You are on page 1of 14

VME SPY PHONE XD

(Surveillance Phones)

9 Listening to conversations in close vicinity of the phone


9 Interception of conversations made and received by the phone
9 Interception SMS messages sent and received by the phone
9 Sending SMS messages on behalf of the phone from another
number and getting information services instead of SP
9 Blocking SMS
9 Getting location information
9 Notification about calls made and received by the phone
including phone number and call direction
9 Notification about switching the phone ON
9 Notification about replacement SIM card in the phone including
new phone number and IMSI
9 Notification about entering certain geographical area
9 Imitation of “dead” phone
9 Programming the phone either from secret menu or remotely
It is Siemens cellular mobile phones we have modified to turn those into handy
spy devices capable of “tapping” into a mobile conversation at any point of the
globe.
As all the modifications in the Siemens phone are complete in a very elaborate
manner, neither a Spy Phone user nor a technician whatever skilful, can bring
this type of the modification to light.

How does VME SPY PHONE XD work?

1. Listening to conversations in close vicinity of the phone


(“Listening Mode”)
While off the spy option, VME SPY PHONE XD behaves as an ordinary mobile
phone so it makes and receives calls as usual. However, when VME SPY
PHONE XD receives call from the “special access number”, it answers
automatically without any ringing or lights coming on and the display stays the
same as if it is in a “Standby Mode”. Thus it enables you listening discreetly to
what is going on about 5 meters around the phone. No record of the call
received from the special access number will ever be put in the phone's list of
received calls.

The “Listening Mode” will get interrupted right away if:


1. The VME SPY PHONE XD receives a call or;
2. If any key is pressed on SP’s dialer.

2. Interception of conversations made and received by the phone


(“Interception Mode”)

VME SPY PHONE XD sends SMS to the “special access number” every time it
makes or receives a call. The SMS contains data about VME SPY PHONE XD
identity, direction of the call (incoming or outgoing), phone number and phone
location information. The messages appear in the following format:

ID: VME Spy Phone XD CF75:12


Outgoing: 037676543
LAI: 425-01 LAC: 3530 CI: 40621 TA: 04

By receipt of such message you may decide to call VME SPY PHONE XD back
from “special access number”. In this case you will enter into ongoing
conversation in conference mode without being noticed, so you can listen to the
conversation.
Note: Technically, you can participate in the conversation, so, to stay invisible do not forget to
mute your microphone.

The SMS notification function can be activated or closed either from secret
menu of VME SPY PHONE XD or remotely by sending a SMS message in a
specific format from the “special access number”.
3. Interception SMS messages sent and received by the phone
(“SMS Interception Mode”)

Every SMS message sent or received by VME SPY PHONE XD is automatically


copied to “special access number”.
This option can be activated or closed either from secret menu of VME SPY
PHONE XD or remotely by sending a SMS message in a specific format from
the “special access number”.

4. Sending SMS messages on behalf of VME SPY PHONE XD and


getting information services instead of SP
There is an interesting option of sending SMS message from “special access
number” on behalf of SP. In this case the receiving party will be sure he/she
receives SMS from SP’s user as the message comes with SP’s caller ID.
There is another option of blocking all incoming SMS messages of VME SPY
PHONE XD during certain period of time.
Combination of these two options allows stilling information services providing
by network operators.
For example, there is a service implemented in many countries of getting
precise location information of mobile phone. Usually mobile phone’s user has
to send blank SMS to particular number. Just after that he supposed to receive
SMS with his/her geographical position. Using already described VME SPY
PHONE XD features you can easily:
1. Send SMS on behalf VME SPY PHONE XD to the particular number.
2. Copy SMS from network operator to “special access number”
3. Block SMS from network operator so SP’s user will never know about the
trick.
This might sound a bit sophisticated, but all the operation requires one simple
SMS sent from “special access number”.

5. Getting location information


By request from “special access number” VME SPY PHONE XD sends back
SMS containing it’s location information.
The SMS messages appear in the following format:
Phone ID: VME SPY PHONE XD 1034
LAI: 425-01 LAC: 2C24 CI: 512D

LAI (Location Area Information) – country code and operator code the VME
SPY PHONE XD is currently connected to (in our case, 425 means “Israel”, and
01 stands for “Orange”).
LAC (Location Area Code) and CI (Cell ID) are indications of SP’s actual
geographic position.
6. Notification about calls made and received by the phone including
phone number and call direction

See item 2. Interception of conversations made and received by the phone (“Interception Mode”)

This option can be activated or closed either from secret menu of VME SPY
PHONE XD or remotely by sending a SMS message in a specific format from
the “special access number”.

7. Notification about switching the phone ON

Every time VME SPY PHONE XD is switched ON it sends SMS message to


“special access number”.
This option can be activated or closed either from secret menu of VME SPY
PHONE XD or remotely by sending a SMS message in a specific format from
the “special access number”.

8. Notification about replacement SIM card in the phone including


new phone number and IMSI

When a VME SPY PHONE XD user replaces SIM card, the phone immediately
sends SMS message to the “special access number”. The SMS contains
information about new phone number as well as the IMSI of the new SIM card
so the VME SPY PHONE XD user is always under surveillance. It also contains
data on SP’s geographical position.

The SMS messages appear in the following format:

From: NEW PHONE NUMBER


Phone ID: VME SPY PHONE XD 1034
Old IMSI: 425020102010201
New IMSI: 425010501256159
LAI: 425-01 LAC: 2C24 CI: 512D

Phone ID – number of handset issued by producer. Each VME SPY PHONE


XD has a unique number of its own.
IMSI (International Mobile Subscriber Identity) – a number stored in the SIM
card. Each SIM card has its own IMSI.
LAI (Location Area Information) – country code and operator code the VME
SPY PHONE XD is currently connected to (in our case, 425 means “Israel”, and
01 stands for “Orange”).
LAC (Location Area Code) and CI (Cell ID) are indications of SP’s actual
geographic position.
9. Notification about entering certain geographical area.

GSM phones store information about strongest BTS’ located in their vicinity.
This information is frequently updated and can be used as criteria whether a
GSM phone is entering certain area.
Being in particular place, VME SPY PHONE XD can store information about 6
nearest BTS’. It would be mark or fingerprint of this particular place. In the
future, if VME SPY PHONE XD gets the same list of BTS’ (full or partial - it
depends on definitions which can be made or changed remotely), such situation
considered entering the same place. VME SPY PHONE XD will immediately
send SMS notification to “special access number”.

10. Imitation of “dead” phone


There is an additional operation mode in VME SPY PHONE XD enabling to fake
a "non-functional phone". While in this mode, VME SPY PHONE XD appears to
be completely "dead". However, receiving a call from the “special access
number” while keeping the "dead" appearance on, switches the Spy Phone to
the "Listening Mode".

11. Panic button

If user of VME SPY PHONE XD press joystick for about 5 sec, VME SPY
PHONE XD sends “Panic SMS meassage” to special access number. The
message includes text “Panic SMS” following with location information.

12. Programming the phone either from secret menu or remotely

All VME SPY PHONE XD functions can be programmed, reprogrammed,


activated or deactivated at any time either through a quick and simple
procedure requiring a physical access to VME SPY PHONE XD or by sending
SMS message in the specific format from currently active “special access
number”.
PROGRAMMING
Most of VME SPY PHONE XD functions can be programmed, reprogrammed, activated or
deactivated at any time either through a quick and simple procedure requiring a physical
access to VME SPY PHONE XD or by sending SMS messages in the proprietary format
from currently active “special access number”

1. Programming from VME SPY PHONE XD keypad


All the programming procedures begin from typing password (secret 6-digit number) and
end by sign “#”. The sign “#” means end of command string. If VME SPY PHONE XD
“understands” command, the command string disappears from the screen right after typing
sign “#”.

1.1 Display current settings

To display current settings type the following command string:

PASSWORD#

Example:
222222#
(222222 here is PASSWORD)

1.2 Display Help

To display brief instructions how to program SP, type the following command string:

PASSWORD*#

Example:
222222*#
(222222 here is PASSWORD)

1.3 Changing password

There is a Master Password in each SP. The Master Password is defined during producing
of SP, stored in SP’s hardware and cannot be changed by user.
User can define another password - User Password and change it from time to time if
necessary. VME SPY PHONE XD can be programmed by using either Master Password or
User Password.
To define or change User password type the following command string:

MASTER_PASSWORD * 0 * USER_PASSWORD * USER_PASSWORD#

USER_PASSWORD can be any 6-digit number.

Example:
123456*0*222333*222333#

(123456 here is Master Password, 222333 – new User Password)


1.4 Changing Special Access Number

When VME SPY PHONE XD receives a call from any number it behaves as an ordinary
phone. Only if VME SPY PHONE XD receives a call (or SMS) from Special Access Number
it turns out to surveillance device with all its unique features.
There are two Special Access Numbers- main and additional. Main number is used for
listening, interception and control SP. To additional number VME SPY PHONE XD sends
only SMS notifications. If additional number is not defined, VME SPY PHONE XD will use
main number for all purposes.
Special Access Numbers can be changed whenever it’s necessary by typing the following
command string:

For main Special Access Number:

PASSWORD*1*1*W*NEW_ACCESS_NUMBER#

“W” here is a digit from 5 to 9 means how many last digits of caller’s ID will be taken into
account in comparing those with Special Access Number.

For additional Special Access Number:

PASSWORD*1*2*NEW_ACCESS_NUMBER#

Important note: Special Access Number has to be put in international format, i.e. with
country code. Do not attach sign “+” or 00 to the Special Access Number.

Example 1: to program 972 544 678238 as main special Access Number use the following
command string:
222222*1*1*7*972544678238#

(only 7 last digits of number 972 544 678238 will be taken into account)

Example 2: to program 972 544 678239 as additional special Access Number use the
following command string:
222222*1*2*972544678239#

In the both examples PASSWORD is 222222

1.5 Setting, enabling/disabling of “Interception Mode”

PASSWORD*2*1*0# to disable "Interception Mode"


PASSWORD*2*1*1# to enable "Interception Mode"

Although in most cases Spy Phone runs in this mode with its factory settings on, there can
be cases where some fine tuning might be of need.
There are two fine tuning parameters, namely, DELAY1 and DELAY2.
DELAY1 is the time needed for the Spy Phone to put other party on hold and answer call
from special access number. Factory setting of this parameter is 16 (unit of measurement is
0.2 sec).
DELAY2 is the time needed for the Spy Phone to set conference mode. Factory setting of
this parameter is 07 (unit of measurement is 0.2 sec).
To set or display DELAY1 and DELAY2 please use the following commands:

PASSWORD*2*2*XX# to set DELAY1


(For example, “222222*2*2*16#” means setting a delay of 3.2 sec)

PASSWORD*2*3*YY# to set DELAY2


(For example, “222222*2*3*07#” means setting a delay of 1.4 sec)

1.6 Setting, enabling/disabling of “SMS Notification Mode”

This mode allows notification of all calls made/received by SP. If the mode enabled, VME
SPY PHONE XD will send SMS message to Special Access Number.

PASSWORD*3*1*XX# to set delay between incoming call and SMS notification of the
fact (unit of measurement is 0.2 sec)
(For example, “222222*3*1*20#” means setting a 4-sec delay. Setting delay to zero
means disabling SMS notification of incoming calls)

PASSWORD*3*2*YY# to set delay between outgoing call and SMS notification of the
fact (unit of measurement is 0.2 sec)
(For example, “222222*3*2*25#” means setting a 5-sec delay. Setting delay to zero
means disabling SMS notification of outgoing calls)

1.7 Enabling/disabling of “SMS Interception Mode”

PASSWORD*3*3*0# to disable "SMS Interception Mode"


PASSWORD*3*3*1# to enable "SMS Interception Mode"

Note: this mode works correctly only with SMS in English.

1.8 Enabling/disabling of notification about switching the phone ON

PASSWORD*3*4*0# to disable notification about switching the phone ON


PASSWORD*3*4*1# to enable notification about switching the phone ON

1.9 Enabling/disabling of remote VME SPY PHONE XD programming

VME SPY PHONE XD can be programmed either from keypad or remotely. Remote
programming feature can be enabled or disabled.

PASSWORD*3*9*0# to disable remote programming


PASSWORD*3*9*1# to enable remote programming

1.10 Faking “non-functional” phone

Press button “3” for about 5 sec, then release the button.

To exit this mode just remove the battery from the phone for a short period of time and put it
back.
1.11 Notification about entering certain geographical area

There are 4 different checkpoints can be programmed. For each checkpoint VME SPY
PHONE XD “remembers” six BTS. VME SPY PHONE XD considered entering to checkpoint
if at least N BTS match list of the six BTS. Parameter N can be programmed and changed
any time.
Each BTS has the following identities:
LAI Location Area Information (5 digits). Consists of Mobile Country Code (MCC) and
Mobile Network Code (MNC).
For example, 42501 (here 425 is MCC of Israel and 01 is MNC of Orange in
Israel)
LAC Location Area Code (5 digits)
CI Cell ID – unique number of cell (4 digits).

1.11.1 Input LAI

PASSWORD*4*1*C*LAI#
(here C is number of checkpoint from 1 to 4, LAI is 5 digits of LAI).

For example, to enter LAI 42501 for checkpoint 3:


222222*4*1*3*42501#

1.11.2 Input LAC and CI

PASSWORD*4*2*C*B*LAC*CI#
(here C is number of checkpoint from 1 to 4, B is number of BTS from 1 to 6, LAC is 5
digits of LAC, CI is 4 digits of CI).

For example, to enter LAC 34900, CI 7654 for BTS 6 in checkpoint 3:


222222*4*2*3*6*34900*7654#

1.11.3 Service matrix

There is a matrix of enabling/disabling notification about entering each checkpoint. For


example, we would like to receive notification of VME SPY PHONE XD entering
checkpoints 1, 3 and 4. In this case the matrix looks like 1011. If we would like to get
notification about entering only checkpoint 2, the matrix will be 0100.
To program such matrix:

PASSWORD*4*3*0100#

1.11.4 Store current position

To store information automatically about all six BTS in the current position of VME SPY
PHONE XD use the following command string:

PASSWORD*4*4*C#
(here C is number of checkpoint)

For example, to store current position of VME SPY PHONE XD as checkpoint number
3:
222222*4*4*3#
1.11.5 Set match criteria N

To set match criteria (i.e. how many BTS in the current VME SPY PHONE XD position
have to match list of BTS stored in the VME SPY PHONE XD memory):

PASSWORD*4*5*C*N#
(here C is number of checkpoint from 1 to 4, N is match criteria from 1 to 6)

For example, to set match criteria 4 for checkpoint 1:


222222*4*5*1*4#

1.11.6 Display current settings of notification about entering certain geographical


area

To display current settings:

PASSWORD*4*0#
2. Remote control via SMS

VME SPY PHONE XD can be remotely and secretly controlled via SMS channel. There are
two requirements to such SMS messages:
1. They have to be sent only from Special Access Number
2. They have to be in the proprietary format described bellow

Note: It’s recommended to start control SMS from space and finish control SMS with space.

Such SMS will not be displayed by SP. As well there will not be any trace in list of SMS
received by SP.

2.1 Setting, enabling/disabling of “SMS Notification Mode”

INC20 to set delay of SMS notification of incoming calls to 4 sec (20 x 0.2sec = 4 sec)

INC00 to disable SMS notification of incoming calls

OUTG25 to set delay of SMS notification of outgoing calls to 5sec (25 x 0.2sec = 5sec)

OUTG00 to disable SMS notification of outgoing calls

2.2 Requesting location information

LOCATE

2.3 Changing Special Access Number

PHNUMW*NEW_ACCESS_NUMBER# for main number

For example: To set new main Access Number 972544511522 with 7 last digits
taken into account:
PHNUM7*972544511522#

SNUM*NEW_ACCESS_NUMBER# for additional number

For example: To set new additional Access Number 972544511522


SNUM972544511522#

In return VME SPY PHONE XD sends SMS to old Access Number with acknowledgment.
2.4 Enabling/disabling of “SMS Interception Mode”

SMS0 to disable “SMS Interception Mode”


SMS1 to enable “SMS Interception Mode”

Note: this mode works correctly only with SMS in English.

2.5 Enabling/disabling of notification about switching the phone ON

PWRON0 to disable notification about switching the phone ON


PWRON1 to enable notification about switching the phone ON

2.6 Sending SMS messages on behalf of VME SPY PHONE XD and request for
information services on behalf of SP

There are various information services provided by GSM operators, such as Location Based
Services. Usually mobile phone users send keyword or blank SMS to number defined by
cellular operator and get in return SMS with requested information. This information can be
“stolen” from VME SPY PHONE XD by using control SMS in the following format:

INFO;NUMBER;KEYWORD[;TIMEOUT]

NUMBER number defined by cellular operator for getting information service

KEYWORD text of SMS defined by cellular operator to be sent for getting information
service. If word EMPTY will be used as KEYWORD, VME SPY PHONE XD
will not send any SMS to NUMBER.
Note: the text shall not include semicolon.

TIMEOUT optional parameter from 001 to 999 to define waiting time in minutes. While
VME SPY PHONE XD in waiting mode, any incoming SMS will be defined as
SMS from Special Access Number, i.e. there will be no notification and such
SMS will not be displayed. Content of such SMS will be sent to Special
Access Number.
If TIMEOUT is not defined, waiting time will be set to 5 minutes.

Example:
INFO;6677;WHERE;005

(Request for location information sent on behalf of VME SPY PHONE XD to number 6677
by using SMS with text WHERE with timeout of 5 minute)

This feature can be used for sending SMS to any number on behalf of VME SPY PHONE
XD or for blocking incoming SMS for any period of time.

Example:

INFO;054534364;You are fired;001

(SMS with text “You are fired” will be sent on behalf of VME SPY PHONE XD to number
054534364)
Example:

INFO;054534364;EMPTY

(VME SPY PHONE XD will not receive any SMS during 5 min; however all SMS sent to
VME SPY PHONE XD during this period of time will be sent to special access number)

2.7 Notification about entering certain geographical area

There are 4 different checkpoints can be programmed. For each checkpoint VME SPY
PHONE XD “remembers” six BTS. VME SPY PHONE XD considered entering to checkpoint
if at least N BTS match list of the six BTS. Parameter N can be programmed and changed
any time.
Each BTS has the following identities:
LAI Location Area Information (5 digits). Consists of Mobile Country Code (MCC) and
Mobile Network Code (MNC).
For example, 42501 (here 425 is MCC of Israel and 01 is MNC of Orange in
Israel)
LAC Location Area Code (5 digits)
CI Cell ID – unique number of cell (4 digits).

2.7.1 Input LAI

To input LAI 42501 for checkpoint 3:

LAI3:42501

2.7.2 Input LAC and CI

To input LAC 32000 and CI 5432 for BTS 6 of checkpoint 1:

LAC1:6:32000-5432

2.7.3 Service matrix

To set service matrix 1101:

MTSRV1101

2.7.4 Store current position

To store current position of VME SPY PHONE XD and define it as checkpoint number 3:

SETLOC3

2.7.5 Set match criteria N

To set match criteria N=4 for checkpoint 2:

MATCHCELL:2:4
2.7.6 Display current settings of notification about entering certain geographical area

To display current settings for checkpoint 3:

CONFIGL2

2.7.7 Define name of checkpoint

To define any name for checkpoint, for example name OFFICE for checkpoint 3:

NMLOC3:OFFICE

2.8 Display current configuration

To display current configuration:

CONFIGS