Mirrors/Zines
1
0
Fork 0
mirror of https://github.com/fdiskyou/Zines.git synced 2025-03-09 00:00:00 +01:00
Code Issues Releases Wiki Activity
Zines/phrack/38/9.txt

559 lines
28 KiB
Text
Raw Permalink Normal View History

1st import into tree
2016-12-14 22:07:35 +00:00
==Phrack Inc.==
Volume Four, Issue Thirty-Eight, File 9 of 15
***************************************************************************
* *
* Cellular Telephony *
* *
* by *
* Brian Oblivion *
* *
* *
* Courtesy of: Restricted-Data-Transmissions (RDT) *
* "Truth Is Cheap, But Information Costs." *
* *
* *
***************************************************************************
The benefit of a mobile transceiver has been the wish of experimenters since
the late 1800's. To have the ability to be reached by another man despite
location, altitude, or depth has had high priority in communication technology
throughout its history. Only until the late 1970's has this been available to
the general public. That is when Bell Telephone (the late Ma Bell) introduced
the Advanced Mobile Phone Service, AMPS for short.
Cellular phones today are used for a multitude of different jobs. They are
used in just plain jibber-jabber, data transfer (I will go into this mode of
cellular telephony in depth later), corporate deals, surveillance, emergencies,
and countless other applications. The advantages of cellular telephony to the
user/phreaker are obvious:
1. Difficulty of tracking the location of a transceiver (especially if the
transceiver is on the move) makes it very difficult to locate.
2. Range of the unit within settled areas.
3. Scrambling techniques are feasible and can be made to provide moderate
security for most transmissions.
4. The unit, with modification can be used as a bug, being called upon by the
controlling party from anywhere on the globe.
5. With the right knowledge, one can modify the cellular in both hardware and
software to create a rather diversified machine that will scan, store and
randomly change.
6. ESN's per call thereby making detection almost impossible.
I feel it will be of great importance for readers to understand the background
of the Cellular phone system, mainly due to the fact that much of the
pioneering systems are still in use today. The first use of a mobile radio
came about in 1921 by the Detroit police department. This system operated at
2MHz. In 1940, frequencies between 30 and 40MHz were made available too and
soon became overcrowded. The trend of overcrowding continues today.
In 1946, the FCC declared a "public correspondence system" called, or rather
classified as "Domestic Public Land Mobile Radio Service" (DPLMRS) at 35 - 44
MHz band that ran along the highway between New York and Boston. Now the 35-
44MHz band is used mainly by Amateur radio hobbyists due to the bands
susceptibility to skip-propagation.
These early mobile radio systems were all PTT (push-to-talk) systems that did
not enjoy today's duplex conversations. The first real mobile "phone" system
was the "Improved Mobile Telephone Service" or the IMTS for short, in 1969.
This system covered the spectrum from 150 - 450MHz, sported automatic channel
selection for each call, eliminated PTT, and allowed the customer to do their
own dialing. From 1969 to 1979 this was the mobile telephone service that
served the public and business community, and it is still used today.
IMTS frequencies used (MHz):
Channel Base Frequency Mobile Frequency
VHF Low Band
ZO 35.26 43.26
ZF 35.30 43.30
ZH 35.34 43.34
ZA 35.42 43.32
ZY 34.46 43.46
ZC 35.50 43.50
ZB 35.54 43.54
ZW 35.62 43.62
ZL 35.66 43.66
VHF High Band
JL 152.51 157.77
YL 152.54 157.80
JP 152.57 157.83
YP 152.60 157.86
YJ 152.63 157.89
YK 152.66 157.92
JS 152.69 157.95
YS 152.72 157.98
YA 152.75 158.01
JK 152.78 158.04
JA 152.81 158.07
UHF Band
QC 454.375 459.375
QJ 454.40 459.40
QO 454.425 459.425
QA 454.45 459.45
QE 454.475 459.475
QP 454.50 459.50
QK 454.525 459.525
QB 454.55 459.55
QO 454.575 459.575
QA 454.60 459.60
QY 454.625 459.625
QF 454.650 459.650
VHF high frequencies are the most popular frequencies of all the IMTS band.
VHF low bands are used primarily in rural areas and those with hilly terrain.
UHF bands are primarily used in cities where the VHF bands are overcrowded.
Most large cities will find at least one station being used in their area.
ADVANCED MOBILE PHONE SYSTEM
The next step for mobile telephone was made in 1979 by Bell Telephone, again
introducing the Advanced Mobile Phone Service. This service is the focus of
this document, which has now taken over the mobile telephone industry as the
standard. What brought this system to life were the new digital technologies
of the 1970's. This being large scale integrated custom circuits and
microprocessors. Without these technologies, the system would not have been
economically possible.
The basic elements of the cellular concept have to do with frequency reuse and
cell splitting.
Frequency re-use refers to the use of radio channels on the same carrier
frequency to cover different areas which are separated by a significant
distance. Cell splitting is the ability to split any cell into smaller cells
if the traffic of that cell requires additional frequencies to handle all the
area's calls. These two elements provide the network an opportunity to handle
more simultaneous calls, decrease the transmitters/receivers output/input
wattage/gain and a more universal signal quality.
When the system was first introduced, it was allocated 40MHz in the frequency
spectrum, divided into 666 duplex radio channels providing about 96 channels
per cell for the seven cluster frequency reuse pattern. Cell sites (base
stations) are located in the cells which make up the cellular network. These
cells are usually represented by hexagons on maps or when developing new
systems and layouts. The cell sites contain radio, control, voice frequency
processing and maintenance equipment, as well as transmitting and receiving
antennas. The cell sites are inter-connected by landline with the Mobile
Telecommunications Switching Office (MTSO).
In recent years, the FCC has added 156 frequencies to the cellular bandwidth.
This provides 832 possible frequencies available to each subscriber per cell.
All new cellular telephones are built to accommodate these new frequencies, but
old cellular telephones still work on the system. How does a cell site know if
the unit is old or new? Let me explain.
The problem of identifying a cellular phones age is done by the STATION CLASS
MARK (SCM). This number is 4 bits long and broken down like this:
Bit 1: 0 for 666 channel usage (old)
1 for 832 channel usage (new)
Bit 2: 0 for a mobile unit (in vehicle)
1 for voice-activated transmit (for portables)
Bit 3-4: Identify the power class of the unit
Class I 00 = 3.0 watts Continuous Tx's 00XX...DTX <> 1
Class II 01 = 1.2 watts Discont. Tx's 01XX...DTX = 1
Class III 10 = 0.6 watts reserved 10XX, 11XX
Reserved 11 = --------- Letters DTX set to 1 permits
use of discontinuous trans-
missions
Cell Sites: How Cellular Telephones Get Their Name
Cell sites, as mentioned above are laid out in a hexagonal type grid. Each
cell is part of a larger cell which is made up of seven cells in the following
fashion:
|---| ||===|| |---| |---| |---| |---
/ \ // \\ / \ / \ / \ /
| |===|| 2 ||===|| ||===|| |---| |---|
\ // \ / \\ // \\ / \ / \
|---|| 7 |---| 3 ||==|| 2 ||==|| pc |---| |---|
/ \\ / \ // \ / \\ Due to the \
| ||---| 1 |---|| 7 |---| 3 ||--| difficulty of |
\ // \ / \\ / \ // \ representing /
|--|| 6 |---| 4 ||--| 1 |---|| |graphics with |
/ \\ / \ // \ / \\ / ASCII characters\
| ||==|| 5 ||==|| 6 |---| 4 ||--| I will only show |
\ / \\ // \\ / \ // \ two of the cell /
|---| ||===|| ||===|| 5 ||==|| |types I am trying-
/ \ / \ / \\ // \ / to convey. \
| |---| |---| ||==|| |---| |---| |
\ / \ / \ / \ / \ / \ /
|---| |---| |---| |---| |---| |---|
As you can see, each cell is a 1/7th of a larger cell. Where one (1) is the
center cell and two (2) is the cell directly above the center. The other cells
are number around the center cell in a clockwise fashion, ending with seven
(7). The cell sites are equipped with three directional antennas with an RF
beamwidth of 120 degrees providing 360 degree coverage for that cell. Note
that all cells never share a common border. Cells which are next to each other
are obviously never assigned the same frequencies. They will almost always
differ by at least 60 KHz. This also demonstrates the idea behind cell
splitting. One could imagine that the parameter of one of the large cells was
once one cell. Due to a traffic increase, the cell had to be sub-divided to
provide more channels for the subscribers. Note that subdivisions must be made
in factors of seven.
There are also Mobile Cell sites, which are usually used in the transitional
period during the upscaling of a cell site due to increased traffic. Of
course, this is just one of the many uses of this component. Imagine you are
building a new complex in a very remote location. You could feasibly install a
few mobile cellular cell sites to provide a telephone-like network for workers
and executives. The most unique component would be the controller/transceiver
which provides the communications line between the cell site and the MTSO. In
a remote location such a link could very easily be provided via satellite
up/down link facilities.
Let's get into how the phones actually talk with each other. There are several
ways and competitors have still not set an agreed upon standard.
Frequency Division Multiple Access (FDMA)
This is the traditional method of traffic handling. FDMA is a single channel
per carrier analog method of transmitting signals. There has never been a
definite set on the type of modulation to be used. There are no regulations
requiring a party to use a single method of modulation. Narrow band FM, single
sideband AM, digital, and spread-spectrum techniques have all been considered
as a possible standard, but none have yet to be chosen.
FDMA works like this: Cell sites are constantly searching out free channels to
start out the next call. As soon as a call finishes, the channel is freed up
and put on the list of free channels. Or, as a subscriber moves from one cell
to another, the new cell they are in will hopefully have an open channel to
receive the current call in progress and carry it through its location. This
process is called handoff, and will be discussed more in depth further along.
Other proposed traffic handling schemes include Time-Division Multiple Access
(TDMA), Code-Division Multiple Access (CDMA), and Time-Division/Frequency
Division Multiple Access (TD/FDMA).
Time Division Multiple Access
With TDMA, calls are simultaneously held on the same channels, but are
multiplexed between pauses in the conversation. These pauses occur in the way
people talk and think, and the telephone company also injects small delays on
top of the conversation to accommodate other traffic on that channel. This
increase in the length of the usual pause results in a longer amount of time
spent on the call. Longer calls result in higher costs of the calls.
Code Division Multiple Access
This system has been used in mobile military communications for the past 35
years. This system is digital and breaks up the digitized conversation into
bundles, compresses, sends, then decompresses and converts back into analog.
There are said increases of throughput of 20 : 1 but CDMA is susceptible to
interference which will result in packet retransmission and delays. Of course,
error correction can help in data integrity, but will also result in a small
delay in throughput.
Time-Division/Frequency Division Multiple Access
TD/FDMA is a relatively new system which is an obvious hybrid of FDMA and TDMA.
This system is mainly geared towards the increase of digital transmission over
the cellular network. TD/FDMA make it possible to transmit signals from base
to mobile without disturbing the conversation. With FDMA, there are
significant disturbances during handoff which prevent continual data
transmission from site to site. TD/FDMA makes it possible to transmit control
signals by the same carrier as the data/voice thereby ridding extra channel
usage for control.
Cellular Frequency Usage and channel allocation
There are 832 cellular phone channels which are split into two separate bands.
Band A consists of 416 channels for non-wireline services. Band B consists
equally of 416 channels for wireline services. Each of these channels are
split into two frequencies to provide duplex operation. The lower frequency is
for the mobile unit while the other is for the cell site. 21 channels of each
band are dedicated to "control" channels and the other 395 are voice channels.
You will find that the channels are numbered from 1 to 1023, skipping channels
800 to 990.
I found these handy-dandy equations that can be used for calculating
frequencies from channels and channels from frequencies.
N = Cellular Channel # F = Cellular Frequency
B = 0 (mobile) or B = 1 (cell site)
CELLULAR FREQUENCIES from CHANNEL NUMBER:
F = 825.030 + B * 45 + ( N + 1 ) * .03
where: N = 1 to 799
F = 824.040 + B * 45 + ( N + 1 ) * .03
where: N = 991 to 1023
CHANNEL NUMBER from CELLULAR FREQUENCIES
N = 1 + (F - 825.030 - B * 45) / .03
where: F >= 825.000 (mobile)
or F >= 870.030 (cell site)
N = 991 + (F - 824.040 - B * 45) / .03
where: F <= 825.000 (mobile)
or F <= 870.000 (base)
Now that you have those frequencies, what can you do with them? Well, for
starters, one can very easily monitor the cellular frequencies with most
hand/base scanners. Almost all scanners pre-1988 have some coverage of the
800 - 900 MHz band. All scanners can monitor the IMTS frequencies.
Remember that cellular phones operate on a full duplex channel. That means
that one frequency is used for transmission and the other is used for
receiving, each spaced exactly 30 KHz apart. Remember also that the base
frequencies are 45MHz higher than the cellular phone frequencies. This can
obviously make listening rather difficult. One way to listen to both parts of
the conversation would be having two scanners programmed 45 MHz apart to
capture the entire conversation.
The upper UHF frequency spectrum was "appropriated" by the Cellular systems in
the late 1970's. Televisions are still made to receive up to channel 83. This
means that you can receive much of the cellular system on you UHF receiver. One
television channel occupies 6MHz of bandwidth. This was for video, sync, and
audio transmission of the channel. A cellular channel only takes up 24 KHz
plus 3KHz set up as a guard band for each audio signal. This means that 200
cellular channels can fit into one UHF television channel. If you have an old
black and white television, drop a variable cap in there to increase the
sensitivity of the tuning. Some of the older sets have coarse and fine tuning
knobs.
Some of the newer, smaller, portable television sets are tuned by a variable
resistor. This make modifications MUCH easier, for now all you have to do is
drop a smaller value pot in there and tweak away. I have successfully done
this on two televisions. Most users will find that those who don't live in a
city will have a much better listening rate per call. In the city, the cells
are so damn small that handoff is usually every other minute. Resulting in
chopped conversations.
If you wanted to really get into it, I would suggest you obtain an old
television set with decent tuning controls and remove the RF section out of the
set. You don't want all that hi-voltage circuitry lying around (flyback and
those caps). UHF receivers in televisions downconvert UHF frequencies to IF
(intermediate frequencies) between 41 and 47 MHz. These output IF frequencies
can then be run into a scanner set to pick-up between 41 - 47 MHz. Anyone who
works with RF knows that it is MUCH easier to work with 40MHz signals than
working with 800MHz signals. JUST REMEMBER ONE THING! Isolate the UHF
receiver from your scanner by using a coupling capacitor (0.01 - 0.1 microfarad
<50V minimum> will do nicely). You don't want any of those biasing voltages
creeping into your scanner's receiving AMPLIFIERS! Horrors. Also, don't
forget to ground both the scanner and receiver.
Some systems transmit and receive the same cellular transmission on the base
frequencies. There you can simply hang out on the base frequency and capture
both sides of the conversation. The handoff rate is much higher in high
traffic areas leading the listener to hear short or choppy conversations. At
times you can listen in for 5 to 10 minutes per call, depending on how fast the
caller is moving through the cell site.
TV Cell & Channel Scanner TV Oscillator Band
Channel Freq.& Number Frequency Frequency Limit
===================================================================
73 (first) 0001 - 825.03 45.97 871 824 - 830
73 (last) 0166 - 829.98 41.02 871 824 - 830
74 (first) 0167 - 830.01 46.99 877 830 - 836
74 (last) 0366 - 835.98 41.02 877 830 - 836
75 (first) 0367 - 836.01 46.99 883 836 - 842
75 (last) 0566 - 841.98 41.02 883 836 - 842
76 (first) 0567 - 842.01 46.99 889 842 - 848
76 (last) 0766 - 847.98 41.02 889 842 - 848
77 (first) 0767 - 848.01 46.99 895 848 - 854
77 (last) 0799 - 848.97 46.03 895 848 - 854
All frequencies are in MHz
You can spend hours just listening to cellular telephone conversations, but I
would like to mention that it is illegal to do so. Yes, it is illegal to
monitor cellular telephone conversations. It just another one of those laws
like removing tags off of furniture and pillows. It's illegal, but what the
hell for? At any rate, I just want you to understand that doing the following
is in violation of the law.
Now back to the good stuff.
Conversation is not only what an avid listener will find on the cellular bands.
One will also hear call/channel set-up control data streams, dialing, and other
control messages. At times, a cell site will send out a full request for all
units in its cell to identify itself. The phone will then respond with the
appropriate identification on the corresponding control channel.
Whenever a mobile unit is turned on, even when not placing a call, whenever
there is power to the unit, it transmits its phone number and its 8-digit ID
number. The same process is done when an idling phone passes from one cell to
the other. This process is repeated for as long as there is power to the unit.
This allows the MTSO to "track" a mobile through the network. That is why it
is not a good reason to use a mobile phone from one site. They do have ways of
finding you. And it really is not that hard. Just a bit of RF Triangulation
theory and you're found. However, when the power to the unit is shut off, as
far as the MTSO cares, you never existed in that cell, of course unless your
unit was flagged for some reason. MTSO's are basically just ESS systems
designed for mobile applications. This will be explained later within this
document.
It isn't feasible for the telephone companies to keep track of each customer on
the network. Therefore the MTSO really doesn't know if you are authorized to
use the network or not. When you purchase a cellular phone, the dealer gives
the unit's phone ID number to the local BOC, as well as the number the BOC
assigned to the customer. When the unit is fired up in a cell site its ID
number and phone number are transmitted and checked. If the two numbers are
registered under the same subscriber, then the cell site will allow the mobile
to send and receive calls. If they don't match, then the cell will not allow
the unit to send or receive calls. Hence, the most successful way of
reactivating a cellular phone is to obtain an ID that is presently in use and
modifying your ROM/PROM/EPROM for your specific phone.
RF and AF Specifications:
Everything that you will see from here on out is specifically Industry/FCC
standard. A certain level of compatibility has to be maintained for national
intercommunications, therefore a common set of standards that apply to all
cellular telephones can be compiled and analyzed.
Transmitter Mobiles: audio transmission
- 3 KHz to 15 KHz and 6.1 KHz to 15 KHz.
- 5.9 KHz to 6.1 KHz 35 dB attenuation.
- Above 15 KHz, the attenuation becomes 28 dB.
- All this is required after the modulation limiter and before the
modulation stage.
Transmitters Base Stations: audio transmission
- 3 KHz to 15 KHz.
- Above 15 KHz, attenuation required 28 dB.
- Attenuation after modulation limiter - no notch filter required.
RF attenuation below carrier transmitter: audio transmission
- 20 KHz to 40 KHz, use 26 dB.
- 45 KHz to 2nd harmonic, the specification is 60 dB or 43 + 10 log of
mean output power.
- 12 KHz to 20 KHz, attenuation 117 log f/12.
- 20 KHz to 2nd harmonic, there is a choice: 100 log F/100 or 60 dB or
43 log + 10 log of mean output power, whichever is less.
Wideband Data
- 20 KHz to 45 KHz, use 26 dB.
- 45 KHz to 90 KHz, use 45 dB.
- 90 KHz to 2nd harmonic, either 60 dB or 43 + 10 log mean output
power.
- all data streams are encoded so that NRZ (non-return-to-zero) binary
ones and zeroes are now zero-to-one and one-to-zero transitions
respectively. Wideband data can then modulate the transmitter
carrier by binary frequency shift keying (BFSK) and ones and zeroes
into the modulator must now be equivalent to nominal peak frequency
deviations of 8 KHz above and below the carrier frequency.
Supervisory Audio Tones
- Save as RF attenuation measurements.
Signaling Tone
- Same as Wideband Data but must be 10 KHz +/- 1 Hz and produce a
nominal frequency deviation of +/- 8 KHz.
The previous information will assist any technophile to modify or even
troubleshoot his/her cellular phone. Those are the working guidelines, as I
stated previously.
UNIT IDENTIFICATION
Each mobile unit is identified by the following sets of numbers.
The first number is the Mobile Identification Number (MIN). This 34 bit binary
number is derived from the unit's telephone number. MIN1 is the last seven
digits of the telephone number and MIN2 is the area code.
For demonstrative purposes, we'll encode 617-637-8687.
Here's how to derive the MIN2 from a standard area code. In this example, 617
is the area code. All you have to do is first convert to modulo 10 using the
following function. A zero digit would be considered to have a value of 10.
100(first number) + 10(second) +1(third) - 111 = x
100(6) + 10(1) + 1(7) - 111 = 506
(or you could just - 111 from the area code.)
Then convert it to a 10-bit binary number: 0111111010.
To derive MIN1 from the phone number is equally as simple. First
encode the next three digits, 637.
100(6) + 10(3) + 1(7) - 111 = 526
Converted to binary: 1000001110
The remainder of the number 8687, is processed further by taking the
first digit, eight (8) and converting it directly to binary.
8 = 1000 (binary)
The last three digits are processed as the other two sets of three
numbers were processed.
100(6) + 10(8) + 1(7) - 111 = 576
Converted to binary: 1001000000.
So the completed MIN number would look like this:
|--637---||8-||---687--||---617--|
1000001110100010010000000111111010
\________/\__/\________/\________/
A unit is also identifiable by its Electronic Serial Number or ESN. This
number is factory preset and is usually stored in a ROM chip, which is soldered
to the board. It may also be found in a "computer on a chip," which are the
new microcontrollers which have ROM/RAM/microprocessor all in the same package.
This type of set-up usually has the ESN and the software to drive the unit all
in the same chip. This makes is significantly harder to dump, modify and
replace. But it is far from impossible.
The ESN is a 4 byte hex or 11-digit octal number. I have encountered mostly
11-digit octal numbers on the casing of most cellular phones. The first three
digits represent the manufacturer and the remaining eight digits are the unit's
ESN.
The Station Class Mark (SCM) is also used for station identification by
providing the station type and power output rating. This was already discussed
in a previous section.
The System IDentification (SID number is a number which represents the mobile's
home system. This number is 15-bits long and a list of current nationwide
SID's should either be a part of this file or it will be distributed along with
it.
_______________________________________________________________________________
Reference in a new issue Copy permalink