A GUIDE TO CELLULAR PHREAKING --by Bernie S.

The recent FBI/Secret Service cellular sting operation that culminated in the arrests of over 25 people in New York City confirms what many of us have suspected for quite some time: that cellular telephone fraud is widespread. The FBI estimates that cellular phone fraud costs system operators $3 million annually; with the average subscriber's airtime bill about $50 per month for 100 minutes of usage, there could be over 2500 cellular pirates on the air if a pirate uses twice the normal amount of airtime. The term "pirate" rather than "phreak" is used here because the vast majority of illegitimate CMT (Cellular Mobile Telephone) users are only interested in stealing airtime, while phone phreaks are mainly interested in learning more about the telephone network through its manipulation. The six-month FBI investigation used "cooperative sources" who named fraudulent installers; then FBI agents posing as customers and installers used standard entrapment techniques to gather evidence against those allegedly involved. The FBI's press release statement that "Recent technological advances in computerized telephone switching equipment and billing systems were instrumental in...(their investigation)" is deliberately misleading. New York cellular carrier NYNEX merely supplied the FBI with its billing data to document the use of bogus and stolen ESNs and MINs (Electronic Serial Numbers and Mobile Identification Numbers) discovered in the investigation. The Secret Service later became involved because the laws relating to the credit fraud being alleged are under its jurisdiction.

SAFE PHREAKING: In practice, cellular phreaking is very safe if one does one's own transceiver modifications, changes ESNs and MINs regularly, and uses standard phone-phreak precautions. Indeed, FBI agent Greg Meecham has stated that fraudulently programmed CMTs are "unattributable, unbillable, untraceable and untappable."
A cellular carrier will become aware of any bogus or stolen ESNs and MINs used on its system within a month or so after their initial use, once the subscriber or carrier assigned those codes is billed and notifies it of the error. The home carrier will then change the legitimate subscriber's MIN in the MTSO (Mobile Telephone Switching Office) and arrange for a new NAM (Number Assignment Module, a ROM) to be installed in that subscriber's CMT transceiver. The MTSO maintains a database of all its valid ESN/MIN pairs, as well as a "negative verify" file of all known invalid numbers for the deadbeats and pirates in its area. The carrier may choose to leave certain fraudulent codes active in order to monitor their activity, but as long as all parties at the receiving end of any phreaked calls develop amnesia when questioned, the phreak's identity will remain secret. If a phreak uses a different ESN/MIN pair every month, it will be extremely difficult for the carrier to react in time to gather any information. As on any landline, inband signalling (2600 Hz, MF tones, etc.) will work but can easily be detected by the ESS controlling that line; since all cellular systems are in metropolitan areas, it's logical to assume that most cellular trunks terminate on ESS. Although telco security may be aware of any blue-boxing, the links in their security chain stop at the MTSO. Moreover, since the MTSO selects outgoing landlines from a trunk group, a pen register at the CO would be useless for establishing any toll-fraud patterns. Because a cellular call changes channels every time the MTSO hands it off to another cell site, it is very difficult to track down a CMT using conventional radio direction-finding (DF) techniques, even if it's stationary. A small directional antenna aimed randomly at surrounding cell-site repeaters with a TV antenna rotor will thoroughly confuse any DF attempts, although keeping calls as short as possible is always a good precaution. Locating a mobile CMT is virtually impossible.
I was recently given a tour of an FCC monitoring van in Washington DC, and was surprised to see how lacking in sophistication their onboard DF gear was. The only equipment available to readily locate a CMT transmitter is primarily used by the military and intelligence agencies, which couldn't care less about CMT fraud unless it involved national security.

EQUIPMENT: Most CMTs are actually two main pieces of equipment: the transceiver and the control head. The transceiver (transmitter/receiver) is usually a nondescript metal box with three external connectors and contains sophisticated circuitry. There are usually two main circuit boards inside: an RF board with all the radio transmitting/receiving circuits, and a logic board with a microprocessor, A/D and D/A circuits, and control logic. The control head is a Touch-Tone telephone handset with an extended keypad, a numeric or alphanumeric display, and volume and mic-mute controls. It often has a separate speaker mounted in the cradle for on-hook dialling and call-progress monitoring. Some CMTs have a speakerphone option that allows you to drive with both hands on the wheel by talking into a small microphone mounted near the vehicle's sun visor and listening to the cradle loudspeaker. This may seem to be the ultimate in laziness, but remember you could be maneuvering your five-speed through heavy traffic on the expressway when the phone rings! The control head/cradle is usually bolted to the transmission hump by the driver's seat, and the transceiver is usually mounted in the trunk, with a power cable connecting it to the car battery and ignition switch. A shielded control cable links this equipment together and allows data and audio to pass between them. Most first-generation CMTs used the AMPS bus, developed by AT&T, which specified 36 parallel wires in a bulky control cable.
Some manufacturers later developed their own buses; Novatel's serial bus specifies a thin cable of just a few wires, which is much easier to install in vehicles. For fixed use, a CMT may be powered by any regulated 12-volt DC power supply that can deliver at least 5 amperes. Any would-be cellular phreak must first obtain a CMT. Used bargains abound in some cities, where many subscribers found they couldn't afford to pay their airtime bills after they bought their phone! First-generation E.F. Johnson transceivers are a good choice because they're easy to work on, use a uniquely effective diversity (dual-antenna) receiver, and use the AMPS control bus, which means that several manufacturers' control heads will work with them. Another good choice is Novatel's Aurora/150 model. It uses a proprietary parallel bus and control head, but costs less, is very rugged, and is also easy to work on. In addition, all Novatel CMTs have built-in diagnostics which allow (among other things) manual scanning of all 666 repeater output frequencies: great entertainment when you're bored!

ANTENNAS: A mobile cellular antenna is usually a short (less than a foot long) piece of stiff wire with a half-dozen or so turns in the middle, like a spring. The "spring" acts as a phasing coil in a 5/8-wave configuration. The antenna is mounted vertically, either through a hole in the vehicle's roof or at the top of the rear windshield using silicone adhesive, with conductive plates on either side of the glass to pass RF energy through it. The glass mount is not quite as efficient as a roof mount, but most folks prefer not to drill a hole in their Mercedes. A 50-ohm coaxial cable such as RG-58/U links the antenna to the transceiver with a male TNC connector (the threaded cousin of the BNC, not the larger PL-259 "UHF" connector). A ceramic duplexer allows the transmitter and receiver to share the same antenna simultaneously.
Mobile roof-mount antennas are designed to work with the ground plane provided by the vehicle's body, but for fixed use an "extended-feed" or voltage-fed coaxial antenna (which requires no ground plane) can be used if there's no tin roof on your house. A capped PVC pipe makes an ideal rooftop housing for this type of antenna, concealing it and making it weatherproof at the same time. As with any kind of antenna, the higher the better, but unless you're surrounded by tall steel buildings any height will probably do (provided you're within range of a cell-site repeater). It should even work indoors if near a window; remember that cellular systems are designed to work primarily with inefficient antennas at ground level. Yagi and corner-reflector antennas that provide very high gain and directivity are available for fixed use. Antenna Specialists Co. (216/791-7878) manufactures a broad line of cellular antennas.

INTERFACING: Interfacing audio devices such as MF tone generators to a CMT can be accomplished by coupling the device's output through an audio coupling transformer and a capacitor across the control head's microphone wires. If a schematic diagram is available, it will show which CMT bus lines carry the transmit audio; coupling the signal there is preferable. Acoustic modems can be interfaced acoustically, or by coupling their mic and speaker wires to those on the control head or to the appropriate bus lines. Direct-connect modems, answering machines, regular and cordless telephones, and other devices can be interfaced to a CMT through the AB1X cellular interface manufactured by Morrison & Dempsey Communications (818/993-0195). This compact $300 device is a one-line PBX that connects between the transceiver and control head and provides an RJ-11C jack that accepts ANY direct-connect telephone accessory. It recognizes Touch-Tone and pulse dialling, provides ringing voltage for a 1.0B ringer-equivalence load, and generates dial and busy tones when appropriate.
ACCESS CODES: Every CMT manufactured has a unique ESN, a 32-bit (four-byte) number usually written as eight hexadecimal or eleven octal digits, held in a ROM soldered directly to the logic board. It's supposed to be there for life and never removed. Some newer CMTs embed the ESN in a VLSI chip along with the unit's program code, which makes ESN modifications virtually impossible. The ESN is also printed on the ID plate mounted on the outside of the transceiver housing. When written in octal (11 digits), the first three digits specify the CMT manufacturer, and the other 8 identify the unit. Typical ESNs might be 13500014732 (octal) for a NEC brand CMT, and 8E01A7F6 (hexadecimal) for a Novatel. The other important chip is the NAM, which contains the MIN (NPA-XXX-XXXX), the lock code (which keeps the kids from using it), and various model-specific and carrier-specific codes. Some newer CMTs have no NAM chip at all and use an EEPROM which allows a technician who knows the maintenance code to change NAM data through the control head keypad. Basically, when one attempts to make a CMT call, the transceiver first automatically transmits its ESN and NAM data to the nearest cell-site repeater by means of the overhead data stream, or ODS. The ODS is a 10 kilobaud data channel that links the CMT's computer to the MTSO computer, which controls the phone's entire operation right down to its channel and RF output power. If the MTSO doesn't recognize the received ESN/MIN pair as valid, it returns a reorder signal and will not process the call. In most cities with cellular systems there are two carriers: the wireline operator (usually Bell or the local telco) and the non-wireline operator, an independent company. Both maintain their own MTSO and network of cell-site repeaters, and occupy separate halves of the cellular radio band. Non-wirelines operate on system A (channels 001 to 333), and wirelines on system B (channels 334 to 666).
Custom-Calling features such as call forwarding, call waiting, and three-way calling are standard with most cellular carriers, but the procedures for using them differ, so it's best to call the carrier for more information.

OBTAINING CODES: The most difficult task for cellular phreaks and pirates is obtaining usable ESNs and MINs. One method involves having an accomplice who is employed at a CMT installation center. They will have a file on every CMT installed at that location, including the ESNs and MINs assigned to those subscribers. Using several codes from one source could focus attention there, however. Another method involves the help of an inside person at the cellular carrier's customer service or billing department, where many low-paid employees have access to thousands of valid ESNs and MINs. The most sophisticated method requires interfacing a CMT's A/D circuitry to a personal computer, enabling one to literally pick valid codes out of thin air.

PROGRAMMING THE CMT: Once a valid ESN/MIN pair is obtained, it must be programmed into the CMT's ROMs. Some CMT manufacturers use different devices and memory maps, but most adhere to the AMPS 16-pin, 32 x 8 bit format. The most common ROMs are the Signetics 82S23 (open collector) and 82S123 (tri-state) or equivalents, but it's best to check the part numbers used in your unit. The existing ESN ROM should be carefully removed from the logic board using grounded desoldering tools and read using a NAM programmer's bit-editor mode. Any PROM programmer that is device-compatible can be used, but dedicated NAM programmers have built-in software which greatly simplifies the process. The ESN printed on the ID plate (if in decimal, convert to hex) should be found in memory and will be immediately followed by an 8-bit checksum: the 8 least significant bits of the sum of the ESN's four bytes. The old ESN data (now copied into the NAM programmer's RAM) should be replaced with the new ESN and its checksum.
A new blank ROM of the same type should be inserted into the programmer and "burned." It would be advisable to solder a ZIF (zero insertion force) DIP socket onto the logic board to accommodate the new ESN chip and any future versions. The NAM chip is usually already ZIF-socketed on the logic board for easy replacement. It, too, should be copied into the NAM burner's RAM and the old MIN replaced with the new one. The NAM checksum should also be updated to reflect the new data. Although the carrier's system parameters must also be programmed into the NAM, they can be left the same if the NAM being changed had previously been on the carrier now to be used. All that needs to be changed in this case is the last four MIN digits and the checksum (and maybe the exchange if the carrier is using more than one). An excellent write-up on NAM programming is available free of charge from Curtis Electro Devices (415/964-3846). Ask for the May '87 reprint from Cellular Business magazine. Bytek Corporation (305/994-3520) sells a good budget NAM programmer for about $500, and the operations manual (available separately) explains in detail the memory maps, part numbers, and programming techniques for most CMTs on the market. This same unit is also capable of programming many ESN chips using the bit-editor mode. Some carriers and their installation agents will provide NAM system parameters on request, and some CMT service facilities will provide NAM and ESN memory maps and schematics of specific CMTs for a price. One could eliminate the need for a NAM programmer altogether by programming and interfacing a personal computer to the CMT's ESN and NAM sockets. Another approach is to interface two banks of 8 hexadecimal thumbwheel switches to the sockets, although a computer program would still be needed to determine the proper switch settings. Either of these two approaches will permit quick emulation of any CMT with an ESN and MIN of your choosing.
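The ESN arithmetic described above, as an added worked example in Python (this is not code from the article): conversion between the octal, hexadecimal and decimal forms of an ESN, extraction of the manufacturer code and unit serial, and the ROM checksum (low 8 bits of the sum of the four ESN bytes). The 8-bit manufacturer / 24-bit serial split follows from the three-octal-digit manufacturer field; the most-significant-first byte order in the ROM image and the 3-digit-plus-8-digit decimal plate layout are assumptions of the example, not statements from the article. The two ESNs used are the article's own examples.

```python
"""ESN formats and ROM checksum (added example, not from the article).

Assumptions:
  * an ESN is 32 bits: top 8 bits = manufacturer code, low 24 bits = unit
    serial (three octal digits cover exactly 8 bits once the leading octal
    digit is limited to 0-3);
  * the ROM image is the four ESN bytes most-significant first, followed by
    the checksum (byte order is assumed; the checksum is a byte sum, so it
    does not depend on it);
  * the decimal plate form is MMM (manufacturer) + SSSSSSSS (serial).
"""

MANUFACTURER_BITS = 8
SERIAL_BITS = 24
SERIAL_MASK = (1 << SERIAL_BITS) - 1
ESN_MASK = (1 << (MANUFACTURER_BITS + SERIAL_BITS)) - 1


def _check(esn: int) -> int:
    if not 0 <= esn <= ESN_MASK:
        raise ValueError(f"ESN out of 32-bit range: {esn:#x}")
    return esn


def esn_from_hex(text: str) -> int:
    """8 hex digits, e.g. '8E01A7F6' (the article's Novatel example)."""
    t = text.strip()
    if t[:2].lower() == "0x":
        t = t[2:]
    if len(t) != 8:
        raise ValueError("hex ESN must be exactly 8 hex digits")
    return _check(int(t, 16))


def esn_from_octal(text: str) -> int:
    """11 octal digits, e.g. '13500014732' (the article's NEC example)."""
    t = text.strip()
    if len(t) != 11 or any(c not in "01234567" for c in t):
        raise ValueError("octal ESN must be exactly 11 octal digits")
    return _check(int(t, 8))  # rejects a leading digit above 3 (33rd bit)


def esn_from_decimal(text: str) -> int:
    """11 decimal digits: MMM (0-255) then SSSSSSSS (0-16777215)."""
    t = text.strip()
    if len(t) != 11 or not t.isdigit():
        raise ValueError("decimal ESN must be exactly 11 decimal digits")
    mfr, serial = int(t[:3]), int(t[3:])
    if mfr > 0xFF or serial > SERIAL_MASK:
        raise ValueError("decimal ESN fields out of range")
    return (mfr << SERIAL_BITS) | serial


def manufacturer_code(esn: int) -> int:
    return _check(esn) >> SERIAL_BITS


def unit_serial(esn: int) -> int:
    return _check(esn) & SERIAL_MASK


def to_hex(esn: int) -> str:
    return f"{_check(esn):08X}"


def to_octal(esn: int) -> str:
    return f"{_check(esn):011o}"


def to_decimal(esn: int) -> str:
    return f"{manufacturer_code(esn):03d}{unit_serial(esn):08d}"


def esn_bytes(esn: int) -> bytes:
    return _check(esn).to_bytes(4, "big")  # byte order is an assumption


def esn_checksum(esn: int) -> int:
    """Low 8 bits of the sum of the four ESN bytes, as the article states."""
    return sum(esn_bytes(esn)) & 0xFF


def esn_rom_image(esn: int) -> bytes:
    """The five bytes a bit editor shows: ESN followed by its checksum."""
    return esn_bytes(esn) + bytes([esn_checksum(esn)])


def rom_image_is_consistent(image: bytes) -> bool:
    """True if byte 4 is the right checksum for bytes 0..3.

    An edited image whose checksum was not updated fails this check; the
    article's procedure replaces the ESN and the checksum together.
    """
    return len(image) >= 5 and (sum(image[:4]) & 0xFF) == image[4]


if __name__ == "__main__":
    for text, parse in (("13500014732", esn_from_octal), ("8E01A7F6", esn_from_hex)):
        e = parse(text)
        print(f"{text:>12}  hex={to_hex(e)}  oct={to_octal(e)}  dec={to_decimal(e)}"
              f"  mfr={manufacturer_code(e)}  rom={esn_rom_image(e).hex()}")
```

Running the block shows that the octal example's first three digits (135) are manufacturer code 0x5D and the hex example's (0x8E) print as octal 216, which is the relationship the ACCESS CODES section describes.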
ROAMING: Whenever a CMT is used in a cellular system other than the one indicated by the SID (System ID) code in its NAM, it is in ROAM mode and the ROAM indicator on the control head will turn on. A CMT can roam in any system its home carrier has a roaming agreement with, and most carriers now have roaming agreements with each other. If there is no roaming agreement, the MTSO will transmit a recorded voice message to the CMT user with instructions to call the carrier (the only call the CMT will be able to make) and give his name, MIN, ESN, and American Express card number. All roamed calls will then be completed by the MTSO and billed to the credit card account. Fortunately, this procedure is becoming less common as more roaming agreements are made. Usually, a carrier can only determine whether a roamer came from a system with which it has a roaming agreement, not the creditworthiness of that roamer. Consequently, many carriers have been abused by roamers who've been denied service on their home system due to non-payment. Once the home carrier is billed for roaming services provided by the roamed carrier, it will notify that carrier to add the ESN and MIN to its MTSO's "negative verify" file to prevent further abuse. Several independent companies are establishing system software and data networks to allow Positive Roamer Verification (PRV), which will allow near real-time roamer validation by sharing data between carriers. Because of the many technical, financial, and political details that still need to be resolved, PRV systems will probably not be in place for at least two more years. In the meantime, even fictitious ESNs and MINs can roam if they follow the standard format, although some carriers are sharing roamer data on a limited basis to curtail this. To call a roaming CMT, the caller must know which system that unit is in, and call that carrier's roaming number.
Roaming numbers vary, but are usually in the format (NPA) XXX-ROAM, where NPA is the carrier's area code and XXX is the MTSO exchange. Calling that number will return a dial or ready tone, after which the roamed CMT's full MIN should be entered in Touch-Tones. After a few seconds, the mobile unit will ring or the caller will hear a recording stating that the mobile unit is out of range. Telocator Publications (202/467-4770) publishes a nationwide roaming directory for travellers with cellular phones.

Cellular telephone technology offers phone phreaks complete safety by allowing miles of physical separation from the wire pair, and by offering thousands of lines to choose from. In addition, all this is possible from just about any location, even from a car, boat, train, or aircraft. It is these characteristics that are attracting a sophisticated new breed of phone phreaks who will enjoy unprecedented convenience and security.
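The MTSO-side decision that the ODS exchange in ACCESS CODES ends with, together with the roaming logic in ROAMING, as an added example in Python (not code from the article or from any carrier): a home subscriber's ESN/MIN pair must match the MTSO's valid-pair table and not sit in the negative-verify file; a roamer is admitted on the strength of its SID alone unless a PRV-style lookup to the home carrier is available, which is why a well-formed but fictitious pair roams until the home carrier's chargeback propagates it into the negative-verify files. All SIDs, MINs and pairings below are constructed for the example (the two ESNs are the article's); the "standard format" check uses the North American numbering rule that the NPA and NXX begin with 2-9.

```python
"""MTSO-style ESN/MIN validation with roaming (added example, not from the article).

Constructed data throughout: SIDs 1, 2 and 3, the 555 MINs, and the pairings
are invented; the MTSO tables are modelled as plain dicts and sets.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple

Pair = Tuple[str, int]  # (MIN, ESN)
ESN_MASK = 0xFFFFFFFF


class Outcome(Enum):
    ACCEPT = "call set up"
    REORDER = "reorder: pair not valid on this system"
    ROAM_NO_AGREEMENT = "roamer from a system with no roaming agreement"
    ROAM_REJECTED = "roamer rejected by home-carrier (PRV) lookup"
    MALFORMED = "ESN/MIN not in standard format"


def well_formed(esn: int, min_: str) -> bool:
    """Format check only: 32-bit ESN, 10-digit NPA-NXX-XXXX MIN with NPA
    and NXX starting in 2-9.  This is all a carrier can check on a roamer
    without PRV, which is why a fictitious pair in this shape can roam."""
    if not 0 <= esn <= ESN_MASK:
        return False
    if len(min_) != 10 or not min_.isdigit():
        return False
    return min_[0] in "23456789" and min_[3] in "23456789"


@dataclass
class Carrier:
    sid: int                                   # this system's SID
    valid_pairs: Dict[str, int] = field(default_factory=dict)  # MIN -> ESN it was sold with
    negative_verify: Set[Pair] = field(default_factory=set)    # known-bad pairs
    roaming_agreements: Set[int] = field(default_factory=set)  # SIDs we accept roamers from

    def knows_pair(self, min_: str, esn: int) -> bool:
        return self.valid_pairs.get(min_) == esn

    def validate(self, esn: int, min_: str, sid: int,
                 prv: Optional[Dict[int, "Carrier"]] = None) -> Outcome:
        """Decide a call attempt from a mobile whose ODS data carries (esn, min_, sid).

        prv, if given, maps SID -> home carrier and stands in for a positive
        roamer verification network; without it the roamed MTSO can only
        check format and SID, the common case the article describes."""
        if not well_formed(esn, min_):
            return Outcome.MALFORMED
        if (min_, esn) in self.negative_verify:      # local deadbeat/pirate file
            return Outcome.REORDER
        if sid == self.sid:                          # home subscriber
            return Outcome.ACCEPT if self.knows_pair(min_, esn) else Outcome.REORDER
        if sid not in self.roaming_agreements:       # no agreement: credit-card call only
            return Outcome.ROAM_NO_AGREEMENT
        home = prv.get(sid) if prv else None
        if home is None:                             # no PRV: SID is all we can check
            return Outcome.ACCEPT
        if (min_, esn) in home.negative_verify or not home.knows_pair(min_, esn):
            return Outcome.ROAM_REJECTED
        return Outcome.ACCEPT


def propagate_negative(pair: Pair, *carriers: Carrier) -> None:
    """What happens once the home carrier is billed for a bad roamer: the
    pair is added to each named carrier's negative-verify file."""
    for c in carriers:
        c.negative_verify.add(pair)


def build_sample_systems() -> Tuple[Carrier, Carrier]:
    """Two constructed carriers with a mutual roaming agreement."""
    a = Carrier(sid=1, valid_pairs={"2125550100": 0x8E01A7F6}, roaming_agreements={2})
    b = Carrier(sid=2, valid_pairs={"2135550101": 0x5D0019DA}, roaming_agreements={1})
    return a, b


if __name__ == "__main__":
    a, b = build_sample_systems()
    prv = {a.sid: a, b.sid: b}
    print("home, valid      :", a.validate(0x8E01A7F6, "2125550100", 1).value)
    print("home, wrong ESN  :", a.validate(0x8E01A7F7, "2125550100", 1).value)
    print("fictitious roamer:", a.validate(0x00000001, "2135559999", 2).value)
    print("same, with PRV   :", a.validate(0x00000001, "2135559999", 2, prv).value)
    propagate_negative(("2135550101", 0x5D0019DA), a, b)
    print("after chargeback :", a.validate(0x5D0019DA, "2135550101", 2).value)
```

The two `validate` calls on the fictitious roamer are the whole point: the same well-formed pair is accepted when the roamed MTSO can check only the SID, and rejected as soon as the home carrier can be asked.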