• 06-05-98 An implementation of the COMP128 can be found at www.ccc.de - You will need a Linux box for the attack program, but the SIM card emulator itself requires DOS because of the odd Motorola baudrate. The emulator uses the standard season interface, which is basically the same as the ASIM interface. ASIM uses the DSR (pin 6 on a 9 pin SUB-D) and Season uses DCD (pin 1 on a 9 pin SUB-D) to detect a phone issued reset to the SIM. Read about the conversion of your old sat interface into one that ASIM will work with at: http://www.g7hid.demon.co.uk/motorola.htm. One more thing: I believe I make it pretty clear that you should NOT try to make transfers of frame 1, 4 and 5 between phones of different type. I have nonetheless heard from more than 5 people that did this anyway: Putting frame 4 from an 8700 onto an 8200 *IS* the sure way to destroy your phone. Unless you have a backup EEPROM dump, I do not know of a way to fix it.
  • 19-04-98 Updated 50#, 67# & 68# in the test mode command list - Thanks RxT. Some interesting news at www.scard.org/gsm this week ! It means that you should not lend out your SIM and PIN to strangers - It will be interesting to see if the future will bring realistic OTA attacks. Too bad about the A5 - I wonder what "security" agency decided to lobotomize it to 56 bit entropy. If you think they can't listen in on your conversation - think again...
  • 10-04-98 StarTAC news: The new software for the StarTAC (64.09.09), makes the phone bleep (yes, beep-beep) when turned on IF THE PHONE HAS GOT A NON-ORIGINAL BATTERY (that can not be identified as a mot battery from its internal Dallas memory)!!! The phone will work BUT you do NOT see any info on the status of the battery level and you cannot at all charge it from the phone itself !!! An original StarTAC Li battery costs around 160 USD !!! And guess who can 100% dictate (with the Dallas chip) how many recycling cycles it should last... Sorry my friend, your 250 cycles are up (speculation) - time to cough up for a new (original) battery !! Updated the DSC bus info a bit.
  • 04-04-98 The StarTAC does not support analog HF kits. The kit will have to have its own CODEC and DSC bus driver to send the digital speech data via the DSC bus to the DSP (I guess Motorola doesn't want 3rd party HF kits on the market.). Did anyone notice the extra digits displayed after the IMEI on the 8900 ? Could it be a locking status indicator ?
  • 02-04-98 Added quite a few new parameters to the Eng Field Options page.
  • 28-03-98 Added some more detail to the info on how the xtal can be added to the 8700/8800/8900. Added tri-colour LED (à la StarTAC) information to the project page. Rumor has it that mot are going to withdraw the EMMIboxes from the small service shops during '98.
  • 27-03-98 After adding a crystal from an old wristwatch, the 8900 clock runs perfectly. It's a job that requires a steady hand and 20/20 vision !
  • 26-03-98 There are several new parameters available in the 8900 Eng Field Menu: CRO, TO, C2, CBA, CBQ, 2ter, 2bis, ECSC. The XZQTY that obviously wasn't doing anything has been removed. Added a bit to the transfer card page about how the phone can spot a bad transfer frame on the card. Added transfer frame data structure mapping project (phew!) to the project page.
  • 23-03-98 The missing battery backup of the clock has been solved by Ralph. A Li button cell has to be connected between gnd and pin 9 of the 68k - pin 9 has to be lifted off the print before doing this. I hope to get some scans that will show possible ways of placing the xtal and battery. It seems like mot might be introducing a new DSP - The Chinese StarTAC 328c has speechcoder version 12.20 - normally 05.xx indicates a Motorola DSP and 11.xx indicates a Lucent. Testmode command 27# will display "IP Rev" on the very latest 8900 / DB890's (9A.02.11) - thanks Liu !
  • 16-03-98 Got positive feedback about adding the xtal to the 8800 (Eplus). A new test mode command on the 8800 was also discovered. 98x# seems to replace the 02# command - thanks Ralph. More about this on the test card page soon.
  • 14-03-98 A kind person has informed me of the functions of most of the test mode commands that were missing from my list. These are : 03n# DAI, 40# transmit "1", 41# transmit "0", 51# enable sidetone, 52# disable sidetone, 53x# Perform Rat test. If anyone can describe what these are used for (especially DAI, Rat and sidetone) then please drop me a line. Updated the project page a bit.
  • 13-03-98 Added a brief description of what the MODEM chip does. If someone that has knowledge of Motorola DSP cores will write a few lines that describes it, I would really appreciate it.
  • 09-03-98 Chefchen has brought us yet another improved mottool (Thanks !). It has been updated (more models will be recognized). There is also a .txt along with the program that describes exactly what mottool can be used for and what it can't. The version number notation has been changed to the dates of the main program (functions) and the library (phone data). The current version is Main:19980308 Lib:19980308. A project page has been added.
  • 07-03-98 The pages have been updated (at last!). There is now an index frame that I would like you to use (motpages.html) - please bookmark it. From there you can access the newly made FAQ (please contribute to it). I have written a thorough explanation of the different ways of editing the phone configuration using various methods (menu customization) - it should be able to clarify why you should forget everything you heard about the codes and start assembling the SIM card emulator. Please contribute to the wakeup graphics gallery. Perhaps best of all is the information on how to add the clock oscillator that will make the 8700 clock tick (bottom of the hardware page). An updated mottool (v13) is now available. BTW, does this sound familiar: Read what businessweek had to say about mot quality (among other things).
  • 01-12-97 MEDIT program by TST added to the SIM emulator page. It will allow you to easily customize the menu layout of frame #1 as well as uploading custom wakeup graphics (96x32 pixels) from .bmp files. A big thank you goes out to TST for sharing this great editor/customizer with us ! Please send me copies of your custom graphics !
  • 26-11-97 ASIM v2.9 is available. GSM-1800 units are now supported plus a few minor bug fixes (GREAT WORK ANDROID !)
  • 13-11-97 Okay, I am taking a real short break from my writing to try and get up to date on a couple of issues: The clone emulator is working great and I have already heard from several people that finally have been able to activate the Eng Field menu on their 8700 & StarTAC's by copying frame 1 from similar phones that had the menu activated - NICE ! Others have without fear started to edit the frames and customized their phones to a great extent - mainly concerning the 8700 clock. I still want to warn against editing frames - It is associated with great risk. The problem with the 8700 is that even though the clock can be activated and set, it does not run ! It only runs 3 sec. / minute probably because some hardware is missing - could be a Li backup battery or something entirely else. I have been told from a reliable source that it is possible to make it run with "a minor hardware modification". It would require a thorough comparison of StarTAC and 8700 design and since I have neither or even diagrams, then it is not a thing I am able to do. This is a job for someone else (any volunteers?) ! It would be nice to make some organized way of exchanging custom transfer frames but I am not sure how it should be done. If you make a good custom frame, I would like to get a copy. You could perhaps also post it to alt.cellular.motorola along with a detailed description (the S19 format is ideal for posting in the text body) - I know some people will bitch about acm not being a binary group, but if anything is relevant to the group, this for sure is. I have added a tool for the 683xx BDM (Background Debugging Mode) on the hardware page - a fantastic way to dump FLASH & EEPROM content and to halt the processor and look at the RAM and registers at any time using just a 5 wire interface to the processor ! The program requires some electronics skills, but comes highly recommended. 
The ASIM program has been updated (among other things) to work with even more Mot GSM models by supporting the SIM sleep command that is used on older equipment. PCB layouts and SIM commands have also been included. Enough for now - Back to work !
  • 06-11-97 Really short update: A new version of the android's emulator is now available. It will emulate a transfer card on most mot GSM phones as well and even allow you to edit the transfer frames. I haven't got the time (at the moment) to write some guidelines and warnings about the use - But please: Be damn careful - you can get in a *lot* of trouble with improper use, so don't say I didn't warn you.
  • 12-10-97 Extremely good news !!! I have received a design for a SIM card emulator by the android - it will allow you to emulate a test card for very little money and effort. This means that everybody can have a test SIM for less than 10 USD. Look at the page dedicated to this design for more information. Software.txt and imei.txt updated. This is the last update that I am going to make until I have turned in my final paper. Now you know why I probably won't return your mail and update these pages - Normal "service" will resume later. Until then, take care and enjoy the little "farewell" present. See you all later !
  • 09-10-97 Tim has compared several StarTAC stickers and it seems like the "70xx" does report the software version of the phone. The ones seen so far are xx=02 for 97.00.02 which is on the StarTAC-J and xx=33 for 64.08.33 which I believe is the latest version available - Please send me a brief report if you can give me other combinations. The results will be added to sver.txt which can be reached from the HwSw table. Added a few notes to the test card emulation section of the test card page.
  • 03-10-97 It *is* possible to emulate a test card - I have now heard from people that have done it using two very different approaches. The only difference from an ordinary SIM is the AD field as described on the test card page. Again, I would really like to encourage people with PIC experience to try and develop a design which we can distribute so everybody will be able to get a test sim at a low price.
  • 25-09-97 I have removed the pages on the ibt server. The reason is that it was difficult for me to upload updates - Instead of having two copies of the same pages that never are "in sync" (sometimes months between ibt updates and still everybody seems to link to it anyway), I think it's better to just have the image server where they always will be fresh. I would like to thank my friend Morten at ibt for hosting my pages for so long - You would be surprised if you knew the kind of things he has had to put up with ! So everybody: Please update your links to point to the image server ! - Thank you...
  • 23-09-97 It seems like there are several bugs associated with the SMS support on motorola phones. I just found this article on top of the known "8200 powering down when trying to read certain messages" - Did anyone ever check what the reason for this powerdown is (7100# will probably report 08 - MMI requested powerdown, but what is the sub code) ? I got a mail from Mike of M2L electronics : They can sell a TSOP-28 adapter for just 60 USD - this is a *very* good price. So if you are looking for an adapter to dump and program the TSOP-28 EEPROMs, you should drop a note to mike@m2l.com. Thanks to Tim for the missing 6200/7500 carkit menu enable/disable codes.
  • 20-09-97 The test mode activation without the card is *not* software specific. It is due to an EEPROM flag which has not been set properly after/during the manufacture and is clearly a glitch by Motorola. I would be *very* interested in getting an EEPROM dump from such a phone in order to locate the register.
  • 19-09-97 A StarTAC with Sw 64.08.31 will also enter test mode without the card and in addition also accept the 113 code. I would very much like to know if this is general for all StarTAC's with these recent software revisions or if it is because some EEPROM registers have been changed during production. What has gotten into Motorola ??? I will urge everyone with SlimLite's and StarTAC's to try and enter testmode: Hold down "#" for 3 seconds; if testmode is entered, the display will say "Test". Use 19# to display the software version and 01# to exit. Please report back to me if you are successful. 57# will do a "Master Clear" and not affect the lifetime meter on the above StarTAC's.
  • 18-09-97 Some StarTAC software versions will allow you to enter the test mode *without* a test card ! I have had several reports from .au & .cn that Sw 64.08.33 will do this. Please try to confirm this and report the software (19#) version if it works for you - unfortunately this version will not accept the ppp113p1p(ok). Updated the testcard 15# (alert transducer test) command with the 2.7v additions.
  • 15-09-97 Radiophone is back ! The new URL is http://radiophone.dhp.com (check his changelog). Got some feedback on the 2000e, it seems like it is essentially a 90% recycled d460. This means that we can be pretty sure that the Eng Field Options menu does exist in it !
  • 13-09-97 It seems like the 2.7 volt units (d460 and later models) need to have the audiopath set to "earpiece" in order to make the audio loopback mode work. To use the audio loopback mode, enter: 36#, 08# 477#, 434#
  • 07-09-97 I am pissed off ! Some jerk named Leon Vandenberg of Newcom Technologies just sent me 200k worth of UCE for a GSM product. A company which shows such a lack of respect for other people's time and money does not deserve your business ! Please help me try to stop this disgusting net behavior and mail him your thoughts !
  • 05-09-97 These pages are now mirrored at http://www.ax.ru/gsm/ - A big thank you goes out to George for the hospitality !
  • 17-08-97 Mottool v13 is available now (Thank you for working overtime Chefchen). It will display the wake-up graphics of the 8700/StarTAC and Slimlite - If anyone can help with tips on how the checksum is calculated, your help would be appreciated !
  • 10-08-97 Good news for people who blocked their test cards by typing the wrong PIN ! The test card PUK is 12345678 ! To unblock your testcard and give it the PIN 1234, enter **05*12345678*1234*1234# - Thank you Mark Hawkins !
  • 09-08-97 I have been informed of the PA calibration data in the EEPROM (normally read and changed with testcard command 02nn#) - This feature is now incorporated in Mottool v12. Added more entries to the software version document.
  • 07-08-97 I received another confirmation on the StarTAC menu customization codes from Bengt Höjer - plus a confirmation on the slimlite (look at the codes.htm) !! However it seems like only a very few of the phones will accept the codes. The mottool v11 has been available for a couple of days, but I forgot to state it here. Changed the counter cgi-script to a new one. I have tried to clarify the actual differences between the StarTAC models (on the hardware.htm). Oh, by the way: Please feel free to copy the spambot bait at the bottom of default.htm to your own pages ;-)
  • 29-07-97 Even another update from Chefchen ! Mottool v10 will now handle phonebooks better. Did anyone manage to make Stephan Bausson's construction work with SIM cards ?
  • 27-07-97 Received an update (v9) of the EEPROM decoding program from Chefchen - The .dll is no longer needed and the program will also report the 6 digit security code. The Motorola SIM unlocking code is *not* derived from the IMEI - it is stored (encrypted and with a checksum) in the EEPROM.
  • 24-07-97 It has been impossible to get in touch with motspares@bigfoot.com. I have removed all references to the address since the account that it forwards to has been canceled. I have been informed that the South African IMEI checking page will only check that particular operator's blacklist. Known bad IMEI's turned up as good ones using that service (makes it kind of useless). I believe that operators generally aren't very good at updating their databases.
  • 22-07-97 I have added links to some ISO 7816 documentation on the hardware page (SIM card section). This includes an ISO card reader/writer hardware designed by Stephan Bausson - The SIM cards use the ISO 7816 protocol (The design can be simplified if used with SIM cards only - SIM Vpp is only 5 volts and pins 4 & 8 are omitted !).
  • 19-07-97 Added a combine tool to merge two 8 bit dumps into a 16 bit dump - another real useful utility by Chefchen. The 5200 does not have an Eng Field Menu, so there is not much sense in trying to find it. Some more information was added to the Clone card section of tcard.htm . I had mistakenly stated the 29LV800 to be 16 Mbit - It is only 8 Mbit.
  • 15-07-97 I would like to encourage people with programming skills and experience in async. communication to have a look at SIM card emulation - not the GSM algorithm part, just the file serving part ! A lot of documentation exists on the SIM communication and files (ISO 7816 & ETSI GSM TS 11.11) - I am sure that it will be possible to make a computer simulate a test/clone card by making a virtual SIM with the right data in the Administrative Data field.
  • 05-07-97 I am receiving a lot of mail these days from people that want to buy cards. I have written it on my pages and now I am putting it here: I DO NOT SELL ANY CARDS AT ALL !!! If you can't get them from the sources I list on my pages, then I can't help you - Sorry, but that's the way it is. I saw some more d160's, they were made in the UK - The phones are developed in the US and then the production is moved to the UK. Added d470 RF/Logic board scans to the hardware page - legends are soon to follow !
  • 26-06-97 Heard from an 8800 (one2one) user today ! The 8800 has to be switched MANUALLY from 900 to 1800 and vice versa. I thought the whole idea was to do it automatically so you could benefit from the high 1800 capacity in the cities and the better 900 coverage in the urban areas - Big disappointment. Added more detailed explanations to the test card commands that read/edit SIM data. Put up a new version of the eeprom decoding tool from ChefChen (This is starting to look promising !).
  • 25-06-97 Updated many of the chip descriptions (thank you Saras). I am going to start looking into SIM locking since I soon will have a locked phone (Thank you JetCat) - I need a TSOP28 (8mm x 13.4mm, 0.55 mm pitch) and a PLCC32 adaptor for the 28c64 so if anyone has one that they aren't using or can help me find one, I would like to hear from you.
  • 20-06-97 Ryo from .id reported that a StarTAC 80 will accept the codes described for the 7500 ! I thought this was impossible, but he claims to have been able to use the codes for "Copy SIM Phonebook" and "Select Phone Line" after using [][][]070[]0[](OK) and [][][]002[]1[](OK) first. Please try to verify this (also on the d460/8700) and report back. Added a few chip descriptions.
  • 19-06-97 Added a small IMEI decoding utility by Chefchen to the hardware page. My spy in Germany reports some quite interesting uses of the testmode command 34nnnxx#, which seems to be a loopback mode like 36# - Where 36# loops back through the speechcoder, 34nnnxx# seems to loop back through a BTS !!! Talk about screwing up traffic ! I do not understand how this can be done, without the operator's Kc. How can anyone just seize BTS resources and make the BTS loopback !?!? - any takers for an explanation ???
  • 17-06-97 Kurgan has been kind to send me some scans and disassembly instructions for the StarTAC 70 - they can be found on the hardware page. Now for something exciting: It seems like there is a way to enter codes on the older International phones (2000-5200 & 7200)- Ulrich Kienzle informed me of some codes for setup of the 2200 which might have the same software as the other ones. I would like to encourage people with these phones to try and investigate the codes and report back what they find - my old 5200 is trashed at the moment so I can't really do anything from here - remember : be careful and note everything down so you will be able to restore the phone again if anything goes wrong. Read about this on the codes page.
  • 15-06-97 Added explanations to various test card commands. It seems like the German E-plus Surf GSM-1800 phone will not accept the test card... If anyone has broken, locked or otherwise unusable 8700's that they want to sell, please let me know - I need some hardware to experiment with !
  • 14-06-97 I learned today that a polak is running a copy of my Engineering menu page in Polish at GeoCities without any credit or links to me at all - he presents it as his own work - That really pisses me off ! Let me make it clear to everyone: I use a lot of time and energy, maintaining these pages and I would like people to respect that by not copying my work on their own pages. If anyone would like to translate the info to some other language and keep it on their page (like Alessandro and Patrick that are doing a great job), we can work out an agreement, but please ask me before you do ! Now for the updates: To follow GSM MoU guidelines, DCS is now referred to as GSM-1800 and PCS as GSM-1900. GSM-1800/1900 powerlevels added to powerlevel table. Added explanation of the network DRX value which the Engineering menu reports as BS-PA-MFRM.
  • 11-06-97 It seems like I have been a little ahead of time ;-) the dates have been corrected (You got me there Carlos !). Added explanation of the refresh enable/disable.
  • 10-06-97 I had a close look at the d160 & slimlite today. The d160 is a cheap bulky model (can use ordinary AA batteries as well as a NiCd pack) that is going for free with a subscription, but the slimlite is more expensive than the 8700. The new thing is that the slim is made in the US (FAC=67) and both the phones use a small SIM ! (Hmmm, I do not feel like cutting up my testcard - wonder if it will work at all). Updated GC87 ppp113p1p(OK) confirm list. Battery NTC info and 6200 external antenna info added to pinout1.txt
  • 08-06-97 Just passed 10000 hits on the engineering menu page (counter up for 2 1/2 months) - that's 1000 hits/week ! Thank you ! Please be advised that the http://www.ibt.dk/morten/friends/ pages are a mirror ! It is much faster and reliable than the original pages at http://www.image.dk/~jckrarup/ , but it is not updated as often... Link to Ericsson tutorial fixed
  • 07-06-97 I have often thought about making a changelog page like the ones that can be found on radiophone and matt's pages. This will allow you to take a peek at this page instead of flipping and scrolling through the site, trying to spot updates. I will also try to put announcements, general news and rumors here...