Precall Validation: Process and Terms

We know that pressing send or turning on the phone conveys information about the phone to the cell site and then to the MTSO. A call gets checked with all this information. There are many parts to each digital message. A five digit code called the home system identification number (SID or sometimes SIDH) identifies the cellular carrier your phone is registered with. For example, Cellular One's code in Sacramento, California, is 00129. Go to Stockton forty miles south and Cellular One uses 00224. A system can easily identify roamers with this information. The "Roaming" lamp flashes or the LED pulses if you are out of your local area. Or the "No Service" lamp comes on if the mobile can't pick up a decent signal. This number is keypad programmable, of course, since people change carriers and move to different areas. You can find yours by calling up a local cellular dealer. Or by putting your phone in the programming mode.
This number doesn't go off in a numerical form, of course, but as a binary string of zero's and ones. These digital signals are repeated several times to make sure they get received. The mobile identification number or MIN is your telephone's number. MINs are keypad programmable. You or a dealer can assign it any number desired. That makes it different than its electronic serial number which we'll discuss next. A MIN is ten digits long. A MIN is not your directory number since it is not long enough to include a country code. It's also limited when it comes to future uses since it isn't long enough to carry an extension number.
The electronic serial number or ESN is a unique number assigned to each phone. One per phone! Every cell phone starts out with just one ESN. This number gets electronically burned into the phone's ROM, or read only memory chip. A phone's MIN may change but the serial number remains the same. The ESN is a long binary number. Its 32 bit size provides billions of possible serial numbers. The ESN gets transmitted whenever the phone is turned on, handed over to another cell or at regular intervals decided by the system. Every ten to fifteen minutes is typical. Capturing an ESN lies at the heart of cloning. You'll often hear about stolen codes. "Someone stole Major Giuliani's and Commissioner Bratton's codes." The ESN is what is actually being intercepted. A code is something that stands for something else. In this case, the ESN. A hexadecimal number represents the ESN for programming and test purposes. Such a number might look like this: 82 57 2C 01.
The station class mark or SCM tells the cell site and the switch what power level the mobile operates at. The cell site can turn down the power in your phone, lowering it to a level that will do the job while not interfering with the rest of the system. In years past the station class mark also told the switch not to assign older phones to a so called expanded channel, since those phones were not built with the new frequencies the FCC allowed.
The switch process this information along with other data. It first checks for a valid ESN/MIN combination. You don't get access unless your phone number matches up with a correct, valid serial number and MIN. You have to have both unless, perhaps, if you call 911. The local carrier checks its own database first. Each carrier maintains its own records but the database may be almost anywhere. These local databases are updated, supposedly, around the clock by two much larger data bases maintained by Electronic Data Systems and GTE. EDS maintains records for most of the former Bell companies and their new cellular spin offs. GTE maintains records for GTE cellular companies as well as for other companies. Your call will not proceed returned unless everything checks out. These database companies try to supply a current list of bad ESNs as well as information to the network on the tens of thousands cellular users coming on line every day.
A local caller will probably get access if validation is successful. Roamers may not have the same luck if they're in another state or fairly distant from their home system. Even seven miles from San Francisco, depending on the area you are in. (I know this personally.) A roamer's record must be checked from afar. Many carriers still can't agree on the way to exchange their information or how to pay for it. A lot comes down to cost. A distant system may still be dependent on older switches or slower databases that can't provide a quick response. The so called North American Cellular Network attempts to link each participating carrier together with the same intelligent network/system 7 facilities.
Still, that leaves many rural areas out of the loop. A call may be dropped or intercepted rather than allowed access. In addition, the various carriers are always arguing over fees to query each others databases. Fraud is enough of a problem in some areas that many systems will not take a chance in passing a call through. It's really a numbers game. How much is the system actually loosing, compared to how much prevention would cost? Preventive measures may cost millions of dollars to put in place at each MTSO. Still, as the years go along, cooperation among carriers is getting better and the number of easily cloned analog phones in use are declining.

Origination: Making a call

Making a mobile call uses many steps that help receive a call. The same basic process. Punch out the number that you want to call. Press the send button. Your mobile transmits that telephone number, along with a request for service signal, and all the information used to register a call to the cell site. The mobile transmits this information on the strongest reverse control channel. The MTSO checks out this info and assigns a voice channel. It communicates that assignment to the mobile on the forward control channel. The cell site opens a voice channel and transmits a SAT on it. The mobile detects the SAT and locks on, transmitting it back to the cell site. The MTSO detects this confirmation and sends the mobile a message in return. This could be several things. It might be a busy signal, ringback or whatever tone was delivered to the switch. Making a call, however, involves far more problems and resources than an incoming call does.
Making a call and getting a call from your cellular phone should be equally easy. It isn't, but not for technical reasons, that is setting up and carrying a call. Rather, originating a call from a mobile presents fraud issues for the user and the carrier. Especially when you are out of your local area. Incoming calls don't present a risk to the carrier. Someone on the other end is paying for them. The carrier, however, is responsible for the cost of fraudulent calls originating in its system. Most systems shut down roaming or do an operator intercept rather than allow a questionable call. I've had close friends asked for their credit card numbers by operators to place a call. [See cloning comments]
Can you imagine giving a credit card number or a calling card number over the air? You're now making calls at a payphone, just like the good old days. Cellular One has shut down roaming "privileges" altogether in New York City, Washington and Miami at different times. But you can go through their operator and pay three times the cost of a normal call if you like. So what's going on? Why the problem with some outgoing calls? We first have to look at some more terms and procedures. We need to see what happens with call processing at the switch and network level. This is the exciting world of precall validation.
-------------------
Notes:
[Clone comments] "You could make more clear that this is due to validation and fraud issues, not to the mechanics of setting up the call, since this is pretty much the same for originations and terminations."
"By the way, at AirTouch we took a big bite out of fraudulent calls when we stopped automatically giving every customer international dialing capability. We gave it to any legitimate customer who asked for it, but the default was no international dialing. So the cloners would rarely get a MIN/ESN combo that would allow them to make calls to Colombia to make those 'arrangements'. Yes, the drug traffic was a huge part of the cloning problem. We had some folks who worked a lot with law enforcement, particularly the DEA. Another large part of it was the creeps who would sell calls to South America on the street corners of L.A. Illegal immigrants would line up to make calls home on this cloned phone."
"Actually, even though it's an inconvenience, being cloned can be fun if you are an engineer working for the carrier. You can do all kinds of fun things with the cloner. Like seeing where they are making their calls and informing the police. Like hotlining the phone so that ALL calls go straight to customer service. It would have been fun to hotline them to INS, but INS wouldn't have liked that."

The SAT, Dial Tone, and Blank and Burst

[Remember that we are discussing the original or default call set up routine in AMPS. IS-136, and IS-95 use a different, all digital method, although they switch back to this basic version we are now describing in non-digital territory. GSM also uses a different, incompatible technique to set up calls.]
An SAT is a high pitched, inaudible tone that helps the system distinguish between callers on the same channel but in different cells. The mobile tunes to its assigned channel and it looks for the right supervisory audio tone. Upon hearing it, the mobile throws the tone back to the cell site on its reverse voice channel. What engineers call transpond, the automatic relaying of a signal. We now have a loop going between the cell site and the phone. No SAT or the wrong SAT means no good.
AMPS generates the supervisory audio tone at three different non-radio frequencies. SAT 0 is at 5970 Hz, SAT 1 is at6000 Hz, and SAT 2 is at 6030 Hz. Using different frequencies makes sure that the mobile is using the right channel assignment. It's not enough to get a tone on the right forward and reverse path -- the mobile must connect to the right channel and the right SAT. Two steps. This tone is transmitted continuously during a call. You don't hear it since it's filtered during transmission. The mobile, in fact, drops a call after five seconds if it loses or has the wrong the SAT. [Much more on the SAT and co-channel interference] The all digital GSM and PCS systems, by comparison, drops the call like AMPS but then automatically tries to re-connect on another channel that may not be suffering the same interference.
Excellent .pdf file from Paul Bedell on co-channel interference, carrier to interference ratio, adjacent channel interference and so on, along with good background information everyone can use to understand cellular radio. (280K, 14 pages in .pdf)
The file above is from his book Cellular/PCs Management. More information and reviews are here (external link to Amazon.com)
The cell site unmutes the forward voice channel if the SAT gets returned, causing the mobile to take the mute off the reverse voice channel. Your phone then produces a ring for you to hear. This is unlike a landline telephone in which ringing gets produced at a central office or switch. To digress briefly, dial tone is not present on AMPS phones, although E.F. Johnson phones produced land line type dial tone within the unit. [See dial tone.]
Can't keep track of these steps? Check out the call processing diagram
Enough about the SAT. I mentioned another tone that's generated by the mobile phone itself. It's called the signaling tone or ST. Don't confuse it with the SAT. You need the supervisory audio tone first. The ST comes in after that; it's necessary to complete the call. The mobile produces the ST, compared to the SAT which the cell site originates. It's a 10 kHz audio tone. The mobile starts transmitting this signal back to the cell on the forward voice path once it gets an alerting message. Your phone stops transmitting it once you pick up the handset or otherwise go off hook to answer the ring. Cell folks might call this confirmation of alert. The system knows that you've picked up the phone when the ST stops.
Thanks to Dwayne Rosenburgh N3BJM for corrections on the SAT and ST
AMPS uses signaling tones of different lengths to indicate three other things. Cleardown or termination means hanging up, going on hook, or terminating a call. The phone sends a signaling tone of 1.8 seconds when that happens. 400 ms. of ST means a hookflash. Hookflash requests additional services during a conversation in some areas. Confirmation of handover request is another arcane cell term. The ST gets sent for 50 ms. before your call is handed from one cell to another. Along with the SAT. That assures a smooth handoff from one cell to another. The MTSO assigns a new channel, checks for the right SAT and listens for a signaling tone when a handover occurs. Complicated but effective and all happening in less than a second. [See SIT]
Okay, we're now on the line with someone. Maybe you! How does the mobile communicate with the base station, now that a conversation is in progress? Yes, there is a control frequency but the mobile can only transmit on one frequency at a time. So what happens? The secret is a straightforward process known as blank and burst. As Mark van der Hoek puts it,
"Once a call is up on a voice channel, all signaling is done on the voice channel via a scheme known as "Blank and Burst". When the site needs to send an order to the mobile, such as hand off, power up, or power down, it mutes the SAT on the voice channel. This is filtered at the mobile so that the customer never hears it. When the SAT is muted, the phone mutes the audio path, thus the "blank", and the site sends a "burst" of data. The process takes a fraction of a second and is scarcely noticeable to the customer. Again, it's more noticeable on a Motorola system than on Ericsson or Lucent. You can sometimes hear the 'bzzt' of the data burst."
Blank and burst is similiar to the way many telco payphones signal. Let's say you're making a long distance call. The operator or the automated coin toll service computer asks you for $1.35 for the first three minutes. And maybe another dollar during the conversation. The payphone will mute or blank out the voice channel when you deposit the coins. That's so it can burst the tones of the different denominations to the operator or ACTS. These days you won't often hear those tones. And all done through blank and burst. Now let's get back to cellular.
--------------------
Notes:
[Dial tone] During the start of your call a "No Service" lamp or display instead tells you if coverage isn't available If coverage is available you punch in your numbers and get a response back from the system. Imagine dialing your landline phone without taking the receiver of the hook. If you could dial like that, where would be the for dial tone?
[Much more on the SAT and co-channel interference] The supervisory audio tone distinguishes between co-channel interferrors, an intimidatingly named but important to know problem in cellular radio. Co-channel interferrors are cellular customers using the same channel set in different cells who unknowingly interfere with each other. We know all about frequency reuse and that radio engineers carefully assign channels in each cell to minimize interference. But what happens when they do? Let's see how AMPS uses the SAT in practice and how it handles the interference problem.
Mark van der Hoek describes two people, a businessman using his cell phone in the city, and a hiker on top of a mountain overlooking the city. The businessman's call is going well. But now the hiker decides to use his phone to tell his friends he has climbed the summit. (Or as we American climbers say, "bagged the peak.")
From the climber's position he can see all of the city and consequently the entire area under cellular coverage. Since radio waves travel in nearly a straight line at high frequencies, it's possible his call could be taken by nearly any cell. Like the one the businessman is now using. This is not what radio engineers plan on, since the nearest cell site usually handles a call, in fact, Mark points out they don't want people using cell phones on an airplane! "Knock it off, turkey! Can't you see you're confusing the poor cell sites?"
If the hiker's mobile is told by the cell site first setting up his call to go channel 656, SAT 0, but his radio tunes now to a different cell with channel 656, SAT 1, instead, a fade timer in the mobile shuts down its transmitter after five seconds. In that way an existing call in the cell is not disrupted.
If the mobile gets the right channel and SAT but in a different cell than intended, FM capture occurs, where the stronger call on the frequency will displace, at least temporarily, the weaker call. Both callers now hear each other's conversation. A multiple SAT condition is the same as no SAT, so the fade timer starts on both calls. If the correct SAT does not resume before the fade timer expires, both calls are terminated
Mark puts it simply, "Remember, the only thing a mobile can do with SAT is detect it and transpond it. Either it gets what it was told to expect, and transponds it, or it doesn't get what it was told to expect, in which case it starts the fade timer. If the fade timer expires, the mobile's transmitter is shut down and the call is over."
[SIT] "A large supplier and a carrier I worked for went round and round on this. If their system did not detect hand-off confirmation, it tore down the call. Even if it got to the next site successfully. Their reasoning was that, if the mobile was in such a poor radio frequency environment that 50 ms of ST could not be detected, the call is in bad shape and should be torn down. We disagreed. We said, "Let the customer decide. If it's a lousy call, they'll hang up. If it's a good call, we want it to stay up!" Just because a mobile on channel 423 is in trouble doesn't mean that it will be when it hands off to channel 742 in another cell! In fact, a hand-off may happen just in time to save a call that is going south. Why?"
"Well, just because there is interference on channel 423 doesn't mean that there is on 742! Or what if the hand-off dragged? That is, for whatever reason the call did not hand off at approximately half way between the cells. (Lot's of reasons that could happen.) So the path to the serving site is stretched thiiiiin, almost to the point of dropping the call. But the hand-off, almost by definition in this case, will be to a site that is very close. That ought to be a good thing, you'd think. Well, the system supplier predicted Gloom, Doom, and Massive Dropped Calls if we changed it. We insisted, and things worked much better. Hand-off failures and dropped calls did not increase, and perceived service was much better. For this and a number of other reasons I have long suspected that their system did not do a good job of detecting ST

Pages: Getting a Call

Okay, your phone's now registered with your local system. Let's say you get a call. It's the F.B.I., asking you to turn yourself in. You laugh and hang up. As you speed to Mexico you marvel at the technology involved. What happened? Your phone recognized its mobile number on the paging channel. Remember, that's always the forward control channel or path except in a CDMA system. The mobile responded by sending its identifying information again to the MTSO, along with a message confirming that it received the page. The system responded by sending a voice channel assignment to the cell you were in. The cell site's transceiver got this information and began setting things up. It first informed the mobile about the new channel, say, channel 10 in cell number 8. It then generated a supervisory audio tone or SAT on the forward voice frequency. What's that?

Registration -- Hello, World

A mobile phone runs a self diagnostic when it's powered up. Once completed it acts like a scanning radio. Searching through its list of forward control channels, it picks one with the strongest signal, the nearest cell or sector usually providing that. Just to be sure, the mobile re-scans and camps on the strongest one. Not making a call but still on? The mobile re-scans every seven seconds or when signal strength drops before a pre-determined level. Next, as Will Galloway writes, "After an AMPS phone selects the strongest channel, it tries to decode the data stream and in particular the System ID, to see if it's at home or roaming. If there are too many errors, it will switch to the next strongest channel. It also watches the busy/idle bit in the data stream to find a free slot to transmit its information." After selecting a channel the phone then identifies itself on the reverse control path. The mobile sends its phone number, its electronic serial number, and its home system ID. Among other things. The cell site relays this information to the mobile telecommunications switching office. The MTSO, in turn, communicates with different databases, switching centers and software programs.
The local system registers the phone if everything checks out. Mr. Mobile can now take incoming calls since the system is aware that it is in use. The mobile then monitors paging channels while it idles. It starts this scanning with the initial paging channel or IPCH. That's usually channel 333 for the non-wireline carrier and 334 for the wireline carrier. The mobile is programed with this information and 21 channels to scan when your carrier programs your phone's directory number, the MIN, or mobile identification number. Again, the paging channel or path is another word for the forward control channel. It carries data and is transmitted by the cell site. A mobile first responds to a page on the reverse control channel of the cell it is in. The MTSO then assigns yet another channel for the conversation. But I am getting ahead of myself. Let's finish registration.
Registration is an ongoing process. Moving from one service area to another causes registration to begin again. Just waiting ten or fifteen minutes does the same thing. It's an automatic activity of the system. It updates the status of the waiting phone to let the system know what's going on. The cell site can initiate registration on its own by sending a signal to the mobile. That forces the unit to transmit and identify itself. Registration also takes place just before you call. Again, the whole process takes only a few hundred milliseconds.
AMPS, the older, analog voice system, not the digital IS-136, uses frequency shift keying to send data. Just like a modem. Data's sent in binary. 0's and 1's. 0's go on one frequency and 1's go on another. They alternate back and forth in rapid succession. Don't be confused by the mention of additional frequencies. Frequency shift keying uses the existing carrier wave. The data rides 8kHz above and below, say, 879.990 MHz. Read up on the earliest kinds of modems and FSK and you'll understand the way AMPS sends digital information.
Data gets sent at 10 kbps or 10,000 bits per second from the cell site. That's fairly slow but fast enough to do the job. Since cellular uses radio waves to communicate signals are subject to the vagaries of the radio band. Things such as billboards, trucks, and underpasses, what Lee calls local scatters, can deflect a cellular call. So the system repeats each part of each digital message five times. That slows things considerably. Add in the time for encoding and decoding the digital stream and the actual transfer rate can fall to as low as 1200 bps.
Remember, too, that an analog wave carries this digital information, just like most modems. It's not completely accurate, therefore, to call AMPS an analog system. AMPS is actually a hybrid system, combining both digital and analog signals. IS-136, what AT&T now uses for its cellular network, and IS-95, what Sprint uses for its, are by contrast completely digital systems.
-------------------
Notes
Bits, frames, slots, and channels: How They Relate To Cellular
Here's a little bit on digital; perhaps enough to understand the accompanying Cellular Telephone Basics article. This writing is from my digital wireless series:Frames, slots, and channels organize digital information. They're key to understanding cellular and PCS systems. And discussing them gets really complicated. So let's back up, review, and then look at the earliest method for organizing digital information: Morse code.You may have seen in the rough draft of digital principles how information gets converted from sound waves to binary numbers or bits. It's done by pulse code modulation or some other scheme. This binary information or code is then sent by electricity or light wave, with electricity or light turned on and off to represent the code. 10101111, for example, is the binary number for 175. Turning on and off the signal source in the above sequence represents the code.Early digital wireless used a similar method with the telegraph. Instead of a binary code, though, they used Morse code. How did they do that? Landline telegraphs used a key to make or break an electrical circuit, a battery to produce power, a single line joining one telegraph station to another and an electromagnetic receiver or sounder that upon being turned on and off, produced a clicking noise.

A telegraph key tap broke the circuit momentarily, transmitting a short pulse to a distant sounder, interpreted by an operator as a dot. A more lengthy break produced a dash.. To illustrate and compare, sending the number 175 in American Morse Code requires 11 pulses, three more than in binary code. Here's the drill: dot, dash, dash, dot; dash, dash, dot, dot; dash, dash, dash. Now that's complicated! But how do we get to wireless?Let's say you build a telegraph or buy one. You power it with, say, two six volt lantern batteries. Now run a line away from the unit -- any length of insulated wire will do. Strip a foot or two of insulation off. Put the exposed wire into the air. Tap the key. Congratulations. You've just sent a digital signal. (An inch or two.) The line acts as an antenna, radiating electrical energy. And instead of using a wire to connect to a distant receiver, you've used electromagnetic waves, silently passing energy and the information it carries across the atmosphere.Transmitting binary or digital information today is, of course, much more complicated and faster than sending Morse code. And you need a radio transmitter, not just a piece of wire, to get your signal up into the very high radio spectrum, not the low baseband frequency a signal sets up naturally when placed on a wire. But transmission still involves sending code, represented by turning energy on and off, and radio waves to send it. And as American Morse code was a logical, cohesive plan to send signals, much more complicated and useful arrangements have been devised.
We know that 1s and 0s make up binary messages. An almost unending stream of them, millions of them really, parade back and forth between mobiles and base stations. Keeping that information flowing without interruption or error means keeping that data organized. Engineers build elaborate data structures to do that, digital formats to house those 1s and 0s. As I've said before, these digital formats are key to understanding cellular radio, including PCS systems. And understanding digital formats means understanding bits, frames, slots, and channels. Bits get put into frames. Frames hold slots which in turn hold channels. All these elements act together. To be disgustingly repetitive and obvious, here's the list again:
Frames
Slots
Channels
Bits
We have a railroad made not of steel but of bits. The data stream is managed and built out of bits. Frames and slots and channels are all made out of bits, just assembled in different ways. Frames are like railroad cars, they carry and hold the slots which contains the channels which carry and manage the bits. Huh? Read further, and bear with the raillroad analogy.
A frame is an all inclusive data package. A sequence of bits makes up a frame. Bit stands for binary digit, 0s and 1s that represent electrical impulses. (Go back to the previous discussion if this seems unclear.) A frame can be long or short, depending on the complexity of its task and the amount of information it carries. In cellular working the frame length is precisely set, in the case of digital cellular, where we have time division multiplexing, every frame is 40 milliseconds long. That's like railroad boxcars of all the same length. Many people confuse frames with packets because they do similiar things and have a similiar structure. Without defining packets, let just say that frames can carry packets, but packets cannot carry frames. Got it? For now?
A frame carries conversation or data in slots as well as information about the frame itself. More specifically, a frame contains three things. The first is control information, such as a frame's length, its destination, and its origin. The second is the information the frame carries, namely time slots. Think of those slots as freight. These slots, in turn, carry a sliced up part of a multiplexed conversation. The third part of a frame is an error checking routine, known as "error detection and correction bits." These help keep the data stream's integrity, making sure that all the frames or digital boxcars keep in order.
The slots themselves hold individual call information within the frame, that is, the multiplexed pieces of each conversation as well as signaling and control data. Slots hold the bits that make up the call. frequency for a predetermined amount of time in an assigned time slot. Certain bits within the slots perform error correction, making sure sure that what you send is what is received. Same way with data sent in frames on telephone land lines. When you request $20.00 from your automatic teller machine, the built in error checking insures that $2000.00 is not sent instead. The TDMA based IS-136 uses two slots out of a possible six. Now let's refer to specific time slots. Slots so designated are called channels, ones that do certain jobs.
Channels handle the call processing, the actual mechanics of a call. Don't confuse these data channels with radio channels. A pair of radio frequencies makes up a channel in digital IS-136, and AMPS. One frequency to transmit and one to receive. In digital working, however, we call a channel a dedicated time slot within a data or bit stream. A channel sends particular messages. Things like pages, for when a mobile is called, or origination requests, when a mobile is first turned on and asks for service.

AMPS Call Processing

Let's look at how cellular uses data channels and voice channels. Keep in mind the big picture while we discuss this. A call gets set up on a control channel and another channel actually carries the conversation. The whole process begins with registration. It's what happens when you first turn on a phone but before you punch in a number and hit the send button. It only takes a few hundred milliseconds. Registration lets the local system know that a phone is active, in a particular area, and that the mobile can now take incoming calls. What cell folks call pages. If the mobile is roaming outside its home area its home system gets notfied. Registration begins when you turn on your phone.

Channel Names and Functions

Okay, so what do we have? The first point is that cell phones and base stations transmit or communicate with each other on dedicated paired frequencies called channels. Base stations use one frequency of that channel and mobiles use the other. Got it? The second point is that a certain amount of bandwidth called an offset separates these frequencies. Now let's look at what these frequencies do, as we discuss how channels work and how they are used to pass information back and forth.
Certain channels carry only cellular system data. We call these control channels. This control channel is usually the first channel in each cell. It's responsible for call setup, in fact, many radio engineers prefer calling it the setup channel since that's what it does. Voice channels, by comparison, are those paired frequencies which handle a call's traffic, be it voice or data, as well as signaling information about the call itself.
A cell or sector's first channel is always the control or setup channel for each cell. You have 21 control channels if you have 21 cells. A call gets going, in other words, on the control channel first and then drops out of the picture once the call gets assigned a voice channel. The voice channel then handles the conversation as well as further signaling between the mobile and the base station. Don't place too much importance, by-the-way, to the setup channel. Although first in each cell's lineup, most radio engineers place priority on the voice channels in a system. The control channel lurks in the background. Now let's add some terms.
When discussing cell phone operation we call a base station's transmitting frequency the forward path. The cell phone's transmitting frequency, by comparison, is called the reverse path. Do not become confused. Both radio frequencies make up a channel as we've discussed before but we now treat them individually to discuss what direction information or traffic flows. Knowing what direction is important for later, when we discuss how calls are originated and how they are handled.
Once the MTSO or mobile telephone switch assigns a voice channel the two frequencies making up the voice channel handle signaling during the actual conversation. You might note then that a call two channels: voice and data. Got it? Knowing this makes many things easier. A mobile's electronic serial number is only transmitted on the reverse control channel. A person tracking ESNs need only monitor one of 21 frequencies. They don't have to look through the entire band.
So, we have two channels for every call with four frequencies involved. Clear? And a forward and reverse path for each frequency. Let's name them here. Again, a frequency is the medium upon which information travels. A path is the direction the information flows. Here you go:
--> Forward control path: Base station to mobile
<-- Reverse control path: Mobile to base station ------------------------------ --> Forward voice path: Base station to mobile
<-- Reverse voice path: Mobile to base station One last point at the risk of losing everybody. You'll hear about dedicated control channels, paging channels, and access channels. These are not different channels but different uses of the control channel. Let's clear up this terminology confusion by looking at call processing. We'll look at the way AMPS sets up calls. Both analog and digital cellular (IS-136) use this method, CDMA cellular (IS-95) and GSM being the exceptions. We'll also touch on a number of new terms along the way. Still confused about the terms channels, frequency, and path?, and how they relate to each other?

Cellular frequency and channel discussion

American cell phone frequencies start at 824 MHz and end at 894 MHz. The band isn't continuous, though, it runs from 824 to 849MHz, and then from 869 to 894. Airphone, Nextel, SMR, and public safety services use the bandwidth between the two cellular blocks. Cellular takes up 50 megahertz total. Quite a chunk. By comparison, the AM broadcast band takes up only 1.17 megahertz of space. That band, however, provides only 107 frequencies to broadcast on. Cellular may provide thousands of frequencies to carry conversations and data. This large number of frequencies and the large channel size required account for the large amount of spectrum used.
Thanks to Will Galloway for corrections
The original analog American system, AT&T's Advanced Mobile Phone Service or AMPS, now succeeded by its digital IS-136 service, uses 832 channels that are 30 kHz wide. Years ago Motorola and Hughes each tried making more spectrum efficient systems, cutting down on channel size or bandwidth, but these never caught on. Motorola's analog system, NAMPS, standing for Narrowband Advanced Mobile Service provided 2412 channels, using channels 10 kHz wide instead of 30kHz. [See NAMPS] While voice quality was poor and technical problems abounded, NAMPS died because digital and its inherent capacity gain came along, otherwise, as Mark puts it, "We'd have all gone to NAMPS eventually, poor voice quality or not."[NAMPS2]
I mentioned that a typical cell channel is 30 kilohertz wide compared to the ten kHz allowed an AM radio station. How is it possible, you might ask, that a one to three watt cellular phone call can take up a path that is three times wider than a 50,000 watt broadcast station? Well, power does not necessarily relate to bandwidth. A high powered signal might take up lots of room or a high powered signal might be narrowly focused. A wider channel helps with audio quality. An FM stereo station, for example, uses a 150 kHz channel to provide the best quality sound. A 30 kHz channel for cellular gives you great sound almost automatically, nearly on par with the normal telephone network.
Cellular runs in two blocks from, getting specific now, 824.04 MHz to 893. 97 MHz. In particular, cell phones or mobiles use the frequencies from 824.04 MHz to 848.97 and the base stations operate on 869.04 MHz to 893.97 MHz. These two frequencies in turn make up a channel. 45 MHz separates each transmit and receive frequency within a cell or sector, a part of a cell. That separation keeps them from interfering with each other. Getting confusing? Let's look at the frequencies of a single cell for a single carrier. For this example, let's assume that this is one of 21 cells in an AMPS system:
Cell#1 of 21 in Band A (The nonwireline carrier)
Channel 1 (333) Tx 879.990 Rx 834.990
Channel 2 (312) Tx 879.360 Rx 834.360
Channel 3 (291) Tx 878.730 Rx 833.730
Channel 4 (270) Tx 878.100 Rx 833.100
Channel 5 (249) Tx 877.470 Rx 832.470
Channel 6 (228) Tx 876.840 Rx 831.840
Channel 7 (207) Tx 876.210 Rx 831.210
Channel 8 (186) Tx 875.580 Rx 830.580 etc., etc.,
The number of channels within a cell or within an individual sector of a cell varies greatly, depending on many factors. As Mark van der Hoek writes, "A sector may have as few as 4 or as many as 80 channels. Sometimes more! For a special event like the opening of a new race track, I've put 100 channels in a temporary site. That's called a Cell On Wheels, or COW. Literally a cell site in a truck."
Cellular network planners assign these frequency pairs or channels carefully and in advance. It is exacting work. Adding new channels later to increase capacity is even more difficult. See Adding channels Channel layout is confusing since the ordering is non-intuitive and because there are so many numbers involved. Speaking of numbers, check out the sidebar. Channels 800 to 832 are not labeled as such. Cell channels go up to 799 in AMPS and then stop. Believe it or not, the numbering begins again at 991 and then goes up to 1023. That gives us 832. Why the confusion and the odd numbering? The Bell System originally planned for 1000 channels but was given only 666 by the FCC. When cellular proved popular the FCC was again approached for more channels but granted only an extra 166. By this time the frequency spectrum and channel numbers that should have gone to cellular had been assigned to other radio services. So the numbering picks up at 991 instead of 800. Arggh!
You might wonder why frequencies are offset at all. It's so you can talk and listen at the same time, just like on a regular telephone. Cellular is not like CB radio. Citizen's band uses the same frequency to transmit and receive. What's called "push to talk" since you must depress a microphone key or switch each time you want to talk. Cellular, though, provides full duplex communication. It's more expensive and complicated to do it this way. That's since the mobile unit and the base station both need circuitry to transmit on one frequency while receiving on another. But it's the only way that permits a normal, back and forth, talk when you want to, conversation. Take a look at the animated .gif below to visualize full duplex communication. See how two frequencies, a voice channel, lets you talk and listen at the same time?

Basic Theory and Operation

Cell phone theory is simple. Executing that theory is extremely complicated. Each cell site has a base station with a computerized 800 or 1900 megahertz transceiver and an antenna. This radio equipment provides coverage for an area that's usually two to ten miles in radius. Even smaller cell sites cover tunnels, subways and specific roadways. The area size depends on, among other things, topography, population, and traffic. When you turn on your phone the mobile switch determines what cell will carry the call and assigns a vacant radio channel within that cell to take the conversation. It selects the cell to serve you by measuring signal strength, matching your mobile to the cell that has picked up the strongest signal. Managing handoffs or handovers, that is, moving from cell to cell, is handled in a similar manner. The base station serving your call sends a hand-off request to the mobile switch after your signal drops below a handover threshold. The cell site makes several scans to confirm this and then switches your call to the next cell. You may drive fifty miles, use 8 different cells and never once realize that your call has been transferred. At least, that is the goal. Let's look at some details of this amazing technology, starting with cellular's place in the radio spectrum and how it began.
The FCC allocates frequency space in the United States for commercial and amateur radio services. Some of these assignments may be coordinated with the International Telecommunications Union but many are not. Much debate and discussion over many years placed cellular frequencies in the 800 megahertz band. By comparison, PCS or Personal Communication Services technology, still cellular radio, operates in the 1900 MHz band. The FCC also issues the necessary operating licenses to the different cellular providers.
Although the Bell System had trialed cellular in Chicago, and worldwide deployment of AMPS began shortly thereafter, American commercial cellular development began in earnest only after AT&T's breakup in 1984. The United States government decided to license two carriers in each geographical area. One license went automatically to the local telephone companies, in telecom parlance, the local exchange carriers or LECs. The other went to an individual, a company or a group of investors who met a long list of requirements and who properly petitioned the FCC. And, perhaps most importantly, who won the cellular lottery. Since there were so many qualified applicants, operating licenses were ultimately granted by the luck of a draw, not by a spectrum auction as they are today.
The local telephone companies were called the wireline carriers. The others were the non-wireline carriers. Each company in each area took half the spectrum available. What's called the "A Band" and the "B Band." The nonwireline carriers usually got the A Band and the wireline carriers got the B band. There's no real advantage to having either one. It's important to remember, though, that depending on the technology used, one carrier might provide more connections than a competitor does with the same amount of spectrum.

Cell and Sector Terminology

With cellular radio we use a simple hexagon to represent a complex object: the geographical area covered by cellular radio antennas. These areas are called cells. Using this shape let us picture the cellular idea, because on a map it only approximates the covered area. Why a hexagon and not a circle to represent cells?

When showing a cellular system we want to depict an area totally covered by radio, without any gaps. Any cellular system will have gaps in coverage, but the hexagonal shape lets us more neatly visualize, in theory, how the system is laid out. Notice how the circles below would leave gaps in our layout. Still, why hexagons and not triangles or rhomboids? Read the text below and we'll come to that discussion in just a bit.

Notice the illustration below. The middle circles represent cell sites. This is where the base station radio equipment and their antennas are located. A cell site gives radio coverage to a cell. Do you understand the difference between these two terms? The cell site is a location or a point, the cell is a wide geographical area. Okay?Most cells have been split into sectors or individual areas to make them more efficient and to let them to carry more calls. Antennas transmit inward to each cell. That's very important to remember. They cover a portion or a sector of each cell, not the whole thing. Antennas from other cell sites cover the other portions. The covered area, if you look closely, resembles a sort of rhomboid, as you'll see in the diagram after this one. The cell site equipment provides each sector with its own set of channels. In this example, just below , the cell site transmits and receives on three different sets of channels, one for each part or sector of the three cells it covers.

Is this discussion clear or still muddy? if you understand cells and sectors or come back if you get hung up on the terms at some later point. For most of us, let's go through this again, this time from another point of view. Mark provides the diagram and makes some key points here:
"Most people see the cell as the blue hexagon, being defined by the tower in the center, with the antennae pointing in the directions indicated by the arrows. In reality, the cell is the red hexagon, with the towers at the corners, as you depict it above and I illustrate it below. The confusion comes from not realizing that a cell is a geographic area, not a point. We use the terms 'cell' (the coverage area) and 'cell site' (the base station location) interchangeably, but they are not the same thing.

Mark goes on to talk about cells and sectors and the kind of antennas needed: "These days most cells are divided into sectors. Typically three but you might see just two or rarely six. Six sectored sites have been touted as a Great Thing by manufacturers such as Hughes and Motorola who want to sell you more equipment. In practice six sectors sites have been more trouble than they're worth. So, typically, you have three antenna per sector or 'face'. You'll have one antenna for the voice transmit channel, one antenna for the set up or control channel, and two antennas to receive. Or you may duplex one of the transmits onto a receive. By sectorising you gain better control of interference issues. That is, you're transmitting in one direction instead of broadcasting all around, like with an omnidirectional antenna, so you can tighten up your frequency re-use"

"This is a large point of confusion with, I think, most RF or radio frequency engineers, so you'll see it written about incorrectly. While at AirTouch, I had the good fortune to work for a few months with a consultant who was retired from Bell Labs. He was one of the engineers who worked on cellular in the 60s and 70s. We had a few discussions on this at AirTouch, and many of the engineers still didn't get it. And, of course, I had access to Dr. Lee frequently during my years there. It doesn't get much more authoritative than the guys who developed the stuff!"
Jim Harless, a regular contributor, recently checked in regarding six sector cells. He agrees with Mark about the early days, that six sector cells in AMPS did not work out. He notes that "At Metawave (link now dead) I've been actively involved in converting some busy CDMA cells to 6-sector using our smart antenna platform. Although our technology is vendor specific, you can't use it with all equipment, it actually works quite well, regardless of the added number of pilots and increase in soft handoffs. In short, six sector simply allows carriers to populate the cell with more channel elements. Also, they are looking for improved cell performance, which we have been able to provide. By the way, I think the reason early CDMA papers had inflated capacity numbers were because they had six sector cells in mind."
Mark says "I don't recall any discussion of anything like that. But Qualcomm knew next to nothing about a commercial mobile radio environment. They had been strictly military contractors. So they had a lot to learn, and I think they made some bad assumptions early on. I think they just underestimated the noise levels that would exist in the real world. I do know for sure that the 'other carrier jammer' problem caught them completely by surprise. That's what we encountered when mobiles would drive next to a competitors site and get knocked off the air. They had to re-design the phone.
Now, what about those hexagon shaped cell sites?Mark van der Hoek says the answer has to do with frequency planning and vehicle traffic. "After much experimenting and calculating, the Bell team came up with the solution that the honeybee has known about all along -- the hex system. Using 3 sectored sites, major roads could be served by one dominant sector, and a frequency re-use pattern of 7 could be applied that would allow the most efficient re-use of the available channels."