Copy Link
Add to Bookmark
Report
Leeto Phreako Headz Issue 2 (Part II of II)
/ / / _ // _//_ _// /
/ /_/ _/ / _/ / / // //
/_____/__//___/ /_/ /___/ ______ _ _ ___
/ _ // // // _ / / _// _ // // // /
/ __// _ // _ / / _// __ // _/// //
/__/ /_//_//_/_\_\/___/_/ /_//_/\_\/___/
/ // // _// _ // _ // __/
/ _ // _// __ // ////__ /
/_//_//___/_/ /_//___//____/
Issue number 2, Part II of II
_____________________________________
| \
| The low down on trunking systems \
| By: Bagel |
| Contact: bagel@Phreaker.net |
| /
-------------------------------------/
IIIINNNNNNNNNN
X INDEX D
XEEEEEEEEEEEED
I. Conventional vs. Trunked
II. Types of Trunked Systems
III. Trunking Frequencies
IV. Trunking Equipment
V. Disadvantages of Trunking
VI. Conclusion
----------------------------------------------------------------------
I. Conventional vs. Trunked
In the wide world of radio scanning, there are two essential types
of radio systems: conventional and trunked. Conventional radio systems.
In a conventional system, only one conversation can be taking place on
one such frequency, or channel, irregardless as to how many that
corporation, company, police department, or booze-bag owns. For example,
lets take a police department. Let's say they own 5 channels, or
frequencies. Only ONE conversation can be taking place on EACH channel
at a time. This can be extremely inefficient. This is where trunked
systems fall into place. A good example on how a trunked system works
came from a manual I was reading is as follows: "At most banks, everyone
stands in the same line. At the front of the line the customer goes to
whatever window is empty. The next customer in line probably goes to a
different window. Doesn't matter, the service is still the same." So,
instead of all users trying to transmit messages via one VHF/UHF
repeater, the users of one corporation/po-po department transmit on
whatever frequency is open and currently not being used or is not as
busy as the others. Therefore, all repeaters are being used at the same
time, with the same amount of users on each. Still don't understand?
One more example, if you don't understand it by now, you are a booze bag.
Conventional System: A bank with only one teller window. Everyone
has to wait their turn, and everyone gets what they need at a very slow
and inefficient pace.
Trunked System: A bank with five teller windows. Everyone gets
served as each window opens up. Customers get in and out very quickly
and efficiently.
II. Types of Trunked Systems
There are two main types of trunked systems. These are Motorola
and G.E. Ericsson (EDACS). The Motorola trunked systems can be
classified into three types:
Motorola (I) - Motorola type I
Motorola (II) - Motorola type II
Motorola (IIi) - Motorola type IIi
The more common and popular one out of the two is the Motorola
system. However, there is another type of trunking system besides
Motorola and Ericsson, and that is LTR. LTR equipment is available from
a number of manufacturers, and has been used for many years. In LTR
systems, there is no control channel, instead, a central-computer is used
to control the channels/users. A new type of LTR system is being used
by a small amount of public safety agencies under the name "MultiNet".
III. Trunking Frequencies
The majority of trunking systems operate on the infamous "800"
band. However, this is just "one of those things". In other words,
trunking systems can also be used on the UHF band such as 406-420MHz
(yes, ic0n... 420!). But overall, you will find 9 out of the 10 trunked
systems operating on the "800" band.
Below I will list nationwide, United States Government trunked
systems.
Motorola Systems used by Federal Government
Group 1: 406.350 407.150 407.950 408.750 409.550
Group 2: 406.750 407.550 408.350 409.150 409.950
Group 3: 406.550 407.350 408.150 408.950 409.750
Group 4: 406.950 407.750 408.550 409.350 410.150
Ericsson Trunked Systems (EDACS)
406.000 406.100 406.150 406.200 406.225
406.350 406.550 406.750 407.150 407.175 407.250
407.325 407.350 407.375 407.425 407.450 407.475
407.525 407.575 407.950 408.025 408.050 408.150
408.175 408.425 408.475 408.525 408.550 408.575
408.625 408.750 408.950 409.025 409.125 409.150
409.225 409.300 409.325 409.350 409.475 409.550
409.600 409.725 409.750 409.850 409.950 410.000
IV. Trunking Equipment
Well, in case you haven't noticed, the average 90 dollar scanner
is NOT trunking capable. Conventional scanners do not have trunking
capabilities and/or do not cover the "800" band in their frequency range.
So you have to spend the extra 50 bux and go and get a trunking-capable
scanner. Personally, unless your a hermit and do not explore outside of
your house, getting a portable trunking capable scanner, such as myself.
I have the Radio Shack PRO-94 1,000 channel, Dual Trunking scanner. I
got it cheap ($149.99) because of the time I bought it (a month before
Christmas), when all the prices go down. Also, make sure you get a DUAL
trunking scanner, so you can listen to both Motorola and Ericsson (EDACS)
systems. You WILL be limited to ANALOG systems, trunking scanners cannot
interpret digital trunking signals, but you will not really have to worry
about that, thus digital trunking systems are even more expensive than
analog systems. I recommend picking up "Police Call, 2002 Edition" for
20 bucks at Radio Shack, which has a huge list of trunking frequencies,
including the ones listed above.
V. Disadvantages of Trunking
Like everything in life, trunking has its disadvantages also.
The advantages certainly outweigh the disadvantages. One disadvantage of
trunking is that it is expensive. It costs a lot more to purchase and
operate an analog trunking system, including the radios that go along
with users on that trunk, than a conventional system and radios. The
other disadvantage is that scanners (us), need to save up our b00ze
money to buy a trunking scanner.... BAH! One more disadvantage is that
all users aren't really "trunking-compatible" if you know what I mean.
In other words, not everyone understands trunking and how it works.
VI. Conclusion
Well, like every tutorial, I hope this has helped you understand
the concept of trunking, how it works, what you need to use trunking,
some frequencies and types of trunked systems, and some disadvantages
of trunking. Until next time...... BaGeL, I'm out.
-----------
Shoutoutz: |
-----------
Shoutoutz to all my boyz in cDp, I lub you guys.
Also to all muh b00ze-bagz in lph... w00t w00t.
Another shout-out to the JC's... JUGGALO COMMANDOS
Guy_SJS... clean that house!
HardW1r3... we go waayyy back.
Flow... wherever you may be.
Bizurke... faaayyyyyyygoooooo
SupaKilla... juggalo I got yah back
ic0n... what time is it ic0n?? Your also 31337 as hell man.
Xenocide... This thing came up and said, you've... you've got a virus.
deepdish... you b00zzee bag.
angel... "shuddup bitch"... hahaa, im jus kidden hun, I lub yah.
Dark_Archon... did your grandfather die yet so you can get his scanner?
eslut... nice work w/ the confs ;)
Reaver423... sup d00d, happy belated birthday
locutus126... you are a big booze bag d00d, get help.
MaddJimBeam... muh MA phreaker
GameZ... thanks for the help w/ the IRCd bro, and the baker is NOT home
newbie... chillen in Argentina
halo... you dissappeared but yah still cool
gaijin... wassssssssaaaaaahhhhhhhhhhh
If I missed ne1 sorry, I still love you... lol.
____________________________________________________
| \
| *****Standard/Cat3 color scheme conversion***** \
| By: Captain B |
| Contact: ??? |
| /
----------------------------------------------------/
Before I begin, unless you plan on installing Cat3 wire in your home, you need not read any
further. The purpose of this file is to give you an understanding of the Cat 3 wiring color
scheme, and how to connect it to standard wiring phone jacks. Before I do, let me mention that
another difference between standard and Cat3 cabling is that Cat cabling has a greater
bandwidth, and can push more data per second over it than standard wire. Also, Cat cabling is
twisted pair wiring. Standard is non-twisted. Meaning, each wire in a pair (negative and postive)
are twisted around each other, thereby making the pair self-shielding. In other words, Cat
cabling phone wire is better. To further break it down which is the best among the 3 types of
Cat cabling, here's a chart showing the data per sec each can transmit...
Type -- Data per sec.
Cat3 -- 10MegaBits/sec
Cat5 --100MegaBits/sec
Cat5e--1000MegaBits (or 1GigaBit) per sec
Cat5/5e only seem to come in RJ45 4 pair (4 line)wiring, as far as I've seen. Cat3 I've seen in
both 2 pair and 4 pair wiring at Home Depot. For residential homes, most people won't have more
than 2 line wiring. (And most likely won't need more than 2 pair wiring). So, for Cat3 I'll only
be mentioning the wire colors for 2 pair Cat3. The extra wires (if It's Cat3 4 pair wire) don't
need to be hooked up. In fact, they can be cut, if you like. Installing phone wire of any type
always requires a wire cutter and wire stripper. (Or buy a combo wire stripper/cutter from Rat
Shack, or some other electronic store). I'm not going into about how to strip off wire
insulation, or any of that here. You should know that stuff. Okay, so here's how the color
conversion between standard and Cat3 wire goes..
Standard wire Cat 3
Tip- Green -----Line 1----- Orange
Ring- Red -----Line 1----- White/orange stripe
Tip- Black -----Line 2----- Blue
Ring-Yellow ----Line 2----- White/blue stripe
Tip= Postive (primary)
Ring= Negative (secondary)
Solid color wires= Positive
Non-solid color (stripe) wires= Negative
As a final note for anyone trying to install phone wire for the first time: Take your time, work
slowly and carefully, and exercise patients. The small gauge (size) of phone wire of any type makes it pretty prone
to easy breakage. Also, if you're only using your phone line for standard voice communications, It's not necessary
to go with Cat 3,5, or 5e wire. Cat cabling is more ideally suited for data transmitions. Such as modems, fax machines,
TTY machines, or other telecom equipment that transmits data over phone lines. But, you can use Cat cabling for regular
voice communication, too. To get a few more tips on installing phone wire, pick up a book called "Installing Telephones"
from Radio Shack or pick up some other telecom related book at other electronics stores. Also, your library may have some
books about it, so go check. And, here's a related web site you may find useful: http://www.phonewiring.com/ Oh, and always
remember to disconnect your phone line at the TNI (Telephone Network Interface) outside your house first to remove voltage
while working. Or, you can short the pair (connect ring and tip terminals or wire together) to remove voltage. Or, at least
take a phone off the hook to minimize voltage. Have phun.
____________________________
| \
| party box \
| By: deepdish |
| Contact: brody@g33k.net |
| /
----------------------------/
Okay, the party box. This box can be used in
many ways. 1st you can make your own conf from
this, if you have more then two phone lines.
This is a very easy box.
Materials:
2 or more phones (identical)
2 or more phone lines
1 roll of duck tape or solder iron and solder
wire cutters
First, you take the head set cords of both phones
and you strip the wires about 2 inches from the
base and strip the wires about an inch. Connect
the one green (tip) wire from the phone to the
other and so forth with the red (ring).
There you go. you can do this with more then 2
fones if you have more then 2 lines.
Other uses:
You can make a beige box party box by just adding
alligator clips to the phone and going to a TNI or
a can box with more then one line.
___________________________________
| \
| A Phreaks Guide To 1337 Text \
| By: Reaver |
| Contact: reaver_netpo@yahoo.com |
| /
-----------------------------------/
Gradually each hour, each day, each year more and more people join the
ranks of the h/p scene. Be it for the pride, honor, or the respect of
being able to learn about some of the best equipment ever invented by man
they have joined. But I feel sorry them, for we as hackers and phreaks
have our own language that we sometimes use. This is the language of
1337 73X7 (Leet Text). This language is easy to learn once you know the
basics, but some don't even know the basics. So I have written this
article to ensure that no one is left out in the dark in an in depth
1337 conversation. Here are the basics:
1: This number can be used for either I or L
3: E
4: A
5: S
6: G
7: T
8: G
0: O
12: R *Double numbers like these are rarely used.
13: B *Double numbers like these are rarely used.
There are some others but for the most part these are the ones you
should know. See I told you our 1337 14n6u463 w45 345y 70 134rn.
Have a great day and hopefully next time someone speaks in 1337 you
will understand them :).
___________________________________________
| \
| The New Motorola Bible \
| By: Agent5 |
| Contact: crash_overide_9900@yahoo.com |
| /
-------------------------------------------/
Brought to you from the makers of sharp things.
Well, I was sittin down wondering what the hell to do. So I updated the
motorola bible. As I understand, the last update was in 1997 and a lot
of changes have been made since then to motorola fones. While the old
motorola bible still has a lot of info in it, it does not have what you
need for the new shit out there.
NOTE: on most of the newer fones you have to access test mode by
entering... Fcn, 00**TESTMODE, Sto
Motorola 8700
Turn on Clock
To turn on the hidden clock on your phone follow the following procedure:
In Setup menu turn ON "extended menu"
in language selection change to "GREEK" or "EAAKA"
exit menu
press key labeled "i" (the info key)
type *#25625# and finally
turn OFF the phone
next time you'll wake up the phone the clock will be on your display and
while
surfing menu you'll find the option to set its time.
Show IMEI code
If you need to know what's the IMEI code of your phone, simply press:
* # 06 #
you'll read it on display.
RBS Info
To activate RBS info menu simply press:
[][][]113[]1[]OK ("[]" = the block you obtain pressing "*" for 3 seconds
or more)
this procedure seems not to work on all software version but it's the
only one
you can try from keypad.
Some 8700 remain frozen after you switched on cell broadcast; the phone
seems to function properly but it can't origin or receive any calls and
turns off when you press any key.
To view IMEI number *#06#
Motorola Elite
Test Mode
To enter in Nam programming Mode, press:
[arrow up]
000000000000 (12 times zero)
[MR]
now display shows the first step of NAM programming; simply enter data
and move to the next step using:
* (the same key of [left arrow])
Software version
To see software version of your phone you need to short-circuit antenna
ground with the two nearest pin together in the connector located under
the phone. then:
Power ON the phone and type:
#19#
Now display is showing software version of your phone.
Serial Number
To see the serial number of your phone you need to short-circuit antenna
ground with the two nearest pin together in the connector located under
the phone. then:
Power ON the phone
and type:
#75#
now display is showing the first pair of digits, then go ahead using
* (the same key of [left arrow])
to show the second pair and so on.
Pinout
The pins are numbered 1 thru 10 from right to left
ANT- (O) | | | | | | | | | |
1) Audio Ground
2) Ext b
3) T Data
4) C Data
5) R Data
6) Logic Ground
7) Audio Out - on/off
8) Audio In
9) Manual Test
10) Battery Feedback
Motorola Flare
Functionality enablement
Following you'll find the procedure in order to get more menu's from
your phone. But you don't just get more menu's, you'll get 99 more
memories available, giving a total of 198 memories! These memories are
stored in the phone, not in the SIM, which means you can store many more
characters and numbers for each name. Before you begin, take note that:
Make a note of your voicemail number! You may lose it during this!
(don't worry, you can reprogram it later).
You may need to use the master reset option to get outgoing DTMF going
again after this. All the menu's seem to be dependant on others being
available, so if you just activate one, it will say not available
Lastly, p = a pause. i.e., what you get when you hold down the * button
for 3 seconds.
And then....let's go !
First of all, press
ppp070p0p OK
You have just turned off the code that disables further changes. This
seems to have been set in some phones.
Now enter:
ppp000p1p OK
ppp001p1p OK
ppp002p1p OK
all the way to
ppp113p1p OK
but AVOID ppp070p1p and ppp007p1p
Don't worry, this only takes about 35 mins for all 111, but just don't
lose count!
Then go to phone setup menu, and select extended menu
And finally ....
You'd find some more menu items which wasn't there before and you got 99
more memory locations giving a total of 198 memories.
Show IMEI code
If you need to know what's the IMEI code of your phone, simply press:
* # 06 #
You'll read it on display.
Pinout
Numbered left to right, keypad up, battery down
1) Audio Ground
2) V
3) True data (TD) (input)
4) Downlink - Complimentary data (CD) (input)
5) Uplink - Return data (RD) (output)
6) GND
7) Audio Out - on/off
8) Audio In
9) Manual Test - ???
10) Battery Feedback
11) Antenna connector
To switch to the external antenna, a 2k2 resitor shout be placed in the
coaxial antenna cable from shield to core.
Motorola MicroTac
Test Mode
To enter in Nam programming Mode, you need to short-circuit the first
and the third battery pin from the right, then:
Power ON the phone
Display will show "Tacs5", type in:
55
Now display shows the first step of NAM programming; simply enter data
and move to the next step using:
* (the same key of [left arrow])
Software version
To enter in Nam programming Mode, you need to short-circuit the first and
the third battery pin from the right, then:
Power ON the phone
Display will show "Tacs5", type in:
19
Now display is showing software version of your phone.
Motorola StarTac
Show IMEI code
If you need to know what's the IMEI code of your phone, simply press:
* # 06 #
You'll read it on display.
Pinout
1) Connected with 22pf to pin 3
2) RF out
3) Connected with 33 pf to pin 8, 33 pf to pin, 33 pf to pin 7
4) BAT_FDBAK
5) MAN_TEST connected with 10k to L275
6) RS232_TX - connected to MCU SPI bus
7) RS232_RX - connected to MCU SPI bus
8) AUDIO_IN
9) AUDIO_OUT
10) Connected with 33 pf to pin 13, 33 pf to pin 14
11) UPLINK -|
12) DOWNLINK -|- DSC bus connected to the BIC
13) DSC_EN_B -|
14) EXT_B
15) Gnd
Motorola d460/2500/6200 (Flare)/7500/8200/8400/8700
To activate RBS:
(pause means the * key held in until box appears)
[pause] [pause] [pause] 1 1 3 [pause] 1 [pause] [ok]
You now have to press the [MENU] and scroll to the 'Eng Field Options'
function with the keys, and enable it.
To de-activate RBS,
[pause] [pause] [pause] 1 1 3 [pause] 0 [pause] [ok]
This only works with some versions of software. Please report what works
and doesn't for you.
Reported working, by country:
d460: IT
6200 Flare: UK (Orange), AU
7500: IT (model: F16 HW: 5.2 SW: 2.1)
8200: ES, AU, NL, BE
8400: IT, NL
8700: AU, IT, SG, DE, ES, ZA
Uses of RBS:
Distance From Base Station - Place a call, when it is answered, press
[MENU] until 'Eng Field Option' is displayed, press [OK], select 'Active
Cell', press [OK], press [MENU] until 'Time Adv xxx' appears, where xxx
is a number. Multiply this number by 550, and the result is the distance
from the RBS (Radio Base Station), in meters.
Signal Quality - press [MENU] until 'Eng Field Option' is displayed,
press [OK], select 'Active Cell', press [OK], press [MENU] until 'C1'
appears. This is the signal quality. If it becomes negative for longer
than 5 seconds, a new cell is selected.
Options under Eng Field Options
Eng Field Options
Active Cell
RxLev -55 Received powerlevel in dBm
NCC 0 National Colour Code, used for identifying channel
BCC 7 Broadcast Colour Code, also for identifying purposes
MSTxPwr 35 Max allowed transmit power 35dBm about 3.2W
C1 003 Is a calculated figure for the quality control signal which is
constantly sent out from the RBS quality the signal returning from the
phone has. If this value is negative for more than 5 sec then the system
will make a cell switch.
Time Adv xxx xxx is a number. Multiply this number by 550, and the result
is the distance from the RBS (Radio Base Station), in meters.
Adjacent Cells
Adj Cell 1
Channel 0033 Channel Number
RxLev -65 Received powerlevel in dBm
BCCH Decode I think it means it is able to decode the channel information
contained in the BCCH
RxLevAM -104 Min allowed reception, compare with RxLev -65 and you get
the C1 value which is 39 and reported back to base as measure of field
strength.
MTxPwr 35 Aain max allowed powerlevel
C1 003 ??
NCC 0 National Colour Code
BCC 6 Broadcast Colour Code
System Parameters
Combined Off ??
AcsClas 0000 Allows different priorities - this network doesn't support
it.
MCC 505 Mobile Country Code, 505 for Australia, 240 for Swedes etc
MNC 01 Mobile Network Code, 01 for Mobilenet, 02 for Optus, 03 for
Vodafone using MCC 505. MCCバ is often called Network Code
LAC 08720 Location Area Code, shows which exchange your're in
CellID 00473 Base Station Identity
T3212 005 Time between periodic network updates (either hours between or
time remaing until update, not sure)
BS-PA-MFRM 4 ??
XZQTY 14.3 ??
Motorola Flip Pinout:
ANT- (O) | | | | | | | | | |
10 9 8 7 6 5 4 3 2 1
Top of phone (screen)
1) Audio Ground
2) Ext b
3) T Data
4) C Data
5) R Data
6) Logic Ground
7) Audio Out - on/off
8) Audio In
9) Manual Test
10) Battery Feedback
Motorola Analogue Phones
MOTOROLA PROGRAMMING INSTRUCTIONS
NOTES: Some units have dual NAM's.
The ESN prefix is 130 decimal, 82 hex.
Determine which access sequence to use:
HAND HELD PORtable MODELS
If the phone has a FCN button and no MENU button use sequence 1.
If the phone has no FCN button use sequence 2.
If the phone has a MENU button and a FCN button use sequence 4.
INSTALLED MOBILE PHONES AND TRANSPORtable MODELS
If the phone has no FCN button and no RCL button use sequence 3.
If the phone has a FCN button use sequence 4.
If the phone has a MEM button use sequence 5.
If the phone has a RCL button and no FCN button use sequence 6.
SEQUENCE# ACCESS CODE
1 FCN (SECURITY CODE TWICE) RCL
2 STO # (SECURITY CODE TWICE) RCL
3 CTL 0 (SECURITY CODE TWICE) *
4 FCN 0 (SECURITY CODE TWICE) RCL
5 FCN 0 (SECURITY CODE TWICE) MEM
6 CTL 0 (SECURITY CODE TWICE) RCL
The default security code is 000000. The CTL (control) button is the
single black button on the side of the handset.
NAM programming:
1. Turn the power on.
2. Within ten seconds enter the access sequence as determined above.
3. The phone should now show "01" in the left of the display, this is
the first programming entry step number. If it does not the security code
is incorrect, or the programming lock-out counter has been exceeded. In
either case you can still program the unit by following the steps under
TEST MODE PROGRAMING below.
4. The * key is used to increment each step:
Each time you press * the display will increment from the step number,
displayed on the left, to the data stored in that step, displayed on the
right. When the data is displayed make any necessary changes and press *
to increment to the next step number.
5. The SND key is used to complete and exit programming when any STEP
NUMBER is displayed.
If you have enabled the second phone number bit in step 10 below then
pressing SND will switch to NAM 2. Steps 01 thru 06, 09 and 10 will
repeat for NAM 2, the step number will be followed by a "2" to indicate
NAM two.
6. The CLR key will revert the display to the previously stored data.
7. The # key will abort programming at any time.
PROGRAMING DATA:
STEP# #OF DIGITS/RANGE DESCRIPTION
01 00000 - 32767 SYSTEM ID
02 3 DIGITS AREA CODE
03 7 DIGITS TEL NUMBER
04 2 DIGITS STATION CLASS MARK
05 2 DIGITS ACCESS OVERLOAD CLASS
06 2 DIGITS GROUP ID (10 IN USA)
07 6 DIGITS SECURITY CODE
08 3 DIGITS LOCK CODE
09 0333 OR 0334 INITIAL PAGING CHANNEL
10 6 DIGIT BINARY OPTION PROGRAMING (SEE NOTE 1)
11 3 DIGIT BINARY OPTION PROGRAMING (SEE NOTE 2)
NOTES:
Take care with Motorola's use of "0" and "1". Some options use "0" to
enable, some use "1".
1. This is a 6 digit binary field used to select the following options:
Digit 1: Internal handset speaker, 0 to enable.
Digit 2: Local Use Mark, 0 or 1.
Digit 3: MIN Mark, 0 or 1.
Digit 4: Auto Recall, always set to 1 (enabled).
Digit 5: Second phone number (not all phones), 1 to enable.
Digit 6: Diversity (Two antennas, not all phones), 1 to enable.
2. This is a 3 digit binary field used to select the following options:
Digit 1: Continuous DTMF, 1 to enable.
Digit 2: Transportable Ringer/Speaker, 0=Transducer, 1=Handset.
Digit 3: 8 hour time out in transportable mode, 0 to enable.
TEST MODE ACCESS:
INSTALLED MOBILE PHONES AND TRANSPORTALE MODELS
To enter test mode on units with software version 85 and higher you must
short pins 20 and 21 of the transceiver data connector. An RS232 break
out box is useful for this, or construct a test mode adapter from
standard Radio Shack parts.
For MINI TR or Silver Mini Tac transceivers (smaller data connector) you
can either short pins 9 and 14 or simply use a paper clip to short the
hands free microphone connector.
HAND HELD PORTABLE MODELS:
There are two basic types of Motorola portable phones, the Micro-Tac
series "Flip" phones, and the larger 8000 and Ultra Classic phones.
Certain newer Motorola and Pioneer badged Micro-Tac phones do not have a
"flip", but follow the same procedure as the Micro-Tac.
8000 & ULTRA CLASSIC SERIES:
If you have an 8000 series phone determine the "type" before trying to
enter test mode. On the back of the phone, or on the bottom in certain
older models, locate the F09... number this is the series number. If the
FOURTH digit of this number is a "D" you CAN NOT program the unit through
test mode, a Motorola RTL4154/RTL4153 programmer is required to make any
changes to this unit.
Having determined that you do not have a "D" series phone the following
procedure is used to access test mode:
Remove the battery from the phone and locate the 12 contacts at the top
near the antenna connector. These contacts are numbered 1 through 12
from top left through bottom right. Pin 6, top right, is the Manual Test
Mode Pin. You must ground this pin while powering up the phone. Pin 7
(lower left) or the antenna connector should be used for ground. Follow
one of these procedures to gain access to pin 6:
1. The top section of the battery that covers the contacts contains
nothing but air. By careful measuring you can drill a small hole in the
battery to gain access to pin 6, alternately simply cut the top off the
battery with a hack saw. Having gained access use a paper clip to short
pin six to the antenna connector ground while powering up the phone.
2. If you do not want to "destroy" a battery you can apply an external
7.5 volts to the and - connectors at the bottom of the phone, ground pin
6 while powering up the phone as above.
3. You can also try soldering or jamming a small jumper between pins 6
and 7 (top right to lower left), or between pin 6 and the antenna
connector housing ground. Carefully replace the battery and power up the
phone. Use caution with this method not to short out any other
pin.
4. A cigarette lighter adapter, if you have one, also makes a great test
mode adapter as it can be disassembled to give you easier access to pin 6.
Many are pre marked, or even have holes in the right location. This is
because they are often stamped from the same mold that the manufacturer
uses for making hands free adapter kits and these kits require access to
the phone's connectors.
MICRO-TAC "FLIP" SERIES:
This phone follows similar methods as outlined for the 8000 series above.
Remove the battery and locate the three contacts at the bottom of the
phone, the two outer contacts are raised and connect with the battery.
The center contact is recessed, this is the Manual Test Mode connector.
Now look at the battery contacts, the two outer ones supply power to the
phone, the center contact is an "extra" ground. This ground needs to be
shorted to the test mode connector on the phone. The easiest way to do
this is to put a small piece of solder wick, wire, aluminum foil or any
other conductive material into the recess on the phone. Having done this
carefully replace the battery and turn on the power, if you have been
successful the phone will wake up in test mode.
TEST MODE PROGRAMING:
Assuming you have completed one of the above steps correctly the phone
will wake up in test mode when you turn the power on. When you first
access test mode the phone's display will alternate between various status
information that includes the received signal strength and channel number.
The phone will operate normally in this mode. You can now access Service
Mode by pressing the # key, the display will clear and a ' will appear. Use
the following procedure to program the phone:
1. Enter 55# to access programming mode.
2. The * key advances to the next step. (NOTE that test mode programing
does NOT have step numbers, each time you press the * key the phone will
display the next data entry).
3. The CLR key will revert the display to the previously stored data.
4. The # key aborts programming at any time.
5. To complete programming you must scroll through ALL entries until a '
appears in the display.
6. Note that some entries contain more digits than can be displayed by the
phone, in this case only the last part of the data can be seen.
TEST MODE PROGRAMING DATA:
STEP# #OF DIGITS/RANGE DESCRIPTION
01 00000 - 32767 SYSTEM ID
02 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 1 BELOW
03 10 DIGITS MIN (AREA CODE & TEL#)
04 2 DIGITS STATION CLASS MARK
05 2 DIGITS ACCESS OVERLOAD CLASS
06 2 DIGITS GROUP ID (10 IN USA)
07 6 DIGITS SECURITY CODE
08 3 DIGITS LOCK CODE
09 3 DIGITS SERVICE LEVEL (LEAVE AT 004)
10 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 2 BELOW
11 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 3 BELOW
12 0333 OR 0334 INITIAL PAGING CHANNEL
13 0333 "A" SYSTEM IPCH
14 0334 "B" SYSTEM IPCH
15 3 DIGIT NUMBER PAGING CHANNEL (021 IN USA)
16 8 DIGIT BINARY OPTION PROGRAMING, SEE NOTE 4 BELOW
Steps 01 through 06 and 12 will repeat for NAM 2 if the second phone
number bit has been enabled in step 11.
NOTES:
Take care with Motorola's use of "0" and "1". Some options use "0" to
enable, some use "1".
These are eight digit binary fields used to select the following options:
1. (step 02 above, suggested entry is: 11101001 for "A" system, 10101001
2. for "B" sys)
Digit 1: Local use mark, 0 or 1.
Digit 2: Preferred system, 0 or 1.
Digit 3: End to end (DTMF) dialing, 1 to enable.
Digit 4: Not used, enter 0.
Digit 5: Repertory (speed) dialing, 1 to enable.
Digit 6: Auxiliary (horn) alert, 1 to enable.
Digit 7: Hands free (VSP) auto mute, 1 to enable (mutes outgoing hands
free audio until the MUTE key is pressed).
Digit 8: Min mark, 0 or 1.
2. (step 10 above, suggested entry is: 00000100)
Digits 1 - 4: Not used in USA, enter 0.
Digit 5: Single system scan, 1 to enable (scan A or B system only,
determined by bit 2 of step 02. Set to "0" to allow user the option).
Digit 6: Super speed dial, 1 to enable (pressing N, or NN SND will dial
the number stored in memory location NN).
Digit 7: User selectable service level, 0 to enable (allows user to set
long distance/memory access dialing restrictions).
Digit 8: Lock function, 0 to enable (allows user to lock/un-lock the
phone, if this is set to 1 the phone can not be locked).
3. (step 11 above, suggested entry is: 00000000)
Digit 1: Handset programming, 0 to enable (allows access to programing
mode without having to enter test mode).
Digit 2: Second phone number (not all phones), 1 to enable.
Digit 3: Call timer access, 0 to enable.
Digit 4: Auto system busy redial, 0 to enable.
Digit 5: Speaker disable, 1 to enable (use with select VSP units
only, do not use with 2000 series mobiles).
Digit 6: IMTS/Cellular, 1 to enable (rarely used).
Digit 7: User selectable system registration, 0 to enable.
Digit 8: Dual antennae (diversity), 1 to enable.
4. (step 16 above, suggested entry is: 0011010 for portable and 0011011
for mobile units)
Digit 1: Not used, 0 only.
Digit 2: Not used, 0 only
Digit 3: Continuous DTMF, 1 to enable (software version 8735 and later)
Digit 4: 8 hour time-out, 0 to enable (software version 8735 and later)
Digit 5: Not used, 0 only.
Digit 6: Failed page indicator, 0 to enable (phone beeps when an
incoming call is detected but signal conditions prevent completion of
the call).
Digit 7: Portable scan, 0 for portable, 1 for mobile units.
C-SCAN OPTION:
Newer Motorola phones are equipped with a feature called C-Scan, this is
an option along with the standard A/B system selections. C-Scan allows
the phone to be programmed with up to five inhibited system ID's per NAM.
This is designed to prevent the phone from roaming onto specified non-home
systems and therefore reduce "accidental" roaming fees.
1. C-Scan can only be programmed from test mode, power phone up with the
relevant test mode contact grounded (see above).
2. Press # to access test mode.
3. Press 18#, the phone will display "0 40000".
4. Enter the first inhibited system ID and press *.
Continue to enter additional system ID's if required. After the 5th entry
the phone will display "N2". Press * to continue and add system ID's for
NAM 2 as required.
5. If an incorrect entry is made (outside the range of 00000-32767) the
display will not advance, press CLR and re-enter. Use a setting of 40000
for any un-needed locations.
6. When the last entry has been made press * to store and press # to exit,
turn off power.
LOCK/UNLOCK PROCEDURES:
Phones with "LOCK" buttons: Press lock for at least 1/2 a second.
Phones with a "FCN" button: Press FCN 5, note that 5 has the letter's
"J,K, and L" for lock.
Phones with no FCN or LOCK button: Press Control 5, control is the black
volume button on the side of the handset.
SYSTEM SELECT PROCEDURES:
Phones with a RCL button: Press RCL *, then * to select, STO to store.
Phones with no RCL button: Press Control * then * to select, # to store.
Options are: CSCAn: Preferred/Non preferred with system lockout.
Std A/b, or Std b/A: Preferred/Non preferred.
SCAn Ab, or SCAn bA: Non preferred/Preferred
SCAn A: "A" ONLY
SCAn b: "B" ONLY
HOME: Home only
(these are typical options, some phone's vary. C-Scan only available on
newer models and does not appear unless programmed, see above
GENERAL NOTES:
HANDSETS: Most Motorola handsets are interchangeable, when a handset is
used with a transceiver other than the one it was designed for the
display will show "LOANER". Some features and buttons may not work, for
instance if the original handset did not have a RCL or STO button, and
the replacement does, you will have to use the control * or control #
sequence to access memory and A/B system select procedures.
MOTOROLA TEST MODE COMMANDS:
01# RESTART (POWER OFF THEN ON)
02# STATUS DISPLAY, ALTERNATES BETWEEN:
ABC DEF where:
ABC = Channel number
DEF = Received sensitivity for that channel
and: A B C D E F G where:
A = SAT frequency (0=5970, 1=6000, 2=6030, 3=no channel lock)
B = Carrier (0=off, 1=on)
C = Signalling tone (0=off, 1=on)
D = Power level (0 through 7)
E = Channel mode (0=voice channel, 1=control channel)
F = Receive audio mute (0=unmuted, 1=muted)
G = Transmit audio mute (0=unmuted, 1=muted)
Press * to hold display and # to end.
03# Reset call timers
04# Initialize Tranceiver to following settings:
Carrier = OFF
Receive Audio = MUTED
Transmit Audio = MUTED
Signaling Tone = OFF
Call Timer RESET and peroiodic resetting ENABLED
SAT = OFF
DTMF & Audio Tones = OFF
Audio Path = To SPEAKER
05# Turn Carrier ON
06# Turn Carrier OFF
07# Mute RECEIVE audio
08# Unmute RECEIVE audio
09# Mute TRANSMIT audio
10# Unmute TRANSMIT audio
11ABC# Load Synthesizer with ABC, where ABC=the channel number in decimal
12A# Set RF power level to A, where A=1 to 7
13# Power down phone
14# Transmit signaling tone
15# Stop transmit of signaling tone
16# Transmit a five word reverse voice channel message, all words will
be: "FF00AA55CC33"
17# Transmit a two word reverse voice channel message, both words will
be: "FF00AA55CC33"
18# Display contents of NAM one address at a time, press * to advance,
press # to exit. (Two digit number to the left is the ADDRESS, to the
right is the DATA)
19# Display software version
20# Receive control channel messages counting correctable and
uncorrectable errors. When the command starts the number of the command
will be displayed in the upper right hand corner of the display. Entering
a # will terminate the test and display two three digit numbers. The first
number is the number of correctable errors and the second is uncorrectable
errors.
21# Receive voice channel messages counting correctable and
uncorrectable errors. When the command starts the number of the command
will be displayed in the upper right hand corner of the display. Entering
a # will terminate the test and display two three digit numbers. The
first number is the number of correctable errors and the second is
uncorrectable errors.
22# Receive control channel messages counting word sync sequences. When
the command starts the number of the command will be displayed in the
upper right hand corner of the display. Entering a # will terminate the
test and display the number of word sync sequences in the display.
23# Receive voice channel messages counting word sync sequences. When
the command starts the number of the command will be displayed in the
upper right hand corner of the display. Entering a # will terminate the
test and display the number of word sync sequences in the display.
24# Turn SAT transmission ON
25# SAT OFF
27# Transmit continuous control channel data, all words are:
"FF00AA55CC33". When the command starts the number of the command will be
displayed in the upper right hand corner of the display. Press # to
terminate the test.
28# Activate high tone (1150 Hz 55 Hz)
29# Deactivate high tone
30# Activate low tone (770 Hz 40 Hz)
31# Deactivate low tone
32# Initialize all non-volatile memory to zeros. Resets unit and makes
it look "new".
33A# Activate DTMF tone where A = DTMF digit 0 through 9
34# Deactivate DTMF
35A# Send audio path to A where A = 0 for handsfree, 1 for speaker, 2
for alert, 3 for Handset 36ABC# Activate channel scan, ABC is scan speed
in milliseconds. Tunes from channel 1 to 666. Press * to pause scan and
display RSSI, if scan speed is 300 milliseconds or greater the RSSI is
displayed with each channel, if scan is less than 300 milliseconds the
RSSI is only displayed when you press *
37# not used
38# Display serial number in hex (ESN). Displayes the byte number in the
upper right side of the display and the data to the left, press * to step
through the bytes, press # to exit.
39# Receive one control channel word, when the word is received it will
be displayed in hex. Command terminates when the word has been received
or when # is pressed.
40# Receive one voice channel word, when the word is received it will be
displayed in hex. Command terminates when the word has been received or
when # is pressed.
41# (F19CTA models only) Enables the diversity antenna option on mobiles
so equipped.
42# Disable diversity.
43# Disable diversity and force the mobile to use the TRANSMIT antenna.
44# Disable diversity and force the mobile to use the RECEIVE antenna.
45# Display the RSSI reading taken on the current channel.
46# Display the cumulative call timer.
47A# Set audio level to A where A = 0 lowest, A = 6 highest, or A = 7
muted.
48# Turn sidetone on
49# Sidetone off
50# Maintenance data is transmitted and test results displayed: PASS =
Received data is correct, FAIL1 = No data received within 2 seconds,
FAIL2 = Received data is incorrect.
51# Maintenance data is transmitted and looped back and test results
displayed: PASS = Looped back data is correct, FAIL1 = No data looped
back within 2 seconds, FAIL2 = Looped back data is incorrect.
52A# Set phase adjustment. A decimal number thet corresponds to phase
shift compensation in 4.5 degree increments. Compensation added to the
inherant phase shift of the tranceiver to acheive a total phase shift of
0 (zero) degrees. Do not enter any value other than from the following
list:
# entered, Degree of shift
0 0 59 121.5 86 243.0
1 4.5 60 126.0 87 247.5
2 9.0 61 130.5 112 252.0
3 13.5 62 135.0 113 256.5
4 18.0 63 139.5 114 261.0
5 22.5 40 144.0 115 265.5
6 27.0 41 148.5 116 270.0
7 31.5 42 153.0 117 274.5
16 36.0 43 157.5 118 279.0
17 40.5 44 162.0 119 283.5
18 45.0 45 166.5 120 288.0
19 49.5 46 171.0 121 292.5
20 54.0 47 175.5 122 297.0
21 58.5 64 180.0 123 301.5
22 63.0 65 184.5 124 306.0
23 67.5 66 189.0 125 310.5
48 72.0 67 193.5 126 315.0
49 76.5 68 198.0 127 319.5
50 81.0 69 202.5 104 324.0
51 85.5 70 207.0 105 328.5
52 90.0 71 211.5 106 333.0
53 94.5 80 216.0 107 337.5
54 99.0 81 220.5 108 342.0
55 103.5 82 225.0 109 346.5
56 108.0 83 229.5 110 351.0
57 112.5 84 234.0 111 355.5
58 117.0 85 238.5
53# Enable scrambler option, if equipped.
54# Disable scrambler option, if equipped.
55# Test Mode programming.
58# Compandor on. Audio compressor and expandor on.
59# Compandor off. Audio compressor and expandor off.
61# Serial number transfer, not all models.
62# Turn on audio ringer path.
63# Turn off audio ringer path.
70# Abbreviated field transmitter audio deviation command for tranceivers
with FCC ID: ABZ89FT5668.
71# Abbreviated field power adjustment command for tranceivers with FCC
ID: ABZ89FT5668.
72# Field audio phasing command.
73# Field power adjustment command.
And now to the specifics....In this section I will list a few specific
Motorola Phones and their codes, that are significant to us as
Telecommunications Hobbiests.
Motorola 6200
To activate RBS (Engineering Menus):
[pause] [pause] [pause] 1 1 3 [pause] 1 [pause] [ok]
(pause means the * key held in until box appears)
You now have to press the [MENU] and scroll to the 'Eng Field Options'
function with the < or > keys, and enable it.
To de-activate RBS (Engineering Menus):
[pause] [pause] [pause] 1 1 3 [pause] 0 [pause] [ok]
(pause means the * key held in until box appears)
Works on 6200's,8200's,1-888's,7500's,8400's and GSM StarTacs with later
than version .27 software.
Options under Eng Field Options
Eng Field Options
Active Cell
RxLev -55 Received powerlevel in dBm
NCC 0 National Colour Code, used for identifying channel
BCC 7 Broadcast Colour Code, also for identifying purposes
MSTxPwr 35 Max allowed transmit power 35dBm about 3.2W
C1 003 Is a calculated figure for the quality control signal which is
constantly sent out from the RBS quality the signal returning from the phone
has. If this value is negative for more than 5 sec then the system will make
a cell switch.Time Adv xxx xxx is a number. Multiply this number by 550, and
the result is the distance from the RBS (Radio Base Station), in meters.
Adjacent Cells
Adj Cell 1
Channel 0033 Channel Number
RxLev -65 Received powerlevel in dBm
BCCH Decode I think it means it is able to decode the channel information
contained in the BCCH
RxLevAM -104 Min allowed reception, compare with RxLev -65 and you get the
C1 value which is 39 and reported back to base as measure of field strength.
MTxPwr 35 Aain max allowed powerlevel
C1 003 ??
NCC 0 National Colour Code
BCC 6 Broadcast Colour Code
System Parameters
Combined Off ??
AcsClas 0000 Allows different priorities - this network doesn't support
it.
MCC 505 Mobile Country Code, 505 for Australia, 240 for Swedes etc
MNC 01 Mobile Network Code, 01 for Mobilenet, 02 for Optus, 03 for
Vodafone using MCC 505. MCC+MNC is often called Network Code
LAC 08720 Location Area Code, shows which exchange your're in
CellID 00473 Base Station Identity
T3212 005 Time between periodic network updates (either hours between
or time remaing until update, not sure)
BS-PA-MFRM 4 ??
XZQTY 14.3 ??
Motorola Flip Pinout:
ANT- (O) | | | | | | | | | |
10 9 8 7 6 5 4 3 2 1
Top of phone (screen)
1) Audio Ground
2) Ext b+
3) T Data
4) C Data
5) R Data
6) Logic Ground
7) Audio Out - on/off
8) Audio In
9) Manual Test
10) Battery Feedback
FREE CALL TIP! FIND YOURSELF ONE O THSES BABIES AND YOU'RE SET FOR LIFE!
The trick can be done on cd160 and cd520 only:
1 Enter the phone number
2 Enter OK
3 Type *#06#
4 Press Button C
4 And finally press the button for power off.
You should now be able to talk without being billed.
Bag fone... Any bag fone... just get one cause they are cheap and easy
to program and get pretty good reception!
Motorola CD 160 Tip.
Press menu and type one of these numbers and press OK:
11 = Status Review
13 = Available Networks
14 = Preferred Networks
22 = Select Keypad Tones
25 = Require SIM Card PIN
26 = Language Selection
32 = Repetitive Timer
33 = Single Alert Timer
34 = Set IN-Call Display
35 = Show Call Timers
36 = Show Call Charges
37 = Call Charge Settings
38 = Reset All Timers
43 = Reset All Timers
45 = Show Last Call
46 = Total For All Calls
47 = Lifetime Timer
51 = Change Unlock Code
52 = Master Reset
53 = Master Clear (Warning!! May result in deleting the Message
Editor!!!)
54 = New Security Code
55 = Automatic Lock
63 = Battery Saving Mode
That should be it. If you have any questions, find them out yourself.
___________________________________________
| \
| Social Engineering Independent Telcos \
| By: Xenocide |
| Contact: xen423@yahoo.com |
| /
|------------------------------------------/
Intro:
Have you ever wanted to get those super duper k-rad telco test numbers?
Thought the only way was scanning? Well my friend to day is you're
lucky day! Cause you've won five thousand dollars! No, not really but I
am going to teach you how to social engineer test numbers from
Independent telcos.
There are a few requirements to this article:
1) Half a brain
2) Local phone book
3) Pencil & paper
4) Working phone (preferably pay phone)
5) Patience
Now that you have those basic necessities, let's begin. First look up
Telephone in the yellow pages of your phone book. Look for something
that says Telephone/PBX Installation or any thing closely related.
Write these numbers down along with their name, these are the major
telco's competition.
Now that you have a list of numbers to call, let's make a script.
You may want to make a copy of it to take with you but as in any social
engineering situation, the conversation can change drastically in
seconds. Always be prepared and know everything about who and what you
are social engineering. If the conversation gets sticky and you don't
know what to do, try to get out of it as quick and smooth as you can.
If they catch on to what you're doing then you might not have another
chance at calling back.
YOU - You
THM - The Independent Telco
YOU : Dials number to telco...
THM : Hello, this is LameTelco how may I help you
YOU : Yes this is (any first name), I'm out here in (local city/town)
working on a trouble ticket and I've got all these pairs here
and no way to match them to their owners. The reason for that is
the hand-set I was using broke and it had my/all my (ANAC/Ringback/
Loop/DATU/RCMAC...) number(s) programmed in its memory and I don't
carry my number book with me any more so I'm in a bit of a jam. I'd
really appreciate it if you could get me this/these number(s) so I can get
back to work.
THM : Ok Sir, please hold...
THM : Ok sir, here is the number(s) you requested.
YOU : (Write the number(s) down!!!) Ok thanks a lot.
THM : Hey no problem.
Owned! Hopefully it will go as smooth as that. Sometimes they will want
more info out of you, like, What office are you working out of? What is
the trouble ticket number? What the hell is a test number? Just be
prepared to answer qucikly so it looks like you're who you say you are.
If they ask What is the ticket number? then smoothly reply I left it in
my truck or something to that effect. If things get harsh or you are
having trouble then politely say I will get in touch with my repair
foreman. Just make sure they don't know you tired to social engineer
themotherwise if and when you call back they will prolly be a lot more
stricton the info they give you.
Now go to the phone or payphone. Make sure if you call from your home phone
that you have some way to hide your number. And always have fun, thats what
phreaking is about, having fun, exploring, learning and sharing.
Note from the editor:
"Damn, man! This article had more spelling errors than Microsoft's
Windows 2000 'Getting Started' guide!"
_____________________________________________________________
| \
| OBTAINING SOCIAL SECURITY NUMBERS AND HENCE CREDIT CARDS \
| By: Loc |
| loc@fuckmicrosoft.com |
| /
|------------------------------------------------------------/
co-thought-up with b4l0r
Go to my personal bitch, a Target department store. Now, find the employee
application machine. There are going to be two of them in any given store,
they will be side by side in little sit down booths. They can also be used
to set up teleconferences, if you read my article in UPL 26. Now, there is
a slot to the right of the application machine. These are used for the
applicants to write sosec info, birthday info and address on, sign and drop
into the slot. However, this is just begging to be exploited. Simply gank
the papers outa the slot (they're very easy to get) and walk out.
The directios on the paper tell you not to write the year of your birthday,
but most people applying to a job at target are idiots and do so anyway.
These are the best applications to work with as you will not need to call
them and SE any information. If they didn't write the year of their birthday,
use their names and addresses to get their fone number. Call them and say
its Subway Birthday club and they get a free footlong meal on their birthday.
Tell them that you cross check all month date and year values to ensure that
no fraud occurs. There, you've got the info.
Now obtain a PO box. This is somewhat hard but you can fabricate
identification and get a mailboxes etc box. There are tons of credit card
applications everywhere, you generally just don't notice them. Pick up every
credit card application that you see and fill it out as one of your victims.
An Apple loan would also be very nice, a dual 800 g4 with 22 inch monitor for
the price of a PO box for a month, approximately 10 bucks.
(Note from the editor: Loc's views on use of Apple and Mac products do not
reflect those of the Editor or those of the members of 13370 phr34k0 h34d'5
or their affiliates.)
Start carding your ass off. The beauty of this method is that the victim will
not be alerted for a few months, and neither will the CC company, they'll
just think your not good with money and black list 'your' credit. You can
use the same PO box for a long time, but I wouldn't reccomend using more
than a month, for safety's sake.
_________________________________________
| \
| Cordless Phone fun \
| By: Jackass |
| Contact: jackass_440@pla440.zzn.com |
| /
|----------------------------------------/
Ok now to get to the cool stuff. To listen in on cordless phones you
will need a police scanner I recommend a programmable one these can be
bought at Radio Shack for an ungodly amount or try Ebay. I've seen them
decently cheap on there.
Now that you have your scanner, program these frequencies in and listen
all you want. I recommend you program the base frequency in because
you'll hear both sides of the conversation but if you want program in
that handset I could really careless.
Channel Base Handset
1 43.720 48.760
2 43.740 48.840
3 43.820 48.860
4 43.840 48.920
5 43.920 49.020
6 43.960 49.080
7 44.120 49.100
8 44.160 49.160
9 44.180 49.200
10 44.200 49.240
11 44.320 49.280
12 44.360 49.360
13 44.400 49.400
14 44.460 49.460
15 44.480 49.500
16 46.610 49.670
17 46.630 49.845
18 46.670 49.860
19 46.710 49.770
20 46.730 49.875
21 46.770 49.830
22 46.830 49.890
23 46.870 49.930
24 46.930 49.990
25 46.970 49.970
Now its time for the real fun shit. I'm going to tell you how to
broadcast and or block cordless phone transmission.
What you need
1. A VHF CB that you can mod for out of band transmission.
2. A transverter (I used a Ten Tec model 1209)
Ok now that you have all that stuff its time to have fun. So you have
modded your CB and have the transverter all you have to do now is add
94 MHz to the frequencies and your ready to have fun and if you can't
figure out what to do with it then you shouldn't have read this part
and you wasted money go give your new toy to some punk kids to play
with Im sure they'll enjoy it. I figured Id save you the trouble and
listed the frequencies below.
Base
-=======-
137.7200
137.7400
137.8200
137.8400
137.9200
137.9600
138.1200
138.1600
138.1800
138.2000
138.3200
138.3600
138.4000
138.4600
138.4800
140.6100
140.6300
140.6700
140.7100
140.7300
140.7700
140.8300
140.8700
140.9300
140.9700
Handset
-========-
142.7600
142.8400
142.8600
142.9200
143.0000
143.0800
143.1000
143.1600
143.2000
143.2400
143.2800
143.3600
143.4000
143.4600
143.5000
143.6700
143.7700
143.8600
143.7700
143.8750
143.8300
143.8600
143.9300
143.9900
143.9700
Ok now for something else useless but cool. Get a cordless handet
(preferably the kind that the channel changes on the base) and
walk around with it not only can you listen in but you can make free
calls. Just be carefull.
Well, I'm just about finished. But I have one last thing. The cordless
beige box. Just get a cordless phone (base and hand set and a way to power
the base ::cough:: batteries) and hook it up like a beige box and viola you
got a cool little toy.
WELL THATS IT HAVE FUN AND BE A GOOD LIL PHREAK!
