Saturday, October 23, 2010

Ham Radio Cellphone Network

I highly recommend this article to anyone, it really resonated with me. The article makes a good point that anyone can throw a wire into a tree and call CQ. But there was one key paragraph that sent my mind wondering. I quote:
Future developments in the non-amateur world of radio from that point included cellular technology and the transmission of higher speed data over the air. Commercial applications for broadcast radio and television have changed radically and now include the imposition of digital methods. Military applications for secure battlefield communication use satellite and terrestrial means like mesh networking for voice and data transmission. Our homes, restaurants and coffee shops are bathed in RF transmitted data that keep our mobile devices connected to the Internet.
 Sure, there's the High Speed MultiMedia HSMM experiments... although the working group for that has disappeared and the general attitude I see about it, over and over is that you can do more with Part15 than you can with the higher power afforded with part97. It's a shame really. I've also seen a couple rare web pages discussing experiments with DATV. Much to my surprise, the experimenters preferred DVB-S to ATSC.

I'm not saying that Ham Radio is completely irrelevant. There's a lot of focus on it's use in emergencies and getting ready to help out in a disaster. And that's great. We have digital modes that run with a soundcard interface on a computer and software defined radio. There is a fairly basic digital voice mode called D-star. That's the big developments lately. Other than that, operating is fairly much the same as it was 30 plus odd years ago.

Why not a Ham Radio Cellphone network? I did some searching and this is what I've come up with..
Okay, the article discusses the use of this stuff to "hack" people's cellphone connections and listen in to their traffic. It misses a point that is blindingly obvious to me.
  • European GSM cellphones have 900mhz as a band
  • American Ham operators have 900mhz as a band
  • Hardware exists to set up a homebrew cellphone base station
  • How cool would it be to set up a legal ham radio cellphone network!
KJ6GCG, Chris Paget, set up his system to demonstrate the vulnerabilities of the GSM system specifically by spoofing the network ID for an active carrier. It should be entirely possible to set up a "fake" carrier that will not interfere with any commercial one and run it on our 900mhz band. Possibly even restrict access to special SIM card programming that could be posted online for any Ham Radio Operator to access. GSM can be run without encryption entirely, it's another point that allowed Mr Paget to demonstrate the call recording. Running in this mode will avoid any trouble with the regulations on the merits of codes and cyphers. The 900mhz band in the phones should be completely unused in America, that option is there to remain compatible with European networks.

Imagine this: Your area sets up a Ham Cellphone node and various operators get a GSM quadband phone of their choice (probably needs to be unlocked). Now they can carry a form of communication around that allows them to contact other hams at any time. It will always work in an emergency. You could potentially allow for a "phone patch" operation. It would be beyond easy to put in an extension number to allow access to any attached repeaters, echolink, etc. Call ex# 270 to access the 147.270 repeater!

I wonder if the data connection works.. Hello hinternet! GSM-APRS? Text messaging? You could set up a truely cell based network with HSMM backhauls between each cell. Put the backhaul in the Ham allocation of 2.4ghz and have fun.

The OpenBTS project is what makes all of this possible. They use a software defined radio called the Universal Software Radio Project (USRP) along with their own Linux-based software to fully act as a Cellphone Base station. There is a blog written by the OpenBTS developers here.

Incidentally, The OpenBTS people have been running a small cellphone network at the Burning Man festival for the past 3 years or so. They get a special temporary license from the FCC and coordinate it with the phone company that covers (or doesn't, in this case) the area. The Wikipedia article references this but I can't find the blog posts that I remember where they talked in detail about it. This is the authorization for 2008 with temporary callsign WD9XKN.

Of course, after writing this whole thing I run across a Wikipedia page with GSM frequencies worldwide. Some of the allocations fall in the 900mhz band but it's not clear to me if there are any channels that fall completely into the 902-928mhz bandwidth that we are allotted. Can uplink and downlink frequencies be set to fall within the allotment? Will that actually work with any phones? I don't know.

Questions? Comments? Flames? Does anyone really read these things?

8 comments:

  1. This is interesting. I am working with several digital projects right now, but this is a different way to look at things.

    Jim
    KC4BQK
    www.kc4bqk.blogspot.com

    ReplyDelete
  2. I was thinking the same thing when I saw the defcon presentation on this.

    http://kb9mwr.blogspot.com/2010/09/diy-emergency-cell-tower.html

    ReplyDelete
  3. I know someone (??) in the KC area is working on a IDEN style PTT digital network on the HAM bands.

    ReplyDelete
  4. Will, got any more information about that? Sounds very interesting. What kind of hardware are they setting up to build the network? What can they access it with? IDEN phones?

    ReplyDelete
  5. Hi,
    Have thought of exactly the same thing for a while. None of the foreign cell bands fall entirely in the US ham bands. The best way I can think of doing this would be to use an external RF converter for the GSM phone so it uses a ham band. I would use 420 to 440 since it is big enough and allows decent range for each base station.
    Jay no2g

    ReplyDelete
  6. I have been having the cell phone on ham bands itch too. Today I got a free junk (no sim card, dead battery) Nokia 2610 cell phone. I got a really clear schematic with voltage and waveform traces off of the internet and I was able to disassemble the phone with a Torx T-6 screwdriver.

    The schematic shows the radio side of the phone apparently driven by a 26Mhz crystal. To make the low band 869.5 Mhz drop down to about 432 Mhz (where I have a ham radio receiver) would need a signal generator set to 12.92 Mhz.

    I do wish there were a way to get cell phone type radio on the ham bands in a more elegant manner. But this is fun for a weekend with only small dollars invested. My call is AG6CB.

    ReplyDelete
  7. Oh well it only took me 4 years to figure out you linked to my article on my blog. You probably didn't know that I am a ham too. And I did know that he was using 900 Mhz because he was a ham too. I also sell and install cellular equipment on marine vessels ... yachts that is. I think your time is running out on GSM with 4G now. The frequency bands have changed, and although 2G and 3G are still up for now. GSM and the 2G / 3G are going away. Pretty soon it will be hard to find user equipment that will DO 900 Mhz. I really don't see any thrill in spending so much money to do this on ham radio ... and the potential for illegal use is too high. Most phones have probably closed that loophole related to the encryption on GSM by now ... and maybe even made steps towards anti-spoofing of carrier signals. I did want to play with this - but damn so much money for a USRP. You'd really have to have repeater quality height and power to make it worth multiple users with handsets and probably even multiple sites to make it worth deploying. I don't think too many individuals or clubs would do this.

    ReplyDelete
    Replies
    1. Yeah, Things have changed in the last 5 years. It'd be great if some commodity hardware would overlap to make something like this viable again. Personally I'd love to find one of the Chinese handsets with something like a built-in RTL dongle. I think one day we might have cellphones that are fully SDR. The main issue is if the SDR is burned into a chip and if it can or can't be changed. Some or all of the Baofeng radios use SDR or SDR-like tech but at a chip level so it's not like we can just go in and edit it. If someone made something that was a 5" Android smartphone where the cellphone radio was SDR based that could be edited.. that could really take off. It'd be like a pocket-sized HackRF.
      Just dreaming.

      Delete