|
==================================================== Stargate's Cell Hackers Journal Vol 94.11 NOV,1994 ==================================================== "Oh course, our system guarantees a fast, clear secure connection" -Cell 1 sales dweeb Well due to some small demand, heres the first issue of mag dedicated to exploring the ins and outs of Cell Phones, I'll try to be as simple as I can and wont dwell with some of the irrelevancies of the operations of the cells, just basically genuine hacking information, some which I will gather from tech manuals and actual testing, now granted I'm just a hobbyist, and it is not my intent for this information to be used in any illegal manner, especially for any persons attempting to defraud any cellular company, and any other of the illegal shit that goes along with that. I am looking for any authors, (cuz I sure as shit don't know everything!) to contribute to this spread of forbidden knowledge. I intend to send out this mag at least quarterly or as any information of great importance is presented , so the size of these texts may vary greatly. What I really like to include is some back door test modes for *any phonez, especially the ESN modification type. I would like to say thanx to everyone who encouraged me and got me started in this great form of technology. And I will strive to keep the information as correct as possible, but 'member I cant test everything, if it sounds logical and can be done, then I'll present it here for your approval, if ya have any text ya want to send , or any comments, please email me at TECHMAN@ANON.PENET.FI (until I get a real internet account!). Enjoy * ----------------------------------------------------------------- I. The Software Question (for popular Motorola fones) The most popular fone among the hackers is obviously the motorola mircrotac of "flip fone" (which is characteristic of its microphone flipping mechanism). Early in the cell game a ware was released by Cellular Press (a.k.a Spy Supply) which could mod all of the motorolas using a simple made cable and a PC. Well as time went on and motorola wanted to add more features and better handling of the hardware, they started to change they're firmware of the fones to accommodate the changes, along with the changes was an inability of the software to modify the ESN data of these fones, thus other ways had to be implemented , one such method was a firmware replacement, this was a easy chore for the Bags and totes, but a pain in the ass for the flips, the bags and totes used the regular DIP package 27c512 Prom, while the equivalent on the flips was in a plcc surface mount package, which could only be removed with real skill, and some expensive soldering equipment, not to mention reprogramming a Eprom / prom of the same type , and then replacing it, now anyone (like me) who has popped open one of those flip fones know how crappy that method is, you risk destroying your fone, and losing some of the features. Well HTH came out with a "trick clip" which consisted of a plcc test socket, and a reprogrammed chip. This procedure still required you to disable the firmware on yer fone , by cutting a trace (*ouch) sticking the trick clip in the chip, jumpering a pin on the socket to a place on the board, and then attaching your cable and using the old ware. Still this was a tedious, expensive (hth wanted $295 for the clip) and dangerous procedure. And sometimes with certain fone revs this didn't work. As time went on and the demand grew to do these phones software solutions began to emerge, one was called TRANS-2, and/or MPC which was a package available from C.G.C (California Grapevine Communications), this package was also available from a company called Cellsoft, both houses sold the ware for a ridiculous $700 and protected it copyright infringement by making it dependant on a dongle to operate. Well after talking to C.G.C about the software and basically getting the brushoff from Cellsoft (they may be another Spy supply house), the MPC / Trans-2 ware was describe as "horrible and buggy" by greg at C.G.C (the guy with the british accent). Well the package was purchased and now is being distributed in its uncraked state to various crak groups for repair ;), but this has either proved a challenge for the guys, or they have been reduced to money grubbers by re-selling the packages, in my opinion these are the lowest of lamers, theres nothing worse than a thief of thieves. As a point of ID, if you can get your hands on the old style flip fone (which were usually tan in color and had a membrane keyboard), these are ready modible , having a firmware rev up to 9012. Now theres one last ware out there that's supposed to the be the most reliable of ones to mod the new fones (up to 9340) is called AMPS/G2. This is now being sold by C.G.C for $700 and is now floating around the internet waiting to be cracked. (sorry greg, but your price is ridiculous). I recently Emailed DrDamien for some new info on moding the new stuff, and found out from him that some places are selling firmware/cable kits for $50 which is not a big bite at all, now he didn't go into detail on what they were, whether they were the old firmware switch (mentioned above, which in some instances caused yer fone to power up saying "loaner" and disabling all your cool functions, like storage and other shit) or the firms that take advantage of the "Identity Transfer" function of theses fones, which simply put xfers your fones NAM/ESN data to another fone by executing a #66 and #69 (see the MOTCODEZ.TXT file) on each fone, one is called a LOADER fone (contains the new info) and the TARGET fone (the fone to get the goodies), now this is proven to work with ALL motorola fones even the new 94F firmware series. C.G.C offers a package consisting of a LOADER fone with special firmware, plus a cable with a switch for $995. From what I've heard this is a nice setup, but way too expensive, remember the true idea of cloning tries to *SAVE the user money by having two lines on one bill, and $1000 bux is just not cost effective now, maybe over a few years perhaps. But you know how the underground works, as soon as someone gets one, they'll copy the firmware , dissect the cable and u/l the info to yer local site. (I'm waiting to see it!) None the less there are some (expensive) options for those who wish to master the new motorola fones, its just a matter of what purpose and how often will you use it, now for those who wish to open your own cell-fone cloning house , good luck, laws are developing as you read this to outlaw that, (you didn't honestly think that they would continue to allow that), and if you can justify spending the $1000 for the loader fone (the most reliable way to date), then more power to ya, as for us regular hackers, who want to learn more about these , then that's outrageous. You'll be better off getting one legit. (*shudder) (tm). * And Also note, the roaming scam is almost non existent, this method consisted of changing the ESN/MIN to a bogus out-of-state number, then making a call, since the subscriber info could not be validate real-time, the first call would go through, but subsequent calls would be blocked until this information was changed again, thus someone developed a "tumbler fone" which changed this info to some random quotient, before each call was place, this drove the Cellcos and Fedz nutz, so they just simply forward your call to a special cell provider who lets you make your call using a Credit card or do it collect, usually at a ridiculous rate i.e. $2.00 per minute. (some allow calling cards) ----------------------------------------------------------------- II. What does the Cellwarez do? Cell Software Review (just the old stuff that's out, cuz there is some confusion on what can do what.) Cellsoft.zip ... This is original stuff that was sold as package from Cellular press, A.K.A Spy Supply, it was priced at $500 and now can be yanked from any good H/P board, it contains the warez to do the Motorolas Panasonics and NEC p300/301/200/201/400. Newphones.arj .. This package is the Shareware (?!?!) release of Cellular press's moding ware. It contains all the files aforementioned plus wiring diagrams, and some warez to do NEC9A/11A NOKIAs , TANDY, R-SHACKS, and MITSUS MT3/MT4 interesting note about this one is that it asks you to upload to various bbs's and then call them (Robert Carp) and Narc em out to receive registration (?!?) and more info on their services, maybe they feel guilty for screwing all those folks around. * Also contains ROMS from the old firms of MOT phones for the ESN replacement technique. UNICHIP.ZIP .. This is another package containing moding wares for the MOTS/NEC/PANS, but this one also contains new software for doing the p400/401/600/601 firms before and after V.34, offered by unisoft. Also has Wiring Digrams for building the cables UNICELL.EXE .. Another package similar to the unichip.zip except this one contains a better Checksum calculator for programming the 9346-16911 eprom, and does a larger variety of fones (Sony/Phillips/Nokia/Cleartone/Novatel/mobira) A-Z.zip .. C.G.Cs intensive programming guide for 110 + cellfones, also has some (little) information on back door test modes and other goodies, such as a definition file and a FAQ on ESN emulation. Cellmon.zip .. Now this one is interesting, it seems to want to interface with a MOT Mircotac, and supposedly, scans the channels to monitor the the frequency, this also may be a simple form of a DDi, (digital Data interface) which is used to read the RCC (reverse control channel). *The RCC is a channel the fone uses to communicate with the tower, ESN/MIN/SCM data is xfered through this chan. Honorable Mention : P3tst001.txt, a text on the test commands for the NEC p300/301/600/601/400/401 phones, includes instructions for ESN modification : NOVATEL1.TXT, this file has information for moding the novatel 83XX series fone, including changing the ESN info, (*warning, can only be done 3 times), OKITEST.TXT , this is a listing of test commands for the OKI series fones, which is considered to be a "HACKER PHONE!" MOTCODEZ.TXT, is a file which has the current test mode commands on motorola phones. ------------------------------------------------------------- III. Current Mod-ible fones This is a short list of the phones that can currently be altered. (ESN wise that is) If I come short on this, please by all means let me know what fones can be altered and how, but this list is comprised mostly of the ones I moded personally. The purpose of this list is for you who are out trying to buy a cellfone, and wanna know which ones can be used. Theres a shitload of fones out there that *cant be modified currently, the big ones are the Audiovoxs (new), judging by the programming and ic's in the phone, Audiovox's engineers were overly security conscious, but as you well know this may and will change as new ways of exploiting technology becomes evident. Currently Modiable HOW ================== === Motorola BAG* Cable, Software Motorola FLIP* Cable, Software Motorola Brick* Cable, Software Panasonic D,E,F,G,H Cable, Software NEC p300/301/600/601/400/401 Cable, Software Nokia (all) Chip Removal NEC 11/9a Cable, Software Novatel (83XX) Keyboard/ROM Mitsubishi MT3/MT4 Chip Removal Sony CM-H333 Chip Removal Phillips PR-92 Chip Removal Nokia 100/190 Chip Removal BT / Ivory Chip Removal Novatel 4400 Chip Removal Cityman 100 Chip Removal Ameritech (motorola) Cable, software NOTES: * indicates that new software or a new method is needed to mod fones with firmware revs higher that 9122. Chip removal refers to removing the 9346-16911 serial eprom, and programming with the Unichip and Unicell software --------------------------------------------------------------- IV. How to get ESN/MIN pairs, the magic stuff Now Methods for obtaining this valuable information varies, I'll give you a few personal examples on how I was able to get some pairs. One method (which was lo-risk and cheap) was to do the old infamous trashing, I cased out a local cell provider branch office, found out what were there days/hours of operation, snooped and asked some questions on how they deal with fraud, (social engineering skills were needed of course), to which the only answer they could provide was "oh , well if you didn't make the calls, we will not require you to pay for them, and we'll change your number" which gave me two good pieces of information, 1 they just chalk it up to loss , to appease the customers, and two, they don't give a fuck in finding out who made the calls. Now that was good to hear, so on the day before trash collection I simply parked my car by the dumpster, (flashlight in my pocket), and simulated taking a leak behind the trash bin, quickly I open the side access panel, and did a quick search, I found 3 bags with words (cellular, contract) clearly visible in the bags, I grabbed them, look around, and tossed them in the trunk. After getting them to my garage (it was about 11:30 pm too) and sifting through the coffee filters, and salad containers, I walked off with about 100 pairs. (written contract info which is discarded after its entered into the computer). The cons to this is that you got a lot of explaining to do to the cops if they see you toss some bags of trash in your trunk, and some states have laws governing trash, to the effect of the trash being the property of the company until its collected by a designated trash refuge agency, non-the-less , this works for some places, Cell-1's here, have a company called 'Document Services' which pick up their trash, and shred the ESN/personal papers and contracts, thus this is ineffective in some areas. Another more expensive way, is to obtain a device called a DDi, Digital Data Interface, this thing comes in various formats from the more expensive stand-alone box, to a device which interfaces with your 800 mhz capable scanner and a PC, the cheapest standalone I seen was $1295, also I saw a kit for a simple one for about 1-$200, this is the safest way do get pairs, simply make the device mobile, and sit in a busy traffic area (freeway overpass) and collect all the data you need. These are just a couple of examples on obtaining the 'magic numbers' , some other ways (trading, inside help) does work too, but are sometimes not effective, try to be creative, the Fedz know about the trashing from back to the Captain Crunch days, the DDi seems to be the logical choice for snarfing. ---------------------------------------------------------------- V. Ways of Detection Well this is another concern that the astute phreaker must know is how to avoid detection, what you must remember is that the only way you can be physically traced, is by having the phone powered up and registered within the system, and all the cops have to do is some rudimentary triangulation and you're snagged, as long as you remember some basic rules, you can slim your chances of being discovered. 1. Never reveal your location or describe yourself over the airwaves, this is a real common mistake, just a simple as you turning on a scanner to monitor conversations, the cops have even more sophisticated equipment to do so. A cell phreaker once told me to just pretend you're in a crowed room when you speak on the fone, so the information that you relay should not be something that you would want that crowd to hear. You are just handing yourself over when you make this mistake. 2. Never leave your phone powered up or battery pack left on, this reason is simple, you turn the phone on, you're registered in the system, every phone transmits the ESN/MIN/SCM data to the cell tower to become registered so that when you place a call , the fone will be ready, some phones (motorola bags/totes/installed) transmit this data, even when its powered off, only the power adapter or battery need be connected, the effect varies when 2 fones with the same ESN/MIN/SCM data are registered at the same time, but most of the time a Fraud Flag goes off, and your calls (the #'s) are recorded or the system denies you access to place calls. 3. Never give any personal information out over the phone, this is a relative mistake as mentioned in #1, except this is mainly geared towards those, who like to make reservations at a restaurant or order a pizza, all the fedz need do is call the number and asked who placed a order at such and such day and time (these places usually keep a record of this), and wham, youre busted. ------------------------------------------------------------------- VI. Internet Sites to get Cell info Here is a list of Anon. FTP sites where Cell info is stored, I've checked them all in the past month, and they're still up. SPY.ORG /pub/SECURITY/SECTEC/cellular Corrupt.Sekurity.com /pub/phones and /pub/incoming l0pht.com /pub/blackcrwl/cell src.doc.ic.ac.uk wiretap.spies.com ftp.winternet.com /users/craigb quartz.rutgers.edu Ftp.Netcom.com siam.unibe.ch ftp.eff.org ftp.cic.net If you got any more, don't hold out, email em, or upload em to me at the above email address. ----------------------------------------------------------------- VII. Last notes Well this will end my first issue of the Cellhackers journal, I need anyone who knows anything, and would like to contribute , please email me or contact me on the stargate BBS, you can find the # and nup on quality boardz, or chat with me on the IRC, I use the handle TECHMAN / CELLFONE / or MICROTAC, usually in the #STARGATE , #CELLULAR, #PHREAK channels, the next issue we'll get into some more ESN moding Back Doors on some popular phones, and I'm trying to get some generic plans for building a cheap DDi, a flip fone and scanner (moded to receive 800 mhz cell freqs) will be needed. I'll try to have the next issue out in JAN, it'll prob be right after new years, hack on gentlemen. Some Greetz go out to: DrDamien for Breaking the Barrier on writing about Cell Phreaking, a lot of shit here I learned from you. PMF the man who supplied MPC to me, thanks man, sorry about our little ESN fandango, but we're clearing it up. PaTcH NET, (Code REd, Thranduil) for starting this cool net, we need to X-pand this shit tho' Drunkfux, for all his late-breaking info and cool t-files, how come you wont validate me on your board man, and I hope your band is working out. MOTOROLA for making a damn good (and modifiable) fone, I hope you guys keep it up. Cybertron , my boy with the gutz. Peaches my girl, Nutz and Voltz mag, WayWard (for his skillz) , TACACS, Chr0nic, Terminal Man, Alphabits, The Raven of HTH, and anyone else I didn't mention. PEACE TECHMAN