💾 Archived View for gemini.spam.works › mirrors › textfiles › phreak › CELLULAR › cmt.phk captured on 2022-06-12 at 17:28:22.

		   A GUIDE TO CELLULAR PHREAKING

			  --by Bernie S.


  The recent FBI/Secret Service cellular sting operation that culminated in the
arrests of over 25 people in New York City confirms what many of us have
suspected for quite some time:  that cellular telephone fraud is widespread.
The FBI estimates that cellular phone fraud costs system operators $3 million
annually; with the average subscriber's airtime bill about $50 per month for 100
minutes of usage, there could be over 2500 cellular pirates on the air if a
pirate uses twice the normal amount of airtime.  The term "pirate" rather than
"phreak" is used here because the vast majority of illegitimate CMT users
(Cellular Mobile Telephone) are only interested in stealing airtime, while
phone phreaks are mainly interested in learning more about the telephone
network through its manipulation.

  The six-month FBI investigation used "cooperative sources" who named
fraudulent installers; then FBI agents posing as customers and installers used
standard entrapment techniques to gather evidence against those allegedly
involved.  The FBI's press release statement that "Recent technological
advances in computerized telephone switching equipment and billing systems were
instrumental in...(their investigation)" is deliberately misleading.  New York
cellular carrier NYNEX merely supplied the FBI with its billing data to
document the use of bogus and stolen ESN's & MIN's (Electronic Serial Numbers
and Mobile Identification Numbers) discovered in the investigation.  The Secret
Service later became involved because the laws relating to the credit fraud
being alleged are under their jurisdiction.

  SAFE PHREAKING:  In practice, cellular phreaking is very safe if one does
their own transceiver modifications, changes ESN's & MIN's regularly, and uses
standard phone-phreak precautions.  Indeed, FBI agent Greg Meecham has stated
that fraudulently programmed CMT's are "unattributable, unbillable,
untraceable and untappable." A cellular carrier will become aware of any bogus
or stolen ESN's and MIN's used on its system within a month or so after their
initial use once the subscriber or carrier who is assigned those codes is
billed and notifies them of the error.  The home carrier will then change the
legitimate subscriber's MIN in the MTSO (Mobile Telephone Switching Office) and
arrange for a new NAM (Number Assignment Module, or ROM) to be installed in that
subscriber's CMT transceiver.  The MTSO maintains a database of all its
valid ESN/MIN pairs, as well as a "negative verify" file on all known invalid
numbers for the deadbeats and pirates in its area.  The carrier may choose to
leave certain fraudulent codes active to have any activity monitored, but as
long as all parties at the receiving end of any phreaked calls become amnesiac
to any inquiries, the phreak's identity will remain secret.  If a phreak uses a
different ESN & MIN every month, it'll be extremely difficult for the carrier
to react in time to gather any information.

  As with any landline, inband signalling (i.e.  2600 Hz, MF tones, etc.) will
work but can be easily detected by the ESS controlling that line.  Since all
cellular systems are in metropolitan areas, it's logical to assume that most
cellular lines are on ESS.  Although telco security may be aware of any
blue-boxing, the links in their security chain stop at the MTSO.  Moreover,
since the MTSO selects outgoing landlines from a trunk group, a pen register at
the CO would be useless for establishing any toll fraud patterns.

  Because of cellular's inherent frequency-hopping nature, it is very difficult
to track down a CMT using conventional radio direction-finding (DF) techniques,
even if it's stationary.  A small directional antenna aimed randomly at
surrounding cell-site repeaters with a TV antenna rotor will thoroughly
confuse any DF attempts, although keeping calls as short as possible is always
a good precaution.  Locating a mobile CMT is virtually impossible.  I was
recently given a tour of an FCC monitoring van in Washington DC, and was
surprised to see how lacking in sophistication their onboard DF gear was.  The
only equipment available to readily locate a CMT transmitter is primarily used
by the military and intelligence agencies, which couldn't care less about CMT
fraud unless it involved national security.

  EQUIPMENT:  Most CMT's are actually two main pieces of equipment:  the
transceiver and control head.  The transceiver (transmitter/receiver) is
usually a nondescript metal box with three external connectors and contains
sophisticated circuitry.  There are usually two main circuit boards inside:  an
RF board with all the radio transmitting/receiving circuits, and a logic board
with a microprocessor, A/D & D/A circuits, and control logic.  The control head
is a Touch-Tone telephone handset with an extended keypad, numeric or
alphanumeric display, and volume and mic mute controls.  It often has a
separate speaker mounted in the cradle for on-hook dialling and call-progress
monitoring.  Some CMT's have a speakerphone option that allows you to drive
with both hands on the wheel by talking into a small microphone mounted near
the vehicle's sun-visor, and listening to the cradle loudspeaker.  This may
seem to be the ultimate in laziness, but remember you could be maneuvering your
five-speed through heavy traffic on the expressway when the phone rings!  The
control head/cradle is usually bolted to the transmission hump by the driver's
seat, and the transceiver is usually mounted in the trunk with a power cable
connecting it to the car battery and ignition switch.  A shielded control cable
links this equipment together and allows data and audio to pass between them.
Most first-generation CMT's used the AMPS bus, developed by AT&T, which
specified a system of 36 parallel wires in a bulky control cable.  Some
manufacturers later developed their own busses--Novatel's serial bus specifies
a thin cable of just a few wires which is much easier to install in vehicles.
For fixed use, a CMT may be powered by any 12-volt regulated DC power supply
that can deliver at least 5 Amperes.

  Any would-be cellular phreak must first obtain a CMT.  Used bargains abound
in some cities, where many subscribers found they couldn't afford to pay their
airtime bills after they bought their phone!  First-generation E.F.  Johnson
transceivers are a good choice because they're easy to work on, use a uniquely
effective diversity (dual-antenna) receiver, and use the AMPS control bus,
which means that several manufacturers' control heads will work with it.
Another good choice is Novatel's Aurora/150 model.  It uses a proprietary
parallel bus and control head, but costs less, is very rugged, and is also easy
to work on.  In addition, all Novatel CMT's have built-in diagnostics which
allow (among other things) manual scanning of all 666 repeater output
frequencies--great entertainment when you're bored!

  ANTENNAS:  A mobile cellular antenna is usually a short (less than a foot
long) piece of stiff wire with a half-dozen or so turns in the middle, like a
spring.  The "spring" acts as a phasing coil in a 5/8-wave configuration.  The
antenna is mounted vertically either through a hole in the vehicle's roof or
at the top of the rear windshield using silicone adhesive with conductive
plates on either side to pass RF energy right through the glass.  It's not
quite as efficient as a roof mount, but most folks prefer not to drill a hole
in their Mercedes.  A 50-Ohm coaxial cable such as RG-58/U links the antenna to
the transceiver with a male TNC-type UHF connector.  A ceramic duplexer allows
the transmitter and receiver to share the same antenna simultaneously.	Mobile
roof-mount antennas are designed to work with the ground plane provided by the
vehicle's body, but for fixed use an "extended-feed" or voltage-fed coaxial
antenna (which requires no ground plane) can be used if there's no tin roof on
your house.  A capped PVC pipe makes an ideal rooftop housing for this type of
antenna, concealing it and making it weatherproof at the same time.  As with
any kind of antenna, the higher the better--but unless you're surrounded by
tall steel buildings any height will probably do (provided you're within range
of a cell-site repeater.) It should even work indoors if near a
window--remember that cellular systems are designed to work primarily with
inefficient antennas at ground-level.  Yagi and corner-reflector antennas are
available for fixed use that provide very high gain and directivity.  Antenna
Specialists Co. (216/791-7878) manufactures a broad line of cellular antennas.

  INTERFACING:  Interfacing audio devices such as MF tone-generators to a CMT
can be accomplished by coupling the device's output through an audio coupling
transformer and capacitor across the control head's microphone wires.  If it's
available, a schematic diagram will show which CMT bus lines carry the transmit
audio; coupling the signal there would be preferable.  Acoustic modems can be
interfaced acoustically, or by coupling the mic and speaker wires to those on
the control head or to the appropriate bus lines.  Direct-connect modems,
answering machines, regular and cordless telephones and other devices can be
interfaced to a CMT through the AB1X cellular interface manufactured by
Morrison & Dempsey Communications (818/993-0195).  This compact $300 device is
a one-line PBX that connects between the transceiver and control head and
provides an RJ-11C jack that accepts ANY direct-connect telephone accessory.
It recognizes Touch-Tone and pulse dialling, provides 1.0B equivalent ringing
voltage, and generates dial and busy tones when appropriate.

  ACCESS CODES:  Every CMT manufactured has a unique ESN, which is a four-byte
hexadecimal or 11-digit octal number in a ROM soldered directly to the logic
board.  It's supposed to be there for life and never removed.  Some newer CMT's
embed the ESN in a VLSI chip along with the unit's program code, which makes
ESN modifications virtually impossible.  The ESN is also imprinted on the
receiver ID plate mounted on the outside housing.  When converted to octal (11
digits), the first three digits specify the CMT manufacturer, and the other 8
identify the unit.  Typical ESN's might be 13500014732 (octal) for a NEC brand
CMT, and 8E01A7F6 (hexadecimal) for a Novatel.  The other important chip is the
NAM, which contains the MIN (NPA-XXX-XXXX), lock code (keeps the kids from
using it) and various model-specific and carrier-specific codes.  Some newer
CMT's have no NAM at all and use an EEPROM which allows a technician who knows
the maintenance code to change NAM data through the control head keypad.

  Basically, when one attempts to make a CMT call the transceiver first
automatically transmits its ESN & NAM data to the nearest cell-site repeater by
means of the overhead data stream, or ODS.  The ODS is a 10 kilobaud data
channel that links the CMT's computer to the MTSO computer, which controls the
phone's entire operation right down to its channel and RF output power.  If the
MTSO doesn't recognize the received ESN/MIN pair as valid, it returns a reorder
signal and will not process the call.  In most cities with cellular systems
there are two carriers:  the wireline operator (usually Bell or the local
telco) and the non-wireline operator, an independent company.  Both maintain
their own MTSO and network of cell-site repeaters, and occupy separate halves
of the cellular radio band.  Non-wirelines operate on system A (channels 001 to
333), and wirelines on system B (channels 334 to 666.)
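An added example, not part of this guide: the ESN notation rules from the
ACCESS CODES section and the MTSO's ESN/MIN pair check from the paragraph
above, written out in Python so both number formats and the switch's reorder
decision can be checked against the guide's own two sample ESNs.  The split
into an 8-bit manufacturer code and a 24-bit unit serial is inferred from the
guide's "first three octal digits" rule (three octal digits of an 11-digit
number are the top eight bits); the MINs are constructed, and the verdict
names returned by screen() are mine, not carrier terminology.

```python
# Added example (not from the original guide): ESN notation handling and a
# model of the MTSO's ESN/MIN pair check with its "negative verify" file.
# Sample MINs are constructed; the two ESNs are the guide's own examples.
from dataclasses import dataclass, field

SERIAL_BITS = 24                      # low 24 bits: unit serial number
SERIAL_MASK = (1 << SERIAL_BITS) - 1
ESN_MASK = 0xFFFFFFFF                 # the ESN is a four-byte value


def parse_esn(text: str) -> int:
    """Return the 32-bit ESN from its 8-digit hex or 11-digit octal form.
    The length picks the base: 8 characters -> hex, 11 characters -> octal,
    so an all-0..7 string such as "13500014" is still read as hex."""
    s = text.strip().upper()
    if len(s) == 8 and all(c in "0123456789ABCDEF" for c in s):
        value = int(s, 16)
    elif len(s) == 11 and all(c in "01234567" for c in s):
        value = int(s, 8)
    else:
        raise ValueError(f"ESN must be 8 hex or 11 octal digits: {text!r}")
    if value > ESN_MASK:
        raise ValueError(f"ESN does not fit in 32 bits: {text!r}")
    return value


def esn_hex(esn: int) -> str:
    return f"{esn:08X}"


def esn_octal(esn: int) -> str:
    return f"{esn:011o}"


def esn_manufacturer(esn: int) -> str:
    """First three octal digits (the top 8 bits) identify the manufacturer."""
    return f"{esn >> SERIAL_BITS:03o}"


def esn_serial(esn: int) -> str:
    """Remaining eight octal digits identify the individual unit."""
    return f"{esn & SERIAL_MASK:08o}"


def normalize_min(text: str) -> str:
    """Accept NPA-XXX-XXXX with or without separators; return the 10 digits."""
    digits = text.replace("-", "").replace(" ", "")
    if len(digits) != 10 or not all(c in "0123456789" for c in digits):
        raise ValueError(f"MIN must be 10 digits (NPA-XXX-XXXX): {text!r}")
    return digits


@dataclass
class Mtso:
    """Minimal model of the switch database the guide describes."""
    valid_pairs: dict = field(default_factory=dict)     # ESN -> assigned MIN
    negative_verify: set = field(default_factory=set)   # (ESN, MIN) known bad

    def assign(self, esn: int, min_: str) -> None:
        self.valid_pairs[esn] = normalize_min(min_)

    def flag(self, esn: int, min_: str) -> None:
        """Put a pair on the negative-verify file once fraud is reported."""
        self.negative_verify.add((esn, normalize_min(min_)))

    def screen(self, esn: int, min_: str) -> str:
        """Classify a call attempt.  Anything other than "ok" gets a reorder.
        "unknown_esn" and "min_mismatch" are the two cases worth logging at
        the switch: the guide notes a carrier otherwise only learns of them
        when the billed subscriber complains a month later.  An exact copy of
        a valid pair is indistinguishable here, which is the guide's point."""
        min_ = normalize_min(min_)
        if (esn, min_) in self.negative_verify:
            return "negative_verify"
        assigned = self.valid_pairs.get(esn)
        if assigned is None:
            return "unknown_esn"
        if assigned != min_:
            return "min_mismatch"
        return "ok"


def reorder(verdict: str) -> bool:
    """True when the switch should return a reorder signal, not process the call."""
    return verdict != "ok"


if __name__ == "__main__":
    nec, novatel = parse_esn("13500014732"), parse_esn("8E01A7F6")
    print(esn_hex(nec), esn_manufacturer(nec), esn_serial(nec))
    print(esn_octal(novatel), esn_manufacturer(novatel), esn_serial(novatel))
    switch = Mtso()
    switch.assign(nec, "212-555-0100")          # constructed subscriber record
    attempts = [(nec, "212-555-0100"), (nec, "212-555-0199"), (novatel, "212-555-0100")]
    for esn, min_ in attempts:
        print(esn_hex(esn), min_, switch.screen(esn, min_))
```

Run directly, it converts both sample ESNs and screens three call attempts.
The screen cannot tell an exact copy of a valid pair from the legitimate unit,
which is the weakness the rest of the guide relies on; what it can do is log
unknown ESNs and ESN/MIN mismatches at the switch instead of waiting for the
next billing cycle to surface them.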

  Custom-Calling features such as call-forwarding, call-waiting, and three-way
calling are all standard with most cellular carriers, but the procedures for
using them differ so it's best to call the carrier for more information.

  OBTAINING CODES:  The most difficult task for cellular phreaks and pirates is
obtaining usable ESN's and MIN's.  One method involves having an accomplice who
is employed at a CMT installation center.  They will have a file on every CMT
installed at that location, including the ESN's & MIN's assigned to those
subscribers.  Using several codes from one source could focus attention there,
however.  Another method involves the help of an inside person at the cellular
carrier's customer service or billing department, where many low-paid
employees have access to thousands of valid ESN's & MIN's.  The most
sophisticated method requires interfacing a CMT's A/D circuitry to a personal
computer, enabling one to literally pick valid codes out of thin air.

  PROGRAMMING THE CMT:  Once a valid ESN/MIN pair is obtained, it must be
programmed into the CMT's ROM's.  Some CMT manufacturers use different devices
and memory maps, but most adhere to the AMPS 16-pin, 32 x 8 bit format.  The
most common ROM's are Signetics 82S23 (open collector) and 82S123 (tri-state)
or equivalents, but it's best to check the part numbers used in your unit.  The
existing ESN ROM should be carefully removed from the logic board using
grounded desoldering tools and read using a NAM programmer's bit-editor mode.
Any PROM programmer that is device-compatible can be used, but dedicated NAM
programmers have built-in software which greatly simplifies the process.  The
ESN printed on the ID plate (if in decimal, convert to hex) should be found in
memory and will be immediately followed by an 8-bit checksum determined by the
8 least significant bits of the hex sum of the ESN's four bytes.  The old ESN
data (now copied into the NAM programmer's RAM) should be replaced with the new
ESN and checksum.  A new blank ROM of the same type should be inserted into
the programmer and "burned." It would be advisable to solder a ZIF (Zero
Insertion Force) DIP socket onto the logic board to accommodate the new ESN chip
and any future versions.

  The NAM chip is usually already ZIF socketed on the logic board for easy
replacement.  It, too, should be copied into the NAM burner's RAM and the old
MIN replaced with the new one.  The NAM checksum should also be updated to
reflect the new data.  Although the carrier's system parameters must also be
programmed into the NAM, they can be left the same if the NAM being changed had
previously been on the carrier now to be used.  All that needs to be changed in
this case is the last four MIN digits and checksum (and maybe the exchange if
they're using more than one.) An excellent write-up on NAM programming is
available free of charge from Curtis Electro Devices (415/964-3846).  Ask for
the May '87 reprint from Cellular Business magazine.  Bytek Corporation
(305/994-3520) sells a good budget NAM programmer for about $500, and the
operations manual (available separately) explains in detail the memory maps,
part numbers, and programming techniques for most CMT's on the market.  This
same unit is also capable of programming many ESN chips using the bit-editor
mode.  Some carriers and their installation agents will provide NAM system
parameters on request, and some CMT service facilities will provide NAM & ESN
memory maps and schematics of specific CMT's for a price.

  One could eliminate the need for a NAM programmer altogether by programming
and interfacing a personal computer to the CMT's ESN and NAM sockets.  Another
approach is to interface 2 banks of 8 hexadecimal thumbwheel switches to the
sockets, although a computer program would still be needed to determine the
proper switch settings.  Either of these two approaches will permit quick
emulation of any CMT with an ESN & MIN of your choosing.

  ROAMING:  Whenever a CMT is used in a cellular system other than the one
indicated by the SID (System ID) code in its NAM, it is in the ROAM mode and
the ROAM indicator on the control head will turn on.  A CMT can roam in any
system its home carrier has a roaming agreement with, and most carriers now
have roaming agreements with each other.  If there is no roaming agreement, the
MTSO will transmit a recorded voice message to the CMT user with instructions
to call the carrier (the only call the CMT will be able to make) and give his
name, MIN, ESN, and American Express Card number.  All roamed calls will then
be completed by the MTSO and billed to the credit card account.  Fortunately,
this procedure is becoming less common as more roaming agreements are made.

  Usually, a carrier can only determine if a roamer came from a system with
which it has a roaming agreement, not the creditworthiness of that roamer.
Consequently, many carriers have been abused by roamers who've been denied
service on their home system due to non-payment.  Once the home carrier is
billed for roaming services provided by the roamed carrier, it will notify same
to add that ESN & MIN to their MTSO's "negative verify" file to prevent further
abuses.  Several independent companies are establishing system software and
data networks to allow Positive Roamer Verification (PRV) which will allow near
real-time roamer validation by sharing data between carriers.  Because of the
many technical, financial, and political details that still need to be
resolved, PRV systems will probably not be in place for at least two more
years.  In the meantime, even fictitious ESN's & MIN's can roam if they follow
the standard format, although some carriers are sharing roamer data on a
limited basis to curtail this.

  To call a roaming CMT, the caller must know which system that unit is in, and
call that carrier's roaming number.  Roaming numbers vary, but are usually in
the format:  (NPA)XXX-ROAM, where NPA is the carrier's area code and XXX is the
MTSO exchange.  Calling that number will return a dial or ready tone, after
which the roamed CMT's full MIN should be entered in Touch-Tones.  After a few
seconds, the mobile unit will ring or the caller will hear a recording stating
that the mobile unit is out of range.  Telocator Publications (202/467-4770)
publishes a nationwide roaming directory for travellers with cellular phones.

  Cellular Telephone technology offers phone phreaks complete safety by
allowing miles of physical separation from the wire pair, and by offering
thousands of lines to choose from.  In addition, all this is possible from just
about any location, even from a car, boat, train, or aircraft.  It is these
characteristics that are attracting a sophisticated new breed of phone phreaks
who will enjoy unprecedented convenience and security.