Full Disclosure mailing list archives
Chung's Donut Shop Release: Hacking Sprint PCS Vision
From: Day Jay <d4yj4y () yahoo com>
Date: Fri, 2 May 2003 15:19:21 -0700 (PDT)
Please see the below write-up on hax0ring Sprint PCS Vision. Enjoy ;) d4yj4y day to the motherf_cking jay! Chung's Donut Shop Proudly Presents www.chungsdonutshop.com Hacking Sprint PCS Vision ====================================== Why pay when built in features are gay? by aRgus argus@chugnsdonutshop The Tao of Chung vol 1.0 "Free", "Unlimited", 24/7 Mobile Internet (or hacking Sprint PCS Vision) by aRgus Chung ( )
==[ Table of Contents ]==<
( ) :[ Preface :[ "Unlimited" Internet :[ Materials :[ Putting it all together :[ Debug Codes/etc ( )
==[ Preface ]==<
( ) :::[ What this is not - aka - No this isn't a cloning tutorial dumbass ]:::::::::::::::: This tfile is on obtaining unlimited internet access with a PCS Vision-enabled phone. This is not a HOWTO on cloning, cellular theft, or eavesdropping. There are a number of quality docs on these subjects already. Go find them. :::[ End Disclaimer ]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Sprint recently released their 3g, color-screen line under the name "PCS Vision". The first of these was the Sanyo 4900, followed by 2 offerings from Samsung the A500 and the N400. In the early stages, Sprint was charging by the MB for Vision Internet services. Then Chung wrote a script to run up a pretty hefty bill on any given Vision enabled phone. Sprint was made aware of this by CDS labs and a shirt was requested. This shirt was never received. <speculation> Instead, as if by coincidence, a large number of Sprint customers began having their bills "remotely adjusted". Then Sprint made Vision "unlimited" for consumer users, as they could not block certain scripts written by certain donut vending Asians. </speculation> So now there exists a java enabled, mobile device with "unlimited" 24/7 internet access. Neat. ( )
==[ "Unlimited" Internet ]==<
( ) We must first define "Unlimited". Sprint defines it as "Unlimited access for PHONES". Meaning, if your stupid ass is pulling down mp3s and other bandwidth hogging media, your account will be terminated, without notice, and you will be liable for any pending charges, including early termination of your service. In other words, be smart, be conservative, don't get caught. I check mail, I ssh here n there, I don't hit up high content sites, and I don't pull down any file over 800k. I also make use of the vision service during my peak minutes. When I have free air time (nights and weekends) I use my phone as a dialup modem to my primary ISP. I know of people who use it all the time, every day, all day. They haven't been terminated. Just be forewarned. It's your funeral. ( )
==[ Materials ]==<
( ) 1. Any PCS Vision Enabled Phone (duh) 2. A SnapSync (tm) or comparable data cable 3. Your box (for this example a linux lappy) ( )
==[ Drivers etc. ]==<
( ) To make use of the data cable, you need ACM over USB enabled (it's in make menuconfig), and hot plugging enabled. Below are the ppp connection scripts. "man pon" for for info. ################# #The ppp script:# ################# noauth connect "/usr/sbin/chat -v -f /path/to/ChungChatScript" defaultroute usepeerdns /dev/ttyACM0 230400 local novj ################ #The Chatscript# ################ TIMEOUT 5 ABORT '\nBUSY\r' ABORT '\nERROR\r' ABORT '\nNO ANSWER\r' ABORT '\nNO CARRIER\r' ABORT '\nNO DIALTONE\r' ABORT '\nRINGING\r\n\r\nRINGING\r' '' \rAT TIMEOUT 12 OK ATD#777 TIMEOUT 22 CONNECT "" ( )
==[ Codes etc. ]==<
( ) Almost all of information and services in this section require you obtaining you MSL code. This can easily be obtained through some polite interaction with a customer support rep. Do not ask for your MSL outright, just tell them you vision service isn't working and you get an error that says "IP Conflict" or something similar. ##2769737 (##BROWSER) ##3282 (##INFO) - NAI info. ##3283 (##DATA) ##786 (##RUN) ##2539 (##AKEY) ##889 (##TTY) ##7738 (##PREV) - MSL Change ##8626337 (##VOCODER) - Encoder Sample Rate Test Mode: *NOTE* I have an n400, and have only tested the following on my rig. Testmode is the true debug mode for PCS vision phones. Dial: 47*869#1235 Test Mode Codes 001 suspend 002 reboot 004 display mode 005 set mode (PCS, CDMA, AMPS) 011 Carrier : ON 012 Carrier : OFF 014 CHAN set 015 CdTk_adj set 016 CD TXagc set 018 FM TXagc set 019 LNA Gain set 020 LNA Rs set (LNA Rs[0] - LNA Rs[8]) 021 SIOMODE (SSHF, QXHF, QXDM, SSDM) 022 TEST_S 023 DATA Svc : ON 024 DATA Svc : OFF 031 MRU TABLE: MRU set/select 032 Send NAM 033 Send S/W version 034 Send ESN 035 Product Info 038 Clr Memory (00-55) 039 Send P Info 040 PRD Info set/select 041 Backlight ON 042 Backling OFF 043 Lamp ON 044 Lamp OFF 045 Vibrator ON 046 Vibrator OFF 047 DTMF ON (0-9) 048 DTMF OFF 049 Contrast set 050 Front LCD contrast set 051 BATT TYPE/ID show 052 RD Bat Value 053 Stdby Batt 054 Talk Batt 055 WR Batt 056 Chrg_lvl 057 Therm_lvl 058 Reactive Input 060 RD_Rssi set 061 PCSRxRAS show [00 - 1 062 WrPCRX show [00 - 16] 063 TXPCS[01-16] show 064 PCSFL[00-16] show 065 PCS_lmt set 066 PCS_temp show/set 090 GPS_DOPP set 091 GPMS Mode show 092 D_GPSP set 093 D_PCS set 095 GPS_ANT set 096 GPC_BCNT set 097 GPC_LCA set 098 GPS_LOSS set 099 D_GPSC set 100 D_CDMA set 121 122 PCM loop on 123 PCM loop off 124 PCM[00-11] on/off (Handset RX/TX/SL Headset RX/TX/SL New HFK RX/TX/SL EXT AUD RX/TX/SL 125 GAIN[00-19] set 126 GAIN[00-07] set 131 Get PCS Dat1 132 Get PCS Dat2 133 Get PCS Dat3 134 Get CDMADat1 135 Get CDMADat2 136 Get CDMADat3 137 Get AMPSData 138 Get AudData1 139 Get AudData2 140 Get AudData3 FSM - Field Service Menu MENU010 - Unlock Code: 040793 Hopefully this comes of use to someone. Chung like koi. __________________________________ Do you Yahoo!? The New Yahoo! Search - Faster. Easier. Bingo. http://search.yahoo.com
The Tao of Chung vol 1.0 "Free", "Unlimited", 24/7 Mobile Internet (or hacking Sprint PCS Vision) by aRgus Chung ( )
==[ Table of Contents ]==<
( ) :[ Preface :[ "Unlimited" Internet :[ Materials :[ Putting it all together :[ Debug Codes/etc ( )
==[ Preface ]==<
( ) :::[ What this is not - aka - No this isn't a cloning tutorial dumbass ]:::::::::::::::: This tfile is on obtaining unlimited internet access with a PCS Vision-enabled phone. This is not a HOWTO on cloning, cellular theft, or eavesdropping. There are a number of quality docs on these subjects already. Go find them. :::[ End Disclaimer ]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Sprint recently released their 3g, color-screen line under the name "PCS Vision". The first of these was the Sanyo 4900, followed by 2 offerings from Samsung the A500 and the N400. In the early stages, Sprint was charging by the MB for Vision Internet services. Then Chung wrote a script to run up a pretty hefty bill on any given Vision enabled phone. Sprint was made aware of this by CDS labs and a shirt was requested. This shirt was never received. <speculation> Instead, as if by coincidence, a large number of Sprint customers began having their bills "remotely adjusted". Then Sprint made Vision "unlimited" for consumer users, as they could not block certain scripts written by certain donut vending Asians. </speculation> So now there exists a java enabled, mobile device with "unlimited" 24/7 internet access. Neat. ( )
==[ "Unlimited" Internet ]==<
( ) We must first define "Unlimited". Sprint defines it as "Unlimited access for PHONES". Meaning, if your stupid ass is pulling down mp3s and other bandwidth hogging media, your account will be terminated, without notice, and you will be liable for any pending charges, including early termination of your service. In other words, be smart, be conservative, don't get caught. I check mail, I ssh here n there, I don't hit up high content sites, and I don't pull down any file over 800k. I also make use of the vision service during my peak minutes. When I have free air time (nights and weekends) I use my phone as a dialup modem to my primary ISP. I know of people who use it all the time, every day, all day. They haven't been terminated. Just be forewarned. It's your funeral. ( )
==[ Materials ]==<
( ) 1. Any PCS Vision Enabled Phone (duh) 2. A SnapSync (tm) or comparable data cable 3. Your box (for this example a linux lappy) ( )
==[ Drivers etc. ]==<
( ) To make use of the data cable, you need ACM over USB enabled (it's in make menuconfig), and hot plugging enabled. Below are the ppp connection scripts. "man pon" for for info. ################# #The ppp script:# ################# noauth connect "/usr/sbin/chat -v -f /path/to/ChungChatScript" defaultroute usepeerdns /dev/ttyACM0 230400 local novj ################ #The Chatscript# ################ TIMEOUT 5 ABORT '\nBUSY\r' ABORT '\nERROR\r' ABORT '\nNO ANSWER\r' ABORT '\nNO CARRIER\r' ABORT '\nNO DIALTONE\r' ABORT '\nRINGING\r\n\r\nRINGING\r' '' \rAT TIMEOUT 12 OK ATD#777 TIMEOUT 22 CONNECT "" ( )
==[ Codes etc. ]==<
( ) Almost all of information and services in this section require you obtaining you MSL code. This can easily be obtained through some polite interaction with a customer support rep. Do not ask for your MSL outright, just tell them you vision service isn't working and you get an error that says "IP Conflict" or something similar. ##2769737 (##BROWSER) ##3282 (##INFO) - NAI info. ##3283 (##DATA) ##786 (##RUN) ##2539 (##AKEY) ##889 (##TTY) ##7738 (##PREV) - MSL Change ##8626337 (##VOCODER) - Encoder Sample Rate Test Mode: *NOTE* I have an n400, and have only tested the following on my rig. Testmode is the true debug mode for PCS vision phones. Dial: 47*869#1235 Test Mode Codes 001 suspend 002 reboot 004 display mode 005 set mode (PCS, CDMA, AMPS) 011 Carrier : ON 012 Carrier : OFF 014 CHAN set 015 CdTk_adj set 016 CD TXagc set 018 FM TXagc set 019 LNA Gain set 020 LNA Rs set (LNA Rs[0] - LNA Rs[8]) 021 SIOMODE (SSHF, QXHF, QXDM, SSDM) 022 TEST_S 023 DATA Svc : ON 024 DATA Svc : OFF 031 MRU TABLE: MRU set/select 032 Send NAM 033 Send S/W version 034 Send ESN 035 Product Info 038 Clr Memory (00-55) 039 Send P Info 040 PRD Info set/select 041 Backlight ON 042 Backling OFF 043 Lamp ON 044 Lamp OFF 045 Vibrator ON 046 Vibrator OFF 047 DTMF ON (0-9) 048 DTMF OFF 049 Contrast set 050 Front LCD contrast set 051 BATT TYPE/ID show 052 RD Bat Value 053 Stdby Batt 054 Talk Batt 055 WR Batt 056 Chrg_lvl 057 Therm_lvl 058 Reactive Input 060 RD_Rssi set 061 PCSRxRAS show [00 - 1 062 WrPCRX show [00 - 16] 063 TXPCS[01-16] show 064 PCSFL[00-16] show 065 PCS_lmt set 066 PCS_temp show/set 090 GPS_DOPP set 091 GPMS Mode show 092 D_GPSP set 093 D_PCS set 095 GPS_ANT set 096 GPC_BCNT set 097 GPC_LCA set 098 GPS_LOSS set 099 D_GPSC set 100 D_CDMA set 121 122 PCM loop on 123 PCM loop off 124 PCM[00-11] on/off (Handset RX/TX/SL Headset RX/TX/SL New HFK RX/TX/SL EXT AUD RX/TX/SL 125 GAIN[00-19] set 126 GAIN[00-07] set 131 Get PCS Dat1 132 Get PCS Dat2 133 Get PCS Dat3 134 Get CDMADat1 135 Get CDMADat2 136 Get CDMADat3 137 Get AMPSData 138 Get AudData1 139 Get AudData2 140 Get AudData3 FSM - Field Service Menu MENU010 - Unlock Code: 040793 Hopefully this comes of use to someone. Chung like koi.
Current thread:
- Chung's Donut Shop Release: Hacking Sprint PCS Vision Day Jay (May 02)