Basics of Cellular Telephony/Phreaking
Originally Written 12/19/99
Revised someplace in 2001
Note to reader: Although some of the following information has been written by the author, some of it has been simply compiled and inserted, especially the end appendices. All information that has been completely taken from another file has been indicated, and proper credit has been given. (Except the information found in the appendices, which is readily availible from many texts.)
_Terms_
Control Channel- The channel the phone and cell base first communicate on. Meant only to send/receive digital data. The 21 control channels in each band may be dedicated to two different applications: access and paging channels.
Reverse Control Channel- The opposite frequency, 45 mhz lower than the control channel. This is where the mobile unit is.
Voice channel- The channel you are assigned by the switch to commence the call on after the exchange of suscriber data.
Reverse voice channel- Again 45mhz lower.
Cell Site- The base station that talks to the mobile.
Switch- The computer that places the calls, and takes and recieves data
from the suscriber or from PSTN. (public switched tel network)
ESN- electronic serial number. The ESN is a 4 byte hex or 11-digit octal number. I have encountered mostly 11-digit octal numbers on the casing of most celluar phones. the first three digits represent the manufacturer and the remaining eight digits are the units ESN. I'll go more into the ESN later in the document.
SCM- Station Class Mark. Used for station identification
by providing the station type and power output rating.
SID- System Identification Number wich represents the mobile's home system.
SIDH- System Identification for Home System. The transmission of the SIDH number tells the carrier where to forward the billing information to in case the user is "roaming". The SIDH table tells the major cities and their identifying numbers. Changing an SIDH is programming job that takes only minutes, but be aware that the ESN is still sent to the cellular phone company.
NAM- Numeric Assignment Module
MIN- Mobile Identification Number (Your cellular phone number)
_Cellular Frequencies_
From the cell tower, information is sent on Band A or Band B (the 2 cellular carriers in the area) over the frequencies listed in Appendix A. Within the 2 bands are 832 cellular frequencies. Each one has 416 bands, and within the bands are voice channels that actually transmit and receive information from cellular phones.
_How it works_
(Note, this is a very basic file. If you would like more advanced cellular telephony, read Damien Thorn's file at the L0pht.)
To begin, cellular telephony uses the wireless signalling system #7 (SS7). As soon as a user turns on a cell phone the MIN/ESN for that phone will be carried as an SS7 network message to a database, known as the Home Location Register (HLR) within the user's home carrier system. The HLR will provide information for validation as well as customer profile info for advanced features as voicemail. That information will then be be relayed to a second database, the visitor location register, maintained by the carrier that is hosting the roaming call. They hope to reduce fraud by checking the ESN with real time validation on a per call basis. The current system is unable to detect fraud until after a caller has made his/her first call. (This system simply uses a customers calling profile to detect an unusual calling pattern.) When you turn your phone on, the ESN and MIN are sent to the tower on the Forward Channel. The tower then sends back information on the reverse channel with such things as: If your phone number has an account or not, where you are calling from, account information. After all these objects are verified, your CO (central office, Cell Site is located here,) or MTSO, (Mobile Telephone Switching Office, used when roaming) will allow you to make a call. When you dial the number and hit "Send" the number is sent to the cell site, and then relayed to the person's telephone line on the forward channel. When a person picks up the phone and begins to talk, all the information is sent on the reverse channel. The chips and devices in the cell site put both channels together and allow you to have a conversation on a voice channel. With new technology such as PCS and prepaid wireless, it has been more difficult to alter the information in a NAM EPROM (Electronically programmed read-only memory... the memory in this chip is erased and programmed via the use of UV rays) or EEPROM chip.
_NAM Programming_
So.. if you changed the ESN, SIDH and MIN in your phone... you could make phone calls via someone else's account, right? Well, sort of. All you have to do is use an EPROM programmer and change the data in the NAM. Easy you say? No. The NAM is equipped with security measures and checksums (algorithm code used to make sure there are no errors in the digits) to protect against unwanted programming of the NAM chip. You can also program your phone to only use ONE frequency, and to stop locking onto the strongest channel, therefore picking up someone else's phone call. This can also be done with a scanner by using the frequencies listed above.
**N.B.: The following information until otherwise noted is COMPLETELY taken from The Ultimate Cellular Phone Phreaking Manual #2, by The Raven. I take NO credit for this.**
You must get seven pieces of data from the cellular system operator to
allow you to reprogram the cellular phone. You provide the remaining data.
Write all of this programming data on the NAM Reprogramming Data Table
provided in this text before implementing this procedure. Incorrect NAM
entries can cause your cellular phone to operate improperly or not at all.
The required data is:
* System Identification (SID) Code (S-digits): Indicates youe home system
Enter 0's into the left-most unsued positions. Provided by the system
operator.
* Cellular Phone Number (10 digits): Used in the same manner as a standard
land-line phone. The mobile phone number and the Electric Serial Number
are checked against each other by the cellular system each time a call
is placed or recieved. Provided to you by the system operator.
* Station Class Code (2 digits): This number is 06 or 14 for most personal
or portable phones. Even though your phone has extended bandwith
capability (832 channel capacity), the cellular system operator may
require your station class code to remain 06. The code should be 14 if
832 channel operation is allowed.
* Access Overload Class (2 digits): Provided to you by the system operator.
* Group ID Mark (2 digits): Provided to you by the system operator.
* Security Code (6 digits): The six-digit security code allows the user to
restrict his calls in certain ways and permits other advanced security
measures. Refer to your phones operator manual for further details.
Select any 6-digit code that you will remember, but one that will not be
easily guessed.
* Unlock Code (3-digits): The 3-digit unlock code unlocks the phone after
it has been locked. LOcking the phone allows you to prevent unauthorized
usage. With many models, this number can be resued as often as desired.
Check the users manual. Select any convenient 3-digit number.
* Initial Paging Channel (4 digits): Use a leading 0 if required.
(example: Channel 334 is entered as 0334.) Provided to you by the
system operator.
* Option Bits (6 digits): This reprogramming step allows you to program
six seperate features in one step. Each feature is either selected or
cancelled by assigning a value of 1 or 0. The six individual single-
digit features combine to form a six-digit code which is entered as one
step. If any of the features is to be changed , the entire six-bit word
must be re-entered.
DIGIT #1: Internal Speaker: This feature is normally selected by
entering 0. However, if you purchased the convertible
Accessory and it contains a seperate external/VSP unit,
cancel the internal speaker feature by reprogramming 1.
DIGIT #2: Local Use: This feature is normally selected by entering 1.
Your system operator can tell you if you need to cancel
this feature by reprogramming 0.
DIGIT #3: MIN Mark: This feature is normally not used and is assigned
a value of 0. To select use 1.
DIGIT #4: Auto Recall: This feature is always 1.
DIGIT #5: 2nd Phone Number: This feature is usually not used and
assigned a value of 0.
DIGIT #6: Diversity: This feature is always set at 0 for the portable/
personal phone used alone. If you have a convertible
accessory, and it has two external antennas, select this
feature by reprogramming 1.
* Option Bits (3 digits): This step allows you to reprogram an additional
three separate features in one step. Each feature is either selected or
cancelled with the digit 1 or 0. The three individual single-digit
features combine to form a three-digit code which is entered as one
step. If any of the features is to be changed the entire three-bit word
must be reentered.
DIGIT #1: Long Tone DTMF: Certian electronic devices such as answering
machines, are are not able to decode the normal DTMF tones
because the phone standard duration is too short. The Long
Tone DTMF allows access to answer machines and other similar
devices by transmitting the DTMF tone for as long as the key
is depressed. This feature is normally not used and is
assigned a value of 0. However you can select long tone DTMF
by reprogramminng 1.
NOTE: Personal or portable models with a MENU key can more flexibly
select and cancel this feature thru the menu. To allow Menu
control of the function it must be cancelled in the NAM by
setting this bit to 0. If Long Tone DTMF is selected in the
NAM with a 1 in this bit, it cannot be reversed thru the menu.
DIGIT #2: Future use: This feature is always set at 0.
DIGIT #3: Eight-Hour Timeout (Convertible only): Personal or portable
phones with the convertible accessory can normally be left
active in the vehicle for eight hours with the ignation cut
off. If the time out feature is selected the phone will turn
itself off after eight hours to preserve the vehicle's
battery. This feature is normally selected by entering 0.
However, you can cancel this eight-hour time limit by
entering 1.
**END section of The Ultimate Cellular Phone Phreaking Manual #2, by The Raven**
_Roaming_
When a phone is out of reach of a home frequency, the phone will try to find a carrier. The little "ROAM" light on the LCD or Vacuum Tube screen on your mobile will notify you when on roam. Some companies have made contracts with other companies to use each other's cell towers. If no service is availible, you might get a message like "We cannot find your wirless account. If you would like to use a calling card, third party billing, or credit card, press 1" As long as you know a valid credit card and have information on the real owner of the cellular phone, you can most likely use this. There was a "Roaming Scam" developed some time ago that allowed a person with a cell to receive cellular service by using their phones in areas where the SIDH numbers are different from the ones currently used in the phones. I have included a SIDH table in Appendix B. For the most part, this trick is obsolete.
_The NAM_
Inside the phone, you will find a small EPROM or EEPROM which stores NAM information. The E/EPROM will have anywhere from 16 to 28 leads coming out from it, and will be square- or rectangular-shaped. If it is a DIP (Dual Inline Packaging) chip, it will always be rectangular. This does not mean that non-DIP chips will always be square. The NAM stores data about the phone and its user, such as the ESN, MIN, SIDH, and other various bits of information. Computing of the NAM information is done in binary and must result in a sum of 0. This is called the checksum. The sum of all words in the NAM plus the last two must equal a number with "0" in the last two digits. The ESN is a 32-bit number which identifies a phone to the cell tower. The ESN is programmed into the E/EPROM by the manufacturer and cannot be changed unless a new, reprogrammed E/EPROM is inserted. There are 11 digits in an ESN. Format is the following:
-First three digits: Manufacturer decimal code
-Next two digits: Reserved, may contain numbers including 0.
-Last 6 digits: Decimal serial number.
_Obtaining NAM information_
One way to obtain the ESN and MIN is to simply get your hands on someone else's cell phone, take off the battery to find the ESN, then turn on the phone to get the MIN. You'll need to find the SID/SIDH by calling the CO and using your "Social Engineering" skills to find it.
Another way is by scanning the listed channels above. You should hear a series of beeps. You'll need a type of DTMF decoder or touch-tone decoder to interpret the beeps into an ESN and MIN. You can then program these into your phone and clone it. For information on programming different types of phones via the handset, visit http://www3.l0pht.com/~oblivion/blkcrwl/cell/cellprog.html
_Cellular Security_
Companies have taken some drastic security measures to stop cellular phreaks. The computers will compare the time and place where phone calls were made to prevent cloning. For example, if a man in Michigan were to call his family at 4:20 PM, and another person in Florida called a 900 phone sex number at 4:23, the company would shut off the person's account to prevent the cloning. They know it is a cloned MIN because there is no possible way to get from MI to FL in 3 minutes.
____Appendix A: Cellular Frequencies____
Channel Base Frequency Mobile Frequency
VHF Low Band
ZO 35.26 43.26
ZF 35.30 43.30
ZH 35.34 43.34
ZA 35.42 43.32
ZY 34.46 43.46
ZC 35.50 43.50
ZB 35.54 43.54
ZW 35.62 43.62
ZL 35.66 43.66
VHF High Band
JL 152.51 157.77
YL 152.54 157.80
JP 152.57 157.83
YP 152.60 157.86
YJ 152.63 157.89
YK 152.66 157.92
JS 152.69 157.95
YS 152.72 157.98
YA 152.75 158.01
JK 152.78 158.04
JA 152.81 158.07
UHF Band
QC 454.375 459.375
QJ 454.40 459.40
QO 454.425 459.425
QA 454.45 459.45
QE 454.475 459.475
QP 454.50 459.50
QK 454.525 459.525
QB 454.55 459.55
QO 454.575 459.575
QA 454.60 459.60
QY 454.625 459.625
QF 454.650 459.650
CELLULAR FREQUENCIES from CHANNEL NUMBER:
F = 825.030 + B * 45 + ( N + 1 ) * .03
where: N = 1 to 799
F = 824.040 + B * 45 + ( N + 1 ) * .03
where: N = 991 to 1023
CHANNEL NUMBER from CELLULAR FREQUENCIES
N = 1 + (F - 825.030 - B * 45) / .03
where: F >= 825.000 (mobile)
or F >= 870.030 (cell site)
N = 991 + (F - 824.040 - B * 45) / .03
where: F <= 825.000 (moblie)
or F <= 870.000 (base)
TV Cell & Channel Scanner TV Oscillator Band
Channel Freq.& Number Frequency Frequency Limit
===================================================================
73 (first) 0001 - 825.03 45.97 871 824-830
73 (last) 0166 - 829.98 41.02 871 824-830
74 (first) 0167 - 830.01 46.99 877 830-836
74 (last) 0366 - 835.98 41.02 877 830-836
75 (first) 0367 - 836.01 46.99 883 836-842
75 (last) 0566 - 841.98 41.02 883 836-842
76 (first) 0567 - 842.01 46.99 889 842-848
76 (last) 0766 - 847.98 41.02 889 842-848
77 (first) 0767 - 848.01 46.99 895 848-854
77 (last) 0799 - 848.97 46.03 895 848-854
___Appendix B: SIDH Table___
SYSTEM NON(A) WIRE(B)
Abilene,TX 131 422
Aguadilla 605 188
Aiken,GA 181 084
Akron,OH 073 054
Albany,GA 241 204
Alburquerque,NM 079 110
Alexandria,LA 243 212
Allentown,PA 103 008
Alton,IL 017 046
Altoona,PA 247 032
Amarillo,TX 249 422
Anchorage,AK 251 234
Anderson,IN 253 080
Anderson,SC 139 116
Anniston,AL 113 098
Appleton,WI 217 240
Asheville,NC 263 246
Ashland,WV 307 TBA
Athens,AL 203 198
Athens,GA 041 034
Atlanta,GA 041 034
Atlantic City,NJ 267 250
Augusta,GA 181 084
Aurora,IL 001 020
Austin,TX 107 164
Bakersfield,CA 183 228
Baltimore,MD 013 018
Bangor,ME 271 254
Baton Rouge,LA 085 106
Battle Creek,MI 403 256
Beaumont,TX 185 012
Bellingham,WA 047 006
Beloit,WI 217 210
Benton Harbor,MI 277 260
Biddeford,ME 501 484
Billings,MT 279 262
Biloxi,MS 281 264
Binghamton,NY 283 266
Birmingham,AL 113 098
Bismarck,ND 285 268
Bloomington,IL 455 532
Boise,ID 289 272
Boston,MA 007 028
Bradenton,FL 175 042
Bremerton,WA 047 006
Bridgeport,CT 119 088
Bristol,TN 149 074
Brownsville,TX 451 434
Bryan,TX 297 280
Buffalo,NY 003 056
Burlington,NC 069 144
Burlington,VT 313 300
Canton,OH 073 054
Casper,WY 301 284
Ceder Falls,IA 589 568
Cedar Rapids,IA 303 286
Champaign,IL 305 532
Charleston,WV 307 290
Charleston,SC 127 156
Charlotte,NC 139 114
Charlottesville,VA 309 292
Chattanooga,TN 161 148
Chicago,IL 001 020
Chico,CA 311 294
Cincinnati,OH 051 014
Clarksville,TN 179 296
Cleveland,OH 015 054
College Station,TX 297 280
Colorado Springs,CO 045 180
Columbia,MO 317 298
Columbia,SC 189 182
Columbus,GA 319 302
Columbus,OH 133 138
Corpus Christi,TX 191 184
Council Bluffs,IA 137 152
Cumberland,MD 321 304
Dallas,TX 033 038
Danville,VA 323 306
Davenport,IA 193 186
Dayton, OH 163 134
Daytona Beach,FL 325 308
Decatur,IL 327 532
Dennison,TX 033 038
Denver,CO 045 058
Des Moines,IA 195 150
Detroit, MI 021 010
Dothan,AL 329 312
Dover,NH 501 484
Dubuque,IA 331 314
Duluth,MN 333 316
Durham,NC 069 144
Eau Claire,WI 335 318
Elgin,IL 001 020
El Paso,TX 097 092
Elkhart,IN 549 530
Elmira,NY 283 266
Elyria,OH TBA 054
Enid,OK 341 324
Erie,PA 343 326
Eugene,OR 061 328
Evansville,IN 197 190
Fargo,ND 347 330
Fayettesville,NC 349 100
Fayetteville,AR 607 342
Flint,MI 021 010
Florence,AL 113 334
Florence,SC 377 350
Fort Collins,CO 045 336
Fort Lauderdale,FL 037 024
For Meyers,FL 355 042
Fort Pierce,FL 037 340
Fort Smith,AR 359 342
Fort Walton Bch,FL 361 344
Fort Wayne,IN 199 080
Fort Worth,TX 033 038
Fresno,CA 153 162
Gadsden,AL 113 098
Gainesville,FL 365 348
Galveston,TX 367 012
Gary,IN 001 020
Glens Falls, NY 063 078
Grand Forks,ND 371 356
Grand Rapids,MI 021 244
Granite City,IL 017 046
Great Falls, MT 373 358
Greeley,CO 045 360
Green Bay,WI 217 362
Greensboro,NC 095 142
Greenville,SC 139 116
Gulf of Mexico,LA 171 194
Gulfport,MS TBA 264
Gunterville,AL 203 198
Hagerstown,MD 381 364
Hamilton,OH 383 366
Harlingen,TX 451 434
Harrisburg,PA 159 096
Hartford,CT 119 088
Hickory,NC 385 368
Honolulu,HI 167 060
Houma,LA 387 370
Houston,TX 035 012
Huntington,WV 307 196
Huntsville,AL 203 198
Indianapolis,IN 019 080
Iowa City,IA 389 286
Jackson,MI 391 374
Jackson,MS 205 160
Jacksonville,FL 075 136
Jacksonville,NC 393 376
Janesville, WI 217 210
Johnson City,TN 149 074
Johnstown,PA 039 032
Joliet,IL 001 020
Joplin,MO 401 384
Kalamazoo,MI 403 386
Kankakee,IL 001 020
Kansas City,KS/MO 059 052
Kennewick,WA TBA 500
Kenosha,WI 217 044
Killeen,TX 409 392
Kingsport,TN 149 074
Knoxville,TN 093 104
Kokomo,IN 411 080
La Crosse,WI 413 396
Lafayette,IN 415 080
Lafayette,LA 431 414
Lake Charles,LA 417 400
Lakeland,FL 175 042
Lancaster,PA 159 096
Lansing,MI 021 188
Laredo,TX 419 402
Las Cruces,NM 097 404
Las Vegas,NV 211 064
Lawrence,KS 059 406
Lawton,OK 425 408
Lewiston,ME 427 482
Lexington,KY 213 206
Lima,OH 021 412
Lincoln,NE 433 416
Little Rock,AR 215 208
Long Branch,NY 173 022
Longview,TX 229 418
Lorain,OH 437 054
Los Angeles,CA 027 002
Louisville, KY 065 076
Lubbock,TX 439 422
Lynchberg,VA 441 424
Macon,GA 443 426
Madison,WI 217 210
Manchester,NH 445 428
Mansfield,OH 447 430
Marshall,TX 229 418
Mayaguez 449 432
McAllen,TX 451 434
Medford,OR 061 436
Melbourne,FL 175 068
Memphis,TN 143 062
Miami,FL 037 024
Midland,TX 459 422
Millville,NH TBA 250
Milwaukee,WI 005 044
Minneapolis,MN 023 026
Mobile,AL 081 120
Modesto,CA 233 224
Moline,IL 193 186
Monroe,LA 463 440
Monterey,CA 527 126
Montgomery,AL 465 444
Moorehead,ND TBA 330
Muncie,IN 467 080
Muskegon,MI 021 448
Nashua,NH 445 428
Nashville,TN 179 118
NE Pennsylvania 103 172
New Bedford,MA 119 028
New Brunswick,NY 173 022
New Haven,CT 119 088
New London,CT 119 088
New Orleans,LA 057 036
Newport News,VA 083 168
New York,NY 025 022
Norfolk,VA 083 168
Ocala,FL 473 348
Odessa,TX 475 422
Oklahoma City,OK 169 146
Olympia,WA 047 006
Omaha,NE 137 152
Orange County,NY 479 486
Orlando,FL 175 068
Owensboro,KY 197 190
Oxnard,CA 027 002
Panama City,FL 483 462
Parkersburg,WV 485 032
Pascagoula,MS 487 264
Pasco,WA TBA 500
Pensacola,FL 361 120
Peoria,IL 221 214
Petaluma,CA 031 040
Petersburg,VA 071 472
Philadelphia,PA 029 008
Phoenix,AZ 053 048
Pine Bluff,AR 215 208
Pittsburg,PA 039 032
Pittsfield,MA 119 480
Ponce,PR 497 082
Portland,ME 499 482
Portland,OR 061 030
Portsmouth,NH 501 484
Poughkeepsie,NY 503 486
Providence,RI 119 028
Provo,UT 091 488
Pueblo,CO 045 490
Racine,WI 217 044
Raleigh,NC 069 144
Rapid City,SD 511 494
Reading,PA 103 008
Redding,CA 513 294
Reno,NV 515 498
Richland,WA 517 500
Richmond,VA 071 170
Roanoke,VA 519 502
Rochester,NH 501 484
Rochester,MN 521 504
Rochester,NY 117 154
Rockford,IL 217 506
Sacramento,CA 129 112
Saginaw,MI 021 389
Salem,OR 061 030
Salinas,CA 527 126
Salt Lake City,UT 091 094
San Angelo,TX 529 510
San Antonio,TX 151 122
San Diego,CA 043 004
San Francisco,CA 031 040
San Jose,CA 031 040
Terre Haute,IN 567 080
Texarkana,AR/TX 229 550
Toledo,OH 021 130
Topeka,KS 059 552
Trenton,PA 029 008
Tuscon,AZ 053 140
Tulsa,OK 111 166
Tuscaloosa,AL 577 098
Tyler,TX 579 418
Utica,NY 235 226
Vallejo,CA 031 040
Victoria,TX 581 562
Vineland,NJ 583 250
Visalia,CA 153 162
Waco,TX 587 566
Warren,OH 089 126
Washington,DC 013 018
Waterloo,IA 589 568
Wausau,WI 591 570
West Palm Beach,FL 037 024
Wheeling,WV 039 032
Wichita Falls,TX 595 574
Wichita,KS 165 070
Wilkes Barr,PA 103 172
Williamsport,PA 103 576
Wilmington,DE 123 008
Wilmington,NC 599 578
Winston-Salem,NC 095 142
Worcester,MA 007 028
Yakima,WA 601 580
York,PA 159 096
Youngstown,OH 089 126
Yuba City,CA 129 112
__Appendix C: Suggested Reading__
The Ultimate Cellular Phone Phreaking Manual, by The Raven
The Cellular Telephone Phreaking Phile Series, by the Mad Phone-Man
Cellular Phone Secrets, by Bootleg
Cellular Telephony, Damien Thorn
-Janus
http://www.warpedreality.com/gashous
hijanus@tupac.com
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
