
Saturday, September 8, 2012

Flip phones and magic on the upper UHF TV band

Remember those old Motorola flip phones? Back around the mid-90s, if you had a cell phone which wasn't bolted to your car and didn't live in a bag, then you might have been using one of them. That's assuming you didn't have the "brick", of course.

Besides the obvious fact that they let you talk to people from almost anywhere (a profound concept at the time), these phones had some unusual features you would not normally expect in a piece of consumer electronics. One was a "secret" debug mode, reached by grounding the phone's third battery contact. The battery connector had two loops of metal which stuck out to meet matching terminals on the battery, plus a third flat strip on the phone which came close to the battery but did not touch it.

As it turned out, if you took a small piece of relatively thin wire (say, a strand from inside a phone cord or some Ethernet cable) and crammed it into that connector so it stuck up, then slid the battery back on, it would bridge the phone's flat terminal to the battery's flat terminal. Electrically, that was what the phone wanted to see, and it would power up in debug mode.

There were all kinds of signal-strength readouts in there, but one mode completely eclipsed the others: you could tune the phone's radio to any channel inside the AMPS band just by entering its number. Once on a channel, another command would "unsquelch" the receiver, and it would play back whatever it could hear.

AMPS cellular was nothing more than narrowband FM on 30 kHz channel spacing, so no further magic was required to hear calls. They went over the air in the clear, with no encryption, scrambling, or frequency hopping. If the signal was strong enough, you heard it.

I find it amazing that Motorola made something like that so trivially accessible. Recall that the mid-90s is when US scanner manufacturers were required to build receivers that could not tune the cellular band and could not be readily altered by the user to restore it; the FCC rule took effect in 1994. A handset with a debug mode that tuned the same band by channel number was exactly what that rule was trying to keep out of consumers' hands.

Of course, you didn't need an easily exploited flip phone to snoop on calls. An older TV that still tuned UHF channels 70-83 would do it. Those channels (806-890 MHz) had been reallocated to land-mobile and then cellular use by the early 1980s, and AMPS base stations transmitted at 869-894 MHz, right where channels 80-83 used to be. The best sets had clicky channel knobs and a fine-tuning knob so you could recenter on a call. Sure, a lot of the time you'd hear the "buzzsaw" of control-channel data, but there were plenty of voice calls to hear, too.
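As an added example (not code from the original post, and not a model of the phone's debug commands), the standard AMPS channel plan below shows why typing a channel number into the phone, and clicking through the top of the UHF dial on a TV, landed on the same conversations: 30 kHz spacing, a 45 MHz offset between the handset's transmit frequency and the base station's, and an extended block of channels 991-1023 sitting just below channel 1. The 6 MHz UHF TV channel grid (channel 14 starting at 470 MHz, channel 83 ending at 890 MHz) is likewise the pre-reallocation US plan. The helper names are my own.

```python
"""AMPS channel numbers -> frequencies -> old UHF TV channels.

Added example, not from the original post.  Implements the standard AMPS
channel plan (30 kHz spacing, base 45 MHz above mobile) and the old US UHF
TV grid; nothing here talks to a radio.
"""

AMPS_SPACING_MHZ = 0.030
AMPS_DUPLEX_OFFSET_MHZ = 45.0   # base station transmits 45 MHz above the handset


def amps_mobile_tx_mhz(channel: int) -> float:
    """Handset (uplink) frequency for an AMPS channel number.

    Channels 1-799 run upward from 825.030 MHz; channels 991-1023 form the
    extended block just below channel 1 (991 -> 824.040 MHz).
    """
    if 1 <= channel <= 799:
        return round(825.000 + AMPS_SPACING_MHZ * channel, 3)
    if 991 <= channel <= 1023:
        return round(825.000 + AMPS_SPACING_MHZ * (channel - 1023), 3)
    raise ValueError(f"{channel} is not a valid AMPS channel number")


def amps_base_tx_mhz(channel: int) -> float:
    """Base-station (downlink) frequency for the channel.

    This is the side a nearby receiver hears most strongly, whether that
    receiver is a handset in debug mode or a TV on the upper UHF channels.
    """
    return round(amps_mobile_tx_mhz(channel) + AMPS_DUPLEX_OFFSET_MHZ, 3)


def old_uhf_tv_channel(freq_mhz: float):
    """Old (pre-reallocation) US UHF TV channel whose 6 MHz slot holds freq_mhz.

    Channel 14 begins at 470 MHz and channel 83 ends at 890 MHz; anything
    outside that range returns None.
    """
    if not 470.0 <= freq_mhz < 890.0:
        return None
    return 14 + int((freq_mhz - 470.0) // 6)


def tv_channels_covering_amps_downlink():
    """Sorted list of old UHF TV channels that overlap AMPS base transmissions."""
    found = set()
    for n in list(range(1, 800)) + list(range(991, 1024)):
        tv = old_uhf_tv_channel(amps_base_tx_mhz(n))
        if tv is not None:
            found.add(tv)
    return sorted(found)


if __name__ == "__main__":
    for n in (991, 1, 333, 666, 799):
        print(f"AMPS ch {n:4d}: mobile {amps_mobile_tx_mhz(n):.3f} MHz, "
              f"base {amps_base_tx_mhz(n):.3f} MHz, "
              f"old TV ch {old_uhf_tv_channel(amps_base_tx_mhz(n))}")
    print("TV channels overlapping the AMPS downlink:",
          tv_channels_covering_amps_downlink())
```

Running it shows that every AMPS downlink channel up to 666 falls inside old TV channels 80 through 83, and that the top of the AMPS band (above 890 MHz) was beyond the end of the old TV dial, which is why the fine-tuning knob on those sets swept through dozens of 30 kHz voice channels within a single 6 MHz TV "channel".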

I discovered that totally by accident after moving to a new town. I wanted to see what channels we got and was click-click-clicking through the top end, and one of them talked! Playing with the fine tuning knob revealed other conversations, and the rest just followed from that.

I miss the days of random discoveries like that. It's far less likely to happen when everything out there has its own digital encoding scheme.