FreeRunner

Messing with a Motorola Bag Phone

PUBLISHED 8/11/2024

WRITTEN BY Christopher McRae

Overview and History of AMPS

AMPS, the Advanced Mobile Phone System, was developed by Bell Labs in the 1970s as a replacement for the older mobile telephone systems used in the US, such as IMTS (Improved Mobile Telephone System). Systems such as IMTS were not true cellular systems: each coverage area, though wide, offered very few channels, so it was difficult to get a channel and place a call, especially in urban areas. AMPS solved this by dividing a coverage area into many "cells" and reusing the same frequencies in cells far enough apart not to interfere with each other. The repurposing of UHF television channels 70 to 83 (the 800 MHz band) gave AMPS far more bandwidth than IMTS ever had. AMPS is referred to as an analog system because voice is carried as FM, but the system relies on digital technology as well, including a microprocessor that manages the phone and FSK (Frequency Shift Keying) for the signaling between base station and phone. AMPS was trialed in Chicago in the late 1970s and released to the general public in 1983. The system was phased out in 2008, with Verizon and AT&T being the final major carriers operating AMPS networks.

My Phone

I recently acquired a Motorola Bag Phone Series III, branded under the NYNEX RBOC, at an antiques store. My phone is fairly run of the mill for bag phones, but it does have a 10 digit LCD, while many models only offered 7 digit LCDs. While most of these bag phones likely lived in vehicles, there is an option to power it from a 12V lead acid battery. I happen to have one of these batteries, as I own a camcorder that uses one of the same form factor. Interestingly, you must have the battery connected when powering from an external power source, or else the phone will not power on. Though my specimen was in poor condition cosmetically, everything appears to work just fine.

What's the Point?

Aside from the historical significance, there is something about analog cell phones that makes them appealing to nerds like me in modern times. The Osmocom (Open Source Mobile Communications) project reverse engineers and reimplements cellular systems, most notably GSM, and allows an individual with the proper hardware to operate their own cellular base station. The Osmocom-Analog project has implemented every major analog cell phone system, including AMPS, and is well documented. The simplicity of AMPS and other analog phone systems makes setting up your own base station far more achievable than with more advanced technologies such as GSM, which require very expensive hardware. Osmocom-Analog does support full duplex SDRs (Software Defined Radios), but if you have an FM transmitter and receiver that cover the right frequencies*(1), a computer running Osmocom-Analog with an ordinary sound card can generate and decode all of the signaling needed to register an AMPS handset and set up calls. In theory you could even connect it to a SIP-based VoIP server such as Asterisk and place calls from your ancient cell phone to the public phone network.

Motorola's Test Mode

While I plan on experimenting with Osmocom-Analog, I do not currently have the radio hardware to do so. But something you can do with most Motorola AMPS phones of the era is enter "test mode". Test mode is, as the name suggests, used to test the functions of the phone, including its transmit and receive capabilities. It can also be used to configure, or "program", certain values into the phone, including security codes and service-related settings. On certain models it may have been possible to change the ESN (Electronic Serial Number) without any extra hardware; this would have allowed a malicious actor to make their phone identify as someone else's, so that any calls placed were billed to the victim. This is the classic AMPS "cloning" fraud: the original AMPS signaling sent the ESN and phone number in the clear and authenticated the handset by nothing else, so anything that could capture or program an ESN could impersonate a subscriber. The IMEI is the modern equivalent of the ESN. For me, the most interesting thing about test mode is the ability to set the transceiver to any channel (restricted on newer models because of eavesdropping concerns) and transmit or receive at will. Bear in mind that the cellular bands are still licensed spectrum, so any transmitting is best done into a dummy load or a shielded setup rather than an antenna.

How to enter Test Mode on Bag Phones

Entering test mode on Motorola bag-style phones is extremely straightforward: all you need to do is bridge pins 20 and 21 on the DB-25 connector on the back of the phone's transceiver. While the method I used is not very elegant, it is about the simplest way short of disassembling the radio and soldering the pins together. A very useful resource when messing around with these old Motorola cell phones is the "Motorola Bible" by Mike Larsen. This plain-text file contains pretty much everything you need to know, not only about operating the phone normally but also about entering and using test mode, programming, and more.

Motorola Bag Phones generally utilize a "power adapter" that screws into the back of the transceiver and interfaces with the DB-25 port. I initially thought that I could solder wires directly onto the legs of the female end of this connector that corresponded to pins 20 and 21, but unfortunately, only the legs that are used by the adapter are populated.

 Bag Phone transceiver (bottom) with "power adapter" (top)

The DB-25 connector on the power adapter is missing the legs for pins 20 and 21

I then decided to solder wires directly onto the pins of the transceiver and route the wires through the adapter. While sloppy, this did work.

Definitely not my best work.

Ideally, a switch would be installed in the adapter but I was lazy and just ran the wires as is. In order to enable test mode, I simply twist the wires together and power on the radio.

In Test Mode

The primary thing I wanted to do in test mode was check the transmit capabilities of the phone. I entered the commands, listed in the Motorola Bible, to enable the transmit carrier and audio, and set the channel to 330. I used an RTL-SDR to tune in to the phone's signal, and it was working.



The crazy harmonics are likely due to the poor filtering of my RTL-SDR.
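To know where to point the RTL-SDR once the phone is parked on a channel, it helps to have the AMPS channel plan at hand. The script below is an added worked example, not code from this post or from Osmocom-Analog; it maps channel numbers to frequencies using the standard AMPS (EIA/TIA-553) numbering, flags the dedicated control channels, and does the inverse lookup from a frequency seen on a waterfall. It shows, for instance, that channel 330 from the test above puts the handset's transmitter at 834.900 MHz, 45 MHz below the 879.900 MHz base side, and that 330 is one of the A-band control channels. The rtl_fm command it builds is only a suggested starting point; the sample rate and gain values are my assumptions, not something the post specifies.

```python
"""AMPS channel plan calculator.

Added example for this post; it is not code from the original page or
from Osmocom-Analog.  Frequencies follow the standard AMPS (EIA/TIA-553)
channel numbering, computed in integer kHz to avoid float drift:

    mobile TX (reverse link) = 825 000 kHz + 30 kHz * N          for N in 1..799
    mobile TX (reverse link) = 825 000 kHz + 30 kHz * (N - 1023) for N in 991..1023
    base TX   (forward link) = mobile TX + 45 000 kHz

The 869-894 MHz band mentioned in Note 1 is the base (forward) side;
the handset transmits 45 MHz lower, in 824-849 MHz.
"""
from dataclasses import dataclass

REVERSE_BASE_KHZ = 825_000
CHANNEL_SPACING_KHZ = 30
DUPLEX_OFFSET_KHZ = 45_000

# Band assignment.  Original 666-channel plan: A (non-wireline) = 1..333,
# B (wireline) = 334..666.  The 1986 expansion added A' = 667..716,
# B' = 717..799 and A'' = 991..1023.  Channels 800..990 do not exist.
A_BAND_RANGES = ((1, 333), (667, 716), (991, 1023))
B_BAND_RANGES = ((334, 666), (717, 799))

# Each carrier has 21 dedicated control channels: A = 313..333, B = 334..354.
CONTROL_CHANNELS = range(313, 355)


@dataclass(frozen=True)
class AmpsChannel:
    number: int
    band: str           # "A" or "B"
    mobile_tx_khz: int  # what the phone transmits (reverse link)
    base_tx_khz: int    # what the phone listens on (forward link)
    control: bool       # True for a dedicated control channel


def band_for(number: int) -> str:
    """Return 'A' or 'B', raising ValueError for numbers outside the plan."""
    if any(lo <= number <= hi for lo, hi in A_BAND_RANGES):
        return "A"
    if any(lo <= number <= hi for lo, hi in B_BAND_RANGES):
        return "B"
    raise ValueError(f"channel {number} is not in the AMPS channel plan")


def channel_info(number: int) -> AmpsChannel:
    band = band_for(number)  # validates the number first
    offset = number if number <= 799 else number - 1023
    mobile = REVERSE_BASE_KHZ + CHANNEL_SPACING_KHZ * offset
    return AmpsChannel(
        number=number,
        band=band,
        mobile_tx_khz=mobile,
        base_tx_khz=mobile + DUPLEX_OFFSET_KHZ,
        control=number in CONTROL_CHANNELS,
    )


def all_channels():
    """Every valid channel number, in plan order."""
    for lo, hi in sorted(A_BAND_RANGES + B_BAND_RANGES):
        yield from range(lo, hi + 1)


def channel_for_khz(khz: int) -> AmpsChannel:
    """Inverse lookup: which channel is a carrier seen at `khz` (either direction)?"""
    for n in all_channels():
        ch = channel_info(n)
        if khz in (ch.mobile_tx_khz, ch.base_tx_khz):
            return ch
    raise ValueError(f"{khz} kHz is not an AMPS channel centre frequency")


def rtl_fm_command(number: int, side: str = "mobile") -> str:
    """Suggested rtl_fm invocation to listen to a handset (or base) on this channel.

    `side` is 'mobile' to hear what the phone transmits (the test-mode case)
    or 'base' to hear a base station.  Sample rate and gain are assumed
    starting values, not anything the post specifies.
    """
    ch = channel_info(number)
    khz = ch.mobile_tx_khz if side == "mobile" else ch.base_tx_khz
    return f"rtl_fm -M fm -f {khz * 1000} -s 48000 -g 30 - | aplay -r 48000 -f S16_LE"


if __name__ == "__main__":
    ch = channel_info(330)
    print(f"channel {ch.number}: band {ch.band}, "
          f"mobile TX {ch.mobile_tx_khz / 1000:.3f} MHz, "
          f"base TX {ch.base_tx_khz / 1000:.3f} MHz, "
          f"control channel: {ch.control}")
    print(rtl_fm_command(330))
```

Because channel 330 is a control channel, a phone parked there in test mode is keying up on a frequency a real A-band base station would once have used for paging and call setup, which is exactly why newer firmware restricts which channels test mode will let you select.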

*Note 1: You must also modify the receiver with a "discriminator tap" in order to get raw, unfiltered access to the baseband audio. The output audio from the computer must be connected to the PLL of the transmitter in order to bypass any pre-emphasis; the microphone path of a voice radio applies pre-emphasis and voice-band filtering that would mangle the FSK data the base station has to send. Finding a transmitter that can actually transmit on the required 869 to 894 MHz is quite challenging, and you will very likely need to make modifications to achieve operation in this band.