Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Phreaking Cellular - Misc. :: dna4.txt

The DNA Box - Hacking cellular phones #4

                   Ŀ                           Ŀ                  3-FEB-89
                    Ķ      THE DNA BOX        
                 Ķ Hacking Cellular Phones Ŀ
                    ' ` ' ` ' ` ' ` ' ` ' ` '    
                         P A R T    F O U R                              
           T H E   N U M B E R   O F   T H E   B E A S T                 

Preliminary technical info about the AMPS (Advanced Mobile Phone System).

Cell Control Sites (Towers) are connected to the Mobile Telephone Switching
Office (MTSO) by a pair of 9600 baud data lines, one of which is a backup.
The MTSO routes calls, controls and coordinates the cell sites (especially
during handoffs as a mobile phone moves from one cell to another while a
call is in progress), and connects to a Central Office (CO) of the local
telephone company via voice lines.
There is some indication that an MTSO may be re-programmed and otherwise
hacked via standard phone lines using a personal computer/modem.

 There is a PROM chip in every cellular phone that holds the phone number (MIN)
 assigned to it. This is the "Numerical Assignment Module" or NAM. Schematics
 and block diagrams occasionally call this the "ID PROM". The NAM also
 holds the serial number (ESN) of the cellular phone, and  the system ID (SID)
 of the mobile phone's home system. 
 By encoding new PROM chips (or re-programming EPROM chips) and swapping them
 with the originals, a cellular phone can be made to take on a new identity.
 It is possible to make a circuit board with a bank of PROMs that
 plugs into the NAM socket, and allows quick switching between several
 phone ID's. It's even feasible to emulate the behavior of a PROM with
 dual-port RAM chips, which can be instantly updated by a laptop computer.
 A photograph of a "BYTEK S1-KX NAM Multiprogrammer" suggests that this
 "sophisticated piece of equipment" is merely a relabled generic PROM burner.

 The published explanations of how to compute this number all contain 
 deliberate errors, probably for the purpose of thwarting phreaks and people
 attempting to change the serial numbers and ID codes of stolen phones.
 Even the arithmetic is wrong in some published examples!
 Until the FCC/IEEE spec is available (a trip is planned to a university
 engineering library) the following is almost certainly the way that MIN is
 computed, taking into consideration how such codings are done elsewhere,
 comparing notes and tables from a variety of sources, and using common sense.

 A BASIC program (MIN.BAS) that computes MINs from phone numbers is being
 distributed with this file.

There are two parts to the 34-bit MIN.
They are derived from a cellular phone number as follows:

MIN2 - a ten bit number representing the area code.

Look up the three digits of area code in the following table:

Phone Digit: 1 2 3 4 5 6 7 8 9 0
Coded Digit: 0 1 2 3 4 5 6 7 8 9

(Or just add 9 to a digit and use the right digit of the result)

Then convert that number to a 10-digit binary number:
For example, for the (213) area code, MIN2 would be 102,
which expressed as a 10-digit binary number would be 0001100110.

   Area Code = 213         (get Area Code)
               102         (add 9 to each digit modulo 10, or use table)
        MIN2 = 0001100110  (convert to binary)
MIN1 - a 24 bit number representing the 7-digit phone number.

The first ten bits of MIN1 are computed the same way as MIN2, only
the next 3 digits of the phone number are used. 
The middle four bits of MIN1 are simply the fourth digit of the phone number
expressed in binary (Remember; a "0" becomes a "10").
The last next ten bits of MIN1 are encoded using the final three digits of
the phone number in the same way.

So, MIN1 for 376-0111 would be:

(get Phone Number)                      376   0  111
(modify digits where appropriate)       265 (10) 000
(convert each part to a binary number)  0100001001 1010 0000000000

Thus the complete 34-bit Mobile Identification Number for (213)376-0111 is:

                  376     0     111       213
                ________  __  ________  ________
               /        \/  \/        \/        \
       MIN  =  0100001001101000000000000001100110
                         MIN1             MIN2


The serial number for each phone is encoded as a 32 bit binary number.

Available evidence suggests that the ESN is an 8-digit hexadecimal
number, which is encoded directly to binary:

 Serial Number  =   821A056F
        Digits  =   8    2    1    A    0    5    6    F
           ESN  =   0001 0001 0001 1010 0000 0101 0110 1111

Here is a table for converting Hexadecimal to Binary:

  Hex Binary   Hex Binary   Hex Binary   Hex Binary
  --- ------   --- ------   --- ------   --- ------
   0   0000     4   0100     8   1000     C   1100
   1   0001     5   0101     9   1001     D   1101
   2   0010     6   0110     A   1010     E   1110
   3   0011     7   0111     B   1011     F   1111

A 15 bit binary number representing a mobile phone's home cellular system.


---------------------CELLULAR PHONE FREQUENCIES-----------------------------
Here, again, are the frequency range assignments for Cellular Telephones:

Repeater Input  (Phone transmissions) 825.030 - 844.980 Megahertz
Repeater Output (Tower transmissions) 870.030 - 889.980 Megahertz

There are 666 Channels. Phones transmit 45 MHz below the corresponding
Tower channel. The channels are spaced every 30 KHz.

These channels are divided into "Nonwireline" (A) and "Wireline" (B) services.

Nonwireline (A) service uses the 825-835/870-880 frequencies (channels 1-333)
Wireline (B) service uses the 835-845/880-890 frequencies (channels 334-666)

A channel is either dedicated to control signals, or to voice signals.
Digital message streams are sent on both types of channels, however.

There are 21 control channels for each service.

Non-Wireline (A) control channels are located in the frequency ranges
834.39 - 834.99 and 879.39 - 879.99 (channels 312 - 333 )

Wireline (B) control channels are located in the frequency  ranges 
835.02 - 835.62 and 880.02 - 880.62 (channels 334 - 355)

The new 998 channel systems use 332 additional channels in the ranges
821-825/866-870 and 845-851/890-896.

Cell Control Sites (Towers) are connected to an MTSO (Mobile Telephone
Switching Office) which connects the cellular system to a Central Office (CO)
of a conventional telephone system.

Each Cell Control Site uses a maximum of 16 channels, up to 4 of which
may be control channels. There will always be at least 1 control channel
available in each cell. Cellular Towers are easily identified by the
flat triangular platforms at the top of the mast, with short vertical
antennas at each corner of the platform.

Most UHF Televisions and cable-ready VCR's are capable of monitoring
Cellular Phone channels. Try tuning between UHF TV channels 72 - 76 for
mobile phones, and between UHF TV channels 79 - 83 for towers.

A mobile phone must be able to recognize and retransmit any of the
three audio frequencies used as SAT's.

These tones (and their binary codes) are:
    (00)  5970 Hz
    (01)  6000 Hz
    (10)  6030 Hz

The SAT is used during signaling, but not during data transmission.
The binary codes are sent during data transmission to control which of the
SAT tones a mobile phone will be using. 
Each cell site (or tower) uses only one of the three SATs. The mobile
transmitter returns that same SAT to the tower.
Tone recognition must take place within 250 milliseconds.

A 10 KHz tone is used for signaling by mobile phones during alert, handoff,
certain service requests, and diconnect.

Cellular Phones use a data rate of 10 Kilobits per second, and must be
accurate to within one bit per second.
Frequency Modulation (FM) is used for both voice and data transmissions.
Digital data is transmitted as an 8KHz frequency shift of the carrier.
A binary one is transmited as a +8KHz shift and a binary zero as a -8KHz
shift. NRZ (Non-Return to Zero) coding is used, which means that the carrier
is not shifted back to it's center frequency between transmitted binary bits.

 The DNA BOX - Striking at the Nucleus of Corporate Communications.      
 A current project of...                                                 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH