This is a quite wonderful little way for manufacturers, because what it does is it lets the manufacturer make one single product and yet, with jumper pads or zero-ohm resistors or even EEPROMs, they can easily reconfigure it for other, more expensive models. This means they only have to make one model at one cost, and then of course they choose whatever price they want for all the different ones with more advanced features or things like that. The Cidco boxes are of course something that everyone is familiar with. They've probably read modification FAQs on it, text documents, or even done it yourself. This covers a lot of the different things I'm going to be discussing, and one thing I should warn you is bear with me, because this is the first time I've ever been making a presentation in front of anyone, especially an audience this big, so I'm going to warn you about that.

One of the first things to do if you're trying to figure out what mods are available for your particular device you've chosen (oops, a spelling error, bear with it) is: are there any special features on models that look identical, like for instance the caller ID boxes? You've got two models that look virtually identical, yet the only difference between them is the number of calls they store. This could give you an idea of what features are or are not available to possibly be added or removed for your particular piece of hardware you've chosen.

Are there any unusual markings on the plastic? One of the things manufacturers like to do when they make their cases with the plastic injection mold system, which is a big metal mold, is they sometimes have modular components to it, so that when they inject the plastic, if they want to change features as to what doors or openings are or are not available or whatnot, all they have to do is simply put in a second block of metal in place of another one and you now have a door available there for buttons, or a hole or whatnot, for any other models.
This is most visible on the Netpliance i-Opener with the compact flash socket: if you look at it from the outside you can see small ridges from where there is a door, even though it's a solid molded piece of plastic, and on the inside you can see the holes drilled in the side for where the door snaps into place, if they ever made that into any of the i-Openers.

Are there any big, empty and unused spots on the case, or whatever external case it is? Sometimes what they do is you'll find, let's say a VCR for example, has a big open panel on it, a play and a stop button, and over on the other side a power button, and there would be a big strip of absolutely nothing there. There could possibly be something added or made available for that, which I'll cover here shortly. With big open areas, those are physical things such as displays, lights, all sorts of stuff.

One of the other things to look for is LCD displays, or other gas plasma displays and vacuum fluorescent displays. You can sometimes see characters on them available, indicating that there are possibly certain features there, such as it could be that they use the same display for several different models, and inside of the embedded chip, the main CPU for the device, there might not even be the ability added for whatever number of calls you want to have for a caller ID box, or other additional features such as for ham radios or things of that nature. The reason why you can see that on LCD displays is because LCD displays are meant to be viewed like in the top picture, looking straight down with the light source either behind you or around you with ambient light.
If you look at it at a very shallow angle, you can many times see additional characters, the contrast of them made more visible, so you can see what other features are there: segments of LCD displays for numeric characters, or other certain features such as funny little symbols like some of the people who make ham radios and cell phones and stuff like to put in.

I had a much nicer picture until I lost it, so I kind of put together a quickie here. The cylinder-like shapes are supposed to be the liquid crystals. How this works is light is sent through the first piece of polarizing glass and turns the light basically into a vertical polarization. The liquid crystals distort that vertical polarization and allow it to become pretty much nonpolarized again. It then passes through the rear one, which has horizontal polarization, and is reflected off a reflective material of some kind, where it then bounces back through and allows you to pretty much see what looks like a light display or light character. When electricity is applied to a thin metal coating on the surface of the LCD display, the liquid crystals line up and polarize themselves and keep from depolarizing the light that passes through it. At which point the light will not be able to pass through the rear filter, and because light cannot be reflected off the rear of the display, the reflective material, it ends up looking dark.

The thing is, by lowering the voltage, the liquid crystals do not properly polarize themselves, and the end result is that the display looks somewhat faded or a light shade of gray, basically gray scales like what the Game Boys do, or various other displays like the Palm Pilot if you program in for using the gray scale functions. The thing about it is, even when the display segments are wired to the CPU and are not being used, a small amount of trickle voltage is going through that, changing that polarization slightly.
If you hold it up to the light to look through it, like that first picture I had, when the power is not applied you will barely see anything at all. You might see the metal coatings, but I wouldn't see anything else. But when the small trickle voltage flows through it, the special characters that might not normally be available will be considerably more visible. So that way you can identify just basically how it looks.

One thing to do when opening it up is keep all the screws separate. What I always do is put down a piece of paper and mark what pattern the screws went in and what holes, for whatever device you're opening, whether it's a VCR or a television set or whatnot. Because many of these screws are different for each and every socket, and I've seen a lot of people throw them all into the same little bowl and then try to figure out afterwards what screw holes those go back into. Such a pain in the butt, so it's best to keep them all separate in the first place. When you're trying to open it up, do not force it if it won't come apart, if it's snapped together and just won't come apart, because you will break the parts of the molded plastic case; they're usually snapped together. That happened with my first Cidco caller ID box I owned. As many of you have probably done, I broke the little snaps at the foot of it. And also, if the case gets stuck on anything, do not force it apart either, because you can damage it. They use cheap plastic that is easy to break.

On the circuit board, you can look for possible points where it can be modified. Usually it involves a blob of solder of some kind, such as on the caller ID boxes. All you have to do is, because of the residual flux that's already on it from the original manufacturer, just touch a soldering iron to it and that will pretty much break the contact. And just add solder to reconfigure it again. Also look for open solder pads that are abnormally shaped relative to the rest of the surface mount components.
You'll find that when you look at many circuit boards that have open solder pads on them with nothing there, the surface mount components around them, such as the diodes and transistors and stuff, usually have a different size and shape than the ones that are meant to just have a blob of solder to close them shut, to simply short the circuit. This is one of the other most common things as well.

Look for whole rows of zero-ohm resistors. Many times, zero-ohm resistors are used in place of blobs of solder because they look like any old surface mount component. Many people who don't know how to read the numbers off the surface mount components will look at that, think it's just a regular resistor or diode or something else, and not think about possibly removing it. Rows of identical diodes or resistors: usually the diodes are used for things like ham radios and police scanners, where I've found them used quite a bit. I'll have pictures of those coming up here shortly.

One of the things you're doing when you find a whole bank of them to go through, one of the tricks I found, which is really good, is Gray logic. It's used for motor sensors and various other things, and is a different form of the regular binary logic which many of you people have seen. Touching wires together is one of the other most common things that I found very useful. Take pieces of wire, solder them straight down onto the pads so they go up, and simply touch them together or twist them together or short them together. That way you only solder twice: to put the wires on and to take them off. And that way you can go ahead and adjust the configurations and combinations as many times as you want. Or if you're going to have to do it for an extended period of time, I also install one of those banks of DIP switches that are commonly used in some of the jumperless motherboards and various other components, such as some of the older ISA cards.
Gray code looks like this. And the reason why it's shaped as it is is obviously to simplify the design. And also, as you can see, each and every time the state changes, only one single bit changes between states. This means when you're soldering it, a lot less work. Because for this number of combinations, for 16 different combinations, you only have to solder it about 16 times to get back to where it was at the original factory default. Whereas if you use regular binary code, you pretty much find yourself soldering a whole lot of times. And in between 7 and 8, as you can see right there, you'd have to solder every single pad at the same time. And the more soldering you have to do means the more heat on your circuit board. That means you can actually delaminate the circuit material itself and take the traces right off.

There are all sorts of hidden features in TVs, VCRs, and other home electronics devices. These range from various models that have stereo to region coding on some DVD players, possibly. I haven't had too much experience with that since DVD players are still a little on the pricey side. I don't want to rip apart a $200 piece of electronics gear just to find myself screwing it over. I think you people can sympathize with that.

This is the inside of my Raite 715 DVD player. And all over the board, ranging from on this side, this way here, here, here, and also right here, here, and here on the board, there are whole banks of zero-ohm resistors. I haven't yet attempted to figure out what those do because, as you can see, a lot of electronics components are missing from it, which I'd have to add, which are usually available only on European models, such as for the SCART connector and also for the Dolby AC3 output. And as I enable those features, the device might not even work or boot up. And also, I just bought the thing as well. So I am not going to mess with it. But it gives you something to look at.
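To make the soldering argument above concrete, here is an added example (not from the talk or its slides) that generates the reflected Gray sequence for a bank of jumper pads and counts how many pad changes it takes to walk through every combination and back to the factory default, in Gray order versus plain binary order. The pad bank, bit width and "one solder operation per changed pad" accounting are assumptions for the sake of the illustration.

```python
# Added example: compare the soldering cost of stepping a bank of jumper
# pads through every combination in Gray-code order versus binary order.
# Each set bit represents one pad bridged with a solder blob; each bit that
# changes between two states is one solder operation (add or remove a blob).

def gray_code(bits: int) -> list[int]:
    """Reflected binary Gray code: state i is i XOR (i >> 1)."""
    return [i ^ (i >> 1) for i in range(1 << bits)]


def pad_pattern(state: int, bits: int) -> str:
    """Render a state as a pad map, '1' = bridged, most significant pad first."""
    return format(state, f"0{bits}b")


def bit_changes(a: int, b: int) -> int:
    """Number of pads that differ between two states."""
    return bin(a ^ b).count("1")


def solder_operations(sequence: list[int]) -> int:
    """Total pad changes to walk the sequence in order and return to the start."""
    n = len(sequence)
    return sum(bit_changes(sequence[i], sequence[(i + 1) % n]) for i in range(n))


def worst_transition(sequence: list[int]) -> int:
    """Largest number of pads changed in any single step (wrap-around included)."""
    n = len(sequence)
    return max(bit_changes(sequence[i], sequence[(i + 1) % n]) for i in range(n))


def is_gray_sequence(sequence: list[int]) -> bool:
    """True if every step, including the return to the first state, flips exactly one pad."""
    return worst_transition(sequence) == 1 and solder_operations(sequence) == len(sequence)


if __name__ == "__main__":
    BITS = 4  # assumed: a bank of four solder pads, 16 combinations
    gray = gray_code(BITS)
    binary = list(range(1 << BITS))
    print("step  binary  gray")
    for i, (b, g) in enumerate(zip(binary, gray)):
        print(f"{i:4d}  {pad_pattern(b, BITS)}    {pad_pattern(g, BITS)}")
    print("solder operations, Gray order:  ", solder_operations(gray))
    print("solder operations, binary order:", solder_operations(binary))
    print("worst single step, binary order:", worst_transition(binary), "pads (7 -> 8)")
```

Run stand-alone it prints the two 16-state tables side by side; the binary walk costs 30 pad changes with the 7-to-8 step touching all four pads at once, while the Gray walk costs exactly one change per step, 16 in all, which is the point the talk makes about heat on the board.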
Here's a close-up of around the ROM chip, with the CPU up here. This is one bank of zero-ohm resistors. This is another bank. And here's another bank. Those are probably the ones that configure various things, such as what hardware is and is not installed and available on it. Another thing to look at right here is, as you can see, this connector that goes to the faceplate has certain pins missing from it. I followed the traces and discovered that's for audio output; audio-video outputs are right on the front of the player itself for connecting to a stereo system or something like that, which I've seen on pictures of other Raite 715 DVD players. So you could get yourself another audio output by actually wiring those up, which could be useful if you have a crammed stereo system.

Another thing to look for is, as I mentioned earlier, VCRs. When I first got into figuring out hardware mods, one of the things I did was I decided to look at one of my VCRs that I had, which I had pulled out of a dumpster and fixed up. I was too cheap to go out and buy one. I don't think many people can sympathize with me. Also, it's fun to fix up something yourself. The thing is, it only had a play, a stop and a power button. No record, no speed adjustments, no nothing. I couldn't even rewind a tape except by playing it all the way to the end and letting it rewind automatically. So I took off the faceplate. Yeah, wonderful design, huh? So I took off the faceplate, and what I found was that on the circuit board right behind the display, there were through holes drilled in the circuit board and pads in the locations to solder on all the additional buttons for fast forward, rewind, et cetera. So I'm like, hmm. After some experimentation with the best way to implement it, I ended up screwing up the faceplate considerably, drilling lots of holes through it.
So I went out and got a big chunk of aluminum sheet metal, drilled holes through it, put in your regular through-hole push buttons, a cheap pack of $1 ones from Radio Shack, and had myself a full set of buttons and a nice tricked-out VCR. That served me for several years until I turned around and gave it to a friend, who ended up dying last year.

Ah, on chips. One of the things to look for is on small embedded chips, such as in telephones, radios, remote controls. Almost anything that has a small single chip can be reused for other things, such as other models of VCR or TV remote controls, or the small simple things. Unused pins on them can enable you to do all sorts of things, especially if they're not wired to anything. Why they use these is it's less engineering, less work for them. And also it means faster certification as well, since some of these devices have to have FCC approval.

What I'm going to use for an example is a DTMF chip, which is on this small touch tone encoder here. I decided I wanted to add the A, B, C and D keys one day. What I did is I studied it, and what I found is this pin, although it should be for the fourth column, was not. The fourth column was all the way up here. This is pretty common, to find unused pins all over the place. Usually these won't even have traces running to them. They'll just simply be soldered to the board so that the chip is held all the way down. And what you can do is short the wires together. In this case, cut the trace on the board and rig up a slide switch, which is what I did with mine, so that I can switch the columns back and forth for the... Yes, sir? Now that's a good point. One of the things you can do to find these, the information on what pins are or are not used, is, as this individual mentioned there, to get the data sheets from the manufacturers. Sometimes these are made available, sometimes they are not.
In this case, for this UM chip, I have not been able to locate the specs on it, and I had to figure that out on my own, which, with the way it was designed, the wires simply run straight both vertically and horizontally across the board and are shorted together. So all I had to do was take a paper clip and short the appropriate pins until I found the fourth column. It might be more complex for other devices, but for simple things like telephones, for adding, for example, redial buttons, flash buttons, even possibly memory buttons which are not available on your small cheap phone, you could be able to add them if you find unused pins.

On embedded chips, there are all sorts of different ways they can be configured for the various jumper settings, like I pointed out earlier with the caller ID boxes for the hardware configurations of the components. They could have diodes between them, they could be tied directly to the five volt supply to tie them high, or straight to the ground to tie them low. They could even be not soldered to anything at all in order to disable them. They could have diodes in either direction. It all depends upon how the chip was designed in the first place. As to how to find this out, you can contact the manufacturer who originally made the chip, especially if it's a commonly available one that is meant to be used for all sorts of devices, and get the data sheets on it.

Zero-ohm resistors come in all sizes. I've had very large ones, almost the size of my pinky fingernail, all the way down to extremely small ones. Usually I've found them to be black with zeros printed all across them, or green with zeros all across them, or even blank. And I've even found a few blue ones as well. They're totally blank and have zero ohms of resistance, and they're not capacitors or diodes. I've checked them all over. So they could look like almost anything. Surface mount diodes come in all sorts of shapes, sizes and colors as well.
These range from the cylindrical kind that is glass, like the old kind with the through-hole leads, all the way up to surface mount ones, even three-lead ones that have both the anodes tied together and the cathodes tied together at one end. Although those aren't very common, you do find them here and there, used for configurations such as in a few models of ham radio.

One of the most common places I've found these to be used all over the place is for radio scanners and police scanners. As many of you people out there know, for how to modify police scanners to let them do cell phones or things like that, solder pads, zero-ohm resistors, diodes and loops of wire are also extremely common. The loops of wire one is a pretty interesting one I'll point out later. And undocumented pins on the CPU, as mentioned earlier. There are also secret codes you can enter on the keypad on a few models. And even computer interface systems are another vulnerability to let you enable your piece of equipment to do all sorts of other interesting little things.

For ham radios and police scanners, as mentioned earlier, solder pads, zero-ohm resistors, diodes and now loops of wire are used. Loops of wire were actually kind of short lived. I don't know if they're still there or not. The reason why loops of wire were used is because the modification was meant to be performed by the user after it was sold. Uniden Corporation is the one who made the PRO-2026. That has a small loop of wire right behind the display labeled L201. It's just a single loop that comes right off the small daughter board and right back down. You take that wire, cut it, reassemble your police scanner, reset it, and presto. You now have the ability to listen to cell phones. It's kind of the scanner company's way of thumbing their nose at the FCC. When the FCC said you cannot have cell phones anymore, it was, okay, our radios will be sold with cell phone frequencies currently blocked.
But of course, all you have to do is remove a certain component, as opposed to adding it, and you can now get cell phones back. Then the FCC turned around, went to them and said, nope, you can't even make your scanners modifiable, so you can't modify them anymore. Unless you replace the CPU with one from a European model, or just went out and bought a European one overseas that already had the ability to listen to those bands.

Alinco ham radios are another common one. On the base models, you cut the yellow loop of wire, then reassemble it and reset the radio, and now you can both transmit and receive out of band, depending upon the model. It will depend upon what frequencies you have. Same thing with the handheld models: they have two loops of wire, both a red and a blue one. Cut the blue one and you can now receive out of band, which usually includes things like just about 10 to 20 megahertz both above and below the ham radio band, depending upon if it's two meter or if it's 70 centimeter. And you cut the red wire and you can now do MARS/CAP as well. You can also, with many of the Alinco ones, when you enable the out of band reception, now listen to AM aircraft frequencies as well, indicating a whole new stage of circuits which normally would not be used inside the radio.

And also of course, everyone's familiar with the Yaesu FT-50. Who here isn't? It has one single blob of solder behind the keypad. Remove the keypad, remove the solder, reset the radio. It's modified. In many cases, the ham radio companies actually want the customers to be able to modify the radios themselves. A few companies, for certain models, would actually send you out the various components you'd either add or remove, or give you instructions on it, if you proved you had a MARS/CAP permit. What that would let them do is that would remove the work from them, since 99% of the time the mod would work quite well.
And of course, if it didn't work, what you could do is contact them, send it in, and they will service it under the warranty even though you've opened it up and modified it, as long as you can prove you have the MARS/CAP permits.

For radio scanners, the PRO-43 shows some of the most common jumpers and configurations out there. Diode one either enables or disables the key lock switch. I think this was probably added for OEM use, for ones that they would not want to have the keypad modified or touched or anything like that, so it'd just be stuck at certain frequencies. Diode two would enable the 30 to 54 megahertz coverage. If it was there, you can listen to those and tune to frequencies within that band. If it's removed, you cannot listen to stuff within that band. Same thing with diode three, which is for Europe: 30 to 54 is television signals over there, while here in the United States 66 to 88 megahertz is television signals. So there's no point in tuning in those frequencies, and that's why they can configure between those two for the different markets. And by putting in both diodes in those locations, you can tune in both areas of those frequencies. Diode four would either block the cellular bands or allow the cellular bands. And of course, they'd make it so all you had to do is remove the component, quite conveniently, and you can now listen to such frequencies. With surface mount components, most people would either crush or destroy the component on the board without having to get out a soldering iron, or actually take the time to desolder it and place it into another location to enable, for instance, the 66 to 88 megahertz range. On most other police scanners, there's a single diode in place of diode two and diode three that switches between the 30 to 54 megahertz range or the 66 to 88 megahertz range, depending on whether it's there or not.
The only problem with listening to these frequencies, when comparing the 30 to 54 megahertz range to the 66 to 88 megahertz range, is the electronics are not designed to tune in 66 to 88 megahertz. So you can listen to stuff there if someone is actually transmitting there, but the reception will be quite poor without a lot of readjustments and a lot of replacement of the components. But still, it's just nice to have that feature added.

And of course, diode five would change the stepping range of the cellular telephone frequencies. In Europe, since the cell phones use a totally different frequency plan, what they do is for that area they would have 12.5 kilohertz steps in between the frequencies. So you can listen to the police or whatever they would have over there, depending upon your area or whatnot. But in America, they use 30 kilohertz steps for the analog cell phones in those frequency bands. The thing about that is they'd want to have the frequency jumps in between the two frequencies for the stepping range configurable for the various markets.

Another idea with sticking the wires straight onto the solder pads, or whatever configuration point, and sticking them up and touching them together is you can touch together combinations of resistors, diodes or whatnot that were not meant to be crossed over, to possibly make use of various bugs within the firmware designed inside the chip. With the PRO-43, when you add a diode and cross it between the cathode of diode one and the anode of the slot for diode five, when you step up or down, the police scanner will now jump very large steps. This would override and jump over the frequencies that it would normally block at each end of, let's say, the 66 to 88 megahertz range. When it tries to go below 66 megahertz it'll just skip over to the next frequency that would be available either below or above it.
But, because it's now jumping over that frequency by stepping in a manner that's larger than it's supposed to, it jumps straight past that blocking frequency and into a range that normally you wouldn't be able to get access to. At that point you can then open up the squelch as if you got a signal and save the frequency wherever you wanted to. This will let you open up the entire police scanner from 0.5 mega, 0.5 kilohertz, all the way up to 999.995 megahertz.

With the PRO-23, 25, 46 and 51 handheld scanners, which were made by Uniden along with various other Uniden radios, depending upon what model number they made them under, there are all sorts of keypad tricks for holding down buttons on it and turning it on. The instruction book actually says hold down the 2 and 9 keys while turning on your power and the radio totally resets; all your frequencies are lost. But if you hold down 2, 9 and the lockout key when turning it on, you now erase all the memories and you fill memory banks one through 25 with test frequencies. 2, 9 and manual does totally different test frequencies than 2, 9 and lockout, and only one through seven are filled with these test frequencies for workbench use. 2, 9 and the band button, or 2, 9 and the monitor button, will do a display test which will cycle through all the various characters on the display, useful if you've ripped the thing apart or rebuilt it or somehow fixed it up and combined it with other parts and you want to see if the display works properly.

The cool thing about the 2, 9 and lockout is, as I stated before with the PRO-43, when it jumps outside of its normal range, you already get frequencies right here that are outside the range that those scanners are supposed to be able to tune. So without even opening it up, without even hardware configuring it or anything like that, you already have frequencies that are outside the normal range.
And all you have to do is go to these frequencies and tell it to search up or search down, and it'll already be inside of those bands, and you could go to the extremes of it and store those frequencies elsewhere in other memory areas. 14, 15 and 16 are in the 66 to 88 megahertz range, and 23, as you can see, is within the cellular telephone range. That will let you listen to cell phones. All you have to do is go to the upper and lower limits and you could pretty much have a blast listening to whatever analog cell phones you want to, until of course the cell phone companies decide to totally abolish and lock cell phones altogether.

For ham radio, some of the most common ones are the MARS/CAP mods, which are extended transmit abilities. Certain forms of extended reception, such as AM aircraft like with the Alincos, cellular, VHF, UHF and even 800 megahertz. With some radios they would actually ship them with the 800 megahertz range allowed and all the electronics necessary to tune it, and all you have to do is clip a wire or otherwise modify it by changing diode configurations and resistor configurations, and you can now listen to 800 megahertz. The reason why they even do this is because in order to receive out of band it requires further FCC approval and certification. So they ship it purposely crippled and let the user modify it to enable those added features. They say, well, it's not FCC approved though, but I seriously doubt the FCC is gonna raid your place and kick down the door because you're now listening to the police on 155 megahertz, which is outside your ham radio range. But you never know, they could still bust you for that kind of stuff. Features for specific countries, such as their transmit and receive ranges, repeater tone control, repeater offsets and various other features for specific countries.
And for the model configurations, there are certain pieces of hardware that are or are not available, such as with some of the radios the 800 megahertz range, or dual band, such as 70 centimeter versus two meter, where they'd use the same CPU but certain pins would tell the CPU what model of radio it's in, indicating what frequencies you can tune into.

MARS/CAP, as many of you people out there have probably modified ham radios. No? It is a feature which many people, as an acronym, have heard of but still don't know what it means. Military Assisted Radio Service is what MARS stands for. It's a service where ham radio users apply their services and apply their hardware to patch telephone calls in wartime emergencies, disaster areas and things like that. Civil Air Patrol was started back in World War II with civilian aircraft spotting German U-boats off the east coast, and they're still used nowadays. You never know when it might be needed; if we ever go to nuclear war we might need to spot a nuclear bomb 30 seconds before it hits the ground. Yeah, search and rescue is also what it's used for as well, which I was about to cover. A friend of mine is in it as well. And these bands are generally 130 to 170 megahertz, or 115 to 170 megahertz, sometimes more, sometimes less, depending upon what the ham radio companies decide to manufacture in.

One of the other things I've found is, especially if you're into MARS/CAP like a friend of mine is, and he did modify one of his ham radios, he frequently loaned it to someone else and was constantly afraid of this person using and abusing the out of band transmit abilities, which of course he wasn't supposed to let that person use. With many of these ham radios you have to reset the radio with a keypad combination or something like that in order to complete the modification.
So what you do is you modify the hardware, cut the wire, remove the diode or whatnot to actually modify it, reset the radio, and then unmodify the hardware but don't reset the radio for that last final little stage. That would pretty much not finalize the mod, and it could still work in the MARS/CAP range, but all you have to do is reset the radio and the radio is now restored back to its original factory configuration. And you can go ahead and loan it out to your friend at that point and let him use it without him having the ability to use that.

One of the things out there that I have found is software hacks. With many of the ham radios and radio scanners having computer interfaces available for them, this lets you do all sorts of really interesting things, which with many of the early radios you could actually take advantage of, such as with the FT-50 for example. What you can do is hex edit the saved data files, in the case where the saved data file is basically a direct memory dump of all the information inside the radio scanner's RAM or EEPROM memory; the software just dumps it all out as a computer file. You can then go in with the hex editor, change this information, such as letting you go out of band or things like that, and then re-upload it to the radio. This can also be used for hardware configurations and whatnot. You can intercept or emulate the data transfers by writing your own custom software to let you do these various things, or even, if it's possible, directly edit the device's EEPROM or RAM memory with an in-circuit reader-writer. Of course that'd be pretty darn complex, and I would love to see someone out there design that, but that's beyond my abilities.

Blank.gif is a file I commonly use on some of the websites I've designed; it's basically a one pixel by one pixel transparent GIF.
This gives you an idea of what a computer file looks like when you view it in hexadecimal form, which is how the computer sees it. For the RDF file that the FT-50 uses for the saved data configuration, you can see 5E3 hex; at that specific spot in memory is where the configuration for the hardware is, what country code it's configured for. This is also backed up at CE7H as well, which are the hex addresses for where those are. What you can do is, these two cannot be modified at the same time. You can't modify these and send it out to the radio, because the radio will check that and say whoops, you're trying to upload a file meant for a totally different radio, I'm not going to allow that, and give you an error message on the display. So what you can do is change the first one around and then upload the file to the radio at that point, and what it would do is the radio will accept it and look at only the second one and say okay, I'm supposed to accept you, and now it will change itself around, so for instance if you change it over to two hex you'll now have a different country code programmed into it. And then when you re-download from the radio both of those memory spots will be zero two hex. When it comes to saved data files, one thing that they like to do is put in checksums to tell if the file is corrupted or not, or if the user has modified it themselves. As you can see this is kind of a simplified version of checksums right here, which is a simple summing method where you add all the hex characters up and you end up with a single digit to tell if it's been modified or not, or if it's been damaged or otherwise corrupted. Well, as to what kind of checksumming is used, some of the programmers can get really bored and use all kinds of weird things, even quantum math if they wanted to, to form some hundred character checksum. It could happen, but the most common find is just simply summing it all together.
And as you can see right here, when this one goes up to two hex the checksum goes up one as well. This is almost an instant telltale sign that they're just simply using the summing method of checksumming. And as you can see, when this one goes up to 20 hex this goes up to 50 hex as well, makes the 10 jump, and when this one goes down one, so does this. All you have to do is, when you find out where the checksum is being stored by changing small simple bits of information and looking at where those changes are actually taking place in the checksum, at that point you know where the checksum is, and when you go in and change whatever little bit of information you want to, what frequency or whatnot, change the checksum equally up or down along with it. If they use a more complex form of checksumming, well, you'll have to figure that one out on your own. Another form of data transfer that they use is they don't do a direct memory dump. In this theoretical model it just simply sends out a block of information saying I want you to do this frequency in this memory bank. The advantages of this are it can be a lot faster to upload the information or download the information to or from the police scanner or ham radio, because there's a lot less information being sent into and out of it. And as you can see right here, the first one sent out is just a simple wake up, here comes some information; it sends out the various frequencies, such as channel one to be the priority channel and channels one, banks one and two to be scanned, and all of this off. Then it tells it it's all done with the interface and to go back to normal operation. In this theoretical model, as you can see, these first characters sent out are the memory slots the radio goes into for a hundred channel police scanner. And then as you get down here other codes are sent out to give it other bits of information.
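The additive checksum the speaker describes, as an added example that is not part of the talk and not any radio vendor's software: a constructed 15-byte "configuration record" (byte 3 standing in for the country-code field) with a one-byte sum trailer. It shows the telltale the speaker mentions (a +1 on a byte gives exactly +1 on the checksum), why a sum trailer gives a device no tamper evidence, and, as the defensive contrast, that a keyed HMAC trailer over the same record cannot be re-fitted by someone who only holds the file. The key and record contents are assumptions made up for the example.

```python
import hmac
import hashlib

# Constructed 15-byte "configuration record" standing in for a radio's saved
# data file; nothing here is a real radio format. Byte 3 plays the role of the
# country-code field discussed in the talk.
SAMPLE_PAYLOAD = bytes(range(15))


def sum_checksum(data: bytes) -> int:
    """Additive checksum the talk describes: sum of every byte, kept to one byte."""
    return sum(data) & 0xFF


def build_sum_record(payload: bytes) -> bytes:
    """Append the one-byte sum checksum to the payload."""
    return payload + bytes([sum_checksum(payload)])


def verify_sum_record(record: bytes) -> bool:
    """A device using the simple method accepts any record whose last byte matches the sum."""
    return sum_checksum(record[:-1]) == record[-1]


def checksum_delta(payload: bytes, offset: int, new_value: int) -> int:
    """How far the sum checksum moves when byte `offset` is set to `new_value`.

    For an additive checksum this equals the byte's own change (mod 256): the
    telltale from the talk, +1 on the byte gives +1 on the checksum.
    """
    edited = payload[:offset] + bytes([new_value]) + payload[offset + 1:]
    return (sum_checksum(edited) - sum_checksum(payload)) & 0xFF


def tamper_and_fix(record: bytes, offset: int, new_value: int) -> bytes:
    """Edit one payload byte and recompute the trailer.

    Demonstrates that a sum checksum detects corruption but not tampering:
    whoever can edit the file can also make it verify again with no secret.
    """
    payload = record[:-1]
    edited = payload[:offset] + bytes([new_value]) + payload[offset + 1:]
    return build_sum_record(edited)


# Keyed alternative. KEY is an assumed secret held by the device and its
# programming software and never stored in the file.
KEY = b"constructed-demo-key"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def build_hmac_record(payload: bytes, key: bytes = KEY) -> bytes:
    """Append an HMAC-SHA256 tag instead of a sum byte."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify_hmac_record(record: bytes, key: bytes = KEY) -> bool:
    """Only a party holding `key` can produce a trailer that verifies."""
    payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def hmac_tamper_survives(record: bytes, offset: int, new_value: int) -> bool:
    """Edit a payload byte in an HMAC-protected record without touching the tag
    and report whether it still verifies (it should not)."""
    edited = record[:offset] + bytes([new_value]) + record[offset + 1:]
    return verify_hmac_record(edited)


if __name__ == "__main__":
    rec = build_sum_record(SAMPLE_PAYLOAD)
    print("sum checksum:", hex(rec[-1]))
    print("delta for byte 3 +1:", checksum_delta(SAMPLE_PAYLOAD, 3, 0x04))
    print("delta for byte 3 -> 0x14:", checksum_delta(SAMPLE_PAYLOAD, 3, 0x14))
    print("sum record verifies after edit+refit:",
          verify_sum_record(tamper_and_fix(rec, 3, 0x04)))
    hrec = build_hmac_record(SAMPLE_PAYLOAD)
    print("HMAC record verifies:", verify_hmac_record(hrec))
    print("HMAC record verifies after edit:", hmac_tamper_survives(hrec, 3, 0x04))
```

The design point for anyone building a device that accepts uploaded configuration: a sum byte is fine for catching a bad serial transfer, but it is not an integrity check. If the firmware must trust that a record came from its own programming software, the trailer has to depend on a secret (an HMAC, or a signature verified with a public key baked into the firmware), and the verify step should use a constant-time compare as above.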
But what happens is you actually send out other codes, like what does a two hex do, a three hex, and other things; you can possibly get it to go into test modes, change the hardware or other things, and change various other forms of configuration with it. Direct edits of the device's memory. One thing you can do is, such as with the CueCats, if you really want to change the serial number, desolder the EEPROM chip instead of declawing it and drop it into some kind of reader-writer unit and change the serial number to, let's say, 00000031337. Another thing you can do is use a reader-writer to take the information, instead of directly editing it inside the chip (which some will let you do), save it as a file, hex edit it using their existing software to upload and download the file from your reader-writer unit, hex edit it as before, and then re-upload it to the chip and re-solder it into place. Another thing you can do with the CueCat as well, which a friend just told me about half an hour before this little speech, is take the data line, and when you declaw it and cut that little trace on the board, instead tie that trace straight to ground. Now although I haven't had a chance to try that yet, he said that theoretically it should let it output all zeros instead of giving some erroneous information and errors in the serial number. Let's see the Digital Convergence company try to track a serial number with all zeros when half the country has that. One thing you can also do as well is, if someone actually goes out and takes the time to make it, have an in-circuit EEPROM reader-writer that'll let you read and write the RAM or the EEPROM chip or flash memory or something like that directly inside the unit without having to desolder and take it out.
Of course all this information is covered and is basically the same information as to how you'd hack digital television signals and whatnot, but it also applies to all sorts of other little things as well when you mess around with smart cards or all sorts of things. One thing to do is to practice with video game emulators, for example by editing the saved game information that some of them have. This lets you get some practice messing around with checksums, hex editing, finding locations to actually edit, things like that. And that pretty much concludes this little presentation of mine. You can find this slideshow at this website which I have right here if you actually want to view it, along with of course these cute little pictures of mine which are also my Windows wallpaper as well. And although I haven't had a chance to upload this yet because I've been busy with various other things here at the convention, I hope to have this uploaded tonight, so if you go to this URL like right now it'll come up with a nice little 404 error message. Does anyone have any questions? Yes, you. Could you please repeat that? Tradezone.com? Free Trade Zone. Oh, Free Trade Zone. I've never actually been there, yes. FreeTradeZone.com might have some information on this. I haven't seen it myself so I can't tell you exactly what is or is not there, so anything else from anyone? Yes, you. Cellphones, ooh, I was gonna cover that. Cellphones usually have a customized chip which has everything built into it. The code which is stored, which is actually the computer program itself, the firmware. Everything stored on one single chip.
Many times these chips are actually meant to be programmed only once, with certain data lines then tied straight to ground or something like that. The memory that's used inside them could be an EEPROM for firmware updates if it's ever sent back to the factory, or it could possibly simply be a PROM chip, programmable read-only memory, and then, having only had the information sent to it once, you can no longer reprogram it or anything like that. All the other information, such as the EEPROM which stores the ESNs and various other serial numbers, that is stored within the chip itself and usually that is extremely hard to get to unless you actually first modify the code to then let you get access to it. So with the newer cell phones it's virtually impossible unless you know some secret trick that I don't, but with many of the older cell phones, especially the ones that have the EEPROM chip soldered separately on the board or have the ROM chip for the software such as with the Oki 900, you can then go through, rewrite new firmware to the ROM chip, solder on the ROM chip or put in a socket if you're lucky enough to have a socketed Oki 900, and then you can gain access to changing the ESNs. Anything else? Yes, you. Yeah, when you're changing the country code for example in a radio that does a direct dump of all of its RAM, I have only seen usually only the ACU radios do that, but for other future ham radios and police scanners, now that more and more of them are coming out with computer interfaces, it all depends upon what the companies actually tend to do. Most police scanners I found, all the companies try to copy each other feature-wise, like what Microsoft does. Imitation is the sincerest form of flattery, oops. I mean imitation is the sincerest form of flattery. I mean innovation is the sincerest form of flattering.
So of course, that's why many of the ham radios and police scanners all use diodes while many of the caller ID boxes, even ones from other companies, use solder pads and blobs of solder on them. When you're directly editing the information as a saved data file with a hex editor, or however you're directly editing it, to look for the checksum, that would be kind of hard to look for and you'd have to change a lot of information around and figure out pretty much what you're doing. Another thing you can also do is find configurations from friends in foreign countries and compare the information together to figure out exactly where this information is stored and what bits and bytes change here and there. It can be a lot of work figuring out where this information is stored, though, but of course that's part of the fun of it as well. Yes. Have you ever fried a device? Have you ever fried something by changing around the configurations? Not yet, but of course I'm going to one of these days. So that's the one thing to keep in mind: when you fry your device, not if, but when, years down the road, you fry your device, do not blame me for seeding this information into your head. Anything else? Oh, yes? Yeah. Yes, good point. By changing the configurations themselves you might not actually fry the device directly, but you might tell for instance the CPU to use a piece of hardware, a microchip, that's not available there, and it's trying to use it and could eventually burn itself out, possibly in a matter of seconds, possibly in a matter of years. This is a theoretical possibility which I haven't come across yet, but it could be possible with some of the devices that are going to be released out in the future. Yes. The Palm Pilot itself, no modifications that I know of, or any of the other PDA devices, except for adding memory; when you add memory, usually there are no resistors or solder pads or anything like that to configure or change the device.
The CPU just simply scans what memory is and isn't available and says, okay, I got two megs, I got four megs, or something like that. There could be lots of other configurations as well and ways of doing it. Yes. Could you please repeat that? Yes. They have, Handspring, white papers on this on their website, as well as all the programming and software which might want to create any devices you want to include. Yes, the Handspring. For creating the Handspring modules, what you can do is, as this individual had just pointed out, all the specs are available for the various connectors on it, for what memory can be added or address ranges or things like that. With many of the sockets, they meant for people and companies to come out with upgrades and add-ons, and this can be documented. It might be difficult convincing them to tell you the information because you're not some big multimillion dollar company but in fact some private little individual; they'll be a lot less likely to tell you. Anything else? Yes. Yes, as this individual had pointed out, one of the things is the Handspring upgrade socket is electrically seen as a PCMCIA slot, even though the card design, the socket design, the pinouts, et cetera are shuffled around and configured differently. So you could possibly, if you're interested in hacking the Handspring, look up the information on PCMCIA slots. Any other questions? Anyone might have? Any heckles? Well, that pretty much concludes my little speech. Hope you enjoyed it. And I shall hand the mic over to...