******************************************************************************** * * * THE MOTOROLA BIBLE * * For all Cellular AND Pager Info * * * * MOTOROLA USERS AND PROGRAMMING GUIDES * * By Mike Larsen * * Ver. 2.0 ************ * * 12/23/95 * ******************************************************************************** Table of Contents: Section 1 Introduction 7 Phone Pin Outs 2 General User Info 8 Cable Specs 3 Programming Info 9 Channel Number vs. Frequency 4 Test Mode 10 Trik Clip 5 Hacking the FOVC 11 Pager Info 6 Reading the SID 12 Disclaimer I*N*T*R*O*D*U*C*T*I*O*N****************************************S*E*C*T*I*O*N***1 After much deliberation, I decided to include information about Motorola's pagers and their test mode commands. Since pagers aren't as much fun as cellular, along with the fact there isn't much to them, this information is very limited and somewhat brief. I would still like all information pertaing to all of Motorola's pagers sent to me so this file can stay current. GENERAL DISCLAIMER: This manual is not intended to be an aid in cellular fraud. That is both illegal and immoral. Would you like someone to make charges on your phone? If you want free calls, you want to check elsewhere for information pertaining to BOXES, which is NOT mentioned in the Motorola Bible. This manual is not intended for use by people with little electronics experience. This is not a tutorial and not intended to be used except by people with previous cellular experience and are familiar with programming cellular phones. There are tons of introductory files all over the net. For more info get into alt.cellular or alt.2600. If you have specific questions, those are the places to start. If you have any additions are corrections about this manual, please email me at: Mike.Larsen@bbs.uti.com Stularsenmic@vax.colsf.edu p.s. I hope to make this manual more international. However, the U.S. cellular system greatly differs from other countries and we are all ignorant here to what others are doing (but isn't that ALWAYS the way?). Any info on hacking the GSM system (at least being able to use different SIM cards in different phones). The term is 'SIM locked' and a friend needs to unlock his phone. Please Email ANY info about this. Send all related info about the new phones with caller ID - Manuals, instructions, bugs, etc. p.s.s. If anyone has ANY type of cellular monitoring software that is P.C. based (using a scanner and/or Motorola Bag phone) EMAIL me immediately! -------------------------------------------------------------------------------- ************************************************************ * CHECK OUT THE NEW HOME ON THE WEB OF THE MOTOROLA BIBLE! * ************************************************************ This is a kick-ass sight with general info (all phones), cable specs, software, and other cool stuff. All updates will be posted here first! http://www.primenet.com/~mtorola When you get there, send him Email and tell him you saw the site listed here in the Bible. G*E*N*E*R*A*L***U*S*E*R***I*N*F*O******************************S*E*C*T*I*O*N***2 Before going in to the programming of the cellular phone, it is important for the user to know the normal things necessary for day to day operation. While the majority of the stuff in the users manual is intended for people that have problems programming their VCR, their are a few things that are very important and are only mentioned in the users manual. Turn On: [Pwr] Place Call: Enter number, [Snd] Receive Call: [Snd] or open flip fone End Call: [End] or close flip fone Store Number: Phone number, [Sto], 2-digit location number Recall Number: [Rcl], 2-digit location number Super Speed Dialing: Directory location number, [Snd] Changing Entries: Press [Rcl] and the 2-digit location number so that the number to be changed is displayed. Press and release [Clr] to back out each of the digits. Enter a new number and press [Sto]. Call Number Displayed: [Snd] Microphone Muting: Press [Fcn], [6]. To unmute, press [Fcn], [6] Lock Unit: [Fcn], [5] or [LOCK] Unlock: Three digit unlock code. If you make an error, [Clr] and enter again. Automatic Lock: [FCN], [6] (not all phones) "EnAbLE" will appear if compatible. Display Unlock Code: Press [Fcn], [0], your six-digit security code, [Rcl]. Changing Your Unlock Code: Press [Fcn], [0], your six-digit security code, your NEW 3-digit unlock code, [Sto]. Review Battery Meter: Press [Fcn], [4] and release. Adjust Volume: Earpiece - Press and hold [Vol] to increase. Release, press again to decrease. Ringer - [Fcn], then Vol as above. Recall Last Number Used: [Rcl], [0], [0] Recall Own Phone Number: [Rcl], [#] Individual Call Timer: [Rcl], [#], [#] Resettable Call Timer: [Rcl], [#], [#], [#] Reset Resettable Call Timer: [Fcn], [0], [7], [Clr] Cumulative Call Timer: [Rcl], [#], [#], [#], [#] Access Features: Press [Fcn], [1]. To change features, press [*] and [#] to scroll and [Clr] to change. To exit feature menu, press [END]. Review/Scroll Menu Features: Press [*] or [#] Status Review: [Fcn], [0], [9], [Rcl], [#] or [*] scrolls messages. To end press [END]. Changing System Type: Press [Rcl], [*]. Repeatedly press [*] until the desired system type appears. To select press [Sto]. Outgoing Call Restrictions: Press [Fcn], [0], 6-digit security code, [1], [Sto]. Phone will place calls only from memory locations 1-10. To change back to unrestricted dialing press [Fcn], [0], 6-digit security code, [4], [Sto]. I would like to add that while I have extensively worked on finding additional test mode commands, I (nor anyone else) have never worked with the normal operation commands as listed above. For example, above you will notice sequences with [Fcn], [1] or [Fcn], [0], [7]. This is totally unexplored teritory. Happy hacking :) See entering test mode on the new 95xx phones. P*R*O*G*R*A*M*M*I*N*G***I*N*F*O********************************S*E*C*T*I*O*N***3 NOTES: Some units have dual NAM's. The ESN prefix is 130 decimal, 82 hex. Motorola: 1-800-331-6456 There are MANY different models of Motorola phones sold under various brand names, if you think it's a Motorola, it probably is. Determine which access sequence to use: HAND HELD PORTABLE MODELS If the phone has a FCN button and no MENU button use sequence 1. If the phone has no FCN button use sequence 2. If the phone has a MENU button and a FCN button use sequence 4. INSTALLED MOBILE PHONES AND TRANSPORTABLE MODELS If the phone has no FCN button and no RCL button use sequence 3. If the phone has a FCN button use sequence 4. If the phone has a MEM button use sequence 5. If the phone has a RCL button and no FCN button use sequence 6. SEQUENCE# ACCESS CODE 1 FCN (SECURITY CODE TWICE) RCL 2 STO # (SECURITY CODE TWICE) RCL 3 CTL 0 (SECURITY CODE TWICE) * 4 FCN 0 (SECURITY CODE TWICE) RCL 5 FCN 0 (SECURITY CODE TWICE) MEM 6 CTL 0 (SECURITY CODE TWICE) RCL The default security code is 000000. The CTL (control) button is the single black button on the side of the handset. NAM programing: 1. Turn the power on. 2. Within ten seconds enter the access sequence as determined above. 3. The phone should now show "01" in the left of the display, this is the first programing entry step number. If it does not the security code is incorrect, or the programing lock-out counter has been exceeded. In either case you can still program the unit by following the steps under TEST MODE PROGRAMING below. 4. The * key is used to increment each step: Each time you press * the display will increment from the step number, displayed on the left, to the data stored in that step, displayed on the right. When the data is displayed make any necessary changes and press * to increment to the next step number. 5. The SND key is used to complete and exit programing when any STEP NUMBER is displayed. If you have enabled the second phone number bit in step 10 below then pressing SND will switch to NAM 2. Steps 01 thru 06, 09 and 10 will repeat for NAM 2, the step number will be followed by a "2" to indicate NAM two. 5. The CLR key will revert the display to the previously stored data. 6. The # key will abort programing at any time. PROGRAMING DATA: STEP# #OF DIGITS/RANGE DESCRIPTION 01 00000 - 32767 SYSTEM ID 02 3 DIGITS AREA CODE 03 7 DIGITS TEL NUMBER 04 2 DIGITS STATION CLASS MARK 05 2 DIGITS ACCESS OVERLOAD CLASS 06 2 DIGITS GROUP ID (10 IN USA) 07 6 DIGITS SECURITY CODE 08 3 DIGITS LOCK CODE 09 0333 OR 0334 INITIAL PAGING CHANNEL 10 6 DIGIT BINARY OPTION PROGRAMING (SEE NOTE 1) 11 3 DIGIT BINARY OPTION PROGRAMING (SEE NOTE 2) NOTES: Take care with Motorola's use of "0" and "1". Some options use "0" to enable, some use "1". 1. This is a 6 digit binary field used to select the following options: Digit 1: Internal handset speaker, 0 to enable. Digit 2: Local Use Mark, 0 or 1. Digit 3: MIN Mark, 0 or 1. Digit 4: Auto Recall, always set to 1 (enabled). Digit 5: Second phone number (not all phones), 1 to enable. Digit 6: Diversity (Two antennas, not all phones), 1 to enable. 2. This is a 3 digit binary field used to select the following options: Digit 1: Continuous DTMF, 1 to enable. Digit 2: Transportable Ringer/Speaker, 0=Transducer, 1=Handset. Digit 3: 8 hour time out in transportable mode, 0 to enable. On newer models, they have added and changed some numbers. The numbers as of the 3/27/92 manual are as follows: 1. The 6 digit binary field is still the same. 2. The 3 digit binary field has become a 5 digit binary field. Digit 1: Failed Page Indicator 1=Disabled;0=Enabled Digit 2: Motorola Enhanced Scan 1=Enabled; 0=Disabled Digit 3: Long Tone DTMF 1=Enabled; 0=Disabled Digit 4: Transportable Internal Ringer Speaker 1=Handset; 0=Transdcr Digit 5: Eight Hour Timeout 1=Disabled;0=Enabled T*E*S*T***M*O*D*E**********************************************S*E*C*T*I*O*N***4 TEST MODE ACCESS: NEWER 95xx PHONES (Thank you Motorola!!!) Many newer phones don't require grounding. If your software version number is 9526 (I think) or newer, enter this: FCN + 0 + 0 + * + * + 8 3 7 8 6 6 3 3 + STO In case you have trouble remembering the number sequence, it spells out "TESTMODE." Leave it to Motorola to make this easier and easier all the time. I have used this and it does work. This command just backs up my claim even furthar that esn changing via handset is a reality. It's a matter of finding the correct combination of keys. Normal test mode commands work like usual from then on. For some odd reason, this hasn't been included in all the 95xx phones. I believe they started it in Software 9526. This is only an estimate, so if you have a 95xx flip, let me know what software version you have and whether it works or not so this date can be isolated. Mine is a 9562 that worked. INSTALLED MOBILE PHONES AND TRANSPORTABLE MODELS To enter test mode on units with software version 85 and higher you must short pins 20 and 21 of the transceiver data connector. An RS232 break out box is useful for this, or construct a test mode adaptor from standard Radio Shack parts. For MINI TR or Silver Mini Tac transceivers (smaller data connector) you can either short pins 9 and 14 or simply use a paper clip to short the hands free microphone connector. HAND HELD PORTABLE MODELS: There are two basic types of Motorola portable phones, the Micro-Tac series "Flip" phones, and the larger 8000 and Ultra Classic phones. Certain newer Motorola and Pioneer badged Micro-Tac phones do not have a "flip", but follow the same procedure as the Micro-Tac. 8000 & ULTRA CLASSIC SERIES: If you have an 8000 series phone determine the "type" before trying to enter test mode. On the back of the phone, or on the bottom in certain older models, locate the F09... number this is the series number. If the FOURTH digit of this number is a "D" you CAN NOT program the unit through test mode, a Motorola RTL4154/RTL4153 programer is required to make any changes to this unit. Having determined that you do not have a "D" series phone the following procedure is used to access test mode: Remove the battery from the phone and locate the 12 contacts at the top near the antenna connector. These contacts are numbered 1 through 12 from top left through bottom right. Pin 6, top right, is the Manual Test Mode Pin. You must ground this pin while powering up the phone. Pin 7 (lower left) or the antenna connector should be used for ground. Follow one of these procedures to gain access to pin 6: 1. The top section of the battery that covers the contacts contains nothing but air. By careful measuring you can drill a small hole in the battery to gain access to pin 6, alternately simply cut the top off the battery with a hack saw. Having gained access use a paper clip to short pin six to the antenna connector ground while powering up the phone. 2. If you do not want to "destroy" a battery you can apply an external 7.5 volts to the + and - connectors at the bottom of the phone, ground pin 6 while powering up the phone as above. 3. You can also try soldering or jamming a small jumper between pins 6 and 7 (top right to lower left), or between pin 6 and the antenna connector housing ground. Carefully replace the battery and power up the phone. Use caution with this method not to short out any other pin. 4. A cigarette lighter adaptor, if you have one, also makes a great test mode adaptor as it can be disassembled to give you easier access to pin 6. Many are pre marked, or even have holes in the right location. This is because they are often stamped from the same mold that the manufacturer uses for making hands free adaptor kits and these kits require access to the phone's connectors. ULTRA CLASSIC II SERIES: Ground Pin 2 to pin 4. MICRO-TAC "FLIP" SERIES: This phone follows similar methods as outlined for the 8000 series above. Remove the battery and locate the three contacts at the bottom of the phone, the two outer contacts are raised and connect with the battery. The center contact is recessed, this is the Manual Test Mode connector. Now look at the battery contacts, the two outer ones supply power to the phone, the center contact is an "extra" ground. This ground needs to be shorted to the test mode connector on the phone. The easiest way to do this is to put a small piece of solder wick, wire, aluminum foil or any other conductive material into the recess on the phone. Having done this carefully replace the battery and turn on the power, if you have been successful the phone will wake up in test mode. GENERAL NOTES: HANDSETS: Most Motorola handsets are interchangeable, when a handset is used with a transceiver other than the one it was designed for the display will show "LOANER". Some features and buttons may not work, for instance if the original handset did not have a RCL or STO button, and the replacement does, you will have to use the control * or control # sequence to access memory and A/B system select procedures. LOCK/UNLOCK PROCEDURES: Phones with "LOCK" buttons: Press lock for at least 1/2 a second. Phones with a "FCN" button: Press FCN 5, note that 5 has the letter's "J,K, and L" for lock. Phones with no FCN or LOCK button: Press Control 5, control is the black volume button on the side of the handset. SYSTEM SELECT PROCEDURES: Phones with a RCL button: Press RCL *, then * to select, STO to store. Phones with no RCL button: Press Control * then * to select, # to store. Options are: CSCAn: Preferred/Non preferred with system lockout. Std A/b, or Std b/A: Preferred/Non preferred. SCAn Ab, or SCAn bA: Non preferred/Preferred SCAn A: "A" ONLY SCAn b: "B" ONLY HOME: Home only (these are typical options, some phone's vary. C-Scan is only available on newer models and does not appear unless programed, see below.) -------------------------------------------------------------------------------- TEST MODE NOTE: Not all commands work on all telephones. If a command is not valid the display will show "ErrOr." Not all numbers have been assigned. Not all numbers have been listed here. Some commands were intended only for Motorola factory applications. (This is the disclaimer in the technical training manual. I have included all of the other commands I have discovered one way or another. Some that say no function do have a function but it is unknown until it is figured out.) Three test commands are significant for programming and registering the the telephone for service: see full descriptions under TEST MODE COMMANDS. 32# Clears the telephone. (Older Motorola allowed either three or fifteen changes in the MIN. After that, the phone had to be sent to Motorola to reset the counter. This is the command they use.) 38# Displays the ESN 55# This is the TEST MODE PROGRAMMING (as described below). TEST MODE COMMANDS: # Enter Test Command Mode 00# no function 01# Restart (Re-enter DC power start-up routine.) On TDMA telephones, this command has the same effect as pressing the PWR button. 02# Display Current Telephone Status (This is a non-altering version of the STATUS DISPLAY. On a 14 character display, all the information is shown. On a 7 character display only the information on the second line of a 14 character display is shown. On a 10 character display, all the information on the second line of a 14 charcter display plus the last three characters of the first line are shown.) STATUS DISPLAY, ALTERNATES BETWEEN: AAA BBB AAA = Channel Number (decimal) BBB = RSSI reading for channel CDEFGHI are as follows: C = SAT frequency (0=5970, 1=6000, 2=6030, 3=no channel lock) D = Carrier (0=off, 1=on) E = Signalling tone (0=off, 1=on) F = Power attenuation level (0 through 7) G = Channel mode (0=voice channel, 1=control channel) H = Receive audio mute (0=unmuted, 1=muted) I = Transmit audio mute (0=unmuted, 1=muted) Press * to hold display and # to end. 03# Reset Autonomous Timer. This command results in the reset of the autonomous timer but does not provide any test function on these models. 04# Initializes Telephone to Standard Default Conditions: Carrier Off, Power Level 0, Receiver Audio Muted, Transmit Audio Muted, Signalling Tone Off, SAT Off, Resetting of Watch-Dog Timer Enabled, DTMF and Audio Tones Off, Audio Path Set to Speaker 05# TX Carrier On (Key Transmitter) 06# TX Carrier Off 07# RX Audio Off (Mute Receiver Audio) 08# RX Audio On (Unmute Receiver Audio) 09# TX Audio Off 10# TX Audio On 11(Ch.No.)# Set Tranceiver to Channel xxxx (Receive and Transmit in Decimal; accepts 1, 2, 3, or 4 digits) see end of file for more info on this command 12x# Set Power Step to x; (0,1-7) 0=Maximum Power (3 Watts) 7=Minimum Power Out 13# Power Off (Shuts off the radio) 14# 10 kHz Signalling Tone On 15# 10 kHz Signalling Tone Off 16# Setup (Transmits a five word RECC message; each of the five words will be "FF00AA55CC33." Transmitter de-keys at the end of the message.) 17# Voice (Transmits a two word REVC message; each of the two words will be "FF00AA55CC33." Transmitter de-keys at the end of the message.) 18# C-Scan (Allows for entry of as many as 5 negative SID's for each NAM.) Newer Motorola phones are equipped with a feature called C-Scan, this is an option along with the standard A/B system selections. C-Scan allows the phone to be programed with up to five inhibited system ID's per NAM. This is designed to prevent the phone from roaming onto specified non-home systems and therefore reduce "accidental" roaming fees. 1. C-Scan can only be programed from test mode, power phone up with the relevant test mode contact grounded (see above). 2. Press # to access test mode. 3. Press 18#, the phone will display "0 40000". 4. Enter the first inhibited system ID and press *. Continue to enter additional system ID's if required. After the 5th entry the phone will display "N2". Press * to continue and add system ID's for NAM 2 as required. 5. If an incorrect entry is made (outside the range of 00000-32767) the display will not advance, press CLR and re-enter. Use a setting of 40000 for any un-needed locations. 6. When the last entry has been made press * to store and press # to exit, turn off power. or [**Phones without the C-Scan option used this command to SEND NAM.**] 18# SEND NAM. Display shows AA BB. Where AA=Address and BB=Data. Displays the contents of the NAM, one address at a time, advanced by pressing the * key. The following data is contained in NAM. The test is exited by depressing the # key. SIDH Sec. Code OPT. (1,2,&3) MIN MIN1, MIN2 FCHNA SCM FCHNB IPCH NDED ACCOLC CHKSUM GIM 19# Display Software Version Number (4 digits displayed as year and week) NOTE: Entering commands 20# through 23# or 27# causes the tranceiver to begin a counting sequence or continous transmission as described below. In order to exit from the commands to enter another test command, the # key must be depressed; all other key depressions are ignored. 20# Receive control channel messages counting correctable and uncorrectable errors. When the command starts, the number of the command will be displayed in the upper-right corner of the display. Entering a # key will terminate the command and display two three-digit numbers in the display. The first number is the number of correctable errors and the second is the uncorrectable errors. 21# Received voice channel messages counting correctable and uncorrectable errors. When the command starts, the number of the command will be displayed in the upper right-hand corner of the display. Entering a # key terminates the command and will display two three-digit numbers in display. The first is the number of correctable errors and the second is the uncorrectable errors. 22# Receive control channel messages counting word sync sequence. When the command starts, the number of the command will be displayed in the upper right-hand corner of the display. Entering a # key will terminate the command and display the number of word sync sequences in the display. 23# Receive voice channel messages counting word sync sequences. When the command starts, the number of the command will be displayed in the upper right-hand corner of the display. Entering a # key will terminate the command and display the number of word sync sequences in the display. 24# Receive control channel data and display the majority voted busy/idle bit. 0=idle 1=busy 25x# SAT On When x=0, SAT=5970HZ x=1, SAT=6000HZ x=2, SAT=6030HZ 26# SAT Off 27# Transmit Data (Transmits continuous control channel data. All words will be "FF00AA55CC33." When the command starts, '27' will be displayed in the right side of the display. Entering a # key will terminate the command. The transmitter de-keys when finished.) 28# Activate the high tone (1150 Hz +/- 55 Hz) 29# De-activate the high tone 30# Activate the low tone (770 Hz +/- 40 Hz) 31# De-activate the low tone 32# Clear (Sets non-volatile memory to zeroes or factory default. This command will affect all counters, all repertory memory including the last number called stack, and all user programmable features including the setting of System Registration. It does not affect the ESN, NAM, phasing data, or lock code. This takes a minute or so. DO NOT TURN OFF THE TELEPHONE WHILE THIS IS SHOWING '32' ON THE DISPLAY. WAIT UNTIL THE NORMAL SERVICE LEVEL DISPLAY RESUMES!) 33x# Turn on DTMF for x (1-9, *, 0, #, plus the single tones) Where x=1 697 Hz + 1209 Hz 14 1150 HZ (not used in cellular) 2 697 Hz + 1336 Hz 15 1209 Hz 3 697 Hz + 1477 Hz 16 1336 Hz 4 770 Hz + 1209 Hz 17 1477 Hz 5 770 Hz + 1336 Hz 18 1633 Hz (not used in cellular) 6 770 Hz + 1477 Hz 19 Turn DTMF off 7 852 Hz + 1209 Hz 20 2087 Hz 8 852 Hz + 1336 Hz 21 2308 Hz 9 852 Hz + 1477 Hz 22 2553 Hz (not used in cellular) * 941 Hz + 1209 Hz 23 Turn DTMF off 0 941 Hz + 1336 Hz 24 3428 Hz (not used in cellular) # 941 Hz + 1477 Hz 25 3636 Hz (not used in cellular) 10 697 Hz 26 4000 Hz (not used in cellular) 11 770 Hz 27 3555 Hz (not used in cellular) 12 852 Hz 28 4571 Hz (not used in cellular) 13 941 Hz 29 Turn DTMF off Someone Please Check Out 24 thru 28 for accuracy. I had weak equipment. 34# Turn DTMF Off 35# Display RSSI ("D" Series Portable Only) or 35x# Set Audio Path to x x=0, V.S.P Microphone (Applies to mobiles only.) x=1, Speaker x=2, Alert x=3, Handset x=4, Mute x=5, External Telephone (Applies to Portables Only) x=6, External Handset (Applies to NEWER Portables) 36nnn# Scan (TDMA Telephones only. Scans the primary control channels and attempts to decipher the forward data stream. The display will show PASS1 if the strongest control channel was accessed, PASS2 if the second strongest was accessed, and FAIL if no control channel could be accessed.) (nnn=Scan speed in milliseconds). Tunes from channel 1 to 666 in order. Entering a * pauses the scan and displays current Channel Number and RSSI reading (AAA=Channel Number and BBB=RSSI Reading). When scan speed is 300 milliseconds or greater, the current status is displayed during the scan; when less than 300 milliseconds the status is displayed only during pause. Entering * during a pause causes the scan to resume. Entering # aborts the scan and leaves the mobile tuned to the current channel. During this command only the * and # keys are recognized. 37# Sets Low Battery Threshold. Usage: #37#x# where x is any number from 1 to 255. If set to 1, the Low Battery indicator will come up when the phone is powered on. If set to 255, it may never come up. 38# Display ESN (Displays ESN in four steps, two hexadecimal digits at a time in a for digit display. The decimal shows the address, 00 through 03 as the first two digits, and two digits of the ESN as the last two digits. Use the 'G' to step through the entire hexadecimal ESN.) Compander OFF ("D" Series Portables) or 38# SND-SNM. Display shows AA BB. Where AA=Address;BB=Data. Send the SNM to the display. All 32 bytes of the SNM will be displayed, one byte at a time. The byte address will be displayed in the upper right-hand corner and the contents of that address will be displayed in the hex. The * key is used to step through the address similar to the SEND-NAM (18#) command. 39# Compander ON ("D" Series Portables) or 39# RCVSU. Receive one control channel word. When the word is received it is displayed in hex. This command will be complete when a control channel word is received or when the # key is entered to abort the command. 40# RCVVC. Receive one voice channel word. When the word is received it is displayed in hex. This command will be complete when a voice channel word is received or when the # key is entered to abort the command. 41# Enables Diversity (On F19CTA... Series only.) 42# Disables Diversity (On F19CTA... Series only.) 43# Disable Diversity USE T/R ANTENNA (On F19CTA... Series only.) USE R ANTENNA (On D.M.T./ Mini TAC) 44# Disable Diversity USE R ANTENNA (On F19CTA... Series only.) USE T/R ANTENNA (On D.M.T./ Mini TAC) 45# Display Current Receive Signal Strength Indicator (Dislpayed as a 3 digit decimal number) The strongest signal I have ever received was 179 and I was sitting directly below the tower WITHOUT an external antenna. 46# Display Cumulative Call Timer 47x# Set RX Audio level to X (For F19CTA ...Series Tranceivers) X=0, Lowest Volume X=6, Highest Volume X=7, mute Normal setting is 4. (For D.M.T./ Mini TAC Tranceivers) X=0, Lowest Volume X=7, Highest Volume Normal setting is 4. (For TDMA Tranceivers and F09F... Series and Higher Portables) X=0, Lowest Volume X=15, Highest Volume Normal setting is 2 to 4. (On TDMA Tranceivers and Micro TAC portables, settings 8 through 15 are for DTMF applications only.) 48# Side Tone On. Use this command in conjunction with 350# to test the entire audio path in hands-free applications. 49# Side Tone Off 50# Maintenance data is transmitted and test results displayed: PASS=received data is correct FAIL 1=2second timeout, no data rec. FAIL 2=received data is incorrect 51# Test of mobile where maintenance data is transmitted and looped back. Display is as follows: PASS=looped-back data is correct FAIL 1=2 second timeout, no looped-back data FAIL 2=looped-back data is incorrect 52x# SAT Phase Adjustment. A decimal value that corresponds to phase shift compensation in 4.5 degree increments. Compensation added to inherent phase shift in tranceiver to achieve a total of 0 degrees phase shift. Do NOT enter any values except those shown below. 0 degrees = 0 121.5 degrees = 59 243.0 degrees = 86 4.5 = 1 126.0 = 60 247.5 = 87 9.0 = 2 130.5 = 61 252.0 = 112 13.5 = 3 135.0 = 62 256.5 = 113 18.0 = 4 139.5 = 63 261.0 = 114 22.5 = 5 144.0 = 40 265.5 = 115 27.0 = 6 148.5 = 41 270.0 = 116 31.5 = 7 153.0 = 42 274.5 = 117 36.0 = 16 157.5 = 43 279.0 = 118 40.5 = 17 162.0 = 44 283.5 = 119 45.0 = 18 166.5 = 45 288.0 = 120 49.5 = 19 171.0 = 46 292.5 = 121 54.0 = 20 175.5 = 47 297.0 = 122 58.5 = 21 180.0 = 64 301.5 = 123 63.0 = 22 184.5 = 65 306.0 = 124 67.5 = 23 189.0 = 66 310.5 = 125 72.0 = 48 193.5 = 67 315.0 = 126 76.5 = 49 198.0 = 68 319.5 = 127 81.0 = 50 202.5 = 69 324.0 = 104 85.5 = 51 207.0 = 70 328.5 = 105 90.0 = 52 211.5 = 71 333.0 = 106 94.5 = 53 216.0 = 80 337.5 = 107 99.0 = 54 220.5 = 81 342.0 = 108 103.5 = 55 225.0 = 82 346.5 = 109 108.0 = 56 229.5 = 83 351.0 = 110 112.5 = 57 234.0 = 84 355.5 = 111 117.0 = 58 238.5 = 85 360.0 = 70 53# Enable scrambler option, when equipped. 54# Disable scrambler option, when equipped. 55# Display/Program N.A.M. (Test Mode Programming) TEST MODE PROGRAMING: The following steps are for software version 9308 and older. If you have a newer phone they will most likely be different. The newer phones with Caller ID are for sure. SEND ME THE NEW PROGRAMMING STEPS SO I CAN UPDATE THESE!!! I don't want to hear that they were wrong unless there are corrected steps following!!! Assuming you have completed one of the above steps correctly the phone will wake up in test mode when you turn the power on. When you first access test mode the phone's display will alternate between various status information that includes the received signal strength and channel number. The phone will operate normally in this mode. You can now access Service Mode by pressing the # key, the display will clear and a ' will appear. Use the following procedure to program the phone: 1. Enter 55# to access programing mode. 2. The * key advances to the next step. (NOTE that test mode programing does NOT have step numbers, each time you press the * key the phone will display the next data entry). 3. The CLR key will revert the display to the previously stored data. 4. The # key aborts programing at any time. 5. To complete programing you must scroll through ALL entries until a ' appears in the display. 6. Note that some entries contain more digits than can be displayed by the phone, in this case only the last part of the data can be seen. TEST MODE PROGRAMING DATA: For AMPS and NAMPS Cellular Telephones STEP# #OF DIGITS/RANGE DESCRIPTION 01 00000 - 32767 SYSTEM ID 02 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 1 BELOW 03 10 DIGITS MIN (AREA CODE & TEL#) 04 2 DIGITS STATION CLASS MARK, SEE NOTE 2 BELOW 05 2 DIGITS ACCESS OVERLOAD CLASS 06 2 DIGITS GROUP ID (10 IN USA) 07 6 DIGITS SECURITY CODE 08 3 DIGITS LOCK CODE 09 3 DIGITS SERVICE LEVEL, SEE NOTE 3 BELOW 10 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 4 BELOW 11 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 5 BELOW 12 0333 OR 0334 INITIAL PAGING CHANNEL 13 0333 "A" SYSTEM IPCH 14 0334 "B" SYSTEM IPCH 15 3 DIGIT NUMBER PAGING CHANNEL (021 IN USA) 16 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 6 BELOW Steps 01 through 06 and 12 will repeat for NAM 2 if the second phone number bit has been enabled in step 11. TEST MODE PROGRAMING DATA: For TDMA Cellular Telephones STEP# #OF DIGITS/RANGE DESCRIPTION 01 00000 - 32767 SYSTEM ID 02 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 1 BELOW 03 10 DIGITS MIN (AREA CODE & TEL#) 04 2 DIGITS STATION CLASS MARK, SEE NOTE 2 BELOW 05 2 DIGITS ACCESS OVERLOAD CLASS 06 2 DIGITS GROUP ID (10 IN USA) 07 6 DIGITS SECURITY CODE 08 3 DIGITS LOCK CODE 09 3 DIGITS SERVICE LEVEL, SEE NOTE 3 BELOW 10 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 4 BELOW 11 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 5 BELOW 12 0333 OR 0334 INITIAL PAGING CHANNEL 13 0333 "A" SYSTEM IPCH 14 0334 "B" SYSTEM IPCH 15 3 DIGITS DEDICATED PAGING CHANNELS (021 IN USA) 16 3 DIGITS SECONDARY INITIAL PAGING CHANNEL. 708 for system A, 737 for system B. Allows the TDMA telephone to be assigned to a TDMA channel in a call 17 708 SECONDARY INITIAL PAGING CHANNEL FOR SYSTEM A 18 737 SECONDARY INITIAL PAGING CHANNEL FOR SYSTEM B 19 8 DIGITS OPTION PROGRAMMING, SEE NOTE 6 BELOW NOTES: Take care with Motorola's use of "0" and "1". Some options use "0" to enable, some use "1". These are eight digit binary fields used to select the following options: 1. (step 02 above, suggested entry is: 11101001 for "A" system, 10101001 for "B" sys) Digit 1: Local use mark, 0 or 1. Digit 2: Preferred system, 1=system A, 0=system B. Digit 3: End to end (DTMF) dialing, 1 to enable. Digit 4: Not used, enter 0. Formerly used for test mobile. Digit 5: Repertory (speed) dialing, 1 to enable. (Not used in TDMA) Digit 6: Auxiliary (horn) alert, 1 to enable. Digit 7: Hands free (VSP) auto mute, 1 to enable (mutes outgoing hands free audio until the MUTE key is pressed). (Not used in TDMA) Digit 8: Min mark, 1. NOT CHANGEABLE. 2. Station Class Mark SCM | 666 or 832 Ch. | VOX | Max Power -----+----------------+-----+----------- 00 | 666 | N | 3.0 W 01 | 666 | N | 1.2 W 02 | 666 | N | 0.6 W 03 | | | 04 | 666 | Y | 3.0 W 05 | 666 | Y | 1.2 W 06 | 666 | Y | 0.6 W 07 | | | 08 | 832 | N | 3.0 W 09 | 832 | N | 1.2 W 10 | 832 | N | 0.6 W 11 | | | 12 | 832 | Y | 3.0 W 13 | 832 | Y | 1.2 W 14 | 832 | Y | 0.6 W 15 | | | 3. Service Level Codes: 001 The telephone will only dial numbers in memory locations 01, 02 and 03. No keypad entries or memory storage is possible. Restrict ALL outgoing calls by clearing locations 01, 02, and 03 and place the phone in servicing level 001. In some phones this applies to memory locations 01 - 10. 002 The telephone will dial only numbers from memory locations. The keypad is disabled and super speed dialing is not enabled. 003 Keypad dial only; no memory recall allowed. 004 Unlimited keypad and memory dialing. (DEFAULT) 005 Seven-digit dialing only 006 Full keypad and memory dialing, but memory locations 1 through 10 cannot be changed. 007 The phone will dial only from as many as 50 programmable memory locations 4. (step 10 above, suggested entry is: 00000100) Digits 1 - 3: Not used in USA, enter 0. Digit 4: Extended Field. When enabled, the telephone will scan more than 32 paging channels. Not used in USA, 0 to disable Digit 5: Single system scan, 1 to enable (scan A or B system only, determined by bit 2 of step 02. Set to "0" to allow user the option). Digit 6: Super speed dial, 1 to enable (pressing N, or NN SND will dial the number stored in memory location NN). Digit 7: User selectable service level, 0 to enable (allows user to set long distance/memory access dialing restrictions). Digit 8: Lock function, 0 to enable (allows user to lock/un-lock the phone, if this is set to 1 the phone can not be locked). 5. (step 11 above, suggested entry is: 00000000) Digit 1: Handset programing, 0 to enable (allows access to programing mode without having to enter test mode). Digit 2: Second phone number (not all phones), 1 to enable. Digit 3: Call timer access, 0 to enable. (Not used in TDMA) Digit 4: Auto system busy redial, 0 to enable. Digit 5: Internal Speaker disable, 1 to enable (use with select VSP units only, do not use with 2000 series mobiles). Digit 6: IMTS/Cellular, 1 to enable (rarely used). Digit 7: User selectable system registration, 0 to enable. Digit 8: Dual antenna (diversity), 1 to enable. 6. (step 16 and 19 above, suggested entry is: 0011010 for portable and 0011011 for mobile units) Digit 1: Enhanced Scan, when enabled, four strongest signalling channels are scanned insted of two. 1=enabled, 0-disabled. Digit 2: Cellular Connection, used only in series II phones if a series I cellular connection is used with a series II. 0=series II, 1=series I, 0 for ALL TDMA PHONES Digit 3: Continuous DTMF, 1 to enable (software version 8735 and later) Digit 4: Transportable Internal Ringer/Speaker. When set to 0, audio is routed to the external speaker of the transportable; 1 routes it to the handset. Digit 5: 8 hour time-out, 0 to enable (software version 8735 and later) Digit 6: Not used, 0 only. Digit 7: Failed page indicator, 0 to enable (phone beeps when an incoming call is detected but signal conditions prevent completion of the call). Digit 8: Portable scan, 0 for portable, 1 for mobile units. 56# Illumination Diagnostic. Lights up all lights (except the green in use light) and displays all "8"'s. The phone is also muted until repowered. 57x# Call Processing Mode x=0, AMPS x=1, NAMPS x=2-4, RESERVED x=5, TDMA signalling x=6, TDMA signalling with loopback before decoding x=7, TDMA signalling with loopback voice after decoding x=8, TDMA signalling with loopback FACCH after decoding x=9, TDMA forced synchronization 58# Compander On (Audio compressor and expander) (See 39#) 59# Compander Off (Audio compressor and expander) (See 38#) 60# no function 61# ESN Transfer (For Series I D.M.T./Mini TAC only) 62# Turn On Ringer Audio Path 63# Turn Off Ringer Audio Path 64# ? Does something, doesn't display anything 65# ? Does something, doesn't display anything 66# Identity Transfer (Series II Trancvrs and some Current Shipping Portables) 67# Displays two 3 digit numbers. If you keep entering this command repeatedly, the first number will constantly change, the second won't (as far as I have seen). 68# Diaplay FLEX and Model Information 69# Used with Identity Transfer 70# Abbreviated field transmitter audio deviation command, for tranceivers with FCC ID ABZ89FT5668. 71# Abbreviated field power adjustment command, for tranceivers with FCC ID ABZ89FT5668. 72# Field audio phasing commands. The left side of the display should read "00" followed by a two digit number. The "00" indicates the first programming step. If you press the *, the 00 changes to 01 and so on until 08. The "06" and "0A" are used to change the audio level (to change: press the volume up or down keys). Other registers...don't know. 73# Field power adjustment command. 74#-99# no function NOTES: As new fones come out, more commands are added/deleted as needed. The majority of these commands were figured using VERY old software versions. Some commands won't work on some phones. If you find a command that does something, please inform me as well as the software version number of the phone it was discovered on. -------------------------------------------------------------------------------- * NEW SECTION * COMMANDS THAT DO SOMETHING BUT I DON'T KNOW WHAT!!! 74# 75# 76# 77# 78# 80# 99# If you have any insight to these commands or if you have any more to add to the list, please email me promptly. Thank you. H*A*C*K*I*N*G***T*H*E***F*O*V*C********************************S*E*C*T*I*O*N***5 Note: This is NOT my hack. Thanks to Patrk@delphi.com for this addition. HACKING THE FOVC Problem: When listening to something interesting (a conversation), just when that sexy sounding horny broad begins to give her phone number to some lucky guy, HANDOFF!!! then static... DAMN! Trick: Hack the FOVC. a quick definition: FOVC = FOward Voice Channel FOCC = FOward Control Channel REVC = REverse Voice Channel RECC = REverse Control Channel As the phone travels through cells, the FOVC is where the tower tells the phone to adjust power levels for the current cell or to change to a new channel for use in the new cell. This info can be hacked apart. So. When you've found a good conversation, don't be lazy! Enter 40#! This makes the phone listen for commands on the voice channel (embedded in the audio portion- you can hear it as a "bump" sound). It will just sit there and the display will read '40' , but the conversation will still be audible. Now when the phone receives a FOVC command (a 40 bit sequence) data will flow across the display, in hex format, and stop. Listen to the phone, if the conversation is still there, then the command was only to adjust power levels. If the conversation is gone, then its a handoff. If you only got a power adjustment command just press # or clr, which ever gets you back to the ' prompt. Enter 40# and keep listening. You can also use the # key to cancel the 40# command, if you want to change channels or something. If it was a handoff, its time for some quick math. You have to convert some of the numbers to binary, and then to decimal. I don't know how many characters your phone's display will show. Mine only shows the last seven of the ten hex digits. Count left from the end 6 digits. Write down that digit and the next two on a piece of paper, ie: ???j16djjj j=junk numbers (hex numbers range from 0-9,a-f) / \ these are lost due to scrolling write down 16d then convert it to a binary string: 1 = 0001 6 = 0110 d = 1101 (d=13) now you have a binary string like this: 000101101101 throw away the first 2 bits and get: 0101101101 convert this to decimal and get: 365 365 is the new channel the conversation has moved to! Enter 110365# and voila! You too, can hear the horny babe's phone number! Don't forget to enter 40# again, as the call may be moving quickly through cells ( small cells or freeway driving ) or the call can get bounced around by the tower for cell traffic purposes. Here's one more example of the hex>binary>decimal conversion. ???j5aejjj 5 = 0101 a = 1010 e = 1110 full string = 010110101110 truncate 2 msb = 0110101110 convert to decimal = 430 R*E*A*D*I*N*G***T*H*E***S*I*D**********************************S*E*C*T*I*O*N***6 READING THE SID by Doctor Who The SID (System IDentification) of a control channel can be determined using the test mode of the Motorola cellular phone. This document assumes the reader understands celllular technology in general, and how to access Motorola's test mode in specific. Tune the phone to the desired control channel with 11xxxx# where xxxx is the channel number. Hit 39# to receive one control channel word. One shoulld appear in less than two seconds, filling up all ten digits on the display with hexadecimal digits. Do this repeatedly until one is found with the correct pattern. Digit places start at the left hand side and go to the right. The first digit should be C,D,E, or F. This letter can be used to determine the DCC/SAT of the cell. A "C" is SAT 0, D is 1, E is 2, and F is 3. Ignore digits 8,9, and 10. They are parity bytes. Digit 7 should be "6" or "E", though I have never found it to be other than "E". The hexadecimal value of represented by digits 2 through 5 is then divided by two, and then 1 added if the carrier as an "A" side, "non-wireline" carrier. The result is the system ID. for example: E00388EA08 E means this cell has an SAT/DCC of 3. The A08 is ignored. The E to the left of it is proper and normal, so this is the right kind of message. Ignore the 8 in position 6, that is just to the left E. 0038 in hexadecimal translates ((3*16=48)+8) to 56. 56/2=28. Looking up System ID 28 on my chart indicates Nynex in Boston. This is correct. Please be aware that the two SID charts I have seen around the net are very outdated. I have a more recent version on paper which I may eventually type in, when I have the time and energy. The methods used above are only a very crude way to do what could be done much more efficiently by computer. I am sure that programs will be written to do exactly this, but I am holding off until I have thoroughly hacked the meaning of all these types of message before writing such a program. I am also contemplating the design of a cable to replace the handset, running from the 25 pin connector on the side of my bag phone to a computer. ---------=?> Doctor Who To phone 13(--------)6 --------= 5 = 18-25(-+------)8 --------= | 6 = | +-)7 --------= | | 7* = | | --------= | | 8* = NeG PoS ---Cig adapter --------= DB25 Male Phone Power Connector (see Note 1) 1-To phone pin 4 1-DB25 pin 4(see note 2) Gnd-To Db25 Pins 18-25 and 2-To Phone test lead 2-NC Phone pin 8 (see note 2) 3-NC 3-NC Tip-To phone pin 7 4-To phone pin 1 4-To DB25 pin 1 (see note 2) 5-NC 5-To DB25 pin 12 6-NC 6-To DB25 pin 13 7-NC 7-To tip on power connector 8-NC 8-GND 9-NC Test Lead-To DB25 pin 2 (See note 2) 10-NC 11-NC 12-To Phone pin 5 13-To Phone pin 6 14-NC 15-NC 16-NC 17-NC 18-GND \ 19-GND | 20-GND | 21-GND |--Conn together to GND on 12v conn 22-GND | And pin 8 on phone plug 23-GND | 24-GND | 25-GND / NOTE 1: The power adapter on the cable is 12 volt input but is a regulated 7.95 volts out. DO NOT connect 12 volts between pins 7 and 8 on the phone connector. NOTE 2: | /| DB25 Pin 4-----| < |------Phone pin 1 | \| | /| DB25 Pin 2-----| < |------Phone test lead | \| -------------------------------------------------------------------------------- Motorol Transcievers _____________________ 4500x,4800x,6800x,Etc. ______________________ Female 25 Pin Male 25 Pin D-Connector D-connector To transciever To P.C.Parallel Port Pin Pin 1._____________________________________ 4. 2._____________________________________ 18. ___10k______ 13. / ______4+5._______________________/____10K______ 12. | 12.____________________________________/ | 11._____________________________________ 13. | 18._____________________________________ 1. | 21._____________________________________ 2. | ___14+17+20+23.____________________________ 18. | | | |___ -ve | |________ +ve 9 Volt Motorola 8500x 8800x(early type) ________________________________ 25 Pin D-plug(P.C.lpt1) Phone Back(battery removed) Pin Diode,s [] [] [] [] [] [] 3.--orange-|<1n4001---------------------/ / / 4.--blue---|<1n4001----------------------------/ / 2.--red----|<1n4001---------------------------------------/ 19.-------------\ 20.-----------\ | [] [] [] [] [] [] 18.--black----+-+------------/ / / / 13.--yellow-----------------------/ / / 12.--brown------------------------------------/ / 1.--grey-------------------------------------------/ [] [] -8 to -12V. +8 to =12V. NOTE Diode protocol: Kathode---|