TUCoPS :: Phreaking Cellular - Misc. :: esnsnarf.txt

Cellular help aiding in diagnostics testing

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<>                                                                          <>
<>                    HOW TO BUILD AN ESN/MIN SNARFER                       <>
<>                        THE BASIC REQUIREMENTS                            <>
<>                                                                          <>
<>                                by                                        <>
<>                                                                          <>
<>                             D a v e X                                    <>
<>                                                                          <>
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

Ok, lets get one thing straight, you won't be able to go to tandy's and
buy the bits to build a snarfer after reading this file, it is only a primer
to point an interested person in the general direction, you need to be more
than a little electronically inclined to build the hardware, although most
semi-literate programmers could write a piece of software to use with it.
I have written a short program in compiled basic which werked, so you don't
have to be an asm wizard to get results.

Step 1
^^^^^^
Lets get started, to begin with you need an NBFM receiver that covers the
cellular phone band.
This reciever must be modified to do the job in hand, so if you don't fancy
wrecking your expensive multiband scanner then stop now.

To modify your receiver you need to take the output of the discriminator
unfiltered and unamplified, if you don't get this right, it won't werk the
hardware, as phase shifts introduced in the amplification and/or filtering
will destroy the data before you can decode it.
It is also a good idea to fit a wider IF filter, 20khz seems about right for
cellular telemetry, but you may get limited success with the original one.

OK, so you have done open heart surgery on your scanner and you now have two
soggy wires hanging out of it. One wire going to the discriminator output,
and the other going to chassis ground. It is a good scheme to fit a small
socket, ( a 2.5mm jack socket is ideal for this purpose).  Also place a
0.22uF capacitor in series with the discriminator output to prevent any
stray electricity finding its way back to your scanner and fucking it.

Plugging a telephone earpiece or similar into your newly fitted socket will
result in a very quiet signal being heard, but neither the volume control or
the squelch will have any effect on this signal. If you get this far then you
are doing good and chances are you've done it right.

Step 2
^^^^^^
Next you need some custom hardware, I'm not going to supply a parts list or
a diagram, and don't bother hassling me via email, because I still wont tell
you more, unless you have made a good start and need help getting it to
werk right.
This is for two reasons,

    1) Why the fuck should I do all the research and prototyping and then
       give it to you on a plate?  Next thing you'll be wanting me to build
       you one.

    2) Who is to say that my design is the best there is, someone else might
       come up with a better design if they are forced to think about it, but
       if I just give you a circuit and a parts list you wont bother thinking
       you'll just clone my design.

Not withstanding the aforementioned, this is what you require:-

The signal from your radio needs converting to TTL using a comparator, an
LM339 would werk well here.

You need a VCO with a nominal center frequency of 8khz, this is phase locked
to the incoming datastream. a 4046 would seem to fit the bill.
For a cheaper less technical device, you could just use a free running clock
at 8khz, the disadvantages of this method are:-

1] you don't know whether you have data or not data, ie. it could be inverted
   but this can be overcome in software.

2] you will occassionally find that the clock actually changes phase during
the
   reception of a data block, this means you have to disregard this block.

The output of your PLL is your clock signal, this is one of the outputs you
need to present to your computer for the decoding process.

The other output is generated by exclusive or'ing the received datastream and
the clock, you could use a 4070 for this function.

CLOCK @ 8KHZ
   _   _   _   _   _   _   _   _   _   _   _   _   _   _   _   _   _   _   _
|_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_

RECEIVED DATA MANCHESTER ENCODED
 _   ___     ___     _   ___   _   _     _   ___   _   _     _   ___   _     _
| |_|   |___|   |___| |_|   |_| |_| |___| |_|   |_| |_| |___| |_|   |_| |___|

TTL DATA OUTPUT FROM SNARFER
______     ___     _______              _______             _______         __
      |___|   |___|       |____________|       |___________|       |_______|

1   1   0   1   0   1    1   0   0   0   1   1   0   0   0   1   1   0   0   1

You now have both clock and data lines, these are fed to your computer for
decoding. (you also need to connect a ground wire too).


Step 3
^^^^^^
You must first tune your radio to the reverse channel, this is most easily
accomplished by tuning around between 930mhz and 950mhz until you find the
strongest forward channel, (Hint. it goes burbullyburbullyburbullyburbully)
Once you have found the strongest forward channel, retune your radio to
exactly
45mhz lower, this is the reverse channel, and you should hear noises on it
during busy periods that sound a bit like pissed off flies, bzzzz bzzzz bzzzz,
these are data bursts from cellular phones, sending (among other things),their
min and esn to the local cellular tower.

The decoding process is fairly simple, you need to read your chosen input port

each time the clock goes high, (or low), the bit value is taken from the xor'd

data line.
You are looking for the bit sequence 11100010010. When you receive this flag,
you immediately capture the next 1207 bits, these are used to get the esn/min
pair.

Begining at bit(274) take ten bits, convert this to decimal, to this number
add 111 (one hundred and eleven), take the three rightmost digits, and store
this as 'A'.

Begining at bit(20) take four bits, convert these to decimal and store it,
lets
call it 'B'.

Begining at bit(24) take ten bits, convert this to decimal, to this number
add 111 (one hundred and eleven), take the three rightmost digits, and store
this as 'C'.

Begining at bit(34) take ten bits, convert this to decimal, to this number
add 111 (one hundred and eleven), take the three rightmost digits, and store
this as 'D'.

With it so far? if not read it again until you are familiar with the process.

Now starting at bit(508), take four bits and convert them to decimal, this is
stored as 'E', it is a two digit number and may require a leading zero.!

Begining at bit(512) take six bits, convert these to decimal, this number is
also a two digit number and may require a leading zero. Store as 'F'.

Starting at bit(518) take six bits, convert them to decimal, this number is
also a two digit number and may require a leading zero. Store as 'G'.

Now starting at bit(492), take sixteen bits and convert this to decimal, this
is stored as 'H', it is a five digit number, and may need padding with leading
zeros to achieve this.

You should now have numbers A through H.

GG should read 00, if not you fucked up.

Finally you print it out like so:-   AAAB-CCCDDD EE/FF/GG/HHHHH

It should look like this, 234#-###### ##/##/00/#####

The remaining bits are for the most part junk, but can be used for
verification
of the information you have just collected.
Each piece of info, min1, min2 and esn is sent 5 times in a 240 bit block, so
using your razor sharp mind, (or a calculator), you should have figured out
that each data sub block is 48 bits long. By adding 48 to the above bit(#s)
you can do the same decoding process again. And again at bit(#)+96 etc. and
use the extra four copies as mental error correction.

There is a parity field attached to each subblock for error correction
purposes
but this complicates the decoding process somewhat, and would be a bit ugly to
write in basic.

In Phate103, there is more info on the data format used, and an asm routine
for calculating the CRC using the parity bits.

Have phun, but please don't use any of these snarfed pairs to make free calls
as this is probably illegal.

( This information will not werk in the USA, although the signalling formats
are similar to this, certain modifications need to be made both to the
hardware
interface and the decoding method. If you are stateside, and require this
additional info, email me, DaveX @ Plan9 )


<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
Greets.
~~~~~~~
CHEROKEE
KILSLUG
MAELSTROM
MEEKO
PULSE




TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH