


CELLULAR TELEPHONE PHREAKING PHILE SERIES      VOL 1  by The Mad Phone-man

How would ya like to have a phone that nobody could locate? How about free
phone service on it too? Well, cellular telephones have the potential to do
all this and more. First let's discuss some basics of the service.
Q: What is a cellular phone?
A: An 800 MHz radiotelephone, running 3 watts, with the ability to change
  channel on command from the central switch. This happens when you
travel through the service area and your signal becomes stronger at a neighboring
cell base station (a handoff).
Q: They are marketed as a high security device with no possibility of anyone
making a phony call and charging it to someone else, how can it be phreaked?
A: An understanding of the phone reveals that every time a call is made, the
phone number, an electronic serial number (ESN), and other data are sent to the switch.
If you were to listen to the reverse control channel (the mobile's side) as the call
is being "set up" you would hear this data being transmitted to the switch
as digital words. All one has to do is record this info and
program the bogus phone with these parameters, and a free call is possible through the
switch.
Q: Has anyone done this yet?
A: YES, about 6 months after the first cellular phone system was "turned up"
a technician programmed a Panasonic telephone with a NEC ESN (electronic
serial number); this was reportedly done for a gram of coke. With the popular
ROM programmers available today, almost any NAM (Number Assignment Module)
can be duplicated or copied with changes. (The NAM is the heart of the billing
information and contains the phone number but not the ESN.) The most common
integrated circuit used as a NAM is the Signetics 82S123, a 32x8 bipolar PROM
(see "What's in a NAM" below; the 74LS123 sometimes quoted is a monostable
multivibrator, not a memory).
Q: This sounds like a lot of trouble, are there easier ways to get service?
A: SURE, the cellphone companies have been their own downfall. In an effort to
market their wares as universal service (your phone will work in any system)
they have let the cart get before the horse. Nobody can tell if a phone from
another city (one that has a roaming agreement) is valid till it's too late. The
only thing they can do after finding out is block any call with the bad
ESN, because as we know, the phone number is easy to change but the ESN is
not. So here's a likely plot: a roamer identifying itself as a number from
Chicago non-wireline accesses a cellular system in Dallas. Sometimes an
operator intervenes, but you can bullshit them as long as you know the
information you have programmed into your phone. Then you make calls just
like you are a local user. If you're found out, you remove the number,
change it to another, and see if that works. Usually it will require the
radio's ESN chip to be changed, but that's a lot easier if you have a ZIF
(zero insertion force) socket installed, which is what I use.

    Upcoming soon, more good info on particular manufacturers' ESN codes,
  cracking the Motorola switch, shortcomings of the Ericsson AXE-10 switch.

             >>> The Mad Phone-man <<<



CELLULAR TELEPHONE PHREAKING PHILE        VOL 2 by "The Mad Phone-man"

Some terms you should understand:

Control Channel- The channel the phone and cell base first communicate on.
Reverse Control Ch- The opposite frequency, 45 MHz lower than the control
                    channel. This is the side the mobile unit transmits on.
Voice channel- The channel you are assigned by the switch to commence the
                    call on after the exchange of subscriber data.
Reverse voice channel- Again 45 MHz lower.
Cell Site- The base station that talks to the mobile.
Switch- The computer that places the calls, and sends and receives data
        to and from the subscriber or from the PSTN (public switched telephone network).
OK, that should get things started. A subscriber picks up his handset to
place a call.

 The phone has already been locked onto the strongest control channel in the
area by a computerized scanner in the phone. As he drives through the service area
the computer constantly picks out the strongest control channel and stays on it,
although more than one cell site can actually be heard. The subscriber enters the
number to call on the keypad and presses the "send" button. At this time the
following data is transmitted to the cell site by the mobile: the caller's
electronic serial number (ESN), his home system number (two digits), his
mobile's area code and phone number, and the number he wants. The cellular
switch now picks up an outgoing line, places the call for him and tells
the mobile to switch to a voice channel. The two ends are linked in the
central switch and voila! A complete phone call, in about 3 seconds.

I have purposely over-simplified the whole process to point out the
moment of truth. The mobile's ESN and phone number and the data in the
switch must match or no go. This is how the billing is figured out. If
one had the ESN and the mobile phone number, you could call anytime,
anyplace, without fear of trace, let alone bill. The ideal setup would
let you listen to the reverse control channel, record and display heard
working numbers and ESNs, and recall them at your discretion to make calls.
This would be tits! We're not quite there yet. But some hard work has
already been done for us. All the aforementioned codes are sent as binary
words (conveniently written in hex) on the control channel, which carries
10 kbit/s Manchester-coded binary FSK (that is a line code plus frequency
shift keying; it is not NRZ and not phase shift keying). The phone
already has the matching data receiver and transmitter built right in.
All that has to be done is to have a receiver on the reverse control
channel, recover the other subscriber's data and save it, or at least print
it out. The mobile radio data books show some good technical stuff on
the systems used and chip part numbers for the signaling chips. I know there
is a manufacturer using the lowly 8085 chip for the control head functions;
seems like there's room for experimenting here.

               More to come!...     "The Mad Phone-man"



CELLULAR TELEPHONE PHREAKING PHILE         VOL 3 by "The Mad Phone-man"

Now that you have become familiar with the technology of cellular phones
it's time to discuss what you can do with a phone right now.
Not every system pays attention to a "roamer" from outside the system as
closely as they do a local subscriber. In their mad rush to offer cellular as
"universal" service, meaning you can place a call in any cellular city any-
where in North America, they fucked up.
OK, here's the poop... I access, say, Cleveland Ohio Cellular 1's Ericsson switch
and tell them by my "NAM" info that I'm a roamer from NYNEX in New York City.
Cleveland will let me make the call, because it bills back to NYC my number
of minutes used. If the NYC number is bogus, the call goes through, and the bill
doesn't go anywhere. They do know the exchange data for NYC, that's on a chart,
so you can't tell them you're 555-1212 or such; you must tell them you're a valid roamer
and the system number (two digits) must match NYC's. This is not too hard to
figure out (call some of their stupid sales idiots some time and see what
they will let out of the bag)... so now let's see what else you should know.

OK, the system numbers for the foreign exchanges: NYNEX in Buffalo is 56,
Chicago non-wireline is 01, Buffalo non-wireline is 03. All wirelines are even
numbers, all non-wirelines are odd.

OK, first three digits of the mobile number: NYNEX Buffalo 863-xxxx;
   Buffalo non-wire 861-xxxx, 690-xxxx.

I am sure it won't take much to figure out the local numbers for your area;
like I said, the sales people are fucks and will tell you anything to
make a sale.


Until the companies get a cellular clearinghouse to validate roamers in real
time this will work out fine. The prospects of such a clearinghouse are
good after the companies get done with their bitching at each other.
But it may be a while before it becomes routine to look up a roamer. There are
simply too many to look up every time service is wanted.

So, steal a cellphone and its antenna, re-NAM it as a roamer and when you get
it set up, make copies of the info with different subscriber numbers (the
last 4 digits) and make free calls till whenever.


                  More to come.... "The NOVATEL series phones"

                           Uncracking the maintenance code

                     This is probably the best radio to use to shut down
                     a cell site completely; it has secret codes in the control
                     head that allow you to bypass conventional switching
                     protocols.







WHATS IN A NAM                by The Mad Phone-man
---------------------------------------------------------
NAM stands for "Number Assignment Module" or, to the techies, a PROM
(Programmable Read-Only Memory). A blank NAM usually costs between $1 and
$2.75. Sometimes it's more expensive depending on the operating temperature
and packaging specifications.
 Two flavors of NAMs are used for cellular. NEC uses the open collector
type (Signetics p/n 82S32 or equivalent). All others use the tri-state type (Signetics
82S123 or equivalent). Blank NAMs are manufactured by Signetics, National
Semiconductor, Monolithic Memories, Fujitsu, Texas Instruments, and Advanced
Micro Devices. Blank NAMs can be purchased at your electronic distributor's,
and many radios come with a blank included.

The NAM contains the subscriber number and lock code, the home system
identification and other system required information. You may wonder how this
info is arranged.
The NAM is organized into 32 rows and 8 columns. It is 32 words of 8 bits
each (256 bits total). Starting from the top of the NAM (address 00)
you will find the abbreviation SIDH. This means "system identification number,
home", a number starting at 0001 assigned by the FCC.
Each market allows two systems: even for the wireline and odd for
the non-wireline.
 At address 02 we find LU (local use) on the left and MIN on the right; these
are usually set to 1. Locations with zeros are reserved. Going down the map,
there are MIN1 and MIN2, the subscriber number and the area code respectively.
Don't try to read them from a raw printout of the NAM data, they are scrambled
beyond recognition. The reason? The way they are arranged is the way they must
be transmitted to the cellular system's receivers. The programmer does this to
make the radio's job easier.
 Next is the station class mark (SCM), which identifies the class and power capability
of the phone. The system will treat a handheld (low power) differently than
a standard 3 watt mobile.
 IPCH is the initial paging channel. The radio listens for a page on this
channel. Wirelines use 334 and non-wirelines use 333.
 ACCOLC (ACCess Overload Class) is designed for shedding customers in
the event of an overload. Through neglect this standard has been largely unused.
(A class 15 station is supposed to be police, fire, or military.)
Usually it's set to 0 plus the last digit of the phone number to provide random
loading.
  PS- Prefered system. This is always 1 in non-wireline and 0 in wireline.

  The lock code is about the only thing you can read directly by studying
the NAM data. The "spare" bit must be a 0 if the radio contains a 3 digit code.
Because the number of clicks when you dial 0 on a (dial) phone equals 10,
zeros in the lock code are represented by an "A", the hexadecimal equivalent of 10.
 EE, REP, HA, and HF correspond to end-to-end signaling (DTMF tones can be sent
while you talk), REPertory dialing (provision for 10 or more numbers in memory),
 horn alert and hands free. Like all options, they are 1 if turned on and
0 if turned off.
 Addresses 13 thru 1D (all these numbers are in hex) are supposed to be used
by radio manufacturers to store option switches. Usually 13 is used, 14 sometimes and
 the rest less often.
 Last you will find the checksum adjustment and checksum. These numbers are
calculated automatically after the data has been edited for the NAM. The sum
of all 32 words in the NAM, including these last two, must end in 00 hex, that is,
the sum modulo 256 must be zero. The radio checks this sum and if it isn't correct
the radio assumes the NAM is bad or tampered with. In that case the radio
refuses to operate until a legal NAM is installed.


 MARK            most        BIT SIGNIFICANCE       least        Hex
DEFINITION                                                      address
----------------------------------------------------------------------------
             |    0         SIDH (14-8)                   |       00
----------------------------------------------------------------------------
             |              SIDH (7-0)                    |       01
----------------------------------------------------------------------------
LU=Local use |   LU  |    0  0  0  0  0  0          | MIN |       02
----------------------------------------------------------------------------
             | 0   0          MIN2 (33-28)                |       03
----------------------------------------------------------------------------
             |   MIN2 (27-24)        |     0  0  0  0     |       04
----------------------------------------------------------------------------
             |  0  0  0  0      |     MIN1 (23-20)        |       05
----------------------------------------------------------------------------
             |                MIN1  (19-12)               |       06
----------------------------------------------------------------------------
             |                MIN1  (11-4)                |       07
----------------------------------------------------------------------------
             |        MIN1 (3-0)  |   0   0   0   0       |       08
----------------------------------------------------------------------------
             |     0   0   0   0    |     SCM (3-0)       |       09
----------------------------------------------------------------------------
             |     0   0   0   0   0   |   IPCH  (10-8)   |       0A
----------------------------------------------------------------------------
             |          IPCH   (7-0)                      |       0B
----------------------------------------------------------------------------
             |     0   0   0  0    |   ACCOLC  (3-0)      |       0C
----------------------------------------------------------------------------
PS=Pref Syst |     0   0   0   0   0   0   0   |   PS     |       0D
----------------------------------------------------------------------------
             |    0   0   0   0   |     GIM (3-0)         |       0E
----------------------------------------------------------------------------
             |   LOCK DIGIT 1       |   LOCK DIGIT 2      |       0F
----------------------------------------------------------------------------
             |   LOCK DIGIT 3       |   LOCK SPARE BITS   |       10
----------------------------------------------------------------------------
EE=End/End   |   EE  |   0    0    0    0    0    0 | REP |       11
----------------------------------------------------------------------------
REP=Rep.dial |   HA  |   0    0    0    0    0    0 | HF  |       12
----------------------------------------------------------------------------
HF=Handsfree |                                            |
HA=Horn Alt  |         Spare Locations (13-1D)            |
             |         contain all 0's                    |       13
             |                                            |       to
             |                                            |       1D
----------------------------------------------------------------------------
             |         NAM CHECKSUM ADJUSTMENT            |       1E
----------------------------------------------------------------------------
             |            NAM CHECKSUM                    |       1F
----------------------------------------------------------------------------
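The following encoder/decoder for the NAM map above is an added example, not
code from the original phile. It packs the fields into the 32-word image at the
addresses the table gives, applies the standard AMPS MIN1/MIN2 digit rule (each
three-digit group becomes 100*d1 + 10*d2 + d3 - 111 with a 0 digit counted as
10, and the fourth digit is stored alone with 0 as 10; the text says only that
the digits are "scrambled"), stores lock-code zeros as hex A, and enforces the
checksum rule (8-bit sum of all 32 words wraps to 00). Assumptions: the
checksum adjustment word is left at 0 and the checksum word absorbs the
remainder, and the sample subscriber (SID 03, 716 861-5309, lock code 120) is
made up for illustration.

```python
# Added example (not from the original phile): pack the NAM fields into the
# 32-word image of the table above and parse it back.  The MIN1/MIN2 digit
# rule is the standard AMPS one (not spelled out in the text); the sample
# subscriber and the checksum-adjustment handling are assumptions, see below.

def _enc3(digits):
    """Three digits -> 10 bits: 100*d1 + 10*d2 + d3 - 111, a '0' digit counting as 10."""
    d = [10 if c == "0" else int(c) for c in digits]
    return 100 * d[0] + 10 * d[1] + d[2] - 111

def _dec3(value):
    """Inverse of _enc3; a remainder of 0 at each step means the digit was 10, i.e. '0'."""
    e, out = value + 111, []
    for _ in range(3):
        d = e % 10 or 10
        out.append("0" if d == 10 else str(d))
        e = (e - d) // 10
    return "".join(reversed(out))

def _enc1(c):
    return 10 if c == "0" else int(c)

def _dec1(v):
    return "0" if v == 10 else str(v)

def encode_min(area, number):
    """MIN2 (10 bits) from the 3-digit area code, MIN1 (24 bits) from the 7-digit number."""
    min2 = _enc3(area)
    min1 = (_enc3(number[:3]) << 14) | (_enc1(number[3]) << 10) | _enc3(number[4:])
    return min1, min2

def decode_min(min1, min2):
    number = _dec3(min1 >> 14) + _dec1((min1 >> 10) & 0xF) + _dec3(min1 & 0x3FF)
    return _dec3(min2), number

def build_nam(sidh, area, number, scm, ipch, accolc, ps, gim, lock,
              lu=1, min_mark=1, ee=1, rep=1, ha=0, hf=0):
    """Return the 32-byte NAM image; addresses follow the map above."""
    min1, min2 = encode_min(area, number)
    lk = [0xA if c == "0" else int(c) for c in lock]   # a 0 in the lock code is stored as hex A
    nam = [0] * 32
    nam[0x00] = (sidh >> 8) & 0x7F                     # bit 7 is 0, then SIDH(14-8)
    nam[0x01] = sidh & 0xFF                            # SIDH(7-0)
    nam[0x02] = (lu << 7) | min_mark                   # LU ...... MIN
    nam[0x03] = (min2 >> 4) & 0x3F                     # MIN2(33-28)
    nam[0x04] = (min2 & 0xF) << 4                      # MIN2(27-24), low nibble 0
    nam[0x05] = (min1 >> 20) & 0xF                     # MIN1(23-20)
    nam[0x06] = (min1 >> 12) & 0xFF                    # MIN1(19-12)
    nam[0x07] = (min1 >> 4) & 0xFF                     # MIN1(11-4)
    nam[0x08] = (min1 & 0xF) << 4                      # MIN1(3-0), low nibble 0
    nam[0x09] = scm & 0xF
    nam[0x0A] = (ipch >> 8) & 0x7                      # IPCH(10-8)
    nam[0x0B] = ipch & 0xFF                            # IPCH(7-0)
    nam[0x0C] = accolc & 0xF
    nam[0x0D] = ps & 1
    nam[0x0E] = gim & 0xF
    nam[0x0F] = (lk[0] << 4) | lk[1]                   # lock digits 1 and 2
    nam[0x10] = lk[2] << 4                             # lock digit 3, spare nibble 0 (3-digit code)
    nam[0x11] = (ee << 7) | rep
    nam[0x12] = (ha << 7) | hf
    # 13-1D stay 0.  Checksum rule: the 8-bit sum of all 32 words must wrap to 00.
    # Assumption: leave the adjustment word (1E) at 0 and let 1F absorb the remainder.
    nam[0x1E] = 0
    nam[0x1F] = (-sum(nam[:0x1F])) & 0xFF
    return bytes(nam)

def checksum_ok(nam):
    """The radio's acceptance test: 32 words whose sum ends in 00 hex."""
    return len(nam) == 32 and sum(nam) % 256 == 0

def parse_nam(nam):
    """Decode a NAM image; refuses one that fails the checksum, as the radio does."""
    if not checksum_ok(nam):
        raise ValueError("bad NAM checksum: the radio would treat this NAM as tampered")
    sidh = ((nam[0] & 0x7F) << 8) | nam[1]
    min2 = ((nam[3] & 0x3F) << 4) | (nam[4] >> 4)
    min1 = ((nam[5] & 0xF) << 20) | (nam[6] << 12) | (nam[7] << 4) | (nam[8] >> 4)
    area, number = decode_min(min1, min2)
    lock = [nam[0xF] >> 4, nam[0xF] & 0xF, nam[0x10] >> 4]
    return {
        "sidh": sidh, "wireline": sidh % 2 == 0,      # even SID = wireline, odd = non-wireline
        "area": area, "number": number,
        "scm": nam[9] & 0xF, "ipch": ((nam[0xA] & 0x7) << 8) | nam[0xB],
        "accolc": nam[0xC] & 0xF, "ps": nam[0xD] & 1, "gim": nam[0xE] & 0xF,
        "lock": "".join("0" if d == 0xA else str(d) for d in lock),
        "ee": nam[0x11] >> 7, "rep": nam[0x11] & 1, "ha": nam[0x12] >> 7, "hf": nam[0x12] & 1,
    }

# Constructed sample (assumption): Buffalo non-wireline is SID 03 per the text and
# 861 is one of its prefixes; IPCH 333 and PS=1 are the non-wireline values; ACCOLC
# is 0 plus the last digit of the number.  The number itself is made up.
SAMPLE = build_nam(sidh=3, area="716", number="8615309", scm=0, ipch=333,
                   accolc=9, ps=1, gim=0, lock="120")

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(parse_nam(SAMPLE))
```

Flipping a single bit anywhere in the image makes checksum_ok() fail, which is
exactly the tamper check the text describes; the lock code is the only field
that reads straight off the hex dump, while the MIN bytes have to go through
decode_min() before they look like a phone number.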





This page was created Wed Aug 11 23:16:19 EDT 1999


Copyright (C) 1999 - Matarese.com