Hacking Using GPRS | Shellcoders Programming Uncovered (Uncovered series)

It is clear to hackers that using an anonymous proxy and even chains of anonymous proxies is unsafe. Prudent hackers, therefore, carry out their attacks using GPRS. To achieve this, a hacker needs cellular phone supporting the GPRS protocol. The general principle of GPRS communications is shown in Fig. 3.3.

Figure 3.3: General principle of GPRS communications

A cellular phone, however, is a treacherous thing. Every phone has a unique number (or, to be more precise, a series of numbers ), which is automatically transmitted into the cellular network when the phone is powered up and even in the course of every call (this depends on the service provider). This allows intelligence services for locating stolen phones, track their owners , etc. The Subscriber Identity Module (SIM) card behaves in a similar way. It transmits identification information, using which it is easy to determine the first and last names of the subscriber. Sellers support special lists that mark to whom and when a specific phone was sold. Intelligence services keep vigilant watch over this. Some shops require the clients to show identification, but some do not require the customers to produce documents. Theoretically, it is possible that the purchaser with malicious intentions can specify fictitious name . Nevertheless, there always is some risk that the salesman would recognize a particular individual.

Therefore, to remain unnoticed, hackers privately purchase second-hand cellular phones for an astronomical price. As a rule, such phones are stolen. If necessary, they also obtain SIM cards with some money on the account, proceeding the same way. Having achieved this, the hacker takes a notebook, travels to some uninhabited location, and carries out the planned attack or uploads a newly-written virus to the Internet. To conceal the attack, hackers usually destroy the phones. Under these circumstances, to identify the attacker, intelligence agents will have to trace the entire chain of events: to whom the phone was initially sold, when it was stolen, who stole it, who resold it, etc. Even if they succeed in doing this, they still have no evidence of the hacker's criminal activity, because the exhibit (mobile phone) is destroyed and the discreditable data have already been either erased or encrypted.

If the hacker indulges in such activities only occasionally, the preceding scenario will do. However, if the hacker becomes impudent enough to carry out such attacks regularly, then intelligence services will quickly locate the suspect and have that person shadowed . Even if attacks are carried out from different locations, taking the bearings of the cellular phone is a trifling affair. Cunning hackers know about it; therefore, clever and wary ones proceed as follows : They take a mobile phone supporting Bluetooth, wipe it with alcohol to remove the fingerprints , and hide it under a heap of trash in the middle of neglected ground. The hacker with the notebook carries out the attack from a considerable distance (Bluetooth range is within the limits of 3,000 feet) but within the "line of sight" of the antenna. If suspicious "guests" appear, the hacker stops the attack and bolts.

You might ask why such measures are needed if it is possible to go to any Internet cafe, secretly connect to the local telephone loop in an apartment building, etc. Hackers are not fools. All these methods are unsafe and unreliable. However, destroying the telephone after each attack is too expensive. There will never be enough cellular telephones. With a certain level of risk, however, the hacker might decide to change the International Mobile Equipment Identity (IMEI) number after each attack. In this case, it will not be necessary to destroy the phone. If desired, it is also possible to reprogram the SIM card; however, this is not worth the trouble.

GPRS Modems versus Cellular Phones

Besides cellular phones, it is possible to use GPRS modems for mobile Internet access. There are two kinds of such modems. GPRS modems of the first type are small USB dongles (Fig. 3.4), and GPRS modems of the second type are implemented in the form of PCI adapters (Fig. 3.5). GPRS modems of the second type are preferred by hackers because they are considerably less expensive and are more convenient for experiments. The packing density for PCI adapters is considerably lower than in USB dongles or cellular phones, which allows the manufacturer to employ more readily-available bulk production components . In addition, in contrast to sales of cellular phones, GPRS modems are sold freely and never require the purchaser to produce a passport or other identification documents.

Figure 3.4: GPRS modem connected to a notebook via a USB part

Figure 3.5: GPRS modem implemented in the form of a PCI adapter. The 8-pin chip above the center is EEPROM

Inside a Cellular Phone

The identification number consists of two parts : the Electronic Serial Number (ESN) and the Mobile Identification Number (MIN). Usually, they are designated as ESN/MIN and are called the pair.

The MIN is physically stored in the Number Assignment Module (NAM), a nonvolatile RAM chip no less than 32 bytes in size , covered with plastic or ceramic, and located on a printed circuit board. As a rule, it is EEPROM (in other words, reprogrammable ROM) or PROM (nonreprogrammable ROM). This chip can be identified easily ” it is a small chip with 8 pins. In addition to MIN, it stores SIDH and other auxiliary information. The format of these auxiliary data is briefly outlined in Table 3.1.

Table 3.1: Approximate format of the information stored in NAM
Address	Bits	Purpose
00	14-8	SIDH
01	7-0	SIDH
02		MIN
03	33-28	MIN2
04	27-24	MIN2
05	23-20	MIN1
06	19-12	MIN1
07	11-4	MIN1
08	3-0	MIN1
09	3-0	SCM (Station Class Mark)
0A	10-8	IPCH (Initial Paging CHannel)
0B	7-0	IPCH
0C	3-0	ACCOLC (ACCess OverLoad Control)
0D	0-7	PS (Preferred System)
0E	3-0	GIM (Group ID Mark)
0F	0-7	Lock digit 1,2
10	0-7	Lock digit 3, lock spare bits
11	0-7	EE (End-to-End signaling), REP (REPertory)
12	0-7	HA (Hom Alert), HF (Hands Free)
13		Depends on the manufacturer

1D
1E	0-7	Alignment
1F	0-7	Checksum

Note

SIDH stands for System IDentification for Home system and most frequently is abbreviated SID. This system informs the cellular station which service provider serves this telephone. This information is used for roaming. The SIDH code is a 15-bit identifier common for the entire region but carrying no information about individual subscriber. Therefore, it doesn't need to be changed. SIDH has no influence on the anonymity of an attacker.

Reprogramming NAM from the Keyboard

Some mobile phones allow NAM to be reprogrammed from the keyboard. The sequence of actions for reprogramming NAM is not standardized; it varies from model to model. For example, to reprogram Samsung i300, the hacker must take the following steps:

Press #907*9#0 for the "ENTER LOCK" message to appear on the screen.
Enter OTKSL .
The SVC menu will appear. Press 1 .
Enter the 10-digit MIN value and press SAVE.
Press SAVE again.
Press 3, and then press SAVE 6 times.
Enter "HOME SID" and press SAVE again.
Press END 2 times.
NAM has been changed.

Instructions on reprogramming other cellular phones can be found at the following address: http://www.cdma-ware.com/codes.html . If a specific model is not listed there, it is possible to use any search engine to find the required information on the Internet, using something like "NAM + programming + model" as the keywords.

It should be pointed out, however, that the number of such reprogramming cycles is usually limited ( ranging from 3 to 20, depending on the manufacturer). The number of such reprogramming cycles depends on the microprocessor firmware. The resources of the chip itself are practically unlimited. Nevertheless, for long- term hacking this method is not acceptable. Therefore, hackers have to invent other approaches.

Some hackers unsolder the chip and manually reprogram it using the burner (although generally it is not necessary to unsolder the chip). Others modify the firmware by disallowing it to block NAM. The first approach requires the hacker to have practical soldering skills, and the second approach requires knowledge of the disassembler.

Investigation of the firmware is a kind of aerobatics in the field of hacking. It requires fundamental knowledge and the highest qualification. First, it is necessary to recognize the processor. Even if the original marking of the chip was not carefully destroyed by the manufacturer, no one can guarantee that it will be possible to find the description of machine commands on the Internet. Technical documentation for most mobile processors is classified by the company as confidential or distributed by subscription (and only to partnering companies; supplying such information to unassociated individuals is out of the question). Nevertheless, the command systems of many processors have much in common, and the hacker can learn the particulars, especially if the hacker is motivated (Fig. 3.6). However, what benefits would come of it? Any firmware is stuffed with commands intended for communicating with the input/output ports controlling the electronic circuitry of the telephone. The range of their responsibilities is unknown. Thus, the hacker must deal with a conglomeration of puzzles and might spend an entire year for analysis of the first firmware. Yes, an entire year!

Reprogramming the chip manually is much simpler and, therefore, preferred, although its possibilities are considerably limited in comparison to disassembling . Furthermore, there always is the risk of irreversibly damaging the phone. However, work you enjoy never feels too hard. Before unsoldering the chip, the hacker must determine its type. Most manufacturers use mass-production chips, the model of which can be easily determined by the arrangement and layout of the circuitry even if the marking is destroyed. Types of memory chips and the main chips used by manufacturers are listed in the next section. With this information at hand, the hacker only has to purchase the burner or solder one based on information that can be found on the Internet.

Figure 3.6: Disassembling the firmware

Types of ROM

As was already mentioned, for manually reprogramming the chip, it is necessary to determine its type. In general, ROM chips are classified as follows:

Read-Only Memory (ROM). This is the classic type of memory chip, programmable at the hardware level in the course of chip production. ROM cannot be changed programmatically. As far as I know, such chips are not used in any model of cellular phones.
Programmable Read-Only Memory (PROM). Programmable chips that can be programmed only once. Information is written into PROM using a specialized device called a PROM programmer, PROM blower, or simply a burner. Such chips are not widely used in cellular phones.
Erasable Programmable Read-Only Memory (EPROM ). This is a ROM chip that can be reprogrammed multiple times. It is erased using ultraviolet rays and requires a burner. Such chips can be easily recognized by the presence of a typical "window." According to rumors, it is used in some models of cellular phones; however, I have never seen such models.
Electrically Erasable Programmable Read-Only Memory (EEPROM). ROM chips of this type can be reprogrammed multiple times. The chip is cleared electrically. As a rule, it requires a burner; however, in theory it is possible to do without it. Such chips are widely used in cellular phones.
Flash-EEPROM. This is a kind of EEPROM that can be reprogrammed multiple times and doesn't require a burner. Chips of this kind are widely used in most models of cellular phones.

The main chips that are widely used by most manufacturers of cellular phones are listed in Table 3.2.

Table 3.2: Main types of memory chips used by manufacturers of cellular phones
Chip manufacturer	Memory chip
Chip manufacturer	Open collector	Tristate	Open collector	Tristate
AMD	AM27LS18	AM27LS19	AM27S18	AM27S19
Fujitsu	MB7056	MB7051
Harris	HM7602	HM7603
MMI	53/6330	53/6331
MMI	53/63S080	53/63S081
NSC	DM54S188	DM54S288	DM74S188
NSC	DM82S23	DM82S123
Signetics	82S23	82S123
Texas Instruments	74S188	74S288	TBP18SA030	TBP18S030
Texas Instruments	TBP38SA030	TBP38S030

Reprogramming NAM Manually

Before starting to modify anything in NAM, it is necessary to understand how to compute the checksum. To avoid doing this manually, I have written a simple script for the IDA Pro disassembler. The source code of this script is provided in Listing 3.1.

Listing 3.1: IDA script that automatically computes the checksum

 auto a; auto b; b = 0; PatchByte(MaxEA() - 1, 0); for(a = MinEA(); a < MaxEA(); a++) {           b = (b + Byte (a)) & OxFF; } b = (0x100 - b) & OxFF ; Message("\n%x\n", b); PatchByte(MaxEA() - 1, b);

Having such a script, it is easy to hack MIN. Formally, MIN is a 34-bit number divided into two parts. The 10 lower bits are designated as MIN2. They store the area code. The remaining 24 bits represent the individual number of the mobile device.

The area code is stored in packed binary-decimal format. To convert it to the natural form, it is necessary to add 9 to each decimal digit, divide the result by 10, and compute the remainder from this division. In particular, the following MIN2 value corresponds to area code 213: (2 + 9) /10 = 1; (1 + 9) /10 = 0; (3 + 9) /10 = 2 . Thus, the result is equal to 102 , or 0001100110 in binary notation. This number is the one contained in the chip.

The further 24 bits (MINI) are encoded in a more sophisticated manner. For convenience, the individual identification number of the phone is divided into two parts, which are written approximately as follows: 376-0111 . However, this is so only from the viewpoint of an inexperienced user . In reality, there are three such parts: The first 10 bits of MINI contain the 3 least significant digits ( 111 , in this case), which are encoded similarly to MIN2. The next 4 bits contain the fourth digit of the identification number written in binary form "as is." At the same time, 0 (zero) is written as 10 ( 1010 in binary form). The remaining 10 most significant bits contain the first 3 digits of the identification number, encoded the same way as MIN2. Thus, the MINI field for the previously considered identifier will appear as follows: 265-10-000 (or 0100001001 1010 0000000000 in binary notation).

Thus, the format of MIN representation will appear as shown in Fig. 3.7.

Figure 3.7: Format of MIN representation

Here are a couple of good manuals explaining how to compute MIN and some other identification data:

http://www.3gpp2.org/Public_html/Misc/C.P0006-D_vl.8_cdma2000_Analog-V&V_text_Due_3_June-2005.pdf
http://www.tiaonline.org/standards/sfg/imt2k/cdma2000/TIA-EIA-IS-2000-6-A.pdf

Having discussed NAM, it is necessary to consider ESN ” an 11-digit 32-bit unique number. In GSM devices, it is called IMEI and takes 15 digits, 4 digits more than ESN. However, this is a pure formality .

Standards of wireless communications require manufacturers to ensure the impossibility of changing ESN/IMEI programmatically. However, not all manufacturers observe these requirements. Often ESN/IMEI is stored in NAM, which is a blatant violation. In some cases, it can even be reprogrammed directly from the keyboard. Anyway, even if ESN is burnt into PROM, it is possible to unsolder the chip from the board and replace it with another one. To avoid ruining the telephone by this operation, hackers take special precautions by installing a special panel. In this case, the procedure of chip replacement is a matter of several seconds. Gurus of disassembler modify the firmware in such a way as to ensure that ESN/IMEI is entered directly from the keyboard or automatically generated any time the phone is powered on, instead of being read from ROM.

To all appearances , ESN/IMEI is not encoded and is written in the binary format "as is." Anyway, it is easy to crack the encoding system by viewing ESN/IMEI (as a rule, it is written on the rear panel of the mobile phone). It is highly unlikely that the hacker would find something extraordinary there. The problem is that ESN/IMEI and MIN are not chosen arbitrarily and must correspond to each other, forming a valid combination; otherwise , the provider won't allow such a device to connect to the network. Where is it possible to get valid pairs of ESN/IMEI and MIN? The first idea that comes to mind is peeping. To achieve this, the hacker must take someone else's cellular phone for a couple of minutes (usually, social engineering is the best approach). After several easy manipulations with the keyboard, both ESN/IMEI and MIN will be displayed on the screen. The required manipulations for several of the most popular models are as follows:

Acer (Motorola T191, T205) ” Press *#300# , and then press the green key with the handset icon.
Alcatel ” Press *#06# and the screen will display IMEI and the firmware version.
Bosch ” Press *#3262255*8378# (as letters , it is *#DANCALL*TEST# ).
Ericsson ” Press >*<<*<*, where < and > are the buttons with the left and right arrows.
LG ” Press *#07#, 8060#*.
Mitsubishi ” Press and hold *, then enter 5806.
Motorola ” In the text mode, enter the 19# code.
Nokia ” Enter *#0000# .
Panasonic ” Enter *#9999#.
Samsung ” Enter *#9999#.
Sagem ” In the main menu, press *, then select the first item from the submenu.
Siemens ” Enter *#06# .
Sony ” Enter *#7353273# (as letters, its *#release# ).

The advantage of this approach is that the hacker obtains a pair that is guaranteed to work. However, there also is a drawback, because anonymity is at risk. Intelligence services will quickly find the owner of the original number, and that person will be forced to list all people who might have had access to the telephone.

Some hackers prefer to use generators of identification numbers (Fig. 3.8). Plenty of them can be found on the Internet (if you go to Google and enter something like "IMEI calculator," the listing will be quite long). Not all of them work, however. In addition, hackers might take a scanner, go to some crowded location such as subway or large shop, and obtain about hundred of workable pairs without risking notice. Technically, it is possible to produce a scanner out of any cellular phone or purchase a ready-to-use one. Dozens of companies supply such products through Internet shops. Finally, lists of usable ESN/MIN pairs can be found on hackers' forums and IRC channels.

Figure 3.8: IMEI calculator

In other words, it is easy to reprogram a cellular phone. Every hacker is capable of doing so.

Interesting Internet Resources Related to Telephony

Radio Telephony . Information about cellular telephony and cracking of cellular phones. Lots of interesting articles, step-by-step instructions and software ( http://www.hackcanada,com/blackcrawl/ cell ).
Unicomm Glossary of Terms. Glossary of terms used in cellular telephony ( http://www.unicomm.com/glossary_a-f.htm ).
INSTORESA . This firm is engaged in the development and sale of devices intended for cracking and repairing cellular phones ( http://www.instoresa.com/products/special.htm ).
Hackers-Archiv . Vast archive of links related to cracking cellular phones (however, it is not limited to cellular telephony) ( http://www.fortunecity.de/thekenhausen/marsbar/387/hacker.htm ).
"Spielerekorde verandern." An article on EEPROM reprogramming (in German) ( http://www.desatech.de/desaflash/nokia/spielerek.htm ).
"Tandy/RadioShack cellular phones: Rebuilding electronic serial numbers and other data." An obsolete but still interesting article on cracking cellular phones ( http://www.phrackorg/phrack/48/P48-07 ).