CELLULAR SIGNALLING

As discussed last month, a cellular telephone is actually a two-way radio transceiver, communicating with a network of base stations as it travels through a service area. The base stations are all connected to a Mobile Telephone Switching Office (MTSO), which links the cellular network to the land-based public switched telephone network (PSTN).

In order to make the cellular telephone behave like a wired phone, a rather involved set of signals pass between base stations and the mobile. Before going in to the details of that signalling, there are a few concepts to cover.

Since frequencies are shared in a cellular system, it is possible (although not desirable) that a mobile unit may receive signals from more than one base station at a time. It is also possible that as the mobile moves through a coverage area, the signal strength of the transmitted or received signal may fall below a useable level. Other fading and interference effects may also prevent a clear connection. In order to gracefully handle these problems cellular designers incorporated supervisory audio tones (SATs). One of three tones, at 5970 Hz, 6000 Hz, or 6030 Hz, is transmitted by the base station and transponded (repeated back) by the mobile. During a conversation, the assigned SAT is sent continuously by both the base and the mobile, except during data transmissions and the intervals between voice activated transmissions (VOX). If either the base station or the mobile fails to receive the proper SAT for more than a few seconds, the call is prematurely ended. This is one example of what is known as a dropped call.

Since there is no wire connection from the mobile to the base station to indicate whether the switchhook is on-hook or off-hook, cellular systems use a supervisory tone (ST) instead. This 10 kHz tone is used for mobile ringing, call terminations, handoffs, and switchhook. Both the SATs and the ST are sent and received "out-of-band," and are not heard by the mobile user.

Recall from last month's column that there are two types of cellular channels: control and voice. Control channels are dedicated to digital data transmissions, providing access and paging functions. Voice channels carry the analog voice, as well as a limited amount of digital information. When a base station needs to communicate information to the mobile during a conversation, it will temporarily mute the audio path and send a burst of digital data. These periods, known as blank-and-burst, generally last less than half a second, and are rarely noticed by the user.

GOING INTO SERVICE

The following steps are taken by a cellular phone when it is turned on:

1. A self-test is performed to verify the hardware is functioning correctly.
2. The signal strength of each of the 21 forward control channels (FOCCs) assigned to the subscriber's selected carrier (wireline or non-wireline) are measured.
3. The receiver is tuned to the strongest FOCC and an attempt is made to decode the data stream. If the strongest channel cannot be decoded, the receiver is tuned to the second strongest FOCC and another attempt to decode the data stream is made. If this also fails, the phone indicates NO SERVICE.
4. The portions of the FOCC data stream that contain system information, known as overhead messages, are decoded. These messages report the system identification code and indicate the sets of channels to use for paging and access, as well as other local control and support information. If the decoded system identification code is not the home system for the phone, ROAMING is indicated.
5. If the system uses paging channels, the signal strength of each paging channel is measured, and the receiver tunes to the strongest one. Otherwise the receiver is tuned to the strongest access channel. The phone then waits on that channel, decoding each paging message, looking for it's own Mobile Identification Number (MIN). Occasionally the phone re-measures the strength of each paging channel, and retunes to the strongest one.
6. Some systems request that the phone occasionally identify itself using a process known as Autonomous System Registration, which informs the system of the location and capabilities of the phone. This helps paging efficiency, although law enforcement agencies can use this to track a cellular telephone, even when no conversation is taking place.

1. The user enters the desired number and presses SEND.
2. The phone quickly measures the signal strength on the active access channels, and tunes to the strongest one. It then transmits identifying information and the number to call to the base station, which forwards it to the MTSO.
3. The MTSO sends a voice channel and SAT assignment to the base station, which sets up the channel, begins sending SAT, and relays the assignment to the mobile. The MTSO also outpulses the called number to the PSTN (if calling a landline telephone), or sends a paging message (if calling another mobile).
4. The phone tunes to the assigned voice channel and verifies that the SAT is correct. If correct, it the transponds (sends back) the same SAT and unmutes the forward audio.
5. The base detects the reverse SAT that the mobile is sending and unmutes the reverse audio. The mobile user can now hear the far end call progress (ringing, busy signal, intercept, etc) and will be able to converse if the other party answers.

1. The phone monitors messages on the strongest paging channel.
2. When the phone decodes it's own Mobile Identification Number (MIN), an event called a page match, it tunes to the strongest access channel and sends identifying information back. This also serves to inform the MTSO of the location of the phone, and therefore which base station to use.
3. The MTSO sends a voice channel and SAT assignment to the base station, which sets up the channel, begins sending SAT, and relays the assignment to the mobile via the access channel.
4. The phone tunes to the assigned voice channel and verifies that the SAT is correct. If correct, the phone transponds (sends back) the same SAT.
5. The base station receives the SAT that the mobile is sending, and informs the MTSO that the phone is ready. The MTSO responds by sending an alert order, which is delivered via blank-and-burst to the phone.
6. The phone responds by transmitting the 10 kHz signalling tone, and starts ringing. When the user answers, the phone stops sending the signalling tone.
7. When the MTSO is informed that the signalling tone is no longer being received, it connects the incoming call to the serving cell site and unmutes forward and reverse audio, allowing the conversation to begin.

If the land-based phone ends the call, the MTSO issues a release order, which is sent by blank-and-burst. The phone responds by sending about two seconds of supervisory tone. If the mobile unit ends the call, it simply sends about two seconds of supervisory tone. In either case, the phone then turns off the transmitter, tunes to the strongest paging channel, and returns to the idle state, listening for a page.

POWER MANAGEMENT

Base stations have the ability to measure received signal strength by monitoring the reverse channel of an operating mobile unit. In order to minimize interference yet maintain adequate connectivity, the base station will occasionally send commands to the mobile unit to increase or decrease transmitter power. This also has the side effect of increasing battery life, by limiting transmitter power to the minimum necessary. All cellular telephones have eight power steps from a maximum of three watts (for a mobile) or 0.6 watts (for a handheld) down to about half a milliwatt. Handhelds cannot use the two highest power settings.

HANDOFF

If the mobile unit is transmitting at maximum power yet the received power at the serving base station is near the minimum acceptable level, the base station asks the MTSO to consider a handoff. The MTSO then commands the surrounding base stations to measure and report the received signal of the mobile unit. The base station with the strongest signal and available voice channels will become the new serving base station.

When the MTSO is ready to effect the handoff, the audio is blanked and a data message containing a new voice channel and SAT assignment is bursted. The phone acknowledges the handoff by sending a very short burst of signalling tone on the old voice channel, then tunes to new voice channel and begins transmitting the new SAT.

These are the primary activities a cellular network must support. Next month we'll take a look at how criminals take advantage of this signalling to acquire free phone service.

MODERN-DAY SCAMS

If you use a pager on a regular basis, do you always call the number on the display when you're paged, even if you don't recognize it? Apparently many people do, and scam artists are using this to their advantage. In a high-profile case in 1991, a man used his computer to send a premium toll number (a 212-540-nnnn number that incurs a charge for the caller, similar to a 900 or 976 number) to more than 26,000 pagers in the New York metropolitan area. When the pager user returned the call, they were connected to a recording and charged $55.

More recently, thousands of pagers in different states have received messages requesting a call back to numbers in the 809 area code, each of which apparently reaches a different recording. One particularly devious message starts out sounding like a normal conversation, with a male voice saying "hello" and asking the caller to "hang on." Expensive seconds tick by as a polite caller waits for the voice to continue. When the voice does return, it makes a demand for payment for unspecified charges. Other messages have offered questionable products and services. unrequested and unneeded by the caller. In each case the caller only learns later that a charge of up to $25 has been made on their telephone bill.

Fradulent requests to call numbers in the 809 area code have even migrated to the Internet. In October the following electronic mail message was sent to a large number of unsuspecting people:

Date: Tue, 1 Oct 1996 14:12:49 -0700
From: "Global Communications"@demon.net
Subject: Unpaid account
Message-ID: <844184592.19166.164@[194.222.75.163]>

I am writing to give you a final 24hrs to settle your outstanding account. If I have not received the settlement in full, I will commence legal proceedings without further delay. If you would like to discuss this matter to avoid court action, call Mike Murray at Global Communications on +1 809 496 2700.

The telephone number is in the British Virgin Islands, and of course there is no "outstanding account" for the recipient of this electronic mail message. Some curious recipients called the number collect, and heard a recording similar to the pager scams.

Part of the problem with these fraudulent call requests lies in the fact that most consumers are unaware that other countries are part of the North American Numbering Plan (NANP), and thus have area codes that are difficult to distinguish from domestic ones. Because of this, unscrupulous businesses located in Caribbean countries can be reached by what appears to be a United States telephone number, yet remain immune from US law.

The 809 area code serves Puerto Rico (a US commonwealth), the Virgin Islands (both US and British), the Bahamas, Jamaica, the Dominican Republic, and other areas of the Caribbean. Long distance charges are usually much higher than to other US area codes, and additional charges apply to international calls. This will become even more confusing as new area codes become active (see table).

Several parties are benefiting from these fraudulent operations, first and foremost of which are the pay-per-call operators who dream up these scams and induce people to call under false pretenses. Pay-per-call service bureaus exist in many Caribbean countries, providing equipment and numbers to would-be operators. The service bureaus are paid a kickback from the local telephone company based on the amount of inbound call traffic they can generate, typically anywhere from 25 to 50 cents per minute.

US long distance companies also collect their portion of the fee for the calls, and some carriers charge far more than others. Although access to the 809 area is available for much less than $1.00 per minute, most major long distance carriers charge several times that amount. To their credit, however, both AT&T and Sprint have blocked access to some of the most flagrant 809 scam numbers. This is, at best, a temporary measure, since these scams will simply switch to new numbers.

If you receive a page or e-mail for a number you don't recognize, especially with a strange area code, be sure you know what the charges will be before you return the call.

As always, comments, questions, and even criticisms are welcome at dan@decode.com. Until next month, happy monitoring!