View Full Version : Free cell calls



Geohunk
28-11-2002, 07:11 PM
I was in Chicago recently and I met these guys in a hallway apparently "burning" cell phones to allow them to make free calls anywhere. How does this work? And is it safe for one's phone??
I asked them but they were reluctant to tell me, and I escaped a good beating :)

cyclo
29-11-2002, 12:31 AM
What is done is that the phone is reprogrammed to use an account belonging to somebody else, or a non-existent account. This is only possible with analogue cellphones, and is the main reason why the analogue cellphone network has almost been completely phased out in Norway.
Of course one can damage the phone doing this if one doesn't know what one is doing, or if one is unlucky.
Also this is a kind of shady business because one can end up running up someone else's phone bill.

aeto
29-11-2002, 01:17 AM
man that is bad.. that guy definitely needs a swift kick in the nutz..

afaik, you can only steal phone lines from an analog network. gotta love VoiceStream GSM ;)

cyclo
29-11-2002, 01:23 AM
Another great disadvantage of analogue networks is that they are really, really easy to wiretap.
I've got a friend who works for a telco in Norway and he demonstrated it to me once when we were hiking in the mountains.
He let us into a transmitter/receiver site and all we had to do was wait until we saw a conversation go through the exchange and plug a headset into the server.

green gerbil
29-11-2002, 05:02 AM
Burning is not cloning. Burning is a roaming scam (changing the number + the system ID to an out-of-state roamer) that is 99.9% not likely to be working in Chicago. Cloning is changing the ESN and the phone number on a phone, which makes it an exact copy of the other phone in the eyes of the network. Cloning is only easy on analog phones, but every other network type is susceptible to it.

Analog is VERY easy to monitor and it is pretty easy to catch ESN/NAM pairs out of the air with a radio scanner. THAT (and it having low call capacity) is the reason that companies want to phase it out. They don't give two shits that you can listen in on phone calls.

And don't think your VoiceStream is so impossible to clone either. Let your phone out of sight to be "repaired" for about 4 hours and you can get cloned just as bad and with less recourse ("No sir, you ran that bill up, there is no GSM cloning!").

Also, if your friend let you into a tower to monitor a conversation, that is nothing special. Most towers for every system have conversation monitoring instruments. The only monitoring that is a feat in any sort of way is done away from OFFICIAL cellco equipment.

Geohunk, if you see those fool(s) again, ask them if they are just changing the phone number and SID (and whose network they are going on). Then just ask them for the numbers. BTW the roaming scam rips off nobody but the phone company.

aeto
29-11-2002, 05:57 AM
I do not include my sim card when I send my phone in for repair, genius.

green gerbil
29-11-2002, 09:59 PM
Yes, you may not give it to them but they could have very well done it before they gave you the card when you signed up. The point is that its not impossible.

cyclo
30-11-2002, 03:17 AM
Originally posted by green gerbil
Analog is VERY easy to monitor and it is pretty easy to catch ESN/NAM pairs out of the air with a radio scanner. THAT (and it having low call capacity) is the reason that companies want to phase it out. They don't give two shits that you can listen in on phone calls.

This is not the case in Norway. It's the government that has decided that the analogue systems will be phased out. And one of their main arguments is that it is too easy to listen in on phone calls.
The reason it's taking so long to be phased out is that, because of the wavelength, each receiver has much greater coverage and is therefore used on boats, in the mountains, etc.


And don't think your VoiceStream is so impossible to clone either. Let your phone out of sight to be "repaired" for about 4 hours and you can get cloned just as bad and with less recourse ("No sir, you ran that bill up, there is no GSM cloning!").

First of all you don't leave your SIM card in the phone during a repair. If so you are just plain stupid. The few times I have had phones repaired the service personnel have taken out the SIM card and given it to me.
Anyway, cloning it before you buy it is not an option (at least not in Norway, and most likely not in most other countries either). The SIM card is sealed by the telco before being sent to the shop, or if you wish to keep your old number they write a new SIM card while you watch. Also the network itself has SIM clone protection. If there are two SIM cards logged on at the same time for the same account, the account is automatically disabled.


Also, if your friend let you into a tower to monitor a conversation, that is nothing special. Most towers for every system have conversation monitoring instruments. The only monitoring that is a feat in any sort of way is done away from OFFICIAL cellco equipment.

Yup. But the difference is that monitoring the analogue network here is really simple. All you have to do is plug in a regular analogue headset. The GSM network however requires a special device to be plugged into a sealed connector. This requires somebody to obtain the special device before monitoring. (That's at least the way it is in Norway.)
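
The clone check cyclo describes (two cards logged on for the same account at once, account disabled) can be expressed as a small detection rule over call records. The following is an added example, not code from this thread and not any operator's real implementation; the record format, the field names and the sample records are constructed for illustration. A handset that simply moves between location areas is expected and is not flagged; only a new call from a second area while a call is still open in the first one is, since one handset cannot be in two places.

```python
"""Detect one subscriber identity being used from two places at the same time.

Added example; it is not code from the thread, and it is not how any real
operator implements the check cyclo describes. The event format, field names
and the sample records below are constructed for illustration."""

from collections import defaultdict

# Constructed call-event records: time (seconds), subscriber identity,
# location area, event. A handset that merely moves produces loc_update
# records; only an overlapping call from a second area is suspicious.
SAMPLE_EVENTS = """\
100 240010000000001 LAC-0101 loc_update
120 240010000000001 LAC-0101 call_start
130 240010000000002 LAC-0202 call_start
150 240010000000001 LAC-0404 call_start
160 240010000000002 LAC-0202 call_end
170 240010000000002 LAC-0303 loc_update
180 240010000000001 LAC-0101 call_end
"""


def parse_events(text):
    """Turn the text records into (time, subscriber, lac, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, subscriber, lac, event = line.split()
        events.append((int(t), subscriber, lac, event))
    return events


def find_concurrent_calls(events):
    """Return {subscriber: [(time, area_with_open_call, new_area), ...]}.

    A call_start from area B while the same subscriber still has a call open
    in area A cannot be one handset, so it is reported. Two calls in the same
    area (call waiting) and plain location updates are not reported."""
    open_calls = defaultdict(lambda: defaultdict(int))  # subscriber -> lac -> open calls
    alerts = defaultdict(list)
    for t, subscriber, lac, event in sorted(events):
        calls = open_calls[subscriber]
        if event == "call_start":
            for other in sorted(a for a, n in calls.items() if n > 0 and a != lac):
                alerts[subscriber].append((t, other, lac))
            calls[lac] += 1
        elif event == "call_end" and calls[lac] > 0:
            calls[lac] -= 1
        # loc_update: a single handset moving between areas is expected
    return dict(alerts)


def accounts_to_disable(events):
    """The accounts the network would shut off under cyclo's rule."""
    return sorted(find_concurrent_calls(events))


if __name__ == "__main__":
    for sub, hits in find_concurrent_calls(parse_events(SAMPLE_EVENTS)).items():
        for t, old, new in hits:
            print("t=%d %s: call open in %s, new call from %s" % (t, sub, old, new))
```

Run as-is it reports subscriber 240010000000001, whose call in LAC-0101 is still open when a second call starts from LAC-0404; subscriber 240010000000002 only moves between areas and is left alone. The rule is deliberately conservative: it keys on overlapping calls rather than on location updates, because a legitimate phone changing cells looks exactly like the latter.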

green gerbil
30-11-2002, 06:16 PM
I see that Norway is pretty smart about mobile stuff but in the USA that is not the case. Providers rarely shut off phones that go on at the same time, whether it's analog, GSM, TDMA or whatever. People are also dumb and they will leave their SIM in the phone. A technician or salesperson up to no good will not remind them to take it out and will copy it. GSM is also newer here so people aren't used to SIM cards. Any of the other phone systems have no removable identity, so if you give them to anyone they can clone them.

BOEBOE
15-12-2002, 09:40 AM
don't do it....

stas
30-01-2003, 10:45 PM
Hey Green Gerbil!!! I saw ya page 'bout the 5120i, well, I have it too ;)
If you want to analyze my sw (it's v4.03, a bit newer than yours), I attached it somewhere @ the 51xx/61xx board... I was wondering; how did ya dump the EEPROM? Which one is its address?? Is the Dejan flasher enough to do that? :cool:

green gerbil
31-01-2003, 12:49 AM
Dejan dumps the flash, while MBUS/FBUS dumps the EEPROM.

stas
01-02-2003, 07:55 PM
Originally posted by green gerbil
Dejan dumps the flash, while MBUS/FBUS dumps the EEPROM.


sssshit... I shall build this one as soon as I free the protoboard from the remains of the Dejan cable ;)
uhm, my Dejan cable finally worked, on an older computer OR my current one but with an external power supply for the IC... BTW, I studied how the Dejan flasher works: it first boots the mobile with a special bootstrap, then sends the flash-reader module to the mobile's RAM and the show begins... so, I guess it is quite possible to make a model-specific "EEPROM-reader" and use it instead of the default "f_loader.bin"... Has anyone thought 'bout this possibility? Of course it requires a lot of ARM knowledge, but I found the way itself pretty phreaky, LOL!

green gerbil
02-02-2003, 01:05 AM
no point in really using Dejan to read the EEPROM when NokiaSOC does it just fine. Right now the biggest problem is figuring out how to update the FAID of the phones so any modifications can be done.

stas
02-02-2003, 04:02 PM
NokiaSOC uses an MBUS cable and I still haven't made mine ;)
so why not just use the Dejan cable I already built and which seems to work fine? That was my idea, but it seems that it is much easier to build an MBUS cable :p
now, what is the problem with FAID? I thought the Nokia tool by Rolis was able to fix FAID... I know it's difficult (impossible?) to change IMEI/ESN, but I saw many people successfully changin' FAID ;)

green gerbil
04-02-2003, 03:31 AM
Nokiatool fixes GSM FAID; the TDMA FAID is different because there is no IMEI. TDMA FAID depends on, I think, flash checksums, ESN, and the COBBA chip.

When u change the ESN in the EEPROM the phone loses signal and does the same shit that GSM phones do when you don't update FAID. And btw, the IMEI is easy to change on GSM because they can update FAID. ESN changing (and flash modifications) would be just as easy if someone figured the formula out.

stas
04-02-2003, 04:38 PM
sounds like BIIIIIIIIIG trouble :(
now, supposing that I have 2 Nokia 5120i, both TDMA of course, with the same hardware, same firmware, but different EEPROM contents, I'm able to swap their "identities", right? Also, I found a TDMA unlocker out there; does that mean that someone found the TDMA FAID algorithm? And finally, what happens if I use the NokiaSOC option "full factory reset values"? Really curious to get this info before I fuck up my phone :rolleyes:

green gerbil
05-02-2003, 02:01 AM
U SHOULD be able to swap it fine except for the fact that the COBBA ID will be different in each phone and u will get no service. The COBBA ID is also part of the FAID calculation.

stas
06-02-2003, 04:12 AM
hummmmmm, a few hours ago I tried to copy the EEPROM of my friend's 5120i to my 5120i... The "clone" became insane (better said, MADNESS possessed it ;), it reset every 20-30 seconds, in Field Test the "STATUS" line was "?????????" and no signal was captured... Sometimes NokiaSOC reported the ESN as being the source's and sometimes it was "000000000". The source phone seemed to be OK, received calls BUT 1-2 hours later it simply logged out of the network and didn't come back... I had to load into it a backup I had made of its EEPROM before and it resurrected (thank God!)... Yeah, nobody messes with FAID and lives :D
Now, how the hell can I get rid of that? First of all, is FAID calculated by a subroutine stored somewhere in the firmware? I guess special hardware would be too expensive... And second, how do Nokia-certified dudes play with FAID? If they have software able to change FAID on TDMA, why isn't it downloadable to mere mortals, as NokiaSOC and WinTesla are?! :confused:

P.S. - from what country are u gerbil?

green gerbil
06-02-2003, 04:40 AM
Well from what I read here and on other forums, FAID is calculated by the DSP chip, which u have no access to, and on GSM it uses the PPM CRC, the IMEI and the COBBA (COBBA is an audio codec chip) ID and possibly the COBBA checksum.

On TDMA and maybe CDMA, it uses all of that except the IMEI, which is swapped for the ESN. Don't even know if the algorithm for both is the same, and I can't find the algorithm for GSM posted anywhere and I dunno how they figured it out.

Since it appears you have a lot of knowledge in programming and electronics, perhaps you might be able to get around the FAID issue. Maybe it's possible to remap the real ESN and PPM checksum locations and leave the old ones intact by changing the MCU around with a disassembler. They have been messing with that stuff on the GSM side and that's where custom menus and fading lights came from.

And Nokia techs do have FAID and ESN software and knowledge of the algorithm and everything; the problem is that there are not enough people to leak the software. NokiaSOC and WinTesla were pretty hard to find a few months ago and those are available to a lot more people. So until it's figured out or someone at Nokia USA gets pissed off nobody gets anything.

I'm from the USA, btw.

stas
06-02-2003, 03:44 PM
well, seems a lot of work to do ;)
certainly, it seems the best way is to simply override the FAID check by reprogramming the MCU. I was also wondering; where the hell is the FAID stored?! A separate EEPROM? When I enter *3001#12345# and change NAMs, is FAID updated? Or is it "selective" for ESN/checksums only? Anyway, I'll try to play with this baby soon:

http://www.datarescue.com/idabase/idaarm710a.htm

As soon as I find newer version of it, mine is too old and weak :(

green gerbil
07-02-2003, 03:04 AM
The FAID is in the EEPROM somewhere. And easily changeable things like the NAM aren't in the calculations. The best thing that would take care of the ESN issue is to make the MCU look for it in another location and then have it skip its checksums.

stas
07-02-2003, 03:58 AM
I was thinking...


MCU:
========================
/* lots of code */
...
/* lots of code */

/* these live somewhere in the firmware; the names are only placeholders */
extern unsigned int get_faid_from_dsp(void);
extern unsigned int get_faid_from_eeprom(void);
extern void reboot(void);

/* 1 if the FAID the DSP computes matches the one stored in EEPROM, else 0 */
int is_faid_ok(void)
{
    unsigned int a = get_faid_from_dsp();
    unsigned int b = get_faid_from_eeprom();
    return a == b;
}

/* lots of code */
...
/* lots of code */

/* somewhere on the boot path */
void check_faid_at_boot(void)
{
    if (!is_faid_ok()) {
        reboot();
    }
}

/* lots of code */
...
/* lots of code */
========================



(oh yeah, I do think in pseudocode ;) )
I suppose that at some point of execution the MCU reaches the condition of FAID being valid or not... Maybe it calls some special subroutine to do that, I mean, compare the FAID stored in EEPROM with the one the DSP computes. So, what can be done if we find such a condition in 1 MB of ARM code?

1) we can intercept the FAID that the DSP just calculated for us... we can patch the MCU to print it on the LCD so we can reprogram the mobile later ;)
2) if there's no way to read the FAID from the DSP, we can simply override that condition, making the MCU believe that any FAID is OK.

the only way to protect FAID perfectly is something like making the DSP completely/partially disable itself when the FAID it generates doesn't match the FAID that is inside the EEPROM... such a thingie requires some extra hardware, I believe it's a bit of overkill!!! What do you think?

P.S. - I was playing around with "factory fix" to figure out where the FAID is stored in EEPROM and, by Murphy's law, completely killed my EEPROM... Now my phone doesn't even boot, so I must wait 2 weeks before a friend of mine uses his EEPROM writer to fix the shit I made; so I have to suspend my research until this hopefully happens :(

green gerbil
08-02-2003, 01:18 AM
I think you might have damaged flash with all that resetting. A phone never shows a blank screen if only its eeprom is messed up. You should try to reflash from backup and see what happens.

stas
08-02-2003, 10:43 PM
desoldering the EEPROM should be hell on earth... but that's the only thing I can do :p
pretty strange, I heard that EEPROM supports up to 1000 rewrites, I don't believe 3 resets could screw it up so much. I guess NokiaSOC wrote random data in some very critical place so the MCU locks up when it tries to process that... kinda "segmentation fault" on ARM :)

green gerbil
09-02-2003, 06:31 PM
I'd still reflash the phone once or twice before pulling out the eeprom and putting it on a real programmer.

stas
09-02-2003, 08:10 PM
To program the EEPROM I need MBUS, and MBUS requires the mobile to at least boot ;)
Mine doesn't boot, sometimes it answers through the Dejan cable but can't upload f_loader.bin to the phone... I guess the real programmer is the better thing to do. I was also thinking; the MCU/PPM checksum algorithms are the same for GSM & TDMA, right? And those are well known also... So, maybe it is possible to modify the MCU, for example, and write specially computed bytes in it to keep the checksums the same... So there's no need to update FAID! This technique is widely used to hack multiplayer games as they exchange checksums to see if there is anyone cheating.... I will try to do that if I find the MCU/PPM checksum algorithm for TDMA... Hope that's not too hard :rolleyes:

green gerbil
10-02-2003, 02:06 AM
The checksums are calculated the same way and the ones in the PPM are exactly the same as the ones on GSM. I think the MCU checksum locations might be different but they are most likely calculated the same way. Check out this site if you haven't seen it before. It's got some cool info and an ARM disassembler.

http://www.geocities.com/nok5rev