[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]


..[ Phrack Magazine ]..
.:: Cellular Debug Mode Commands ::.

Issues: [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [ 22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ] [ 27 ] [ 28 ] [ 29 ] [ 30 ] [ 31 ] [ 32 ] [ 33 ] [ 34 ] [ 35 ] [ 36 ] [ 37 ] [ 38 ] [ 39 ] [ 40 ] [ 41 ] [ 42 ] [ 43 ] [ 44 ] [ 45 ] [ 46 ] [ 47 ] [ 48 ] [ 49 ] [ 50 ] [ 51 ] [ 52 ] [ 53 ] [ 54 ] [ 55 ] [ 56 ] [ 57 ] [ 58 ] [ 59 ] [ 60 ] [ 61 ] [ 62 ] [ 63 ] [ 64 ] [ 65 ] [ 66 ] [ 67 ] [ 68 ] [ 69 ] [ 70 ]
Current issue : #45 | Release date : 1994-03-30 | Editor : Erik Bloodaxe
IntroductionErik Bloodaxe
Phrack Loopback Part IPhrack Staff
Phrack Loopback Part II / EditorialPhrack Staff
Line Noise Part IPhrack Staff
Line Noise Part IIPhrack Staff
Line Noise Part IIIPhrack Staff
Phrack Prophile on Control CControl C
Running a BBS on X.25Seven Up
No Time for GoodbyesEmmanuel Goldstein
Security Guidelinesunknown
Ho Ho Con Miscellanyvarious
Quentin Strikes AgainWhite Knight & The Omega
10th Chaos Computer CongressManny E. Farber
Defcon II informationPhrack Staff
VMS Informationvarious
DCL BBS PROGRAMRaoul
Hollywood-Style Bits & BytesRichard Goodwin
Fraudulent Applications of 900 ServicesCodec
Screwing Over Your Local McDonald'sCharlie X
The Senator Markey Hearing Transcriptsunknown
The Universal Data ConverterMaldoror
BOX.EXE - Box Program for Sound BlasterThe Fixer
Introduction To Octel's ASPENOptik Nerve
Radio Free Berkeley Informationunknown
The MCX7700 PABX SystemDr. Delam
Cellular Debug Mode Commandsvarious
International Scenesvarious
Phrack World NewsDatastream Cowboy
Title : Cellular Debug Mode Commands
Author : various
                              ==Phrack Magazine==

                 Volume Five, Issue Forty-Five, File 26 of 28

******************************************************************************

                          Cellular Debug Mode Commands


**************************************

 Motorola test mode programing codes
        for most motorola phones

**************************************

01# Restart (re-enter DC power start-up
    routine)

02# Display Current Telephone Status

04# Initializes Telephone to Std.
    Default Conditions

05# TX Carrier On (key transmitter)

06# TX Carrier Off

07# RX Off (mute receiver audio)

08# RX Audio On (unmute receiver audio)

09# TX Audio Off

10# TX Audio On

11(ch.no.)# Set Transceiver to channel
    (RX & TX)

12# Set power level

13# Power Off

14# 10 khz Signalling Tone On

15# 10 khz Signalling Tone Off

16# Setup (Transmits a five word RECC
    message)

17# Voice (Transmits a two word REVC
    message)

18# C-SCAN

19# Display Software Version Number
    (year & week)

25# SAT On

26# SAT Off

27# Transmit Data (TX continuous
    control channel data)

32# Clear (clears non-volatile memory)

33# Turn DTMF on

34# Turn DTMF off

35# Display RSSI ("D" series portable
    only)

35# Set Audio path

38# Display ESN (displays ESN in four
    steps, hit * till back at start)

39# Compander On

41# Enables Diversity

42#,43#,44# Disable Diversity
     (different models use different
      codez)

45# Display Current RSSI

46# Display Cumulative Call Timer

47# Set Audio level

48# Side Tone On

49# Side Tone Off

55# Display and or program NAM (test
    mode programing)

58# Compander On

59# Compander Off

61# ESN Transfer (for series I and Mini
    T.A.C's)

62# Turn On Ringer

63# Turn Off Ringer

66# Identity Transfer (series II and
    some current portables)

68# Display FLEX and Model info

69# Used with Identity Transfer

***************************************
***************************************

1. Entering test mode on 25 pin
   transceivers is as follows:

   for F19ATA or F19CTA ground pin 11
       and power-up phone,
   for DMT/Mini T.A.C series I, II,
       III ground pin 21 and power-up
       phone.

2. Entering test mode on OEM 32 pin
   transceivers is as follows:

     ground pin 9 and power-up phone.

3. Entering test mode on portable
   phones is as follows:

     ground pin 6 and power-up phone.

4. Entering test mode on Micro T.A.C's
   phones is as follows:

     ground pin 2 and power-up phone.

------------------------------------------------------------------------------

Oki Debug Commands - Good Timing
From Nuts & Volts Dec. 1993

To Enter Debug Mode:

Press 7 & 9 Together
then press MENU, SEND, END, RCL, STO and CLR
then press 1 & 3 together

Commands:

#01     Suspend         Performs Initialization
#02     Restart         Terminates the test mode
#03     Status          Shows the current status of TRU
#04     Reset           Resets the timer
#07     Carrier On      Turns the carrier on
#08     Carrier Off     Turns off the carrier
#09XXXX Load Synth      Sets the synthesizer to channel XXXX
#10X    Set Attn        Sets the RF power attenuation to X
#11     RX Mute         Mutes the receive audio
#12     RX Unmute       Unmute the receive audio
#13     TX Mute         Mutes the transmit audio
#14     TX Unmute       Unmutes the transmit audio
#16     ST On           Transmits a signalling tone
#17     ST Off          Turns off the signalling tone
#18     Setup           Transmits a 5 word RCC message
#19     Voice           Transmits a 2 word RVC message
#20     Rcv SU          Receives a 2 word FCC message
#21     Rcv VC          Receives a 1 word FVC message
#22     Send NAM        Returns the information contained in the NAM
#23     Version         Displays the TRU software version
#24     Send SN         Displays the ESN
#25XXXX Mem             Displays the resident memory data at XXXX
#28     WSTS            Receive 1 word messages on CC until #56/CLR
#29     WSTV            Receive 1 word messages on VC until #56/CLR
#32X    SAT On          Enables the transmission of SAT X
#33     SAT Off         Disables the transmission of SAT
#35     Hi TN On        Activates the 1150 Hz tone to receive audio line
#36     Hi TN Off       Deactivates the 1150 Hz tone
#37     Lo TN On        Activates the 770 Hz tone to receive audio line
#38     Lo TN Off       Deactivates the 770 Hz tone
#42XX   DTMF On         Enables the transmission of DTMF frequency XX
#43     DTMF Off        Disables the transmission of DTMF

------------------------------------------------------------------------------

Novatel 8325
------------

This article is copyright 1993 by the author. Reproduction is allowed, with the
following restrictions:

1) Any copy, or edited version, of this file must contain this copyright
   notice, the author's name, and the information regarding Phrack.
2) No commercial use may be made of it without prior permission of the author.
   This permission may be revoked at any time, in which case all reproduction
   must cease, and any copies must be destroyed.
3) Use as evidence in a court of law, for the purposes of this agreement,
   is considered a commercial use.
4) This agreement can not be changed, or added to in any way. Receipt of this
   work through an authorized commercial distributor does not imply permission
   given to the commercial consumer to re-distribute it in a commercial manner.
5) Any part of this agreement found invalid by a court of law does not render
   the remainder of this agreement void: The rest of the terms of the agreement
   must still be adhered to.


The Novatel 8325 is a bag-style portable cellular telephone. It is known as a
'ProClassic' in Novatel MarketSpeak. Two different handsets (control units) are
used with the 8325 transceiver: the 4130 and 5160. My phone has the 5160.
The handsets appear very similar: I doubt there is any functional difference
between them. Earlier transceivers, such as the 8320, contain many of the same
features as the 8325, though the hidden menus are accessed with different
codes. The only other code I know of is #746, which is the code for the 8320
CFG menu.

Terms: Throughout this article, I will refer to things without explaining them
each time. If you get lost, refer to the table below.

NORMAL = the phone is in this mode when it is not locked, or in either of the
hidden menus, or in the 'user' menus accessed by the MENU key. The screen will
display either READY or SCANNING when in normal mode. This is the mode the phone
is in when it is first turned on.

LOCKED = when the phone displays LOCKED, a code must be typed to enter normal
mode. The default code is 1234. The telephone can be locked using [FCN] 1 [SND]
from normal mode. The phone must be locked before entering in any of the codes
to access the hidden menus described below.

TBL = troubleshooting mode = the hidden menu accessed with 546*. This is a
menu supposedly know only to Novatel, not even their dealers are supposed to
know about it. According to Novatel, some of the features in this menu could
destroy the phone if improperly set. Scare tactics? You decide.

CFG = configuration mode = the hidden menu accessed with 510*. This is used by
dealers to set up a subscriber's service. As far as I know, there is nothing
particularly dangerous about this mode, but Novatel is touchy about it
nonetheless. I take no responsibility for any damages.


Troubleshooting Mode - TBL

First, lock phone with [FCN] 1 [SND]
Then, enter 546* on the keypad. The phone
will not make tones for each key pressed.

TBL 8325    /___ This is what shows up on my phone.
REV NA0C    \    Yours may be different.

You are now in troubleshooting mode. You may page through the functions
by using the arrow keys, or access the functions by number, by hitting #
(The screen will display DIR PAGE ACCESS) and then the function number,
from the chart below. Note that on initially entering Troubleshooting mode,
you are on function 37. Toggle with the [SND] key, unless otherwise noted.

#    Screen       Default   Toggle/Range       Description
-----------------------------------------------------------------------------
11   TRANSMIT     OFF       ON   Turn the transmitter on.
12   TX TEST      OFF       [CLR]=OFF, 0-7 test data stream, audio levels of
13   CHANNEL      0000      0000-1023    [H/F] = down, [RCL] = up.
14   TX AUDIO     OFF       ON
15   VOLUME GAIN  6         0-7
16   RX AUDIO     OFF       ON   Turn the receiver on. Set this to ON
                                 and use in conjunction with #13
                                 (CHANNEL) to listen to calls.
17   POWER ATTN   3         0-7
18   SYNTH LOCKED                       synthesizer locked. if reads
                                        unlocked,  the phone has real problems.
19   SAT OFF      ??                    transmitted SAT
20   RF POWER     OFF       ON          Not an option, but an indicator. When
                                        TRANSMIT is set ON, this displays ON.
21   SPEAKER      ON        OFF
22   SIDE TONE    ON        OFF
23   TX DTMF      OFF        Tone test. [CLR] then 00-25. DTMF means touch-tone
                 00 = DTMF 1     01 = DTMF 2      02 = DTMF 3     03 = DTMF A?
                 04 = DTMF 4     05 = DTMF 5      06 = DTMF 6     07 = DTMF B?
                 08 = DTMF 7     09 = DTMF 8      10 = DTMF 9     11 = DTMF C?
                 12 = DTMF *     13 = DTMF 0      14 = DTMF #     15 = DTMF D?
                 16 = 1+2+3      17 = 4+5+6       18 = 7+8+9      19 = *+0+#
                 20 = 1+4+7+#    21 = 2+5+8+0     22 = 3+6+9+#    23 = A+B+C+D?
                 24 = ?          25 = Wake-up-tone. The + signs are use to
                 signify keys simultaneously held on a regular (desk-style)
                 touch-tone phone. These tones are each half of the dual tones
                 the comprise touch tones.
24   RX MODE      BURST     CONT
25   RX TEST      OFF       ON
26   FRME CNT     000000   Frame count.  (of counter)

27   BIT ERR      0000000   Bit Error.   every so often is no big
                                         deal. Hit any key to clear.
28   WATCHDOG     ON        OFF          watch-dog periodically checks the
                                         timing of the different clocks
                                         in the system.  Hit any key to turn
                                         this off and the Phone re-starts
29   HOOK SW      OFF                    Hook Switch - since a bag phone has
                                         no switch hook, always off.
30   HORN MODE    ON        OFF          Toggles indicator light
31   BELL MODE    0         0-9, [SND]
32   RSST         20x                    Received Signal Strength Indicator
33   MICROPHN     ENABLED   DISABLED
34   NVM TEST     RM=0 E=1               Non-Volatile Memory Test
35   COMPANDR     ON        OFF          A Compander compresses speech to
                                         confine energy to the given bandwidth.
36   NVM CLR      USE SND                Non-Volatile Memory [SND]="ACCESS
                                         DENIED"
37   TBL 8325     REV NA0C               MENU,MODEL,REVISION (INITAL SCREEN)
------Modulation------- Don't mess with this stuff - it can screw up your phone
 N0 means channel bank 0. Banks are 0-4. Tune to a mid-band channel using the
 keypad, and tune with [H/F] down and [RCL] for up.
38   MODG CLR     Any Key, 0 = YES        resets options #39,#40,#41 to default.
39   CHN 0991     N0 AMG16  AMG = SAD Deviation.
40   CHN 0991     N0 DMG16  DMG = Signalling tone.
41   CHN 0991     N0 SMG12  SMG = Transmit audio level.
------Digital Potentiometers-- DANGER! Play with this, and you may have to
                               send your phone out for repair.
42   DPOT CLR     Any Key, 0 = YES   resets options #43,#44,#45,#46 to default
43   MICROPHN     14190 OHM
44   EXPANDER     14936 OHM
45   TX LIMIT     12180 OHM
46   SPEAKER      15420 OHM
------Analog Switches-------- Enables/Disables on-board potentiometers.
47   ANALOG SW1   ON         High end of transmit audio
48   ANALOG SW2   OFF        Low end of transmit audio
-----
49   PWR LVL3     DAC0777     power level, reading from digital-analog converter
50   PL3@0000     14          power level @ channel, received signal strength
[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]
© Copyleft 1985-2021, Phrack Magazine.