infosurge/7

  Official Web Site    -> http://infosurge.rendrag.net
  Official Submissions -> phase5@cmdrkeen.net
  issue #7: 08/10/2000

  "[14:15] i said 'elite cool see you at 8'"

  a  Intro ............................................ phase5
  b  Editorial ................................... damir d0kic
  --------------------------------------------------------
  1  Syslog Exploit ..................................... fyre
  2  Webservers and You ................................. eckz
  3  Australian Bandwidth .............................. alpha
  4  One Time Passwords ................................ aphex
  5  Cellular Networks ........................... galapogos01
  6  Fibre Optics and SONET ............................ lymco
  7  CDMA ............................................. phunki
  8  Bash Scripting .................................... lymco
  9  More Ericsson Fun ................................ analog
  --------------------------------------------------------
  c  Outro ............................................ phase5
  d  total ................................ infosurge (84.5kb)

  [ (c) october 2000 ]

 .......................[ shouts ]........................

  shard jestar lymco eckz fyre ikari phunki marlinkspike
  fleabag bsdave damien k karag- xm beatz assass|n
  synister cmdrkeen ghengis tux x-circuit alpha aphex
  Wewted cyberpuppet fed0

-[ \\\\\ ]-----------------------------------------------------------------
 Editorial ..............................[ damir d0kic ].........
-[ \\\\\ ]-----------------------------------------------------------------

  "USA Open is crime organisation. USA Open, this moment, this
  moment . . . all organisation for New York . . . USA, USA is big
  crime organisation."

-[ \\\\\ ]-----------------------------------------------------------------
 Syslog Exploit .........................[ fyre ]................
-[ \\\\\ ]-----------------------------------------------------------------

Most Linux system administrators (and home users) keep a close watch on their system logs. The reasons are many and varied: diagnosing faulty hardware, finding out what happened to an important daemon, and watching for break-in attempts are some of the most popular. System logs are a very important tool, but a large number of people don't fully understand the shortcomings of the system. Messages are sent from programs (usually daemons) to syslogd(8) through a UNIX domain socket, /dev/log, using the C library function syslog(3).
When syslogd receives a message from /dev/log, it decides what to do with it based on the rules in syslog.conf(5); the most common action is to write the message to a logfile. The problem is that /dev/log is world-writable in most situations: anyone can send messages to the system log. Worse yet, if the message is prefixed with "??? ?? ??:??:?? " (where ? is any character), syslogd assumes that it is a timestamp and does not bother to add a timestamp of its own. For example, "MOO CO W!:MO:O! " is, to syslogd, a valid timestamp.

This diagram shows the format of a normal system log message, plucked at random from /var/log/messages:

    Sep 29 14:27:03 abyss ftpd[623]: FTP session closed
    \_____________/ \___/ \__/ \_/   \________________/
       timestamp   hostname  |   pid     message body
                          program

Only one of those five components cannot be supplied through /dev/log: the hostname. In other words, a malicious user of your system could send a message to /dev/log (which is by default world-writable on most Linux distributions) containing an arbitrary timestamp (with some restrictions, discussed later), program name, process id and message body. At the very least, this is annoying. Imagine what would go through your mind if you saw this message floating around your logs:

    Sep 29 15:41:35 abyss PAM_pwdb[1247]: (su) session opened for user root by nobody(uid=99)

You would panic. You could not tell for certain whether your machine had been compromised. There lies the single greatest flaw of the system logging mechanism on Linux (and the BSD Unices, among others): any user may write to the system log. If an event happened (nobody su'd to root), you can be fairly certain that on a properly configured system a message similar to the one above will appear in a logfile somewhere. However, the converse is not necessarily true: a message in the log does not mean the event happened.

Consider this situation: user `bob' has a grudge against user `joe', so decides to create some incriminating log messages. bob decides it'd be fun to make it look like joe was trying ELiTE 0hDaY 5PL01t5.
In order to make it more credible, he waits for joe to log in (or sets up a cron job to do so) so that wtmp shows that joe was logged in at the time (and, if bob used a cron job, wtmp would show that bob was no longer online). By writing his evil message to /dev/log, bob creates the following entry in the system log:

    Sep 30 17:25:17 abyss PAM_pwdb[1292]: authentication failure; joe(uid=509) -> root for su service

Just in case that didn't anger the administrator, bob creates the following message the same way (the "last message repeated" line is ordinarily generated by syslogd itself, but nothing stops a client from sending it as a message body):

    Sep 30 17:36:49 abyss last message repeated 527 times

The icing on the cake is the next message:

    Sep 30 17:36:49 abyss PAM_pwdb[2527]: (su) session opened for user root by joe(uid=509)

The administrator reads these messages, panics and (hopefully) brings the system down into single-user mode. From those messages he probably infers that joe managed to crack the root password by brute force. Perhaps joe gets his account suspended or deleted, is referred to the police, or is fired.

Yet another problem with syslogd is that it can be used to send anonymous broadcast messages a la wall(1), and it ignores the mesg(1) state of terminals.

There are quite a few approaches that can be taken to restrict who may write messages to the system log. Perhaps the most straightforward is to remove the world-writable bit from /dev/log, change the group ownership to a new group `log' and put everyone who needs to write log messages in that group. The drawback of this approach is that syslogd removes and recreates the /dev/log socket each time it starts up, effectively changing the ownership back to root:root and making it world-writable again. Changing this behaviour requires a trivial modification to the syslogd source code. Another solution would be to harness the SCM_CREDENTIALS ancillary message, which allows credentials (pid, uid and gid) to be passed through a UNIX domain socket (see unix(7)). Unlike anything in the message text, those credentials are checked by the kernel: an unprivileged sender can only attach its own pid and a uid and gid it actually holds, so syslogd would finally know who really sent each message.
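The following Python program is an added example; it is not fyre's logmsg.c, which follows the article in uuencoded form. It builds the same forged PAM_pwdb datagram bob writes (hostname omitted, since syslogd adds that), reproduces the timestamp heuristic from sysklogd 1.3's logmsg() so you can see exactly why "MOO CO W!:MO:O! " passes, shows a stricter timestamp check, and demonstrates over a socketpair what SO_PASSCRED/SCM_CREDENTIALS gives a receiving daemon: a kernel-supplied uid that the sender cannot choose. The sample message and the PRI value are constructed for the demonstration; writing to the real /dev/log is a separate function that nothing here calls.

```python
import os
import re
import socket
import struct

# syslog(3) facility/severity numbers; the PRI prefix is facility*8 + severity.
LOG_AUTH = 4
LOG_NOTICE = 5

# Constructed sample, modelled on the forged "session opened" line in the
# article.  The hostname ("abyss") is NOT part of the datagram: syslogd adds it.
FORGED_TIMESTAMP = "Sep 30 17:36:49"
FORGED_PROGRAM = "PAM_pwdb"
FORGED_PID = 2527
FORGED_BODY = "(su) session opened for user root by joe(uid=509)"

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def build_datagram(facility, severity, timestamp, program, pid, body):
    """Build the exact bytes a client writes to /dev/log.

    Only the <PRI> prefix has structure; timestamp, program name, pid and
    body are free text chosen by the sender, which is the whole problem.
    """
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {program}[{pid}]: {body}".encode()


def split_pri(datagram):
    """Return (pri, text).  A missing PRI is treated as 13 (user.notice)."""
    m = re.match(rb"<(\d{1,3})>(.*)", datagram, re.DOTALL)
    if not m:
        return 13, datagram
    return int(m.group(1)), m.group(2)


def sysklogd_adds_date(datagram):
    """Reproduce the sysklogd 1.3 heuristic from logmsg(): if the text after
    the PRI is at least 16 bytes long with spaces at offsets 3, 6 and 15 and
    colons at 9 and 12, it is taken to carry a timestamp and syslogd does NOT
    prepend its own.  Returns True when syslogd would add a real date."""
    _, text = split_pri(datagram)
    if len(text) < 16:
        return True
    looks_like_date = (text[3:4] == b" " and text[6:7] == b" " and
                       text[9:10] == b":" and text[12:13] == b":" and
                       text[15:16] == b" ")
    return not looks_like_date


def strict_timestamp_ok(datagram):
    """A stricter check: month, day and time must be real values.  It rejects
    the "MOO CO W!:MO:O! " junk the article describes, but it still cannot
    tell a *plausible* forged timestamp from a genuine one."""
    _, text = split_pri(datagram)
    m = re.match(rb"([A-Z][a-z]{2}) ([ 0-3]\d) ([0-2]\d):([0-5]\d):([0-5]\d) ", text)
    if not m:
        return False
    month = m.group(1).decode()
    day, hour = int(m.group(2)), int(m.group(3))
    return month in MONTHS and 1 <= day <= 31 and hour < 24


def send_to_dev_log(datagram, path="/dev/log"):
    """Write straight to the log socket, bypassing syslog(3) as logmsg.c does.
    Returns False if the socket is absent or not writable (for instance after
    the world-writable bit has been removed as suggested above)."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.connect(path)
        s.send(datagram)
        return True
    except OSError:
        return False
    finally:
        s.close()


def peer_uid_from_kernel():
    """What SCM_CREDENTIALS buys a log daemon: with SO_PASSCRED set on the
    receiving socket, the kernel attaches the sender's real pid/uid/gid to
    every datagram, so the daemon need not believe anything in the text.
    Returns True if the kernel-supplied uid equals this process's uid, or
    None on systems without SO_PASSCRED (non-Linux)."""
    if not hasattr(socket, "SO_PASSCRED"):
        return None
    rx, tx = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        rx.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        tx.send(build_datagram(LOG_AUTH, LOG_NOTICE, FORGED_TIMESTAMP,
                               FORGED_PROGRAM, FORGED_PID, FORGED_BODY))
        ucred_size = struct.calcsize("3i")  # struct ucred { pid, uid, gid }
        _msg, anc, _flags, _addr = rx.recvmsg(4096, socket.CMSG_SPACE(ucred_size))
        for level, ctype, data in anc:
            if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
                _pid, uid, _gid = struct.unpack("3i", data[:ucred_size])
                return uid == os.getuid()
        return False
    finally:
        rx.close()
        tx.close()


if __name__ == "__main__":
    forged = build_datagram(LOG_AUTH, LOG_NOTICE, FORGED_TIMESTAMP,
                            FORGED_PROGRAM, FORGED_PID, FORGED_BODY)
    print(forged.decode())
    print("syslogd would add its own date:", sysklogd_adds_date(forged))
    print("junk accepted as a date:", not sysklogd_adds_date(b"<37>MOO CO W!:MO:O! hello"))
    print("strict check accepts the forgery anyway:", strict_timestamp_ok(forged))
    print("kernel-supplied uid matches sender:", peer_uid_from_kernel())
```

The point of the last function is the one the article makes about SCM_CREDENTIALS: the receiving side learns the sender's identity from the kernel, not from the message, so a syslogd built on it could refuse or tag messages from uids outside a permitted range without trusting a single byte of what was sent.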
Using SCM_CREDENTIALS requires modifications to the receiving end (syslogd) and the sending end (syslog() in libc), but it is the most extensible approach in the long run. Since on most systems all system accounts have a UID below some fixed number (100, 500 and 1000 are common), a simple test could be performed to see whether a user should be able to write to the logs, or a configuration file (perhaps /etc/syslog.allow) could list the allowed users.

A program that can be used to demonstrate the problems discussed follows this article. To extract it, use the following Unix command:

    tr -d '\r' logmsg.c

The program writes directly to the /dev/log socket, bypassing the C library syslog(3) routine. It has been tested on Red Hat Linux 6.2 with Linux 2.4.0-test8 and syslogd 1.3-3. Other operating systems or distributions of Linux (older versions of Red Hat Linux, for example) may require changing SOCK_DGRAM to SOCK_STREAM in logmsg.c to work correctly.

Until the issue of authenticating log messages is sorted out, good advice would be to take log messages with a grain of salt.

Fyre

begin 600 logmsg.c.gz
M'XL("(87W#D"`VQO9VUS9RYC`(61;VO",!#&7S>?XJ@P6JUS@S$8NH%L.F1_
M<1,$)R5+4@V+J;2IKAM^]UU:=6P*OBA3BM1,95Q`*],R-?QX>D4J
M6RW-TT8:LP]A=O5,_],,5_)]1Y.QE8C4!F94:O!L19,)"X!-:0)5K!>CL4^^
MB6-;$6\2)S5)Q@Q8-.4\"3,-:::Q4:S,::YBRD=G)Q?G8[@$UVT2XEB?6JU9
M%*Q>QV(YE4J`5Q!\0'_KRZ@!;^T0E'2_N:_E@ELTMKZ_QBNR9_Q-VWGB1!Q/
M*D,#[[D;#AY[PP!>GJ[OPIO;?OLA@!/K*R/P<+2%?\5I6ZZ6;/$I
MT:0S[+V&W7;O?M#O^`4>^1@_?F%$9U+E2&R7I#(\-L_!VXS,J9GB?0TN%@T5
M3]P-G<5:"TP9SPAP^F_D4/6/<#F`5'Z)./)V7\3W]QR_]CQTO<4O$VE$"=^&
@B!0E]"94'VIPNH]2K!YB,!6GA3\**_(#ON/[N>@"````
`
end

-[ \\\\\ ]-----------------------------------------------------------------
 Webservers and You .........................[ eckz ]............
-[ \\\\\ ]-----------------------------------------------------------------

Lately on the good ol' IRC I have been getting asked how to get into webservers.
Yes, there are the obvious reasons for "I want to be elite and deface the webpage", which is a phase we all go through (admit it), but whether or not we actually do it is another story. But from the people who have been messaging me asking for help with holes like phf, nph-test-cgi, perl.exe, cgiwrap and (this never ceases to amaze me) RDS, I thought the Australian sector of the internet mustn't be very secure if old, well-known and just plain obvious holes are sitting there wide open on webservers. So I went off, with my trusty perl scanner in one hand and my 4-heaps-of-Jarrah, 4-scoops-of-sugar coffee in the other. Amazingly, I wasn't very surprised.

Web admins are doing their usual effort in the workplace: scratching their nuts, watching South Park episodes and flicking their secretary's bra strap on their walk past to the toilet, so they can sit, take a huge dump and read their latest IT News Week mag. While they are on the toilet, heaving and jizzing in amazement that they too can own their own Linux penguin coffee mug even though they run Windows, that big maxi tower they sit at 24/7 is having some problems. As said in Hackers: "errr, Mr The Plague, the accounting subdirectory is working really hard on the Gibson, its workload is enough for about 10 users, I think we've got a hacker." By Jesus! You've got it right, and right now that user is logged on as root and is about to rm -rf your accounting subdirectory and the rest of your damn server.

Back on track. As I sat at my computer drinking my coffee, smoking my cigarette and eating my muffin, I saw multiple common holes popping up on servers:

    20x.xx.xxx.xxx  - /msads/Samples/SELECTOR/showcode.asp
    10.xx.xx.xxx    - /msadc/msadcs.dll
    13x.xxx.xx.xxx  - /cgi-bin/nph-test-cgi
    13x.xxx.xx.xxx  - /cgi-bin/websendmail
    10.xx.xx.xxx    - /cgi-bin/view-source

Now this one, /cgi-bin/jj, cracked me up quite a lot.
An Australian government department, one that is well known and, from my knowledge, would probably hold sensitive information, with holes like these. (No, it wasn't fake, I checked.) Since the discovery of RDS and the worldwide abuse of the tool, you would think admins would either change the server over to some type of Linux or patch the hole. Not the case: one server, which I won't name, but which belongs to quite a big firm and holds f**king unmentionable data, was vulnerable to not only RDS but another 5 CGI holes and the almighty NetBIOS null session. While my Slackware machine was still scanning I moved over to my Windows machine, opened up My Computer, clicked on Web Folders, typed in the address and was stunned by the results. I had connected with full access privileges to upload/download/rewrite/delete anything in the web root folder. But it didn't stop there. The actual web server was a Windows NT 4.0 Server firewalled by a Red Hat 6.0 machine. The reason for this firewall was simple: their entire network, every office workstation, server, penis extension, you name it, was connected to the webserver, for the webserver was their main server. More things that put me on the floor laughing kept coming at me. They had a little ASP interface coded to browse through some directories on the webserver that weren't available to the public. Opening login.asp in the web browser put me at a user/pass screen. Opening it in Notepad had me shocked:

    user=administrator
    pass=(not shown for obvious reasons)

I simply entered them into the user/pass screen and I had gained access to where they stored some more "sensitive files". Then I found they had Microsoft Exchange or some bullshit webmail client like that. Opened the web browser and typed in the address. "This is a secure site, please enter a username and password to continue". Thinking, "It won't work, you couldn't be that stupid"... it logged in.
Now, because yes, I do fear Bubba, and I don't want to go to jail, and I want my ass to stay a nice clean virgin, I'm not saying what I found, but it was choice material. Now if I was fed0, I could have just fucked over their whole mailbox. Uploaded trojans and viruses by the dozen. Raped the absolute shit out of the network and run like mad from ASIO. Instead, I left everything as is (except the logs of course), mailed the admin and told him everything that had been done, how it had been accomplished and how to fix it. About 2 hours into the next morning's business hours I got an e-mail thanking me for the heads-up on what had happened and the advice I had given him.

...Admins
Don't leave stupid little holes such as those open on your networks. You will be compromised, and if it isn't by someone with a clue, it will be by a stupid little kid who wants to write "1 0wn j00 fuX" all over your main page and change all your passwords.

...Kids and kids alike
Brains, kiddies, brains. If I had decided to alter one file or decided to change some shit, rape would have been inevitable.

...Moral of the story
- Sitting up late makes your brain scatter
- 4 heaps of Jarrah, 4 sugars and cigarettes keep you awake all night
- Farts smell funny
- Stupid little web holes are out there; do your research and you will find them, and not only webpages are stored on webservers. They can hold, or be hooked up to, a lot more info than you first thought.

...Outro
It would be much appreciated if government officials didn't come around to my house, for I really don't have time for you between drinking beer and IRC, I'm sorry. The firm I got into had some shit going for them anyway; I knew some people that wanted to take them down and make them go out of business. If the people they had gotten to take down the firm had had the clue to look for small things like I did, the firm would be quite royally fucked.
Yes, I told them about people wanting to take them out too; I think it helped in the process of them securing their servers faster.

    that mail thang - eckz@shagz.org
    i seek you      - 66615966
    eye are see     - Austnet/#phreak
    linkage         - http://users.rendrag.net/~eckz

mad propz - back-hand security labs (p0lski style), !@!_HuNnY_!@! (werd to blonde surfie chicks that like me), learn_to_hate (your nose is fucking HUGE!), Bonox Crew (getting drunk, all day, everyday)

-[ \\\\\ ]-----------------------------------------------------------------
 Australian Bandwidth .......................[ alpha ]...........
-[ \\\\\ ]-----------------------------------------------------------------

As you probably know, bandwidth in Australia isn't too flash. As the new-but-old technologies make their way into your house, will we all feel the bandwidth shortage bite? The answer is yes! If you don't already know, Telstra is one of the biggest bandwidth providers in Australia. It has an established internal and international network. Here are some of the key details of the international network:

  * 980Mbps to the USA
  * 45Mbps to New Zealand
  * 55Mbps to Japan
  * 8Mbps to South Korea
  * 10Mbps to Hong Kong
  * 49Mbps to Singapore
  * 2Mbps to Taiwan
  * 2Mbps to Malaysia
  * 8Mbps to China

As you can see it isn't too large, and when 'unlimited' broadband access was introduced in the form of cable by Optus/Excite@Home and Telstra, the bandwidth bite started to kick in and dialup users and ISPs had serious bandwidth problems. Telstra has acknowledged the problem and has decided to extend the USA link to 1.4Gbps by the 2000 Sydney Olympics. Although our internal bandwidth isn't really suffering, I will give you some important information on what our links are like.
Here is the plan of the internal network:

  * 8Mbps   Perth - Darwin
  * 620Mbps Perth - Sydney
  * 620Mbps Perth - Adelaide
  * 8Mbps   Darwin - Adelaide
  * 310Mbps Adelaide - Melbourne
  * 310Mbps Brisbane - Sydney
  * 620Mbps Sydney - Melbourne
  * 310Mbps Sydney - Canberra
  * 310Mbps Canberra - Melbourne
  * 34Mbps  Melbourne - Hobart

This really isn't much compared to US networks, but we can't really expect more, because Australia is so spread out and fast links cannot be sustained over long distances without repeaters of some sort. This is very much unlike the USA, which has cities very close together that are mostly already cabled, unlike Australian networks, which don't really have any gigabit backbones. I hope this little article has shed some light on the bandwidth Australia hasn't really got and why it is taking so long for broadband access at uncapped high speeds.

- alpha

-[ \\\\\ ]-----------------------------------------------------------------
 One Time Passwords ........................[ aphex ]............
-[ \\\\\ ]-----------------------------------------------------------------

-=->Intro
Just the other day I was reading phunki's article in is4 titled 'Cryptology & the Magic Bullet'. It got me thinking about one-time passwords: how to set them up on a system, how they are generated, etc. So I asked phase if he wanted an article. The answer was yes, of course. Refer to that article for some background knowledge.

Clear-text, 'reusable' passwords that travel over a network simply aren't secure, so several alternatives have been created. One-time passwords are one of the answers. These passwords are desirable because they cannot be reused: anyone who sniffs a one-time password off the wire after it has been used is stealing useless garbage. (The printed list of passwords you have not used yet is a different matter, and still needs guarding.)

-=->OPIE
OPIE stands for One-time Passwords In Everything. It is open source software for Unix systems such as Linux, and is available from http://ciac.llnl.gov -> Tools -> Authentication Tools.
Installing OPIE replaces login, su and ftpd with its own versions of these programs, which accept both traditional passwords and OPIE one-time "password phrases".

-=->The OPIE Transition Mechanism
OPIE can be configured to accept either traditional reusable passwords or OPIE one-time "password phrases". This is handy, so you can set your local logins to have reusable passwords where there is no danger of having the password taxed, and one-time passwords for remote logins. The only problem with this feature is that it opens a very big security hole by making it possible for people to forget what they are doing and use a reusable password in the wrong situation. Sometimes, though, it is a must to use this feature. To enable it, run configure with --enable-access-file when you build OPIE, which permits you to use the /etc/opieaccess file. This file lists the hosts from which reusable passwords are allowed. For example:

    permit 127.0.0.1    255.255.255.255
    deny   172.16.5.25  255.255.255.255
    permit 172.16.5.0   255.255.255.0

Each line has three fields. The first is permit or deny, which allows or refuses logins with reusable passwords. The second is an address. The third is the address mask, which lets you cover an entire network with a single line: the third line above permits the whole 172.16.5.0/24 network, while the second singles out 172.16.5.25 to deny. By default, every system not matched in /etc/opieaccess is denied reusable-password access.

-=->Selecting Your Secret Password
The list of one-time password phrases is generated by a program named opiekey. You need to identify yourself to that program by selecting a secret password; opiepasswd is used to set the secret password. For example, assume I'm new to OPIE and want to generate a list of password phrases before going on a trip. First, I log in to the OPIE server's console with my traditional reusable password and run opiepasswd to select a secret OPIE password, which must be at least 10 characters long.
opiepasswd accepts the secret password and displays the first password phrase, which is DUG AHOY EMIL SAM JOT BERN:

    $ opiepasswd -c
    Updating aphex:
    Reminder - Only use this method from the console; NEVER from remote.
    If you are using telnet, xterm, or a dial-in, type ^C now or exit
    with no password. Then run opiepasswd without the -c parameter.
    Using MD5 to compute responses.
    Enter old secret pass phrase: OJ1CCFftNt
    Enter new secret pass phrase: p3n0r.j00z
    Again new secret pass phrase: p3n0r.j00z

    ID APHEX OPIE key is 499 P18318
    DUG AHOY EMIL SAM JOT BERN

(The pass phrases are shown here for the sake of the example; opiepasswd does not echo them when you type them.)

-=->Creating Additional Password Phrases
One password phrase, of course, isn't enough. To generate additional password phrases, run opiekey. The second-to-last line output by the opiepasswd command contains important information: it displays the initial sequence number (in this case 499) and the seed (in this case p18318). Along with the secret password, these values are required by opiekey to generate the OPIE password phrases. opiekey takes the login sequence number, the user's seed and the user's secret password as input, and outputs the correct password phrases. Use the -n argument to request several passwords. Print them out or write them down and you're set. The following example requests 5 password phrases from opiekey:

    $ opiekey -n 5 499 p18318
    Using MD5 algorithm to compute response.
    Reminder: Don't use opiekey from telnet or dial-in sessions.
    Enter secret pass phrase: p3n0r.j00z
    495: NERO BORN ABET HELL YANG WISE
    496: VERB JUKE BRAN LAWN NAIR WOOL
    497: POE MOOR HAVE UN DRAB MONT
    498: SACK WAND WAKE AURA SNUG HOOD
    499: DUG AHOY EMIL SAM JOT BERN

*NOTE* Login sequence numbers count down from 499 and cannot be reused. When it gets down to 10, re-run opiepasswd and select a new secret password, which will reset the sequence number to 499.

The opiekey command line requests 5 password phrases (-n 5) starting from sequence number 499 and counting downwards.
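As an added example, not part of aphex's article or of the OPIE distribution, here is the hash chain behind those numbers in Python, following RFC 2289, which is what OPIE implements for otp-md5: the lower-cased seed and the secret pass phrase are hashed with MD5 and folded to 64 bits, and that hash-and-fold step is repeated once per sequence number. The server keeps only the 64-bit value for the current sequence number (what opiepasswd writes to its key file), and a login response is accepted only if hashing it once more yields the stored value; that is why the numbers count down and why a captured response is useless afterwards. The six-word output needs the 2048-word RFC 2289 dictionary, so this prints the 64 bits in hex instead, as `opiekey -x` does. The user, seed and secret are the ones from the transcript above; RFC 2289 Appendix C has published test vectors to check the arithmetic against.

```python
import hashlib


def fold_md5(data):
    """One OTP step (RFC 2289, as used by OPIE's otp-md5): MD5 the input and
    fold the 128-bit digest to 64 bits by XORing the two halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp(seq, seed, passphrase):
    """The 64-bit one-time password for sequence number `seq`.

    The seed is case-insensitive and is lower-cased before use, so the
    "P18318" printed by opiepasswd and the "p18318" given to opiekey agree.
    """
    h = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(seq):
        h = fold_md5(h)
    return h


def otp_hex(h):
    """Render the 64 bits as four hex groups, the way `opiekey -x` prints
    them; the six-word form needs the RFC 2289 dictionary, omitted here."""
    return " ".join(h[i:i + 2].hex().upper() for i in range(0, 8, 2))


def opiekey(count, seq, seed, passphrase):
    """Equivalent of `opiekey -n count seq seed`: the passwords for
    sequence numbers seq-count+1 .. seq, lowest first, for printing."""
    return [(n, otp_hex(otp(n, seed, passphrase)))
            for n in range(seq - count + 1, seq + 1)]


class OpieServer:
    """The server side.  It stores only the value for the current sequence
    number, never the secret pass phrase, so a stolen key file does not
    yield future passwords (the chain cannot be run backwards)."""

    def __init__(self, user, seed, passphrase, seq=499):
        self.user, self.seed, self.seq = user, seed, seq
        self.stored = otp(seq, seed, passphrase)   # enrolment: opiepasswd

    def challenge(self):
        """The line login prints, e.g. 'otp-md5 496 p18318'."""
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response):
        """Accept response R iff fold_md5(R) == stored, i.e. R is the value
        one step *below* the stored one.  On success the stored value moves
        down, so the same response can never be replayed."""
        if self.seq <= 0 or fold_md5(response) != self.stored:
            return False
        self.seq -= 1
        self.stored = response
        return True


if __name__ == "__main__":
    seed, secret = "p18318", "p3n0r.j00z"
    for n, hexword in opiekey(5, 499, seed, secret):   # like: opiekey -n 5 499 p18318
        print(f"{n}: {hexword}")
    server = OpieServer("aphex", seed, secret)
    print(server.challenge())                          # otp-md5 498 p18318
    print("login:", server.verify(otp(498, seed, secret)))
    print("replay:", server.verify(otp(498, seed, secret)))
```

The replay line is the whole point of the scheme: the same six words that just logged you in are rejected a second later, because the server has already moved its stored value down one step.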
The seed (p18318) has to be supplied on the opiekey command line as well. opiekey then prompts for the secret password you set with opiepasswd. The sequence number, the seed and the secret are then used to generate the password phrases. To log in, you must use the password phrase that goes with the sequence number displayed by login. For example:

    login: aphex
    otp-md5 496 p18318
    Response or Password: VERB JUKE BRAN LAWN NAIR WOOL

A system running OPIE displays a line indicating that the one-time passwords are being generated with the MD5 algorithm (otp-md5), that this login's sequence number is 496, and that the seed used for the one-time password is p18318. The correct response is the 6 short 'words' generated for that sequence number. Get it?

Well, there's a plain example of how a one-time password system works. Not for everyone? Maybe so. But understand that it is a very portable system: you don't need any special software on the client, just the list of passwords you generated, in your wallet.

-=->Outro
Of course, one of the best and most widely used pieces of strong authentication software is Secure Shell (ssh2). I planned on including a similar guide to it here, but since it's used by so many, and public and private keys have already been reviewed in is3 and is4, it would just be a cheap rehash. I repeated myself a few times, only so the slow amongst you could understand; it's not the simplest thing in the world.

aphex. pulsewidth.net.

-[ \\\\\ ]-----------------------------------------------------------------
 Cellular Networks .........................[ galapogos01 ]......
-[ \\\\\ ]-----------------------------------------------------------------

**What is Cellular Telephone Technology**
The concept of covering a wide space of land with a signal strong enough to reach directly between two points is a far-fetched scenario. The devices required to cover such distances would need huge power sources and be of substantially large size.
Clearly, some kind of outside intervention is required. Cellular networks work on the principle of covering the airspace with "cells", as pictured below:

                /-----\
                |  5  |
          /-----*-----*-----\
          |  2  |  1  |  4  |
          \-----*-----*-----/
                |  3  |
                \-----/

As can be seen, the cells are drawn as hexagons, although in practice this is only an approximation. Each cell has a base station, located in the centre, which transmits at a low enough power that its signal does not overlap much into adjacent cells. The cells can vary in width: cells up to 30km wide are allowed for in the GSM specification, with the minimum being 350m. Each cell borders several others; the handset measures the signal strength of each and uses the strongest cell's signal. Adjacent cells must also use signals in a different frequency range to avoid conflicts; however, some current cellular technologies such as CDMA use the same frequency range in every cell to aid signal quality.

When a cellular phone is switched on, the device searches for the strongest base station signal it can find. Once found, it negotiates with this base station, alerting the cellular network as to where it can find said phone. This kind of information is required as the device may roam through many cells throughout the network and its location must be known. Hence, any call to this phone will be routed from the PSTN, through the appropriate cellular provider's backbone network, to the base station of the cell the phone is in. Once a call to the cellular phone takes place, the call is routed using the above information about the handpiece's location through to the user's handpiece. As the user travels, the phone is constantly searching for the strongest base station it can find. Hence, if the user travels into an area where a stronger signal is available, it needs to switch to this cell. There are varying technicalities involved in this switching, or "hand-off", which differ for each type of technology.
GSM, for example, requires a frequency change at the user's handpiece, hence the signal must be stopped for an instant when the device switches cells. For all kinds of cellular networks, the call needs to be re-routed through the backbone network, through to the next base station, and back to the user's handpiece.

**Cellular Technologies**

**First Generation
The Advanced Mobile Phone System, or AMPS, was first introduced in America in around 1978. Widespread use of this system began in the United States in around the early 1980s. Being one of the first cellular systems to be adopted around the world, this system had its limitations, with many security risks. The primitive nature of the system resulted in its major problems, mainly to do with its inefficient use of the allocated frequency spectrum, and security flaws. As any given phone transmitted analogue voice on a part of the allocated spectrum using frequency modulation in the 800-900 MHz bands, citizens with modified UHF radios could listen in to calls made using AMPS cellular phones. FDMA (Frequency Division Multiple Access) is the name of the technique used to divide the allocated frequency band. Also, as the signal was not compressed or encoded in any way, it made for inefficient and insecure use of the allocated frequency range, which meant that as the user base grew the system couldn't cope with the number of extra users. These flaws pushed for the development of a replacement system, GSM being the one adopted in Australia, where it replaced AMPS in the year 2000 (Zaslavsky 1999:62). Other first generation systems adopted throughout the world included TACS (Total Access Communication System) in Europe, and NMT (Nordic Mobile Telephone) in Norway and the other Nordic countries. The NMT system has two main versions, NMT 450 and NMT 900, which were both designed specifically for the rugged terrain of the region.
The variation of standards throughout Europe, and the number of users, were both contributing factors that pushed developers towards a second-generation system.

**Second Generation
The development of the GSM (originally Groupe Spécial Mobile, now Global System for Mobile communications) standard was a leap in technology as far as cellular communications were concerned. Developed in Europe and introduced in Finland in 1991 (MoU 2000:14), the GSM system took off rapidly around the world. Its improved signal quality, dramatically enhanced feature set, increased security, efficiency and flexibility all made for a widely adopted system. GSM is in widespread use in most countries around the world today; the US is one of the only countries only just introducing it. Australia was the first non-European country to join the GSM MoU (Memorandum of Understanding), in 1992, and within 4 years of its launch had 5.6 per cent of the Australian population switched to the newer, better GSM system.

The GSM network uses a technique called TDMA, or Time Division Multiple Access, to allow multiple users to access the same frequency range "at once". Note that technically, as the airspace is divided on a time basis, the users don't access the airspace at once; rather, they take turns transmitting on the same airspace. One 200 kHz frequency band is divided into 8 time-division channels (CDG 2000:2). When a GSM phone wishes to make a call, the base station in the area allocates it a time slot and frequency range; this tells the phone when to listen in the band for its signal, and when to send its burst of compressed voice data back to the base station. As the GSM network is fundamentally a digital circuit-switching network, some form of conversion is required to turn the analogue voice signal into a digital one for transmission. Also, for more efficient use of the transmission links, data compression is used on this digital signal.
There are two main speech compression algorithms that were introduced with the original GSM standard: Full Rate and Half Rate. These compress the original 64 kbit/s PCM signal (8 kHz, 8-bit audio; 8 x 8000) down to 13 kbit/s and 5.6 kbit/s respectively; with the error-correction bits added by channel coding, these become 22.8 kbit/s and 11.4 kbit/s on the air. A later standard, Enhanced Full Rate, occupies the same full-rate channel (12.2 kbit/s of speech data) but has higher voice quality, and requires phones and networks that support it. The compressed signal is also encrypted on the air interface (the A5 stream cipher) with a session key derived from the secret key Ki held on the subscriber's SIM, not from the handset's serial number, so only the network and the phone holding that SIM can decode it.

Calls on the GSM network follow the generic pattern for cellular communications: base stations know a handpiece's location in the network, calls are sent to it, etc. However, when a handset moves to a location where a stronger base station is available, things change slightly. The handpiece must negotiate a connection with the new base station and be allocated a time slot in which to send its information. Then, in a process known as a "hard hand-off", the handpiece ends the connection to the current base station and moves to the new one. Therefore, for an instant the handpiece has no connection to the network; this creates a loss in quality and the possibility of a dropout, so the transition must be kept as quick as possible (Asawa & Stark 1996:2). Other advanced features of the GSM network include SMS, the Short Message Service; caller ID; and call diversion, barring and waiting. Some of the latest GSM phones come equipped with a WAP (Wireless Application Protocol) browser for access to online information services.

Another second-generation cellular network, CDMA, which stands for Code Division Multiple Access, is just starting to emerge in Australia. Originally developed as a replacement for the AMPS system, the CDMA network uses its allocated spectrum a lot more efficiently than both GSM and AMPS.
The CDMA Development Group (CDG, 2000:1) lists the advantages of the CDMA protocol as follows:

"* Capacity increases of 8 to 10 times that of an AMPS analogue system and 4 to 5 times that of a GSM system
 * Improved call quality, with better and more consistent sound as compared to AMPS system
 * Simplified system planning through the use of the same frequency in every sector of every cell
 * Enhanced privacy
 * Improved coverage characteristics, allowing for the possibility of fewer cell sites
 * Increased talk time for portables
 * Bandwidth on demand"

The CDMA system doesn't divide up the frequency spectrum as AMPS or GSM systems do. To differentiate between each call that is running simultaneously, it allocates each sending unit a code, which the sender in turn uses to sign all outgoing radio packets. This allows the tower at the receiving end to decipher the messages received back into the voice data coming from each individual call. As multiple devices are transmitting in the same frequency band simultaneously, the tower has the complex job of decoding all of these signals.

CDMA is a form of DSSS (Direct Sequence Spread Spectrum). The goal of this technique is to increase the bandwidth of a given signal to the point where any interference has minimal influence on the original signal encoded. Thus, the CDMA bands allocated to a particular tower are 1.25 MHz wide, and neighbouring cells or towers can use the same frequency band. This wide bandwidth allows the signal quality to remain reasonable under a large user load. The base stations identify themselves by transmitting a pseudo-random code that is time-offset for each station, which means that all base stations on the CDMA network need to be fully time synchronised.

The analogue voice signal on CDMA phones needs to be converted into a digital signal just as with GSM. The signal is compressed, though using proprietary compression algorithms, which are slightly more efficient than GSM methods.
The average bandwidth for a voice signal on the CDMA network is around 13 kb/s - however, this bandwidth rises and falls as the handpiece sees necessary, dropping to as low as 0.8 kb/s in silent periods.

**Third and Future Generations**

Third generation, or 3G, cellular networks are undergoing development and deployment at this very moment. Work on communications networks such as Iridium has been going on since the deployment of GSM. One of these networks, the Iridium satellite network, consists of 66 satellites (Jefferies, 1998:1) orbiting the Earth. Each satellite projects its signal onto an area of 37 hexagonal cells, each of which can be up to 360 nautical miles in diameter. This means one satellite can cover an area of nearly 4 million square nautical miles (Jefferies, 1998:1). This area is not covered simultaneously, however; the cells can be switched on and off as usage requires, conserving energy. These satellites are built to last an average of five years - after this short life span they will need replacement.

The satellites orbit the Earth such that if a user were standing still, the satellite would still be moving past at a speed of approximately 16,650 mph (Jefferies, 1998:1). As far as network concepts are concerned, this makes the cell hand-off quite easy to implement, as the mobile user's handpiece is only likely to hand off to the next adjacent cell as the network moves across its path - i.e. the next cell is known to the network before the handpiece. The main purpose of the Iridium satellite network at present is to provide global roaming mobile telephony and instant paging (Iridium, 2000:1). There are many other networks like this in development - some for wireless email retrieval, others for the same application (voice). However, Iridium isn't the only communications network proposed among these third generation systems.
The GSM Association are working on a system for 3G, and have been allocated the radio spectrum to continue development in this area (GSM World, 2000:1). This system will be implemented on top of the existing GSM system to provide higher bandwidth, supposedly, and should start to appear around 2005. The ITU (International Telecommunications Union) are also working on a third generation cellular system - the FPLMTS (Future Public Land Mobile Telecommunications System). Such third generation systems will have an impact as great as the original change from first to second generation - proposals for high speed bandwidth to mobile users are increasingly prevalent. With access like this, Internet access, live portable video conferencing and streaming multimedia will become a reality. The third generation system being developed in Europe and backed by companies such as Nokia, Ericsson and Alcatel, named UMTS (Universal Mobile Telecommunications System) (Nokia, 2000:1), does just this. Planned for launch in 2002, this system will be based on GSM and provide very high data transmission rates in the 2 GHz band. These companies are also pushing the ITU to merge their technologies with UMTS, to allow global standardisation of this wideband multimedia telephone network.

**Conclusion**

Cellular networks, although quite complicated in their actual operation, are based on very simple principles, as just described. Any questions (or spot-the-errors) to galapogos01@mindless.com.
=[galapogos01]=

References

* Martieken, O (1998) "Cellular Networks", http://www.tml.hut.fi/Opinnot/Tik-110.250/1999/Kalvot/TKK_2_99/sld042.htm
* Zaslavsky, A (1999) "Public two way wireless networks in Australia", http://broncho.ct.monash.edu.au/~azaslavs/cot3002_link/dcs-l-10/sld062.htm
* MoU (2000) "History of GSM Networks", http://www.gsmworld.com/about/history_page14.htm
* Asawa & Stark (1996) "Optimal handling of handoffs in cellular communications networks", http://www.acm.org/pubs/articles/journals/ton/1996-4-3/p428-asawa/p428-asawa.pdf
* CDG (2000) "Technical info about CDMA", http://www.cdg.org/frame_tech.html
* CDG (2000) "What is CDMA", http://www.cdg.org/tech/about_cdma.html
* Jefferies (1998) "Iridium - Technical Information", http://ntrg.cs.tcd.ie/cs5/98/group2/tech.html
* Iridium (2000) "Welcome to Iridium", http://www.iridium.com/
* GSM World (2000) "Press Releases", http://www.gsmworld.com/news/press_releases_61.html
* Nokia (2000) "Press Releases", http://www.nokia.com/news/news_htmls/ntc_970814.html

-[ \\\\\\\\\\ ]-----------------------------------------------------------------
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] Fibre Optics and SONET .....................[ lymco ]...........
-[ \\\\\\\\\\ ]-----------------------------------------------------------------

In this article I am going to introduce you to the basics of Fibre Optic cabling, and then school you on SONET. I learnt the basics of this while specialising in W.A.N's at TAFE, the rest is self learning. Hopefully you will find it interesting..

# Brief introduction to Optical Fibre Cabling
--

If you have been off on Mars for the past few years, then you would not have heard about Fibre Optic cabling: the greatest jump in cabling technology since the 'tin can and piece of string'. Its incredible bandwidth and ability to not suffer from attenuation (when signal strengths fade) over extreme distances make copper cables look prehistoric. There is no exact maximum transfer rate, since this depends on the hardware capabilities.
However, a very old and wise Telstra advisor told me that they are managing to double the bandwidth every few years. So the possibilities of Fibre Optic cabling are exceedingly high. A rough estimate would be > 3 Gb/s for most Telstra setups (year 2000).

The main three types of optical fibre cabling are:

1. Single Mode (SMOF)
2. Multi Mode (MMOF)
3. Plastic

Single Mode Optic Fibre is called this because of the single beam of light that it uses for transmitting information. The single beam/angle of light is generated by a "LASER". (Think Austin Powers). It is used mostly by Carriers due to its immense bandwidth and distance capabilities. However the equipment required is much more expensive than MMOF.

Multi Mode is called this due to the entry and transmission of more than one beam/angle of light. It is used mostly in commercial environments due to it being a lot more cost efficient than Single Mode, while still being adequate for commercial use.

Optical Fibres consist of a solid glass core, surrounded by a solid glass cladding. This cladding has a slightly lower refractive index than the core, so it acts like a mirror, creating Total Internal Reflection.

Security wise, apparently it is possible to intercept data on Optical Fibre cables. However, all you aloc beige box gurus put away those MacDonalds straws, the equipment you would require to perform the task is expensive, and the clue factor required must be exceedingly high.. not a common occurrence in the majority of computer users.

--

# Introduction to SONET
--

SONET stands for Synchronous Optical NETwork. Basically, it allows different network media to interact using SONET standards. Without it, communication between different transmission media would require extremely heavy multiplexing/demultiplexing and/or encoding/decoding. For example, DS1 uses a rate of 1.54 Mbps, with AMI encoding, and carries 24 voice signals, whereas E1 transfers at a rate of ~2 Mbps and carries 30 voice signals. See the difference?
SONET standardises this with the Synchronous Transfer Signal (STS), which has a transfer rate of just over 51 Mbps. STS contains two main parts, these are:

1) payload - contains the content information, and
2) overhead - carries the signalling and protocol information.

For example, a DS1 and an E1 link could be joined to form a high speed fibre data stream at over 51 Mbps.

[DS1 link (at 1.54 Mbps)]
                        ___________
                       |___     ___|---[SONET (at 51 Mbps)]---|---[Fibre optic cable]
             ___________|
[E1 link (at 2 Mbps)]

So the above data would travel in STS format until it reaches the other end of the connection. It will then be terminated through the SONET network, and return to its original data format.

--

# Terminating Equipment
-

The terminating equipment is used to convert the STS signal to its original format(s).

Path Terminating Equipment (PTE): This multiplexes and demultiplexes the STS signal.

Line Terminating Equipment (LTE): This network element originates and/or terminates the line signal.

Section Terminating Equipment (STE): This can be used as either a terminating network element or a regenerator, as it is able to access, modify and terminate the overhead.

# SONET Layers
-

1. Path Layer
This deals with the transport of services between the PTE. It puts the signals into the format required by the Line Layer. It modifies the overhead for extra performance, and it also reads and interprets information.

2. Line Layer
This layer deals with the transport of the Path Layer's payload and overhead across the physical medium. It provides synchronisation and multiplexing for the Path Layer. It also monitors for errors.

3. Section Layer
This deals with the transport of STS frames across physical media. It maintains reliable frames and sections, and also monitors for errors.

4. Photonic Layer
This deals with the transport of bits across the network. It converts between STS and OC signals.

# Frame Structure

STS-1 is the basic signal rate for SONET.
It has a frame rate of 8000 frames per second. Each frame has the structure of 9 rows and 90 columns, which is a total of 810 bytes per frame. It also scrambles and descrambles at 127 bits. The first 3 columns (or 27 bytes) consist of the transport overhead (which is, by mathematical formula, 4.44% of the complete 51.84 Mbit/s SONET signal). Columns 4 to 90 are the Synchronous Payload Envelope (SPE).

# Finishing up

This has been a very brief introduction to SONET. Hopefully you found it interesting, even the W.A.N gurus out there. If you have spotted any errors, or would like to e-mail me, please do so at lymco@spanner.net.

--
lymco
dev.spanner.net

-[ \\\\\\\\\\ ]-----------------------------------------------------------------
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] CDMA .....................[ phunki ]............................
-[ \\\\\\\\\\ ]-----------------------------------------------------------------

Contents

-Intro
- Concepts
  - Multiple Access Basics
  - Interleaving
  - Orthogonality
  - Asymmetry and Channelisation
- Transmission
  - Walsh Codes
  - PN Codes
-Conclusion

------------------------------------------------------------------

Ok, here we're going to have a look at the way data is encoded for transport over multiple access schemes, specifically in the IS-95 CDMA system (Interface Standard IS-95 Code Division Multiple Access). CDMA is a big/complex beast, and I'm assuming you have a brain, plus some basic mathematical skills; of course, if you had a brain, you'd be reading a book on this, not some half-assed text file.

Basically, there are three ways of separating signals from each other: FDMA, TDMA and CDMA (Frequency, Time and Code Division Multiple Access respectively). FDMA is the simplest and generally not very good for large scale networks, so the two main ones are TDMA and CDMA. CDMA is what is used by our good friends Telstra. Debates over TDMA and CDMA can go on for hours; if you want more info on the differences and advantages of each, google.com.
I will say one thing though. CDMA is generally a little more complex to implement than TDMA, but has the advantage of being "smarter" or more efficient. There are a few things you need to know before we get to the good stuff, so we'll have a look at them first.

--------------------------------------------------------

The fundamental differences between FDMA, TDMA and CDMA come from the way they make use of the available frequency spectrum. I will cover it lightly and basically.

In FDMA each user is assigned a particular frequency band for transmission. A segment of the frequency spectrum is divided into different channels. The signals are put through a low pass filter, then modulated onto the assigned carrier frequency of a particular channel. That is how the spectrum is shared: by division of frequency.

In TDMA, each user is assigned a different time slot in which to transmit; that is, the spectrum is shared by division in the time domain.

In CDMA, each user's narrowband signal is spread by a different wideband code. Then the wideband signals of the users are added together to form a composite signal, and the composite signal is transmitted over the air in the same frequency band. The wideband codes are orthogonal, and it is through these that the receiver can find the wideband signal it wants from the mass of signals in the composite signal (i.e. the codes are used to ditch all the crap not meant for that receiver).
Here's a diagram (note the domain of TDMA):

     /|\
      |       _______        _______        _______
  P   |      /       \      /       \      /       \
  o   |     /         \    /         \    /         \
  w   |    /  User 1   \  /  User 2   \  /  User 3   \
  e   |   /             \/             \/             \
  r   |  /                                             \
      |_________________________________________________\
              Carrier 1      Carrier 2      Carrier 3     Freq

                              FDMA

     /|\
      |   ___________   ___________   ____________   ____________
  P   |  |           | |           | |            | |            |
  o   |  |           | |           | |            | |            |
  w   |  |  User 1   | |  User 2   | |  User 3    | |  User 4    |
  e   |  |           | |           | |            | |            |
  r   |  |           | |           | |            | |            |
      |__|___________|_|___________|_|____________|_|____________|__\
         |             |             |              |
        T1            T2            T3             T4             Time

                              TDMA

     /|\               ____________________________
      |               /_____________________________\   <---- User N
      |              /                               \
  P   |             /               .                 \   (and so on)
  o   |            /                .                  \
  w   |           /                 .                   \
  e   |          /__________________.____________________\
  r   |         /_________________________________________\  <--- User 2
      |        /___________________________________________\ <--- User 1
      |_____________________________________________________________\
                                                                    Freq
                              CDMA

Blah.

------------------------------------------------------------------

Interleaving is a technique for randomising bits in a message/information stream. It pops up in lots of different places, for example storing information on CD and, golly gosh, CDMA. Basically it adds an extra layer of strength to bolster normal error correcting codes (and the digital world would not exist without good error correction). No need to go into it too deep, so we'll just look at an example.

We want to send the message "Zero cool wants his gibson back soon". We will put this in a 5x6 matrix:

    z e r o c o
    o l w a n t
    s h i s g i
    b s o n b a
    c k s o o n

When the message is transmitted, it will be sent like this:

    zosbc elhsk rwios oasno cngbo otian

That is, the message is written left to right, but transmitted in blocks from top to bottom. Once received, it is then de-interleaved by reversing the process above to get the original message.
At a basic level this will help get the message back to a recognisable form if there are excessive transmission errors.

-----------------------------------------------------------------

This bit is important. Orthogonality is best described as a mathematical property. Two sequences are either orthogonal or not orthogonal. Briefly, two real-valued functions x and y are said to be orthogonal if their cross-correlation R over the interval 0 to T is zero, where R is the integral of x(t)y(t) from 0 to T. The one we care about, where time is discrete, is when the cross product R of x and y is 0. This is:

    Rxy(0) = sum from i=1 to I of x(i)y(i) = 0

Anyway, this is much easier to understand than the lack of mathematical notation symbols in ASCII would lead you to believe. Let's have a look at an example:

    x = [ -1 -1  1  1 ]
    y = [ -1  1  1 -1 ]

These are orthogonal, why? Let's take a look.

    R = xy = (-1)(-1) + (-1)(1) + (1)(1) + (1)(-1) = 0
              x1  y1     x2  y2    x3 y3    x4  y4

Pretty easy really. Now, in a multiple access scheme, we require two additional properties.

The second property is: each code in the set of orthogonal codes must have an equal number of 1's and -1's. This gives the particular code its pseudorandom nature. Have a look at x and y: they both have two 1's and two -1's.

The third property is that the dot product of each code with itself, scaled by the order of the code, must be equal to 1. This again is quite simple to see in practice. Each item in the sequence is multiplied by itself and summed, then divided by the number of items in the sequence (the order), which needs to give a final answer of 1 to be of use. (Technically you don't multiply each item in the sequence by itself, you multiply the sequence by itself, but it's easier to understand this way). To clarify, we'll take another look at our example x and y. Both have four items, so are of order 4:

    (xx)/4 = [(-1)(-1) + (-1)(-1) + (1)(1) + (1)(1)]/4 = 4/4 = 1
    (yy)/4 = [(-1)(-1) + (1)(1) + (1)(1) + (-1)(-1)]/4 = 4/4 = 1

w00t.
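The 5x6 block interleaver from the "Zero cool" example earlier in this section, as an added Python example (not code from phunki's article). The burst-error helper corrupts a constructed run of transmitted symbols to show the point the text makes: a burst of up to 5 consecutive bad symbols lands at most one error in each row once de-interleaved, which a per-row error-correcting code could then repair, whereas the same burst on the un-interleaved stream wipes out a whole row.

```python
# Added example, not part of phunki's article: block interleaving as
# described in the text, plus a constructed burst-error check.
from typing import List

# The message used in the article, interleaved through a 5 x 6 matrix.
MESSAGE = "Zero cool wants his gibson back soon"
ROWS, COLS = 5, 6


def interleave(msg: str, rows: int, cols: int) -> List[str]:
    """Write msg row by row into a rows x cols matrix and read it out column by column.

    Spaces are dropped and the text lower-cased, as in the article's example.
    Returns one string per column, i.e. the blocks in transmission order.
    """
    body = msg.replace(" ", "").lower()
    if len(body) != rows * cols:
        raise ValueError(f"need exactly {rows * cols} symbols, got {len(body)}")
    matrix = [body[r * cols:(r + 1) * cols] for r in range(rows)]
    return ["".join(matrix[r][c] for r in range(rows)) for c in range(cols)]


def deinterleave(blocks: List[str], rows: int, cols: int) -> str:
    """Reverse interleave(): the received blocks are the columns, rebuild the rows."""
    if len(blocks) != cols or any(len(b) != rows for b in blocks):
        raise ValueError("received blocks do not match the rows x cols layout")
    return "".join(blocks[c][r] for r in range(rows) for c in range(cols))


def max_errors_per_row(msg: str, rows: int, cols: int, start: int, length: int,
                       interleaved: bool, fill: str = "?") -> int:
    """Corrupt `length` consecutive transmitted symbols from `start` (a constructed
    burst error) and return the worst number of bad symbols in any one row of the
    recovered message. With interleaving the burst is spread over the rows; without
    it the burst stays inside one row."""
    body = msg.replace(" ", "").lower()
    stream = "".join(interleave(body, rows, cols)) if interleaved else body
    if start < 0 or start + length > len(stream):
        raise ValueError("burst does not fit inside the stream")
    corrupted = stream[:start] + fill * length + stream[start + length:]
    if interleaved:
        blocks = [corrupted[c * rows:(c + 1) * rows] for c in range(cols)]
        received = deinterleave(blocks, rows, cols)
    else:
        received = corrupted
    return max(received[r * cols:(r + 1) * cols].count(fill) for r in range(rows))


if __name__ == "__main__":
    sent = interleave(MESSAGE, ROWS, COLS)
    print(" ".join(sent))                      # zosbc elhsk rwios oasno cngbo otian
    print(deinterleave(sent, ROWS, COLS))      # zerocoolwantshisgibsonbacksoon
    for flag in (True, False):
        print("interleaved" if flag else "plain",
              max_errors_per_row(MESSAGE, ROWS, COLS, 0, 5, flag))   # 1, then 5
```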
--------------------------------------------------

Ok, one last thing before we get to the good stuff. CDMA is asymmetric, that is, the forward and the reverse links have different link structures. The reason for this is such: when a call is being set up, CDMA has the pilot and sync channels to aid synchronisation for the forward link, but the reverse link does not have these. Call set-up is a long topic in itself, perhaps it will be the topic of a later file (and i can reveal my pilot flooding cell jamming tekneq, heh). Anyway, for the forward link, Walsh codes are used, and for the reverse link, pseudo-random noise codes are used (PN Codes).

----------------------------------------------------------------

Werd, if you got through all that, you'll have no probs with this. First we'll look at Walsh Codes.

-------------------------------------------------------------------

So, from the diagram way above, you saw how all of the CDMA traffic floods across the frequency band. Walsh codes are used to identify the data for each individual transmission; that is, Walsh codes are used to separate individual users while they simultaneously occupy the same RF band. Walsh codes as used in IS-95 are a set of 64 binary orthogonal sequences. So how are they generated? Recursive use of the Hadamard matrix! Best explained by example, let's have a look. (Note I will be using ! to imply the inverse, not as a boolean operator, wang.) This is our matrix:

     __          __
    |              |
    |   Hn    Hn   |
    |              |
    |   Hn   !Hn   |
    |__          __|

As you can see, in the lower right hand corner, the inverse of the matrix is present.
This is our seed matrix (wang, it's too hard to draw ASCII for every matrix, deal with it):

    H2 = 0 0
         0 1

So our inverted matrix is this:

    !H2 = 1 1
          1 0

Now, we want to generate a set of 4 orthogonal Walsh sequences w0, w1, w2 and w3, so we take our seed and put it in a Hadamard matrix of order 4:

                        0 0 0 0
    H4 = H2   H2   =    0 1 0 1
         H2  !H2        0 0 1 1
                        0 1 1 0

Now, our four orthogonal sequences are taken as the rows of the matrix (look at the columns too, spooky :)

    w0 = [ 0 0 0 0 ]
    w1 = [ 0 1 0 1 ]
    w2 = [ 0 0 1 1 ]
    w3 = [ 0 1 1 0 ]

Think back to when I talked about orthogonality. As they are, these codes do not fit the required definition of orthogonality, but this is easily remedied by substituting -1 in the place of 0. So our final codes are these:

    w0 = [ -1 -1 -1 -1 ]
    w1 = [ -1  1 -1  1 ]
    w2 = [ -1 -1  1  1 ]
    w3 = [ -1  1  1 -1 ]

A few things to note. w0 is all -1's and is not orthogonal. In IS-95 CDMA it is not used to transmit any baseband information. Also, matrices of a higher order can be generated recursively, by taking the inverse of a matrix and applying the seed and its inverse back into the Hadamard matrix. The IS-95 forward link uses a set of 64 orthogonal Walsh sequences, giving a physical limitation of 63 channels on the forward link (remember w0 is not used).

Just for fun, here are the orthogonal Walsh codes from H8:

    w1 = [ -1  1 -1  1 -1  1 -1  1 ]
    w2 = [ -1 -1  1  1 -1 -1  1  1 ]
    w3 = [ -1  1  1 -1 -1  1  1 -1 ]
    w4 = [ -1 -1 -1 -1  1  1  1  1 ]
    w5 = [ -1  1 -1  1  1 -1  1 -1 ]
    w6 = [ -1 -1  1  1  1  1 -1 -1 ]
    w7 = [ -1  1  1 -1  1 -1 -1  1 ]

Ok, now we'll have a look at an example. We have three different users wanting to send a separate message each, these are:

    m1 = [  1 -1  1 ]
    m2 = [  1  1 -1 ]
    m3 = [ -1  1  1 ]

Each of the three users is assigned a Walsh code:

    w1 = [ -1  1 -1  1 ]
    w2 = [ -1 -1  1  1 ]
    w3 = [ -1  1  1 -1 ]

Each message is spread by its Walsh code. The chip rate of the Walsh code is four times the bit rate of the message, contributing to a processing gain of 4. So, we want m1 x w1 (mNwN).
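The Hadamard recursion, the three code properties from the Orthogonality section, and the spread / composite / despread of m1, m2 and m3 that the hand calculation below walks through, as an added Python example (not code from phunki's article). The message and code values are the ones used in the text; the zero-integral check in decide() is an addition, covering a receiver listening on a code that carries no traffic.

```python
# Added example, not part of phunki's article: Walsh codes by Hadamard
# recursion, the three code properties from the Orthogonality section, and the
# spread / composite / despread steps for the three messages in the text.
from typing import Dict, List

Code = List[int]


def hadamard(order: int) -> List[List[int]]:
    """H_order over {0,1}, built as H_2n = [[H_n, H_n], [H_n, !H_n]] from H_2 = [[0,0],[0,1]]."""
    if order < 2 or order & (order - 1):
        raise ValueError("order must be a power of two, at least 2")
    h = [[0, 0], [0, 1]]
    while len(h) < order:
        inv = [[1 - bit for bit in row] for row in h]          # !Hn
        h = [row + row for row in h] + [row + irow for row, irow in zip(h, inv)]
    return h


def walsh_codes(order: int) -> List[Code]:
    """Rows of H_order with 0 replaced by -1, so the codes are orthogonal in the +-1 sense."""
    return [[1 if bit else -1 for bit in row] for row in hadamard(order)]


def is_orthogonal(x: Code, y: Code) -> bool:
    """Property 1: cross-correlation at lag 0, the sum of x(i)y(i), is zero."""
    return sum(a * b for a, b in zip(x, y)) == 0


def balanced(x: Code) -> bool:
    """Property 2: equal numbers of 1 and -1 chips (the pseudorandom property)."""
    return x.count(1) == x.count(-1)


def normalised_autocorrelation(x: Code) -> float:
    """Property 3: (x.x) / order, which must equal 1."""
    return sum(a * a for a in x) / len(x)


def spread(message: Code, code: Code) -> Code:
    """Each message bit is held for len(code) chips and multiplied chip by chip by the code."""
    return [bit * chip for bit in message for chip in code]


def composite(signals: List[Code]) -> Code:
    """Chip-wise sum of all users' spread signals: what actually goes over the air."""
    if len({len(s) for s in signals}) != 1:
        raise ValueError("all spread signals must be the same length")
    return [sum(chips) for chips in zip(*signals)]


def integrate(comp: Code, code: Code) -> List[int]:
    """Multiply the composite by one user's code and sum over each bit period (the M values)."""
    n = len(code)
    if len(comp) % n:
        raise ValueError("composite is not a whole number of bit periods")
    return [sum(c * k for c, k in zip(comp[i:i + n], code)) for i in range(0, len(comp), n)]


def decide(ms: List[int]) -> Code:
    """Decision threshold: M > 0 -> 1, M < 0 -> -1. M == 0 means no energy for this code
    (an unassigned code, or codes that were not orthogonal), so it is reported, not guessed."""
    if 0 in ms:
        raise ValueError("zero integral: no signal for this code in this bit period")
    return [1 if m > 0 else -1 for m in ms]


def demo() -> Dict[str, object]:
    """Run the article's three-user example end to end."""
    w = walsh_codes(4)                      # w0 is all -1 and carries no traffic
    codes = {1: w[1], 2: w[2], 3: w[3]}
    messages = {1: [1, -1, 1], 2: [1, 1, -1], 3: [-1, 1, 1]}
    c = composite([spread(messages[u], codes[u]) for u in messages])
    ms = {u: integrate(c, codes[u]) for u in messages}
    return {"composite": c, "M": ms, "recovered": {u: decide(ms[u]) for u in messages}}


if __name__ == "__main__":
    for user, code in enumerate(walsh_codes(8)):
        print(f"w{user} = {code}")
    result = demo()
    print("C  =", result["composite"])       # [-1, -1, -1, 3, -1, -1, 3, -1, -1, 3, -1, -1]
    print("M  =", result["M"])               # {1: [4, -4, 4], 2: [4, 4, -4], 3: [-4, 4, 4]}
    print("mr =", result["recovered"])       # {1: [1, -1, 1], 2: [1, 1, -1], 3: [-1, 1, 1]}
```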
Here we go:

    m1   |  1           -1            1
    m1   |  1  1  1  1  -1 -1 -1 -1   1  1  1  1
    w1   | -1  1 -1  1  -1  1 -1  1  -1  1 -1  1
    m1w1 | -1  1 -1  1   1 -1  1 -1  -1  1 -1  1

m1w1 is the spread spectrum signal of the first message. Now for message 2:

    m2   |  1            1           -1
    m2   |  1  1  1  1   1  1  1  1  -1 -1 -1 -1
    w2   | -1 -1  1  1  -1 -1  1  1  -1 -1  1  1
    m2w2 | -1 -1  1  1  -1 -1  1  1   1  1 -1 -1

For message 3:

    m3   | -1            1            1
    m3   | -1 -1 -1 -1   1  1  1  1   1  1  1  1
    w3   | -1  1  1 -1  -1  1  1 -1  -1  1  1 -1
    m3w3 |  1 -1 -1  1  -1  1  1 -1  -1  1  1 -1

Now we need to merge these into one to create our composite (C) signal for transmission. This is:

    C = m1w1 + m2w2 + m3w3
    C = -1 -1 -1  3  -1 -1  3 -1  -1  3 -1 -1

And bang, away it goes. If nothing goes wrong during transmission, the receiver intercepts C, and to separate the original messages, the receiver multiplies C by the assigned Walsh code for each message. E.g. for m1 (using w1):

    w1  | -1  1 -1  1  -1  1 -1  1  -1  1 -1  1
    C   | -1 -1 -1  3  -1 -1  3 -1  -1  3 -1 -1
    Cw1 |  1 -1  1  3   1 -1 -3 -1   1  3  1 -1

etc. for w2 and w3:

    Cw2 |  1  1 -1  3   1  1  3 -1   1 -3 -1 -1
    Cw3 |  1 -1 -1 -3   1 -1  3  1   1  3 -1  1

Now the receiver adds up (actually it's integration) all the values over each bit period to give M1, M2 and M3 respectively.

    Cw1 |  1 -1  1  3   1 -1 -3 -1   1  3  1 -1
    M1  |      4           -4            4

    Cw2 |  1  1 -1  3   1  1  3 -1   1 -3 -1 -1
    M2  |      4            4           -4

    Cw3 |  1 -1 -1 -3   1 -1  3  1   1  3 -1  1
    M3  |     -4            4            4

This is then passed through a "decision threshold" to determine the original message, which looks something like this:

    if M > 0 then mr = 1
    if M < 0 then mr = -1

By applying this (the r is for received) we get:

    mr1 = [  1 -1  1 ]
    mr2 = [  1  1 -1 ]
    mr3 = [ -1  1  1 ]

Which, if you care to check, is our original message. Ownage.

EDITOR NOTE: This article is still incomplete. It will be finalised in issue 8

-[ \\\\\\\\\\ ]-----------------------------------------------------------------
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] Bash Scripting .....................[ lymco ]...................
-[ \\\\\\\\\\ ]-----------------------------------------------------------------

For those of you who are interested in scripting for your unix box, there is nothing simpler than Bash. It is similar to MS-DOS batch scripting, however the UNIX version is much more powerful. In a nutshell, it contains a list of UNIX commands, and executes them one by one. However, it also features core language functions, such as 'if then else', loops, and what have you. You may think, "What is the point in bash scripting, if I can do the same in languages like C and Perl?". It is EXTREMELY easy to whip up a quick, yet effective script in a few lines, which may take in excess of 20-30 lines of C code.

Now that you have a little clue on what it is, let's get down to writing some scripts. For newbies, open a text editor. I prefer jed, since it uses colour highlighting for certain language syntax (it supports .sh). If you can't be bothered getting it from linuxberg or freshmeat, then I guess you will have to live with vi(m) (which also supports syntax highlighting) or pico.

From here, the first line should contain the following:

#!/bin/sh

It is not required, but it is good for when we get back to the command line and we want to execute the program. All it does is specify the language interpreter. You would have seen this in TCL, Perl, etc.

Now let's try the echo command:

echo "What's better than winning a gold medal in the paralympics?"
echo "> 'What?'"
echo ".. not being disabled."
echo "> h0h0"
--

As you can see, it is exactly the same as at the command prompt. So the above script would be something like:

#!/bin/sh
echo "What's better than winning a gold medal in the paralympics?"
echo "> 'What?'"
echo ".. not being disabled."
echo "> h0h0"
--

From here, save it with a .sh extension, make it executable (+x), and run it via ./name.sh. When I run it I get the following output:

[lymco@preceptor articles] $> ./test.sh
What's better than winning a gold medal in the paralympics?
> 'What?'
.. not being disabled.
> h0h0
--

Commenting (like you may have seen with TCL and Perl once again): lines which begin with # are ignored by the interpreter. The first line, which contains #! as the first two chars, is not ignored, probably due to the '!' char; nothing to go grey over though, so let's move on.

--

Variables are extremely easy to work with here. To set a variable, it is as simple as varname="werd up"; note no white space around the '=' sign. When we are not defining the variable, we include a dollar ($) sign in front of it. For example, if we were now to echo the variable "varname" to the screen, we would use the following:

#!/bin/sh
# this defines the variable
varname="werd up"
# this echoes the content of varname to the screen
echo $varname
# the backslash stops the shell expanding the first $varname, so the name itself is printed
echo "The content of \$varname is $varname"
--

save, chmod +x, run it:

[lymco@preceptor articles] $> ./werd.sh
werd up
The content of $varname is werd up
--

To capture user input, we simply use the read command. Its argument is simply the variable name we want to assign the input text to.

#!/bin/sh
echo -n "Enter your name: "
read name
echo "Hello $name, hope you have a nice day."
--

save, chmod +x, run it:

[lymco@preceptor articles] $> ./read.sh
Enter your name: Matthew Jones
Hello Matthew Jones, hope you have a nice day.
--

The -n flag in the echo command stops echo from creating a new line afterwards. So it just stops at 'Enter your name: ', and you input your text on that line, instead of a new line. View the man page for echo for more options.

--

if/then/else/elif statements are easy, yet can really lighten up a program. Try this pointless script:

#!/bin/sh
# This is a pointless script, that gets the output of a 'uname' command.
ssystem=`uname`
# $ssystem is quoted so that test still gets an argument if it happens to be empty
if test "$ssystem" = "Linux"
then
    echo "You are using Linux"
else
    echo "You are not using Linux,"
    echo "You are using $ssystem"
    # I realise I could just do echo "You are using $ssystem"
fi
--

Hopefully you noticed the ` characters, and didn't mistake them for " or '. They specify the output of the command inside the quotes. For example, if we were to put var="uname", or var='uname', that would simply return the text, which is not what we want. By the way, if you are using jed, and hit the ` character, you have to press it twice for it to be output to the buffer.

'test' is the shell's Boolean check. Following that, we have the variable (with the $ sign before it), the equals sign (note the white space on either side), followed by the matching string, "Linux". If all returns true, then it displays "You are using Linux", else "You are not using Linux". 'fi' is 'if' backwards, or short for 'finish'. If you are experienced with C, Perl, Javascript, PHP, whatever! Remember, then is like "{", and "}" is like fi. It does not only support equals, it supports not equals, greater than, less than, greater than or equals, and less than or equals. These are !=, >, <, <=, and >= respectively.

--

Global arguments are pre-defined variables. The most commonly used ones in programming are the argument related ones. These are $0, which returns the script name; $1 is the first argument, $2 the second, and so on. $# returns the number of arguments passed, and $* returns a string of all passed arguments.

#!/bin/sh
if test "$#" = "0"
then
    echo "Please specify 1 or more arguments"
elif test "$#" = "1"
then
    echo "You specified one argument: $1"
else
    echo "You specified $# arguments, these were:"
    echo $*
fi
--

Other variables include: $HOME, $PATH, and $USER. Remember that these use all capital letters. Test them out with the echo command.

--

There are multiple methods for looping in bash scripting, let's step through each one.
for loop example:

# This script simply cycles through every argument.
for x in 198.142.79.69 203.59.0.69 203.59.55.69
do
    echo Now hax0ring $x..
done
--

while loop example:

total=0
echo "Trying to find the number 5"
while test "$total" != 5
do
    echo "Trying $total.. unsuccessful."
    total=$(($total+1))
done
echo "Found 5!"
--

The above script: 1) sets total to be 0; 2) starts a while loop, which begins/continues if total does not equal 5; 3) increments $total by 1, then repeats until $total equals 5. $(($total+1)) is the increment line. Test the expr command (like TCL), variable=$(expr 1 + 2). Since it's such an easy function I won't document it too much. You can test it out.

--

until:

# This is an example from Beginning Linux Programming
until who | grep "$1" > /dev/null
do
    sleep 60
done
# now ring the bell and announce the expected user.
echo -e '\a'
echo "**** $1 has just logged in ****"
exit 0
--

All the above does is sleep for 60 seconds if who does not contain the argument you specified. If it does, however, it does a system beep and displays that message.

--

Functions are useful for dividing your code into sections. Example 1:

functioname() {
    echo "This is inside a function"
}

echo "Starting script."
echo "Calling function functioname()"
functioname
echo "End."
exit 0
--

Example 2:

#!/bin/sh
male_function() {
    echo "User is male"
    # Do more stuff
}

female_function() {
    echo "User is female"
    # Do more stuff
}

echo "Are you male or female?"
read sex
if test "$sex" = "male"
then
    male_function
elif test "$sex" = "female"
then
    female_function
else
    echo "Not recognised. Input 'male' or 'female' next time."
fi
--

Okay, well you get the picture of how bash scripting works now, right? Bash scripting is so useful, because you can do such an immense range of things. For example, in my .bash_profile, I have an option to view PortSentry logs, and then after they are displayed, you have an option to print them out, clear them, or back them up.
When my system boots, it calls a script to tail -f /var/log/messages and /var/log/secure and then load an infobot, which all get displayed to TTY8, 9 and 10 respectively. My .bash_logout has an option to back up certain working documents, etc. Anyway, I can't be bothered with any more and sleep is calling me. I hope you picked up the basics without any troubles. If you are eager to learn more, download some bookwares or buy a book.

--
lymco
http://dev.spanner.net

-[ \\\\\\\\\\ ]-----------------------------------------------------------------
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] More Ericsson Fun .....................[ analog ]...............
-[ \\\\\\\\\\ ]-----------------------------------------------------------------

An expansion on Pottsy's article 'Ericsson GH337' which appeared in Infosurge 6.

If, like me, you own an Ericsson mobile of some description, one of the first things you did upon reading Infosurge 6 was whip it out and try the codes and menu functions you read about. This article basically gives a summary of how well this stuff works on a more modern phone (I own an A1018s), a new secret menu for you to play with, and other misc. crap...

--PIN CODE--

When entering your PIN code into an A1018s, the phone will only accept 8 characters. This means that the GH337/8 trick of bypassing the pin-code by hammering in **04*0000*0000*0000# won't work. This would probably be the same for all recent Ericssons (those with multi-line graphical screens for sure), so you can stop eyeing off innocent (and not so innocent) people's mobiles while dreaming of the havoc you could create.

--SECRET MENU v.1.--

OK, this is the same menu detailed in Infosurge 6. Using the following key:

< - Left arrow
> - Right arrow
* - * (duh.)

(key lifted from Pottsy's article.)

you enter >*<<*<* into your phone from the home screen, which will give you some alpha-numeric codes (software release info apparently).
An A1018 (and probably the T10/T18) won't give you the funky FLASH and INIT EEPROM options of the 337; you just get one option: 'n-row texts?' (use the arrow keys to scroll to it from the software release info). This works the same way as the 337's TEXT CHECK and basically allows you to look at all the various bits of text your phone displays.

Interestingly, among the various pieces of text my A1018 has are 'Active Flip' and 'Voice Dial Error - SIM Changed!' (and a plethora of other voice dial related crap) when the A1018 has neither of these features. The only reason I can think of for this is that the A1018, T10 and T18 all have the same software built in, with various features activated or deactivated (makes you wonder about reactivating them all, eh? btw, the T28 and R* series with their different screen type would almost certainly have their own separate software).

While flipping through all this text, you can skip forward 10 spaces by pressing any of the number keys or the * and # keys.

On a final note, when trying this you may find that the secret menu comes up only momentarily before dumping you into the phone book. The solution for this is to pause briefly before keying in the final *.

--SECRET MENU v.2.--

I basically fell ass-backwards into this one when I stuffed up trying out the first secret menu. I think (98% certainty) that this menu controls the phone's 'SIM Security', and it appears on the A1018, T10, almost certainly the T18 and possibly others.

For those of you who don't know what it is, SIM Security is the feature that allows telcos (i.e. Telstra, Optus etc.) to lock a mobile phone so that it only works on their network. This basically allows them to sell the phone to you for a lot less than what it would normally cost, since they're now the only ones who can make any money from it. If you want them to unlock the phone, you have to pay up the remainder of the phone's cost plus a bit extra (for their trouble...)
whereupon they'll fuck with it for all of three seconds, leaving you free to subscribe to any network you please. After two or so years, when the phone's worth crap, you can have the SIM security unlocked far more cheaply.

To get into the SIM security control menu, type in <**< from the home screen.

The SIM Control menu has four possible options, of which only two are displayed at any given time, depending on what SIM Security options are in place. These options are:

  Lock to Network?
  Unlock Network?
  Lock to Network subset?
  Unlock Network subset?

You will only ever see one of the first two options ('Lock to Network?'/'Unlock Network?'), depending on whether or not your phone is locked to a network, plus one of the last two ('Lock to Network subset?'/'Unlock Network subset?'), depending on whether or not your phone is locked to a Network subset. Obviously, you're going to get the two options that reverse those already in place. My phone is locked to a Network but not to a subset, so I get the 'Unlock Network?' and 'Lock to Network subset?' options.

I'm not sure what they mean by a 'Network subset' but I assume that it is either geographical (your phone only works, say, in NSW) or technical (your normally dual-band phone is confined to only use the GSM900 network). Either way, I don't think it's ever used.

Selecting 'Lock to Network' or 'Unlock Network' - whichever you have - will give you the same screen:

  05attempts
  Enter NCK

The NCK (Network Code? Key) is a 4-8 digit numerical key which can also include # but not * (dunno why). If you enter fewer than 4 characters, the phone will just beep when you hit 'YES'. If you enter 4 or more random characters which turn out to be incorrect, the phone will say 'Wrong NCK' and take you back to the home screen. Flicking back to the '(Un)Lock Network' screen, you will find that you now have only 4 attempts remaining.

THERE IS NO WAY TO GET YOUR 5 ATTEMPTS BACK! Once you've blown an attempt it's gone forever.
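The attempt counter is what gives a 4-8 digit code any strength at all: a wrong entry of four or more characters costs an attempt, a too-short entry just beeps, and nothing but the right code gets attempts back. As an added model, not from the article and not Ericsson's code, here is a small Python sketch of a lock verifier that behaves that way, with the counter kept in storage that outlives the menu screen and spent before the code is compared. The storage layout, the constructed NCK '4721#9', the hashing scheme, the behaviour once attempts reach zero and the refill on a correct code are all my assumptions.

```python
import hashlib
import hmac
import os

# Added model (not from the article or from Ericsson): a network-lock
# verifier whose attempt counter behaves the way the article describes.
# Storage layout, code values and the hashing scheme are all constructed.

MAX_ATTEMPTS = 5
CODE_MIN_LEN, CODE_MAX_LEN = 4, 8      # 4-8 characters, per the article
CODE_CHARS = frozenset("0123456789#")  # digits and '#', but not '*'


def _digest(salt: bytes, code: str) -> bytes:
    """Salted hash of a code; only this, never the code itself, is stored."""
    return hashlib.sha256(salt + code.encode("ascii")).digest()


def provision(eeprom: dict, nck: str) -> None:
    """Factory/telco step: write the NCK hash and a full counter to storage.
    The owner never chooses or sees the NCK, as the article notes."""
    salt = os.urandom(16)
    eeprom["salt"] = salt
    eeprom["nck_hash"] = _digest(salt, nck)
    eeprom["attempts"] = MAX_ATTEMPTS
    eeprom["locked"] = True


class LockMenu:
    """The '(Un)Lock Network? / Enter NCK' screen. The dict plays the
    non-volatile EEPROM: a new LockMenu over the same dict stands for a
    power cycle, and nothing done to the menu object restores attempts."""

    def __init__(self, eeprom: dict):
        self.eeprom = eeprom

    def attempts_left(self) -> int:
        return self.eeprom["attempts"]

    def enter_nck(self, code: str) -> str:
        e = self.eeprom
        if e["attempts"] == 0:
            return "exhausted"  # assumption: the menu refuses further entries
        well_formed = CODE_MIN_LEN <= len(code) <= CODE_MAX_LEN and set(code) <= CODE_CHARS
        if not well_formed:
            return "beep"       # malformed entry: rejected, no attempt spent ('*' treated the same, an assumption)
        # Spend the attempt and commit it BEFORE comparing, so that cutting
        # power mid-check cannot be used to keep it.
        e["attempts"] -= 1
        if hmac.compare_digest(_digest(e["salt"], code), e["nck_hash"]):
            e["locked"] = not e["locked"]
            e["attempts"] = MAX_ATTEMPTS  # assumption: a correct code refills the counter
            return "ok"
        return "wrong"


def demo() -> dict:
    """Walk through the screens: a short entry, two wrong codes, a power
    cycle, then the right code. Returns the observed outcomes."""
    eeprom = {}
    provision(eeprom, "4721#9")            # constructed NCK, not a real code
    menu = LockMenu(eeprom)
    seen = [menu.enter_nck("12"),          # too short -> beep, 5 attempts left
            menu.enter_nck("0000"),        # wrong -> 4 attempts left
            menu.enter_nck("1234#")]       # wrong -> 3 attempts left
    menu = LockMenu(eeprom)                # 'power cycle'
    seen.append(menu.attempts_left())      # still 3
    seen.append(menu.enter_nck("4721#9"))  # ok, phone now unlocked
    return {"seen": seen, "locked": eeprom["locked"], "attempts": eeprom["attempts"]}


if __name__ == "__main__":
    print(demo())
```

The two design points worth copying into any lockout of this kind are that the counter is written to persistent storage before the comparison rather than after, and that the stored secret is a salted hash compared in constant time, so neither a power cut nor a read of the storage hands back the code.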
They are not kept track of on the SIM card; turning off the phone and removing the battery won't get them back, and neither will the phone's 'Master Reset', which doesn't do much of anything anyway. If you're doing this on an older phone which has the FLASH or INIT EEPROM options under the first secret menu, you could see if these do the trick. The only other thing I can think of is leaving your phone without its battery for an extended period to bleed the internal backup battery (if one exists) dry, but chances are that the number of failed attempts is stored in a non-volatile EEPROM, and you'll probably need your phone too much to leave it unused for the required period of time.

The second option will be either 'Lock to Network subset?' or 'Unlock Network subset?'. Like I said, I don't think that this is ever used, so you will most likely see 'Lock to Network subset?'. Selecting either will give you a screen similar to the one before:

  05attempts   (why they leave the space out I don't know)
  Enter NSCK

where the NSCK (Network Subset? Code? Key) is another 4-8 digit key. The same bullshit concerning the number of attempts obviously applies here too, so be careful.

You may be wondering what happens when you use up all five of your attempts at cracking the NCK/NSCK. Good question; I haven't gone that far. What I would guess is that those menu options would no longer be available to you and you'd have to take the phone back to the shop for them to put right using a special code, rather like when you forget your PIN - though you'd have a harder time explaining this one to 'em.

As far as I can tell, the NCK/NSCKs are stored within the EEPROM of the phone itself. When trying to lock the phone to a Network or Network subset you cannot make up your own NCK/NSCK like you can when putting a PIN code lock on your phone. As an experiment, I removed my phone's SIM card and antenna and entered a random NCK.
Instead of the 'Network Error' or 'Unable to Validate' message I was hoping for, I got 'Wrong NCK' and lost an attempt. This result is what leads me to believe that the valid NCK/NSCKs are stored on EEPROM.

Of course, if you are so inclined, and have the skills and equipment, you could investigate further. By attaching an oscilloscope or DMM to the electrodes of the SIM card reader, you could monitor its activity as you enter a random NCK/NSCK and see whether or not the phone checks the SIM card for the valid code. Unless you have no objection to possibly stuffing your phone for good, I recommend you don't attempt this unless you're certain of what you're doing. Similarly, you could use a Signal Strength Meter or something to monitor radio traffic to and from your phone and see whether or not it queries the network for the appropriate info. (The immediacy between entering an invalid NCK/NSCK and being told to fuck off kind of rules this one out though.) I'm too poor to buy this equipment, and can't get hold of it through other means ("Hey kid! That's an oscilloscope under your jacket!") so I can't try this out.

Take note of the fact that the 'Lock to Network subset' option is unavailable unless a SIM card is inserted. While the phone's normal menu system refuses to work when no SIM card is inserted, both secret menus are available (with the previous exception).

If you know someone cool who works at a mobile phone dealership, you could probably get these codes, in which case I (and everyone else) wouldn't mind knowing them.

--FINDING YOUR OWN 3l33t SECRET ERICSSON HAX0RING MENUS--

While the above two are the only secret Ericsson menus I know how to access, chances are there are more. Finding them is a two step process:

1) Making sure there's something to find:

This is the easiest part. Using the first secret menu, you scroll through all of your phone's text looking for anything that could be part of another secret menu.
This will be anything you haven't seen before that doesn't sound like a standard feature of the phone. Interesting bits of text in my phone include:

  Cell info
  Bopomofo        (What the fuck?)
  Unlock SP?
  Lock to SP?
  Enter SPCK      (Seems we've found a whole new menu here...)
  SP LOCKED
  SP UNLOCKED

+NOTE: The SP in those last five pieces of text may stand for Service Provider, in which case this may be the SIM Security control menu and everything I wrote about secret menu no. 2 is bullshit. However, I doubt it. Ericsson's documentation only rarely uses the term 'Service Provider' whereas the term 'Network' is common. (Check out the non-secret 'Network' menu if you don't believe me.) What this menu may do is lock the phone to a Service Provider on a shared network. (Many smaller mobile companies rent air-time off the big guys' networks...)

So now you've found some interesting text which seems to be a secret menu. The first thing you want to do is make sure you're not wasting your time. Do this by combing the standard menus and documentation to make sure your 'secret' text is indeed secret. Once you know you've got something good, it's time for:

2) Finding out how to get at the bastard.

While not exactly hard, this is no doubt the most tedious part and where you'll most likely give up. If you haven't already guessed, your task is to - through trial and error - work out the key combination which drops you into your newfound menu. Both of the secret menus explained in this article require some combination of the arrow and * keys, so I'd stick to those. Another similarity is that in both cases you end up in the phone book just before getting your secret menu, but this might just be coincidence. Unless you have a very high boredom threshold, I wouldn't recommend you sit down for a good hour or so of typing random crap into your phone because you'll end up driving yourself insane. Just try out a few random combinations next time you're waiting for a bus or something equally boring.
Oh, and make sure you keep track of what you're typing in; nothing would suck more than finding a really cool secret menu only to forget how you got to it.

--FURTHER INFO--

The best place to find out more about this kind of stuff would be the programming/technical manual that Ericsson no doubt publishes. They're almost certainly not available to the public (I couldn't find any references to them on Ericsson's web site) but who knows? If you do have a cool friend who works at a mobile phone dealership, ask for a copy while getting the NCK/NSCK. Another possibility for the lucky is finding a discarded copy in the rubbish of your local Telstra Shop/Optus World/whatever. Actually, the likelihood of the latter is set to go up (from like 0.01% to 0.015%) with Ericsson rolling out its new product line to replace the current one. First to go seems to be the A1018s, which looks set for replacement by the A2618. Even if you don't get the manual, I gather that there's loads of useful info to be found in the bins of these places, so check them out.

--IN CLOSING--

Remember that a lot of what I've said here is based on inference and theory, so don't blindly accept it as fact. If you have other ideas, or better still hard facts, I (and everybody else I'm sure) wouldn't mind hearing of it - particularly if you have those damn codes. As you can no doubt tell, this article isn't intended as a complete, definitive guide to Ericsson's secret menus, but rather an attempt to give you some useful ideas and get you thinking. Anyway, as what I intended to be a short article has grown to over 200 lines, now would be a good time for me to shut up.

If you have any questions or comments about this article, feel free to contact me at analog@start.com.au

Make yourself heard. ((TM) Ericsson)

-[ \\\\\\\\\\ ]-----------------------------------------------------------------
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] Midget Monkey Knife Fighting ....................[ Fleabag ]....
-[ \\\\\\\\\\ ]-----------------------------------------------------------------

Midget Monkey Knife Fighting
****************************

We've all wanted to see this. I mean, c'mon, what's more exciting than a little person attacking a trained monkey with a knife? Nothing. It was just a matter of time till someone like myself did this. I have a deep resentment of midgets. They get more sex than I do; what foxy lady hasn't thought about having sex with a 3 ft man? As for monkeys, I just like them. I think a properly trained monkey could be a savage machine of death. Don't let the fact they lack thumbs give you the misconception they can't wield a sharp blade. Monkeys will be trained, dwarfs will be kidnapped and forced to fight to the death, bets will be made, and I will be rich.

Basic Rules :
*************

It's a fight to the death; something 3 ft high is getting put in a garbage bag and stuffed into an old lady's recycling bin. Not that I think they recycle dead midgets or monkeys, which brings me to question, why not? That's for another article.

Both parties will be given a knife of their choice. I'm guessing that due to the fact midgets have tiny useless hands they'd choose a small knife; as for the monkeys, it'll depend on the training they've received.

Once inside the 'Circle Of Death' (TM), the bloodshed will start. This won't be for the light-hearted; there's no time-outs now. It's kill, or be killed. Just the way it should be.

No one, not even myself, has the power to stop a match. Not the midget's family, nor the monkey's trainer. Something must die. Slowly and painfully.

***************

In closing, I believe it's just a matter of time before this exciting new sport becomes Australia's favorite pastime. What better way to show that special girl you like her than taking her to watch a primate stick a knife into a deformed person's eye? Having trouble getting the kids to eat their dinner?

"If you eat everything on your plate, I'll take you kids to watch Midget Monkey Knife Fighting..."

I want this sport. You want this sport. Australia wants this sport, and god damn it, we deserve it. Please, do what you can to help the cause: donate money, train a monkey to kill, lock a midget in your basement, feeding him scraps of food from the garbage, beat him, make him angry. I mean, c'mon, what's funnier than a pissed off midget?

Fleabag.
************************

-[ \\\\\\\\\\ ]-----------------------------------------------------------------
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ]
[ \\\\\\\\\\ ] Outro...........................................................
-[ \\\\\\\\\\ ]-----------------------------------------------------------------

We will leave you now with bsdave's very own zeroday stollie exploit. Have fun kiddiez.

  #!/usr/bin/perl
  # hi dave :-)

  visit("bluelight");
  foreach (@chicks) {
      until (drunk) {
          stollie;
      }
      sex;
      boast;
  }

ps: mad propz to "k" for his asKi tekneeq.

. eof .