Pure phreaking Part I by M\ M\

  • Pure phreaking Part I by M\ M\

    Someone wrote a delightful and humorous comment in this topic:

    Link: https://forum.defcon.org/showthread.php?t=12007

    This thread begins with a link to download a zip file that contains an image, a video file and a text file. Why didn't you paste the text file here and upload the video to youtube.com?
    As I guess we must do something to be real hackers, let's try:



    "...to give them the payment"

    -- Coideloko


    Important
    =========

    This article describes how a hacker/phreaker can clone cellular devices
    and do many other interesting things in the public and priv8 telephone
    systems in Brazil and in other countries. In our tests we used a
    Motorola Micro-tac Elite and a good ESN Reader, listening to Marisa de
    Azevedo Monte and drinking some Brazilian beers.

    Introduction
    ============

    What is a cellular? A radiotelephone device on 800 MHz, operating at 3 watts
    and able to change channels automatically through the commands sent
    by the "nanocomputer" at the central.

    What is ESN?
    Acronym for Electronic Serial Number. All telephones have a serial
    number in their memory. We need to know the ESN if we want to clone a
    cellular. When you make a call the device sends the ESN and the MIN to the
    central or "celula", and after that the base sends back the MIN and an
    acknowledgment signal if the MIN/ESN in the database matched the
    signal previously sent. Some devices verify the ESN/MIN directly at the
    central and only after that send the positive signal.

    What is MIN?
    Cellular Phone Number. Obviously, all (enabled) cellulars have a
    number in their memory. A device can also have two MINs.

    What is NAM?
    Number Assignment Module. This is a component of the EPROM/EEPROM; the
    ESN, MIN, SCM (Station Class Mark), lock code and other things are located
    here too. Some cellulars can be reprogrammed from the keypad (Oki900), but
    they "lock" after 3 changes of MIN (in general it is three). The newer
    cellulars like Nokia, Motorola, Ericsson, etc., don't lock, but they
    allow reprogramming of the NAM without overwriting the EPROM.

    The Cellular System
    ===================

    There are 3 bands: A, B and C. One of them is assigned to the
    company, another to the independent or private companies, and another is
    reserved. The Brazilian cellular system is divided into smaller parts called
    celulas. Each of them is used as a "base", with much equipment used
    to monitor and also to control the stations (the celulas
    generally are towers with little houses). The celulas have specific
    channels associated (control and voice). All the celulas are connected to
    the central, where the procedure is controlled. Originally there were 666(!)
    frequencies or channels used by cellulars.

    In 1988 in the USA 156 more channels were added, totaling 832 (AMPS)
    channels. In 1992 the number of channels of the central system was equal
    to 2412 (NAMPS). Taking all this into consideration, the developers made
    adaptations in the devices to operate on the correct frequency.

    416 of the 832 channels are available for band A and the other part
    is available for band B. If the system is NAMPS we have 1206 for
    band A and 1206 for band B. These channels have two frequencies and
    they operate in full duplex mode (45 MHz apart). The lower frequency is assigned
    to the device and the higher frequency to the base (for sending and for
    all input procedures).

    Among these 416 or 1206 channels, 21 are control channels, used to control
    and also to set up calls. These special channels are used in the
    digital transmission between the device and the base. The rest are
    voice channels. Actually the channels are numbered from 1 to 1023 and
    there are some programs able to convert channels to frequencies and the
    inverse.

    See how to do that below:


    /* P.S: Program .motcell */
    /* Originally having 666 channels: */

    Band (A)

    * Channels of control = 21 (313 -> 333)
    * Channels of voice = (001 -> 312)...
    |
    |-> 395 AMPS system
    |-> 1185 NAMPS system

    Band (B)

    * Channels of control = 21 (334 -> 354)
    * Channels of voice = 355 -> 666
    |
    |-> 395 AMPS system
    |-> 1185 NAMPS system


    /* freq -> channel, channel -> freq */

    N = Number of the channel
    F = Frequency (MHz)

    If B = 0 --> (device)
    If B = 1 --> (base)


    (*) FREQUENCY FOR CHANNELS:

    F = 825.030 + B*45 + (N-1)*.03
    /* N = 1 to 799 */

    F = 824.040 + B*45 + (N-991)*.03
    /* N = 991 to 1023 */

    (*) CHANNELS FOR FREQUENCY:

    N = 1 + (F-825.030-B*45)/.03
    /* F >= 825.030 (device) */
    /* F >= 870.030 (base) */

    N = 991 + (F-824.040-B*45)/.03
    /* F <= 825.000 (device) */
    /* F <= 870.000 (base) */


    As we know, when a call is made the device sends the ESN/MIN to the base,
    but it also sends other important information: the system needs to know
    the "seeming" of the device, so that we can tell the base
    that the information can be sent on the specific channel. The device sends
    a 4-bit binary number with some information:

    bit #1: 0 = 666 channels
            1 = 832 channels

    bit #2 (saves battery in StarTACs [portable]):
            0 = Mobile Unit
            1 = Active transmission (voice)

    bits #3-#4:
            00 = 3.0 watts
            01 = 1.2 watts
            10 = 0.6 watts
            11 = ???

    The devices can run on many systems. TDMA and CDMA, respectively
    Time-Division Multiple Access and Code-Division Multiple Access, are
    different from the traditional one. In the TDMA system two or more calls
    can use the same channel simultaneously, with little pauses in the
    conversation on one side. These pauses programmed by the company may
    cause "holding" of other traffic in the same channel. For that
    reason there is better quality and a better rate of "lost" calls. The
    CDMA system is the one used by the military. The transmission is compacted
    on one side and "unpacked" at its destination.

    In the analog system FDMA (Frequency-Division Multiple Access) the
    free channels (frequencies) are found by the system and each sender
    is associated with one of them. Once the current call is finished the
    occupied channels are able to receive a new transmission or call.

    Interceptors of calls will see how this works. The talk ends and the
    SHSHSHSHSHSHSHSHSHSHSHSHSH starts. That explains the "rush" of lines
    in big cities.


    Phreaking
    =========

    There are basically two types of cellular phreaking. The first is more
    common and consists of scanning, searching for channels. This method is
    useful to listen to other people and also to save their
    personal lives in a file to show in the near future, of course }:) There are
    many banks able to receive queries through the "cell" phone (!). There
    are many "strange services" too, like call-sex (don't judge too
    quickly darling ;P), call-friendship(?) and shop-times.

    Now let's learn how to phreak easily step by step...

    As I said we are using a Micro tac Elite and listening to Marisa Monte.

    programming mode (inside the firmware):

    FCN + 0 + 0 + * + * + 83 78 66 33 + STO

    ###################     ABC = current channel   D = blank -> AMPS (832)
    = = A B C D E F G =                                 A     -> NAMPS (HSC)
    = = H I J K L M N =     I = 1 -> TX on              B     -> NAMPS (CSC)
    ###################         0 -> TX off             C     -> NAMPS (LSC)

    M = 1 -> RX off         N = 1 -> TX off
        0 -> RX on              0 -> TX on

    So, for our purposes only this information is truly necessary, but you
    can check some more letters below:

    EFG = RSSI to the actual channel
    H = SAT Frequency
    J = Tone signal
    L = Voice control

    These are just some commands. If you want to know more about the commands
    read the Motorola bible or another document about enabling. In
    test-mode there are various other ways to program your device:
    inside test-mode type "#", and the device will display a command line.
    Here's what it looks like:

    ###################
    # # US ' #
    # # #
    ###################


    On this line we write the commands we need. Remember the "#", which is
    equal to [ENTER]. We'll need these commands:

    02# = sends the device information to the display.

    04# = reset the settings.

    07# = RX off

    08# = RX on

    A cellular device is able to send and receive data (audio), of course;
    that cmd just enables receiving. The eavesdropping (broadcast) is
    used in this transmission, please remember that.

    To intercept calls:

    1) Choose a channel among the 832 of the AMPS system. Some time ago
    (five or six years) Motorola blocked this command to avoid
    interception of calls, but only in the newer devices; for these
    devices the available channels are:

    300 / 333 / 385 / 799 / 800

    Before I forget: these are just examples, use your own receiver.

    2) Now type 11 + <number of the channel>


    Example: '11231


    3) Press "#" and after that 08 and "#". You'll hear some noise, which
    means that your device is able to listen to 832 channels (1 to 1023); otherwise
    it accepts just 5 instead of 832 (those on the line I showed
    you previously). Choose channel 300 to intercept. To access
    channel 800 you must type 11991 instead of 11800.

    4) To block receiving (I'm talking about the audio) type 07 and "#".

    5) After finding a conversation type 40 and then "#"; the device
    will show some information about the current voice channel. The
    display will show you '40'. This is useful for checking whether a transmission
    (conversation) was moved/allocated to another channel. If you typed
    40# the conversation continues, but the various power levels are
    correctly adjusted for a given celula; in this case press CLR or
    "#" and type the command 40 and "#" again to continue listening.
    If you want to cancel the command 40#, type "#". If for some reason the
    transmission has problems (dIsaPeAreD - fear ,) follow these
    steps:

    1) Write down the hex number shown on the display. The format is
    XXXXYYYXXX. What we need is just YYY.
    2) Now convert YYY to binary
    3) Convert the result to decimal
    4) Save the result. This result is the new channel of the conversation,
    where it was placed. Type 11 + <result> to continue intercepting.

    Example: 12af11a38c
                 |||
                 |||  binary              decimal
                 11a ----------> 100011010 ---------> 282

    After that write 11282, type "#", type 08, type "#" and
    continue listening.

    Some other interesting commands:

    13# = Shutdown

    18# = Shows all the content of the NAM. Use "*" to view other information
    (next page).

    19# = Shows the version of the software. XXYY (XX = year / YY = week).

    32# = DANGER! Deletes all the programming and other information stored
    in the device (last dialed number, etc...). If your wife is a
    witch I strongly recommend this option.

    38# = Shows the ESN in steps, each step with 2 hex digits, use "*" to
    view them. Never show this number to anyone!

    55# = Programming mode.


    For the other kind of phreaking special equipment is needed and a good
    knowledge about cells for programming the devices; this kind of phreaking
    uses an ESN Reader, or as we call it a "scanner", with which we can get a lot of
    ESN/MINs in a few hours. This device runs perfectly. We were in a square
    during our tests.

    Good equipment is that which allows us to overwrite the EPROM directly
    with some commands or by using software. A good example of these devices:
    OKI900. The legendary hacker Kevin David Mitnick used this device.
    He was jailed searching for information about the OKI900. Have you ever
    heard about that at some moment of your life? Probably... With this kind
    of information David could stay completely invisible inside the cellular
    system, "any" cellular system... and you too.

    With an ESN/MIN it is possible to overwrite the EPROM and clone a device.
    Make calls freely and anonymously as many times as you want...:)
    It's very hard to detect a good phreaker using a device operating in
    band A. Reprogram the EPROM of the device to have an ESN Reader:
    your own device searches for ESN/MINs automatically and holds them in its memory.

    NOTE (1): Intercepting can lead us to 3 or 5 years of detention in Brazil.
    NOTE (2): All the other kinds of "telephone cheats" in public & private
    companies, some more hours.


    In five days scanning ESN/MINs in my country I found the numbers below.
    A simple calculator can convert this format to ESN/MIN; to do that you
    must set the checkbox 'hex', type the number and change it to decimal.
    I used a filter that gave me the output below.

    ps. These ESN/MINs are in the correct format.

    ESN: 1234567890 - 10 digits
    Remove the last digit ('0')
    123456789
    Type these numbers in some calculator using DEC.
    Now go to HEX and the output will be:


    They were modified ;) Special thanks to BSDaemon, Jeremy Brown,
    Dark_Side, Cheat Struck, Nash Leon, Sheriff (happy 8m years old)
    str0ke, VooDoo, AciDmuD, 6_Bl4ck9_f0x6 and mainly to motorola :)

    'cause we r in love with applied engineerin'


    --=[ Useful stuff and references


    =========================================================================
    thc-nokia-unlock.zip

    http://www.freeworld.thc.org/downloa...kia-unlock.zip
    =========================================================================
    Sistema de Sinalizacao No. 7 (SS7) - Uma visao geral

    http://www.thebugmagazine.org/magazi...3/0x02-ss7.txt
    =========================================================================
    Playing with your friends...

    http://rapidshare.com/files/444808228/trote_hacker.mp3
    =========================================================================
    takedown (Adapted From A True Story)

    http://www.google.com/search?hl=en&s...581&q=takedown&aq=f&aqi=g-sx1g-v3&aql=&oq=
    =========================================================================


    Best regards...

    []'s

    I'm planning my dismal/distressing/gloomy reply, mister TheCotMan.

    Pictures are interpreted by different people differently.
    streaker, plz respect this woman, my friend...



    http://www.youtube.com/watch?v=6q4GfbGpjvI

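The channel/frequency formulas quoted in the post above, carried through as an added worked example (my code, not the original post's or the article's): channel to frequency and back, plus a band lookup from the 666-channel table. It goes beyond the post in one point: the split of the extended 832-channel set (667-716 and 991-1023 in band A, 717-799 in band B) is the AMPS allocation, which the post does not state; the function names are assumptions.

```python
# Added example (not from the original post or the article it translates):
# AMPS channel <-> frequency conversion using the formulas quoted above,
# plus a band lookup. The 666-channel band boundaries come from the article's
# table; the split of the extended channels (667-716 and 991-1023 in band A,
# 717-799 in band B) is the AMPS allocation, which the post does not state.

CHANNEL_STEP_MHZ = 0.030    # 30 kHz channel raster
DUPLEX_OFFSET_MHZ = 45.0    # base side is 45 MHz above the device side


def channel_to_freq(n, base=False):
    """Carrier frequency in MHz of channel n (base=True: base-station side)."""
    b = DUPLEX_OFFSET_MHZ if base else 0.0
    if 1 <= n <= 799:                     # F = 825.030 + B*45 + (N-1)*.03
        return round(825.030 + b + (n - 1) * CHANNEL_STEP_MHZ, 3)
    if 991 <= n <= 1023:                  # F = 824.040 + B*45 + (N-991)*.03
        return round(824.040 + b + (n - 991) * CHANNEL_STEP_MHZ, 3)
    raise ValueError("channel %d is not an AMPS channel (1-799 or 991-1023)" % n)


def freq_to_channel(f, base=False):
    """Inverse of channel_to_freq; rejects frequencies off the 30 kHz raster."""
    f_dev = f - (DUPLEX_OFFSET_MHZ if base else 0.0)   # normalise to device side
    if f_dev >= 825.030:                                # N = 1 + (F-825.030)/.03
        n = 1 + (f_dev - 825.030) / CHANNEL_STEP_MHZ
    elif f_dev <= 825.000:                              # N = 991 + (F-824.040)/.03
        n = 991 + (f_dev - 824.040) / CHANNEL_STEP_MHZ
    else:
        raise ValueError("%.3f MHz falls in the gap between the two formulas" % f)
    n_int = int(round(n))
    if abs(n - n_int) > 1e-6:
        raise ValueError("%.3f MHz is not on the 30 kHz channel raster" % f)
    channel_to_freq(n_int, base)                        # raises if out of range
    return n_int


def channel_band(n):
    """Band and role of channel n (control channels are 313-333 and 334-354)."""
    if 1 <= n <= 312 or 667 <= n <= 716 or 991 <= n <= 1023:
        return "A voice"
    if 313 <= n <= 333:
        return "A control"
    if 334 <= n <= 354:
        return "B control"
    if 355 <= n <= 666 or 717 <= n <= 799:
        return "B voice"
    raise ValueError("channel %d is not an AMPS channel" % n)


def round_trip_ok():
    """True if every valid channel survives channel -> freq -> channel on both sides."""
    channels = list(range(1, 800)) + list(range(991, 1024))
    return all(freq_to_channel(channel_to_freq(n, side), side) == n
               for n in channels for side in (False, True))
```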

  • #2
    Re: Pure phreaking Part I by M\ M\

    Originally posted by 6_Bl4ck9_f0x6:
    Someone wrote a delightful and humorous comment in this topic:

    Link: https://forum.defcon.org/showthread.php?t=12007
    streaker, plz respect this woman, my friend...
    ...
    Thanks, it is now more likely that people may respond to the content of your post above. Not all replies will necessarily be good, but they won't all be bad either. Technical discussions often include disagreements here. Disagreements are ok. Choosing to flame other users instead of supporting an argument suggests that there is insufficient support for an argument. Some respect is earned when people engage in technical discussions, and adequately support their views, and admit they made mistakes and learn from those mistakes.

    For this last part, I still have some questions:
    * Is this video one that includes "Marisa Monte"? (she is mentioned in your post above.)
    * What does she mean to you? (How does she relate to this story and your posted text?)
    * Is the timeline of this video (when it was recorded) part of the story?

    Thanks again for helping us understand how all of this content fits together.

    -Cot
    Last edited by TheCotMan; February 16, 2011, 09:02.
