Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Phreaking Cellular - Other Manufacturers :: 9x_oki.txt

OKI 900 Guide to the OKI 900 by: Darkfox




STATION ID - 7047/3.12

9x Datakit Network
FOR OFFICIAL USE ONLY

This is a 9x system, restricted to authorized persons and for
official 9x business only. Anyone using this system, network or data
is subject to being monitored at any time for system administration and
for identifying unauthorized users or system misuse. Anyone using this
system expressly consents to such monitoring and is advised that any
evidence of criminal activity revealed through such monitoring may be
provided to law enforcement for prosecution.



darkfox's (dx's) guide to the Oki 900 - released by 9x in 96
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-


This is meant to be a complete guide to the Oki 900, the #1 phone for
H/P activities. They rule! :)


The Oki 900 is not a new fone.. In fact, they have stopped making them,
but they are available used, and Oki will still sometimes repair yours
if you manage to blow it up. (just don't let them see the solder
marks inside.. hehe)


The Oki 900 has many cool functions, even without being modified.
It has all the standard stuff, like alpha-numeric memories, back-lit display,
and volume settings, and then has some unusual features, such as an
auto-answer system, that can act like a beeper. People can call it, and then
leave they number, and it will be stored in your Oki.

The Oki also has a test mode, and a very nice debug mode. [see below]
The fone can be used as a scanner, so you can monitor cellular conversations.

  - TEST MODE -

The testmode on the fone can be used to test various things.
You can see what cellular channel you currently are using, and see
your signal strength in hex.

To enter the testmode, power up the fone, and enter the following:

* T E S T M O D E #

You then can use the UP/DOWN volume buttons on the side of the fone
and go through a small menu.

 - DEBUG MODE -


Here's how to use the debug mode from the keypad.

Power the phone up.  Wait for PowerOn msg.  Hit 7 and 9 together.
Then hit Menu, Snd, End, Rcl, Sto, Clr. The Phone will say "good timing"
if you did it correctly. If you failed, power off the fone, and try again.

Debugger is now enabled, but phone works normally.  Hit 1 and 3
together to halt phone and enter debugger.  Everything on display
lights up.  Hit Clr, Clr till you get status display.

Now you can execute commands listed below.  For example to reboot phone
enter #, 0, 2, Snd.  Commands all start with # and end with Snd.  Some
take arguments.

You can use #25, to display memory in EEPROM, and I think once in
that command you can hit # and * to go up and down in memory, Clr to
exit.  Hex chars are entered as "*n", like *1=A, *2=B, etc.

Here is a almost complete command list:


SUSPEND     #01         Performs Initialization
RESTART     #02         Terminates the test mode
STATUS      #03         Shows current status of TRU
RESET       #04         Resets the autonomous timer
TURNAROUND  #05    ?    Returns Data Bytes following command to the Test Set.
INIT        #06         Initialize the TRU to following states:
                         Carrier Off, Attenuation - 0db, Receive Audio Muted
                         Transmit Audio Muted, Signaling tone off,
                         Autonomous timer reset, SAT off, and DTMF off
CARRIER ON  #07         Turns the carrier on
CARRIER OFF #08         Turns the carrier off
LOAD SYNTH  #09XXXX     Sets the synthesizer to channel XXXX
SET ATTN    #10X        Set the RF power attenuation to X
                         0=0db, 7=-28 dB (in steps of -4db through 7)
RXMUTE      #11         Mutes the receive audio
RXUNMUTE    #12         Unmutes the receive audio
TXMUTE      #13         Mutes the transmit audio
TXUNMUTE    #14         Unmutes the transmit audio
RESETOFF    #15         Discontinues resetting of autonomous timer
STON        #16         Transmits a continuous signaling tone
STOFF       #17         Stops transmission of signaling tone
SETUP       #18         Transmits a 5 word RCC message (fixed text pattern)
VOICE       #19         Transmits a 2 word (RCC) RVC message (fixed test 
pattern)
RCVSU       #20         Receives a 2 word FCC message (cancel with 0x38)
RCVVC       #21         Receives a 1 word (FCC) FVC message (cancel with 0x38)
SEND-NAM    #22         Returns the information contained in the NAM
VERSION     #23
SEND-SN     #24
MEM         #25XXXX     Displays the resident memory data at XX
                          00XX=in micro, XXXX=EEPROM
WSTS        #28         Count 1 word messages on CC, until TERMINATE
WSTV        #29         Count 1 word messages on VC, until TERMINATE
SATON       #32X        Enable the transmission of SAT X
                         0= 5970 Hz, 1=6000 Hz, 2=6030 Hz
SATOFF      #33         Disables the transmission of SAT
CDATA       #34<60>     Transmits 5 word RCC message (30 bytes)
HITNON      #35         Activates the 1150Hz tone to receive audio line
HITNOFF     #36         Deactivates the 1150Hz tone
LOTNON      #37         Activates the 770Hz tone to receive audio line
LOTNOFF     #38         Deactivates the 770Hz tone
DTMFON      #42XX       Enable the transmission of DTMF frequency XX[2]
DTMFOFF     #43         Disable the transmission of DTMF
?           #44
?           #45
?           #46
?           #47
?           #48
?           #51
-           #52<xx>
?           #53
-           #54XXXXZZ   Write HEX (ZZ) into ADDRESS $XXXX
                        if 00XXZZ then store #$YY in MicoRAM $XX
-           #56         Return Value stored in $BEBB
?           #60
?           #62
?           #63
RCVSU       #64         Receives a 2 word FCC message (duplicate of cmd #20)
COMP-ON     #65         Enable the compressor and expander
COMP-OFF    #66         Disable the compressor and expander
setvol      #67         X-Set volume (0-7) 0=max
SERIAL I/O  #683XX?     Mutes/Unmute Tx/Rx Audio Signal Enable
                        Disable the Compressor/Expander, XX=commanded states.
                            CMD Compress Tx Mute Rx Mute
                            --- -------- ------- -------
                            40  on       unmuted unmuted
                            41  off      unmuted unmuted
                            42  on       muted   unmuted
                            43  off      muted   ummuted
                            44  on       unmuted muted
                            45  off      unmuted muted
                            46  on       muted   muted
                            47  off      muted   muted
?           #72          [pulls something, outputs 1 word!?!]
?           #73<arg>

                      Scans channels,...

                       #73 XXXX xxxx YY

                        XXXX = Start channels scan
                        xxxx = End   channels
                         yy  = Time

?           #74
-           #75         Enable Handsfree (disable spkr)
-           #76         Disable Handsfree (enable spkr)
-           #77         Turns on Loudspeaker near mic
-           #79
?           #80
?           #81
?           #84
?           #85


So...

Let's say you wanted to monitor the calls on channel 100.

1. First, go into debug mode as described above.
2. Then hit #,1,2, SEND
3. Then #77 to make it louder (if you want, otherwise it is hard to hear.
4. Then press #,0,9, 100, SEND.
5. You are now listening to channel 100, press #09 (channel number),
   SEND to change channels.


- MODS -

There are many mods available for the Oki 900.

The mods are modified versions of the fones firmware, on a chip form.
Some Okis have the firmware soldered onto the board, some are socketted.

If you are lucky, yours is socketted, otherwise, I hope you are really good
with a soldering iron. :)

List Of Mods, and what they do:

4711  - a buggy mod, that supposedly let you enter up to 5
        ESNs through the keyboard, and then toggle between them.

4712  - a cleaned up version of the 4711

4713  - ???

4714  - ???

4715  - Lets you enter up to 200+ through a cable connection, or up to 5
        with the keypad. It will use each ESN only 3 times, then go to the
        next one. It makes it VERY hard to trace the fraud pattern.

Vampire - Chip that makes the Oki continually scan for ESN/MIN pairs, and
          then stores them. [this mod supposedly requires additional
          hardware mods. (EF filter?)]


 - CTEK -

 The Cellular Telephone Experimenters Kit or CTEK for short, is made by
Network Wizards. It included both software for your PC, and a special
cable to interface with the Okis proprietary data port. Unfortunately, NW
no longer has any more cables, so if you want one, you'll have to find
someone with an old CTEK, or someone that has learned to make the cable.
Making the cable yourself is not an easy feat, as it contains
microcontrollers, and other assorted electronics.

With the CTEK, you can turn any Oki, modded or unmodded, into a powerful
scanning device, that compares with high priced police equipment. You
can scan for a phone number, and then have the program turn on the audio
when that person makes a call, allowing you to tap into your targets line.

It doesn't allow you to receive ESNs though, so if your looking for a DDI,
look elsewhere.

Conclusion
----------

That about covers the Oki 900. We've discussed the fone itself, the testmode,
the debug mode, mods available, and the CTEK. Now go "aquire" one and have
fun. :)

If you have any questions, look around on alt.cellular.oki.900,
alt.cellular-phone-tech, #cellular, and #9x.


Greetz go to all members of 9x.



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH