Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Phreaking Cellular - Misc. :: emulat.txt

Cellular Telephone ESN Emulation - as a legitimate business!


The term "Emulation" is used to describe the process of making two, or
more, phones look alike to the cellular system.  A basic understanding of
the terms NAM and ESN is required before proceeding.

NAM or "Number Allocation Module" is the term used to describe a cellular
telephone's dealer programmable system parameters.  These parameters
include the users telephone number and other settings required to identify
the phone to the cellular system.  Older phones use an PROM chip that has
to be programed or "burnt" using an PROM programmer.  On all newer phones
the NAM information can be re-programed at will from the handset be anyone
possessing the relevant programing instructions, and in some cases a
programming or "password" adaptor.

ESN or "Electronic Serial Number" is the term used to describe a cellular
telephones "un-alterable" fingerprint and is programed into the phone by
the manufacturer.  The ESN is commonly expressed as an eleven digit decimal,
or eight digit hex number.  The decimal format includes a three digit
manufacturers identification and an eight digit unique serial number, the
hex format includes a two digit manufacturers identification and a six digit
unique serial number.

When combined the NAM and ESN provide the cellular carriers a way of
identifying the phone and determining whether to allow the phone to place a
call.  Whenever the phone is used it transmits this information to the 
cellular switch where it is compared to a data base of current subscribers.  
If the system recognizes the phone as being an out of area, or "roaming", 
subscriber a check is made with the home system.  This check is either made 
during the first call, or more commonly these days before the first call 
is completed.


In the past it was often possible for hackers to change the ESN and NAM 
information and make one call before the system locked the unit out.  
The NAM and ESN information would be changed and another call could be 
completed.  This is known as ESN "Tumbling" and over the last few years 
the Cellular Carriers have lost millions of dollars to this scam.  It 
has been estimated that at the height of tumbling in New York City up to 
30% of calls placed were fraudulent.

To change the ESN the hacker would generally remove the phone's ESN chip
and install a socket to take an easily reprogramable EPROM chip, the ESN
could then be reprogramed at will.  More recently people have reverse
engineered certain manufacturer's software to allow simple reprograming
using a lap top computer connected to the phone's data port.

The Cellular industry has reacted to this in various ways.  Initially the
simple way to prevent tumbling was to ban all roaming customers from direct
dialing, legitimate callers had to pre-register using a credit card to
guarantee payment.  Newer advanced software allows pre-screening of
callers information and has now all but eliminated tumbling.  In most
service areas the ESN and NAM information is checked on power up or as soon 
as the SEND button is pressed, prior to allowing the completion of the call.

The Cellular hackers have now turned to other ways of making fraudulent
calls.  The most common of these is to obtain a legitimate subscriber's
telephone number and ESN and re-program a phone with this information,
therefore making an exact clone able to make (and receive) phone calls.
This method allows anything from a few days to a full month of "free"
calls, and can go on indefinitely if the cloned number is a corporate
account as executive's phone bills are rarely questioned.


The above illegal cloning of subscriber's cellular telephones and the
reverse engineering of manufacturer's software has been adapted by a number
of legitimate companies.  It is now possible to have more than one phone
per cellular telephone number.  Several companies are now offering legal
cloning or emulation where for a fee of around $200-$300 they will program
your second phone with the ESN of your currently active phone.

To avoid fraud these companies often ask for a copy of a current cellular
telephone bill showing the mobile number and subscribers name.  This is
then compared with picture ID to insure that the customer is a legitimate
bill paying subscriber.

Once a phone has been emulated the following should be noted:

1.  If an attempt is made to use both phones at the same time and in the 
same system one of the following will occur:

OUTGOING CALLS - First call will complete as normal, second phone will 
get a fast busy, system deny recording, or call will drop.

INCOMING CALLS - Both phones may ring and call can be answered but might
immediately drop.  Strongest signal may ring and call can be answered.
Neither phone will ring.

2.  If one phone is in the home market and one is roaming both phones
should work and it should be possible to call your own number.  This
depends on the roaming agreement between the two systems.  In systems with
"Automatic Roaming" or "Super Access" agreements it may be necessary to
turn off the auto call forwarding to avoid problems, dial * O F F SEND in
many locations.

3.  If both phones are roaming in DIFFERENT systems do NOT attempt to have
both phones turned on at the same time as your home system will probably 
generate a roam fraud message and CUT THE PHONE OFF!

4.  If the secondary (cloned) phone is stolen call the carrier and have
the mobile number changed, re-program the primary phone with the new
number.  Do not report the phone stolen as the ESN will be locked out and
neither phone will work.  If you know the secondary phone's ORIGINAL ESN
report this as stolen and tell the carrier that the phone was not active.

Nine times out of ten if the thief tries to activate the phone the hardware
serial number (assumed to be the correct ESN) will be checked on the deny
list and service will be denied.  If the original ESN has not been reported
stolen and the phone is activated using the hardware serial number the
phone won't work as the ESN is incorrect!

If the "correct" emulated ESN is read from the phone service will probably
be denied if the thief tries to activate the phone on the same home system
as the primary phone.  This is because many systems do not allow two
numbers on one ESN.  The thief could activate service on an alternate

You could prevent the emulated phone from working by having the ESN in the
primary phone emulated to another phone, you can then report the phone's
ESN as stolen.  This is not recommended as using a phone with a stolen ESN
would cause problems if you ever need to use the original ESN.  Remember
that legitimate emulation does not remove the original ESN, it simply adds
some code to make the phone appear to have a different ESN.

5.  If the primary phone is stolen you can report the theft, then have the
secondary phone's ESN changed back to it's original or re programed to
match another phone.  This will usually be done for a nominal charge.

As of April 1993 California Grapevine Communications offers ESN emulation for
the following phones (call for latest list):

AUDIOVOX:       - 832, 832A, 1000, 4200A
          BC    - 40, 45, 55, 55A, 65A, 410.
          CMT   - 300A, 400, 405, 410A, 420, 450, 550, 600, 605, 750, 1700.
          CTR   - 420A, 1900, 2000,
          CTX   - 1500, 2500, 3100A, 3200A, 4000, 4100A
          PRT   - 200
          SP    - 85, 85A, 95,
          TRANS - 420

NEC:      3700, 3800, 4000
          M3800, M4500, M4600, M4700, M4800
          P200, P300, P301
          P9000, P9100

NOVATEL:  8300, 8301, 8305, 8305A, 8320, 8320A

PANASONIC: EB2500, EB2501 (TP500, 501)






The price for Emulation is $199.00 (mention this software) plus shipping.
Proof of ID, valid Cellular account and social security number are required.
Please call or write for further information.  

TEL: (714)643-8426  FAX: (714)643-8379


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH