display | more...
Since the days of experimentation using a standard telephone line are almost over, many of todays curious tech community are moving towards cellular communications.

ESN/MIN pairs are no longer difficult to obtain and if used carefully will last much longer than calling cards, codes and most other methods of phone phreaking.

This text will explain how to easily connect any cellular phone to a modem, without the expense of buying a cellular line interface or similar device.

* What you will require:

To undertake this project you will require the following:

1 desktop telephone
1 telephone doubler socket
4 lengths of wire (30cm long)
1 roll of solder
1 roll of masking tape

You will also require a soldering iron, wire strippers and a screw driver.

* Instructions:

1. Unscrew the screws holding your desktop telephone handset together. Remove the ear piece speaker and microphone from the plastic moulding and cut the wires connected to them.

2. Now solder the 30cm long lengths of wire onto the existing handset ear piece speaker and microphone wires. Once you have done this, simply re-solder the ear piece speaker and microphone onto the extended handset wiring.

3. Place the extended handset ear piece speaker over the mouth piece on your cellular telephone and wrap in masking tape. This will not only hold the extended handset ear piece speaker in position, but also prevent background noise problems.

4. Now place the extended handset microphone over the ear piece on your cellular telephone and wrap in masking tape as above.

* How to use the device:

Basically, what you have done is turned your desktop telephone into an acoustic coupler type device. To use the device, simply follow the instructions below.

1. Plug your telephone doubler socket into your telephone socket. Plug your desktop telephone into one socket and your modem line into the other socket.

2. Leave your telephone handset off the hook until your line is completely dead. (i.e. after you have listened to "please replace the handset and try again" or something similar about 10 times.

3. Dial the modem dialup you wish to call on your cellular phone and press SEND as you would normally.

4. Type ATD into your terminal package and press return. Your modem should now be off the hook and waiting for a carrier signal from your cellular telephone.

* How it works:

The carrier signal from the remote modem will be sent out of your cellular telephone ear piece speaker and into the desktop telephone handset microphone. Your modem will receive any data send into the desktop telephone handset after the ATD (off-hook) command has been issued.

In the same way, any carrier signals from your modem will be sent out of the desktop telephone handset earpiece speaker and into your cellular telephone microphone.

shouts out to: Phantasm on UnAuThOrIsEd AcCeSs BBS...he's the mofo that came up with this :0)
it's also available at phreak.org, and may have been in an issue of phrack...
I recall reading in the book "Takedown*" that this was the method that convicted cracker Kevin Mitnick used that let the feds right to his door. Coordinating with the FCC, FBI and several cellular companies they narrowed his location down to an apartment complex in Raliegh, North Carolina February 1995 where he was arrested.

Running a modem session over an analog cellular connection has been known to be quite unreliable due to static, background noise and geographics among other things. And having repeatedly dropped calls left quite a large series of footprints for the investigators to follow.

Using their direction-finding equipment had it's limitations. Apparently they could only listen to a conversation at the site of a cell tower, as they were tracking the transciever of a cellphone they were listening to by the breaks in conversation. The other party broadcasting from the tower was one that Tsutomu Shimomura recognized, the voice of Eric Corley. At that point, they knew they were close. Also the fact that dropped calls were common was one of the frustrations that the feds experienced while narrowing his location down.

The moral of the story, k1dd13z, is that it is not very wise to use cell phones for illegitmate purposes, as they are becoming more and more like homing devices since manufacturers are now including assisted GPS technology for E911 services in them as well. (then again, when do crackers use those few braincells they have for any common sense anyways?)

* Book Title: Takedown: The Pursuit and Capture of Kevin Mitnick
Author: Tsutomu Shimomura with John Markoff
Publisher: Hyperion 1996
ISBN: 0786862106

I don't see much benefit in the procedure artemis entreri describes; you're essentially making an ad-hoc (and therefore likely leaky) acoustic coupler and then introducing your land line circuit into the mix just to get power and a dial tone for the phone handset, which is overly involved and gains you little relative to simply using the land line directly. The benefit for Kevin Mitnick, of course, was that it takes longer to trace a cell phone call than a land line call, but the rest of us probably don't want to end up like him, do we? So probably you just want to make a call when you have nothing but your cell phone on and, or your cell phone has free long distance, or the like.

Cell phones are cheap these days. Often you can get a second (none-too-fancy) phone with a calling plan for a few dollars extra. Why not simply open up the phone itself? You might need some Torx drivers to get it open, but once you've done that, it's a simple matter of cutting the wires running to the speaker and the microphone and alligator clipping to an RJ-11 connector ripped off a random phone cable (or going whole-hog and buying a connector and crimper from Rat Shack). The dial tone problem is easy to work around with a little knowledge of the Hayes command set: ATX0 tells the modem not to bother listening for a dial tone before dialing. So you tell the modem ATX0, then dial the cell phone by hand, then tell the modem ATD to get it to start negotiation. Ta-da! now u r 1337.

There is something wrong with all of the writeups in this node. As an ex-cellular engineer, I feel the need to set some things straight.

artemis entreri: this cannot work. After the voice is done telling you to hang up and the loud beeping stops, power is cut to your landline phone. It will not be reconnected until you hang up or unplug the phone for bit. Technically, there will still be a small voltage applied to your line to detect when you finally hang up; this isn't nearly enough to operate your phone, which wants -48 volts DC.

Even if you hooked up your own -48V power source to your phone, taping the ear and mouthpiece of a landline phone to a cellphone will cause serious harmonic distortion. Even purpose-built acoustic couplers introduce significant distortion at higher frequencies, which is why recent modems connect directly to the phone line.

Any: soldering the ear and mouthpiece to the cellphone electronics won't help either. The impedance will be completely mismatched if the devices aren't outright incompatible. The landline parts most likely work at -48 volts; I'm willing to bet no-one made cellphones that could drive those parts.

BlueJayW: GPS is not necessary to locate a cellphone user, but being able to locate a cellphone user is necessary for the network to work correctly. The network has to know how far you are from the towers nearest you in order to assign your call to the 'best' (usually nearest) tower and tell your phone what power to transmit at. Always using the lowest possible transmit power at the phone and tower allows what's called frequency reuse. Cellular radio would not be possible without frequency reuse, there would not be enough bandwidth for everyone. By transmitting at low power, you limit the reach of your signal and allow someone in a different cell to use the same frequency at the same time. If cells are small, you can get high call density, and at low power you get good battery life. The network tracks your phone by taking repeated measurements of your signal at several towers, and reassigns you to a different cell when you move.

Also, you misunderstand part of the narrative you refer to. A call can always be monitored completely at the telephone switch your tower is connected to. In an analog network in which tower triangulation wasn't possible, whoever was trying to locate a cellular user would need to use a mobile directional receiver to find the user within the cell. They could only hear the tower side of the call until they got close to the phone they're tracking because the tower's signal can be received in the entire cell, but the phone's signal cannot. They would know they were close when they heard the mobile (not tower) side of the call, but the whole call could be recorded at the phone company switch.

In modern US systems, a law called CALEA mandates that the phone company be able to tap any digital or analog cellular call and forward all voice, data and call control information in a standard format to an evidence collection center for all calls to and from any cellular number. All law enforcement needs to do is get a phone number and a court order. If you feel like being paranoid about something, this is a better target :-)

All: The only good way of using modems over cellular is with support from the phone. Even then, 9600 baud is the most you'll realistically get without using technologies such as GPRS or 1x, which use different digital transmission strategies from voice calls and require additional capabilities in your phone's radio and software.

You people have the right idea, but not the right implementation.

As someone with extensive electronics experience, allow me to clarify.

What you see in movies is Hollywood, not reality. Especially in "high-tech" movies about computers, hackers, etc. Film directors are NOT electrical engineers, so don't assume that what you see can really be done.

First of all, Giza is correct with several points. The loop current on a terrestrial line is reduced to a tiny little sensing current if the phone is left off-hook for a long time.

How long? VERY long... think more along the lines of 10 - 15 minutes! (At least in my area with my local telephone provider.) After the recorded "please hang up" message repeats about 10 times, a VERY LOUD pulsing tone similar to a fast busy signal is played for several minutes. I don't think anyone wants to wait that long before making a cellular data call. That being said, leave the terrestrial phone line out of this!

Giza also mentioned that the acoustic coupler will introduce harmonic distortion. Well, it could very well be so bad you may not even be able to use such a contraption past 300 baud FSK! You'd be much better off using the headset jack on the cellular telephone to interface directly with the cell phone's audio circuits.

Giza is also correct in mentioning that the impedance won't match. This can be fixed with some basic electronic circuitry, but if you don't understand how to interface op-amps and design RC networks, forget about pursuing this project. If however this sort of electronics design is childs play for you, there's more...

We still need to figure out a way of connecting the cell phone to the modem. We've already established that using a terrestrial phone line and telephone is NOT going to work well, or even at all. The problem is, terrestrial telephones use the same pair of wires for both the SEND and RECEIVE audio. Separating this requires a very carefully balanced impedance network which almost exactly matches the impedance characteristics of the modem.

Obviously no telephone line in existence is a perfect match, but because the SNR of a cellular connection is much worse than a terrestrial (wireline) connection, we don't have much room for error here. Your best bet? Forget about trying to make a line hybrid. (That's what the impedance balancing network is called which separates the SEND and RECEIVE audio).

Instead, disassemble the modem, and trace it's DAA circuit. (Data Access Arrangement. It's the analog circuitry between the phone line jack and the A/D converters.) Disconnect the A/D converters from the DAA's hybrid network, but at a point where the A/D converter chip input and output is still buffered (if possible.) Note that on most modern modems, the DAC (digital to analog converter), ADC (analog to digital converter), and DSP (digital signal processor) are all on the same IC.

Now that you've got separate SEND and RECEIVE audio lines which never cross or mix together, it's up to you to design a suitable impedance matching and level matching circuit to connect to the cell phone's headset jack.

Oh yeah, don't forget de-coupling capacitors or high-quality audio transformers. You're dealing with two devices that may be at different ground potentials, with one of the devices bleeding RF all over the place. Have fun with this one, and may the force be with you.

Alright, let's say you've mastered the art of RF electronics and all the "black magic" associated with it. You've successfully modified your modem (or built a damn good impedance matching hybrid that simulates a real-world phone line) and connected it to your cell phone. Signals levels are right where they should be, SNR is great and THD is nice and low. You're still not done... Now you have to wrestle with the cellular telephone and how it's engineers designed it.

Cell phones are designed for voice, not modem tones. The microphone circuitry of the cell phone will likely have filtering to cut low frequencies, boost the mid, etc. The cell phone will also have an AGC (automatic gain control) circuit on the microphone so that when you're yelling in the heat of an argument, your victim will still hear you relatively undistorted. And so that when you're quietly whispering to your partner in crime about phone phreaking, your partner will actually hear you over the phone! Both these types of circuits may wreak havoc on modem tones, which are VERY sensitive to phase error (unless you're perfectly happy with 300 baud).

If the whole phase error thing is confusing you at this point, go read about FSK, PSK, QPSK, and QAM. That's a whole other topic which is beyond the scope of this explanation. If you understand how those modulation schemes work, you'll see why PSK, QPSK, and QAM (which are used for all connection rates faster than 300 baud) need near-perfect phasing.

Finally, this may have been a cool project in the 1980's and early 1990's, but I highly doubt you could do it now. Why? Because it only works with analog phones. Since 99% of the cellular telephone population uses digital phones these days, 99% of the population can't even use a project such as this one.

Here's the scoop: digital cell phones convert the sound into a digital bitstream, then apply a lossy compression algorithm to reduce the data rate. When the audio is restored at the other end of the connection, it does NOT match the original audio! And guess what... the phase angles of all the component frequencies are the first thing to be tossed in the garbage with lossy compression! The very thing which modem tones need to remain intact! See our ears and brains aren't very sensitive to phase error, so to humans the audio still sounds pretty close. But a modem trying to make sense of it won't stand a chance. (Unless you're using an FSK modulation. In other words, 300 baud.)

So let's say you've got a "dual mode" cell phone which can be switched into analog mode. You might be in luck, or you might not. A lot of modern phones, even if they can use analog cellular networks, still pass the audio through a DSP (digital signal processor) before it goes anywhere. If the DSP has aggressive filtering, AGC, or possibly even dynamic range compression, there's a good chance the modems won't be able to connect.

If you're really persistent and insist on making this work, here's a little tip: put the phone into "TTY" or "TDD" mode. This sets the headset jack to industry-standardized levels and impedance, and turns off side-tone. (Side-tone is the term referring to "hearing yourself" in the handset when you speak. For humans, it adds comfort because it doesn't feel like you're talking into a dead telephone. For modems, it's problematic because it's just one more bit of noise that the modem has to try to filter out.) If you can find it, download the "TIA/EIA-PN-3-4558-RV1 Rev. A of TIA TSB121" specification. There's lots of good information to work from on there, particularly about the electrical characterics of the 2.5mm headset jack in TTY (or TDD) mode.

There's still a few issues to be considered on the modem too...

Normally by default, the modem waits for a dial-tone before calling, so you have to disable this. As someone already mentioned, you can use the ATX0 command (that's a zero, not the letter O), but there's a better alternative: ATX3. ATX3 will disable the wait for dial-tone, but will retain things like busy signal detection. (ATX0 will disable all of the modem's intelligence at recognizing telephone signalling.)

You may also want to increase the amount of time the modem spends trying to establish a connection, since the modem will have a lot of different protocols to try before it finally finds something that works on such a contraption. This time value (in seconds) is usually stored in register S7. Type ATS7=n , where n is the number of seconds.

Consider forcing your modem to use lower connection speeds. Hell will become a very cold place before you'll get a 56k connection over a cell phone, so there's no point in even letting your modem try it. It'll just make the connection process take longer... perhaps too long and time-out. Some modems are also buggy and won't bother trying all the way down to their lowest speeds (which may be the best you can expect for this!) unless you force them to use only low speeds.

Also, you may want to increase the modem's tolerance to line noise... specifically, loss of carrier. Most modems will drop the connection if they lose track of the carrier tone for just 1 or 2 seconds. Increase this to at least 4 or 5 seconds. This time value (in tenths of a second) is usually stored in register S10. Type ATS10=n, where n is the number of seconds x10.

Ultimately, the modem with the lowest S7 and S10 settings determines the actual timeouts between the two modems. Even if you set your modem to allow 25.5 seconds of garbled audio before it finally drops the connection (ATS10=255), if the remote modem answering the call only allows for 2, then 2 or more seconds of noise is all it takes to become disconnected!

------------

Now, before anyone argues with all this, allow me to speak from experience.

I have tried this. The results?

  • Analog cordless telephone (closest thing I had to an all-analog cell phone at the time): modems connected at 9600 bps, sometimes 12,000 bps.
  • Dual mode cellular telephone in analog TTY mode: modems connected at 4800 bps, sometimes 7200.
  • Dual mode cellular telephone in analog voice mode: modems connected at 2400 bps.
  • Digital GSM cellular telephone in TTY mode: modems connected at 300 bps FSK.
  • Digital GSM cellular telephone in voice mode: modem sometimes connected at 300 bps FSK, connection was very unreliable.

This was done using active impedance matching circuits with isolation transformers and de-coupling capacitors, parametric equalizers to compensate for the cell phone's tonal characteristics, and a modified modem where the SEND and RECEIVE audio never crossed paths.

A lot of work for something that never achieved very impressive results.

I guarantee you that an old telephone's microphone and earphone held up against a cell phone with masking tape will NOT work.

A cool (if incredibly geeky) thing I did with this to impress some friends:

Get a Tandy TRS-80 Model 100 or similar device with internal modem. Make sure it has the cord to actually attach the modem - if there's no cord, you're stuck here (explanation: the modem in the Tandy used a jack that's not RJ-11, you need a cord to convert. You can make one fairly easily if you can find the plug with solder terminals)

Shorten the cord considerably. We're talking "down to a few inches" here.

Build an acoustic coupler from a cheap landline phone using directions on the Web - but don't bother with the original phone body, stick it in a project box, the smaller the better. Make sure you have a good power source, and wire an on/off switch in there somewhere.

Here's the tricky part. Attach the coupler to your cell phone - I did it with some headphone cup things with the headphones taken out and a lot of duct tape. You can buy these separately.

Connect up the coupler to the Tandy and switch the bottom switches to "ACL" and "CAL" (Acoustic Coupler and Call (as opposed to Answer) respectively - the built in modem uses rotary-phone style clicks to dial, which won't work on a cell)

Tape the cell phone to the coupler if you haven't already, and tape the coupler to the back of the Tandy (the reason for the tiny enclosure)

Either find or set up a BBS or computer or something to connect to. I went the old-school way - I set (for a very short time) up a computer on what used to be the second line we used for dial-up and allowed computers to dial into it to get a terminal with all the usual Linux stuff, plus a simple Web browser (can't remember the one, it was very simple and fit fairly well on the tiny screen)

Head into TELCOM and do STAT M8N1E to set the modem to what you want. Dial the number on the phone and hit (I think) TERM to enter Terminal mode, which will make the Tandy listen to the line and check out any signals on it.

At this point you should have a Tandy with wireless Internet (or at least BBS, if you didn't set up a shell account on a dial-up computer) access. It's quite an interesting experience though not particularly useful - I actually bought one of those crappy prepaid phones to do this with for $6 on sale (I don't have or use a cell regularly)

One thing though - if you set up your own, set it to a very low baud rate - like 75 baud. The lower the rate, the more reliably you can connect, though it will be sloooow. Connecting at 300 baud worked, for some strange reason, for me, but was extremely buggy and ended up with garbage all over the terminal screen. Sentences like "%wset) you$Qfr ba!~K very lowwww." were common. At lower rates, the cell compression is less devastating to the modem - though I never got it to work perfectly.

All in all, a fun project if you have a Tandy 100 already - if you don't, getting one will probably be expensive and not worth it, though if you have money to burn they're nice machines to play around with. The nice thing about using the Tandy for this is it was designed with very low speeds in mind, and having a shell account on a computer with a decent Internet connection means that you can use the 'net at high speeds on a low speed computer, assuming you use it only for text.

SIDE NOTE:

A lot of this applies with any laptop, especially the bit with the shell accounts. If you're incredibly determined to use your cell phone in a stupid way to connect to the 'net, this is probably the fastest.

Log in or register to write something here or to contact authors.