CELLULAR TELEPHONE MESSAGE CODES
úúúÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄúúú 9-FEB-89
ÉÍÏÍÍÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍ» ÚÄÄÄÄÄÄÄÄúúú
úúúÄÄÄÄÄÄÄÄÄÄÄÄÄÄĶ THE DNA BOX ÇÄÄÄÄÙ ÚÄÄÄÄÄÄÄÄÄúúú
úúúÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄĶ Hacking Cellular Phones ÇÄÄÄÄÄÄÙ
ÈÑÍÑÍÑÍÑÍÑÍÑÍÑÍÑÍÑÍÍÍÑÍÑÍѼ
úúúÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄúúú
P A R T S I X
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
CELLULAR TELEPHONE MESSAGE CODES
============================================================================
The previous file (Part Five) listed the Message Formats and Message Words
used by the Cellular Telephone system. Message words have variable
sub-fields that are set to convey various information (such as dialed
numbers, mobile phone ID, commands, requests, channel assignments etc.).
Here are the codes used in Message Word subfields during data transmissions.
============================================================================
Mobile Station Automatic Attenuation Levels
Mobile Attenuation Code (MAC)
Power Classifications
MAC I II III Nominal ERP Power Outputs
--- --- --- --- Class ERP Level
000 6 2 -2 --------- ---- --------
001 2 2 -2 Class I 4W ( 6 dBW)
010 -2 -2 -2 Class II 1.6W ( 2 dBW)
011 -6 -6 -6 Class III 0.6W (-2 dBW)
100 -10 -10 -10
101 -14 -14 -14
110 -18 -18 -18
111 -22 -22 -22
(Attenuation in dBW)
=========================================================
Station Class Mark (SCM)
SCM Station Class, Transmission
---- ----------------------------
xx00 Class I
xx01 Class II
xx10 Class III
00xx Continuous Transmissions
01xx Discontinuous Transmissions
(for example 0010 means Class I Continuous Transmissions)
=========================================================
Digital Color Code (DCC)
Received Coded
-------- -------
00 0000000
01 0011111
10 1100011
11 1111100
=======================================
SAT Color Code (Supervisory Audio Tone)
Code Frequency
---- ---------
00 5970 Hz
01 6000 Hz
10 6030 Hz
11 (not a channel designation)
====================================
Digit Code (for dialed numbers etc.)
Digit Code
----- ----
1 0001
2 0010
3 0011
4 0100
5 0101
6 0110
7 0111
8 1000
9 1001
0 1010 (zero is encoded as a binary ten)
* 1011
# 1100
Null 0000 (when no digit present)
===================================
Order and Qualification Codes
Order Qual Function
----- --- ---------------------
00000 000 page (or origination)
00001 000 alert
00011 000 release
00100 000 reorder
00110 000 stop alert
00111 000 audit
01000 000 send called-address
01001 000 intercept
01010 000 maintenance
01011 000 change to power level 0
01011 001 change to power level 1
01011 010 change to power level 2
01011 011 change to power level 3
01011 100 change to power level 4
01011 101 change to power level 5
01011 110 change to power level 6
01011 111 change to power level 7
01100 000 directed retry - not last try
01100 001 directed retry - last try
01101 000 non-autonomous registration - do not make whereabouts known
01101 001 non-autonomous registration - make whereabouts known
01101 010 autonomous registration - do not make whereabouts known
01101 011 autonomous registration - make whereabouts known
11110 000 local control
(All other codes are reserved)
==============================================================
Overhead Message Type
Code Order
---- ------------------
000 registration ID
001 control-filler
010 (reserved)
011 (reserved)
100 global action
101 (reserved)
110 word 1 of system parameter message
111 word 2 of system parameter message
=======================================
Global Action Message Types
Code Action Type
---- -----------
0000 (reserved)
0001 rescan paging channels
0010 registration increment
0011 (reserved)
0010 (reserved)
0011 (reserved)
0100 (reserved)
0101 (reserved)
0110 new access channel set
0111 (reserved)
1000 overload control
1001 access type parameters
1010 access attempt parameters
1011 (reserved)
1100 (reserved)
1101 (reserved)
1110 local control 1
1111 local control 2
====================================================================
Restricted Central Office Codes.
Cellular phone numbers are NEVER issued with these patterns in order
to prevent Word Sync patterns from occuring inside a command word.
1xx-xxxx 544-2xxx 864-2xxx
224-2xxx 568-1xxx thru 568-7xxx 899-xxxx
288-2xxx 595-8xxx thru 595-0xxx 800-xxxx
339-8xxx thru 339-0xxx 663-xxxx thru 666-xxxx 928-2xxx
352-xxxx 672-2xxx 992-2xxx
416-2xxx 736-2xxx 909-xxxx
470-2xxx 790-2xxx 0xx-xxxx
508-2xxx 851-8xxx thru 851-0xxx
=====================================================================
Bose-Chaudhuri-Hocquenghem (BCH) Codes
Right now the best GUESS, based on available material, is that BCH coding
is the way that the 12 bit Parity field is computed.
The "polynomial" that generates the code is given as:
12 10 8 5 4 3 0
gB(X)= X + X + X + X + X + X + X
Taking this verbatim in the usual way (superscripts meaning exponentiation)
gives ridiculous results that would be difficult to compute at the
10 Kb/s data rate required by the Cellular Data Protocol. It makes more sense
to interpret this notation to indicate that the bits of the message word are
summed (in binary) in 12, 10, 8, 5, 4, and 3 bit bytes with 1 added.
That is: the word is broken up into a bunch of sub-bytes of a certain length,
these are added together, the original word is again broken into sub-bytes of
the next length and those are summed ... until all listed lengths have been
summed. THEN all of those sums are summed and 1 is added. The low order
12 bits of the results of this procedure are used as the parity bits.
THIS IS ALMOST PURE SPECULATION. Confirmation is currently being sought at
university engineering libraries, or by examining the parity bits in
published examples or intercepted cellular messages.
The Parity bits are irrelevant to hacking Cellular ID codes however, because
message words are repeated many times in each message block, and the ID
fields (MIN1, MIN2, and SID) can simply be lifted from the most
frequent (and most likely error-free) message words in the block.
HOWEVER: If BCH coding transforms the message bits as well as the Parity
bits then the proper BCH coding algorithm becomes critical. If all else fails,
diassembling the ROM firmware from a Cellular Phone should be conclusive.
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ The DNA BOX - Striking at the Nucleus of Corporate Communications. ³
³ A current project of... ³
Outlaw
Telecommandos
º³Ý³³Þº³Ýݳ³Þ³Ý³º
º³Ý³³Þº³Ýݳ³Þ³Ý³º
ºxx-xxx-xxx-xxxxº
ÉÍÏÍÍÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍÏÍ» ÚÄÄÄÄÄÄÄÄúúú
úúúÄÄÄÄÄÄÄÄÄÄÄÄÄÄĶ THE DNA BOX ÇÄÄÄÄÙ ÚÄÄÄÄÄÄÄÄÄúúú
úúúÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄĶ Hacking Cellular Phones ÇÄÄÄÄÄÄÙ
ÈÑÍÑÍÑÍÑÍÑÍÑÍÑÍÑÍÑÍÍÍÑÍÑÍѼ
úúúÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄúúú
P A R T S I X
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
CELLULAR TELEPHONE MESSAGE CODES
============================================================================
The previous file (Part Five) listed the Message Formats and Message Words
used by the Cellular Telephone system. Message words have variable
sub-fields that are set to convey various information (such as dialed
numbers, mobile phone ID, commands, requests, channel assignments etc.).
Here are the codes used in Message Word subfields during data transmissions.
============================================================================
Mobile Station Automatic Attenuation Levels
Mobile Attenuation Code (MAC)
Power Classifications
MAC I II III Nominal ERP Power Outputs
--- --- --- --- Class ERP Level
000 6 2 -2 --------- ---- --------
001 2 2 -2 Class I 4W ( 6 dBW)
010 -2 -2 -2 Class II 1.6W ( 2 dBW)
011 -6 -6 -6 Class III 0.6W (-2 dBW)
100 -10 -10 -10
101 -14 -14 -14
110 -18 -18 -18
111 -22 -22 -22
(Attenuation in dBW)
=========================================================
Station Class Mark (SCM)
SCM Station Class, Transmission
---- ----------------------------
xx00 Class I
xx01 Class II
xx10 Class III
00xx Continuous Transmissions
01xx Discontinuous Transmissions
(for example 0010 means Class I Continuous Transmissions)
=========================================================
Digital Color Code (DCC)
Received Coded
-------- -------
00 0000000
01 0011111
10 1100011
11 1111100
=======================================
SAT Color Code (Supervisory Audio Tone)
Code Frequency
---- ---------
00 5970 Hz
01 6000 Hz
10 6030 Hz
11 (not a channel designation)
====================================
Digit Code (for dialed numbers etc.)
Digit Code
----- ----
1 0001
2 0010
3 0011
4 0100
5 0101
6 0110
7 0111
8 1000
9 1001
0 1010 (zero is encoded as a binary ten)
* 1011
# 1100
Null 0000 (when no digit present)
===================================
Order and Qualification Codes
Order Qual Function
----- --- ---------------------
00000 000 page (or origination)
00001 000 alert
00011 000 release
00100 000 reorder
00110 000 stop alert
00111 000 audit
01000 000 send called-address
01001 000 intercept
01010 000 maintenance
01011 000 change to power level 0
01011 001 change to power level 1
01011 010 change to power level 2
01011 011 change to power level 3
01011 100 change to power level 4
01011 101 change to power level 5
01011 110 change to power level 6
01011 111 change to power level 7
01100 000 directed retry - not last try
01100 001 directed retry - last try
01101 000 non-autonomous registration - do not make whereabouts known
01101 001 non-autonomous registration - make whereabouts known
01101 010 autonomous registration - do not make whereabouts known
01101 011 autonomous registration - make whereabouts known
11110 000 local control
(All other codes are reserved)
==============================================================
Overhead Message Type
Code Order
---- ------------------
000 registration ID
001 control-filler
010 (reserved)
011 (reserved)
100 global action
101 (reserved)
110 word 1 of system parameter message
111 word 2 of system parameter message
=======================================
Global Action Message Types
Code Action Type
---- -----------
0000 (reserved)
0001 rescan paging channels
0010 registration increment
0011 (reserved)
0010 (reserved)
0011 (reserved)
0100 (reserved)
0101 (reserved)
0110 new access channel set
0111 (reserved)
1000 overload control
1001 access type parameters
1010 access attempt parameters
1011 (reserved)
1100 (reserved)
1101 (reserved)
1110 local control 1
1111 local control 2
====================================================================
Restricted Central Office Codes.
Cellular phone numbers are NEVER issued with these patterns in order
to prevent Word Sync patterns from occuring inside a command word.
1xx-xxxx 544-2xxx 864-2xxx
224-2xxx 568-1xxx thru 568-7xxx 899-xxxx
288-2xxx 595-8xxx thru 595-0xxx 800-xxxx
339-8xxx thru 339-0xxx 663-xxxx thru 666-xxxx 928-2xxx
352-xxxx 672-2xxx 992-2xxx
416-2xxx 736-2xxx 909-xxxx
470-2xxx 790-2xxx 0xx-xxxx
508-2xxx 851-8xxx thru 851-0xxx
=====================================================================
Bose-Chaudhuri-Hocquenghem (BCH) Codes
Right now the best GUESS, based on available material, is that BCH coding
is the way that the 12 bit Parity field is computed.
The "polynomial" that generates the code is given as:
12 10 8 5 4 3 0
gB(X)= X + X + X + X + X + X + X
Taking this verbatim in the usual way (superscripts meaning exponentiation)
gives ridiculous results that would be difficult to compute at the
10 Kb/s data rate required by the Cellular Data Protocol. It makes more sense
to interpret this notation to indicate that the bits of the message word are
summed (in binary) in 12, 10, 8, 5, 4, and 3 bit bytes with 1 added.
That is: the word is broken up into a bunch of sub-bytes of a certain length,
these are added together, the original word is again broken into sub-bytes of
the next length and those are summed ... until all listed lengths have been
summed. THEN all of those sums are summed and 1 is added. The low order
12 bits of the results of this procedure are used as the parity bits.
THIS IS ALMOST PURE SPECULATION. Confirmation is currently being sought at
university engineering libraries, or by examining the parity bits in
published examples or intercepted cellular messages.
The Parity bits are irrelevant to hacking Cellular ID codes however, because
message words are repeated many times in each message block, and the ID
fields (MIN1, MIN2, and SID) can simply be lifted from the most
frequent (and most likely error-free) message words in the block.
HOWEVER: If BCH coding transforms the message bits as well as the Parity
bits then the proper BCH coding algorithm becomes critical. If all else fails,
diassembling the ROM firmware from a Cellular Phone should be conclusive.
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ The DNA BOX - Striking at the Nucleus of Corporate Communications. ³
³ A current project of... ³
Outlaw
Telecommandos
º³Ý³³Þº³Ýݳ³Þ³Ý³º
º³Ý³³Þº³Ýݳ³Þ³Ý³º
ºxx-xxx-xxx-xxxxº
Comments
Post a Comment