Motorola GSM Test Card
The Test Card has one single function -
to put the phone into test mode. The card is the key that the software needs
before it will let you enter the test mode. The test mode is used by Motorola
for service and debugging purposes. I guess motorola was taught a lesson from
the old AMPS phones that could be put into testmode by shorting two pins or
entering combinations from the keypad (read all about this in the Motorola
bible by Mike Larsen). To make it a lot harder for kewl phreaks, they designed
the special SIM cards (Test and Clone/Transfer Card). From the test mode you
can perform diagnostics, display the IMEI (on pre *#06# software), soft &
hardware versions and change soft potentiometers
PRIVATECommand Function 01# Exit test mode 02NN# Display PACAL NN (00...19) -
"PCAL NN xxx" 00 to 15 are the calibration of the
PA to match the nominal power of NNth powerlevel See illustration 02NNXX# 02NNXXX# Enter PACAL value XX (00..99) for NN
(00...19) - "PCAL NN XX" use XXX on 2.7 v phones It is generally
*not* a good idea to change the powerlevel calibration. Be advised that on
the 5v phones, it is not possible to enter a value that is higher than 99 -
even though it could be higher in the first place !! 03N# DAI N (0...8) Test Digital Audio Interface (DAI) as
described in GSM TS 11.10 Section III.1.2.3. This is used to determine the
routing of speech data (DAI or internal, i.e. normal mode) and which device
is being tested (speech transcoder / DTX functions or A/D & D/A). N
selects the tested device: 05N# Exec error handler test N (0...3)
Induces or simulates an error and powers off the phone 0 -> CPU error: 1 -> CPU error: 2 -> Modem error: 3 -> CPU error: 07# RX Audio Off (Mute Receiver
Audio Path) 08# RX Audio On (Unmute Receiver
Audio Path) 09# TX Audio Off (Mute
Transmitter Audio Path) 10# TX Audio On (Unmute
Transmitter Audio Path) 11NNN# 11NNNN# Select transceiver channel N (001...124)
for GSM-900 and N (512-885) for GSM-1800 The transceiver channel can only be
changed when the phone is not transmitting (37#) - Where older units would go
on channel 120 by 11120#, newer units like the 8900 require a 110120#
- (Can anyone tell what the channel designations for GSM-1900 is ?) These
newer units will also accept N (900...915) even though it clearly
states the capabilities as PGSM (Primary GSM) when queried with 980# 12NN# Set TX Powerlevel N (00...15) for
GSM-900 and N (0-13) for GSM-1800 This selects how much power the phone
will transmit with.Refer to Power table on the
Engineering menu page -A channel must be set (11NNN#)
before selecting powerlevel. The command will only work when the phone is not
transmitting (37#) 13N# Display memory block usage N (0...3)
- "N:x/y/z" With the cd930, a typical readout
would be: 0:13/29/90, 1:4:10:52, 2:0/5/8 and 3:0/2/3. The last number of the
three values is always constant. This command tells some interesting things
about the software design. The MCU runs a realtime operating system (RTOS)
which takes care of the dynamic memory allocation. There must be API's like
malloc and mfree present. The phone RAM usage is (partially) dynamic. If
anyone has an idea about what RTOS motorola is using, then please drop me a
mail. Having a copy of the development kit for the RTOS would allow you to
make a very nice API library for a disassembler. It seems like the RTOS is
able to allocate three types of memory blocks (small, medium and large ?). 14N# Generate out of memory condition N
(1...3) Induces or simulates an memory error and powers off the phone 1 -> Exec detected error: 2 -> Exec detected error: 3 -> Exec detected error: Seems to do something else on the
8700/StarTAC 15N# 15NN# Generate tone N (1...6) On the 5v phones use the 15n# to
generate tones to the alert transducer (these are generated by the DSP): 151# Normal "annoying motorola
type" ringing, 152# Busy (slow), 153# Busy (fast), 154# Error (tri-tone),
155# No service :3 x busy (Fast), 156# Vibrate This is different for the
d460/8700/StarTAC/Slim: Using the 15xx# to generate tone:
Enter 432# to change to alert, enter 477# adjust volume to max. 1523# Voice Mail alert, 1524# Redial
alert 1525# Busy 1558# Low Battery 1559# SMS alert 1532#/1546# Standard Tone
1533#/1547# British Tone 1534#/1548# French Tone 1535#/1549# German Tone
1536#/1550# Bravo Tone 1537#/1551# Three Ring Tone 1538#/1552# Siren Tone
1539#/1553# Quick Tone 1540#/1554# Single Ring Tone 1541#/1555# High Tone
1542#/1556# Music Tone 1562# No Vibrate or Ring 1563#-1567#
Vibrate(Discontinuous) 1568# Vibrate then Ring 1590# Vibrate(Continuous) 16# Stop generating tones enabled with
15N# 17N# Select DSP (Digital Signal Processor)
type : Motorola(0) or AT&T(1) - "Set To Moto" / "Set to
AT&T" Most phones have this set to
AT&T, which refers to the Lucent 1616DSP - . If this is set incorrectly,
the phone will fail with a code 05 (7100#), not beep on power-up and report
"00.00" as the Speech coder version. You will also not be able to
perform a speech coder loopback .Some of the 8200/8400/6200 have a Motorola
type fitted. The Mot type is physically bigger (about twice the size) and the
pcb layout is therefore different. On some kinds of phone there is a sticker
near the battery contacts which has the pcb revision number, P15 or A5 for
example. If the number is a P type, then it has a Motorola speech coder, if
it is an A type then it has an AT&T or a Lucent type. The command seems
to accept longer parameters, but they seem to have no effect. I have
been informed that it is *not* possible to recover from a wrong setting with
a test card on some units (including 8800 / StarTAC's) ! - DO NOT CHANGE THIS
SETTING UNLESS YOU HAVE A GOOD REASON. Model dependant - will not work on
phones with another DSP (SMoC) 19# 19N# Display call processor s/w version -
"CallProc xx.xx.xx" This is the actual Sw version. The
EPROM / Flash stickers also indicate the version. If the phone has been flash
upgraded (with an emmibox), the stickers and the version reported by the test
card will not be identical. This is also a way to spot an express exchange
unit. my 8200 reports 37.62.57 (ver 1.9) but the stickers say 37.62.39. On newer models (8900, d520, d560,
cd920, cd928, cd930), the parameter N(1...2)is added. 191# Displays
"SVN xx" This is the software stepping number. This means that
minor changes to the software are recorded / indicated here. For example my
A0.06.18 has SVN 11. <Speculation> When implementing the 18 digit
extended IMEI number, as first seen on the International 8900, the suffix
"0" is replaced with three new digits that shall reflect the
firmware version of the ME. This will aid an operator (and Motorola) in
identifying bugs. The operator that logs the IMEI and sw identifier may see
that a specific firmware revision is overrepresented on the dropped call
statistic (I have a good guess where mot would be ranked in an overall
statistic ;-) ). Since the phone family/type will appear from the TAC part of
the IMEI, the extended IMEI information only needs to reflect the stepping
within the family. My guess is that it is the SVN that is appended to the
IMEI. My 8900 reports xxxxxx-xx-xxxxxx-603 and SVN is 03. What the "6"
instead of the spare digit "0" is for, I do not
know.</Speculation> 192# Displays
"Computing checksum", then "Flash=2DA4, ROM=4AEB"
(Checksums). The first one is the checksum of the FLASH ROM (Never checked if
it is the CRC-16 of the full 1024 k, including the bootblock).
"ROM" is the bitmap ROM that is inlcuded on Asian units. Here, the
FLASH ROM is a 2 mb Intel, where the lower 1 mb contains the program and the
upper 1 mb contains the character bitmaps (can someone confirm this 100%). 20# Display modem software version -
"Modem IC v. xx.xx" This is the Modem IC ( XC 390nnnFU )
software version number The latest versions I have seen is
40.02 on a 8700 Hw 3.3 and 41.57 on a 8900 - The modem IC has a DSP 56156
core and a mask programmed ROM. Hence it can't be flashed and the software
can only be upgraded by replacing the MODEM chip Display SMoC IC version - "DSP
v.XX.XX" Support phone: All with SMoC IC
phones. Like d160, new GC-87C, d560 and cd928. (new) GC-87C: 61.95, d560:
61.80, cd928: 61.AB, cd930: 71.09 21# Displays character ROM (version and
checksum ?)- "simp 01.02 E43C e43c" This command works on GC-87C/E and
CD920/cd930 ver A0.06.xx - the later will (in the european version display =
" No Chinese Bitmap ROM". On the Asian models, it will display the
ROM type and the ROM checksum - "simp" would be the simplified
chinese character". <Speculation>This might be removed on newer
units and the character rom is checked with the command 192#</Speculation> 22# Display speech coder (AT&T /
Lucent or Motorola DSP) version - "Spch Cdr v. xx.xx" 5.XX (where X is any number), means
the phone has a Motorola DSP. If the code is 11.XX, it is an AT&T or a
Lucent. This has to be the revision of the actual DSP code which is kept
internally in the DSP1616 ROM - The 1616 can use external memory, but the
motorola design only uses the internal 24K ROM.The Speech Coder revision
therefore cannot be changed without replacing the chip. The latest version I have seen is
11.80 on a 8700 Hw 3.3 - A new speechcoder might have been introduced in the
StarTAC 328c / 1900 : ver 12.20 - any info is appreciated ! This could also
be due to implementation of the half rate or enhanced full rate CODEC. Not supported on SMoC units, since
the speech coder is integrated into the SMoC and probably is relected by the
SMoC IC version (20#). In the A0.06.18 firmware, this command just jumps to a
nullsub and returns. (Which means you will have a nice hook for running your
own programs.) 23# Display info stored - "No Info
Stored" Works on 7500 / 8200 and displays
some sort of an identifier string on the 8900 and newer phones: 24N# Turn on/off the 23dB RX-AGC step
attenuator N (0...1) This toggles a 23 dB Automatic Gain
Control attenuator - it will not take effect until a transceiver channel is
selected (11NNN#). 25NNN# Set RX-AGC level NNN (000...255) Has to be followed by a 11nnn# like
24n# 26NNNN# Set VCO (Voltage Controlled
Oscillator) AFC (Automatic Frequency Control) value N (0000...4095) This command is used to adjust the TX
frequency. A BTS will only accept the MS to be around 50 Hz off frequency
before it is kicked. 27# Display IP Revision Displays IP Rev. (2.0.0 on a DB890
& 2.0.1 on a cd928). IP stands for Intelligent Peripheral, but who knows
what it is ? 31N# TX!
Transmit pseudo-random sequence with midample N
(0...7) Initiates pulsed transmission - The
phone will not be synchronized to a network. When starting this transmission
phones in the vicinity that operate on the channel in question will make a
handover ! (see why you should be careful ?). This indicates that the
transmission is taking place on a traffic channel. 32# TX!
Transmit RACH burst sequence Initiate pulsed transmission - The
bursts seem to be shorter and have a lower frequency than the 31N# bursts.
This command can not be used like the one above to "bump" others
off the channel, indicating that it does not transmit on the traffic channel,
but probably is an access burst on the RACH (Random Access CHannel i.e.
uplink CCCH. Since CCCH channels are common to all users of a cell,
transmitting RACH bursts in every 51-frame multiframe (26 per superframe).
However, since the MS isn't synchronized to the network and it will not
contain the right data (the right color codes and checksum) to be a
"usable" burst it will not be valid for allocation of a channel. 33NNN# Synchronize to BCCH carrier NNN=
channel (001...124) for GSM-900 and (512...885) for GSM-1800 If you punch in a valid channel in
your area, the Ø symbol will turn off and indicate that the phone is
receiving and sucessfully decoding the BCCH. You can check which channels are
active in your area with the Eng Field Options menu. 34NNNXX# TX! Traffic channel
loopback without frame erasure indication N= channel (001...124) for GSM-900
and (512...885) for GSM-1800, X=PowerLevel (00...15)/(00...13) Initiate loopback transmission - The
phone must be synchronized to a network (33nnn#) - If you are close to a BTS,
you can synchronize to the BCCH and use this command to loopback speech like
36# but on a full-rate traffic channel -The phone will code the speech and transmit it to a
test-set (or BTS!) which will loop it back. If it is intended for use with a
test set, the timing advance must be zero (and you would have to be within
1000 meters of a BTS to make it work). I think the speech loopback is
internal and the phone might keep synchronisation to the BTS (perhaps by
sending idle bursts) ? If you have experience with channel layout etc. I
would really like an explanation of what is going on. 36# 36X# Enable speech coder acoustic loopback
The new StarTAC 85 (With the new
Lucent 1627 DSP) will accept parameters 0 and 1 the 8900's will only accept
parameter 0 (most older software versions don't accept any parameters at
all). I could imagine this being a selection of the speech coder type used
(Full Rate / Enhanced Full Rate / Half Rate). Remember to set volume to max
when using this (477#). The v series will also accept the parameter 2,
indicating that it's speech coder eventually will support the Half Rate
codec. 37# Stop transmission Disables Speech coder loopback (36#)
and RF test commands (31N#, 32#, 33NNN#, 34NNNXX# , 40#, 41# ) 38# Start SIMClk This command will start the 3.25 MHz
clock signal to the SIM card. It also initiates sending garble data to the
SIM. Might do something else on the 8800 39# Stop SIMClk This command will stop the 3.25 MHz
clock signal to the SIM card. 40# TX! Initiate constant
carrier transmission - all bits set (1) Will only work if the powerlevel has
been set between 10 and 15 - Thats 200 mW or less. No data is contained in
this transmission 41# TX! Initiate constant
carrier transmission - all bits struck (0) Will only work if the powerlevel has
been set between 10 and 15 - Thats 200 mW or less. No data is contained in
this transmission 42# Disable echo suppression until phone
is switched off 43N# Changes the audio path N (0...8) 0 select carkit audio 45NNN# Display receiver information N
(001...124) for GSM-900 and (512...885) for GSM-1800 - "-xxx.x yyy
z" N is the GSM channel number - the
command will display the channel reception xxx.x (dBm), the last AGC DAC
value yyy (0... 255) and the step AGC value z (0...1) 46# Display AFC DAC value (0-4095) -
"AFC DAC xxxx" 47N# Set earpiece volume N (0...7), 7=max On the 8900, N is replaced by NN
(00...17) 48NNNN# Generate continuous tone. N
(0001...4500) = frequency in Hz On newer units like the 8800 / 8900,
this is slightly different: 480000#-480012# are the dtmf-tones (480011#
is * and 480012# is #) 49N# Display battery Frame N (0...7) data
- "Battery Rd Fail" The test card will remember the data
from the last valid battery. This is the information kept in the Dallas
"add only memory" chip in the battery. Does not work on all models of phones
/ batteries - this command is a good way to check if your Li-Ion battery is
genuine. One of my batteries (SNN5360A) reports 16 bytes (83005AAE3E4EB500)
in slot 0, (00E65A33FF05010D) in slot 1, (198FAE0D2E535F68) in slot 2,
(2E323A4B1D000101). I will compare it again later, so see if it changes with
the number of charging cycles. 50NNN# 50XNNN# Internal charger control N
(000...255) Different in StarTac/Slim phones: NNN is the current level. Can anyone
verify this with an Amp-meter ? (table or graph would be nice) ? Does not work on the d628 51# Enable sidetone Does anyone have information on this
? 52# Disable sidetone ??? Does anyone have information on this
? 53N# Perform RAT test N (0...8) ? Does anyone have information on this
? 54N# Perform LED test N (0...3) Controls the LED on the StarTAC 85,
cd920 and V series. 0= Off, 1= Red, 2= Green and 3= Orange. 55NN# Display Cntr - "Cntr xx: 0 N
(00...13) Is obviously some sort of counter,
but I have no idea what it counts. 57# or 571# Initialize non-volatile memory Use this with caution, since it will
zap almost all settings including: Lifetime meter, phonebook, user settings,
etc. On the StarTAC, this command will work as a "Master Clear" and
not reset the lifetime meter. 58# 58xxxxxx# Display Security code - "SECUR
xxxxxx " Change security code to xxxxxx 59# 59xxx(x)# Display lock code - "LOCK
xxx(x)" Change lock code to xxx(x) 60# Display IMEI -
"xxxxxxxxxxxxxxx" 61# 61NNN# Display LAI MCC -THIS VALUE IS STORED IN THE SIM- "LAI MCC
xxx" The Local Area Information
consists of the Mobile Country Code, Mobile Network
Code & Local Area Code Change LAI MCC to N(000...999) "LAI MNC
xx" This is a two byte value that is
stored in the file called "LOCI" (6F7E) in
the SIM. 62# 62NN# Display LAI MNC -THIS VALUE IS STORED IN THE SIM- Mobile Network
Code Change LAI MNC to N(00...99) This is a one byte value that is
stored in the file called "LOCI" (6F7E) in
the SIM. 63# 63NNNNNN# Display LAI LAC -THIS VALUE IS STORED IN THE SIM- "LAI LAC
x" Local Area Code Change LAI LAC to N(000000...65535) This is a five byte value that is
stored in the file called "LOCI" (6F7E) in
the SIM. 64# 64N# Display Location Update Status -THIS VALUE IS STORED IN THE SIM- "Loc Updt
Stat x" This is the Location
update status which is stored in the file called "LOCI" (6F7E) in
the SIM 0= Updated, 1= Not
updated, 2=PLMN not allowed, 3= Location Area not allowed Change Location Update Status to N
(0...3) 65# Display IMSI (001010123456789) on
test card -THIS VALUE IS STORED IN THE
SIM- "xxxxxxxxxxxxxxx" This is the International
Mobile Subscriber Identity which can be read from the Elementary File
"IMSI" (6F07) in the SIM 66N# 66NXXX# Display TMSI N (0...3) -THIS VALUE IS STORED IN THE SIM- "TMSI N
xxx" This is the Temporary Mobile
Subscriber Identity which is assigned to the MS/SIM by the network Enter TMSI value XXX (000...255) for
N (0...3) This is a four byte value that is
stored in the file called "LOCI" (6F7E) in
the SIM. 67# Zero PLMN selector -THIS
VALUE IS STORED IN THE SIM- 68# Zero forbidden PLMN list -THIS
VALUE IS STORED IN THE SIM- 69# 69N# Display Ciphering Key (Kc) Sequence
number
-THIS VALUE IS STORED IN THE SIM- "Cipher
Key x" This is the Kc sequence
number which can be read from the Elementary File "Kc" (6F20) in
the SIM once the PIN has been entered Change Cipher Key (Kc) Sequence
number to N (0...7) 70NN# 70NNXXX# Display BCCH NN (00...15) -THIS VALUE IS STORED IN THE SIM- "BCCH NN
xxx" This is the content of the Elementary
file "BCCH" (6F74) - By storing a BCCH search sequence, the extent
of a MS's search of BCCH carriers may be reduced. By thinking of the 16 bytes
x 8 bits as a bitmap, it is possible to have a flag for each GSM-900 channel
(plus 4 spares) which specifies to search for a BCCH on that carrier or not. Enter BCCH value XXX (000..255) for
NN (00...15) "BCCH NN XXX" 71NN# Display INFO (Self Diagnostics) NN
(00...99) - "INFO NN xx" INFO 00
(Error Code): 01 CPU exception
(Bus error, Illegal opcode etc.) 02 External SRAM
error The power on checkerboard test of the
SRAM failed (one of the very first things that are done after execution of
the main program starts). 03 Modem error 01= Bad
modem ID 04 Modem error from
DSP 01=
Checkerboard test failed-internal memory 05 Speech Coder
(DSP) powerup failure 01
= Timeout(22# will probably report 00.00 - check DSP setting 17n#) 06 Execption
handler detected error (That would be by the realtime OS.) 01
= Out of memory 07 EEPROM checksum
error (can't always be cleared by clone card - an EMMI or EEPROM exchange
might be needed). 01
= Configuration checksum failure (fix with frame 4 transfer) 08 MMI (Man Machine
Interface) power down (will describe why the phone turned off) 01
= Safety timer expired (carkit?) +80 = Suicide
timer expired too This function returns additional data
in the parameter 1 field. 09 QSPI (Queued
Serial Peripheral Interface) mode fault - probably an SPI bus error. The SPI bus (MOSI, MISO and SCK)is
used for communication between the MODEM IC and the Call Processor. Read much
more about this in the MC683xx and 68HCxx documentation. 0A Layer 1 error
??? 0B Layer 1
interrupt table overrun ??? 0C RAT error ??? In addition, more specified
information is provided for each EC by the following: A normal, working phone will report EC=08
(MMI power down) & SC=03 (Power button hit) 72NN# Display Passive Fail Codes NN
(00..99) - "PFI NN xxx" Describes the passive failure codes
(What are these ??) 73N# 73NXXX# Display Logger control block N
(0...4) - "LOGR N xxx" This is an event logger that is used
for troubleshooting. Can anyone tell how this is used ? Edit Logger control block N (0...4),
XXX (000...255) With this command, the logger can be
programmed to log specific information 75NNNNN# Request flash from emmibox NNNNN
(00000...99999) - "Flash Failure" / "Flash Pls Wait" N=36778 is used for flashing the
software. The operand is absolutely static and serves no purpose at all
(apart from some pathetic access control). The phone has to be connected to a
PC via an "Emmibox" that plugs into the phones butt-plug. After the
transfer, the phone neeeds to be reset (57#). Not all models can be flash
upgraded. Some have EPROM memories instead of FlashROM and will have to be
replaced manually. The EMMI box has an exteral PSU , connects to the RS-232
port of the PC and to the phone. The box will translate between the PC's
serial interface and the Phones DSC bus interface. The emmi is more than just
a DSC bus driver - It uses a MC68332 and has 2 mb of EPROM memory. 88# 880N# 881NNNNNNNN# 882NNNNNN# 883N# Display Real time clock Set clock status N (0..1) : 0 Disable RTC / 1
Enable RTC Set date N (MMDDYYYY) Set time N (HHMMSS) Set daylight saving time N (0..1) : 0 Disable DST / 1
Enable DST Model dependant - d460 and up only 89# 89N# N (1...2) 891# makes the phone make an alert
sound through the speaker 92 # Does anyone have information on this
? 93NNN# Does anyone have information on this
? 94 # Does anyone have information on this
? 95NNN# N=0, 3, 11, 12, 13, 14, 15, 16, 17,
18, 19, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114,
115, 116...299 Beeps, Does anyone have information
on this ? 98N# Select band 98# "No Band Selected" /
"Current Band X", X="DCS1800", "PCS1900",
"PGSM" or "EGSM" Only available on newer and dual band
phones. Perhaps this can give a hint about what mot has in the pipeline... 99# 99N# LCD display test Model dependant - 7500 / 8200 / 8400
/ d460 / d470 only LCD display test N (1...2) 0 Display wakeup screen and light
icons Model dependant - 8700 and up only List of Test Card (81-02430Z01)
Commands The test card can actually be used to
make the phone recalculate the configuration checksum at $0000-$0001 after you
have manually edited the EEPROM data. After powering up the phone it will go:
"phone failed - see supplier" on the display. By updating the PA
calibration table, the configuration checksum will be recalculated. Here are some testing combinations : PRIVATE Audio loopback
test Audio loopback test Audio testing TCH loopback test (CAREFUL!) 36# Start Speech
Coder Loopback 36# Start Speech
Coder Loopback 08# Unmute RX audio
path 11xxx# - select valid
BCCH carrier
The Test and Clone/Transfer cards have
both been emulated succesfully. A curious detail is that many of the test mode
commands are identical (function / number) to the ones used on AMPS phones
(have a look in the mot bible). Not all original testcards will work with the
GSM-1800 mot phones since phase 1 cards do not have all the files that newer
phase 2 units need.
How do the test cards work ? The test
card is not any special by itself. All the functions are carried out by the
phone software, but the card act as the key that unlocks these functions. The
test card is an ordinary SIM with a special entry in the 6FAD file. As soon as
the phone discovers that the inserted SIM card has bit seven of the first byte
in the 6FAD file set (this means every value from 81-FF), it will allow you to
enter test mode by holding down "#" for three seconds. Ordinary SIM
cards have the entry "00 FF FF" in this field, but the test SIM has
"81 FF FF" - 81 is defined in the GSM TS 11.11 as used for "Type
aproval (Test SIM definition is found in GSM TS 11.10 section III.1.6). The
Android has sucessfully constructed a SIM emulator that will allow you to
specify the content of every file on this virtual SIM card (and thereby
emulating the test and clone card). A complete package with test and clone card
emulator executionable (DOS) and diagram can be downloaded from the card
emulation page.
The PIN for the card can be 01234567 ,
00000000 or 11111111 (If you are prompted for one). After the PIN is entered ,
you will need to hold down # for 3 seconds to enter test mode. The PIN code
verification can be removed just as you do with a regular SIM (makes it less
annoying and safer to work with) - Be careful ! Just like a normal SIM, the PIN
can only be entered three times - then the PUK is needed (The PUK is 12345678,
so if you blocked the testcard, you will need to enter **05*12345678*1234*1234#
(Thank you Mark Hawkins !)- The new PIN will now be 1234 - I can recommend
setting "Require SIM PIN" to OFF). The phone will prompt "Test -
Now the commands can be entered - Many of these commands vary with the
different phone types.
Test mode syntax:
When the card is present in the phone,
it will act as if a normal SIM was inserted in the phone. The phone will not
try to register on a network since the test card has MCC=001 and MNC=01 which
are the values described in the GSM TS as "test use".
To enter the test mode the
"#" key has to be pressed down for 3 seconds. The phone will then
enter test mode and display "Test" in the display. Now test mode
commands can be entered. The syntax consists of [command
number][parameter1][parameter2] etc. and is executed with an terminal
"#". The different commands require a different number of parameters.
Here are a few examples:
19 # : Command 19 will display the software version and does not
require any parameters - on a 7500 it could show "CallProc 58.62.15"
59 1234
# : Command 59 normally shows the LOCK code, but when a
parameter is used, the LOCK code is changed to the one specified with the
parameter - This example will change the LOCK code to "1234"
34
058
15
# : Command
34
will configure the radio to channel
058 and powerlevel 15
The test mode is exited with the
command 01#
Here is a list of the commands that I
have figured out so far. If you can help me with the ones that are missing, I
will be happy to hear from you.
0 = Normal operation (no tested device via DAI)
1 = Test of speech decoder / DTX functions (downlink)
2 = Test of speech encoder / DTX functions (uplink)
3 = Uplink loopback test
4 = Test of acoustic devices and A/D & D/A
5 = Buffered input loopback test with debugging info header
6 = Uplink coded output loopback test
7 = Downlink coded input loopback test
8 = Input loopback
EC=01 - SC=00 - P1=00,10,02,E8 - P2=00,00,00,00 -
GI=00,00,00,07,3C,5C,C0,08,00,00,00
EC=01 - SC=00 - P1=00,10,02,E8 - P2=00,00,00,00 -
GI=00,04,00,07,3C,5E,C0,0C,00,00,00
EC=03 - SC=04 - P1=00,00,00,00 - P2=00,00,00,00 -
GI=00,01,00,00,00,02,55,74,00,00,00
EC=01 - SC=00 - P1=00,10,02,F4 - P2=00,00,00,00 - GI=00,00,00,07,3C,A4,20,14,00,07,3C
EC=06 - SC=01 - P1=00,00,00,3E - P2=00,07,3E,4A -
GI=00,00,00,00,00,00,00,00,00,00,00
EC=06 - SC=01 - P1=00,00,00,FE - P2=00,07,3E,4A -
GI=00,00,00,00,00,00,00,00,00,00,00
EC=06 - SC=01 - P1=00,00,02,BA - P2=00,07,3E,4A -
GI=00,00,00,00,00,00,00,00,00,00,00
"A.A.BI.S.JO.Q.B.7.B.0.A.BR.A.BDBRBP.A.55" on my cd930 and
"A.A.BL.Z.MO.AQ.G.5.K.1.A.CI.A.AAAAAA.D.109" on my 8900. The
formatting is fixed and the whole string without periods is kept at $0421-43B
in the EEPROM. It probably decodes to information about features, OEM info,
sim lock status etc.
1 select carkit audio (seems identical to the above)
2 select phone alert transducer
3
4 select earpiece on portable phone
5 select carkit speaker
6
7 select carkit audio
8 select earpiece on portable phone
Does
not work on all software versions (available on 1.9 and above)
480013# and 480014# seems to be the free tone
480015# i dont know, but it sounds horrible
480016# - 480021# are short beeps
480022# is a longer beep with 2500hz
480023# is 1523 (voice mail alert - similar to 15NN#)
480024# is 1524 and so on
000
Stop internal quickcharge
255 Maximum current on internal quickcharge (N controls the current)
50XNNN# : X=0 select main battery, X=1 select auxiliary battery.
04= Runtime bad ID
02= Shifted diagonal test
failed-internal memory
04= Checkerboard test failed-external
memory
08= Shifted diagonal test
failed-external memory
16= Code checksum problem.)
02= Bad ID)
02 = Bad free
03 =
Invalid port
04 =
Invalid DSP ID
05 = Bad pointer
02 = IMEI and
SP checksum failure (fix with unlocking frame)
03 =
DS2401 serial number error (to prohibit cloning?)
04 = ?
02 = Car
ignition turned off
03 = Power
button hit
04 =
Low battery (Turn off treshold voltage reached)
05 = DSC
peripheral was removed while power was on (only reading "1"'s)
06 = Butt plug power toggled
INFO 01 (Sub Code) :
Defines the error category within the given EC
INFO 02-05 (Parameter-1)
INFO 06-09 (Parameter-2)
INFO 10-99 (Generic Information)
980# "Capability X", X="DCS1800", "PGSM",
"PGSM&DCS1800", "PCS1900",
"PGSM&PCS1900", "PGSM&EGSM",
"P&EGSM&DCS"
981# "EDOUT=1(PGSM)", "EDOUT=0(DCS1800)",
"EDOUT=0(PCS1900)" or "Not dual band phone"
1 Display checkered pattern
2 Display reverse checkered pattern
3 Display all pixels set.
Enter
testmode by holding # down
Type 0205# - get answer (eg. 75)
Type 0205075# (just write the same value again)
Type 01# (to leave test mode)
The phone still says "phone failure..."
Turn phone off and on again - "Insert SIM" DONE!!!
(5v units)
(2.7v units)
08# Unmute RX audio path
10# Unmute TX audio path
477# Set the audio level to max.
08# Unmute RX audio path
477# Set the audio level to max.
434# Select earpiece (audio path)
477# Set the audio level to max.
151# Generate a Ring Tone to Earpiece
48XXXX# Generate continuous tone
08# Unmute RX audio path
10# Unmute TX audio path
477# Set the audio level to max.
33xxx# Sync. to BCCH carrier - The "ø" dissapears
34xxx00# Enable TCH-Loopback!
37# End test
