CELLULAR PHONE BIOPSY
---------------------
By: Kingpin/RDT

Cellular phones have been a popular topic discussed by the media and the underground for the past couple of months. With the rumors about cellular phones causing cancer, cellular scanning laws, the large flow of articles describing cell phones, and the recent news clips on cellular fraud, people of all kinds have become interested in and aware of cellular technology. Many articles have been written on the technical aspect of cellular phones, but there is a lot of information dealing with the cellular phone itself which is not usually shared publicly with the entire community. As stated in the first issue of Wired Magazine, cellular phones have many hidden functions and abilities which the normal user does not know about. Since owning my cellular phones, I have been constantly experimenting to uncover unknown functions.

Like many people, I feel that obtaining free phone calls is not the only reason to reprogram and reconfigure a cellular phone. Going inside your cellular phone seems to be the truest form of hacking: exploring somewhere people don't want you to be, gaining knowledge which people don't have, and having the ability to do things which most people cannot.

Starting at the beginning, getting an owner's manual for your phone will help explain some of the user-available functions. You should also try to get ahold of a service/technician's manual. These manuals usually contain the more technical side of the phone, including schematics and sometimes reprogramming and reconfiguration codes to use from the keypad of the handset.

When you open up your phone, you should observe all of the components. The first one you should find is the EPROM (Erasable Programmable Read-Only Memory). This chip is easily found because it has a little glass window and a number, usually 27xxx, somewhere on it. This 24-, 28-, or 40-pin chip contains the cellular phone's software and other information which is "cast in stone".
The data stored in this chip is unchangeable unless you read the chip, change the code, and rewrite it. Disassembling the code is a laborious task, but should definitely be done. The microprocessor in the phone is often a custom-made application processor based on a specific instruction set. Z80, 8051, and 8085 microprocessors are all very common in cellular phones, but phones are not limited to these types. Be prepared to spend many hours exploring the code to find out how the phone operates and what kind of functions are available. Most EPROMs in phones have more capacity for data than actually needed, and sometimes there is plenty of room for customization.

Another key component is the EEPROM (Electrically-Erasable Programmable Read-Only Memory). Usually just battery-backed RAM, this chip can be programmed and configured to your liking from the keypad of your phone. In my own phones the following (and plenty more) can be accessed and changed using reprogramming codes:

 1. ELECTRONIC SERIAL NUMBER (ESN)
 2. Initializing the repertory memory (INIT REP)
 3. Changing/Setting the Lock Code (LOCKCODE)
 4. Allow Quick Recall (QRC SET)
 5. Allow Quick Store (QST SET)
 6. Turn the Wake-Up tone on/off (WUT SET)
 7. Mobile to Land Hold (MLH CLR)
 8. Land to Mobile Hold (LMH CLR)
 9. Call Round-Up (CRU CLR)
10. Extended DTMF (EE SET)
11. No Land to Mobile (NLM CLR)
12. Horn Alert On/Off (HAL CLR)
13. Online Diagnostics (ONL CLR)
14. System ID Enable/Disable (MAN)
15. Mobile Identification Number (MIN)
16. Service Providers ID (SIDH)
17. Initial Paging Channel (IPCH)
18. Extended Address On/Off (EX SET)
19. IPCH Scan Start - Bank A (IDCCA)
20. IPCH Scan Start - Bank B (IDCCB)
21. Access Overload Class (ACCOLC)
22. Group ID (GROUP ID)
23. Long-Distance Call Restriction (LU SET)
24. SID "Black List" (INVLD ID)
25. System Selection (IRI CLR)
26. Signal Strength Indicator (SSD CLR)
27. Audio Receive On/Off
28. Transmit Audio On/Off
29. Supervisory Audio Tone On/Off (SAT)
30. Channel Number
31. Volume Control
32. Power Control
33. Hands-Free On/Off

As you can see, there is plenty of opportunity for configuration. Some phones require special codes to let you change the settings, and other phones require a special handset, cable, or dongle-key proprietary to the specific manufacturer. If your phone requires such a device, it is possible to modify an existing handset or build your own cable. Anything that is stored in the EEPROM can be changed one way or another. The EEPROM can be read in most standard EPROM programmers. The RAM usually emulates a 2716 or 2764 EPROM, but try to get specifications on the particular chip before you plug it into your programmer. Many manufacturers store the information on the EEPROM in plain text, so as not to complicate it for the technicians who are performing tests on the phone.

Some companies are aware that their phones can easily be manipulated, so in order to increase security, a few steps are taken. Some phones contain LCC EPROMs instead of the standard DIP EPROMs. These EPROMs are about 1cm x 1cm, the size of the window on a standard EPROM. They perform just like standard EPROMs, except they are surface mounted, harder to erase (although they still use UV light), and, because of the size, more difficult to desolder and/or clip onto. In some cases, instead of using an EEPROM or RAM to store the ESN, a NOVRAM chip is used. This chip cannot be read by an EPROM programmer, thus making it extremely difficult to do without chip-specific hardware.

Security for changing the ESN is also incorporated into most of today's phones. Due to increasing problems with call-sell operators, drug dealers, and other people using "cloning" techniques, security has increased greatly. An example follows: the software in one phone provides access to change the ESN three times from the keypad. This is done so the phone can be sold to another user and be reprogrammed.
Every time the ESN is changed, a counter stored in the NOVRAM of the CPU keeps track. Once the ESN is reprogrammed three times, a flag is set in the EEPROM; but since the NOVRAM is located in the CPU and is extremely difficult to read and program without special equipment, it cannot be changed, and in order to be able to use the phone again it must be sent back to the manufacturer for a replacement EEPROM and a clearing of the CPU NOVRAM. The only way to get around this security is to change the ESN by "hand": directly reading the EEPROM, changing the ESN, and reprogramming. I am sure there are ways around this type of security. There always are.

There are many things which can be done by reconfiguring a cellular phone. For example, by setting the Service Provider's ID (SIDH) to 0000 (and sometimes the Group ID), the phone will be placed in "roaming mode". This mode basically means that you are not confined to the service of one cellular carrier, and can choose carriers depending upon your location. I will not go into the advantages and disadvantages of roaming, which can be found in other articles.

Configuring the phone so it is able to receive cellular phone conversations is particularly fun. Since a cellular phone is able to receive much of the 800MHz band, by setting the audio receive mode to be constantly active you will be able to hear any audio transmitted on that one particular channel. By changing channels, you can scan through the cellular frequencies, receiving other people's transmissions.

Another interesting trick which can be done is to transmit on a channel which is occupied. To do so, first set the transmit audio selection to be constantly active, and after finding a channel you want to interrupt, trigger the SAT (Supervisory Audio Tone). This will drop the person from the current call, and then you can transmit through the cell site for about 5 seconds.
I do not know how this works, but I assume that you would have a higher priority for use of the channel, which would drop the call.

Here is a partial list of cellular phone manufacturers to aid in obtaining information:

AT&T:     800-225-6604
AT&T:     800-232-5179 (Cellular Services)
Dallas:   408-980-0414
Intel:    800-628-8686
Motorola: 800-331-6456 (Repair)
NEC:      800-338-9549
NEC:      800-367-6321 (Customer Service)
NEC:      800-632-3531 (Technical Department)
Novatel:  800-231-5100
Novatel:  800-766-8283 (Cellular Accessories Sales)
Sanyo:    800-421-5013
Sanyo:    201-825-8080
Sony:     800-222-7669
Sony:     816-891-7550
Sony:     714-229-4197 (Integrated Circuit Group)
Uniden:   317-842-2483
Uniden:   317-842-1036 Ext: 598 (Customer Service)
Uniden:   800-447-0332 (Cellular Technical Support)
VLSI:     800-473-8574
VLSI:     408-434-7227

This article should be used as a starting block, and was written to inform people of the vast possibilities of cell phones. You should experiment with your own phones to see what else can be done.
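The ESN-change lockout described earlier (a change counter in the CPU's NOVRAM, a lock flag in the external EEPROM), modelled as an added example of where the security state has to live for the scheme to hold. This is constructed code, not any manufacturer's firmware; the struct layout, field names and the ESN_CHANGE_LIMIT constant are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ESN_CHANGE_LIMIT 3   /* "three times from the keypad", as in the article */

/* Assumed layout: the counter sits in the CPU's NOVRAM (not field-serviceable),
 * the ESN and lock flag sit in the external EEPROM (field-readable). */
struct novram { uint8_t esn_changes; };
struct eeprom { uint32_t esn; uint8_t locked; };
struct phone  { struct novram nv; struct eeprom ee; };

/* Keypad ESN reprogramming: the gate is the NOVRAM counter, not the EEPROM flag. */
bool esn_change_keypad(struct phone *p, uint32_t new_esn)
{
    if (p->nv.esn_changes >= ESN_CHANGE_LIMIT) {
        p->ee.locked = 1;                 /* re-assert the flag if it was cleared */
        return false;
    }
    p->nv.esn_changes++;
    p->ee.esn = new_esn;
    if (p->nv.esn_changes >= ESN_CHANGE_LIMIT)
        p->ee.locked = 1;                 /* third change used up: lock */
    return true;
}

/* A phone is usable only while neither store reports a lockout. */
bool phone_in_service(const struct phone *p)
{
    return !p->ee.locked && p->nv.esn_changes < ESN_CHANGE_LIMIT;
}

/* Swapping the EEPROM alone clears the flag but not the counter,
 * so service does not come back and the next keypad change re-locks. */
void eeprom_replace(struct phone *p, uint32_t esn)
{
    memset(&p->ee, 0, sizeof p->ee);
    p->ee.esn = esn;
}

/* Manufacturer service: the only path that clears the NOVRAM counter. */
void factory_reset(struct phone *p, uint32_t esn)
{
    memset(&p->nv, 0, sizeof p->nv);
    eeprom_replace(p, esn);
}

int main(void)
{
    struct phone p;
    memset(&p, 0, sizeof p);
    for (int i = 0; i < 4; i++)           /* constructed sample ESNs */
        printf("change %d: %s\n", i + 1, esn_change_keypad(&p, 0x1000u + i) ? "ok" : "refused");
    eeprom_replace(&p, 0x2000u);
    printf("after EEPROM swap only: %s\n", phone_in_service(&p) ? "in service" : "still locked");
    factory_reset(&p, 0x3000u);
    printf("after factory reset: %s\n", phone_in_service(&p) ? "in service" : "still locked");
    return 0;
}
```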