********************************************
*                                          *
*   Introduction to Cellular Phone Cloning *
*   By Phantom Signal                      *
*                                          *
*   Phantom Phone Phreaks                  *
*   www.ppp-sb.org                         *
*                                          *
*   PPCHQ                                  *
*   www.ppchq.org                          *
*                                          *
*   Released Date: 12-30-00                *
*                                          *
********************************************

Table of Contents:

1. Introduction
2. What is Cloning
3. Cloning Cellular Phones
4. Cloning Materials
5. Cloning Procedures
6. Known Clonable Phones
7. What is Snarfing
8. Snarfing
9. Conclusion
10. Shout-Outs

Disclaimer: The information provided in this text is for educational purposes only and by no means is encouraged for you to try out on your own. Whatever you do with the information provided is by your own choice and we at PPCHQ cannot and will not be held responsible for it.

1. Introduction:

Welcome to "Introduction to Cellular Phone Cloning". I wrote this file to bring a better understanding of cellular phone phreaking to the newbie crowd as well as the moderate and highly advanced crowds. I am sure most of you highly advanced phreaks knew whatever I have included in this file before the sun's first rising, so this file might be a waste of your time, or it might enlighten you on something you didn't know. Anyway, on with the file. I will be covering different topics here and there. If you wish to add something to this then please email me what you think should be added and you will get your due credit. Thanks for checking out the file; I hope this is the start of many. Many thanks to PPC and PPP, both very advanced and knowledgeable phreaks who are keeping the scene alive.

2. What is Cloning:

Cloning is the act of making one cellular phone "act the same" as another. This is accomplished by copying the identity and phone number of one phone and inserting it into another. The phones do not have to be the same model or even the same brand. The second phone acts as the first one does.
When the first one rings the second one will too, but here's the catch: the second phone's calls show up on the monthly bill of the first phone, the original phone and number. So when you steal someone else's phone, clone it, and add extra charges to that person's bill, you are now involved in something we like to call fraud. The author's view is that if you clone a phone you own yourself you are not committing any crime; you have basically just made an "extension", so to speak. Be aware that carriers and the law do not see it that way: any handset transmitting an ESN the carrier did not issue to it is treated as a cloned phone, and in the US the Wireless Telephone Protection Act of 1998 made it a federal offence to possess hardware or software configured to alter a phone's identifying numbers so that it can obtain service without the carrier's authorization, intent to defraud or not. Why have more than one phone with the same number? The reasonable excuse is that someone in your family needed a phone, so you made your number available to them and you didn't want multiple numbers.

3. Cloning Cellular Phones:

To clone one phone to another requires extracting the ESN (Electronic Serial Number) from the master phone and inserting it into the phone to be cloned. In older phones this is typically accomplished by opening up the master phone, removing the PROM or EPROM holding the ESN and other data, and copying it. In newer phones the data is read out over a serial cable connected to a computer. A file is made from the extracted data, changing data as necessary. Once the file has been made, a second blank chip of the same type as the one in the phone to be cloned is programmed with the ESN and other data from the master; with later model phones the data is instead sent back to the cloned phone over the same serial cable. The entire procedure can be completed within an hour, much less after the first phone is done.

4. Cloning Materials:

  IBM-PC/XT/AT Computer                                           $50-200
  EPROM Programmer and Adapter (if required to read/write chips)  $100
  EPROM Burner (modify and save changes)                          $100
  Blank Chips                                                     $5
  Programming Cables for each particular phone
  Copycat (for StarTAC, Ericsson, or NEC)

5. Cloning Procedures:

Cloning different types of phones:

- Read and make a file of the master phone's PROM or EEPROM using the burner; do the same for the phone to be cloned. Print both files for reference.
- Locate the information to be swapped in each file (i.e. ESN, MIN, SIDH).
- Swap the data you have found from the master phone into the clone phone's file.
- Compute the checksum on the completed clone file using the software that came with the burner, and insert the checksum into the clone file at the correct location.
- Burn a new PROM or EEPROM with the modified clone file.
- Install the new chip into the clone phone and reassemble it.
- Turn the phone on. If you get nothing, you most likely have not computed the checksum properly; it must be correct or the phone will not come online after it has been turned on.
- Reprogram the phone following the programming instructions for that specific phone. You can change all information from the handset except the ESN.

You now have a clone of the master phone.

Cloning the same phone:

- All you have to do here is copy the PROM, EPROM or EEPROM holding the ESN information.
- Create a duplicate copy of that chip.
- Insert the duplicate chip into the second phone.
- Reprogram if necessary; most of the time this is not required.

And you now have a clone of the master phone.

6. Known Clonable Phones:

KEY:
  1  Programmable through handset after EEPROM is inserted
  2  Requires NAM programmer
  3  Requires special hardware
  4  Can be programmed 3x

CELLS:
  Alpine 9510: 1
  Alpine 9511: 1
  Amps ALL: 2
  Antel Radiant 832XL: 2
  Ara Pro-Comm 1800: 1
  Astrotel 500: 1
  Astrotel 580: 1
  Astrotel 591: 1
  AT&T 1710: 1
  Audiote/Toshiba CMT500: 2
  Audiotel BC-20: 2
  Audiotel CMT-125: 2
  Audiotel CMT-135: 2
  Audiovox BC20: 2
  Audiovox BC40: 1
  Audiovox BC45: 1
  Audiovox CMT-125: 2
  Audiovox CMT-135: 2
  Audiovox CMT1700: 1
  Audiovox CMT400: 1
  Audiovox CMT405: 1
  Audiovox CMT450: 1
  Audiovox CMT550: 1
  Audiovox CMT600: 1
  Audiovox CMT605: 1
  Audiovox CMT750: 1
  Audiovox CTX1500: 1
  Audiovox CTX2500: 1
  Audiovox CTX4000: 1
  Audiovox CTX5000: 1
  Colt Transportable: 1
  Diamondtel 100: 1
  Diamondtel 200: 1
  Diamondtel 90X: 1
  Diamondtel 95: 1
  Diamondtel Mesa 50: 4/2
  Diamondtel Mesa 52: 4
  Diamondtel Mesa 52A: 4
  Diamondtel Mesa 55: 2
  Diamondtel Mesa 55AX: 4
  Diamondtel Mesa 55BX: 4
  Diamondtel Mesa 60: 4
  Diamondtel Mesa 60X: 4
  Diamondtel Mesa 80: 4
  Diamondtel Mesa 90X: 4
  Diamondtel Mesa 95: 4
  Diamondtel Mesa 99X: 4
  DYNA TAC 2000: 2
  Dyna Tac 2000X: 2
  Dyna Tac 4000: 2
  Dyna Tac 4500L: 2
  Dyna Tac 4500XL: 2
  Dyna Tac 6000: 2
  Dyna Tac 6000X: 2
  Dyna Tac 6000XL: 2
  E.F. Johnson: 2
  Fujitsu 170 PORTABLE: 1
  Fujitsu 183-IIX: 1
  Fujitsu FM80M-360: 2
  Fujitsu FM80M-362: 2
  Gateway CP 900: 1
  GE Star: 2
  Goldstar 5000: 1
  Hitachi CR2100: 1
  Hitachi CR2100H: 1
  MEI HT5000: 3
  Mercury 200: 2
  Mitsubishi 460 XTAL: 2
  Mitsubishi 555: 1
  Mitsubishi 560: 1
  Mitsubishi 600: 1
  Mitsubishi 700: 4
  Mitsubishi 800: 1
  Mitsubishi 900: 1
  Mitsubishi 1500: 1
  Mitsubishi Mark 1 301: 2
  Mitsubishi Mark 1 401: 2
  Mitsubishi Mark 1 450: 2
  Mitsubishi Mark 1 455: 2
  Mitsubishi Mark 1 500: 2
  Mitsubishi Mark 1 555: 2
  Mitsubishi Mark 1 560: 2
  Mitsubishi Mark 1 600: 2
  Mobira ME-300: 1
  Mobira ME-53A: 3
  Mobira ME-57: 1
  Mobira TPA 4/400: 1
  Mobira TPA 5/500: 1
  Motorola SCN2115A: 4
  Motorola SCN2119A: 4
  Motorola SCN2124A: 4
  Motorola SCN2126A: 4
  Motorola SCN2133A: 4
  Motorola SCN2134A: 4
  Motorola SCN2020A: 4
  Motorola SCN2021A: 4
  Motorola SCN2025A: 4
  Motorola SCN2034A: 4
  Motorola TLN2574A: 4
  Motorola TLN2659A: 4
  Motorola TLN2724A: 4
  Motorola TLN2726A: 4
  Motorola TLN2733A: 4
  Motorola TLN2734A: 4
  Motorola TLN2777A: 4
  Motorola TLN2867A: 4
  Motorola TLN2879A: 4
  Motorola 8000H: 4
  Motorola Ultra Classic: 4
  Motorola SCN2004A: 4
  Motorola SCN2005A: 4
  Motorola SCN2007A: 4
  Motorola SCN2022A: 4
  Motorola SCN2023: 4
  Motorola SCN2033A: 4
  Motorola SCN2043A: 4
  Motorola SCN2056B: 4
  Motorola SCN2081A: 4
  Motorola SCN2085A: 4
  Motorola SCN2090A: 4
  NEC M3700: 3
  NEC P300: 3
  NEC P9100: 3
  NEC TR5E800-11A: 3
  NEC TR5E800-9A: 3
  NEC TR5E800-9C: 3
  NEC TR5E800-C: 3
  NEC TR5E800-G: 3
  NEC TR5E800-H: 3
  Nokia LX-11: 1
  Nokia M-10: 1
  Nokia P-30: 1
  Panasonic 1001: 2
  Panasonic 102: 2
  Panasonic 103: 2
  Panasonic EB-2501: 3
  Panasonic EB-300: 3
  Panasonic EB-3500: 3
  Panasonic EB-6106EA: 3
  Panasonic EB-6110EA: 3
  Panasonic EB100: 2
  Panasonic EB101: 2
  Panasonic EB111: 2
  Panasonic EF6103EA: 2
  Panasonic EF6103EC: 2
  Panasonic EF6104EA: 2
  Panasonic EF6104EB: 2
  Panasonic EF6104EC: 2
  Panasonic EF6105EA: 2
  Panasonic EF6105EB: 2
  Panasonic EF6106: 2
  Radio Shack 17-1002: 3
  Radio Shack 17-1003: 1
  Radio Shack 17-1003A: 1
  Radio Shack 17-1005: 1
  Radio Shack 17-1050: 1
  Radio Shack 17-2001: 1
  Radio Shack 17-3001: 1
  Radio Shack CT-100: 1
  Radio Shack CT-200: 1
  Radio Shack CT-201: 1
  Radio Shack CT-300: 1
  Radio Shack CT-301: 1
  Shintom CM-7600: 2
  STS CP-832: 1
  Technophone PC-105: 1
  Technophone PC-115: 1
  Uniden CP-1000: 3
  Uniden CP-1100: 3
  Uniden CP-1200: 3
  Uniden CP-2000: 3
  Uniden CP-3000: 3
  Uniden CP-5000: 3
  Uniden CP-900: 3
  USA Corp -A: 1
  USA Corp -B: 4
  Walker WMCD-8000: 3

7. What is Snarfing:

Snarfing is obtaining Electronic Serial Number (ESN) and Mobile Identification Number (MIN) pairs from the air for reprogramming cellular phones.

8. Snarfing:

To begin with you need an NBFM receiver that covers the cellular phone band, and it has to be modified. The modification is to take the output of the discriminator unfiltered and unamplified. It is recommended to fit a wider IF filter, around 20 kHz, for the cellular data; using the original one may give limited success. You will have two wires hanging out of the receiver, one going to the discriminator output and the other going to chassis ground. It is a good idea to fit a small socket (a 2.5mm jack socket). Place a 0.22uF capacitor in series with the discriminator output to stop any stray voltage finding its way back into your scanner. Plugging a telephone earpiece or similar into your newly fitted socket will give a very quiet signal, and neither the volume control nor the squelch will have any effect on it. If you get this far you are doing well, and chances are you have done it right.

The signal from your radio needs converting to TTL levels using a comparator; an LM339 works well here. You then need a VCO with a nominal centre frequency of 8 kHz, phase locked to the incoming data stream; a 4046 PLL does this job. (The 8 kHz figure matches the 8 kbit/s control-channel data rate of the UK TACS system, which the 930 to 950 MHz tuning range given in this section also belongs to; North American AMPS signals at 10 kbit/s, so use a 10 kHz VCO there.) The output of your PLL is your clock signal, one of the two outputs you need to present to your computer for the decoding process.
The other output is generated by exclusive-OR'ing the received data stream with the clock; a 4070 will do this. You should now have both clock and data lines, and these are fed to your computer for decoding. (You also need to connect a ground wire.)

You must first tune your radio to the reverse channel. This is done by tuning around between 930 MHz and 950 MHz until you find the strongest forward channel. (930 to 950 MHz is the UK TACS base-station band; in North American AMPS the forward channels are between 869 and 894 MHz, and the reverse channel is likewise 45 MHz lower.) Once you have found the strongest forward channel, retune your radio to exactly 45 MHz lower. This is the reverse channel, and during busy periods you should hear noises on it that sound a bit like pissed off flies. These are data bursts from cellular phones, sending (among other things) their MIN and ESN to the local cell site.

The decoding goes as follows:

- Read your chosen input port each time the clock goes high or low; the bit value is taken from the XOR'd data line.
- Look for the bit sequence 11100010010. When you receive this flag, immediately capture the next 1207 bits; these are used to get the ESN/MIN pair.
- Beginning at bit 274 take ten bits, convert them to decimal, add 111 to this number, take the three rightmost digits, and store this as 'A'. (This shortcut undoes the standard MIN encoding, in which each group of three digits is sent as 100*D1 + 10*D2 + D3 - 111 with a 0 digit counted as 10. It gives the right answer only when none of the three digits is 0; with a 0 digit the sum carries into the next place, so such groups have to be decoded by peeling off digits in the range 1 to 10 instead. The same applies to 'C' and 'D' below.)
- Beginning at bit 20 take four bits, convert them to decimal, and store this as 'B'. (A value of 10 in this field is the digit 0.)
- Beginning at bit 24 take ten bits, convert them to decimal, add 111 to this number, take the three rightmost digits, and store this as 'C'.
- Beginning at bit 34 take ten bits, convert them to decimal, add 111 to this number, take the three rightmost digits, and store this as 'D'.
- Starting at bit 508 take four bits and convert them to decimal; this is stored as 'E'. It is a two-digit number and may require a leading zero.
- Beginning at bit 512 take six bits and convert them to decimal; this is also a two-digit number and may require a leading zero. Store it as 'F'.
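The whole field extraction, covering the A to F steps above together with the G and H steps that follow, written out as an added example; this is not code from the original file or from dave x's file. It follows the text for the 11-bit flag, the 1207-bit capture, the bit offsets and widths of A through H, the five copies of each word spaced 48 bits apart, and the AAAB-CCCDDD EE/FF/GG/HHHHH display. Two things are assumptions: bits are read most-significant first, and MIN groups are decoded with the standard rule (each three-digit group sent as 100*D1 + 10*D2 + D3 - 111 with 0 counted as 10, the thousands digit 0 sent as 10) rather than the "add 111, keep the rightmost three digits" shortcut, which differs when a digit is 0. The sample burst is constructed, not a real capture, and has one copy of each word damaged to show the majority vote over the five copies doing its job.

```python
"""Decoder for the snarfed control-channel layout described in this section.

Added example, not part of the original file.  Offsets, widths, repeat
structure and display format follow the text; bit order (MSB first) and the
MIN digit rule (100*D1 + 10*D2 + D3 - 111, 0 sent as 10) are assumptions.
All input is constructed.
"""
from collections import Counter

FLAG = "11100010010"        # bit sequence the text says to wait for
BURST_LEN = 1207            # bits captured after the flag
COPIES, STRIDE = 5, 48      # each word is sent 5 times, 48 bits apart

# (name, first bit, width), exactly as listed in the text
FIELDS = [("A", 274, 10), ("B", 20, 4), ("C", 24, 10), ("D", 34, 10),
          ("E", 508, 4), ("F", 512, 6), ("G", 518, 6), ("H", 492, 16)]


def decode_group(value):
    """Undo 100*D1 + 10*D2 + D3 - 111 where each D is 1..10 (10 means 0)."""
    v = value + 111
    d3 = (v - 1) % 10 + 1
    v = (v - d3) // 10
    d2 = (v - 1) % 10 + 1
    d1 = (v - d2) // 10
    return "%d%d%d" % (d1 % 10, d2 % 10, d3 % 10)


def encode_group(digits):
    """Inverse of decode_group; used only to build the constructed sample."""
    d = [10 if c == "0" else int(c) for c in digits]
    return 100 * d[0] + 10 * d[1] + d[2] - 111


def field_copies(burst, start, width):
    """The value each of the five repeats of a word carries for one field."""
    return [int(burst[start + k * STRIDE:start + k * STRIDE + width], 2)
            for k in range(COPIES)]


def decode_burst(burst):
    """burst: the 1207 bits after the flag, as a '0'/'1' string.

    Every field is read from all five copies and the majority value wins,
    which is the "extra four copies as error correction" the text suggests.
    """
    if len(burst) < BURST_LEN:
        raise ValueError("need %d bits, got %d" % (BURST_LEN, len(burst)))
    raw = {name: Counter(field_copies(burst, start, width)).most_common(1)[0][0]
           for name, start, width in FIELDS}
    thousands = raw["B"] % 10                      # 10 encodes the digit 0
    min_str = "%s%d-%s%s" % (decode_group(raw["A"]), thousands,
                             decode_group(raw["C"]), decode_group(raw["D"]))
    esn_str = "%02d/%02d/%02d/%05d" % (raw["E"], raw["F"], raw["G"], raw["H"])
    return {"min": min_str, "esn": esn_str, "gg_is_00": raw["G"] == 0, "raw": raw}


def find_bursts(stream):
    """Scan a recovered bit stream for the flag and yield each burst after it."""
    i = stream.find(FLAG)
    while i != -1:
        body = stream[i + len(FLAG):i + len(FLAG) + BURST_LEN]
        if len(body) < BURST_LEN:
            return
        yield body
        i = stream.find(FLAG, i + len(FLAG) + BURST_LEN)


def build_sample(area, thousands, nxx, last3, e, f, g, h, flip=()):
    """Constructed burst (not a real capture): write every field into all
    five copies, then flip the listed bit positions to imitate reception
    errors."""
    vals = {"A": encode_group(area), "B": 10 if thousands == 0 else thousands,
            "C": encode_group(nxx), "D": encode_group(last3),
            "E": e, "F": f, "G": g, "H": h}
    bits = ["0"] * BURST_LEN
    for name, start, width in FIELDS:
        pattern = format(vals[name], "0%db" % width)
        assert len(pattern) == width, "value too large for field " + name
        for k in range(COPIES):
            bits[start + k * STRIDE:start + k * STRIDE + width] = pattern
    for p in flip:
        bits[p] = "1" if bits[p] == "0" else "0"
    return "".join(bits)


if __name__ == "__main__":
    # one copy of each word damaged; the majority vote still recovers the pair
    sample = build_sample("202", 0, "555", "010", 12, 34, 0, 4660,
                          flip=(22, 25, 275, 509))
    for burst in find_bursts("0110" + FLAG + sample + "01"):
        r = decode_burst(burst)
        print("%s %s  GG check %s" % (r["min"], r["esn"],
                                      "ok" if r["gg_is_00"] else "FAILED"))
```

The sample MIN deliberately contains 0 digits ("202", thousands 0, "010"); with those, the text's rightmost-three-digits shortcut returns the wrong group, while decode_group gets them back. Using only one copy of each word would have produced garbage for the sample's damaged fields, which is the point of voting across all five.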
- Starting at bit 518 take six bits and convert them to decimal; this is also a two-digit number and may require a leading zero. Store it as 'G'.
- Now starting at bit 492 take sixteen bits and convert them to decimal; this is stored as 'H'. It is a five-digit number and may need padding with leading zeros to achieve this. (Bits 492 through 523 together are the 32-bit ESN; the E/F/G/H split is just the display format used here.)

You should now have numbers A through H. GG should read 00; if it doesn't, then you messed up the process somewhere along the way. Finally you print it out like so:

  AAAB-CCCDDD EE/FF/GG/HHHHH = 234#-###### ##/##/00/#####

The remaining bits are for the most part junk, but can be used to verify the information you have just collected. Each piece of information (MIN1, MIN2 and ESN) is sent 5 times in a 240-bit block, so using your razor sharp mind, or a calculator, you will have figured out that each data sub-block is 48 bits long. By adding 48 to the bit numbers above you can do the same decoding process again, and again at the bit number plus 96, and so on, and use the extra four copies as mental error correction. There is a parity field attached to each sub-block for error correction purposes (each 48-bit sub-block is 36 data bits plus 12 parity bits), but this complicates the decoding process somewhat, and would be a bit ugly to write in BASIC.

Bits of information were taken from the file written by dave x.

9. Conclusion:

Thanks for checking out the file. If you feel that this is missing something or you would like to add something to this file, feel free to email me at phantomsignal@mail.com. I will reply within a week's time at least. Thank you Herf for reviewing the document before its release.

10. Shout-Outs:

Dark Fairytale, Choaz, Herf, Nufan, Gideon, Tron (For The Name), Nero, Destruction, Warlord, AntiChrist, Pronostic Havok, Voyweiser, and Tele-Assassyn.

- Phantom Signal

-----------------------------------------------------------------------
-- End of Transmission / Signal Lost --
-----------------------------------------------------------------------