[ H a c k e r s   I n f o r m a t i o n   R e p o r t   F i v e ]
[>>>>>>>>>>>>>>           Cell Stuff 1           <<<<<<<<<<<<<<<]
[The first article in a series of god-knows-how-many, completely dedicated to]
[the official toy of the modern Phone Phreak: The Cellular Phone]
[This article covers mostly Motorola Cellular]

This is the first article of HIR completely devoted to all that funky cellular
stuff. As you may recall, in HiR 3 we mentioned that we found a really kick-ass
course guide used for employee training with Motorola phones. This article is
the first fruit of the knowledge contained within that book's old tattered
pages.

I've sort of divided this article into two sections:

  I.  A flowchart of the chain of events that happen inside a cellular phone
  II. User- and test-mode cellular programming introduction

On with the show!

-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-

I. Cellular telephone chain of events

Sometimes it's nice to know what exactly is going on inside something. Maybe
you want to troubleshoot it. Maybe you just want to be reassured that
everything isn't just being powered by rubber bands and springs. Who knows.
Regardless, I've finally found a flowchart that describes in detail every
action that a cellular phone takes after you power it up. The flow chart does
NOT cover what happens once you make or receive a call, however.

 1. Power button pressed. Self test occurs. NoSvc indicator activated.
 2. Scan preferred system (A or B).
 3. Scan all 21 control channels for that system.
 4. Use strongest control channel.
 5. If overhead information is received and decoded, jump to step 8.
 6. Tune to second strongest control channel.
 7. If overhead info still cannot be received or decoded, jump to step 12. *
 8. If the system ID matches the cell phone's home SID, jump to step 10.
 9. Activate Roam indicator.
10. Turn off NoSvc indicator.
11. Rescan after 5 minutes (jump to step 2).
12. Turn on NoSvc indicator.
13. Switch to non-preferred system (A or B), then jump to step 3.

 * In most phones, only the 2 strongest control channels are scanned, but some
   phones scan more than 2.

-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-<=>-

II. Introduction to user- and test-mode programming on Motorola cell phones

There are 2 types of programming on Motorola phones. The easiest of the two is
called user mode programming. This method also goes by the name "security code
programming", because there is a security code that is used when entering
programming mode. Once in this mode, it is possible to change the security
code, which is 6 digits long. After that, the old security code will no longer
let you into user mode programming. Take note that there is never a need for
any special equipment here, as long as all the keys on the keypad work
normally.

The other method is called test mode programming. There is never a way to get
into test mode with the keypad alone. Sometimes it takes a whole desktop
system with special interface cables and custom software, but in some cases,
it's quite a bit easier than that, and can be done with nothing more than a
little piece of aluminum foil or a pair of needle-nose pliers.

I will only cover user-mode programming in this article, but in HiR 7 I'll
expose some ways of getting into test mode, and compare the features that make
each programming mode diverse. Some (but far from all) actual programming
operations will be covered in depth, but since I myself have not messed with
actual programming to any great extent, all that I can provide is what I've
done. I will describe each memory location, and the function of each bit or
byte, though.

Getting into User programming mode:

This varies quite a bit from model to model. When it comes to Motorola phones,
there are 6 main user-mode entry sequences.
Some phones may not allow user-mode programming, and a very small group of
phones have another way of accessing user-mode programming which is more
complex than I wish to cover here. Below is a table of the 6 user-mode entry
key sequences. Then there will be another table of which handsets use which of
the 6 sequences to get into user-mode programming.

Wherever %CODE% shows up in the sequence, you'll have to enter the 6-digit
security code twice. By default, the security code is 000000. So, where %CODE%
shows up, you would want to try 000000000000 first, unless you know the
security code is something else. If the security code was 852030, then where
%CODE% is, you would need to enter 852030852030. Simple enough? Just remember
to enter the security code twice.

──────────────────────────────────────────────────────────────────────────────
Table 6-2.II.1: keystroke sequences for entering user-mode programming
┌────┬──────────────────────────────────────────────────────────────────────┐
│Num │Key Sequence                                                          │
├────┼──────────────────────────────────────────────────────────────────────┤
│ 1  │ [FCN] %CODE% [RCL]                                                   │
├────┼──────────────────────────────────────────────────────────────────────┤
│ 2  │ [STO] # %CODE% [RCL]                                                 │
├────┼──────────────────────────────────────────────────────────────────────┤
│ 3  │ [CTL] 0 %CODE% [RCL]                                                 │
├────┼──────────────────────────────────────────────────────────────────────┤
│ 4  │ [CTL] 0 %CODE% [X'ed Diamond thing] (CTL may also be the volume key) │
├────┼──────────────────────────────────────────────────────────────────────┤
│ 5  │ [FCN] 0 %CODE% [MEM]                                                 │
├────┼──────────────────────────────────────────────────────────────────────┤
│ 6  │ [FCN] 0 %CODE% [RCL]                                                 │
└────┴──────────────────────────────────────────────────────────────────────┘

Once in User-Mode Programming, you can do quite a bit, but not quite enough to
satisfy the desires of most phreaks.
I'll show you what each value in user-mode programming means, and I'll focus
on the ones I am familiar with (remember, I'm not a HUGE cell phreak, I just
study it occasionally).

If you modify the phone number, an internal counter dubbed the "3-Times"
counter will increment by 1. Once it hits 3, the cellular phone goes nuts and
will not operate. According to the manual, you're supposed to turn it in to a
cellular technician who will then ask why the phone number got changed so many
times...heh...Well, all they have to do is enter test mode and modify the
counter (reset it). Of course if you can weasel your way into test mode, you
should be fine. =]

Pressing the * key steps through each entry in sequence.
Pressing CLR returns the current data field to the previous value.
Pressing # will exit the program without saving any changes. This does not
have any effect on the "3-times" counter.
Pressing the SND key while entering data has no effect.
Pressing the SND key while on an entry field will save the data. If the
telephone number was changed, the "3-times" counter will increment.

Entry  Default   Description
  01   00000     System ID. This is the system ID of your cellular carrier.
  02   111       Cellular Area Code.
  03   1110111   Cellular Telephone Number.
  04   XX        Station Class Mark. Varies according to channel access, VOX
                 capability and power out. You probably will never have a need
                 to mess with this one.
  05   00        Access Overload Class. Level of priority for accessing the
                 system in case of a system overload.
  06   00        Group ID Mark. Specifies how many of the SID bits are
                 significant.
  07   000000    User Security Code. Code used in accessing user-mode
                 programming features. Also used for changing the unlock code.
  08   123       Unlock Code. Supplied by the user to allow only those people
                 who know the code to use the phone.
  09   0334      Initial Paging Channel. 0333 for side A SIDs, 0334 for side B
                 SIDs.
  10   011100    Option Programming. These are toggle bits, read from left to
                 right:
                 1. Internal Speaker Disable. Disables the handset call
                    processing speaker if using an external speaker.
                    0=Internal speaker on, 1=Internal speaker disabled.
                 2. Local Use. If set to 1, the phone responds to local control
                    orders when the group ID is matched.
                 3. MIN Mark. If set to 1, the area code is transmitted on
                    every call.
                 4. Auto Recall. 1 enables access to phone numbers stored in
                    memory locations. 0 disables access.
                 5. Second Telephone Number Enable. Allows entry of telephone
                    data into the second NAM (or into programming memory if
                    the phone does not support a second NAM).
                 6. Diversity. If the dual-antenna feature is present, and you
                    want to enable the diversity feature (use both antennae).
                    1=Enabled, 0=Disabled.
  11   11110     Option Programming 2. This set of option bits is only
                 available on phones with software version 8735 or later
                 (phones with 832 channels). Some phones only have 3 or 4 bits
                 instead of 5. These will always be the rightmost 3 or 4 bits
                 (the last 3 or 4 of this table; Failed Page and Enhanced Scan
                 may not be present in every phone).
                 1. Failed Page Indicator. Informs the user of any in-bound
                    call attempt that failed (typically due to a weak signal)
                    if set to 1.
                 2. Motorola Enhanced Scan. A newer high-performance scanning
                    technique is utilized where multiple signalling channels
                    are present if this bit is set to 1. Motorola started
                    implementing this feature in mid '91. Phones produced
                    before this time do not have this feature.
                 3. Long Tone DTMF. If set to 1, the DTMF tones are transmitted
                    long enough to make it easier for certain DTMF-sensing
                    equipment to pick up the tones. This helps when trying to
                    access voice mail or automated phone menus from a
                    cellphone.
                 4. Transportable Internal Ringer/Speaker. 0=Audio routed to
                    external speaker of "Tough Talker" or Carry Phone. 1=Audio
                    routed to the handset speaker.
                 5. Eight Hour Timeout. If the phone remains inactive for 8
                    hours straight, it automatically turns off. This is mainly
                    for carphones, to keep them from totally draining your car
                    battery.
If the Second Telephone bit was enabled, the whole process will start over
again, except with a "2" to the right of the entry number. Entries 7, 8, and 11
are not repeated.

Keep a lookout for info on getting into test-mode programming, where the REAL
fun begins. It should be ready by HiR 7, but I want to make sure there's
concrete info.
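The power-up sequence from Section I, written out as a small state machine so the branch at steps 5-7 and the system switch at step 13 can be traced. This is an added example, not code from the HiR article or from Motorola; the ControlChannel and Phone classes, the acquire function, and the channel numbers, signal strengths and SIDs are all constructed, and the footnote about scanning only the 2 strongest channels is a parameter.

```python
# Added example (not from the HiR article or the Motorola guide): the power-up
# control-channel acquisition flow of Section I, steps 1-13, as a state machine.
# Channel numbers, strengths and SIDs used with it are constructed.
from typing import Dict, List, Optional


class ControlChannel:
    """One control channel as the phone sees it after scanning (step 3)."""
    def __init__(self, number: int, strength: int, sid: Optional[int]):
        self.number = number        # constructed channel number
        self.strength = strength    # higher is stronger
        self.sid = sid              # decoded overhead SID, None if not decodable


class Phone:
    def __init__(self, home_sid: int, preferred: str, channels_tried: int = 2):
        self.home_sid = home_sid
        self.preferred = preferred            # "A" or "B"
        self.channels_tried = channels_tried  # footnote: most phones try only 2
        self.no_svc = True                    # step 1: NoSvc lit after self test
        self.roam = False
        self.log: List[str] = []


def acquire(phone: Phone, systems: Dict[str, List[ControlChannel]]) -> str:
    """Run steps 2-13 once: preferred system first, then the other one
    (step 13). Returns "home", "roam" or "nosvc". The 5-minute rescan of
    step 11 is left to the caller."""
    other = "B" if phone.preferred == "A" else "A"
    for system in (phone.preferred, other):
        # steps 3-4: rank the system's control channels, strongest first
        ranked = sorted(systems.get(system, []),
                        key=lambda c: c.strength, reverse=True)
        # steps 4-7: try the strongest, then the next, up to channels_tried
        for ch in ranked[:phone.channels_tried]:
            phone.log.append("%s: channel %d" % (system, ch.number))
            if ch.sid is None:
                continue                        # overhead not received/decoded
            phone.roam = ch.sid != phone.home_sid   # steps 8-9
            phone.no_svc = False                    # step 10
            return "roam" if phone.roam else "home"
        phone.no_svc = True                         # step 12
        phone.log.append("%s: no service, switching system" % system)  # step 13
    return "nosvc"
```

With the default of 2 channels tried, a decodable third channel on the preferred system is never reached, which is exactly the footnoted behaviour.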
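The entry table from Section II as code: an added example, not from the article or the Motorola guide, that decodes the option bits of entries 10 and 11 (including the right-aligned 3- or 4-bit form of entry 11), lists the entries stepped through with * when the second NAM pass is enabled, and tracks the 3-Times counter across SND saves. The decode_bits and entry_sequence functions, the NamSession class, and the assumption that re-saving an unchanged phone number does not count are mine.

```python
# Added example, not from the HiR article or the Motorola guide: decodes the
# option bits of entries 10 and 11, lists the entries stepped through with *
# (with the second-NAM pass), and tracks the "3-Times" counter. Constructed data.
OPTION_1 = ["internal_speaker_disabled", "local_use", "min_mark",
            "auto_recall", "second_telephone_number", "diversity"]
# Entry 11: phones with only 3 or 4 bits carry the rightmost ones of these 5.
OPTION_2 = ["failed_page_indicator", "enhanced_scan", "long_tone_dtmf",
            "transportable_internal_ringer", "eight_hour_timeout"]
NOT_REPEATED_IN_NAM2 = {"07", "08", "11"}
MAX_NUMBER_CHANGES = 3     # the phone stops operating once the counter hits 3

def decode_bits(bits, names):
    """Map a left-to-right bit string onto option names. A string shorter
    than the table is right-aligned, because the missing bits are always
    the leftmost ones (Failed Page, Enhanced Scan)."""
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("option field must be a non-empty string of 0/1")
    if len(bits) > len(names):
        raise ValueError("more bits than defined options")
    present = names[len(names) - len(bits):]
    return {name: b == "1" for name, b in zip(present, bits)}

def entry_sequence(option_1_bits):
    """Entry numbers stepped through with *, followed by the second pass
    (a '2' after the entry number) when bit 5 of entry 10 is set."""
    first = ["%02d" % n for n in range(1, 12)]
    if not decode_bits(option_1_bits, OPTION_1)["second_telephone_number"]:
        return first
    return first + [e + "2" for e in first if e not in NOT_REPEATED_IN_NAM2]

class NamSession:
    """Models SND saves against the 3-Times counter (hypothetical class)."""
    def __init__(self, phone_number="1110111", three_times=0):
        self.phone_number = phone_number   # entry 03, default from the table
        self.three_times = three_times

    def operational(self):
        return self.three_times < MAX_NUMBER_CHANGES

    def save(self, entry, value):
        """SND on an entry field. Returns False when the phone is already
        locked out (counter at 3) and the save is refused."""
        if not self.operational():
            return False
        if entry == "03" and value != self.phone_number:
            self.phone_number = value
            self.three_times += 1   # assumed: an unchanged number is not counted
        return True
```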