Hacking the GSM codecs to pass FSK data through
an experiment by sv3ora

This experiment was completed by me on 12 November 2019. I did this experiment without any searching on the web or any know-how of the networks. It was all try and see...


For my CB2 micro, I wanted to investigate the possibility of making a modem that would make it possible for two such micros to communicate through the users' mobile phones. In the beginning I thought this would be straightforward. However, after forum discussions I realized that the GSM codecs use aggressive schemes, optimized only for human voice, which would make baseband FSK audio data impossible to pass through.

To test this in practice, I set up a PC with MixW and set it for packet radio. The MixW modem allows the standard rates and mark/space frequencies, but it also allows defining custom rates and mark/space frequencies. So I could play around with these settings and connect the audio from the hands-free jack of a smartphone to the PC. The other party is a landline for the time being, testing initially if any tones will be heard or not.
I believe that if it works for me, it will work in every country, since I guess the cellphone networks are compatible (e.g. if I visit another country, roaming works).

Initial questions for Bell 202 (1200 baud half duplex) are:

Can you pass a single continuous tone of 1200Hz through GSM?
Can you pass a single continuous tone of 2200Hz through GSM?
Can you pass alternatively switched 1200/2200 tones in low speed through GSM?
Can you switch these tones more frequently and how much more?

I am not limited to Bell 202, but let's start from somewhere.


First results

I did an initial test. I connected a smart phone from its hands-free port to the PC mic and phones. Then I called the smart phone from a land line at home.

It could not even send 110 baud through. It started sending them ok but after 1-3 seconds they were suppressed. Continuously changing the AF volume of the sender PC to 0% and then back to a certain percentage, tricked the codec somehow to restart the ceased transmission tones.

Sending just low-rate pulses of a single tone (like Morse code) passed OK.
But not FSK at 110, 300 or 1200 baud; they all seemed to have the problem I mentioned: after a few seconds the FSK audio was cut off by the codecs.
Also, when I was sending the above pulses and tried at the same time to send FSK, again everything ceased on the channel and nothing was heard at the other end, even though my sound card was outputting tones.
I have also tried SSTV and the result was that the audio ceased after a while, but after more time compared to the FSK case.


Final results

Now, I did not know if the previous test failure was due to the mobile phone codecs or the landline phone codecs. So this time I tried it with just two mobile phones.
I connected a smart phone from its hands-free port to the PC mic and phones. Then I called another mobile phone placed at my ear to see if I could hear the tones. I tested the above scenarios and the results were the same.

I had to do something to trick the GSM codecs to "think" that ordinary voice is present on the channel and not FSK data, which would be compressed. Finally I managed to do it by passing on the channel, along with the FSK data tones, DTMF tones! In fact only one continuous DTMF tone is needed along with the FSK data, which makes the generator hardware pretty easy, just two oscillators! This tricks the GSM codecs to think that voice or just DTMF tones are passing through, whereas FSK tones are passed too. In other words FSK data is not compressed any more.

I have tested it with the DTMF number 2, but there are other more suitable tones which are farther apart from the 1200Hz/2200Hz of the FSK, so that filtering can become easier later on. To test this yourself, I have created a zip file which contains two audio wav recordings. One of them is random FSK data at 1200 baud following the Bell 202 tone protocol. The other is a single continuous DTMF tone, the number 2. Set up your audio player so it can open multiple instances and play these files at the same time, at about the same audio volume. If you do not have an audio jack connection from your phone to the PC, you could try acoustically coupling the phone to the PC, although I have not tested this. If you can hear the FSK data uninterrupted on the other phone, then it works for you. Note that I have deliberately introduced a few short pauses in the original FSK audio data, as an indication of which part is played, without looking at the screen.
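The same test signal can be synthesized as one file instead of playing two recordings at once. This is an added example, not the author's recordings or code; the 8 kHz sample rate, function names, output filename and random seed are assumptions, and the frequencies are the standard Bell 202 pair (1200/2200 Hz) and DTMF "2" (697 + 1336 Hz). A Goertzel check confirms the DTMF pair is present in the mix.

```python
import math, random, struct, wave

RATE = 8000                    # telephone-band sample rate (assumption)
BAUD = 1200                    # Bell 202 symbol rate
MARK, SPACE = 1200.0, 2200.0   # Bell 202: bit 1 = 1200 Hz, bit 0 = 2200 Hz
DTMF_2 = (697.0, 1336.0)       # DTMF "2": row 697 Hz + column 1336 Hz

def bell202_fsk(bits, rate=RATE):
    """Continuous-phase FSK; bit edges fall on fractional samples (8000/1200)."""
    out, phase, n = [], 0.0, 0
    for i, b in enumerate(bits):
        end = (i + 1) * rate / BAUD            # sample index where this bit ends
        step = 2 * math.pi * (MARK if b else SPACE) / rate
        while n < end:
            out.append(math.sin(phase))
            phase += step                      # phase carries over: no clicks
            n += 1
    return out

def dtmf_tone(n, freqs=DTMF_2, rate=RATE):
    """The 'two oscillators': one continuous DTMF digit, peak amplitude <= 1."""
    return [0.5 * sum(math.sin(2 * math.pi * f * i / rate) for f in freqs)
            for i in range(n)]

def mix(a, b):
    """Sum both sources at about equal volume, scaled so 16-bit PCM cannot clip."""
    return [0.5 * (x + y) for x, y in zip(a, b)]

def goertzel_power(samples, freq, rate=RATE):
    """Normalized power at a single frequency (amplitude A gives A*A/4)."""
    k = 2 * math.cos(2 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + k * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - k * s1 * s2) / len(samples) ** 2

def make_test_signal(seconds=1, seed=1):
    rng = random.Random(seed)                  # constructed random payload bits
    fsk = bell202_fsk([rng.getrandbits(1) for _ in range(BAUD * seconds)])
    return mix(fsk, dtmf_tone(len(fsk)))

def write_wav(path, samples, rate=RATE):
    with wave.open(path, "wb") as w:
        w.setnchannels(1); w.setsampwidth(2); w.setframerate(rate)
        w.writeframes(b"".join(struct.pack("<h", int(32767 * s)) for s in samples))

if __name__ == "__main__":
    write_wav("fsk_plus_dtmf2.wav", make_test_signal(seconds=10))
```

Running the same `goertzel_power` check on a recording made at the receiving phone shows whether the 697/1336 Hz pair survived the call.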


Conclusions

This experiment proves that 1200 baud FSK data can be transferred through the mobile phone network, provided that the GSM codecs are manipulated accordingly so that they do not compress the FSK tones. Although I have not yet tried to retrieve and decode the FSK data stream, the audio of the received stream sounds like the original.



