I have recently learned a little more about the Sprint PCS cellular network, and I would like to share this info with the readers of this website. This info applies more to Columbus, OH then anywhere else, but if anyone else knows about another city I would love to hear about it. From my understanding Cell phones use 3 major ID's to know who's who on their networks and who's allowed to make what calls. These ID's are an ESN (Electronic Serial Number), the phone number of the cell phone, and a SID number. The SID number determines your home city. When you place a call the network matches your phone number with your ESN to determine if you're a legit user of the network. Then you can make your call. If you're roaming then the cell network that you're on will forward the call information (number called, duration, etc.) to the SID city. Then your home city will process this information and bill you. Well, theoretically if you change your ESN, phone number, and SID to a city that you're not in, you'll get free cell calls. This is where you get into cell phone cloning etc. Aside from the general concept of how cell calls are placed, that of which I'm still learning, I'd like to touch on the Sprint PCS phone network. The phone I'll be talking about it a Sanyo SCP-3000. I found that if you remove the battery it says the ESN in HEX and DEC. If you were to go to a Sprint PCS store I'm sure you could 'look' at one of their phone and clone it. Then make calls on them. The phones in their stores are active to make calls all over the US. When you purchase a phone they program it at the store, but if you move from one home city to another you can just call them and they will walk you through the re-programming of it. This is where I come it. On this particular phone if you press menu and then 7 it will take you to the setup menu. If you press 0 you get to a field service option that is password protected. (6 digits) I haven't been able to get this password out of them yet. Now, if you press menu and then 4 you will go to the display menu. From here you hit 0 again. Surprise surprise, another area with a password. For Columbus and maybe even Sprint PCS the code is 661649. This will put you into a 'configuration' menu. From here all the options can be edited. You will have the following: ESN - Electronic Serial Number NAM 1 Phone Number - Your Phone Number NAM 1 Home SID - Columbus is 4418 (Denotes your Home City) NAM 1 Name - 'Sprint PCS' (Can be anything you want, It's displayed on boot) Service Sec. Code - This is the code you entered to get here NAM 1 Lockout System - ?? Don't know NAM 1 CDMA Phone Number - Your Phone Number NAM 1 Mobile Country Code - 310 (I think this is the code for the US) NAM 1 Mobile Network Code - 00 (?? Don't know) NAM 1 Mobile Station ID # - Your Phone Number NAM 1 CDMA Home SID - Columbus is 4418 (Same as above) NAM 1 AMPS Phone Number - Your Phone Number NAM 1 AMPS Home SID - Columbus is 4418 (Same as above) Phone Model - 7 (?? Don't know) Slot Cycle Index - 2 (?? Don't know) NAM Number Assignment Module and it holds in RAM the telephone number and ESN of the phone CDMA Code Division Multiple Access otherwise know as the Sprint PCS network. AMPS Advanced Mobile Phone Service which is used for analog cell transmission. I think this is a little more complicated then it has to be because my phone is a dual band. Meaning I can switch between Analog and Digital Networks. So I have a few more options then just a Digital Phone. Pretty much what it appears to be is the same information repeated for the different networks. Now, basically what you have to do is change your ESN and Phone Number to something else then match the cities SID with the phone number and rather is a true number and you've cloned or it a total fake, you can make calls for free. When you place the call the Home City you're in will register this and give you the call. Then they forward that call information to your home city... The SID you typed in... Starting to see the picture? When the home city looks that info up to bill the person they find out 1) It doesn't exist or 2) They find out nothing because it's a real number. Either way, you get the free call and by the time anyone finds out about it you're finished and the SID and ESN are changed again. They only thing I think you might want to consider is that when your phone is on and you have signal... It's traceable... When you have signal your phone is on the network, communicating with the switches, and jumping from cell to cell. You would need to turn you're phone on, change the info, make your call, change it back, and then turn the phone off till you get a good distance from where you placed the call. This all might be a bit much, but I think it's a good precaution. I hope this information assists all you Cell Phreaks out there, and if anyone else has any other information that may be of some assistants please feel free to share it.... I would also like to get the SID for all the cities in the US if anyone happens to have access to the info. =) ~sn0crash sn0crash@DigitalPhreak.net