NOTE: This stuff is only for the knowledge not for any personal usage...

Please don't try this anyways... This is just for the educational purpose not for Hacking Purpose...

From: O&M Enterprise
Oscar & Micheal...

Mar 22, 2008



After doing a lot of research and a bit of help from Av1, Av4 and a number of Avatar235's friends I have come to the conclusion that the Australian CDMA network structure is insecure. This document will describe (in layman's terms) a method that can be used to Clone (copy) another CDMA phone wirelessly and in an unintrusive manner (ie. sneakyness).

Cloning of mobile phones is the activity of copying the subscriber information from one phone onto the other for purposes of obtaining free calls. This is done by reprogramming an empty CDMA compatible phone (you can do a Factory reset to empty them) with the 'victims' ESN (Electronic Serial Number) and MIN (Mobile Information Number. Getting these numbers can be tricky unless you have physical access to the victim's phone.

Eavesdropping is simply the act of listening in on a conversation over the network from your mobile phone. See the next section for details on which phones can be used.

***The infamous OKI.
The oki 900 cellular phone is one of the if not the most modifiable cellular telephone in the world. It is based around an 8051 microprocessor, and the main program is stored on a 27C512 eprom. Oki reproduced it's popular model 900 cellular phone for AT&T under the model AT&T 3730. Both are identical in appearance and in circuitry. The 900 operates off of 6 volts, either from a ni-cad battery or one of two types of battery eliminators . The 900's antenna is an sma connector.
This phone (the 900) was the basis of most cellular hacks in the time of AMPS system structure in the US (and still is due to poor upgrading of network structure. But don't be fooled, not all OKIs are able to do the things described in this file. The phones compatible with the functions described herein are: OKI 900, 1150, 1325, and 1335.
None of these phones were for sale within Australia from memory. You may be able to find similar functioning phones in Aus like a number of Motorola Phones, but I have no interest in these 'lower class phones'.

***Forced Analog Transmission (FAT).
Forced Analog transmission is where the CDMA network is congested to such a level that any new phones to enter the Cell area are connected to the AMPS (analog) backbone system of the Telecommunication Corporations. This sub-network is in use everyday by employees of the Telcos and even by your GSM and CDMA mobiles.
How is it used? Well, when ever you are out of normal coverage on your GSM phone your phones on-screen status should display 'Emergency calls only' or similar, this status is your GSM mobile transferring over to the AMPS backbone network. GSM for some reason does not transfer over to the Backbone when it encounters congestion possibly because of the encryption differences or the fact that the GSM system is fairly reliable, don't qoute me on this.
So anyway, your victims CDMA phone tranfers it's ESN/MIN set over to the Backbone for authentication via CDMA's standardized CAVE (Cellular Authentication and Voice Encryption), this algorithm generates a 128-bit sub-key called the “Shared Secret Data” (SSD).
The A-Key, the ESN and the network-supplied RANDSSD are the inputs to the CAVE that generates SSD. The SSD has two parts: SSD_A (64 bit), for creating authentication signatures and SSD_B (64 bit), for generating keys to encrypt voice and signaling messages (voice encryption is not done when over FAT) .

The SSD can be shared with roaming service providers to allow local authentication. A fresh SSD can be generated when a mobile returns to the home network or roams to a different system.
I'm guessing most people here are thinking 'What the hell did that mean?' Simply the data for Network Identication of the mobile is sent to the MSC (Mobile Switching Centre) for authentication before 'pairing' the phone to the system.
The trick is that the ESN/MIN data is NOT encrypted on the way to the MSC for further authentication. So you can scan the airwaves for this data if you wish to clone a phone (after decoding the bitstream and re-encoding via software/hardware).

***Scanning the waves.
There are two purposes for scanning:
1. Eavesdropping.
Using an OKI described earlier, you will need to do the following:
Power on phone and immediately hold 7 + 9 at the same time while it boots up for about two seconds.
Release 7 + 9 and hit Menu, Send, End, Recall, Store, Clear and the phone should read good timing!!!
If all goes well hit 1 + 3 at the same time to clear the prompt.
Now hit #12 SND to recieve audio.
Then hit #77 SND and you should hear a buzzing noise because you have just enabled the loud speaker.
Ok, now to begin the scanning of channels enter the following command:
#73AAAABBBBCC SND AAAA = 4 digit low channel number (Channel to begin scan on) BBBB = 4 digit high channel (Cell Channel to end scan on) CC = 2 digit number for how many seconds to scan each channel
For example if you want to scan channels 50-300 at a 1 second interval you would enter:
#730050030001 SND and your scan should begin.
Press # when you find a channel with someone talking you want to listen to and press # again to resume scanning. Press * to restart the scan.
Now if you only want to listen to a specific channel on a lower volume just enter this instead: #12 SND#76 SND to turn the receiver on#09SND to select channel you want to listen on.
2. Snatching Pairs.
Now sometimes you will come across a channel that is widely described as 'Hornets/Bees Buzzing'. This is the encoded ESN/MIN pair. The OKI series described has a headphone jack so you can plug this into your computer to record and decode. I will not go into decoding here, as this is only a proof of concept, NOT a trainer in Electronic Identity Theft.
If you wish to build some devices that can scan the airwaves there is a book out by the author Rudolf F. "Rudy" Graham, called the Encyclopedia of Electronic Projects, Vol 7. Has everything you would want to know about electronic serveilence EXCEPT the holy grail, GSM Intercepting.
***Cloning from your Snatched Pair You will need to follow these instructions to the letter, a s this is very tricky stuff and could ruin your phone.
The ESN/MIN pair is called the NAM, this is what you will need to program using these intructions:
1. Turn power on.
2. Within 30 seconds press RCL & MENU keys together and release, enter * 1 2 3 4 5 6 7 8 #, (or enter dealer password if one has been used).
NOTE: If the dealer password is unknown and the factory default does not work use the following "back door" code: * 6 2 7 2 9 8 5 4 #.
3. The phone will then display the Software Version followed by the ESN in hex
NOTE: If you used the dealer password successfully in step 2 go straight to step 5 below.
4. The phone will display "ENTER NEW PW AND STO" you may enter a ten digit password at this stage to be used in future re-programings. Press STO to retain default password or enter a ten digit password and press STO.
5. The phone will display "RE-ENTER PW AND STO" re-enter the password, press STO to confirm. Again, press STO to retain default password.
6. The following "re-set" options can be bypassed by pressing volume down to scroll. Each step is followed two seconds later by "Press * to Clear", you can either press * or press CLR to bypass. Step# Display Action 01 SSN# Wait 2 seconds. Press * to Reset Press * to clear social security (not used)02 SPD MEM CLR Wait 2 seconds. Press * to Reset Press * to initialize speed dial memories.03 DEFAULT DATA SET Wait 2 seconds. Press * to Reset Press * to initialize unit. POWER ON MESSAGE Wait 2 seconds. Enter ALPHA Enter up to 8 characters followed by STO, or press CLR to bypass.
7. The STO key stores each entry.
8. The Volume UP key scrolls down through the steps.
9. The Volume DOWN key scrolls UP through the steps.
10. At any time press CLR to exit program mode. Phone will display "NAM x Program" press CLR to exit, or continue with additional NAMS. You may also go directly to any NAM by pressing Volume Down when phone displays "NAM x Program". NAM's 2 through 5 only have steps 01 - 06 below. {PROGRAMMING DATA: STEP# #OF DIGITS/RANGE DISPLAY DESCRIPTION 01 10 DIGITS Own# MIN (AREA CODE & PHONE NUMBER)02 5 DIGITS System ID SYSTEM ID03 4 DIGITS IPCH NO. IPCH AUTOMATICALLY SET04 2 DIGITS ACCOLCC ACCESS OVERLOAD05 2 DIGITS GIM GROUP ID (10 FOR USA)06 3 OR 4 DIGITS Unlock LOCK CODE07 4 DIGITS SCM STATION CLASS MARK, USE 1000.08 4 DIGITS/0 OR 1 OPTION OPTION BITS: 1 enables, from left to right: MIN Mark Hands Free Local Use NOT USED9 6 DIGITS SECURITY SECURITY CODE (DEFAULT IS LAST SIX DIGITS OF ESN) }

***Enhancing your OKI.
13. OKI 900 Modifications
Several software modifications exist, below is a list and an explanation of each. These mods are to be burned into the 27c512 SOIC chip inside the OKI 900. They are 150ns 28 pin SOIC chips. An SOIC adapter will be required, and can probably be aquiered through the same place you got your burner. This chip is located on the same side and same board as the lcd, in the lower left hand corner.
4701 - The original mod, holds 5 ESN programmed byte by byte.4711 - Update to the 4701 (fixed bugs).4712 - The most popular and least buggy mod. Works well with C-TEK (See 'C-tek' next section).
Change ESN: (for all above mods)
Press MENU 8 times, until you see ADM menu. Press RCL and enter 123456Use RCL to move from one ESN to another, and STO to save your options. REBOOT Phone!!!!!
Enter Debug Mode: ESN Number Address -------------------------------- ESN Location #1 $BE8E-$BE91 ESN Location #2 $BE93-$BE96 ESN Location #3 $BE98-$BE9B ESN Location #4 $BE9D-$BEA0 ESN location #5 $BEA2-$BEA5 Key: #54 XXXX xx In order, one thru four bytes of ESN Address (Location) The write byte debug command
To use the 0-9 keys, just use 0-9, to access A-F, hit STAR ("*") before 1-6 for A-F. The "*" key can be thought of as a shift key. If you hit the "*" twice, it will act as if you did not hit the "*" at all.
Program NAM:
Enter RCL + MENU, *, 6, 2, 7, 2, 9, 8, 5, 4, # you can then use the up and down keys to scroll through the information and change the appropriate nam.
4715 - Newest widely available mod. Should work with C-TEK This mod will allow you to use 230 ESNs and set a number of times each ESN can be used before auto deletion. Each NAM must be programmed manually.
I have data relating to these mods and can be given on request.
The actual microcontroler is an 8051 derivitave, and a lot of information on programming it can be found on the Internet.

Cellular Telephone Experimenters Kit for the OKI-900/1150
The Cellular Telephone Experimenters Kit allowscontrol of a cellular telephone from a personal computer. The Kit connects any DOS-based PC with a serial port to an OKI-900/1150 phone.
The kit is designed for technicians, students, professionals, hobbyists, and others interested in using, learning, repairing, and experimenting with cellular telephone technology.
The kit consists of an interface adapter, software and manual. The interface adapter converts the cellular phone's proprietary interface to a standard RS-232 interface, and allows connection of external audio signals to the cellular phone. The interface is not designed for data transmission over the cellular system.
The kit includes the cellular telephone interface adapter; a manual and a short cellular tutorial; four programs; a programming library and documentation; and cellular related informational files.
One program is designed for testing the phone and allows a technician to activate many of the OKIs built in test modes and functions, such as tuning to a particular channel, activating carrier, sat, signaling tones, etc.
Another program can be used to access the phone's user features, such as programming NAMs, or uploading, downloading and editing the phone's 200 alphanumeric telephone number memories on the PC.
A programming library object module is supplied to allow you to write your own programs to access the phone in both normal operating mode and in test mode. The library contains functions such as tuning to a channel, turning carrier/audio/sat-tones/signaling-tones on and off, reading received signal strength, sending and receiving digital control messages, and sending and decoding DTMF tones.
Two programs are supplied in source form that give examples of writing applications in either of these modes. One of these programs shows how the PC can completely control the cellular phone, making and receiving calls while the phone is only operating in its test mode, with the PC handling all of the cellular protocol and messaging functions. The other program simply controls the phone by simulating presses on its keypad from the PC.
All code and libraries were compiled using Borland Turbo C 2.0 running under DOS.
NOTE: The OKI 1335 Does not require the C-Tek Dongle Interface cable, it is already RS-232 compliant :).
I have the schematics for a hacked version of the C-Tek and sample software for learning to program your OKI yourself.

CIA-SCAN: fvoc and dtmf display via c-tek (does more) Various other c-tek applications exist, mail me your list, and the files and I will include them.
Scan1c: This appears to be an update to CIA SCAN. It has a graph of signal strengths and most of the same features as CIA but with better control, and can scan both forward, and backwards.
Please let me know of any additional Software you find for the OKI.

This is only a proof of concept. I do not condone Electronic Identity Theft.
When I recieve my OKI 1335 from the US I will re-write this doc with pictures and make it a PDF.

*Note: I just went off on a tangent with this doc and forgot to say that you will need to enter the ESN/MIN pair into an empty CDMA phone. I have not tested using the OKI for Forced Analog Transmission as standard.

O&M Hackers.


Hacking Videos