Digital CDMA Cloning

by tele

How secure is CDMA really?

I mean come on, when you hear about cloning CDMA you think it's not possible.  They have an A-Key, right?

Hell, if they did have the A-Key implemented it would stop some CDMA cloning but not all.  I am not responsible for what you do with this information.  This is only to demonstrate how easily CDMA can be cloned.

The A-Key

CDMA, TDMA, and now some analog (AMPS) networks have what is called an Authentication Process.

Authentication is a process by which identical calculations are performed in both the network and the mobile phone.

Each subscriber is given a unique numeric 64-bit code called the Authentication Key (A-Key) that is permanently programmed in both the handset and the operator's network before activation.  The A-Key is not transmitted over the air, so cloners cannot intercept it with a radio scanner.

To authenticate a call, the network's Authentication Center (AC) initiates a calculation in both the network and the subscriber's handset.  The parameters of the calculation include the A-Key, the subscriber's NAM, and a random number.

A legitimate handset will produce the same calculated result as the network.  The handset's result is compared with the network's result.  If the results match, the phone is not a clone and the call is allowed.  If the digital networks leave the A-Key turned off or if the A-Key is set to all zeros, then the phone can be cloned.

Supposedly getting the A-Keys is next to impossible and only a few high-level techs in a network's system have access to the codes.
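As an added illustration (not from the article), here is a toy model of the challenge-response the section describes.  It uses HMAC-SHA256 as a stand-in for the CAVE algorithm real networks run, and the key sizes, message layout, sample MIN/ESN values and the "unprovisioned handset holds an all-zero A-Key" default are assumptions made for the demonstration, not CDMA specifics.  It works through the three cases the text raises: a network holding a real A-Key rejects a handset that only copied the over-the-air MIN/ESN, an all-zero A-Key lets that handset pass, and a network with authentication switched off never checks at all.

```python
import hmac
import hashlib
import os

# Constructed parameters for the demonstration (not CAVE values).
A_KEY_LEN = 8                     # 64-bit A-Key, as the text states
DEFAULT_A_KEY = bytes(A_KEY_LEN)  # assumption: an unprovisioned handset holds all zeros
AUTHR_LEN = 4                     # the response sent over the air is a short truncation


def compute_authr(a_key: bytes, rand: bytes, esn_hex: str, min_digits: str) -> bytes:
    """The identical calculation run on both sides: A-Key, NAM fields (MIN and
    ESN here) and the network's random challenge.  HMAC-SHA256 stands in for CAVE."""
    msg = rand + bytes.fromhex(esn_hex) + min_digits.encode("ascii")
    return hmac.new(a_key, msg, hashlib.sha256).digest()[:AUTHR_LEN]


class Handset:
    """A phone's NAM: MIN, ESN and (only if provisioned) the A-Key."""

    def __init__(self, min_digits: str, esn_hex: str, a_key: bytes = DEFAULT_A_KEY):
        self.min_digits = min_digits
        self.esn_hex = esn_hex
        self.a_key = a_key

    def respond(self, rand: bytes) -> bytes:
        return compute_authr(self.a_key, rand, self.esn_hex, self.min_digits)


class AuthCenter:
    """The network side: holds each subscriber's A-Key and checks responses."""

    def __init__(self, auth_enabled: bool = True):
        self.auth_enabled = auth_enabled
        self.subscribers = {}  # (MIN, ESN) -> A-Key

    def provision(self, min_digits: str, esn_hex: str, a_key: bytes) -> None:
        self.subscribers[(min_digits, esn_hex)] = a_key

    def challenge(self) -> bytes:
        return os.urandom(4)  # the random number sent to the handset

    def verify(self, min_digits: str, esn_hex: str, rand: bytes, authr: bytes) -> bool:
        if not self.auth_enabled:
            return True  # "A-Key turned off": the identifiers alone are trusted
        a_key = self.subscribers.get((min_digits, esn_hex))
        if a_key is None:
            return False  # unknown subscriber
        expected = compute_authr(a_key, rand, esn_hex, min_digits)
        return hmac.compare_digest(expected, authr)


def run_scenarios(rand=None) -> dict:
    """Run the three cases and report which ones accept each handset."""
    min_digits, esn_hex = "2125550100", "AB123456"  # constructed sample identifiers
    real_key = bytes.fromhex("0123456789abcdef")    # constructed sample A-Key
    legit = Handset(min_digits, esn_hex, real_key)
    copied = Handset(min_digits, esn_hex)  # only the over-the-air MIN/ESN, default key

    results = {}
    ac = AuthCenter()
    ac.provision(min_digits, esn_hex, real_key)
    if rand is None:
        rand = ac.challenge()
    results["provisioned_accepts_legit"] = ac.verify(min_digits, esn_hex, rand, legit.respond(rand))
    results["provisioned_accepts_copy"] = ac.verify(min_digits, esn_hex, rand, copied.respond(rand))

    ac_zero = AuthCenter()
    ac_zero.provision(min_digits, esn_hex, DEFAULT_A_KEY)  # A-Key left at all zeros
    results["zero_key_accepts_copy"] = ac_zero.verify(min_digits, esn_hex, rand, copied.respond(rand))

    ac_off = AuthCenter(auth_enabled=False)  # authentication never switched on
    results["auth_off_accepts_copy"] = ac_off.verify(min_digits, esn_hex, rand, copied.respond(rand))
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The lesson for an operator is the one the text states: the check is only as good as the key behind it.  A network that leaves authentication off, or provisions the default all-zero key, gets the same acceptance for a copied NAM as for the real one.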

The IMSI

I know that most Sprint PCS phones use what's called the MIN-based IMSI, which stands for International Mobile Subscriber Identity.

The IMSI is a unique 10-15 digit number programmed in the phone which designates the subscriber.  This number is used for provisioning in network elements.

Basically when the phone is roaming it will use the IMSI as the MIN.  The IMSI is now being used by some providers with the MIN and ESN to authenticate a phone on the network.

The IMSI is not a security measure or anything because it's transmitted over the air.  When the phone is roaming it will transmit the IMSI and ESN (instead of the MIN and ESN) over the air to authenticate the phone on the network.

The MIN

The Mobile Identification Number is the ten-digit cellular phone number assigned to the phone's ESN to identify the subscriber on the network.

This is used on air interface standards published before 1994, with the IMSI being the current identity.

Any cloner with a modified RadioShack scanner and Banpaia software can capture the over-the-air IMSI/ESN data or the MIN/ESN data, depending on the phone, and use it to clone a cellular phone.  We are not going to get into how to capture the data in this article.  Maybe in the future I will write another article on how to mod your RadioShack scanner to pick up the 800 MHz cellular band and have a DDI tap.

The ESN

The ESN is a unique number assigned to each cellular phone by the manufacturer and is used with the MIN or IMSI to help authenticate the phone on the network.

It is often said to be very hard to change and blah blah.  The fact is that one can change the ESN of a cellular phone with just some software and a data cable.  Is that easy enough?

The ESN can also be converted from hex to decimal or vice versa.  You can get a few different DOS programs on the Internet that will convert the ESN for you.
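The hex/decimal conversion mentioned above is a fixed format rule rather than something that needs a DOS program, and a fraud analyst reconciling a switch log that records ESNs in hex against a report that quotes them in decimal needs the same rule.  The following converter is an added example, not from the article: it assumes the 32-bit ESN layout of an 8-bit manufacturer code followed by a 24-bit serial, written as 8 hex digits or as 3 decimal digits plus 8 decimal digits (11 digits), and the sample values are constructed.

```python
import re

# ESN layout assumed here: 8-bit manufacturer code + 24-bit serial number.
# Hex form: 8 hex digits.  Decimal form: 3-digit manufacturer + 8-digit serial.
HEX_ESN = re.compile(r"^[0-9A-Fa-f]{8}$")
DEC_ESN = re.compile(r"^[0-9]{11}$")
SERIAL_MASK = 0xFFFFFF


def esn_hex_to_dec(esn_hex: str) -> str:
    """'AB123456' -> '17101193046' (manufacturer 171, serial 01193046)."""
    s = esn_hex.strip()
    if not HEX_ESN.match(s):
        raise ValueError(f"not an 8-digit hex ESN: {esn_hex!r}")
    value = int(s, 16)
    manufacturer = value >> 24
    serial = value & SERIAL_MASK
    return f"{manufacturer:03d}{serial:08d}"


def esn_dec_to_hex(esn_dec: str) -> str:
    """'17101193046' -> 'AB123456'; rejects fields outside their bit widths."""
    s = esn_dec.strip()
    if not DEC_ESN.match(s):
        raise ValueError(f"not an 11-digit decimal ESN: {esn_dec!r}")
    manufacturer = int(s[:3])
    serial = int(s[3:])
    if manufacturer > 0xFF or serial > SERIAL_MASK:
        raise ValueError(f"decimal ESN field out of range: {esn_dec!r}")
    return f"{(manufacturer << 24) | serial:08X}"


def normalize_esn(esn: str) -> str:
    """Canonical upper-case hex form whichever form a record uses.
    The two forms cannot be confused: hex is 8 characters, decimal is 11."""
    s = esn.strip()
    if HEX_ESN.match(s):
        return s.upper()
    if DEC_ESN.match(s):
        return esn_dec_to_hex(s)
    raise ValueError(f"unrecognised ESN form: {esn!r}")


def same_esn(a: str, b: str) -> bool:
    """True when two records, in either form, refer to the same ESN."""
    return normalize_esn(a) == normalize_esn(b)


if __name__ == "__main__":
    # Constructed sample: a switch record in hex and a report line in decimal.
    switch_record = "ab123456"
    report_line = "17101193046"
    print(esn_hex_to_dec(switch_record), esn_dec_to_hex(report_line))
    print("same ESN:", same_esn(switch_record, report_line))
```

Normalising to one form before comparing is the whole trick; a decimal ESN whose manufacturer field exceeds 255 or whose serial exceeds 16777215 cannot be a real 32-bit ESN, so the converter rejects it instead of silently producing a wrong hex value.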

The SPC

The SPC stands for Service Program Code.

Each CDMA phone has a unique six-digit SPC code based on the phone's ESN.

Without the SPC one cannot program the cellular phone's MIN, IMSI, or the ESN.  The SPC code can be reset to 000000, which will unlock the phone.

If your phone is locked and you don't know the SPC you can get a program called Kyocera Unlock Tools (try Google/Yandex).  This program will unlock the following Kyocera models: 2035, 3035, 2135, 2235/2255, 1135, 2325/2345.

Now on to the good stuff.

For the hardware we are going to be using a Kyocera 2235 cellular phone and a standard Kyocera serial port data cable.  (You can buy them on eBay for cheap.)

For the software we will be using a program called "KWC ESN Writer All" (again, try Google/Yandex).  This program will change the ESN on the models named above.

1.)  Attach the phone and data cable to COM1 and power on the phone.

2.)  Run the program and select your phone model from the drop-down list where it says KWC Model.

3.)  Check SPC and enter the phone's Service Program Code.

4.)  Type in your new ESN where it says Wr ESN, then click on Write ESN.

The program will put the phone in Data Mode (DM) and search for the ESN address in the phone's EEPROM.  It will then replace the ESN with the new one.

To change the ESN you're going to need the hex ESN.  Remember the ESN can be converted from hex to decimal or vice versa.

Now you will have to program the phone's MIN or IMSI.  When you're cloning a phone you don't have to program both the MIN and IMSI, just the one the phone is using to authenticate on the network.

1.)  Press 111111 on the phone's keypad then press Option and select Programming.

2.)  The phone will now ask for the Service Program Code.  Enter it and the phone will enter the service programming menu.

3.)  Select Basic NAM1 Info and press O.K.

4.)  Select Phone Number and press O.K.

5.)  Enter the ten-digit MIN or IMSI and press O.K.

6.)  Now press Clr twice and the phone will restart.

Your phone should now be cloned.  Dial 411 to see if it works.

You can also clone TDMA phones with the above hardware/software.  You just have to change the network settings in the phone so the phone uses analog only and it will work fine.

Enjoy!
