HOW TO BUILD AN ESN/MIN SNARFER

From Higher Intellect Wiki
Jump to: navigation, search
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<>                                                                          <>
<>                    HOW TO BUILD AN ESN/MIN SNARFER                       <>
<>                        THE BASIC REQUIREMENTS                            <>
<>                                                                          <>
<>                                by                                        <>
<>                                                                          <>
<>                             D a v e X                                    <>
<>                                                                          <>
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

Ok, lets get one thing straight, you won't be able to go to tandy's and        
buy the bits to build a snarfer after reading this file, it is only a primer   
to point an interested person in the general direction, you need to be more    
than a little electronically inclined to build the hardware, although most     
semi-literate programmers could write a piece of software to use with it.      
I have written a short program in compiled basic which werked, so you don't    
have to be an asm wizard to get results.                                       
                                                                               
Step 1                                                                         
^^^^^^                                                                         
Lets get started, to begin with you need an NBFM receiver that covers the      
cellular phone band.                                                           
This reciever must be modified to do the job in hand, so if you don't fancy    
wrecking your expensive multiband scanner then stop now.                       
                                                                               
To modify your receiver you need to take the output of the discriminator       
unfiltered and unamplified, if you don't get this right, it won't werk the     
hardware, as phase shifts introduced in the amplification and/or filtering     
will destroy the data before you can decode it.                                
It is also a good idea to fit a wider IF filter, 20khz seems about right for   
cellular telemetry, but you may get limited success with the original one.     
                                                                               
OK, so you have done open heart surgery on your scanner and you now have two   
soggy wires hanging out of it. One wire going to the discriminator output,     
and the other going to chassis ground. It is a good scheme to fit a small      
socket, ( a 2.5mm jack socket is ideal for this purpose).  Also place a        
0.22uF capacitor in series with the discriminator output to prevent any        
stray electricity finding its way back to your scanner and fucking it.         
                                                                               
Plugging a telephone earpiece or similar into your newly fitted socket will    
result in a very quiet signal being heard, but neither the volume control or   
the squelch will have any effect on this signal. If you get this far then you  
are doing good and chances are you've done it right.                           
                                                                               
Step 2                                                                         
^^^^^^                                                                         
Next you need some custom hardware, I'm not going to supply a parts list or    
a diagram, and don't bother hassling me via email, because I still wont tell  
you more, unless you have made a good start and need help getting it to       
werk right.                                                                   
(This is for two reasons,                                                     
                                                                              
    1) Why the fuck should I do all the research and prototyping and then     
       give it to you on a plate?  Next thing you'll be wanting me to build   
       you one.                                                               
                                                                              
    2) Who is to say that my design is the best there is, someone else might  
       come up with a better design if they are forced to think about it, but 
       if I just give you a circuit and a parts list you wont bother thinking 
       you'll just clone my design.                                          
                                                                               
Not withstanding the aforementioned, this is what you require:-                
                                                                               
The signal from your radio needs converting to TTL using a comparator, an      
LM339 would werk well here.                                                    
                                                                               
You need a VCO with a nominal center frequency of 8khz, this is phase locked   
to the incoming datastream. a 4046 would seem to fit the bill.                 
                                                                               
The output of your PLL is your clock signal, this is one of the outputs you    
need to present to your computer for the decoding process.                     
                                                                               
The other output is generated by exclusive or'ing the datastream and the       
recovered clock, you could use a 4070 for this function.                       
                                                                               
You now have both clock and data lines, these are fed to your computer for     
decoding. (you also need to connect a ground wire too).                        
                                                                               
                                                                               
Step 3                                                                         
^^^^^^                                                                         
You must first tune your radio to the reverse channel, this is most easily  
accomplished by tuning around between 930mhz and 950mhz until you find the
strongest forward channel, (Hint. it goes burbullyburbullyburbullyburbully)
Once you have found the strongest forward channel, retune your radio to exactly
45mhz lower, this is the reverse channel, and you should hear noises on it
during busy periods that sound a bit like pissed off flies, bzzzz bzzzz bzzzz,
these are data bursts from cellular phones, sending (among other things),their
min and esn to the local cellular tower.                                      
                                                                              
The decoding process is fairly simple, you need to read your chosen input port 
each time the clock goes high, (or low), the bit value is taken from the xor'd 
data line.                                                                     
You are looking for the bit sequence 11100010010. When you receive this flag,  
you immediately capture the next 1207 bits, these are used to get the esn/min  
pair.                                                                          
                                                                              
Begining at bit(274) take ten bits, convert this to decimal, to this number    
add 111 (one hundred and eleven), take the three rightmost digits, and store   
this as 'A'.                                                                   
                                                                               
Begining at bit(20) take four bits, convert these to decimal and store it, lets
call it 'B'.                                                                   
                                                                              
Begining at bit(24) take ten bits, convert this to decimal, to this number     
add 111 (one hundred and eleven), take the three rightmost digits, and store   
this as 'C'.                                                                   
                                                                              
Begining at bit(34) take ten bits, convert this to decimal, to this number     
add 111 (one hundred and eleven), take the three rightmost digits, and store   
this as 'D'.                                                                   
                                                                              
With it so far? if not read it again until you are familiar with the process.  
                                                                               
Now starting at bit(508), take four bits and convert them to decimal, this is  
stored as 'E', it is a two digit number and may require a leading zero.!       
                                                                               
Begining at bit(512) take six bits, convert these to decimal, this number is   
also a two digit number and may require a leading zero. Store as 'F'.          
                                                                               
Starting at bit(518) take six bits, convert them to decimal, this number is    
also a two digit number and may require a leading zero. Store as 'G'.          
                                                                               
Now starting at bit(492), take sixteen bits and convert this to decimal, this  
is stored as 'H', it is a five digit number, and may need padding with leading  
zeros to achieve this.                                                         
                                                                               
You should now have numbers A through G.                                       
                                                                               
E should read 00, if not you fucked up.                                        
                                                                               
Finally you print it out like so:-   AB-CD E/F/G/H                             
                                                                               
It should look like this, 234#-###### ##/##/00/#####                           
                                                                               
The remaining bits are for the most part junk, but can be used for verification 
of the information you have just collected.                                   
Each piece of info, min1, min2 and esn is sent 5 times in a 240 bit block, so  
using your razor sharp mind, (or a calculator), you should have figured out    
that each data sub block is 48 bits long. By adding 48 to the above bit(#s)    
you can do the same decoding process again. And again at bit(#)+96 etc. and
use the extra four copies as mental error correction.                       
                                                                             
There is a parity field attached to each subblock for error correction purposes
but this complicates the decoding process somewhat, and would be a bit ugly to
write in basic.                                                               
                                                                              
In Phate103, there is more info on the data format used, and an asm routine 
for calculating the CRC using the parity bits.                              
                                                                              
Have phun, but please don't use any of these snarfed pairs to make free calls
as this is probably illegal.                                                 
                                                                              
( This information will not werk in the USA, although the signalling formats   
are similar to this, certain modifications need to be made both to the hardware
interface and the decoding method. If you are stateside, and require this      
additional info, email me, DaveX @ Plan9 )                                     
                                                                               
                                                                               
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
Greets.                                                                        
~~~~~~~                                                                        
CHEROKEE                                                                       
KILSLUG                                                                        
MAELSTROM                                                                      
MEEKO
PULSE


Share your opinion