&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
& &
& Oki 900: The Real Deal &
& &
& by: Oki Dokie &
& &
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
Spelling Corrected, gradually HTMLized by drwho.
Well this is the first real file on cellular worth keeping. There
have been several LAME attempts made in 2600. All the files in 2600 were by
people who DID not know enough about the topic to carry on a technical
paper. The only file that was worth reading was written by Brian O. The
file was in Phrack.
Most of the people out there think they are cool because they can
link up SIMPLE cables and use software they did not write to clone cell
phones. All these kids who think they know cell: you do not know anything!
You are all lame!
This file is not for the people on the private cell lists on the
Internet, nor for the people looking for handouts who do not want to
understand the technology. One such person is a little kid named Alpha BITS.
Alpha Bits is in jail now, and we all wish him to die there!
This file was written for information warfare! We can all thank the FBI;
this is just the start!
Here is the outline of this file:
- Hardware one will Need
- Memory Break Down
- Debug command
- The Oki Mod
- The Network Wizards Interface cable
- Character set in the Oki 900
Hardware one will Need
~~~~~~~~~~~~~~~~~~~~~~
This section covers the hardware one will need to buy, along with the
terms used for it and its prices.
Package Terms
In electronics there are many terms that are used for the same thing.
One area that electronics manufacturers, distributors and product
representatives have different names for the same thing is in the
packages of the IC (integrated Circuit). The package is the shape,
size of the chip, the number of pins, and the way the pins connect to
the circuit board. Here are some of the common packages:
DIP   Dual In-Line Package
PDSO  Plastic Dual Small Outline (same as SOIC)
PLCC  Plastic Leaded Chip Carrier
PSIP  Plastic Single In-Line Package
SOP   Small Outline Package (same as SOIC)
SOL   Small Outline package (same as SOIC)
SOI   Small Outline In-Line Package (same as SOIC)
SOIC  Small Outline In-Line Package
As one can see, SOP, SOL, SOI, PDSO and SOIC are all the same package.
The best way to find out about the package types is to look in the
back of manufacturer's data books.
The Oki PROM comes in a SOIC package, which is why this needed covering.
EPROM Programmer
The best deal around is the Intronics EPROM Programmer.
The Pocket Programmer - $130.00
Intronics, Inc.
Box 13723
Edwardsville, KS 66113
(913) 422-2094
The Pocket Programmer is a good programmer that uses the printer port. The
software has 24 functions and programs (E)EPROM, Flash and RAM 27/28(C)XXXX from
16K to 8Meg through a 32-pin socket.
SOIC to DIP Socket
Most EPROM programmers have a ZIF DIP socket. This means that you
will need a SOIC to DIP converter. There are several ways one can go
about this: one can buy a converter or one can make one.
You can order a SOIC Test Clip that can be wired into a 28 pin PC board
socket. This will take about an hour of your time to solder 28 wires
from the clip to the 28 pin PCB socket. The cost is the big plus for
going with the SOIC Test Clip. You can order the clip from:
Contact East
335 Willow Street
North Andover, MA 01845-5995
800-225-5334
Part Number: 923665-28 $12.55
If making a converter seems like it would be too much work, a low price
converter can be found (after looking for weeks). The best price
around for a SOIC to DIP converter is from:
M^2L Electronics
3526 Jasmine, Suite #4
Los Angeles, CA 90034
(310) 837-7818
Part Number: EP-SOIC28 $50.00
Oki Phones Domestic Distributors - Where to get an Oki 900
The last shipment of Oki 900 telephones was in December of 94. There
were 10,000 phones shipped. There should not be too many problems in
finding the phones (maybe not after this is printed).
Allied Communications
1705 Winchester Road
Bensalem, PA 19020
(215) 244-1262
Connecticut, Delaware, Maine, Maryland, Massachusetts, Vermont, New Hampshire,
New Jersey, New York, Pennsylvania, Virginia, West Virginia, Washington,
D.C., Kentucky, North Carolina, South Carolina, Tennessee, Louisiana,
Mississippi, Alabama, Georgia, Florida
Cellular Wholesalers, Inc.
5151 Church Street
Skokie, IL 60077
(708) 965-2300
Illinois, Wisconsin, Ohio, Arizona, North Dakota, South Dakota, Minnesota, Iowa,
Michigan, Indiana
Pacific Unplugged Communications, Inc.
20526 Gramercy Place
Torrance, CA 90501
(310) 787-9400
California, Nevada, Arizona, Washington, Wyoming, Alaska, Hawaii, New Mexico,
Colorado, Utah, Idaho, Oregon, Montana,
Southern Electronic Distributors, Inc.
4916 North Royal Atlanta Drive
Tucker, GA 30084
(800) 444-8962
North Carolina, South Carolina, Kentucky, Tennessee, Louisiana, Mississippi,
Alabama, Georgia, Florida
Wholesale Cellular USA, Inc.
5720 West 71st Street
Indianapolis, IN 46278
(800) 243-1227
Kentucky, Indiana, Michigan, Kansas, Ohio, Arizona, Missouri, North Dakota,
Wyoming, South Dakota, Nebraska, Oklahoma, Colorado, Arkansas, Montana, Iowa,
Minnesota, Utah, Wisconsin
The PROM you will Need
The PROM the Oki 900 uses is the TC54512AF-20; this is really a 27C512 SOIC
PROM. This can be ordered from
Memory Break Down
~~~~~~~~~~~~~~~~~
Here is the breakdown of the Oki 900 phone's memory map.
$0000-$FFFF (64K) - Software PROM
$0000-$00FF (256) - Micro Internal Memory
$7000-$70FF (256) - Glue Logic
$A000-$BFFF (8K) - EEPROM
$C000-$C0FF (256) - Extended RAM
$D000-$D0FF (256) - Screen Memory
$0000-$FFFF (64K) - Software PROM
This is the phone's software, which controls everything the phone does.
This is where one will need to change the code to allow the ESN to be
changed. The ROM version covered here is the 4701. The 4003 is not covered.
Common LCALLS in the Oki 900
Here is a small list of some of the more common lcalls that are
used in the Oki 900. This may or may not help, but here they are:
lcall $04c2 - Sets $D0-$D1 and $A0-$A1 to $78 (there is a good reason)
lcall $0542 - Fixes NAMs if needed, check sum
lcall $055a - Sets up security code via ESN, hex to dec conversion
lcall $0723 - Clears a set of locations to $00; count in R2, DPTR points to the first
lcall $072d - Clears custom power on message BEAF to BEB6
lcall $073d - ESN checksum
lcall $07e6 - Will reset the NAM if something happens to it
lcall $13d4 - ACC.6 to C and lcall $2fe1 Write to screen direct....
lcall $152c - Display on screen (calls $2fe1 along the way)
lcall $1549 - $7A to A and ACC.6 to C
lcall $1638 - Gets a key from the keypad and checks whether it is CLR
lcall $2722 - Mov DPTR, #$bec2 ESN working storage location mov R7, #04h
lcall $274f - Reads from BED1 BED2
lcall $2e59 - Puts DPTR to R5 and R6 (DPH to R5, DPL to R6)
lcall $2e5e - Puts R5 and R6 to DPTR (R5 to DPH, R6 to DPL)
lcall $2f17 - 22->A, 8->R7, JMP to write to screen ($2fe1)
lcall $2f4e - lcall 3016, A->R7, 10->A, Screen Write, etc...
lcall $2fb3 - A->R0, 39->A, Alcall N2fb3F0, CJNE A on F0 to B2fbc
(R0->A, F0->A, scr write) $2fe1
lcall $2fc3 - A->R7, 10->A, jmp to Screen Write ($2fe1)
lcall $2fd2 - A->R7, A->@C087, CLR A, JMP to Screen write ($2fe1)
lcall $2fe3 - The REAL screen write!!
lcall $2ffb - Write A to @DPTR, for EEPROM (ATMEL 28C64)
lcall $3042 - Adjusts on over load!
lcall $305e - Change channel
lcall $3110 - adds 40h (64d) to name address used for NAM pulls
lcall $31f5 - Point to the correct location of the NAM selected
lcall $3265 - Goto current NAM location and Read it out
lcall $347a - Clr #$7f, Lets just save one byte
lcall $347d - Resets the autonomous timer
lcall $34a7 - Enable Hands-free
lcall $34b0 - Disable Hands-free (enable Spkr)
lcall $3546 - Mutes the receive audio
lcall $354a - UN-mutes the receive audio
lcall $3552 - UN-mutes the transmit audio
lcall $3797 - Setup for call
lcall $3834 - Checks if key is pressed
lcall $3887 - Gets and Decodes a Control Channel Message
lcall $38e6 - Get FCC message
lcall $3939 - Decode FCC Message
lcall $5b5e - Inc DPTR, with DPL inc to only thru $00-$29 and $2b-$3e
lcall $5d84 - NAM Checksum byte correction
lcall $34b6 - Turns on Loudspeaker near mic (Used in Debug #77)
lcall $37cf - Enable the compressor and expander (Used in Debug #65)
lcall $37d6 - Disable the compressor and expander (Used in Debug #66)
lcall $34c6 - Turns the carrier off (Used in Debug #08)
lcall $3741 - Transmits a continuous signaling tone (Used in Debug #16)
lcall $354e - Mutes the transmit audio (Used in Debug #13)
Misc. Locations in the Oki 900 Software.
$0000 Starting entry
$00b1 Read in all data, if not zero, die error number 2
$00c8 RAM Check Sum, if not zero after being decremented, error number 3
$00cb RAM Check Sum loop label
$00dd Makes the call to the ESN check sum ($073d) better return a zero
Error number 4
$00e7 Call setup
$0102 Reset phone
$012e Reads out what NAM that the phone is set on
$0136 Check Sum for External RAM, fail error number 3
$0144 Read NAM out and write into memory
$0501 Setup for Security code (hex to dec conversion)
$055a HEX to decimal converter
$055b HEX to Dec conversion looper var ent point
$0573 Turn off write protect (lcall)
$057a Turn on write protect (lcall)
$0581 Default NAM info, done on reset of phone ($0102) Data
$05c4 Write default NAMs Start from data at $0581
$0723 Clears a set of locations to $00; count in R2, DPTR points to the first location
$072d Clears customized power on message
$0732 Clear power on message loop var (Places spaces in the phone)
$073d Loads Encrypted ESN Locations (ESN Check Sum)
$0766 Decodes Encrypted ESN (ESN Check Sum)
$077a ESN Check Sum (ESN Check Sum)
$07dc The Check Sum part of the NAM check sum
$07e6 Will Reset the NAM if something happens to it *** START
$07ed Write loop for NAM write (called from $0581)
$09b1 This is the START of debug!!!!
$0b51 Debug indirect jump
$140e Data for key test (DATA)
$1638 This function is used to read a key from the keypad
more over the CLR key
$16d5 Address table for debug (DATA)
$2722 Loads ESN working storage location with ESN
$2f55 Call from debug command #74
$34a7 Enable Hands free
$34b0 Disable Hands-free (enable Speaker)
$354a UN-mutes the receive audio
$3741 Transmits a continuous signaling tone
$385f From C3834: this is the debug command number #20
$4a74 Setup for customized power on message
$5bb8 200 memory location control
$5bd6 200 memory location address for indirect moves (DATA)
$0000-$00FF (256) - Micro Internal Memory
The internal memory contains the special function registers. When one wants
to use a register, TASM does not have labels for them, so one accesses the
register directly by address. Here are the addresses one will need
to use.
IOCON $FF-$F8
B $F7-$F0
ACC $E7-$E0
PSW $D7-$D0
TH2 $CD
TL2 $CC
RCAP2H $CB
RCAP2L $CA
T2CON $CF-$C8
IP $BF-$B8
P3 $B7-$B0
IE $AF-$A8
P2 $A7-$A0
SBUF $99
SCON $9F-$98
P1 $97-$90
TH1 $8D
TH0 $8C
TL1 $8B
TL0 $8A
TMOD $89
TCON $8F-$88
PCON $87
DPH $83
DPL $82
SP $81
P0 $87-$80
The Stack is specified by stack pointer ($81).
Stack Storage Layout

Stack Processing        Stack Pointer   7    6    5    4    3    2    1    0
Before Execution        $7F             D7   D6   D5   D4   D3   D2   D1   D0
Interrupt Process       $80             PC7  PC6  PC5  PC4  PC3  PC2  PC1  PC0
                        $81             PC15 PC14 PC13 PC12 PC11 PC10 PC9  PC8
PUSH process (ACC)      $82             A7   A6   A5   A4   A3   A2   A1   A0
POP process (ACC)       $82             A7   A6   A5   A4   A3   A2   A1   A0
RETI process (pop PC)   $81             PC15 PC14 PC13 PC12 PC11 PC10 PC9  PC8
                        $80             PC7  PC6  PC5  PC4  PC3  PC2  PC1  PC0
After Execution         $7F             D7   D6   D5   D4   D3   D2   D1   D0
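The sequence in the table, as an added worked example that is not part of the original file: a small Python model of how the 8051 stack pointer moves on interrupt entry, PUSH, POP and RETI, using the same SP values ($7F through $82) as the table. The class name, the return address $1234 and the ACC value $5A are constructed for the demonstration and are not from the Oki firmware.

```python
# Added example (not from the original file): model of the 8051 stack
# behaviour shown in the "Stack Storage Layout" table. The 8051 stack grows
# upward in internal RAM: SP is pre-incremented on PUSH / LCALL / interrupt
# entry and post-decremented on POP / RET / RETI. SP starts at $7F, so the
# first pushed byte lands at $80.


class Stack8051:
    """Models SP and the internal-RAM bytes the stack touches."""

    def __init__(self, sp=0x7F):
        self.sp = sp
        self.ram = {}  # internal RAM, address -> byte (constructed, empty)

    def push(self, byte):
        """PUSH: SP <- SP + 1, then RAM[SP] <- byte.

        The hardware wraps SP silently at $FF, so an over-deep stack
        overwrites low RAM (the register banks) instead of faulting.
        """
        self.sp = (self.sp + 1) & 0xFF
        self.ram[self.sp] = byte & 0xFF
        return self.sp

    def pop(self):
        """POP: byte <- RAM[SP], then SP <- SP - 1."""
        byte = self.ram.get(self.sp, 0)
        self.sp = (self.sp - 1) & 0xFF
        return byte

    def interrupt(self, pc):
        """Interrupt entry / LCALL: push PC low byte, then PC high byte."""
        self.push(pc & 0xFF)        # PC0..PC7  -> $80 in the table
        self.push((pc >> 8) & 0xFF)  # PC8..PC15 -> $81 in the table
        return self.sp

    def reti(self):
        """RETI / RET: pop PC high byte, then low byte, rebuild the address."""
        pch = self.pop()
        pcl = self.pop()
        return (pch << 8) | pcl


def walk_table(return_pc=0x1234, acc=0x5A):
    """Replay the table rows in order and return a trace of (step, values).

    return_pc and acc are constructed sample values.
    """
    s = Stack8051(sp=0x7F)
    trace = []
    s.interrupt(return_pc)
    trace.append(("Interrupt", s.sp, s.ram[0x80], s.ram[0x81]))  # SP=$81
    s.push(acc)
    trace.append(("PUSH ACC", s.sp, s.ram[0x82]))                # SP=$82
    trace.append(("POP ACC", s.pop(), s.sp))                     # SP=$81
    pc = s.reti()
    trace.append(("RETI", pc, s.sp))                             # SP=$7F
    return trace


if __name__ == "__main__":
    for row in walk_table():
        print(row)
```

The trace reproduces the table row by row: after the interrupt SP sits at $81 with the return address split across $80/$81, PUSH ACC moves SP to $82, POP returns it to $81, and RETI restores both the 16-bit PC and the original SP of $7F.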
$7000-$70FF (256) - Glue Logic
Glue Logic is the decoder which controls various functions of the
Oki 900. The NAM locations are under a write protect. The write protect is
controlled via the $7005 location. Here is some sample code showing how
one uses the $7005 write protect.
Turn Off EEPROM Write Protect - $01 into $7005

    mov  a, #$01        ; Load $01 into A
    mov  dptr, #$7005   ; Load the address $7005 into DPTR
    movx @dptr, a       ; Write A ($01) to the location DPTR points at,
                        ; which is $7005

Turn On EEPROM Write Protect - $00 into $7005

    mov  a, #$00        ; Load $00 into A
    mov  dptr, #$7005   ; Load the address $7005 into DPTR
    movx @dptr, a       ; Write A ($00) to the location DPTR points at,
                        ; which is $7005
$C000-$C0FF (256) - Extended RAM
C0F4-C0FE Current NAM Information (SID, MIN1/2, IPCH, OLC, GIM)
C0FF Current NAM Selected (0=Auto-NAM)
$D000-$D0FF (256) - Screen Memory
This is the LCD memory locations.
$A000-$BFFF (8K) - EEPROM Memory locations
The EEPROM contains the ESN, NAM, passwords and other data that
may need to be changed.
The ESN is held in two locations. The main location holds the encrypted
ESN and CANNOT BE CHANGED unless one jumpers the 28C64 EEPROM write protect.
(Order the databook by calling Atmel at 408-441-0311.) To jumper the
EEPROM one can place a low on NOT WE (Write Enable, pin 27) and NOT CE
(Chip Enable, pin 20) and a high on OE (Output Enable, pin 22). While
writing each byte, NOT WE and NOT CE should cycle, and OE NEEDS to be
high.
The other ESN location is the working storage location, which is written
over each time the phone is turned on. One can make a two-byte crack
on the binary to change the ESN on the phone. Looking at $0788 in the
Oki PROM, you will see #$90 #$BE #$C2 (#$78 #$60 #$79; the extra opcodes are
listed to help find the location in question). #$90 #$BE #$CE could be
changed to #$90 #$FF #$F0, and you would then be able to change the ESN by
using debug command #54 to poke the ESN into $BEC2 thru $BEC5.
The 200 memory location table starts at $9F4E in the PROM. The addresses
are those of the names, NOT the numbers; please note that the numbers
come before the names in the locations, thus starting at B000.
---------------------------------------------------------------
| Addr Memory Location Number | Addr Memory Location Number|
|-------------------------------+-----------------------------|
| B010 Memory location #1 | B029 Memory location #2 |
| B044 Memory location #3 | B05D Memory location #4 |
| B078 Memory location #5 | B091 Memory location #6 |
| B0AC Memory location #7 | B0C5 Memory location #8 |
| B0DE Memory location #9 | B0F9 Memory location #10 |
| B112 Memory location #11 | B12D Memory location #12 |
| B146 Memory location #13 | B15F Memory location #14 |
| B17A Memory location #15 | B193 Memory location #16 |
| B1AE Memory location #17 | B1C7 Memory location #18 |
| B1E0 Memory location #19 | B1FB Memory location #20 |
| B214 Memory location #21 | B22F Memory location #22 |
| B248 Memory location #23 | B261 Memory location #24 |
| B27C Memory location #25 | B295 Memory location #26 |
| B2B0 Memory location #27 | B2C9 Memory location #28 |
| B2E2 Memory location #29 | B2FD Memory location #30 |
| B316 Memory location #31 | B331 Memory location #32 |
| B34A Memory location #33 | B363 Memory location #34 |
| B37E Memory location #35 | B397 Memory location #36 |
| B3B2 Memory location #37 | B3CB Memory location #38 |
| B3E4 Memory location #39 | B3FF Memory location #40 |
| B418 Memory location #41 | B433 Memory location #42 |
| B44C Memory location #43 | B465 Memory location #44 |
| B480 Memory location #45 | B499 Memory location #46 |
| B4B4 Memory location #47 | B4CD Memory location #48 |
| B4E6 Memory location #49 | B501 Memory location #50 |
| B51A Memory location #51 | B535 Memory location #52 |
| B54E Memory location #53 | B567 Memory location #54 |
| B582 Memory location #55 | B59B Memory location #56 |
| B5B6 Memory location #57 | B5CF Memory location #58 |
| B5E8 Memory location #59 | B603 Memory location #60 |
| B61C Memory location #61 | B637 Memory location #62 |
| B650 Memory location #63 | B669 Memory location #64 |
| B684 Memory location #65 | B69D Memory location #66 |
| B6B8 Memory location #67 | B6D1 Memory location #68 |
| B6EC Memory location #69 | B705 Memory location #70 |
| B71E Memory location #71 | B739 Memory location #72 |
| B752 Memory location #73 | B76D Memory location #74 |
| B786 Memory location #75 | B79F Memory location #76 |
| B7BA Memory location #77 | B7D3 Memory location #78 |
| B7EE Memory location #79 | B807 Memory location #80 |
| B820 Memory location #81 | B83B Memory location #82 |
| B854 Memory location #83 | B86F Memory location #84 |
| B888 Memory location #85 | B8A1 Memory location #86 |
| B8BC Memory location #87 | B8D5 Memory location #88 |
| B8F0 Memory location #89 | B909 Memory location #90 |
| B922 Memory location #91 | B93D Memory location #92 |
| B956 Memory location #93 | B971 Memory location #94 |
| B98A Memory location #95 | B9A3 Memory location #96 |
| B9BE Memory location #97 | B9D7 Memory location #98 |
| B9F2 Memory location #99 | BA0B Memory location #100 |
| A010 Memory location #101 | A029 Memory location #102 |
| A044 Memory location #103 | A05D Memory location #104 |
| A078 Memory location #105 | A091 Memory location #106 |
| A0AC Memory location #107 | A0C5 Memory location #108 |
| A0DE Memory location #109 | A0F9 Memory location #110 |
| A112 Memory location #111 | A12D Memory location #112 |
| A146 Memory location #113 | A15F Memory location #114 |
| A17A Memory location #115 | A193 Memory location #116 |
| A1AE Memory location #117 | A1C7 Memory location #118 |
| A1E0 Memory location #119 | A1FB Memory location #120 |
| A214 Memory location #121 | A22F Memory location #122 |
| A248 Memory location #123 | A261 Memory location #124 |
| A27C Memory location #125 | A295 Memory location #126 |
| A2B0 Memory location #127 | A2C9 Memory location #128 |
| A2E2 Memory location #129 | A2FD Memory location #130 |
| A316 Memory location #131 | A331 Memory location #132 |
| A34A Memory location #133 | A363 Memory location #134 |
| A37E Memory location #135 | A397 Memory location #136 |
| A3B2 Memory location #137 | A3CB Memory location #138 |
| A3E4 Memory location #139 | A3FF Memory location #140 |
| A418 Memory location #141 | A433 Memory location #142 |
| A44C Memory location #143 | A465 Memory location #144 |
| A480 Memory location #145 | A499 Memory location #146 |
| A4B4 Memory location #147 | A4CD Memory location #148 |
| A4E6 Memory location #149 | A501 Memory location #150 |
| A51A Memory location #151 | A535 Memory location #152 |
| A54E Memory location #153 | A567 Memory location #154 |
| A582 Memory location #155 | A59B Memory location #156 |
| A5B6 Memory location #157 | A5CF Memory location #158 |
| A5E8 Memory location #159 | A603 Memory location #160 |
| A61C Memory location #161 | A637 Memory location #162 |
| A650 Memory location #163 | A669 Memory location #164 |
| A684 Memory location #165 | A69D Memory location #166 |
| A6B8 Memory location #167 | A6D1 Memory location #168 |
| A6EC Memory location #169 | A705 Memory location #170 |
| A71E Memory location #171 | A739 Memory location #172 |
| A752 Memory location #173 | A76D Memory location #174 |
| A786 Memory location #175 | A79F Memory location #176 |
| A7BA Memory location #177 | A7D3 Memory location #178 |
| A7EE Memory location #179 | A807 Memory location #180 |
| A820 Memory location #181 | A83B Memory location #182 |
| A854 Memory location #183 | A86F Memory location #184 |
| A888 Memory location #185 | A8A1 Memory location #186 |
| A8BC Memory location #187 | A8D5 Memory location #188 |
| A8F0 Memory location #189 | A909 Memory location #190 |
| A922 Memory location #191 | A93D Memory location #192 |
| A956 Memory location #193 | A971 Memory location #194 |
| A98A Memory location #195 | A9A3 Memory location #196 |
| A9BE Memory location #197 | A9D7 Memory location #198 |
| A9F2 Memory location #199 | AA0B Memory location #200 |
---------------------------------------------------------------
NAM Storage in the EEPROM:
SID------- min1/min2------------------- IPCH------ OLC- GIM-
NAM1 - A02B A06B A0AB A0EB A12B A16B A1AB A1EB A22B A26B A2AB
NAM2 - A2EB A32B A36B A3AB A3EB A42B A46B A4AB A4EB A52B A56B
NAM3 - A5AB A5EB A62B A66B A6AB A6EB A72B A76B A7AB A7EB A82B
NAM4 - A86B A8AB A8EB A92B A96B A9AB A9EB AA2B AA6B AAAB AAEB
NAM5 - AB2B AB6B ABAB ABEB AC2B AC6B ACAB ACEB AD2B AD6B ADAB
A6AA Used with Encrypted ESN
A72A Used with Encrypted ESN
A3EA Used with Encrypted ESN
A16A Used with Encrypted ESN
A2AA Used with Encrypted ESN
A22A Used with Encrypted ESN
BBAC-BE73 30 roamer access memories
BE03 Index of NAM in use
BEAF-BEB6 Customized power on message (8 bytes)
BEBE-BEC1 "AEIO" signature sent to cell
BEC2-BEC5 ESN working storage location
BF2C Index of NAM in use
BF2D Even/odd SID (0 or 1)
BF60-BF63 Keyboard unlock code digits
BF71 Version number of display cpu rom
BF74 Lighting mode control byte (0=7sec, 1=off, 2=on)
Debug command
~~~~~~~~~~~~~
Here is a list of some of the debug commands for the Oki 900. Along with
the list of debug commands are the addresses in the 4701 binary.
The table for the indirect jump starts at $16D5. The indirect jump for
the debug mode is at $0b51.
Note, if the address is $14e3, the debug command does not exist.
Addr Number Use
---- ------ ---
$14e3 #00
$0b81 #01 Performs Initialization
$0000 #02 Terminates the test mode
$0b97 #03 Shows current status of TRU
$0bd0 #04 Resets the autonomous timer
$0b70 #05 Returns Data Bytes following command
to the Test Set.
$0b81 #06 Initialize the TRU to following states:
Carrier Off, Attenuation - 0db,
Receive Audio Muted Transmit Audio Muted,
Signaling tone off,
Autonomous timer reset,
SAT off, and DTMF off
$0bdf #07 Turns the carrier on
$0bf8 #08 Turns the carrier off
$0bfe #09XXXX Sets the synthesizer to channel XXXX
$0c34 #10X Set the RF power attenuation to X
0=0db, 7=-28 db
(in steps of -4db thru 7)
$0c46 #11 Mutes the receive audio
$0c4c #12 UN-mutes the receive audio
$0c52 #13 Mutes the transmit audio
$0c58 #14 UN-mutes the transmit audio
$0bda #15 Discontinues resetting of autonomous timer
$0c5e #16 Transmits a continuous signaling tone
$0c64 #17 Stops transmission of signaling tone
$0fbb #18 Transmits a 5 word RCC message
(fixed text pattern)
$0fe8 #19 Transmits a 2 word (RCC) RVC message
(fixed test pattern)
$1009 #20 Receives a 2 word FCC message (cancel with 0x38)
$1086 #21 Receives a 1 word (FCC) FVC message
(cancel with 0x38)
$0e3d #22 Returns the information contained in the NAM
$0f03 #23
$0edd #24
$0dad #25XXXX Displays the resident memory data at XX
00XX=in micro, XXXX=EEPROM
$14e3 #26
$14e3 #27
$0f2c #28 Count 1 word messages on CC, until TERMINATE
$0f61 #29 Count 1 word messages on VC, until TERMINATE
$14e3 #30
$14e3 #31
$0c73 #32X Enable the transmission of SAT X
0 = 5970 Hz,
1 = 6000 Hz,
2 = 6030 Hz
$0c9d #33 Disables the transmission of SAT
$10a8 #34<60> Transmits 5 word RCC message (30 bytes)
$0cdc #35 Activates the 1150Hz tone to receive audio line
$0cd4 #36 Deactivates the 1150Hz tone
$0ce0 #37 Activates the 770Hz tone to receive audio line
$0cd4 #38 Deactivates the 770Hz tone
$14e3 #39
$14e3 #40
$14e3 #41
$0ca7 #42XX Enable the transmission of DTMF
frequency XX[2]
$0cd4 #43 Disable the transmission of DTMF
$1286 #44
$0cf0 #45
$0d00 #46
$0d06 #47
$0eac #48
$14e3 #49
$14e3 #50
$0d7c #51
$0d55 #52
$0da2 #53
$0e27 #54XXXXZZ Write HEX (ZZ) into ADDRESS $XXXX
$14e3 #55
$0e22 #56 Return Value stored in $BEBB
$14e3 #57
$14e3 #58
$14e3 #59
$10c2 #60
$14e3 #61
$0f91 #62
$0fdc #63
$1009 #64 Receives a 2 word FCC message
(Please see debug command #20)
$0ce4 #65 Enable the compressor and expander
Compander is a SA 5750
This is a Phillips Chip (800) 234-7381
$0cea #66 Disable the compressor and expander
$0d31 #67 X-Set volume (0-7) 0=max
$0d4a #683XX Mutes/UN-mute Tx/Rx Audio Signal
Enable Disable the Compressor/Expander,
XX=commanded states.
CMD Compress Tx Mute Rx Mute
--- -------- ------- -------
40 on UN-muted UN-muted
41 off UN-muted UN-muted
42 on muted UN-muted
43 off muted UN-muted
44 on UN-muted muted
45 off UN-muted muted
46 on muted muted
47 off muted muted
$14e3 #69
$14e3 #70
$14e3 #71
$1142 #72 Pulls, outputs 1 word
$11ff #73XXXXYYYYZZ Scans Channels
XXXX = Starting
YYYY = Ending
zz = Delay
$1305 #74 keypad test
$0ef1 #75 Enable Hands-free (disable spkr)
$0ef7 #76 Disable Hands-free (enable spkr)
$0efd #77 Turns on Loudspeaker near mic
$14e3 #78
$14dd #79
$1a42 #80
$1962 #81
$19c8 #82
$182c #83
$1789 #84
$18fe #85
$14e3 #86
$14e3 #87
$14e3 #88
$14e3 #89
The Oki Mod
~~~~~~~~~~~
Here is the Oki 900 mod, some changes will need to be made to the
4701 binary before this will work. THIS DOES WORK, and IS THE REAL
THING, this is the same one that lame people are selling for cash!
----------------------4715e.asm - Cut Here - Start ----------------------
; **********************************************************************
; * *
; * This is 4715 mod for the Oki 900 Phone *
; * *
; * by: Oki Dokie *
; * *
; * There are a few changes you will have to make to your binary *
; * in order for this code to work for you. All you need to get *
; * around the check sums, if you can not do that, you should not *
; * have this. *
; * *
; * Look at $00dd in the 4701 binary, you will see 12073D, Change *
; * this to 12A290, do this to get the code to run. *
; * *
; **********************************************************************
;
; **********************************************************************
; *
; * BFE1 = 1 Selector ( With a #$20 there, we have a clone), Normal
; * BFE2 = 2 Selector ( with a #$20 there, we have a clone), other Tumble
; * BFE3 = 5 Selector #$20 = clone, $40 = Rotate, other = auto
; * BFE4 = Number of times can be ESN used
; * BEF5 = Number of times it has been
; * ESN Location #1 $be8e-$be91
; * ESN Location #2 $be93-$be96
; * ESN Location #3 $be98-$be9b
; * ESN Location #4 $be9d-$bea0
; * ESN location #5 $bea2-$bea5
; *
; **********************************************************************
;
; Patch this in at $a0de (in the 4701 binary). This should be
; patched in as is! This is the address for the indirect jump for
; the auto mode. Auto mode is the 230 ESN mode where the 230 ESN are
; used and deleted after they are used x number of time. x is from
; 0 to 255, this value is poked in $BFE4. Three strikes and you're out!
;
; The NAM has to be entered in as it is stored in the phone, you
; will have to look that one up yourself, and write your own
; program. :)
;
; You will also need to rework the checksums on the ROM.
; Fast turn on:
; ROM Address $00AB contains $90 $FF $00
; change to $02 $00 $C8
; After the $00 starting at address
; $00AE you can have the words
; "Think There was code Here?"
; and that will bring you up to $00C8
; (that is with out the double quote)
;
; Slow turn on:
; ROM Address $00C5 contains $02 $03 $C5
; change to $00 $00 $00
;
;
; **********************************************************************
; Org A016
;
; b010b029b044b05db078b091b0acb0c5b0deb0f9b112b12db146
; b15fb17ab193b1aeb1c7b1e0b1fbb214b22fb248b261b27cb295
; b2b0b2c9b2e2b2fdb316b331b34ab363b37eb397b3b2b3cbb3e4
; b3ffb418b433b44cb465b480b499b4b4b4cdb4e6b501b51ab535
; b54eb567b582b59bb5b6b5cfb5e8b603b61cb637b650b669b684
; b69db6b8b6d1b6ecb705b71eb739b752b76db786b79fb7bab7d3
; b7eeb807b820b83bb854b86fb888b8a1b8bcb8d5b8f0b909b922
; b93db956b971b98ab9a3b9beb9d7b9f2ba0ba000a019a034a04d
; a06da081a09aa0b5a0cfa0eda102a11ba136a14fa16ca183a19c
; a1b7a1d0a1eca204a21da238a251a26ca285a29ea2b9a2d2a2ed
; a306a31fa33aa353a36ea387a3aca3bda3d5a3efa408a42da43c
; a455a470a489a4bea4d6a4f1a50aa52da53fa557a572a58ba5ac
; a5bfa5d8a5f3a60ca62ca640a659a674a68da6aca6c1a6daa6f5
; a70ea72ca743a75ca776a78fa7aca7c3a7dca7f7a810a82ca844
; a85da878a891a8aca8c5a8f9a912a92da946a97aa993a9aea9c7
; a9fbaa14aa2caa3baa4aaa5aaa6caa7caa8daa9caaadaabcaacd
; aaecaafcab0cab2cab3cab4cab5cab6cab7cab8cabacabccabec
; abfcac0cac2cac3cac4cac5cac6cac7cac8cac9cacacacbcaccc
; acecacfcad0cad2cad3cad5cad6cad7cad8cadacadccadecae0c
; ae1cae2cae3cae4cae5cae6cae8cae9caeacaebcaeccaedcaeec
; aefcaf0caf1caf2caf3caf4caf5caf6caf7caf8caf9cafacafbc
; afccafdcaffcba15ba20ba2cba38ba43ba4fba5bba66ba71ba7d
; ba9ababdbac9bad5bae1baedbaf9bb05bb11bb1dbb29bb35bb41
; bb4dbb59bb65bb71bb7dbb89bb95bba1bbadbbb9bbc5bbd1bbdd
; bbe9bbf5bc01bc0dbc19bc25bc31bc3dbc49bc55bc61bc6dbc79
; bc85bc91bc9dbca9bcb5
;
; org. $a290
;
;
;***********************
begin: .org $a290
eleetesn:mov dptr, #$bf2c ; NAM Select
movx a, @dptr ; Load that data up
cjne a, #$01, try2
mov dptr, #$bfe1 ; Load Selector, for Autodial/Clone Mod
movx a, @dptr ; Load that data up
cjne a, #$20, wehnp ; Do We Have Normal Phone?
mov dptr, #$be8e ; ESN Location #1 $be8e-$be91
ljmp letsgo
wehnp: ljmp nothing
try2: cjne a, #$02, try3 ;
mov dptr, #$bfe2 ; Load Selector, for Autodial/Clone Mod
movx a, @dptr ; Load that data up
cjne a, #$20, wehtum ; Do We Have Tumble?
mov dptr, #$be93 ; ESN Location #2 $be93-$be96
ljmp letsgo ;
wehtum: mov dptr, #$bfe3 ; Load Selector, for Tumble/Clone Mod
movx a, @dptr ; Load that data up
ljmp tumbl
try3: cjne a, #$03, try4 ;
mov dptr, #$be98 ; ESN Location #3 $be98-$be9b
ljmp letsgo ;
try4: cjne a, #$04, its5 ;
mov dptr, #$be9d ; ESN Location #4 $be9d-$bea0
ljmp letsgo ;
its5: cjne a, #$05, nothing ; Better be 5, or you get NOTHING!!
mov dptr, #$bfe3 ; Load Selector, for Autodial/Clone Mod
movx a, @dptr ; Load that data up
cjne a, #$20, wehad ; Do We Have Auto Dial?
mov dptr, #$bea2 ; ESN Location #5 $bea2-$bea5
ljmp letsgo ;
wehad: cjne a, #$40, ihad2 ; Do We Have Auto Dial?
ljmp rotate ; Maybe We have Rotate
ihad2: ljmp autodia ;
tumbl: mov a, #$01 ;\
mov dptr, #$7005 ; |Turn off EEPROM write protect.
movx @dptr, a ;/
mov dptr, #$bec2 ; ==========
mov r0, #$60 ;
mov r1, #$04 ;
loop: movx a, @dptr ; Put current Serial # into $60-$63
mov @r0, a ;
inc dptr ;
inc r0 ;
djnz r1,loop ; ==========
mov a, $63 ; Store last byte of ESN
mov $66, a ; for random MIN routine.
mov a, $62 ; and third byte for random
anl a, #$9f ; first byte.
orl a, #$80 ;
mov $60, a ;
inc $60 ; ==========
xrl $61, a ;
dec $61 ; Randomize the second
mov a, $61 ; byte by using the
anl a, #$0f ; first byte as a seed.
mov $61, a ;
mov dptr, #$be00 ; ==========
movx a, @dptr ;
mov @r0, a ; Put position pointer for
inc dptr ; XOR code.
inc r0 ; Put DPTR in $64-$65
movx a, @dptr ;
mov @r0, a ; ==========
mov a, $64 ;
xch a, $83 ; $83 = DPH
; Take pointer for XOR, put
mov a, $65 ; it in DPTR. Then pull
xch a, $82 ; $82 = DPL
; the information in those
clr a ;
movc a, @a+dptr ; two bytes in the *ROM*
xrl $66, a ; (store for later use)
xrl $62, a ; and XOR it with the
inc dptr ; last two ESN bytes.
clr a ;
movc a, @a+dptr ;
xrl $63, a ; ==========
inc $65 ;
mov a, $65 ; Increase the position
jnz nocarry ; of the pointer
mov a, $64 ; for doing an XOR.
inc a ; with the carry
cjne a, #$97, noflip ; function.
clr a ;
noflip: mov $64, a ; ==========
nocarry:mov dptr, #$be00 ;
mov a, $64 ; Store the new pointer
lcall $2ffb ; into the EEPROM
inc dptr ; at $BE00
mov a, $65 ;
lcall $2ffb ; ==========
mov dptr, #$bf3b ;
movx a, @dptr ; Take the time
add a, $62 ; used in minutes
mov $62, a ; on the phone
inc dptr ; and add it to
movx a, @dptr ; the ESN.
add a, $63 ;
mov $63, a ; ==========
mov dptr, #$bec2 ;
mov r0, #$60 ; Store the
mov r1, #$04 ;
esnloop:mov a, @r0 ; new ESN into
lcall $2ffb ;
inc dptr ; the EEPROM.
inc r0 ;
djnz r1,esnloop ; ==========
mov dptr, #$bea1 ; If $BEA1 is set to
movx a, @dptr ; #$01, then don't
cjne a, #$01, fixmin ; randomize the
ljmp done ; phone number.
fixmin: mov a, $63 ; ========== [Begin MIN Randomizer]
anl a, #$03 ;
cjne a, #$03, notbad ; Randomize The Two high bits
anl a, #$01 ; of x where last four = xYYY
; SID------- min1/min2------------------- IPCH------ OLC- GIM-
; NAM1 A02B A06B A0AB A0EB A12B A16B A1AB A1EB A22B A26B A2AB
; NAM2 A2EB A32B A36B A3AB A3EB A42B A46B A4AB A4EB A52B A56B
; NAM3 A5AB A5EB A62B A66B A6AB A6EB A72B A76B A7AB A7EB A82B
; NAM4 A86B A8AB A8EB A92B A96B A9AB A9EB AA2B AA6B AAAB AAEB
; NAM5 AB2B AB6B ABAB ABEB AC2B AC6B ACAB ACEB AD2B AD6B ADAB
; A B C D E F G H I J K
notbad: mov $67, a ;
mov dptr, #$a3eb ; Row = E
movx a, @dptr ; =======
anl a, #$fc ; Randomize The Two low bits
orl a, $67 ; of x where last four = xYYY
lcall $2ffb ; =======
mov dptr, #$a42b ; Row = F
movx a, @dptr ;
xrl $66, a ;
mov a, $67 ;
cjne a, #$02, alltwo ;
mov a, $66 ; Randomize the upper
anl a, #$7f ; 6 bits of the 10bit last 3
mov $66, a ; digits of the MIN.
alltwo: mov a, $66 ;
anl a, #$3f ;[ MIN setup: ]
cjne a, #$3f, notbig ;[areacode--- 10 binary spaces (0=9&HEXCOV)]
mov a, $66 ;[exchange--- 10 binary spaces (0=9&HEXCOV)]
anl a, #$fe ;[7th digit-- 4 binary space (DIRECT DEC) ]
mov $66, a ;[8-10 dig--- 10 binary spaces (0=9&HEXCOV)]
notbig: mov a, $66 ;
lcall $2ffb ; Randomize the lower
mov dptr, #$a46b ; Row = G
; 4 bits of the 10bit last 3
cjne a, #$3e, keepem ; digits of the MIN.
mov a, $62 ;
anl a, #$70 ;
mov $62, a ;
keepem: mov a, $62 ;
anl a, #$f0 ;
lcall $2ffb ; ========================================
lcall $5d84 ; NAM Checksum byte correction
mov dptr, #$7005 ;\
mov a, #$00 ;| Write protect EEPROM again!
movx @dptr, a ;/
done: mov r0, #$64 ;
mov r1, #$04 ; \
clr a ; | Clear
clwork: mov @r0, a ; | ESN/MIN
inc r0 ; | workspace
djnz r1, clwork ; /
clr a ;
ret ; Bye, bye NAM.
; ============= Subroutine for copying in a fake ESN ========================
letsgo: mov r0, #$60 ;
mov r1, #$04 ;
cploop: movx a, @dptr ;
mov @r0, a ; THIS WILL COPY A OBTAINED
inc dptr ;
inc r0 ; ESN TO THE LOCATION FOR
djnz r1, cploop ;
mov dptr, #$bec2 ; REAL ESN USE. FOR USE
mov r0, #$60 ;
mov r1, #$04 ; WITH ESN/MIN PAIRS.
wrloop: mov a, @r0 ;
lcall $2ffb ;
inc dptr ;
inc r0 ;
djnz r1, wrloop ;
ljmp done
autodia:mov a, #$01 ;\
mov dptr, #$7005 ; |Turn off EEPROM write protect.
movx @dptr, a ;/
clr $60 ; Make sure $60 is clean
; ******* Loop for 1 to 256
; \
mov $62, #$a0 ; | #$a0de Load First Address
mov $63, #$de ; | in Data Table
; /
; DPH DPL
; $83 $82
pulldat:mov $83, $62 ; \
mov $82, $63 ; | 82 = DPL
clr a ; | 83 = DPH
movc a, @a+dptr ; | 83 82
mov $60, a ; |
inc $63 ; | Read from Data Table starting
mov $82, $63 ; | at ROM address #$9f4e, we pull
clr a ; |
movc a, @a+dptr ; |
mov $61, a ; | the data (the data being a address)
mov $83, $60 ; | and test to see if there is
mov $82, $61 ; | data (an ESN) at that location.
movx a, @dptr ; |
jnz found1 ; /
inc $63 ; \
mov a, $63 ; |
cjne a, #$00, overtst ; | If we get nothing, we will add
inc $62 ; | one more (MUST be an even number
overtst:mov a, $62 ; | for this to work), while making
cjne a, #$a2, pulldat ; | sure we do not pass address
mov a, $63 ; | #$a140, which is the end of the ESN,
cjne a, #$90, pulldat ; |
ljmp nothing ; /
; ESN
; $62 - 1st byte ESN
; $63 - 2nd byte ESN
; $64 - 3rd byte ESN
; $65 - 4th byte ESN
; $66 - 1st byte NAM for SID
; $67 - 2nd byte NAM for SID
; $68 - NAM
; $69 - NAM
; $6A - NAM
; $6B - NAM
; $6C - NAM
found1: mov r0, #$62 ; | Setup for copy loop
mov r1, #$0B ; /
ncplop: movx a, @dptr ; \
mov @r0, a ; |
inc dptr ; | Copy Data to RAM
inc r0 ; |
djnz r1, ncplop ; /
; **************************************************
; ******* Use Number
; * BFE4 = Number of times can be ESN used
; * BEF5 = number of times it has been
; *******
usenum: mov dptr, #$bfe4 ; Times address
movx a, @dptr ; Lets see what's there
mov $56, a ; store for a sec
inc dptr ; bfe5
movx a, @dptr ; Lets see what's there
inc a ; We used it again, need to add that so
cjne a, $56, morlif ; Three strikes and you're out!
mov $83, $60 ; \
mov $82, $61 ; | Load DPTR
; /
clr a ; A = 00
mov r0, #$0b ; Loop X number
delesn: lcall $2ffb ; \
inc dptr ; | Wipe out ESN
djnz r0, delesn ; /
morlif: mov dptr, #$bfe5 ; Load address
lcall $2ffb ;
;**************************************************
comonp: mov dptr, #$bec2 ; \
mov r0, #$62 ; | Set up for ESN Write
mov r1, #$04 ; /
nwrlop: mov a, @r0 ; \
lcall $2ffb ; |
inc dptr ; | **Write ESN loop
inc r0 ; |
djnz r1, nwrlop ; /
mov dptr, #$ab2b ; <---- SID address
mov r0, #$66 ; <---- Start RAM at SID
mov r1, #$07 ; <---- #7 Times
;
; SID------- MIN1/MIN2-------------------
; AB2B AB6B ABAB ABEB AC2B AC6B ACAB
;
donam: mov a, @r0 ; \
lcall $2ffb ; |
lcall $3110 ; | Write SID, MIN1 and MIN2
inc r0 ; |
djnz r1, donam ; /
mov r0, #$60 ; \
mov r1, #$0D ; |
clr a ; | Clear
clwrk2: mov @r0, a ; | ESN/SID/MIN1/MIN2
inc r0 ; | workspace
djnz r1, clwrk2 ; /
clr a ; Clear A
lcall $5d84 ; NAM Checksum byte correction
mov dptr, #$7005 ; \
mov a, #$00 ; | Write protect EEPROM again!
movx @dptr, a ; /
ljmp done ; New ESN/MIN
rotate: mov a, #$01 ; \
mov dptr, #$7005 ; | Turn off EEPROM write protect.
movx @dptr, a ; /
clr $60 ; Make sure $60 is clean
clr $61 ; Make sure $61 is clean
; 01
mov dptr, #$bef6 ;
movx a, @dptr ; load up offset
mov $61, a ; load up offset
;************************************************
mov dptr, #$bfe4 ; Times address
movx a, @dptr ; Lets see what's there
mov $56, a ; store for a sec
inc dptr ; bfe5
movx a, @dptr ; Lets see what's there
inc a ; We used it again, need to add that so
cjne a, $56, morlif ; Three strikes and you're out!
;************************************************
allovr: inc $61 ; $61 is needed because A is used
; for other things
mov a, $61 ; And if $61 is different
cjne a, #$e8, donew ; We only have 230 ESNs to spin thru
mov $61, #$01 ; back to z old FF
donew: mov a, $61 ; We have to copy it again if it is different
movx @dptr, a ; write the new value back
;
; The reason I copy A to $61 and back
; is because A is used else where
;
mov $60, #$e7 ; the total value
mov dptr, #$a28e ; Load the END of the data
rrssee: mov a, $60
cjne a, $61, decrota ; do we have a match?
sjmp gtaaddr ; gotta address
decrota:dec $82 ; \
dec $82 ; DPH DPL | dec on DPTR
mov a, $82 ; |
cjne a, #$fe, nofdech ; $83 $82 | With carry
dec $83 ; /
nofdech:djnz $60, rrssee ; loopit!
ljmp nothing ; there is nothing there,..
gtaaddr:movx a, @dptr ; Load of the ESN for a test
jz allovr ; Is there data there?
mov r0, #$62 ; | Setup for copy loop
mov r1, #$0B ; /
rcpllop:movx a, @dptr ; \
mov @r0, a ; |
inc dptr ; | Copy Data to RAM
inc r0 ; |
djnz r1, rcpllop ; /
ljmp comonp
.END
--------------------- 4715e.asm End - Cut Here - End --------------------
The Network Wizards Interface cable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
With the interface cable, one can program the NAM and ESN on the phone
with this mod. Clone a phone fast, easy and fun!
---------------------- prog.c - Start - Cut Here ------------------------
/*
ESN Location #1 $be8e-$be91
ESN Location #2 $be93-$be96
ESN Location #3 $be98-$be9b
ESN Location #4 $be9d-$bea0
ESN location #5 $BEA2-$BEA5
*/
/* The header names were lost from the original seven #include lines when
   this file was HTMLized (the angle-bracketed names were stripped). The
   five below are inferred from the calls this program makes; the remaining
   two of the original seven are unknown. */
#include <stdio.h>   /* printf, fprintf, puts, scanf */
#include <stdlib.h>  /* exit */
#include <string.h>  /* strcpy */
#include <conio.h>   /* getche (DOS) */
#include <dos.h>     /* delay (DOS) */
#define FALSE 0
#define TRUE 1
#define SWAP(a,b) (a^=b,b^=a,a^=b)
typedef unsigned char bool;
typedef unsigned char byte;
typedef unsigned int word;
#include "ctlib.h"
/* Defines that CTLIB does not have */
#define CT_KEY_1AND3 0x30
#define CT_KEY_4AND6 0x31
#define CT_KEY_7AND9 0x32
#define CT_KEY_STAR_POUND 0x33
#define CT_KEY_RCL_MENU 0x28
#define CT_KEY_SND_END 0x35
/* You may want to use these too!#@ */
#define BUFLEN 128
#define ESC 0x1B
char buf[BUFLEN];
char ps_system;
byte nambyte = 0x00;
byte namonebyte =0x01;
int ps_cc; /* control channel */
int ps_cc_rss; /* control channel last rss */
char ournum[32]; /* our telephone number */
unsigned long ouresn; /* our esn */
main(argc,argv)
int argc;
char *argv[];
{
int i;
/* initialize ct library using the specified COM port */
if (argc > 1)
{
if (*argv[1] == '1')
ct_lib_init(900,0x3f8,4);
else if (*argv[1] == '2')
ct_lib_init(900,0x2f8,3);
else if (*argv[1] == '3')
ct_lib_init(900,0x3e8,5);
else
{
puts("Type 'TMPRO 2' to use COM2");
exit(0);
}
}
else
ct_lib_init(900,0x3f8,4); /* com1 by default */
/* power up oki and tell it what mode to use */
if (!ct_on(MODE_TEST))
{
fprintf(stderr,"?No response from OKI\n");
cleanup();
exit(1);
}
if (!ct_on(MODE_TEST))
{
fprintf(stderr,"?No response from OKI\n");
cleanup();
exit(1);
}
strcpy(ournum,nam_info[ct_state.namindex].number); /* use current nam */
printf("Current NAM index #: %d\n",ct_state.namindex);
printf("Current NAM number : %s\n",nam_info[ct_state.namindex].number); /* .number is a string, so %s, not %d */
printf("Tel# is %s, ",ournum);
if (!ct_get_esn(&ouresn))
{
fprintf(stderr,"?Can't get ESN\n");
cleanup();
exit(1);
}
printf("ESN is %08lx\n\n",ouresn);
cmd_elite_stuff();
cleanup();
exit(0);
}
cleanup()
{
ct_off(); /* turn off phone */
ct_lib_done(); /* cleanup library stuff */
}
cmd_power_messages()
{
byte c,x;
word pointer; /* holds 0xBEAF+x; a byte would truncate the address */
char powerstring[8];
char ch;
for (c=1;c<32;c++)
{
for (x=0;x<8;x++)
{
powerstring[x] = (c*8) + x;
printf("%x ",powerstring[x]);
pointer = 0xBEAF + x;
ct_set_block(&powerstring[x],pointer,1);
}
printf("\n");
ct_off();
ct_on(MODE_NORMAL);
ch = getche();
ct_off();
if (ch == 'x')
{
cleanup();
exit(1);
}
delay(1000);
ct_on(MODE_TEST);
ct_get_nams();
}
}
cmd_elite_stuff()
{
char ch;
unsigned long esn;
byte counter;
char sysid[6];
fetch_esn(&esn,1);
printf("our NAM#1 ESN : %08lx\n",esn);
fetch_esn(&esn,2);
printf("our NAM#2 ESN : %08lx\n",esn);
fetch_esn(&esn,3);
printf("our NAM#3 ESN : %08lx\n",esn);
fetch_esn(&esn,4);
printf("our NAM#4 ESN : %08lx\n",esn);
fetch_esn(&esn,5);
printf("our NAM#5 ESN : %08lx\n",esn);
printf("Enter number of NAM to configure (1-5) : ");
ch = getche();
printf("\nEnter new ESN : ");
scanf("%8lx", &esn);
printf("Enter new MIN : ");
scanf("%10s", ournum);  /* arrays decay to char*, no & needed */
printf("Enter system ID : ");
scanf("%5s", sysid);
store_esn(esn, ch-48);
nambyte = ch-48;
ct_set_block(&nambyte,0xBF2C,1);
ct_set_block(&nambyte,0xC0FF,1);
store_min((ch-48),ournum,sysid);
}
int fetch_esn(esn,nam)
unsigned long *esn;
int nam;
{
word addr;
union esn_un {
unsigned long l;
byte b[4];
} myesn;
switch (nam) {
case 1: addr = 0xBE8E; break;
case 2: addr = 0xBE93; break;
case 3: addr = 0xBE98; break;
case 4: addr = 0xBE9D; break;
case 5: addr = 0xBEA2; break;
default: return(1); break;
}
ct_read_block(esn,addr,4);
myesn.l = *esn;
SWAP(myesn.b[0],myesn.b[3]);
SWAP(myesn.b[1],myesn.b[2]);
*esn = myesn.l;
return(0);
}
int store_esn(unsigned long stored_esn, int nam)
{
word addr;
union esn_un {
unsigned long l;
byte b[4];
} myesn;
switch (nam) {
case 1: addr = 0xBE8E; break;
case 2: addr = 0xBE93; break;
case 3: addr = 0xBE98; break;
case 4: addr = 0xBE9D; break;
case 5: addr = 0xBEA2; break;
default: return(1); break;
}
myesn.l = stored_esn;
SWAP(myesn.b[0],myesn.b[3]);
SWAP(myesn.b[1],myesn.b[2]);
stored_esn = myesn.l;
ct_set_block(&stored_esn,addr,4);
return(0);
}
store_min(int nam, char *num, char *sysid)
{
int x;
ct_off();
ct_on(MODE_NORMAL);
delay(1000);
send(CT_KEY_RCL_MENU);
send(CT_KEY_STAR);
send(CT_KEY_6);
send(CT_KEY_2);
send(CT_KEY_7);
send(CT_KEY_2);
send(CT_KEY_9);
send(CT_KEY_8);
send(CT_KEY_5);
send(CT_KEY_4);
send(CT_KEY_POUND);
printf("Waiting for messages to settle\n");
delay(4000);
for (x=0;x<4+nam;x++)
send(CT_KEY_DOWN);
printf("Waiting for NAM %d to fall through\n",nam);
delay(3000);
sendnum(num);
send(CT_KEY_STO);
send(CT_KEY_DOWN);
sendnum(sysid);
send(CT_KEY_STO);
send(CT_KEY_CLR);
send(CT_KEY_CLR);
ct_off();
}
sendnum(char *number)
{
int x;
for (x=0;x