I don't know if it's just me, but do you find there is no INTERESTING U.K. related info around these days? I've noticed that new releases have slowly declined, and even all these new groups popping up seem to concentrate on RA crap, and especially recently all this new console shite. You can call it what you like, but at the end of the day it's just warez! You only seem to get good files every now and then, and a lot of those are copied from American texts. I met a few people that seem to be doing all the work, for example POtsan, and MAYDAY, releaser of NG2. The same situation exists on the sat scene. Most people's defence is that they don't know where to start! And the same people spend most of their time slagging off other people and calling them lamers.

Don't get me wrong, this ain't another one of those 'Pull your finger out everyone, coz I can't be bothered to, and oh yeah give me some files!' texts. At this point in time I am very very pissed off, coz for a start I've had sysops now saying 'oh give me your phonecard program and I'll give you axs' and other crap like that, and if it carries on like this I don't think I'll bother releasing anything at all. But anyway, I thought I may as well do something for you lazy buggers out there. But yet again I'm not gonna do all the work for you! This is just a start, and I'm sure someone with an interest will continue this work on. If you do, let me know how you get on.

This file contains ALL the valid commands that can be sent to a Mercury 121 mobile SIM card. Basically the cards that go into the bottom of a Mercury mobile phone, the one that has the telephone number etc. on it. I don't know how widespread Mercury 121 (well, it's just One2One now) is, so maybe some of you don't know what I'm talking about! Anyway, for those that do...... Before I go through the commands let's take a look at the Answer to Reset (this is all from memory so sorry if I made a mistake!)
RESET: 3b fb 11 00 00 00 00 00 01 10 01 a2 00 00 20 90 00

TS  = 3b   Direct convention (LSB first, logic 1 = high). Like every ISO 7816-3 card it uses even parity.
T0  = fb   High nibble F: TA1, TB1, TC1 and TD1 all follow. Low nibble B: 11 historic characters.
TA1 = 11   FI = 1 (F = 372) and DI = 1 (D = 1), i.e. 9600 bps at the usual 3.57 MHz card clock.
TB1 = 00   PI1 = 0: no programming voltage is required on Vpp. II = 0: maximum programming current 25 mA.
TC1 = 00   N = 0: no extra guard time. Characters are the minimum 12 etu apart (2 stop bits after the
           start, data and parity bits).
TD1 = 00   T = 0: asynchronous half-duplex character transmission. No further interface bytes follow.
HISTORIC CHARACTERS: 00 00 01 10 01 a2 00 00 20 90 00
TCK = Not present (it is only sent when a protocol other than T=0 is offered).

The guard time is very low at only 2 bits, which makes things easier! There doesn't seem to be any tricks here.

I used a standard Phoenix interface, along with a program I wrote myself to actually send the commands. I would recommend you use CARDEM, which has just been released by my m8 J.C., to send the commands, as this has the correct return codes already programmed in. You can find that on his web site at www.eurosat.com/jc. If you can't find that, use John Morrison's card utility, often named CARDJM.zip. You should be able to find this on nearly all sat BBSs and even some ordinary hack BBSs. You'll get a lot further with CARDEM, so try to get hold of that first.

O.K., the card actually has quite shit security! It answers with the standard two-byte ISO return codes (SW1 SW2): 92 00 for successful (in GSM 11.11 terms 92 0X means the command completed after X internal retries; 90 00 is the plain 'normal ending' code), 67 00 for a wrong length, 6B 00 for a bad P1/P2, and it has some of its own. What they mean I don't exactly know yet, although I have a few theories.

The class code for the One2One card is A0 (the GSM 11.11 class byte). So the command goes like this:

    Class code + Command + P1 + P2 + Length    (CLA INS P1 P2 P3, followed by the data bytes if the command sends any)

The class code is A0, and Command, P1, P2 and the length are shown in the table below. For commands that send data to the card, the length byte is the number of data bytes that follow; for commands that fetch data, it is the number of bytes you expect back. The return code is just what the card sends back, saying whether the command was successful etc. XX in the table means any value, i.e. from 00 to ff.
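Going back to the ATR: the following is an added example, not part of the original file, that decodes an ISO 7816-3 Answer To Reset byte by byte the same way the walk-through above does by hand. The bytes in PAGE_ATR are transcribed from the RESET line; the 3.5712 MHz clock used for the baud figure is the ISO 7816-3 reference clock and is an assumption, since the text does not say what clock the Phoenix interface supplies. The short T=1 ATR in the usage note is constructed only to exercise the TCK check.

```python
"""Added example, not part of the original file: decode an ISO 7816-3 Answer To
Reset byte by byte, the way the text above does by hand."""

# ISO 7816-3 TA1 tables: FI -> F (clock rate conversion), DI -> D (bit rate adjustment)
FI_TO_F = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
           9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI_TO_D = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}
II_TO_MA = {0: 25, 1: 50, 2: 100}          # TB1 bits b7 b6: maximum programming current in mA

# The One2One ATR quoted in the text above, transcribed as bytes
PAGE_ATR = bytes.fromhex("3bfb110000000000011001a20000209000")


def parse_atr(atr):
    """Split an ATR into TS, T0, interface bytes TAi..TDi, historical bytes and TCK."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR")
    t0 = atr[1]
    result = {"convention": "direct" if atr[0] == 0x3B else "inverse",
              "interface": {}, "protocols": []}
    n_hist, y, i, k = t0 & 0x0F, t0 >> 4, 2, 1
    while True:
        # the high nibble of T0 (then of each TDi) flags which of TAi TBi TCi TDi follow
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if i >= len(atr):
                    raise ValueError("ATR truncated in interface bytes")
                result["interface"][f"{name}{k}"] = atr[i]
                i += 1
        td = result["interface"].get(f"TD{k}")
        if td is None:
            break
        result["protocols"].append(td & 0x0F)   # low nibble of TDi is a protocol type T
        y, k = td >> 4, k + 1
    if i + n_hist > len(atr):
        raise ValueError("ATR truncated in historical bytes")
    result["historical"] = atr[i:i + n_hist]
    i += n_hist
    result["protocols"] = result["protocols"] or [0]   # no TD1 at all means T=0
    # TCK is present only if a protocol other than T=0 was offered; XOR of T0..TCK must be 0
    if any(t != 0 for t in result["protocols"]):
        if i >= len(atr):
            raise ValueError("TCK missing")
        xor = 0
        for b in atr[1:i + 1]:
            xor ^= b
        result["TCK"], result["tck_ok"] = atr[i], xor == 0
        i += 1
    else:
        result["TCK"] = None
    result["trailing"] = atr[i:]   # anything left over is not part of the ATR
    return result


def decode_t0_params(parsed, clock_hz=3_571_200):
    """Read F, D, Vpp and guard time out of TA1/TB1/TC1 (assumed defaults when absent)."""
    iface = parsed["interface"]
    ta1, tb1, tc1 = iface.get("TA1", 0x11), iface.get("TB1", 0x00), iface.get("TC1", 0x00)
    f, d = FI_TO_F.get(ta1 >> 4), DI_TO_D.get(ta1 & 0x0F)
    return {
        "F": f, "D": d,
        "baud": clock_hz * d // f if f and d else None,      # one etu is F/D clock cycles
        "vpp_required": (tb1 & 0x1F) != 0,                    # PI1 = 0: Vpp not connected
        "max_programming_mA": II_TO_MA.get((tb1 >> 5) & 0x03),
        "extra_guard_etu": tc1,                               # N; 0 = minimum 12 etu per character
        "protocol": parsed["protocols"][0],
    }
```

`parse_atr(PAGE_ATR)` gives TA1 = 11, TB1 = TC1 = TD1 = 00, the eleven historic characters and no TCK, and `decode_t0_params` on it returns F = 372, D = 1, 9600 bps, no Vpp and zero extra guard time, which is the reading given above. Feeding it the constructed five-byte ATR 3B 80 80 01 01 (T=0 then T=1 offered) shows the TCK path: the checksum byte is read and verified.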
(Where a row is followed by a 'to' row, every value from the first row up to the second gave the same return code.)

COMMAND  P1  P2  LENGTH  RETURN CODE  MEANING OF RETURN CODE
-----------------------------------------------------------------------------
  20     00  01    08      00,00      -------------
-----------------------------------------------------------------------------
  21     XX  XX    XX      20,00      -------------
-----------------------------------------------------------------------------
  24     00  01    10      00,00      -------------
         00  02    10      00,00      -------------
-----------------------------------------------------------------------------
  25     XX  XX    XX      DB,00      -------------
-----------------------------------------------------------------------------
  26     00  01    08      00,00      -------------
         00  02    08      00,00      -------------
-----------------------------------------------------------------------------
  27     XX  XX    XX      02,00      -------------
-----------------------------------------------------------------------------
  28     00  01    08      00,00      -------------
         00  02    08      00,00      -------------
-----------------------------------------------------------------------------
  29     XX  XX    XX      02,00      -------------
-----------------------------------------------------------------------------
  2C     00  00    10      82,00      -------------
         00  01    10      82,00      -------------
         00  02    10      82,00      -------------
-----------------------------------------------------------------------------
  2D     XX  XX    XX      82,00      -------------
-----------------------------------------------------------------------------
  82     00  00    11      98,00      -------------
-----------------------------------------------------------------------------
  83     XX  XX    XX      67,00      INCORRECT LENGTH
-----------------------------------------------------------------------------
  84     00  00    10      92,00      COMMAND O.K. (16 BYTES RETURNED)
-----------------------------------------------------------------------------
  85     00  00    00      92,00      COMMAND O.K. (00 BYTES RETURNED)
   to    FF  FF    FF      92,00      COMMAND O.K. (FF BYTES RETURNED)
-----------------------------------------------------------------------------
  88     00  00    10      00,00      -------------
   to    00  04    10      00,00      -------------
-----------------------------------------------------------------------------
  89     XX  XX    XX      67,00      INCORRECT LENGTH
-----------------------------------------------------------------------------
  A1     XX  XX    XX      67,00      INCORRECT LENGTH
-----------------------------------------------------------------------------
  A2     00  00    01      94,00      -------------
   to    FF  03    FF      94,00      -------------
-----------------------------------------------------------------------------
  A3     XX  XX    XX      94,00      -------------
-----------------------------------------------------------------------------
  A4     00  00    00      VARIOUS    INCORRECT LENGTH
   to    FF  00    FF                 INCORRECT REFERENCE
                                      GENERIC ERROR (NO ERROR CODE)
         Definitely one to look at. All values are valid for P1. Only 00 is
         valid for P2. Different values for length give one of three return
         codes. I assume the data part of the message contains further
         reference points. Possibly some kind of activation/deactivation
         command.... could even be a read/write command. Needs further analysis.
-----------------------------------------------------------------------------
  A5     XX  XX    XX      5B,00      -------------
-----------------------------------------------------------------------------
  B0     00  00    01      94,00      -------------
   to    FF  FF    FF      94,00      -------------
-----------------------------------------------------------------------------
  B1     XX  XX    XX      94,00      -------------
-----------------------------------------------------------------------------
  B2     XX  XX    XX      94,00      -------------
-----------------------------------------------------------------------------
  B3     XX  XX    XX      94,00      -------------
-----------------------------------------------------------------------------
  C0     00  00    01      92,00      COMMAND O.K. (01 BYTES RETURNED)
   to    00  00    22      92,00      COMMAND O.K. (22 BYTES RETURNED)
-----------------------------------------------------------------------------
  C1     XX  XX    XX      6B,00      INCORRECT REFERENCE
-----------------------------------------------------------------------------
  D4     00  00    03      00,00      -------------
-----------------------------------------------------------------------------
  D5     XX  XX    XX      67,00      INCORRECT LENGTH
-----------------------------------------------------------------------------
  D6     XX  XX    01      94,00      -------------
   to    XX  XX    FF      94,00      -------------
-----------------------------------------------------------------------------
  D7     XX  XX    XX      94,00      -------------
-----------------------------------------------------------------------------
  DC     XX  XX    01      94,00      -------------
   to    XX  XX    FF      94,00      -------------
-----------------------------------------------------------------------------
  DD     XX  XX    XX      94,00      -------------
-----------------------------------------------------------------------------
  E0     XX  XX    0D      98,00      -------------
   to    XX  XX    29      98,00      -------------
-----------------------------------------------------------------------------
  E1     XX  XX    XX      6B,00      INCORRECT REFERENCE
-----------------------------------------------------------------------------
  E2     00  00    XX      94,00      -------------
-----------------------------------------------------------------------------
  E3     XX  XX    XX      6B,00      INCORRECT REFERENCE
-----------------------------------------------------------------------------
  F2     00  00    01      92,00      COMMAND O.K. (01 BYTES RETURNED)
   to    00  00    22      92,00      COMMAND O.K. (22 BYTES RETURNED)
-----------------------------------------------------------------------------
  F3     XX  XX    XX      6B,00      INCORRECT REFERENCE
-----------------------------------------------------------------------------
  FA     00  00    00      92,00      COMMAND O.K.
-----------------------------------------------------------------------------
  FB     XX  XX    XX      6B,00      INCORRECT REFERENCE
-----------------------------------------------------------------------------

As a starting point I would suggest looking at commands 84, 85, C0, F2, FA and especially A4, since these commands return the ISO command O.K. code. Also most of these send some bytes back from the card. I was going to wire up my Season interface to monitor the data between the card and the phone, but other things have come up, and that's the main reason I am releasing this. Otherwise it'll never get done!

I think A4 is the main command to concentrate on if you're going to experiment with the data you send the card. If you can't be bothered to try that, try to get more data from the card by using commands 84, C0 or F2 with one or two data bytes.

If you need a card to experiment on, just tell one of your m8s to report theirs stolen and use theirs (or they can say it broke!). It will get blocked, but that ain't no big deal; you ain't gonna use it in a phone anyway! Actually that could be an advantage, because if you're using a new Ericsson it asks if you want to unblock the card; if you say yes it asks for the unblock key. Now it must read the card to check if the unblock key you entered is the same as the one in the card! If you captured this command you could try to change it and possibly dump the whole card!

This brings me to the whole point of going to all the trouble.... you can clone a personal tariff card so you can get free after 7 calls every day of the week. Also both cards can be used at the same time due to a loophole in the way their digital system works! In fact there is nothing stopping you capturing IDs off the air either. You could steal someone's personal tariff and use it at the same time without them ever knowing. Or you could be mean and use it as a digital basher!
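The following is an added example, not code from the original file and not CARDEM or CARDJM. It builds the five-byte CLA INS P1 P2 P3 commands described above, decodes the two-byte status words with their GSM 11.11 meanings, and sweeps the INS space the way the table was produced. For reference, in GSM 11.11 CLA A0 is the GSM class, A4 is SELECT (P1 P2 = 00 00, length 02, data = the two-byte file ID), C0 is GET RESPONSE, F2 is STATUS, B0 is READ BINARY and FA is SLEEP, which lines up with the A4 row above accepting only a single length. The sweep skips the three CHV commands (20, 24, 2C) because every wrong guess burns one of a live card's CHV or PUK attempts and will block it. FakeSim is a constructed in-memory stand-in implementing a small GSM 11.11 subset over a made-up MF/DF/EF; its file contents and abbreviated SELECT response are invented for the example and say nothing about the One2One card. To drive real hardware, replace it with any object whose transmit(bytes) returns (data, SW1, SW2), for instance a thin wrapper around pyscard's CardConnection.transmit, which takes a list of ints and returns that same triple.

```python
"""Added example, not from the original file or from CARDEM/CARDJM: build the
CLA INS P1 P2 P3 commands described above, decode status words with their
GSM 11.11 meanings, and sweep the INS space the way the table was produced.
FakeSim is a constructed in-memory card, not the One2One SIM."""

CLA_GSM = 0xA0
# GSM 11.11 instruction bytes used below
SELECT, READ_BINARY, GET_RESPONSE, STATUS = 0xA4, 0xB0, 0xC0, 0xF2
# CHV commands: every wrong guess burns a CHV/PUK attempt, so a sweep must skip them
VERIFY_CHV, CHANGE_CHV, UNBLOCK_CHV = 0x20, 0x24, 0x2C


def build_apdu(ins, p1, p2, data=b"", le=0):
    """Five-byte T=0 header; P3 is Lc when data goes out, Le when data is expected back."""
    if data and le:
        raise ValueError("T=0 has a single length byte: pass data or le, not both")
    return bytes([CLA_GSM, ins, p1, p2, len(data) if data else le]) + data


def decode_sw(sw1, sw2):
    """Status words as defined in GSM 11.11 section 9.4."""
    if (sw1, sw2) == (0x90, 0x00):
        return "normal ending"
    if sw1 == 0x9F:
        return f"normal ending, {sw2} bytes waiting for GET RESPONSE"
    if sw1 == 0x92:
        return "memory problem" if sw2 == 0x40 else f"successful after {sw2 & 0x0F} internal retries"
    exact = {(0x94, 0x00): "no EF selected", (0x94, 0x02): "out of range (invalid address)",
             (0x94, 0x04): "file ID or pattern not found", (0x94, 0x08): "file inconsistent with command",
             (0x98, 0x02): "no CHV initialised", (0x98, 0x04): "access condition not fulfilled / wrong CHV",
             (0x98, 0x08): "in contradiction with CHV status", (0x98, 0x40): "CHV blocked, no attempts left"}
    by_sw1 = {0x67: "incorrect parameter P3 (length)", 0x6B: "incorrect parameter P1 or P2",
              0x6D: "unknown instruction code", 0x6E: "wrong instruction class", 0x6F: "technical problem"}
    return exact.get((sw1, sw2)) or by_sw1.get(sw1) or f"unknown status {sw1:02X} {sw2:02X}"


class FakeSim:
    """Constructed GSM 11.11 subset: MF 3F00, DF 7F20 and EF 2FE2 with made-up contents."""
    FILES = {0x3F00: (0x01, None), 0x7F20: (0x02, None),          # file ID: (type, body)
             0x2FE2: (0x04, bytes.fromhex("98440000000000000000"))}

    def __init__(self):
        self.selected, self.pending = 0x3F00, b""

    def _fci(self, fid):
        # abbreviated SELECT response: 4 RFU/memory bytes, file ID, file type
        return bytes(4) + fid.to_bytes(2, "big") + bytes([self.FILES[fid][0]])

    def transmit(self, apdu):
        """Return (data, SW1, SW2), the shape pyscard's CardConnection.transmit also returns."""
        cla, ins, p1, p2, p3 = apdu[:5]
        data = apdu[5:]
        if cla != CLA_GSM:
            return b"", 0x6E, 0x00
        if ins == SELECT:                    # A4: P1 P2 must be 00 00 and P3 must be 02
            if p1 or p2:
                return b"", 0x6B, 0x00
            if p3 != 2 or len(data) != 2:
                return b"", 0x67, 0x00
            fid = int.from_bytes(data, "big")
            if fid not in self.FILES:
                return b"", 0x94, 0x04
            self.selected, self.pending = fid, self._fci(fid)
            return b"", 0x9F, len(self.pending)
        if ins in (GET_RESPONSE, STATUS):    # C0 / F2: P3 must equal the length on offer
            body = self.pending if ins == GET_RESPONSE else self._fci(self.selected)
            if p3 != len(body):
                return b"", 0x67, len(body)
            return body, 0x90, 0x00
        if ins == READ_BINARY:               # B0: needs a transparent EF selected first
            ftype, body = self.FILES[self.selected]
            if ftype != 0x04:
                return b"", 0x94, 0x00
            offset = (p1 << 8) | p2
            if offset + p3 > len(body):
                return b"", 0x94, 0x02
            return body[offset:offset + p3], 0x90, 0x00
        return b"", 0x6D, 0x00


def sweep_ins(card, p1=0, p2=0, data=b"", le=0, skip=(VERIFY_CHV, CHANGE_CHV, UNBLOCK_CHV)):
    """Send every INS with fixed P1/P2/P3 and group the INS bytes by status word."""
    groups = {}
    for ins in range(256):
        if ins in skip:
            continue
        _, sw1, sw2 = card.transmit(build_apdu(ins, p1, p2, data, le))
        groups.setdefault((sw1, sw2), []).append(ins)
    return groups


def read_file(card, path, length):
    """SELECT each file ID along the path, then READ BINARY `length` bytes."""
    for fid in path:
        _, sw1, sw2 = card.transmit(build_apdu(SELECT, 0, 0, fid.to_bytes(2, "big")))
        if sw1 != 0x9F:
            return b"", (sw1, sw2)
    data, sw1, sw2 = card.transmit(build_apdu(READ_BINARY, 0, 0, le=length))
    return data, (sw1, sw2)
```

`sweep_ins(FakeSim(), data=b"\x3f\x00")` sends A0 ins 00 00 02 3F 00 for every INS and returns one bucket per status word: the SELECT hits 9F 07, READ BINARY gets 94 00 because the MF is selected, GET RESPONSE and STATUS answer 67 07 because P3 did not match the 7 bytes on offer, and everything else is 6D 00 (unknown INS). Against a real card the same grouping is what separates the handful of implemented instructions from the noise, and `read_file(card, [0x3F00, 0x2FE2], n)` is the select-then-read sequence that actually pulls bytes out once you know which INS values work.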
However, be warned: One2One is no longer secure (along with GSM). You can record the conversation and decrypt it on your Pentium... then play it back through your sound card. I suppose you could do it in real time with an MMX; haven't tried it yet!

KAM

Email: kgb@pemail.com
       personal.007@pemail.com

-======1996/7======-

It's quality of files not quantity! If you want American rip-offs like the other groups, just let me know!