Phreacking:Telefonia Celular

Envia tus archivos, resúmenes, monografías, etc.

Agregado: 12 de ABRIL de 2000 (Por ) | Palabras: 45165 | Votar | Sin Votos | Sin comentarios | Agregar Comentario
Categoría: Apuntes y Monografías > Computación > Seguridad informatica >
Material educativo de Alipso relacionado con PhreackingTelefonia Celular

Teoria Celular: definicion.caracteristicas.glosario

Bases de la vida. Morfologia celular CNBA: ...

Phreacking:Telefonia Celular:

Enlaces externos relacionados con PhreackingTelefonia Celular

C e l l u l a r T e l e p h o n y

B r i a n O b l i v i o n

A -=Restricted -=Data -=Transmission

The benefit of a mobile transceiver has been the wish of experimenters

since the late 1800's. To have the ability to be reached by another

man despite location, altitude, or depth has had high priority in

communication technology throughout its history. Only until the late

1970's has this been available to the general public. That is when

Bell Telephone (the late Ma Bell) introduced the Advanced Mobile

Phone Service, AMPS for short.

Cellular phones today are used for a multitude of different jobs.

They are used in just plain jibber-jabber, data transfer(I will

go into this mode of cellular telephony in depth later), corporate

deals, surveillance, emergencies, and countless other applications.

The advantages of cellular telephony to the user/phreaker are

obvious:

1. Difficulty of tracking the location of a transceiver

(especially if the transceiver is on the move) makes

it very difficult to locate

2. Range of the unit within settled areas

3. Scrambling techniques are feasible and can be made to

provide moderate security for most transmissions.

4. The unit, with modification can be used as a bug, being

called upon by the controlling party from anywhere on

the globe.

5. It with the right knowledge one can modify the cellular

in both hardware and software to create a rather diverse-

ified machine that will scan, store and randomly change

ESN's per call there by making detection almost impossible.

I feel it will be of great importance for readers to understand the

background of the Cellular phone system, mainly due to the fact that

much of the pioneering systems are still in use today. The first

use of a mobile radio came about in 1921 (remember prohibition?)

by the Detroit police department. This system operated at 2MHz. In

1940, frequencies between 30 and 40MHz were made available to and

soon became overcrowded. The trend of overcrowding continues today.

In 1946, the FCC declared a 'public correspondence system' called,

or rather classified as "Domestic Public Land Mobile Radio Service"

(DPLMRS) at 35 - 44 MHz band that ran along the highway between

New York and Boston. Now the 35-44MHz band is used mainly by Amateur

radio hobbyists due to the bands susceptibility to skip-propagation.

These early mobile radio systems were all PTT(push-to-talk) systems

that did not enjoy todays duplex conversations. The first real

mobile 'phone' system was the 'Improved Mobile Telephone Service'

or the IMTS for short, in 1969. This system covered the spectrum

from 150 - 450MHz, sported automatic channel selection for each

call, eliminated PTT, and allowed the customer to do their own

dialing. From 1969 to 1979 this was the mobile telephone service

that served the public and business community, and it is still

used today.

IMTS frequencies used(MHz):

Channel Base Frequency Mobile Frequency

VHF Low Band

ZO 35.26 43.26

ZF 35.30 43.30

ZH 35.34 43.34

ZA 35.42 43.32

ZY 34.46 43.46

ZC 35.50 43.50

ZB 35.54 43.54

ZW 35.62 43.62

ZL 35.66 43.66

VHF High Band

JL 152.51 157.77

YL 152.54 157.80

JP 152.57 157.83

YP 152.60 157.86

YJ 152.63 157.89

YK 152.66 157.92

JS 152.69 157.95

YS 152.72 157.98

YA 152.75 158.01

JK 152.78 158.04

JA 152.81 158.07

UHF Band

QC 454.375 459.375

QJ 454.40 459.40

QO 454.425 459.425

QA 454.45 459.45

QE 454.475 459.475

QP 454.50 459.50

QK 454.525 459.525

QB 454.55 459.55

QO 454.575 459.575

QA 454.60 459.60

QY 454.625 459.625

QF 454.650 459.650

VHF High frequencies are the most popular frequencies of all

the IMTS band. VHF low bands are used primarily in rural areas

and those with hilly terrain. UHF bands is primarily used in cities

where the VHF bands are overcrowded. Most large cities will find

at least one station being used in their area.

ADVANCED MOBILE PHONE SYSTEM

The next step for Mobile telephone was made in 1979 by Bell

Telephone, again (gee.. where was the competition?), introducing

the Advanced Mobile Phone Service. This service is the focus

of this document, which has now taken over the mobile telephone

industry as the standard. What brought this system to life

were the new digital technologies of the 1970's. This being

large scale integrated custom circuits and microprocessors.

Without these technologies, the system would not have been

economically possible.

The basic elements of the cellular concept have to do with

frequency reuse and cell splitting.

Frequency reuse refers to the use of radio channels on the same

carrier frequency to cover different areas which are separated by

a significant distance. Cell splitting is the ability to split

any cell into smaller cells if the traffic of that cell requires

additional frequencies to handle all the area's calls. These two

elements provide the network an opportunity to handle more simul-

taneous calls, decrease the transmitters/receivers output/input

wattage/gain and a more universal signal quality.

When the system was first introduced, it was allocated 40MHz in

the frequency spectrum, divided into 666 duplex radio channels

providing about 96 channels per cell for the seven cluster

frequency reuse pattern. Cell sites (base stations) are located

in the cells which make up the cellular network. These cells

are usually represented by hexagons on maps or when developing

new systems and layouts. The cell sites contain radio, control,

voice frequency processing and maintenance equipment, as well as

transmitting and receiving antennas. The cell sites are inter-

connected by land-line with the Mobile Telecommunications Switching

Office (MTSO).

In recent years, the FCC has added 156 frequencies to the Cellular

bandwidth. This provides 832 possible frequencies available to

each subscriber per cell. All new cellular telephones are built

to accommodate these new frequencies, but old cellular telephones

still work on the system. How does a cell site know if the unit

is old or new? Let me explain.

The problem of identifying a cellular phones age is done by the

STATION CLASS MARK (SCM). This Number is 4 bits long and broken

down like this:

Bit 1: 0 for 666 channel usage (old)

1 for 832 channel usage (new)

Bit 2: 0 for a mobile unit(in

vehicle)

1 for voice-activated transmit (for portables)

Bit 3-4: Identify the power class of the unit

Class I 00 = 3.0 watts Continuous Tx's 00XX...DTX <> 1

Class II 01 = 1.2 watts Discont. Tx's 01XX...DTX = 1

Class III 10 = 0.6 watts reserved 10XX, 11XX

Reserved 11 = --------- Letters DTX set to 1 permits

use of discontinuous trans-

missions

Cell Sites: How Cellular telephones get their name

Cell sites, as mentioned above are laid out in a hexagonal type

grid. Each cell is part of a larger cell which is made up of

seven cells in the following fashion:

|---| ||===|| |---| |---| |---| |---

/ \ // \\ / \ / \ / \ /

| |===|| 2 ||===|| ||===|| |---| |---|

\ // \ / \\ // \\ / \ / \

|---|| 7 |---| 3 ||==|| 2 ||==|| |---| |---|

/ \\ / \ // \ / \\ Due to the \

| ||---| 1 |---|| 7 |---| 3 ||--| difficulty of |

\ // \ / \\ / \ // \ representing /

|--|| 6 |---| 4 ||--| 1 |---|| |graphics with |

/ \\ / \ // \ / \\ / ASCII characters\

| ||==|| 5 ||==|| 6 |---| 4 ||--| I will only show |

\ / \\ // \\ / \ // \ two of the cell /

|---| ||===|| ||===|| 5 ||==|| |types I am trying-

/ \ / \ / \\ // \ / to convey. \

| |---| |---| ||==|| |---| |---| |

\ / \ / \ / \ / \ / \ /

|---| |---| |---| |---| |---| |---|

As you can see, each cell is a 1/7th of a larger cell. Where one(1)

is the center cell and two(2) is the cell directly above the center.

The other cells are number around the center cell in a clockwise

fashion, ending with seven(7). The cell sites are equipped with

three directional antennas with an RF beam-width of 120 degrees

providing 360 degree coverage for that cell. Note that all cells

never share a common border. Cells which are next to each other

are obviously never assigned the same frequencies. They will

almost always differ by at least 60 kHz. This also demonstrates

the idea behind cell splitting. One could imagine that the perimeter

of one of the large cells was once one cell. Due to a traffic

increase, the cell had to be sub-divided to provide more channels

for the subscribers. Note that subdivisions must be made in factors

of seven.

There are also Mobile Cell sites, which are usually used in the

transitional period during the up-scaling of a cell site due to

increased traffic. Of course, this is just one of the many uses of

this component. Imagine you are building a new complex in a very

remote location. You could feasibly install a few mobile cellular

cell sites to provide a telephone-like network for workers and

executives. The most unique component would be the controller/

transceiver which provides the communications line between the

cell site and the MTSO. In a remote location such a link could

very easily be provided via satellite up/down link facilities.

Lets get into how the phones actually talk with each other. There

are several ways and competitors have still not set an agreed upon

standard.

Frequency Division Multiple Access (FDMA)

This is the traditional method of traffic handling. FDMA is a

single channel per carrier analog method of transmitting signals.

There has never been a definite set on the type of modulation to

be used. There are no regulations requiring a party to use a single

method of modulation. Narrow band FM, single sideband AM, digital, and

spread-spectrum techniques have all been considered as a possible

standard. But none have yet to be chosen.

FDMA works like this: Cell sites are constantly searching out

free channels to start out the next call. As soon as a call finishes

the channel is freed up and put on the list of free channels. Or, as

a subscriber moves from one cell to another the new cell they are in

will hopefully have an open channel to receive the current call in

progress and carry it through its location. This process is called

hand-off, and will be discussed more in-depth further along.

Other proposed traffic handling schemes include Time-Division

Multiple Access (TDMA), Code-Division Multiple Access(CDMA), and

Time-Division/Frequency Division Multiple Access.

Time Division Multiple Access

With TDMA calls are simultaneously held on the same channels, but

are multiplexed between pauses in the conversation. These pauses

occur in the way people talk and think, and the telephone company

also injects small delays on top of the conversation to accommodate

other traffic on that channel. This increase in the length of the

usual pause results in a longer amount of time spent on the call.

Longer calls result in higher cost of the call.

Code Division Multiple Access

This system has been used in mobile military communications for the

past 35 years. This system is digital and breaks up the digitized

conversation into bundles, compressed, sent, then decompressed and

converted back into analog. There are said increases of throughput

of 20 : 1 but CDMA is susceptible to interference which will result

in packet retransmission and delays. Of course error correction can

can help in data integrity, but will also result in a small delay in

throughput.

Time-Division/Frequency Division Multiple Access

TD/FDMA is a relatively new system which is an obvious hybrid of

FDMA and TDMA. This system is mainly geared towards the increase

of digital transmission over the cellular network. TD/FDMA make

it possible to transmit signals from base to mobile without

disturbing the conversation. With FDMA there are significant

disturbances during hand-off with prevent continual data transmission

from site to site. TD/FDMA make it possible to transmit control

signals by the same carrier as the data/voice thereby ridding

extra channel usage for control.

Cellular Frequency Usage and channel allocation

There are 832 cellular phone channels which are split into two

separate bands. Band A consists of 416 channels for non-wireline

services. Band B consists equally of 416 channels for wireline

services. Each of these channels are split into two frequencies

to provide duplex operation. The lower frequency is for the mobile

unite while the other is for the cell site. 21 channels of each

Band are dedicated to 'control' channels and the other 395 are

voice channels. You will find that the channels are numbered from

1 to 1023, skipping channels 800 to 990.

I found these handy-dandy equations that can be used for calculating

frequencies from channels and channels from frequencies.

N = Cellular Channel # F = Cellular Frequency

B = 0 (mobile) or B = 1 (cell site)

CELLULAR FREQUENCIES from CHANNEL NUMBER:

F = 825.030 + B * 45 + ( N + 1 ) * .03

where: N = 1 to 799

F = 824.040 + B * 45 + ( N + 1 ) * .03

where: N = 991 to 1023

CHANNEL NUMBER from CELLULAR FREQUENCIES

N = 1 + (F - 825.030 - B * 45) / .03

where: F >= 825.000 (mobile)

or F >= 870.030 (cell site)

N = 991 + (F - 824.040 - B * 45) / .03

where: F <= 825.000 (mobile)

or F <= 870.000 (base)

Now that you have those frequencies, what to do with them. Well,

for starters, one can very easily monitor the cellular frequencies

with most hand/base scanners. Almost all scanners pre-1988 have

some coverage of the 800 - 900 MHz band. All scanners can

monitor the IMTS frequencies.

Remember that cellular phones operate on a full duplex channel.

That means that one frequency is used for transmission and the

other is used for receiving, each spaced exactly 30 kHz apart.

Remember also that the base frequencies are 45MHz higher than

the cellular phone frequencies. This can obviously make

listening rather difficult. One way to listen to both parts of

the conversation would be having two scanners programmed 45 MHz

apart to capture the entire conversation.

The upper UHF frequency spectrum was 'appropriated' by the Cellular

systems in the late 1970's. Televisions are still made to

receive up to channel 83. This means that you can receive much

of the cellular system on you UHF receiver. One television channel

occupies 6MHz of bandwidth. This was for video, sync, and audio

transmission of the channel. A cellular channel only takes up

24 kHz plus 3kHz set up as a guard band for each audio signal.

This means that 200 cellular channels can fit into one UHF

television channel. If you have an old black and white television

drop a variable cap in there to increase the sensitivity of the

tuning. Some of the older sets have coarse and fine tuning knobs.

Some of the newer, smaller, portable television sets are tuned by

a variable resistor. This make modifications MUCH easier, for now

all you have to do is drop in there a smaller value pot and

tweak away. I have successfully done this on two televisions.

Most users will find that those who don't live in a city will

have a much better listening rate per call. In the city, the cells

are so damn small that hand-off is usually every other minute.

Resulting in chopped conversations.

If you wanted to really get into it, I would suggest to obtain an

old Television set with decent tuning controls and remove the RF

section out of the set. You don't want all that hi-voltage circuitry

lying around(flyback and those caps). UHF receivers in televisions

down-convert UHF frequencies to IF (intermediate frequencies) between

41 and 47 MHz. These output IF frequencies can then be run into a

scanner set to pick-up between 41 - 47 MHz. Anyone who works with

RF knows that it is MUCH easier to work with 40MHz signals than working

with 800MHz signals (not to far away from Ghz.. mmmmmmm.. Waveguides

are just sooo much fun). JUST REMEMBER ONE THING!!!! Isolate the

UHF receiver from your scanner by using a coupling capacitor(.01 -

.1 microfarad(50V min.) will do nicely)!!!! You don't want any of

those biasing voltages creeping into your scanners receiving

AMPLIFIERS!!! Horrors. Also, don't forget to ground both the scanner

and receiver.

Some systems transmit and receive the same cellular transmission

on the base frequencies. There you can simply hang out on the

base frequency and capture both sides of the conversation. The

hand-off rate is much higher in high traffic areas leading the listener

to hear short or choppy conversations. At times you can listen in

for 5 to 10 minutes per call, depending on how fast the caller is

moving through the cell site.

TV Cell & Channel Scanner TV Oscillator Band

Channel Freq.& Number Frequency Frequency Limit

===================================================================

73 (first) 0001 - 825.03 45.97 871 824 - 830

73 (last) 0166 - 829.98 41.02 871 824 - 830

74 (first) 0167 - 830.01 46.99 877 830 - 836

74 (last) 0366 - 835.98 41.02 877 830 - 836

75 (first) 0367 - 836.01 46.99 883 836 - 842

75 (last) 0566 - 841.98 41.02 883 836 - 842

76 (first) 0567 - 842.01 46.99 889 842 - 848

76 (last) 0766 - 847.98 41.02 889 842 - 848

77 (first) 0767 - 848.01 46.99 895 848 - 854

77 (last) 0799 - 848.97 46.03 895 848 - 854

All frequencies are in MHz

You can spend hours just listening to cellular telephone conversations

but I would like to mention that it is illegal to do so. Yes, it is

illegal to monitor cellular telephone conversations. It just another

one of those laws like removing tags off of furniture and pillows.

It's illegal, but what the hell for? Its also illegal to spit on

the sidewalks here in Massachusetts, yet you can carry a shotgun

on Sundays with you to mass(thats still in the books. Obviously

it was for the original settlers). At any rate, I just want you

to understand that doing the following is in violation of the law.

Now back to the good stuff.

Conversation is not only what an avid listener will find on the

cellular bands. One will also hear call/channel setup control

data streams, dialing, and other control messages. At times,

a cell site will send out a full request for all units in its

cell to identify itself. The phone will then respond with the

appropriate identification on the corresponding control channel.

Whenever a mobile unit is turned on, even when not placing a call,

whenever there is power to the unit, it transmits its phone

number and its 8-digit ID number. The same process is done when

an idling phone passes from one cell to the other. This process

is repeated for as long as there is power to the unit. This allows

the MTSO to 'track' a mobile through the network. That is why it is

not a good reason to use a mobile phone from one site. They do have

ways of finding you. And it really is not that hard. Just a bit

of RF Triangulation theory and you're found. However, when the

power to the unit is shut off, as far as the MTSO cares, you never

existed in that cell, of course unless your unit was flagged for some

reason. MTSO's are basically just ESS systems designed for mobile

applications. This will be explained later within this document.

It isn't feasible for the telephone companies to keep track of each

customer on the network. Therefore the MTSO really doesn't know

if you are authorized to use the network or not. When you purchase

a cellular phone, the dealer gives the units phone ID number to the

local BOC, as well as the number the BOC assigned to the customer.

When the unit is fired up in a cell site its ID number and phone

number is transmitted and checked. If the two numbers are registered

under the same subscriber, then the cell site will allow the mobile

to send and receive calls. If they don't match, then the cell will

not allow the unit to send or receive calls. Hence, the most

successful way of reactivating a cellular phone is to obtain an

ID that is presently in use and modifying your rom/prom/eprom for

your specific phone.

RF and AF Specifications:

Everything that you will see from here on out is specifically

Industry/FCC standard. A certain level of compatibility has

to be maintained for national intercommunications, therefore

a common set of standards that apply to all Cellular telephones

can be compiled and analyzed.

Transmitter Mobiles: audio transmission

- 3 kHz to 15 kHz and 6.1 kHz to 15 kHz

- 5.9 kHz to 6.1 kHz 35 dB attenuation

- Above 15 kHz, the attenuation becomes 28 dB

- All this is required after the modulation limiter and before

the modulation stage

Transmitters Base Stations: audio transmission

- 3 kHz to 15 kHz

- Above 15 kHz, attenuation required 28 dB

- Attenuation after modulation limiter - no notch filter required

RF attenuation below carrier Transmitter: audio transmission

- 20 kHz to 40 kHz, use 26 dB.

- 45 kHz to 2nd harmonic, the specification is 60 dB or 43 + 10 log

of mean output power

- 12 kHz to 20 kHz, attenuation 117 log f/12

- 20 kHz to 2nd harmonic, there is a choice: 100 log F/100 or 60 dB

or 43 log + 10 log of mean output power, whichever is less.

Wideband Data

- 20 kHz to 45 kHz, use 26 dB

- 45 kHz to 90 kHz, use 45 dB

- 90 kHz to 2nd harmonic, either 60 dB or 43 + 10 log mean output

power

- all data streams are encoded so that NRZ (non-return-to-zero)

binary ones and zeroes are now zero-to-one and one-to-zero

transitions respectively. Wideband data can then modulate

the transmitter carrier by binary frequency shift keying(BFSK)

and ones and zeroes into the modulator must now be equivalent

to nominal peak frequency deviations of 8 kHz above and below

the carrier frequency.

Supervisory Audio Tones

- Save as RF attenuation measurements

Signaling Tone

- Same as Wideband Data but must be 10 kHz +/- 1 Hz and produce a

nominal frequency deviation of +/- 8 kHz.

The previous information will assist any technophile to modify or

even troubleshoot his/her cellular phone. Those are the working

guidelines, as I stated previously.

UNIT IDENTIFICATION

Each mobile unit is identified by the following sets of numbers.

The first number is the Mobile Identification Number (MIN). This

34 bit binary number is derived from the units telephone number,

MIN1 is the last seven digits of the telephone number and MIN2 is

the area code.

For demonstrative purposes, we'll encode 617-637-8687.

Here's how to derive the MIN2 from a standard area code. In this

example, 617 is the area code. All you have to do is first convert

to modulo 10 using the following function. A zero digit would be

considered to have a value of 10.

100(first number) + 10(second) +1(third) - 111 = x

100(6) + 10(1) + 1(7) - 111 = 506

(or you could just - 111 from the area code.)

Then convert it to a 10-bit binary number: 0111111010

To derive MIN1 from the phone number is equally as simple. First

encode the next three digits, 637.

100(6) + 10(3) + 1(7) - 111 = 526

Converted to binary: 1000001110

The remainder of the number 8687, is processed further by taking

the first digit, eight(8) and converting it directly to binary.

8 = 1000 (binary)

The last three digits are processed as the other two sets of

three numbers were processed.

100(6) + 10(8) + 1(7) - 111 = 576

Converted to binary: 1001000000

So the completed MIN number would look like this:

|--637---||8-||---687--||---617--|

1000001110100010010000000111111010

\________/\__/\________/\________/

A unit is also identifiable by its Electronic Serial Number or

ESN. This number is Factory Preset and is usually stored in a

ROM chip, which is soldered to the board. It may also be found

in a 'computer on a chip', which are the new microcontrollers

which have rom/ram/microprocessor all in the same package. This

type of setup usually has the ESN and the software to drive the

unit all in the same chip. This makes is significantly harder

to dump, modify and replace. But it is far from impossible.

The ESN is a 4 byte hex or 11-digit octal number. I have encountered

mostly 11-digit octal numbers on the casing of most cellular phones.

the first three digits represent the manufacturer and the remaining

eight digits are the units ESN. I'll go more into the ESN later in

the document.

The Station Class Mark (SCM) is also used for station identification

by providing the station type and power output rating. This was

already discussed in a previous section.

The System IDentification (SID number is a number which represents

the mobile's home system. This number is 15-bits long and a list

of current nationwide SID's should either be a part of this file

or it will be distributed along with it.

In the next issue we'll discuss the Control channels, signalling

formats, and dissecting the NAM in detail. Social.technological

impacts (re: cellular interception designed into the units)

-------------- cut me here ---------------------------------------------------

PUTTING IT ALL TOGETHER - Signaling on the Control Channels

There are two types of continuous wideband data stream transmissions.

One is the Forward Control Channel which is sent from the land station

to the mobile. The other is the Reverse Control Channel, which is

sent from the mobile to the land station. Each data stream runs at a

rate of 10 kilobit/sec, +/- 1 bit/sec rate. The formats for each of

the channels follow.

Forward Control Channel

The forward control channel consists of three discrete information

streams. They are called stream A, stream B and the busy-idle

stream. All three streams are multiplexed together. Messages to

mobile stations with the least significant bit of their MIN number

equal to "0" are sent on stream A, and those with a "1" are sent

on stream B.

The busy-idle stream contains busy-idle bits, which are used to

indicate the status of the reverse control channel. If the busy-idle

bit = "0" the reverse control channel is busy, if it equals "1"

it is idle. The busy-idle bit is located at the beginning of each

dotting sequence, word sync sequence, at the beginning of the first

repeat of word A and after every 10 message bits thereafter.

Mobile stations achieve synchronization with the incoming data via

a 10 bit dotting sequence (1010101010) and an 11 bit word sync

sequence (11100010010). Each word contains 40 bits, including parity

and is repeated 5 times after which it is then referred to as a

"block". For a multi-word message, the second word block and subsequent

word blocks are formed the same as the first word block including the

dotting and sync sequences. A "word" is formed when the 28 content

bits are encoded into a (40, 28; 5) BCH (Bose-Chaudhuri-Hocquenghem)

code. The left-most bit shall be designated the most-significant bit.

The Generator polynomial for the (40, 28;5) BCH code is:

12 10 8 5 4 3 0

G (X) = X + X + X + X + X + X + X

Each FOCC message con consist of one or more words. Messaging trans-

mitted over the forward control channel are:

- Mobile station control message

- Overhead message

- control-filler message

Controller-filler messages may be inserted between messages and

between word blocks of a multi-word message.

Message Formats: Found on either stream A or B

MOBILE STATION CONTROL MESSAGE

The mobile station control message can consist of one, two, or four

words.

Word 1 (abbreviated address word)

+--------+-------+---------------------------------------+-----------+

| T t | | | |

| 1 2 | DCC | Mobile Identification Number 1 | P |

| | | 23-0 | |

+--------+-------+---------------------------------------+-----------+

bits: 2 2 24 12

Word 2 (extended address word)

+------+-----+-----------+------+--------+-------+----------+-----+

| 1 2| 11 | MIN2 | = 0 | | | | |

| = +-----+ 3-24 +------+-----+--+-------+----------| P |

| 10 |SCC =| | VMAC | CHAN | |

| | 11 | | | | |

+------+-----+-----------+------------+---------------------+=----+

The Reverse Control Channel (RECC) is a wideband data stream sent

from the mobile station to the land station. This data stream runs

at a rate of 10 kilobit/sec, +/- 1 bit/sec rate. The format of the

RECC data stream follows:

+---------+------+-------+------------+-------------+-----------+-----

+---------+------+-------+------------+-------------+-----------+-----

DCC = Digital Color Code Dotting = 01010101...010101

Received DCC 7-bit Codec DCC Word sync = 11100010010

00 0000000

01 0011111

10 1100011

11 1111100

All messages begin with the RECC seizure precursor with is composed

of a 30 bit dotting sequence (1010...101), and 11 bit word sync

sequence (11100010010), and the coded digital color code.

Each word contains 48 bits, including parity, and is repeated five

times after which it is referred to as a word block. A word is

formed by encoding 36 content bits into a (48, 36) BCH code that has

a distance of 5, (48 36; 5). The left most bit shall be designated

the most-significant bit. The 36 most-significant bits of the 48 bit

field shall be the content bits.

The generator polynomial for the code is the same for the (40,28;5)

code used on the forward channel.

CONTROL CHANNELS (SETUP CHANNELS)

Each wireline and non-wireline service have 21 channels. These

channels are used by the MTSO and the cell sites to directly

communicate with the mobile unit. The first signal sent to initiate

a call is the Supervisory Audio Tone (SAT). This can be thought of

as the voltage used to close the loop on a land telephone.

SAT Tones with corresponding binary codes:

5970 Hz (00)

6000 Hz (01)

6030 HZ (10)

The mobile unit receives the SAT from the cell site and transponds

it back (closing the loop). Tone recognition must take place

within 250 milliseconds or the site interprets it as the mobile

is out of range. If the SAT is returned, then a Signaling Tone

is issued. This Tone is 10kHz and is present when the user is

either being alerted(call initialization), being handed off,

or disconnecting The Signaling tone is used only in mobile to

land direction.

C e l l u l a r T e l e p h o n y I I

B r i a n O b l i v i o n

A -=Restricted -=Data -=Transmission

In the last issue we discussed the history of cellular telephony,

monitoring techniques, and a brief description of its predecessors.

In this issue I'll describe the call processing sequences for land-

originated and mobile-originated calls, as well as the signaling

formats for these processes. I apologize for the bulk of information

but I feel it is important for anyone who is interested in how the

network communicates. Please realize that there was very little I

could add to such a cut and dried topic, and that most is taken

verbatim from Industry standards, with comments and addendums salt

and peppered throughout.

Call-Processing Sequences

Call-Processing Sequence for Land-Originated Calls

MTSO Cell Site Mobile Unit

------------------------------------------------------------------------------

1--Transmits setup channel

data on paging channel

2 ----------------------------Scans and locks on

paging channel

Receives incoming call --- 3

and performs translations

Sends paging message ----- 4

to cell site

5 -- Reformats paging

message

6 -- Sends paging message

to mobile unit via

paging channel

7 ----------------------------Detects Page

8 ----------------------------Scans and locks on

access channel

9 ----------------------------Seizes setup channel

10 ----------------------------Acquires sync

11 ----------------------------Sends service request

12 -- Reformats service request

13 -- Performs directional locate

14 -- Sends service request to

MTSO

Selects voice channel --- 15

Sends tx-on command to -- 16

cell site

17 -- Reformats channel designation

message

18 -- Sends channel designation

message to mobile unit via

access channel

19 -----------------------------Tunes to voice

channel

20 -----------------------------Transponds SAT

21 -- Detects SAT

22 -- Puts on-hook on trunk

Detects off-hook -------- 23

Sends alert order ------- 24

25 -- Reformats alert order

26 -- Sends alert order to

mobile unit via blank-

and-burst on voice channel

27 -----------------------------Alerts User

28 -----------------------------Sends 10-kHz tone

29 -- Detects 10-kHz tone

30 -- Puts on-hook on trunk

Detects on-hook --------- 31

Provides audible ring --- 32

33 -- Detects absence of 10-kHz

tone

34 -- Puts off-hook on trunk

Detects off-hook -------- 35

Removes audible ring ---- 36

and completes connection

Time

Call-Processing Sequence for Mobile-Originated Calls

MTSO Cell Site Mobile Unit

------------------------------------------------------------------------------

1 -- Transmits setup channel

data on paging channel

2 --------------------------- Scans and locks-on

paging channel

3 --------------------------- User initiates call

4 --------------------------- Scans and locks-on

access channel

5 --------------------------- Seizes setup channel

6 --------------------------- Acquires sync

7 --------------------------- Sends service request

8 -- Reformats service request

9 -- Performs directional Locate

10 -- Sends service request to

MTSO

Selects voice channel ---- 11

Sends tx-on command to --- 12

cell site

13 -- Reformats channel

designation message

14 -- Sends channel designation

message to mobile unit via

access channel

15 --------------------------- Tunes to voice

channel

16 --------------------------- Transponds SAT

17 -- Detects SAT

18 -- Puts off-hook on trunk

Detects off-hook --------- 19

Completes call through --- 20

network

Time

Let me review the frequency allocation for Wireline and non-Wireline

systems. Remember that the Wireline service is usually provided by

the area's Telephone Company, in my area that company is NYNEX. The

non-Wireline companies are usually operated by other carriers foreign

to the area, in my area we are serviced by Cellular One (which is owned

by Southwestern Bell). Each company has its one slice of the electro-

magnetic spectrum. The coverage is not continuous, remember that there

are also 800 MHz trunked business systems that also operate in this

bandwidth. Voice channels are 30 kHz apart and the Data channels are

10 kHz apart.

Frequency Range Use

----------------------------------------------------------------------

870.000 - 879.360 Cellular One (mobile input 825.000 - 834.360)

880.650 - 890.000 NYNEX (mobile input 835.650 - 845.500)

890.000 - 891.500 Cellular One (mobile input 845.000 - 846.500)

891.500 - 894.000 NYNEX (mobile input 846.500 - 849.000)

879.390 - 879.990 Cellular One (data)

880.020 - 880.620 NYNEX (data)

The data streams are encoded NRZ (Non-return-to-zero) binary ones

and zeroes are now zero-to-one and one-to-zero transitions respect-

ivly. This is so the wide-band data can modulate the transmitter

via binary frequency shift keying, and ones and zeroes into the

modulator MUST now be equivalent to nominal peak frequency deviations

of 8 kHz above and below the carrier frequency.

PUTTING IT ALL TOGETHER - Signaling on the Control Channels

The following information will be invaluable to the hobbyist that

is monitoring cellular telephones via a scanner and can access

control channel signals. All information released below is

EIA/TIA - FCC standard. There are a lot of differences between

cellular phones, but all phones must interface into the mobile

network and talk fluently between each other and cell sites.

Therefore, the call processing and digital signaling techniques are

uniform throughout the industry.

MOBILE CALL PROCESSING

Calling:

Initially, the land station transmits the first part of its SID

to a mobile monitoring some control channel, followed by the number

of paging channels, an ESN request, then mobile registration, which

will either be set to 0 or 1. When registration is set to one, the

mobile will transmit both MIN1 and MIN2 during system access, another

1 for discontinuous (DTX) transmissions, read control-filler (RCF)

should be set to 1, and access functions (if combined with paging

operations) require field setting to 1, otherwise CPA (combined paging

access) goes to 0.

Receiving:

As the mobile enters the Scan Dedicated Control Channels Task, it

must examine signal strengths of each dedicated control channel

assigned to System A if enabled. Otherwise System B control channels

are checked.

The values assigned in the NAWC (Number of Additional Words

Coming) system parameter overhead message train will determine for

the mobile if all intended information has been received. An EDN

field is used as a cross-check, and control-filler messages are not

to be counted as part of the message. Should a correct BCH code

be received along with a non-recognizable overhead message, it must

be part of the NAWC count train but the equivalent should not try

and execute the instructions.

Under normal circumstances, mobiles are to tune to the strongest

dedicated control channel, receive a system parameter transmission,

and, within 3 seconds, set up the following:

o Set SID's 14 most significant bits to SID1 field value.

o Set SID's least significant bit to 1, if serving system status

enables, or to zero if not.

o Set paging channels N to 1 plus the value of N-1 field.

o Set paging channel FIRSTCHP as follows:

If SIDs = SIDp then FIRSTCHPs = FIRSTCHPp (which is

an 11-bit paging channel).

If SIDs = SIDp and serving system is enabled, set

FIRSTCHPs to initial dedicated channel for system

If SIDs = SIDp and serving system is disabled, set

FIRSTCHPs to first dedicated control channel for

system B.

o Set LASTCHPs to value of FIRSTCHPs + Ns -1.

o Should the mobile come equipped for autonomous registration, it

must:

o Set registration increment (REGINCRs) to its 450 default

value.

o Set registration ID status to enabled.

I know that was a little arcane sounding but it's the best you can

do with specifications. Data is data, there is no way to spruce it

up. From here on out a mobile must begin the Paging Channel Selection

Task. If this cannot be completed on the strongest dedicated

channel, the second strongest dedicated channel may be accessed and

the three second interval commenced again. Incomplete results should

result in a serving system status check and an enabled or disabled

state reversed, permitting the mobile to begin the Scan Dedicated

control Channels Task when channel signal strengths are once more

examined.

Custom local operations for mobiles may be sent and include roaming

mobiles whose home systems are group members. A new access channel

may be transmitted with a new access field set to the initial access

channel. Autonomously registered mobiles may increment their next

registered ID by some fixed value, but the global action message

must have its REGINCR field adequately set. Also, so that all

mobiles will enter the Initialization Task and scan dedicated

control channels, a RESCAN global action message must be transmitted.

Mobile stations may be required to read a control-filler message

before accessing any system on a reverse control channel.

System access for mobiles is sent on a forward control channel in

the following manner. Digital Color Code (DCC) identifies the land

station. Control Mobile Attenuation Code (CMAC) is included in the

control-filler message for mobile power level transmitter adjustment

before accessing any system on a reverse control channel. The WFOM

Wait for Overhead Message field must register 0 before the mobile

accesses a system on a reverse control channel. When mobiles are

assigned to one or more of the 16 overload classes are not to access

organizations on a reverse control channel, an overload control message

is carried with the system parameter overhead message overload class

fields are set to zero among the restricted number, and the remainder

set to 1. Busy-to-idle status (BIS) access parameters go to zero when

mobiles are prevented from checking on the reverse control channel and

the message must be added to the overhead. When mobiles can't use the

reverse control channel for seizure messages attempts or busy signals,

access attempt parameters must also be included in the overhead. And

when a land station receives a seizure precursor matching its digital

color code with 1 or no bit errors, busy idle bits signals on the

forward control channel must be set to busy within 1.2 milliseconds

from the time of the last bit seizure. Busy-idle bit then must remain

busy until a minimum of 30 msec following the final bit of the last

word of the message has been received, or a total of 175 msec has

elapsed.

Channel Confirmation

Mobiles are to monitor station control messages for orders and

respond to both audio and local control orders even though land

stations are not required to reply. MIN bits must be matched.

Thereafter, the System Access Task is entered with a page response,

as above, and an access timer started.

This time runs as follows:

o 12 seconds for an origination

o 6 seconds for page response

o 6 seconds for an order response

o 6 seconds for a registration

The last try code is then set to zero, and the equipment begins the

Scan Access Channels Task to find two channels with the strongest

signals which it tunes and enters the Retrieve Access Attempts

Parameters Task.

This is where both maximum numbers of seizure attempts and busy

signals are each set to 10. A read control-filler bit (RCF) will

then be checked: if the RCF equals zero, the mobile then reads a

control-filler message, sets DCC and WFOM (wait for overhead message

train before reverse control channel access) to the proper fields

and sets the proper fields and sets the appropriate power level.

Should neither the DCC field nor the control-filler message be

received and access time has expired, the mobile station goes to

Serving System Determination Task. But within the allowed access

time, the mobile station enters the Alternate Access Channel Task.

BIS is then set to 1 and the WFOM bit is checked. If WFOM equals 1,

the station enters the Update Overhead Information Task; if WFOM

equals 0, a random delay wait is required of 0 to 200 msec, +/- 1

msec. Then, the station enters the Seize Reverse Control Channel

Task.

Service Requesting is next. This task requires that the mobile

continue to send is message to the land station according to the

following instructions:

o Word A is required at all times.

o Word B has to be sent if last try access LT equals 1 or

if E requires MIN1 and/or MIN2, and the ROAM status is

disabled, or if the station has been paged with a 2-word

control message.

o Word C is transmitted with S (serial number) being 1

o Word D required if the access is an origination

o Word E transmitted when the access is an origination and

between 9 and 16 digits are dialed. When the mobile has

transmitted its complete message, an unmodulated carrier is

required for another 25 milliseconds before carrier turnoff.

After words A through E have been sent, the next mobile task

depends on the type of access.

Order confirmation requires entry into the Serving System Determination

Task.

Origination means entry into the Await Message Task.

Page response, is the same as Origination.

Registration requires Await Registration Confirmation, which

must be completed within 5 seconds or registration failure follows.

The same is true for Await Message since an incomplete task in 5

seconds sends the mobile into the Serving System Determination Task.

Origination or Page response requires mobile update of parameters

delivered in the message. If R equals 1, the mobile enters the

Autonomous Registration Task, otherwise, it goes to the Initial

Voice Channel Confirmation Task. Origination access may be either

an intercept or reorder, and in these instances, mobiles enter the

Serving System Determination Task. The same holds true for a page

response access. But if access is an origination and the user

terminates his call during this task, the call has to be released

on a voice channel and not control channel.

If a mobile station is equipped for Directed Retry and if a new

message is received before all four words of the directed retry

message, it must go to the Serving System Determination Task. There

the last try code (LT) must be set according to the ORDQ (order

qualifier) field of the message as follows:

If 000, LT sets to 0

If 0001, LT sets to 1

Thereafter, the mobile clears the list of control channels to be

scanned in processing Directed Retry (CCLIST) and looks at each

CHANPOS (channel position) field contained in message words three

and four. For nonzero CHANPOS field, the mobile calculates a cor-

responding channel number by adding CHANPOS to FIRSTCHA minus one.

Afterwards, the mobile has then to determine if each channel number

is within the set designated for cellular systems. A true answer

requires adding this/these channel(s) to the CCLIST.

Awaiting Answers

Here, an alert timer is set for 65 seconds (0 to +20 percent). During

this period the following events may take place:

o Should time expire, the mobile turns its transmitter off and

enters the Serving System Determination Task.

o An answer requires signaling tone turnoff and Conversation

Task entry.

o If any of the messages listed hereafter are received within

100 milliseconds, the mobile must compair SCC digits that

identify stored and proper SAT frequencies for the station to

the PSCC (present SAT color code). If not equivalent, the

order is ignored. If correct, then the following actions

taken for each order:

Handoff: Signaling extinguished for 500 msec, signal tone

off, transmitter off, power lever adjusted, new

channel tuned, new SAT, new SCC field, transmitter

on, fade timer reset, and signaling tone on. Wait

for an answer.

Alert: Reset alert timer for 65 seconds and stay in

Waiting for Answer Task.

Stop Alert: Extinguish signaling tone and enter Waiting for

Order Task.

Release: Signaling tone off, wait 500 msec, then enter

Release Task.

Audit: Confirm message to land station, then stay in

Waiting for Answer Task.

Maintenance: Reset alert timer for 65 seconds and remain in

Waiting for Answer Task.

Change Power: Adjust transmitter to power level required and

send confirmation to land station. Remain in

Waiting for Answer Task.

Local Control: If local control is enabled and order received,

examine LC field and determine action.

Orders other than the above for this type of action

are ignored.

Conversation

In this mode, a release-delay timer is set for 500 msec. If Termin-

ation is enabled, the mobile sets termination status to disabled and

waits 500 msec before entering Release Task. The following actions

may then execute:

o Upon call termination, the release delay timer has to be checked.

If time has expired, the Release Task is entered; if not expired,

the mobile must wait until expiration and then enter Release Task.

o Upon user requested flash, signaling tone turned on for 400 msec.

But should a valid order tone be received during this interval,

the flash is immediately terminated and the order processed. The

flash, of course, is not then valid.

o Upon receipt of the following listed orders and within 100 msec,

the mobile must compare SCC with PSCC, and the order is ignored

if the two are not equal. But if they are the same, the following

can occur:

Handoff: Signaling tone on for 50 msec, then off, trans-

mitter off, power level adjusted, new channel tuned,

adjust new SAT, set SCC to SCC field message value,

transmitter on, fade timer reset, remain in

Conversation Task.

Send Called Address: Upon receipt within 10 seconds of last valid flash,

called address sent to land station. Mobile remains

in Conversation Task. Otherwise, remain in Conver-

sation Task.

Alert: Turn on signaling tone, wait 500 msec, then enter

Waiting for Answer Task.

Release: Check release delay timer. If time expired, mobile

enters Release Task; but if timer has not finished,

then mobile must wait and then enter Release Task

when time has expired.

Audit: Order confirmation sent to land station while

remaining in Conversation Task.

Maintenance: Signaling tone on, wait 500 msec, then enter Waiting

for Answer Task.

Change Power: Adjust transmitter to power level required by order

qualification code and send confirmation to land

station. Remain in Conversation Task.

Local Control: If local control in enabled and local control order

received, the LC field is to be checked for subse-

quent action and confirmation.

Orders other than the above for this type of action are ignored.

Release

In the release mode the following steps are required:

o Signaling tone sent for 1.8 sec. If flash in transmission when

signaling tone begun, it must be continued and timing bridged so

that action stops within 1.8 sec.

o Stop signaling tone.

o Turn off transmitter.

o The mobile station then enters the Serving System Deter-

mination Task.

The above is the Cellular System Mobile/Land Station Compatibility

Specification. The following shall be Signaling Formats which are

also found in the above document. I converted all these tables by

HAND into ASCII so appreciate them. It wasn't the easiest thing to

do. But I must say, I definitely understand the entire cellular

operation format.

There are two types of continuous wideband data stream transmissions.

One is the Forward Control Channel which is sent from the land station

to the mobile. The other is the Reverse Control Channel, which is

sent from the mobile to the land station. Each data stream runs at a

rate of 10 kilobit/sec, +/- 1 bit/sec rate. The formats for each of

the channels follow.

- Forward Control Channel