lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: d4yj4y at yahoo.com (Day Jay)
Subject: Chung's Donut Shop Release: Hacking Sprint PCS Vision

Please see the below write-up on hax0ring Sprint PCS
Vision. 

Enjoy ;)

d4yj4y
day to the motherf_cking jay!

Chung's Donut Shop Proudly Presents 
www.chungsdonutshop.com

Hacking Sprint PCS Vision
======================================
Why pay when built in features are gay?
by aRgus
argus@...gnsdonutshop


The Tao of Chung
vol 1.0

"Free", "Unlimited", 24/7 Mobile Internet 
      (or hacking Sprint PCS Vision)
             by aRgus Chung
 

(                           )
 >==[ Table of Contents ]==<
(                           )

  :[  Preface 
  :[ "Unlimited" Internet 
  :[  Materials
  :[  Putting it all together
  :[  Debug Codes/etc


(                 )
 >==[ Preface ]==<
(                 )



  :::[ What this is not - aka - No this isn't a
cloning tutorial dumbass ]::::::::::::::::

     This tfile is on obtaining unlimited internet
access with a PCS
     Vision-enabled phone. This is not a HOWTO on
cloning, cellular
     theft, or eavesdropping. There are a number of
quality docs on
     these subjects already. Go find them.

  :::[ End Disclaimer
]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::



  Sprint recently released their 3g, color-screen line
under the name "PCS Vision". The first
  of these was the Sanyo 4900, followed by 2 offerings
from Samsung the A500 and the N400.

  In the early stages, Sprint was charging by the MB
for Vision Internet services. Then Chung
  wrote a script to run up a pretty hefty bill on any
given Vision enabled phone. Sprint
  was made aware of this by CDS labs and a shirt was
requested. This shirt was never received.

<speculation>

  Instead, as if by coincidence, a large number of
Sprint customers began having their bills
  "remotely adjusted". Then Sprint made Vision
"unlimited" for consumer users, as they could
  not block certain scripts written by certain donut
vending Asians.

</speculation>

  So now there exists a java enabled, mobile device
with "unlimited" 24/7 internet access. Neat.




(                              )
 >==[ "Unlimited" Internet ]==<
(                              )



   We must first define "Unlimited". Sprint defines it
as "Unlimited access for PHONES". Meaning,
   if your stupid ass is pulling down mp3s and other
bandwidth hogging media, your account will
   be terminated, without notice, and you will be
liable for any pending charges, including early
   termination of your service. In other words, be
smart, be conservative, don't get caught.

   I check mail, I ssh here n there, I don't hit up
high content sites, and I don't pull down
   any file over 800k. I also make use of the vision
service during my peak minutes. When I 
   have free air time (nights and weekends) I use my
phone as a dialup modem to my primary ISP.

   I know of people who use it all the time, every
day, all day. They haven't been terminated.
   Just be forewarned. It's your funeral.


(                   )
 >==[ Materials ]==<
(                   )


   1. Any PCS Vision Enabled Phone (duh)
   2. A SnapSync (tm) or comparable data cable
   3. Your box (for this example a linux lappy)



(                      )
 >==[ Drivers etc. ]==<
(                      )


   To make use of the data cable, you need ACM over
USB enabled (it's in make menuconfig), and
   hot plugging enabled. Below are the ppp connection
scripts. "man pon" for for info.

   


#################
#The ppp script:#
#################

noauth
connect "/usr/sbin/chat -v -f
/path/to/ChungChatScript"
defaultroute
usepeerdns
/dev/ttyACM0
230400
local
novj


################
#The Chatscript#
################


TIMEOUT         5
ABORT           '\nBUSY\r'
ABORT           '\nERROR\r'
ABORT           '\nNO ANSWER\r'
ABORT           '\nNO CARRIER\r'
ABORT           '\nNO DIALTONE\r'
ABORT           '\nRINGING\r\n\r\nRINGING\r'
''              \rAT
TIMEOUT         12
OK              ATD#777  
TIMEOUT         22
CONNECT         ""





(                    )
 >==[ Codes etc. ]==<
(                    )

  Almost all of information and services in this
section require you obtaining you MSL
  code. This can easily be obtained through some
polite interaction with a customer
  support rep.

  Do not ask for your MSL outright, just tell them you
vision service isn't working
  and you get an error that says "IP Conflict" or
something similar.

  ##2769737 (##BROWSER) 
  ##3282 (##INFO) - NAI info.
  ##3283 (##DATA) 
  ##786 (##RUN) 
  ##2539 (##AKEY) 
  ##889 (##TTY)
  ##7738 (##PREV) - MSL Change
  ##8626337 (##VOCODER) - Encoder Sample Rate
 

  Test Mode:

       *NOTE* I have an n400, and have only tested the
following on my rig.

  Testmode is the true debug mode for PCS vision
phones.


  Dial: 47*869#1235

  Test Mode Codes
 
   001 suspend                                 
   002 reboot 
   004 display mode 
   005 set mode (PCS, CDMA, AMPS)
   011 Carrier : ON 
   012 Carrier : OFF 
   014 CHAN set 
   015 CdTk_adj set 
   016 CD TXagc set 
   018 FM TXagc set 
   019 LNA Gain set 
   020 LNA Rs set (LNA Rs[0] - LNA Rs[8]) 
   021 SIOMODE (SSHF, QXHF, QXDM, SSDM) 
   022 TEST_S 
   023 DATA Svc : ON 
   024 DATA Svc : OFF 
   031 MRU TABLE: MRU set/select 
   032 Send NAM 
   033 Send S/W version 
   034 Send ESN 
   035 Product Info 
   038 Clr Memory (00-55) 
   039 Send P Info 
   040 PRD Info set/select 
   041 Backlight ON 
   042 Backling OFF 
   043 Lamp ON 
   044 Lamp OFF 
   045 Vibrator ON 
   046 Vibrator OFF 
   047 DTMF ON (0-9) 
   048 DTMF OFF 
   049 Contrast set 
   050 Front LCD contrast set 
   051 BATT TYPE/ID show 
   052 RD Bat Value 
   053 Stdby Batt 
   054 Talk Batt 
   055 WR Batt 
   056 Chrg_lvl 
   057 Therm_lvl 
   058 Reactive Input 
   060 RD_Rssi set 
   061 PCSRxRAS show [00 - 1 
   062 WrPCRX show [00 - 16] 
   063 TXPCS[01-16] show 
   064 PCSFL[00-16] show 
   065 PCS_lmt set 
   066 PCS_temp show/set 
   090 GPS_DOPP set 
   091 GPMS Mode show 
   092 D_GPSP set 
   093 D_PCS set 
   095 GPS_ANT set 
   096 GPC_BCNT set 
   097 GPC_LCA set 
   098 GPS_LOSS set 
   099 D_GPSC set 
   100 D_CDMA set 
   121  
   122 PCM loop on 
   123 PCM loop off 
   124 PCM[00-11] on/off (Handset RX/TX/SL Headset
RX/TX/SL New HFK RX/TX/SL EXT AUD    RX/TX/SL 
   125 GAIN[00-19] set 
   126 GAIN[00-07] set 
   131 Get PCS Dat1 
   132 Get PCS Dat2 
   133 Get PCS Dat3 
   134 Get CDMADat1 
   135 Get CDMADat2 
   136 Get CDMADat3 
   137 Get AMPSData 
   138 Get AudData1 
   139 Get AudData2 
   140 Get AudData3 
 
   

   FSM - Field Service Menu

   MENU010 - Unlock Code: 040793



 Hopefully this comes of use to someone. Chung like
koi.



__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: hackingSprintPCSVision.txt
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030502/5ba7089d/hackingSprintPCSVision.txt

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ