What happens when you send SMS

Original author: Scott B. Weingart
This is the third article in the full-stack dev cycle about the secret life of data. It is dedicated to the long and complex route of an SMS: typing, storing, sending, receiving and displaying. I'll add some history and context to dilute the list of protocols. Although the text is quite technical, it's pretty easy to understand.

The first two parts of the cycle:

  • Cetus, on the propagation of errors in the seventeenth-century ancestors of spreadsheets
  • "Down the rabbit hole", on the incredibly difficult search for the source of a single data set

So, let's begin…

My foot twitched involuntarily at the vibration: was that the phone, or did I imagine it? A quick glance found a flashing blue light. "I love you" from my wife. I immediately went downstairs to say good night to her, because I know the difference between a message and a message. This is a bit like encryption or steganography: everyone sees the text, but only I can decode the hidden data.

My decoding is just one link in a surprisingly long chain of events needed to send and decrypt a message ("go down and say good night") in under five seconds across a distance of about 10 meters.

Apparently, the message originated somewhere in my wife's brain and turned into finger movements, but that signal transmission is a topic for another article. Our story begins the moment her thumb touched the translucent screen, and ends when the light fell on my retina.

The looking glass

With each touch of the screen, a small electrical charge flows into the finger. Since current flows easily through the human body, the phone's sensors register the change in voltage at the point where the finger touched the screen. When this happens, random voltage fluctuations occur across the rest of the screen, so the algorithm finds the largest voltage change and assumes that this is where the person meant to press.

Fig. 0. Capacitive touch sensor

So she presses the screen, typing one letter at a time.


She does not use swipe typing (but somehow still types faster than me). The phone reliably records the (x, y) coordinates of each keystroke and checks them against the coordinates of each key on the screen. This is harder than you think: sometimes the finger slides, but somehow the phone understands that this is not a gesture, just a smeared press.

Deep in the metal guts of the device, an algorithm checks whether each voltage change covers more than a certain number of pixels, which is called the touch slop. If the area is small, the phone registers a keystroke, not a swipe.

Fig. 1. Android code for detecting touch slop. Please note that the developers knew my wife's gender.

She finishes the message, a measly 10 characters out of 160 allowed.

160 characters is a carefully verified number. According to legend, in 1984, German telephone engineer Friedhelm Hillebrand sat at a typewriter and wrote as many random sentences as he could think of. Then his team studied postcards and teletype messages and found that most of them did not exceed 160 characters. "Eureka!" they apparently shouted in German, before fixing the character limit of text messages for the next three or more decades.

Character Restrictions and Legends

Legends rarely tell the whole story, and SMS is no exception. Hillebrand and his team hoped to send messages through an additional channel that the telephones already used to exchange information with the base station.

The SS7 signaling system is a set of protocols used by cell phones to remain in constant contact with the base station; they need a permanent connection to receive calls, report their location, check voice mail, etc. When the protocol was developed in 1980, a hard limit of 279 bytes of information was introduced. If Hillebrand wanted to send text messages via the SS7 protocol, he had to fit into this restriction.

Usually 279 bytes equals 279 characters. A byte is 8 bits, and in common encodings one character corresponds to one byte:

A = 0100 0001

B = 0100 0010

C = 0100 0011

and so on.

Unfortunately, to send a message over the SS7 protocol you cannot simply beam 2232 zeros and ones (279 bytes of 8 bits) as a radio signal from one phone to another. The message must include the sender and recipient numbers, as well as a service message for the base station: "Hey, this is a message, not a call, do not ring!"

By the time Hillebrand and his colleagues had crammed all the necessary bits of context into the 279-byte signal, they had only 140 bytes, or 1120 bits, left.

But what if a character is encoded in only 7 bits? Then 160 characters (1120/7 = 160) can be crammed into each message, but this reduction requires a sacrifice: fewer possible characters.

An eight-bit encoding allows 256 possible characters: one slot is taken by a lower-case 'a', one by an upper-case 'A', one by a space, one by the character '@', one by a line break, and so on, up to 256. To shrink the alphabet to seven bits, some characters must be dropped: one half (½), degree (°), pi (π), and so on. But assuming that people never use these characters in texts (a bad guess, of course), Hillebrand and his colleagues managed to fit 160 characters into 140 bytes. In turn, this volume fit exactly into the 279 bytes of the SS7 signal: the exact number of characters previously determined to be the ideal message length.

Fig. 2. GSM-7 character set

And now my wife types "I love you", and the phone converts the letters into a 7-bit coding scheme called GSM-7.

"I" (the intersection of the fourth column and the ninth row in the table) = 49

Space (the intersection of the second column and the zero row) = 20

"l" = 6C

"o" = 6F

and so on in turn.

In general, her message turns into the following sequence:

49 20 6C 6F 76 65 20 79 6F 75

(only 10 bytes). Each two-character code, called hexadecimal (hex), is one eight-bit chunk, and together they spell "I love you."

But the message is not actually stored on the phone this way. It has to convert the 8-bit text into 7-bit code. After the conversion, the message becomes:

49 10 FB 6D 2F 83 F2 EF 3A

(9 bytes) on her phone.
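The 8-bit-to-7-bit conversion just described, as an added example that is not code from the original article: it maps each character through the basic GSM-7 table of Fig. 2, packs the septets into octets to reproduce the 9-byte sequence above, and unpacks them again on the receiving side. The table string and function names are mine.

```python
# Added example, not from the original article: GSM-7 encoding and septet
# packing of "I love you". The 128-entry table below is the basic GSM-7
# alphabet (no extension table), indexed by code point 0x00..0x7F.
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅå"
    "Δ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./"
    "0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
assert len(GSM7_BASIC) == 128


def gsm7_encode(text):
    """Map each character to its 7-bit GSM-7 code (row/column of Fig. 2)."""
    septets = []
    for ch in text:
        code = GSM7_BASIC.find(ch)
        if code < 0:
            raise ValueError(f"{ch!r} is not in the basic GSM-7 alphabet")
        septets.append(code)
    return septets


def pack_septets(septets):
    """Pack 7-bit codes into 8-bit octets, least significant bits first.

    Each octet takes the low bits of the next septet and the leftover high
    bits of the previous one; this is why 10 characters fit in 9 bytes.
    """
    out = bytearray()
    buffer, nbits = 0, 0
    for code in septets:
        buffer |= code << nbits
        nbits += 7
        while nbits >= 8:
            out.append(buffer & 0xFF)
            buffer >>= 8
            nbits -= 8
    if nbits:                      # flush the final partial octet
        out.append(buffer & 0xFF)
    return bytes(out)


def unpack_septets(data, count):
    """Recover `count` septets from packed octets (the receiving side)."""
    septets = []
    buffer, nbits = 0, 0
    for byte in data:
        buffer |= byte << nbits
        nbits += 8
        while nbits >= 7 and len(septets) < count:
            septets.append(buffer & 0x7F)
            buffer >>= 7
            nbits -= 7
    return septets


def gsm7_decode(data, count):
    """Packed octets back to text, given the number of characters."""
    return "".join(GSM7_BASIC[code] for code in unpack_septets(data, count))


if __name__ == "__main__":
    packed = pack_septets(gsm7_encode("I love you"))
    print(packed.hex(" ").upper())          # 49 10 FB 6D 2F 83 F2 EF 3A
    print(gsm7_decode(packed, 10))          # I love you
```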

When my wife finally finishes her message (it only takes a few seconds), she taps "Send", and a host of tiny angels receive the coded message, flutter their invisible wings the 10 meters to my office and gently deliver it to my phone. The process is not easy, which is why my phone vibrates slightly on delivery.

The so-called "communication engineers" will tell you a different story, and for completeness I will retell it, but if I were you, I would not trust those people too much.


The engineer will say that when the phone senses a voltage change at screen coordinates that coincide with the location of the graphical "Send" button, it sends the coded message to the SIM card, adding various contextual data along the way. By the time the message reaches my wife's SIM card, it is no longer 140 but 176 bytes (text + context).

The additional 36 bytes encode other information, as shown below.

Fig. 3. Here the bytes are called octets (8 bits). Adding them all up gives 174 octets (10 + 1 + 1 + 12 + 1 + 1 + 7 + 1 + 140). The remaining two bytes are reserved for SIM card bookkeeping.

The first ten bytes are reserved for the phone number of the SMS Center (SMSC), the service center address (SCA); the SMSC is responsible for receiving, storing, forwarding and delivering text messages. In essence, it is a switch: my wife's phone sends a signal to the local cell tower, which forwards the text message to the SMSC. The SMS center, which in our case is run by AT&T, sends the text to the base station nearest to my phone. Since I am sitting three rooms away from my wife, the message returns to the same base station and then to my phone.

Fig. 4. SMS Cellular Network

The next byte (PDU type) encodes basic information about how the phone should interpret the message: whether it was sent successfully, whether a delivery report is needed and (importantly) whether it is a single text or part of a chain of related messages.

The byte after the PDU type is the message reference (MR). This number from 1 to 255 is essentially a short-term ID so that the phone and the operator can recognize the message. My wife's message has it set to 0, because her phone has its own message identification system, independent of this particular field.

The next twelve bytes are reserved for the recipient's phone number, called the destination address (DA). Apart from the 7-bit text encoding, which squeezes 160 letters into 140, the phone number encoding is the most stupid and confusing thing in this SMS. It is called reverse nibble notation: it converts each digit into a half byte, that is, a nibble, and swaps them in pairs (Get it? A half byte is a nibble, hahahahaha, but no one laughs, they're engineers).

My number 1-352-537-8376 is registered on my wife's phone as:


1-3 turns into 31

52 turns into 25

53 turns into 35

7-8 turns into 87

37 turns into 73

And the last 6 turns into... F6

What the hell is that F? Well, it marks the end of the number, but for some terrible reason (again, the reverse notation) it sits one character before the last digit.
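The reverse nibble encoding of the destination address, as an added example that is not code from the original article: applied to the number above it yields the six bytes 31 25 35 87 73 F6, and the decoder shows how the F filler is dropped again on the way back. Function names are mine.

```python
# Added example, not from the original article: reverse nibble notation for
# the destination address (DA) and its reverse, applied to the number
# 1-352-537-8376 from the text.


def encode_reverse_nibbles(number):
    """Digits in pairs, each pair swapped, odd length padded with an F nibble."""
    digits = [c for c in number if c.isdigit()]
    if len(digits) % 2:
        digits.append("F")             # filler marks the end of an odd number
    out = bytearray()
    for first, second in zip(digits[0::2], digits[1::2]):
        # The first digit of the pair lands in the low nibble, the second in
        # the high nibble, so "13" is stored as 0x31 and the final "6" as 0xF6.
        out.append((int(second, 16) << 4) | int(first, 16))
    return bytes(out)


def decode_reverse_nibbles(data):
    """Undo the swap: low nibble first, high nibble second, drop the F filler."""
    digits = []
    for byte in data:
        digits.append(byte & 0x0F)
        digits.append(byte >> 4)
    return "".join(format(d, "X") for d in digits if d != 0xF)


if __name__ == "__main__":
    encoded = encode_reverse_nibbles("1-352-537-8376")
    print(encoded.hex(" ").upper())         # 31 25 35 87 73 F6
    print(decode_reverse_nibbles(encoded))  # 13525378376
```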

It's like “pig Latin,” just for numbers.

Ethay iestpray adhay away ogday, andway ehay ovedlay itway. Itway ateway away iecepay ofway eatmay, andway ehay illedkay itway.

But I'm not mocking.

[UPD: Sean Gees pointed out that the reverse writing of nibbles is an inevitable artifact of representing 4-bit numbers in low-to-high (little-endian) 8-bit chunks. This does not cancel the description above, but adds context for those who understand it and makes the decision more reasonable.]

The protocol identifier (PID) byte is now, by and large, wasted space. It takes about 40 possible values and tells the provider how to send the message. The value


means that my wife is sending "I love you" to a fax, and the value


means that she is somehow sending it to a voice line. Since this message is an SMS to a phone, the PID is set to


(like any other text sent in the modern world).

Fig. 5. Possible PID values

The next byte is the data coding scheme (DCS, see the documentation), which tells the operator and the recipient's phone which character encoding scheme was used. My wife sent the text in GSM-7, but it's easy to imagine the text being typed in Cyrillic, hieroglyphs or complex mathematical equations (well, maybe it's not easy to imagine, but everyone has the right to dream, right?).

In my wife's text, the DCS byte is set to


which corresponds to a 7-bit alphabet, but the value can be changed to an 8- or 16-bit alphabet, although this leaves much less room for characters. By the way, this is why your emoji reduce the number of characters available.

There is also a small flag in the DCS byte that tells the phone whether the message should self-destruct after sending, as in the movie "Mission Impossible", which is very cool.

The validity period (VP) takes up to seven bytes and gives us a chance to get acquainted with another aspect of how the SMS forwarding system actually works. Take another look at Figure 4 above. All right, I'll wait.

So, when my wife finally presses "Send", the text goes to the SMS center (SMSC), which then sends the message to me. I am sitting on the second floor and my phone is on, so I get the message in a few seconds, but what if the phone is turned off? Of course, it cannot accept the message then, so the SMSC has to do something with the text.

If the SMSC cannot find my phone, my wife's message simply bounces around the system until my phone connects, and then the SMS center immediately sends the text. I like to imagine the SMSC constantly checking every phone on the network to see whether it is mine or not, like a puppy waiting for its owner at the door and sniffing every passer-by: is that my human's smell? No. Maybe this is my human's smell? No. Is that my human's smell? YES YES HOORAY!!!

The validity period (VP) bytes tell the system how long the puppy will wait before it gets bored and finds a new home. This is either a timestamp or an interval, and it essentially says: "If you have not found the recipient's phone in the next few days, don't bother delivering the message." By default, the SMS validity period is 10,080 minutes, so if the phone does not connect to the network within seven days, you will never receive this SMS.

Since an SMS often leaves a lot of empty space, several bits are dedicated to letting the phone and the operator know exactly which bytes are unused. My wife's SIM card expects a 176-byte SMS, but she wrote a very short message, so if the SIM card received only 45 bytes, it could get confused and assume some kind of failure. The User Data Length (UDL) byte solves this problem: it states exactly how many bytes are in the text message.

In the case of "I love you", the UDL indicates that the message is 9 bytes. You might expect the value to be 10 bytes, one byte for each of the ten characters:


but since each character is seven bits, not eight (a full byte), the extra bits are dropped during conversion: 7 bits * 10 characters = 70 bits, divided by 8 (the number of bits in a byte) = 8.75 bytes, rounded up to 9 bytes.

We come to the last part of the SMS: the message itself, or UD (user data). A message can take up to 140 bytes, although, as I just mentioned, "I love you" takes a measly 9. It's amazing how much is packed into these 9 bytes: not just a message (my wife's supposed love for me, which is already hard enough to compress into zeros and ones), but the very meaning (you need to go down and wish her good night). Here are those bytes:

49 10 FB 6D 2F 83 F2 EF 3A

Overall, this is the message stored on my wife's SIM card:

SCA [1-10] - PDU [1] - MR [1] - DA [1-12] - PID [1] - DCS [1] - VP [0, 1 or 7] - UDL [1] - UD [0-140]

00 - 11 - 00 - 07 31 25 35 87 73 F6 - ?? 00 ?? - ?? - 09 - 49 10 FB 6D 2F 83 F2 EF 3A

(Note: to get the full message, you need to dig a little deeper. Alas, only part of the message is visible here, because of the non-displayable characters shown as question marks.)

Waves on the air

Now the SMS must somehow begin its difficult journey from the SIM card to the nearest base station. To do this, my wife's phone must convert the 176-byte string into 279 bytes for the SS7 signaling protocol, convert those digital bytes into an analog radio signal, and then send the signal over the air somewhere between 800 and 2000 MHz. This means that the distance between wave peaks is between 15 and 37 cm.

Fig. 6. Wavelength

For efficient transmission and reception of signals, the antenna must be at least half a wavelength long. If cellular waves are 15 to 37 cm, then the antennas should be approximately 7–19 cm. Now stop and think about the average height of a mobile phone, and why it never shrinks.

Through some digital gymnastics that would take too long to explain, my wife's phone suddenly fires off a 279-byte packet of information containing the text "I love you" at the speed of light in all directions; it eventually fades away and dissolves into radio noise after about 50 kilometers.

Long before that, the signal reaches the AT&T base station HSPA ID199694204 LAC21767. This base transceiver station (BTS) is about five blocks from my favorite La Gourmandine bakery in Hazelwood, and although I found its coordinates using the Android application OpenSignal, the antenna is well hidden from prying eyes.

The most amazing thing here is that the BTS receives this signal at all, considering everything else. Not only is my wife sending "I love you" in a thousandth part of the electromagnetic spectrum, but tens of thousands of other people within a 50-kilometer radius are talking on the phone or sending messages. On top of that, many radio and television signals compete for our attention on the air, along with visible light reflected in all directions; these are only a small part of the electromagnetic waves that seemingly ought to interfere with the BTS.

As Richard Feynman eloquently put it in 1983, the cellular tower is like a small blind beetle lying in the water at the edge of a pool: only by the height and direction of the waves does it determine who is swimming where.

Feynman discusses waves.

Partly because of the complex interference of signals, each base transceiver station usually cannot handle more than 200 active users (voice or data) simultaneously. So "I love you" pings the local base station about half a mile away, and then screams into the void in all directions until it disappears into the general noise.


All things considered, I was very lucky. If my wife and I were served by different mobile operators or were in different cities, her message's route would be much longer.

The 277-byte SS7 message arrives at the local BTS near the bakery. From there it goes to the base station controller (BSC), which is the brain not only of our antenna but of several other local ones. The BSC sends the text to AT&T's Pittsburgh Mobile Switching Center (MSC), which relies on the text message's SCA (remember the service center address embedded in each SMS? This is where it is needed) to deliver the message to the corresponding SMS center (SMSC).

This gibberish is easier to understand with the diagram in Figure 7; I have just described steps 1 and 3. If my wife were on another operator, we would go on to steps 4-7, because that's where mobile operators talk to each other. The SMS would have to go from the SMSC to a global switch and then potentially hop around the world before finding its way to my phone.

Fig. 7. SMS routing via GSM network

But she is also on AT&T, and our phones are connected to the same cell, so after the third step the 279-byte love packet simply turns around and comes back through the same SMS center and the same base station, but now to my phone instead of hers. Travelling a few dozen kilometers in the blink of an eye.


Bzzzzz. My pocket vibrated. The notification makes it clear that the SMS has arrived on the nano-SIM card, a chip the size of a pinky nail. Like Bilbo Baggins or any good adventurer, it has changed a bit on its way there and back.

Fig. 8. The received message differs from the sent one (Fig. 3)

Figure 8 shows the structure of the received message "I love you". Comparing Figures 3 and 8, we see several differences. SCA (SMS center number), PDU (some housekeeping), PID ("from phone to phone", not "from phone to fax"), DCS (coding scheme), UDL (message length) and UD (the message itself) remained unchanged, but VP (expiration date), MR (message identification number) and DA (my phone number) are missing.

Instead, two new blocks of information appeared on my phone: OA (my wife's originating address, her phone number) and SCTS (the SMS center timestamp, that is, when my wife sent the message).

My wife's phone number is stored in the same annoying inverse notation (like dyslexia, but for computers) in which my number was stored on her phone, and the timestamp is in the same format as the expiration date stored on her phone.

These two replacements are completely logical. Her phone had to reach me at a certain time at a certain address, and now I need to know who sent the message and when. Without the return address, I would not know exactly who sent this message, and its interpretation could change dramatically.

Bright screen light

Just as any computer translates a stream of bytes into a series of (x, y) coordinates for pixels of certain colors, the phone receives a command to display on the screen

49 10 FB 6D 2F 83 F2 EF 3A

so that I see the text "Love you" on the screen in black and white glowing dots. This is an interesting process, but not particularly unique to smartphones, so look elsewhere for that; let's focus on how these instructions turn into points of light.

Samsung's friendly marketers call my screen Super AMOLED (Active Matrix Organic Light-Emitting Diode), which is somehow both redundant and not particularly informative, so let's ignore the abbreviation as another distraction and dive right into the technology.

On each of the 83 square centimeters of my phone's screen there are about 50,000 tiny pixels. For that number to fit, each pixel must be about 45 microns (micrometers) wide: thinner than a human hair. Four million light elements on a palm-sized surface.

But you already know how screens work. You know that every point of light, like the Christian God or the musketeers (minus d'Artagnan), is always "three in one". Red, green and blue together form the white light of a single pixel. By varying the brightness of each channel, you can get any RGB color. And since 4 × 3 = 12, that's 12 million tiny light sources, innocently dormant behind my black mirror, waiting for me to press the power button to read my wife's message.

Fig. 9. Samsung OLED display subpixel array.

As the abbreviation says, each pixel is an organic LED. This is impenetrable technical jargon for a simple electric sandwich:

Fig. 10. Electric sandwich.

It is not necessary to study the purpose of each layer; it is only important to know that the cathode (negatively charged plate) lies under a layer of organic molecules (just some molecules containing carbon), which is covered on top by the anode (positively charged plate).

When the phone wants to turn on the screen, it sends electrons from the cathode to the anode. The molecules in the middle receive the charge and begin to emit visible light, photons, up through the transparent anode and the screen into my open eyes.

Since each pixel is three points of light (red, green and blue), there are actually three sandwiches per pixel. They are all essentially the same except for the organic molecule: poly(para-phenylene) for blue light, polythiophene for red and poly(para-phenylene vinylene) for green. Since each is slightly different, they glow in different colors when current passes through.

(Fun fact: the blue subpixels burn out much faster because of a process called "exciton-polaron annihilation", which sounds really exciting, doesn't it?)

All four million pixels sit on an index matrix. An index works on a computer much like a table of contents in a book: when the phone wants a certain pixel to emit a certain color, it looks that pixel up in the index and then sends a signal to the address it found. Let there be light, and there was light.

(Another fun fact: now you know what AMOLED, "active matrix organic light-emitting diode", means, even though you didn't ask.)

The phone's operating system interprets my wife's text message, determines the shape of each letter and maps those shapes onto the index matrix. It sends the right electrical impulses to the Super AMOLED screen to display these three small words that have covered all that distance and defeated every enemy in their path.

It is very strange that my eyes never see the letters in the bright light of the LEDs: the text appears in black on white. The phone creates the illusion of text through negative space, filling the screen with white by setting all red, green and blue subpixels to maximum brightness and then turning off those where the letters should be. Its complexity is insultingly ordinary.

Fig. 11. Negative space

By lighting up everything except my wife's text message and letting me read between the lights, the phone briefly exposes the lie underlying the modern information age: that communication is easy. The speed and apparent simplicity hide a crowd of middlemen.

And these are not only technical intermediaries. My wife's message would not have reached me if I hadn't paid my phone bill on time, or without the small army of workers who keep the financial systems running behind the scenes. Technicians keep the cell towers in working order, reaching them via a network of roads partly subsidized by federal taxes collected from hundreds of millions of Americans in 50 states. Since many transactions still happen by mail, if the postal system collapsed tomorrow, phone service would suffer too. The parts of both our phones were assembled by exhausted workers in factories in South America and Asia, and exhausted programmers renting expensive rooms in Silicon Valley wrote the code that keeps our phones in constant communication.

All this is hidden in 10 letters. Text that, let's be honest, means much more than what is written in it. My brain subconsciously draws on years of communication with my wife to decipher the message on the phone, but between her and me there is still a thicket of social and engineering intermediaries: a soup of people, events and details that can never be untangled.


And here I am, in the office, late on a Sunday evening. "I love you," my wife wrote from the bedroom downstairs, and a few seconds later the message reached my phone ten meters away. I understand what it means: it's time to say good night and perhaps finish this article. I am writing the last words, now a little more aware of the complex layering of kilometers, signals, decades of history and human sweat it took for my wife not to have to shout to me that, damn it, it's time to rest.