The Test Card has one single function - to put the phone into test mode. The card is the key that the software needs before it will let you enter the test mode. The test mode is used by motorola for various serivice purposes. I guess motorola was taught a lesson from the old AMPS/E-TACS phones that could be put into testmode by shorting two pins or entering combinations from the keypad. To make it a lot harder for kewl phreaks, they designed the special SIM cards (Test and Clone/Transfer Card). From the test mode you can perform diagnostics, display the IMEI (on pre *#06# software), soft &hardware versions and change soft potentiometers.

The Test and Clone/Transfer cards can not be copied using the copy SIM phonebook option, but they have both been sucessfully emulated.

How does the test cards work ? The test card is not any special by itself. All the functions are carried out by the phone software, but the card act as the key that unlock these functions. The test card is an ordinary SIM with a special entry in the 6FAD file. As soon as the phone discovers that the inserted SIM card has bit seven of the first byte in the 6FAD file set (this means every value from 81-FF), it will allow you to enter test mode by holding down "#" for three seconds. Ordinary SIM cards have the entry "00 FF FF" in this field, but the test SIM has "81 FF FF" - 81 is defined in the GSM TS 11.11 as used for "Type approval".

The PIN for the card can be 01234567 , 00000000 or 11111111 (If you are prompted for one). After the PIN is entered , you will need to hold down # for 3 seconds to enter test mode. The PIN code verification can be removed just as you do with a regular SIM (makes it less annoying and safer to work with) - Be careful ! Just like a normal SIM, the PIN can only be entered three times - then the PUK is needed (The PUK is 12345678, so if you blocked the testcard, you will need to enter **05*12345678*1234*1234# - The new PIN will now be 1234 - I can recommend setting "Require SIM PIN" to OFF). The phone will prompt "Test - Now the commands can be entered - Many of these commands vary with the different phone types.

Test mode syntax:

When the card is present in the phone, it will act as if a normal SIM was inserted in the phone. The phone will not try to register on a network since the test card has MCC=001 and MNC=01 which are the values described in the GSMTS as "test use".

To enter the test mode the "#"key has to be pressed down for 3 seconds. The phone will then enter test mode and display "Test" in the display. Now test mode commands can be entered. The syntax consists of [command number][parameter1][parameter2] etc. and is executed with an terminal "#". The different commands require a different number of parameters. Here are a few examples:

19# : Command 19 will display the software version and does not require any parameters - on a 7500 it could show "CallProc 58.62.15"

591234# : Command 59 normally shows the LOCK code, but when a parameter is used, the LOCK code is changed to the one specified with the parameter - This example will change the LOCK code to "1234"

3405815# : Command 34 will configure the radio to channel 058 and powerlevel 15

The test mode is exited with the command 01#

Here is a list of the commands

CommandFunction

01# Exit test mode

02NN# Display PACAL NN (00...19) - "PCAL NN xxx"

00 to 15 are the calibration of the PA to match the nominal power of NNth powerlevel

02NNXX# Enter PACAL value XX (00..99) for NN (00...19) - "PCAL NN XX"

02NNXXX# use XXX on 2.7 v phones

03N#DAI N (0...8)

05N# Exec error handler test N (0...3) Induces an error and powers off the phone

0 -> CPU error:

EC=01 - SC=00 - P1=00,10,02,E8 - P2=00,00,00,00 - GI=00,00,00,07,3C,5C,C0,08,00,00,00

1 -> CPU error:

EC=01 - SC=00 - P1=00,10,02,E8 - P2=00,00,00,00 - GI=00,04,00,07,3C,5E,C0,0C,00,00,00

2 -> Modem error:

EC=03 - SC=04 - P1=00,00,00,00 - P2=00,00,00,00 - GI=00,01,00,00,00,02,55,74,00,00,00

3 -> CPU error:

EC=01 - SC=00 - P1=00,10,02,F4 - P2=00,00,00,00 - GI=00,00,00,07,3C,A4,20,14,00,07,3C

07# RX Audio Off (Mute Receiver Audio Path)

08# RX Audio On (Unmute Receiver Audio Path)

09# TX Audio Off (Mute Transmitter Audio Path)

10# TX Audio On (Unmute Transmitter Audio Path)

11NNN# Select transciever channel N (001...124)

The transciever channel can only be changed when the phone is not transmitting (37#)

12NN# Set TX Powerlevel N (00...15)

This selects how much power the phone will transmit with.Refer to Power table on the Engineering menu page -A channel must be set (11NNN#) before selecting powerlevel. The command will only work when the prone is not transmitting (37#)

13N# Display memory block usage N (0...3) - "N:x/y/z"

14N# out of memory condition N (1...3) Induces an memory error and powers off the phone

1 -> Exec detected error:

EC=06 - SC=01 - P1=00,00,00,3E - P2=00,07,3E,4A - GI=00,00,00,00,00,00,00,00,00,00,00

2 -> Exec detected error:

EC=06 - SC=01 - P1=00,00,00,FE - P2=00,07,3E,4A - GI=00,00,00,00,00,00,00,00,00,00,00

3 -> Exec detected error:

EC=06 - SC=01 - P1=00,00,02,BA - P2=00,07,3E,4A - GI=00,00,00,00,00,00,00,00,00,00,00

Seems to do something else on the 8700/StarTAC

15N# Generate tone N (1...6)

On the 5v phones use the 15n# to generate tones to the alert transducer (these are generated by the DSP):

151# Normal "annoying motorola type" ringing

152# Busy (slow)

153# Busy (fast)

154# Error (tri-tone)

155# No service :3 x busy (Fast)

156# Vibrate

This is different for the d460/8700/StarTAC/Slim:

15NN#

Using the 15xx# to generate tone: Enter 432# to change to alert, enter 477# adjust volume to max.

1523# Voice Mail alert

1524# Redial alert

1525# Busy

1558# Low Battery

1559# SMS alert

1532#/1546# Standard Tone

1533#/1547# British Tone

1534#/1548# French Tone

1535#/1549# German Tone

1536#/1550# Bravo Tone

1537#/1551# Three Ring Tone

1538#/1552# Siren Tone

1539#/1553# Quick Tone

1540#/1554# Single Ring Tone

1541#/1555# High Tone

1542#/1556# Music Tone

1562# No Vibrate or Ring

1563#-1567# Vibrate(Discontinuous)

1568# Vibrate then Ring

1590# Vibrate(Continuous)

16# Stop generating tones enabled with 15N#

17N# Select DSP (Digital Signal Processor) type : Motorola(0) or AT&T(1)

Most phones have this set to AT&T, which refers to the Lucent 1616DSP - . If this is set incorrectly, the phone will fail with a code 05 (7100#), not beep on power-up and report "00.00" as the Speech coder version. You will also not be able to perform a speech coder loopback .Some of the 8200/8400/6200 have a Motorola type fitted. The Mot type is physically bigger (about twice the size) and the pcb layout is therefore different. On some kinds of phone there is a sticker near the battery contacts which has the pcb revision number, P15 or A5 for example. If the number is a P type, then it has a Motorola speech coder, if it is an A type then it has an AT&T or a Lucent type.

19# Display call processor s/w version - "CallProc xx.xx.xx"

This is the actual Sw version. The EPROM / Flash stickers also indicate the version. If the phone has been flash upgraded (with an emmibox), the stickers and the version reported by the test card will not be identical. This is also a way to spot an express exchange unit.

20# Display modem software version - "Modem IC v. xx.xx"

This is the Modem IC ( XC 390nnnFU ) software version number

The latest versions I have seen is 40.02 on a 8700 Hw 3.3 and 40.03 on a 8800 - This ROM can't be flashed, so the software is changed by replacing the MODEM chip

21# Displays ??? - "simp 01.02 E43C e43c"

22# Display speech coder (AT&T or Motorola DSP) version - "Spch Cdr v. xx.xx"

5.XX (where X is any number), means the phone has a Motorola DSP. If the code is 11.XX, it is an AT&T or a Lucent. This has to be the revision of the actual DSP code which is kept internally in the DSP1616 ROM - The 1616 can use external memory, but the motorola design only uses the internal 24K ROM.The Speech Coder revision therefore cannot be changed without replacing the chip.

23# Display info stored - "No Info Stored" (Works on 7500 / 8200)

24N# Turn on/off the 23dB RX-AGC step attenuator N (0...1)

This toggles a 23 dB Automatic Gain Control attenuator - it will not take affect until a transciever channel is selected (11NNN#).

25NNN# Set RX-AGC level NNN (000...255)

Has to be followed by a 11nnn# like 24n#

26NNNN# Set VCO (Voltage Controlled Osciliator) AFC (Automatic Frequency Control) value N (0000...4095). This command is used to ajust the TX frequeuency. A BTS will only accept the MS to be around 50 Hz off frequency before it is kicked.

31N# Transmit pseudo-random sequence with midample N (0...7)

Initiates pulsed transmission - The phone will not be synchronized to a network. When starting this transmission phones in the vicinity that operate on the cannel in question will make a handover ! (see why you should be careful ?). This indicates that the transmission is taking place on a traffic channel.

32# Transmit RACH burst sequence

Initiate pulsed transmission - The bursts seem to be shorter and have a lower frequency than the 31N# bursts. This command can not be used like the one above to "bump" others off the channel, indicating that it does not transmit on the traffic channel, but probably is an access burst on the RACH (Random Access CHannel i.e. uplink CCCH. Since CCCH channels are common to all users of a cell, transmitting RACH bursts in every 51-frame multiframe (26 per superframe). However, since the MS isn't synchronized to the network and it will not contain the right data (the right color codes and checksum) to be a "usable" burst it will not be valid for allocation of a channel.

33NNN# Synchronize to BCCH carrier NNN= channel (001...124)

If you punch in a valid channel in your area, the O symbol will turn off and indicate that the phone is receiving and sucessfully decoding the BCCH. You can check which channels are active in your area with the EngField Options menu.

34NNNXX# Traffic channel loopback without frame erasure indication N= channel (001...124), X=PowerLevel (00...15)/(00...13)

Initiate loopback transmission - The phone must be synchronized to a network (33nnn#) - If you are close to a BTS, you can synchronize to the BCCH and use this command to loopback speech like 36# but on a full-rate traffic channel -The phone will code the speech and transmit it to a test-set (or BTS!) which will loop it back. If it is intended for use with a test set, the timing advance must be zero (and you would have to be within 1000 meters of a BTS to make it work). The speech loopback is internal and the phone might keep synchronisation to the BTS (perhaps by sending idle bursts) ?

36# Enable speech coder acoustic loopback

Remember to set volume to max when using this (477#)

37# Stop transmission

Disables Speech coder loopback (36#) and RF test commands (31N#, 32#, 33NNN#, 34NNNXX# , 40#, 41# )

38# Start SIMClk

This command will start the 3.25 MHz clock signal to the SIM card. It also initiates sending garble data to the SIM.

39# Stop SIMClk

This command will stop the 3.25 MHz clock signal to the SIM card.

40# Initiate constant carrier transmission - all bits set (1)

Will only work if the powerlevel has been set between 10 and 15 - Thats 200 mW or less. No data is contained in this transmission

41# Initiate constant carrier transmission - all bits struck (0)

Will only work if the powerlevel has been set between 10 and 15 - Thats 200 mW or less. No data is contained in this transmission

42# Disable echo suppression until phone is switched off

43N# Changes the audio path N (0...8)

0 select carkit audio

1 select carkit audio (seems identical to the above)

2 select phone alert transducer

3

4 select earpiece on portable phone

5 select carkit speaker

6

7 select carkit audio

8 select earpiece on portable phone

45NNN# Display receiver information N (001...124) - "-xxx.x yyy z"

N is the GSMchannel number - the command will display the channel reception xxx.x (dBm), the last AGC DAC value yyy (0... 255) and the step AGC value z (0...1)

46# Display AFC DAC value (0-4095) - "AFC DAC xxxx"47N# Set earpiece volume N (0...7), 7=max

48NNNN# Generate continuous tone. N (0001...4500) = frequency in Hz

Does not work on all software versions (1.9 and above)

49N# Display battery Frame N (0...7) data - "Battery Rd Fail"

The test card will remember the data from the last valid battery. This is the information kept in the Dallas "add only memory" chip in the battery. Does not work on all models of phones / batteries - this command is a good way to check if your Li-Ion battery is genuine.

50NNN# Internal charger control N (000...255)

000 Stop internal quickcharge

255 Maximum current on internal quickcharge (N controls the current)

Does not work on the d628

51# Enable sidetone

52# Disable sidetone

53N# Perform RAT test N (0...8) ?

57# Initialize non-volatile memory

Use this with caution, since it wil zap almost all settings including: Lifetime meter, phonebook, user settings, etc. This command will on the StarTAC work as a "Master Clear" and not reset the lifetime meter.

58# Display Security code - "SECUR xxxxxx "

58xxxxxx# Change security code to xxxxxx

59# Display lock code - "LOCK xxxx"

59xxx(x)# Change lock code to xxx(x)

60# Display IMEI - "xxxxxxxxxxxxxxx"

61# Display LAI MCC -THISVALUEISSTOREDINTHESIM- "LAI MCC xxx"

The Local Area Information consists of the Mobile Country Code, Mobile Network Code & Local Area Code

61NNN# Change LAIMCC to N(000...999) -THISVALUEISSTOREDINTHESIM- "LAI MNC xx" This is a two byte value that is stored in the file called "LOCI" (6F7E) in the SIM.

62# Display LAI MNC -

THISVALUEISSTOREDINTHESIM- Mobile Network Code

62NN# Change LAIMNC to N(00...99)-

THISVALUEISSTOREDINTHESIM- This is a one byte value that is stored in the file called "LOCI" (6F7E) in the SIM.

63# Display LAI LAC -

THISVALUEISSTOREDINTHESIM- "LAI LAC x" Local Area Code

63NNNNNN# Change LAILAC to N(000000...65535)-

THISVALUEISSTOREDINTHESIM- This is a five byte value that is stored in the file called "LOCI" (6F7E) in the SIM.

64# Display Location Update Status -

THISVALUEISSTOREDINTHESIM- "Loc Updt Stat x" This is the Location update status which is stored in the file called "LOCI" (6F7E) in the SIM

0= Updated

1= Not updated

2=PLMN not allowed

3= Location Area not allowed

64N# Change Location Update Status to N (0...3) -THISVALUEISSTOREDINTHESIM-

65# Display IMSI (001010123456789) on test card -THISVALUEISSTOREDINTHESIM- "xxxxxxxxxxxxxxx" This is the International Mobile Subscriber Identity which can be read from the Elementary File "IMSI" (6F07) in the SIM

66N# Display TMSI N (0...3) -THISVALUEISSTOREDINTHESIM- "TMSI N xxx"

This is the Temporary Mobile Subscriber Identity which is assigned to the MS/SIM by the network

66NXXX# Enter TMSI value XXX (000...255) for N (0...3) -THISVALUEISSTOREDINTHESIM- This is a four byte value that is stored in the file called "LOCI" (6F7E) in the SIM.

67# ????

68# ????

69# Display Ciphering Key (Kc) Sequence number -THISVALUEISSTOREDINTHESIM- "Cipher Key x" This is the Kc sequence number which can be read from the Elementary File "Kc" (6F20) in the SIM once the PIN has been entered

69N# Change Cipher Key (Kc) Sequence number to N (0...7) -THISVALUEISSTOREDINTHESIM-

70NN# Display BCCH NN (00...15) -

THISVALUEISSTOREDINTHESIM- "BCCH NN xxx"

This is the content of the Elementary file "BCCH" (6F74) - By storing a BCCH search sequence, the extent of a MS's search of BCCH carriers may be reduced. By thinking of the 16 bytes x 8 bits as a bitmap, it is possible to have a flag for each GSM-900 channel (plus 4 spares) which specifies to search for a BCCH on that carrier or not.

70NNXXX# Enter BCCH value XXX (000..255) for NN (00...15) -THISVALUEISSTOREDINTHESIM- "BCCH NN XXX"

71NN# Display INFO (Self Diagnostics) NN (00...99) - "INFO NN xx"

INFO 00 (Error Code):

01 CPU error (unexpected CPU exception)

02 SRAM error

03 Modem error

05 Speech Coder (DSP) Failure (if SC=01, then 22# will probably report 00.00 - check DSP setting 17n#)

06 Exec detected error

07 EEPROM checksum error (can't always be cleared by cloning - an EMMI might be needed)

08 MMI power down (SC: 03=pwr button hit, 04=low battery, 06=butt plug power toggled)

09 QSPI (Queued Serial Peripheral Interface) error - probably a SPI bus error.

0A ???

0B ???

0C ???

The SPI bus (MOSI, MISO and SCK)is used for communication between the MODEMIC and the Call Processor. Read much more about this in the MC683xx and 68HCxx documentation.

In addition, more specified information is provided for each EC by the following:

INFO 01 (Sub Code) : Defines the error category within the given EC

INFO 02-05 (Parameter-1)

INFO 06-09 (Parameter-2)

INFO 10-99 (Generic Information)

A normal, working phone will report EC=08 (MMI power down) & SC=03 (Power button hit)

72NN# Display Passive Fail Codes NN (00..99) - "PFI NN xxx"

Describes the passive failure codes (What are these ??)

73N# Display Logger control block N (0...4) - "LOGR N xxx"

This is an event logger that is used for troubleshooting. Can anyone tell how this is used ?

73NXXX# Edit Logger control block N (0...4), XXX (000...255)

With this command, the logger can be programmed to log specific information

75NNNNN# Request flash from emmibox NNNNN (00000...99999) - "Flash Failure"

N=36778 is used for flashing the software. The phone has to be connected to a PC via an "Emmibox" that plugs into the phones butt-plug. After the transfer, the phone neeeds to be reset (57#). Not all models can be flash upgraded. Some has EPROM memories instead of FlashROM and will have to be replaced manually. The EMMI box has an exteral PSU , connects to the RS-232 port of the PC and to the phone. The box will translate between the PC's serial interface and the Phones DSC bus interface. The emmi is more than just a DSC bus driver - It uses a MC68332 and has 2 mb of EPROM memory.

88# Show Real time clock (Tue Jun 15, 15:29:41 , 2066 ) -

Time / date flashes with 1 sec interval in the dot matrix display

Model dependant - d460/8700 / StarTAC only

88NN# Set clock status NN (00..01)

00# Disable RTC

01# Enable RTC

Model dependant - 2.7 volt phones only

99# LCD display test

Model dependant - 7500 / 8200 / 8400 / d460 / d470 only

99N# LCD display test N (1...2)

1 Display chekered pattern

2 Display reverse chekered pattern

Model dependant - 8700 / StarTAC only

TCH loopback test (CAREFUL!)

36# Start Speech Coder Loopback

08# Unmute RX audio path

10# Unmute TX audio path

477# Set the audio level to max.36# Start Speech Coder Loopback

08# Unmute RX audio path

477# Set the audio level to max.

434# Select earpiece (audio path)08# Unmute RX audio path

477# Set the audio level to max.

151# Generate a Ring Tone to Earpiece

48XXXX# Generate continuous tone11xxx# - select valid BCCH carrier

08# Unmute RX audio path

10# Unmute TX audio path

b>477# Set the audio level to max.

33xxx# Sync. to BCCH carrier - The "o" dissapears

34xxx00# Enable TCH-Loopback!