=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                      Entering the Realm of Cellular
                                by Dynastar
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

   " I see your wishes on the wall, and that's all right with me,
     I see you run to make a call, hoping that there's someone free. "
                                                         - Sonic Youth

Special Thanks for sharing love, information, concepts, thoughts, drugs, property, or time go to: Eric, MKL (you've been more than helpful in this project... that I'll never forget), Richie, Mike (FL), Dennis, Brian, Scott, Don, Steve, Chris, Jason, Bill, Sean, and Mitch.

Introduction
~~~~~~~~~~~~

There have been quite a few articles on cellular communications, especially recently. I ran around obtaining hundreds of them once I received a portable phone. For the most part, all of the articles I have read are either directly or indirectly taken from articles dating back to 1984. Most of this information, although still valid, has by now been published in national magazines (like the recent Forbes issue). Hopefully, my article will give you a better idea of the internals of a cellular phone and exactly what you can do with a 64K PROM.

I hope you will use this file for something responsible and worthwhile, but I'm not giving an ethics lecture---especially about companies I hold in low regard anyway. Use your own judgment, and always think in the greater scope of things. The information is there. You just have to get your own copy. This article, for better or worse, will contain nearly all my findings from personal experience.

Internal Organs
~~~~~~~~~~~~~~~

As a person with an analytical mind, the first thing I did after getting my cellphone was take it apart. Along with a myriad of electrical parts whose names I do not know, there were quite a few chips as well. Thanks to help from others and some referencing of my own, I identified the more important ones on my phone.
These parts are specific to an Oki Telecom cellular phone, so expect yours to be somewhat different. The main processor in the phone is an Intel/Oki 93H006 (an MCS-51 part, basically an 8051 microcontroller). The program code is on a 54512 chip, which is socketed and therefore replaceable. Data storage is on a 28C64 EEPROM. Along with these chips are a cellular audio processor, NRZ encoding and decoding chips, another MCS-51 processor for the keyboard and screen display, an I/O port expander, and a serial EEPROM chip. These chips are the workhorses of the phone and will tell you what it does, when it does it, and how and why (!). By disassembling all of the code, you will get one massive listing of source (over 200 pages).

The phone also has two programming modes which you aren't supposed to know about. The first is a menu-driven NAM editor, which allows a cellular office to change your MIN, SID, SCM, lock codes, and various other information. On many Oki phones, this is accessed by Menu+Rcl,0,1,2,3,4,5,6,7,8,9 or by Menu+Rcl,*,1,2,3,4,5,6,7,8,# (for factory-new OKI 900s; substitute *+# for Menu+Rcl on new OKI 750s). NAM programming modes can be found on nearly every cellular phone, old or new.

Oki phones have another "undocumented" mode: a technical service mode for the phone. With a few (actually a lot) of key presses you are greeted with a "good timing!!" message to let you know it is active. Pressing 1+3 then freezes the microprocessor and gives you total control of the phone. From this new level, you can run test functions and make modifications to parts of memory. The NAM locations (including the ESN), however, are still protected from modification for the majority of technically inclined users. Still, I will not say it is impossible to edit the ESN and NAM from the keyboard; it has been done without even modifying the PROM holding the instructions.
Once you know the locations, you can remove write protection from the entire memory. I learned quickly that the "specifications for ESN storage" were not followed perfectly by any cellular phone manufacturer.

The hard part, the expensive part
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The biggest expense in understanding a cellular phone is not purchasing the phone, as many believe. In many states (with the distinct exception of California) you can now get "free" cellulars if you subscribe to service for a specified length of time. Some of the offers aren't all that bad, and should be considered as an option for someone interested in cellular communications. That will, once again, not be your biggest expense in a "project" with them. If you intend to modify the code inside a cellular to make it uniquely yours... I suggest you do it as a group effort. In my case, working with a handheld, I still owe money.

The first logical step will be to find new storage chips to replace the ones inside the phone. If you know about chips, you've noticed mine used a 54512 chip (a one-time-programmable chip which cannot be erased... meaning it must be REPLACED with an exact duplicate). I first tried to contact Oki Telecom, who had to laugh when I asked about buying a single chip for my phone. I then called the manufacturer of the chip, and found their local distributors in my area. If you plan on doing this, make sure you get more than one distributor. Some of the distributors will allow you to place orders of 10 or 25 chips (at about eight dollars each), and some will only accept orders of 500 or more dollars. It is very specific to the type of company you work with, so look around.

Next, you will need a programming device to read and write the chips. That will obviously be an E/E/PROM burner. My best advice is to look around for a company that sells them cheaply and supports an array of chips.
Another big plus is to have a company that has EVEN A CLUE about what an EEPROM burner is. Some companies had to get a tech on the line to tell me if it programmed anything. The company (IMHO) that I would choose as the best for service, support, and price would be BP Microsystems (800/225-2102). If you request information about their programmers, they will send you a listing of all the chips they support (thousands of them) and an MS-DOS copy of their software for the programmer, which you will find invaluable in finding out if a chip is or isn't programmable. They also provide free upgrades, which are stored as binary files on their BBS, and you install them yourself. The only disadvantage is that their programmers cost $299 and up. (I am not a spokesman for BP Microsystems, nor am I endorsing their products; this is only an observation on my part. I am not being paid any amount of money by them, but wouldn't mind negotiating a free programmer for this :-) ...)

The next step, if necessary, is to get an adapter for the PROM chip to work with your E/E/PROM programmer. For most transportables and car phones you will need none. For a good percentage of portable phones, expect to buy one. I needed a 28-pin SOIC -> 28-pin DIP adapter, which ended up costing around $100. Expect to pay somewhere around that for an adapter, if one is required, or make one yourself (ick!)

As an optional accessory for your phone, I would recommend a "Technical Manual." Not all companies will sell an end user technical manuals for their cellular phones, and I do not know whether they check you out when you order one "as a dealer." Oki Telecom has manuals for the end user and allows you to purchase them for $150. The manual covers schematics and many other interesting and not-so-interesting tidbits of information you may consider helpful. It isn't necessary, but if you have the cash, it can't hurt.
There are other things you can get for cellular phones that you may or may not know about, which don't have a helluva lot to do with anything else. You can legally purchase ESN/MIN decoders for local-range reception and as scanner interfaces. For phones that don't already have them, you can get RJ-11 data jacks for modems and fax machines. There is also a huge assortment of car adapters, quick chargers, battery eliminators, range extenders, and test equipment. All of these things are ready for your purchase, for many dollars (an ESN/MIN decoder can run around $2,000).

Disassembly
~~~~~~~~~~~

Now that you took the time to purchase all this neato stuff, it's about time to put it to use. The first thing you will need is a disassembler for your phone's code. This is when it is best to own an IBM compatible computer, as cross assemblers are much more plentiful. Phones can run on nearly any type of micro the company chooses; however, many of the ones I've seen run on MCS-51 or Z80. If you want a specific phone, I suggest you call up the manufacturer and ask them about it. I only know personally of the Oki and the Fujitsu Pocket Commander (also an MCS-51). I was able to find a well-made disassembler on the Internet myself, via ftp. It was able to disassemble the entire code (with the exception of indirect jumps). The result of several disassemblies and my specific entry points produced over 200 pages of undocumented code (the code took up $0000-$A000 on the 512K PROM).

After printing out the code, I went through it (with help from some of the above-mentioned persons)... I am still going through it now (a couple of months later). I want you to be sure to know that going through this code, without the slightest clue of what is stored where, can be a horrifying task. Eventually you will learn what is stored where and can guess at routines' jobs by the memory locations they access.
I strongly suggest you have someone help you, or you will end up a psychotic killer later in life.

I'm with you so far, but what do I do now!??!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now that you have killed a tree to print it all out, and wasted about three gallons of ink (or 10 pounds of wax if you like crayons), it is time for YOU to decide what you will do with your disassembly. If you're into free calls, I'm sure you can figure out how to change the ESN. More serious owners will think about more serious applications. The phone is exactly like owning a computer once you know how it works. You can have it do anything you want it to. Some of the things I've done/heard about/could imagine are: cellular spying (you can scan the other channels and listen to calls), protecting your phone with encryption (RSA if you are really paranoid!), having a longer unlock code which will destroy the phone after successive failures, making caller "restrictions" for other users, adding a calculator, having it shadow a cellular tower, making it switch towers to prevent locating and lower the chance of monitoring, allowing voice scrambling (somewhat hard, may be easier on digital phones), having it look for MIN/ESN pairs and store them, looking for MINs or ESNs of corporations for insider trading, looking for calls placed to Colombia (to find the eleet drug deals), looking for calls to 3l33t BbSeZ so your HST can record a Zmodem download of the MEGA-K-RaD-wArEZ when they are 0-2 minutes old, or maybe something as simple as having it play Jingle Bells in DTMF when you turn it on. As you can see, the options are limitless, although a great number of them are illegal in all fifty states.

The ever popular ESN story
~~~~~~~~~~~~~~~~~~~~~~~~~~

Although you may have heard this 18,000 times, I'm going to repeat it--- mainly because it is not complete. When you place a call, the cellular phone will broadcast the ESN and MIN of the calling party, as well as the number of the called party.
Another thing that is transferred, which is often omitted or questioned, is the SCM. The SCM has something in it which will prove to solve a number of fraud problems for cellular companies. The SCM tells the tower the power class of the phone (0.6, 1.2, or 3.0 watts). This allows the tower to do three things: (1) see if a phone that claims to be 0.6 watts is really broadcasting at 0.6 watts, (2) see if the phone is using an ESN that belongs to a 0.6 watt phone, and (3) in cases of fraud, if a phone claims to be 0.6 watts, the feds may be looking for someone with a handheld phone rather than someone talking in their car. If you plan on using captured ESNs of other phones, it's a good idea to think about the SCM to avoid a bad situation.

When a call is placed on any network, the cellular company will check the validity of the ESN and MIN. If it is made from a local phone, then the process is quite simple. It pulls up the MIN file and checks to see if the ESN matches the file. If not, you either get an operator or a message telling you that you are a bad person and your attempt at making free calls is denied.

If you are roaming from your cellular network into another, the process may be somewhat different. The computers no longer have your information right there and require time to contact the other company to check the information. This type of circumstance allows you to take advantage of the company. Many companies still do not check to see if you're a valid customer until after you place your first call. This allows you one free call before it checks. Then your ESN will be blocked from free calls for a period of time (often only 3 days). This doesn't seem like a major flaw, more of an annoyance to cellular companies... until people understood exactly how it works. By modifying your ESN and MIN each time you place a call on certain networks, you are able to get a free call for each ESN and MIN you give them (which turns out to be an unlimited number of free calls).
With this method you never need a valid ESN/MIN pair at all; all you need is a random routine in your phone. The cellco will also check for changes in your ESN/MIN pair that it can detect, as well as (in some cases) the general location the call is being placed from and to. This could prove the downfall of your theory. It isn't as easy as it looks, and I'm going to make no guesses on how safe it may or may not be. If you want to try it, don't blame (or praise) me.

As real-time checking becomes more of a standard, fraudulent callers are moving to more technical methods of free calls. The method is having a device (either an external device or the phone itself) steal ESN/MIN pairs from other cellular callers. Once stolen and programmed into a cellular phone, these pairs allow free calls for up to one month on cellular systems. This form of fraud is becoming more difficult to control because of the requirements for information to be exchanged by carriers and the lack of ability to check for duplicate and unacceptable calls. The cellular companies are still trying to find a way to stop it. Attempts are now made to check the SCM in some areas. Other areas are looking for two users with the same ESN/MIN with their phones turned on. Increasing numbers of areas are looking for callers who make one call in one city, and then another 100 miles away in the same ten-minute period. As fraud grows, so does the security and checking. With the current cellular system, it appears that there is no stopping the fraud in many cases. Possibilities for killing someone's cellular call and blocking them out while you place a fraudulent one will always exist, and are nearly undetectable in many cases.

Depending on your make and model of phone, these things can be easily accomplished or nearly impossible. The Oki phones have a good bit of security in them to prevent this type of modification. The ESN is stored in plain sight in the phone and can be modified.
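To make the carrier-side checks described above concrete, here is an added example (not code from the article, and not any carrier's actual system) that runs three of them over a handful of constructed call records: a power-class check of the SCM against the manufacturer code in the ESN, a search for two calls active at the same time on one ESN/MIN pair, and the distance-over-time check. The ESN and MIN values, the cell-site coordinates, the 100-mile / 10-minute thresholds and the manufacturer-code-to-power table are all assumptions made for the example.

```python
"""Carrier-side fraud checks over constructed call records.

Added example, not code from the article or from any carrier. All records,
ESN/MIN values, site coordinates and the MFR_POWER_W table are constructed
assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8


@dataclass(frozen=True)
class CallRecord:
    t: int              # call start, seconds since midnight (constructed)
    duration_s: int     # call length in seconds
    esn: str            # 32-bit ESN as 8 hex digits; first two are the manufacturer code
    min_: str           # 10-digit MIN
    scm_power_w: float  # power class the phone claimed in its SCM (0.6, 1.2 or 3.0)
    site_lat: float     # serving cell site (constructed coordinates)
    site_lon: float


# Assumption for the example: expected power class per ESN manufacturer code.
# $81 is the Oki code named in the article; 0.6 W is the handheld class.
MFR_POWER_W = {"81": 0.6}


def miles_between(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) between two cell sites."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def _by_pair(records):
    """Group records by (ESN, MIN) and sort each group by start time."""
    groups = defaultdict(list)
    for r in records:
        groups[(r.esn.upper(), r.min_)].append(r)
    return {k: sorted(v, key=lambda r: r.t) for k, v in groups.items()}


def find_scm_mismatches(records):
    """Check (2) from the article: a claimed power class that does not fit the
    manufacturer code in the ESN (e.g. a 3.0 W claim on a handheld maker's ESN)."""
    out = []
    for r in records:
        expected = MFR_POWER_W.get(r.esn[:2].upper())
        if expected is not None and abs(r.scm_power_w - expected) > 1e-9:
            out.append(r)
    return out


def find_overlapping_calls(records):
    """Two calls on the same ESN/MIN pair whose time intervals overlap:
    the 'same ESN/MIN turned on at the same time' check."""
    out = []
    for pair, calls in _by_pair(records).items():
        for i, a in enumerate(calls):
            for b in calls[i + 1:]:
                if b.t < a.t + a.duration_s:
                    out.append((pair, a, b))
    return out


def find_velocity_violations(records, max_miles=100.0, window_s=600):
    """Consecutive calls on one pair that start within window_s seconds but
    more than max_miles apart: the 'one city, then 100 miles away within ten
    minutes' check."""
    out = []
    for pair, calls in _by_pair(records).items():
        for prev, cur in zip(calls, calls[1:]):
            dist = miles_between(prev.site_lat, prev.site_lon, cur.site_lat, cur.site_lon)
            if cur.t - prev.t <= window_s and dist > max_miles:
                out.append((pair, prev, cur, round(dist)))
    return out


# Constructed records. Sites: Chicago (41.88,-87.63) and Indianapolis (39.77,-86.16).
RECORDS = [
    CallRecord(0,   300, "8100A5C3", "3125550100", 0.6, 41.8781, -87.6298),
    CallRecord(120,  60, "8100A5C3", "3125550100", 0.6, 41.8781, -87.6298),  # overlaps the first
    CallRecord(500,  60, "8100A5C3", "3125550100", 0.6, 39.7684, -86.1581),  # ~165 miles, 380 s later
    CallRecord(0,   120, "81001F42", "3125550199", 3.0, 41.8781, -87.6298),  # claims car-phone power
]


def run_checks(records=RECORDS):
    """Count the hits of each check; each constructed record trips exactly one."""
    return {
        "scm_mismatches": len(find_scm_mismatches(records)),
        "overlapping_calls": len(find_overlapping_calls(records)),
        "velocity_violations": len(find_velocity_violations(records)),
    }


if __name__ == "__main__":
    print(run_checks())
```

The velocity check compares consecutive calls on a pair by start time; a stricter version would also consider whether the earlier call was still up when the later one began, which the overlap check covers separately. None of these checks needs the carrier to know the subscriber's real ESN in advance, which is why they catch a tumbled or cloned pair that the simple MIN-file lookup described earlier would accept.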
However, once you turn on the phone, you will be greeted with your old ESN. A routine in the phone takes an encrypted copy of the ESN, decodes it, and then rewrites it back to where the ESN should be. The encrypted ESN has a checksum added to it as well to prevent modification. It also checks to make sure the first two hex digits of the ESN are the same as the manufacturer code for Oki Telecom phones ($81). If either of these is modified in any way, the phone will turn on and greet you with an error message, forcing your phone to be serviced by Oki Telecom. There is no room for mistakes in modifying the code. Oki made even modifying the PROM code a little challenge: there are checksums for the NAM (not including the ESN) and also checksums over the instructions in the chip, which will catch modified code. These must be disabled if you plan on having a phone which allows MIN/ESN changes.

Making the phone scan the cellular channels and NRZ-decode other callers' MIN/ESN/SCM/CALLED_PARTY groups could be considered a task for an expert. You will have to sort through hundreds of routines and thousands of lines of code, just to understand how a call is completed. Expect this type of modification to require great amounts of attention and time.

Comments, Thoughts, and other /dev/null Info
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you want an estimate of the involvement you may be dealing with when working with the code in a phone, I'll give you some examples. It will take about six months if you plan on starting from scratch with a few people helping you out along the way. Older phones will, of course, be easier to work with. On the down side, they will usually require a better chip programmer and offer you less room for new functions. There are other ways to make modifications to your phone; I've heard of wires running out of people's handhelds which did this, that, and the other thing.
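The power-on routine described above, in which the plain-sight ESN is not the copy the phone trusts, is worth seeing as code. The following is an added example modelled on that description; it is not Oki's firmware, and the obfuscation (XOR with a fixed key) and checksum (byte sum mod 256) are placeholders chosen for illustration, since the article does not document the real transform. The ESN values are constructed; the $81 manufacturer code and the 8-bit-code / 24-bit-serial split of a 32-bit ESN are the only parts taken as given.

```python
"""Power-on ESN integrity check, modelled on the article's description of
the Oki 900.

Added example, not Oki's code. The article says the phone keeps a protected
copy of the ESN with a checksum, decodes it at power-on, verifies the Oki
manufacturer code ($81) and writes it back over the working ESN. The
transform here (XOR with a fixed key) and the checksum (byte sum mod 256)
are placeholders for illustration; the article does not document the real
ones. All ESN values are constructed.
"""
from dataclasses import dataclass

OKI_MFR_CODE = 0x81
OBF_KEY = bytes.fromhex("A55A0F3C")   # assumed placeholder, not the real transform


def esn_fields(esn):
    """Split a 32-bit ESN into its 8-bit manufacturer code and 24-bit serial."""
    return (esn >> 24) & 0xFF, esn & 0xFFFFFF


def esn_decimal(esn):
    """The 11-digit decimal form: 3-digit manufacturer code + 8-digit serial."""
    mfr, serial = esn_fields(esn)
    return f"{mfr:03d}{serial:08d}"


def checksum(data):
    """Placeholder integrity check: sum of the plaintext bytes, mod 256."""
    return sum(data) & 0xFF


def seal_esn(esn):
    """Build the protected copy: obfuscated ESN bytes followed by a checksum
    over the plaintext. (A factory-side step; placeholder transform.)"""
    plain = esn.to_bytes(4, "big")
    obf = bytes(p ^ k for p, k in zip(plain, OBF_KEY))
    return obf + bytes([checksum(plain)])


@dataclass
class Nam:
    working_esn: int    # the copy "in plain sight", which the phone uses on the air
    sealed_esn: bytes   # the protected copy the power-on routine trusts


def power_on(nam):
    """Re-derive the ESN from the sealed copy and overwrite the working copy.
    Returns 'OK' or the error string the display would show."""
    obf, stored_ck = nam.sealed_esn[:4], nam.sealed_esn[4]
    plain = bytes(o ^ k for o, k in zip(obf, OBF_KEY))
    if checksum(plain) != stored_ck:
        return "ERROR: ESN checksum"
    esn = int.from_bytes(plain, "big")
    mfr, _ = esn_fields(esn)
    if mfr != OKI_MFR_CODE:
        return "ERROR: manufacturer code"
    nam.working_esn = esn          # whatever was patched in is silently reverted
    return "OK"


def demo():
    """Tamper with the working ESN only, then with the sealed copy."""
    factory = 0x8100A5C3
    nam = Nam(working_esn=factory, sealed_esn=seal_esn(factory))
    nam.working_esn = 0x8100FFFF          # edit the plain-sight copy
    first = (power_on(nam), nam.working_esn == factory)
    tampered = bytearray(nam.sealed_esn)
    tampered[3] ^= 0x01                   # flip one bit in the sealed copy
    nam.sealed_esn = bytes(tampered)
    second = power_on(nam)
    return first, second


if __name__ == "__main__":
    print(esn_decimal(0x8100A5C3), demo())
```

The point the demo makes is the one the article makes: editing the visible ESN accomplishes nothing, because the boot routine restores it, and editing the sealed copy without also recomputing its checksum (and keeping the $81 prefix) only produces the service-required error. An attacker who can change the PROM code can of course remove the routine itself, which is why the article notes that Oki also checksums the instructions.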
I find having wires hanging out of my cellular phone a form of blasphemy; just the thought of wires 'hanging' out of my phone makes me want to vomit. That is so untechnical, crude, and noticeably fraudulent to officials (in the case of a physical tumbler hanging out of the phone). Come on, we can do better!

I have to once again credit those people who took the time out to help me in this. They worked many hours, some quite a few more than me, I'm sure. I did not include any handles of people who helped me with the Oki 900 specifically, for a variety of reasons dealing with privacy and security. Don't bother asking me (or probably any other person I mentioned above) for documented source or other specific information as such. I doubt you will get it, try as you will. I will try to help anyone who wants to complete this project and attempt to answer their comments and questions. I will not answer all the questions, but will try to lead you in the right direction. I'm also interested in anyone who does start or complete any cellular project; I'd like to hear about it. Also, donations of any kind of information on your phone will be accepted most enthusiastically as well!

Other Sources
~~~~~~~~~~~~~

I referenced many journals in making this file and working with cellular phones. Here are just a few of the ones I've found very informative:

"The DNA Box" by Outlaw Telecommandos
   - A great file on what you can do with a cellular, written by some great
     minds. Great specific information on composition of connections and
     MIN storage.

"The Ultimate Cellular Modification Manual" as scanned by Dr. Bloodmoney
   - A decent source for NAM reprogramming and some of the information on
     ESN modification and scams. However, some of the information contained
     is incorrect, be warned.

"Cellular Telephony" by Brian Oblivion [see Phrack]
   - A great technical source for the specifics.
"The Secrets of Cellular" by Bootleg
   - Although much of the information included is captured from other
     files, the information that is original is worth the trouble of
     reading through the file. Contains information about ESN/MIN decoding
     equipment.

"NAM Reprogramming" by Consumertronics
   - Contained in the Ultimate Modification Manual, but released years
     earlier.

"CELLFONE.TXT" by multiple Anonymous authors
   - Contains a good bit of information on the frequencies and laws
     involved in cellular use.

Glossary
~~~~~~~~

This space is left intentionally blank. There are plenty of other sources (the above files are one example) that offer a complete listing of all the terms used in my article. You should have no problem finding many of those files on the Internet or popular systems, such as Ripco BBS.