AMPS Cellular System Call Monitor


Utilize an old, analog AMPS Motorola bag-style cellular phone to monitor cellular phone conversations and also track the hand-off datastream.  This will allow you to track and listen to a person's cellular phone call even as it is passed off to different cells.

Example

A known Communist is running for U.S. President.  At his press conference, he picks up a cellular phone to call his advisor about changing the official language of the U.S. to Arabic.  You scan the 825 to 850 MHz frequency range with your modified Radio Shack scanner trying to intercept the cellular uplink frequency.  You find it.  It's 830.01 MHz.  You quickly run over to your AMPS Cellular System Call Monitor and do the following:

  1. Press [PWR]

  2. Wait for boot up.  Verify the phone is in test mode.  It will flash data that looks something like this:
     322 082
     0012110
     
  3. Press [#]
  4. Wait for the U5  ' prompt.
  5. Enter [0] [8] [#].  This turns the receiver audio on.  Static (or buzzing-data) should be heard from the handset's speaker.
  6. Enter [1] [1] [0] [1] [6] [7] [#].  This sets the receiver to monitor the downlink frequency of 875.01 MHz (830.01 + 45 MHz).  The 0167 is the Motorola test mode channel number.
  7. You should now be hearing both sides of the commie's cellular phone conversation.
  8. Quickly enter [4] [0] [#].  The phone will sit there and display '40' during the conversation.
  9. When the phone hands off to another cell, there will be a quick buzzing sound and then the call will drop.  By entering the [4] [0] [#] command you can monitor the forward voice control channel (FOVC).
  10. During this example hand-off, the phone displayed 9084EA5 after the hand-off.  Some of the data scrolls off the screen, but this is not important.
  11. If the call is still there after some FOVC data is displayed, it was only the cell tower controlling the cell phone's uplink output power.  Press [#] to clear the data and quickly re-enter [4] [0] [#].
  12. The seven displayed hexadecimal digits are in the following format: xXXXxxx.  The x's are junk digits you can ignore and the X's are the new channel - in this example channel 084.
  13. Convert the hexadecimal number 084 to decimal number 132.
  14. Enter [1] [1] [0] [1] [3] [2] [#] to select the new channel.  You should again hear the conversation.
  15. Quickly re-enter [4] [0] [#] to again monitor the FOVC data stream.
  16. Keep repeating these steps throughout the conversation.
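
The decoding in steps 12 and 13 and the 45 MHz offset from step 6, as an added example (not the C code or Perl script linked under Notes). The channel plan it assumes (30 kHz spacing above 825.000 MHz, channels 1-799 plus extended channels 991-1023) is the standard AMPS plan and is not stated on this page; the function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode the seven-digit display (format xXXXxxx) into a decimal channel.
 * Returns -1 unless the text is seven hex digits naming a channel in the
 * AMPS plan (1-799 or 991-1023; plan limits are an assumption, see lead-in). */
int fovc_to_channel(const char *display)
{
    char field[4] = {0};
    long chan;
    if (display == NULL || strlen(display) != 7)
        return -1;
    for (size_t i = 0; i < 7; i++)
        if (!isxdigit((unsigned char)display[i]))
            return -1;
    memcpy(field, display + 1, 3);      /* digits 2-4 carry the channel */
    chan = strtol(field, NULL, 16);
    if ((chan >= 1 && chan <= 799) || (chan >= 991 && chan <= 1023))
        return (int)chan;
    return -1;
}

/* Mobile transmit (uplink) frequency in kHz, or -1 for a bad channel. */
long uplink_khz(int chan)
{
    if (chan >= 1 && chan <= 799)
        return 825000L + 30L * chan;
    if (chan >= 991 && chan <= 1023)
        return 825000L + 30L * (chan - 1023);
    return -1;
}

/* Cell-site transmit (downlink) frequency in kHz: uplink + 45 MHz. */
long downlink_khz(int chan)
{
    long up = uplink_khz(chan);
    return up < 0 ? -1 : up + 45000L;
}

int main(void)
{
    int chan = fovc_to_channel("9084EA5");   /* display value from step 10 */
    if (chan < 0)
        return 1;
    printf("channel %04d: uplink %ld kHz, downlink %ld kHz\n", chan, uplink_khz(chan), downlink_khz(chan));
    return 0;
}
```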

Notes

Mike Larsen's Motorola Bible v3.0: Includes all the Motorola test mode commands you'll need, including changing the received audio level and the audio path.

Motorola Cellular Frequencies to Test Mode Channel Number

Cellular Phone TX/RX Frequency, Channel Number Manager & FOVC Code to Channel Number Converter (Perl script)

C Code for Converting Motorola FOVC Test Code into Channels

