HACKING YOUR MOTOROLA GSM


Please notice: the information provided here may cause your phone to malfunction. Modifying the software of your GSM phone is a personal choice and is shown for amateur purposes only. Commercial attempts based on this hardware and software may be illegal. So you take the risk yourself.

Figure: Motorola d460

I always had a sympathy for Motorola products, since my first computer, a Commodore 64, was based upon a Motorola CPU, and it is still regarded as the best computer of all times. Although everyone who is in favour of Motorola GSM accepts that these phones are not physically as strong as Motorola states (when you happen to drop one on the floor), they are really stable in electronics and software and have a menu system which is 'engineer kind'. So I'm happy with my Motorola and do not have the slightest feeling that I'm going to change my mind in the future. I only wish there were many more features on them, such as a calculator, message sender identity, a counter of characters left in the message editor, etc. I used to have a d460, which was very comfortable for me, and now a V3690, which is even more comfortable. Also my girlfriend has a V2288; we preferred it for its built-in FM radio and elegant design.

As I complained about some functional shortcomings of my d460, I was unaware that something I could take advantage of was already lying in my phone. We already know that most GSM phones come in different models which have different functions, while in fact having the same hardware and even the same software inside. If there were a way to modify the software of the phone, it might be possible to get some features which were not included in the version originally purchased.

As I searched the web for something interesting about the phone I had (formerly a d460), I came across many rumours saying that it is possible to modify the phone software and enable some features which are hidden from the user. The traces led me to Janus's web site, completely dedicated to Motorola GSM. There I found information and links to the hardware and software required to modify my phone's memory. That is where you should look for information if you are going to do something like I did. This page only provides the practical information, so you should read through Janus's Motorola pages to get familiar with concepts like 'Test and Clone Cards', 'Transfer Frames', 'Test and Clone Modes', etc. The site also has a link to a discussion list on Motorola GSM, which is useful if you are in search of a particular thing.

What I found was that it only needed a simple adapter to connect the phone to the PC, and a piece of software which acts as the Test and Clone SIM cards, to enable editing and transferring the phone memory contents through the PC. When I had the chance, I brought the pieces of the interface circuit together, etched a SIM adapter to be inserted into the phone, connected everything correctly and ran the emulator. All went right: first I enabled the Engineering Field Options menu and permanent test mode, and then I removed the SP-Lock from my phone.

Although newer phones are protected against such attempts, I managed to enable permanent test mode and the keypad code entry feature on my V3690. Thus it became possible to enable the Engineering Field Options menu and others through the keypad of the phone. But unfortunately the SP-Lock could not be removed. I found some software/hardware on the web promising that this can be done, but either the software or the hardware was missing from their ZIP files. So the following instructions only cover the modifications I have done successfully. Again, these are provided for informational purposes and personal amateur use only. You are taking the risk yourself. Tweaking memory contents may cause the phone to malfunction, which may only be recoverable at a qualified service, and an electrical problem (such as a short circuit, wrong connection or surge voltage) may even lead to an unrecoverable failure requiring a part replacement.

Figure: Logical layout of the connections

Here is the hardware layout of the operation. The interface circuit consists of three transistors and six resistors and is simple to build. It prevents a direct connection between the TTL interfaces of the computer and the phone. The computer's serial COM1 port (usually where a serial mouse is connected) is used to connect the interface, via a female connector. The other end of the interface is connected to the phone's SIM socket. A small SIM adapter is used to ease this: it is a PCB cut to the size of a regular SIM module, with the contact points etched on its copper side. I have used it as is on the V3690 and V2288, and placed it in its credit-card-size SIM card frame to insert it in the d460. Since the cables won't fit in, I had to open the d460 and fix the card manually inside it.

Let's start with the preparation of the SIM adapter. First you need a 300 DPI printout of sim.tif to be copied onto a PCB. If you want a credit-card-size version to be used on a d460-like phone, you may use this one. After the etching process, drill the holes and solder on the four wires which connect to the interface PCB. Using thin ribbon wire makes it easy to install into the phone. Taking care while soldering the wires to the adapter PCB is important, since rough soldering may cause short circuits between the contacts of the phone's SIM socket. Take a look at the illustration below to get an idea. First, tin the copper layer with a thin coating of solder (do not overheat the copper, otherwise it may detach from the PCB). Insert the pre-tinned wire into the hole with its tip aligned with the surface of the copper layer. Then solder again to fix the wire into the thin solder layer. If you do it right, a smooth contact surface is formed.

Figure: SIM adapter. This is the SIM adapter PCB.

Figure: Smooth soldering of the wires, preventing rough soldering.

The interface PCB is easier to create. Print out pcb.tif at 300 DPI. Etch the PCB and drill the holes, then solder on the components. The transistors are not critical, as long as their specifications are close to each other. Pay attention to their lead order. You may refer to my PCB Design Page for more details on how to create your own PCBs.

Figure: PCB design for the ASIM interface.

Figure: Completed interface; SIM adapter, interface, and a real SIM. Here is the completed interface and SIM adapter.

Figure: Using the SIM adapter in credit card size. You'll probably have to open the d460 to insert the thick adapter with the card.

Figure: Adapter placed in; connecting the interface to serial COM1. Placing the adapter in the V3690 and connecting the interface to COM1.

Figure: V3690 in Test Mode

With basic amateur electronics skills, once the parts (adapter and interface) are complete you should be able to connect your phone to your PC. Insert the SIM adapter into the phone, connect the interface to the PC and run the SIM card emulator ASIM 3.1 written by the ANDROID. Notice that the PCB designs in the ASIM package are wrong, so use the one I gave above. Apply +5V to the interface (in fact it runs without this external +5V; I tested this on the d460, V2288 and V3690 successfully), load a SIM file into the emulator (preferably sim.dat) and start the emulation. Turn on your phone and enter the PIN stated in the sim.dat file. By holding the # key for three seconds, your phone enters 'Test Mode'. Note that if your phone is locked to a specific service provider, it will ask for a special code. In this case you may try to remove the lock (only on older phones) or jump directly to the step for enabling permanent test mode. Now you can use the test mode commands described on Janus's pages. Here you can find a copy of the list. With clone.dat you may enter Clone Mode and transfer frames from the phone memory into your computer. I backed up all five frames this way before making any changes to my d460. But the V3690 and V2288 only permit the transfer of the first two frames, and even those are incomplete, so making any changes on new phones carries much more risk. With the Medit software you can translate the contents of the frames into human-readable text. Here are some features added to my V3690 which were not present in its original state. It is also strange that the V2288 has a clock with date, just like the V3690, and it is easily enabled by the keypad command ppp123p1p (the letter p stands for the square character displayed by holding down the * key).

Figure: V3690 in Clone Mode

After Permanent Test Mode is enabled, it becomes easy to use commands of the form pppXXXpXp whenever wanted. For example, use ppp278p1p to enable EDIT MUSIC RINGTONE ... Please remember that enabling a function that is not actually implemented on your phone may lock it.

Figure: V3690 with dual line mode enabled; GSM900/1800/Auto selection is enabled.
Figure: Editing of the music ringtone is enabled; copying of the phonebook data is enabled.
Figure: You may turn off the bootup tone; now you have more choices ...
Figure: Is this for dual line mode? Unfortunately it doesn't work :(
Some of the enabled hidden features on my V3690; of course internet access is not possible.

Figure: Date and time on the V2288; now it's got the clock! Yes, the V2288 not only has FM radio, it also has the clock with date ...

If you read carefully through the user manual of ASIM, you may try to transfer the factflag.bin frame into your phone to enable 'Permanent Test Mode', which makes it possible to enter Test Mode whenever wanted by holding down the # key for about three seconds, without the need for the special Test Card or the emulator. You can also remove the SP-Lock from the phone with the spunlock.bin frame (this only worked on the d460, not on the V3690 and V2288, so do not try it there).

Figure: Engineering Field Options menu enabled

Once Permanent Test Mode is enabled, you can switch the phone off, remove the adapter and exit the emulator. Turn the phone on (with your own SIM card inside), then use its keypad to enter the codes needed to enable the Engineering Field Options menu: ppp000p1p ppp001p1p ppp070p0p ppp113p1p . Now there should be a new item in your phone's menu tree, 'Eng Field Options'. There you can find many parameters belonging to the network and to the active and passive mode operating status of your phone. The parameters are explained in detail on Janus's web site, so I do not include them here. Only a few of them are worth mentioning: while a call is active (as indicated by the timer displayed on the screen, set by the 'Show time per call' menu option), enter the engineering menu (you may call a toll-free service to do this, but check that the timer is displayed, otherwise a 'Busy, try later' message appears). Find the item 'TimeAdv' and note the value displayed next to it (for example: TimeAdv 08). Since the GSM system works at a very high frequency, the delay of the signal travelling between the radio station's antenna and your mobile unit needs to be adjusted for. This parameter exists for that purpose, and it is obtained by dividing a proposed maximum communication distance of 35 kilometres into 64 units. That gives 546.875 metres per unit (practically taken as 550 metres). In the example above, 8 x 550 = 4400 metres, which is the minimum distance from the point where you are to the radio station's antenna. Since the next step is 9 x 550 = 4950 metres, you can tell that you are somewhere between 4400 and 4950 metres from the antenna.
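The TimeAdv distance estimate above, worked through in code. This is an added example, not code from the original page or from the ASIM/Medit tools; the 'TimeAdv NN' line format is assumed from the display text quoted on the page, and the constants are the page's own figures (35 km over 64 units, 550 m in practice).

```python
# Added example: distance band to the serving antenna from the 'TimeAdv'
# value shown in Eng Field Options. Figures are those given on the page.
import re

GSM_MAX_RANGE_M = 35_000                      # proposed maximum cell range
TA_STEPS = 64                                 # timing advance takes values 0..63
TA_UNIT_EXACT_M = GSM_MAX_RANGE_M / TA_STEPS  # 546.875 m per unit
TA_UNIT_PRACTICAL_M = 550                     # rounded value used in practice

# Display line format assumed from the page's example "TimeAdv 08".
_TIMEADV_RE = re.compile(r"^\s*TimeAdv\s+(\d{1,2})\s*$")


def parse_timeadv(line: str) -> int:
    """Return the timing advance from a 'TimeAdv NN' display line."""
    m = _TIMEADV_RE.match(line)
    if not m:
        raise ValueError(f"not a TimeAdv line: {line!r}")
    ta = int(m.group(1))
    if not 0 <= ta < TA_STEPS:
        # 64 units are defined, so anything above 63 is a misread.
        raise ValueError(f"timing advance out of range 0..{TA_STEPS - 1}: {ta}")
    return ta


def distance_range_m(ta: int, unit_m: float = TA_UNIT_PRACTICAL_M) -> tuple:
    """Minimum and maximum distance (metres) to the antenna for a TA value.

    The phone is at least ta units away and less than ta + 1 units away;
    the value only gives a ring around the antenna, not a direction.
    """
    if not 0 <= ta < TA_STEPS:
        raise ValueError(f"timing advance out of range 0..{TA_STEPS - 1}: {ta}")
    return ta * unit_m, (ta + 1) * unit_m


def describe(line: str) -> str:
    """Human-readable distance band for one display line."""
    ta = parse_timeadv(line)
    lo, hi = distance_range_m(ta)
    return f"TimeAdv {ta:02d}: between {lo:.0f} m and {hi:.0f} m from the antenna"


if __name__ == "__main__":
    # Constructed sample readings, as they would appear on the phone display.
    for sample in ("TimeAdv 08", "TimeAdv 00", "TimeAdv 63"):
        print(describe(sample))
```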

The active cell parameters belong to the cell your phone is currently listening to. RxLevel indicates the received signal strength of the active channel in dB. The Cell ID parameter can also be read from the System Parameters menu. This way you may get an idea of how many active cells are commonly heard by your phone where you live.

Figure: Active channel and reception level displayed; active Cell ID number displayed. Active channel and Cell ID numbers.

You may trace the six most powerful adjacent cells, which are candidates for a cell switch in case your current signal loses its strength. There may not be six cells in the list all the time; only detectable channels are displayed. These may also not be strong enough: for example, the message 'Not Synched' tells you that the channel is detectable but the digital signal cannot be decoded properly yet.

Figure: Phone out of synch; phone synched to the network. The 'Not Synchronized' and 'Broadcast Control Channel Decoding' conditions.

Do not hesitate to e-mail me with questions whose answers cannot be found here or in the source pages mentioned. If you have more data on the subject, or achieve improvements in the modifications, I will be glad to hear from you.
