Menu customization - an overview

The menu customization described on this page exploits the "Personality (TM)" menu interface that Motorola uses in its newer GSM phones (the 3200, 5200 and 7200 do *not* have "personality"). This also includes the American GSM-1900 units (2000e, 6000e and StarTAC 8500g). Every menu the software supports is activated by a single bit in a configuration bitmap that is kept in the EEPROM, so the features a phone has are dictated by this bitmap. For example, the GSM 6200 (later) and GSM 8400 have the same software but very different features: the GSM 8400 has the message editor and can send SMS messages, while the GSM 6200 has the same hardware and software but the menus are disabled in the configuration bitmap. In this manner Motorola can ship one software build for several types of phones with different features (and prices!).

Once this configuration bitmap was mapped, one could look up exactly which bits had to be toggled in order to add or remove menus. There are some menu dependencies, however: you must manually activate every menu on a higher level than the one you are trying to activate. "Frequency Of Search" must be enabled before "Slow Search" and "Medium Search" can be activated.

A list of the bitmap can be found here (MEDIT.MNU). Menus marked with | or ? are not 100% confirmed.
Here are the most interesting ones:

002 Keylock (press # & * together), 108 Copy SIM Memory, 113 Eng Field Options, 116 Vibrate Then Ring, 123 Enable Clock (only sw support), 134 Closed User Group, 135 Outgoing Message, 136 Message Editor, 137 Message Settings. A mini FAQ that describes the use of some of these exists.

Five, possibly six, different ways of editing the bitmap (and the EEPROM, to a greater or lesser extent) exist:

1) The physical level (28c64)

If you have considerable soldering skills, TSOP or PLCC adaptors and a device programmer you can do it the hard way: you will have to open the phone, find the EEPROM (Atmel 28c64), desolder it, place it in the programmer, dump it, edit the data, recalculate the checksum, program the chip and solder it back in. The EEPROM is easy to find and the TSOP package is fairly easy to desolder with a fine-tipped soldering iron: use some excess solder to conduct the heat to all the pins on one side at a time and use tweezers to remove the package gently from the PCB. Care should be taken, since the PCB does not tolerate a whole lot of abuse before the tracks are damaged. The adaptor is usually needed, but people who want to play extensively with this use copper wire with thin insulation and an EEPROM emulator, so you can play with the settings without having to solder and desolder all the time. I can recommend the TSOP adaptors that come at a good price from M2L electronics. Once you have dumped the EEPROM, you are ready to edit it. REMEMBER TO KEEP A BACKUP DUMP!

The addresses presented here are from a d460 dump. I cannot guarantee that the layout is universal, but it has worked on 8200's, 8700's and StarTAC's as well. The bitmap starts at $0A0, which holds bits 7-0; $0A1 holds bits 15-8, $0A2 holds bits 23-16, etc. So if you want to enable the Eng Field Options (bit 113) then you will have to edit $0B0, which holds bits 119-112 (actually bit 1). Bit no. 0 at address $0A2 seems to toggle the keypad backdoor on some software versions.

After the menu bitmap has been changed, the configuration checksum will no longer match. When the phone is powered on it will fail with "Phone Failed See Supplier" and report self-diagnostics error "07", which is a checksum error. Not the entire EEPROM is checksummed, only a small part of it. The range and location of the checksummed area varies slightly between different models, and several EEPROM map versions do exist. The configuration block checksum is a simple inverted SUM-16 that is kept at 0000:0001. The checksummed area consists of several blocks with gaps between them, so the easiest way to adjust the checksum is to add the relative change of the modified bytes instead of trying to locate and sum the whole checksummed area. On the testcard page there is an example of how you can use the testcard to make the phone automatically update the 0000:0001 checksum.
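The two facts above, bit-to-address mapping of the bitmap and the delta fix of the inverted SUM-16, are small enough to put into a few lines of code. The following is an added example and not code from the original page or from any of the tools it mentions. It takes the bitmap base $0A0, the checksum location 0000:0001 and the 8 KiB 28c64 size from the text; everything else is an assumption labelled in the comments: big-endian storage of the checksum word, the checksum bytes not being part of their own sum, the bitmap length, and a constructed block list standing in for the real checksummed blocks, whose ranges vary by model and are not on the page. The example also illustrates why the delta trick works at all: an additive checksum detects accidental corruption, not deliberate edits, which is the property the text relies on. Note that $0A0 + 113 // 8 evaluates to $0AE, not the $0B0 quoted above, so check the base offset against your own dump before writing anything back.

```python
# Added example (not from the original page): menu-bitmap addressing and the
# delta update of the inverted SUM-16 configuration checksum.
#
# From the page: bitmap base $0A0 (bits 7-0 there, bits 15-8 at $0A1, ...),
# checksum at $0000:$0001, EEPROM is an 8 KiB 28c64.
# Assumptions (not on the page): checksum word is big-endian and not part of
# its own sum; bitmap length; DEMO_REGIONS is constructed for this demo only.

BITMAP_BASE = 0x0A0          # page: bitmap starts here
BITMAP_BYTES = 40            # assumed: covers menu numbers 0..319 (page lists up to 278)
CHECKSUM_ADDR = 0x000        # page: inverted SUM-16 kept at 0000:0001
EEPROM_SIZE = 8 * 1024       # 28c64 = 8 KiB

# Constructed stand-in for the real "several blocks with gaps" (model specific).
DEMO_REGIONS = [(0x002, 0x100), (0x180, 0x200)]


def bit_location(bit_no):
    """Map a menu bit number to (byte address, bit index within that byte)."""
    if not 0 <= bit_no < BITMAP_BYTES * 8:
        raise ValueError("menu bit %d outside the assumed bitmap" % bit_no)
    return BITMAP_BASE + bit_no // 8, bit_no % 8


def sum16(dump, regions):
    """16-bit sum of every byte inside the checksummed blocks."""
    return sum(sum(dump[start:end]) for start, end in regions) & 0xFFFF


def expected_checksum(dump, regions):
    """Inverted SUM-16: one's complement of the 16-bit sum."""
    return ~sum16(dump, regions) & 0xFFFF


def read_checksum(dump):
    return (dump[CHECKSUM_ADDR] << 8) | dump[CHECKSUM_ADDR + 1]  # big-endian assumed


def write_checksum(dump, value):
    value &= 0xFFFF
    dump[CHECKSUM_ADDR] = value >> 8
    dump[CHECKSUM_ADDR + 1] = value & 0xFF


def checksum_ok(dump, regions):
    """The power-on check; a mismatch is what the phone reports as error 07."""
    return read_checksum(dump) == expected_checksum(dump, regions)


def set_menu_bit(dump, bit_no, enable):
    """Set or clear one menu bit and repair the checksum by the relative change
    of the modified byte, so the checksummed blocks never need to be located.
    Returns False when the bit already had the requested value."""
    addr, idx = bit_location(bit_no)
    old = dump[addr]
    new = old | (1 << idx) if enable else old & ~(1 << idx) & 0xFF
    if new == old:
        return False
    dump[addr] = new
    # Stored value is ~sum, so when the sum grows by d the stored value shrinks
    # by d (mod 2**16). Valid only because addr lies inside a checksummed block;
    # a byte outside every block needs no adjustment at all.
    write_checksum(dump, read_checksum(dump) - (new - old))
    return True


def make_demo_dump():
    """Constructed 8 KiB image (not a real EEPROM dump): deterministic filler,
    an all-zero menu bitmap and a consistent checksum."""
    dump = bytearray((i * 37) & 0xFF for i in range(EEPROM_SIZE))
    dump[BITMAP_BASE:BITMAP_BASE + BITMAP_BYTES] = bytes(BITMAP_BYTES)
    write_checksum(dump, expected_checksum(dump, DEMO_REGIONS))
    return dump


if __name__ == "__main__":
    image = make_demo_dump()
    addr, idx = bit_location(113)                    # Eng Field Options
    print("bit 113 -> $%03X bit %d" % (addr, idx))    # $0AE bit 1
    set_menu_bit(image, 113, True)
    print("checksum consistent after edit:", checksum_ok(image, DEMO_REGIONS))
```

Run it against a real dump by replacing make_demo_dump() with bytearray(open(path, "rb").read()) and, before trusting checksum_ok(), filling in the block list for your own model; set_menu_bit() itself never needs that list, which is exactly why the delta method is the convenient one.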

And yes, the IMEI is within this SUM-16 checked area, but it is also protected by a CRC-style checksum stored somewhere else in the EEPROM, so don't bother trying to change it: you will get "Enter Special Code" because you trigger an IMEI/SIM locking checksum failure. Cloning of the IMEI and locking registers from one phone to another has recently been complicated (8800/8900 and later) by the addition of a DS2401 "silicon serial number" which is included in the EEPROM checksum.

This method is the one that will allow you to fool around most in all the places Mot never intended you to; however, it involves a lot of manual work and you will have to adjust the checksums yourself.

2) Modification of transfer frames

Motorola uses the SIM interface as a service port for some applications. This is a wonderful thing, since Mot normally uses its proprietary DSC bus (EmmiBox), so here they suddenly use an interface that you can actually find documentation on. The SIM-ME interface is thoroughly described in ISO 7816 parts 1-4 and ETSI GSM TS 11.11, which can be ordered from ISO and ETSI (at a high price, however). This approach was an obvious one. When servicing the phones and transferring the user data between different units (when a unit is exchanged), the user settings in the EEPROM are copied onto a serial memory ISO 7816 card called a clone or transfer card. The card is a "secure" serial EEPROM (SAM) with 3k of memory. You can only read and write it once you have entered the password. The password is sent in plaintext from the MS to the SAM; by looking at the communication between them, it was easy to see that the magic word was "TESTCODE". Now the information needed to change EEPROM data on the transfer card was available, but those cards are still a bit hard and expensive to get, so The Android simply wrote an emulator in Pascal that emulates this serial EEPROM.

Now the card could be emulated: by dumping EEPROM from the phone to the (emulated) card, the data could be transferred to a PC for storage and editing. The data that is transferred is restricted to some EEPROM memory areas only. Only user data will be transferred, not data specific to the phone like IMEI, SP locking and RF calibrations. This means that this method is far from being as versatile as direct editing of the EEPROM, but it is a lot easier since you won't even have to open up the phone. The data can be transferred in different blocks or "frames", since the EEPROM holds 8k and it is not all going to fit in one go on a 3k card. The phone software supports 5 different frames; older software has only 4. Copying frames 1 to 3 will make a full user setting transfer, including menus, greeting graphics / text, keypad layout, phonebook entries etc. Frame 1 contains the menu structure and frames 2 and 3 mainly contain the abbreviated dialing locations. Frames 4 and 5 are the odd ones out: they have a partial overlap with frame 1 but are used differently. Frame 4 is a "master frame"; a transfer card (or an emulator) with frame 4 on it is called a "Master Card", but there is really nothing special about it apart from the name. It contains the OEM settings and is used to initialize a phone. Some phones have a special greeting "Welcome to Ajax GSM" and the menu item that allows you to change it has been removed: this is an OEM customized phone. Take a frame 4 from a CORRESPONDING "original" phone and put it onto it in order to make the phone look and feel like an "original" with the "Welcome to Motorola GSM" greeting and menus.

Here is a brief guide that explains how to dump the phone frames to the computer.

1) Download the ASIM package which contains the program and interface diagram. Once you have assembled the interface, you are ready to start the program.

2) Start ASIM (preferably from a "clean" DOS), select "File", "LOAD SIM" and enter "clone.dat" to load the clone card emulation module into the emulator.

3) Start the emulation by selecting "Clone" and "RUN CLONE". The com port can be changed in the clone.dat file; use notepad or any generic editor for this.

4) Power on the telephone and then insert the "running" emulation card; the phone should show "Clone" in the display. The order of these actions is important on newer phones, so insert the "running" emulator into the powered-on phone just to be sure.

5) Save frame #1 to the computer with the command 021#. This will take a few seconds.

6) Select "Clone" and "SAVE FRAME BIN", enter a filename e.g. "mt87" and hit enter.

Once you have dumped the frames (mainly frame 1) to a file, you can start to edit it. This is a dangerous process since there is some vital data in there. In particular the keypad layout table is there, so if you disable the keypad you'll be in trouble: the keypad is needed in order to type in the transfer command 03#, so if you can't use the keypad you'll need to restore the EEPROM manually or find a Mot service place with an emmibox. TST has written a nice utility that will do the menu bitmap editing for you: you simply select the menus you want and let it process your dumped frame before you upload it to the phone again. It's called MEDIT and is described on the transfer card page.

To upload a frame from the computer to the phone you will have to reverse the above process: load the dump you want to upload into the emulator and start it up. When clone mode has been entered, type the transfer command 03# on the phone to make it receive the frame from the computer.

3) Keypad codes

On the earliest software with support for the "Eng Field Options", Motorola left in a "back door" that would allow you to activate this and other menus from the keypad. This back door allows modification of the EEPROM data that defines the menu enablement bitmap. The sequence pppXXXpY(OK) (p is the "pause" that appears after holding down "*" for a while) lets you directly edit a small field of the EEPROM which contains the configuration bitmap for the "personality" menu interface. XXX is the address of a single bit and by specifying Y you can toggle it (1-9 will set the bit). Motorola has removed this backdoor from all new software versions, so only a few phones will accept these codes. The phones that support the codes are (roughly): most 7500's, medium-aged 6200's, 8200's and a few early d460's, 8700's, StarTAC's and Slimlites. DO NOT EXPECT THESE CODES TO WORK; if you can't make them work, your software probably doesn't support it. Just use the transfer card emulator instead. UPDATE: although the codes have been disabled for the ordinary user to play with, they are still available if the factory test flag is set. The factory test flag is described at the bottom of the transfer card page.

(GOOD NEWS - UPDATE). Newer firmware versions will accept the keypad codes, provided that the phone has the factory test flag set. This is done using an FF transfer frame (described elsewhere on these pages). It can be necessary to enable the bits 001, 000 and 070 first.

TST recently described this situation really well after having experimented with a T2288 (THANKS!):

"First of all: Motorola has changed their firmware in the latest phones (V- L- P- and T-series). Clonemode still works, but the exported frames are somehow "crippled" - all the interesting data is left out, and only 2 frames can be exported. Therefore it is NOT possible to change menu-definitions anymore. Startup graphics and phonebook might work, but not with the current version of MEdit. If you know what you are doing, you can try to make a binary frame file which only consists of a startup-graphic and upload it to the phone. Unfortunately MEditX also doesn't seem to work, you cannot even get into clonemode. Maybe I will have a look sometimes, though its function is useless by now...

But still: Interestingly it is possible to switch permanent testmode on. Use ASIM 3.1 to enter clonemode and import the file factflag.bin from Janus' pages (under "Transfer Card"). Afterwards you can enter testmode any time by pressing and holding #. Also, the good old keypad codes can be used again to switch on/off any menu!

The following can be switched on for the T2288, maybe also for other models like V2288 etc.:

Enter pppXXXpYp as tel-number and press OK, where p is "pause" (holding * for a while), XXX is the menu number and Y is 1 for on and 0 for off.

First, do: ppp001p1p ppp000p1p ppp070p0p to enable editing of menus

On the T2288 you can switch on some nice-to-have-menus:
011 1 Call Related Features: Call Diverting
012 1 Call Related Features: Call Diverting: Divert Voice Calls: Divert When Unavailable
013 1 Call Related Features: Call Diverting: Divert Voice Calls: Detailed Diverting
014 1 Call Related Features: Call Diverting: Divert Voice Calls
015 1 Call Related Features: Call Diverting: Divert Voice Calls: Divert All Voice Calls
016 1 Call Related Features: Call Diverting: Divert Voice Calls: Detailed Diverting: If Busy
017 1 Call Related Features: Call Diverting: Divert Voice Calls: Detailed Diverting: If No Answer
018 1 Call Related Features: Call Diverting: Divert Voice Calls: Detailed Diverting: If Not Reachable
019 1 Call Related Features: Call Diverting: Divert Fax Calls
020 1 Call Related Features: Call Diverting: Divert Data Calls
109 1 Call Related Features: Call Diverting - all submenus: Divert to Voicemail or Other Number
113 1 MENU-Eng Field Options
203 1 Change Band (no function on 8900)
204 1 Change to 900 (no function on 8900)
205 1 Change to 1800 (no function on 8900)
206 1 Change Band (in Quick Access Menu) (no function on 8900)
276 1 Set Message Alert Tone

But the biggest things on the T2288 are:
278 1 Enable "Edit Music ringtone" (! works !)

And yes, also the clock is there:
123 1 Enable Clock / Phone Setup: Show Time and Date / Set Time and Date / Set Time Format I guess you also have to enter testmode once and enable the real time clock by entering 8801# !

The T2288 doesn't have the internal phonebook enabled, but it should be possible to use it somehow. At least the following works:

087 1 Phone Book: Personal Numbers: Check Phone Capacity

WARNING! It is NOT a good idea to enable a function which is using some hardware that is not in the phone! (VoiceNotes, VibraCall, Infrared etc.) Especially: Do NOT enable/use the VoiceNotes menus on phones (e.g. T2288) which don't have the necessary chip built in! This will damage your phone. Don't say I didn't warn you! A more complete list of all menus will be available (hopefully) soon on Janus' pages. Thanks a lot to the anonymous poster and to DirtyHarry for re-compiling and commenting it. I really don't get Motorola's product-philosophy, so if maybe anyone at Motorola is reading this, why don't you contact me personally by mail and we can discuss it? Thanks! *g* /TST".


4) The DSC bus with an Emmibox

Motorola uses a proprietary three-wire bus called the DSC bus for communication to and from the phone. The bus has three lines, "Complementary data", "True data" and "Return data", but I have also seen them referred to as "DSC enable", "Uplink" and "Downlink". On the 8200 the butt plug connections are: pin 4 (downlink), pin 5 (uplink), pin 3 (DSC enable). It can do both analog and digital signalling and also has a "burst" mode for fast data transfers, which for example is used when flashing the phone software. The bus is not controlled directly by the MC 68k but by an ASIC called the BIC (Bus Interface Controller). The BIC interfaces to the CPU with a0-a3 and d8-d15 and is selected with CS2 on the 68332. It would be interesting to monitor the address and data bus when the BIC is selected.

The emmibox sits between the phone and a PC running the service software, but it is much more than just an RS-232 to DSC bus driver: a lot of the functionality is inside the emmibox, which is built around an MC 68332 microcontroller like the one in the older phones. With the PC software and the emmibox the EEPROM can be edited, with restrictions as to which areas can be changed: ordinary Mot service places get "lobotomized" emmi firmware that will not allow them to change IMEI and SP locking, but emmis that will do this do exist.

5) MC 683xx Background Debugging Mode

Okay, how would you like to play god? Look in every register and memory location you like. Dump the entire Flash ROM and EEPROM. This is the tool if you are going to hack or disassemble the firmware, or perhaps just some of the routines. The 683xx processors can be controlled through their Background Debug Mode (BDM) serial port. This can be achieved through a simple interface circuit which you must build. The interface circuit is controlled directly by the PC through the parallel port. The schematic diagram for this interface circuit is very simple (two 74HCxxx). Normally the pins (5) you need to use are not directly grounded, so you might not have to lift them off the PCB (on my 8200, BKPT has a pull-up resistor). It is fairly easy on the older Mot phones, but impossible on the micro crystal packages that are used in the StarTAC (unless you can "catch" the lines elsewhere). The BDM is a special mode of operation that is implemented in the CPU32 core. The interface to the "outside world" consists of three pins: IPIPE/DS0, IFETCH/DS1 & BKPT/DSCLK. The background debugging mode of operation is entered by holding the BKPT pin low on the rising edge of RESET (remember that the MCU, DSP, BIC & MODEM share the same reset line!). The pin FREEZE will then indicate that the processor has entered BDM. The BDM allows you to execute the following commands (implemented in the CPU32 core): R/W D/A register, R/W system register, R/W memory location, Dump memory block, Fill memory block, Resume execution, Patch user code, Reset peripherals. In general, it lets you mess around in all the places Mot least wants you to ;-). You will need to get the program BD32 (can be distributed freely), which is a command line interface for controlling the BDM from a PC, along with detailed documentation.
On the International 8200, which uses the 144-pin MC68332, the pins you have to interface to are the three-wire serial bus, pin 77 (DSO), pin 78 (DSI), pin 79 (DSCLK), and the freeze pin 81 that indicates the BDM state. Besides these you will need the reset line at pin 92, Vdd and Gnd; these don't have to be connected directly to the CPU, they can all be found elsewhere on the board.

6) RS-232 ?

The StarTAC *does* have an RS-232 (0-5 V levels) interface in its butt plug (Tx pin 6 and Rx pin 7) which is connected to the SPI bus of the MCU. It is enabled by the 68338 general purpose I/O pin called CTIO1. I would not count on it being usable as a service port, but I can't say for sure. There exists a GSM TS which describes the AT command set to be used for controlling mobile equipment (ME) functions and GSM network services from a terminal equipment (TE) through a terminal adaptor (TA). This is basically V.25ter with the addition of extended GSM commands; all of this can be found in ETSI GSM TS 07.07. Perhaps this "soft modem" will be supported by the StarTAC in the future.

I hope to have shed some light on the numerous approaches to adding a bit more functionality to your Mot GSM phone. Remember that this information is provided "as is" and you are the only one to blame if you screw up your phone. You have been warned. This information has been gathered from many different sources; I do not have any means of obtaining original documentation, so this is likely to contain errors. Be careful, play it safe: make plenty of backups and do not try obviously foolish things like copying an 8700 frame onto a 6200 and the like. You should only copy frames between "identical" phones.

© 1998 Janus Christian Krarup