About
Community
Bad Ideas
Drugs
Ego
Erotica
Fringe
Society
Technology
Phreak
Boxes, Old and New
Bugs and Taps
Cellular Phones
Introduction to Telecommunications
PBX's and Switches
Payphones
Phone Phun
VMB's, Pagers, E-Mail, and S&F Systems
register | bbs | search | rss | faq | about
meet up | add to del.icio.us | digg it

Hacking Cellular Phones - Part 5


NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
??????????????????? ?????? 6-FEB-89
??????????????????????????? ??????
??????????????????? THE DNA BOX ??????
???????????????????? Hacking Cellular Phones ??????
??????????????????????????? ???
?????????????????????? ???
P A R T F I V E
???????????????????????????????????????????????????????????????????????????

CELLULAR TELEPHONE SIGNALING FORMATS
===========================================================================
(RECC) Reverse Control Channel (mobile-to-tower on control channel)
RECC Message Format:
----------------------------------------------------------
Seizure Precursor:
Dotting (30 bits) 1010101010101010101010101010101
Word Sync (11 bits) 11100010010
DCC (7 bits) xxxxxxx Digital Color Code (DCC)
Received Coded
-------- -------
00 0000000
01 0011111
10 1100011
11 1111100
Message: (from one to five words in length)
First Word repeated 5 times (240 bits)
Second Word repeated 5 times (240 bits)
Third Word repeated 5 times (240 bits)
Fourth Word repeated 5 times (240 bits)
Fifth Word repeated 5 times (240 bits)
----------------------------------------------------------
There are 4 types of RECC messages:
Page Response Message
Origination Message
Order Confirmation Message
Order Message

These are composed of combinations of the following message words:

Abbreviated Address Word:
F (1bit) 1 (first word indicator)
NAWC (3 bits) xxx (number of additional words to send)
T (1 bit) x (0=response,1=origination/order)
S (1 bit) x (1=serial number will be sent)
E (1 bit) x (1=area will to be sent)
(1 bit) 0
SCM (4 bits) xxxx (station class mark)
MIN1 (24 bits) xxxxxxxxxxxxxxxxxxxxxxxxx (coded 7 digit phone number)
P (12 bits) xxxxxxxxxxxx (Parity)

Extended Address Word:
F (1 bit) 0
NAWC (3 bits) xxx
LOCAL (5 bits) xxxxx (local control - system specific)
ORDQ (3 bits) xxx (order qualifier)
ORDER (5 bits) xxxxx (order code)
LT (1 bit) x (1=last try)
(8 bits) 00000000
MIN2 (10 bits) xxxxxxxxxx (coded Area Code)
P (12 bits) xxxxxxxxxxxx

Serial Number Word:
F (1 bit) 0
NAWC (3 bits) xxx
SERIAL (32 bits) xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (serial number)
P (12 bits) xxxxxxxxxxxx

First Word of Called Address: [D1..D16 are the encoded digits]
F (1 bit) 0
NAWC (3 bits) xxx
D1 (4 bits) xxxx Table of Digit Codes:
D2 (4 bits) xxxx -----------------------------
D3 (4 bits) xxxx 1 0001 7 0111 NULL 0000
D4 (4 bits) xxxx 2 0010 8 1000
D5 (4 bits) xxxx 3 0011 9 1001
D6 (4 bits) xxxx 4 0100 0 1010
D7 (4 bits) xxxx 5 0101 * 1011
D8 (4 bits) xxxx 6 0110 # 1100
P (12 bits) xxxxxxxxxxxx

Second Word of Called Address:
F (1 bit) 0
NAWC (3 bits) 000
D9 (4 bits) xxxx (encoded digits, see above table)
D10 (4 bits) xxxx
D11 (4 bits) xxxx
D12 (4 bits) xxxx
D13 (4 bits) xxxx
D14 (4 bits) xxxx
D15 (4 bits) xxxx
D16 (4 bits) xxxx
P (12 bits) xxxxxxxxxxxx
===========================================================================

(RVC) Reverse Voice Channel (mobile-to-tower on voice channel)
RVC Message Format:
--------------------------------------------------------------
Dotting (101 bits) 101010101....101
Word Sync (11 bits) 11100010010
Repeat 1 Word 1 (48 bits) xxxxx ... xxxxx
Dot (37 bits) 1010101010101010101010101010101
Word Sync (11 bits) 11100010010
Repeat 2 Word 1 (48 bits) xxxxx ... xxxxx
. .
. . [same pattern of repetition]
. .
Dot (37 bits)
Word Sync (11 bits)
Repeat 5 word 1 (48 bits)
Dot (37 bits)
Word Sync (11 bits)
Repeat 1 Word 2 (48 bits)
Dot (37 bits)
Word Sync (11 bits)
Repeat 2 Word 2 (48 bits)
. .
. . [same pattern of repetition]
. .
Dot (37 bits) 1010101010101010101010101010101
Word Sync (11 bits) 11100010010
Repeat 5 word 2 (48 bits) xxxxx ... xxxxx
-----------------------------------------------------------
There are two kinds of RVC messages:

Order Confirmation Message
Called Address Message

----------
Order Confirmation Message Word:
F (1 bit) 1
NAWC (2 bits) 00
T (1 bit) 1
LOCAL (5 bits) xxxxx
ORDQ (3 bits) xxx
ORDER (5 bits) xxxxx
(19 bits) 0000000000000000000
P (12 bits) xxxxxxxxxxxx
---------
---------
Called Address Message, First Word:
F (1 bit) 1
NAWC (2 bits) 01
T (1 bit) 0
D1 (4 bits) xxxx
D2 (4 bits) xxxx
D3 (4 bits) xxxx
D4 (4 bits) xxxx
D5 (4 bits) xxxx
D6 (4 bits) xxxx
D7 (4 bits) xxxx
D8 (4 bits) xxxx
P (12 bits) xxxxxxxxxxxx

Called Address Message, Second Word:
F (1 bit) 1
NAWC (2 bits) 00
T (1 bit) 0
D9 (4 bits) xxxx
D10 (4 bits) xxxx
D11 (4 bits) xxxx
D12 (4 bits) xxxx
D13 (4 bits) xxxx
D14 (4 bits) xxxx
D15 (4 bits) xxxx
D16 (4 bits) xxxx
P (12 bits) xxxxxxxxxxxx
--------
===========================================================================

(FOCC) Forward Control Channel (tower-to-mobile on control channel)
FOCC Message Format:
--------------------------------------
Dotting (10 bits) b1010101010
Word Sync (11 bits) b11100010010
Repeat 1 word A (40 bits) bxxxxxxxxxxbxxxxxxxxxxbxxxxxxxxxxbxxxxxxxxxx
Repeat 1 word B (40 bits) A Busy/Idle Bit (b) is inserted
Repeat 2 word A (40 bits) at the beginning of Dotting and
Repeat 2 word B (40 bits) Word Sync, and every 10 bits
Repeat 3 word A (40 bits) during word repetitions beginning
Repeat 3 word B (40 bits) at the start of the first word.
Repeat 4 word A (40 bits) b=1 when the RCC is Idle.
Repeat 4 word B (40 bits) b=0 when the RCC is Busy.
Repeat 5 word A (40 bits)
Repeat 5 word B (40 bits) bxxxxxxxxxxbxxxxxxxxxxbxxxxxxxxxxbxxxxxxxxxx
Dotting (10 bits) b1010101010
-------------------------------------
There are three types of FOCC messages:

Mobile Station Control Message
Overhead Message
Control-filler Message

Mobile Station Control Message: (one,two or four words)
------------------------------
Abbreviated Address Word:
TT (2 bits) 0x (00=if one word sent, 01=if multiple words sent)
DCC (2 bits) xx Digital Color Code
MIN1 (24 bits) xxxxxxxxxxxxxxxxxxxxxxxx
P (12 bits) xxxxxxxxxxxx

Extended Address Word: (two versions of this word occur)
----------------------------- -----------------------------
TT (2 bits) 10 TT (2 bits) 10
SCC (2 bits) 11 SCC (2 bits) xx [not=11]
MIN2 (10 bits) xxxxxxxxxx MIN2 (10 bits) xxxxxxxxxx
(1 bit) 0 (1 bit) 0
LOCAL (5 bits) xxxxx VMAC (3 bits) xxx (attenuation code)
ORDQ (3 bits) xxx CHAN (11 bits) xxxxxxxxxxx (channel number)
ORDER (5 bits) xxxxx P (12 bits) xxxxxxxxxxxx
P (12 bits) xxxxxxxxxxxx

First Directed-Retry Word:
TT (2 bits) 10
SCC (2 bits) 11 SAT Color Code
CHANPOS (7 bits) xxxxxxx channel position relative to first access channel
CHANPOS (7 bits) xxxxxxx
CHANPOS (7 bits) xxxxxxx
(3 bits) 000
P (12 bits) xxxxxxxxxxxx

Second Directed-Retry Word:
TT (2 bits) 10
SCC (2 bits) 11
CHANPOS (7 bits) xxxxxxx
CHANPOS (7 bits) xxxxxxx
CHANPOS (7 bits) xxxxxxx
(3 bits) 000
P (12 bits) xxxxxxxxxxxx
-------------------------------
-------------------------------
Overhead Messages:
System Parameter Overhead Message:
Global Action Overhead Message:
Registration Identification Message:
Control-filler Message:

System Parameter Overhead Message:
----------------------------------
System Parameter Word 1:
TT (2 bits) 11
DCC (2 bits) xx
(3 bits) 000
NAWC (4 bits) xxxx
OHD (3 bits) 110 (overhead message type)
P (12 bits) xxxxxxxxxxxx

System Parameter Word 2:
TT (2 bits) 11
DCC (2 bits) xx
S (1 bit) x (serial number flag)
E (1 bit) x (extended address flag)
REGH (1 bit) x (registration for home stations)
REGR (1 bit) x (registration for roaming stations)
DTX (1 bit) x (discontinuous transmission flag)
(1 bit) 0
N-1 (5 bits) xxxxx (number of paging channels in system minus 1)
RCF (1 bit) x (read-control-filler flag)
CPA (1 bit) x (combined paging/access flag)
CMAX-1 (1 bit) x (number of access channels in system minus 1)
END (1 bit) x (1=last word of overhaed message train)
OHD (3 bits) 111
P (12 bits) xxxxxxxxxxxx
-------------------------------
-------------------------------
Global Action Overhead Messages:

Rescan Global Action Message:
TT (2 bit) 11
DCC (2 bits) xx
ACT (4 bits) 0001
(16 bits) 0000000000000000
END (1 bit) x
OHD (3 bits) 100
P (12 bits) xxxxxxxxxxxx

Registration Increment Global Action Message:
TT (2 bits) 11
DCC (2 bits) xx
ACT (4 bits) 0010
REGINCR (12 bits) xx (registration increment)
(4 bits) 0000
END (1 bits) xx
OHD (3 bits) 100
P (12 bits) xx

New Access Channel Set Global Action Message:
TT (2 bits) 11
DCC (2 bits) xx
ACT (4 bits) 0110
NEWACC (11 bits) xxxxxxxxxxx (new access channel starting point)
(4 bits) 0000
END (1 bit) x
OHD (3 bits) 100
P (12 bits) xxxxxxxxxxxx

Overload Control Global Action Message:
TT (2 bits) 11
DCC (2 bits) xx
ACT (4 bits) 1000
OLCD0 (1 bit) x (overload class flags)
OLCD2 (1 bit) x
OLCD3 (1 bit) x
OLCD4 (1 bit) x
OLCD5 (1 bit) x
OLCD6 (1 bit) x
OLCD7 (1 bit) x
OLCD8 (1 bit) x
OLCD9 (1 bit) x
OLCD10 (1 bit) x
OLCD11 (1 bit) x
OLCD12 (1 bit) x
OLCD13 (1 bit) x
OLCD14 (1 bit) x
OLCD15 (1 bit) x
END (1 bit) x
OHD (3 bits) 100
P (12 bits) xxxxxxxxxxxx

Access Type Paramters Global Action Message:
TT (2 bits) 11
DCC (2 bits) xx
ACT (4 bits) 1001
BIS (1 bit) x (busy/idle status flag)
(15 bits) 000000000000000
END (1 bit) x
OHD (3 bits) 100
P (12 bits) xxxxxxxxxxxx

Access Attempt Parameters Global Action Message:
TT (2 bits) 11
DCC (2 bits) xx
ACT (4 bits) 1010
MAXBUSY-PGR (4 bits) xxxx (maximum busy occurrences, page response)
MAXSZTR-PGR (4 bits) xxxx (maximum seizure tries, page response)
MAXBUSY-OTHER (4 bits) xxxx (maximum busy occurrences, other accesses)
MAXSZTR-OTHER (4 bits) xxxx (maximum seizure tries, other accesses)
END (1 bits) x
OHD (3 bits) 100
P (12 bits) xxxxxxxxxxxx

Local Control 1 Message:
TT (2 bits) 11
DCC (2 bits) x
ACT (4 bits) 1110
LOCAL CONTROL (16 bits) xxxxxxxxxxxxxxxx (any local control code)
END (1 bits) x
OHD (3 bits) 100
P (12 bits) xxxxxxxxxxxx

Local Control 2 Message:
TT (2 bits) 11
DCC (2 bits) xx
ACT (4 bits) 1111
LOCAL CONTROL (16 bits) xxxxxxxxxxxxxxxx
END (1 bits) x
OHD (3 bits) 100
P (12 bits) xxxxxxxxxxxx
-------------------------------
Registration Identification Message:

TT (2 bits) 11
DCC (2 bits) xx
REGID (20 bits) xxxxxxxxxxxxxxxxxxxx (registration ID)
END (1 bit) x
OHD (3 bits) 000
P (12 bits) xxxxxxxxxxxx
------------------------------------
Control-Filler Message:

TT (2 bits) 11
DCC (2 bits) xx
(6 bits) 010111
CMAC (3 bits) xxx (current mobile attenuation)
(7 bits) 0011001
WFOM (1 bit) x (wait for overhead message)
(4 bits) 1111
OHD (3 bits) 001
P (12 bits) xxxxxxxxxxxx
===========================================================================
(FVC) Forward Voice Channel: (tower-to-mobile on voice channel)
FVC Message Format: * BUSY/IDLE bits are inserted into FVC messages in a
format similar to that of FOCC messages)
--------------------------------------------------------------
Dotting (101 bits) 101010101...101
Word Sync (11 bits) 11100010010
Repeat 1 Word (40 bits) xxxxx...xxxxx
Dot (37 bits) 1010101010101010101010101010101
Word Sync (11 bits) 11100010010
Repeat 2 Word (40 bits) xxxxx...xxxxx
Dot (37 bits)
Word Sync (11 bits)
Repeat 3 Word (40 bits)
. .
. . [same pattern of repetition]
. .
Dot (37 bits) 1010101010101010101010101010101
Word Sync (11 bits) 11100010010
Repeat 11 Word (40 bits) xxxxx...xxxxx
-----------------------------------------------------------
There is only kind of FVC message:

Mobile Station Control Message:

Mobile Station Control Word: (two versions of this word occur)
----------------------------- -----------------------------
TT (2 bits) 10 TT (2 bits) 10
PSCC (2 bits) xx PSCC (2 bits) xx (present SAT code)
(9 bits) 000000000 (9 bits) 000000000
LOCAL (5 bits) xxxxx VMAC (3 bits) xxx (attenuation code)
ORDQ (3 bits) xxx CHAN (11 bits) xxxxxxxxxxx (channel number)
ORDER (5 bits) xxxxx P (12 bits) xxxxxxxxxxxx
P (12 bits) xxxxxxxxxxxx

===========================================================================
* See Part Six for information describing various codes used in message
word fields.
===========================================================================
???????????????????????????????????????????????????????????????????????????
? The DNA BOX - Striking at the Nucleus of Corporate Communications. ?
? A current project of... ?

Outlaw
Telecommandos
?????????????????
?????????????????
?01-213-376-0111?
 
To the best of our knowledge, the text on this page may be freely reproduced and distributed.
If you have any questions about this, please check out our Copyright Policy.

 

totse.com certificate signatures
 
 
About | Advertise | Bad Ideas | Community | Contact Us | Copyright Policy | Drugs | Ego | Erotica
FAQ | Fringe | Link to totse.com | Search | Society | Submissions | Technology
Hot Topics
Php
Withstanding an EMP
Good computer destroyer?
Wow, I never thought the navy would be so obvious.
Alternatives Internets to HTTP
Anti-Virus
a way to monitor someones AIM conversation
VERY simple question: browser history
 
Sponsored Links
 
Ads presented by the
AdBrite Ad Network

 

TSHIRT HELL T-SHIRTS