==phrack magazine==
by damien thorn
legal crap
use caution when rebuilding corrupt serial numbers, and avoid lending your
talents to further the goals of unscrupulous people.
introduction
chapter 1
equipment required
models covered
hand-held units
disassembly
with the end panel removed, the top plastic cover is now free to
slide off. with this cover removed, the metal transceiver itself
can be dumped from the remaining plastic housing by turning it
upside down, or pulling up on the metal heat sink assembly that
comprises one side of the transceiver unit.
other than several connectors that mate between the two boards,
the board is usually held in place by several blobs of solder spaced
along the edge of the board. these small 'solder welds' serve as
a ground bond between the board and the transceiver chassis, and
are not electrically necessary under normal circumstances.
once the solder ground bonds have been melted and removed with a
de-soldering tool or solder wick, use a pair of needle-nose pliers
to gently bend back the small metal tabs holding the circuit
board in place.
the board that supplies logic and control functions for the
cellular mobile telephone is easily identifiable by the
microprocessor and 27c512 eprom containing the operating
firmware. the eprom's erase window is covered by a protective sticker
that identifies the firmware version stored therein. within the last
few years, the version has ranged from tp-2 through tp-8.
also on this board is the serial eeprom where the esn and nam
parameters are stored. this chip is an 8-pin dip located in a
socket near pin #1 of the nec microprocessor. it is usually
covered with a small paper sticker bearing the last few digits of
the serial number stored inside.
while security experts may blast nokia for designing a phone that
stores the esn in a socketed chip, and then says "here i am" by
placing a sticker on it, this is a dream come true for any
technician facing issues of data corruption.
contents of nam
note that these data dumps are simulated for illustrative purposes.
the esn and encoded min bytes are not legitimate numbers, so don't
bother 'testing' them.
the first five bytes of data contain the security code. these
bytes are the hex values representing ascii characters 0 through
9, thus represented as "3x" where "x" is the actual digit of the
security code. a factory security code of 1 2 3 4 5 would be
represented in bytes 00 through 04 as follows:
31 32 33 34 35
understanding addresses
to assist those in reading the locations of the various bytes in the eeprom,
understand that each line (as usually displayed on a programmer) contains
sixteen (16) bytes. the first line begins with byte 00, then 01, 02, 03,
04, 05, 06, 07, 08, 09, 0a, 0b, 0c, 0d, 0e and finally 0f.
the second line begins with 10, then 11, 12, 13, 14, 15, 16, 17,
18, 19, 1a, 1b, 1c, 1d, 1e, and 1f as the last byte of the line.
the third line increments the same way, except as byte 30, 31,
etc., to 3f. you now know how to count in base 16 (hex)!
the hex esn for any given phone consists of four bytes, as we use
the term here. technically it is eight hex digits (32 bits if
expressed in binary form), but we're referring to a 'byte' as a two-digit
hex number, rather than treating each hex digit as a single entity. for our
example, we're using the fictitious esn of a521ff0a. all radio shack
phones will have an esn beginning with a5 hex. this is the "manufacturer's
code" prefix that has been assigned to tandy.
breaking the esn into four bytes as viewed on the prom programmer,
the esn would appear as:
a5 21 ff 0a
refer back to the example dump of the data within the 8572 ic.
immediately following the security code is the esn stored in
reverse order. with the security code occupying bytes 00 to 04,
the esn is located in bytes 05, 06, 07 and 08. byte 09 contains
the value 38. it should always contain 38.
in the example, beginning with byte 05 you can read the esn (in
reverse sequence) as:
0a ff 21 a5
other addresses
0000 31 32 33 34 35 xx xx xx xx xx xx xx xx xx xx xx
0000 xx xx xx xx xx 0a ff 21 a5 xx xx xx xx xx xx xx
there is a one byte device checksum stored within the 8572 that
is used by the phone to check the integrity of the data stored
therein. the checksum is located at byte 3d, indicated by "xx"
in the example below.
the checksum is derived from all the data stored in the nam, not
just the esn. computing it is relatively easy: it is simply the
sum (in hex) of all the values from bytes 00 through 3c. the second
dump below shows exactly which bytes are summed; bytes marked ".."
are not part of the checksum.
checksum location
0000 31 32 33 34 35 0a ff 21 a5 38 25 82 0f 25 17 1a
0010 00 00 00 00 24 15 b1 c3 24 04 a3 21 16 2d 11 aa
0020 0a 00 00 64 6c b3 32 00 27 00 01 01 11 11 11 11
0030 11 08 4d 01 0f 01 0f 00 04 00 00 00 ff xx aa 55
0040 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55
0050 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55
0060 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55
0070 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55
0000 31 32 33 34 35 0a ff 21 a5 38 25 82 0f 25 17 1a
0010 00 00 00 00 24 15 b1 c3 24 04 a3 21 16 2d 11 aa
0020 0a 00 00 64 6c b3 32 00 27 00 01 01 11 11 11 11
0030 11 08 4d 01 0f 01 0f 00 04 00 00 00 ff .. .. ..
0040 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
0050 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
0060 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
0070 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
default values
in the event that all of the data stored within the nam becomes
corrupt, the technician will need to program the security code,
the esn, and certain default data values to allow the phone to power
up. once powered up, all of the other data can be automatically
reconstructed by the phone using the handset programming mode.
since the factory does not provide any information about the
contents of the 8572 eeprom, we are unsure of the function of
this 'default data.' it seems to have little significance.
0000 xx xx xx xx xx xx xx xx xx 38 xx xx xx xx xx xx
0010 00 00 00 00 xx xx xx xx xx xx xx xx xx xx xx xx
0020 xx xx xx xx xx xx xx 00 27 00 01 01 11 11 11 11
0030 11 08 4d 01 0f 01 0f 00 04 00 00 00 ff xx aa 55
0040 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55
0050 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55
0060 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55
0070 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55 aa 55
additional notes
once the chip has been programmed with the software, restore the
integrity of the cut trace to the base of q115 and remove the
short between the collector and emitter.
the cellular data repair utility software requires that you first
create a small text file using an ascii text editor such as dos's
"edit" utility program.
this text file must contain the data described below in the
specific order presented. the data in this image (.img) file
will be programmed into the 8572.
165
00246812
00031
1
1
5105551212
08
0334
10
1
10
12345
programming
once the image file containing the appropriate data has been
saved, run the software with qbasic or microsoft basic and follow the
prompts. before running it, be sure to set the proper parallel port
address in line 1950 to match the port to which the interface is
connected.
tuning steps
additional adjustment
the level of audio fed to the earphone via the "ear" line (pin #7
on the handset connector) can be adjusted via vr215. 1.2 vrms is
the factory specified level with the volume turned up to its
maximum setting.
power loss
appendix iii
technical resources
eeprom programmer
andromeda research
p.o. box 222
milford, ohio 45150
(513) 831-9708 - voice
(513) 831-7562 - fax
service manuals
service manuals are available for most radio shack or tandy products from
tandy national parts. ordering these publications requires that you visit
your local radio shack store. tell the clerk that you want him (or her)
to call national parts and order a service manual for catalog number....
national parts no longer accepts calls from consumers and will only
ship to a recognized radio shack retail outlet.
nokia - mobira
service handsets, manuals and other parts can be ordered from
nokia-mobira in largo, florida. their toll-free technical
assistance number is (800) 666-5553.
the interface
the db-25 connector is wired to an 8-pin dip socket to accommodate the 8572
integrated circuit. a regulated, well-filtered source of 5 volts must be
connected to pin #8 of the dip socket, and pin #4 must be tied to ground.
if the pc used for programming and the power source to the ic socket share
a common ground, you may be able to use pin #25 of the parallel port connector
as shown in the diagram.
the diagrams in the uuencoded .zip file will assist in identifying and
locating the various adjustment points on the logic board and transceiver (rf)
pc board. alignment should not be attempted by technicians unfamiliar with
the principles involved, or in the absence of calibrated radio frequency
measurement equipment.
programming template
*, 3, 0, 0, 1, #, x, x, x, x, x, sel, 9, end
5) use the end key to step through each step. the snd key
toggles the state of single-digit options. to enter new
information, use end to step through the display until the old
data is displayed. key in the new data and press end to increment to
the next step.
6) when programming has been completed, press sel, clr to save
changes.
press sel, clr to save & exit. turn power off and back on for
model ct-302.
[begin editorial]
--------------------------------------------------------------------------
how to obtain a hard-copy version of this file - with all photos:
--------------------------------------------------------------------------
the guys at the l0pht have always been cool with us, and maintain what
amounts to one of the best cellular archives accessible on the 'net. we
want to do what we can to assist them in providing this public source of
enlightenment. now you can help them, and get something for it in return.
if nothing else, you can sit back and enjoy all my great close-up photos
of the chips <g>!
-- damien thorn
[end editorial]
-----------------------------------------------------------------------------
you can reach me via e-mail at: dam...@prcomm.com
-----------------------------------------------------------------------------
--
-=-graham-john bullers=-=ab...@freenet.toronto.on.ca=-=alt.2600.moderated-=