TUCoPS :: Phreaking Cellular - Misc. :: dna5.txt

The DNA Box - Hacking cellular phones #5

      úúúÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿                           ÚÄÄÄÄ¿            6-FEB-89
                      ÉÍÏÍÍÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍ»   ÀÂÄÄÄÙ
    úúúÄÄÄÄÄÄÄÄÄÄÄÄÄÄĶ      THE DNA BOX        ÇÄÄÄÄÙ
   úúúÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄĶ Hacking Cellular Phones ÇÄÄÄÄ¿
                      ÈÑÍÑÍÑÍÑÍÑÍÑÍÑÍÑÍÑÍÍÍÑÍÑÍѼ   ÚÁ¿
  úúúÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ                            ÀÄÙ
                          P A R T    F I V E
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿

                 CELLULAR TELEPHONE SIGNALING FORMATS
===========================================================================
(RECC) Reverse Control Channel (mobile-to-tower on control channel)
 RECC Message Format:
 ----------------------------------------------------------
  Seizure Precursor:
   Dotting     (30 bits)     1010101010101010101010101010101
   Word Sync   (11 bits)     11100010010 
   DCC         (7 bits)      xxxxxxx         Digital Color Code (DCC)
                                                Received  Coded
                                                --------  -------
                                                00        0000000    
                                                01        0011111
                                                10        1100011
                                                11        1111100
  Message: (from one to five words in length)
   First Word  repeated 5 times (240 bits)
   Second Word repeated 5 times (240 bits)
   Third Word  repeated 5 times (240 bits)
   Fourth Word repeated 5 times (240 bits)
   Fifth Word  repeated 5 times (240 bits)
  ----------------------------------------------------------
There are 4 types of RECC messages:
    Page Response Message
    Origination Message
    Order Confirmation Message
    Order Message

These are composed of combinations of the following message words:

Abbreviated Address Word:
 F    (1bit)     1                         (first word indicator)
 NAWC (3 bits)   xxx                       (number of additional words to send)
 T    (1 bit)    x                         (0=response,1=origination/order)
 S    (1 bit)    x                         (1=serial number will be sent)
 E    (1 bit)    x                         (1=area will to be sent)
      (1 bit)    0
 SCM  (4 bits)   xxxx                      (station class mark)
 MIN1 (24 bits)  xxxxxxxxxxxxxxxxxxxxxxxxx (coded 7 digit phone number)
 P    (12 bits)  xxxxxxxxxxxx              (Parity)
   
Extended Address Word:
 F     (1 bit)    0
 NAWC  (3 bits)   xxx
 LOCAL (5 bits)   xxxxx         (local control - system specific)
 ORDQ  (3 bits)   xxx           (order qualifier)
 ORDER (5 bits)   xxxxx         (order code)
 LT    (1 bit)    x             (1=last try)
       (8 bits)   00000000
 MIN2  (10 bits)  xxxxxxxxxx    (coded Area Code)
 P     (12 bits)  xxxxxxxxxxxx

Serial Number Word:
 F      (1 bit)    0
 NAWC   (3 bits)   xxx
 SERIAL (32 bits)  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (serial number)
 P      (12 bits)  xxxxxxxxxxxx

First Word of Called Address: [D1..D16 are the encoded digits]
 F    (1 bit)    0
 NAWC (3 bits)   xxx
 D1   (4 bits)   xxxx                     Table of Digit Codes:
 D2   (4 bits)   xxxx                 -----------------------------
 D3   (4 bits)   xxxx                 1 0001     7 0111   NULL 0000
 D4   (4 bits)   xxxx                 2 0010     8 1000
 D5   (4 bits)   xxxx                 3 0011     9 1001
 D6   (4 bits)   xxxx                 4 0100     0 1010
 D7   (4 bits)   xxxx                 5 0101     * 1011
 D8   (4 bits)   xxxx                 6 0110     # 1100
 P    (12 bits)  xxxxxxxxxxxx

Second Word of Called Address:
 F    (1 bit)   0
 NAWC (3 bits)  000
 D9   (4 bits)  xxxx      (encoded digits, see above table)
 D10  (4 bits)  xxxx
 D11  (4 bits)  xxxx
 D12  (4 bits)  xxxx
 D13  (4 bits)  xxxx
 D14  (4 bits)  xxxx
 D15  (4 bits)  xxxx
 D16  (4 bits)  xxxx
 P    (12 bits) xxxxxxxxxxxx
===========================================================================

(RVC) Reverse Voice Channel (mobile-to-tower on voice channel)
 RVC Message Format:
 --------------------------------------------------------------
 Dotting         (101 bits) 101010101....101 
 Word Sync       (11 bits)  11100010010
 Repeat 1 Word 1 (48 bits)  xxxxx ... xxxxx
 Dot             (37 bits)  1010101010101010101010101010101
 Word Sync       (11 bits)  11100010010
 Repeat 2 Word 1 (48 bits)  xxxxx ... xxxxx
  .                 .
  .                 .       [same pattern of repetition]
  .                 .
 Dot             (37 bits)
 Word Sync       (11 bits)
 Repeat 5 word 1 (48 bits)
 Dot             (37 bits)
 Word Sync       (11 bits)
 Repeat 1 Word 2 (48 bits)
 Dot             (37 bits)
 Word Sync       (11 bits)
 Repeat 2 Word 2 (48 bits)
  .                  .
  .                  .      [same pattern of repetition]
  .                  .
 Dot             (37 bits)  1010101010101010101010101010101
 Word Sync       (11 bits)  11100010010
 Repeat 5 word 2 (48 bits)  xxxxx ... xxxxx
-----------------------------------------------------------
 There are two kinds of RVC messages:

  Order Confirmation Message  
  Called Address Message

----------
Order Confirmation Message Word:
 F     (1 bit)   1
 NAWC  (2 bits)  00
 T     (1 bit)   1
 LOCAL (5 bits)  xxxxx
 ORDQ  (3 bits)  xxx
 ORDER (5 bits)  xxxxx
       (19 bits) 0000000000000000000
 P     (12 bits) xxxxxxxxxxxx
---------
---------
Called Address Message, First Word:
 F    (1 bit)   1
 NAWC (2 bits)  01
 T    (1 bit)   0
 D1   (4 bits)  xxxx
 D2   (4 bits)  xxxx
 D3   (4 bits)  xxxx
 D4   (4 bits)  xxxx
 D5   (4 bits)  xxxx
 D6   (4 bits)  xxxx
 D7   (4 bits)  xxxx
 D8   (4 bits)  xxxx
 P    (12 bits) xxxxxxxxxxxx

Called Address Message, Second Word:
 F    (1 bit)   1
 NAWC (2 bits)  00
 T    (1 bit)   0
 D9   (4 bits)  xxxx
 D10  (4 bits)  xxxx
 D11  (4 bits)  xxxx
 D12  (4 bits)  xxxx
 D13  (4 bits)  xxxx
 D14  (4 bits)  xxxx
 D15  (4 bits)  xxxx
 D16  (4 bits)  xxxx
 P    (12 bits) xxxxxxxxxxxx
--------
===========================================================================

(FOCC) Forward Control Channel (tower-to-mobile on control channel)
 FOCC Message Format:
 --------------------------------------
 Dotting         (10 bits) b1010101010
 Word Sync       (11 bits) b11100010010
 Repeat 1 word A (40 bits) bxxxxxxxxxxbxxxxxxxxxxbxxxxxxxxxxbxxxxxxxxxx
 Repeat 1 word B (40 bits)            A Busy/Idle Bit (b) is inserted
 Repeat 2 word A (40 bits)            at the beginning of Dotting and
 Repeat 2 word B (40 bits)            Word Sync, and every 10 bits
 Repeat 3 word A (40 bits)            during word repetitions beginning
 Repeat 3 word B (40 bits)            at the start of the first word.
 Repeat 4 word A (40 bits)            b=1 when the RCC is Idle.
 Repeat 4 word B (40 bits)            b=0 when the RCC is Busy.
 Repeat 5 word A (40 bits)
 Repeat 5 word B (40 bits) bxxxxxxxxxxbxxxxxxxxxxbxxxxxxxxxxbxxxxxxxxxx
 Dotting         (10 bits) b1010101010
 -------------------------------------
There are three types of FOCC messages: 

 Mobile Station Control Message
 Overhead Message
 Control-filler Message

Mobile Station Control Message: (one,two or four words)
------------------------------
Abbreviated Address Word: 
 TT   (2 bits)  0x         (00=if one word sent, 01=if multiple words sent)
 DCC  (2 bits)  xx         Digital Color Code
 MIN1 (24 bits) xxxxxxxxxxxxxxxxxxxxxxxx
 P    (12 bits) xxxxxxxxxxxx

Extended Address Word: (two versions of this word occur)
 -----------------------------   -----------------------------
 TT    (2 bits)  10              TT   (2 bits)  10
 SCC   (2 bits)  11              SCC  (2 bits)  xx    [not=11]
 MIN2  (10 bits) xxxxxxxxxx      MIN2 (10 bits) xxxxxxxxxx
       (1 bit)   0                    (1 bit)   0 
 LOCAL (5 bits)  xxxxx           VMAC (3 bits)  xxx         (attenuation code)
 ORDQ  (3 bits)  xxx             CHAN (11 bits) xxxxxxxxxxx (channel number)
 ORDER (5 bits)  xxxxx              P (12 bits) xxxxxxxxxxxx
 P     (12 bits) xxxxxxxxxxxx

First Directed-Retry Word:
 TT      (2 bits)  10
 SCC     (2 bits)  11       SAT Color Code
 CHANPOS (7 bits)  xxxxxxx  channel position relative to first access channel
 CHANPOS (7 bits)  xxxxxxx 
 CHANPOS (7 bits)  xxxxxxx
         (3 bits)  000 
 P       (12 bits) xxxxxxxxxxxx 

Second Directed-Retry Word:
 TT      (2 bits)  10
 SCC     (2 bits)  11
 CHANPOS (7 bits)  xxxxxxx
 CHANPOS (7 bits)  xxxxxxx
 CHANPOS (7 bits)  xxxxxxx
         (3 bits)  000
 P       (12 bits) xxxxxxxxxxxx
-------------------------------
-------------------------------
Overhead Messages:
  System Parameter Overhead Message:
  Global Action Overhead Message:
  Registration Identification Message:
  Control-filler Message:

System Parameter Overhead Message:
----------------------------------
System Parameter Word 1:
 TT   (2 bits)  11
 DCC  (2 bits)  xx
      (3 bits)  000
 NAWC (4 bits)  xxxx
 OHD  (3 bits)  110           (overhead message type)
 P    (12 bits) xxxxxxxxxxxx

System Parameter Word 2:
 TT     (2 bits)  11
 DCC    (2 bits)  xx
 S      (1 bit)   x     (serial number flag)
 E      (1 bit)   x     (extended address flag)
 REGH   (1 bit)   x     (registration for home stations)
 REGR   (1 bit)   x     (registration for roaming stations)
 DTX    (1 bit)   x     (discontinuous transmission flag)
        (1 bit)   0
 N-1    (5 bits)  xxxxx (number of paging channels in system minus 1)
 RCF    (1 bit)   x     (read-control-filler flag)
 CPA    (1 bit)   x     (combined paging/access flag)
 CMAX-1 (1 bit)   x     (number of access channels in system minus 1)
 END    (1 bit)   x     (1=last word of overhaed message train)
 OHD    (3 bits)  111
 P      (12 bits) xxxxxxxxxxxx
-------------------------------
-------------------------------
Global Action Overhead Messages:

 Rescan Global Action Message:
    TT  (2 bit)   11
    DCC (2 bits)  xx
    ACT (4 bits)  0001
        (16 bits) 0000000000000000
    END (1 bit)   x
    OHD (3 bits)  100
    P   (12 bits) xxxxxxxxxxxx

 Registration Increment Global Action Message:
    TT      (2 bits)  11
    DCC     (2 bits)  xx
    ACT     (4 bits)  0010
    REGINCR (12 bits) xx    (registration increment)
            (4 bits)  0000
    END     (1 bits)  xx
    OHD     (3 bits)  100
    P       (12 bits) xx

 New Access Channel Set Global Action Message:
    TT     (2 bits)  11
    DCC    (2 bits)  xx
    ACT    (4 bits)  0110
    NEWACC (11 bits) xxxxxxxxxxx  (new access channel starting point)
           (4 bits)  0000
    END    (1 bit)   x
    OHD    (3 bits)  100
    P      (12 bits) xxxxxxxxxxxx

 Overload Control Global Action Message:
    TT     (2 bits)  11
    DCC    (2 bits)  xx
    ACT    (4 bits)  1000
    OLCD0  (1 bit)   x     (overload class flags)
    OLCD2  (1 bit)   x
    OLCD3  (1 bit)   x
    OLCD4  (1 bit)   x
    OLCD5  (1 bit)   x
    OLCD6  (1 bit)   x
    OLCD7  (1 bit)   x
    OLCD8  (1 bit)   x
    OLCD9  (1 bit)   x
    OLCD10 (1 bit)   x
    OLCD11 (1 bit)   x
    OLCD12 (1 bit)   x
    OLCD13 (1 bit)   x
    OLCD14 (1 bit)   x
    OLCD15 (1 bit)   x
    END    (1 bit)   x
    OHD    (3 bits)  100
    P      (12 bits) xxxxxxxxxxxx

 Access Type Paramters Global Action Message:
    TT  (2 bits)  11
    DCC (2 bits)  xx
    ACT (4 bits)  1001
    BIS (1 bit)   x                  (busy/idle status flag)
        (15 bits) 000000000000000
    END (1 bit)   x
    OHD (3 bits)  100
    P   (12 bits) xxxxxxxxxxxx

 Access Attempt Parameters Global Action Message:
    TT            (2 bits)  11 
    DCC           (2 bits)  xx
    ACT           (4 bits)  1010
    MAXBUSY-PGR   (4 bits)  xxxx    (maximum busy occurrences, page response)
    MAXSZTR-PGR   (4 bits)  xxxx    (maximum seizure tries, page response)
    MAXBUSY-OTHER (4 bits)  xxxx    (maximum busy occurrences, other accesses)
    MAXSZTR-OTHER (4 bits)  xxxx    (maximum seizure tries, other accesses)
    END           (1 bits)  x
    OHD           (3 bits)  100
    P             (12 bits) xxxxxxxxxxxx

 Local Control 1 Message:
    TT            (2 bits)  11
    DCC           (2 bits)  x
    ACT           (4 bits)  1110
    LOCAL CONTROL (16 bits) xxxxxxxxxxxxxxxx  (any local control code)
    END           (1 bits)  x
    OHD           (3 bits)  100
    P             (12 bits) xxxxxxxxxxxx

 Local Control 2 Message:
    TT            (2 bits)  11
    DCC           (2 bits)  xx
    ACT           (4 bits)  1111
    LOCAL CONTROL (16 bits) xxxxxxxxxxxxxxxx
    END           (1 bits)  x
    OHD           (3 bits)  100
    P             (12 bits) xxxxxxxxxxxx
-------------------------------
Registration Identification Message:

   TT    (2 bits)  11
   DCC   (2 bits)  xx
   REGID (20 bits) xxxxxxxxxxxxxxxxxxxx    (registration ID)
   END   (1 bit)   x
   OHD   (3 bits)  000
   P     (12 bits) xxxxxxxxxxxx
------------------------------------
Control-Filler Message:

   TT   (2 bits) 11
   DCC  (2 bits) xx
        (6 bits) 010111
   CMAC (3 bits) xxx            (current mobile attenuation)
        (7 bits) 0011001
   WFOM (1 bit)  x              (wait for overhead message)
        (4 bits) 1111
   OHD  (3 bits) 001
   P    (12 bits) xxxxxxxxxxxx
===========================================================================
(FVC) Forward Voice Channel: (tower-to-mobile on voice channel)
 FVC Message Format: * BUSY/IDLE bits are inserted into FVC messages in a
                       format similar to that of FOCC messages)
 --------------------------------------------------------------
 Dotting         (101 bits) 101010101...101 
 Word Sync       (11 bits)  11100010010
 Repeat 1 Word   (40 bits)  xxxxx...xxxxx
 Dot             (37 bits)  1010101010101010101010101010101
 Word Sync       (11 bits)  11100010010
 Repeat 2 Word   (40 bits)  xxxxx...xxxxx
 Dot             (37 bits)
 Word Sync       (11 bits)
 Repeat 3 Word   (40 bits)
 .                   . 
 .                   .      [same pattern of repetition]
 .                   .
 Dot             (37 bits)  1010101010101010101010101010101
 Word Sync       (11 bits)  11100010010
 Repeat 11 Word  (40 bits)  xxxxx...xxxxx
-----------------------------------------------------------
 There is only kind of FVC message:

Mobile Station Control Message:

Mobile Station Control Word: (two versions of this word occur)
 -----------------------------   -----------------------------
 TT    (2 bits)  10              TT   (2 bits)  10
 PSCC  (2 bits)  xx              PSCC (2 bits)  xx          (present SAT code)
       (9 bits)  000000000            (9 bits)  000000000 
 LOCAL (5 bits)  xxxxx           VMAC (3 bits)  xxx         (attenuation code)
 ORDQ  (3 bits)  xxx             CHAN (11 bits) xxxxxxxxxxx (channel number)
 ORDER (5 bits)  xxxxx              P (12 bits) xxxxxxxxxxxx
 P     (12 bits) xxxxxxxxxxxx

===========================================================================
* See Part Six for information describing various codes used in message
  word fields.
===========================================================================
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ The DNA BOX - Striking at the Nucleus of Corporate Communications.      ³
õ A current project of...                                                 õ
 
        Outlaw
     Telecommandos
   º³Ý³³Þº³Ýݳ³Þ³Ý³º
   º³Ý³³Þº³Ýݳ³Þ³Ý³º
   º01-213-376-0111º



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH