BellSouth's Mobitex Network

by Dspanky (Blue Collar Hackers Union)


Everyone's heard of a Palm VII, right?  Well Mobitex is the network it runs on.  I'm just going to cover the basics - the network architecture and protocol, not any specific implementation, and talk a little bit about what is needed to monitor it.  I'm assuming that everyone knows how a basic cellular system works...

BellSouth's Wireless Data Network is a cellular TDMA system operating at 896 to 901 MHz and 935 to 940 MHz that implements a protocol called Mobitex.  It is a data-only network, there is no cellular voice communications to share bandwidth with, and is designed for mobile devices such as smart pagers (send and receive messages), email terminals, and the most famous, the Palm VII.  Also, Mobitex is designed to have the ability to implement many underlying protocols, UDP/IP, TCP/IP, etc.  Mobitex is an "open" protocol, meaning you can get all the specifics on a CD-ROM from Ericsson - for the open price of $100.

Overview and Topology

The network topology is analogous to regular cellular networks (surprise!) and is divided into base stations, local and regional switches, and subscriber terminals.  Switches are all inter-connected via land-lines as well as to the Internet.  Users can connect to the network via fixed terminals (host computers) or mobile terminals (a Palm VII).  Where cellular phones use Electronic Serial Numbers (ESNs) and Mobile Identification Numbers (MINs) for identification and authentication, Mobitex devices have ESNs and 8-digit MANs (Mobitex Access Numbers).  Host access (fixed terminals) is almost always provided by a link at the local switch level and uses a PMAN (Personal Mobitex Access Number) and password instead of a MAN so the subscriber isn't limited to a specific fixed terminal.  Finally, there is the Network Control Center (NCC) which regulates and checks ESN, MAN, and PMAN connections and sends DIE and LIVE commands to invalid terminals.


User applications can utilize standard Internet protocols, TCP, UDP, which are encapsulated in Mobitex Packets (MPAKs) until they reach the land-line portion of the network, where they are stripped of the MPAK headers and sent off as normal.  The system also keeps "mailboxes" for packets that are designated for subscribers that are currently unavailable.  MPAKs can contain 1 to 512 bytes of user data.  A one-byte MPAK is a status message.  Status messages are simply 256 numeric messages that can be configured to allow standard messages to be sent quickly.  These are defined by the application and can be used as a replacement for sending actual sensitive data.

MPAK Format

| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 |

   MAN        MAN        |   |     Time             |
                   Traffic   |                      Start
                   State &   |                      of Data
                Subscription |-Packet
                   Flags       Class &

This diagram shows the header attached to each MPAK.

Each number corresponds to one byte.  The first six bytes are the sender and receiver's MAN in hex.

The next byte is divided into two 4-bit subfields, the traffic state and subscription flags.  When sending MPAKs the state is always 0.  Otherwise, it can be 2, 4, 6, 8, A, or C, which specify if it was stored in a mailbox before delivery, if it is to be stored in a mailbox, or if it is unable to be sent, etc.  A and C specify that the network is either overloaded or there is a network problem.  Flags specify if the MPAK is to be put in the receiver's mailbox if they are inactive (1), send an acknowledgment when received (2), or to send to multiple MANs (4).  The class and type is split, the two high-bits for class and five low-bits for type.  I've only found information about two classes, 0 and 3.  0 is the most common and is regular subscriber communication.  3 specifies data terminal service communication.

There are three common types - TEXT (1), DATA (2), and HPDATA (4), which define the type of user data attached.  HPDATA is used in conjunction with the HPID to specify a "Higher Protocol" which can be used by the application.   A valid list of HPIDs can be had from Ericsson for a measly $100.

Hackable, the Bottom Line

Let me first say that any Joe Shmoe with a scanner able to monitor cellular frequencies can't intercept this traffic (at least, not without a lot of work).  You want a digital scanner that does the work for you.  Needless to say, these are rare and expensive.  Assuming you have one of these great devices (or have put in a lot of work...), the possibilities are endless.  For starters, you can log all MANs in your area and when they transmit, you can intercept ESN and MIN pairs, then modify your Palm VII to use these.  Or you can figure out the status messages for a particular implementation, which can give insight into what the user is doing.  Here's an example:

Joe Shmoe has a 'leeto Palm VII which he uses to access his bank account.  Instead of sending his account number over the air (which it has to the first time he accesses it, by the way) it sends a status message of 100.  You will know that every time you see this MPAK on the network, Joe is accessing his bank account.

Remember, status messages differ for each implementation, so a particular status message from a Palm VII might not be the same for something else.  Also, because Mobitex supports other protocols, traffic between the handheld device and networks besides BellSouth's may be encrypted or plaintext.  The Palm VII uses Elliptic Curve Cryptography (ECC) to encrypt its communication with the proxy server.  Plaintext would of course be stupid, but hey, people are stupid.

Last Remarks

As more applications are implemented in wireless environments and with the government's propensity to limit the common man's access to the cellular frequencies, we have to strive to keep the airwaves as free and accessible as they were ten years ago.