Introduction To Cellular Phreaking.
By =The-Doh-Boy=

Hi there DC readers, I'm =The-Doh-Boy= and you can check out my earlier, lamer articles at the SWATeam webpage, but for now I'm writing for DC and my chosen specialised subject is cellular phreaking. I'd like to think I am pretty well experienced with the standard forms of cell-phreaking, i.e. cloning, modifying SIMs, programmable backdoors on fones. I also think I know A LOT about pre-pay fraud, so I am going to concentrate on this as I know a lot about it. I could be wrong however, and I always enjoy being told I'm wrong :>

I'm going to give you a brief outline of the older methods of phreaking cellular fones and why they were introduced (a more in-depth account to come soon), then I'm going to move on and give a brief summary of the relatively new field of pre-pay fraud.

GOLDEN OLDIES :>

The first principle of cellular fones is knowing the basics of how they work. A cellular fone is more or less a HAM radio with a small computer attached (no, it can't run MSWorks!!!!). The computer handles the signalling to the local cell tower (like an exchange) and performs the "negotiations" necessary to complete a call. It will also handle signal conversion in the case of digital fones.

The two most important numbers ever signalled to the tower are the ESN and MIN. These are the numbers which uniquely identify the fone within the network. They are the DNA of fones. We have all seen the two-stranded DNA molecule; well, that's a good way to think of ESN/MIN. They must come together and fit precisely before the tower will let you go anywhere with the fone. The ESN is the Electronic Serial Number; this tells the tower what fone is logged into the network. The MIN is the Mobile Identification Number, and this tells the tower the customer's number. The network you are with has the ESN/MIN pairs logged in a database for every fone they will provide service to.
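As an added example, not code from the article and not a description of how any particular network actually implemented it, here is a carrier-side sketch of the check the text describes: the tower only lets a fone on if its ESN/MIN pair is in the subscriber database. It is written fail-closed (an unknown pair is denied before call setup rather than validated while a call is already in progress) and adds the velocity check carriers used as a clone indicator: the same valid pair registering from two cells too far apart for the elapsed time. The subscriber records, cell coordinates, ESN/MIN values and registration events are constructed sample data, and the 300 km/h plausibility limit and 5 km cell-overlap allowance are assumptions.

```python
"""
Fail-closed ESN/MIN validation with a simple clone indicator.

Added example: models a carrier-side subscriber check. Everything below
(subscriber pairs, cells, timings) is constructed sample data.
"""
from dataclasses import dataclass
from math import atan2, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 300.0  # assumption: faster than any road or rail travel
CELL_OVERLAP_KM = 5.0      # assumption: neighbouring cells overlap this much


@dataclass(frozen=True)
class Cell:
    cell_id: str
    lat: float
    lon: float


def distance_km(a: Cell, b: Cell) -> float:
    """Great-circle distance between two cell sites (haversine formula)."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * atan2(sqrt(h), sqrt(1 - h))


@dataclass(frozen=True)
class Registration:
    esn: str       # Electronic Serial Number as signalled by the handset
    min_: str      # Mobile Identification Number as signalled by the handset
    cell: Cell     # cell site that received the registration
    time_s: float  # seconds since epoch (constructed)


class SubscriberDB:
    """The carrier's table of ESN/MIN pairs it will provide service to."""

    def __init__(self, pairs):
        self._pairs = set(pairs)
        self._last_seen = {}  # (esn, min) -> most recent Registration

    def validate(self, reg: Registration):
        """Return (allowed, reason). Runs BEFORE call setup, so an unknown
        pair never gets a call through while the lookup is pending."""
        key = (reg.esn, reg.min_)
        if key not in self._pairs:
            return False, "unknown ESN/MIN pair"
        prev = self._last_seen.get(key)
        self._last_seen[key] = reg
        if prev is not None:
            dist = distance_km(prev.cell, reg.cell)
            dt_h = (reg.time_s - prev.time_s) / 3600.0
            # Velocity check: one handset cannot be in two distant cells at
            # (nearly) the same time, so a second registration that implies
            # an impossible speed is treated as a probable clone.
            if dist > CELL_OVERLAP_KM and (dt_h <= 0 or dist / dt_h > MAX_PLAUSIBLE_KMH):
                return False, f"probable clone: {dist:.0f} km apart after {dt_h * 60:.1f} min"
        return True, "ok"


# Constructed cell sites (approximate city-centre coordinates).
LONDON = Cell("LDN-01", 51.5074, -0.1278)
LONDON_2 = Cell("LDN-02", 51.5155, -0.0922)
EDINBURGH = Cell("EDI-01", 55.9533, -3.1883)

# Constructed ESN/MIN pairs; not real subscribers.
KNOWN_PAIRS = [("A1B2C3D4", "4471234567"), ("0F0F0F0F", "4477654321")]


def demo():
    """Replay a constructed sequence of registrations and return the verdicts."""
    db = SubscriberDB(KNOWN_PAIRS)
    events = [
        Registration("A1B2C3D4", "4471234567", LONDON, 0.0),          # genuine handset
        Registration("A1B2C3D4", "4471234567", LONDON_2, 1800.0),     # same handset, next cell
        Registration("A1B2C3D4", "4471234567", EDINBURGH, 2400.0),    # same pair, 10 min later, 530 km away
        Registration("DEADBEEF", "4479999999", LONDON, 100.0),        # pair not in the database
    ]
    return [db.validate(e) for e in events]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The point of the ordering is that the lookup result gates call setup; a design that lets the call proceed while the database answers is exactly the gap the "random pair" trick depended on. The velocity check is deliberately coarse (two events, one threshold); a real fraud-control system would also look at call volume and destination patterns, but the two-cell rule already catches the obvious case of a pair in use in two places at once.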
If a fone logs in with a pair which is not on the database, it will either kick you or let ONE call go through (I will come back to this). We have all used Dial Up Networking or a keycard or anything with a passcode. You could see the ESN/MIN as login/passcode. If these are not valid, then NO ACCESS CHUMP. So naturally (as with other forms of hacking) you are going to need ways of using someone else's account. Obviously you must get your fone to give the cell tower a different ESN/MIN pair from yours. This is the principle behind cellular cloning. The de facto standard for doing this involves replacing the ESN chip with a PROM which can then be loaded with the ESN/MIN pair of another subscriber. Other methods are commonly used on Motorolas (THE PHREAK FONE!!!) which can often be re-programmed at the keypad!!! or often using a ready-made cable connection from computer to fone.

So now you have got your fone ready to take new pairs, WHERE DO YOU GET THEM FROM? Well there are many different options as far as this is concerned!!! ranging from the HI-TECH 31337 scheme to the low-tech lamo scheme.

A popular way, for people who can't stop spending cash, is a scanner. As mentioned before, the fone contains a computer which signals to the tower. It just so happens that if you find carrier signals in the mobile range (can't remember exactly, will have everything down precisely next article), tune down 20MHz and hook the scanner to your modem. With some decoding you can receive ESN/MIN pairs aplenty! (this is not my favourite method $$$!!!)

Another, more deviant scheme is to go trashing at your local cell shop. They always write down the ESN/MIN and other customer info before entering it into the computer to get the fone hooked up. They then throw this paper into the bin after. So it's the usual trashing drill, rummage around and see what you can get. (a good method for the low budget, but not for the over-vain!!)

My favourite method is to stand around at airports etc.
and wait for business guys to leave their fone to go to the men's room, have a coffee etc. and just read the pairs from the fone. The MIN can be calculated from the mobile number (always available in an in-built menu) and the ESN is at the back of the fone inside the battery case. Once you have your number pairs, load them up and start making free calls. Good point to note: this only works on analogues, so everything you say can be heard. BE CAREFUL. Make sure not to use the same one repeatedly; change them every now and then to be safe.

Mentioned earlier was a now defunct method of cell phreaking. This involved churning out random ESN/MIN pairs which the tower thought to be outwith its domain; while it was validating this pair the call could still go through!!! Doesn't work anymore(?) so just a passing mention here.

Another use for Motorolas made before 1995 (get one from before this year for all your cloning related fun) is as an eavesdropper. Certain keypresses in test mode (ground pin 5 and power up, enter security code twice to enter test mode), which I will have for you next article, allow you to listen to the channel of your choice. This means you can listen in to any analogue fone conversation in the same cell as you. There is also a channel left for "handing off" to other cells called the ForwardVoiceCell; this can be obtained from the text shown on your fone during handoff to listen to the call which was handed to another cell. If your signal strength is great enough then you can talk to those you are eavesdropping on!!!

This covers the basics of the old time fraud, now to move on to something which is just emerging, PRE-PAY FRAUD.

PRE-PAY FRAUD FOR THE 21ST CENTURY

To meet demand for a more flexible service, one of the two largest cell providers in the UK, Vodafone, launched its "Pay As You Talk" package. The instant I saw the advert on TV I knew that people would scam it eventually. I was right. Everyone this Christmas wants a pre-pay fone.
You couldn't sell one to your own mother, they are in such demand. This is obviously a money spinner, and good news for fraudsters like us. There are now so many pre-pay packages that it's hard to keep up. As I write this every single cell provider has such a package. For this inaugural article I will concentrate on the Vodafone package as I have LOADS of experience with this package.

One such benefit is the anonymity the fone provides. You do not have to sign legal contracts or such with your true identity. Most registration is done by fone or even by post to the provider. So you can register your fone to "Michael Mouse, 10 Sesame Street, Botswana" if you wanted. I know that on analogue PAYT you call 191 and there is an automated registration service. Do not ask for stuff to get sent out to you (it's not your address), but once you register the fone under a false name, there is just about no way of tracing the owner. I believe that this is the same for most packages, although rumours have been floating round that some require a postal registration (easily defeated).

Most services allow topping up by pre-paid card or credit/debit card. This is where the fun begins. Topping up can be done automatically over the fone by calling 191 on Vodafone and asking to top up by credit/debit card. I assume you have your own method of getting these numbers (docs are required too). Just give the details and off you go. It also helps to re-register the fone with the docs on the card. This works on analogue particularly well because there is no postal registration required. On digital PAYT you must register two cards by post if you wish to top up. This does not make it impossible to fraud, just more difficult. Because of this, if you were choosing PAYT go for the analogue option (I know the quality is bad but, hey, it's free ain't it?)

Another rumour going round is that new PAYT cards can be generated from old ones using a simple checksum formula.
I'll definitely get back with more news on this as/when it comes. Also doable is to social engineer the reference code of your local shop for your provider (go for the big superstores who know less about fones). This means you can fone up, say your local store were out of cards and they said to give you the reference number and you'd sort out a top up. A pretty lame way which would wear thin eventually.

So here's the basics of PAYT fraud. I'll get the news updated next ish and will certainly check out other packages OK?

c'ya =The-Doh-Boy=