WINMX Assorted Textfiles

home *** CD-ROM | disk | FTP | other *** search

/ WINMX Assorted Textfiles / Ebooks.tar / Text - Tech - Phone Phreaking - The ultimate Cellular Phone Phreaking Manual (TXT).zip / cellular-manual.txt

Wrap

Text File | 1999-10-14 | 76KB | 1,375 lines

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ THE HIGH TECH HOODS and A-CORP PRESENTS..... %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%% %%% %%% THE ULTIMATE CELLULAR %%% %%% PHONE PHREAKING %%% %%% MANUAL #1 of 2. %%% %%% %%% %%% COMPILED BY %%% %%% THE RAVEN %%% %%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Hmmm.... Another text file.. Make sure that you keep this one for your collection!! There is no other text file that is more complete or up-to date that explains cellular phone phreaking like this one for 1992!!! Since this is going to be a complete manual it has been broken-up into 2 parts so this is manual 1. I'm hoping that there will be some info. on cellular phreaking published in PHRACK that may be able to help you and me with our endevors but I'm waiting. Another thing that I just found out is that the Hack/Phreak Community is in need for a BBS that doesn't give bullshit info (most do!) and thats cause our world has been infiltrated with narcs and telco/bell agents that try to spread as much misinformation as possible!! But there are a few bbs's that keep the faith and they will be listed at the end of this text. THE RAVEN +=======+ -=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= INDEX.... I. Improved Mobile Telephone Service (IMTS) II. General Information III. Cellular Freqs. & Channels IV. The Cell & It's Structure V. Equipment Description VI. More General Info. VII. Roaming VIII. NOTE =-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= CELLULAR PHREAKER TYPES ----------------------- There are two types of cellular phone phreakers. The first type is the one whos's intrested in scanning cellular phone channels basically to overhear conversations. The second type is the one who obtains and modifies cellular equipment so that he can make free phone calls at someone elese's expense. I. IMPROVED MOBILE TELEPHONE SERVICE This system that was used prior to cellular phones was the Improved Mobile Telephone Service (IMTS), which was much easier to scan for. Most scanner enthusiasts are familiar with this standard mobile phone system; this system has gone thru little evolution in the past decade in the U.S. It has remained a considerably limited service. A large metro area may only have several hundred users, (New York City has about 900 mobile phone subscribers) dur largely to limitations imposed by spectral overcroeding. Land mobile commo has seen a 10-12% annual growth rate for the past two decades. The result is that the 40, 150 and 450 MHZ bands are overcrowded. Even the utilization of the new 900 MHZ band (with 30-40 times more channels available than other bands) is a short-lived solution to the problem. IMTS freqs (MHZ): Channel Base Freq. Mobile Freq. ----------------------------------------- VHF LOW BAND ZO 35.26 43.26 ZF 35.30 43.30 ZH 35.34 43.34 ZA 35.42 43.32 ZY 35.46 43.46 ZR 35.50 43.50 ZB 35.54 43.54 ZW 35.62 43.62 ZL 35.66 43.66 VHF HIGH-BAND JL 152.51 157.77 YL 152.54 157.80 JP 152.57 157.83 YP 152.60 157.86 YJ 152.63 157.89 YK 152.66 157.92 JS 152.69 157.95 YS 152.72 157.98 YA 152.75 158.01 JK 152.78 158.04 JA 152.81 158.07 UHF BAND QC 454.375 459.375 QJ 454.40 459.40 QD 454.425 459.425 QA 454.45 459.45 QE 454.475 459.475 QP 454.50 459.50 QK 454.525 459.525 QB 454.55 459.55 QO 454.575 459.575 QA 454.60 459.60 QY 454.625 459.625 QF 454.650 459.650 The VHF high-band freqs. are the most popular IMTS channels. If you live within 25-50 miles of even a moderate sized town, you should have at least one VHF high-band channel. VHF low-band IMTS is used in rural areas and those with hilly terrain. UHF IMTS is primarily used in cities where the VHF channels are crowded. If you live in a major city, expect to have most, if not all, of these channels available to you. II. GENERAL CELLULAR INFO This section is a little boring but it's needed to set a basic foundation of cellular phone phreaking so that part 2 doesn't sound like all technicial talk! The FCC originally estaablished 3 cellular bands. One was given to the local Bell or Telco, (wireline carrier), one to an independent firm (non-wireline carrier), and one reserved for future use. Originally there were 666 cellular freqs or channels. In recent years the FCC has tacked on another 156 freqs for a total of 832 freqs, and all cellular makers have upgraded their phones to accomodate the new channels. Some of the new channels appears above the original 666 while others appear below. The cellular system cannot know whether or not a cellular phone can be switched to one of the 156 channels without the phone telling it. This is done by the Station Class Mark (SCM), which is a 4-bit binary number. (1) Bit #1 is "0" for 666 and "1" for 832 (2) Bit #2 is "0" for a mobile unit and "1" for a voice activated transmit. (That saves batteries on portables.) (3) Bit #3 and #4 identify the power class of the phone: "00" = 3 watts "01" = 1.2 watts "10" = 0.6 watts and "11" is not assigned. The old traditional scheme for handling cellular traffic is the analog method or Frequency-Divison Multiple Access (FDMA). How the FDMA works is that free channels are found and each transmitter is assigned to one of them. When the call finishes, th echannels are freed up for the next call. Also, as the two parties become physically closer or more distant as they drive or travhghhggytel the call may be handed off to other freqs assigned to the new cells they are in. Newer proposed schemes include Time-Divison Multiple Acess (TDMA) and Code- Divison Multiple Acess (CDMA). IN TDMA systems, calls may simultaneously use the same channels but are interspered between the pauses in the conversation. Many pauses result not only in the way people normally think and talk but when one party is talking, the other is listening. With TDMA, the Cellular Phone Company (CPC) injects small delays in parts of conversations to accommodate other traffic on that channel. This increases the lenght of the average phone call, which also increases their profits from it - not to mention the fact that they can increase there output by the factor of 3 and also then expand their operation. CDMA is a system that's been used by military for the past 30+ years. CDMA appears to basically be a system where conversation are compressed into coded bundles and then decompressed at the other end. A Cellular Mobile Telephone (CMT) is one that is installed in a vehicle, aircraft, watercraft or whatever, as opposed to a transporable or portable unit. III. CELLULAR FREQS & CHANNELS There are 832 cellular phone channels. 416 of these are allocated for the non-wireline services (Band A), and 416 for the wireline services (Band B). Each of these channels have two freqs, spaced 45 MHZ apart, that operate in a full-duplex mode. The lower freq is for the phone unit, while the upper is for the cell or basesite. Of the 416 channels, 21 are digital data control or "set up" channels and 395 are voice channels. Channels are numbered 1 thru 1023, and there is a gap from 800 to 990. Rather than producing a list of 1646 cellular freqs, I have provided the math eqations that can be used to calculate them. These equations can be programmed into computers and calculators. N = Cellular Channel # F = Cellular Freq B = 0 (mobile), or B = 1 (base) CELLULAR FREQS from CHANNEL #S: ------------------------------- F = 825.030 + B*45 + (N-1)*.03 WHERE: n = 1 to 799 F = 824.040 + b*45 + (N-1)*.03 where: N = 991 to 1023 CELLULAR CHANNEL #s from FREQS: ------------------------------- N = 1 + (F-825.030-B*45)/.03 Where: F > = 825.030 (mobile) or F > = 870.030 (base) N = 991 + (F-824.040-B*45)/.03 Where: F < = 825.000 (mobile) or F < = 870.000 (base) If the system uses OMNICELLS, as most do, you can readily find all the channels in a cell if you know just one of them, using tables constructed from these equations. Band A uses channels 1-333 under the old 666-channel system. To that have been added 667-716 and 991-1023 under the new 832-channel system. Band B uses channels from 334-666 under the old system, plus 717-799 under the new system. IV. CONTROL & VOICE CHANNEL ALLOCATIONS --------------------------------------- (D=DESIGNATOR, CC=CONTROL CHANNEL, VC=VOICE CHANNEL) NON-WIRLELINE SERVICES (BAND A) ------------------------------- D = 1A : CC = 313 : VC = 1,22,43,64,85,106,127,148,169,190,211,232,253,274, 295,667,688,709,1003 D = 2A : CC = 314 : VC = 2,23,44,65,86,107,128,149,170,191,212,233,254,275 296,668,689,710,1004 D = 3A : CC = 315 : VC = 3,24,45,66,87,108,129,150,171,192,213,234,255,276 297,669,690,711,1005 D = 4A : CC = 316 : VC = 4,25,46,67,88,109,130,151,172,193,214,235,256,277 298,670,691,712,1006 D = 5A : CC = 317 : VC = 5,26,47,68,89,110,131,152,173,194,215,236,257,278 299,671,692,713,1007 D = 6A : CC = 318 : VC = 6,27,48,69,90,111,132,153,174,195,216,237,258,279 300,672,693,714,1008 D = 7A : CC = 319 : VC = 7,28,49,70,91,112,133,154,175,196,217,238,259,280 301,673,694,715,1009 D = 1B : CC = 320 : VC = 8,29,50,71,92,113,134,155,176,197,218,239,260,281 302,674,695,716,1010 D = 2B : CC = 321 : VC = 9,30,51,72,93,114,135,156,177,198,219,240,261,282 303,675,696,1011 D = 3B : CC = 322 : VC = 10,31,52,73,94,115,136,157,178,199,220,241,262,283 304,676,697,991,1012 D = 4B : CC = 323 : VC = 11,32,53,74,95,116,137,158,179,200,221,242,263,284 305,677,698,992,1013 D = 5B : CC = 324 : VC = 12,33,54,75,96,117,138,159,180,201,222,243,264,285 306,678,699,993,1014 D = 6B : CC = 325 : VC = 13,34,55,76,97,118,139,160,181,202,223,244,265,286 307,679,700,994,1015 D = 7B : CC = 326 : VC = 14,35,56,77,98,119,140,161,182,203,224,245,266,287 308,680,701,995,1016 D = 1C : CC = 327 : VC = 15,36,57,78,99,120,141,162,183,204,225,246,267,288 309,681,702,996,1017 D = 2C : CC = 328 : VC = 16,37,58,79,100,121,142,163,184,205,226,247,268,289 310,682,703,997,1018 D = 3C : CC = 329 : VC = 17,38,59,80,101,122,143,164,185,206,227,248,269,290 311,683,704,998,1019 D = 4C : CC = 330 : VC = 18,39,60,81,102,123,144,165,186,207,228,249,270,291 312,684,705,999,1020 D = 5C : CC = 331 : VC = 19,40,61,82,103,124,145,166,187,208,229,250,271,292 685,706,1000,1021 D = 6C : CC = 332 : VC = 20,41,62,83,104,125,146,167,188,209,230,251,272,293 686,707,1001,1002 D = 7C : CC = 333 : VC = 21,42,63,84,105,126,147,168,189,210,231,252,273,294 687,708,1002,1023 WIRELINE SERVICES (BAND B) -------------------------- D = 1A : CC = 334 : VC = 355,376,397,418,439,460,481,502,523,544,565,586,607 628,649,720,741,762,783 D = 2A : CC = 335 : VC = 356,377,398,419,440,461,482,503,524,545,566,587,608 629,650,721,742,763,784 D = 3A : CC = 336 : VC = 357,378,399,420,441,462,483,504,525,546,567,588,609 630,651,722,743,764,785 D = 4A : CC = 337 : VC = 358,379,400,421,442,463,484,505,526,547,568,589,610 631,652,723,744,765,786 D = 5A : CC = 338 : VC = 359,380,401,422,443,464,485,506,527,548,569,590,611 632,653,724,745,766,787 D = 6A : CC = 339 : VC = 360,381,402,423,444,465,486,507,528,549,570,591,612 633,654,725,746,767,788 D = 7A : CC = 340 : VC = 361,382,403,424,445,466,487,508,529,550,571,592,613 634,655,726,747,768,789 D = 1B : CC = 341 : VC = 362,383,404,425,446,467,488,509,530,551,572,593,614 635,656,727,748,769,790 D = 2B : CC = 342 : VC = 363,384,405,426,447,468,489,510,531,552,573,594,615 636,657,728,749,770,791 D = 3B : CC = 343 : VC = 364,385,406,427,448,469,490,511,532,553,574,595,616 637,658,729,750,771,792 D = 4B : CC = 344 : VC = 365,386,407,428,449,470,491,512,533,554,575,596,617 638,659,730,751,772,793 D = 5B : CC = 345 : VC = 366,387,408,429,450,471,492,513,534,555,576,597,618 639,660,731,752,773,794 D = 6B : CC = 346 : VC = 367,388,409,430,451,472,493,514,535,556,577,598,619 640,661,732,753,774,795 D = 7B : CC = 347 : VC = 368,389,410,431,452,473,494,515,536,557,578,599,620 641,662,733,754,775,796 D = 1C : CC = 348 : VC = 369,390,411,432,453,474,495,515,537,558,579,600,621 642,663,734,755,776,797 D = 2C : CC = 349 : VC = 370,391,412,433,454,475,496,516,538,559,580,601,622 643,664,735,756,777,798 D = 3C : CC = 350 : VC = 371,392,413,434,455,476,497,517,539,560,581,602,623 644,665,736,757,778,799 D = 4C : CC = 351 : VC = 372,393,414,435,456,477,498,518,540,561,582,603,624 645,667,737,758,779 D = 5C : CC = 352 : VC = 373,394,415,436,457,478,499,519,541,562,583,604,625 646,668,738,759,780 D = 6C : CC = 353 : VC = 374,395,416,437,458,479,500,520,542,563,584,605,626 647,669,739,760,781 D = 7C : CC = 354 : VC = 375,396,417,438,459,480,501,522,543,564,585,606,627 648,719,740,761,782 To summarize how a cellular call is made: A mobile unit wishing to make a call will go off-hook and then transmit the digital source and destination codes on a control channel (used to set-up and monitor the call), and are just strong enough to reach the base station in the local cell. Upon getting this data, the base, thru its control freq (same channel), validates the mobile unit. The base station then fowards a message to the central switching office on a land line, which in turn sends the paging signal to all cells in search of the second mobile unit whos number has been dialed. When the destination unit is finally found, it responds to the paging signal by transmitting an acknowledgement code to its local base station on a control channel. The switching center then assigns a pair of unused freqs (called the, "channel Pair") to each of the unit for actual voice commo to take place. These channel pairs are not neccesarily the same for the respective cells that each mobile unit is in. These freqs are also relayed thru the base stations and to the central switching office. When a unit moves into another cell, things get very interesting. Upon entry into another cell, the mobile unit must transmit thru a new base station. An automatic handoff to the new base station is carried out by another exchange of data thru the control channel. Termination of the call is a simple matter. When the call ends,ON-hook signals are exchanged via the control channels between the mobile unit and the base station. The voice channels are then cleared. IV. THE CELL & IT'S STRUCTURE The cellular phone system uses a "honeycombed" hexagonal cell architure. Each of the cell types (A-G) differ from each other only in the freqs. allocated for them. This represents how a cellular system might be laid out. Cells A and B never share a common border. Neither do B and C, A and G, etc. Cells that are next to each other are never assigned adjacent freqs. They always differbu\y at least 60 KHZ. To track a mobile phone as it changes cells, lets put the mobile in a B cell. When the mobile switches freqs. you know that it could only go to a D, E, F, or G cell because A and C have adjacent freqs. The two tables below will help you determine which Channel cell can go next to each other. You can contact your local cellular phone company and see if they have any maps of the cell available in your area (please get a copy for us also). They're not obligated to give you maps but it's worth the try. ADJACENT CELLS -------------- Cell Adjacent cells A C,D,E,F B D,E,F,G C E,F,G,A D F,G,A,B E G,A,B,C F A,B,C,D G B,C,D,E The only fundamental point of cellular technology actually agreed upon to date is that a given service area will be divided into identical adjacent cells with no overlaps and no gaps. The hexagon is the standard cell patteren. At the center of an individual cell is a base station which is conected via land line to a local mobile phone switching office. Certain freq bands are assigned to certain cells, but not shared with adjacent cells to avoid mutual interference. In 1979, AT&T began test marketing its version of a cellular phone system in Chicago. This system is call the Advanced Mobile Phone System (AMPS) Some 2100 sq miles of the metro Chicago area are divided into 10 cells to serve about 2000 customers. Full duplex is possible by using a pair of one way channels separated by 45 MHZ to connect the mobile units with the base stations. The RF range is 825-890 MHZ and normal narrow band FM is used to transmit voice. Hand-off to adjacent cells is accomplished by monitoring signal strengths. When the central switching office determines that a new base station receives the mobile signal better than the previous one, the switching office signals thru the voice channel for the mobile phone to switch to a new channel. Commo distruption thru the switching process is typically 50 milliseconds. As with IMTS, there is the possibility of phreaking calls with IMTS or AMPS simply by monitoring the control channels since they are in dial pulse form. After you have a nice set of numbers, you will neeed a transmitter of sufficient strenght to reach the base station (unlicenced transmitter of course!). Duhh Many regulatory and implementation issues remain unsolved. Modulation issues are the biggest problem to be solved. Single sideband AM, narrow band FM, digital and spread-spectrum techniques are all being considered. If you have any info that may be able to break this down for fellow hackers/phreaks please leave me mail. V. EQUIPMENT DESCRIPTION Most mobile phones have two primary pieces of equipment. These are the transceiver (transmitter-receiver pair) and the control head. The transceiver is usually a metal box with three connectors. They usually contain two circuit boards. One is the transceiver unit itself, and the other is a logic board consisting of a uP, ADC and DAC, and control logic. The transceiver is usually mounted in the trunk or sometimes under the hood, and is connected to both the ignition switch and car battery. A control/audio (shielded) links the equipment together. The control head is a touch-tone phone handset with the extended keypad, alphanumeric display and controls (i.e. mike, volume). Usually there is a separate speaker installed in the cradle for on-hook dialing, call progress monitoring and speakerphone operation. If the CMT has a speaker phone option a small mike is usually mounted to the sun visor. Some cellular phones are voice-activated. If battery-operated, this saves the battery and also makes answering the phone easier. The control head and cradle assembly is usually bolted to the hump between the two front seats for security purposes. Most early CMT's use the AMPS bus (developed by AT&T) which uses a system of 36 wires in a rather bulky and stiff control/audio cable. Some makers now use their own bus, such as Novatel's serial bus, which specifies a thin cable consisting of a few wires, and is much easier to install and dependable to use. In almost all cases, a CMT is powered by regulated 12 volts from standard 13.8 volt car battery. At least 5 amps (continuous) is required. Mobile cellular antennas are usually short (less than one foot long), vertically-mounted stiff wire with a few turns in the middle that acts as a phasing coil in a 5/8-wave configuration. The antenna is generally mounted either thru a hole in the roof or at the top of the rear winshield using silicone rubber cement with conductive plates on both sides to pass the RF thru the glass (some RF losses result from this method but you don't have to maim your vehcle). A 50 ohm coax cable (ex: RG-58/U) links the antenna to the transceiver with a male TNC type UHF connector. A ceramic duplexer permits the transmitter and receiver to share the same antennas at the same time. CMT roof-mounted monopole antennas are designed to work with the ground plane (ie: the vehicle's body, if metal). However, for fixed (ie: home-base) use, an "extended-feed" or voltage-fed coaxial antenna (requires no ground plane) can be used. A capped PVC pipe makes an ideal rooftop housing for this type of antenna-both weatherprofing and concealing it. Note that altho cellular systems are designed for inefficient antennas, for fixed use it is preferred that you use the best antenna you can get. Interfacing audio devices (ex Blue Boxes, other tone generators) to a CMT can be done by coupling the device's output thru an audio coupling transformer wired across the control head's mike lines. A 600-ohm audio coupling antenna is availble from Radio Shack (273-1374). Be sure to DC isolate the phon circuity by wiring the transformer in series with a non-polarized capacitor of at least 1.0 uF and 50 volts. If you can locate the bus that carries the audio, then coupling across it is preferred. An acoustic modem can be coupled to a CMT eithrer thru the mouthpiece or by connecting the mike and speaker wires to those in the control head or bus lines. Any direct-connect devices (ex: answering machines, modems, standard phones, etc) can be connected to a CMT thru the AB1X cellular interface made by : Morrison & Dempsey (818 993-0195). This expensive device is basically a 1-line PBX that connects between the transceiver and control head and provides an RJ-11C (quick-connect) jack that accepts any direct- connect phone accessory. It recognizes both touch-tone and pulse dialing, provides the ringing voltage and generates dial and busy tones as needed. VI. GENERAL PHREAKING INFO ---------------------- Some Definitions: * Control Channel: The channel the phone and cell base first communicate on. * Reverse Control Channel: The opposite freq, 45MHZ lower then the control channel. This is where the mobile unit is. * Voice Channel: The channel you are assigned by the switch to start the call after the exchange of suscriber data. * Revese Voice Channel: Again 45 MHZ lower. * Switch: The computer that places the calls, and takes and receiver data from the subcriber or from the PSTN. (Pubic Swithced Telephone Network). That should get things started. A suscriber picks up his handset to place a call. QUESTIONS AND ANSWERS --------------------- The following questions & answers were taken from THE SOURCE BBS a.k.a. THE NEW YORK HACK EXCHANGE BCOM> I want to get into cellular phone phreaking but I dont know anything so I'm depending on you guys to help me out from the VERY basics! What is cellular; a cellular phone? RAVEN> A 800 MHZ radiotelephone, running 3 watts, with the ability to change channel on computer command from the central swith. This happens when you travel thru the service area and your signal becomes stronger at a neighboring cell base station. BCOM> They are marketed as a high security device with no possibility of anyone making a phoney call & charging it to someone else, how can it be phreaked? RAVEN> An understanding of the phone revels that every time a call is made, the phone number, an electronic serial number, and oother data is sent to the switch. If you were to listen to the opposite side of the control channel as the cell is being "set up" you would hear this data being transmitted to the switdch in NRZ (Non-Return to Zero) code. All one has to do, is record this info and program the bogus phone to these params, and then a free call is possible thru the switch. BCOM> Has anyone done this yet? RAVEN> HELL YEA! about 6 months after the first cellular phone system was "turned-up", a technician programmed a Panasonic telephone with a NEC ESN (Electronic Serial Number). And there have been many other cases since then. With the popular ROM programmers avaible today, almost any NAM (NUmeric Assignment Module) can be duplicated or copied with changes. (The NAM is the heart of the billing info and contains the phone number but not the ESN) The most popular integrated circut for NAMs is the 74LS123. BCOM> Sounds like a lot of trouble, is there easier ways to get service? RAVEN> SURE, the cellphone companies have been their own downfall, In an effort to market their wares as a universal service. Nobody can tell if a phone from another city (that has a roaming agreement) is valid until its too late. The only thing they could do after finding out is block any call with bad ESN because as we know, the phone number is easy to change, but the ESN is not. So here's a likely scenario====> A roamer identifying itself as a number from a Chicago non-wireline accesses a cellular system in Dallas. An operator may intervene but you can usually BS or "Social Engineer" them as long as you know the data you have programmed into your phone. Then you make calls just like your a local user. If your found out, you change the number to another, and see if that works. The phone is locked onto the strongest control channel in the area by a computerized scanner in the phone. As the user drives thru the service, a computer constantly picks out the strongest control channel and stays on it, altho more than one cell site can actually be herd. The subcriber enters the number to call on the keypad, and presses the "send" button. At this time the following data is transmitted to the cell site by the mobile. The callers ESN, his home system number (two digits), his mobile's area code and phone number, and the called number. The cellular switch now picks up an outgoing line, places the call for him and tells the mobile unit to switch to a voice channel. The two ends are linked in the central switch and the two parties are connected up in about 3 seconds. I have purposely over-simplified the whole process to point out the moment of truth. The mobile's ESN and phone number and data in the switch must match or no go. This is required for billing purposes. If one had the ESN and the mobile phone number, he could then calll anytime anyplace without fear of a trace - let alone a bill. The ideal setup would let you listen to the reverse control channel, record and display herd working numbers and ESN's, and recall them as one needs them to make calls. This would be it but we are not quite there yet. But some hard work has already been done for us. All the aforementioned codes are sent in hex, in NRZ code (phancy term for phase shift keying), but the phone already has, for example, a NRZ receiver and transmitter built right into it. All that has to be done is to have a receiver on the reverse control channel, recover the other users data and save it or at least print it out. The mobile radio data book show some good technical info on the systems used and chip part numbers for the NRZ stuff. For example, at least one cellular phone maker uses the 8085 chip for the control head functions - a popular and well understood chip by many. Most cellular phones include a crude password system to keep unauthorized users from using the phone - however, dealers often set the password (usually a 3 to 5 digit code) to the last four digits of the mobile phone or there home phone. If you can find it somewhere on the phone then your in luck!! If you can't find it then I guess you gotta hack it. It souldn't be that hard since most people aren't smart enogh to use something besides "11111", "12345", or whatever, it will be like Hacking a VMB. If you want to modify the chip set in the cellular phoneyou got, there are two chips (of course this depends on the model and maker - your may be different) that will need to be changed - one installed by the maker usually eepoxied in with the phone's ID number, and one installed by the dealer with the phone number, and possible the security code. To do this youll obviously need an EPROM (Erasable Programmable Read-Only Memory) burner, as well as the same type of chips used in the phone (or a friendly & unscruplus dealer!). As to recording the numbers of other mobile phone customers and using them; as far as I know it is quite possible, if you got the equipment to record and decode it. The cellular system would possibly freak out if two phones (with valid ID/phone number combinations) were both present in the network at once, but it remains to be seen what will happen. The MIN is the Mobile Identification Number (includes the phone number, and it is stored on the NAM ROM). Stolen and spoofed ESN's and MINs are good for about a month. Once a bad MIN is revealed, the legit user's MIN is changed by the Mobile Telephone Switching Office (MTSO) and they arrange for a new NAM ROM to be installed in the users legit unit. Of course MTSO keeps a database of all legit,illegit and deadbeat MIN/ESN pairs. However, the MTSO will allow a illegit MIN/ESN pair to continue to function beyond its discovery in hopes of discovering who the phreaks are. One of the properties of cellular phone system is that the transmitter freqs may be changed or "hopped" in the constant effort to allocate freqs. Because of freq. hopping it is very difficult triangulate a CMT using standard RF directional finding methods. It is known that a directional antenna randomly aimed at cellsite repeaters will confuse directional finding equipment being used by them that is synced to their freq. hopping scheme. ROAMING Since cellular technology often results in physical seperation between the caller and-or callled party from landlines, because it offers thousands of lines to choose from, because freq. hopping occurs, and because the caller and-or called party can be rapidly moving from one location to another, cellular phnes are the safest form of phreaking. "Roaming" is one form of cellular phreaking. Roaming occurs when a CMT is used in a cellular system other than the one indicated in the NAMs SID. This is called "ROAMmode", and the ROAM indicator on the control head will light. A CMT can roam into any system its home CPC has a roaming agreement with, and most CPC's now have roam agreements with each other. Not every system pays attention to a "Roamer" from outside the system as cosely as they do a local suscriber. In their mad rush to offer cellular as "universal" service, they screwed up. If there's no roam agreement, the MTSO will transmit a recorded message to the CMT with some instructions to call the CPC, and gives his name ,MIN,ESN and credit card number. All roamed calls will then be completed by the MTSO and billed to the credit card account. This procedure is becomming less common as more roam agreements are made. Usually, CPC can only determine if a roamer came from a system with which it has a roaming agreement - nit the creditworthiness of the roamer. Consequently, many CPCs have been ripped-off by roamers who've been denied service on their home system because they are deadbeats. Once the home CPC is billed for the roaming services provided by the remote CPC to the phreaker or deadbeat, it will notify the same to add that ESN/MIN pair to their MTSO's "negative verify" file to prevent future abuses. Several independent firms are establishing systems software and data networks to allow POSITIVE ROAMER VERIFICATION (PRV), which allow near real time roamer validation bt sharing data between CPCs. Until PRV becomes universal, even bogus ESNs and MINs can roam if they follow the standard format, alto some CPCs are sharing roam data on a limited basis to prevent this. Even with PRV, ESN/MIN pairs that are spoofed to match valid accounts will be accepted both by thier home CPC and roamed CPCs, until the legit customer complains about the calls he didn't make. And even without PRV, some CPCs automatically share ESN and MIN data. This frequently occurs between the CPCs in major cities and those in their bedroom communities. To call a roaming CMT, the caller must know which system that unit is in, which can be a real trick since he may be on the road at the time. He then calls the CPC's roaming number. Roaming numbers vary but usually are in the phone number format (with area code, with the last four digits being "ROAM", and with the 3 middle digits being the remote CPC's exchange). When that number is called, a dial or ready tone is returned, after which the roaming CMT's full MIN is entered in Touch-Tone. After several seconds, the CMT will ring or the caller will hear a recording stating that the roaming CMT is out of range or busy. Telocator Publications (202) 467-4770 publishes a nationwide roaming directory for travellers with celluar phones. For example: I access the Cleveland Ohio Cellular 1's Ericcson switch and I tell them by my NAM INfo that I'm a roamer from NYNEX in New York City. Cleveland will let me make the call, bacause it bills back to NYC for the number of minutes I use. If the NYC number is bogus , the call goes thru anyway, and the bill doesn't go anywhere. They do know the exchange data for NYC (that's on a chart) so you can't tell them a wrong system number (two digits) but one that a valid roamer would have from his area. This is not too hard to figure out, call some of their stupid sales idiots some time and see what they let out of the bag. The system number for the foreign exchange, NYNEX in Buffalo is 56, Chicago nonwireline is 01, and Buffalo nonwireline is 03. All wirelines are even numbers and all nonwirelines are odd. The first three digits of the mobile number: NYNEX Buffalo 863-XXXX. Buffalo Non-wirelines are 861-XXXX and 690-XXXX. You dont have to be a rocket scientist to figure out the local numbers for your area, again by conning the sales people. Until the CPC's get a cellular clearinghouse to validate roamers in real time, this method will work out fine. It will be awhile before it becomes routine to look up a roamer. There's simply to many to look up every time service is wanted. And this problem is increasing because of the expanding use of cellular phones. If a cellular phone and its antenna happen to fall into your hands, you could re-nam it as a roamer and when you get it setup, make copies of the info with different suscriber numbers (the last 4 digits) and make free calls as long as you can. THe Novatel series phone a re probaly the best radios to use to shut down a cell site completely as it has secret codes in the control head that allow you to bypass conventional switching protocols. NOTE I hope that this file has lived up the all the boasting I've put into it. But if there are any problems with the freqs. or anything you can leave me mail on the bbs's I've listed. At this time Demon Roach and Nihilism dont carry my files but you can still leave me mail on those boards! THE RAVEN +=======+ =-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Thats it for part 1 but look out for part 2!! Part 2 will cover: What's in a NAM, NAM reprogramming and how to reprogram the following phones: DIAMONDTEL MESA90X & MESA99X HANDHELD, GATEWAY CP 900 HANDHELD, GENERAL ELECTRIC MINI II & MINI , MITSUBISHI 800 & 900 , MOTOROLA 8000H & ULTRA CLASSIC HANDHELD, NEC P300 & NEC P9100 , NOVATEL PTR800 & 825 , OKI HANDHELD MODEL #750, OKI HANDHELD MODEL #900 , PANASONIC EB3500 , COLT TRANSPORTABLE , DIAMONDTEL MESA 55 & MESA 95 TRANSPORTABLE , FUJITSU MOBILE PHONE , GENERAL ELECTRIC CARFONE XR3000 , GOLDSTAR SERIES 5000 MOBILE , MITSUBUSHI 555,560,600 , NEC M3700 SERIES MOBILE , NOKIA LX-11 & M-10 , NOVATEL 8305 TRANSPORTABLE CA08 SOFTWARE VERSION , OKI CDL400 , PANASONIC EB362 , PANASONIC EB500 OR TP-500 , RADIO SHACK 17-1002 & -1003 , AND GE CARFONE MODELS CF-1000, CF-2000 & CF-2500 So look for it at a BBS near you!! THE RAVEN +=======+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ And as for all of you guys that wanted to know how I got money for most of the thing I have well all I can say is look for me next file: Check Fraud (ckfraud.txt) to put it simple $32,000 in one day! And as you know...No BullShit!! ----------------------------------------------------------------------------- Call the following BBS's to get my files 1st run!: THE SOURCE (212) PRI-VATE RIPCO (312) 528-5020 Bliterkrieg (502) 499-8933 The Hawks Nest (201) 347-6969 You can leave me mail on those boards and on the following: The Demon Roach Underground (806) 794-4362 Nihilism (517-546-0585 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ HIGH TECH HOODS 1992 (c)opyright A-CORP. LATER.......THE RAVEN! THE HIGH TECH HOODS & A-CORP PRESENTS... *%*%*%*%*%*%*%*%*%*%*%*%*%*%* *% THE ULTIMATE %* *% CELLULAR PHONE PHREAKS %* *% MANUAL PART 2 %* *% %* *% WRITTEN BY THE RAVEN %* *% AND INTROSPECT %* *%*%*%*%*%*%*%*%*%*%*%*%*%*%* THE RAVEN +=======+ THANKS TO THE FOLLOWING: PEBBLES, BIT STREAM & THOMAS ICOM /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\//\/\/\/\/\/\/\/\/\/\/\/\ INDEX: I. WHAT'S IN A NAM II. NAM/ESN REPROGRAMMING III. ADVANCED REPROGRAMMING IV. OBTAINING SYS. REGISTRATION DATA V. REPROGRAMMING YOUR PHONE VI. ------------------------ \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ I. What's In A NAM First thing were going to start with is the NAM. The NAM is a PROM, A blank NAM costs about $5. Sometimes its more expensive depending on the operating temperature and packaging specifications. Two flavors of NAM's are most commonly used for cellular phones. NEC Corp. uses the open collector (SIGNETICS p/n 82S23 or equivalent). All others use the tri-state (SIGNETICS 82S123 or equivalent). Blank NAMs are manufactured by Signetics, National Semiconductor, Monolithic Memorys, Fujitsu, Texas Instrum ents, and Advanced Microdevices. Blank NAMs can be purchased at your local electronic distributor's, thru the various parts sources advertised in electronic magazines, and some radios come with a blank included. The NAM contains the subscriber number and lock code, the home system ID and other system-required data. You may wonder how this info is arranged. The NAM is organized into 32 rows and 8 colums. It is 32 words of 8 bits each. (256 bits total). Starting from top of the NAM (address 00), you will find the abreviation SIDH. This means "System Identifaction Number Home", a number starting at 0001 assigned by the FCC. Each market allows two systems. These two digits are even for the wire-line and odd for the non-wireline. At address 03, we find LU (Local Use) on the left and MIN on the right, and they are usually set to 1. Locations with zeros are reserved. Going down the map, there's MIN1 and MIN2-the subscriber number and the area code respectively Dont try to read them from a raw printout of the NAM data, as they are scrambled beyond recognition. The reason? THe way they are arranged is the way they must be transmitted to the cellular systems receivers. The programmer does this to make the radio's job easier. Next is the station class mark, which identifies the class and power capability of the phone. The system will treat a handheld (low power) differently than a standard 3-watt mobile. IPCH is the Inital Paging Channel. The radio listens for a page on this channel. Wirelines use 334 and non-wirelines use 333. ACCOLC (ACCess Overload Class) is designed for throwing off customers in the event of an overload. Thru neglect, this standard has been largly unused. (A Class 15 stationis supposed to be police, fire or military). Usually, It's a set to 0 plus the last digit of the phone number to provide random loading. PS (Preferred System). This is always 1 in a non-wireline and 0 in wireline. The Lock Code is about the only thing you can read directly by studying NAM data. The "spare" bit must be a 0 if the radio contains a 3-digit code. Because the number of clicks when you dial 0 on a (dial) phone equals 10, zeros in the lock code are represented by an "A"(the hexadecimal equiv of 10). EE, REP, HA and HF correspond to end-to-end signaling (DTMF tones, possibly as you talk), and REPeratory dialing (provision for 10 or more numbers in memory). Horn Alert and Hands Free. Like all options, they are 1 if turned on and 0 if turned off (all these numbers are in hex). They are supposed to be used by radio makers to store option switches. Usually 13 is used, 14 sometimes and the rest less often. Last, you will find Cheksum Adjustment and Checksum. These numbers are calculated automatically after the data has been edited for the NAM. The sum of all words in the NAM plus these last two must equal a number with 0's in the last two digits. The radio checks this sum and if it isn't correct the radio assumes the NAM is bad or tampered with. In the case radio refuses to operate until a legal NAM is installed. THE ANATOMY OF A NAM -------------------- MARK Defin. most <-- BIT Significance --> least Hex ------------------------------------------------------ 0 SIDH (14-8) 00 SIDH (7-0) 01 LU=Local use LU 000000 MIN 02 00 MIN2 (33-28) 03 MIN2 (27-24) 0000 04 0000 MIN1 (23-20) 05 MIN1 (19-12) 06 MIN1 (11-4) 07 MIN1 (3-0) 0000 08 0000 SCM (3-0) 09 00000 IPCH (10-8) 0A IPCH (7-0) 0B 0000 ACCOLC (3-0) 0C PS=Perf Syst 0000000 PS 0D 0000 GIM (3-0) 0E LOCK DIGIT 1 LOCK DIGIT 2 0F LOCK DIGIT 3 LOCK SPARE BITS 10 EE=End/End EE 000000 REP 11 REP=Reprity HA 000000 HF 12 HF=Handsfree Spare Locations (13-1D) 13 HA=Horn Alt contain all 0's 1D NAM CHECKSUM ADJUST. 1E NAM CHECKSUM 1F II. NAM/ESN REPROGRAMMING The first step to using cellular phones is to obtain one. They can be purchased new or used. Ham fests are one good source. Many people dump their cellular phones once they see just how expensive they are to operate. And of course the perception of being jerked promotes phreaking. First generation E.F. Johnson units are good choice as they are easy to modify, use uniquely effective diveristy (dual antenna) receivers, and use the AMPS control bus, which means that several maker's control heads will work with it. Another good choice is Novatel's Aurora/150. It uses a proprietary parallel bus and control head, but costs less, is rugged, and is also easy to work on. Also, all Novatel CMTs have built-in diagnostics. This allows you to manually scan all 666 repeater output freqs-great for scanning! All cellular phones have a unique ESN. This is a 4-byte hex or 11 digit octal number stored in the ROM soldered on the logic board. Ideally, it's supposed to be never changed. Some newer cellulars embed the ESN in a VLSI IC (Very Large Scale Integration Integrated Circuit) along with the units program code. This makes ESN mods very difficult at best. The ESN is also imprinted on the reciever boiler plate, usually mounted on the outside of the housing. When converted to octal (11 digits), the first 3 digits represents the maker while the other 8 identify the unit. The other important ROM is the NAM. It contains the MIN (i.e. phone #, including area code), the lock code, and various model ID and carrier ID codes. The lock code keeps unauthorized parties from using the phone. Some newer cellulars have no built in NAM and instead use an EEPROM, which allows a technician who knows the maintenance code to quickly change the NAM data thru the control head keypad. WHen one attempts to make a cellular call, the transceiver first automatically transmits the ESN and NAM data to the nearest cellsite reapeter by means of the Overhead Data Stream (ODS). The ODS is a 10 kilobaud data channel that links the cellular's computer to the MTSO, which then controls the phone's entire operation down to the selected channel and output power. If the MTSO doesn't recognize the received ESN/MIN pair as valid (sometimes due to RF noise), it issues a repeat order and will not process the call unit until a valid pair is received. In most cities, there are two CPCs or "carries". One is the wireline CPC and the other is the non-wireline CPC. Both maintain their own MTSO and network (i.e: cell-site repeaters), and occupy separate halves of the cellular radio band. Non-wirelines use System A, and wirelines use System B. (the amenities that are avaible with most landline phone service - call waiting, caller ID, call-forwarding, 3-way calling,etc., are standard fair for most CPCs. However, they are usually applied for differently.) For the cellular phreaker, the most diffuclt task is obtaining usable ESN/MIN pairs. Over the years,standard phreaker techniques have been employed for all types of phreaking to obtain the required info. These includes trashing, using inside help,joining the staff,hacking them from known good ESNs and MINs (i.e: spoofing), con strategis, strong-arming, Bribing, blackmail, etc. (This is how The High Tech Hoods get them!). The hacker knows that most CPCs do not turn off or keep track of unused MIN numbers. In fact, their general pattern is to start at the low numbers and work their way up. WHen a number is cancelled, it is reassigned instead of using a larger number. The first places to look is the authorized cellular installers and service centers in your area (see your Yellow Pages). They have on file a record of every cellular phone installed or serviced by them, including the ESN/MIN pairs. Another place to focus on is the cellular CPC's customer service or billing department. These offices contain the ESN/MIN pairs often for thousands of cellular phones, and hire low-paid people. Some cellular CPCs, installers and service centers will provide NAM system parameters upon request, and some will sell you NAM and ESN memory maps and schematics of a specific cellular phone model. And some will sell you service manuals (i.e: Motorola) that will describe the often easy method to program their cellular phones. The good phreak/hacker could interface the cellular phone's ADC circuit to his PC and hack out all of the valid ESN/MIN pairs he could possibly need. Since the ESN/MIN pair are transmitted from cellular phones (usually in an unencrypted form), these pairs can be obtained simply by scanning the cellular phone channels. Even if they are encrypted, the phreaker only will need to reproduce the encrypted pair. In some areas, you can buy the ROMs right off the street - often by the same dealers who sell drugs and stolen property, etc. All it takes is a few discreet inquires. However, many get caught doing this because of police stings. Once a valid ESN/MIN is obtained, it must be programed into the cellular phone's ROM. Some cellular makers use different devices and memory maps, but the standard is the AMPS 16-pin 32x8 bit format and some ROMs have proprietary markings. If the part number are different than those given and you can't find them in your data book, look for the IC maker's logo and call or write them for data sheets. If the IC's have proprietary markings, by looking at the external parts that are directly wired to them, one can often determine not only whether the IC is open-collector or tri-state, but also what the pin assingn- ments are, and sometimes the type of replacement IC to use. The ESN ROM is then carefully desoldered from the logic board (first ground the soldering tip thru a 1 Meg-ohm resistor). Once, removed the IC can then be placed on a ROM reader/programmer or NAM programmer (bit editing mode). Any ROM reader/programmer that will burn a compatible ROM is usable, but a dedicated NAM programmer has built-in software that takes out much of the aggravation. Using a non-NAM ROM reader/programmer, one searches for the memory locations that has the same number as ESN printed on the boiler plate. This number will be immediatly followed by an 8-bit checksum determined by the 8 least significant bits of the hex sum of the ESNs four bytes. The old ESN data (now copied into the NAM programmer's RAM) is replaced by the new ESN and the updated checksum. A new blank and compatible ROM is inserted into the ROM burner and burned with the new ESN data. Most cellular phreakers at this point install a Zero Insertion Force (ZIF) DIP socket into the logic board for this and any future ROM changes. The NAM IC is usually already installed in a ZIF socket on the logic board. Similarly, its MIN is read by the ROM reader/programmer and a new ROM is burned with the new MIN and updated MIN checksum. Altho one may wish to also update the CPC's system parameters, they can left the same if the same CPC is desired. To change the CPC'c designation, the last four MIN digits, the checksum and the exchange (if they use more than one exchange) are changed. The more astute cellular phreaker of course can design and build his own NAM programmer/reader, ideally one interfaced to a PC. A more primitive approach is to interface two banks of hex thumbwheel switches to the sockets, altho a computer program would be very helpful to determine the proper switch settings. Thumbwheel switches allow you to make changes on the fly and they can be plugged in as needed, so if one is caught red-handed, it is difficult to prove intent and origin of phone call. III. ADVANCED REPROGRAMMING Your cellular phone contains a special memory which retains data about the phone's individual characteristics, such as its assigned phone number, system identification number, (ID#) and other data that is necessary for cellular operation. This special memory is known as the NAM. You can program the phone yourself, if the phone has not already been programmed where you got it. You can also reprogram the phone yourself should you wish to change some of the features already selected for the NAM. The reprogramming of the NAM is performed after you have contacted your cellular system operator for the nessary data as described below. Enter the data received from your cellular system operator in the NAM Reprogramming Data Table before reprogramming the NAM of your cellular phone. Incorrect NAM entries can cause your cellular phone to operate improperaly or not at all. Your cellular phone can be reprogrammed up to three times. After that, it must be reset at a Motorola-authorized service facility. Be sure you read this complete text before attempting to reprogram your phone! 1. RE-PROGRAMMING FEATURES You must get seven pieces of data from the cellular system operator to allow you to reprogram the cellular phone. You provide the remaining data. Write all of this programming data on the NAM Reprogramming Data Table provided in this text before implementing this procedure. Incorrect NAM entries can cause your cellular phone to operate improperly or not at all. The required data is: * System Identification (SID) Code (S-digits): Indicates youe home system Enter 0's into the left-most unsued positions. Provided by the system operator. * Cellular Phone Number (10 digits): Used in the same manner as a standard land-line phone. The mobile phone number and the Electric Serial Number are checked against each other by the cellular system each time a call is placed or recieved. Provided to you by the system operator. * Station Class Code (2 digits): This number is 06 or 14 for most personal or portable phones. Even though your phone has extended bandwith capability (832 channel capacity), the cellular system operator may require your station class code to remain 06. The code should be 14 if 832 channel operation is allowed. * Access Overload Class (2 digits): Provided to you by the system operator. * Group ID Mark (2 digits): Provided to you by the system operator. * Security Code (6 digits): The six-digit security code allows the user to restrict his calls in certain ways and permits other advanced security measures. Refer to your phones operator manual for further details. Select any 6-digit code that you will remember, but one that will not be easily guessed. * Unlock Code (3-digits): The 3-digit unlock code unlocks the phone after it has been locked. LOcking the phone allows you to prevent unauthorized usage. With many models, this number can be resued as often as desired. Check the users manual. Select any convenient 3-digit number. * Initial Paging Channel (4 digits): Use a leading 0 if required. (example: Channel 334 is entered as 0334.) Provided to you by the system operator. * Option Bits (6 digits): This reprogramming step allows you to program six seperate features in one step. Each feature is either selected or cancelled by assigning a value of 1 or 0. The six individual single- digit features combine to form a six-digit code which is entered as one step. If any of the features is to be changed , the entire six-bit word must be re-entered. DIGIT #1: Internal Speaker: This feature is normally selected by entering 0. However, if you purchased the convertible Accessory and it contains a seperate external/VSP unit, cancel the internal speaker feature by reprogramming 1. DIGIT #2: Local Use: This feature is normally selected by entering 1. Your system operator can tell you if you need to cancel this feature by reprogramming 0. DIGIT #3: MIN Mark: This feature is normally not used and is assigned a value of 0. To select use 1. DIGIT #4: Auto Recall: This feature is always 1. DIGIT #5: 2nd Phone Number: This feature is usually not used and assigned a value of 0. DIGIT #6: Diversity: This feature is always set at 0 for the portable/ personal phone used alone. If you have a convertible accessory, and it has two external antennas, select this feature by reprogramming 1. * Option Bits (3 digits): This step allows you to reprogram an additional three separate features in one step. Each feature is either selected or cancelled with the digit 1 or 0. The three individual single-digit features combine to form a three-digit code which is entered as one step. If any of the features is to be changed the entire three-bit word must be reentered. DIGIT #1: Long Tone DTMF: Certian electronic devices such as answering machines, are are not able to decode the normal DTMF tones because the phone standard duration is too short. The Long Tone DTMF allows access to answer machines and other similar devices by transmitting the DTMF tone for as long as the key is depressed. This feature is normally not used and is assigned a value of 0. However you can select long tone DTMF by reprogramminng 1. NOTE: Personal or portable models with a MENU key can more flexibly select and cancel this feature thru the menu. To allow Menu control of the function it must be cancelled in the NAM by setting this bit to 0. If Long Tone DTMF is selected in the NAM with a 1 in this bit, it cannot be reversed thru the menu. DIGIT #2: Future use: This feature is always set at 0. DIGIT #3: Eight-Hour Timeout (Convertible only): Personal or portable phones with the convertible accessory can normally be left active in the vehicle for eight hours with the ignation cut off. If the time out feature is selected the phone will turn itself off after eight hours to preserve the vehicle's battery. This feature is normally selected by entering 0. However, you can cancel this eight-hour time limit by entering 1. IV. OBTAINING SYS. REGISTRATION DATA A cellular phone owner purchases services from a cellular system operator, just as he would purchase land-line service (for standard phones) from the local phone company. In cities with cellular coverage, the customer may have the option of picking one or two possible cellular system operators. Before you can obtain a phone number you will have to supply your cellular system operator with your electronic serial number. All cellular phones contain a special Electronic Serial Number (ESN). The ESN uniquely identifies your phone and provides a measure of protection against theft and fraud. The ESN is an eight-charcter (numeric/hexadecimal) number printed on the box your phone came in. Once you supply your electronic serial number to the system operator he or she will issue your phone number and supply the other data required to reprogram the NAM. You should immediately enter this data on the NAM Programming Data Table found in this text. V. REPROGRAMMING YOUR PHONE ************************ Determinig the initial Reprogramming Sequence: The initial reprogramming steps include a sequence of keypresses which vary depending on the type of cellular phone you have. The phone NAM can be reprogrammed from the personal or portable keypad. Determine from the Six-Keystroke table below which of the six keystroke sequence numbers to use on your phone, based on the type of keys present on the keypad. SIX-KEYSTROKE TABLE Determining the sequence Number with Personal/Portable Keypad PERSONAL/PORTABLE KEYPAD KEYS SEQUENCE ====================================== MENU AND FCN keys 6 FCN key but no MENU key 1 No FCN key 2 If you have the convertible accessory, the phone NAM must reprogrammed from the convertible handset. (MAke sure that the personal phone is disconnected from the convertible accessory before reprogramming the convertible.) The handset type can be read from the label on the back of the handset. The keystroke sequence number is determinded from the KEYSTROKE SEQUENCE TABLE. If you have the convertible accessory, and wish to use it seperately as a atandalone mobile, you may obtain an additional phone number and reprogram this into the convertible accessory at this time. KEYSTROKE SEQUENCE TABLE ######################## Determining the sequence Number with Convertible Handset MODEL HANDSET TYPE SEQ. ----- ------------ ---- 3000 SCN2007A 6 6000 SCN2023A 2 6000X SLN2020A 1 6000XL TLN2659A 1 6800XL TLN2733A 6 Choose one of the six initial reprogramming sequences from the Initial Sequence Table depending on the sequence number which you determined from previous tables in this file. Initial Reprogram Sequence Table ++++++++++++++++++++++++++++++++ Seq. # Sequence 1 FCN, Security Code entered twice, RCL 2 STO, #, Security Code entered twice, RCL 3 Ctl, 0 + Security Code entered twice, RCL 4 Ctl, 0 + Security Code entered twice, * 5 FCN, 0 + Security Code entered twice, MEM 6 FCN, 0 + Security Code entered twice, RCL Security code is factory-programmed 000000. Initial Steps: Before you proceed with the reprogramming procedure, be sure you have filled out the NAM Reprogramming Data Table herin: Step a: Turn on your cellular phone by pressing the Pwr or On/Off button. The power indicator in the display will flash. Step b: Enter the proper keystroke sequence determined from the Initial Sequence Table. Step c: The message, "01", will appear in the display to confirm the activaction of the NAM reprogramming feature. It also indicates that you are at the first step in the NAM reprogramming sequence. If this message does not appear, it may be due to one of these reasons: (1) The initial sequence may not have been entered quickly enough. The apperence of zeros in the display will indicate this. Press Clr and Try again. (2) The six digit Security Code may have previously been reprogrammed into your cellular phone. If this happens to be the case, you must re-enter the activation sequence using the assigned security code. (3) The maximum number of times that your cellular phone can be reprogrammed from the keypad may have been reached. (4) The ability for your cellular phone to be reprogrammed from the keypad may have been disabled or cancelled. REPROGRAMMING PROCEDURE: Reprogramming for a single phone number can be as quick as a four-step process or may take up to 11 steps, depending on how many programable features you wish to review or change. The phone always has some data programed for each of the features, whether that data is standard programming performed at the factory or data provided by someone who programmed the unit previously. If, while you are reprogramming, you are satisfied with the value already programmed for a particular feature, simply press * to move to the next feature. To perform the following steps, it is nessary for you to refer to the completed NAM Reprogramming Data Table. If you enter a digit incorrectly, press the Clr button to start again. REVIEWING of NAM REPROGRAMMING: Once you have completed the reprogramming steps, review the data by repeatedly pressing *. Check to make sure that the data reprogrammed matches what you wrote in the NAM Reprogramming Data Table. Make any required changes. STORING the DATA: If you are reprogramming a single phone number, press SND to store the programming data when you are satisfied that it is all correct. A two-digit step number (01-11) must appear in the display in order for you to store the data. Press * until one appears and then press SND. Your personal or portable cellular phone is now ready for normal use, if you are reprogramming a single phone number. REPROGRAMMING the Second Phone #: If "012" appears in the display after you have pressed SND to store the programming data for the first phone number, you are ready to repeat some or all of the ten steps, this time for a second phone number. The 01 indicates that you are ready to enter the System ID data (step 1) and the 2 indicates that you are reprogramming data for the second phone number. The phone assigns the same security and lock codes (steps 7 and 8) for the second phone number and as so skips from step 6 to step 9. There is no step 11 when reprogramming a second number. If "01 2" did not appear after reprogramming the first phone number, and you wish to reprogram a second number, either the second phone option has not been selected (step 10) or your phone is not equipped for dual system operation. Once you have completed the reprogramming steps, review the data by repeatly pressing *. Check to make sure that the data programmed matches what you wrote in the NAM reprogramming Data Table. Make any required changes Press SND to store the programming data when you are happy that it's all correct. (A two-digit step number (01-10) must appear in the dispaly.) Your personal or portable cellular phone is now ready for normal use. NAM REPROGRAMMING DATA TABLE ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ STEP DESCRIPTION # OF DIGITS SOURCE --------------------------------------------------------------------------- 01 System ID # 5 Digits Sys Op 02 Cellular Area Code 3 Digits Sys Op 03 Cellular Phone # 7 Digits Sys Op 04 Station Class Mark 2 Digits Sys Op (Usually 14 for 832 chan., 12 for standalone mobile) 05 Access Overld Class 2 Digits Sys Op 06 Group ID Mark 2 Digits Sys Op 07 6-Digit Secur. Code 6 Digits Phone Owner 08 3-Digit Unlock Code 3 Digits Phone Owner 09 Initial Paging Chan. 4 Digits Sys Op (Usually 0333 or 0334) 10 Option Programming 6 Digits /--------------------Handset Internal 1 Dgit Phone Owner Speaker disable If your install, has a seperate External Spkr/VSP unit The handset internal speaker must be disabled. 1 = disabled, 0 = enabled. This bit normally enabled. /--------------------Local Use 1 Digit Sys Op (Normally enabled 1=enabled & 0=disabled) /--------------------MIN Mark 1 Digit Sys Op normally disabled 1=Enabled, 0=disabled /--------------------Auto Recall 1 Digit Always 1 /--------------------2nd Phone # 1 Digit Phone Owner normally disabled 1=Enabled & 0=Disabled /-------------------Diversity 1 Digit (based on the # of antenna ports on your cellular phone 0 = standard 1 Ant. & 1 = Optional 2 ant. =====================Optional programming data entry 11 Option Programming 3 Digits (Cont'd) /--------------------Long Tone DTMF 1 Digit Phone Owner (normally disabled) 1 = Enabled & 0 = Disabled /--------------------For future use 1 Digit Always 0 /--------------------Eight-Hr. Timeout 1 Digit Phone Owner (normally enabled) 1 = Disabled & 0 = Enabled ======================Optional Programming Data Entry Step number - This number is the message that appears in the display during reprogramming. NAM REPROGRAMMING STEPS ----------------------- step Keypad Entry Display Comments ------ -------------- ------------- ----------------------------- 01 Ready for step 1 1a * Current System ID Factory Setting 000000 1b New Sy. ID XXXXXXX New system ID 1c * 02 Ready for step 2 2a * Curr. Area Code Factory set at 111 2b New Area Code XXX New Area Code 2c * 03 Ready for step 3 3a * Cur. Phone # Factory Setting 1110111 3b New Phone # XXXXXXX New Phone # 3c * 04 Ready for step 4 4a * Cur. Station Factory Setting 0/14 for Class Mark portable/personal or 12 for standalone Mobile. 4b New Station XX New Station Class Mark Class Mark 4c * 05 Ready for step 5 5a * Cur. Access Cur. Access Overload Class Overload Class 5b New Access XX New Access Overload Class Overload Class 5c * 06 Ready for step 6 6a * Curr. Group ID Factory set at 00 6b New Group ID XX New Group ID 6c * 07 Ready for step 7 7a * Current Sec. Code Factory set at 000000 7b New Security Code XXXXXX 7c * 08 Ready for step 8 8a * Current Unlock Code setting at 123 8b New Unlock Code XXX New Unlock Code 8c * 09 Ready for step 9 9a * Current Initial Factory Setting 123 0334 PAGING CHANNEL 9b New Initial XXXXXX New Initial Paging Channel Paging Channel 9c * 10 Ready for step 10 10a * Cur. Options Factory Setting 010100 10b New Options XXXXXX New Options 10c * 11 Ready for step 11 11a * Cur. Options Factory Set. 000 11b New Option XXX New Options 11c * 01 or 01 2 Ready for Review to program. or Second Phone Number ============================================================================ Now That conclude Part 2, Part 3 will the instructions for NAM reprogramming for all the phones I listed in part 1. If you have any questions or comments you can leave me mail on one of the following bbs's that I have listed below. THE RAVEN +=======+ The following is a list of BBS's that recieve my files 1st run in order: Installition Five (???) PRI-VATE NUP>KNOWLEDGE BlitzKreig BBS (502) 499-8933 NUP>COLUMBIAN COKE The Ripco BBS (312) 528-5026 The Hawks Nest (201) 347-6969