Text File | 1998-07-09 | 12KB | 198 lines
[ H a c k e r s I n f o r m a t i o n R e p o r t F i v e ]
[>>>>>>>>>>>>>> Cell Stuff 1 <<<<<<<<<<<<<<<]
[The first article in a series of god-knows-how-many, completely dedicated to]
[the official toy of the modern Phone Phreak: The Cellular Phone]
[This article covers mostly Motorola Cellular]
This is the first article of HiR completely devoted to all that funky cellular
stuff. As you may recall, in HiR 3 we mentioned that we found a really
kick-ass course guide used for employee training with Motorola phones. This
article is the first fruit of the knowledge contained within that book's old
tattered pages. I've sort of divided this article into two sections:
I. A flowchart of the chain of events that happen inside a cellular phone
II. User- and test-mode cellular programming introduction
On with the show!
-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-
I. Cellular telephone chain of events
Sometimes it's nice to know what exactly is going on inside something. Maybe
you want to troubleshoot it. Maybe you just want to be reassured that
everything isn't just being powered by rubber bands and springs. Who knows.
Regardless, I've finally found a flowchart that describes in detail every
action that a cellular phone takes after you power it up. The flowchart
does NOT cover what happens once you make or receive a call, however.
1. Power button pressed. Self Test Occurs. NoSvc indicator activated.
2. Scan preferred system (A or B).
3. Scan all 21 control channels for that system.
4. Use strongest control channel.
5. If overhead information is received and decoded, jump to step 8.
6. Tune to second strongest control channel.
7. If overhead info still cannot be received or decoded, jump to step 12. *
8. If the system ID matches the cell phone's home SID, jump to step 10.
9. Activate Roam indicator.
10. Turn off NoSvc indicator.
11. Rescan after 5 minutes (jump to step 2).
12. Turn on NoSvc indicator.
13. Switch to non-preferred system (A or B), then jump to step 3.
* In most phones, only the 2 strongest control channels are scanned, but some
phones scan more than 2.
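To make the thirteen steps concrete, here is a small Python model of the power-up acquisition flowchart (an added example written for this edit, not code from the HiR article or from Motorola). The channel strengths, SIDs and the "decodable" flags are constructed inputs, and the two-strongest-channel limit from the footnote is a parameter so phones that scan more can be modelled too.

```python
from dataclasses import dataclass

@dataclass
class ControlChannel:
    number: int       # index within a system's 21 control channels
    strength: int     # constructed signal strength; higher is stronger
    decodable: bool   # constructed: can the overhead info be decoded?
    sid: int          # system ID carried in the overhead information

@dataclass
class Phone:
    home_sid: int
    preferred: str               # preferred system, "A" or "B"
    max_channels_tried: int = 2  # footnote: most phones try only the 2 strongest
    no_svc: bool = True          # step 1: NoSvc indicator lit after self test
    roam: bool = False

def scan_system(phone, channels):
    """Steps 3-7: try the strongest control channels in turn; return the
    first whose overhead information decodes, or None if none does."""
    ranked = sorted(channels, key=lambda c: c.strength, reverse=True)
    for ch in ranked[:phone.max_channels_tried]:
        if ch.decodable:
            return ch
    return None

def acquire(phone, systems):
    """Steps 2-13 of one power-up. `systems` maps "A"/"B" to control
    channels. Returns the system that gave service, or None once both
    have failed (the real phone keeps alternating between them; the
    5-minute rescan of step 11 is left to the caller)."""
    phone.no_svc, phone.roam = True, False                 # step 1
    other = "B" if phone.preferred == "A" else "A"
    for system in (phone.preferred, other):                # steps 2 and 13
        ch = scan_system(phone, systems.get(system, []))
        if ch is None:
            phone.no_svc = True                            # step 12
            continue
        phone.roam = ch.sid != phone.home_sid               # steps 8-9
        phone.no_svc = False                               # step 10
        return system
    return None

if __name__ == "__main__":
    # constructed scenario: A's two strongest channels won't decode, B does
    a = [ControlChannel(1, 90, False, 31), ControlChannel(2, 50, False, 31)]
    b = [ControlChannel(3, 60, True, 77)]
    phone = Phone(home_sid=31, preferred="A")
    print(acquire(phone, {"A": a, "B": b}), "roam:", phone.roam)
```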
-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-
II. Introduction to user- and test-mode programming on Motorola cell phones
There are 2 types of programming on Motorola phones. The easier of the two
is called user-mode programming. This method also goes by the name "security
code programming", because a security code is used when entering programming
mode. Once in this mode, it is possible to change the security code, which is
6 digits long. After that, the old security code will no longer let you into
user-mode programming. Take note that there is never a need for any special
equipment here, as long as all the keys on the keypad work normally.
The other method is called test-mode programming. There is never a way to
get into test mode with the keypad alone. Sometimes it takes a whole desktop
system with special interface cables and custom software, but in some cases
it's quite a bit easier than that, and can be done with nothing more than a
little piece of aluminum foil or a pair of needle-nose pliers.
I will only cover user-mode programming in this article, but in HiR 7 I'll
expose some ways of getting into test mode, and compare the features that
set the two programming modes apart. Some (but far from all) actual
programming operations will be covered in depth, but since I myself have not
messed with actual programming to any great extent, all that I can provide is
what I've done. I will describe each memory location, and the function of
each bit or byte, though.
Getting into user programming mode:
This varies quite a bit from model to model. When it comes to Motorola
phones, there are 6 main user-mode entry sequences. Some phones may not
allow user-mode programming, and a very small group of phones have another
way of accessing user-mode programming which is more complex than I wish to
cover here. Below is a table of the 6 user-mode entry key sequences. Then
there will be another table of which handsets use which of the 6 sequences
to get into user-mode programming. Wherever %CODE% shows up in the sequence,
you'll have to enter the 6-digit security code twice. By default, the
security code is 000000. So, where %CODE% shows up, you would want to try
000000000000 first, unless you know the security code is something else.
If the security code were 852030, then where %CODE% is, you would need to enter
852030852030. Simple enough? Just remember to enter the security code twice.
------------------------------------------------------------------------------
Table 6-2.II.1: keystroke sequences for entering user-mode programming
+-----+-----------------------------------------------------------------------+
| Num | Key Sequence                                                          |
+-----+-----------------------------------------------------------------------+
|  1  | [FCN] %CODE% [RCL]                                                    |
|  2  | [STO] # %CODE% [RCL]                                                  |
|  3  | [CTL] 0 %CODE% [RCL]                                                  |
|  4  | [CTL] 0 %CODE% [X'ed Diamond thing] (CTL may also be the volume key)  |
|  5  | [FCN] 0 %CODE% [MEM]                                                  |
|  6  | [FCN] 0 %CODE% [RCL]                                                  |
+-----+-----------------------------------------------------------------------+
Once in User-Mode Programming, you can do quite a bit, but not quite enough
to satisfy the desires of most phreaks. I'll show you what each value in
user-mode programming means, and I'll focus on the ones I am familiar with
(remember, I'm not a HUGE cell phreak, I just study it occasionally).
If you modify the phone number, an internal counter dubbed the "3-Times"
counter, will increment by 1. Once it hits 3, the cellular phone goes nuts
and will not operate. According to the manual, you're supposed to turn it
in to a cellular technician who will then ask why the phone number got
changed so many times...heh...Well all they have to do is enter test mode,
and modify the counter (Reset it). Of course if you can weasel your way
into test mode, you should be fine. =]
Pressing the * key steps through each entry in sequence.
Pressing CLR returns the current data field to the previous value.
Pressing # will exit the program without saving any changes. This does not
have any effect on the "3-times" counter.
Pressing the SND key while entering data has no effect.
Pressing the SND key while on an entry field will save the data. If the
telephone number was changed, the "3-times" counter will increment.
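The four key rules and the "3-Times" counter, as a Python model added for this edit (not the article's or Motorola's code). It assumes a NAM holding just a few entries keyed by entry number, and reads "SND while on an entry field" as: digits typed on a field are committed when you press * to step off it, while SND with digits still pending is ignored.

```python
LOCKOUT = 3  # article: once the "3-Times" counter hits 3 the phone will not operate

class UserModeSession:
    """One trip through user-mode programming. `nam` maps entry numbers
    ("01", "03", ...) to their saved strings; entry "03" is the phone number."""

    def __init__(self, nam, three_times=0):
        self.nam = dict(nam)          # values as saved in the phone
        self.draft = dict(nam)        # working copy edited in this session
        self.three_times = three_times
        self.order = sorted(nam)
        self.pos = 0                  # index of the entry currently shown
        self.typed = ""               # digits typed on the current entry
        self.locked = three_times >= LOCKOUT
        self.open = not self.locked   # a locked phone never enters programming

    @property
    def current(self):
        return self.order[self.pos]

    def key(self, k):
        if not self.open:
            raise RuntimeError("phone inoperable: counter must be reset in test mode")
        if k.isdigit():
            self.typed += k
        elif k == "CLR":              # current field back to its previous value
            self.typed = ""
            self.draft[self.current] = self.nam[self.current]
        elif k == "*":                # commit typed digits (assumption), step on
            if self.typed:
                self.draft[self.current] = self.typed
                self.typed = ""
            self.pos = (self.pos + 1) % len(self.order)
        elif k == "#":                # exit without saving; counter untouched
            self.draft = dict(self.nam)
            self.open = False
        elif k == "SND":
            if self.typed:            # SND while entering data has no effect
                return
            if self.draft["03"] != self.nam["03"]:  # phone number changed
                self.three_times += 1
                self.locked = self.three_times >= LOCKOUT
            self.nam = dict(self.draft)
            self.open = False
        else:
            raise ValueError("unknown key %r" % k)
```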
Entry  Default  Description
  01   00000    System ID. This is the system ID of your cellular carrier.
  02   111      Cellular Area Code.
  03   1110111  Cellular Telephone Number.
  04   XX       Station Class Mark. Varies according to channel access, VOX
                capability and power out. You probably will never have a
                need to mess with this one.
  05   00       Access Overload Class. Level of priority for accessing the
                system in case of a system overload.
  06   00       Group ID Mark. Specifies how many of the SID bits are
                significant.
  07   000000   User Security Code. Code used in accessing user-mode
                programming features. Also used for changing the unlock
                code.
  08   123      Unlock Code. Supplied by the user to allow only those people
                who know the code to use the phone.
  09   0334     Initial Paging Channel. 0333 for side A SIDs, 0334 for side
                B SIDs.
  10   011100   Option Programming. These are toggle bits, read from left
                to right:
                1. Internal Speaker Disable. Disables the handset call
                   processing speaker if using an external speaker.
                   0=Internal speaker on, 1=Internal speaker disabled.
                2. Local Use. If set to 1, the phone responds to local
                   control orders when the group ID is matched.
                3. MIN Mark. If set to 1, the area code is transmitted on
                   every call.
                4. Auto Recall. 1 enables access to phone numbers stored in
                   memory locations. 0 disables access.
                5. Second Telephone Number Enable. Allows entry of telephone
                   data into the second NAM (or into programming memory if
                   the phone does not support a second NAM).
                6. Diversity. Set this if the dual-antenna feature is
                   present and you want to enable the diversity feature
                   (use both antennae). 1=Enabled, 0=Disabled.
  11   11110    Option Programming 2. This set of option bits is only
                available on phones with software version 8735 or later
                (phones with 832 channels). Some phones only have 3 or 4
                bits instead of 5. These will always be the rightmost 3 or 4
                bits (the last 3 or 4 of this table; Failed Page and
                Enhanced Scan may not be present in every phone).
                1. Failed Page Indicator. Informs the user of any inbound
                   call attempt that failed (typically due to a weak
                   signal) if set to 1.
                2. Motorola Enhanced Scan. A newer high-performance scanning
                   technique is used where multiple signalling channels are
                   present if this bit is set to 1. Motorola started
                   implementing this feature in mid '91. Phones produced
                   before this time do not have this feature.
                3. Long Tone DTMF. If set to 1, the DTMF tones are
                   transmitted long enough to make it easier for certain
                   DTMF-sensing equipment to pick up the tones. This helps
                   when trying to access voice mail or automated phone menus
                   from a cellphone.
                4. Transportable Internal Ringer/Speaker. 0=Audio routed to
                   the external speaker of a "Tough Talker" or Carry Phone.
                   1=Audio routed to the handset speaker.
                5. Eight Hour Timeout. If the phone remains inactive for 8
                   hours straight, it automatically turns off. This is
                   mainly for carphones, to keep them from totally draining
                   your car battery.
If the Second Telephone bit was enabled, the whole process will
start over again, except with a "2" to the right of the entry
number. Entries 7, 8, and 11 are not repeated.
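Entries 10 and 11 are bit fields, and the 3/4/5-bit width of entry 11 is the part that is easy to get wrong. This Python decoder, added here and not part of the article, names each bit as described above and right-aligns a short entry 11 so the missing bits are the leading ones (Failed Page, then Enhanced Scan). The defaults 011100 and 11110 are the article's; any 3- or 4-bit value you feed it is constructed.

```python
OPTION_1_BITS = (
    "internal_speaker_disabled",
    "local_use",
    "min_mark",              # area code sent on every call
    "auto_recall",
    "second_phone_number",
    "diversity",
)
OPTION_2_BITS = (
    "failed_page_indicator",
    "enhanced_scan",
    "long_tone_dtmf",
    "transportable_internal_ringer",
    "eight_hour_timeout",
)

def _decode(field, names, fixed_width):
    """Map a left-to-right digit string onto bit names. A short field is
    right-aligned, so the names of the missing leading bits are dropped."""
    if not field or any(ch not in "01" for ch in field):
        raise ValueError("option field must be a string of 0/1 digits")
    if fixed_width and len(field) != len(names):
        raise ValueError("this entry is always %d bits" % len(names))
    if len(field) > len(names):
        raise ValueError("too many bits for this entry")
    present = names[len(names) - len(field):]
    return {name: bit == "1" for name, bit in zip(present, field)}

def decode_option_1(field):
    """Entry 10: always six bits, read left to right."""
    return _decode(field, OPTION_1_BITS, fixed_width=True)

def decode_option_2(field):
    """Entry 11: 3 to 5 bits; a 3- or 4-bit phone lacks the leading bits."""
    if len(field) < 3:
        raise ValueError("entry 11 has at least 3 bits")
    return _decode(field, OPTION_2_BITS, fixed_width=False)

def encode(flags, names):
    """Rebuild the digit string from a decoded dict, for entering it back in."""
    return "".join("1" if flags[n] else "0" for n in names if n in flags)
```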
Keep a lookout for info on getting into test-mode programming, where
the REAL fun begins. It should be ready by HiR7, but I want to make
sure there's concrete info.