|
CELLULAR TELEPHONE ESN EMULATION -------------------------------- The term "Emulation" is used to describe the process of making two, or more, phones look alike to the cellular system. A basic understanding of the terms NAM and ESN is required before proceeding. NAM or "Number Allocation Module" is the term used to describe a cellular telephone's dealer programmable system parameters. These parameters include the users telephone number and other settings required to identify the phone to the cellular system. Older phones use an PROM chip that has to be programed or "burnt" using an PROM programmer. On all newer phones the NAM information can be re-programed at will from the handset be anyone possessing the relevant programing instructions, and in some cases a programming or "password" adaptor. ESN or "Electronic Serial Number" is the term used to describe a cellular telephones "un-alterable" fingerprint and is programed into the phone by the manufacturer. The ESN is commonly expressed as an eleven digit decimal, or eight digit hex number. The decimal format includes a three digit manufacturers identification and an eight digit unique serial number, the hex format includes a two digit manufacturers identification and a six digit unique serial number. When combined the NAM and ESN provide the cellular carriers a way of identifying the phone and determining whether to allow the phone to place a call. Whenever the phone is used it transmits this information to the cellular switch where it is compared to a data base of current subscribers. If the system recognizes the phone as being an out of area, or "roaming", subscriber a check is made with the home system. This check is either made during the first call, or more commonly these days before the first call is completed. CELLULAR FRAUD -------------- In the past it was often possible for hackers to change the ESN and NAM information and make one call before the system locked the unit out. The NAM and ESN information would be changed and another call could be completed. This is known as ESN "Tumbling" and over the last few years the Cellular Carriers have lost millions of dollars to this scam. It has been estimated that at the height of tumbling in New York City up to 30% of calls placed were fraudulent. To change the ESN the hacker would generally remove the phone's ESN chip and install a socket to take an easily reprogramable EPROM chip, the ESN could then be reprogramed at will. More recently people have reverse engineered certain manufacturer's software to allow simple reprograming using a lap top computer connected to the phone's data port. The Cellular industry has reacted to this in various ways. Initially the simple way to prevent tumbling was to ban all roaming customers from direct dialing, legitimate callers had to pre-register using a credit card to guarantee payment. Newer advanced software allows pre-screening of callers information and has now all but eliminated tumbling. In most service areas the ESN and NAM information is checked on power up or as soon as the SEND button is pressed, prior to allowing the completion of the call. The Cellular hackers have now turned to other ways of making fraudulent calls. The most common of these is to obtain a legitimate subscriber's telephone number and ESN and re-program a phone with this information, therefore making an exact clone able to make (and receive) phone calls. This method allows anything from a few days to a full month of "free" calls, and can go on indefinitely if the cloned number is a corporate account as executive's phone bills are rarely questioned. LEGAL EMULATION --------------- The above illegal cloning of subscriber's cellular telephones and the reverse engineering of manufacturer's software has been adapted by a number of legitimate companies. It is now possible to have more than one phone per cellular telephone number. Several companies are now offering legal cloning or emulation where for a fee of around $200-$300 they will program your second phone with the ESN of your currently active phone. To avoid fraud these companies often ask for a copy of a current cellular telephone bill showing the mobile number and subscribers name. This is then compared with picture ID to insure that the customer is a legitimate bill paying subscriber. Once a phone has been emulated the following should be noted: 1. If an attempt is made to use both phones at the same time and in the same system one of the following will occur: OUTGOING CALLS - First call will complete as normal, second phone will get a fast busy, system deny recording, or call will drop. INCOMING CALLS - Both phones may ring and call can be answered but might immediately drop. Strongest signal may ring and call can be answered. Neither phone will ring. 2. If one phone is in the home market and one is roaming both phones should work and it should be possible to call your own number. This depends on the roaming agreement between the two systems. In systems with "Automatic Roaming" or "Super Access" agreements it may be necessary to turn off the auto call forwarding to avoid problems, dial * O F F SEND in many locations. 3. If both phones are roaming in DIFFERENT systems do NOT attempt to have both phones turned on at the same time as your home system will probably generate a roam fraud message and CUT THE PHONE OFF! 4. If the secondary (cloned) phone is stolen call the carrier and have the mobile number changed, re-program the primary phone with the new number. Do not report the phone stolen as the ESN will be locked out and neither phone will work. If you know the secondary phone's ORIGINAL ESN report this as stolen and tell the carrier that the phone was not active. Nine times out of ten if the thief tries to activate the phone the hardware serial number (assumed to be the correct ESN) will be checked on the deny list and service will be denied. If the original ESN has not been reported stolen and the phone is activated using the hardware serial number the phone won't work as the ESN is incorrect! If the "correct" emulated ESN is read from the phone service will probably be denied if the thief tries to activate the phone on the same home system as the primary phone. This is because many systems do not allow two numbers on one ESN. The thief could activate service on an alternate system. You could prevent the emulated phone from working by having the ESN in the primary phone emulated to another phone, you can then report the phone's ESN as stolen. This is not recommended as using a phone with a stolen ESN would cause problems if you ever need to use the original ESN. Remember that legitimate emulation does not remove the original ESN, it simply adds some code to make the phone appear to have a different ESN. 5. If the primary phone is stolen you can report the theft, then have the secondary phone's ESN changed back to it's original or re programed to match another phone. This will usually be done for a nominal charge. As of April 1993 California Grapevine Communications offers ESN emulation for the following phones (call for latest list): AUDIOVOX: - 832, 832A, 1000, 4200A BC - 40, 45, 55, 55A, 65A, 410. CMT - 300A, 400, 405, 410A, 420, 450, 550, 600, 605, 750, 1700. CTR - 420A, 1900, 2000, CTX - 1500, 2500, 3100A, 3200A, 4000, 4100A PRT - 200 SP - 85, 85A, 95, TRANS - 420 NEC: 3700, 3800, 4000 M3800, M4500, M4600, M4700, M4800 P200, P300, P301 P9000, P9100 NOVATEL: 8300, 8301, 8305, 8305A, 8320, 8320A PTR825 PANASONIC: EB2500, EB2501 (TP500, 501) PIONEER: SEE MOTOROLA MOTOROLA: ALL MOBILES, TRANSPORTABLES AND BAG PHONES. ALL FLIPS, 8000 SERIES AND ULTRA CLASSICS PRIOR TO VERSION 9121. NO MICROTAC LITE'S (YET) TECHNOPHONE: MC905, MC905MKII/985/995 THE FOLLOWING MUST BE EMULATED TO SAME BRAND: SHINTOM, UNIDEN, GE The price for Emulation is $199.00 (mention this software) plus shipping. Proof of ID, valid Cellular account and social security number are required. Please call or write for further information. 25082 LUNA BONITA DRIVE, LAGUNA HILLS, CA, 92653 TEL: (714)643-8426 FAX: (714)643-8379 COPYRIGHT 1993 CALIFORNIA GRAPEVINE COMMUNICATIONS