
TUCoPS :: Phreaking Cellular - Misc. :: misccell.txt

Miscellaneous information about hacking cellular and ATM systems

A short primer on ATM communications.

Basic communications:
Most ATMs in use today use either "Bisync" or "SDLC" communication. Bisync
is a format with no start or stop bits; instead, after a certain number of
characters (a packet), two (i.e. BI) sync characters are sent to "re-align"
or "lock in" the next packet. Bisync also differs from async (standard IBM
serial) in that there is a hardware clock signal to indicate when a bit cell
should be started.

SDLC is also known as NRZ or Non-Return-to-Zero. In this format, the electrical
signal is sent redundantly. A binary 1, for instance, will swing from the
current voltage to +12 in 1/4 of a bit cell, remain at +12 for 1/4, swing to
-12 in 1/4, and remain at -12 for the last 1/4 of the bit cell. A binary 0 will
follow the opposite pattern (current to -12, remain -12, swing +12, remain +12).
The interesting part here is that the voltage remains at the last active state
until changed by another bit (hence, NRZ). This format also uses a clock
signal, but the clock may be a separate hardware line, or may be derived from
the data line. Just to make matters more interesting, the bit cell may be
inverted (i.e. a 1 bit may go -12 then +12), giving you what is called NRZI
or NRZ-Inverted. This gives four possible types of SDLC comm: NRZ, NRZI,
NRZD (VERY RARE, if ever), and NRZID.
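To make the waveform description above concrete, here is an added Python simulation (not part of the original file, and not anything an ATM vendor ships) of the four-quarter bit cell exactly as the text describes it, with the inverted variant, plus a decoder that works out the cell boundaries from the data line alone, which is what a clock "derived from the data line" amounts to. The voltage values and the per-bit patterns are the ones in the text; the sample bit strings are constructed.

```python
# Added example: simulates the four-quarter bit-cell waveform described in the
# text above (not code from the original file). Levels and per-bit patterns
# follow that description; "inverted" swaps them, as the text says NRZI does.
# All inputs below are constructed for illustration.

HIGH, LOW = 12, -12          # volts, as in the text

# One bit cell = four quarter cells: a 1 is high for the first half of the
# cell and low for the second half, a 0 is the opposite.
ONE_CELL = (HIGH, HIGH, LOW, LOW)
ZERO_CELL = (LOW, LOW, HIGH, HIGH)


def encode_cells(bits, inverted=False):
    """Return one voltage level per quarter cell for the given bit list."""
    one, zero = (ZERO_CELL, ONE_CELL) if inverted else (ONE_CELL, ZERO_CELL)
    levels = []
    for b in bits:
        levels.extend(one if b else zero)
    return levels


def _is_cell(q):
    """A well-formed cell: two equal quarters, a mid-cell change, two equal quarters."""
    return q[0] == q[1] and q[2] == q[3] and q[1] != q[2]


def decode_cells(levels, inverted=False):
    """Turn a cell-aligned quarter-level list back into bits."""
    if len(levels) % 4:
        raise ValueError("waveform is not a whole number of bit cells")
    bits = []
    for i in range(0, len(levels), 4):
        cell = tuple(levels[i:i + 4])
        if not _is_cell(cell):
            raise ValueError(f"malformed bit cell starting at quarter {i}")
        bit = 1 if cell[0] == HIGH else 0
        bits.append(bit ^ 1 if inverted else bit)
    return bits


def alignment_candidates(levels):
    """Offsets (0-3 quarter cells) at which every full cell parses cleanly."""
    found = []
    for offset in range(4):
        n_cells = (len(levels) - offset) // 4
        if n_cells == 0:
            continue
        if all(_is_cell(tuple(levels[offset + 4 * k: offset + 4 * k + 4]))
               for k in range(n_cells)):
            found.append(offset)
    return found


def recover_alignment(levels):
    """Derive the bit-cell phase from the data line alone. Every cell changes
    level exactly at its middle, so the true phase parses; a run of identical
    bits also lets the phase half a cell off parse, which is the ambiguity a
    known sync pattern (one containing bit changes) is sent to remove."""
    found = alignment_candidates(levels)
    if not found:
        raise ValueError("no cell alignment parses; not this line code?")
    if len(found) > 1:
        raise ValueError(f"alignment ambiguous {found}; need a sync pattern")
    return found[0]


def decode_unaligned(levels, inverted=False):
    """Recover the phase, drop the leading partial cell, decode whole cells."""
    offset = recover_alignment(levels)
    usable = levels[offset:]
    usable = usable[: len(usable) - len(usable) % 4]
    return decode_cells(usable, inverted)


if __name__ == "__main__":
    wave = encode_cells([1, 0, 1, 1, 0])
    print(wave)
    print(decode_unaligned(wave[3:]))   # a receiver that joins mid-stream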

Basic Networking:
Most ATM networks use a "Star" topology with "Loops" at each terminus.
Basically, this means that you have one central computer going to several
nodes. Each node is a "loop" with up to 64 ATMs on each loop. You will
almost never see more than 16 ATMs on a loop, mostly due to the higher cost
of multiplexing more than 16 machines onto a single line. Each ATM has its
own address or "POLL SELECT #" to differentiate it from every other ATM on
that particular loop.

Basic Packet Format:
A basic Bisync Packet will look something like this:

        32 32 C7 02 xx xx xx xx xx xx xx xx xx xx 1c xx xx xx xx xx xx xx xx
        |___| p  S                                F   DES Encrypted time
        SYNC  o  O     account # in EBCDIC        L
              l  T                                D

        xx xx xx xx xx xx xx xx xx xx xx xx 1c xx xx xx xx xx xx xx xx ---
        and date and verification code          Text description of 

        ---------------------- xx xx 1c xx xx xx xx xx xx 1c xx xx xx xx xx xx
        Transaction                       Amount              Bank Blurb ex.

        xx xx xx xx xx xx xx xx xx xx xx xx xx 03 00 00 00
        (Thank you for Banking with RIP-Off)   E  |______|
                                               O    Idle

        SOT=Start Of Text
        EOT=End Of Text
        FLD=Field delimiter

Almost all ATMs use EBCDIC coding (which is different from ASCII); this is
the same coding found on most IBM mainframes (no, it's not a coincidence; many
of the ATM network controllers are still IBM equipment). Although it is
possible, ASCII is never used in SDLC. (SDLC is another IBM protocol.)
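Added example, not from the original file or any vendor: a small Python parser for the frame layout sketched above, using the byte values from the diagram (32 32 sync, C7 poll address, 02 SOT, 1C field delimiter, 03 EOT, 00 idle) and Python's cp037 code page for EBCDIC (an assumption; the text only says EBCDIC). The sample frame is constructed, and its "encrypted" bytes are arbitrary filler rather than DES output. The point it makes is the one the layout implies: apart from one DES-protected block, everything in the frame, the account number included, is readable EBCDIC, and delimiter-only framing cannot carry a binary field that happens to contain a delimiter byte.

```python
# Added example: parser for the Bisync frame layout drawn in the text above.
# Written for this page, not taken from any ATM vendor. Byte values and field
# order are read off the diagram; the sample frame is constructed and its
# "DES" block is filler, not real ciphertext. EBCDIC via cp037 is an assumption.

SYNC, SOT, FLD, EOT, IDLE = 0x32, 0x02, 0x1C, 0x03, 0x00
EBCDIC = "cp037"


def build_frame(poll_addr, account, enc_block, description, amount, blurb):
    """Assemble a frame in the diagram's order: SYNC SYNC, poll address, SOT,
    account FLD encrypted-block FLD description FLD amount FLD blurb, EOT, idle.
    The layout has no length field, so a binary block must not contain FLD/EOT."""
    if FLD in enc_block or EOT in enc_block:
        raise ValueError("encrypted block contains a framing byte; "
                         "delimiter-only framing cannot carry it")
    text = [s.encode(EBCDIC) for s in (account, description, amount, blurb)]
    body = bytes([FLD]).join([text[0], enc_block, text[1], text[2], text[3]])
    return (bytes([SYNC, SYNC, poll_addr, SOT]) + body
            + bytes([EOT, IDLE, IDLE, IDLE]))


def parse_frame(frame):
    """Validate the framing bytes and split the fields; text fields are decoded
    from EBCDIC, the encrypted block is returned as opaque hex."""
    if frame[:2] != bytes([SYNC, SYNC]):
        raise ValueError("missing SYNC SYNC")
    if frame[3] != SOT:
        raise ValueError("missing SOT after poll address")
    try:
        end = frame.index(EOT, 4)
    except ValueError:
        raise ValueError("no EOT; frame truncated") from None
    fields = frame[4:end].split(bytes([FLD]))
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}")
    account, enc_block, description, amount, blurb = fields
    return {
        "poll_select": frame[2],
        "account": account.decode(EBCDIC),        # cleartext on the loop
        "encrypted_block": enc_block.hex(),       # the only protected field
        "description": description.decode(EBCDIC),
        "amount": amount.decode(EBCDIC),
        "blurb": blurb.decode(EBCDIC),
        "idle": frame[end + 1:],
    }


def frame_is_well_formed(frame):
    """True if parse_frame accepts the frame, False on any framing error."""
    try:
        parse_frame(frame)
        return True
    except (ValueError, IndexError):
        return False


# Constructed sample frame; the 16 filler bytes stand in for the DES block.
SAMPLE_FRAME = build_frame(
    0xC7, "1234567890",
    bytes.fromhex("0f1e2d3c4b5a6978" * 2),
    "WITHDRAWAL", "00002000", "THANK YOU FOR BANKING WITH RIPOFF")


if __name__ == "__main__":
    for key, value in parse_frame(SAMPLE_FRAME).items():
        print(f"{key:16} {value}")
    print("truncated frame accepted?", frame_is_well_formed(SAMPLE_FRAME[:-5]))
```

Decoding the constructed frame gives poll address C7, account 1234567890 and the text fields as typed; cutting the frame off before the EOT makes parse_frame raise. Because there is no length field, a binary block containing 1C or 03 would shift every following field, which is why build_frame refuses such a block.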

Several companies manufacture devices which tap into this loop, and overlay
the parsed data onto a video picture from the surveillance camera often found 
in an ATM casing. 

Technical Scams/Workarounds

A new way of obtaining PIN numbers has surfaced recently, and has not yet been
picked up on by the ATM Security people.
This involves using three or four mini-mike/transmitters, shaped like bolt
heads. Basically, the four "Bolt-heads" are placed on each corner of the 
ATM keypad so that they look like they hold the keypad down. Each bolt-head
is transmitting on a slightly different frequency.
Each receiver is then fed into a separate input (usually one pin on a parallel
port) and decoded into discrete audio waveforms. The audio waveforms are then
processed and compared to a base (i.e. the person doing this would initially
press each key on the keypad in sequence several times). This makes it very
simple to decode keypress sounds into numbers, as each switch will have a 
SLIGHTLY different sound than any other. Even an 8088 at 4.77 MHz can
process this data if it is stored first, then processed later.

Another, less known and more sophisticated method, is the use of a magnetic 
pickup coil to pick up the signal from the electronics inside the ATM.
This requires some fairly intense DSP (Digital signal processing).
While this sounds expensive or technical, it is actually fairly simple.
The most common piece of equipment used is a SoundBlaster Pro (c) card.
This card is an often overlooked piece of hacking/phreaking equipment.
(Can also be used for fax interception, satellite pic decoding, touch tone
decoder, telcom operator tones, and MUCH more. ask about more info...)
Using a magnetic pickup allows decoding both the card number, and the PIN.
Card Readers/Writers are available starting at about $125. Note that while
some cards use DES encryption schemes, a large enough pool of data (real
card numbers and encrypted equivalent) makes it possible to simulate the
encoding scheme. There have been reports (but I have seen no firm evidence) of
the reverse being done. A large magnetic coil is placed in the ATM (possibly
in the deposit slip holder or the deposit receptacle itself), and the correct
signals are fed into it to simulate a viable transaction or to scramble
the microprocessors. Unsubstantiated information claims that a dual frequency
magnetic field (7200 Hz and 1247 Hz) of >=3000 Gauss scrambles the
microprocessors and has a 33% chance of causing the ATM to "freak out" and start
dispensing money at random. My source is anonymous (even to me), but claims
that he/she has done this on more than 30 machines. The 30% figure is from
his/her boasts of "Every third box freaked out and spit money at me". There
has been increased interest in ATM surveillance in the area where this was
supposed to have happened, but this may reflect nothing more than bank 
officials having gotten word of this story and trying to prevent rather than
cure. If you are interested in talking to this person, the last contact I have
had was on Usenet. Message to "" in the alt.hacking newsgroup.
(BTW, there is no domain, I assume this address is the result of 
a "modified" program on a Usenet host.)
Other variations include the use of high power microwave pulses to accomplish
basically the same thing. I have received no further information on this, but
would point out the high power microwaves (pulsed OR steady) can be very
hazardous to people as well as machines.
I would recommend that anyone not experienced in microwave technology stay far
away from high powered microwave experiments of any kind.

Other Interesting Stuff.
Techno-anarchy. (sub-titled "Make electrons, not bombs")
A small but growing number of anarchists are putting down their guns and 
picking up their soldering irons. Simple electronic projects that can be 
built very inexpensively can be used to cause mis-functioning or destruction
of most electronics. A department store in Arizona supposedly lost approx.
$15,000 in consumer electronics due to a "techno-anarchist" revenge.
The story says that a teenage man familiar with electronics purchased a stereo
system from the store which did not work, and had trouble returning it either
for another stereo or for a refund. About two weeks later, he walked in the
store, went to the consumer electronics department, and proceeded to plug in
a "black box" measuring approx. 12" by 8" by 6". (Van de Graaff generator?).
Within seconds, malfunctions began to occur. Televisions and stereos began
to randomly change volume/station/function. After no more than 5 minutes, 75%
of the electronics in the department were functionally destroyed. Note that 
there was very little, if any, physical damage. The teenager was apprehended 
by police 5 days later. It is possible that it took that long for the store
security and/or police to track down exactly what had happened, since this is
not something that they deal with on any kind of regular basis. The teenager
was supposedly charged with criminal mischief (since no other law would cover 
this act?). The story was only briefly reported in the local newspapers, and 
very little was said by the department store. One supposition is that police
did not want the public to know how easily this was done.
Related stories are heard from time to time about "techno-anarchists" 
disrupting traffic patterns in large cities by "frying" the traffic signal
controllers. If true, this could cause more damage than is readily apparent,
particularly due to frustrated motorists and the increased loads on roadways
not designed for such heavy traffic. The possibilities for disruption of 
normal day-to-day living  are enormous. This same type of electronic warfare
could be used on critical installations such as air traffic control towers, 
hospitals, and railway controls. 

Tapping modem communications
While many people believe that fax and modem communications cannot be tapped,
this is a false assumption. Many companies are currently marketing fax
interception cards for as low as $129. There are at least three companies
advertising these cards in the 1-94 issue of "Law Enforcement Product News".
As far as modem communications, there are several ways to intercept either 
side of a modem link, the simplest of which is to play back the recording of
the modem communications to another modem which has already been placed into 
online mode. The most common method of playback is the answering machine. 
This is reported to work about 50% of the time. 
Another possibility is tapping into the actual RS-232 line to an external 
modem, if available. Most people are not aware that the RS-232 line can be 
paralleled to another device. The trick is to connect only the receive and
ground lines on the second device (i.e. DB-9 2 and 5). As long as there is 
only one device doing handshaking and/or responding, there is no problem.
Both sides of the link may be monitored by using two serial ports: one
to receive the local side, and one to receive the remote. You should be aware that
this may be illegal if you do not obtain the consent of at least one of the
parties being monitored, if not both. This could be considered a grey area,
as it is unclear whether this could be considered wire-tapping or bugging.
This is also physically harder to do since the tap would require 2 wires to 
be added for 1 side of the communication or 3 wires for both sides (common

Fax Intercept hardware suppliers:
 Power Fax Inc. Address & phone not available at this time
                Faxmate! card for 386+ IBM compatibles. Features Multi level
                zoom, exporting (OCR?), Inverted images, Fax machine ID, 
                handles 2 dimensional and most non-standard faxes

                Faxmatel is an addon board to IBM compatibles with an extremely
                high line impedance to avoid detection by conventional sweeps
                and line testers.

 Kings Security Intern'tl Inc.  Located in L.A. CA (address/# NA at this time)
                KSI Fax Intercept (FAXSNIFF) Laptop computer with special 
                hardware. Features interception and storage of up to 9,999
                group III faxes. Maximum fax baud rate 9600 (no 14.4).
                Connects directly to telephone line, or to ANY SCANNER TYPE
                RECEIVER OR DIGITAL AUDIO RECORDER. This allows FAX 

While pagers may not be as exciting as Cellular Phones, there are many 
possibilities, and pagers are still much more common than cellular phones. 
Pagers are also carried personally, not by a vehicle (which may be loaned to 
someone else or stolen).
Some law enforcement agencies are starting to use cellular phones to track
suspects or aid surveillance/stakeouts. The major problem with this is that
often the person will leave their car/cellular phone in another location, 
thereby eluding a cellular trace. Pagers, on the other hand are always carried
by the owner personally. 
Many new paging networks require a response from the pager when a message is 
sent, to ensure that the page was received correctly. This response is very 
short, usually consisting of the pager's NAM and a simple go/no-go message.
If you know the number of the pager, you can use simple receiver equipment to
determine the strength of the signal to within a few feet, and use the network
to determine where the signal is to within the size of a cell. This makes it 
possible to track a person to within a few feet simply by calling their pager.
The newer pagers that accept a multi-character alphanumeric message are even
more interesting. Most of these pagers include a TTL or RS-232 port for
programming and for remote links to equipment such as computers, medical 
monitors, etc. 

RNet Paging data receivers.
Manufactured by Motorola (c), these pagers operate at 138-174 MHz, 406-423 MHz,
and 929-932 MHz. The standard unit includes a 240 byte buffer, TTL or RS232
I/O port, and multiple (4) address codes. 

Port Pinout
| 9 10 11 12 13 14 15 16 |
| 1  2  3  4  5  6  7  8 |

1 +5VDC                   9 +5VDC
2 Keyed                  10 Gnd
3 Gnd                    11 Keyed
4 8-12 VAC/8-16VDC       12 8-12VAC/8-16VDC
5 Serial Data Out        13 Output 1
6 Flow control out       14 Output 2
7 Serial Data In         15 Output 3
8 Flow control in        16 Reserved Output

1,3,4,5 are also available through the holes in the bottom of the unit.
Note that Output 1-3 and reserved are TTL level direct from the uP.

Function codes (serial in)      Command Code    Description
77 Output 1 control             
78 Output 2 control
79 Output 3 control
                                10              logic 0
                                11              logic 1
                                12              Cycle (logic1, delay, logic0)
                                13              Cycle (logic0, delay, logic1)
70 Control output states        14              Set control output states
                                                x1,x2,x3 = logic 0 or 1 for 
                                                output 1,2,3

Data Block 

Function Code | Command Code | Sub Address | Data x1 x2 x3 | Checksum

To send logic 1 to output 3 to a unit with a subaddress of 1000002, send:
To send a logic 0 to outputs 2 and 3, and a logic 1 to output 1 to a unit with
a sub-address of 1231234, send: 70141231234001

Programmable Functions:
Cap Codes/Address codes (xxxxxxx)
        active y/n (yyyy/nnnn)
        Function (aaaa)
        Code Type (indiv.)
Inverted data (y/n)
RS232 interface
        Baud Rate (to 19200 default 9600)
        Data Bits (7/8 default 8)
        Parity (even, odd, none default none)
Out of Range message (Yes/No Default no)
Headers (yes/no default No)
Trailers (yes/no default no)
CTS (y/n def. n)
RTS (y/n def. n)
Enable control output
        Print Control output messages (y/n def. y)
        Output Control individ. address (xxxxxx)
        Output Control Group address (xxxxxx)
        Cycle time delay (x seconds def. 5)
        Message checksum enable (y/n def. n)
        Output 1 Initial logic state (low/high def. low)
           "   2    "      "      "           "
           "   3    "      "      "           "
That should get you started on the RNet(c) paging receivers.

Interesting Equipment
Nothing technical, just some equipment suppliers you don't normally see.

Curtis Electro Devices
4345 Pacific Street
Rocklin, CA 95677
Tel. 800-332-2790 Fax 916-632-0636
ESNR-5900B CellPhone ESN Reader. Stores and prints (to parallel printer) last 
           99 readings with time and date. Detects cellular phone number,
           called number, and ESN up to two miles from target. Options
           include voice capture  (tap?) and handoff following.
   WARNING:Sold to law enforcement only. Proof of identification is
           required. Call or Fax on official law enforcement letterhead.

ZEI Corporation
Address/Phone Currently unavailable.
Counter-Fighter. Detects fraudulent checks and/or credit cards by the presence
                 or absence of magnetic Ink or strip. (If you look at a check,
                 you will see unusual looking numbers on the bottom. These
                 have the routing code/bank/account and often the check number
                 encoded in by using magnetic ink to print the numbers.)
                 The Counter-Fighter operates from a 9V battery  or transformer,
                 and weighs only 3 Ounces. The unit "fits comfortably in the
                 palm of your hand". Upon detection of magnetic ink the unit
                 gives a quick flash of a red light. (This does not check
                 what the magnetic ink says, merely whether or not magnetic
                 ink is present.) Magnetic ink has been imitated by mixing
                 Schaffer's ink with extremely finely ground neodymium magnets.
                 The ink is then used in a calligraphy type pen, or with less 
                 success, in an inkjet printer cartridge. The same thing has 
                 supposedly been done with laser/copier toner, but this seems
                 unlikely due to the metallic rollers/parts in laser printers/

500 Southlake Blvd.
Richmond VA 23236
Tel. 804-794-2500 Fax 804-794-8284
PSA-65A Portable Spectrum Analyzer (Bug-sniffer, radio tracer, etc.)
        The PSA-65A covers up to 1GigaHertz in one sweep, Sensitivity in narrow
        sweeps is -95dBm. It is ideally suited for 2 way radio, cellular, 
        cable, LAN, and surveillance/anti-surveillance work. Options include
        freq. extenders to allow usage at SAT-COM and higher frequencies, audio
        demodulation for monitoring (tapping), and more.

5504 State Rd.
Cleveland OH 44134-7330
Tel. 216-351-1755 or 800-722-664x (number lost due to misprint)
Fax 216-351-0392
RACOM 2816A is a multiline dialed number recorder that can simultaneously 
            Record number dialed and audio on up to 6 lines. Prints and 
            displays date, time, number of rings, length of call and recorder
            status for each line. Separate minimized audio and cassette
            recorder for each line. Real time display of line activity on 80
            column display. Completely automatic or manual operation.
            Options include CallerID, Dual and Single tone slaves, RS232 
            output, database program and more.

Federal Card Co.
Address and phone not available at this time.
FBI Trading Cards. Series of 100 Trading Cards features official photographs,
                   descriptions, and criminal records of fugitives currently
                   wanted by the FBI. Subsets include The Top Ten, FBI Lab, 
                   FBI Firearms, and FBI Facts and History. ALSO: Randomly
                   inserted foil stamped bonus cards. Limited production;
                   only 3,750 officially numbered cases printed. Special 
                   on pack offer:Win a trip to Washington D.C. for a tour of 
                   FBI headquarters. Sold in packs of 8. 5% of profit donated
                   to victims of violent crime and drug prevention programs.
                   (The last sentence is verbatim from the ad in the 1-94
                   Law Enforcement Product News, so I have to wonder about
                   victims of drug prevention programs.)

Protective Products
PO Box 450358 Dept. EP
Sunrise Florida 33345
Tel 305-846-8222 OR 800-509-9111
Body Armor Starting at $149 for concealable standard Threat Level IIA

New Eagle Communications
Address Unavailable at this time
Tel 913-582-5823 Fax 913-582-5820
Bone Vibration Headsets. Demo Gear available to qualified organizations.

Tech Support Systems (Surveillance Products)
540 Weddell Drive Suite One
Sunnydale CA 94089
Tel. 408-734-9436 Fax 408-734-9437
Cellmate Model B. A cellular monitoring system designed for unattended 
                  operations. Just enter the suspect's phone number and it
                  automatically intercepts calls made to or from the phone.
                  The included VOX circuit activates the built in Marantz (c)
                  cassette recorder to record both sides of the conversation.
                  (This system is packaged in a standard metal shell briefcase,
                  and includes a cellular phone, recorder and controls. It is
                  available for both AMPS and ETACS systems)
        WARNING: Sales are restricted to authorized purchasers only.

More Simple but interesting Junk.
Modifying 386/486 ROMs
WARNING:You do this at your own risk! You CAN seriously hurt hardware if you
screw this up. It is fairly safe to change the text in the BIOS, for instance,
maybe you want your sign on screen to say "Joe's Bar and Grill" instead of
"Some Funky BIOS 1989". But there is NO warranty given to you or anyone you 
ever knew.
Ok, now, first we need to read the old BIOS. Start DEBUG and type the
commands below (the r bx / r cx lines set the byte count that w writes
out; without them DEBUG would not save anything to the named file):

n top.hlf
m f000:0 8000 cs:100
r bx
0
r cx
8000
w cs:100
n bot.hlf
m f800:0 8000 cs:100
w cs:100

This will give you two files, top.hlf and bot.hlf, which is one BIOS chip each
if you have two BIOS chips. If you only have one, then type:
copy /b top.hlf+bot.hlf whole.thg
del top.hlf
del bot.hlf
You will now have one binary file called whole.thg. Load this file into 
your favorite EPROM burner program (as a binary file), and do a checksum. 
You should get a XX00 where XX is anything. If not, your program does not
support the standard checksum used by IBM compatibles. If so, then you can 
change what you want to (Common changes are to text messages, and Hard Drive
Tables). When you have finished,do another checksum and write it down, then 
write the file back to disk (use binary mode, NOT hex or Intel Hex).
Now we have to find out how to reset the checksum so that it is XX00 again.
Type the following:
H ffff chksum (from just before saving file above)

You will see something like this
2233 DDCC
Write down the last two digits, then type:
Now go back into your EPROM programmer and load the file (remember, Binary).
Find an unused FF, and change it to the two digits from the step above (i.e. 
Now do another checksum, and verify that it is XX00.
Then burn your new EPROM and install it. If you did not get the checksum right, 
your machine will refuse to boot up, and you will have to try again.
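As an added illustration (not code from the original file, and a Python stand-in for the DEBUG and EPROM-programmer steps above), this recomputes the additive checksum the text describes, mimics what DEBUG's H command prints, and rebalances an edited image by changing one unused FF byte. The BIOS image here is a constructed 256-byte stand-in, and the rule for choosing the "unused FF" (a byte inside the longest run of FF) is an assumption, since the text leaves that choice to you.

```python
# Added example (not from the original file): the additive ROM checksum the
# text refers to and the one-byte rebalancing it describes, in Python rather
# than DEBUG. The image is a constructed stand-in; a real one is a 64 KiB dump
# like whole.thg. Choosing the "unused FF" by longest FF run is an assumption.

SIGNON = b"Some Funky BIOS 1989"


def rom_checksum(image):
    """16-bit sum of every byte. The image is 'balanced' when the low byte is
    00, which the EPROM programmer shows as XX00."""
    return sum(image) & 0xFFFF


def debug_h(a, b):
    """Mimic DEBUG's `H a b`: it prints the 16-bit sum and difference."""
    return (a + b) & 0xFFFF, (a - b) & 0xFFFF


def fix_byte(image):
    """The value the text says to write over an unused FF: the last two hex
    digits of `H ffff chksum`, i.e. the low byte of ffff - chksum. Replacing
    an FF with it subtracts exactly the sum's low byte, leaving XX00."""
    return debug_h(0xFFFF, rom_checksum(image))[1] & 0xFF


def find_unused_ff(image, min_run=8):
    """Heuristic (assumption): a byte inside the longest run of FF, which in
    practice is erased/unused padding. Returns the run's last index."""
    best_start, best_len, start = -1, 0, None
    for i, b in enumerate(list(image) + [None]):     # None flushes the last run
        if b == 0xFF:
            start = i if start is None else start
        elif start is not None:
            if i - start > best_len:
                best_start, best_len = start, i - start
            start = None
    if best_len < min_run:
        raise ValueError("no FF run long enough to be safely unused")
    return best_start + best_len - 1


def balance_rom(image):
    """Return a copy whose checksum low byte is 00, changing at most one byte."""
    patched = bytearray(image)
    value = fix_byte(image)
    if value != 0xFF:                       # FF means it is already balanced
        patched[find_unused_ff(image)] = value
    return bytes(patched)


def patch_signon(image, new_text):
    """Swap the sign-on string for one of the same length (the text's own
    example edit), leaving the checksum for balance_rom to repair."""
    if len(new_text) != len(SIGNON):
        raise ValueError("keep the replacement the same length")
    pos = image.index(SIGNON)
    return image[:pos] + new_text + image[pos + len(SIGNON):]


def make_sample_rom(size=256):
    """Constructed 256-byte stand-in for a BIOS: a little 'code', the sign-on
    string, FF padding, then balanced so it checks as XX00 like a real image."""
    code = bytes(range(0x10, 0x50))
    raw = code + SIGNON + bytes([0xFF]) * (size - len(code) - len(SIGNON))
    return balance_rom(raw)


if __name__ == "__main__":
    rom = make_sample_rom()
    print(f"shipped image  checksum {rom_checksum(rom):04X}")
    edited = patch_signon(rom, b"Joe's Bar and Grill ")
    print(f"after editing  checksum {rom_checksum(edited):04X}")
    fixed = balance_rom(edited)
    print(f"after fix byte checksum {rom_checksum(fixed):04X}")
```

make_sample_rom() builds a balanced image, patch_signon() changes the sign-on text, and balance_rom() brings the sum back to XX00 by overwriting one FF with the value DEBUG's H command would show. The same property is the security caveat: a checksum that any single byte can rebalance detects accidental corruption but offers no protection against deliberate modification, which is why firmware integrity today rests on signatures rather than sums.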

Pirate Television.
Caution: The FCC is very adamant about shutting down unlicensed transmitters,
especially those involving television channels. The normal procedure when
this occurs is to confiscate all equipment and levy a $1000 fine.
Pirate television is actually very easy to get into. The first thing you need
is a transmitter (of course). The second is an amplifier to get your output
up high enough to be of any use. The quickest way to get an inexpensive 
high quality transmitter is from a cable TV surplus equipment reseller.
These can be purchased used for under $50 depending on make/model/features.
The preferred channels are from 14 to 20, as these are within the 400-512 MHz
frequency range. This range falls (mostly) within the range of ham radio, and
linear amplifiers can be purchased very inexpensively. Beware of cheap build-
it-yourself transmitter kits, as they tend to have lots of frequency drift and
instability (esp. when transmitting video and audio at the same time).
There are 100 watt pirate television stations that have been assembled for
as little as $150, although generally, such a station will cost around $300.
In the Houston, Texas area, there are currently 4 known active stations,
ranging from 25 to 2500 watts. These stations have operated an average of 5 
years each,  mostly due to the fact that they do not transmit full time, and
all but one moves location monthly or bi-monthly. They also do NOT transmit
pornography or "death" films (Faces of Death, Die On My Blade, etc.)
The fastest way to be found is to transmit things that are overly offensive.
This does not mean that you should only transmit Disney movies, but keep in
mind that this IS a public broadcast, and that ANYONE can receive it.
In the Houston, Texas area, one station is devoted purely to "cult" films, 
such as Pink Floyd's "The Wall", "The Rocky Horror Picture Show", "Night of 
the Living Dead", "Godzilla" movies, etc. Most stations run a mix of music
videos, old/cult movies, and classic reruns such as "The Prisoner" and 
"Dr. Who". Some stations will take requests at P.O. Boxes or on telephone
"loops" (an open two person conference call). Most Pirate TV operators are
technologically literate, and are willing to help someone set up a new station,
(providing you don't compete against them, of course). Many cities host a large
number of these stations, and in some cities the "underground" newspapers even
run the "Pirate Nielsens". If you are interested in setting up your own 
station, check your local yellow pages under "Cable Television Equipment" for
the base transmitter, and QRx or 72 magazines for the linear amplifiers.
Keep in mind that you are running an illegal transmitter, and that most ham
radio equipment suppliers will not sell to you if you state that you are 
running a pirate TV station. When choosing an amplifier, be sure that it has
at LEAST a 6 MHz bandwidth, otherwise you will tend to lose your audio and/or

Anyway, this is some basic stuff. You might want to rewrite/clean-up some of 
it though. I will give you a call soon after you receive this to see if you
find it informative or useful.

This information gathered/compiled by Light Speed Delta.
Republication or other usage is permitted if verbal permission is given.
