
Tuesday, March 6, 2012

Scanning the 46/49 MHz bands by exploiting a race condition

I seem to have a knack for triggering race conditions in various electronic devices. It's usually something annoying like screwing up a self-checkout stand, but sometimes it can actually be useful.

Way back in the early '90s, I had access to a 46/49 MHz cordless phone made by AT&T. It was actually two fully functional phones. One part was the handset itself, and it would rest on the base to charge. The base also had a speakerphone built-in and it had a few other interesting features, like paging.

You could push a button on the base in the charger cradle and the remote would start beeping at you. This way, you could find the phone if you lost it. Better still, you could use it to alert someone who had the phone, and they could turn on the speakerphone in "intercom mode" to chat with you. Intercom mode could also be initiated from the handset at any time to listen in for whatever reason.

There was one fun thing I noticed: either end could terminate intercom mode. Hitting the [OFF] button at the base would do the trick. This is where the race shows up.

Somehow, I noticed one day that it was possible to get the handset to make an "error" noise. It would do this when it couldn't get a response from the base station. If you were out of range or if the base station was unplugged, it would just make that noise and cancel whatever operation you were trying to do.

Just like when I broke that CD changer, the trick here was to start pushing both buttons at the same time: [INTCM] on the handset and [OFF] on the base. Normally, this would either make an error noise and do nothing, or it would start and then immediately stop intercom mode.

However, once I got the timing down after a few tries, something fun would happen. The handset would make that error noise and would stay in intercom mode with its receiver still switched on! At the same time, the base would shut off. Since the base was no longer transmitting, it would no longer step on signals from other houses!

I could now push the [CHAN] button on my handset to flip through the 10 channels, and it would just hop to the next channel all by itself, with no base left to coordinate with. This gave me a completely manual scanner, but it was portable and trivial to recharge. Spying on our neighbors was now trivial.

It's surprising just what people will say over a radio.