Did You Know?
Cellular cloning is a federal crime in the United States of America. Specifically, it is a crime for any person other than a cellphone manufacturer to alter the electronic serial number in a cellphone, regardless of the purpose. In other words, in the USA there is no such thing as "legitimately" cloning a cellphone.
Cellular Systems and Other Terms Defined
There are several cellular systems currently in use around the world. Naturally, like everything else remotely technical, these networks and their components are referred to using acronyms. Here are some quick descriptions of the more common of these terms.
AMPS
AMPS ("Advanced" Mobile Phone System) was the first cellular system to achieve widespread acceptance. It's primitive, it's analog, it's old, it's overdue for replacement. If you happen to be colonizing another planet and you're looking for a place to skimp on the budget, write to all the friendly carriers Earthside and ask them for their AMPS hardware - you'll be able to get it at bargain basement prices. AMPS is very insecure both in terms of call interception and theft of service, it's not very reliable, has very few value-added services, and it's NOT the system of choice for anything other than price reasons.
Billing identification on an AMPS network is presented as follows: Each handset has a NAM (Numeric Address Module) and an ESN (Electronic Serial Number). When you get your handset activated, the dealer programs the NAM with your telephone number. The ESN is manufacturer-assigned and supposed to be unique. When you place or answer a call, the phone sends its ESN to the network, which checks to see if the ESN belongs to a valid cellular account. (The NAM programming is not used in the billing verification process. The reason you need to program the NAM is simply so that your phone knows which incoming calls belong to it, so it can determine when to ring.) The problem with this system is that due to the primitive protocols used, it is very easy for someone with a scanner and a simple decoder circuit to collect ESNs and telephone numbers. It is then easy for such people to steal cellular service by burning a new ESN into a phone and programming its NAM with the matching telephone number. This process is referred to as "cloning" a phone.
Because the voice transmission system is a simple analog radio signal, anyone with a scanner can also listen to your conversations. In fact, as any AMPS user will tell you, sometimes it isn't even necessary to have a scanner - quite often while making AMPS calls in urban areas, you will be able to hear a conversation on the same channel in the next cell.
There are various flavors of AMPS including D-AMPS (also referred to as TDMA or IS-136) and N-AMPS. AMPS operates in the 800MHz area.
CDMA
CDMA (Code Division Multiple Access) isn't really a cellular system - it's simply the name for a frequency-hopping technique used to put multiple signals into one spectrum slot. The real designation for "CDMA" networks (at least in the United States) is IS-95. When you hear people talking about "CDMA" phones, they are probably referring to IS-95 handsets based on CDMA technology licensed from Qualcomm. A CDMA network is replacing AMPS in Australia.
CDMA is a very cunning technique, and it offers good security even without superencryption of the actual data stream. It is also easy to phase it in over an existing AMPS network. CDMA is, however, a new technique as far as consumer-grade cellular communications is concerned, and current implementations appear to have some warts - specifically, a lot of trouble with dropped calls, especially in busy areas.
SprintPCS is one of the best-known CDMA providers in the United States. Verizon Wireless (formerly Bell Atlantic Mobile) is another.
Codec
"Codec" is an abbreviation for enCODer/DECoder. In cellular circles, the term refers to software, firmware or hardware used to encode voice data for efficient and reliable transmission, and decode it at the receiver to form intelligible audio once more. All digital cellular systems use a codec of some sort. The codec used in GSM is called GSM (!); an implementation of this codec is also shipped with current versions of Windows. Although the math involved in the protocol doesn't obviously reflect this, the underlying theory of the GSM codec is that human speech is produced by a very simple waveform generated by air passing through the vocal cords. Complex harmonics are added to this simple waveform as it bounces around inside the trachea, sinuses and mouth; the exact composition of the final result depends on the size and position of the tongue, lips and mandible - and the volume, shape and degree of blockage of your sinuses!
To illustrate this point to yourself, make sure you're out of earshot of anyone who might be able to certify you as insane, purse your lips to make the "oo" sound in "book", and start to sing a continuous-pitch note. Without moving your tongue, open your lips progressively wider. Listen to the way the tone (but not the pitch!) of the note changes. Isn't it incredible to think that this organic technology has allowed us simple apes to create complex languages, thereby organizing and directing members of our species, and dominate all other lifeforms on the planet? Now close your mouth, clamp the front of your tongue against your palate, and sing the same note through your nose. That's about as close as you can get to hearing the raw, unmodulated output from your vocal cords. It's a "soft" sound (lacking high-frequency harmonics) which suggests it's something close to a sinusoidal wave.
GSM works by extracting the base tone generated by the vocal cords and interpolating the changing configuration of the speaker's mouth from the audio waveform. This is much more efficient than simply trying to compress the audio data with a simple algorithm working on the raw byte stream. At the other end, in effect the speaker's vocal system is simulated by the decoding side of the codec.
You'll note that throughout this discussion, I have been talking exclusively about speech - this is because the GSM codec was specifically designed to reproduce speech. Especially at high data rates (see EFR), GSM version 6.10 reproduces human speech very well. It is, however, not at all suited to reproducing music or data communications-type waveforms (as generated by modems). This is why you can't simply connect an analog modem up to a GSM phone; the codec would completely mangle the audio output from the modem. A GSM data card is simply an interface which lets your computer send digital data directly into the phone - the phone sends it to the network, and it is somewhere in the land-bound portion of the network that the data stream is actually modulated into tones which a modem can understand.
D-AMPS
Digital AMPS. See TDMA. D-AMPS (IS-136) operates mostly in the 800MHz band, but there are some 1900MHz D-AMPS networks in the United States.
DTX
DTX (Discontinuous Transmission) is a battery-saving feature implemented on almost all current GSM phones and probably also those from other technologies. Very simply, the phone's transmitter circuits are completely turned off while the microphone is not picking up sounds. The only "drawback", if it can be called such, is that the person on the other end will not be able to hear soft background noises from your end while you're not speaking.
EFR
Most modern GSM phones support a feature called EFR (Enhanced Full Rate). This feature provides enhanced audio quality at the expense of occupying more bandwidth on the cellular network.
ESN
All AMPS phones have an ESN (Electronic Serial Number). This is a 32-bit number (usually quoted in hexadecimal), supposed to be unique. The ESN is usually printed inside the handset's battery compartment. Never tell your ESN to anybody, especially an enemy or known prankster!
For a description of how the ESN is used by the network, see AMPS.
GSM
GSM (formerly Groupe Spécial Mobile, now Global System for Mobiles) is unarguably the world's most popular cellular system. It is a TDMA digital system. In no particular order, the features offered by GSM include: the ability to send short text messages directly between handsets, seamless international roaming, superb audio quality, good spectrum usage, the ability to swap handsets as desired without needing to inform your carrier, very reliable 9600bps data/fax capability, reasonable call security, and more.
GSM implementations exist in three flavors - GSM900, GSM1800 and GSM1900, which operate in the 900MHz, 1.8GHz and 1.9GHz bands respectively. GSM1900 is presently used only in the United States of America, but it will apparently spread to other areas soon. GSM900 is the most commonly used band. GSM1800 seems to be intended as an "extra" band to increase cell capacity in crowded GSM900 areas. However, some GSM1800-only networks do exist. Note that GSM1800 is sometimes referred to as "DCS" or "PCN", and GSM1900 is sometimes called "PCS".
At present, there are a handful of dual-mode phones such as the Motorola cd928 and Ericsson SH888 which operate in both the 900 and 1800MHz bands. There are also a number of phones such as the Ericsson I888 and Bosch Worldphone 718 which operate in both the 900 and 1900MHz bands. Unfortunately, there are no phones as yet which operate in all three bands, which means that depending on where you are, where you want to go, and what roaming agreements exist with your carrier, you may still need a rental handset.
Luckily, GSM makes it easy to switch phones as necessary. When you sign up with a GSM provider, you are issued with a smartcard ("SIM" - Subscriber Identity Module). Among other information, this card contains a serial number ("IMSI" - International Mobile Subscriber Identifier) which uniquely links it to your cellular account. Wherever you are in the world, you can simply insert the SIM into a GSM phone compatible with the local networks, and the IMSI will be transmitted to the local carrier(s) to identify you. As long as at least one of the carriers in range has a roaming agreement with your home carrier, and your cellular account is valid, you will be able to log into the local network and make calls as you please. People who call your home-country cellular number will automatically be put through to you.
For those familiar with AMPS terminology, the IMSI is equivalent to an analog phone's NAM programming. Each GSM handset also has a hardware identifier equivalent to an AMPS phone's ESN. This is the IMEI (International Mobile Equipment Identifier) which is also transmitted to the network. In theory, the IMEI can be used to keep stolen phones off-air. In practice, the difficulty of maintaining a worldwide stolen handset database online and accessible from any carrier within a few seconds means that the IMEI is ignored. Unlike AMPS, in GSM there is NO billing tie-in between the subscriber's identity and the handset. It isn't necessary, because unlike AMPS phones which can have their NAM programmed easily from the keypad, all the subscriber information in GSM is lurking inside PIN-protected memory within a smartcard. A SIM is impossible to clone without physically accessing it - and it's hard to clone even then.
One unfortunate design feature of GSM is that the size of a cell is limited to 35km unless special, capacity-reducing magic software hacks are installed in the base stations. Even if you have a line-of-sight path to the nearest base station and a nice strong signal, if you're more than 35km away you can't use the network. This is a fairly serious limitation for rural use (especially in a country like Australia, which has vast open spaces with more lizards than people), though it doesn't matter for the densely populated cities for which GSM was designed. And it doesn't matter to the lizards either, most of whom seem to be equally happy with almost any cellular phone as long as it isn't in a lizard-skin case.
(From reading the above, you might get the impression that I take my GSM phones to bed with me every night and cuddle them for sheer joy. Well, this isn't the case - partly because the puppy who sleeps on my pillow might chew them. But GSM is a very good system).
iDEN
A proprietary TDMA cellular system from Motorola. Some of the iDEN phones look very nice, but it seems that their plastics haven't been used in Motorola's industry-standard phones, which is unfortunate. The best-known (only?) iDEN carriers are Nextel, in the United States, and Clearnet, in Canada.
IMEI
Every GSM handset has a unique IMEI (International Mobile Equipment Identifier), set by the manufacturer. This identifier can in theory be used to track and bar stolen handsets. In practice, it is not used for anything. The IMEI is broken into fields thus:
Digits denoted "T" are referred to as the TAC (Type Approval Code). The first two digits of the TAC are the international dialing code of the country in which type approval was sought. Note that if the TAC starts with 01 (USA), the chances are very good that you're looking at a GSM1900-only phone. 900MHz, 1800MHz and multiband phones carry European type approvals.
Digits denoted "F" are referred to as the FAC (Final Assembly Code). This code, chosen by the manufacturer, identifies the facility at which the final assembly of the phone was completed.
Digits denoted "S" are referred to as the SNR (Serial NumbeR). This is the manufacturer's serial number for the appliance. Note that this may have no relation to the separate, proprietary MSN (Mechanical Serial Number), if any, printed on the device's serialization label.
The final digit is "SPare", and most references you read will tell you that it is always zero. For modern phones, this is no longer true. However, if you are using some software that calculates a magic code of some sort based on your phone's IMEI, and the code calculated doesn't work, try substituting a zero for the last digit.
When you see an IMEI on a label or onscreen, it will not necessarily be formatted with the punctuation shown above. All fields will, however, be present as described.
On almost all GSM phones you can display the IMEI onscreen by typing *#06#. Be suspicious if you are offered a secondhand phone where the IMEI shown onscreen doesn't match that printed on the label, especially if the TAC is different. The phone may have had its IMEI electronically defaced for some fraudulent purpose. If only the SNR field is different, it probably means the phone has had a logic board replacement.
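The field split and the label-versus-screen check from the paragraphs above, written out as an added example (this is not code from the original page). It assumes the classic 15-digit layout of a 6-digit TAC, 2-digit FAC, 6-digit SNR and one spare digit, since the page names the fields but their widths did not survive; the Luhn check on the final digit is what newer handsets carry in the "spare" position and is this example's addition.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Imei:
    tac: str    # Type Approval Code; first two digits = dialing code of the approving country
    fac: str    # Final Assembly Code
    snr: str    # manufacturer's serial number
    spare: str  # "spare" digit: zero on old phones, a Luhn check digit on newer ones


def parse_imei(raw: str) -> Imei:
    """Accept an IMEI with or without label punctuation and split it into fields.

    Layout assumed here: 6-digit TAC, 2-digit FAC, 6-digit SNR, 1 spare digit.
    """
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) != 15:
        raise ValueError(f"expected 15 digits, got {len(digits)}")
    return Imei(digits[0:6], digits[6:8], digits[8:14], digits[14])


def luhn_ok(raw: str) -> bool:
    """True if the 15 digits pass the Luhn check (newer phones); an old-style
    IMEI whose last digit is simply 0 will usually fail this."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def type_approval_country(imei: Imei) -> str:
    """Two-digit international dialing code of the country where type approval was sought."""
    return imei.tac[:2]


def likely_gsm1900_only(imei: Imei) -> bool:
    """Rule of thumb from the page: a TAC beginning 01 (USA) almost always means a GSM1900-only phone."""
    return type_approval_country(imei) == "01"


def compare_label_and_screen(label: str, screen: str) -> str:
    """Secondhand-phone check: a TAC mismatch is the red flag (electronically
    altered IMEI); an SNR-only mismatch more likely means a logic-board swap."""
    a, b = parse_imei(label), parse_imei(screen)
    if (a.tac, a.fac, a.snr) == (b.tac, b.fac, b.snr):
        return "match"
    if a.tac != b.tac:
        return "suspicious: TAC differs"
    if a.fac == b.fac:
        return "board replaced: only SNR differs"
    return "mismatch: FAC differs"


# Constructed sample, not a real handset: TAC 012345 (US approval), FAC 67, SNR 890123, Luhn digit 7.
SAMPLE_LABEL = "012345-67-890123-7"
```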
IMSI
Subscribers to GSM networks are identified by a unique IMSI (International Mobile Subscriber Identifier). This number is sent to the network when the user logs on, and it is used to contact the user's home carrier and establish the bona fides of his/her account. The IMSI is stored in the SIM.
Note that although the IMSI determines a subscriber's telephone number by associating the user with a specific cellular account, the actual digits of the IMSI have no relationship to the telephone number. For example, if you lose your SIM card and ask your carrier for another, your new SIM will have a new IMSI and the old IMSI will be invalidated - but your telephone number will remain unchanged.
N-AMPS
Narrowband-AMPS (see AMPS). Very similar to AMPS but the voice channels used in N-AMPS are narrower, allowing more cellular conversations to operate in the same bandwidth.
NAM
All AMPS phones have a NAM (Numeric Address Module) which is programmed at sign-up time with the subscriber's telephone number. The handset uses the information in the NAM to identify which incoming calls on the network "belong" to it. There is no cross-checking on this until the call is answered - if you program your phone's NAM with someone else's telephone number, your phone will ring each time they receive a call. (You won't be able to answer their calls, however).
Because of the vast, diverse and unfriendly AMPS networks in the United States, many phones have multiple NAMs so that they can use different carriers without reprogramming. (Note that a multi-NAM phone still has only one ESN).
For a fuller description of how the NAM is used by the network, see AMPS.
PHS
A digital cellular system used exclusively in Japan. I believe that it operates in the 1.5GHz band. Frankly, I also believe Japan's cellular provider(s) should pull their head out of the sand (or wherever else it might be lodged) and install a GSM network, even if they have to move it to a nonstandard band to avoid spectrum reallocation issues. I don't intend to waste any time learning about PHS, as I trust that Iridium or something else will become popular enough to eradicate this silly non-standard system. Just be aware that if you go to Japan, you will need to rent a phone. NTT (Japanese telco) seems to be concentrating at this point in time on selling cellular telephones to dogs and cats (and I'm NOT joking), so presumably few resources are being diverted towards the needs of mere humans.
PIN
The PIN (Personal Identification Number) requested by a GSM phone is a means of assuring that a stolen SIM is not usable. The PIN is stored on the SIM in execute-only memory - it cannot be read out by external hardware. When you type in your PIN, the phone sends it to the SIM and it is the SIM which validates it. If you get the PIN wrong three times in a row, the card will be blocked and will ask for a PUK code (Personal Unblocking Key or Provider Unblocking Key, depending on who you ask). If you enter this code incorrectly ten times in a row, the card will be permanently blocked and will need replacement. The PUK is usually NOT divulged to you when you get the SIM - you need to call the carrier for it.
If you think about this system for a moment, you will see that it is quite cleverly designed - an attacker who steals the SIM will have an impossibly small number of tries to guess the PIN, yet a user who legitimately forgets his/her PIN can fix the problem over the telephone.
Most SIMs will allow you to turn off the power-on PIN challenge. This is not advisable unless you're using a prepaid SIM where it doesn't really matter much in a monetary sense if someone steals your account temporarily.
Certain features on new SIMs are protected by a second PIN, referred to as PIN2. PIN2 is "backed up" by a second PUK code, PUK2.
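The PIN/PUK retry scheme described above, modelled as an added example (not code from the page, nor from any real SIM). It takes its figures from the page (three PIN attempts, ten PUK attempts) and assumes that a successful PUK entry restores both counters and that PIN2/PUK2 follow the same rules, so one class serves either PIN level.

```python
import hmac


class SimPinLock:
    """Retry counters for one PIN level (PIN1/PUK1 or PIN2/PUK2) on a SIM.

    The stored PIN and PUK never leave this object, mirroring the page's point
    that the card itself does the comparison rather than the handset.
    """
    PIN_TRIES = 3    # wrong PINs before the card demands the PUK (from the page)
    PUK_TRIES = 10   # wrong PUKs before the card is permanently blocked (from the page)

    def __init__(self, pin: str, puk: str, enabled: bool = True) -> None:
        self._pin = pin
        self._puk = puk
        self.enabled = enabled          # power-on PIN challenge switched on or off
        self.pin_left = self.PIN_TRIES
        self.puk_left = self.PUK_TRIES

    @property
    def state(self) -> str:
        if self.puk_left == 0:
            return "permanently-blocked"   # card must be replaced
        if self.pin_left == 0:
            return "puk-required"
        return "ready"

    def verify_pin(self, attempt: str) -> bool:
        """Handset forwards the typed PIN; the card answers yes/no and counts failures."""
        if not self.enabled:
            return True                    # challenge off: anyone holding the card can use it
        if self.state != "ready":
            return False                   # even the correct PIN is refused once blocked
        if hmac.compare_digest(attempt.encode(), self._pin.encode()):
            self.pin_left = self.PIN_TRIES
            return True
        self.pin_left -= 1
        return False

    def unblock(self, puk_attempt: str, new_pin: str) -> bool:
        """PUK entry (obtained from the carrier) sets a new PIN and clears the block.

        Assumption: success also restores the PUK counter.
        """
        if self.state != "puk-required":
            return False
        if hmac.compare_digest(puk_attempt.encode(), self._puk.encode()):
            self._pin = new_pin
            self.pin_left = self.PIN_TRIES
            self.puk_left = self.PUK_TRIES
            return True
        self.puk_left -= 1
        return False
```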
SIM
In GSM parlance, a Subscriber Identity Module. This is a PIN-protected smartcard which stores (among other things) the subscriber's IMSI (possibly more than one if the subscriber has multiple lines on the one SIM), received SMS (pager) messages, user phonebook entries, lists of preferred carriers for roaming purposes, service center numbers for voicemail and SMS, and carrier-specific security information.
SIMs are available in two types - "fullsize" (credit card size) and "plugin" or "chip" - a much smaller rectangular shape with a missing corner. The two types are electrically identical, differing only in the amount of plastic surrounding the chip. Plugin SIMs are always supplied as a fullsize frame with a breakout panel containing the chip. An example is shown below. (The plugin SIM in this photo doesn't actually belong to the frame shown - it was chosen because its color contrasts well with the frame, so you can compare the size and shape of fullsize vs. plugin):
Below the surface, there are other different SIM types - mostly, SIMs vary in the amount of storage space they offer. Some other battery-saving and miscellaneous features have also been implemented in modern SIMs, including a second PIN and PUK (PIN2 and PUK2) used to restrict access to certain new network or handset features.
TDMA
Like CDMA, TDMA (Time Division Multiple Access) refers to a technique for allowing multiple transmitters to share a single frequency. Unlike CDMA, TDMA achieves this by assigning each transmitter a short frame during which it is allowed to transmit. Everybody speaks in turn, in short.
The most popular TDMA implementation is GSM, but there are others - Motorola's iDEN system, for example. In the United States, the networks commonly referred to as "TDMA" are better referred to as IS-136 networks. AT&T's digital cellular service is an example of IS-136.
TDMA is also referred to as D-AMPS (Digital AMPS).