The Beginners Guide to RF hacking by Ph0n-E of BLA & DOC

Airphones suck. I'm on yet another long plane ride to some wacky event. I've tried dialing into my favorite ISP using this lame GTE Airphone, $15 per call no matter how long you "talk". In big letters it says 14.4k data rate; only after several attempts do I see the very fine print: 2400 baud throughput. What kind of crap is that? A 14.4 modem that can only do 2400? It might be the fact they use antiquated 900MHz AM transmissions. The AT&T Skyphones that are now appearing use Inmarsat technology, but those are $10/minute. Anyway, they suck, and I have an hour or so before they start showing Mission Impossible, so I guess I'll write this Phrack article Route has been bugging me about. There are a bunch of people who I've helped get into radio stuff; five people bought handheld radios at DefCon... So I'm going to run down some basics to help everyone get started. As a disclaimer, I knew nothing about RF and radios two years ago. My background is filmmaking; RF stuff is just for phun.

So why the hell would you want to screw around with radio gear? Isn't it only for old geezers and wannabe rentacops? Didn't CB go out with Smokey & the Bandit? Some cool things you can do:

Fast-food drive-thrus can be very entertaining. Usually the order taker is on one frequency and the drive-thru speaker is on another, so you can park down the block and tell that fat pig that she exceeds the weight limit and McDonalds no longer serves to Fatchix. Or when granny pulls up to order those tasty McNuggets, blast over her and tell the nice MCD slave you want 30 Happy Meals for your trip to the orphanage. If you're lucky enough to have two fast food palaces close to each other you can link them together and sit back and enjoy the confusion.

You've always wanted a HERF gun; well, your radio doubles as a small scale version. RF energy does strange and unpredictable things to electronic gear, especially computers.
The guy in front of me on the plane was playing some lame game on his windowz laptop which was making some very annoying cutey noises. He refused to wear headphones; he said "they mushed his hair...". Somehow my radio accidentally keyed up directly under his seat, there was this agonizing cutey death noise, and then all kinds of cool graphics appeared on his screen. Major crash. He's still trying to get it to reboot.

Of course there are the ever popular cordless phones. The new ones work on 900MHz, but 90% of the phones out there work in the 49MHz band. You can easily modify the right ham radio, or just use a commercial low band radio, to annoy everyone. Scanning phone calls is OK, but now you can talk back, add sound effects, etc... That hot babe down the street is talking to her big goony boyfriend; it seems only fair that you should let her know about his gay boyfriend. Endless hours of torture.

You can also just rap with your other hacker pals (especially useful at cons). Packet radio, which gives you up to 9600 baud wireless net connections, is really endless in its utility.

How to get started:

Well, you're supposed to get this thing called a HAM license. You take this test given by some grampa, and then you get your very own call sign. If you're up to that, go for it. One thing though: use a P.O. box for your address, as the feds think of HAMs as wackos, and they are first on the list when searching for terrorists. Keep in mind that most fun radio things are blatantly illegal anyway, but you're used to that sort of thing, right?

If you are familiar with scanners, newer ones can receive over a very large range of frequencies; some range from 0 to 2.6 GHz. You are not going to be able to buy a radio that will transmit over that entire spectrum. There are military radios that are designed to sweep large frequency ranges for jamming, bomb detonation, etc. - but you won't find one at your local Radio Shack.
A very primitive look at how the spectrum is broken down into sections:

0 - 30MHz      (HF)            Mostly HAM stuff, short-wave, CB.
30 - 80MHz     (lowband)       Police, business, cordless phones, HAM
88 - 108MHz    (FM broadcast)  You know, like tunes and stuff
108 - 137MHz   (Aircraft band) You are clear for landing on runway 2600
136 - 174MHz   (VHF)           HAM, business, police, marine
220 - 225MHz   (1.25 meter)    HAM
410 - 470MHz   (UHF)           HAM, business
470 - 512MHz   (T-band)        Business, police
800MHz                         Cell, trunking, business
900MHz                         Trunking, spread spectrum devices, pagers
1GHz+          (microwave)     Satellite, TV trucks, datalinks

Something to remember: the lower the frequency, the farther the radio waves travel and the better they bend around obstacles; the higher the frequency, the more line-of-sight and directional the waves are.

A good place to start is with a dual band handheld. Acquire a Yaesu FT-50. This radio is pretty amazing: it's very small, black, and looks cool. More importantly, it can easily be modded. You see, this is a HAM radio, designed to transmit on HAM bands, but by removing a resistor and a solder joint, and then doing a little keypad trick, you have a radio that transmits all over the VHF/UHF bands. It can transmit approximately 120-232MHz and 315-509MHz (varies from radio to radio), and will receive from 76MHz to about 1GHz (that's 1000MHz, lamer!), and yes that *includes* cell phones. You also want to get the FTT-12 keypad, which adds PL capabilities and other cool stuff including audio sampling. So you get a killer radio, scanner, and red box all in one! Yaesu recently got some heat for this radio so they changed the EPROM on newer radios, but those can be modified as well, so no worries.

Now for some radio basics. There are several different modulation schemes: SSB - Single Side Band, AM - Amplitude Modulation, FM - Frequency Modulation, etc. The most common type for communications above HF is NFM, or Narrow band Frequency Modulation.
There are three basic ways communication works:

Simplex - The transmit and receive frequencies are the same; used for short distance communications.

Repeater - The transmit and receive frequencies are offset, or even on different bands.

Trunking - A bunch of different companies, or groups within a company, share multiple repeaters. If you're listening to a frequency with a scanner and one time it's your local police and the next it's your garbage man, the fire dept... - that's trunking. Similar to cell phones, you get bits and pieces of conversations, because each transmission is assigned to whichever repeater channel is free at that moment. Their radios are programmed for specific "talk groups", so the police only hear police, and not Bruno calling into base about some weasel kid he found rummaging through his dumpsters. There are three major manufacturers - Motorola, Ericsson (GE), and EF Johnson. EFJ uses LTR, which sends sub-audible codes along with each transmission; the other systems use a dedicated control channel, similar to cell phones. Hacking trunk systems is an entire article in itself, but as should be obvious, take out the control channel and the entire system crashes (in most cases).

OK, so you got your new radio, you tune around and you find some security goons at the movie theater down the street. They are total losers so you start busting on them. You can hear them, but why can't they hear you? The answer: sub-audible tones. These are tones that are constantly transmitted along with your voice - supposedly sub-audible, but if you listen closely you can hear them. Without the right tone you don't break their squelch (they don't hear you). These tones are used to keep nearby users from interfering with each other and to keep bozos like you from messing with them; they are not any kind of security, since any radio that does tones can learn them. There are two types: CTCSS, Continuous Tone-Coded Squelch System (otherwise known as PL, or Private Line, by Motorola), which is one of a standard set of tones between 67.0 and 254.1 Hz, below the 300 Hz voice passband; and DCS, Digital Coded Squelch (DPL - Digital Private Line), which is a slow digital code word sent sub-audibly instead of a tone.
If you listened to me and got that FT-50 you will be styling, because it's the only moddable dual band that does both. So now you need to find their code; first try PL because it's more common. There is a mode in which the radio will scan for tones for you, but it's slow and a pain. The easiest thing to do is turn on tone squelch: you will see the busy light on your radio turn on when they are talking, but you won't hear them. Go into the PL tone select mode and step through the different tones while the busy light remains on; as soon as you hear them again you have the right tone. Set it and bust away! If you don't find a PL that works, move on to DPL. There is one other squelch setting which uses DTMF tone bursts to open the squelch, but it's rarely used, and when it is used it's mostly for paging individuals.

Now you find yourself at DefCon. You hear DT is being harassed by security for taking out some slot machines with a HERF gun, so you figure it's your hacker responsibility to fight back. You manage to find a security freq, you get their PL, but their signal is very weak, and only some of them can hear your vicious jokes about their moms. What's up? They are using a repeater. A handheld radio only puts out so much power; usually the max is about 5 watts. That's pretty much all you want radiating that close to your skull (think brain tumor). So a repeater is a radio that receives the transmissions from the handhelds on freq A and then retransmits them with a ton more watts on freq B. So you need to program your radio to receive on one frequency and transmit on another. Usually repeaters follow a standard offset of 5.0MHz on UHF and 0.6MHz on VHF, and the offset can be either positive or negative (you transmit above or below the frequency you listen on). Most radios have an auto-repeater mode which will do the offset for you; otherwise you need to place the TX and RX freqs in the two different VFOs.
Government organizations and people who are likely targets for hacks (Shadow Traffic news copter live feeds) use nonstandard offsets, so you will just need to tune around.

Some ham radios have an interesting feature called crossband repeat. You're hanging out at Taco Bell munching your Nachos Supreme, listening to the drive-thru freq on your radio. You notice the Jack in the Box across the street; tuning around, you discover that TacoHell is on VHF (say 156.40) and Jack in the Crack is on UHF (say 464.40). You program the two freqs into your radio and put it in xband repeat mode. Now when someone places their order at Taco they hear it at Jack's, and when they place their order at Jack's they hear it at Taco. When the radio receives something on 156.40 it retransmits it on 464.40, and when it receives something on 464.40 it retransmits it on 156.40.

"...I want Nachos, gimme Nachos..."
"...Sorry, we don't have Nachos at Jack's..."
"...Huh? I'm at Taco Bell..."

Get it? Unfortunately the FT-50 does not do xband repeat; that's the only feature it's lacking.

Damn it, all this RF hacking is fun, but how do I make free phone calls? Well, you can, sort of. Many commercial and amateur repeaters have a feature called an autopatch or phone patch. This is a box that connects the radio system to a phone line so that you can place and receive calls. Keep in mind that calls are heard by everyone who has their radio on! The autopatch feature is usually protected by a DTMF code. Monitor the input freq of the repeater; when someone places a call you will hear their DTMF digits. If you're super elite you can tell what they are just by hearing them, but those of us who have lives put the FT-50 in DTMF decode mode and snag the codez... If your radio doesn't do DTMF decode, record the audio and decode it later with your SoundBlaster warez. Most of the time they will block long-distance calls and 911 calls. Usually there is a way around that, but this is not a phreaking article.
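Both of the listening jobs above, finding the PL tone riding under a signal and pulling DTMF digits off the repeater input, are the same problem once you have the audio on a sound card: look for energy at a short list of known frequencies. The script below is an added example, not code from the article or from any radio manufacturer's software. It uses the Goertzel algorithm (a cheap single-frequency power measurement, no FFT) to identify which of the 38 standard CTCSS tones is present and to decode a DTMF digit string. It assumes 8 kHz mono audio; every sample it analyses is synthesized in the code itself (constructed, not captured off the air).

```python
"""Tone decoding with the Goertzel algorithm (added example, not from the article).

Assumptions: 8 kHz mono audio as a list of floats; all test audio is synthesized
here (constructed), with a 1 kHz sine standing in for voice.
"""
import math
import random

SAMPLE_RATE = 8000  # Hz, assumed capture rate of a cheap sound card

# The 38 standard EIA CTCSS tones (Hz), all below the 300 Hz voice passband.
CTCSS_TONES = [67.0, 71.9, 74.4, 77.0, 79.7, 82.5, 85.4, 88.5, 91.5, 94.8,
               97.4, 100.0, 103.5, 107.2, 110.9, 114.8, 118.8, 123.0, 127.3,
               131.8, 136.5, 141.3, 146.2, 151.4, 156.7, 162.2, 167.9, 173.8,
               179.9, 186.2, 192.8, 203.5, 210.7, 218.1, 225.7, 233.6, 241.8,
               250.3]
# DTMF: each key is one low-group tone plus one high-group tone.
DTMF_LOW = [697, 770, 852, 941]
DTMF_HIGH = [1209, 1336, 1477, 1633]
DTMF_KEYS = ["123A", "456B", "789C", "*0#D"]


def goertzel_power(samples, freq, fs=SAMPLE_RATE):
    """Signal power at one frequency, |X(freq)|^2, without a full FFT."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / fs)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_ctcss(samples, fs=SAMPLE_RATE, margin=20.0):
    """Return the CTCSS tone with the most energy, or None if none stands out.

    Neighbouring tones are only ~3 Hz apart and Goertzel resolves about fs/N Hz,
    so feed it at least a second of audio (N=8000 gives 1 Hz). Radios high-pass
    the voice at 300 Hz before keying, which keeps speech fundamentals (also
    100-250 Hz) out of this band on real signals.
    """
    powers = {t: goertzel_power(samples, t, fs) for t in CTCSS_TONES}
    best = max(powers, key=powers.get)
    others = [p for t, p in powers.items() if t != best]
    return best if powers[best] > margin * sum(others) / len(others) else None


def decode_dtmf(samples, fs=SAMPLE_RATE, frame_ms=50, dominance=4.0):
    """Decode a DTMF digit string; returns "" if no valid key pair is found.

    A frame yields a key only when (a) its two strongest tones hold most of the
    frame's energy (rejects silence, noise, and frames that only partly cover a
    key press) and (b) each tone dominates its group. Runs of one key collapse
    to one digit; a keyless frame (the gap between presses) ends the run, so
    "55" still decodes as two digits.
    """
    n = int(fs * frame_ms / 1000)
    digits, last = [], None
    for start in range(0, len(samples) - n + 1, n):
        frame = samples[start:start + n]
        energy = sum(x * x for x in frame)
        low = [goertzel_power(frame, f, fs) for f in DTMF_LOW]
        high = [goertzel_power(frame, f, fs) for f in DTMF_HIGH]
        pl, ph = max(low), max(high)
        key = None
        # Goertzel power of a full-frame sinusoid is about (its energy) * n / 2,
        # so rescale before comparing with the raw frame energy.
        if energy > 0 and (pl + ph) * 2 / n > 0.7 * energy:
            if pl > dominance * (sum(low) - pl) and ph > dominance * (sum(high) - ph):
                key = DTMF_KEYS[low.index(pl)][high.index(ph)]
        if key is not None and key != last:
            digits.append(key)
        last = key
    return "".join(digits)


def make_ctcss_sample(tone_hz=None, seconds=1.0, fs=SAMPLE_RATE, seed=1):
    """Constructed receiver audio: 1 kHz 'voice', noise, optional sub-audible tone."""
    rng = random.Random(seed)
    out = []
    for i in range(int(seconds * fs)):
        t = i / fs
        x = 0.5 * math.sin(2 * math.pi * 1000 * t) + rng.gauss(0, 0.02)
        if tone_hz is not None:
            x += 0.15 * math.sin(2 * math.pi * tone_hz * t)
        out.append(x)
    return out


def make_dtmf_sample(digits, fs=SAMPLE_RATE, tone_ms=100, gap_ms=100, seed=2):
    """Constructed keypad audio: each key's tone pair, then silence, plus noise."""
    rng = random.Random(seed)
    out = []
    for d in digits:
        row = next(r for r, keys in enumerate(DTMF_KEYS) if d in keys)
        lo, hi = DTMF_LOW[row], DTMF_HIGH[DTMF_KEYS[row].index(d)]
        for i in range(int(fs * tone_ms / 1000)):
            t = i / fs
            out.append(0.4 * math.sin(2 * math.pi * lo * t)
                       + 0.4 * math.sin(2 * math.pi * hi * t) + rng.gauss(0, 0.01))
        out.extend(rng.gauss(0, 0.01) for _ in range(int(fs * gap_ms / 1000)))
    return out


if __name__ == "__main__":
    print("PL tone:", detect_ctcss(make_ctcss_sample(100.0)))       # 100.0
    print("no tone:", detect_ctcss(make_ctcss_sample(None)))        # None
    print("digits :", decode_dtmf(make_dtmf_sample("*5551212#")))  # *5551212#
```

To use it on a real recording, replace the `make_*` calls with samples read from a mono 8 kHz WAV (the `wave` module in the standard library will do), scaled to roughly -1..1. The margin and dominance ratios are the knobs to turn when the capture is noisy; the 0.7 energy gate is what stops a frame that straddles the end of one key press and the start of the next from being misread.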
Often the repeaters are remotely configurable; the operator can change various functions in the field by using a DTMF code. Again, scan for that code and you too can take control of the repeater. What you can do varies greatly from machine to machine: sometimes you can turn on long-distance calls, program speed-dials, even change the freq of the repeater.

What about cordless phones, can't I just dial out on someone's line? Sort of. You used to be able to take a Sony cordless phone which did autoscanning (looked for an available channel), drive down the block with the phone on until it locked on to your neighbor's base, and you got a dialtone. Now cordless phones have a sub-audible security code, just like PL tones on radios, so it doesn't work anymore. There are a bunch of codes and they vary by phone manufacturer, so it's easier to make your free calls other ways.

But as I mentioned before, you can screw with people - not with your FT-50 though. Cordless phones fall very close to the 6 meter (50MHz) HAM band and the lowband commercial radio frequencies. There are 25 channels, with the base transmitting in 43-47MHz and the handset in 48-50MHz. What you want to do is program a radio to receive on the base freqs and transmit on the handset freqs. The phones put out a few milliwatts of power (very little). On this band you need a fairly big antenna; handhelds just don't cut it - think magmount and mobile. There are HAM radios like the Kenwood TM-742A which can be modified for the cordless band, however I have not found a radio which works really well receiving the very low power signals the phones are putting out. So, I say go commercial! The Motorola Radius/MaxTrac line is a good choice. They have 32 channels and put out a cool 65 watts, so your audio comes blasting out of their phones. Now the sucko part: commercial radios are not designed to be field programmable.
There are numerous reasons for this; mainly they just want Joe rentacop to know he is on "Channel A", not 464.500. Some radios are programmed via EPROMs, but modern Motorola radios are programmed via a computer. You can become pals with some guy at your local radio shop and have him program it for you. If you want to do it yourself you will need a RIB (Radio Interface Box) with the appropriate cable for the radio, and some software. Cloned RIB boxes are sold all the time in rec.radio.swap and at HAM swap meets. The software is a little more difficult; Motorola is very active in going after people who sell or distribute their software (eh, M0t?). They want you to lease it from them for a few zillion dollars. Be cautious, but you can sometimes find Mot warez on web sites or at HAM shows. The RIB is the same for most radios, just different software; you want Radius or MaxTrac LabTools. It has built-in help, so you should be able to figure it out.

OK, so you got your lowband radio. Snag a 6 meter mag mount antenna, preferably with gain, and start driving around. Put the radio in scan mode and you will find an endless amount of phone calls to break into. Get a DTMF mic for extra fun. As you're scanning around, listen for people just picking up the phone to make a call. You'll hear dialtone; if you start dialing first, since you have vastly more power than the cordless handset, you will overpower it and your call will go through. It's great listening to them explain to the 411 operator that their phone is possessed by demons who keep dialing 411.

Another trick is to monitor the base frequency and listen for a weird digital ringing sound - these are the tones that make the handset ring. Sample these with a laptop or a Yak Bak or whatever and play them back on the BASE frequency (note: not the normal handset freq, since the handset listens on the base freq) and you will make their phones ring. Usually the sample won't be perfect, so it will ring all wacko.
Keep in mind this tone varies from phone to phone, so what works on one phone won't work on another.

Besides just scanning around, how do you find freqs? OptoElectronics makes cool gizmos called near-field monitors. They sample the RF noise floor, and when they see a spike above it they lock on to it. So you stick the Scout in your pocket, and when someone transmits near you the Scout reads out their frequency. The Xplorer is their more advanced model, which also demodulates the audio and decodes PL/DPL/DTMF tones. There are also several companies that offer CDs of the FCC license database. You can search by freq, company name, location, etc. Pretty handy if you're looking for a particular freq. Percon has cool CDs that will also do mapping. Before you buy anything, check the Scanware web site; they are now giving away their freq databases for major areas.

OK radioboy, you're hacking repeaters, you're causing all the cordless phones in your neighborhood to ring at midnight, and no one can place orders at your local drive-thrus. Until one day, when the FCC and FBI bust down your door. How do you avoid that?? OK, first of all, don't hack from home. Inspired people can eventually track you down. How? Direction Finding and RF Fingerprinting.

DF gear is basically a wideband antenna and a specialized receiver gizmo to measure signal strength and direction. More advanced units connect to GPS units for precise positioning and to laptops for plotting locations and advanced analysis functions such as multipath negation (canceling out reflected signals).

RF fingerprinting is the idea that each individual radio has specific characteristics based on subtle defects in the manufacture of the VCO and amp sections in the radio. You sample a waveform of the radio and now, theoretically, you can tell it apart from other radios. Doesn't really work though - too many variables. Temperature, battery voltage, age, weather conditions and many other factors all affect the waveform.
Theoretically you could have a computer scanning around looking for a particular radio; it might work on some days. Be aware that fingerprinting is out there, but I wouldn't worry about it *too* much. On the other hand, DF gear in knowledgeable hands does work. Piss off the right bunch of HAMs and they will be more than happy to hop in their Winnebago and drive all over town looking for you. If you don't stay in the same spot, or if you're in an area with a bunch of metal surfaces (reflections), it can be very, very hard to find you.

Hack wisely. Although the FCC has had major cutbacks, there are certain instances in which they will take immediate action. They are not going to come after you for encouraging Burger King patrons to become vegetarians, but if you decide to become an air-traffic controller for a day, expect every federal agency you know of (and some you don't) to come looking for your ass.

My plane is landing so that's all for now. Next time - advanced RF hacking, mobile data terminals, Van Eck, encryption, etc.

EOF