Plateforme de Hacking est une communauté faisant évoluer un système de services vulnérables.

Nous apprenons à exploiter de manière collaborative des solutions permettant de détourner les systèmes d'informations.
Cet apprentissage nous permet d'améliorer les technologies que nous utilisons et/ou de mieux comprendre l'ingénierie social.

Nous défendons les valeurs de l'entraide, du challenge personnel et contribuons modestement à rendre l'expérience des utilisateurs finaux la plus agréable possible.

Vous pouvez nous rencontrer via notre salon irc.
Le forum est en cours de remplacement par une version plus moderne, et tout aussi faillible que l'ancien ^^.
A ce jours nous enregistrons plusieurs dizaines de hack réussi contre notre site, et ce chiffre est en constante évolution. Merci a tous les contributeurs!

La refonte est en version alpha. Cette nouvelle plateforme permet de pentester à distance sans avoir son matériel à disposition.
Via l'exécution de scripts python connecté en websocket à l'ihm web, nous pouvons piloter le chargement de scénario
d'attaque/défense en "multijoueur" ^^.
Le système permet de charger des scripts de bibliothèques partagées et de chiffrer les échanges selon les modules déployés.
Vous trouverez dans la rubrique article de nombreux tutoriels afin de mieux comprendre la sécurité informatique,
ainsi que différents articles plus poussés.
  • Sniffing
  • Cracking
  • Buffer overflow
  • Créations d'exploits
  • Social engineering
  • L'anonymat sur le web, spoofing
  • Bypass-proxy, Bypass-firewall
  • Injection de code SSI, SQL, etc...
  • Utilisation d'exploits, création de scripts(php, irc, perl)
Nous vous recommandons de sniffer votre réseau lors de votre navigation sur le site. La refonte vous fournira un outillage pour réaliser vos attaques/défenses.
Flux RSS

flux RSS d'HackBBS Abonnez-vous. Soyez prévenu des tournois, challenges, actualités, ...
Recevez nos dernières actualités sur notre flux RSS.

Vous pourrez également participer à de nombreux challenges en constant renouvellement (si possible :p)
Dernièrement, les missions relativent aux derniers produits open sources marchent bien :)

Votre ultime challenge sera de défacer HackBBS. De nombreuses failles sont présentes. A vous de les trouver et de les exploiter.

Cet ultime test permettra de constater votre réactions face à une faille.
Black ou White? ^^

Ezine du moment: p48-07.txt
                              ==Phrack Magazine==

                 Volume Seven, Issue Forty-Eight, File 7 of 18



                             By Damien Thorn

                                LEGAL CRAP

(mandated by our cheap-suit, can't afford cigars, polyester-pants-wearing,
no-practice-having, almost dis-barred, old-fart legal counsel who only charges
us $20 / hour because he meant to retire when he was 70 but lived a few years
longer than he expected...hell, we love him!)

Contents copyright 1994, 1995  Phoenix Rising Communications.
Software copyright 1993, 1994, 1995 as indicated.

All Rights Reserved.  Distribution of contents in hard-copy form is forbidden.
Redistribution in electronic form is permitted only as outlined in the Phrack
licensing agreement, provided this article is not segregated from the other
editorial contents of Phrack #48.

Use caution when rebuilding corrupt serial numbers, and avoid lending your
talents to further the goals of unscrupulous people.

Altering the serial number of a cellular transceiver is a violation of the
FCC rules, and the U.S. Secret Service is charged with the responsibility
of investigating fraudulent activity.

All of this material was developed in-house and not provided or
endorsed by the manufacturer.  Brand names and trademarks are used for
identification purposes only and are the property of their respective
owners.  Use of same within this article definitely does not imply agreement
with or endorsement of the material presented, and probably aggravates them
to no end.   There are no guarantees or warranties with regard to the accuracy
of this article.  Although we've done the best job that we can, we may be
wrong.  Happens all the time.  If you damage a phone or inadvertently start
a global thermonuclear war, that's your problem.  Don't come crying to us, or
make us fork over another twenty bucks to the old shyster. What you do with
this information is your responsibility.


While manufacturers publish service manuals for their cellular
transceivers, they have an annoying habit of omitting certain
data pertaining to memory devices and the arrangement of the data
stored inside them.  Since this stored information includes the
electronic serial number (ESN), the lack of documentation can
easily be excused as a way to avoid unwittingly facilitating

The drawback to the 'security through obscurity' approach is that
service technicians who have a legitimate need to reprogram these
memory devices are unable to do so.  The Nokia-designed
transceivers discussed in this article are an excellent example. 
Since the ESN is stored in the same electrically-erasable
programmable read-only memory (EEPROM) device as the numeric
assignment module (NAM) information, corruption of the data can
be catastrophic to the operation of the phone.

Since the handset programming mode of these Nokia units actually
write-enables the memory device to store the alterable parameters,
an errant pulse from the microprocessor, dropped bits or supply
voltages falling out of tolerance can cause the ESN or checksum
to become overwritten or otherwise rendered useless.  Should this
occur, dealers have had little recourse but to ship the
transceiver back to the factory for repair.  Until now, that is.

The goal of Phoenix Rising Communications in producing this
documentation is to empower technicians to do the job they have
been educated and hired to perform.  This guide to Tandy and
Radio Shack cellular phones will enable the technician to rebuild the
corrupt data within this series of transceivers with confidence.

The information in this article was developed from the installed
and transportable versions of the most commonly purchased phones
from Radio Shack stores.  These units were sold for many years,
and finally replaced last year with a new, redesigned model.  The
data presented here can probably be applied to certain compatible
Nokia transceivers as indicated later in the text. 

                                 CHAPTER 1

This publication is designed to provide supplemental information
to assist in the servicing of cellular mobile telephones
manufactured by Tandy Corporation under license from the Nokia Corporation. 
It is not meant to be a replacement for the factory service manual. 
Any shop needing to perform component level repairs should
definitely obtain the factory documentation from Tandy National

Our primary goal is to explain the contents of the numeric
assignment module, or NAM.  In these particular phones, both the
NAM parameters and the electronic serial number (ESN) are stored
within the same electrically erasable programmable read-only
memory (EEPROM) device.

The problem inherent with this engineering decision is that the
ESN stored within this chip is not necessarily permanent.  Since the
chip can be erased or reprogrammed, certain circumstances could
possibly cause the ESN to become corrupt.  These include improper
signals from the microprocessor, induced currents or a power
interruption during NAM programming as the write cycle is taking

Since the available service literature does not describe the
functions of this serial EEPROM or the data contained within,
service personnel would have to return the transceiver to the
manufacturer for service.  This is not cost effective in terms of
time or money for either the shop or cellular customer.

Technicians who invest a little time to become familiar with the
data stored within the NAM circuitry, including the placement of
the ESN and checksum byte can service these types of problems
in-house and with little difficulty.

Basic instructions for peaking the transceiver's RF sections have
also been included herein as a convenience.  While the phone is
open and on the test bench, the customer's transceiver should
also be given a quick check for proper alignment.

                            EQUIPMENT REQUIRED

Other than basic hand tools, disassembly of the phone requires a
soldering iron with a medium sized tip and a vacuum de-soldering
tool.  Good size solder removal braid may be used in conjunction
with, or in lieu of the de-soldering tool.

To correct data that has become corrupted within the EEPROM, a
programming device is required capable of reading and burning an
8-pin DIP integrated circuit.  One such inexpensive device is
listed in appendix III.

An individual who is familiar with the memory device involved has
written a software program in the BASIC language to allow the
programming of this chip via the parallel port of an
IBM-compatible personal computer.  The source code for this program
can be found in the appendix, and is provided as a reference only.  Such
software is subject to the peculiarities of the host PC and
therefore cannot be recommended for use in place of a standard PROM
programmer.  Older versions of GWBASIC are preferred to Microsoft's
current QBASIC interpreter.

                              MODELS COVERED

The information presented is believed to cover all of the installed
and transportable (bag phone) cellular transceivers manufactured
by the Tandy Corporation under license from the Nokia Corporation up
until about a year ago.
Tests have been conducted on a random selection of these phones
with manufacture dates ranging from 1989 through early 1994.  All
versions of the "TP" firmware through January, 1994 should be

Although no house-branded OEM Nokia transceivers have been
tested, we have surmised that this information is applicable to several
models based on the same or a similar design.  These models
include the Nokia LX-11, M-11, M-10 and the Nokia-Mobira P4000 (PT612). 
Some of these units, like the very old Radio Shack equivalents,
will require a service handset to program.  More on that in the
next issue of Phrack.

                              HAND-HELD UNITS

Only one of the hand-held cellular phones previously sold through
Radio Shack utilizes a discrete surface-mounted integrated
circuit to store the ESN and NAM parameters.  If you have the capability
to read and program this SOIC 93C46 memory device you may be able to
extrapolate the PROM dumps in this guide to work with this phone.

Due to the difficulty in disassembling this unit and the delicate
nature of the surface-mounted EEPROM, the reader is cautioned
against attempting to service these in-house.


Prior to disassembling the transceiver, all antenna and cables,
including the handset, should be disconnected from the jacks on
the unit.

To aid in disassembly and component location, the original
hard-copy version of this publication contained several pages of
photographs.  While the hard-copy version is available (see end of
article), you will hopefully be able to figure out what we're talking about
without them.

Disassembly begins by snapping the plastic end panel from the
black transceiver cover.  Some units just pop up and off, while others
have two small plastic tabs on each side that must be depressed
free the end panel for removal.

With the end panel removed, the top plastic cover is now free to
slide off.  With this cover removed, the metal transceiver itself
can be dumped from the remaining plastic housing by turning it
upside down, or pulling up on the metal heat sink assembly that
comprises one side of the transceiver unit.

There is a metal shield on each side of the transceiver (top and
bottom.)  One is a solid piece of thin sheet metal, and the other
is broken up in to smaller, individual shields and soldered to
the transceiver chassis.  The shield that needs to be removed is the
solid one.  It is only held in place with the friction grips
along the edges, and can be pried off with your fingers.

Once the shield is removed from the proper side of the
transceiver, the solder side of the logic board will be exposed.
This board must be removed to gain access to the component side.  Take
static precautions so as not to fry the CMOS silicon that is currently
hidden from view. 

Other than several connectors that mate between the two boards,
the board is usually held in place by several blobs of solder spaced
along the edge of the board.  These small 'solder welds' serve as
a ground bond between the board and the transceiver chassis, and
are not electrically necessary under normal circumstances.

Once the solder ground bonds have been melted and removed with a
de-soldering tool or solder wick, use a pair of needle-nose pliers
to gently bend back the small metal tabs holding the circuit
board in place.

Before proceeding, inspect the foil side of the board to ensure
that no solder has splashed on the board during de-soldering, and
that the foil traces where the work was performed are still
intact.  This last step is where most trouble arises.  These boards are
delicate, and a heavy hand while prying or bending will almost
ensure that a trace or five will be transected when the tool
slips.  If this happens, resolder the traces to undo the damage.

At this point the logic board is held in place only by pins on
the transceiver board sticking up in to sockets on the logic board. 
Gripping the edges of the logic board with your fingers and
pulling straight up will disengage the connectors and allow the logic
board to pull free of the transceiver.  Slightly rocking the board from
each side may aid in the removal.  Do not grip the board with
pliers or damage can result to the small chip resistors and other
components mounted on the solder side of the board.

Once dislodged, you'll have two separate circuit boards.   

                              THE LOGIC BOARD

The board that supplies logic and control functions for the
cellular mobile telephone is easily identifiable by the
microprocessor and 27C512 EPROM containing the operating
firmware.  The EPROM's erase window is covered by a protective sticker
that identifies the firmware version stored therein.  Within the last
few years, the version has ranged from TP-2 through TP-8.

Also on this board is the serial EEPROM where the ESN and NAM
parameters are stored.  This chip is an 8-pin DIP located in a
socket near pin #1 of the NEC microprocessor.  It is usually
covered with a small paper sticker bearing the last few digits of
the serial number stored inside.

While security experts may blast Nokia for designing a phone that
stores the ESN in a socketed chip, and then says "here I am" by
placing a sticker on it, this is a dream come true for any
technician facing issues of data corruption.  

                             THE SERIAL EEPROM

The Serial EEPROM containing all of this data is a PCD8572 (or
85C72) manufactured by Microchip Technology, Inc.

This 8-pin device is a 1k (128x8) CMOS serial electrically
erasable PROM.  The pin configuration for the device can be found in the

Power is supplied to this chip only when the microprocessor is
performing a read or write operation.  Transistor Q115 (surface
mounted to the underside of the logic board right about in the
middle) switches the supply voltage on and off.  Should power be
interrupted during the write cycle, the ESN may become corrupt.

                            REBUILDING THE ESN

To replace the damaged serial number, note the unit's serial
number from the cellular service agreement or the phone itself.
The ESN (in decimal) is located on a white paper sticker applied to the
side of the metal transceiver chassis.  It is also stamped into the
plastic model identification plate on one side of the plastic
outer housing.

For reprogramming, the ESN must be converted to hex.  A scientific
calculator or any number of public domain computer programs will
simplify the task.

                          CONTENTS OF NAM

Once the original serial number has been determined, carefully
remove the 8572 EEPROM from the socket and place it in the
adapter required by your PROM programmer.  Reading the contents of the
chip, you'll see data as depicted below.

Note that these data dumps are simulated for illustrative purposes.
The ESN and encoded MIN bytes are not legitimate numbers, so don't
bother 'testing' them.

The first five bytes of data contain the security code.  These
bytes are the hex values representing ASCII characters 0 through
9, thus represented as "3X" where "X" is the actual digit of the
security code.  A factory security code of 1 2 3 4 5 would be
represented in bytes 00 through 04 as follows:

31 32 33 34 35

Since you will require the security code to enter handset
programming mode, please note the current security code or
program these bytes with your shop's standard default.
                     UNDERSTANDING ADDRESSES

Some cellular technicians have little experience in the digital
world.  Service monitors and watt-meters are expensive and wonderful
devices, but sometimes you need to do a little more than tweak a pot
to fix a phone.  The digital-literate can skip this oversimplified

To assist those in reading the locations of the various bytes in the EEPROM,
understand that each line (as usually displayed on a programmer) contains
sixteen (16) bytes.  The first line begins with byte 00, then 01, 02, 03,
04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E and finally 0F.

The second line begins with 10, then 11, 12, 13, 14, 15, 16, 17,
18, 19, 1A, 1B, 1C, 1D, 1E, and 1F as the last byte of the line. 
The third line increments the same way, except as byte 30, 31,
etc., to 3F.  You now know how to count in base 16 (hex)! 

As an example, the locations used by the phone end at byte 3D,
which contains 00 in the example below.  Beginning with the next
byte (3E), a repetitive pattern of alternating values of AA and
55 are stored.  This is just 'test' data and is never read by the
phone.  The chip itself ends at byte 7F, and your PROM programmer
may display FF following byte 7F to indicate the non-existence of
these locations in the chip.

                     8572 EXAMPLE DATA DUMP

          0000 31 32 33 34 35 0A FF 21 A5 38 25 82 0F 25 17 1A
          0010 00 00 00 00 24 15 B1 C3 24 04 A3 21 16 2D 11 AA
          0020 0A 00 00 64 6C B3 32 00 27 00 01 01 11 11 11 11
          0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF 00 AA 55
          0040 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
          0050 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
          0060 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
          0070 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 

                    THE CRUCIAL SERIAL NUMBER

The hex ESN for any given phone consists of four bytes, as we use
the term here.  Technically it is eight bytes (in hex, 32 bits if
expressed in binary form), but we're referring to a 'byte' as a two-digit
hex number, rather than each digit (byte) as a single entity.  For our
example, we're using the fictitious ESN of A521FF0A.  All Radio Shack
phones will have an ESN beginning with A5 hex.  This is the "manufacturers
code" prefix that has been assigned to Tandy.

Breaking the ESN into four bytes as viewed on the PROM programmer,
the ESN would appear as:

                          A5 21 FF 0A

Refer back to the example dump of the data within the 8572 IC. 
Immediately following the security code is the ESN stored in
reverse order.  With the security code occupying bytes 00 to 04,
the ESN is located in bytes 05, 06, 07 and 08.  Byte 09 contains
the value 38.  It should always contain 38.

In the example, beginning with byte 05 you can read the ESN (in
reverse sequence) as:

                         0A FF 21 A5

The examples below will assist you in visualizing the bytes
containing the security code and the electronic serial number. 
The programming and placement of these two crucial pieces of data is
fairly straight forward.  Using the buffer editor function of the
PROM programmer, you can simply type over the garbage that may be
present in these locations with the correct values for the
security code and the ESN.  Double check your data entry!

                      OTHER ADDRESSES

The entire NAM data is stored in the remaining locations of this
chip.  Bytes 0A, 0B and 0C contain the firmware revision date,
and bytes 0D - 0F contain the installation date as programmed via the
handset programming mode.

Other bytes contain the encoded Mobile Identification Number
(MIN), Station Class Mark (SCM), etc.

These various bytes do not need to be reprogrammed through your
PROM burner, as they can all be corrected via handset
programming.  Only the security code and ESN must be properly reprogrammed
directly to the chip itself.  For more information on the locations
of this other data, refer to the source code in Appendix A.  It
allows you to see where (and how) this other data is stored within
the NAM.

The last item to program is the checksum.


          0000 31 32 33 34 35 XX XX XX XX XX XX XX XX XX XX XX

THE ESN:  BYTES 05 - 08

          0000 XX XX XX XX XX 0A FF 21 A5 XX XX XX XX XX XX XX

                    LOCATING THE CHECKSUM

There is a one byte device checksum stored within the 8572 that
is used by the phone to check the integrity of the data stored
therein.  The checksum is located at byte 3D, indicated by "XX"
in the example below.

The checksum is derived from all the data stored in the NAM, not
just the ESN.  Computing it is relatively easy as it is simply
the sum (in hex) of all the values from bytes 00 through 3C as
underlined below.

Assuming the PROM programmer has a checksum function, you can
enter the beginning address as 0000 and the ending address as 003C. 
The software will add all of the values between these locations and
give you the sum.  The alternative is to add the numbers manually
using the hex mode of a scientific calculator.  Either way, adding
the hex values of all the bytes between 00 and 3C of our example yields
a sum of 0B5E.

The least significant two-digit byte is the actual device
checksum that would be programmed in location 3D.  In our example, the
least significant half is 5E.  Ignoring the most significant half of
the sum (0B), a value of 5E must be programmed to location 3D.

Note that the checksum will be recomputed and change after
handset programming.  When the MIN or other data is changed, it alters
the values in various bytes.  The checksum encompasses all of the
data stored within the chip used by the transceiver's firmware.

                          CHECKSUM LOCATION

          0000 31 32 33 34 35 0A FF 21 A5 38 25 82 0F 25 17 1A
          0010 00 00 00 00 24 15 B1 C3 24 04 A3 21 16 2D 11 AA
          0020 0A 00 00 64 6C B3 32 00 27 00 01 01 11 11 11 11
          0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF XX AA 55
          0040 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
          0050 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
          0060 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
          0070 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 


          0000 31 32 33 34 35 0A FF 21 A5 38 25 82 0F 25 17 1A
          0010 00 00 00 00 24 15 B1 C3 24 04 A3 21 16 2D 11 AA
          0020 0A 00 00 64 6C B3 32 00 27 00 01 01 11 11 11 11
          0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF .. .. ..
          0040 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
          0050 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
          0060 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
          0070 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. 

                            DEFAULT VALUES

In the event that all of the data stored within the NAM becomes
corrupt, the technician will need to program the security code,
the ESN, and certain default data values to allow the phone to power
up.  Once powered up, all of the other data can be automatically
reconstructed by the phone using the handset programming mode.

Since the factory does not provide any information about the
contents of the 8572 EEPROM, we are unsure of the function of
this 'default data.'  It seems to have little significance.

The underlined bytes depicted below are fairly typical.  Ideally
the technician should compare the contents of an operational
phone with equivalent firmware to determine the values for the
underlined locations, but if this is not possible then the values
provided in the example may suffice.

Once these defaults have been programmed in the proper locations,
and the ESN and security code have been reconstructed, compute
the checksum and store it in address 3D. Temporarily reassemble the
phone and apply power.  The unit should power up and complete it's
self-test which will include the operation where the microprocessor
computes the NAM checksum and compares it to the value stored in
location 3D.

Assuming the self-diagnostics pass, the remaining data can now be
reconstructed through normal handset programming.

The handset programming template applicable to most of these
units is located immediately following the appendix detailing the chip
programming software included for reference purposes.  

                        DEFAULT DATA VALUES

          0000 XX XX XX XX XX XX XX XX XX 38 XX XX XX XX XX XX
          0010 00 00 00 00 XX XX XX XX XX XX XX XX XX XX XX XX
          0020 XX XX XX XX XX XX XX 00 27 00 01 01 11 11 11 11
          0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF XX AA 55
          0040 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
          0050 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
          0060 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
          0070 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 

                         ADDITIONAL NOTES

As discussed, the parallel port programming software interface
has a few quirks, most involving the programming voltage supplied to
the chip.  If all else fails, and a PROM burner is not available,
take the supply voltage (Vcc) directly from the logic board.

Run test lead jumpers from pins #4 and #8 of the IC socket on the
logic board that held the 8572 EEPROM and connect to the
respective pins on the socket attached to the cable to be used for
programming.  Turn the board over and locate surface mount
transistor Q115 which switches the supply voltage to the IC
socket on and off.

This small chip transistor is directly to the left of pin #8 (of
the 8572 socket) and can be positively identified by the circuit
trace from socket pin #8 leading directly to the emitter of Q115.

By examining this area of the board, you can determine which of
the other two traces connects to the transistor's collector. 
Jumpering the traces and shorting the collector and emitter simply
provides a constant, conditioned voltage supply to the socket designed to
power the 8572 in programming mode.  It may also be necessary to cut the
trace to the base of Q115.

Once the chip has been programmed with the software, restore the
integrity of the cut trace to the base of Q115 and remove the
short between the collector and emitter.

                         USING THE SOFTWARE

The Cellular Data Repair Utility software requires that you first
create a small text file using an ASCII text editor such as DOS's
"EDIT" utility program.

This text file must contain the data described below in the
specific order presented.  The data in this image (.img) file
will be programmed into the 8572.

XXX       ESN Prefix (decimal)
XXXXXXXX  ESN (8 digits decimal)
XXXXX     SIDH (5 digits decimal)
1         Access Bit
1         Local Option Bit
AAAPPPXXXX       MIN (10 digits)
08        SCM
0XXX      (0333 or 0334)
10        Access Overload Class
1         Pref. System Bit
10        GIM
12345     Security Code

Filename:  TEST.IMG



Once the image file containing the appropriate data has been
saved, run the software with QBASIC or Microsoft BASIC and follow the
prompts.  Be sure to set the proper parallel port address in line
1950 to reflect the port to which the interface is connected

                             TUNING STEPS

1)   With a digital voltmeter attached to the positive terminal
of C908, adjust VR908 to provide a reading of 8 vdc (q 0.1 volt).

2)   With the voltmeter attached to the positive terminal of
C913, adjust VR918 for a reading of 8 vdc (q 0.1 volt).

3)   Connect the voltmeter to test point TXV and enter diagnostic
command 0, 1, SEL, 9, END.  Adjust C676 to achieve a reading of 5
vdc control voltage (q 0.1 volt).

4)   Check receiver control voltage with test point RXV.  Adjust
C614 for a reading of 4 vdc (q 0.1 volt).

5)   With  a power meter connected to the antenna connector of
the transceiver through an attenuator, enter command SEL, 1, 2, SND,
END to turn on the transmitter at high power.  VR814 should then
be adjusted to show 3 watts (34.8 dBm) on the power meter.

6)   Using the same power meter, enter command SEL, 1, 3, 7, END.

Adjust VR846 for a low power maximum reading of 4 milliwatts (6

7)   Using a frequency counter to measure the output of the
antenna connector, adjust X600 for a reading of 836.4000 MHz (q 0.1 kHz).

8)   Using a deviation meter, activate DTMF tones with command
SEL, 2, 1, END, 1, 1, END and adjust VR259 for 8.4 kHz q 0.1 kHz DTMF

9)   End DTMF signaling with command 1, 0, END.  Enable SAT
transmission by entering SEL, 2, 8, SND, END and adjust VR261 for
7.8 kHz deviation (q 0.1 kHz).

10)  Enter SND, END to discontinue SAT signaling.

                        ADDITIONAL ADJUSTMENT

The level of audio fed to the earphone via the "ear" line (pin #7
on the handset connector) can be adjusted via VR215.  1.2 Vrms is
the factory specified level with the volume turned up to it's
maximum setting.

Received audio signals can be adjusted for minimal distortion by
peaking L703.

Frequency deviation of voice audio can be fine tuned with VR260. 
Factory spec. is for 8 kHz deviation.


If the transceiver refuses to even power up and begin self-diagnostics,
check the traces on the underside of the board near the power connector.

Most of these units 'protect' themselves against reverse polarity
being present on the power cables with fusible traces.  If the
phone is connected to a vehicle or battery power supply backwards,
one of these very small circuit traces will vaporize, leaving the
phone inoperative.

While inconvenient for the customer and service technician alike,
repairing the trace is an additional source of revenue for the
shop that might not be generated had a standard replaceable fuse or
rectifier been utilized in the design.

                             APPENDIX III

                         TECHNICAL RESOURCES


In preparing this article and performing other research involving various
types of firmware, we used the EPROM+ programming system from Andromeda
Research.  This small, portable device is housed in a carrying case and
requires no internal card to operate with your PC.  Once the software is
installed on the computer, the EPROM+ programmer is simply plugged into an
available parallel printer port.

To program the PCD8572 series EEPROMs, a small adapter is required.

You can construct this yourself from the included instructions,
or purchase it already built for about $35 extra.

The EPROM+ programming system is available for $289 from the

     Andromeda Research
     P.O. Box 222
     Milford, Ohio 45150
     (513) 831-9708 - voice
     (513) 831-7562 - fax


Service manuals are available for most Radio Shack or Tandy products from
Tandy National Parts.  Ordering these publications requires that you visit
your local Radio Shack store.  Tell the clerk that you want him (or her)
to call National Parts and order a service manual for catalog number....

National Parts no longer accepts calls from consumers and will only
ship to a recognized Radio Shack retail outlet.


Service handsets, manuals and other parts can be ordered from
Nokia-Mobira in Largo, Florida.  Their toll-free technical
assistance number is (800) 666-5553.


Tandy Support Services offers technical information via fax-back
server.  There is no mention that the service is restricted to
Radio Shack stores.  Although ANI can be hell, the toll-free number
is (800) 323-6586 if you want to be faxed product info on assorted 'Shack
products.  The server makes neat video game noises, and thanks you for
using the service.

For an index of the cellular specification sheets available via
fax-back, request document #8882.

Programming instructions are also available from this automated
fax server:


9009           Current List [index] 
8728           CT-105, 1050, 1055
9004           CT-350
9005           CT-302
9006           CT-102, 103, 104, 1030, 1033
9007           CT-300, 301
9008           CT-100, 101, 200, 201
9020           CT-351
9665           BC901ST         [170-1015]
9579           CP-1700         [170-1016]
9577           CP-4600/5600    [170-1067 / 170-1056]
14493          Ericsson AH-210 [170-1064]
9581           EZ-400          [170-1057]
9743           Motorola 12822  [170-1058]
9583           Motorola DPC550 [170-1059]

This information provided for reference purposes only.  Use of
this fax-back service may be restricted to authorized personnel.  No
one has ever faxed me to complain, however. 

                       THE INTERFACE

The uuencoded drawing which accompanies this article describes the
interface required to use the programming software to rebuild the data
stored within the serial EEPROM.  Because there are a number of variables
that can affect the performance of this software and interface, prepare
yourself for a bit of trial and error.  A standard programming device is
recommended over the use of this software.  Since the original publication
of this manual in hard-copy, we've heard reports that the software does not
work well with the PCD8572, but does favor the PCD85C72 (CMOS version).

The DB-25 connector is wired to an 8-pin DIP socket to accommodate the 8572
integrated circuit.  A regulated, well-filtered source of 5 volts must be
connected to pin #8 of the DIP socket, and Pin #4 must be tied to ground.
If the PC used for programming and the power source to the IC socket share
a common ground, you may be able to use pin #25 of the parallel port connector
as shown in the diagram.
Please be careful not to cause any shorts in this instance or you
may damage your computer by sinking too much current through the
parallel port.  If you are unsure of what you are doing, eliminate
the connection between pin #4 of the IC socket and pin #25 of the
DB-25 connector.  Instead, connect pin #4 directly to ground.

The resistor shown in the circuit is used as an optional voltage
divider.  Depending on the voltage provided by pin #2 of your
parallel port, a resistor between 100 and 1k ohms may be required
to drop it to a level within the nominal range required by the

                       TUNING THE RADIO

The diagrams in the uuencoded .zip file will assist in identifying and
locating the various adjustment points on the logic board and transceiver (RF)
PC board.  Alignment should not be attempted by technicians unfamiliar with
the principles involved, or in the absence of calibrated radio frequency
measurement equipment.

A diagnostic (service) handset may be required to access
service-level commands within the transceiver.  If the phone does
not respond properly to the commands documented herein, you'll
need to obtain a service handset from Tandy National Parts.  This
handset is actually a Nokia "programming handset" which can be
obtained directly from the factory.

                       PROGRAMMING TEMPLATE

          For Tandy / Radio Shack Cellular Mobile Telephones
                 Models CT-102, 302, 1030, 1033, etc.

1)   Power up phone.  After the phone cycles through it's
self-test mode and the display clears, enter the following keystrokes from
the keypad:

     *, 3, 0, 0, 1, #, X, X, X, X, X, SEL, 9, END

The X, X, X, X, X represents the five-digit security code stored
in EEPROM.  The factory default is 1, 2, 3, 4, 5.  This security
code is required to access handset programming mode.

2)   The display will now read:    IdEnt IF InFO Pri

3)   Press END to program NAM 1.  Display will show first
programming step.

4)   To program NAM 2, press SND twice instead of END.  Display
will cycle through:       OPt InFO diSAbLEd  then OPt InFO EnAbLEd
5)   Use the END key to step through each step.  The SND key
toggles the state of single-digit options.  To enter new
information, use END to step through the display until the old
data is displayed.  Key in the new data and press END to increment to
the next step.

6)   When programming has been completed, press SEL, CLR to save

Step #    Desired Input  Display   Data Description

01        5 digits       HO-Id     SIDH (Home System Identification)
02        0 or 1         MIN Mark  MIN Mark (Toggle with SND)
03        0 or 1         LOCL OPt  Local Use Mark (Toggle with SND)
04        10 digits      Phon      MIN (Area Code + Mobile Number)
05        08             St CLASS  SCM (Station Class Mark)
06        333 or 334     PAging Ch IPCH (Initial Paging Channel)
07        2 digits       O-LOAd CL Access Overload Class
08        A or B         PrEF SyS  Preferred System (Toggle with SND)
09        2 digits       grOUP Id  GIM Mark (Set to 10 in U.S.)
10        5 digits       SECUrity  Security Code
11        -------        1 dAtE    Firmware Date - not changeable
12        mmddyy         2 dAtE    Installation Date

Press SEL, CLR to save & exit.  Turn Power off and back on for
model CT-302.

[Begin Editorial]


"The Complete Guide to Tandy / Radio Shack Cellular Hardware" is available
for $15 prepaid.  We keep $5 of the price to cover the cost of printing
and the Priority mail postage.  The remaining $10 of the purchase price will
be donated to Boston's The L0pht to help them cover the cost of upgrading
their Internet connection for

The guys at the L0pht have always been cool with us, and maintain what
amounts to one of the best cellular archives accessible on the 'net.  We
want to do what we can to assist them in providing this public source of
enlightenment.  Now you can help them, and get something for it in return.
If nothing else, you can sit back and enjoy all my great close-up photos
of the chips !

                                            -- Damien Thorn

Here's the address:

Phoenix Rising Communications
3422 W. Hammer Lane, Suite C-110
Stockton, California 95219

[end editorial]

You can reach me via e-mail at:

1005 ' Form image and program PCD8572 IC via LPT port.
1010 ' (c) 1993, 1994, 1995 WarpCoreBreachGroup - All rights reserved.
1015 ' 
1020 ' This program is not shareware/freeware.
1025 '
1030 DATA xx,xx,xx,xx,xx,xx,xx,xx ' Bytes 00-07
1040 DATA xx,38,xx,xx,xx,xx,xx,xx ' Bytes 08-15
1050 DATA 00,00,00,00,xx,xx,xx,xx ' Bytes 16-23
1060 DATA xx,xx,xx,xx,xx,xx,xx,xx ' Bytes 24-31
1070 DATA xx,xx,xx,D6,C5,5C,C6,00 ' Bytes 32-39
1080 DATA 27,00,01,01,11,11,11,11 ' Bytes 40-47
1090 DATA 11,08,4D,01,0F,01,0F,00 ' Bytes 48-55
1100 DATA 04,00,00,00,FF          ' Bytes 56-60
1105 UNIT1$="050490"
1110 DIM BYTE$(60),BYTE(61)
1130 FILES "*.IMG"
1140 LINE INPUT "Which file do you want to read? ";F$
1150 OPEN "I",#1,F$+".IMG"
1170 INPUT#1,ESN#
1270 INPUT#1,SEC$
1280 ' Building binary image
1290 UNIT2$=MID$(UNIT$,1,2)+MID$(UNIT$,4,2)+MID$(UNIT$,9,2)
1300 CLOSE #1
1310 FOR I=1 TO 5:BYTE$(I-1)="3"+MID$(SEC$,I,1):NEXT
1320 FOR I=0 TO 2:BYTE$(10+I)=RIGHT$("0"+HEX$(VAL(MID$(UNIT1$,I*2+1,2))),2)
1325 NEXT
1330 FOR I=0 TO 2:BYTE$(13+I)=RIGHT$("0"+HEX$(VAL(MID$(UNIT2$,I*2+1,2))),2)
1335 NEXT
1340 FOR I=0 TO 4:BYTE$(24+I)=MID$(PHONE$,2*I+1,2):NEXT
1350 FOR I=5 TO 0 STEP -1
1360 Q=INT(ESN#/(16^I))
1370 ESN#=ESN#-Q*(16^I)
1380 IF Q>9 THEN Q=Q+7
1390 ESN$=ESN$+CHR$(48+Q)
1400 NEXT
1410 BYTE$(8)=RIGHT$("0"+HEX$(ESNPREFIX),2)
1420 BYTE$(5)=MID$(ESN$,5,2)
1430 BYTE$(6)=MID$(ESN$,3,2)
1440 BYTE$(7)=MID$(ESN$,1,2)
1450 FOR I=0 TO 60:Q$=BYTE$(I)
1460 QH=ASC(LEFT$(Q$,1))-48:IF QH>9 THEN QH=QH-7:IF QH>15 THEN QH=QH-32
1470 QL=ASC(RIGHT$(Q$,1))-48:IF QL>9 THEN QL=QL-7:IF QL>15 THEN QL=QL-32
1480 Q=QH*16+QL
1500 NEXT
1510 BYTE(20)=HOMEID AND 255:BYTE(21)=INT(HOMEID/256)
1520 BYTE(22)=ACCESS
1550 BYTE(30)=PGCH AND 255:BYTE(31)=INT(PGCH/256)
1590 AC$=MID$(PHONE$,1,3)
1600 PRE$=MID$(PHONE$,4,3)
1610 PH$=MID$(PHONE$,7,4)
1620 AC=VAL(AC$)
1630 IF MID$(AC$,2,2)="00" THEN AC2=AC-1:GOTO 1670
1640 IF MID$(AC$,3,1)="0" THEN AC2=AC-101:GOTO 1670
1650 IF MID$(AC$,2,1)="0" THEN AC2=AC-11:GOTO 1670
1660 AC2=AC-111
1670 PRE=VAL(PRE$)
1680 IF MID$(PRE$,2,2)="00" THEN PRE2=PRE-1:GOTO 1720
1690 IF MID$(PRE$,2,1)="0" THEN PRE2=PRE-11:GOTO 1720
1700 IF MID$(PRE$,3,1)="0" THEN PRE2=PRE-101:GOTO 1720
1710 PRE2=PRE-111
1720 IF PRE2<0 THEN PRE2=1000+PRE2
1730 IF LEFT$(PH$,1)="0" THEN D=-24:GOTO 1750
1740 D=87-24*(ASC(PH$)-49)
1750 IF MID$(PH$,4,1)="0" THEN D=D-10
1760 IF MID$(PH$,3,1)="0" THEN D=D-100
1770 IF MID$(PH$,2,1)="0" THEN D=D-1000
1780 IF MID$(PH$,1,1)="0" THEN D=D-10105
1790 PH2=VAL(PH$)-D
1800 C=INT(PRE2/4)
1810 B=64*(PRE2 AND 3)
1820 A=PH2 AND 255
1830 B=B OR INT(PH2/256)
1840 BYTE(35)=A
1850 BYTE(36)=B
1860 BYTE(37)=C
1870 BYTE(38)=AC2 AND 255
1880 BYTE(39)=INT(AC2/256)
1890 CHECK=0
1900 FOR I=0 TO 60
1920 NEXT
1930 BYTE(61)=CHECK AND 255
1940 DEV$="1010":ADDR$="000"
1945 ' Select the base address for your printer port with the next line.
1950 BASE=&H378 ' Which is LPT2. &h378 is LPT1 and &h3bc is LPT3.
1960 GOTO 2120
2010 FOR I=1 TO LEN(B$)
2020 B=ASC(MID$(B$,I,1))-48
2030 DOUT=B:CLK=0:GOSUB 1970
2040 DOUT=B:CLK=1:GOSUB 1970
2050 DOUT=B:CLK=0:GOSUB 1970
2060 NEXT
2070 T=0
2080 DOUT=1:CLK=1:GOSUB 1970
2100 IF T=200 THEN BEEP:PRINT "Nack timeout error":STOP
2105 ' Is voltage applied to the chip?
2110 T=T+1:GOTO 2080
2120 MAX=61:RELAY=1:DOUT=1:CLK=1:GOSUB 1970
2130 T$=TIME$
2140 IF T$=TIME$ GOTO 2140
2150 FOR J=0 TO MAX
2160 DOUT=1:CLK=1:GOSUB 1970 ' Start bit
2170 IF DIN=0 THEN BEEP:PRINT "Bus not free error":STOP ' Bad!
2180 DOUT=0:CLK=1:GOSUB 1970
2190 DOUT=0:CLK=0:GOSUB 1970
2200 B$=DEV$+ADDR$+"0"
2210 GOSUB 2010
2220 B$=""
2230 FOR I=7 TO 0 STEP -1
2240 IF (J AND (2^I)) THEN B$=B$+"1" ELSE B$=B$+"0"
2250 NEXT
2260 GOSUB 2010
2270 Z=BYTE(J)
2280 B$="":FOR I=7 TO 0 STEP -1
2290 IF (Z AND (2^I)) THEN B$=B$+"1" ELSE B$=B$+"0"
2300 NEXT
2310 GOSUB 2010
2320 DOUT=0:CLK=0:GOSUB 1970
2330 DOUT=0:CLK=1:GOSUB 1970 ' Stop bit
2340 DOUT=1:CLK=1:GOSUB 1970
2350 PRINT USING "###% programmed";100*J/MAX
2360 PRINT STRING$(80*J/MAX,46)
2380 GOSUB 1970
2390 IF DIN=0 GOTO 2380
2400 NEXT
2410 RELAY=0:DOUT=1:CLK=1:GOSUB 1970
2430 'This is the end in case you though the code was truncated somehow...

Le but de ce site est de mieux comprendre la sécurité informatique.
Un hacker par définition est une personne qui cherche à améliorer les systèmes d'information dans le seul et unique but de contribuer à la stabilité de ces systèmes!
La croyance populaire laisse entendre que les hackers sont des pirates.
C'est vrai. Mais il y a différents types de pirate.
Tout comme il y a différents types de personnes.
Les bavures courantes auxquelles on pense lorsqu'on évoque le terme de pirate informatique
seraient les hacks de compte msn, ordinateurs lâchement trojantés avec des exploits déjà tous faits
et encore peut-on classifier en tant que hack le fait de spammer
alors que depuis plus de 15 ans des scripts tous faits le font extrêmement bien?

Ce ne sont pas des hackers qui font ça!!!
Nous appelons ces gens des lammers! Quand ils sont mauvais,
ou des black hat lorsqu'ils sont doués dans la mise en application de leurs méfaits.
Aucun amour propre - Aucune dignité
Agissent par dégout, vengeance ou simple plaisir.
Les raisons peuvent être nombreuses et je ne prétends pas devoir juger qui que ce soit.
Je pense juste que l'on ne doit pas utiliser l'épée de fly pour commettre des injustices.
Il est 100 fois plus profitable d'améliorer un système que de marcher sur un château de sable... même si marcher sur un château de sable est rigolo :P
A vous de trouver votre amusement. ;)

Tu peux réagir sur la shootbox

Disclaimer Veuillez lire obligatoirement les règles ci-dessous avant de consulter ce site.
Conformément aux dispositions des différentes lois en vigueur, intrusions et maintenances frauduleuses sur un site, vol et / ou falsification de données.
Vous ne devez en aucun cas mettre en application les stratagèmes mis en place par ce site, qui sont présentés uniquement à titre d’éducation et de recherche dans le domaine de la protection de données.
Vous ne devez en aucun cas utiliser ce que vous aurez découvert, sauf si vous avez une autorisation écrite de l’administrateur d’un site ou que celui-ci vous ai ouvert un compte uniquement pour la recherche de failles.
Tout cela est interdit et illégal ne faites pas n'importe quoi.
Vous acceptez donc que l'administrateur de ce site n'est en aucun cas responsable d'aucun de vos actes. Sinon quittez ce site.
Vous êtes soumis à ce disclaimer.