                                                              6-FEB-89
   THE DNA BOX
   Hacking Cellular Phones

   P A R T   F I V E

   CELLULAR TELEPHONE SIGNALING FORMATS
===========================================================================

(RECC) Reverse Control Channel (mobile-to-tower on control channel)

RECC Message Format:
----------------------------------------------------------
Seizure Precursor:
  Dotting     (30 bits)  101010101010101010101010101010
  Word Sync   (11 bits)  11100010010
  DCC         ( 7 bits)  xxxxxxx        (coded Digital Color Code)

      Digital Color Code (DCC)
      Received   Coded
      --------   -------
        00       0000000
        01       0011111
        10       1100011
        11       1111100

Message: (from one to five words in length)
  First Word    repeated 5 times  (240 bits)
  Second Word   repeated 5 times  (240 bits)
  Third Word    repeated 5 times  (240 bits)
  Fourth Word   repeated 5 times  (240 bits)
  Fifth Word    repeated 5 times  (240 bits)
----------------------------------------------------------

There are 4 types of RECC messages:
  Page Response Message
  Origination Message
  Order Confirmation Message
  Order Message

These are composed of combinations of the following 48-bit message words
(36 information bits followed by 12 parity bits):

Abbreviated Address Word:
  F      ( 1 bit )  1              (first word indicator)
  NAWC   ( 3 bits)  xxx            (number of additional words to send)
  T      ( 1 bit )  x              (0=response, 1=origination/order)
  S      ( 1 bit )  x              (1=serial number word will be sent)
  E      ( 1 bit )  x              (1=extended address word will be sent)
         ( 1 bit )  0
  SCM    ( 4 bits)  xxxx           (station class mark)
  MIN1   (24 bits)  xxxxxxxxxxxxxxxxxxxxxxxx   (coded 7 digit phone number)
  P      (12 bits)  xxxxxxxxxxxx   (parity)

Extended Address Word:
  F      ( 1 bit )  0
  NAWC   ( 3 bits)  xxx
  LOCAL  ( 5 bits)  xxxxx          (local control - system specific)
  ORDQ   ( 3 bits)  xxx            (order qualifier)
  ORDER  ( 5 bits)  xxxxx          (order code)
  LT     ( 1 bit )  x              (1=last try)
         ( 8 bits)  00000000
  MIN2   (10 bits)  xxxxxxxxxx     (coded Area Code)
  P      (12 bits)  xxxxxxxxxxxx

Serial Number Word:
  F      ( 1 bit )  0
  NAWC   ( 3 bits)  xxx
  SERIAL (32 bits)  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   (serial number)
  P      (12 bits)  xxxxxxxxxxxx

First Word of Called Address:   [D1..D16 are the encoded digits]
  F      ( 1 bit )  0
  NAWC   ( 3 bits)  xxx
  D1     ( 4 bits)  xxxx
  D2     ( 4 bits)  xxxx
  D3     ( 4 bits)  xxxx
  D4     ( 4 bits)  xxxx
  D5     ( 4 bits)  xxxx
  D6     ( 4 bits)  xxxx
  D7     ( 4 bits)  xxxx
  D8     ( 4 bits)  xxxx
  P      (12 bits)  xxxxxxxxxxxx

      Table of Digit Codes:
      -----------------------------
      1  0001      7  0111      NULL  0000
      2  0010      8  1000
      3  0011      9  1001
      4  0100      0  1010
      5  0101      *  1011
      6  0110      #  1100

Second Word of Called Address:
  F      ( 1 bit )  0
  NAWC   ( 3 bits)  000
  D9     ( 4 bits)  xxxx           (encoded digits, see above table)
  D10    ( 4 bits)  xxxx
  D11    ( 4 bits)  xxxx
  D12    ( 4 bits)  xxxx
  D13    ( 4 bits)  xxxx
  D14    ( 4 bits)  xxxx
  D15    ( 4 bits)  xxxx
  D16    ( 4 bits)  xxxx
  P      (12 bits)  xxxxxxxxxxxx

===========================================================================

(RVC) Reverse Voice Channel (mobile-to-tower on voice channel)

RVC Message Format:
--------------------------------------------------------------
  Dotting        (101 bits)  101010101....101
  Word Sync      ( 11 bits)  11100010010
  Repeat 1 Word 1 ( 48 bits)  xxxxx ... xxxxx
  Dot            ( 37 bits)  1010101010101010101010101010101010101
  Word Sync      ( 11 bits)  11100010010
  Repeat 2 Word 1 ( 48 bits)  xxxxx ... xxxxx
     .
     .    [same pattern of repetition]
     .
  Dot            ( 37 bits)
  Word Sync      ( 11 bits)
  Repeat 5 Word 1 ( 48 bits)
  Dot            ( 37 bits)
  Word Sync      ( 11 bits)
  Repeat 1 Word 2 ( 48 bits)
  Dot            ( 37 bits)
  Word Sync      ( 11 bits)
  Repeat 2 Word 2 ( 48 bits)
     .
     .    [same pattern of repetition]
     .
  Dot            ( 37 bits)  1010101010101010101010101010101010101
  Word Sync      ( 11 bits)  11100010010
  Repeat 5 Word 2 ( 48 bits)  xxxxx ... xxxxx
-----------------------------------------------------------

There are two kinds of RVC messages:
  Order Confirmation Message
  Called Address Message

----------
Order Confirmation Message Word:
  F      ( 1 bit )  1
  NAWC   ( 2 bits)  00
  T      ( 1 bit )  1
  LOCAL  ( 5 bits)  xxxxx
  ORDQ   ( 3 bits)  xxx
  ORDER  ( 5 bits)  xxxxx
         (19 bits)  0000000000000000000
  P      (12 bits)  xxxxxxxxxxxx
----------

Called Address Message, First Word:
  F      ( 1 bit )  1
  NAWC   ( 2 bits)  01
  T      ( 1 bit )  0
  D1     ( 4 bits)  xxxx           (encoded digits, see digit table above)
  D2     ( 4 bits)  xxxx
  D3     ( 4 bits)  xxxx
  D4     ( 4 bits)  xxxx
  D5     ( 4 bits)  xxxx
  D6     ( 4 bits)  xxxx
  D7     ( 4 bits)  xxxx
  D8     ( 4 bits)  xxxx
  P      (12 bits)  xxxxxxxxxxxx

Called Address Message, Second Word:
  F      ( 1 bit )  1
  NAWC   ( 2 bits)  00
  T      ( 1 bit )  0
  D9     ( 4 bits)  xxxx
  D10    ( 4 bits)  xxxx
  D11    ( 4 bits)  xxxx
  D12    ( 4 bits)  xxxx
  D13    ( 4 bits)  xxxx
  D14    ( 4 bits)  xxxx
  D15    ( 4 bits)  xxxx
  D16    ( 4 bits)  xxxx
  P      (12 bits)  xxxxxxxxxxxx
----------

===========================================================================

(FOCC) Forward Control Channel (tower-to-mobile on control channel)

FOCC Message Format:
--------------------------------------
  Dotting          (10 bits)  b1010101010
  Word Sync        (11 bits)  b11100010010
  Repeat 1 word A  (40 bits)  bxxxxxxxxxxbxxxxxxxxxxbxxxxxxxxxxbxxxxxxxxxx
  Repeat 1 word B  (40 bits)
  Repeat 2 word A  (40 bits)
  Repeat 2 word B  (40 bits)
  Repeat 3 word A  (40 bits)
  Repeat 3 word B  (40 bits)
  Repeat 4 word A  (40 bits)
  Repeat 4 word B  (40 bits)

  A Busy/Idle bit (b) is inserted at the beginning of Dotting and Word
  Sync, and every 10 bits during word repetitions beginning at the start
  of the first word.  b=1 when the RCC is Idle, b=0 when the RCC is Busy.
  Words A and B are two independent message streams interleaved on the
  channel.  One complete frame is 463 bits: 421 message bits plus 42
  busy/idle bits.
  Repeat 5 word A  (40 bits)
  Repeat 5 word B  (40 bits)  bxxxxxxxxxxbxxxxxxxxxxbxxxxxxxxxxbxxxxxxxxxx
  Dotting          (10 bits)  b1010101010
-------------------------------------

There are three types of FOCC messages:
  Mobile Station Control Message
  Overhead Message
  Control-filler Message

Every FOCC word is 40 bits: 28 information bits followed by 12 parity bits.

Mobile Station Control Message: (one, two or four words)
------------------------------
Abbreviated Address Word:
  TT     ( 2 bits)  0x             (00=only word of the message,
                                    01=first word of a multi-word message)
  DCC    ( 2 bits)  xx             (Digital Color Code)
  MIN1   (24 bits)  xxxxxxxxxxxxxxxxxxxxxxxx
  P      (12 bits)  xxxxxxxxxxxx

Extended Address Word: (two versions of this word occur)

  Order version (SCC=11):
  TT     ( 2 bits)  10
  SCC    ( 2 bits)  11
  MIN2   (10 bits)  xxxxxxxxxx
         ( 1 bit )  0
  LOCAL  ( 5 bits)  xxxxx
  ORDQ   ( 3 bits)  xxx
  ORDER  ( 5 bits)  xxxxx
  P      (12 bits)  xxxxxxxxxxxx

  Channel assignment version (SCC not 11; there is no reserved bit in
  this version, so the word still totals 40 bits):
  TT     ( 2 bits)  10
  SCC    ( 2 bits)  xx             (SAT color code of the assigned channel)
  MIN2   (10 bits)  xxxxxxxxxx
  VMAC   ( 3 bits)  xxx            (attenuation code)
  CHAN   (11 bits)  xxxxxxxxxxx    (channel number)
  P      (12 bits)  xxxxxxxxxxxx

First Directed-Retry Word:
  TT      ( 2 bits)  10
  SCC     ( 2 bits)  11            (SAT color code)
  CHANPOS ( 7 bits)  xxxxxxx       (channel position relative to first
                                    access channel)
  CHANPOS ( 7 bits)  xxxxxxx
  CHANPOS ( 7 bits)  xxxxxxx
          ( 3 bits)  000
  P       (12 bits)  xxxxxxxxxxxx

Second Directed-Retry Word:
  TT      ( 2 bits)  10
  SCC     ( 2 bits)  11
  CHANPOS ( 7 bits)  xxxxxxx
  CHANPOS ( 7 bits)  xxxxxxx
  CHANPOS ( 7 bits)  xxxxxxx
          ( 3 bits)  000
  P       (12 bits)  xxxxxxxxxxxx
------------------------------

Overhead Messages:
  System Parameter Overhead Message
  Global Action Overhead Message
  Registration Identification Message
  Control-filler Message

System Parameter Overhead Message:
----------------------------------
System Parameter Word 1:
  TT     ( 2 bits)  11
  DCC    ( 2 bits)  xx
  SID1   (14 bits)  xxxxxxxxxxxxxx (system identification)
         ( 3 bits)  000
  NAWC   ( 4 bits)  xxxx
  OHD    ( 3 bits)  110            (overhead message type)
  P      (12 bits)  xxxxxxxxxxxx

System Parameter Word 2:
  TT     ( 2 bits)  11
  DCC    ( 2 bits)  xx
  S      ( 1 bit )  x              (serial number flag)
  E      ( 1 bit )  x              (extended address flag)
  REGH   ( 1 bit )  x              (registration for home stations)
  REGR   ( 1 bit )  x              (registration for roaming stations)
  DTX    ( 1 bit )  x              (discontinuous transmission flag)
         ( 1 bit )  0
  N-1    ( 5 bits)  xxxxx          (number of paging channels in system
                                    minus 1)
  RCF    ( 1 bit )  x              (read-control-filler flag)
  CPA    ( 1 bit )  x              (combined paging/access flag)
  CMAX-1 ( 7 bits)  xxxxxxx        (number of access channels in system
                                    minus 1)
  END    ( 1 bit )  x              (1=last word of overhead message train)
  OHD    ( 3 bits)  111
  P      (12 bits)  xxxxxxxxxxxx
-------------------------------

Global Action Overhead Messages:
  (all have the form TT=11, DCC, ACT, a 16-bit body, END, OHD=100, P)

Rescan Global Action Message:
  TT     ( 2 bits)  11
  DCC    ( 2 bits)  xx
  ACT    ( 4 bits)  0001
         (16 bits)  0000000000000000
  END    ( 1 bit )  x
  OHD    ( 3 bits)  100
  P      (12 bits)  xxxxxxxxxxxx

Registration Increment Global Action Message:
  TT      ( 2 bits)  11
  DCC     ( 2 bits)  xx
  ACT     ( 4 bits)  0010
  REGINCR (12 bits)  xxxxxxxxxxxx  (registration increment)
          ( 4 bits)  0000
  END     ( 1 bit )  x
  OHD     ( 3 bits)  100
  P       (12 bits)  xxxxxxxxxxxx

New Access Channel Set Global Action Message:
  TT     ( 2 bits)  11
  DCC    ( 2 bits)  xx
  ACT    ( 4 bits)  0110
  NEWACC (11 bits)  xxxxxxxxxxx    (new access channel starting point)
         ( 5 bits)  00000
  END    ( 1 bit )  x
  OHD    ( 3 bits)  100
  P      (12 bits)  xxxxxxxxxxxx

Overload Control Global Action Message:
  TT     ( 2 bits)  11
  DCC    ( 2 bits)  xx
  ACT    ( 4 bits)  1000
  OLCD0  ( 1 bit )  x              (overload class flags, one bit each
  OLCD1  ( 1 bit )  x               for classes 0 through 15: 16 bits)
   ...
  OLCD15 ( 1 bit )  x
  END    ( 1 bit )  x
  OHD    ( 3 bits)  100
  P      (12 bits)  xxxxxxxxxxxx

Access Type Parameters Global Action Message:
  TT     ( 2 bits)  11
  DCC    ( 2 bits)  xx
  ACT    ( 4 bits)  1001
  BIS    ( 1 bit )  x              (busy/idle status flag)
         (15 bits)  000000000000000
  END    ( 1 bit )  x
  OHD    ( 3 bits)  100
  P      (12 bits)  xxxxxxxxxxxx

Access Attempt Parameters Global Action Message:
  TT            ( 2 bits)  11
  DCC           ( 2 bits)  xx
  ACT           ( 4 bits)  1010
  MAXBUSY-PGR   ( 4 bits)  xxxx    (maximum busy occurrences, page response)
  MAXSZTR-PGR   ( 4 bits)  xxxx    (maximum seizure tries, page response)
  MAXBUSY-OTHER ( 4 bits)  xxxx    (maximum busy occurrences, other accesses)
  MAXSZTR-OTHER ( 4 bits)  xxxx    (maximum seizure tries, other accesses)
  END           ( 1 bit )  x
  OHD           ( 3 bits)  100
  P             (12 bits)  xxxxxxxxxxxx

Local Control 1 Message:
  TT            ( 2 bits)  11
  DCC           ( 2 bits)  xx
  ACT           ( 4 bits)  1110
  LOCAL CONTROL (16 bits)  xxxxxxxxxxxxxxxx   (any local control code)
  END           ( 1 bit )  x
  OHD           ( 3 bits)  100
  P             (12 bits)  xxxxxxxxxxxx

Local Control 2 Message:
  TT            ( 2 bits)  11
  DCC           ( 2 bits)  xx
  ACT           ( 4 bits)  1111
  LOCAL CONTROL (16 bits)  xxxxxxxxxxxxxxxx
  END           ( 1 bit )  x
  OHD           ( 3 bits)  100
  P             (12 bits)  xxxxxxxxxxxx
-------------------------------

Registration Identification Message:
  TT     ( 2 bits)  11
  DCC    ( 2 bits)  xx
  REGID  (20 bits)  xxxxxxxxxxxxxxxxxxxx   (registration ID)
  END    ( 1 bit )  x
  OHD    ( 3 bits)  000
  P      (12 bits)  xxxxxxxxxxxx
------------------------------------

Control-Filler Message:
  TT     ( 2 bits)  11
  DCC    ( 2 bits)  xx
         ( 6 bits)  010111
  CMAC   ( 3 bits)  xxx            (current mobile attenuation)
         ( 7 bits)  0011001
  WFOM   ( 1 bit )  x              (wait for overhead message)
         ( 4 bits)  1111
  OHD    ( 3 bits)  001
  P      (12 bits)  xxxxxxxxxxxx

===========================================================================

(FVC) Forward Voice Channel (tower-to-mobile on voice channel)

FVC Message Format:
  * There are NO busy/idle bits on the voice channels; they are inserted
    only on the FOCC.  Each FVC word is sent 11 times (the RVC sends
    its words 5 times).
--------------------------------------------------------------
  Dotting        (101 bits)  101010101...101
  Word Sync      ( 11 bits)  11100010010
  Repeat 1 Word  ( 40 bits)  xxxxx...xxxxx
  Dot            ( 37 bits)  1010101010101010101010101010101010101
  Word Sync      ( 11 bits)  11100010010
  Repeat 2 Word  ( 40 bits)  xxxxx...xxxxx
  Dot            ( 37 bits)
  Word Sync      ( 11 bits)
  Repeat 3 Word  ( 40 bits)
     .
     .    [same pattern of repetition]
     .
  Dot            ( 37 bits)  1010101010101010101010101010101010101
  Word Sync      ( 11 bits)  11100010010
  Repeat 11 Word ( 40 bits)  xxxxx...xxxxx
-----------------------------------------------------------

There is only one kind of FVC message:
  Mobile Station Control Message

Mobile Station Control Word: (two versions of this word occur; the
reserved field is 11 bits in the order version and 10 bits in the channel
assignment version so that each word totals 40 bits)

  Order version:
  TT     ( 2 bits)  10
  PSCC   ( 2 bits)  xx             (present SAT color code)
         (11 bits)  00000000000
  LOCAL  ( 5 bits)  xxxxx
  ORDQ   ( 3 bits)  xxx
  ORDER  ( 5 bits)  xxxxx
  P      (12 bits)  xxxxxxxxxxxx

  Channel assignment (handoff) version:
  TT     ( 2 bits)  10
  PSCC   ( 2 bits)  xx             (present SAT color code)
         (10 bits)  0000000000
  VMAC   ( 3 bits)  xxx            (attenuation code)
  CHAN   (11 bits)  xxxxxxxxxxx    (channel number)
  P      (12 bits)  xxxxxxxxxxxx

===========================================================================
* See Part Six for information describing various codes used in message
  word fields.
===========================================================================

   The DNA BOX - Striking at the Nucleus of Corporate Communications.
   A current project of... Outlaw Telecommandos
   xx-xxx-xxx-xxxx


                                                              9-FEB-89
   THE DNA BOX
   Hacking Cellular Phones

   P A R T   S I X

   CELLULAR TELEPHONE MESSAGE CODES
============================================================================
The previous file (Part Five) listed the Message Formats and Message Words
used by the Cellular Telephone system.  Message words have variable
sub-fields that are set to convey various information (such as dialed
numbers, mobile phone ID, commands, requests, channel assignments etc.).
Here are the codes used in Message Word subfields during data transmissions.
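Before the code tables, a worked example of the FOCC frame layout from Part
Five.  This is added here and is not code from the DNA Box file: it builds
a 463-bit frame with the busy/idle bits inserted, interleaves the A and B
word streams five times each, then recovers the words on the receive side by
stripping the b bits and majority-voting the five repeats, and decodes the
7-bit coded DCC field to its nearest codeword.  The two sample words, the
MIN1 values in them and the error positions are constructed; their P fields
are zero because this example does not compute parity.

```python
"""FOCC frame assembly and recovery for the layout given in Part Five.

Added worked example; not code from the DNA Box file.  Bit strings are
Python str objects of '0'/'1'.  The two 40-bit sample words at the bottom
are constructed (their P fields are not real parity; framing does not care).
"""
from collections import Counter

DOTTING = "1010101010"          # 10 bits
WORD_SYNC = "11100010010"       # 11 bits
REPEATS = 5                     # each FOCC word is sent five times
FRAME_BITS = 1 + 10 + 1 + 11 + 40 * 11   # 463 bits including busy/idle bits

# Digital Color Code: 2-bit value -> 7-bit coded form sent in the RECC precursor
DCC_CODED = {"00": "0000000", "01": "0011111", "10": "1100011", "11": "1111100"}


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def dcc_decode(received7):
    """Nearest-codeword decode of the 7-bit DCC field.  The four codewords are
    at least 4 bits apart, so any single bit error still decodes correctly."""
    return min(DCC_CODED, key=lambda v: hamming(DCC_CODED[v], received7))


def build_focc_frame(word_a, word_b, rcc_idle=True):
    """Interleave word A and word B (5 repeats each) and insert the busy/idle
    bit b: before dotting, before word sync, then before every 10 word bits."""
    assert len(word_a) == 40 and len(word_b) == 40
    b = "1" if rcc_idle else "0"
    body = (word_a + word_b) * REPEATS                   # A1 B1 A2 B2 ... A5 B5
    frame = b + DOTTING + b + WORD_SYNC
    frame += "".join(b + body[i:i + 10] for i in range(0, len(body), 10))
    assert len(frame) == FRAME_BITS
    return frame


def strip_busy_idle(frame):
    """Undo the insertion: returns (dotting, word_sync, 400 word bits, b bits)."""
    flags = [frame[0], frame[11]]
    dotting, sync = frame[1:11], frame[12:23]
    body = ""
    for pos in range(23, FRAME_BITS, 11):
        flags.append(frame[pos])
        body += frame[pos + 1:pos + 11]
    return dotting, sync, body, flags


def majority_vote(copies):
    """Bit-wise majority over the repeated copies of one word."""
    return "".join(Counter(col).most_common(1)[0][0] for col in zip(*copies))


def parse_focc_frame(frame):
    dotting, sync, body, flags = strip_busy_idle(frame)
    if dotting != DOTTING or sync != WORD_SYNC:
        raise ValueError("lost sync")
    a_copies = [body[i * 80:i * 80 + 40] for i in range(REPEATS)]
    b_copies = [body[i * 80 + 40:i * 80 + 80] for i in range(REPEATS)]
    return {
        "word_a": majority_vote(a_copies),
        "word_b": majority_vote(b_copies),
        "rcc_idle": flags.count("1") > len(flags) // 2,  # vote the b bits too
    }


def parse_abbreviated_address(word):
    """Split a 40-bit FOCC Abbreviated Address Word into its fields."""
    return {"TT": word[0:2], "DCC": word[2:4],
            "MIN1": int(word[4:28], 2), "P": word[28:40]}


def flip_bits(bits, positions):
    """Simulate channel errors at the given raw frame positions."""
    out = list(bits)
    for p in positions:
        out[p] = "0" if out[p] == "1" else "1"
    return "".join(out)


# Constructed sample words: TT=00, DCC=01, a made-up MIN1, parity field zero.
WORD_A = "00" + "01" + format(0x2B3C4D, "024b") + "0" * 12
WORD_B = "00" + "01" + format(0x1A2B3C, "024b") + "0" * 12

if __name__ == "__main__":
    frame = build_focc_frame(WORD_A, WORD_B, rcc_idle=False)
    noisy = flip_bits(frame, [30, 31, 60])        # three hits on repeat 1 of word A
    decoded = parse_focc_frame(noisy)
    print(decoded["word_a"] == WORD_A, parse_abbreviated_address(decoded["word_a"]))
    print(dcc_decode("0011011"))                  # one bit off from 0011111
```

The majority vote is the same trick the BCH discussion in Part Six relies
on for lifting MIN1/MIN2 out of a block: with five copies, up to two
corrupted copies at any bit position are outvoted before parity is ever
looked at.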
============================================================================

Mobile Station Automatic Attenuation Levels

  Mobile Attenuation Code (MAC)           Power Classifications
  MAC   Class I  Class II  Class III      Class      Nominal ERP
  ---   -------  --------  ---------      ---------  -----------------
  000      6        2        -2           Class I    4 W    ( 6 dBW)
  001      2        2        -2           Class II   1.6 W  ( 2 dBW)
  010     -2       -2        -2           Class III  0.6 W  (-2 dBW)
  011     -6       -6        -6
  100    -10      -10       -10
  101    -14      -14       -14
  110    -18      -18       -18
  111    -22      -22       -22
  (table entries are the mobile's nominal ERP in dBW at that MAC)

=========================================================

Station Class Mark (SCM)

  SCM    Station Class, Transmission
  ----   ----------------------------
  xx00   Class I
  xx01   Class II
  xx10   Class III
  00xx   Continuous Transmissions
  01xx   Discontinuous Transmissions

  (for example 0010 means Class III, Continuous Transmissions, and 0100
   means Class I, Discontinuous Transmissions)

=========================================================

Digital Color Code (DCC)

  Received   Coded
  --------   -------
    00       0000000
    01       0011111
    10       1100011
    11       1111100

=======================================

SAT Color Code (Supervisory Audio Tone)

  Code   Frequency
  ----   ---------
   00    5970 Hz
   01    6000 Hz
   10    6030 Hz
   11    (not a channel designation)

====================================

Digit Code (for dialed numbers etc.)

  Digit   Code
  -----   ----
    1     0001
    2     0010
    3     0011
    4     0100
    5     0101
    6     0110
    7     0111
    8     1000
    9     1001
    0     1010    (zero is encoded as a binary ten)
    *     1011
    #     1100
  Null    0000    (when no digit present)

===================================

Order and Qualification Codes

  Order   Qual   Function
  -----   ----   ---------------------
  00000   000    page (or origination)
  00001   000    alert
  00011   000    release
  00100   000    reorder
  00110   000    stop alert
  00111   000    audit
  01000   000    send called-address
  01001   000    intercept
  01010   000    maintenance
  01011   000    change to power level 0
  01011   001    change to power level 1
  01011   010    change to power level 2
  01011   011    change to power level 3
  01011   100    change to power level 4
  01011   101    change to power level 5
  01011   110    change to power level 6
  01011   111    change to power level 7
  01100   000    directed retry - not last try
  01100   001    directed retry - last try
  01101   000    non-autonomous registration - do not make whereabouts known
  01101   001    non-autonomous registration - make whereabouts known
  01101   010    autonomous registration - do not make whereabouts known
  01101   011    autonomous registration - make whereabouts known
  11110   000    local control
  (All other codes are reserved)

==============================================================

Overhead Message Type

  Code   Order
  ----   ------------------
  000    registration ID
  001    control-filler
  010    (reserved)
  011    (reserved)
  100    global action
  101    (reserved)
  110    word 1 of system parameter message
  111    word 2 of system parameter message

=======================================

Global Action Message Types

  Code   Action Type
  ----   -----------
  0000   (reserved)
  0001   rescan paging channels
  0010   registration increment
  0011   (reserved)
  0100   (reserved)
  0101   (reserved)
  0110   new access channel set
  0111   (reserved)
  1000   overload control
  1001   access type parameters
  1010   access attempt parameters
  1011   (reserved)
  1100   (reserved)
  1101   (reserved)
  1110   local control 1
  1111   local control 2

====================================================================

Restricted Central Office Codes

Cellular phone numbers are NEVER issued with these patterns, in order to
prevent Word Sync patterns from occurring inside a message word.

  0xx-xxxx                  568-1xxx thru 568-7xxx
  1xx-xxxx                  595-8xxx thru 595-0xxx
  224-2xxx                  663-xxxx thru 666-xxxx
  288-2xxx                  672-2xxx
  339-8xxx thru 339-0xxx    736-2xxx
  352-xxxx                  790-2xxx
  416-2xxx                  800-xxxx
  470-2xxx                  851-8xxx thru 851-0xxx
  508-2xxx                  864-2xxx
  544-2xxx                  899-xxxx
                            909-xxxx
                            928-2xxx
                            992-2xxx

=====================================================================

Bose-Chaudhuri-Hocquenghem (BCH) Codes

The 12-bit Parity field is computed with a BCH code.  The generator
polynomial is

  gB(X) = X^12 + X^10 + X^8 + X^5 + X^4 + X^3 + 1

and it is meant exactly as written: a polynomial over GF(2), which is the
bit pattern 1010100111001 (coefficients of X^12 down to X^0).  The parity
bits are the remainder left over after dividing the information bits
(shifted left 12 places) by gB(X), with every addition done modulo 2, i.e.
as an exclusive-OR.  This is NOT hard to compute at the 10 kb/s data rate
of the Cellular Data Protocol: a 12-stage shift register with feedback taps
at the polynomial's terms does the whole division one bit per clock, which
is how the phones do it.  (Reading the superscripts as "sum the word in
12, 10, 8, 5, 4 and 3 bit bytes and add 1" is wrong; that is not how a
generator polynomial is used.)

The code is systematic: the information bits (28 in a 40-bit FOCC/FVC
word, 36 in a 48-bit RECC/RVC word) go over the air unchanged, followed by
the 12 parity bits.  Both word sizes use the same generator polynomial.
A receiver checks a word by recomputing the parity from the information
bits and comparing it with the P field; this can be confirmed against the
parity bits of any intercepted message word.

The Parity bits are not needed to recover Cellular ID codes, because
message words are repeated many times in each message block, and the ID
fields (MIN1, MIN2, and SID) can simply be lifted from the most frequent
(and most likely error-free) copy of each word in the block.
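An added worked example of the above, not code from the DNA Box file: the
BCH encoder as a GF(2) polynomial division with gB(X), the syndrome check
a receiver can run on each repeat, single-error correction by syndrome
lookup, and the packing of two word layouts from Part Five (the FOCC
Abbreviated Address Word and the RECC First Word of Called Address) using
the digit codes from this part.  The MIN1 value and dialed digits are
constructed sample data.  The single-error correction is this example's own
addition for illustration; the text only establishes that P is a BCH
remainder, not what a given phone's firmware does with a bad syndrome.

```python
"""BCH parity, packing and checking of AMPS message words.

Added worked example; not code from the DNA Box file.  Field values used in
the demo (MIN1, DCC, the dialed digits) are constructed sample data.
"""
# gB(X) = X^12 + X^10 + X^8 + X^5 + X^4 + X^3 + 1 as an integer: bit i is the
# coefficient of X^i, so GEN == 0b1010100111001.
GEN = (1 << 12) | (1 << 10) | (1 << 8) | (1 << 5) | (1 << 4) | (1 << 3) | 1
PARITY_BITS = 12
PARITY_MASK = (1 << PARITY_BITS) - 1


def bch_parity(info, k):
    """Remainder of info(X) * X^12 divided by gB(X) over GF(2): long division
    in which subtraction is XOR.  k = number of information bits
    (28 for 40-bit FOCC/FVC words, 36 for 48-bit RECC/RVC words)."""
    assert 0 <= info < (1 << k)
    r = info << PARITY_BITS
    for i in range(k + PARITY_BITS - 1, PARITY_BITS - 1, -1):
        if (r >> i) & 1:                     # leading term present: cancel it
            r ^= GEN << (i - PARITY_BITS)
    return r & PARITY_MASK


def encode_word(info, k):
    """Systematic codeword: the k information bits unchanged, then 12 parity bits."""
    return (info << PARITY_BITS) | bch_parity(info, k)


def syndrome(word, k):
    """Zero for a valid codeword.  The code is linear, so the syndrome of a
    corrupted word depends only on the error pattern, not on the data."""
    return bch_parity(word >> PARITY_BITS, k) ^ (word & PARITY_MASK)


def correct_single_error(word, k):
    """Fix one flipped bit anywhere in the word; returns (word, bit_index|None).
    Raises when the syndrome matches no single-bit pattern (2+ errors): drop
    the copy and rely on the other repeats instead."""
    s = syndrome(word, k)
    if s == 0:
        return word, None
    table = {syndrome(1 << p, k): p for p in range(k + PARITY_BITS)}
    if s not in table:
        raise ValueError("uncorrectable word")
    return word ^ (1 << table[s]), table[s]


def pack(fields):
    """Concatenate (value, width) pairs, first field in the most significant bits."""
    out = 0
    for value, width in fields:
        assert 0 <= value < (1 << width), (value, width)
        out = (out << width) | value
    return out


# Digit codes from Part Six: 1-9 as themselves, 0 -> 1010, * -> 1011, # -> 1100,
# NULL -> 0000 for an empty digit position.
DIGIT_CODE = {str(d): d for d in range(1, 10)}
DIGIT_CODE.update({"0": 0b1010, "*": 0b1011, "#": 0b1100})


def focc_abbreviated_address(tt, dcc, min1):
    """40-bit FOCC Abbreviated Address Word: TT(2) DCC(2) MIN1(24) P(12)."""
    return encode_word(pack([(tt, 2), (dcc, 2), (min1, 24)]), 28)


def recc_called_address_word1(digits, nawc):
    """48-bit RECC First Word of Called Address: F=0, NAWC(3), D1..D8, P(12).
    Fewer than eight digits are padded with NULL (0000)."""
    assert len(digits) <= 8
    codes = [DIGIT_CODE[c] for c in digits] + [0] * (8 - len(digits))
    return encode_word(pack([(0, 1), (nawc, 3)] + [(c, 4) for c in codes]), 36)


if __name__ == "__main__":
    w = focc_abbreviated_address(0b00, 0b01, 0x2B3C4D)     # constructed MIN1
    print(format(w, "040b"), "syndrome", syndrome(w, 28))
    bad = w ^ (1 << 17)                                    # one bit error in MIN1
    fixed, pos = correct_single_error(bad, 28)
    print("corrected:", fixed == w, "bit", pos)
    print(format(recc_called_address_word1("5551234", 0), "048b"))
```

With info = 1 the division leaves X^12 mod gB(X) = gB(X) - X^12, so the
parity field is just the low 12 coefficients of the generator; that is a
quick sanity check on any implementation before comparing it with captured
words.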
HOWEVER: because the code is systematic, the message bits themselves are
never transformed by the coding; only the P field depends on the encoder.
Getting the BCH algorithm right therefore matters when you want to
GENERATE valid words that a tower or phone will accept, not when you only
want to read them.  If there is any doubt about how a particular phone
computes P, disassembling the ROM firmware from a Cellular Phone should be
conclusive.