
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

                       Entering the Realm of Cellular
                                 by Dynastar

 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


                    " I see your wishes on the wall,
                       and that's all right with me,
                      I see you run to make a call,
                    hoping that there's someone free. "  - Sonic Youth

  Special Thanks for sharing love, information, concepts, thoughts,
       drugs, property, or time go to: Eric, MKL (you've been
    more than helpful in this project... that I'll never forget),
    Richie, Mike (FL), Dennis, Brian, Scott, Don, Steve, Chris, Jason,
    Bill, Sean, and Mitch.


Introduction
~~~~~~~~~~~
     There have been quite a few articles on cellular communications,
especially recently.  I ran around obtaining hundreds of them once I
received a portable phone.  For the most part, all of the articles I have
read are either directly or indirectly taken from articles dating back
to 1984.  Most of this information, although still valid, has been published
in national magazines by now (like the recent Forbes issue.)  Hopefully,
my article will give you a better idea of the internals of a cellular phone
and exactly what you can do with a 64K PROM.
     I hope you will use this file for something responsible and worthwhile,
but I'm not giving an ethics lecture---especially about companies I hold
in low regard anyway.  Use your own judgment, and always think of the
greater scope of things.  The information is there.  You just have to get
your own copy.  This article, for better or worse, will contain nearly all
my findings from personal experience.

Internal Organs
~~~~~~~~~~~~~~
     As a person with an analytical mind, the first thing I did after
getting my cellphone was take it apart.  Along with a myriad of electrical
parts whose names I do not know, there were quite a few chips as well.  Thanks
to help from others and some referencing of my own, I identified the more
important ones on my phone.  These parts are specific to an Oki Telecom
cellular phone, so expect yours to be somewhat different.  The main processor
in the phone is an Intel/Oki 93H006 (an MCS-51 processor, basically an 8051
microcontroller.)  The program code is on a 54512 chip, which sits in a socket
and can therefore be replaced.  Data storage is on a 28C64 EEPROM.  Along with
these chips are a cellular audio processor, NRZ encoding and decoding chips,
another MCS-51 processor for the keyboard and screen display, an I/O port
expander, and a serial EEPROM chip.  These chips are the workhorses of the
phone and will tell you what it does, when it does it, how, and why (!).
Taking apart all of the code will get you one massive listing of
disassembled source (over 200 pages.)
     The phone also has two programming modes which you aren't supposed to
know about.  The first is a menu driven NAM editor, which allows a cellular
office to change your MIN, SID, SCM, lock codes, and various other information.
On many Oki phones, this is accessed by Menu+Rcl,0,1,2,3,4,5,6,7,8,9 or by
Menu+Rcl,*,1,2,3,4,5,6,7,8,# (for factory new OKI 900s. Substitute Menu+Rcl
with *+# for new OKI 750s.)  NAM programming modes can be found on nearly every
cellular phone, old or new.  Oki phones have another "undocumented" mode on
their phones.  It is a technical service mode for the phone.  With a few
(actually a lot) of key presses you are greeted with a "good timing!!"
message to let you know it is active.  Then pressing 1+3 will freeze the
microprocessor and give you total control of the phone.  From this new
level, you can run test functions and make modifications to parts of memory.
The NAM locations (including the ESN), however, are still protected from
modification for the majority of technically inclined users.  Even so,
I will not say it is impossible to edit the ESN and NAM from the keyboard;
it has been done without even modifying the PROM holding the instructions.
Once you know the locations, you can remove the write protection from the
entire memory.  I learned quickly that the "specifications for ESN storage"
were not followed perfectly by any cellular phone manufacturer.

The hard part, the expensive part
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     The biggest expense in understanding a cellular phone is not
purchasing the phone, as many believe.  Now in many states (with the distinct
exception of California) you can get "free" cellulars, if you subscribe to
service for a specified length of time.  Some of the offers aren't all that
bad, and should be considered as an option for someone interested in
cellular communications.  That will, once again, not be your biggest
expense in a "project" with them.
     If you intend to modify the code inside a cellular to make it uniquely
yours... I suggest you do it as a group effort.  In my case, working with
a handheld, I still owe money.  The first logical step will be to find new
storage chips for replacing the ones inside the phone.  If you know about
chips, you've noticed mine used a 54512 chip (a one-time programmable chip
which cannot be erased... meaning it must be REPLACED with an exact duplicate.)
I first tried to contact Oki Telecom, who had to laugh when I asked about
buying a single chip for my phone.  I then called the manufacturer of the
chip, and found their local distributors in my area.  If you plan on doing
this, make sure you get more than one distributor.  Some of the distributors
will allow you to place orders of 10 or 25 chips (at about eight dollars each),
and some will only take orders of 500 dollars or more.  It
is very specific to the type of company you work with, so look around.
     Next, you will need a programming device to read and write the chips. That
will obviously be an E/E/PROM burner.  My best advice is to look around for
a company that sells them cheaply and supports an array of chips.  Another
big plus is to have a company that has EVEN A CLUE about what an EEPROM burner
is.  Some companies had to have a tech working to tell me if it programmed
anything.  The company (IMHO) that I would choose as the best for service,
support, and price would be BP Microsystems (800/225-2102.)  If you request
information about their programmers, they will send you a listing of all the
chips they support (thousands of them) and a MS-DOS copy of their software for
the programmer, which you will find invaluable in finding out if a chip is
or isn't programmable.  They also provide free upgrades which are stored as
binary files on their BBS, and you install them yourself.  The only
disadvantage is that their programmers will cost $299 and up.  (I am not
a spokesman for BP Microsystems, nor am I endorsing their products, this
is only an observation on my part. I am not being paid any amount of money
by them, but wouldn't mind negotiating a free programmer for this :-) ...)
     The next step, if necessary, is to get an adapter for the PROM chip
to work with your E/E/PROM programmer.  For most transportables and
car phones you will need none.  For a good percentage of portable phones,
expect to buy one.  I needed a 28-pin SOIC -> 28-pin DIP adapter, which ended
up costing around $100.  Expect to pay somewhere around that for an adapter,
if it is required, or make one yourself (ick!)
     As an optional accessory for your phone, I would recommend a "Technical
Manual."  Not all companies will sell technical manuals for their cellular
phones to an end user.  I do not know whether they check you out when you
order one "as a dealer."  Oki Telecom has manuals for the end user and allows
you to purchase them for $150.  The manual covers schematics and many other
interesting and not so interesting tidbits of information you may consider
helpful.  It isn't necessary, but if you have the cash, it can't hurt.
     There are other things you can get for cellular phones that you may or
may not know about, which don't have a helluva lot to do with anything else.
You can also legally purchase ESN/MIN decoders for local range reception and
as scanner interfaces. For phones that don't already have them, you can
get RJ-11 data jacks for modems and fax machines.  There are also the huge
assortment of car adapters, quick chargers, battery eliminators, range
enlargers, and test equipment.  All of these things are ready for your
purchase, for many dollars (an ESN/MIN decoder can run around $2,000.)

Disassembly
~~~~~~~~~~~
     Now that you took the time to purchase all this neato stuff, it's about
time to put it to use.  The first thing you will need is a disassembler for
your phone's code.  This is when it is best to own an IBM compatible computer,
as cross assemblers are much more plentiful.  Phones can run on nearly any
type of micro the company chooses, however many of the ones I've seen run
on MCS-51 or Z80.  If you want a specific phone, I suggest you call up
the manufacturer and ask them about it.  I only know personally of the Oki and
the Fujitsu Pocket Commander (also an MCS-51.)  I was able to find a well-made
disassembler on the internet myself, via ftp.  It was able to follow the
control flow and disassemble the entire code (with the exception of indirect
jumps, whose targets can't be known statically.)  The result
of several disassemblies and my specific entry points produced over 200
pages of undocumented code (the code took up $0000-$A000 of the 512 Kbit,
i.e. 64 KB, PROM.)
After printing out the code, I went through it (with help from some of the
above mentioned persons)... I still am going through it now (a couple months
later.)  I want you to be sure to know that going through this code, without
the slightest clue of what is stored where, can be a horrifying task <grin>.
Eventually you will learn what is stored where and can guess at a routine's
job by the memory locations it accesses.  I strongly suggest you have someone
help you, or you will end up a psychotic killer later in life.

I'm with you so far, but what do I do now!??!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Now that you have killed a tree to print it all out, and wasted about
three gallons of ink (or 10 pounds of wax if you like crayons), it is time
for YOU to decide what you will do with your disassembly.  If you're into
free calls, I'm sure you can figure out how to change the ESN.  More serious
owners will think about more serious applications.  The phone is exactly like
owning a computer once you know how it works.  You can have it do anything
you want it to.  Some of the things I've done/heard about/could imagine are:
cellular spying (you can scan the other channels and listen to calls), protect
your phone with encryption (RSA if you are really paranoid!), have a longer
unlock code which will destroy the phone after successive failures, make
caller "restrictions" for other users, add a calculator in it, have it shadow
a cellular tower, make it switch towers to prevent locating and lower the
chance of monitoring, allow voice scrambling (somewhat hard, may be easier on
digital phones), have it look for MIN/ESN pairs and store them, look for
MINs or ESNs of corporations for insider trading, look for calls placed to
Colombia (to find the eleet drug deals), look for calls to 3l33t BbSeZ so
your HST can record a Zmodem Download of the MEGA-K-RaD-wArEZ when they are
0-2 minutes old, or maybe something as simple as allowing it to play jingle
bells in DTMF when you turn it on.  As you can see, the options are limitless,
although a great number of them are illegal in all fifty states.

The ever popular ESN story
~~~~~~~~~~~~~~~~~~~~~~~~~~
     Although you may have heard this 18,000 times, I'm going to repeat it---
mainly because it is not complete.  When you place a call, the cellular
phone will broadcast the ESN and MIN of the calling party, as well
as the number of the called party.  Another thing that is transferred,
which is often omitted or questioned, is the SCM.  The SCM has something
in it which will prove to solve a number of fraud problems for cellular
companies.  The SCM tells the tower the power class of the phone (.6, 1.2, or
3.0 watts.)  This allows the tower to do three things: (1) see if a phone that
claims to be .6 watts is really transmitting at .6 watts, (2) see if the phone
is using an ESN that belongs to a .6 watt phone, and (3) in cases of fraud, if
a phone claims to be .6 watts, the feds may be looking for someone with a
handheld phone rather than someone talking in their car.  If you plan on
using captured ESNs of other phones, it's a good idea to think about the
SCM to avoid a bad situation.
     When a call is placed on any network, the cellular company will check
the validity of the ESN and MIN.  If it is made from a local phone, then the
process is quite simple.  It pulls up the MIN file and checks to see if the
ESN matches the file.  If not, you either get an operator or a message telling
you that you are a bad person and your attempt at making free calls is denied.
If you are roaming from your cellular network into another, the process may
be somewhat different.  The computers no longer have your information right
there and require time to contact the other company to check the information.
This type of circumstance allows you to take advantage of the company.  Many
companies still do not check to see if you're a valid customer until after you
place your first call.  This allows you one free call before it checks.  Then
your ESN will be blocked from free calls for a period of time (often only 3
days.)  This doesn't seem like a major flaw, more of an annoyance to cellular
companies.  Well, until people understood exactly how it works.  By modifying
your ESN and MIN each time you place a call on certain networks you are
able to get a free call for each ESN and MIN you give them (which turns out
to be an unlimited number of free calls.)  With this method you never need
a valid ESN/MIN pair at all; all you need is a random routine in your phone.
The cellco will also check for any changes in your ESN/MIN pair it can detect,
as well as (in some cases) the general location the call is being placed from
and to.  This could prove the downfall of your theory.  It isn't as easy as it
looks, and I'm going to make no guesses on how safe it may or may not be.  If
you want to try it, don't blame (or praise) me.
     As real time checking becomes more of a standard, fraudulent callers are
moving to more technical methods of free calls.  The method is to have a device
(either an external device or the phone itself) steal ESN/MIN pairs from
other cellular callers.  Once stolen and programmed into a cellular phone,
these pairs allow free calls for up to one month on cellular systems.  This
form of fraud is becoming more difficult to control because of the requirements
for information to be exchanged by carriers and the lack of ability to check
for duplicate and unacceptable calls.  The cellular companies are still trying
to find a way to stop it.  Attempts are made now to check the SCM in some
areas.  Other areas are looking for two users with the same ESN/MIN with
their phones turned on.  Increasing numbers of areas are looking for callers
who are making one call in one city, and then another 100 miles away in the
same ten minute period.  As fraud grows, so does the security and checking.
With the current cellular system, it appears that there is no stopping the
fraud in many cases.  Possibilities for killing someone's cellular call and
blocking them out while you place a fraudulent one will always exist, and
are nearly undetectable in many cases.
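Here is what the carrier-side checks described in the last three paragraphs
look like once you write them down.  This is an added example, not anything
from the original article or from any cellco's switch: the subscriber file,
the call records, the SCM-to-watts mapping, the manufacturer-code-to-power-
class table and the 100 mile / 10 minute thresholds are all constructed for
illustration.  It runs the MIN-file lookup, the SCM-versus-ESN-class
comparison, and the "one call here, another 100 miles away ten minutes later"
velocity check over a small constructed call log:

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

# Station class mark -> transmit power in watts.  The article names the three
# power levels; the numeric SCM encoding used here is an assumption.
SCM_POWER_WATTS = {0: 3.0, 1: 1.2, 2: 0.6}

# Manufacturer code is the top 8 bits of the 32-bit ESN.  $81 is the Oki code
# given in the text; tying it to the 0.6 W handheld class is a constructed
# assumption for this example (a real carrier keys this off a model table).
OKI_MANUFACTURER_CODE = 0x81
MANUFACTURER_POWER_WATTS = {OKI_MANUFACTURER_CODE: 0.6}

EARTH_RADIUS_MILES = 3958.8


@dataclass(frozen=True)
class Call:
    t: int        # seconds from the start of the log
    esn: int      # 32-bit electronic serial number as sent by the phone
    min_: str     # mobile identification number (the dialable number)
    scm: int      # station class mark as sent by the phone
    cell: str     # serving cell site
    lat: float
    lon: float


# Constructed subscriber file: MIN -> ESN the carrier has on record.
SUBSCRIBER_FILE = {
    "2125551234": 0x81123456,
    "2125555678": 0x81000001,
}

# Constructed call log.  The first pair is used in New York and then, five
# minutes later, from Boston: a cloned ESN/MIN.  The third call is a tumbled
# pair nobody has on file.  The fourth is an Oki ESN claiming a 3.0 W SCM.
CALL_LOG = [
    Call(0,   0x81123456, "2125551234", 2, "NYC-01", 40.7128, -74.0060),
    Call(300, 0x81123456, "2125551234", 2, "BOS-07", 42.3601, -71.0589),
    Call(600, 0x81ABCDEF, "3105559999", 2, "NYC-03", 40.7306, -73.9352),
    Call(900, 0x81000001, "2125555678", 0, "NYC-01", 40.7128, -74.0060),
]


def manufacturer_code(esn: int) -> int:
    return (esn >> 24) & 0xFF


def pair_on_file(call: Call, subscriber_file=SUBSCRIBER_FILE) -> bool:
    """The local-phone check: pull the MIN's record and compare the ESN."""
    return subscriber_file.get(call.min_) == call.esn


def scm_consistent(call: Call) -> bool:
    """Does the power class the phone claims match what its ESN implies?"""
    expected = MANUFACTURER_POWER_WATTS.get(manufacturer_code(call.esn))
    return expected is None or SCM_POWER_WATTS.get(call.scm) == expected


def miles_between(a: Call, b: Call) -> float:
    """Great-circle distance between two calls' cell sites (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(h))


def velocity_violations(calls, max_miles=100.0, window_s=600):
    """Same ESN/MIN pair used too far apart for the time elapsed."""
    by_pair = {}
    for c in sorted(calls, key=lambda c: c.t):
        by_pair.setdefault((c.esn, c.min_), []).append(c)
    hits = []
    for pair, seq in by_pair.items():
        for prev, cur in zip(seq, seq[1:]):
            if cur.t - prev.t <= window_s and miles_between(prev, cur) > max_miles:
                hits.append((pair, prev.cell, cur.cell))
    return hits


def screen(calls):
    """Run every check over the log; return (reason, MIN, detail) tuples."""
    findings = []
    for c in calls:
        if not pair_on_file(c):
            findings.append(("unknown ESN/MIN pair", c.min_, f"{c.esn:08X}"))
        if not scm_consistent(c):
            findings.append(("SCM does not match ESN class", c.min_, f"{c.esn:08X}"))
    for (esn, min_), here, there in velocity_violations(calls):
        findings.append(("impossible travel", min_, f"{esn:08X} {here}->{there}"))
    return findings


if __name__ == "__main__":
    for reason, min_, detail in screen(CALL_LOG):
        print(f"{reason:30s} MIN {min_} ESN {detail}")
```

Run it and screen(CALL_LOG) returns three findings: the Boston call on the
cloned pair (about 190 miles in five minutes), the tumbled pair that isn't on
file, and the handheld ESN claiming 3.0 watts.  The "two phones with the same
pair turned on" check needs registration messages rather than call records,
so it isn't modeled here, and check (1), measuring what the phone actually
transmits, is an RF measurement at the cell site, not something a log can
give you.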
     Depending on your make and model of phone, these things can be easily
accomplished or nearly impossible.  The Oki phones have a good bit of
security in them to prevent this type of modification.  The ESN is stored in
plain sight in the phone and can be modified.  However, once you turn on the
phone, you will be greeted with your old ESN.  A routine in the phone will
take an encrypted copy of the ESN, decode it, and then rewrite it back to
where the ESN should be.  The encrypted ESN has a checksum added to it as
well to prevent modification.  It also checks to make sure the first two
hex digits of the ESN are the same as the manufacturer code for Oki Telecom
phones ($81.)  If either of these is modified in any way, the phone will
turn on and greet you with an error message, forcing your phone to be
serviced by Oki Telecom.  There is no room for mistakes in modifying the
code.  Oki made even modifying the PROM code a little challenge: they
have checksums for the NAM (which does not include the ESN) and also checksums
over the instructions in the chip, which catch modified code.  These must be
disabled if you plan on having a phone which allows MIN/ESN changes.
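To make the boot-time restore concrete, here is a toy model of the scheme
the paragraph above describes.  It is an added example and not Oki's
firmware: the XOR "decode" with a made-up key, the 8-bit additive checksum
and the two-area memory layout are stand-ins picked for illustration, chosen
only to reproduce the behaviour the text reports (a casual edit of the plain
ESN is undone at power-on, and a damaged protected copy or a non-$81
manufacturer byte puts the phone into a service-required state):

```python
OKI_MANUFACTURER_CODE = 0x81                  # $81, from the text
DECODE_KEY = bytes([0x5A, 0xC3, 0x3C, 0xA5])  # hypothetical obfuscation key


class ServiceRequired(Exception):
    """Where the real phone shows an error message and refuses to run."""


def checksum8(data: bytes) -> int:
    """Assumed: plain 8-bit additive checksum over the protected bytes."""
    return sum(data) & 0xFF


def encode_protected(esn: bytes) -> bytes:
    """Build the protected copy: obfuscated ESN followed by its checksum."""
    if len(esn) != 4:
        raise ValueError("ESN is 32 bits")
    body = bytes(b ^ k for b, k in zip(esn, DECODE_KEY))
    return body + bytes([checksum8(body)])


def decode_protected(blob: bytes) -> bytes:
    """Boot-time decode: verify checksum, de-obfuscate, verify manufacturer."""
    body, stored = blob[:4], blob[4]
    if checksum8(body) != stored:
        raise ServiceRequired("protected ESN checksum mismatch")
    esn = bytes(b ^ k for b, k in zip(body, DECODE_KEY))
    if esn[0] != OKI_MANUFACTURER_CODE:
        raise ServiceRequired("ESN manufacturer code is not $81")
    return esn


class PhoneNvram:
    """Two areas: the plain working ESN the phone sends, and its protected copy."""

    def __init__(self, esn: bytes):
        self.working_esn = bytearray(esn)
        self.protected = bytearray(encode_protected(esn))


def power_on(nv: PhoneNvram) -> bytes:
    """The boot routine: restore the working ESN from the protected copy."""
    restored = decode_protected(bytes(nv.protected))
    nv.working_esn[:] = restored          # overwrites whatever was edited in
    return bytes(nv.working_esn)


def try_power_on(nv: PhoneNvram):
    """Same, but report the outcome as a value instead of raising."""
    try:
        return ("ok", power_on(nv).hex().upper())
    except ServiceRequired as err:
        return ("error", str(err))


def demo():
    nv = PhoneNvram(bytes.fromhex("81123456"))
    nv.working_esn[:] = bytes.fromhex("81ABCDEF")   # keypad edit of the plain copy
    first = try_power_on(nv)                         # edit undone at boot
    nv.protected[1] ^= 0x01                          # damage the protected copy
    second = try_power_on(nv)                        # checksum error
    wrong_maker = PhoneNvram(bytes.fromhex("82123456"))
    third = try_power_on(wrong_maker)                # manufacturer-code error
    return first, second, third


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The design point to take from it: the decode routine, its key and the
checksum all live in the same PROM the checker runs from, so this is tamper
evidence against keypad edits, not a cryptographic binding of the ESN to the
hardware.  That is exactly why the text can say the ESN has been edited from
the keyboard without touching the PROM once the locations were known.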
     Making the phone scan the cellular channels and NRZ decode other
callers' MIN/ESN/SCM/CALLED_PARTY groups could be considered a task for an
expert.  You will have to sort through hundreds of routines and thousands of
lines of code, just to understand how the call is completed.  Expect this
type of modification to require great amounts of attention and time.

Comments, Thoughts, and other /dev/null Info
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     If you want an estimate of the involvement you may be dealing with when
working with the code in a phone, I'll give you some examples.  It will take
about six months, if you plan on starting from scratch with a few people
helping you out along the way.  Older phones will, of course, be easier to
work with.  On the down side, they will usually require a better chip
programmer and offer you less room for new functions.  There are
other ways to make modifications to your phone; I've heard of wires running
out of people's handhelds which did this, that, and the other thing.  I find
having wires hanging out of my cellular phone a form of blasphemy; just the
thought of wires 'hanging' out of my phone makes me want to vomit.  That is
so untechnical, crude, and noticeably fraudulent to officials (in the case of
a physical tumbler hanging out of the phone.)  Come on, we can do better!
     I have to once again credit those people who took the time out to help
me in this.  They worked many hours, some quite a few more than me, I'm sure.
I did not include any handles of people who helped me with the Oki 900
specifically, because of a variety of reasons dealing with privacy and
security.  Don't bother asking me (or probably any other person I mentioned
above) for documented source or other specific information as such.  I doubt
you will get it, try as you will.  I will try to help anyone who wants to
complete this project and attempt to answer their comments and questions.  I
will not answer all the questions, but will try to lead you in the right
direction.  I'm also interested in anyone who does start or complete any
cellular project; I'd like to hear about it.  Also, donations of any kind
of information on your phone will be accepted most enthusiastically as well!

Other Sources
~~~~~~~~~~~~~
I referenced many journals in making this file and working with cellular
phones.  Here are just a few of the ones I found very informative:

"The DNA Box" by Outlaw Telecommandos
     - A great file on what you can do with a cellular
     - written by some great minds. Great specific information
     - on composition of connections and MIN storage.
"The Ultimate Cellular Modification Manual"
     as scanned by Dr. Bloodmoney
     - A decent source for NAM reprogramming and some of the information
     - on ESN modification and scams. However, some of the information
     - contained is incorrect, be warned.
"Cellular Telephony" by Brian Oblivion [see Phrack]
     - A great technical source for the specifics.
"The Secrets of Cellular" by Bootleg
     - Although much of the information included is captured from
     - other files, the information that is original is worth
     - the trouble of reading through the file. Contains information
     - about ESN/MIN decoding equipment.
"NAM Reprogramming" by Consumertronics
     - contained in the Ultimate Modification Manual, but released
     - years earlier.
"CELLFONE.TXT" by multiple Anonymous authors
     - contains a good bit of information on the frequencies and laws
     - involved in cellular use.

Glossary
~~~~~~~~

     This space is left intentionally blank.  There are plenty of other
sources (the above files are one example) that offer a complete listing
of all the terms used in my article.  You should have no problem finding
many of those files on Internet or popular systems, such as Ripco BBS.


