_________SWAT MAGAZINE ISSUE TWENTY FIVE JANUARY 2000 __________ / \___________________________________________/ \ / Chipping Cellnet fones \ / by -=The Firestarter=- \ ----------------------------------------------------------------------- Well i thought that i'd share my knowledge of chipping good old diga's and C12 handsets for the sole purpose of getting free calls. But those of you out there that don't know what i'm on about- the handset keeps a record of the credit that you have, all we're gonna do is modify it a little so that our credit can be topped up with the use of the "on" button :-) Ok first off we're gonna need some tools: 1 Trox screwdriver - Try the hardware shop 1 Fine tipped soldering iron 1 Cellnet phone (preferably C12) 1 pic programmer (i'll get to that later) 1 pic12c508 (thats the pic btw) Ok first off i'll get the easy stuff out of the way, we need to reprogram the pic, now i've seen a few pic programmers, ranging from ones that simply plug into the serial port on your computer, right down to some really sophisticated little devices that have all the bells and whistles on that you'd expect. Personally i couldn't care less what you decide to go out and purchase, a simple serial port pic programmer suits me fine. Anyway i'll get to how you get your hands on these and the cost later on. Ok so now that you have your pic programmer, time to program the pic! ok so what you need to do is dump a little bit of code onto the pic so that your credit gets topped up when you turn your fone on. C12 MOD PIC PROGRAMMER SETTINGS DEVICE: PIC12C508A OSCILLATOR: INTERNAL RC WATCHDOG TIMER: OFF MASTER CLEAR: INTERNAL CODE PROTECT: ON So here's the code for the Diga and C12: --start C12.hex-- :10000000100B42085408430865086C086C086E0819 :10001000650874082008550820082F082008500893 :100020006108790820082608200847086F0820087A :100030002D0820085008680869086C086C086908D1 :1000400070087308200844086908670861082008D8 :1000500026082008430831083208200852084508BD :100060004C084508410853084508200831082E0867 :100070003008200850086908630835083008380837 :100080002605290449040902060046040000460525 :10009000490A4A0A4B0A26044D0A4E0A4F0A4604E8 :1000A00000082904090206002604560A4605580AD3 :1000B000590A5A0A26055C0A5D0A5E0A46040008C7 :1000C0002700080C28002904090206002604E70678 :1000D0002605000046056C0A6D0A6E0A4604670391 :1000E000E802660A290509020600760A4605780A2A :1000F000790A0A0426060A0546040008080C2800A6 :1001000029050902060067034605860A870A0704CF :100110002606070546048C0AE802830A2904090218 :10012000060026042A062605950A4605970A980A17 :10013000990A4604000824004A056A04A10A24001A :100140004A0440094B034A064D03FE0EA00DAA06C1 :10015000A00C60090A06A10A0B024A060D02AA06B3 :1001600060090C024A060E026009080C30004009C2 :100170004B034A064D03A10DAA06A10C60092A04EF :10018000010C900143062A057E0907024A07200058 :10019000800143076A05A402F002C00A5109000861 :1001A000240040094D03FE0EA00DAA06A00C600914 :1001B0000A06D10A0D02AA0660090E026009080C9F :1001C00030000002A4026009F002E10A51090008AF :1001D000AA06FD0A050C2D00D80C2E00010C2B00E0 :1001E000800C2C008A060F0B010C2D00800C2E00B9 :1001F000050C2B00D80C2C000F0B010C2D00D80C7B :100200002E00050C2B00F00C2C008A060F0B050CA1 :100210002D00F00C2E00010C2B00D80C2C00000837 :100220002500880C0200FF0C29000600FF0C2600A8 :1002300006079B0BAA046B006C00130C9F09310C82 :1002400095014307270B320C96014306340BAA0590 :10025000000C2B00700C2C00130C9F098A04000C5E :10026000970143078A05730B000C2B002D00100C1F :100270002C002E00130C9F09DF0C55014C0F430777 :100280009B0B8A04DF0C5601520F4306730BDF0CE5 :1002900056014F0F200C32004306570B8A05DF0C26 :1002A00056014B0F520C32004306570B9B0B1202A8 :1002B0009600310012023600130CD009130C9B0972 :1002C0006A065C0B000C2C002E00130C9F09110217 :1002D000B300130CD009130C9B096A06690B730B4E :1002E0008A069B0B8A05E809050C2F00130C9F0951 :1002F000050C8F0143078C0B310C95014307700BE4 :10030000320C96014307700B330C97014307700BB7 :10031000340C98014307700B130CD009130C9B0984 :100320006A068C0B080CEC014306AB02EE01430697 :0C033000AD02EF02760BFF0C060003008C :021FFE00E20FF0 :00000001FF --end C12.hex-- Ok but what if you have a Diga fone? then use this code instead: --Start Diga.hex-- :02000000000BF3 :1000800078090E02270097090D0227009709100C26 :100090002400000227009709A402E902490A870AFE :1000A00078090E02270097090D02270097097809A1 :1000B0000E02270007059709100C2400B309070258 :1000C0002000A402E9026D0A080C06004605260578 :1000D0000000000000002604870A080C0600460401 :1000E000260500000000000026040C0C06005E0A35 :1000F00046052605080C0600000000000000000070 :100100004604000000000000000026040008080C5F :100110000600460400000000000000002605000064 :1001200000000000000046050E0C06000008080C48 :100130000600080C2800670303074604030646056B :10014000260500000000000000002604E8029B0ACB :100150000C0C060026050000000000000305460701 :100160000304260400080C0C0600080C28002605D1 :100170000000000046070304460603052604670343 :10018000E802B70A0008100C2B006C00EC02C60A4B :06019000EB02C60A0008A4 :10020000C00C02002607020BAA0C2E00B00C2D0019 :10021000010C290050091002690F43074B0BAA0C6F :100220002E00B10C2D00010C29005009A00C2E004D :10023000000C2D00010C29004009C309AA0C2E0056 :10024000C00C2D00100C29005009A20C2E00800CAF :100250002D00100C29004009C309AA0C2E00D00C57 :100260002D00100C29005009A20C2E00900C2D001E :10027000100C29004009C309AA0C2E00E00C2D0027 :10028000080C29005009A20C2E00A00C2D00080C0F :10029000290040098A0BA00C2E00000C2D00010C37 :1002A0002900500910023100AA0C2E00B00C2D00BC :1002B000020C2900690C30004009C309A20C2E0071 :1002C000800C2D00100C29005009AA0C2E00C00C27 :1002D0002D00100C29004009C309A20C2E00900C1F :1002E0002D00100C29005009AA0C2E00D00C2D0056 :1002F000100C29004009C309A20C2E00A00C2D00EF :10030000080C29005009AA0C2E00E00C2D00080C46 :06031000290040098A0BE0 :023FFE00020CB3 :00000001FF --end Diga.hex-- ok so now that you've dumped that bit of code onto the pic i guess that it's time to solder it to the fone's Epromm. Now because i'm overly paranoid about blowing componants with a soldering iron i'd rather use very thin wire to do this next bit. Firstly remove the back cover of the fone, thus revealing the innards of it all, now locate the Epromm! (Note: this is for the C12) Right what we need to do is attach 4 wires to the Epromm of the fone, right we'll attact a wire to pins 4,5,6 and 8. Do this carefully! i'm not 100% sure how volatile these componants are (i don;t mean that they explode, but take a soldering iron to a transister for a few seconds too long and it will never work again - get my point). Ok so now that you have 4 wires attached to the Epromm, let's attach them to the pic that you recently coded. Now my prefered method of this, like attaching any IC to a circuit board is just to solder the wires onto a chip holder then plug the pic into it. ok the wires that you need to solder to the pins are: Epromm pin: Pic pin: 1 8 5 6 6 5 8 4 Once the Pic is installed, piece your fone back togeather and turn it on! call a friend, turn the fone off, turn it on again, wayhay free credit! Anyway, here's the Diga settings: 12C508 to Eprom chip pin 1 to pin 8 pin 8 to pin 1 pin 5 to pin 5 pin 6 to pin 6 When programming the Pic you need to check the configuration fuses. Oscillator = Internal RC Watchdog = Disabled P U timer = Disabled MCLR = Tied to Vcc Very handy indeed! Anyway i hope that this has helped out all of you in chipping fones! Now on to the Pic programmer, you can spend anything up to several hundred quid on one of these things, fortunatly Maplins will sell you pic's that are pre-programmed with a hex code of your choice teehee, you can always abuse this service for a small service charge. But your best bet is to use the www.yahoo.co.uk search engine and look for +pic +programmer in the UK only section, Netw0rk Bug and myself found a good site on Demon that sold them for about £70, can't rememebr the URL though.