The following file is a verbatim transcript of an article by the same name appearing in the November, 1992 issue of NUTS & VOLTS Magazine. Copyright (c) 1992 Damien Thorn and T & L Publications. Permission is granted to freely distribute this file in unmodified form. Identifying board headers may be added as desired.

A CELLULAR COMMUNICATIONS PRIMER
By Damien Thorn

INTRODUCTION

The specific technologies involved in the cellular network are highly complex, comprising a vast array of computers, control equipment, transceivers, multiplexers, switching equipment, etc. The theory and principles of operation we'll cover here are much easier to comprehend. With this article you'll learn the basics, and how you can profit from that understanding. Next month I'll show you how to reprogram a cellular phone through the keypad.

Cellular telephones are viewed by most users as simply another phone, albeit cordless. A cellular mobile telephone (CMT) emulates a landline set so credibly that the deepest technical concern for most people is remembering how to make the phone dial a frequently called number stored in memory. The comfort and familiarity of the phones are by design, I'm sure. To a public that has difficulty programming a VCR, the reality of cellular technology would be overwhelming and perhaps somewhat frightening.

Cellular phones are little more than low power transceivers capable of transmitting and receiving on any of 666 or 832 channels (frequency pairs), depending on the model. They operate in full-duplex mode, transmitting the mobile side of the conversation on one frequency while simultaneously receiving the other side from the cell site on a different frequency. In short, a multi-channel two-way radio under the control of some powerful software. The network itself is where the engineering genius becomes apparent.
OVERVIEW OF NETWORK ARCHITECTURE

The cellular network consists of a honeycomb of transceiver sites (towers), each capable of handling up to about 40 separate cellular calls. Each site has an effective range of 3-5 miles. The term "cell" is derived from the size and shape of each site's coverage pattern and the arrangement of the sites. The various sites in each city are all linked together through the mobile telephone switching office (MTSO). The MTSO not only coordinates the use of the radio spectrum, but uses computers to validate a subscriber's phone before making the connection, and it maintains the billing records. The MTSO also serves as the interface point with the landline telephone company for cellular calls.

As you drive through town, the cell sites report the strength of your phone's signal to the MTSO. When your signal becomes stronger at a cell other than the one handling your call, the MTSO sends a short burst of data to your phone over the voice channel itself (the audio is blanked for a fraction of a second; the dedicated control channels are used to set calls up, not to hand them off) telling it to switch frequencies and lock onto the other cell. This "hand off" from one cell to another happens so quickly that most people never notice the transition from one frequency or cell site to the next. This is noteworthy because the hand off required your phone to change both its transmit and receive frequencies, while the cellular network not only reestablished radio contact with you on another transceiver, but rerouted the landline audio to that cell site as well.

The cell site is generally located in the center of the cell. This is where the antennas, transceivers and control equipment that serve the cell are located. Because of the limited coverage area of each cell, sites are located a maximum of ten miles from each other to provide uninterrupted coverage without "dead spots" - areas where your phone cannot operate because you're out of range of a cell.
Since most markets are served by two cellular service providers who do not share cell sites, there are actually twice as many cells (and cell sites) as would be required for one provider to supply service. In the past I've worked at radio station transmitter sites that leased tower space to cellular companies, but I never realized how prolific these cell sites were until I studied the technology and looked closely at the antennas around me. Wherever your phone works, you're within three to five (line of sight) miles of at least two sites, and probably more, since coverage areas overlap. Adjacent cells never share common frequencies, to avoid interference.

Cellular sites come in different forms. In congested metropolitan areas the transceiver sites may be located on taller buildings. In other areas they are located on stand-alone towers. Towers can either be built by the cellular carrier for their exclusive use, or the cellular antenna array can share a common tower (an "antenna farm") with other radio and broadcast services. No matter where the antennas are located, they can be recognized easily by their unique three-sided configuration. Refer to the accompanying photos for examples of two common types of cellular arrays.

When I asked both cellular carriers based in Sacramento to disclose the location of their cell sites in my area, they refused. The customer relations representatives indicated the information was confidential - almost a trade secret. I left voice mail messages with their engineers describing the information I wanted. Neither even returned my call. The implications of this guarded attitude are interesting, and more than a bit disconcerting. Fortunately the FCC maintains public records on all transmitter licensees, and the California Public Utilities Commission (CPUC) requires cellular companies to file abstracts with them containing the information I wanted.
The CPUC even told me the name of the person who would be available to help me dig through the abstracts and make photocopies. I didn't bother, but it was nice to see my tax dollars at work for my benefit.

OPERATING FREQUENCIES

The spectrum allocated by the FCC for the phone to transmit voice and data to the cell site is 824.000 - 849.000 MHz. The tower transmits to the phone on a spectrum of the same size, 869.000 - 894.000 MHz. The cellular channels are narrowband FM, spaced 30 kHz apart, so working out every channel frequency is a matter of simple addition. Note that the band edge is not itself a channel: the lowest channel a cell site transmits on is centered at 869.040 MHz, and the rest follow in 30 kHz steps: 869.070, 869.100, 869.130, etc. The frequencies used by the phone for transmission to the tower step upward the same way from 824.040 MHz. The frequencies are paired so that the phone is always transmitting to the tower exactly 45 MHz below the frequency the tower is using. If the landline (base) side of the call is transmitted to the phone on 887.940 MHz, then the phone is simultaneously transmitting the mobile side of the call back to the cell site on 842.940 MHz.

Cell sites generally transmit the mobile side of the call back to the cellular phone at a reduced level along with the audio from the landline side of the call. This can be intentional, as in the "side tone" present in a standard landline telephone receiver, or the result of poor nulling where the cellular network interfaces with the Telco lines. This means anyone with a receiver or scanner capable of tuning the upper frequency in the pair can monitor both sides of the conversation. It is illegal to do so, however.
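The channel plan above can be reduced to a few lines of arithmetic. The following is an added example, not code from the original article: the 30 kHz spacing, the two 25 MHz bands and the fixed 45 MHz offset between the two halves of a pair are the article's facts, while the channel numbering (channels 1-799, plus the 991-1023 expansion block that sits just below channel 1) and the A/B carrier split with 21 control channels each come from the AMPS standard (EIA/TIA-553), which the article does not go into. Frequencies are kept as integer kHz so the results are exact.

```python
"""AMPS channel plan helpers (added example; not from the original article).

From the article: 30 kHz channel spacing, phone transmits in 824-849 MHz,
cell site answers in 869-894 MHz, always exactly 45 MHz higher.
From the AMPS standard (EIA/TIA-553), not the article: channel N is centred
at 825.000 MHz + 30 kHz * N for N = 1..799, and the expansion block 991..1023
sits *below* channel 1 (channel 1023 is 825.000 MHz, channel 991 is 824.040).
"""

MOBILE_ORIGIN_KHZ = 825_000   # channel N is centred at 825.000 MHz + 30 kHz * N
DUPLEX_OFFSET_KHZ = 45_000    # cell site always transmits 45 MHz above the phone
STEP_KHZ = 30


def is_valid_channel(channel: int) -> bool:
    """1-666 were the original channels; 667-799 and 991-1023 were added later."""
    return 1 <= channel <= 799 or 991 <= channel <= 1023


def mobile_tx_khz(channel: int) -> int:
    """Centre frequency the phone transmits on, in kHz."""
    if not is_valid_channel(channel):
        raise ValueError(f"channel {channel} is not an AMPS channel")
    n = channel if channel <= 799 else channel - 1023   # 991..1023 -> -32..0
    return MOBILE_ORIGIN_KHZ + STEP_KHZ * n


def base_tx_khz(channel: int) -> int:
    """Centre frequency the cell site transmits on: the other half of the pair."""
    return mobile_tx_khz(channel) + DUPLEX_OFFSET_KHZ


def channel_from_khz(khz: int) -> int:
    """Reverse lookup from either side of a pair to the channel number.

    Raises ValueError for anything not on the 30 kHz grid, such as the band
    edge 869 000 kHz: the lowest cell-site channel centre is 869 040 kHz.
    """
    if khz >= 869_000:
        khz -= DUPLEX_OFFSET_KHZ          # fold the cell-site side onto the phone side
    delta = khz - MOBILE_ORIGIN_KHZ
    if delta % STEP_KHZ:
        raise ValueError(f"{khz} kHz is not on the 30 kHz channel grid")
    n = delta // STEP_KHZ
    channel = n if n >= 1 else n + 1023   # -32..0 -> 991..1023
    if not is_valid_channel(channel):
        raise ValueError(f"{khz} kHz is outside the cellular band")
    return channel


def is_channel_centre(khz: int) -> bool:
    """True if a frequency (either side of the pair) is a real channel centre."""
    try:
        channel_from_khz(khz)
        return True
    except ValueError:
        return False


def format_mhz(khz: int) -> str:
    """842940 -> '842.940', the way the article writes frequencies."""
    return f"{khz // 1000}.{khz % 1000:03d}"


def carrier_block(channel: int) -> str:
    """'A' or 'B' carrier, with '-control' for the 21 control channels each has.

    A side: 1-333, 667-716, 991-1023 (control channels 313-333).
    B side: 334-666, 717-799 (control channels 334-354).
    """
    if not is_valid_channel(channel):
        raise ValueError(f"channel {channel} is not an AMPS channel")
    a_side = channel <= 333 or 667 <= channel <= 716 or channel >= 991
    side = "A" if a_side else "B"
    return side + ("-control" if 313 <= channel <= 354 else "")


if __name__ == "__main__":
    # Reproduce the article's example pair (channel 598) and walk the band edges.
    for ch in (598, 1, 799, 991, 1023):
        print(f"channel {ch:4d}: phone {format_mhz(mobile_tx_khz(ch))} MHz, "
              f"site {format_mhz(base_tx_khz(ch))} MHz, {carrier_block(ch)}")
    print("869.000 MHz is a channel centre:", is_channel_centre(869_000))
```

The article's 887.940 / 842.940 MHz pair is channel 598, on the B carrier's voice channels; the reverse lookup accepts either half of the pair, which is exactly what you need when you want to know what a frequency heard on a scanner corresponds to.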
CELLULAR COMMUNICATIONS PRIVACY

To calm fears that cellular calls were not private, the cellular industry lobbied Congress into passing the legislation known today as the Electronic Communications Privacy Act (ECPA) of 1986, which makes it a crime to monitor cellular phone calls and a host of other transmissions such as digital pagers. This law is used by cellular equipment dealers and service providers to reassure customers that their conversations will remain private.

A person using a cellular phone is broadcasting his private conversation on airwaves owned by the general public. These radio signals permeate our homes, bodies, and scanning receivers. Yet so complete is the cellular transceiver's emulation of an actual telephone that the general public not only expects privacy, but feels confident that the call is secure. Nobody could possibly be sitting in the privacy of their living room monitoring the conversation. That would be a Federal crime.

The ECPA has been described as a "toothless tiger" because it is virtually unenforceable. A growing number of scanner enthusiasts are monitoring cellular calls rather than the local fire department because it is much more entertaining. The ECPA is ignored by the public and law enforcement alike, just like the laws remaining on the books that make it illegal to work on Sunday. The bottom line is that it is up to you and me to ensure the privacy of our cellular calls. If you don't want to use a scrambling system, simply don't talk about anything on a cellular phone that you wouldn't discuss using your rig on the amateur bands.

TELEPHONE CONTROL DATA

With this simplified overview of the cellular network under your belt, let's dig a little deeper into the data exchanged between the cellular carrier and your phone. Obviously there is more information being sent by your phone to the cellular company than your conversation. The service provider needs to identify your physical phone, your cellular phone number, etc.
This is accomplished via data transmitted by your phone on a frequency set aside in each cell as a control (or "data") channel, every time you turn the phone on or use it. Your phone transmits six pieces of information to the cellular provider. One is the Electronic Serial Number (ESN) of your phone. Every cellular phone is assigned an ESN when manufactured. The ESN consists of numerical data which identify the manufacturer of the phone as well as the unique serial number of that specific phone. It is an eleven digit (decimal) number (equivalently, eight hexadecimal digits; the first three decimal digits, or the first two hex digits, are the manufacturer code) which has been burned into a PROM chip permanently installed in the phone. Like the Vehicle ID Number (VIN) on your car, it is not designed to be removed or modified, although hackers occasionally do so in order to circumvent billing (see sidebar).

Another item transmitted is your Mobile Identification Number (MIN), which is the actual ten digit area code and telephone number assigned to your phone. The remainder are numerical codes used by the cell site to identify things like your class of service and the specific capabilities of your phone hardware. This data is supplied when you activate service with the carrier. The ESN and MIN are matched and checked by computer against a database each time you use the phone to ensure that you are a valid subscriber, or are roaming from a system the carrier can bill for your calls.

All of this information (except the ESN) is provided by the cellular carrier and programmed into your phone when you subscribe to their service. The vast majority of cellular phones manufactured today are reprogrammable through the handset. This means that you can change (reprogram) this information yourself, without costly programming devices, simply by entering the proper keystrokes on the handset and punching in the data. This knowledge opens up a number of possibilities.
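The two identifiers described above are worth being able to handle precisely, since a used phone's ESN is what you will be quoting to a carrier and the MIN is what you will be keying in. The following is an added example, not code from the original article. The article gives the ESN as an eleven digit decimal number whose leading digits identify the manufacturer, and the MIN as the ten digit phone number; the bit layouts used here (a 32-bit ESN made of an 8-bit manufacturer code and a 24-bit serial, and the MIN split into a 24-bit MIN1 and a 10-bit MIN2 with the standard's "0 is sent as 10" digit encoding) follow the AMPS standard (EIA/TIA-553) rather than anything spelled out in the article. The sample ESN and phone numbers are constructed for illustration.

```python
"""ESN and MIN encoding helpers (added example; not from the original article).

ESN: 32 bits = 8-bit manufacturer code + 24-bit serial.  Written in decimal
as MMM SSSSSSSS (11 digits) or in hex as 8 digits.  Layout per EIA/TIA-553.
MIN: the 10-digit directory number, sent over the air as MIN1 (24 bits:
exchange, thousands digit, last three digits) and MIN2 (10 bits: area code).
Each 3-digit group is sent as 100*D1 + 10*D2 + D3 - 111 with a 0 digit
treated as 10; the thousands digit is 4-bit BCD with 0 sent as 10.
All sample values are constructed for illustration.
"""
from __future__ import annotations

import re


def esn_from_decimal(esn_dec: str) -> int:
    """Parse the 11-digit decimal form (3-digit manufacturer + 8-digit serial)."""
    if not re.fullmatch(r"\d{11}", esn_dec):
        raise ValueError("decimal ESN must be exactly 11 digits")
    mfr, serial = int(esn_dec[:3]), int(esn_dec[3:])
    if mfr > 0xFF or serial > 0xFFFFFF:
        raise ValueError("manufacturer code or serial number out of range")
    return (mfr << 24) | serial


def esn_from_hex(esn_hex: str) -> int:
    """Parse the 8-hex-digit form that service manuals and labels often use."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", esn_hex):
        raise ValueError("hex ESN must be exactly 8 hex digits")
    return int(esn_hex, 16)


def esn_to_decimal(esn: int) -> str:
    return f"{esn >> 24:03d}{esn & 0xFFFFFF:08d}"


def esn_to_hex(esn: int) -> str:
    return f"{esn:08X}"


def esn_manufacturer(esn: int) -> int:
    """The 8-bit manufacturer code carried in the top byte of the ESN."""
    return esn >> 24


def _enc3(digits: str) -> int:
    """AMPS 3-digit encoding: 100*D1 + 10*D2 + D3 - 111, with 0 treated as 10."""
    d = [10 if c == "0" else int(c) for c in digits]
    return 100 * d[0] + 10 * d[1] + d[2] - 111


def _dec3(value: int) -> str:
    """Inverse of _enc3: recover three digits, each in 1..10, from 0..999."""
    v = value + 111
    d3 = (v - 1) % 10 + 1
    rest = (v - d3) // 10          # 10*D1 + D2
    d2 = (rest - 1) % 10 + 1
    d1 = (rest - d2) // 10
    return "".join("0" if x == 10 else str(x) for x in (d1, d2, d3))


def min_encode(number: str) -> tuple[int, int]:
    """10-digit directory number (any punctuation) -> (MIN1, MIN2)."""
    digits = re.sub(r"\D", "", number)
    if len(digits) != 10:
        raise ValueError("MIN must contain exactly 10 digits")
    npa, nxx, d7, last3 = digits[:3], digits[3:6], digits[6], digits[7:]
    thousands = 10 if d7 == "0" else int(d7)        # 4-bit BCD, 0 sent as 1010
    min1 = (_enc3(nxx) << 14) | (thousands << 10) | _enc3(last3)
    min2 = _enc3(npa)
    return min1, min2


def min_decode(min1: int, min2: int) -> str:
    """(MIN1, MIN2) -> the 10-digit directory number."""
    if min1 >> 24 or min2 >> 10:
        raise ValueError("MIN1 is 24 bits and MIN2 is 10 bits")
    nxx = _dec3(min1 >> 14)
    thousands = (min1 >> 10) & 0xF
    last3 = _dec3(min1 & 0x3FF)
    return _dec3(min2) + nxx + ("0" if thousands == 10 else str(thousands)) + last3


if __name__ == "__main__":
    esn = esn_from_hex("8A123456")                      # constructed sample
    print("ESN", esn_to_hex(esn), "=", esn_to_decimal(esn),
          "manufacturer code", esn_manufacturer(esn))
    min1, min2 = min_encode("916-555-1234")             # constructed sample
    print(f"MIN1 {min1:06X} MIN2 {min2:03X} ->", min_decode(min1, min2))
```

The round trip matters for the zero digit: a number such as 209-000-0000 encodes every zero as 10, so a decoder that simply splits the bits into decimal digits gets it wrong, which is why the decoder above undoes the 1..10 arithmetic rather than reading digits off directly.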
If you activate or change your cellular service, you can program the phone yourself with data supplied by the cellular carrier and save paying any kind of reprogramming fee. If you're looking to acquire equipment, you can canvass flea markets, swap meets and the pages of classified ad magazines such as Nuts & Volts for great deals on used phones. Not only will you enjoy savings on the hardware, but you'll only need to pay the cellular company to activate service, since you can program the phone yourself.

In my article next month in Nuts & Volts I'll explain all the data programmed into a phone, explain what it means, and lead you step by step through the handset programming of a popular phone. This information is an important reference even for those who may just want to do something simple like change the unlock code on the phone. We'll also take a look at the publications available through Nuts & Volts advertisers that explain cellular telephone reprogramming and modification in depth.

******************************************************************************

BUYING USED CELLULAR GEAR
A FEW CAVEATS

When shopping the classifieds, flea markets and electronics swap meets for great deals on used cellular telephones, keep the following points in mind to avoid getting "burned."

Cellular phones are a major target of theft in some cities. They appeal to criminals such as drug dealers because they allow anonymous and virtually untraceable communication from a vehicle or street corner. The phone is discarded as useless when the service is disconnected, and such units may unwittingly be resold with other used equipment. There is no real way to discern this other than to phone your local cellular service provider to see if the phone's ESN is flagged in their computer as having been stolen.

The other type of phone to avoid is one that has been physically modified.
Hackers have been known to replace the factory PROM chip containing the ESN with a custom burned chip, thus changing the ESN. If this is done for the purpose of fraudulently making free calls, the ESN chip must be changed periodically as the cellular carrier discovers the fraud associated with each ESN. Detection of this type of modification is easy. Cellular manufacturers as a rule do NOT use a socket to hold the ESN chip. The PROM is usually not only soldered to the board, but sealed in epoxy or "air welded" to the circuit board to discourage this type of modification. An IC socket is usually installed by the hacker to allow easy insertion of an updated PROM as necessary. No reputable service center will repair a phone if it appears someone has tampered with the ESN, and it might call the police if presented with such a phone.

The vast majority of equipment you'll find on the open market is genuine surplus or used merchandise. With the above information in mind you can examine the phone and be confident about your decision to make a purchase.

******************************************************************************

AUTHOR BIOGRAPHY (For publication)

Damien Thorn's interest in electronics has deep roots. A noted "hacker" and "phone phreak" by age sixteen, he contributed regularly to the underground newsletter "TAP." Today Damien is an on-air radio personality and FCC licensed engineer in California's San Joaquin Valley. His interests include computers, communications, security and privacy issues. He welcomes questions and comments. You can reach him at 6333 Pacific Ave. #203, Stockton, CA 95207-3713 or via E-Mail at one of the following: DrDamien@Delphi.com via Internet mail, on CompuServe at 75720,2104, or on Delphi as DrDamien.