Cellular Phone File - #1
written, created and tested by Count Zero {CHiNA}

This simple (?) mod has been tested on the:

    UNIDEN CS-1000/1200 Series
    Cellular MPPS Red 12/13 (Pretty much same as above model)

and has proven effective for over four months running. However, (yes, here
comes the big disclaimer...)

----------------------------------------------------------------------------
                           D I S C L A I M E R

CHiNA and its members claim no responsibility for irresponsible use of the
information and designs contained herein. This file is being presented on a
"for knowledge's sake" basis to the members of the modemming community at
large. Any use of this file except for educational and operational
efficiency purposes is hereby forbidden. So there!

The Conflict * Maxwell Smart * Count Zero * Monalisa Overdrive * The Viper
& Rubiks the Cube
----------------------------------------------------------------------------

What this mod does is prevent a correct unit identification code (called UID
from here on) from being transmitted. The messages sent to and from the
local transmittal stations should be surprisingly familiar to any one of our
readers. But here's the mod and a bit of theory that I used to discover it.

(1) Your individual UID is "burned into" a simple 8x8 EPROM that may be
    erased and "re-written" to accommodate a new code. This may be difficult,
    and in fact IS difficult because you will have a lot of trouble finding
    where it begins and ends.

(2) The contact sequence when you first power up the unit (which usually
    goes on while the handset's "NO SERVC" or "SVC UNAVAIL" is lit) goes
    like this:

    YOU   A0 A0 A0 A0 A0 A0 A0 A0
    IT    ACK or NAK  (up to a max of 4 times)
    YOU   12 3A + UID
    IT    12 3A + UID
    YOU   ACK or NAK
    IT    00 00 00 or FF FF FF  (Available / Not Available)

The best route to handle this is to FORCE your system to ACK when asked if a
false code is its code.
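
The contact sequence above, modelled from the station side as an added example (not part of the original file): it contrasts a station that grants service on the handset's ACK alone with one that also checks the UID against its own records. The byte values come from the sequence in the text; the subscriber registry, the sample UIDs and all function names are constructed assumptions.

```python
# Added illustration of the power-up contact sequence from the text.
# Frame bytes (A0 x8, 12 3A, 00 00 00, FF FF FF) are taken from the file;
# the registry, UIDs and function names below are constructed assumptions.

PREAMBLE = bytes([0xA0] * 8)            # YOU: A0 A0 A0 A0 A0 A0 A0 A0
UID_HEADER = bytes([0x12, 0x3A])        # YOU/IT: 12 3A + UID
AVAILABLE = bytes([0x00, 0x00, 0x00])
NOT_AVAILABLE = bytes([0xFF, 0xFF, 0xFF])

KNOWN_UID = bytes.fromhex("4b1f0c77")    # constructed subscriber UID
UNKNOWN_UID = bytes.fromhex("4a1e0c76")  # constructed UID with no account
SUBSCRIBERS = {KNOWN_UID}                # constructed station-side registry


def frame_ok(preamble, uid_frame):
    """Structural check shared by both stations."""
    return preamble == PREAMBLE and uid_frame[:2] == UID_HEADER


def station_weak(preamble, uid_frame, handset_reply):
    """Grants service whenever the handset ACKs the echoed 12 3A + UID frame.
    The ACK is produced by the handset, so it proves nothing about the UID."""
    if not frame_ok(preamble, uid_frame):
        return NOT_AVAILABLE
    return AVAILABLE if handset_reply == "ACK" else NOT_AVAILABLE


def station_hardened(preamble, uid_frame, handset_reply):
    """Treats the ACK only as confirmation that the echo arrived intact and
    decides availability from the station's own subscriber records."""
    if not frame_ok(preamble, uid_frame) or handset_reply != "ACK":
        return NOT_AVAILABLE
    return AVAILABLE if uid_frame[2:] in SUBSCRIBERS else NOT_AVAILABLE


def run_session(station, uid, handset_reply="ACK"):
    """Plays one contact sequence; handset_reply is whatever the handset
    sends, and the station cannot tell an honest ACK from a forced one."""
    return station(PREAMBLE, UID_HEADER + uid, handset_reply)


if __name__ == "__main__":
    for station in (station_weak, station_hardened):
        for uid in (KNOWN_UID, UNKNOWN_UID):
            print(station.__name__, uid.hex(), run_session(station, uid).hex())
```

A registry lookup only rejects codes the station has never issued; as the file itself notes, a false code that happens to be someone else's legit code still matches, so the UID by itself is an identifier and not proof of who is sending it.
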

The following should outline the procedure:

You will need:

    * A Temperature-Controlled Soldering Iron
    * Rosin-Core Solder
    * Solder wick (for you slobs)
    * Pair of Diag-Cutters (or wire-cutters)
    * About 15 minutes of time.

Step 1 - Unplug the unit and allow to sit for at least a half hour to allow
         all capacitors to become completely discharged. Also, as a
         precaution, "discharge" yourself on a common ground (no woolly
         socks, ok?) Remove cover from "handset" portion (yes, the one with
         the keypad)

Step 2 - Locate the indicated EPROM. It should have a serial number that
         begins with an "IA" prefix and will be noted on the circuit board
         as "IC4" or "IC5". Given this knowledge and the following picture:

              +5v -!-------!- GND
                  -! IA... !- RST
                  -!       !- +1.5v
                  -!       !- IC4
               D1 -!       !- D5
               D2 -!       !- D6
               D3 -!       !- D7
               D4 -!-------!- D8

         ...you should be able to find it.

Step 3 - Cut the D1 pin and pull completely back from the motherboard at a
         90 deg angle. This will not interfere with your system messages but
         will disable any "odd number" from being sent! Thus your code alone
         will come out false.

Step 4 - Locate the following components:

         R14 - Resistor #14    1.5 ohm   Cut and jumper with solder and
                                         small gauge wire
         R15 - Resistor #15    3.5 ohm   Cut and replace with 1.5 ohm from
                                         previous step
         C22 - Capacitor #22             Cut and leave out!

         Now make sure you have no "cold" joints and all soldered points are
         secure! If you are going to screw up at any point in the procedure,
         this will be it. Make sure to double-check your work! I don't want
         anyone weeping to me because their handset is now fused to their
         right ear!

Step 5 - (explanation of Step 4) This step "forces" the system to send an
         ACK (by routing the NAK trigger through ACK output) and thus
         verifying the bogus code.

Step 6 - Reassemble handset. Just a hint, do NOT go overboard on your calls
         as these calls are not free, they are just being billed to another
         person's code (if it is a legit code). Again, re-read the
         disclaimer.

Step 7 - Operate the unit normally.

TROUBLESHOOTING:

    Problem                          Solution

  * NO POWER                         Be sure all power leads were
                                     reconnected correctly when you put the
                                     handset back together.

  * STILL GETTING CHARGED FOR        Cut the correct pin from the IC! If
    CALLS                            still getting charged, cut D2 as well
                                     though this may be risky.

  * CALLS "CAN'T BE COMPLETED"       Recheck mods made in Step #4.
    AS DIALED or SYSTEM UNAVAILABLE

Well, this should get you started. A few notes before I go:

Thanks to The Conflict (for the inspiration), Maxwell Smart (for that
"Smart" report on Operation Wolf), Monalisa Overdrive (for letting me call
him repeatedly while testing this mod out!), Lord Blix (for the cracking
help when I needed it), The Viper (because he wants to be thanked)

Call one of our CHiNA nodes today for the latest in "knowledgeable" text
files unlike other groups...

OVER AND OUT ---------> COUNT ZER0 !

+- Shamelessly Leeched from The Mudd Club -+