The Sprint PCS Network
by ~sn0crash (sn0crash@DigitalPhreak.net)
I have recently learned a little more about the Sprint PCS cellular network, and I would like to share this info with the readers of 2600. This info applies more to Columbus, Ohio than anywhere else, but if anyone else knows about another city I would love to hear about it.
From my understanding, cell phones use three major IDs so the network knows who's who and who's allowed to make what calls.
These IDs are the Electronic Serial Number (ESN), the phone number of the cell phone, and the System ID (SID). The SID identifies the system, i.e. your home city.
When you place a call, the network matches your phone number against your ESN to determine if you're a legit user of the network. Then you can make your call. If you're roaming, the cell network you're on forwards the call information (number called, duration, etc.) to the system identified by your SID. Your home city then processes this information and bills you. So, theoretically, if you change your ESN and phone number and set the SID to a city you're not in, you'll get free cell calls. This is where cell phone cloning comes in.
Aside from the general concept of how cell calls are placed, which I'm still learning, I'd like to touch on the Sprint PCS phone itself. The phone I'll be talking about is a Sanyo SCP-3000. I found that if you remove the battery, the label underneath shows the ESN in both hexadecimal and decimal. If you were to go to a Sprint PCS store I'm sure you could "look" at one of their phones, clone it, and make calls on it: the phones in their stores are active and can call anywhere in the U.S. When you purchase a phone they program it at the store, but if you move from one home city to another you can just call them and they will walk you through reprogramming it. This is where I come in.
On this particular phone if you press [MENU] and then 7 it will take you to the Setup menu. If you press 0 you get to a Field Service option that is password protected (6-digits).
I haven't been able to get this password out of them yet. Now, if you press [MENU] and then 4 you will go to the Display menu. From here you hit 0 again. Surprise, surprise: another area with a password.
For Columbus and maybe even Sprint PCS the code is: 661649
This will put you into a Config menu, where every option can be edited. You will have the following:
- ESN - Electronic Serial Number
- NAM 1 Phone Number - Your phone number.
- NAM 1 Home SID - Columbus is 4418 (Denotes your home city)
- NAM 1 Name - "Sprint PCS" (Can be anything you want, it's displayed on boot)
- Service Security Code - This is the code you entered to get here.
- NAM 1 Lockout System - Don't know??
- NAM 1 CDMA Phone Number - Your phone number.
- NAM 1 Mobile Country Code - 310 (the Mobile Country Code for the U.S.)
- NAM 1 Mobile Network Code - 00 (identifies the carrier within the country; which carrier 00 maps to I don't know)
- NAM 1 Mobile Station ID # - Your phone number.
- NAM 1 CDMA Home SID - Columbus is 4418 (Same as above)
- NAM 1 AMPS Phone Number - Your phone number.
- NAM 1 AMPS Home SID - Columbus is 4418 (Same as above)
- Phone Model - 7 (Don't know??)
- Slot Cycle Index - 2 (sets how often the phone wakes up to listen for pages in CDMA slotted mode; a higher index saves battery but slows incoming-call setup)
- NAM - Number Assignment Module; the non-volatile memory that holds the phone's telephone number and ESN.
- CDMA - Code Division Multiple Access, the digital air interface the Sprint PCS network runs on.
- AMPS - Advanced Mobile Phone Service, which is used for analog cell transmission.
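Two of the fields above are stored in the NAM in a form the Config menu hides from you: the ESN on the battery label is one 32-bit number printed two ways (the decimal form is a 3-digit manufacturer code followed by an 8-digit serial), and the phone number (the "Mobile Station ID #") is kept as the MIN1/MIN2 bit fields defined in EIA/TIA-553, where a dialed 0 is encoded as 10. The following is an added example, not code from the article or from Sanyo/Sprint, that converts the ESN between its hex and decimal forms and encodes/decodes a 10-digit number to MIN1/MIN2. The ESN and phone number used are constructed sample values (the ESN here is made up and the 555 exchange is fictional), not a real phone's.

```python
"""ESN hex<->decimal and phone number<->MIN1/MIN2 conversion (added example).

ESN: 32 bits = 8-bit manufacturer code (MFR) + 24-bit serial.
     Decimal form on the label is MMM SSSSSSSS (3 + 8 digits).
MIN: EIA/TIA-553 encoding of the 10-digit directory number NPA-NXX-XXXX.
     MIN2 (10 bits) <- NPA;  MIN1 (24 bits) <- NXX (10 bits) | thousands digit
     (4 bits) | last three digits (10 bits).  Digit 0 is encoded as 10.
"""


def esn_hex_to_dec(esn_hex: str) -> str:
    """'8B123456' -> '13901193046' (MFR 0x8B = 139, serial 0x123456 = 1193046)."""
    value = int(esn_hex, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("ESN must fit in 32 bits")
    mfr, serial = value >> 24, value & 0xFFFFFF
    return f"{mfr:03d}{serial:08d}"


def esn_dec_to_hex(esn_dec: str) -> str:
    """Inverse of esn_hex_to_dec; rejects values that do not fit the fields."""
    if len(esn_dec) != 11 or not esn_dec.isdigit():
        raise ValueError("decimal ESN is 11 digits: MMMSSSSSSSS")
    mfr, serial = int(esn_dec[:3]), int(esn_dec[3:])
    if mfr > 0xFF or serial > 0xFFFFFF:
        raise ValueError("manufacturer code or serial out of range")
    return f"{(mfr << 24) | serial:08X}"


def _d(c: str) -> int:
    """EIA/TIA-553 digit value: '1'..'9' -> 1..9, '0' -> 10."""
    return 10 if c == "0" else int(c)


def _three(s: str) -> int:
    """Three digits -> 10-bit field: 100*d1 + 10*d2 + d3 - 111 (0..999)."""
    return 100 * _d(s[0]) + 10 * _d(s[1]) + _d(s[2]) - 111


def _unthree(v: int) -> str:
    """Inverse of _three; each digit value is 1..10, so peel from the right."""
    n = v + 111
    digits = []
    for _ in range(3):
        d = n % 10 or 10          # a 0 remainder means the digit value was 10
        digits.append("0" if d == 10 else str(d))
        n = (n - d) // 10
    return "".join(reversed(digits))


def encode_min(number: str) -> tuple[int, int]:
    """10-digit NPANXXXXXX -> (MIN1, MIN2)."""
    if len(number) != 10 or not number.isdigit():
        raise ValueError("expected a 10-digit directory number")
    npa, nxx, x1, xxx = number[:3], number[3:6], number[6], number[7:]
    min1 = (_three(nxx) << 14) | (_d(x1) << 10) | _three(xxx)
    min2 = _three(npa)
    return min1, min2


def decode_min(min1: int, min2: int) -> str:
    """(MIN1, MIN2) -> 10-digit directory number."""
    if not (0 <= min1 < 1 << 24 and 0 <= min2 < 1 << 10):
        raise ValueError("MIN1 is 24 bits, MIN2 is 10 bits")
    t = (min1 >> 10) & 0xF
    thousands = "0" if t == 10 else str(t)
    return _unthree(min2) + _unthree(min1 >> 14) + thousands + _unthree(min1 & 0x3FF)


def nam_fields(esn_hex: str, number: str, home_sid: int) -> dict:
    """The NAM values behind the Config menu entries, as the phone stores them."""
    min1, min2 = encode_min(number)
    return {"esn_hex": esn_hex.upper(), "esn_dec": esn_hex_to_dec(esn_hex),
            "min1": min1, "min2": min2, "home_sid": home_sid}


if __name__ == "__main__":
    # Constructed sample values: made-up ESN, fictional 555 exchange, Columbus SID from the article.
    print(nam_fields("8B123456", "6145551234", 4418))
```

The round trip matters for the edge case the standard handles specially: every 0 in the number becomes a 10 inside the field, so a naive "subtract 111 and split into decimal digits" decoder breaks on numbers like 614-000-0000; `_unthree` peels digits from the right and treats a 0 remainder as a 10 so that case decodes correctly.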
I think this is a little more complicated than it has to be because my phone is dual-mode, meaning it can switch between analog (AMPS) and digital (CDMA) networks, so I have a few more options than a digital-only phone would. Pretty much what it appears to be is the same information repeated for each network.
Now, basically what you have to do is change your ESN and phone number to something else, then set the home SID to match the city that phone number belongs to. Whether it's a real number you've cloned or a total fake, you can make calls for free.
When you place the call, the system in the city you're in registers the phone and gives you the call. Then it forwards that call information to your home city... the SID you typed in... Starting to see the picture?
When the home city looks that info up to bill the person they find out:
- It doesn't exist.
- They find nothing wrong because it's a real number.
Either way, you get the free call, and by the time anyone finds out about it you're finished and the SID and ESN have been changed again.
The only thing I think you might want to consider is that when your phone is on and you have signal... it's traceable.
When you have signal your phone is on the network, registering with the switches and handing off from cell to cell. You would need to turn your phone on, change the info, make your call, change it back, and then turn the phone off until you get a good distance from where you placed the call.
This all might be a bit much, but I think it's a good precaution.
I hope this information assists all you cell phreaks out there, and if anyone else has any other information that may be of some assistance please feel free to share it... I would also like to get the SIDs for all the cities in the U.S. if anyone happens to have access to the info.