
Cellular phone File #1 by Count Zero

                      Cellular Phone File - #1
                     written, created and tested
                           by Count Zero

This simple (?) mod has been tested on the:

               UNIDEN CS-1000/1200 Series Cellular
               MPPS Red 12/13 (Pretty much same as above model)

and has proven effective for over four months running.  However, (yes, here
comes the big disclaimer...)

                           D I S C L A I M E R

        CHiNA and its members claim no responsibility for irresponsible
use of the information and designs contained herein.  This file is being
presented on a "for knowledge's sake" basis to the members of the modemming
community at large.  Any use of this file except for educational and
operational efficiency purposes is hereby forbidden.

                              So there!

The Conflict * Maxwell Smart * Count Zero * Monalisa Overdrive * The Viper
                          & Rubiks the Cube

What this mod does is prevent a correct unit identification code (called UIC
from here on) from being transmitted.  The messages sent to and from the
local transmittal stations should be surprisingly familiar to any one of our

But here's the mod and a bit of theory that I used to discover it.

(1) Your individual UID is "burned into" a simple 8x8 EPROM that may
    be erased and "re-written" to accommodate a new code.  This may be
    difficult, and in fact IS difficult because you will have a lot of
    trouble finding where it begins and ends.

(2) The contact sequence when you first power up the unit (which usually
    goes on while the handset's "NO SERVC" or "SVC UNAVAIL" is lit) goes
    like this:

                YOU     A0 A0 A0 A0 A0 A0 A0 A0
                IT      ACK or NAK (up to a max of 4 times)
                YOU     12 3A + UID
                IT      12 3A + UID
                YOU     ACK or NAK
                IT      00 00 00 or FF FF FF
                       (Available / Not Available)

The best route to handle this is to FORCE your system to ACK when asked
if a false code is its code.

The following should outline the procedure:

        You will need:

                * A Temperature-Controlled Soldering Iron
                * Rosin-Core Solder
                * Solder wick (for you slobs)
                * Pair of Diag-Cutters (or wire-cutters)
                * About 15 minutes of time.

Step 1 - Unplug the unit and allow to sit for at least a half hour to allow
         all capacitors to become completely discharged.  Also, as a
         precaution, "discharge" yourself on a common ground (no woolly
         socks, ok?)  Remove cover from "handset" portion (yes, the one with
         the keypad)

Step 2 - Locate the indicated EPROM.  It should have a serial number that
         begins with an "IA" prefix and will be noted on the circuit board
         as "IC4" or "IC5".  Given this knowledge and the following picture:

                    +5v -!-------!- GND
                        -! IA... !- RST
                        -!       !-
                  +1.5v -!       !-
          IC4       D1  -!       !-  D5
                    D2  -!       !-  D6
                    D3  -!       !-  D7
                    D4  -!-------!-  D8
         you should be able to find it.

Step 3 - Cut the D1 pin and pull completely back from the motherboard at
         a 90 deg angle.  This will not interfere with your system messages
         but will disable any "odd number" from being sent!  Thus your code
         alone will come out false.

Step 4 - Locate the following components:

                R14 - Resistor #14      1.5 ohm
                        Cut and jumper with solder and small gauge wire

                R15 - Resistor #15      3.5 ohm
                        Cut and replace with 1.5 ohm from previous step

                C22 - Capacitor #22
                        Cut and leave out!

Now make sure you have no "cold" joints and all soldered points are secure!
If you are going to screw up at any point in the procedure, this will be it.

Make sure to double-check your work!  I don't want anyone weeping to me
because their handset is now fused to their right ear!

Step 5 - (explanation of Step 4)
         This step "forces" the system to send an ACK (by routing the NAK
         trigger through ACK output) and thus verifying the bogus code.

Step 6 - Reassemble handset.

Just a hint: do NOT go overboard on your calls, as these calls are not free,
they are just being billed to another person's code (if it is a legit code).

Again, re-read the disclaimer.

Step 7 - Operate the unit normally.


        Problem                 Solution

* NO POWER                      Be sure all power leads were reconnected
                                correctly when you put the handset back

* STILL GETTING CHARGED FOR     Cut the correct pin from the IC!
  CALLS                         If still getting charged, cut D2 as
                                well though this may be risky.

* CALLS "CAN'T BE COMPLETED"    Recheck mods made in Step #4.
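
The checks below are an added example, not part of the original file: they show, from the station's side, why the handset's own ACK (Step 5) confirms nothing and how a cut data line (Step 3) is visible in the identifier itself. The 8-byte UID length, the mapping of bit 0 to D1, the registry and the sample values are assumptions.

```python
# Added example: station-side validation of the "12 3A + UID" frame.
# Assumptions (not in the original file): UID is 8 bytes, bit 0 of every
# byte travels on data line D1 (bit 1 on D2, ...), registry is a plain set.
HEADER = bytes([0x12, 0x3A])   # prefix shown in the contact sequence
UID_LEN = 8                    # assumed length

def stuck_lines(uid: bytes) -> dict:
    """Return data lines that never change state across the UID bytes."""
    low, high = 0xFF, 0xFF
    for b in uid:
        low &= ~b & 0xFF       # bits that are 0 in every byte so far
        high &= b              # bits that are 1 in every byte so far

    def names(mask: int) -> list:
        return [f"D{i + 1}" for i in range(8) if (mask >> i) & 1]

    return {"stuck_low": names(low), "stuck_high": names(high)}

def check_id_frame(frame: bytes, registry: set) -> list:
    """Judge the frame on its content, never on the handset's ACK/NAK."""
    if len(frame) != len(HEADER) + UID_LEN or frame[:2] != HEADER:
        return ["malformed_frame"]
    uid = frame[2:]
    findings = []
    lines = stuck_lines(uid)
    constant = lines["stuck_low"] + lines["stuck_high"]
    if constant:
        # Heuristic only: a healthy 8-byte UID has a given line stuck low
        # by chance about 1 time in 256, so treat this as a lead, not proof.
        findings.append("constant_data_line:" + ",".join(constant))
    if uid not in registry:
        # The authoritative check: the station decides, not the handset.
        findings.append("uid_not_provisioned")
    return findings

# Constructed sample values, not real identifiers.
GENUINE = bytes.fromhex("4b1fa2c37e905d68")
TAMPERED = bytes(b & 0xFE for b in GENUINE)   # D1 held low: no odd bytes
REGISTRY = {GENUINE}

if __name__ == "__main__":
    print(check_id_frame(HEADER + GENUINE, REGISTRY))
    print(check_id_frame(HEADER + TAMPERED, REGISTRY))
```
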

Well, this should get you started.  A few notes before I go:

Thanks to The Conflict (for the inspiration), Maxwell Smart (for that "Smart"
report on Operation Wolf), Monalisa Overdrive (for letting me call him
repeatedly while testing this mod out!), Lord Blix (for the cracking help when
I needed it), The Viper (because he wants to be thanked)

Call one of our CHiNA nodes today for the latest in "knowledgeable" text files
unlike other groups...

OVER AND OUT ---------> COUNT ZER0 !

+- Shamelessly Leeched from The Mudd Club -+