logo: Welcome to my site! Back Issues

The Web

Old Home Page
Advertise here
Cell Phone Plans
Cell Phone Basics
Clip Art/Images
Contact Me!
Daily Notes
Digital Basics
Telecom History
Telecom News
Website Docs
Wired Telecom
Wireless Pages





WiWPrivate Line Back Issues

private line magazine and e-zine back issue text archive. Caution when using any material here which is now very much dated.

_(11)_(11A) (12)_(12A)

Here is another issue of private line! Thanks again.


This issue contains four photographs and 16 illustrations, including some nice exploded diagrams of COCOTS. Send me $5.00 if you want the hardcopy version. My address is:

private line 5150 Fair Oaks Blvd. #101-348 Carmichael, CA 95608

$24 a year for 6 issues. Price goes to $27 on July 1, 1995. Mexican and Canadian subscriptions are $31 and overseas subscribers have to pay $44 :(

I. Editorial Page II. Updates and Corrections III. Cell Phone Basics, Part 1 IV. The Roseville Telephone Museum V. Telecom Related Magazines and Newsletters


1. Damien Thorn has agreed to be the technical editor for private line. Damien has written for Tap and 2600. He now writes a great column called Full Duplex Communications for Nuts and Volts. Damien brings more than 15 years of practical, hands on hacking experience to private line. Let me explain a little about what he'll be doing for the magazine and what it means to you.

2. Damien won't be checking every technical fact in my writing or in this magazine, any more than I will check on his writing. Instead, he'll help me with questions that I can't answer. I can't tell you, for example, which cell phones are the easiest to work on and why. He can. I can tell you in general about cell phone theory and operation but I can't tell you much about real field experiences. He can. His advice will help me make fewer mistakes and keep private line more interesting and more practically grounded. In addition, he's also open to the idea of writing a column on a regular basis. I am very happy that he has signed on.

3. What will this magazine cover in the future? I intend to write general pieces about specific subjects. An issue on PBX's, one on outside plant equipment, another on business telecom equipment and so on. I will not write any specific hacking pieces myself. That's for any reader of the magazine to do. I could put two months of effort into a piece about hacking ROLMs but what good would that do someone who doesn't know about PBX operation to begin with? Someone that doesn't know a port from a pier? Reader submitted articles may be as specific as you like. But I'll keep my pages and my articles oriented toward beginners.

4. Today is January 1, 1995. The start of a new year. It's odd to think that these words won't be read until March. In reality, my deadline is only three or four weeks before the cover date. But you have to get each page done when you can. It's one of many oddities that I am dealing with for the first time. Magazine distribution is certainly another. A newssrack for a small magazine is like a consignment stand. Practically every magazine will be bought the real question is how many. You're doing well if 25% of your magazines go unsold. I explained the costs of producing private line last issue but I didn't figure in the cost of returns. Instead of $1.18 a copy, therefore, the true cost is more like $1.47. Quite a difference. On the positive side, it looks like I'll have at least 1200 copies printed up of this issue instead of 600 for the last. That will lower the per unit cost quite a bit. On the other hand, the better cover for this issue will make costs go up. And first class mail rates have also gone up. Oh, well. It feels like I am reinventing the wheel in learning all these things. When I don't have the time to learn them to begin with. What's a solution?

5. Well, the solution might be easy if I had a great deal of money. I could hire staff and advertising people. Then I'd go back to writing and research. But I don't have the money nor would I really want to change the character of the magazine by hiring a paid staff. Perhaps a better idea might be to organize a loosely structured publishing house for alternative technical magazines. Six or seven 'zines using the same printer to lower costs, sharing the same advertiser list and promoting each other's magazines with free ads in each others publications. Nothing too formal or involved. More like an association. No dues or fees. We could all keep in touch with fax machines, the mail and the internet. A quick check of Factsheet5 reveals several technologically oriented magazines: 2600, 2600 Connection, 3W, Short Circuit and Historically Brewed. Throw in all the electronic zines on the net that don't go into hardcopy and you've got quite a few people who aren't in the mainstream writing about tech. I don't have the time to explore this right now but feel free to write if you have any thoughts along this line. Lastly, I want to thank all my new readers, especially those subscribers who signed up without seeing a copy of private line first. That takes faith. In return, I'll try to put out the best magazine I can, something with articles you'll be interested in. The mailbox and the electronic door are always open . . .

Tom Farley

Carmichael, California


6. The internet patent connection got turned off for a few weeks in January. Try it again if you were disappointed before. Internet Multicasting Service and the Patent and Trademark Office were apparently involved in a turf war, with the PTO doing the instigating. There's hope, though, for the future. Bruce Lehman, commissioner of the Patent Office, told the IEEE Spectrum that his agency intends to put the entire patent collection online by the end of the decade. Hot damn. That means the text of all patents dating back to 1790. Wouldn't it be possible, however, to get text and illustrations at a web site? The patents are simple black and white line drawings. Speaking of web sites, I didn't include the PTO's in last issue. It is:

7. Def Con III will be held at the Tropicana Hotel in Las Vegas on August 4th, 5th, and 6th. Speakers will talk on the fifth and sixth. Get there. The Tropicana Hotel is located at 3801 Las Vegas Blvd. South, Las Vegas, Nevada, 89109. Rooms are $65 for a single or a double Monday through Thursday. Rates climb to $90 for a single or double from Friday to Sunday. Ask for the Def Con III convention to get those rates when you call. The Tropicana is at (800) 4689494 or (702) 7392448 (Fax). Yes, Dark Tangent knows that those rates are expensive. That's why he encourages everyone to keep track of developments as the con draws near. Keep up on details and you'll find cheaper motels, people to drive with or people to crash with. The ftp site is: /pub/defcon. Subscribe to the mailing list by sending email to the following: Put the following statement in the body of your message: subscribe dcannounce. This will put you on the mailing list and you will receive updated information on a regular basis. DT's voice mail is 07008264368 from a phone with AT&T LD. His email address is There's also a bulletin board at Alliance Communications +1 612251 2511. Or write him at 2709 E. Madison #102, Seattle, WA, 98112. That will also get you on a list. I do not want any excuses from any of you for not going. You have the whole spring and summer to save up. You have months and months to schedule an entire week off. Which is what you'll need to really enjoy yourself. And you will enjoy yourself. I won't be speaking but I will ask Dark Tangent about setting aside an hour or two for telephone talk. Anyone interested in that could just show up at a certain place at a certain time. No big deal. I wrote at length about Def Con II in private line #3. Please, please try to get there. I'll be writing a little more on this as the con draws near.

8. I just got a copy of Public Communications Magazine. It's the trade magazine that covers customer coin operated telephones most. A careful reading clears up many mysteries surrounding the wiley COCOT. Even the ads are interesting. The inside cover of the November issue, for example, has a Mars Electronic International ad that shows their MS16 electronic coin validator. It's an electronic beastie that checks each coin deposited into a COCOT. While these units were originally designed to guard against fraud, some telcos have been installing them in an apparent attempt to prevent red boxing. Unlike a COCOT, a telco payphone doesn't check every coin deposited during a conversation. It usually just checks the initial deposit. It can't do much more since it's just a dumb box of relays. No memory or intelligence. It sends tones to the central office to indicate a coin deposit. A red box simulates those tones. A coin validator can help stop this if added to a telco payphone. There are other ways for a telco to stop red boxing. One of my readers reports that GTE in some parts of the midwest has gone away from ACTS or automated coin toll service. They're now routing 1+ calls to the operator. You can still try boxing but you lose your anonymity. Public Communications also mentions some other interesting things. Ever notice the housing on these COCOTs? They look like a telco brand (W.E.) but cheaper? Quadram Telecom probably makes them. And who supplies the boards for these so called smart phones? The boards that let the COCOT total coins, rate calls and provide an ACTS like voice to tell you how much they are ripping you off for? Leading suppliers are Protel, maker of the BB and 2000 board, Intellistar, Elcotel and Intellicall. These fit on a chassis as illustrated on page 48. And the locking mechanisms? The most sophisticated is from Medeco High Security Locks, Inc. It's part of a whole system of key management. Check out the March 7, 1994 issue of Design News for more information on this coin box lock. Look for this system to come into wider use in the future.

9. Speaking of the future, the telephone industry is going nuts over debit cards. And I mean nuts. Even Teleconnect is going overboard. Public Communications and Telecard World are fueling the fire but it is the private payphone owner and the card seller that will shove these things into our lives. What's worse is the talk of putting debit card payphones in a neighborhood near you. No coins accepted, thank you. Coinless phones were limited before to airports, train stations or highway rest stops. Places where you had lots of other phones to choose from or no other phones at all. One example is Ameritech's LobbyLine indoor coin phone. You call with a calling card or debit card. Or you call collect or bill to a third party. The present debit phones, though, are being discussed as a replacement to the omnipresent COCOT. The reason? Pure greed. Protel's president, Jerry Yachabach, says that more than 70% of the cost of maintaining payphones is due to coin related functions. He reasons that the industry should find a substitute for coins. Great. His comments go along with pictures of two expensive looking credit card phones. No doubt Protel will make big bucks by selling these things. And what about the rest of the trade? What do they think? Eric Stebel, Managing Editor of Public Communications, nearly drools when he writes "And talk about vandalism and theft switching to a debit card payphone would virtually eliminate that. When was the last time you heard of someone blowing up a payphone just for the fun of it? No, most vandals have an ulterior motive to get to your payphone's coin box. And just think of the float money your company could make off of lost or unused cards. Heck, some people would even buy your debit cards as a collectible and never use them." Hey, Eric, float this! Let's go over some of these terms.

10. The most common form of debit card is the prepaid long distance calling card. Or talk and toss. Industry types call it centralized debit card technology. You pay for a certain amount of long distance in advance at a retail store. In return you get a card. Such as the "AT&T PrePaid Calling Card" available at Office Depot. It has an 800 number and a calling card number on the back. The pictures on the front, in part, drive collector mania. These can be anything from Satan to Santa. Let's say you want to call Germany. You call a number like 1800357 PAID. Your call is routed to a PBX somewhere. Industry favorites for prepaid cards are the NACT LCX 120C from National Applied Computer Technologies and the Harris Digital Systems 20/20 switch. Harris has an entire system called Protocall to handle prepaid debit cards. Their 20/20 switch is called a NGC for some strange reason when it's part of Protocall. In any case, the card seller's switch gets your call. What then? Next step is to enter the calling card number. Could be anything. Like 533 442 5968. The automated attendant tells you the value on your card. It then tells you to dial your number. Your call now goes out from the PBX to the Federal Republic. The robot comes back on after your call to tell you how much you have left on your card. You're now free to make another call or hang up. It's a pretty neat system and you can't beat the anonymity when you're calling from a payphone. The Tonya Harding Gang did have their toss and talk card calls monitored. But that's because the FBI was already watching.

11. What are the economics of all this? Here's a quotation from December's Teleconnect. This article had the happy title "Cash Cow": "Imagine you have a 100 store chain. You sell one $20 prepaid calling card per day per store. You bring in $60,000 a month. ($3,000 cards). You sell calls for 35 cents a minute. Your call cost is 24 cents a minute. 15% of the cards are not active (breakage). Your first month's operating margin is $24,000. Your first year's operating margin is $486,300. Where does the 24 cents a minute come from? You pay seven cents a minute for inbound 800 calls. Eight cents a minute for calls going out. Staff and space two cents. Equipment is five cents. Printing of cards is half a cent. Dedicated T1s [the leased line running from the telephone company to the switch] are one and a half cents a minute. The name of the game is volume. Without volume you can't get your prices down enough." Well, you know that AT&T can get costs down. Yet they charge 60 cents a minute for a call within the United States on their card. Much of that must go to places like Office Depot that actually sell the card. But it's still an expensive service. Remember, too, that a one minute and one second call will get you dinged for two minutes. The other kind of debit card is one with a magnetic stripe. You swipe these in the reader of a debit card payphone. Many countries have this service. Some telcos are playing with it now. Want to call home from the Quickie Mart? Buy a card from the store or go to a vending machine. Just like a BART card. Calls go directly to their destination once the payphone approves the card. The Public Utilities Commission in each state will probably require that 911, 800 numbers and 10X codes can be dialed without a card. Whether the COCOT actually allows those calls is another story. You may also hear about a debit card with an integrated circuit built in. This is chip technology. The chip itself maintains the account balance of the card. VISA and Mastercard are coming out with these soon. You'll be able to make small transactions of all sorts, including phone calls. I think, though, that calling them debit cards is wrong. Chip cards are based on credit and not on money put up front. That makes them a credit card and not a debit card.

12. I will be printing letters in upcoming issues. Tell me if you don't want your name printed. I want to welcome CONSUMERTRONICS aboard as private line's first paid advertiser. I've heard many good things about John Williams' company and I am happy to have them along. Speaking of advertising, my rates are now $100 for a full page, $50.00 for a half and $25.00 for a quarter. See what you missed by not signing on earlier? All subscribers get free classified ads of twenty five words or less. Thanks again to all my new subscribers!. I now have 39 paid subscriptions! Life is good. . .


13. Welcome to the world of cellular telephony. It's a fascinating place. Used phones prices are falling rapidly. It's time to experiment or at least to read up. Let's look at the big picture first. Telephone over radio is nothing special or unusual. Long distance radio telephony dates back to at least 1927, with the introduction of overseas service on short wave between the United States and Great Britain. AT&T and the British Postal Office put that project on the air after four years of experimenting. They expanded it later to communicate with Canada, Australia, South Africa, Egypt and Kenya as well as ships at sea. This service had fourteen dedicated channels or frequencies eventually assigned to it. The main transmitter was at Rugby, England. [1] Cables and satellites have replaced radio telephone for nearly all long distance use but many ships still use it. Radio amateurs on short wave still handle noncommercial telephone calls over short wave. These patches often handle emergency traffic.

14. Local, noncommercial radio telephony has also been going on for years, possibly since the 1950's. Enterprising radio amateurs wired simple telephone interfaces to their base stations long before any direct connection to Bell System equipment was allowed. These home built kits preceded today's sophisticated autopatches. An autopatch is, essentially, a remotely controlled phone. You activate and control one from afar with your radio's DTMF keypad. This could be a 6 meter, 2 meter, 70 cm or even a 1.2 GHz handheld or car mounted rig. You can then make calls from anywhere that you can key up the autopatch.

15. Car mounted mobile telephones carried out local commercial traffic for decades. Companies like Motorola still make them. It's an excellent choice for areas not well served by cellular. Cellular service may cover 90% of urban areas, but it only reaches 30% to 40% of the geographical area of America. Many people refer to mobile telephone by just saying IMTS, which stands for Improved Mobile Telephone System. It's the newest form of mobile radio. [2] Most IMTS equipment operates in the UHF band. A centrally located transmitter and receiver serves a wide area with a relatively few frequencies and users. It's the same concept that taxi fleets and tow truck companies use to dispatch vehicles. Most areas allow you to dial out directly from your car, however, there are still places where the operator comes up on frequency to place the call for you. [3] A single customer could drive 25 miles or more from the transmitter, however, only one person at a time could use that channel.

16. This limited availability of frequencies and their inefficient use were two main reasons for cellular's development. The breakup of the Bell System in 1984 allowed real cellular development to begin. The key to the system is the concept of frequency reuse as depicted in the upper right. Let's look at that as well as some basic cell phone theory.

II Basic Theory and Background

17. Cell phone theory is simple. Executing that theory is extremely complex. Each cell site has a base station with a computerized 800 megahertz transceiver and an antenna. This radio equipment provides coverage for an area that's usually from two to ten miles in radius. Even smaller cell sites cover tunnels, subways and specific roadways. The amount of area depends on topography, population, and traffic. The MTSO decides which cell and which frequencies in that cell should carry your call. How does it do that?

18. Your telephone's signal strength declines or increases as you move toward or away from a tower. The nearest base station constantly reports this signal strength to the MTSO. The mobile switch transfers your call to another cell when your signal level drops to a predetermined point. This handoff usually occurs automatically when the switch determines that another cell's transmitter can provide a better, stronger connection. You may drive fifty miles, use 8 different cells and never once realize that your call has been transferred. Let's look at some basics of this amazing technology.

19. The FCC allocates frequency space in the United States for many services. Some of these assignments may be coordinated with the International Telecommunications Union but many are not. Much debate and discussion over many years placed cellular frequencies in the 800 megahertz band. The FCC also issues the necessary operating licenses to the different cellular providers. Cellular development began in earnest after the Bell System breakup in 1984. The United States decided to license two carriers in each geographical area. One license went automatically to the local exchange carriers. The LECs. The other went to an individual, a company or a group of investors who met a long list of requirements and who properly petitioned the FCC. Cellular parlance calls these LECs wireline carriers. Each company in each area took half the spectrum available. What's called the "A Band" and the "B Band." There's no real advantage in having either one. The nonwireline carriers usually got the A Band and the wireline carriers got the B band. Depending on the technology used, however, one carrier might provide three times the connections a competitor does with the same amount of spectrum.

20. Cell phone frequencies start at 824.04 MHz and end at 893.7 MHz. [4] That's 69.66 megahertz worth of radio frequency spectrum. Quite a chunk. By comparison, the AM broadcast band takes up only 1.17 megahertz of space. This band, however, provides only 107 frequencies to broadcast on. Cellular may provide thousands of frequencies to carry conversations and data. This large number of frequencies and the large channel width required for each channel account for the large amount of spectrum space. For example, AT&T's Advanced Mobile Phone Service or AMPS uses 832 channels that are 30 kHz wide. It's the most common system right now. AMPS, though, has been replaced with NAMPS in crowded cell site areas. NAMPS stands for Narrowband Advanced Mobile Service. It's a Motorola technology. It produces 2412 narrow channels. A NAMP's channel is 10 kHz wide. AMPS, NAMPS and Hughes' ENAMPS are all FM based, analog systems. Digital systems like CDMA and TDMA provide even more channels in the same space. CDMA, in particular, could provide 20 times the number of frequencies that an AMPS system can. Let's back up a little before we drown in a sea of acronyms.

21. I mentioned that a typical cell channel is 30 kilohertz wide compared to the ten kHz allowed an AM radio station. How is it possible, you might ask, that a one to three watt cellular phone call can take up a path that is three times wider than a 50,000 watt broadcast station? Well, power does not necessarily relate to bandwidth. A high powered signal might take up lots of room or a high powered signal might be narrowly focused. A wider channel helps with audio quality. An FM stereo station, for example, uses a 150 kHz channel to provide the best quality sound. A 30 kHz channel for cellular gives you great sound almost automatically, nearly on par with the normal telephone network. That's what's impressive about Motorola's NAMPS. The base station uses a special frequency control circuit to keeps calls exactly on frequency. No wavering or moving off frequency to destroy a call's quality. Things should sound fine with this narrow band _if_ everything is working right.

22. I also mentioned that the cellular band runs from 824.04 MHz to 893. 97 MHz. In particular, cell phones use the frequencies from 824.04 MHz to 848.97 and the base stations operate on 869.04 MHz to 893.97 MHz. 45 MHz separates each transmit and receive frequency within a cell. That keeps them from interfering with each other. Getting confusing? Let's look at the frequencies of a single cell for a single carrier. Maybe that will clear things up. For this example, let's assume that this is one of 21 cells in an AMPS system:

Cell#1 of 21 in Band A (The nonwireline carrier)

Channel 1 (333) Tx 879.990 Rx 834.990 Channel 2 (312) Tx 879.360 Rx 834.360 Channel 3 (291) Tx 878.730 Rx 833.730 Channel 4 (270) Tx 878.100 Rx 833.100 Channel 5 (249) Tx 877.470 Rx 832.470 Channel 6 (228) Tx 876.840 Rx 831.840 Channel 7 (207) Tx 876.210 Rx 831.210 Channel 8 (186) Tx 875.580 Rx 830.580 etc., etc.,

(Each cell has at least 15 frequencies or channels)

23. The cellular network assigns these frequency pairs carefully and in advance. The layout is confusing since the pattern is non-intuitive and because there are so many numbers involved. Don't get too caught up with exact frequency assignments unless you want to go further. [5] Speaking of numbers, check out the sidebar. Channels 800 to 832 are not labeled as such. Cell channels go up to 799 in AMPS and then stop. Believe it or not, the numbering begins again at 991 and then goes up to 1023. That gives us 832. Why offset at all? Cellular is not like CB radio. Citizen's band uses the same frequency to transmit and receive. A push to talk setup. Cellular provides full duplex communication like nearly all modern radios. It's more expensive since the mobile unit and the base station need the circuitry to transmit on one frequency while receiving on another. But it's the only way that permits a normal, back and forth, talk when you want to, conversation.  

24. Some Important Frequency Terms Okay, so what do we do we have? Three things: 1) Cell phones transmit on certain, dedicated frequencies, 2) base stations transmit on certain, dedicated frequencies and 3) a certain amount of bandwidth separates these frequencies. Let's get even more specific. We call a cell site's transmitting frequency the forward channel. A forward channel contains everything you hear since it is the cell site that transmits it. The cell phone's transmitting frequency, by comparison, is called the reverse channel. There's more. Certain channels carry only data. We call these control channels. They, too, have a forward and reverse frequency. This control channel is usually the first channel in each cell. It's responsible for call setup. Getting confusing? Let's go back to our friendly cell site for an example.


25. The first channel is always the control channel for each cell. You'll have 21 control channels if you have 21 cells. Calls get setup on these. A call gets going, in other words, on the control channel first. The MTSO then assigns a normal channel to carry the conversation. The voice channels and the control channel may handle signaling during the actual conversation. A single call, therefore, involves two kinds of forward and reverse channels. One for voice and data and one for data only. Makes it hard to follow, doesn't it? But there are real benefits to figuring it out. A phone's ESN number, for example, is only transmitted on the reverse control channel. A person poaching ESNs need only monitor one of 21 frequencies. They don't have to look through the entire band. I'll use the terms reverse control channel and reverse voice channel to keep these terms separate from now on. One last point at the risk of loosing everybody. You'll hear about dedicated control channels, paging channels, and access channels. These are not different channels but different uses of the control channel. Let's clear up the confusion by looking at call processing. We'll start out with AMPS since it's the most common system and because TDMA uses the AMPS protocol to first set up calls. Even a CDMA carrier uses an AMPS system in the background to carry calls from non-digital phones. We'll also touch on a number of new terms along the way.

III Call Processing

26. Let's look at how cellular uses data channels and voice channels. Keep in mind the big picture while we discuss this. A call gets set up on a control channel and another channel actually carries the conversation. The whole process begins with registration. It's what happens when you first turn on a phone but before you punch in a number and hit the send button. It only takes a few hundred milliseconds. Registration lets the local system know that a phone is active, in a particular area and that it can now take incoming calls. What cell folks call pages. The local system then notifies, in theory, the entire nationwide cellular network that this phone has come on line. Registration begins when you turn on your phone.

Registration -- Hello, World!

27. A mobile phone runs a self diagnostic when it's powered up. Once completed it acts like a scanning radio. It searches through its list of forward control frequencies, trying to pick the one with the strongest signal. The nearest base station usually provides that. The phone then transmits information to identify itself on the corresponding reverse control frequency. The mobile sends its phone number, its electronic serial number and its home system ID. Among other things. The cell site relays this information to the mobile telecommunications switching office. The MTSO, in turn, communicates with different databases, switching centers and software programs.

28. The phone gets registered with the local system if everything checks out. It can now take incoming calls since the system is aware that it is in use. The mobile then monitors a paging channel while it idles. All idle phones monitor this initial paging channel or IPCH. It's usually channel 333 for the non-wireline carrier and 334 for the wireline carrier. [6] Only larger systems have multiple paging channels. Again, this is a data based, forward control channel, transmitted by the cell site. What's different about a paging channel is that it cuts across the entire cellular service area. It's transmitted by each base station, even if that frequency isn't part of a cell's group of fifteen or sixteen. A mobile first responds to a page on the reverse control channel of the cell it is in. The MTSO then assigns yet another channel for the conversation. But I am getting ahead of myself. Let's finish registration.

29. Registration is an ongoing process. Moving from one service area to another causes registration to begin again. Just waiting ten or fifteen minutes does the same thing. It's an automatic activity of the system. It updates the status of the waiting phone to let the system know what's going on. The cell site can initiate registration on its own by sending a signal to the mobile. That forces the unit to transmit and identify itself. Registration also takes place just before you call. Again, the whole process takes only a few hundred milliseconds.

30. AMPS uses frequency shift keying to send data. Just like a modem. Data's sent in binary. 0's and 1's. 0's go on one frequency and 1's go on another. They alternate back and forth in rapid succession. Don't be confused by the mention of more frequencies. Frequency shift keying uses the existing carrier wave. The data rides 8kHz above and below, say, 879.990 MHz. Read up on modems and FSK and you'll understand the way AMPS sends digital information. Data gets sent at 10 k bps or 100,000 bits per second from the cell site. Quite impressive if we're talking about a modem on a land line. But we aren't. Cellular uses a radio link, a very high frequency signal that's subject to the vagaries of its band. Things such as billboards, trucks, and underpasses can deflect a cellular call. So the system repeats each part of each digital message five times. That slows things considerably. Add in the time for encoding and decoding the digital stream and the actual transfer rate can fall to as low as 1200 bps. [7] Remember, too, that an analog wave carries this digital information, just like most modems. It's not completely accurate to call AMPS an analog system. AMPS is actually a hybrid system, combining both digital and analog signals.

Getting a Call -- The Process

31. Okay, your phone's now registered with your local system. You get a call. It's just MCI security, wondering about all those conference calls to the mideast. You laugh and hang up. As you drive off to pick up another shipment of weapons, you marvel at the process of getting a call. What happened? Your phone recognized its mobile number on the paging channel. That's usually the forward control channel. The mobile responds by sending its identifying information once again to the MTSO, along with a message confirming that it received the page. The system responds by sending a voice channel assignment to the cell you are in. The cell site's transceiver gets this information and begins setting things up. It first informs the mobile about the new channel, say, channel 10 in cell number 8. It then generates a supervisory audio tone or SAT on the forward voice frequency. What's that?

32. An SAT is a high pitched tone that acts like a marker. The mobile tunes to its assigned channel and it looks for the right supervisory audio tone. Upon hearing it, the mobile throws the tone back to the cell site on its reverse voice channel. We now have a loop going between the cell site and the phone. This verifies that the mobile is on the right frequency. No SAT means no good. The cell site can fine tune the phone's reception with the SAT. It can also use it roughly determine the phone's location, since it takes a certain time for the signal to make a go around. The cell site releases or unmutes the forward voice channel if the SAT gets returned. It follows that by sending a digital signal on the FVC. This signal alerts the mobile to an incoming call. That action, in turn, causes the mobile to take the mute off the reverse voice channel. The mobile sends an audio tone to the cell site confirming that it got the alerting message. The system then produces a ringing sound for your caller while your phone rings. But let's go back to the SAT for just a moment.

33. I said that a mobile looks for the right supervisory audio tone. AMPS uses three named frequencies: SAT 0: 5970 Hz, SAT 1: 6000 Hz, and SAT 2: 6030 Hz. Three different markers. Why? Spacing cell site frequencies carefully avoids interference. It's the same way with SATs. Call setup is ongoing in each cell. Using several frequencies makes sure that the mobile is using the right channel assignment. It's not enough to get a tone on the right forward and reverse frequency the system must get the right channel and the right SAT. Two steps. Incorrect SATs cause havoc in the cellular bands. This tone is transmitted briefly but somewhat continuously during a call. You don't hear it since the signal lasts less than 300 ms. and because it's muted during transmission. The mobile, in fact, drops a call after a certain amount of time if it looses the SAT connection.

34. Well, enough about the SAT. I mentioned another tone that's generated by the mobile phone itself. It's called the signalling tone or ST. Don't confuse it with the SAT. You need the supervisory audio tone first. The ST comes in after that. It's necessary to complete the call. The mobile produces the ST, compared to the SAT which the cell site originates. The signaling tone is a very high audio frequency tone that you can't hear. Maybe your dog can but not you. It's 10 kHz tone. The mobile starts transmitting this signal back to the cell on the forward voice channel once it gets an alerting message. Your phone stops transmitting it once you pick up the handset or otherwise go off hook to answer its ringing. Cell folks might call this confirmation of alert. The system knows that you've picked up the phone when the ST stops. AMPS uses signalling tones of different duration's to indicate three other things. Cleardown or termination means hanging up, going on hook or terminating a call. The phone sends a signalling tone of 1.8 seconds when that happens. 400 ms. of ST means a hookflash. Hookflash requests additional services during a conversation in some areas. Confirmation of handover request is another arcane cell term. The ST gets sent for 50 ms. before your call is handed from one cell to another. Along with the SAT. That assures a smooth handoff from one cell to another. The MTSO assigns a new channel, checks for the right SAT and listens for a signalling tone when a handover occurs. Complicated but effective and all happening in less than a second.

Origination -- Making a call--

35. Making a mobile call uses many steps that help receive a call. The same basic process. Punch out the number that you want to call. Press the send button. Your mobile transmits that telephone number, along with a request for service signal, and all the information used to register a call to the cell site. The mobile transmits this information on the strongest reverse control channel. The MTSO checks out this info and assigns a voice channel. It communicates that assignment to the mobile on the forward control channel. The cell site opens a voice channel and transmits a SAT on it. The mobile detects the SAT and locks on, transmitting it back to the cell site. The MTSO detects this confirmation and sends the mobile a message in return. This could be several things. It might be a busy signal, ringback or whatever tone was delivered to the switch. Making a call, however, involves far more problems and resources than an incoming call does.

36. Making a call and getting a call from your cellular phone should be equally easy. It isn't. Originating a call from a mobile presents many problems for the user and the carrier. Especially when you are out of your local area. Incoming calls don't present a risk to the carrier. Someone on the other end is paying for them. The carrier, however, is responsible for the cost of fraudulent calls originating in its system. Most systems shut down roaming or do an operator intercept rather than allow a questionable call. I've had close friends asked for their credit card numbers by operators in order to place a call. Can you imagine giving a credit card number or a calling card number over the air? You're now back at a payphone, just like the good old days. Cellular One has shut down roaming "privileges" altogether in New York City, Washington and Miami at different times. But you can go through their operator and pay three times the cost of a normal call if you like. So what's going on? Why the problem with some outgoing calls? We first have to look at some more terms and procedures. We need to see what happens with call processing at the switch and network level. This is the exciting world of precall validation.

37. We know that pressing send or turning on the phone conveys information about the phone to the cell site and then to the MTSO. A call gets checked with all this information. There are many parts to each digital message. A five digit code called the home system identification number (SID or sometimes SIDH) identifies the cellular carrier your phone is registered with. For example, Cellular One's code in Sacramento is 00129. Go to Stockton forty miles south and Cellular One uses 00224. A system can easily identify roamers with this information. The "Roaming" lamp flashes if you are out of your local area. Or the "No Service" lamp comes on if the mobile can't pick up a useable signal. This number is keypad programmable, of course, since people change carriers and move to different areas. You can find yours by calling up a local cellular dealer. Or by putting your phone in the programming mode. [8]. This number doesn't go off in a numerical form, of course, but as a binary string of zero's and ones. These digital signals are repeated several times to make sure they get received. The mobile identification number or MIN is your telephone's telephone number. MINs are keypad programmable. You or a dealer can assign it any number desired. That makes it different than its electronic serial number that we discuss next. A MIN is ten digits long. A MIN is not your directory number since it is not long enough to include a country code. It's also limited when it comes to future uses since it isn't long enough to carry an extension number either. [9]

38. The electronic serial number or ESN is a unique number assigned to each phone. One per phone! Every cell phone starts out with just one ESN. This number gets electronically burned into the phone's ROM, or read only memory chip. A phone's MIN may change but the serial number remains the same. The ESN is a long binary number. Its 32 bit size provides billions of possible serial numbers. The ESN gets transmitted whenever the phone is turned on, handed over to another cell or at regular intervals decided by the system. Every ten to fifteen minutes is typical. Capturing an ESN lies at the heart of cloning. You'll often hear about stolen codes. "Someone stole Major Giuliani's and Commissioner Bratton's codes." The ESN is what is actually being intercepted. A code is something that stands for something else. In this case, the ESN. A hexadecimal number represents the ESN for programming and test purposes. [10] Such a number might look like this: 82 57 2C 01.

39. The station class mark or SCM tells the cell site and the switch what power level the mobile operates at and what frequencies the phone uses. The cell site can turn down the power in your phone, lowering it to a level that will do the job while not interfering with the rest of the system. The SCM also tells the switch if your phone is voice activated. That information, in turn, affects the way the MTSO handles signalling a VOX phone.

40. The switch process this information along with other data. It first checks for a valid ESN/MIN combination. You don't get a dial tone unless your phone number matches up with a correct, valid serial number. You have to have both unless, perhaps, if you call 911. The local carrier checks its own database first. Each carrier maintains its own records but the database may be almost anywhere. These local databases are updated, supposedly, around the clock by two much larger data bases maintained by Electronic Data Systems and GTE. EDS maintains records for most of the former Bell companies and their new cellular spin offs. GTE maintains records for GTE cellular companies as well as for the Cellular One group, a consortium of many different companies. Dial tone will not be returned unless everything checks out. They try to supply a current list of bad ESNs as well as information to the network on the 27,000 new cellular users coming on line every day.

41. A local caller will probably get dial tone if everything checks out. Roamers may not have the same luck if they're in another state or fairly distant from their home system. A roamer's record must be checked from afar. Many carriers still can't agree on the way to exchange this information or how to pay for it. A lot comes down to cost. A distant system may still be dependent on older switches or slower databases that can't provide a quick response. The so called North American Cellular Network is an attempt to link each participating carrier together with the same intelligent network/system 7 facilities. Still, that leaves many rural areas out of the loop. A call may be dropped or intercepted rather than allowed dial tone. In addition, the various carriers are always arguing over fees to query each others databases. Fraud is enough of a problem in some areas that many systems will not take a chance in passing a call through. Yet the fraud is fueled in part by lax network security. It's really a numbers game. How much is the system actually loosing? How much is prevention? Preventive measures may cost millions of dollars to put in place at each MTSO. In any case, the outlook is not good for roaming. Yet the ability to drive anywhere and call from anywhere was a main reason to move away from the old mobile telephone system. You used to have to call ahead to say that you would be visiting a distant city. An operator then had to make arrangements for your phone to be recognized by the local system. Well, Cellular One throughout December and January of last year was asking visiting cell phone callers to do just that before coming to New York City. Such progress!

42. In the next issue I'll write a shorter article that highlights TDMA and CDMA. I intend to have a resource list of part suppliers and publications. I'll also bring you some current information on cell fraud, including a look at Cellular Technical Service's Project Blackbird, a radio "fingerprinting" system designed to identify cloned phones. A similar system is being turned on in N.Y.C so the article should be interesting . .


[1] Hawks, Ellison. Popular Science Mechanical Encyclopedia: How It Works Popular Science Publishing Co., Inc. New York. 1943 87

[2] Fike, John L. and George E. Friend. Understanding Telephone Electronics SAMS, Carmel 1990 268

[3] West, Gordon. Mobile 2Way Radio Communications, Master Publishing Company, Richardson, 1991 41

[4] Macario, Raymond. Cellular Radio: Principles and Design, McGraw Hill, Inc., New York 1993 61 ISBN 007044301 A good book that's fairly up to date and in print. Explains several cellular systems such as GSM, JTACS, etc. as well as AMPS and TDMA. Details all the formats of all the digital messages. No CDMA About $40.00.

[5] Cellular Security Group is advertising free cellular frequency charts. You may want to call first. They're at (508) 7687486. The address is 106 Western Avenue, Essex, MA 01929. Sending a few dollars may help . . .

[6] Damien Thorn "Cellular Telephone Programming: Focusing on Fundamentals" Nuts and Volts Magazine (December, 1992) 23

[7] Noll Introduction to Telephone Systems 123 (I've lost the cite on this one I'll have it next issue)

[8] Thorn, ibid, 2 see also "Cellular Lite: A Less Filling Blend of Technology & Industry News" Nuts and Volts Magazine (March 1993)

[9] Crowe, David "Why MINs Are Phone Numbers and Why They Shouldn't Be" Cellular Network Perspectives (December, 1994) I give all the information on Crowe's newsletter on page 52.

NEXT PAGE --> logo West Sacramento, California, USA. A Tom Farley production




Aslan logo
Aslan Technologies
Link to Aslan