author Andreas Eversberg <jolly@eversberg.eu> 2016-10-28 20:22:36 +0200
committer Andreas Eversberg <jolly@eversberg.eu> 2016-10-29 14:38:48 +0200
commit 42ddd3320ecf94080aabcca18116f1941fcc8986
tree 16b5a7c2089c06903d20afdb21193fe815299799 /docs
parent 052fe5d1de34c8113d2e6ec51c115f3e4e8759ab
work on docs
Diffstat (limited to 'docs')
-rw-r--r-- docs/b-netz_dioden1.jpg bin 0 -> 189711 bytes
-rw-r--r-- docs/b-netz_dioden2.jpg bin 0 -> 634487 bytes
3 files changed, 59 insertions, 0 deletions
diff --git a/docs/b-netz.html b/docs/b-netz.html
index ab9cd93..02a2d2b 100644
--- a/docs/b-netz.html
+++ b/docs/b-netz.html
@@ -14,6 +14,7 @@
<li><a href="#history">History</a>
<li><a href="#howitworks">How it works</a>
<li><a href="#basestation">Setup of a base station</a>
+ <li><a href="#hacking">Haking a Phone with security module (Kennungsspeicher)</a>
<p class="toppic">
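Review bot: The added table-of-contents entry misspells "Hacking" as "Haking", and its text ("Haking a Phone with security module (Kennungsspeicher)") differs from the title used in the section the anchor points to, "Kennungsspeicher (The Security Module)". Suggest fixing the spelling and using one title in both places so readers can match the index entry to the section.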
@@ -740,6 +741,64 @@ bnetz.c:439 debug : Sending telegramm 'Trennsignal/Schlusssignal'.
+<p class="toppic">
+<a name="hacking"></a>
+Kennungsspeicher (The Security Module)
+Older phones used soldered jumpers to set the phone number (ID) of the phone.
+Just by soldering a different number, the network could be used without paying.
+So simple was hacking back then - if you could affort an expensive B-Netz phone.
+The security module "Kennungsspeicher" was introduced to prevent using the phone, if it is not inserted into the internal socket.
+The idea was to disable unsubscribed phones, just by removing the module.
+This module was owned by the German post office and I got a phone without it.
+The phone did not work until....
+I hacked this module connector by reverse engineering the firmware.
+It's pinout is like this:
+-left side of the security module-
+Pin 1 : Select digit 3
+Pin 2 : Select digit 4
+Pin 3 : - (VSS)
+Pin 4 : D2
+Pin 5 : D3
+Pin 6 : Select digit 5
+Pin 7 : unknown / unused
+Pin 8 : D1
+Pin 9 : D0
+Pin 10: +5V (VDD)
+Pin 11: Select digit 2
+Pin 12: Select digit 1
+-right side of the security module-
+D0...D3 must be pulled up (4.7 kOhm resistors to +5V).
+The phone will pull each select line to low to access each digit.
+The digit on D0...D3 is BCD encoded.
+The simplest hack is to connect D3 to +5V to get "88888" as number.
+The cool hack is to build a module replacement from diodes, resistors and jumpers.
+The jumpers connect the select lines via diodes to the D0...D3 lines.
+Each digit requires 4 diodes and 4 jumpers.
+The select lines pull the diodes to low voltage and so the D0...D3 lines.
+The D0...D3 lines must be pulled up to 5V using a resistor, so they are in high state if not pulled low by a diode.
+<center><img src="b-netz_dioden1.jpg"/></center>
+Now I can program any phone just by setting jumers.
+I call this "JPROM" (Jumper Programmable Read Only Memory).
+<center><img src="b-netz_dioden2.jpg"/></center>
[<a href="index.html">Back to main page</a>]
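Review bot: The signal polarity of D0...D3 is not documented, and the two hacks in this section appear to assume different wiring. The "88888" line says that tying only D3 to +5V yields digit 8, which requires D0...D2 to read low, while the note after the pinout says D0...D3 must be pulled up to +5V. Suggest stating whether the pull-ups apply only to the diode replacement module, and whether a fitted jumper (data line pulled low through its diode during select) encodes a 1 bit or a 0 bit, ideally with one digit worked through. Smaller points in the same hunk: "affort" should be "afford", "It's pinout" should be "Its pinout", "jumers" should be "jumpers", and both img tags have no alt text.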
diff --git a/docs/b-netz_dioden1.jpg b/docs/b-netz_dioden1.jpg
new file mode 100644
index 0000000..aa3dc35
--- /dev/null
+++ b/docs/b-netz_dioden1.jpg
Binary files differ
diff --git a/docs/b-netz_dioden2.jpg b/docs/b-netz_dioden2.jpg
new file mode 100644
index 0000000..7a9d1b9
--- /dev/null
+++ b/docs/b-netz_dioden2.jpg
Binary files differ