informis/textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/phreak/CELLULAR/cellprog.txt
root@procul 278a90f7ce Initial commit
2021-04-15 13:31:59 -05:00

529 lines
30 KiB
Plaintext
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

The following file is a verbatim transcript of an article by the same name appearing in the
December, 1992 issue of NUTS & VOLTS Magazine. Copyright (c) 1992 Damien Thorn and
T & L Publications. Permission is granted to freely distribute this file in unmodified form.
Identifying board headers may be added as desired.
CELLULAR TELEPHONE PROGRAMMING
Focusing on Fundamentals
By Damien Thorn
The ever-increasing use of cellular telephones has created a market for people with the skills to
install and program them. Installation is no more difficult than installing a CB radio, and
programming is accomplished by entering data via the keypad on the phone. Whether you want
to completely reprogram a new or used phone, or simply change your unlock code, there is no
reason to pay a dealer to do it when you can do it yourself in a matter of minutes.
In the early days of cellular technology, an external device such as a "programming handset" or
ROM programmer was required to "burn" the mobile telephone number and service information
into the phone. Today's cellular phones incorporate resident software that allows you to key in
the required information on the phone itself. When you are finished and satisfied you've entered
the correct data, the phone burns it to non-volatile memory with the push of a button.
To understand why the simple process of programming a cellular phone seems to be an industry
secret, you need to understand that it is a lucrative service offered by cellular dealers. There is
no profit to be made selling the phone hardware. Most dealers sell at close to cost just to remain
competitive. The real profits are derived from commissions received from the cellular carriers
(service providers) for getting customers to sign up with them.
Due to the widespread use of surface mount technology within the phone, service centers almost
always return them to the manufacturer for repair. Fortunately for these dealers, most service
problems are external, involving the antenna, connectors, cables or a need for reprogramming.
These are all relatively simple matters that can quickly be diagnosed and repaired in the shop,
thus generating income. Aside from the Federal and State regulations governing the sales and
service of cellular equipment (because it is a transmitter), only basic electronics skills and
minimal equipment are required to begin such a business.
INTRODUCTION TO CELLULAR PROGRAMMING
The purpose of this article is to present the fundamentals of cellular programming. I've also
included brief reviews and sources of publications that are essential to anyone interested in
pursuing cellular programming as a hobby or profession. The basic principals of programming
are the same from phone to phone. Each manufacturer (or model), however, has a unique
sequence of key strokes to access the programming mode as well as a few other programming
quirks. If you plan to work with more than one brand of phone, a publication containing
programming tables (or "templates") is a must.
The phone used for this article is a common Motorola transportable "bag phone." One reason
for selecting this phone is because I own one. The other is because Motorola is the most prolific
manufacturer of cellular phones. Also, the "universal" nature of the Motorola programming
instruction set used as an example can be used on most of their phones as presented herein.
Not only do they make gear bearing the Motorola brand name, they custom manufacture phones
for a variety of other vendors. Some examples include the brand names Ambassador, America
Series, Dynasty, Modar, Nautilus, Pulsar, Tracer, Blaupunkt, Nissan Infiniti, Toyota LEXUS, and
models for AUDI and Ford.
PRELUDE TO PROGRAMMING
Before you even begin to program a phone, you need to obtain the required data. If you just
want to change your unlock code, then you need to make up a convenient three-digit number.
Activating service on a used phone requires you to obtain certain information from the cellular
carrier providing you with service. Here is a description of the data you will need:
01) System Identification Number (SID): A five digit number that has been assigned to
identify the particular cellular carrier from whom you are obtaining service. This number
identifies your "home" system.
02) Area Code of Mobile Identification Number (MIN): Simply the area code of your
cellular telephone number. MIN is the "official" term for the phone number assigned to you by
the cellular company.
03) Mobile Identification Number (MIN): The MIN is the actual seven digit cellular
telephone number assigned by the cellular carrier exclusively to your phone.
04) Station Class Mark (SCM): A two-digit number that identifies certain capabilities of your
phone. How the cellular network handles your call is based on these digits. The SCM tells the
system whether your phone transmits at standard power levels or low power levels, if it can
utilize the full 832 channels or only the original 666 frequencies. The last attribute identified is
whether your phone employs voice-activated transmission (VOX).
A phone without VOX is continuously transmitting a carrier back to the cell site the entire time
your call is in progress. The VOX operation used in smaller phones allows the phone to transmit
only while you are actually talking. This reduces battery drain and enables handheld phones to
operate longer on a smaller battery than would be possible without VOX.
To determine the proper SCM for your phone, examine Table 1 and use the code that matches
the presence (or absence) of each of the attributes described above.
05) Access Overload Class (AOLC or ACCOLC): A two-digit number used to arbitrate who
gets dropped from the system (or refused access) when there are more calls in a cell than can be
handled at one time. This feature is allegedly disabled in most systems and no preferential
treatment is shown to any particular ACCOLC.
06) Group Identification Mark (GIM): The Group ID Mark is a two-digit number used by
cellular sites other than your home system to determine if you should be allowed access to the
system on "roam" status. This feature is not yet fully implemented.
07) Security Code: This six-digit number is used to prevent unauthorized or accidental
alteration of the data programmed in the phone. The factory default is 000000.
08) Unlock Code: This is a three-digit number required to unlock the phone when you have
electronically locked it to prevent unauthorized use. The factory default is "123", however many
cellular programmers change it to match the last three digits of your MIN (phone number).
09) Initial Paging Channel (IPCH): This is the channel number used by the cellular provider
to "page" the phones in use on the system. The term "paging" refers to notifying a particular
phone that it has an incoming call. All idle phones on a system monitor the data stream on the
IPCH. Non-wireline cellular carriers use channel 0333 as the IPCH, while wireline providers
(operated by a telephone company) utilize channel 0334.
10) Options programming byte A
11) Options programming byte B
The options bytes are six and three-digit binary numbers used to enable or disable certain options
on the phone. Each digit is either a "1" or "0".
Options byte A consists of six bits. We'll label them "ABCDEF" for our purposes, where each
letter represents a bit set to "1" or "0". Here is what each bit controls:
Bit "A" - Handset internal speaker: A "1" in this position disables the internal speaker of your
handset to facilitate the use of an external speaker/microphone combination. This bit is set to
"0" in a normal installation to allow normal operation of the handset speaker.
Bit "B" - Local Use bit provided for certain cellular carrier system requirements. This is
normally enabled with a "1".
Bit "C" - MIN mark bit: Usually disabled with a "0" in this field.
Bit "D" - Auto recall: The auto recall function is always enabled with a "1" in this position.
Bit "E" - Second phone number: If the phone has a dual system registration capability, and you
are in fact registered with two different cellular carriers, the function is enabled with a "1" in this
field. A "0" in this position indicates the standard cellular configuration having just one
telephone number.
Bit "F" - Diversity: This bit is used to enable diversity if your telephone is equipped with two
antenna connections (ports). If your phone uses just one antenna (standard), this bit is set to "1"
to disable diversity.
If the phone was of a standard configuration, the description above indicates that this option byte
would be programmed as "110100" with each bit enabling or disabling the specific option as
appropriate.
Option byte B operates in the exact same fashion, except the byte consists of only three bits,
controlling three options. We'll label the bits "ABC" where each letter represents a specific bit.
Bit "A" - Long tone DTMF: A "1" in this position enables long tone DTMF for end-to-end
signalling. This means that the phone will transmit a DTMF tone for as long as you depress a
key on the key pad. A "0" will disable this feature, causing the phone to send a short burst of
DTMF when you dial, no matter how long you hold down the key.
Bit "B" - A "0" in this position enables the internal speaker of a transportable phone to act as
the "ringer" to signal an incoming call. This feature can be disabled by programming a "1" in
this position if you have some ancillary device connected to signal ringing.
Bit "C" - Eight hour timeout: This feature is normally enabled with a "0" in this position.
When enabled, the phone will timeout and turn off if it has been left on continuously for eight
hours. This helps prevent the phone from completely draining the battery of your car if it is
inadvertently left on for an extended period without being used.
ENTERING PROGRAMMING MODE
Once you have determined the proper values for the data fields described above, you can get
down to the actual programming of the phone. With the above data in front of you, it becomes
a simple matter of punching it all in on the keypad.
To begin programming the phone, you need to enter the programming mode. Almost all
Motorola phones use one of six possible key stroke sequences to gain access to the programming
mode. These are numbered one through six and listed in Table 2.
Indexing the exhaustive list of model numbers to the appropriate sequence number is beyond the
scope of this article. It is not difficult to figure out, and whether or not the phone has a "Fcn"
(function) or "Ctl" (control) key narrows it down to one or two possibilities.
The security code used to enter the programming mode consists of six digits. It is keyed in
twice, as though it were a twelve digit number, and in a couple of the sequences is prefaced with
a zero for a total of thirteen digits. All Motorola phones are shipped new with the factory default
security code set to 000000. Most cellular programmers do not change this, as it only makes
reprogramming more difficult in the future.
Roughly 80% of the phones I've encountered retain the factory default security code. The other
20% had been changed to 123456 by a local cellular dealer. While the security code could
conceivably be any six digit number, you should be aware that this code is only useful to prevent
idle tampering with the programming, not lock out the personnel at other service centers.
The security code is by no means akin to the vault door protecting the contents of Fort Knox.
In the next issue of Nuts & Volts I'll show you how to build manual test adapter from one
inexpensive part obtainable at any Radio Shack store. This device will immediately allow you
to enter the programming mode without the security code. You can then view and change the
security code or all of the programming if you wish.
Once in programming mode, the phone will display "01" which indicates the phone is at the first
programming step (or field). Table 3 is a template of the programming steps, and you'll notice
that the step numbers correspond with the numbers prefacing my descriptions of the required data
above. The phone always displays the two-digit field identifier before displaying the data in that
particular field. This lets you know where you are in the programming sequence.
COFFEE BREAK: TIME FOR AN ASIDE
It would not be unusual for you to feel a bit overwhelmed right now. I was confused the first
time I attempted to program a cellular phone. If this is your first exposure to cellular
programming, may I suggest you grab a cup of coffee and reread the article up to this point
before you actually attempt the programming process.
At first the idea of security codes and determining the proper sequence necessary to access the
programming mode was disconcerting and a bit frustrating. Once this step had been
accomplished, I was delighted to discover how easy the actual programming was.
If you have difficulty accessing the programming mode, here is a helpful tip: Let's say the
phone is quiescent until you've keyed in the entire sequence, including the 13 digits comprising
the security code, but fails to display "01" after the final keystroke. This indicates that you are
using the correct sequence from Table 2, but the security code is incorrect.
If you are using the wrong keystroke sequence to enter programming mode, the phone will abort
in the midst of keying in the security code, because it fails to recognize why you are punching
in all the digits. If you are using the correct sequence to access the programming mode, the
display on the phone will not echo (display) the security code unless you are keying it in too
slowly.
KEYING IN THE DATA
The process leading up to this point is actually the majority of the work involved in programming
a cellular phone. Keying in the data is so easy that it's almost disappointing.
If you've successfully accessed the programming mode, your phone will display "01" to identify
the current field. Pressing "*" advances the display to the data in that field. You can then key
in new data and press "*" to advance to step "02", or press "*" without entering data to retain
the information currently stored within the field.
I just want to change my unlock code, so I need to advance to the field where this data is stored.
A quick glance at Table 3 tells me that my current unlock code is stored in field 08. To get to
this field, I need only to repeatedly press the "*" key to sequence the phone through the fields
without altering any of the data. When "08" is displayed, I know I've arrived at the field
containing my unlock code.
First I access the programming mode on my transportable phone by turning on the power and
keying in sequence number 4 from Table 2. I depress the "control" key on the side of the
handset and quickly punch in "0" followed by my security code twice (123456+123456) and
finally press the "*" key. The display shows "01" to let me know I am at field 01, the SID.
I press "*" to advance to the data, and the display shows "00224" which is my SID. I press "*"
again and the software sequences to the next step. "02" is now on the display. Another "*" and
the phone displays "209" which is the data in field 02 - my cellular area code. Depressing the
star key advances us to step "03" which is my MIN. Pressing "*" displays the contents of field
03, and yes, it certainly is my cellular telephone number (MIN).
Each time I press the "*" key the phone continues to advance to the next field number and then
displays the data stored there. Since I want to change my unlock code, I repeatedly press the "*"
key until the phone displays "08." This is the field containing that code.
Another "*" and my display shows "602" which is my current unlock code. I want to change
it to "977." With the old code in the display (602), I simply punch in the numbers 9+7+7.
The display now reads "977" which will be my new unlock code.
If I continued pressing the "*" key, the phone would sequence through the remaining fields until
it returned to "01." I could then advance through the fields again. You might want to do this,
just scrolling through the data programmed into your phone. Use Table C to identify the fields
as you look at the data stored in each.
If you accidentally alter the data in any of the fields while you are looking around, press the "#"
key to exit programming mode without saving any of the changes to memory. The "#" key will
abort the programming mode, leaving the previously stored information intact.
Since I changed my unlock code, I need to burn the new information to the Numeric Assignment
Module (NAM) in the phone. NAM is the term used to describe the EEPROM chip where the
program data is stored. To save the new information, I press "Snd" (Send). This burns the
changes to the NAM and exits the programming mode.
These are the keys to remember while programming a phone, or just exploring the current
programming: The "*" key advances to the next field or step. The "#" key aborts programming
without saving any changes. The "Snd" key saves all changes to the NAM and exits
programming mode. The "clr" (clear) key will restore a field to the previously stored data if you
make a mistake while keying in digits. You can then reenter the data correctly.
SUMMARY
We've covered a lot of material, and I commend your tenacity. Cellular programming is actually
an easy process. You now have a decent understanding of the fundamentals, and I assure you
that a bit of practice will lead to a surprising proficiency.
The information in this article is specific to cellular equipment manufactured by Motorola. Other
manufacturers use somewhat different templates and methods to access the programming mode.
If you want a deeper understanding of cellular programming or need the exact programming
templates and instructions for a variety of phones, I suggest you buy one of the publications
reviewed here.
If you own just one model of phone and need a template or other basic assistance, I don't mind
helping you out. You can contact me directly via mail at 6333 Pacific Avenue, Suite 203,
Stockton, CA 95207-3713. If you need me to provide detailed information, I would appreciate
it if you'd enclose a few dollars to help offset my expense. I welcome all comments, and
encourage suggestions for future articles.
Building a test adapter for Motorola phones is the subject of my article next month in Nuts &
Volts. Placing a phone in test mode will allow you to bypass the keystroke sequence and
security code to access programming mode. This is a device every cellular service person should
have.
In addition to getting around a security code long forgotten by a customer, you'll learn how to
reset the cumulative call timer, reset the NAM programming to default values and a host of other
interesting test functions such as accessing the built-in relative signal strength indicator (RSSI)
and channel number display available only when the phone is in test mode.
# # #
Table 1
DETERMINING YOUR STATION CLASS MARK (SCM)
Proper SCM Value Attributes of Your Phone
00 Standard power output; 666 channel capability; no VOX operation.
04 Standard power output; 666 channel capability; uses VOX.
06 Low power output; 666 channel capability.
08 Standard power output; 832 channel capability; no VOX operation.
10 Low power output; 832 channel capability; no VOX operation.
12 Standard power output; 832 channel capability; uses VOX.
14 Low power output; 832 channel capability; uses VOX.
The SCM value appropriate to your cellular phone should be entered in programming field "04."
"Standard power" as used above refers to the RF output level of a transportable phone, or one
installed in a vehicle. "Low power" refers to the reduced RF output of handheld units.
Handheld phones utilize a lower power level not just because of their size and battery capacity.
Since the transmitter and antenna are a part of the handset, it was determined that radiating a full
three watts of RF just a few inches from your head might be unhealthy.
# # #
Table 2
PROGRAMMING MODE ACCESS SEQUENCES
#1 - Fcn + [six digit security code] + [six digit security code] + Rcl
#2 - Sto + # + [six digit security code] + [six digit security code] + Rcl
#3 - Ctl + 0 + [six digit security code] + [six digit security code] + Rcl
#4 - Control + 0 + [six digit security code] + [six digit security code] + *
#5 - Fcn + 0 + [six digit security code] + [six digit security code] + Mem
#6 - Fcn + 0 + [six digit security code] + [six digit security code] + Rcl
Note: In sequence #4 the "control" key refers to the audio and ringer volume control button on
the side of the handset if no "Ctl" key is present on the handset keypad.
Example: If the appropriate sequence for my phone is #3, and my security code is 123456, I
would key in the sequence as follows:
A) Turn power on. Display reads "ON."
B) Press: [Ctl], [0], [1], [2], [3], [4], [5], [6], [1], [2], [3], [4], [5], [6], [Rcl].
C) If entered correctly programming mode is active. Display reads "01."
# # #
Table 3
TEMPLATE: SEQUENCE OF PROGRAMMING STEPS
Field Description Digits Typical Example
01 System ID Number (SID) 5 000233
02 Area Code of Mobile ID Number (MIN) 3 209
03 Mobile Identification Number (MIN) 7 555-1212
04 Station Class Mark (SCM) 2 12
05 Access Overload Class (ACCOLC) 2 06
06 Group ID Mark (GIM) 2 10
07 Security Code 6 000000 or 123456
08 Unlock Code 3 123 or last 3 digits of MIN
09 Initial Paging Channel (IPCH) 4 0333 or 0334
10 Options programming byte "A" 6 011100 (binary)
Internal Speaker (1 = disable) X-----
Local Use bit (1 = enable) -X----
MIN Mark bit (usually disabled = 0) --0---
Auto-Recall bit (always set to 1) ---1--
Second Phone Number (0 = disable) ----X-
Diversity option bit (0 = disable) -----X
11 Options programming byte "B" 3 010 (binary)
Long tone DTMF (0 = disable) X--
Ringer/speaker (1 = handset / 2 = transducer) -X-
Timeout (8 hour) (0 = enabled) --X
If second phone number option is enabled and supported by the hardware, this programming
template will repeat for the second phone number. Each field identifier (step) number will be
displayed with a "2" to indicate data for the second number. (e.g. "01 2").
******************************************************************************
SOURCES: A Review of Available Publications
Every month I peruse the pages of Nuts & Volts with an eye for detail unmatched by the best
Revenue Agents employed by the IRS. Why? Because I have an insatiable appetite for
information - especially information surrounding technology that seems "inaccessible" to you and
me. As a result, I've purchased all four publications advertised herein that deal with cellular
communications. Each has unique features and all were worth the money. Here is my opinion
of each:
Cellular Programmer's Bible
The Cellular Programmer's Bible definitely lives up to it's name. Over 300 pages of nothing but
programming instructions for every conceivable cellular telephone manufactured. This tome
includes the factory preset security codes to greatly simplify access to the programming modes
of various phones. In addition to precisely detailing every programming sequence, each entry
includes invaluable technical information on channel capabilities, test modes, and other unique
tidbits applicable to the specific model of phone being described.
This volume is mandatory for anyone considering offering programming services to the public.
I discovered my Pac Tel Cellular customer service rep uses this same publication as his
programming reference, although he carries it in a nondescript binder.
Approximately 400 spiral bound 8.5 x 11" pages. $84.45.
Available from: TeleCode, P.O. Box 6426, Yuma, AZ, 85366-6426. (602) 782-2316.
Cellular Hacker's Bible
The Cellular Hacker's Bible is TeleCode's other cellular publication. About one third of this
book is devoted to programming templates for over thirty popular phones. The balance consists
of an elaborate technical dissertation describing the operation of the cellular network which reads
like a Bellcore technical document (coincidence?). From switching to timing and signalling
protocols - it's all here.
The attention to technical detail can be an engineer's dream or mind-numbing to the casual
reader. Although I occasionally became bogged down in things like "wink start signalling" and
multi-frequency (MF) call routing codes, I appreciated the excruciating detail when I came to the
18 pages listing each and every frequency in the radio spectrum allocated to the cellular network
by the FCC.
The reprogramming instructions are easy to follow, but not as comprehensive as the templates
in TeleCode's other publication (above).
Approximately 180 spiral bound 8.5 x 11" pages. $53.45.
Available from: TeleCode, P.O. Box 6426, Yuma, AZ, 85366-6426. (602) 782-2316.
Cellular Phone Phreaking
Technical documents published "for educational purposes only" by Consumertronics have a
unique format and tone not generally found in other books. John J. Williams, MSEE and
proprietor of the company, has a gift for presenting detailed technical information in an almost
conversational manner full of examples and anecdotes. Cellular Phone Phreaking is no exception.
The programming instructions are equivalent to those contained within TeleCode's Cellular
Hacker's Bible. The technical description of the cellular network is brief, and Williams includes
an abundance of information on how individuals have been known to perpetrate cellular fraud.
Included are relevant excerpts from various communications privacy laws, including the text of
the Electronic Communications Privacy Act (ECPA).
Of value to the technician or monitoring enthusiast are the mathematical algorithms necessary
to determine the cellular channel numbers based on the radio frequencies used.
While informative and entertaining, this book is a bit thin compared to the others, but Williams
crams in a lot of information by using small type and not wasting an inch of space.
Approximately 41 spiral bound 8.5 x 11" pages. $39.00.
Available from: Consumertronics, 2011 Crescent Drive, P.O. Box 88310, Alamogordo, NM
88310, (505) 434-0234.
Cellular Telephone Modification Handbook
The Cellular Telephone Modification Handbook is the one publication reviewed that is not really
a programming manual per se. It is a book explaining in detail how a hacker would change the
Electronic Serial Number (ESN) of a cellular phone. As a "security manual," the book holds
nothing back in precisely demonstrating how criminals can defraud the system by doing so. I
should note that a legitimate application for this information would be to "clone" a phone that
you already own.
By duplicating the ESN of your existing phone into another phone, you could use either unit at
any given time and avoid having to pay for an additional number and service for the second
phone. This seems analogous to adding an extension phone to your telephone service at home.
Why have a separate number for each "extension?" Cellular companies don't like it, but it
doesn't appear to be illegal. Emulating the phone of your local bank president in order to make
free calls is another story entirely.
In addition to basic "universal" programming guidelines, this book includes "screen dumps" of
PROM emulation software, lists of manufacturers' ESN prefixes and System Identification
Numbers (SIDs). Complete with sources for parts and equipment, as well as books and
magazines related to the field of cellular communications.
The representative I spoke with at Spy Supply provides programming support for their customers.
If you need assistance with a specific phone, he'll provide you with programming information
for that particular model at no charge. After purchasing the manual, I tested this service and
found that he could answer every question I threw at him without hesitation. The availability
of this invaluable resource elevates Spy Supply above the ranks of a typical publisher.
Approximately 52 spiral bound 8.5 x 11" pages. $79.95.
Available from: Spy Supply, 7 Colby Court, Suite 215, Bedford, NH 03110, (617) 327-7272.
******************************************************************************
AUTHOR BIOGRAPHY
(For publication)
Damien Thorn's interest in electronics has deep roots. A noted "hacker" and "phone phreak" by
age sixteen, he contributed regularly to the underground newsletter "TAP." Today Damien is
an on-air radio personality and FCC licensed engineer in California's San Joaquin Valley. His
interests include computers, communications, security and privacy issues. He welcomes questions
and comments. You can reach him at 6333 Pacific Ave. #203, Stockton, CA 95207-3713 or via
E-Mail at one of the following: DrDamien@Delphi.com via Internet mail, on CompuServe at
75720,2104, or on Delphi as DrDamien.

Reference in New Issue View Git Blame Copy Permalink