[Full-Disclosure] Chung's Donut Shop Release: Hacking Sprint PCS Vision

From: Day Jay (d4yj4y_at_yahoo.com)
Date: 05/03/03

    To: full-disclosure@lists.netsys.com
    Date: Fri, 2 May 2003 15:19:21 -0700 (PDT)
    

    Please see the below write-up on hax0ring Sprint PCS
    Vision.

    Enjoy ;)

    d4yj4y
    day to the motherf_cking jay!

    Chung's Donut Shop Proudly Presents
    www.chungsdonutshop.com

    Hacking Sprint PCS Vision
    ======================================
    Why pay when built in features are gay?
    by aRgus
    argus@chugnsdonutshop

    The Tao of Chung
    vol 1.0

    "Free", "Unlimited", 24/7 Mobile Internet
          (or hacking Sprint PCS Vision)
                 by aRgus Chung
     

    ( )
    >==[ Table of Contents ]==<
    ( )

      :[ Preface
      :[ "Unlimited" Internet
      :[ Materials
      :[ Putting it all together
      :[ Debug Codes/etc

    ( )
    >==[ Preface ]==<
    ( )

      :::[ What this is not - aka - No this isn't a cloning tutorial dumbass ]::::::::::::::::

         This tfile is on obtaining unlimited internet access with a PCS
         Vision-enabled phone. This is not a HOWTO on cloning, cellular
         theft, or eavesdropping. There are a number of quality docs on
         these subjects already. Go find them.

      :::[ End Disclaimer ]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

      Sprint recently released their 3g, color-screen line under the name "PCS Vision". The first
      of these was the Sanyo 4900, followed by 2 offerings from Samsung the A500 and the N400.

      In the early stages, Sprint was charging by the MB for Vision Internet services. Then Chung
      wrote a script to run up a pretty hefty bill on any given Vision enabled phone. Sprint
      was made aware of this by CDS labs and a shirt was requested. This shirt was never received.

    <speculation>

      Instead, as if by coincidence, a large number of Sprint customers began having their bills
      "remotely adjusted". Then Sprint made Vision "unlimited" for consumer users, as they could
      not block certain scripts written by certain donut vending Asians.

    </speculation>

      So now there exists a java enabled, mobile device with "unlimited" 24/7 internet access. Neat.

    ( )
    >==[ "Unlimited" Internet ]==<
    ( )

       We must first define "Unlimited". Sprint defines it as "Unlimited access for PHONES". Meaning,
       if your stupid ass is pulling down mp3s and other bandwidth hogging media, your account will
       be terminated, without notice, and you will be liable for any pending charges, including early
       termination of your service. In other words, be smart, be conservative, don't get caught.

       I check mail, I ssh here n there, I don't hit up high content sites, and I don't pull down
       any file over 800k. I also make use of the vision service during my peak minutes. When I
       have free air time (nights and weekends) I use my phone as a dialup modem to my primary ISP.

       I know of people who use it all the time, every day, all day. They haven't been terminated.
       Just be forewarned. It's your funeral.

    ( )
    >==[ Materials ]==<
    ( )

       1. Any PCS Vision Enabled Phone (duh)
       2. A SnapSync (tm) or comparable data cable
       3. Your box (for this example a linux lappy)

    ( )
    >==[ Drivers etc. ]==<
    ( )

       To make use of the data cable, you need ACM over USB enabled (it's in make menuconfig), and
       hot plugging enabled. Below are the ppp connection scripts. "man pon" for info.

       

    #################
    #The ppp script:#
    #################

    noauth
    connect "/usr/sbin/chat -v -f /path/to/ChungChatScript"
    defaultroute
    usepeerdns
    /dev/ttyACM0
    230400
    local
    novj

    ################
    #The Chatscript#
    ################

    TIMEOUT 5
    ABORT '\nBUSY\r'
    ABORT '\nERROR\r'
    ABORT '\nNO ANSWER\r'
    ABORT '\nNO CARRIER\r'
    ABORT '\nNO DIALTONE\r'
    ABORT '\nRINGING\r\n\r\nRINGING\r'
    '' \rAT
    TIMEOUT 12
    OK ATD#777
    TIMEOUT 22
    CONNECT ""

       

    ( )
    >==[ Codes etc. ]==<
    ( )

      Almost all of the information and services in this section require you to obtain your MSL
      code. This can easily be obtained through some polite interaction with a customer
      support rep.

      Do not ask for your MSL outright, just tell them your vision service isn't working
      and you get an error that says "IP Conflict" or something similar.

      ##2769737 (##BROWSER)
      ##3282 (##INFO) - NAI info.
      ##3283 (##DATA)
      ##786 (##RUN)
      ##2539 (##AKEY)
      ##889 (##TTY)
      ##7738 (##PREV) - MSL Change
      ##8626337 (##VOCODER) - Encoder Sample Rate
     

      Test Mode:

           *NOTE* I have an n400, and have only tested the following on my rig.

      Testmode is the true debug mode for PCS vision phones.

      Dial: 47*869#1235

      Test Mode Codes
     
       001 suspend
       002 reboot
       004 display mode
       005 set mode (PCS, CDMA, AMPS)
       011 Carrier : ON
       012 Carrier : OFF
       014 CHAN set
       015 CdTk_adj set
       016 CD TXagc set
       018 FM TXagc set
       019 LNA Gain set
       020 LNA Rs set (LNA Rs[0] - LNA Rs[8])
       021 SIOMODE (SSHF, QXHF, QXDM, SSDM)
       022 TEST_S
       023 DATA Svc : ON
       024 DATA Svc : OFF
       031 MRU TABLE: MRU set/select
       032 Send NAM
       033 Send S/W version
       034 Send ESN
       035 Product Info
       038 Clr Memory (00-55)
       039 Send P Info
       040 PRD Info set/select
       041 Backlight ON
       042 Backlight OFF
       043 Lamp ON
       044 Lamp OFF
       045 Vibrator ON
       046 Vibrator OFF
       047 DTMF ON (0-9)
       048 DTMF OFF
       049 Contrast set
       050 Front LCD contrast set
       051 BATT TYPE/ID show
       052 RD Bat Value
       053 Stdby Batt
       054 Talk Batt
       055 WR Batt
       056 Chrg_lvl
       057 Therm_lvl
       058 Reactive Input
       060 RD_Rssi set
       061 PCSRxRAS show [00 - 1
       062 WrPCRX show [00 - 16]
       063 TXPCS[01-16] show
       064 PCSFL[00-16] show
       065 PCS_lmt set
       066 PCS_temp show/set
       090 GPS_DOPP set
       091 GPMS Mode show
       092 D_GPSP set
       093 D_PCS set
       095 GPS_ANT set
       096 GPC_BCNT set
       097 GPC_LCA set
       098 GPS_LOSS set
       099 D_GPSC set
       100 D_CDMA set
       121
       122 PCM loop on
       123 PCM loop off
       124 PCM[00-11] on/off (Handset RX/TX/SL Headset RX/TX/SL New HFK RX/TX/SL EXT AUD RX/TX/SL
       125 GAIN[00-19] set
       126 GAIN[00-07] set
       131 Get PCS Dat1
       132 Get PCS Dat2
       133 Get PCS Dat3
       134 Get CDMADat1
       135 Get CDMADat2
       136 Get CDMADat3
       137 Get AMPSData
       138 Get AudData1
       139 Get AudData2
       140 Get AudData3
     
       

       FSM - Field Service Menu

       MENU010 - Unlock Code: 040793

     Hopefully this comes of use to someone. Chung like koi.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
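
Added example (not part of the original post or the tfile): a small Python model of how chat(8) walks the chatscript above, showing which TIMEOUT is in force at each expect and how an ABORT string ends the dial attempt. The function names and the modem replies fed to it are constructed for the illustration.

```python
import re

# Chatscript from the post, verbatim (raw string keeps the backslashes).
CHATSCRIPT = r"""
TIMEOUT 5
ABORT '\nBUSY\r'
ABORT '\nERROR\r'
ABORT '\nNO ANSWER\r'
ABORT '\nNO CARRIER\r'
ABORT '\nNO DIALTONE\r'
ABORT '\nRINGING\r\n\r\nRINGING\r'
'' \rAT
TIMEOUT 12
OK ATD#777
TIMEOUT 22
CONNECT ""
"""

def tokens(script):
    """Split into chat tokens (quoted strings or bare words), decode \\r and \\n."""
    found = re.findall(r"'[^']*'|\"[^\"]*\"|\S+", script)
    found = [t[1:-1] if t[0] in "'\"" else t for t in found]
    return [t.replace("\\r", "\r").replace("\\n", "\n") for t in found]

def run(script, replies):
    """Model of chat(8): returns (status, detail, strings_sent).
    `replies` is constructed modem output, one item per non-empty expect."""
    toks, aborts, timeout, sent = tokens(script), [], 45, []  # 45 s is chat's default
    replies = iter(replies)
    for word, arg in zip(toks[0::2], toks[1::2]):
        if word == "TIMEOUT":
            timeout = int(arg)
        elif word == "ABORT":
            aborts.append(arg)
        else:
            if word:  # an empty expect ('') waits for nothing
                heard = next(replies, "")
                hit = heard.find(word)
                for a in aborts:
                    pos = heard.find(a)
                    if pos != -1 and (hit == -1 or pos < hit):
                        return ("abort", a.strip(), sent)
                if hit == -1:
                    return ("timeout", (word, timeout), sent)
            sent.append(arg)
    return ("connected", None, sent)
```

Because the first pair expects nothing, the opening TIMEOUT 5 never governs a wait: the OK is awaited for 12 seconds and the CONNECT for 22.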

