informis/textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/phreak/CELLULAR/primer.txt
root@procul 278a90f7ce Initial commit
2021-04-15 13:31:59 -05:00

1329 lines
65 KiB
Plaintext
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

The following file is a verbatim transcript of an article by the
same name appearing in the November, 1992 issue of NUTS & VOLTS Magazine.
Copyright (c) 1992 Damien Thorn and T & L Publications. Permission is
granted to freely distribute this file in unmodified form. Identifying
board headers may be added as desired.
A CELLULAR COMMUNICATIONS PRIMER
By Damien Thorn
INTRODUCTION
The specific technologies involved in the cellular network are
highly complex, comprised of a vast array of computers, control equipment,
transceivers, multiplexers, switching equipment, etc. The theory and
principals of operation which we'll cover here are much easier to
comprehend. With this article you'll learn the basics, and how you can
profit from that understanding. Next month I'll show you how to reprogram
a cellular phone through the keypad.
Cellular telephones are viewed by most users as simply another phone,
albeit cordless. A cellular mobile telephone (CMT) emulates a landline set
so credibly that the deepest technical concern for most people is
remembering how to make the phone dial a frequently called number stored in
memory. The comfort and familiarity of the phones are by design, I'm sure.
To a public that has difficulty programming a VCR, the reality of cellular
technology would be overwhelming and perhaps somewhat frightening.
Cellular phones are little more than low power transceivers capable of
transmitting and receiving a total of 666 or 832 frequencies, depending on
the model. They operate in a full-duplex mode, transmitting the mobile
side of the conversation on one frequency while simultaneously receiving
the other side from the cell site on a different frequency. A basic
multi-channel two-way radio under the control of some powerful software.
The network itself is where the engineering genius becomes apparent.
OVERVIEW OF NETWORK ARCHITECTURE
The cellular network consists of a honeycomb of transceiver sites (towers),
each capable of handling up to about 40 separate cellular calls. Each site
has an effective range of 3-5 miles. The term "cell" is derived from the
size and shape of the site's coverage pattern, and the arrangement of the
cell sites. The various sites in each city are all linked together through
the mobile telephone switching office (MTSO). The MTSO not only
coordinates the use of the radio spectrum, but utilizes computers to
authenticate a subscriber's phone before making the connection and
maintains billing records. The MTSO also serves as the interface point
with the landline telephone company for cellular calls. As you drive
through town the MTSO monitors the relative signal strength of the
transmission from your phone. When the signal strength becomes higher in
any cell other than the one handling your call, the MTSO uses a frequency
known as a control channel to transmit data to your phone telling it to
switch frequencies and lock into another cell. This "hand off" from one
cell to another happens so quickly that most people never notice the
transition from one frequency or cell site to the next. This is noteworthy
because the hand off required your phone to change transmit and receive
frequencies, while the cellular network not only reestablished radio
contact with you on another transceiver, but rerouted the landline audio to
that cell site as well.
The cell site is generally located in the center of the cell. This is
where the antennas, transceivers and control equipment are located that
serve that cell. Due to the limited coverage area of the cell, these cell
sites are located a maximum of ten miles from each other to provide
uninterrupted coverage without "dead spots" - areas where your phone cannot
operate because you're out of range of a cell.
Since most markets are served by two cellular service providers who do not
share cell sites, there are actually twice as many cells (and cell sites)
than would be required for one provider to supply service. In the past
I've worked at radio station transmitter sites that leased tower space to
cellular companies, but I never realized how prolific these cell sites were
until I studied the technology and looked closely at the antennas around
me. Where ever your phone works, you're within three to five (line of
sight) miles of a at least two sites, and probably more since coverage
areas overlap. The adjacent cells never share common frequencies to avoid
interference.
Cellular sites come in different forms. In congested metropolitan areas
the transceiver sites may be located on taller buildings. In other areas
they are located on stand alone towers. Towers can either be built by the
cellular carrier for their exclusive use, or the cellular antenna array can
share a common tower (an "antenna farm") with other radio and broadcast
services.
No matter where the antennas are located, they can be recognized easily by
their unique three- sided configuration. Refer to the accompanying photos
for examples of two common types of cellular arrays. When I asked both
cellular carriers based in Sacramento to disclose the location of their
cell sites in my area, they refused. The customer relations
representatives indicated the information was confidential - almost a trade
secret. I left voice mail messages with their engineers describing the
information I wanted. Neither even returned my call.
The implications of this guarded attitude are interesting, and more than a
bit disconcerting. Fortunately the FCC maintains public records on all
transmitter licensees, and the California Public Utilities Commission
(CPUC) requires cellular companies to file abstracts with them
containing the information I wanted. The CPUC even told me the name of the
person who would be available to help me dig through the abstracts and make
photocopies. I didn't bother, but it was nice to see my tax dollars at
work for my benefit.
OPERATING FREQUENCIES
The frequency spectrum allocated by the FCC used by the phone to transmit
voice and data to the cell site is 824.000 - 849.000 Mhz. The tower
transmits to the phone on a spectrum of the same size from 869.000 to
894.000 Mhz. The cellular frequencies are narrow band FM, all spaced 30
Khz apart, so determining every specific frequency is a matter of simple
addition.
For example, knowing the lowest frequency used by a cell site is 869.000
Mhz, simply increment upward in 30 Khz steps: 869.030, 869.060, 869.090,
869.120, etc. The frequencies used by the phone for transmission to the
tower increment upward the same way from 824.000 Mhz.
The frequencies are paired so that the phone is always transmitting to the
tower on a frequency exactly 45 Mhz lower than the frequency the tower is
using. If the landline (base) side of the call is transmitted to the phone
on 887.940 Mhz, then the phone is simultaneously transmitting the mobile
side of the call back to the cell site on 842.940 Mhz.
Cell sites generally transmit the mobile side of the call at reduced gain
back to the cellular phone along with the audio from the landline side of
the call. This can be intentional, as in the "side tone" present in a
standard landline telephone receiver, or the result of poor nulling where
the cellular network interfaces with the Telco lines. This means anyone
with a receiver or scanner capable of tuning the upper frequency in the
pair can monitor both sides of the conversation. It is illegal to do so,
however.
CELLULAR COMMUNICATIONS PRIVACY
To calm fears that cellular calls were not private, the cellular
industry lobbied congress into passing legislation known today as the
Electronic Communication Privacy Act (ECPA) of 1986 which makes it a crime
to monitor cellular phone calls and a host of other transmissions like
digital pagers. This law is used by cellular equipment dealers and service
providers to reassure customers that their conversations will remain
private.
A person using a cellular phone is broadcasting his private conversation on
airwaves owned by the general public. These radio signals permeate our
homes, bodies, and scanning receivers. Yet so complete is the cellular
transceiver's emulation of an actual telephone that the general public
not only expects privacy, but feels confident that the call is secure.
Nobody could possibly be sitting in the privacy of their living room
monitoring the conversation. That would be a Federal crime. The ECPA has
been described as a "toothless tiger" as it is virtually unenforceable. A
growing number of scanner enthusiasts are monitoring cellular calls rather
than the local fire department because it is much more entertaining. The
ECPA is ignored by the public and law enforcement alike, just like the laws
remaining on the books that make it illegal to work on Sunday.
The bottom line is that it is up to you and I to ensure the privacy of our
cellular calls. If you don't want to use a scrambling system, simply don't
talk about anything on a cellular phone that you wouldn't discuss using
your rig on the amateur bands.
TELEPHONE CONTROL DATA
With this simplified overview of the cellular network under your belt,
let's dig a little deeper into the data exchanged by the cellular carrier
and your phone. Obviously there is more information being sent by your
phone to the cellular company than your conversation. The service provider
needs to identify your physical phone, cellular phone number, etc. This is
accomplished via data transmitted by your phone on a frequency set aside
as a "data channel" in each cell every time you turn it on or use it.
Your phone transmits six pieces of information to the cellular provider.
One is the Electronic Serial Number (ESN) of your phone.
Every cellular phone is assigned an ESN when manufactured. This ESN
consists of numerical data which identify the manufacturer of the phone as
well as the actual unique serial number of the specific phone. The ESN is
an eleven digit (decimal) number which has been burned into a PROM chip
permanently installed in the phone. Like the Vehicle ID Number (VIN) on
your car, it is not designed to be removed or modified, although hackers
occasionally do in order to circumvent billing procedures (see sidebar).
One other item transmitted is your Mobile Identification Number (MIN) which
is the actual ten digit area code and telephone number assigned to your
phone. The remainder are numerical codes used by the cell site to identify
things like your class of service and the specific capabilities of your
phone hardware. This data is supplied when you activate service with the
carrier.
The ESN and MIN are matched and checked by computer against a database each
time you use the phone to ensure that you are a valid subscriber, or
roaming from a system the carrier can bill for your calls.
All of this information (except the ESN) is provided by the cellular
carrier and programmed into your phone when you subscribed to their
service. The vast majority of cellular phones manufactured today are
reprogrammable through the handset. This means that you can change
(reprogram) this information yourself without costly programming
devices simply by entering the proper keystrokes on the telephone handset,
and punching in the data.
This knowledge opens up a number of possibilities. If you activate or
change your cellular service, you can program the phone yourself with data
supplied by the cellular carrier and save paying any type of reprogramming
fee. If you're looking to acquire equipment, you can canvass flea markets,
swap meets and the pages of classified ad magazines such as Nuts & Volts
for great deals on used phones. Not only will you enjoy savings on the
hardware, but you'll only need to pay the cellular company to activate
service, since you can program the phone yourself.
In my article next month in Nuts & Volts I'll explain all the data
programmed into a phone, explain what it means, and lead you step by step
through the handset programming of a popular phone. This information is an
important reference for those who may just want to do something simple like
change the unlock code on the phone. We'll also take a look at the
publications available through Nuts & Volts advertisers that explain
cellular telephone reprogramming and modification in depth.
*****************************************************************
BUYING USED CELLULAR GEAR
A FEW CAVEATS
When shopping the classifieds, flea markets and electronics swap
meets for great deals on used cellular telephones, keep the following points in mind
to avoid getting "burned."
Cellular phones are a major target of theft in some cities. They
appeal to criminals such as drug dealers because they allow anonymous and
virtually untraceable communication from a vehicle or street corner. The
phone is discarded as useless when the service is disconnected, and such
units may unwittingly be resold with other used equipment. There is no
real way to discern this other than to phone your local cellular service
provider to see if the phone's ESN is flagged in their computer as having
been stolen.
The other type of phone to avoid is one that has been physically modified.
Hackers have been known to replace the factory PROM chip containing the ESN
with a custom burned chip, thus changing the ESN. If this is done for the
purpose of fraudulently making free calls, the ESN chip must be changed
periodically as the cellular carrier discovers the fraud associated with
that ESN.
Detection of this type of modification is easy. Cellular manufacturers as
a rule do NOT use a socket to hold the ESN chip. The PROM is usually not
only soldered to the board, but sealed in epoxy or "air welded" to the
circuit board to discourage this type of modification. An IC socket is
usually installed by the hacker to facilitate easy insertion of updated
PROM as necessary.
No reputable service center will repair a phone if it appears someone has
tampered with the ESN, and might call the police if presented with such a
phone.
The vast majority of equipment you'll find on the open market is genuine
surplus or used merchandise. With the above information in mind you can
examine the phone and be confident about your decision to make a purchase.
*****************************************************************
CELLULAR TELEPHONE PROGRAMMING
Focusing on Fundamentals
By Damien Thorn
The ever-increasing use of cellular telephones has created a market for
people with the skills to install and program them. Installation is no
more difficult than installing a CB radio, and programming is accomplished
by entering data via the keypad on the phone. Whether you want to
completely reprogram a new or used phone, or simply change your unlock
code, there is no reason to pay a dealer to do it when you can do it
yourself in a matter of minutes.
In the early days of cellular technology, an external device such as a
"programming handset" or ROM programmer was required to "burn" the mobile
telephone number and service information into the phone. Today's cellular
phones incorporate resident software that allows you to key in the required
information on the phone itself. When you are finished and satisfied
you've entered the correct data, the phone burns it to non-volatile memory
with the push of a button.
To understand why the simple process of programming a cellular phone seems
to be an industry secret, you need to understand that it is a lucrative
service offered by cellular dealers. There is no profit to be made selling
the phone hardware. Most dealers sell at close to cost just to remain
competitive. The real profits are derived from commissions received from
the cellular carriers (service providers) for getting customers to sign up
with them.
Due to the widespread use of surface mount technology within the phone,
service centers almost always return them to the manufacturer for repair.
Fortunately for these dealers, most service problems are external,
involving the antenna, connectors, cables or a need for reprogramming.
These are all relatively simple matters that can quickly be diagnosed and
repaired in the shop, thus generating income. Aside from the Federal and
State regulations governing the sales and service of cellular equipment
(because it is a transmitter), only basic electronics skills and minimal
equipment are required to begin such a business.
INTRODUCTION TO CELLULAR PROGRAMMING
The purpose of this article is to present the fundamentals of cellular
programming. I've also included brief reviews and sources of publications
that are essential to anyone interested in pursuing cellular programming as
a hobby or profession. The basic principals of programming are the same
from phone to phone. Each manufacturer (or model),however, has a unique
sequence of key strokes to access the programming mode as well as a few
other programming quirks. If you plan to work with more than one brand of
phone, a publication containing programming tables (or "templates") is a
must.
The phone used for this article is a common Motorola transportable "bag
phone." One reason for selecting this phone is because I own one. The
other is because Motorola is the most prolific manufacturer of cellular
phones. Also, the "universal" nature of the Motorola programming
instruction set used as an example can be used on most of their phones as
presented herein.
Not only do they make gear bearing the Motorola brand name, they custom
manufacture phones for a variety of other vendors. Some examples include
the brand names Ambassador, America Series, Dynasty, Modar, Nautilus,
Pulsar, Tracer, Blaupunkt, Nissan Infiniti, Toyota LEXUS, and models for
AUDI and Ford.
PRELUDE TO PROGRAMMING
Before you even begin to program a phone, you need to obtain the required
data. If you just want to change your unlock code, then you need to make
up a convenient three-digit number. Activating service on a used phone
requires you to obtain certain information from the cellular carrier
providing you with service. Here is a description of the data you will
need:
01) System Identification Number (SID): A five digit number that has been
assigned to identify the particular cellular carrier from whom you are
obtaining service. This number identifies your "home" system.
02) Area Code of Mobile Identification Number (MIN): Simply the area code
of your cellular telephone number. MIN is the "official" term for the
phone number assigned to you by the cellular company.
03) Mobile Identification Number (MIN): The MIN is the actual seven digit
cellular telephone number assigned by the cellular carrier exclusively to
your phone.
04) Station Class Mark (SCM): A two-digit number that identifies certain
capabilities of your phone. How the cellular network handles your call is
based on these digits. The SCM tells the system whether your phone
transmits at standard power levels or low power levels, if it can utilize
the full 832 channels or only the original 666 frequencies. The last
attribute identified is whether your phone employs voice-activated
transmission (VOX).
A phone without VOX is continuously transmitting a carrier back to the cell
site the entire time your call is in progress. The VOX operation used in
smaller phones allows the phone to transmit only while you are actually
talking. This reduces battery drain and enables handheld phones to operate
longer on a smaller battery than would be possible without VOX.
To determine the proper SCM for your phone, examine Table 1 and use the
code that matches the presence (or absence) of each of the attributes
described above.
05) Access Overload Class (AOLC or ACCOLC): A two-digit number used to
arbitrate who gets dropped from the system (or refused access) when there
are more calls in a cell than can be handled at one time. This feature is
allegedly disabled in most systems and no preferential treatment is shown
to any particular ACCOLC.
06) Group Identification Mark (GIM): The Group ID Mark is a two-digit
number used by cellular sites other than your home system to determine if
you should be allowed access to the system on "roam" status. This feature
is not yet fully implemented.
07) Security Code: This six-digit number is used to prevent unauthorized
or accidental alteration of the data programmed in the phone. The factory
default is 000000.
08) Unlock Code: This is a three-digit number required to unlock the
phone when you have electronically locked it to prevent unauthorized use.
The factory default is "123", however many cellular programmers change it
to match the last three digits of your MIN (phone number).
09) Initial Paging Channel (IPCH): This is the channel number used by the
cellular provider to "page" the phones in use on the system. The term
"paging" refers to notifying a particular phone that it has an incoming
call. All idle phones on a system monitor the data stream on the
IPCH. Non-wireline cellular carriers use channel 0333 as the IPCH, while
wireline providers (operated by a telephone company) utilize channel 0334.
10) Options programming byte A
11) Options programming byte B
The options bytes are six and three-digit binary numbers used to enable or
disable certain options on the phone. Each digit is either a "1" or "0".
Options byte A consists of six bits. We'll label them "ABCDEF" for our
purposes, where each letter represents a bit set to "1" or "0". Here is
what each bit controls:
Bit "A" - Handset internal speaker: A "1" in this position disables the
internal speaker of your handset to facilitate the use of an external
speaker/microphone combination. This bit is set to "0" in a normal
installation to allow normal operation of the handset speaker.
Bit "B" - Local Use bit provided for certain cellular carrier system
requirements. This is normally enabled with a "1".
Bit "C" - MIN mark bit: Usually disabled with a "0" in this field.
Bit "D" - Auto recall: The auto recall function is always enabled with a
"1" in this position.
Bit "E" - Second phone number: If the phone has a dual system registration
capability, and you are in fact registered with two different cellular
carriers, the function is enabled with a "1" in this field. A "0" in this
position indicates the standard cellular configuration having just one
telephone number.
Bit "F" - Diversity: This bit is used to enable diversity if your
telephone is equipped with two antenna connections (ports). If your phone
uses just one antenna (standard), this bit is set to "1" to disable
diversity.
If the phone was of a standard configuration, the description above
indicates that this option byte would be programmed as "110100" with each
bit enabling or disabling the specific option as appropriate.
Option byte B operates in the exact same fashion, except the byte consists
of only three bits, controlling three options. We'll label the bits "ABC"
where each letter represents a specific bit.
Bit "A" - Long tone DTMF: A "1" in this position enables long tone DTMF
for end-to-end signalling. This means that the phone will transmit a DTMF
tone for as long as you depress a key on the key pad. A "0" will disable
this feature, causing the phone to send a short burst of DTMF when you
dial, no matter how long you hold down the key.
Bit "B" - A "0" in this position enables the internal speaker of a
transportable phone to act as the "ringer" to signal an incoming call.
This feature can be disabled by programming a "1" in
this position if you have some ancillary device connected to
signal ringing.
Bit "C" - Eight hour timeout: This feature is normally enabled with a "0"
in this position. When enabled, the phone will timeout and turn off if it
has been left on continuously for eight hours. This helps prevent the
phone from completely draining the battery of your car if it is
inadvertently left on for an extended period without being used.
ENTERING PROGRAMMING MODE
Once you have determined the proper values for the data fields described
above, you can get down to the actual programming of the phone. With the
above data in front of you, it becomes a simple matter of punching it all
in on the keypad.
To begin programming the phone, you need to enter the programming mode.
Almost all Motorola phones use one of six possible key stroke sequences to
gain access to the programming mode. These are numbered one through six
and listed in Table 2.
Indexing the exhaustive list of model numbers to the appropriate sequence
number is beyond the scope of this article. It is not difficult to figure
out, and whether or not the phone has a "Fcn" (function) or "Ctl" (control)
key narrows it down to one or two possibilities.
The security code used to enter the programming mode consists of six
digits. It is keyed in twice, as though it were a twelve digit number, and
in a couple of the sequences is prefaced with a zero for a total of
thirteen digits. All Motorola phones are shipped new with the factory
default security code set to 000000. Most cellular programmers do not
change this, as it only makes reprogramming more difficult in the future.
Roughly 80% of the phones I've encountered retain the factory default
security code. The other 20% had been changed to 123456 by a local
cellular dealer. While the security code could conceivably be any six
digit number, you should be aware that this code is only useful to prevent
idle tampering with the programming, not lock out the personnel at other
service centers.
The security code is by no means akin to the vault door protecting the
contents of Fort Knox. In the next issue of Nuts & Volts I'll show you how
to build manual test adapter from one inexpensive part obtainable at any
Radio Shack store. This device will immediately allow you to enter the
programming mode without the security code. You can then view and change
the security code or all of the programming if you wish.
Once in programming mode, the phone will display "01" which indicates the
phone is at the first programming step (or field). Table 3 is a template
of the programming steps, and you'll notice that the step numbers
correspond with the numbers prefacing my descriptions of the required data
above. The phone always displays the two-digit field identifier before
displaying the data in that particular field. This lets you know where you
are in the programming sequence.
COFFEE BREAK: TIME FOR AN ASIDE
It would not be unusual for you to feel a bit overwhelmed right now. I was
confused the first time I attempted to program a cellular phone. If this
is your first exposure to cellular programming, may I suggest you grab a
cup of coffee and reread the article up to this point before you actually
attempt the programming process.
At first the idea of security codes and determining the proper sequence
necessary to access the programming mode was disconcerting and a bit
frustrating. Once this step had been accomplished, I was delighted to
discover how easy the actual programming was.
If you have difficulty accessing the programming mode, here is a helpful
tip: Let's say the phone is quiescent until you've keyed in the entire
sequence, including the 13 digits comprising the security code, but fails
to display "01" after the final keystroke. This indicates that you are
using the correct sequence from Table 2, but the security code is
incorrect.
If you are using the wrong keystroke sequence to enter programming mode,
the phone will abort in the midst of keying in the security code, because
it fails to recognize why you are punching in all the digits. If you are
using the correct sequence to access the programming mode, the display on
the phone will not echo (display) the security code unless you are keying
it in too slowly.
KEYING IN THE DATA
The process leading up to this point is actually the majority of the work
involved in programming a cellular phone. Keying in the data is so easy
that it's almost disappointing.
If you've successfully accessed the programming mode, your phone will
display "01" to identify the current field. Pressing "*" advances the
display to the data in that field. You can then key in new data and press
"*" to advance to step "02", or press "*" without entering data to retain
the information currently stored within the field.
I just want to change my unlock code, so I need to advance to the field
where this data is stored. A quick glance at Table 3 tells me that my
current unlock code is stored in field 08. To get to this field, I need
only to repeatedly press the "*" key to sequence the phone through the
fields without altering any of the data. When "08" is displayed, I know
I've arrived at the field containing my unlock code.
First I access the programming mode on my transportable phone by turning on
the power and keying in sequence number 4 from Table 2. I depress the
"control" key on the side of the handset and quickly punch in "0" followed
by my security code twice (123456+123456) and finally press the "*" key.
The display shows "01" to let me know I am at field 01, the SID.
I press "*" to advance to the data, and the display shows "00224" which is
my SID. I press "*" again and the software sequences to the next step.
"02" is now on the display. Another "*" and the phone displays "209" which
is the data in field 02 - my cellular area code. Depressing the star key
advances us to step "03" which is my MIN. Pressing "*" displays the
contents of field 03, and yes, it certainly is my cellular telephone number
(MIN).
Each time I press the "*" key the phone continues to advance to the next
field number and then displays the data stored there. Since I want to
change my unlock code, I repeatedly press the "*" key until the phone
displays "08." This is the field containing that code.
Another "*" and my display shows "602" which is my current unlock code. I
want to change it to "977." With the old code in the display (602), I
simply punch in the numbers 9+7+7. The display now reads "977" which will
be my new unlock code.
If I continued pressing the "*" key, the phone would sequence through the
remaining fields until it returned to "01." I could then advance through
the fields again. You might want to do this, just scrolling through the
data programmed into your phone. Use Table C to identify the fields as you
look at the data stored in each.
If you accidentally alter the data in any of the fields while you are
looking around, press the "#" key to exit programming mode without saving
any of the changes to memory. The "#" key will abort the programming mode,
leaving the previously stored information intact.
Since I changed my unlock code, I need to burn the new information to the
Numeric Assignment Module (NAM) in the phone. NAM is the term used to
describe the EEPROM chip where the program data is stored. To save the new
information, I press "Snd" (Send). This burns the changes to the NAM and
exits the programming mode.
These are the keys to remember while programming a phone, or just exploring
the current programming: The "*" key advances to the next field or step.
The "#" key aborts programming without saving any changes. The "Snd" key
saves all changes to the NAM and exits programming mode. The "clr" (clear)
key will restore a field to the previously stored data if you make a
mistake while keying in digits. You can then reenter the data correctly.
SUMMARY
We've covered a lot of material, and I commend your tenacity. Cellular
programming is actually an easy process. You now have a decent
understanding of the fundamentals, and I assure you that a bit of practice
will lead to a surprising proficiency.
The information in this article is specific to cellular equipment
manufactured by Motorola. Other manufacturers use somewhat different
templates and methods to access the programming mode. If you want a deeper
understanding of cellular programming or need the exact programming
templates and instructions for a variety of phones, I suggest you buy one
of the publications reviewed here.
If you own just one model of phone and need a template or other basic
assistance, I don't mind helping you out. You can contact me directly via
mail at 6333 Pacific Avenue, Suite 203, Stockton, CA 95207-3713. If you
need me to provide detailed information, I would appreciate it if you'd
enclose a few dollars to help offset my expense. I welcome all comments,
and encourage suggestions for future articles.
Building a test adapter for Motorola phones is the subject of my article
next month in Nuts & Volts. Placing a phone in test mode will allow you to
bypass the keystroke sequence and security code to access programming mode.
This is a device every cellular service person should have. In addition to
getting around a security code long forgotten by a customer, you'll learn
how to reset the cumulative call timer, reset the NAM programming to
default values and a host of other interesting test functions such as
accessing the built-in relative signal strength indicator (RSSI) and
channel number display available only when the phone is in test mode.
# # #
Table 1
DETERMINING YOUR STATION CLASS MARK (SCM)
Proper SCM Value Attributes of Your Phone
00 Standard power output; 666 channel cap.; no VOX operation.
04 Standard power output; 666 channel capability; uses VOX.
06 Low power output; 666 channel capability.
08 Standard power output; 832 channel cap.; no operation.
10 Low power output; 832 channel capability; no VOX operation.
12 Standard power output; 832 channel capability; uses VOX.
14 Low power output; 832 channel capability; uses VOX.
The SCM value appropriate to your cellular phone should beentered in
programming field "04." "Standard power" as used above refers to the RF
output level of a transportable phone, or one installed in a vehicle. "Low
power" refers to the reduced RF output of handheld units.
Handheld phones utilize a lower power level not just because of their size
and battery capacity. Since the transmitter and antenna are a part of the
handset, it was determined that radiating a full three watts of RF just a
few inches from your head might be unhealthy.
# # #
Table 2
PROGRAMMING MODE ACCESS SEQUENCES
#1 - Fcn + [six digit security code] + [six digit security code] + Rcl
#2 - Sto + # + [six digit security code] + [six digit security code] + Rcl
#3 - Ctl + 0 + [six digit security code] + [six digit security code] + Rcl
#4 - Control + 0 + [six digit security code] + [six digit security code] +
*
#5 - Fcn + 0 + [six digit security code] + [six digit security code] + Mem
#6 - Fcn + 0 + [six digit security code] + [six digit security code] + Rcl
Note: In sequence #4 the "control" key refers to the audio and ringer
volume control button on the side of the handset if no "Ctl" key is present
on the handset keypad.
Example: If the appropriate sequence for my phone is #3, and my security
code is 123456, I would key in the sequence as follows:
A) Turn power on. Display reads "ON."
B) Press: [Ctl], [0], [1], [2], [3], [4], [5], [6], [1], [2], [3], [4],
[5], [6], [Rcl].
C) If entered correctly programming mode is active. Display reads "01."
# # #
Table 3
TEMPLATE: SEQUENCE OF PROGRAMMING STEPS
Field Description Digits Typical Example
01 System ID Number (SID) 5 000233
02 Area Code of Mobile ID Number (MIN) 3 209
03 Mobile Identification Number (MIN) 7 555-1212
04 Station Class Mark (SCM) 2 12
05 Access Overload Class (ACCOLC) 2 06
06 Group ID Mark (GIM) 2 10
07 Security Code 6 000000 or 123456
08 Unlock Code 3 123
or last 3 digits of MIN
09 Initial Paging Channel (IPCH) 4 0333 or 0334
10 Options programming byte "A" 6 011100 (binary)
Internal Speaker (1 = disable) X-----
Local Use bit (1 = enable) -X----
MIN Mark bit (usually disabled = 0) --0---
Auto-Recall bit (always set to 1) ---1--
Second Phone Number (0 = disable) ----X-
Diversity option bit (0 = disable) -----X
11 Options programming byte "B" 3 010 (binary)
Long tone DTMF (0 = disable) X--
Ringer/speaker (1 = handset / 2 = transducer) -X-
Timeout (8 hour) (0 = enabled) --X
If second phone number option is enabled and supported by the hardware,
this programming template will repeat for the second phone number. Each
field identifier (step) number will be displayed with a "2" to indicate
data for the second number. (e.g. "01 2").
*****************************************************************
SOURCES: A Review of Available Publications
Every month I peruse the pages of Nuts & Volts with an eye for detail
unmatched by the best Revenue Agents employed by the IRS. Why? Because I
have an insatiable appetite for information - especially information
surrounding technology that seems "inaccessible" to you and me. As a
result, I've purchased all four publications advertised herein that deal
with cellular communications. Each has unique features and all were worth
the money. Here is my opinion of each:
Cellular Programmer's Bible
The Cellular Programmer's Bible definitely lives up to it's name. Over 300
pages of nothing but programming instructions for every conceivable
cellular telephone manufactured. This tomeincludes the factory preset
security codes to greatly simplify access to the programming modes of
various phones. In addition to precisely detailing every programming
sequence, each entry includes invaluable technical information on channel
capabilities, test modes, and other unique tidbits applicable to the
specific model of phone being described.
This volume is mandatory for anyone considering offering programming
services to the public. I discovered my Pac Tel Cellular customer service
rep uses this same publication as his programming reference, although he
carries it in a nondescript binder.
Approximately 400 spiral bound 8.5 x 11" pages. $84.45.
Available from: TeleCode, P.O. Box 6426, Yuma, AZ, 85366-6426.
(602) 782-2316.
Cellular Hacker's Bible
The Cellular Hacker's Bible is TeleCode's other cellular publication.
About one third of this book is devoted to programming templates for over
thirty popular phones. The balance consists of an elaborate technical
dissertation describing the operation of the cellular network which reads
like a Bellcore technical document (coincidence?). From switching to
timing and signalling protocols - it's all here.
The attention to technical detail can be an engineer's dream or
mind-numbing to the casual reader. Although I occasionally became bogged
down in things like "wink start signalling" and multi-frequency (MF) call
routing codes, I appreciated the excruciating detail when I came to the 18
pages listing each and every frequency in the radio spectrum allocated to
the cellular network by the FCC.
The reprogramming instructions are easy to follow, but not as comprehensive
as the templates in TeleCode's other publication (above).
Approximately 180 spiral bound 8.5 x 11" pages. $53.45.
Available from: TeleCode, P.O. Box 6426, Yuma, AZ, 85366-6426.
(602) 782-2316.
Cellular Phone Phreaking
Technical documents published "for educational purposes only" by
Consumertronics have a unique format and tone not generally found in other
books. John J. Williams, MSEE and proprietor of the company, has a gift
for presenting detailed technical information in an almost conversational
manner full of examples and anecdotes. Cellular Phone Phreaking is no
exception.
The programming instructions are equivalent to those contained within
TeleCode's Cellular Hacker's Bible. The technical description of the
cellular network is brief, and Williams includes an abundance of
information on how individuals have been known to perpetrate cellular
fraud. Included are relevant excerpts from various communications privacy
laws, including the text of the Electronic Communications Privacy Act
(ECPA).
Of value to the technician or monitoring enthusiast are the mathematical
algorithms necessary to determine the cellular channel numbers based on the
radio frequencies used.
While informative and entertaining, this book is a bit thin compared to the
others, but Williams crams in a lot of information by using small type and
not wasting an inch of space.
Approximately 41 spiral bound 8.5 x 11" pages. $39.00.
Available from: Consumertronics, 2011 Crescent Drive, P.O. Box
88310, Alamogordo, NM
88310, (505) 434-0234.
Cellular Telephone Modification Handbook
The Cellular Telephone Modification Handbook is the one publication
reviewed that is not really a programming manual per se. It is a book
explaining in detail how a hacker would change the Electronic Serial Number
(ESN) of a cellular phone. As a "security manual," the book holds nothing
back in precisely demonstrating how criminals can defraud the system by
doing so. I should note that a legitimate application for this information
would be to "clone" a phone that you already own.
By duplicating the ESN of your existing phone into another phone, you could
use either unit at any given time and avoid having to pay for an additional
number and service for the second phone. This seems analogous to adding an
extension phone to your telephone service at home. Why have a separate
number for each "extension?" Cellular companies don't like it, but it
doesn't appear to be illegal. Emulating the phone of your local bank
president in order to make free calls is another story entirely.
In addition to basic "universal" programming guidelines, this book includes
"screen dumps" of PROM emulation software, lists of manufacturers' ESN
prefixes and System Identification Numbers (SIDs). Complete with sources
for parts and equipment, as well as books and magazines related to the
field of cellular communications.
The representative I spoke with at Spy Supply provides programming support
for their customers. If you need assistance with a specific phone, he'll
provide you with programming information for that particular model at no
charge. After purchasing the manual, I tested this service and
found that he could answer every question I threw at him without
hesitation. The availability of this invaluable resource elevates Spy
Supply above the ranks of a typical publisher.
Approximately 52 spiral bound 8.5 x 11" pages. $79.95.
Available from: Spy Supply, 7 Colby Court, Suite 215, Bedford,
NH 03110, (617) 327-7272.
*****************************************************************
CELLULAR TELEPHONE MANUAL TEST MODE
How to Build and Use Programming Aids
By Damien Thorn
Over the last few months in Nuts & Volts we've taken a close look at
cellular technology. From an overview of the network to a "hands-on"
tutorial covering cellular telephone reprogramming. This article
introduces the construction and use of a manual test adapter to assist in
reprogramming or diagnosing problems in various cellular phones.
You can build this device in about five minutes with one part from your
local computer store or Radio Shack. The simplicity is elegant, and belies
the powerful control you can achieve over your cellular hardware. Need to
bypass the security code usually required for programming, or display the
relative signal strength indication (RSSI) on a specific cellular channel?
With a manual test adapter you're just a few keystrokes away from this and
more.
INTRODUCTION
As I mentioned last month, there is little money to be made by cellular
dealers in the sales of equipment. Hardware prices are so competitive that
most dealers sell new equipment at close to cost. Dealers make their
profit through commissions for signing up subscribers for cellular service,
and by installation and repair.
Installing cellular phones is comparable to installing a CB radio, and less
difficult than wiring a car stereo. Modern cellular phones are so reliable
that the phone itself rarely needs to be serviced. Ancillary equipment
such as wiring and antennas are usually the cause of any malfunction.
Probably the most common service operation is programming.
Whether you are activating cellular service for the first time, or moving
to another city, your cellular phone must be reprogrammed with specific
data supplied by the cellular service provider (carrier). Even changing
the unlock code on the phone requires reprogramming in many instances,
often associated with a fee ranging from $15-50.00.
The vast majority of contemporary cellular phones are programmed by
punching in the data right on the keypad without the aid of any external
programming device. And this service is often performed by shop personnel
with little technical skill. With a programming manual in front of her, I
watched the receptionist at a local dealer program a phone that was being
exchanged by a customer.
I use this example to illustrate how easy it is to reprogram a phone.
There is really no reason you or I cannot perform this task ourselves and
save money. Reprogramming can also become a profitable additional service
offered by independent technicians.
Motorola's Test Mode
Motorola is probably the largest manufacturer of cellular phones. In
addition to their own brands, they make phones for a plethora of other
companies. I've always admired the quality of Motorola communications
equipment, and the test mode engineered into their cellular firmware has
scored them a few more points in my book.
The test mode is designed to be of assistance to cellular technicians in
the field, and is entered by grounding a specific pin on one of the phone's
connectors. Once in test mode, the technician has manual control over many
of the functions normally automated by the firmware. The phone display
can now be used to indicate the status of various operational parameters.
The most useful functions to the hobbyist and professional programmer alike
are those which allow the data stored in the Numeric Assignment Module
(NAM) to be reviewed and changed. This is not much different from using
the standard programming mode, except no special keyboard sequences and
security codes are required for access. The manual test mode effectively
bypasses the software "front door" commonly used to enter programming mode,
and is invaluable when the security code is unknown or has long since been
forgotten.
The rest of this article details the construction of a test adapter and
explains its use as applicable to cellular programming. From this point on
I'm assuming you've read my previous article or otherwise have at least a
basic knowledge of cellular programming.
The basic style of the Motorola-manufactured phone will determine how you
go about placing the unit in test mode. Palm-size folded phones and the
one-piece hand held devices do not require and adapter. A jumper between
the contact designated as the "test line" and ground is all that is
required.
Activating Test Mode: Hand held Phones
If your phone is one of the hand held types, slide the battery pack off the
unit. The battery pack also serves as the rear of the phone's external
case. On the top rear of the phone you should see twelve contacts arranged
in two horizonal rows as depicted in Photo #1.
Before you go any further, you should look at the model number of the phone
located on the back of the handset. A typical model number is
"F09FSF9797." The fourth letter (underlined) in this string is important.
This indicates the phone is of the Motorola "F" series and contains
firmware that is programmed to allow us to use the manual test mode. The
older "D" series phones do not contain the appropriate firmware, and are
not even programmable from the keypad. Do not attempt this procedure on a
"D" series phone.
Another way to make sure the phone is of the "F" or higher (G, H, I, etc.)
series as opposed tothe older "D" series is to examine the plastic shroud
which extends from the top of the phone and partly covers the RF
switch/antenna connector housing. The "F" (and newer) series phones have
various notches molded into the plastic shroud as can be seen in the photo.
To reiterate, if the model number contains the letter "D" as the fourth
character, it does not have a test mode, and cannot be reprogrammed from
the keypad. Do not attempt to place it in test mode or you may damage the
phone. Once you are certain the phoneis of the "F" or higher series, you
may proceed.
The contact which serves as the test line is #6. This is the contact to
the far right in the upper row, and should be the last (and sixth) of the
contacts comprising the top row of contacts. Making a connection between
this contact and ground will cause the phone to enter the test mode when
powered up.
The most convenient way I've found to accomplish this in lieu of a special
adapter or modified battery pack is to use a small piece of wire as a
jumper. The short lengths that come with the Radio Shack RS-232 jumper box
we'll be discussing later work perfectly, right out of the package!
To jump contact #6 to ground, I use a very small jewelers screwdriver to
carefully wedge one of the solder-tinned ends of my jumper into the space
between the contact and the plastic edge to the right. The snug fit
assures decent electrical contact and helps keep the jumper in place. The
other end of the jumper is gently inserted in the crevice on the RF switch
housing. This bare metal area is the most convenient ground and will even
hold the end of the jumper.
Once you have the jumper connected, you need to flatten it against the
phone so that you can slide the battery back on without dislodging it.
Photo #2 depicts the jumper in the proper position to clear the battery
pack.
Palm-size Folded Phones
The "Micro TAC" variety of miniature folded phones ("Flip-Fones")
manufactured by Motorola usually require a special battery to activate the
test mode. You can simulate this battery with your standard battery,
however.
After removing the battery from the phone, you should see three contacts in
a row located in the lower right area of the phone. The two outer contacts
are the battery connections. Positive "+" is to the left, and negative "-"
is to the right.
The center contact is somewhat recessed and does not make contact with the
standard battery. Your battery however, should have a mating third contact
present. To place the phone in test mode, you need to get the center
contact to mate with the center contact on the battery. Strategic use of a
small piece of folded metal foil, solder wick or similar conductive
material can be used to extend the center contact on the phone so that it
will make contact with the third terminal of the battery.
If you attempt this procedure, immediately power up the phone to make sure
you have not shorted the battery terminals. If the phone does not come on
at all or feels warm to the touch, quickly remove the battery. A shorted
NiCad battery can explode, causing serious injury.
MINI-TR or Silver MiniTac phones
Two specific phones - Motorola's MINI-TR or Silver MiniTac units can be
placed in programming mode by shorting the two contacts of the hands-free
microphone connector.
Mobile Installations & Transportable Phones
These common phones are the type that consist of a handset connected to a
separate transceiver unit by a coiled cable resembling the receiver cord of
a standard landline telephone. The handset cable is terminated with a
modular connector and plugged in to a jack. The control cable from
the jack carries the handset, power and options wiring. This control cable
is connected to the transceiver with a 25-pin DB25 connector as depicted in
Photo #3.
These phones are also placed in manual test mode by grounding the test
line. The easiest way to accomplish this is by building a small test
adapter (also known as a "programming aid"). This device is placed between
the control cable and transceiver DB25 connectors allowing all the signals
to pass through unaffected with the exception of jumping the test line to
audio ground.
Building the Test Adapter
Construction of the test adapter is pretty straight forward. The same DB25
connectors used by Motorola have been used for years as the standard
RS-232-C connector on computer equipment. You can easily pick up a serial
RS-232 inline jumper box from your local computer, electronics or Radio
Shack store. The part number at Radio Shack is #276-1403 and lists for
$9.95 in their 1993 catalog.
The Radio Shack jumper box is designed for maximum flexibility and as such
does not have any of the pins preconnected. Each trace on the circuit
board connecting the pins has a small break which you will need to bridge
with solder to allow the signals to pass through. Examine the PC board
before beginning and follow a few of the traces. Note the difference
between the break in each trace and the small solder pads used for
connecting jumpers. You only need to bridge the traces.
Once you've applied a small dab of solder to restore the integrity of each
trace, you are ready to install the jumper. The test line on these
Motorola phones is pin #21. Pin #20 is the audio ground line. You want to
jumper (short) these two pins.
Small numbers etched on the PC board indicate the jumper point for each
pin. Locate the numbers 20 and 21 next to the small solder pads. Using
one of the short jumper wires provided with the device, place the ends
through these two holes and solder them down on the opposite side of the
board. Photo #4 depicts proper jumper installation, although I left one
end of the jumper unsoldered to illustrate it going through the board to be
soldered on the other side.
That completes the construction of a handy programming aid for Motorola
cellular phones, and you have a small packet of left over jumpers that are
perfect for jumpering the test line contact on the hand held units. Be
sure to save them.
To use the test adapter, place it between the control (handset) cable and
the transceiver as shown in Photo #5.
Test Mode Commands
Once you've jumpered the appropriate contact or applied the test adapter,
it's time to turn on the phone. When the phone powers up, a series of
digits should appear in the display similar to those shown in Photo #6.
They should alternate with another series of digits. This indicates your
phone is in the manual test mode.
One display consists of two numbers, each three digits in length. The set
to the right is the channel number designator for the specific cellular
frequency the phone is receiving from your local cell site (tower). The
right-most trio is the relative signal strength indication (RSSI) of the
received frequency.
The seven-digit number alternating with the channel/RSSI display provides
the technician with additional status information. Each individual digit
in the field is actually an independent status register. With a letter
substituted for each of the seven digits, this is what they represent:
A B C D E F G
Position A - SAT Frequency. Indicates which of the three SAT lock
frequencies is being used by the phone. In this position a "0" = 5970Hz,
"1" = 6000Hz, "2" = 6030Hz, "3" = No SAT lock.
Position B - Carrier Status indication. "0" = carrier off, "1" = carrier
on.
Position C - Signalling Tone. "0" = tone off, "1" = tone on.
Position D - RF Power Attenuation Level. "0" through "7" are valid values.
Position E - Channel designation. A "0" = voice channel, "1" = control
data channel.
Position F - Audio Mute (receive). "1" = received audio is muted, "0" =
unmuted.
Position G - Audio Mute (transmit). "1" = transmitted audio is muted. "0"
= unmuted.
The meaning of all these status registers is fairly complex and has no
bearing on cellular reprogramming. This display, like the majority of the
test commands, are only of value to an engineer placing the phone under
test with a cellular service monitor.
Table "A" lists the test commands that can be of assistance in
reprogramming. I have omitted the test commands designed for use with a
service monitor, as issuing them without the phone connected to a monitor
may cause interference to the cellular network. You may own the phone, but
the cellular provider owns the FCC license that allows you to use it.
Operating the transmitter in the phone in a manner inconsistent with this
license could subject you to loss of service and possible legal trouble.
Issuing Commands
If your phone did not come up with the status display described above, you
may need to manually instruct the phone to do so. Pressing "#" enters the
test command mode, and "02#" is the command to display the status
registers. If you enter a command improperly, the phone will scroll the
word "error" across the display.
If you need to review the current programming data stored in the NAM, enter
"55#" which instructs the phone to enter the programming mode. You can
scroll through the contents of NAM displaying the stored values by
repeatedly pressing the "*" key. Actual reprogramming through this mode is
considerably more difficult than through the standard programming mode.
The test mode does not display a step number to let you know what
programming step you are at, and the information is stored and displayed in
a different order.
Many programmers simply use this mode to obtain the security code, exit
test mode and program the phone in the normal fashion. As you step through
the NAM contents with the "*" key, the security code is the only six-digit
number you'll see that isn't binary. Once you've written it down, continue
to step through NAM until you see the "tick mark" in the display (it looks
like an apostrophe) and exit test mode by turning off the phone.
Motorola designed their phones so that they could only be programmed three
times. I don't know the rationale for this, but a firmware counter
increments each time the phone is reprogrammed, and after the third time it
will no longer enter programming mode. The instruction booklet that
accompanies the phone instructs you to take it to the dealer where you
bought it.
If you took the phone to a dealer, they would put the phone in test mode
(just like we're doing) and enter the command "32#" which resets the
counter to zero, allowing the phone to be reprogrammed three more times.
Do it yourself and save!
Many phones also have a cumulative call timer that counts the total number
of minutes the phone has been used for calls (actively transmitting). This
"autonomous timer" (that you were told was not resetable) can be cleared
and reset to zero by punching in "03#" while in test mode.
Another useful command is "38#" which causes the phone to display the
Electronic Serial Number (ESN) that is burned in ROM. The phone will
display the ESN one hex byte at a time. Press "*" to increment to the next
byte. Note that the display shows four numbers. The two to the left
indicate which byte you are viewing (00, 01, 02 or 03),and the actual value
of that byte is at the right of the display.
You can punch in "19#" if you'd like to view the software version number
resident in your phone.
Conclusion
You should now have an understanding of the test mode inherent in cellular
phones manufactured by Motorola, and if you've followed this series of
articles in recent issues of Nuts & Volts, the operation of the cellular
network and reprogramming procedures are no longer so mysterious.
Your questions and comments are always welcome, and you can write or send
E-mail directly to me as mentioned below. If plan to do much programming
or would like detailed information on the cellular network, you would
benefit greatly by investing in one of the detailed technical publications
offered in these very pages. I've listed the publishers of several good
volumes in a sidebar, and you'll find their ads scattered throughout this
magazine.
As a final note, you should be aware that the use of this information is
undertaken at your own risk. Although most of this information was
triple-checked against available technical documentation, none of it
originated directly from Motorola. I doubt you'll have a problem, but you
never know when a manufacturer might change their specifications.
*****************************************************************
TEST MODE COMMAND SUMMARY
The following is a summary of some of the commands available from within
the test mode on most cellular phones manufactured by Motorola.
COMMAND DESCRIPTION
# Initial keystroke to enter test command mode.
01# Reboot phone (begin power-up routine).
02# Display status registers.
03# Reset "autonomous timer" to zero minutes.
04# Initialize transceiver.
07# Mute audio (received).
08# Unmute audio (received).
11XXX# Load frequency synthesizer with specific cellular
channel (XXX = 3-digit decimal channel designator).
13# Power down the phone (off).
19# Display software version number.
32# Initialize NAM. Erases all programmed data!
36XXX# Activate channel scanning. Pauses on each channel for
XXX milliseconds. Keying "#" aborts scanning.
38# Display Electronic Serial Number (ESN).
45# Display current relative signal strength (RSSI) of currently
loaded channel.
53# Enables scrambler option if phone is equipped.
54# Disables scrambler option if phone is equipped.
55# Programming mode - display/change NAM contents.
*****************************************************************
Sources of Additional Information
The following companies distribute publications that offer detailed
instructions and information pertaining to cellular programming and various
aspects of cellular hardware:
Spy Supply
7 Colby Court, Suite 215
Bedford, NH 03110
(617) 327-7272
TeleCode
P.O. Box 6426
Yuma, AZ 85366-6426
(602) 782-2316
Consumertronics
2011 Crescent Drive
P.O. Box 88310
Alamogordo, NM 88310
(505) 434-0234
*****************************************************************
AUTHOR BIOGRAPHY
(For publication)
Damien Thorn's interest in electronics has deep roots. A noted "hacker"
and "phone phreak" by age sixteen, he contributed regularly to the
underground newsletter "TAP." Today Damien is an on-air radio personality
and FCC licensed engineer in California's San Joaquin Valley. His
interests include computers, communications, security and privacy issues.
He welcomes questions and comments. You can reach him at 6333 Pacific Ave.
#203, Stockton, CA 95207-3713 or via E-Mail at one of the following:
DrDamien@Delphi.com via Internet mail, on CompuServe at 75720,2104, or on
Delphi as DrDamien.

Reference in New Issue View Git Blame Copy Permalink