Are you are a looking for a good outsource firm for your mobile phone forensics in the UK?

Check out DGI in Leeds. Headed up by Stephen Hirst (Ret. HTCU West Yorkshire Police Force) an innovator and leader in the mobile forensics field, DGI is a full service forensic shop that gets the job done quickly and efficiently.

My apologies, Its been a long time since I’ve posted. Here are some service codes for several handset manufacturers

LG

*6861#  factory reset

*8375#

#668#

*#3646633#

*0#

*3241#

*3240#

*0008# language

*0009# language

*0000# language

*7674#

*76863#

*77463#

*72337#

*79763#

*7245786#      check read FFS

*762442#        GVCMMI Magic

###765*02#

###765*05#

###765*08#

###765*07#

###765*78#

1945#*5101#  sim lock menu

2945#*5100#

Nokia

*#06#                IMEI

*#0000#            view Software Version

*#746025625#    [*#sim0clock#]

*#92702689#      [*#war0anty#]   secret menu:

 1. Displays Serial Number

 2. Displays the Month and Year of Manufacture (0997)

 3. Displays (if there) the date where the phone was purchased

 4. Displays the date of last repairment - if found (0000)

 5. Makes you capebel of transferring user data

 6. Shows how many hours the phone has been on

*3370#      Enhanced Full Rate Codec (EFR) activation

#3370#     Enhanced Full Rate Codec (EFR) deactivation

*4370#      Half Rate Codec activation

#4370#     Half Rate Codec deactivation

xx# - xx position in Phone Book

NOKIA 9000

*#06#   IMEI

*#682371158412125#  soft version

*#3283#    prod. date

NOKIA 7650

*#7979#    phone reset

*#7470#    hard reset

*#7370#    master reset (like new phone)

Motorola

*#06#      IMEI

in permament test mode

(* hold 2 sec)

***113*1*[OK] net monitor

T205/T19x (ACER)

*#300# OK    List the Software and Hardware version

*#301# OK    Full Keypads functional Test

*#303# OK    Set Default Language to English

*#304# OK    Set OFF engineering mode

#304*19980722# OK    Set ON engineering mode

*#305# OK    Location: 1 OK

*#307# OK    Engineering Test Mode

*#311# OK    Phone code changed to default code

*#400# OK    ADC, Cal val*

*#402# OK    Adjust Display Intensity / Contrast

*#403# OK    List the Manufacturing Informations

19980722 OK   Master Unlock code for Phone and Sim Lock

*#302# OK    Acoustic test*

7.1 Greeting

7.2 Main VlmGain

7.3 Input Cal

7.4 Output Cal

7.5 Side In Gain

7.6 Vox Gain

7.7 Min Mic Engy

7.8 More

(a) In Vlm Gain

(b) Aux Vlm Gain

(c) Silence Prd

(d) Supp Prd

(e) In Volume

(f) Out Volume

(g) Icon

(h) Image

(i) Animation

*3370#   EFR ON (enhanced full rate)

#3370#  ERF OFF

*#72837726# OK  Confirm ?, Data saver

1234 OK      Phone code default

*#0000# OK   Setting saved, restore set phone do default language

*#0048# OK   Fast change polish langpack

*#0007# OK   Fast change russian langpack

MOTOROLA 3xx

*#06# and quick ‘menu-key’ and 048263* (Push the key quickly!)

and entering at field “OPTCODE” you must try several times.

If not working try with MOTO TEST CARD inserted.

Security code - 32*118*1*0*0

Model - 32*279*1*0*8

Flex ver - 32*383*1*0*0

Master Reset - 18*0

Master Clear - 18*1

Set band GSM 900 - 10*0*3

Set band DCS 1800 - 10*0*4

Set band PCS 1900 - 10*0*5

Set dual band GSM 900/1800 - 10*0*6

Read band - 10*1*0   => 3-GSM, 4-DCS, 5-PCS, 6-GSM/DCS

User code - 32*116*1*0*0 /coded:00310032003300340000 - 1234/

Read imei - 32*4*1*0*0 “OK” /coded:083a05092700247709 - 350907200427799/

47*4*1*0*9*081A32547698103254 => IMEI=123456789012345

it is possible to change IMEI

Sony Ericsson

*#7465625*12*12345678#, 7465625 means SIMLOCK and 12345678 is number

                                        that you get from the unlock program

For SIM code: *#7465625*XX*(8-digit received SIMcode)#

XX can be:

12 for NCK lock

22 for Provider lock

32 for Network lock

42 for SIM code lock

52 for Subset lock

62 for Corporate lock

72 for IMSI personal

99 for IMSI range

For WAP code: *#9275625*11*(8-digit received WAP code)#

*#06#      IMEI number

*#00xx#   Changes language (xx is your country code)

*#0000000#  Resets language to auto selection

*#8378       *#TEST Reset your phone

*#7465625#  *#simlock# -> Displays SIM lock status

*#7353273#  *#release# -> Display firmware version

*#39482633#  *#EXITCODE# -> Shows phone latest failure causes

*#78737322867973738#  *#superfactoryreset#

                                     -> Reset personal data (remove SIM card first)

*#73287489263373738#  *#securitycodereset#

                                     -> Reset security code to 0000 (remove SIM card first)

*#8654#   Test phones keystroke

*#77343#  *#PREGE# -> Activates MONITOR MODE on J5/J6

*#7669666#  *#SONYMON# -> Activates MONITOR MODE on J7/70/27

*#275781#  *#ASKRT1# -> Still unknown

*09*(PIN code)# -> Turns PIN code on

#09*(PIN code)# -> Turns PIN code off

Samsung

*#06#        Show IMEI

*#9999#    Show Software Version

*#0837#    Show Software Version (instructions)

*#0001#    Show Serial Parameters

*#9125#    Activates the smiley when charging

*#0523#    LCD Contrast

*#9998*228#    Battery status (capacity, voltage, temperature)

*#9998*246#    Program status

*#9998*289#    Change Alarm Buzzer Frequency

*#9998*324#    Debug Screens

*#9998*364#    Watchdog

*#9998*377#    EEPROM Error Stack - Use side keys to select values

*#9998*427#    Trace Watchdog

*#9998*523#    Change LCD contrast

*#9998*544#    Jig detect

*#9998*636#    Memory status

*#9998*746#    SIM File Size

*#9998*778#    SIM Service Table

*#9998*785#    RTK (Run Time Kernel) errors - if ok then phn is reset,

                       info is put in memory error

*#9998*786#    Run, Last UP, Last DOWN

*#9998*837#    Software Version

*#9998*842#    Test Vibrator - Flash the screenlight during 10 sec

                       and vibration activated

*#9998*862#    Vocoder Reg - Normal, Earphone or Carkit

*#9998*872#    Diag

*#9998*947#    Reset On Fatal Error

*#9998*999#    Last/Chk

*#9998*9266#   Yann debug screen (Debug Screens?)

*#9998*9999#   Software version

*0001*s*f*t#   Changes serial parameters (s=?, f=0.1, t=0.1)

*0002*?#   unknown

*0003*?#   unknown

FOR NEW SGH (R210, T100, A300…)

if code is in format *#9998*xxx#

try write in this       *#0xxx#

SGH-600

SGH-2100

*2767*3855#   Full EEPROM Reset (THIS CODE REMMOVES SP-LOCK! 

                      but also changes IMEI to 447967-89-400044-0

*2767*2878#   Custom EEPROM Reset

SGH E700

*2767*688#   remove USER CODE and SIMLOCK

SGH V200

Unlocking:

Power on the phone without SIM card and type these codes:

*2767*63342#  and press green button

*2767*3855#    and press green button

*2767*2878#    and press green button

*2767*927#      and press green button

*2767*7822573738# press button

Phone will be unlocked, but all trims are reseted !!!

Mobile phone must be fully charged

SGH S500

Unlocking

*2767*MVT# (*2767*688#) E2P MVT Reset

*#SIMLOCK# (*#7465625#)

The bug I identified in this post has been fixed. Cheers to Susteen for getting on the issue once identified and fixing it. 

My good friend Troy Lawrence from Ft. Worth P.D. wrote this white paper on how to get around a passcode on an Iphone. In Troy’s own words

“We had an iPhone come in this week that was involved in a Homicide case.  Of course, the phone had a passcode on the hand set.  With the help of someone at the FBI, I was able to get passed the passcode.”

Thanks for sharing Troy!

Iphone Passcode Work Around

Susteen has stated that they found the error causing the misreporting of the times that I discovered when I downloaded an LG Fusic.  They have promised a fix out soon….woot! Now if it would just get the SMS and deleted stuff…;-) 

I discovered a serious error in Secure View while doing a forensic examination of an LG Fusic (LX 550) on a drug overdose case. It turns out that the call records as downloaded by SV, are showing a +3 hr (to EST) time offset. This caused detectives to focus their interviews on individuals that they believed were lying to them. This information was also sent to other agencies including the DEA. There was even a call on the phone that showed up in SV that wasn’t in the call records (this software doesn’t get deleted data).

Unfortunately, SV is the only software that downloads the Fusic (BitPim downloads raw data). We were unable to validate the data that SV had downloaded until the call records came in (yes we should have looked at the phone itself ).

After sitting down with the phone, the call records and the SV report, I discovered the above. SV did have the time right just three hours more than it should have been.

Also, I discovered a couple of interesting anomalies in the call records as downloaded by SV. These are in addition to the 3 hour difference.

• Dialed Calls-The time showed in the dialed calls shows the end time of the call and the duration. The call records show start, end and duration
• Received calls show the beginning time of the call. The call records show start, end and duration.
• Missed calls show the end time of the call and only one missed (from the same number). The call records show start, end and multiple entries if there.

The carrier on this phone is SPRINT. I hope this is just an anomaly limited to the Fusic. However, I think it prudent that all downloads using SV be validated to make sure errors are not occurring.

I have been in contact with Susteen and have made them aware of this problem.

I’ve been playing around with a Motorola V3c on a case (CDMA RAZR variant)…and have had moderate success with a number of different pieces of software. In general I can get the contacts and call records (not date/time though just index) from the following pieces of software.

• DP Secure View
• MobilEdit
• BitPim

Curiously, I cannot get Device Seizure to even recognize this phone exists. I of course have to connect over its modem which has been seen on a virtual COM port (16 in my case)…DS just refuses to see the phone.

 I may try to hook up to it via the Hyperterminal but it sure would be nice not to have to do this the hard way…

 Anyway while looking at the filesystem in BitPim, I managed to find the location of the SMS messages (not parsed). They are located in

nvm/seem/syn_messages

I know there is an index which helps mark these up but I havent tried to suss that out yet. What’s cool is that I’ve found some previous messages in there as well…and I’m not talking about a Quick Notes/SMS dump ala Device Seizure either…..

More to come on this one..

 M

I’m back after an absence. Its been crazy…moved offices, got a new job description (same stuff extra hat to wear )…you know life..

If I havenet mentioned this site before it certainly was an oversight on my part. This site is a absolutely fabulous resource for an examiner of CDMA Motorola Phones. I’ve used it many times.  My Thanks to Mark for all his efforts! Enjoy.

http://mark.cdmaforums.com/index.php

This site may help you when looking for test points, JTAG connectors or other ways of getting into a Nokia phone to get it to give up its information

http://www.uselessinfo.pwp.blueyonder.co.uk/nokia-dismantle.htm

Kudos to DS Pat Morrissey of An Garda Siochana for discovering and sharing this site!

I found these doing some research.  They work will some variance on one of my test 6015i phones. Your mileage may vary.

 entry point *3001#12345#

*Note: These are PRI dependent. Some carriers may have them disabled or use *# instead of ## or using different code that spells differently for the same function (e.g. ##DATA# or ##BEARER# on some phones). }

Dial-A-Codes
##837# or *#837#(”VER”) … Displays version screen (also accessible by [Menu]-[6]-[2]).
##66767# or *#66767# (”MOSMS”) … Displays a selection screen to allow toggling of MO-SMS (Message Over : Simple Message Service) mode.
##743# or *#743# (”SID”) … Displays the current SID.
##24# or *#24# (”CH”)… Displays the current Channel.
##786# (”RUN”) … Displays the Diagnostics menu which contains the Life Timer, Reconditioned Status, PRL, your number, and an Options menu which allows you to turn on the Service Screen (Net Monitor) or Restore Defaults (which resets the phone to factory settings). To restore defaults, you must enter the SPC/MSL code at the prompt.
##889# (”TTY”) … Displays a selection screen to allow toggling of TTY mode. (This code is referenced in the official Sprint manual.)
##7738# (”PREV”) … Displays CDMA mode menu, which allows you to select IS-95A, IS-95B, or IS-2000 modes.
*#7738# (”PREV”) … Displays CDMA mode menu, which allows you to select IS-95A, IS-2000, or Analog modes.
##8626337# (”VOCODER”)or *#3872# (”EVRC”) … Displays the EVRC settings menu, which allows you to select the EVRC mode as On, Off, or Home Only.
##2539# (”AKEY”) … Allows you to change the service-specific Authorization Key via the keypad. When the phone asks for Service programming code, enter the SPC/MSL for your phone.
*#639# (”NEW”) … Allows you to change the MDN (phone number) registered in the phone. When the phone asks for Service programming code, enter the SPC/MSL for your phone.
*#775# (”PRL”) … Allows to toggle the use of PRL.

##nnnnnn# … Where nnnnnn is a six-digit number (no more, no less), input will return to the main screen unless the number happens to be your SPC/MSL, in which case you will be taken to the Phone Programming menu which allows you to change the MDN (phone number) registered to the phone. (I don’t know if some other combinations in this domain do something or not, but they all appear to reset the display after entry unless you use the SPC/MSL, which is usually a hash derived from your ESN and is typically service-specific.)

Other Codes
Hold # at the main screen for 3 seconds … Displays the Life Timer in HH:MM format.