Wireless Phones, Part 1
by Mr. Icom
Updated: 4/17/87

Introduction:
=============

While there have been many files dealing with mobile phones, all that I've seen have had inaccurate or incomplete information. This file will inform the phreak about the various telephone systems currently in use: "Cordless" phones, IMTS, Marine, Cellular, and Satellite trunks; hopefully giving the reader an insight into how they work, and perhaps how to control them. In Part I, I will discuss "cordless" phones.

Cordless Phones
===============

Cordless phones need no explanation, as most phreaks have one or two. However, there seems to be an unexplainable lack of accuracy as to the frequencies used on them. Cordless phones use two frequencies simultaneously for full-duplex communications. Currently, there are 3 frequency pair ranges used by cordless phones.

The first is a 1.7 MHz/49 MHz split. These are used by the first cordless phones, where the base transponder transmits in the 1.7 MHz range, and the handset transmits in the 49 MHz range. The 1.7 MHz carrier uses the AC power lines in the house as an antenna (this is known as "Carrier Current" transmission). Because of this fact, the range was limited, and the connections generally sucked because of interference from the 60 Hz power line frequency. While no more of these units are being made, they can still be had at tag sales/flea markets, and rip-off department stores like Caldors, Ames, and Jamesway. The frequencies (in MHz) are outlined below:

  Base     Handset
  =====    =======
  1.705    49.830
  1.735    49.845
  1.765    49.860
  1.795    49.875
  1.825    49.890

It is also interesting to note that the above 1.7 MHz frequencies are also used by those "Wireless Intercoms" sold by Radio Shack.

The second pair of frequencies is 46 MHz/49 MHz. All cordless phones today use these frequencies. The elimination of the bothersome 1.7 MHz side clears up interference, and also allows for a longer range.
Another thing which the FCC did when allocating the 46/49 splits was include more channels to lessen interference from other phones. The frequencies are:

  Base      Handset
  ======    =======
  46.610    49.670
  46.630    49.845
  46.670    49.860
  46.710    49.770
  46.730    49.875
  46.770    49.830
  46.830    49.890
  46.870    49.930
  46.930    49.990
  46.970    49.970

It is interesting to note that the 46 and 49 MHz range is also allocated for U.S. Government use, specifically the military. This discrepancy stems from two reasons. First, the FCC doesn't handle governmental allocations; an organization called IRAC (Intergovernmental Radio Advisory Committee) does them. Second, the FCC feels that the range of cordless phones is so limited that it won't cause interference.

The third pair of frequencies used is 49 MHz/70 MHz. These were used by cordless phones designed for export to foreign countries. While they are illegal, that doesn't stop people from using them.

"Cruising for dial tones"
=========================

Back in the early days of cordless phones, the lack of security features on them made it easy for someone to take his handset and drive/walk around the neighborhood, finding out how many dial tones he could bring up. Nowadays, the addition of various things in order to prevent this makes it very difficult. There are three major security features used in cordless phones.

The first one disconnects the base transponder from the airwaves if the phone is put in its charger slot. While there is no way to circumvent this, keeping the phone in its charger slot appears to many people as a limitation of its mobility. Thus, many people keep them lying around OUT of the charger slot, right by their side, so they don't have to run for the phone when it rings. Thus, their desire for convenience destroys the security.

The second feature is a digital code which the handset sends to the transponder when it is brought off hook. The transponder checks the code, and if it matches, a dial tone is presented.
This code is either preset at the factory, or user set by manipulating a couple of DIP switches. Changing the code on preset units would require you to go inside the machine and clip/add a few diodes. With the user set ones, all one would have to do is try every code till you get a dial tone. Most sets have 4-8 switches for the security code. This comes out from 8 to 255 different combinations. The security code is transmitted via a digital tone, similar to that used by IMTS signaling. (More on that in a future volume.)

To hear what I'm talking about, get your handset and a scanner. Tune your scanner to your handset frequency, and bring your handset off hook. As you bring it off hook, you should hear a bleeping tone. That is the security code being transmitted. Now, if you had a slightly modified 6 meter ham transmitter, and lived fairly close to your neighbor with a cordless phone, you could possibly record his security code and play it back through your transmitter, thus successfully impersonating his handset. While I don't know of any compatibilities between cordless phone security codes at this point, if I hear of any, they will be posted in a revision of this article.

The third security feature was designed and marketed just recently. This security feature is complete digitizing of the phone's audio using Pulse Code Modulation, very similar to what's used on digital trunks.

Increasing Your Range
=====================

Once cordless phones came out, someone got the bright idea of extending their range. Most people think that some kind of amplifier can be built which would give you more power and extended range. It isn't that simple. Since a cordless phone is a full-duplex radio link, an isolator is needed to keep the two transmitters separate. Unless you had a degree in Radio Engineering, your attempts at making this would most likely ruin the unit, and any successful attempts would make your cordless phone about 10 times its current size.
However, there is another way to extend your range, and that is by adding an external antenna on your roof. This will only work with 46/49 MHz units, as this antenna will only boost the 49 MHz side on 1.7/49 MHz units. On those phones, the 49 MHz side is usually OK, and you'll still have to put up with the interference on 1.7 MHz.

In any event, you'll need 5 lengths of stiff wire (coat hangers) 47 inches long, an SO-239 coaxial cable connector, and enough good quality (RG-8) coaxial cable to get from your phone to your roof. The cable should have a PL-259 connector on one end, and alligator clips on the other. Take the wire, and attach it to the SO-239 as shown:

                    |
    Wire attached-->|
    to center hole  |
                    |
                    ^
    Wire attached /===\
    to outer     /  *  \
    holes---->  /   $   \
    (ground)   /    |    \
                    |
    Coaxial         |
    Cable -->       |
                    |
          Down to Base Unit

    ^ ===  SO-239 Connector
    *  $   PL-259 Connector

At the base unit, attach the center conductor to the whip antenna, and attach the other conductor to the chassis (ground). For those lacking in antenna building skills, there are also commercially available units for about $50.

IMTS
====

IMTS, or Improved Mobile Telephone Service, is an automated telephone system which used to be the standard of mobile phones until cellular came along. IMTS uses the following frequencies (in MHz):

  Channel   Base Freq.   Mobile Freq.
  -------   ----------   ------------
  ZO        35.26        43.26
  ZF        35.30        43.30
  ZH        35.34        43.34
  ZM        35.38        43.38
  ZA        35.42        43.32
  ZY        35.46        43.46
  ZR        35.50        43.50
  ZB        35.54        43.54
  ZW        35.62        43.62
  ZL        35.66        43.66
  1         152.03       158.49
  3         152.06       158.52
  5         152.09       158.55
  7         152.12       158.58
  9         152.15       158.61
  11        152.18       158.64
  13        152.21       158.67
  JL        152.51       157.77
  YL        152.54       157.80
  JP        152.57       157.83
  YP        152.60       157.86
  YJ        152.63       157.89
  YK        152.66       157.92
  JS        152.69       157.95
  YS        152.72       157.98
  YR        152.75       158.01
  JK        152.78       158.04
  JR        152.81       158.07

There are also frequencies allocated in the UHF range. The base frequencies are posted below. The mobiles operate 5 MHz above the base frequency.
Thus, the mobile frequency for channel 21 is 458.025.

  Channel   Base Freq.
  -------   ----------
  21        454.025
  22        454.05
  23        454.075
  24        454.10
  25        454.125
  26        454.15
  27        454.175
  28        454.20
  29        454.225
  30        454.25
  31        454.275
  32        454.30
  33        454.325
  34        454.35
  QC        454.375
  QJ        454.40
  QD        454.425
  QA        454.45
  QE        454.475
  QP        454.50
  QK        454.525
  QB        454.55
  QO        454.575
  QR        454.60
  QY        454.625
  QF        454.675

Of all these frequencies, the VHF-high band ones are the most popular. If you live within 25-50 miles of anything resembling a moderately sized town, you will have at least 1 VHF-high band channel available. VHF-low band channels are used primarily in rural areas, and those with mountainous terrain. UHF channels are being used in cities where the VHF channels are getting crowded. If you live in a major city, expect to have most, if not all, of these channels available to you.

IMTS Signaling:

IMTS signaling is accomplished by in-band signaling tones from 1,300 Hz to 2,200 Hz. Two single-frequency tones are alternated, much like ASCII modem tones, to produce the digits for the ID number and destination number. The tones are as follows.

Base tones:
  Idle - 2,000 Hz - used to indicate an available channel.
  Seize - 1,800 Hz - sent as an acknowledgement by the base that a channel has been taken.

Mobile tones:
  Guard - 2,150 Hz - used when the mobile goes off-hook to seize a channel, as the "space" tone when sending the ID and destination number, and to acknowledge an incoming call.
  Connect - 1,633 Hz - used to "pick up" an incoming call, and as the "mark" tone in sending the ID and destination number.
  Disconnect - 1,336 Hz - used to disconnect.

To originate a call, the mobile sends 350 ms (milliseconds) of guard tone followed by 50 ms of connect tone. The base then stops sending the idle tone, stays quiet for 250 ms, and sends 250 ms of seize tone. The mobile sends 190 ms of guard tone, and sends the ID number at 20 pulses per second. The ID number consists of the subscriber's A/C and phone number.
The pulses consist of 25 ms of connect tone, followed by either 25 ms of silence or guard tone, depending on whether the digit is odd or even. The interdigit interval is either 190 ms of silence or guard tone, depending on whether the last digit was odd or even. Once the ID is sent, dialing is accomplished by sending alternating connect and guard tones at 10 pulses per second. A pulse is 60 ms of connect tone, followed by 40 ms of guard tone. To disconnect, send 750 ms of disconnect tone.

Getting an IMTS phone:

There are many ways to get an IMTS phone. They can be bought from electronic surplus dealers; however, these may need some work, and you'll have to figure out how to reprogram the thing. I've also seen the ID circuitry torn out of them when sold as surplus in order to keep people from doing what you're about to do. Your best bet is to go to a hamfest/electronic flea market, and pick up a business band mobile radio. These are surplus units capable of transmitting in the 150-174 MHz range. While these units are often modified by hams for the 2 meter (144-148 MHz) or 3/4 meter (440-450 MHz) band, they can be modified back for the business band. All that most of these units require to be brought into the IMTS band is the proper crystal, and the retuning of a capacitor or two. This, along with a cheap VHF-high band receiver, makes a full duplex radio setup. (Be sure to use headphones with the receiver to avoid feedback!)

Now you need to duplicate the tones. There are two ways to do this. The easiest and most versatile is to use a computer and generate the tones, but since few computers with tone generating capabilities are portable, an alternate method must be found. By wiring up an ordinary phone dial to a dual tone audio oscillator, one can duplicate a mobile phone dialer. Plans for this unit can be found in 2600 magazine. (See end of file.) With your "IMTS Box", you can either tape an ID number off the air, or generate one with your computer.
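The IMTS signaling sequence laid out above, modeled as an added example that is not part of the original file and not the code of any real IMTS equipment. Each tone is a (side, frequency in Hz, milliseconds) event instead of audio, so the origination handshake, the 20 pps ID pulses and the 10 pps dial pulses can be built on one side and parsed back on the other, with every timing checked against the values in the text the way a channel monitor would check a captured exchange. Three things the file does not state are assumed here: a digit is sent as that many pulses with 0 sent as 10 (the rotary dial convention), odd digits use guard tone and even digits use silence for the gap and the interdigit interval, and dialed digits are separated by a 190 ms guard interval.

```python
# Added example, not from the original file: symbolic model of IMTS signaling.
# Tones are (side, hz, ms) events. originate() builds the exchange both sides
# send; decode() parses one back and rejects anything off the stated timings.
# Assumed (not in the file): digit = pulse count with 0 sent as 10 pulses,
# odd digits get guard tone and even digits silence in the ID gaps, and a
# 190 ms guard interval separates dialed digits.

IDLE, SEIZE = 2000, 1800                       # base tones, Hz
GUARD, CONNECT, DISCONNECT = 2150, 1633, 1336  # mobile tones, Hz
SILENCE = 0

HANDSHAKE = [("mobile", GUARD, 350), ("mobile", CONNECT, 50),  # mobile asks for channel
             ("base", SILENCE, 250), ("base", SEIZE, 250),     # base drops idle, acks
             ("mobile", GUARD, 190)]                           # lead-in before the ID


def pulse_count(digit):
    """Pulses per digit; sending '0' as 10 pulses is an assumed rotary convention."""
    return int(digit) or 10


def id_digit(digit):
    """One ID digit at 20 pps: 25 ms connect + 25 ms gap per pulse, then a 190 ms
    interdigit interval. Gap and interval are guard tone for odd digits and
    silence for even digits (the parity assignment is an assumption)."""
    gap = GUARD if int(digit) % 2 else SILENCE
    pulses = [("mobile", CONNECT, 25), ("mobile", gap, 25)] * pulse_count(digit)
    return pulses + [("mobile", gap, 190)]


def dial_digit(digit):
    """One dialed digit at 10 pps: 60 ms connect + 40 ms guard per pulse, then an
    assumed 190 ms guard interdigit interval."""
    pulses = [("mobile", CONNECT, 60), ("mobile", GUARD, 40)] * pulse_count(digit)
    return pulses + [("mobile", GUARD, 190)]


def originate(mobile_id, number):
    """Whole exchange in time order: idle channel, handshake, ID, dialing, hang-up."""
    seq = [("base", IDLE, 1000)] + HANDSHAKE   # length of the idle tone is arbitrary
    for d in mobile_id:
        seq += id_digit(d)
    for d in number:
        seq += dial_digit(d)
    return seq + [("mobile", DISCONNECT, 750)]


def decode(seq):
    """Parse an event sequence into (mobile_id, number); ValueError on bad timing."""
    if seq[0][:2] != ("base", IDLE):
        raise ValueError("channel was not idle")
    for k, want in enumerate(HANDSHAKE, start=1):
        if seq[k] != want:
            raise ValueError("handshake mismatch at event %d: %r" % (k, seq[k]))
    mobile_id, number = [], []
    digits, pulses = mobile_id, 0            # ID digits come first, dialed digits after
    i = len(HANDSHAKE) + 1
    while i < len(seq):
        side, tone, ms = seq[i]
        if side != "mobile":
            raise ValueError("base transmitted during mobile signaling")
        if tone == CONNECT and ms in (25, 60):          # a pulse followed by its gap
            if ms == 60:
                digits = number                         # 60 ms pulses mean dialing
            if i + 1 >= len(seq) or (ms, seq[i + 1][2]) not in ((25, 25), (60, 40)):
                raise ValueError("bad pulse timing at event %d" % i)
            pulses += 1
            i += 2
        elif tone in (SILENCE, GUARD) and ms == 190 and pulses:   # interdigit interval
            digit = pulses % 10                         # 10 pulses decode as 0
            if digits is mobile_id and (tone == GUARD) != bool(digit % 2):
                raise ValueError("interdigit tone does not match digit parity")
            digits.append(str(digit))
            pulses, i = 0, i + 1
        elif tone == DISCONNECT and ms >= 750:
            break
        else:
            raise ValueError("unexpected event %d: %r" % (i, seq[i]))
    return "".join(mobile_id), "".join(number)


if __name__ == "__main__":
    # Constructed sample values: ID is an area code plus number, then a dialed number.
    exchange = originate("2035551234", "5551000")
    print(decode(exchange))
```

Because the decoder checks each pulse's gap length and the parity tone of every ID interdigit interval, a sequence with a shortened seize tone or a mismatched guard/silence interval is rejected rather than silently decoded, which is the check a monitor of this channel would want.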
To use your homebrew IMTS phone, find a channel that has an idle tone on it, send your connect and ID tone sequence, dial your number, and you're connected.

Marine Band
===========

The marine telephone band is for ships at sea to communicate with land-based telephones. A marine band telephone call is put through by finding an unused frequency, calling the marine operator, and giving her your callsign and phone number to call. The frequencies are as follows (in MHz):

  Channel   Ship Freq.   Shore Freq.
  -------   ----------   -----------
  24        157.20       161.8
  84        157.225      161.825
  25        157.25       161.85
  85        157.275      161.875
  26        157.30       161.90
  86        157.325      161.925
  27        157.35       161.95
  87        157.375      161.975
  28        157.40       162.00

Marine Band Radiotelephones:

While you could take your business band radio and put in marine band crystals, marine radiotelephones are easily available, and somewhat inexpensive ($100-$300 for a decent radio with VFO, memories and 25 watts). Some places may ask you for a marine license, which is no problem. Just write to the FCC, and they will send you an application; there are no requirements.

Before using your radio, listen on the telephone channels for a contact by another ship, and copy down the callsign used. Wait a while, and then feel free to use the callsign to place a call. DO NOT USE YOUR OWN CALLSIGN IF YOU'VE GOT ONE! If you do, expect to pay for a buck-a-minute minimum call. Marine telephone is one of the easiest ways for "wireless" communications; however, it still presents the same dangers as IMTS phreaking.

Ham Radio Autopatch and the Simpatch
====================================

Autopatch is a function put on many ham repeaters allowing the use of a phone line over the air. While one could phreak using an Autopatch, I advise you not to, as there is usually a control operator monitoring the machine (some do it 24 hours a day), and any attempts at hacking an access code will probably be noted.
Being a Ham, I'm not going into the subject of Autopatch any further than this, as there are better ways to phreak, and Hams are helpful people (some are even phreaks!) from whom you can get assistance on technical matters. In short, don't fuck with Autopatches!

However, along the lines of an autopatch is something called a Simpatch, which is a simpler version of an autopatch designed for use with a ham transceiver. This device makes a wonderful extended-range cordless phone when hooked up into a can. Its major drawback is that it's expensive, but anyone with a little electronics background can probably build one. A simpatch can also be used with CBs, or just about any other radio. A good idea for an extended range cordless phone would be a simpatch and two CB walkie-talkies. One CB would be connected to the Simpatch connected to the can, and accessed via the second walkie-talkie. The entire setup could be hidden in a tree, using a wire antenna (dipole or 1/4 wave vertical) for a range of 5-20 miles.

Conclusion
==========

Acknowledgements:

1) Mobile Phones - Theory and Construction, by The Researcher. 2600, April 1986.
   Available from:
   2600 Magazine
   P.O. Box 752
   Middle Island, NY 11953
   Write for latest rates on subscriptions and back issues.

2) Understanding Telephone Electronics. Available at Radio Shack.

3) American Radio Relay League
   225 Main St.
   Newington, CT 06111
   (has free information on ham radio)

Thanks go to The Datamaster, Peter Pulse, Bellcon, and The Surge for their assistance.

-Mr. Icom
March 29, 1987, Updated April 17, 1987

End of File.