========================================================================== OKi 900 / CTEK Protocol Version: 0.99 02.27.99 Reverse Engineered by: dOPEmAN and avoozl additional info by: PoTom ========================================================================== Oki 900 / CTEK Protocol Table of Contents: -------------------------------------------------------------------------- 0.0 - Introduction 0.1 - Greets 0.2 - Disclaimer - 1.0 - Com Port Parameters - 2.0 - CTEK Commands 2.0.1 - Command Structure 2.0.2 - Example - 2.1 - Initialization 2.1.1 - Initialize CTEK 2.1.2 - Set Normal Mode 2.1.3 - Set Test Mode 2.1.4 - Turn off Oki 900 - 2.2 - Operation 2.2.1 - Press a Key 2.2.2 - Release a Key - 2.3 - Transmission 2.3.1 - Set Channel 2.3.2 - Set Carrier Tones 2.3.3 - Set Transmit Power 2.3.4 - Select SAT Tones - 2.4 - Audio 2.4.1 - Set Audio Path 2.4.2 - Mute/Unmute RX Audio 2.4.3 - Mute/Unmute TX Audio 2.4.4 - Set Volume Level 2.4.5 - Set Audio Tones 2.4.6 - Send DTMF Tones 2.4.7 - Recieve DTMF Tones (Still Incomplete) 2.4.8 - Turn Compression Circut On/Off - 2.5 - Status 2.5.1 - Read RSS 2.5.2 - Read Battery Level - 2.6 - Memory 2.6.1 - Read Current ESN 2.6.2 - Read Memory Location 2.6.3 - Write Memory Location 2.6.4 - Nam Checksum - 2.7 - Signaling 2.7.1 - Recieve FOCC Message 2.7.2 - Recieve FOVC Message 2.7.3 - DTMF decode - 3.0.0 - Important Memory Locations - ========================================================================== 0.0 Introduction -------------------------------------------------------------------------- There are only a few commands left to be figured out, if you have any insight into what these might be please email me at dopeman@digitalregime.com The NAM checksum has finally been calcualted after the CTEK protcol has been put on the back burner for a while.. Once again thanks Mark Lottor for all the help in this endeavor.. It's kind of sad that he won't even reply to an email with a 2 sentence answer for the checksum.. You can get the most current verison of this document from the following web sites: http://www.digitalregime.com/oki900/ This document already assumes you are familar with Cellular Phones, CTEK, and the Oki 900. For more information please look at: http://radiophone.dhp.com/ Another good document to check out is the Oki 900 FAQ by IceBerg, which is located at: http://www.geocities.com/ResearchTriangle/6218/ After some time of using DOS software for the CTEK, I realized that there are so many capabilities not taken advantage of (not to menntion the fact that the CTEK software slows down a whole machine in Windows95 to a halt). I deciced to work on writing some CTEK software for Win95. I emailed Mark Lottor creator of the CTEK for information on the CTEK protocol, and was informed that the CTEK was no longer supported by the Network Wizards. This meant the whole protocol had to be reverse engineered, so that I could write some software for Windows95. After some work I found a serial line anaylzer, and began to decode the CTEK protocol. After a week or two most of the protocol had been figured out. All of the information provided here is NOT intended to be sold, or modified in ANY way. For the people trying to sell the CTEK protocol on alt.cellular-tech, sorry Information is meant to be FREE. Below are all of the HEX codes sent, and recieved from the phone. You must wait for all codes to be returned by the CTEK, otherwise your software will crash. If you find any bugs, errors in this document please email me at dopeman@digitalregime.com, or msg me on effnet, in #cellular. ========================================================================== 0.1 - Greets (in no particular order) -------------------------------------------------------------------------- Blundar, POTI, IceBerg, TVMan, Mr Ethos, Dr Who, Spoof, DaVeX ========================================================================== 0.2 - Disclaimer -------------------------------------------------------------------------- The author of this document holds no responsibility for your actions. If you get in trouble because of using the hex codes implimented here that is your problem. ========================================================================== 1.0 - Com Port Parameters -------------------------------------------------------------------------- The com port setting for the CTEK are standard, nothing fancy here: 2400 baud 8 Bit No Parity 1 Stop Bit ========================================================================== 2.0 - Commands -------------------------------------------------------------------------- All of the commands for the CTEK are written like this: Tx: - HEX codes to transmit Rx: - HEX codes to recieve ========================================================================== 2.0.1 - Command Structure -------------------------------------------------------------------------- All commands for the CTEK are grouped into 3 hex codes. The first hex code sent is a header, and the remaining two are the actual command. Here is a list of all headers, and what they mean. C0 - Normal Mode Command C1 Fx By - Test Mode Command (xy is the hex of the test mode command #xy) C5 - Recieve Data from CTEK ========================================================================== 2.0.2 - Example -------------------------------------------------------------------------- This is an example of what the data given below means. If you have trouble understanding this PLEASE stop reading now. Tx: C0 C0 A1 Rx: C0 C0 F1 Transmit "C0 C0 A1" Recieve "C0 C0 F1" ========================================================================== 2.1.1 - Initialize CTEK -------------------------------------------------------------------------- This command initializes the CTEK. It MUST be followed by either the normal mode, or test mode, or the CTEK will not work. Tx: C0 C0 A3 Tx: C0 C0 A1 Rx: E4 C0 B1 Rx: E4 C0 B1 Tx: C1 C0 B4 ========================================================================== 2.1.2 - Set Mode Normal -------------------------------------------------------------------------- This command sets the phone into normal mode. The only commands you can can use in this mode are the Keypress commands. Tx: C0 D5 B3 ========================================================================== 2.1.3 - Set Mode Test -------------------------------------------------------------------------- This command sets the phone into test mode, and gets the Rom version of the phone. w,x,y,z - Bits 1 - 4 of Phone Rom Version Tx: C0 DF B1 Rx: E4 C0 B0 Tx: C1 F1 B7 Rx: C5 Fw Bx Rx: C5 Fy Bz Tx: C1 F1 B9 Tx: C1 F0 B0 Tx: C1 F2 B7 Rx: C5 CB B2 ========================================================================== 2.1.4 - Turn off the Oki 900 -------------------------------------------------------------------------- This command turns of the Oki in normal, or test mode. Tx: C0 C0 A2 Tx: C0 C0 A0 ========================================================================== 2.2.1 - Press a Key -------------------------------------------------------------------------- This command works only in normal mode. The key must be "pressed" for at least 100ms (I.E. Pause 100ms) before the release code is sent. xx - first hex code yy - second hex code Tx: C0 xx yy 1 - C4 B1 2 - C4 B2 3 - C4 B3 4 - C4 B4 5 - C4 B5 6 - C4 B6 7 - C4 B7 8 - C4 B8 9 - C4 B9 0 - C4 BA * - C4 BB # - C4 BC Send - C4 BD End - C4 BE Up - C5 B5 Down - C5 B4 Rcl - C5 B3 Store - C5 B2 Alpha - C5 BA Menu - C5 B6 Clear - C5 B1 ========================================================================== 2.2.2 - Release Key -------------------------------------------------------------------------- Stop pushing a key: Tx: C0 C4 B0 ========================================================================== 2.3.1 - Set Channel (#09) -------------------------------------------------------------------------- Select Channel. Channel: (x,y)z z is the multiplier for channels 256-512, etc. Tx: C1 F0 B9 Tx: C1 Fx By Tx: C1 F0 Bz ========================================================================== 2.3.2 - Set Carrier Tone (#07,#08) -------------------------------------------------------------------------- Turn Transmitter on/off. xx - B7 - transmitter on B8 - transmitter off Tx: C1 F0 xx ========================================================================== 2.3.3 - Set Transmitter Power (#10) -------------------------------------------------------------------------- Set Transmitter Power. xx - B0 (highest) to B7 (lowest) Tx: C1 F0 BA Tx: C1 F0 xx ========================================================================== 2.3.4 - Select SAT Tones: (#32) -------------------------------------------------------------------------- Select SAT Tones. xx - B0 - 5870 hz B1 - 6000 hz B2 - 6030 hz B3 - disable SAT tones Tx: C1 F2 B0 Tx: C1 F0 xx ========================================================================== 2.4.1 - Set Audio Path (#75,#76,#77) -------------------------------------------------------------------------- Select audio input/output location: xx - BB - External Jack (on CTEK cable) BC - Earpiece, Mic BD - Sounder, Earpiece, Mic Tx: C1 F4 xx ========================================================================== 2.4.2 - Mute/Unmute RX Audio: (#11,#12) -------------------------------------------------------------------------- Turn on/off Recieve Audio. xx - BB - Mute Audio BC - Unmute Audio Tx: C1 F0 xx ========================================================================== 2.4.3 - Mute/Unmute TX Audio: (#13,#14) -------------------------------------------------------------------------- Turn on/off Transmit Audio. xx - BD - Mute Audio BE - Unmute Audio Tx: C1 F0 xx ========================================================================== 2.4.4 - Set Volume Level: (#67) -------------------------------------------------------------------------- Set Volume Level for Output. xx - B0 (highest) to B7 (lowest) Tx: C1 F4 B3 Tx: C1 F0 xx ========================================================================== 2.4.5 - Set Audio Tones: (#35,#36,#37,#38) -------------------------------------------------------------------------- Select Audio Alerting Tones. xx - B3 - 1150 hz on B4 - 1150 hz off B5 - 770 hz on B6 - 770 hz off Tx: C1 F2 xx ========================================================================== 2.4.6 - Send DTMF Tones: (#42) -------------------------------------------------------------------------- This transmits a DTMF tone. This command is much like the Keypress function where you need to stop the transmission of DTMF.. It also will test the ringers, and other tones. x,y- DTMF Frequency Tx: C1 F2 BA Tx: C1 Fx By 1 Key - 01 2 Key - 02 3 Key - 03 4 Key - 04 5 Key - 05 6 Key - 06 7 Key - 07 8 Key - 08 9 Key - 09 0 Key - 0A * Key - 0B # Key - 0C Quick Beep - 26 High Ringer - 27 Low Ringer - 28 Fast Busy - 29 Hi/Lo Siren - 2A Short Beep - 2E ========================================================================== 2.4.7 - Stop Sending DTMF Tones: (#43) -------------------------------------------------------------------------- This command stops sending a DTMF tone. Tx: C1 F2 BB ========================================================================== 2.4.8 - Turn Compression Circut On/Off: (#65,#66) -------------------------------------------------------------------------- Turn compressor/expander circut on/off: xx - B1 - on B2 - off Tx: C1 F4 xx ========================================================================== 2.5.1 - Read RSS: (#53) -------------------------------------------------------------------------- Read the Recieved Signal Stregnth (1-99, or -1 for error). Formula: 16(xx-C4)+(yy-B0) Tx: C1 F3 B5 Rx: C5 xx yy ========================================================================== 2.5.2 - Read Battery Level: (#81) -------------------------------------------------------------------------- Reads the current battery level: Formula: ((xy-28)/20) = Voltage of Battery Tx: C1 F5 B1 Tx: C1 F0 B2 Rx: C5 Fx By ========================================================================== 2.6.1 - Read ESN from phone: (#24) -------------------------------------------------------------------------- This command reads the current ESN from the phone. a - h : bits 1-8 of the ESN in HEX. Tx: C1 F1 B8 Rx: C5 Fa Bb Rx: C5 Fc Bd Rx: C5 Fe Bf Rx: C5 Fg Bh ========================================================================== 2.6.2 - Read Memory Location: (#25) -------------------------------------------------------------------------- Reads a memory location from the phone: w,x,y,z - Memory location a,b - Contents of Memory Locations Tx: C1 F1 B9 Tx: C1 Fw Bx Tx: C1 Fy Bz Rx: C5 Fa Bb ========================================================================== 2.6.3 - Write Memory Location: (#54) -------------------------------------------------------------------------- Write a memory location to the phone. If you are writing to an unprotected memory area just use the command as is.. If you need to write the NAM, ESN, or some other protected area make sure you write 01 into 7005 to turn off the write protect, and when you are done you write 00 back into 7005.. w,x,y,z - Memory location a,b - Contents of Memory Locations Tx: C1 F3 B6 Tx: C1 Fw Bx Tx: C1 Fy Bz Tx: C1 Fa Bb ========================================================================== 2.6.4 - NAM Checksum: -------------------------------------------------------------------------- When you alter the NAM you need to write the nam checksum, otherwise other CTEK software (Network Wizards) will crash.. The checksum bit is located in B06B.. This bit will always make the rest of the NAM add up to 00.. To calculate it you need to subtract the old nam cheksum from the calculated checksum. To calculate the checksum you add the values from A02B to B0AB which includes the old checksum value and the administrative password. The addresses increment by 0x40. ========================================================================== 2.7.1 - Recieve FOCC Message: (#20) -------------------------------------------------------------------------- This command recieves a Forward Control Channel Message. A complete message is sent in the x's. The dotting pattern is left out of what is recived. A complete word is recieved, no more, no less. To decode the message you need to convert each HEX value to BINARY, and work with it that way. For more information on signaling please look at RadioPhone. Tx: C1 F1 B4 - Setup for FOCC Message Rx: C5 Cx Bx Rx: C5 Cx Bx Rx: C5 Cx Bx Rx: C5 Cx Bx Rx: C5 Cx Bx Rx: C5 Cx Bx Rx: C5 Cx Bx Rx: C5 Cx Bx Rx: C5 Cx Bx Rx: C5 Cx Bx Tx: C1 F3 B8 -- Cancel FOCC Receive ========================================================================== 2.7.2 - Recieve FOVC Message: (#21) -------------------------------------------------------------------------- This command recieves a Forward Voice Channel Message. A complete message is sent in the x's. The dotting pattern is left out of what is recived. A complete word is recieved, no more, no less. Tx: C1 F1 B5 - Setup for FOVC Message Rx: C5 Cx Bx Rx: C5 Cx Bx Rx: C5 Cx Bx Rx: C5 Cx Bx Rx: C5 Cx Bx Tx: C1 F3 B8 - Cancel FOVC Message Recieve ========================================================================== 2.7.3 - DTMF decode . -------------------------------------------------------------------------- Dtmf char (xx) will be read, notice in order to send DTMF cancel you need to cancel Rx's Tx: C1 F5 B0 - Setup for DTMF decode Rx: C5 Cx Bx ..... Tx: C1 F1 BF - Cancel DTMF decode ========================================================================== 3.0 - Important Memory Locations -------------------------------------------------------------------------- 7005 - Write Protect Location (If 00 Write Protect ON, if 01 off) AF6B,AFAB,AFEB - Administrative Password needs to disable write protect^ BEDA-BEDE - Dealer Password 5 bytes (10 digits) BF2C - Current Nam In Use BF5F - Number of digits to be used for Unlock code (1-8) BF60-BF63 - Keyboard Unlock Code 8 digits or less ^ B06B - Nam Checksum Bit When dealing with the Keyboard Unlock Code, Administrative Password and Dealer password a hex value A is equal to 0. ========================================================================== !EOF! --------------------------------------------------------------------------