I'd like to say good afternoon everybody. This is going to be my first talk at DEF CON. I'm nervous as hell. Just fucking deal with it. I'd like to say welcome. My name's Terence from War Driving World. I'm sure a couple of you have seen me. Any of you guys bought stuff from us at all? Or nothing? Alright, cool. Don't worry about it. I'm here to get you guys excited about EVDO. I haven't seen anything on it. I'm really looking forward to it, and we're going to have a blast.

Alright. We're going to start out with an intro to EVDO. Very basic shit. Cell phone data. Yay. Fun. Good. Rev 0 was designed in 1999. 700 kilobits per second. Rev A was done: reduced latency, increased data, and it's available now in stores. Designed to be used for VoIP. Rev B was set out for like HD content, HD video. That's going to be coming out in 2008.

And I just want to give you a basic overview of the cards here. There's some form factors which you guys are familiar with. We have the SD card, which you guys are familiar with. We have the S620, which has locked firmware. This is where we're going to get into this stuff. It's got an external antenna port. V620, again locked firmware. 640. PC5200, locked firmware. Dell 5700: MSL all zeros, we can connect to it, but we got that locked firmware issue, so we can't edit files. And then the 740, same deal. Then we got the KPC650, which has got completely unlocked firmware. We can edit it. We can write whatever we want. And this is where the fun begins. Junction links packed. We're going to get to that in a little bit.

And then right now, is anyone familiar with QPST? Awesome. This is the software. Huh? I don't have it. This is the Qualcomm firmware, the Qualcomm software that was developed for the cards, so that we can edit the firmware files and start doing what we want to do. Right now here we're just going to go through how to configure it.
Once you get it loaded on the system, you go to the QPST configuration. You'll see this window, and then you're going to add a new port. When you add the new port, you're going to look for the card that has the UTS, and you're going to have the card, and you get the modem. It's a show here. Let's get it fired up.

All right. Here you can see that we've got the modem enabled and that the MSL is set to all zeroes, and we're able to log on to the card here and see the actual firmware. In here we've got the ESN file, which we can edit. Oh shit. Sorry guys. Here is the... Huh? Fuck. Yeah. All right. Yeah. Now here we can actually edit the ESN file, and this is the only card that's capable of doing it out of all the cards that I've tested. I'm not going to actually go ahead and do it right now because of course it's a felony, but I am going to show you that it is possible to do it.

All right. So what we'll do is, once you've edited the ESN file, well, not... once someone has edited it or not, you're able to load the ESN file back on and overwrite the existing one. It will actually change the ESN. Now some of you guys have cell phones that have both EVDO and regular wireless cell phone. A lot of people have come up and asked: is it possible to take the ESN for your EVDO phone and then move it over to an EVDO card and then connect to it? I can say I've never personally tried it, but I have heard that if you do that, you move it over to the phone, and then the ESN on the phone will connect to just the EVDO. It won't actually connect to the phone network, but you will be able to download packets and download data and stuff just as if it was an internal EVDO card.

Actually, let's go ahead here and move the ESN file over. Oh, sorry. We're going through the QPST configuration and we're connecting to the phone. It came undone when we tried to mess with the computer and display settings.
So what happens here is when we go to create that new file, it will overwrite, and it gives us the options to overwrite the existing one. Then here you select it, you choose the file you'd like, just drop this one in here, and boom, it just overwrote it. If someone was to actually edit the file and change the ESN, it would overwrite it and would change it to that ESN. And this gets to some of the basic theory and concept behind the monitoring of the EVDO packets itself.

We're going to close out of this for a second. I want to show you some more parts of the QPST software for EVDO. Don't worry, we got some nice Linux stuff coming up soon. Right now there's two parts: there's the 1xRTT side, and then there's the EVDO side. A lot of times what will happen is you'll be in an RTT zone and you'll be just one bar less on EVDO, so it's not going to connect to the EVDO network, it's going to connect to the RTT. So you're able to edit the card to only connect to the EVDO side of it with this service programming. And again, it's really nice because this card is unlocked and the MSL is all zeros. Here you see we have many options for the card that we can edit and change. Here we'll read from the phone, and this will pull the existing settings that we have pre-programmed on the phone. Here the preferred network mode will allow you to select which network you want it to connect to, or automatic networks. Yeah, let's go! And then again write it back to the phone. Now here's this interesting tab that we really need to look into. This is capable of turning on and off the security on the card. Oh shit! Huh? It's my Guinness stash! Ha! Ha! Ha!

Also we're able to download the firmware from the card with another part of the software called the software download. This will enable us to back up the files in the phone before we edit it, or if we edit it, and also read through them with some nice editors that they have for us.
Here we're backing up the QCN file off the phone, and then we're going to go into an editor and see what we can change. So here we'll just go through the viewer and then actually... There's some torrents floating around but I've never seen them. Alright, the green demon man. Here we have our QCN file which we had downloaded earlier, and we can also edit each setting in here as well and write them back to the non-volatile RAM. Now it's essential for you to know that if someone was going to go about and edit the ESN file, there's a checksum, similar to a barcode, and there's a checksum calculator. The checksum is the last digit right here, and there's some checksum calculators floating around as well, and you're going to need the checksum calculator to generate the last digit to change the ESN.

Alright, I'm going to go back to the junction patch. Using these cards in Linux has been a bear. I've been using mine for over the past year. I've been using it in Gentoo and I absolutely love it. What it's done for me, I can't begin to explain how many classes it's gotten me through with the teachers talking and stuff like that. What I noticed is when I'm in class at our school we don't have Wi-Fi, so what I was able to do was go out and create sort of like a stompbox for Linux on a live CD, and we're going to present that as well. Yeah. Well, no.

Alright, what I'm going to do now is I'm going to load up my Gentoo distro and I'm going to show you guys the EVDO access point and also the EVDO configuration script. Huh? You really don't want to know. It's my 27th mountain. I have a check force. The range on what? Huh? The access point I'm using is the laptop with wlanconfig, so it's internal. Again, you could use any card that you wanted, well, any Atheros-based card that you wanted, to get any external antenna to get whatever range you're looking for.

So I'm going to give out some free shit. Alright, I've got a free KPC650 card here. The good one. Hmm, I don't know.
We've got to make this damn thing... I don't want to throw this, so, uh, no, no, no, let's... Alright, let's come up with a nice contest that we can give this out with, and uh... What? Anybody want to spot a fed for a card? Alright, this is taking too freaking long, uh... Please spot a hacker. What is Pilgrim's real name? What is Pilgrim's real name? Ha ha ha. Awesome. Awesome. So what up? I got one more. We're almost done. Man, this is really bad.

Alright, what I've heard is when two ESNs connect to the network, they both drop, and then one is, um, deactivated until you call the cell phone company. Wouldn't want to be in that position, but that's what would happen. I mean, does anyone else have any questions at all? Well, when two ESNs connect to the system, they drop both. Yeah, they drop the ESN, and then so the ESN is dead until the person calls back. Um, I wouldn't want to be the one with that account.

Alright, this is all theory, and um, what we want to do is, the basic concept that we have is: if we can match the ESN of another phone, and then have a way to disconnect it from Verizon or not have it go out and connect to Verizon, and be within the range of another card that has the same ESN, what can we do? And this is where we want to work on, what we want to work on, and I wanted to get people excited about this so that we can work on this and go further with this. This card, the KPC650, has opened up a whole new avenue for us to explore that wasn't available before, so it's going to happen, it's going to happen soon. I've heard of TDMA networks being compromised, and I've heard from reliable sources that they are able to monitor TDMA networks, so if they're able to monitor TDMA, why not CDMA?

Ah, here's a good one. Can you use a Sprint ESN on a Verizon card? Can you take a Sprint card and transfer it to Verizon?
And I want to say it's possible. There's a file on the firmware of the card that has the user settings, so the connection string to connect to Verizon or Sprint, and it's there and it's editable. So if you were to, say, take an ESN from a Verizon card, move it over to a Sprint card, and then change the Verizon card to mimic the Sprint card, it should work. It really should work. I can't hear you. Yes, I was going to look into that until I found the KPC650. I had a whole box of cards to go through and edit, and the KPC650 cards were the one that I didn't have to, we didn't have to do any of that, so the files are there and editable and good to go. So I say we stick with the KPC650, move forward with the project, and see what we can do with that.

No, because it's all zeroes on most of them except for the 620s. So like the XV620, the 5700, that's all zeroes, but there's a firmware lock that locks the files from being edited that is not being shown on the Kyocera. Is there any other questions? This seems to be working a little better.

There's no mini PCI. You mean PC Express? The PC Express cards seem to be based off of the 620 chipset and have the same issue. I have one built into the laptop and I was experiencing the exact same thing. Again, the MSL or the SPC was set to all zeroes; you were able to log into the card but you weren't able to edit the files that you want to work with. I'm sorry?
Yes, I haven't done too much work with the USB models, but I'm expecting to see the same results since they're all based off of the same chipsets. The USB cards, all of them, seem to be built on further from the 620 card, all the cards that are out, even the USBs. So what was weird was the Kyocera was the only card that was put up by Kyocera, and this was the only card that we've seen that has that unlocked, so I'm really not expecting them to have the same problem. Come out again with the same issue? Nothing, we just got to go and start working on it, you know, that's why we're here. I really want people to get going with this.

So we're up and going now. Go ahead, and right now this is a tail -f of our /var/log/messages file, and as you see we've just connected with the internal that was built into this. Now I have an internal Atheros card that's built into the laptop, so I wrote this script that's going to be coming out on the live CD for everybody that'll allow you to re-broadcast this over Wi-Fi. I'm going to just bring it back to me for a second; the dialog seems to be a little cranky with the resolution all out of whack, but we're going to go ahead and do it anyways. Here we're going to select our network name, well, here we're able to select our network name, run it, and then it automatically does everything for you, all the routing and all the routing tables, so that you can come back and have a wireless network with EVDO that has DHCP support, and you can now allow your friends to connect while you're in the vicinity of the area.

I'll talk to you later. Is there any other questions? I'm sorry, that's an open question. Cool, that sounds good. We're going to move this over to track 1 Q&A. Thank you guys.
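The connection-sharing script the talk demonstrates is not on the page. What follows is an added example, not the speaker's live-CD script, of the same setup: routing and DHCP from a Wi-Fi card to the EVDO PPP link, with the access point locked to WPA2 instead of left open, so passers-by cannot ride the cell link or sniff it. The interface names ppp0 and wlan0, the 192.168.77.0/24 range, and hostapd and dnsmasq as the AP and DHCP tools are assumptions.

```shell
#!/bin/sh
# Added example (not the speaker's script): share an EVDO PPP uplink over a
# laptop Wi-Fi card as an access point. Interface names are assumptions.
WAN_IF="${WAN_IF:-ppp0}"      # EVDO card as brought up by pppd (assumed)
LAN_IF="${LAN_IF:-wlan0}"     # Wi-Fi card that becomes the AP (assumed)
LAN_NET="192.168.77.0/24"     # constructed private range for clients
LAN_GW="192.168.77.1"
DRY_RUN="${DRY_RUN:-0}"       # DRY_RUN=1 prints each command instead of running it

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# hostapd config: WPA2-PSK with CCMP rather than an open network, so only
# people holding the passphrase can join the EVDO-backed network.
write_hostapd_conf() {
  ssid="$1"; psk="$2"; out="$3"
  cat > "$out" <<EOF
interface=$LAN_IF
ssid=$ssid
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=$psk
EOF
}

# NAT plus forwarding: new flows only from the Wi-Fi side toward the cell link,
# replies only back in; everything else forwarded is dropped.
share_uplink() {
  run sysctl -w net.ipv4.ip_forward=1
  run ip addr add "$LAN_GW/24" dev "$LAN_IF"
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
  run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
  run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
      -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -j DROP
  # DHCP for the clients; dnsmasq daemonises on its own
  run dnsmasq --interface="$LAN_IF" --dhcp-range=192.168.77.10,192.168.77.50,12h
}
```

Run `DRY_RUN=1 share_uplink` first to review the rules, then start hostapd on the generated config and call share_uplink as root once ppp0 is up.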