The following file is a verbatim transcript of an article by the same name appearing in the December, 1992 issue of NUTS & VOLTS Magazine. Copyright (c) 1992 Damien Thorn and T & L Publications. Permission is granted to freely distribute this file in unmodified form. Identifying board headers may be added as desired.

CELLULAR TELEPHONE PROGRAMMING
Focusing on Fundamentals
By Damien Thorn

The ever-increasing use of cellular telephones has created a market for people with the skills to install and program them. Installation is no more difficult than installing a CB radio, and programming is accomplished by entering data via the keypad on the phone. Whether you want to completely reprogram a new or used phone, or simply change your unlock code, there is no reason to pay a dealer to do it when you can do it yourself in a matter of minutes.

In the early days of cellular technology, an external device such as a "programming handset" or ROM programmer was required to "burn" the mobile telephone number and service information into the phone. Today's cellular phones incorporate resident software that allows you to key in the required information on the phone itself. When you are finished and satisfied you've entered the correct data, the phone burns it to non-volatile memory with the push of a button.

To understand why the simple process of programming a cellular phone seems to be an industry secret, you need to understand that it is a lucrative service offered by cellular dealers. There is no profit to be made selling the phone hardware. Most dealers sell at close to cost just to remain competitive. The real profits are derived from commissions received from the cellular carriers (service providers) for getting customers to sign up with them. Due to the widespread use of surface mount technology within the phone, service centers almost always return them to the manufacturer for repair.
Fortunately for these dealers, most service problems are external, involving the antenna, connectors, cables or a need for reprogramming. These are all relatively simple matters that can quickly be diagnosed and repaired in the shop, thus generating income. Aside from the Federal and State regulations governing the sales and service of cellular equipment (because it is a transmitter), only basic electronics skills and minimal equipment are required to begin such a business.

INTRODUCTION TO CELLULAR PROGRAMMING

The purpose of this article is to present the fundamentals of cellular programming. I've also included brief reviews and sources of publications that are essential to anyone interested in pursuing cellular programming as a hobby or profession. The basic principles of programming are the same from phone to phone. Each manufacturer (or model), however, has a unique sequence of keystrokes to access the programming mode, as well as a few other programming quirks. If you plan to work with more than one brand of phone, a publication containing programming tables (or "templates") is a must.

The phone used for this article is a common Motorola transportable "bag phone." One reason for selecting this phone is because I own one. The other is because Motorola is the most prolific manufacturer of cellular phones. Also, the "universal" Motorola programming instruction set used here as an example applies to most of their phones as presented herein. Not only do they make gear bearing the Motorola brand name, they custom manufacture phones for a variety of other vendors. Some examples include the brand names Ambassador, America Series, Dynasty, Modar, Nautilus, Pulsar, Tracer, Blaupunkt, Nissan Infiniti, Toyota LEXUS, and models for AUDI and Ford.

PRELUDE TO PROGRAMMING

Before you even begin to program a phone, you need to obtain the required data. If you just want to change your unlock code, then you need to make up a convenient three-digit number.
Activating service on a used phone requires you to obtain certain information from the cellular carrier providing you with service. Here is a description of the data you will need:

01) System Identification Number (SID): A five digit number that has been assigned to identify the particular cellular carrier from whom you are obtaining service. This number identifies your "home" system.

02) Area Code of Mobile Identification Number (MIN): Simply the area code of your cellular telephone number. MIN is the "official" term for the phone number assigned to you by the cellular company.

03) Mobile Identification Number (MIN): The MIN is the actual seven digit cellular telephone number assigned by the cellular carrier exclusively to your phone.

04) Station Class Mark (SCM): A two-digit number that identifies certain capabilities of your phone. How the cellular network handles your call is based on these digits. The SCM tells the system whether your phone transmits at standard power levels or low power levels, and whether it can utilize the full 832 channels or only the original 666 frequencies. The last attribute identified is whether your phone employs voice-activated transmission (VOX). A phone without VOX is continuously transmitting a carrier back to the cell site the entire time your call is in progress. The VOX operation used in smaller phones allows the phone to transmit only while you are actually talking. This reduces battery drain and enables handheld phones to operate longer on a smaller battery than would be possible without VOX. To determine the proper SCM for your phone, examine Table 1 and use the code that matches the presence (or absence) of each of the attributes described above.

05) Access Overload Class (AOLC or ACCOLC): A two-digit number used to arbitrate who gets dropped from the system (or refused access) when there are more calls in a cell than can be handled at one time.
This feature is allegedly disabled in most systems and no preferential treatment is shown to any particular ACCOLC.

06) Group Identification Mark (GIM): The Group ID Mark is a two-digit number used by cellular sites other than your home system to determine if you should be allowed access to the system on "roam" status. This feature is not yet fully implemented.

07) Security Code: This six-digit number is used to prevent unauthorized or accidental alteration of the data programmed in the phone. The factory default is 000000.

08) Unlock Code: This is a three-digit number required to unlock the phone when you have electronically locked it to prevent unauthorized use. The factory default is "123", however many cellular programmers change it to match the last three digits of your MIN (phone number).

09) Initial Paging Channel (IPCH): This is the channel number used by the cellular provider to "page" the phones in use on the system. The term "paging" refers to notifying a particular phone that it has an incoming call. All idle phones on a system monitor the data stream on the IPCH. Non-wireline cellular carriers use channel 0333 as the IPCH, while wireline providers (operated by a telephone company) utilize channel 0334.

10) Options programming byte A
11) Options programming byte B

The options bytes are six- and three-digit binary numbers used to enable or disable certain options on the phone. Each digit is either a "1" or "0". Options byte A consists of six bits. We'll label them "ABCDEF" for our purposes, where each letter represents a bit set to "1" or "0". Here is what each bit controls:

Bit "A" - Handset internal speaker: A "1" in this position disables the internal speaker of your handset to facilitate the use of an external speaker/microphone combination. This bit is set to "0" in a normal installation to allow normal operation of the handset speaker.

Bit "B" - Local Use bit provided for certain cellular carrier system requirements.
This is normally enabled with a "1".

Bit "C" - MIN mark bit: Usually disabled with a "0" in this field.

Bit "D" - Auto recall: The auto recall function is always enabled with a "1" in this position.

Bit "E" - Second phone number: If the phone has a dual system registration capability, and you are in fact registered with two different cellular carriers, the function is enabled with a "1" in this field. A "0" in this position indicates the standard cellular configuration having just one telephone number.

Bit "F" - Diversity: This bit is used to enable diversity if your telephone is equipped with two antenna connections (ports). If your phone uses just one antenna (standard), this bit is set to "1" to disable diversity.

If the phone was of a standard configuration, the description above indicates that this option byte would be programmed as "110100" with each bit enabling or disabling the specific option as appropriate.

Option byte B operates in the exact same fashion, except the byte consists of only three bits, controlling three options. We'll label the bits "ABC" where each letter represents a specific bit.

Bit "A" - Long tone DTMF: A "1" in this position enables long tone DTMF for end-to-end signalling. This means that the phone will transmit a DTMF tone for as long as you depress a key on the key pad. A "0" will disable this feature, causing the phone to send a short burst of DTMF when you dial, no matter how long you hold down the key.

Bit "B" - A "0" in this position enables the internal speaker of a transportable phone to act as the "ringer" to signal an incoming call. This feature can be disabled by programming a "1" in this position if you have some ancillary device connected to signal ringing.

Bit "C" - Eight hour timeout: This feature is normally enabled with a "0" in this position. When enabled, the phone will timeout and turn off if it has been left on continuously for eight hours.
This helps prevent the phone from completely draining the battery of your car if it is inadvertently left on for an extended period without being used.

ENTERING PROGRAMMING MODE

Once you have determined the proper values for the data fields described above, you can get down to the actual programming of the phone. With the above data in front of you, it becomes a simple matter of punching it all in on the keypad. To begin programming the phone, you need to enter the programming mode. Almost all Motorola phones use one of six possible keystroke sequences to gain access to the programming mode. These are numbered one through six and listed in Table 2. Indexing the exhaustive list of model numbers to the appropriate sequence number is beyond the scope of this article. It is not difficult to figure out, and whether or not the phone has a "Fcn" (function) or "Ctl" (control) key narrows it down to one or two possibilities.

The security code used to enter the programming mode consists of six digits. It is keyed in twice, as though it were a twelve digit number, and in a couple of the sequences is prefaced with a zero for a total of thirteen digits. All Motorola phones are shipped new with the factory default security code set to 000000. Most cellular programmers do not change this, as it only makes reprogramming more difficult in the future. Roughly 80% of the phones I've encountered retain the factory default security code. The other 20% had been changed to 123456 by a local cellular dealer. While the security code could conceivably be any six digit number, you should be aware that this code is only useful to prevent idle tampering with the programming, not to lock out the personnel at other service centers. The security code is by no means akin to the vault door protecting the contents of Fort Knox.

In the next issue of Nuts & Volts I'll show you how to build a manual test adapter from one inexpensive part obtainable at any Radio Shack store.
This device will immediately allow you to enter the programming mode without the security code. You can then view and change the security code or all of the programming if you wish.

Once in programming mode, the phone will display "01" which indicates the phone is at the first programming step (or field). Table 3 is a template of the programming steps, and you'll notice that the step numbers correspond with the numbers prefacing my descriptions of the required data above. The phone always displays the two-digit field identifier before displaying the data in that particular field. This lets you know where you are in the programming sequence.

COFFEE BREAK: TIME FOR AN ASIDE

It would not be unusual for you to feel a bit overwhelmed right now. I was confused the first time I attempted to program a cellular phone. If this is your first exposure to cellular programming, may I suggest you grab a cup of coffee and reread the article up to this point before you actually attempt the programming process. At first the idea of security codes and determining the proper sequence necessary to access the programming mode was disconcerting and a bit frustrating. Once this step had been accomplished, I was delighted to discover how easy the actual programming was.

If you have difficulty accessing the programming mode, here is a helpful tip: Let's say the phone is quiescent until you've keyed in the entire sequence, including the 13 digits comprising the security code, but fails to display "01" after the final keystroke. This indicates that you are using the correct sequence from Table 2, but the security code is incorrect. If you are using the wrong keystroke sequence to enter programming mode, the phone will abort in the midst of keying in the security code, because it fails to recognize why you are punching in all the digits.
If you are using the correct sequence to access the programming mode, the display on the phone will not echo (display) the security code unless you are keying it in too slowly.

KEYING IN THE DATA

The process leading up to this point is actually the majority of the work involved in programming a cellular phone. Keying in the data is so easy that it's almost disappointing. If you've successfully accessed the programming mode, your phone will display "01" to identify the current field. Pressing "*" advances the display to the data in that field. You can then key in new data and press "*" to advance to step "02", or press "*" without entering data to retain the information currently stored within the field.

I just want to change my unlock code, so I need to advance to the field where this data is stored. A quick glance at Table 3 tells me that my current unlock code is stored in field 08. To get to this field, I need only to repeatedly press the "*" key to sequence the phone through the fields without altering any of the data. When "08" is displayed, I know I've arrived at the field containing my unlock code.

First I access the programming mode on my transportable phone by turning on the power and keying in sequence number 4 from Table 2. I depress the "control" key on the side of the handset and quickly punch in "0" followed by my security code twice (123456+123456) and finally press the "*" key. The display shows "01" to let me know I am at field 01, the SID. I press "*" to advance to the data, and the display shows "00224" which is my SID. I press "*" again and the software sequences to the next step. "02" is now on the display. Another "*" and the phone displays "209" which is the data in field 02 - my cellular area code. Depressing the star key advances us to step "03" which is my MIN. Pressing "*" displays the contents of field 03, and yes, it certainly is my cellular telephone number (MIN).
Each time I press the "*" key the phone continues to advance to the next field number and then displays the data stored there. Since I want to change my unlock code, I repeatedly press the "*" key until the phone displays "08." This is the field containing that code. Another "*" and my display shows "602" which is my current unlock code. I want to change it to "977." With the old code in the display (602), I simply punch in the numbers 9+7+7. The display now reads "977" which will be my new unlock code. If I continued pressing the "*" key, the phone would sequence through the remaining fields until it returned to "01." I could then advance through the fields again.

You might want to do this, just scrolling through the data programmed into your phone. Use Table 3 to identify the fields as you look at the data stored in each. If you accidentally alter the data in any of the fields while you are looking around, press the "#" key to exit programming mode without saving any of the changes to memory. The "#" key will abort the programming mode, leaving the previously stored information intact.

Since I changed my unlock code, I need to burn the new information to the Numeric Assignment Module (NAM) in the phone. NAM is the term used to describe the EEPROM chip where the program data is stored. To save the new information, I press "Snd" (Send). This burns the changes to the NAM and exits the programming mode.

These are the keys to remember while programming a phone, or just exploring the current programming:

The "*" key advances to the next field or step.
The "#" key aborts programming without saving any changes.
The "Snd" key saves all changes to the NAM and exits programming mode.
The "clr" (clear) key will restore a field to the previously stored data if you make a mistake while keying in digits. You can then reenter the data correctly.

SUMMARY

We've covered a lot of material, and I commend your tenacity. Cellular programming is actually an easy process.
You now have a decent understanding of the fundamentals, and I assure you that a bit of practice will lead to a surprising proficiency. The information in this article is specific to cellular equipment manufactured by Motorola. Other manufacturers use somewhat different templates and methods to access the programming mode. If you want a deeper understanding of cellular programming or need the exact programming templates and instructions for a variety of phones, I suggest you buy one of the publications reviewed here.

If you own just one model of phone and need a template or other basic assistance, I don't mind helping you out. You can contact me directly via mail at 6333 Pacific Avenue, Suite 203, Stockton, CA 95207-3713. If you need me to provide detailed information, I would appreciate it if you'd enclose a few dollars to help offset my expense. I welcome all comments, and encourage suggestions for future articles.

Building a test adapter for Motorola phones is the subject of my article next month in Nuts & Volts. Placing a phone in test mode will allow you to bypass the keystroke sequence and security code to access programming mode. This is a device every cellular service person should have. In addition to getting around a security code long forgotten by a customer, you'll learn how to reset the cumulative call timer, reset the NAM programming to default values and a host of other interesting test functions such as accessing the built-in relative signal strength indicator (RSSI) and channel number display available only when the phone is in test mode.

# # #

Table 1
DETERMINING YOUR STATION CLASS MARK (SCM)

Proper SCM Value   Attributes of Your Phone
00                 Standard power output; 666 channel capability; no VOX operation.
04                 Standard power output; 666 channel capability; uses VOX.
06                 Low power output; 666 channel capability.
08                 Standard power output; 832 channel capability; no VOX operation.
10                 Low power output; 832 channel capability; no VOX operation.
12                 Standard power output; 832 channel capability; uses VOX.
14                 Low power output; 832 channel capability; uses VOX.

The SCM value appropriate to your cellular phone should be entered in programming field "04." "Standard power" as used above refers to the RF output level of a transportable phone, or one installed in a vehicle. "Low power" refers to the reduced RF output of handheld units. Handheld phones utilize a lower power level not just because of their size and battery capacity. Since the transmitter and antenna are a part of the handset, it was determined that radiating a full three watts of RF just a few inches from your head might be unhealthy.

# # #

Table 2
PROGRAMMING MODE ACCESS SEQUENCES

#1 - Fcn + [six digit security code] + [six digit security code] + Rcl
#2 - Sto + # + [six digit security code] + [six digit security code] + Rcl
#3 - Ctl + 0 + [six digit security code] + [six digit security code] + Rcl
#4 - Control + 0 + [six digit security code] + [six digit security code] + *
#5 - Fcn + 0 + [six digit security code] + [six digit security code] + Mem
#6 - Fcn + 0 + [six digit security code] + [six digit security code] + Rcl

Note: In sequence #4 the "control" key refers to the audio and ringer volume control button on the side of the handset if no "Ctl" key is present on the handset keypad.

Example: If the appropriate sequence for my phone is #3, and my security code is 123456, I would key in the sequence as follows:

A) Turn power on. Display reads "ON."
B) Press: [Ctl], [0], [1], [2], [3], [4], [5], [6], [1], [2], [3], [4], [5], [6], [Rcl].
C) If entered correctly programming mode is active. Display reads "01."
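As an added example (not code from the article or from Motorola), the following Python model composes option bytes A and B from the per-bit definitions given in the text, so the composite values can be compared with the ones quoted, and checks a complete set of fields against the digit counts in Table 3 and the SCM values in Table 1 before anything is burned to the NAM. The sample values are constructed from the article's own examples, and the checks flag the factory default and MIN-derived codes the article describes, since they offer little real protection.

```python
# Added example, not code from the article or from Motorola: a model of the
# NAM programming template (fields 01-11) built from the field descriptions
# and Table 3 above. Sample values are constructed from the article's examples.

# Field identifier -> (name, required digit count, binary field?)  (Table 3)
FIELDS = {
    "01": ("SID", 5, False),
    "02": ("MIN area code", 3, False),
    "03": ("MIN", 7, False),
    "04": ("SCM", 2, False),
    "05": ("ACCOLC", 2, False),
    "06": ("GIM", 2, False),
    "07": ("security code", 6, False),
    "08": ("unlock code", 3, False),
    "09": ("IPCH", 4, False),
    "10": ("options byte A", 6, True),
    "11": ("options byte B", 3, True),
}
SCM_VALUES = {"00", "04", "06", "08", "10", "12", "14"}  # Table 1


def options_byte_a(*, disable_speaker=False, local_use=True, min_mark=False,
                   auto_recall=True, second_number=False, disable_diversity=True):
    """Field 10, bits A..F, per the text: "1" disables the handset speaker (A),
    enables local use (B), sets the MIN mark (C), enables auto recall (D, always
    1), enables the second number (E) and disables diversity (F). The defaults
    are the one-antenna, one-number configuration the text describes."""
    bits = (disable_speaker, local_use, min_mark, auto_recall, second_number,
            disable_diversity)
    return "".join("1" if b else "0" for b in bits)


def options_byte_b(*, long_tone_dtmf=False, external_ringer=False,
                   disable_timeout=False):
    """Field 11, bits A..C: "1" enables long-tone DTMF (A), hands ringing to an
    ancillary device instead of the speaker (B), disables the 8 hour timeout (C)."""
    bits = (long_tone_dtmf, external_ringer, disable_timeout)
    return "".join("1" if b else "0" for b in bits)


def decode_options_a(value):
    """Expand a six-bit field 10 value back into named settings."""
    names = ("disable_speaker", "local_use", "min_mark", "auto_recall",
             "second_number", "disable_diversity")
    return dict(zip(names, (c == "1" for c in value)))


def check_nam(nam):
    """Return a list of problems; an empty list means the template is well
    formed. Codes the article describes as factory defaults or as derived from
    the MIN are flagged: they stop idle tampering and nothing more."""
    problems = []
    for fid, (name, digits, binary) in FIELDS.items():
        value = nam.get(fid, "")
        allowed = "01" if binary else "0123456789"
        if len(value) != digits or any(c not in allowed for c in value):
            kind = "binary digits" if binary else "digits"
            problems.append(f"{fid} {name}: expected {digits} {kind}, got {value!r}")
    if problems:
        return problems  # cross-field checks need well-formed fields first
    if nam["04"] not in SCM_VALUES:
        problems.append(f"04 SCM: {nam['04']} is not a Table 1 value")
    if nam["09"] not in ("0333", "0334"):
        problems.append("09 IPCH: expected 0333 (non-wireline) or 0334 (wireline)")
    if not decode_options_a(nam["10"])["auto_recall"]:
        problems.append("10 options byte A: auto recall (bit D) must be 1")
    if nam["07"] in ("000000", "123456"):
        problems.append("07 security code: factory default or common dealer value")
    if nam["08"] in ("123", nam["03"][-3:]):
        problems.append("08 unlock code: factory default or last 3 digits of MIN")
    return problems


# Constructed sample: a one-antenna transportable on a wireline carrier that
# still has the factory security code and an unlock code taken from the MIN.
SAMPLE_NAM = {
    "01": "00224", "02": "209", "03": "5551212", "04": "08", "05": "06",
    "06": "10", "07": "000000", "08": "212", "09": "0334",
    "10": options_byte_a(), "11": options_byte_b(),
}

if __name__ == "__main__":
    for line in check_nam(SAMPLE_NAM) or ["template is consistent"]:
        print(line)
```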
# # #

Table 3
TEMPLATE: SEQUENCE OF PROGRAMMING STEPS

Field  Description                                   Digits  Typical Example
01     System ID Number (SID)                        5       000233
02     Area Code of Mobile ID Number (MIN)           3       209
03     Mobile Identification Number (MIN)            7       555-1212
04     Station Class Mark (SCM)                      2       12
05     Access Overload Class (ACCOLC)                2       06
06     Group ID Mark (GIM)                           2       10
07     Security Code                                 6       000000 or 123456
08     Unlock Code                                   3       123 or last 3 digits of MIN
09     Initial Paging Channel (IPCH)                 4       0333 or 0334
10     Options programming byte "A"                  6       011100 (binary)
         Internal Speaker (1 = disable)                      X-----
         Local Use bit (1 = enable)                          -X----
         MIN Mark bit (usually disabled = 0)                 --0---
         Auto-Recall bit (always set to 1)                   ---1--
         Second Phone Number (0 = disable)                   ----X-
         Diversity option bit (0 = disable)                  -----X
11     Options programming byte "B"                  3       010 (binary)
         Long tone DTMF (0 = disable)                        X--
         Ringer/speaker (1 = handset / 2 = transducer)       -X-
         Timeout (8 hour) (0 = enabled)                      --X

If the second phone number option is enabled and supported by the hardware, this programming template will repeat for the second phone number. Each field identifier (step) number will be displayed with a "2" to indicate data for the second number (e.g. "01 2").

******************************************************************************

SOURCES: A Review of Available Publications

Every month I peruse the pages of Nuts & Volts with an eye for detail unmatched by the best Revenue Agents employed by the IRS. Why? Because I have an insatiable appetite for information - especially information surrounding technology that seems "inaccessible" to you and me. As a result, I've purchased all four publications advertised herein that deal with cellular communications. Each has unique features and all were worth the money. Here is my opinion of each:

Cellular Programmer's Bible

The Cellular Programmer's Bible definitely lives up to its name. Over 300 pages of nothing but programming instructions for every conceivable cellular telephone manufactured.
This tome includes the factory preset security codes to greatly simplify access to the programming modes of various phones. In addition to precisely detailing every programming sequence, each entry includes invaluable technical information on channel capabilities, test modes, and other unique tidbits applicable to the specific model of phone being described. This volume is mandatory for anyone considering offering programming services to the public. I discovered my Pac Tel Cellular customer service rep uses this same publication as his programming reference, although he carries it in a nondescript binder.

Approximately 400 spiral bound 8.5 x 11" pages. $84.45. Available from: TeleCode, P.O. Box 6426, Yuma, AZ, 85366-6426. (602) 782-2316.

Cellular Hacker's Bible

The Cellular Hacker's Bible is TeleCode's other cellular publication. About one third of this book is devoted to programming templates for over thirty popular phones. The balance consists of an elaborate technical dissertation describing the operation of the cellular network which reads like a Bellcore technical document (coincidence?). From switching to timing and signalling protocols - it's all here. The attention to technical detail can be an engineer's dream or mind-numbing to the casual reader. Although I occasionally became bogged down in things like "wink start signalling" and multi-frequency (MF) call routing codes, I appreciated the excruciating detail when I came to the 18 pages listing each and every frequency in the radio spectrum allocated to the cellular network by the FCC. The reprogramming instructions are easy to follow, but not as comprehensive as the templates in TeleCode's other publication (above).

Approximately 180 spiral bound 8.5 x 11" pages. $53.45. Available from: TeleCode, P.O. Box 6426, Yuma, AZ, 85366-6426. (602) 782-2316.
Cellular Phone Phreaking

Technical documents published "for educational purposes only" by Consumertronics have a unique format and tone not generally found in other books. John J. Williams, MSEE and proprietor of the company, has a gift for presenting detailed technical information in an almost conversational manner full of examples and anecdotes. Cellular Phone Phreaking is no exception. The programming instructions are equivalent to those contained within TeleCode's Cellular Hacker's Bible. The technical description of the cellular network is brief, and Williams includes an abundance of information on how individuals have been known to perpetrate cellular fraud. Included are relevant excerpts from various communications privacy laws, including the text of the Electronic Communications Privacy Act (ECPA). Of value to the technician or monitoring enthusiast are the mathematical algorithms necessary to determine the cellular channel numbers based on the radio frequencies used. While informative and entertaining, this book is a bit thin compared to the others, but Williams crams in a lot of information by using small type and not wasting an inch of space.

Approximately 41 spiral bound 8.5 x 11" pages. $39.00. Available from: Consumertronics, 2011 Crescent Drive, P.O. Box 88310, Alamogordo, NM 88310, (505) 434-0234.

Cellular Telephone Modification Handbook

The Cellular Telephone Modification Handbook is the one publication reviewed that is not really a programming manual per se. It is a book explaining in detail how a hacker would change the Electronic Serial Number (ESN) of a cellular phone. As a "security manual," the book holds nothing back in precisely demonstrating how criminals can defraud the system by doing so. I should note that a legitimate application for this information would be to "clone" a phone that you already own.
By duplicating the ESN of your existing phone into another phone, you could use either unit at any given time and avoid having to pay for an additional number and service for the second phone. This seems analogous to adding an extension phone to your telephone service at home. Why have a separate number for each "extension?" Cellular companies don't like it, but it doesn't appear to be illegal. Emulating the phone of your local bank president in order to make free calls is another story entirely.

In addition to basic "universal" programming guidelines, this book includes "screen dumps" of PROM emulation software, lists of manufacturers' ESN prefixes and System Identification Numbers (SIDs). It is complete with sources for parts and equipment, as well as books and magazines related to the field of cellular communications.

The representative I spoke with at Spy Supply provides programming support for their customers. If you need assistance with a specific phone, he'll provide you with programming information for that particular model at no charge. After purchasing the manual, I tested this service and found that he could answer every question I threw at him without hesitation. The availability of this invaluable resource elevates Spy Supply above the ranks of a typical publisher.

Approximately 52 spiral bound 8.5 x 11" pages. $79.95. Available from: Spy Supply, 7 Colby Court, Suite 215, Bedford, NH 03110, (617) 327-7272.

******************************************************************************

AUTHOR BIOGRAPHY (For publication)

Damien Thorn's interest in electronics has deep roots. A noted "hacker" and "phone phreak" by age sixteen, he contributed regularly to the underground newsletter "TAP." Today Damien is an on-air radio personality and FCC licensed engineer in California's San Joaquin Valley. His interests include computers, communications, security and privacy issues. He welcomes questions and comments. You can reach him at 6333 Pacific Ave. #203, Stockton, CA 95207-3713 or via E-Mail as Damien@prcomm.com via the Internet.