Hacking CDMA PRLs

by The Prophet

In North America, CDMA is the most popular digital technology used in wireless telecommunications.

Verizon, Alltel, US Cellular, Sprint PCS, Telus, Bell Mobility, Iusacell, and numerous other carriers throughout the continent operate service on CDMA networks.  CDMA offers the most comprehensive coverage of any digital technology on our continent.  CDMA is also gaining popularity in Asia and some parts of Europe outside the European Union.

In the United States, every carrier sells "nationwide" service in one form or another.  They would all like you to believe that they operate service in every corner of the continent, and publish maps boasting seamless, wall-to-wall, nationwide coverage.

Marketing, sadly, must always converge with reality, and this is where roaming comes into play.  Carriers negotiate roaming agreements to provide coverage to their subscribers where they do not have coverage of their own.  And in more places than not, your carrier probably doesn't operate their own network.

Hooking you up with the right network, however, can be a fairly complex technical problem.  I'll elaborate...

My CDMA handset has CDMA (PCS) and AMPS (cellular) capability, and is compatible with the networks of four different carriers here in the Seattle area (Verizon, Sprint, Qwest, and AT&T Wireless).

Obviously I prefer digital roaming but my carrier (a nationwide PCS carrier) doesn't have a roaming agreement with Qwest, so this won't work (for what it's worth, my carrier has service everywhere Qwest does and then some, so it wouldn't benefit me much).  They do have both digital and analog roaming agreements with Verizon (although my handset only works with analog roaming on the frequency Verizon uses in this area), and they have an analog roaming agreement with AT&T Wireless.

If I leave my home network, it is preferable to my carrier that I roam on the Verizon network because the wholesale airtime is less costly to them than from AT&T Wireless.  It's preferable to me, too; Caller ID and voicemail notification don't work when I am roaming on AT&T Wireless.

Fortunately for you and your wireless carrier, you don't have to make conscious decisions about which carrier on which to roam.

Your handset uses a file called the Preferred Roaming List (PRL) to do it for you.  This file contains a listing of the frequencies and System IDs it is authorized to use.  It is stored in binary format and is often updated by the carrier over the air when you call customer service.

Unfortunately for you, this means that your carrier can make changes to your roaming coverage without you knowing.  And even more unfortunately, they may not be good changes from your perspective.

Parts of a PRL

PRLs are fairly standardized, although there are some subtle differences between carriers (such as whether an enhanced roaming indicator is used).

The file consists of an acquisition table and a system table.  What follows is how a major nationwide PCS carrier structures its PRLs.

Acquisition Table

The acquisition table indicates which frequencies and technologies are used when searching for a wireless signal.

These are used to help your handset quickly locate a signal.  Acquisition tables can also be used to restrict your handset to a particular type of service (such as analog), even when another type of service (such as digital) may be available.

This is unfortunately common; analog wholesale airtime is generally less expensive than digital, so your home carrier may prefer to stick you with crackly, battery-draining analog service when you leave their service area.

The acquisition table is broken into the following categories:

INDEX:  This is a numerical identifier for each entry in the acquisition table.

ACQ TYPE:  This is a numerical identifier for the technology that is used:

  • 1 - AMPS/Cellular Frequencies
  • 4 - CDMA/Cellular Frequencies
  • 5 - CDMA/PCS Frequencies (scan entire block)
  • 6 - CDMA/PCS Frequencies (scan partial block)

CH1:  Indicates the first channel to be scanned, or one of the following special characters:

  • A - Scan cellular or PCS "A" Block (the handset decides which depending on the acquisition type)
  • B - Scan cellular or PCS "B" Block (the handset decides which depending on the acquisition type)
  • C - Scan PCS "C" Block
  • D - Scan PCS "D" Block
  • E - Scan PCS "E" Block
  • F - Scan PCS "F" Block
  • Both - Scan cellular "A" and "B" Blocks

CH2-CH37:  Each of these can be used to scan an additional, specifically identified PCS frequency range.

Figure 1: Example Acquisition Table

INDEX ACQ TYPE  CH1  CH2  CH3  CH4  CH5  CH6  CH7  - - - -  CH31
0     6         500  425  825  575  850  325  625    200
1     6         575  625  500  425
2     6          50  100  715  475  825  850  175    250
3     6          25  200  350  375  725   50  475    175    250
4     1        Both
5     1           A
6     1           B
7     5           A
8     5           B
9     5           C
10    5           D
11    5           E
12    5           F
13    4           A
14    4           B
37    4        Both

Note:  This has been truncated to conserve space.  Most acquisition tables are much more complex and contain over 40 entries.  I have retained #37 in the index because it is referenced in the figures below.

System Table

The system table is the meat of the PRL.

It lists System IDs that your phone is authorized to use, the acquisition type used with each, and their priority.  It's important to realize that this isn't a comprehensive listing of all the carriers with whom your wireless carrier has a roaming agreement.

For example, my handset will always default to the analog cellular "A" Block carrier if no other signal is available.

This is just fine in Valdez, Alaska.  While their System ID is not included in the current PRL on my handset, Dobson Cellular has a roaming agreement with my home carrier and operates analog service on the cellular "A" Block, so I had no trouble roaming there.

The system table is broken into the following categories:

INDEX:  This is a numerical identifier for each entry in the system table.

SID:  The System ID of the carrier being scanned.  For example, 0006 is the System ID for Verizon's Seattle market.

NID:  The Network ID.  This is nearly always set to 65535.

NEG/PREF:  Determines whether the entry represents a Preferred (PREF) or negative (NEG) System ID.  If this is set to NEG, only emergency calls are allowed on this System ID.

GEO:  If set to NEW, this represents a new geographical area in the PRL.

PRI:  If set to SAME, the next entry has the same priority as the current entry.  If set to MORE, the next entry will have a lower priority than the current entry.

ACQ INDEX:  Cross-references an index entry in the acquisition table.  The System ID will be scanned using the frequencies represented in this entry.  For example, an acquisition index of (4) means that the handset will scan the cellular "A" and "B" Blocks for an AMPS (analog) signal.

ROAM IND:  Determines whether the roaming indicator is displayed.  This is somewhat counterintuitive; a roaming indicator of 1 means that no roaming indicator will be displayed, while a roaming indicator of 0 means that one will be displayed.

Figure 2: Example System Table

1   4174  65535  PREF   NEW  SAME  12  1
2   4180  65535  PREF  SAME  SAME   6  1
3   4186  65535  PREF  SAME  SAME  12  1
4   4188  65535  PREF  SAME  MORE  12  1
5   1165  65535  PREF  SAME  SAME   4  0
6   1441  65535  PREF  SAME  MORE  37  0
7   1739  65535  PREF  SAME  MORE  37  0
8    436  65535  PREF  SAME  MORE  37  0
9    580  65535  PREF  SAME  MORE  37  0
10  1173  65535  PREF  SAME  SAME   4  0
11  1607  65535  PREF  SAME  MORE  37  0
12  1610  65535  PREF  SAME  MORE  37  0
13  1779  65535  PREF  SAME  MORE  37  0
14  1784  65535  PREF  SAME  MORE  37  0
15  1858  65535  PREF  SAME  MORE   3  0
16  1858  65535  PREF  SAME  MORE   4  0
17     6  65535  PREF  SAME  MORE  37  0

Note:  This has been truncated to conserve space.  Most system tables are much more complex and contain hundreds of entries.
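The field definitions above can be turned into a small audit: resolve each system-table entry's ACQ INDEX against the acquisition table, decode the inverted ROAM IND, and list the SIDs a carrier has pinned to analog-only scanning (the 1165 case discussed later).  This is an added example, not code from the article; the table rows are transcribed from Figures 1 and 2 and truncated the same way.

```python
"""Audit a decoded CDMA PRL: join system-table rows to the acquisition
table and report technology, channels and analog-only restrictions."""
from dataclasses import dataclass

# ACQ TYPE codes exactly as the article lists them.
ACQ_TYPES = {1: "AMPS/cellular", 4: "CDMA/cellular",
             5: "CDMA/PCS (entire block)", 6: "CDMA/PCS (partial block)"}

# Acquisition table: index -> (ACQ TYPE, CH1..CHn).  Rows from Figure 1.
ACQ_TABLE = {
    0: (6, ["500", "425", "825", "575", "850", "325", "625", "200"]),
    3: (6, ["25", "200", "350", "375", "725", "50", "475", "175", "250"]),
    4: (1, ["Both"]),   # AMPS on cellular "A" and "B" Blocks
    12: (5, ["F"]),     # CDMA on PCS "F" Block
    37: (4, ["Both"]),  # CDMA on cellular "A" and "B" Blocks
}

@dataclass
class SystemEntry:
    index: int; sid: int; nid: int; pref: str
    geo: str; pri: str; acq_index: int; roam_ind: int

# System table rows from Figure 2 (subset).
SYSTEM_TABLE = [SystemEntry(*row) for row in [
    (1, 4174, 65535, "PREF", "NEW", "SAME", 12, 1),
    (4, 4188, 65535, "PREF", "SAME", "MORE", 12, 1),
    (5, 1165, 65535, "PREF", "SAME", "SAME", 4, 0),
    (6, 1441, 65535, "PREF", "SAME", "MORE", 37, 0),
    (15, 1858, 65535, "PREF", "SAME", "MORE", 3, 0),
    (16, 1858, 65535, "PREF", "SAME", "MORE", 4, 0),
    (17, 6, 65535, "PREF", "SAME", "MORE", 37, 0),
]]

def describe(entry, acq_table=ACQ_TABLE):
    """Human-readable view of one system-table row."""
    acq_type, channels = acq_table[entry.acq_index]
    return {"sid": entry.sid, "tech": ACQ_TYPES[acq_type], "channels": channels,
            "emergency_only": entry.pref == "NEG",
            # Counterintuitive per the article: 1 hides the indicator, 0 shows it.
            "roam_indicator_shown": entry.roam_ind == 0}

def analog_only_sids(system_table, acq_table=ACQ_TABLE):
    """SIDs whose every row scans AMPS only (ACQ TYPE 1): the 'stuck on
    analog' restriction the article describes.  1858 is excluded because
    it also has a PCS row (ACQ INDEX 3)."""
    techs = {}
    for e in system_table:
        techs.setdefault(e.sid, set()).add(acq_table[e.acq_index][0])
    return sorted(sid for sid, t in techs.items() if t == {1})

if __name__ == "__main__":
    for e in SYSTEM_TABLE:
        print(describe(e))
    print("analog-only SIDs:", analog_only_sids(SYSTEM_TABLE))
```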

Interpreting PRLs

Obviously, raw PRLs aren't very human-readable.

Some CDMA hackers like to take PRLs apart after they are released and match up the information in them with FCC databases and other sources.  This can provide some insight into new coverage and changes to existing coverage.

To interpret a PRL, you need to download the binary version to your handset using a data cable.  You can do this using the file system browser in the free BitPim tool (to download the tool, search the Web for BitPim).

Depending on your carrier, this file may be located in an obvious place, or may not be.

On many handsets the file is located in the /nvm/PRL directory.  On my handset, the prl_0000 and prl_0001 files you'd expect in that location are there.  However, they're effectively blank - 4,306 bytes of NULL characters.

On my handset (and many Sanyo handsets), you need to keep digging.

Go to the /nvm/nvm directory.  The nvm_0019 or nvm_0024 file is your target.  Save both out to your hard disk.

You're not ready to hack on it yet (you didn't think it'd be that easy, did you?).  You'll need to massage it in a hex editor first.  I like XVI32, which you can find by searching the web; it's freeware and works well.

Open the file in your hex editor and search for the 0F (hexadecimal) offset.  Truncate all the characters ahead of it, then scroll to the bottom of the file and find where all of the NULL characters (00 hexadecimal) begin.  Truncate them all.

Now save your changes and open the file in your favorite PRL editor (you can find one easily by searching the web).

If you've done everything correctly, you will be able to open the PRL for viewing.
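The hex-editor clean-up described above, written as a script so it can be repeated and so a blank dump is caught before anyone trusts it.  This is an added example, not the article's procedure verbatim; it assumes "the 0F offset" means the first 0x0F byte in the dump, and the sample bytes are constructed.

```python
"""Trim an nvm_00xx dump into a bare PRL the way the article describes:
drop everything ahead of the first 0x0F byte, strip trailing NULLs."""

def is_blank_prl(data: bytes) -> bool:
    """True for files like the article's prl_0000: nothing but 0x00 bytes.
    A blank file must never be treated (or uploaded) as a PRL."""
    return len(data) > 0 and not data.strip(b"\x00")

def trim_nvm_dump(data: bytes) -> bytes:
    """Return the PRL payload, or raise if the dump is unusable."""
    if is_blank_prl(data):
        raise ValueError("dump contains only NULL bytes; not a PRL")
    start = data.find(b"\x0f")  # assumption: first 0x0F marks the PRL start
    if start < 0:
        raise ValueError("no 0x0F marker found in dump")
    # rstrip removes only the trailing run; NULLs inside the payload survive.
    return data[start:].rstrip(b"\x00")

# Constructed sample: junk header, marker, payload with an inner NULL, padding.
SAMPLE_DUMP = b"\x00\x00\x42\x17" + b"\x0f\x01\x03\x9a\x00\x1f" + b"\x00" * 8
BLANK_DUMP = b"\x00" * 4306  # same size as the blank prl_0000 in the article

if __name__ == "__main__":
    print(trim_nvm_dump(SAMPLE_DUMP).hex())
    print("blank:", is_blank_prl(BLANK_DUMP))
```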

Figure 3: Example PRL Interpretation, Based on Figure 2 System Table

Priority 1
   04174 PCS -- SprintPCS - Portland OR
            SCAN 500B 575B 475B
   04180 PCS -- SprintPCS - Salt Lake City UT
            SCAN 675B 500B 600B
   04186 PCS -- SprintPCS - Seattle WA
            SCAN 500B 575B 475B
   04188 PCS -- SprintPCS - Spokane WA/Billings MT
            SCAN 500B 575B 475B
Priority 2
   01165 (A) RM Western Wireless Corporation
            389A Idaho 2 - Idaho
            390A Idaho 3 - Lemhi
   01441 D/A RM Western Wireless Corporation
            268A Billings MT
            297A Great Falls, MT
            523A Montana 1 - Lincoln
            524A Montana 2 - Toole
            525A Montana 3 - Phillips
            526A Montana 4 - Daniels
            527A Montana 5 - Mineral
            528A Montana 6 - Deer Lodge
            529A Montana 7 - Fergus
            530A Montana 8 - Beaverhead
            531A Montana 9 - Carbon
            532A Montana 10 - Prairie
   01739 D/A RM Western Wireless Corporation
            675A Utah 3 - Juab
            676A Utah 4 - Beaver
            677A Utah 5 - Daggett
            678A Utah 6 - Piute
Priority 3
   00436 D/A RM United States Cellular Corporation
            229B Medford OR
   00580 D/A RM United States Cellular Corporation
            191B Yakima WA
            214B Richland-Kennewick-Pasco WA
            607B Oregon 2 - Hood River
            608B Oregon 3 - Umatilla
            697B Washington 5 - Kittitas
            699B Washington 7 - Skamania
   01173 (A) RM United States Cellular Corporation
            390A Idaho 3 - Lemhi
            392A Idaho 5 - Butte
            393A Idaho 6 - Clark
   01607 D/A RM United States Cellular Corporation
            610A Oregon 5 - Coos
   01610 D/A RM United States Cellular Corporation
            611B Oregon 6 - Crook
   01779 D/A RM United States Cellular Corporation
            696A Washington 4 - Grays Harbor
   01784 D/A RM United States Cellular Corporation
            698B Washington 6 - Pacific
Priority 4
   01858 PCS RM UBET Wireless
            SCAN 25 200 350 375 725 50 475 175 250
Priority 5
   01858 (A) RM UBET Wireless
            677B Utah 5 - Daggett
Priority 6
   00006 D/A RM Verizon Wireless
            020B Seattle-Everett WA
            082B Tacoma WA
            212B Bremerton WA
            242B Olympia WA
            270B Bellingham WA
            693B Washington 1 - Clallam
            696B Washington 4 - Grays Harbor

Hacking PRLs

Here's where things might get more interesting.

Suppose that in the example above, you knew that Western Wireless operates CDMA service on the System ID 1165 "A" Block.

Unfortunately, your carrier, through the PRL, has restricted you to crackly, battery-draining, scratchy analog service when you travel in this area.  Let's also assume for the sake of argument that the cellular "B" carrier in the area has better service, but isn't in the PRL even though you know your carrier has a roaming agreement with them.

If the acquisition index were to change to 37 from 4 on this entry, you'd suddenly have digital service in this area.  Or what about bypassing Western Wireless entirely?

Add the carrier you prefer into the PRL and elevate their priority above Western Wireless, and you'd use them instead.  Here's how to do it:

Obtain a copy of the Phone Service Tool (PST) for your handset.  It helps to have a friend who works for your wireless carrier, because PSTs generally aren't available to consumers.

Using your PRL editor, make the changes and save them out to a new binary file.

Using the PST, upload the new PRL to your handset.  Be careful never to upload an empty PRL!

If this sounds daunting, it's because it is.

I always encourage people to experiment with technology, but this is something I don't encourage most 2600 readers to try.  You won't break your phone by reading the interesting things in the file system of your handset, and it's definitely safe to read your PRL.

However, bad things can happen if you make changes, so be forewarned:

You will void the warranty on your handset.  Don't expect any sympathy from your carrier, and they will know how you broke your phone (especially after this article appears in 2600)!

You will almost certainly violate the terms of your carrier's service agreement.  This means that your carrier can cancel your service and still charge you the early termination fee (yes, even though they canceled you).

If you upload a blank PRL, your handset may be irreparably damaged (yes, really, this has happened).

PRLs are complex and it's easy to mess them up, so you might have weird problems with your service if you make changes.  If you have problems, just revert back to the original PRL and they should go away.

In some areas, creating or using a hacked PRL may even be a crime!  Take this warning seriously.  Penalties for technology crimes are beyond all bounds of reason.

You now have the power.  Use it for good, not for evil!
