TUCoPS :: Phreaking Cellular - Misc. :: cell9411.txt

Stargate's Cell Hacker's Journal Nov. 1994


          ====================================================
                       Stargate's Cell Hackers Journal
                              Vol 94.11  NOV,1994
          ====================================================

"Oh course, our system guarantees a fast, clear secure connection"
                                        -Cell 1 sales dweeb

Well due to some small demand, heres the first issue of mag
dedicated to exploring the ins and outs of Cell Phones, I'll try to
be as simple as I can and wont dwell with some of the irrelevancies
of the operations of the cells, just basically genuine hacking
information, some which I will gather from tech manuals and actual
testing, now granted I'm just a hobbyist, and it is not my intent
for this information to be used in any illegal manner, especially 
for any persons attempting to defraud any cellular company, and
any other of the illegal shit that goes along with that. I am
looking for any authors, (cuz I sure as shit don't know
everything!) to contribute to this spread of forbidden knowledge. 
I intend to send out this mag at least quarterly or as any information 
of great importance is presented , so the size of these texts may vary
greatly. What I really like to include is some back door test modes
for *any phonez, especially the ESN modification type. 
     I would like to say thanx to everyone who encouraged me and 
got me started in this great form of technology. And I will strive
to keep the information as correct as possible, but 'member I cant
test everything, if it sounds logical and can be done, then I'll
present it here for your approval, if ya have any text ya want to
send , or any comments, please email me at TECHMAN@ANON.PENET.FI
(until I get a real internet account!). Enjoy *

-----------------------------------------------------------------

I. The Software Question  (for popular Motorola fones)

     The most popular fone among the hackers is obviously the
motorola mircrotac of "flip fone" (which is characteristic of its 
microphone flipping mechanism). Early in the cell game a ware was
released by Cellular Press (a.k.a Spy Supply) which could mod all
of the motorolas using a simple made cable and a PC. Well as time
went on and motorola wanted to add more features and better
handling of the hardware, they started to change they're firmware
of the fones to accommodate the changes, along with the changes was
an inability of the software to modify the ESN data of these fones,
thus other ways had to be implemented , one such method was a
firmware replacement, this was a easy chore for the Bags and totes,
but a pain in the ass for the flips, the bags and totes used the
regular DIP package 27c512 Prom, while the equivalent on the flips
was in a plcc surface mount package, which could only be removed
with real skill, and some expensive soldering equipment, not to
mention reprogramming a Eprom / prom of the same type , and then
replacing it, now anyone (like me) who has popped open one of those
flip fones know how crappy that method is, you risk destroying your
fone, and losing some of the features. Well HTH came out with
a "trick clip" which consisted of a plcc test socket, and a
reprogrammed chip. This procedure still required you to disable the
firmware on yer fone , by cutting a trace (*ouch) sticking the
trick clip in the chip, jumpering a pin on the socket to a place on
the board, and then attaching your cable and using the old ware.
Still this was a tedious, expensive (hth wanted $295 for the clip)
and dangerous procedure. And sometimes with certain fone revs this 
didn't work. As time went on and the demand grew to do these phones
software solutions began to emerge, one was called TRANS-2, and/or
MPC which was a package available from C.G.C (California Grapevine
Communications), this package was also available from a company
called Cellsoft, both houses sold the ware for a ridiculous $700
and protected it copyright infringement by making it dependant on
a dongle to operate. Well after talking to C.G.C about the software
and basically getting the brushoff from Cellsoft (they may be
another Spy supply house), the MPC / Trans-2 ware was describe as
"horrible and buggy" by greg at C.G.C (the guy with the british
accent). Well the package was purchased and now is being
distributed in its uncraked state to various crak groups for repair
;), but this has either proved a challenge for the guys, or they
have been reduced to money grubbers by re-selling the packages, in
my opinion these are the lowest of lamers, theres nothing worse
than a thief of thieves.  
     As a point of ID, if you can get your hands on the old style
flip fone (which were usually tan in color and had a membrane
keyboard), these are ready modible , having a firmware rev up to
9012.
     Now theres one last ware out there that's supposed to the be
the most reliable of ones to mod the new fones (up to 9340) is
called AMPS/G2. This is now being sold by C.G.C for $700 and is now
floating around the internet waiting to be cracked. (sorry greg,
but your price is ridiculous). I recently Emailed DrDamien for some
new info on moding the new stuff, and found out from him that some
places are selling firmware/cable kits for $50 which is not a big
bite at all, now he didn't go into detail on what they were,
whether they were the old firmware switch (mentioned above, which
in some instances caused yer fone to power up saying "loaner" and
disabling all your cool functions, like storage and other shit) or
the firms that take advantage of the "Identity Transfer" function
of theses fones, which simply put xfers your fones NAM/ESN data to
another fone by executing a #66 and #69 (see the MOTCODEZ.TXT file)
on each fone, one is called a LOADER fone (contains the new info)
and the TARGET fone (the fone to get the goodies), now this is
proven to work with ALL motorola fones even the new 94F firmware
series.
C.G.C offers a package consisting of a LOADER fone with special
firmware, plus a cable with a switch for $995. From what I've heard
this is a nice setup, but way too expensive, remember the true
idea of cloning tries to *SAVE the user money by having two lines
on one bill, and $1000 bux is just not cost effective now, maybe
over a few years perhaps. But you know how the underground works,
as soon as someone gets one, they'll copy the firmware , dissect
the cable and u/l the info to yer local site. (I'm waiting to see
it!)

     None the less there are some (expensive) options for those who
wish to master the new motorola fones, its just a matter of what
purpose and how often will you use it, now for those who wish to
open your own cell-fone cloning house , good luck, laws are
developing as you read this to outlaw that, (you didn't honestly
think that they would continue to allow that), and if you can
justify spending the $1000 for the loader fone (the most reliable
way to date), then more power to ya, as for us regular hackers, who
want to learn more about these , then that's outrageous. You'll be
better off getting one legit. (*shudder) (tm).

     * And Also note, the roaming scam is almost non existent, this
method consisted of changing the ESN/MIN to a bogus out-of-state
number, then making a call, since the subscriber info could not be
validate real-time, the first call would go through, but subsequent
calls would be blocked until this information was changed again,
thus someone developed a "tumbler fone" which changed this info to
some random quotient, before each call was place, this drove the
Cellcos and Fedz nutz, so they just simply forward your call to a
special cell provider who lets you make your call using a Credit
card or do it collect, usually at a ridiculous rate i.e. $2.00 per
minute. (some allow calling cards)
-----------------------------------------------------------------
II. What does the Cellwarez do?

Cell Software Review (just the old stuff that's out, cuz there is
some confusion on what can do what.)

     Cellsoft.zip ... This is original stuff that was sold as
                      package from Cellular press, A.K.A Spy 
                      Supply, it was priced at $500 and now can
                      be yanked from any good H/P board, it
                      contains the warez to do the Motorolas
                      Panasonics and NEC p300/301/200/201/400.

     Newphones.arj .. This package is the Shareware (?!?!) release
                      of Cellular press's moding ware. It contains
                      all the files aforementioned plus wiring
                      diagrams, and some warez to do NEC9A/11A
                      NOKIAs , TANDY, R-SHACKS, and MITSUS MT3/MT4
                      interesting note about this one is that it
                      asks you to upload to various bbs's and then
                      call them (Robert Carp) and Narc em out to
                      receive registration (?!?) and more info on
                      their services, maybe they feel guilty for 
                      screwing all those folks around. * Also
                      contains ROMS from the old firms of MOT
                      phones for the ESN replacement technique.


     UNICHIP.ZIP  ..  This is another package containing moding 
                      wares for the MOTS/NEC/PANS, but this one
                      also contains new software for doing the
                      p400/401/600/601 firms before and after
                      V.34, offered by unisoft. Also has Wiring
                      Digrams for building the cables

     UNICELL.EXE  ..  Another package similar to the unichip.zip
                      except this one contains a better Checksum
                      calculator for programming the 9346-16911
                      eprom, and does a larger variety of fones
                      (Sony/Phillips/Nokia/Cleartone/Novatel/mobira)

     A-Z.zip      ..  C.G.Cs intensive programming guide for 110 +
                      cellfones, also has some (little) information
                      on back door test modes and other goodies,
                      such as a definition file and a FAQ on
                      ESN emulation.

     Cellmon.zip  ..  Now this one is interesting, it seems to want
                      to interface with a MOT Mircotac, and
                      supposedly, scans the channels to monitor the
                      the frequency, this also may be a simple form
                      of a DDi, (digital Data interface) which is
                      used to read the RCC (reverse control
                      channel). *The RCC is a channel the fone uses
                      to communicate with the tower, ESN/MIN/SCM
                      data is xfered through this chan.


Honorable Mention : P3tst001.txt, a text on the test commands for
                    the NEC p300/301/600/601/400/401 phones, 
                    includes instructions for ESN modification :
                    NOVATEL1.TXT, this file has information for 
                    moding the novatel 83XX series fone, including
                    changing the ESN info, (*warning, can only be
                    done 3 times), OKITEST.TXT , this is a listing
                    of test commands for the OKI series fones,
                    which is considered to be a "HACKER PHONE!"
                    MOTCODEZ.TXT, is a file which has the current
                    test mode commands on motorola phones.

-------------------------------------------------------------
III. Current Mod-ible fones


     This is a short list of the phones that can currently be 
altered. (ESN wise that is) If I come short on this, please
by all means let me know what fones can be altered and how, but
this list is comprised mostly of the ones I moded personally.
The purpose of this list is for you who are out trying to buy 
a cellfone, and wanna know which ones can be used. Theres a
shitload of fones out there that *cant be modified currently,
the big ones are the Audiovoxs (new), judging by the programming
and ic's in the phone, Audiovox's engineers were overly security
conscious, but as you well know this may and will change as new
ways of exploiting technology becomes evident. 


               Currently Modiable                   HOW
               ==================                   === 
               Motorola BAG*                        Cable, Software
               Motorola FLIP*                       Cable, Software
               Motorola Brick*                      Cable, Software
               Panasonic D,E,F,G,H                  Cable, Software
               NEC p300/301/600/601/400/401         Cable, Software
               Nokia (all)                          Chip Removal
               NEC 11/9a                            Cable, Software
               Novatel (83XX)                       Keyboard/ROM
               Mitsubishi MT3/MT4                   Chip Removal 
               Sony CM-H333                         Chip Removal
               Phillips PR-92                       Chip Removal
               Nokia 100/190                        Chip Removal
               BT / Ivory                           Chip Removal
               Novatel 4400                         Chip Removal
               Cityman 100                          Chip Removal
               Ameritech (motorola)                 Cable, software

NOTES: * indicates that new software or a new method is needed to
mod fones with firmware revs higher that 9122. Chip removal refers
to removing the 9346-16911 serial eprom, and programming with the 
Unichip and Unicell software

---------------------------------------------------------------
IV. How to get ESN/MIN pairs, the magic stuff

     Now Methods for obtaining this valuable information varies,
I'll give you a few personal examples on how I was able to get some
pairs. One method (which was lo-risk and cheap) was to do the
old infamous trashing, I cased out a local cell provider branch
office, found out what were there days/hours of operation, snooped
and asked some questions on how they deal with fraud, (social
engineering skills were needed of course), to which the only answer
they could provide was "oh , well if you didn't make the calls, we
will not require you to pay for them, and we'll change your number"
which gave me two good pieces of information, 1 they just chalk it
up to loss , to appease the customers, and two, they don't give a
fuck in finding out who made the calls. Now that was good to hear,
so on the day before trash collection I simply parked my car by the
dumpster, (flashlight in my pocket), and simulated taking a leak
behind the trash bin, quickly I open the side access panel, and did
a quick search, I found 3 bags with words (cellular, contract)
clearly visible in the bags, I grabbed them, look around, and
tossed them in the trunk. After getting them to my garage (it was
about 11:30 pm too) and sifting through the coffee filters, and
salad containers, I walked off with about 100 pairs. (written
contract info which is discarded after its entered into the
computer). The cons to this is that you got a lot of explaining to
do to the cops if they see you toss some bags of trash in your
trunk, and some states have laws governing trash, to the effect of
the trash being the property of the company until its collected by
a designated trash refuge agency, non-the-less , this works for
some places, Cell-1's here, have a company called 'Document
Services' which pick up their trash, and shred the ESN/personal
papers and contracts, thus this is ineffective in some areas.

     Another more expensive way, is to obtain a device called a
DDi, Digital Data Interface, this thing comes in various formats
from the more expensive stand-alone box, to a device which
interfaces with your 800 mhz capable scanner and a PC, the cheapest
standalone I seen was $1295, also I saw a kit for a simple one for
about 1-$200, this is the safest way do get pairs, simply make the
device mobile, and sit in a busy traffic area (freeway overpass)
and collect all the data you need.

     These are just a couple of examples on obtaining the 'magic
numbers' , some other ways (trading, inside help) does work too,
but are sometimes not effective, try to be creative, the Fedz know
about the trashing from back to the Captain Crunch days, the DDi
seems to be the logical choice for snarfing.


----------------------------------------------------------------
V. Ways of Detection

     Well this is another concern that the astute phreaker must
know is how to avoid detection, what you must remember is that the
only way you can be physically traced, is by having the phone
powered up and registered within the system, and all the cops have
to do is some rudimentary triangulation and you're snagged, as long
as you remember some basic rules, you can slim your chances of
being discovered.
     1. Never reveal your location or describe yourself over the
airwaves, this is a real common mistake, just a simple as you
turning on a scanner to monitor conversations, the cops have even
more sophisticated equipment to do so. A cell phreaker once told me
to just pretend you're in a crowed room when you speak on the fone,
so the information that you relay should not be something that you
would want that crowd to hear. You are just handing yourself over
when you make this mistake.
     2. Never leave your phone powered up or battery pack left on,
this reason is simple, you turn the phone on, you're registered in
the system, every phone transmits the ESN/MIN/SCM data to the cell
tower to become registered so that when you place a call , the fone
will be ready, some phones (motorola bags/totes/installed) transmit
this data, even when its powered off, only the power adapter or
battery need be connected, the effect varies when 2 fones with the
same ESN/MIN/SCM data are registered at the same time, but most of
the time a Fraud Flag goes off, and your calls (the #'s) are
recorded or the system denies you access to place calls.
     3. Never give any personal information out over the phone,
this is a relative mistake as mentioned in #1, except this is
mainly geared towards those, who like to make reservations at a
restaurant or order a pizza, all the fedz need do is call the
number and asked who placed a order at such and such day and time
(these places usually keep a record of this), and wham, youre
busted.

-------------------------------------------------------------------
VI. Internet Sites to get Cell info

     Here is a list of Anon. FTP sites where Cell info is stored,
I've checked them all in the past month, and they're still up. 

SPY.ORG                   /pub/SECURITY/SECTEC/cellular
Corrupt.Sekurity.com      /pub/phones and /pub/incoming
l0pht.com                 /pub/blackcrwl/cell
src.doc.ic.ac.uk
wiretap.spies.com
ftp.winternet.com         /users/craigb
quartz.rutgers.edu          
Ftp.Netcom.com
siam.unibe.ch
ftp.eff.org
ftp.cic.net

     If you got any more, don't hold out, email em, or upload em to
me at the above email address.
-----------------------------------------------------------------
VII. Last notes

     Well this will end my first issue of the Cellhackers journal,
I need anyone who knows anything, and would like to contribute ,
please email me or contact me on the stargate BBS, you can find the
# and nup on quality boardz, or chat with me on the IRC, I use the
handle TECHMAN / CELLFONE / or MICROTAC, usually in the #STARGATE
, #CELLULAR, #PHREAK channels, the next issue we'll get into some
more ESN moding Back Doors on some popular phones, and I'm trying
to get some generic plans for building a cheap DDi, a flip fone and
scanner (moded to receive 800 mhz cell freqs) will be needed. I'll
try to have the next issue out in JAN, it'll prob be right after
new years, hack on gentlemen.


     Some Greetz go out to:

     DrDamien for Breaking the Barrier on writing about Cell
Phreaking, a lot of shit here I learned from you.
     PMF the man who supplied MPC to me, thanks man, sorry about
our little ESN fandango, but we're clearing it up.
     PaTcH NET, (Code REd, Thranduil) for starting this cool net,
we need to X-pand this shit tho'
     Drunkfux, for all his late-breaking info and cool t-files, how
come you wont validate me on your board man, and I hope your band
is working out.
     MOTOROLA for making a damn good (and modifiable) fone, I hope
you guys keep it up.
     Cybertron , my boy with the gutz. Peaches my girl, Nutz and
Voltz mag, WayWard (for his skillz) , TACACS, Chr0nic, Terminal
Man, Alphabits, The Raven of HTH, and anyone else I didn't mention.

                                                PEACE
                                                TECHMAN


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH