Fun With Cordless Phones!
Most of us, who were truly interested in radio communications as a hobby, also had related radio interests which extended beyond just simple talking on the CB band. Many were SWL's or avid scanner listeners and would often monitor the comings and goings of the public service band, or the international shortwave bands. Some were so serious in their public service monitoring, that a few actually chased fire calls just to witness the act of dousing a fire. One person, in particular, fell under some suspicion when he would almost always beat the fire company to the fires. Back in the early days, scanner receivers usually operated on 2 or 3 bands, had between 4 and 16 channels, and were crystal controlled. You pretty much picked those frequencies which were popular in your area, and stuck with them. But when programmable scanners came on the scene in the late 70's, a whole new avenue of radio exploration opened up. The first generation of programmable scanners though, were little better than crystal scanners, as they used either combs, optical cards, or a serially entered binary code to program the channels (And you were dead in the water if you lost the code book). When it was all said and done, you were still left with "fixed" channels. But when programmable scanners started incorporating direct keyboard entry, digital frequency readouts, along with frequency search options, many of us started looking closely through the bands for interesting, off-the-beaten-path activity, other than the usual police, fire, or ambulance dispatch. Often you would run across businesses, such as taxi cabs, oil deliveries, and railroads. But one of the most interesting group of frequencies, were those occupied by the early cordless phones. In the early 80's, the cordless phone frequencies were assigned to the upper end of the low public service band (30-50 Mhz). In fact, they plopped their frequencies right on top of the FCC's recently created 49 Mhz low power, no license band, pretty much obliterating any further hope for its use as a QRP hobby user's band, which had been seeing some activity and grass roots support from experimenters up until then. But as much trouble as they caused for us radio experimenters, those cordless phones did hold a bit of voyeuristic curiosity. It seemed that the people who used them were seemingly oblivious to the fact that they were actually transmitting over the air, and had no idea they could be monitored. Consequently, some pretty "interesting" conversations were regularly overheard. Long term listening often opened up a very revealing window into the deeply personal lives of your neighbors. Adultery, sex talk, drug deals, and women who felt that the emotional weight of the world was somehow balanced, ever so precariously, on the top of their shoulders. It was enough to likely pique the interest of those who study human interaction for a living. Soap opera's were nothing compared to the seedy lives of some of these people. Some of the things you heard, you would later wish you didn't know, especially that which related to the people you were friendly with. And you couldn't look at them quite the same way once you knew some of those deep dark secrets. I guess it's true when they say; "Some things are better left unknown."
But all that voyeuristic satisfaction came with one little problem. When listening to 49 Mhz, you usually could hear only one side of the conversation. Since phone transmissions are full duplex (Both sides transmit and receive simultaneously), there are two frequencies required. Well, as it turned out, the "other" side of the cordless conversations on those early phones, were carried just beyond the upper end of the A.M. broadcast band, around 1.7 Mhz. A good broadcast receiver could usually be made to tune far enough to pick them up. Another solution was a general coverage receiver (Like what was included in my Yaesu FT-757). Since the transmissions were FM modulated, you either had to have a receiver capable of FM, or you had to slope detect it. The good news was that you could usually hear both sides of the conversation when tuned to the phone's base frequency on 1.7 Mhz. Due to the characteristics of long wave signals, the 1.7 Mhz signals often carried much farther than the corresponding 49 Mhz signal. It was interesting trying to figure out where many of the voices were coming from, especially those which did not have a match on 49 Mhz. With a good external antenna on a VHF scanner, you could usually receive a 49 Mhz signal about 2 or 3 suburban blocks. So it would seem that those 1.7 Mhz signals had to be even further away.
As much fun and technically challenging as those initial phone conversations were to receive, after a while, simply listening to the conversations became boring. Some of the people's conversations were either so lame, or what they said just begged to be lampooned or heckled, that I started to wish that I could throw in a comment out of nowhere and freak them out. So my ever mischievous mind began to ponder how to rectify this situation.
At that time, my stable of 2-way radios included a Lafayette HA-750 6 meter AM mobile transceiver. This radio looked a lot like the HB-525/625 series of CB radio, but in place of the channel selector, there was a tunable VFO dial that went from 50 to 52 Mhz. Power output was about 4 or 5 watts. It was not a difficult job to align this radio to tune down to the upper end of 49 Mhz. In fact I had used this radio on the 49 Mhz experimenter's band, when it first opened up and we were trying to determine usable range. So I dug it out once again to see how I could use it with the cordless phones. Initially, I would try to override the phone's signal in order to throw in a comment. But I found out instead that all I would do is cause the cordless phone to "hang up" when I keyed the transmitter of my radio. The stronger signal of my transmitter would "block" out the cordless phone's transmitter (and the access tone) which caused the phone to hang up. I also found that I could blindly key on any of the 49 Mhz phone channels, even if I didn't hear someone there, and verify on 1.7 Mhz, that the line suddenly dropped. It would seem that my range was fairly wide. At least more so than the few block radius that I could receive on. This ended up being fun for a little while. I would tune to a particularly heated or intense conversation, and I'd momentarily hit the mike and hang up the line. Then one of the persons would immediately call back the other and accuse them of hanging up on them. Then while the explanations wore on, I'd do it again. Eventually they would realize that the problem was in the phone. It was especially fun when people were entering long strings of numbers like calling cards or credit cards. They would just finish the long string, and *click* (Damn I was brutal then!). That was fun, but I still wanted to be able to make comments, and that led to the next "Frankenradio" project.
As my mischievous and curious side continued to relentlessly push me further down the path toward electronic psychological head games, I picked up a second hand cordless phone at a hamfest and started to experiment with it. I learned some interesting things to do with the phone after a little experimentation. The early cordless phones had no security codes. A simple constant tone (Something like 10 Khz or so) was all it took to bring up the base unit and the phone line. Driving around with a handset, one could find a number of "open" stations. Want to make a phone call? There was nothing to stop you. But the usable range was poor. Usually you had to be right in front of someone's house to accomplish this feat. At least, with simply the handset.........
I had already found that I could not use my HA-750 to throw in comments, as it didn't have the proper access tone. Plus it was also AM modulated, and cordless phones were FM. I began to think how I could modify the radio to accommodate both of those issues. FM'ing a VFO was not an easy or stable project (especially without a schematic handy). Issues with pre-emphasis and deviation bandwidth limiting pretty much discouraged me. I was about to throw in the towel, when a hairbrained idea occurred to me. What if I took the low level RF output from my cordless phone handset, and piped it into the HA-750 to amplify the R.F.? Essentially, that would amount to using the radio as an amplifier only. All of the other necessary stuff was already in the phone. So I tapped the phone's R.F. output stage, and ran a length of RG-174 coax cable into the HA-750, and connected it to the transmit buffer stage. With very little tweaking, I managed to get full power output. I rewired the crystal/VFO switch on the radio so that I could use the radio normally, or as a "Super Phone", simply by turning the knob.
Now things were starting to get interesting. I could key "Super Phone" and bring up a host of phone lines that I could verify with my 1.7 Mhz receiver. At times there were several heard at once. Even if I couldn't hear any return on 1.7, simply blind dialing my own phone number would usually result in my phone ringing. It would seem that with my 5 watt signal and 3 element beam, I could bring up phones a mile or so away. I made a few phone calls with this setup just to see how it worked. My audio quality was surprisingly good, and people couldn't tell that I was using a phone other than my own, to accomplish this feat. It was a bit awkward having to talk into the phone, while listening to the Yaesu for the receive. But it did work.
Now for some fun! Since I knew that my setup could bring up phones, I figured it should allow me to throw out comments as well. So I waited until I found a particularly pathetic conversation one night. Two young ladies were talking about their love lives. One was going on at length about the "signals" her latest boyfriend put out, and how she was trying desperately to read them. Her main point of contention seemed to be that he would tell her one thing, but she sensed another (Guys, women really do this stuff. To them, a simple statement isn't taken the way you intended. It is completely broken down and analyzed. How you say things, and your body language used when saying it, means more to them than what you actually say) and, as usual, strongly felt there there was "another woman" in his life. She was further lamenting whether she should give in to his overt "suggestions" of having sex. After the two had a lengthy estrogen infused emotional evaluation of the situation, I keyed "Super Phone" and said "Oh for crying out loud, just "f*ck the guy!". There was total silence for a second or two, and I thought initially that I had hung up the line. But the signal was still there on the Yaesu's "S" meter. After what seemed like a prolonged period of silence, one of the women finally said; "Oh my god!". The other said; "Did you hear that?", "Who was that?". And the conversation continued from there for about a minute longer, while two audibly shaken women became strickened with overwhelming paranoia. They then quickly hung up, thoroughly convinced that someone (the boyfriend?) was tapping their line (But neither could figure out who's line). There were other similar incidents. One thing that I quickly learned was that most people really don't know how to handle the shock of a unexpected (and unwelcome) third party cutting in on their "private" two-way conversation. I must admit, I did have the most fun with women though. Men would usually just say something like: "Get off the line mother f*cker". Women, on the other hand, would get all freaked out when they found out that their perceived cone of intimate "chick bonding" privacy, was shattered. They always assumed the worst (They definitely watch too much TV), and adopted "stalker paranoia". But instead of just hanging up, they would continue to talk about it as if I wasn't still listening (and gathering more psychological ammo). It made me wish that cordless phones had been around when I was a few years younger during my high school dating scene. I could've gotten a good head's up on what my girlfriends were thinking.
Playing head games like this was fun for a while, but like many of my other bizarre technical projects, I eventually grew bored with it, and I tore the rig down. At this point, 25+ years later, I'd also like to take the time to reflect and ponder "What the hell was I thinking?" back then. I'm sure there could have been some crime that I could have been charged with had I been caught (Which was not very likely). But that thought never occurred to me at the time. In my mind, I was simply having a little harmless (to me anyway) fun. But these types of pranks always seem to happen when new technologies first get adopted by the general public, and suitable laws and protections are not yet in place. Techies always find and exploit loopholes and weaknesses to their advantage. Young hackers do the same thing today with computers. They're not trying to be malicious in most cases. They're just bored and looking for a little harmless fun on the side. Most don't realize that this type of "fun" can be very disconcerting to those who are the "victims" of such pranks.
Eventually cordless phones evolved and moved the base frequency from 1.7 Mhz to 46 Mhz. They also started using digital access codes to prevent unauthorized users (like what I used to do) from bringing up their line. But they could still be listened to. By the 90's the 46/49 Mhz phones were replaced by 900 Mhz phones. Some phones incorporated a form of scrambling. It was not very effective as it could be unscrambled by an SSB receiver. The latest generation of phones have moved to 2.4 and 5.8 Ghz. They are hard to intercept simply because those frequency ranges are not normally included in most monitors and scanners. Even further security has been accomplished by digital transmissions and spread spectrum techniques. It would seem that the loopholes are finally being closed....... Took them long enough.