Cellular Systems & Other Terms
There are several cellular systems currently in use around the world. Naturally, like
everything else remotely technical, these networks and their components are referred to
using acronyms. Here are some quick descriptions of the more common of these terms.
AMPS
AMPS (I've heard conflicting opinions on what the acronym means) was the first
cellular system to achieve widespread acceptance. It's primitive, it's analog, it's old,
it's overdue for replacement. If you happen to be colonizing another planet and you're
looking for a place to skimp on the budget, write to all the friendly carriers Earthside
and ask them for their AMPS hardware - you'll be able to get it at bargain basement
prices. AMPS is very insecure both in terms of call interception and theft of service,
it's not very reliable, has very few value-added services, and it's NOT the system of
choice for anything other than price reasons. Billing identification on an AMPS network
works as follows: Each handset has a NAM (Number Assignment Module) and an ESN
(Electronic Serial Number). When you get your handset activated, the dealer programs the
NAM with your telephone number (in the over-the-air protocol this is the MIN, the Mobile
Identification Number). The ESN is manufacturer-assigned and supposed to be unique.
When you place or answer a call, the phone sends both its MIN and its ESN to the network,
in the clear, and the network checks that this MIN/ESN pair belongs to a valid cellular
account. (The NAM also tells the phone which incoming pages belong to it, so it knows
when to ring.) The problem with this system is that nothing secret is involved: due to
the primitive protocols used, it is very easy for someone with a scanner and a simple
decoder circuit to collect MIN/ESN pairs. It is then easy for such people to steal
cellular service by burning the captured ESN into a phone and programming its NAM with
the matching telephone number. This process is referred to as "cloning" a phone, and it
works because the network has no way to tell the clone from the original - both send
exactly the same bits.
Because the voice transmission system is a simple analog radio signal, anyone with a
scanner can also listen to your conversations. In fact, as any AMPS user will tell you,
sometimes it isn't even necessary to have a scanner - quite often while making AMPS calls
in urban areas, you will be able to hear a conversation on the same channel in the next
cell.
There are various flavors of AMPS including D-AMPS (a digital TDMA overlay on the
same channels, standardized as IS-54 and later IS-136) and N-AMPS (narrowband analog,
which fits three 10kHz channels into each 30kHz AMPS channel). "Vanilla" AMPS
operates in the 800MHz area.
CDMA
CDMA (Code Division Multiple Access) isn't really a cellular system - it's
simply the name for a spread-spectrum technique used to put multiple signals into one
spectrum slot. Each transmitter multiplies its data by its own fast code sequence (the
"chips"), which spreads the signal across the whole channel; a receiver recovers one
transmitter's data by correlating the combined channel with that transmitter's code,
which makes everybody else's signal average out to noise. (This is direct-sequence
spreading, not frequency hopping; the commercial cellular systems don't hop.) When you
hear people talking about "CDMA" phones, they are probably referring to handsets
based on CDMA technology licensed from Qualcomm (the IS-95 standard). A CDMA network
(probably similar to the U.S. networks) is the proposed replacement for AMPS in rural
Australia when our AMPS net goes off-air in 2000AD, give or take protest time. CDMA is a
very cunning technique, and it defeats casual interception with a scanner even without
encryption of the actual data stream, because a receiver needs the right code and timing
to pull one call out of the channel. Don't mistake that for real confidentiality: the
spreading codes are not secret, and anyone with CDMA receiving equipment and the code can
despread the call, so encryption of the traffic is still needed. It is also easy to phase
it in over an existing AMPS network. CDMA is, however, a new technique as far as
consumer-grade cellular communications is concerned, and current implementations appear
to have some warts - specifically, a lot of trouble with dropped calls, especially in busy
areas.
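To make the spreading/despreading idea concrete, here is a toy direct-sequence CDMA channel, added as an example (this is not code from the original page or from any CDMA implementation). Three users spread their bits with mutually orthogonal Walsh codes and transmit at the same time; the receiver recovers one user's bits by correlating the summed channel with that user's code. The user names, code assignments and data bits are constructed for the demonstration. It also shows the caveat above: a receiver with an unused code gets zero correlation everywhere (no bits), but a receiver with Bob's code reads Bob's bits, because the code is not a secret.

```python
"""Toy direct-sequence CDMA on one shared channel (added example)."""
import random


def walsh_codes(order):
    """Sylvester construction: 2**order mutually orthogonal +/-1 codes,
    each 2**order chips long."""
    h = [[1]]
    for _ in range(order):
        h = [row + row for row in h] + [row + [-x for x in row] for row in h]
    return h


def spread(bits, code):
    """Map each bit to +1/-1 and multiply it by every chip of the code, so one
    bit becomes len(code) chips."""
    chips = []
    for bit in bits:
        symbol = 1 if bit else -1
        chips.extend(symbol * c for c in code)
    return chips


def combine(signals):
    """The air interface: everyone transmits at once and the chips simply add."""
    return [sum(chips) for chips in zip(*signals)]


def correlate(channel, code):
    """Per-bit correlation of the channel with `code`. With the right code each
    value is +/-len(code); with an orthogonal (unused) code it is exactly 0."""
    n = len(code)
    return [sum(x * c for x, c in zip(channel[i:i + n], code))
            for i in range(0, len(channel), n)]


def despread(channel, code):
    """Decide each bit from the sign of its correlation."""
    return [1 if corr > 0 else 0 for corr in correlate(channel, code)]


def run_demo(seed=1):
    random.seed(seed)
    codes = walsh_codes(3)                    # eight codes of eight chips
    assigned = {"alice": codes[1], "bob": codes[2], "carol": codes[5]}   # constructed
    data = {user: [random.randint(0, 1) for _ in range(16)] for user in assigned}

    channel = combine([spread(data[u], assigned[u]) for u in assigned])

    # Each user recovers exactly their own bits from the same summed channel.
    recovered = {u: despread(channel, assigned[u]) for u in assigned}
    # A receiver using a code nobody transmitted on sees zero correlation
    # everywhere: no bits at all. This is what a scanner owner runs into.
    unused_code = correlate(channel, codes[7])
    # But the code is not a secret: anyone who knows Bob's code reads Bob's bits.
    eavesdropped_bob = despread(channel, assigned["bob"])
    return data, recovered, unused_code, eavesdropped_bob


if __name__ == "__main__":
    data, recovered, unused, eaves = run_demo()
    for user in data:
        print(user, "ok" if recovered[user] == data[user] else "FAIL")
    print("unused code correlations:", unused)
    print("eavesdropper holding bob's code recovers bob:", eaves == data["bob"])
```

Real IS-95 adds a long pseudo-noise sequence and is asynchronous, so the codes are only approximately orthogonal and other users appear as noise rather than as exact zeros; the principle, and the fact that knowing the code is all an eavesdropper needs, is the same.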
Codec
"Codec" is an abbreviation for enCODer/DECoder. In cellular circles, the
term refers to software, firmware or hardware used to encode voice data for efficient and
reliable transmission, and decode it at the receiver to form intelligible audio once more.
All digital cellular systems use a codec of some sort. The original full-rate codec used
in GSM is called, confusingly, GSM (formally GSM 06.10, a linear-prediction speech codec
running at 13kbit/s); an implementation of this codec is also shipped with current
versions of Windows.
Although the math involved in the protocol doesn't obviously reflect this, the underlying
theory of the GSM codec is that human speech is produced by a very simple waveform
generated by air passing through the vocal cords. Complex harmonics are added to this
simple waveform as it bounces around inside the trachea, sinuses and mouth; the exact
composition of the final result depending on the size and position of the tongue, lips and
mandible - and the volume, shape and degree of blockage of your sinuses! To illustrate
this point to yourself, make sure you're out of earshot of anyone who might be able to
certify you as insane, purse your lips to make the "oo" sound in
"book", and start to sing a continuous-pitch note. Without moving your tongue,
open your lips progressively wider. Listen to the way the tone (but not the pitch!) of the
note changes. Isn't it incredible to think that this organic technology has allowed us
simple apes to create complex languages, thereby organizing and directing members of our
species, and dominate all other lifeforms on the planet? Now close your mouth, clamp the
front of your tongue against your palate, and sing the same note through your nose. That's
about as close as you can get to hearing the raw, unmodulated output from your vocal
cords. It's a "soft" sound (lacking high-frequency harmonics) which suggests
it's something close to a sinusoidal wave.
GSM works by extracting the base tone generated by the vocal cords and interpolating
the changing configuration of the speaker's mouth from the audio waveform. This is much
more efficient than simply trying to compress the audio data with a simple algorithm
working on the raw byte stream. At the other end, in effect the speaker's vocal system is
simulated by the decoding side of the codec.
You'll note that throughout this discussion, I have been talking exclusively about
speech - this is because the GSM codec was specifically designed to reproduce speech.
The full-rate GSM 06.10 codec reproduces human speech well, and its successor does better
still (see EFR). It is, however, not at all suited to reproducing music or data
communications-type waveforms (as generated by modems). This is why you can't simply
connect an analog modem up to a GSM phone; the codec would completely mangle the audio
output from the modem. A GSM data card is simply an interface which lets your computer
send digital data directly into the phone - the phone sends it over the radio link as
data rather than as coded speech, and it is in the land-bound portion of the network
(the carrier's interworking function) that the data stream is actually modulated into
tones which a modem can understand.
DTX
DTX (Discontinuous Transmission) is a battery-saving feature implemented on almost all
current GSM phones and probably also those from other technologies. Very simply, a voice
activity detector in the phone decides when you are not speaking, and the transmitter is
switched off for those frames, apart from an occasional "silence descriptor" frame that
tells the far end what your background noise sounds like. The codec at the far end
synthesizes matching "comfort noise" from that, so the line doesn't sound dead. Besides
saving battery, DTX reduces the interference your phone causes to everyone else sharing
the cell's frequencies. The only "drawback", if it can be called such, is that the person
on the other end hears a synthetic approximation of your background noise rather than the
real thing while you're not speaking.
EFR
Almost all modern GSM phones support a feature called EFR (Enhanced Full Rate, GSM
06.60). This is a better speech codec (ACELP at 12.2kbit/s) that occupies the same
full-rate traffic channel as the original GSM 06.10 codec, so the improved audio quality
comes from better coding rather than from extra bandwidth; the price is more processing
in the handset. Both the handset and the network must support it for a call to use it.
("Full rate" is in contrast to half-rate codecs, which squeeze two calls into one channel
at lower quality.)
ESN
All AMPS phones have an ESN (Electronic Serial Number). This is a 32-bit number
(usually quoted in hexadecimal, sometimes as an 11-digit decimal string), supposed to be
unique; the high-order bits (originally the top eight) identify the manufacturer and the
rest are that manufacturer's serial number. The ESN is usually printed inside the
handset's battery compartment. Never tell your ESN to anybody, especially an enemy
or known prankster - together with your telephone number it is everything a cloner
needs. For a description of how the ESN is used by the network, see AMPS.
GSM
GSM (originally Groupe Spécial Mobile, now Global System for Mobile communications) is
unarguably the world's most popular cellular system. It is a TDMA digital system. In no
particular order, the features offered by GSM include: the ability to send short text
messages directly between handsets, seamless international roaming, superb audio quality,
good spectrum usage, the ability to swap handsets as desired without needing to inform
your carrier, very reliable 9600bps data/fax capability, reasonable call security (the
radio link between handset and base station is encrypted, which defeats scanner
eavesdropping; the fixed network behind the base station is not), and more. GSM
implementations exist in three flavors - GSM900, GSM1800 and GSM1900, which operate in
the 900MHz, 1.8GHz and 1.9GHz bands respectively. GSM1900 is presently used only in the
United States of America, but it will apparently spread to other areas soon. GSM900 is
the most commonly used band. GSM1800 seems to be intended as an "extra" band to
increase cell capacity in crowded GSM900 areas. However, some GSM1800-only networks do
exist. Note that GSM1800 is sometimes referred to as "DCS" or "PCN", and GSM1900 is
sometimes called "PCS".
At present, there are a handful of dual-mode phones such as the Motorola cd928 and
Ericsson SH888 which operate in both the 900 and 1800MHz bands. There are also a number of
phones such as the Ericsson I888 and Bosch Worldphone 718 which operate in both the 900
and 1900MHz bands. Unfortunately, there are no phones as yet which operate in all three
bands, which means that depending on where you are, where you want to go, and what
roaming agreements exist with your carrier, you may still need a rental handset.
Luckily, GSM makes it easy to switch phones as necessary. When you sign up with a GSM
provider, you are issued with a smartcard ("SIM" - Subscriber Identity Module).
Among other information, this card contains a subscriber identity ("IMSI" -
International Mobile Subscriber Identity) which uniquely links it to your cellular
account. Wherever you are in the world, you can simply insert the SIM into a GSM phone
compatible with the local networks, and the IMSI will be transmitted to the local
carrier(s) to identify you. As long as at least one of the carriers in range has a roaming
agreement with your home carrier, and your cellular account is valid, you will be able to
log into the local network and make calls as you please. People who call your home-country
cellular number will automatically be put through to you.
For those familiar with AMPS terminology, the IMSI is equivalent to an analog phone's
NAM programming (its MIN). Each GSM handset also has a hardware identifier equivalent to
an AMPS phone's ESN. This is the IMEI (International Mobile Equipment Identity), which is
also transmitted to the network when asked for. In theory, the IMEI can be used to keep
stolen phones off-air, by checking it against an equipment register of blacklisted
handsets. In practise, the difficulty of maintaining a worldwide stolen handset database
online and accessible from any carrier within a few seconds means that most carriers
ignore the IMEI. Unlike AMPS, in GSM there is NO billing tie-in between the subscriber's
identity and the handset. It isn't necessary, because unlike AMPS phones, which identify
themselves by sending an easily copied MIN/ESN pair in the clear and can have their NAM
programmed from the keypad, all the subscriber information in GSM is lurking inside
PIN-protected memory within a smartcard, and the card proves itself with a
challenge-response: the network sends a random challenge, the SIM computes a response
from that challenge and a secret key (Ki) that exists only in the card and at your home
carrier, and only the response goes over the air. Nothing a scanner can hear is enough
to impersonate you, so a SIM is impossible to clone without physically accessing it -
and it's hard to clone even then, because the card will not read Ki out. The published
cloning attacks work by feeding the card a very large number of chosen challenges and
recovering Ki from weaknesses in the carrier's algorithm (COMP128 on most cards of this
era), which takes hours of uninterrupted access to the card.
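The following is an added example (not code from the original page or from any carrier's equipment) that puts the AMPS and GSM schemes side by side, covering the cloning discussion under AMPS above as well as this entry. The AMPS network is modelled as a table of MIN/ESN pairs, so a clone that resends the captured bits is accepted. The GSM side models a SIM holding a secret Ki and a home authentication center (AuC) that hands out fresh RAND/SRES challenge-response pairs; a replayed response and a guess based only on the IMSI both fail. The MIN, ESN, IMSI and key values are constructed, and since the real A3/A8 algorithms are carrier-specific, HMAC-SHA256 stands in for them here so the shape of the protocol is what the example shows.

```python
"""AMPS pair lookup vs GSM challenge-response (added example)."""
import hashlib
import hmac
import os

# ---------- AMPS: the network keeps a table of (MIN, ESN) pairs ----------
AMPS_ACCOUNTS = {("6195550123", 0x8A00F1C2)}      # constructed subscriber


def amps_access_request(min_number, esn):
    """Everything the AMPS handset puts on the air, in the clear."""
    return {"min": min_number, "esn": esn}


def amps_network_accepts(request):
    """Validation is a table lookup on values the phone just broadcast."""
    return (request["min"], request["esn"]) in AMPS_ACCOUNTS


# ---------- GSM: a secret Ki shared only by the SIM and the home AuC ----------
def a3a8_stand_in(ki, rand):
    """Stand-in for A3/A8 (assumed, not the real algorithm): SRES is 32 bits,
    Kc (the cipher key for the radio link) is 64 bits."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class Sim:
    def __init__(self, imsi, ki):
        self.imsi = imsi
        self._ki = ki                      # never leaves the card

    def run_gsm_algorithm(self, rand):
        """The only interface the phone gets: challenge in, SRES/Kc out."""
        return a3a8_stand_in(self._ki, rand)


class HomeAuC:
    def __init__(self, ki_by_imsi):
        self._ki_by_imsi = dict(ki_by_imsi)

    def triplet(self, imsi):
        """Fresh RAND/SRES/Kc for a visited network; Ki itself is never sent."""
        rand = os.urandom(16)
        sres, kc = a3a8_stand_in(self._ki_by_imsi[imsi], rand)
        return rand, sres, kc


def gsm_network_accepts(auc, imsi, responder):
    """The visited network challenges whoever claims `imsi`; `responder(rand)`
    is whatever the handset sends back as SRES. Note that the handset's IMEI
    plays no part: the account is tied to the card, not the phone."""
    rand, expected_sres, _kc = auc.triplet(imsi)
    return hmac.compare_digest(responder(rand), expected_sres)


def run_demo():
    results = {}

    # AMPS: the genuine phone and a clone send identical bits, so both pass.
    genuine = amps_access_request("6195550123", 0x8A00F1C2)
    results["amps_genuine"] = amps_network_accepts(genuine)
    captured = dict(genuine)                     # what a scanner + decoder yields
    results["amps_clone"] = amps_network_accepts(captured)

    # GSM: the SIM answers a fresh challenge each time.
    ki = os.urandom(16)
    sim = Sim("505010123456789", ki)              # constructed IMSI
    auc = HomeAuC({sim.imsi: ki})
    results["gsm_genuine"] = gsm_network_accepts(
        auc, sim.imsi, lambda rand: sim.run_gsm_algorithm(rand)[0])

    # An eavesdropper records one complete exchange off the air ...
    old_rand, old_sres, _ = auc.triplet(sim.imsi)
    assert sim.run_gsm_algorithm(old_rand)[0] == old_sres
    # ... and replays the recorded SRES to the next challenge: new RAND, so it fails.
    results["gsm_replay"] = gsm_network_accepts(auc, sim.imsi, lambda rand: old_sres)
    # Knowing the IMSI alone (it was sent in the clear) gets the attacker nowhere.
    results["gsm_imsi_only"] = gsm_network_accepts(
        auc, sim.imsi, lambda rand: a3a8_stand_in(b"no idea what Ki is", rand)[0])
    return results


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name:14s} accepted={accepted}")
```

The replay fails with overwhelming probability rather than with certainty, since the AuC picks a fresh 128-bit RAND each time; that is the property the SIM-based design relies on, and it is also why recovering Ki (rather than recording traffic) is the only route to a working clone.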
One unfortunate design feature of GSM is that the size of a cell is limited to 35km
unless the base station is configured as an "extended" cell, which costs it half its
capacity. The limit comes from TDMA: a handset has to advance its transmit timing to
compensate for the round-trip radio delay so that its burst lands inside its own
timeslot at the base station, and the timing-advance field only goes up to 63 bit
periods, which works out to roughly 35km. Even if you have a line-of-sight path to the
nearest base station and a nice strong signal, if you're more than 35km away you can't
use the network. This is a fairly serious limitation for rural use (especially in a
country like Australia, which has vast open spaces with more lizards than people), though
it doesn't matter for the densely populated cities for which GSM was designed. And it
doesn't matter to the lizards either; most of whom seem to be equally happy with almost
any cellular phone as long as it isn't in a lizard-skin case.
(From reading the above, you might get the impression that I take my GSM phones to bed
with me every night and cuddle them for sheer joy. Well, this isn't the case - partly
because the puppy who sleeps on my pillow might chew them. But GSM is a very good system).
iDEN
A proprietary TDMA cellular system from Motorola. Some of the iDEN phones look very
nice, but it seems that their plastics haven't been used in Motorola's industry-standard
phones, which is unfortunate. The best-known (only?) iDEN carriers are Nextel, in the
United States, and Clearnet, in Canada.
IMEI
Every GSM handset has a unique IMEI (International Mobile Equipment Identity), set
by the manufacturer. This identifier can in theory be used to track and bar stolen
handsets. In practise, at the time of writing it is rarely used for anything. The IMEI is
15 digits, broken into fields thus:
TTTTTT-FF-SSSSSS-P
Digits denoted "T" are referred to as the TAC (Type Approval Code). The first
two digits of the TAC identify the body that granted type approval, and in practice they
match the international dialing code of that body's country. Note that if the TAC starts
with 01 (USA), the chances are very good that you're looking at a GSM1900-only phone.
900MHz, 1800MHz and multiband phones carry European type approvals.
Digits denoted "F" are referred to as the FAC (Final Assembly Code). This
code, chosen by the manufacturer, identifies the facility at which the final assembly of
the phone was completed.
Digits denoted "S" are referred to as the SNR (Serial NumbeR). This is the
manufacturer's serial number for the appliance. Note that this may have no relation to the
separate, proprietary MSN (Mechanical Serial Number), if any, printed on the device's
serialization label.
The final digit is called "SPare" in older references, which will tell you that
it is always zero. For modern phones, this is no longer true: the digit is a Luhn check
digit computed over the other fourteen (the same checksum used on credit card numbers),
so a single mistyped digit is caught. It is still not transmitted over the air - the
phone sends a zero in that position - which is why some software that calculates a magic
code of some sort based on your phone's IMEI expects a zero there. If the code calculated
doesn't work, try substituting a zero for the last digit.
When you see an IMEI on a label or onscreen, it will not necessarily be formatted with
the punctuation shown above. All fields will, however, be present as described.
On almost all GSM phones you can display the IMEI onscreen by typing *#06#. Be
suspicious if you are offered a secondhand phone where the IMEI shown onscreen doesn't
match that printed on the label - especially if the TAC is different. The phone may have
had its IMEI electronically defaced for some fraudulent purpose. If only the SNR field is
different, it probably means the phone has had a logic board replacement.
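The field split, the check-digit rule and the label-versus-screen comparison above, as an added example (not code from the original page). The IMEI used is the standard documentation example 490154203237518, which belongs to no real phone; the mismatch classifications are the ones this entry describes.

```python
"""IMEI field parsing, Luhn check digit and label-vs-display comparison (added example)."""
import re
from collections import namedtuple

IMEI = namedtuple("IMEI", "tac fac snr check")


def imei_digits(text):
    """Strip whatever punctuation a label or screen uses; require 15 digits."""
    digits = re.sub(r"\D", "", text)
    if len(digits) != 15:
        raise ValueError(f"expected 15 digits, got {len(digits)}: {text!r}")
    return digits


def parse_imei(text):
    """TTTTTT-FF-SSSSSS-P -> (tac, fac, snr, check)."""
    d = imei_digits(text)
    return IMEI(tac=d[:6], fac=d[6:8], snr=d[8:14], check=d[14])


def luhn_check_digit(payload14):
    """Luhn digit for the first 14 digits. Working from the right, double every
    other digit starting with the rightmost (the check digit will sit to its
    right), fold two-digit results back to one digit, and choose the digit that
    makes the total a multiple of ten."""
    total = 0
    for i, ch in enumerate(reversed(payload14)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def check_digit_valid(text):
    d = imei_digits(text)
    return int(d[14]) == luhn_check_digit(d[:14])


def with_spare_zero(text):
    """What older phones transmit and older code-calculators expect: digit 15 = 0."""
    return imei_digits(text)[:14] + "0"


def compare_label_and_display(label, shown):
    """Classify a mismatch between the label IMEI and the *#06# IMEI. The check
    digit is ignored, since a spare-zero display may differ there alone."""
    a, b = parse_imei(label), parse_imei(shown)
    if a.tac != b.tac:
        return "tac-mismatch"       # different type approval: treat as tampered with
    if a.fac != b.fac:
        return "fac-mismatch"       # same type approval, different assembly plant
    if a.snr != b.snr:
        return "snr-mismatch"       # consistent with a logic-board replacement
    return "match"


if __name__ == "__main__":
    label = "490154-20-323751-8"
    print(parse_imei(label), "check digit ok:", check_digit_valid(label))
    print("as transmitted:", with_spare_zero(label))
    for screen in ("490154203237510", "490154203237418", "350154203237518"):
        print(screen, "->", compare_label_and_display(label, screen))
```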
IMSI
Subscribers to GSM networks are identified by a unique IMSI (International Mobile
Subscriber Identity). This number is up to 15 digits long: a three-digit mobile country
code, a two- or three-digit mobile network code identifying the home carrier, and the
carrier's own subscriber number. It is sent to the network when the user logs on, and the
first two fields tell the visited network which home carrier to contact to establish the
bona fides of his/her account. (After that first contact the network normally issues the
phone a temporary identity, the TMSI, to use on the air instead, so that a scanner can't
easily track a particular subscriber by IMSI.) The IMSI is stored in the SIM. Note that
although the IMSI determines a subscriber's telephone number by associating the user with
a specific cellular account, the actual digits of the IMSI have no relationship to the
telephone number. For example, if you lose your SIM card and ask your carrier for
another, your new SIM will have a new IMSI and the old IMSI will be invalidated - but
your telephone number will remain unchanged.
N-AMPS
See AMPS.
NAM
All AMPS phones have a NAM (Number Assignment Module) which is programmed at sign-up
time with the subscriber's telephone number (the MIN) and home system identifier. The
handset uses the information in the NAM to identify which incoming calls on the network
"belong" to it. There is no cross-checking on this until the call is answered - if you
program your phone's NAM with someone else's telephone number, your phone will ring each
time they receive a call. (You won't be able to answer their calls, however, because the
moment you do, the network checks that telephone number against your phone's ESN and
finds that the pair doesn't match any account.) Because of the vast, diverse and
unfriendly AMPS networks in the United States, many phones have multiple NAMs so that they
can use different carriers without reprogramming. (Note that a multi-NAM phone still has
only one ESN).
For a fuller description of how the NAM is used by the network, see AMPS.
PHS
A digital cellular system used exclusively in Japan. I believe that it operates in the
1.5GHz band. Frankly, I also believe Japan's cellular provider(s) should pull their head
out of the sand (or wherever else it might be lodged) and install a GSM network, even if
they have to move it to a nonstandard band to avoid spectrum reallocation issues. I don't
intend to waste any time learning about PHS, as I trust that Iridium or something else
will become popular enough to eradicate this silly non-standard system. Just be aware that
if you go to Japan, you will need to rent a phone. NTT (Japanese telco) seems to be
concentrating at this point in time on selling cellular telephones to dogs and cats (and
I'm NOT joking), so presumably few resources are being diverted towards the needs of mere
humans.
PIN/PIN2
The PIN (Personal Identification Number) requested by a GSM phone is a means of
assuring that a stolen SIM is not usable. The PIN is stored inside the SIM and is only
ever compared there - it cannot be read out by the phone or by external hardware. When
you type in your PIN, the phone sends it to the SIM and it is the SIM which validates it,
keeping its own count of failed attempts. If you get the PIN wrong three times in a row,
the card will be blocked and will ask for a PUK code (PIN Unblocking Key; you will also
see it expanded as Personal Unblocking Key or Provider Unblocking Key, depending on who
you ask). If you enter this code incorrectly ten times in a row, the card will be
permanently blocked and will need replacement. The PUK is usually NOT divulged to you
when you get the SIM - you need to call the carrier for it. If you think about this
system for a moment, you will see that it is quite cleverly designed - an attacker who
steals the SIM gets three guesses at a four-to-eight-digit PIN and ten at an eight-digit
PUK, an impossibly small number of tries, yet a user who legitimately forgets his/her PIN
can fix the problem over the telephone.
Most SIMs will allow you to turn off the power-on PIN challenge. This is not advisable
unless you're using a prepaid SIM where it doesn't really matter much in a monetary sense
if someone steals your account temporarily.
Certain features on new SIMs (typically fixed-dialling lists and call-cost counters)
are protected by a second PIN, referred to as PIN2. PIN2 is "backed up" by a second PUK
code, PUK2.
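The retry-counter design described above, as a small state machine. This is an added example, not code from the original page or from any SIM; the PIN and PUK values are constructed. The counter sizes (3 and 10) are the ones the text gives; that a successful unblock resets both counters, and that the card counts an attempt before comparing it (so cutting power mid-check cannot earn a free guess), are assumptions made here.

```python
"""PIN/PUK retry counters of a SIM as a state machine (added example)."""
import hmac

PIN_ATTEMPTS = 3
PUK_ATTEMPTS = 10


class SimCard:
    def __init__(self, pin, puk):
        self._pin = pin                  # compared on-card, never read out
        self._puk = puk
        self.pin_attempts_left = PIN_ATTEMPTS
        self.puk_attempts_left = PUK_ATTEMPTS
        self.pin_enabled = True

    @property
    def state(self):
        if self.puk_attempts_left == 0:
            return "permanently-blocked"
        if self.pin_attempts_left == 0:
            return "pin-blocked"
        return "ready"

    def verify_pin(self, attempt):
        """True only if the PIN matches while the card is not blocked."""
        if self.state != "ready":
            return False
        if not self.pin_enabled:
            return True               # power-on challenge switched off by the user
        # Count the attempt before comparing (assumed card behaviour).
        self.pin_attempts_left -= 1
        if hmac.compare_digest(attempt, self._pin):
            self.pin_attempts_left = PIN_ATTEMPTS
            return True
        return False

    def unblock(self, puk_attempt, new_pin):
        """PUK entry is only meaningful once the PIN is blocked."""
        if self.state != "pin-blocked":
            return False
        self.puk_attempts_left -= 1
        if hmac.compare_digest(puk_attempt, self._puk):
            self._pin = new_pin
            self.pin_attempts_left = PIN_ATTEMPTS
            self.puk_attempts_left = PUK_ATTEMPTS   # assumed: reset on success
            return True
        return False

    def disable_pin(self, current_pin):
        """Turning the power-on challenge off still requires the current PIN."""
        if self.verify_pin(current_pin):
            self.pin_enabled = False
            return True
        return False


def brute_force(card, pin_guesses, puk_guesses):
    """How far an attacker holding the card gets: returns how many guesses the
    card actually accepted for checking, and the outcome."""
    tried = 0
    for guess in pin_guesses:
        if card.state != "ready":
            break
        tried += 1
        if card.verify_pin(guess):
            return tried, "pin-found"
    for guess in puk_guesses:
        if card.state != "pin-blocked":
            break
        tried += 1
        if card.unblock(guess, "0000"):
            return tried, "puk-found"
    return tried, card.state


if __name__ == "__main__":
    # Legitimate user forgets the PIN, calls the carrier, and recovers with the PUK.
    card = SimCard("7391", "12345678")
    for guess in ("1234", "0000", "1111"):
        card.verify_pin(guess)
    print("after three wrong PINs:", card.state)
    print("unblock with PUK:", card.unblock("12345678", "2468"), card.state)

    # Thief tries every PIN, then every PUK, against a fresh card.
    stolen = SimCard("7391", "12345678")
    pins = (f"{n:04d}" for n in range(10_000) if n != 7391)
    puks = (f"{n:08d}" for n in range(10**8))
    print("brute force result:", brute_force(stolen, pins, puks))   # (13, 'permanently-blocked')
```

Thirteen accepted guesses against a 10,000-entry PIN space and a 100,000,000-entry PUK space is the whole of the protection; it works only because the counters live in the card and survive power cycles, which is also why a phone's own keypad lock is no substitute for the SIM PIN.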
PUK/PUK2
See PIN.
SIM
In GSM parlance, a Subscriber Identity Module. This is a PIN-protected smartcard which
stores (among other things) the subscriber's IMSI (possibly more than one if the
subscriber has multiple lines on the one SIM), received SMS (pager) messages, user
phonebook entries, lists of preferred carriers for roaming purposes, service center
numbers for voicemail and SMS, and carrier-specific security information (the
subscriber's secret key and the authentication algorithm that uses it, neither of which
the card will ever read out). SIMs are available in two types - "fullsize" (credit
card size) and "plugin" or "chip" - a much smaller rectangular shape with a missing
corner. The two types are electrically identical, differing only in the amount of
plastic surrounding the chip. Plugin SIMs are always supplied as a fullsize frame with a
breakout panel containing the chip.
[Photo on the original page: a plugin SIM beside a fullsize frame, in a contrasting
color so the size and shape of the two types can be compared. The plugin SIM pictured
does not belong to the frame shown.]
Below the surface, there are other different SIM types - mostly, SIMs vary in the
amount of storage space they offer. Some other battery-saving and miscellaneous features
have also been implemented in modern SIMs, including a second PIN and PUK (PIN2 and PUK2)
used to restrict access to certain new network or handset features.
TDMA
Like CDMA, TDMA (Time Division Multiple Access) refers to a technique for allowing
multiple transmitters to share a single frequency. Unlike CDMA, TDMA achieves this by
assigning each transmitter a short timeslot in a repeating frame during which it is
allowed to transmit. Everybody speaks in turn, in short. In GSM each 200kHz carrier
carries a frame of eight timeslots, so one carrier serves up to eight full-rate calls,
and it is the need to keep every phone's burst inside its own slot that produces the
35km cell limit mentioned under GSM. The most popular TDMA implementation is GSM, but
there are others - Motorola's iDEN system and the D-AMPS digital overlay on AMPS, for
example.