home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The Unsorted BBS Collection
/
thegreatunsorted.tar
/
thegreatunsorted
/
texts
/
cell_nfo
/
celltel.txt
< prev
next >
Wrap
Text File
|
1995-03-05
|
103KB
|
1,960 lines
==Phrack Inc.==
Volume Four, Issue Thirty-Eight, File 9 of 15
***************************************************************************
* *
* Cellular Telephony *
* *
* by *
* Brian Oblivion *
* *
* *
* Courtesy of: Restricted-Data-Transmissions (RDT) *
* "Truth Is Cheap, But Information Costs." *
* *
* *
***************************************************************************
The benefit of a mobile transceiver has been the wish of experimenters since
the late 1800's. To have the ability to be reached by another man despite
location, altitude, or depth has had high priority in communication technology
throughout its history. Only until the late 1970's has this been available to
the general public. That is when Bell Telephone (the late Ma Bell) introduced
the Advanced Mobile Phone Service, AMPS for short.
Cellular phones today are used for a multitude of different jobs. They are
used in just plain jibber-jabber, data transfer (I will go into this mode of
cellular telephony in depth later), corporate deals, surveillance, emergencies,
and countless other applications. The advantages of cellular telephony to the
user/phreaker are obvious:
1. Difficulty of tracking the location of a transceiver (especially if the
transceiver is on the move) makes it very difficult to locate.
2. Range of the unit within settled areas.
3. Scrambling techniques are feasible and can be made to provide moderate
security for most transmissions.
4. The unit, with modification can be used as a bug, being called upon by the
controlling party from anywhere on the globe.
5. With the right knowledge, one can modify the cellular in both hardware and
software to create a rather diversified machine that will scan, store and
randomly change.
6. ESN's per call thereby making detection almost impossible.
I feel it will be of great importance for readers to understand the background
of the Cellular phone system, mainly due to the fact that much of the
pioneering systems are still in use today. The first use of a mobile radio
came about in 1921 by the Detroit police department. This system operated at
2MHz. In 1940, frequencies between 30 and 40MHz were made available too and
soon became overcrowded. The trend of overcrowding continues today.
In 1946, the FCC declared a "public correspondence system" called, or rather
classified as "Domestic Public Land Mobile Radio Service" (DPLMRS) at 35 - 44
MHz band that ran along the highway between New York and Boston. Now the 35-
44MHz band is used mainly by Amateur radio hobbyists due to the bands
susceptibility to skip-propagation.
These early mobile radio systems were all PTT (push-to-talk) systems that did
not enjoy today's duplex conversations. The first real mobile "phone" system
was the "Improved Mobile Telephone Service" or the IMTS for short, in 1969.
This system covered the spectrum from 150 - 450MHz, sported automatic channel
selection for each call, eliminated PTT, and allowed the customer to do their
own dialing. From 1969 to 1979 this was the mobile telephone service that
served the public and business community, and it is still used today.
IMTS frequencies used (MHz):
Channel Base Frequency Mobile Frequency
VHF Low Band
ZO 35.26 43.26
ZF 35.30 43.30
ZH 35.34 43.34
ZA 35.42 43.32
ZY 34.46 43.46
ZC 35.50 43.50
ZB 35.54 43.54
ZW 35.62 43.62
ZL 35.66 43.66
VHF High Band
JL 152.51 157.77
YL 152.54 157.80
JP 152.57 157.83
YP 152.60 157.86
YJ 152.63 157.89
YK 152.66 157.92
JS 152.69 157.95
YS 152.72 157.98
YA 152.75 158.01
JK 152.78 158.04
JA 152.81 158.07
UHF Band
QC 454.375 459.375
QJ 454.40 459.40
QO 454.425 459.425
QA 454.45 459.45
QE 454.475 459.475
QP 454.50 459.50
QK 454.525 459.525
QB 454.55 459.55
QO 454.575 459.575
QA 454.60 459.60
QY 454.625 459.625
QF 454.650 459.650
VHF high frequencies are the most popular frequencies of all the IMTS band.
VHF low bands are used primarily in rural areas and those with hilly terrain.
UHF bands are primarily used in cities where the VHF bands are overcrowded.
Most large cities will find at least one station being used in their area.
ADVANCED MOBILE PHONE SYSTEM
The next step for mobile telephone was made in 1979 by Bell Telephone, again
introducing the Advanced Mobile Phone Service. This service is the focus of
this document, which has now taken over the mobile telephone industry as the
standard. What brought this system to life were the new digital technologies
of the 1970's. This being large scale integrated custom circuits and
microprocessors. Without these technologies, the system would not have been
economically possible.
The basic elements of the cellular concept have to do with frequency reuse and
cell splitting.
Frequency re-use refers to the use of radio channels on the same carrier
frequency to cover different areas which are separated by a significant
distance. Cell splitting is the ability to split any cell into smaller cells
if the traffic of that cell requires additional frequencies to handle all the
area's calls. These two elements provide the network an opportunity to handle
more simultaneous calls, decrease the transmitters/receivers output/input
wattage/gain and a more universal signal quality.
When the system was first introduced, it was allocated 40MHz in the frequency
spectrum, divided into 666 duplex radio channels providing about 96 channels
per cell for the seven cluster frequency reuse pattern. Cell sites (base
stations) are located in the cells which make up the cellular network. These
cells are usually represented by hexagons on maps or when developing new
systems and layouts. The cell sites contain radio, control, voice frequency
processing and maintenance equipment, as well as transmitting and receiving
antennas. The cell sites are inter-connected by landline with the Mobile
Telecommunications Switching Office (MTSO).
In recent years, the FCC has added 156 frequencies to the cellular bandwidth.
This provides 832 possible frequencies available to each subscriber per cell.
All new cellular telephones are built to accommodate these new frequencies, but
old cellular telephones still work on the system. How does a cell site know if
the unit is old or new? Let me explain.
The problem of identifying a cellular phones age is done by the STATION CLASS
MARK (SCM). This number is 4 bits long and broken down like this:
Bit 1: 0 for 666 channel usage (old)
1 for 832 channel usage (new)
Bit 2: 0 for a mobile unit (in vehicle)
1 for voice-activated transmit (for portables)
Bit 3-4: Identify the power class of the unit
Class I 00 = 3.0 watts Continuous Tx's 00XX...DTX <> 1
Class II 01 = 1.2 watts Discont. Tx's 01XX...DTX = 1
Class III 10 = 0.6 watts reserved 10XX, 11XX
Reserved 11 = --------- Letters DTX set to 1 permits
use of discontinuous trans-
missions
Cell Sites: How Cellular Telephones Get Their Name
Cell sites, as mentioned above are laid out in a hexagonal type grid. Each
cell is part of a larger cell which is made up of seven cells in the following
fashion:
|---| ||===|| |---| |---| |---| |---
/ \ // \\ / \ / \ / \ /
| |===|| 2 ||===|| ||===|| |---| |---|
\ // \ / \\ // \\ / \ / \
|---|| 7 |---| 3 ||==|| 2 ||==|| pc |---| |---|
/ \\ / \ // \ / \\ Due to the \
| ||---| 1 |---|| 7 |---| 3 ||--| difficulty of |
\ // \ / \\ / \ // \ representing /
|--|| 6 |---| 4 ||--| 1 |---|| |graphics with |
/ \\ / \ // \ / \\ / ASCII characters\
| ||==|| 5 ||==|| 6 |---| 4 ||--| I will only show |
\ / \\ // \\ / \ // \ two of the cell /
|---| ||===|| ||===|| 5 ||==|| |types I am trying-
/ \ / \ / \\ // \ / to convey. \
| |---| |---| ||==|| |---| |---| |
\ / \ / \ / \ / \ / \ /
|---| |---| |---| |---| |---| |---|
As you can see, each cell is a 1/7th of a larger cell. Where one (1) is the
center cell and two (2) is the cell directly above the center. The other cells
are number around the center cell in a clockwise fashion, ending with seven
(7). The cell sites are equipped with three directional antennas with an RF
beamwidth of 120 degrees providing 360 degree coverage for that cell. Note
that all cells never share a common border. Cells which are next to each other
are obviously never assigned the same frequencies. They will almost always
differ by at least 60 KHz. This also demonstrates the idea behind cell
splitting. One could imagine that the parameter of one of the large cells was
once one cell. Due to a traffic increase, the cell had to be sub-divided to
provide more channels for the subscribers. Note that subdivisions must be made
in factors of seven.
There are also Mobile Cell sites, which are usually used in the transitional
period during the upscaling of a cell site due to increased traffic. Of
course, this is just one of the many uses of this component. Imagine you are
building a new complex in a very remote location. You could feasibly install a
few mobile cellular cell sites to provide a telephone-like network for workers
and executives. The most unique component would be the controller/transceiver
which provides the communications line between the cell site and the MTSO. In
a remote location such a link could very easily be provided via satellite
up/down link facilities.
Let's get into how the phones actually talk with each other. There are several
ways and competitors have still not set an agreed upon standard.
Frequency Division Multiple Access (FDMA)
This is the traditional method of traffic handling. FDMA is a single channel
per carrier analog method of transmitting signals. There has never been a
definite set on the type of modulation to be used. There are no regulations
requiring a party to use a single method of modulation. Narrow band FM, single
sideband AM, digital, and spread-spectrum techniques have all been considered
as a possible standard, but none have yet to be chosen.
FDMA works like this: Cell sites are constantly searching out free channels to
start out the next call. As soon as a call finishes, the channel is freed up
and put on the list of free channels. Or, as a subscriber moves from one cell
to another, the new cell they are in will hopefully have an open channel to
receive the current call in progress and carry it through its location. This
process is called handoff, and will be discussed more in depth further along.
Other proposed traffic handling schemes include Time-Division Multiple Access
(TDMA), Code-Division Multiple Access (CDMA), and Time-Division/Frequency
Division Multiple Access (TD/FDMA).
Time Division Multiple Access
With TDMA, calls are simultaneously held on the same channels, but are
multiplexed between pauses in the conversation. These pauses occur in the way
people talk and think, and the telephone company also injects small delays on
top of the conversation to accommodate other traffic on that channel. This
increase in the length of the usual pause results in a longer amount of time
spent on the call. Longer calls result in higher costs of the calls.
Code Division Multiple Access
This system has been used in mobile military communications for the past 35
years. This system is digital and breaks up the digitized conversation into
bundles, compresses, sends, then decompresses and converts back into analog.
There are said increases of throughput of 20 : 1 but CDMA is susceptible to
interference which will result in packet retransmission and delays. Of course,
error correction can help in data integrity, but will also result in a small
delay in throughput.
Time-Division/Frequency Division Multiple Access
TD/FDMA is a relatively new system which is an obvious hybrid of FDMA and TDMA.
This system is mainly geared towards the increase of digital transmission over
the cellular network. TD/FDMA make it possible to transmit signals from base
to mobile without disturbing the conversation. With FDMA, there are
significant disturbances during handoff which prevent continual data
transmission from site to site. TD/FDMA makes it possible to transmit control
signals by the same carrier as the data/voice thereby ridding extra channel
usage for control.
Cellular Frequency Usage and channel allocation
There are 832 cellular phone channels which are split into two separate bands.
Band A consists of 416 channels for non-wireline services. Band B consists
equally of 416 channels for wireline services. Each of these channels are
split into two frequencies to provide duplex operation. The lower frequency is
for the mobile unit while the other is for the cell site. 21 channels of each
band are dedicated to "control" channels and the other 395 are voice channels.
You will find that the channels are numbered from 1 to 1023, skipping channels
800 to 990.
I found these handy-dandy equations that can be used for calculating
frequencies from channels and channels from frequencies.
N = Cellular Channel # F = Cellular Frequency
B = 0 (mobile) or B = 1 (cell site)
CELLULAR FREQUENCIES from CHANNEL NUMBER:
F = 825.030 + B * 45 + ( N + 1 ) * .03
where: N = 1 to 799
F = 824.040 + B * 45 + ( N + 1 ) * .03
where: N = 991 to 1023
CHANNEL NUMBER from CELLULAR FREQUENCIES
N = 1 + (F - 825.030 - B * 45) / .03
where: F >= 825.000 (mobile)
or F >= 870.030 (cell site)
N = 991 + (F - 824.040 - B * 45) / .03
where: F <= 825.000 (mobile)
or F <= 870.000 (base)
Now that you have those frequencies, what can you do with them? Well, for
starters, one can very easily monitor the cellular frequencies with most
hand/base scanners. Almost all scanners pre-1988 have some coverage of the
800 - 900 MHz band. All scanners can monitor the IMTS frequencies.
Remember that cellular phones operate on a full duplex channel. That means
that one frequency is used for transmission and the other is used for
receiving, each spaced exactly 30 KHz apart. Remember also that the base
frequencies are 45MHz higher than the cellular phone frequencies. This can
obviously make listening rather difficult. One way to listen to both parts of
the conversation would be having two scanners programmed 45 MHz apart to
capture the entire conversation.
The upper UHF frequency spectrum was "appropriated" by the Cellular systems in
the late 1970's. Televisions are still made to receive up to channel 83. This
means that you can receive much of the cellular system on you UHF receiver. One
television channel occupies 6MHz of bandwidth. This was for video, sync, and
audio transmission of the channel. A cellular channel only takes up 24 KHz
plus 3KHz set up as a guard band for each audio signal. This means that 200
cellular channels can fit into one UHF television channel. If you have an old
black and white television, drop a variable cap in there to increase the
sensitivity of the tuning. Some of the older sets have coarse and fine tuning
knobs.
Some of the newer, smaller, portable television sets are tuned by a variable
resistor. This make modifications MUCH easier, for now all you have to do is
drop a smaller value pot in there and tweak away. I have successfully done
this on two televisions. Most users will find that those who don't live in a
city will have a much better listening rate per call. In the city, the cells
are so damn small that handoff is usually every other minute. Resulting in
chopped conversations.
If you wanted to really get into it, I would suggest you obtain an old
television set with decent tuning controls and remove the RF section out of the
set. You don't want all that hi-voltage circuitry lying around (flyback and
those caps). UHF receivers in televisions downconvert UHF frequencies to IF
(intermediate frequencies) between 41 and 47 MHz. These output IF frequencies
can then be run into a scanner set to pick-up between 41 - 47 MHz. Anyone who
works with RF knows that it is MUCH easier to work with 40MHz signals than
working with 800MHz signals. JUST REMEMBER ONE THING! Isolate the UHF
receiver from your scanner by using a coupling capacitor (0.01 - 0.1 microfarad
<50V minimum> will do nicely). You don't want any of those biasing voltages
creeping into your scanner's receiving AMPLIFIERS! Horrors. Also, don't
forget to ground both the scanner and receiver.
Some systems transmit and receive the same cellular transmission on the base
frequencies. There you can simply hang out on the base frequency and capture
both sides of the conversation. The handoff rate is much higher in high
traffic areas leading the listener to hear short or choppy conversations. At
times you can listen in for 5 to 10 minutes per call, depending on how fast the
caller is moving through the cell site.
TV Cell & Channel Scanner TV Oscillator Band
Channel Freq.& Number Frequency Frequency Limit
===================================================================
73 (first) 0001 - 825.03 45.97 871 824 - 830
73 (last) 0166 - 829.98 41.02 871 824 - 830
74 (first) 0167 - 830.01 46.99 877 830 - 836
74 (last) 0366 - 835.98 41.02 877 830 - 836
75 (first) 0367 - 836.01 46.99 883 836 - 842
75 (last) 0566 - 841.98 41.02 883 836 - 842
76 (first) 0567 - 842.01 46.99 889 842 - 848
76 (last) 0766 - 847.98 41.02 889 842 - 848
77 (first) 0767 - 848.01 46.99 895 848 - 854
77 (last) 0799 - 848.97 46.03 895 848 - 854
All frequencies are in MHz
You can spend hours just listening to cellular telephone conversations, but I
would like to mention that it is illegal to do so. Yes, it is illegal to
monitor cellular telephone conversations. It just another one of those laws
like removing tags off of furniture and pillows. It's illegal, but what the
hell for? At any rate, I just want you to understand that doing the following
is in violation of the law.
Now back to the good stuff.
Conversation is not only what an avid listener will find on the cellular bands.
One will also hear call/channel set-up control data streams, dialing, and other
control messages. At times, a cell site will send out a full request for all
units in its cell to identify itself. The phone will then respond with the
appropriate identification on the corresponding control channel.
Whenever a mobile unit is turned on, even when not placing a call, whenever
there is power to the unit, it transmits its phone number and its 8-digit ID
number. The same process is done when an idling phone passes from one cell to
the other. This process is repeated for as long as there is power to the unit.
This allows the MTSO to "track" a mobile through the network. That is why it
is not a good reason to use a mobile phone from one site. They do have ways of
finding you. And it really is not that hard. Just a bit of RF Triangulation
theory and you're found. However, when the power to the unit is shut off, as
far as the MTSO cares, you never existed in that cell, of course unless your
unit was flagged for some reason. MTSO's are basically just ESS systems
designed for mobile applications. This will be explained later within this
document.
It isn't feasible for the telephone companies to keep track of each customer on
the network. Therefore the MTSO really doesn't know if you are authorized to
use the network or not. When you purchase a cellular phone, the dealer gives
the unit's phone ID number to the local BOC, as well as the number the BOC
assigned to the customer. When the unit is fired up in a cell site its ID
number and phone number are transmitted and checked. If the two numbers are
registered under the same subscriber, then the cell site will allow the mobile
to send and receive calls. If they don't match, then the cell will not allow
the unit to send or receive calls. Hence, the most successful way of
reactivating a cellular phone is to obtain an ID that is presently in use and
modifying your ROM/PROM/EPROM for your specific phone.
RF and AF Specifications:
Everything that you will see from here on out is specifically Industry/FCC
standard. A certain level of compatibility has to be maintained for national
intercommunications, therefore a common set of standards that apply to all
cellular telephones can be compiled and analyzed.
Transmitter Mobiles: audio transmission
- 3 KHz to 15 KHz and 6.1 KHz to 15 KHz.
- 5.9 KHz to 6.1 KHz 35 dB attenuation.
- Above 15 KHz, the attenuation becomes 28 dB.
- All this is required after the modulation limiter and before the
modulation stage.
Transmitters Base Stations: audio transmission
- 3 KHz to 15 KHz.
- Above 15 KHz, attenuation required 28 dB.
- Attenuation after modulation limiter - no notch filter required.
RF attenuation below carrier transmitter: audio transmission
- 20 KHz to 40 KHz, use 26 dB.
- 45 KHz to 2nd harmonic, the specification is 60 dB or 43 + 10 log of
mean output power.
- 12 KHz to 20 KHz, attenuation 117 log f/12.
- 20 KHz to 2nd harmonic, there is a choice: 100 log F/100 or 60 dB or
43 log + 10 log of mean output power, whichever is less.
Wideband Data
- 20 KHz to 45 KHz, use 26 dB.
- 45 KHz to 90 KHz, use 45 dB.
- 90 KHz to 2nd harmonic, either 60 dB or 43 + 10 log mean output
power.
- all data streams are encoded so that NRZ (non-return-to-zero) binary
ones and zeroes are now zero-to-one and one-to-zero transitions
respectively. Wideband data can then modulate the transmitter
carrier by binary frequency shift keying (BFSK) and ones and zeroes
into the modulator must now be equivalent to nominal peak frequency
deviations of 8 KHz above and below the carrier frequency.
Supervisory Audio Tones
- Save as RF attenuation measurements.
Signaling Tone
- Same as Wideband Data but must be 10 KHz +/- 1 Hz and produce a
nominal frequency deviation of +/- 8 KHz.
The previous information will assist any technophile to modify or even
troubleshoot his/her cellular phone. Those are the working guidelines, as I
stated previously.
UNIT IDENTIFICATION
Each mobile unit is identified by the following sets of numbers.
The first number is the Mobile Identification Number (MIN). This 34 bit binary
number is derived from the unit's telephone number. MIN1 is the last seven
digits of the telephone number and MIN2 is the area code.
For demonstrative purposes, we'll encode 617-637-8687.
Here's how to derive the MIN2 from a standard area code. In this example, 617
is the area code. All you have to do is first convert to modulo 10 using the
following function. A zero digit would be considered to have a value of 10.
100(first number) + 10(second) +1(third) - 111 = x
100(6) + 10(1) + 1(7) - 111 = 506
(or you could just - 111 from the area code.)
Then convert it to a 10-bit binary number: 0111111010.
To derive MIN1 from the phone number is equally as simple. First
encode the next three digits, 637.
100(6) + 10(3) + 1(7) - 111 = 526
Converted to binary: 1000001110
The remainder of the number 8687, is processed further by taking the
first digit, eight (8) and converting it directly to binary.
8 = 1000 (binary)
The last three digits are processed as the other two sets of three
numbers were processed.
100(6) + 10(8) + 1(7) - 111 = 576
Converted to binary: 1001000000.
So the completed MIN number would look like this:
|--637---||8-||---687--||---617--|
1000001110100010010000000111111010
\________/\__/\________/\________/
A unit is also identifiable by its Electronic Serial Number or ESN. This
number is factory preset and is usually stored in a ROM chip, which is soldered
to the board. It may also be found in a "computer on a chip," which are the
new microcontrollers which have ROM/RAM/microprocessor all in the same package.
This type of set-up usually has the ESN and the software to drive the unit all
in the same chip. This makes is significantly harder to dump, modify and
replace. But it is far from impossible.
The ESN is a 4 byte hex or 11-digit octal number. I have encountered mostly
11-digit octal numbers on the casing of most cellular phones. The first three
digits represent the manufacturer and the remaining eight digits are the unit's
ESN.
The Station Class Mark (SCM) is also used for station identification by
providing the station type and power output rating. This was already discussed
in a previous section.
The System IDentification (SID number is a number which represents the mobile's
home system. This number is 15-bits long and a list of current nationwide
SID's should either be a part of this file or it will be distributed along with
it.
______________________________________________________________________________
_
==Phrack Inc.==
Volume Four, Issue Forty, File 6 of 14
***************************************************************************
* *
* Cellular Telephony *
* Part II *
* *
* by *
* Brian Oblivion *
* *
* *
* Courtesy of: Restricted-Data-Transmissions (RDT) *
* "Truth Is Cheap, But Information Costs." *
* *
* June 1, 1992 *
***************************************************************************
In Phrack 38, I discussed the history of cellular telephony, monitoring
techniques, and a brief description of its predecessors. In Part II, I'll
describe the call processing sequences for land-originated and mobile-
originated calls, as well as the signaling formats for these processes. I
apologize for the bulk of information, but I feel it is important for anyone
who is interested in how the network communicates. Please realize that there
was very little I could add to such a cut and dried topic, and that most is
taken verbatim from Industry standards, with comments and addendum salt and
peppered throughout.
Call-Processing Sequences
Call-Processing Sequence for Land-Originated Calls
MTSO Cell Site Mobile Unit
------------------------------------------------------------------------------
1 -- Transmits setup channel data on paging channel
2 ----------------------------Scans and locks on
paging channel
Receives incoming call --- 3
and performs translations
Sends paging message ----- 4
to cell site
5 -- Reformats paging
message
6 -- Sends paging message
to mobile unit via
paging channel
7 ----------------------------Detects Page
8 ----------------------------Scans and locks on
access channel
9 ----------------------------Seizes setup channel
10 ----------------------------Acquires sync
11 ----------------------------Sends service request
12 -- Reformats service request
13 -- Performs directional locate
14 -- Sends service request to MTSO
Selects voice channel --- 15
Sends tx-on command to -- 16
cell site
17 -- Reformats channel designation message
18 -- Sends channel designation message to mobile
unit via access channel
19 -----------------------------Tunes to voice
channel
20 -----------------------------Transponds SAT
21 -- Detects SAT
22 -- Puts on-hook on trunk
Detects off-hook -------- 23
Sends alert order ------- 24
25 -- Reformats alert order
26 -- Sends alert order to mobile unit via blank-
and-burst on voice channel
27 -----------------------------Alerts User
28 -----------------------------Sends 10-kHz tone
29 -- Detects 10-kHz tone
30 -- Puts on-hook on trunk
Detects on-hook --------- 31
Provides audible ring --- 32
33 -- Detects absence of 10-kHz tone
34 -- Puts off-hook on trunk
Detects off-hook -------- 35
Removes audible ring ---- 36
and completes connection
Time
Call-Processing Sequence for Mobile-Originated Calls
MTSO Cell Site Mobile Unit
------------------------------------------------------------------------------
1 -- Transmits setup channel
data on paging channel
2 --------------------------- Scans and locks-on
paging channel
3 --------------------------- User initiates call
4 --------------------------- Scans and locks-on
access channel
5 --------------------------- Seizes setup channel
6 --------------------------- Acquires sync
7 --------------------------- Sends service request
8 -- Reformats service request
9 -- Performs directional Locate
10 -- Sends service request to MTSO
Selects voice channel ---- 11
Sends tx-on command to --- 12
cell site
13 -- Reformats channel designation message
14 -- Sends channel designation message to mobile
unit via access channel
15 --------------------------- Tunes to voice
channel
16 --------------------------- Transponds SAT
17 -- Detects SAT
18 -- Puts off-hook on trunk
Detects off-hook --------- 19
Completes call through --- 20
network Time
Let me review the frequency allocation for Wireline and non-Wireline systems.
Remember that the Wireline service is usually provided by the area's telephone
company, in my area that company is NYNEX. The non-Wireline companies are
usually operated by other carriers foreign to the area, in my area we are
serviced by Cellular One (which is owned by Southwestern Bell). Each company
has its one slice of the electro-magnetic spectrum. The coverage is not
continuous, remember that there are also 800 MHz trunked business systems that
also operate in this bandwidth. Voice channels are 30 KHz apart and the Data
channels are 10 KHz apart.
Frequency Range Use
----------------------------------------------------------------------
870.000 - 879.360 Cellular One (mobile input 825.000 - 834.360)
880.650 - 890.000 NYNEX (mobile input 835.650 - 845.500)
890.000 - 891.500 Cellular One (mobile input 845.000 - 846.500)
891.500 - 894.000 NYNEX (mobile input 846.500 - 849.000)
879.390 - 879.990 Cellular One (data)
880.020 - 880.620 NYNEX (data)
The data streams are encoded NRZ (Non-return-to-zero) binary ones and zeroes
are now zero-to-one and one-to-zero transitions respectively. This is so the
wideband data can modulate the transmitter via binary frequency shift keying,
and ones and zeroes into the modulator MUST now be equivalent to nominal peak
frequency deviations of 8 KHz above and below the carrier frequency.
PUTTING IT ALL TOGETHER - Signaling on the Control Channels
The following information will be invaluable to the hobbyist that is monitoring
cellular telephones via a scanner and can access control channel signals. All
information released below is EIA/TIA -- FCC standard. There are a lot of
differences between cellular phones, but all phones must interface into the
mobile network and talk fluently between each other and cell sites. Therefore,
the call processing and digital signaling techniques are uniform throughout the
industry.
MOBILE CALL PROCESSING
Calling:
Initially, the land station transmits the first part of its SID to a mobile
monitoring some control channel, followed by the number of paging channels, an
ESN request, then mobile registration, which will either be set to 0 or 1.
When registration is set to one, the mobile will transmit both MIN1 and MIN2
during system access, another 1 for discontinuous (DTX) transmissions, read
control-filler (RCF) should be set to 1, and access functions (if combined with
paging operations) require field setting to 1, otherwise CPA (combined paging
access) goes to 0.
Receiving:
As the mobile enters the Scan Dedicated Control Channels Task, it must examine
signal strengths of each dedicated control channel assigned to System A if
enabled. Otherwise System B control channels are checked. The values assigned
in the NAWC (Number of Additional Words Coming) system parameter overhead
message train will determine for the mobile if all intended information has
been received. An EDN field is used as a crosscheck, and control-filler
messages are not to be counted as part of the message. Should a correct BCH
code be received along with a non-recognizable overhead message, it must be
part of the NAWC count train but the equivalent should not try and execute the
instructions.
Under normal circumstances, mobiles are to tune to the strongest dedicated
control channel, receive a system parameter transmission, and, within 3
seconds, set up the following:
o Set SID's 14 most significant bits to SID1 field value.
o Set SID's least significant bit to 1, if serving system status
enables, or to zero if not.
o Set paging channels N to 1 plus the value of N-1 field.
o Set paging channel FIRSTCHP as follows:
If SIDs = SIDp then FIRSTCHPs = FIRSTCHPp (which is an 11-bit
paging channel).
If SIDs = SIDp and serving system is enabled, set FIRSTCHPs to
initial dedicated channel for system B.
If SIDs = SIDp and serving system is disabled, set FIRSTCHPs to
first dedicated control channel for system B.
o Set LASTCHPs to value of FIRSTCHPs + Ns -1.
o Should the mobile come equipped for autonomous registration, it
must:
o Set registration increment (REGINCRs) to its 450 default
value.
o Set registration ID status to enabled.
I know that was a little arcane sounding but it's the best you can do with
specifications. Data is data, there is no way to spruce it up. From here on
out a mobile must begin the Paging Channel Selection Task. If this cannot be
completed on the strongest dedicated channel, the second strongest dedicated
channel may be accessed and the three second interval commenced again.
Incomplete results should result in a serving system status check and an
enabled or disabled state reversed, permitting the mobile to begin the Scan.
Dedicated control Channels Task when channel signal strengths are once more
examined.
Custom local operations for mobiles may be sent and include roaming mobiles
whose home systems are group members. A new access channel may be transmitted
with a new access field set to the initial access channel. Autonomously
registered mobiles may increment their next registered ID by some fixed value,
but the global action message must have its REGINCR field adequately set.
Also, so that all mobiles will enter the Initialization Task and scan dedicated
control channels, a RESCAN global action message must be transmitted.
Mobile stations may be required to read a control-filler message before
accessing any system on a reverse control channel.
System access for mobiles is sent on a forward control channel in the following
manner. Digital Color Code (DCC) identifies the land is carried with the
system parameter overhead message overload class fields are set to zero among
the restricted number, and the remainder set to 1. Busy-to-idle status (BIS)
access parameters go to zero when mobiles are prevented from checking on the
reverse control channel and the message must be added to the overhead. When
mobiles can't use the reverse control channel for seizure messages attempts or
busy signals, access attempt parameters must also be included in the overhead.
And when a land station receives a seizure precursor matching its digital color
code with 1 or no bit errors, busy idle bits signals on the forward control
channel must be set to busy within 1.2 milliseconds from the time of the last
bit seizure. Busy-idle bit then must remain busy until a minimum of 30 msec
following the final bit of the last word of the message has been received, or a
total of 175 msec has elapsed.
Channel Confirmation
Mobiles are to monitor station control messages for orders and respond to both
audio and local control orders even though land stations are not required to
reply. MIN bits must be matched. Thereafter, the System Access Task is
entered with a page response, as above, and an access timer started.
This time runs as follows:
o 12 seconds for an origination
o 6 seconds for page response
o 6 seconds for an order response
o 6 seconds for a registration
The last try code is then set to zero, and the equipment begins the Scan Access
Channels Task to find two channels with the strongest signals which it tunes
and enters the Retrieve Access Attempts Parameters Task.
This is where both maximum numbers of seizure attempts and busy signals are
each set to 10. A read control-filler bit (RCF) will then be checked: If the
RCF equals zero, the mobile then reads a control-filler message, sets DCC and
WFOM (wait for overhead message train before reverse control channel access) to
the proper fields and sets the proper fields and sets the appropriate power
level. Should neither the DCC field nor the control-filler message be received
and access time has expired, the mobile station goes to Serving System
Determination Task. But within the allowed access time, the mobile station
enters the Alternate Access Channel Task. BIS is then set to 1 and the WFOM
bit is checked. If WFOM equals 1, the station enters the Update Overhead
Information Task; if WFOM equals 0, a random delay wait is required of 0 to 200
msec, +/- 1 msec. Then, the station enters the Seize Reverse Control Channel
Task.
Service Requesting is next. This task requires that the mobile continue to
send is message to the land station according to the following instructions:
o Word A is required at all times.
o Word B has to be sent if last try access LT equals 1 or if E requires
MIN1 and/or MIN2, and the ROAM status is disabled, or if the station
has been paged with a 2-word control message.
o Word C is transmitted with S (serial number) being 1
o Word D required if the access is an origination
o Word E transmitted when the access is an origination and between 9
and 16 digits are dialed. When the mobile has transmitted its
complete message, an unmodulated carrier is required for another 25
milliseconds before carrier turnoff. After words A through E have
been sent, the next mobile task depends on the type of access.
Order confirmation requires entry into the Serving System Determination Task.
Origination means entry into the Await Message Task.
Page response, is the same as Origination.
Registration requires Await Registration Confirmation, which must be completed
within 5 seconds or registration failure follows. The same is true for Await
Message since an incomplete task in 5 seconds sends the mobile into the Serving
System Determination Task. Origination or Page response requires mobile update
of parameters delivered in the message. If R equals 1, the mobile enters the
Autonomous Registration Task, otherwise, it goes to the Initial Voice Channel
Confirmation Task. Origination access may be either an intercept or reorder,
and in these instances, mobiles enter the Serving System Determination Task.
The same holds true for a page response access. But if access is an
origination and the user terminates his call during this task, the call has to
be released on a voice channel and not control channel.
If a mobile station is equipped for Directed Retry and if a new message is
received before all four words of the directed retry message, it must go to the
Serving System Determination Task. There the last try code (LT) must be set
according to the ORDQ (order qualifier) field of the message as follows:
If 000, LT sets to 0
If 0001, LT sets to 1
Thereafter, the mobile clears the list of control channels to be scanned in
processing Directed Retry (CCLIST) and looks at each CHANPOS (channel position)
field contained in message words three and four. For nonzero CHANPOS field,
the mobile calculates a corresponding channel number by adding CHANPOS to
FIRSTCHA minus one. Afterwards, the mobile has then to determine if each
channel number is within the set designated for cellular systems. A true
answer requires adding this/these channel(s) to the CCLIST.
Awaiting Answers
Here, an alert timer is set for 65 seconds (0 to +20 percent). During this
period the following events may take place:
o Should time expire, the mobile turns its transmitter off and enters
the Serving System Determination Task.
o An answer requires signaling tone turnoff and Conversation Task
entry.
o If any of the messages listed hereafter are received within 100
milliseconds, the mobile must compare SCC digits that identify stored
and proper SAT frequencies for the station to the PSCC (present SAT
color code). If not equivalent, the order is ignored. If correct,
then the following actions taken for each order:
Handoff: Signaling extinguished for 500 msec, signal tone off,
transmitter off, power lever adjusted, new channel tuned, new SAT, new
SCC field, transmitter on, fade timer reset, and signaling tone on.
Wait for an answer.
Alert: Reset alert timer for 65 seconds and stay in
Waiting for Answer Task.
Stop Alert: Extinguish signaling tone and enter Waiting for Order Task.
Release: Signaling tone off, wait 500 msec, then enter Release Task.
Audit: Confirm message to land station, then stay in
Waiting for Answer Task.
Maintenance: Reset alert timer for 65 seconds and remain in
Waiting for Answer Task.
Change Power: Adjust transmitter to power level required and send
confirmation to land station. Remain in
Waiting for Answer Task.
Local Control: If local control is enabled and order received, examine LC
field and determine action.
Orders other than the above for this type of action are
ignored.
Conversation
In this mode, a release-delay timer is set for 500 mSec. If Termination is
enabled, the mobile sets termination status to disabled and waits 500 mSec
before entering Release Task. The following actions may then execute:
o Upon call termination, the release delay timer has to be checked.
If time has expired, the Release Task is entered; if not expired,
the mobile must wait until expiration and then enter Release Task.
o Upon user requested flash, signaling tone turned on for 400 mSec.
But should a valid order tone be received during this interval,
the flash is immediately terminated and the order processed. The
flash, of course, is not then valid.
o Upon receipt of the following listed orders and within 100 mSec,
the mobile must compare SCC with PSCC, and the order is ignored
if the two are not equal. But if they are the same, the following
can occur:
Handoff: Signaling tone on for 50 mSec, then off, transmitter off,
power level adjusted, new channel tuned, adjust new SAT, set SCC to SCC
field message value, transmitter on, fade timer reset, remain in
Conversation Task.
Send Called Address: Upon receipt within 10 seconds of last valid flash,
called address sent to land station. Mobile remains in
Conversation Task. Otherwise, remain in Conversation Task.
Alert: Turn on signaling tone, wait 500 mSec, then enter
Waiting for Answer Task.
Release: Check release delay timer. If time expired, mobile enters
Release Task; but if timer has not finished, then mobile must
wait and then enter Release Task when time has expired.
Audit: Order confirmation sent to land station while remaining in
Conversation Task.
Maintenance: Signaling tone on, wait 500 mSec, then enter Waiting for
Answer Task.
Change Power: Adjust transmitter to power level required by order
qualification code and send confirmation to land station.
Remain in Conversation Task.
Local Control: If local control in enabled and local control order received,
the LC field is to be checked for subsequent action and
confirmation.
Orders other than the above for this type of action are ignored.
Release
In the release mode the following steps are required:
o Signaling tone sent for 1.8 sec. If flash in transmission when
signaling tone begun, it must be continued and timing bridged so
that action stops within 1.8 sec.
o Stop signaling tone.
o Turn off transmitter.
o The mobile station then enters the Serving System
Determination Task.
The above is the Cellular System Mobile/Land Station Compatibility
Specification. The following shall be Signaling Formats which are also found
in the above document. I converted all these tables by HAND into ASCII so
appreciate them. It wasn't the easiest thing to do. But I must say, I
definitely understand the entire cellular operation format.
There are two types of continuous wideband data stream transmissions. One
is the Forward Control Channel which is sent from the land station to the
mobile. The other is the Reverse Control Channel, which is sent from the
mobile to the land station. Each data stream runs at a rate of 10 kilobit/sec,
+/- 1 bit/sec rate. The formats for each of the channels follow.
- Forward Control Channel
The forward control channel consists of three discrete information streams.
They are called stream A, stream B and the busy-idle stream. All three streams
are multiplexed together. Messages to mobile stations with the least
significant bit of their MIN number equal to "0" are sent on stream A, and
those with a "1" are sent on stream B.
The busy-idle stream contains busy-idle bits, which are used to indicate the
status of the reverse control channel. If the busy-idle bit = "0" the reverse
control channel is busy, if it equals "1" it is idle. The busy-idle bit is
located at the beginning of each dotting sequence, word sync sequence, at the
beginning of the first repeat of word A and after every 10 message bits
thereafter.
Mobile stations achieve synchronization with the incoming data via a 10 bit
dotting sequence (1010101010) and an 11 bit word sync sequence (11100010010).
Each word contains 40 bits, including parity and is repeated 5 times after
which it is then referred to as a "block". For a multiword message, the second
word block and subsequent word blocks are formed the same as the first word
block including the dotting and sync sequences. A "word" is formed when the 28
content bits are encoded into a (40, 28; 5) BCH (Bose-Chaudhuri-Hocquenghem)
code. The left-most bit shall be designated the most-significant bit.
The Generator polynominal for the (40, 28;5) BCH code is:
12 10 8 5 4 3 0
G (X) = X + X + X + X + X + X + X
B
Each FOCC message can consist of one or more words. Messaging transmitted over
the forward control channel are:
- Mobile station control message
- Overhead message
- Control-filler message
Control-filler messages may be inserted between messages and between word
blocks of a multiword message.
Message Formats: Found on either stream A or B
- Mobile Station Control Message
The mobile station control message can consist of one, two, or four words.
Word 1 (abbreviated address word)
+--------+-------+---------------------------------------+-----------+
| T t | | | |
| 1 2 | DCC | Mobile Identification Number 1 | P |
| | | 23-0 | |
+--------+-------+---------------------------------------+-----------+
bits: 2 2 24 12
Word 2 (Extended Address Word)
+------+-----+-----------+------+--------+-------+----------+-----+
| T T |SCC =| | RSVD | LOCAL | CRDQ | ORDER | |
| 1 2| 11 | MIN2 | = 0 | | | | |
| = +-----+ 3-24 +------+-----+--+-------+----------| P |
| 10 |SCC =| | VMAC | CHAN | |
| | 11 | | | | |
+------+-----+-----------+------------+---------------------+-----+
2 2 10 3 11 12
Word 3 (First Directed-Retry Word)
+------+-----+-----------+-----------+-----------+-------+--------+
| T T | SCC | | | | RSVD | |
| 1 2| = | CHANPOS | CHANPOS | CHANPOS | = | |
| = | | | | | 000 | P |
| 10 | 11 | | | | | |
+------+-----+-----------+-----------+-----------+-------+--------+
2 2 7 7 7 3 12
Word 4 (Second Directed-Retry Word)
+------+-----+-----------+-----------+-----------+-------+--------+
| T T | SCC | | | | RSVD | |
| 1 2| = | CHANPOS | CHANPOS | CHANPOS | = | |
| = | | | | | 000 | P |
| 10 | 11 | | | | | |
+------+-----+-----------+-----------+-----------+-------+--------+
2 2 7 7 7 3 12
The interpretation of the data fields:
T T - Type field. If only Word 1 is send, set to 00 in Word 1.
SCC - SAT color code (discussed previously)
ORDER - Order field. Identifies the order type (see table below)
ORDQ - Order qualifier field. Qualifies the order to a specific
action
LOCAL - Local control field. This field is specific to each system.
The ORDER field must be set to local control for this field to
be interpreted.
VMAC - Voice Mobile Attenuation Code field. Indicates the mobile
station power level associated with the designated voice
channel.
CHAN - Channel number field. Indicates the designated voice channel.
CHANPOS- CHANnel POSition field. Indicates the position of a control
channel relative to the first access channel (FIRSTCHA).
RSVD - Reserved for future use, all bits must be set as indicated.
P - Parity field.
Coded Digital Color Code
+--------------------------------------------+
| Received DCC 7-bit Coded DCC |
| 00 0000000 |
| 01 0011111 |
| 10 1100011 |
| 11 1111100 |
+--------------------------------------------+
Order and Order Qualification Codes
+-------+-------------+---------------------------------------------------+
| Order | Order | |
| Code |Qualification| Function |
| | Code | |
+-------+-----------------------------------------------------------------+
| 00000 000 page (or origination) |
| 00001 000 alert |
| 00011 000 release |
| 00100 000 reorder |
| 00110 000 stop alert |
| 00111 000 audit |
| 01000 000 send called-address |
| 01001 000 intercept |
| 01010 000 maintenance |
| |
| 01011 000 charge power to power level 0 |
| 01011 001 charge power to power level 1 |
| 01011 010 charge power to power level 2 |
| 01011 011 charge power to power level 3 |
| 01011 100 charge power to power level 4 |
| 01011 101 charge power to power level 5 |
| 01011 110 charge power to power level 6 |
| 01011 111 charge power to power level 7 |
| |
| 01100 000 directed retry - not last try |
| 01100 001 directed retry - last try |
| |
| 01101 000 non-autonomous registration - don't reveal location |
| 01101 001 non-autonomous registration - make location known |
| 01101 010 autonomous registration - don't reveal location |
| 01101 011 autonomous registration - make location known |
| |
| 11110 000 local control |
| |
| All other codes are reserved |
| |
+-------------------------------------------------------------------------+
Forward Voice Channel
The forward voice channel (FVC) is a wideband data stream sent by the land
station to the mobile station. This data stream must be generated at a 10
kilobit/Sec +/- .1 bit/Sec rate. The Forward Voice Channel format follows:
+-----------+------+--------+-----+------+--------+-----+------+------
|| | | Repeat | | | Repeat | | |
|| | word | | | word | | | word |
|| Dotting | sync | 1 of | dot | sync | 2 of | dot | sync |
|| | | | | | | | |
|| | | Word | | | Word | | |
+-----------+------+--------+-----+------+--------+-----+------+------
101 11 40 37 11 40 37 11
-----+--------+-----+------+--------+-----+------+--------+
| Repeat | | | Repeat | | | Repeat ||
| | | word | | | word | ||
| 9 of | dot | sync | 10 of | dot | sync | 11 of ||
| | | | | | | ||
| Word | | | Word | | | Word ||
-----+--------+-----+------+--------+-----+------+--------+
40 37 11 40 37 11 40
A 37-bit dotting sequence and an 11-bit word sync sequence are sent to permit
mobile stations to achieve synchronization with the incoming data, except at
the first repeat of the word, where the 101-bit dotting sequence is used. Each
word contains 40 bits, including parity, and is repeated eleven times together
with the 37-bit dotting and 11-bit word sync; it is then referred to as a word
block. A word block is formed by encoded the 28 content bits into a (40, 28)
BCH code that has a distance of 5 (40, 28; 5). The left-most bit (as always)
is designated the most-significant bit. The 28 most significant bits of the
40-bit field shall be the content bits. The generator polynominal is the same
as that used for the forward control channel.
The mobile station control message is the only message transmitted over the
forward voice channel. The mobile station control message consists of one
word.
Mobile Station Control Message:
+-------+-------+------+-----------+-------+------+-------+------+
| T T | SCC = | | RSVD = | LOCAL | ORDQ | ORDER | |
| 1 2 | 11 | | 000 ... 0 | | | | |
| = +-------| PSCC +-----------+-------+------+-------+ P |
| | SCC = | | RSVD = | VMAC | CHANNEL | |
| 10 | 11 | | 000 ... 0 | | | |
+-------+-------+------+-----------+-------+--------------+------+
2 2 2 8 3 11 12
Interpretation of the data fields:
T T - Type field. Set to '10'.
1 2
SCC - SAT color code for new channel (see SCC table)
PSCC - Present SAT color code. Indicates the SAT color code
associated with the present channel.
ORDER - Order field. Identifies the order type. (see Order table)
ORDQ - Order qualifier field. Qualifies the order to a specific
action (see Order table)
LOCAL - Local Control field. This field is specific to each system.
The ORDER field must be set to local control (see Order table)
for this field to be interpreted.
VMAC - Voice mobile attenuation code field. Indicates the mobile
station power level associated with the designated voice
channel.
RSVD - Reserved for future use; all bits must be set as indicated.
P - Parity field.
Reverse Control Channel
The Reverse Control Channel (RECC) is a wideband data stream sent from the
mobile station to the land station. This data stream runs at a rate of 10
kilobit/sec, +/- 1 bit/sec rate. The format of the RECC data stream follows:
+---------+------+-------+------------+-------------+-----------+-----
| Dotting | Word | Coded | first word | Second word | Third word|
| | sync | DCC | repeated | repeated | repeated |
| | | | 5 times | 5 times | 5 times |
+---------+------+-------+------------+-------------+-----------+-----
bits: 30 11 7 240 240 240
Dotting = 01010101...010101
Word sync = 11100010010
All messages begin with the RECC seizure precursor with is composed of a 30 bit
dotting sequence (1010...101), and 11 bit word sync sequence (11100010010), and
the coded digital color code.
Each word contains 48 bits, including parity, and is repeated five times after
which it is referred to as a word block. A word is formed by encoding 36
content bits into a (48, 36) BCH code that has a distance of 5, (48 36; 5).
The left most bit shall be designated the most-significant bit. The 36 most
significant bits of the 48 bit field shall be the content bits.
The generator polynomial for the code is the same for the (40,28;5) code used
on the forward channel.
Each Reverse Control Channel message can consist of one of the five words. The
types of messages to be transmitted over the reverse control channel are as
follows:
o Page Response Message
o Origination Message
o Order Confirmation Message
o Order Message
These messages are made up of combination of the following five words:
Word A - Abbreviated Address Word
+---+------+---+---+---+------+---+-----------------------------------+---+
| F | | | | | RSVD | S | | |
| | | | | | | | | |
| = | NAWC | T | S | E | = | C | MIN 1 | P |
| | | | | | | | 23 - 0 | |
| 1 | | | | | 0 | M | | |
+---+------+---+---+---+------+---+-----------------------------------+---+
1 3 1 1 1 1 4 24 12
Word B - Extended Address Word
+---+------+-------+------+-------+----+------+-----------------------+---+
| F | | | | | | RSVD | | |
| | | | | | | | | |
| = | NAWC | LOCAL | ORDQ | LOCAL | LT | = | MIN 2 | P |
| | | | | | | | 33-24 | |
| 0 | | | | | | 00..0| | |
+---+------+-------+------+-------+----+------+-----------------------+---+
1 3 5 3 5 1 8 10 12
Word C - Electronic Serial Number Word
+---+--------+--------------------------------------+---------------+
| F | | | |
| | | | |
| = | NAWC | SERIAL (ESN) | P |
| | | | |
| 1 | | | |
+---+--------+--------------------------------------+---------------+
1 3 32 12
Word D - First Word of the Called-Address
+---+------+-------+-------+-----+-----+-----+-----+-------+-------+---+
| F | | 1st | 2nd | | | | | 7th | 8th | |
| | | | | | | | | | | |
| = | NAWC | DIGIT | DIGIT | ... | ... | ... | ... | DIGIT | DIGIT | P |
| | | | | | | | | | | |
| 1 | | | | | | | | | | |
+---+------+-------+-------+-----+-----+-----+-----+-------+-------+---+
1 3 4 4 4 4 4 4 4 4 12
Word E - Second Word of the Called-Address
+---+------+-------+-------+-----+-----+-----+-----+-------+-------+---+
| F | NAWC | 9th | 10th | | | | | 15th | 16th | |
| | | | | | | | | | | |
| = | = | DIGIT | DIGIT | ... | ... | ... | ... | DIGIT | DIGIT | P |
| | | | | | | | | | | |
| 0 | 000 | | | | | | | | | |
+---+------+-------+-------+-----+-----+-----+-----+-------+-------+---+
1 3 4 4 4 4 4 4 4 4 12
The interpretation of the data fields is as follows:
F - First word indication field. Set to '1' in first word and '0'
in subsequent words.
NAWC - Number of additional words coming field.
T - T field. Set to '1' to identify the message as an origination
or an order; set to '0' to identify the message as an order
response or page response.
S - Send serial number word. If the serial number word is sent,
set to '1'; if the serial number word is not sent, set to
'0'.
SCM - The station class mark field
ORDER - Order field. Identifies the order type.
ORDQ - Order qualifier field. Qualifies the order confirmation to a
specific action.
LOCAL - Local control field. This field is specific to each system.
The ORDER field must be set to locate control for this field
to be interpreted.
LT - Last-try code field.
MIN1 - Mobile Identification number field part one.
MIN2 - Mobile Identification number field part two.
SERIAL - Electronic Serial Number field. Identifies the serial number
of the mobile station.
DIGIT - Digit field (see table below)
RSVD - Reserved for future use; all bits must be set as indicated.
P - Parity field.
Called-address Digit Codes
+------------------------------------------------------------------------+
| Digit Code Digit Code |
| |
| 1 0001 7 0111 |
| 2 0010 8 1000 |
| 3 0011 9 1001 |
| 4 0100 0 1010 |
| 5 0101 * 1011 |
| 6 0110 # 1100 |
| Null 0000 |
| |
| NOTE: |
| 1. The digit 0 is encoded as binary 10, not binary zero. |
| 2. The code 0000 is the null code, indicated no digit present |
| 3. All other four-bit sequences are reserved, and must not be |
| transmitted. |
| |
+------------------------------------------------------------------------+
Examples of encoding called-address information into the called address words
follow:
If the number 2# is entered, the word is as follows:
+------+------+------+------+------+------+------+------+------+---------+
| NOTE | 0010 | 1100 | 0000 | 0000 | 0000 | 0000 | 0000 | 0000 | P |
+------+------+------+------+------+------+------+------+------+---------+
If the number 13792640 is entered, the word is as follows:
+------+------+------+------+------+------+------+------+------+---------+
| NOTE | 0001 | 0011 | 0111 | 1001 | 0010 | 0110 | 0100 | 1010 | P |
+------+------+------+------+------+------+------+------+------+---------+
As you can see the numbers are coded into four bits and inserted sequentially
into the train. Notice that when the number is longer than 8 numbers it is
broken into two different Words.
If the number 6178680300 is entered, the words are as follows:
Word D - First Word of the Called-Address
+------+------+------+------+------+------+------+------+------+---------+
| NOTE | 0110 | 0001 | 0111 | 1000 | 0110 | 1000 | 1010 | 1010 | P |
+------+------+------+------+------+------+------+------+------+---------+
4 4 4 4 4 4 4 4 4 12
Word E - Second Word of the Called-Address
+------+------+------+------+------+------+------+------+------+---------+
| NOTE | 0010 | 1010 | 1010 | 0000 | 0000 | 0000 | 0000 | 0000 | P |
+------+------+------+------+------+------+------+------+------+---------+
4 4 4 4 4 4 4 4 4 12
NOTE = four bits which depend on the type of message
Reverse Voice Channel
The reverse voice channel (RVC) is a wideband data stream sent from the mobile
station to the land station. This data stream must be generated at a 10
kilobit/second +/- 1 bit/sec rate. The format is presented below.
+-------------+------+----------+-----+------+----------+-----+------+----
|| | | Repeat 1 | | | Repeat 2 | | |
|| | word | | | word | | | word |
|| Dotting | sync | of | Dot | sync | of | Dot | sync |
|| | | | | | | | |
|| | | Word 1 | | | Word 1 | | |
+-------------+------+----------+-----+------+----------+-----+------+----
101 11 48 37 11 48 37 11
---+----------+-----+------+----------+-----+------+----------+-----+----
| Repeat 3 | | | Repeat 4 | | | Repeat 5 | |
| | | word | | | word | | |
| of | Dot | sync | of | Dot | sync | of | Dot |
| | | | | | | | |
| Word 1 | | | Word 1 | | | Word 1 | |
---+----------+-----+------+----------+-----+------+----------+-----+----
48 37 11 48 37 11 48 37
---+------+----------+-------- -------+----------+
| | Repeat 1 | | Repeat 5 ||
| word | | | ||
| sync | of | ... | of ||
| | | | ||
| | Word 2 | | Word 2 ||
---+------+----------+-------- -------+----------+
A 37-bit dotting sequence and an 11-bit word sync sequence are sent to permit
land stations to achieve synchronization with the incoming data, except at the
first repeat of word 1, where a 101-bit dotting sequence is used. Each word
contains 48 bits, including parity, and is repeated five times together with
the 37-bit dotting and 11-bit word sync sequences; it is then referred to as a
word block. For a multi-word message, the second word block is formed the same
as the first word block including the 37-bit dotting and 11-bit word sync
sequences. A word is formed by encoding the 36 content bits into a (48, 36)
BCH code that has a distance of 5, (48, 36; 5). The left-most bit (earliest in
time) shall be designated the most-significant bit. The 36 most-significant
bits of the 48-bit field shall be the content bits. The generator polynomial
for the code is the same as for the (40, 28; 5) code used on the forward
control channel.
Each RVC message can consist of one or two words. The types of messages to be
transmitted over the reverse voice channel are as follows:
o Order Confirmation Message
o Called-Address Message
The message formats are as follows:
Order Confirmation Message:
+---+------+---+-------+------+-------+-----------+---------+
| F | NAWC | T | | | | RSVD | |
| | | | | | | | |
| = | = | = | LOCAL | ORDQ | ORDER | = | P |
| | | | | | | | |
| 1 | 00 | 1 | | | | 000 ... 0 | |
+---+------+---+-------+------+-------+-----------+---------+
1 2 1 5 3 5 19 12
Called-Address Message
Word 1 - First Word of the Called-Address
+---+------+---+-------+-------+-----+-----+-----+-----+-------+-------+---+
| F | NAWC | T | | | | | | | | | |
| | | | 1st | 2nd | | | | | 7th | 8th | |
| = | = | = | Digit | Digit | ... | ... | ... | ... | Digit | Digit | P |
| | | | | | | | | | | | |
| 1 | 01 | 0 | | | | | | | | | |
+---+------+---+-------+-------+-----+-----+-----+-----+-------+-------+---+
1 2 1 4 4 4 4 4 4 4 4 12
Word 2 - Second Word of the Called-Address
+---+------+---+-------+-------+-----+-----+-----+-----+-------+-------+---+
| F | NAWC | T | | | | | | | | | |
| | | | 9th | 10th | | | | | 15th | 16th | |
| = | = | = | Digit | Digit | ... | ... | ... | .. | Digit | Digit | P |
| | | | | | | | | | | | |
| 0 | 00 | 0D| | | | | | | | | |
+---+------+---+-------+-------+-----+-----+-----+-----+-------+-------+---+
1 2 1 4 4 4 4 4 4 4 4 12
The fields are descriptions a the me as those for the Reverse Control channel
above.
Overhead Message
A three-bit OHD field is used to identify the overhead message types. Overhead
message type codes are listed in the table below. They are grouped into the
following functional classes:
o System parameter overhead message
o Global action overhead message
o Registration identification message
o Control-filler message
Overhead messages are send in a group called an overhead message train. The
first message of the train must be the system parameter overhead message. The
desired global action messages and/or a registration ID message must be
appended to the end of the system parameter overhead message. The total number
of words in an overhead message train is one more than the value of the NAWC
field contained in the first word of the system parameter overhead message.
The last word in the train must be set to '0'. For NAWC-counting purposes,
inserted control-filler messages must not be counted as part of the overhead
message train.
The system parameter overhead message must be sent every .8 +/- .3 seconds on
each of the following control channels:
o combined paging-access forward channel.
o Separate paging forward control channel
o Separated access forward control channel when the control-filler
message is sent with the WFOM bit set to '1'.
The global action messages and the registration identification message are sent
on an as needed basis.
o The system parameter for overhead message consists of two words.
0 Word 1
+-------+-----+----------+------+------+-----+------------+
| T T | | | RSVD | | OHD | |
| 1 2 | | | | | | |
| = | DCC | SID1 | = | NAWC | = | P |
| | | | | | | |
| 11 | | | 000 | | 110 | |
+-------+-----+----------+------+------+-----+------------+
2 2 14 3 4 3 12
Word 2
+-------+-------+-----+-----+------+------+-----+------+---
| T T | | | | | | | RSVD |
| 1 2 | | | | | | | |
| = | DCC | S | E | REGH | REGR | DTX | = |
| | | | | | | | |
| 11 | | | | | | | 0 |
+-------+-------+-----+-----+------+------+-----+------+---
2 2 1 1 1 1 1 1
---+-------+-----+-----+----------+-----+-------+-----------+
| | | | | | OHD | |
| | | | | | | |
| N - 1 | RCF | CPA | CMAX - 1 | END | = | P |
| | | | | | | |
| | | | | | 111 | |
---+-------+-----+-----+----------+-----+-------+-----------+
5 1 1 7 1 3 12
Overhead Message Types
+----------------------------------------------------------+
| Code Order |
+----------------------------------------------------------+
| 000 Registration ID |
| 001 Control-filler |
| 010 reserved |
| 011 reserved |
| 100 global action |
| 101 reserved |
| 110 Word 1 of system parameter message |
| 111 Word 2 of system parameter message |
+----------------------------------------------------------+
The interpretation of the data fields:
T T - Type field. Set to '11' indicating an overhead word.
1 2
OHD - Overhead message type field. The OHD field of Word 1 is set
to '110' indicating the first word of the system parameter
overhead message. The OHD field of Word 2 is set to '111'
indicating the second word of the system parameter overhead
message.
DCC - Digital Color Code field.
SID1 - First part of the system identification field
NAWC - Number of Additional Words Coming field. In Word 1 this
field is set to one fewer than the total number of words in
the overhead message train.
S - Serial number field.
E - Extended address field.
REGH - Registration field for home stations.
REGR - Registration field for roaming stations.
DTX - Discontinuous transmission field.
N-1 - N is the number of paging channels in the system.
RCF - Read-control-filler field.
CPA - Combined paging/access field
CMAX-1 - CMAX is the number of access channels in the system.
END - End indication field. Set to '1' to indicate the last word
and '0' if not the last word.
RSVD - Reserved for future use, all bit must be set as indicated.
P - Parity field.
Each global action overhead message consists of one word. Any number of global
action messages can be appended to a system parameter overhead message.
Here are the global action command formats:
Rescan Global Action Message
+-------{-------+------+---------------+-------+-------+-------------+
| T T | | ACT | RSVD = | | OHD | |
| 1 2 | | | | | | |
| = | DCC | = | | END | = | P |
| | | | 000 ... 0 | | | |
| 11 | | 0001 | | | 100 | |
+-------+-------+------+---------------+-------+-------+-------------+
2 2 4 16 1 3 12
Registration Increment Global Action Message
+-------+-----+------+---------+--------+-------+-------+------------+
| T T | | ACT | | | | OHD | |
| 1 2 | | | | RSVD = | | | |
| = | DCC | = | REGINCR | | END | = | P |
| | | | | 0000 | | | |
| 11 | | 0010 | | | | 100 | |
+-------+-----+------+---------+--------+-------+-------+------------+
2 2 4 12 4 1 3 12
New Access Channel Set Global Action Message
+-------+-------+-------+--------+----------+-------+-------+----------+
| T T | | ACT | | | | OHD | |
| 1 2 | | | | RSVD = | | | |
| = | DCC | = | NEWACC | | END | = | P |
| | | | | 00000 | | | |
| 11 | | 0110 | | | | 100 | |
+-------+-------+-------+--------+----------+-------+-------+----------+
2 2 4 11 5 1 3 12
Overload Control Global Action Message
+-------+-----+-------+---+---+---+-- --+---+---+---+-----+-----+------+
| T T | | ACT | O | O | O | | O | O | O | | OHD | |
| 1 2 | | | L | L | L | | L | L | L | | | |
| = | DCC | = | C | C | C | ... | C | C | C | END | = | P |
| | | | | | | | | | | | | |
| 11 | | 0110 | 0 | 1 | 2 | | 13| 14| 15| | 100 | |
+-------+-----+-------+---+---+---+-- --+---+---+---+-----+-----+------+
2 2 4 1 1 1 1 1 1 1 3 12
Access Type Parameters Global Action Message
+-------+-----+------+-------+-----------+-------+-------+-----------+
| T T | | ACT | | | | OHD | |
| 1 2 | | | | RSVD = | | | |
| = | DCC | = | BIS | | END | = | P |
| | | | | 0 ... 000 | | | |
| 11 | | 1001 | | | | 100 | |
+-------+-----+------+-------+-----------+-------+-------+-----------+
2 2 4 1 15 1 3 12
Access Attempt Parameters Global Action Message
+-------+-------+---------+-----------+-----------+-----------+---
| T T | | ACT | | | |
| 1 2 | | | MAXBUSY | MAXSZTR | MAXBUSY |
| = | DCC | = | | | |
| | | | - PGR | - PGR | - OTHER |
| 11 | | 1010 | | | |
+-------+-------+---------+-----------+-----------+-----------+---
2 2 4 4 4 4
------+-----------+-------+-------+-----------+
| | | OHD | |
| MAXSZTR | | | |
| | END | = | P |
| - OTHER | | | |
| | | 100 | |
------+-----------+-------+-------+-----------+
4 1 3 12
Local Control 1 Message
+-------+-------+-------+-----------------+-------+-------+----------+
| T T | | ACT | | | OHD | |
| 1 2 | | | | | | |
| = | DCC | = | LOCAL CONTROL | END | = | P |
| | | | | | | |
| 11 | | 1110 | | | 100 | |
+-------+-------+-------+-----------------+-------+-------+----------+
2 2 4 16 1 3 12
Local Control 2 Message
+-------+-------+-------+-----------------+-------+-------+----------+
| T T | | ACT | | | OHD | |
| 1 2 | | | | | | |
| = | DCC | = | LOCAL CONTROL | END | = | P |
| | | | | | | |
| 11 | | 1111 | | | 100 | |
+-------+-------+-------+-----------------+-------+-------+----------+
2 2 4 16 1 3 12
The interpretation of the data fields are as follows:
T T - Type field. Set to '11' indicating overhead word.
1 2
ACT - Global action field (see table below).
BIS - Busy-idle status field.
DCC - Digital Color Code.
OHD - Overhead Message type field. Set to '100' indicating the
global action message.
REGINCR - Registration increment field.
NEWACC - News access channel starting point field.
MAXBUSY - Maximum busy occurrences field (page response).
- PGR
MAXBUSY - Maximum busy occurrences field (other accesses).
- OTHER
MAXSZTR - Maximum seizure tries field (page response).
- PRG
MAXSZTR - Maximum seizure tries field (other accesses).
- OTHER
OLCN - Overload class field (N = 0 to 15)
END - End indication field. Set to '1' to indicate the last word
of the overhead message train; set to '0' if not last word.
RSVD - Reserved for future use, all bits must be set as indicated.
LOCAL - May be set to any bit pattern.
CONTROL
P - Parity field.
The registration ID message consists of one word. When sent, the message must
be appended to a system parameter overhead message in addition to any global
action messages.
+-------+-------+-------------+-------+-------+-----------+
| T T | | | | OHD | |
| 1 2 | | | | | |
| = | DCC | REGID | END | = | P |
| | | | | | |
| 11 | | | | 000 | |
+-------+-------+-------------+-------+-------+-----------+
2 2 20 1 3 12
The interpretation of the data fields:
T T - Type field. Set to '11' indicating overhead word.
DCC - Digital color code field.
OHD - Overhead message type field. Set to '000' indicating the
registration ID message.
REGID - Registration ID field.
END - End indication field. Set to '1' to indicate last word of
the overhead message train; set to '0' if not.
P - Parity field.
The control-filler message consists of one word. It is sent whenever there is
no other message to be sent on the forward control channel. It may be inserted
between messages as well as between word blocks of a multiword message. The
control-filler message is chosen so that when it is sent, the 11-bit word
sequence will not appear in the message stream, independent of the busy-idle
bit status.
The control-filler message is also used to specify a control mobile
attenuation code (CMAC) for use by mobile stations accessing the system on the
reverse control channel, and a wait-for-overhead-message bit (WFOM) indicating
whether or not mobile stations must read an overhead message train before
accessing the system.
+-------+-----+------+------+------+--+------+---+------+----+-----+-----+
| T T | | | | RVSD | | RVSD | | | | OHD | |
| 1 2 | | | | | | | | | | | |
| = | DCC |010111| CMAC | = |11| = | 1 | WFOM |1111| = | P |
| | | | | | | | | | | | |
| 11 | | | | 00 | | 00 | | | | 001 | |
+-------+-----+------+------+------+--+------+---+------+----+-----+-----+
2 2 6 3 2 2 2 1 1 4 3 16
Interpretation of the data fields:
T T - Type field. Set to '11' indicating overhead word.
1 2
DCC - Digital color code field.
CMAC - Control mobile attenuation field. Indicates the mobile
station power level associated with the reverse control
channel.
RVSD - Reserved for future use; all bits must be set as indicated.
WFOM - Wait-for-overhead-message field.
OHD - Overhead message type field. Set to '001' indicating the
control-filler word.
P - Parity field.
Data Restrictions
The 11-bit sequence (11100010010) is shorter than the length of a word, and
therefore can be embedded in a word. Normally, embedded word-sync will not
cause a problem because the next word sent will not have the word-sync sequence
embedded in it. There are, however, three cases in which the word-sync
sequence may appear periodically in the FOCC stream. They are as follows:
o the overhead message
o the control-filler message
o Mobile station control messages with pages to mobile stations with
certain central office codes.
These three cases are handled by:
1. Restricting the overhead message transmission rate to about once per
second
2. designing the control-filler message to exclude the word-sync
sequence, taking into account the various busy-idle bits
3. Restricting the use of certain office codes
If the mobile station control message is examined with the MIN1 separated into
NXX-X-XXX as described earlier (where NXX is the central office code, N
represents a number from 2 - 9, and X represents a number from 0-9) the order
and order qualifications table can be used to deduce when the word-sync word
would be sent. If a number of mobile stations are paged consecutively with the
same central office code, mobile stations that are attempting to synchronize to
the data stream may not be able to do so because of the presence of the false
word sync sequence. Therefore, the combinations of central office codes and
groups of line numbers appearing in the following table must not be used for
mobile stations.
RESTRICTED CENTRAL OFFICE CODES
+-------------------------------------------------------------------------+
| Central |
| T T DCC NXX X XXX Office Thousands |
| 1 2 Code Digit |
+-------------------------------------------------------------------------+
| 01 11 000100(1)0000 ... ... 175 0 to 9 |
| 01 11 000100(1)0001 ... ... 176 0 to 9 |
| 01 11 000100(1)0010 ... ... 177 0 to 9 |
| 01 11 000100(1)0011 ... ... 178 0 to 9 |
| 01 11 000100(1)0100 ... ... 179 0 to 9 |
| 01 11 000100(1)0101 ... ... 170 0 to 9 |
| 01 11 000100(1)0110 ... ... 181 0 to 9 |
| 01 11 000100(1)0111 ... ... 182 0 to 9 |
| 0Z 11 100010(0)1000 ... ... 663 0 to 9 |
| 0Z 11 100010(0)1001 ... ... 664 0 to 9 |
| 0Z 11 100010(0)1010 ... ... 665 0 to 9 |
| 0Z 11 100010(0)1011 ... ... 666 0 to 9 |
| 0Z Z1 110001(0)0100 ... ... 899 0 to 9 |
| 0Z Z1 110001(0)0101 ... ... 800 0 to 9 |
| 0Z ZZ 111000(1)0010 ... ... 909 0 to 9 |
| 00 ZZ 011100(0)1001 0ZZZ ... 568 1 to 7 |
| 00 ZZ 111100(0)1001 0ZZZ ... 070 1 to 7 |
| 00 ZZ 001110(0)0100 10ZZ ... 339 8,9,0 |
| 00 ZZ 011110(0)0100 10ZZ ... 595 8,9,0 |
| 00 ZZ 101110(0)0100 10ZZ ... 851 8,9,0 |
| 00 ZZ 111110(0)0100 10ZZ ... 007 8,9,0 |
| 0Z ZZ 000011(1)0100 0010 ... 150 2 |
| 0Z ZZ 000111(1)0001 0010 ... 224 2 |
| 0Z ZZ 001011(1)0001 0010 ... 288 2 |
| 0Z ZZ 001111(1)0001 0010 ... 352 2 |
| 0Z ZZ 010011(1)0001 0010 ... 416 2 |
| 0Z ZZ 010111(1)0001 0010 ... 470 2 |
| 0Z ZZ 011011(1)0001 0010 ... 544 2 |
| 0Z ZZ 011111(1)0001 0010 ... 508 2 |
| 0Z ZZ 100011(1)0001 0010 ... 672 2 |
| 0Z ZZ 100111(1)0001 0010 ... 736 2 |
| 0Z ZZ 101011(1)0001 0010 ... 790 2 |
| 0Z ZZ 101111(1)0001 0010 ... 864 2 |
| 0Z ZZ 110011(1)0001 0010 ... 928 2 |
| 0Z ZZ 110111(1)0001 0010 ... 992 2 |
| 0Z ZZ 111011(1)0001 0010 ... 056 2 |
| 0Z ZZ 111111(1)0001 0010 ... ... 2 |
+-------------------------------------------------------------------------+
1. In each case, Z represents a bit that may be 1 or 0.
2. Some codes are not used as central office codes in the US at this time.
They are included for completeness.
3. The bit in parentheses is the busy-idle bit.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Well there is your signaling in a nutshell. Please note I hardly have the most
up-to-date signalling data. Basically what was presented here was a skeleton,
the bare bones without all the additions. There are some additions that are
system specific. As I get updates I'll be sure to share them with the rest of
you. I would be interested in any feedback, so, if you have something to say,
send it to:
oblivion@atdt.org
In the last article I said that there would be a listing of SID codes
accompanying the article. Well, I forgot to edit that line out, but if you
would like a copy of it, just mail me at the above address an you shall receive
one.
In the next article I will be going in-depth on the actual hardware behind the
Mobile telephone, the chip sets, and its operation. I will also publish any
updates to the previous material I find, as well as information on the
transitory NAMPS system that will be used to bridge the existing AMPS cellular
network over to the ISDN compatible fully digital network.
_______________________________________________________________________________
