DesTRuCTivE PRODUCTION

PRESENTS: THE BEGINNERS GUIDE TO CELLULAR PHREAKING
WRITTEN FOR UK PHREAKS
-=bY CyB3rn3+!k=-

============================================================================

LEGAL REQUIREMENTS: I have done, won't do, don't actually know anything about anything in this document (this message and those following it). I have absolutely no intention of doing so and all that is here is completely fictional - Any resemblance to reality is coincidental or guesswork or public knowledge. In no way do I advise the reading let alone following of the information below and it is not in any way to be construed as instructions - simply a literary exercise in the fiction of intellectual guesswork.

This file is not to be distributed to or by any system, be it bbs or otherwise, that charges in any way for full or partial use. In other words, I'm not being paid to write this, so why should you get paid to distribute it?

============================================================================

This guide will hopefully show you all how to make free calls from cellular fonez. I have written this with the absolute beginner in mind, if you are "eleet" then this file ain't for you. After reading many text files that talk about NAM memory maps, EPROM emulators and so on I have realised that there is a need for new files that actually have current info!

Reprogramming cellular fonez can be as easy as buying a lead and plugging it into a PC and fone, run some software and you are away.. I have lost count of the number of times that I have been asked what equipment you need to rechip cellular fonez, most people seem to think that it's gonna cost big buck$. I read one text file from the US that stated a minimum of $2000 to rechip fones.. yeah, right, as if we have that sorta ca$h to burn.. anywayz, on with the show..

Why cellular?
-------------

Haven't you ever thought how kewl it would be to make free calls from anywhere? Go read the Cellnet advertising leaflets, 98% coverage of the UK, fonez that you can take anywhere and do anything with.. Now imagine being able to do that for free. Doesn't that sound good? Yeah, sure it does!

Now you're probably thinking, "Why should I bother with cell fonez when I can already blue box globally?" Well global boxing ain't gonna be around for ever. It's been presumed dead once already, how long do ya reckon it's gonna last this time? And it is a hell of a lot easier for BT to trace you than for Cellnet or Vodafone. Another good thing about cellular is the fact that you can get 9600 bps connects, and practically error free as well... Look to the future of phreaking, look to cellular...

Getting a fone
--------------

There are several wayz to go about this. I'll give a brief outline of each below..

1. Steal it! If you see someone talking on a mobile fone, and they put it down for a moment, just walk up and grab it. Alternatively, if you know anybody who deals in stolen gear, have a talk to them about getting a cell fone..

2. Buy it! This is probably your best bet. Either post some messages on your favourite hack/phreak bbs asking for fonez, or look out for people selling them. Check out DAC BBS, there's plenty of fonez for sale on there.. ;-) If you don't trust others to send ya the goods then check out your local advertising paper.. Look up the phones/business sections and see what's for sale in the second hand market. Most will be disconnected already and you may be able to get some of the older/rarer fonez such as bricks (Motorola 8500/8800). Great phun! If you want a brand new fone then why not get some fake id? You usually need two forms of id, then go to your local mobile fone shop and choose yer fone. The great thing about this is that you will also get a month's free connection before they discover they've been had. For more info on this read "FONE_EXP.TXT", available on DAC (of course ;-))

But which fone, there are so many?
----------------------------------

This is a good question. What do you want your fone for? If you want to use a modem on it then it must have good signal reception and be easy to convert for modem operation. If you just want it for voice calls then you will want something that is small and light. The most essential thing is that you must be able to get the reprogramming software for it. The cellular area on DAC has loads of software, if you intend to buy a fone make sure the s/w is there before you hand over the ca$h. Here's a list of fonez which are recommended and easy to reprogram...

Voice
-----

Motorola hand portables          - 8500X, 8800X, 9800X, Flip fone, Personal fone.
Motorola car (not very mobile!)  - 4500X, 4800X, 6800X
NEC mobile                       - P3, P4, P100, 9A
NEC car                          - 11A (Haven't seen software for this)
Panasonic mobile                 - D,E,F (haven't seen software for these) or I (s/w ok)
Sony mobile                      - CMH-333 (mars bar)

Modem
-----

Well in theory it's possible to connect a modem to any cell fone but these are the best at the moment.

Motorola car                     - 4500X, 4800X, 6800X
NEC mobile                       - P3 (fax cable?)
Motorola hand portable           - 8500X (soon?)

I know that in the US there are special modem interfaces, and even cellular modems! Might be worth your time looking thru a few US mobile fone mags if you can't get your hands on a Motorola 4500/4800. I believe that there is a fax cable for the P3 that can be modified to take a modem, but I don't have any details on it.

DaveX's modem interface can be used on any fone that has audio tx/rx pins. This would probably include Motorola Flips and a few others but since I don't have any firm details on those it's best to leave them out. The Motorola 8500X has audio rx but not tx (I think?). I am working on a mod that involves taking the fone apart... Basically the best that you can get for a modem is the Motorola 4800X. As always, leave mail on hp bbses, I know at least one person who is selling these brand new.

Okay, so let's assume that you have obtained one of the above fonez. What do you do now? Well, call up a hack/phreak bbs and see whether the software is available for your fone. Or just call DAC, they have software for all of the fonez which I have listed above. The cables will need to be made from diagrams, I have enclosed a file called "WIRING.TXT" which has the cables for several of the above fonez. If the cable ain't there then it will be in the archive along with the rechipping software. Go along to your local electronics shop and get them to make the lead if you can't solder (tell em it's for an obscure type of modem or something).

Now all of you PC owners are sorted as far as the hardware goes.
But wait, I hear somebody cry, what about me - I have an Amiga! Doh! As far as I know there is no reprogramming software for any computer other than the PC. However, there is still a chance for all of you Amiga/Archimedes/whatever dewdz. Let's hear it for .....

The legendary NEC P3 test rom
-----------------------------

Yes, this test rom which is available from all good bbs's will allow you to reprogram an NEC P3 from the keypad, without any additional hardware or software. Sounds kewl, huh? All you need is an NEC P3 fone, and the eprom from its innards. Get someone to reprogram the eprom (again, ask on the hack/phreak bbs's) and stick it back in your fone. Voila! You can now auto scan channels and reprogram the fone from the keypad! Excellent if you don't have access to a PC...

MIN/ESN Pairz
-------------

So what else do you need before you can make free calls? Well, if you've read any of the other text files they probably say something like "MIN,ESN, station class, min mark etc." Not very helpful, eh? All that you really need is the MIN and ESN of another fone.

The MIN is the Mobile Identification Number. This is basically the same as a normal fone number (such as 0831 347546) but with the "area" code replaced with a special mobile system number. The system id for the 0831 prefix is 2344, so the MIN of the above number would become 2344 347546. The system id for 0850 is 2346, so the fone number 0850 456673 would have the MIN 2346 456673. Here is a list of all of the mobile prefixes and system ids:

VodaFone
=-=-=-=-

Phone Number    System Number    System Type
============    =============    ===========
    0374            2345            ETACS
    0378            2343            ETACS
    0831            2344            ETACS
    0836            2340            ETACS
    0589            2347            ETACS    <- I found the 0589 code!

--------------------------------------------------

Cellnet
=-=-=-=

    0585            2349            ETACS
    0850            2346            ETACS
    0860            2342            ETACS

Credits to the (unknown) original author for these numbers.

There are others, but they are for a different system that you won't be abusing (yet).

The ESN is the Electronic Serial Number. Each fone has its own individual ESN. On many fonez you can reprogram the MIN from the keypad, but not the ESN which makes it useless for phreaking. The only fone which you can reprogram the ESN from the keypad is the NEC P3 with a test rom. The ESN is in the format 15/11/00/40049. Each fone should have a unique ESN. Whenever you place a call the MIN and ESN are read from your fone and compared to a national database which holds details of all of the ESN and MIN pairs in the country. If your MIN/ESN pair match then the call will go through.

So to sum up, you need to get some MIN/ESN pairs from somewhere.

How to get MIN/ESN pairz
------------------------

This is the most difficult thing about cellular phreaking. If you are either very clever or very rich then you can make or buy a MIN/ESN pairs snarfer. This will read the MIN and ESN from any fones which are in your area and you will then be able to program your fone with these new numbers. On the other hand, there are several alternative methods used by cellular phreaks to get MIN and ESN pairs.

1. Trashing. You've probably read about this in other files. You go along to your local fone shop on the day that they put their rubbish out and wait. As soon as they throw the bin liners out into the street just walk along and grab them! This is best if you have a car because a) you can make a fast getaway and b) you can carry more loot. Now sort through all of the rotten food and look for pieces of paper.. check these out and look for any sort of numbers. If you find any with mobile numbers and a number like 02/08/00/18199 next to them then well done! You have found a MIN/ESN pair. A typical trashed document might look like this:

    Dear Mr Jones,

    Please can you ensure that the following fonez are returned to their owners. All of them have now been reprogrammed after the recent spate of fraud that has recently occurred.

    Phone number        New ESN
    0374 144213         03/11/00/58403
    0831 146395         15/04/00/54464
    0831 148324         02/12/00/25757
    0831 155439         03/37/00/14593
    0831 158369         03/16/00/45173

    Yours sincerely,

    A. N. Ass

(Note these are real pairs taken from DaveX's xmas pressie - a list of over 400 pairz!)

Now with these pairz you can run home and reprogram your fone. Guess what? Yup, it's free callz time! But what if you don't live near to any mobile fone shops? Well, you could always ...

2. Voice hack 'em! Just pick a random mobile number and call it. When the bloke answers, say something to the effect of:

    You: Hi, I'm from Vodafone. We're sorry to have to inform you that an evil hacker has been running huge bills up using your mobile fonez id. If you can give me your ESN number we will be able to stop him and you won't get billed for any of the calls that he has made so far.

    Victim: Uh, okay. How do I get my fonez ESN?

    You: Take the battery off your fone. The ESN is usually located on a printed sticker under the battery. Just write it down and I will call you back in a few minutes.

    Victim: Sure, no problem. Bye!

Well there ya go. You will have his fone number, and when you call back you will get his ESN! Great, now just clone his fone and start running up a huge bill from the "Evil Hacker".

There is another way, but it involves more risk. I've done it and it works though, so here it is ...

3. Go into a mobile fone shop and look around. Check out whether they have anything on the counter, you know, useful stuff like sheets of paper with pairz on. Now perhaps you can just grab the sheets and walk off without anyone seeing ya, but what I did was to go up to the babe at the counter and say "Hey, gimme some pairz!" Heh heh. Nah, what I actually said was "I'm interested in buying a battery eliminator for a Motorola 8500X fone. Do you sell them?" She said "Wait here. I'll go and check." As soon as she was away I opened up the big notepad on the desk and started to copy out the pairz...
she came back pretty quickly so I only got about 4 pairz, but what the hell, it's better than nowt.

Using the pairz
---------------

Now you have a fone, a programming kit and some pairz. Connect your PC and the fone using the cable or adaptor. Now run the software. Depending on the software, you will be told the MIN and ESN that are already in the fone. Just replace these with your new "stolen" pairz and exit from the software. Now unplug your fone and turn it on. Excellent! Free call time!

It is best to use the pairz at nights, or whenever the real owner isn't using his/her fone. You see, if the cellular system detects that two fonez with the same identification are making calls at the same time then they will know that something is up, and the MIN/ESN pair will be automatically cancelled. If your fone is showing some kind of error message such as "No SVC" then the pair has been cancelled. Sometimes you will get an error message such as "Your fone service has been temporarily suspended. Please contact your contract supervisor for advice". When the old pair has been used up like this, just program a new one in.

Modems
------

Check out DaveX's "MODEM-2-.TXT" file for details of how to build a modem to cellular telephone interface. Alternatively, you could fone the manufacturer of the fone and ask them about connecting a modem to their fonez. Explain how you're a business man who does lots of travelling and needs to access his company's computer network while you're away. Or you could order a proper interface from the US...

If you still think that you ain't got what it takes to reprogram a cellular telephone then go buy Exchange and Mart. The fonez section in here has loads of companies selling software and reprogramming interfaces. For example a complete rechipping kit for the Sony Mars Bar is only £35. If you don't like the idea of soldering your own cables and interfaces then these are the dewdz to check out!

And finally...
--------------

I hope you have enjoyed this little romp through the art of cellular fraud. Hopefully this will encourage hordes of hackers and phreakers to go out and buy a cell fone and get some carnage of Cellnet/Vodafone in. A big HI! to everyone who has ever helped me with this stuph, and all those who will in the future..

Hmm, what do ya reckon for my first text phile? Not bad, I think. Anywayz, I must go, I can see the sun coming up. Till next time!

Contact me via Duk n Cover on 01634 686963. A kewl BBS!

L8rz,

----------------------------------------------------------------------------

Files available in this series are:

JUNGLE01.TXT - Global Compuserve dialups (Darkcyde)
JUNGLE02.TXT - Global SprintNet/Telenet dialups (Fugitive)
JUNGLE03.TXT - Index of UseNet newsgroups (Fugitive)
JUNGLE04.TXT - The Definitive Guide To Fraud (Darkcyde)
JUNGLE05.TXT - No More Tears :: GLoBaL BoXInG (Fugitive)
JUNGLE06.TXT - *TOTALLY* Free Internet Access (Fugitive)
JUNGLE07.TXT - The Beginners Guide to Cellular Phreaking (Cybernetik)

More titles are soon to emerge from the Destructive Jungle...

----------------------------------------------------------------------------
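
The two network-side checks this file describes (each call's MIN/ESN compared against the subscriber database, and a pair cancelled when it shows up on two calls at once) can be written as detection logic over call records. This is an added example, not part of the original file; the record layout, registry, cell names and every MIN/ESN value are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed subscriber registry: MIN -> ESN on file (placeholder values).
REGISTRY = {
    "2344 000001": "00/00/00/00001",
    "2346 000002": "00/00/00/00002",
}

# Constructed call records: (MIN, ESN, cell site, start time, duration in seconds).
CALLS = [
    ("2344 000001", "00/00/00/00001", "CELL-A", "1995-01-10 09:00:00", 300),
    ("2344 000001", "00/00/00/00001", "CELL-K", "1995-01-10 09:02:00", 120),
    ("2346 000002", "00/00/00/00002", "CELL-B", "1995-01-10 10:00:00", 60),
    ("2346 000002", "00/00/00/00099", "CELL-B", "1995-01-10 11:00:00", 60),
    ("2344 000001", "00/00/00/00001", "CELL-A", "1995-01-10 12:00:00", 30),
]

def parse(record):
    """Turn a raw record into (MIN, ESN, cell, begin, end) with datetimes."""
    min_, esn, cell, start, secs = record
    begin = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    return min_, esn, cell, begin, begin + timedelta(seconds=secs)

def find_alerts(calls, registry):
    """Flag pairs that do not match the registry and pairs used on overlapping calls."""
    alerts = []
    by_pair = defaultdict(list)
    for min_, esn, cell, begin, end in map(parse, calls):
        if registry.get(min_) != esn:
            # Unknown MIN, or known MIN presented with the wrong ESN.
            alerts.append(("PAIR_NOT_ON_FILE", min_, esn, cell))
            continue
        by_pair[(min_, esn)].append((begin, end, cell))
    for (min_, esn), spans in by_pair.items():
        spans.sort()  # chronological order by call start
        latest_end, latest_cell = spans[0][1], spans[0][2]
        for begin, end, cell in spans[1:]:
            if begin < latest_end:
                # One handset cannot hold two calls at once: the pair is in two places.
                alerts.append(("SIMULTANEOUS_USE", min_, esn, f"{latest_cell}+{cell}"))
            if end > latest_end:
                latest_end, latest_cell = end, cell
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(CALLS, REGISTRY):
        print(alert)
```

The overlap check only fires while the legitimate handset is also in use, which is why a pair on its own serial number proved a weak credential for the analogue networks described here.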