[sci.electronics] free calls?

dbell@cup.portal.com (David J Bell) (08/05/90)

OK: here's one to research. My son told us of a friend at work, whose
father had picked up from an acquaintance at a major aerospace/electronics
company, a replacement chip for some model of cellular phone. This 
replacement chip (possibly a ROM or pROM) supposedly allows unlimited
free calling.

Now, I can see a probable difficulty in *receiving* calls on the
modified phone, as the unit ID may be what gets modified/trashed, but
it would seem at least possible that unlimited *outgoing* calls could
go through without being billed. For example, the ROM could ID the
unit as a service rig, and billing would be to the carrier's overhead...

Any thoughts as to the likelihood of this being true? Where I could
get such a beast (for educational purposes, only, of course!!)?

Dave            dbell@cup.portal.com

{I am in no way affiliated with any cellular carrier, ICC, FCC, etc, etc}

brian@ucsd.Edu (Brian Kantor) (08/06/90)

The Electronic Serial Number of most cellular phones is contained in a
read-only memory chip inside the phone.  It is what identifies your
phone and distinguishes it from all the other yuppies on the service.

If the ESN were to be changed, one of the following would happen:

1) someone else would get billed for your calls

2) no one would get billed for your calls

3) you would not be able to make calls.

(1) would happen if your new ESN duplicated a registered user's number.
(2) would happen if the ESN landed on a demo or unassigned-but-authorized
    number
(3) would happen if the ESN was not authorized

#3 is probably most likely, but it depends on your local phone system.

In any case, you probably would not be able to receive incoming calls, since
the cellular system wouldn't know your phone's new ESN and couldn't map
your cell-phone number to it.

Most Cell-Phones have the ESN chip installed in a tamper-resistant
manner.  Sockets are rare - most are soldered in.  Nearly all are
covered with epoxy or some other goop that makes it hard to remove and
replace the chip without permanent damage to the phone.

Finally, it's illegal to avoid charges that way.
		- Brian

alan@mq.UUCP (Alan H. Mintz) (08/06/90)

In article <32457@cup.portal.com>, dbell@cup.portal.com (David J Bell) writes:
> OK: here's one to research. My son told us of a friend at work, whose
> father had picked up from an acquaintance at a major aerospace/electronics
> company, a replacement chip for some model of cellular phone. This 
> replacement chip (possibly a ROM or pROM) supposedly allows unlimited
> free calling.
> 
> Now, I can see a probable difficulty in *receiving* calls on the
> modified phone, as the unit ID may be what gets modified/trashed, but
> it would seem at least possible that unlimited *outgoing* calls could
> go through without being billed. For example, the ROM could ID the
> unit as a service rig, and billing would be to the carrier's overhead...

For most systems, ALL calls are billed to SOME account. I believe some 
switches may allow the existence of certain "Maintenance" numbers, but most
carriers choose not to use this. 

Each cellular phone has an ESN (Electronic Serial Number) and a MIN (Mobile
ID Number or Phone Number). The two must match the record in the switch in 
order for an incoming or outgoing call to be completed. These are usually
stored in two separate places in the phone. The ESN is usually somehow
affixed to the frame or buried or epoxied. The device that stores the MIN
is easily changeable. You would have to change both to allow what you are
talking about.

In any case, it is clearly unlawful to alter the ESN of a cellular phone!
This has been tried and proven in Federal Court under laws pertaining to
altering of serial number of electronic equipment (about three years ago,
in Florida I believe).
-- 
< Alan H. Mintz             | Voice +1 714 980 1034 >
< Micro-Quick Systems, Inc. | FAX   +1 714 944 3995 >
< 10384 Hillside Road       | uunet:    mq!alan     >
< Alta Loma, CA  91701 USA  | Internet: [pending]   >

wb8foz@mthvax.cs.miami.edu (David Lesher) (08/06/90)

Several years ago, the feds busted some people in the NYC area for
exactly the action you describe: cloning ESN chips.  I suspect that
what you describe is possible, but not desirable.  You will likely
suffer the indignity of moving to new quarters, typically equipped with
unusual locks, at short notice.

The cell-sellers claim that theft of phones is "no problem" because you
can, in theory, disable a 'hot' phone's use nationwide within minutes.
What they do NOT mention is most stolen phones emerge in Latin America
(or farther south) where such luxuries as stolen ESN blocking are not
bothered with.

-- 
A host is a host from coast to coast.....wb8foz@mthvax.cs.miami.edu 
& no one will talk to a host that's close............(305) 255-RTFM
Unless the host (that isn't close)......................pob 570-335
is busy, hung or dead....................................33257-0335
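
An added example, not part of any post in this thread: a Python sketch of the switch-side check the posts above describe, where the MIN/ESN pair must match the switch record and an ESN reported stolen is refused. The record layout, the `Switch` class and every number below are constructed for illustration and are not taken from any real switch.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY_UNKNOWN_MIN = "deny: MIN not in switch records"
    DENY_ESN_MISMATCH = "deny: ESN does not match record for MIN"
    DENY_ESN_BLOCKED = "deny: ESN is on the blocked list"


@dataclass(frozen=True)
class Subscriber:
    min_number: str        # MIN: the phone number
    esn: str               # ESN as hex text
    account: str           # account billed for calls
    billable: bool = True  # False models a demo/maintenance record


def norm_esn(esn: str) -> str:
    """Normalise ESN text so 'a1-00-00-02' and 'A1000002' compare equal."""
    return "".join(c for c in esn.upper() if c in "0123456789ABCDEF")


class Switch:
    def __init__(self, subscribers, blocked_esns=()):
        self._by_min = {s.min_number: s for s in subscribers}
        self._blocked = {norm_esn(e) for e in blocked_esns}
        self.review_queue = []  # events a fraud analyst should look at

    def validate(self, min_number: str, esn: str):
        """Return (Decision, billed account or None) for one call attempt."""
        esn = norm_esn(esn)
        if esn in self._blocked:  # stolen-phone block wins over everything
            return self._deny(Decision.DENY_ESN_BLOCKED, min_number, esn)
        record = self._by_min.get(min_number)
        if record is None:
            return self._deny(Decision.DENY_UNKNOWN_MIN, min_number, esn)
        if norm_esn(record.esn) != esn:
            return self._deny(Decision.DENY_ESN_MISMATCH, min_number, esn)
        if not record.billable:
            # Call completes but nobody pays: queue it for review.
            self.review_queue.append(("unbilled", min_number, esn))
        # A pair identical to a registered one is accepted and billed to
        # that account; this check alone cannot tell two devices apart.
        return Decision.ALLOW, record.account

    def _deny(self, decision, min_number, esn):
        self.review_queue.append((decision.name, min_number, esn))
        return decision, None


# Constructed sample data (555-01xx numbers, made-up ESNs).
SAMPLE_SUBSCRIBERS = [
    Subscriber("7145550101", "A1000001", "acct-1001"),
    Subscriber("7145550199", "A10000FF", "carrier-demo", billable=False),
]
SAMPLE_BLOCKED = ["a1-00-00-02"]

if __name__ == "__main__":
    sw = Switch(SAMPLE_SUBSCRIBERS, SAMPLE_BLOCKED)
    for attempt in [("7145550101", "a1000001"), ("7145550101", "A1000009"),
                    ("7145550000", "A1000001"), ("7145550101", "A1000002"),
                    ("7145550199", "A10000FF")]:
        print(attempt, "->", sw.validate(*attempt))
    print("review queue:", sw.review_queue)
```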

lindh@uhasun.hartford.edu (Andrew Lindh) (08/06/90)

In article <30@mq.UUCP>, alan@mq.UUCP (Alan H. Mintz) writes:
> Each cellular phone has an ESN (Electronic Serial Number) and a MIN (Mobile
> ID Number or Phone Number). The two must match the record in the switch in 
> order for an incoming or outgoing call to be completed. These are usually
> stored in two separate places in the phone. The ESN is usually somehow
> affixed to the frame or buried or epoxied. The device that stores the MIN
> is easily changeable. You would have to change both to allow what you are
> talking about.

As I remember some phones have an RS-232 serial port that hooks to
an IBM and with special software you can read the ESN and MIN and
change the MIN. You could also get the status of the phone and other
stuff.....

You may be thinking..."Wow, an RS-232 port!" Well, there are many chips
that are made that are a CPU with RS-232...I use them all the time.
The ones that come to mind are the simple Z8600 series.

(check out the Zilog Z8603...an old, but great chip....)
-- 
Andrew Lindh, a student at the University of Hartford -- Computer Science
INTERNET: lindh@uhasun.hartford.edu | NOTE: All views here are MINE!!!
BITNET:   lindh@hartford.bitnet     | Not the school's or those of anyone else!
UUCP:     lindh@uhasun.uucp         | ---- When will I graduate???     "SYNFU!"

sheasby@dgp.toronto.edu (Michael C. Sheasby) (08/06/90)

The other day I was in a mall and noticed a few yahoos gathered
around a pay phone... they looked around for cops and then
unscrewed the receiver on the phone (the ear end, not the mouth
end).

They took out the small speaker and touched the two wires
leading to it to the handset holder (the thing you put the
phone back on when you finish the call). Then they dialed
and quickly screwed the receiver cap back on. Apparently this
saved them a quarter.

I suppose it has something to do with a small current passing
through the metal receiver hook and fooling the phone into thinking
a quarter had been deposited.

Anyone ever see this?  can you do it any other way?

---Mike.

robiner@oberon.usc.edu (08/07/90)

In article <1990Aug6.124516.8051@jarvis.csri.toronto.edu> sheasby@dgp.toronto.edu (Michael C. Sheasby) writes:
>
>The other day I was in a mall and noticed a few yahoos gathered
>around a pay phone... they looked around for cops and then
>unscrewed the receiver on the phone (the ear end, not the mouth
>end).
>
>They took out the small speaker and touched the two wires
>leading to it to the handset holder (the thing you put the
>phone back on when you finish the call). Then they dialed
>and quickly screwed the receiver cap back on. Apparently this
>saved them a quarter.

Well, now the phone companies are really gonna love this net...

Matthew Broderick pulled this scam in the movie "War Games" but I don't 
know if it works in the real world.  Most pay phones have glued, or locked,
or sealed mouthpieces anyway, so it'd be very difficult (and illegal)
to try tampering with them.

=steve=

larry@rsiatl.UUCP (Larry Kahhan) (08/07/90)

In article <1990Aug6.124516.8051@jarvis.csri.toronto.edu> sheasby@dgp.toronto.edu (Michael C. Sheasby) writes:
>
>The other day I was in a mall and noticed a few yahoos gathered
>around a pay phone... they looked around for cops and then
>unscrewed the receiver on the phone (the ear end, not the mouth
>end).
>
>They took out the small speaker and touched the two wires
>leading to it to the handset holder (the thing you put the
>phone back on when you finish the call). Then they dialed
>and quickly screwed the receiver cap back on. Apparently this
>saved them a quarter.
>

There are two basic types of pay telephones in existence; coin first and
dial tone first. In dial tone first type telephones a loop start interface
is used. In coin first type telephones, the circuit is a ground start.
The ground start type phone is probably what they were using.

At any rate, in this type circuit, the TIP lead coming from the central
office is open, and the ring lead has -48V (current limited, usually 
through a resistive feed). Normally, the ring lead is grounded when you
insert your quarter, the central office detects current flow, and then
gives you a TIP ground, which allows you to complete the loop with
the receiver off-hook, ultimately giving you dial tone.

What these guys were doing was externally applying RING GROUND to the
telephone loop, bypassing the coin mechanism. I wouldn't recommend
making phone calls in this manner, as phone companies tend to get upset
over theft of service issues. It's not worth it to try to save a quarter
more or less on a telephone call.


Larry Kahhan - NRA, NRA-ILA, CSG, GSSA , & GOA 

wchan@umd5.umd.edu (Winthrop D Chan) (08/07/90)

In article <1990Aug6.124516.8051@jarvis.csri.toronto.edu> sheasby@dgp.toronto.edu (Michael C. Sheasby) writes:
>
>The other day I was in a mall and noticed a few yahoos gathered
>around a pay phone... they looked around for cops and then
>unscrewed the receiver on the phone (the ear end, not the mouth
>end).
>
>They took out the small speaker and touched the two wires
>leading to it to the handset holder (the thing you put the
>phone back on when you finish the call). Then they dialed
>and quickly screwed the receiver cap back on. Apparently this
>saved them a quarter.
>
Well, I haven't seen that one, but I have seen people poke little holes with a
nail into the 2nd hole from the bottom of the mouthpiece. They stick a paper
clip into the hole and then dial the 1st 6 numbers, then they "short" the paper
clip to something metal on the phone and dial the last digit before shorting it
again.

It was running rampant on this university for a while and only works on local
calls. The phone company has replaced all the mouthpieces with ones that have
a steel plate which makes it impossible to pull this trick again without
severely damaging the mouthpiece.

Winthrop

=============================================================================
  <------- ____                This is how most Computer Science majors look
   &&&    /    \  __ _____,    after staying up all night for a few weeks
     `-- |  o   \'  `  &&/     and living off of vending machine food.
        `|      | o  },-'
          \____( )__/          Winthrop Desmond Chan
          ,'    \'   \ 
  /~~~~~~|.      |   .}~~~\    producer@cscwam.umd.edu    producer@eng.umd.edu
   ,-----( .     |   .}--. 
         | .    /\___/         wchan@umd5.umd.edu         wchan@linus.umd.edu
          `----^,\ \           wchan@snoopy.umd.edu       wchan@umdd.umd.edu
                 \_ |  ACK!
Disclaimer : "My employer is not responsible for what I do or say here"
==============================================================================

whelan@huey.wslab.Hawaii.Edu (Jerry Whelan) (08/07/90)

In article <32457@cup.portal.com> dbell@cup.portal.com (David J Bell) writes:
=>OK: here's one to research. My son told us of a friend at work, whose
=>father had picked up from an acquaintance at a major aerospace/electronics
=>company, a replacement chip for some model of cellular phone. This 
=>replacement chip (possibly a ROM or pROM) supposedly allows unlimited
=>free calling.

	This sounds similar to those cable descrambler boxes one
can (could ?) buy.
	The story I heard was that someone borrowed a legit box from
a friend, copied the eproms and then just started selling those,
without telling the friend what he did.  So, as long as the
friend kept his subscription up, all the illegal eproms worked fine,
however when someone got caught, it was traced back to the original
owner who quite promptly changed his descrambler to a new one.
Suddenly (to hear the story) thousands of people were suddenly without
cable...
	I wouldn't be surprised if this replacement chip is a pirated
copy of someone else's (probably corporate) cellular phone "identifier."
But, never even having touched such a beast I don't really know how
they work.
--
-------------------------------------------------------------------------------
whelan@  (uhunix.uhcc.hawaii.edu || uhccux.BITNET || nextsrv.uhcc.hawaii.edu)

whelan@huey.wslab.Hawaii.Edu (Jerry Whelan) (08/07/90)

In article <1990Aug6.124516.8051@jarvis.csri.toronto.edu> sheasby@dgp.toronto.edu (Michael C. Sheasby) writes:
=>They took out the small speaker and touched the two wires
=>leading to it to the handset holder (the thing you put the
=>phone back on when you finish the call). Then they dialed
=>and quickly screwed the receiver cap back on. Apparently this
=>saved them a quarter.
=>
=>I suppose it has something to do with a small current passing
=>through the metal receiver hook and fooling the phone into thinking
=>a quarter had been deposited.
=>
=>Anyone ever see this?  can you do it any other way?

	Yeah, at my boarding high school this was fairly common in the
dorms.  However we didn't have to take it apart, rather we stuck a
wire in a hole in the speaker cap and touched the other end to
the metal cable that connected the handset to the rest of the phone.
Here at college I've noticed that a number of public phones have the
center hole in the speaker cap filled in, I assume this is to prevent
people from doing the above operation.
--
-------------------------------------------------------------------------------
whelan@  (uhunix.uhcc.hawaii.edu || uhccux.BITNET || nextsrv.uhcc.hawaii.edu)

andyp@treehouse.UUCP (Andy Peterman) (08/07/90)

In article <26438@usc.edu> robiner@oberon.usc.edu writes:
>In article <1990Aug6.124516.8051@jarvis.csri.toronto.edu> sheasby@dgp.toronto.edu (Michael C. Sheasby) writes:
>>
>>The other day I was in a mall and noticed a few yahoos gathered
>>around a pay phone... they looked around for cops and then
>>unscrewed the receiver on the phone (the ear end, not the mouth
>>end).
>>
>>They took out the small speaker and touched the two wires
>>leading to it to the handset holder (the thing you put the
>>phone back on when you finish the call). Then they dialed
>>and quickly screwed the receiver cap back on. Apparently this
>>saved them a quarter.
>
>Matthew Broderick pulled this scam in the movie "War Games" but I don't 
>know if it works in the real world.  Most pay phones have glued, or locked,
>or sealed mouthpieces anyway, so it'd be very difficult (and illegal)
>to try tampering with them.

When I was a kid (I hate to admit it, but back in the early 60's) I used to
use that trick to make free phone calls.  We'd take a paper clip and 
unscrew the microphone and jump either contact to the phone's ground.  If the
mike didn't unscrew, we'd poke a hole through the diaphragm and that would
usually work.  We'd hear clicking and then get a dial tone.  DON'T TRY THIS
METHOD NOW - IT WON'T WORK!!!!  The new phones (since the late 60's or so)
use a different signalling mechanism to indicate money is needed.

I had a fond flashback when I saw them use that method in "War Games".  I
had totally forgotten about it.  I suppose that's even better proof that
it doesn't work anymore - otherwise they wouldn't have shown it in the
movie.

	Andy

ins_atge@jhunix.HCF.JHU.EDU (Thomas G Edwards) (08/08/90)

In article <26438@usc.edu> robiner@oberon.usc.edu writes:
(about making free calls from payphones using the handset grounding method)

>Matthew Broderick pulled this scam in the movie "War Games" but I don't 
>know if it works in the real world.  Most pay phones have glued, or locked,
>or sealed mouthpieces anyway, so it'd be very difficult (and illegal)
>to try tampering with them.

At least it worked when I was in high school (I'm a nice boy now :-)
Actually, in my area there were no unscrewable handsets in payphones.
The speaker actually was protected by a piece of metal.  To properly do
it, one had to hammer a nail through the metal protector, and then use
a paper clip to connect the speaker to the metal case of the payphone.
And you had to do it at the proper times while dialing.  One could always
tell phones which were used in this manner by the tell-tale
enlarged hole in the plastic over the speaker.

I do not understand why it works...perhaps something to do with
ground-loop start, but then how can the payphone work without 
red box tones (i.e. nickel tones?)...it must also do something to the
payphone.

-Tom

jon@vector0 (A Product of Society) (08/09/90)

andyp@treehouse.UUCP (Andy Peterman) writes:

> DON'T TRY THIS METHOD NOW - IT WON'T WORK!!!!

    I'm not sure if this was a stab at trying to prevent abuse or not...
But it does still work.  Just make sure you don't make it a long-standing
habit.  Ma Bell does keep records of which pay phones they need to watch
(and they will)...  5 years or 50,000 dollars...  (Or is it more?)

    Anyway, the punch method (sticking a paper clip in mouthpiece)
often ruins the mouthpiece so you can't talk.  Nice work.  The new
high tech criminal method - bring a tape recorder and tape the sound
(couple clicks) of when you drop your money in.  Then, the next time
you want to call somewhere, take out your tape recorder, drop in a
*nickel* (bypasses the ground test done on the money - use a nickel
because the call will only cost you .05), then playback the clicking
money sounds. There's one short click for the nickel, two shorts
for a dime, and a long for a quarter.  (I don't remember frequencies
etc right now...)

    Some new phones block the clicks from being heard on the earpiece.
If this is the case, you can easily make your PC generate the clicks
for you to record.  Or find a phone that does let you hear them.

        (No disclaimer, the Gestapo reads that as "intent".  But
be considerate.  Don't make the pay phone rates go up.)

> 	Andy

___
Jon                         ..??$!...ames!pacbell!sactoh0!vector0!jon
                            Internet: sactoh0!vector0!jon@pacbell.com
 <bee dee deep>
 "We're sorry, the .signature you have reached has been disconnected.
  Please check your path and try your read again."

aez@Data-IO.COM (Adam Zilinskas) (08/10/90)

In article <26438@usc.edu> robiner@oberon.usc.edu writes:
>In article <1990Aug6.124516.8051@jarvis.csri.toronto.edu> sheasby@dgp.toronto.edu (Michael C. Sheasby) writes:
>>
>>The other day I was in a mall and noticed a few yahoos gathered
>>around a pay phone... they looked around for cops and then
>>unscrewed the receiver on the phone (the ear end, not the mouth
>>end).
>>
>>They took out the small speaker and touched the two wires
>>leading to it to the handset holder (the thing you put the
>>phone back on when you finish the call). Then they dialed
>>and quickly screwed the receiver cap back on. Apparently this
>>saved them a quarter.
>
>Well, now the phone companies are really gonna love this net...
>
>Matthew Broderick pulled this scam in the movie "War Games" but I don't 
>know if it works in the real world.  Most pay phones have glued, or locked,
>or sealed mouthpieces anyway, so it'd be very difficult (and illegal)
>to try tampering with them.
>
>=steve=

I remember that the old pay phone system used to use bells to detect 
the coins going through the slot. A quarter would fall down one path
and ring one bell and a dime go down another and ring a different
bell (or was it dinging a bell several times?).
  Well some people found out how this worked and got some chimes that
matched the pay phone bells very closely. So when the operator said:
"Deposit 50 cents please" they would ding the chime X times and fool the 
system.  The newer phone systems now use a series of pulsed tones to
defeat this 'feature'.
  I also heard another legend that Captain Crunch Cereal one time had a toy
whistle in it that approximated the operator control tones used in the 
touch-tone system (the tones created by the illegal 'blue boxes' to
get free service from the phone system by engaging the switching systems
in strange ways). Well, I think somebody in ATT got lots of free 
cereal when they had to confiscate the whistles :-)
				Adam Zilinskas

bush@uhccux.uhcc.Hawaii.Edu (Anthony Bush) (08/15/90)

crossing of wires on the phone to get free calls is true..
the dorm I was in we used a paper clip and shoved it in
where the cord goes into the receiver (you have to remove
the rubber off first) then you jiggle it until you hear static then
release it.. WALA! that's it. Warning.. don't do this at home..
it is not only illegal.. but also you get a mean shock if you
do it wrong (it was fun watching the froshs getting shocked) :)

			aloha and mahalo from Hawaii!

				edman