Someone wrote a delightful and humorous comment in this topic:
Link: https://forum.defcon.org/showthread.php?t=12007
As I guess we must be doing something to really be hackers, so let's try:
"...to give them the payment"
-- Coideloko
Important
=========
This article describes how a hacker/phreaker can clone cellular devices
and do many other interesting things in the public and priv8 telephone
systems in Brazil and in other countries. In our tests we used a
Motorola MicroTAC Elite and a good ESN Reader, listening to Marisa de
Azevedo Monte and drinking some Brazilian beers.
Introduction
============
What is a cellular? A radiotelephone device operating at 800 MHz and 3 watts,
able to change channels automatically through the commands sent by the
"nanocomputer" at the central.
What is ESN?
Acronym for Electronic Serial Number. All telephones have a serial
number in their memory. We'll need to know the ESN if we want to clone a
cellular. When you make a call the device sends the ESN and the MIN to the
central or "Celula", and after that the base sends the MIN and an
acknowledgment signal if the MIN/ESN in the database were compatible with
the signal previously sent. Some devices verify the ESN/MIN directly in the
central and only after that do they send the positive signal.
What is MIN?
The cellular's phone number. Obviously, all (enabled) cellulars have a
number in their memory. A device can also have two MINs.
What is NAM?
Number Assignment Module. This is a component of the EPROM/EEPROM; the
ESN, MIN, SCM (Station Class Mark), lock code and other things are located
here too. Some cellulars can be reprogrammed from the keypad (Oki900), but
they "lock" after 3 changes of MIN (in general there are three). Newer
cellulars like Nokia, Motorola, Ericsson, etc., don't lock, but they
allow you to reprogram the NAM without overwriting the EPROM.
The Cellular System
===================
There are 3 bands: A, B and C. One of these is assigned to the
company, another to the independent or private companies and another is
reserved. The Brazilian cellular system is divided into smaller parts called
celulas. Each of them serves as a "base", with much equipment used
to monitor and also to control the stations (the celulas
generally are towers with little houses). The celulas have specific
channels associated (control or voice). All the celulas are connected to
the central, where the procedure is controlled. Originally there were 666(!)
frequencies or channels used by cellulars.
In 1988 in the USA some 156 more channels were added, totaling 832 (AMPS)
channels. In 1992 the number of channels in the central system was equal
to 2412 (NAMPS). With all this taken into consideration the developers made
adaptations in the devices to operate on the correct frequency.
416 of the 832 channels are available for band A and the other part
is available for band B. If the system is NAMPS we have 1206 for
band A and 1206 for B. These channels have two frequencies and
they operate in full duplex mode (45 MHz apart). The lower frequency is
assigned to the device and the higher frequency to the base (for sending
and for all input procedures).
Among these 416 or 1206 channels, 21 are control channels, used to control
and also to set up calls. These special channels are used in the
digital transmission between the device and the base. The rest are
voice channels. Actually the channels are numbered from 1 to 1023, and
there are some programs able to convert channels into frequencies and the
inverse.
See how to do that in the following lines:
/* P.S: Program .motcell */
/* Originally having 666 channels: */
Band (A)
 * Control channels = 21 (313 -> 333)
 * Voice channels   = (001 -> 312)...
     |
     |-> 395  AMPS system
     |-> 1185 NAMPS system
Band (B)
 * Control channels = 21 (334 -> 354)
 * Voice channels   = 355 -> 666
     |
     |-> 395  AMPS system
     |-> 1185 NAMPS system
/* freq -> channel, channel -> freq */
N = Number of the channel
F = Frequency (MHz)
If B = 0 --> (device)
If B = 1 --> (base)
(*) FREQUENCY FROM CHANNEL:
F = 825.030 + B*45 + (N-1)*.03
/* N = 1 to 799 */
F = 824.040 + B*45 + (N-991)*.03
/* N = 991 to 1023 */
(*) CHANNEL FROM FREQUENCY:
N = 1 + (F-825.030-B*45)/.03
/* F >= 825.030 (device) */
/* F >= 870.030 (base) */
N = 991 + (F-824.040-B*45)/.03
/* F <= 825.000 (device) */
/* F <= 870.000 (base) */
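As an added example (not part of the original post or of the .motcell program), the channel/frequency conversion above in Python, plus the band A/B control/voice classification from the table. It uses the (N-991) offset for channels 991-1023 that the inverse formula implies, and the function and constant names are my own.

```python
# Added example, not from the original post or from .motcell: AMPS channel <-> frequency
# conversion following the formulas quoted above. B = 0 is the device (mobile) side,
# B = 1 the base side, 45 MHz higher. Channels 991-1023 sit just below channel 1, so
# their offset is (N - 991), which is what the inverse formula above implies.

CHANNEL_STEP_MHZ = 0.030      # 30 kHz channel spacing
DUPLEX_OFFSET_MHZ = 45.0      # base transmits 45 MHz above the device
MAIN_BASE_MHZ = 825.030       # device-side frequency of channel 1
EXTENDED_BASE_MHZ = 824.040   # device-side frequency of channel 991


def is_amps_channel(n):
    """True for the channel numbers AMPS actually uses: 1-799 and 991-1023."""
    return 1 <= n <= 799 or 991 <= n <= 1023


def channel_to_freq(n, base=False):
    """Frequency in MHz of channel n on the device (base=False) or base (base=True) side."""
    if not is_amps_channel(n):
        raise ValueError(f"channel {n} is not an AMPS channel (1-799, 991-1023)")
    b = 1 if base else 0
    if n <= 799:
        f = MAIN_BASE_MHZ + b * DUPLEX_OFFSET_MHZ + (n - 1) * CHANNEL_STEP_MHZ
    else:
        f = EXTENDED_BASE_MHZ + b * DUPLEX_OFFSET_MHZ + (n - 991) * CHANNEL_STEP_MHZ
    return round(f, 3)


def freq_to_channel(f, base=False):
    """Inverse of channel_to_freq; rejects frequencies that are not on the 30 kHz grid."""
    b = 1 if base else 0
    f_device = f - b * DUPLEX_OFFSET_MHZ          # normalise to the device side
    if f_device >= MAIN_BASE_MHZ - 1e-6:
        n = 1 + round((f_device - MAIN_BASE_MHZ) / CHANNEL_STEP_MHZ)
    else:
        n = 991 + round((f_device - EXTENDED_BASE_MHZ) / CHANNEL_STEP_MHZ)
    # Round-trip check: an off-grid or out-of-plan frequency does not map back to f.
    if not is_amps_channel(n) or abs(channel_to_freq(n, base) - f) > 1e-6:
        raise ValueError(f"{f} MHz is not an AMPS {'base' if base else 'device'} frequency")
    return n


def classify_channel(n):
    """(band, kind) per the original 666-channel plan quoted above. The 21 control
    channels of each band all lie in 313-354, so the 1988 extension channels
    (667-799, 991-1023) are voice; the post does not assign them a band."""
    if not is_amps_channel(n):
        raise ValueError(f"channel {n} is not an AMPS channel")
    if n <= 312:
        return ("A", "voice")
    if n <= 333:
        return ("A", "control")
    if n <= 354:
        return ("B", "control")
    if n <= 666:
        return ("B", "voice")
    return ("extended", "voice")


if __name__ == "__main__":
    # Walk the first and last control channel of each band and show the duplex pair.
    for n in (313, 333, 334, 354):
        band, kind = classify_channel(n)
        print(f"ch {n:4d} band {band} {kind:7s} "
              f"device {channel_to_freq(n):.3f} MHz  base {channel_to_freq(n, True):.3f} MHz")
    # The lowest extension channel lies below channel 1 in frequency.
    print("824.040 MHz device side -> channel", freq_to_channel(824.040))
```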
As we know, when a call is made the device sends the ESN/MIN to the base,
but it also sends another important piece of information: the system needs
to know the "seeming" of the device, and for that reason we must tell the
base that the information can be sent on the specific channel. The device
sends a binary number (4 bits) with some information:
bit #1                   bit #2 (saves battery in StarTACs [portable])
 |                        |
 |- 0 = 666 channels      |- 0 = Mobile Unit
 |- 1 = 832 channels      |- 1 = Active transmission (voice)
bits #3-4
 |
 |- 00 = 3.0 watts
 |- 01 = 1.2 watts
 |- 10 = 0.6 watts
 |- 11 = ???
The devices can run on many systems. TDMA and CDMA, respectively
Time-Division Multiple Access and Code-Division Multiple Access, are
different from the traditional one. In the TDMA system two or more calls
can use the same channel simultaneously, with little pauses in the
conversation on one side. These pauses programmed by the company may
cause "holding" of other traffic in the same channel. For that
reason there is better quality and a better index of "lost" calls. The
CDMA system is the one used by the military. The transmission is compressed
on one side and "unpacked" at its destination.
In the analog FDMA system (Frequency-Division Multiple Access) the
free channels (frequencies) are found by the system and each sender
is associated with one of them. Once the current call is finished the
occupied channels are able to receive a new transmission or call.
Interceptors of calls will see how this works. The talk ends and the
SHSHSHSHSHSHSHSHSHSHSHSHSH starts. That explains the "rush" for lines
in big cities.
Phreaking
=========
There are basically two types of cellular phreaking. The first is more
common and consists of scanning, searching for channels. This method is
useful for listening to other people and also for saving their
personal lives to a file to show in the near future, of course }:) There are
many banks able to receive queries through the "cell" phone (!). There
are actually many "strange services" like call-sex (don't judge too
quickly darling ;P), call-friendship(?) and shoptimes too.
Now let's learn how to phreak easily, step by step...
As I said, we are using a MicroTAC Elite and listening to Marisa Monte.
Programming mode (inside the firmware):
FCN + 0 + 0 + * + * + 83 78 66 33 + STO

###################     ABC = Actual channel        D = Blank -> AMPS (832)
=                 =                                     A     -> NAMPS (HSC)
= A B C D E F G   =     I = 1 -> TX on                  B     -> NAMPS (CSC)
= H I J K L M N   =         0 -> TX off                 C     -> NAMPS (LSC)
###################     M = 1 -> RX off             N = 1 -> TX off
                            0 -> RX on                  0 -> TX on
So, for our purposes just this information is truly necessary, but you
can check some more letters below:
EFG = RSSI of the actual channel
H = SAT Frequency
J = Tone signal
L = Voice control
These are just some commands. If you want to know more about the commands
read the Motorola bible or another document about enabling. In
test mode there are various other ways to program your device:
inside test mode type "#", and the device will display a command line.
Here's what it looks like:
###################
#      US '       #
#                 #
###################
In this line we write the commands we need. Remember the "#": it is
equal to [ENTER]. We'll need these commands:
02# = sends the information from the device to the display.
04# = resets the settings.
07# = RX off
08# = RX on
A cellular device is able to send and receive data (audio), of course;
that command just enables receiving. Eavesdropping (broadcast) is
used in this transmission, please remember that.
To intercept calls:
1) Choose a channel among the 832 of the AMPS system. Some time ago
(five or six years) Motorola blocked this command to avoid
interception of calls, but just in the newer devices; for these
devices the usable channels are:
300 / 333 / 385 / 799 / 800
Before I forget: these are just examples, use your own receiver.
2) Now type 11 + <number of the channel>
Example: '11231
3) Press "#" and after that 08 and "#". You'll hear some noise, which
means that your device is able to listen to 832 channels (1 to 1023); otherwise
it accepts just 5 instead of 832 (those in the line I showed
you previously). Choose channel 300 to intercept. To access
channel 800 you must type 11991 instead of 11800.
4) To block receiving (I'm talking about the audio) type 07 and "#".
5) After finding a conversation type 40 and then "#"; the device
will show some information about the current voice channel. The
display will show you '40'. This is useful for checking if a transmission
(conversation) was moved/allocated to another channel. If you typed
40# the conversation continues, but the various power levels are
correctly adjusted for a given celula; in this case press CLR or
"#" and type the command 40 and "#" again to continue listening.
If you want to cancel the command 40# type "#". If for some reason the
transmission has problems (disappeared - fear ,) follow these
steps:
1) Write down the hex number shown on the display. The format is
XXXXYYYXXX. What we need is just YYY.
2) Now convert YYY to binary.
3) Convert the result to decimal.
4) Save the result. This result is the new channel of the conversation,
where it was placed. Type 11 + <result> to continue intercepting.
Example: 12af11a38c
             |||
             |||        binary                 decimal
             11a ----------> 100011010 ---------> 282
After that write 11282, type "#", type 08, type "#" and
continue listening.
Some other interesting commands:
13# = Shutdown.
18# = Shows all the content of the NAM. Use "*" to view other information
(next page).
19# = Shows the software version. XXYY (XX = year / YY = week).
32# = DANGER! Deletes all the programming and other information stored
in the device (last dialed number, etc...). If your wife is a
witch I strongly recommend this option.
38# = Shows the ESN in steps, each step with 2 hex digits; use "*" to
view them. Never show this number to anyone!
55# = Programming mode.
For the other kind of phreaking special equipment and good knowledge
about cells for programming the devices are needed; this kind of phreaking
uses an ESN Reader or, as we call it, a "scanner", with which we can get a lot of
ESN/MINs in a few hours. This device runs perfectly. We were in a square
during our tests.
Good equipment is that which allows us to overwrite the EPROM directly
with some commands or by using software. A good example of these devices:
the OKI900. The legendary hacker Kevin David Mitnick used this device.
He was jailed searching for information about the OKI900. Have you ever
heard about that at some moment of your life? Probably... With this kind
of information David could stay completely invisible inside the cellular
system, "any" cellular system... and you too.
With an ESN/MIN it is possible to overwrite the EPROM and clone a device.
Make calls freely and anonymously as many times as you want...:)
It's very hard to detect a good phreaker using a device operating in
band A. Reprogram the EPROM of the device to have an ESN Reader;
your own device searches for ESN/MINs automatically and holds them in its memory.
NOTE (1): Intercepting can lead us to 3 or 5 years of detention in Brazil.
NOTE (2): All the other kinds of "telephone cheats" in public & private
companies, some more hours.
In five days scanning ESN/MINs in my country I found the numbers below.
A simple calculator can convert this format to ESN/MIN; to do that you
must set the 'hex' checkbox, type the number and change it to decimal.
I used a filter that gave me the output below.
P.S. These ESN/MINs are in the correct format.
ESN: 1234567890 - 10 digits
Remove the last digit ('0')
123456789
Type the numbers above into some calculator using DEC
Now go to HEX and the output will be:
They were modified ;) Special thanks to BSDaemon, Jeremy Brown,
Dark_Side, Cheat Struck, Nash Leon, Sheriff (happy 8m years old)
str0ke, VooDoo, AciDmuD, 6_Bl4ck9_f0x6 and mainly to motorola :)
'cause we r in love with applied engineerin'
--=[ Useful stuff and references
=========================================================================
thc-nokia-unlock.zip
http://www.freeworld.thc.org/downloa...kia-unlock.zip
=========================================================================
Signaling System No. 7 (SS7) - An overview
http://www.thebugmagazine.org/magazi...3/0x02-ss7.txt
=========================================================================
Playing with your friends...
http://rapidshare.com/files/444808228/trote_hacker.mp3
=========================================================================
takedown (Adapted From A True Story)
http://www.google.com/search?hl=en&s...581&q=takedown
&aq=f&aqi=g-sx1g-v3&aql=&oq=
=========================================================================
Best regards...
[]'s
I'm planning my dismal/distressing/gloomy reply, mister TheCotMan.
streaker, please respect this woman, my friend...

http://www.youtube.com/watch?v=6q4GfbGpjvI
Link: https://forum.defcon.org/showthread.php?t=12007
This thread begins with a link to download a zip file that contains an image, a video file and a text file. Why didn't you paste the text file here and upload the video to youtube.com?
I'm planning my dismal/distressing/gloomy reply, mister TheCotMan.
Pictures are interpreted by different people differently.
