HACKING YOUR MOTOROLA GSM
Please note: the information provided here may cause your phone to malfunction. Modifying the software of your GSM phone is a personal choice, and it is shown here for amateur purposes only. Commercial attempts based on this hardware and software may be illegal. So you take the risk yourself.
I have always had a fondness for Motorola products, since my first computer, the Commodore 64, was based upon a Motorola CPU, and it is still regarded as the best computer of all time. Although everyone who favours Motorola GSM phones accepts that they are not physically as strong as Motorola states (when you drop one on the floor), they are really stable in electronics and software and have a menu system which is 'engineer kind'. So I'm happy with my Motorola and do not have the slightest feeling that I'm going to change my mind in the future. I only wish there were more features on them, such as a calculator, message sender identity, a counter of characters left in the message editor, etc. I used to have a d460, which was very comfortable for me, and now have a V3690, which is even more comfortable. My girlfriend also has a V2288; we preferred it for its built-in FM radio and elegant design.
While I complained about the functions my d460 lacked, I was unaware that something I could bring out was already lying in my phone. We already know that most GSM phones come in different models with different functions, while in fact having the same hardware and even the same software inside. If there were a way to modify the software of the phone, it might be possible to have some features which were not included in the originally purchased version.
As I searched the web for something interesting about the phone I had (formerly the d460), I came across many rumours saying that it is possible to modify the phone software and enable some features which are hidden from the user. The traces led me to Janus's web site, completely dedicated to Motorola GSM. There I found information and links to the hardware and software required to modify my phone's memory. That's where you should look for information if you are going to do something like I did. This page provides the practical information, so you should read through Janus's Motorola pages to get familiar with concepts like 'Test and Clone Cards', 'Transfer Frames', 'Test and Clone Modes' etc. The site also has a link to a discussion list on Motorola GSM, which is useful if you are in search of a particular thing.
What I found was that it only needed a simple adapter to connect the phone to the PC, and software that acts as the Test and Clone SIM Cards to enable editing and transferring the phone memory contents through the PC. When I had the chance, I brought the pieces of the interface circuit together, etched a SIM adapter to be inserted into the phone, connected everything correctly and ran the emulator. All went well, and first I enabled the Engineering Field Options menu and permanent test mode, and then removed the SP-Lock from my phone.
Although new phones are protected against this kind of attempt, I managed to enable permanent test mode and the keypad code entry feature on my V3690. Thus it became possible to enable the Engineering Field Options menu and others through the keypad of the phone. But unfortunately the SP-Lock could not be removed. I found some software/hardware on the web promising that this can be done, but either the software or the hardware was missing from the ZIP files. So the following instructions only cover the modifications I have done successfully. Again, these are provided for informational purposes and personal amateur use only. You are taking the risk yourself. Tweaking memory contents may cause the phone to malfunction, which may only be recoverable at a qualified service, and even an electrical problem (such as a short circuit, wrong connection or surge voltage) may lead to an unrecoverable failure requiring a part change.
Here is the hardware layout of the operation. The interface circuit consists of three transistors and six resistors, so it is simple to build. It prevents direct connection of the TTL interfaces of the computer and the phone. The computer's serial COM1 port (usually where a serial mouse is connected) is used to connect the interface, with a female connector. The phone's SIM socket is where the other end of the interface is connected. A small SIM adapter is used to ease this. It is a PCB cut to the size of a regular SIM module, with contact points etched on its copper side. I used it as is on the V3690 and V2288, and placed it in its credit card size SIM Card frame to be inserted in the d460. Since the cables won't fit in, I had to open the d460 and fix the card manually inside it. Let's start with the preparation of the SIM adapter. First you need a 300 DPI printout of sim.tif to be copied onto a PCB. If you want a credit card size version to be used on a d460-like phone, you may use this one. After the etching process, drill the holes in it and solder on the four wires to be connected to the interface PCB. Using a thin ribbon wire makes it easy to install into the phone. Taking care while soldering the wires to the adapter PCB is important, since rough soldering may cause short circuits between the contacts of the phone's SIM socket. Just take a look at the illustration below to get an idea. First, tin the copper layer with a thin coating of solder (do not overheat the copper, otherwise it may detach from the PCB). Insert the pre-soldered wire into the hole so that its tip is aligned with the surface of the copper layer. Then repeat the soldering to fix the wire into the thin solder layer. If you do it right, a smooth contact surface should be formed.
This is the SIM adapter PCB
Preventing a rough soldering
The interface PCB is easier to create. Print out pcb.tif at 300 DPI. Etch the PCB and drill the holes, then solder the components on. The transistors are not critical, as long as their specifications are close to each other. Pay attention to their lead order. You may refer to my PCB Design Page for more details on how to create your own PCBs.
PCB design for ASIM interface

Here is the completed interface and SIM adapter

You'll probably have to open d460 to insert the thick adapter with
the card

Placing adapter in V3690 and connecting interface to COM1
With basic amateur electronics skills, once the parts (Adapter and Interface) are complete you should be able to connect your phone to your PC. Insert the SIM adapter into the phone, connect the Interface to the PC and run the SIM card emulator ASIM 3.1, written by the ANDROID. Note that there are wrong PCB designs in the ASIM package, so use the one I gave above. Apply +5V to the Interface (in fact it runs without this external +5V; I tested this on the d460, V2288 and V3690 successfully), load a SIM file into the emulator (preferably sim.dat) and start emulation. Turn on your phone and enter the PIN stated in the sim.dat file. By holding the # key for three seconds, your phone will enter 'Test Mode'. Note that if your phone is locked to a specific service provider, it will ask for a special code. In this case, you may try to remove it (only on older phones) or jump directly to the step: enabling permanent test mode. Now you can use the test mode commands described on Janus's pages.
Here you can find a copy of the list.
With clone.dat, you may enter Clone Mode and transfer frames from the phone memory to your computer. I backed up all five frames this way before making any changes to my d460. But the V3690 and V2288 only permit the transfer of the first two frames, and even they are incomplete, so making any changes on new phones carries much risk. With the Medit software, you can translate the contents of the frames into human-readable text. Here are some features added to my V3690 which were not in its original state. It is also strange that the V2288 has a Clock with Date, just like the V3690, and it is easily enabled by the keypad command ppp123p1p (the letter p stands for the square character displayed by holding down the * key).
V3690 in Clone Mode
After Permanent Test Mode is enabled, it becomes easy to use pppXXXpXp type commands whenever wanted. For example, use ppp278p1p to enable EDIT MUSIC RINGTONE ... Please remember that enabling a function that is not actually implemented on your phone may lock it.




Some of the enabled hidden features on my V3690, of course internet
access is not possible

Yes! The V2288 not only has FM Radio, it also has the clock with date
...
If you read carefully through the ASIM user manual, you may try to transfer the factflag.bin frame into your phone to enable 'Permanent Test Mode', which makes it possible to enter Test Mode by holding down the # key for about three seconds whenever wanted, without the need for the special Test Card or the emulator. You can also remove the SP-Lock from the phone with the spunlock.bin frame (this only worked on the d460, not on the V3690 and V2288, so do not try).
Once Permanent Test Mode is enabled, you can shut the phone off, remove the adapter and exit the emulator. Turn the phone on (with your own SIM Card inside), then use its keypad to enter the codes needed to enable the Engineering Field Options menu: ppp000p1p ppp001p1p ppp070p0p ppp113p1p. Now there should be a new menu item in your phone's tree, 'Eng Field Options'. There you can find many parameters belonging to the network and to the active and passive mode operating status of your phone. The parameters are explained in detail on Janus's web site, so I do not include them here. Only a few of them are interesting to mention here. While a call is active (this is indicated by the timer displayed on the screen, set by the 'Show time per call' menu option), enter the engineering menu (you may call a toll free service to do this, but check that the timer is displayed, otherwise a 'Busy, try later' message appears). Find the item 'TimeAdv' and note the value displayed next to it (for example: TimeAdv 08). Since the GSM system works on a very high frequency, the delay of the signals travelling between the radio station's antenna and your mobile unit has to be adjusted. This parameter exists for that purpose, and is obtained by dividing a proposed maximum communication distance of 35 kilometers into 64 units. That results in 546.875 meters per unit (practically accepted as 550 meters). With the example above it corresponds to 8 x 550 = 4400 meters, and this gives the minimum distance to the radio station's antenna from the point you are at. Since the next step is 9 x 550 = 4950 meters, you can predict that you are somewhere between 4400 and 4950 meters from the antenna.
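The TimeAdv arithmetic above, generalized to any reading and showing how coarse a ring around the antenna a single value gives (an added example, not code from this page, ASIM or Janus's site). It assumes the menu line looks like the quoted "TimeAdv 08"; the function names are hypothetical and the sample readings are constructed.

```python
import re

# Figures from the page: a 35 km maximum distance divided into 64 units.
MAX_RANGE_M = 35_000
TA_STEPS = 64
UNIT_M = MAX_RANGE_M / TA_STEPS  # 546.875 m; the page rounds this to 550 m

# Assumed display format, based on the page's example "TimeAdv 08".
_READING = re.compile(r"^\s*TimeAdv\s+(\d{1,2})\s*$")


def parse_timeadv(line):
    """Return the integer TimeAdv value from one menu line."""
    m = _READING.match(line)
    if not m:
        raise ValueError(f"not a TimeAdv reading: {line!r}")
    ta = int(m.group(1))
    if not 0 <= ta < TA_STEPS:
        raise ValueError(f"TimeAdv must be 0..{TA_STEPS - 1}, got {ta}")
    return ta


def distance_band(ta, unit_m=UNIT_M):
    """Return (min_m, max_m), the ring around the antenna implied by ta."""
    if not 0 <= ta < TA_STEPS:
        raise ValueError(f"TimeAdv must be 0..{TA_STEPS - 1}, got {ta}")
    return ta * unit_m, (ta + 1) * unit_m


def summarize(lines, unit_m=UNIT_M):
    """Bands for several readings, plus the overall span they cover."""
    bands = [distance_band(parse_timeadv(line), unit_m) for line in lines]
    span = (min(b[0] for b in bands), max(b[1] for b in bands))
    return bands, span


if __name__ == "__main__":
    # Constructed readings, as if noted down during one call while moving.
    samples = ["TimeAdv 08", "TimeAdv 09", "TimeAdv 08"]
    bands, span = summarize(samples, unit_m=550)  # the page's rounded unit
    for line, (lo, hi) in zip(samples, bands):
        print(f"{line}: between {lo:.0f} m and {hi:.0f} m from the antenna")
    print(f"overall: {span[0]:.0f} m to {span[1]:.0f} m")
    print("exact unit:", distance_band(8))
```
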
The active cell parameters belong to the current cell your phone is listening to. RxLevel indicates the received signal strength of the active channel in dB. The Cell ID parameter can also be read from the System Parameters menu. This way you can get an idea of how many active cells are commonly listened to by your phone where you live.

Active channel and Cell ID numbers
You may trace the six most powerful adjacent cells, which are candidates for a cell switch in case your current signal loses its strength. There may not be six cells in the list all the time; only detectable channels are displayed. These may also not be strong enough: for example, a 'Not Synched' message tells you that the channel is detectable but the digital signal cannot be decoded properly yet.

'Not Synchronized' and 'Broadcast Control Channel Decoding' conditions
Do not hesitate to e-mail me with questions whose answers cannot be found here or in the mentioned source pages. If you have more data on the subject, or achieve improvements in the modifications, I will be glad to receive information from you.
E-mail me at : incepinar@yahoo.com