author | Andreas Eversberg <jolly@eversberg.eu> | 2016-10-28 20:22:36 +0200 |
---|---|---|
committer | Andreas Eversberg <jolly@eversberg.eu> | 2016-10-29 14:38:48 +0200 |
commit | 42ddd3320ecf94080aabcca18116f1941fcc8986 (patch) | |
tree | 16b5a7c2089c06903d20afdb21193fe815299799 | |
parent | 052fe5d1de34c8113d2e6ec51c115f3e4e8759ab (diff) |
work on docs
-rw-r--r-- | docs/b-netz.html | 59 | ||||
-rw-r--r-- | docs/b-netz_dioden1.jpg | bin | 0 -> 189711 bytes | |||
-rw-r--r-- | docs/b-netz_dioden2.jpg | bin | 0 -> 634487 bytes |
3 files changed, 59 insertions, 0 deletions
diff --git a/docs/b-netz.html b/docs/b-netz.html index ab9cd93..02a2d2b 100644 --- a/docs/b-netz.html +++ b/docs/b-netz.html @@ -14,6 +14,7 @@ <li><a href="#history">History</a> <li><a href="#howitworks">How it works</a> <li><a href="#basestation">Setup of a base station</a> + <li><a href="#hacking">Haking a Phone with security module (Kennungsspeicher)</a> </ul> <p class="toppic"> 
@@ -740,6 +741,64 @@ bnetz.c:439 debug : Sending telegramm 'Trennsignal/Schlusssignal'. ... </pre> +<p class="toppic"> +<a name="hacking"></a> +Kennungsspeicher (The Security Module) +</p> + +<p> +Older phones used soldered jumpers to set the phone number (ID) of the phone. +Just by soldering a different number, the network could be used without paying. +So simple was hacking back then - if you could affort an expensive B-Netz phone. +The security module "Kennungsspeicher" was introduced to prevent using the phone, if it is not inserted into the internal socket. +The idea was to disable unsubscribed phones, just by removing the module. +This module was owned by the German post office and I got a phone without it. +The phone did not work until.... +I hacked this module connector by reverse engineering the firmware. +It's pinout is like this: +</p> + +<pre> +-left side of the security module- +Pin 1 : Select digit 3 +Pin 2 : Select digit 4 +Pin 3 : - (VSS) +Pin 4 : D2 +Pin 5 : D3 +Pin 6 : Select digit 5 +Pin 7 : unknown / unused +Pin 8 : D1 +Pin 9 : D0 +Pin 10: +5V (VDD) +Pin 11: Select digit 2 +Pin 12: Select digit 1 +-right side of the security module- +</pre> + +<p> +D0...D3 must be pulled up (4.7 kOhm resistors to +5V). +The phone will pull each select line to low to access each digit. +The digit on D0...D3 is BCD encoded. +</p> + +<p> +The simplest hack is to connect D3 to +5V to get "88888" as number. +The cool hack is to build a module replacement from diodes, resistors and jumpers. +The jumpers connect the select lines via diodes to the D0...D3 lines. +Each digit requires 4 diodes and 4 jumpers. +The select lines pull the diodes to low voltage and so the D0...D3 lines. +The D0...D3 lines must be pulled up to 5V using a resistor, so they are in high state if not pulled low by a diode. +</p> + +<center><img src="b-netz_dioden1.jpg"/></center> + +<p> +Now I can program any phone just by setting jumers. +I call this "JPROM" (Jumper Programmable Read Only Memory). 
+</p> + +<center><img src="b-netz_dioden2.jpg"/></center> + [<a href="index.html">Back to main page</a>] </td></tr></table></center> </body> diff --git a/docs/b-netz_dioden1.jpg b/docs/b-netz_dioden1.jpg Binary files differnew file mode 100644 index 0000000..aa3dc35 --- /dev/null +++ b/docs/b-netz_dioden1.jpg diff --git a/docs/b-netz_dioden2.jpg b/docs/b-netz_dioden2.jpg Binary files differnew file mode 100644 index 0000000..7a9d1b9 --- /dev/null +++ b/docs/b-netz_dioden2.jpg |
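Review bot: The table-of-contents entry added in the first hunk of docs/b-netz.html misspells its link text as "Haking", and the wording ("Haking a Phone with security module (Kennungsspeicher)") does not match the title of the section it links to ("Kennungsspeicher (The Security Module)"). Suggest "Hacking a phone with security module (Kennungsspeicher)" and using the same title in both places, so the index entry matches the section a reader lands on.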
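Review bot: The paragraphs after the pinout in the second hunk never state the bit polarity or bit order of D0...D3, and as written the "88888" example does not fit the pull-up requirement. If all four data lines are pulled up to +5V and only the diodes pull them low, connecting D3 to +5V leaves D0...D2 high as well, which is not BCD 8. Please state whether a high line reads as a 1 bit, which of D0...D3 is the least significant bit, and whether the simple hack is meant to be done without the pull-ups on D0...D2. Without that, a reader cannot work out the jumper setting for a given digit from the text alone. Smaller points in the same hunk: "affort" should be "afford", "It's pinout" should be "Its pinout", "jumers" should be "jumpers", and the two img tags have no alt text.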