informis/textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/phreak/CELLULAR/celltest.txt

393 lines
21 KiB
Plaintext
Raw Permalink Normal View History

Initial commit
2021-04-15 13:31:59 -05:00
The following file is a verbatim transcript of an article by the same name appearing in the
January, 1993 issue of NUTS & VOLTS Magazine. The six (6) accompanying photographs
detailing construction have been omitted. Copyright (c) 1992 Damien Thorn and T & L
Publications. Permission is granted to freely distribute this file in unmodified form. Identifying
board headers may be added as desired.
CELLULAR TELEPHONE MANUAL TEST MODE
How to Build and Use Programming Aids
By Damien Thorn
Over the last few months in Nuts & Volts we've taken a close look at cellular technology. From
an overview of the network to a "hands-on" tutorial covering cellular telephone reprogramming.
This article introduces the construction and use of a manual test adapter to assist in
reprogramming or diagnosing problems in various cellular phones.
You can build this device in about five minutes with one part from your local computer store or
Radio Shack. The simplicity is elegant, and belies the powerful control you can achieve over
your cellular hardware. Need to bypass the security code usually required for programming, or
display the relative signal strength indication (RSSI) on a specific cellular channel? With a
manual test adapter you're just a few keystrokes away from this and more.
INTRODUCTION
As I mentioned last month, there is little money to be made by cellular dealers in the sales of
equipment. Hardware prices are so competitive that most dealers sell new equipment at close
to cost. Dealers make their profit through commissions for signing up subscribers for cellular
service, and by installation and repair.
Installing cellular phones is comparable to installing a CB radio, and less difficult than wiring
a car stereo. Modern cellular phones are so reliable that the phone itself rarely needs to be
serviced. Ancillary equipment such as wiring and antennas are usually the cause of any
malfunction. Probably the most common service operation is programming.
Whether you are activating cellular service for the first time, or moving to another city, your
cellular phone must be reprogrammed with specific data supplied by the cellular service provider
(carrier). Even changing the unlock code on the phone requires reprogramming in many
instances, often associated with a fee ranging from $15-50.00.
The vast majority of contemporary cellular phones are programmed by punching in the data right
on the keypad without the aid of any external programming device. And this service is often
performed by shop personnel with little technical skill. With a programming manual in front of
her, I watched the receptionist at a local dealer program a phone that was being exchanged by
a customer.
I use this example to illustrate how easy it is to reprogram a phone. There is really no reason
you or I cannot perform this task ourselves and save money. Reprogramming can also become
a profitable additional service offered by independent technicians.
Motorola's Test Mode
Motorola is probably the largest manufacturer of cellular phones. In addition to their own
brands, they make phones for a plethora of other companies. I've always admired the quality
of Motorola communications equipment, and the test mode engineered into their cellular firmware
has scored them a few more points in my book.
The test mode is designed to be of assistance to cellular technicians in the field, and is entered
by grounding a specific pin on one of the phone's connectors. Once in test mode, the technician
has manual control over many of the functions normally automated by the firmware. The phone
display can now be used to indicate the status of various operational parameters.
The most useful functions to the hobbyist and professional programmer alike are those which
allow the data stored in the Numeric Assignment Module (NAM) to be reviewed and changed.
This is not much different from using the standard programming mode, except no special
keyboard sequences and security codes are required for access. The manual test mode effectively
bypasses the software "front door" commonly used to enter programming mode, and is invaluable
when the security code is unknown or has long since been forgotten.
The rest of this article details the construction of a test adapter and explains its use as applicable
to cellular programming. From this point on I'm assuming you've read my previous article or
otherwise have at least a basic knowledge of cellular programming.
The basic style of the Motorola-manufactured phone will determine how you go about placing
the unit in test mode. Palm-size folded phones and the one-piece hand held devices do not
require and adapter. A jumper between the contact designated as the "test line" and ground is
all that is required.
Activating Test Mode: Hand held Phones
If your phone is one of the hand held types, slide the battery pack off the unit. The battery pack
also serves as the rear of the phone's external case. On the top rear of the phone you should see
twelve contacts arranged in two horizonal rows as depicted in Photo #1.
Before you go any further, you should look at the model number of the phone located on the
back of the handset. A typical model number is "F09FSF9797." The fourth letter (underlined)
in this string is important. This indicates the phone is of the Motorola "F" series and contains
firmware that is programmed to allow us to use the manual test mode. The older "D" series
phones do not contain the appropriate firmware, and are not even programmable from the keypad.
Do not attempt this procedure on a "D" series phone.
Another way to make sure the phone is of the "F" or higher (G, H, I, etc.) series as opposed to
the older "D" series is to examine the plastic shroud which extends from the top of the phone
and partly covers the RF switch/antenna connector housing. The "F" (and newer) series phones
have various notches molded into the plastic shroud as can be seen in the photo.
To reiterate, if the model number contains the letter "D" as the fourth character, it does not have
a test mode, and cannot be reprogrammed from the keypad. Do not attempt to place it in test
mode or you may damage the phone. Once you are certain the phone is of the "F" or higher
series, you may proceed.
The contact which serves as the test line is #6. This is the contact to the far right in the upper
row, and should be the last (and sixth) of the contacts comprising the top row of contacts.
Making a connection between this contact and ground will cause the phone to enter the test mode
when powered up.
The most convenient way I've found to accomplish this in lieu of a special adapter or modified
battery pack is to use a small piece of wire as a jumper. The short lengths that come with the
Radio Shack RS-232 jumper box we'll be discussing later work perfectly, right out of the
package!
To jump contact #6 to ground, I use a very small jewelers screwdriver to carefully wedge one
of the solder-tinned ends of my jumper into the space between the contact and the plastic edge
to the right. The snug fit assures decent electrical contact and helps keep the jumper in place.
The other end of the jumper is gently inserted in the crevice on the RF switch housing. This
bare metal area is the most convenient ground and will even hold the end of the jumper.
Once you have the jumper connected, you need to flatten it against the phone so that you can
slide the battery back on without dislodging it. Photo #2 depicts the jumper in the proper
position to clear the battery pack.
Palm-size Folded Phones
The "Micro TAC" variety of miniature folded phones ("Flip-Fones") manufactured by Motorola
usually require a special battery to activate the test mode. You can simulate this battery with
your standard battery, however.
After removing the battery from the phone, you should see three contacts in a row located in the
lower right area of the phone. The two outer contacts are the battery connections. Positive "+"
is to the left, and negative "-" is to the right.
The center contact is somewhat recessed and does not make contact with the standard battery.
Your battery however, should have a mating third contact present. To place the phone in test
mode, you need to get the center contact to mate with the center contact on the battery. Strategic
use of a small piece of folded metal foil, solder wick or similar conductive material can be used
to extend the center contact on the phone so that it will make contact with the third terminal of
the battery.
If you attempt this procedure, immediately power up the phone to make sure you have not
shorted the battery terminals. If the phone does not come on at all or feels warm to the touch,
quickly remove the battery. A shorted NiCad battery can explode, causing serious injury.
MINI-TR or Silver MiniTac phones
Two specific phones - Motorola's MINI-TR or Silver MiniTac units can be placed in
programming mode by shorting the two contacts of the hands-free microphone connector.
Mobile Installations & Transportable Phones
These common phones are the type that consist of a handset connected to a separate transceiver
unit by a coiled cable resembling the receiver cord of a standard landline telephone. The handset
cable is terminated with a modular connector and plugged in to a jack. The control cable from
the jack carries the handset, power and options wiring. This control cable is connected to the
transceiver with a 25-pin DB25 connector as depicted in Photo #3.
These phones are also placed in manual test mode by grounding the test line. The easiest way
to accomplish this is by building a small test adapter (also known as a "programming aid"). This
device is placed between the control cable and transceiver DB25 connectors allowing all the
signals to pass through unaffected with the exception of jumping the test line to audio ground.
Building the Test Adapter
Construction of the test adapter is pretty straight forward. The same DB25 connectors used by
Motorola have been used for years as the standard RS-232-C connector on computer equipment.
You can easily pick up a serial RS-232 inline jumper box from your local computer, electronics
or Radio Shack store. The part number at Radio Shack is #276-1403 and lists for $9.95 in their
1993 catalog.
The Radio Shack jumper box is designed for maximum flexibility and as such does not have any
of the pins preconnected. Each trace on the circuit board connecting the pins has a small break
which you will need to bridge with solder to allow the signals to pass through. Examine the PC
board before beginning and follow a few of the traces. Note the difference between the break
in each trace and the small solder pads used for connecting jumpers. You only need to bridge
the traces.
Once you've applied a small dab of solder to restore the integrity of each trace, you are ready
to install the jumper. The test line on these Motorola phones is pin #21. Pin #20 is the audio
ground line. You want to jumper (short) these two pins.
Small numbers etched on the PC board indicate the jumper point for each pin. Locate the
numbers 20 and 21 next to the small solder pads. Using one of the short jumper wires provided
with the device, place the ends through these two holes and solder them down on the opposite
side of the board. Photo #4 depicts proper jumper installation, although I left one end of the
jumper unsoldered to illustrate it going through the board to be soldered on the other side.
That completes the construction of a handy programming aid for Motorola cellular phones, and
you have a small packet of left over jumpers that are perfect for jumpering the test line contact
on the hand held units. Be sure to save them.
To use the test adapter, place it between the control (handset) cable and the transceiver as shown
in Photo #5.
Test Mode Commands
Once you've jumpered the appropriate contact or applied the test adapter, it's time to turn on the
phone. When the phone powers up, a series of digits should appear in the display similar to
those shown in Photo #6. They should alternate with another series of digits. This indicates
your phone is in the manual test mode.
One display consists of two numbers, each three digits in length. The set to the right is the
channel number designator for the specific cellular frequency the phone is receiving from your
local cell site (tower). The right-most trio is the relative signal strength indication (RSSI) of the
received frequency.
The seven-digit number alternating with the channel/RSSI display provides the technician with
additional status information. Each individual digit in the field is actually an independent status
register. With a letter substituted for each of the seven digits, this is what they represent:
A B C D E F G
Position A - SAT Frequency. Indicates which of the three SAT lock frequencies is being used
by the phone. In this position a "0" = 5970Hz, "1" = 6000Hz, "2" = 6030Hz, "3" = No SAT
lock.
Position B - Carrier Status indication. "0" = carrier off, "1" = carrier on.
Position C - Signalling Tone. "0" = tone off, "1" = tone on.
Position D - RF Power Attenuation Level. "0" through "7" are valid values.
Position E - Channel designation. A "0" = voice channel, "1" = control data channel.
Position F - Audio Mute (receive). "1" = received audio is muted, "0" = unmuted.
Position G - Audio Mute (transmit). "1" = transmitted audio is muted. "0" = unmuted.
The meaning of all these status registers is fairly complex and has no bearing on cellular
reprogramming. This display, like the majority of the test commands, are only of value to an
engineer placing the phone under test with a cellular service monitor.
Table "A" lists the test commands that can be of assistance in reprogramming. I have omitted
the test commands designed for use with a service monitor, as issuing them without the phone
connected to a monitor may cause interference to the cellular network. You may own the phone,
but the cellular provider owns the FCC license that allows you to use it. Operating the
transmitter in the phone in a manner inconsistent with this license could subject you to loss of
service and possible legal trouble.
Issuing Commands
If your phone did not come up with the status display described above, you may need to
manually instruct the phone to do so. Pressing "#" enters the test command mode, and "02#" is
the command to display the status registers. If you enter a command improperly, the phone will
scroll the word "error" across the display.
If you need to review the current programming data stored in the NAM, enter "55#" which
instructs the phone to enter the programming mode. You can scroll through the contents of
NAM displaying the stored values by repeatedly pressing the "*" key. Actual reprogramming
through this mode is considerably more difficult than through the standard programming mode.
The test mode does not display a step number to let you know what programming step you are
at, and the information is stored and displayed in a different order.
Many programmers simply use this mode to obtain the security code, exit test mode and program
the phone in the normal fashion. As you step through the NAM contents with the "*" key, the
security code is the only six-digit number you'll see that isn't binary. Once you've written it
down, continue to step through NAM until you see the "tick mark" in the display (it looks like
an apostrophe) and exit test mode by turning off the phone.
Motorola designed their phones so that they could only be programmed three times. I don't
know the rationale for this, but a firmware counter increments each time the phone is
reprogrammed, and after the third time it will no longer enter programming mode. The
instruction booklet that accompanies the phone instructs you to take it to the dealer where you
bought it.
If you took the phone to a dealer, they would put the phone in test mode (just like we're doing)
and enter the command "32#" which resets the counter to zero, allowing the phone to be
reprogrammed three more times. Do it yourself and save!
Many phones also have a cumulative call timer that counts the total number of minutes the phone
has been used for calls (actively transmitting). This "autonomous timer" (that you were told was
not resetable) can be cleared and reset to zero by punching in "03#" while in test mode.
Another useful command is "38#" which causes the phone to display the Electronic Serial
Number (ESN) that is burned in ROM. The phone will display the ESN one hex byte at a time.
Press "*" to increment to the next byte. Note that the display shows four numbers. The two to
the left indicate which byte you are viewing (00, 01, 02 or 03), and the actual value of that byte
is at the right of the display.
You can punch in "19#" if you'd like to view the software version number resident in your
phone.
Conclusion
You should now have an understanding of the test mode inherent in cellular phones manufactured
by Motorola, and if you've followed this series of articles in recent issues of Nuts & Volts, the
operation of the cellular network and reprogramming procedures are no longer so mysterious.
Your questions and comments are always welcome, and you can write or send E-mail directly
to me as mentioned below. If plan to do much programming or would like detailed information
on the cellular network, you would benefit greatly by investing in one of the detailed technical
publications offered in these very pages. I've listed the publishers of several good volumes in
a sidebar, and you'll find their ads scattered throughout this magazine.
As a final note, you should be aware that the use of this information is undertaken at your own
risk. Although most of this information was triple-checked against available technical
documentation, none of it originated directly from Motorola. I doubt you'll have a problem, but
you never know when a manufacturer might change their specifications.
******************************************************************************
TEST MODE COMMAND SUMMARY
The following is a summary of some of the commands available from within the test mode on
most cellular phones manufactured by Motorola.
COMMAND DESCRIPTION
# Initial keystroke to enter test command mode.
01# Reboot phone (begin power-up routine).
02# Display status registers.
03# Reset "autonomous timer" to zero minutes.
04# Initialize transceiver.
07# Mute audio (received).
08# Unmute audio (received).
11XXX# Load frequency synthesizer with specific cellular channel (XXX = 3-digit
decimal channel designator).
13# Power down the phone (off).
19# Display software version number.
32# Initialize NAM. Erases all programmed data!
36XXX# Activate channel scanning. Pauses on each channel for XXX milliseconds.
Keying "#" aborts scanning.
38# Display Electronic Serial Number (ESN).
45# Display current relative signal strength (RSSI) of currently loaded channel.
53# Enables scrambler option if phone is equipped.
54# Disables scrambler option if phone is equipped.
55# Programming mode - display/change NAM contents.
******************************************************************************
Sources of Additional Information
The following companies distribute publications that offer detailed instructions and information
pertaining to cellular programming and various aspects of cellular hardware:
Spy Supply
7 Colby Court, Suite 215
Bedford, NH 03110
(617) 327-7272
TeleCode
P.O. Box 6426
Yuma, AZ 85366-6426
(602) 782-2316
Consumertronics
2011 Crescent Drive
P.O. Box 88310
Alamogordo, NM 88310
(505) 434-0234
******************************************************************************
AUTHOR BIOGRAPHY
(For publication)
Damien Thorn's interest in electronics has deep roots. A noted "hacker" and "phone phreak" by
age sixteen, he contributed regularly to the underground newsletter "TAP." Today Damien is
an on-air radio personality and FCC licensed engineer in California's San Joaquin Valley. His
interests include computers, communications, security and privacy issues. He welcomes questions
and comments. You can reach him at 6333 Pacific Ave. #203, Stockton, CA 95207-3713 or via
E-Mail at one of the following: DrDamien@Delphi.com via Internet mail, on CompuServe at
75720,2104, or on Delphi as DrDamien.

Reference in New Issue Copy Permalink