Secrets for Ericsson GH688

Most of the information presented in this page applies also to other ERICSSON mobile phones. Namely GA628, GF788, GF788e, S868, SH888 and i888.

Secret Codes and Menus

*#06# to check the IMEI (International Mobile Equipment Identity)

*#0000# to reset the phone's menu-language to English.

Firmaware Revision and Text Strings

>*<<*<* to check the firmware revision.
CXC125065    - Cell phone's internal product code.
PRG
970715 1515   - Firmware revision (date & time stamp).

When showing the firmware revision you can press > to go to 1-row text strings. After pressing YES you can check the phone's text programming in currently selected language. (298 entries). The complete key sequence is >*<<*<*>YES.

If you addicionally press > you go to n-row text strings. After pressing YES you can check the phone's text programming in currently selected language. (160 entries?). The complete key sequence is >*<<*<*>>YES.

Service Provider Lock

The Service Provider(SP) Lock menu is used to lock the cell phone to the SP's SIM card. Once the cell phone is locked to a specific operator, if one inserts a SIM card from a different operator the phone will refuse to accept it! The cell phone will however accept another SIM card from the same operator.

To activate the menu press <**<. "Lock to Network?" will be displayed. By pressing YES you have 5 attempts to enter NCK.

If after activating the menu you press > "Lock to Network subset?" will be displayed. By pressing YES you have 5 attempts to enter NSCK.
NOTE: The same procedure is used for both locking and unlocking.

2nd way to activate the menu

>*<*CLR< is another sequence to activate the SP Lock menu.

Warning: If an invalid code is entered all five times, the menu will exit and be deactivated! Any further attempt to activate the NCK/NSCK lock Menu will result in the response "Not allowed"!

Tricks...

Menu access without SIM inserted

Without the SIM card inserted in the phone press **04*0000*0000*0000#NO when prompted for PIN. This way it is possible to enable Channel Information without the need of a cable. But the phone lock when trying to go beyond menu "Settings | Answering mode" or try to access menu "Mail". I suppose this happens becaus the phone tries to access information stored on the non-inserted SIM card

Free phone calls using the GH688/GA628/GF788...

... and a prepaid GSM SIM CARD. This is a "SIM card" which only has a certain amount of credit on it (like a normal phonebox telecard)...

Q: It can be traced?
A: Yes, it can. But I think it is difficult because when detected, TELECEL (my operator) only ends the call.

Step 1: dial the number and wait till the phone give you a click and "Connecting" appears on the screen.
Step 2: press CLR and keep it pressed till the dialled number is erased from the screen.
Step 3: press 0.
Step 4: press #.
Step 5: press NO.
Step 6: press NO and keep it pressed until the phone is "turned off".
You can then still speak on the phone but the SIM card does not record your calls which will lead to FREE phone calls in some countries... To put the phone really off, you have to remove the battery.
NOTE: This trick has only been reported working on PREPAID GSM cards only.

Tips

Shortcut for Last Dialed call menu...

If you for some reason don't want to enter the 'Last Dialed calls menu' by using the 'YES' key you can use the following key stroke instead: First '0' then '#'.

Bat. level indicator when turned OFF...

When the gh688 is turned off and the phone is not changing - the bat. level can be seen for a short period of time by pressing the 'NO' key quick, once (it has to be quick!) and then wait for about 2 sec. The bat. level will now be shown in the display at its normal position.

Full Network Name...

You can see the Full Network Name by doing the following:
Go to the network menu, when the phone displays the networks available (in 'Select net' and 'Edit list' menu) you can press * and you will see the full name.

Software versions

Fixes in Software version<98xxxx>
Language bug fixes. No longer permits the 0# trick used for free phone calls.

Fixes in Software version<971009>
After receiving an SMS the prompt Message read? stayed on the screen until you pressed YES or NO. This new software eliminated this "feature" and when you receive an SMS Message read? stays on the screen only for a few seconds then changes into an envelope.

Fixes in Software version <970905>
(and Ericsson 788 - software version 970716) The error is described as "MS unable to find HPLMN if 30 or more competitor ARFCN+s have greater signal strength than the HPLMN."
That is: if there are 30 or more channels belonging to other carriers which are stronger than the customer's home network, the phone will not be able to find the customer's home network.

Fixes in Software version <970715>

  • The bug of the missing arrow on display when all diverting active.
  • Key lock key on display turned around , like in manual. (???)
  • An updated GSM operators' list.
  • Better and more solid reception.
  • Changing problem when turned OFF.

    • Pin-outs:

    The Ericsson GH688 can be connected to a PC with a TTL/RS232 interface.

    Pin Designation Function Direction 
    1 AFMS  Audio Out  Out 
    2 ATMS  Audio In  In 
    3 EXTAUD  External Audio Accessoriy Sense  In 
    4 AGND  GND (analog) 
    5 PORTHF  Portable Hands Free  In 
    6 MUTE  Mute  Out 
    7 VPPFLASH  Test/Flash  In 
    8 VDD  Logic Reference (+5V)  Out 
    9 TFMS/DFMS  Data Out  Out 
    10 GND  GND (DC and digital) 
    11 TTMS/DTMS  Data In  In 
    12 DCIO  DC I/O  In/Out 

    Short description

    1. AFMS - Audio From Mobile Station
    2. ATMS - Audio To Mobile Station
    3. EXTAUD - External Analog Audio Accessory Sense. 0V to enable
    4. AGND - Analog GND
    5. PORTHF - Portable Hands Free Sense. OV to enable Hands Free
    6. MUTE - Music Mute. +5V while scrolling or during a conversation.
    7. VPPFLASH - +5V to Enable test mode, +12V to Enable test mode and set Flash voltage, during power up. 
      In this mode the serial line works at 115200 instead of the standard 9600.
    8. VDD - Logical Reference (+5V). Used do enable status on accessories (over 100mA).
    9. TFMS/DFMS - Terminal adaptor equipment from Mobile Station/Data from Mobile Station. 
      RS232 serial output at TTL level (0/5V).
    10. GND - Digital and DC GND.
    11. TTMS/DTMS - Terminal adaptor equipment to Mobile Station/Data to Mobile Station. 
      RS232 serial input at TTL level (0/5V).
    12. DCIO - DC for phone battery recharging and External Accessory power. Recharge at +7.2V (600mA).

    NOTES:

  • Pins are numbered from left to right with keyboard up.
  • Comunication are at 9600 n 8 1.
  • Debug messages are text format, have trailing 0x0A0D and appear at 115200 baud.

    • Portable Handsfree Unit

    Pin Function Value 
    Earphone  16 Ohm 
    Microphone  <= 2 kOhm 
    Analog GND 
    Connected to GND (Pin 4) 

    IMEI

    IMEI stands for International Mobile Equipment Identity, is intended to identify a mobile like a licence plate identifies a car and is supposed to be unique in the world. 
    XXXXXX-XX-XXXXXX-X(-XX)
 TAC   FAC  SNR  *  ??
    TAC = Type Approval Code (first 2 digits = country code of the approval-country) 
    FAC = Final Assembly Code (51 and 61 are used for Ericsson) 
    SNR = Serial Number
    = Unknown (0 or 9). 
    ??  = Unknown. If this value does not exist * is 0 (Older phone versions). 

    The IMEI is stored in the eeprom of the memory (and yes, if you know how, it can be changed). More infos can be found here (pdf).

    Channel Information

    This shows the information of the Mobile Station with the Base Station. It can be activated by selecting ON on the hidden menu "Settings | Channel". This hidden menu can be enabled by software and a PC cable, and is also visible when there is no SIM card inserted.
    To enable the menu without the SIM card inserted you can either remove the SIM after powering on the phone, or simply use the trick to access the menus without a SIM card shown above. To remove the SIM after powering on the phone do this: I already tried to both SIM card 8KB & 16KB and it works fine. To activate this Channel menu you should contact the SIM Card to the Phone. 
    Example Channel Screen
+-------------+
||S778 19 43  |
||   0  1 --  |
|             |
+-------------+

Legend:
+-------------+
||0001 02 03  | Line 1
||   4  5 06  | Line 2
|             | Line 3
+-------------+
    On standby only 0001 and 02 are available!
    1. This represents the phone state.
    2. This shows Rx Level. The value displayed is from 0 to 63. This is an indicator on how good your reception is for the moment. 0 is a signal strength of -110dBm. 63 is approx -45 to -50dBm. RXLEV is measured in dBm in such a way that incoming signal equals -110.5 + RXLEV so that a RXLEV at 50 equals an incoming signal strenght at -50.5 dBm (plus or minus 0.5dBm) For example 19 is the signal level. every block on the 4 segment level indicator on the left of the screen represents 13.
    3. This shows the output power in dBm.
    4. This shows the timeslot. The timeslot is from 0 to 30. You can see it when making a call.
    5. This shows Rx Quality. Rx Quality is a measurement of how much error correction is required to the speech. 0 indicates none and as the figure rises you hear more pings and pongs on the speech as large parts of the frame are missing. If you have more RxQ then 5, you are on good way to loose your call. RxQuality reads 0-7.RXQUAL is measured by using a table weras the biterrorrate or BER is interesting and measured in %

      6. RXQUAL table

      0        BER < 0,2 (%)
1        0,2 < BER <  0,4
2        0,4 < BER <  0,8
3        0,8 < BER <  1,6
4        1,6 < BER <  3,2
5        3,2 < BER <  6,4
6        6,4 < BER < 12,8 (here we have lost half a burst)
7       12,8 < BER

BER stands for Bit Error Rate.
    6. This shows the timeing advance. The BS tells the MS to send before it should just make sure that the MS burst is comming to the BS on the right time. The TA is measured in halfbits so the distance to the BTS can be calculated as 1,11 * TA/2. TimeingAdvance is a value from 0 to 63. Co-incidentely this tells you how far you are from the base site in 550m chunks, up to the theoretical max of 35.2 km.

    Working on this

    AT command supported and DATA communucation

    These are THE ONLY AT commands supported by the ERICSSON GH688. Marked on bold are commands sent and on blue reply received.
    All valid commands are echoed by the mobile phone. ME stands for Mobile Equipment, TE stands for Terminal Equipment and TA stands for Terminal Adaptor.
    More infos on sh888 AT command are found in the official ericcson AT command documentation (pdf).
    NOTE: The sh888 does only support some basic at commands over the standard rs232 (without ericsson software). All other
    at commands are only supported after the ericsson software is installed because the modem in the sh888 talk IRDA protocoll
    over the wire (see AT*BINARY). So the sh888 is not the right choice for non Windows machines which would like to communicate
    via rs232. A direct IRDA connection (without a cable) is no problem for all machines speaking IRDA protocoll
    (The ericsson software is only available for windows)

    ' Don't what is the purpose of this
    AT
    OK

    ' GET MANUFACTURER IDENTIFICATION
    ' Implementation: mandatory for TA, optional for ME
    AT+GMI
    ERICSSON

    OK
    AT+CGMI
    ERICSSON

    OK

    ' GET MANUFACTURER MODEL IDENTIFICATION
    ' Implementation: mandatory for TA, optional for ME
    AT+GMM
    1050701

    OK
    AT+CGMM
    1050701

    OK

    ' GET MODEL REVISION IDENTIFICATION
    ' Implementation: mandatory for TA, optional for ME
    ' Returns: YearMonthDayHourMinute,A,B,I,J,T2
    AT+GMR
    YYMMDDHHmm,A,B,I,J,T2

    OK
    AT+CGMR
    YYMMDDHHmm,A,B,I,J,T2

    OK

    ANSWER INCOMING PHONE CALL
    ' This command is only available when ringing.
    ATA

    DIAL PHONE NUMBER
    ' This command only dials voice calls.
    ' Format: ATD<number>;
    ' Returns OK when call is answered
    ATD123;
    OK

    END PHONE CALL
    ' This ends an ongoing phone call
    ATH
    OK

    ' GET BATTERY CHARGE LEVEL
    ' Implementation: optional
    ' Format: AT+CBC=(bcs),(bcl)
    ' (bcs)
    '     0 = ME is powered by the battery
    '     1 = ME has a battery connected but not powered by it
    '     2 = ME does not have a battery connected
    '     3 = Recorgnized power fault, calls inhibited
    ' (bcl)
    '     0 = battery is exhausted, or ME does not have a battery connected
    '     1 ... 100 = battery has 1 ... 100 percent of capacity remaining
    AT+CBC=?
    +CRC: (0,1),(0-100)

    OK
    AT+CBC
    +CBC: 0,100

    OK

    ' GET PHONE ACTIVITY STATUS
    ' Implementation: mandatory when ME can be operated from TE
    ' Return value:
    '     0 = ready
    '     1 = unavailable
    '     2 = unknown
    '     3 = ringing
    '     4 = call in progress
    '     5 = asleep
    AT+CPAS=?
    +CPAS: (1)

    OK
    AT+CPAS
    +CPAS: 0

    OK

    ' CELLULAR INCOMING CALL TYPE INDICATION RESULT CODE
    ' Implementation: mandatory when data or fax calls implemented
    ' Format: AT+CRC=(mode)
    ' (mode)
    '     0 = disables extended format
    '     1 = enables extended format
    AT+CRC=?
    +CRC: (0,1)

    OK
    AT+CRC?
    +CRC: 0

    OK

    'Enter Frame mode
    AT*BINARY
    CONNECT
    ...and the phone is frame connected to the serial port.
    If you dont reply it will send (char in HEX) 02 02 31 0C four times with a second of interval. If you keep not replying it will send 02 02 01 01 four times also spaced a second.
    ' GET/SET FUNCTIONALITY LEVEL
    ' Set to 0 to switch off the phone.
    ' Returns 1 when the phone is on.
    AT*ONOFF=?
    *ONOFF: (0,1)

    OK
    AT*ONOFF?
    *ONOFF: 1

    OK
    AT+CFUN=?
    +CFUN: (0,1)

    OK
    AT+CFUN?
    +CFUN: 1

    OK

    ' Don't know what this is for but a value from 0 to 15 can be used.
    ' I suppose it is for setting baud rate.
    AT*TRANSCH=?
    OK
    AT*TRANSCH=0
    CONNECT