Path: utzoo!utgpu!attcan!uunet!lll-winken!lll-lcc!ames!pasteur!ucbvax!ucsd!orion.cf.uci.edu!oberon!bbn!mit-eddie!killer!vector!nobody
From: tim@Athena.UUCP (Tim Dawson)
Newsgroups: comp.dcom.telecom
Subject: Re: Cellular Setup
Message-ID:
Date: 25 Jan 89 17:32:12 GMT
Sender: chip@vector.UUCP
Lines: 78
Approved: telecom-request@vector.uucp
X-Submissions-To: telecom@bu-cs.bu.edu
X-Administrivia-To: telecom-request@vector.uucp
X-TELECOM-Digest: volume 9, issue 31, message 1

>X-TELECOM-Digest: volume 9, issue 24, message 4
>
>Question: How is phase shifting actually involved in communications between the mobile unit and the switching office?
>
>Question: Is it possible to access cellular setup channels and place a fraudulent call with a ham radio?
>
>Thanks for your help ..
>
>Perry
>
>Reply here on this newsgroup or e-mail to boottrax@csd4.milw.wisc.edu (arpanet)

To answer your questions as best as possible:

1) The "Phase Shifting" you refer to is in all probability referring to the modulation of the RF going from the mobile to the cell site (I forget the actual emission designators) and is similar to FM. Typically communications from the cell site to the cellular switching office are via T-1 PCM carrier systems.

2) Extremely improbable. For the why, first let me describe the scenario of a mobile to land call set up.

a) User enters phone number and hits send.

b) Mobile listens to data stream on signalling channel, and checks busy/idle bits to see if another mobile has channel in use. If idle, mobile sends request containing mobile Electronic Serial Number (manufactured into the radio), the mobile's phone number, and the called number.

c) System receives request and sends data burst back to mobile confirming that request is received, and assigning a voice channel.

d) Mobile changes frequency to voice channel, verifies SAT (sub audible tone used to verify that mobile has reached correct channel) and returns same SAT to cell site. Mobile also verifies DCC (Digital Color Code - like SAT but in digital domain) to confirm channel. Mobile unmutes audio and call setup proceeds through switch. At this point, all progress tones, etc. heard from the mobile are coming from the land office, not the mobile switch.

e) Call is now in progress. While call is up, cell sites constantly are scanning mobile signal strength. If it dips below threshold for a certain (variable from system to system) number of scans, a handoff request is made. Adjacent cells scan the mobile, and if signal is ABOVE threshold, the system initiates handoff. A request is sent digitally to the mobile to mute audio, and change to the new frequency (also sent). The mobile mutes, changes frequency, verifies SAT and DCC on the new channel and unmutes (all in about 50 ms or so, typically). This handoff is generally inaudible to the user, but is what makes using cellular with modems a pain - no audio/data can be sent during this handoff.

f) For call termination, mobile sends disconnect request to switch, and all facilities are idled.

As can be seen, this is not a trivial process. The primary problem with trying to defraud a mobile system is that you have to know a valid mobile's Electronic Serial Number/Mobile Number combination or the system will deny service. You also have to be able to transmit and receive 9600 baud FSK (to the best of my memory - my spec isn't handy) to the system in order to determine what voice channel assignment has been made. And you have to do it FAST! Most all call setup items described above must occur within very closely defined time windows, or the system will fail the call. Also, as soon as the guy who gets stuck with the bill bitches, they will most likely change his mobile number, or start tracing the calls and can determine who is the fraudulent user based on who is being called quite easily.

This is one of the big plusses of cellular telephony - if somebody steals a phone, their ESN can be denied nationally, and they can't use it. It is not impossible to change ESN in a phone, but it is extremely difficult since it is manufactured physically into the unit, and is not generally documented by the manufacturer in public domain documents for security reasons. So what you would end up doing is basically redesigning a cellular mobile, and I seriously doubt whether many people have the skill and knowledge to even come close to being able to do so. Also, with the security provisions in cellular systems, even if you could manage the hardware, the system software would still make it highly unlikely that you could use it.

--
================================================================================
Tim Dawson (...!killer!mcsd!Athena!tim) Motorola Computer Systems, Dallas, TX.
"The opinions expressed above do not reflect those of my employer - often even I cannot figure out what I am talking about."
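The call setup steps b) through e) above, modelled from the switch's side as an added example (this is not code from the original post, and the ESN/mobile number pairs, deny list, channel numbers, SAT/DCC values, signal levels and the 250 ms timing window are all constructed placeholders rather than real system parameters). It shows the checks the post relies on: the ESN must be paired with the mobile number it was provisioned with, a nationally denied ESN gets nothing, the SAT/DCC echo must match the assignment, a late reply fails the call, and a record of who was called is kept so a fraud complaint can be traced.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Set


class Outcome(Enum):
    CONNECTED = "connected"
    BUSY = "signalling channel busy, mobile must retry"
    NO_CHANNEL = "no idle voice channel"
    DENIED = "service denied: ESN/mobile number pair not valid"
    DENIED_NATIONAL = "service denied: ESN on national deny list"
    FAILED_TIMING = "call failed: reply outside setup timing window"
    FAILED_SAT = "call failed: SAT/DCC not confirmed on voice channel"


@dataclass
class Assignment:
    """Step c: the data burst sent back to the mobile."""
    voice_channel: int
    sat: int   # index of the sub-audible tone the mobile must return
    dcc: int   # digital color code the mobile must confirm


@dataclass
class MobileReply:
    """Step d: what the mobile returns after retuning to the voice channel."""
    sat: int
    dcc: int
    elapsed_ms: int   # time from assignment to SAT return


@dataclass
class Switch:
    subscribers: Dict[str, str]          # ESN -> mobile number (constructed values)
    denied_esns: Set[str]                # nationally denied ESNs, e.g. stolen phones
    window_ms: int = 250                 # assumed per-step timing window
    free_channels: List[int] = field(default_factory=lambda: [333, 334, 335])
    call_records: List[str] = field(default_factory=list)   # basis for tracing later

    def originate(self, esn: str, mobile_number: str, called: str,
                  channel_busy: bool,
                  mobile: Callable[[Assignment], MobileReply]) -> Outcome:
        # Step b: busy/idle bits on the signalling channel.
        if channel_busy:
            return Outcome.BUSY
        # The request must carry a known ESN together with the mobile number
        # it was provisioned with; either half alone gets no service.
        if esn in self.denied_esns:
            return Outcome.DENIED_NATIONAL
        if self.subscribers.get(esn) != mobile_number:
            return Outcome.DENIED
        if not self.free_channels:
            return Outcome.NO_CHANNEL
        # Step c: confirm the request and assign a voice channel.
        channel = self.free_channels.pop(0)
        assignment = Assignment(channel, sat=channel % 3, dcc=channel % 4)
        # Step d: the mobile retunes, verifies SAT/DCC and echoes the SAT.
        reply = mobile(assignment)
        if reply.elapsed_ms > self.window_ms:
            self.free_channels.append(channel)
            return Outcome.FAILED_TIMING
        if (reply.sat, reply.dcc) != (assignment.sat, assignment.dcc):
            self.free_channels.append(channel)
            return Outcome.FAILED_SAT
        # Call proceeds; the record of who was called is what a later trace uses.
        self.call_records.append(f"{mobile_number} -> {called} on channel {channel}")
        return Outcome.CONNECTED


def handoff_needed(serving_scans: List[int], threshold: int, scans_required: int) -> bool:
    """Step e: the serving cell asks for a handoff only after the mobile's
    signal has been below threshold for scans_required consecutive scans."""
    if len(serving_scans) < scans_required:
        return False
    return all(level < threshold for level in serving_scans[-scans_required:])


def pick_handoff_target(neighbor_scans: Dict[str, int], threshold: int) -> Optional[str]:
    """Adjacent cells scan the mobile; the strongest one above threshold wins,
    otherwise the call stays where it is."""
    candidates = {cell: level for cell, level in neighbor_scans.items() if level > threshold}
    if not candidates:
        return None
    return max(candidates, key=candidates.get)


if __name__ == "__main__":
    sw = Switch(subscribers={"ESN-0001": "2145550100", "ESN-0002": "2145550101"},
                denied_esns={"ESN-0002"})
    honest = lambda a: MobileReply(a.sat, a.dcc, elapsed_ms=40)
    print(sw.originate("ESN-0001", "2145550100", "2145550199", False, honest))
    print(sw.originate("ESN-0001", "2145550101", "2145550199", False, honest))
    print(sw.call_records)
```

The `mobile` callable stands in for the radio on the other end of the exchange, so the same switch logic can be exercised against a well-behaved handset, one that answers too late, or one that echoes the wrong SAT; the number of consecutive low scans before a handoff is a parameter because the post notes it varies from system to system.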