+----------------------------------------+
                Novatel 8320 Programming, Specifications,
                    Security, and Misc. Information.

                     Collected/Compiled by: Kingpin
               +----------------------------------------+



ENTERING PROGRAM MODE:

Get your phone into FULL LOCK mode (it should say LOCK on the screen) -
[FCN] [1] [SND]

Then hit "#259"

Once you get into the program mode, you use the up and down volume keys on
the handset to go from option to option. Use "SND" to switch an option on
and off (ie: toggle them), such as in the case of option "IRI SET", which
if it is on will show "SET" and if it is off will show "CLR". Use "SND" to
switch between the two.

When you are done programming, hit END, and END again. You will be able to
use your phone with the new options programmed in.


SCREEN DISPLAY:

CNF 8320            (model number)
REV KA02            (software REVision)
---
SERIAL              (ESN - Electronic Serial Number)
xx xxx xxx
---
NAM 1 SEL
0-2   END


-= 0 =-

COMMON
CONFIG
---
INIT REP            (INITialize the REPertory 50 number memory)
USE SND
---
LOCKCODE            (LOCKCODE to unlock a locked phone)
1234
---
OPTION
  QRC SET           (allow QuickReCall)
  QST SET           (allow Quick STore)
  WUT SET           (Wake Up Tone: The noise the phone makes when you first
                     power it up. Press CLR to stop tone)
  MLH CLR           (Mobile to Land Hold. When SET causes the accumulated   
                     air time counter to ignore mobile-originated calls if
                     they are less than 30 seconds in origination)
  LMH CLR           (Land to Mobile Hold)
  CRU CLR           (Call Round Up)
  EE  SET           (Allows touch tone from the keypad)
  NLM CLR           (No Land to Mobile. When SET causes the air time to     
                     ignore land-originated time)
  HAL CLR           (Horn ALert option)
  ONL CLR           (ONLine diagnostics - Tells you the channel numbers     
                     being used, output power, etc.)


-= 1 =-

MAN 1               (System ID 1 - Enabled/Disabled)
ENABLED
---
MIN  312            (Mobile Identification Number)
555-0990
---
SIDH                (Service providers ID # - set to 00000 for roaming)
00010
---
IPCH                (Initial Paging CHannel, use: 333-A  334-B)
0334
---
OPTION
  EX SET            (EXtended address)
---
IDCCA               (controls IPCH scan start A = MUST be 333)
0333
---
IDCCB               (controls IPCH scan start B = MUST be 334)
0334
---
ACCOLC              (Access OverLoad Class - What priority it is given when 
09                   all the channels in a tower are busy)
---
GROUP ID            (Standard to the mobile company and/or phone. For
MARK  10             example, Cell One/NY puts all of its Novatel customers
                     on a GIM of 7)
---
REG TBL
SIZE  1             ( ??? )
---
OPTION
  LU SET            (Lets you only make calls in your service area.)
---
INVLD ID            (Lets you put in up to 4 SIDs which you DON'T want
  1 NONE             service in.)
  2 NONE
  3 NONE
  4 NONE
---
OPTION
  FD  SET           ( ??? )
  MFD SET           (Extended DTMF - use SET to set length of tone)
  32D SET           ( ??? )
  PS  CLR           (Default System.  Use CLR for B; use SET for A)
  IRI CLR           (System Selection.  Use CLR to allow)
  SSD CLR           (Signal Strength indicator. CLR is off; SET is on)


TECHNICAL SPECS FOR NOVATEL:

Communications standard: EAMPS 800-900MHz + extended spectrum
Max RF TX power: 3 watts
Modulation: FM
CPU: Z80 or Z8001 running at 8MHz software on 27512 EPROM
RAM: Dallas semiconductor clock + 16K battery-backed CMOS RAM (emulated     
     2716 EPROM)


CODES (Use when the phone is LOCKed):

[#] [2] [5] [9]          -  CONFIG mode
[#] [8] [3] [*]          -  SERVICE mode
[8] [*] [0] [1]          -  ESN change - Use in CONFIG mode on ESN screen. 
                            Enter the current serial number (without the 8E
                            prefix) and [SND], then enter new serial        
                            number. Hit [SND] when done.
[FCN] [9]                -  With OMT SET, displays scan information         
                            (channel currently used, signal strength, etc.)
[FCN] [8]                -  With OMT SET, displays data coming across data
                            channel


TRICKS:

Listen in on calls:

In SERVICE mode, turn volume to maximum by hitting [7] [SND]. Go to the RX
AUDIO selection, and toggle it on by hitting [SND]. You should be able to
hear static on the receiver. Find the channel selection menu, and press
[H/F] and [RCL] to change channels. Listen in on other people's calls.

Call disconnect:

Find the RF POWER selection, and set it to maximum.  Find the TX AUDIO
selection and toggle it on. Choose a channel with someone on it. Find the
SAT selection menu, and toggle it on. You have about 5 seconds to talk
before the base stations gets disconnected.


SECURITY MEASURES:

The CPU has 16 bytes of NOVRAM, a counter of how many times the serial
number is changed is stored there. Once the serial has been changed three
times, a flag is set in the EEPROM, the next time you turn the phone on,
the software notes the flag, and mirrors it in the CPU NOVRAM - so even if
you change the EEPROM now, it still won't work. It you manage to change the
EEPROM before turning the phone on again, then you're okay until you try to
change (or even access/display) the serial, at which point the software
notes the discrepancy between the internal counter and the EEPROM and
erases the serial anyway. At this point, the unit has to be sent back to
the factory for a new EEPROM and clearing of the CPU NOVRAM. There would
have been an encryption routine for encrypting the ESN, but that would have
made testing difficult.


-= END =-