Writing

Software, technology, sysadmin war stories, and more.
Saturday, December 12, 2020

Listening to phone calls with stock consumer devices

In a recent post, I mentioned how the top end of the (US) UHF TV band was given over to cellular phone companies back in the '80s. I also mentioned that the transmissions were just simple analog FM broadcasts, such that television sets of that era could actually receive them. Many strange discoveries were made by tuning those channels and fiddling with the fine tuning knob to move around the band.

I have two other stories about messing around and receiving phone calls, and both involve devices which otherwise were perfectly normal. They're from almost 30 years ago, and none of this applies today.

The first one involves the old AT&T Model 5500 cordless phone which had a giant base incorporating a speakerphone, its own dial pad, bidirectional paging, and (most importantly) an intercom feature. The intercom feature was an interesting thing. If you pushed the INTCM button on the handset, it would open a channel with the base just the same as starting a phone call. It just wouldn't pick up the line, and instead would connect the base's speaker and mic.

If you're thinking "you could totally put the base somewhere, push the button, and listen to the room from somewhere else", you're right, but that's not what the story was. This story was about using a race condition in the design of the system to listen to actual phone calls from surrounding neighbors. It all had to do with timing, like any good race condition.

Pushing INTCM on the handset opened a channel. Pushing OFF on the handset or on the base closed it. All you had to do was keep jamming on the handset's INTCM button and the base's OFF button until you got the timing right. What would happen is it would go "beep, click, beep, click, beep, click" a few times, but eventually you'd nail it and you'd get "beep, *error tone*".

When this happened, the handset would think the session had been stood up, but the base would have already shut down. This left the handset's receiver on, but the base's transmitter turned off! In other words, your handset would now tune in whatever was on that particular channel, and your base wouldn't be there generating a strong signal to cover it up.

The best part of this is that the CHAN button to change channels still worked in this mode. All you had to do was walk around the area while pushing that button to "scan" the band. Once you heard something other than analog static, you could stay there and spy on the neighbors.

These were old-school 46/49 MHz systems with 10 channels, and this was before anyone had bothered doing any kind of digital stuff, inversion, scrambling, or really much of anything to keep other people from hearing what was going on. The most you could get from most devices back then was a "code" that would supposedly keep other people from grabbing your phone's base to make calls on your line.

So that's the cordless phone story, but I also have a story involving actual analog cellular phones - the very AMPS stuff that got the upper end of the old TV band mentioned before.

Once upon a time, people walked around with those Motorola "flip phones". These were the kind that showed up after the first "brick" phones, sucked power like crazy, and required weird incantations any time you wandered outside of your usual calling area. (For Motorola nerds, it was a DPC-550, in case you wanted to look it up.)

Anyway, this was a decently capable little phone, but it had an interesting feature available to it. The design was such that the phone itself had a large battery snapped onto its back. The phone body had a couple of thick and springy raised copper connectors in order to mate with the battery. However, in between them, there was a flat connector which would not reach the battery.

The battery, meanwhile, had three connectors that lined up with those on the phone, but normally only the outer two would get used. There was a small gap between the phone's middle conductor and the battery's middle conductor by virtue of the phone's side being flat.

It turned out to not be particularly difficult to bridge this gap. If you could find a bad end of a twisted-pair Ethernet cable that had been lopped off, you could grab one of the eight wires inside, strip back the insulation with your nails, and have a nice bit of copper. After a little folding over itself, it would be just thick enough to fit in the gap and bridge the battery to the phone.

Actually doing this then made the phone power up in a service or perhaps diagnostic mode. I assume this is how they programmed it at the store. That part was mildly amusing, but there was other stuff it could do, too. You could instruct the phone to switch on its receiver (!), and it would comply. It would just turn on the radio and start receiving at some channel, and if there was a conversation on it, you'd hear it. You could also command it to change channels, and so effectively "scan" the band yet again.

Thus, despite the bans on consumer equipment (scanners) accessing that part of the 800 MHz band, you could get around it with one of the most commonly-found phones of the day, a bit of wire, and a little knowledge.