<pre>
********************************************************************************
*                                                                              *
*                              THE MOTOROLA BIBLE                              *
*                       For all Cellular AND Pager Info                        *
*                                                                              *
*                    MOTOROLA USERS AND PROGRAMMING GUIDES                     *
*                                By Mike Larsen                                *
*                                   Ver. 2.3                                   *
*                                   5/03/96                                    *
********************************************************************************
Table of Contents:

Section  1  Introduction            7  Phone Pin Outs
         2  General User Info       8  Cable Specs
         3  Programming Info        9  Channel Number vs. Frequency
         4  Test Mode              10  Trik Clip
         5  Hacking the FOVC       11  Pager Info
         6  Reading the SID        12  Disclaimer

This manual is not intended to be an aid in cellular fraud. That is
both illegal and immoral. Would you like someone to make charges on your
phone? If you want free calls, you want to check elsewhere for information
pertaining to BOXES, which is NOT mentioned in the Motorola Bible.
This manual is not intended for use by people with little electronics
experience. This is not a tutorial and is intended only for people who have
previous cellular experience and are familiar with programming cellular
phones. There are tons of introductory files all over the net. For more info
get into alt.cellular or alt.2600. If you have specific questions, those are
the places to start.
If you have any additions or corrections about this manual, please
email me at:
Before going in to the programming of the cellular phone, it is
important for the user to know the normal things necessary for day to day
operation. While the majority of the stuff in the users manual is intended
for people that have problems programming their VCR, there are a few things
that are very important and are only mentioned in the users manual.
Turn On:                      [Pwr]
Place Call:                   Enter number, [Snd]
Receive Call:                 [Snd] or open flip fone
End Call:                     [End] or close flip fone
Store Number:                 Phone number, [Sto], 2-digit location number
Recall Number:                [Rcl], 2-digit location number
Super Speed Dialing:          Directory location number, [Snd]
Changing Entries:             Press [Rcl] and the 2-digit location number
                              so that the number to be changed is
                              displayed. Press and release [Clr] to back
                              out each of the digits. Enter a new number
                              and press [Sto].
Call Number Displayed:        [Snd]
Microphone Muting:            Press [Fcn], [6].
                              To unmute, press [Fcn], [6]
Lock Unit:                    [Fcn], [5] or [LOCK]
Unlock:                       Three digit unlock code. If you make an
                              error, [Clr] and enter again.
Automatic Lock:               [FCN], [6] (not all phones)
                              "EnAbLE" will appear if compatible.
Display Unlock Code:          Press [Fcn], [0], your six-digit security
                              code, [Rcl].
Changing Your Unlock Code:    Press [Fcn], [0], your six-digit security
                              code, your NEW 3-digit unlock code, [Sto].
Review Battery Meter:         Press [Fcn], [4] and release.
Adjust Volume:                Earpiece - Press and hold [Vol] to increase.
                              Release, press again to decrease.
                              Ringer - [Fcn], then Vol as above.
Recall Last Number Used:      [Rcl], [0], [0]
Recall Own Phone Number:      [Rcl], [#]
Individual Call Timer:        [Rcl], [#], [#]
Resettable Call Timer:        [Rcl], [#], [#], [#]
Reset Resettable Call Timer:  [Fcn], [0], [7], [Clr]
Cumulative Call Timer:        [Rcl], [#], [#], [#], [#]
Access Features:              Press [Fcn], [1]. To change features, press
                              [*] and [#] to scroll and [Clr] to change.
                              To exit feature menu, press [END].
Review/Scroll Menu Features:  Press [*] or [#]
Status Review:                [Fcn], [0], [9], [Rcl], [#] or [*] scrolls
                              messages. To end press [END].
Changing System Type:         Press [Rcl], [*]. Repeatedly press [*]
                              until the desired system type appears. To
                              select press [Sto].
Outgoing Call Restrictions:   Press [Fcn], [0], 6-digit security code,
                              [1], [Sto]. Phone will place calls only
                              from memory locations 1-10.
                              To change back to unrestricted dialing
                              press [Fcn], [0], 6-digit security code,
                              [4], [Sto].
I would like to add that while I have extensively worked on finding
additional test mode commands, I (nor anyone else) have ever worked with the
normal operation commands as listed above. For example, above you will
notice sequences with [Fcn], [1] or [Fcn], [0], [7]. This is totally
unexplored territory. Happy hacking :) See entering test mode on the new
95xx phones.
Activating the PIN in PIN READY cellfones Thanks to [email protected]
(You cannot use their fone without the PIN activated)
Activating the PIN Ready feature in Motorola fones:
1. Enter user menu - press FNC,1 or FNC,Menu
2. Select Pin Active in menu and press * once or until "Pin Active"
appears in the fone display.
3. Enable 'Pin Active' feature - press CLR.
A small square will appear before 'Pin Active', saying it's enabled.
4. Exit user menu - press END
To store the PIN into memory:
1. Enter the specific PIN code - press XXXX
2. Store four digit PIN into memory location 07 - press STO,0,7
3. Return to normal operation - press CLR
To initiate a call using the PIN Ready feature:
1. Enter the phone number you wish to call:
press (XXX)XXX-XXXX, SND
2. You will hear two short rings, then press SND again. The PIN
Ready feature will automatically send the PIN code you previously
stored into memory location 07 and initiate your call.
---------
What is EE3??
EE3 is the software that Motorola has added to the cellular
product line which provides feature enhancements and increased
security by restricting ESN transfer...
---------
Why did the changes take place...
Due to the FCC Rule change, all new cellular telephones
that were introduced after Jan. 1, 1995 with new FCC IDs must restrict
ESN transfer. Phones introduced prior to this date are "grandfathered"
or not required to be compliant with this rule.
---------
How ya can tell the difference between an EE3 and a non-EE3 fone.
These fones will be identified with the marking of EE3 on the
FCC label (look on da back of da fone)
---------
How does the fone change?!
Some of the changes EE3 phones have are feature differences,
accessory compatibility, and service differences.
---------
Which fones have the PIN CODE feature?!
If the phone has EE3 on the back label, then the fone has the
PIN CODE feature; with the exception of the EE3 TeleTacs and the
pre-AC-P300 boxed contours.
---------
Can a 3-watt VA be used with EE3 fones?!
No, the existing 3-watt VA is not compatible with EE3 fones.
The following part numbers are for the new 3-watt booster for EE3 fones
and for conversion kits for existing 3-watt kits. The 3-watt booster
has its own handset that comes with it.
Deluxe Booster w/Micro Car Handsfree Kit (EE3 pocket and flip)
# S-5415
Deluxe Booster w/Micro Car Handsfree Kit (EE3 Elite) <no, eleet!>
# S-5093
Deluxe Booster Conversion Kit (EE3 pocket and flip)
# S-5094
Deluxe Booster Conversion Kit (EE3 Elite)
# TBA
-----------
Which Motorola fones have the new Lock feature?!
All EE3 fones have the NEW lock feature - FCN,5 and STO to lock it
Well, it seems a lot of people have been trying to figure out the date of
manufacture of Motorola cellular phones. This is easily accomplished by
locating the MSN (Mechanical Serial Number) somewhere on the telephone. It can
be 10 or 11 digits. If there is no 11th digit, warranty period is one year. If
there is an 11th digit, the warranty period can be determined from the following
charts. Without a proof of purchase, warranty date is determined by adding 3
months to the date of manufacture.
MSN Example: 194GSTxxxxW
194 is the Accounting Product Code (APC) and has little use.
G is the location of manufacture
S is the Year Code of manufacture
T is the Month Code of manufacture
xxxx is the actual serial number (hex) of that telephone
W is the Warranty Period
Year Code   Year
    H       1983
    J       1984
    K       1985
    L       1986
    M       1987
    N       1988
    P       1989
    Q       1990
    R       1991
    S       1992
    T       1993
    U       1994
    V       1995
    W       1996
    X       1997
    Y       1998
    Z       1999

Month Code   Month
  A or B     January
  C or D     February
  E or F     March
  G or H     April
  J or K     May
  L or M     June
  N or P     July
  Q or R     August
  S or T     September
  U or V     October
  W or X     November
  Y or Z     December

Warranty Period   Definition
  A               1 yr w/ possible MCSI coverage
  B               3 yrs w/ possible MCSI coverage
  C               5 yrs w/ possible MCSI coverage
  D               2 yrs w/ possible MCSI coverage
  E               No Warranty
  F               90 Days OEM only
  H               3 Years, Canada Only
  L               3 Years, OEM Only
  M               1 Year, OEM Only
  N, P, X         5 Yrs
  Q, R, S, Y, Z   3 Yrs
  T               OEM Telephone
  U               90 Days (Reconditioned Units)
  W               4 Yrs.

Location of Manufacture Code   Location
  G                            Libertyville, Il.
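
The MSN layout and code charts above, written out as a decoder for dating a handset from its label. This is an added example, not part of the original manual; the function names and the two sample serial numbers are constructed for illustration.

```python
# Code charts transcribed from the tables above; the letters I and O are skipped.
YEAR_CODES = {c: 1983 + i for i, c in enumerate("HJKLMNPQRSTUVWXYZ")}
MONTH_CODES = {c: i // 2 + 1 for i, c in enumerate("ABCDEFGHJKLMNPQRSTUVWXYZ")}
LOCATIONS = {"G": "Libertyville, Il."}   # the only location the chart lists
WARRANTY = {
    "A": "1 yr w/ possible MCSI coverage",
    "B": "3 yrs w/ possible MCSI coverage",
    "C": "5 yrs w/ possible MCSI coverage",
    "D": "2 yrs w/ possible MCSI coverage",
    "E": "No Warranty",
    "F": "90 Days OEM only",
    "H": "3 Years, Canada Only",
    "L": "3 Years, OEM Only",
    "M": "1 Year, OEM Only",
    "T": "OEM Telephone",
    "U": "90 Days (Reconditioned Units)",
    "W": "4 Yrs.",
}
WARRANTY.update({c: "5 Yrs" for c in "NPX"})
WARRANTY.update({c: "3 Yrs" for c in "QRSYZ"})

DEFAULT_WARRANTY = "1 year (no 11th digit)"
HEX_DIGITS = set("0123456789ABCDEF")


def add_months(year, month, count):
    """Return (year, month) moved forward by `count` months."""
    index = year * 12 + (month - 1) + count
    return index // 12, index % 12 + 1


def decode_msn(msn):
    """Split a 10- or 11-character MSN into the fields the manual describes."""
    msn = msn.strip().upper()
    if len(msn) not in (10, 11):
        raise ValueError("MSN must be 10 or 11 characters, got %d" % len(msn))

    apc, loc, year_code, month_code = msn[:3], msn[3], msn[4], msn[5]
    serial = msn[6:10]
    if year_code not in YEAR_CODES:
        raise ValueError("unknown year code %r" % year_code)
    if month_code not in MONTH_CODES:
        raise ValueError("unknown month code %r" % month_code)
    if not set(serial) <= HEX_DIGITS:
        raise ValueError("serial %r is not hexadecimal" % serial)

    if len(msn) == 11:
        if msn[10] not in WARRANTY:
            raise ValueError("unknown warranty code %r" % msn[10])
        warranty = WARRANTY[msn[10]]
    else:
        warranty = DEFAULT_WARRANTY   # no 11th digit: one year

    made = (YEAR_CODES[year_code], MONTH_CODES[month_code])
    return {
        "apc": apc,
        "location": LOCATIONS.get(loc, "not listed in the chart"),
        "manufactured": made,             # (year, month); the day is not encoded
        "serial": int(serial, 16),
        "warranty": warranty,
        # Without proof of purchase the warranty date is manufacture + 3 months.
        "warranty_start": add_months(made[0], made[1], 3),
    }


if __name__ == "__main__":
    for sample in ("194GST1A2FW", "194GSY0001"):   # constructed serial numbers
        print(sample, decode_msn(sample))
```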
NOTES: Some units have dual NAM's.
The ESN prefix is 130 decimal, 82 hex.
Motorola: 1-800-331-6456
There are MANY different models of Motorola phones sold under various
brand names, if you think it's a Motorola, it probably is.
Determine which access sequence to use:
HAND HELD PORTABLE MODELS
If the phone has a FCN button and no MENU button use sequence 1.
If the phone has no FCN button use sequence 2.
If the phone has a MENU button and a FCN button use sequence 4.
INSTALLED MOBILE PHONES AND TRANSPORTABLE MODELS
If the phone has no FCN button and no RCL button use sequence 3.
If the phone has a FCN button use sequence 4.
If the phone has a MEM button use sequence 5.
If the phone has a RCL button and no FCN button use sequence 6.
The default security code is 000000. The CTL (control) button is the
single black button on the side of the handset.
NAM programing:
1. Turn the power on.
2. Within ten seconds enter the access sequence as determined above.
3. The phone should now show "01" in the left of the display, this is the
first programing entry step number. If it does not the security code
is incorrect, or the programing lock-out counter has been exceeded. In
either case you can still program the unit by following the steps under
TEST MODE PROGRAMING below.
4. The * key is used to increment each step:
Each time you press * the display will increment from the step number,
displayed on the left, to the data stored in that step, displayed on
the right. When the data is displayed make any necessary changes and
press * to increment to the next step number.
5. The SND key is used to complete and exit programing when any STEP
NUMBER is displayed.
If you have enabled the second phone number bit in step 10 below then
pressing SND will switch to NAM 2. Steps 01 thru 06, 09 and 10 will
repeat for NAM 2, the step number will be followed by a "2" to indicate
NAM two.
6. The CLR key will revert the display to the previously stored data.
7. The # key will abort programing at any time.
PROGRAMING DATA:

STEP#   #OF DIGITS/RANGE   DESCRIPTION
01      00000 - 32767      SYSTEM ID
02      3 DIGITS           AREA CODE
03      7 DIGITS           TEL NUMBER
04      2 DIGITS           STATION CLASS MARK
05      2 DIGITS           ACCESS OVERLOAD CLASS
06      2 DIGITS           GROUP ID (10 IN USA)
07      6 DIGITS           SECURITY CODE
08      3 DIGITS           LOCK CODE
09      0333 OR 0334       INITIAL PAGING CHANNEL
10      6 DIGIT BINARY     OPTION PROGRAMING (SEE NOTE 1)
11      3 DIGIT BINARY     OPTION PROGRAMING (SEE NOTE 2)

NOTES:
Take care with Motorola's use of "0" and "1". Some options use "0" to
enable, some use "1".
1. This is a 6 digit binary field used to select the following options:
Digit 1: Internal handset speaker, 0 to enable.
Digit 2: Local Use Mark, 0 or 1.
Digit 3: MIN Mark, 0 or 1.
Digit 4: Auto Recall, always set to 1 (enabled).
Digit 5: Second phone number (not all phones), 1 to enable.
Digit 6: Diversity (Two antennas, not all phones), 1 to enable.
2. This is a 3 digit binary field used to select the following options:
Digit 1: Continuous DTMF, 1 to enable.
Digit 2: Transportable Ringer/Speaker, 0=Transducer, 1=Handset.
Digit 3: 8 hour time out in transportable mode, 0 to enable.
On newer models, they have added and changed some numbers. The numbers
as of the 3/27/92 manual are as follows:
1. The 6 digit binary field is still the same.
2. The 3 digit binary field has become a 5 digit binary field.
Many newer phones don't require grounding. If your software version number
is 9526 (I think) or newer, enter this:
FCN + 0 + 0 + * + * + 8 3 7 8 6 6 3 3 + STO
In case you have trouble remembering the number sequence, it spells out
"TESTMODE." Leave it to Motorola to make this easier and easier all the time.
I have used this and it does work. This command just backs up my claim even
further that esn changing via handset is a reality. It's a matter of finding
the correct combination of keys.
Normal test mode commands work like usual from then on.
For some odd reason, this hasn't been included in all the 95xx phones. I
believe they started it in Software 9526. This is only an estimate, so if
you have a 95xx flip, let me know what software version you have and whether
it works or not so this date can be isolated. Mine is a 9562 that worked.
INSTALLED MOBILE PHONES AND TRANSPORTABLE MODELS
To enter test mode on units with software version 85 and higher you must
short pins 20 and 21 of the transceiver data connector. An RS232 break out
box is useful for this, or construct a test mode adaptor from standard
Radio Shack parts.
For MINI TR or Silver Mini Tac transceivers (smaller data connector) you
can either short pins 9 and 14 or simply use a paper clip to short the
hands free microphone connector.
HAND HELD PORTABLE MODELS:
There are two basic types of Motorola portable phones, the Micro-Tac series
"Flip" phones, and the larger 8000 and Ultra Classic phones. Certain newer
Motorola and Pioneer badged Micro-Tac phones do not have a "flip", but
follow the same procedure as the Micro-Tac.
8000 & ULTRA CLASSIC SERIES:
If you have an 8000 series phone, determine the "type" before trying to
enter test mode. On the back of the phone, or on the bottom in certain
older models, locate the F09... number; this is the series number. If the
FOURTH digit of this number is a "D" you CAN NOT program the unit through
test mode; a Motorola RTL4154/RTL4153 programer is required to make any
changes to this unit.
Having determined that you do not have a "D" series phone the following
procedure is used to access test mode:
Remove the battery from the phone and locate the 12 contacts at the top
near the antenna connector. These contacts are numbered 1 through 12 from
top left through bottom right. Pin 6, top right, is the Manual Test Mode
Pin. You must ground this pin while powering up the phone. Pin 7 (lower
left) or the antenna connector should be used for ground. Follow one of
these procedures to gain access to pin 6:
1. The top section of the battery that covers the contacts contains
nothing but air. By careful measuring you can drill a small hole in the
battery to gain access to pin 6, alternately simply cut the top off the
battery with a hack saw. Having gained access use a paper clip to short
pin six to the antenna connector ground while powering up the phone.
2. If you do not want to "destroy" a battery you can apply an external 7.5
volts to the + and - connectors at the bottom of the phone, ground pin 6
while powering up the phone as above.
3. You can also try soldering or jamming a small jumper between pins 6 and
7 (top right to lower left), or between pin 6 and the antenna connector
housing ground. Carefully replace the battery and power up the phone. Use
caution with this method not to short out any other pin.
4. A cigarette lighter adaptor, if you have one, also makes a great test
mode adaptor as it can be disassembled to give you easier access to pin 6.
Many are pre marked, or even have holes in the right location. This is
because they are often stamped from the same mold that the manufacturer
uses for making hands free adaptor kits and these kits require access to
the phone's connectors.
ULTRA CLASSIC II SERIES:
Ground Pin 2 to pin 4.
MICRO-TAC "FLIP" SERIES:
This phone follows similar methods as outlined for the 8000 series above.
Remove the battery and locate the three contacts at the bottom of the
phone, the two outer contacts are raised and connect with the battery. The
center contact is recessed, this is the Manual Test Mode connector.
Now look at the battery contacts, the two outer ones supply power to the
phone, the center contact is an "extra" ground. This ground needs to be
shorted to the test mode connector on the phone. The easiest way to do
this is to put a small piece of solder wick, wire, aluminum foil or any
other conductive material into the recess on the phone. Having done this
carefully replace the battery and turn on the power, if you have been
successful the phone will wake up in test mode.
GENERAL NOTES:
HANDSETS: Most Motorola handsets are interchangeable, when a handset is
used with a transceiver other than the one it was designed for the display
will show "LOANER". Some features and buttons may not work, for instance
if the original handset did not have a RCL or STO button, and the
replacement does, you will have to use the control * or control # sequence
to access memory and A/B system select procedures.
LOCK/UNLOCK PROCEDURES:
Phones with "LOCK" buttons: Press lock for at least 1/2 a second.
Phones with a "FCN" button: Press FCN 5, note that 5 has the letters
"J,K, and L" for lock.
Phones with no FCN or LOCK button: Press Control 5, control is the black
volume button on the side of the
handset.
SYSTEM SELECT PROCEDURES:
Phones with a RCL button: Press RCL *, then * to select, STO to store.
Phones with no RCL button: Press Control * then * to select, # to store.
Options are: CSCAn:               Preferred/Non preferred with system lockout.
             Std A/b, or Std b/A: Preferred/Non preferred.
             SCAn Ab, or SCAn bA: Non preferred/Preferred
             SCAn A:              "A" ONLY
             SCAn b:              "B" ONLY
             HOME:                Home only
(These are typical options; some phones vary. C-Scan is only available
on newer models and does not appear unless programed, see below.)
NOTE: Not all commands work on all telephones. If a command is not valid the
display will show "ErrOr." Not all numbers have been assigned. Not all
numbers have been listed here. Some commands were intended only for
Motorola factory applications. (This is the disclaimer in the
technical training manual. I have included all of the other commands I
have discovered one way or another. Some that say no function do have
a function but it is unknown until it is figured out.)
Three test commands are significant for programming and registering the
telephone for service: see full descriptions under TEST MODE COMMANDS.
32# Clears the telephone. (Older Motorola allowed either three or fifteen
changes in the MIN. After that, the phone had to be sent to Motorola to reset
the counter. This is the command they use.)
38# Displays the ESN
55# This is the TEST MODE PROGRAMMING (as described below).
TEST MODE DISPLAY:
Test mode consists of two separate levels. When the telephone is first placed
in Test Mode, it is in the STATUS DISPLAY LEVEL. The display will be scrolling
(or flashing), or it will be locked. If locked, enter the unlock code and the
display will begin scrolling. If the unlock code is not known, press #. By
pushing the # key, the technician causes the cellular telephone to change to
its SERVICING LEVEL. The display will be US' . There are five types of
display, depending on the model of the telephone: a 16 character display, a 14
character display, a 10 digit display (with two versions), an 8 character
display, and a 7 character display. The status display is different in analog
operation than in a TDMA call.
NOTE: Use of a loaner handset is allowed in servicing level, but may not be
allowed in the status display level. A locked telephone will not show the
status display, but will enter the servicing level.
14 Character Analog Call Display
+---------------+
| A B C D E F G |
| H I J K L M N |
+---------------+
ABC = Channel
D   = *Call Processing Mode
EFG = RSSI
H   = **(D)SAT
I   = 1=TX on
J   = 1=Signalling Tone On
K   = Power Level (0-7)
L   = 1=Control Channel
M   = 1=RX Audio off
N   = 1=TX Audio off

*Call Processing Mode:
BLANK = AMPS
A     = NAMPS High Sub-Channel
B     = NAMPS Center Sub-Channel
C     = NAMPS Low Sub-Channel

**(D)SAT:
0   = 5970 Hz
1   = 6000 Hz
2   = 6030 Hz
3   = No SAT
------------
0-6 = DSAT Vector
7   = No DSAT

14 Character TDMA Call Display
+---------------+
| A B C D E F G |
| H I J K L M N |
+---------------+
ABC = Channel ("A" in the position indicates a channel above 1000)
D   = *Call Processing Mode
EFG = RSSI
HIJ = Digital Verification Color Code (1-255)
K   = Power Level (0-7)
L   = 1=TX on
M   = 1=Bit Error Rate (0-7)
N   = 1=Audio Muted

*Call Processing Mode
BLANK = AMPS
1     = Slot 1, half rate
2     = Slot 2, half rate
3     = Slot 3, half rate
4     = Slot 4, half rate
5     = Slot 5, half rate
6     = Slot 6, half rate
7     = Slot 1, full rate
8     = Slot 2, full rate
9     = Slot 3, full rate

NOTE: The Analog Call Display will always show when on a control channel.

01# Restart (Re-enter DC power start-up routine.) On TDMA telephones, this
command has the same effect as 13#.
02# Display Current Telephone Status (This is a non-altering version of the
STATUS DISPLAY. On a 14 character display, all the information is shown.
On a 7 character display only the information on the second line of a 14
character display is shown. On a 10 character display, all the
information on the second line of a 14 character display plus the last
three characters of the first line are shown.)
STATUS DISPLAY, ALTERNATES BETWEEN:
AAA BBB AAA = Channel Number (decimal) BBB = RSSI reading for channel
CDEFGHI are as follows:
C = SAT frequency (0=5970, 1=6000, 2=6030, 3=no channel lock)
D = Carrier (0=off, 1=on)
E = Signalling tone (0=off, 1=on)
F = Power attenuation level (0 through 7)
G = Channel mode (0=voice channel, 1=control channel)
H = Receive audio mute (0=unmuted, 1=muted)
I = Transmit audio mute (0=unmuted, 1=muted)
Press * to hold display and # to end.
03# Reset Autonomous Timer. This command results in the reset of the
autonomous timer but does not provide any test function on these models.
04# Initializes Telephone to Standard Default Conditions:
Carrier Off, Power Level 0, Receiver Audio Muted, Transmit Audio Muted,
Signalling Tone Off, SAT Off, Resetting of Watch-Dog Timer Enabled,
DTMF and Audio Tones Off, Audio Path Set to Speaker
05# TX Carrier On (Key Transmitter)
06# TX Carrier Off
07# RX Audio Off (Mute Receiver Audio)
08# RX Audio On (Unmute Receiver Audio)
NOTE: It seems Motorola finally discovered that people were using
this command to eaves-drop on cellular conversations. On the
newer phones (95xx), this command when used with 11xxxx#
will only work with the following channels:
11(Ch.No.)# Set Transceiver to Channel xxxx (Receive and Transmit in Decimal;
accepts 1, 2, 3, or 4 digits)
see Section 9 for detailed information on this command
12x# Set Power Step to x; (0,1-7) 0=Maximum Power (3 Watts) 7=Minimum Power Out
13# Power Off (Shuts off the radio)
14# 10 kHz Signalling Tone On
15# 10 kHz Signalling Tone Off
16# Setup (Transmits a five word RECC message; each of the five words will
be "FF00AA55CC33." Transmitter de-keys at the end of the message.)
17# Voice (Transmits a two word REVC message; each of the two words will be
"FF00AA55CC33." Transmitter de-keys at the end of the message.)
18# C-Scan (Allows for entry of as many as 5 negative SID's for each NAM.)
Newer Motorola phones are equipped with a feature called C-Scan, this is
an option along with the standard A/B system selections. C-Scan allows
the phone to be programed with up to five inhibited system ID's per NAM.
This is designed to prevent the phone from roaming onto specified non-home
systems and therefore reduce "accidental" roaming fees.
1. C-Scan can only be programed from test mode, power phone up with the
relevant test mode contact grounded (see above).
2. Press # to access test mode.
3. Press 18#, the phone will display "0 40000".
4. Enter the first inhibited system ID and press *.
Continue to enter additional system ID's if required. After the 5th entry
the phone will display "N2". Press * to continue and add system ID's for
NAM 2 as required.
5. If an incorrect entry is made (outside the range of 00000-32767) the
display will not advance, press CLR and re-enter. Use a setting of
40000 for any un-needed locations.
6. When the last entry has been made press * to store and press # to exit,
turn off power.
or
[**Phones without the C-Scan option used this command to SEND NAM.**]
18# SEND NAM. Display shows AA BB. Where AA=Address and BB=Data. Displays
the contents of the NAM, one address at a time, advanced by pressing the
* key. The following data is contained in NAM. The test is exited by
depressing the # key.
SIDH Sec. Code
OPT. (1,2,&3) MIN
MIN1, MIN2 FCHNA
SCM FCHNB
IPCH NDED
ACCOLC CHKSUM GIM
19# Display Software Version Number (4 digits displayed as year and week)
NOTE: Entering commands 20# through 23# or 27# causes the transceiver to begin
a counting sequence or continuous transmission as described below. In
order to exit from the commands to enter another test command, the #
key must be depressed; all other key depressions are ignored.
20# Receive control channel messages counting correctable and uncorrectable
errors. When the command starts, the number of the command will be
displayed in the upper-right corner of the display. Entering a # key
will terminate the command and display two three-digit numbers in the
display. The first number is the number of correctable errors and the
second is the uncorrectable errors.
21# Received voice channel messages counting correctable and uncorrectable
errors. When the command starts, the number of the command will be
displayed in the upper right-hand corner of the display. Entering a #
key terminates the command and will display two three-digit numbers in
the display. The first is the number of correctable errors and the second
is the uncorrectable errors.
22# Receive control channel messages counting word sync sequence. When the
command starts, the number of the command will be displayed in the upper
right-hand corner of the display. Entering a # key will terminate the
command and display the number of word sync sequences in the display.
23# Receive voice channel messages counting word sync sequences. When the
command starts, the number of the command will be displayed in the upper
right-hand corner of the display. Entering a # key will terminate the
command and display the number of word sync sequences in the display.
24# Receive control channel data and display the majority voted busy/idle
bit. 0=idle 1=busy
25x# SAT On When x=0, SAT=5970HZ
x=1, SAT=6000HZ
x=2, SAT=6030HZ
26# SAT Off
27# Transmit Data (Transmits continuous control channel data. All words
will be "FF00AA55CC33." When the command starts, '27' will be displayed
in the right side of the display. Entering a # key will terminate the
command. The transmitter de-keys when finished.)
28# Activate the high tone (1150 Hz +/- 55 Hz)
29# De-activate the high tone
30# Activate the low tone (770 Hz +/- 40 Hz)
31# De-activate the low tone
32# Clear (Sets non-volatile memory to zeroes or factory default. This
command will affect all counters, all repertory memory including the last
number called stack, and all user programmable features including the
setting of System Registration. It does not affect the ESN, NAM, phasing
data, or lock code. This takes a minute or so. DO NOT TURN OFF THE
TELEPHONE WHILE THIS IS SHOWING '32' ON THE DISPLAY. WAIT UNTIL THE
NORMAL SERVICE LEVEL DISPLAY RESUMES! [maybe a minute or so])
33x# Turn on DTMF for x (1-9, *, 0, #, plus the single tones)
     Where x =  1   697 Hz + 1209 Hz      14   1150 Hz (not used in cellular)
                2   697 Hz + 1336 Hz      15   1209 Hz
                3   697 Hz + 1477 Hz      16   1336 Hz
                4   770 Hz + 1209 Hz      17   1477 Hz
                5   770 Hz + 1336 Hz      18   1633 Hz (not used in cellular)
                6   770 Hz + 1477 Hz      19   Turn DTMF off
                7   852 Hz + 1209 Hz      20   2087 Hz
                8   852 Hz + 1336 Hz      21   2308 Hz
                9   852 Hz + 1477 Hz      22   2553 Hz (not used in cellular)
                *   941 Hz + 1209 Hz      23   Turn DTMF off
                0   941 Hz + 1336 Hz      24   3428 Hz (not used in cellular)
                #   941 Hz + 1477 Hz      25   3636 Hz (not used in cellular)
               10   697 Hz                26   4000 Hz (not used in cellular)
               11   770 Hz                27   3555 Hz (not used in cellular)
               12   852 Hz                28   4571 Hz (not used in cellular)
               13   941 Hz                29   Turn DTMF off
Someone Please Check Out 24 thru 28 for accuracy. I had weak equipment.
34# Turn DTMF Off
35# Display RSSI ("D" Series Portable Only)
or
35x# Set Audio Path to x x=0, V.S.P Microphone (Applies to mobiles only.)
x=1, Speaker
x=2, Alert
x=3, Handset
x=4, Mute
x=5, External Telephone (Applies to Portables Only)
x=6, External Handset (Applies to NEWER Portables)
36nnn# Scan (TDMA Telephones only. Scans the primary control channels and
attempts to decipher the forward data stream. The display will show PASS1
if the strongest control channel was accessed, PASS2 if the second
strongest was accessed, and FAIL if no control channel could be accessed.)
(nnn=Scan speed in milliseconds). Tunes from channel 1 to 666 in order.
Entering a * pauses the scan and displays current Channel Number and
RSSI reading (AAA=Channel Number and BBB=RSSI Reading). When scan speed
is 300 milliseconds or greater, the current status is displayed during the
scan; when less than 300 milliseconds the status is displayed only during
pause. Entering * during a pause causes the scan to resume. Entering #
aborts the scan and leaves the mobile tuned to the current channel. During
this command only the * and # keys are recognized.
NOTE: While I haven't heard from ONE single person that this has worked,
Motorola has continued to print this command in all the Technical
Training Books (including the January 96 edition).
37# Sets Low Battery Threshold. Usage: #37#x# where x is any number
from 1 to 255. If set to 1, the Low Battery indicator will come up
when the phone is powered on. If set to 255, it may never come up.
38# Display ESN (Displays ESN in four steps, two hexadecimal digits at a time
in a four digit display. The decimal shows the address, 00 through 03 as
the first two digits, and two digits of the ESN as the last two digits.
Use the '*' to step through the entire hexadecimal ESN.)
Compander OFF ("D" Series Portables)
or
38# SND-SNM. Display shows AA BB. Where AA=Address;BB=Data. Send the SNM
to the display. All 32 bytes of the SNM will be displayed, one byte at
a time. The byte address will be displayed in the upper right-hand
corner and the contents of that address will be displayed in hex.
The * key is used to step through the address similar to the SEND-NAM
(18#) command.
39# Compander ON ("D" Series Portables)
or
39# RCVSU. Receive one control channel word. When the word is received it
is displayed in hex. This command will be complete when a control channel
word is received or when the # key is entered to abort the command.
40# RCVVC. Receive one voice channel word. When the word is received it is
displayed in hex. This command will be complete when a voice channel
word is received or when the # key is entered to abort the command.
41# Enables Diversity (On F19CTA... Series only.)
42# Disables Diversity (On F19CTA... Series only.)
43# Disable Diversity
USE T/R ANTENNA (On F19CTA... Series only.)
USE R ANTENNA (On D.M.T./ Mini TAC)
44# Disable Diversity
USE R ANTENNA (On F19CTA... Series only.)
USE T/R ANTENNA (On D.M.T./ Mini TAC)
45# Display Current Receive Signal Strength Indicator (Displayed as a 3 digit
decimal number) The strongest signal I have ever received was 179 and I
was sitting directly below the tower WITHOUT an external antenna.
46# Display Cumulative Call Timer
47x# Set RX Audio level to X
(For F19CTA ...Series Transceivers)
X=0, Lowest Volume
X=6, Highest Volume
X=7, mute
Normal setting is 4.
(For D.M.T./ Mini TAC Transceivers)
X=0, Lowest Volume
X=7, Highest Volume
Normal setting is 4.
(For TDMA Transceivers and F09F... Series and Higher Portables)
X=0, Lowest Volume
X=15, Highest Volume
Normal setting is 2 to 4. (On TDMA
Transceivers and Micro TAC portables,
settings 8 through 15 are for DTMF
applications only.)
48# Side Tone On. Use this command in conjunction with 350# to test the
entire audio path in hands-free applications.
49# Side Tone Off
50# Maintenance data is transmitted and test results displayed:
      PASS   = received data is correct
      FAIL 1 = 2 second timeout, no data rec.
      FAIL 2 = received data is incorrect
51# Test of mobile where maintenance data is transmitted and looped back.
Display is as follows:
PASS=looped-back data is correct
FAIL 1=2 second timeout, no looped-back data
FAIL 2=looped-back data is incorrect
52x# SAT Phase Adjustment. A decimal value that corresponds to phase shift
compensation in 4.5 degree increments. Compensation added to inherent
phase shift in transceiver to achieve a total of 0 degrees phase shift.
Assuming you have completed one of the above steps correctly the phone
will wake up in test mode when you turn the power on. When you first
access test mode the phone's display will alternate between various status
information that includes the received signal strength and channel number.
The phone will operate normally in this mode. You can now access Service
Mode by pressing the # key; the display will clear and a ' will appear.
Use the following procedure to program the phone:
1. Enter 55# to access programing mode.
2. The * key advances to the next step. (NOTE that test mode programing
does NOT have step numbers, each time you press the * key the phone
will display the next data entry).
3. The CLR key will revert the display to the previously stored data.
4. The # key aborts programing at any time.
5. To complete programing you must scroll through ALL entries until a '
appears in the display.
6. Note that some entries contain more digits than can be displayed by the
phone, in this case only the last part of the data can be seen.
TEST MODE PROGRAMING DATA: For AMPS and NAMPS Cellular Telephones
STEP#  #OF DIGITS/RANGE  DESCRIPTION
01     00000 - 32767     SYSTEM ID
02     8 DIGIT BINARY    OPTION PROGRAMING, SEE NOTE 1 BELOW
03     10 DIGITS         MIN (AREA CODE & TEL#)
04     2 DIGITS          STATION CLASS MARK, SEE NOTE 2 BELOW
05     2 DIGITS          ACCESS OVERLOAD CLASS
06     2 DIGITS          GROUP ID (10 IN USA)
07     6 DIGITS          SECURITY CODE
08     3 DIGITS          UNLOCK CODE
09     3 DIGITS          SERVICE LEVEL, SEE NOTE 3 BELOW
10     8 DIGIT BINARY    OPTION PROGRAMING, SEE NOTE 4 BELOW
11     8 DIGIT BINARY    OPTION PROGRAMING, SEE NOTE 5 BELOW
12     0333 OR 0334      INITIAL PAGING CHANNEL
13     0333              "A" SYSTEM IPCH
14     0334              "B" SYSTEM IPCH
15     3 DIGIT NUMBER    PAGING CHANNEL (021 IN USA)
16     8 DIGIT BINARY    OPTION PROGRAMING, SEE NOTE 6 BELOW
Steps 01 through 06 and 12 will repeat for NAM 2 if the second phone
number bit has been enabled in step 11.
TEST MODE PROGRAMING DATA: For TDMA Cellular Telephones
STEP#  #OF DIGITS/RANGE  DESCRIPTION
01     00000 - 32767     SYSTEM ID
02     8 DIGIT BINARY    OPTION PROGRAMING, SEE NOTE 1 BELOW
03     10 DIGITS         MIN (AREA CODE & TEL#)
04     2 DIGITS          STATION CLASS MARK, SEE NOTE 2 BELOW
05     2 DIGITS          ACCESS OVERLOAD CLASS
06     2 DIGITS          GROUP ID (10 IN USA)
07     6 DIGITS          SECURITY CODE
08     3 DIGITS          LOCK CODE
09     3 DIGITS          SERVICE LEVEL, SEE NOTE 3 BELOW
10     8 DIGIT BINARY    OPTION PROGRAMING, SEE NOTE 4 BELOW
11     8 DIGIT BINARY    OPTION PROGRAMING, SEE NOTE 5 BELOW
12     0333 OR 0334      INITIAL PAGING CHANNEL
13     0333              "A" SYSTEM IPCH
14     0334              "B" SYSTEM IPCH
15     3 DIGITS          DEDICATED PAGING CHANNELS (021 IN USA)
16     3 DIGITS          SECONDARY INITIAL PAGING CHANNEL. 708 for
                         system A, 737 for system B. Allows the TDMA
                         telephone to be assigned to a TDMA channel in
                         a call
17     708               SECONDARY INITIAL PAGING CHANNEL FOR SYSTEM A
18     737               SECONDARY INITIAL PAGING CHANNEL FOR SYSTEM B
19     8 DIGITS          OPTION PROGRAMMING, SEE NOTE 6 BELOW
NOTES:
Take care with Motorola's use of "0" and "1". Some options use "0" to
enable, some use "1".
These are eight digit binary fields used to select the following options:
1. (step 02 above, suggested entry is: 11101001 for "A" system, 10101001
for "B" sys)
Digit 1: Local use mark, 0 or 1.
Digit 2: Preferred system, 1=system A, 0=system B.
Digit 3: End to end (DTMF) dialing, 1 to enable.
Digit 4: Not used, enter 0. Formerly used for test mobile.
Digit 5: Repertory (speed) dialing, 1 to enable. (Not used in TDMA)
Digit 6: Auxiliary (horn) alert, 1 to enable.
Digit 7: Hands free (VSP) auto mute, 1 to enable (mutes outgoing hands
free audio until the MUTE key is pressed). (Not used in TDMA)
Digit 8: Min mark, 1 = Enabled. NOT CHANGEABLE on series II or III.
2. Station Class Mark
SCM | 666 or 832 Ch. | VOX | Max Power
-----+----------------+-----+-----------
00 | 666 | N | 3.0 W
01 | 666 | N | 1.2 W
02 | 666 | N | 0.6 W
03 | | |
04 | 666 | Y | 3.0 W
05 | 666 | Y | 1.2 W
06 | 666 | Y | 0.6 W
07 | | |
08 | 832 | N | 3.0 W
09 | 832 | N | 1.2 W
10 | 832 | N | 0.6 W
11 | | |
12 | 832 | Y | 3.0 W
13 | 832 | Y | 1.2 W
14 | 832 | Y | 0.6 W
15 | | |
3. Service Level Codes:
001 The telephone will only dial numbers in memory locations 01, 02
and 03. No keypad entries or memory storage is possible.
Restrict ALL outgoing calls by clearing locations 01, 02, and 03
and place the phone in servicing level 001. In some phones this
applies to memory locations 01 - 10.
002 The telephone will dial only numbers from memory locations. The
keypad is disabled and super speed dialing is not enabled.
003 Keypad dial only; no memory recall allowed.
004 Unlimited keypad and memory dialing. (DEFAULT)
005 Seven-digit dialing only
006 Full keypad and memory dialing, but memory locations 1 through
10 cannot be changed.
007 The phone will dial only from as many as 50 programmable memory
locations
4. (step 10 above, suggested entry is: 00000100)
Digits 1 - 3: Not used in USA, enter 0.
Digit 4: Extended Field. When enabled, the telephone will scan
more than 32 paging channels. Not used in USA, 0 to disable
Digit 5: Single system scan, 1 to enable (scan A or B system only,
determined by bit 2 of step 02. Set to "0" to allow user the
option).
Digit 6: Super speed dial, 1 to enable (pressing N, or NN SND will
dial the number stored in memory location NN).
Digit 7: User selectable service level, 0 to enable (allows user to
set long distance/memory access dialing restrictions).
Digit 8: Lock function, 0 to enable (allows user to lock/un-lock the
phone, if this is set to 1 the phone can not be locked).
5. (step 11 above, suggested entry is: 00000000)
Digit 1: Handset programing, 0 to enable (allows access to programing
mode without having to enter test mode).
Digit 2: Second phone number (not all phones), 1 to enable.
Digit 3: Call timer access, 0 to enable. (Not used in TDMA)
Digit 4: Auto system busy redial, 0 to enable.
Digit 5: Internal Speaker disable, 1 to enable (use with select VSP
units only, do not use with 2000 series mobiles).
Digit 6: IMTS/Cellular, 1 to enable (rarely used).
Digit 7: User selectable system registration, 0 to enable.
Digit 8: Dual antenna (diversity), 1 to enable.
6. (step 16 and 19 above, suggested entry is: 0011010 for portable and 0011011
for mobile units)
Digit 1: Enhanced Scan, when enabled, four strongest signalling
channels are scanned instead of two. 1=enabled, 0=disabled.
Digit 2: Cellular Connection, used only in series II phones if a
series I cellular connection is used with a series II.
0=series II, 1=series I, 0 for ALL TDMA PHONES
Digit 3: Continuous DTMF, 1 to enable (software version 8735 and later)
Digit 4: Transportable Internal Ringer/Speaker. When set to 0, audio
is routed to the external speaker of the transportable; 1
routes it to the handset.
Digit 5: 8 hour time-out, 0 to enable (software version 8735 and later)
Digit 6: Not used, 0 only.
Digit 7: Failed page indicator, 0 to enable (phone beeps when an
incoming call is detected but signal conditions prevent
completion of the call).
Digit 8: Portable scan, 0 for portable, 1 for mobile units.
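Notes 4 and 5 mix "1 to enable" and "0 to enable" digits in the same field, which is the easiest place to misread a programmed entry. The following is an added example, not part of the original manual: it decodes and rebuilds the step 10 and step 11 entries using only the digit meanings listed in those notes. The option names, function names and the reading of "Extended Field ... 0 to disable" as "1 enables" are assumptions of this example.

```python
# Added example (not from the original text): decode the 8-digit binary
# option fields of programming steps 10 and 11 using Notes 4 and 5.
# Each layout entry is (option name, digit value that ENABLES it), digit 1
# first. None marks digits the notes list as unused ("enter 0").
STEP_10 = (
    (None, None), (None, None), (None, None),
    ("extended field", "1"),                 # inferred from "0 to disable"
    ("single system scan", "1"),
    ("super speed dial", "1"),
    ("user selectable service level", "0"),  # inverted: 0 enables
    ("lock function", "0"),                  # inverted: 1 means cannot lock
)
STEP_11 = (
    ("handset programming", "0"),            # inverted: 0 enables
    ("second phone number", "1"),
    ("call timer access", "0"),
    ("auto system busy redial", "0"),
    ("internal speaker disable", "1"),
    ("IMTS/cellular", "1"),
    ("user selectable system registration", "0"),
    ("dual antenna (diversity)", "1"),
)


def decode_options(layout, entry):
    """Return ({option: enabled}, [problems]) for one 8-digit entry."""
    if len(entry) != 8 or any(d not in "01" for d in entry):
        # A 7-digit entry is rejected rather than silently padded.
        raise ValueError("entry must be exactly eight binary digits")
    enabled, problems = {}, []
    for position, (digit, (name, on)) in enumerate(zip(entry, layout), 1):
        if name is None:
            if digit != "0":
                problems.append(f"digit {position} is unused and should be 0")
            continue
        enabled[name] = (digit == on)
    return enabled, problems


def encode_options(layout, enabled):
    """Inverse of decode_options: build the entry for a set of option names."""
    known = {name for name, _ in layout if name is not None}
    unknown = set(enabled) - known
    if unknown:
        raise ValueError(f"unknown options: {sorted(unknown)}")
    digits = []
    for name, on in layout:
        if name is None:
            digits.append("0")
        else:
            off = "1" if on == "0" else "0"
            digits.append(on if name in enabled else off)
    return "".join(digits)


if __name__ == "__main__":
    # The suggested entries from Notes 4 and 5.
    for label, layout, entry in (("step 10", STEP_10, "00000100"),
                                 ("step 11", STEP_11, "00000000")):
        options, problems = decode_options(layout, entry)
        print(label, entry)
        for name, state in options.items():
            print(f"  {name}: {'enabled' if state else 'disabled'}")
        for problem in problems:
            print("  warning:", problem)
```

Decoding the all-zero step 11 entry shows that handset programming, call timer access, busy redial and user-selectable registration are all enabled, because those four digits are inverted.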
56# Illumination Diagnostic. Lights up all lights (except the green in use
light) and displays all "8"'s. The phone is also muted until repowered.
57x# Call Processing Mode
x=0, AMPS
x=1, NAMPS
x=2-4, RESERVED
x=5, TDMA signalling
x=6, TDMA signalling with loopback before decoding
x=7, TDMA signalling with loopback voice after decoding
x=8, TDMA signalling with loopback FACCH after decoding
x=9, TDMA forced synchronization
58# Compander On (Audio compressor and expander) (See 39#)
59# Compander Off (Audio compressor and expander) (See 38#)
60# no function
61# ESN Transfer (For Series I D.M.T./Mini TAC only)
62# Turn On Ringer Audio Path
63# Turn Off Ringer Audio Path
64# ? Does something, doesn't display anything
65# ? Does something, doesn't display anything
66# Identity Transfer (Series II Transceivers and later mobiles, F09HG...,
F09HL..., F09HY..., F09HR..., F09LF..., F09NF..., F09PY..., F09QY...,
F09RY..., and most retail portables shipping prior to April 1, 1995.)
Does the actual transfer of the ESN and NAM info. See the 80x# command.
67# Displays two 3 digit numbers. If you keep entering this command
repeatedly, the first number will constantly change, the second won't
(as far as I have seen).
68# Display FLEX and Model Information
69# Used with 66# for Identity Transfer. In models shipped without the 66#
command, this is used with 80x# instead. Reads NAM information, repertory
memory, and C-Scan ID SID's from old phone.
70# Abbreviated field transmitter audio deviation command, for transceivers
with FCC ID ABZ89FT5668.
71# Abbreviated field power adjustment command, for transceivers with FCC ID
ABZ89FT5668.
72# Field audio phasing commands. The left side of the display should read
"00" followed by a two digit number. The "00" indicates the first
programming step. If you press the *, the 00 changes to 01 and so on until
08. The "06" and "0A" are used to change the audio level (to change:
press the volume up or down keys). Other registers...don't know.
73# Field power adjustment command.
80x# Current Identity Transfer Procedure. (Available in telephones shipping
after April 1, 1995.) This does NOT transfer the ESN.
x=0, Transfers NAM information (On TDMA telephones, this
command also transfers C-Scan SID's.)
x=1, Transfers repertory memory (names & telephone numbers
in memory.)
x=2, Transfers C-Scan SID's on analog telephones (Not
available on TDMA telephones.)
NOTES: As new fones come out, more commands are added/deleted as needed.
The majority of these commands were figured using VERY old software
versions. Some commands won't work on some phones. If you find a
command that does something, please inform me as well as the software
version number of the phone it was discovered on.
Note: This is NOT my hack. Thanks to [email protected] for this addition.
HACKING THE FOVC
Problem: When listening to something interesting (a conversation),
just when that sexy sounding horny broad begins to give her
phone number to some lucky guy, HANDOFF!!! then static... DAMN!
Trick: Hack the FOVC.
a quick definition: FOVC = FOrward Voice Channel
                    FOCC = FOrward Control Channel
                    REVC = REverse Voice Channel
                    RECC = REverse Control Channel
As the phone travels through cells, the FOVC is where the tower tells
the phone to adjust power levels for the current cell or to change to
a new channel for use in the new cell. This info can be hacked apart.
So. When you've found a good conversation, don't be lazy! Enter 40#!
This makes the phone listen for commands on the voice channel
(embedded in the audio portion- you can hear it as a "bump" sound). It
will just sit there and the display will read '40' , but the
conversation will still be audible. Now when the phone receives a
FOVC command (a 40 bit sequence) data will flow across the display, in
hex format, and stop. Listen to the phone, if the conversation is
still there, then the command was only to adjust power levels. If the
conversation is gone, then it's a handoff. If you only got a power
adjustment command just press # or clr, whichever gets you back to
the ' prompt. Enter 40# and keep listening. You can also use the # key
to cancel the 40# command, if you want to change channels or something.
If it was a handoff, it's time for some quick math. You have to convert
some of the numbers to binary, and then to decimal. I don't know how
many characters your phone's display will show. Mine only shows the
last seven of the ten hex digits. Count left from the end 6 digits.
Write down that digit and the next two on a piece of paper, ie:
???j16djjj j=junk numbers (hex numbers range from 0-9,a-f)
/ \
these are lost due to scrolling
write down 16d then convert it to a binary string:
1 = 0001
6 = 0110
d = 1101 (d=13)
now you have a binary string like this: 000101101101
throw away the first 2 bits and get: 0101101101
convert this to decimal and get: 365
365 is the new channel the conversation has moved to! Enter 110365#
and voila! You too, can hear the horny babe's phone number!
Don't forget to enter 40# again, as the call may be moving quickly
through cells ( small cells or freeway driving ) or the call can get
bounced around by the tower for cell traffic purposes.
Here's one more example of the hex>binary>decimal conversion.
???j5aejjj
5 = 0101
a = 1010
e = 1110
full string = 010110101110
truncate 2 msb = 0110101110
convert to decimal = 430
READING THE SID WITH THE MOTOROLA PHONE
---------------------------------------
-----------=?> Doctor Who <?=----------
This document is copyright by the author, and may be redistributed without
charge as long as it is not changed in any way. No user other than the author
or his assignees may charge for distribution of this document.
Written on March 19, 1995. A sunny, but still somewhat cold Sunday.
The SID (System IDentification) of a control channel can be determined using
the test mode of the Motorola cellular phone. This document assumes the reader
understands cellular technology in general, and how to access Motorola's test
mode in specific.
Tune the phone to the desired control channel with 11xxx# where XXX is the
channel number. Hit 39# to receive one control channel word. One should appear
in less than two seconds, filling up all ten digits on the display with
hexadecimal digits. Do this repeatedly until one is found with the correct
pattern. Digit places start at the left hand side and go to the right.
The first digit should be C, D, E, or F. This letter can be used to determine the
DCC/SAT of the cell. A "C" is SAT 0, D is 1, E is 2, and F is 3. Ignore digits
8, 9, and 10. They are parity bytes. Digit 7 should be "6" or "E", though I
have never found it to be other than "E". The hexadecimal value represented
by digits 2 through 5 is then divided by two, and then 1 added if the carrier
is a "A" side, "non-wireline" carrier. The result is the System ID.
for example:
E00388EA08
E means this cell has an SAT/DCC of 3. The A08 is ignored. The E to the left of
it is proper and normal, so this is the right kind of message. Ignore the 8 in
position 6, that is, just to the left of the E. 0038 in hexadecimal translates
((3*16=48)+8)) to 56. 56/2 = 28. Looking up System ID 28 on my chart indicates
Nynex in Boston. This is correct.
Please be aware that the two SID charts I have seen around the net are very
outdated. I have a more recent version on paper which I may eventually type in,
when I have the time and energy.
The methods used above are only a very crude way to do what could be done
much more efficiently by computer. I am sure that programs will be written to
do exactly this, but I am holding off until I have thoroughly hacked the
meaning of all these types of messages before writing such a program. I am
also contemplating the design of a cable to replace the handset, running
from the 25 pin connector on the side of my Bag Phone to a computer.
-----------=?> Doctor Who <?=-----------
[email protected]
"Do what thou wilt shall be the whole of the law"
RADIOPHONE cellular archive http://www.l0pht.com/radiophone
Before going into the cable specs, here are the pin-outs to all phones as of
now (in the US). A very special thanks go to Motorola for faxing me the new
Ultra Classic II pin-outs!
PIN DESIGNATION/FUNCTION
1 Battery A+, red wire
2 Transmit Audio / ON-OFF Function, a shared line between Audio (AC) and
ground. This line will toggle the ON/OFF status of the telephone.
3 Ground (A+ return), black wire
4 Ignition Sense Lead, green with a black tracer
5 Receiver Audio (RX High), to handset connector pin 8
6 Regulated +9.5 volts, to handset connector pin 2
7 T-Data, one of the 3-wire bus lines, to handset connector pin 3
8 C-Data, one of the 3-wire bus lines, to handset connector pin 4
9 Digital Hands-Free Microphone / Manual Test. When the pin is grounded,
which can be done by shorting the two connectors of the Hands-Free
microphone, the unit is enabled to work in TEST MODE.
10 R-Data, one of the 3-wire bus lines, to handset connector pin 5
11 Handset Logic Ground, to handset connector pin 1
12 Speaker High \
| -> Only on SKN4279A and SKN4277A
13 Speaker Low /
14 Handset Audio Ground, to handset connector pin 6
15 Auxiliary Alert, yellow lead with a black tracer, used to blow the horn
or flash the headlights. Provides a ground for the relay; maximum
current is 1/2 amp. It is *N O T* recommended that this circuit be
used to drive the horn or headlights directly.
25 pin cable pinouts (series 2 and 3 transceivers)
PIN DESIGNATION/FUNCTION
1 Transmit Audio/ON - OFF Function
2 Mobile/Transportable Select Line
3 Ground (A + return), one of 2 black wires. Both are required for proper
operation
4 Battery A +, one of 2 red wires. Both are required for proper operation.
5 Ignition Sense Lead, green with red tracer
6 Receiver audio to handset (RX High), pin 8 on the handset connector
7 Ground
8 Regulated +9.5 volts to handset, pin 2 on handset connector
9 Ground
10 Auxiliary Alert, yellow with black tracer, used to blow the horn or
flash the headlights. Provides a ground function. NOTE: 1/2 amps
maximum current. The recommended method is to drive a relay
(e.g. MOT 59K813674). Ignition Sense, pin 5, must be low for this
function to work.
11 T-Data, one of the 3-wire bus lines, to pin 3 of the handset connector
12 C-Data, one of the 3-wire bus lines, to pin 4 of the handset connector
13 Ground
14 Transmit Audio Shield
15 Transmit Audio
16 Battery A+, one of two red wires. Both are required for proper operation
17 Ground, one of two black wires. Both are required for proper operation
18 R-Data, one of the 3-wire bus lines, to pin 5 of the handset connector
19 Receiver audio to external speaker
20 Ground for receiver audio (shield) to external speaker
21 Manual test line. When connected to ground, puts phone in test mode
22 Ground
23 Handset logic ground, to handset connector pin 1
24 Handset audio ground, to handset connector pin 6
25 Accessory ground, to external speaker
OEM 32 pin cable pinouts

Note: Looking into connector on the transceiver with the antenna port down.

      16 15 14 13 12 11 10  9  8  7  6  5  4  3  2  1
    +-------------------------------------------------+
  C |  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  * |
  D |  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  * |
    +-------------------------------------------------+

Row C
Pin#  Designation/Function
 1    Battery A+
 2    Ignition Sense
 3    Status Display Control
 4    Not Used
 5    Ground (A+ Return)
 6    GM Proprietary Serial Data Bus
 7    Audio Ground, from GM Audio bus to telephone
 8    Low level audio, from telephone to GM Audio bus
 9    Not used
10    Not used
11    Mobile / Transportable select line
12    Handset Logic Ground
13    T-Data, one of the 3-wire bus lines
14    R-Data, one of the 3-wire bus lines
15    TX High / ON-OFF
16    VSP Microphone High

Row D
Pin#  Designation/Function
 1    Not Used
 2    Antenna Drive (for power antenna)
 3    Not Used
 4    Auxiliary Alert, used to blow the horn or flash the headlights
      through a relay
 5    Not Used
 6    GM proprietary serial bus
 7    Audio Ground (not connected)
 8    Low Level Audio (not connected)
 9    Manual Test Line; when grounded this line enables TEST MODE
10    RX High
11    Ground (TX Shield)
12    Regulated +9.5 volts
13    C-Data, one of the 3-wire bus lines
14    Audio Ground
15    Ground (Rx Shield)
16    VSP Microphone Ground
Pinouts for the Motorola 8000 brick phone - "N" series
-----------=?> Doctor Who <?=-----------
11/21/94
numbering starts on top left     1  2  3  *   4   5   6
                                 7  8  9  *  10  11  12
PIN SIGNAL
* GROUND
1 logic ground
2 not used
3 audio in to phone
4 audio out (and on/off toggle)
5 4.75 Bias
6 Manual test line
7 Ground for audio signals (common)
8 TRU data line
9 not used
10 CMP data line
11 RTN data line
12 ignition sense
OK OK OK. Here are the cable specs. They are 100% correct. Of course I
wouldn't know because these are for information purposes only. I have been
told however by VERY reliable sources that they are guaranteed, 100%, GRADE-A,
correct. If they don't work for you, you did something wrong.
Motorola Cellphone cable construction for flips
-----------------------------------------------

DB25            FLIP
----            ----
 1(--------)4
 2(--|<----)Jump this line to the Center
            Pin on the back of phone.
 4(--|<----)1      "|<" is the 1N4001 diode.
12(--------)5
13(--------)6
18-25(-+------)8
       |
       |  +-)7
       |  |
       |  |
       |  |
      NeG PoS ---Cig adapter

Battery Eliminator cable attachment, pins up:

--------=
1       =
--------=
        =
--------=
        =
--------=
4       =  -->To phone
--------=
5       =
--------=
6       =
--------=
7*      =
--------=
8*      =
--------=
DB25 Male               Phone                                  Power Connector
                                                               (see Note 1)
 1-To phone pin 4       1-DB25 pin 4 (see note 2)              Gnd-To Db25 Pins 18-25 and
 2-To Phone test lead   2-NC                                       Phone pin 8
   (see note 2)
 3-NC                   3-NC                                   Tip-To phone pin 7
 4-To phone pin 1       4-To DB25 pin 1
   (see note 2)
 5-NC                   5-To DB25 pin 12
 6-NC                   6-To DB25 pin 13
 7-NC                   7-To tip on power connector
 8-NC                   8-GND
 9-NC                   Test Lead-To DB25 pin 2 (See note 2)
10-NC
11-NC
12-To Phone pin 5
13-To Phone pin 6
14-NC
15-NC
16-NC
17-NC
18-GND \
19-GND  |
20-GND  |
21-GND  |--Conn together to GND on 12v conn
22-GND  |  And pin 8 on phone plug
23-GND  |
24-GND  |
25-GND /
NOTE 1:
The power adapter on the cable is 12 volt input but is a regulated
7.95 volts out. DO NOT connect 12 volts between pins 7 and 8 on the
phone connector.
Frequency Range for 666 Channels:
    Reverse (Mobile TX) 825.020 - 844.990 MHz
    Forward (Mobile RX) 870.020 - 889.990 MHz
Frequency Range for 832 and 2412 Channels:
    Reverse (Mobile TX) 824.030 - 848.980 MHz
    Forward (Mobile RX) 869.030 - 893.980 MHz
Frequency Calculation for Channels 1-799:
    Reverse (Mobile TX) Frequency = 825.00 MHz + (Ch.# X .030 MHz)
    Forward (Mobile RX) Frequency = 870.00 MHz + (Ch.# X .030 MHz)
Frequency Calculation for Channels 991-1023:
    Reverse (Mobile TX) Frequency = 825.00 MHz - [.030 MHz X (1023 - Ch.#)]
    Forward (Mobile RX) Frequency = 870.00 MHz - [.030 MHz X (1023 - Ch.#)]
To determine the center frequency of an associated NAMPS sub-channel in these
formulas, subtract 10 kHz from the result for the low sub-channel, leave the
result as is for the center sub-channel, and add 10 kHz to the result for the
high sub-channel.
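The channel formulas and the NAMPS sub-channel rule above, worked through as an added example that is not part of the original manual. It computes in integer kHz, rejects channel numbers outside 1-799 and 991-1023, maps a frequency back to its channel, and recomputes the band edges from the formulas; all function names are assumptions of this example.

```python
# Added example (not from the original text): the channel/frequency formulas
# above, worked in integer kHz so results compare exactly.
REVERSE_BASE_KHZ = 825_000     # 825.00 MHz (mobile TX)
FORWARD_BASE_KHZ = 870_000     # 870.00 MHz (mobile RX)
STEP_KHZ = 30                  # .030 MHz per channel
NAMPS_OFFSET_KHZ = {"low": -10, "center": 0, "high": 10}


def channel_index(channel):
    """Signed number of 30 kHz steps from the base frequency."""
    if isinstance(channel, bool) or not isinstance(channel, int):
        raise TypeError("channel number must be an integer")
    if 1 <= channel <= 799:
        return channel
    if 991 <= channel <= 1023:
        return -(1023 - channel)
    raise ValueError(f"channel {channel} is outside 1-799 and 991-1023")


def channel_to_khz(channel, sub_channel="center"):
    """Return (reverse_khz, forward_khz) for a channel and NAMPS sub-channel."""
    if sub_channel not in NAMPS_OFFSET_KHZ:
        raise ValueError(f"unknown NAMPS sub-channel {sub_channel!r}")
    shift = STEP_KHZ * channel_index(channel) + NAMPS_OFFSET_KHZ[sub_channel]
    return REVERSE_BASE_KHZ + shift, FORWARD_BASE_KHZ + shift


def khz_to_channel(freq_khz):
    """Inverse lookup: return (channel, sub_channel, direction)."""
    for direction, base in (("reverse", REVERSE_BASE_KHZ),
                            ("forward", FORWARD_BASE_KHZ)):
        for sub_channel, offset in NAMPS_OFFSET_KHZ.items():
            steps, remainder = divmod(freq_khz - base - offset, STEP_KHZ)
            if remainder:
                continue                      # not on this sub-channel raster
            if 1 <= steps <= 799:
                return steps, sub_channel, direction
            if -32 <= steps <= 0:
                return 1023 + steps, sub_channel, direction
    raise ValueError(f"{freq_khz} kHz is not on the channel raster")


def band_edges(channels):
    """(min reverse, max reverse, min forward, max forward) in kHz,
    measured from the low sub-channel of the lowest channel to the high
    sub-channel of the highest channel."""
    channels = list(channels)
    lows = [channel_to_khz(c, "low") for c in channels]
    highs = [channel_to_khz(c, "high") for c in channels]
    return (min(r for r, _ in lows), max(r for r, _ in highs),
            min(f for _, f in lows), max(f for _, f in highs))


if __name__ == "__main__":
    # 0333 and 0334 are the "A" and "B" initial paging channels listed in
    # the programming tables.
    for ch in (333, 334, 991, 1023):
        rev, fwd = channel_to_khz(ch)
        print(f"channel {ch:4d}: reverse {rev / 1000:.3f} MHz, "
              f"forward {fwd / 1000:.3f} MHz")
    print("666-channel edges:", band_edges(range(1, 667)))
    print("832-channel edges:",
          band_edges(list(range(991, 1024)) + list(range(1, 800))))
```

Run as a script, the two edge tuples come out equal to the frequency ranges listed above, which shows those ranges are measured to the low and high NAMPS sub-channels of the first and last channels.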
The following text I took from the Poisoned Pen BBS (Hi guys). Thanks Jakey
for taking the time to decipher all of this shit. As far as I know, with
the exception of a post on #cellular and the upload to Poisoned Pen, there is
nothing in print with this compilation. Again, special thanks go to Jakey
([email protected]) for the long, seemingly endless work.
CELLULAR PHONE FREQUENCIES AND MOTOROLA
TEST MODE NUMERIC CODES.
( Motorola test mode channel numbers )
( are for use in motorola test mode )
( with function 11xxxx# )
( All frequencies in Megahertz FM )
Lower Set (1-666)
I got this from a bbs in the (708) area code. It had no name associated
with it. Since NO ONE has mailed me any other info on it, I will keep this
in the bible until someone bitches or sends me something tangible. Besides,
with Loadkit so readily available, who has the time to mess with it?
-ML
MOTOROLA "TRIK-CLIP"
These are the plans I received for the Flip. Supposedly if one knew the
pinouts on the other moto phones one could transpose. (maybe!) I never
tested this so I don't know if it works. The chip in the flip the text
is talking about is a 32 pin square plcc
After Phone Disassembly Locate 27c512 Eprom on phone board. This is
On The Upper Right Side Of The Display Next To The Roam Indicator.
This Is a 32 pin Square device. **Note the dot and beveled edge
for pin orientation (the dot is pin 1) Count to the left
counter clock wise 2 3 4 5 and so on. To the Right or clockwise
of the dot is pin 32 Vcc. This will aid you in your count to find
pin 25 which is the eprom output enable. This pin is at ground or
Vss - Level. **Note Pin 25 on Eprom in phone must be lifted from
the phone board ground or Vss state. Use an X-acto Knife and or
soldering iron and tools to cut pin at board level where pin
narrows. Do not bend wide part of pin up on eprom as this could
break off of Eprom. Also Wide Part of pin Will be used to make
contact with eprom test clip adapter. The eprom test clip adapter
will take pin 25 to logic high through an 8 to 10 thousand
resistor to pin 32 Vcc. This will Gate off all data Commands from
the phone board eprom and allow the eprom test clip adaptor to
take over. **Note test clip could touch narrow part of cut off
pin on board and cause phone not to power up please remove or fold
down as low as possible so test clip only touches side of eprom.
After programing is complete put pin 25 back together or find a
suitable ground or Vss - source. The phone will power up and work
without pin 25 put back together but for long term precaution
put back to a logic zero or ground to enable the output enable.
To use the eprom test clip adapter pull the locking wedge on the
test clip into the upper position. Seat the eprom test clip adapter
onto the eprom in the phone. Make sure to orient the dot and
beveled edge with each other. Push the locking wedge down to lock
the eprom test clip adapter onto the eprom in the phone. Hook up
the programing cable to the computer and plug into the jack on the
base of the phone. Also hook up the loose lead with a jumper to the
center terminal between the battery contacts. Turn power on green
light on phone display should come on then a complete display test
will light up after that the no service will blink along with the
signal level mark in corner of display. If the antenna is still on
the phone it could change to roam or something else. I suggest
remove the antenna so the cell site will not see you. If you do
not get a power on test with the display there are 3 possible
things (1) pin 25 on phone board is touching the test clip this
can be checked by looking with a volt meter at pin 25 where
resistor connects for 4 to 5 volts pos with reference to ground.
(2) Test clip is not sitting on chip good some times you have pull
the test clip up off of the eprom a 64th of an inch all the way
around. (3) there is corrupt data, Pull the eprom test clip off
Phone check to see if power on display is there.
Computer see if data or phone number or cell site code or data
whole is ok I've seen the cell site ID corrupt and the phone play
dead on the power on test. The test clip sometimes needs
maintenance look at the gold pins.
Make sure all the pins are level with the edge of it. If not take
an X-acto or pin and lightly bend them out so they are along the
edge of the plastic of the test clip.
Always check to see if eprom in phone contacts are clean before
putting test clip on. **Note when test clip is on phone - only
change the ESN only. *The other data phone number lock and so on
can be changed without the test clip and should be done so.
The software version in the test clip is 9148 you will see this in
the right corner of the computer. Sometimes the program will crash
during the ESN write this will put all zeros in the ESN field
check the test clip try again. Sometimes I've had to do this 3 or 4
times. Also watch the phone display for codes I've seen at the end
of a write the code (FO8) just before power down I've had no
problem there but during the key write (FO8) means I've crashed.
Also during the time when the program is counting back into the
phone I've had (F1O) show up in the display of the phone this
problem means the next time you may not get the power on display
test pull test clip read phone check data to see if cell site
code is corrupt or some other data correct try again. A word of
caution do not push on eprom on top of test clip as this could
seat eprom lower into adapter and cause bad contact. To remove
test clip pull locking wedge up to unlock the eprom test clip
adapter from the eprom in the phone. Continue pulling up to lift
the eprom test clip adapter from the eprom in the phone.
STRAIGHT FROM A CELLULAR ONE DEALER DUMPSTER!!! Date Dec 8, 1995
(appears EXACTLY like it is on the fax)
CAP code, which is the pager's ESN, can be found in 2 places:
1) The back of the pager (bar code)
For example:
1st number: 929.7125 = frequency
2nd number: 1234567 = CAP code
3rd number: 12345678 9s = Factory serial number
or
2) When the pager is off: press top button twice
and view CAP code, press a 3rd time and
view frequency
This fax didn't say what type of pager it is, so let me know when you try this
if it worked or not.
Subject: BRAVO pagers - undocumented test features
SELF TEST:
TO PUT UNIT INTO A SELF TEST TURN OFF PAGER. NOW HOLD DOWN THE
GRAY ARROW KEY AND BLACK LOCK KEY AT THE SAME TIME AND TURN ON
PAGER. THIS TELLS THE CPU IN PAGER TO GO INTO A SELF TEST. YOU WILL
GET A 2 SECOND LONG BEEP, RELEASE THE GRAY & BLACK BUTTON AND PUSH
THE GRAY BUTTON BEFORE THE 2 SECOND BEEP ENDS. IF YOU DID ALL THIS
IN TIME YOU WILL HAVE "SPL" OR "PAGING P?" AND NOT THE DOTTED LINE
YOU ARE USED TO SEEING WHEN YOU TURN ON PAGER . BY PRESSING THE
GRAY KEY IT WILL GO TO A DISPLAY TEST, PRESS AGAIN AND YOU WILL GET
THE PAGERS CAPCODE (CAPCODE IS THE UNIQUE SERIAL NUMBER WHICH THE
PAGING TRANSMITTERS TRANSMITS TO YOUR PAGER TO TURN ON YOUR PAGER
WHEN SOMEONE PAGES YOU). WAIT AND IN ABOUT 3 SECONDS IT WILL
DISPLAY YOUR SECOND CAPCODE (IF YOU HAVE ONE-MOST DON'T) PRESS THE
GRAY KEY AGAIN AND IT WILL CHECK CONTROLS, PRESS IT AGAIN AND IT
WILL TEST VIBRATOR FUNCTION (IF YOUR PAGER HAS IT). TURN OFF PAGER
AND TURN ON AGAIN TO DISABLE SELF TEST.
SPECIAL PROGRAMMED FEATURES:
TAKE OFF BATTERIES CLIP AND IN CENTER TOWARD THE FRONT OF
PAGER YOU WILL SEE A PRINTED CIRCUIT BOARD EDGE PINS (JUST LIKE THE
BACK SIDE OF A NINTENDO CARTRIDGE). THESE EDGE PINS ARE PLUGGED INTO A
CORE PROGRAMMER. THE PROGRAMMER CAN CHANGE:
CAPCODES: SEE ABOVE
AUTORESET TO MANUAL: YOUR PAGER IN AUTORESET WILL BEEP 8 TIMES
THEN STOP BEEPING. MANUAL RESET THE BEEPER WILL KEEP BEEPING TILL
THE COWS COME HOME OR YOU PUSH A BUTTON TO LOOK AT THE MESSAGE.
DISPLAY: ENGLISH PROMPTS OR INTERNATIONAL-SYMBOL SCREENS
DISPLAYED.
SILENT MODE CHIRP: FOR A SINGLE BEEP WHEN YOU'RE PAGED. NOT FOR
USE ON VIBRATOR PAGERS.
BEEP ON BAD DATA: YOUR PAGER HEARS ITS CAPCODE BUT RECEIVED
BAD DISPLAY MESSAGE, IT WILL PUT "EEE" ACROSS DISPLAY TO SHOW BAD
RECEIVE. IF THIS FEATURE IS NOT ENABLED AND YOU RECEIVE BAD DATA
YOUR PAGER WILL NOT BEEP AND YOU WILL HAVE NO IDEA SOMEONE TRIED TO
PAGE YOU.
******************************************************************
NOW LETS SAY YOU ARE UNHAPPY WITH YOUR PAGING COMPANY "A" BUT OWN
YOUR PAGER. YOUR $200.00+ PAGER IS TUNED TO THEIR FREQUENCY AND YOU
WANT TO GO TO ANOTHER PAGING COMPANY BUT NOT LOSE ALL THE MONEY YOU
SPENT FOR YOUR PAGER. THE ANSWER IS TO RE-CRYSTAL PAGER TO THE NEW
FREQUENCY OF COMPANY "B". BUT WE MUST ANSWER SOME QUESTIONS FIRST
TO SEE WHAT IT WILL COST.
1. WHAT IS YOUR PAGERS CODING FORMAT (POCSAG) OR (GSC)
THE EASY WAY TO TELL IS TO DO A SELF TEST AND READ
CAPCODE. IF IT'S 7 NUMBERS IT'S POCSAG. IF IT'S 6 NUMBERS
AND 1 LETTER IT'S GSC. IF YOUR PAGER DOES NOT MATCH THE
SAME CODING FORMAT AS COMPANY "B" IT WILL COST MORE THAN
IT'S WORTH TO CHANGE.
2. WHAT BAUD RATE IS YOUR PAGER WORKING AT ? DO SELF TEST AND
IF DISPLAY SHOWS PAGING P1 PAGER IS WORKING AT 1200 BAUD OTHERWISE
YOU ARE SAFE TO ASSUME 512 BAUD IT MUST MATCH COMPANY "B" BAUD RATE
TO BE WORTH YOUR TIME.
3. ARE YOU IN THE SAME FREQUENCY BAND 931 MHZ OR 450 MHZ ETC.
IF COMPANY "A" AND COMPANY "B" ARE NOT IN SAME BAND IT WILL TAKE A
NEW RECEIVER BOARD TO CONVERT PAGER AND COST TOO MUCH TO TRY.
IF ALL THE ANSWERS ABOVE SHOW YOU ARE COMPATIBLE YOU CAN CALL
COMPANY "B" AND TELL THEM YOU WANT TO DO BUSINESS WITH THEM AND
NEED A CAPCODE NUMBER SO YOU CAN GET PAGER RECRYSTALED AND HAVE A
CAPCODE PROGRAMMED AT THE SAME TIME.
NOW YOU CAN HAVE COMPANY "B" RECOMMEND A SHOP THAT WILL
RE-CRYSTAL PAGER OR LOOK UP ONE YOURSELF.
(sorry for the all caps, that was how I received it and I am lazy. -ML)
DISCLAIMER: I, Mike Larsen, accept NO responsibility for people using any
info within this text for fraudulent purposes. I did not intend for the info
to be used towards fraud or theft of services. The main reason I spent
hundreds of hours creating and compiling this information is because
programming fees are BULLSHIT and they know it.
Oh, by the way, I forgot to mention in the above disclaimer that I do
nothing fraudulent with MY fone. I pay a bill and everything and can prove
it. So will the "feds" or whoever the Internet gestapo is that's been sending
me mail about me being under their "watchful eye", please go for someone else
that's dealing child pornography or asking for WaReZ? Thanks.
The sole reason I compiled this info into book form is to let people
that are capable, work on their phone. I did not compile this for the sole
purpose of fraud. There is a company in Illinois called BIG BOYZ TOYZ who are
a bunch of complete FUCKZ who refused to give me my security code and/or
programing manual. Phrack published a tidbit about it a few issues back and
I figured if I was going to go through all the trouble of learning all of this,
I might as well let everybody share it. By the way, if you ever see a BIG
BOYZ TOYZ store, they charge WAY too much for everything and will go for list
price unless you know the going price.