1

theSpyStop.com

Volume

Basic Electronic Surveillance

WARNING

Please check with you local state or country regarding the legality of using any of the following circuits. Note that it is an illegal offence to connect unauthorised equipment to public telephone systems. It is also an illegal offence to listen to and/or record telephone conversations without informing all parties.

T of Contents able
Chapter 1 Basic Circuit Laws Voltage and Current Power in a Circuit Ohms Law Decimal Multipliers Circuit Notation Preferred Values Chapter 2 Components Chapter 6 How Telephones Work Resistors Capacitors Transistors Inductors Aerials/Antennae Batteries Microphones Diodes Chapter 3 FM Transmitters FM Bug #1 FM Bug #2 FM Bug #3 FM Bug #4 FM Bug #5 Peaking Circuit Field Strength Meter Chapter 4 The Basic RF Oscillator Reactance and Resonance Bandwidth and Q Tank Circuit 23 24 25 13 14 16 18 19 21 22 Audio Interface without transformer Isolation Audio Interface with transformer Isolation Audio Interface using Remote Socket and Drop-out Relay RF Line Transmitters Series Telephone Transmitter 1 Telephone Pick-up with Transmitter Series Telephone Transmitter 2 Infinity Transmitter 34 35 36 37 38 39 40 41 5 7 8 9 10 10 11 12 Ringer Hook Switch Dialer Unit Speech Circuit Handset Telephone Signaling Chapter 7 Telephone Eavesdropping 31 31 31 32 32 33 3 3 3 4 4 4

Chapter 5 FM Receivers Modulation FM Vs AM Receiving Equipment 26 26 27

1
Basic Circuit Laws
VOLTAGE AND CURRENT POWER IN A CIRCUIT

Chapter

This was by no means intended to be a complete course in electronics but a mere overview of the basic circuit laws you will need to know plus an introduction to the components you will be using.

In an electronic circuit there are two quantities we want to keep track of, these are voltage and current. Hopefully they are changing with time otherwise we would have a very boring circuit. Voltage (E) is a measure of the potential difference between two points and is measured in volts. Current (I) is a measure of the rate of flow of electrons past a point and is measured in amperes or amps.

When current is passed through a component, heat is released. To determine how much power a component is expected to handle, we use the formula below. This is especially important for calculating the wattage of certain components such as resistors:
Power (P) = Voltage (E) Current (I)

Where Power is in Watts, Voltage is taken in Volts and Current is measured in Amperes (or Amps). Variations include E=P/I and I=P/E
OHMS LAW

Ohms Law must be the single most commonly used formula in electronics today. It defines the relationship between resistance, current and voltage. In words it simply states that the current passing through a resistance is directly proportional to the voltage applied:
Voltage (E) = Current (I) Resistance (R)

Where Voltage is in Volts, Current is taken in Amperes and Resistance is measured in Ohms (). Variations include I=E/R and R=E/I

DECIMAL

MULTIPLIERS

Decimal multipliers are used to simplify and shorten the notations of quantities such as component values. For convenience we use the sub-multiples outlined below:
Abbreviation p n m k M Prefix Pico Nano micro milli UNIT kilo mega Multiply by 0.000000000001 0.000000001 0.000001 0.001 1 1,000 1,000,000 Or -12 10 -9 10 -6 10 -3 10 0 10 3 10 6 10

CIRCUIT NOTATION

Some circuits give component values as they are spoken while others replace the decimal point with the first letter of the sub-multiple prefix. For example: 5p6 for 5.6pF ceramic or n1 for a 0.1nH inductor. Similarly for resistors, 6k8 corresponds to a 6.9k resistor.
PREFERRED VALUES

The system of preferred values is used for resistors, capacitors and inductors. It provides a logical progression from one value to the next, where each increase is determined by an approximately constant percentage. Depending on the component, there could be anything from 3 through to 192 preferred values in each decade. A few are listed below:
E6 SERIES (6 per decade): E12 SERIES (12 per decade): E24 SERIES (24 per decade): 1.0 1.5 2.2 3.3 4.7 6.8 (10 15 etc) 1.0 1.2 1.5 1.8 2.2 2.7 3.3 3.9 4.7 5.6 6.8 8.2 (10 12 etc) 1.0 1.1 1.2 1.3 1.5 1.6 1.8 2.0 2.2 2.4 2.7 3.0 3.3 3.6 3.9 4.3 4.7 5.1 5.6 6.2 6.8 7.5 8.2 9.1 (10 11 12 etc)

2
Components
RESISTORS

Chapter

Resistors serve one purpose; they dissipate power. Resistors are commonly used for limiting or reducing the amount of current flowing in a circuit and to attenuate a voltage to a required level. Resistors dissipate power by presenting a resistance to the flow of current passing through them; the unwanted energy is then released as heat. Resistance is measured in Ohms (in honour or Georg Ohm) and is represented by the symbol . Some publications use the letter R, as there is no omega symbol available to them. Resistors are either fixed in value or variable, variable resistors are termed potentiometers, or pots for short, whilst miniature pots are called trimpots. Resistors have what is called a power rating; this indicates the amount of power they can handle without being damaged. Power ratings range from 1/10 to 5 Watts or more and are usually directly related to the size of the resistor. To determine the value of a typical leaded resistor we use the coloured bands painted on the resistors body. Depending on the resistor there could be 4 or 5 bands. To decipher these bands we use the table below: Colour
SILVER GOLD BLACK BROWN RED ORANGE YELLOW GREEN BLUE VIOLET GREY WHITE

1ST Digit
0 1 2 3 4 5 6 7 8 9

2ND Digit
0 1 2 3 4 5 6 7 8 9

Multiplier
*0.01 *0.1 *1 *10 *100 *1k *10k *100k *1M *10M -

Tolerance
10% 5% 1% 2% 0.5% 0.25% 0.1% -

Say for example a resistor has the following bands: brown-black-red-gold on it. The first band is usually closer to one end of the resistor and in our example this is brown which
5

corresponds to 1 from the table. The second band, black, gives us 0. The third band is the multiplier and gives us the number of zeroes that follow the first two significant figures. In this case the multiplier is red which gives us 100. Putting all of these together we get 10(00) or 1k. The fourth band gives us the tolerance of the resistor, or how close the resistors value is compared to the value printed on it. In this example that is 5% so the actual value lies somewhere between 5% and +5% of 1k or between 950 and 1050. Some resistors, especially those with tolerances of 2% or better, use 5 bands instead of four. This allows for an extra digit for accuracy. In these cases there are three significant figures followed by a multiplier and tolerance band. A further example may help; a five band resistor has the following bands on it: brown-black-black-yellow-brown. This corresponds to 100(0000) or 1M 1%. The actual value lies somewhere between 990k and 1010k. SMD chip resistors use a code similar to capacitors EIA code for conveying their values. Resistors in Series When two or more resistors are connected in series, the total resistance, RT, is increased and the total resistance is equal to the sum of the individual resistances:

RT=R1+R2+R3+ Resistors in Parallel When two or more resistors are connected in parallel, the total resistance, RT is always smaller than the lowest resistance present in the combination: RT=1/[1/R1+1/R2+1/R3+] Two resistors in parallel are easy: RT = [R1*R2]/[R1+R2]

CAPACITORS

Capacitors are simply energy storage devices. They store energy in the form of an electrical charge. Capacitors are also used as smoothing devices across supply rails and as coupling components. Capacitance is measured in Farads (F) after Michael Faraday, but in practice this is too large a value, so prefixes are commonly used. Capacitors, like resistors, can be fixed in value, or variable (called trimcaps). The main types of capacitors you will come across are ceramic, greencap, electrolytic, tantalum and monolithic. Tantalum and electrolytic capacitors are polarized and so must be installed correctly. In principle a capacitor is no more than two conductive plates separated by an insulator called a dielectric. When a voltage is applied to the capacitor, electrons flow into it until it is fully charged. At that point current ceases to flow even though a voltage may still be applied. Although a capacitor can pass alternating current (AC) it cannot pass direct current (DC). This is because there is no electrical connection between the plates. This feature makes them very useful for passing audio signals, which should only be AC. Variable capacitors consist of two plates, one of which can be rotated by the rotor on the outside. By adjusting the rotor we can adjust how much the plates overlap and therefore the capacitance. Variable capacitors are easily damaged if soldered too long, causing these plastic insulators to melt. If you find it hard to turn the rotor, the capacitor is probably damaged. Note also to only use a non-metallic screwdriver when adjusting trimcaps. Capacitor values are printed on their body using the EIA code. The table on the right will help those having trouble going from one prefix to another. It lists various EIA codes, their true value and equivalents. Tolerances are also marked on the body of capacitors; they may take the form of a letter or a coloured band, the most common of which are listed below:
Letter A C D E F G J K Colour Red Green White Brown Red Green White 1

Tolerance +20-10 1 0.25pF 1 0.5pF 1pF 1% 2% 5% 10% 2

2

Letter L M N P 2 Q S W 2 W Z

Colour Black Grey

Tolerance 15% 20% 30% +100-0% +30-10% +50-20% +50-10% +40-20% +80-20%

Notes:

caps <10pF

electrolytic only

Capacitors can be damaged if their working voltage (WV) is exceeded. This is the maximum voltage that can be applied to a capacitor. In most cases you can replace a capacitor with one of an identical value but a higher WV, but never go below this rating.

Most real capacitors exhibit some sort of change in value when subjected to varying temperatures. There is a temperature coefficient that goes with each capacitor and tells us how that particular capacitor will react at different temperatures. Try where possible to use NP0 (negative positive zero) type capacitors. These are the most stable capacitors available and will only fluctuate only minutely over a wide range of temperatures. This is important to us because we do not want the final frequency of our transmitters drifting on a hot day. Capacitors also come in SMD but ceramic chip capacitors do not have their values printed on them, which can be a hassle for the hobbyist. Capacitors in series

CT=1/[1/C1+1/C2+1/C3+] You will note that this is the same formula for resistors in parallel. Capacitors in parallel Capacitors in parallel behave exactly the same as resistors in series:

CT=C1+C2+C3+
TRANSISTORS

Transistors have two main functions; they can be used as amplifiers or as a high-speed switch. The word transistor is actually an acronym, it stands for Transfer Resistor. The original and still most common transistor type is the bipolar transistor. They come in two versions, NPN and PNP and these are refereed to as complements. There are generally three leads on a transistor; the base (B), the collector (C) and the emitter (E). These must all be connected correctly for the transistor to operate. An NPN transistor has a negative voltage on the emitter, when a positive voltage (with respect to the emitter) is applied to the base; the transistor begins to conduct by allowing current to flow through the base/emitter circuit. This relatively small base current causes a much larger version to appear in the collector/emitter circuit. This phenomenon is called current gain. Note for an NPN transistor the arrow points in indicating the emitter. A PNP transistor works in exactly the same way except there is a negative voltage on the collector and a positive voltage on the emitter. When a negative voltage is applied to the base, a larger version again appears through the collector/emitter circuit except this time the current will flow in the opposite

direction. Note that the arrow indicating the emitter points in for a PNP transistor. Most of the circuits in this manual call for the use of a BC547 NPN transistor. This is a common garden variety type but if you run into difficulty obtaining one, or you just want to experiment, I have included a list of alternative transistors. BF599 is a SMD transistor so miniaturisation is possible. I have not tried all of these but according to their specifications they should all work.
2N2219A 2N2222 2N3563 2N2643 2N2916 2N2987 2N3903 2N3904 2N4140 2N4970 BC107 BC108 BC109 BC147 BC148 BC182L BC183 BC184L BC207 BC208 BC337 BC548 BF173 BF174 BF199 BF200 BF494 BF599 BFS17 BFS19 BFS20 BR180 PN100 PN2222 PNS222A ZTX300

INDUCTORS

Inductors, like capacitors, are simply energy storage devices. Inductors store energy in the form of a magnetic charge with inductance being measured in Henries (H). The circuits in this manual require you to wind your own inductors from enamelled copper wire (ECW), regular bare copper can be used but the turns must not touch each other. This wire is wound a specific number of times around a suitable former, because of this structure they are commonly referred to as coils. Some inductors use a ferrous material as a core to increase the coils inductance otherwise they are termed air-coils because they have no core. These ferrous cores, called slugs, are easily chipped and damaged so be careful when attempting to use them. Most of the circuits in this manual use the same type of pre-wound coil, it consists of 6 turns (counted at the top of the coil) of 25 SWG (0.5mm) or 24 B&S ECW wound around a suitable 3mm former such as a small Philips screwdriver or 1/8 drill bit shank. This gives us an inductor with an approximate value of 0.1H. The inductance of the coil can be adjusted by pushing the coils closer or farther apart if they are air-cored or by the slug as mentioned before. If you would like to design your own coil, I have included the formula that allows you to do so. Note that this can only be used for air-core coils whose length is at least equal to the radius:
L = (n2r2) / [254(0.9r+l) ]

Where L=inductance in H, n=number of turns, l is the overall length in mm and r=coil radius also in mm.

AERIALS/ANTENNA

The aerial, or antenna, is used to radiate the RF energy into the atmosphere and hopefully to the receiver where it can be listened to or recorded for future listening. The aerial is seen as a resistive load by the circuit, but it is of such a low resistance that the signal finds it easy to flow into it. Energy is then lost from the circuit in the form of electromagnetic radiation. For our purposes, a length of insulated hook-up wire will suffice as an antenna. The length of the aerial deserves consideration, if you know what frequency you would like to transmit on then you can use the following formula to determine the wavelength and corresponding aerial length required:
WAVELENGTH = 300 / FREQUENCY

Where wavelength is in metres and frequency is in MHz. Say for example you wish to transmit on 100MHz, you would require a full wavelength aerial 3m in length. This is quite long so to minimize any chance of visual detection you could opt for a half-wavelength aerial, in this case that would be 1.5m in length. If this is still too long for your situation, a quarter wavelength (75cm) could be employed. This is not an exact science, so it may pay to experiment with different lengths and plot the lengths against the distances gained on a graph in an attempt to maximize results. Another option available to you is to use a dipole aerial arrangement. This is an identical length of wire attached to the negative (or the positive) supply rail. The resulting signals appearing on each aerial are identical but out of phase of each other. By using two quarter wavelength aerials you can achieve similar results, but not identical, to that of a half wavelength aerial. Three things are important when using an aerial: they must be fully extended, they must be in the same plane as the receiver (i.e. if one aerial is vertical, both must be vertical otherwise aerial polarizations may occur) and to keep them away from your skin for a body transmitter or the telephone line pair for a telephone transmitter.
BATTERIES

Apart from the aerial, the determining factor of a transmitters final size is the battery. The battery (or batteries) primary use is to power the transmitter, but there are so many different batteries on the market that it can be difficult to decide which to use. The main sizes of batteries you will encounter are AA, AAA, N, PP3 or some small type of coin cell. We can achieve the desired voltages of 1.5V or 9V using these or 3V, 6V and 12V by combining two or more. There are also specialised batteries like small 12V batteries for cameras and car remotes as well as small button cells used in hearing aids. You may like to experiment with these depending on their availability. Once the size of battery has been determined, the next step is to decide on the type of battery to use. Available types include: alkaline, lithium, silver oxide, nickel metal hydride, zinc chloride, 0% mercury and or course rechargeable batteries. The type you choose depends on your budget and the application. If the bug is to be of the throw away type where you simply place it somewhere not to be retrieved again, then fancy expensive batteries are not a necessity. These types of transmitters are also called drop-ins or disposables.

10

SIZE EQUIVALENTS Other more advanced transmitters, N AM5 MN9100 LR1 LADY such as VOX bugs, or voice operated AAA AM4 MN2400 LR03 MICRO transmitters, turn on only when AA AM3 MN1500 LR6 MIGNON audio reaches a preset level. PP3 6AM6 MN1604 6LR61 E-BLOCK Otherwise a beep is sent to the receiver to ensure it is set to the correct frequency. These have a very low draw current when on beep mode, so a set of lithium batteries could last up to 6 months. I would not class these as disposables as they cost upwards of $100 compared to a $15 drop in. The only other problem you will come across is attaching wires to the battery. Some batteries like the PP3 have snaps that simply clip on or off, but others like the button cells will require you to solder directly to the battery. It may pay to use some sandpaper on the battery so the solder will take but do not overheat them as they have a tendency to leak out toxic chemicals or explode.
MICROPHONES

The room transmitter circuits in this manual call for the use of small electret microphones to convert sound waves into electrical impulses. For the best results I recommend using omni-directional microphone inserts. These are the common type you will find within old tape recorders and the like. Other sources of miniature microphones are old cell phones or hearing aids. The smallest of these microphones are only a few millimetres across, but the average insert measures 10mm wide by 8mm across. The microphone is polarised so must be installed correctly for proper operation. The negative lead of the microphone is connected to the negative supply rail and can be easily identified as it is connected to the microphones metal case. Microphones have two or three leads on them depending on whether they require an external load resistor. Two leaded inserts require a load resistor to be connected between the positive rail and the output lead; this resistor provides the microphone with the correct amount of current for reliable use. Microphones with three leads on them already have this load resistor incorporated within the microphone. If sourcing your own microphones, it may pay to experiment with different load resistors. Note that the load resistor sets the sensitivity of the microphone. The inside of a regular two leaded microphone consists of only two parts; a mylar diaphragm and a Field Effect Transistor (FET). A mylar diaphragm is just a thin piece of plastic that has been charged in an electric field. The charge remains on the diaphragm even after the energising field has been removed. This is called the electret material and is metallised so the charges move more readily over its surface. The input lead of the FET (called the gate) is attached to a large metal disc, which is placed near the diaphragm. As sound enters through the small hole in the

11

electret microphones case moving the diaphragm which influences the charges placed on the metal disc. These fluctuations are fed to the FET where they are amplified then passed to the output lead to the rest of the circuit. They usually pass through a DC blocking capacitor with a value somewhere between 10nF and 100nF to give a reasonable frequency response.
DIODES

There are a number of different types of diodes, all with their various differences but with one basic feature in common: they allow current to flow in one direction only. Diodes are therefore polarized and must be installed correctly in the circuit or they will not work. A diode is a two layered device that has an extremely low resistance to current flow in one direction and an extremely high resistance to current flow in the other direction. A diode is often called a rectifier. Ideally, you can consider a diode as being able to pass current in only one direction. If the P side voltage is positive relative to the N side by an amount greater than the forward bias of the diode, then the diode will freely pass current like a closed switch. This diode is said to be forwardbiased. If the P side is negative relative to the N side, virtually no current will be allowed to flow, unless and until the device reaches the breakdown voltage. This condition is referred to as reverse biased. If the reverse breakdown voltage is exceeded, the point at which reversebiased current starts to flow, then the diode may be destroyed. The P side of a diode is called the anode and the cathode. The cathode is easily distinguished from the anode as it has a bar or line at that end. Diodes are commonly used to convert alternating current (AC) to direct current (DC). This process is called rectification. A single diode when used for rectification is called a half-wave rectifier. When four diodes are connected together and used to redirect both the positive and negative alterations of AC to DC, then that configuration is referred to as a diode bridge or bridge rectifier. Zener diodes are commonly used as voltage regulators. These are specially manufactured diodes that are designed to operate in the reverse breakdown region. Every zener diode is manufactured for a specific reverse breakdown voltage called a zener voltage (VZ). As with a normal diode, the zener diode blocks current only up to VZ, where the reverse resistance drops to a low value and the diode conducts in the normally reverse direction. When this occurs, the voltage drop of the diode remains constant over a wide range of currents, so because of this, the zener diode can be used to clamp the maximum voltage that can occur in a circuit.

12

3
FM Transmitter Schematics
FM BUG #1

Chapter

This is probably the simplest FM bug (FIG 3.1) you will ever see. There are a minimum amount of components and as there is no audio preamplifier, sound reproduction will only be as good as the microphone insert used. Parts list: R1- 68k R2- 330 C1-1nF C2- 5p6 C3- 22nF VC1- 10-40pF Q1- BC547 L1- 6 turns MIC- electret insert ANT- 60cm

FIGURE 3.1 this one stage transmitter is probably the simplest FM transmitter you will come across.

When you speak into the microphone this presents a voltage signal to the transistors base. This makes the transistor work at a different point at its operation curve. Here it has a different collector voltage and current as well as different internal resistances and capacitances. L1 consists of 6 turns of 0.5mm enamelled copper wire wound around a 3mm former. Supply is 9 volts with a range between 50 100 metres. For 3 volt operation replace R1 with a 39k resistor. The circuit can be built on strip board but ensure that you cut all unused tracks as they lessen the transmitters efficiency. The secret to achieving long range is to keep all tracks short and components pushed as close to the board as possible to keep all leads as short as possible. This makes the circuit tight. You can use two 9 volt batteries wired in parallel to power the transmitter,

13

effectively doubling the range (and final size) but because of this high output you may encounter interference with TV reception. The main problems with simple transmitters such as these are outlined below: The internal capacitances of the transistor (and capacitors) change with the surrounding temperature. After turning on the transmitter, there will be a slow frequency drift until the transmitter reaches thermal equilibrium which can take up to 15 minutes. A draft of air can also shift the frequency even after thermal equilibrium is reached so an enclosure is highly recommended, even a piece of heat shrink tubing can be use effectively which will also keep the size of the transmitter to a minimum, If using a transformer power supply, any slight hum will directly modulate the oscillator. If using batteries, the frequency of operation shifts as the battery runs down as these transmitters use a VCO. This effect is called Frequency Pushing, The antenna has to be directly connected to the tank circuit or via a small sniffer capacitor usually of a very low capacitance. The antenna now becomes part of the tuned circuit and will affect the final frequency if you approach the antenna or handle it. This effect is called Frequency Pulling With no audio preamplifier, the microphone may not be able to present enough input to modulate the VCO. Even if the carrier signal is strong enough to reach the receiver, the signal will be weak and noisy, The one transistor transmitter circuit working on 3 volts, can only output 1-5mW of RF power that can only travel 20-50m line-of-sight.

FM

BUG #2

This is the factory standard VCO FM transmitter. I have seen these retail from $20-$200 depending on where you look. The circuit is fairly simple and consists of two parts: an audio amplifier and an RF oscillator. The microphone is a standard type and picks up audio that is amplified firstly by the internal FET. The microphone is biased by R1. This audio signal is then passed along through the 22nF coupling capacitor to the first transistor which is wired in as a self-biasing common emitter amplifier stage with R2 providing bias. This stage has a gain of around 60-80. This boosting is necessary for injecting into the next stage, otherwise the microphone may be driven too hard resulting in distortion. The amplified signal is then fed through the 0.1F coupling capacitor to the base of the oscillator stage. Here a BC547 transistor is connected in a Colpitts oscillator configuration. Bias is provided by R4 with stabilising current feedback from R5. R5 also ensures that signal is kept away from the negative rail. C3 holds the transistors base at ground potential for RF signals while allowing audio signals to pass unimpeded. The coil (L1) is comprised of 5 turns

14

FIGURE 3.2 the two stage transmitter is probably the most popular FM transmitter you will come across. Do not be fooled by its simplicity as a 500m range is not unheard of.

of ECW wound around a 3mm former and together with VC1 and C4 form the tank circuit. C5 provides the necessary feedback for oscillation. C6 across the rails holds the +9V rail at ground potential for AC and ensures the circuit operates Parts list: stably even when the battery is nearing its end. Using R1- 39k 0.5mm enamel copper wire, make a coil with 5 turns R2- 1M counting at the top, on a 3mm former. While still on the R3- 10k former, cut off the excess wire and scrape 2mm of enamel off each end. The oscillator is a voltage controlled oscillator R4- 47k (VCO) and is dependent on the voltage applied. When R5- 470 turned on a pulse of energy is passed through the collectorC1, C5-22nF emitter circuit of Q2 including the tank circuit, this pulse is C2- 100nF monolithic due to the transistor being turned on by C4. Energy is firstly C3- 1nF stored by the capacitor because of their lower impedance, C4- 5p6 when charged the energy is transferred to the inductor VC1-10-40pF where it produces electromagnetic flux which is constantly Q1, Q2-BC547 increasing. A point is reached where the flux collapses and L1- 6 turns the energy is passed back to the capacitor where the cycle MIC- electret insert begins again. The transistor is designed to supply a small ANT- 90cm amount of energy each cycle to keep oscillations at a maximum, remember all of this is happening at 100 million cycles per second. Once this basic frequency is set, called the carrier frequency, we can superimpose the amplified audio onto Q2. By applying the audio to the base of Q2 we can effectively modulate the base-emitter junction capacitance. This in turn causes the desired

15

frequency modulation (FM) of the oscillator. Then by connecting an aerial to the oscillator we can radiate the signal to the receiver. To tune the receiver, attach the battery and place the transmitter at least 10m from the radio which is tuned to a dead (quiet) spot and with the volume up quite loud so the static can be heard. The microphone should be near some sort of sound like a TV or radio, use a non-metallic object) to turn the variable capacitor until a feedback whistle can be heard from the radio. If all you get is some kind of distorted sound that is definitely coming from the transmitter (i.e. it ceases when the transmitters battery is removed) then the load resistor for the microphone will need to be adjusted. If everything looks alright but it still does not work, the following voltage checks may be of aid: Q1 collector=2V, Q1 base=0.6V, Q2 base=2.6V, Q2 emitter=2V.
FM BUG #3

If the RF output is still too low or that the frequency suffers too much from Frequency Pulling, then you will need an extra transistor to act as an amplifier/buffer. This last stage offers a gain in output but more importantly it isolates the oscillator and antenna making it more stable in hand held situations. The schematic (FIG 3.3) can be divided into three distinct sections; an audio amplifier, an RF oscillator and an output buffer stage.

FIGURE 3.3 this FM transmitter features an extra amplifier/buffer stage making it good for handheld applications

Starting at the extreme left we have the electret microphone which is biased by the resistor R1. This resistor determines the gain and therefore then sensitivity. The 22nf capacitor couples the microphones signal to the first stage, the audio amplifier. This section consists of the first BC547 and two biasing resistors. This stage provides a gain of around 70 allowing the microphone not to be driven too hard ensuring that background noise stays at a minimum. This stage is then coupled to the RF oscillator stage via the 100nf monolithic capacitor, chosen for its small size. This next stage is a high frequency oscillator operating around 100

16

MHz (or 100 million cycles per second).This oscillator is a voltage controlled oscillator (VCO) which means that the supply voltage will have an effect on the operating frequency. This oscillator stage is controlled by the 47k resistor which turns the transistor on by allowing current to flow through the collector/emitter circuit. Connected to the collector is our old favourite, the tank circuit comprised of a capacitor, trimcap and inductor. Along comes the audio waveform and because it is a much lower frequency, the capacitor does not have any hold on the voltage and the base is allowed to rise and fall. This alters the gain of the transistor and changes its internal capacitance. This in turn alters the frequency of the oscillator an amount equal to the waveform entering it. This called frequency modulation or FM. The output of the oscillator is taken from the emitter via a 5p6 capacitor to a further stage called an output amplifier stage. The purpose of this stage Parts list: is to separate the aerial from the oscillator so the aerial does not load the oscillator and alter the frequency. The R1- 39k output stage is partially turned on by the 150k base R2- 1M resistor and the signal from the capacitor increases and R3- 22k decreases the base current. The transistor amplifies this R4- 47k and produces a varying collector current. At the frequency R5- 470 of operation, some of the current is passed to the aerial R6- 150k and is radiated as radio waves. The resistor on the R7- 330 collector keeps signal away from the positive rail while C1, C6-22nF delivering current to the output for feeding to the aerial. C2- 100nF monolithic The final component is the 22n capacitor across the supply C3- 1nF rails. This is necessary for reducing the internal impedance C4, C5- 5p6 of the battery and helps stabilise the supply rails and VC1-10-40pF ensures peaks of current to be drawn without affecting the Q1, Q2, Q3-BC547 rest of the circuit. Supply is 3 volts which is as low as you L1- 6 turns can go for reasonable operation. L1 is the usual 5 turns but MIC- electret insert you can experiment with 4 or 6 turns depending on which ANT- 90cm end of the FM band you intend to use. Range is between 100-200 metres. Average voltages for trouble shooting: Q1 base=0.6V, Q1 collector=2.1V, Q2 collector=3V, Q2 emitter=2V, Q3 base=2.6V, Q3 collector=1.5V.

17

FM

BUG #4

This circuit (FIG 3.4) differs from all the others that I have shown you as it is a crystal controlled transmitter. Unlike the previous circuits which were voltage controlled oscillators (VCO), this circuit has an extremely stable oscillator as it operates independently of the supply voltage. The first part of the circuit should be familiar to you; it consists of an electret microphone feeding an audio amplifier which is wired in a self-biasing configuration. The next stage contains our crystal (X1) and the oscillator stage with components chosen so the tuned circuit is operating around 30MHz. The way a crystal works is that its capacitance alters abruptly at the frequency marked on it, in this case 10MHz. The crystal is placed between the emitters of Q2 and Q3 and has a 27pF capacitor across it to increase the capacitance. The crystal only likes to oscillate at one frequency (10MHz) and even though Q3 excites it at 90MHz, it only reacts every nine pulses and sends a pulse to Q3 at a rate of 10MHz. The oscillator stage (comprising Q2, 3-27pF trimmer and 5 turns on a ferrite slug) is operating at 30MHz and gets a pulse every third cycle to keep it operating at exactly 30MHz. The output of this stage is connected Q3 via a 47pF capacitor and this tuned circuit is designed to operate at 90MHz. This means a pulse from Q2 is appearing every third cycle of Q3 to keep it operating at exactly 90MHz. Simply put, we have an oscillator working in the crystals third overtone feeding a frequency tripler. This tripler is then fed into an output amplifier stage which should also be familiar to you. This amplifier boosts the RF signal before sending it to the antenna. It is buffered from the tripler stage so the antenna does not have any loading effect on the tripler. L2 comprises 4 turns on a ferrite slug and L3 comprises 10 turns on a ferrite slug. Supply voltage is 6 volts and a range of 500 metres can be expected.

FIGURE 3.4 this FM transmitter features a crystal controlled oscillator making it more stable than the previous transmitters.

18

FM

BUG #5

This room transmitter is a powerful three stage FM transmitter with a range up to 1000 metres in the open. It uses an RF transistor in the output stage. Range is dependent on four factors: operating conditions (inside or out), type of aerial (length, single wire or dipole), operating voltage (max 15 volt) and if the circuit has been peaked for maximum performance. Basically this circuit (see Fig 3.5) is a radio frequency (RF) oscillator that operates around 100 MHz. Audio is picked up and amplified initially by the microphone and its internal FET. Then it is fed onto another audio amplification stage built around transistor Q1 to bring the level up to a suitable level to be injected into the next stage. Output from the collector or Q1 is fed into the base of Q2 where it modulates the resonant frequency of the tank circuit, comprised of L1/VC1/C6. Modulation occurs as the junction capacitance of Q2 varies. Junction capacitance is a function of the potential difference applied to the base of Q2. The tank circuit is connected in a Hartley oscillator configuration. The final stage is built around Q3, the RF transistor, which amplifies the output RF signal. Now let us take a closer look at the individual building blocks of the circuit:

FIGURE 3.5 the three stage FM transmitter is very simple when broken into the individual building blocks. It is actually a four stage transmitter if you count the active FET preamplifier in the electret microphone.

The electret microphone: An electret is a permanently charged dielectric. It is the electrostatic equivalent of a permanent magnet. It is made by allowing a heated ceramic material to cool in a magnetic field. A slice of this material is used as part of the dielectric, similar to a capacitor, in which the diaphragm of the microphone forms one plate. Audio enters through the small hole on the case of the microphone where these sound pressures move one of these plates. This movement changes the capacitance, which is amplified by the

19

internal FET. Electret microphone inserts are used because they are small, exhibit excellent sensitivity over a very wide frequency response all at a low cost. First amplification stage: This is a standard self-biasing common emitter amplifier. C1 couples the audio from the microphone to Q1 allowing only AC to pass, as well as isolating the microphone from the base voltage of the transistor. Oscillator stage: Every transmitter needs an oscillator to generate the RF carrier waves. The tank circuit (C6/VC1/L1), transistor (Q2) and feedback capacitor (C5) form the oscillator circuit. An input signal is not needed to sustain the oscillation. The feedback signal makes the base-emitter current of the transistor vary at the resonant frequency. This causes the emitter-collector current to vary at the same frequency. This signal is fed to the antenna and radiated as radio waves. The name tank circuit comes from the ability of the capacitor(s) and inductor combination (called an LC circuit) to store energy for oscillations. In a pure LC circuit (one with no resistance) energy cannot be lost. (in an AC network only the resistive elements will dissipate electrical energy. The purely reactive elements, the C and the L, just store energy to returned to the system later. Note that the tank circuit will not start and continue oscillating just by having a DC potential put across it. Positive feedback must be provided. Parts List: Resistors: (all -watt, 5% carbon film) R1, R4- 47k (yellow/violet/orange/gold R2- 22k (red/red/orange/gold) R3- 4.7k (yellow/white/red/gold) R5- 470 (yellow/violet/brown/gold) R6- 39k (orange/white/orange/gold) R7- 100 (brown/black/brown/gold) R8- 1M (brown/black/green/gold) Capacitors: C1, C11- 22nF ceramic disc (223) C2, C3- 0.1F monolithic (104) C4- 1nF disc ceramic (102) C5- 5.6pF disc ceramic (5.6) C6, C9- 10pF ceramic (10) C7, C8, C10- 47pF ceramic (47) VC1- 5-20pF trimmer (red) Semiconductors: Q1, Q2- BC547 NPN transistor Q2- ZTX320 NPN transistor Miscellaneous: L1- 15nH, 6 turns ECW L2- 30nH, 8 turns ECW L3- 8nH, 6 turns tinned copper wire PCB 9V battery snap Solder Microphone insert Antenna

Trimcap: The slots inside the trimcap are shaped like the head of an arrow. The maximum capacitance value is when the arrow is pointed in to the 12 oclock position. A turn of 180 brings the trimcap value to its minimum rated value. C6, the capacitor in parallel with the red trimcap will put the transmission in the 98 105 MHz range of the commercial FM band. By increasing the value, say to 27pF, you can move the frequency down towards the lower end of the FM band. But this end generally has more stations on it to compete with.

20

RF amplifier stage: The final amplification stage adds more power to the generated RF signal. To do this it needs an RF transistor. L2 is an RFC or radio frequency choke, and with C9 help to reduce harmonics. Output power from this stage will be at a maximum when it is tuned to oscillate at exactly the same frequency as the previous stage. This can be achieved using the peaking circuit which is provided and whose operation I shall soon cover. If you want you can add a small (say 10pF) coupling capacitor on the antenna to minimise any capacitance effects the aerial has on the final LC stage. I have not found it to be essential so have opted to omit it. Dipole antenna: Range is dependent on the aerial and one option is to employ a dipole antenna arrangement. This is basically two identical lengths of wire attached to two points in the circuit that are oscillating 180 out of phase with each other. Two such points are the antenna point and positive rail. You can experiment by cutting the aerial in half, leaving half soldered to the aerial point and the other half attached to the positive rail. Ensure to point the two wires in opposite directions. Operating voltage: Output power can be increased by using a higher operating voltage. The maximum voltage is determined by Q3 whose maximum operating voltage is 15 volts I do not recommend exceeding 12 volts as you can cause interference to any TV in the transmission range. If you do intend to increase the operating voltage, then some resistances will have to change also. If you want more range there are certain component adjustments you can make but you will make the circuit less stable and more prone to drift: Reduce R5 to 100 Reduce R7 to 47 Increase C7 to 470pF.
PEAKING CIRCUIT

The tank circuits of all the transmitters presented here need to be tuned in order to get maximum power output. The output peaks as the tank circuit is tuned to match the oscillator frequency. This peak can be measured on a multimeter. A peaking circuit (Fig 3.6) is simply an RF detector that uses diodes to charge a capacitor. The voltage across the capacitor is measured using a voltmeter set to a low voltage range (2 or 20 volts). The circuit can be assembled without a PCB, simply solder all the components directly to each other following the circuit diagram. The output should be connected to the input of a multimeter using banana plugs or a pair of paperclips fashioned to fit. The input connects to the antenna pad using a 5cm (2) length of wire. Switch the voltmeter to the lowest DC range. To tune the tank circuit, simply move the turns of L3 further apart or closer together until the reading on the voltmeter reaches is at a maximum. For this reason it is easier to use an analog multimeter as opposed to a digital multimeter. Note that the reading will be lower while you

21

are touching the coil. You will almost certainly find that the coil turns have to be spread very far apart wit the last turn at each end of the coil almost touching the PCB. Once the output is at a maximum, remove the peaking circuit and connect the antenna. If you change the oscillator frequency by moving the trimcap or by adjusting L1, then you will have to repeat the peaking process in order to get the maximum power output. Parts List: R1- 470 (yellow/violet/black/gold) C1- 100pFceramic (101) C2- 100nF greencap (104) D1, D2- 1N4148 silicon diodes LED- red light emitting diode
FIGURE 3.6

This circuit measures the field strength by converting the signal to DC and amplifying it. This field strength meter was designed to be used for VHF frequencies in the range of 80110MHz. The meter used was a signal meter with a FSD (full scale deflection) of 250A. Meters with lower FSD will offer greater sensitivity. A small telescopic whip aerial can be used to receive the incoming RF which is then fed rectified and converted to DC by R1, C1 and D1 which is then fed onto the FET. R2 is used to adjust the meter for a zero deflection hen no signal is present as well as setting the bias for Q1. Parts List: Resistors: R1- 3.3M (orange/orange/green/gold R2- 10k trimpot C1- 100pF ceramic (101) L1- 0.15-0.35H 4-6 turns 20 SWG 5mm former D1- 0A91 germanium diode Q1- 2N3819 ANT- Telescopic whip aerial METER- Signal meter 250A FSD FIGURE 6.1 this RF field strength meter is suitable for any of the transmitters covered in this manual.

FIELD STRENGTH METER

22

4
The Basic RF Oscillator
The basic building block of any transmitter is the oscillator. The majority circuits in this manual use tank circuits or an LC combination to provide this oscillation and to produce a carrier frequency. The basic components that comprise an LC circuit are an inductor and capacitor which are connected in parallel. To enable us to change the carrier frequency, the capacitor or inductor or both, must be variable. Spreading the turns closer or farther apart can change air core inductor characteristics. With the aid of a small drop of candle wax, they can be held in place. If a ferrite core is used then this can be screwed in or out using a nonmetallic screwdriver to slowly tune the transmitter. Care must be taken with these slugs, as they are very brittle and prone to chipping. If a variable capacitor is used, then again a nonmetallic screwdriver should be used to slowly tune in the desired frequency. Before we go any further though, we should discuss some basic concepts before returning to the oscillator.
REACTANCE AND RESONANCE

Chapter

Reactance is a term used to describe a certain kind of current opposition. Just as resistors are used to impede the flow of electrons, capacitors and inductors also exhibit this resistive trait. However, unlike resistors, the impedance of these components varies with frequency. This type of impedance is called reactance. Capacitive reactance (XC) is defined as:
X C =1/(2fC)

Inductance reactance (XL) is defined as:

X L =2fL

Where X is reactance in ohms, f is the applied frequency in Hz, =3.141, C is capacitance in farads and L is the inductance in henries. The formulae can be arranged to give:
C=1/(2fX C ) and L=X L /(2f)

As we vary the input frequency to an LC circuit, the reactance of L and C change in opposite directions. To be more specific, as frequency increases, XC decreases and XL increases. The

23

point at which these two are equal to each other is called the resonant frequency (FR). Graphically, this is where the two lines meet. In this condition the magnitude of their reactance are equal but out of phase and the components are said to be resonant.
X C =X L 2fL=1/(2fC) F R =1/(2LC)

BANDWIDTH AND Q

When placed in parallel, the network of inductor and capacitor will have a very high impedance that decreases sharply either side of the resonant frequency. Below is a typical frequency response curve for a resonant circuit. Maximum response occurs at the resonant frequency but a significant response occurs for adjacent frequencies also. Of particular interest to us is bandwidth (BW), which is defined by the quality of the circuit. In parallel resonant circuits the current is amplified through the reactive components. The Quality (Q) Factor is a measure of the goodness of the tuned circuit. This circuit Q differs from component Q, especially inductor Q. The Q of an inductor is defined as XL/RL or the ratio of inductive reactance to the effective resistance of the inductors wiring. Normal values of circuit Q range from 10 to 250. By using a large value for L and a small value for C we can achieve a reasonable level of Q. Circuit Q is simply a measure of the sharpness of the response curve, or if you like the selectivity at resonance, which sets the bandwidth. Bandwidth is measured between the points where the response falls off to 0.707 of the maximum value at resonance. Note how as Q is increased the bandwidth becomes smaller. A high Q is desirable as all the energy is released on a smaller bandwidth requiring less power but giving us greater range. A smaller bandwidth also allows us to be more selective with our final frequency, so we can place it near a larger, stronger transmission (such as a commercial radio station). By snuggling our transmitter next to this stronger transmission we can avoid being accidentally found. Most scanning receivers will simply skip over our

24

transmission. However, if we want our transmitter to carry a full range of audio frequencies we must not make the bandwidth too small.
TANK CIRCUIT

The tank circuit is the parallel connection of a resonating capacitor and inductor. Recall that a capacitor stores energy in an electrostatic field while an inductor stores energy in a magnetic field. Assume that a pulse of energy is applied to the tank circuit. Current then flows into the coil creating a magnetic field around the inductor that collapses as soon as the pulse passes. When this field collapses it creates a tank circuit current that flows into the capacitor and proceeds to charge the capacitor up. As soon as this current ceases, the capacitor sends the charge back into the circuit, where current flows back into the capacitor where another field is formed where the process starts again. In an ideal, pure circuit, this would carry on continuously, however, in the real world losses occur. This causes the amplitude of successive oscillations to be lower than the last. After a few cycles the oscillation eventually dies out. Such a decreasing oscillation is said to be damped. Notice how each cycle is smaller than the one before it. These losses are due to the creation of magnetic flux and the conversion back to a current. If we add a transistor arrangement that compensates for these losses, with a capacitor across the transistors collector/emitter circuit providing a feedback path that tops up each of these decreasing oscillations, we can allow these oscillations to continue. Now back to the basic RF oscillator. By putting a tank circuit on the collector of a suitable transistor and providing a feedback capacitor, what we have is an oscillator providing a carrier frequency. By careful selection of the right components we can place this carrier anywhere on the FM band. All that we would find on the FM band is a quiet spot because there is no information being transmitted. By feeding an audio input into the transistors base, we can change the characteristics of the oscillator or more precisely, we are modulating the frequency. This is basically how a frequency modulated (FM) transmitter works.

25

5
FM Receivers
MODULATION FM VS AM

Chapter

FM is an important part of todays world; it is widely used for broadcasting high quality radio. The commercial FM band occupies the 88MHz to 108MHz part of the RF (radio frequency) spectrum, but this differs slightly around the world. FM is still the band of choice for miniature bugs.

The standard method of modulation is that of frequency modulation. FM is typified by constant amplitude but varying frequency. The degree of frequency variation is proportional to the amplitude of the modulating wave whereas the rate of variation is according to the modulating frequency itself.

In frequency modulation, a fixed carrier of say 100MHz (100 million cycles per second) is modulated by the information from the audio circuit. With commercial FM music stations the amount of deviation from the fixed carrier would be in the region of 75 kHz. Since high fidelity reproduction is not a major concern to the designers of covert devices, the amount of deviation is kept to a minimum. A deviation level of 5-10 kHz will more than suffice. FM has distinct advantages over AM, especially in surveillance applications. The following advantages over AM apply:

It is generally accepted that FM reception is much cleaner than the noise prone AM. Given that the transmission from a battery operate device is going to be very weak, it is important that the received signal is not swamped by electrical interference such as car ignitions, storms or other noise producers. This advantage arises from the fact that many interference voltages produce amplitude modulated waves. FM by nature is insensitive to amplitude changes is unaffected whereas AM suffers, A lower component count is required enabling a smaller deice to be constructed,

26

Far less power is required to frequency modulate a signal to achieve a reasonable transmission distance and give acceptable recovered audio at the receiver. A 30mW FM transmitter can expect a hundred metres easily whereas an AM transmitter would require 200mW at least to reach that same distance and it would still be noisy. FM however requires a greater bandwidth to obtain a system more tolerant of noise.

RECEIVING EQUIPMENT

A receiver is just a transmitter used in reverse. An aerial picks up all the electromagnetic radiation in the atmosphere, a tuned circuit decides what particular frequency we want and rejects all the rest. A demodulator is then used to decipher the signal that is then passed on to an earpiece or amplifier so a speaker can be used. A transmitter is only as good as the receiver it is used in conjunction with. By using the FM band we can be assured that receiving equipment (and recording equipment if required) are cheap and readily available. Some receivers have good selectivity, which allow transmissions to be placed by commercial radio stations. Unless the transmission is weak or hidden as previously mentioned, then there is a good chance that anyone on your block with an FM radio will also be able to receive your transmission. Transmitters that operate above the FM band can be received on airband radios whose frequency range extends up to 140MHz. These generally have lower selectivity and are less popular than standard receivers so the chances of detection are greatly reduced. There are however an increasing number of radio enthusiasts who are scanning the airwaves in pursuit of their hobby so the chance of discovery is still there. Commercial radio stations as well as ground/air and air/ground communications share the airband. Any interference caused by transmitting on this frequency is not only illegal but also highly dangerous. What follows is the circuit and details for constructing your own FM radio. The square in the middle of the circuit is an integrated circuit (IC) and all that is required is a few external components to have a working radio. But why would you want to build your own radio when you can buy one for less than $10? For a start you will learn about electronics as well as having fun and the feeling of accomplishment when you finally turn it on and tune in your first radio station is a buzz all itself. Other advantages of building your own radio will be discussed later also. This circuit shown here is capable of picking up any of the circuits described within this manual. Recovered audio can be fed to earphones, another transmitter, a recording device or an amplifier so a speaker can be used. The only problem you may encounter is from tuning the receiver, which depends on the type of variable capacitor you use. FM signals are more difficult to decode than AM signals due to the way the information is sent. In AM, the audio signal is encoded by modulating the amplitude of a fixed frequency carrier signal. This audio is easily recovered using a simple diode detector. In FM, carrier amplitude is kept constant but the frequency of the carrier is varied according tot the audio signal. The process of demodulation is much more complicated but luckily this function is taken care

27

Parts List: Resistors R1- 4.7k R2- 10k R3-18k VR1- 100k log trimpot Capacitors C1- 33pF ceramic (33) C2- 39pF ceramic (39) C3- 47pF ceramic (47) C4- 56pF ceramic (56) C5- 150pF ceramic (151) C6- 180pF ceramic (181) C7- 220pF ceramic (221) C8, C9- 330pF ceramic (331) C10- 0.0022F MKT polyester (222) C11- 0.0027F MKT polyester (272) C12, 13- 0.0033F MKT polyester (332) C14- 0.01F MKT polyester (103) C15, 16- 0.1F ceramic (103) C17- 0.1F MKT polyester (104) C18- 0.15F MKT polyester (154) C19- 100F 16WV electrolytic C20- 200F 16WV electrolytic Miscellaneous IC1- TDA7000 SW1- SPST switch ANT- 75cm insulated copper wire L1- see text L2- see text

of by IC1. IC1 operates in a similar fashion to a super heterodyne tuner. Simply put, an incoming signal is mixed with a local oscillator signal to produce an intermediate frequency (IF). This IF is then filtered then demodulated to detect the audio. At the centre of the circuit is our TDA7000 IC. RF is received by the aerial and fed to the internal mixer through a bandpass filter consisting of C1, C2 and L2. L2 consists of 6 turns of 0.63mm ECW wound around 5mm former. Signals outside the desired frequency range are filtered out reducing interference. VC1 and L1 set the tuning range between 88-108MHz. L1 consists of 2 turns 0.63mm ECW on 5mm former with an F29 ferrite slug. SW1 switches the muting function on or off, which allows weaker stations to be tuned in by muting background hiss when switched to ON. Recovered audio is recovered at pin 2 and fed to volume control VR1. Earphones should be used as the signal will be very weak; otherwise use an amplifier if a speaker is required. A 9 volt battery supplies power for the circuit. To test the unit, set the volume up halfway, set mute to OFF and connect the battery. Use the tuning capacitor, tune across and you should hear radio stations coming in through loud and clear. If some of the stations cannot be picked up at one end, you will need to adjust the slug in L1.

By adjusting L1, C1, C4 or VC1 you can alter the receivers tuning range from down to 1.5MHz up to 110MHz and above. Using a matching transmitter you can have more privacy in your transmissions,

By making two receivers and two transmitters, what you will have is a make-shift pair of walkie talkies, A repeater of sorts can be built by feeding in the recovered audio into another transmitter, in essence repeating the signal. This method of repetition increases range and is used by radio amateurs, IC1 comes in SMD so miniaturisation is possible. The surface mount version is called TDA7010.

28

29

6
How Telephones Work
I thought it necessary that a manual relating to telephone eavesdropping should include a section on how telephones actually operate. To learn about wiretapping you must first understand the basics of telephones. This overview is not too concerned with the public switched telephone network (PSTN) but concentrates on what is actually at your end of the classical telephone. The best way to learn how something works is to completely dismantle it. So if you have a spare telephone lying around (working or not) tear it apart. Note that some of the voltages and currents listed are averages and will differ around the world depending on the telephone and the network it is connected to. The common one-line telephone, found in most homes, has four wires that lead out of the telephone set. These are coloured red, green, black and yellow. All information arrives and is sent as electrical current over the green and red copper wires referred to as the tip and ring respectively. The tip is usually the more positive of the two but voltage polarity swaps back and forth. These names are from back when operators manually plugged and unplugged jacks in cord boards to connect telephones, where one was the tip of the plug and the other was the ring (of the barrel). The main parts of a telephone can be broken down into the block diagram shown below.

Chapter

30

RINGER

The ringer simply alerts you to an incoming call, either visually or audibly. When the telephone is called, the network the telephone is connected to sends bursts of between 90-120V AC at a frequency of around 20Hz. These bursts are referred to as the ringing cadence and differ around the world. If an electromechanical ringer is employed by the telephone, then these AC currents will cause magnetic forces within a solenoid coil to move a metal clapper, which strikes a gong of some sort. A capacitor is placed in series with the ringer blocking DC energizing the ringer. Resulting current drawn by an unblocked ringer would fool the network into thinking that the telephone was off-hook even if it were idle. Electronic ringers are more common now as they are smaller, lighter, more pleasant sounding as well as easier and cheaper to produce.
HOOK SWITCH

A hook switch is just that, a switch. Older telephones have a cradle that uses the weight of the handset to connect and disconnect a set of electrical contacts. Electronic telephones are more likely to contain an on/off switch that activates a relay. An interesting eavesdropping method takes advantage of the hook switch by shorting it, usually with the aid of a resistor, usually of a low value so as not to trip the central station relay. The resistor allows a bit of current to trickle through the microphone, activating it and sending audio down the line just like a normal phone call except at a lower level, or a capacitor that is installed across one side of the hook switch which keeps the microphone hot (on) and allows a bit of audio to pass on by, but keeps the DC where it belongs. In both of these applications, one side of the double pole hook switch must be shorted out, leaving the open side to accept your device. Other methods include Bending the hook switch so it never actually hangs up. Not the best method as it raises suspicions. Using a reverse bias diode which can be externally controlled. By doing any of these modifications an eavesdropper can monitor room audio through an extension phone in another room.
DIALER UNIT

This tells the exchange what number you want and can be either rotary, dual tone multifrequency (DTMF or MF) or pulse. Rotary dialers comprise of a fingerplate, which is connected to some springs and some electrical contacts. When the dial is turned one of the contact sets closes and when released, springs pull the plate back to the original position. All of this switching sends out clicks or more precisely current pulses to be interpreted as the telephone number we want to call. It works by actually disconnecting the telephone or hanging up the telephone at specific times. So if you dial 1 the phone is disconnected once, twice for 2 and 10 times for 0. You can actually dial on old rotary phones using this method.

31

DTMF (or touch-tone) uses a combination of audio tones to represent digits. DTMF is faster and less prone to error and was developed so a dialing system could travel across microwave links and integrate with computer controlled exchanges. The layout for a typical DTMF keypad is shown below with the individual row (low group) and column (high group) frequencies. If for example the number 8 were pressed, then an 852Hz tone and a 1336Hz tone would be mixed together and sent down the telephone line. Pulse dialing is a combination of rotary and DTMF dialing. Pulses are used instead of tones but are selected by pushing a button rather than using a number plate. These pulses had to be stores before they could be used as it took longer to produce and send then it was to choose. This memory capacity became last number redial and other memory banks on electronic telephones.
SPEECH CIRCUIT

The speech circuit must couple the receiver, microphone and dialer into the two-wire telephone line and provide adequate sidetone between microphone and receiver. Sidetone is when output from the transmitter can be heard in the receiver of the same telephone, this allows you to gauge how loud to speak.
HANDSET

The handset can be divided into two distinct parts; the transmitter and receiver. Transmitter/Microphone: A transmitter simply converts acoustical energy of your speech into a varying electrical energy that can be transmitted through the PSTN to another telephone. The copper wires transmit the fluctuating sound waves of your voice as a fluctuating current. The telephone company sends this current through the wires, which are connected to the telephones microphone and speaker. When you speak into the microphone, the sound produces air-pressure fluctuations that move the microphone diaphragm back and forth. The microphone is hooked up so that it increases and decreases resistance in sync with the fluctuation in air pressure felt by the microphone diaphragm. There are three general types of transmitters in use today: carbon microphone, electrodynamic microphones and electret microphones. Before all telephones used to use carbon microphones which made it easy to install a hidden bug. All you had to do was unscrew the handset and replace the microphone with a modified one containing the transmitter circuitry. Receiver/Speaker: A telephone receivers element is used to convert electrical speech signals on the PSTN back into acoustical energy or sound vibrations that you can hear. The varying current travels to the speaker and moves the telephones speaker driver. The heart of the driver is an electromagnet, which is attached to a diaphragm and suspended in front of a natural magnet. The wire carrying the varying electrical current winds around the electromagnet, giving it a magnetic field that repels it from the natural magnet. When the current increases, the electromagnets magnetism increases and it pushes farther away from the natural magnet. When the current decreases, it slips back. In this way, the varying

32

electrical current moves the speakers diaphragm back and forth, recreating the sound picked up by microphone on the other end.
TELEPHONE SIGNALING

Telephone signaling controls the connection between two telephones and other things such as line status. Telephone signaling can be DC, AC or digital. DC Signaling: DC telephone signaling is based upon current flowing through the feed wires. An idle (on-hook) telephone would have the tip at around 0V, while the ring is about 48V DC, this voltage was selected as it enough to get through kilometers of thin telephone wire and still low enough to be safe. 48V is also easy to generate from normal lead acid batteries (412v car batteries in series). This is important if there is a power failure. Some countries use 36V or 60V. When the handset is lifted a loop current is drawn and the tip goes negative and the ring goes positive (or more correctly less negative). A typical off-hook condition is tip at about 20V and ring at 28V DC. This means there is about 8V between the wires going to a telephone in normal operation. The DC resistance of typical telephone equipment is between 200-300 while current flowing through is between 20-50mA. This current flow is your telephones way of requesting service so eventually you should end up with a dial tone. DC signaling is used in rotary and pulse dialing operations. AC Signaling: AC signaling uses tones to control networks and indicate network status, the most familiar control tones are those used for DTMF signaling. Digital Signaling: Digital indicates that there are only two states, either on/off (true/false). Instead of interrupting loop current to provide these on/off states, two fixed tones are often used, one for digital true and one for digital false. Two DC voltage levels can be used for digital signaling. When these binary digits (or bits) are transmitted in the proper time frame, valuable information can be sent quickly and efficiently. Caller ID, which tells the called telephone the number of the calling telephone, relies on digital signaling.
SIMPLE INTERCOM

BAT 9V 12V 24V

R1 300 1/2W 680 1/2W 1.2K 1/2W

Here is a simple intercom you can build using a couple of old phones, a resistor and a power supply. Follow the values shown, starting at 9V until you get the telephones operating. You may need to adjust the resistor values but do not exceed 30mA of current. Obviously there will be no ringer but if you use speakerphones you can just push the buttons to get the other ends attention. Apart from the simple intercom use for this project, you may also use it to test any of the devices mentioned here.

33

7
Telephone Eavesdropping
Now that we have a firm understanding on how telephones work, we can move on to how to tap a telephone. Telephone tapping falls into four distinct areas: Audio Interfaces RF Line Transmitters Telephone Pick-ups and Infinity Transmitters SIMPLE AUDIO INTERFACES
INTERFACES WITHOUT TRANSFORMER ISOLATION

Chapter

In some special cases an audio interface can be constructed without isolation transformers. In these cases the audio signal is passed from the telephone line through a capacitor or resistor or both, which blocks DC from the telephone line. This type of isolation circuit works quite well in applications where size must be kept to a minimum. Note this is not the preferred way to do telephone line interfacing. Ideally an isolating transformer should be used. If we simplify things, we can consider that the telephone connection between two phones is a pair of copper wires that form a loop. As with any circuit you can hook up more loads (components powered by the circuit) anywhere along this line. This is what you are doing when you plug another telephone into an extension jack. As this is easy to install and maintain, it makes for a very convenient system. But this simplicity makes it very easy to abuse. At any point, either inside your home or out, someone can add a new load. Simply locate a good point along the phone line, strip away a small piece of the insulation on the two hot

34

(red and green) wires WITHOUT CUTTING THE WIRES, and attach a set of high impedance headphones. Use a small capacitor (1nF) and resistor (100k) to keep out the 48V phone power. Instead of a pair of headphones a simple telephone tap could employ an ordinary telephone or linesman butt set. Attach it to an accessible, exposed point outside. With this connection the eavesdropper can use the telephone in all of the ways the subject can, such as hearing and making calls. It would pay however to disable the microphone as it is not necessary for listening and may alert the subject to the telephone tap when they hear someone breathing on the line. Drawbacks of this type of wiretap are obvious: knowledge of when telephone calls are to be made must be known, then they would need to stay at the wiretap to hear everything or run out to the garage every time someone uses the phone. Predicting such things are difficult and hanging around outside with a makeshift telephone can raise suspicions. The simplest solution is to use some sort of recorder, which will operate exactly like an answer machine. This can be achieved with a tape recorder and a telephone interface. Parts list: R1, R2- 100k R3- 40k C1, C2- 10nF capacitor

C1 and C2 block DC and pass the audio to the output. R1 and R2 provide some protection against the spikes on the telephone line and ensure that the circuit is of such high impedance that it does not disturb proper telephone operation. R1, R2 and R3 together all make up a voltage division network which will attenuate the audio signal from the telephone line to the desired signal output level. C1 and C2 should be rated to handle 1.5kV pulses. C1, C2, R1 and R2 should provide impedance so high that telephone line balancing is not disturbed. Note that this circuit provides no surge protection, as there is no transformer.
AUDIO INTERFACES WITH TRANSFORMER ISOLATION

This circuit allows you to amplify or record a telephone call. The 8 secondary winding of the transformer connects in series with either of the telephone feed wires. The 1k primary winding can feed either a cassette recorder or audio amplifier. This allows a clear path for the audio to pass through without loading the phone, which is a real factor to consider as any draw over 20-40mA might trip the relay at the central exchange who may send out a repairman to investigate. Common tapes are limited to 60 or 90 minutes so other methods

35

can be used also. Specialised recorders that have the tape mechanism slowed down allowing double or even triple recoding times are commonly used. Voiceactivated recorders, like the kinds used for dictation, are also ideal. Also the remote socket on some recorders can be used to turn the recorder on or off when the telephone handset is picked up. The best idea would be to use an interface that takes advantage of the remote socket found on many recorders by using a drop-out relay.
AUDIO INTERFACE USING OUT RELAY REMOTE SOCKET AND DROP-

This circuit allows you to switch on a tape recorder that is connected to the telephone line automatically as the receiver is picked up. This saves you having to sit around outside waiting for the telephone to be used. The tape recorder must have a microphone input as well as a

remote socket. This circuit is designed to operate for the newer 1.5V and 3V types as well as the older 6V and 12V types. The circuit can be broken Parts list: into two parts. On the left are the connections to each R1- 220 telephone line and to the MIC socket of the tape R2- 22k recorder. The diode and capacitors ensure that no DC R3, R4, R5- 10M voltages pass through to the input of the MIC while VR1- 1M trimpot the RC network clips large transients. On the right is C1, C2- 100nF capacitor the circuit which detects when the handset has been Q1- BC548 lifted and which then turns on the FET. The trimpot Q2- VN10K N-Ch DMOSFET adjusts the voltage level of this circuit. The voltage of D1~D6- 1N4148 a normal telephone line is between 40 and 60V, D7- 1N4004 depending on the country and the telephone system. ZD1- 10V When you pick up the handset, the voltage falls

36

between 6 and 12V. This drop is used to control the recorder via the remote socket. When the line voltage is high the base of the BC548 is pulled high so the transistor is turned on. This pulls the gate of the FET down to less than 1V. This shuts off the FET. When the line voltage falls, the BC548 must turn off. Adjust the trimpot if it does not. Now the FET gate potential rises to the 10V set by the zener diode. To use the interface, plug the MIC and REM into the recorder and connect it to the telephone by cutting one of the feed lines. Put in a cassette and push record and play. With the telephone on-hook nothing should happen and when the handset is lifted it should start recording. If it does not then either the trimpot needs adjusting or the remote socket plugs need to be swapped around. The only way to fix it is to have a play around. All of these methods can be employed at any point along the telephone pair, either as it leaves the phone, before the surge protector, on the drop cable running to the telephone pole or at the junction boxes located on the pole or in the buildings garage. But even with these devices at his or her disposal, the eavesdropper will still have to return to the tap to replace the tape. The solution to this is to install a transmitter or bug.

RF

LINE TRANSMITTERS

This is the best sort of wiretap as once in place the eavesdropper does not need to return to keep them running, nor do they need a microphone as they can use the telephones and power is not required as some can be powered by the telephone line itself. Being small, they can be concealed within the telephone itself so access is only required once to install it. All conversations are now broadcast onto the airwaves so all that is needed is a nearby spot to listen to the transmission, ideally a radio in a car outside with the option of recording for later analysis. RF line transmitters are either series or parallel devices depending on how they are designed to be attached to the telephone line. Parallel and series transmitters have their respective good and bad points. Series Transmitters Advantages: Draws line voltage, so requires no batteries and the user is not forced to risk detection by having to change them. Generally harder to detect with countermeasures equipment because they run off batteries instead of line voltage Parallel Transmitters

37

Disadvantages: Can be detected by voltage measurements. Installation is more complex (must be installed on a hot line due to risk of interrupting connection). Must be placed as close as possible to target to prevent line hum. Batteries must be replaced eventually, unless an expensive device with a trickle charger is used. Radiates a constant signal even if phone is not in use so an be detected Some current may be draw which can give away its presence

SERIES TELEPHONE TRANSMITTER 1

This telephone bug is a simply a small, low powered FM transmitter that transmits in the upper part of the FM band. Power is taken from the phone line and any FM receiver can be used to receive the transmission. This circuit uses SMD components. The transmitter is a simple voltage controlled oscillator (VCO) so the output frequency depends on the input voltage. Parts list: R1-10k SMD R2- 1k SMD C1, C2- 4.7pF SMD C3- 47pF SMD C4- 1nF SMD Q1- BF599 SMD D1, D2, D3, D4- BAS16 SMD L1- 2.2F SMD L2- 2.2F SMD

Telephone line voltage is applied to the oscillator through a full-wave bridge formed by D1-D4. Small variations caused by the audio cause the frequency of the VCO to vary, thereby frequency modulating the output. The transmitter goes in series with either side of the phone line at any phone. Only that telephone will activate the transmitter when it is picked up. Placing the transmitter at the incoming telephone line will cause it

38

to be activated when any telephone is picked up. To install the transmitter simply place the transmitter in series with one of the telephone feed lines. Tuning is just as simple. Place a radio nearby, tune it to a dead spot in the upper third of the band. Take the handset off the cradle and tune L2 until the dial tone comes through the radio. Try to use a non-metallic tool and not handle the transmitter too much. The transmitter will warm up slightly as it starts so expect the final frequency to drift slightly in this warm up period. On top of these the eavesdropper can use a telephone pick-up coil to intercept conversations without having to cut the phone line.
TELEPHONE PICK-UP WITH TRANSMITTER

This circuit is designed to be used with a low impedance microphone such as a telephone pick-up device shown. The advantage of these pick-ups is that they can intercept telephone conversations without having to cut the line and without adding a load to the line you can hopefully avoid detection. A home made pick-up can be made by winding 1000-5000 turns of 30 AWG ECW on a Parts list: R1-1M R2, R4- 10k R3- 100 R5- 4k7 R6- 120 C1, C2- 10F 12WVDC C3. C4- 10nF C5- 4.7pF C6- 22nF VC1- 10-40pF Q1, Q2- BC547 L1-5 turns MIC- pick-up

small ferrite rod. Pick-ups have a few limitations though; they need to be physically attached to the telephone, usually on the handset, even an extension phone on the hook, near the base, or the side-tone coil to work well but good results can be achieved by coiling the telephone cable up and placing the pick-up on this coil. Volume is always going to be a problem but an amplifier can fix this, also they are prone to picking up the AC hum from nearby electronic appliances so bear that in mind when installing. An even

39

better method of using an induction microphone is to install it directly within the telephone, then run the audio off into the two unused wires in the telephone cable (usually black and yellow). Now the eavesdropper can attach a parallel device to the line without contacting the main lines at any time. The circuit below is a simple RF transmitter that employs a tank circuit to form our oscillator. Power source is 9 volts. R3 may need to be adjusted for best results, try to stay within 22-220.
SERIES TELEPHONE TRANSMITTER

The following telephone transmitter is you factory standard type of transmitter. I have seen this retail for $100s of dollars online. The transmitter attaches in series to one of your telephone lines. Either of these two lines will work. When there is a signal on the line (for example when you make or answer a call by lifting the handset) the circuit will start transmitting both sides of the conversation a short distance on the FM band, which can be recovered by any standard FM radio. It is a leech device so there is no need for a battery as it steals power from the telephone line. There is also no need for an aerial as it feeds the RF signal back into the telephone line, which radiates it onto the FM band. The frequency that it transmits on is fully adjustable between 80MHz and 110MHz and is achieved through adjusting the trimcap.

The circuit is basically a radio frequency (RF) oscillator that operates around 93MHz (93 million cycles per second). Power for the circuit is derived from the full wave diode bridge. C1, VC1, and L3 form the FM oscillator. Every transmitter requires an oscillator to generate the radio frequency carrier wave. L1, C6 and Q2 form the power amplifier. Audio is coupled from the telephone lines through R3 and C2 into the base of Q2 which varies the junction capacitance of Q2 which in turn modulates the oscillator. Junction capacitance is a function of the potential difference applied to the base of the transistor. R1 and C4 act as a low pass filter. C3 is a high frequency shunt. L2 acts as a RFC (radio frequency choke) decoupling the power and audio from the transmitter amplifier circuit. No aerial is needed as the telephone line itself acts as a sufficient aerial. The transmitter attaches in series to ONE of the two telephone lines going to your telephone. Either of these two lines will do. Attach one alligator clip to one cut end and the other clip to the other cut end. Take your telephone off the hook and tune a nearby FM radio to 93MHz. It should not be too difficult to tune the transmitter in by adjusting the trimcap until you
40

can hear the dial tone coming through on your radio. First adjust VC1 to pick up the transmission and then use the radio tuning dial to fine tune. Take a portable radio outside and follow the telephone line to see what sort of range is possible. This type of circuit should be calibrated. The resonant frequency of the L1/C6 amplifier circuit should be adjusted so as to match the resonant frequency of C1/VC1/L3. However, in practice, I think you will find that the unit operates perfectly OK as it is without the need to calibrate anything. If you decide to calibrate the transmitter, you will need a frequency meter, a CRO or just by trial and error. Calibration is achieved by moving the coils of L1 further apart. You will find that the transmitter tunes into the FM band in the 90-95MHz area. If you want to move this tunable area to the 98-105MHz range then you will need to replace C1 by a 10pF capacitor. Note that you should not hold the transmitter in your hands when you try to do any calibration. Your own body capacitance when you touch it is more then enough to change the oscillation frequency of the whole unit. You can experiment to get greater transmission range away from the telephone line by adding an aerial (around 150mm will suffice) to the collector of Q2.
INFINITY TRANSMITTER

The infinity transmitter, or harmonica bug, is used to monitor phone conversations from anywhere in the world via the phone lines. The name in itself is a bit misleading as it is not a transmitter as such i.e. a radio transmitter, but uses the telephone line as transmission medium. The infinity transmitter is connected to the target telephone by various means and inside the unit is a tone decoder, switching circuitry, a high-gain voice amplifier and a modulator for imposing the audio on the telephone line. What started out as a way for traveling salesmen to check on their girlfriends while away on business has become a complex security device. Various models are available but in essence they operate in a similar fashion; after planting the device, the eavesdropper will call the target phone and use a tone generator, whistle or harmonica (hence the nickname) to send a special tone down the line. The infinity transmitter has a special tone decoder circuitry that is tuned to the same frequency as the whistle and will answer the call. The microphone now becomes hot and all room audio within around 10m of the handset, is sent down the line to the delight of the eavesdropper. Other versions require that the target phone first be answered then when they have hung up the whistle blown down the line turning on the transmitter. Some versions require the target phone to ring first then to be recalled after a predetermined time has elapsed whereby special timing circuitry will then activate the transmitter. A more complex design of the infinity transmitter operates as follows, audio information is picked up by the microphone in the handset and is then hardwired to a tape recorder or radio linked to a receiver and tape recode combination. This tape recording can then be played back, rewound or fast forwarded (via the eavesdroppers own DTMF telephone situated elsewhere) to the eavesdroppers who may be anywhere in the world. This last part is similar to remote accessing your messages on an answer machine. Even if the target phone has to be used to download the tape recordings, it can now be done at high speed and later played back at normal

41

speed. This provides a more secure system, lowering any chances of the target picking up the telephone and hearing their last conversation. It also saves on the cost of the telephone call. Even more complex designs incorporate control units that can be remotely accessed to switch between microphones in a monitored area, or to connect and disconnect any taps on the target line or to turn on and off any hidden transmitters in a building. The possibilities of remotely controlling devices are endless. I have heard of versions that are able leave the target telephone able to still be used to place calls and with a break in capability so all three parties can converse. I have never used one of these devices but I am assuming they would require some sort of conference call facility on the target phone. I have seen the schematics for infinity transmitters on the internet but they are all quite old and date back to before tone dialing and digital exchanges when it was possible to answer the incoming call before the target telephone could. New telephone systems of today tend to ring before the unit can answer raising suspicions as does a stream of silent callers or sorry wrong number or even whistles being blown down the line. These devices do have their legal uses as a security device for properties that are uninhabited. Security staff can monitor the area via the telephone checking for the sounds of any intruders.

42