Click for homepage
Pollux
ATF-1 car telephone

Pollux was a mobile telephone set (car phone), manufactured by Motorola in the USA, and rented by Dutch telecom monopolist PTT (now: KPN) between 1980 and 1995, for use on the first Dutch automatically-switched mobile phone network ATF-1 and on the compatible German B-Netz [1].

ATF-1 was the successor the manually-switched OLN network which had been in use since 1949. Pollux was the second mobile tele­phone, after Castor, that was available for the ATF-1 network.

Customers could not buy it, but had to rent it from PTT on a subscription base, to which the cost of the calls was added. As the network had a capacity of just 2500 subscribers, the call tariff was very high. Pollux consisted of a hand­set with built-in controls and LED display, fitted near the dashboard, and a transceiver 1 that was so large that it had to be fitted in the trunk of the car.
  
Pollux carphone with handset (Motorola Pulsar II)

The image above shows the transceiver (without cover) and the handset, which was custom-made for PTT. It was the Dutch variant of the VHF-version of the Motorola Pulsar II, of the US MTS net­work [5]. It operated in the 150 MHz VHF band with a channel spacing of 20 kHz, using analogue (FM) voice with in-band signalling. As there was no form of encryption and/or authentication whatsoever, the system was extremely susceptible to eavesdropping and phone phreaking [3].

  1. Transceiver is the compound of the words transmitter and receiver.

Pollux carphone with handset (Motorola Pulsar II) Bare Pollux (Motorola Pulsar II) car telephone Pollux (Motorola Pulsar II VHF) without enclosure Connections at the rear Modified handset of a clandestine Pollux ATF-1 car phone Handset off-hook Handset with display and controls Wiring between transceiver and handset
A
×
A
1 / 8
Pollux carphone with handset (Motorola Pulsar II)
A
2 / 8
Bare Pollux (Motorola Pulsar II) car telephone
A
3 / 8
Pollux (Motorola Pulsar II VHF) without enclosure
A
4 / 8
Connections at the rear
A
5 / 8
Modified handset of a clandestine Pollux ATF-1 car phone
A
6 / 8
Handset off-hook
A
7 / 8
Handset with display and controls
A
8 / 8
Wiring between transceiver and handset

ATF-1 network
ATF-1 was the first automatically-switched mobile telephone network in the Netherlands. It was introduced on 1 March 1980 as the successor to the manually-switch OLN — Openbaar Landelijk Net (Public National Network). Based on the German B-Netz, it operated in the 150 MHz band [1].

ATF-1 was interoperable with the networks in Germany, Austria and Luxemburg, and had a maximum capacity of 2500 subscribers, that were served by 30 base stations throughout the country, as shown in the map on the right.

For outgoing calls, the mobile subscriber no longer had to to be patched by an operator, but could simply enter the number on the numeric keypad of the car phone. For incoming calls the situation was slightly more complicated, as the country was divided into three regions – north, south and west – and a caller had to know in which region the mobile user was located.

Apart from business users, ATF-1 also became very popular amoung inland navigation skippers, as it could be used throughout a large part of western Europe, along the entire trajectory of the river Rhine. For a long time however, the use of mobile phones aboard ships was prohibited in the Netherlands, and skippers risked a fine when they were caught. The ban was lifted in 1988.
  
Map of the Netherlands with ATF-1 base stations in 1980.

In 1985 and 1986 it became clear that the ATF-1 network was hacked by so-called phreakers, who managed to make phone calls on someone else's expence, or even free of charge, by using number spoofing (see below). When this was discovered, PTT decided to upgrade all existing mobile stations with a BEMOTEL authentication unit. Although this was reasonably successful, it was a one-way authentication, that worked on outgoing calls only. After a while, the phreakers discovered that it was still possible to call free-of-charge by making collect calls [2].

The maximum capacity of 2500 users was reached in 1983, just three years after the launch of the network, which prompted PTT to add a new network that had to be ready within a few years. In 1985, ATF-1 was succeeded by ATF-2 which worked in the 450 MHz band and was based on the NMT-450 standard of the Nordic countries. The ATF-1 service was terminated in 1995.

 More about ATF-1


Clandestine use
ATF-1 was a fully analogue FM system with in-band signalling, and no form of encryption or authentication whatsoever. Speech conversations were sent over the air in clear, and could be picked up by anyone with a suitable receiver or scanner that covered the 150 MHz band (2m).

In the same vain, the telephone numbers of the calling party and the mobile subscriber were sent over the air in clear, and it wasn't before long that hackers discovered a way to decode the data and display it on a computer screen.

The weakest point in the system however, was the fact that the telephone number of the mobile subscriber was only held inside the mobile tele­phone, programmed in a so-called codeplug. The codeplug was a small plug-in unit that was issued by the PTT service engineer when the rented telephone was installed in the user's car.
  
ATF-1 codeplug (unprogrammed)

By altering the arrangment of the components inside the codeplug, it appeared to be possible to change the telephone's subscriber number, after which it was possible to make a call on someone else's expense. This led to complaints from users who got huge bills for unmade phone calls.

Worse even: hackers also discovered that any phone number that had not yet been issued by the PTT, was unblocked, allowing them to make phone calls for which nobody could be charged.

This soon led to a growing illegal business, in which many carphones were ripped from the cars of genuine subscribers, converted by the hackers, and put to use for (criminal) activities. The stolen telephones were built inside common briefcases, so that they could be carried around inconspicuously. An example of a Pollux phone housed inside a briefcase is shown on the right.
  
Clandestine Pollux ATF-1 car phone

By adding a set of five thumbwheels, the user of the stolen phone was able to select any possible subscriber number. As there was no authentication, all that PTT could do once the malicious use if its net­work was discovered, was block the number indefinitely. It could never be issued again.

All the malicious user had to do, was 'invent' a new number, enter it on the thumwheels, and continue. And this appeared to be easier than anticipated: any telephone number that had not yet been issued to a legitimate subscriber, was recognised by the ATF-1 network as a valid one.

Around 1985, PTT noticed an enormous rise in the clandestine use of its network and – at the same time – an increase in the number of car phones that were stolen from the vehicles of legitimate subscribers. This prompted the Dutch National Police to start a criminal investigation.
  
Thumbwheels for selecting the subscriber number

Finally, in October 1986, after numerous observations throughout the entire country, the police arrested 13 people in seven Dutch cities, all of which were somehow related to the theft of the phones or their conversion for clandestine use [4]. In 1987, the PTT started a call-back operation, in which all existing mobile telephones were upgraded with a Bemotel authentication module. This solved most of the problems, but could not avoid that phreakers later successfully managed to circumvent the authentication and use the network free of charge, by making collect calls [2].

 More about clandestine use of ATF-1

Samsonite briefcase with clandestine Pollux ATF-1 car phone Clandestine Pollux ATF-1 car phone Handset and 5-digit subscriber number selector Thumbwheels for selecting the subscriber number Modified handset of a clandestine Pollux ATF-1 car phone Handset off-hook Handset with display and controls Thumbwheels for selecting the subscriber number
B
×
B
1 / 8
Samsonite briefcase with clandestine Pollux ATF-1 car phone
B
2 / 8
Clandestine Pollux ATF-1 car phone
B
3 / 8
Handset and 5-digit subscriber number selector
B
4 / 8
Thumbwheels for selecting the subscriber number
B
5 / 8
Modified handset of a clandestine Pollux ATF-1 car phone
B
6 / 8
Handset off-hook
B
7 / 8
Handset with display and controls
B
8 / 8
Thumbwheels for selecting the subscriber number




Interior
Pollux is based on the Motorola Pulsar II VHF car telephone, that was used in the US at the time, on one of its national analogue networks, known as
MTS
. It consisted of a large main unit – the actual transceiver – a handset with cradle, and a thick 6-metre long multi-wire extension cable.

The main unit measures ~ 40 x 31 x 10 cm and weights more that 10 kg. The reason for the size and weight is the fact that the distance between a mobile subscriber and the nearest base station was relatively large – typically in the range of 10 to 30 km – as a result of which the transmitter had to produce a high output level of > 35W.

The image on the right shows a typical Pollux main unit, of which the cover has been removed. At the front is a large black heatsink to which the transistors of the Power Amplifier (PA) are mounted. At the right is the duplex filter. 1
  
Bare Pollux (Motorola Pulsar II) car telephone

As the transceiver was so large, it was ususally mounted in the trunk of the car. Likewise, when they were stolen and converted for clandestine use, they were generally built inside a large travel suitcase – so that they could be carried around – with a heavy
PSU
carried in an additional case.

In many cases though, a PSU was not needed, as the device was connected to the cigarette-lighter socket that was present on each car's dashboard.

Sometimes, the main unit was modified heavily, so that it could be fitted in a regular Samsonite executive-style briefcase of the ara. The image on the right shows an example of a Pollux main unit that has been modified for this. Most of the large black heatsink has been cut-off, and the metal frame at the other end, has been grinded, cut, bended and shaped in such a way that the Samsonite briefcase could be closed properly.
  
Pollux car phone, modified to fit inside a small Samsonite briefcase

In the above case, the modified transceiver was covered with a black wooden hood, so that it was hidden from view. With most of the heatsink removed, the set could not be used for long talks, as it would overheat the device. The wiring from the device's codeplug socket was usually extended to an electronic unit with a 5-digit selector, on which the desired subscriber number was set.

  1. The input frequencies were in the range 148.410 to 149.130 MHz, whilst the output was between 153.010 and 153.730 MHz. This means that input and output were 4.6 MHz apart, with a channel spacing of 30 kHz. In total there were 37 channels of which channel 19 was the calling channel at 153.370 MHz [6].

Pollux carphone with handset (Motorola Pulsar II) Bare Pollux (Motorola Pulsar II) car telephone Pollux car phone, modified to fit inside a small Samsonite briefcase Modified Pollux car phone Modified chassis Codeplug socket with wiring to thumbwheels Wiring between transceiver and handset Codeplug emulator with 5-thumbwheels
C
×
C
1 / 8
Pollux carphone with handset (Motorola Pulsar II)
C
2 / 8
Bare Pollux (Motorola Pulsar II) car telephone
C
3 / 8
Pollux car phone, modified to fit inside a small Samsonite briefcase
C
4 / 8
Modified Pollux car phone
C
5 / 8
Modified chassis
C
6 / 8
Codeplug socket with wiring to thumbwheels
C
7 / 8
Wiring between transceiver and handset
C
8 / 8
Codeplug emulator with 5-thumbwheels

Codeplug emulator
For number spoofing, hacked telephone sets were commonly equipped with a set of five numeric thumb­wheels, which allowed the user to select any possible subscriber number at will. For this to work, the existing codeplug was removed and replaced by a ribbon cable, at the end of which an electronic circuit with no less that 6 ICs connected the set to the thumbwheels. In order to protect the design against other hackers, the electronic circuit shown here, was cast in an opaque epoxy.


This way, the codeplug emulator literally became a black box that could not easily be copied. The x-ray image above shows the contents of the black box as it was found in one of the phones. The circuit appears to be hastily constructed, as shown by the messy arrangement of the wiring. 1

  1. Images made with Creative Electron TruView Prime.  More

Codeplug emulator with 5-thumbwheels X-ray  view of the codeplug emulator Another x-ray view of the codeplug emulator
D
×
D
1 / 3
Codeplug emulator with 5-thumbwheels
D
2 / 3
X-ray  view of the codeplug emulator
D
3 / 3
Another x-ray view of the codeplug emulator

Glossary
ATF   Autotelefoon
Name for the Dutch automatically-switched analogue carphone networks, of which three generations have existed (nown as ATF-1, ATF-2 and ATF-3. Succeeded in 1994 by GSM.
B-Netz   B network
First automatically-switched analogue mobile telephone network in Germany, compatible with ATF-1 in the Netherlands, and with the networks in Austria and Luxemburg.
GSM   Global System for Mobile Communication
Digital mobile telephone network, with built-in encryption and authentication. Introduced in 1991 and rolled-out in most European countries in 1992. In the Netherlands, GSM was introduced in 1994.  More
KPN   Koninklijke PTT Nederland
Royal PTT of The Netherlands. This was the name of the former Dutch state-owned telecom monopolist PTT after its privatisation in 1989.
OLN   Openbaar Landelijk Net
First Dutch public radio network for mobile telephony in the 80 MHz band, introduced in 1949 and operated by the PTT (now: KPN). The network was manually-switched, which means that the subscriber had to be patched by an operator. Terminated in 1985.  More
PTT   Staatsbedrijf der Posterijen, Telegrafie en Telefonie
Dutch state-owned telecommunications monopolist from 1881 until its privatisation in 1989. Responsible for the development and operation of the post, telegraph and telephone networks in the Netherlands. Also responsible for monitoring the radio spectrum and for enforcing the telecom laws.
References
  1. Wikipedia, B-Netz
    Retrieved May 2019.

  2. Wikipedia, Collect call
    Retrieved May 2019.

  3. Wikipedia, Phreaking
    Retrieved May 2019.

  4. Provinciale Zeeuwse Courant, Wijdvertakte zwendelzaak met autotelefoons ontdekt
    28 October 1986, page 5.
     Direct download

  5. Geoffrey C. Fors, Motorola and GE mobile telephones, 1970-1983
    The Mobile Telephone. Chapter 6. 2007. Retrieved June 2019.

  6. Peter Poelman & The Key, Autotelefoonnet 1 gehackt
    Hack-Tic Magazine, Issue 2, 1989. Page 7 (Dutch).
Further information
Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation?
Crypto Museum. Created: Tuesday 28 May 2019. Last changed: Sunday, 02 June 2019 - 17:36 CET.
Click for homepage