Cellular Telephony

From Higher Intellect Wiki
Jump to: navigation, search


        C e l l u l a r    T e l e p h o n y


        by

        B r i a n   O b l i v i o n



               A  -=Restricted -=Data -=Transmission



        The benefit of a mobile transceiver has been the wish of experimenters
        since the late 1800's.  To have the ability to be reached by another
        man despite location, altitude, or depth has had high priority in
        communication technology throughout its history.  Only until the late
        1970's has this been available to the general public.  That is when
        Bell Telephone (the late Ma Bell) introduced the Advanced Mobile
        Phone Service, AMPS for short.

        Cellular phones today are used for a multitude of different jobs.
        They are used in just plain jibber-jabber, data transfer(I will
        go into this mode of cellular telephony in depth later), corporate
        deals, surveillance, emergencies, and countless other applications.
        The advantages of cellular telephony to the user/phreaker are
        obvious:

                1.  Difficulty of tracking the location of a transceiver
                    (especially if the transceiver is on the move) makes
                    it very difficult to locate

                2.  Range of the unit within settled areas

                3.  Scrambling techniques are feasible and can be made to
                    provide moderate security for most transmissions.

                4.  The unit, with modification can be used as a bug, being
                    called upon by the controlling party from anywhere on
                    the globe.

                5.  It with the right knowledge one can modify the cellular
                    in both hardware and software to create a rather diverse-
                    ified machine that will scan, store and randomly change
                    ESN's per call there by making detection almost impossible.


        I feel it will be of great importance for readers to understand the
        background of the Cellular phone system, mainly due to the fact that
        much of the pioneering systems are still in use today.  The first
        use of a mobile radio came about in 1921 (remember prohibition?)
        by the Detroit police department.  This system operated at 2MHz.  In
        1940, frequencies between 30 and 40MHz were made available to and
        soon became overcrowded.  The trend of overcrowding continues today.

        In 1946, the FCC declared a 'public correspondence system' called,
        or rather classified as "Domestic Public Land Mobile Radio Service"
        (DPLMRS) at 35 - 44 MHz band that ran along the highway between
        New York and Boston.  Now the 35-44MHz band is used mainly by Amateur
        radio hobbyists due to the bands susceptibility to skip-propagation.

        These early mobile radio systems were all PTT(push-to-talk) systems
        that did not enjoy todays duplex conversations.  The first real
        mobile 'phone' system was the 'Improved Mobile Telephone Service'
        or the IMTS for short, in 1969.  This system covered the spectrum
        from 150 - 450MHz, sported automatic channel selection for each
        call, eliminated PTT, and allowed the customer to do their own
        dialing.  From 1969 to 1979 this was the mobile telephone service
        that served the public and business community, and it is still
        used today.

        IMTS frequencies used(MHz):

        Channel         Base Frequency          Mobile Frequency

        VHF Low Band

        ZO              35.26                   43.26
        ZF              35.30                   43.30
        ZH              35.34                   43.34
        ZA              35.42                   43.32
        ZY              34.46                   43.46
        ZC              35.50                   43.50
        ZB              35.54                   43.54
        ZW              35.62                   43.62
        ZL              35.66                   43.66

        VHF High Band

        JL              152.51                  157.77
        YL              152.54                  157.80
        JP              152.57                  157.83
        YP              152.60                  157.86
        YJ              152.63                  157.89
        YK              152.66                  157.92
        JS              152.69                  157.95
        YS              152.72                  157.98
        YA              152.75                  158.01
        JK              152.78                  158.04
        JA              152.81                  158.07

        UHF Band

        QC              454.375                 459.375
        QJ              454.40                  459.40
        QO              454.425                 459.425
        QA              454.45                  459.45
        QE              454.475                 459.475
        QP              454.50                  459.50
        QK              454.525                 459.525
        QB              454.55                  459.55
        QO              454.575                 459.575
        QA              454.60                  459.60
        QY              454.625                 459.625
        QF              454.650                 459.650

        VHF High frequencies are the most popular frequencies of all
        the IMTS band.  VHF low bands are used primarily in rural areas
        and those with hilly terrain.  UHF bands is primarily used in cities
        where the VHF bands are overcrowded.  Most large cities will find
        at least one station being used in their area.

        ADVANCED MOBILE PHONE SYSTEM

        The next step for Mobile telephone was made in 1979 by Bell
        Telephone, again (gee.. where was the competition?), introducing
        the Advanced Mobile Phone Service.  This service is the focus
        of this document, which has now taken over the mobile telephone
        industry as the standard.   What brought this system to life
        were the new digital technologies of the 1970's.  This being
        large scale integrated custom circuits and microprocessors.
        Without these technologies, the system would not have been
        economically possible.

        The basic elements of the cellular concept have to do with
        frequency reuse and cell splitting.

        Frequency reuse refers to the use of radio channels on the same
        carrier frequency to cover different areas which are separated by
        a significant distance.  Cell splitting is the ability to split
        any cell into smaller cells if the traffic of that cell requires
        additional frequencies to handle all the area's calls.  These two
        elements provide the network an opportunity to handle more simul-
        taneous calls, decrease the transmitters/receivers output/input
        wattage/gain and a more universal signal quality.

        When the system was first introduced, it was allocated 40MHz in
        the frequency spectrum, divided into 666 duplex radio channels
        providing about 96 channels per cell for the seven cluster
        frequency reuse pattern.  Cell sites (base stations) are located
        in the cells which make up the cellular network.  These cells
        are usually represented by hexagons on maps or when developing
        new systems and layouts.  The cell sites contain radio, control,
        voice frequency processing and maintenance equipment, as well as
        transmitting and receiving antennas.  The cell sites are inter-
        connected by land-line with the Mobile Telecommunications Switching
        Office (MTSO).

        In recent years, the FCC has added 156 frequencies to the Cellular
        bandwidth.  This provides 832 possible frequencies available to
        each subscriber per cell.  All new cellular telephones are built
        to accommodate these new frequencies, but old cellular telephones
        still work on the system.  How does a cell site know if the unit
        is old or new?  Let me explain.

        The problem of identifying a cellular phones age is done by the
        STATION CLASS MARK (SCM).  This Number is 4 bits long and broken
        down like this:

                Bit 1:  0 for 666 channel usage (old)
                        1 for 832 channel usage (new)

                Bit 2:  0 for a mobile unit(in 
vehicle)
                        1 for voice-activated transmit (for portables)

                Bit 3-4:  Identify the power class of the unit

    Class I    00 = 3.0 watts Continuous Tx's   00XX...DTX <> 1
    Class II   01 = 1.2 watts Discont. Tx's     01XX...DTX =  1
    Class III  10 = 0.6 watts reserved          10XX, 11XX
    Reserved   11 = ---------                   Letters DTX set to 1 permits
                                                use of discontinuous trans-
                                                missions


   Cell Sites:  How Cellular telephones get their name

        Cell sites, as mentioned above are laid out in a hexagonal type
        grid.  Each cell is part of a larger cell which is made up of
        seven cells in the following fashion:

           |---|      ||===||      |---|       |---|       |---|       |---
          /     \    //     \\    /     \     /     \     /     \     /
         |       |===||  2  ||===||     ||===||      |---|       |---|
          \     //    \     /     \\   //     \\    /     \     /     \
           |---||  7   |---|   3   ||==||  2   ||==||      |---|       |---|
          /     \\    /     \     //    \     /     \\      Due to the      \
         |      ||---|   1   |---||  7   |---|   3   ||--|  difficulty of    |
          \    //     \     /     \\    /     \     //    \ representing    /
           |--||   6   |---|   4   ||--|   1   |---||      |graphics with  |
          /    \\     /     \     //    \     /     \\    / ASCII characters\
         |      ||==||   5   ||==||  6   |---|   4   ||--|  I will only show |
          \     /    \\     //    \\    /     \     //    \ two of the cell /
           |---|      ||===||     ||===||  5   ||==||      |types I am trying-
          /     \     /     \     /     \\    //    \     / to convey.      \
         |       |---|       |---|       ||==||      |---|       |---|       |
          \     /     \     /     \     /     \     /     \     /     \     /
           |---|       |---|       |---|       |---|       |---|       |---|

        As you can see, each cell is a 1/7th of a larger cell. Where one(1)
        is the center cell and two(2) is the cell directly above the center.
        The other cells are number around the center cell in a clockwise
        fashion, ending with seven(7).  The cell sites are equipped with
        three directional antennas with an RF beam-width of 120 degrees
        providing 360 degree coverage for that cell.  Note that all cells
        never share a common border.  Cells which are next to each other
        are obviously never assigned the same frequencies.  They will
        almost always differ by at least 60 kHz.  This also demonstrates
        the idea behind cell splitting.  One could imagine that the perimeter
        of one of the large cells was once one cell.  Due to a traffic
        increase, the cell had to be sub-divided to provide more channels
        for the subscribers.  Note that subdivisions must be made in factors
        of seven.

        There are also Mobile Cell sites, which are usually used in the
        transitional period during the up-scaling of a cell site due to
        increased traffic.  Of course, this is just one of the many uses of
        this component.  Imagine you are building a new complex in a very
        remote location.  You could feasibly install a few mobile cellular
        cell sites to provide a telephone-like network for workers and
        executives.  The most unique component would be the controller/
        transceiver which provides the communications line between the
        cell site and the MTSO.  In a remote location such a link could
        very easily be provided via satellite up/down link facilities.


        Lets get into how the phones actually talk with each other.  There
        are several ways and competitors have still not set an agreed upon
        standard.

        Frequency Division Multiple Access (FDMA)

        This is the traditional method of traffic handling.  FDMA is a
        single channel per carrier analog method of transmitting signals.
        There has never been a definite set on the type of modulation to
        be used.  There are no regulations requiring a party to use a single
        method of modulation.  Narrow band FM, single sideband AM, digital, and
        spread-spectrum techniques have all been considered as a possible
        standard.  But none have yet to be chosen.

        FDMA works like this:  Cell sites are constantly searching out
        free channels to start out the next call.  As soon as a call finishes
        the channel is freed up and put on the list of free channels.  Or, as
        a subscriber moves from one cell to another the new cell they are in
        will hopefully have an open channel to receive the current call in
        progress and carry it through its location.  This process is called
        hand-off, and will be discussed more in-depth further along.

        Other proposed traffic handling schemes include Time-Division
        Multiple Access (TDMA), Code-Division Multiple Access(CDMA), and
        Time-Division/Frequency Division Multiple Access.

        Time Division Multiple Access

        With TDMA calls are simultaneously held on the same channels, but
        are multiplexed between pauses in the conversation.  These pauses
        occur in the way people talk and think, and the telephone company
        also injects small delays on top of the conversation to accommodate
        other traffic on that channel.  This increase in the length of the
        usual pause results in a longer amount of time spent on the call.
        Longer calls result in higher cost of the call.

        Code Division Multiple Access

        This system has been used in mobile military communications for the
        past 35 years.  This system is digital and breaks up the digitized
        conversation into bundles, compressed, sent, then decompressed and
        converted back into analog.  There are said increases of throughput
        of 20 : 1 but CDMA is susceptible to interference which will result
        in packet retransmission and delays.  Of course error correction can
        can help in data integrity, but will also result in a small delay in
        throughput.

        Time-Division/Frequency Division Multiple Access

        TD/FDMA is a relatively new system which is an obvious hybrid of
        FDMA and TDMA.  This system is mainly geared towards the increase
        of digital transmission over the cellular network.  TD/FDMA make
        it possible to transmit signals from base to mobile without
        disturbing the conversation.  With FDMA there are significant
        disturbances during hand-off with prevent continual data transmission
        from site to site.  TD/FDMA make it possible to transmit control
        signals by the same carrier as the data/voice thereby ridding
        extra channel usage for control.


    Cellular Frequency Usage and channel allocation


        There are 832 cellular phone channels which are split into two
        separate bands.  Band A consists of 416 channels for non-wireline
        services.  Band B consists equally of 416 channels for wireline
        services.  Each of these channels are split into two frequencies
        to provide duplex operation.  The lower frequency is for the mobile
        unite while the other is for the cell site.  21 channels of each
        Band are dedicated to 'control' channels and the other 395 are
        voice channels.  You will find that the channels are numbered from
        1 to 1023, skipping channels 800 to 990.

        I found these handy-dandy equations that can be used for calculating
        frequencies from channels and channels from frequencies.

        N = Cellular Channel #          F = Cellular Frequency
        B = 0 (mobile) or B = 1 (cell site)



        CELLULAR FREQUENCIES from CHANNEL NUMBER:


        F = 825.030 + B * 45 + ( N + 1 ) * .03
                where:  N = 1 to 799

        F = 824.040 + B * 45 + ( N + 1 ) * .03
                where:  N = 991 to 1023



        CHANNEL NUMBER from CELLULAR FREQUENCIES


        N = 1 + (F - 825.030 - B * 45) / .03

                where:  F >= 825.000 (mobile)
                     or F >= 870.030 (cell site)

        N = 991 + (F - 824.040 - B * 45) / .03

                where:  F <= 825.000 (mobile)
                     or F <= 870.000 (base)


        Now that you have those frequencies, what to do with them.  Well,
        for starters, one can very easily monitor the cellular frequencies
        with most hand/base scanners.  Almost all scanners pre-1988 have
        some coverage of the 800 - 900 MHz band.  All scanners can
        monitor the IMTS frequencies.

        Remember that cellular phones operate on a full duplex channel.
        That means that one frequency is used for transmission and the
        other is used for receiving, each spaced exactly 30 kHz apart.
        Remember also that the base frequencies are 45MHz higher than
        the cellular phone frequencies.  This can obviously make
        listening rather difficult.  One way to listen to both parts of
        the conversation would be having two scanners programmed 45 MHz
        apart to capture the entire conversation.

        The upper UHF frequency spectrum was 'appropriated' by the Cellular
        systems in the late 1970's.  Televisions are still made to
        receive up to channel 83.  This means that you can receive much
        of the cellular system on you UHF receiver.  One television channel
        occupies 6MHz of bandwidth. This was for video, sync, and audio
        transmission of the channel.  A cellular channel only takes up
        24 kHz plus 3kHz set up as a guard band for each audio signal.
        This means that 200 cellular channels can fit into one UHF
        television channel.  If you have an old black and white television
        drop a variable cap in there to increase the sensitivity of the
        tuning.  Some of the older sets have coarse and fine tuning knobs.

        Some of the newer, smaller, portable television sets are tuned by
        a variable resistor.  This make modifications MUCH easier, for now
        all you have to do is drop in there a smaller value pot and
        tweak away.  I have successfully done this on two televisions.
        Most users will find that those who don't live in a city will
        have a much better listening rate per call.  In the city, the cells
        are so damn small that hand-off is usually every other minute.
        Resulting in chopped conversations.

        If you wanted to really get into it, I would suggest to obtain an
        old Television set with decent tuning controls and remove the RF
        section out of the set.  You don't want all that hi-voltage circuitry
        lying around(flyback and those caps).  UHF receivers in televisions
        down-convert UHF frequencies to IF (intermediate frequencies) between
        41 and 47 MHz.  These output IF frequencies can then be run into a
        scanner set to pick-up between 41 - 47 MHz.  Anyone who works with
        RF knows that it is MUCH easier to work with 40MHz signals than working
        with 800MHz signals (not to far away from Ghz.. mmmmmmm.. Waveguides
        are just sooo much fun).  JUST REMEMBER ONE THING!!!!  Isolate the
        UHF receiver from your scanner by using a coupling capacitor(.01 -
        .1 microfarad(50V min.) will do nicely)!!!!  You don't want any of
        those biasing voltages creeping into your scanners receiving
        AMPLIFIERS!!!  Horrors.  Also, don't forget to ground both the scanner
        and receiver.

        Some systems transmit and receive the same cellular transmission
        on the base frequencies.  There you can simply hang out on the
        base frequency and capture both sides of the conversation.  The
        hand-off rate is much higher in high traffic areas leading the listener
        to hear short or choppy conversations.  At times you can listen in
        for 5 to 10 minutes per call, depending on how fast the caller is
        moving through the cell site.

         TV          Cell & Channel   Scanner    TV Oscillator     Band
        Channel      Freq.& Number    Frequency  Frequency        Limit
        ===================================================================
         73 (first)  0001 - 825.03     45.97        871         824 - 830
         73 (last)   0166 - 829.98     41.02        871         824 - 830
         74 (first)  0167 - 830.01     46.99        877         830 - 836
         74 (last)   0366 - 835.98     41.02        877         830 - 836
         75 (first)  0367 - 836.01     46.99        883         836 - 842
         75 (last)   0566 - 841.98     41.02        883         836 - 842
         76 (first)  0567 - 842.01     46.99        889         842 - 848
         76 (last)   0766 - 847.98     41.02        889         842 - 848
         77 (first)  0767 - 848.01     46.99        895         848 - 854
         77 (last)   0799 - 848.97     46.03        895         848 - 854

         All frequencies are in MHz

        You can spend hours just listening to cellular telephone conversations
        but I would like to mention that it is illegal to do so.  Yes, it is
        illegal to monitor cellular telephone conversations.  It just another
        one of those laws like removing tags off of furniture and pillows.
        It's illegal, but what the hell for?  Its also illegal to spit on
        the sidewalks here in Massachusetts, yet you can carry a shotgun
        on Sundays with you to mass(thats still in the books.  Obviously
        it was for the original settlers).  At any rate, I just want you
        to understand that doing the following is in violation of the law.

        Now back to the good stuff.

        Conversation is not only what an avid listener will find on the
        cellular bands.  One will also hear call/channel setup control
        data streams, dialing, and other control messages.  At times,
        a cell site will send out a full request for all units in its
        cell to identify itself.  The phone will then respond with the
        appropriate identification on the corresponding control channel.

        Whenever a mobile unit is turned on, even when not placing a call,
        whenever there is power to the unit, it transmits its phone
        number and its 8-digit ID number.  The same process is done when
        an idling phone passes from one cell to the other.  This process
        is repeated for as long as there is power to the unit.  This allows
        the MTSO to 'track' a mobile through the network.  That is why it is
        not a good reason to use a mobile phone from one site.  They do have
        ways of finding you.  And it really is not that hard.  Just a bit
        of RF Triangulation theory and you're found.  However, when the
        power to the unit is shut off, as far as the MTSO cares, you never
        existed in that cell, of course unless your unit was flagged for some
        reason.  MTSO's are basically just ESS systems designed for mobile
        applications.  This will be explained later within this document.

        It isn't feasible for the telephone companies to keep track of each
        customer on the network.  Therefore the MTSO really doesn't know
        if you are authorized to use the network or not.  When you purchase
        a cellular phone, the dealer gives the units phone ID number to the
        local BOC, as well as the number the BOC assigned to the customer.
        When the unit is fired up in a cell site its ID number and phone
        number is transmitted and checked.  If the two numbers are registered
        under the same subscriber, then the cell site will allow the mobile
        to send and receive calls.  If they don't match, then the cell will
        not allow the unit to send or receive calls.  Hence, the most
        successful way of reactivating a cellular phone is to obtain an
        ID that is presently in use and modifying your rom/prom/eprom for
        your specific phone.

        RF and AF Specifications:

        Everything that you will see from here on out is specifically
        Industry/FCC standard.  A certain level of compatibility has
        to be maintained for national intercommunications, therefore
        a common set of standards that apply to all Cellular telephones
        can be compiled and analyzed.

        Transmitter Mobiles: audio transmission

        - 3 kHz to 15 kHz and 6.1 kHz to 15 kHz
        - 5.9 kHz to 6.1 kHz 35 dB attenuation
        - Above 15 kHz, the attenuation becomes 28 dB
        - All this is required after the modulation limiter and before
          the modulation stage

        Transmitters Base Stations: audio transmission

        - 3 kHz to 15 kHz
        - Above 15 kHz, attenuation required 28 dB
        - Attenuation after modulation limiter - no notch filter required

        RF attenuation below carrier Transmitter: audio transmission

        - 20 kHz to 40 kHz, use 26 dB.
        - 45 kHz to 2nd harmonic, the specification is 60 dB or 43 + 10 log
          of mean output power
        - 12 kHz to 20 kHz, attenuation 117 log f/12
        - 20 kHz to 2nd harmonic, there is a choice: 100 log F/100 or 60 dB
          or 43 log + 10 log of mean output power, whichever is less.

        Wideband Data

        - 20 kHz to 45 kHz, use 26 dB
        - 45 kHz to 90 kHz, use 45 dB
        - 90 kHz to 2nd harmonic, either 60 dB or 43 + 10 log mean output
          power

        - all data streams are encoded so that NRZ (non-return-to-zero)
          binary ones and zeroes are now zero-to-one and one-to-zero
          transitions respectively.  Wideband data can then modulate
          the transmitter carrier by binary frequency shift keying(BFSK)
          and ones and zeroes into the modulator must now be equivalent
          to nominal peak frequency deviations of 8 kHz above and below
          the carrier frequency.

        Supervisory Audio Tones

        -  Save as RF attenuation measurements

        Signaling Tone

        - Same as Wideband Data but must be 10 kHz +/- 1 Hz and produce a
          nominal frequency deviation of +/- 8 kHz.


        The previous information will assist any technophile to modify or
        even troubleshoot his/her cellular phone.  Those are the working
        guidelines, as I stated previously.


   UNIT IDENTIFICATION

        Each mobile unit is identified by the following sets of numbers.

        The first number is the Mobile Identification Number (MIN).  This
        34 bit binary number is derived from the units telephone number,
        MIN1 is the last seven digits of the telephone number and MIN2 is
        the area code.

        For demonstrative purposes, we'll encode 617-637-8687.

        Here's how to derive the MIN2 from a standard area code.  In this
        example, 617 is the area code.  All you have to do is first convert
        to modulo 10 using the following function.  A zero digit would be
        considered to have a value of 10.

                100(first number) + 10(second) +1(third) - 111 = x

                        100(6) + 10(1) + 1(7) - 111 = 506

                  (or you could just - 111 from the area code.)

        Then convert it to a 10-bit binary number: 0111111010

        To derive MIN1 from the phone number is equally as simple.  First
        encode the next three digits, 637.

                       100(6) + 10(3) + 1(7) - 111 = 526

        Converted to binary:  1000001110

        The remainder of the number 8687, is processed further by taking
        the first digit, eight(8) and converting it directly to binary.

                        8 = 1000 (binary)

        The last three digits are processed as the other two sets of
        three numbers were processed.

                       100(6) + 10(8) + 1(7) - 111 = 576

        Converted to binary:  1001000000

        So the completed MIN number would look like this:

            |--637---||8-||---687--||---617--|
            1000001110100010010000000111111010
            \________/\__/\________/\________/


        A unit is also identifiable by its Electronic Serial Number or
        ESN.  This number is Factory Preset and is usually stored in a
        ROM chip, which is soldered to the board.  It may also be found
        in a 'computer on a chip', which are the new microcontrollers
        which have rom/ram/microprocessor all in the same package.  This
        type of setup usually has the ESN and the software to drive the
        unit all in the same chip.  This makes is significantly harder
        to dump, modify and replace.  But it is far from impossible.

        The ESN is a 4 byte hex or 11-digit octal number.  I have encountered
        mostly 11-digit octal numbers on the casing of most cellular phones.
        the first three digits represent the manufacturer and the remaining
        eight digits are the units ESN.  I'll go more into the ESN later in
        the document.

        The Station Class Mark (SCM) is also used for station identification
        by providing the station type and power output rating.  This was
        already discussed in a previous section.

        The System IDentification (SID number is a number which represents
        the mobile's home system.  This number is 15-bits long and a list
        of current nationwide SID's should either be a part of this file
        or it will be distributed along with it.


        In the next issue we'll discuss the Control channels, signalling
        formats, and dissecting the NAM in detail.  Social.technological
        impacts (re: cellular interception designed into the units)

-------------- cut me here ---------------------------------------------------


   PUTTING IT ALL TOGETHER - Signaling on the Control Channels

        There are two types of continuous wideband data stream transmissions.
        One is the Forward Control Channel which is sent from the land station
        to the mobile.  The other is the Reverse Control Channel, which is
        sent from the mobile to the land station.  Each data stream runs at a
        rate of 10 kilobit/sec, +/- 1 bit/sec rate.  The formats for each of
        the channels follow.


        Forward Control Channel

        The forward control channel consists of three discrete information
        streams.  They are called stream A, stream B and the busy-idle
        stream.  All three streams are multiplexed together.  Messages to
        mobile stations with the least significant bit of their MIN number
        equal to "0" are sent on stream A, and those with a "1" are sent
        on stream B.

        The busy-idle stream contains busy-idle bits, which are used to
        indicate the status of the reverse control channel.  If the busy-idle
        bit = "0" the reverse control channel is busy, if it equals "1"
        it is idle.  The busy-idle bit is located at the beginning of each
        dotting sequence, word sync sequence, at the beginning of the first
        repeat of word A and after every 10 message bits thereafter.

        Mobile stations achieve synchronization with the incoming data via
        a 10 bit dotting sequence (1010101010) and an 11 bit word sync
        sequence (11100010010).  Each word contains 40 bits, including parity
        and is repeated 5 times after which it is then referred to as a
        "block".  For a multi-word message, the second word block and subsequent
        word blocks are formed the same as the first word block including the
        dotting and sync sequences.  A "word" is formed when the 28 content
        bits are encoded into a (40, 28; 5) BCH (Bose-Chaudhuri-Hocquenghem)
        code.  The left-most bit shall be designated the most-significant bit.

        The Generator polynomial for the (40, 28;5) BCH code is:

                        12    10    8    5    4    3    0
              G (X) =  X   + X   + X  + X  + X  + X  + X
               B

        Each FOCC message con consist of one or more words.  Messaging trans-
        mitted over the forward control channel are:

                - Mobile station control message
                - Overhead message
                - control-filler message

        Controller-filler messages may be inserted between messages and
        between word blocks of a multi-word message.

        Message Formats:  Found on either stream A or B

        MOBILE STATION CONTROL MESSAGE

        The mobile station control message can consist of one, two, or four
        words.

        Word 1 (abbreviated address word)

   +--------+-------+---------------------------------------+-----------+
   | T   t  |       |                                       |           |
   |  1   2 |  DCC  |    Mobile Identification Number 1     |     P     |
   |        |       |                      23-0             |           |
   +--------+-------+---------------------------------------+-----------+
 bits:  2       2                      24                         12

         Word 2 (extended address word)

     +------+-----+-----------+------+--------+-------+----------+-----+
     | T  T |SCC =|           | RSVD | LOCAL  | CRDQ  |   ORDER  |     |
     |  1  2| 11  |  MIN2     | = 0  |        |       |          |     |
     |   =  +-----+     3-24  +------+-----+--+-------+----------|  P  |
     |  10  |SCC =|           |    VMAC    |       CHAN          |     |
     |      | 11  |           |            |                     |     |
     +------+-----+-----------+------------+---------------------+=----+

        The Reverse Control Channel (RECC) is a wideband data stream sent
        from the mobile station to the land station.  This data stream runs
        at a rate of 10 kilobit/sec, +/- 1 bit/sec rate.  The format of the
        RECC data stream follows:

     +---------+------+-------+------------+-------------+-----------+-----
     | Dotting | Word | Coded | first word | Second word | Third word|
     |         | sync |  DCC  | repeated   |   repeated  |  repeated | ...
     |         |      |       | 5 times    |   5 times   |  5 times  |
     +---------+------+-------+------------+-------------+-----------+-----

        DCC = Digital Color Code            Dotting = 01010101...010101
      Received DCC    7-bit Codec DCC     Word sync = 11100010010
          00            0000000
          01            0011111
          10            1100011
          11            1111100

        All messages begin with the RECC seizure precursor with is composed
        of a 30 bit dotting sequence (1010...101), and 11 bit word sync
        sequence (11100010010), and the coded digital color code.

        Each word contains 48 bits, including parity, and is repeated five
        times after which it is referred to as a word block.  A word is
        formed by encoding 36 content bits into a (48, 36) BCH code that has
        a distance of 5, (48 36; 5).  The left most bit shall be designated
        the most-significant bit.  The 36 most-significant bits of the 48 bit
        field shall be the content bits.

        The generator polynomial for the code is the same for the (40,28;5)
        code used on the forward channel.


        CONTROL CHANNELS (SETUP CHANNELS)

        Each wireline and non-wireline service have 21 channels.  These
        channels are used by the MTSO and the cell sites to directly
        communicate with the mobile unit.  The first signal sent to initiate
        a call is the Supervisory Audio Tone (SAT).  This can be thought of
        as the voltage used to close the loop on a land telephone.

           SAT Tones with corresponding binary codes:

                5970 Hz  (00)
                6000 Hz  (01)
                6030 HZ  (10)

        The mobile unit receives the SAT from the cell site and transponds
        it back (closing the loop).  Tone recognition must take place
        within 250 milliseconds or the site interprets it as the mobile
        is out of range.  If the SAT is returned, then a Signaling Tone
        is issued.  This Tone is 10kHz and is present when the user is
        either being alerted(call initialization), being handed off,
        or disconnecting  The Signaling tone is used only in mobile to
        land direction











        C e l l u l a r    T e l e p h o n y   I I

        by

        B r i a n   O b l i v i o n



               A  -=Restricted -=Data -=Transmission


        In the last issue we discussed the history of cellular telephony,
        monitoring techniques, and a brief description of its predecessors.
        In this issue I'll describe the call processing sequences for land-
        originated and mobile-originated calls, as well as the signaling
        formats for these processes.  I apologize for the bulk of information
        but I feel it is important for anyone who is interested in how the
        network communicates.  Please realize that there was very little I
        could add to such a cut and dried topic, and that most is taken
        verbatim from Industry standards, with comments and addendums salt
        and peppered throughout.


        Call-Processing Sequences


           Call-Processing Sequence for Land-Originated Calls


 MTSO                       Cell Site                     Mobile Unit
 ------------------------------------------------------------------------------
                            1--Transmits setup channel
                               data on paging channel
                            2 ----------------------------Scans and locks on
                                                          paging channel
 Receives incoming call --- 3
 and performs translations

 Sends paging message ----- 4
 to cell site
                            5 -- Reformats paging
                                 message
                            6 -- Sends paging message
                                 to mobile unit via
                                 paging channel
                            7 ----------------------------Detects Page
                            8 ----------------------------Scans and locks on
                                                          access channel
                            9 ----------------------------Seizes setup channel
                           10 ----------------------------Acquires sync
                           11 ----------------------------Sends service request
                           12 -- Reformats service request
                           13 -- Performs directional locate
                           14 -- Sends service request to
                                 MTSO
 Selects voice channel --- 15
 Sends tx-on command to -- 16
 cell site
                           17 -- Reformats channel designation
                                 message
                           18 -- Sends channel designation
                                 message to mobile unit via
                                 access channel
                           19 -----------------------------Tunes to voice
                                                           channel
                           20 -----------------------------Transponds SAT
                           21 -- Detects SAT
                           22 -- Puts on-hook on trunk
 Detects off-hook -------- 23
 Sends alert order ------- 24
                           25 -- Reformats alert order
                           26 -- Sends alert order to
                                 mobile unit via blank-
                                 and-burst on voice channel
                           27 -----------------------------Alerts User
                           28 -----------------------------Sends 10-kHz tone
                           29 -- Detects 10-kHz tone
                           30 -- Puts on-hook on trunk
 Detects on-hook --------- 31
 Provides audible ring --- 32
                           33 -- Detects absence of 10-kHz
                                 tone
                           34 -- Puts off-hook on trunk
 Detects off-hook -------- 35
 Removes audible ring ---- 36
 and completes connection

                         Time




              Call-Processing Sequence for Mobile-Originated Calls

 MTSO                       Cell Site                     Mobile Unit
 ------------------------------------------------------------------------------
                            1 -- Transmits setup channel
                                 data on paging channel
                            2 --------------------------- Scans and locks-on
                                                          paging channel
                            3 --------------------------- User initiates call
                            4 --------------------------- Scans and locks-on
                                                          access channel
                            5 --------------------------- Seizes setup channel
                            6 --------------------------- Acquires sync
                            7 --------------------------- Sends service request
                            8 -- Reformats service request
                            9 -- Performs directional Locate
                           10 -- Sends service request to
                                 MTSO
Selects voice channel ---- 11
Sends tx-on command to --- 12
cell site
                           13 -- Reformats channel
                                 designation message
                           14 -- Sends channel designation
                                 message to mobile unit via
                                 access channel
                           15 --------------------------- Tunes to voice
                                                           channel
                           16 --------------------------- Transponds SAT
                           17 -- Detects SAT
                           18 -- Puts off-hook on trunk
Detects off-hook --------- 19
Completes call through --- 20
network
                          Time

        Let me review the frequency allocation for Wireline and non-Wireline
        systems.  Remember that the Wireline service is usually provided by
        the area's Telephone Company, in my area that company is NYNEX.  The
        non-Wireline companies are usually operated by other carriers foreign
        to the area, in my area we are serviced by Cellular One (which is owned
        by Southwestern Bell).  Each company has its one slice of the electro-
        magnetic spectrum.  The coverage is not continuous, remember that there
        are also 800 MHz trunked business systems that also operate in this
        bandwidth.  Voice channels are 30 kHz apart and the Data channels are
        10 kHz apart.


        Frequency Range         Use
        ----------------------------------------------------------------------
        870.000 - 879.360       Cellular One (mobile input 825.000 - 834.360)
        880.650 - 890.000       NYNEX (mobile input 835.650 - 845.500)
        890.000 - 891.500       Cellular One (mobile input 845.000 - 846.500)
        891.500 - 894.000       NYNEX (mobile input 846.500 - 849.000)
        879.390 - 879.990       Cellular One (data)
        880.020 - 880.620       NYNEX (data)


        The data streams are encoded NRZ (Non-return-to-zero) binary ones
        and zeroes are now zero-to-one and one-to-zero transitions respect-
        ivly.  This is so the wide-band data can modulate the transmitter
        via binary frequency shift keying, and ones and zeroes into the
        modulator MUST now be equivalent to nominal peak frequency deviations
        of 8 kHz above and below the carrier frequency.


   PUTTING IT ALL TOGETHER - Signaling on the Control Channels

        The following information will be invaluable to the hobbyist that
        is monitoring cellular telephones via a scanner and can access
        control channel signals.  All information released below is
        EIA/TIA - FCC standard.  There are a lot of differences between
        cellular phones, but all phones must interface into the mobile
        network and talk fluently between each other and cell sites.
        Therefore, the call processing and digital signaling techniques are
        uniform throughout the industry.


   MOBILE CALL PROCESSING

        Calling:

        Initially, the land station transmits the first part of its SID
        to a mobile monitoring some control channel, followed by the number
        of paging channels, an ESN request, then mobile registration, which
        will either be set to 0 or 1.  When registration is set to one, the
        mobile will transmit both MIN1 and MIN2 during system access, another
        1 for discontinuous (DTX) transmissions, read control-filler (RCF)
        should be set to 1, and access functions (if combined with paging
        operations) require field setting to 1, otherwise CPA (combined paging
        access) goes to 0.

        Receiving:

        As the mobile enters the Scan Dedicated Control Channels Task, it
        must examine signal strengths of each dedicated control channel
        assigned to System A if enabled.  Otherwise System B control channels
        are checked.
        The values assigned in the NAWC (Number of Additional Words
        Coming) system parameter overhead message train will determine for
        the mobile if all intended information has been received.  An EDN
        field is used as a cross-check, and control-filler messages are not
        to be counted as part of the message.  Should a correct BCH code
        be received along with a non-recognizable overhead message, it must
        be part of the NAWC count train but the equivalent should not try
        and execute the instructions.

        Under normal circumstances, mobiles are to tune to the strongest
        dedicated control channel, receive a system parameter transmission,
        and, within 3 seconds, set up the following:

        o  Set SID's 14 most significant bits to SID1 field value.

        o  Set SID's least significant bit to 1, if serving system status
           enables, or to zero if not.

        o  Set paging channels N to 1 plus the value of N-1 field.

        o  Set paging channel FIRSTCHP as follows:
                If SIDs = SIDp then FIRSTCHPs = FIRSTCHPp (which is
                an 11-bit paging channel).
                If SIDs = SIDp and serving system is enabled, set
                FIRSTCHPs to initial dedicated channel for system
                B.
                If SIDs = SIDp and serving system is disabled, set
                FIRSTCHPs to first dedicated control channel for
                system B.

        o  Set LASTCHPs to value of FIRSTCHPs + Ns -1.

        o  Should the mobile come equipped for autonomous registration, it
           must:

                o Set registration increment (REGINCRs) to its 450 default
                  value.

                o Set registration ID status to enabled.

        I know that was a little arcane sounding but it's the best you can
        do with specifications.  Data is data, there is no way to spruce it
        up.  From here on out a mobile must begin the Paging Channel Selection
        Task.  If this cannot be completed on the strongest dedicated
        channel, the second strongest dedicated channel may be accessed and
        the three second interval commenced again.  Incomplete results should
        result in a serving system status check and an enabled or disabled
        state reversed, permitting the mobile to begin the Scan Dedicated
        control Channels Task when channel signal strengths are once more
        examined.

        Custom local operations for mobiles may be sent and include roaming
        mobiles whose home systems are group members.  A new access channel
        may be transmitted with a new access field set to the initial access
        channel.  Autonomously registered mobiles may increment their next
        registered ID by some fixed value, but the global action message
        must have its REGINCR field adequately set.  Also, so that all
        mobiles will enter the Initialization Task and scan dedicated
        control channels, a RESCAN global action message must be transmitted.

        Mobile stations may be required to read a control-filler message
        before accessing any system on a reverse control channel.

        System access for mobiles is sent on a forward control channel in
        the following manner.  Digital Color Code (DCC) identifies the land
        station.  Control Mobile Attenuation Code (CMAC) is included in the
        control-filler message for mobile power level transmitter adjustment
        before accessing any system on a reverse control channel.  The WFOM
        Wait for Overhead Message field must register 0 before the mobile
        accesses a system on a reverse control channel.  When mobiles are
        assigned to one or more of the 16 overload classes are not to access
        organizations on a reverse control channel, an overload control message
        is carried with the system parameter overhead message overload class
        fields are set to zero among the restricted number, and the remainder
        set to 1.  Busy-to-idle status (BIS) access parameters go to zero when
        mobiles are prevented from checking on the reverse control channel and
        the message must be added to the overhead.  When mobiles can't use the
        reverse control channel for seizure messages attempts or busy signals,
        access attempt parameters must also be included in the overhead.  And
        when a land station receives a seizure precursor matching its digital
        color code with 1 or no bit errors, busy idle bits signals on the
        forward control channel must be set to busy within 1.2 milliseconds
        from the time of the last bit seizure.  Busy-idle bit then must remain
        busy until a minimum of 30 msec following the final bit of the last
        word of the message has been received, or a total of 175 msec has
        elapsed.

        Channel Confirmation

        Mobiles are to monitor station control messages for orders and
        respond to both audio and local control orders even though land
        stations are not required to reply.  MIN bits must be matched.
        Thereafter, the System Access Task is entered with a page response,
        as above, and an access timer started.
        This time runs as follows:

                o  12 seconds for an origination
                o  6 seconds for page response
                o  6 seconds for an order response
                o  6 seconds for a registration

        The last try code is then set to zero, and the equipment begins the
        Scan Access Channels Task to find two channels with the strongest
        signals which it tunes and enters the Retrieve Access Attempts
        Parameters Task.

        This is where both maximum numbers of seizure attempts and busy
        signals are each set to 10.  A read control-filler bit (RCF) will
        then be checked: if the RCF equals zero, the mobile then reads a
        control-filler message, sets DCC and WFOM (wait for overhead message
        train before reverse control channel access) to the proper fields
        and sets the proper fields and sets the appropriate power level.
        Should neither the DCC field nor the control-filler message be
        received and access time has expired, the mobile station goes to
        Serving System Determination Task.  But within the allowed access
        time, the mobile station enters the Alternate Access Channel Task.
        BIS is then set to 1 and the WFOM bit is checked.  If WFOM equals 1,
        the station enters the Update Overhead Information Task; if WFOM
        equals 0, a random delay wait is required of 0 to 200 msec, +/- 1
        msec.  Then, the station enters the Seize Reverse Control Channel
        Task.

        Service Requesting is next.  This task requires that the mobile
        continue to send is message to the land station according to the
        following instructions:

                o Word A is required at all times.
                o Word B has to be sent if last try access LT equals 1 or
                  if E requires MIN1 and/or MIN2, and the ROAM status is
                  disabled, or if the station has been paged with a 2-word
                  control message.
                o Word C is transmitted with S (serial number) being 1
                o Word D required if the access is an origination
                o Word E transmitted when the access is an origination and
                  between 9 and 16 digits are dialed.  When the mobile has
                  transmitted its complete message, an unmodulated carrier is
                  required for another 25 milliseconds before carrier turnoff.
                  After words A through E have been sent, the next mobile task
                  depends on the type of access.

        Order confirmation requires entry into the Serving System Determination
        Task.

             Origination means entry into the Await Message Task.
             Page response, is the same as Origination.

            Registration requires Await Registration Confirmation, which
        must be completed within 5 seconds or registration failure follows.
        The same is true for Await Message since an incomplete task in 5
        seconds sends the mobile into the Serving System Determination Task.
        Origination or Page response requires mobile update of parameters
        delivered in the message.  If R equals 1, the mobile enters the
        Autonomous Registration Task, otherwise, it goes to the Initial
        Voice Channel Confirmation Task.  Origination access may be either
        an intercept or reorder, and in these instances, mobiles enter the
        Serving System Determination Task.  The same holds true for a page
        response access.  But if access is an origination and the user
        terminates his call during this task, the call has to be released
        on a voice channel and not control channel.

        If a mobile station is equipped for Directed Retry and if a new
        message is received before all four words of the directed retry
        message, it must go to the Serving System Determination Task.  There
        the last try code (LT) must be set according to the ORDQ (order
        qualifier) field of the message as follows:

                        If 000, LT sets to 0
                        If 0001, LT sets to 1

        Thereafter, the mobile clears the list of control channels to be
        scanned in processing Directed Retry (CCLIST) and looks at each
        CHANPOS (channel position) field contained in message words three
        and four.  For nonzero CHANPOS field, the mobile calculates a cor-
        responding channel number by adding CHANPOS to FIRSTCHA minus one.
        Afterwards, the mobile has then to determine if each channel number
        is within the set designated for cellular systems.  A true answer
        requires adding this/these channel(s) to the CCLIST.


        Awaiting Answers

        Here, an alert timer is set for 65 seconds (0 to +20 percent).  During
        this period the following events may take place:

                o Should time expire, the mobile turns its transmitter off and
                 enters the Serving System Determination Task.

                o An answer requires signaling tone turnoff and Conversation
                  Task entry.

                o If any of the messages listed hereafter are received within
                  100 milliseconds, the mobile must compair SCC digits that
                  identify stored and proper SAT frequencies for the station to
                  the PSCC (present SAT color code).  If not equivalent, the
                  order is ignored.  If correct, then the following actions
                  taken for each order:

                Handoff:  Signaling extinguished for 500 msec, signal tone
                          off, transmitter off, power lever adjusted, new
                          channel tuned, new SAT, new SCC field, transmitter
                          on, fade timer reset, and signaling tone on.  Wait
                          for an answer.

                  Alert:  Reset alert timer for 65 seconds and stay in
                          Waiting for Answer Task.

             Stop Alert:  Extinguish signaling tone and enter Waiting for
                          Order Task.

                Release:  Signaling tone off, wait 500 msec, then enter
                          Release Task.

                  Audit:  Confirm message to land station, then stay in
                          Waiting for Answer Task.

            Maintenance:  Reset alert timer for 65 seconds and remain in
                          Waiting for Answer Task.

           Change Power:  Adjust transmitter to power level required and
                          send confirmation to land station.  Remain in
                          Waiting for Answer Task.

          Local Control:  If local control is enabled and order received,
                          examine LC field and determine action.

                          Orders other than the above for this type of action
                          are ignored.

        Conversation

        In this mode, a release-delay timer is set for 500 msec.  If Termin-
        ation is enabled, the mobile sets termination status to disabled and
        waits 500 msec before entering Release Task.  The following actions
        may then execute:

        o  Upon call termination, the release delay timer has to be checked.
           If time has expired, the Release Task is entered; if not expired,
           the mobile must wait until expiration and then enter Release Task.

        o  Upon user requested flash, signaling tone turned on for 400 msec.
           But should a valid order tone be received during this interval,
           the flash is immediately terminated and the order processed.  The
           flash, of course, is not then valid.

        o  Upon receipt of the following listed orders and within 100 msec,
           the mobile must compare SCC with PSCC, and the order is ignored
           if the two are not equal.  But if they are the same, the following
           can occur:

                Handoff:  Signaling tone on for 50 msec, then off, trans-
                          mitter off, power level adjusted, new channel tuned,
                          adjust new SAT, set SCC to SCC field message value,
                          transmitter on, fade timer reset, remain in
                          Conversation Task.

    Send Called Address:  Upon receipt within 10 seconds of last valid flash,
                          called address sent to land station.  Mobile remains
                          in Conversation Task.  Otherwise, remain in Conver-
                          sation Task.

                  Alert:  Turn on signaling tone, wait 500 msec, then enter
                          Waiting for Answer Task.

                Release:  Check release delay timer.  If time expired, mobile
                          enters Release Task; but if timer has not finished,
                          then mobile must wait and then enter Release Task
                          when time has expired.

                  Audit:  Order confirmation sent to land station while
                          remaining in Conversation Task.

            Maintenance:  Signaling tone on, wait 500 msec, then enter Waiting
                          for Answer Task.

           Change Power:  Adjust transmitter to power level required by order
                          qualification code and send confirmation to land
                          station.  Remain in Conversation Task.

          Local Control:  If local control in enabled and local control order
                          received, the LC field is to be checked for subse-
                          quent action and confirmation.

        Orders other than the above for this type of action are ignored.


        Release

        In the release mode the following steps are required:

        o  Signaling tone sent for 1.8 sec.  If flash in transmission when
           signaling tone begun, it must be continued and timing bridged so
           that action stops within 1.8 sec.
                o  Stop signaling tone.
                o  Turn off transmitter.
                o  The mobile station then enters the Serving System Deter-
                   mination Task.

        The above is the Cellular System Mobile/Land Station Compatibility
        Specification.  The following shall be Signaling Formats which are
        also found in the above document.  I converted all these tables by
        HAND into ASCII so appreciate them.  It wasn't the easiest thing to
        do.  But I must say, I definitely understand the entire cellular
        operation format.



           There are two types of continuous wideband data stream transmissions.
        One is the Forward Control Channel which is sent from the land station
        to the mobile.  The other is the Reverse Control Channel, which is
        sent from the mobile to the land station.  Each data stream runs at a
        rate of 10 kilobit/sec, +/- 1 bit/sec rate.  The formats for each of
        the channels follow.


      - Forward Control Channel

        The forward control channel consists of three discrete information
        streams.  They are called stream A, stream B and the busy-idle
        stream.  All three streams are multiplexed together.  Messages to
        mobile stations with the least significant bit of their MIN number
        equal to "0" are sent on stream A, and those with a "1" are sent
        on stream B.

        The busy-idle stream contains busy-idle bits, which are used to
        indicate the status of the reverse control channel.  If the busy-idle
        bit = "0" the reverse control channel is busy, if it equals "1"
        it is idle.  The busy-idle bit is located at the beginning of each
        dotting sequence, word sync sequence, at the beginning of the first
        repeat of word A and after every 10 message bits thereafter.

        Mobile stations achieve synchronization with the incoming data via
        a 10 bit dotting sequence (1010101010) and an 11 bit word sync
        sequence (11100010010).  Each word contains 40 bits, including parity
        and is repeated 5 times after which it is then referred to as a
        "block".  For a multiword message, the second word block and subsequent
        word blocks are formed the same as the first word block including the
        dotting and sync sequences.  A "word" is formed when the 28 content
        bits are encoded into a (40, 28; 5) BCH (Bose-Chaudhuri-Hocquenghem)
        code.  The left-most bit shall be designated the most-significant bit.

        The Generator polynomial for the (40, 28;5) BCH code is:

                        12    10    8    5    4    3    0
              G (X) =  X   + X   + X  + X  + X  + X  + X
               B

        Each FOCC message can consist of one or more words.  Messaging trans-
        mitted over the forward control channel are:

                - Mobile station control message
                - Overhead message
                - control-filler message

        Control-filler messages may be inserted between messages and
        between word blocks of a multiword message.

        Message Formats:  Found on either stream A or B

     -  Mobile Station Control Message

        The mobile station control message can consist of one, two, or four
        words.

        Word 1 (abbreviated address word)

   +--------+-------+---------------------------------------+-----------+
   | T   t  |       |                                       |           |
   |  1   2 |  DCC  |    Mobile Identification Number 1     |     P     |
   |        |       |                      23-0             |           |
   +--------+-------+---------------------------------------+-----------+
 bits:  2       2                      24                         12

         Word 2 (Extended Address Word)


     +------+-----+-----------+------+--------+-------+----------+-----+
     | T  T |SCC =|           | RSVD | LOCAL  | CRDQ  |   ORDER  |     |
     |  1  2| 11  |  MIN2     | = 0  |        |       |          |     |
     |   =  +-----+     3-24  +------+-----+--+-------+----------|  P  |
     |  10  |SCC =|           |    VMAC    |       CHAN          |     |
     |      | 11  |           |            |                     |     |
     +------+-----+-----------+------------+---------------------+-----+
         2     2       10           3               11              12


        Word 3 (First Directed-Retry Word)

     +------+-----+-----------+-----------+-----------+-------+--------+
     | T  T | SCC |           |           |           | RSVD  |        |
     |  1  2|  =  |  CHANPOS  |  CHANPOS  |  CHANPOS  |  =    |        |
     |   =  |     |           |           |           | 000   |    P   |
     |  10  | 11  |           |           |           |       |        |
     +------+-----+-----------+-----------+-----------+-------+--------+
        2      2        7           7           7         3       12


        Word 4 (Second Directed-Retry Word)

     +------+-----+-----------+-----------+-----------+-------+--------+
     | T  T | SCC |           |           |           | RSVD  |        |
     |  1  2|  =  |  CHANPOS  |  CHANPOS  |  CHANPOS  |  =    |        |
     |   =  |     |           |           |           | 000   |    P   |
     |  10  | 11  |           |           |           |       |        |
     +------+-----+-----------+-----------+-----------+-------+--------+
        2      2        7           7           7         3        12


        The interpretation of the data fields:

        T  T   - Type field.  If only Word 1 is send, set to 00 in Word 1.
         1  2    If a multiple-word message is sent, set to 01 in Word 1
                 and set to 10 in each additional word.

        DCC    - Digital Color Code field

        MIN1   - First part of the mobile identification number field
        MIN2   - Second part of the mobile identification number field
        SCC    - SAT color code (discussed previously)
        ORDER  - Order field.  Identifies the order type (see table below)
        ORDQ   - Order qualifier field.  Qualifies the order to a specific
                 action
        LOCAL  - Local control field.  This field is specific to each system.
                 The ORDER field must be set to local control for this field
                 to be interpreted.
        VMAC   - Voice Mobile Attenuation Code field.  Indicates the mobile
                 station power level associated with the designated voice
                 channel.
        CHAN   - Channel number field.  Indicates the designated voice channel.
        CHANPOS- CHANnel POSition field.  Indicates the postiion of a control
                 channel relative to the first access channel (FIRSTCHA).
        RSVD   - Reserved for future use, all bits must be set as indicated.
        P      - Parity field.


        Coded Digital Color Code
      +--------------------------------------------+
      | Received DCC           7-bit Coded DCC     |
      |     00                     0000000         |
      |     01                     0011111         |
      |     10                     1100011         |
      |     11                     1111100         |
      +--------------------------------------------+


        Order and Order Qualification Codes

  +-------+-------------+-----------------------------------------------------+
  | Order |    Order    |                                                     |
  | Code  |Qualification|                     Function                        |
  |       |    Code     |                                                     |
  +-------+-------------------------------------------------------------------+
  | 00000      000      page (or origination)                                 |
  | 00001      000      alert                                                 |
  | 00011      000      release                                               |
  | 00100      000      reorder                                               |
  | 00110      000      stop alert                                            |
  | 00111      000      audit                                                 |
  | 01000      000      send called-address                                   |
  | 01001      000      intercept                                             |
  | 01010      000      maintenance                                           |
  |                                                                           |
  | 01011      000      charge power to power level 0                         |
  | 01011      001      charge power to power level 1                         |
  | 01011      010      charge power to power level 2                         |
  | 01011      011      charge power to power level 3                         |
  | 01011      100      charge power to power level 4                         |
  | 01011      101      charge power to power level 5                         |
  | 01011      110      charge power to power level 6                         |
  | 01011      111      charge power to power level 7                         |
  |                                                                           |
  | 01100      000      directed retry - not last try                         |
  | 01100      001      directed retry - last try                             |
  |                                                                           |
  | 01101      000      non-autonomous registration - don't reveal location   |
  | 01101      001      non-autonomous registration - make location known     |
  | 01101      010      autonomous registration - don't reveal location      |
  | 01101      011      autonomous registration - make location known        |
  |                                                                           |
  | 11110      000      local control                                         |
  |                                                                           |
  |      All other codes are reserved                                         |
  |                                                                           |
  +---------------------------------------------------------------------------+


        Forward Voice Channel

        The forward voice channel (FVC) is a wideband data stream sent by the
        land station to the mobile station.  This data stream must be gen-
        erated at a 10 kilobit/Sec +/- .1 bit/Sec rate.  The Forward Voice
        Channel format follows:

  +-----------+------+--------+-----+------+--------+-----+------+------
 ||           |      | Repeat |     |      | Repeat |     |      |
 ||           | word |        |     | word |        |     | word |
 ||  Dotting  | sync |  1 of  | dot | sync |  2 of  | dot | sync |    ...
 ||           |      |        |     |      |        |     |      |
 ||           |      |  Word  |     |      |  Word  |     |      |
  +-----------+------+--------+-----+------+--------+-----+------+------
      101        11      40      37    11      40      37    11

       -----+--------+-----+------+--------+-----+------+--------+
            | Repeat |     |      | Repeat |     |      | Repeat ||
            |        |     | word |        |     | word |        ||
            |  9 of  | dot | sync | 10 of  | dot | sync | 11 of  ||
            |        |     |      |        |     |      |        ||
            |  Word  |     |      |  Word  |     |      |  Word  ||
       -----+--------+-----+------+--------+-----+------+--------+
                40      37    11      40      37    11      40


        A 37-bit dotting sequence and an 11-bit word sync sequence are sent
        to permit mobile stations to achieve synchronization with the incom-
        ming data, except at the first repeat of the word, where the 101-bit
        dotting sequence is used.  Each word contains 40 bits, including
        parity, and is repeated eleven times together with the 37-bit dotting
        and 11-bit word sync; it is then referred to as a word block.  A word
        block is formed by encoded the 28 content bits into a (40, 28) BCH
        code that has a distance of 5 (40, 28; 5).  The left-most bit (as
        always) is designated the most-significant bit.  The 28 most-
        significant bits of the 40-bit field shall be the content bits.  The
        generator polynomial is the same as that used for the forward
        control channel.

        The mobile station control message is the only message transmitted
        over the forward voice channel.  The mobile station control message
        consists of one word.


        Mobile Sation Control Message:

      +-------+-------+------+-----------+-------+------+-------+------+
      | T  T  | SCC = |      |  RSVD =   | LOCAL | ORDQ | ORDER |      |
      |  1  2 |   11  |      | 000 ... 0 |       |      |       |      |
      |   =   +-------| PSCC +-----------+-------+------+-------+   P  |
      |       | SCC = |      |  RSVD =   |  VMAC |    CHANNEL   |      |
      |  10   |   11  |      | 000 ... 0 |       |              |      |
      +-------+-------+------+-----------+-------+--------------+------+
          2       2       2        8         3          11         12

      Interpretation of the data fields:

        T  T   - Type field.  Set to '10'.
         1  2

       SCC     - SAT color code for new channel (see SCC table)
       PSCC    - Present SAT color code.  Indicates the SAT color code
                 associated with the present channel.
       ORDER   - Order field.  Identifies the order type.  (see Order table)
       ORDQ    - Order qualifier field.  Qualifies the order to a specific
                 action (see Order table)
       LOCAL   - Local Control field.  This field is specific to each system.
                 The ORDER field must be set to local control (see Order table)
                 for this field to be interpreted.
       VMAC    - Voice mobile attenuation code field.  Indicates the mobile
                 station power level associated with the designated voice
                 channel.
       RSVD    - Reserved for future use;  all bits must be set as indicated.
       P       - Parity field.




        Reverse Control Channel

        The Reverse Control Channel (RECC) is a wideband data stream sent
        from the mobile station to the land station.  This data stream runs
        at a rate of 10 kilobit/sec, +/- 1 bit/sec rate.  The format of the
        RECC data stream follows:

     +---------+------+-------+------------+-------------+-----------+-----
     | Dotting | Word | Coded | first word | Second word | Third word|
     |         | sync |  DCC  | repeated   |   repeated  |  repeated | ...
     |         |      |       | 5 times    |   5 times   |  5 times  |
     +---------+------+-------+------------+-------------+-----------+-----
  bits:  30       11      7        240           240          240


                         Dotting = 01010101...010101
                       Word sync = 11100010010


        All messages begin with the RECC seizure precursor with is composed
        of a 30 bit dotting sequence (1010...101), and 11 bit word sync
        sequence (11100010010), and the coded digital color code.

        Each word contains 48 bits, including parity, and is repeated five
        times after which it is referred to as a word block.  A word is
        formed by encoding 36 content bits into a (48, 36) BCH code that has
        a distance of 5, (48 36; 5).  The left most bit shall be designated
        the most-significant bit.  The 36 most-significant bits of the 48 bit
        field shall be the content bits.

        The generator polynomial for the code is the same for the (40,28;5)
        code used on the forward channel.

        Each Reverse Control Channel message can consist of one of the five
        words.  The types of messages to be transmitted over the reverse
        control channel are as follows:

                o  Page Response Message
                o  Origination Message
                o  Order Confirmation Message
                o  Order Message

        These messages are made up of combination of the following five words:

        Word A - Abbreviated Address Word

   +---+------+---+---+---+------+---+-----------------------------------+---+
   | F |      |   |   |   | RSVD | S |                                   |   |
   |   |      |   |   |   |      |   |                                   |   |
   | = | NAWC | T | S | E |  =   | C |          MIN 1                    | P |
   |   |      |   |   |   |      |   |                23 - 0             |   |
   | 1 |      |   |   |   |  0   | M |                                   |   |
   +---+------+---+---+---+------+---+-----------------------------------+---+
     1     3    1   1   1    1     4                   24                  12


        Word B - Extended Address Word

   +---+------+-------+------+-------+----+------+-----------------------+---+
   | F |      |       |      |       |    | RSVD |                       |   |
   |   |      |       |      |       |    |      |                       |   |
   | = | NAWC | LOCAL | ORDQ | LOCAL | LT |  =   |      MIN 2            | P |
   |   |      |       |      |       |    |      |            33-24      |   |
   | 0 |      |       |      |       |    | 00..0|                       |   |
   +---+------+-------+------+-------+----+------+-----------------------+---+
     1    3       5      3       5     1      8              10            12


        Word C - Electronic Serial Number Word

   +---+--------+--------------------------------------+---------------+
   | F |        |                                      |               |
   |   |        |                                      |               |
   | = |  NAWC  |             SERIAL (ESN)             |       P       |
   |   |        |                                      |               |
   | 1 |        |                                      |               |
   +---+--------+--------------------------------------+---------------+
     1     3                      32                           12


        Word D - First Word of the Called-Address

    +---+------+-------+-------+-----+-----+-----+-----+-------+-------+---+
    | F |      | 1 st  | 2 nd  |     |     |     |     | 7th   | 8th   |   |
    |   |      |       |       |     |     |     |     |       |       |   |
    | = | NAWC | DIGIT | DIGIT | ... | ... | ... | ... | DIGIT | DIGIT | P |
    |   |      |       |       |     |     |     |     |       |       |   |
    | 1 |      |       |       |     |     |     |     |       |       |   |
    +---+------+-------+-------+-----+-----+-----+-----+-------+-------+---+
      1    3       4       4      4     4     4     4      4       4     12


        Word E - Second Word of the Called-Address

    +---+------+-------+-------+-----+-----+-----+-----+-------+-------+---+
    | F | NAWC | 9 th  | 10th  |     |     |     |     | 15th  | 16th  |   |
    |   |      |       |       |     |     |     |     |       |       |   |
    | = |  =   | DIGIT | DIGIT | ... | ... | ... | ... | DIGIT | DIGIT | P |
    |   |      |       |       |     |     |     |     |       |       |   |
    | 0 | 000  |       |       |     |     |     |     |       |       |   |
    +---+------+-------+-------+-----+-----+-----+-----+-------+-------+---+
      1    3       4       4      4     4     4     4      4       4     12


        The interpretation of the data fields is as follows:

        F      - First word indication field.  Set to '1' in first word and '0'
                 in subsequent words.

        NAWC   - Number of additional words coming field.
        T      - T field.  Set to '1' to identify the message as an origination
                 or an order; set to '0' to identify the message as an order
                 response or page response.
        S      - Send serial number word.  If the serial number word is sent,
                 set to '1';  if the serial number word is not sent, set
                 to '0'.
        SCM    - The station class mark field
        ORDER  - Order field.  Identifies the order type.
        ORDQ   - Order qualifier field.  Qualifies the order confirmation to a
                 specific action.
        LOCAL  - Local control field.  This field is specific to each system.
                 The ORDER field must be set to locate control for this field
                 to be interpreted.
        LT     - Last-try code field.
        MIN1   - Mobile Identification number field part one.
        MIN2   - Mobile Identification number field part two.
        SERIAL - Electronic Serial Number field.  Identifies the serial number
                 of the mobile station.
        DIGIT  - Digit field (see table below)
        RSVD   - Reserved for future use; all bits must be set as indicated.
        P      - Parity field.


        Called-address Digit Codes
   +------------------------------------------------------------------------+
   |    Digit           Code            Digit           Code                |
   |                                                                        |
   |      1             0001              7             0111                |
   |      2             0010              8             1000                |
   |      3             0011              9             1001                |
   |      4             0100              0             1010                |
   |      5             0101              *             1011                |
   |      6             0110              #             1100                |
   |                                    Null            0000                |
   |                                                                        |
   |    NOTE:                                                               |
   |    1.  The digit 0 is encoded as binary 10, not binary zero.           |
   |    2.  The code 0000 is the null code, indicated no digit present      |
   |    3.  All other four-bit sequences are reserved, and must not be      |
   |        transmitted.                                                    |
   |                                                                        |
   +------------------------------------------------------------------------+


        Examples of encoding called-address information into the called-
        address words follow:

        If the number 2# is entered, the word is as follows:

   +------+------+------+------+------+------+------+------+------+---------+
   | NOTE | 0010 | 1100 | 0000 | 0000 | 0000 | 0000 | 0000 | 0000 |    P    |
   +------+------+------+------+------+------+------+------+------+---------+

        If the number 13792640 is entered, the word is as follows:

   +------+------+------+------+------+------+------+------+------+---------+
   | NOTE | 0001 | 0011 | 0111 | 1001 | 0010 | 0110 | 0100 | 1010 |    P    |
   +------+------+------+------+------+------+------+------+------+---------+

        As you can see the numbers are coded into four bits and inserted
        sequentially into the train.  Notice that when the number is longer
        than 8 numbers it is broken into two different Words.

    If the number 6178680300 is entered, the words are as follows:

        Word D - First Word of the Called-Address

   +------+------+------+------+------+------+------+------+------+---------+
   | NOTE | 0110 | 0001 | 0111 | 1000 | 0110 | 1000 | 1010 | 1010 |    P    |
   +------+------+------+------+------+------+------+------+------+---------+
       4      4      4      4      4      4      4      4     4        12

        Word E - Second Word of the Called-Address

   +------+------+------+------+------+------+------+------+------+---------+
   | NOTE | 0010 | 1010 | 1010 | 0000 | 0000 | 0000 | 0000 | 0000 |    P    |
   +------+------+------+------+------+------+------+------+------+---------+
       4      4      4      4      4      4      4      4     4        12

       NOTE = four bits which depend on the type of message



        Reverse Voice Channel

        The reverse voice channel (PVC) is a wideband data stream sent from
        the mobile station to the land station.  This data stream must be
        generated at a 10 kilobit/second +/- 1 bit/sec rate.  The format
        is presented below.

  +-------------+------+----------+-----+------+----------+-----+------+----
 ||             |      | Repeat 1 |     |      | Repeat 2 |     |      |
 ||             | word |          |     | word |          |     | word |
 ||   Dotting   | sync |    of    | Dot | sync |    of    | Dot | sync |
 ||             |      |          |     |      |          |     |      |
 ||             |      |  Word 1  |     |      |  Word 1  |     |      |
  +-------------+------+----------+-----+------+----------+-----+------+----
      101         11       48      37     11       48       37    11

 ---+----------+-----+------+----------+-----+------+----------+-----+----
    | Repeat 3 |     |      | Repeat 4 |     |      | Repeat 5 |     |
    |          |     | word |          |     | word |          |     |
    |    of    | Dot | sync |    of    | Dot | sync |    of    | Dot |
    |          |     |      |          |     |      |          |     |
    |  Word 1  |     |      |  Word 1  |     |      |  Word 1  |     |
 ---+----------+-----+------+----------+-----+------+----------+-----+----
        48       37     11      48        37    11       48       37

        ---+------+----------+--------    -------+----------+
           |      | Repeat 1 |                   | Repeat 5 ||
           | word |          |                   |          ||
           | sync |    of    |   ...             |    of    ||
           |      |          |                   |          ||
           |      |  Word 2  |                   |  Word 2  ||
        ---+------+----------+--------    -------+----------+

        A 37-bit dotting sequence and an 11-bit word sync sequence are sent
        to permit land stations to achieve synchronization with the incoming
        data, except at the first repeat of word 1, where a 101-bit dotting
        sequence is used.  Each word contains 48 bits, including parity, and
        is repeated five times together with the 37-bit dotting and 11-bit
        word sync sequences; it is then referred to as a word block.  For a
        multi-word message, the second word block is formed the same as the
        first word block including the 37-bit dotting and 11-bit word sync
        sequences.  A word is formed by encoding the 36 content bits into a
        (48, 36) BCH code that has a distance of 5, (48, 36; 5).  The left-
        most bit (earliest in time) shall be designated the most-significant
        bit.  The 36 most-significant bits of the 48-bit field shall be the
        content bits.  The generator polynomial for the code is the same as
        for the (40, 28; 5) code used on the forward control channel.

        Each RVC message can consist of one or two words.  The types of
        messages to be transmitted over the reverse voice channel are as
        follows:

                o Order Confirmation Message
                o Called-Address Message

        The message formats are as follows:


        Order Confirmation Message:

     +---+------+---+-------+------+-------+-----------+---------+
     | F | NAWC | T |       |      |       |    RSVD   |         |
     |   |      |   |       |      |       |           |         |
     | = |  =   | = | LOCAL | ORDQ | ORDER |     =     |    P    |
     |   |      |   |       |      |       |           |         |
     | 1 |  00  | 1 |       |      |       | 000 ... 0 |         |
     +---+------+---+-------+------+-------+-----------+---------+
       1    2     1     5       3      5        19         12


        Called-Address Message

        Word 1 - First Word of the Called-Address

  +---+------+---+-------+-------+-----+-----+-----+-----+-------+-------+---+
  | F | NAWC | T |       |       |     |     |     |     |       |       |   |
  |   |      |   |  1st  |  2nd  |     |     |     |     |  7th  |  8th  |   |
  | = |  =   | = | Digit | Digit | ... | ... | ... | ... | Digit | Digit | P |
  |   |      |   |       |       |     |     |     |     |       |       |   |
  | 1 |  01  | 0 |       |       |     |     |     |     |       |       |   |
  +---+------+---+-------+-------+-----+-----+-----+-----+-------+-------+---+
    1    2     1     4       4      4     4     4     4      4       4     12

        Word 2 - Second Word of the Called-Address

  +---+------+---+-------+-------+-----+-----+-----+-----+-------+-------+---+
  | F | NAWC | T |       |       |     |     |     |     |       |       |   |
  |   |      |   |  9th  |  10th |     |     |     |     |  15th |  16th |   |
  | = |  =   | = | Digit | Digit | ... | ... | ... | ... | Digit | Digit | P |
  |   |      |   |       |       |     |     |     |     |       |       |   |
  | 0 |  00  | 0 |       |       |     |     |     |     |       |       |   |
  +---+------+---+-------+-------+-----+-----+-----+-----+-------+-------+---+
    1    2     1     4       4      4     4     4     4      4       4     12


     The fields are descriptions a the same as those for the Reverse Control
     channel above.



        Overhead Message

        A three-bit OHD field is used to identify the overhead message
        types.  Overhead message type codes are listed in the table below.
        They are grouped into the following functional classes:

                o System parameter overhead message
                o Global action overhead message
                o Registration identification message
                o Control-filler message

        Overhead messages are send in a group called an overhead message
        train.  The first message of the train must be the system parameter
        overhead message.  The desired global action messages and/or a
        registration ID message must be appended to the end of the system
        parameter overhead message.  The total number of words in an overhead
        message train is one more than the value of the NAWC field contained
        in the first word of the system parameter overhead message.  The last
        word in the train must be set to '0'.  For NAWC-counting purposes,
        inserted control-filler messages must not be counted as part of the
        overhead message train.

        The system parameter overhead message must be sent every .8 +/- .3
        seconds on each of the following control channels:

                o combined paging-access forward channel.
                o Separate paging forward control channel
                o Separated access forward control channel
                  when the control-filler message is sent with the WFOM bit
                  set to '1'.

        The global action messages and the registration identification message
        are sent on an as needed basis.
                o The system parameter for overhead message consists of two
                  two words.


        Word 1

        +-------+-----+----------+------+------+-----+------------+
        | T  T  |     |          | RSVD |      | OHD |            |
        |  1  2 |     |          |      |      |     |            |
        |   =   | DCC |   SID1   |  =   | NAWC |  =  |     P      |
        |       |     |          |      |      |     |            |
        |  11   |     |          | 000  |      | 110 |            |
        +-------+-----+----------+------+------+-----+------------+
            2      2       14        3      4     3        12


        Word 2

       +-------+-------+-----+-----+------+------+-----+------+---
       | T  T  |       |     |     |      |      |     | RSVD |
       |  1  2 |       |     |     |      |      |     |      |
       |   =   |  DCC  |  S  |  E  | REGH | REGR | DTX |  =   |
       |       |       |     |     |      |      |     |      |
       |   11  |       |     |     |      |      |     |  0   |
       +-------+-------+-----+-----+------+------+-----+------+---
           2       2      1     1     1       1     1      1

       ---+-------+-----+-----+----------+-----+-------+-----------+
          |       |     |     |          |     |  OHD  |           |
          |       |     |     |          |     |       |           |
          | N - 1 | RCF | CPA | CMAX - 1 | END |   =   |     P     |
          |       |     |     |          |     |       |           |
          |       |     |     |          |     |  111  |           |
       ---+-------+-----+-----+----------+-----+-------+-----------+
              5      1     1        7       1      3         12


                Overhead Message Types
    +----------------------------------------------------------+
    |   Code    Order                                          |
    +----------------------------------------------------------+
    |   000     Registration ID                                |
    |   001     Control-filler                                 |
    |   010     reserved                                       |
    |   011     reserved                                       |
    |   100     global action                                  |
    |   101     reserved                                       |
    |   110     Word 1 of system parameter message             |
    |   111     Word 2 of system parameter message             |
    +----------------------------------------------------------+

        The interpretation of the data fields:

        T  T    - Type field. Set to '11' indicating an overhead word.
         1  2
        OHD     - Overhead message type field.  The OHD field of Word 1 is
                  set to '110' indicating the first word of the system
                  parameter overhead message.  The OHD field of Word 2 is
                  set to '111' indicating the second word of the system
                  parameter overhead message.
        DCC     - Digital Color Code field.
        SID1    - First part of the system identification field
        NAWC    - Number of Additional Words Coming field.  In Word 1 this
                  field is set to one fewer than the total number of words
                  in the overhead message train.
        S       - Serial number field.
        E       - Extended address field.
        REGH    - Registration field for home stations.
        REGR    - Registration field for roaming stations.
        DTX     - Discontinuous transmission field.
        N-1     - N is the number of paging channels in the system.
        RCF     - Read-control-filler field.
        CPA     - Combined paging/access field
        CMAX-1  - CMAX is the number of access channels in the system.
        END     - End indication field.  Set to '1' to indicate the last word
                  and '0' if not the last word.
        RSVD    - Reserved for future use, all bit must be set as indicated.
        P       - Parity field.


        Each global action overhead message consists of one word.  Any number
        of global action messages can be appended to a system parameter over-
        head message.

        Here are the global action command formats:


    Rescan Global Action Message

    +-------+-------+------+---------------+-------+-------+-------------+
    | T  T  |       |  ACT |    RSVD =     |       |  OHD  |             |
    |  1  2 |       |      |               |       |       |             |
    |   =   |  DCC  |   =  |               |  END  |   =   |      P      |
    |       |       |      |   000 ... 0   |       |       |             |
    |  11   |       | 0001 |               |       |  100  |             |
    +-------+-------+------+---------------+-------+-------+-------------+
        2       2       4          16          1       3          12

    Registration Increment Global Action Message

    +-------+-----+------+---------+--------+-------+-------+------------+
    | T  T  |     |  ACT |         |        |       |  OHD  |            |
    |  1  2 |     |      |         | RSVD = |       |       |            |
    |   =   | DCC |   =  | REGINCR |        |  END  |   =   |      P     |
    |       |     |      |         |  0000  |       |       |            |
    |  11   |     | 0010 |         |        |       |  100  |            |
    +-------+-----+------+---------+--------+-------+-------+------------+
        2      2     4       12        4        1       3         12

    New Access Channel Set Global Action Message

    +-------+-------+-------+--------+----------+-------+-------+----------+
    | T  T  |       |  ACT  |        |          |       |  OHD  |          |
    |  1  2 |       |       |        |  RSVD =  |       |       |          |
    |   =   |  DCC  |   =   | NEWACC |          |  END  |   =   |     P    |
    |       |       |       |        |  00000   |       |       |          |
    |   11  |       | 0110  |        |          |       |  100  |          |
    +-------+-------+-------+--------+----------+-------+-------+----------+
        2       2       4       11         5        1       3        12


    Overload Control Global Action Message

    +-------+-----+-------+---+---+---+--   --+---+---+---+-----+-----+------+
    | T  T  |     |  ACT  | O | O | O |       | O | O | O |     | OHD |      |
    |  1  2 |     |       | L | L | L |       | L | L | L |     |     |      |
    |   =   | DCC |   =   | C | C | C |  ...  | C | C | C | END |  =  |   P  |
    |       |     |       |   |   |   |       |   |   |   |     |     |      |
    |   11  |     |  0110 | 0 | 1 | 2 |       | 13| 14| 15|     | 100 |      |
    +-------+-----+-------+---+---+---+--   --+---+---+---+-----+-----+------+
        2      2      4     1   1   1           1   1   1    1     3     12


    Access Type Parameters Global Action Message

    +-------+-----+------+-------+-----------+-------+-------+-----------+
    | T  T  |     | ACT  |       |           |       |  OHD  |           |
    |  1  2 |     |      |       |   RSVD =  |       |       |           |
    |   =   | DCC |  =   |  BIS  |           |  END  |   =   |     P     |
    |       |     |      |       | 0 ... 000 |       |       |           |
    |  11   |     | 1001 |       |           |       |  100  |           |
    +-------+-----+------+-------+-----------+-------+-------+-----------+
        2      2      4      1        15         1       3         12


    Access Attempt Parameters Global Action Message

     +-------+-------+---------+-----------+-----------+-----------+---
     | T  T  |       |   ACT   |           |           |           |
     |  1  2 |       |         |  MAXBUSY  |  MAXSZTR  |  MAXBUSY  |
     |   =   |  DCC  |    =    |           |           |           |
     |       |       |         |   - PGR   |   - PGR   |  - OTHER  |
     |  11   |       |   1010  |           |           |           |
     +-------+-------+---------+-----------+-----------+-----------+---
         2       2        4           4           4           4

     ------+-----------+-------+-------+-----------+
           |           |       |  OHD  |           |
           |  MAXSZTR  |       |       |           |
           |           |  END  |   =   |     P     |
           |  - OTHER  |       |       |           |
           |           |       |  100  |           |
     ------+-----------+-------+-------+-----------+
                 4         1       3         12


     Local Control 1 Message

     +-------+-------+-------+-----------------+-------+-------+----------+
     | T  T  |       |  ACT  |                 |       |  OHD  |          |
     |  1  2 |       |       |                 |       |       |          |
     |   =   |  DCC  |   =   |  LOCAL CONTROL  |  END  |   =   |     P    |
     |       |       |       |                 |       |       |          |
     |   11  |       |  1110 |                 |       |  100  |          |
     +-------+-------+-------+-----------------+-------+-------+----------+
         2       2       4            16           1       3        12


     Local Control 2 Message

     +-------+-------+-------+-----------------+-------+-------+----------+
     | T  T  |       |  ACT  |                 |       |  OHD  |          |
     |  1  2 |       |       |                 |       |       |          |
     |   =   |  DCC  |   =   |  LOCAL CONTROL  |  END  |   =   |     P    |
     |       |       |       |                 |       |       |          |
     |   11  |       |  1111 |                 |       |  100  |          |
     +-------+-------+-------+-----------------+-------+-------+----------+
         2       2       4            16           1       3        12


        The interpretation of the data fields are as follows:

        T  T    - Type field.  Set to '11' indicating overhead word.
         1  2
        ACT     - Global action field (see table below).
        BIS     - Busy-idle status field.
        DCC     - Digital Color Code.
        OHD     - Overhead Message type field.  Set to '100' indicating the
                  global action message.
        REGINCR - Registration increment field.
        NEWACC  - News access channel starting point field.
        MAXBUSY - Maximum busy occurrences field (page response).
        - PGR
        MAXBUSY - Maximum busy occurrences field (other accesses).
        - OTHER
        MAXSZTR - Maximum seizure tries field (page response).
        - PRG
        MAXSZTR - Maximum seizure tries field (other accesses).
        - OTHER
        OLCN    - Overload class field (N = 0 to 15)
        END     - End indication field.  Set to '1' to indicate the last word
                  of the overhead message train; set to '0' if not last word.
        RSVD    - Reserved for future use, all bits must be set as indicated.
        LOCAL   - May be set to any bit pattern.
        CONTROL
        P       - Parity field.


        The registration ID message consists of one word.  When sent, the
        message must be appended to a system parameter overhead message in
        addition to any global action messages.


        +-------+-------+-------------+-------+-------+-----------+
        | T  T  |       |             |       |  OHD  |           |
        |  1  2 |       |             |       |       |           |
        |   =   |  DCC  |    REGID    |  END  |   =   |     P     |
        |       |       |             |       |       |           |
        |   11  |       |             |       |  000  |           |
        +-------+-------+-------------+-------+-------+-----------+
            2       2          20         1       3         12

        The interpretation of the data fields:

        T  T    - Type field.  Set to '11' indicating overhead word.
         1  2
        DCC     - Digital color code field.
        OHD     - Overhead message type field.  Set to '000' indicating the
                  registration ID message.
        REGID   - Registration ID field.
        END     - End indication field.  Set to '1' to indicate last word of
                  the overhead message train;  set to '0' if not.
        P       - Parity field.


        The control-filler message consists of one word.  It is sent whenever
        there is no other message to be sent on the forward control channel.
        It may be inserted between messages as well as between word blocks of
        a multiword message.  The control-filler message is chosen so that
        when it is sent, the 11-bit word sequence will not appear in the
        message stream, independent of the busy-idle bit status.

        The control-filler message is also used to specify a control mobile
        attenuation code (CMAC) for use by mobile stations accessing the
        system on the reverse control channel, and a wait-for-overhead-
        message bit (WFOM) indicating whether or not mobile stations must
        read an overhead message train before accessing the system.


  +-------+-----+------+------+------+--+------+---+------+----+-----+-----+
  | T  T  |     |      |      | RVSD |  | RVSD |   |      |    | OHD |     |
  |  1  2 |     |      |      |      |  |      |   |      |    |     |     |
  |   =   | DCC |010111| CMAC |  =   |11|  =   | 1 | WFOM |1111|  =  |  P  |
  |       |     |      |      |      |  |      |   |      |    |     |     |
  |   11  |     |      |      |  00  |  |  00  |   |      |    | 001 |     |
  +-------+-----+------+------+------+--+------+---+------+----+-----+-----+
      2      2      6      3     2     2    2    1     1     4    3     16

        Interpretation of the data fields:

        T  T    - Type field.  Set to '11' indicating overhead word.
         1  2
        DCC     - Digital color code field.
        CMAC    - Control mobile attenuation field.  Indicates the mobile
                  station power level associated with the reverse control
                  channel.
        RVSD    - Reserved for future use; all bits must be set as indicated.
        WFOM    - Wait-for-overhead-message field.
        OHD     - Overhead message type field.  Set to '001' indicating the
                  control-filler word.
        P       - Parity field.


        Data Restrictions

        The 11-bit sequence (11100010010) is shorter than the length of a
        word, and therefore can be embedded in a word.  Normally, embedded
        word-sync will not cause a problem because the next word sent will not
        have the word-sync sequence embedded in it.  There are, however, three
        cases in which the word-sync sequence may appear periodically in the
        FOCC stream.  They are as follows:

                o the overhead message
                o the control-filler message
                o Mobile station control messages with pages to mobile stations
                  with certain central office codes.

        These three cases are handled by:

                1. Restricting the overhead message transmission rate to about
                   once per second
                2. designing the control-filler message to exclude the word-
                   sync sequence, taking into account the various busy-idle
                   bits
                3. Restricting the use of certain office codes


        If the mobile station control message is examined with the MIN1
        separated into NXX-X-XXX as described earlier (where NXX is the
        central office code, N represents a number from 2 - 9, and X
        represents a number from 0-9) the order and order qualifications
        table can be used to deduce when the word-sync word would be sent.
        If a number of mobile stations are paged consecutively with the same
        central office code, mobile stations that are attempting to synchronize
        to the data stream may not be able to do so because of the presence of
        the false word sync sequence.  Therefore, the combinations of central
        office codes and groups of line numbers appearing in the following
        table must not be used for mobile stations.


        RESTRICTED CENTRAL OFFICE CODES
  +-------------------------------------------------------------------------+
  |                                                   Central               |
  |  T  T       DCC        NXX         X     XXX      Office      Thousands |
  |   1  2                                             Code         Digit   |
  +-------------------------------------------------------------------------+
  |  01         11    000100(1)0000   ...    ...       175         0 to 9   |
  |  01         11    000100(1)0001   ...    ...       176         0 to 9   |
  |  01         11    000100(1)0010   ...    ...       177         0 to 9   |
  |  01         11    000100(1)0011   ...    ...       178         0 to 9   |
  |  01         11    000100(1)0100   ...    ...       179         0 to 9   |
  |  01         11    000100(1)0101   ...    ...       170         0 to 9   |
  |  01         11    000100(1)0110   ...    ...       181         0 to 9   |
  |  01         11    000100(1)0111   ...    ...       182         0 to 9   |
  |  0Z         11    100010(0)1000   ...    ...       663         0 to 9   |
  |  0Z         11    100010(0)1001   ...    ...       664         0 to 9   |
  |  0Z         11    100010(0)1010   ...    ...       665         0 to 9   |
  |  0Z         11    100010(0)1011   ...    ...       666         0 to 9   |
  |  0Z         Z1    110001(0)0100   ...    ...       899         0 to 9   |
  |  0Z         Z1    110001(0)0101   ...    ...       800         0 to 9   |
  |  0Z         ZZ    111000(1)0010   ...    ...       909         0 to 9   |
  |  00         ZZ    011100(0)1001   0ZZZ   ...       568         1 to 7   |
  |  00         ZZ    111100(0)1001   0ZZZ   ...       070         1 to 7   |
  |  00         ZZ    001110(0)0100   10ZZ   ...       339          8,9,0   |
  |  00         ZZ    011110(0)0100   10ZZ   ...       595          8,9,0   |
  |  00         ZZ    101110(0)0100   10ZZ   ...       851          8,9,0   |
  |  00         ZZ    111110(0)0100   10ZZ   ...       007          8,9,0   |
  |  0Z         ZZ    000011(1)0100   0010   ...       150            2     |
  |  0Z         ZZ    000111(1)0001   0010   ...       224            2     |
  |  0Z         ZZ    001011(1)0001   0010   ...       288            2     |
  |  0Z         ZZ    001111(1)0001   0010   ...       352            2     |
  |  0Z         ZZ    010011(1)0001   0010   ...       416            2     |
  |  0Z         ZZ    010111(1)0001   0010   ...       470            2     |
  |  0Z         ZZ    011011(1)0001   0010   ...       544            2     |
  |  0Z         ZZ    011111(1)0001   0010   ...       508            2     |
  |  0Z         ZZ    100011(1)0001   0010   ...       672            2     |
  |  0Z         ZZ    100111(1)0001   0010   ...       736            2     |
  |  0Z         ZZ    101011(1)0001   0010   ...       790            2     |
  |  0Z         ZZ    101111(1)0001   0010   ...       864            2     |
  |  0Z         ZZ    110011(1)0001   0010   ...       928            2     |
  |  0Z         ZZ    110111(1)0001   0010   ...       992            2     |
  |  0Z         ZZ    111011(1)0001   0010   ...       056            2     |
  |  0Z         ZZ    111111(1)0001   0010   ...       ...            2     |
  +-------------------------------------------------------------------------+


        1. In each case, Z represents a bit that may be 1 or 0.
        2. Some codes are not used as central office codes in the US at this
           time.  They are included for completeness.
        3. The bit in parentheses is the busy-idle bit.


        Well there is your signaling in a nutshell.  Please note I hardly have
        the most up-to-date signalling data.  Basically what was presented
        here was a skeleton, the bare bones without all the additions.  There
        are some additions that are system specific.  As I get updates I'll be
        sure to share them with the rest of you.  I would be interested in
        any feedback, so, if you have something to say, send it to:

                                oblivion@atdt.org

        In the last article I said that there would be a listing of SID codes
        accompanying the article.  Well, I forgot to edit that line out, but
        if you would like a copy of it, just mail me at the above address an
        you shall receive one.

        In the next article I will be going in-depth on the actual hardware
        behind the Mobile telephone, the chip sets, and its operation.
        I will also publish any updates to the previous material I find, as
        well as information on the transitory NAMPS system that will be used
        to bridge the existing AMPS cellular network over to the ISDN
        compatible fully digital network.


            Yet another...

                    -=Restricted  -=Data  -=Transmission

                   Truth is cheap... but information costs!


Share your opinion