The Aqua Box Plans
Every true phreaker lives in fear of the dreaded FBI 'Lock In Trace'. For a long time, it was impossible to escape from the Lock In Trace. This box does offer an escape route with simple directions to it. This box is quite a simple concept, and almost any phreaker with basic electronics knowledge can construct and use it.
The Lock In Trace
A lock in trace is a device used by the FBI to lock into the phone users location so that he can not hang up while a trace is in progress. For those of you who are not familiar with the concept of 'locking in', then here's a brief description. The FBI can tap into a conversation, sort of like a three-way call connection. Then, when they get there, they can plug electricity into the phone line. All phone connections are held open by a certain voltage of electricity. That is why you sometimes get static and faint connections when you are calling far away, because the electricity has trouble keeping the line up. What the lock in trace does is cut into the line and generate that same voltage straight into the lines. That way, when you try and hang up, voltage is retained. Your phone will ring just like someone was calling you even after you hang up. (If you have call waiting, you should understand better about that, for call waiting intercepts the electricity and makes a tone that means someone is going through your line. Then, it is a matter of which voltage is higher. When you push down the receiver, then it see-saws the electricity to the other side. When you have a person on each line it is impossible to hang up unless one or both of them will hang up. If you try to hang up, voltage is retained, and your phone will ring. That should give you an understanding of how calling works. Also, when electricity passes through a certain point on your phone, the electricity causes a bell to ring, or on some newer phones an electronic ring to sound.) So, in order to eliminate the trace, you somehow must lower the voltage level on your phone line. You should know that every time someone else picks up the phone line, then the voltage does decrease a little. In the first steps of planning this out, Xerox suggested getting about a hundred phones all hooked into the same line that could all be taken off the hook at the same time. That would greatly decrease the voltage level. That is also why most three-way connections that are using the bell service three way calling (which is only $3 a month) become quite faint after a while. By now, you should understand the basic idea. You have to drain all of the power out of the line so the voltage can not be kept up. Rather sudden draining of power could quickly short out the FBI voltage machine, because it was only built to sustain the exact voltage necessary to keep the voltage out. For now, imagine this. One of the normal Radio Shack generators that you can go pick up that one end of the cord that hooks into the central box has a phone jack on it and the other has an electrical plug. This way, you can "flash" voltage through the line, but cannot drain it. So, some
modifications have to be done.
Materials
A BEOC (Basic Electrical Output Socket), like a small lamp-type connection, where you just have a simple plug and wire that would plug into a light bulb. One of cords mentioned above, if you can't find one then construct your own... Same voltage connection, but the restrainer must be built in (I.E. The central box) Two phone jacks (one for the modem, one for if you are being traced to plug the aqua box into) Some creativity and easy work.
Notice: No phones have to be destroyed/modified to make this box, so don't go out and buy a new phone for it!
Procedure
All right, this is a very simple procedure. If you have the BEOC, it could drain into anything: a radio, or whatever. The purpose of having that is you are going to suck the voltage out from the phone line into the electrical appliance so there would be no voltage left to lock you in with.
1.Take the connection cord. Examine the plug at the end. It should have only two prongs. If it has three, still, do not fear. Make sure the electrical appliance is turned off unless you want to become a crispy critter while making this thing. Most plugs will have a hard plastic design on the top of them to prevent you from getting in at the electrical wires inside. Well, remove it. If you want to keep the plug (I don't see why...) then just cut the top off. When you look inside, Low and Behold, you will see that at the base of the prongs there are a few wires connecting in. Those wires conduct the power into the appliance. So, you carefully unwrap those from the sides and pull them out until they are about an inch ahead of the prongs. If you don't want to keep the jack, then just rip the prongs out. If you are, cover the prongs with insulation tape so they will not connect with the wires when the power is being drained from the line.
2.Do the same thing with the prongs on the other plug, so you have the wires evenly connected. Now, wrap the end of the wires around each other. If you happen to have the other end of the voltage cord hooked into the phone, stop reading now, you're too fucking stupid to continue. After you've wrapped the wires around each other, then cover the whole thing with the plugs with insulating tape. Then, if you built your own control box or if you bought one, then cram all the wires into it and reclose it. That box is your ticket out of this.
3.Re-check everything to make sure it's all in place. This is a pretty flimsy connection, but on later models when you get more experienced at it then you can solder away at it and form the whole device into one big box, with some kind of cheap Mattel hand-held game inside to be the power connector. In order to use it, just keep this box handy. Plug it into the jack if you want, but it will slightly lower the voltage so it isn't connected. When you plug it in, if you see sparks, unplug it and restart the whole thing. But if it just seems fine then leave it.
Use
----
Now, so you have the whole thing plugged in and all... Do not use this unless the situation is desperate! When the trace has gone on, don't panic, unplug your phone, and turn on the appliance that it was hooked to. It will need energy to turn itself on, and here's a great source... The voltage to keep a phone line open is pretty small and a simple light bulb should drain it all in and probably short the FBI computer at the same time.
" the anarchist cookbook"
Saturday, December 31, 2005
Operators
There are many types of operators in the network and the more common ones will be discussed.
TSPS Operator:
The TSPS [(Traffic Service Position System) as opposed to This Shitty Phone Service] Operator is probably the bitch (or bastard, for the female liberationists out there) that most of us are used to having to deal with. Here are his/her responsibilities:
1.Obtaining billing information for calling card or third number calls
2.Identifying called customer on person-to-person calls.
3.Obtaining acceptance of charges on collect calls.
4.Identifying calling numbers. This only happens when the calling number is not automatically recorded by CAMA(Centralized Automatic Message Accounting) & forwarded from the local office. This could be caused by equipment failures (ANIF- Automatic Number Identification Failure) or if the office is not equipped for CAMA (ONI- Operator Number Identification).
I once had an equipment failure happen to me & the TSPS operator came on and said, "What number are you calling FROM?" Out of curiosity, I gave her the number to my CO, she thanked me & then I was connected to a conversation that appeared to be between a frame man & his wife. Then it started ringing the party I wanted to originally call & everyone phreaked out (excuse the pun). I immediately dropped this dual line conference!
You should not mess with the TSPS operator since she KNOWS which number that you are calling from. Your number will show up on a 10-digit LED read-out (ANI board). She also knows whether or not you are at a fortress phone & she can trace calls quite readily! Out of all of the operators, she is one of the MOST DANGEROUS.
INWARD operator:
This operator assists your local TSPS ("0") operating connecting calls. She will never question a call as long as the call is within HER SERVICE AREA. She can only be reached via other operators or by a blue box. From a blue box, you would dial KP+NPA+121+ST for the INWARD operator that will help you connect any calls within that NPA only. (Blue Boxing will be discussed in a future file).
DIRECTORY ASSISTANCE Operator:
This is the operator that you are connected to when you dial: 411 or NPA-555-1212. She does not readily know where you are calling from. She does not have access to unlisted numbers, but she DOES know if an unlisted # exists for a certain listing.
There is also a directory assistance operator for deaf people who use teletypewriters. If your modem can transfer BAUDOT [(45« baud). One modem that I know of that will do this is the Apple Cat acoustic or the Atari 830 acoustic modem. Yea I know they are hard to find... but if you want to do this.. look around!) then you can call him/her up and have an interesting conversation. The number is: 800-855-1155. They use the standard Telex abbreviations such as GA for go ahead. they tend to be nicer and will talk longer than your regular operators. Also, they are more vulnerable into being talked out of information through the process of "social engineering" as Chesire Catalyst would put it.
Unfortunately, they do not have access to much. I once bullshitted with one of these operators a while back and I found out that there are 2 such DA offices that handle TTY. One is in Philadelphia and the other is in California. They have approx. 7 operators each. Most of the TTY operators think that their job is
boring (based on an official "BIOC poll"). They also feel that they are under-paid. They actually call up a regular DA number to process your request (sorry, no fancy computers!)
Other operators have access to their own DA by dialing KP+NPA+131+ST (MF).
CN/A operators:
CN/A Operators are operators that do exactly the opposite of what directory assistance operators are for. In my experience, these operators know more than the DA op's do & they are more susceptible to "social engineering." It is possible to bullshit a CN/A operator for the NON-PUB DA number (i.e., you give them the name & they give you the unlisted number. See the article on unlisted numbers in this cookbook for more info about them.). This is due to the fact that they assume that you are a fellow company employee. Unfortunately, the AT&T breakup has resulted in the break-up of a few NON-PUB DA numbers and policy changes in CN/A.
INTERCEPT Operator:
The intercept operator is the one that you are connected to when there are not enough recordings available to tell you that the number has been disconnected or changed. She usually says, "What number you calling?" with a foreign accent. This is the lowest operator lifeform. Even though they don't know where you are calling from, it is a waste or your time to try to verbally abuse them since they usually understand very little English anyway.
Incidentally, a few area DO have intelligent INTERCEPT Operators.
OTHER Operators:
And then there are the: Mobile, Ship-to-Shore, Conference, Marine Verify, "Leave Word and Call Back", Rout & Rate (KP+800+141+1212+ST), & other special operators who have one purpose or another in the network.
Problems with an Operator:
Ask to speak to their supervisor... or better yet the Group Chief (who is the highest ranking official in any office) who is the equivalent of the Madame in a whorehouse.
By the way, some CO's that will allow you to dial a 0 or 1 as the 4th digit, will also allow you to call special operators & other fun Tel. Co. numbers without a blue box. This is very rare, though! For example, 212-121-1111 will get you a NY Inward Operator.
Office Hierarchy
Every switching office in North America (the NPA system), is assigned an office name and class. There are five classes of offices numbered 1 through 5. Your CO is most likely a class 5 or end office. All long-distance (Toll) calls are switched by a toll office which can be a class 4, 3, 2, or 1 office. There is also a class 4X office called an intermediate point. The 4X office is a digital one that can have an unattended exchange attached to it (known as a Remote Switching Unit (RSU)).
The following chart will list the Office #, name, & how many of those office exist (to the best of my knowledge) in North America:
Class Name Abb Number Existing
1 Regional Center RC 12
2 Sectional Center SC 67
3 Primary Center PC 230
4 Toll Center TC 1,300
4P Toll Point TP N/A
4X Intermediate Point IP N/A
5 End Office EO 19,000
6 RSU RSU N/A
When connecting a call from one party to another, the switching equipment usually tries to find the shortest route between the class 5 end office of the caller & the class 5 end office of the called party. If no inter-office trunks exist between the two parties, it will then move upward to the next highest office for servicing calls (Class 4). If the Class 4 office cannot handle the call by sending it to another Class 4 or 5 office, it will then be sent to the next highest office in the hierarchy (3). The switching equipment first uses the high-usage interoffice trunk groups, if they are busy then it goes to the final; trunk groups on the next highest level. If the call cannot be connected, you will probably get a re-order [120 IPM (interruptions per minute) busy signal] signal. At this time, the guys at Network Operations are probably shitting in their pants and trying to avoid the dreaded Network Dreadlock (as seen on TV!).
It is also interesting to note that 9 connections in tandem is called ring-around-the-rosy and it has never occurred in telephone history. This would cause an endless loop connection [a neat way to really screw up the network].
The 10 regional centers in the US & the 2 in Canada are all interconnected. they form the foundation of the entire telephone network. Since there are only 12 of them, they are listed below:
Class 1 Regional Office Location NPA
Dallas 4 ESS 214
Wayne, PA 215
Denver 4T 303
Regina No. 2SP1-4W (Canada) 306
St. Louis 4T 314
Rockdale, GA 404
Pittsburgh 4E 412
Montreal No. 1 4AETS (Canada) 504
There are many types of operators in the network and the more common ones will be discussed.
TSPS Operator:
The TSPS [(Traffic Service Position System) as opposed to This Shitty Phone Service] Operator is probably the bitch (or bastard, for the female liberationists out there) that most of us are used to having to deal with. Here are his/her responsibilities:
1.Obtaining billing information for calling card or third number calls
2.Identifying called customer on person-to-person calls.
3.Obtaining acceptance of charges on collect calls.
4.Identifying calling numbers. This only happens when the calling number is not automatically recorded by CAMA(Centralized Automatic Message Accounting) & forwarded from the local office. This could be caused by equipment failures (ANIF- Automatic Number Identification Failure) or if the office is not equipped for CAMA (ONI- Operator Number Identification).
I once had an equipment failure happen to me & the TSPS operator came on and said, "What number are you calling FROM?" Out of curiosity, I gave her the number to my CO, she thanked me & then I was connected to a conversation that appeared to be between a frame man & his wife. Then it started ringing the party I wanted to originally call & everyone phreaked out (excuse the pun). I immediately dropped this dual line conference!
You should not mess with the TSPS operator since she KNOWS which number that you are calling from. Your number will show up on a 10-digit LED read-out (ANI board). She also knows whether or not you are at a fortress phone & she can trace calls quite readily! Out of all of the operators, she is one of the MOST DANGEROUS.
INWARD operator:
This operator assists your local TSPS ("0") operating connecting calls. She will never question a call as long as the call is within HER SERVICE AREA. She can only be reached via other operators or by a blue box. From a blue box, you would dial KP+NPA+121+ST for the INWARD operator that will help you connect any calls within that NPA only. (Blue Boxing will be discussed in a future file).
DIRECTORY ASSISTANCE Operator:
This is the operator that you are connected to when you dial: 411 or NPA-555-1212. She does not readily know where you are calling from. She does not have access to unlisted numbers, but she DOES know if an unlisted # exists for a certain listing.
There is also a directory assistance operator for deaf people who use teletypewriters. If your modem can transfer BAUDOT [(45« baud). One modem that I know of that will do this is the Apple Cat acoustic or the Atari 830 acoustic modem. Yea I know they are hard to find... but if you want to do this.. look around!) then you can call him/her up and have an interesting conversation. The number is: 800-855-1155. They use the standard Telex abbreviations such as GA for go ahead. they tend to be nicer and will talk longer than your regular operators. Also, they are more vulnerable into being talked out of information through the process of "social engineering" as Chesire Catalyst would put it.
Unfortunately, they do not have access to much. I once bullshitted with one of these operators a while back and I found out that there are 2 such DA offices that handle TTY. One is in Philadelphia and the other is in California. They have approx. 7 operators each. Most of the TTY operators think that their job is
boring (based on an official "BIOC poll"). They also feel that they are under-paid. They actually call up a regular DA number to process your request (sorry, no fancy computers!)
Other operators have access to their own DA by dialing KP+NPA+131+ST (MF).
CN/A operators:
CN/A Operators are operators that do exactly the opposite of what directory assistance operators are for. In my experience, these operators know more than the DA op's do & they are more susceptible to "social engineering." It is possible to bullshit a CN/A operator for the NON-PUB DA number (i.e., you give them the name & they give you the unlisted number. See the article on unlisted numbers in this cookbook for more info about them.). This is due to the fact that they assume that you are a fellow company employee. Unfortunately, the AT&T breakup has resulted in the break-up of a few NON-PUB DA numbers and policy changes in CN/A.
INTERCEPT Operator:
The intercept operator is the one that you are connected to when there are not enough recordings available to tell you that the number has been disconnected or changed. She usually says, "What number you calling?" with a foreign accent. This is the lowest operator lifeform. Even though they don't know where you are calling from, it is a waste or your time to try to verbally abuse them since they usually understand very little English anyway.
Incidentally, a few area DO have intelligent INTERCEPT Operators.
OTHER Operators:
And then there are the: Mobile, Ship-to-Shore, Conference, Marine Verify, "Leave Word and Call Back", Rout & Rate (KP+800+141+1212+ST), & other special operators who have one purpose or another in the network.
Problems with an Operator:
Ask to speak to their supervisor... or better yet the Group Chief (who is the highest ranking official in any office) who is the equivalent of the Madame in a whorehouse.
By the way, some CO's that will allow you to dial a 0 or 1 as the 4th digit, will also allow you to call special operators & other fun Tel. Co. numbers without a blue box. This is very rare, though! For example, 212-121-1111 will get you a NY Inward Operator.
Office Hierarchy
Every switching office in North America (the NPA system), is assigned an office name and class. There are five classes of offices numbered 1 through 5. Your CO is most likely a class 5 or end office. All long-distance (Toll) calls are switched by a toll office which can be a class 4, 3, 2, or 1 office. There is also a class 4X office called an intermediate point. The 4X office is a digital one that can have an unattended exchange attached to it (known as a Remote Switching Unit (RSU)).
The following chart will list the Office #, name, & how many of those office exist (to the best of my knowledge) in North America:
Class Name Abb Number Existing
1 Regional Center RC 12
2 Sectional Center SC 67
3 Primary Center PC 230
4 Toll Center TC 1,300
4P Toll Point TP N/A
4X Intermediate Point IP N/A
5 End Office EO 19,000
6 RSU RSU N/A
When connecting a call from one party to another, the switching equipment usually tries to find the shortest route between the class 5 end office of the caller & the class 5 end office of the called party. If no inter-office trunks exist between the two parties, it will then move upward to the next highest office for servicing calls (Class 4). If the Class 4 office cannot handle the call by sending it to another Class 4 or 5 office, it will then be sent to the next highest office in the hierarchy (3). The switching equipment first uses the high-usage interoffice trunk groups, if they are busy then it goes to the final; trunk groups on the next highest level. If the call cannot be connected, you will probably get a re-order [120 IPM (interruptions per minute) busy signal] signal. At this time, the guys at Network Operations are probably shitting in their pants and trying to avoid the dreaded Network Dreadlock (as seen on TV!).
It is also interesting to note that 9 connections in tandem is called ring-around-the-rosy and it has never occurred in telephone history. This would cause an endless loop connection [a neat way to really screw up the network].
The 10 regional centers in the US & the 2 in Canada are all interconnected. they form the foundation of the entire telephone network. Since there are only 12 of them, they are listed below:
Class 1 Regional Office Location NPA
Dallas 4 ESS 214
Wayne, PA 215
Denver 4T 303
Regina No. 2SP1-4W (Canada) 306
St. Louis 4T 314
Rockdale, GA 404
Pittsburgh 4E 412
Montreal No. 1 4AETS (Canada) 504
Telephone basics
To start off, we will discuss the dialing procedures for domestic as well as international dialing. We will also take a look at the telephone numbering plan.
North American Numbering Plan
In North America, the telephone numbering plan is as follows:
· 3 digit Numbering Plan Area (NPA) code , i.e., area code
· 7 digit telephone number consisting of a 3 digit Central Office (CO) code plus a 4 digit station number
These 10 digits are called the network address or destination code. It is in the format of:
Area Code Telephone #
--------- -----------
N*X NXX-XXXX
Where: N = a digit from 2 to 9
* = the digit 0 or 1
X = a digit from 0 to 9
Area Codes
Check your telephone book or the separate listing of area codes found on many bbs's. Here are the special area codes (SAC's):
510 - TWX (USA)
610 - TWX (Canada)
700 - New Service
710 - TWX (USA)
800 - WATS
810 - TWX (USA)
900 - DIAL-IT Services
910 - TWX (USA)
The other area codes never cross state lines, therefore each state must have at least one exclusive NPA code. When a community is split by a state line, the CO numbers are often interchangeable (i.e., you can dial the same number from two different area codes).
TWX (Telex II) consists of 5 teletype-writer area codes. They are owned by Western Union. These SAC's may only be reached via other TWX machines. These run at 110 baud (last I checked! They are most likely faster now!). Besides the TWX numbers, these machines are routed to normal telephone numbers. TWX machines always respond with an answerback. For example, WU's FYI TWX # is (910) 279-5956. The answerback for this service is "WU FYI MAWA".
If you don't want to but a TWX machine, you can still send TWX messages using Easylink [800/325-4112]. However you are gonna have to hack your way onto this one!
700:
700 is currently used by AT&T as a call forwarding service. It is targeted towards salesmen on the run. To understand how this works, I'll explain it with an example. Let's say Joe Q. Salespig works for AT&T security and he is on the run chasing a phreak around the country who royally screwed up an important COSMOS system. Let's say that Joe's 700 # is (700) 382-5968. Every time Joe goes to a new hotel (or most likely SLEAZY MOTEL), he dials a special 700 #, enters a code, and the number where he is staying. Now, if his boss received some important info, all he would do is dial (700) 382-5968 and it would ring wherever Joe last programmed it to. Neat, huh?
800:
This SAC is one of my favorites since it allows for toll free calls. INWARD WATS (INWATS), or Inward Wide Area Telecommunications Service is the 800 numbers that we are all familiar with. 800 numbers are set up in service areas or bands. There are 6 of these. Band 6 is the largest and you can call a band 6 # from anywhere in the US except the state where the call is terminated (that is why most companies have one 800 number for the country and then another one for their state.) Band 5 includes the 48 contiguous states. All the way down to band 1 which includes only the states contiguous to that one. Therefore, less people can reach a band 1 INWATS number than a band 6 number.
Intrastate INWATS #'s (i.e., you can call it from only 1 state) always have a 2 as the last digit in the exchange (i.e., 800-NX2-XXXX). The NXX on 800 numbers represent the area where the business is located. For example, a number beginning with 800-431 would terminate at a NY CO.
800 numbers always end up in a hunt series in a CO. This means that it tries the first number allocated to the company for their 800 lines; if this is busy, it will try the next number, etc. You must have a minimum of 2 lines for each 800 number. For example, Travelnet uses a hunt series. If you dial (800) 521-8400, it will first try the number associated with 8400; if it is busy it will go to the next available port, etc. INWATS customers are billed by the number of hours of calls made to their number.
OUTWATS (OUTWARD WATS): OUTWATS are for making outgoing calls only. Large companies use OUTWATS since they receive bulk-rate discounts. Since OUTWATS numbers cannot have incoming calls, they are in the format of:
(800) *XXX-XXXX
Where * is the digit 0 or 1 (or it may even be designated by a letter) which cannot be dialed unless you box the call. The *XX identifies the type of service and the areas that the company can call.
Remember:
INWATS + OUTWATS = WATS EXTENDER
900:
This DIAL-IT SAC is a nationwide dial-it service. It is use for taking television polls and other stuff. The first minute currently costs an outrageous 50-85 cents and each additional minute costs 35-85 cents. He'll take in a lot of revenue this way!
Dial (900) 555-1212 to find out what is currently on this service.
CO CODES
These identify the switching office where the call is to be routed. The following CO codes are reserved nationwide:
555 - directory assistance
844 - time. These are now in!
936 - weather the 976 exchange
950 - future services
958 - plant test
959 - plant test
970 - plant test (temporary)
976 - DIAL-IT services
Also, the 3 digit ANI & ringback #'s are regarded as plant test and are thus reserved. These numbers vary from area to area.
You cannot dial a 0 or 1 as the first digit of the exchange code (unless using a blue box!). This is due to the fact that these exchanges (000-199) contains all sorts of interesting shit such as conference #'s, operators, test #'s, etc.
950:
Here are the services that are currently used by the 950 exchange:
1000 - SPC
1022 - MCI Execunet
1033 - US Telephone
1044 - Allnet
1066 - Lexitel
1088 - SBS Skyline
These SCC's (Specialized Common Carriers) are free from fortress phones! Also, the 950 exchange will probably be phased out with the introduction of Equal Access.
Plant Tests:
These include ANI, Ringback, and other various tests.
976:
Dial 976-1000 to see what is currently on the service. Also, many bbs's have listings of these numbers.
N11 codes:
----------
Bell is trying to phase out some of these, but they still exist in most areas.
011 - international dialing prefix
211 - coin refund operator
411 - directory assistance
611 - repair service
811 - business office
911 - EMERGENCY
International Dialing
With International Dialing, the world has been divided into 9 numbering zones. To make an international call, you must first dial: International Prefix + Country code + National number.
In North America, the international dialing prefix is 011 for station-to-station calls. If you can dial International numbers directly in your area then you have International Direct Distance Dialing (IDDD).
The country code, which varies from 1 to 3 digits, always has the world numbering zone as the first digit. For example, the country code for the United Kingdom is 44, thus it is in world numbering zone 4. Some boards may contain a complete listing of other country codes, but here I give you a few:
1 - North America (US, Canada, etc.)
20 - Egypt
258 - Mozambique
34 - Spain
49 - Germany
52 - Mexico (southern portion)
7 - USSR
81 - Japan
98 - Iran (call & hassle those bastards!)
If you call from an area other than North America, the format is generally the same. For example, let's say that you wanted to call the White House from Switzerland to tell the president that his numbered bank account is overdrawn (it happens, you know!). First you would dial 00 (the SWISS international dialing prefix), then 1 (the US country code), followed by 202-456-1414 (the
national number for the White House. Just ask for Georgy and give him the bad news!)
Also, country code 87 is reserved for Maritime mobile service, i.e., calling ships:
871 - Marisat (Atlantic)
871 - Marisat (Pacific)
872 - Marisat (Indian)
International Switching:
------------------------
In North America there are currently 7 no. 4 ESS's that perform the duty of ISC (Inter-nation Switching Centers). All international calls dialed from numbering zone 1 will be routed through one of these "gateway cities". They are:
182 - White Plains, NY
183 - New York, NY
184 - Pittsburgh, PA
185 - Orlando, Fl
186 - Oakland, CA
187 - Denver, CO
188 - New York, NY
The 18X series are operator routing codes for overseas access (to be further discussed with blue boxes). All international calls use a signaling service called CCITT. It is an international standard for signaling.
Part II will deal with the various types of operators, office hierarchy, & switching equipment.
Operators
There are many types of operators in the network and the more common ones will be discussed.
TSPS Operator:
The TSPS [(Traffic Service Position System) as opposed to This Shitty Phone Service] Operator is probably the bitch (or bastard, for the female liberationists out there) that most of us are used to having to deal with. Here are his/her responsibilities:
1.Obtaining billing information for calling card or third number calls
2.Identifying called customer on person-to-person calls.
3.Obtaining acceptance of charges on collect calls.
4.Identifying calling numbers. This only happens when the calling number is not automatically recorded by CAMA(Centralized Automatic Message Accounting) & forwarded from the local office. This could be caused by equipment failures (ANIF- Automatic Number Identification Failure) or if the office is not equipped for CAMA (ONI- Operator Number Identification).
I once had an equipment failure happen to me & the TSPS operator came on and said, "What number are you calling FROM?" Out of curiosity, I gave her the number to my CO, she thanked me & then I was connected to a conversation that appeared to be between a frame man & his wife. Then it started ringing the party I wanted to originally call & everyone phreaked out (excuse the pun). I immediately dropped this dual line conference!
You should not mess with the TSPS operator since she KNOWS which number that you are calling from. Your number will show up on a 10-digit LED read-out (ANI board). She also knows whether or not you are at a fortress phone & she can trace calls quite readily! Out of all of the operators, she is one of the MOST DANGEROUS.
INWARD operator:
This operator assists your local TSPS ("0") operating connecting calls. She will never question a call as long as the call is within HER SERVICE AREA. She can only be reached via other operators or by a blue box. From a blue box, you would dial KP+NPA+121+ST for the INWARD operator that will help you connect any calls within that NPA only. (Blue Boxing will be discussed in a future file).
DIRECTORY ASSISTANCE Operator:
This is the operator that you are connected to when you dial: 411 or NPA-555-1212. She does not readily know where you are calling from. She does not have access to unlisted numbers, but she DOES know if an unlisted # exists for a certain listing.
There is also a directory assistance operator for deaf people who use teletypewriters. If your modem can transfer BAUDOT [(45« baud). One modem that I know of that will do this is the Apple Cat acoustic or the Atari 830 acoustic modem. Yea I know they are hard to find... but if you want to do this.. look around!) then you can call him/her up and have an interesting conversation. The number is: 800-855-1155. They use the standard Telex abbreviations such as GA for go ahead. they tend to be nicer and will talk longer than your regular operators. Also, they are more vulnerable into being talked out of information through the process of "social engineering" as Chesire Catalyst would put it.
Unfortunately, they do not have access to much. I once bullshitted with one of these operators a while back and I found out that there are 2 such DA offices that handle TTY. One is in Philadelphia and the other is in California. They have approx. 7 operators each. Most of the TTY operators think that their job is
boring (based on an official "BIOC poll"). They also feel that they are under-paid. They actually call up a regular DA number to process your request (sorry, no fancy computers!)
Other operators have access to their own DA by dialing KP+NPA+131+ST (MF).
CN/A operators:
CN/A Operators are operators that do exactly the opposite of what directory assistance operators are for. In my experience, these operators know more than the DA op's do & they are more susceptible to "social engineering." It is possible to bullshit a CN/A operator for the NON-PUB DA number (i.e., you give them the name & they give you the unlisted number. See the article on unlisted numbers in this cookbook for more info about them.). This is due to the fact that they assume that you are a fellow company employee. Unfortunately, the AT&T breakup has resulted in the break-up of a few NON-PUB DA numbers and policy changes in CN/A.
INTERCEPT Operator:
The intercept operator is the one that you are connected to when there are not enough recordings available to tell you that the number has been disconnected or changed. She usually says, "What number you calling?" with a foreign accent. This is the lowest operator lifeform. Even though they don't know where you are calling from, it is a waste or your time to try to verbally abuse them since they usually understand very little English anyway.
Incidentally, a few area DO have intelligent INTERCEPT Operators.
OTHER Operators:
And then there are the: Mobile, Ship-to-Shore, Conference, Marine Verify, "Leave Word and Call Back", Rout & Rate (KP+800+141+1212+ST), & other special operators who have one purpose or another in the network.
Problems with an Operator:
Ask to speak to their supervisor... or better yet the Group Chief (who is the highest ranking official in any office) who is the equivalent of the Madame in a whorehouse.
By the way, some CO's that will allow you to dial a 0 or 1 as the 4th digit, will also allow you to call special operators & other fun Tel. Co. numbers without a blue box. This is very rare, though! For example, 212-121-1111 will get you a NY Inward Operator.
Office Hierarchy
Every switching office in North America (the NPA system), is assigned an office name and class. There are five classes of offices numbered 1 through 5. Your CO is most likely a class 5 or end office. All long-distance (Toll) calls are switched by a toll office which can be a class 4, 3, 2, or 1 office. There is also a class 4X office called an intermediate point. The 4X office is a digital one that can have an unattended exchange attached to it (known as a Remote Switching Unit (RSU)).
The following chart will list the Office #, name, & how many of those office exist (to the best of my knowledge) in North America:
Class Name Abb Number Existing
1 Regional Center RC 12
2 Sectional Center SC 67
3 Primary Center PC 230
4 Toll Center TC 1,300
4P Toll Point TP N/A
4X Intermediate Point IP N/A
5 End Office EO 19,000
6 RSU RSU N/A
When connecting a call from one party to another, the switching equipment usually tries to find the shortest route between the class 5 end office of the caller & the class 5 end office of the called party. If no inter-office trunks exist between the two parties, it will then move upward to the next highest office for servicing calls (Class 4). If the Class 4 office cannot handle the call by sending it to another Class 4 or 5 office, it will then be sent to the next highest office in the hierarchy (3). The switching equipment first uses the high-usage interoffice trunk groups, if they are busy then it goes to the final; trunk groups on the next highest level. If the call cannot be connected, you will probably get a re-order [120 IPM (interruptions per minute) busy signal] signal. At this time, the guys at Network Operations are probably shitting in their pants and trying to avoid the dreaded Network Dreadlock (as seen on TV!).
It is also interesting to note that 9 connections in tandem is called ring-around-the-rosy and it has never occurred in telephone history. This would cause an endless loop connection [a neat way to really screw up the network].
The 10 regional centers in the US & the 2 in Canada are all interconnected. they form the foundation of the entire telephone network. Since there are only 12 of them, they are listed below:
Class 1 Regional Office Location NPA
Dallas 4 ESS 214
Wayne, PA 215
Denver 4T 303
Regina No. 2SP1-4W (Canada) 306
St. Louis 4T 314
Rockdale, GA 404
Pittsburgh 4E 412
Montreal No. 1 4AETS (Canada) 504
To start off, we will discuss the dialing procedures for domestic as well as international dialing. We will also take a look at the telephone numbering plan.
North American Numbering Plan
In North America, the telephone numbering plan is as follows:
· 3 digit Numbering Plan Area (NPA) code , i.e., area code
· 7 digit telephone number consisting of a 3 digit Central Office (CO) code plus a 4 digit station number
These 10 digits are called the network address or destination code. It is in the format of:
Area Code Telephone #
--------- -----------
N*X NXX-XXXX
Where: N = a digit from 2 to 9
* = the digit 0 or 1
X = a digit from 0 to 9
Area Codes
Check your telephone book or the separate listing of area codes found on many bbs's. Here are the special area codes (SAC's):
510 - TWX (USA)
610 - TWX (Canada)
700 - New Service
710 - TWX (USA)
800 - WATS
810 - TWX (USA)
900 - DIAL-IT Services
910 - TWX (USA)
The other area codes never cross state lines, therefore each state must have at least one exclusive NPA code. When a community is split by a state line, the CO numbers are often interchangeable (i.e., you can dial the same number from two different area codes).
TWX (Telex II) consists of 5 teletype-writer area codes. They are owned by Western Union. These SAC's may only be reached via other TWX machines. These run at 110 baud (last I checked! They are most likely faster now!). Besides the TWX numbers, these machines are routed to normal telephone numbers. TWX machines always respond with an answerback. For example, WU's FYI TWX # is (910) 279-5956. The answerback for this service is "WU FYI MAWA".
If you don't want to but a TWX machine, you can still send TWX messages using Easylink [800/325-4112]. However you are gonna have to hack your way onto this one!
700:
700 is currently used by AT&T as a call forwarding service. It is targeted towards salesmen on the run. To understand how this works, I'll explain it with an example. Let's say Joe Q. Salespig works for AT&T security and he is on the run chasing a phreak around the country who royally screwed up an important COSMOS system. Let's say that Joe's 700 # is (700) 382-5968. Every time Joe goes to a new hotel (or most likely SLEAZY MOTEL), he dials a special 700 #, enters a code, and the number where he is staying. Now, if his boss received some important info, all he would do is dial (700) 382-5968 and it would ring wherever Joe last programmed it to. Neat, huh?
800:
This SAC is one of my favorites since it allows for toll free calls. INWARD WATS (INWATS), or Inward Wide Area Telecommunications Service is the 800 numbers that we are all familiar with. 800 numbers are set up in service areas or bands. There are 6 of these. Band 6 is the largest and you can call a band 6 # from anywhere in the US except the state where the call is terminated (that is why most companies have one 800 number for the country and then another one for their state.) Band 5 includes the 48 contiguous states. All the way down to band 1 which includes only the states contiguous to that one. Therefore, less people can reach a band 1 INWATS number than a band 6 number.
Intrastate INWATS #'s (i.e., you can call it from only 1 state) always have a 2 as the last digit in the exchange (i.e., 800-NX2-XXXX). The NXX on 800 numbers represent the area where the business is located. For example, a number beginning with 800-431 would terminate at a NY CO.
800 numbers always end up in a hunt series in a CO. This means that it tries the first number allocated to the company for their 800 lines; if this is busy, it will try the next number, etc. You must have a minimum of 2 lines for each 800 number. For example, Travelnet uses a hunt series. If you dial (800) 521-8400, it will first try the number associated with 8400; if it is busy it will go to the next available port, etc. INWATS customers are billed by the number of hours of calls made to their number.
OUTWATS (OUTWARD WATS): OUTWATS are for making outgoing calls only. Large companies use OUTWATS since they receive bulk-rate discounts. Since OUTWATS numbers cannot have incoming calls, they are in the format of:
(800) *XXX-XXXX
Where * is the digit 0 or 1 (or it may even be designated by a letter) which cannot be dialed unless you box the call. The *XX identifies the type of service and the areas that the company can call.
Remember:
INWATS + OUTWATS = WATS EXTENDER
900:
This DIAL-IT SAC is a nationwide dial-it service. It is use for taking television polls and other stuff. The first minute currently costs an outrageous 50-85 cents and each additional minute costs 35-85 cents. He'll take in a lot of revenue this way!
Dial (900) 555-1212 to find out what is currently on this service.
CO CODES
These identify the switching office where the call is to be routed. The following CO codes are reserved nationwide:
555 - directory assistance
844 - time. These are now in!
936 - weather the 976 exchange
950 - future services
958 - plant test
959 - plant test
970 - plant test (temporary)
976 - DIAL-IT services
Also, the 3 digit ANI & ringback #'s are regarded as plant test and are thus reserved. These numbers vary from area to area.
You cannot dial a 0 or 1 as the first digit of the exchange code (unless using a blue box!). This is due to the fact that these exchanges (000-199) contains all sorts of interesting shit such as conference #'s, operators, test #'s, etc.
950:
Here are the services that are currently used by the 950 exchange:
1000 - SPC
1022 - MCI Execunet
1033 - US Telephone
1044 - Allnet
1066 - Lexitel
1088 - SBS Skyline
These SCC's (Specialized Common Carriers) are free from fortress phones! Also, the 950 exchange will probably be phased out with the introduction of Equal Access.
Plant Tests:
These include ANI, Ringback, and other various tests.
976:
Dial 976-1000 to see what is currently on the service. Also, many bbs's have listings of these numbers.
N11 codes:
----------
Bell is trying to phase out some of these, but they still exist in most areas.
011 - international dialing prefix
211 - coin refund operator
411 - directory assistance
611 - repair service
811 - business office
911 - EMERGENCY
International Dialing
With International Dialing, the world has been divided into 9 numbering zones. To make an international call, you must first dial: International Prefix + Country code + National number.
In North America, the international dialing prefix is 011 for station-to-station calls. If you can dial International numbers directly in your area then you have International Direct Distance Dialing (IDDD).
The country code, which varies from 1 to 3 digits, always has the world numbering zone as the first digit. For example, the country code for the United Kingdom is 44, thus it is in world numbering zone 4. Some boards may contain a complete listing of other country codes, but here I give you a few:
1 - North America (US, Canada, etc.)
20 - Egypt
258 - Mozambique
34 - Spain
49 - Germany
52 - Mexico (southern portion)
7 - USSR
81 - Japan
98 - Iran (call & hassle those bastards!)
If you call from an area other than North America, the format is generally the same. For example, let's say that you wanted to call the White House from Switzerland to tell the president that his numbered bank account is overdrawn (it happens, you know!). First you would dial 00 (the SWISS international dialing prefix), then 1 (the US country code), followed by 202-456-1414 (the
national number for the White House. Just ask for Georgy and give him the bad news!)
Also, country code 87 is reserved for Maritime mobile service, i.e., calling ships:
871 - Marisat (Atlantic)
871 - Marisat (Pacific)
872 - Marisat (Indian)
International Switching:
------------------------
In North America there are currently 7 no. 4 ESS's that perform the duty of ISC (Inter-nation Switching Centers). All international calls dialed from numbering zone 1 will be routed through one of these "gateway cities". They are:
182 - White Plains, NY
183 - New York, NY
184 - Pittsburgh, PA
185 - Orlando, Fl
186 - Oakland, CA
187 - Denver, CO
188 - New York, NY
The 18X series are operator routing codes for overseas access (to be further discussed with blue boxes). All international calls use a signaling service called CCITT. It is an international standard for signaling.
Part II will deal with the various types of operators, office hierarchy, & switching equipment.
Operators
There are many types of operators in the network and the more common ones will be discussed.
TSPS Operator:
The TSPS [(Traffic Service Position System) as opposed to This Shitty Phone Service] Operator is probably the bitch (or bastard, for the female liberationists out there) that most of us are used to having to deal with. Here are his/her responsibilities:
1.Obtaining billing information for calling card or third number calls
2.Identifying called customer on person-to-person calls.
3.Obtaining acceptance of charges on collect calls.
4.Identifying calling numbers. This only happens when the calling number is not automatically recorded by CAMA(Centralized Automatic Message Accounting) & forwarded from the local office. This could be caused by equipment failures (ANIF- Automatic Number Identification Failure) or if the office is not equipped for CAMA (ONI- Operator Number Identification).
I once had an equipment failure happen to me & the TSPS operator came on and said, "What number are you calling FROM?" Out of curiosity, I gave her the number to my CO, she thanked me & then I was connected to a conversation that appeared to be between a frame man & his wife. Then it started ringing the party I wanted to originally call & everyone phreaked out (excuse the pun). I immediately dropped this dual line conference!
You should not mess with the TSPS operator since she KNOWS which number that you are calling from. Your number will show up on a 10-digit LED read-out (ANI board). She also knows whether or not you are at a fortress phone & she can trace calls quite readily! Out of all of the operators, she is one of the MOST DANGEROUS.
INWARD operator:
This operator assists your local TSPS ("0") operating connecting calls. She will never question a call as long as the call is within HER SERVICE AREA. She can only be reached via other operators or by a blue box. From a blue box, you would dial KP+NPA+121+ST for the INWARD operator that will help you connect any calls within that NPA only. (Blue Boxing will be discussed in a future file).
DIRECTORY ASSISTANCE Operator:
This is the operator that you are connected to when you dial: 411 or NPA-555-1212. She does not readily know where you are calling from. She does not have access to unlisted numbers, but she DOES know if an unlisted # exists for a certain listing.
There is also a directory assistance operator for deaf people who use teletypewriters. If your modem can transfer BAUDOT [(45« baud). One modem that I know of that will do this is the Apple Cat acoustic or the Atari 830 acoustic modem. Yea I know they are hard to find... but if you want to do this.. look around!) then you can call him/her up and have an interesting conversation. The number is: 800-855-1155. They use the standard Telex abbreviations such as GA for go ahead. they tend to be nicer and will talk longer than your regular operators. Also, they are more vulnerable into being talked out of information through the process of "social engineering" as Chesire Catalyst would put it.
Unfortunately, they do not have access to much. I once bullshitted with one of these operators a while back and I found out that there are 2 such DA offices that handle TTY. One is in Philadelphia and the other is in California. They have approx. 7 operators each. Most of the TTY operators think that their job is
boring (based on an official "BIOC poll"). They also feel that they are under-paid. They actually call up a regular DA number to process your request (sorry, no fancy computers!)
Other operators have access to their own DA by dialing KP+NPA+131+ST (MF).
CN/A operators:
CN/A Operators are operators that do exactly the opposite of what directory assistance operators are for. In my experience, these operators know more than the DA op's do & they are more susceptible to "social engineering." It is possible to bullshit a CN/A operator for the NON-PUB DA number (i.e., you give them the name & they give you the unlisted number. See the article on unlisted numbers in this cookbook for more info about them.). This is due to the fact that they assume that you are a fellow company employee. Unfortunately, the AT&T breakup has resulted in the break-up of a few NON-PUB DA numbers and policy changes in CN/A.
INTERCEPT Operator:
The intercept operator is the one that you are connected to when there are not enough recordings available to tell you that the number has been disconnected or changed. She usually says, "What number you calling?" with a foreign accent. This is the lowest operator lifeform. Even though they don't know where you are calling from, it is a waste or your time to try to verbally abuse them since they usually understand very little English anyway.
Incidentally, a few area DO have intelligent INTERCEPT Operators.
OTHER Operators:
And then there are the: Mobile, Ship-to-Shore, Conference, Marine Verify, "Leave Word and Call Back", Rout & Rate (KP+800+141+1212+ST), & other special operators who have one purpose or another in the network.
Problems with an Operator:
Ask to speak to their supervisor... or better yet the Group Chief (who is the highest ranking official in any office) who is the equivalent of the Madame in a whorehouse.
By the way, some CO's that will allow you to dial a 0 or 1 as the 4th digit, will also allow you to call special operators & other fun Tel. Co. numbers without a blue box. This is very rare, though! For example, 212-121-1111 will get you a NY Inward Operator.
Office Hierarchy
Every switching office in North America (the NPA system), is assigned an office name and class. There are five classes of offices numbered 1 through 5. Your CO is most likely a class 5 or end office. All long-distance (Toll) calls are switched by a toll office which can be a class 4, 3, 2, or 1 office. There is also a class 4X office called an intermediate point. The 4X office is a digital one that can have an unattended exchange attached to it (known as a Remote Switching Unit (RSU)).
The following chart will list the Office #, name, & how many of those office exist (to the best of my knowledge) in North America:
Class Name Abb Number Existing
1 Regional Center RC 12
2 Sectional Center SC 67
3 Primary Center PC 230
4 Toll Center TC 1,300
4P Toll Point TP N/A
4X Intermediate Point IP N/A
5 End Office EO 19,000
6 RSU RSU N/A
When connecting a call from one party to another, the switching equipment usually tries to find the shortest route between the class 5 end office of the caller & the class 5 end office of the called party. If no inter-office trunks exist between the two parties, it will then move upward to the next highest office for servicing calls (Class 4). If the Class 4 office cannot handle the call by sending it to another Class 4 or 5 office, it will then be sent to the next highest office in the hierarchy (3). The switching equipment first uses the high-usage interoffice trunk groups, if they are busy then it goes to the final; trunk groups on the next highest level. If the call cannot be connected, you will probably get a re-order [120 IPM (interruptions per minute) busy signal] signal. At this time, the guys at Network Operations are probably shitting in their pants and trying to avoid the dreaded Network Dreadlock (as seen on TV!).
It is also interesting to note that 9 connections in tandem is called ring-around-the-rosy and it has never occurred in telephone history. This would cause an endless loop connection [a neat way to really screw up the network].
The 10 regional centers in the US & the 2 in Canada are all interconnected. they form the foundation of the entire telephone network. Since there are only 12 of them, they are listed below:
Class 1 Regional Office Location NPA
Dallas 4 ESS 214
Wayne, PA 215
Denver 4T 303
Regina No. 2SP1-4W (Canada) 306
St. Louis 4T 314
Rockdale, GA 404
Pittsburgh 4E 412
Montreal No. 1 4AETS (Canada) 504
Thursday, September 01, 2005
anonymous coward submits: Hackers have released the phone, email, and address directory for NASA online. The directory contains over 1000 associates, affiliates, engineeers, scientists, and friends of NASA. NASA has yet to comment on the situation. The directory was released by SheepByte of the hacker zine 'TIZ'. You can check out the directory here:http://www.brokenfloppy.com/tiz/directory.txt
Monday, August 01, 2005
FREE MONEY FROM CHANGE MACHINE !!!!!!!
Have you ever seen one of those really big changer machines in airports Laundromats or arcades that dispense change when you put in your 1 or 5 dollar bill? Well then, here is an article for you.
1.Find the type of change machine that you slide in your bill length wise, not the type where you put the bill in a tray and then slide the tray in!!!
2.After finding the right machine, get a $1 or $5 bill. Start crumpling up into a ball. Then smooth out the bill, now it should have a very wrinkly surface.
3.Now the hard part. You must tear a notch in the bill on the left side about « inch below the little 1 dollar symbol (See Figure).
4.If you have done all of this right then take the bill and go out the machine. Put the bill in the machine and wait. What should happen is: when you put your bill in the machine it thinks everything is fine. When it gets to the part of the bill with the notch cut out, the machine will reject the bill and (if you have done it right) give you the change at the same time!!! So, you end up getting your bill back, plus the change!! It might take a little practice, but once you get the hang of it, you can get a lot of money!
\-----Make notch here. About «" down from the 1.
Anarchist cookbook
Have you ever seen one of those really big changer machines in airports Laundromats or arcades that dispense change when you put in your 1 or 5 dollar bill? Well then, here is an article for you.
1.Find the type of change machine that you slide in your bill length wise, not the type where you put the bill in a tray and then slide the tray in!!!
2.After finding the right machine, get a $1 or $5 bill. Start crumpling up into a ball. Then smooth out the bill, now it should have a very wrinkly surface.
3.Now the hard part. You must tear a notch in the bill on the left side about « inch below the little 1 dollar symbol (See Figure).
4.If you have done all of this right then take the bill and go out the machine. Put the bill in the machine and wait. What should happen is: when you put your bill in the machine it thinks everything is fine. When it gets to the part of the bill with the notch cut out, the machine will reject the bill and (if you have done it right) give you the change at the same time!!! So, you end up getting your bill back, plus the change!! It might take a little practice, but once you get the hang of it, you can get a lot of money!
\-----Make notch here. About «" down from the 1.
Anarchist cookbook
Sunday, July 31, 2005
ADDICTION TO HYDROCODONE ( LORTAB)
i HAVE BEEN ADDICTED TO HYDROCODONE FOR 3 YEARS NOW AND i AM BEGINING TO REALLY FEEL THE EFFECT OF DRUG ADDICTION . i HAVE DECIDED
TO PUT IT ALL BEHIND ME AND QUIT THIS SHIT . BUT I HAVE TO SAY IT WILL BE THE HARDEST THING I HAVE EVER DONE . MY ADVICE TO PEOPLE WHO BUY PILLS
IS ... QUIT OR SPEND YOUR LIFE SEARCHING FOR A BUZZ .
DRIZZT
i HAVE BEEN ADDICTED TO HYDROCODONE FOR 3 YEARS NOW AND i AM BEGINING TO REALLY FEEL THE EFFECT OF DRUG ADDICTION . i HAVE DECIDED
TO PUT IT ALL BEHIND ME AND QUIT THIS SHIT . BUT I HAVE TO SAY IT WILL BE THE HARDEST THING I HAVE EVER DONE . MY ADVICE TO PEOPLE WHO BUY PILLS
IS ... QUIT OR SPEND YOUR LIFE SEARCHING FOR A BUZZ .
DRIZZT
Friday, July 22, 2005
EASY STEP-BY-STEP INSTRUCTIONS!-------------------------------How to make a backup/larger Xbox drive with DiskPro Lite?1. CABLE SWITCH TRICK:a.Plug a power plug from your pc into your xbox hd and fire up your computer. b.Right when it starts booting up, start pressing the Pause Break key and do not let it detect your drives. c.Make sure the IDE cable is going from the xbox to the HD and turn on the xbox. d.Wait for the Xbox to get to the dashboard (fully booted)e.Unplug the ribbon cable that is going from the Xbox HD and replace it with one that is connected to your computer. f.Now, press a key (some times CTRL-Q is needed) to allow your computer to continue booting.2. COPY THE DRIVE TO ANOTHER DRIVE (SAME SIZE OR LARGER)!a.Download DiskPro Lite from "http://www.e-mart.com/www/download.html". You want to download the DPCR.EXE file. b.Execute the DPCR.EXE file to extract the files from it. c.Format a BOOTABLE DOS floppy. Copy the diskpro.exe file to the floppy. d.Boot your PC with the newly made floppy in the drive. e.At the DOS prompt type ``diskpro'' and hit enter (no quotes) f.Use the Quick Copy option g.Select your source drive h.Select your destination drive i.Make sure the above choices are correct before starting the copy j.Relax while the drive is copied to a new drive.k.If you need to use DiskPro again delete the hidden file it creates on your A and C drive named DOSFIT.DSK3. FIX THE PARTITIONS UP (ONLY DO THIS IF YOU ADDED A LARGER HD):a.You need to flash your BIOS to EvolutionX v2.2 or better.ie: If your using a Homebrew chip such as a 29F040B split in to 512k chunks. The EvolutionX v2.2 BIOS is on the EvolutionX ISO floating around. To split the BIOS use Windows Commander or a program like that. Now Flash the 512k BIOS flash your Homebrew chip. More info on flashing and splitting can be found at http://www.xbox-scene.com/articles/homemademod.phpI don't know how people with other mods are going to do this. b.Put the new HD in the XBox as MASTERc.Bootup using EvolutionX (on HD or DVD-R doesn't matter)d.FTP to your Xbox (use EvolutionX to get your IP if you don't know it)e.format just partition 6:ie: FTP COMMAND: Formatpath \Device\Harddisk0\Partition6You will receive a key. Use this key to type:FTP COMMAND: Formatdrive keyYOUR ALL DONE. YOU SHOULD HAVE A CLEAN, BACKED UP (AND MAYBE LARGER DEPENDING ON YOUR DRIVE) XBOX!!!!NOTES:* You might want to look at your drive space using EvolutionX before you start so you can see the difference.* This is risky. If you do anything wrong (and sometimes just because) you could lose your HD or Xbox MB making your XBox worthless.* You will need to know the basics of PC's to do this. How to setup new HD's (master/slave), how to FTP, how to follow instructions.* You will need the EvolutionX BIOS to format the partition.* This has been tested a few times on my system.
Burn copy protected discs at your own risk!!!
You must have dvd decrypter and dvd shrink you should be able to find a copy on the net.
to burn protected dvd's -
dvd decrypter
1- open dvd derypter and put the copy protected dvd in the drive.
2- make sure your source drive is selected ass your dvd drive.
3- click on decrypt and wait for it to finish decrypting.
4- now you are finished. take the dvd out of the drive
if your blank dvd is smaller in size than the
dvd you are copying, open up dvd shrink.
dvd shrink is used to shrink the size of the dvd, basicly saying it will
compress the files to fit a smaller disk than the ariginal.
(ie) 7.56gb to 4.7gb.
dvd shrink
1- open dvd shrink
2- click on open files, find the file called VIDEO_TS witch will be in the dir of a folder with the
same name as the movie you are copying, this folder was created by dvd decrypter and in
defoult location can be found in Local Disk (c:)
3- now click on backup, choose choose your dvd burner, then click on the burn settings tab
and name the Volume Label the name of the movie you are burning, then click OK at the
bottom of the window. after encoding is complete the burning process will start. when done
your dvd will eject from the drive. then click ok.
4- your done, you have now created a very close to perfact copy of a copy protected dvd. Drizzt
You must have dvd decrypter and dvd shrink you should be able to find a copy on the net.
to burn protected dvd's -
dvd decrypter
1- open dvd derypter and put the copy protected dvd in the drive.
2- make sure your source drive is selected ass your dvd drive.
3- click on decrypt and wait for it to finish decrypting.
4- now you are finished. take the dvd out of the drive
if your blank dvd is smaller in size than the
dvd you are copying, open up dvd shrink.
dvd shrink is used to shrink the size of the dvd, basicly saying it will
compress the files to fit a smaller disk than the ariginal.
(ie) 7.56gb to 4.7gb.
dvd shrink
1- open dvd shrink
2- click on open files, find the file called VIDEO_TS witch will be in the dir of a folder with the
same name as the movie you are copying, this folder was created by dvd decrypter and in
defoult location can be found in Local Disk (c:)
3- now click on backup, choose choose your dvd burner, then click on the burn settings tab
and name the Volume Label the name of the movie you are burning, then click OK at the
bottom of the window. after encoding is complete the burning process will start. when done
your dvd will eject from the drive. then click ok.
4- your done, you have now created a very close to perfact copy of a copy protected dvd. Drizzt
- XBOX cracked !!!
First you need to make sure that the game does not automatically load up from your evolutionx menu. (You cant copy a game while you play it)** :
1. Turn on your xbox WITHOUT a DVD in the drive.2. Highlight "system utilities" and press "a"(the green button)3. Highlight "settings" and press "a" 4. Scroll down the option until you find "auto launch games" and press "a" 5. Select "no" and press "a"6. Scroll down to "save and exit" and press "a"7. Reset your xbox WITHOUT a DVD in the drive (turn it off and then on again).
You should now be looking at the main evolutionx menu again; you should not notice anything different, now we can prepare a space to put the game in :
1. Put the game in the DVD drive and wait for the green light on the front of the xbox to stop flashing (you may also notice some writing on the screen change to "game" to acknowledge that there is indeed a game in the drive)2. Highlight "launch menu" and press "a"3. Highlight "apps" and press "a"4. Highlight "boxplorer" and press "a"5. Press Right trigger on control pad (you will notice the "A" change to "B" in the top right corner)6. Press the white button on the controller (this brings up the menu options)7. Highlight "select drive" and press "a"8. Highlight "e:\device\harddisk0\partition1" and press "a"9. Highlight "games" and press "a"10. Press the white button (menu options)11. Highlight "new folder" and press "a"12. Follow the onscreen instructions and "new folder" to whatever your game is called (this is only for reference and does not have to be exact)
You should now be looking at a screen with yellow writing: "new folder" (in) e:\games :
1. Follow the onscreen instructions to accept the new folder2. Press "a"3. Highlight your new folder and press "a" (the writing a the top of the screen should read "e:\games\nameofyourgame\"4. Press the left trigger (you will notice the letter in the top right hand corner turn from "B" to "A")5. Press the white button6. Highlight "select drive" and press "a"7. Select "d:\device\cdrom0" and press "a"8. Press the white button9. Highlight "mark all" and press "a"10. Press the white button11. Highlight "Copy" and press "a"12. Follow the onscreen instructions
Your xbox will now be busy for the next 15-40 min or so depending on your drive speed and the size of the game, so don’t switch it off until its finished, it WILL tell you its finished within the hour.Congratulations you’re done! You can now reset your xbox and launch the game from the evolution x dashboard without the DVD in the drive!*Deleting a game and switching on auto load is an exact reversal of these instructions (remember if you delete the wrong thing you will bugger up your xbox and someone will have to fix it for you**Some evolutionx menu settings may vary, so use your judgment.***Use these instructions at your own risk
This is a very large doc. please Try to read it all, if you want to hack you have to pay very close attention to the details !!
Personaly I love the details. This is where I live.
Drizzt
From: TELECOM Digest (Patrick Townson) <telecom@delta.eecs.nwu.edu>Message-Id: <199506140359.WAA28589@delta.eecs.nwu.edu>To: telecom@delta.eecs.nwu.eduSubject: Motorola Cell Phone Programming
Special mailing to the list; some good stuff about cell phones.
Date: Fri, 09 Jun 95 18:07:12 PDT From: levitt@zorro9.fidonet.org (Ken Levitt) Subject: Motorola Cell Programming
In response to my request on which pins on the 25 pin connector need to be shorted to get into programming mode on my Motorola Tote Phone, I received several responses. The answer is 20 & 21.
However, I also received a massive document from Dave Mathews(dmathews@netcom.com). This appears to be the most comprehensivedocument in existance on Motorola cell phone programming.
I have made some formatting changes, added a few lines regarding myexperiences, and fixed a few typos. I think this document should beplaced in the Telecom Archives for future reference by anyone needingthis information.
Document follows:
From: dmathews@netcom.com (Dave Mathews)
Some minor changes added by Ken Levitt (levitt@zorro9.fidonet.org)
MOTOROLA
NOTES: Some units have dual NAM's. The ESN prefix is 130 decimal, 82 hex. Motorola: 1-800-331-6456
There are MANY different models of Motorola phones sold under variousbrand names, if you think it's a Motorola, it probably is.
Determine which access sequence to use:
HAND HELD PORTABLE MODELS
If the phone has a FCN button and no MENU button use sequence 1.If the phone has no FCN button use sequence 2.If the phone has a MENU button and a FCN button use sequence 4.
INSTALLED MOBILE PHONES AND TRANSPORTABLE MODELS
If the phone has no FCN button and no RCL button use sequence 3.If the phone has a FCN button use sequence 4.If the phone has a MEM button use sequence 5.If the phone has a RCL button and no FCN button use sequence 6.
SEQUENCE# ACCESS CODE
1 FCN (SECURITY CODE TWICE) RCL2 STO # (SECURITY CODE TWICE) RCL3 CTL 0 (SECURITY CODE TWICE) *4 FCN 0 (SECURITY CODE TWICE) RCL5 FCN 0 (SECURITY CODE TWICE) MEM6 CTL 0 (SECURITY CODE TWICE) RCL
The default security code is 000000. The CTL (control) button is thesingle black button on the side of the handset.
NAM programing:
1. Turn the power on.
2. Within ten seconds enter the access sequence as determined above.
3. The phone should now show "01" in the left of the display, this is the first programing entry step number. If it does not the security code is incorrect, or the programing lock-out counter has been exceeded. In either case you can still program the unit by following the steps under TEST MODE PROGRAMING below.
4. The * key is used to increment each step:
Each time you press * the display will increment from the step number, displayed on the left, to the data stored in that step, displayed on the right. When the data is displayed make any necessary changes and press * to increment to the next step number.
5. The SND key is used to complete and exit programing when any STEP NUMBER is displayed.
If you have enabled the second phone number bit in step 10 below then pressing SND will switch to NAM 2. Steps 01 thru 06, 09 and 10 will repeat for NAM 2, the step number will be followed by a "2" to indicate NAM two.
5. The CLR key will revert the display to the previously stored data.
6. The # key will abort programing at any time.
PROGRAMING DATA:
STEP# #OF DIGITS/RANGE DESCRIPTION
01 00000 - 32767 SYSTEM ID02 3 DIGITS AREA CODE03 7 DIGITS TEL NUMBER04 2 DIGITS STATION CLASS MARK05 2 DIGITS ACCESS OVERLOAD CLASS06 2 DIGITS GROUP ID (10 IN USA)07 6 DIGITS SECURITY CODE08 3 DIGITS LOCK CODE09 0333 OR 0334 INITIAL PAGING CHANNEL10 6 DIGIT BINARY OPTION PROGRAMING (SEE NOTE 1)11 3 DIGIT BINARY OPTION PROGRAMING (SEE NOTE 2)
NOTES:
Take care with Motorola's use of "0" and "1". Some options use "0" toenable, some use "1".
1. This is a 6 digit binary field used to select the following options:
Digit 1: Internal handset speaker, 0 to enable. Digit 2: Local Use Mark, 0 or 1. Digit 3: MIN Mark, 0 or 1. Digit 4: Auto Recall, always set to 1 (enabled). Digit 5: Second phone number (not all phones), 1 to enable. Digit 6: Diversity (Two antennas, not all phones), 1 to enable.
2. This is a 3 digit binary field used to select the following options:
Digit 1: Continuous DTMF, 1 to enable. Digit 2: Transportable Ringer/Speaker, 0=Transducer, 1=Handset. Digit 3: 8 hour time out in transportable mode, 0 to enable.
On newer models, they have added and changed some numbers. The numbersas of the 3/27/92 manual are as follows:
1. The 6 digit binary field is still the same.
2. The 3 digit binary field has become a 5 digit binary field.
Digit 1: Failed Page Indicator 1=Disabled;0=Enabled Digit 2: Motorola Enhanced Scan 1=Enabled; 0=Disabled Digit 3: Long Tone DTMF 1=Enabled; 0=Disabled Digit 4: Transportable Internal Ringer Speaker 1=Handset; 0=Transdcr Digit 5: Eight Hour Timeout 1=Disabled;0=Enabled
TEST MODE ACCESS:
INSTALLED MOBILE PHONES AND TRANSPORTABLE MODELS
To enter test mode on units with software version 85 and higher you mustshort pins 20 and 21 of the 25 pin (DB-25) transceiver data connector. AnRS-232 break out box is useful for this, or construct a test mode adaptorfrom standard Radio Shack parts.
Notes added by Ken Levitt (levitt@zorro9,fidonet.org) regarding Motorola Tote Phone model 52770A The Battery is connected to pins 16 (+) and 3 (-), so pins 3, 16, 20, and 21 should be all you need to get into test mode. When the phone is powered up, "Loc'd" displays on the handset. Enter the unlock to see the alternating status display listed below under #02, or press # to directly enter programming mode. ("US" will display)
For MINI TR or Silver Mini Tac transceivers (smaller data connector) youcan either short pins 9 and 14 or simply use a paper clip to short thehands free microphone connector.
HAND HELD PORTABLE MODELS:
There are two basic types of Motorola portable phones, the Micro-Tac series"Flip" phones, and the larger 8000 and Ultra Classic phones. Certain newerMotorola and Pioneer badged Micro-Tac phones do not have a "flip", butfollow the same procedure as the Micro-Tac.
8000 & ULTRA CLASSIC SERIES:
If you have an 8000 series phone determine the "type" before trying toenter test mode. On the back of the phone, or on the bottom in certainolder models, locate the F09... number this is the series number. If theFOURTH digit of this number is a "D" you CAN NOT program the unit throughtest mode, a Motorola RTL4154/RTL4153 programer is required to make anychanges to this unit.
Having determined that you do not have a "D" series phone the followingprocedure is used to access test mode:
Remove the battery from the phone and locate the 12 contacts at the topnear the antenna connector. These contacts are numbered 1 through 12 fromtop left through bottom right. Pin 6, top right, is the Manual Test ModePin. You must ground this pin while powering up the phone. Pin 7 (lowerleft) or the antenna connector should be used for ground. Follow one ofthese procedures to gain access to pin 6:
1. The top section of the battery that covers the contacts containsnothing but air. By careful measuring you can drill a small hole in thebattery to gain access to pin 6, alternately simply cut the top off thebattery with a hack saw. Having gained access use a paper clip to shortpin six to the antenna connector ground while powering up the phone.
2. If you do not want to "destroy" a battery you can apply an external 7.5volts to the + and - connectors at the bottom of the phone, ground pin 6while powering up the phone as above.
3. You can also try soldering or jamming a small jumper between pins 6 and7 (top right to lower left), or between pin 6 and the antenna connectorhousing ground. Carefully replace the battery and power up the phone. Usecaution with this method not to short out any other pin.
4. A cigarette lighter adaptor, if you have one, also makes a great testmode adaptor as it can be disassembled to give you easier access to pin 6.Many are pre marked, or even have holes in the right location. This isbecause they are often stamped from the same mold that the manufactureruses for making hands free adaptor kits and these kits require access tothe phone's connectors.
/ Antenna Housing ZDD? ZDDDDDEDDEDDDDD? 3* 3 3 *3 CDDDDDABBADDDDD4 To enter test mode, ground pin 6 to either pin 7 3H H HZY@?H H H3 or the antenna housing. I personally wrapped a 3H H H@DDYH H H3 paper clip around the antenna housing and bent it CDDDDDDDDDDDDDD4 so it *ALMOST* touched the test pin. All I had 3 Back of phone3 to do was push the paper clip a little when I 3 with battery 3 turned the phone on. 3 removed. The3 3 H is a pin. 3 3 3 3 Counting at 3 3 the top left 3 3 to right. 3 3 3 31 2 3 4 5 63 37 8 9 1011123 3 3 3 3 3* ZD? ZD? *3 @DDADADDD-ADADDY
MICRO-TAC "FLIP" SERIES:
This phone follows similar methods as outlined for the 8000 series above.
Remove the battery and locate the three contacts at the bottom of thephone, the two outer contacts are raised and connect with the battery. Thecenter contact is recessed, this is the Manual Test Mode connector.
Now look at the battery contacts, the two outer ones supply power to thephone, the center contact is an "extra" ground. This ground needs to beshorted to the test mode connector on the phone. The easiest way to dothis is to put a small piece of solder wick, wire, aluminum foil or anyother conductive material into the recess on the phone. Having done thiscarefully replace the battery and turn on the power, if you have beensuccessful the phone will wake up in test mode.
ZDDD? 3 3 ZDADDDADDDDDDDDDDDDDDDDD? 3 3 3DDDDDDDD? ZDDDDDDDD3 3 @DDDDDY 3 3 3 3 Flip phone with 3 3 battery removed. The 3 3 H's are pins. Pin 3 3 2 is the test pin and 3 3 is recessed. Put 3 3 something in the 3 3 recess so it touches 3 3 the battery. 3 3 1 2 3 3 3 3 3 H H H 3 @DDDDDDDDDDDDDDDDDDDDDDDY
GENERAL NOTES:
HANDSETS: Most Motorola handsets are interchangeable, when a handset isused with a transceiver other than the one it was designed for the displaywill show "LOANER". Some features and buttons may not work, for instanceif the original handset did not have a RCL or STO button, and thereplacement does, you will have to use the control * or control # sequenceto access memory and A/B system select procedures.
LOCK/UNLOCK PROCEDURES:
Phones with "LOCK" buttons: Press lock for at least 1/2 a second.
Phones with a "FCN" button: Press FCN 5, note that 5 has the letter's "J,K, and L" for lock.
Phones with no FCN or LOCK button: Press Control 5, control is the black volume button on the side of the handset.
SYSTEM SELECT PROCEDURES:
Phones with a RCL button: Press RCL *, then * to select, STO to store.
Phones with no RCL button: Press Control * then * to select, # to store.
Options are: CSCAn: Preferred/Non preferred with system lockout. Std A/b, or Std b/A: Preferred/Non preferred. SCAn Ab, or SCAn bA: Non preferred/Preferred SCAn A: "A" ONLY SCAn b: "B" ONLY HOME: Home only
(these are typical options, some phone's vary. C-Scan is only available on newer models and does not appear unless programmed, see below.)
TEST MODE Taken from the July 1993 Cellular Subscriber Technical Training Manual Item# 68P09300A60-C and the Curtis Namfax vol.4. I believe this is a complete listing of all the commands that were ever possible. This includes old phones and the new ones. If there are two entries for a particular number, the first one is the current command and the second is for older models.
NOTE: Not all commands work on all telephones. If a command is not valid the display will show "ErrOr." Not all numbers have been assigned. Not all numbers have been listed here. Some commands were intended only for Motorola factory applications. (This is the disclaimer in the technical training manual. I have included all of the other commands I have discovered one way or another. I do believe this is a complete list of the commands.)
Three test commands are significant for programming and registering thethe telephone for service: see full descriptions under TEST MODE COMMANDS.
32# Clears the telephone. (Older Motorola allowed either three or fifteen changes in the MIN. After that, the phone had to be sent to Motorola toreset the counter. This is the command they use.)
38# Displays the ESN
55# This is the TEST MODE PROGRAMMING (as described below).
TEST MODE COMMANDS:
# Enter Test Command Mode
00# no function
01# Restart (Re-enter DC power start-up routine.) On TDMA telephones, this command has the same effect as pressing the PWR button.
02# Display Current Telephone Status (This is a non-alternating version of the STATUS DISPLAY. On a 14 character display, all the information is shown. On a 7 character display only the information on the second line of a 14 character display is shown. On a 10 character display, all the information on the second line of a 14 charcter display plus the last three characters of the first line are shown.)
STATUS DISPLAY, ALTERNATES BETWEEN: AAA BBB AAA = Channel Number (decimal) BBB = RSSI reading for channel CDEFGHI are as follows:
C = SAT frequency (0=5970, 1=6000, 2=6030, 3=no channel lock) D = Carrier (0=off, 1=on) E = Signalling tone (0=off, 1=on) F = Power attenuation level (0 through 7) G = Channel mode (0=voice channel, 1=control channel) H = Receive audio mute (0=unmuted, 1=muted) I = Transmit audio mute (0=unmuted, 1=muted)
Press * to hold display and # to end.
03# Reset Autonomous Timer. This command results in the reset of the autonomous timer but does not provide any test function on these models.
04# Initializes Telephone to Standard Default Conditions: Carrier Off, Power Level 0, Receiver Audio Muted, Transmit Audio Muted, Signalling Tone Off, SAT Off, Resetting of Watch-Dog Timer Enabled, DTMF and Audio Tones Off, Audio Path Set to Speaker
05# TX Carrier On (Key Transmitter)
06# TX Carrier Off
07# RX Audio Off (Mute Receiver Audio)
08# RX Audio On (Unmute Receiver Audio)
09# TX Audio Off
10# TX Audio On
11(Ch.No.)# Set Tranceiver to Channel xxxx (Receive and Transmit in Decimal; accepts 1, 2, 3, or 4 digits)
12x# Set Power Step to x; (0,1-7) 0=Maximum Power (3 Watts) 7=Minimum Power Out
13# Power Off (Shuts off the radio)
14# 10 kHz Signalling Tone On
15# 10 kHz Signalling Tone Off
16# Setup (Transmits a five word RECC message; each of the five words will be "FF00AA55CC33." Transmitter de-keys at the end of the message.)
17# Voice (Transmits a two word REVC message; each of the two words will be "FF00AA55CC33." Transmitter de-keys at the end of the message.)
18# C-Scan (Allows for entry of as many as 5 negative SID's for each NAM.)
Newer Motorola phones are equipped with a feature called C-Scan, this is an option along with the standard A/B system selections. C-Scan allows the phone to be programed with up to five inhibited system ID's per NAM. This is designed to prevent the phone from roaming onto specified non-home systems and therefore reduce "accidental" roaming fees.
1. C-Scan can only be programed from test mode, power phone up with the relevant test mode contact grounded (see above).
2. Press # to access test mode.
3. Press 18#, the phone will display "0 40000".
4. Enter the first inhibited system ID and press *.
Continue to enter additional system ID's if required. After the 5th entry the phone will display "N2". Press * to continue and add system ID's for NAM 2 as required.
5. If an incorrect entry is made (outside the range of 00000-32767) the display will not advance, press CLR and re-enter. Use a setting of 40000 for any un-needed locations.
6. When the last entry has been made press * to store and press # to exit, turn off power. or [**Phones without the C-Scan option used this command to SEND NAM.**]
18# SEND NAM. Display shows AA BB. Where AA=Address and BB=Data. Displays the contents of the NAM, one address at a time, advanced by pressing the * key. The following data is contained in NAM. The test is exited by depressing the # key. SIDH Sec. Code OPT. (1,2,&3) MIN MIN1, MIN2 FCHNA SCM FCHNB IPCH NDED ACCOLC CHKSUM GIM
19# Display Software Version Number (4 digits displayed as year and week)
NOTE: Entering commands 20# through 23# or 27# causes the tranceiver to begin a counting sequence or continous transmission as described below. In order to exit from the commands to enter another test command, the # key must be depressed; all other key depressions are ignored.
20# Receive control channel messages counting correctable and uncorrectable errors. When the command starts, the number of the command will be displayed in the upper-right corner of the display. Entering a # key will terminate the command and display two three-digit numbers in the display. The first number is the number of correctable errors and the second is the uncorrectable errors.
21# Received voice channel messages counting correctable and uncorrectable errors. When the command starts, the number of the command will be displayed in the upper right-hand corner of the display. Entering a # key terminates the command and will display two three-digit numbers in display. The first is the number of correctable errors and the second is the uncorrectable errors.
22# Receive control channel messages counting word sync sequence. When the command starts, the number of the command will be displayed in the upper right-hand corner of the display. Entering a # key will terminate the command and display the number of word sync sequences in the display.
23# Receive voice channel messages counting word sync sequences. When the command starts, the number of the command will be displayed in the upper right-hand corner of the display. Entering a # key will terminate the command and display the number of word sync sequences in the display.
24# Receive control channel data and display the majority voted busy/idle bit. 0=idle 1=busy
25x# SAT On When x=0, SAT=5970HZ x=1, SAT=6000HZ x=2, SAT=6030HZ
26# SAT Off
27# Transmit Data (Transmits continuous control channel data. All words will be "FF00AA55CC33." When the command starts, '27' will be displayed in the right side of the display. Entering a # key will terminate the command. The transmitter de-keys when finished.)
28# Activate the high tone (1150 Hz +/- 55 Hz)
29# De-activate the high tone
30# Activate the low tone (770 Hz +/- 40 Hz)
31# De-activate the low tone
32# Clear (Sets non-volatile memory to zeroes or factory default. This command will affect all counters, all repertory memory including the last number called stack, and all user programmable features including the setting of System Registration. It does not affect the ESN, NAM, phasing data, or lock code. This takes a minute or so. DO NOT TURN OFF THE TELEPHONE WHILE THIS IS SHOWING '32' ON THE DISPLAY. WAIT UNTIL THE NORMAL SERVICE LEVEL DISPLAY RESUMES!)
33x# Turn on DTMF for x (1-9, *, 0, #, plus the single tones) Where x=1 697 Hz + 1209 Hz 10 697 Hz 2 697 Hz + 1336 Hz 11 770 Hz 3 697 Hz + 1477 Hz 12 852 Hz 4 770 Hz + 1209 Hz 13 941 Hz 5 770 Hz + 1336 Hz 14 1150 Hz (not used in cellular) 6 770 Hz + 1477 Hz 15 1209 Hz 7 852 Hz + 1209 Hz 16 1336 Hz 8 852 Hz + 1336 Hz 17 1477 Hz 9 852 Hz + 1477 Hz 18 1633 Hz (not used in cellular) * 941 Hz + 1209 Hz 0 941 Hz + 1336 Hz # 941 Hz + 1477 Hz
34# Turn DTMF Off
35# Display RSSI ("D" Series Portable Only)
or
35x# Set Audio Path to x x=0, V.S.P Microphone (Applies to mobiles only.) x=1, Speaker x=2, Alert x=3, Handset x=4, Mute x=5, External Telephone (Applies to Portables Only) x=6, External Handset (Applies to NEWER Portables)
36nnn# Scan (TDMA Telephones only. Scans the primary control channels and attempts to decipher the forward data stream. The display will show PASS1 if the strongest control channel was accessed, PASS2 if the second strongest was accessed, and FAIL if no control channel could be accessed.) (nnn=Scan speed in milliseconds). Tunes from channel 1 to 666 in order. Entering a * pauses the scan and displays current Channel Number and RSSI reading (AAA=Channel Number and BBB=RSSI Reading). When scan speed is 300 milliseconds or greater, the current status is displayed during the scan; when less than 300 milliseconds the status is displayed only during pause. Entering * during a pause causes the scan to resume. Entering # aborts the scan and leaves the mobile tuned to the current channel. During this command only the * and # keys are recognized.
37# no function
38# Display ESN (Displays ESN in four steps, two hexadecimal digits at a time in a for digit display. The decimal shows the address, 00 through 03 as the first two digits, and two digits of the ESN as the last two digits. Use the 'G' to step through the entire hexadecimal ESN.)
Compander OFF ("D" Series Portables)
or
38# SND-SNM. Display shows AA BB. Where AA=Address;BB=Data. Send the SNM to the display. All 32 bytes of the SNM will be displayed, one byte at a time. The byte address will be displayed in the upper right-hand corner and the contents of that address will be displayed in the hex. The * key is used to step through the address similar to the SEND-NAM (18#) command.
39# Compander ON ("D" Series Portables)
or
39# RCVSU. Receive one control channel word. When the word is received it is displayed in hex. This command will be complete when a control channel word is received or when the # key is entered to abort the command.
40# RCVVC. Receive one voice channel word. When the word is received it is displayed in hex. This command will be complete when a voice channel word is received or when the # key is entered to abort the command.
41# Enables Diversity (On F19CTA... Series only.)
42# Disables Diversity (On F19CTA... Series only.)
43# Disable Diversity USE T/R ANTENNA (On F19CTA... Series only.) USE R ANTENNA (On D.M.T./ Mini TAC)
44# Disable Diversity USE R ANTENNA (On F19CTA... Series only.) USE T/R ANTENNA (On D.M.T./ Mini TAC)
45# Display Current RSSI (Displayed as a three-digit decimal number)
46# Display Cumulative Call Timer
47x# Set RX Audio level to X (For F19CTA ...Series Tranceivers) X=0, Lowest Volume X=6, Highest Volume X=7, mute Normal setting is 4. (For D.M.T./ Mini TAC Tranceivers) X=0, Lowest Volume X=7, Highest Volume Normal setting is 4. (For TDMA Tranceivers and F09F... Series and Higher Portables) X=0, Lowest Volume X=15, Highest Volume Normal setting is 2 to 4. (On TDMA Tranceivers and Micro TAC portables, settings 8 through 15 are for DTMF applications only.)
48# Side Tone On. Use this command in conjunction with 350# to test the entire audio path in hands-free applications.
49# Side Tone Off
50# Maintenance data is transmitted and test results displayed: PASS=received data is correct FAIL 1=2second timeout, no data rec. FAIL 2=received data is incorrect
51# Test of mobile where maintenance data is transmitted and looped back. Display is as follows: PASS=looped-back data is correct FAIL 1=2 second timeout, no looped-back data FAIL 2=looped-back data is incorrect
52x# SAT Phase Adjustment. A decimal value that corresponds to phase shift compensation in 4.5 degree increments. Compensation added to inherent phase shift in tranceiver to achieve a total of 0 degrees phase shift.
Do NOT enter any values except those shown below.
0 degrees = 0 121.5 degrees = 59 243.0 degrees = 86 4.5 = 1 126.0 = 60 247.5 = 87 9.0 = 2 130.5 = 61 252.0 = 112 13.5 = 3 135.0 = 62 256.5 = 113 18.0 = 4 139.5 = 63 261.0 = 114 22.5 = 5 144.0 = 40 265.5 = 115 27.0 = 6 148.5 = 41 270.0 = 116 31.5 = 7 153.0 = 42 274.5 = 117 36.0 = 16 157.5 = 43 279.0 = 118 40.5 = 17 162.0 = 44 283.5 = 119 45.0 = 18 166.5 = 45 288.0 = 120 49.5 = 19 171.0 = 46 292.5 = 121 54.0 = 20 175.5 = 47 297.0 = 122 58.5 = 21 180.0 = 64 301.5 = 123 63.0 = 22 184.5 = 65 306.0 = 124 67.5 = 23 189.0 = 66 310.5 = 125 72.0 = 48 193.5 = 67 315.0 = 126 76.5 = 49 198.0 = 68 319.5 = 127 81.0 = 50 202.5 = 69 324.0 = 104 85.5 = 51 207.0 = 70 328.5 = 105 90.0 = 52 211.5 = 71 333.0 = 106 94.5 = 53 216.0 = 80 337.5 = 107 99.0 = 54 220.5 = 81 342.0 = 108 103.5 = 55 225.0 = 82 346.5 = 109 108.0 = 56 229.5 = 83 351.0 = 110 112.5 = 57 234.0 = 84 355.5 = 111 117.0 = 58 238.5 = 85 360.0 = 70 53# Enable scrambler option, when equipped.
54# Disable scrambler option, when equipped.
55# Display/Program N.A.M. (Test Mode Programming)
TEST MODE PROGRAMING:
Assuming you have completed one of the above steps correctly the phone will wake up in test mode when you turn the power on. When you first access test mode the phone's display will alternate between various status information that includes the received signal strength and channel number.
Note - On some models, the display will show "Loc'd" when powered up. to disply alternating status, enter the unlock code, or to enter programming mode, press # and "US" will display.
The phone will operate normally in this mode. You can now access Service Mode by pressing the # key, the display will clear and a ' will appear. Use the following procedure to program the phone:
1. Enter 55# to access programing mode.
2. The * key advances to the next step. (NOTE that test mode programing does NOT have step numbers, each time you press the * key the phone will display the next data entry).
3. The CLR key will revert the display to the previously stored data.
4. The # key aborts programing at any time.
5. To complete programing you must scroll through ALL entries until a ' appears in the display.
6. Note that some entries contain more digits than can be displayed by the phone, in this case only the last part of the data can be seen.
TEST MODE PROGRAMING DATA:
STEP# #OF DIGITS/RANGE DESCRIPTION
01 00000 - 32767 SYSTEM ID 02 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 1 BELOW 03 10 DIGITS MIN (AREA CODE & TEL#) 04 2 DIGITS STATION CLASS MARK 05 2 DIGITS ACCESS OVERLOAD CLASS 06 2 DIGITS GROUP ID (10 IN USA) 07 6 DIGITS SECURITY CODE 08 3 DIGITS LOCK CODE 09 3 DIGITS SERVICE LEVEL (LEAVE AT 004) 10 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 2 BELOW 11 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 3 BELOW 12 0333 OR 0334 INITIAL PAGING CHANNEL 13 0333 "A" SYSTEM IPCH 14 0334 "B" SYSTEM IPCH 15 3 DIGIT NUMBER PAGING CHANNEL (021 IN USA) 16 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 4 BELOW
Steps 01 through 06 and 12 will repeat for NAM 2 if the second phone number bit has been enabled in step 11.
NOTES:
Take care with Motorola's use of "0" and "1". Some options use "0" to enable, some use "1".
These are eight digit binary fields used to select the following options:
1. (step 02 above, suggested entry is: 11101001 for "A" system, 10101001 for "B" sys)
Digit 1: Local use mark, 0 or 1. Digit 2: Preferred system, 0 or 1. Digit 3: End to end (DTMF) dialing, 1 to enable. Digit 4: Not used, enter 0. Digit 5: Repertory (speed) dialing, 1 to enable. Digit 6: Auxiliary (horn) alert, 1 to enable. Digit 7: Hands free (VSP) auto mute, 1 to enable (mutes outgoing hands free audio until the MUTE key is pressed). Digit 8: Min mark, 0 or 1.
2. (step 10 above, suggested entry is: 00000100)
Digits 1 - 4: Not used in USA, enter 0. Digit 5: Single system scan, 1 to enable (scan A or B system only, determined by bit 2 of step 02. Set to "0" to allow user the option). Digit 6: Super speed dial, 1 to enable (pressing N, or NN SND will dial the number stored in memory location NN). Digit 7: User selectable service level, 0 to enable (allows user to set long distance/memory access dialing restrictions). Digit 8: Lock function, 0 to enable (allows user to lock/un-lock the phone, if this is set to 1 the phone can not be locked).
3. (step 11 above, suggested entry is: 00000000)
Digit 1: Handset programing, 0 to enable (allows access to programing mode without having to enter test mode). Digit 2: Second phone number (not all phones), 1 to enable. Digit 3: Call timer access, 0 to enable. Digit 4: Auto system busy redial, 0 to enable. Digit 5: Speaker disable, 1 to enable (use with select VSP units only, do not use with 2000 series mobiles). Digit 6: IMTS/Cellular, 1 to enable (rarely used). Digit 7: User selectable system registration, 0 to enable. Digit 8: Dual antennae (diversity), 1 to enable.
4. (step 16 above, suggested entry is: 0011010 for portable and 0011011 for mobile units)
Digit 1: Not used, 0 only. Digit 2: Not used, 0 only Digit 3: Continuous DTMF, 1 to enable (software version 8735 and later) Digit 4: 8 hour time-out, 0 to enable (software version 8735 and later) Digit 5: Not used, 0 only. Digit 6: Failed page indicator, 0 to enable (phone beeps when an incoming call is detected but signal conditions prevent completion of the call). Digit 7: Portable scan, 0 for portable, 1 for mobile units.
56# no function
57x# Call Processing Mode x=0, AMPS x=1, NAMPS x=2-4, RESERVED x=5, TDMA signalling x=6, TDMA signalling with loopback before decoding x=7, TDMA signalling with loopback voice after decoding x=8, TDMA signalling with loopback FACCH after decoding x=9, TDMA forced synchronization
58# Compander On (Audio compressor and expander) (See 39#)
59# Compander Off (Audio compressor and expander) (See 38#)
60# no function
61# ESN Transfer (For Series I D.M.T./Mini TAC only)
62# Turn On Ringer Audio Path
63# Turn Off Ringer Audio Path
64#-65# no function
66# Identity Transfer (Series II Tranceivers and some Current Shipping Portables)
67# no function
68# Diaplay FLEX and Model Information
69# Used with Identity Transfer
70# Abbreviated field transmitter audio deviation command, for tranceivers with FCC ID ABZ89FT5668.
71# Abbreviated field power adjustment command, for tranceivers with FCC ID ABZ89FT5668.
72# Field audio phasing commands.
73# Field power adjustment command.
74#-99# no function
Notes: There are several numbers that say "no function" next to their entry. In the technical manual, those numbers APPEAR to have no function. It is very possible that they DO IN FACT have a function. As far as I know, using the information provided by the technical manual, I know of no functions for these numbers. But at the top you'll notice in the disclaimer that NOT ALL FUNCTIONS ARE LISTED HERE. That leaves open the possibility of others. Try these numbers and you may get lucky (or you may wipe some vital information...who knows?). I am in fact almost certain that it is possible to change the ESN via the handset. It is just a matter of finding the correct combination of commands. You can bet that won't be easy, but it can't stay a secret forever though!
For more information, call Motorola and order part# 68-093-00a60. This is a cellular service manual that's used in their cellular service classes that sells for $30. Ask for the Order Fulfillment department when ordering. This manual tells it all! An absolute must have for Motorola users.
I think this might help. There are some that say no function, they MIGHT.Case in point: 37# does something but we don't know yet...:)
Dave
Ken Levitt - On FidoNet gateway node 1:16/390 UUCP: zorro9!levittINTERNET: levitt@zorro9.fidonet.org or levitt%zorro9.uucp@talcott.harvard.edu
--------------------
[TELECOM Digest Editor's Note: My experience has been that when you examineone of the steps for which there is supposedly 'no function' it is best to*carefully* make notes *before* starting anything.
For example, step through one of those and write down on paper the datayou see there. If there is indeed 'no function' for that step, thenwhatever you see there may be just random garbage. But if you don't knowwhat was there, you can't replace it if you need to!
So write it all down first. Then experiment with different values andsee what you find out. Bear in mind some of those 'no functions' may infact cause the data elsewhere to be erased or altered, thus I cannotstress enough to write down every bit of data from every single step*before* you start messing around with anything.
PAT
Personaly I love the details. This is where I live.
Drizzt
From: TELECOM Digest (Patrick Townson) <telecom@delta.eecs.nwu.edu>Message-Id: <199506140359.WAA28589@delta.eecs.nwu.edu>To: telecom@delta.eecs.nwu.eduSubject: Motorola Cell Phone Programming
Special mailing to the list; some good stuff about cell phones.
Date: Fri, 09 Jun 95 18:07:12 PDT From: levitt@zorro9.fidonet.org (Ken Levitt) Subject: Motorola Cell Programming
In response to my request on which pins on the 25 pin connector need to be shorted to get into programming mode on my Motorola Tote Phone, I received several responses. The answer is 20 & 21.
However, I also received a massive document from Dave Mathews(dmathews@netcom.com). This appears to be the most comprehensivedocument in existance on Motorola cell phone programming.
I have made some formatting changes, added a few lines regarding myexperiences, and fixed a few typos. I think this document should beplaced in the Telecom Archives for future reference by anyone needingthis information.
Document follows:
From: dmathews@netcom.com (Dave Mathews)
Some minor changes added by Ken Levitt (levitt@zorro9.fidonet.org)
MOTOROLA
NOTES: Some units have dual NAM's. The ESN prefix is 130 decimal, 82 hex. Motorola: 1-800-331-6456
There are MANY different models of Motorola phones sold under variousbrand names, if you think it's a Motorola, it probably is.
Determine which access sequence to use:
HAND HELD PORTABLE MODELS
If the phone has a FCN button and no MENU button use sequence 1.If the phone has no FCN button use sequence 2.If the phone has a MENU button and a FCN button use sequence 4.
INSTALLED MOBILE PHONES AND TRANSPORTABLE MODELS
If the phone has no FCN button and no RCL button use sequence 3.If the phone has a FCN button use sequence 4.If the phone has a MEM button use sequence 5.If the phone has a RCL button and no FCN button use sequence 6.
SEQUENCE# ACCESS CODE
1 FCN (SECURITY CODE TWICE) RCL2 STO # (SECURITY CODE TWICE) RCL3 CTL 0 (SECURITY CODE TWICE) *4 FCN 0 (SECURITY CODE TWICE) RCL5 FCN 0 (SECURITY CODE TWICE) MEM6 CTL 0 (SECURITY CODE TWICE) RCL
The default security code is 000000. The CTL (control) button is thesingle black button on the side of the handset.
NAM programing:
1. Turn the power on.
2. Within ten seconds enter the access sequence as determined above.
3. The phone should now show "01" in the left of the display, this is the first programing entry step number. If it does not the security code is incorrect, or the programing lock-out counter has been exceeded. In either case you can still program the unit by following the steps under TEST MODE PROGRAMING below.
4. The * key is used to increment each step:
Each time you press * the display will increment from the step number, displayed on the left, to the data stored in that step, displayed on the right. When the data is displayed make any necessary changes and press * to increment to the next step number.
5. The SND key is used to complete and exit programing when any STEP NUMBER is displayed.
If you have enabled the second phone number bit in step 10 below then pressing SND will switch to NAM 2. Steps 01 thru 06, 09 and 10 will repeat for NAM 2, the step number will be followed by a "2" to indicate NAM two.
5. The CLR key will revert the display to the previously stored data.
6. The # key will abort programing at any time.
PROGRAMING DATA:
STEP# #OF DIGITS/RANGE DESCRIPTION
01 00000 - 32767 SYSTEM ID02 3 DIGITS AREA CODE03 7 DIGITS TEL NUMBER04 2 DIGITS STATION CLASS MARK05 2 DIGITS ACCESS OVERLOAD CLASS06 2 DIGITS GROUP ID (10 IN USA)07 6 DIGITS SECURITY CODE08 3 DIGITS LOCK CODE09 0333 OR 0334 INITIAL PAGING CHANNEL10 6 DIGIT BINARY OPTION PROGRAMING (SEE NOTE 1)11 3 DIGIT BINARY OPTION PROGRAMING (SEE NOTE 2)
NOTES:
Take care with Motorola's use of "0" and "1". Some options use "0" toenable, some use "1".
1. This is a 6 digit binary field used to select the following options:
Digit 1: Internal handset speaker, 0 to enable. Digit 2: Local Use Mark, 0 or 1. Digit 3: MIN Mark, 0 or 1. Digit 4: Auto Recall, always set to 1 (enabled). Digit 5: Second phone number (not all phones), 1 to enable. Digit 6: Diversity (Two antennas, not all phones), 1 to enable.
2. This is a 3 digit binary field used to select the following options:
Digit 1: Continuous DTMF, 1 to enable. Digit 2: Transportable Ringer/Speaker, 0=Transducer, 1=Handset. Digit 3: 8 hour time out in transportable mode, 0 to enable.
On newer models, they have added and changed some numbers. The numbersas of the 3/27/92 manual are as follows:
1. The 6 digit binary field is still the same.
2. The 3 digit binary field has become a 5 digit binary field.
Digit 1: Failed Page Indicator 1=Disabled;0=Enabled Digit 2: Motorola Enhanced Scan 1=Enabled; 0=Disabled Digit 3: Long Tone DTMF 1=Enabled; 0=Disabled Digit 4: Transportable Internal Ringer Speaker 1=Handset; 0=Transdcr Digit 5: Eight Hour Timeout 1=Disabled;0=Enabled
TEST MODE ACCESS:
INSTALLED MOBILE PHONES AND TRANSPORTABLE MODELS
To enter test mode on units with software version 85 and higher you mustshort pins 20 and 21 of the 25 pin (DB-25) transceiver data connector. AnRS-232 break out box is useful for this, or construct a test mode adaptorfrom standard Radio Shack parts.
Notes added by Ken Levitt (levitt@zorro9,fidonet.org) regarding Motorola Tote Phone model 52770A The Battery is connected to pins 16 (+) and 3 (-), so pins 3, 16, 20, and 21 should be all you need to get into test mode. When the phone is powered up, "Loc'd" displays on the handset. Enter the unlock to see the alternating status display listed below under #02, or press # to directly enter programming mode. ("US" will display)
For MINI TR or Silver Mini Tac transceivers (smaller data connector) youcan either short pins 9 and 14 or simply use a paper clip to short thehands free microphone connector.
HAND HELD PORTABLE MODELS:
There are two basic types of Motorola portable phones, the Micro-Tac series"Flip" phones, and the larger 8000 and Ultra Classic phones. Certain newerMotorola and Pioneer badged Micro-Tac phones do not have a "flip", butfollow the same procedure as the Micro-Tac.
8000 & ULTRA CLASSIC SERIES:
If you have an 8000 series phone determine the "type" before trying toenter test mode. On the back of the phone, or on the bottom in certainolder models, locate the F09... number this is the series number. If theFOURTH digit of this number is a "D" you CAN NOT program the unit throughtest mode, a Motorola RTL4154/RTL4153 programer is required to make anychanges to this unit.
Having determined that you do not have a "D" series phone the followingprocedure is used to access test mode:
Remove the battery from the phone and locate the 12 contacts at the topnear the antenna connector. These contacts are numbered 1 through 12 fromtop left through bottom right. Pin 6, top right, is the Manual Test ModePin. You must ground this pin while powering up the phone. Pin 7 (lowerleft) or the antenna connector should be used for ground. Follow one ofthese procedures to gain access to pin 6:
1. The top section of the battery that covers the contacts containsnothing but air. By careful measuring you can drill a small hole in thebattery to gain access to pin 6, alternately simply cut the top off thebattery with a hack saw. Having gained access use a paper clip to shortpin six to the antenna connector ground while powering up the phone.
2. If you do not want to "destroy" a battery you can apply an external 7.5volts to the + and - connectors at the bottom of the phone, ground pin 6while powering up the phone as above.
3. You can also try soldering or jamming a small jumper between pins 6 and7 (top right to lower left), or between pin 6 and the antenna connectorhousing ground. Carefully replace the battery and power up the phone. Usecaution with this method not to short out any other pin.
4. A cigarette lighter adaptor, if you have one, also makes a great testmode adaptor as it can be disassembled to give you easier access to pin 6.Many are pre marked, or even have holes in the right location. This isbecause they are often stamped from the same mold that the manufactureruses for making hands free adaptor kits and these kits require access tothe phone's connectors.
/ Antenna Housing ZDD? ZDDDDDEDDEDDDDD? 3* 3 3 *3 CDDDDDABBADDDDD4 To enter test mode, ground pin 6 to either pin 7 3H H HZY@?H H H3 or the antenna housing. I personally wrapped a 3H H H@DDYH H H3 paper clip around the antenna housing and bent it CDDDDDDDDDDDDDD4 so it *ALMOST* touched the test pin. All I had 3 Back of phone3 to do was push the paper clip a little when I 3 with battery 3 turned the phone on. 3 removed. The3 3 H is a pin. 3 3 3 3 Counting at 3 3 the top left 3 3 to right. 3 3 3 31 2 3 4 5 63 37 8 9 1011123 3 3 3 3 3* ZD? ZD? *3 @DDADADDD-ADADDY
MICRO-TAC "FLIP" SERIES:
This phone follows similar methods as outlined for the 8000 series above.
Remove the battery and locate the three contacts at the bottom of thephone, the two outer contacts are raised and connect with the battery. Thecenter contact is recessed, this is the Manual Test Mode connector.
Now look at the battery contacts, the two outer ones supply power to thephone, the center contact is an "extra" ground. This ground needs to beshorted to the test mode connector on the phone. The easiest way to dothis is to put a small piece of solder wick, wire, aluminum foil or anyother conductive material into the recess on the phone. Having done thiscarefully replace the battery and turn on the power, if you have beensuccessful the phone will wake up in test mode.
ZDDD? 3 3 ZDADDDADDDDDDDDDDDDDDDDD? 3 3 3DDDDDDDD? ZDDDDDDDD3 3 @DDDDDY 3 3 3 3 Flip phone with 3 3 battery removed. The 3 3 H's are pins. Pin 3 3 2 is the test pin and 3 3 is recessed. Put 3 3 something in the 3 3 recess so it touches 3 3 the battery. 3 3 1 2 3 3 3 3 3 H H H 3 @DDDDDDDDDDDDDDDDDDDDDDDY
GENERAL NOTES:
HANDSETS: Most Motorola handsets are interchangeable, when a handset isused with a transceiver other than the one it was designed for the displaywill show "LOANER". Some features and buttons may not work, for instanceif the original handset did not have a RCL or STO button, and thereplacement does, you will have to use the control * or control # sequenceto access memory and A/B system select procedures.
LOCK/UNLOCK PROCEDURES:
Phones with "LOCK" buttons: Press lock for at least 1/2 a second.
Phones with a "FCN" button: Press FCN 5, note that 5 has the letter's "J,K, and L" for lock.
Phones with no FCN or LOCK button: Press Control 5, control is the black volume button on the side of the handset.
SYSTEM SELECT PROCEDURES:
Phones with a RCL button: Press RCL *, then * to select, STO to store.
Phones with no RCL button: Press Control * then * to select, # to store.
Options are: CSCAn: Preferred/Non preferred with system lockout. Std A/b, or Std b/A: Preferred/Non preferred. SCAn Ab, or SCAn bA: Non preferred/Preferred SCAn A: "A" ONLY SCAn b: "B" ONLY HOME: Home only
(these are typical options, some phone's vary. C-Scan is only available on newer models and does not appear unless programmed, see below.)
TEST MODE Taken from the July 1993 Cellular Subscriber Technical Training Manual Item# 68P09300A60-C and the Curtis Namfax vol.4. I believe this is a complete listing of all the commands that were ever possible. This includes old phones and the new ones. If there are two entries for a particular number, the first one is the current command and the second is for older models.
NOTE: Not all commands work on all telephones. If a command is not valid the display will show "ErrOr." Not all numbers have been assigned. Not all numbers have been listed here. Some commands were intended only for Motorola factory applications. (This is the disclaimer in the technical training manual. I have included all of the other commands I have discovered one way or another. I do believe this is a complete list of the commands.)
Three test commands are significant for programming and registering thethe telephone for service: see full descriptions under TEST MODE COMMANDS.
32# Clears the telephone. (Older Motorola allowed either three or fifteen changes in the MIN. After that, the phone had to be sent to Motorola toreset the counter. This is the command they use.)
38# Displays the ESN
55# This is the TEST MODE PROGRAMMING (as described below).
TEST MODE COMMANDS:
# Enter Test Command Mode
00# no function
01# Restart (Re-enter DC power start-up routine.) On TDMA telephones, this command has the same effect as pressing the PWR button.
02# Display Current Telephone Status (This is a non-alternating version of the STATUS DISPLAY. On a 14 character display, all the information is shown. On a 7 character display only the information on the second line of a 14 character display is shown. On a 10 character display, all the information on the second line of a 14 charcter display plus the last three characters of the first line are shown.)
STATUS DISPLAY, ALTERNATES BETWEEN: AAA BBB AAA = Channel Number (decimal) BBB = RSSI reading for channel CDEFGHI are as follows:
C = SAT frequency (0=5970, 1=6000, 2=6030, 3=no channel lock) D = Carrier (0=off, 1=on) E = Signalling tone (0=off, 1=on) F = Power attenuation level (0 through 7) G = Channel mode (0=voice channel, 1=control channel) H = Receive audio mute (0=unmuted, 1=muted) I = Transmit audio mute (0=unmuted, 1=muted)
Press * to hold display and # to end.
03# Reset Autonomous Timer. This command results in the reset of the autonomous timer but does not provide any test function on these models.
04# Initializes Telephone to Standard Default Conditions: Carrier Off, Power Level 0, Receiver Audio Muted, Transmit Audio Muted, Signalling Tone Off, SAT Off, Resetting of Watch-Dog Timer Enabled, DTMF and Audio Tones Off, Audio Path Set to Speaker
05# TX Carrier On (Key Transmitter)
06# TX Carrier Off
07# RX Audio Off (Mute Receiver Audio)
08# RX Audio On (Unmute Receiver Audio)
09# TX Audio Off
10# TX Audio On
11(Ch.No.)# Set Tranceiver to Channel xxxx (Receive and Transmit in Decimal; accepts 1, 2, 3, or 4 digits)
12x# Set Power Step to x; (0,1-7) 0=Maximum Power (3 Watts) 7=Minimum Power Out
13# Power Off (Shuts off the radio)
14# 10 kHz Signalling Tone On
15# 10 kHz Signalling Tone Off
16# Setup (Transmits a five word RECC message; each of the five words will be "FF00AA55CC33." Transmitter de-keys at the end of the message.)
17# Voice (Transmits a two word REVC message; each of the two words will be "FF00AA55CC33." Transmitter de-keys at the end of the message.)
18# C-Scan (Allows for entry of as many as 5 negative SID's for each NAM.)
Newer Motorola phones are equipped with a feature called C-Scan, this is an option along with the standard A/B system selections. C-Scan allows the phone to be programed with up to five inhibited system ID's per NAM. This is designed to prevent the phone from roaming onto specified non-home systems and therefore reduce "accidental" roaming fees.
1. C-Scan can only be programed from test mode, power phone up with the relevant test mode contact grounded (see above).
2. Press # to access test mode.
3. Press 18#, the phone will display "0 40000".
4. Enter the first inhibited system ID and press *.
Continue to enter additional system ID's if required. After the 5th entry the phone will display "N2". Press * to continue and add system ID's for NAM 2 as required.
5. If an incorrect entry is made (outside the range of 00000-32767) the display will not advance, press CLR and re-enter. Use a setting of 40000 for any un-needed locations.
6. When the last entry has been made press * to store and press # to exit, turn off power. or [**Phones without the C-Scan option used this command to SEND NAM.**]
18# SEND NAM. Display shows AA BB. Where AA=Address and BB=Data. Displays the contents of the NAM, one address at a time, advanced by pressing the * key. The following data is contained in NAM. The test is exited by depressing the # key. SIDH Sec. Code OPT. (1,2,&3) MIN MIN1, MIN2 FCHNA SCM FCHNB IPCH NDED ACCOLC CHKSUM GIM
19# Display Software Version Number (4 digits displayed as year and week)
NOTE: Entering commands 20# through 23# or 27# causes the tranceiver to begin a counting sequence or continous transmission as described below. In order to exit from the commands to enter another test command, the # key must be depressed; all other key depressions are ignored.
20# Receive control channel messages counting correctable and uncorrectable errors. When the command starts, the number of the command will be displayed in the upper-right corner of the display. Entering a # key will terminate the command and display two three-digit numbers in the display. The first number is the number of correctable errors and the second is the uncorrectable errors.
21# Received voice channel messages counting correctable and uncorrectable errors. When the command starts, the number of the command will be displayed in the upper right-hand corner of the display. Entering a # key terminates the command and will display two three-digit numbers in display. The first is the number of correctable errors and the second is the uncorrectable errors.
22# Receive control channel messages counting word sync sequence. When the command starts, the number of the command will be displayed in the upper right-hand corner of the display. Entering a # key will terminate the command and display the number of word sync sequences in the display.
23# Receive voice channel messages counting word sync sequences. When the command starts, the number of the command will be displayed in the upper right-hand corner of the display. Entering a # key will terminate the command and display the number of word sync sequences in the display.
24# Receive control channel data and display the majority voted busy/idle bit. 0=idle 1=busy
25x# SAT On When x=0, SAT=5970HZ x=1, SAT=6000HZ x=2, SAT=6030HZ
26# SAT Off
27# Transmit Data (Transmits continuous control channel data. All words will be "FF00AA55CC33." When the command starts, '27' will be displayed in the right side of the display. Entering a # key will terminate the command. The transmitter de-keys when finished.)
28# Activate the high tone (1150 Hz +/- 55 Hz)
29# De-activate the high tone
30# Activate the low tone (770 Hz +/- 40 Hz)
31# De-activate the low tone
32# Clear (Sets non-volatile memory to zeroes or factory default. This command will affect all counters, all repertory memory including the last number called stack, and all user programmable features including the setting of System Registration. It does not affect the ESN, NAM, phasing data, or lock code. This takes a minute or so. DO NOT TURN OFF THE TELEPHONE WHILE THIS IS SHOWING '32' ON THE DISPLAY. WAIT UNTIL THE NORMAL SERVICE LEVEL DISPLAY RESUMES!)
33x# Turn on DTMF for x (1-9, *, 0, #, plus the single tones) Where x=1 697 Hz + 1209 Hz 10 697 Hz 2 697 Hz + 1336 Hz 11 770 Hz 3 697 Hz + 1477 Hz 12 852 Hz 4 770 Hz + 1209 Hz 13 941 Hz 5 770 Hz + 1336 Hz 14 1150 Hz (not used in cellular) 6 770 Hz + 1477 Hz 15 1209 Hz 7 852 Hz + 1209 Hz 16 1336 Hz 8 852 Hz + 1336 Hz 17 1477 Hz 9 852 Hz + 1477 Hz 18 1633 Hz (not used in cellular) * 941 Hz + 1209 Hz 0 941 Hz + 1336 Hz # 941 Hz + 1477 Hz
34# Turn DTMF Off
35# Display RSSI ("D" Series Portable Only)
or
35x# Set Audio Path to x x=0, V.S.P Microphone (Applies to mobiles only.) x=1, Speaker x=2, Alert x=3, Handset x=4, Mute x=5, External Telephone (Applies to Portables Only) x=6, External Handset (Applies to NEWER Portables)
36nnn# Scan (TDMA Telephones only. Scans the primary control channels and attempts to decipher the forward data stream. The display will show PASS1 if the strongest control channel was accessed, PASS2 if the second strongest was accessed, and FAIL if no control channel could be accessed.) (nnn=Scan speed in milliseconds). Tunes from channel 1 to 666 in order. Entering a * pauses the scan and displays current Channel Number and RSSI reading (AAA=Channel Number and BBB=RSSI Reading). When scan speed is 300 milliseconds or greater, the current status is displayed during the scan; when less than 300 milliseconds the status is displayed only during pause. Entering * during a pause causes the scan to resume. Entering # aborts the scan and leaves the mobile tuned to the current channel. During this command only the * and # keys are recognized.
37# no function
38# Display ESN (Displays ESN in four steps, two hexadecimal digits at a time in a for digit display. The decimal shows the address, 00 through 03 as the first two digits, and two digits of the ESN as the last two digits. Use the 'G' to step through the entire hexadecimal ESN.)
Compander OFF ("D" Series Portables)
or
38# SND-SNM. Display shows AA BB. Where AA=Address;BB=Data. Send the SNM to the display. All 32 bytes of the SNM will be displayed, one byte at a time. The byte address will be displayed in the upper right-hand corner and the contents of that address will be displayed in the hex. The * key is used to step through the address similar to the SEND-NAM (18#) command.
39# Compander ON ("D" Series Portables)
or
39# RCVSU. Receive one control channel word. When the word is received it is displayed in hex. This command will be complete when a control channel word is received or when the # key is entered to abort the command.
40# RCVVC. Receive one voice channel word. When the word is received it is displayed in hex. This command will be complete when a voice channel word is received or when the # key is entered to abort the command.
41# Enables Diversity (On F19CTA... Series only.)
42# Disables Diversity (On F19CTA... Series only.)
43# Disable Diversity USE T/R ANTENNA (On F19CTA... Series only.) USE R ANTENNA (On D.M.T./ Mini TAC)
44# Disable Diversity USE R ANTENNA (On F19CTA... Series only.) USE T/R ANTENNA (On D.M.T./ Mini TAC)
45# Display Current RSSI (Displayed as a three-digit decimal number)
46# Display Cumulative Call Timer
47x# Set RX Audio level to X (For F19CTA ...Series Tranceivers) X=0, Lowest Volume X=6, Highest Volume X=7, mute Normal setting is 4. (For D.M.T./ Mini TAC Tranceivers) X=0, Lowest Volume X=7, Highest Volume Normal setting is 4. (For TDMA Tranceivers and F09F... Series and Higher Portables) X=0, Lowest Volume X=15, Highest Volume Normal setting is 2 to 4. (On TDMA Tranceivers and Micro TAC portables, settings 8 through 15 are for DTMF applications only.)
48# Side Tone On. Use this command in conjunction with 350# to test the entire audio path in hands-free applications.
49# Side Tone Off
50# Maintenance data is transmitted and test results displayed: PASS=received data is correct FAIL 1=2second timeout, no data rec. FAIL 2=received data is incorrect
51# Test of mobile where maintenance data is transmitted and looped back. Display is as follows: PASS=looped-back data is correct FAIL 1=2 second timeout, no looped-back data FAIL 2=looped-back data is incorrect
52x# SAT Phase Adjustment. A decimal value that corresponds to phase shift compensation in 4.5 degree increments. Compensation added to inherent phase shift in tranceiver to achieve a total of 0 degrees phase shift.
Do NOT enter any values except those shown below.
0 degrees = 0 121.5 degrees = 59 243.0 degrees = 86 4.5 = 1 126.0 = 60 247.5 = 87 9.0 = 2 130.5 = 61 252.0 = 112 13.5 = 3 135.0 = 62 256.5 = 113 18.0 = 4 139.5 = 63 261.0 = 114 22.5 = 5 144.0 = 40 265.5 = 115 27.0 = 6 148.5 = 41 270.0 = 116 31.5 = 7 153.0 = 42 274.5 = 117 36.0 = 16 157.5 = 43 279.0 = 118 40.5 = 17 162.0 = 44 283.5 = 119 45.0 = 18 166.5 = 45 288.0 = 120 49.5 = 19 171.0 = 46 292.5 = 121 54.0 = 20 175.5 = 47 297.0 = 122 58.5 = 21 180.0 = 64 301.5 = 123 63.0 = 22 184.5 = 65 306.0 = 124 67.5 = 23 189.0 = 66 310.5 = 125 72.0 = 48 193.5 = 67 315.0 = 126 76.5 = 49 198.0 = 68 319.5 = 127 81.0 = 50 202.5 = 69 324.0 = 104 85.5 = 51 207.0 = 70 328.5 = 105 90.0 = 52 211.5 = 71 333.0 = 106 94.5 = 53 216.0 = 80 337.5 = 107 99.0 = 54 220.5 = 81 342.0 = 108 103.5 = 55 225.0 = 82 346.5 = 109 108.0 = 56 229.5 = 83 351.0 = 110 112.5 = 57 234.0 = 84 355.5 = 111 117.0 = 58 238.5 = 85 360.0 = 70 53# Enable scrambler option, when equipped.
54# Disable scrambler option, when equipped.
55# Display/Program N.A.M. (Test Mode Programming)
TEST MODE PROGRAMING:
Assuming you have completed one of the above steps correctly the phone will wake up in test mode when you turn the power on. When you first access test mode the phone's display will alternate between various status information that includes the received signal strength and channel number.
Note - On some models, the display will show "Loc'd" when powered up. to disply alternating status, enter the unlock code, or to enter programming mode, press # and "US" will display.
The phone will operate normally in this mode. You can now access Service Mode by pressing the # key, the display will clear and a ' will appear. Use the following procedure to program the phone:
1. Enter 55# to access programing mode.
2. The * key advances to the next step. (NOTE that test mode programing does NOT have step numbers, each time you press the * key the phone will display the next data entry).
3. The CLR key will revert the display to the previously stored data.
4. The # key aborts programing at any time.
5. To complete programing you must scroll through ALL entries until a ' appears in the display.
6. Note that some entries contain more digits than can be displayed by the phone, in this case only the last part of the data can be seen.
TEST MODE PROGRAMING DATA:
STEP# #OF DIGITS/RANGE DESCRIPTION
01 00000 - 32767 SYSTEM ID 02 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 1 BELOW 03 10 DIGITS MIN (AREA CODE & TEL#) 04 2 DIGITS STATION CLASS MARK 05 2 DIGITS ACCESS OVERLOAD CLASS 06 2 DIGITS GROUP ID (10 IN USA) 07 6 DIGITS SECURITY CODE 08 3 DIGITS LOCK CODE 09 3 DIGITS SERVICE LEVEL (LEAVE AT 004) 10 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 2 BELOW 11 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 3 BELOW 12 0333 OR 0334 INITIAL PAGING CHANNEL 13 0333 "A" SYSTEM IPCH 14 0334 "B" SYSTEM IPCH 15 3 DIGIT NUMBER PAGING CHANNEL (021 IN USA) 16 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 4 BELOW
Steps 01 through 06 and 12 will repeat for NAM 2 if the second phone number bit has been enabled in step 11.
NOTES:
Take care with Motorola's use of "0" and "1". Some options use "0" to enable, some use "1".
These are eight digit binary fields used to select the following options:
1. (step 02 above, suggested entry is: 11101001 for "A" system, 10101001 for "B" sys)
Digit 1: Local use mark, 0 or 1. Digit 2: Preferred system, 0 or 1. Digit 3: End to end (DTMF) dialing, 1 to enable. Digit 4: Not used, enter 0. Digit 5: Repertory (speed) dialing, 1 to enable. Digit 6: Auxiliary (horn) alert, 1 to enable. Digit 7: Hands free (VSP) auto mute, 1 to enable (mutes outgoing hands free audio until the MUTE key is pressed). Digit 8: Min mark, 0 or 1.
2. (step 10 above, suggested entry is: 00000100)
Digits 1 - 4: Not used in USA, enter 0. Digit 5: Single system scan, 1 to enable (scan A or B system only, determined by bit 2 of step 02. Set to "0" to allow user the option). Digit 6: Super speed dial, 1 to enable (pressing N, or NN SND will dial the number stored in memory location NN). Digit 7: User selectable service level, 0 to enable (allows user to set long distance/memory access dialing restrictions). Digit 8: Lock function, 0 to enable (allows user to lock/un-lock the phone, if this is set to 1 the phone can not be locked).
3. (step 11 above, suggested entry is: 00000000)
Digit 1: Handset programing, 0 to enable (allows access to programing mode without having to enter test mode). Digit 2: Second phone number (not all phones), 1 to enable. Digit 3: Call timer access, 0 to enable. Digit 4: Auto system busy redial, 0 to enable. Digit 5: Speaker disable, 1 to enable (use with select VSP units only, do not use with 2000 series mobiles). Digit 6: IMTS/Cellular, 1 to enable (rarely used). Digit 7: User selectable system registration, 0 to enable. Digit 8: Dual antennae (diversity), 1 to enable.
4. (step 16 above, suggested entry is: 0011010 for portable and 0011011 for mobile units)
Digit 1: Not used, 0 only. Digit 2: Not used, 0 only Digit 3: Continuous DTMF, 1 to enable (software version 8735 and later) Digit 4: 8 hour time-out, 0 to enable (software version 8735 and later) Digit 5: Not used, 0 only. Digit 6: Failed page indicator, 0 to enable (phone beeps when an incoming call is detected but signal conditions prevent completion of the call). Digit 7: Portable scan, 0 for portable, 1 for mobile units.
56# no function
57x# Call Processing Mode x=0, AMPS x=1, NAMPS x=2-4, RESERVED x=5, TDMA signalling x=6, TDMA signalling with loopback before decoding x=7, TDMA signalling with loopback voice after decoding x=8, TDMA signalling with loopback FACCH after decoding x=9, TDMA forced synchronization
58# Compander On (Audio compressor and expander) (See 39#)
59# Compander Off (Audio compressor and expander) (See 38#)
60# no function
61# ESN Transfer (For Series I D.M.T./Mini TAC only)
62# Turn On Ringer Audio Path
63# Turn Off Ringer Audio Path
64#-65# no function
66# Identity Transfer (Series II Tranceivers and some Current Shipping Portables)
67# no function
68# Diaplay FLEX and Model Information
69# Used with Identity Transfer
70# Abbreviated field transmitter audio deviation command, for tranceivers with FCC ID ABZ89FT5668.
71# Abbreviated field power adjustment command, for tranceivers with FCC ID ABZ89FT5668.
72# Field audio phasing commands.
73# Field power adjustment command.
74#-99# no function
Notes: There are several numbers that say "no function" next to their entry. In the technical manual, those numbers APPEAR to have no function. It is very possible that they DO IN FACT have a function. As far as I know, using the information provided by the technical manual, I know of no functions for these numbers. But at the top you'll notice in the disclaimer that NOT ALL FUNCTIONS ARE LISTED HERE. That leaves open the possibility of others. Try these numbers and you may get lucky (or you may wipe some vital information...who knows?). I am in fact almost certain that it is possible to change the ESN via the handset. It is just a matter of finding the correct combination of commands. You can bet that won't be easy, but it can't stay a secret forever though!
For more information, call Motorola and order part# 68-093-00a60. This is a cellular service manual that's used in their cellular service classes that sells for $30. Ask for the Order Fulfillment department when ordering. This manual tells it all! An absolute must have for Motorola users.
I think this might help. There are some that say no function, they MIGHT.Case in point: 37# does something but we don't know yet...:)
Dave
Ken Levitt - On FidoNet gateway node 1:16/390 UUCP: zorro9!levittINTERNET: levitt@zorro9.fidonet.org or levitt%zorro9.uucp@talcott.harvard.edu
--------------------
[TELECOM Digest Editor's Note: My experience has been that when you examineone of the steps for which there is supposedly 'no function' it is best to*carefully* make notes *before* starting anything.
For example, step through one of those and write down on paper the datayou see there. If there is indeed 'no function' for that step, thenwhatever you see there may be just random garbage. But if you don't knowwhat was there, you can't replace it if you need to!
So write it all down first. Then experiment with different values andsee what you find out. Bear in mind some of those 'no functions' may infact cause the data elsewhere to be erased or altered, thus I cannotstress enough to write down every bit of data from every single step*before* you start messing around with anything.
PAT
Saturday, July 16, 2005
You know I really try to learn as much as I can and as fast as I can but I don't
think a 9 or 10 year old kid should be the programmer that I wish I could be . Its like every other day you here about some kid from bumvill, that has the IQ of a genius. I think GOD
has a plan but I just wish that I could have been the kid whos 10 and graduating college.
today is a yang day for me ,
Drizzt
think a 9 or 10 year old kid should be the programmer that I wish I could be . Its like every other day you here about some kid from bumvill, that has the IQ of a genius. I think GOD
has a plan but I just wish that I could have been the kid whos 10 and graduating college.
today is a yang day for me ,
Drizzt
Password100% Find Any Password, Access Your Own Computer!PCbeginner.com
Lost Word Password?Guaranteed decryption service. 3 minutes per file. Free preview.www.Decryptum.com
Fix All Windows Errors2005 Most-Advanced Error Remover. Fix Your Computer - Free Download!ErrorNuker.com
Password ManagementComprehensive Solutions for Enterprise Security Management.www.betasystems.com
Windows Password UtilityReset/Remove Admin Password Only $9.99 With Free Ship/USAwww.pctech101.com
Free SoftwareDownload this software for free. Alternative software also availablewww.softwarevault.com
VBA Password BypasserBypass VBA code password protection Any VBA-featured documents. Now 29$www.thegrideon.com
Help Desk Password ResetWeb Based NT, 2000, 2003 Account Password Reset for SOX, HIPAA Req.www.Liebsoft.com
Password Finder $39.95Secretly record instant messages & record their email passwordwww.securetactics.com
Active@ Password ChangerBoot disk to reset passwords for Windows XP 2000 2003 NT. Free Demo.www.Password-Changer.com
Lost Word Password?Guaranteed decryption service. 3 minutes per file. Free preview.www.Decryptum.com
Fix All Windows Errors2005 Most-Advanced Error Remover. Fix Your Computer - Free Download!ErrorNuker.com
Password ManagementComprehensive Solutions for Enterprise Security Management.www.betasystems.com
Windows Password UtilityReset/Remove Admin Password Only $9.99 With Free Ship/USAwww.pctech101.com
Free SoftwareDownload this software for free. Alternative software also availablewww.softwarevault.com
VBA Password BypasserBypass VBA code password protection Any VBA-featured documents. Now 29$www.thegrideon.com
Help Desk Password ResetWeb Based NT, 2000, 2003 Account Password Reset for SOX, HIPAA Req.www.Liebsoft.com
Password Finder $39.95Secretly record instant messages & record their email passwordwww.securetactics.com
Active@ Password ChangerBoot disk to reset passwords for Windows XP 2000 2003 NT. Free Demo.www.Password-Changer.com
Windows systems allow a convenient storage of frequently used passwords, such as the password inside Outlook Express. However, since you no longer enter the saved passwords manually, you tend to forget them. And the system will only display such stored passwords as a row of asterisks ("*****").
ActMon Password Recovery XP by iOpusWindows 95/98/NT/2000/XP, shareware, free trial, 30 day money-back guarantee, $29.95 (purchase)
This program allows you to decrypt and display passwords hidden behind asterisks. It works automatically on Web pages and applications on Windows 9x and Windows NT/2000/XP systems. Activate the utility, drag the mouse cursor onto the password field and your password is revealed instantly.
Behind Asterisks XP by Sontrex SoftwareWindows 95/98/NT/2000/XP, shareware, $24.95Purchase the full registered version
An equivalent program from Sontrex Software
ActMon Password Recovery XP by iOpusWindows 95/98/NT/2000/XP, shareware, free trial, 30 day money-back guarantee, $29.95 (purchase)
This program allows you to decrypt and display passwords hidden behind asterisks. It works automatically on Web pages and applications on Windows 9x and Windows NT/2000/XP systems. Activate the utility, drag the mouse cursor onto the password field and your password is revealed instantly.
Behind Asterisks XP by Sontrex SoftwareWindows 95/98/NT/2000/XP, shareware, $24.95Purchase the full registered version
An equivalent program from Sontrex Software
Pluggable password strength checking for your servers
pam_passwdqc is a simple password strength checking module for PAM-aware password changing programs, such as passwd(1). In addition to checking regular passwords, it offers support for passphrases and can provide randomly generated ones. All features are optional and can be (re-)configured without rebuilding.
You may view the latest README and PLATFORMS files (both are also included in the archive below).
Download:
pam_passwdqc 1.0.2 and its signature
These files are also available via FTP.
Follow this link for information on verifying the signatures.
We may help you integrate pam_passwdqc into your OS installs, please check out our services.
pam_passwdqc has been integrated into FreeBSD 5.
pam_passwdqc is used on Owl, distributions by ALT Linux team, and ASPLinux. Additionally, it is a part of Debian GNU/Linux, SuSE Linux, and very recent versions of Red Hat Linux.
You may want to check out these other PAM modules.
Support further work on this software with donations.
Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux
pam_passwdqc is a simple password strength checking module for PAM-aware password changing programs, such as passwd(1). In addition to checking regular passwords, it offers support for passphrases and can provide randomly generated ones. All features are optional and can be (re-)configured without rebuilding.
You may view the latest README and PLATFORMS files (both are also included in the archive below).
Download:
pam_passwdqc 1.0.2 and its signature
These files are also available via FTP.
Follow this link for information on verifying the signatures.
We may help you integrate pam_passwdqc into your OS installs, please check out our services.
pam_passwdqc has been integrated into FreeBSD 5.
pam_passwdqc is used on Owl, distributions by ALT Linux team, and ASPLinux. Additionally, it is a part of Debian GNU/Linux, SuSE Linux, and very recent versions of Red Hat Linux.
You may want to check out these other PAM modules.
Support further work on this software with donations.
Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux
Want to learn how to read write HTML go to
www.htmlgoodies.com
This site will help you if you want to learn
For all HACKING tools please visit
www.foundstone.com
For the novice to the elite the HACKING EXPOSED books are the shizz
Check them out if you are a serious web designer or a sneaky hack .
These books will teach anybody alot and I mean alot about security holes and
vulnerabilities.
Drizzt
www.htmlgoodies.com
This site will help you if you want to learn
For all HACKING tools please visit
www.foundstone.com
For the novice to the elite the HACKING EXPOSED books are the shizz
Check them out if you are a serious web designer or a sneaky hack .
These books will teach anybody alot and I mean alot about security holes and
vulnerabilities.
Drizzt
With a little bit of technical acumen and a few hundred dollars, enterprising thieves can walk away with some late-model cars and gas them up for free to boot, according to research published by computer security experts at the Johns Hopkins University in Baltimore and RSA Security Inc.'s RSA Laboratories in Bedford, Mass. In January, the researchers published the results of a technical analysis of a kind of secure radio frequency identification (RFID) technology called Digital Signature Transponder (DST) from Texas Instruments Inc., which is widely used to secure newer-generation automobiles and electronic payment systems like Exxon Mobil Corp.'s Speedpass. The work revealed serious weaknesses in the cryptographic security used to protect data sent back and forth, and shines a light on the problem of security systems that rely on aging or inadequate cryptography, according to experts. The team of researchers included staff from Johns Hopkins' Information Security Institute such as Avi Rubin, the computer security expert who gained fame for his analysis of flawed electronic voting technology from Diebold Inc. Rubin and a team of three graduate students, along with cryptography experts from RSA, used reverse-engineering techniques and custom-designed tools to crack the cryptographic keys used to secure the systems and simulate both the RFID DST tags and readers. The hack allowed researchers to disable a vehicle immobilizer in a 2005 Ford automobile using a specially equipped laptop computer, and purchase gas at a number of Exxon Mobil locations with a homemade Speedpass device, according to a copy of their findings posted online.
law enforcement officials charged with busting sophisticated financial crime and hacker rings, making arrests and seizing computers used in the criminal activity is often the easy part. More difficult can be making the case in court, where getting a conviction often hinges on whether investigators can glean evidence off of the seized computer equipment and connect that information to specific crimes. The wide availability of powerful encryption software has made evidence gathering a significant challenge for investigators. Criminals can use the software to scramble evidence of their activities so thoroughly that even the most powerful supercomputers in the world would never be able to break into their codes. But the U.S. Secret Service believes that combining computing power with gumshoe detective skills can help crack criminals' encrypted data caches. Taking a cue from scientists searching for signs of extraterrestrial life and mathematicians trying to identify very large prime numbers, the agency best known for protecting presidents and other high officials is tying together its employees' desktop computers in a network designed to crack passwords that alleged criminals have used to scramble evidence of their crimes -- everything from lists of stolen credit card numbers and Social Security numbers to records of bank transfers and e-mail communications with victims and accomplices.
New research on several commonly used hash algorithms has revealed security weaknesses in e-commerce systems and the internet, according to experts. Hash algorithms are used by computers to compare data, and are a cornerstone of encryption and IT security systems. However, experts have warned that hackers now require only 15 minutes to create two email messages that produce the same digital signatures when checked by the most commonly used hash algorithms.
A double-edged threat that attempts to hijack PCs has surfaced in at least three variants, security companies warned on Friday.The new pest, Lebreat, is a combined network worm and mass-mailing worm, F-Secure said. Once run on a PC, it installs a backdoor for hackers, downloads the mass-mailer code and attempts to launch a denial-of-service attack that targets security giant Symantec's Web site, the Finnish antivirus specialist said. The malicious code is also known as Breatle and Reatle at other antivirus companies."This virus claims to be 'Breatle AntiVirus v1.0,' and it spreads over both e-mail and network vulnerabilities," F-Secure said.The network-worm part of Lebreat exploits a known Windows flaw in a component called the Local Security Authority Subsystem Service, the security company said. The LSASS vulnerability was also used by the Sasser worm, F-Secure said in its advisory. Microsoft issued a patch for the LSASS flaw last year.
Subscribe to:
Posts (Atom)
