
Various Messages about Cellular Freqs


NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
Note: The following consists of various messages and observations on cellular telephone operations which have been floating around on a number of hobbyist computer networks. Monitoring cellular telephone frequencies is a felony. The material is presented here only for its technical insights as to how these systems actually operate. The Chicago Area Radio Monitoring Association fully supports all local, state and federal laws. CARMA - July, 93

From: Ed J. Gurney
To: All Msg #122, Jun-08-93 16:52:02
Subject: Cellular Frequencies

From: [email protected] (Ed J. Gurney)
Organization: Hewlett-Packard VCD

Bryan Mohr ([email protected]) wrote:
>Does anybody have the exact start and stop frequencies for both
>Cellular companies in a given area? I know that it is 30khz
>spacing, but I need the rest of the info. I need this information
>so that I know exactly what frequencies to lock out of my scanner. :>

That's a good idea. :-) Wouldn't want to be violating that ECPA by
scanning the 800 MHz band and accidentally tuning in a cellular telephone
conversation. If your scanner has the capability to lock-out certain
ranges of frequencies, then you might find this information useful. 8->

There are actually many frequency allocations for cellular, in the US
it's called AMPS (Advanced Mobile Phone Service), Canada uses AURORA
800. Each country in Europe has their own standard: TACS (Total Access
Communications) in the UK; NMT or Nordic system in Scandinavian
countries, RC2000 in France; NETZ C-450 in Germany. NTT is the Japanese
standard.

AMPS has 30 kHz channel spacing with 20 MHz of spectrum allocation and 5
MHz of "additional spectrum". This allows a total of 832 channels.
(For comparison, TACS uses 25 kHz spacing, has 15 MHz of spectrum with
10 MHz of additional for 1000 channels.)

The following chart is divided into two systems. System A is defined
for the non-wireline companies, and system B is for the wireline
companies:

AMPS System A
Channel#   Mobile TX (MHz)   Mobile RX (MHz)
   1          825.030           870.030
 313*         834.390           879.390
 333+         834.990           879.990
 667          845.010           890.010
 716          846.480           891.480
 991          824.040           869.040
1023          825.000           870.000

AMPS System B
 334*         835.020           880.020
 354+         835.620           880.620
 666          844.980           890.000
 717          846.510           891.000
 799          848.970           894.000

* indicates the last Dedicated Control Channel for each system
+ indicates the first Dedicated Control Channel for each system

Here it is in "graphical" form:

                  *** Mobile TX ***
824   825           835           845   846.5 849   851  MHz
-----------------------------------------------------
|  A  |      A      |      B      |  A  |  B  |Rsrvd|
-----------------------------------------------------
991   ^ 1           333           666   716   799      Ch#
     1023

                 *** Cell Site TX ***
869   870           880           890   891.5 894   896  MHz
-----------------------------------------------------
|  A  |     A     :xxx:     B     |  A  |  B  |Rsrvd|
-----------------------------------------------------
991   ^ 1         ^   ^           666   716   799      Ch#
     1023       313   354   (x'd areas indicate control channels)

Now, in text form: AMPS cellular systems employ a frequency spectrum of
20 MHz made up of 666 channels with 30 kHz channel spacing. The
transmit frequency at 825.030 MHz is specified as channel 1, and
transmit frequency at 844.980 MHz is specified as channel 666. The
receiver operates at 45 MHz above the transmit frequency, therefore,
channel 1 receives at 870.030 and channel 666 receives at 889.980 MHz.
An additional 5 MHz spectrum was subsequently added to the existing 20
MHz which increased the number of channels from 666 to 832.

This, and lots of other interesting info on the cellular system is taken
from the 1993 Philips Semiconductors RF/Wireless Communications databook.
(Specifically, the application notes on using their Cellular Chip Set.)
Also, the data sheet on the UMA1000T Data Processor for Cellular Radio
(DPROC) chip (included in this databook) provides detailed information
on the data signal transmitted between the phones and the cell sites.
Interesting reading.

On another note, I've heard from a reliable source that there is now
a device you can buy that allows you to follow cellular telephone calls
provided the cell sites the calls are transferred to are within range.
(In other words, it decodes the little "brappp" sent a second or two
before the call transfers to a different cell and automatically tunes
something/your scanner to the correct frequency.) I'm not sure if the
device is stand-alone, or if it works with your scanner via RS-232 or
something. It costs around $300-$400. I've told you everything I've
heard. Anyone have any more details? (The same company that makes this
is supposedly working on a unit to follow trunking systems as well.)

--
Ed J. Gurney N8FPW Hewlett-Packard Company Vancouver (USA!) Division
[email protected] #include <standard-disclaimer.h>
"Failures are divided into two classes-- those who thought and never did,
and those who did and never thought." John Charles Salak

---
* Origin: Great Lakes UseNet Gateway [royaljok.fidonet.org] (1:231/510)

*** This is a reply to #104. *** See also #166.
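
The channel arithmetic from the post above, as an added example that is not part of the original messages: it maps AMPS channel numbers to frequencies using the 30 kHz spacing and 45 MHz offset stated in the text, and checks every posted table row against that rule. Function and constant names are chosen for this illustration.

```python
# Added illustration, not code from the original posts.
# Frequencies are integer kHz so the 30 kHz steps stay exact.
SPACING_KHZ = 30
BASE_TX_KHZ = 825_000   # channel N: mobile TX = 825.000 MHz + N * 30 kHz
DUPLEX_KHZ = 45_000     # mobile RX (cell site TX) is 45 MHz above mobile TX

# Channel blocks and control-channel ranges as given in the post.
BLOCKS = {"A": [(1, 333), (667, 716), (991, 1023)],
          "B": [(334, 666), (717, 799)]}
CONTROL = {"A": (313, 333), "B": (334, 354)}

# Rows exactly as posted: (channel, mobile TX MHz, mobile RX MHz).
POSTED_ROWS = [
    (1, "825.030", "870.030"), (313, "834.390", "879.390"),
    (333, "834.990", "879.990"), (667, "845.010", "890.010"),
    (716, "846.480", "891.480"), (991, "824.040", "869.040"),
    (1023, "825.000", "870.000"), (334, "835.020", "880.020"),
    (354, "835.620", "880.620"), (666, "844.980", "890.000"),
    (717, "846.510", "891.000"), (799, "848.970", "894.000"),
]


def system_of(channel):
    """Return 'A' or 'B' for an assigned channel number, else None."""
    for system, ranges in BLOCKS.items():
        if any(lo <= channel <= hi for lo, hi in ranges):
            return system
    return None


def is_control(channel):
    """True if the channel lies in its system's dedicated control range."""
    system = system_of(channel)
    if system is None:
        return False
    lo, hi = CONTROL[system]
    return lo <= channel <= hi


def channel_to_khz(channel):
    """Return (mobile TX, mobile RX) in kHz for an AMPS channel number."""
    if system_of(channel) is None:
        raise ValueError(f"channel {channel} is not assigned")
    # Channels 991-1023 are the added block just below channel 1.
    n = channel - 1023 if channel >= 991 else channel
    tx = BASE_TX_KHZ + n * SPACING_KHZ
    return tx, tx + DUPLEX_KHZ


def khz_to_channel(rx_khz):
    """Map a cell-site TX frequency to its channel, or None if off-grid."""
    offset = rx_khz - DUPLEX_KHZ - BASE_TX_KHZ
    if offset % SPACING_KHZ:
        return None
    n = offset // SPACING_KHZ
    if n >= 1:
        channel = n
    elif n >= -32:
        channel = n + 1023
    else:
        return None
    return channel if system_of(channel) is not None else None


def total_channels():
    return sum(hi - lo + 1 for r in BLOCKS.values() for lo, hi in r)


def check_rows(rows=POSTED_ROWS):
    """List rows whose posted TX or RX differs from the computed value."""
    bad = []
    for channel, tx_mhz, rx_mhz in rows:
        posted = (round(float(tx_mhz) * 1000), round(float(rx_mhz) * 1000))
        computed = channel_to_khz(channel)
        if posted != computed:
            bad.append((channel, posted, computed))
    return bad
```

Run over the posted rows, `check_rows()` reports channels 666, 717 and 799, whose receive column does not equal transmit plus 45 MHz; the text of the same post gives 889.980 MHz for channel 666.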
In article <[email protected]> jcksnste@A writes:
>[Craig Shore discussed hearing both sides of cell calls]
>
>I have not heard it in any of the areas I've lived in, but I seem to
>recall a posting a while ago that cell sites near them only broadcast
>one side of the call.
>
...<deleted>...
>
>Please clarify, people, for I know you will. :)
>
I'll give it a shot-

On the cellular system, there are two channels of communication for the
phone and the tower. The channel from the phone to the tower is called
the reverse channel, and the one from the tower to the mobile is called
the forward channel. For the sake of this discussion, I'll ignore the
data channels, although they're referred to the same way.

On the reverse channel, _all_ that will be heard is the mobile's voice.
You will not hear any of the landline's (or other cellular's) voice at
all. Reason follows:

On the forward channel, the base site sends out the landline voice at full
strength. Obviously, this is so the mobile unit can hear the conversation
from the person at the other end of the conversation. In addition, the
base site also transmits a small portion of the mobile's voice back on top
of the landline voice. This is done because the human mind is accustomed
to hearing its own voice to some degree on a regular phone. Some of the
audio is taken on a regular phone and fed back electronically into the
receiver (earpiece) so that the person hears himself a little. This is
easily verified by giving the audio from the receiver to feed back into
the mouthpiece, and feedback results. Anyway, the same practice is done
for cellular systems.

Now you ask: why do the voice levels change so much? As a previous poster
mentioned, perhaps misunderstanding a little, yes, the voice is weaker
when the mobile is farther away. But that's farther away from the cell
tower, not you, unless you're monitoring the RVC (reverse voice channel),
in which case you won't hear any of the landline's side of the
conversation. As the mobile is moved through the cell site, the tower is
monitoring the strength of the signal coming from the mobile, and when the
signal varies beyond a certain extent, then the tower sends out a message
telling the mobile to vary its power to one of seven power levels (in the
non-digital standard). In spite of this, as the unit moves farther from
the cell site, the signal obviously drops some in strength before it is
handed off to the next site. So as the signal is dropping, that certain
part of the RVC which is fed back to the mobile on the FVC (forward VC) is
dropping also. So it's possible for the mobile's side to vary in the
amount of voice you can hear from it. The landline's voice should
generally stay the same, however, assuming your antenna is fixed as well
and ignoring fading from passing objects near your antenna, etc.

Now the reason for the mobile side of the conversation not having any of
the landline's voice: Think for a second: if the site is feeding the
mobile voice back to the mobile receiver, and the mobile retransmits what
it hears (primarily would be the landline), then what would happen?
Obviously, feedback would result: this would be unacceptable for the
cellular users.

I recently talked to a law enforcement official in somewhere, perhaps
Canada, but anyway, he said that the local cellular company has decided to
totally drop _all_ of the reverse voice from being rebroadcast back onto
the receiver of the mobile. Why, he wasn't sure of. So it was impossible
to hear both sides at any one time. Not nearly, but outright impossible.

This still leaves one issue which someone had mentioned: Yes, the mobile
phones are rather low powered, with the most powerful limited to 3
watts here in the US by the FCC rules. The portable phones, that is, the
handheld self-contained units, are generally .6 watts, but (as the local
cellular agent just told me) versions which can produce 1.5 watts are being
developed and introduced. These don't have nearly the power that the site
tower does, so to monitor the RVC, you need to be within several miles of
the phone being used. As this would only contain the one side of the
conversation, though, it's not much fun to listen to (not that we're
supposed to listen to any of it anyway- you all know the rules, and it's
up to you to follow them ;)

Hope this answers some of the questions lots of people have asked
recently. If anyone has any more questions, ask and I'll do my best to
post what I know about the US cellular system.

As the disclaimer says, UNC probably doesn't know anything about this, and
I have no connections with them other than using their Internet BBS for
news, etc.

--Sherrod

From: Marvin Hoffman
To: All Msg #13, Jun-09-93 12:40:22
Subject: Cell Tel Priv - Duplex?

The cellular base transmitter receives and rebroadcasts the transmissions
of the cellular mobile or portable unit. Also, it broadcasts the other
side of the conversation which comes in via wireline, microwave or fiber
optic. The scanner is only hearing one frequency but the base cellular
site is rebroadcasting the mobile's conversation as well as the wireline
line side of the conversation.

Note some cellular transmitters do in fact only carry the side of the
conversation from the phone network and instead of repeating the mobile
it just feeds that audio out to the land based (regular) telephone
caller.

All of the above is based upon extensive reading and not listening to
cellular calls.

Marvin Hoffman, KD4EGV
Appalachian State University
Boone, NC

From: [email protected] (Peter Stokes)
Organization: Canadian Microelectronics Corporation
Reply-To: [email protected]

In article <[email protected]>, [email protected]
(Glynne Tolar) writes:
|> In article <[email protected]> [email protected]
|> (Sherrod Munday) writes:
|> >
|> >On the cellular system, there are two channels of communication for the
|> >phone and the tower. The channel from the phone to the tower is called
|> >the reverse channel, and the one from the tower to the mobile is called
|> >the forward channel. For the sake of this discussion, I'll ignore the
|> >data channels, although they're referred to the same way.
|> >
|> >On the reverse channel, _all_ that will be heard is the mobile's voice.
|> >You will not hear any of the landline's (or other cellular's) voice at
|> >all. Reason follows:
|> >
|> >On the forward channel, the base site sends out the landline voice at full
|> >strength. Obviously, this is so the mobile unit can hear the conversation
|> >from the person at the other end of the conversation. In addition, the
|> >base site also transmits a small portion of the mobile's voice back on top
|> >of the landline voice. This is done because the human mind is accustomed
|> >to hearing its own voice to some degree on a regular phone. Some of the
|> >audio is taken on a regular phone and fed back electronically into the
|> >receiver (earpiece) so that the person hears himself a little. This is
|> >easily verified by giving the audio from the receiver to feed back into
|> >the mouthpiece, and feedback results. Anyway, the same practice is done
|>
|> If you monitor cellular for any period of time you will discover that not
|> all connections reply the mobile's voice. The reason I figure for this is
|> that some phones cancel the echo to make using a speakerphone setup
|> possible. Otherwise feedback will result.

Here in South-Eastern Ontario, Canada, all of the
non-wireline company forward channel transmissions do NOT
include any echo of the mobile transmission. The
wireline company forward channel transmissions do indeed
include both sides of the conversation making scanner
listening possible.

From: Brett Borowski
To: All Msg #21, Jun-09-93 14:49:58
Subject: Cell Tel Priv - Duplex?

From: [email protected] (Brett Borowski)
Organization: Very little.

[email protected] (Marvin Hoffman) wrote:

>The cellular base transmitter receives and rebroadcasts the transmissions
>of the cellular mobile or portable unit. Also, it broadcasts the other
>side of the conversation which comes in via wireline, microwave or fiber
>optic. The scanner is only hearing one frequency but the base cellular
>site is rebroadcasting the mobile's conversation as well as the wireline
>line side of the conversation.

There was a very authoritative post a while ago about this. If I remember
correctly, the mobile site only transmits the land line signal to the
portable phone.

>Note some cellular transmitters do in fact only carry the side of the
>conversation from the phone network and instead of repeating the mobile
>it just feeds that audio out to the land based (regular) telephone
>caller.

As it was explained, it's not up to the cellular site to transmit
the portable caller's signal back to the portable unit. But, as I
mentioned above, it transmits all of the land line audio. And here-in
lies the difference. Most phone systems are 'unbalanced.' That is, the
incoming signal gets sent back out. When this is the case, the cell site
broadcast contains both sides of the conversation. However, when the land
line connection is digital to a digital PBX system, there is little to no
bounce back of the incoming signal.

>All of the above is based upon extensive reading and not listening to
>cellular calls.

If the original post is floating around, it might be time for a repost. I
suspect that if the conversation is converted to an analog signal on a
copper pair, one will hear both sides. But an all-digital connection may
never mix the audio. And perhaps a call between two cellular phones on the
same service will also have the two conversational ends isolated.

From: Robert Ford
To: All Msg #22, Jun-09-93 12:33:52
Subject: Cell calls

From: [email protected] (Robert Ford)
Organization: UNB Saint John Campus

What I observe...

Here, there is a data channel at 880.1400MHz. Any conversation that takes
place in the 868.9500--880.1400MHz, I only get one side of the conversation,
the base side. The other half 880.1400--896.1000MHz, I get both sides.

From: Ed J. Gurney
To: All Msg #41, Jun-09-93 16:51:02
Subject: Cell calls

From: [email protected] (Ed J. Gurney)
Organization: Hewlett-Packard VCD

Glynne Tolar ([email protected]) wrote:
>I'd love to know what the format for the data bursts are. Like what info
>are the cell sites and phones sending to each other.

Try to call up a local Philips Semiconductor rep and ask for information
on their Cellular Chip Set. One of them is the UMA1000T "Data Processor
for Cellular Radio (DPROC)". Here's some info for the RF/Wireless
Databook:

A call is initially set up using one out of a number of dedicated
control channels (see my previous post [author search for "Gurney"] for
frequency spectrum info). This establishes a duplex voice connection
using a pair of voice channels. Any further transmission of control
data occurs on these voice channels by briefly blanking the audio and
simultaneously transmitting the data. The data burst is brief and
barely noticeable by the user. A data rate of 10 kbit/s is used in
the AMPS system.

A function known as Supervisory Audio Tone (SAT), a set of 3 audio
tones (5970, 6000 and 6030 Hz), is used to indicate the presence of
the mobile on the designated voice channel. The signal, which is
analogous to the On-Hook signal on land lines, is sent out to the mobile
by the base station on the Forward Voice Channel. The signal must be
accurately recovered and transponded back to the base station to complete
the 'loop'. At the base station this signal is used to ascertain the
overall quality of the communication link.

Another voice channel associated signal is Signalling Tone (ST). This
tone (8 kHz in AMPS) is generated by the mobile and is sent in conjunction
with SAT on the Reverse Voice Channel to serve as an acknowledgment signal
to a number of system orders.

Data is sent/received in Manchester encoded NRZ format.

The signalling formats are as follows (numbers indicate # of bits):

Forward Control Channel
    10     11       40         40         40               40        10
--------------------------------------------------------------------------
| | Bit | Word | Repeat 1 | Repeat 1 | Repeat 2 | ... | Repeat 5 | | Bit
| | Sync| Sync | of Word A| of Word B| of Word A| ... | of Word B| | Sync
--------------------------------------------------------------------------

Forward Voice Channel
    101    11       40      37     11       40
--------------------------------------------------------/
| | Bit | Word | Repeat 1 | Bit | Word | Repeat 2 | ... /
| | Sync| Sync | of Word  | Sync| Sync | of Word  | ... /
--------------------------------------------------------/
  37     11       40       37     11       40
/----------------------------------------------------
/ Bit | Word | Repeat 10 | Bit | Word | Repeat 11 | |
/ Sync| Sync | of Word   | Sync| Sync | of Word   | |
/----------------------------------------------------

Reverse Control Channel
  30     11      7             240                    240
-----------------------------------------------------------------------
| Bit | Word | Coded | First Word Repeated | Second Word Repeated | ...
| Sync| Sync |  DCC  |       5 times       |       5 times        | ...
-----------------------------------------------------------------------

Reverse Voice Channel
    101    11       48      37     11       48               48
-------------------------------------------------------------------/
| | Bit | Word | Repeat 1 | Bit | Word | Repeat 2 | ... | Repeat 5 /
| | Sync| Sync | of Word 1| Sync| Sync | of Word 1| ... | of Word 1/
-------------------------------------------------------------------/
  37     11       48      37     11             48
/---------------------------------------------------------
/ Bit | Word | Repeat 1 | Bit | Word | ... | Repeat 5 | |
/ Sync| Sync | of Word 2| Sync| Sync | ... | of Word 2| |
/---------------------------------------------------------

The information in the data stream is identified by its position with
respect to a unique synchronizing word (the Word Sync.) This sync word is
an 11-bit Barker code which has low probability of simulation in an error
environment, and can easily be detected.

On the Reverse Control/Voice channels, each 36-bit Information Word is
coded into a 48-bit code word (the extra 12 bits are parity information).
(Forward Voice/Control channels have 28-bit Information Words.)

>> If anyone has more information on this topic, I'm sure the net
would love to hear about it! <<

BTW, I had this dream last night where I was listening to cellular
phone calls on my 2006 (model 20-145A) and a friend of mine was
listening to them on another 2006 (model 20-145). Except that I
rarely (if ever) heard the data bursts that were transmitted on either
the voice or data channels (ie, I didn't hear "braaappp" every few
seconds during a conversation.) But my friend with the 20-145 DID.
Is that another potential difference between the 20-145 and A
versions (I know about the backlight dimmer/on-off switch already.) Is
it possible the 20-145A I heard in my dream had audio filters to block
the data signals? Or is it possibly caused by differences in antennas/
distance from cell site? I doubt I'll ever have this dream again, but
I thought I'd ask anyway...

Regards as always,
Ed

--
Ed J. Gurney N8FPW Hewlett-Packard Company Vancouver (USA!) Division
[email protected] #include <standard-disclaimer.h>
"Failures are divided into two classes-- those who thought and never did,
and those who did and never thought." John Charles Salak

---
* Origin: Great Lakes UseNet Gateway [royaljok.fidonet.org] (1:231/510)

*** This is a reply to #22. *** See also #45.
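
The word-sync and repeat structure described in the post above, as an added example that is not part of the original messages: it shows why an 11-bit Barker code is hard to mistake for data (its shifted autocorrelation never exceeds 1 in magnitude) and how sending each word five times lets a receiver out-vote corrupted copies. The page gives only the field lengths, so the bit patterns, the function names and the constructed errors are assumptions.

```python
# Added illustration, not code from the original posts. Frame layout follows
# the posted Forward Control Channel diagram: 10 bit-sync, 11 word-sync, then
# words A and B (40 bits each) interleaved five times. The unlabeled fields
# in the diagram are left out, and the bit patterns below are assumptions.
import random

BIT_SYNC = [1, 0] * 5                          # assumed alternating pattern
WORD_SYNC = [1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 0]  # the 11-bit Barker sequence
WORD_BITS, REPEATS = 40, 5


def autocorrelation(code):
    """Aperiodic autocorrelation of a 0/1 code mapped to +1/-1, per shift."""
    s = [1 if b else -1 for b in code]
    n = len(s)
    return [sum(s[i] * s[i + k] for i in range(n - k)) for k in range(n)]


def build_frame(word_a, word_b):
    """Bit sync, word sync, then A and B interleaved REPEATS times."""
    frame = BIT_SYNC + WORD_SYNC
    for _ in range(REPEATS):
        frame = frame + word_a + word_b
    return frame


def find_word_start(bits, max_errors=1):
    """Index just past the first window within max_errors of the sync word."""
    n = len(WORD_SYNC)
    for i in range(len(bits) - n + 1):
        errors = sum(a != b for a, b in zip(bits[i:i + n], WORD_SYNC))
        if errors <= max_errors:
            return i + n
    return None


def majority(copies):
    """Bit-by-bit majority vote over equal-length copies of one word."""
    need = len(copies) // 2 + 1
    return [int(sum(column) >= need) for column in zip(*copies)]


def decode(bits):
    """Locate the sync word, then vote across the repeats of A and B."""
    start = find_word_start(bits)
    if start is None or len(bits) < start + 2 * WORD_BITS * REPEATS:
        return None
    chunks = [bits[start + i * WORD_BITS:start + (i + 1) * WORD_BITS]
              for i in range(2 * REPEATS)]
    return majority(chunks[0::2]), majority(chunks[1::2])


def corrupt(frame):
    """Constructed errors: one wrong sync bit, repeats 1 and 3 inverted."""
    noisy = list(frame)
    noisy[len(BIT_SYNC) + 4] ^= 1
    start = len(BIT_SYNC) + len(WORD_SYNC)
    for repeat in (1, 3):
        lo = start + repeat * 2 * WORD_BITS
        for i in range(lo, lo + 2 * WORD_BITS):
            noisy[i] ^= 1
    return noisy


def demo(seed=1993):
    """Return (voted result correct, corrupted single copy correct)."""
    rng = random.Random(seed)
    word_a = [rng.randint(0, 1) for _ in range(WORD_BITS)]
    word_b = [rng.randint(0, 1) for _ in range(WORD_BITS)]
    noisy = corrupt(build_frame(word_a, word_b))
    start = find_word_start(noisy)
    one_copy = noisy[start + 2 * WORD_BITS:start + 3 * WORD_BITS]
    return decode(noisy) == (word_a, word_b), one_copy == word_a


if __name__ == "__main__":
    print(autocorrelation(WORD_SYNC), demo())
```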

From: Mr. Lyn R. Kennedy
To: All Msg #118, Jun-12-93 11:33:48
Subject: cellphone stuff

From: [email protected] (Mr. Lyn R. Kennedy)
Organization: Radio Amateur k5qwb

Ok, here's the deal. What you hear on the forward channel depends on
the ability of the phone system to isolate the two channels. In the
case of a cellphone-to-cellphone call, the whole thing is 4-wire. It's
not only easy, it's normal for the two directions to be separate. In
the case of a call to a regular phone, the path usually gets converted
to 2-wire someplace and that is where the mobile side gets fed back; at
a lower level if the circuit works. There are probably some newer
systems with really good 4-wire to 2-wire circuitry (maybe all digital)
and the possibility that ISDN phones stay 4-wire all the way.

Anyway, being unable to hear the mobile while listening to the base
channel is often an indication that the call is to another cellphone.
