|
¿ ³ ¿À¿ ¿ ¿Ú¿ ÚÙÚ Ú ÚÙÚ¿ JAN-89 ÉÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍ» ô ÃĶ THE DNA BOX ÇÄÙ ÚĶ Hacking Cellular Phones ÇÄÄÄÄ¿ õ ÈÑÍÑÍÑÍÑÍÑÍÑÍÑÍÑÍÑÍÑÍÑÍÑÍѼ ø ø ø ø ø ø ø ø ø ø ø ø ø ø  P A R T T W O ô ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ The previous DNA file discussed the possibility of using Japanese handheld HAM radios and personal computers, or tape recorders to hack Cellular Phone codes, and possible uses for investment & business info obtained by hacking executive and corporate phone calls, and investment info services. Here I want to mention the obvious idea of simply modifying or replacing the ROMs in a standard Cellular Phone, and disassembling the ROM software that operates the Phone in order to "customize" it for scanning, data monitoring, evesdropping and (of course) making free calls using the codes of registered subscribers. Simply unplugging the ROMS, putting them on a ROM card for a PC and then copying the software to disk for disassembly is the obvious first step. Use of a logic analyzer to monitor and record activity on the Cellular Phone's digital bus would simplify things by providing a map of where data is stored and which instructions are executed during each period of activity: decoding/sending ID tones, selecting frequencies, dialing, and talking. Checking the part number on the CPU embedded in the Cellular Phone will tell you which disassembler to use to give a first draft of the ROM code. The next step is to generate a map of the locations of every subroutine call's entry point, any branch & loop locations, and all addresses written to, read, or read-only (to map out any variables and data). Locations incremented, decremented or tested by branch instructions should also be noted, along with their initial and final values. Each address in the map should be given a symbolic label in your draft of the assembly code. Comments can also be entered with high-level language equivalents that summarize the assembly code as you understand it. Pay special attention to data or loop limits that match elements of the Cellular Phone ID codes (length or contents), or any data locations that are always accessed as a group. This may give you enough info to find the location of the ID code and burn an EPROM with any ID's you've hacked by listening to Cellular Calls. If you have identified the subroutines that accept phone numbers for dialing, you can patch in a second subroutine that accepts an ID code from the keypad and stores it in RAM before calling out, and modify any routines that utilize ID Codes to use RAM addresses instead of ROM addresses. Chances are that the software takes up most or all of the available ROM and RAM scratchpad space on the single-chip microprocessor. If this is the case it might be neccessary to piggyback additional memory chips onto the circuit board to hold any new subroutines you want to add. Suggested new features: 1) Have the Cellular Phone scan for an empty channel and wait for an ID code. Capture the ID code into a table of ID's in RAM and display the captured codes on the liquid crystal display. 2) Program the Cellular Phone to emulate the switching signals and codes sent by PacBell (or your local Cellular carrier), bypassing central switching entirely. This would be useful for making 100% untraceable calls to other Cellular subscribers within direct radio range. This can be used to do your own routing, emulating a phantom switching cell. This could be used to extend cellular service into an otherwise inaccessible area by coupling your Cellular Phone to a 1.2GHz linear amplifier modified to work in the 800MHz band. 3) Make the Cellular Phone recieve data under one ID/Frequency and retransmit it under another. This would make it impossible to monitor both sides of a conversation. This feature could also be used to implement conference calling by running several calls at once out of one phone. ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ The DNA BOX - Striking at the Nucleus of Corporate Communications. ³ õ A current project of... Á Outlaw Telecommandos º³Ý³³Þº³Ýݳ³Þ³Ý³º º³Ý³³Þº³Ýݳ³Þ³Ý³º º01-213-376-0111º