Cellular Telephone Experimenter's Kit (2600 article)

[Michael Handler <grendel@netaxs.com>]

[ Apologies about posting to the list, but my mail directory got scragged 
by Net Access admins, and I lost the list of people who wanted this. 
Interesting stuff regardless.]


----- BEGIN ARTICLE -----

From _2600_ Magazine, Spring 1994 (Volume 11, Number 1), pp 20-21

***** Product Review *****
Cellular Telephone Experimenters Kit
$125, Available for OKI 900
Network Wizards
PO Box 343
Menlo Park, CA  94026
Voice: (415) 326-2060
Fax:   (415) 326-4672
Email: info@nw.com
OKI Telecom
(404) 955-9800
(800) 554-3112
Review by Mr. Upsetter

        Any technology that combines radio, telephones, and computers is
sure to interest hackers. It's no wonder cellular telephony has received
so much attention. Now exploring the system is a little easier for us. A
company called Network Wizards has introduced an interface that allows
control of an OKI 900 cellular telephone from a DOS PC via the RS-232
port. Their Cellular Telephone Experimenters Kit (CTEK) consists of an
interface, four DOS executables for controlling the phone, and a C
function library so you can write your own programs. Also included on
disk are a user's manual, function library, and a short cellular
tutorial.
        The interface itself is contained in a small black box with a
DB25 connector on one end. A cable with a specialized plug for
connecting to the OKI is on the other end. Inside is a PIC16C54
microcontroller which converts data from the OKI to standard RS-232
data. The interface also has a mini stereo jack for connecting a
microphone and earphone.
        The DOS executables included with the CTEK allow you to perform
numerous functions. The MENU.EXE program allows you to change any of the
phone's five NAMs. (A NAM, or Number Assignment Module, consists of a
telephone number, system ID, initial paging channel, access overload
class, and group ID mark. This information, along with your ESN,
identifies your phone in the cellular system.) This program also allows
you to read, write, and edit the phone's 200 alphanumeric memories. The
TEST.EXE program, allows you to manually control the transmit and audio
functions of the phone. You can turn the transmitted on or off and set
the channel, SAT, and transmit power. You can also set the volume, mute
the transmit, or recieve audio as well as set the audio source to the
earpiece, sounder, or external jack on the CTEK interface. The TEL.EXE
program allows you to monitor the paging channel and displays all the
forward control channel messages. It also allows you to place and
receive a phone call while displaying the voice channel messages. The
KEYCON.EXE program simply allows you to press keys on the OKI from the
computer keyboard.
        The programs provided with the CTEK certainly expand on the
functionality of the phone. But to do the really fun stuff, you need to
write your own programs. Source code to TEL.EXE and KEYCON.EXE are
provided to get your started with the CTEK function library. Although my
C programming skills were a little rusty, I found it easy enough to
write programs with the library. I wrote a cellular scanning program
which had the following capabilities:

        * Scan for a paging channel and display the messages. If a voice
channel is assigned, go to that channel and listen to the call.
        * Scan voice channels and listen to active channels.
        * Scan OMNICELL channels and listen to active channels.
        * While listening to a call, display the voice channel messages.
        * Automatically follow handoffs.
        * Decode DTMF, change the volume or audio source.
        * Automatically mute the audio and stop monitoring when the call
is released.

        Other functions in the library allow you to send reverse channel
messages, get the received signal strength, control transmitter and
audio functions, and read the phone's memory. Overall the function
library is quite versatile. I had several other ideas for programs, for
instance:

        * Log all messages and call information for certain cellular
phone numbers. You could log paging channel messages, calls placed and
received, call durations, DMTF digits dialed, cell channels used, etc.
        * Create a "spectrum" display of the cellular band by scanning
all channels and recording the signal strength.
        * With a map of cell cites in your area, physically track a
phone as it moves from cell to cell.

        I had great fun exploring the cellular network while playing
with the CTEK. But this kit isn't for everyone. To get the most out of
CTEK, you need to write your own programs. The executables provided in
the kit really don't use the phone to its highest potential. Also, the
OKI 900 isn't the cheapest phone in the world. It goes for about $400 to
$450 new, perhaps $300 used if you can find one. Still, you could put
together a great cellular monitoring system comparable to the ones
designed for law enforcement for a few hundred dollars as opposed to a
few thousand dollars. The CTEK is best suited for monitoring the
cellular network rather than as a tool for fraud. You cannot change the
phone's ESN with the CTEK. In fact, the library function which lets you
send reverse control messages won't even let you send a bogus ESN.
        Overall, the CTEK is a well-designed product, both in hardward
and in software. While it's currently only available for the OKI 900,
Network Wizards promises a version for the OKI 1150 soon.

***** Sample output of my cellular monitoring program *****
             (phone numbers have been masked)

Monitor system A or B?
Monitoring system B
Scanning for control channel
Monitoring Control Channel: 0337 System: B
Received Signal Strength: 46
(408) 482-01XX page scc=3, dcc=2
(415) 264-06XX page scc=3, dcc=2
(408) 671-19XX page scc=3, dcc=2
(310) 701-23XX non-autonomous reg: on scc=3, dcc=3
(805) 680-11XX reserved (13,6) scc=3, dcc=2
(415) 517-32XX page scc=3, dcc=2
(408) 499-03XX page scc=3, dcc=2
(805) 893-22XX reserved (13,6) scc=3, dcc=2
(510) 914-46XX page scc=3, dcc=2
(213) 500-44XX chan=526, vmac=0, scc=1, dcc=2
monitoring channel 256
audio on
hit any key to stop monitoring
Decoding DTMF. Press any key to resume.
3447555#706
audio off
(415) 971-86XX page scc=3, dcc=2
(707) 312-21XX page scc=3, dcc=2
OMNICELL Scan: Press any key to resume.
channel: 0358 RSSI: 10
channel: 0379 RSSI: 53
activity on channel 0379 RSSI 53
audio on
hit any key to stop monitoring
handoff msg: chan=465, vmac=0, scc=2, pscc=1
tuning to channel 465
handoff msg: chan=505, vmac=0, scc=1, pscc=2
tuning to channel 505
audio off
channel: 0400 RSSI: 11
channel: 0421 RSSI: 08

----- END ARTICLE -----

Transcribed 22 June 1994 by Michael Handler <grendel@netaxs.com>
Support 2600! If you like the article, please buy the magazine -- there
is immense amounts of useful information in there.

--------------------------------------------------------------------------
Michael Brandt Handler                                <grendel@netaxs.com> 
Philadelphia, PA                            PGP v2.6 public key on request
Boycott PSI, Inc. & Canter & Siegel    <<NSA>> 1984: We're Behind Schedule