THE HIGH TECH HOODS
& A-CORP PRESENTS...
*%*%*%*%*%*%*%*%*%*%*%*%*%*%*
*% THE ULTIMATE %*
*% CELLULAR PHONE PHREAKS %*
*% MANUAL PART 2 %*
*% %*
*% WRITTEN BY THE RAVEN %*
*% AND INTROSPECT %*
*%*%*%*%*%*%*%*%*%*%*%*%*%*%*
THE RAVEN
+=======+
THANKS TO THE FOLLOWING: PEBBLES, BIT STREAM & THOMAS ICOM
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\//\/\/\/\/\/\/\/\/\/\/\/\
INDEX:
I. WHAT'S IN A NAM
II. NAM/ESN REPROGRAMMING
III. ADVANCED REPROGRAMMING
IV. OBTAINING SYS. REGISTRATION DATA
V. REPROGRAMMING YOUR PHONE
VI. ------------------------
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
I. What's In A NAM
The first thing we are going to start with is the NAM. The NAM is a PROM; a blank
NAM costs about $5, sometimes more depending on the operating temperature and
packaging specifications.
Two flavors of NAM are most commonly used for cellular phones. NEC Corp. uses
the open collector (Signetics p/n 82S23 or equivalent). All others use the
tri-state (Signetics 82S123 or equivalent). Blank NAMs are manufactured by
Signetics, National Semiconductor, Monolithic Memories, Fujitsu, Texas
Instruments, and Advanced Micro Devices. Blank NAMs can be purchased at your
local electronics distributor, through the various parts sources advertised in
electronics magazines, and some radios come with a blank included.
The NAM contains the subscriber number and lock code, the home system ID and
other system-required data. You may wonder how this info is arranged. The NAM
is organized into 32 rows and 8 columns: it is 32 words of 8 bits each
(256 bits total). Starting from the top of the NAM (address 00), you will find
the abbreviation SIDH. This means "System Identification Number, Home", a
number starting at 0001 assigned by the FCC. Each market allows two systems.
These two digits are even for the wireline and odd for the non-wireline.
At address 03, we find LU (Local Use) on the left and MIN on the right, and
they are usually set to 1. Locations with zeros are reserved. Going down the
map, there are MIN1 and MIN2, the subscriber number and the area code
respectively. Don't try to read them from a raw printout of the NAM data, as
they are scrambled beyond recognition. The reason? The way they are arranged is
the way they must be transmitted to the cellular system's receivers. The
programmer does this to make the radio's job easier.
Next is the station class mark, which identifies the class and power
capability of the phone. The system will treat a handheld (low power)
differently than a standard 3-watt mobile.
IPCH is the Initial Paging Channel. The radio listens for a page on this
channel. Wirelines use 334 and non-wirelines use 333.
ACCOLC (ACCess Overload Class) is designed for throwing off customers in the
event of an overload. Through neglect, this standard has been largely unused.
(A Class 15 station is supposed to be police, fire or military.) Usually, it's
set to 0 plus the last digit of the phone number to provide random loading.
PS (Preferred System) is always 1 in a non-wireline and 0 in a wireline.
The Lock Code is about the only thing you can read directly by studying NAM
data. The "spare" bit must be a 0 if the radio contains a 3-digit code.
Because the number of clicks when you dial 0 on a (rotary dial) phone equals
10, zeros in the lock code are represented by an "A" (the hexadecimal
equivalent of 10).
EE, REP, HA and HF correspond to End-to-End signaling (DTMF tones, possibly
as you talk), REPertory dialing (provision for 10 or more numbers in memory),
Horn Alert and Hands Free. Like all options, they are 1 if turned on and 0 if
turned off (all these numbers are in hex). The spare locations that follow are
supposed to be used by radio makers to store option switches. Usually 13 is
used, 14 sometimes and the rest less often.
Last, you will find the Checksum Adjustment and the Checksum. These numbers are
calculated automatically after the data has been edited for the NAM. The sum
of all words in the NAM plus these last two must equal a number with 0's in
the last two (hex) digits. The radio checks this sum, and if it isn't correct
the radio assumes the NAM is bad or tampered with. In that case the radio
refuses to operate until a legal NAM is installed.
THE ANATOMY OF A NAM
--------------------
Bit 7 (most significant) ..................... Bit 0 (least significant)   Hex
-------------------------------------------------------------------------  ---
0        | SIDH (14-8)                                                     00
SIDH (7-0)                                                                 01
LU       | 000000                 | MIN                                    02
00       | MIN2 (33-28)                                                    03
MIN2 (27-24)                      | 0000                                   04
0000     | MIN1 (23-20)                                                    05
MIN1 (19-12)                                                               06
MIN1 (11-4)                                                                07
MIN1 (3-0)                        | 0000                                   08
0000     | SCM (3-0)                                                       09
00000    | IPCH (10-8)                                                     0A
IPCH (7-0)                                                                 0B
0000     | ACCOLC (3-0)                                                    0C
0000000  | PS                                                              0D
0000     | GIM (3-0)                                                       0E
LOCK DIGIT 1                      | LOCK DIGIT 2                           0F
LOCK DIGIT 3                      | LOCK SPARE BITS                        10
EE       | 000000                 | REP                                    11
HA       | 000000                 | HF                                     12
Spare locations, contain all 0's                                           13-1D
NAM CHECKSUM ADJUSTMENT                                                    1E
NAM CHECKSUM                                                               1F

Legend: LU = Local Use, PS = Preferred System, EE = End-to-End signaling,
REP = Repertory dialing, HA = Horn Alert, HF = Hands Free.
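As an added illustration (not part of the original text), the radio's acceptance test and the directly readable fields from the table above, written as a small Python decoder. The 32-byte image is constructed for the example and is not a real subscriber's NAM; MIN1/MIN2 are left as raw bytes because, as the text says, they are stored in their over-the-air arrangement.

```python
# Bits the anatomy table shows as 0 (reserved), per address; spare locations 13-1D are all 0.
RESERVED = {0x00: 0x80, 0x02: 0x7E, 0x03: 0xC0, 0x04: 0x0F, 0x05: 0xF0, 0x08: 0x0F,
            0x09: 0xF0, 0x0A: 0xF8, 0x0C: 0xF0, 0x0D: 0xFE, 0x0E: 0xF0,
            0x11: 0x7E, 0x12: 0x7E, **{a: 0xFF for a in range(0x13, 0x1E)}}

def nam_checksum_ok(nam: bytes) -> bool:
    """The radio's test: all 32 words, checksum bytes included, must sum to a
    value whose last two hex digits are 00."""
    return len(nam) == 32 and sum(nam) % 256 == 0

def reserved_bits_clear(nam: bytes) -> bool:
    return all(nam[a] & mask == 0 for a, mask in RESERVED.items())

def lock_digit(nibble: int) -> str:
    # A zero in the lock code is stored as hex A (ten pulses on a rotary dial).
    if nibble == 0xA:
        return "0"
    if 1 <= nibble <= 9:
        return str(nibble)
    raise ValueError(f"invalid lock-code nibble {nibble:#x}")

def decode_nam(nam: bytes) -> dict:
    """Decode the directly readable fields. MIN1/MIN2 stay raw: they are stored in
    their over-the-air encoding. The image is rejected the way the radio rejects it."""
    if not nam_checksum_ok(nam) or not reserved_bits_clear(nam):
        raise ValueError("NAM rejected: bad checksum or reserved bits set")
    sidh = ((nam[0x00] & 0x7F) << 8) | nam[0x01]
    return {
        "SIDH": sidh,
        "system": "non-wireline (A)" if sidh % 2 else "wireline (B)",
        "LU": nam[0x02] >> 7, "MIN_mark": nam[0x02] & 1,
        "MIN_raw": nam[0x03:0x09].hex(),
        "SCM": nam[0x09] & 0x0F,
        "IPCH": ((nam[0x0A] & 0x07) << 8) | nam[0x0B],
        "ACCOLC": nam[0x0C] & 0x0F, "PS": nam[0x0D] & 1, "GIM": nam[0x0E] & 0x0F,
        "lock_code": lock_digit(nam[0x0F] >> 4) + lock_digit(nam[0x0F] & 0xF)
                     + lock_digit(nam[0x10] >> 4),
        "EE": nam[0x11] >> 7, "REP": nam[0x11] & 1,
        "HA": nam[0x12] >> 7, "HF": nam[0x12] & 1,
    }

# Constructed sample image (not a real subscriber's NAM): SIDH 21, IPCH 333, lock
# code 405; the adjust/checksum bytes 66 and 80 make the 32-word sum 0x500.
SAMPLE_NAM = bytes([0x00, 0x15, 0x81, 0x2B, 0x50, 0x0C, 0x9E, 0x47, 0xA0, 0x06,
                    0x01, 0x4D, 0x07, 0x01, 0x00, 0x4A, 0x50, 0x81, 0x01]
                   + [0x00] * 11 + [0x66, 0x80])

if __name__ == "__main__":
    print(decode_nam(SAMPLE_NAM))
```

Flipping any single bit of the sample (for instance the ACCOLC nibble at address 0C) makes `nam_checksum_ok` return False, which is exactly the tamper case the text describes.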
II. NAM/ESN REPROGRAMMING
The first step to using cellular phones is to obtain one. They can be
purchased new or used. Ham fests are one good source. Many people dump their
cellular phones once they see just how expensive they are to operate. And of
course the perception of being jerked promotes phreaking.
First generation E.F. Johnson units are a good choice as they are easy to
modify, use uniquely effective diversity (dual antenna) receivers, and use the
AMPS control bus, which means that several makers' control heads will work
with them. Another good choice is Novatel's Aurora/150. It uses a proprietary
parallel bus and control head, but costs less, is rugged, and is also easy to
work on. Also, all Novatel CMTs have built-in diagnostics. This allows you to
manually scan all 666 repeater output freqs, great for scanning!
All cellular phones have a unique ESN. This is a 4-byte hex or 11-digit
octal number stored in the ROM soldered on the logic board. Ideally, it's
never supposed to be changed. Some newer cellulars embed the ESN in a
VLSI IC (Very Large Scale Integration Integrated Circuit) along with the unit's
program code. This makes ESN mods very difficult at best. The ESN is also
imprinted on the receiver boiler plate, usually mounted on the outside of the
housing. When converted to octal (11 digits), the first 3 digits represent
the maker while the other 8 identify the unit.
The other important ROM is the NAM. It contains the MIN (i.e. phone #,
including area code), the lock code, and various model ID and carrier ID
codes.
The lock code keeps unauthorized parties from using the phone. Some newer
cellulars have no built-in NAM and instead use an EEPROM, which allows a
technician who knows the maintenance code to quickly change the NAM data
through the control head keypad.
When one attempts to make a cellular call, the transceiver first automatically
transmits the ESN and NAM data to the nearest cellsite repeater by means of
the Overhead Data Stream (ODS). The ODS is a 10 kilobaud data channel that
links the cellular's computer to the MTSO, which then controls the phone's
entire operation down to the selected channel and output power. If the MTSO
doesn't recognize the received ESN/MIN pair as valid (sometimes due to RF
noise), it issues a repeat order and will not process the call until a
valid pair is received.
In most cities, there are two CPCs or "carriers". One is the wireline CPC and
the other is the non-wireline CPC. Both maintain their own MTSO and network
(i.e. cell-site repeaters), and occupy separate halves of the cellular radio
band. Non-wirelines use System A, and wirelines use System B. (The amenities
that are available with most landline phone service, such as call waiting,
caller ID, call forwarding, 3-way calling, etc., are standard fare for most
CPCs. However, they are usually applied for differently.)
For the cellular phreaker, the most difficult task is obtaining usable ESN/MIN
pairs. Over the years, standard phreaker techniques have been employed for all
types of phreaking to obtain the required info. These include trashing,
using inside help, joining the staff, hacking them from known good ESNs and
MINs (i.e. spoofing), con strategies, strong-arming, bribing, blackmail, etc.
(This is how The High Tech Hoods get them!)
The hacker knows that most CPCs do not turn off or keep track of unused MIN
numbers. In fact, their general pattern is to start at the low numbers and
work their way up. When a number is cancelled, it is reassigned instead of
using a larger number.
The first places to look are the authorized cellular installers and service
centers in your area (see your Yellow Pages). They have on file a record of
every cellular phone installed or serviced by them, including the ESN/MIN
pairs. Another place to focus on is the cellular CPC's customer service or
billing department. These offices contain the ESN/MIN pairs for often
thousands of cellular phones, and hire low-paid people. Some cellular CPCs,
installers and service centers will provide NAM system parameters upon
request, and some will sell you NAM and ESN memory maps and schematics of a
specific cellular phone model. And some will sell you service manuals
(e.g. Motorola) that will describe the often easy method to program their
cellular phones.
The good phreak/hacker could interface the cellular phone's ADC circuit to
his PC and hack out all of the valid ESN/MIN pairs he could possibly need.
Since the ESN/MIN pair is transmitted from cellular phones (usually in an
unencrypted form), these pairs can be obtained simply by scanning the cellular
phone channels. Even if they are encrypted, the phreaker will only need to
reproduce the encrypted pair. In some areas, you can buy the ROMs right off
the street, often from the same dealers who sell drugs and stolen property,
etc. All it takes is a few discreet inquiries. However, many get caught
doing this because of police stings.
Once a valid ESN/MIN is obtained, it must be programmed into the cellular
phone's ROM. Some cellular makers use different devices and memory maps, but
the standard is the AMPS 16-pin 32x8 bit format, and some ROMs have proprietary
markings.
If the part numbers are different than those given and you can't find them in
your data book, look for the IC maker's logo and call or write them for data
sheets. If the ICs have proprietary markings, by looking at the external
parts that are directly wired to them, one can often determine not only
whether the IC is open-collector or tri-state, but also what the pin
assignments are, and sometimes the type of replacement IC to use.
The ESN ROM is then carefully desoldered from the logic board (first ground
the soldering tip through a 1 Meg-ohm resistor). Once removed, the IC can then
be placed on a ROM reader/programmer or NAM programmer (bit editing mode). Any
ROM reader/programmer that will burn a compatible ROM is usable, but a
dedicated NAM programmer has built-in software that takes out much of the
aggravation. Using a non-NAM ROM reader/programmer, one searches for the memory
location that has the same number as the ESN printed on the boiler plate. This
number will be immediately followed by an 8-bit checksum determined by the 8
least significant bits of the hex sum of the ESN's four bytes.
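As an added example (not from the original text), the ESN representation described earlier in this section and the ESN checksum rule just given, written as the consistency checks a technician or examiner would run on a ROM dump against the ESN printed on the boiler plate. The ESN value and record are constructed, and the stored byte order is assumed to be big-endian.

```python
# Constructed ESN record for illustration (not a real unit's): the 4 ESN bytes
# followed by the 8-bit checksum, as the section describes. Byte order assumed big-endian.
SAMPLE_ESN_RECORD = bytes([0x8A, 0x1F, 0x3C, 0x07, 0xEC])
SAMPLE_LABEL = "21207636007"   # the same ESN as it would be printed in octal on the label

def esn_to_octal(esn: int) -> str:
    """Render a 32-bit ESN in the 11-digit octal form printed on the boiler plate."""
    if not 0 <= esn <= 0xFFFFFFFF:
        raise ValueError("ESN must be a 32-bit value")
    return f"{esn:011o}"

def split_esn(octal: str) -> tuple:
    """First 3 octal digits identify the maker, the remaining 8 identify the unit."""
    if len(octal) != 11 or any(c not in "01234567" for c in octal):
        raise ValueError("expected 11 octal digits")
    return octal[:3], octal[3:]

def esn_checksum(esn_bytes: bytes) -> int:
    """The 8 least significant bits of the sum of the ESN's four bytes."""
    return sum(esn_bytes[:4]) & 0xFF

def esn_record_ok(record: bytes, label_octal: str) -> bool:
    """Consistency check on a ROM dump: the stored ESN must match the label on the
    housing and be followed by a correct checksum byte."""
    esn_bytes, stored_sum = record[:4], record[4]
    esn = int.from_bytes(esn_bytes, "big")
    return esn_to_octal(esn) == label_octal and stored_sum == esn_checksum(esn_bytes)

if __name__ == "__main__":
    maker, unit = split_esn(SAMPLE_LABEL)
    print("maker", maker, "unit", unit,
          "record ok:", esn_record_ok(SAMPLE_ESN_RECORD, SAMPLE_LABEL))
```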
The old ESN data (now copied into the NAM programmer's RAM) is replaced by the
new ESN and the updated checksum. A new blank and compatible ROM is inserted
into the ROM burner and burned with the new ESN data. Most cellular phreakers
at this point install a Zero Insertion Force (ZIF) DIP socket into the logic
board for this and any future ROM changes.
The NAM IC is usually already installed in a ZIF socket on the logic board.
Similarly, its MIN is read by the ROM reader/programmer and a new ROM is
burned with the new MIN and updated MIN checksum. Although one may wish to also
update the CPC's system parameters, they can be left the same if the same CPC
is desired. To change the CPC designation, the last four MIN digits, the
checksum and the exchange (if they use more than one exchange) are changed.
The more astute cellular phreaker of course can design and build his own NAM
programmer/reader, ideally one interfaced to a PC. A more primitive approach
is to interface two banks of hex thumbwheel switches to the sockets, although
a computer program would be very helpful to determine the proper switch
settings. Thumbwheel switches allow you to make changes on the fly and they
can be plugged in as needed, so if one is caught red-handed, it is difficult
to prove intent and origin of a phone call.
III. ADVANCED REPROGRAMMING
Your cellular phone contains a special memory which retains data about the
phone's individual characteristics, such as its assigned phone number, system
identification number (ID#), and other data that is necessary for cellular
operation. This special memory is known as the NAM. You can program the phone
yourself, if the phone has not already been programmed where you got it. You
can also reprogram the phone yourself should you wish to change some of the
features already selected for the NAM.
The reprogramming of the NAM is performed after you have contacted your
cellular system operator for the necessary data as described below. Enter the
data received from your cellular system operator in the NAM Reprogramming
Data Table before reprogramming the NAM of your cellular phone. Incorrect
NAM entries can cause your cellular phone to operate improperly or not at
all. Your cellular phone can be reprogrammed up to three times. After that,
it must be reset at a Motorola-authorized service facility.
Be sure you read this complete text before attempting to reprogram your
phone!
1. RE-PROGRAMMING FEATURES
You must get seven pieces of data from the cellular system operator to
allow you to reprogram the cellular phone. You provide the remaining data.
Write all of this programming data on the NAM Reprogramming Data Table
provided in this text before implementing this procedure. Incorrect NAM
entries can cause your cellular phone to operate improperly or not at all.
The required data is:
* System Identification (SID) Code (5 digits): Indicates your home system.
Enter 0's into the left-most unused positions. Provided by the system
operator.
* Cellular Phone Number (10 digits): Used in the same manner as a standard
land-line phone. The mobile phone number and the Electronic Serial Number
are checked against each other by the cellular system each time a call
is placed or received. Provided to you by the system operator.
* Station Class Code (2 digits): This number is 06 or 14 for most personal
or portable phones. Even though your phone has extended bandwidth
capabi
Overload Class
Step  Keypad entry                       Display / meaning
----  ---------------------------------  -------------------------------------
5c    *                                  06: Ready for step 6
6a    *                                  Current Group ID, factory set at 00
6b    New Group ID XX                    New Group ID
6c    *                                  07: Ready for step 7
7a    *                                  Current Security Code, factory set at
                                         000000
7b    New Security Code XXXXXX
7c    *                                  08: Ready for step 8
8a    *                                  Current Unlock Code, setting at 123
8b    New Unlock Code XXX                New Unlock Code
8c    *                                  09: Ready for step 9
9a    *                                  Current Initial Paging Channel,
                                         factory setting 0334
9b    New Initial Paging Channel XXXXXX  New Initial Paging Channel
9c    *                                  10: Ready for step 10
10a   *                                  Current Options, factory setting 010100
10b   New Options XXXXXX                 New Options
10c   *                                  11: Ready for step 11
11a   *                                  Current Options, factory setting 000
11b   New Option XXX                     New Options
11c   *                                  01 or 01 2: Ready for Review, or to
                                         program Second Phone Number
============================================================================
That concludes Part 2. Part 3 will have the instructions for NAM reprogramming
for all the phones I listed in Part 1. If you have any questions or comments
you can leave me mail on one of the BBSs that I have listed below.
THE RAVEN
+=======+