TUCoPS :: Phreaking Cellular - Misc. :: cpp2.txt

Ultimate Cellular Phreaking Manual Part 2

Better a bottle in front of me than a frontal lobotomy.


THE HIGH TECH HOODS
& A-CORP PRESENTS... 

                        *%*%*%*%*%*%*%*%*%*%*%*%*%*%*
                        *%       THE ULTIMATE      %*
                        *% CELLULAR PHONE PHREAKS  %*
                        *%     MANUAL PART 2       %*
                        *%                         %*
                        *%   WRITTEN BY THE RAVEN  %*
                        *%     AND INTROSPECT      %*
                        *%*%*%*%*%*%*%*%*%*%*%*%*%*%*

 
 

                                                      THE RAVEN
                                                      +=======+
       THANKS TO THE FOLLOWING:  PEBBLES, BIT STREAM & THOMAS ICOM
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\//\/\/\/\/\/\/\/\/\/\/\/\

     INDEX:

              I. WHAT'S IN A NAM
             II. NAM/ESN REPROGRAMMING
            III. ADVANCED REPROGRAMMING
             IV. OBTAINING SYS. REGISTRATION DATA
              V. REPROGRAMMING YOUR PHONE
             VI. ------------------------

\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

 I. What's In A NAM

 First thing were going to start with is the NAM. The NAM is a PROM, A blank
NAM costs about $5. Sometimes its more expensive depending on the operating
temperature and packaging specifications.
 Two flavors of NAM's are most commonly used for cellular phones. NEC Corp.
uses the open collector (SIGNETICS p/n 82S23 or equivalent). All others use
the tri-state (SIGNETICS 82S123 or equivalent). Blank NAMs are manufactured by
Signetics, National Semiconductor, Monolithic Memorys, Fujitsu, Texas Instrum
ents, and Advanced Microdevices. Blank NAMs can be purchased at your local
electronic distributor's, thru the various parts sources advertised in 
electronic magazines, and some radios come with a blank included.
 The NAM contains the subscriber number and lock code, the home system ID and
other system-required data. You may wonder how this info is arranged. The NAM
is organized into 32 rows and 8 colums. It is 32 words of 8 bits each.
(256 bits total). Starting  from top of the NAM (address 00), you will find
the abreviation SIDH. This means "System Identifaction Number Home", a number
starting at 0001 assigned by the FCC. Each market allows two systems. These
two digits are even for the wire-line and odd for the non-wireline.
 At address 03, we find LU (Local Use) on the left and MIN on the right, and
they are usually set to 1. Locations with zeros are reserved. Going down the
map, there's MIN1 and MIN2-the subscriber number and the area code respectively
Dont try to read them from a raw printout of the NAM data, as they are 
scrambled beyond recognition. The reason? THe way they are arranged is the way
they must be transmitted to the cellular systems receivers. The programmer
does this to make the radio's job easier.
 Next is the station class mark, which identifies the class and power
capability of the phone. The system will treat a handheld (low power) 
differently than a standard 3-watt mobile.

 IPCH is the Inital Paging Channel. The radio listens for a page on this
channel. Wirelines use 334 and non-wirelines use 333.

 ACCOLC (ACCess Overload Class) is designed for throwing off customers in the
event of an overload. Thru neglect, this standard has been largly unused.
(A Class 15 stationis supposed to be police, fire or military). Usually, It's
a set to 0 plus the last digit of the phone number to provide random loading.

 PS (Preferred System). This is always 1 in a non-wireline and 0 in wireline.

 The Lock Code is about the only thing you can read directly by studying NAM
data. The "spare" bit must be a 0 if the radio contains a 3-digit code.
Because the number of clicks when you dial 0 on a (dial) phone equals 10,
zeros in the lock code are represented by an "A"(the hexadecimal equiv of 10).

 EE, REP, HA and HF correspond to end-to-end signaling (DTMF tones, possibly
as you talk), and REPeratory dialing (provision for 10 or more numbers in
memory).

 Horn Alert and Hands Free. Like all options, they are 1 if turned on and 0 if
turned off (all these numbers are in hex). They are supposed to be used by
radio makers to store option switches. Usually 13 is used, 14 sometimes and 
the rest less often.

 Last, you will find Cheksum Adjustment and Checksum. These numbers are 
calculated automatically after the data has been edited for the NAM. The sum
of all words in the NAM plus these last two must equal a number with 0's in
the last two digits. The radio checks this sum and if it isn't correct the
radio assumes the NAM is bad or tampered with. In the case radio refuses to
operate until a legal NAM is installed.

                        THE ANATOMY OF A NAM
                        --------------------

       MARK Defin.    most <-- BIT Significance --> least Hex
       ------------------------------------------------------
                             0     SIDH (14-8)            00
                                   SIDH (7-0)             01
       LU=Local use LU       000000        MIN            02
                             00    MIN2 (33-28)           03
                                   MIN2 (27-24)  0000     04
                             0000  MIN1 (23-20)           05
                                   MIN1 (19-12)           06
                                   MIN1 (11-4)            07
                                   MIN1 (3-0)    0000     08
                             0000  SCM (3-0)              09
                             00000 IPCH (10-8)            0A
                                   IPCH (7-0)             0B
                             0000  ACCOLC (3-0)           0C
       PS=Perf Syst    0000000     PS                     0D
                       0000    GIM (3-0)                  0E
                       LOCK DIGIT 1    LOCK DIGIT 2       0F
                       LOCK DIGIT 3    LOCK SPARE BITS    10
       EE=End/End            EE    000000 REP             11
       REP=Reprity     HA    000000              HF       12
       HF=Handsfree          Spare Locations (13-1D)      13
       HA=Horn Alt               contain all 0's          1D
                
                             NAM CHECKSUM ADJUST.         1E
                             NAM CHECKSUM                 1F

 II. NAM/ESN REPROGRAMMING

 The first step to using cellular phones is to obtain one. They can be 
purchased new or used. Ham fests are one good source. Many people dump their
cellular phones once they see just how expensive they are to operate. And of
course the perception of being jerked promotes phreaking. 
 First generation E.F. Johnson units are good choice as they are easy to 
modify, use uniquely effective diveristy (dual antenna) receivers, and use the
AMPS control bus, which means that several maker's control heads will work 
with it. Another good choice is Novatel's Aurora/150. It uses a proprietary
parallel bus and control head, but costs less, is rugged, and is also easy to
work on. Also, all Novatel CMTs have built-in diagnostics. This allows you to
manually scan all 666 repeater output freqs-great for scanning!
 All cellular phones have a unique ESN. This is a 4-byte hex or 11 digit 
octal number stored in the ROM soldered on the logic board. Ideally, it's 
supposed to be never changed. Some newer cellulars embed the ESN in a 
VLSI IC (Very Large Scale Integration Integrated Circuit) along with the units
program code. This makes ESN mods very difficult at best. The ESN is also
imprinted on the reciever boiler plate, usually mounted on the outside of the
housing. When converted to octal (11 digits), the first 3 digits represents
the maker while the other 8 identify the unit.
 The other important ROM is the NAM. It contains the MIN (i.e. phone #,
including area code), the lock code, and various model ID and carrier ID
codes.
 The lock code keeps unauthorized parties from using the phone. Some newer
cellulars have no built in NAM and instead use an EEPROM, which allows a
technician who knows the maintenance code to quickly change the NAM data thru
the control head keypad.
 WHen one attempts to make a cellular call, the transceiver first automatically
transmits the ESN and NAM data to the nearest cellsite reapeter by means of
the Overhead Data Stream (ODS). The ODS is a 10 kilobaud data channel that 
links the cellular's computer to the MTSO, which then controls the phone's
entire operation down to the selected channel and output power. If the MTSO
doesn't recognize the received ESN/MIN pair as valid (sometimes due to RF
noise), it issues a repeat order and will not process the call unit until a
valid pair is received.
 In most cities, there are two CPCs or "carries". One is the wireline CPC and
the other is the non-wireline CPC. Both maintain their own MTSO and network
(i.e: cell-site repeaters), and occupy separate halves of the cellular radio
band. Non-wirelines use System A, and wirelines use System B. (the amenities
that are avaible with most landline phone service - call waiting, caller ID,
call-forwarding, 3-way calling,etc., are standard fair for most CPCs. However,
they are usually applied for differently.)
 For the cellular phreaker, the most diffuclt task is obtaining usable ESN/MIN
pairs. Over the years,standard phreaker techniques have been employed for all
types of phreaking to obtain the required info.  These includes trashing,
using inside help,joining the staff,hacking them from known good ESNs and
MINs (i.e: spoofing), con strategis, strong-arming, Bribing, blackmail, etc.
(This is how The High Tech Hoods get them!).
 The hacker knows that most CPCs do not turn off or keep track of unused MIN
numbers. In fact, their general pattern is to start at the low numbers and 
work their way up. WHen a number is cancelled, it is reassigned instead of 
using a larger number.
 The first places to look is the authorized cellular installers and service 
centers in your area (see your Yellow Pages). They have on file a record of
every cellular phone installed or serviced by them, including the ESN/MIN 
pairs. Another place to focus on is the cellular CPC's customer service or
billing department. These offices contain the ESN/MIN pairs often for
thousands of cellular phones,  and hire low-paid people. Some cellular CPCs,
installers and service centers will provide NAM system parameters upon
request, and some will sell you NAM and ESN memory maps and schematics of a
specific cellular phone model. And some will sell you service manuals
(i.e: Motorola) that will describe the often easy method to program their 
cellular phones.
 The good phreak/hacker could interface the cellular phone's ADC circuit to
his PC and hack out all of the valid ESN/MIN pairs he could possibly need.
Since the ESN/MIN pair are transmitted from cellular phones (usually in an
unencrypted form), these pairs can be obtained simply by scanning the cellular
phone channels. Even if they are encrypted, the phreaker only will need to 
reproduce the encrypted pair. In some areas, you can buy the ROMs right off
the street - often by the same dealers who sell drugs and stolen property,
etc. All it takes is a few discreet inquires. However, many get caught
doing this because of police stings.
 Once a valid ESN/MIN is obtained, it must be programed into the cellular 
phone's ROM. Some cellular makers use different devices and memory maps, but
the standard is the AMPS 16-pin 32x8 bit format and some ROMs have proprietary
markings.
 If the part number are different than those given and you can't find them in
your data book, look for the IC maker's logo and call or write them for data
sheets. If the IC's have proprietary markings, by looking at the external
parts that are directly wired to them, one can often determine not only
whether the IC is open-collector or tri-state, but also what the pin assingn-
ments are, and sometimes the type of replacement IC to use.
 The ESN ROM is then carefully desoldered from the logic board (first ground
the soldering tip thru a 1 Meg-ohm resistor). Once, removed the IC can then be
placed on a ROM reader/programmer or NAM programmer (bit editing mode). Any
ROM reader/programmer that will burn a compatible ROM is usable, but a 
dedicated NAM programmer has built-in software that takes out much of the
aggravation. Using a non-NAM ROM reader/programmer, one searches for the memory
locations that has the same number as ESN printed on the boiler plate. This 
number will be immediatly followed by an 8-bit checksum determined by the 8
least significant bits of the hex sum of the ESNs four bytes.
 The old ESN data (now copied into the NAM programmer's RAM) is replaced by the
new ESN and the updated checksum. A new blank and compatible ROM is inserted 
into the ROM burner and burned with the new ESN data. Most cellular phreakers
at this point install a Zero Insertion Force (ZIF) DIP socket into the logic
board for this and any future ROM changes.
 The NAM IC is usually already installed in a ZIF socket on the logic board.
Similarly, its MIN is read by the ROM reader/programmer and a new ROM is
burned with the new MIN and updated MIN checksum.  Altho one may wish to also
update the CPC's system parameters, they can left the same if the same CPC
is desired. To change the CPC'c designation, the last four MIN digits, the
checksum and the exchange (if they use more than one exchange) are changed.
 The more astute cellular phreaker of course can design and build his own NAM
programmer/reader, ideally one interfaced to a PC. A more primitive approach
is to interface two banks of hex thumbwheel switches to the sockets, altho
a computer program would be very helpful to determine the proper switch
settings. Thumbwheel switches allow you to make changes on the fly and they
can be plugged in as needed, so if one is caught red-handed, it is difficult
to prove intent and origin of phone call.

   III. ADVANCED REPROGRAMMING
 
 Your cellular phone contains a special memory which retains data about the 
phone's individual characteristics, such as its assigned phone number, system
identification number, (ID#) and other data that is necessary for cellular
operation. This special memory is known as the NAM. You can program the phone
yourself, if the phone has not already been programmed where you got it. You
can also reprogram the phone yourself should you wish to change some of the 
features already selected for the NAM.
  The reprogramming of the NAM is performed after you have contacted your
cellular system operator for the nessary data as described below. Enter the
data received from your cellular system operator in the NAM Reprogramming
Data Table before reprogramming  the NAM of your cellular phone. Incorrect
NAM entries can cause your cellular phone to operate improperaly or not at
all. Your cellular phone can be reprogrammed up to three times. After that,
it must be reset at a Motorola-authorized service facility.
 Be sure you read this complete text before attempting to reprogram your 
phone!

 1. RE-PROGRAMMING FEATURES

  You must get seven pieces of data from the cellular system operator to 
allow you to reprogram the cellular phone. You provide the remaining data.
Write all of this  programming data on the NAM Reprogramming Data Table
provided in this text before implementing this procedure. Incorrect NAM
entries can cause your cellular phone to operate improperly or not at all.
The required data is:
  * System Identification (SID) Code (S-digits): Indicates youe home system
    Enter 0's into the left-most unsued positions. Provided by the system
    operator.
  
  * Cellular Phone Number (10 digits): Used in the same manner as a standard
    land-line phone. The mobile phone number and the Electric Serial Number
    are checked against each other by the cellular system each time a call
    is placed or recieved. Provided to you by the system operator.

  * Station Class Code (2 digits): This number is 06 or 14 for most personal
    or portable phones. Even though your phone has extended bandwith
    capabi   Overload Class
 5c            *           06                       Ready for step 6
 6a            *           Curr. Group ID Factory set at 00
 6b      New Group ID      XX                        New Group ID
 6c            *           07                       Ready for step 7
 7a            *           Current Sec. Code Factory set at 000000
 7b     New Security Code  XXXXXX     
 7c            *           08                        Ready for step 8
 8a            *                      Current Unlock Code setting at 123
 8b       New Unlock Code   XXX                     New Unlock Code
 8c            *           09                        Ready for step 9
 9a            *                      Current Initial Factory Setting 123
 0334                                               PAGING CHANNEL
 9b       New Initial      XXXXXX                     New Initial
          Paging Channel                            Paging Channel
 9c            *           10                        Ready for step 10
10a            *           Cur. Options             Factory Setting 010100
10b       New Options      XXXXXX                    New Options
10c            *           11                         Ready for step 11
11a            *           Cur. Options              Factory Set. 000
11b       New Option        XXX                       New Options
11c             *          01 or 01 2                Ready for Review
                                                      to program.
 or
Second                      Phone Number

============================================================================
 Now That conclude Part 2, Part 3 will the instructions for NAM reprogramming
for all the phones I listed in part 1. If you have any questions or comments
you can leave me mail on one of the following bbs's that I have listed below.

                                                           THE RAVEN
                                                           +=======+




TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH