==Phrack Magazine==

Volume Seven, Issue Forty-Eight, File 7 of 18

TANDY / RADIO SHACK CELLULAR PHONES
REBUILDING ELECTRONIC SERIAL NUMBERS AND OTHER DATA

By Damien Thorn

LEGAL CRAP (mandated by our cheap-suit, can't-afford-cigars, polyester-pants-wearing, no-practice-having, almost-disbarred, old-fart legal counsel who only charges us $20 / hour because he meant to retire when he was 70 but lived a few years longer than he expected... hell, we love him!)

Contents copyright 1994, 1995 Phoenix Rising Communications. Software copyright 1993, 1994, 1995 as indicated. All Rights Reserved. Distribution of contents in hard-copy form is forbidden. Redistribution in electronic form is permitted only as outlined in the Phrack licensing agreement, provided this article is not segregated from the other editorial contents of Phrack #48.

Use caution when rebuilding corrupt serial numbers, and avoid lending your talents to further the goals of unscrupulous people. Altering the serial number of a cellular transceiver is a violation of the FCC rules, and the U.S. Secret Service is charged with the responsibility of investigating fraudulent activity.

All of this material was developed in-house and not provided or endorsed by the manufacturer. Brand names and trademarks are used for identification purposes only and are the property of their respective owners. Use of same within this article definitely does not imply agreement with or endorsement of the material presented, and probably aggravates them to no end.

There are no guarantees or warranties with regard to the accuracy of this article. Although we've done the best job that we can, we may be wrong. Happens all the time. If you damage a phone or inadvertently start a global thermonuclear war, that's your problem. Don't come crying to us, or make us fork over another twenty bucks to the old shyster. What you do with this information is your responsibility.
INTRODUCTION

While manufacturers publish service manuals for their cellular transceivers, they have an annoying habit of omitting certain data pertaining to memory devices and the arrangement of the data stored inside them. Since this stored information includes the electronic serial number (ESN), the lack of documentation can easily be excused as a way to avoid unwittingly facilitating fraud. The drawback to the 'security through obscurity' approach is that service technicians who have a legitimate need to reprogram these memory devices are unable to do so.

The Nokia-designed transceivers discussed in this article are an excellent example. Since the ESN is stored in the same electrically-erasable programmable read-only memory (EEPROM) device as the numeric assignment module (NAM) information, corruption of the data can be catastrophic to the operation of the phone. Since the handset programming mode of these Nokia units actually write-enables the memory device to store the alterable parameters, an errant pulse from the microprocessor, dropped bits or a supply voltage falling out of tolerance can cause the ESN or checksum to be overwritten or otherwise rendered useless. Should this occur, dealers have had little recourse but to ship the transceiver back to the factory for repair. Until now, that is.

The goal of Phoenix Rising Communications in producing this documentation is to empower technicians to do the job they have been educated and hired to perform. This guide to Tandy and Radio Shack cellular phones will enable the technician to rebuild the corrupt data within this series of transceivers with confidence. The information in this article was developed from the installed and transportable versions of the most commonly purchased phones from Radio Shack stores. These units were sold for many years, and were finally replaced last year with a new, redesigned model.
The data presented here can probably be applied to certain compatible Nokia transceivers as indicated later in the text.

CHAPTER 1

This publication is designed to provide supplemental information to assist in the servicing of cellular mobile telephones manufactured by Tandy Corporation under license from the Nokia Corporation. It is not meant to be a replacement for the factory service manual. Any shop needing to perform component-level repairs should definitely obtain the factory documentation from Tandy National Parts.

Our primary goal is to explain the contents of the numeric assignment module, or NAM. In these particular phones, both the NAM parameters and the electronic serial number (ESN) are stored within the same electrically erasable programmable read-only memory (EEPROM) device. The problem inherent in this engineering decision is that the ESN stored within this chip is not necessarily permanent. Since the chip can be erased or reprogrammed, certain circumstances could possibly cause the ESN to become corrupt. These include improper signals from the microprocessor, induced currents, or a power interruption during NAM programming as the write cycle is taking place.

Since the available service literature does not describe the functions of this serial EEPROM or the data contained within, service personnel would have to return the transceiver to the manufacturer for service. This is not cost effective in terms of time or money for either the shop or the cellular customer. Technicians who invest a little time to become familiar with the data stored within the NAM circuitry, including the placement of the ESN and checksum byte, can service these types of problems in-house and with little difficulty.

Basic instructions for peaking the transceiver's RF sections have also been included herein as a convenience. While the phone is open and on the test bench, the customer's transceiver should also be given a quick check for proper alignment.
EQUIPMENT REQUIRED

Other than basic hand tools, disassembly of the phone requires a soldering iron with a medium-sized tip and a vacuum de-soldering tool. Good-sized solder removal braid may be used in conjunction with, or in lieu of, the de-soldering tool.

To correct data that has become corrupted within the EEPROM, a programming device is required that is capable of reading and burning an 8-pin DIP integrated circuit. One such inexpensive device is listed in Appendix III. An individual who is familiar with the memory device involved has written a program in the BASIC language to allow the programming of this chip via the parallel port of an IBM-compatible personal computer. The source code for this program can be found in the appendix, and is provided as a reference only. Such software is subject to the peculiarities of the host PC and therefore cannot be recommended for use in place of a standard PROM programmer. Older versions of GW-BASIC are preferred to Microsoft's current QBASIC interpreter.

MODELS COVERED

The information presented is believed to cover all of the installed and transportable (bag phone) cellular transceivers manufactured by the Tandy Corporation under license from the Nokia Corporation up until about a year ago. Tests have been conducted on a random selection of these phones with manufacture dates ranging from 1989 through early 1994. All versions of the "TP" firmware through January 1994 should be supported.

Although no house-branded OEM Nokia transceivers have been tested, we have surmised that this information is applicable to several models based on the same or a similar design. These models include the Nokia LX-11, M-11, M-10 and the Nokia-Mobira P4000 (PT612). Some of these units, like the very old Radio Shack equivalents, will require a service handset to program. More on that in the next issue of Phrack.
HAND-HELD UNITS

Only one of the hand-held cellular phones previously sold through Radio Shack utilizes a discrete surface-mounted integrated circuit to store the ESN and NAM parameters. If you have the capability to read and program this SOIC 93C46 memory device you may be able to extrapolate the PROM dumps in this guide to work with this phone. Due to the difficulty in disassembling this unit and the delicate nature of the surface-mounted EEPROM, the reader is cautioned against attempting to service these in-house.

DISASSEMBLY

Prior to disassembling the transceiver, all antenna and cables, including the handset, should be disconnected from the jacks on the unit. To aid in disassembly and component location, the original hard-copy version of this publication contained several pages of photographs. While the hard-copy version is available (see end of article), you will hopefully be able to figure out what we're talking about without them.

Disassembly begins by snapping the plastic end panel from the black transceiver cover. Some units just pop up and off, while others have two small plastic tabs on each side that must be depressed to free the end panel for removal. With the end panel removed, the top plastic cover is now free to slide off. With this cover removed, the metal transceiver itself can be dumped from the remaining plastic housing by turning it upside down, or by pulling up on the metal heat sink assembly that comprises one side of the transceiver unit.

There is a metal shield on each side of the transceiver (top and bottom). One is a solid piece of thin sheet metal, and the other is broken up into smaller, individual shields soldered to the transceiver chassis. The shield that needs to be removed is the solid one. It is only held in place by friction grips along the edges, and can be pried off with your fingers. Once the shield is removed from the proper side of the transceiver, the solder side of the logic board will be exposed.
This board must be removed to gain access to the component side. Take static precautions so as not to fry the CMOS silicon that is currently hidden from view. Other than several connectors that mate between the two boards, the board is usually held in place by several blobs of solder spaced along the edge of the board. These small 'solder welds' serve as a ground bond between the board and the transceiver chassis, and are not electrically necessary under normal circumstances.

Once the solder ground bonds have been melted and removed with a de-soldering tool or solder wick, use a pair of needle-nose pliers to gently bend back the small metal tabs holding the circuit board in place. Before proceeding, inspect the foil side of the board to ensure that no solder has splashed on the board during de-soldering, and that the foil traces where the work was performed are still intact. This last step is where most trouble arises. These boards are delicate, and a heavy hand while prying or bending will almost ensure that a trace or five will be transected when the tool slips. If this happens, resolder the traces to undo the damage.

At this point the logic board is held in place only by pins on the transceiver board sticking up into sockets on the logic board. Gripping the edges of the logic board with your fingers and pulling straight up will disengage the connectors and allow the logic board to pull free of the transceiver. Slightly rocking the board from each side may aid in the removal. Do not grip the board with pliers, or damage can result to the small chip resistors and other components mounted on the solder side of the board. Once dislodged, you'll have two separate circuit boards.

THE LOGIC BOARD

The board that supplies logic and control functions for the cellular mobile telephone is easily identifiable by the microprocessor and the 27C512 EPROM containing the operating firmware.
The EPROM's erase window is covered by a protective sticker that identifies the firmware version stored therein. Within the last few years, the version has ranged from TP-2 through TP-8.

Also on this board is the serial EEPROM where the ESN and NAM parameters are stored. This chip is an 8-pin DIP located in a socket near pin #1 of the NEC microprocessor. It is usually covered with a small paper sticker bearing the last few digits of the serial number stored inside. While security experts may blast Nokia for designing a phone that stores the ESN in a socketed chip, and then says "here I am" by placing a sticker on it, this is a dream come true for any technician facing issues of data corruption.

THE SERIAL EEPROM

The serial EEPROM containing all of this data is a PCD8572 (or 85C72) manufactured by Microchip Technology, Inc. This 8-pin device is a 1 kbit (128 x 8) CMOS serial electrically erasable PROM. The pin configuration for the device can be found in the appendix. Power is supplied to this chip only when the microprocessor is performing a read or write operation. Transistor Q115 (surface mounted to the underside of the logic board, right about in the middle) switches the supply voltage on and off. Should power be interrupted during the write cycle, the ESN may become corrupt.

REBUILDING THE ESN

To replace the damaged serial number, note the unit's serial number from the cellular service agreement or the phone itself. The ESN (in decimal) is located on a white paper sticker applied to the side of the metal transceiver chassis. It is also stamped into the plastic model identification plate on one side of the plastic outer housing.

For reprogramming, the ESN must be converted to hex. Note that the eleven-digit decimal ESN is really two fields, a three-digit manufacturer code (165 for Tandy, which is A5 hex) followed by an eight-digit serial number, and each field must be converted on its own: the manufacturer code becomes one byte and the serial number becomes three bytes. Converting all eleven digits as a single number gives the wrong answer. A scientific calculator or any number of public domain computer programs will simplify the task.

CONTENTS OF NAM

Once the original serial number has been determined, carefully remove the 8572 EEPROM from the socket and place it in the adapter required by your PROM programmer.
Reading the contents of the chip, you'll see data as depicted below. Note that these data dumps are simulated for illustrative purposes. The ESN and encoded MIN bytes are not legitimate numbers, so don't bother 'testing' them.

The first five bytes of data contain the security code. These bytes are the hex values of the ASCII characters 0 through 9, and thus appear as "3X" where "X" is the actual digit of the security code. A factory security code of 1 2 3 4 5 would be represented in bytes 00 through 04 as follows:

31 32 33 34 35

Since you will require the security code to enter handset programming mode, please note the current security code or program these bytes with your shop's standard default.

UNDERSTANDING ADDRESSES

Some cellular technicians have little experience in the digital world. Service monitors and watt-meters are expensive and wonderful devices, but sometimes you need to do a little more than tweak a pot to fix a phone. The digitally literate can skip this oversimplified explanation.

To assist in reading the locations of the various bytes in the EEPROM, understand that each line (as usually displayed on a programmer) contains sixteen (16) bytes. The first line begins with byte 00, then 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E and finally 0F. The second line begins with 10, then 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, and 1F as the last byte of the line. The third line runs from 20 through 2F, the fourth from 30 through 3F, and so on. You now know how to count in base 16 (hex)!

As an example, the locations used by the phone end at byte 3D. That byte holds the checksum discussed later; the simulated dump below shows 00 there rather than a valid checksum value. Beginning with the next byte (3E), a repetitive pattern of alternating values of AA and 55 is stored. This is just 'test' data and is never read by the phone. The chip itself ends at byte 7F, and your PROM programmer may display FF following byte 7F to indicate the non-existence of these locations in the chip.
8572 EXAMPLE DATA DUMP

0000 31 32 33 34 35 0A FF 21 A5 38 25 82 0F 25 17 1A
0010 00 00 00 00 24 15 B1 C3 24 04 A3 21 16 2D 11 AA
0020 0A 00 00 64 6C B3 32 00 27 00 01 01 11 11 11 11
0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF 00 AA 55
0040 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
0050 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
0060 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
0070 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55

THE CRUCIAL SERIAL NUMBER

The hex ESN for any given phone is 32 bits long: eight hex digits, which we treat here as four bytes. Throughout this article a 'byte' means a two-digit hex value, not a single hex digit. For our example, we're using the fictitious ESN of A521FF0A. All Radio Shack phones will have an ESN beginning with A5 hex (165 decimal). This is the "manufacturer's code" prefix that has been assigned to Tandy. Breaking the ESN into four bytes as viewed on the PROM programmer, the ESN would appear as:

A5 21 FF 0A

Refer back to the example dump of the data within the 8572 IC. Immediately following the security code is the ESN, stored in reverse byte order (least significant byte first). With the security code occupying bytes 00 to 04, the ESN is located in bytes 05, 06, 07 and 08. Byte 09 contains the value 38. It should always contain 38. In the example, beginning with byte 05 you can read the ESN (in reverse sequence) as:

0A FF 21 A5

The examples below will assist you in visualizing the bytes containing the security code and the electronic serial number. The programming and placement of these two crucial pieces of data is fairly straightforward. Using the buffer editor function of the PROM programmer, you can simply type over the garbage that may be present in these locations with the correct values for the security code and the ESN. Double check your data entry!

OTHER ADDRESSES

The entire NAM data is stored in the remaining locations of this chip.
Bytes 0A, 0B and 0C contain the firmware revision date, and bytes 0D through 0F contain the installation date as programmed via the handset programming mode. Other bytes contain the encoded Mobile Identification Number (MIN), Station Class Mark (SCM), etc. These various bytes do not need to be reprogrammed through your PROM burner, as they can all be corrected via handset programming. Only the security code and ESN must be properly reprogrammed directly to the chip itself. For more information on the locations of this other data, refer to the source code in Appendix A. It allows you to see where (and how) this other data is stored within the NAM. The last item to program is the checksum.

THE SECURITY CODE: BYTES 00 - 04

0000 31 32 33 34 35 XX XX XX XX XX XX XX XX XX XX XX

THE ESN: BYTES 05 - 08

0000 XX XX XX XX XX 0A FF 21 A5 XX XX XX XX XX XX XX

LOCATING THE CHECKSUM

There is a one-byte device checksum stored within the 8572 that is used by the phone to check the integrity of the data stored therein. The checksum is located at byte 3D, indicated by "XX" in the example below. The checksum is derived from all the data stored in the NAM, not just the ESN. Computing it is relatively easy, as it is simply the sum (in hex) of all the values from bytes 00 through 3C, the bytes shown with values in the BYTES SUMMED TO DERIVE CHECKSUM dump below (excluded bytes are shown as "..").

Assuming the PROM programmer has a checksum function, you can enter the beginning address as 0000 and the ending address as 003C. The software will add all of the values between these locations and give you the sum. The alternative is to add the numbers manually using the hex mode of a scientific calculator. Either way, adding the hex values of all the bytes between 00 and 3C of our example yields a sum of 0B5E. The least significant byte of the sum is the actual device checksum that would be programmed in location 3D. In our example, the least significant byte is 5E. Ignoring the most significant half of the sum (0B), a value of 5E must be programmed to location 3D.

Keep in mind what this checksum is and is not: a plain additive sum catches the accidental corruption discussed earlier, but it is no obstacle whatsoever to deliberate modification, since anyone who can write the chip can recompute it. The integrity of the ESN in these units rests entirely on physical control of that socket.
Note that the checksum will be recomputed and will change after handset programming. When the MIN or other data is changed, it alters the values in various bytes. The checksum encompasses all of the data stored within the chip that is used by the transceiver's firmware.

CHECKSUM LOCATION

0000 31 32 33 34 35 0A FF 21 A5 38 25 82 0F 25 17 1A
0010 00 00 00 00 24 15 B1 C3 24 04 A3 21 16 2D 11 AA
0020 0A 00 00 64 6C B3 32 00 27 00 01 01 11 11 11 11
0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF XX AA 55
0040 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
0050 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
0060 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
0070 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55

BYTES SUMMED TO DERIVE CHECKSUM

0000 31 32 33 34 35 0A FF 21 A5 38 25 82 0F 25 17 1A
0010 00 00 00 00 24 15 B1 C3 24 04 A3 21 16 2D 11 AA
0020 0A 00 00 64 6C B3 32 00 27 00 01 01 11 11 11 11
0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF .. .. ..
0040 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
0050 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
0060 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
0070 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..

DEFAULT VALUES

In the event that all of the data stored within the NAM becomes corrupt, the technician will need to program the security code, the ESN, and certain default data values to allow the phone to power up. Once powered up, all of the other data can be automatically reconstructed by the phone using the handset programming mode.

Since the factory does not provide any information about the contents of the 8572 EEPROM, we are unsure of the function of this 'default data.' It seems to have little significance. The bytes shown with actual values (rather than "XX") in the DEFAULT DATA VALUES dump below are fairly typical. Ideally the technician should compare the contents of an operational phone with equivalent firmware to determine the values for those locations, but if this is not possible then the values provided in the example may suffice.
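As an added example (not code from this article, from Tandy or from Nokia), the layout, checksum rule and rebuild steps described above, carried through in Python: it reads a programmer-style dump, pulls out the security code and ESN, verifies the checksum, converts a sticker-style decimal ESN into hex one field at a time, and rebuilds a bootable image from the security code, the ESN and the default data values (taken from the DEFAULT DATA VALUES dump that follows). The layout is assumed exactly as the article describes it and has not been checked against hardware; the dump and the decimal ESNs are the article's simulated and fictitious ones, and the function names are ours.

```python
"""Decode, verify and rebuild the 8572 NAM image described in this article.

Added example, not code from the article, Tandy or Nokia. Assumed layout
(as the article describes it, not verified on hardware): security code as
five ASCII digits at 00-04, ESN at 05-08 in reverse byte order, byte 09 = 38,
checksum at 3D = low byte of the sum of bytes 00-3C, AA/55 filler from 3E to
7F, plus the DEFAULT DATA VALUES the article lists. The dump and decimal
ESNs are the article's simulated/fictitious ones, not real phones.
"""

CHIP_SIZE = 0x80
SEC_CODE = slice(0x00, 0x05)
ESN = slice(0x05, 0x09)
CHECKSUM_ADDR = 0x3D
FILLER_START = 0x3E

# The article's simulated "8572 EXAMPLE DATA DUMP". Byte 3D holds 00 rather
# than a valid checksum, so verify() is expected to complain about it.
EXAMPLE_DUMP = """
0000 31 32 33 34 35 0A FF 21 A5 38 25 82 0F 25 17 1A
0010 00 00 00 00 24 15 B1 C3 24 04 A3 21 16 2D 11 AA
0020 0A 00 00 64 6C B3 32 00 27 00 01 01 11 11 11 11
0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF 00 AA 55
0040 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
0050 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
0060 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
0070 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
"""

# Default values the article says let the phone boot after a total loss:
# byte 09, bytes 10-13 and bytes 27-3C. Everything else (MIN, SCM, dates...)
# is rebuilt afterwards through handset programming.
DEFAULTS = {0x09: 0x38, 0x10: 0x00, 0x11: 0x00, 0x12: 0x00, 0x13: 0x00}
DEFAULTS.update(enumerate(bytes.fromhex(
    "00 27 00 01 01 11 11 11 11 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF"),
    start=0x27))


def parse_dump(text):
    """Turn a programmer-style hex dump (address + 16 cells) into 128 bytes."""
    img = bytearray(CHIP_SIZE)
    for line in text.strip().splitlines():
        addr, *cells = line.split()
        for i, cell in enumerate(cells):
            img[int(addr, 16) + i] = int(cell, 16)
    return img


def checksum(img):
    """Plain additive checksum: low byte of the sum of bytes 00 through 3C."""
    return sum(img[:CHECKSUM_ADDR]) & 0xFF


def security_code(img):
    return img[SEC_CODE].decode("ascii")


def esn_hex(img):
    """Stored order 0A FF 21 A5 -> the ESN as printed, A521FF0A."""
    return bytes(reversed(img[ESN])).hex().upper()


def esn_from_decimal(dec):
    """Sticker ESN = 3-digit manufacturer code + 8-digit serial, two fields
    converted separately (the 11 digits are NOT one base-10 number)."""
    if len(dec) != 11 or not dec.isdigit():
        raise ValueError("decimal ESN must be 11 digits")
    mfr, serial = int(dec[:3]), int(dec[3:])
    if mfr > 0xFF or serial > 0xFFFFFF:
        raise ValueError("manufacturer code or serial out of range")
    return "%02X%06X" % (mfr, serial)


def verify(img):
    """Sanity checks from the article; returns the list of problems found."""
    problems = []
    if not all(0x30 <= b <= 0x39 for b in img[SEC_CODE]):
        problems.append("security code is not five ASCII digits")
    if img[0x09] != 0x38:
        problems.append("byte 09 is not 38")
    if img[0x08] != 0xA5:  # last stored ESN byte = manufacturer code
        problems.append("ESN manufacturer code is not A5 (Tandy)")
    if img[CHECKSUM_ADDR] != checksum(img):
        problems.append("checksum %02X at 3D, computed %02X"
                        % (img[CHECKSUM_ADDR], checksum(img)))
    return problems


def rebuild(sec_code, esn, base=None):
    """Write security code, ESN, defaults, filler and checksum into a copy of
    `base` (an existing dump) or, after a total loss, into a blank image."""
    if len(sec_code) != 5 or not sec_code.isdigit():
        raise ValueError("security code must be five digits")
    img = bytearray(base) if base is not None else bytearray(CHIP_SIZE)
    img[SEC_CODE] = sec_code.encode("ascii")
    img[ESN] = bytes.fromhex(esn)[::-1]          # least significant byte first
    for addr, val in DEFAULTS.items():
        img[addr] = val
    for addr in range(FILLER_START, CHIP_SIZE):  # AA 55 AA 55 ... test pattern
        img[addr] = 0xAA if addr % 2 == 0 else 0x55
    img[CHECKSUM_ADDR] = checksum(img)           # always computed last
    return img


if __name__ == "__main__":
    img = parse_dump(EXAMPLE_DUMP)
    print("ESN", esn_hex(img), "code", security_code(img),
          "sum %04X checksum %02X" % (sum(img[:CHECKSUM_ADDR]), checksum(img)))
    print("problems:", verify(img))
    fixed = rebuild("12345", esn_from_decimal("16502227978"), base=img)
    print("after repair:", verify(fixed), "3D = %02X" % fixed[CHECKSUM_ADDR])
```

Run against the article's dump it reports the sum 0B5E and checksum 5E, flags the 00 sitting at 3D, and after rebuild() the image verifies clean. The ordering in rebuild() matters: the checksum must be written after every other byte, or handset programming will reject the image on the next self-test.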
Once these defaults have been programmed in the proper locations, and the ESN and security code have been reconstructed, compute the checksum and store it in address 3D. Temporarily reassemble the phone and apply power. The unit should power up and complete its self-test, which includes the operation where the microprocessor computes the NAM checksum and compares it to the value stored in location 3D. Assuming the self-diagnostics pass, the remaining data can now be reconstructed through normal handset programming. The handset programming template applicable to most of these units is located near the end of this article, after the appendix detailing the chip programming software included for reference purposes.

DEFAULT DATA VALUES

0000 XX XX XX XX XX XX XX XX XX 38 XX XX XX XX XX XX
0010 00 00 00 00 XX XX XX XX XX XX XX XX XX XX XX XX
0020 XX XX XX XX XX XX XX 00 27 00 01 01 11 11 11 11
0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF XX AA 55
0040 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
0050 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
0060 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
0070 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55

ADDITIONAL NOTES

As discussed, the parallel port programming software interface has a few quirks, most involving the programming voltage supplied to the chip. If all else fails, and a PROM burner is not available, take the supply voltage (Vcc) directly from the logic board. Run test lead jumpers from pins #4 and #8 of the IC socket on the logic board that held the 8572 EEPROM and connect them to the respective pins on the socket attached to the cable to be used for programming. Turn the board over and locate surface mount transistor Q115, which switches the supply voltage to the IC socket on and off. This small chip transistor is directly to the left of pin #8 (of the 8572 socket) and can be positively identified by the circuit trace from socket pin #8 leading directly to the emitter of Q115.
By examining this area of the board, you can determine which of the other two traces connects to the transistor's collector. Jumpering the traces and shorting the collector and emitter simply provides a constant, conditioned voltage supply to the socket designed to power the 8572 in programming mode. It may also be necessary to cut the trace to the base of Q115. Once the chip has been programmed with the software, restore the integrity of the cut trace to the base of Q115 and remove the short between the collector and emitter.

USING THE SOFTWARE

The Cellular Data Repair Utility software requires that you first create a small text file using an ASCII text editor such as DOS's "EDIT" utility program. This text file must contain the data described below, one item per line, in the specific order presented. The data in this image (.img) file will be programmed into the 8572.

XXX         ESN Prefix (decimal)
XXXXXXXX    ESN (8 digits decimal)
XXXXX       SIDH (5 digits decimal)
1           Access Bit
1           Local Option Bit
AAAPPPXXXX  MIN (10 digits)
08          SCM
0XXX        IPCH (0333 or 0334)
10          Access Overload Class
1           Pref. System Bit
10          GIM
12345       Security Code

EXAMPLE IMAGE FILE

Filename: TEST.IMG

165
00246812
00031
1
1
5105551212
08
0334
10
1
10
12345

PROGRAMMING

Once the image file containing the appropriate data has been saved, run the software under GW-BASIC (preferred, as noted under EQUIPMENT REQUIRED) or QBASIC and follow the prompts. Be sure to first set the proper parallel port address in line 1950 to reflect the port to which the interface is connected.

TUNING STEPS

1) With a digital voltmeter attached to the positive terminal of C908, adjust VR908 to provide a reading of 8 VDC (+/- 0.1 volt).

2) With the voltmeter attached to the positive terminal of C913, adjust VR918 for a reading of 8 VDC (+/- 0.1 volt).

3) Connect the voltmeter to test point TXV and enter diagnostic command 0, 1, SEL, 9, END. Adjust C676 to achieve a reading of 5 VDC control voltage (+/- 0.1 volt).

4) Check receiver control voltage at test point RXV. Adjust C614 for a reading of 4 VDC (+/- 0.1 volt).
5) With a power meter connected to the antenna connector of the transceiver through an attenuator, enter command SEL, 1, 2, SND, END to turn on the transmitter at high power. VR814 should then be adjusted to show 3 watts (34.8 dBm) on the power meter.

6) Using the same power meter, enter command SEL, 1, 3, 7, END. Adjust VR846 for a low power maximum reading of 4 milliwatts (6 dBm).

7) Using a frequency counter to measure the output at the antenna connector, adjust X600 for a reading of 836.4000 MHz (+/- 0.1 kHz).

8) Using a deviation meter, activate DTMF tones with command SEL, 2, 1, END, 1, 1, END and adjust VR259 for 8.4 kHz (+/- 0.1 kHz) DTMF deviation.

9) End DTMF signaling with command 1, 0, END. Enable SAT transmission by entering SEL, 2, 8, SND, END and adjust VR261 for 7.8 kHz deviation (+/- 0.1 kHz).

10) Enter SND, END to discontinue SAT signaling.

ADDITIONAL ADJUSTMENT

The level of audio fed to the earphone via the "ear" line (pin #7 on the handset connector) can be adjusted via VR215. 1.2 Vrms is the factory specified level with the volume turned up to its maximum setting. Received audio signals can be adjusted for minimal distortion by peaking L703. Frequency deviation of voice audio can be fine tuned with VR260. Factory spec is 8 kHz deviation.

POWER LOSS

If the transceiver refuses to even power up and begin self-diagnostics, check the traces on the underside of the board near the power connector. Most of these units 'protect' themselves against reverse polarity on the power cables with fusible traces. If the phone is connected to a vehicle or battery power supply backwards, one of these very small circuit traces will vaporize, leaving the phone inoperative. While inconvenient for the customer and service technician alike, repairing the trace is an additional source of revenue for the shop that might not be generated had a standard replaceable fuse or rectifier been utilized in the design.
APPENDIX III
TECHNICAL RESOURCES

EEPROM PROGRAMMER

In preparing this article and performing other research involving various types of firmware, we used the EPROM+ programming system from Andromeda Research. This small, portable device is housed in a carrying case and requires no internal card to operate with your PC. Once the software is installed on the computer, the EPROM+ programmer is simply plugged into an available parallel printer port. To program the PCD8572 series EEPROMs, a small adapter is required. You can construct this yourself from the included instructions, or purchase it already built for about $35 extra. The EPROM+ programming system is available for $289 from the manufacturer:

Andromeda Research
P.O. Box 222
Milford, Ohio 45150
(513) 831-9708 - voice
(513) 831-7562 - fax

SERVICE MANUALS

Service manuals are available for most Radio Shack or Tandy products from Tandy National Parts. Ordering these publications requires that you visit your local Radio Shack store. Tell the clerk that you want him (or her) to call National Parts and order a service manual for catalog number.... National Parts no longer accepts calls from consumers and will only ship to a recognized Radio Shack retail outlet.

NOKIA - MOBIRA

Service handsets, manuals and other parts can be ordered from Nokia-Mobira in Largo, Florida. Their toll-free technical assistance number is (800) 666-5553.

TANDY FAX-BACK SERVICE

Tandy Support Services offers technical information via a fax-back server. There is no mention that the service is restricted to Radio Shack stores. Although ANI can be hell, the toll-free number is (800) 323-6586 if you want to be faxed product info on assorted 'Shack products. The server makes neat video game noises, and thanks you for using the service. For an index of the cellular specification sheets available via fax-back, request document #8882.
Programming instructions are also available from this automated fax server:

DOCUMENT #   PHONE MODEL
9009         Current List [index]
8728         CT-105, 1050, 1055
9004         CT-350
9005         CT-302
9006         CT-102, 103, 104, 1030, 1033
9007         CT-300, 301
9008         CT-100, 101, 200, 201
9020         CT-351
9665         BC901ST [170-1015]
9579         CP-1700 [170-1016]
9577         CP-4600/5600 [170-1067 / 170-1056]
14493        Ericsson AH-210 [170-1064]
9581         EZ-400 [170-1057]
9743         Motorola 12822 [170-1058]
9583         Motorola DPC550 [170-1059]

This information is provided for reference purposes only. Use of this fax-back service may be restricted to authorized personnel. No one has ever faxed me to complain, however.

THE INTERFACE

The uuencoded drawing which accompanies this article describes the interface required to use the programming software to rebuild the data stored within the serial EEPROM. Because there are a number of variables that can affect the performance of this software and interface, prepare yourself for a bit of trial and error. A standard programming device is recommended over the use of this software. Since the original publication of this manual in hard-copy, we've heard reports that the software does not work well with the PCD8572, but does favor the PCD85C72 (CMOS version).

The DB-25 connector is wired to an 8-pin DIP socket to accommodate the 8572 integrated circuit. A regulated, well-filtered source of 5 volts must be connected to pin #8 of the DIP socket, and pin #4 must be tied to ground. If the PC used for programming and the power source to the IC socket share a common ground, you may be able to use pin #25 of the parallel port connector as shown in the diagram. Please be careful not to cause any shorts in this instance, or you may damage your computer by sinking too much current through the parallel port. If you are unsure of what you are doing, eliminate the connection between pin #4 of the IC socket and pin #25 of the DB-25 connector. Instead, connect pin #4 directly to ground.
The resistor shown in the circuit is used as an optional voltage divider. Depending on the voltage provided by pin #2 of your parallel port, a resistor between 100 ohms and 1k ohms may be required to drop it to a level within the nominal range required by the EEPROM.

TUNING THE RADIO

The diagrams in the uuencoded .zip file will assist in identifying and locating the various adjustment points on the logic board and transceiver (RF) PC board. Alignment should not be attempted by technicians unfamiliar with the principles involved, or in the absence of calibrated radio frequency measurement equipment.

A diagnostic (service) handset may be required to access service-level commands within the transceiver. If the phone does not respond properly to the commands documented herein, you'll need to obtain a service handset from Tandy National Parts. This handset is actually a Nokia "programming handset" which can be obtained directly from the factory.

PROGRAMMING TEMPLATE

For Tandy / Radio Shack Cellular Mobile Telephones
Models CT-102, 302, 1030, 1033, etc.

1) Power up the phone. After the phone cycles through its self-test mode and the display clears, enter the following keystrokes from the keypad:

*, 3, 0, 0, 1, #, X, X, X, X, X, SEL, 9, END

The X, X, X, X, X represents the five-digit security code stored in EEPROM. The factory default is 1, 2, 3, 4, 5. This security code is required to access handset programming mode.

2) The display will now read:

IdEnt IF InFO Pri

3) Press END to program NAM 1. The display will show the first programming step.

4) To program NAM 2, press SND twice instead of END. The display will cycle through:

OPt InFO diSAbLEd
then
OPt InFO EnAbLEd

5) Use the END key to step through each step. The SND key toggles the state of single-digit options. To enter new information, use END to step through the display until the old data is displayed. Key in the new data and press END to increment to the next step.
6) When programming has been completed, press SEL, CLR to save changes.

Step #  Desired Input  Display     Data Description
01      5 digits       HO-Id       SIDH (Home System Identification)
02      0 or 1         MIN Mark    MIN Mark (Toggle with SND)
03      0 or 1         LOCL OPt    Local Use Mark (Toggle with SND)
04      10 digits      Phon        MIN (Area Code + Mobile Number)
05      08             St CLASS    SCM (Station Class Mark)
06      333 or 334     PAging Ch   IPCH (Initial Paging Channel)
07      2 digits       O-LOAd CL   Access Overload Class
08      A or B         PrEF SyS    Preferred System (Toggle with SND)
09      2 digits       grOUP Id    GIM Mark (Set to 10 in U.S.)
10      5 digits       SECUrity    Security Code
11      -------        1 dAtE      Firmware Date - not changeable
12      mmddyy         2 dAtE      Installation Date

Press SEL, CLR to save & exit. Turn Power off and back on for model CT-302.

[Begin Editorial]
--------------------------------------------------------------------------
HOW TO OBTAIN A HARD-COPY VERSION OF THIS FILE - WITH ALL PHOTOS:
--------------------------------------------------------------------------

"The Complete Guide to Tandy / Radio Shack Cellular Hardware" is available for $15 prepaid. We keep $5 of the price to cover the cost of printing and the Priority mail postage. The remaining $10 of the purchase price will be donated to Boston's The L0pht to help them cover the cost of upgrading their Internet connection for l0pht.com....

The guys at the L0pht have always been cool with us, and maintain what amounts to one of the best cellular archives accessible on the 'net. We want to do what we can to assist them in providing this public source of enlightenment. Now you can help them, and get something for it in return. If nothing else, you can sit back and enjoy all my great close-up photos of the chips!

-- Damien Thorn

Here's the address:

Phoenix Rising Communications
3422 W. Hammer Lane, Suite C-110
Stockton, California 95219

[end editorial]
-----------------------------------------------------------------------------
You can reach me via e-mail at: damien@prcomm.com
-----------------------------------------------------------------------------

1000 ' CELLULAR DATA REPAIR UTILITY
1005 ' Form image and program PCD8572 IC via LPT port.
1010 ' (c) 1993, 1994, 1995 WarpCoreBreachGroup - All rights reserved.
1015 '
1020 ' This program is not shareware/freeware.
1025 '
1027 ' Comments on the DATA lines use :REM so the interpreter cannot read them as data.
1030 DATA xx,xx,xx,xx,xx,xx,xx,xx:REM Bytes 00-07
1040 DATA xx,38,xx,xx,xx,xx,xx,xx:REM Bytes 08-15
1050 DATA 00,00,00,00,xx,xx,xx,xx:REM Bytes 16-23
1060 DATA xx,xx,xx,xx,xx,xx,xx,xx:REM Bytes 24-31
1070 DATA xx,xx,xx,D6,C5,5C,C6,00:REM Bytes 32-39
1080 DATA 27,00,01,01,11,11,11,11:REM Bytes 40-47
1090 DATA 11,08,4D,01,0F,01,0F,00:REM Bytes 48-55
1100 DATA 04,00,00,00,FF:REM Bytes 56-60
1105 UNIT1$="050490"
1110 DIM BYTE$(60),BYTE(61)
1120 FOR I=0 TO 60:READ BYTE$(I):NEXT
1130 FILES "*.IMG"
1140 LINE INPUT "Which file do you want to read? ";F$
1150 OPEN "I",#1,F$+".IMG"
1160 INPUT#1,ESNPREFIX
1170 INPUT#1,ESN#
1180 INPUT#1,HOMEID
1190 INPUT#1,ACCESS
1200 INPUT#1,LOCALOPT
1210 INPUT#1,PHONE$
1220 INPUT#1,STATCLASS
1230 INPUT#1,PGCH
1240 INPUT#1,OVERLDCL
1250 INPUT#1,PREFSYS
1260 INPUT#1,GROUPID
1270 INPUT#1,SEC$
1280 ' Building binary image
1285 LINE INPUT "Installation date (mm/dd/yyyy)? ";UNIT$ ' Added here: UNIT$ was never assigned in the published listing
1290 UNIT2$=MID$(UNIT$,1,2)+MID$(UNIT$,4,2)+MID$(UNIT$,9,2)
1300 CLOSE #1
1305 ' Bytes 0-4: security code as ASCII digits. Bytes 10-12 and 13-15: firmware and installation dates, hex of each two-digit field.
1310 FOR I=1 TO 5:BYTE$(I-1)="3"+MID$(SEC$,I,1):NEXT
1320 FOR I=0 TO 2:BYTE$(10+I)=RIGHT$("0"+HEX$(VAL(MID$(UNIT1$,I*2+1,2))),2)
1325 NEXT
1330 FOR I=0 TO 2:BYTE$(13+I)=RIGHT$("0"+HEX$(VAL(MID$(UNIT2$,I*2+1,2))),2)
1335 NEXT
1340 FOR I=0 TO 4:BYTE$(24+I)=MID$(PHONE$,2*I+1,2):NEXT ' Bytes 24-28: MIN as packed BCD
1345 ' Bytes 5-7: ESN serial as hex-digit pairs, low byte first. Byte 8: ESN manufacturer prefix.
1350 FOR I=5 TO 0 STEP -1
1360 Q=INT(ESN#/(16^I))
1370 ESN#=ESN#-Q*(16^I)
1380 IF Q>9 THEN Q=Q+7
1390 ESN$=ESN$+CHR$(48+Q)
1400 NEXT
1410 BYTE$(8)=RIGHT$("0"+HEX$(ESNPREFIX),2)
1420 BYTE$(5)=MID$(ESN$,5,2)
1430 BYTE$(6)=MID$(ESN$,3,2)
1440 BYTE$(7)=MID$(ESN$,1,2)
1445 ' Convert every hex-digit pair to a byte value (accepts upper or lower case)
1450 FOR I=0 TO 60:Q$=BYTE$(I)
1460 QH=ASC(LEFT$(Q$,1))-48:IF QH>9 THEN QH=QH-7:IF QH>15 THEN QH=QH-32
1470 QL=ASC(RIGHT$(Q$,1))-48:IF QL>9 THEN QL=QL-7:IF QL>15 THEN QL=QL-32
1480 Q=QH*16+QL
1490 BYTE(I)=Q:CHECK=CHECK+Q
1500 NEXT
1510 BYTE(20)=HOMEID AND 255:BYTE(21)=INT(HOMEID/256)
1520 BYTE(22)=ACCESS
1530 BYTE(23)=LOCALOPT
1540 BYTE(29)=STATCLASS
1550 BYTE(30)=PGCH AND 255:BYTE(31)=INT(PGCH/256)
1560 BYTE(32)=OVERLDCL
1570 BYTE(33)=PREFSYS
1580 BYTE(34)=GROUPID
1585 ' AMPS MIN encoding for bytes 35-39: a 0 digit counts as 10, then 100*a+10*b+c-111 per 3-digit group
1590 AC$=MID$(PHONE$,1,3)
1600 PRE$=MID$(PHONE$,4,3)
1610 PH$=MID$(PHONE$,7,4)
1620 AC=VAL(AC$)
1630 IF MID$(AC$,2,2)="00" THEN AC2=AC-1:GOTO 1670
1640 IF MID$(AC$,3,1)="0" THEN AC2=AC-101:GOTO 1670
1650 IF MID$(AC$,2,1)="0" THEN AC2=AC-11:GOTO 1670
1660 AC2=AC-111
1670 PRE=VAL(PRE$)
1680 IF MID$(PRE$,2,2)="00" THEN PRE2=PRE-1:GOTO 1720
1690 IF MID$(PRE$,2,1)="0" THEN PRE2=PRE-11:GOTO 1720
1700 IF MID$(PRE$,3,1)="0" THEN PRE2=PRE-101:GOTO 1720
1710 PRE2=PRE-111
1720 IF PRE2<0 THEN PRE2=1000+PRE2
1730 IF LEFT$(PH$,1)="0" THEN D=-24:GOTO 1750
1740 D=87-24*(ASC(PH$)-49)
1750 IF MID$(PH$,4,1)="0" THEN D=D-10
1760 IF MID$(PH$,3,1)="0" THEN D=D-100
1770 IF MID$(PH$,2,1)="0" THEN D=D-1000
1780 IF MID$(PH$,1,1)="0" THEN D=D-10105
1790 PH2=VAL(PH$)-D
1800 C=INT(PRE2/4)
1810 B=64*(PRE2 AND 3)
1820 A=PH2 AND 255
1830 B=B OR INT(PH2/256)
1840 BYTE(35)=A
1850 BYTE(36)=B
1860 BYTE(37)=C
1870 BYTE(38)=AC2 AND 255
1880 BYTE(39)=INT(AC2/256)
1885 ' Byte 61 holds the 8-bit sum of bytes 0-60
1890 CHECK=0
1900 FOR I=0 TO 60
1910 CHECK=CHECK+BYTE(I)
1920 NEXT
1930 BYTE(61)=CHECK AND 255
1940 DEV$="1010":ADDR$="000"
1945 ' Select the base address for your printer port with the next line.
1950 BASE=&H378 ' &H378 is LPT1, &H278 is LPT2 and &H3BC is LPT3.
1960 GOTO 2120
1965 ' Port bits: D0 = data out (SDA), D1 = clock (SCL), D2 = power relay. SDA is read back on D0.
1970 OUT BASE,(DOUT AND 1) OR 2*(CLK AND 1) OR 4*(RELAY)
1980 FOR DELAY=0 TO 9:NEXT
1990 DIN=INP(BASE) AND 1
2000 RETURN
2005 ' Clock out the bits in B$ (MSB first), then wait for the chip to acknowledge
2010 FOR I=1 TO LEN(B$)
2020 B=ASC(MID$(B$,I,1))-48
2030 DOUT=B:CLK=0:GOSUB 1970
2040 DOUT=B:CLK=1:GOSUB 1970
2050 DOUT=B:CLK=0:GOSUB 1970
2060 NEXT
2070 T=0
2080 DOUT=1:CLK=1:GOSUB 1970
2090 IF DIN=0 THEN RETURN
2100 IF T=200 THEN BEEP:PRINT "Nack timeout error":STOP
2105 ' Is voltage applied to the chip?
2110 T=T+1:GOTO 2080
2120 MAX=61:RELAY=1:DOUT=1:CLK=1:GOSUB 1970
2130 T$=TIME$
2140 IF T$=TIME$ GOTO 2140
2145 ' Write bytes 0..MAX one at a time: start, device address, word address, data, stop
2150 FOR J=0 TO MAX
2160 DOUT=1:CLK=1:GOSUB 1970 ' Start bit
2170 IF DIN=0 THEN BEEP:PRINT "Bus not free error":STOP ' Bad!
2180 DOUT=0:CLK=1:GOSUB 1970
2190 DOUT=0:CLK=0:GOSUB 1970
2200 B$=DEV$+ADDR$+"0"
2210 GOSUB 2010
2220 B$=""
2230 FOR I=7 TO 0 STEP -1
2240 IF (J AND (2^I)) THEN B$=B$+"1" ELSE B$=B$+"0"
2250 NEXT
2260 GOSUB 2010
2270 Z=BYTE(J)
2280 B$="":FOR I=7 TO 0 STEP -1
2290 IF (Z AND (2^I)) THEN B$=B$+"1" ELSE B$=B$+"0"
2300 NEXT
2310 GOSUB 2010
2320 DOUT=0:CLK=0:GOSUB 1970
2330 DOUT=0:CLK=1:GOSUB 1970 ' Stop bit
2340 DOUT=1:CLK=1:GOSUB 1970
2350 PRINT USING "###% programmed";100*J/MAX
2360 PRINT STRING$(80*J/MAX,46)
2370 LOCATE CSRLIN-2,POS(0)
2380 GOSUB 1970
2390 IF DIN=0 GOTO 2380
2400 NEXT
2410 RELAY=0:DOUT=1:CLK=1:GOSUB 1970
2420 PRINT:PRINT
2430 'This is the end in case you thought the code was truncated somehow...
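As an added example (not part of the article or of the WarpCoreBreachGroup utility), the Python below builds the 62-byte image layout the BASIC listing writes, then reads the ESN, SIDH and MIN back out and checks the additive checksum, which is the first test to run on a dumped image before concluding its data is corrupt. It uses the same MIN digit encoding as the BASIC code and adds its inverse; the ESN, phone number and security code in the test are constructed sample values.

```python
def encode_min3(digits: str) -> int:
    """Three decimal digits -> 10-bit AMPS MIN field (same rule as BASIC lines 1630-1710)."""
    a, b, c = (10 if ch == "0" else int(ch) for ch in digits)  # a zero digit counts as 10
    return 100 * a + 10 * b + c - 111

def decode_min3(value: int) -> str:
    """Inverse of encode_min3: peel off three 'digits' in 1..10, where 10 stands for 0."""
    v = value + 111
    c = (v - 1) % 10 + 1
    v = (v - c) // 10
    b = (v - 1) % 10 + 1
    a = (v - b) // 10
    return "".join("0" if d == 10 else str(d) for d in (a, b, c))

def build_image(esn_prefix: int, esn: int, sidh: int, phone: str, sec: str) -> bytes:
    """Build a 62-byte image laid out the way the BASIC utility writes it.
    Fields the decoder does not read (dates, SCM, IPCH, fixed tail) stay zero."""
    img = bytearray(62)
    img[0:5] = sec.encode()                  # five-digit security code as ASCII
    img[5:8] = esn.to_bytes(3, "little")     # ESN serial part, low byte first
    img[8] = esn_prefix                      # ESN manufacturer code
    img[9] = 0x38                            # constant from the DATA table
    img[20:22] = sidh.to_bytes(2, "little")  # home system id (SIDH)
    img[24:29] = bytes.fromhex(phone)        # 10-digit MIN as packed BCD
    thousands = 10 if phone[6] == "0" else int(phone[6])
    min1 = (encode_min3(phone[3:6]) << 14) | (thousands << 10) | encode_min3(phone[7:])
    img[35:38] = min1.to_bytes(3, "little")  # MIN1: exchange + subscriber number
    img[38:40] = encode_min3(phone[:3]).to_bytes(2, "little")  # MIN2: area code
    img[61] = sum(img[:61]) & 0xFF           # 8-bit additive checksum
    return bytes(img)

def decode_image(img: bytes) -> dict:
    """Read ESN, SIDH and MIN back and flag checksum or MIN inconsistencies."""
    if len(img) != 62:
        raise ValueError("expected a 62-byte image")
    min1 = int.from_bytes(img[35:38], "little")
    thousands = (min1 >> 10) & 0xF
    phone = (decode_min3(int.from_bytes(img[38:40], "little"))
             + decode_min3(min1 >> 14)
             + ("0" if thousands == 10 else str(thousands))
             + decode_min3(min1 & 0x3FF))
    return {
        "esn": f"{img[8]:02X}{int.from_bytes(img[5:8], 'little'):06X}",
        "sidh": int.from_bytes(img[20:22], "little"),
        "min_bcd": img[24:29].hex(),
        "min_decoded": phone,
        "checksum_ok": img[61] == sum(img[:61]) & 0xFF,
        "min_consistent": phone == img[24:29].hex(),  # BCD copy agrees with MIN1/MIN2
    }
```

A single flipped bit in the ESN bytes turns `checksum_ok` false, and a mismatch between the BCD copy and the encoded MIN1/MIN2 fields points at which region of the image was overwritten.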