Group 42-Sells Out! - The Information Archive

home *** CD-ROM | disk | FTP | other *** search

/ Group 42-Sells Out! - The Information Archive / Group 42 Sells Out (Group 42) (1996).iso / commun / cell / dtcell.txt < prev next >

Wrap

Text File | 1995-11-26 | 66KB | 1,329 lines

The following file is a verbatim transcript of an article by the same name appearing in the November, 1992 issue of NUTS & VOLTS Magazine. Copyright (c) 1992 Damien Thorn and T & L Publications. Permission is granted to freely distribute this file in unmodified form. Identifying board headers may be added as desired. A CELLULAR COMMUNICATIONS PRIMER By Damien Thorn INTRODUCTION The specific technologies involved in the cellular network are highly complex, comprised of a vast array of computers, control equipment, transceivers, multiplexers, switching equipment, etc. The theory and principals of operation which we'll cover here are much easier to comprehend. With this article you'll learn the basics, and how you can profit from that understanding. Next month I'll show you how to reprogram a cellular phone through the keypad. Cellular telephones are viewed by most users as simply another phone, albeit cordless. A cellular mobile telephone (CMT) emulates a landline set so credibly that the deepest technical concern for most people is remembering how to make the phone dial a frequently called number stored in memory. The comfort and familiarity of the phones are by design, I'm sure. To a public that has difficulty programming a VCR, the reality of cellular technology would be overwhelming and perhaps somewhat frightening. Cellular phones are little more than low power transceivers capable of transmitting and receiving a total of 666 or 832 frequencies, depending on the model. They operate in a full-duplex mode, transmitting the mobile side of the conversation on one frequency while simultaneously receiving the other side from the cell site on a different frequency. A basic multi-channel two-way radio under the control of some powerful software. The network itself is where the engineering genius becomes apparent. OVERVIEW OF NETWORK ARCHITECTURE The cellular network consists of a honeycomb of transceiver sites (towers), each capable of handling up to about 40 separate cellular calls. Each site has an effective range of 3-5 miles. The term "cell" is derived from the size and shape of the site's coverage pattern, and the arrangement of the cell sites. The various sites in each city are all linked together through the mobile telephone switching office (MTSO). The MTSO not only coordinates the use of the radio spectrum, but utilizes computers to authenticate a subscriber's phone before making the connection and maintains billing records. The MTSO also serves as the interface point with the landline telephone company for cellular calls. As you drive through town the MTSO monitors the relative signal strength of the transmission from your phone. When the signal strength becomes higher in any cell other than the one handling your call, the MTSO uses a frequency known as a control channel to transmit data to your phone telling it to switch frequencies and lock into another cell. This "hand off" from one cell to another happens so quickly that most people never notice the transition from one frequency or cell site to the next. This is noteworthy because the hand off required your phone to change transmit and receive frequencies, while the cellular network not only reestablished radio contact with you on another transceiver, but rerouted the landline audio to that cell site as well. The cell site is generally located in the center of the cell. This is where the antennas, transceivers and control equipment are located that serve that cell. Due to the limited coverage area of the cell, these cell sites are located a maximum of ten miles from each other to provide uninterrupted coverage without "dead spots" - areas where your phone cannot operate because you're out of range of a cell. Since most markets are served by two cellular service providers who do not share cell sites, there are actually twice as many cells (and cell sites) than would be required for one provider to supply service. In the past I've worked at radio station transmitter sites that leased tower space to cellular companies, but I never realized how prolific these cell sites were until I studied the technology and looked closely at the antennas around me. Where ever your phone works, you're within three to five (line of sight) miles of a at least two sites, and probably more since coverage areas overlap. The adjacent cells never share common frequencies to avoid interference. Cellular sites come in different forms. In congested metropolitan areas the transceiver sites may be located on taller buildings. In other areas they are located on stand alone towers. Towers can either be built by the cellular carrier for their exclusive use, or the cellular antenna array can share a common tower (an "antenna farm") with other radio and broadcast services. No matter where the antennas are located, they can be recognized easily by their unique three- sided configuration. Refer to the accompanying photos for examples of two common types of cellular arrays. When I asked both cellular carriers based in Sacramento to disclose the location of their cell sites in my area, they refused. The customer relations representatives indicated the information was confidential - almost a trade secret. I left voice mail messages with their engineers describing the information I wanted. Neither even returned my call. The implications of this guarded attitude are interesting, and more than a bit disconcerting. Fortunately the FCC maintains public records on all transmitter licensees, and the California Public Utilities Commission (CPUC) requires cellular companies to file abstracts with them containing the information I wanted. The CPUC even told me the name of the person who would be available to help me dig through the abstracts and make photocopies. I didn't bother, but it was nice to see my tax dollars at work for my benefit. OPERATING FREQUENCIES The frequency spectrum allocated by the FCC used by the phone to transmit voice and data to the cell site is 824.000 - 849.000 Mhz. The tower transmits to the phone on a spectrum of the same size from 869.000 to 894.000 Mhz. The cellular frequencies are narrow band FM, all spaced 30 Khz apart, so determining every specific frequency is a matter of simple addition. For example, knowing the lowest frequency used by a cell site is 869.000 Mhz, simply increment upward in 30 Khz steps: 869.030, 869.060, 869.090, 869.120, etc. The frequencies used by the phone for transmission to the tower increment upward the same way from 824.000 Mhz. The frequencies are paired so that the phone is always transmitting to the tower on a frequency exactly 45 Mhz lower than the frequency the tower is using. If the landline (base) side of the call is transmitted to the phone on 887.940 Mhz, then the phone is simultaneously transmitting the mobile side of the call back to the cell site on 842.940 Mhz. Cell sites generally transmit the mobile side of the call at reduced gain back to the cellular phone along with the audio from the landline side of the call. This can be intentional, as in the "side tone" present in a standard landline telephone receiver, or the result of poor nulling where the cellular network interfaces with the Telco lines. This means anyone with a receiver or scanner capable of tuning the upper frequency in the pair can monitor both sides of the conversation. It is illegal to do so, however. CELLULAR COMMUNICATIONS PRIVACY To calm fears that cellular calls were not private, the cellular industry lobbied congress into passing legislation known today as the Electronic Communication Privacy Act (ECPA) of 1986 which makes it a crime to monitor cellular phone calls and a host of other transmissions like digital pagers. This law is used by cellular equipment dealers and service providers to reassure customers that their conversations will remain private. A person using a cellular phone is broadcasting his private conversation on airwaves owned by the general public. These radio signals permeate our homes, bodies, and scanning receivers. Yet so complete is the cellular transceiver's emulation of an actual telephone that the general public not only expects privacy, but feels confident that the call is secure. Nobody could possibly be sitting in the privacy of their living room monitoring the conversation. That would be a Federal crime. The ECPA has been described as a "toothless tiger" as it is virtually unenforceable. A growing number of scanner enthusiasts are monitoring cellular calls rather than the local fire department because it is much more entertaining. The ECPA is ignored by the public and law enforcement alike, just like the laws remaining on the books that make it illegal to work on Sunday. The bottom line is that it is up to you and I to ensure the privacy of our cellular calls. If you don't want to use a scrambling system, simply don't talk about anything on a cellular phone that you wouldn't discuss using your rig on the amateur bands. TELEPHONE CONTROL DATA With this simplified overview of the cellular network under your belt, let's dig a little deeper into the data exchanged by the cellular carrier and your phone. Obviously there is more information being sent by your phone to the cellular company than your conversation. The service provider needs to identify your physical phone, cellular phone number, etc. This is accomplished via data transmitted by your phone on a frequency set aside as a "data channel" in each cell every time you turn it on or use it. Your phone transmits six pieces of information to the cellular provider. One is the Electronic Serial Number (ESN) of your phone. Every cellular phone is assigned an ESN when manufactured. This ESN consists of numerical data which identify the manufacturer of the phone as well as the actual unique serial number of the specific phone. The ESN is an eleven digit (decimal) number which has been burned into a PROM chip permanently installed in the phone. Like the Vehicle ID Number (VIN) on your car, it is not designed to be removed or modified, although hackers occasionally do in order to circumvent billing procedures (see sidebar). One other item transmitted is your Mobile Identification Number (MIN) which is the actual ten digit area code and telephone number assigned to your phone. The remainder are numerical codes used by the cell site to identify things like your class of service and the specific capabilities of your phone hardware. This data is supplied when you activate service with the carrier. The ESN and MIN are matched and checked by computer against a database each time you use the phone to ensure that you are a valid subscriber, or roaming from a system the carrier can bill for your calls. All of this information (except the ESN) is provided by the cellular carrier and programmed into your phone when you subscribed to their service. The vast majority of cellular phones manufactured today are reprogrammable through the handset. This means that you can change (reprogram) this information yourself without costly programming devices simply by entering the proper keystrokes on the telephone handset, and punching in the data. This knowledge opens up a number of possibilities. If you activate or change your cellular service, you can program the phone yourself with data supplied by the cellular carrier and save paying any type of reprogramming fee. If you're looking to acquire equipment, you can canvass flea markets, swap meets and the pages of classified ad magazines such as Nuts & Volts for great deals on used phones. Not only will you enjoy savings on the hardware, but you'll only need to pay the cellular company to activate service, since you can program the phone yourself. In my article next month in Nuts & Volts I'll explain all the data programmed into a phone, explain what it means, and lead you step by step through the handset programming of a popular phone. This information is an important reference for those who may just want to do something simple like change the unlock code on the phone. We'll also take a look at the publications available through Nuts & Volts advertisers that explain cellular telephone reprogramming and modification in depth. ***************************************************************** BUYING USED CELLULAR GEAR A FEW CAVEATS When shopping the classifieds, flea markets and electronics swap meets for great deals on used cellular telephones, keep the following points in mind to avoid getting "burned." Cellular phones are a major target of theft in some cities. They appeal to criminals such as drug dealers because they allow anonymous and virtually untraceable communication from a vehicle or street corner. The phone is discarded as useless when the service is disconnected, and such units may unwittingly be resold with other used equipment. There is no real way to discern this other than to phone your local cellular service provider to see if the phone's ESN is flagged in their computer as having been stolen. The other type of phone to avoid is one that has been physically modified. Hackers have been known to replace the factory PROM chip containing the ESN with a custom burned chip, thus changing the ESN. If this is done for the purpose of fraudulently making free calls, the ESN chip must be changed periodically as the cellular carrier discovers the fraud associated with that ESN. Detection of this type of modification is easy. Cellular manufacturers as a rule do NOT use a socket to hold the ESN chip. The PROM is usually not only soldered to the board, but sealed in epoxy or "air welded" to the circuit board to discourage this type of modification. An IC socket is usually installed by the hacker to facilitate easy insertion of updated PROM as necessary. No reputable service center will repair a phone if it appears someone has tampered with the ESN, and might call the police if presented with such a phone. The vast majority of equipment you'll find on the open market is genuine surplus or used merchandise. With the above information in mind you can examine the phone and be confident about your decision to make a purchase. ***************************************************************** CELLULAR TELEPHONE PROGRAMMING Focusing on Fundamentals By Damien Thorn The ever-increasing use of cellular telephones has created a market for people with the skills to install and program them. Installation is no more difficult than installing a CB radio, and programming is accomplished by entering data via the keypad on the phone. Whether you want to completely reprogram a new or used phone, or simply change your unlock code, there is no reason to pay a dealer to do it when you can do it yourself in a matter of minutes. In the early days of cellular technology, an external device such as a "programming handset" or ROM programmer was required to "burn" the mobile telephone number and service information into the phone. Today's cellular phones incorporate resident software that allows you to key in the required information on the phone itself. When you are finished and satisfied you've entered the correct data, the phone burns it to non-volatile memory with the push of a button. To understand why the simple process of programming a cellular phone seems to be an industry secret, you need to understand that it is a lucrative service offered by cellular dealers. There is no profit to be made selling the phone hardware. Most dealers sell at close to cost just to remain competitive. The real profits are derived from commissions received from the cellular carriers (service providers) for getting customers to sign up with them. Due to the widespread use of surface mount technology within the phone, service centers almost always return them to the manufacturer for repair. Fortunately for these dealers, most service problems are external, involving the antenna, connectors, cables or a need for reprogramming. These are all relatively simple matters that can quickly be diagnosed and repaired in the shop, thus generating income. Aside from the Federal and State regulations governing the sales and service of cellular equipment (because it is a transmitter), only basic electronics skills and minimal equipment are required to begin such a business. INTRODUCTION TO CELLULAR PROGRAMMING The purpose of this article is to present the fundamentals of cellular programming. I've also included brief reviews and sources of publications that are essential to anyone interested in pursuing cellular programming as a hobby or profession. The basic principals of programming are the same from phone to phone. Each manufacturer (or model),however, has a unique sequence of key strokes to access the programming mode as well as a few other programming quirks. If you plan to work with more than one brand of phone, a publication containing programming tables (or "templates") is a must. The phone used for this article is a common Motorola transportable "bag phone." One reason for selecting this phone is because I own one. The other is because Motorola is the most prolific manufacturer of cellular phones. Also, the "universal" nature of the Motorola programming instruction set used as an example can be used on most of their phones as presented herein. Not only do they make gear bearing the Motorola brand name, they custom manufacture phones for a variety of other vendors. Some examples include the brand names Ambassador, America Series, Dynasty, Modar, Nautilus, Pulsar, Tracer, Blaupunkt, Nissan Infiniti, Toyota LEXUS, and models for AUDI and Ford. PRELUDE TO PROGRAMMING Before you even begin to program a phone, you need to obtain the required data. If you just want to change your unlock code, then you need to make up a convenient three-digit number. Activating service on a used phone requires you to obtain certain information from the cellular carrier providing you with service. Here is a description of the data you will need: 01) System Identification Number (SID): A five digit number that has been assigned to identify the particular cellular carrier from whom you are obtaining service. This number identifies your "home" system. 02) Area Code of Mobile Identification Number (MIN): Simply the area code of your cellular telephone number. MIN is the "official" term for the phone number assigned to you by the cellular company. 03) Mobile Identification Number (MIN): The MIN is the actual seven digit cellular telephone number assigned by the cellular carrier exclusively to your phone. 04) Station Class Mark (SCM): A two-digit number that identifies certain capabilities of your phone. How the cellular network handles your call is based on these digits. The SCM tells the system whether your phone transmits at standard power levels or low power levels, if it can utilize the full 832 channels or only the original 666 frequencies. The last attribute identified is whether your phone employs voice-activated transmission (VOX). A phone without VOX is continuously transmitting a carrier back to the cell site the entire time your call is in progress. The VOX operation used in smaller phones allows the phone to transmit only while you are actually talking. This reduces battery drain and enables handheld phones to operate longer on a smaller battery than would be possible without VOX. To determine the proper SCM for your phone, examine Table 1 and use the code that matches the presence (or absence) of each of the attributes described above. 05) Access Overload Class (AOLC or ACCOLC): A two-digit number used to arbitrate who gets dropped from the system (or refused access) when there are more calls in a cell than can be handled at one time. This feature is allegedly disabled in most systems and no preferential treatment is shown to any particular ACCOLC. 06) Group Identification Mark (GIM): The Group ID Mark is a two-digit number used by cellular sites other than your home system to determine if you should be allowed access to the system on "roam" status. This feature is not yet fully implemented. 07) Security Code: This six-digit number is used to prevent unauthorized or accidental alteration of the data programmed in the phone. The factory default is 000000. 08) Unlock Code: This is a three-digit number required to unlock the phone when you have electronically locked it to prevent unauthorized use. The factory default is "123", however many cellular programmers change it to match the last three digits of your MIN (phone number). 09) Initial Paging Channel (IPCH): This is the channel number used by the cellular provider to "page" the phones in use on the system. The term "paging" refers to notifying a particular phone that it has an incoming call. All idle phones on a system monitor the data stream on the IPCH. Non-wireline cellular carriers use channel 0333 as the IPCH, while wireline providers (operated by a telephone company) utilize channel 0334. 10) Options programming byte A 11) Options programming byte B The options bytes are six and three-digit binary numbers used to enable or disable certain options on the phone. Each digit is either a "1" or "0". Options byte A consists of six bits. We'll label them "ABCDEF" for our purposes, where each letter represents a bit set to "1" or "0". Here is what each bit controls: Bit "A" - Handset internal speaker: A "1" in this position disables the internal speaker of your handset to facilitate the use of an external speaker/microphone combination. This bit is set to "0" in a normal installation to allow normal operation of the handset speaker. Bit "B" - Local Use bit provided for certain cellular carrier system requirements. This is normally enabled with a "1". Bit "C" - MIN mark bit: Usually disabled with a "0" in this field. Bit "D" - Auto recall: The auto recall function is always enabled with a "1" in this position. Bit "E" - Second phone number: If the phone has a dual system registration capability, and you are in fact registered with two different cellular carriers, the function is enabled with a "1" in this field. A "0" in this position indicates the standard cellular configuration having just one telephone number. Bit "F" - Diversity: This bit is used to enable diversity if your telephone is equipped with two antenna connections (ports). If your phone uses just one antenna (standard), this bit is set to "1" to disable diversity. If the phone was of a standard configuration, the description above indicates that this option byte would be programmed as "110100" with each bit enabling or disabling the specific option as appropriate. Option byte B operates in the exact same fashion, except the byte consists of only three bits, controlling three options. We'll label the bits "ABC" where each letter represents a specific bit. Bit "A" - Long tone DTMF: A "1" in this position enables long tone DTMF for end-to-end signalling. This means that the phone will transmit a DTMF tone for as long as you depress a key on the key pad. A "0" will disable this feature, causing the phone to send a short burst of DTMF when you dial, no matter how long you hold down the key. Bit "B" - A "0" in this position enables the internal speaker of a transportable phone to act as the "ringer" to signal an incoming call. This feature can be disabled by programming a "1" in this position if you have some ancillary device connected to signal ringing. Bit "C" - Eight hour timeout: This feature is normally enabled with a "0" in this position. When enabled, the phone will timeout and turn off if it has been left on continuously for eight hours. This helps prevent the phone from completely draining the battery of your car if it is inadvertently left on for an extended period without being used. ENTERING PROGRAMMING MODE Once you have determined the proper values for the data fields described above, you can get down to the actual programming of the phone. With the above data in front of you, it becomes a simple matter of punching it all in on the keypad. To begin programming the phone, you need to enter the programming mode. Almost all Motorola phones use one of six possible key stroke sequences to gain access to the programming mode. These are numbered one through six and listed in Table 2. Indexing the exhaustive list of model numbers to the appropriate sequence number is beyond the scope of this article. It is not difficult to figure out, and whether or not the phone has a "Fcn" (function) or "Ctl" (control) key narrows it down to one or two possibilities. The security code used to enter the programming mode consists of six digits. It is keyed in twice, as though it were a twelve digit number, and in a couple of the sequences is prefaced with a zero for a total of thirteen digits. All Motorola phones are shipped new with the factory default security code set to 000000. Most cellular programmers do not change this, as it only makes reprogramming more difficult in the future. Roughly 80% of the phones I've encountered retain the factory default security code. The other 20% had been changed to 123456 by a local cellular dealer. While the security code could conceivably be any six digit number, you should be aware that this code is only useful to prevent idle tampering with the programming, not lock out the personnel at other service centers. The security code is by no means akin to the vault door protecting the contents of Fort Knox. In the next issue of Nuts & Volts I'll show you how to build manual test adapter from one inexpensive part obtainable at any Radio Shack store. This device will immediately allow you to enter the programming mode without the security code. You can then view and change the security code or all of the programming if you wish. Once in programming mode, the phone will display "01" which indicates the phone is at the first programming step (or field). Table 3 is a template of the programming steps, and you'll notice that the step numbers correspond with the numbers prefacing my descriptions of the required data above. The phone always displays the two-digit field identifier before displaying the data in that particular field. This lets you know where you are in the programming sequence. COFFEE BREAK: TIME FOR AN ASIDE It would not be unusual for you to feel a bit overwhelmed right now. I was confused the first time I attempted to program a cellular phone. If this is your first exposure to cellular programming, may I suggest you grab a cup of coffee and reread the article up to this point before you actually attempt the programming process. At first the idea of security codes and determining the proper sequence necessary to access the programming mode was disconcerting and a bit frustrating. Once this step had been accomplished, I was delighted to discover how easy the actual programming was. If you have difficulty accessing the programming mode, here is a helpful tip: Let's say the phone is quiescent until you've keyed in the entire sequence, including the 13 digits comprising the security code, but fails to display "01" after the final keystroke. This indicates that you are using the correct sequence from Table 2, but the security code is incorrect. If you are using the wrong keystroke sequence to enter programming mode, the phone will abort in the midst of keying in the security code, because it fails to recognize why you are punching in all the digits. If you are using the correct sequence to access the programming mode, the display on the phone will not echo (display) the security code unless you are keying it in too slowly. KEYING IN THE DATA The process leading up to this point is actually the majority of the work involved in programming a cellular phone. Keying in the data is so easy that it's almost disappointing. If you've successfully accessed the programming mode, your phone will display "01" to identify the current field. Pressing "*" advances the display to the data in that field. You can then key in new data and press "*" to advance to step "02", or press "*" without entering data to retain the information currently stored within the field. I just want to change my unlock code, so I need to advance to the field where this data is stored. A quick glance at Table 3 tells me that my current unlock code is stored in field 08. To get to this field, I need only to repeatedly press the "*" key to sequence the phone through the fields without altering any of the data. When "08" is displayed, I know I've arrived at the field containing my unlock code. First I access the programming mode on my transportable phone by turning on the power and keying in sequence number 4 from Table 2. I depress the "control" key on the side of the handset and quickly punch in "0" followed by my security code twice (123456+123456) and finally press the "*" key. The display shows "01" to let me know I am at field 01, the SID. I press "*" to advance to the data, and the display shows "00224" which is my SID. I press "*" again and the software sequences to the next step. "02" is now on the display. Another "*" and the phone displays "209" which is the data in field 02 - my cellular area code. Depressing the star key advances us to step "03" which is my MIN. Pressing "*" displays the contents of field 03, and yes, it certainly is my cellular telephone number (MIN). Each time I press the "*" key the phone continues to advance to the next field number and then displays the data stored there. Since I want to change my unlock code, I repeatedly press the "*" key until the phone displays "08." This is the field containing that code. Another "*" and my display shows "602" which is my current unlock code. I want to change it to "977." With the old code in the display (602), I simply punch in the numbers 9+7+7. The display now reads "977" which will be my new unlock code. If I continued pressing the "*" key, the phone would sequence through the remaining fields until it returned to "01." I could then advance through the fields again. You might want to do this, just scrolling through the data programmed into your phone. Use Table C to identify the fields as you look at the data stored in each. If you accidentally alter the data in any of the fields while you are looking around, press the "#" key to exit programming mode without saving any of the changes to memory. The "#" key will abort the programming mode, leaving the previously stored information intact. Since I changed my unlock code, I need to burn the new information to the Numeric Assignment Module (NAM) in the phone. NAM is the term used to describe the EEPROM chip where the program data is stored. To save the new information, I press "Snd" (Send). This burns the changes to the NAM and exits the programming mode. These are the keys to remember while programming a phone, or just exploring the current programming: The "*" key advances to the next field or step. The "#" key aborts programming without saving any changes. The "Snd" key saves all changes to the NAM and exits programming mode. The "clr" (clear) key will restore a field to the previously stored data if you make a mistake while keying in digits. You can then reenter the data correctly. SUMMARY We've covered a lot of material, and I commend your tenacity. Cellular programming is actually an easy process. You now have a decent understanding of the fundamentals, and I assure you that a bit of practice will lead to a surprising proficiency. The information in this article is specific to cellular equipment manufactured by Motorola. Other manufacturers use somewhat different templates and methods to access the programming mode. If you want a deeper understanding of cellular programming or need the exact programming templates and instructions for a variety of phones, I suggest you buy one of the publications reviewed here. If you own just one model of phone and need a template or other basic assistance, I don't mind helping you out. You can contact me directly via mail at 6333 Pacific Avenue, Suite 203, Stockton, CA 95207-3713. If you need me to provide detailed information, I would appreciate it if you'd enclose a few dollars to help offset my expense. I welcome all comments, and encourage suggestions for future articles. Building a test adapter for Motorola phones is the subject of my article next month in Nuts & Volts. Placing a phone in test mode will allow you to bypass the keystroke sequence and security code to access programming mode. This is a device every cellular service person should have. In addition to getting around a security code long forgotten by a customer, you'll learn how to reset the cumulative call timer, reset the NAM programming to default values and a host of other interesting test functions such as accessing the built-in relative signal strength indicator (RSSI) and channel number display available only when the phone is in test mode. # # # Table 1 DETERMINING YOUR STATION CLASS MARK (SCM) Proper SCM Value Attributes of Your Phone 00 Standard power output; 666 channel cap.; no VOX operation. 04 Standard power output; 666 channel capability; uses VOX. 06 Low power output; 666 channel capability. 08 Standard power output; 832 channel cap.; no operation. 10 Low power output; 832 channel capability; no VOX operation. 12 Standard power output; 832 channel capability; uses VOX. 14 Low power output; 832 channel capability; uses VOX. The SCM value appropriate to your cellular phone should beentered in programming field "04." "Standard power" as used above refers to the RF output level of a transportable phone, or one installed in a vehicle. "Low power" refers to the reduced RF output of handheld units. Handheld phones utilize a lower power level not just because of their size and battery capacity. Since the transmitter and antenna are a part of the handset, it was determined that radiating a full three watts of RF just a few inches from your head might be unhealthy. # # # Table 2 PROGRAMMING MODE ACCESS SEQUENCES #1 - Fcn + [six digit security code] + [six digit security code] + Rcl #2 - Sto + # + [six digit security code] + [six digit security code] + Rcl #3 - Ctl + 0 + [six digit security code] + [six digit security code] + Rcl #4 - Control + 0 + [six digit security code] + [six digit security code] + * #5 - Fcn + 0 + [six digit security code] + [six digit security code] + Mem #6 - Fcn + 0 + [six digit security code] + [six digit security code] + Rcl Note: In sequence #4 the "control" key refers to the audio and ringer volume control button on the side of the handset if no "Ctl" key is present on the handset keypad. Example: If the appropriate sequence for my phone is #3, and my security code is 123456, I would key in the sequence as follows: A) Turn power on. Display reads "ON." B) Press: [Ctl], [0], [1], [2], [3], [4], [5], [6], [1], [2], [3], [4], [5], [6], [Rcl]. C) If entered correctly programming mode is active. Display reads "01." # # # Table 3 TEMPLATE: SEQUENCE OF PROGRAMMING STEPS Field Description Digits Typical Example 01 System ID Number (SID) 5 000233 02 Area Code of Mobile ID Number (MIN) 3 209 03 Mobile Identification Number (MIN) 7 555-1212 04 Station Class Mark (SCM) 2 12 05 Access Overload Class (ACCOLC) 2 06 06 Group ID Mark (GIM) 2 10 07 Security Code 6 000000 or 123456 08 Unlock Code 3 123 or last 3 digits of MIN 09 Initial Paging Channel (IPCH) 4 0333 or 0334 10 Options programming byte "A" 6 011100 (binary) Internal Speaker (1 = disable) X----- Local Use bit (1 = enable) -X---- MIN Mark bit (usually disabled = 0) --0--- Auto-Recall bit (always set to 1) ---1-- Second Phone Number (0 = disable) ----X- Diversity option bit (0 = disable) -----X 11 Options programming byte "B" 3 010 (binary) Long tone DTMF (0 = disable) X-- Ringer/speaker (1 = handset / 2 = transducer) -X- Timeout (8 hour) (0 = enabled) --X If second phone number option is enabled and supported by the hardware, this programming template will repeat for the second phone number. Each field identifier (step) number will be displayed with a "2" to indicate data for the second number. (e.g. "01 2"). ***************************************************************** SOURCES: A Review of Available Publications Every month I peruse the pages of Nuts & Volts with an eye for detail unmatched by the best Revenue Agents employed by the IRS. Why? Because I have an insatiable appetite for information - especially information surrounding technology that seems "inaccessible" to you and me. As a result, I've purchased all four publications advertised herein that deal with cellular communications. Each has unique features and all were worth the money. Here is my opinion of each: Cellular Programmer's Bible The Cellular Programmer's Bible definitely lives up to it's name. Over 300 pages of nothing but programming instructions for every conceivable cellular telephone manufactured. This tomeincludes the factory preset security codes to greatly simplify access to the programming modes of various phones. In addition to precisely detailing every programming sequence, each entry includes invaluable technical information on channel capabilities, test modes, and other unique tidbits applicable to the specific model of phone being described. This volume is mandatory for anyone considering offering programming services to the public. I discovered my Pac Tel Cellular customer service rep uses this same publication as his programming reference, although he carries it in a nondescript binder. Approximately 400 spiral bound 8.5 x 11" pages. $84.45. Available from: TeleCode, P.O. Box 6426, Yuma, AZ, 85366-6426. (602) 782-2316. Cellular Hacker's Bible The Cellular Hacker's Bible is TeleCode's other cellular publication. About one third of this book is devoted to programming templates for over thirty popular phones. The balance consists of an elaborate technical dissertation describing the operation of the cellular network which reads like a Bellcore technical document (coincidence?). From switching to timing and signalling protocols - it's all here. The attention to technical detail can be an engineer's dream or mind-numbing to the casual reader. Although I occasionally became bogged down in things like "wink start signalling" and multi-frequency (MF) call routing codes, I appreciated the excruciating detail when I came to the 18 pages listing each and every frequency in the radio spectrum allocated to the cellular network by the FCC. The reprogramming instructions are easy to follow, but not as comprehensive as the templates in TeleCode's other publication (above). Approximately 180 spiral bound 8.5 x 11" pages. $53.45. Available from: TeleCode, P.O. Box 6426, Yuma, AZ, 85366-6426. (602) 782-2316. Cellular Phone Phreaking Technical documents published "for educational purposes only" by Consumertronics have a unique format and tone not generally found in other books. John J. Williams, MSEE and proprietor of the company, has a gift for presenting detailed technical information in an almost conversational manner full of examples and anecdotes. Cellular Phone Phreaking is no exception. The programming instructions are equivalent to those contained within TeleCode's Cellular Hacker's Bible. The technical description of the cellular network is brief, and Williams includes an abundance of information on how individuals have been known to perpetrate cellular fraud. Included are relevant excerpts from various communications privacy laws, including the text of the Electronic Communications Privacy Act (ECPA). Of value to the technician or monitoring enthusiast are the mathematical algorithms necessary to determine the cellular channel numbers based on the radio frequencies used. While informative and entertaining, this book is a bit thin compared to the others, but Williams crams in a lot of information by using small type and not wasting an inch of space. Approximately 41 spiral bound 8.5 x 11" pages. $39.00. Available from: Consumertronics, 2011 Crescent Drive, P.O. Box 88310, Alamogordo, NM 88310, (505) 434-0234. Cellular Telephone Modification Handbook The Cellular Telephone Modification Handbook is the one publication reviewed that is not really a programming manual per se. It is a book explaining in detail how a hacker would change the Electronic Serial Number (ESN) of a cellular phone. As a "security manual," the book holds nothing back in precisely demonstrating how criminals can defraud the system by doing so. I should note that a legitimate application for this information would be to "clone" a phone that you already own. By duplicating the ESN of your existing phone into another phone, you could use either unit at any given time and avoid having to pay for an additional number and service for the second phone. This seems analogous to adding an extension phone to your telephone service at home. Why have a separate number for each "extension?" Cellular companies don't like it, but it doesn't appear to be illegal. Emulating the phone of your local bank president in order to make free calls is another story entirely. In addition to basic "universal" programming guidelines, this book includes "screen dumps" of PROM emulation software, lists of manufacturers' ESN prefixes and System Identification Numbers (SIDs). Complete with sources for parts and equipment, as well as books and magazines related to the field of cellular communications. The representative I spoke with at Spy Supply provides programming support for their customers. If you need assistance with a specific phone, he'll provide you with programming information for that particular model at no charge. After purchasing the manual, I tested this service and found that he could answer every question I threw at him without hesitation. The availability of this invaluable resource elevates Spy Supply above the ranks of a typical publisher. Approximately 52 spiral bound 8.5 x 11" pages. $79.95. Available from: Spy Supply, 7 Colby Court, Suite 215, Bedford, NH 03110, (617) 327-7272. ***************************************************************** CELLULAR TELEPHONE MANUAL TEST MODE How to Build and Use Programming Aids By Damien Thorn Over the last few months in Nuts & Volts we've taken a close look at cellular technology. From an overview of the network to a "hands-on" tutorial covering cellular telephone reprogramming. This article introduces the construction and use of a manual test adapter to assist in reprogramming or diagnosing problems in various cellular phones. You can build this device in about five minutes with one part from your local computer store or Radio Shack. The simplicity is elegant, and belies the powerful control you can achieve over your cellular hardware. Need to bypass the security code usually required for programming, or display the relative signal strength indication (RSSI) on a specific cellular channel? With a manual test adapter you're just a few keystrokes away from this and more. INTRODUCTION As I mentioned last month, there is little money to be made by cellular dealers in the sales of equipment. Hardware prices are so competitive that most dealers sell new equipment at close to cost. Dealers make their profit through commissions for signing up subscribers for cellular service, and by installation and repair. Installing cellular phones is comparable to installing a CB radio, and less difficult than wiring a car stereo. Modern cellular phones are so reliable that the phone itself rarely needs to be serviced. Ancillary equipment such as wiring and antennas are usually the cause of any malfunction. Probably the most common service operation is programming. Whether you are activating cellular service for the first time, or moving to another city, your cellular phone must be reprogrammed with specific data supplied by the cellular service provider (carrier). Even changing the unlock code on the phone requires reprogramming in many instances, often associated with a fee ranging from $15-50.00. The vast majority of contemporary cellular phones are programmed by punching in the data right on the keypad without the aid of any external programming device. And this service is often performed by shop personnel with little technical skill. With a programming manual in front of her, I watched the receptionist at a local dealer program a phone that was being exchanged by a customer. I use this example to illustrate how easy it is to reprogram a phone. There is really no reason you or I cannot perform this task ourselves and save money. Reprogramming can also become a profitable additional service offered by independent technicians. Motorola's Test Mode Motorola is probably the largest manufacturer of cellular phones. In addition to their own brands, they make phones for a plethora of other companies. I've always admired the quality of Motorola communications equipment, and the test mode engineered into their cellular firmware has scored them a few more points in my book. The test mode is designed to be of assistance to cellular technicians in the field, and is entered by grounding a specific pin on one of the phone's connectors. Once in test mode, the technician has manual control over many of the functions normally automated by the firmware. The phone display can now be used to indicate the status of various operational parameters. The most useful functions to the hobbyist and professional programmer alike are those which allow the data stored in the Numeric Assignment Module (NAM) to be reviewed and changed. This is not much different from using the standard programming mode, except no special keyboard sequences and security codes are required for access. The manual test mode effectively bypasses the software "front door" commonly used to enter programming mode, and is invaluable when the security code is unknown or has long since been forgotten. The rest of this article details the construction of a test adapter and explains its use as applicable to cellular programming. From this point on I'm assuming you've read my previous article or otherwise have at least a basic knowledge of cellular programming. The basic style of the Motorola-manufactured phone will determine how you go about placing the unit in test mode. Palm-size folded phones and the one-piece hand held devices do not require and adapter. A jumper between the contact designated as the "test line" and ground is all that is required. Activating Test Mode: Hand held Phones If your phone is one of the hand held types, slide the battery pack off the unit. The battery pack also serves as the rear of the phone's external case. On the top rear of the phone you should see twelve contacts arranged in two horizonal rows as depicted in Photo #1. Before you go any further, you should look at the model number of the phone located on the back of the handset. A typical model number is "F09FSF9797." The fourth letter (underlined) in this string is important. This indicates the phone is of the Motorola "F" series and contains firmware that is programmed to allow us to use the manual test mode. The older "D" series phones do not contain the appropriate firmware, and are not even programmable from the keypad. Do not attempt this procedure on a "D" series phone. Another way to make sure the phone is of the "F" or higher (G, H, I, etc.) series as opposed tothe older "D" series is to examine the plastic shroud which extends from the top of the phone and partly covers the RF switch/antenna connector housing. The "F" (and newer) series phones have various notches molded into the plastic shroud as can be seen in the photo. To reiterate, if the model number contains the letter "D" as the fourth character, it does not have a test mode, and cannot be reprogrammed from the keypad. Do not attempt to place it in test mode or you may damage the phone. Once you are certain the phoneis of the "F" or higher series, you may proceed. The contact which serves as the test line is #6. This is the contact to the far right in the upper row, and should be the last (and sixth) of the contacts comprising the top row of contacts. Making a connection between this contact and ground will cause the phone to enter the test mode when powered up. The most convenient way I've found to accomplish this in lieu of a special adapter or modified battery pack is to use a small piece of wire as a jumper. The short lengths that come with the Radio Shack RS-232 jumper box we'll be discussing later work perfectly, right out of the package! To jump contact #6 to ground, I use a very small jewelers screwdriver to carefully wedge one of the solder-tinned ends of my jumper into the space between the contact and the plastic edge to the right. The snug fit assures decent electrical contact and helps keep the jumper in place. The other end of the jumper is gently inserted in the crevice on the RF switch housing. This bare metal area is the most convenient ground and will even hold the end of the jumper. Once you have the jumper connected, you need to flatten it against the phone so that you can slide the battery back on without dislodging it. Photo #2 depicts the jumper in the proper position to clear the battery pack. Palm-size Folded Phones The "Micro TAC" variety of miniature folded phones ("Flip-Fones") manufactured by Motorola usually require a special battery to activate the test mode. You can simulate this battery with your standard battery, however. After removing the battery from the phone, you should see three contacts in a row located in the lower right area of the phone. The two outer contacts are the battery connections. Positive "+" is to the left, and negative "-" is to the right. The center contact is somewhat recessed and does not make contact with the standard battery. Your battery however, should have a mating third contact present. To place the phone in test mode, you need to get the center contact to mate with the center contact on the battery. Strategic use of a small piece of folded metal foil, solder wick or similar conductive material can be used to extend the center contact on the phone so that it will make contact with the third terminal of the battery. If you attempt this procedure, immediately power up the phone to make sure you have not shorted the battery terminals. If the phone does not come on at all or feels warm to the touch, quickly remove the battery. A shorted NiCad battery can explode, causing serious injury. MINI-TR or Silver MiniTac phones Two specific phones - Motorola's MINI-TR or Silver MiniTac units can be placed in programming mode by shorting the two contacts of the hands-free microphone connector. Mobile Installations & Transportable Phones These common phones are the type that consist of a handset connected to a separate transceiver unit by a coiled cable resembling the receiver cord of a standard landline telephone. The handset cable is terminated with a modular connector and plugged in to a jack. The control cable from the jack carries the handset, power and options wiring. This control cable is connected to the transceiver with a 25-pin DB25 connector as depicted in Photo #3. These phones are also placed in manual test mode by grounding the test line. The easiest way to accomplish this is by building a small test adapter (also known as a "programming aid"). This device is placed between the control cable and transceiver DB25 connectors allowing all the signals to pass through unaffected with the exception of jumping the test line to audio ground. Building the Test Adapter Construction of the test adapter is pretty straight forward. The same DB25 connectors used by Motorola have been used for years as the standard RS-232-C connector on computer equipment. You can easily pick up a serial RS-232 inline jumper box from your local computer, electronics or Radio Shack store. The part number at Radio Shack is #276-1403 and lists for $9.95 in their 1993 catalog. The Radio Shack jumper box is designed for maximum flexibility and as such does not have any of the pins preconnected. Each trace on the circuit board connecting the pins has a small break which you will need to bridge with solder to allow the signals to pass through. Examine the PC board before beginning and follow a few of the traces. Note the difference between the break in each trace and the small solder pads used for connecting jumpers. You only need to bridge the traces. Once you've applied a small dab of solder to restore the integrity of each trace, you are ready to install the jumper. The test line on these Motorola phones is pin #21. Pin #20 is the audio ground line. You want to jumper (short) these two pins. Small numbers etched on the PC board indicate the jumper point for each pin. Locate the numbers 20 and 21 next to the small solder pads. Using one of the short jumper wires provided with the device, place the ends through these two holes and solder them down on the opposite side of the board. Photo #4 depicts proper jumper installation, although I left one end of the jumper unsoldered to illustrate it going through the board to be soldered on the other side. That completes the construction of a handy programming aid for Motorola cellular phones, and you have a small packet of left over jumpers that are perfect for jumpering the test line contact on the hand held units. Be sure to save them. To use the test adapter, place it between the control (handset) cable and the transceiver as shown in Photo #5. Test Mode Commands Once you've jumpered the appropriate contact or applied the test adapter, it's time to turn on the phone. When the phone powers up, a series of digits should appear in the display similar to those shown in Photo #6. They should alternate with another series of digits. This indicates your phone is in the manual test mode. One display consists of two numbers, each three digits in length. The set to the right is the channel number designator for the specific cellular frequency the phone is receiving from your local cell site (tower). The right-most trio is the relative signal strength indication (RSSI) of the received frequency. The seven-digit number alternating with the channel/RSSI display provides the technician with additional status information. Each individual digit in the field is actually an independent status register. With a letter substituted for each of the seven digits, this is what they represent: A B C D E F G Position A - SAT Frequency. Indicates which of the three SAT lock frequencies is being used by the phone. In this position a "0" = 5970Hz, "1" = 6000Hz, "2" = 6030Hz, "3" = No SAT lock. Position B - Carrier Status indication. "0" = carrier off, "1" = carrier on. Position C - Signalling Tone. "0" = tone off, "1" = tone on. Position D - RF Power Attenuation Level. "0" through "7" are valid values. Position E - Channel designation. A "0" = voice channel, "1" = control data channel. Position F - Audio Mute (receive). "1" = received audio is muted, "0" = unmuted. Position G - Audio Mute (transmit). "1" = transmitted audio is muted. "0" = unmuted. The meaning of all these status registers is fairly complex and has no bearing on cellular reprogramming. This display, like the majority of the test commands, are only of value to an engineer placing the phone under test with a cellular service monitor. Table "A" lists the test commands that can be of assistance in reprogramming. I have omitted the test commands designed for use with a service monitor, as issuing them without the phone connected to a monitor may cause interference to the cellular network. You may own the phone, but the cellular provider owns the FCC license that allows you to use it. Operating the transmitter in the phone in a manner inconsistent with this license could subject you to loss of service and possible legal trouble. Issuing Commands If your phone did not come up with the status display described above, you may need to manually instruct the phone to do so. Pressing "#" enters the test command mode, and "02#" is the command to display the status registers. If you enter a command improperly, the phone will scroll the word "error" across the display. If you need to review the current programming data stored in the NAM, enter "55#" which instructs the phone to enter the programming mode. You can scroll through the contents of NAM displaying the stored values by repeatedly pressing the "*" key. Actual reprogramming through this mode is considerably more difficult than through the standard programming mode. The test mode does not display a step number to let you know what programming step you are at, and the information is stored and displayed in a different order. Many programmers simply use this mode to obtain the security code, exit test mode and program the phone in the normal fashion. As you step through the NAM contents with the "*" key, the security code is the only six-digit number you'll see that isn't binary. Once you've written it down, continue to step through NAM until you see the "tick mark" in the display (it looks like an apostrophe) and exit test mode by turning off the phone. Motorola designed their phones so that they could only be programmed three times. I don't know the rationale for this, but a firmware counter increments each time the phone is reprogrammed, and after the third time it will no longer enter programming mode. The instruction booklet that accompanies the phone instructs you to take it to the dealer where you bought it. If you took the phone to a dealer, they would put the phone in test mode (just like we're doing) and enter the command "32#" which resets the counter to zero, allowing the phone to be reprogrammed three more times. Do it yourself and save! Many phones also have a cumulative call timer that counts the total number of minutes the phone has been used for calls (actively transmitting). This "autonomous timer" (that you were told was not resetable) can be cleared and reset to zero by punching in "03#" while in test mode. Another useful command is "38#" which causes the phone to display the Electronic Serial Number (ESN) that is burned in ROM. The phone will display the ESN one hex byte at a time. Press "*" to increment to the next byte. Note that the display shows four numbers. The two to the left indicate which byte you are viewing (00, 01, 02 or 03),and the actual value of that byte is at the right of the display. You can punch in "19#" if you'd like to view the software version number resident in your phone. Conclusion You should now have an understanding of the test mode inherent in cellular phones manufactured by Motorola, and if you've followed this series of articles in recent issues of Nuts & Volts, the operation of the cellular network and reprogramming procedures are no longer so mysterious. Your questions and comments are always welcome, and you can write or send E-mail directly to me as mentioned below. If plan to do much programming or would like detailed information on the cellular network, you would benefit greatly by investing in one of the detailed technical publications offered in these very pages. I've listed the publishers of several good volumes in a sidebar, and you'll find their ads scattered throughout this magazine. As a final note, you should be aware that the use of this information is undertaken at your own risk. Although most of this information was triple-checked against available technical documentation, none of it originated directly from Motorola. I doubt you'll have a problem, but you never know when a manufacturer might change their specifications. ***************************************************************** TEST MODE COMMAND SUMMARY The following is a summary of some of the commands available from within the test mode on most cellular phones manufactured by Motorola. COMMAND DESCRIPTION # Initial keystroke to enter test command mode. 01# Reboot phone (begin power-up routine). 02# Display status registers. 03# Reset "autonomous timer" to zero minutes. 04# Initialize transceiver. 07# Mute audio (received). 08# Unmute audio (received). 11XXX# Load frequency synthesizer with specific cellular channel (XXX = 3-digit decimal channel designator). 13# Power down the phone (off). 19# Display software version number. 32# Initialize NAM. Erases all programmed data! 36XXX# Activate channel scanning. Pauses on each channel for XXX milliseconds. Keying "#" aborts scanning. 38# Display Electronic Serial Number (ESN). 45# Display current relative signal strength (RSSI) of currently loaded channel. 53# Enables scrambler option if phone is equipped. 54# Disables scrambler option if phone is equipped. 55# Programming mode - display/change NAM contents. ***************************************************************** Sources of Additional Information The following companies distribute publications that offer detailed instructions and information pertaining to cellular programming and various aspects of cellular hardware: Spy Supply 7 Colby Court, Suite 215 Bedford, NH 03110 (617) 327-7272 TeleCode P.O. Box 6426 Yuma, AZ 85366-6426 (602) 782-2316 Consumertronics 2011 Crescent Drive P.O. Box 88310 Alamogordo, NM 88310 (505) 434-0234 ***************************************************************** AUTHOR BIOGRAPHY (For publication) Damien Thorn's interest in electronics has deep roots. A noted "hacker" and "phone phreak" by age sixteen, he contributed regularly to the underground newsletter "TAP." Today Damien is an on-air radio personality and FCC licensed engineer in California's San Joaquin Valley. His interests include computers, communications, security and privacy issues. He welcomes questions and comments. You can reach him at 6333 Pacific Ave. #203, Stockton, CA 95207-3713 or via E-Mail at one of the following: DrDamien@Delphi.com via Internet mail, on CompuServe at 75720,2104, or on Delphi as DrDamien.