|
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> <> <> <> HOW TO BUILD AN ESN/MIN SNARFER <> <> THE BASIC REQUIREMENTS <> <> <> <> by <> <> <> <> D a v e X <> <> <> <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> Ok, lets get one thing straight, you won't be able to go to tandy's and buy the bits to build a snarfer after reading this file, it is only a primer to point an interested person in the general direction, you need to be more than a little electronically inclined to build the hardware, although most semi-literate programmers could write a piece of software to use with it. I have written a short program in compiled basic which werked, so you don't have to be an asm wizard to get results. Step 1 ^^^^^^ Lets get started, to begin with you need an NBFM receiver that covers the cellular phone band. This reciever must be modified to do the job in hand, so if you don't fancy wrecking your expensive multiband scanner then stop now. To modify your receiver you need to take the output of the discriminator unfiltered and unamplified, if you don't get this right, it won't werk the hardware, as phase shifts introduced in the amplification and/or filtering will destroy the data before you can decode it. It is also a good idea to fit a wider IF filter, 20khz seems about right for cellular telemetry, but you may get limited success with the original one. OK, so you have done open heart surgery on your scanner and you now have two soggy wires hanging out of it. One wire going to the discriminator output, and the other going to chassis ground. It is a good scheme to fit a small socket, ( a 2.5mm jack socket is ideal for this purpose). Also place a 0.22uF capacitor in series with the discriminator output to prevent any stray electricity finding its way back to your scanner and fucking it. Plugging a telephone earpiece or similar into your newly fitted socket will result in a very quiet signal being heard, but neither the volume control or the squelch will have any effect on this signal. If you get this far then you are doing good and chances are you've done it right. Step 2 ^^^^^^ Next you need some custom hardware, I'm not going to supply a parts list or a diagram, and don't bother hassling me via email, because I still wont tell you more, unless you have made a good start and need help getting it to werk right. This is for two reasons, 1) Why the fuck should I do all the research and prototyping and then give it to you on a plate? Next thing you'll be wanting me to build you one. 2) Who is to say that my design is the best there is, someone else might come up with a better design if they are forced to think about it, but if I just give you a circuit and a parts list you wont bother thinking you'll just clone my design. Not withstanding the aforementioned, this is what you require:- The signal from your radio needs converting to TTL using a comparator, an LM339 would werk well here. You need a VCO with a nominal center frequency of 8khz, this is phase locked to the incoming datastream. a 4046 would seem to fit the bill. For a cheaper less technical device, you could just use a free running clock at 8khz, the disadvantages of this method are:- 1] you don't know whether you have data or not data, ie. it could be inverted but this can be overcome in software. 2] you will occassionally find that the clock actually changes phase during the reception of a data block, this means you have to disregard this block. The output of your PLL is your clock signal, this is one of the outputs you need to present to your computer for the decoding process. The other output is generated by exclusive or'ing the received datastream and the clock, you could use a 4070 for this function. CLOCK @ 8KHZ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_ RECEIVED DATA MANCHESTER ENCODED _ ___ ___ _ ___ _ _ _ ___ _ _ _ ___ _ _ | |_| |___| |___| |_| |_| |_| |___| |_| |_| |_| |___| |_| |_| |___| TTL DATA OUTPUT FROM SNARFER ______ ___ _______ _______ _______ __ |___| |___| |____________| |___________| |_______| 1 1 0 1 0 1 1 0 0 0 1 1 0 0 0 1 1 0 0 1 You now have both clock and data lines, these are fed to your computer for decoding. (you also need to connect a ground wire too). Step 3 ^^^^^^ You must first tune your radio to the reverse channel, this is most easily accomplished by tuning around between 930mhz and 950mhz until you find the strongest forward channel, (Hint. it goes burbullyburbullyburbullyburbully) Once you have found the strongest forward channel, retune your radio to exactly 45mhz lower, this is the reverse channel, and you should hear noises on it during busy periods that sound a bit like pissed off flies, bzzzz bzzzz bzzzz, these are data bursts from cellular phones, sending (among other things),their min and esn to the local cellular tower. The decoding process is fairly simple, you need to read your chosen input port each time the clock goes high, (or low), the bit value is taken from the xor'd data line. You are looking for the bit sequence 11100010010. When you receive this flag, you immediately capture the next 1207 bits, these are used to get the esn/min pair. Begining at bit(274) take ten bits, convert this to decimal, to this number add 111 (one hundred and eleven), take the three rightmost digits, and store this as 'A'. Begining at bit(20) take four bits, convert these to decimal and store it, lets call it 'B'. Begining at bit(24) take ten bits, convert this to decimal, to this number add 111 (one hundred and eleven), take the three rightmost digits, and store this as 'C'. Begining at bit(34) take ten bits, convert this to decimal, to this number add 111 (one hundred and eleven), take the three rightmost digits, and store this as 'D'. With it so far? if not read it again until you are familiar with the process. Now starting at bit(508), take four bits and convert them to decimal, this is stored as 'E', it is a two digit number and may require a leading zero.! Begining at bit(512) take six bits, convert these to decimal, this number is also a two digit number and may require a leading zero. Store as 'F'. Starting at bit(518) take six bits, convert them to decimal, this number is also a two digit number and may require a leading zero. Store as 'G'. Now starting at bit(492), take sixteen bits and convert this to decimal, this is stored as 'H', it is a five digit number, and may need padding with leading zeros to achieve this. You should now have numbers A through H. GG should read 00, if not you fucked up. Finally you print it out like so:- AAAB-CCCDDD EE/FF/GG/HHHHH It should look like this, 234#-###### ##/##/00/##### The remaining bits are for the most part junk, but can be used for verification of the information you have just collected. Each piece of info, min1, min2 and esn is sent 5 times in a 240 bit block, so using your razor sharp mind, (or a calculator), you should have figured out that each data sub block is 48 bits long. By adding 48 to the above bit(#s) you can do the same decoding process again. And again at bit(#)+96 etc. and use the extra four copies as mental error correction. There is a parity field attached to each subblock for error correction purposes but this complicates the decoding process somewhat, and would be a bit ugly to write in basic. In Phate103, there is more info on the data format used, and an asm routine for calculating the CRC using the parity bits. Have phun, but please don't use any of these snarfed pairs to make free calls as this is probably illegal. ( This information will not werk in the USA, although the signalling formats are similar to this, certain modifications need to be made both to the hardware interface and the decoding method. If you are stateside, and require this additional info, email me, DaveX @ Plan9 ) <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> Greets. ~~~~~~~ CHEROKEE KILSLUG MAELSTROM MEEKO PULSE