
[SOLVED] RF Emission from Piezoelectric Buzzer

That's so weird. At 683 kHz when I move the mouse on the table I can almost hear it on the Icom.
 

So I have more interesting information.

As I said earlier the bugged phones have the polarity on the piezo ringer connected correctly.
The second thing I now noticed is that the offices with the bugged phones all have the wire connectors (pics I posted earlier) nearby. They are coincidentally placed in the paneling directly across the phone.

I now suspect those wires are acting as a receiving antenna.

Can someone give me an educated guess as to what frequency ranges could be best suited for that kind of antenna?

I'm going to measure the voltages on the ringer circuit again.
 

The interference is just noise conducted down the wiring, it's quite normal. You would see the same effect if you placed any long wires close to the IC-R20. As the wires probably run close to sources of interference they are probably conducting more of it to the vicinity of your receiver. Try holding the receiver close to mains cables, especially near computers or monitors and you will hear the same thing.

The real question you should ask is, "is there someone else with an IC-R20, closer than me" who might detect an even weaker signal?

If it was bugged, the chances of someone using 151KHz is extremely remote, it would need a huge antenna to be efficient. The probability would be they would use a frequency in the range 150MHz to about 500MHz where a 'reasonably' efficient antenna could be made small enough to hide but the environment wouldn't absorb too much of the transmission. You can scan up to 3.3GHz with that receiver, it's inconceivable someone would use something even higher in frequency. I still think the chances of it being bugged are almost zero and you should look elsewhere.

Brian.
 
I'm using an oscilloscope to measure the voltages on the ringer circuit. And I'm trying to verify this with a simple multimeter.

The multimeter indicates zero voltage at one point but the scope says 30 V.
Should I be using a differential probe with the scope?
 

A POTS phone like yours is powered from the incoming line but unlike a 'normal' power supply with a 0V side and a powered side, both wires carry voltage. At the switch equipment end (PABX switchboard or Telco if you have a direct line) there is a nominal 50V DC supply but the chain of current flow is through some circuitry there, down the phone line, through your phone, back up the line and then some more circuitry before reaching the other side of the supply. Because of this, both the phone line wires are above ground potential. You may have two additional wires to the phone, one will be the 'anti-tinkle' line which is to prevent other phones on the same line ringing or 'tinkling' if you use pulse dialling (rare these days) and the other wire a ground line. The ground line if you have one is to deliberately unbalance the lines and create an "Earth loop recall" condition which some PABX detect to alert the operator you want to contact them. On most modern phones the extra two wires are no longer present.

When you connect a voltmeter it measures the voltage between the probes, there is no connection to anything else. When you use the oscilloscope you almost certainly have the ground clip connected via the 'scope body directly to mains Earth so when you connect it you short out one side of the phone line. This is why you see different readings. The way to measure it without an Earth connection is to use two scope probes, set them both to "x10" to prevent damage from the high voltage, leave the ground clips disconnected (make sure they can't dangle and touch anything) then invert one of the scope channels and add it to the other. Your 'scope almost certainly has an invert on at least one channel and you should have an option to add the signals together. This gives you an isolated differential measurement.

You probably won't see much voltage on the ringer unless an incoming call is made. The power for the ringer is AC and comes through the red capacitor, on an idle line or when the phone is 'off hook' there is very little signal on the line, it will be DC with a degree of interference on it. When the phone rings it is because a high AC voltage has been superimposed on the line. The red capacitor blocks (holds back) the DC but lets the AC through where it can be rectified and used as the supply for the ringer IC (the UT31002A). So unless the ringing voltage is present on the line the ringer IC will not have any power source, it cannot do anything useful at all.

If you want to confirm this, use the voltmeter to measure its supply line, the places to measure between are '+' on pin 1 and '-' on pin 5. The IC needs more than 17V to start working. Its output to the piezo is on pin 8 (with its ground side on pin 5) and when ringing should be a mix of two tones, one high pitched one and a lower pitched one to make it warble. You will need the oscilloscope to see these signals.

Brian.
 

There is NO WAY I will pay the telephone company for DTMF so I joined a few other people in a class action law suit to prevent the Telco from demanding that we switch to DTMF and pay the fee for it each month, and we won. So I still have pulse dialling. I pulse dial my bank then flip a switch on my phone to DTMF to do my banking. None of my other phones "tinkle" when I dial with pulses.

The ringing signal here is 90VAC/20Hz which makes your hand vibrate like crazy when you hold the telephone wires when it rings. Try it (but do not hold a wire in each hand or the jolt might shock your heart).
 

Audioguru, the tinkle problem went away years ago when electronic ringers became the norm. As well as the DC blocking capacitor there is usually a diac or back-to-back Zeners in series with the ringing voltage to improve noise immunity. The old style phones with a real mechanical bell in them used to shake on the rising and falling edges of loop disconnect pulses and it sometimes shook enough for the bell dome to be hit and 'tinkle'. The extra wire, when used was to mute other bells sharing the same line, essentially it applied damping to the bell coils to stop them dancing. Some countries still have it in their telephone specifications but I doubt anyone has seen the problem in a decade or more.

Brian.
 

The nice off-topic chat about good old telephone technology reveals the helplessness regarding the original thread topic, I presume. I can hardly imagine that the discussion gives any new insights.

B.t.w., there have been discussions about eavesdropping in good old days too. I remember that a guy who was a bit affine to conspiracy theories asked me to check, if an offender could utilize the carbon mike for on-hook eavesdropping by feeding RF power to the telephone line, bypassing the hook-switch with the spark suppression capacitor. You know that carbon mikes have been used as AM modulator in the early broadcasting experiments. My result was, it's theoretically possible, but you must tap the telephone line quite near due to its strong RF attenuation.
 
My phones dial pulses and DTMF. I haven't seen a 500 series phone with a rotary dial, mechanical bell and carbon granules mic for ages.

This thread about eavesdropping reminds me about when my government allowed other companies to compete with Bell and sell other brands of phones, then the audio systems company I worked for began to sell telephone systems.
Some of the phone systems had wireless boardroom conference microphones and I set up and programmed some huge systems in very lavish boardrooms. Some of the systems had full duplex sound (transmit and receive at the same time instead of voice switching) using modern echo cancelling ICs.

A new bank head office bought a boardroom telephone conference system with wireless mics but were worried about competing banks eavesdropping so wanted encryption for their transmissions. I designed and built a single sideband suppressed carrier system that made voice frequencies backwards then voices were completely unintelligible when heard on a normal radio. My decoder circuit used similar parts and its audio output sounded exactly like the input to the encoder. The new bank soon closed forever because they were cheating their customers and talked about it in their conferences. Eavesdropping didn't catch them, instead their cheated customers caught them cheating.
 

.... by feeding RF power to the telephone line, bypassing the hook-switch with the spark suppression capacitor......... My result was, it's theoretically possible, but you must tap the telephone line quite near due to its strong RF attenuation.

In my instance, is it possible that RF is transmitted down the telephone line and finds its way to the ringer where it's modulated by room audio?
I suspected this early on but thought it would never get past the capacitor.
 

Theoretically yes. Other than with the ancient carbon mike which can modulate RF on its own, the attack would depend on a counterfeit ringer IC and a considerable RF level, sufficient to power a transmitter after being rectified.

The attack could be detected either by the RF or the DC voltage at the ringer IC (see e.g. posts #31, #33, #75, #85).
 
In my instance, is it possible that RF is transmitted down the telephone line and finds its way to the ringer where it's modulated by room audio?
I suspected this early on but thought it would never get past the capacitor.

Perhaps if return loss is high, but then all you would hear is the buzzer modulating the RF only during this modulation limited by the audio bandwidth and any chance of nulling out this buzz to discriminate background audio more than 40 dB DOWN would be somewhere between slim and none even with a 60dB SNR line.
 
Let's **assume** that a carrier wave is generated in the ringer circuit.

I learned from researching the Great Seal Bug (GSB) that the carrier was modulated to an AM signal that was transmitted at approximately 1800 MHz. (The incident wave was approximately 300 MHz.) No circuitry was present for the GSB; it was entirely passive.

Should I then assume that the output on my ringer would be AM only?
Or is it possible for my ringer to generate FM or WFM?

Given the configuration of my ringer circuit, I'm looking for an educated guess to the type of modulation the transmitted signal could potentially be.
 

It could be worse than FM or WFM. It can be COFDM with 256-QAM. When this happens, oh la la ...
 

** assuming ** the carrier was generated by the ringer, the signal it produced would be decided by the transmitter circuit.

The Great Seal Bug was AM, the principle relies on there being a resonant cavity or antenna in the passive radiator (the GSB in this case). Like all antennas, it both receives and radiates signal, the idea there was to make it receive the transmission from a source elsewhere and modulate it with vibrations picked up locally (the eavesdropping sounds) then use a receiver nearby to pick up the re-radiated signal. It wasn't powered by the incoming signal and it generated no signal of its own, it just modulated the signal bouncing off it. You might think of it as a light shone through a window on to a mirror then reflected out again to a target. As the mirror surface vibrated, the reflected light would shift off target and the amount and speed of deviation could be used to recover whatever caused the vibration.

You should note that to do this requires some very specialized equipment and a line-of-sight path between the signal source and the reflector and a similar but different line of sight between the reflector and the receiver. Both require sizeable parabolic dishes. At 1800MHz the resonating element would be ~16.6cm long (about 6.5 inches) but in the case of your piezo disc cavity the frequency would have to be much higher, at least 12GHz and probably at least twice that. At those frequencies almost everything absorbs the signal, both incoming and outgoing so the transmitter power would be very significant and large dishes would be needed to focus the beam. As I have stated before, if you can't see two large dishes pointing directly at the phone, with nothing obstructing the line between them and the phone, this method is not being used. At the levels of power needed it is also quite likely you would notice physiological effects as well, tingling skin, serious headaches, blurred vision and probably heated body tissues as well if you passed through the beam. Additionally, the induced voltages would almost certainly stop the phone working normally.

Incidentally, the light beam analogy was one of the methods used by spies. Again geometry played its part but shooting an IR beam (not visible) at a window and looking at the reflection would make the window glass work like a giant microphone!

Don't even think of QPSK, QAM, OFDM or other exotic transmission modulation techniques :roll:

Brian.
 
I've hooked up my IC-R20 receiver to the PC using the Ham Radio Deluxe (HRD) software.

There's a list of commonly used bug frequencies here:
http://tscm.com/TSCM101bugfreq.html

There are 3099 frequencies on that list. I'd like to copy and paste the entire list into HRD but I cannot find this feature anywhere. Manually entering the frequency will be strenuous.

Are any of you familiar with HRD?

- - - Updated - - -

It could be worse than FM or WFM. It can be COFDM with 256-QAM. When this happens, oh la la ...

I doubt if this is possible with the circuitry on the ringer.
 

I have a copy of HRD but I don't think it will help you. A bug, if one exists, is a signal source in its own right so whoever designed it could use any frequency or kind of modulation they wanted. Most of HRD's abilities are for decoding different 'data over audio' schemes but in the case of live monitoring of speech it would not be reasonably possible to use any of them. You can use it to remote control the IC-R20 if you have a suitable interface cable but stepping through 3099 frequencies that might be in use would be stabbing in the dark to say the least.

If you really want to track down a bugged telephone, make an antenna by wrapping a wire around the phone. Connect one end to the inner of a screened cable (co-ax), the other end to the shield of the cable then plug the cable into the receiver antenna connector. Then wrap the entire telephone in metal foil and also join it to the cable shield, this will ensure any signal from inside the phone is captured on the antenna but everything outside is excluded. Set the receiver to scan the widest frequency range possible. If there is a signal it will be very strong and obvious against the background noise.

You might still pick up a few strong local stations that manage to penetrate the foil but they will be many times weaker than one coming from inside the phone. You might pick up a weak signal around 3.579MHz, if you do, it is quite normal and would come from the oscillator in the DTMF dialler circuit. In most phones the oscillator is shut off until a key is pressed anyway.

Brian.
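
The comparison behind the foil-wrap test described in the post above, as an added example that is not part of the thread: a signal from inside the phone gets stronger once the pickup wire and phone are enclosed, while outside stations get weaker. It assumes level readings per frequency step can be noted from the receiver; the thresholds, the tolerance and the sample sweeps are constructed for illustration.

```python
from statistics import median

DTMF_OSC_HZ = 3_579_000   # dialler oscillator frequency quoted in the post
DTMF_TOL_HZ = 5_000       # assumed tuning tolerance

def classify_sweeps(ambient, shielded, rise_db=15.0, above_floor_db=10.0):
    """Compare two sweeps given as {frequency_hz: level_dbm}.

    ambient:  normal antenna, phone not enclosed.
    shielded: pickup wire round the phone, both wrapped in grounded foil.
    Returns (freq_hz, delta_db, verdict) for every step that stands out
    of the shielded sweep's noise floor.
    """
    if set(ambient) != set(shielded):
        raise ValueError("both sweeps must cover the same frequency steps")
    floor = median(shielded.values())     # most steps hold only noise
    findings = []
    for freq in sorted(shielded):
        level = shielded[freq]
        if level - floor < above_floor_db:
            continue                      # nothing above the noise here
        delta = level - ambient[freq]     # change caused by enclosing the phone
        if abs(freq - DTMF_OSC_HZ) <= DTMF_TOL_HZ:
            verdict = "expected: DTMF oscillator"
        elif delta >= rise_db:
            verdict = "investigate: stronger inside the foil"
        else:
            verdict = "external: station leaking through the foil"
        findings.append((freq, delta, verdict))
    return findings

# Constructed sample sweeps in dBm, not measurements from the thread.
AMBIENT = {150_000: -100, 909_000: -50, 3_579_000: -101, 27_000_000: -99,
           98_100_000: -45, 151_300_000: -100, 433_920_000: -98,
           900_000_000: -70, 1_800_000_000: -100}
SHIELDED = {150_000: -102, 909_000: -82, 3_579_000: -85, 27_000_000: -101,
            98_100_000: -80, 151_300_000: -103, 433_920_000: -60,
            900_000_000: -102, 1_800_000_000: -101}

if __name__ == "__main__":
    for freq, delta, verdict in classify_sweeps(AMBIENT, SHIELDED):
        print(f"{freq / 1e6:10.3f} MHz  {delta:+6.1f} dB  {verdict}")
```
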
 
If you really want to track down a bugged telephone, make an antenna by wrapping a wire around the phone. Connect one end to the inner of a screened cable (co-ax), the other end to the shield of the cable then plug the cable into the receiver antenna connector. Then wrap the entire telephone in metal foil and also join it to the cable shield, this will ensure any signal from inside the phone is captured on the antenna but everything outside is excluded. Set the receiver to scan the widest frequency range possible. If there is a signal it will be very strong and obvious against the background noise.

Awesome! That's a great idea.
Why don't I just stick the current antenna underneath the foil? That will save me the trouble of making a wire antenna.

When you say foil, can I use ordinary baking foil?
 

That's exactly what I was thinking of. The only drawback to using the 'rubber duck' antenna is it will be difficult to bury completely, the body of the radio works as a counterpoise to the antenna and presumably you don't want to entomb that as well! You will not achieve as much isolation if the radio isn't covered so more background signals will still get through but in relative terms, any signal, even a very weak one from inside the phone will be many times stronger than one from a station a long distance away.

Brian.
 

The R20 has a built-in bar antenna for AM reception.
Is this antenna effective over the entire range of 150 kHz to 3.3 GHz?
Or only a limited range e.g. 150 kHz to 5 MHz?

It seems to provide the same quality of reception as the external antenna although at lower frequencies the bar antenna has better reception.
 
