informis/textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
master
textfiles/phreak/CELLULAR/cpp.phk
root@procul 278a90f7ce Initial commit
2021-04-15 13:31:59 -05:00

1373 lines
74 KiB
Plaintext
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
THE HIGH TECH HOODS and
A-CORP PRESENTS.....
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% %%%
%%% THE ULTIMATE CELLULAR %%%
%%% PHONE PHREAKING %%%
%%% MANUAL #1 of 2. %%%
%%% %%%
%%% COMPILED BY %%%
%%% THE RAVEN %%%
%%% %%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Hmmm.... Another text file.. Make sure that you keep this one for your
collection!! There is no other text file that is more complete or up-to
date that explains cellular phone phreaking like this one for 1992!!!
Since this is going to be a complete manual it has been broken-up into
2 parts so this is manual 1. I'm hoping that there will be some info.
on cellular phreaking published in PHRACK that may be able to help you and
me with our endevors but I'm waiting.
Another thing that I just found out is that the Hack/Phreak Community is
in need for a BBS that doesn't give bullshit info (most do!) and thats cause
our world has been infiltrated with narcs and telco/bell agents that try to
spread as much misinformation as possible!! But there are a few bbs's that
keep the faith and they will be listed at the end of this text.
THE RAVEN
+=======+
-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
INDEX....
I. Improved Mobile Telephone Service (IMTS)
II. General Information
III. Cellular Freqs. & Channels
IV. The Cell & It's Structure
V. Equipment Description
VI. More General Info.
VII. Roaming
VIII. NOTE
=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
CELLULAR PHREAKER TYPES
-----------------------
There are two types of cellular phone phreakers. The first type is the one
whos's intrested in scanning cellular phone channels basically to overhear
conversations. The second type is the one who obtains and modifies cellular
equipment so that he can make free phone calls at someone elese's expense.
I. IMPROVED MOBILE TELEPHONE SERVICE
This system that was used prior to cellular phones was the Improved Mobile
Telephone Service (IMTS), which was much easier to scan for.
Most scanner enthusiasts are familiar with this standard mobile phone
system; this system has gone thru little evolution in the past decade in the
U.S. It has remained a considerably limited service. A large metro area may
only have several hundred users, (New York City has about 900 mobile phone
subscribers) dur largely to limitations imposed by spectral overcroeding.
Land mobile commo has seen a 10-12% annual growth rate for the past two
decades. The result is that the 40, 150 and 450 MHZ bands are overcrowded.
Even the utilization of the new 900 MHZ band (with 30-40 times more channels
available than other bands) is a short-lived solution to the problem.
IMTS freqs (MHZ):
Channel Base Freq. Mobile Freq.
-----------------------------------------
VHF LOW BAND
ZO 35.26 43.26
ZF 35.30 43.30
ZH 35.34 43.34
ZA 35.42 43.32
ZY 35.46 43.46
ZR 35.50 43.50
ZB 35.54 43.54
ZW 35.62 43.62
ZL 35.66 43.66
VHF HIGH-BAND
JL 152.51 157.77
YL 152.54 157.80
JP 152.57 157.83
YP 152.60 157.86
YJ 152.63 157.89
YK 152.66 157.92
JS 152.69 157.95
YS 152.72 157.98
YA 152.75 158.01
JK 152.78 158.04
JA 152.81 158.07
UHF BAND
QC 454.375 459.375
QJ 454.40 459.40
QD 454.425 459.425
QA 454.45 459.45
QE 454.475 459.475
QP 454.50 459.50
QK 454.525 459.525
QB 454.55 459.55
QO 454.575 459.575
QA 454.60 459.60
QY 454.625 459.625
QF 454.650 459.650
The VHF high-band freqs. are the most popular IMTS channels. If you live
within 25-50 miles of even a moderate sized town, you should have at least
one VHF high-band channel. VHF low-band IMTS is used in rural areas and
those with hilly terrain. UHF IMTS is primarily used in cities where the
VHF channels are crowded. If you live in a major city, expect to have most,
if not all, of these channels available to you.
II. GENERAL CELLULAR INFO
This section is a little boring but it's needed to set a basic foundation
of cellular phone phreaking so that part 2 doesn't sound like all
technicial talk!
The FCC originally estaablished 3 cellular bands. One was given to the local
Bell or Telco, (wireline carrier), one to an independent firm (non-wireline
carrier), and one reserved for future use. Originally there were 666 cellular
freqs or channels. In recent years the FCC has tacked on another 156 freqs
for a total of 832 freqs, and all cellular makers have upgraded their phones
to accomodate the new channels. Some of the new channels appears above the
original 666 while others appear below.
The cellular system cannot know whether or not a cellular phone can be
switched to one of the 156 channels without the phone telling it. This is done
by the Station Class Mark (SCM), which is a 4-bit binary number.
(1) Bit #1 is "0" for 666 and "1" for 832
(2) Bit #2 is "0" for a mobile unit and
"1" for a voice activated transmit.
(That saves batteries on portables.)
(3) Bit #3 and #4 identify the power class
of the phone:
"00" = 3 watts
"01" = 1.2 watts
"10" = 0.6 watts
and "11" is not assigned.
The old traditional scheme for handling cellular traffic is the analog
method or Frequency-Divison Multiple Access (FDMA). How the FDMA works is
that free channels are found and each transmitter is assigned to one of them.
When the call finishes, th echannels are freed up for the next call. Also, as
the two parties become physically closer or more distant as they drive or
travhghhggytel the call may be handed off to other freqs assigned to the new cells
they are in.
Newer proposed schemes include Time-Divison Multiple Acess (TDMA) and Code-
Divison Multiple Acess (CDMA). IN TDMA systems, calls may simultaneously use
the same channels but are interspered between the pauses in the conversation.
Many pauses result not only in the way people normally think and talk but when
one party is talking, the other is listening. With TDMA, the Cellular Phone
Company (CPC) injects small delays in parts of conversations to accommodate
other traffic on that channel. This increases the lenght of the average phone
call, which also increases their profits from it - not to mention the fact
that they can increase there output by the factor of 3 and also then expand
their operation.
CDMA is a system that's been used by military for the past 30+ years. CDMA
appears to basically be a system where conversation are compressed into coded
bundles and then decompressed at the other end.
A Cellular Mobile Telephone (CMT) is one that is installed in a vehicle,
aircraft, watercraft or whatever, as opposed to a transporable or portable
unit.
III. CELLULAR FREQS & CHANNELS
There are 832 cellular phone channels. 416 of these are allocated for the
non-wireline services (Band A), and 416 for the wireline services (Band B).
Each of these channels have two freqs, spaced 45 MHZ apart, that operate in
a full-duplex mode. The lower freq is for the phone unit, while the upper is
for the cell or basesite. Of the 416 channels, 21 are digital data control or
"set up" channels and 395 are voice channels. Channels are numbered 1 thru
1023, and there is a gap from 800 to 990.
Rather than producing a list of 1646 cellular freqs, I have provided the math
eqations that can be used to calculate them. These equations can be programmed
into computers and calculators.
N = Cellular Channel # F = Cellular Freq
B = 0 (mobile), or B = 1 (base)
CELLULAR FREQS from CHANNEL #S:
-------------------------------
F = 825.030 + B*45 + (N-1)*.03
WHERE: n = 1 to 799
F = 824.040 + b*45 + (N-1)*.03
where: N = 991 to 1023
CELLULAR CHANNEL #s from FREQS:
-------------------------------
N = 1 + (F-825.030-B*45)/.03
Where: F > = 825.030 (mobile)
or F > = 870.030 (base)
N = 991 + (F-824.040-B*45)/.03
Where: F < = 825.000 (mobile)
or F < = 870.000 (base)
If the system uses OMNICELLS, as most do, you can readily find all the
channels in a cell if you know just one of them, using tables constructed
from these equations. Band A uses channels 1-333 under the old 666-channel
system. To that have been added 667-716 and 991-1023 under the new 832-channel
system. Band B uses channels from 334-666 under the old system, plus 717-799
under the new system.
IV. CONTROL & VOICE CHANNEL ALLOCATIONS
---------------------------------------
(D=DESIGNATOR, CC=CONTROL CHANNEL, VC=VOICE CHANNEL)
NON-WIRLELINE SERVICES (BAND A)
-------------------------------
D = 1A : CC = 313 : VC = 1,22,43,64,85,106,127,148,169,190,211,232,253,274,
295,667,688,709,1003
D = 2A : CC = 314 : VC = 2,23,44,65,86,107,128,149,170,191,212,233,254,275
296,668,689,710,1004
D = 3A : CC = 315 : VC = 3,24,45,66,87,108,129,150,171,192,213,234,255,276
297,669,690,711,1005
D = 4A : CC = 316 : VC = 4,25,46,67,88,109,130,151,172,193,214,235,256,277
298,670,691,712,1006
D = 5A : CC = 317 : VC = 5,26,47,68,89,110,131,152,173,194,215,236,257,278
299,671,692,713,1007
D = 6A : CC = 318 : VC = 6,27,48,69,90,111,132,153,174,195,216,237,258,279
300,672,693,714,1008
D = 7A : CC = 319 : VC = 7,28,49,70,91,112,133,154,175,196,217,238,259,280
301,673,694,715,1009
D = 1B : CC = 320 : VC = 8,29,50,71,92,113,134,155,176,197,218,239,260,281
302,674,695,716,1010
D = 2B : CC = 321 : VC = 9,30,51,72,93,114,135,156,177,198,219,240,261,282
303,675,696,1011
D = 3B : CC = 322 : VC = 10,31,52,73,94,115,136,157,178,199,220,241,262,283
304,676,697,991,1012
D = 4B : CC = 323 : VC = 11,32,53,74,95,116,137,158,179,200,221,242,263,284
305,677,698,992,1013
D = 5B : CC = 324 : VC = 12,33,54,75,96,117,138,159,180,201,222,243,264,285
306,678,699,993,1014
D = 6B : CC = 325 : VC = 13,34,55,76,97,118,139,160,181,202,223,244,265,286
307,679,700,994,1015
D = 7B : CC = 326 : VC = 14,35,56,77,98,119,140,161,182,203,224,245,266,287
308,680,701,995,1016
D = 1C : CC = 327 : VC = 15,36,57,78,99,120,141,162,183,204,225,246,267,288
309,681,702,996,1017
D = 2C : CC = 328 : VC = 16,37,58,79,100,121,142,163,184,205,226,247,268,289
310,682,703,997,1018
D = 3C : CC = 329 : VC = 17,38,59,80,101,122,143,164,185,206,227,248,269,290
311,683,704,998,1019
D = 4C : CC = 330 : VC = 18,39,60,81,102,123,144,165,186,207,228,249,270,291
312,684,705,999,1020
D = 5C : CC = 331 : VC = 19,40,61,82,103,124,145,166,187,208,229,250,271,292
685,706,1000,1021
D = 6C : CC = 332 : VC = 20,41,62,83,104,125,146,167,188,209,230,251,272,293
686,707,1001,1002
D = 7C : CC = 333 : VC = 21,42,63,84,105,126,147,168,189,210,231,252,273,294
687,708,1002,1023
WIRELINE SERVICES (BAND B)
--------------------------
D = 1A : CC = 334 : VC = 355,376,397,418,439,460,481,502,523,544,565,586,607
628,649,720,741,762,783
D = 2A : CC = 335 : VC = 356,377,398,419,440,461,482,503,524,545,566,587,608
629,650,721,742,763,784
D = 3A : CC = 336 : VC = 357,378,399,420,441,462,483,504,525,546,567,588,609
630,651,722,743,764,785
D = 4A : CC = 337 : VC = 358,379,400,421,442,463,484,505,526,547,568,589,610
631,652,723,744,765,786
D = 5A : CC = 338 : VC = 359,380,401,422,443,464,485,506,527,548,569,590,611
632,653,724,745,766,787
D = 6A : CC = 339 : VC = 360,381,402,423,444,465,486,507,528,549,570,591,612
633,654,725,746,767,788
D = 7A : CC = 340 : VC = 361,382,403,424,445,466,487,508,529,550,571,592,613
634,655,726,747,768,789
D = 1B : CC = 341 : VC = 362,383,404,425,446,467,488,509,530,551,572,593,614
635,656,727,748,769,790
D = 2B : CC = 342 : VC = 363,384,405,426,447,468,489,510,531,552,573,594,615
636,657,728,749,770,791
D = 3B : CC = 343 : VC = 364,385,406,427,448,469,490,511,532,553,574,595,616
637,658,729,750,771,792
D = 4B : CC = 344 : VC = 365,386,407,428,449,470,491,512,533,554,575,596,617
638,659,730,751,772,793
D = 5B : CC = 345 : VC = 366,387,408,429,450,471,492,513,534,555,576,597,618
639,660,731,752,773,794
D = 6B : CC = 346 : VC = 367,388,409,430,451,472,493,514,535,556,577,598,619
640,661,732,753,774,795
D = 7B : CC = 347 : VC = 368,389,410,431,452,473,494,515,536,557,578,599,620
641,662,733,754,775,796
D = 1C : CC = 348 : VC = 369,390,411,432,453,474,495,515,537,558,579,600,621
642,663,734,755,776,797
D = 2C : CC = 349 : VC = 370,391,412,433,454,475,496,516,538,559,580,601,622
643,664,735,756,777,798
D = 3C : CC = 350 : VC = 371,392,413,434,455,476,497,517,539,560,581,602,623
644,665,736,757,778,799
D = 4C : CC = 351 : VC = 372,393,414,435,456,477,498,518,540,561,582,603,624
645,667,737,758,779
D = 5C : CC = 352 : VC = 373,394,415,436,457,478,499,519,541,562,583,604,625
646,668,738,759,780
D = 6C : CC = 353 : VC = 374,395,416,437,458,479,500,520,542,563,584,605,626
647,669,739,760,781
D = 7C : CC = 354 : VC = 375,396,417,438,459,480,501,522,543,564,585,606,627
648,719,740,761,782
To summarize how a cellular call is made: A mobile unit wishing to make a
call will go off-hook and then transmit the digital source and destination
codes on a control channel (used to set-up and monitor the call), and are
just strong enough to reach the base station in the local cell. Upon getting
this data, the base, thru its control freq (same channel), validates the
mobile unit.
The base station then fowards a message to the central switching office on
a land line, which in turn sends the paging signal to all cells in search of
the second mobile unit whos number has been dialed. When the destination unit
is finally found, it responds to the paging signal by transmitting an
acknowledgement code to its local base station on a control channel.
The switching center then assigns a pair of unused freqs (called the,
"channel Pair") to each of the unit for actual voice commo to take place.
These channel pairs are not neccesarily the same for the respective cells
that each mobile unit is in. These freqs are also relayed thru the base
stations and to the central switching office.
When a unit moves into another cell, things get very interesting. Upon
entry into another cell, the mobile unit must transmit thru a new base
station. An automatic handoff to the new base station is carried out by
another exchange of data thru the control channel.
Termination of the call is a simple matter. When the call ends,ON-hook
signals are exchanged via the control channels between the mobile unit and
the base station. The voice channels are then cleared.
IV. THE CELL & IT'S STRUCTURE
The cellular phone system uses a "honeycombed" hexagonal cell architure.
Each of the cell types (A-G) differ from each other only in the freqs.
allocated for them. This represents how a cellular system might be laid out.
Cells A and B never share a common border. Neither do B and C, A and G,
etc. Cells that are next to each other are never assigned adjacent freqs.
They always differbu\y at least 60 KHZ. To track a mobile phone as it
changes cells, lets put the mobile in a B cell. When the mobile switches
freqs. you know that it could only go to a D, E, F, or G cell because A and
C have adjacent freqs. The two tables below will help you determine which
Channel cell can go next to each other. You can contact your local cellular
phone company and see if they have any maps of the cell available in your
area (please get a copy for us also). They're not obligated to give you maps
but it's worth the try.
ADJACENT CELLS
--------------
Cell Adjacent cells
A C,D,E,F
B D,E,F,G
C E,F,G,A
D F,G,A,B
E G,A,B,C
F A,B,C,D
G B,C,D,E
The only fundamental point of cellular technology actually agreed upon to
date is that a given service area will be divided into identical adjacent
cells with no overlaps and no gaps. The hexagon is the standard cell
patteren. At the center of an individual cell is a base station which is
conected via land line to a local mobile phone switching office. Certain
freq bands are assigned to certain cells, but not shared with adjacent cells
to avoid mutual interference.
In 1979, AT&T began test marketing its version of a cellular phone system
in Chicago. This system is call the Advanced Mobile Phone System (AMPS)
Some 2100 sq miles of the metro Chicago area are divided into 10 cells to
serve about 2000 customers. Full duplex is possible by using a pair of one
way channels separated by 45 MHZ to connect the mobile units with the base
stations. The RF range is 825-890 MHZ and normal narrow band FM is used to
transmit voice. Hand-off to adjacent cells is accomplished by monitoring
signal strengths. When the central switching office determines that a new
base station receives the mobile signal better than the previous one, the
switching office signals thru the voice channel for the mobile phone to
switch to a new channel. Commo distruption thru the switching process is
typically 50 milliseconds.
As with IMTS, there is the possibility of phreaking calls with IMTS or AMPS
simply by monitoring the control channels since they are in dial pulse form.
After you have a nice set of numbers, you will neeed a transmitter of
sufficient strenght to reach the base station (unlicenced transmitter of
course!). Duhh
Many regulatory and implementation issues remain unsolved. Modulation issues
are the biggest problem to be solved. Single sideband AM, narrow band FM,
digital and spread-spectrum techniques are all being considered. If you have
any info that may be able to break this down for fellow hackers/phreaks
please leave me mail.
V. EQUIPMENT DESCRIPTION
Most mobile phones have two primary pieces of equipment. These are the
transceiver (transmitter-receiver pair) and the control head.
The transceiver is usually a metal box with three connectors. They usually
contain two circuit boards. One is the transceiver unit itself, and the other
is a logic board consisting of a uP, ADC and DAC, and control logic. The
transceiver is usually mounted in the trunk or sometimes under the hood, and
is connected to both the ignition switch and car battery. A control/audio
(shielded) links the equipment together.
The control head is a touch-tone phone handset with the extended keypad,
alphanumeric display and controls (i.e. mike, volume). Usually there is a
separate speaker installed in the cradle for on-hook dialing, call progress
monitoring and speakerphone operation. If the CMT has a speaker phone option
a small mike is usually mounted to the sun visor. Some cellular phones are
voice-activated. If battery-operated, this saves the battery and also makes
answering the phone easier. The control head and cradle assembly is usually
bolted to the hump between the two front seats for security purposes.
Most early CMT's use the AMPS bus (developed by AT&T) which uses a system
of 36 wires in a rather bulky and stiff control/audio cable. Some makers now
use their own bus, such as Novatel's serial bus, which specifies a thin cable
consisting of a few wires, and is much easier to install and dependable to
use. In almost all cases, a CMT is powered by regulated 12 volts from standard
13.8 volt car battery. At least 5 amps (continuous) is required.
Mobile cellular antennas are usually short (less than one foot long),
vertically-mounted stiff wire with a few turns in the middle that acts as a
phasing coil in a 5/8-wave configuration. The antenna is generally mounted
either thru a hole in the roof or at the top of the rear winshield using
silicone rubber cement with conductive plates on both sides to pass the RF
thru the glass (some RF losses result from this method but you don't have to
maim your vehcle). A 50 ohm coax cable (ex: RG-58/U) links the antenna to the
transceiver with a male TNC type UHF connector. A ceramic duplexer permits
the transmitter and receiver to share the same antennas at the same time.
CMT roof-mounted monopole antennas are designed to work with the ground
plane (ie: the vehicle's body, if metal). However, for fixed (ie: home-base)
use, an "extended-feed" or voltage-fed coaxial antenna (requires no ground
plane) can be used. A capped PVC pipe makes an ideal rooftop housing for
this type of antenna-both weatherprofing and concealing it. Note that altho
cellular systems are designed for inefficient antennas, for fixed use it is
preferred that you use the best antenna you can get.
Interfacing audio devices (ex Blue Boxes, other tone generators) to a CMT
can be done by coupling the device's output thru an audio coupling
transformer wired across the control head's mike lines. A 600-ohm audio
coupling antenna is availble from Radio Shack (273-1374). Be sure to DC
isolate the phon circuity by wiring the transformer in series with a
non-polarized capacitor of at least 1.0 uF and 50 volts. If you can locate
the bus that carries the audio, then coupling across it is preferred.
An acoustic modem can be coupled to a CMT eithrer thru the mouthpiece or by
connecting the mike and speaker wires to those in the control head or bus
lines. Any direct-connect devices (ex: answering machines, modems, standard
phones, etc) can be connected to a CMT thru the AB1X cellular interface
made by : Morrison & Dempsey (818 993-0195). This expensive device is
basically a 1-line PBX that connects between the transceiver and control
head and provides an RJ-11C (quick-connect) jack that accepts any direct-
connect phone accessory. It recognizes both touch-tone and pulse dialing,
provides the ringing voltage and generates dial and busy tones as needed.
VI. GENERAL PHREAKING INFO
----------------------
Some Definitions:
* Control Channel: The channel the phone and cell base first communicate on.
* Reverse Control Channel: The opposite freq, 45MHZ lower then the control
channel. This is where the mobile unit is.
* Voice Channel: The channel you are assigned by the switch to start the call
after the exchange of suscriber data.
* Revese Voice Channel: Again 45 MHZ lower.
* Switch: The computer that places the calls, and takes and receiver data
from the subcriber or from the PSTN. (Pubic Swithced Telephone Network). That
should get things started. A suscriber picks up his handset to place a call.
QUESTIONS AND ANSWERS
---------------------
The following questions & answers were taken from THE SOURCE BBS a.k.a.
THE NEW YORK HACK EXCHANGE
BCOM> I want to get into cellular phone phreaking but I dont know anything so
I'm depending on you guys to help me out from the VERY basics!
What is cellular; a cellular phone?
RAVEN> A 800 MHZ radiotelephone, running 3 watts, with the ability to change
channel on computer command from the central swith. This happens when
you travel thru the service area and your signal becomes stronger at a
neighboring cell base station.
BCOM> They are marketed as a high security device with no possibility of
anyone making a phoney call & charging it to someone else, how can it
be phreaked?
RAVEN> An understanding of the phone revels that every time a call is made,
the phone number, an electronic serial number, and oother data is sent
to the switch. If you were to listen to the opposite side of the
control channel as the cell is being "set up" you would hear this data
being transmitted to the switdch in NRZ (Non-Return to Zero) code.
All one has to do, is record this info and program the bogus phone to
these params, and then a free call is possible thru the switch.
BCOM> Has anyone done this yet?
RAVEN> HELL YEA! about 6 months after the first cellular phone system was
"turned-up", a technician programmed a Panasonic telephone with a
NEC ESN (Electronic Serial Number). And there have been many other
cases since then. With the popular ROM programmers avaible today,
almost any NAM (NUmeric Assignment Module) can be duplicated or
copied with changes. (The NAM is the heart of the billing info and
contains the phone number but not the ESN) The most popular integrated
circut for NAMs is the 74LS123.
BCOM> Sounds like a lot of trouble, is there easier ways to get service?
RAVEN> SURE, the cellphone companies have been their own downfall, In an
effort to market their wares as a universal service. Nobody can tell
if a phone from another city (that has a roaming agreement) is valid
until its too late. The only thing they could do after finding out is
block any call with bad ESN because as we know, the phone number is
easy to change, but the ESN is not.
So here's a likely scenario====> A roamer identifying itself as a number
from a Chicago non-wireline accesses a cellular system in Dallas. An operator
may intervene but you can usually BS or "Social Engineer" them as long as
you know the data you have programmed into your phone. Then you make calls
just like your a local user. If your found out, you change the number to
another, and see if that works.
The phone is locked onto the strongest control channel in the area by a
computerized scanner in the phone. As the user drives thru the service, a
computer constantly picks out the strongest control channel and stays on it,
altho more than one cell site can actually be herd. The subcriber enters
the number to call on the keypad, and presses the "send" button.
At this time the following data is transmitted to the cell site by the
mobile. The callers ESN, his home system number (two digits), his mobile's
area code and phone number, and the called number. The cellular switch now
picks up an outgoing line, places the call for him and tells the mobile unit
to switch to a voice channel. The two ends are linked in the central switch
and the two parties are connected up in about 3 seconds.
I have purposely over-simplified the whole process to point out the moment
of truth. The mobile's ESN and phone number and data in the switch must match
or no go. This is required for billing purposes. If one had the ESN and the
mobile phone number, he could then calll anytime anyplace without fear of a
trace - let alone a bill. The ideal setup would let you listen to the reverse
control channel, record and display herd working numbers and ESN's, and
recall them as one needs them to make calls.
This would be it but we are not quite there yet. But some hard work has
already been done for us. All the aforementioned codes are sent in hex, in
NRZ code (phancy term for phase shift keying), but the phone already has, for
example, a NRZ receiver and transmitter built right into it. All that has to
be done is to have a receiver on the reverse control channel, recover the
other users data and save it or at least print it out.
The mobile radio data book show some good technical info on the systems used
and chip part numbers for the NRZ stuff. For example, at least one cellular
phone maker uses the 8085 chip for the control head functions - a popular
and well understood chip by many.
Most cellular phones include a crude password system to keep unauthorized
users from using the phone - however, dealers often set the password (usually
a 3 to 5 digit code) to the last four digits of the mobile phone or there
home phone. If you can find it somewhere on the phone then your in luck!!
If you can't find it then I guess you gotta hack it. It souldn't be that
hard since most people aren't smart enogh to use something besides "11111",
"12345", or whatever, it will be like Hacking a VMB.
If you want to modify the chip set in the cellular phoneyou got, there are
two chips (of course this depends on the model and maker - your may be
different) that will need to be changed - one installed by the maker usually
eepoxied in with the phone's ID number, and one installed by the dealer with
the phone number, and possible the security code. To do this youll obviously
need an EPROM (Erasable Programmable Read-Only Memory) burner, as well as the
same type of chips used in the phone (or a friendly & unscruplus dealer!).
As to recording the numbers of other mobile phone customers and using them;
as far as I know it is quite possible, if you got the equipment to record and
decode it. The cellular system would possibly freak out if two phones (with
valid ID/phone number combinations) were both present in the network at once,
but it remains to be seen what will happen.
The MIN is the Mobile Identification Number (includes the phone number, and
it is stored on the NAM ROM). Stolen and spoofed ESN's and MINs are good for
about a month. Once a bad MIN is revealed, the legit user's MIN is changed
by the Mobile Telephone Switching Office (MTSO) and they arrange for a new
NAM ROM to be installed in the users legit unit. Of course MTSO keeps a
database of all legit,illegit and deadbeat MIN/ESN pairs. However, the MTSO
will allow a illegit MIN/ESN pair to continue to function beyond its
discovery in hopes of discovering who the phreaks are.
One of the properties of cellular phone system is that the transmitter
freqs may be changed or "hopped" in the constant effort to allocate freqs.
Because of freq. hopping it is very difficult triangulate a CMT using
standard RF directional finding methods. It is known that a directional
antenna randomly aimed at cellsite repeaters will confuse directional finding
equipment being used by them that is synced to their freq. hopping scheme.
ROAMING
Since cellular technology often results in physical seperation between the
caller and-or callled party from landlines, because it offers thousands of
lines to choose from, because freq. hopping occurs, and because the caller
and-or called party can be rapidly moving from one location to another,
cellular phnes are the safest form of phreaking. "Roaming" is one form of
cellular phreaking.
Roaming occurs when a CMT is used in a cellular system other than the one
indicated in the NAMs SID. This is called "ROAMmode", and the ROAM indicator
on the control head will light. A CMT can roam into any system its home CPC
has a roaming agreement with, and most CPC's now have roam agreements with
each other. Not every system pays attention to a "Roamer" from outside the
system as cosely as they do a local suscriber. In their mad rush to offer
cellular as "universal" service, they screwed up. If there's no roam
agreement, the MTSO will transmit a recorded message to the CMT with some
instructions to call the CPC, and gives his name ,MIN,ESN and credit card
number. All roamed calls will then be completed by the MTSO and billed to the
credit card account. This procedure is becomming less common as more roam
agreements are made.
Usually, CPC can only determine if a roamer came from a system with which
it has a roaming agreement - nit the creditworthiness of the roamer.
Consequently, many CPCs have been ripped-off by roamers who've been denied
service on their home system because they are deadbeats. Once the home CPC
is billed for the roaming services provided by the remote CPC to the phreaker
or deadbeat, it will notify the same to add that ESN/MIN pair to their
MTSO's "negative verify" file to prevent future abuses.
Several independent firms are establishing systems software and data
networks to allow POSITIVE ROAMER VERIFICATION (PRV), which allow near real
time roamer validation bt sharing data between CPCs. Until PRV becomes
universal, even bogus ESNs and MINs can roam if they follow the standard
format, alto some CPCs are sharing roam data on a limited basis to prevent
this. Even with PRV, ESN/MIN pairs that are spoofed to match valid accounts
will be accepted both by thier home CPC and roamed CPCs, until the legit
customer complains about the calls he didn't make. And even without PRV,
some CPCs automatically share ESN and MIN data. This frequently occurs
between the CPCs in major cities and those in their bedroom communities.
To call a roaming CMT, the caller must know which system that unit is in,
which can be a real trick since he may be on the road at the time. He then
calls the CPC's roaming number. Roaming numbers vary but usually are in the
phone number format (with area code, with the last four digits being
"ROAM", and with the 3 middle digits being the remote CPC's exchange).
When that number is called, a dial or ready tone is returned, after
which the roaming CMT's full MIN is entered in Touch-Tone. After several
seconds, the CMT will ring or the caller will hear a recording stating
that the roaming CMT is out of range or busy. Telocator Publications
(202) 467-4770 publishes a nationwide roaming directory for travellers
with celluar phones.
For example: I access the Cleveland Ohio Cellular 1's Ericcson switch
and I tell them by my NAM INfo that I'm a roamer from NYNEX in New York
City. Cleveland will let me make the call, bacause it bills back to NYC
for the number of minutes I use. If the NYC number is bogus , the call
goes thru anyway, and the bill doesn't go anywhere. They do know the
exchange data for NYC (that's on a chart) so you can't tell them a wrong
system number (two digits) but one that a valid roamer would have from
his area. This is not too hard to figure out, call some of their stupid
sales idiots some time and see what they let out of the bag.
The system number for the foreign exchange, NYNEX in Buffalo is 56,
Chicago nonwireline is 01, and Buffalo nonwireline is 03. All wirelines
are even numbers and all nonwirelines are odd. The first three digits
of the mobile number: NYNEX Buffalo 863-XXXX. Buffalo Non-wirelines
are 861-XXXX and 690-XXXX.
You dont have to be a rocket scientist to figure out the local numbers
for your area, again by conning the sales people. Until the CPC's get a
cellular clearinghouse to validate roamers in real time, this method
will work out fine. It will be awhile before it becomes routine to look
up a roamer. There's simply to many to look up every time service is
wanted. And this problem is increasing because of the expanding use of
cellular phones.
If a cellular phone and its antenna happen to fall into your hands, you
could re-nam it as a roamer and when you get it setup, make copies of the
info with different suscriber numbers (the last 4 digits) and make free
calls as long as you can.
THe Novatel series phone a re probaly the best radios to use to shut down
a cell site completely as it has secret codes in the control head that
allow you to bypass conventional switching protocols.
NOTE
I hope that this file has lived up the all the boasting I've put into it.
But if there are any problems with the freqs. or anything you can leave me
mail on the bbs's I've listed. At this time Demon Roach and Nihilism dont
carry my files but you can still leave me mail on those boards!
THE RAVEN
+=======+
=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Thats it for part 1 but look out for part 2!!
Part 2 will cover: What's in a NAM, NAM reprogramming and how to
reprogram the following phones: DIAMONDTEL MESA90X & MESA99X HANDHELD,
GATEWAY CP 900 HANDHELD, GENERAL ELECTRIC MINI II & MINI ,
MITSUBISHI 800 & 900 , MOTOROLA 8000H & ULTRA CLASSIC HANDHELD,
NEC P300 & NEC P9100 , NOVATEL PTR800 & 825 , OKI HANDHELD MODEL #750,
OKI HANDHELD MODEL #900 , PANASONIC EB3500 , COLT TRANSPORTABLE ,
DIAMONDTEL MESA 55 & MESA 95 TRANSPORTABLE , FUJITSU MOBILE PHONE ,
GENERAL ELECTRIC CARFONE XR3000 , GOLDSTAR SERIES 5000 MOBILE ,
MITSUBUSHI 555,560,600 , NEC M3700 SERIES MOBILE , NOKIA LX-11 & M-10 ,
NOVATEL 8305 TRANSPORTABLE CA08 SOFTWARE VERSION , OKI CDL400 ,
PANASONIC EB362 , PANASONIC EB500 OR TP-500 , RADIO SHACK 17-1002 & -1003 ,
AND GE CARFONE MODELS CF-1000, CF-2000 & CF-2500
So look for it at a BBS near you!!
THE RAVEN
+=======+
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
And as for all of you guys that wanted to know how I got money for most of
the thing I have well all I can say is look for me next file:
Check Fraud (ckfraud.txt)
to put it simple $32,000 in one day! And as you know...No BullShit!!
-----------------------------------------------------------------------------
Call the following BBS's to get my files 1st run!:
THE SOURCE (212) PRI-VATE
RIPCO (312) 528-5020
Bliterkrieg (502) 499-8933
The Hawks Nest (201) 347-6969
You can leave me mail on those boards and on the following:
The Demon Roach Underground (806) 794-4362
Nihilism (517-546-0585
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
HIGH TECH HOODS 1992 (c)opyright A-CORP. LATER.......THE RAVEN!
THE HIGH TECH HOODS
& A-CORP PRESENTS...
*%*%*%*%*%*%*%*%*%*%*%*%*%*%*
*% THE ULTIMATE %*
*% CELLULAR PHONE PHREAKS %*
*% MANUAL PART 2 %*
*% %*
*% WRITTEN BY THE RAVEN %*
*% AND INTROSPECT %*
*%*%*%*%*%*%*%*%*%*%*%*%*%*%*
THE RAVEN
+=======+
THANKS TO THE FOLLOWING: PEBBLES, BIT STREAM & THOMAS ICOM
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\//\/\/\/\/\/\/\/\/\/\/\/\
INDEX:
I. WHAT'S IN A NAM
II. NAM/ESN REPROGRAMMING
III. ADVANCED REPROGRAMMING
IV. OBTAINING SYS. REGISTRATION DATA
V. REPROGRAMMING YOUR PHONE
VI. ------------------------
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
I. What's In A NAM
First thing were going to start with is the NAM. The NAM is a PROM, A blank
NAM costs about $5. Sometimes its more expensive depending on the operating
temperature and packaging specifications.
Two flavors of NAM's are most commonly used for cellular phones. NEC Corp.
uses the open collector (SIGNETICS p/n 82S23 or equivalent). All others use
the tri-state (SIGNETICS 82S123 or equivalent). Blank NAMs are manufactured by
Signetics, National Semiconductor, Monolithic Memorys, Fujitsu, Texas Instrum
ents, and Advanced Microdevices. Blank NAMs can be purchased at your local
electronic distributor's, thru the various parts sources advertised in
electronic magazines, and some radios come with a blank included.
The NAM contains the subscriber number and lock code, the home system ID and
other system-required data. You may wonder how this info is arranged. The NAM
is organized into 32 rows and 8 colums. It is 32 words of 8 bits each.
(256 bits total). Starting from top of the NAM (address 00), you will find
the abreviation SIDH. This means "System Identifaction Number Home", a number
starting at 0001 assigned by the FCC. Each market allows two systems. These
two digits are even for the wire-line and odd for the non-wireline.
At address 03, we find LU (Local Use) on the left and MIN on the right, and
they are usually set to 1. Locations with zeros are reserved. Going down the
map, there's MIN1 and MIN2-the subscriber number and the area code respectively
Dont try to read them from a raw printout of the NAM data, as they are
scrambled beyond recognition. The reason? THe way they are arranged is the way
they must be transmitted to the cellular systems receivers. The programmer
does this to make the radio's job easier.
Next is the station class mark, which identifies the class and power
capability of the phone. The system will treat a handheld (low power)
differently than a standard 3-watt mobile.
IPCH is the Inital Paging Channel. The radio listens for a page on this
channel. Wirelines use 334 and non-wirelines use 333.
ACCOLC (ACCess Overload Class) is designed for throwing off customers in the
event of an overload. Thru neglect, this standard has been largly unused.
(A Class 15 stationis supposed to be police, fire or military). Usually, It's
a set to 0 plus the last digit of the phone number to provide random loading.
PS (Preferred System). This is always 1 in a non-wireline and 0 in wireline.
The Lock Code is about the only thing you can read directly by studying NAM
data. The "spare" bit must be a 0 if the radio contains a 3-digit code.
Because the number of clicks when you dial 0 on a (dial) phone equals 10,
zeros in the lock code are represented by an "A"(the hexadecimal equiv of 10).
EE, REP, HA and HF correspond to end-to-end signaling (DTMF tones, possibly
as you talk), and REPeratory dialing (provision for 10 or more numbers in
memory).
Horn Alert and Hands Free. Like all options, they are 1 if turned on and 0 if
turned off (all these numbers are in hex). They are supposed to be used by
radio makers to store option switches. Usually 13 is used, 14 sometimes and
the rest less often.
Last, you will find Cheksum Adjustment and Checksum. These numbers are
calculated automatically after the data has been edited for the NAM. The sum
of all words in the NAM plus these last two must equal a number with 0's in
the last two digits. The radio checks this sum and if it isn't correct the
radio assumes the NAM is bad or tampered with. In the case radio refuses to
operate until a legal NAM is installed.
THE ANATOMY OF A NAM
--------------------
MARK Defin. most <-- BIT Significance --> least Hex
------------------------------------------------------
0 SIDH (14-8) 00
SIDH (7-0) 01
LU=Local use LU 000000 MIN 02
00 MIN2 (33-28) 03
MIN2 (27-24) 0000 04
0000 MIN1 (23-20) 05
MIN1 (19-12) 06
MIN1 (11-4) 07
MIN1 (3-0) 0000 08
0000 SCM (3-0) 09
00000 IPCH (10-8) 0A
IPCH (7-0) 0B
0000 ACCOLC (3-0) 0C
PS=Perf Syst 0000000 PS 0D
0000 GIM (3-0) 0E
LOCK DIGIT 1 LOCK DIGIT 2 0F
LOCK DIGIT 3 LOCK SPARE BITS 10
EE=End/End EE 000000 REP 11
REP=Reprity HA 000000 HF 12
HF=Handsfree Spare Locations (13-1D) 13
HA=Horn Alt contain all 0's 1D
NAM CHECKSUM ADJUST. 1E
NAM CHECKSUM 1F
II. NAM/ESN REPROGRAMMING
The first step to using cellular phones is to obtain one. They can be
purchased new or used. Ham fests are one good source. Many people dump their
cellular phones once they see just how expensive they are to operate. And of
course the perception of being jerked promotes phreaking.
First generation E.F. Johnson units are good choice as they are easy to
modify, use uniquely effective diveristy (dual antenna) receivers, and use the
AMPS control bus, which means that several maker's control heads will work
with it. Another good choice is Novatel's Aurora/150. It uses a proprietary
parallel bus and control head, but costs less, is rugged, and is also easy to
work on. Also, all Novatel CMTs have built-in diagnostics. This allows you to
manually scan all 666 repeater output freqs-great for scanning!
All cellular phones have a unique ESN. This is a 4-byte hex or 11 digit
octal number stored in the ROM soldered on the logic board. Ideally, it's
supposed to be never changed. Some newer cellulars embed the ESN in a
VLSI IC (Very Large Scale Integration Integrated Circuit) along with the units
program code. This makes ESN mods very difficult at best. The ESN is also
imprinted on the reciever boiler plate, usually mounted on the outside of the
housing. When converted to octal (11 digits), the first 3 digits represents
the maker while the other 8 identify the unit.
The other important ROM is the NAM. It contains the MIN (i.e. phone #,
including area code), the lock code, and various model ID and carrier ID
codes.
The lock code keeps unauthorized parties from using the phone. Some newer
cellulars have no built in NAM and instead use an EEPROM, which allows a
technician who knows the maintenance code to quickly change the NAM data thru
the control head keypad.
WHen one attempts to make a cellular call, the transceiver first automatically
transmits the ESN and NAM data to the nearest cellsite reapeter by means of
the Overhead Data Stream (ODS). The ODS is a 10 kilobaud data channel that
links the cellular's computer to the MTSO, which then controls the phone's
entire operation down to the selected channel and output power. If the MTSO
doesn't recognize the received ESN/MIN pair as valid (sometimes due to RF
noise), it issues a repeat order and will not process the call unit until a
valid pair is received.
In most cities, there are two CPCs or "carries". One is the wireline CPC and
the other is the non-wireline CPC. Both maintain their own MTSO and network
(i.e: cell-site repeaters), and occupy separate halves of the cellular radio
band. Non-wirelines use System A, and wirelines use System B. (the amenities
that are avaible with most landline phone service - call waiting, caller ID,
call-forwarding, 3-way calling,etc., are standard fair for most CPCs. However,
they are usually applied for differently.)
For the cellular phreaker, the most diffuclt task is obtaining usable ESN/MIN
pairs. Over the years,standard phreaker techniques have been employed for all
types of phreaking to obtain the required info. These includes trashing,
using inside help,joining the staff,hacking them from known good ESNs and
MINs (i.e: spoofing), con strategis, strong-arming, Bribing, blackmail, etc.
(This is how The High Tech Hoods get them!).
The hacker knows that most CPCs do not turn off or keep track of unused MIN
numbers. In fact, their general pattern is to start at the low numbers and
work their way up. WHen a number is cancelled, it is reassigned instead of
using a larger number.
The first places to look is the authorized cellular installers and service
centers in your area (see your Yellow Pages). They have on file a record of
every cellular phone installed or serviced by them, including the ESN/MIN
pairs. Another place to focus on is the cellular CPC's customer service or
billing department. These offices contain the ESN/MIN pairs often for
thousands of cellular phones, and hire low-paid people. Some cellular CPCs,
installers and service centers will provide NAM system parameters upon
request, and some will sell you NAM and ESN memory maps and schematics of a
specific cellular phone model. And some will sell you service manuals
(i.e: Motorola) that will describe the often easy method to program their
cellular phones.
The good phreak/hacker could interface the cellular phone's ADC circuit to
his PC and hack out all of the valid ESN/MIN pairs he could possibly need.
Since the ESN/MIN pair are transmitted from cellular phones (usually in an
unencrypted form), these pairs can be obtained simply by scanning the cellular
phone channels. Even if they are encrypted, the phreaker only will need to
reproduce the encrypted pair. In some areas, you can buy the ROMs right off
the street - often by the same dealers who sell drugs and stolen property,
etc. All it takes is a few discreet inquires. However, many get caught
doing this because of police stings.
Once a valid ESN/MIN is obtained, it must be programed into the cellular
phone's ROM. Some cellular makers use different devices and memory maps, but
the standard is the AMPS 16-pin 32x8 bit format and some ROMs have proprietary
markings.
If the part number are different than those given and you can't find them in
your data book, look for the IC maker's logo and call or write them for data
sheets. If the IC's have proprietary markings, by looking at the external
parts that are directly wired to them, one can often determine not only
whether the IC is open-collector or tri-state, but also what the pin assingn-
ments are, and sometimes the type of replacement IC to use.
The ESN ROM is then carefully desoldered from the logic board (first ground
the soldering tip thru a 1 Meg-ohm resistor). Once, removed the IC can then be
placed on a ROM reader/programmer or NAM programmer (bit editing mode). Any
ROM reader/programmer that will burn a compatible ROM is usable, but a
dedicated NAM programmer has built-in software that takes out much of the
aggravation. Using a non-NAM ROM reader/programmer, one searches for the memory
locations that has the same number as ESN printed on the boiler plate. This
number will be immediatly followed by an 8-bit checksum determined by the 8
least significant bits of the hex sum of the ESNs four bytes.
The old ESN data (now copied into the NAM programmer's RAM) is replaced by the
new ESN and the updated checksum. A new blank and compatible ROM is inserted
into the ROM burner and burned with the new ESN data. Most cellular phreakers
at this point install a Zero Insertion Force (ZIF) DIP socket into the logic
board for this and any future ROM changes.
The NAM IC is usually already installed in a ZIF socket on the logic board.
Similarly, its MIN is read by the ROM reader/programmer and a new ROM is
burned with the new MIN and updated MIN checksum. Altho one may wish to also
update the CPC's system parameters, they can left the same if the same CPC
is desired. To change the CPC'c designation, the last four MIN digits, the
checksum and the exchange (if they use more than one exchange) are changed.
The more astute cellular phreaker of course can design and build his own NAM
programmer/reader, ideally one interfaced to a PC. A more primitive approach
is to interface two banks of hex thumbwheel switches to the sockets, altho
a computer program would be very helpful to determine the proper switch
settings. Thumbwheel switches allow you to make changes on the fly and they
can be plugged in as needed, so if one is caught red-handed, it is difficult
to prove intent and origin of phone call.
III. ADVANCED REPROGRAMMING
Your cellular phone contains a special memory which retains data about the
phone's individual characteristics, such as its assigned phone number, system
identification number, (ID#) and other data that is necessary for cellular
operation. This special memory is known as the NAM. You can program the phone
yourself, if the phone has not already been programmed where you got it. You
can also reprogram the phone yourself should you wish to change some of the
features already selected for the NAM.
The reprogramming of the NAM is performed after you have contacted your
cellular system operator for the nessary data as described below. Enter the
data received from your cellular system operator in the NAM Reprogramming
Data Table before reprogramming the NAM of your cellular phone. Incorrect
NAM entries can cause your cellular phone to operate improperaly or not at
all. Your cellular phone can be reprogrammed up to three times. After that,
it must be reset at a Motorola-authorized service facility.
Be sure you read this complete text before attempting to reprogram your
phone!
1. RE-PROGRAMMING FEATURES
You must get seven pieces of data from the cellular system operator to
allow you to reprogram the cellular phone. You provide the remaining data.
Write all of this programming data on the NAM Reprogramming Data Table
provided in this text before implementing this procedure. Incorrect NAM
entries can cause your cellular phone to operate improperly or not at all.
The required data is:
* System Identification (SID) Code (S-digits): Indicates youe home system
Enter 0's into the left-most unsued positions. Provided by the system
operator.
* Cellular Phone Number (10 digits): Used in the same manner as a standard
land-line phone. The mobile phone number and the Electric Serial Number
are checked against each other by the cellular system each time a call
is placed or recieved. Provided to you by the system operator.
* Station Class Code (2 digits): This number is 06 or 14 for most personal
or portable phones. Even though your phone has extended bandwith
capability (832 channel capacity), the cellular system operator may
require your station class code to remain 06. The code should be 14 if
832 channel operation is allowed.
* Access Overload Class (2 digits): Provided to you by the system operator.
* Group ID Mark (2 digits): Provided to you by the system operator.
* Security Code (6 digits): The six-digit security code allows the user to
restrict his calls in certain ways and permits other advanced security
measures. Refer to your phones operator manual for further details.
Select any 6-digit code that you will remember, but one that will not be
easily guessed.
* Unlock Code (3-digits): The 3-digit unlock code unlocks the phone after
it has been locked. LOcking the phone allows you to prevent unauthorized
usage. With many models, this number can be resued as often as desired.
Check the users manual. Select any convenient 3-digit number.
* Initial Paging Channel (4 digits): Use a leading 0 if required.
(example: Channel 334 is entered as 0334.) Provided to you by the
system operator.
* Option Bits (6 digits): This reprogramming step allows you to program
six seperate features in one step. Each feature is either selected or
cancelled by assigning a value of 1 or 0. The six individual single-
digit features combine to form a six-digit code which is entered as one
step. If any of the features is to be changed , the entire six-bit word
must be re-entered.
DIGIT #1: Internal Speaker: This feature is normally selected by
entering 0. However, if you purchased the convertible
Accessory and it contains a seperate external/VSP unit,
cancel the internal speaker feature by reprogramming 1.
DIGIT #2: Local Use: This feature is normally selected by entering 1.
Your system operator can tell you if you need to cancel
this feature by reprogramming 0.
DIGIT #3: MIN Mark: This feature is normally not used and is assigned
a value of 0. To select use 1.
DIGIT #4: Auto Recall: This feature is always 1.
DIGIT #5: 2nd Phone Number: This feature is usually not used and
assigned a value of 0.
DIGIT #6: Diversity: This feature is always set at 0 for the portable/
personal phone used alone. If you have a convertible
accessory, and it has two external antennas, select this
feature by reprogramming 1.
* Option Bits (3 digits): This step allows you to reprogram an additional
three separate features in one step. Each feature is either selected or
cancelled with the digit 1 or 0. The three individual single-digit
features combine to form a three-digit code which is entered as one
step. If any of the features is to be changed the entire three-bit word
must be reentered.
DIGIT #1: Long Tone DTMF: Certian electronic devices such as answering
machines, are are not able to decode the normal DTMF tones
because the phone standard duration is too short. The Long
Tone DTMF allows access to answer machines and other similar
devices by transmitting the DTMF tone for as long as the key
is depressed. This feature is normally not used and is
assigned a value of 0. However you can select long tone DTMF
by reprogramminng 1.
NOTE: Personal or portable models with a MENU key can more flexibly
select and cancel this feature thru the menu. To allow Menu
control of the function it must be cancelled in the NAM by
setting this bit to 0. If Long Tone DTMF is selected in the
NAM with a 1 in this bit, it cannot be reversed thru the menu.
DIGIT #2: Future use: This feature is always set at 0.
DIGIT #3: Eight-Hour Timeout (Convertible only): Personal or portable
phones with the convertible accessory can normally be left
active in the vehicle for eight hours with the ignation cut
off. If the time out feature is selected the phone will turn
itself off after eight hours to preserve the vehicle's
battery. This feature is normally selected by entering 0.
However, you can cancel this eight-hour time limit by
entering 1.
IV. OBTAINING SYS. REGISTRATION DATA
A cellular phone owner purchases services from a cellular system operator,
just as he would purchase land-line service (for standard phones) from the
local phone company. In cities with cellular coverage, the customer may have
the option of picking one or two possible cellular system operators.
Before you can obtain a phone number you will have to supply your cellular
system operator with your electronic serial number. All cellular phones
contain a special Electronic Serial Number (ESN). The ESN uniquely identifies
your phone and provides a measure of protection against theft and fraud. The
ESN is an eight-charcter (numeric/hexadecimal) number printed on the box
your phone came in. Once you supply your electronic serial number to the
system operator he or she will issue your phone number and supply the other
data required to reprogram the NAM. You should immediately enter this data
on the NAM Programming Data Table found in this text.
V. REPROGRAMMING YOUR PHONE
************************
Determinig the initial Reprogramming Sequence:
The initial reprogramming steps include a sequence of keypresses which vary
depending on the type of cellular phone you have. The phone NAM can be
reprogrammed from the personal or portable keypad. Determine from the
Six-Keystroke table below which of the six keystroke sequence numbers to
use on your phone, based on the type of keys present on the keypad.
SIX-KEYSTROKE TABLE
Determining the sequence Number with Personal/Portable Keypad
PERSONAL/PORTABLE KEYPAD KEYS SEQUENCE
======================================
MENU AND FCN keys 6
FCN key but no MENU key 1
No FCN key 2
If you have the convertible accessory, the phone NAM must reprogrammed from
the convertible handset. (MAke sure that the personal phone is disconnected
from the convertible accessory before reprogramming the convertible.) The
handset type can be read from the label on the back of the handset. The
keystroke sequence number is determinded from the KEYSTROKE SEQUENCE TABLE.
If you have the convertible accessory, and wish to use it seperately as a
atandalone mobile, you may obtain an additional phone number and reprogram
this into the convertible accessory at this time.
KEYSTROKE SEQUENCE TABLE
########################
Determining the sequence Number with Convertible Handset
MODEL HANDSET TYPE SEQ.
----- ------------ ----
3000 SCN2007A 6
6000 SCN2023A 2
6000X SLN2020A 1
6000XL TLN2659A 1
6800XL TLN2733A 6
Choose one of the six initial reprogramming sequences from the Initial
Sequence Table depending on the sequence number which you determined from
previous tables in this file.
Initial Reprogram Sequence Table
++++++++++++++++++++++++++++++++
Seq. # Sequence
1 FCN, Security Code entered twice, RCL
2 STO, #, Security Code entered twice, RCL
3 Ctl, 0 + Security Code entered twice, RCL
4 Ctl, 0 + Security Code entered twice, *
5 FCN, 0 + Security Code entered twice, MEM
6 FCN, 0 + Security Code entered twice, RCL
Security code is factory-programmed 000000.
Initial Steps: Before you proceed with the reprogramming procedure, be sure
you have filled out the NAM Reprogramming Data Table herin:
Step a: Turn on your cellular phone by pressing the Pwr or On/Off
button. The power indicator in the display will flash.
Step b: Enter the proper keystroke sequence determined from the
Initial Sequence Table.
Step c: The message, "01", will appear in the display to confirm the
activaction of the NAM reprogramming feature. It also
indicates that you are at the first step in the NAM
reprogramming sequence. If this message does not appear, it
may be due to one of these reasons:
(1) The initial sequence may not have been entered quickly enough. The
apperence of zeros in the display will indicate this. Press Clr and Try again.
(2) The six digit Security Code may have previously been reprogrammed into
your cellular phone. If this happens to be the case, you must re-enter the
activation sequence using the assigned security code.
(3) The maximum number of times that your cellular phone can be reprogrammed
from the keypad may have been reached.
(4) The ability for your cellular phone to be reprogrammed from the keypad
may have been disabled or cancelled.
REPROGRAMMING PROCEDURE: Reprogramming for a single phone number can be as
quick as a four-step process or may take up to 11 steps, depending on how
many programable features you wish to review or change. The phone always has
some data programed for each of the features, whether that data is standard
programming performed at the factory or data provided by someone who
programmed the unit previously. If, while you are reprogramming, you are
satisfied with the value already programmed for a particular feature, simply
press * to move to the next feature. To perform the following steps, it is
nessary for you to refer to the completed NAM Reprogramming Data Table. If
you enter a digit incorrectly, press the Clr button to start again.
REVIEWING of NAM REPROGRAMMING: Once you have completed the reprogramming
steps, review the data by repeatedly pressing *. Check to make sure that the
data reprogrammed matches what you wrote in the NAM Reprogramming Data Table.
Make any required changes.
STORING the DATA: If you are reprogramming a single phone number, press SND
to store the programming data when you are satisfied that it is all correct.
A two-digit step number (01-11) must appear in the display in order for you
to store the data. Press * until one appears and then press SND. Your
personal or portable cellular phone is now ready for normal use, if you are
reprogramming a single phone number.
REPROGRAMMING the Second Phone #: If "012" appears in the display after you
have pressed SND to store the programming data for the first phone number,
you are ready to repeat some or all of the ten steps, this time for a second
phone number. The 01 indicates that you are ready to enter the System ID
data (step 1) and the 2 indicates that you are reprogramming data for the
second phone number. The phone assigns the same security and lock codes
(steps 7 and 8) for the second phone number and as so skips from step 6 to
step 9. There is no step 11 when reprogramming a second number.
If "01 2" did not appear after reprogramming the first phone number, and
you wish to reprogram a second number, either the second phone option has not
been selected (step 10) or your phone is not equipped for dual system
operation. Once you have completed the reprogramming steps, review the data
by repeatly pressing *. Check to make sure that the data programmed matches
what you wrote in the NAM reprogramming Data Table. Make any required changes
Press SND to store the programming data when you are happy that it's all
correct. (A two-digit step number (01-10) must appear in the dispaly.)
Your personal or portable cellular phone is now ready for normal use.
NAM REPROGRAMMING DATA TABLE
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
STEP DESCRIPTION # OF DIGITS SOURCE
---------------------------------------------------------------------------
01 System ID # 5 Digits Sys Op
02 Cellular Area Code 3 Digits Sys Op
03 Cellular Phone # 7 Digits Sys Op
04 Station Class Mark 2 Digits Sys Op
(Usually 14 for 832 chan., 12 for standalone mobile)
05 Access Overld Class 2 Digits Sys Op
06 Group ID Mark 2 Digits Sys Op
07 6-Digit Secur. Code 6 Digits Phone Owner
08 3-Digit Unlock Code 3 Digits Phone Owner
09 Initial Paging Chan. 4 Digits Sys Op
(Usually 0333 or 0334)
10 Option Programming 6 Digits
/--------------------Handset Internal 1 Dgit Phone Owner
Speaker disable
If your install, has a seperate
External Spkr/VSP unit
The handset internal speaker
must be disabled.
1 = disabled, 0 = enabled.
This bit normally enabled.
/--------------------Local Use 1 Digit Sys Op
(Normally enabled
1=enabled & 0=disabled)
/--------------------MIN Mark 1 Digit Sys Op
normally disabled
1=Enabled, 0=disabled
/--------------------Auto Recall 1 Digit Always 1
/--------------------2nd Phone # 1 Digit Phone Owner
normally disabled
1=Enabled & 0=Disabled
/-------------------Diversity 1 Digit
(based on the # of antenna ports
on your cellular phone
0 = standard 1 Ant. & 1 = Optional 2 ant.
=====================Optional programming data entry
11 Option Programming 3 Digits (Cont'd)
/--------------------Long Tone DTMF 1 Digit Phone Owner
(normally disabled)
1 = Enabled & 0 = Disabled
/--------------------For future use 1 Digit Always 0
/--------------------Eight-Hr. Timeout 1 Digit Phone Owner
(normally enabled)
1 = Disabled & 0 = Enabled
======================Optional Programming Data Entry
Step number - This number is the message that appears in the display during
reprogramming.
NAM REPROGRAMMING STEPS
-----------------------
step Keypad Entry Display Comments
------ -------------- ------------- -----------------------------
01 Ready for step 1
1a * Current System ID Factory Setting 000000
1b New Sy. ID XXXXXXX New system ID
1c * 02 Ready for step 2
2a * Curr. Area Code Factory set at 111
2b New Area Code XXX New Area Code
2c * 03 Ready for step 3
3a * Cur. Phone # Factory Setting 1110111
3b New Phone # XXXXXXX New Phone #
3c * 04 Ready for step 4
4a * Cur. Station Factory Setting 0/14 for
Class Mark portable/personal or 12
for standalone Mobile.
4b New Station XX New Station
Class Mark Class Mark
4c * 05 Ready for step 5
5a * Cur. Access Cur. Access
Overload Class Overload Class
5b New Access XX New Access
Overload Class Overload Class
5c * 06 Ready for step 6
6a * Curr. Group ID Factory set at 00
6b New Group ID XX New Group ID
6c * 07 Ready for step 7
7a * Current Sec. Code Factory set at 000000
7b New Security Code XXXXXX
7c * 08 Ready for step 8
8a * Current Unlock Code setting at 123
8b New Unlock Code XXX New Unlock Code
8c * 09 Ready for step 9
9a * Current Initial Factory Setting 123
0334 PAGING CHANNEL
9b New Initial XXXXXX New Initial
Paging Channel Paging Channel
9c * 10 Ready for step 10
10a * Cur. Options Factory Setting 010100
10b New Options XXXXXX New Options
10c * 11 Ready for step 11
11a * Cur. Options Factory Set. 000
11b New Option XXX New Options
11c * 01 or 01 2 Ready for Review
to program.
or
Second Phone Number
============================================================================
Now That conclude Part 2, Part 3 will the instructions for NAM reprogramming
for all the phones I listed in part 1. If you have any questions or comments
you can leave me mail on one of the following bbs's that I have listed below.
THE RAVEN
+=======+
The following is a list of BBS's that recieve my files 1st run in order:
Installition Five (???) PRI-VATE NUP>KNOWLEDGE
BlitzKreig BBS (502) 499-8933 NUP>COLUMBIAN COKE
The Ripco BBS (312) 528-5026
The Hawks Nest (201) 347-6969

Reference in New Issue View Git Blame Copy Permalink