About
Community
Bad Ideas
Drugs
Ego
Erotica
Fringe
Society
Technology
Phreak
Boxes, Old and New
Bugs and Taps
Cellular Phones
Introduction to Telecommunications
PBX's and Switches
Payphones
Phone Phun
VMB's, Pagers, E-Mail, and S&F Systems
register | bbs | search | rss | faq | about
meet up | add to del.icio.us | digg it

Novatel phone phreaking manual


NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.

+----------------------------------------+
Novatel 8320 Programming, Specifications,
Security, and Misc. Information.

Collected/Compiled by: Kingpin
+----------------------------------------+


ENTERING PROGRAM MODE:

Get your phone into FULL LOCK mode (it should say LOCK on the screen) -
[FCN] [1] [SND]

Then hit "#259"

Once you get into the program mode, you use the up and down volume keys on
the handset to go from option to option. Use "SND" to switch an option on
and off (ie: toggle them), such as in the case of option "IRI SET", which
if it is on will show "SET" and if it is off will show "CLR". Use "SND" to
switch between the two.

When you are done programming, hit END, and END again. You will be able to
use your phone with the new options programmed in.

SCREEN DISPLAY:

CNF 8320 (model number)
REV KA02 (software REVision)
---
SERIAL (ESN - Electronic Serial Number)
xx xxx xxx
---
NAM 1 SEL
0-2 END

-= 0 =-

COMMON
CONFIG
---
INIT REP (INITialize the REPertory 50 number memory)
USE SND
---
LOCKCODE (LOCKCODE to unlock a locked phone)
1234
---
OPTION
QRC SET (allow QuickReCall)
QST SET (allow Quick STore)
WUT SET (Wake Up Tone: The noise the phone makes when you first
power it up. Press CLR to stop tone)
MLH CLR (Mobile to Land Hold. When SET causes the accumulated
air time counter to ignore mobile-originated calls if
they are less than 30 seconds in origination)
LMH CLR (Land to Mobile Hold)
CRU CLR (Call Round Up)
EE SET (Allows touch tone from the keypad)
NLM CLR (No Land to Mobile. When SET causes the air time to
ignore land-originated time)
HAL CLR (Horn ALert option)
ONL CLR (ONLine diagnostics - Tells you the channel numbers
being used, output power, etc.)

-= 1 =-

MAN 1 (System ID 1 - Enabled/Disabled)
ENABLED
---
MIN 312 (Mobile Identification Number)
555-0990
---
SIDH (Service providers ID # - set to 00000 for roaming)
00010
---
IPCH (Initial Paging CHannel, use: 333-A 334-B)
0334
---
OPTION
EX SET (EXtended address)
---
IDCCA (controls IPCH scan start A = MUST be 333)
0333
---
IDCCB (controls IPCH scan start B = MUST be 334)
0334
---
ACCOLC (Access OverLoad Class - What priority it is given when
09 all the channels in a tower are busy)
---
GROUP ID (Standard to the mobile company and/or phone. For
MARK 10 example, Cell One/NY puts all of its Novatel customers
on a GIM of 7)
---
REG TBL
SIZE 1 ( ??? )
---
OPTION
LU SET (Lets you only make calls in your service area.)
---
INVLD ID (Lets you put in up to 4 SIDs which you DON'T want
1 NONE service in.)
2 NONE
3 NONE
4 NONE
---
OPTION
FD SET ( ??? )
MFD SET (Extended DTMF - use SET to set length of tone)
32D SET ( ??? )
PS CLR (Default System. Use CLR for B; use SET for A)
IRI CLR (System Selection. Use CLR to allow)
SSD CLR (Signal Strength indicator. CLR is off; SET is on)

TECHNICAL SPECS FOR NOVATEL:

Communications standard: EAMPS 800-900MHz + extended spectrum
Max RF TX power: 3 watts
Modulation: FM
CPU: Z80 or Z8001 running at 8MHz software on 27512 EPROM
RAM: Dallas semiconductor clock + 16K battery-backed CMOS RAM (emulated
2716 EPROM)

CODES (Use when the phone is LOCKed):

[#] [2] [5] [9] - CONFIG mode
[#] [8] [3] [*] - SERVICE mode
[8] [*] [0] [1] - ESN change - Use in CONFIG mode on ESN screen.
Enter the current serial number (without the 8E
prefix) and [SND], then enter new serial
number. Hit [SND] when done.
[FCN] [9] - With OMT SET, displays scan information
(channel currently used, signal strength, etc.)
[FCN] [8] - With OMT SET, displays data coming across data
channel

TRICKS:

Listen in on calls:

In SERVICE mode, turn volume to maximum by hitting [7] [SND]. Go to the RX
AUDIO selection, and toggle it on by hitting [SND]. You should be able to
hear static on the receiver. Find the channel selection menu, and press
[H/F] and [RCL] to change channels. Listen in on other people's calls.

Call disconnect:

Find the RF POWER selection, and set it to maximum. Find the TX AUDIO
selection and toggle it on. Choose a channel with someone on it. Find the
SAT selection menu, and toggle it on. You have about 5 seconds to talk
before the base stations gets disconnected.

SECURITY MEASURES:

The CPU has 16 bytes of NOVRAM, a counter of how many times the serial
number is changed is stored there. Once the serial has been changed three
times, a flag is set in the EEPROM, the next time you turn the phone on,
the software notes the flag, and mirrors it in the CPU NOVRAM - so even if
you change the EEPROM now, it still won't work. It you manage to change the
EEPROM before turning the phone on again, then you're okay until you try to
change (or even access/display) the serial, at which point the software
notes the discrepancy between the internal counter and the EEPROM and
erases the serial anyway. At this point, the unit has to be sent back to
the factory for a new EEPROM and clearing of the CPU NOVRAM. There would
have been an encryption routine for encrypting the ESN, but that would have
made testing difficult.

-= END =-
 
To the best of our knowledge, the text on this page may be freely reproduced and distributed.
If you have any questions about this, please check out our Copyright Policy.

 

totse.com certificate signatures
 
 
About | Advertise | Bad Ideas | Community | Contact Us | Copyright Policy | Drugs | Ego | Erotica
FAQ | Fringe | Link to totse.com | Search | Society | Submissions | Technology
Hot Topics
VERY simple question: browser history
anyone familiar with ms secure?
how do i hide files in to jpeg
FTP Attackers...
cable tv question
FireWall
What are The Possibilities?
Am I Browsing Securly?
 
Sponsored Links
 
Ads presented by the
AdBrite Ad Network

 

TSHIRT HELL T-SHIRTS