Copy Link
Add to Bookmark
Report
NuKE Issue 07-003
================================================================================
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
uK E-
E- "The _COMPLETE_ Cellular Telephone Hackers Guide Nu
Nu PART 1 KE
KE The Cellular Telephone System" -N
-N OCRd By uK
uK The NuKE Crew E-
E- Nu
E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu
NuKE InfoJournal #7
August 1993
[The following five part series consists of information that we scanned in
from the book "The Complete Cellular Telephone Hackers Guide" published by
Dynaspek Inc. of Westmont, Illinois, USA. Reprinted without permission. You
can order this book by sending US$53.95 (incl. S/H) by check or money order
to Dynaspek, P.O. Box 564, Westmont, IL 60559, or call them at +1 708 971 1585
for more information. -NM]
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% NOTICE %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
The information in this manual is intended to be used as an educational guide
for those seeking technical information about Cellular Mobile Telephone (CMT)
operation.
While the information in this manual is meant to serve as a guide to cellular
phone vulnerabilities, keep in mind that it is against the law to modify a
cellular phone for fraudulent use. The law states that no person shall intercept
or receive, or assist in intercepting or receiving, any communications service
offered over a cellular telephone frequency unless specifically authorized to
do so by a local telephone company or as may otherwise be specifically
authorized by law.
Therefore, it is the sole responsibility of the user of this manual to conform
to the rules and regulations of both Federal and State/Provincial government
in the use of the information contained herein. It is the responsibility of the
user of this manual to arrange and pay for, as necessary, and signals used in
testing any of the circuits or information contained herein.
The authors and those that helped research this article accept _no_ liability
or responsibility for the misuse of the information in this manual, or for any
modifications made on any cellular mobile telephone.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Cellular System Operation %
The Cellular Mobile Telephone Systems is a low-powered, full duplex, radio/
telephone which operates between 800 and 900 Mhz, using multiple transceiver
sites linked to a central computer for coordination. The sites, or "cells",
named for their honeycomb shape, cover a range of three to six, or more, miles.
(five to nine kilometres) in each direction. Their range is limited only by
certain natural or man-made objects.
The cells overlap one another and operate at different transmitting and
receiving frequencies in order to eliminate cross-talk when transmitting from
cell to cell. Each cell can accommodate up to 45 different voice channel
transceivers. When a cellular phone is activated, it searches available
channels for the strongest signal and locks on to it. While in motion, if
signal strength begins to fade, the telephone will automatically switch signal
frequencies or cells as necessary without operator assistance. It fails to
find an acceptable signal, it will display an "out of service" or "no service"
message, indicating that it has reached the limit of its range and is unable to
communicate.
% Identification %
Each mobile telephone has a unique identification number which allows the Mobile
Telephone Switching Office (MTSO) to track and coordinate all mobile phones in
its service area. This ID number is known as the Electronic Security Number
(ESN). The ESN and Telephone Number are NOT the same. The ESN is permanent
number engraved into a memory chip called a PROM or EPROM, located in the
telephone chassis.
This number cannot be changed through programming as the telephone number
can, although it can be replaced. Each time the telephone is used, it
transmits its ESN to the MTSO by means of DTMF tones during the dialling
sequence. The MTSO can determine which ESN's are good or bad, thus individual
numbers can be banned from use within the system.
Call Switching
Cell sites switching is done automatically by the MTSO. The MTSO constantly
monitors signal strength data of both the caller and the receiver. To maintain
signal quality, when signal strength begins to fade, the MTSO locates the next
best cell site and re-routes the channels to maintain the communications link.
The switch takes approximately 300 milliseconds and is not noticeable to the
user. All switching is handled by computer, with the control channels telling
each cellular unit when and where to switch.
% The Numeric Assignment Module (NAM) %
A Numeric Assignment Module, or NAM, is a programmable, read-only-memory (PROM).
The NAM holds a limited amount of data, usually only 128 or 256 bits. NAM's
used are typically made by either NEC or Signetics. Common chip numbers are
82S23, 82S123 or equivalent. Other NAM's are manufactured by National
Semiconductors, Fujitsu, Texas Instruments, AMD and others. The NAM is actually
a 32-word by 8 bit PROM which is programmed with a PROM programmer/burner. The
32x8 PROM (256 bits, 32 word by 8 bit) bits are like fuses. A programmer will
trigger certain fuses within the NAM in order to give the phone a unique
identity and certain options.
NAM's are easy to purchase. Only the number of the chip is needed to buy one.
Consulting the latest issue of an IC MASTER is one way to determine what's
inside the chip and who distributes it.
The NAME is used to store the Mobile Identification Number (MIN), Lock Code,
the Home Systems Identification number (SIDH), and various other system
data. From the beginning address of the NAM, 00, you will find the System
Identification Home number (SIDH). Each market allows for two systems. These
two digits are even for the wire-line and odd for the non-wireline.
There are two kinds of NAMs used in cellular telephones:
"TRI-STATE" and "OPEN COLLECTOR" It is _mandatory_ to identify the type of
NAM in your cellular telephone before attempting to replace it. After it has
been identified, any of the electronic supply companies should be able to
supply a replacement. A TRI-STATE NAM can be used in over 95% of the cellular
telephones on the market today containing replaceable NAM's.
*** The NEC cellular series will _only_ accept tri-state NAM's ***
The identify the NAM chip compare the numbers in the READILY AVAILABLE NAME
TYPES table to the various chips on the circuit board for a match. The NAM
chip is usually factory mounted on a ZIF socket.
*** Motorola handheld phones, require special NAM's. Try calling the
cellular phone stores in your area. ***
% READILY AVAILABLE NAME TYPES %
Open Collector Tri-State
NAM Brand Part Number Part Number
AMD AM27LS18 AM27LS19
Fujitsu MB7056 MB7051
Harris HM7602 HM7603
MMI 53/63S080 53/63S081
MMI 53/6330 53/6331
NSC DM54S188 DM54S288
NSC DM82S23 DM82S123
TI TBP38SA030 TBP38S030
TI 74S188 74S288 (the most common)
(try National Semiconductor)
% Programming the NAM %
NAM's are generally mapped the same in all cellular phones. Codes such as
Mobile Id numbers (MIN1, MIN2), Homer System Id (SIDH), Access Overload Class
(ACCOLC), Group Identification Mark (GIM), Electronic Serial Number (ESN), and
options are programmed into the NAM.
% Format Map for NAM %
MOST BIT SIGNIFICANCE LEAST HEX ADDR.
-----------------------------------------------------
0 SIDH(14-8) 00
SIDH(7-0) 01 (8x32 NAM)
LU 0 0 0 0 0 0 MIN 02
A/B RI MIN2(33-28) 03
MIN(27-24) 0 0 0 0 04
0 0 0 0 MIN(23-20) 05
MIN1(19-12) 06
MIN1(11-4) 07
MIN1(3-0) 0 0 0 0 08
0 0 0 0 SCM(3-0) 09
0 0 0 0 0 IPCH(10-8) 0A
IPCH(7-0) 0B
0 0 0 0 ACCOLC(3-0) 0C
0 0 0 0 0 0 0 PS 0D
0 0 0 0 GIM(3-0) 0E
LOCK DIGIT 1 LOCK DIGIT 2 0F
LOCK DIGIT 3 LOCK DIGIT 4 10
EE 0 0 0 0 0 0 REP 11
HA 0 0 0 0 0 0 HF 12
SPARE LOCATIONS CONTAIN ALL ZEROS 13
SPARE 14
SPARE 15
SPARE 16
SPARE 17
SPARE 18
SPARE 19
SPARE 1A
SPARE 1B
SPARE 1C
SPARE 1D
NAM CHECKSUM 1E
NAM CHECKSUM 1F
% Cell Terms for the above abbreviations %
A/B : A switch located on the mobile telephone that allows the user to select
which frequency black (carrier) he or she wishes to use. Some telephones
have an internal switch from one block to the other when service is not
available on the pre-set block.
ACCOLC : Access Overload Class. There is no standard in use within the
United States at this time. This system offers priority depending
on how it is selected in the event of system overload. Typically
set to 0 plus the last digit of the phone number to provide random
loading. Originally, when the Federal government began designing
cellular systems, they intended to give emergency vehicles (such as
police, ambulances, and Fire Departments) codes that would allow them
priority over other subscribers, to communicate during emergencies.
EE : End to End signalling. DTMF signals are sent through the lines to
signal the end of a conversation. A tone code is also used to access
long distance carriers, to signal your answering machine, or to access
your voice mail.
GIM : Group Identification Mark. This is a two-digit number assigned by the
cellular carrier which determines roaming rights throughout the system.
As cellular systems are upgraded, the GIM will be on line real time,
requiring all NAM information, including the Mobile Identification
Number (MIN), to be validated before a subscriber is allowed to call
outside of their home area.
IPCH : Initial Paging Channel. 334 - wireline systems. 333 - non-wirelne
systems.
LOCK DIGIT : This field is a one - four digit code. It locks the cellular
telephone to prevent unauthorized use. The lock code is
programmed into the NAM, and is frequently factory set to
either 1234 or 0004.
LU : Local Use flag. Occasionally used to initialize approval for local calls.
The cellular carrier insures that local users are registered with a
local system. Hackers use the Roaming Technique to avoid this
complication.
HA : Horn Alert. 0 or 1. A 1 in this field tells the cellular phone that
this feature is available.
HF : Hands Free. 0 or 1. A 1 in this field tells the cellular phone that
this feature is enabled.
MIN1 : Mobile Identification Number. The telephone number assigned to
the telephone by the cellular carrier. If the telephone is brought
in, or a new one is purchased, the cellular service assigns this
number for both billing and for receiving calls. 7 or 10 digits in
length.
MIN2: The area code of the cellular phone number.
MIN MARK : Can be 0 or 1. The home station sends extended address data upon
origination and page response.
REP : Repertory dialling. Speed dialling. Some phones are capable of storing
100 numbers.
SCM : Station Class Mark. Identifies the phone as either a hand-held or
transportable/fixed cellular phone. SCM is determined by the transmit
power of the phone (0.8 watts for hand-held, 1.2, 3.0 watts for
transportable/fixed)
SIDH : Home System Id. Code used to identify the Home system where the cellular
telephone is registered. (See the Home System Id Listing Article)
% What About the Electronic Serial Number (ESN) %
An Electronic Serial Number, or ESN, is the unique, 32-bit, eleven-digit
serial number for each cellular telephone sold. The ESN is transmitted each
time a cellular telephone places a call. It is used to verify whether a
cellular telephone is registered with an authorized carrier. A dealer needs
the ESN in order to restore the service on a used phone.
The first three numbers are the manufacturer's decimal code. The fourth and
fifth are reserved, and may contain any digit, zero through nine. The
remaining six numbers are the decimal serial number for each individual
phone.
1 2 3 4 5 6 7 8 9 10 11
Manufacturers Reserved Decimal serial number
ESN code 0-9 of the phone
The decimal serial number can occasionally be found within the documentation
provided with a new cellular phone. In some cases, the ESN is engraved on
the telephone itself, but this is not universal with all manufacturers.
If a cellular telephone has been disconnected for any reason, the ESN must be
provided in order for service to be reestablished with the Carrier. Each
manufacturer assigns their own ESN to every mobile telephone. Therefore, a
single ESN may be duplicated by one or more manufacturers. A hacker may
bypass this system by altering other system information and leaving the
particular telephone's ESN unaltered.
*** CHANGING the ESN is THE ONLY SURE WAY to minimize any risk of getting
caught ***
The ESN is assigned at the factory, and in almost all cases, is the only
element that cannot be altered by use of the programming sequence without
removing it and replacing it with a new chip. The ESN chip is always factory
soldered and occasionally epoxide onto the circuit board to reduce tampering.
A decent hacker will be able to remove it and install a ZIF (Zero Insertion
Force) socket in its place. The ZIF socket makes it easy to replace the ESN
chip at any time. The NAM chip usually factory installed in a ZIF socket.
% How to locate the ESN %
Several methods are available for locating a cellular telephone ESN. These
methods are as follows:
1. The ESN is normally located on a PROM. The ESN is intentionally made to
be unerasable on most cellular phones to prevent the fraudulent use of
the phone. The PROM is programmed and installed at the factory with the
security fuse blown in order to prevent tampering. The ESN code on a PROM
may be read by removing the PROM from the cellular telephone and placing
it in a PROM reader to obtain a memory map of the chip. The ESN PROM is
distinctive because of its size and package. The ESN PROM will have
between sixteen and twenty-eight leads, in a square or rectangular
package. This is a BIPOLAR PROM. Most cellular telephones will accept
the National Semiconductor 32x8 PROM, which cannot be reprogrammed.
If a hacker knew the ESN of a particular cellular telephone, it is
possible to trace the memory map by installing the PROM in a reader and
obtaining a fuse map by use of the READ MASTER switch of the PROM
programmer. Many PROM programmers contain a VERIFY and COMPARE switch
to provide a comparison of one PROM's programming with another.
This may be a complicated task for the first-timer, so it is
recommended that a cellular telephone (bag phones are best) is
purchased strictly for the purpose of dismantling it in order to locate
the ESN. This will probably destroy the telephone, but will provide
valuable experience.
*** Some of the newer hand-held phone manufacturers (Motorola) are changing
to VLSI (very large scale integration) which combine several other chips
with the ESN chip, preventing hackers from programming those ships. Bag
phones are almost an easy hack. ***
2. Hire a "Cellular Consultant." A consultant is someone who works as an
installer and/or programmer, and would be able to show the user where
the ESN is located.
3. Get in touch with a local cellular telephone servicer and simply ask
for their help in identifying the memory chips in the telephone. Most
technicians will help without too much difficulty. (It's called
social engineering)
4. As a last resort, remove each memory chip and place it in a PROM reader.
When one if found that registers a reading, the ESN has been located.
5. Take the phone to a cellular service provider and ask them to provide
the ESN. They are often requested for insurance purposes, and can be
supplied easily enough by use of a Cellular Service Monitor. The monitor
reads the transmissions from the telephone and indicates the specific ESN.
6. The ESN is also normally provided with the original user information, if
available.
7. ESN chips may be identified by some of the following manufacturers'
markings:
AMD, AMPS, DM, HARRIS, HM, MOTOROLA, MB, MMI, NS, NSC, TBP, TI.
*** ESN Readers are also available for personal purchase. See "Buyers Guide"
article for further information on Personal Readers. ***
% Replacing the ESN %
Now that you've located the ESN, how do you replace it? The ESN needs to be
unsoldered in order to remove it. The user should be familiar with soldering
techniques, extra care must be taken not to touch any of the surrounding
connections, solder joints or chips. I do recommend you get a de-soldering
pen, you should get the pen with the suction pump, it will remove the
solder nicely. Chip pullers and de-soldering tools are available from any
electronical semiconductors store, even Radio Shack.
The following steps will aid in ESN removal:
1. Unscrew and remove the entire PC board containing the ESN. This is done
to prevent inadvertent damage to the rest of the unit during the
removing process.
2. Once you have determined which is the correct ESN chip, it is wise to make
a sketch of it to insure that it is replaced in the proper place and
direction. (Don't laugh, just DO IT.)
3. Using extreme caution, unsolder and remove the chip from the board.
4. Solder in a ZIF (Zero Insertion Force) socket to provide for easier removal
and placement of additional chips.
*** WARNING: No retailer, manufacturer or servicer will work on a unit in
which the ESN has been removed. In addition, it is their responsibility
to notify the proper authorities of such tampering. So if you screw up
get a _trustable_ friend to help or trash the unit. ***
5. Once the ZIF socket has been installed, reinsert the ESN and attempt to
place a call. If the call is successfully completed, the ESN has been
properly removed and replaced. If the call does not go through, recheck
the leads on the ZIF socket for proper installation.
6. Insert the ESN in a PROM reader to be sure it gets a reading. Use the
search mode to identify the Manufacturer's Serial Number, in order to
identify the first three addresses of the ESN on the PROM where
reprogramming will be done.
% Programming the ESN %
Insert the ESN in a PROM programmer to be sure it gets a reading. Use the
search mode and "read master" to identify the Manufacturer's Serial Number,
in order to identify the first three addresses of the ESN on the PROM fuse
map where programming the new chip will be done. Record the locations of the
ESN. Use the "edit buffer" command to change one number of the ESN. A new PROM
is then programmed with the PROM programmer. Instructions will come with the
programmers.
The entire PROM reading/emulating/programming process is relatively fast when
a personal computer is available. (Some PROM programmers allow RS-232 interface
with the IBM-PC clone, with the help of a computer program.) This will allow
the use of an EPROM emulator and allow you to program (burn) PROM chips
directly from the computer.
The Installation of the ZIF socket makes it possible to insert an EPROM
emulator into the socket. The hacker will often try a hundred or more ESN codes
before finding a good one. Use of an EPROM Emulator will allow the hacker to
load ESN codes without burning EPROMs until a good code is found and will
save the hacker hundreds of chips with the wrong codes programmed into them.
Use the emulator and the code read from the original chip, re-code a new PROM.
Change the original ESN code by one number. Load the emulator and try making
a phone call. Keep trying this process until a call is completed. The entire
process is often completed in less than one-two hours.
A Programmer for use with a personal computer will allow the hacker to store
codes for easy editing and reprogramming new chips when the Cellular carrier
blocks the particular ESN is use. Use the working ESN code from above to burn
a new PROM and insert into the ZIF.
*** Most smart hackers also change the SIDH and MIN on the NAM in order
to minimize the possibility of being caught. ***
*** Remember Hackers will always be smart about who they are calling and
any traceable calling habits. ***
Some other manufacturer's cellular telephones are privately labelled for
certain companies. However, when reprogramming a cellular telephone, any
valid ESN code will work on any phone. The numbers listed bellow are all
Valid ESN Codes.
% Manufacturer's ESN Codes %
Manufacturer Decimal Hex Code
Alpine Electronics 150 96
AT&T 158 9E
Audiovox-Audiotel 138 8A
Blaupunkt (Bosch) 148 94
Clarion Company 140 8C
Clarion Manufacturing Company 166 A6
CM Communications 153 99
Di-Bar Electronics 145 91
E.D. Johnson 131 83
Emptel Electronics 178 B2
Ericsson 143 8F
Ericsson GE Mobile 157 9D
Fujitsu 133 85
Gateway Telephone 147 93
General Electric 146 92
Goldstar Products 141 8D
Harris 137 89
Hitachi 132 84
Hughes Network Systems 164 A4
Hyundai 160 A0
Japan Radio Co., Ltd. 152 98
Kokusai 139 8B
Mansoor Electronics 167 A7
Mobira 156 9C
Motorola 130 82
Motorola International 168 A8
Mitsubishi 134 86
Murata Machinery 144 90
NEC 135 87
Nokia 165 A5
Novatel 142 8E
OKI 129 81
Panasonic (Matsushita) 136 88
Philips Circuit Assemblies 171 AB
Philips Telecom 170 AA
Qualcomm 159 9F
Samsunq Corp. 179 B0
Sanyo 175 AF
Satellite Technology Services 161 A1
Shintom West 174 AE
Sony Corp. 154 9A
Tama Denki Co. 155 9B
Technophone 162 A2
Uniden Corp. of America 172 AC
Uniden Corp. of Japan 173 AD
Universal Cellular 149 95
Yupiteru Industries 163 A3
================================================================================
