It was suitable for use on the
analogue carphone system ATF-1,
which was in use from 1980 to 1995, and operated in the 150 MHz
Unlike on modern systems – such as GSM –
speech on ATF-1
was not encrypted.
Anyone with a
scanner could monitor the mobile
communications of service engineers, business men, captains of industry
and politicians alike.
Furthermore, there was no authentication whatsoever, and the digital
modem signals – used for handshaking and handover – used an existing
CPC protocol, of which the details were available.
The device is shown in the image above. It is housed in an aluminium
enclosure with a 16-button keypad 2 on top, and a green and red indicator
LED. It is powered by an internal 9V block battery, or by an
external source, such as the 12V battery of a car. It is fully autonomous
(not connected directly to transmitter or receiver) and mimics the modem
signals from the carphone, by using two distinct in-band
audio tones: 1950 Hz and 2070 Hz — for a digital '1' and '0' respectively.
Rather than stealing carphones and modifying them for clandestine use – as
also happended in the Netherlands –
the COT solution was entirely based on commercial-off-the-shelf
equipment, and the home-made phreaking unit shown here.
The image on the right shows a complete setup as it was used by COT,
neatly stowed is a plastic briefcase. At the right is an ICOM IC2E
handheld transceiver that was meant for the 2m amateur radio band (144-146 MHz).
It had been modified for the American 2m band (144-148 MHz), and
was then used with a +600 kHz repeater shift.
This allowed the IC2E to use the
first 10 input channels
(148.410 - 148.590 MHz)
of the ATF-1 base stations
(148.410 - 149.130 MHz). For the return signal from
the base station (153.010 - 153.730 MHz) a simple communications receiver or
computer scanner was used.
All the user had to do to initiate a call, is enter
the desired subscriber number on the keypad, and hold the microphone in front
of the miniature speaker of the control box, whilst keeping the |
The unit is in many ways similar to the so-called blue box,
that was used from the 1960s to the 1990s, to make free phone calls on
regular analogue wired telephone networks (POTS)
in America and Europe .
This technique — commonly known as phone phreaking —
was and is illegal .
Compatible and interoperable with the German B-Netz.
A later version had just 12 buttons on the keypad.
The diagram below shows how phreaking of the
ATF-1 mobile network was done.
A complete setup consists of three independent units: a general
FM communications receiver, a (modified) transmitter for the
2m amateur band (typically an ICOM IC2E), and the phreaking unit.
Note that the phreaking box is not connected to the transmitter
and/or the receiver. It transmits the (emulated) modem signals
through acoustic coupling of its speaker with the
microphone of the transmitter. It was arguably
the first hands-free configuration of a 1G car phone system.
The device is housed in an extruded eloxed aluminium enclosure with
black plastic end panels. It measures 108 × 103 × 35 mm and
weights 310 grams, including a 9V battery. The interior can be
accessed by removing one of the plastic end panels and sliding
out the |
PCB and the keypad.
PCB measures 100 × 100 mm, and contains 26 parts.
The circuit is built around a
Motorola MC68705P3 microcontroller.
It has 112 bytes of
RAM and a built-in 1804 byte
EPROM, that holds the firmware
[A]. It can be erased by placing
its window under an
UV-light source for 10 min.
The image on the right shows the
PCB from a prototype of the
phreaking unit. The empty 28-pin socket at the far side
is for the Motorola microcontroller, which has been removed here.
It was a rather expensive part at the time, and has probably
been reused in a different project.
At the right is a battery clip, to which the 9V NiCd cell was
connected (removed here). At the centre is a 3-pin LM7805
voltage regular which provides the +5V for the microcontroller
and the 8-pin audio amplifier in front if it. Although the
text has been removed from this part — this was often done to
make it more difficult to copy the design — it is clear that it
is an LM386 or similar.
Below is the circuit diagram of the ATF-1 phreaking unit. At the top left
is the power circuit, which allows the device to be powered by the internal
rechargeable 9V NiCd battery, or by an external (12V) source, in which
case the internal 9V battery is recharged. When the device is ON, an LM7805
delivers a stable +5V for the Motorola microcontroller and the LM386
The circuit is built around a
Motorola MC68705 microcontroller, which
has 122 bytes of memory (
RAM) and 1804 bytes of erasable memory for
storage of the firmware (
EPROM). A quartz crystal provides
a clock frequency of 2.1 MHz. The controller has two bi-directional 8-bit
data busses (PA and PB) and one bi-directional 4-bit bus (PC).
The PA-bus is used for scanning the keypad, by defining 4 bits as outputs
and 4 as inputs.
Of the PC-bus, one line is used for production of the audio signal (C0)
and two for the red and green LED indicators (C1, C2). The PB-bus is unused.
At the bottom right is the audio amplifier, which is built around an
LM386 integrated circuit (IC). The desired tones of 1950 and 2070 Hz
are generated in software and are delivered at pin C0. A simple
integrating network (1K + 10n) converts the square wave signal into a
reasonably smooth sine wave, which is then supplied to the LM386 amplifier,
and eventually to the speaker (SPK).
- Anonymous donor, Prototype of ATF-1 carphone phreaking unit
Received December 2019 - THANKS !.
- Wikipedia, Phreaking
Retrieved May 2019.
- Wikipedia, Blue box
Retrieved May 2019.
- Anonymous former KPN expert, Personal correspondence
Any links shown in red are currently unavailable.
If you like the information on this website, why not make a donation?|
© Crypto Museum. Created: Tuesday 04 February 2020. Last changed: Thursday, 06 February 2020 - 22:45 CET.