STATION ID - 7047/3.12

9x Datakit Network                              FOR OFFICIAL USE ONLY

This is a 9x system, restricted to authorized persons and for official
9x business only. Anyone using this system, network or data is subject
to being monitored at any time for system administration and for
identifying unauthorized users or system misuse. Anyone using this
system expressly consents to such monitoring and is advised that any
evidence of criminal activity revealed through such monitoring may be
provided to law enforcement for prosecution.

darkfox's (dx's) guide to the Oki 900 - released by 9x in 96
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This is meant to be a complete guide to the Oki 900, the #1 phone for
H/P activities. They rule! :)

The Oki 900 is not a new fone. In fact, they have stopped making them,
but they are available used, and Oki will still sometimes repair yours
if you manage to blow it up. (just don't let them see the solder marks
inside.. hehe)

The Oki 900 has many cool functions, even without being modified. It
has all the standard stuff, like alpha-numeric memories, back-lit
display, and volume settings, and then has some unusual features, such
as an auto-answer system that can act like a beeper. People can call
it, and then leave their number, and it will be stored in your Oki.
The Oki also has a test mode, and a very nice debug mode. [see below]
The fone can be used as a scanner, so you can monitor cellular
conversations.

- TEST MODE -

The testmode on the fone can be used to test various things. You can
see what cellular channel you are currently using, and see your signal
strength in hex. To enter the testmode, power up the fone, and enter
the following:

    * T E S T M O D E #

You can then use the UP/DOWN volume buttons on the side of the fone to
go through a small menu.

- DEBUG MODE -

Here's how to use the debug mode from the keypad. Power the phone up.
Wait for PowerOn msg. Hit 7 and 9 together. Then hit Menu, Snd, End,
Rcl, Sto, Clr.
The phone will say "good timing" if you did it correctly. If you
failed, power off the fone, and try again. The debugger is now enabled,
but the phone works normally. Hit 1 and 3 together to halt the phone
and enter the debugger. Everything on the display lights up. Hit Clr,
Clr till you get the status display. Now you can execute the commands
listed below. For example, to reboot the phone enter #, 0, 2, Snd.

Commands all start with # and end with Snd. Some take arguments. You
can use #25 to display memory in EEPROM, and I think once in that
command you can hit # and * to go up and down in memory, Clr to exit.
Hex chars are entered as "*n", like *1=A, *2=B, etc.

Here is an almost complete command list:

SUSPEND      #01        Performs Initialization
RESTART      #02        Terminates the test mode
STATUS       #03        Shows current status of TRU
RESET        #04        Resets the autonomous timer
TURNAROUND   #05        ? Returns Data Bytes following command to the
                        Test Set.
INIT         #06        Initialize the TRU to following states:
                        Carrier Off, Attenuation - 0db,
                        Receive Audio Muted, Transmit Audio Muted,
                        Signaling tone off, Autonomous timer reset,
                        SAT off, and DTMF off
CARRIER ON   #07        Turns the carrier on
CARRIER OFF  #08        Turns the carrier off
LOAD SYNTH   #09XXXX    Sets the synthesizer to channel XXXX
SET ATTN     #10X       Set the RF power attenuation to X
                        0=0db, 7=-28 dB (in steps of -4db through 7)
RXMUTE       #11        Mutes the receive audio
RXUNMUTE     #12        Unmutes the receive audio
TXMUTE       #13        Mutes the transmit audio
TXUNMUTE     #14        Unmutes the transmit audio
RESETOFF     #15        Discontinues resetting of autonomous timer
STON         #16        Transmits a continuous signaling tone
STOFF        #17        Stops transmission of signaling tone
SETUP        #18        Transmits a 5 word RCC message
                        (fixed text pattern)
VOICE        #19        Transmits a 2 word (RCC) RVC message
                        (fixed test pattern)
RCVSU        #20        Receives a 2 word FCC message (cancel with 0x38)
RCVVC        #21        Receives a 1 word (FCC) FVC message
                        (cancel with 0x38)
SEND-NAM     #22        Returns the information contained in the NAM
VERSION      #23
SEND-SN      #24
MEM          #25XXXX    Displays the resident memory data at XX
                        00XX=in micro, XXXX=EEPROM
WSTS         #28        Count 1 word messages on CC, until TERMINATE
WSTV         #29        Count 1 word messages on VC, until TERMINATE
SATON        #32X       Enable the transmission of SAT X
                        0=5970 Hz, 1=6000 Hz, 2=6030 Hz
SATOFF       #33        Disables the transmission of SAT
CDATA        #34<60>    Transmits 5 word RCC message (30 bytes)
HITNON       #35        Activates the 1150Hz tone to receive audio line
HITNOFF      #36        Deactivates the 1150Hz tone
LOTNON       #37        Activates the 770Hz tone to receive audio line
LOTNOFF      #38        Deactivates the 770Hz tone
DTMFON       #42XX      Enable the transmission of DTMF frequency XX[2]
DTMFOFF      #43        Disable the transmission of DTMF
?            #44
?            #45
?            #46
?            #47
?            #48
?            #51
-            #52
?            #53
-            #54XXXXZZ  Write HEX (ZZ) into ADDRESS $XXXX
                        if 00XXZZ then store #$YY in MicroRAM $XX
-            #56        Return Value stored in $BEBB
?            #60
?            #62
?            #63
RCVSU        #64        Receives a 2 word FCC message
                        (duplicate of cmd #20)
COMP-ON      #65        Enable the compressor and expander
COMP-OFF     #66        Disable the compressor and expander
setvol       #67        X-Set volume (0-7) 0=max
SERIAL I/O   #683XX?    Mutes/Unmute Tx/Rx Audio Signal
                        Enable/Disable the Compressor/Expander,
                        XX=commanded states.

                        CMD   Compress  Tx Mute   Rx Mute
                        ---   --------  -------   -------
                        40    on        unmuted   unmuted
                        41    off       unmuted   unmuted
                        42    on        muted     unmuted
                        43    off       muted     unmuted
                        44    on        unmuted   muted
                        45    off       unmuted   muted
                        46    on        muted     muted
                        47    off       muted     muted

?            #72        [pulls something, outputs 1 word!?!]
?            #73        Scans channels,...
                        #73 XXXX xxxx YY
                        XXXX = Start channels scan
                        xxxx = End channels
                        yy   = Time
?            #74
-            #75        Enable Handsfree (disable spkr)
-            #76        Disable Handsfree (enable spkr)
-            #77        Turns on Loudspeaker near mic
-            #79
?            #80
?            #81
?            #84
?            #85

So... Let's say you wanted to monitor the calls on channel 100.

1. First, go into debug mode as described above.
2. Then hit #,1,2, SEND
3. Then #77 to make it louder (if you want, otherwise it is hard to
   hear).
4. Then press #,0,9, 100, SEND.
5. You are now listening to channel 100, press #09 (channel number),
   SEND to change channels.
- MODS -

There are many mods available for the Oki 900. The mods are modified
versions of the fone's firmware, in chip form. Some Okis have the
firmware soldered onto the board, some are socketed. If you are lucky,
yours is socketed, otherwise, I hope you are really good with a
soldering iron. :)

List Of Mods, and what they do:

4711    - a buggy mod, that supposedly let you enter up to 5 ESNs
          through the keyboard, and then toggle between them.
4712    - a cleaned up version of the 4711
4713    - ???
4714    - ???
4715    - Lets you enter up to 200+ through a cable connection, or up
          to 5 with the keypad. It will use each ESN only 3 times,
          then go to the next one. It makes it VERY hard to trace the
          fraud pattern.
Vampire - Chip that makes the Oki continually scan for ESN/MIN pairs,
          and then stores them. [this mod supposedly requires
          additional hardware mods. (EF filter?)]

- CTEK -

The Cellular Telephone Experimenters Kit, or CTEK for short, is made by
Network Wizards. It included both software for your PC, and a special
cable to interface with the Oki's proprietary data port.
Unfortunately, NW no longer has any more cables, so if you want one,
you'll have to find someone with an old CTEK, or someone that has
learned to make the cable. Making the cable yourself is not an easy
feat, as it contains microcontrollers and other assorted electronics.

With the CTEK, you can turn any Oki, modded or unmodded, into a
powerful scanning device that compares with high priced police
equipment. You can scan for a phone number, and then have the program
turn on the audio when that person makes a call, allowing you to tap
into your target's line. It doesn't allow you to receive ESNs though,
so if you're looking for a DDI, look elsewhere.

Conclusion
----------

That about covers the Oki 900. We've discussed the fone itself, the
testmode, the debug mode, mods available, and the CTEK. Now go
"acquire" one and have fun. :)

If you have any questions, look around on alt.cellular.oki.900,
alt.cellular-phone-tech, #cellular, and #9x.

Greetz go to all members of 9x.