Cellular Phone Hacking and Phreaking

AMPS/DAMPS, ETACS, GSM, CDMA, NMT-450, NMT-900, MPT-1327, etc.


Cellular Phone Authentication FAQ

> Very interesting! I haven't heard anything about ORYX... 
> Was it already implemented in any cellular network? 
> For which cellular system was it originally intended (IS-54, IS-136, 
> CDMA, GSM ?) 

So far as I know, it hasn't been implemented anywhere yet. I don't 
know what it was intended for -- it was described in the Common Cryptographic 
Algorithms specification (which describes crypto-primitives which are 
common to many or all of the North American cellular standards). 
It definitely wasn't intended for GSM -- this was by the North American 
standards body (TIA/CTIA/etc.), which has nothing to do with GSM. 

> I mean how many values of A-key exist for any given RANDU/AUTHU pair? 

Well, the A-key is 64 bits, so there are 2^64 possible A-key values. 

(The A-key checksum is only for use when typing in the A-key by hand 
on the keypad of the cellular handset; it adds a few additional digits. 
Those additional checksum digits are then securely erased after entry 
of the A-key. Typically the A-key should be entered before the customer 
even sees the cellphone, or entered once by the customer when they start 
service. The A-key checksum is merely intended to detect typing errors, 
from what I can tell.) 

Therefore, I don't think the A-key checksum will help in determining 
the A-key. 

Now if you have a RAND/AUTHU pair, I believe the AUTHU value is 18 bits 
long, so in theory this means that we can eliminate all but 1 out of 
every 2^18 possibilities for the A-key. In other words, 2^{64-18} = 2^46 
possibilities will remain. With two RAND/AUTHU pairs, 2^28 possibilities 
will remain, etc. With four RAND/AUTHU pairs, the A-key will (theoretically) 
be determined uniquely. 

However, even though the A-key will be determined uniquely, actually 
finding that unique value is very difficult -- it requires much computation. 
The most straightforward approach, brute force exhaustive key search, 
would require 2^64 computations, which is probably too much to be feasible 

> Perhaps if we know both RANDU and AUTHU as a shortcut, and 
> we could use the A-key checksum as another shortcut, it would 
> take less than 100 hours of Pentium 200 to calculate all the possible 
> (not 2^64, probably 2^8 or less) values of A-key. That's what I want 
> to know. However, I'm not an expert in crypto, unfortunately :) 

Well, that's the $64,000 question. I'm not aware of any shortcuts which 
let you recover the A-key quickly given a few known RANDU/AUTHU values. 
There are a number of cryptographers who have looked for such a shortcut; 
it's not known whether one exists. This is the subject of active research. 

I can say that CAVE appears to be cryptographically more secure than 
any of the other cryptographic primitives used in the North American 
cellphones. (That shouldn't be too surprising, since the industry 
has a lot of money riding on the security of CAVE.) 

> I understand that the CAVE is factory built-in in all newer AMPS/DAMPS 
> cellular phones. Upon reception of RANDU (24 bit argument) it calculates 
> AUTHU (18 bit function) according to one-way hash CAVE algorithm using 
> additional arguments MIN1 (24 bit), MIN2 (8 bit), ESN (32 bit) and SSD-A 
> (64 bit). 


I do know this. Suppose we could get the full output (all 16 bytes) of 
CAVE after hashing MIN1,MIN2,ESN,SSD-A, instead of just 18 bits (AUTHU) 
selected from the output. Then there is a partial shortcut which lets 
you reduce the amount of work required from 2^64 to 2^56. That would 
mean that one could recover an SSD-A-key in about the same amount of time 
that it took to break DES recently. 

> I'm interested in the reverse process: knowing RANDU, AUTHU, MIN1, MIN2 
> and ESN can anybody write a PC program to calculate all the values of 
> A-key (how many such values do exist and how long will it take to 
> calculate all of them with Pentium 200?). What if we know SSD-A as well? 

SSD-A is generated (if I remember correctly) as the output of CAVE 
applied to some different inputs, including the A-key. So it seems 
that if you could find a shortcut to quickly recover SSD-A knowing 
just RANDU,AUTHU,MIN1,MIN2,ESN... then the same shortcut might very 
well also let you recover the A-key konwing SSD-A,MIN1,MIN2,ESN.




A-Key Calculator (Win32) program for cellular industry

Description: this is an indispensable tool for cellular industry staff including technicians and security managers, as well as cellular shops and dealers. Now generating a valid A-Key with 6-digit checksum can be done on the spot, provided you know the phone's ESN number. This is sometimes required for testing the phone's A-Key entry function as well as for the phone's activation. It used to be possible to obtain a valid A-Key with cheksum only from the cellular operator itself, now everyone can easily generate the secret checksum value, enter those magic numbers into the phone just using the phone's own keypad and see how the phone is accepting the new A-Key by displaying "VALID". The A-Key Calculator program is not free, a single computer license costs US$49.00. The evaluation period is 30 days.

Some interesting links:

New servicing software for CDMA phones
(reading and writing ESN, MIN, SCM, A-Key, SSD, reading the SPC code, removing the operator's binding, installing the new PRL list, reprogramming the American operator subsidized phones to work in any CDMA network, calculating the ESN checksum, etc.)
AMPS/DAMPS IS-54b Cellular Protocol
(the new TIA/EIA-627 version)
The Source of Standards and Technical Papers for Cellular Industry
(IS-54b, IS-136, IS-95, IS-88, IS-41, TSB-51 and many more)
Obtaining a Copy of CAVE Algorithm is not Easy
Call Processing Software
(CDMA, IS-136)
INfusion IS-41C Authentication Center
Cellular Authentication as seen by NACN
Cracking CDMA and TDMA Algorithms
GSM Technical Specifications List
GSM Security and Encryption
GSM Security Questions
Overview Of GSM
GSM Encryption Algorithm A5
The Source Code of A5 Algorithm
GSM Encryption Algorithms A3 & A8
Very good overview of smartcards
The mobile phone meets the Internet
ESN Manufacturer's Code Assignment - AMPS/DAMPS
ESN Readers For Cellular Industry
Intercepting GSM Phone Traffic by Professionals
Cellular Phone Fraud Countermeasures (Corsair)
This was written 13 years ago! - AMPS/ETACS/NMT
Wireless Cloning (answersleuth.com)
The Case of Bowitz
Cellular Phreaking
British H.P.A.
Cellular Resources
Realm by SorcereR
Hacking the Ericsson 688 (GSM)
GSM Phone Secret Codes
Fraud & Con Schemes
CTIA Against Fraudulent Cloning
Cellular Telephone FraudVirus in Cellular Phone - Is It Possible?
Yet Another Hacker!
General HPA Archive by Stoned Spirit
AMPS/DAMPS/IS-54b/IS-136 Roaming in Russia/CIS
Radio Communication Products and Services - Buy & Sell Forum (mainly in Russian)
Cellular Phone Secrets Forum (with Search Function!
CDMA Software Discussion Board (recommended)
BEPCTAK (Russian hacking site)


Inquiry Form

Please describe here what you are looking for (software, hardware, information)
Your E-mail address:
Starting Point (TM)
The Web  Other Search Resources
Search the Underground for:

Click here to visit the best cellular site on the net !

SEMIONOFF site is up and running since 1996.
Every day more and more visitors are coming to my site.
On the 22nd of February 2000 there was a record: 1300 visits per day!

My Home Page