Note: The following consists of various messages and observations on cellular telephone operations which have been floating around on a number of hobbyist computer networks. Monitoring cellular telephone frequencies is a felony. The material is presented here only for its technical insights as to how these systems actually operate. The Chicago Area Radio Monitoring Association fully supports all local, state and federal laws.

CARMA - July, 93

From: Ed J. Gurney
To: All
Msg #122, Jun-08-93 16:52:02
Subject: Cellular Frequencies

From: egurney@vcd.hp.com (Ed J. Gurney)
Organization: Hewlett-Packard VCD

Bryan Mohr (bryan.mohr@spacebbs.com) wrote:
>Does anybody have the exact start and stop frequencies for both
>Cellular companies in a given area? I know that it is 30khz
>spacing, but I need the rest of the info. I need this information
>so that I know exactly what frequencies to lock out of my scanner. :>

That's a good idea. :-) Wouldn't want to be violating that ECPA by scanning the 800 MHz band and accidentally tuning in a cellular telephone conversation. If your scanner has the capability to lock-out certain ranges of frequencies, then you might find this information useful. 8->

There are actually many frequency allocations for cellular, in the US it's called AMPS (Advanced Mobile Phone Service), Canada uses AURORA 800. Each country in Europe has their own standard: TACS (Total Access Communications) in the UK; NMT or Nordic system in Scandinavian countries, RC2000 in France; NETZ C-450 in Germany. NTT is the Japanese standard.

AMPS has 30 kHz channel spacing with 20 MHz of spectrum allocation and 5 MHz of "additional spectrum". This allows a total of 832 channels. (For comparison, TACS uses 25 kHz spacing, has 15 MHz of spectrum with 10 MHz of additional for 1000 channels.)

The following chart is divided into two systems.
System A is defined for the non-wireline companies, and system B is for the wireline companies:

AMPS System A
Channel#    Mobile TX (MHz)    Mobile RX (MHz)
    1          825.030            870.030
  313*         834.390            879.390
  333+         834.990            879.990
  667          845.010            890.010
  716          846.480            891.480
  991          824.040            869.040
 1023          825.000            870.000

AMPS System B
  334*         835.020            880.020
  354+         835.620            880.620
  666          844.980            890.000
  717          846.510            891.000
  799          848.970            894.000

* indicates the last Dedicated Control Channel for each system
+ indicates the first Dedicated Control Channel for each system

Here it is in "graphical" form:

                  *** Mobile TX ***
824  825            835            845    846.5    849    851 MHz
-----------------------------------------------------------
| A  |      A       |      B       |  A   |   B    | Rsrvd|
-----------------------------------------------------------
991  ^ 1         333            666    716      799   Ch#
    1023

                 *** Cell Site TX ***
869  870            880            890    891.5    894    896 MHz
-----------------------------------------------------------
| A  |     A      :xxx:     B      |  A   |   B    | Rsrvd|
-----------------------------------------------------------
991  ^ 1          ^   ^         666    716      799   Ch#
    1023        313  354
(x'd areas indicate control channels)

Now, in text form:

AMPS cellular systems employ a frequency spectrum of 20 MHz made up of 666 channels with 30 kHz channel spacing. The transmit frequency at 825.030 MHz is specified as channel 1, and transmit frequency at 844.980 MHz is specified as channel 666. The receiver operates at 45 MHz above the transmit frequency, therefore, channel 1 receives at 870.030 and channel 666 receives at 889.980 MHz. An additional 5 MHz spectrum was subsequently added to the existing 20 MHz which increased the number of channels from 666 to 832.

This, and lots of other interesting info on the cellular system is taken from the 1993 Philips Semiconductors RF/Wireless Communications databook. (Specifically, the application notes on using their Cellular Chip Set.)
Also, the data sheet on the UMA1000T Data Processor for Cellular Radio (DPROC) chip (included in this databook) provides detailed information on the data signal transmitted between the phones and the cell sites. Interesting reading.

On another note, I've heard from a reliable source that there is now a device you can buy that allows you to follow cellular telephone calls provided the cell sites the calls are transferred to are within range. (In other words, it decodes the little "brappp" sent a second or two before the call transfers to a different cell and automatically tunes something/your scanner to the correct frequency.) I'm not sure if the device is stand-alone, or if it works with your scanner via RS-232 or something. It costs around $300-$400. I've told you everything I've heard. Anyone have any more details? (The same company that makes this is supposedly working on a unit to follow trunking systems as well.)

--
Ed J. Gurney N8FPW    Hewlett-Packard Company    Vancouver (USA!) Division
egurney@vcd.hp.com    #include
"Failures are divided into two classes-- those who thought and never did,
and those who did and never thought."  John Charles Salak
---
 * Origin: Great Lakes UseNet Gateway [royaljok.fidonet.org] (1:231/510)
*** This is a reply to #104. *** See also #166.

In article jcksnste@A writes:
>[Craig Shore discussed hearing both sides of cell calls]
>
>I have not heard it in any of the areas I've lived in, but I seem to
>recall a posting a while ago that cell sites near them only broadcast
>one side of the call.
> ......
>
>Please clarify, people, for I know you will. :)
>

I'll give it a shot-

On the cellular system, there are two channels of communication for the phone and the tower. The channel from the phone to the tower is called the reverse channel, and the one from the tower to the mobile is called the forward channel. For the sake of this discussion, I'll ignore the data channels, although they're referred to the same way.

On the reverse channel, _all_ that will be heard is the mobile's voice. You will not hear any of the landline's (or other cellular's) voice at all. Reason follows:

On the forward channel, the base site sends out the landline voice at full strength. Obviously, this is so the mobile unit can hear the conversation from the person at the other end of the conversation. In addition, the base site also transmits a small portion of the mobile's voice back on top of the landline voice. This is done because the human mind is accustomed to hearing its own voice to some degree on a regular phone. Some of the audio is taken on a regular phone and fed back electronically into the receiver (earpiece) so that the person hears himself a little. This is easily verified by giving the audio from the receiver to feed back into the mouthpiece, and feedback results. Anyway, the same practice is done for cellular systems.

Now you ask: why do the voice levels change so much? As a previous poster mentioned, perhaps misunderstanding a little, yes, the voice is weaker when the mobile is farther away. But that's farther away from the cell tower, not you, unless you're monitoring the RVC (reverse voice channel), in which case you won't hear any of the landline's side of the conversation. As the mobile is moved through the cell site, the tower is monitoring the strength of the signal coming from the mobile, and when the signal varies beyond a certain extent, then the tower sends out a message telling the mobile to vary its power to one of seven power levels (in the non-digital standard). In spite of this, as the unit moves farther from the cell site, the signal obviously drops some in strength before it is handed off to the next site. So as the signal is dropping, that certain part of the RVC which is fed back to the mobile on the FVC (forward VC) is dropping also. So it's possible for the mobile's side to vary in the amount of voice you can hear from it.
The landline's voice should generally stay the same, however, assuming your antenna is fixed as well and ignoring fading from passing objects near your antenna, etc.

Now the reason for the mobile side of the conversation not having any of the landline's voice: Think for a second: if the site is feeding the mobile voice back to the mobile receiver, and the mobile retransmits what it hears (primarily would be the landline), then what would happen? Obviously, feedback would result: this would be unacceptable for the cellular users.

I recently talked to a law enforcement official in somewhere, perhaps Canada, but anyway, he said that the local cellular company has decided to totally drop _all_ of the reverse voice from being rebroadcast back onto the receiver of the mobile. Why, he wasn't sure of. So it was impossible to hear both sides at any one time. Not nearly, but outright impossible.

This still leaves one issue which someone had mentioned: Yes, the mobile phones are rather low powered, with the most powerful limited to 3 watts here in the US by the FCC rules. The portable phones, that is, the handheld self-contained units, are generally .6 watts, but (as the local cellular agent just told me) versions which can produce 1.5 watts are being developed and introduced. These don't have nearly the power that the site tower does, so to monitor the RVC, you need to be within several miles of the phone being used. As this would only contain the one side of the conversation, though, it's not much fun to listen to (not that we're supposed to listen to any of it anyway- you all know the rules, and it's up to you to follow them ;)

Hope this answers some of the questions lots of people have asked recently. If anyone has any more questions, ask and I'll do my best to post what I know about the US cellular system.

As the disclaimer says, UNC probably doesn't know anything about this, and I have no connections with them other than using their Internet BBS for news, etc.

--Sherrod

From: Marvin Hoffman
To: All
Msg #13, Jun-09-93 12:40:22
Subject: Cell Tel Priv - Duplex?

The cellular base transmitter receives and rebroadcasts the transmissions of the cellular mobile or portable unit. Also, it broadcasts the other side of the conversation which comes in via wireline, microwave or fiber optic. The scanner is only hearing one frequency but the base cellular site is rebroadcasting the mobile's conversation as well as the wireline line side of the conversation.

Note some cellular transmitters do in fact only carry the side of the conversation from the phone network and instead of repeating the mobile it just feeds that audio out to the land based (regular) telephone caller.

All of the above is based upon extensive reading and not listening to cellular calls.

Marvin Hoffman, KD4EGV
Appalachian State University
Boone, NC

From: pas@jupitercmc.ca (Peter Stokes)
Organization: Canadian Microelectronics Corporation
Reply-To: pas@jupiter.ic.cmc.ca

In article <1993Jun9.033916.12055@nuchat.sccsi.com>, glynnet@zero.cypher.com (Glynne Tolar) writes:
|> In article <1v32q2$kn1@samba.oit.unc.edu> Sherrod.Munday@launchpad.unc.edu
|> (Sherrod Munday) writes:
|> >
|> >On the cellular system, there are two channels of communication for the
|> >phone and the tower. The channel from the phone to the tower is called
|> >the reverse channel, and the one from the tower to the mobile is called
|> >the forward channel. For the sake of this discussion, I'll ignore the
|> >data channels, although they're referred to the same way.
|> >
|> >On the reverse channel, _all_ that will be heard is the mobile's voice.
|> >You will not hear any of the landline's (or other cellular's) voice at
|> >all. Reason follows:
|> >
|> >On the forward channel, the base site sends out the landline voice at full
|> >strength. Obviously, this is so the mobile unit can hear the conversation
|> >from the person at the other end of the conversation. In addition, the
|> >base site also transmits a small portion of the mobile's voice back on top
|> >of the landline voice. This is done because the human mind is accustomed
|> >to hearing its own voice to some degree on a regular phone. Some of the
|> >audio is taken on a regular phone and fed back electronically into the
|> >receiver (earpiece) so that the person hears himself a little. This is
|> >easily verified by giving the audio from the receiver to feed back into
|> >the mouthpiece, and feedback results. Anyway, the same practice is done
|>
|> If you monitor cellular for any period of time you will discover that not
|> all connections reply the mobile's voice. The reason I figure for this is
|> that some phones cancel the echo to make using a speakerphone setup
|> possible. Otherwise feedback will result.

Here in South-Eastern Ontario, Canada, all of the non-wireline company forward channel transmissions do NOT include any echo of the mobile transmission. The wireline company forward channel transmissions do indeed include both sides of the conversation making scanner listening possible.

From: Brett Borowski
To: All
Msg #21, Jun-09-93 14:49:58
Subject: Cell Tel Priv - Duplex?

From: brett@surfpix.princeton.edu (Brett Borowski)
Organization: Very little.

HOFFMANMK@CONRAD.APPSTATE.EDU (Marvin Hoffman) wrote:
>The cellular base transmitter receives and rebroadcasts the transmissions
>of the cellular mobile or portable unit. Also, it broadcasts the other
>side of the conversation which comes in via wireline, microwave or fiber
>optic. The scanner is only hearing one frequency but the base cellular
>site is rebroadcasting the mobile's conversation as well as the wireline
>line side of the conversation.

There was a very authoritative post a while ago about this. If I remember correctly, the mobile site only transmits the land line signal to the portable phone.

>Note some cellular transmitters do in fact only carry the side of the
>conversation from the phone network and instead of repeating the mobile
>it just feeds that audio out to the land based (regular) telephone
>caller.

As it was explained, it's not up to the cellular site to transmit the portable caller's signal back to the portable unit. But, as I mentioned above, it transmits all of the land line audio. And here-in lies the difference. Most phone systems are 'unbalanced.' That is, the incoming signal gets sent back out. When this is the case, the cell site broadcast contains both sides of the conversation. However, when the land line connection is digital to a digital PBX system, there is little to no bounce back of the incoming signal.

>All of the above is based upon extensive reading and not listening to
>cellular calls.

If the original post is floating around, it might be time for a repost. I suspect that if the conversation is converted to an analog signal on a copper pair, one will hear both sides. But an all-digital connection may never mix the audio. And perhaps a call between two cellular phones on the same service will also have the two conversational ends isolated.

From: Robert Ford
To: All
Msg #22, Jun-09-93 12:33:52
Subject: Cell calls

From: robert@UNBSJ.CA (Robert Ford)
Organization: UNB Saint John Campus

What I observe... Here, there is a data channel at 880.1400MHz. Any conversation that takes place in the 868.9500--880.1400MHz, I only get one side of the conversation, the base side. The other half 880.1400--896.1000MHz, I get both sides.

From: Ed J. Gurney
To: All
Msg #41, Jun-09-93 16:51:02
Subject: Cell calls

From: egurney@vcd.hp.com (Ed J. Gurney)
Organization: Hewlett-Packard VCD

Glynne Tolar (glynnet@zero.cypher.com) wrote:
>I'd love to know what the format for the data bursts are. Like what info
>are the cell sites and phones sending to each other.

Try to call up a local Philips Semiconductor rep and ask for information on their Cellular Chip Set. One of them is the UMA1000T "Data Processor for Cellular Radio (DPROC)". Here's some info for the RF/Wireless Databook:

A call is initially set up using one out of a number of dedicated control channels (see my previous post [author search for "Gurney"] for frequency spectrum info). This establishes a duplex voice connection using a pair of voice channels. Any further transmission of control data occurs on these voice channels by briefly blanking the audio and simultaneously transmitting the data. The data burst is brief and barely noticeable by the user. A data rate of 10 kbit/s is used in the AMPS system.

A function known as Supervisory Audio Tone (SAT), a set of 3 audio tones (5970, 6000 and 6030 Hz), is used to indicate the presence of the mobile on the designated voice channel. The signal, which is analogous to the On-Hook signal on land lines, is sent out to the mobile by the base station on the Forward Voice Channel. The signal must be accurately recovered and transponded back to the base station to complete the 'loop'. At the base station this signal is used to ascertain the overall quality of the communication link.

Another voice channel associated signal is Signalling Tone (ST). This tone (8 kHz in AMPS) is generated by the mobile and is sent in conjunction with SAT on the Reverse Voice Channel to serve as an acknowledgment signal to a number of system orders.

Data is sent/received in Manchester encoded NRZ format. The signalling formats are as follows (numbers indicate # of bits):

Forward Control Channel

      10     11       40          40          40                40          10
--------------------------------------------------------------------------------
|  | Bit  | Word | Repeat 1  | Repeat 1  | Repeat 2  | ... | Repeat 5  |  | Bit
|  | Sync | Sync | of Word A | of Word B | of Word A | ... | of Word B |  | Sync
--------------------------------------------------------------------------------

Forward Voice Channel

     101    11       40       37     11       40
-----------------------------------------------------------/
|  | Bit  | Word | Repeat 1 | Bit  | Word | Repeat 2 | ... /
|  | Sync | Sync | of Word  | Sync | Sync | of Word  | ... /
-----------------------------------------------------------/

    37     11       40        37     11       40
 /--------------------------------------------------------
 / Bit  | Word | Repeat 10 | Bit  | Word | Repeat 11 |  |
 / Sync | Sync | of Word   | Sync | Sync | of Word   |  |
 /--------------------------------------------------------

Reverse Control Channel

   30     11     7             240                    240
-----------------------------------------------------------------------
| Bit  | Word | Coded | First Word Repeated | Second Word Repeated | ...
| Sync | Sync | DCC   |       5 times       |       5 times        | ...
-----------------------------------------------------------------------

Reverse Voice Channel

     101    11       48        37     11       48               48
---------------------------------------------------------------------------/
|  | Bit  | Word | Repeat 1  | Bit  | Word | Repeat 2  | ... | Repeat 5  /
|  | Sync | Sync | of Word 1 | Sync | Sync | of Word 1 | ... | of Word 1 /
---------------------------------------------------------------------------/

    37     11       48        37     11              48
 /----------------------------------------------------------------
 / Bit  | Word | Repeat 1  | Bit  | Word | ... | Repeat 5  |  |
 / Sync | Sync | of Word 2 | Sync | Sync | ... | of Word 2 |  |
 /----------------------------------------------------------------

The information in the data stream is identified by its position with respect to a unique synchronizing word (the Word Sync.) This sync word is an 11 bit-Barker code which has low probability of simulation in an error environment, and can easily be detected.

On the Reverse Control/Voice channels, each 36-bit Information Word is coded into a 48-bit code word (the extra 12 bits are parity information). (Forward Voice/Control channels have 28-bit Information Words.)

>> If anyone has more information on this topic, I'm sure the net would love to hear about it! <<

BTW, I had this dream last night where I was listening to cellular phone calls on my 2006 (model 20-145A) and a friend of mine was listening to them on another 2006 (model 20-145). Except that I rarely (if ever) heard the data bursts that were transmitted on either the voice or data channels (ie, I didn't hear "braaappp" every few seconds during a conversation.) But my friend with the 20-145 DID. Is that another potential difference between the 20-145 and A versions (I know about the backlight dimmer/on-off switch already.) Is it possible the 20-145A I heard in my dream had audio filters to block the data signals? Or is it possibly caused by differences in antennas/distance from cell site? I doubt I'll ever have this dream again, but I thought I'd ask anyway...

Regards as always,
Ed

--
Ed J. Gurney N8FPW    Hewlett-Packard Company    Vancouver (USA!) Division
egurney@vcd.hp.com    #include
"Failures are divided into two classes-- those who thought and never did,
and those who did and never thought."  John Charles Salak
---
 * Origin: Great Lakes UseNet Gateway [royaljok.fidonet.org] (1:231/510)
*** This is a reply to #22. *** See also #45.

From: Mr. Lyn R. Kennedy
To: All
Msg #118, Jun-12-93 11:33:48
Subject: cellphone stuff

From: lrk@k5qwb.lonestar.org (Mr. Lyn R. Kennedy)
Organization: Radio Amateur k5qwb

Ok, here's the deal. What you hear on the forward channel depends on the ability of the phone system to isolate the two channels. In the case of a cellphone-to-cellphone call, the whole thing is 4-wire. It's not only easy, it's normal for the two directions to be separate.

In the case of a call to a regular phone, the path usually gets converted to 2-wire someplace and that is where the mobile side gets fed back; at a lower level if the circuit works.
There are probably some newer systems with really good 4-wire to 2-wire circuitry (maybe all digital) and the possibility that ISDN phones stay 4-wire all the way. Anyway, being unable to hear the mobile while listening to the base channel is often an indication that the call is to another cellphone.
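
The channel numbering described in the "Cellular Frequencies" message above (30 kHz spacing, channel 1 at 825.030 MHz, cell site 45 MHz above the mobile, channels 991-1023 sitting just below channel 1), worked through as an added Python example that is not part of any of the original messages. Function names are made up for illustration, and the cell-site side is computed from the 45 MHz offset given in the text; the result is the contiguous lock-out range the original question asked for.

```python
SPACING_KHZ = 30
DUPLEX_KHZ = 45_000      # cell site transmits 45 MHz above the mobile
BASE_KHZ = 825_000       # channel N (1..799) sits N * 30 kHz above this
# 799 original-numbered channels plus the 33 added below channel 1
ALL_CHANNELS = list(range(991, 1024)) + list(range(1, 800))


def mobile_tx_khz(channel):
    """Mobile transmit centre frequency in kHz for an AMPS channel number."""
    if 1 <= channel <= 799:
        return BASE_KHZ + SPACING_KHZ * channel
    if 991 <= channel <= 1023:           # wraps around: 1023 is 825.000 MHz
        return BASE_KHZ + SPACING_KHZ * (channel - 1023)
    raise ValueError(f"channel {channel} is not in the AMPS plan")


def system(channel):
    """'A' (non-wireline) or 'B' (wireline), following the chart in the post."""
    mobile_tx_khz(channel)               # rejects channel numbers outside the plan
    return "B" if 334 <= channel <= 666 or 717 <= channel <= 799 else "A"


def is_control(channel):
    """True for the dedicated control channels marked in the chart (313..354)."""
    return 313 <= channel <= 354


def lockout_ranges(direction="cell"):
    """Merge all channel centres into contiguous (low_kHz, high_kHz) ranges."""
    offset = DUPLEX_KHZ if direction == "cell" else 0
    freqs = sorted(mobile_tx_khz(c) + offset for c in ALL_CHANNELS)
    ranges = [[freqs[0], freqs[0]]]
    for f in freqs[1:]:
        if f - ranges[-1][1] == SPACING_KHZ:
            ranges[-1][1] = f            # still adjacent: extend current range
        else:
            ranges.append([f, f])        # gap in the plan: start a new range
    return [tuple(r) for r in ranges]


if __name__ == "__main__":
    for ch in (1, 313, 354, 666, 799, 991, 1023):
        tx = mobile_tx_khz(ch)
        print(f"ch {ch:4d}  system {system(ch)}  control={is_control(ch)!s:5}  "
              f"mobile {tx / 1000:.3f}  cell {(tx + DUPLEX_KHZ) / 1000:.3f} MHz")
    print("cell-site lock-out (kHz):", lockout_ranges("cell"))
    print("mobile lock-out (kHz):   ", lockout_ranges("mobile"))
```
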
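
The framing described in the "Cell calls" message above (bit sync, an 11-bit Barker word sync, and each word repeated 5 times), as an added Python example that is not part of the original posts or the Philips databook. The Barker bit pattern, the dotting preamble, the sample word and the bitwise majority vote across repeats are assumptions made for illustration; the layout is the Reverse Control Channel one from the diagram, carrying a single word.

```python
import random

# 11-bit Barker word sync named in the post; the bit pattern below is the
# standard length-11 Barker sequence (an assumption, the post does not list it).
BARKER11 = [1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 0]
DOTTING30 = [1, 0] * 15          # constructed 30-bit bit-sync preamble
WORD_LEN, REPEATS, DCC_LEN = 48, 5, 7

def autocorrelation(code):
    """Aperiodic autocorrelation of a 0/1 code mapped to +1/-1 (lags 0..n-1)."""
    s = [1 if b else -1 for b in code]
    return [sum(s[i] * s[i + lag] for i in range(len(s) - lag))
            for lag in range(len(s))]

def distance(window):
    """Hamming distance between an 11-bit window and the sync word."""
    return sum(a != b for a, b in zip(window, BARKER11))

def find_sync(bits, max_errors=1):
    """Index just past the first window within max_errors of the sync word."""
    for i in range(len(bits) - len(BARKER11) + 1):
        if distance(bits[i:i + len(BARKER11)]) <= max_errors:
            return i + len(BARKER11)
    return -1

def min_false_distance(bits, true_start):
    """Closest any misaligned window before true_start comes to the sync word."""
    return min(distance(bits[i:i + len(BARKER11)]) for i in range(true_start))

def majority_vote(repeats):
    """Bitwise majority over an odd number of equal-length repeats."""
    return [int(sum(col) * 2 > len(repeats)) for col in zip(*repeats)]

def build_frame(dcc, word):
    """30 bit sync + 11 word sync + 7 coded DCC + one 48-bit word sent 5 times."""
    return DOTTING30 + BARKER11 + dcc + word * REPEATS

def recover_word(bits, max_errors=1):
    """Locate word sync, skip the coded DCC, and vote across the 5 repeats."""
    start = find_sync(bits, max_errors)
    body = bits[start + DCC_LEN:start + DCC_LEN + WORD_LEN * REPEATS]
    if start < 0 or len(body) < WORD_LEN * REPEATS:
        return None
    return majority_vote([body[i:i + WORD_LEN]
                          for i in range(0, len(body), WORD_LEN)])

def demo():
    """Constructed frame plus a copy with 1 sync-word error and 4 data errors."""
    rng = random.Random(1993)
    word = [rng.randint(0, 1) for _ in range(WORD_LEN)]
    frame = build_frame([0, 1, 0, 1, 1, 0, 0], word)
    noisy = frame[:]
    first = len(DOTTING30) + len(BARKER11) + DCC_LEN   # start of first repeat
    for pos in (34, first + 3, first + 2 * WORD_LEN + 3,
                first + WORD_LEN + 40, first + 4 * WORD_LEN + 40):
        noisy[pos] ^= 1
    return word, frame, noisy

if __name__ == "__main__":
    word, frame, noisy = demo()
    print("sidelobes:", autocorrelation(BARKER11)[1:])
    print("closest false sync:", min_false_distance(frame, 30), "bit errors away")
    print("word recovered from noisy frame:", recover_word(noisy) == word)
```

The autocorrelation sidelobes never exceed 1 in magnitude against a peak of 11, and with this preamble no misaligned window comes closer than 4 bit errors to the sync word, which is the "low probability of simulation in an error environment" the post refers to.
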