Full Disclosure: Chung's Donut Shop Release: Hacking Sprint PCS Vision

From: Day Jay <d4yj4y_at_yahoo.com>
Date: Fri, 2 May 2003 15:19:21 -0700 (PDT)

Please see the below write-up on hax0ring Sprint PCS Vision.

Enjoy ;)

d4yj4y
day to the motherf_cking jay!

Chung's Donut Shop Proudly Presents
www.chungsdonutshop.com

Hacking Sprint PCS Vision
======================================
Why pay when built in features are gay?
by aRgus
argus_at_chugnsdonutshop

The Tao of Chung
vol 1.0

"Free", "Unlimited", 24/7 Mobile Internet
      (or hacking Sprint PCS Vision)
             by aRgus Chung
 

( )
>==[ Table of Contents ]==<
( )

  :[ Preface
  :[ "Unlimited" Internet
  :[ Materials
  :[ Putting it all together
  :[ Debug Codes/etc

( )
>==[ Preface ]==<
( )

  :::[ What this is not - aka - No this isn't a cloning tutorial dumbass ]::::::::::::::::

     This tfile is on obtaining unlimited internet access with a PCS
     Vision-enabled phone. This is not a HOWTO on cloning, cellular
     theft, or eavesdropping. There are a number of quality docs on
     these subjects already. Go find them.

  :::[ End Disclaimer ]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

  Sprint recently released their 3G, color-screen line under the name "PCS Vision". The first
  of these was the Sanyo 4900, followed by 2 offerings from Samsung, the A500 and the N400.

  In the early stages, Sprint was charging by the MB for Vision Internet services. Then Chung
  wrote a script to run up a pretty hefty bill on any given Vision enabled phone. Sprint
  was made aware of this by CDS labs and a shirt was requested. This shirt was never received.

<speculation>

  Instead, as if by coincidence, a large number of Sprint customers began having their bills
  "remotely adjusted". Then Sprint made Vision "unlimited" for consumer users, as they could
  not block certain scripts written by certain donut vending Asians.

</speculation>

  So now there exists a java enabled, mobile device with "unlimited" 24/7 internet access. Neat.

( )
>==[ "Unlimited" Internet ]==<
( )

   We must first define "Unlimited". Sprint defines it as "Unlimited access for PHONES". Meaning,
   if your stupid ass is pulling down mp3s and other bandwidth hogging media, your account will
   be terminated, without notice, and you will be liable for any pending charges, including early
   termination of your service. In other words, be smart, be conservative, don't get caught.

   I check mail, I ssh here n there, I don't hit up high content sites, and I don't pull down
   any file over 800k. I also make use of the vision service during my peak minutes. When I
   have free air time (nights and weekends) I use my phone as a dialup modem to my primary ISP.

   I know of people who use it all the time, every day, all day. They haven't been terminated.
   Just be forewarned. It's your funeral.

( )
>==[ Materials ]==<
( )

   1. Any PCS Vision Enabled Phone (duh)
   2. A SnapSync (tm) or comparable data cable
   3. Your box (for this example a linux lappy)

( )
>==[ Drivers etc. ]==<
( )

   To make use of the data cable, you need ACM over USB enabled (it's in make menuconfig), and
   hot plugging enabled. Below are the ppp connection scripts. "man pon" for info.

   

#################
#The ppp script:#
#################

noauth
connect "/usr/sbin/chat -v -f /path/to/ChungChatScript"
defaultroute
usepeerdns
/dev/ttyACM0
230400
local
novj

################
#The Chatscript#
################

TIMEOUT 5
ABORT '\nBUSY\r'
ABORT '\nERROR\r'
ABORT '\nNO ANSWER\r'
ABORT '\nNO CARRIER\r'
ABORT '\nNO DIALTONE\r'
ABORT '\nRINGING\r\n\r\nRINGING\r'
'' \rAT
TIMEOUT 12
OK ATD#777
TIMEOUT 22
CONNECT ""

   

( )
>==[ Codes etc. ]==<
( )

  Almost all of the information and services in this section require you to obtain your MSL
  code. This can easily be obtained through some polite interaction with a customer
  support rep.

  Do not ask for your MSL outright, just tell them your vision service isn't working
  and you get an error that says "IP Conflict" or something similar.

  ##2769737 (##BROWSER)
  ##3282 (##INFO) - NAI info.
  ##3283 (##DATA)
  ##786 (##RUN)
  ##2539 (##AKEY)
  ##889 (##TTY)
  ##7738 (##PREV) - MSL Change
  ##8626337 (##VOCODER) - Encoder Sample Rate
 

  Test Mode:

       *NOTE* I have an n400, and have only tested the following on my rig.

  Testmode is the true debug mode for PCS vision phones.

  Dial: 47*869#1235

  Test Mode Codes
 
   001 suspend
   002 reboot
   004 display mode
   005 set mode (PCS, CDMA, AMPS)
   011 Carrier : ON
   012 Carrier : OFF
   014 CHAN set
   015 CdTk_adj set
   016 CD TXagc set
   018 FM TXagc set
   019 LNA Gain set
   020 LNA Rs set (LNA Rs[0] - LNA Rs[8])
   021 SIOMODE (SSHF, QXHF, QXDM, SSDM)
   022 TEST_S
   023 DATA Svc : ON
   024 DATA Svc : OFF
   031 MRU TABLE: MRU set/select
   032 Send NAM
   033 Send S/W version
   034 Send ESN
   035 Product Info
   038 Clr Memory (00-55)
   039 Send P Info
   040 PRD Info set/select
   041 Backlight ON
   042 Backlight OFF
   043 Lamp ON
   044 Lamp OFF
   045 Vibrator ON
   046 Vibrator OFF
   047 DTMF ON (0-9)
   048 DTMF OFF
   049 Contrast set
   050 Front LCD contrast set
   051 BATT TYPE/ID show
   052 RD Bat Value
   053 Stdby Batt
   054 Talk Batt
   055 WR Batt
   056 Chrg_lvl
   057 Therm_lvl
   058 Reactive Input
   060 RD_Rssi set
   061 PCSRxRAS show [00 - 1
   062 WrPCRX show [00 - 16]
   063 TXPCS[01-16] show
   064 PCSFL[00-16] show
   065 PCS_lmt set
   066 PCS_temp show/set
   090 GPS_DOPP set
   091 GPMS Mode show
   092 D_GPSP set
   093 D_PCS set
   095 GPS_ANT set
   096 GPC_BCNT set
   097 GPC_LCA set
   098 GPS_LOSS set
   099 D_GPSC set
   100 D_CDMA set
   121
   122 PCM loop on
   123 PCM loop off
   124 PCM[00-11] on/off (Handset RX/TX/SL Headset RX/TX/SL New HFK RX/TX/SL EXT AUD RX/TX/SL)
   125 GAIN[00-19] set
   126 GAIN[00-07] set
   131 Get PCS Dat1
   132 Get PCS Dat2
   133 Get PCS Dat3
   134 Get CDMADat1
   135 Get CDMADat2
   136 Get CDMADat3
   137 Get AMPSData
   138 Get AudData1
   139 Get AudData2
   140 Get AudData3
 
   

   FSM - Field Service Menu

   MENU010 - Unlock Code: 040793

 Hopefully this comes of use to someone. Chung like koi.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on May 02 2003
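The chat script quoted in the post is a chat(8) expect/send script handed to pppd through the `connect` option. The parser below is an added example and is not code from the post or from Chung's Donut Shop: it embeds the post's ChungChatScript verbatim, splits it into tokens the way chat(8) documents (quotes group words, `''` and `""` are the empty string, backslash sequences such as `\r` are expanded only when chat runs), separates the `TIMEOUT`/`ABORT` directives from the expect/send pairs, and records which timeout is in force for each expect. The function names, the `Step`/`ChatScript` types and the 45-second default timeout (taken from the chat(8) man page) are this example's own assumptions.

```python
"""Parse a chat(8) expect/send script and report its structure.

Added example, not part of the original post. Parser and names are the
example's own; the script text is the post's ChungChatScript verbatim."""
from dataclasses import dataclass, field
from typing import List, Optional

# The chat script from the post (raw string keeps the backslashes literal,
# exactly as they sit in the file chat reads at run time).
CHUNG_CHAT_SCRIPT = r"""
TIMEOUT 5
ABORT '\nBUSY\r'
ABORT '\nERROR\r'
ABORT '\nNO ANSWER\r'
ABORT '\nNO CARRIER\r'
ABORT '\nNO DIALTONE\r'
ABORT '\nRINGING\r\n\r\nRINGING\r'
'' \rAT
TIMEOUT 12
OK ATD#777
TIMEOUT 22
CONNECT ""
"""

# Keywords chat(8) treats as directives, each consuming the next token.
DIRECTIVES = {"TIMEOUT", "ABORT", "CLR_ABORT", "REPORT", "CLR_REPORT",
              "SAY", "ECHO", "HANGUP"}

# Escape sequences chat expands when a string is sent or matched.
_ESCAPES = {"r": "\r", "n": "\n", "t": "\t", "s": " ", "\\": "\\"}


@dataclass
class Step:
    expect: str   # string waited for ('' matches immediately)
    send: str     # string sent after the match ('' sends nothing)
    timeout: int  # TIMEOUT (seconds) in force while waiting for `expect`


@dataclass
class ChatScript:
    aborts: List[str] = field(default_factory=list)
    steps: List[Step] = field(default_factory=list)


def tokenize(text: str) -> List[str]:
    """Whitespace separates tokens, single or double quotes group them
    (so 'NO CARRIER' is one token), '' and "" yield the empty string,
    and backslashes pass through untouched for chat to expand later."""
    tokens: List[str] = []
    buf: List[str] = []
    quote: Optional[str] = None
    in_token = False
    for line in text.splitlines():
        if line.lstrip().startswith("#"):  # comment line, skipped by chat
            continue
        for ch in line + "\n":             # the newline flushes the last token
            if quote:
                if ch == quote:
                    quote = None
                else:
                    buf.append(ch)
            elif ch in "'\"":
                quote, in_token = ch, True
            elif ch.isspace():
                if in_token:
                    tokens.append("".join(buf))
                    buf, in_token = [], False
            else:
                buf.append(ch)
                in_token = True
    if quote:
        raise ValueError("unterminated quoted string")
    return tokens


def parse_chat(text: str) -> ChatScript:
    """Walk the tokens: a directive consumes one argument, anything else is
    an expect string that must be followed by a send string."""
    toks = tokenize(text)
    script = ChatScript()
    timeout = 45  # chat(8) default until the script sets TIMEOUT
    i = 0
    while i < len(toks):
        tok = toks[i]
        if i + 1 >= len(toks):
            raise ValueError(f"dangling token {tok!r}: no argument or send string")
        arg = toks[i + 1]
        if tok == "TIMEOUT":
            timeout = int(arg)
        elif tok == "ABORT":
            script.aborts.append(arg)
        elif tok in DIRECTIVES:
            pass  # recognised directive, not modelled further here
        else:
            script.steps.append(Step(expect=tok, send=arg, timeout=timeout))
        i += 2
    return script


def expand_escapes(s: str) -> str:
    """Render a script string as chat puts it on the serial line."""
    out: List[str] = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(_ESCAPES.get(s[i + 1], s[i:i + 2]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def is_well_formed(text: str) -> bool:
    """True when quotes balance, every expect has a send, TIMEOUTs are ints."""
    try:
        parse_chat(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    script = parse_chat(CHUNG_CHAT_SCRIPT)
    print("abort strings:", [expand_escapes(a) for a in script.aborts])
    for step in script.steps:
        print(f"wait {step.timeout:2d}s for {step.expect!r} then send "
              f"{expand_escapes(step.send)!r}")
```

Run stand-alone, the script prints the six modem responses that abort the dial and the three expect/send steps, making visible what the flat file hides: the empty expect `''` fires immediately and sends `\rAT`, the `OK` expect waits at most 12 seconds, and the `CONNECT` expect waits 22 seconds and sends nothing, handing the line to pppd. `is_well_formed` is the check to run on an edited script before pppd does, since an unpaired expect string or a stray quote otherwise only shows up as a failed connection in the chat `-v` log.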