Turn an NEC P3 into the ultimate phreaker's handset!

Picture by Phacman

Text by DaXX

The NEC P3 is a rather old mobile phone for use on any TACS or E-TACS cellular telephone system (look at this list to find out where there are such networks; in Europe they exist in Austria, Italy, the UK and Ireland). This phone was quite popular a few years ago, so you should be able to pick one up used for little money. I got one including two batteries and a charger for 50 IEP (go here to convert that).

Now, what makes this phone so interesting? The availability of a so-called Test-Mode-ROM for it.

Like all mobile phones, this one has a read-only memory chip in it, which contains its software. This program is started when you turn on the phone; it could be compared to a computer's operating system. The "normal" version of the NEC P3's software allows you to do no extraordinary things, basically only to place calls to a number you enter and to store numbers along with names. The test-mode software lets you go into test mode, where you can do many cool things.

Most importantly, you can change all the information in the phone's NAM (number assignment module) - the ESN (electronic serial number) and the MIN (mobile identifier number).

These two numbers are all there is to an E-TACS phone's identity - program in another phone's ESN & MIN (this information is called a pair) and your NEC P3 becomes a clone of it. You will be able to make calls on the bill of the phone you cloned and to receive calls under its number.

On a test-ROM NEC P3, this process of reprogramming the NAM takes less than a minute of pressing buttons on the keypad, and requires no connection to a computer with a "chipping lead", as the vast majority of mobile phones do. However, there are plans for a computer-to-P3 cable, along with chipping software; both are available on Dr. Who's Radiophone.

The MIN prefix for Ireland's 088 network is 2720 (088-2 = 2722, 088-6 = 2726). So if somebody's number is 088-313371, their MIN, and what you type in while programming, is 2720313371. The ESN of a phone (an 11 digit number with slashes dividing it) can almost always be found on a sticker on the back of the phone, under the battery. So if you see someone's phone lying around, just note down those numbers, put them in your P3, and mess up their bill.

In test mode, you can also scan all channels (listen in on calls going on in your area), and break into conversations (can be funny, the call has to be on a very nearby cell for that to work though). I've also put on a text which describes how two P3's can be used as CB radios, without actually using the cellular network (never done this myself, can anybody confirm that this works?).

You have a P3, and would like to put a test-mode ROM in it?

Taking the actual chip out of the phone, or putting one in, can be tricky, the first and biggest obstacle being "tamper-proof" screws in the case. However, pliers with very thin ends worked OK, once I found suitable ones. The complete instructions for doing this can also be downloaded below.

Getting the test-mode software (see below for the image file) written on the existing ROM chip from a P3, or getting a new 27C512 (200 nanoseconds access time) EPROM with the software on it, is probably the most difficult part. You could try some electronics companies or university electronics labs, or any other place which might be able and willing to write an EPROM for you. This only takes a minute, but a previously written EPROM has to be erased by exposure to UV light before being re-written, which takes at least half an hour.

The files

P3ROMFIT.TXT - Instructions for taking out/putting in ROM

P3ROM.ZIP - Image file of test mode ROM

NOPAIRS.TXT - Instructions for using two P3's as CB's

BREAKP3.TXT - Instructions on how to break in to a nearby conversation

P3TST004.TXT - Test-mode manual

P300.zip - ROM files: .HEX and .BIN files.

There's an easier way to get into test mode than the one which is described in the last file. You can simply store your ESN in one of the 99 memory slots once (enter 11 digits, STO (for instance) 68). Then every time you want to enter, you do RCL 68, STO 69, RCL *, RCL # 01 and there you are, instead of keying in the whole ESN every time.

So, go out, get a P3 or another kewl fone and have some fun while the E-TACS networks are still on the air!


last update: 5.10.97

greets: sonic, simpson (where are you?!), neophyte, scratch, digitone, scavenger, cpu, phacman, jadzia, max, dublin 2600 crowd, krew-l-t, drfonk, gamma, Master of the Matrix, cjb, kry0, qwid, daemon knight (and all +971 ppl :), eniac, mani, Virtual, T5-r, motion, mirage, #bluebox, #phuk, #cellular, #phie

