informis/textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
master
textfiles/phreak/CELLULAR/cellcomp.phk
root@procul 278a90f7ce Initial commit
2021-04-15 13:31:59 -05:00

269 lines
15 KiB
Plaintext
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

The following file is a verbatim transcript of an article by the same name appearing in the
November, 1992 issue of NUTS & VOLTS Magazine. Copyright (c) 1992 Damien Thorn and
T & L Publications. Permission is granted to freely distribute this file in unmodified form.
Identifying board headers may be added as desired.
A CELLULAR COMMUNICATIONS PRIMER
By Damien Thorn
INTRODUCTION
The specific technologies involved in the cellular network are highly complex, comprised of a
vast array of computers, control equipment, transceivers, multiplexers, switching equipment, etc.
The theory and principals of operation which we'll cover here are much easier to comprehend.
With this article you'll learn the basics, and how you can profit from that understanding. Next
month I'll show you how to reprogram a cellular phone through the keypad.
Cellular telephones are viewed by most users as simply another phone, albeit cordless. A cellular
mobile telephone (CMT) emulates a landline set so credibly that the deepest technical concern
for most people is remembering how to make the phone dial a frequently called number stored
in memory. The comfort and familiarity of the phones are by design, I'm sure. To a public that
has difficulty programming a VCR, the reality of cellular technology would be overwhelming and
perhaps somewhat frightening.
Cellular phones are little more than low power transceivers capable of transmitting and receiving
a total of 666 or 832 frequencies, depending on the model. They operate in a full-duplex mode,
transmitting the mobile side of the conversation on one frequency while simultaneously receiving
the other side from the cell site on a different frequency. A basic multi-channel two-way radio
under the control of some powerful software. The network itself is where the engineering genius
becomes apparent.
OVERVIEW OF NETWORK ARCHITECTURE
The cellular network consists of a honeycomb of transceiver sites (towers), each capable of
handling up to about 40 separate cellular calls. Each site has an effective range of 3-5 miles.
The term "cell" is derived from the size and shape of the site's coverage pattern, and the
arrangement of the cell sites. The various sites in each city are all linked together through the
mobile telephone switching office (MTSO). The MTSO not only coordinates the use of the radio
spectrum, but utilizes computers to authenticate a subscriber's phone before making the
connection and maintains billing records. The MTSO also serves as the interface point with the
landline telephone company for cellular calls.
As you drive through town the MTSO monitors the relative signal strength of the transmission
from your phone. When the signal strength becomes higher in any cell other than the one
handling your call, the MTSO uses a frequency known as a control channel to transmit data to
your phone telling it to switch frequencies and lock into another cell. This "hand off" from one
cell to another happens so quickly that most people never notice the transition from one
frequency or cell site to the next. This is noteworthy because the hand off required your phone
to change transmit and receive frequencies, while the cellular network not only reestablished
radio contact with you on another transceiver, but rerouted the landline audio to that cell site as
well.
The cell site is generally located in the center of the cell. This is where the antennas,
transceivers and control equipment are located that serve that cell. Due to the limited coverage
area of the cell, these cell sites are located a maximum of ten miles from each other to provide
uninterrupted coverage without "dead spots" - areas where your phone cannot operate because
you're out of range of a cell.
Since most markets are served by two cellular service providers who do not share cell sites, there
are actually twice as many cells (and cell sites) than would be required for one provider to supply
service. In the past I've worked at radio station transmitter sites that leased tower space to
cellular companies, but I never realized how prolific these cell sites were until I studied the
technology and looked closely at the antennas around me. Where ever your phone works, you're
within three to five (line of sight) miles of a at least two sites, and probably more since coverage
areas overlap. The adjacent cells never share common frequencies to avoid interference.
Cellular sites come in different forms. In congested metropolitan areas the transceiver sites may
be located on taller buildings. In other areas they are located on stand alone towers. Towers can
either be built by the cellular carrier for their exclusive use, or the cellular antenna array can
share a common tower (an "antenna farm") with other radio and broadcast services.
No matter where the antennas are located, they can be recognized easily by their unique three-
sided configuration. Refer to the accompanying photos for examples of two common types of
cellular arrays. When I asked both cellular carriers based in Sacramento to disclose the location
of their cell sites in my area, they refused. The customer relations representatives indicated the
information was confidential - almost a trade secret. I left voice mail messages with their
engineers describing the information I wanted. Neither even returned my call.
The implications of this guarded attitude are interesting, and more than a bit disconcerting.
Fortunately the FCC maintains public records on all transmitter licensees, and the California
Public Utilities Commission (CPUC) requires cellular companies to file abstracts with them
containing the information I wanted. The CPUC even told me the name of the person who
would be available to help me dig through the abstracts and make photocopies. I didn't bother,
but it was nice to see my tax dollars at work for my benefit.
OPERATING FREQUENCIES
The frequency spectrum allocated by the FCC used by the phone to transmit voice and data to
the cell site is 824.000 - 849.000 Mhz. The tower transmits to the phone on a spectrum of the
same size from 869.000 to 894.000 Mhz. The cellular frequencies are narrow band FM, all
spaced 30 Khz apart, so determining every specific frequency is a matter of simple addition.
For example, knowing the lowest frequency used by a cell site is 869.000 Mhz, simply increment
upward in 30 Khz steps: 869.030, 869.060, 869.090, 869.120, etc. The frequencies used by the
phone for transmission to the tower increment upward the same way from 824.000 Mhz.
The frequencies are paired so that the phone is always transmitting to the tower on a frequency
exactly 45 Mhz lower than the frequency the tower is using. If the landline (base) side of the
call is transmitted to the phone on 887.940 Mhz, then the phone is simultaneously transmitting
the mobile side of the call back to the cell site on 842.940 Mhz.
Cell sites generally transmit the mobile side of the call at reduced gain back to the cellular phone
along with the audio from the landline side of the call. This can be intentional, as in the "side
tone" present in a standard landline telephone receiver, or the result of poor nulling where the
cellular network interfaces with the Telco lines. This means anyone with a receiver or scanner
capable of tuning the upper frequency in the pair can monitor both sides of the conversation.
It is illegal to do so, however.
CELLULAR COMMUNICATIONS PRIVACY
To calm fears that cellular calls were not private, the cellular industry lobbied congress into
passing legislation known today as the Electronic Communication Privacy Act (ECPA) of 1986
which makes it a crime to monitor cellular phone calls and a host of other transmissions like
digital pagers. This law is used by cellular equipment dealers and service providers to reassure
customers that their conversations will remain private.
A person using a cellular phone is broadcasting his private conversation on airwaves owned by
the general public. These radio signals permeate our homes, bodies, and scanning receivers. Yet
so complete is the cellular transceiver's emulation of an actual telephone that the general public
not only expects privacy, but feels confident that the call is secure. Nobody could possibly be
sitting in the privacy of their living room monitoring the conversation. That would be a Federal
crime.
The ECPA has been described as a "toothless tiger" as it is virtually unenforceable. A growing
number of scanner enthusiasts are monitoring cellular calls rather than the local fire department
because it is much more entertaining. The ECPA is ignored by the public and law enforcement
alike, just like the laws remaining on the books that make it illegal to work on Sunday.
The bottom line is that it is up to you and I to ensure the privacy of our cellular calls. If you
don't want to use a scrambling system, simply don't talk about anything on a cellular phone that
you wouldn't discuss using your rig on the amateur bands.
TELEPHONE CONTROL DATA
With this simplified overview of the cellular network under your belt, let's dig a little deeper into
the data exchanged by the cellular carrier and your phone. Obviously there is more information
being sent by your phone to the cellular company than your conversation. The service provider
needs to identify your physical phone, cellular phone number, etc. This is accomplished via data
transmitted by your phone on a frequency set aside as a "data channel" in each cell every time
you turn it on or use it.
Your phone transmits six pieces of information to the cellular provider. One is the Electronic
Serial Number (ESN) of your phone.
Every cellular phone is assigned an ESN when manufactured. This ESN consists of numerical
data which identify the manufacturer of the phone as well as the actual unique serial number of
the specific phone. The ESN is an eleven digit (decimal) number which has been burned into
a PROM chip permanently installed in the phone. Like the Vehicle ID Number (VIN) on your
car, it is not designed to be removed or modified, although hackers occasionally do in order to
circumvent billing procedures (see sidebar).
One other item transmitted is your Mobile Identification Number (MIN) which is the actual ten
digit area code and telephone number assigned to your phone. The remainder are numerical
codes used by the cell site to identify things like your class of service and the specific
capabilities of your phone hardware. This data is supplied when you activate service with the
carrier.
The ESN and MIN are matched and checked by computer against a database each time you use
the phone to ensure that you are a valid subscriber, or roaming from a system the carrier can bill
for your calls.
All of this information (except the ESN) is provided by the cellular carrier and programmed into
your phone when you subscribed to their service. The vast majority of cellular phones
manufactured today are reprogrammable through the handset. This means that you can change
(reprogram) this information yourself without costly programming devices simply by entering the
proper keystrokes on the telephone handset, and punching in the data.
This knowledge opens up a number of possibilities. If you activate or change your cellular
service, you can program the phone yourself with data supplied by the cellular carrier and save
paying any type of reprogramming fee. If you're looking to acquire equipment, you can canvass
flea markets, swap meets and the pages of classified ad magazines such as Nuts & Volts for great
deals on used phones. Not only will you enjoy savings on the hardware, but you'll only need
to pay the cellular company to activate service, since you can program the phone yourself.
In my article next month in Nuts & Volts I'll explain all the data programmed into a phone,
explain what it means, and lead you step by step through the handset programming of a popular
phone. This information is an important reference for those who may just want to do something
simple like change the unlock code on the phone. We'll also take a look at the publications
available through Nuts & Volts advertisers that explain cellular telephone reprogramming and
modification in depth.
******************************************************************************
BUYING USED CELLULAR GEAR
A FEW CAVEATS
When shopping the classifieds, flea markets and electronics swap meets for great deals on used
cellular telephones, keep the following points in mind to avoid getting "burned."
Cellular phones are a major target of theft in some cities. They appeal to criminals such as drug
dealers because they allow anonymous and virtually untraceable communication from a vehicle
or street corner. The phone is discarded as useless when the service is disconnected, and such
units may unwittingly be resold with other used equipment. There is no real way to discern this
other than to phone your local cellular service provider to see if the phone's ESN is flagged in
their computer as having been stolen.
The other type of phone to avoid is one that has been physically modified. Hackers have been
known to replace the factory PROM chip containing the ESN with a custom burned chip, thus
changing the ESN. If this is done for the purpose of fraudulently making free calls, the ESN
chip must be changed periodically as the cellular carrier discovers the fraud associated with that
ESN.
Detection of this type of modification is easy. Cellular manufacturers as a rule do NOT use a
socket to hold the ESN chip. The PROM is usually not only soldered to the board, but sealed
in epoxy or "air welded" to the circuit board to discourage this type of modification. An IC
socket is usually installed by the hacker to facilitate easy insertion of updated PROM as
necessary.
No reputable service center will repair a phone if it appears someone has tampered with the ESN,
and might call the police if presented with such a phone.
The vast majority of equipment you'll find on the open market is genuine surplus or used
merchandise. With the above information in mind you can examine the phone and be confident
about your decision to make a purchase.
******************************************************************************
AUTHOR BIOGRAPHY
(For publication)
Damien Thorn's interest in electronics has deep roots. A noted "hacker" and "phone phreak" by
age sixteen, he contributed regularly to the underground newsletter "TAP." Today Damien is
an on-air radio personality and FCC licensed engineer in California's San Joaquin Valley. His
interests include computers, communications, security and privacy issues. He welcomes questions
and comments. You can reach him at 6333 Pacific Ave. #203, Stockton, CA 95207-3713 or via
E-Mail at one of the following: DrDamien@Delphi.com via Internet mail, on CompuServe at
75720,2104, or on Delphi as DrDamien.

Reference in New Issue View Git Blame Copy Permalink