files discussed using Japanese handheld HAM radios together
with personal computers or tape recorders to hack Cellular Phone codes;
possible uses for the investment and business information obtained by
hacking executive and corporate phone calls and investment information
services; and approaches to modifying the Cellular Phones themselves for use
as hacking tools and pirate communication devices.

This file deals with using and modifying UHF-band radio scanners to hack
and monitor Cellular and Mobile telephone systems.

Radio Shack, Uniden, and several other manufacturers make scanners
for use by amateur radio hobbyists. Most of these will intercept mobile
radiotelephone calls without modification by tuning in frequencies in the
156 MHz and 475 MHz regions. Most of these scanners have line-level
audio outputs that can feed a tape recorder or demodulator/tone decoder
chip which can then interface directly to a computer for analyzing codes.
Mobile phones use a tone-pulse dialing protocol that should be simple to decode
and emulate using standard handheld ham radio gear. You can almost count
the dialing beeps without any special equipment. Phone channels are easy to
find: they usually broadcast a standard busy signal or an idle tone
(a fixed audio sine wave) when waiting for the next call. You will also hear
conversations, ringing, and mobile phone operators on these channels.

Here's a partial list of frequencies used by mobile phones:
                        (frequencies in MHz)

152.51   154.57   152.66   152.69   152.72   152.78   154.54
475.45   475.475  475.55   475.6    475.8    475.825  475.85   475.9  476.05

As you can see, many of the frequencies are spaced 30 kHz or 25 kHz apart,
so there are probably more channels in the gaps at those intervals.

These frequencies were gathered in a few minutes of casual listening using
an unmodified Radio Shack Pro-2021 scanner in search mode.


Hobby scanners capable of monitoring Cellular Phones are prohibited in the US.
To save money on the production line, many international scanner manufacturers
make only one kind of scanning chip, which they use in both US and foreign
models. These chips are capable of scanning in the 800 MHz range, but this
feature is disabled by grounding certain pins in the US models.
Often restoring Cellular scanning functions is merely a matter of cutting
a circuit trace or removing a single diode from a scanner's printed circuit
board.

For instance, removing diode 513 from a Radio Shack Pro-2004 Scanner will
enable the 870MHz Cellular range. Installing diode 510 will increase the
number of scanning channels from 300 to 400. Installing diode 514 will
increase the scanning rate from 16 to 20 channels per second.
These are located on the printed circuit board labeled PC-3.

The Uniden Bearcat 200/205XLT can be modified for Cellular scanning
by cutting or removing the 10K-ohm resistor located on the printed circuit
board above the letters "DEN" on the microprocessor chip labeled "UNIDEN UC-1147".

The Regency Electronics MX7000 Scanner reportedly scans Cellular Phones
without modification.

An additional scanner rumored to be modifiable is the Realistic Pro-32.

Another source of useful radio gear is the "Export Only" manufacturers.
One of these is currently rumored to be offering a handheld cellular phone
that does its own routing and has an operating radius of 160 kilometers!

Here are the frequency range assignments for Cellular Telephones:

Repeater Input  (Phone transmissions) 825.03 - 844.98 MHz
Repeater Output (Tower transmissions) 870.03 - 889.98 MHz

There are 666 channels, spaced every 30 kHz. Each phone transmits 45 MHz
below the corresponding Tower channel.
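As an added example that is not part of the original file: the band plan above
is self-consistent, and the short Python script below shows the arithmetic.
From channel 1 at 825.03 MHz, 30 kHz spacing, 666 channels and the 45 MHz offset
it derives both band edges (matching the ranges quoted) and maps a frequency
back to its channel number and side, which is the lookup needed when reviewing
a spectrum-monitor or scanner log for activity in the cellular allocation.
Function and constant names are my own.

```python
# Added example: AMPS band plan built from the figures quoted above
# (channel 1 at 825.03 MHz, 30 kHz spacing, 666 channels, 45 MHz duplex).
# Integer kHz keeps the 30 kHz steps free of floating-point drift.
REVERSE_BASE_KHZ = 825_030      # channel 1, phone (repeater input) side
CHANNEL_SPACING_KHZ = 30
DUPLEX_OFFSET_KHZ = 45_000      # tower channel sits 45 MHz above the phone channel
NUM_CHANNELS = 666


def _channel_khz(channel: int, side: str) -> int:
    if not 1 <= channel <= NUM_CHANNELS:
        raise ValueError(f"channel {channel} outside 1..{NUM_CHANNELS}")
    khz = REVERSE_BASE_KHZ + CHANNEL_SPACING_KHZ * (channel - 1)
    return khz + DUPLEX_OFFSET_KHZ if side == "tower" else khz

def reverse_freq_mhz(channel: int) -> float:
    """Phone-transmit (repeater input) frequency of a channel, in MHz."""
    return _channel_khz(channel, "phone") / 1000

def forward_freq_mhz(channel: int) -> float:
    """Tower-transmit (repeater output) frequency of a channel, in MHz."""
    return _channel_khz(channel, "tower") / 1000

def classify(freq_mhz: float):
    """Map a frequency onto the plan: ('phone'|'tower', channel), or None
    when it is not a 30 kHz channel centre inside either band."""
    khz = round(freq_mhz * 1000)
    for side, base in (("phone", REVERSE_BASE_KHZ),
                       ("tower", REVERSE_BASE_KHZ + DUPLEX_OFFSET_KHZ)):
        offset = khz - base
        if offset < 0 or offset % CHANNEL_SPACING_KHZ:
            continue                      # below the band or off-grid
        channel = offset // CHANNEL_SPACING_KHZ + 1
        if channel <= NUM_CHANNELS:
            return side, channel
    return None                           # above channel 666 on both sides

def band_edges() -> dict:
    """Lowest and highest channel of each side; compare with the ranges above."""
    return {side: (fn(1), fn(NUM_CHANNELS))
            for side, fn in (("phone", reverse_freq_mhz), ("tower", forward_freq_mhz))}

if __name__ == "__main__":
    for side, (lo, hi) in band_edges().items():
        print(f"{side:5s} {lo:.2f} - {hi:.2f} MHz")
```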

It's also possible to hack the popular cordless phones. These use the 49 MHz
band used by baby monitors and toy FM walkie-talkies. Scanners can be used
to monitor these without modification, and FM handheld transceivers will
allow 2-way hacking of these frequencies, which some may find amusing.

                        (frequencies in MHz)

Channel   Handset Transmit   Base Transmit
-------   ----------------   -------------
   1          49.67              46.61
   2          49.845             46.63
   3          49.86              46.67
   4          49.77              46.71
   5          49.875             46.73
   6          49.83              46.77
   7          49.89              46.83
   8          49.93              46.87
   9          49.99              46.93
  10          49.97              46.97

Business Update:
As of January 1989 there are legal maneuvers going on to lift the
ban on portable phones by traders at the NY Stock Exchange.

 The DNA BOX - Striking at the Nucleus of Corporate Communications.
 A current project of...

