
LABTECH INTERNATIONAL LTD (www.labtech.org)
Batam (Main Factory):
Kawasan Industri Sekupang Kav. 34, Sekupang, P.O. Box 120 Sekupang, Batam – Indonesia 29422
Tel.: (62-778) 327781, 327782, 321057 Fax.: (62-778) 321414
Singapore (Finance/ Logistics):
163 Penang Road, No. 02-01 Winsland House II, Singapore 238463
Tel.: (65) 64636192, 67261410 Fax.: (065) 64620160 Email Address: singapore@labtech.org
Malaysia (Regional Marketing Center):
No.23 Jalan Alfa B U6/B Pusat Perdagangan Subang Permai, Seksyen U6, 40150 Shah Alam, Selangor, Malaysia
Tel.: (603) 7845 3600, 7845 4950 Fax.: (603) 7845 1350
Jakarta Office:
FX Residence 19A, Jl. Jenderal Sudirman Pintu Satu Senayan, Jakarta 10270
Tel.: (021) 2555 4429 Fax.: (021) 2555 4429
General Email: sales@labtech.org

CELLULAR MOBILE PHONE TRAINER
EXPERIMENT MANUAL
MODEL: ERT-CTT-2
Cellular Mobile Phone Trainer Experiment Manual ERT-CTT-2

CONTENTS

1. OVERVIEW 1
2. EDUCATIONAL CONCEPTS OF THE TRAINER 2
2.1. Cellular mobile phone Training Material 2
2.2. Working with the Courseware 2
3. ABOUT THE TRAINER HARDWARE 4
3.1. List of Items that Come with the Trainer 4
3.2. Setting up the Trainer 4
3.3. The hardware 5
3.4. Electronic Fault System and Test Points 6
4. BASIC THEORY 7
4.1. Mobile Phones - The Basics 8
4.1.1. Introduction 8
4.1.2. History 9
4.1.3. Cell and Sector Terminology 11
4.1.4. Basic Theory and Operation 14
4.1.5. Cellular frequency and channel discussion 15
4.1.6. Channel Names and Functions 17
4.1.7. AMPS Call Processing 19
4.1.8. Origination -- Making a call 23
4.1.9. AMPS and Digital Systems compared 25
4.1.10. Code Division Multiple Access -- IS-95 28
4.1.11. CDMA Benefits 32
4.1.12. AMPS Call Processing 34
4.2. Forensics and the GSM mobile telephone system 36
4.2.1. Introduction 36
4.2.2. History of the GSM system 36
4.2.3. Overview of the GSM system 37
4.2.4. Entities of the GSM system 37
4.2.4.1. The Mobile Station 37
4.2.4.2. The Base Transceiver Station 38
4.2.4.3. The Base Station Controller 38
4.2.4.4. The Mobile Switching Centre 38
4.2.4.5. The Location Registers 38

LABTECH i
4.2.4.6. The Equipment Identity Register 39
4.2.4.7. GSM Security 39
4.2.5. Evidence in the Subscriber Identity Module 39
4.2.5.1. Access to the SIM 39
4.2.5.2. Forensic analysis of SIM cards 40
4.2.5.3. The files on the SIM-card 41
4.2.5.4. Location information, serial number, IMSI, MSISDN 42
4.2.5.5. Text messages 42
4.2.5.6. Short Dial Numbers 43
4.2.5.7. Last Numbers Dialed 43
4.2.5.8. Attacks on the SIM module 43
4.2.6. Evidence in the Mobile Equipment 44
4.2.6.1. Access to the phone 45
4.2.6.2. Forensic analysis of GSM phones 45
4.2.6.3. Phone contents 46
4.2.6.4. Attacks on the phone 46
4.2.7. Electronic evidence in the network 46
4.2.7.1. Subscriber database 46
4.2.7.2. Call Data Records 47
4.2.7.3. Subscriber location 47
4.2.7.4. Attack on the network 48
4.2.8. The Future – UMTS 48
4.2.8.1. UMTS network structure 48
4.2.8.2. UMTS radio interface 49
4.2.8.3. UMTS terminals 49
4.2.8.4. Location services 49
4.2.9. Conclusion 49

5. EXPERIMENTS 51
5.1. Identifying the Hardware 52
5.2. First Step to Use the Phone 55
5.3. Troubleshooting the SIM Card 57
5.4. Troubleshooting the Vibrator Circuit 60
5.5. Troubleshooting the Microphone Circuit 62
5.6. Troubleshooting the Speaker Circuit 64
5.7. Troubleshooting the Battery Unit 66

5.8. Troubleshooting the CPU Circuit 68
5.9. Troubleshooting the Charger Unit 70
5.10. Troubleshooting the Camera Circuit 72

6. APPENDIX 74
6.1. The List of Cellular Mobile Phone Fault Simulation 75
6.2. The List of Cellular Mobile Phone Test Points 76
6.3. Cellular Mobile Phone Block Diagram 77

1. OVERVIEW

The Labtech Cellular Mobile Phone Trainer is based upon a popular model of hand phone
from Nokia, a manufacturer famous throughout the world for the quality of its electronic
products. It consists of a standard hand phone which has been modified for educational
purposes. The hand phone is mounted on an attractive enclosure/chassis which protects the
Cellular mobile phone and incorporates the circuitry for the fault-finding mechanism.
In presenting the trainer to the student, we have kept as many of the original features of the
Cellular mobile phone as possible, so that the student can troubleshoot just as has to be done
when servicing products in the field. The training program covers the following points:
• Theory of the Cellular mobile phone
• How to operate the Cellular mobile phone trainer
• Factory Service manual
• Factory User guide
• Test point measurements
• Diagnosing and troubleshooting

2. EDUCATIONAL CONCEPTS OF THE TRAINER

A variety of educational experiments and tasks can be accomplished with this trainer. The
trainer comes complete with a number of different sources of training material so that the
teacher can use them as references to achieve the curriculum goals at his/her school.

2.1. Cellular mobile phone Training Material

Factory Service manual
This manual is a Nokia Service Guide containing all the information needed for servicing
and troubleshooting the Cellular mobile phone. It is important for the student to learn how
to use this book, since it will be the only information s/he has for improving his/her skill
and knowledge when working in an industrial environment.
Student Job Sheets
These job sheets contain a number of specific exercises, each with a particular purpose, for
the experiments to be done with the Labtech Cellular mobile phone Trainer. The job sheets
incorporate and use information from the factory Service manual as well as the textbook,
and refer to them often.
User guide
This brief manual covers the basic concepts needed to operate the Cellular mobile phone
Trainer and contains a review of the main features of the Cellular mobile phone and the
training system.

2.2. WORKING WITH THE COURSEWARE

The courseware may be used in a variety of ways, and the teacher can arrange how it is
used. We suggest that the courseware is used to cover the topics presented below, in this
order:
General Operation of the Cellular mobile phone
Refer to the Basic Theory chapter of this Experiment Manual for how the Cellular mobile
phone functions and is controlled.
Operation of the Cellular mobile phone
Refer to the User guide and Service manual for a summary of the controls and operation of
the Cellular mobile phone.

Job Sheet Instruction
The student is now ready to go through the job sheet experiments, exploring the specific
maintenance and alignment procedures associated with common problems in Cellular
mobile phone repair.
While performing each experiment, the student should refer to the Service manual in
order to become more familiar with its layout and material.
Exploring the Test Points
Use the Service manual to guide the student through all of the test points on the Cellular
mobile phone. This will enable them to gain experience in locating test points, setting up
the equipment for measuring the signals at the test points, and comparing the measurements
with those described in the Service manual.
Troubleshooting
Now the student is ready for troubleshooting. While doing these exercises the student
should explore each fault simulation in order to diagnose specific problems.
In this way the student becomes familiar with the symptom in each block where a fault has
been inserted. After the student has gone through all of the faults, the teacher may test the
students by asking them to locate the fault(s) inserted with the LED indicator disabled.
It is one of the main features of the Labtech Cellular mobile phone Trainer that the fault
simulation system can be used by the student as part of the learning process and can also
be used by the teacher to test the student's skills and progress.

3. ABOUT THE TRAINER HARDWARE
3.1. LIST OF ITEMS THAT COME WITH THE TRAINER

Cellular mobile phone Trainer
The main unit consists of the Cellular mobile phone, the enclosure and the fault mechanism
system, with the block diagram included.
Cellular mobile phone Trainer Experiment Manual
This manual consists of job sheets for the student to learn about and troubleshoot Cellular
mobile phone malfunctions.
User guide and Service manual of the Cellular mobile phone
The User guide is the operating instruction used to guide the student when using the
Cellular mobile phone and its features; the Service manual is the Nokia Service manual
containing all the information needed for servicing the electrical and electronic parts of the
Cellular mobile phone unit.
The CA-42 USB data cable
The CA-42 USB data cable connects the Cellular mobile phone to a PC to transfer files such
as the calendar, phone book and media. The software and driver needed to use the CA-42
data cable are included. Install the PC Suite program before using the data cable.

3.2. SETTING-UP THE TRAINER

1. Read the manuals that come with the trainer before setting up the Cellular mobile
phone trainer.
2. Unpack the Cellular mobile phone Trainer from its box.
3. The Trainer is designed to be small enough to sit on a normal laboratory bench
when in its operating condition.
4. Open the case of the Cellular mobile phone trainer.
5. Plug the power cord into the power mains.
6. A SIM card that has been registered in this country is required.
7. Install the SIM card and battery in the cellular mobile phone.
8. Turn ON the Cellular mobile phone by pressing the power switch.
9. Set the clock and date, and ensure that the Cellular mobile phone is functioning correctly.
10. Read the instructions for using the fault simulation system before operating the
Cellular mobile phone trainer.

3.3. THE HARDWARE

[Figure: block diagram with fault switches; hardware identification; rear side of the phone; front side of the phone]
3.4. ELECTRONIC FAULT SYSTEM AND TEST POINTS

3.4.1. Instruction for the Electronic Fault System

The Cellular mobile phone trainer has a unique fault simulation system that makes
troubleshooting more interesting and understandable to the student. The troubleshooting
system consists of fault selector switches; each fault is selected electronically with a small
push switch. The faults can be made visible with the LEDs on the fault display board, or
they can be hidden to test the student's troubleshooting skills.
To insert a fault, press the corresponding switch on the panel block diagram. The fault is
activated and is shown on the fault display board by the lit LED. The results of a fault
activation are often readily detectable on the Cellular mobile phone, for example for
problems related to sound and picture.
To return the Cellular mobile phone to normal operation, press the RESET switch and the
system will be reset. Alternatively, remove the power source; the system will return to
normal when it is plugged in again.
Let the students experiment with the fault simulation system by themselves so that they
can observe the various "physical symptoms" that these faults cause. In this way they will
come to recognize the cause of various common problems. Also have them use various test
instruments to determine the cause of the fault electronically by measuring at the Test
Point Board.
The fault display board can be turned off in order to test the students' troubleshooting
ability. This is done by pressing the LED CONTROL switch. After this feature is
activated, any faults selected will not be shown on the fault display board.

4. BASIC THEORY
4.1. Mobile Phones - The Basics

4.1.1. Introduction
Cellular radio provides mobile telephone service by employing a network of cell sites
distributed over a wide area. Cell sites incorporate a radio transceiver to manage, send and
receive traffic from the mobile phones in its area, a tower and its antennas, and a link to a
distant switch called an MTSO. This mobile telecommunications switching office places calls
from land based telephones to wireless customers, switches calls between cells as mobile
phones travel across cell boundaries, and authenticates wireless customers before they make
calls.
Cellular uses a principle called frequency reuse to greatly increase customers served. Low
powered mobile phones and radio equipment at each cell site permit the same radio
frequencies to be reused in different cells, multiplying calling capacity without creating
interference. This spectrum efficient method sharply contrasts with earlier mobile systems
that used a high powered, centrally located transmitter, to communicate with high powered
car mounted mobile phones on a small number of frequencies, channels which were then
monopolized and not re-used over a wide area.
Complex signaling routines handle call placements, call requests, handovers, or call transfers
from one cell to another, and roaming, moving from one area carrier to another. Different
cellular radio systems use frequency division multiplexing (analog), time division
multiplexing (TDMA), and spread spectrum (CDMA) techniques. Despite different operating
methods, AMPS, PCS, GSM, E-TACS, and NMT are all cellular radio. That's because they
all rely on a distributed network of cell sites employing frequency re-use. Is your head
spinning yet? Take it easy. Let's ease into this cellular discussion by discussing some history
first.

4.1.2. History
United States cellular planning began in the mid-1940s, after World War II, but trial service
did not begin until 1978, and full deployment in America not until 1984. This delay must
seem odd compared to today's furious pace of wireless development, but there were many
reasons for it. Limited technology, Bell System ambivalence, and government regulation all
limited radio-telephone progress.
As the vacuum tube and the transistor made possible the early telephone network, the
wireless revolution began only after low cost microprocessors, miniature circuit boards, and
digital switching became available. And while AT&T personnel built the finest landline
telephone system in the world, Bell System management never truly committed to mobile
phone telephony. The U.S. Federal Communications Commission also contributed to the
delay, stalling for decades on granting more frequency space. This limited the number of
mobile phone customers, and thus prevented any new service from developing since serving
those few customers would not make economic sense. But in Europe, Scandinavia, Britain,
and Japan, where state run telephone companies operated without competition, and where
regulatory interference was minor, cellular came at the same time or later, not sooner than in
America. It remains a question, then, on what the biggest factor limiting cellular development
truly was.
Although theorized for years before, Bell Laboratories' D.H. Ring articulated the cellular
concept in 1947 in an unpublished paper. W.R.Young, writing in The Bell System Technical
Journal, said Ring's paper stated all elements of cellular: a network of small geographical
areas called cells, a low powered transmitter in each, traffic controlled by a central switch,
frequencies reused by different cells and so on. Young states that from 1947 Bell teams "had
faith that the means for administering and connecting to many small cells would evolve by
the time they were needed." While cellular waited to evolve, a more simple system was used
for mobile telephony, a technology that, as it finally matured, originated some practices that
cellular radio later employed.
On June 17, 1946 in Saint Louis, Missouri, AT&T and Southwestern Bell introduced the first
American commercial mobile radio-telephone service. It was called simply Mobile
Telephone Service or MTS. Car drivers used newly issued vehicle radio-telephone licenses
granted to Southwestern Bell by the FCC. These radios operated on six channels in the 150
MHz band with a 60 kHz channel spacing, twice the size of today's analog cellular. Bad cross
channel interference, something like cross talk in a landline phone, soon forced Bell to use
only three channels. In a rare exception to Bell System practice, subscribers could buy their
own radio sets and not AT&T's equipment.
Installed high above Southwestern Bell's headquarters at 1010 Pine Street, a centrally located
antenna transmitting 250 watts paged mobiles when a call was for them. Automobiles
responded not by transmitting to the headquarters building but to a scattering of receiving
sites placed around the city, usually atop neighborhood central switching offices. That's
because automobiles used lower powered transmitters, of course, and could not always get a
signal back to the middle of town. These central offices relayed the voice traffic back to the
manually operated switchboard at the HQ where calls were switched. So, although the
receiver sites were passive, merely collecting calls and passing them on, they did presage the
cellular network of distributed, interactive cell sites.

One party talked at a time with MTS. You pushed a handset button to talk, then released the
button to listen. This eliminated echo problems which took years to solve before natural, full
duplex communications were possible. Transmitting and receiving frequencies were different,
offset from each other to prevent interference. Operators placed all calls so a complex
signaling routine wasn't required. The Bell System was not interested in automatic dial up and
call handling until decades later, instead, independent wireless companies or Radio Common
Carriers, pioneered these techniques. On March 1, 1948 the first fully automatic
radiotelephone service began operating in Richmond, Indiana, eliminating the operator to
place most calls. The Richmond Radiotelephone Company bested the Bell System by 16
years. AT&T didn't provide automated dialing for most mobile phones until 1964, lagging
behind automatic switching for wireless as they had done with landline telephony. (As an
aside, the Bell System did not retire their last cord switchboard until 1978.) Most systems,
though, RCCs included, still operated manually until the 1960s. In 1964 the Bell System
introduced Improved Mobile Telephone Service or IMTS, a replacement to the badly ageing
Mobile Telephone System. It worked in full-duplex so people didn't have to press a button to
talk. Talk went back and forth just like a regular telephone. It finally permitted direct dialing,
automatic channel selection and reduced bandwidth to 25-30 kHz. Operating details
foreshadowed analog cellular routines, the complexity of which we will see soon enough.
Here's how AT&T described automatic dialing:
Control equipment at the central office continually chooses an idle channel (if there is one)
among the locally equipped complement of channels and marks it with an "idle" tone. All idle
mobiles scan these channels and lock onto the one marked with the idle tone. All incoming
and outgoing calls are then routed over this channel. Signaling in both directions uses low-
speed audio tone pulses for user identification and for dialing.
In January 1969 the Bell System employed frequency reuse in a commercial service for the
first time. On a train. From payphones. As we've mentioned before, frequency re-use is the
defining principle or concept of cellular. "Delighted passengers" on Metroliner trains running
between New York City and Washington, D.C. "found they could conveniently make
telephone calls while racing along at better than 100 miles an hour." Six channels in the 450
MHz band were used again and again in nine zones along the 225 mile route. A computerized
control center in Philadelphia managed the system. The main elements of cellular were finally
coming into being, and would result in a fully functional system in 1978.

Let's not dismiss early radio systems too quickly, especially since we need to contrast them
with cellular radio, to see what makes cellular different. IMTS or the Improved Mobile
Telephone System (and its variants) is still around, serving isolated and rural areas not well
covered by cellular. Cellular service may be in 90% of urban areas, but it only reaches 30%
to 40% of the geographical area of America. Most IMTS equipment operates in the UHF
band. Again, it uses a centrally located transmitter and receiver serving a wide area with a
relatively few frequencies and users. Only larger areas will have additional receiving sites
like in Saint Louis. Most areas allow you to dial out directly from your car, however, there
are still places where the operator comes up on frequency to place the call for you. A single
customer can drive 25 miles or more from the transmitter, however, only one person at a time
can use that channel.
This limited availability of frequencies and their inefficient use were two main reasons for
cellular development. The key to the system is, to be stupidly and offensively repetitive, the
concept of frequency reuse. It is the chief difference between IMTS and cellular. In older
mobile phone services a single frequency serves an entire area. In cellular, that frequency is
used again and again. More exactly, a channel is used again and again, a radio channel being a
pair of frequencies, one to transmit on and one to receive.

4.1.3. Cell and Sector Terminology


Let's talk about cell terminology. These terms can get quite confusing. In depicting a cellular
radio system we use simple shapes to represent a complex subject: the geographical area
covered by cellular radio antennas, otherwise called cells. These arbitrary shapes let us
picture the cellular idea; they only approximate the coverage actually given. First, we use a
hexagon shape and not a circle to represent the cells. Why?

If we draw cells as circles we can't show the cells right next to each other. We get instead a
confusing picture like that on the bottom right. Notice all the gaps between the circles? When
showing a cellular system we want to depict an area totally covered by radio, without any
gaps. Any cellular system will have gaps in coverage, but the hexagonal shape lets us
visualize, in theory, how the system is laid out.

Notice the illustration below. The middle circles represent cell sites. This is where the base
station radio equipment and their antennas are located. A cell site gives radio coverage to a
cell. Do you understand the difference between these two terms? The cell site is a location or
a point, the cell is a wide geographical area. Okay?

Most cells have been split into sectors or individual areas to make them more efficient and to
let them carry more calls. Antennas transmit inward to each cell. That's very important to
remember. They cover a portion or a sector of each cell, not the whole thing. Antennas from
other cell sites cover the other portions. The covered area, if you look closely, resembles a
sort of rhomboid, as you'll see in the diagram after this one. The cell site equipment provides
each sector with its own set of channels. In this example just below the cell site transmits and
receives on three different sets of channels, one for each part or sector of the three cells it
covers.

Is this discussion clear or still muddy? Skip ahead if you understand cells and sectors or come
back if you get hung up on the terms at some later point. For most of us, let's go through this
again, this time from another point of view. Mark provides the diagram and makes some key
points here:
"Most people see the cell as the blue hexagon, being defined by the tower in the center, with
the antennae pointing in the directions indicated by the arrows. In reality, the cell is the red
hexagon, with the towers at the corners, as you depict it above and I illustrate it below. The
confusion comes from not realizing that a cell is a geographic area, not a point. We use the
terms 'cell' (the coverage area) and 'cell site' (the base station location) interchangeably, but
they are not the same thing."

These days most cells are divided into sectors. Typically three but you might see just two or
rarely six. Six sectored sites have been touted as a great thing by manufacturers such as
Motorola who want to sell you more equipment. In practice six sectors sites have been more
trouble than they're worth. So, typically, you have three antenna per sector or 'face'. You'll
have one antenna for the voice transmit channel, one antenna for the set up or control channel,
and two antennas to receive. Or you may duplex one of the transmits onto a receive. By
sectorising you gain better control of interference issues. That is, you're transmitting in one
direction instead of broadcasting all around, like with an omni-directional antenna, so you can
tighten up your frequency re-use.

"This is a large point of confusion with, I think, most RF or radio frequency engineers, so
you'll see it written about incorrectly. While at AirTouch, I had the good fortune to work for a
few months with a consultant who was retired from Bell Labs. He was one of the engineers
who worked on cellular in the 60s and 70s. We had a few discussions on this at AirTouch, and
many of the engineers still didn't get it. And, of course, I had access to Dr. Lee frequently
during my years there. It doesn't get much more authoritative than the guys who developed
the stuff!"

4.1.4. Basic Theory and Operation


Mobile phone theory is simple. Executing that theory is extremely complex. Each cell site has
a base station with a computerized 800 megahertz transceiver and an antenna. This radio
equipment provides coverage for an area that's usually two to ten miles in radius. Even
smaller cell sites cover tunnels, subways and specific roadways. A cell's size depends on,
among other things, topography, population, and traffic.

When you turn on your phone the mobile switch determines what cell will carry the call and
assigns a vacant radio channel within that cell to take the conversation. It selects the cell to
serve you by measuring signal strength, matching your mobile phone to the cell that has
picked up the strongest signal. Managing handoffs or handovers, that is, moving from cell to
cell, is handled in a similar manner. The base station serving your call sends a hand-off
request to the mobile switch after your signal drops below a handover threshold. The cell site
makes several scans to confirm this and then switches your call to the next cell. You may
drive fifty miles, use 8 different cells and never once realize that your call has been
transferred. At least, that is the goal. Let's look at some details of this amazing technology,
starting with cellular's place in the radio spectrum and how it began.
The FCC allocates frequency space in the United States for commercial and amateur radio
services. Some of these assignments may be coordinated with the International
Telecommunications Union but many are not. Much debate and discussion over many years
placed cellular frequencies in the 800 megahertz band. By comparison, PCS or Personal
Communication Services technology operates in the 1900 MHz band. The FCC also issues the
necessary operating licenses to the different cellular providers.
Although the Bell System had trialed cellular in early 1978 in Chicago, and worldwide
deployment of AMPS began shortly thereafter, American commercial cellular development
began in earnest only after AT&T's breakup in 1984. The United States government decided
to license two carriers in each geographical area. One license went automatically to the local
telephone companies, in telecom parlance, the local exchange carriers or LECs. The other
went to an individual, a company or a group of investors who met a long list of requirements

and who properly petitioned the FCC. And, perhaps most importantly, who won the cellular
lottery. Since there were so many qualified applicants, operating licenses were ultimately
granted by the luck of a draw, not by a spectrum auction as they are today.
The local telephone companies were called the wireline carriers. The others were the non-
wireline carriers. Each company in each area took half the spectrum available. What's called
the "A Band" and the "B Band." The non-wireline carriers usually got the A Band and the
wireline carriers got the B band. There's no real advantage to having either one. It's important
to remember, though, that depending on the technology used, one carrier might provide more
connections than a competitor does with the same amount of spectrum.

Mobiles transmit on certain frequencies, cellular base stations transmit on others. A and B
refer to the carrier each frequency assignment has. A channel is made up of two
frequencies, one to transmit on and one to receive.

4.1.5. Cellular frequency and channel discussion


Mobile phone frequencies start at 824.04 MHz and end at 893.7 MHz. That's 69.66 megahertz
worth of radio frequency spectrum. Quite a chunk. By comparison, the AM broadcast band
takes up only 1.17 megahertz of space. That band, however, provides only 107 frequencies to
broadcast on. Cellular may provide thousands of frequencies to carry conversations and data.
This large number of frequencies and the large channel size required account for the large
amount of spectrum used. The most common system, AT&T's Advanced Mobile Phone
Service or (AMPS), for example, uses 832 channels that are 30 kHz wide. Years ago
Motorola and Hughes each tried making more spectrum efficient systems, cutting down on
channel size or bandwidth, but these never caught on. Motorola's system, NAMPS, standing
for Narrowband Advanced Mobile Service provided 2412 channels, using channels 10 kHz
wide instead of 30kHz. While voice quality was poor and technical problems abounded,
NAMPS died because digital and its inherent capacity gain came along, otherwise, as Mark
puts it, "We'd have all gone to NAMPS eventually, poor voice quality or not."
I mentioned that a typical cell channel is 30 kilohertz wide compared to the ten kHz allowed
on an AM radio station. How is it possible, you might ask, that a one to three watt mobile
phone call can take up a path that is three times wider than a 50,000 watt broadcast station?
Well, power does not necessarily relate to bandwidth. A high powered signal might take up

lots of room or a high powered signal might be narrowly focused. A wider channel helps with
audio quality. An FM stereo station, for example, uses a 150 kHz channel to provide the best
quality sound. A 30 kHz channel for cellular gives you great sound almost automatically,
nearly on par with the normal telephone network.
I also said that the cellular band runs from 824.04 MHz to 893.97 MHz. In particular, cell
phones or mobile phones use the frequencies from 824.04 MHz to 848.97 and the base
stations operate on 869.04 MHz to 893.97 MHz. These two frequencies in turn make up a
channel. 45 MHz separates each transmit and receive frequency within a cell or sector, a part
of a cell. That separation keeps them from interfering with each other. Getting confusing?
Let's look at the frequencies of a single cell for a single carrier. For this example, let's assume
that this is one of 21 cells in an AMPS system:
Cell#1 of 21 in Band A (The non-wireline carrier):
Channel 1 (333) Tx 879.990 Rx 834.990
Channel 2 (312) Tx 879.360 Rx 834.360
Channel 3 (291) Tx 878.730 Rx 833.730
Channel 4 (270) Tx 878.100 Rx 833.100
Channel 5 (249) Tx 877.470 Rx 832.470
Channel 6 (228) Tx 876.840 Rx 831.840
Channel 7 (207) Tx 876.210 Rx 831.210
Channel 8 (186) Tx 875.580 Rx 830.580
The number of channels within a cell or within an individual sector of a cell varies greatly,
depending on many factors. As Mark van der Hoek writes, "A sector may have as few as 4 or
as many as 80 channels. Sometimes more! For a special event like the opening of a new race
track, I've put 100 channels in a temporary site. That's called a Cell On Wheels, or COW.
Literally a cell site in a truck."
Cellular network planners assign these frequency pairs or channels carefully and in advance.
It is exacting work. Adding new channels later to increase capacity is even more difficult.
Channel layout is confusing since the ordering is non-intuitive and because there are so many
numbers involved. Speaking of numbers, check out the sidebar. Channels 800 to 832 are not
labeled as such. Cell channels go up to 799 in AMPS and then stop. Believe it or not, the
numbering begins again at 991 and then goes up to 1023. That gives us 832. Why the
confusion and the odd numbering? The Bell System originally planned for 1000 channels but
was given only 666 by the FCC. When cellular proved popular the FCC was again
approached for more channels but granted only an extra 166. By this time the frequency
spectrum and channel numbers that should have gone to cellular had been assigned to other
radio services. So the numbering picks up at 991 instead of 800.
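To make the channel arithmetic concrete, here is an added Python example (not code from the Labtech manual) that maps an AMPS channel number to its mobile and base-station frequencies and regenerates the cell 1 table above from the 21-cell reuse step. The 30 kHz spacing, the 45 MHz offset, the band edges and the 1-799/991-1023 numbering are taken from the text; anchoring channel 1023 at 825.000 MHz on the mobile side follows from those edges, and the rule that cell k starts at channel 333 minus (k-1) is this example's assumption, since the text lists only cell 1.

```python
"""AMPS channel numbering and frequency pairing (added example, not from the manual).

Uses only the figures the text gives: 30 kHz channels, a 45 MHz offset between
the mobile (reverse) and base-station (forward) frequencies, the mobile band
824.04-848.97 MHz, and channel numbers 1-799 plus 991-1023.
"""

CHANNEL_SPACING_KHZ = 30        # each AMPS channel is 30 kHz wide
DUPLEX_OFFSET_KHZ = 45_000      # base station transmits 45 MHz above the mobile
# Channel 1023 is the top of the second numbering block; it sits at 825.000 MHz
# on the mobile side, so 991-1023 fall below 825 MHz and 1-799 above it.
MOBILE_REFERENCE_KHZ = 825_000


def is_amps_channel(n: int) -> bool:
    """Channel numbers run 1-799, skip 800-990, and resume at 991-1023."""
    return 1 <= n <= 799 or 991 <= n <= 1023


def total_channels() -> int:
    """Counting the two blocks gives the 832 channels the text mentions."""
    return sum(1 for n in range(1, 1024) if is_amps_channel(n))


def channel_frequencies(n: int) -> tuple:
    """Return (mobile_tx_mhz, base_tx_mhz) for AMPS channel n."""
    if not is_amps_channel(n):
        raise ValueError(f"{n} is not an AMPS channel number")
    steps = n if n <= 799 else n - 1023      # 991..1023 -> -32..0
    mobile_khz = MOBILE_REFERENCE_KHZ + CHANNEL_SPACING_KHZ * steps
    base_khz = mobile_khz + DUPLEX_OFFSET_KHZ
    return round(mobile_khz / 1000, 3), round(base_khz / 1000, 3)


def band_edges() -> dict:
    """Lowest and highest frequency of each side of the band."""
    lo_m, lo_b = channel_frequencies(991)
    hi_m, hi_b = channel_frequencies(799)
    return {"mobile_low": lo_m, "mobile_high": hi_m, "base_low": lo_b, "base_high": hi_b}


def cell_channels(cell: int, count: int, reuse: int = 21, top: int = 333) -> list:
    """Channel numbers for one cell of a `reuse`-cell pattern.

    The manual's table for cell 1 of 21 starts at channel 333 and steps down by
    21 (333, 312, 291, ...). Giving cell k the start channel top-(k-1) is an
    assumption of this example: the manual only lists cell 1.
    """
    if not 1 <= cell <= reuse:
        raise ValueError("cell index must lie within the reuse pattern")
    channels = []
    n = top - (cell - 1)
    while len(channels) < count and n >= 1:
        channels.append(n)
        n -= reuse
    return channels


def cell_plan(cell: int, count: int) -> list:
    """(channel, base_tx_mhz, mobile_tx_mhz) rows like the manual's table."""
    rows = []
    for ch in cell_channels(cell, count):
        mobile, base = channel_frequencies(ch)
        rows.append((ch, base, mobile))
    return rows


if __name__ == "__main__":
    print(f"{total_channels()} channels, band edges {band_edges()}")
    for i, (ch, tx, rx) in enumerate(cell_plan(1, 8), start=1):
        print(f"Channel {i} ({ch}) Tx {tx:.3f} Rx {rx:.3f}")
```

Running the block prints the same eight rows as the cell 1 table above, which is a quick way to confirm that the 30 kHz step and 45 MHz offset reproduce the published pairs.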
You might wonder why frequencies are offset at all. It's so you can talk and listen at the same
time, just like a regular telephone. Cellular is not like CB radio. Citizen's band uses the same
frequency to transmit and receive. That's called "push to talk" since you must depress a
microphone key or switch each time you want to talk. Cellular, though, provides full duplex
communication. It's more expensive and complicated to do it this way, since the mobile
unit and the base station both need circuitry to transmit on one frequency while receiving on
another. But it's the only way to permit a normal back-and-forth conversation, talking whenever
you want to. Take a look at the figure below to visualize full duplex communication.
See how two frequencies, making up a voice channel, let you talk and listen at the same time?

Full duplex communication example. The two frequencies are paired and constitute a voice channel. Paths indicate direction of flow.

4.1.6. Channel Names and Functions

Okay, so what do we have? The first point is that mobile phones and base stations transmit or
communicate with each other on dedicated paired frequencies called channels. Base stations
use one frequency of that channel and mobile phones use the other. Got it? The second point
is that a certain amount of bandwidth called an 'offset' separates these frequencies. Now let's
look at what these frequencies do, as we discuss how channels work and how they are used to
pass information back and forth.
Certain channels carry only cellular system data. We call these control channels. This control
channel is usually the first channel in each cell. It's responsible for call setup, in fact, many
radio engineers prefer calling it the setup channel since that's what it does. Voice channels, by
comparison, are those paired frequencies which handle a call's traffic, be it voice or data, as
well as signaling information about the call itself.
The first channel of each cell or sector is always the control or setup channel. You have 21
control channels if you have 21 cells. A call gets going, in other words, on the control channel
first; the control channel then drops out of the picture once the call is assigned a voice
channel. The voice channel then handles the conversation as well as further signaling between
the mobile phone and the base station. Don't place too much importance, by the way, on the
setup channel. Although it comes first in each cell's lineup, most radio engineers place priority
on the voice channels in a system. The control channel lurks in the background.
When discussing mobile phone operation we call a base station's transmitting frequency the
forward path. The mobile phone's transmitting frequency, by comparison, is called the reverse
path. Do not become confused. Both radio frequencies make up a channel as we've discussed
before but we now treat them individually to discuss what direction information or traffic
flows. Knowing what direction is important for later, when we discuss how calls are
originated and how they are handled.
Once the MTSO or mobile switch assigns a voice channel, the two frequencies making up the
voice channel handle signaling during the actual conversation. You might note, then, that a call
uses two channels: voice and data. Got it? Knowing this makes many things easier. A mobile
phone's electronic serial number is only transmitted on the reverse control channel. A person
tracking ESNs needs only monitor one of 21 frequencies. They don't have to look through the
entire band.
So, we have two channels for every call with four frequencies involved. Clear? And a
forward and reverse path for each frequency. Let's name them here. Again, a frequency is the
medium upon which information travels. A path is the direction the information flows. Here
you go:
Forward control path: Base station to mobile phone
Reverse control path: Mobile phone to base station

------------------------------
Forward voice path: Base station to mobile phone
Reverse voice path: Mobile phone to base station
One last point at the risk of losing everybody. You'll hear about dedicated control channels,
paging channels, and access channels. These are not different channels but different uses of
the control channel. Let's clear up this terminology confusion by looking at call processing.
We'll look at the way AMPS sets up calls. Both analog and digital cellular (IS-54) use this
method, CDMA cellular being the exception. We'll also touch on a number of new terms
along the way.

The control channel and the voice channel, paired frequencies upon which information flows. Paths indicate direction of flow.

4.1.7. AMPS Call Processing

Let's look at how cellular uses data channels and voice channels. Keep in mind the big picture
while we discuss this. A call gets set up on a control channel and another channel actually
carries the conversation. The whole process begins with registration. It's what happens when
you first turn on a phone but before you punch in a number and hit the send button. It only
takes a few hundred milliseconds. Registration lets the local system know that a phone is
active, in a particular area, and that the mobile can now take incoming calls. What cell folks
call pages. If the mobile is roaming outside its home area its home system gets notified.
Registration begins when you turn on your phone.
Mobile phones run a self diagnostic when they're powered up. Once completed they act like a
scanning radio. Searching through their list of forward control channels, they pick one with
the strongest signal, the nearest cell or sector usually providing that. Just to be sure, the
mobile phone re-scans and camps on the strongest one. Not making a call but still on? The
mobile phone re-scans every seven seconds or when signal strength drops below a
pre-determined level. After selecting a channel the phone then identifies itself on the reverse
control path. The mobile sends its phone number, its electronic serial number, and its home
system ID. Among other things. The cell site relays this information to the mobile
telecommunications switching office. The MTSO, in turn, communicates with different
databases, switching centers and software programs.
The local system registers the mobile phone if everything checks out. Mr. Mobile can now
take incoming calls since the system is aware that it is in use. The mobile then monitors
paging channels while it idles. It starts this scanning with the initial paging channel or IPCH.
That's usually channel 333 for the non-wireline carrier and 334 for the wireline carrier. The
mobile is programmed with this information and 21 channels to scan when your carrier
programs your phone's directory number, the MIN, or mobile identification number. Again,
the paging channel or path is another word for the forward control channel. It carries data and
is transmitted by the cell site. A mobile first responds to a page on the reverse control channel
of the cell it is in. The MTSO then assigns yet another channel for the conversation. But I am
getting ahead of myself. Let's finish registration.
Registration is an ongoing process. Moving from one service area to another causes
registration to begin again. Just waiting ten or fifteen minutes does the same thing. It's an
automatic activity of the system. It updates the status of the waiting phone to let the system
know what's going on. The cell site can initiate registration on its own by sending a signal to
the mobile. That forces the unit to transmit and identify itself. Registration also takes place
just before you call. Again, the whole process takes only a few hundred milliseconds.
AMPS uses frequency shift keying to send data, just like a modem. Data is sent in binary, 0's
and 1's: 0's go on one frequency and 1's go on another, alternating back and forth in rapid
succession. Don't be confused by the mention of additional frequencies. Frequency shift
keying uses the existing carrier wave; the data rides 8 kHz above and below, say, 879.990
MHz. Read up on the earliest kinds of modems and FSK and you'll understand the way
AMPS sends digital information. Data gets sent at 10 kbps or 10,000 bits per second from the
cell site. That's fairly slow to begin with but fast enough to do the job. Since cellular uses
radio waves to communicate, of course, signals are subject to the vagaries of the radio band.
Things such as billboards, trucks, and underpasses, can deflect a cellular call. So the system
repeats each part of each digital message five times. That slows things considerably. Add in
the time for encoding and decoding the digital stream and the actual transfer rate can fall to as
low as 1200 bps.
Remember, too, that an analog wave carries this digital information, just like most modems.
It's not completely accurate, therefore, to call AMPS an analog system. AMPS is actually a
hybrid system, combining both digital and analog signals.
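The five-fold repetition described above can be seen in working code. This added Python example (not from the manual) encodes a control-channel word five times and recovers it with a bitwise majority vote, which is how a receiver typically makes use of such repetition; the vote rule, the 7-bit sample word and the simulated bit flips are this example's constructions, not figures from the text.

```python
"""Five-fold message repetition with majority-vote decoding (added example, not
from the manual).

The text says AMPS sends control-channel data at 10 kbps and repeats each part
of a message five times to survive radio fades. Combining the five copies by a
bitwise majority vote is this example's assumption about the receiver; the
manual only states the repetition.
"""

RAW_RATE_BPS = 10_000   # control-channel signaling rate from the cell site
REPEATS = 5             # each word is transmitted five times


def encode_word(word: str, repeats: int = REPEATS) -> list:
    """Transmit side: emit `repeats` identical copies of a binary word."""
    if set(word) - {"0", "1"}:
        raise ValueError("word must be a string of 0s and 1s")
    return [word] * repeats


def majority_decode(copies: list) -> str:
    """Receive side: for each bit position take the value most copies agree on."""
    width = len(copies[0])
    if any(len(c) != width for c in copies):
        raise ValueError("all copies must have the same width")
    decoded = []
    for i in range(width):
        ones = sum(c[i] == "1" for c in copies)
        decoded.append("1" if ones * 2 > len(copies) else "0")
    return "".join(decoded)


def flip_bits(word: str, positions: list) -> str:
    """Simulate a fade hitting one copy: invert the bits at `positions`."""
    bits = list(word)
    for p in positions:
        bits[p] = "0" if bits[p] == "1" else "1"
    return "".join(bits)


def payload_rate_bps(repeats: int = REPEATS, raw: int = RAW_RATE_BPS) -> float:
    """Throughput left after repetition alone. Framing and parity are not
    modelled here, which is why the text's figure can fall as low as 1200 bps."""
    return raw / repeats


def demo_recovery() -> tuple:
    """Constructed scenario: a 7-bit word, two copies damaged (recoverable) and
    then a third copy damaged at the same bit (vote lost)."""
    word = "1011001"
    copies = encode_word(word)
    copies[1] = flip_bits(copies[1], [0, 3])   # fade on the second copy
    copies[3] = flip_bits(copies[3], [3])      # another hit on the fourth copy
    recovered = majority_decode(copies)
    copies[4] = flip_bits(copies[4], [3])      # third copy wrong at bit 3: 3 of 5 now disagree
    lost = majority_decode(copies)
    return word, recovered, lost


if __name__ == "__main__":
    original, ok, bad = demo_recovery()
    print(f"sent {original}, recovered {ok}, after a third hit {bad}")
    print(f"payload rate after repetition: {payload_rate_bps():.0f} bps")
```

The majority vote tolerates any two of the five copies being corrupted at a given bit; once three copies disagree at the same position the receiver accepts the wrong value, which is the trade-off behind repeating a word five times rather than three.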


IS-54B, IS-136 frame with time slots

A quick word about 'slots'. Slots hold individual call information within the frame,
remember? In this case we have one frame of information containing six slots. Two slots
make up one voice circuit in TDMA, like slots 1 and 4, 2 and 5, or 3 and 6. The data rate is
48.6 kbit/s, less than a 56K modem, with each slot transmitting 324 bits in 6.67 ms. How is
this rate determined? By the number of samples taken, when speech is first converted to
digital. Remember Pulse Amplitude Modulation? Let's look at what's contained in just one
slot of half a frame in digital cellular.
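An added Python example (not code from the manual) that interleaves three calls' bit streams into six-slot IS-54 frames using the slot pairs named above and recovers each call on the receiving side. The 324-bit burst, 6.67 ms slot and 48.6 kbit/s rate come from the text; the bit strings are constructed, and the per-slot fields (guard, ramp, SYNC, DVCC, SACCH) are folded into one opaque burst rather than modelled separately.

```python
"""Interleaving three calls into IS-54 six-slot frames (added example, not from
the manual).

Figures from the text: 48.6 kbit/s channel rate, six slots per frame, 324 bits
per slot, 6.67 ms per slot, and slot pairs (1,4), (2,5), (3,6) forming one
voice circuit. The bit strings fed in are constructed sample data.
"""
from typing import Optional

SLOTS_PER_FRAME = 6
BITS_PER_SLOT = 324
SLOT_MS = 6.67
CHANNEL_RATE_BPS = 48_600
CALLS_PER_CHANNEL = 3


def slots_for_call(call: int) -> tuple:
    """Call 1 -> slots (1, 4), call 2 -> (2, 5), call 3 -> (3, 6)."""
    if not 1 <= call <= CALLS_PER_CHANNEL:
        raise ValueError("a 30 kHz IS-54 channel carries three calls")
    return call, call + CALLS_PER_CHANNEL


def bursts(bits: str, size: int = BITS_PER_SLOT) -> list:
    """Chop one call's bit string into slot-sized bursts (the last may be short)."""
    return [bits[i:i + size] for i in range(0, len(bits), size)]


def multiplex(streams: dict) -> list:
    """Place each call's bursts into its two slots of successive frames.

    Each frame holds two bursts per call, so a call with n bursts needs
    ceil(n / 2) frames; slots for which a call has no burst stay None.
    """
    per_call = {call: bursts(bits) for call, bits in streams.items()}
    n_frames = max((len(b) + 1) // 2 for b in per_call.values())
    frames = []
    for f in range(n_frames):
        frame = [None] * SLOTS_PER_FRAME
        for call, blist in per_call.items():
            first, second = slots_for_call(call)
            if 2 * f < len(blist):
                frame[first - 1] = blist[2 * f]
            if 2 * f + 1 < len(blist):
                frame[second - 1] = blist[2 * f + 1]
        frames.append(frame)
    return frames


def demultiplex(frames: list, call: int) -> str:
    """Receiver for one call: read only its two slots from every frame."""
    first, second = slots_for_call(call)
    return "".join(b for fr in frames for b in (fr[first - 1], fr[second - 1]) if b)


def timing() -> dict:
    """Frame length and per-call rate implied by the text's figures."""
    return {
        "frame_ms": round(SLOTS_PER_FRAME * SLOT_MS, 2),
        "slot_rate_bps": round(BITS_PER_SLOT / (SLOT_MS / 1000)),
        "per_call_bps": CHANNEL_RATE_BPS // CALLS_PER_CHANNEL,
    }


if __name__ == "__main__":
    sample = {1: "10" * 486, 2: "0" * 324, 3: "0110" * 324}   # constructed
    frames = multiplex(sample)
    print(f"{len(frames)} frames, timing {timing()}")
    for call in sample:
        print(call, demultiplex(frames, call) == sample[call])
```

The 324 bits per 6.67 ms slot works out to about 48.6 kbit/s for the whole channel, and since each call owns two of the six slots its share is 16.2 kbit/s; the frame itself lasts about 40 ms.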

IS-54B time slot structure and the Channels Within

Okay, here are the actual bits, arranged in their containers, the slots. All numbers in the figure
refer to numbers of bits. Note that data fields and channels change depending on the direction or
path in use at the time, that is, a link from the base station to the mobile, or a call
from the mobile to the base station. Here are the abbreviations:
G: Guard time. Keeps one time slot or data burst separate from the others.
R: Ramp time. Lets the transmitter go from a quiet state to full power.
DATA: The data bits of the actual conversation.
DVCC: Digital verification color code. Data field that keeps the mobile on frequency.
RSVD: Reserved.
SACCH: Slow associated control channel. Where system control information goes.
SYNC: Time synchronization signal.


Getting a Call -- The Process

Okay, your mobile phone's now registered with your local system. Let's say you get a call. It's
the F.B.I., asking you to turn yourself in. You laugh and hang up. As you speed to Mexico
you marvel at the technology involved. What happened? Your phone recognized its mobile
number on the paging channel. Remember, that's always the forward control channel or path
except in a CDMA system. The mobile phone responded by sending its identifying
information again to the MTSO, along with a message confirming that it received the page.
The system responded by sending a voice channel assignment to the cell you were in. The cell
site's transceiver got this information and began setting things up. It first informed the mobile
about the new channel, say, channel 10 in cell number 8. It then generated a supervisory
audio tone or SAT on the forward voice frequency. What's that?
The SAT, Dial Tone, and Blank and Burst

An SAT is a high pitched, inaudible tone that helps the system distinguish between callers on
the same channel but in different cells. The mobile tunes to its assigned channel and it looks
for the right supervisory audio tone. Upon hearing it, the mobile throws the tone back to the
cell site on its reverse voice channel. What engineers call transpond, the automatic relaying of
a signal. We now have a loop going between the cell site and the mobile phone. No SAT or
the wrong SAT means no good.
AMPS generates the supervisory audio tone at three different non-radio frequencies. SAT 0 is
at 5970 Hz, SAT 1 is at 6000 Hz, and SAT 2 is at 6030 Hz. Using different frequencies makes
sure that the mobile phone is using the right channel assignment. It's not enough to get a tone
on the right forward and reverse path -- the mobile must connect to the right channel and the
right SAT. Two steps. This tone is transmitted continuously during a call. You don't hear it
since it's filtered during transmission. The mobile, in fact, drops a call after five seconds if it
loses the SAT or has the wrong one. The all-digital GSM and PCS systems, by comparison, drop
the call like AMPS but then automatically try to re-connect on another channel that may not
be suffering the same interference.
The cell site unmutes the forward voice channel if the SAT gets returned, causing the mobile
to take the mute off the reverse voice channel. Your mobile phone then produces a ring for
you to hear. This is unlike a landline telephone in which ringing gets produced at a central
office or switch. To digress briefly, dial tone is not present on AMPS phones, although E.F.
Johnson phones produced land line type dial tone within the unit.
Enough about the SAT. I mentioned another tone that's generated by the mobile phone itself.
It's called the signaling tone or ST. Don't confuse it with the SAT. You need the supervisory
audio tone first. The ST comes in after that; it's necessary to complete the call. The mobile
phone produces the ST, compared to the SAT which the cell site originates. It's a 10 kHz
audio tone. The mobile starts transmitting this signal back to the cell on the forward voice
path once it gets an alerting message. Your phone stops transmitting it once you pick up the
handset or otherwise go off hook to answer the ring. Cell folks might call this confirmation of
alert. The system knows that you've picked up the phone when the ST stops.
AMPS uses signaling tones of different lengths to indicate three other things. Cleardown or
termination means hanging up, going on hook, or terminating a call. The mobile phone sends
a signaling tone of 1.8 seconds when that happens. 400 ms. of ST means a hookflash.
Hookflash requests additional services during a conversation in some areas. Confirmation of
handover request is another arcane cell term. The ST gets sent for 50 ms. before your call is
handed from one cell to another. Along with the SAT. That assures a smooth handoff from
one cell to another. The MTSO assigns a new channel, checks for the right SAT and listens
for a signaling tone when a handover occurs. Complicated but effective and all happening in
less than a second.
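The SAT loop, the five-second drop rule and the three ST burst lengths above can be put together into a small monitor. This added Python example (not from the manual) models the mobile side of one voice channel: it transponds while the assigned SAT is heard, starts a five-second clock on a wrong or missing SAT, and names an ST burst by its length. The frequency and duration tolerances and the sample tone sequence are this example's assumptions and constructions.

```python
"""Voice-channel supervision with SAT and ST, modelled on the rules the text
gives (added example, not from the manual).

SAT 0/1/2 = 5970/6000/6030 Hz; the mobile transponds the SAT it was assigned
and drops the call after five seconds without the right SAT. The signaling
tone (ST) at 10 kHz is classified by burst length: 1.8 s cleardown, 400 ms
hookflash, 50 ms handover confirmation. The matching tolerances are this
example's assumptions, not figures from the manual.
"""
from typing import Optional

SAT_FREQ_HZ = {0: 5970, 1: 6000, 2: 6030}
SAT_LOSS_TIMEOUT_S = 5.0
ST_FREQ_HZ = 10_000
ST_BURSTS_S = [(1.8, "cleardown"), (0.4, "hookflash"), (0.05, "handover-confirm")]


def sat_code_for(freq_hz: Optional[int], tolerance_hz: int = 10) -> Optional[int]:
    """Map a measured tone to a SAT code; None if no SAT is present or recognised."""
    if freq_hz is None:
        return None
    for code, nominal in SAT_FREQ_HZ.items():
        if abs(freq_hz - nominal) <= tolerance_hz:
            return code
    return None


def classify_st(duration_s: float, rel_tolerance: float = 0.25) -> Optional[str]:
    """Name an ST burst by its length (+/- 25% of nominal, an assumption)."""
    for nominal, meaning in ST_BURSTS_S:
        if abs(duration_s - nominal) <= nominal * rel_tolerance:
            return meaning
    return None


class VoiceChannelMonitor:
    """Mobile-side view of one voice channel: transpond the right SAT, time
    out on the wrong one."""

    def __init__(self, assigned_sat: int):
        self.assigned_sat = assigned_sat
        self.bad_since: Optional[float] = None
        self.dropped = False

    def sat_sample(self, t: float, freq_hz: Optional[int]) -> str:
        """Feed one SAT measurement at time t (seconds); return the action."""
        if self.dropped:
            return "dropped"
        if sat_code_for(freq_hz) == self.assigned_sat:
            self.bad_since = None            # loop is healthy again
            return "transpond"
        if self.bad_since is None:
            self.bad_since = t               # start the five-second clock
        if t - self.bad_since >= SAT_LOSS_TIMEOUT_S:
            self.dropped = True
            return "drop"
        return "waiting"


def demo_call() -> list:
    """Constructed sequence: good SAT, then a neighbouring cell's SAT bleeds
    in, then nothing, until the five-second timeout drops the call."""
    mon = VoiceChannelMonitor(assigned_sat=1)
    samples = [(0.0, 6000), (1.0, 6001), (2.0, 5970), (4.0, None), (6.9, 5970), (7.0, None)]
    return [mon.sat_sample(t, f) for t, f in samples]


if __name__ == "__main__":
    print(demo_call())
    for d in (1.8, 0.4, 0.05, 0.9):
        print(f"ST burst {d} s -> {classify_st(d)}")
```

The wrong SAT (5970 Hz from a co-channel cell) is treated exactly like silence: the mobile stops transponding and the clock runs until either the assigned tone returns or five seconds elapse.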
Okay, we're now on the line with someone. Maybe you! How does the mobile communicate
with the base station while a conversation is in progress? Yes, there is a control
frequency but the mobile phone can only transmit on one frequency at a time. So what
happens? The secret is a straightforward process known as blank and burst. As Mark van der
Hoek puts it,
"Once a call is up on a voice channel, all signaling is done on the voice channel via a scheme
known as "Blank and Burst". When the site needs to send an order to the mobile, such as hand
off, power up, or power down, it mutes the SAT on the voice channel. This is filtered at the
mobile so that the customer never hears it. When the SAT is muted, the phone mutes the
audio path, thus the "blank", and the site sends a "burst" of data. The process takes a fraction
of a second and is scarcely noticeable to the customer. Again, it's more noticeable on a
Motorola system than on Ericsson or Lucent. You can sometimes hear the 'bzzt' of the data
burst."
Blank and burst is similar to the way many telco payphones signal. Let's say you're making a
long distance call. The operator or the automated coin toll service computer asks you for
$1.35 for the first three minutes. And maybe another dollar during the conversation. The
payphone will mute or blank out the voice channel when you deposit the coins. That's so it
can burst the tones of the different denominations to the operator or ACTS. These days you
won't often hear those tones. And all done through blank and burst. Now let's get back to
cellular.

4.1.8. Origination -- Making a call

Making a mobile phone call uses many of the same steps as receiving a call; it's the same basic process.
Punch out the number that you want to call. Press the send button. Your mobile transmits that
telephone number, along with a request for service signal, and all the information used to
register a call to the cell site. The mobile transmits this information on the strongest reverse
control channel. The MTSO checks out this info and assigns a voice channel. It
communicates that assignment to the mobile on the forward control channel. The cell site
opens a voice channel and transmits a SAT on it. The mobile phone detects the SAT and
locks on, transmitting it back to the cell site. The MTSO detects this confirmation and sends
the mobile a message in return. This could be several things. It might be a busy signal,
ringback or whatever tone was delivered to the switch. Making a call, however, involves far
more problems and resources than an incoming call does.
Making a call and getting a call from your mobile phone should be equally easy. It isn't, but
not for technical reasons, that is, the work of setting up and carrying a call. Rather, originating a call from
a mobile presents fraud issues for the user and the carrier. Especially when you are out of
your local area. Incoming calls don't present a risk to the carrier. Someone on the other end is
paying for them. The carrier, however, is responsible for the cost of fraudulent calls
originating in its system. Most systems shut down roaming or do an operator intercept rather
than allow a questionable call. I've had close friends asked for their credit card numbers by
operators to place a call.
Can you imagine giving a credit card number or a calling card number over the air? You're
now making calls at a payphone, just like the good old days. Cellular One has shut down
roaming "privileges" altogether in New York City, Washington and Miami at different times.
But you can go through their operator and pay three times the cost of a normal call if you like.
So what's going on? Why the problem with some outgoing calls? We first have to look at
some more terms and procedures. We need to see what happens with call processing at the
switch and network level. This is the exciting world of precall validation.
Precall Validation -- Process and Terms

We know that pressing send or turning on the mobile phone conveys information about the
phone to the cell site and then to the MTSO. A call gets checked with all this information.
There are many parts to each digital message. A five digit code called the home system
identification number (SID or sometimes SIDH) identifies the cellular carrier your mobile
phone is registered with. For example, Cellular One's code in Sacramento, California, is
00129. Go to Stockton forty miles south and Cellular One uses 00224. A system can easily
identify roamers with this information. The "Roaming" lamp flashes or the LED pulses if you
are out of your local area. Or the "No Service" lamp comes on if the mobile phone can't pick
up a decent signal. This number is keypad programmable, of course, since people change
carriers and move to different areas. You can find yours by calling up a local cellular dealer.
Or by putting your phone in the programming mode.
This number doesn't go off in a numerical form, of course, but as a binary string of zeros and
ones. These digital signals are repeated several times to make sure they get received. The
phone identification number or MIN is your mobile phone's number. MINs are keypad
programmable. You or a dealer can assign it any number desired. That makes it different than
its electronic serial number which we'll discuss next. A MIN is ten digits long. A MIN is not
your directory number since it is not long enough to include a country code. It's also limited
when it comes to future uses since it isn't long enough to carry an extension number.
The electronic serial number or ESN is a unique number assigned to each mobile phone. One
per phone! Every phone starts out with just one ESN. This number gets electronically burned
into the mobile phone's ROM, or read only memory chip. A phone's MIN may change but the
serial number remains the same. The ESN is a long binary number. Its 32 bit size provides
billions of possible serial numbers. The ESN gets transmitted whenever the phone is turned
on, handed over to another cell or at regular intervals decided by the system. Every ten to
fifteen minutes is typical. Capturing an ESN lies at the heart of cloning. You'll often hear
about stolen codes. "Someone stole Mayor Giuliani's and Commissioner Bratton's codes." The
ESN is what is actually being intercepted. A code is something that stands for something else.
In this case, the ESN. A hexadecimal number represents the ESN for programming and test
purposes. Such a number might look like this: 82 57 2C 01.
The station class mark or SCM tells the cell site and the switch what power level the mobile
phone operates at. The cell site can turn down the power in your phone, lowering it to a level
that will do the job while not interfering with the rest of the system. In years past the station
class mark also told the switch not to assign older phones to a so called expanded channel,
since those phones were not built with the new frequencies the FCC allowed.
The switch processes this information along with other data. It first checks for a valid ESN/MIN
combination. You don't get access unless your phone number matches up with a correct, valid
serial number and MIN. You have to have both unless, perhaps, you call 911. The local
carrier checks its own database first. Each carrier maintains its own records but the database
may be almost anywhere. These local databases are updated, supposedly, around the clock by
two much larger databases maintained by Electronic Data Systems and GTE. EDS maintains
records for most of the former Bell companies and their new cellular spin offs. GTE
maintains records for GTE cellular companies as well as for the Cellular One group, a
consortium of many different companies. Your call will not proceed unless
everything checks out. These database companies try to supply a current list of bad ESNs as
well as information to the network on the tens of thousands of cellular users coming on line
every day.
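The validation steps just described, as an added Python example rather than the manual's or any carrier's code: it parses the hex ESN the text shows, requires a ten-digit MIN, checks the ESN/MIN pair against a subscriber table, consults a negative list of bad ESNs, and treats a foreign SID as a roamer whose record must be fetched from its home system (or intercepted when no link exists). The subscriber table, the roamer's SID, the MINs and the negative-list entry are constructed sample data; the 911 exception and the Sacramento SID 00129 come from the text. Note that a correctly matching ESN/MIN pair proves nothing about cloning on its own, which is why the negative list is consulted before the pair is trusted.

```python
"""Precall validation as the text describes it (added example, not the manual's
or any carrier's code).

A registration or origination carries the home SID, the MIN, the ESN and the
SCM. The switch checks the ESN/MIN pair against its own database, consults a
negative list of bad ESNs, and treats a foreign SID as a roamer whose record
must be fetched from the home system. All subscriber data below is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class AccessRequest:
    sid: str                      # five-digit home system id, e.g. "00129"
    min_: str                     # ten-digit mobile identification number
    esn_hex: str                  # ESN in programming-style hex, e.g. "82 57 2C 01"
    scm: int                      # station class mark (power class)
    dialed: Optional[str] = None  # digits dialed on an origination, None on registration


def parse_esn(esn_hex: str) -> int:
    """Turn '82 57 2C 01' into the 32-bit value the phone actually transmits."""
    value = int(esn_hex.replace(" ", ""), 16)
    if not 0 <= value < 2 ** 32:
        raise ValueError("ESN is a 32-bit number")
    return value


def valid_min(min_: str) -> bool:
    """The text gives the MIN as ten digits."""
    return len(min_) == 10 and min_.isdigit()


# Constructed local-carrier data: the SID 00129 is the one the text quotes for
# Sacramento; the MINs, ESNs and the negative-list entry are sample values.
LOCAL_SID = "00129"
SUBSCRIBERS = {
    "9165550100": parse_esn("82 57 2C 01"),
    "9165550101": parse_esn("82 57 2C 02"),
}
BAD_ESNS = {parse_esn("82 57 2C 02")}   # reported stolen or cloned


def validate(req: AccessRequest, *, local_sid: str = LOCAL_SID,
             subscribers: dict = SUBSCRIBERS, bad_esns: set = BAD_ESNS,
             home_lookup: Optional[Callable[[str, str], Optional[int]]] = None) -> str:
    """Decide what the switch does with the request. `home_lookup(sid, min)`
    stands in for the query to a roamer's home system; None means no link."""
    if req.dialed == "911":
        return "allow-emergency"           # the text's exception to the ESN/MIN rule
    if not valid_min(req.min_):
        return "deny-malformed-min"
    esn = parse_esn(req.esn_hex)
    if esn in bad_esns:
        return "deny-bad-esn"              # negative list wins over a matching pair
    if req.sid == local_sid:
        if subscribers.get(req.min_) == esn:
            return "allow"
        return "deny-esn-min-mismatch"
    # Roamer: the pair can only be checked from afar.
    if home_lookup is None:
        return "intercept-roamer"          # operator intercept / roaming shut off
    if home_lookup(req.sid, req.min_) == esn:
        return "allow-roamer"
    return "deny-esn-min-mismatch"


if __name__ == "__main__":
    local = AccessRequest("00129", "9165550100", "82 57 2C 01", 0)
    roamer = AccessRequest("00224", "9165550100", "82 57 2C 01", 0)
    print(validate(local), validate(roamer))
```

The roamer path is where the text's cost and fraud concerns live: without a working link to the home system the switch has no way to check the pair, so the safe default is an intercept rather than an allow.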
A local caller will probably get access if validation is successful. Roamers may not have the
same luck if they're in another state or fairly distant from their home system. Even seven
miles from San Francisco, depending on the area you are in. (I know this personally.) A roamer's
record must be checked from afar. Many carriers still can't agree on the way to exchange their
information or how to pay for it. A lot comes down to cost. A distant system may still be
dependent on older switches or slower databases that can't provide a quick response. The so
called North American Cellular Network attempts to link each participating carrier together
with the same intelligent network/system 7 facilities.
Still, that leaves many rural areas out of the loop. A call may be dropped or intercepted rather
than allowed access. In addition, the various carriers are always arguing over fees to query
each other's databases. Fraud is enough of a problem in some areas that many systems will not
take a chance in passing a call through. It's really a numbers game. How much is the system
actually losing, compared to how much prevention would cost? Preventive measures may
cost millions of dollars to put in place at each MTSO. Still, as the years go along, cooperation
among carriers is getting better and the number of easily cloned analog phones in use is
declining. Roaming is now easier than a few years ago.

4.1.9. AMPS and Digital Systems compared

The most commonly used digital cellular system in America is the poetically named IS-54,
colloquially known as D-AMPS or digital AMPS. Make sure you are not misled, this system
is all digital, not like the analog AMPS. Don't run the two names together! IS-54 uses a
multiplexing technique called TDMA or time division multiple access. The TDMA scheme IS-54
uses puts three calls into the same 30 kHz channel space that AMPS uses to carry one call. It
does this trick by digitally slicing and dicing parts of each conversation into a single data
stream, like filling up one boxcar after another with freight. We'll see how that works in a bit.
TDMA is a transmission technique or access technology, while IS-54 is an operating system.
In the same way AMPS is also an operating system, using a different access technology,
FDMA, or frequency division multiple access. See the difference? Not really? Well, different
cellular systems might both use TDMA, like GSM or IS-136, AT&T's latest digital
cellular service. But TDMA, by itself, does not alone a system make. Let's clear this up.
To access means to use, make available, or take control. In a communication system like the
analog based Advanced Mobile Phone Service, we access that system by using frequency
division multiple access or FDMA. Frequency division means calls are placed or divided by
frequency, that is, one call goes on one frequency, say, 100 MHz, and another call goes on
another, say, 200 MHz. Multiple access means the cell site can handle many calls at once.
You can also put digital signals on many frequencies, of course, and that would still be
FDMA. But AMPS traffic is analog.
(Access technology, although a current wireless phrase, is, to me, an open and formless term.
Transmission, the process of transmitting, of conveying intelligence from one point to
another, is a long settled, traditional way to express how signals are sent along. I'll use the
terms here interchangeably.)
By comparison, time division multiple access or TDMA handles multiple and simultaneous
calls by dividing them in time, not by frequency. This is purely digital transmission. Voice
traffic is digitized and portions of many calls are put into a single bit stream, one sample at a
time. We'll see with IS-54 that three calls are placed on a single radio channel, one after
another. Note how TDMA is the access technology and IS-54 is the operating system?
Another access method is code division multiple access or CDMA. The cellular system that
uses it, IS-95, tags each and every part of multiple conversations with a specific digital code.
That code lets the operating system reassemble the jumbled calls at the base station. Again,
CDMA is the transmission method and IS-95 is the operating system. . . .
All IS-54 mobile phones handle analog traffic as well as digital, a great feature since you can
travel to rural areas that don't have digital service and still make a call. The beauty of mobile
phones with an AMPS backup mode is they default to analog. As long as your carrier
maintains analog channels you can get through. And this applies as well to what's known
as IS-95, a cellular system using CDMA or code division multiple access. Your phone still
operates in analog if it can't get a CDMA channel. But I am getting ahead of myself. Back to
time division multiple access.
TDMA's chief benefit to carriers or cellular operators comes from increasing call capacity -- a
channel can carry three conversations instead of just one. But, you say, so could NAMPS, the
now dead analog system we looked at briefly. What's the big deal? NAMPS had the same
fading problems as AMPS, lacked the error correction that digital systems provided and
wasn't sophisticated enough to handle encryption or advanced services. Things such as calling
number identification, extension phone service and messaging. In addition, you can't monitor
a TDMA conversation as easily as an analog call. So, there are other reasons than call
capacity to move to a different technology. Many people ascribe benefits to TDMA because it
is a digital system. Yes and no.
Advanced features depend on digital but conserving bandwidth does not. How's that? Three
conversations get handled on a single frequency. Call capacity increases. But is that a virtue
of digital? No, it is a virtue of multiplexing. A digital signal does not automatically mean less
bandwidth, in fact, it means more. Multiplexing means transmitting multiple conversations on
the same frequency at once. In this case, small parts of three conversations get sent almost
simultaneously. This is not the same as NAMPS, which splits the frequency band into three
discrete sub-frequencies of 10 kHz apiece. TDMA uses the whole frequency to transmit while
NAMPS does not.
This is a good place to pause now that we are talking about digital. AMPS is a hybrid system,
combining digital signaling on the setup channels and on the voice channel when it uses blank
and burst. Voice traffic, though, is analog, as are the tones that keep it on frequency and help it
find a vacant channel. That's AMPS. But IS-54, now folded into IS-136, is all digital. That's
because it uses digital on its set-up channels, the same radio frequencies that AMPS uses, and
all digital signaling on the voice channel. TDMA, GSM, PCS, and CDMA cellular are all
digital. Let's look at some TDMA basics. But before we do, let me mention one thing.
I wrote in passing about how increasing call capacity was the chief benefit of TDMA to
cellular operators. But it is not necessarily of benefit to the caller, since most new digital
routines play havoc with voice quality. An uncompressed, non-multiplexed, bandwidth
hogging analog signal simply sounds better than its present day digital counterpart. If you
have listened to talk radio you know what I mean, as one mobile phone caller after another
presents their version of digital noise. As the August, 2000 Consumers Digest puts it,
"Digital cellular service does have a couple of drawbacks, the most important of which is
audio quality. Analog mobile phones sound worlds better. Many folks have commented on
what we call the 'Flipper Effect.' It refers to the sound of your voice taking on an
'underwater-like' quality with many digital phones. In poor signal areas or when cell sites are
struggling with high call volume, digital mobile phones will often lose full-duplex capability
(the ability of both parties to talk simultaneously), and your voice may break up and sound
garbled."
Getting back to our narrative, and to review, we see that going digital doesn't mean anything
special. A multiplexed digital signal is what is key. Each frequency gets divided into six
repeating time slots or frames. Two slots in each frame get assigned for each call. An empty
slot serves as a guard space. This may sound esoteric but it is not. Time division multiplexing
is a proven technology. It's the basis for T1, still the backbone of digital transmission in this
country. Using this method, a T1 line can carry 24 separate mobile phone lines into your
house or business with just an extra twisted pair. Demultiplexing those conversations is no
more difficult than adding the right circuit board to a personal computer. TDMA is a little
different from TDM, but it too has a long history, in satellite work.

What is important to understand is that the system synchronizes each mobile with a master
clock when a mobile phone initiates or receives a call. It assigns a specific time slot for that
call to use during the conversation. Think of a circus carousel and three groups of kids waiting
for a ride. The horses represent a time slot. Let's say there are eight horses on the carousel.
Each group of kids gets told to jump on a different colored horse when it comes around. One
group rides a red horse, one rides a white one and the other one rides a black horse. They ride
the carousel until they get off at a designated point. Now, if our kids were orderly, you'd see
three lines of children descending on the carousel with one line of kids moving away. In the
case of TDMA, one revolution of the ride might represent one frame. This precisely
synchronized system keeps everyone's call in order. This synchronization continues
throughout the call. Timing information is in every frame. Any digital scheme, though, is no
circus. The actual complexity of these systems is daunting.
There are variations of TDMA. The only one that I am aware of in America is E-TDMA. It is
or was operated in Mobile, Alabama by Bell South. Hughes Network Systems developed this
E-TDMA or Enhanced TDMA. It runs on their equipment. Hughes developed much of their
expertise in this area with satellites. E-TDMA seems to be a dynamic system. Slots get
assigned a frame position as needed. Let's say that you are listening to your wife or a
girlfriend. She's doing all the talking because you've forgotten her birthday. Again. Your
transmit path is open but it's not doing much. As I understand it, "digital speech interpolation"
or DSI stuffs the frame that your call would normally use with other bits from other calls. In
other words, it fills in the quiet spaces in your call with other information. DSI kicks in when
your signal level drops to a pre-determined level. Call capacity gets increased over normal
TDMA. This trick had been limited before to very high density telephone trunks passing
traffic between toll offices. Their system also uses half rate vocoders, advanced speech
compression equipment that can double the amount of calls carried.
Before we turn to another multiplexing scheme, CDMA, let's consider how a digital mobile
phone determines how to choose a digital channel and not an analog one. Perhaps I should
have covered that before this section, but you may know enough terminology to understand
what Mark van der Hoek has to say:
"The AMPS system control channel has a bit in its data stream which is called the 'Extended
Protocol Bit.' This was designed in by Bell Labs to facilitate unknown future enhancements. It
is used by both CDMA and TDMA 800 MHz systems."
"When a dual mode mobile phone (TDMA or CDMA and AMPS) first powers up, it goes
through a self check, then starts scanning the 21 control or setup channels, the same as an
AMPS-only phone. When it locks on, it looks for what's called an Extended Protocol Bit
within that data stream. If it is low, it stays in AMPS. If that bit is high, the phone goes
looking for digital service, according to an established routine. That routine is obviously
different for CDMA and TDMA.
"TDMA mobile phones then tune to one of the RF channels that has been set up by the carrier
as a TDMA channel. Within that TDMA channel data stream is found blocks of control
information interspersed in a carefully defined sequence with voice data. Some of these
blocks are designated as the access or control channel for TDMA. This logical or data
channel, a term brought in from the computer side, constitutes the access channel."
"Remember, the term 'channel' may refer to a pair of radio frequencies or to a particular
segment of data. When data is involved it constitutes the 'logical channel'. In TDMA, the
sequence differentiates a number of logical channels. This different use of the same term
channel, at once for radio frequencies and at the same time for blocks of data information,
accounts for many readers' confusion. By comparison, in CDMA everything is on the same
RF channel. No setting up on one radio frequency channel and then moving off to another.
Within the one radio frequency channel we have traffic (voice) channels, access channels, and
sync channels, differentiated by Walsh code."

Let's now look at CDMA.

4.1.10. Code Division Multiple Access -- IS-95


Code Division Multiple Access has many variants as well. InterDigital, for example, produces
a broadband CDMA system called B-CDMA that is different from Qualcomm's narrowband
CDMA system. A CDMA system assigns a specific digital code to each user or mobile phone
on the system. It then encodes each bit of information transmitted from each user. These
codes are so specific that dozens of users can transmit simultaneously on the same frequency
without interference to each other, indeed, there is no need for adjacent cell sites to use
different frequencies as in AMPS and TDMA. Every cell site can transmit on every frequency
available to the wireline or non-wireline carrier. CDMA is less prone to interference than
AMPS or TDMA. That's because the specificity of the coded signals helps a CDMA system
treat other radio signals and interference as irrelevant noise. Some of the details of CDMA are
also interesting. Before we get to them, let's stop here and review, because it is hard to think
of the big picture, the overall subject of cellular radio, when we get involved in

A. Before We Begin -- A Cellular Radio Review
We've discussed, at least in passing, five different cellular radio systems. We looked in
particular at AMPS, the mostly analog, original cellular radio scheme. That's because three
digital schemes default to AMPS, so it's important to understand this basic operating system.
We also looked at IS-54, the first digital service, which followed AMPS. IS-136 is an AT&T
offering, the newest of the TDMA services, which still retains an AMPS operating mode. Both
IS-54 and IS-136 co-exist with AMPS service, that is, a carrier can mix and match these
digital and analog services on whatever channel sets they choose. IS-95 is a different kind of
service, a CDMA, spread spectrum offering that, while not an evolution of the TDMA
schemes, still defaults to advanced mobile phone service where an IS-95 signal cannot be
detected.
(Oh, IS-54, for your information, recently went away by that name, absorbed by the latest
revision of interim standard 136. IS-54 is now IS-136. No, I don't think they mean to confuse
us with their language, it just seems that way. And, since I am digressing slightly here,
consider how many different operating systems computers use: Unix, Linux, Windows, NT,
DOS, the Macintosh OS, and so on. They do the same things in different ways but they are all
computers. Cellular radio is like that, different ways to communicate but all having in
common a distributed network of cell sites, the principle of frequency-reuse, handoffs, and so
on.)
PCS1900, the closest thing we have to GSM in North America, operates at higher frequencies
than conventional cellular. It can use TDMA or CDMA. PCS1900 is not compatible with
other services, but I have seen a Sprint phone which has two bands and two modes. It uses
their PCS service where available but has a mode which lets the phone choose AMPS service
if PCS1900 isn't available. That's not a feature of PCS but rather a hardware fix, two phones
in one. And since we are reviewing, let's make sure we understand what transmission
technologies are involved.
Different transmission techniques enable the different cellular radio systems. These
technologies are the infrastructure of radio. In frequency division multiple access, we separate
radio channels or calls by frequency, like the way broadcast radio stations are separated by
frequency. One call per channel. In time division multiple access we separate calls by time,
one after another. Since calls are separated by time TDMA can put several calls on one
channel. In code division multiple access we separate calls by code, putting all the calls this
time on a single channel. Unique codes assigned to every bit of every conversation keeps
them separate. Now, back to CDMA, specifically IS-95.
Back to the CDMA Discussion
Qualcomm's CDMA system uses some very advanced speech compression techniques,
utilizing a variable rate vocoder, a speech synthesiser and voice processor in one. Phil Karn,
KA9Q, one of the principal engineers, has written that it
"[O]perates at data rates of 1200, 2400, 4800 and 9600 bps. When a user talks, the 9600 bps
data rate is generally used. When the user stops talking, the vocoder generally idles at 1200
bps so you still hear background noise; the mobile phone doesn't just 'go dead'. The vocoder
works with 20 millisecond frames, so each frame can be 3, 6, 12 or 24 bytes long, including
overhead. The rate can be changed arbitrarily from frame to frame under control of the
vocoder."
This is really sophisticated technology, eerily called VAD, for voice activity detection.
Changing data rates allows more calls per cell, since each conversation occupies bandwidth
only when needed, letting others in during the idle times. Some say VAD is the 'trick' in
CDMA that allows greater capacity, and not anything in spread spectrum itself. These data
rate changes help with battery life, too, since the mobile phone can power down in those
moments when not transmitting as much information. Several years ago CDMA was in its
infancy. Some wondered if it would work. I was not among the doubters. In May, 1995 I
wrote in my magazine private line that I felt the future was with this technology. I still think
so and Mark van der Hoek agrees. Because CDMA is so important to cellular radio, especially
for its future, I want to discuss it at length. I've taken many comments on CDMA from the
Cellular Development Group's website. They are the principal industry group pushing CDMA
forward.
A Summary of CDMA
Another transmission technique.

Code division multiple access is quite a different way to send information, it's a spread
spectrum technique. Instead of concentrating a message in the smallest spectrum possible, say
in a radio frequency 10 kHz wide, CDMA spreads that signal out, making it wider. A
frequency might be 1.25 or even 5 MHz wide, 10 times or more the width a conventional call
might use. Now, why would anyone want to do that, to go from a seemingly efficient method
to a method that seems deliberately inefficient?
The military did much early development on CDMA. They did so because a signal using this
transmission technique is diffused or scattered -- difficult to block, listen in on, or even
identify. The signal appears more like background noise than a normal, concentrated signal
which you can easily target. For the consumer CDMA appeals since a conversation can't be
picked up with a scanner like an analog AMPS call. Think of CDMA in another way. Imagine
a dinner party with 10 people, 8 of them speaking English and two speaking Spanish. The two
Spanish speakers can hear each other talking without a problem, since their language or 'code'
is so specific. All the other conversations, at least to their ears, are disregarded as background
noise.
CDMA is a transmission technique, a technology, a way to pass information between the base
station and the mobile. Although called 'multiple access', it is really another multiplexing
method, a way to put many calls at once on a single channel. As stated before, analog cellular
or AMPS uses frequency division multiplexing, in which callers are separated by frequency,
TDMA separates callers by time, and CDMA separates calls by code. CDMA traffic includes
telephone calls, be they voice or data, as well as signaling and supervisory information.
CDMA is a part of an overall operating system that provides cellular radio service. The most
widespread CDMA based cellular radio system is called IS-95.
A different way to share a channel
Unlike FDMA and TDMA, all callers share the same channel with all other callers. Doesn't
that sound odd? Even stranger, all of them use the same sized signal. Imagine dozens of AM
radio stations all broadcasting on the same frequency at the same time with the same 10 kHz
sized signal. Sounds crazy, doesn't it? But CDMA does something like that, only using very
low powered mobiles to reduce interference, and of course, some special coding. "With
CDMA, unique digital codes, rather than separate RF frequencies or channels, are used to
differentiate subscribers. The codes are shared by both the mobile station (cellular phone) and
the base station, and are called 'pseudo-Random Code Sequences.'" Don't panic about that
last phrase. Instead, let's get comfortable with CDMA terms by seeing how this transmission
technique works.
As the Cellular Development group puts it, "A CDMA call starts with a standard rate of 9600
bits per second (9.6 kilobits per second). This is then spread to a transmitted rate of about 1.23
Megabits per second. Spreading means that digital codes are applied to the data bits
associated with users in a cell. These data bits are transmitted along with the signals of all the
other users in that cell. When the signal is received, the codes are removed from the desired
signal, separating the users and returning the call to a rate of 9600 bps."
Get it? We start with a single call digitized at 9600 bits per second, a rate like a really old
modem. (Let's not talk about modem baud rates here, let's just keep to raw bits.) CDMA then
spreads or applies this 9600 bit stream by using a code transmitted at 1.23 Megabits. Every
caller in the cell occupies the same 1.23 Megabit bandwidth and each call is the same size. A
guard band brings the total bandwidth up to 1.25 Megabits. Once at the receiver the
equipment identifies the call, separates its pieces from the spreading code and other calls, and
returns the signal back to its original 9600 bit rate. For perspective, a CDMA channel
occupies 10% of a carrier's allocated spectrum.
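To make the spreading and despreading just described concrete, here is an added example (not from the manual) that spreads three calls with orthogonal Walsh codes, sums them on the one shared channel, and recovers each call by correlating with its own code. The 64-code Walsh matrix, the 128 chips per bit (about 1.23 Mbps divided by 9600 bps) and the sample bit patterns are assumptions; the pseudo-random (PN) codes that IS-95 layers on top of the Walsh codes are left out.

```python
"""Walsh-code spreading and despreading on a single shared channel.
Added illustration, not code from the manual or from Qualcomm/IS-95."""
from typing import Dict, List

CHIPS_PER_BIT = 128  # assumption: about 1.23 Mcps / 9600 bps, the page's figures
WALSH_ORDER = 64     # assumption: length of the orthogonal codes used here


def hadamard(order: int) -> List[List[int]]:
    """Sylvester construction of a Walsh-Hadamard matrix with +1/-1 entries.
    Any two distinct rows are orthogonal: their dot product is exactly zero."""
    if order < 1 or order & (order - 1):
        raise ValueError("order must be a power of two")
    h = [[1]]
    while len(h) < order:
        h = [row + row for row in h] + [row + [-c for c in row] for row in h]
    return h


def spread(bits: List[int], code: List[int],
           chips_per_bit: int = CHIPS_PER_BIT) -> List[int]:
    """Map each data bit to a symbol (0 -> +1, 1 -> -1) and multiply it by the
    user's code, repeating the code to fill chips_per_bit chips per bit."""
    if chips_per_bit % len(code):
        raise ValueError("chips_per_bit must be a multiple of the code length")
    pattern = code * (chips_per_bit // len(code))
    chips: List[int] = []
    for b in bits:
        sym = 1 if b == 0 else -1
        chips.extend(sym * c for c in pattern)
    return chips


def superpose(streams: List[List[int]]) -> List[int]:
    """The shared RF channel: every user's chips simply add up on the air.
    All streams are assumed to carry the same number of bits."""
    return [sum(col) for col in zip(*streams)]


def correlate(rx: List[int], code: List[int],
              chips_per_bit: int = CHIPS_PER_BIT) -> List[int]:
    """Per-bit correlation of the received chips with one code. The owner's
    code yields +/- chips_per_bit; every other Walsh code sums to zero, which
    is why the other calls look like irrelevant noise to this receiver."""
    pattern = code * (chips_per_bit // len(code))
    return [sum(r * c for r, c in zip(rx[i:i + chips_per_bit], pattern))
            for i in range(0, len(rx), chips_per_bit)]


def despread(rx: List[int], code: List[int],
             chips_per_bit: int = CHIPS_PER_BIT) -> List[int]:
    """Recover the data bits from the sign of each correlation."""
    return [0 if corr > 0 else 1 for corr in correlate(rx, code, chips_per_bit)]


def cdma_cell(calls: Dict[int, List[int]]) -> List[int]:
    """Spread each call with the Walsh row given by its key and put them all
    on the one channel. Row 0 (all ones) is deliberately left unassigned."""
    codes = hadamard(WALSH_ORDER)
    return superpose([spread(bits, codes[idx]) for idx, bits in calls.items()])


if __name__ == "__main__":
    # Constructed sample: three 8-bit fragments of three calls, one Walsh code each.
    calls = {1: [1, 0, 1, 1, 0, 0, 1, 0],
             2: [0, 0, 0, 1, 1, 1, 0, 1],
             7: [1, 1, 0, 0, 1, 0, 1, 0]}
    rx = cdma_cell(calls)
    codes = hadamard(WALSH_ORDER)
    for idx, bits in calls.items():
        print("call on code", idx, "recovered:", despread(rx, codes[idx]) == bits)
    print("correlation with unassigned code 9:", correlate(rx, codes[9]))
```

Running it shows each call recovered intact while an unassigned code correlates to zero in every bit period.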
Synchronization

To make this transmission method work it is not enough just to have a fancy coding scheme.
To keep track of all this information flying back and forth we need to synchronize it with a
master clock. As the CDG puts it, "In the final stages of the encoding of the radio link from
the base station to the mobile, CDMA adds a special "pseudo-random code" to the signal that
repeats itself after a finite amount of time. Base stations in the system distinguish themselves
from each other by transmitting different portions of the code at a given time. In other words,
the base stations transmit time offset versions of the same pseudo-random code."
Arrgh. Another phrase with the word 'code' in it, one more term to keep track of! Don't
despair. Even if "pseudo-random code" is fearsomely titled, its chore is simple to state:
keep base station traffic to its own cell site by issuing a code. Synchronize that code with a
master clock to correlate the code. Like putting a time stamp on each piece of information.
CDMA uses the Global Positioning System or GPS, a network of navigation satellites that,
along with supplying geographical coordinates, continuously transmits an incredibly accurate
time signal.
What Every Radio System Must Consider

Radio systems, like life, demand tradeoffs or compromises. The CDG says, "CDMA cell
coverage is dependent upon the way the system is designed. In fact, three primary system
characteristics, Coverage, Quality, and Capacity, must be balanced off of each other to arrive
at the desired level of system performance." Wider coverage, for example, means using higher
powered mobiles which means more radio interference. Increasing capacity means putting
more calls into the same amount of spectrum which means calls may be blocked and voice
quality will decrease. That's because you must compress those calls to fit the spectrum
allowed. As the saying goes, radio systems aren't just sold, they are engineered.

4.1.11. CDMA Benefits


The CDG states that CDMA systems have seven advantages over other cellular radio
transmission techniques. They say these are:
1. Capacity increases of 8 to 10 times that of an AMPS analog system and 4 to 5 times that
of a GSM system
2. Improved call quality, with better and more consistent sound as compared to AMPS
systems
3. Simplified system planning through the use of the same frequency in every sector of
every cell
4. Enhanced privacy
5. Improved coverage characteristics, allowing for the possibility of fewer cell sites
6. Increased talk time for portables
7. Bandwidth on demand

A Few More Details

IS-95 is another cellular radio technique. It uses CDMA but is backward compatible with the
analog based AMPS. IS-95 handles calls differently than TDMA schemes, although
registration is the same. IS-95 queries the same network resources and databases
to authenticate a caller. Having said this, IS-95 does share many characteristics of all CDMA
systems.
Handoffs. It's tough transferring a call between cells in any cellular radio scheme. Keeping a
conversation going while a cellular user travels at seventy miles per hour from one cell to the
next is hard, and many calls get dropped. CDMA features soft handoffs, where two or more cell sites
may be handling the call at the same time. A final handoff gets done only when the system
makes sure it's safe to do so . . . (will continue . . .)
Let's finish this article with some comments by Mark van der Hoek. He says that the most
significant feature of CDMA is how it delivers its features without a great deal of extra
features. He notes how CDMA cell sites can expand or contract, breathing if you will,
depending on how many callers come into the cell. This flexibility comes built into a CDMA
system. Here are some more comments from him:
"CDMA is already dominant, and 3G will be CDMA, and everyone knows it. The matter was
really settled, though some still won't admit it, when Ericsson, the Big Kahuna of GSM,
Great Champion of The Sacred Technology, capitulated to Qualcomm by buying Qualcomm's
infrastructure division. The rest is working out the details of the surrender. TDMA just can't
deliver the capacity. In fact, I understand that the GSM standard documents spell out TDMA
as an interim technology until CDMA could be perfected for commercial use."
"A further note on CDMA bandwidth. IS-95 CDMA (Qualcomm) uses a bandwidth of 1.25
MHz. Anyone know why? I have fun with this one, because few people, even in the industry,
know the answer. PhDs often don't know the answer! That's because it is not a technical issue.
The key to the matter can be found in the autograph in one of my reference books, 'Mobile
Communications Design Fundamentals' by William C. Y. Lee. The inscription reads, 'I am
very glad to work with you in this stage of designing CDMA system, with my best wishes.
Bill Lee, AirTouch Comm Los Angeles, CA March 22, 1995'."
"Dr. Lee is a major figure in the cellular industry, but few know of the contribution he made
to CDMA. Dr. Lee was one of the engineers at Bell Labs in the '60s who developed cellular.
He later came to work for PacTel Cellular (later AirTouch) as Chief Science Officer.
Qualcomm approached him in 1992 or 1993 about using CDMA technology for cellular.
TDMA was getting off the ground at that time, and Qualcomm had to move fast to have any
hope of prevailing in the marketplace. They proposed to Dr. Lee that PacTel fund them to do
a 'Proof of Concept', which is basically a theoretical paper showing the practicality of an
idea. Dr. Lee considered Qualcomm's proposal, and said, 'No.' Qualcomm was shocked.
Then Dr. Lee told them, 'We'll fund you 10 times that amount and you build us a working
prototype.'"
"It is not too much to say that we have CDMA where it is today in part because of Dr. Lee.
Qualcomm built their prototype system piggybacked on PacTel's San Diego network. During
the development phase it was realized that deployment of CDMA meant turning off channels
in the analog system. (What we call 'spectrum clearing'.) 'How much can we turn off?' was
the question. Dr. Lee considered it, and came back with the answer, '10%'. Well, that worked
out to 1.25 MHz, and that's where it landed. (All of this according to Dr. Lee, who is a
brilliant and genuinely nice person.) By comparison, though, 3rd generation systems will have
a wider bandwidth than the 1.25 MHz bandwidth used for CDMA in IS-95. The biggest
discussion about 3G is now what kind of CDMA will be used. Bandwidth is the sticking
point. Will it be 3.75 MHz or 5 MHz?"
4.1.12. AMPS Call Processing

This is AMPS call processing for analog and digital services, CDMA or IS-95 excluded . . .


4.2. Forensics and the GSM mobile telephone system


The GSM system has become the most popular system for mobile communication in the
world. Criminals commonly use GSM phones, and there is therefore a need for forensic
investigators to understand which evidence can be obtained from the GSM system. Evidence
items that can be obtained from the Mobile Equipment, the SIM and the core network are
explored. Tools to extract such evidence from the components of the system exist, but there is
a need to develop more sound forensic procedures and tools for extracting such evidence.
4.2.1. Introduction
With GSM, systems for mobile communication reached a global scale. In the western world,
it seems everyone has their own mobile phone, and GSM has taken more and more of the
market. GSM allows users to roam seamlessly between networks, and separate the user
identity from the phone equipment. In addition the GSM system provides the functional basis
for the 3rd generation mobile system, UMTS.
All these factors make it important for forensic investigators to understand how the GSM
system works, and how evidence can be extracted from it. Criminals took the step into the
mobile age a long time ago, and information from the mobile system can give the investigator
crucial information on the criminal’s actions. It is however important that the information
contained in the system is retrieved with a forensically sound method. It is equally important
that the investigator understands the system in order to be able to explain to the courts how
the system works. It is the aim of this paper to give forensic investigators an introduction to
the current state of GSM forensics, and highlight some of the issues that will have to be
solved in the future.
4.2.2. History of the GSM system
In the beginning of the 1980s several different systems for mobile communications were
developed in Europe. The need for a common system that allowed roaming between countries
was recognized early. In 1982 a number of European countries created a new standardization
organisation called “Groupe Speciale Mobile” (GSM). The mandate of this group was to
develop a standard to be common for the countries that created it. In 1988 the GSM was
included in the European Telecommunication Standards Institute (ETSI), and the standards
developed by GSM thus became standards for all telecommunication administrations in
Europe.
The main work with the GSM took place from 1988 to 1990 and resulted in 12 series of
specifications which in great detail specified the inner workings of GSM. In 1990, when
phase 1 of the specifications was finished, there were three dominating automatic systems for
mobile communications in the world:
1. American AMPS from 1984, with networks in the US.
2. British TACS from 1985, with networks in Britain.
3. Nordic NMT from 1981, with networks in the Nordic countries.

Unlike these systems, GSM is a fully digital system, allowing both speech and data services
and allowing roaming across networks and countries. These features made GSM a very
popular system, not only in European countries but also elsewhere. The term GSM has been
chosen as a trademark for the system, meaning “Global System for Mobile communications”,
whereas the group within ETSI working with the standards has been renamed SMG (Special
Mobile Group). Today GSM is the largest system for mobile communications in the world,
and exists on all continents.
4.2.3. Overview of the GSM system
The GSM system is specified in 12 series of specifications. For phase 1, these specifications
constitute over 4000 pages. In the following, a short overview of the system will be given.
4.2.4. Entities of the GSM system

Figure 1. Entities in the GSM system

The GSM system consists of a number of separate entities [GSM0302]. These are shown in
figure 1. The entities are connected through interfaces, each of which has its own name in
the specifications; these names are shown in the figure.
4.2.4.1. The Mobile Station
The Mobile Station (MS) is the user equipment in GSM. The MS is what the user can see of
the GSM system. The station consists of two entities, the Mobile Equipment (the phone
itself), and the Subscriber Identity Module (SIM), in the form of a smart card contained inside the
phone.
Production of Mobile Equipment is done by many different manufacturers, and there will
almost always be a wide range of different MEs in a mobile network. Therefore the
specifications specify the workings of the ME in great detail. In order to verify that Mobile
Stations conform to the specifications, equipment must obtain type approval from the
standardization body [GSM1110].
The MEs in GSM are independent of network providers. The identity of the subscriber is
obtained from the SIM that has to be inserted into the MS to make it work. The SIM contains
the IMSI (International Mobile Subscriber Identity) which uniquely identifies the subscriber
to the network. It also contains information necessary to encrypt the connections on the radio
interface. The ME itself is identified by an IMEI (International Mobile Equipment Identity),
which can be obtained by the network upon request. Without the SIM, calls to and from the
mobile station are not allowed. The SIM is implemented as a smart card that can exist in two
forms: large or small.
4.2.4.2. The Base Transceiver Station
The Base Transceiver Station (BTS) is the entity corresponding to one site communicating
with the Mobile Stations. Usually, the BTS will have an antenna with several TRXs (radio
transceivers) that each communicate on one radio frequency. The link-level signaling on the
radio-channels is interpreted in the BTS, whereas most of the higher-level signaling is
forwarded to the BSC and MSC. Speech and data transmissions from the MS are recoded in the
BTS from the special encoding used on the radio interface to the standard 64 kbit/s encoding
used in telecommunication networks. Like the radio-interface, the Abis interface between the
BTS and the BSC is highly standardized, allowing BTSs and BSCs from different
manufacturers in one network.
4.2.4.3. The Base Station Controller
Each Base Station Controller (BSC) controls on the order of several hundred BTSs. The
BSC takes care of a number of different procedures regarding call setup, location update and
handover for each MS.
4.2.4.4. The Mobile Switching Centre
The Mobile Switching Centre is a normal ISDN-switch with extended functionality to handle
mobile subscribers. The basic function of the MSC is to switch speech and data connections
between BSCs, other MSCs, other GSM-networks and external non-mobile-networks. The
MSC also handles a number of functions associated with mobile subscribers, among others
registration, location updating and handover. There will normally exist only a few BSCs per
MSC, due to the large number of BTSs connected to the BSC. The MSC and BSCs are
connected via the highly standardized A-interface [GSM0808]. However, due to the lack of
standardization on Operation and Management protocols, network providers usually choose
BSCs, MSCs and Location Registers from one manufacturer.
4.2.4.5. The Location Registers
With each MSC, there is associated a Visitors Location Register (VLR). The VLR can be
associated with one or several MSCs. The VLR stores data about all customers who are
roaming within the location area of that MSC. This data is updated with the location update
procedure initiated from the MS through the MSC, or directly from the subscriber Home
Location Register (HLR). The HLR is the home register of the subscriber. Subscription
information, allowed services, authentication information and localization of the subscriber
are at all times stored in the HLR. This information may be obtained by the VLR/MSC when
necessary. When the subscriber roams into the location area of another VLR/MSC, the HLR
is updated. At mobile terminated calls, the HLR is interrogated to find which MSC the MS is
registered with. Because the HLR is a centralized database that needs to be accessed during
every call setup and data transmission in the GSM network, this entity needs to have a very
large data transmission capacity.
4.2.4.6. The Equipment Identity Register


The Equipment Identity Register (EIR) is an optional register. Its purpose is to register IMEIs
of mobile stations in use. By implementing the EIR the network provider can blacklist stolen
or malfunctioning MSs, so that the network does not allow their use.
4.2.4.7. GSM Security
GSM provides authentication of users and encryption of the traffic across the air interface.
This is accomplished by giving the user and the network a shared secret, called Ki. This 128-bit
number is stored on the SIM card and is not directly accessible to the user. Each time the
mobile connects to the network, the network authenticates the user by sending a random
number (challenge) to the mobile. The SIM then uses an authentication algorithm to compute
an authentication token SRES from the random number and Ki. The mobile sends the SRES
back to the network, which compares the value with an independently computed SRES. At the
same time, an encryption key Kc is computed. This key is used for encryption of subsequent
traffic across the air interface. Thus, even if an attacker listening to the air traffic could crack
the encryption key Kc, the attack would be of little value, since this key changes each time the
authentication procedure is performed.
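The challenge-response exchange just described, run end to end as an added example that is not part of this manual: both sides hold Ki, the network sends RAND, the SIM answers with SRES and a fresh Kc. The real A3/A8 algorithms are operator-specific and are not implemented here; an HMAC-SHA256 stand-in, the IMSI value and the class names are assumptions of this example.

```python
"""GSM-style challenge-response simulation (added example, not part of the manual).
A3/A8 are replaced by an HMAC-SHA256 stand-in; the IMSI value and class names are
constructed for illustration only."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def a3_a8_standin(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for A3/A8: SRES (32 bits) and Kc (64 bits) derived from Ki and RAND.
    Real A8 gives a 54-bit Kc padded to 64 bits; the stand-in simply keeps 64 bits."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class Sim:
    """The card side. Ki never leaves the card; only SRES and Kc are handed to the phone."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki  # 128-bit shared secret, not readable by the user

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3_a8_standin(self._ki, rand)


class AuthenticationCentre:
    """Network side (HLR/AuC): holds the same Ki per IMSI and issues
    (RAND, SRES, Kc) triplets that the MSC/VLR uses to challenge the mobile."""

    def __init__(self, subscribers: Dict[str, bytes]) -> None:
        self._subscribers = subscribers

    def make_triplet(self, imsi: str, rand: Optional[bytes] = None) -> Tuple[bytes, bytes, bytes]:
        rand = os.urandom(16) if rand is None else rand  # 128-bit challenge
        sres, kc = a3_a8_standin(self._subscribers[imsi], rand)
        return rand, sres, kc


def authenticate(auc: AuthenticationCentre, sim: Sim,
                 rand: Optional[bytes] = None) -> Tuple[bool, Optional[bytes]]:
    """One authentication run. On success both sides hold the same session key Kc,
    which ciphering on the air interface uses until the next run replaces it."""
    rand, expected_sres, network_kc = auc.make_triplet(sim.imsi, rand)
    sres, sim_kc = sim.run_gsm_algorithm(rand)   # Ki is only ever used inside the card
    if not hmac.compare_digest(sres, expected_sres):
        return False, None                        # rejected: no Kc, no ciphering
    assert sim_kc == network_kc                   # same Ki and RAND give the same Kc
    return True, network_kc


if __name__ == "__main__":
    ki = bytes(range(16))                         # constructed Ki, not a real card key
    auc = AuthenticationCentre({"IMSI-EXAMPLE": ki})
    card = Sim("IMSI-EXAMPLE", ki)
    ok1, kc1 = authenticate(auc, card)
    ok2, kc2 = authenticate(auc, card)
    print("authenticated:", ok1 and ok2, "Kc changed between runs:", kc1 != kc2)
    print("wrong Ki accepted:", authenticate(auc, Sim("IMSI-EXAMPLE", bytes(16)))[0])
```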

4.2.5. Evidence in the Subscriber Identity Module
The SIM (shown in figure 2) contains information that can be of value as evidence. First, the
SIM itself can have value as evidence. As shown in the picture, the name of the network
provider is usually printed on the SIM, along with a unique identification number that can be
used to get information from the provider, such as the subscriber name and address and the phone
number associated with the SIM. Phone records can also be retrieved using this number, as
discussed below.
4.2.5.1. Access to the SIM
A PIN code (Personal Identification Number) is usually required to access the SIM. This
number is a four-digit code that must be entered to gain access. Since the phone cannot be
used without access to the SIM, this number must be entered whenever the phone is turned
on. If the user fails to enter a valid PIN in three attempts, the card becomes blocked, and
the user must instead enter an 8-digit code called the PUK to reopen it. If the user fails to enter the
correct PUK in ten attempts, the card becomes permanently blocked and cannot be
reopened.
PIN-codes for a card can be changed and deactivated by the user. The PUK-codes are fixed
and cannot be changed. Since the PUK-code is fixed, the network operator usually keeps track
of the PUK-codes for all its users. Therefore, the investigator can almost always gain access
to a SIM-card by asking the network operator for the PUK code. It might, however, be more
efficient to ask the owner of the phone to provide correct PIN or PUK-codes. During searches,
the PUK code might also be recovered, since phone owners usually keep the PUK code in
writing in case they forget the PIN.
4.2.5.2. Forensic analysis of SIM cards
The SIM card is a smart card, containing a processor and non-volatile memory. In GSM, the
SIM card is used as a storage device for subscriber-related data. The only purpose of the
processor is to implement the access mechanism and security features. The physical and
logical properties of the access mechanism are defined in GSM specifications [GSM1111].
The SIM card can be accessed by mounting the card in a standard smart-card reader. To
access the card logically, software is needed that implements the GSM SIM access mechanism.
The contents of the SIM card are organized as a series of files containing binary data that can
be downloaded once the user has authenticated himself with a PIN or PUK code.
The best forensic procedure would be to image the entire contents by downloading the entire
memory of the SIM and computing a hash value of this memory. There is currently no tool
available to do this. There are, however, tools available to download the binary contents of
individual files and store them as individual files. Examples of such tools are Sim Manager
Pro (previously Sim-Surf Profi) [SIMMAN], ChipIt [CHIPIT], PDUSpy [PDUSPY] and
SIM-Scan [SIMSCAN]. Administrative tools are also available which will synchronize data
such as text messages between a SIM card and a computer. Such tools should be avoided in
forensic analysis, since the contents of the card will be contaminated. The tool currently most
popular in law enforcement communities is Cards4Labs [C4L], developed by the
Netherlands Forensic Institute and available to law enforcement only. This tool does not store a
digital copy of the SIM files on the computer, but rather produces a text report on most of the
content on the SIM card.


Reading a file as hex values with Sim-Surf Profi

4.2.5.3. The files on the SIM-card
The evidence on the SIM card is stored in the following files:


All of the stored data can potentially have evidentiary value. However, most of the files refer
to network internals that the user never sees, and therefore do not represent evidence on the
usage of the telephone as such. We therefore limit the discussion here to the files that typically
represent relevant evidence on phone usage.
4.2.5.4. Location information, serial number, IMSI, MSISDN
Bytes 5-9 of the LOCI file contain, among other information, the Location Area Identifier (LAI)
where the mobile is currently located. This value is retained in the SIM card when the
mobile is shut off. Thus, it is possible for an investigator to determine in which Location Area
the mobile was located when it was last operating. The network operator can assist the
investigator in identifying which area the identifier corresponds to. It should be noted that a
location area can contain hundreds or even thousands of cells. The cell the mobile was last
camping on is not stored in the SIM card.
The serial number, IMSI and MSISDN all provide a unique identification of the customer.
The serial number, which can be obtained without providing the PIN, identifies the SIM
itself. The IMSI is the customer identification, whereas the MSISDN is the phone number of
the mobile.
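Decoders for two of the SIM files named above, EF_LOCI (whose bytes 5-9 hold the LAI) and EF_IMSI, as an added example that is not code from the manual or from any of the tools it names. The byte layouts follow GSM 11.11 and the sample records are constructed, not read from a real card.

```python
"""Decode EF_LOCI (TMSI, LAI, update status) and EF_IMSI from a GSM SIM.
Added example, not a tool from the manual; layouts per GSM 11.11 sections 10.3.17
and 10.3.2. The records at the bottom are constructed sample data."""
from typing import Dict, Iterator

LOCATION_UPDATE_STATUS = {0: "updated", 1: "not updated",
                          2: "PLMN not allowed", 3: "location area not allowed"}


def _nibbles(data: bytes) -> Iterator[int]:
    """Semi-octets in transmission order: low nibble of each byte first."""
    for b in data:
        yield b & 0x0F
        yield b >> 4


def decode_lai(lai: bytes) -> Dict[str, object]:
    """LAI = MCC (3 digits) and MNC (2 or 3 digits) as packed BCD, then a 16-bit LAC.
    Nibble order is MCC1 MCC2 | MCC3 MNC3 | MNC1 MNC2; MNC3 is F for a 2-digit MNC."""
    if len(lai) != 5:
        raise ValueError("LAI is exactly 5 bytes")
    d = list(_nibbles(lai[:3]))
    mcc = "%d%d%d" % (d[0], d[1], d[2])
    mnc = "%d%d" % (d[4], d[5]) + ("" if d[3] == 0xF else "%d" % d[3])
    return {"mcc": mcc, "mnc": mnc, "lac": int.from_bytes(lai[3:5], "big")}


def decode_loci(rec: bytes) -> Dict[str, object]:
    """EF_LOCI: bytes 1-4 TMSI, bytes 5-9 LAI, byte 10 TMSI TIME, byte 11 update status.
    An all-FF LAI means the card has never stored a location area."""
    if len(rec) < 11:
        raise ValueError("EF_LOCI is 11 bytes")
    lai = rec[4:9]
    return {"tmsi": rec[0:4].hex(),
            "lai": None if lai == b"\xff" * 5 else decode_lai(lai),
            "status": LOCATION_UPDATE_STATUS.get(rec[10] & 0x07, "reserved")}


def decode_imsi(rec: bytes) -> str:
    """EF_IMSI: byte 1 = length of the rest; byte 2 = first digit (high nibble) plus
    parity bit (bit 3, set for an odd digit count) and identity type 001 (low bits);
    the remaining digits follow as swapped BCD."""
    length = rec[0]
    body = rec[1:1 + length]
    n_digits = 2 * length - 1 if body[0] & 0x08 else 2 * length - 2
    digits = [body[0] >> 4] + list(_nibbles(body[1:]))
    return "".join(str(n) for n in digits[:n_digits])


# Constructed samples: TMSI 11223344, LAI for MCC 234 / MNC 15 / LAC 0x1A2B, status
# "updated"; and IMSI 234150123456789 (15 digits, so the parity bit is set).
SAMPLE_LOCI = bytes.fromhex("11223344" "32f4511a2b" "00" "00")
SAMPLE_IMSI = bytes.fromhex("08" "29" "43511032547698")

if __name__ == "__main__":
    print(decode_loci(SAMPLE_LOCI))
    print(decode_imsi(SAMPLE_IMSI))
```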
4.2.5.5. Text messages
The Short Message Service (SMS) became a very popular service in GSM during the last
years of the 90s. The service basically lets a user type in a short text message on the phone
and send it to another user via a central Short Message Service Centre (SMSC). The SIM
provides storage space for text messages. Most SIM-cards have 12 slots for text-messages. In
addition, most modern phones also let the user store text messages in memory in the ME. It’s
up to the ME software and user configuration which memory is used first, and which
messages are stored. A common configuration is that all incoming messages are stored by
default, and outgoing messages are stored only at the user’s explicit request. Most MEs use
the SIM memory first, before utilizing ME internal memory.
Each of the SMS slots on the SIM has the following layout:

The status byte can take the following values:

%00000000 Unused
%00000001 Mobile terminated message, read
%00000011 Mobile terminated message, not read
%00000101 Mobile originated message, sent
%00000111 Mobile originated message, not sent

When a user deletes a message, only the status byte is set to 0. Thus, deleted text messages
can be recovered, except for the status byte, as long as the slot has not been overwritten by a
new message. Recovery is done simply by interpreting bytes 2-176 of the stored message.
Cards4Labs does this by default.
The TPDU consists of the following elements:


- The ISDN number of the service center
- The ISDN number of the sender (or recipient, depending on status) of the message
- Date and time (in seconds) the message was received by the service center, referring to the
clock on the service center.
- Phonebook number
- The message itself

The phonebook number refers to how the message is presented to the user. An ME can, for instance,
define phonebook 1 as “Inbox”, phonebook 2 as “Outbox” etc.
The message itself can be encoded in different ways. The original and still most common
scheme is 7-bit packed. In this scheme, the message is coded in a GSM-specific 7-bit
character set, which is converted into a bit-stream. The bit-stream is then split into bytes to fit
on the SIM card. As a result, the text cannot be read directly from the data using a normal hex
editor. Programs such as Cards4Labs and Sim-Surf Profi will decode all the contents of the
TPDU.
When a new message is written to an available slot, the part of the slot that is not taken up by
the message is filled with hex value FF. Thus, it is not possible to find remnants of previous
messages in “slack-space” in the text-message slots.
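A decoder for one EF_SMS slot that covers the status byte table, the TPDU elements listed above, the 7-bit packing and the FF fill, as an added example that is not code from the manual or from Cards4Labs or Sim-Surf Profi. It goes slightly beyond the text by parsing mobile originated (SMS-SUBMIT) slots as well; the record layout assumed is that of GSM 11.11/03.40, and the three sample slots are constructed.

```python
"""Parser for one EF_SMS record (176 bytes) from a GSM SIM, as described in the section
above. Added example, not a tool from the manual. Layout assumed per GSM 11.11 / 03.40:
byte 1 = status, then the service-centre address, then the TPDU; unused space is FF.
The sample records at the bottom are constructed, not taken from a real card."""
from typing import Dict, Optional

# GSM 7-bit default alphabet, indexed by septet value (0x1B is the escape septet).
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
        " !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
        "¿abcdefghijklmnopqrstuvwxyzäöñüà")
STATUS = {1: "mobile terminated, read", 3: "mobile terminated, not read",
          5: "mobile originated, sent", 7: "mobile originated, not sent"}
RECORD_LEN = 176


def unpack_7bit(data: bytes, count: int) -> str:
    """Undo the GSM 03.38 packing: septets are stored LSB-first across octet
    boundaries, which is why the text is unreadable in a plain hex editor."""
    bits = nbits = 0
    chars = []
    for b in data:
        bits |= b << nbits
        nbits += 8
        while nbits >= 7 and len(chars) < count:
            chars.append(GSM7[bits & 0x7F])
            bits >>= 7
            nbits -= 7
    return "".join(chars)


def decode_address(toa: int, data: bytes, ndigits: int) -> str:
    """Digits are swapped BCD (low nibble first, F = pad); type-of-address 0x91 is international."""
    nib = [n for b in data for n in (b & 0x0F, b >> 4)][:ndigits]
    return ("+" if (toa & 0x70) == 0x10 else "") + "".join(str(n) for n in nib if n < 10)


def decode_scts(ts: bytes) -> str:
    """TP-SCTS: YY MM DD hh mm ss as swapped BCD, then the zone in quarter hours
    (bit 3 of its first semi-octet is the sign). Years are assumed to be 20xx here."""
    v = [(b & 0x0F) * 10 + (b >> 4) for b in ts[:6]]
    q = (ts[6] & 0x07) * 10 + (ts[6] >> 4)
    sign = "-" if ts[6] & 0x08 else "+"
    return "20%02d-%02d-%02d %02d:%02d:%02d %s%02d:%02d" % (*v, sign, q // 4, q % 4 * 15)


def parse_sms_slot(rec: bytes) -> Dict[str, Optional[str]]:
    """Decode one slot. Status 0 with non-FF data is a deleted message: as the section
    notes, deletion only clears the status byte, so bytes 2-176 still hold the TPDU."""
    status = rec[0]
    if status == 0 and rec[1:] == b"\xff" * (len(rec) - 1):
        return {"status": "unused"}
    out: Dict[str, Optional[str]] = {
        "status": STATUS.get(status, "deleted, recoverable" if status == 0 else "unknown")}
    sc_len = rec[1]                                   # SMSC address length in octets, incl. TOA
    out["smsc"] = decode_address(rec[2], rec[3:2 + sc_len], 2 * (sc_len - 1))
    pos = 2 + sc_len
    first = rec[pos]                                  # TPDU first octet; bits 0-1 = message type
    pos += 1
    if (first & 0x03) == 1:                           # SMS-SUBMIT (MO): TP-MR precedes the address
        pos += 1
    ndig = rec[pos]                                   # TP-OA / TP-DA length is in digits
    nbytes = (ndig + 1) // 2
    out["address"] = decode_address(rec[pos + 1], rec[pos + 2:pos + 2 + nbytes], ndig)
    pos += 2 + nbytes
    dcs = rec[pos + 1]
    pos += 2                                          # skip TP-PID and TP-DCS
    if (first & 0x03) == 0:                           # SMS-DELIVER (MT): SC time stamp follows
        out["timestamp"] = decode_scts(rec[pos:pos + 7])
        pos += 7
    else:                                             # SMS-SUBMIT: validity period, size from TP-VPF
        out["timestamp"] = None
        pos += {0: 0, 2: 1, 1: 7, 3: 7}[(first >> 3) & 0x03]
    udl = rec[pos]
    if dcs & 0x0C:                                    # 8-bit or UCS-2 bodies are left as hex
        out["text"] = rec[pos + 1:pos + 1 + udl].hex()
    else:
        out["text"] = unpack_7bit(rec[pos + 1:], udl)
    return out


def sample_slot(hex_body: str) -> bytes:
    """Pad a constructed record to 176 bytes with FF, as the card does when writing."""
    body = bytes.fromhex(hex_body)
    return body + b"\xff" * (RECORD_LEN - len(body))


# Constructed MT message "Hello" from +447700900456 via SMSC +447700900123, received
# 2004-03-15 14:25:30 +01:00; a constructed MO message "Ok" to the same number; and the
# MT slot as the card holds it after the user "deletes" it (only the status byte cleared).
DELIVER_SLOT = sample_slot("01" "0791447700091032" "04" "0c91447700094065" "0000"
                           "40305141520340" "05" "c8329bfd06")
SUBMIT_SLOT = sample_slot("05" "0791447700091032" "01" "00" "0c91447700094065" "0000"
                          "02" "cf35")
DELETED_SLOT = b"\x00" + DELIVER_SLOT[1:]
```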
4.2.5.6. Short Dial Numbers
To aid the user in remembering numbers, most phones have an ability to store commonly
dialled phone numbers. Most SIM-cards have around 100 slots for storing short dial numbers.
On GSM phones older than around 1999 this was the only mechanism for storing numbers.
Most modern phones also have their own memory, and the user can choose to use
one of the memories or both.
In the SIM, short numbers are stored in a binary encoded format, containing a name and a
number in each slot. Programs such as Cards4Labs and Sim-Surf Profi will decode the format.
When a short-number is deleted, the information in the slot is overwritten with hex value FF.
Thus, it is not possible (or at least not feasible) to recover deleted short dial numbers. The
slots will normally be allocated in sequence, so identifying empty slots between used slots
will normally indicate that a stored number has been deleted.
4.2.5.7. Last Numbers Dialed
The SIM also has the ability to store the numbers last dialled. Most cards have only 5 slots for
this. The numbers are stored in a binary encoded format that can be interpreted by programs
such as the previously mentioned Cards4Labs and Sim-Surf Profi. Most phones do not use this
feature, however, and store a call log in phone memory instead. Investigators should
therefore also examine the phone for call logs.
4.2.5.8. Attacks on the SIM module
It is important for the investigator to understand that the Subscriber Identity Module can be
attacked by crafty criminals. In a forensic context, the most obvious attack method is removal
of evidence. Since the files on the GSM card can be accessed directly, an attacker can remove
evidence by overwriting storage space. For instance, a person knowing that deleted text
messages are still accessible on the card could use the card editor in Sim-Surf Profi to
overwrite the messages with other information.
Of more interest to a criminal would be to attack the SIM to impersonate another subscriber.
If this could be done, a criminal would be able to make calls on other subscribers' accounts,
and impersonate other subscribers, as their caller identification would show up at the called
party. In the GSM system, the subscriber identity is stored only on the SIM, so the protection
against impersonation relies only on the SIM security features. The only information that
identifies a user is the user's IMSI and the secret encryption key Ki. Both are stored on the SIM
and in the HLR in the network. As we have seen, the IMSI can be read directly from the SIM
card if the user knows the PIN or PUK code. IMSIs of other valid subscribers could also be
obtained by listening to unencrypted network traffic on the air interface, since the IMSI is
transferred unencrypted across the air interface whenever a mobile registers with a new
network. (This happens a lot at certain locations, such as international airports.)
But how can the criminal obtain the encryption key Ki? Since the Ki is stored only internally
in the SIM card it is not accessible directly, but only through usage of the encryption
algorithms stored on the card. However, since the user of a SIM card can feed the algorithm
with known numbers, the Ki can be found if the algorithms contain weaknesses that allow
such analysis. Such an attack is commonly known as a chosen-plaintext attack. The
algorithms in GSM do indeed have such a weakness. A tool to extract Ki from a SIM has been
implemented in the program Sim-Scan, available on the Internet [SIMSCAN]. Both IMSI and
Ki can therefore be obtained by anyone with access to a SIM-card and knowledge of PIN or
PUK.
The next step for the criminal is to produce a new SIM-card with the IMSI and Ki
implemented. This cannot be done on SIM-cards in use, since IMSI is locked through the SIM
access mechanism, and Ki is only internally stored. The attacker therefore needs to get hold of
a fresh card without any subscriber information. These cards can be ordered from the same
source where network providers get their cards. The card must then be programmed with a
special tool for programming of fresh cards. Such a tool is distributed together with the Sim-
Scan package. An attacker could also get hold of a generic smart card and smart card
programmer, and then program the card to act as a SIM.
The conclusion is that impersonation of other GSM subscribers is indeed possible for anyone
who can get hold of a subscriber card and corresponding PIN/PUK.

4.2.6. Evidence in the Mobile Equipment
The specifications impose many functional requirements on the Mobile Equipment in the GSM
system when it comes to the interface with the network and the SIM. As long as these
requirements are met, it is up to the manufacturer to decide which other functions to
implement on the ME, such as storage of different types of information. There is therefore a
wide range of different phones on the market, each with its own capabilities for information
storage and each with its own potential as digital evidence. A study of all GSM mobile
phones in a forensic context is therefore infeasible. This paper will focus on general principles
and information that is commonly stored on different types of equipment.
4.2.6.1. Access to the phone
Since access to the SIM is needed to use the phone, all phones ask for the SIM PIN code
when the phone is turned on, unless the PIN has been deactivated. Many phones also have the
ability to ask for a separate access code for access to the phone memory. This feature is rarely
used, since the user then will have to enter two access codes whenever the phone is turned on.
In principle, the investigator will have no means of obtaining the phone access code if it
is activated. It is believed, however, that most phones have an ability to circumvent the code
by using special hardware/cables and software to access the contents of the phone.
4.2.6.2. Forensic analysis of GSM phones
Most, if not all, mobile phones implement information storage by means of one or several
on-board flash memory chip(s). This memory contains all information stored on the phone as
well as the phone-internal software. The most forensically sound procedure for analysis of phones
would therefore be to find a way to digitally image the contents of the phone memory chips
and analyse the contents off-line. Since most phones provide a way for the manufacturer to
access the contents and upgrade the software, this procedure can actually be done for most
phones. The procedure would, however, require knowledge of the programming interface of
the phone, information that manufacturers usually keep to themselves. Tools for accessing
the phone memory directly (called “flashers”) are available on the Internet for many phones
(from Nokia, Ericsson, Siemens and Motorola, amongst others). These flashers seem to
be unauthorized by the phone manufacturers. Using such tools for forensic imaging would
therefore, in the author's opinion, seem questionable, but might be the only way to retrieve
information that could have relevance as evidence.
Most phones can be connected to a computer for data transfer. Connection can be made by
means of a special cable from the manufacturer, or by using wireless interfaces such as IrDA
or Bluetooth. The information on the phone can then be accessed by using special software
from the manufacturer. Such software will commonly let the user download information
contained within the phone, such as text messages, short numbers, dialled numbers, received
calls, and configuration parameters. The contents of the memory will not be directly
accessible using such tools.
A third method of forensic analysis of a mobile phone is simply to use the keypad of the
phone to access the stored information, and photograph it as it appears on screen. Most
information stored on the phones can be accessed using the phone menu system. The IMEI is
on most phones available by typing *#06#. As this method is cumbersome and the analyst
risks changing the information on the phone, it should be avoided if possible.
The author has observed that some phones tie information stored on the phone to the
subscriber identity on the SIM card. This is probably meant as a security feature to prevent
access to sensitive information by unauthorized users. As an example, Nokia phones store
logs of outgoing and incoming calls in the phone. If a user removes the SIM card and inserts
another card, these logs will be cleared. Investigators should therefore be cautious about
removing the card from the phone before relevant information has been secured.


4.2.6.3. Phone contents
The following contents of modern mobile phones can have value as evidence:
- IMEI
- Short Dial Numbers
- Text Messages
- Settings (language, date/time, tone/volume etc)
- Stored Audio Recordings
- Stored Computer Files
- Logged incoming calls and dialled numbers
- Stored Executable Programs
- Stored Calendar Events
- GPRS, WAP and Internet settings

Most of this information is available through a cable and manufacturer-specific software.
However, direct analysis of the memory could potentially reveal other hidden information,
such as deleted text messages. Such analysis has, to the author's knowledge, not yet been
performed.
4.2.6.4. Attacks on the phone
The previously mentioned tools for direct access to the phone memory, so-called flashers, also
allow anyone to freely modify the contents of the phone, including the phone software. Such
modification is usually done to remove access constraints in the phone. The most common
access constraint one would want to remove is a Service Provider lock (commonly called
SP-lock). An SP-locked phone is locked to SIM cards from a certain service provider. Such locked
phones are often sold together with cheap subscriptions or prepaid subscriptions, to lock the
customer to a certain service provider.
Another change one might want to make is to change the IMEI code of a phone. This is
necessary to use stolen phones, since stolen phone IMEIs will be blacklisted in the EIR. The
ability to change the IMEI could also make it more difficult to trace the usage of specific phones.
It is therefore desirable to find a way to detect that the IMEI of a phone has been changed.
The obvious method to do this is to compare the internally stored IMEI with the IMEI printed
on the phone (commonly located under the battery). To detect changes of IMEI and other
changes to a mobile phone it could be useful to find a way to detect electronically if a phone
has been “flashed”. This could be an area of further research within mobile phone forensics.
4.2.7. Electronic evidence in the network
GSM networks contain information that can be of value as evidence. The most valuable
information is arguably the Call Data Record database of the network operator. This database
contains information on each and every call made in the mobile network.
4.2.7.1. Subscriber database
The network provider maintains its own subscriber database. The database usually contains
the following information about each customer:
- Customer name and address
- Billing name and address (if other than customer)
- User name and address (if other than customer)
- Billing account details
- Telephone Number (MSISDN)
- IMSI
- SIM serial number (as printed on the SIM-card)
- PIN/PUK for the SIM
- Services allowed
Some providers allow prepaid subscriptions, where the customers are not identified by name.
Such subscriptions cannot be tied to a person unless a SIM card with the subscription was
seized from a specific person. Given the SIM-card number, the network operator can always
identify the associated IMSI and MSISDN, and then provide access codes and call details for
that card.
4.2.7.2. Call Data Records
Call Data Records (CDRs) are produced every time a user makes a call or sends a text
message. The CDRs are produced in the switch (MSC) where the call or message originates.
CDRs are then gathered in a centralized database and used for billing and other purposes.
Each CDR contains the following:
- Originating MSISDN (A-Number)
- Terminating MSISDN (B-Number)
- Originating and terminating IMEI
- Length
- Type of Service
- Initial serving Base Station (BTS) (not subsequent BTSs after handover)
CDRs can be filtered on any of the above parameters. This means that one can not only obtain
a list of all calls made to/from a certain SIM, but also to/from a certain phone, regardless of
which SIM was used. By looking at the serving BTS, the location of the subscriber can be
pinpointed to the accuracy of a cell at any time the subscriber sends or receives a call or a
text message. Such information certainly has great evidentiary value.
4.2.7.3. Subscriber location
As long as a subscriber is logged on to the network, the HLR stores which Location
Area the subscriber is currently located in. The network operator can, however, pinpoint the
subscriber to a certain cell at any time by activating subscriber trace in the network. More
accurate location than one cell (the coverage of one base station) was not initially supported in
GSM [WIL98]. Governmental requirements have later demanded the implementation of a
location service in GSM Phase 2 and 2+. Such a location service has now been implemented
in many GSM networks. The location service works by performing triangulation of a mobile
between different base stations, using field strength measurements reported from the phone
to the network. The location can then be pinpointed to a more accurate level, ranging from a
few hundred meters down to tenths of meters, depending on the conditions. The location
service can be invoked from the mobile at the user's request. It can also be invoked from the
network, for instance when the user calls an emergency call centre. The network operator can
use the location service to locate a customer at any time.
An interesting question is whether it is possible to locate where a phone was shut off. This is often
the situation during searches for missing persons. When a phone is turned off, it deregisters
with the HLR before it shuts down, so that incoming calls do not page the mobile in the entire
location area. This means that it is impossible to tell which location area or cell a phone was
shut down in after the shutdown. However, if the phone loses its power source, it will not
deregister in the HLR since it has no power to communicate. As a result, the last location area
of the phone will be available in the HLR for a period of time after the phone lost its power. This
situation can also be detected by people trying to call the missing subscriber. The reason is
that since the mobile is not deregistered in the HLR, the network will try to page the mobile in
the entire location area. The caller will therefore experience 15-20 seconds of silence before
getting the message that the phone cannot be reached. This property can be useful to
detect if missing persons have fallen into water or been involved in violent crashes, since the
mobile will lose its power source in such situations.
4.2.7.4. Attack on the network
For a long time, it was believed that the GSM system was immune to transmission
interception on the air interface due to the digital encoding and encryption. This has, however,
been shown to be wrong. The transmission protocol on the air interface has flaws in the lack of
mutual authentication and the lack of mandatory encryption. The protocol specifies that the
network can order the MS to turn encryption on or off.
Mobile calls can therefore be intercepted by launching a man-in-the-middle attack in the
following way:
The attacker constructs a device that acts as a Mobile Station on one side, and as a Base Station
on the other side. The Base Station side acts as a normal base station within the network
whose customers the attacker wants to intercept. Customers of this operator who are closer to
the attacker than a normal base station (in terms of radio field strength) will now try to
register with the attacker's base station. The attacker now acts as a Mobile Station and
forwards the traffic to a normal base station of the provider network. Since the traffic is just
forwarded, neither the network nor the MS will notice anything abnormal. Now, when subscriber
Alice wants to use her mobile to call Bob, the call will go through the attacker's device. The
attacker now poses as the network and orders Alice's MS to use unencrypted communication. The
attacker then encrypts the data and sends it to the network encrypted. Since Alice herself
normally will not notice that the communication is unencrypted, the attacker can now listen in
to the conversation, without anyone knowing.
Equipment to perform this type of attack has indeed been reported sold on the black market,
although it is very expensive. It should be noted that it is possible to discover such attacks by
constructing phone software that warns the user when the communication is unencrypted.
(The MS cannot refuse unencrypted communication, since that would not conform to the GSM
specifications.)
4.2.8. The Future – UMTS
Within the next ten years, the UMTS (Universal Mobile Telephone System) is expected to
become the dominant mobile system all over the world. UMTS has been specified by 3GPP
(3rd Generation Partnership Project), and heavily builds on the principles set forth in GSM.
Some features of the UMTS of interest for the forensic examiner will be discussed in the
following.
4.2.8.1. UMTS network structure
UMTS contains similar network elements as GSM for circuit switched calls. As in GSM, the
core of the network is the MSC, and location registers HLR and VLR. Base Stations (BS) are
controlled by network elements called RNCs (Radio Network Controllers). In addition to the
circuit switching elements, UMTS will have a parallel network structure for packet switching.
This consists of interconnected routers, where IP will be used as the transmission technology.

The two different network structures are called the CS (Circuit Switched) Domain and the PS
(Packet Switched) Domain. In the future, as more and more traditional circuit switched
transmission is realized through packet switching (such as Voice over IP), it is expected
that the PS Domain will dominate, with IPv6 as the transmission protocol.
4.2.8.2. UMTS radio interface
The biggest difference between GSM and UMTS is the new radio interface, called UTRAN.
The frequency/time division multiplexing scheme used in GSM has been abandoned for a
code division multiplexing scheme called WCDMA. For the end user this technology will
give better throughput rates (in theory up to 960 kbit/s) and more stable connections. The
interference on other electronic equipment in GSM due to the time multiplexing will also
disappear. However, since the radio interface is very different, the network providers will
have to build a lot of new base stations, a very expensive operation. UMTS will therefore
coexist with GSM, and mobile terminals will be able to use both systems.
The security scheme in UMTS is similar to GSM, with a shared secret hidden on the USIM
providing authentication and encryption between the mobile terminal and the network. The
cryptographic algorithms have been changed to publicly known algorithms with no demonstrated
weaknesses. In addition, the protocol has been changed to include mutual authentication and
to remove the ability to turn off encryption, which was shown to be a problem in GSM. The
protocol also includes cryptographic signing of the signalling traffic before the encrypted
connection has been established, to prevent an attacker from intervening at this stage.
Only time will show if these security measures are enough to keep an entire world of attackers
at bay.
4.2.8.3. UMTS terminals
UMTS does not lay any specific demands on the terminal. It can therefore be expected that
there will be a whole range of different terminals with even more diversity than today. The
UMTS Subscriber Identity Module (USIM) will be an extended version of today's SIM. Like the
GSM SIM, the USIM will be implemented as a smart card. The USIM can contain several
“profiles”, for use by different users or different terminals. These profiles contain the
information on today’s SIM, such as IMSI and MSISDN. In addition, the USIM will be able
to contain executable applications, and other user data.
4.2.8.4. Location services
In GSM, location service was added at a late stage in the specification process, long after the
core networks were up and running. In UMTS, location service has been implemented from
the start. The location service gives both the user and network the ability to obtain the position
of the phone. UMTS allows for location service using field strength triangulation, but also
specifies network assisted GPS as a solution. This would require GPS receivers in each and
every phone, but would give higher positioning accuracy when the phone is outdoors.
4.2.9. Conclusion
Since GSM is the world's largest system for mobile communication today and also lays the
foundation for the future UMTS, it is important to recognize the need to study the methods
and tools for forensic analysis of the GSM system. Where current investigation is done with
tools not specifically designed for forensics (except Cards4Labs), the future will hopefully see
tools that let an investigator image and analyse contents of phones and SIM-cards in a
forensically sound way. Further research is also needed into analysis of information stored on
phones and SIM-cards.

It is clear that the GSM system contains large amounts of information valuable to the
investigator. Most of this information is available today, can be retrieved, and has great
potential to be used as evidence.

5. EXPERIMENTS

5.1. IDENTIFYING THE HARDWARE

PURPOSE
This exercise guides the students through the functions of all the keys on the cellular mobile
phone hardware.

BACKGROUND INFORMATION

Refer to the Cellular Mobile phone user guide.

EQUIPMENT

1. Cellular Mobile Phone Trainer (ERT-CTT-2)

PROCEDURE

1. Prepare equipment required for this experiment.

2. Observe the Cellular mobile phone trainer, read the Cellular mobile phone user guide and
then study the functions of all the keys.

3. Look at the figure below and write down the names and functions of all keys.

1. ___________________________________________________________________________________
___________________________________________________________________________________
___________________________________________________________________________________


2. ___________________________________________________________________________________
___________________________________________________________________________________
___________________________________________________________________________________

3. ___________________________________________________________________________________
___________________________________________________________________________________
___________________________________________________________________________________

4. ___________________________________________________________________________________
___________________________________________________________________________________
___________________________________________________________________________________

5. ___________________________________________________________________________________
___________________________________________________________________________________
___________________________________________________________________________________

6. ___________________________________________________________________________________
___________________________________________________________________________________
___________________________________________________________________________________

7. ___________________________________________________________________________________
___________________________________________________________________________________
___________________________________________________________________________________

8. ___________________________________________________________________________________
___________________________________________________________________________________
___________________________________________________________________________________

9. ___________________________________________________________________________________
___________________________________________________________________________________
___________________________________________________________________________________

10. ___________________________________________________________________________________
___________________________________________________________________________________
___________________________________________________________________________________

11. ___________________________________________________________________________________
___________________________________________________________________________________
___________________________________________________________________________________


12. ___________________________________________________________________________________
___________________________________________________________________________________
___________________________________________________________________________________

13. ___________________________________________________________________________________
___________________________________________________________________________________
___________________________________________________________________________________

14. ___________________________________________________________________________________
___________________________________________________________________________________
___________________________________________________________________________________

4. Look at the figure below and fill in the blanks with the data shown in the figure.

1. ___________________________________________________________________________________

2. ___________________________________________________________________________________

3. ___________________________________________________________________________________

4. ___________________________________________________________________________________

5. ___________________________________________________________________________________

6. ___________________________________________________________________________________

5. After completing this experiment, get approval from your instructor.


5.2. FIRST STEPS IN USING THE PHONE


PURPOSE
- This exercise guides students through installing the SIM card and battery in the
cellular mobile phone.
- This exercise guides students to understand the function of the SIM card in the cellular
mobile phone.

BACKGROUND INFORMATION

Refer to the Cellular Mobile phone user guide.

EQUIPMENT

1. Cellular Mobile Phone trainer (ERT-CTT-2)
2. SIM card

PROCEDURE

1. Prepare equipment required for this experiment.

2. Remove the back cover of the phone by pushing the back cover release button and sliding
the back cover towards the bottom of the phone.

3. Install the SIM card and the Battery.


Note: Use a SIM card that is registered with a network operator in your country.

4. Return the back cover to rear side of phone.

5. Turn ON the cellular mobile phone by pressing and holding the power switch.

6. Wait until the cellular mobile phone has finished starting up, then set the clock and date.

7. Observe the LCD display on Cellular mobile phone.


What is the network operator name? ______________________________________________

8. Turn OFF the Cellular mobile phone.

9. Remove the back cover, then remove the battery and the SIM card from the rear of the
phone.

10. Install the battery and the back cover without the SIM card, then turn ON the cellular
mobile phone by pressing the power switch.

11. Observe the LCD display on Cellular mobile phone.


What message is displayed? _________________________________________________
Does the cellular mobile phone operate normally? _______________________________

12. Turn OFF the cellular mobile phone and then reinstall the SIM card.


13. Explain the function of the SIM card in the cellular mobile phone, using what you
observed with and without the card installed.

________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

14. After completing this experiment, clean your work bench.


5.3. TROUBLESHOOTING THE SIM CARD


PURPOSE
- This exercise guides students to know the voltage level used to operate the SIM card.
- This exercise guides students to know the waveforms of the Data and Clock signals on the
SIM card.

BACKGROUND INFORMATION

SIM card contacts:

PIN  NAME   DESCRIPTION
1    VCC    Power supply input. ISO/IEC 7816-3 defines 5 V (class A), 3 V (class B) and
            1.8 V (class C) supply classes; the test point list in the appendix gives the
            value measured on this trainer.
2    RESET  Either used by itself (reset signal supplied by the interface device) or in
            combination with an internal reset control circuit (optional use by the card).
            If an internal reset is implemented, the supply on Vcc is mandatory.
3    CLOCK  Clocking or timing signal (optional use by the card).
4    GND    Ground (reference voltage).
5    Vpp    Programming voltage input (optional). This contact may be used to supply the
            voltage required to program or erase the internal non-volatile memory.
6    I/O    Input or output for serial data to the integrated circuit inside the card.
7    N/C    Not used.
8    N/C    Not used.

Note: the fault list in the appendix numbers the SIM socket contacts differently from this
table (Vcc on pin 3, clock on pin 1); identify a contact by its name, not its number, before
probing it.

EQUIPMENT

1. Cellular Mobile Phone trainer (ERT-CTT-2)
2. Oscilloscope
3. Digital multimeter


PROCEDURE

1. Prepare the equipment required for this experiment.

2. Remove the back cover of the phone by pushing the back cover release button and sliding
the back cover towards the bottom of the phone.

3. Install the SIM card and the battery in the rear of the phone, then replace the back
cover.

4. Turn ON the cellular mobile phone, set the clock and date, and wait until the LCD
displays the network operator.

5. Using the digital multimeter, measure the SIM card Vcc at TP3 and record the result.

6. Observe the cellular mobile phone block diagram panel, then activate the SIM card VCC
fault by pressing its fault button.

7. Observe the LCD display of the phone.


What message is displayed? _________________________________________________
Does the cellular mobile phone operate normally? _______________________________

8. Reset the fault by pressing the RESET button on the cellular mobile phone block diagram
panel. The phone returns to normal operation automatically once the fault is reset.

9. Turn OFF the cellular mobile phone.


10. Why does the phone not work when the SIM card Vcc is not supplied? Write down your
explanation.
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

11. Connect the oscilloscope probe to TP4 and then turn ON the cellular mobile phone. While
the phone is starting up, observe the data signal on the oscilloscope and draw the waveform
below. The I/O line idles high and carries only short bursts of data, so use a single-shot
(normal) trigger on a falling edge rather than auto trigger.


12. Activate the SIM card data fault by pressing its fault button on the cellular block
diagram panel.

13. Observe the LCD display of the phone.


What message is displayed? _________________________________________________
Does the cellular mobile phone operate normally? _______________________________

14. Reset the fault by pressing the RESET button. The phone returns to normal operation
automatically once the fault is reset.

15. Connect the oscilloscope probe to TP5 and then turn ON the cellular mobile phone. While
the phone is starting up, observe the clock signal on the oscilloscope and draw the waveform
below. Note the clock frequency: it sets the bit timing of the data seen at TP4.

16. Activate the SIM card clock fault by pressing its fault button on the cellular block
diagram panel.

17. Observe the LCD display of the phone.


What message is displayed? _________________________________________________
Does the cellular mobile phone operate normally? _______________________________

18. Reset the fault by pressing the RESET button. The phone returns to normal operation
automatically once the fault is reset.

19. Turn OFF the cellular mobile phone trainer.

20. Compare all your experiment results with the fault list and test point list in the
appendix.
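The burst of serial data seen at TP4 right after the phone releases the SIM's RESET contact is the card's Answer To Reset (ATR) defined in ISO/IEC 7816-3: it tells the phone which protocol and which clock-to-bit-rate ratio the card supports, and its bit timing is fixed by the clock on TP5 (one bit lasts F/D clock cycles, 372 by default). The manual does not decode this burst. The Python script below is an added example, not part of the original manual or of Labtech's materials; it parses an ATR into its interface bytes, historical bytes and check byte, and converts a clock frequency read from TP5 into the I/O bit rate to expect on TP4. The two ATR byte strings and the 3.25 MHz clock value are constructed for illustration and were not captured from the ERT-CTT-2.

```python
"""Decode an ISO/IEC 7816-3 Answer To Reset (ATR), the first bytes a SIM card sends
on its I/O contact after the phone releases RESET, and relate the bit timing of that
data to the clock on the CLK contact.  Added example for this manual; the ATR byte
strings and clock frequency in demo() are constructed, not captured from a trainer."""
from dataclasses import dataclass, field
from functools import reduce
from operator import xor
from typing import Dict, List, Optional

# ISO/IEC 7816-3: FI (high nibble of TA1) -> clock-rate conversion integer F,
# DI (low nibble of TA1) -> baud-rate adjustment integer D.  None = reserved code.
F_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None,
           None, 512, 768, 1024, 1536, 2048, None, None]
D_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]
# Every card starts at F=372, D=1.  TA1 only offers other values; they take
# effect only after the phone selects them with a PPS exchange.
DEFAULT_F, DEFAULT_D = 372, 1


@dataclass
class Atr:
    convention: str                                  # "direct" (TS=3B) or "inverse" (TS=3F)
    interface: Dict[str, int] = field(default_factory=dict)  # e.g. {"TA1": 0x95, "TD1": 0x81}
    protocols: List[int] = field(default_factory=list)       # T values named by TD bytes
    historical: bytes = b""
    tck_present: bool = False
    tck_ok: Optional[bool] = None                    # None when no TCK byte is required
    f_offered: int = DEFAULT_F                       # F and D advertised in TA1
    d_offered: int = DEFAULT_D


def parse_atr(raw: bytes) -> Atr:
    """Walk TS, T0, the TA/TB/TC/TD chain, historical bytes and TCK.  A truncated
    ATR or unknown TS raises ValueError; a bad TCK is only flagged in tck_ok."""
    if len(raw) < 2:
        raise ValueError("ATR needs at least TS and T0")
    if raw[0] not in (0x3B, 0x3F):
        raise ValueError(f"unknown TS byte 0x{raw[0]:02X}")
    atr = Atr(convention="direct" if raw[0] == 0x3B else "inverse")

    t0 = raw[1]
    k = t0 & 0x0F            # number of historical bytes
    y = t0 >> 4              # presence bits for TA1, TB1, TC1, TD1
    pos, i = 2, 1
    while True:
        for bit, name in ((0x1, "TA"), (0x2, "TB"), (0x4, "TC"), (0x8, "TD")):
            if y & bit:
                if pos >= len(raw):
                    raise ValueError(f"ATR truncated before {name}{i}")
                atr.interface[f"{name}{i}"] = raw[pos]
                pos += 1
        td = atr.interface.get(f"TD{i}")
        if td is None:
            break                # no further interface bytes announced
        atr.protocols.append(td & 0x0F)
        y = td >> 4              # presence bits for the next group
        i += 1
    if not atr.protocols:
        atr.protocols = [0]      # without TD1 the card offers T=0 only

    if pos + k > len(raw):
        raise ValueError("ATR truncated inside historical bytes")
    atr.historical = bytes(raw[pos:pos + k])
    pos += k

    # TCK is mandatory whenever a protocol other than T=0 is offered; the XOR of
    # every byte from T0 through TCK must then be zero.
    if any(t != 0 for t in atr.protocols):
        if pos >= len(raw):
            raise ValueError("ATR truncated before TCK")
        atr.tck_present = True
        atr.tck_ok = reduce(xor, raw[1:pos + 1], 0) == 0

    ta1 = atr.interface.get("TA1")
    if ta1 is not None:
        f_val, d_val = F_TABLE[ta1 >> 4], D_TABLE[ta1 & 0x0F]
        if f_val is not None and d_val is not None:
            atr.f_offered, atr.d_offered = f_val, d_val
    return atr


def etu_clocks(F: int = DEFAULT_F, D: int = DEFAULT_D) -> float:
    """Length of one elementary time unit (one bit on I/O) in CLK cycles."""
    return F / D


def bit_rate(f_clk_hz: float, F: int = DEFAULT_F, D: int = DEFAULT_D) -> float:
    """I/O bit rate in bit/s for the clock frequency measured on the CLK contact."""
    return f_clk_hz * D / F


def demo() -> None:
    # Constructed ATRs: a minimal T=0 card, and a T=1 card whose TCK makes the check pass.
    for hexstr in ("3B 12 94 80 01", "3B D2 95 00 81 31 FE 45 4A 53 55"):
        a = parse_atr(bytes.fromhex(hexstr))
        print(hexstr, "->", a.interface, "T =", a.protocols, "TCK ok:", a.tck_ok)
    clk = 3.25e6             # assumed CLK frequency for the calculation, not a measured value
    print(f"{etu_clocks():.0f} clocks/bit by default -> {bit_rate(clk):.0f} bit/s at {clk / 1e6} MHz")


if __name__ == "__main__":
    demo()
```

Because TA1 is only an offer, the phone keeps the default 372 clock cycles per bit unless it performs a PPS exchange, so a trace at the default rate is normal even when TA1 advertises a faster one. ISO/IEC 7816-3 requires the card to start its ATR within 40 000 clock cycles of reset; if the phone receives none (no supply, no clock, or an open I/O line), it treats the card as absent, which is the "Insert SIM card" message listed for faults F3 to F5 in the appendix.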


5.4. TROUBLESHOOTING THE VIBRATOR CIRCUIT


PURPOSE

- This exercise guides students to know the function of the vibrator in the cellular mobile
phone.
- This exercise guides students to know the waveform of the vibrate signal in the vibrator
circuit of the cellular mobile phone.

BACKGROUND INFORMATION

Refer to the cellular mobile phone user guide.

EQUIPMENT

1. Cellular Mobile Phone trainer (ERT-CTT-2)
2. SIM card
3. Oscilloscope
4. Another working mobile phone

PROCEDURE

1. Prepare the equipment required for this experiment.

2. Remove the back cover of the phone by pushing the back cover release button and sliding
the back cover towards the bottom of the phone.

3. Install the SIM card and the battery in the rear of the phone, then replace the back cover.
Note: Make sure you know the phone number of the SIM card in use.

4. Turn ON the cellular mobile phone, set the clock and date, and wait until the LCD
displays the network operator.

5. Open the "Phone settings" menu, then activate the vibrating alert and the ringing tone alert.

6. From the other mobile phone, dial the number of the cellular mobile phone trainer.

7. Touch the rear of the cellular mobile phone trainer.


Does the vibrator operate when the incoming call arrives? _________________________

8. Using the oscilloscope, measure the vibrate signal at TP2. Record the result and draw the
waveform below.


9. Activate the vibrator fault by pressing its fault button on the cellular mobile phone block
diagram panel.

10. Touch the rear of the cellular mobile phone trainer again.


Does the vibrator operate when the incoming call arrives? _________________________

11. Using the oscilloscope, measure the vibrate signal at TP2 again. Compare the result with
step 8 above.

12. End the call from the other mobile phone, then reset the fault by pressing the RESET
button.

13. Turn OFF the cellular mobile phone.

14. Compare all experiment results with the fault list and test point list in the appendix.


5.5. TROUBLESHOOTING THE MICROPHONE CIRCUIT


PURPOSE

This exercise guides students to know the function of the microphone in the cellular mobile
phone.

BACKGROUND INFORMATION

Refer to the cellular mobile phone user guide and schematic diagram.

EQUIPMENT

1. Cellular Mobile Phone trainer (ERT-CTT-2)
2. SIM card
3. Oscilloscope
4. Another working mobile phone

PROCEDURE

1. Prepare the equipment required for this experiment.

2. Remove the back cover of the phone by pushing the back cover release button and sliding
the back cover towards the bottom of the phone.

3. Install the SIM card and the battery in the rear of the phone, then replace the back cover.
Note: Make sure you know the phone number of the SIM card in use.

4. Turn ON the cellular mobile phone, set the clock and date, and wait until the LCD
displays the network operator.

5. From the other mobile phone, dial the number of the cellular mobile phone trainer.

6. Connect the oscilloscope probe to the microphone signal at TP6.

7. Answer the incoming call and hold a conversation.


Does the cellular mobile phone trainer function correctly? _________________________

8. Observe the waveform of the microphone signal on the oscilloscope.

9. Activate the microphone fault by pressing its fault button on the cellular block diagram
panel.

10. Continue the conversation.


Can the person on the other mobile phone still hear your voice from the trainer? ___

11. Observe the microphone signal on the oscilloscope again.


Is the microphone signal still present on the oscilloscope? _________________________


12. Reset the fault by pressing the RESET button on the cellular block diagram panel.

13. End the call by pressing the end call key on the cellular mobile phone trainer.

14. Turn OFF the cellular mobile phone trainer.

15. Compare all experiment results with the fault list and test point list in the appendix.

16. Explain the function of the microphone in the cellular mobile phone. Write down your
explanation below.
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________


5.6. TROUBLESHOOTING THE SPEAKER CIRCUIT


PURPOSE

This exercise guides students to know the function of the speaker in the cellular mobile
phone.

BACKGROUND INFORMATION

Refer to the cellular mobile phone user guide and schematic diagram.

EQUIPMENT

1. Cellular Mobile Phone trainer (ERT-CTT-2)
2. SIM card
3. Oscilloscope
4. Another working mobile phone

PROCEDURE

1. Prepare the equipment required for this experiment.

2. Remove the back cover of the phone by pushing the back cover release button and sliding
the back cover towards the bottom of the phone.

3. Install the SIM card and the battery in the rear of the phone, then replace the back cover.
Note: Make sure you know the phone number of the SIM card in use.

4. Turn ON the cellular mobile phone, set the clock and date, and wait until the LCD
displays the network operator.

5. Open the "Phone settings" menu, then activate the ringing tone alert and set the volume
high.

6. From the other mobile phone, dial the number of the cellular mobile phone trainer.

7. When the call connects, do not answer it on the cellular mobile phone trainer; listen for
the ringing alert from the trainer's speaker.
Can you hear the ringing alert from the speaker? ____________________________________

8. Using the oscilloscope, measure the ring signal at TP7 and observe the waveform.

9. Activate the speaker fault by pressing its fault button on the cellular block diagram
panel.
Can you still hear the ringing alert from the speaker? ________________________________

10. Reset the fault by pressing the RESET button on the cellular mobile phone block diagram
panel.

11. End the call from the other mobile phone.


12. Open the Tones menu in the Gallery of the cellular mobile phone trainer and play a tone.
Can you hear the tone from the speaker? ______________________________

13. Activate the speaker fault by pressing its fault button on the cellular block diagram
panel.
Can you still hear the tone from the speaker? ________________________________

14. Reset the fault by pressing the RESET button on the cellular mobile phone block diagram
panel.

15. Turn OFF the cellular mobile phone trainer.

16. Compare all experiment results with the fault list and test point list in the appendix.

17. Explain the function of the speaker in the cellular mobile phone. Write down your
explanation below.
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________


5.7. TROUBLESHOOTING THE BATTERY UNIT


PURPOSE

This exercise guides students to know the function of the battery in the cellular mobile
phone.

BACKGROUND INFORMATION

Refer to the cellular mobile phone user guide and schematic diagram.

EQUIPMENT

1. Cellular Mobile Phone trainer (ERT-CTT-2)
2. SIM card
3. Digital multimeter

PROCEDURE

1. Prepare the equipment required for this experiment.

2. Remove the back cover of the phone by pushing the back cover release button and sliding
the back cover towards the bottom of the phone.

3. Install the SIM card and the battery in the rear of the phone, then replace the back cover.
Note: Make sure you know the phone number of the SIM card in use.

4. Turn ON the cellular mobile phone, set the clock and date, and wait until the LCD
displays the network operator.

5. Using the digital multimeter, measure the battery voltage at TP9 and record the result.

6. Activate the battery fault by pressing its fault button on the cellular mobile phone block
diagram panel.

7. Observe the cellular mobile phone trainer.


Does the cellular mobile phone still operate normally? ____________________________

8. Using the digital multimeter, measure TP9 again. Compare the result with step 5 above.

9. Reset the fault by pressing the RESET button on the cellular mobile phone block diagram
panel.

10. Observe the cellular mobile phone.


Does the cellular mobile phone turn on after the fault is reset? ______________
If the cellular mobile phone does not turn on after the fault is reset, press the power
switch and check that the phone operates normally.

11. Turn OFF the cellular mobile phone.


12. Compare all experiment results with the fault list and test point list in the appendix.

13. Explain the function of the battery in the cellular mobile phone. Write down your
explanation below.
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________


5.8. TROUBLESHOOTING THE CPU CIRCUIT


PURPOSE

This exercise guides students to know the function of the CPU circuit in the cellular mobile
phone.

BACKGROUND INFORMATION

Refer to the cellular mobile phone user guide and schematic diagram.

EQUIPMENT

1. Cellular Mobile Phone trainer (ERT-CTT-2)
2. SIM card
3. Digital multimeter

PROCEDURE

1. Prepare the equipment required for this experiment.

2. Remove the back cover of the phone by pushing the back cover release button and sliding
the back cover towards the bottom of the phone.

3. Install the SIM card and the battery in the rear of the phone, then replace the back cover.
Note: Make sure you know the phone number of the SIM card in use.

4. Turn ON the cellular mobile phone, set the clock and date, and wait until the LCD
displays the network operator.

5. Using the digital multimeter, measure the CPU supply voltage at TP10 and record the
result.

6. Activate the CPU fault by pressing its fault button on the cellular mobile phone block
diagram panel.

7. Observe the cellular mobile phone trainer.


Does the cellular mobile phone still operate normally? ____________________________

8. Using the digital multimeter, measure TP10 again. Compare the result with step 5 above.

9. Reset the fault by pressing the RESET button on the cellular mobile phone block diagram
panel.

10. Observe the cellular mobile phone.


Does the cellular mobile phone turn on after the fault is reset? ______________
If the cellular mobile phone does not turn on after the fault is reset, press the power
switch and check that the phone operates normally.

11. Turn OFF the cellular mobile phone.


12. Compare all experiment results with the fault list and test point list in the appendix.

13. Explain the function of the CPU circuit in the cellular mobile phone. Write down your
explanation below.
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________


5.9. TROUBLESHOOTING THE CHARGER UNIT


PURPOSE

This exercise guides students to know the function of the charger unit for the cellular
mobile phone.

BACKGROUND INFORMATION

Refer to the cellular mobile phone user guide and schematic diagram.

EQUIPMENT

1. Cellular Mobile Phone trainer (ERT-CTT-2)
2. SIM card
3. Digital multimeter
4. Charger

PROCEDURE

1. Prepare the equipment required for this experiment.

2. Remove the back cover of the phone by pushing the back cover release button and sliding
the back cover towards the bottom of the phone.

3. Install the SIM card and the battery in the rear of the phone, then replace the back cover.
Note: Make sure you know the phone number of the SIM card in use.

4. Turn ON the cellular mobile phone, set the clock and date, and wait until the LCD
displays the network operator.

5. Connect the charger plug to the charger connector of the cellular mobile phone.

6. Observe the LCD display and check that the charger is working.

7. Using the digital multimeter, measure the charger output voltage at TP8 and record the
result.

8. Activate the charger fault by pressing its fault button on the cellular mobile phone block
diagram panel.

9. Observe the LCD display of the cellular mobile phone.


Does the cellular mobile phone still operate normally? ____________________________
Does the charging system still function? _______________________________________

10. Using the digital multimeter, measure TP8 again. Compare the result with step 7 above.

11. Reset the fault by pressing the RESET button on the cellular mobile phone block diagram
panel.


12. Observe the cellular mobile phone.


Does the charging system function after the fault is reset? ________________________

13. Unplug the charger connector from the cellular mobile phone.

14. Turn OFF the cellular mobile phone.

15. Compare all experiment results with the fault list and test point list in the appendix.

16. Explain the function of the charger unit for the cellular mobile phone. Write down your
explanation below.
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________


5.10. TROUBLESHOOTING THE CAMERA CIRCUIT


PURPOSE

This exercise guides students to know the function of the camera in the cellular mobile
phone.

BACKGROUND INFORMATION

Refer to the cellular mobile phone user guide and schematic diagram.

EQUIPMENT

1. Cellular Mobile Phone trainer (ERT-CTT-2)
2. SIM card
3. Digital multimeter

PROCEDURE

1. Prepare the equipment required for this experiment.

2. Remove the back cover of the phone by pushing the back cover release button and sliding
the back cover towards the bottom of the phone.

3. Install the SIM card and the battery in the rear of the phone, then replace the back cover.
Note: Make sure you know the phone number of the SIM card in use.

4. Turn ON the cellular mobile phone, set the clock and date, and wait until the LCD
displays the network operator.

5. Open the Media menu and start the camera.

6. Observe the LCD display and check that the camera is working.

7. Take a photo by pressing the capture key on the cellular mobile phone, save the image and
view it.
Can you capture an image? _________________________________________________

8. Return to the camera viewfinder.

9. Using the digital multimeter, measure the camera voltage at TP1 and record the result.

10. Activate the camera fault by pressing its fault button on the cellular mobile phone block
diagram panel.

11. Observe the LCD display of the cellular mobile phone.


Does the camera still function? ______________________________________________
Can you capture an image? _________________________________________________

12. Using the digital multimeter, measure TP1 again. Compare the result with step 9 above.


13. Reset the fault by pressing the RESET button on the cellular mobile phone block diagram
panel.

14. Observe the LCD display of the cellular mobile phone.


Does the camera work after the fault is reset? ________________

15. Return the cellular mobile phone to the standby screen and then turn it OFF.

16. Compare all experiment results with the fault list and test point list in the appendix.


6. APPENDIX


6.1. THE LIST OF CELLULAR MOBILE PHONE FAULTS

NO | FAULT | DESCRIPTION    | SIMULATION FAULT LOCATION | SYMPTOMS
---|-------|----------------|---------------------------|---------------------------------------------
1  | F1    | Camera         | X1470 pin 11              | Camera is not operating.
2  | F2    | Vibrator       | L2404                     | Vibrator does not function.
3  | F3    | SIM card Vcc   | SIM card pin 3            | The phone cannot operate normally; "Insert SIM card" message on the LCD display.
4  | F4    | SIM card Data  | SIM card pin 6            | The phone cannot operate normally; "Insert SIM card" message on the LCD display.
5  | F5    | SIM card Clock | SIM card pin 1            | The phone cannot operate normally; "Insert SIM card" message on the LCD display.
6  | F6    | Microphone     | Internal MIC pin 1        | The trainer user's voice is not heard by the other party; no sound when using the voice recorder.
7  | F7    | Speaker        | J2100                     | The ringing tone cannot be heard on an incoming call; no sound on playback of ring tones or voice recordings.
8  | F8    | Charger IN     | DC connector pin 1        | The charger does not charge the phone battery.
9  | F9    | Battery unit   | Battery positive          | The phone cannot be turned on; the phone switches off.
10 | F10   | CPU            | CPU Vcc                   | The phone cannot be turned on; the phone switches off.


6.2. THE LIST OF CELLULAR MOBILE PHONE TEST POINTS

NO | TEST POINT | DESCRIPTION          | MEASUREMENT RESULT
---|------------|----------------------|------------------------------------------------------
1  | TP1        | Camera Vcc           | 1.8 VDC
2  | TP2        | Vibrator             | 0.15 Vp-p
3  | TP3        | SIM card Vcc         | 2.9 VDC (within the 3 V class B supply range)
4  | TP4        | SIM card Data        | 2.9 VDC (idle level of the I/O line; data bursts appear during card access)
5  | TP5        | SIM card Clock       | 1 Vp-p
6  | TP6        | Microphone           | Voice signal
7  | TP7        | Speaker              | Ring signal
8  | TP8        | Charger DC input     | 4.9 VDC
9  | TP9        | Battery positive     | 4.0 VDC
10 | TP10       | CPU supply regulator | 4.0 VDC
11 | TP11       | USB data +           | Data signal
12 | TP12       | USB data -           | Data signal
13 | GND        | Ground reference     |

The WAVEFORM column of the original table contained oscilloscope figures for the signal test
points; they are not reproduced here.


6.3. CELLULAR MOBILE PHONE BLOCK DIAGRAM
