Introduction to Digital Cellular Phones
By Rasteri (rasteri@whoever.com)
December 2001

Contents

* Disclaimer
* Introduction
  o Introduction to the Introduction
  o What you need
* Manufacturers
  o Nokia
  o Motorola
* Techniques
  o Unlock your phone
  o Change your IMEI number
  o Get yourself some SIM cards
* Cloning
  o Getting the SIM
  o Grabbing the Ki
  o Making a fake SIM
  o Using
* What to use it for
  o Anonymous Calls
  o Abuse
* More stuff to try
  o AT+C
  o FBUS protocol
  o Nokia Communicators
* About this document ...

Disclaimer

I take no responsibility for the damage of your phone, the revocation of your mobile account, any criminal charges placed against you, your family or your friends, or any other adverse effects that may result from the reading of this document. Do so entirely at your own risk. This document is provided for information purposes only!

Introduction

Introduction to the Introduction

Once upon a time, there were analogue cellphones. From a phreaker's point of view, they were great - making calls charged to other people was as easy as plugging a scanner into your computer and waiting for someone to make a call (well, there was slightly more to it than that, but that is hardly the purpose of this document). You could listen in to people's calls using just a scanner, and even track people from cell to cell using a modified cellphone. From a network's point of view, they were (understandably) a nightmare. I'm sure you've all heard various tales of that guy who was busted making thousands of calls to his own premium rate number from cloned analogue handsets.

Then digital cellphones came along. These had "uncrackable" encryption, a smaller cell radius, and better looking handsets :) They were adopted very quickly by most users of analogue cellphones, and thanks to the 1999 (or thereabouts) plummet in phone costs, well over 50% of the population now have some kind of GSM mobile phone.
What you need

This is a list of stuff you will probably want to have if you're going to be mucking about with phones.

Handset
A cheapo Nokia 5000/6000 series is the best, although it'd be handy to have a Motorola lying around too. Some of the newer models can't make data calls (I believe the 3310 can't). One with a built-in modem would be ideal, although I just have a 5130 (aka nk402) and it does me fine.

Data Cable
You can pick these up for a fiver used on ebay, or a tenner on one of the many places that sell them. See the manufacturers section for more details.

Smartcard Reader
These can be dirt cheap, or frighteningly expensive. I suggest one with both phoenix and smartmouse protocol support. Make sure it has a 3.57MHz clock, and optionally a 6MHz one as well (but not instead). If you fancy having a bash at your own, the dumb mouse would be a good choice (search for it on google).

PIC programmer
Useful as hell, not just for mobile stuff, and really, really easy to make. Can be picked up for less than a tenner if you hunt around, although try to get one with a built-in smartcard slot if you can. If you fancy making your own, run a search for the "JDM" programmer.

Gold Cards
Think of it as a kind of blank smartcard. It can be used to emulate a SIM card, hence cloning becomes a possibility.

Data Suite
If your phone doesn't have a built-in modem then a data suite is a must. The "official" Nokia Cellular Data Suite costs money, and is only available for Windows. There is a 3rd party data suite called Gnokii (available at http://www.gnokii.org). It should be all you need, although it can be buggy sometimes and only supports Nokia phones (so far...).

Manufacturers

Initially, there were only a few manufacturers of GSM mobiles, the most prominent being Nokia and Motorola. Now, every manufacturer and his dog has had a go at making some kind of mobile, be it Bosch, Philips, Sony or Siemens.
For this article I'll mostly be concentrating on Motorola and Nokia, as they are the kinds I've had the most experience with. However, a lot of the time, the same rules will apply to all makes of phone.

Nokia

Nokia phones are perhaps the best to fiddle around with. The 6000 series is probably the best for this, but the 5000 and 9000 hold their own too. Let's have a little run down of some of the features that make them worth considering -

Data Cables
Data cables for Nokias are very cheap and easy to get hold of. You can either buy one (bidding for one on ebay is a good choice) or make one yourself - there is a brilliant guide to constructing one at http://www.panuworld.net/nuukiaworld/hardware/cables/

Software
Software for Nokias is very abundant. Just do a search on google. However, you'll probably want to start with a copy of gnokii (http://www.gnokii.org). For this you'll need some UNIX variant. I use OpenBSD, although linux is more popular and easy to use. Compile and install it, and make sure it works with your data cable.

Netmonitor
(Figure: netmonitor.ps)
All modern Nokia phones have the hidden "Net Monitor" menu. This enables you to view status about the current cell, network, forbidden/allowed networks and even battery voltage/temperature. To enable this you will need a data cable.

Un-sp-locking
Unlocking Nokias is as easy as plugging in your data cable and running an unlocking program. This will allow your phone to use SIM cards from ANY network that uses your phone's frequency. Most of the time these programs are for windows, so you'll need to be running that (but once your phone is unlocked you can just delete it again).

Motorola

Motorolas, while not as fun to play with as Nokias, have some unique features.

Test/Clone Card
Test cards are a special kind of SIM card that switches the phone into "Test" mode. This is sort of a poor man's Netmonitor, although it has some unique features, such as displaying Kc.
The clone card is used for making a complete duplicate of all the user data in the handset, including the phone book, startup logo and various settings.

Data Cables
Data cables for Motorolas can be very expensive. You'll probably need to hunt around a bit. Check ebay, though, because they occasionally have cheap ones. Other than that, try searching on google. You can also build your own using the various schematics lying around the net, but they can be hard to come by. Hey, if you don't look, you won't find.

Software
Software for Motorolas is usually just for un-sp-locking, although there are a few IMEI changers floating around. Also, changing startup graphics is a possibility.

Techniques

Unlock your phone

The first thing you want to do is unlock your phone. You will probably be using SIM cards from a few different networks, and this is really the only way to bypass the SP lock that your network put on. This is the part that you need Windows for, and I suggest Windows 95, preferably one of the OEM service releases. Install it (although you'll probably need to reinstall your bootloader because Windows screws it up), and download some unlocking programs from somewhere like http://mobile.box.sk/ . Then make sure no programs are running (CTRL-ALT-DEL, then shut down everything except explorer and systray) and run whatever unlocking program you like the look of. This could screw up your phone, so make sure the model/OS version of your phone is listed in the program's readme file.

Change your IMEI number

WARNING - Changing your IMEI number is illegal, so DON'T DO IT! This information is provided for information ONLY!

You will probably need windows for this too. Download an IMEI changer and it will usually give you a text box to type in the IMEI number you want your phone to have. You can find out your current IMEI number by typing *#06# into your phone. This should be pretty self-explanatory. Don't make TOO erratic a change, just change the last 5 digits or so.
Get yourself some SIM cards

You will want some prepay SIM cards from a few different networks. Try and get second hand SIM cards from people you don't know, as they will be the cheapest and least likely to be traceable. You can get these at car boot sales, in old mobiles or from computer or radio fairs. If you're having difficulty there, go to some corner mobile shop and see if they sell SIM cards (try and make sure it's either a busy shop, or it has no cameras). Pay in cash, and if possible, don't register your SIM card. Register it with a fake name if this is not possible. Use the card in a phone that has never had any SIM card registered to you in it, and change the IMEI number of the phone if it has any possible connection to you. (This might not make you TOTALLY anonymous, but you'll be damn close.)

Cloning

WARNING - This is probably even more illegal than changing your IMEI number!

Yes folks, old-skool-analogue-stylie cloning is still possible, with one (very large) drawback - you need physical access to the SIM card in order to clone it. Even worse, the cloning process can take more than 10 hours, due to the Ki (secret encryption key) code having to be brute-forced out of the SIM card.

You may be thinking, "what's the point in cloning someone's SIM card to be anonymous when you can just use a SIM card registered under a false name?". Well, with prepay SIMs, you have to do exactly that - pay before you call. As there is no real way to get free calls on a prepay account, a contract SIM is a far better idea. It is very difficult to register a contract (i.e. pay monthly) SIM under a false name, as you'd need a credit card. Hence, it's a far better idea to clone a contract SIM that is already registered.

Getting the SIM

Unfortunately (depending on your disposition), the best way to do this involves stealing. You need to get hold of someone's phone, and at the very least, their SIM card.
There is more than one way to do this, and you can probably think of a few yourself. Here are a few suggestions.

The sneaky way
Ask someone if you can try your SIM in their phone (your phone is "broken") and instead of replacing their SIM when you're done, leave your SIM in their phone and pocket theirs. They probably won't notice for a while.

The obviously illegal way
Simply nick someone's phone out of their pocket, take it home, copy their SIM, and hand the phone in to the police afterwards.

The other sneaky way
Set yourself up as some kind of outfit that needs access to mobile phones overnight (hint... mail order unlocking?) and clone their SIM, before giving it back to them.

Grabbing the Ki

HINT - You will probably need to be running DOS for this, although DOSEMU should be OK.

So you have a SIM card that you want to clone. Download a copy of SimScan (do a search on google), and slot the SIM you want to clone into your smartcard reader (using a small-to-big adapter if necessary). Now run SimScan's Ki brute-forcing tool on it (after making sure it works by getting the ATR) and leave it for a few hours. Now write down the Ki. You'll need it later.

Making a fake SIM

Go download a copy of SIMPic (again, search on google) and follow the instructions that come with it. Oh, and you'll need a copy of Winexplorer as well. You have to program SIMPic onto a gold card, then program the EEPROM on the gold card using Winexplorer.

Using

Just stick the SIM in your phone :) There might be a problem if your phone only takes small-type SIMs... if this is the case (it probably is) then you'll need to either cut around the gold card using a small card as a template (this MIGHT work, although a lot of gold cards have electronics all the way through the card) or make some sort of adapter, to allow the card to be used externally. The latter is left as an exercise for the reader, although using the metal contacts of an old SIM and then soldering wires to them has worked for me.
What to use it for

If you can't figure this out by yourself, why did you want to do it in the first place? Here are two suggestions though...

Anonymous Calls

This is probably what half of you want to use a cellphone for. It is the one true way to be totally anonymous. Dial into your ISP (remember to sign up in a fake name!) and do whatever you want in the secure knowledge that it is EXTREMELY unlikely you'll get caught. Wardial without having to use your own money. Hack from home. Break into PBXs/voicemail without having to stand for hours in a freezing payphone. Whatever you want.

Abuse

Call up that so-called "friend" of yours who just stole your girlfriend and play mindgames with him until he goes mad and commits suicide.... maybe not.

More stuff to try

This is about as far as you can go without having to delve into some fairly in-depth technical stuff. If you fancy having a go, here are some things you can start with.

AT+C

The AT+C command set present in all Nokia phones (plus gnokii, NCDS, etc...) allows you to access some lower-level parts of the GSM standard. For instance, using a well-crafted AT+C command, you can send a message that will crash most Nokia phones (please don't ask me how to do this, if you can't figure it out yourself you probably shouldn't be using it).

FBUS protocol

Gnokii comes with a partial description of the protocol used for communication between a PC and a Nokia handset. If you want to do some really low-level stuff, read this. Although don't do it until you've explored the AT+C command set.

Nokia Communicators

You might not have heard of this type of phone, but basically it's a PDA bolted onto a Nokia 2110. The great thing about this is you can make your own software for it, using a version of C++. If you have this type of phone, get hold of the SDK. You can't download it; you'll have to either buy it from Geoworks (who make the operating system) or beg Nokia to give you a copy of it (hey, worked for me :).
There have yet to be any phreaking/hacking oriented programs made for this phone, but there's no reason why you shouldn't develop some. Make a war dialler, a port scanner, or whatever takes your fancy. I'm still learning the ins and outs of this phone, and I would imagine I'll go on to use it for greater things. Oh - get a copy of BTERM for it, it lets you directly access the built-in modem from the PDA (which also just happens to support the AT+C command set :).

About this document ...

Introduction to Digital Cellular Phones

This document was generated using the LaTeX2HTML translator Version 2K.1beta (1.61).

The command line arguments were:
latex2html -split 0 cellphreak.tex

The translation was initiated on 2002-01-09.