infosurge Issue 07
....... .......
...........................:::: ::::.............................
....:::: ::::....
:::: ::::
: :
___ ________ ______ ___ _______ _______ ___ ______
_| \\// \\ / __// \\\\ / //_____ ___| _ \\\\/ _|__// _/
|| || || | | || | | | || |____\\ ___|
|____||____| || --'._____|\\\\_____ |_____//___| |____ | \\\\
.============`----'|___|=============`-----|==========`---'===`----|=====.
:::: ::::
::::.... ....::::
::::........................... .............................::::
...:::: ::::... infosurge/7
.....................: :.......................
: Official Web Site -> http://infosurge.rendrag.net :
: Official Submissions -> phase5@cmdrkeen.net :
: :
: issue #7: 08/10/2000 :
:..........................................................:
"[14:15] <fyre> i said 'elite cool see you at 8'"
___________________________[______]..[______]______________________________
[ ] [..] [ ]
[ \\\\\\\\\\ ]:[ ]
[ \\\\\\\\\\ ]a[ ///// ] Intro............................................phase5
[ \\\\\\\\\\ ]b[ ///// ] Editorial...................................damir d0kic
[ \\\\\\\\\\ ]:[ ///// ]--------------------------------------------------------
[ \\\\\\\\\\ ]1[ ///// ] Syslog Exploit.....................................fyre
[ \\\\\\\\\\ ]2[ ///// ] Webservers and You.................................eckz
[ \\\\\\\\\\ ]3[ ///// ] Australian Bandwidth..............................alpha
[ \\\\\\\\\\ ]4[ ///// ] One Time Passwords................................aphex
[ \\\\\\\\\\ ]5[ ///// ] Cellular Networks...........................galapogos01
[ \\\\\\\\\\ ]6[ ///// ] Fibre Optics and SONET............................lymco
[ \\\\\\\\\\ ]7[ ///// ] CDMA.............................................phunki
[ \\\\\\\\\\ ]8[ ///// ] Bash Scripting....................................lymco
[ \\\\\\\\\\ ]9[ ///// ] More Ericsson Fun................................analog
[ \\\\\\\\\\ ]:[ ///// ]--------------------------------------------------------
[ \\\\\\\\\\ ]c[ ///// ] Outro............................................phase5
[ \\\\\\\\\\ ]d[ ///// ] total................................infosurge (84.5kb)
[_______]:[_______]________________________________________________________
[_] [ (c) october 2000 ]
[ \\\\\\\\\\ ].......................[ shouts ]........................[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] [ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] shard jestar lymco eckz fyre ikari phunki marlinkspike [ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] fleabag bsdave damien k karag- xm beatz assass|n [ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] synister cmdrkeen ghengis tux x-circuit alpha aphex [ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] Wewted cyberpuppet fed0 [ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] [ \\\\\\\\\\ ]
[ \\\\\\\\\\ ]---------------------------------------------------------[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] Editorial ..............................[ damir d0kic ].........
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
"USA Open is crime organisation. USA Open, this moment, this moment . . .
all organisation for New York . . . USA, USA is big crime organisation."
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] Syslog Exploit .........................[ fyre ]................
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
Most Linux system administrators (and home users) keep a close watch
on their system logs. The reasons are many and varied: diagnosing
faulty hardware, finding out what happened to an important daemon,
and watching for break-in attempts are some of the most popular
reasons. System logs are a very important tool, but there are a large
number of people who don't fully understand the shortcomings of the
system.
Messages are sent from programs (usually daemons) to syslogd(8)
through a UNIX domain socket, /dev/log, using the C library function
syslog(3). When syslogd receives a message from /dev/log, it decides
what to do with it based on the rules in syslog.conf(5); the most
common action is to write the message to a logfile.
The problem is that /dev/log is world-writeable in most situations -
anyone can send messages to the system log. Worse yet, if the message
is prefixed with "??? ?? ??:??:?? " (where a ? is any character),
syslogd assumes that it is a timestamp and does not bother to add a
timestamp of its own. For example, "MOO CO W!:MO:O! " is, to syslogd,
a valid timestamp.
This diagram shows the format of a normal system log message, plucked
randomly from /var/log/messages:
Sep 29 14:27:03 abyss ftpd[623]: FTP session closed
    Sep 29 14:27:03     timestamp
    abyss               hostname
    ftpd                program
    623                 pid
    FTP session closed  message body
Only one of those five components cannot be supplied through
/dev/log: the hostname. In other words, a malicious user of your
system could send a message to /dev/log (which is by default world
writeable on most Linux distributions), containing an arbitrary
timestamp (with some restrictions - these are discussed later),
program name, process id and message body. At the very least, this is
annoying. Imagine what would go through your mind if you saw this
message floating around your logs:
Sep 29 15:41:35 abyss PAM_pwdb[1247]: (su) session opened for user root by nobody(uid=99)
You would panic. You could not tell for certain whether your machine
had been compromised. There lies the single greatest flaw of the
system logging mechanisms on Linux (and BSD Unices, among others):
any user may write to the system log. If an event happened (nobody
su'd to root), you can be fairly certain that on a properly
configured system a message similar to the one above will appear in a
logfile somewhere. However, the converse is not necessarily true.
Consider this situation: user `bob' has a grudge against user `joe'
so decides to create some incriminating log messages. bob decides
it'd be fun to make it look like joe was trying ELiTE 0hDaY 5PL01t5.
In order to make it more credible, he waits for joe to log in (or
sets up a cron-job to do so) so that wtmp shows that joe was logged
in at the time (and if bob used a cron-job, wtmp would show bob was
no longer online). By writing his evil message to /dev/log, bob
creates the following entry in the system log:
Sep 30 17:25:17 abyss PAM_pwdb[1292]: authentication failure; joe(uid=509) -> root for su service
Just in case that didn't anger the administrator, bob creates the
following messages the same way:
Sep 30 17:36:49 abyss last message repeated 527 times
The icing on the cake is the next message:
Sep 30 17:36:49 abyss PAM_pwdb[2527]: (su) session opened for user root by joe(uid=509)
The administrator reads these messages, panics, and (hopefully)
brings the system down into single user mode. From those messages, he
probably infers that joe managed to crack the root password by brute
force. Perhaps joe gets his account suspended or deleted, referred to
the police, or fired.
Yet another problem with syslogd is that it can be used to send anonymous
broadcast messages a la wall(1), and it ignores the mesg(1) state of
terminals.
There are quite a few approaches that can be taken to restrict who
may write messages to the system logs. Perhaps the most
straightforward is to remove the world-writeable bit from /dev/log,
change the group ownership to a new group `log' and put everyone who
needs to write log messages in that group. The downfall to this
approach is that syslogd will remove and create the /dev/log socket
each time it starts up, effectively changing the ownership back to
root:root and making it world-writeable. To change this behaviour
requires a trivial modification to the source code for syslogd.
Another solution would be to harness the power of the SCM_CREDENTIALS
ancillary message, which allows credentials (pid, uid and gid) to be
sent through a socket (see unix(7)). This requires modifications to
the receiving end (syslogd) and the sending end (syslog in libc) but
is the most extensible in the long run. Since on most systems all
system accounts have a UID below a fixed number (100, 500 and 1000 are
common), a simple test could be performed to see if a user should be
able to write to logs, or a configuration file (perhaps
/etc/syslog.allow) could list the allowed users.
A program that can be used to demonstrate the problems discussed
follows this article. To extract it, use the following Unix command:
tr -d '\r' <infosurge-8.txt | uudecode -o - | gzip -dc >logmsg.c
The program writes directly to the /dev/log socket, bypassing the C
library syslog(3) routine. It has been tested on Red Hat Linux 6.2
with Linux 2.4.0-test8 and syslogd 1.3-3. Other operating systems or
distributions of Linux (older version of Red Hat Linux, for example)
may require changing SOCK_DGRAM to SOCK_STREAM in logmsg.c to work
correctly.
Until the issue of authentication of log messages is sorted out, good
advice would be to take log messages with a grain of salt.
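The loose "??? ?? ??:??:?? " check the article describes is the only validation syslogd does on a client-supplied timestamp, so a reader of the logfile has to re-check the line structure himself. The validator below is an added example (not fyre's logmsg.c and not part of syslogd): it splits each line into the five components diagrammed above and reports the things a sloppy forgery gets wrong; the sample log lines are constructed. It also shows, with the bob-versus-joe lines, that a well-formed forgery passes every structural check, which is exactly the article's point.

```python
"""Strict re-checker for classic syslog lines (added example, not from the article).

syslogd only tests a client-supplied timestamp against the loose shape
"??? ?? ??:??:?? ", so a line such as "MOO CO W!:MO:O! abyss ..." is stored
as-is.  This validator parses each line into the five components the article
diagrams (timestamp, hostname, program, pid, message body) and reports what a
careless forger gets wrong.  All sample lines below are constructed.
"""
import re
from datetime import datetime

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# timestamp hostname program[pid]: message body
LINE_RE = re.compile(
    r"^(?P<ts>.{15}) (?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>[^\]]*)\])?: (?P<msg>.*)$")
# syslogd's own "last message repeated N times" summary has no program field
REPEAT_RE = re.compile(r"^(?P<ts>.{15}) (?P<host>\S+) last message repeated \d+ times$")


def timestamp_key(ts):
    """Return (month, day, h, m, s) if ts is a real 'Mon dd hh:mm:ss', else None."""
    m = re.fullmatch(r"([A-Z][a-z]{2}) ([ \d]\d) (\d\d):(\d\d):(\d\d)", ts)
    if not m or m.group(1) not in MONTHS:
        return None
    mon = MONTHS.index(m.group(1)) + 1
    day, hh, mm, ss = (int(x) for x in m.groups()[1:])
    try:
        # the log line carries no year; 2000 is a leap year so Feb 29 is accepted
        datetime(2000, mon, day, hh, mm, ss)
    except ValueError:
        return None
    return (mon, day, hh, mm, ss)


def parse_line(line):
    """Split one line into its components, or return None if it has no valid shape."""
    m = LINE_RE.match(line) or REPEAT_RE.match(line)
    if m is None:
        return None
    rec = {"prog": None, "pid": None, "msg": None}
    rec.update(m.groupdict())
    return rec


def audit(text):
    """Return [(line_no, reason), ...] for lines that fail a structural check."""
    findings = []
    prev_key = None
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            findings.append((n, "unparseable line"))
            continue
        key = timestamp_key(rec["ts"])
        if key is None:
            findings.append((n, "timestamp is not a real date/time"))
        else:
            # one syslogd writes a file in order (December-to-January wrap aside),
            # so a timestamp earlier than the previous line is a soft indicator
            if prev_key is not None and key < prev_key:
                findings.append((n, "timestamp earlier than previous line"))
            prev_key = key
        if rec["pid"] is not None and not rec["pid"].isdigit():
            findings.append((n, "pid is not numeric"))
    return findings


# constructed sample: one sloppy forgery per failure mode, plus a clean tail
SAMPLE_LOG = """\
Sep 29 14:27:03 abyss ftpd[623]: FTP session closed
MOO CO W!:MO:O! abyss PAM_pwdb[1247]: (su) session opened for user root by nobody(uid=99)
Sep 29 15:41:35 abyss PAM_pwdb[12a7]: (su) session opened for user root by nobody(uid=99)
Sep 29 13:00:00 abyss sshd[700]: Accepted password for joe
Sep 29 15:42:10 abyss last message repeated 3 times
Sep 29 15:42:11 abyss kernel: eth0: link up
"""

# constructed: the article's bob-versus-joe forgery, which is structurally flawless
FORGED_BUT_CLEAN = """\
Sep 30 17:25:17 abyss PAM_pwdb[1292]: authentication failure; joe(uid=509) -> root for su service
Sep 30 17:36:49 abyss last message repeated 527 times
Sep 30 17:36:49 abyss PAM_pwdb[2527]: (su) session opened for user root by joe(uid=509)
"""

if __name__ == "__main__":
    for n, reason in audit(SAMPLE_LOG):
        print(f"line {n}: {reason}")
    print("findings for the well-formed forgery:", audit(FORGED_BUT_CLEAN))
```

The empty result for FORGED_BUT_CLEAN is the lesson: structure checks catch careless forgeries only, and nothing short of sender credentials (the SCM_CREDENTIALS approach above) tells a real PAM_pwdb line from a user-written one.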
Fyre <fyre@box3n.gumbynet.org>
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] Webservers and you .........................[ eckz ]............
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
Lately on the good ol' irc i have been getting asked how to get
into webservers. Yes, there are the obvious reasons for "i want to
be elite and deface the webpage" which is a phase we all go through
admit it, but whether or not we actually do it is another story. But
from the people who have been messaging me asking me for help with
holes like phf, nph-test-cgi, perl.exe, cgiwrap and (this never ceases
to amaze me) RDS i thought the Australian sector of the internet mustn't
be very secure if old, well known and just obvious holes are sitting there
wide open on webservers. So i went off, with my trusty perl scanner in
hand and my 4 heaps of jarrah, 4 scoops of sugar coffee in the other.
Amazingly i wasn't very surprised. Web admins are doing their usual effort
in the workplace. Scratching their nuts, watching South Park episodes
and flicking their secretary's bra strap on their walk past to the toilet
so they can sit, take a huge dump, and read their latest IT News week mag.
While they are on the toilet, heaving and jizzing in amazement as they too
can own their own Linux Penguin coffee mug even though they run Windows,
that big maxi tower they sit at 24/7 is having some problems. As said in hackers
"errr, Mr The Plague, the accounting subdirectory is working really hard on the
gibson, its workload is enough for about 10 users, i think we've got a hacker."
By Jesus! You've got it right and right now that user is logged on as root and
is about to rm -rf your accounting subdirectory and the rest of your damn server.
Back on track..
As i sat at my computer drinking my coffee, smoking my cigarette, eating my
muffin i see multiple common holes popping up on servers.
20x.xx.xxx.xxx - /msads/Samples/SELECTOR/showcode.asp
10.xx.xx.xxx - /msadc/msadcs.dll
13x.xxx.xx.xxx - /cgi-bin/nph-test-cgi
13x.xxx.xx.xxx - /cgi-bin/websendmail
10.xx.xx.xxx - /cgi-bin/view-source
Now this one, /cgi-bin/jj, cracked me up quite a lot. An Australian government
department, that is well known and from my knowledge would hold probably
sensitive information with holes like these. (no it wasn't fake, i checked)
Since the discovery of rds and the worldwide abuse of the tool you would think
admins would either change the server over to some type of linux or patch the
hole. Not the case, one server, which i won't name, but is quite a big firm
and holds f**king unmentionable data was vulnerable to not only rds but another
5 cgi-holes and the all mighty NetBIOS null session. While my Slackware machine
was still scanning i moved over to my Windows machine, opened up My Computer
and clicked on Web Folders, type in the address and was stunned to find the results.
I had connected with full access privileges to upload/download/rewrite/delete anything
in the web roots folder. But it didn't go as far as this. The actual web server
was a Windows NT 4.0 Server firewalled by a Redhat 6.0 machine. The reason for this
firewall was simple. Their entire network, every office workstation, server, penis
extension you name it was connected to the webserver. For the webserver was their
main server. More things that put me on the floor laughing kept coming at me.
They had a quite little asp interface coded to browse through some directories
on the webserver that weren't available to the public. Opening login.asp in the
web browser put me to a user/pass screen. Opening it in notepad had me shocked.
user=administrator
pass=(not shown for obvious reasons)
I simply entered them into the user/pass screens and i had gained access to where they
stored some more "sensitive files". Then i found they had Microsoft Exchange
or some bullshit webmail client like that. Opened the webbrowser and typed in the
address. "This is a secure site, please enter a username and password to continue".
Thinking, "It won't work, you couldn't be that stupid"....it logged in.
Now, because yes i do fear Bubba, and i don't want to goto jail and i want my
ass to stay a nice clean virgin im not saying what i found, but it was choice material.
Now if i was fed0. i could have just fucked over their whole mailbox. Uploaded
trojans and viruses by the dozens. Raped the absolute shit out the network and
ran like mad from ASIO. Instead, i left everything as is (except the logs of course)
mailed the admin and told him everything that had been done, how it had been
accomplished and how to fix it.
About 2 hours into the next morning of business work hours i got an e-mail thanking me
for the head up on what had happened and advice i had given him.
...Admins
Don't leave stupid little holes such as those open on your networks. You will be
compromised and if it isn't by someone with a clue, it will be by a stupid little
kid who wants to write "1 0wn j00 fuX" all over your main page and change all your
passwords.
...Kids and Kids alike
Brains kiddies brains, if i had decided to alter one file or decided to change some
shit, rape would be inevitable.
...Moral of the story
- Sitting up late makes your brain scatter
- 4 heaps of jarrah, 4 sugars and cigarettes keep you awake all night
- Farts smell funny
- Stupid little web holes are out there, do your research you will find them
and not only webpages are stored on webservers. They can hold or be hooked up
to a lot more info than you first thought.
...Outro
It would be much appreciated if government officials didn't come around to my house
for i really don't have time for you between drinking beer and IRC im sorry.
The firm i got into had some shit going for them anyway, I knew some people that
wanted to take them down and make them go out of business. If the people they had gotten
to take down the firm had the clue to look for small things like I did, the firm would
be quite royally fucked. Yes, i told them about people wanting to take them out too, i think
it helped in the process of them securing their servers faster.
that mail thang - eckz@shagz.org
i seek you - 66615966
eye are see - Austnet/#phreak
linkage - http://users.rendrag.net/~eckz
mad propz - back-hand security labs (p0lski style)
!@!_HuNnY_!@! (werd to blonde surfie chicks that like me)
learn_to_hate (your nose is fucking HUGE!)
Bonox Crew (getting drunk, all day, everyday)
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] Australian Bandwidth .......................[ alpha ]...........
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
As you probably know, bandwidth in Australia isn't too flash. As the new but
old technologies make their way into your house will we all feel the bandwidth
shortage bite? The answer is yes!
If you don't already know, Telstra is one of the biggest bandwidth providers in
Australia. It has an established internal and international network. Here are
some of the key details of the international network:
* 980Mbps to the USA
* 45Mbps to New Zealand
* 55Mbps to Japan
* 8Mbps to South Korea
* 10Mbps to Hong Kong
* 49Mbps to Singapore
* 2Mbps to Taiwan
* 2Mbps to Malaysia
* 8Mbps to China
As you can see it isn't too large, and when 'unlimited' broadband access was
introduced in the form of cable by Optus/Excite@home and Telstra the bandwidth
bite started to kick in and the dialup users and ISPs had serious bandwidth
problems. Telstra has acknowledged the problem, though, and has decided
to extend the USA link to 1.4Gbps by the 2000 Sydney Olympics.
Although our internal bandwidth isn't really suffering I will give you some
important information on what our links are like. Here is the plan of the
internal network:
* 8Mbps Perth - Darwin
* 620Mbps Perth - Sydney
* 620Mbps Perth - Adelaide
* 8Mbps Darwin - Adelaide
* 310Mbps Adelaide - Melbourne
* 310Mbps Brisbane - Sydney
* 620Mbps Sydney - Melbourne
* 310Mbps Sydney - Canberra
* 310Mbps Canberra - Melbourne
* 34Mbps Melbourne - Hobart
This really isn't much compared to USA networks, but we can't really expect
more because Australia is so spread out and fast links cannot be sustained over
long distances without repeaters of some sort. This is very much unlike the
USA, which has cities very close together which are mostly already cabled, unlike
Australian networks which don't really have any gigabit backbones.
I hope this little article has shed some light on the bandwidth Australia
hasn't really got and why it is taking so long for broadband access at
uncapped high speeds.
- alpha
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] One Time Passwords ........................[ aphex ]............
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
-=->Intro
Just the other day I was reading phunki's article in is4 titled, 'Cryptology
& the Magic Bullet'. It got me thinking about one-time passwords. How to set
them up on a system, how they are generated etc.. So I asked phase if he
wanted an article. The answer was yes of course. Refer to that article for
some background knowledge.
Clear-text, 'reusable' passwords that travel over a network simply aren't
secure. So several alternatives have been created. One-time passwords are one
of the answers to improve this. These passwords are desirable because they
cannot be reused. Anyone who steals a one-time password is stealing useless
garbage.
-=->OPIE
OPIE stands for One-time Passwords In Everything. It's open source software
for Linux, and is available from http://ciac.llnl.gov -> Tools ->
Authentication Tools. Installing OPIE replaces login, su, and ftpd with its
own versions of these programs, which accept both traditional passwords and
OPIE one-time "password phrases".
-=->The OPIE Transition Mechanism
OPIE can be configured to accept either traditional reusable passwords
or OPIE one-time "password phrases". This is handy so you can set your local
logins to have reusable passwords where there is no danger of having the
password taxed, and one-time passwords for remote logins. The only problem
with this feature is that it opens a very big security hole by making it
possible for people to forget what they are doing and use a reusable password in
the wrong situation.
Sometimes, it is a must to use this feature. To enable it, run configure
with --enable-access-file when you build OPIE, which permits you
to use the /etc/opieaccess file. In this file is a list of the hosts from
which reusable passwords are allowed. For example:
permit 127.0.0.1 255.255.255.255
deny 172.16.5.25 255.255.255.255
permit 172.16.5.0 255.255.255.0
The first field on each line either permits access with reusable passwords or
denies it. By default, every system not in the /etc/opieaccess file is denied
reusable password access. The second field is the address. The third field is
the address mask, which allows you to specify entire networks with a single line.
*bleh*
-=->Selecting Your Secret Password
The list of one-time password phrases is generated by a program named
opiekey. You need to identify yourself to that program by selecting a secret
password; opiepasswd is used to set the secret pass.
For example, assume I'm new to OPIE and want to generate a list of password
phrases before going on a trip. First, I log in to the OPIE server's console
with my traditional reusable password and run 'opiepasswd' to select a
secret OPIE password, which must be at least 10 characters long. opiepasswd
accepts the secret password and displays the first password phrase, which is
DUG AHOY EMIL SAM JOT BERN:
$ opiepasswd -c
Updating aphex:
Reminder - Only use this method from the console; NEVER from remote.
If you are using telnet, xterm, or a dial-in, type ^C now or exit with no
password. Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter old secret pass phrase: OJ1CCFftNt
Enter new secret pass phrase: p3n0r.j00z
Again new secret pass phrase: p3n0r.j00z
ID APHEX OPIE key is 499 P18318
DUG AHOY EMIL SAM JOT BERN
-=->Creating Additional Password Phrases
One password phrase, of course, isn't enough. To generate additional
password phrases, run 'opiekey'. The second-to-last line output by the
'opiepasswd' command contains important information. It displays the initial
sequence number (in this case 499) and the seed (again in this case, p18318).
Along with the secret password, these values are required by 'opiekey' to
generate the OPIE password phrases.
'opiekey' takes the login sequence number, the user's seed, and the user's
secret password as input, and outputs the correct password phrases. Use the
-n argument to request several passwords. Print them out or write them down
and you're set. The following example requests 5 password phrases from 'opiekey':
$ opiekey -n 5 499 p18318
Using MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter Secret pass phrase: p3n0r.j00z
495: NERO BORN ABET HELL YANG WISE
496: VERB JUKE BRAN LAWN NAIR WOOL
497: POE MOOR HAVE UN DRAB MONT
498: SACK WAND WAKE AURA SNUG HOOD
499: DUG AHOY EMIL SAM JOT BERN
*NOTE* Login sequence numbers count down from 499 and cannot be reused. When
it gets down to 10, re-run opiepasswd and select a new secret password, which
will reset the sequence number to 499.
The opiekey command line requests 5 password phrases (-n 5) starting from the
sequence number 499, counting downwards. The seed (p18318) has to be provided
with it. opiekey then prompts for your secret password which you set with
'opiepasswd'. The sequence number, the seed, and the pass are then used to
generate the password phrases.
To log in, you must use the password phrases that go with the sequence number
displayed by 'login'. For example:
login: aphex
otp-md5 496 p18318
Response or Password: VERB JUKE BRAN LAWN NAIR WOOL
A system running OPIE displays a line indicating that the one-time passwords
are being generated with the MD5 algorithm (otp-md5), that this login sequence
number is 496, and the seed used for the one-time password is p18318. The
correct response is the 6 short 'words' generated along with the sequence
number. Get it?
Well, there's a plain example on how a one time password system works. Not
for everyone? Maybe so. But understand it is a very portable system. You don't
need any special software on the client, just a list of passwords you
generated in your wallet.
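The transcripts above show what opiepasswd, opiekey and login print, but not why a used phrase is worthless or why the server never needs the secret. The following is an added example (my own code, not OPIE's) of the otp-md5 computation from RFC 2289 that OPIE implements: MD5 over the seed followed by the secret pass phrase, folded to 64 bits by XORing the two halves, then re-hashed once per sequence step. Responses are shown as hex rather than the six-word form, which needs the 2048-word dictionary; the secret and seed are the ones from the transcripts, and the OpieServer class is a constructed stand-in for the server side.

```python
"""otp-md5 hash chain behind opiepasswd/opiekey (added example, not OPIE's code).

Per RFC 2289: initial step = fold(MD5(seed + pass phrase)); each further step
= fold(MD5(previous 8 bytes)).  The response for sequence number N is the
initial step followed by N computation steps.  A server stores only the
response for N+1, so it can check a response for N (one more step must
reproduce the stored value) without ever holding the secret.
"""
import hashlib


def fold(digest16):
    """Fold a 16-byte MD5 digest to 8 bytes by XORing its two halves."""
    return bytes(a ^ b for a, b in zip(digest16[:8], digest16[8:]))


def otp_step(state8):
    """One computation step of the chain."""
    return fold(hashlib.md5(state8).digest())


def otp_response(secret, seed, seq):
    """Response for login sequence number seq (the 6-word phrase, as 8 bytes)."""
    # OPIE lowercases the seed before hashing
    state = fold(hashlib.md5((seed.lower() + secret).encode()).digest())
    for _ in range(seq):
        state = otp_step(state)
    return state


def opiekey_list(secret, seed, seq, count):
    """Like `opiekey -n count seq seed`: responses for seq-count+1 .. seq, in hex."""
    return {s: otp_response(secret, seed, s).hex()
            for s in range(seq - count + 1, seq + 1)}


class OpieServer:
    """Constructed stand-in for the server side of OPIE (not the real /etc/opiekeys)."""

    def __init__(self, secret, seed, seq=499):
        # opiepasswd: the secret is typed once at the console; only the response
        # for `seq` is kept, the secret itself is never stored
        self.seed = seed
        self.seq = seq
        self.stored = otp_response(secret, seed, seq)

    def challenge(self):
        """What login prints before 'Response or Password:'."""
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response):
        """Accept the response for seq-1 iff one more step reproduces the stored one."""
        if otp_step(response) != self.stored:
            return False
        # move down the chain: the accepted response becomes the new stored value
        self.stored = response
        self.seq -= 1
        return True


if __name__ == "__main__":
    secret, seed = "p3n0r.j00z", "p18318"        # values from the transcripts above
    for s, hexresp in opiekey_list(secret, seed, 499, 5).items():
        print(f"{s}: {hexresp}")
    srv = OpieServer(secret, seed)
    print(srv.challenge())                        # otp-md5 498 p18318
    phrase = otp_response(secret, seed, 498)
    print("login:", srv.verify(phrase))           # True
    print("replay:", srv.verify(phrase))          # False: a used phrase is garbage
```

Because MD5 cannot be run backwards, a stolen response for sequence N gives no help computing the response for N-1, which is what the next login will ask for.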
-=->Outro
Of course one of the best and most widely used strong authentication
packages is Secure Shell (ssh2). I planned on including a similar guide
on it here, but since it's used by so many, and public and private keys
have already been reviewed in is3 and is4, it would just be a cheap rehash. I
repeated myself a few times, only so the slow amongst you could understand; it's
not the simplest thing in the world.
aphex.
pulsewidth.net.
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] Cellular Networks .........................[ galapgoso01 ]......
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
**What is Cellular Telephone Technology**
The concept of covering a wide space of land with signal strong enough
to reach directly between two points is a far-fetched scenario. The devices
required to cover such distances would require huge power sources, and be of
substantially large sizes. Clearly, some kind of outside intervention is
required.
Cellular networks work on the principle of covering the airspace with
"Cells," as pictured below.
/-----\\
| 5 |
/-----*-----*-----\\
| 2 | 1 | 4 |
\\-----*-----*-----/
| 3 |
\\-----/
As can be seen, the cells cover a hexagonal shape, although in practice
this is slightly untrue. Each cell has a base station, located in the centre,
which transmits at a low power such that its signal will not overlap much into
adjacent cells. The cells can vary in width - up to 30km wide cells are
allowed for in the GSM specification, with the minimum being 350m. Each cell
joins to several others, allowing the handset to calculate the strongest signal
strength and hence use that cell's signal. The adjacent cells must also use
signals in a different frequency range to avoid conflicts, however some current
cellular technologies such as CDMA use the same frequency range to aid in
signal quality.
When a cellular phone is switched on, the device searches for the
strongest base station signal it can find. Once found, it negotiates with this
base station, alerting the cellular network as to where it can find said phone.
This kind of information is required as the device may roam through many cells
throughout the network and its location is required. Hence, any calls coming
to this phone will be routed from the PSTN, through the appropriate cellular
provider's backbone network and to the base station the phone is situated in.
Once a call to the cellular phone takes place, the call is routed using
the above said information regarding the handpiece location through to the
user's handpiece. As the user travels, the phone is constantly searching for
the strongest base station it can find. Hence, if the user travels into an
area where a stronger signal is available, it needs to switch to this cell.
There are varying technicalities involved in this switching, or "Hand-off",
which differ for each type of technology. GSM, for example, requires a
frequency change at the user's handpiece - hence the signal must be essentially
stopped for a given instant when the device switches cells. For all kinds of
cellular networks, the call needs to be re-routed through the backbone network,
through to the next base station, and back to the user's handpiece.
**Cellular Technologies**
**First Generation**
The Advanced Mobile Phone System, or AMPS, was first introduced in
America in around 1978. Widespread use of this system began in the United
States in around the early 1980s. Being one of the first Cellular systems to
be adopted around the world, this system had its limitations, with many
security risks. The primitive nature of this system resulted in the major
problems in this system, mainly to do with its inefficient use of allocated
frequency spectrum, and security flaws. As any given phone transmitted
analogue voice on a part of this allocated spectrum using Frequency Modulation
in the 800-900MHz bands, citizens with modified UHF radios could listen in to
calls made using AMPS Cellular phones. FDMA is the name of this technique used
to divide the allocated frequency band. Also, as the signal was not compressed
or encoded in any way, it made for inefficient and insecure use of the
allocated frequency range for the network, which meant as the user base grew,
the system couldn't cope with the number of extra users. These flaws pushed
for the development of a replacement system - GSM being the one adopted in
Australia, which replaced AMPS in the year 2000 (Zaslavsky 1999:62).
Other first generation systems adopted throughout the world included TACS
(Total Access Communication Service) in Europe, and NMT (Nordic Mobile
Telephone) in Norway and some other European countries. The Norwegian NMT
system has two main versions - NMT 450 and NMT 900, which were both designed
specifically for the rugged terrain of Europe. The variation of standards
throughout Europe, and the number of users were both contributing factors that
pushed developers towards a second-generation system.
**Second Generation**
The development of the GSM (Groupe System Mobile, or Global System for
Mobiles) standard was a leap in technology as far as cellular communications
were concerned. Developed in Europe, and introduced in Finland in 1991 (MoU
2000:14), the GSM system took off rapidly around the world. Its improved
signal quality, dramatically enhanced feature set, increased security,
efficiency and flexibility all made for a vastly adopted system. GSM is in
widespread use in most countries around the world today - the US is one of the
only countries just introducing it currently. Australia was the first non
European country to join the GSM MoU (Memorandum of Understanding) in 1992, and
within 4 years of its launch, had 5.6 per cent of the Australian population
switched to the newer, better GSM system.
The GSM network uses a technique called TDMA, or Time Division Multiple
Access to allow multiple users to access the same frequency range "at once".
Note that technically as the air space is divided over a time basis the users
don't access the airspace at once; rather, they take turns transmitting on the
same airspace. One 200kHz frequency band is divided into 8 time division
channels (CDG 2000:2). When a GSM phone wishes to make a call, the base station
in the area allocates it a time slot and frequency range - this allows the
phone to know when to listen in the band for its signal, and when to send its
burst of compressed voice data back to the base station.
As the GSM network is fundamentally a digital circuit-switching network, some
form of conversion is required to convert the analogue voice signal to a
digital one for transmission. Also, for more efficient use of the transmission
links, data compression is used on this digital signal. There are two main
compression algorithms that were introduced with the original GSM standard -
Half Rate and Full Rate. These compress the original 64kb/s (8kHz, 8-bit audio
signal; 8x8000) signal down to 8kb/s and 16kb/s, respectively, with error
detection packets included. A later standard that was introduced, Enhanced
Full Rate, still runs at a data rate of 16kb/s, but has a higher voice signal
quality, and requires phones and networks that support it. This compressed
signal is also encrypted using the serial number of the phone as a key, so only
the network and the phone itself can decode this information.
Calls on the GSM network comply with the generic standard for cellular
communications - base stations know of a handpiece's location in the network,
calls are sent to it, etc. However, when a handset moves to a location where a
stronger base station is sending, things change slightly. The handpiece must
negotiate a connection with the new base station, and be allocated a time code
in which to send its information. Then, in a process known as a "Hard
hand-off", the handpiece ends the connection to the current base station, and
moves to the new one. Therefore, for an instant the handpiece has no
connection to the network - this creates a loss in quality, and the possibility
of a dropout, so this transition must be kept as quick as possible (Asawa &
Stark 1996:2).
Other advanced features of the GSM network include SMS - the Short
Messaging Service; Caller ID; Call Diversion, barring and waiting. Some of the
latest GSM phones come equipped with a WAP (Wide Access Protocol) browser for
access to online information services.
Another second-generation cellular network, CDMA, which stands for Code
Division Multiple Access, is just starting to emerge in Australia. Originally
developed as a replacement for the AMPS system, the CDMA network uses allocated
spectrum a lot more efficiently than both GSM and AMPS. The CDMA Development
Group (CDG, 2000:1) lists the advantages of the CDMA protocol as follows:
"
* Capacity increases of 8 to 10 times that of an AMPS analogue system and 4 to
5 times that of a GSM system
* Improved call quality, with better and more consistent sound as compared to
AMPS system
* Simplified system planning through the use of the same frequency in every
sector of every cell
* Enhanced privacy
* Improved coverage characteristics, allowing for the possibility of fewer cell
sites
* Increased talk time for portables
* Bandwidth on demand"
The CDMA system doesn't divide up the frequency spectrum as AMPS or GSM systems
do. To differentiate between each call that is running simultaneously, it
allocates each sending unit a code, which the sender in turn uses to sign all
outgoing radio packets. This allows the tower at the receiving end to decipher
the messages received back into the voice data coming from each individual
call. As multiple devices are transmitting in the same frequency band
simultaneously, the tower has the complex job of decoding all of these signals.
CDMA is a form of DSSS (Direct Sequence Spread Spectrum). The goal of this
technique is to increase the bandwidth of a given signal to the point where any
interference to the signal has minimal influence on the original encoded
signal. Thus, the CDMA bands allocated to a particular tower are 1.25 MHz
wide, and neighbouring cells or towers can use the same frequency band. This
wide bandwidth allows the signal quality to remain reasonable under a large user
load. Each base station identifies itself by transmitting a pseudo-random
code, differentiated by a time offset. This means that all base stations on the
CDMA network need to be fully time synchronised.
The analogue voice signal on CDMA phones needs to be converted into a digital
signal just as with GSM. The signal is compressed, though using proprietary
compression algorithms, which are slightly more efficient than the GSM methods.
The average bandwidth for a voice signal on the CDMA network is around 13 kb/s
- however, this bandwidth rises and falls as the handpiece sees necessary,
dropping to as low as 0.8 kb/s in silent periods.
**Third and Future Generations**
Third generation, or 3G, cellular networks are undergoing development and
deployment at this very moment. Work on communications networks such as
Iridium has been going on since the deployment of GSM.
One of these networks, the Iridium satellite network, consists of 66
satellites (Jefferies, 1998:1) orbiting the Earth. Each satellite
projects its signal onto an area of 37 hexagonal cells, each of which can be up
to 360 nautical miles in diameter. This means one satellite can cover an area
of nearly 4 million square nautical miles (Jefferies, 1998:1). This area is
not covered simultaneously, however; the cells can be switched on and off as
usage requires, conserving energy. These satellites are built to last an
average of five years - after this short life span they will need replacement.
The satellites orbit the Earth such that if a user were standing still, the
satellite would still be moving past at a speed of approximately 16,650 mph
(Jefferies, 1998:1). This means that, as far as network concepts are
concerned, the cell hand-off is quite easy to implement, as the mobile user's
handpiece is only likely to hand off to the next adjacent cell as the network
moves across its path - i.e. the next cell is known to the network before the
handpiece.
The main purpose of the Iridium satellite network at present is to provide global
roaming mobile telephony and instant paging (Iridium, 2000:1). There are many
other networks like this in development - some for wireless email retrieval,
others for the same application (voice).
However, Iridium isn't the only communications network proposed in
these third generation systems. The GSM association are working on a system
for 3G, and have been allocated the radio spectrum to continue development in
this area (GSM World, 2000:1). This system will be implemented on top of the
existing GSM system to provide higher bandwidth, supposedly, and start to
appear in around 2005.
The ITU (International Telecommunications Union) are also working on a third
generation cellular system - the FPLMTS (Future Public Land Mobile
Telecommunications System).
Such third generation systems will see an impact as great as the
original change from first to second generation - proposals for high speed
bandwidth to mobile users are increasingly prevalent. With access like this,
access to the Internet and live, portable video conferencing and streaming
multimedia will become a reality.
The third generation system being developed in Europe and backed
by companies such as Nokia, Ericsson and Alcatel, named UMTS (Universal Mobile
Telecommunications System) (Nokia, 2000:1), does just this. Planned for launch
in 2002, this system will be based on GSM and provide very high data
transmission rates in the 2 GHz band. These companies are also pushing the ITU
to merge its technologies with UMTS, to allow global standardisation of
this wideband multimedia telephone network.
**Conclusion**
Cellular networks, although quite complicated in their actual
operation, are based on very simple principles, as just described. Any
questions (or spot-the-errors) to galapogos01@mindless.com.
=[galapogos01]=
References
* Martieken, O (1998) "Cellular Networks",
  http://www.tml.hut.fi/Opinnot/Tik-110.250/1999/Kalvot/TKK_2_99/sld042.htm
* Zaslavsky, A (1999) "Public two way wireless networks in Australia",
  http://broncho.ct.monash.edu.au/~azaslavs/cot3002_link/dcs-l-10/sld062.htm
* MoU (2000) "History of GSM Networks",
  http://www.gsmworld.com/about/history_page14.htm
* Asawa & Stark (1996) "Optimal handling of handoffs in cellular communications
  networks",
  http://www.acm.org/pubs/articles/journals/ton/1996-4-3/p428-asawa/p428-asawa.pdf
* CDG (2000) "Technical info about CDMA", http://www.cdg.org/frame_tech.html
* CDG (2000) "What is CDMA", http://www.cdg.org/tech/about_cdma.html
* Jefferies (1998) "Iridium - Technical Information",
  http://ntrg.cs.tcd.ie/cs5/98/group2/tech.html
* Iridium (2000) "Welcome to Iridium", http://www.iridium.com/
* GSM World (2000) "Press Releases",
  http://www.gsmworld.com/news/press_releases_61.html
* Nokia (2000) "Press Releases", http://www.nokia.com/news/news_htmls/ntc_970814.html
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] Fibre Optics and SONET .....................[ lymco ]...........
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
In this article I am going to introduce you to the basics of Fibre Optic
cabling, and then school you on SONET. I learnt the basics of this while
specialising in WANs at TAFE; the rest is self-learning. Hopefully you will
find it interesting.
# Brief introduction to Optical Fibre Cabling --
If you have been off on Mars for the past few years, then you would not have
heard about Fibre Optic cabling, the greatest jump in cabling technology
since the 'tin can and piece of string'. Its incredible bandwidth and
ability not to suffer from attenuation (fading of signal strength) over
extreme distances make copper cables look prehistoric.
There is no exact maximum transfer rate, since this depends on the
hardware capabilities. However, a very old and wise Telstra
advisor told me that they are managing to double the bandwidth every few
years. So the possibilities of Fibre Optic cabling are exceedingly high. A
rough estimate would be > 3 Gb/s for most Telstra setups (year 2000).
The main three types of optical fibre cabling are:
1. Single Mode (SMOF)
2. Multi Mode (MMOF)
3. Plastic
Single Mode Optic Fibre is called this because of the single beam of light
that it uses for transmitting information. The single beam/angle of light
is generated by a "LASER" (think Austin Powers). It is used mostly by
carriers due to its immense bandwidth and distance capabilities. However,
the equipment required is much more expensive than for MMOF.
Multi Mode is called this due to the entry and transmission of more than
one beam/angle of light. It is used mostly in commercial environments, as it
is a lot more cost efficient than Single Mode while still being adequate for
commercial use.
Optical Fibres consist of a solid glass core surrounded by a solid glass
cladding. This cladding has a slightly lower refractive index than the
core, so the boundary between them acts like a mirror, creating Total
Internal Reflection.
Security-wise, apparently it is possible to intercept data on Optical Fibre
cables. However, all you aloc beige box gurus, put away those McDonald's straws:
the equipment you would require to perform the task is expensive, and the
clue factor required must be exceedingly high.. not a common occurrence in
the majority of computer users.
--
# Introduction to SONET --
SONET stands for Synchronous Optical NETwork. Basically, it allows different
network media to interact using SONET standards. Without it, communication
between different transmission media would require extremely heavy
multiplexing/demultiplexing and/or encoding/decoding. For example, DS1 uses a
rate of 1.54MBps, with AMI encoding, and carries 24 voice signals, whereas E1
transfers at a rate of ~2MBps and carries 30 voice signals. See the difference?
SONET standardises this with the Synchronous Transfer Signal (STS), which has a
transfer rate of just over 51MBps. STS contains two main parts: 1) the
payload, which contains the content information, and 2) the overhead, which
carries the signalling and protocol information.
For example, a DS1 and E1 link could be joined to form a high speed fibre
data stream at over 51MBps.
[DS1 link (at 1.54MBps)]
           ___________
                      |___
                          ___|---[SONET (at 51MBps)]---|---[Fibre optic cable]
           ___________|
[E1 link (at 2MBps)]
So the above data would travel in STS format until it reaches the other end
of the connection. It would then be terminated through the SONET network and
returned to its original data format.
--
# Terminating Equipment -
The terminating equipment is used to convert the STS signal to its original
format(s).
Path Terminating Equipment (PTE):
This multiplexes and demultiplexes the STS signal.
Line Terminating Equipment (LTE):
This network element originates and/or terminates the line signal.
Section Terminating Equipment (STE):
This can be used as either a terminating network element or a regenerator,
as it is able to access, modify and terminate the overhead.
# SONET Layers -
1. Path Layer
This deals with the transport of services between the PTEs. It puts the
signals into the format required by the Line Layer. It modifies the overhead
for extra performance, and it also reads and interprets information.
2. Line Layer
This layer deals with the transport of the Path Layer's payload and
overhead across the physical medium. It provides synchronisation and
multiplexing for the Path Layer. It also monitors for errors.
3. Section Layer
This deals with the transport of STS frames across physical media. It
maintains reliable frames and sections, and also monitors for errors.
4. Photonic Layer
This deals with the transport of bits across the network. It converts between
STS and OC signals.
# Frame Structure
STS-1 is the basic signal rate for SONET. It has a frame rate of 8000 frames
per second. Each frame has a structure of 9 rows and 90 columns, which is
a total of 810 bytes per frame. It also scrambles and descrambles at 127 bits.
The first 3 columns (or 27 bytes) consist of the transport overhead (which
is, by mathematical formula, 4.44% of the complete 51.84 Megabit SONET signal).
Columns 4 to 90 are the Synchronous Payload Envelope (SPE).
# Finishing up
This has been a very brief introduction to SONET. Hopefully you found it
interesting, even the WAN gurus out there. If you have spotted any
errors, or would like to e-mail me, please do so at lymco@spanner.net.
--
lymco
dev.spanner.net
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] CDMA .....................[ phunki ]............................
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
Contents
- Intro
- Concepts
  - Multiple Access Basics
  - Interleaving
  - Orthogonality
  - Asymmetry and Channelisation
- Transmission
  - Walsh Codes
  - PN Codes
- Conclusion
---<Introduction>---------------------------------------------------------------
Ok, here we're going to have a look at the way data is encoded for transport
over multiple access schemes, specifically in the IS-95 CDMA system (Interface
Standard IS-95 Code Division Multiple Access). CDMA is a big/complex beast, and
I'm assuming you have a brain, plus some basic mathematical skills; of course, if
you had a brain, you'd be reading a book on this, not some half-assed text file.
Basically, there are three ways of separating signals: FDMA, TDMA and
CDMA (Frequency, Time and Code Division Multiple Access respectively). FDMA is
the simplest and generally not very good for large scale networks, so the two
main ones are TDMA and CDMA. CDMA is what is used by our good friends Telstra.
Debates over TDMA and CDMA can go on for hours; if you want more info on the
differences and advantages of each, google.com. I will say one thing though:
CDMA is generally a little more complex to implement than TDMA, but has the
advantage of being "smarter" or more efficient.
There are a few things you need to know before we get to the good stuff, so
we'll have a look at them first.
---<Multiple Access Basics>-----------------------------------------------------
The fundamental differences between FDMA, TDMA and CDMA come from the way
they make use of the available frequency spectrum. I will cover it lightly and
basically.
In FDMA each user is assigned a particular frequency band for transmission.
A segment of the frequency spectrum is divided into different channels. The
signals are put through a low pass filter, then modulated onto the assigned
carrier frequency of a particular channel. That is how the spectrum is shared:
by division of frequency.
In TDMA, each user is assigned a different time slot in which to transmit;
that is, the spectrum is shared by division in the time domain.
In CDMA, each user's narrowband signal is spread by a different wideband
code. Then, the wideband signals of the users are added together to form a
composite signal, and the composite signal is transmitted over the air in the
same frequency band. The wideband codes are orthogonal, and it is through these
that the receiver can find the wideband signal it wants from the mass of signals
in the composite signal (ie the codes are used to ditch all the crap not for
that receiver).
Here's a diagram (note the domain of TDMA)

 /|\\           _______          _______          _______
P |           /       \\        /       \\        /       \\
o |          /         \\      /         \\      /         \\
w |         /  User 1   \\    /  User 2   \\    /  User 3   \\
e |        /             \\  /             \\  /             \\
r |       /               \\/               \\/               \\
  |______________________________________________________________\\
              Carrier1         Carrier 2        Carrier 3 Freq   /
                               FDMA

 /|\\    ___________    ___________    ___________    ___________
P |    |           |  |           |  |           |  |           |
o |    |           |  |           |  |           |  |           |
w |    |  User 1   |  |  User 2   |  |  User 3   |  |  User 4   |
e |    |           |  |           |  |           |  |           |
r |    |           |  |           |  |           |  |           |
  |_______________________________________________________________\\
       |              |              |              |     Time    /
       T1             T2             T3             T4
                               TDMA

                  _____________________________
 /|\\             /_____________________________\\ <---- User N
  |             /                               \\
  |            /                .                \\
P |           /                 .                 \\     (and so on)
o |          /                  .                  \\
w |         /                   .                   \\
e |        /_________________________________________\\
r |       /___________________________________________\\ <--- User 2
  |      /_____________________________________________\\ <--- User 1
  |___________________________________________________________________\\
                                                             Freq     /
                               CDMA
Blah.
---<Interleaving>---------------------------------------------------------------
Interleaving is a technique for randomising the order of bits in a message/information
stream. It pops up in lots of different places, for example storing information
on CD and in, golly gosh, CDMA. Basically it adds an extra layer of strength to
bolster normal error correcting codes (and the digital world would not exist
without good error correction). No need to go into it too deep, so we'll just
look at an example.
We want to send the message
"Zero cool wants his gibson back soon"
We will put this in a 5x6 matrix:
z e r o c o
o l w a n t
s h i s g i
b s o n b a
c k s o o n
When the message is transmitted, it will be sent like this:
zosbc elhsk rwios oasno cngbo otian
That is, the message is written left to right, but transmitted in blocks from
top to bottom. Once received, it is then de-interleaved by reversing the process
above to get the original message. At a basic level this will help get the
message back to a recognisable form if there are excessive transmission errors.
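As an added example (not part of phunki's article), here is the block interleaver just described, its inverse, and a look at why it helps: a burst of consecutive errors on the air lands as one error per matrix row after de-interleaving. Function names and the burst-corruption helper are my own.

```python
# Added example (not from the article): the block interleaver described above,
# the matching de-interleaver, and what they do to a burst of channel errors.
# Spaces are dropped from the message, as in the article's 5x6 example.

def interleave(message: str, rows: int, cols: int) -> str:
    """Write `message` into a rows x cols matrix left to right, send it top to bottom."""
    text = message.replace(" ", "").lower()
    if len(text) != rows * cols:
        raise ValueError(f"message must fill the matrix exactly ({rows * cols} symbols)")
    matrix = [text[r * cols:(r + 1) * cols] for r in range(rows)]
    # Column by column, each column read from the top row down.
    return "".join(matrix[r][c] for c in range(cols) for r in range(rows))


def deinterleave(stream: str, rows: int, cols: int) -> str:
    """Reverse interleave(): the stream arrives as column blocks of `rows` symbols."""
    if len(stream) != rows * cols:
        raise ValueError(f"stream must hold exactly {rows * cols} symbols")
    columns = [stream[c * rows:(c + 1) * rows] for c in range(cols)]
    return "".join(columns[c][r] for r in range(rows) for c in range(cols))


def corrupt_burst(stream: str, start: int, length: int, marker: str = "?") -> str:
    """Constructed channel fault: `length` consecutive transmitted symbols are lost."""
    return stream[:start] + marker * length + stream[start + length:]


def errors_per_row(received: str, rows: int, cols: int, marker: str = "?") -> list:
    """After de-interleaving, how many corrupted symbols land in each matrix row."""
    plain = deinterleave(received, rows, cols)
    return [plain[r * cols:(r + 1) * cols].count(marker) for r in range(rows)]


MESSAGE = "Zero cool wants his gibson back soon"  # the article's example, 30 symbols

if __name__ == "__main__":
    sent = interleave(MESSAGE, 5, 6)
    print(" ".join(sent[i:i + 5] for i in range(0, 30, 5)))  # zosbc elhsk rwios oasno cngbo otian
    # A burst wiping out five consecutive transmitted symbols ...
    hit = corrupt_burst(sent, 0, 5)
    # ... is spread over five different rows, one error each, which a per-row
    # error correcting code can repair; without interleaving the same burst
    # would take out most of a single row.
    print(errors_per_row(hit, 5, 6))  # [1, 1, 1, 1, 1]
    print(deinterleave(hit, 5, 6))
```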
---<Orthogonality>--------------------------------------------------------------
This bit is important. Orthogonality is best described as a mathematical
property: two sequences are either orthogonal or not orthogonal. Briefly, two
real-valued functions x and y are said to be orthogonal if their cross
correlation (R) over T is zero, where R is the integral of the product x(t)y(t)
from 0 to T. The case we care about, where time is discrete, is when the cross
correlation (R) of x and y is 0, that is, the summation of the product x(i)y(i)
from i=1 to I is 0 (Rxy(0) = 0). Anyway, this is much easier to understand than
the lack of mathematical notation symbols in ascii would lead you to believe.
Let's have a look at an example:
x = [ -1 -1 1 1 ]
y = [ -1 1 1 -1 ]
These are orthogonal, why? Let's take a look.
R = xy = (-1)(-1) + (-1)(1) + (1)(1) + (1)(-1) = 0
          x1  y1     x2  y2    x3 y3    x4  y4
Pretty easy really.
Now, in a multiple access scheme, we require two additional properties. The
first is: each code in the set of orthogonal codes must have an equal number
of 1's and -1's. This gives the particular code its pseudorandom nature. Have a
look at x and y: they both have two 1's and two -1's.
The second (the third property overall) is that the dot product of each code
scaled by the order of the code must be equal to 1. This again is quite simple
to see in practice. Each item in the sequence is multiplied by itself and
summed, then divided by the number of items in the sequence (the order), which
needs to give a final answer of 1 to be of use. (Technically you don't multiply
each item in the sequence by itself, you multiply the sequence by itself, but
it's easier to understand this way).
To clarify, we'll take another look at our example x and y. Both have four
items, so are of the order 4:
(xx)/4 = [(-1)(-1) + (-1)(-1) + (1)(1) + (1)(1)]/4 = 4/4 = 1
(yy)/4 = [(-1)(-1) + (1)(1) + (1)(1) + (-1)(-1)]/4 = 4/4 = 1
w00t.
---<Asymmetry and Channelisation>-----------------------------------------------
Ok, one last thing before we get to the good stuff. CDMA is asymmetric, that is,
the forward and the reverse links have different link structures. The reason for
this is as follows: when a call is being set up, CDMA has the pilot and sync
channels to aid synchronisation for the forward link, but the reverse link does
not have these. Call set-up is a long topic in itself, perhaps it will be the
topic of a later file (and I can reveal my pilot flooding cell jamming tekneq,
heh). Anyway, for the forward link, Walsh codes are used, and for the reverse
link, pseudo-random noise codes are used (PN Codes).
---<The Codes !@#$>-------------------------------------------------------------
Werd, if you got through all that, you'll have no probs with this. First we'll
look at Walsh Codes.
---<Walsh Codes>----------------------------------------------------------------
So, from the diagram way above, you saw how all the CDMA traffic floods across
the frequency band. Walsh codes are used to identify the data for each
individual transmission; that is, they separate individual users while
they simultaneously occupy the same RF band. Walsh codes as used in IS-95 are
a set of 64 binary orthogonal sequences. So how are they generated? Recursive
use of the Hadamard matrix! Best explained by example, let's have a look. (Note
I will be using ! to imply the inverse, not as a boolean operator, wang.)
This is our matrix:
        __              __
       |                  |
       |    Hn      Hn    |
       |                  |
       |    Hn     !Hn    |
       |__              __|
As you can see, in the lower right hand corner, the inverse of the matrix is
present.
This is our seed matrix: (wang, it's too hard to draw ascii for every matrix,
deal with it)
    H2 =  0 0
          0 1
So our inverted matrix is this:
   !H2 =  1 1
          1 0
Now, we want to generate a set of 4 orthogonal Walsh sequences w0, w1, w2, and
w3, so we take our seed and put it in a Hadamard matrix of order 4:
                        0 0 0 0
    H4 =  H2   H2   =   0 1 0 1
          H2  !H2       0 0 1 1
                        0 1 1 0
Now, our four orthogonal sequences are taken as the rows of the matrix (look at
the columns too, spooky :)
w0 = [ 0 0 0 0 ]
w1 = [ 0 1 0 1 ]
w2 = [ 0 0 1 1 ]
w3 = [ 0 1 1 0 ]
Think back to when I talked about orthogonality. As they are, these codes do not
fit the required definition of orthogonality, but this is easily remedied by
substituting -1 in the place of 0. So our final codes are these:
w0 = [ -1 -1 -1 -1 ]
w1 = [ -1 1 -1 1 ]
w2 = [ -1 -1 1 1 ]
w3 = [ -1 1 1 -1 ]
A few things to note. w0 is all -1's and is not orthogonal. In IS-95 CDMA it is
not used to transmit any baseband information. Also, matrices of a higher order
can be generated recursively, by taking the inverse of a matrix and applying the
seed and its inverse back into the Hadamard matrix. The IS-95 forward link uses
a set of 64 orthogonal Walsh sequences, giving a physical limitation of 63
channels on the forward link (remember w0 is not used).
Just for fun, here are the orthogonal Walsh codes from H8.
w1 = [ -1 1 -1 1 -1 1 -1 1 ]
w2 = [ -1 -1 1 1 -1 -1 1 1 ]
w3 = [ -1 1 1 -1 -1 1 1 -1 ]
w4 = [ -1 -1 -1 -1 1 1 1 1 ]
w5 = [ -1 1 -1 1 1 -1 1 -1 ]
w6 = [ -1 -1 1 1 1 1 -1 -1 ]
w7 = [ -1 1 1 -1 1 -1 -1 1 ]
Ok, now we'll have a look at an example. We have three different users wanting
to send a separate message each, these are:
m1 = [ 1 -1 1 ]
m2 = [ 1 1 -1 ]
m3 = [ -1 1 1 ]
Each of the three users is assigned a walsh code:
w1 = [ -1 1 -1 1 ]
w2 = [ -1 -1 1 1 ]
w3 = [ -1 1 1 -1 ]
Each message is spread by its walsh code. The chip rate of the walsh code is
four times the bit rate of the message, contributing to a processing gain of 4.
So, we want m1 x w1 (mNwN). Here we go:
  m1   |  1           -1            1
  m1   |  1  1  1  1  -1 -1 -1 -1   1  1  1  1
  w1   | -1  1 -1  1  -1  1 -1  1  -1  1 -1  1
  m1w1 | -1  1 -1  1   1 -1  1 -1  -1  1 -1  1
m1w1 is the spread spectrum signal of the first message. Now for message 2:
  m2   |  1            1           -1
  m2   |  1  1  1  1   1  1  1  1  -1 -1 -1 -1
  w2   | -1 -1  1  1  -1 -1  1  1  -1 -1  1  1
  m2w2 | -1 -1  1  1  -1 -1  1  1   1  1 -1 -1
For message 3:
  m3   | -1            1            1
  m3   | -1 -1 -1 -1   1  1  1  1   1  1  1  1
  w3   | -1  1  1 -1  -1  1  1 -1  -1  1  1 -1
  m3w3 |  1 -1 -1  1  -1  1  1 -1  -1  1  1 -1
Now we need to merge these into one to create our composite (C) signal for
transmission. This is:
C = m1w1 + m2w2 + m3w3
C = -1 -1 -1 3 -1 -1 3 -1 -1 3 -1 -1
And bang, away it goes. If nothing goes wrong during transmission, the receiver
intercepts C and, to separate the original messages, multiplies C
by the assigned Walsh code for each message. Eg for m1 (using w1):
  w1   | -1  1 -1  1  -1  1 -1  1  -1  1 -1  1
  C    | -1 -1 -1  3  -1 -1  3 -1  -1  3 -1 -1
  Cw1  |  1 -1  1  3   1 -1 -3 -1   1  3  1 -1
etc for w2 and w3:
  Cw2  |  1  1 -1  3   1  1  3 -1   1 -3 -1 -1
  Cw3  |  1 -1 -1 -3   1 -1  3  1   1  3 -1  1
Now the receiver adds up (actually it's integration) all the values over each
bit period to give M1, M2 and M3 respectively.
  Cw1  |  1 -1  1  3   1 -1 -3 -1   1  3  1 -1
  M1   |  4           -4            4
  Cw2  |  1  1 -1  3   1  1  3 -1   1 -3 -1 -1
  M2   |  4            4           -4
  Cw3  |  1 -1 -1 -3   1 -1  3  1   1  3 -1  1
  M3   | -4            4            4
This is then passed through a "decision threshold" to determine the original
message, which looks something like this:
if M > 0 then mr = 1
if M < 0 then mr = -1
By applying this (the r is for received) we get:
mr1 = [ 1 -1 1 ]
mr2 = [ 1 1 -1 ]
mr3 = [ -1 1 1 ]
Which, if you care to check, is our original message. Ownage
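As an added example (not from phunki's article), the Hadamard recursion, the three code-set properties from the orthogonality section, and the spread / composite / despread walk-through above, all in one place. The function names are my own; the -1/+1 form is built directly, since the article's 0/1 matrix with !Hn is the same thing with 0 -> -1 and !Hn -> -Hn.

```python
# Added example (not from the article): Walsh codes by the Hadamard recursion,
# a check of the orthogonality / balance / self-correlation properties, and the
# three-user spreading example worked above.

def hadamard(order: int) -> list:
    """Rows of the Hadamard matrix of the given order (a power of two >= 2).

    Seed H2 = [[-1, -1], [-1, 1]]; each step forms [[H, H], [H, -H]],
    where -H is the article's !Hn in -1/+1 form.
    """
    if order < 2 or order & (order - 1):
        raise ValueError("order must be a power of two, 2 or greater")
    h = [[-1, -1], [-1, 1]]
    while len(h) < order:
        h = [row + row for row in h] + [row + [-v for v in row] for row in h]
    return h


def walsh_codes(order: int) -> list:
    """w0 .. w(order-1) are the rows of the Hadamard matrix of that order."""
    return hadamard(order)


def cross_correlation(x: list, y: list) -> int:
    """Rxy(0): the sum of x(i)y(i). Zero means x and y are orthogonal."""
    return sum(a * b for a, b in zip(x, y))


def is_valid_code_set(codes: list) -> bool:
    """The properties the text asks of a multiple-access code set: pairwise
    orthogonal, balanced (equal numbers of 1 and -1, w0 excepted), and self
    cross-correlation divided by the order equal to 1."""
    order = len(codes[0])
    for i, c in enumerate(codes):
        if cross_correlation(c, c) / order != 1:
            return False
        if i > 0 and c.count(1) != c.count(-1):
            return False
        if any(cross_correlation(c, d) != 0 for d in codes[i + 1:]):
            return False
    return True


def spread(message: list, code: list) -> list:
    """mNwN: each message bit is held for one code period and multiplied chip by chip."""
    return [bit * chip for bit in message for chip in code]


def composite(signals: list) -> list:
    """C = m1w1 + m2w2 + ...: the chip-by-chip sum that actually goes over the air."""
    return [sum(chips) for chips in zip(*signals)]


def despread(c: list, code: list) -> list:
    """Multiply C by the code, integrate over each bit period, apply the decision threshold."""
    order = len(code)
    if len(c) % order:
        raise ValueError("composite length is not a whole number of bit periods")
    received = []
    for k in range(0, len(c), order):
        total = sum(chip * code[i] for i, chip in enumerate(c[k:k + order]))
        received.append(1 if total > 0 else -1)
    return received


def demo() -> tuple:
    """Runs the article's three-user example; returns (C, recovered messages)."""
    w = walsh_codes(4)
    messages = [[1, -1, 1], [1, 1, -1], [-1, 1, 1]]
    c = composite([spread(m, w[n]) for n, m in zip((1, 2, 3), messages)])
    return c, [despread(c, w[n]) for n in (1, 2, 3)]


if __name__ == "__main__":
    for n, code in enumerate(walsh_codes(8)):
        print(f"w{n} = {code}")
    print("64 IS-95 codes valid:", is_valid_code_set(walsh_codes(64)))
    c, recovered = demo()
    print("C =", c)  # [-1, -1, -1, 3, -1, -1, 3, -1, -1, 3, -1, -1]
    print("recovered:", recovered)
```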
EDITOR NOTE: This article is still incomplete. It will be finalised in issue 8
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] Bash Scripting .....................[ lymco ]...................
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
For those of you who are interested in scripting for your unix box, there is
nothing simpler than Bash. It is similar to MS-DOS batch scripting; however,
the UNIX version is much more powerful. In a nutshell, a script contains a list
of UNIX commands and executes them one by one. However, it also features core
language functions, such as 'if then else', loops, and what have you.
You may think, "What is the point in bash scripting, if I can do the same in
languages like C and Perl?". It is EXTREMELY easy to whip up a quick,
yet effective script in a few lines, which may take in excess of 20-30 lines
of C code.
Now that you have a little clue on what it is, let's get down to writing
some scripts. For newbies, open a text editor. I prefer jed, since it uses
colour highlighting for certain language syntax (it supports .sh). If you can't
be bothered getting it from linuxberg or freshmeat, then I guess you will have
to live with vi(m) (which also supports syntax highlighting) or pico.
From here, the first line should contain the following:
#!/bin/sh
It is not required, but it is good for when we get back to the command line
and we want to execute the program. All it does is specify the language
interpreter. You would have seen this in TCL, Perl, etc.
Now lets try the echo command:
echo "What's better than winning a gold medal in the paralympics?"
echo "> 'What?'"
echo ".. not being disabled."
echo "> h0h0"
--
As you can see, it is exactly the same as at the command prompt.
So the above script would be something like:
#!/bin/sh
echo "What's better than winning a gold medal in the paralympics?"
echo "> 'What?'"
echo ".. not being disabled."
echo "> h0h0"
--
From here, save it with a .sh extension, make it executable (+x), and run it
via ./name.sh. When I run it I get the following output:
[lymco@preceptor articles]
$> ./test.sh
What's better than winning a gold medal in the paralympics?
> 'What?'
.. not being disabled.
> h0h0
--
Comments (like you may have seen with TCL and Perl once again) are lines
which begin with #; they are ignored by the interpreter. The first line,
which contains #! as the first two chars, is not ignored, probably due to the
'!' char. Nothing to go grey over though, so let's move on.
--
Variables are extremely easy to work with here. To set a variable, it is as
simple as varname="werd up"; note there are no white spaces around the '='
sign. When we are not defining the variable, we include a dollar ($) sign in
front of it. For example, if we were now to echo the variable "varname" to the
screen, we would use the following:
#!/bin/sh
# this defines the variable
varname="werd up"
# this echos the content of varname to the screen
echo $varname
# single quotes stop the shell expanding $varname, so the name itself is printed
echo 'The content of $varname is' "$varname"
--
save, chmod +x, run it:
[lymco@preceptor articles]
$> ./werd.sh
werd up
The content of $varname is werd up
--
To capture user input, we simply use the read command. Its argument is simply
the variable name we want to assign the input text to.
#!/bin/sh
echo -n "Enter your name: "
read name
echo "Hello $name, hope you have a nice day."
--
save, chmod +x, run it:
[lymco@preceptor articles]
$> ./read.sh
Enter your name: Matthew Jones
Hello Matthew Jones, hope you have a nice day.
--
The -n flag in the echo command stops echo from creating a new line
afterwards. So it just stops at 'Enter your name: ', and you input your text
on that line, instead of a new line. View the man page for echo for more
options.
--
if/then/else/elif statements are easy, yet can really lighten up a program.
Try this pointless script:
#!/bin/sh
# This is a pointless script, that gets the output of a 'uname' command.
ssystem=`uname`
# quoting "$ssystem" keeps test working even if the value is empty or has spaces
if test "$ssystem" = "Linux"; then
    echo "You are using Linux"
else
    echo "You are not using Linux,"
    echo "You are using $ssystem"
    # I realise I could just do echo "You are using $ssystem"
fi
--
Hopefully, you noticed the ` characters, and didn't mistake them for " or '.
These specify the output of the command inside the quotes. For example,
if we were to put var="uname" or var='uname', that would simply return the
text, which is not what we want. By the way, if you are using jed and hit the
` character, you have to press it twice for it to be output to the buffer.
'test' is the shell's Boolean check. Following that, we have the variable
(with the $ sign before it), the equals sign (note the white space on either
side), followed by the matching string, "Linux". If the test returns true,
then it displays "You are using Linux", else "You are not using Linux".
'fi' is 'if' backwards, or short for 'finish'. If you are experienced with
C, Perl, Javascript, PHP, whatever: remember that 'then' is like "{", and
'fi' is like "}".
It does not only support equals; it also supports not equals, greater than,
less than, greater than or equals, and less than or equals. These are !=, >,
<, <=, and >= respectively.
--
Global arguments are pre-defined variables. The most commonly used ones in
programming are the argument related ones. These are $0, which returns the
script name; $1 is the first argument, $2 the second, and so on. $# returns
the number of arguments passed, and $* returns a string of all passed
arguments.
#!/bin/sh
if test "$#" = "0"; then
    echo "Please specify 1 or more arguments"
elif test "$#" = "1"; then
    echo "You specified one argument: $1"
else
    echo "You specified $# arguments, these were:"
    echo "$*"
fi
--
Other variables include: $HOME, $PATH, and $USER. Remember that these use
all capital letters. Test them out with the echo command.
--
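As an added example (not from lymco's article), here is the one thing that bites
people with the 'test' lines above: an unquoted variable is split on whitespace
before 'test' sees it, and "$@" keeps each argument whole where $* does not. The
function names are my own.

```sh
#!/bin/sh
# Added example, not from the article: quoting inside 'test', and "$@" versus $*.

# Prints how many arguments it was given (the article's $#).
count_args() {
    echo "$#"
}

# Re-passes its arguments with "$@": each original argument survives intact,
# even one containing spaces such as "Matthew Jones".
forward_quoted() {
    count_args "$@"
}

# Re-passes its arguments with a bare $*: the shell re-splits the joined
# string on whitespace, so "Matthew Jones" arrives as two arguments.
forward_unquoted() {
    count_args $*
}

# Returns 0 (true) when $1 is "Linux", 1 (false) otherwise. With "$1" quoted,
# 'test' still gets three words when $1 is empty. The unquoted form
# test $ssystem = "Linux" would collapse to 'test = Linux' and report a
# syntax error instead of a clean false.
is_linux() {
    test "$1" = "Linux"
}

# Demonstration when run directly:
forward_quoted "Matthew Jones" werd      # prints 2
forward_unquoted "Matthew Jones" werd    # prints 3
if is_linux "$(uname)"; then
    echo "You are using Linux"
else
    echo "You are using $(uname)"
fi
```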
There are multiple methods for looping in bash scripting; let's step through
each one.
for example:
# This script simply cycles through every argument.
for x in 198.142.79.69 203.59.0.69 203.59.55.69
do
echo Now hax0ring $x..
done
--
while example:
total=0
echo "Trying to find the number 5"
while test "$total" != 5
do
    echo "Trying $total.. unsuccessful."
    total=$(($total+1))
done
echo "Found 5!"
--
The above script 1) sets total to 0, 2) starts a while loop which, if total
does not equal 5, begins/continues, and 3) increments $total by 1, then
repeats until $total equals 5. $(($total+1)) is the increment line. Try the
expr command (like TCL): variable=$(expr 1 + 2). Since it's such an easy
function I won't document it too much. You can test it out.
--
until:
# This is an example from Beginning Linux Programming
until who | grep "$1" > /dev/null
do
    sleep 60
done
# now ring the bell and announce the expected user.
echo -e \\\\a
echo "**** $1 has just logged in ****"
exit 0
--
All the above does is sleep for 60 seconds if the output of who does not contain
the argument you specified. If it does, however, it rings the bell and
displays that message.
--
Functions are useful for dividing your code into sections.
Example 1:
functioname() {
    echo "This is inside a function"
}
echo "Starting script."
echo "Calling function functioname()"
functioname
echo "End."
exit 0
--
Example 2:
#!/bin/sh
male_function() {
    echo "User is male"
    # Do more stuff
}
female_function() {
    echo "User is female"
    # Do more stuff
}
echo "Are you male or female?"
read sex
# Quote $sex so an empty answer doesn't break the test.
if test "$sex" = "male"; then
    male_function
elif test "$sex" = "female"; then
    female_function
else
    echo "Not recognised. Input 'male' or 'female' next time."
fi
--
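As an added example (not lymco's code), here are the pieces above put together: $# and "$@" argument handling, a function with an exit status, test comparisons, for loops and $((...)) arithmetic. It checks that each argument actually looks like a dotted-quad IPv4 address before acting on it, rather than trusting $* as the earlier for loop does. The helper names is_ipv4 and count_valid are made up for this example.

```sh
#!/bin/sh
# Added example: validate each argument as a dotted-quad IPv4 address
# before using it, instead of trusting $* blindly. Helper names
# (is_ipv4, count_valid) are invented for this example.

# is_ipv4 ADDR -> exit status 0 if ADDR is four dot-separated numbers 0-255
is_ipv4() {
    # Reject empty strings, anything other than digits and dots, and
    # leading, trailing or doubled dots before splitting on the dots.
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split on '.' by temporarily making it the field separator;
    # afterwards $1..$4 are the octets and $# is their count.
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    test "$#" -eq 4 || return 1
    for octet in "$@"; do
        test "$octet" -le 255 || return 1
    done
    return 0
}

# count_valid ARG... -> prints "<valid> of <total>" for the arguments given
count_valid() {
    total=0
    valid=0
    for x in "$@"; do
        total=$(($total + 1))
        if is_ipv4 "$x"; then
            valid=$(($valid + 1))
        else
            echo "Skipping '$x': not an IPv4 address" >&2
        fi
    done
    echo "$valid of $total"
}

# Run on the script's own arguments when executed directly.
if test "$#" -eq 0; then
    echo "Please specify 1 or more addresses" >&2
else
    count_valid "$@"
fi
```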
Okay, well you get the picture of how bash scripting works now, right?
Bash scripting is so useful, because you can do such an immense range of
things. For example, in my .bash_profile, I have an option to view
PortSentry logs, and then after they are displayed, you have an option to
print them out, clear them, or back them up. When my system boots, it
calls a script to tail -f /var/log/messages and /var/log/secure and then
load an infobot, which all get displayed to TTY8 9 and 10 respectively. My
.bash_logout has an option to back up certain working documents, etc.
Anyway, I can't be bothered with any more and sleep is calling me. I hope
you picked up the basics without any troubles. If you are eager to
learn more, download some bookwares or buy a book.
--
lymco
http://dev.spanner.net
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] More Ericsson Fun .....................[ analog ]...............
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
An expansion on Pottsy's article 'Ericsson GH337' which appeared in Infosurge
6.
If, like me, you own an Ericsson mobile of some description, one of the first
things you did upon reading Infosurge 6 was whip it out and try the codes
and menu functions you read about. This article basically gives a summary of
how well this stuff works on a more modern phone (I own an A1018s), a new
secret menu for you to play with, and other misc. crap...
--PIN CODE--
When entering your PIN code into an A1018s, the phone will only accept 8
characters. This means that the GH337/8 trick of bypassing the pin-code by
hammering in **04*0000*0000*0000# won't work. This would probably be the
same for all recent Ericssons (those with multi-line graphical screens for
sure), so you can stop eyeing off innocent (and not so innocent) people's
mobiles while dreaming of the havoc you could create.
--SECRET MENU v.1.--
OK, this is the same menu detailed in infosurge 6, using the following key:
< - Left arrow
> - Right arrow
* - * (duh.)
(key lifted from Pottsy's article.)
you enter >*<<*<* into your phone from the home screen which will give you
some alpha-numeric codes (software release info apparently). An A1018 (and
probably the T10/T18) won't give you the funky FLASH and INIT EEPROM options
of the 337, you just get one option: 'n-row texts?' (Use the arrow keys to
scroll to it from the software release info) This works the same way as the
337's TEXT CHECK and basically allows you to look at all the various bits of
text your phone displays. Interestingly, among the various pieces of text my
A1018 has are 'Active Flip' and 'Voice Dial Error - SIM Changed!' (and a
plethora of other voice dial related crap) when the A1018 has neither of these
features. The only reason I can think of for this is that the A1018, T10 and
T18 all have the same software built in, with various features activated or
deactivated (makes you wonder about reactivating them all, eh? btw, the T28
and R* series with their different screen type would almost certainly have
their own separate software). While flipping through all this text, you can skip
forward 10 spaces by pressing any of the numbers or the * and # keys. On a
final note, when trying this you may find that the secret menu comes up only
momentarily before dumping you into the phone book. The solution for this
is to pause briefly before keying in the final *.
--SECRET MENU v.2.--
I basically fell ass-backwards into this one when I stuffed up trying out
the first secret menu. I think (98% certainty) that this menu controls the
phone's 'SIM Security' and it appears on the A1018, T10, almost certainly the
T18 and possibly others. For those of you who don't know what it is, SIM
Security is the feature that allows telcos (i.e. Telstra, Optus etc.) to lock a
mobile phone so that it only works on their network. This basically allows them
to sell the phone to you for a lot less than what it would normally cost since
they're now the only ones who can make any money from it. If you want them to
unlock the phone, you have to pay up the remainder of the phone's cost plus a
bit extra (for their trouble...) whereupon they'll fuck with it for all of
three seconds, leaving you free to subscribe to any network you please. After
two or so years when the phone's worth crap, you can have the SIM security
unlocked far more cheaply. To get into the SIM security control menu, type in
<**< from the home screen. The SIM Control menu has four possible options, of
which only two are displayed at any given time depending on what SIM Security
options are in place. These options are:
Lock to Network?
Unlock Network?
Lock to Network subset?
Unlock Network subset?
You will only ever see one of the first two options ('Lock to Network?'/'Unlock
Network?') depending on whether or not your phone is locked to a network plus
one of the last two ('Lock to Network subset?'/'Unlock Network subset?')
depending on whether or not your phone is locked to a Network subset.
Obviously, you're going to get the two options that reverse those already in
place. My phone is locked to a Network but not to a subset so I get the
'Unlock Network?' and 'Lock to Network subset?' options. I'm not sure what
they mean by a 'Network subset' but I assume that it is either geographical
(Your phone only works, say, in NSW) or technical (Your normally dual-band
phone is confined to only use the GSM900 network.) Either way, I don't think
it's ever used. Selecting 'Lock to Network' or 'Unlock Network' - whichever
you have - will give you the same screen:
05attempts
Enter NCK
The NCK (Network Code? Key) is a 4-8 digit numerical key which can also
include # but not * (dunno why). If you enter less than 4 characters, the phone
will just beep when you hit 'YES'. If you enter 4 or more random characters
which turn out to be incorrect, the phone will say 'Wrong NCK' and take you
back to the home screen. Flicking back to the '(Un)Lock Network' screen, you
will find that you now have only 4 attempts remaining. THERE IS NO WAY TO GET
YOUR 5 ATTEMPTS BACK! Once you've blown an attempt it's gone forever. They are
not kept track of on the SIM card, turning off the phone and removing the
battery won't get them back, and neither will the phone's 'Master Reset' which
doesn't do much of anything anyway. If you're doing this on an older phone
which has the FLASH or INIT EEPROM options under the first secret menu, you
could see if these do the trick. The only other thing I can think of is
leaving your phone without its battery for an extended period to bleed the
internal backup battery (if one exists) dry, but chances are that the number
of failed attempts is stored on a non-volatile EEPROM and you'll probably need
your phone too much to leave it unused for the required period of time.
The second option will be either 'Lock to Network subset?' or 'Unlock Network
subset?'. Like I said, I don't think that this is ever used so you will most
likely see 'Lock to Network subset?'. Selecting either will give you a screen
similar to the one before:
05attempts (why they leave the space out I don't know)
Enter NSCK
where the NSCK (Network Subset? Code? Key) is another 4-8 digit key. The same
bullshit concerning the number of attempts obviously applies here too so be
careful.
You may be wondering what happens when you use up all five of your attempts at
cracking the NCK/NSCK. Good question, I haven't gone that far. What I would
guess is that those menu options would no longer be available to you and
you'd have to take the phone back to the shop for them to put right using a
special code rather like when you forget your PIN - though you'd have a harder
time explaining this one to 'em.
As far as I can tell, the NCK/NSCKs are stored within the EEPROM of the phone
itself. When trying to lock the phone to a Network or Network subset you
cannot make up your own NCK/NSCK like you can when putting a PIN code lock on your
phone. As an experiment, I removed my phone's SIM card and antenna and
entered a random NCK. Instead of the 'Network Error' or 'Unable to Validate'
message I was hoping for I got 'Wrong NCK' and lost an attempt. This result
is what leads me to believe that the valid NCK/NSCKs are stored on EEPROM. Of
course, if you are so inclined, and have the skills and equipment, you could
investigate further. By attaching an oscilloscope or DMM to the electrodes of
the SIM card reader, you could monitor its activity as you enter a random
NCK/NSCK and see whether or not the phone checks the SIM card for the valid
code. Unless you have no objection to possibly stuffing your phone for
good, I recommend you don't attempt this unless you're certain of what you're
doing. Similarly, you could use a Signal Strength Meter or something to
monitor radio traffic to and from your phone and see whether or not it queries
the network for the appropriate info. (The immediacy between entering an
invalid NCK/NSCK and being told to fuck off kind of rules this one out
though.) I'm too poor to buy this equipment, and can't get a hold of it
through other means ("Hey kid! That's an oscilloscope under your jacket!") so
I can't try this out. Take note of the fact that the "Lock to Network Subset"
option is unavailable unless a SIM card is inserted.
While the phone's normal menu system refuses to work when no SIM card is
inserted, both secret menus are available (with the previous exception).
If you know someone cool who works at a mobile phone dealership, you could
probably get these codes in which case I (and everyone else) wouldn't mind
knowing them.
--FINDING YOUR OWN 3l33t SECRET ERICSSON HAX0RING MENUS--
While the above two are the only secret Ericsson menus I know how to access,
chances are there are more. Finding them is a two step process:
1) Making sure there's something to find:
This is the easiest part. Using the first secret menu, you scroll through all
of your phone's text looking for anything that could be part of another secret
menu. This will be anything you haven't seen before that doesn't sound like a
standard feature of the phone. Interesting bits of text in my phone include:
Cell info
Bopomofo (What the fuck?)
Unlock SP?
Lock to SP?
Enter SPCK (Seems we've found a whole new menu here...)
SP LOCKED
SP UNLOCKED
+NOTE: The SP in those last five pieces of text may stand for Service
Provider, in which case this may be the SIM Security control menu and
everything I wrote about secret menu no. 2 is bullshit. However, I
doubt it. Ericsson's documentation only rarely uses the term 'Service
Provider' whereas the term 'Network' is common. (Check out the
non-secret 'Network' menu if you don't believe me.) What this menu may
do is lock the phone to a Service Provider on a shared network. (Many
smaller mobile companies rent air-time off the big guys' networks...)
So now you've found some interesting text which seems to be a secret menu. The
first thing you want to do is make sure you're not wasting your time. Do this
by combing the standard menus and documentation to make sure your 'secret' text
is indeed secret. Once you know you've got something good, it's time for:
2) Finding out how to get at the bastard.
While not exactly hard, this is no doubt the most tedious part and where
you'll most likely give up. If you haven't already guessed, your task is to -
through trial and error - work out the key combination which drops you into
your newfound menu. Both of the secret menus explained in this article require
some combination of the arrow and * keys so I'd stick to those. Another
similarity is that in both cases, you end up in the phone book just before
getting your secret menu but this might just be coincidence. Unless you have
a very high boredom threshold, I wouldn't recommend you sit down for a good
hour or so of typing random crap into your phone because you'll end up driving
yourself insane. Just try out a few random combinations next time you're
waiting for a bus or something equally boring. Oh, and make sure you keep
track of what you're typing in; nothing would suck more than finding a really
cool secret menu only to forget how you got to it.
--FURTHER INFO--
The best place to find out more about this kind of stuff would be the
programming/technical manual that Ericsson no doubt publishes. They're almost
certainly not available to the public (I couldn't find any references to them
on Ericsson's web site) but who knows? If you do have a cool friend who works
at a mobile phone dealership, ask for a copy while getting the NCK/NSCK.
Another possibility for the lucky is finding a discarded copy in the rubbish
of your local Telstra Shop/Optus World/whatever. Actually, the likelihood of
the latter is set to go up (from like 0.01% to 0.015%) with Ericsson rolling
out its new product line to replace the current one. First to go seems to be
the A1018s which looks set for replacement by the A2618. Even if you don't get
the manual, I gather that there's loads of useful info to be found in the bins
of these places so check them out.
--IN CLOSING--
Remember that a lot of what I've said here is based on inference and theory so
don't blindly accept it as fact. If you have other ideas, or better still hard
facts, I (and everybody else I'm sure) wouldn't mind hearing of it -
particularly if you have those damn codes. As you can no doubt tell, this
article isn't intended as a complete, definitive guide to Ericsson's secret
menus, but rather an attempt to give you some useful ideas and get you
thinking.
Anyway, as what I intended to be a short article has grown to over 200 lines,
now would be a good time for me to shut up. If you have any questions or
comments about this article, feel free to contact me at analog@start.com.au
Make yourself heard. ((TM) Ericsson)
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] Midget Monkey Knife Fighting ....................[ Fleabag ]....
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
Midget Monkey Knife Fighting
****************************
We've all wanted to see this. I mean, c'mon, what's more exciting than a
little person attacking a trained monkey with a knife? Nothing. It was just a
matter of time till someone like myself did this. I have a deep resentment of
midgets. They get more sex than I do, what foxy lady hasn't thought about
having sex with a 3 ft man? As for monkeys, I just like them, I think a
properly trained monkey could be a savage machine of death. Don't let the fact
they lack thumbs give you the misconception they can't wield a sharp blade.
Monkeys will be trained, dwarfs will be kidnapped and forced to fight to the
death, bets will be made, and I will be rich.
Basic Rules :
*************
It's a fight to the death, something 3 ft high is getting put in a garbage bag
and stuffed into an old lady's recycling bin. Not that I think they recycle
dead midgets or monkeys, which brings me to question, why not? That's for
another article.
Both parties will be given a knife of their choice. I'm guessing that due to
the fact midgets have tiny useless hands they'd choose a small knife, as for
the monkeys, it'll depend on the training they've received.
Once inside the 'Circle Of Death' (TM), the bloodshed will start, this won't
be for the light-hearted, there's no time-outs now. It's kill, or be killed.
Just the way it should be.
No one, not even myself, has the power to stop a match. Not the midget's family,
nor the monkey's trainer. Something must die. Slowly and painfully.
***************
In closing, I believe it's just a matter of time before this exciting new
sport becomes Australia's favorite pastime. What better way to show that
special girl you like her, than taking her to watch a primate stick a knife
into a deformed person's eye? Having trouble getting the kids to eat their
dinner? "If you eat everything on your plate, I'll take you kids to watch
Midget Monkey Knife Fighting..."
I want this sport. You want this sport. Australia wants this sport, and god
damn it, we deserve it. Please, do what you can to help the cause, donate
money, train a monkey to kill, lock a midget in your basement, feeding him
scraps of food from the garbage, beat him, make him angry. I mean, c'mon,
what's funnier than a pissed off midget?
Fleabag.
************************
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] Outro...........................................................
-[ \\\\\\\\\\ ]-----------------------------------------------------------------
we will leave you now with bsdave's very own zeroday stollie exploit. Have
fun kiddiez.
#!/usr/bin/perl
#hi dave :-)
visit("bluelight");
foreach (@chicks) {
until (drunk) {
stollie;
}
sex;
boast;
}
ps: mad propz to "k" for his asKi tekneeq.
. eof .