informis/textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/phreak/CELLULAR/cellular.rdt
root@procul 278a90f7ce Initial commit
2021-04-15 13:31:59 -05:00

751 lines
37 KiB
Plaintext
Raw Blame History

C e l l u l a r T e l e p h o n y
by
B r i a n O b l i v i o n
A -=Restricted -=Data -=Transmission
The benefit of a mobile transceiver has been the wish of experimentors
since the late 1800's. To have the ablility to be reached by another
man despite location, altitude, or depth has had high priority in
communication technology throughout its history. Only until the late
1970's has this been available to the general public. That is when
Bell Telephone (the late MaBell) introduced the Advanced Mobile
Phone Service, AMPS for short.
Cellular phones today are used for a multitude of different jobs.
They are used in just plain jibber-jabber, data transfer(I will
go into this mode of cellular telephony indepth later), corporate
deals, surveillance, emergencies, and countless other applications.
The advantages of cellular telephony to the user/phreaker are
obvious:
1. Difficulty of tracking the location of a transciever
(especially if the transciever is on the move) makes
it very difficult to locate
2. Range of the unit within settled areas
3. Scrambling techniques are feasible and can be made to
provide moderate security for most transmissions.
4. The unit, with modification can be used as a bug, being
called upon by the controlling party from anywhere on
the globe.
5. It with the right knowledge one can modify the cellular
in both hardware and software to create a rather diverse-
iffied machine that will scan, store and randomly change
ESN's per call there by making detection almost impossible.
I feel it will be of great importance for readers to understand the
background of the Cellular phone system, mainly due to the fact that
much of the pioneering systems are still in use today. The first
use of a moblie radio came about in 1921 (remember prohibition?)
by the Detroit police department. This system operated at 2Mhz. In
1940, frequencies between 30 and 40Mhz were made available to and
soon became overcrowded. The trend of overcrowding continues today.
In 1946, the FCC declared a 'public corresponence system' called,
or rather classified as "Domestic Public Land Mobile Radio Service"
(DPLMRS) at 35 - 44 Mhz band that ran along the highway between
New York and Boston. Now the 35-44MHz band is used mainly by Amateur
radio hobbiest's due to the bands susceptibility to skip-propogation.
These early mobile radio systems were all PTT(push-to-talk) systems
that did not enjoy todays duplex conversations. The first real
mobile 'phone' system was the 'Improved Mobile Telephone Service'
or the IMTS for short, in 1969. This system covered the spectrum
from 150 - 450MhHz, sported automatic channel selection for each
call, eliminated PTT, and allowed the customer to do thier own
dialing. From 1969 to 1979 this was the mobile telephone service
that served the public and business community, and it is still
used today.
IMTS frequencies used(MHz):
Channel Base Frequency Mobile Frequency
VHF Low Band
ZO 35.26 43.26
ZF 35.30 43.30
ZH 35.34 43.34
ZA 35.42 43.32
ZY 34.46 43.46
ZC 35.50 43.50
ZB 35.54 43.54
ZW 35.62 43.62
ZL 35.66 43.66
VHF High Band
JL 152.51 157.77
YL 152.54 157.80
JP 152.57 157.83
YP 152.60 157.86
YJ 152.63 157.89
YK 152.66 157.92
JS 152.69 157.95
YS 152.72 157.98
YA 152.75 158.01
JK 152.78 158.04
JA 152.81 158.07
UHF Band
QC 454.375 459.375
QJ 454.40 459.40
QO 454.425 459.425
QA 454.45 459.45
QE 454.475 459.475
QP 454.50 459.50
QK 454.525 459.525
QB 454.55 459.55
QO 454.575 459.575
QA 454.60 459.60
QY 454.625 459.625
QF 454.650 459.650
VHF High frequencies are the most popular frequencies of all
the IMTS band. VHF low bands are used primarily in rural areas
and those with hilly terrain. UHF bands is primarily used in cities
where the VHF bands are overcrowded. Most large cities will find
at least one station being used in their area.
ADVANCED MOBILE PHONE SYSTEM
The next step for Mobile telephone was made in 1979 by Bell
Telephone, again (gee.. where was the competition?), introducing
the Advanced Mobile Phone Service. This service is the focus
of this document, which has now taken over the mobile telephone
industry as the standard. What brought this system to life
were the new digital technologies of the 1970's. This being
large scale integrated custom circuits and microprocessors.
Without these technologies, the system would not have been
economically possible.
The basic elements of the cellular concept have to do with
frequency reuse and cell splitting.
Frequency reuse refers to the use of radio channels on the same
carrier frequency to cover different areas which are seperated by
a signifigant distance. Cell splitting is the ability to split
any cell into smaller cells if the traffic of that cell requires
attitional frequencies to handle all the area's calls. These two
elements provide the network an opportunity to handle more simul-
taneous calls, decrease the transmitters/receivers output/input
wattage/gain and a more universal signal quality.
When the system was first introduced, it was allocated 40mHz in
the frequency spectrum, divided into 666 duplex radio channels
providing about 96 channels per cell for the seven cluster
frequency reuse pattern. Cell sites (base stations) are located
in the cells which make up the cellular network. These cells
are usually represented by hexagons on maps or when developing
new systems and layouts. The cell sites contain radio, control,
voice frequency processing and maintnence equipment, as well as
transmitting and receiving antennas. The cell sites are inter-
connected by landline with the Mobie Telecommunications Switching
Office (MTSO).
In recent years, the FCC has added 156 frequencies to the Cellular
bandwidth. This provides 832 possible frequencies available to
each subscriber per cell. All new cellular telephones are built
to accomodate these new frequencies, but old cellular telephones
still work on the system. How does a cell site know if the unit
is old or new? Let me explain.
The problem of identifying a cellular phones age is done by the
STATION CLASS MARK (SCM). This Numer is 4 bits long and broken
down like this:
Bit 1: 0 for 666 channel usage (old)
1 for 832 channel usage (new)
Bit 2: 0 for a mobile unit(in vehical)
1 for voice-activated transmit (for protables)
Bit 3-4: Indentify the power class of the unit
Class I 00 = 3.0 watts Continuous Tx's 00XX...DTX <> 1
Class II 01 = 1.2 watts Discont. Tx's 01XX...DTX = 1
Class III 10 = 0.6 watts reserved 10XX, 11XX
Reserved 11 = --------- Letters DTX set to 1 permits
use of discontinuous trans-
missions
Cell Sites: How Cellular telephones get their name
Cell sites, as mentioned above are layed out in a hexagonal type
grid. Each cell is part of a larger cell which is made up of
seven cells in the following fashion:
|---| ||===|| |---| |---| |---| |---
/ \ // \\ / \ / \ / \ /
| |===|| 2 ||===|| ||===|| |---| |---|
\ // \ / \\ // \\ / \ / \
|---|| 7 |---| 3 ||==|| 2 ||==|| |---| |---|
/ \\ / \ // \ / \\ Due to the \
| ||---| 1 |---|| 7 |---| 3 ||--| difficulty of |
\ // \ / \\ / \ // \ representing /
|--|| 6 |---| 4 ||--| 1 |---|| |graphics with |
/ \\ / \ // \ / \\ / ascii characters\
| ||==|| 5 ||==|| 6 |---| 4 ||--| I will only show |
\ / \\ // \\ / \ // \ two of the cell /
|---| ||===|| ||===|| 5 ||==|| |types I am trying-
/ \ / \ / \\ // \ / to convey. \
| |---| |---| ||==|| |---| |---| |
\ / \ / \ / \ / \ / \ /
|---| |---| |---| |---| |---| |---|
As you can see, each cell is a 1/7th of a larger cell. Where one(1)
is the center cell and two(2) is the cell directly above the center.
The other cells are number around the center cell in a clockwise
fashion, ending with seven(7). The cell sites are equiped with
three directional antennas with an RF beamwidth of 120 degrees
providing 360 degree coverage for that cell. Note that all cells
never share a common border. Cells which are next to each other
are obviously never assigned the same frequencies. They will
almost always differ by at least 60 Khz. This also demonstrates
the idea behind cell splitting. One could imagine that the parimeter
of one of the large cells was once one cell. Due to a traffic
increase, the cell had to be sub-divided to provide more channels
for the subscribers. Note that subdivisions must be made in factors
of seven.
There are also Moblie Cell sites, which are usually used in the
transisitional period during the upscaling of a cell site due to
increased traffic. Of course, this is just one of the many uses of
this component. Imagine you are building a new complex in a very
remote location. You could feasibly install a few mobile cellular
cell sites to provide a telephone-like network for workers and
executives. The most unique component would be the controller/
transceiver which provides the communications line between the
cell site and the MTSO. In a remote location such a link could
very easily be provided via satellite up/down link facilities.
Lets get into how the phones actually talk with eachother. There
are several ways and competitors have still not set an agreed upon
standard.
Frequency Division Multiple Access (FDMA)
This is the traditional method of traffic handling. FDMA is a
single channel per carrier analog method of transmitting signals.
There has never been a definate set on the type of modulation to
be used. There are no regulations requiring a party to use a single
method of modulation. Narrow band FM, single sidband AM, digital, and
spread-spectrum techniques have all been considered as a possible
standard. But none hae yet to be chosen.
FDMA works like this: Cell sites are constantly searching out
free channels to start out the next call. As soon as a call finishes
the channel is freed up and put on the list of free channels. Or, as
a subscriber moves from one cell to another the new cell they are in
will hopefully have an open channel to recieve the current call in
progress and carry it through its location. This process is called
handoff, and will be discussed more indepth further along.
Other proposed traffic handling schemes include Time-Division
Multiple Acces (TDMA), Code-Division Multiple Access(CDMA), and
Time-Division/Frequency Division Multiple Access.
Time Division Multiple Access
With TDMA calls are simultaneously held on the same channels, but
are mutiplexed between pauses in the conversation. These pauses
occur in the way people talk and think, and the telephone company
also injects small delays on top of the conversation to accommodate
other traffic on that channel. This increase in the length of the
usual pause results in a longer amount of time spent on the call.
Longer calls result in higher cost of the call.
Code Division Multiple Access
This system has been used in mobile military communications for the
past 35 years. This system is digital and breaks up the digitized
conversation into bundles, compressed, sent, then decompressed and
converted back into analog. There are said increases of throughput
of 20 : 1 but CDMA is susceptible to interference which will result
in packet retransmission and delays. Of course error correction can
can help in data integrity, but will also result in a small delay in
throughput.
Time-Dvision/Frequency Division Multiple Access
TD/FDMA is a relatively new system which is an obvious hybrid of
FDMA and TDMA. This system is mainly geared towards the increase
of digital transmission over the cellular network. TD/FDMA make
it possible to transmit signals from base to moblie without
disturbing the conversation. With FDMA there are signifigant
disturbances during handoff with prevent continual data transmission
from site to site. TD/FDMA make it possible to transmit control
signals by the same carrier as the data/voice thereby ridding
extra channel usage for control.
Cellular Frequency Usage and channel allocation
There are 832 cellular phone channels which are split into two
seperate bands. Band A consists of 416 channels for non-wireline
services. Band B consists equally of 416 channels for wireline
services. Each of these channels are split into two frequencies
to provide duplex operation. The lower frequency is for the mobile
unite while the other is for the cell site. 21 channels of each
Band are dedicated to 'control' channels and the other 395 are
voice channels. You will find that the channels are numbered from
1 to 1023, skipping channels 800 to 990.
I found these handy-dandy equations that can be used for calculating
frequencies from channels and channels from frequencies.
N = Cellular Channel # F = Cellular Frequency
B = 0 (mobile) or B = 1 (cell site)
CELLULAR FREQUENCIES from CHANNEL NUMBER:
F = 825.030 + B * 45 + ( N + 1 ) * .03
where: N = 1 to 799
F = 824.040 + B * 45 + ( N + 1 ) * .03
where: N = 991 to 1023
CHANNEL NUMBER from CELLULAR FREQUENCIES
N = 1 + (F - 825.030 - B * 45) / .03
where: F >= 825.000 (mobile)
or F >= 870.030 (cell site)
N = 991 + (F - 824.040 - B * 45) / .03
where: F <= 825.000 (moblie)
or F <= 870.000 (base)
Now that you have those frequencies, what to do with them. Well,
for starters, one can very easily monitor the cellular frequencies
with most hand/base scanners. Almost all scanners pre-1988 have
some coverage of the 800 - 900 MHz band. All scanners can
monitor the IMTS frequencies.
Remember that cellular phones operate on a full duplex channel.
That means that one frequency is used for transmission and the
other is used for receiving, each spaced exactly 30 Khz apart.
Remember also that the base frequencies are 45MHz higher than
the cellular phone frequencies. This can obviously make
listening rather difficult. One way to listen to both parts of
the conversation would be having two scanners programmed 45 Mhz
apart to capture the entrire conversation.
The upper UHF frequency specrum was 'appropriated' by the Cellular
systems in the late 1970's. Televisions are still made to
recieve up to channel 83. This means that you can recieve much
of the cellular system on you UHF receiver. One television channel
occupies 6Mhz of bandwidth. This was for video, sync, and audio
transmission of the channel. A cellular channel only takes up
24 KHz plus 3KHz set up as a guard band for each audio signal.
This means that 200 cellular channels can fit into one UHF
television channel. If you have an old black and white television
drop a variable cap in there to increase the sensistivity of the
tuning. Some of the older sets have coarse and fine tuning knobs.
Some of the newer, smaller, portable television sets are tuned by
a variable resistor. This make modifications MUCH easier, for now
all you have to do is drop in there a smaller value pot and
tweak away. I have sucessfully done this on two televisions.
Most users will find that those who don't live in a city will
have a much better listening rate per call. In the city, the cells
are so damn small that handoff is usually every other minute.
Resulting in chopped conversations.
If you wanted to really get into it, I would suggest to obtain an
old Television set with decent tuning controls and remove the RF
section out of the set. You don't want all that hi-voltage circuitry
lying around(flyback and those caps). UHF recievers in televisions
downconvert UHF frequencies to IF (intermediate frequencies) between
41 and 47 MHz. These output IF frequencies can then be run into a
scanner set to pick-up between 41 - 47 MHz. Anyone who works with
RF knows that it is MUCH easier to work with 40MHz signals than working
with 800MHz signals (not to far away from Ghz.. mmmmmmm.. Waveguides
are just sooo much fun). JUST REMEMBER ONE THING!!!! Isolate the
UHF reciever from your scanner by using a coupling capacitor(.01 -
.1 microfarad(50V min.) will do nicely)!!!! You don't want any of
those biasing voltages creeping into your scanners recieving
AMPLIFIERS!!! Horrors. Also, don't forget to gound both the scanner
and reciever.
Some systems transmit and recieve the same cellular transmission
on the base frequencies. There you can simply hang out on the
base frequency and capture both sides of the conversation. The
handoff rate is much higher in high traffic areas leading the listener
to hear short or choppy conversations. At times you can listen in
for 5 to 10 minutes per call, depending on how fast the caller is
moving through the cell site.
TV Cell & Channel Scanner TV Oscillator Band
Channel Freq.& Number Frequency Frequency Limit
===================================================================
73 (first) 0001 - 825.03 45.97 871 824 - 830
73 (last) 0166 - 829.98 41.02 871 824 - 830
74 (first) 0167 - 830.01 46.99 877 830 - 836
74 (last) 0366 - 835.98 41.02 877 830 - 836
75 (first) 0367 - 836.01 46.99 883 836 - 842
75 (last) 0566 - 841.98 41.02 883 836 - 842
76 (first) 0567 - 842.01 46.99 889 842 - 848
76 (last) 0766 - 847.98 41.02 889 842 - 848
77 (first) 0767 - 848.01 46.99 895 848 - 854
77 (last) 0799 - 848.97 46.03 895 848 - 854
All frequencies are in MHz
You can spend hours just listening to cellular telephone conversations
but I would like to mention that it is illegal to do so. Yes, it is
illegal to monitor cellular telephone conversations. It just another
one of those laws like removing tags off of furniture and pillows.
It's illegal, but what the hell for? Its also illegal to spit on
the sidewalks here in Massachusetts, yet you can carry a shotgun
on sundays with you to mass(thats still in the books. Obviously
it was for the original settlers). At any rate, I just want you
to understand that doing the following is in violation of the law.
Now back to the good stuff.
Conversation is not only what an avid listener will find on the
cellular bands. One will also hear call/channel setup control
data streams, dialing, and other control messages. At times,
a cell site will send out a full request for all units in its
cell to indentify itself. The phone will then respond with the
appropriate identification on the corresponding control channel.
Whenever a moblie unit is turned on, even when not placing a call,
whenever there is power to the unit, it transmits its phone
number and its 8-digit ID number. The same process is done when
an idling phone passes from one cell to the other. This process
is repeated for as long as there is power to the unit. This allows
the MTSO to 'track' a mobile through the network. That is why it is
not a good reason to use a mobile phone from one site. They do have
ways of finding you. And it really is not that hard. Just a bit
of RF Triangulation theory and you're found. However, when the
power to the unit is shut off, as far as the MTSO cares, you never
existed in that cell, of course unless your unit was flagged for some
reason. MTSO's are basically just ESS sytems designed for mobile
applications. This will be explained later within this document.
It isn't feasible for the telephone companies to keep track of each
customer on the network. Therefore the MTSO really doesn't know
if you are authorized to use the network or not. When you purchase
a cellular phone, the dealer gives the units phone ID number to the
local BOC, as well as the number the BOC assigned to the customer.
When the unit is fired up in a cell site its ID number and phone
number is transmitted and checked. If the two numbers are registered
under the same subscriber, then the cell site will allow the mobile
to send and recieve calls. If they don't match, then the cell will
not allow the unit to send or recieve calls. Hence, the most
successful way of reactivating a cellular phone is to obtain an
ID that is presently in use and modifying your rom/prom/eprom for
your specific phone.
RF and AF Specifications:
Everything that you will see from here on out is specifically
Industry/FCC standard. A certian level of compatibility has
to be maintained for national intercommunications, therefore
a common set of standards that apply to all Cellular telephones
can be compiled and analyzed.
Transmitter Mobiles: audio transmission
- 3 kHz to 15 kHz and 6.1 kHz to 15 kHz
- 5.9 kHz to 6.1 kHz 35 dB attenuation
- Above 15 kHz, the attenuation becomes 28 dB
- All this is required after the modulation limiter and before
the modulation stage
Transmitters Base Stations: audio transmission
- 3 kHz to 15 kHz
- Above 15 kHz, attenuation required 28 dB
- Atennuation after modulation limiter - no notch filter required
RF attenuation below carrier Transmitter: audio transmission
- 20 kHz to 40 kHz, use 26 dB.
- 45 kHz to 2nd harmonic, the specification is 60 dB or 43 + 10 log
of mean output power
- 12 kHz to 20 kHz, attenuation 117 log f/12
- 20 kHz to 2nd harmonic, there is a choice: 100 log F/100 or 60 dB
or 43 log + 10 log of mean output power, whichever is less.
Wideband Data
- 20 kHz to 45 kHz, use 26 dB
- 45 kHz to 90 kHz, use 45 dB
- 90 kHz to 2nd harmonic, either 60 dB or 43 + 10 log mean output
power
- all data streams are encoded so that NRZ (non-return-to-zero)
binary ones and zeroes are now zero-to-one and one-to-zero
transitions respectively. Wideband data can then modulate
the transmitter carrier by binary frequency shift keying(BFSK)
and ones and zeroes into the modulator must now be equivalent
to nominal peak frequency deviations of 8 kHz above and below
the carrier frequency.
Supervisory Audio Tones
- Save as RF attenuation measurements
Signaling Tone
- Same as Wideband Data but must be 10 kHz +/- 1 Hz and produce a
nominal frequency deviation of +/- 8 kHz.
The previous information will assist any technophile to modify or
even troubleshoot his/her cellular phone. Those are the working
guidelines, as I stated previously.
UNIT IDENTIFICATION
Each mobile unit is identified by the following sets of numbers.
The first number is the Moblie Identification Number (MIN). This
34 bit binary number is derived from the units telephone number,
MIN1 is the last seven digits of the telephone number and MIN2 is
the area code.
For demonstrative purposes, we'll encode 617-637-8687.
Here's how to derive the MIN2 from a standard area code. In this
example, 617 is the area code. All you have to do is first convert
to modulo 10 using the following function. A zero digit would be
considered to have a value of 10.
100(first number) + 10(second) +1(third) - 111 = x
100(6) + 10(1) + 1(7) - 111 = 506
(or you could just - 111 from the area code.)
Then convert it to a 10-bit binary number: 0111111010
To derive MIN1 from the phone number is equally as simple. First
encode the next three digits, 637.
100(6) + 10(3) + 1(7) - 111 = 526
Converted to binary: 1000001110
The remainder of the number 8687, is processed further by taking
the first digit, eight(8) and converting it directly to binary.
8 = 1000 (binary)
The last three digits are processed as the other two sets of
three numbers were processed.
100(6) + 10(8) + 1(7) - 111 = 576
Converted to binary: 1001000000
So the completed MIN number would look like this:
|--637---||8-||---687--||---617--|
1000001110100010010000000111111010
\________/\__/\________/\________/
A unit is also identifiable by its Electronic Serial Number or
ESN. This number is Factory Preset and is usually stored in a
ROM chip, which is soldered to the board. It may also be found
in a 'computer on a chip', which are the new microcontrollers
which have rom/ram/microprocessor all in the same package. This
type of setup usually has the ESN and the software to drive the
unit all in the same chip. This makes is significantly harder
to dump, modify and replace. But it is far from impossible.
The ESN is a 4 byte hex or 11-digit octal number. I have encountered
mostly 11-digit octal numbers on the casing of most celluar phones.
the first three digits represent the manufacturer and the remaining
eight digits are the units ESN. I'll go more into the ESN later in
the document.
The Station Class Mark (SCM) is also used for station identification
by providing the station type and power output rating. This was
already discussed in a previous section.
The System IDentification (SID number is a number wich represents
the mobile's home system. This number is 15-bits long and a list
of current nationwide SID's should either be a part of this file
or it will be distrubted along with it.
In the next issue we'll discuss the Control channels, signalling
formats, and dissecting the NAM in detail. Social.technological
impacts (re: cellular interception designed into the units)
-------------- cut me here ---------------------------------------------------
PUTTING IT ALL TOGETHER - Signaling on the Control Channels
There are two types of continuous wideband data stream transmissions.
One is the Forward Control Channel which is sent from the land station
to the mobile. The other is the Reverse Control Channel, which is
sent from the mobile to the land station. Each data stream runs at a
rate of 10 kilobit/sec, +/- 1 bit/sec rate. The formats for each of
the channels follow.
Forward Control Channel
The forward control channel consists of three discrete information
streams. They are called stream A, stream B and the busy-idle
stream. All three streams are multiplexed together. Messages to
mobile stations with the least significant bit of thier MIN number
equal to "0" are sent on stream A, and those with a "1" are sent
on stream B.
The busy-idle stream contains busy-idle bits, whic are used to
indicate the status of the reverse control channel. If the busy-idle
bit = "0" the reverse control channel is busy, if it equals "1"
it is idle. The busy-idle bit is located at the beginning of each
dotting sequence, word sync sequence, at the beginning of the first
repeat of word A and after every 10 message bits thereafter.
Mobile stations achieve synchronization with the incoming data via
a 10 bit dotting sequence (1010101010) and an 11 bit word sync
sequence (11100010010). Each word contains 40 bits, including parity
and is repeated 5 times after which it is then refered to as a
"block". For a multiword message, the second word block and subsequent
word blocks are formed the same as the first word blok including the
dotting and sync sequences. A "word" is formed when the 28 content
bits are encoded into a (40, 28; 5) BCH (Bose-Chaudhuri-Hocquenghem)
code. The left-most bit shall be designated the most-signifigant bit.
The Generator polynominal for the (40, 28;5) BCH code is:
12 10 8 5 4 3 0
G (X) = X + X + X + X + X + X + X
B
Each FOCC message con consist of one or more words. Messaging trans-
mitted over the forward control channel are:
- Mobile station control message
- Overhead message
- control-filler mesage
Controller-filler messages may be inserted between messages and
between word blocks of a multiword message.
Message Formats: Found on either stream A or B
MOBILE STATION CONTROL MESSAGE
The mobile station control message can consist of one, two, or four
words.
Word 1 (abbreviated address word)
+--------+-------+---------------------------------------+-----------+
| T t | | | |
| 1 2 | DCC | Moblie Identification Number 1 | P |
| | | 23-0 | |
+--------+-------+---------------------------------------+-----------+
bits: 2 2 24 12
Word 2 (extended address word)
+------+-----+-----------+------+--------+-------+----------+-----+
| T T |SCC =| | RSVD | LOCAL | CRDQ | ORDER | |
| 1 2| 11 | MIN2 | = 0 | | | | |
| = +-----+ 3-24 +------+-----+--+-------+----------| P |
| 10 |SCC =| | VMAC | CHAN | |
| | 11 | | | | |
+------+-----+-----------+------------+---------------------+=----+
The Reverse Control Channel (RECC) is a wideband data stream sent
from the moblie station to the land station. This data stream runs
at a rate of 10 kilobit/sec, +/- 1 bit/sec rate. The format of the
RECC data stream follows:
+---------+------+-------+------------+-------------+-----------+-----
| Dotting | Word | Coded | first word | Second word | Third word|
| | sync | DCC | repeated | repeated | repeated | ...
| | | | 5 times | 5 times | 5 times |
+---------+------+-------+------------+-------------+-----------+-----
DCC = Digital Color Code Dotting = 01010101...010101
Received DCC 7-bit Codec DCC Word sync = 11100010010
00 0000000
01 0011111
10 1100011
11 1111100
All messages begin with the RECC seizure precursor with is composed
of a 30 bit dotting sequence (1010...101), and 11 bit word sync
sequence (11100010010), and the coded digital color code.
Each word contains 48 bits, including parity, and is repeated five
times after which it is refered to as a word block. A word is
formed by encoding 36 content bits into a (48, 36) BCH code that has
a distance of 5, (48 36; 5). The left most bit shall be designated
the most-significant bit. The 36 most-significant bits of the 48 bit
field shall be the content bits.
The generator polynomial for the code is the same for the (40,28;5)
code used on the forward channel.
CONTROL CHANNELS (SETUP CHANNELS)
Each wireline and non-wireline service have 21 channels. These
channels are used by the MTSO and the cell sites to directly
communicate with the mobile unit. The first signal sent to initiate
a call is the Supervisory Audio Tone (SAT). This can be thought of
as the voltage used to close the loop on a land telephone.
SAT Tones with corresponding binary codes:
5970 Hz (00)
6000 Hz (01)
6030 HZ (10)
The mobile unit recieves the SAT from the cell site and transponds
it back (closing the loop). Tone recognition must take place
within 250 milliseconds or the site interprets it as the mobile
is out of range. If the SAT is returned, then a Signaling Tone
is issued. This Tone is 10kHz and is present when the user is
either being alerted(call initialization), being handed off,
or disconnecting The Signaling tone is used only in mobile to
land direction
Reference in New Issue View Git Blame Copy Permalink