Mobile phone intercept scanner
Kolibrie was a car-phone intercept receiver developed by the
Politie Verbindingsdienst (PVD)
(Police Signals Service)
in The Netherlands in the early 1990s.
It was intended for the interception of criminal conversations on
the Dutch NMT-900 cellular network,
known as ATF-3.
Kolibrie is Dutch for Hummingbird.
The use of Kolibrie lead to some debate during the public hearings
of the Van Traa Commission in 1995.
It was gradually phased out when GSM became popular.
The mobile telephone networks that were used between the 1970s and 1990s
were all based on analogue duplex radio systems. Eavesdropping by means of
an ordinary (computer) scanner was very easy in those days, not only
for hobbyists and criminals, but also for police investigators.
The problem with an ordinary radio scanner was that the later 900 MHz networks
(NMT-900 or ATF-3) had 2000 channels, making it difficult to determine the
right channel. Furthermore, the eavesdropper would lose the signal when
the mobile station moved from one cell to another.
In order to overcome these problems, the
Police Signals Service (PVD)
developed Kolibrie: a purpose-built scanner that was able to intercept
the mobile telephone (MT) and the base station (BS) simultaneously,
and follow these signals when they moved from one channel to another.
At the time, the analogue mobile phones had a built-in AFSK modem
that periodically contacted the base station in order to setup a call
and/or negotiate a hand-over from one cell to the next.
During a negotiation, the voice channel was briefly muted.
Kolibrie was able to interpret the negotiation data and follow
the hand-overs at the edge of a cell. Furthermore, it was able to
display the number of the caller and the callee.
The image on the right shows Kolibrie receiver with serial number NL127
in its typical blue case. It is internally stamped 09 December 1992.
The police was aware of the 'grey area' of intercepting mobile
conversations . Although strictly speaking it was not illegal in
The Netherlands to use a radio scanner, doing so by means of a Kolibrie
made it possible to follow specific phone numbers and people
(much like a phone tap).
In order to protect the units against anauthorized use, and to prevent
them from falling into the wrong hands, a unique key
in the shape of a 3 mm jack plug
was needed to operate the device.
It is currently unknown how many Kolibrie scanners were produced,
but each of the 25 police districts in The Netherlands had at least
2 units. Taking into account that some extra receivers may have been
produced for other agencies and for the PTT (the Dutch telecom operator),
and perhaps even for some foreign 'customers', a safe estimate seems to
be around 100 units.
Today, the Kolibrie is a highly wanted collector's item. After the units
were phased out in the late 1990s, they had to be destroyed, but some
units showed up on official government sales in the early 2000s and were
subsequently bought by surplus houses. As most buyers didn't known
what they were (there is no name tag),
most units were destroyed or dismantled and used for parts.
Operating the Kolibrie is extremely simple and doesn't require
any special training. After switching it on with the ON/OFF switch
at the left, it briefly shows the
current version number and
then promts for the Identification Plug
(KEY) to be inserted.
Once the key is inserted, the unit
shows the serial number
(e.g. NL127) and then waits for the
key to be removed.
The unit is then ready for use and will start scanning the
NMT-900 frequencies of the mobile station (890-915 MHz)
that should be in the vicinity of the interceptor. In case
there are many mobile stations in the area, it might be
necessary to set the attenuator to LOW and adjust the squelch
(SQL) so that only the observed station (i.e. the subject under
surveillance) is picked up. If it locks onto the wrong
conversation, the SEARCH button should be pressed find the next one.
When scanning, the display shows the text BANDBEWAKING
Once the unit is locked onto the desired channel, the display
shows Gesprek gevonden (Conversation found) and the attenuator
can be switched off again (HIGH), so that the conversation can
be caught properly. In the above image, the upper line of the
display shows a series of dashes. As soon as a (digital)
negotiation signal is caught, this line shows the
number of the caller and the dialled number.
When driving around, the radio signal strength
indicator (RSSI) gives an indication of the distance to the
subject under observation. When Kolibrie looses the MT signal,
the display shows Gesprek verloren (Conversation lost), but stays
on the channel as long as the BS signal is present.
Two LEDs at the right show whether the MT and BS signals are
present. As the volume of the intercepted mobile phones varies
significantly, a potentiometer (BAL) allows the audio balance
between the MT and BS channels to be adjusted so that they both
sound equally strong.
All connections, except for the unique ID key, are at the rear of the unit.
Kolibrie is powered by a 12V DC voltage, such as the battery of a car.
Is was generally connected to the
cigarette lighter receptacle of a
vehicle. The 12V DC source is connected to the 3-pin XLR socket at the right.
The female XML socket at the top left is used for the connection of
a speaker, such as the one that was supplied with the kit. Below the
XLR socket is a 3 mm jack socket for the connection of headphones.
The antenna is connected to the BNC socket at the top center,
left of the two line outputs (one for each receiver).
A remote control unit
could be connected to the large 25-way D-type socket at the
center. It allowed unobtrusive control from, say, the dashboard
of the car.
The vertically mounted 15-way D-type socket (here marked as EXT)
was provided for the connection of additional equipment, such as
automatic recording devices and personal computers (PCs). Recording
equipment can be connected either to the two CINCH (RCA) sockets
or to the 15-way D-type socket (EXT). When using a stereo recorder,
the MT and BS channels can be recorded separately (L and R). This allows
better analysis of the (criminal) conversation later.
Although we are not certain about this at the moment, we have the
impression that the 15-way EXT socket also carries a serial port
that allows the internal microcontroller to communicate with an
external computer, such as a PC. It can be used for targetting
specific phone numbers.
Kolibrie was suitable for use in a car as well as from a desktop.
In any case it was powered from a 12V DC source. When used in a car,
the unit was powered from the cigarette lighter socket. When used on
a desktop is was generally powered by an external power supply unit (PSU).
For the 25 police districts, Kolibrie was supplied in a sturdy plastic
Samsonite briefcase, as shown below.
For transportation, Kolibrie was usually stored inside a sturdy
unobtrusive plastic Samsonite case, together with all accessories,
cables and the ID plug. The Kolibrie, the antenna base and the cables
are stored in the bottom section.
The actual antenna rod, the speaker and the remote control unit
are stored in the top half of the case. Some Kolibrie units have
two Velcro strips at the upper side, so that they could quickly
be installed inside an unmarked car.
Kolibrie does not have an internal speaker, so an external one
is needed in order to monitor the intercepted sound without using
A standard Antiference speaker, such as the ones commonly supplied
with mobile phones, came with the Kolibrie. It should be connected to
the female XML socket at the rear. Although the speaker could be
mounted at the dashboard, it was generally 'floating around' somewhere.
A suitable antenna should be connected to the BNC socket at the rear
of the Kolibrie. As such antenna's were generally not available on an
unmarked police car, a 900 MHz magnet-mount antenna was supplied with the kit.
The mount and the fixed cable were stored in the cable compartment of the
Samsonite case, whilst the antenna rod itself was stored in the top half.
Magnet-mount antennas did not attract unwanted attention as they
were frequently used with car phones at the time.
Although Kolibrie is small enough to be used inside a driving vehicle,
it was sometimes more practicle to hide it from view and use the
remote control unit that consists of a small plastic box with a display
and a push-button. It is connected to the rear of the Kolibrie via
a common 25-way D-type printer extension cable.
The display is connected in parallel
to the existing display and the
push-button duplicates the SEARCH button at the front panel. Turn the
Kolibrie off when connecting the remote control.
Kolibrie is powered by a 12V DC source, such as the battery of a car.
When using the device inside a vehile (which was generally the case),
it was connected to the cigarette lighter receptacle at the dashboard.
A suitable cable, with a female XLR plug at one end and a cigarette lighter
plug at the other end, was supplied with the kit.
To avoid unauthorized access to the Kolibrie, each device
comes with its own unique key in the shape of a 3 mm jack plug that
is attached to a key ring.
Inside the plug is a unique ID chip, like the Dallas DS2400 or
the later Maxim DS2401 ,
without which the device can not be used.
After switching on the unit, the key has to be
The device only continues if the key matches the internal serial number
of the Kolibrie. This way, any lost or stolen devices will become
useless. Once Kolibrie has seen the correct serial number, the user
is prompted to remove the key,
so that a key is never left inside
the unit. Very useful in case Kolibrie gets stolen.
Some Kolibrie units have popped up on the surplus market without a
matching key and the question has arisen whether it would be possible to
create a working key or an emulation for it.
Finding the appropriate DS2401
chip with the correct serial number inside,
is impossible as the manufacturer (Dallas, now: Maxim) guarantees that no
two ID chips have the same serial number and there are no (programmable)
alternatives from them or from any other manufacturer.
In practice, when a police investigator lost his key, Kolibrie had
to be reprogrammed by the PVD.
Although it would theoretically
be possible to build an emulator based on a small microcontroller, such
as a Microchip™ PIC, it would be virtually impossible to 'guess' the required
number, as it is hard-coded into the firmware of the Kolibrie and bears no
relation to the serial number printed at the rear of the device and on the key.
Furthermore, the ID-numbers were issued randomly by the manufacturer,
and the firmware inside the Kolibrie's
is protected against reading.
To cut a long story short: a Kolibrie without the matching key is useless.
Opening the Kolibrie is fairly simple. The case consists of a
in which all PCBs are mounted, a front panel,
a rear panel, and two blue
case shells. After removing the 4 screws at each side, the two case shells can
be removed and the surprisingly modern
well-designed interior is revealed.
Determining the age of the
receiver is rather difficult, as the text has been removed from most of the
ICs. However, the ICs that do carry manufacturing codes, have all been built
in 1991 and 1992, and a stamp at the
bottom of the PSU board
reveals it was tested on 9 December 1992.
The markings on the edge of the PCB
suggest that the receiver was developed in-house by the PVD
in Bilthoven (Netherlands). They also show that
the internal name for the receiver was KOL3.
This could mean that it was the
third design, or that it refers to the ATF-3 network.
As the PCB is also marked 'Issue 2' it seems likely that KOL3,
refers to the ATF-3 network (NMT-900).
Although some documents suggest that there was also a Kolibrie
for the older ATF-2 network (NMT-450)
we have not (yet) found any evidence for the existence of a KOL2 device.
Kolibrie consists of three large PCBs that hold the CPU and the
receivers, a smaller one with the PSU and the Audio Amplifier,
and some smaller PCBs mounted behind the front panel. After removing
the top cover of the blue case,
the upper board (marked PCB2)
This board contains the CPU that is built around a Motorola
. It is part of Motorola's HC05 family and contains an
additional serial I/O port, which is probably used for communication
with a Personal Computer (PC) that can be connected to the
The upper board also contains the
input band filters,
and the first VCO-based mixers. The VCO
is under control of the CPU
and allows scanning over the full 25 MHz frequency span. From the upper
board, HF signals are distributed to the two receivers (MT and BS) below.
The two receivers are largely identical, but each one covers a different
frequency band. The Mobile Telephone receiver (MT) covers the 890-915 MHz
band (also known as the uplink), whilst the Base Station receiver (BS)
covers the 935-960 MHz band (also known as the downlink).
Furthermore, the MT receiver
contains additional electronics to control
a signal strength indicator (SSI) in the shape of a 16-unit LED bar
mounted at the front panel.
In order to intercept only strong (nearby)
signals, an attenuator can be used when searching the spectrum (HIGH/LOW).
The lower board contains the BS receiver, which has neither a signal
streng indicator nor a switchable attenuator. The MT receiver is used
for detecting an intercept candidate, whilst the BS receiver just follows.
A small PCB
is mounted behind the other three boards, behind the rear
panel of the unit. It contains the Power Supply Unit (PSU) and the
LF Audio Amplifier.
As the Kolibrie was a 'sensitive' device, several measures
were taken to prevent misuse and tampering. The following
ant-tamper measures can be observed:
- Identification plug
Each Kolibrie is paired with a matching unique-ID plug that is
used as the key. Without the proper key,
it can not be used. More...
- Red painted screws
The eight screws that hold the two case shells together,
are marked with red paint, in order to make it self-evident
that the case has been opened.
- Text removed from the ICs
In order to prevent reverse-engineering, the identification
numbers have been removed from nearly all ICs and even from
the reed relay.
- Read-protected microcontroller
The Motorola microcontroller has a built-in 7KB EPROM
that contains the firmware, the unit's serial number and
the unique-ID number.
After programming, a security bit (SEC) is set
to protect the EPROM against reading/dumping from the outside.
- Lackered PCB solder side
The bottom side of the three main PCBs is
covered by a hard dark-green sealing. This protects the
PCB against moist, but also makes any modifications
The diagram below roughly shows how the Kolibrie scanner worked.
The unit has two receivers: one for the reception of the mobile
telephone (MT) and one for the base station (BS). As the frequency
distance between the MT-channel and the BS-channel is always 45 MHz,
the two receivers are operated in parallel. The antenna signal is
first filtered for the appropriate band (890-915 MHz and 935-960 MHz),
then amplified and then mixed with the signal from a local oscillator,
which is a VCO operating between 813-838 MHz under control of the CPU.
After mixing, the individual signals (77 MHz and 122 MHz) are fed
into the individual MT and BS receivers. When scanning, the MT receiver
is the leading one. Once it has picked up a signal, it will cause the
CPU to stop scanning. A vertical LED-bar will show the signal strength
of the mobile station and the BS receiver will be tuned to the
corresponding base station channel, so that both can be heared
simultaneously. As the strength of the audio signal varies between
stations, a potentiometer (BAL) can be used to adjust the
audio balance between the two signals.
The audio signals are available at the rear of the unit, either
mixed, or as individual signals, to allow recording. For the latter
a potential-free contact from a reed-relay is available as well.
It could be used to automatically start a tape recorder on reception
of a signal.
ATF (AutoTeleFoon) was the common name for
the Dutch analogue mobile (car) phone network that was introduced in 1980.
The first network operated at 150 MHz and was known as
ATF-1. It was used in The Netherlands, Germany and Austria.
Because of the rather low frequency, the cells of the network were very
large, requiring a lot of (transmission) power, and limiting the maximum
number of users to approx. 2500 in The Netherlands.
After 3 years the network was exhausted.
ATF-1 was followed by ATF-2 in 1985.
It was more affordable than ATF-1 and was based on the
This network operated on 450 MHz and
had smaller cells, allowing more simultaneous users. In the Netherlands
the capacity of the ATF-2 network was approx. 50,000 subscribers,
which was reached just four years later, in 1989.
The capacity of the network was expanded by the introduction
of ATF-3 in 1989.
It was based on the NMT-900 standard
, featuring 1999 channels and full
duplex voice transmission.
ATF-3 used a downlink in the 935-960 MHz band and an
uplink in the 890-915 MHz band.
Due to the higher frequency (resulting in smaller cells) and the increased
number of channels, ATF-3 allowed more subscribers than ATF-1 and ATF-2.
As a result, ATF-3 was more affordable and it wasn't before long that it
became popular amongst business men, but also amongst criminals.
As ATF-3 was an analogue network, using no encryption whatsoever,
it was relatively easy to intercept a conversation using a simple
radio scanner. Users were warned for this by means of a text printed
on the inside of the handset:
U voert een gesprek via een radioverbinding. Afluisteren is mogelijk.
(You are communicating via a radio channel. Eavesdropping is possible).
Eavesdropping became impossible, or at least extremely difficult, when the
GSM network was introduced in the mid 1990s. Being a fully digital system,
GSM uses advanced cryptographic techniques to secure the conversation.
In the Netherlands, GSM was rolled out from 1994 onwards and gradually
replaced the ATF-3 network. ATF-3 was finally closed down in 1997.
In some other countries, the NMT network survived a bit longer.
In Norway and Finland, the NMT network was operational until 2004
and in Sweden even until 2007 . In Russia, the last NMT service was
suspended in 2008 and Iceland was the last to close down their
NMT service in 2010.
When investigating serious crimes, it is relatively easy for the Dutch Police
to obtain a warrant for a telephone tap. This was already the case in the late
1980s and criminals were very much aware of this. As a result, they less and
less used their land-lines for criminal conversations and increasingly started
making use of mobile phones. Although it was relatively easy to intercept an
(analogue) mobile telephone conversion, it was obscured by the sheer number of
channels and criminals did not expect the police to be technically capable and/or
equipped for the task.
The police noticed the increased use of mobile phones by criminals and
started looking for ways to intercept their conversations. Although the
intercepted information could not be used directly in a criminal case
without a warrant, it gave them a good indication of wheather they were
'on the right track'. Furthermore it allowed them to follow a car at
a larger distance than usual.
Standard radio scanners were available in the Netherlands from the early 1970s
onwards from any electronics shop in the country, eventually succeeded by the
first generation of computer-based scanners. Although the scanners of the early
1990s covered the 900 MHz band, scanning the 2000 channels of the ATF-3 network
was not very practicle, especially when the target was driving around and,
hence, changed channels frequently, as illustrated in the drawing below.
For this reason it was decided to let the
Police Signals Service (PVD)
develop its own proprietary scanner that would take the pain out of finding
and following the right conversation. It is believed that the first Kolibrie
devices entered service in the early 1990s.
As the police didn't want to give away their new tactic, the existence of
the Kolibrie was kept secret and the device was never mentioned in their
official reports (Dutch: proces verbaal). It was thought that criminals
would move to other means of communication once they knew their conversations
Officially, the information that was captured this way, could not be used
in a court case, unless a warrant was issued prior to the interception.
Nevertheless it gave them good clues as to the feasibility of a case.
The police thought it was admissable
as the information could have been intercepted by anyone by means of an
ordinary radio scanner. Furthermore, the mobile phone user (i.e. the criminal)
knew his conversation could be overheard as he was pre-warned by a message
printed inside the handset. On the other hand: Kolibrie made it possible
to trap a specific phone number, making it a targeting investigation tool.
All in all a 'grey area'.
All this changed when the methods of the Police's Inter-Regional Investigation
Teams (IRT) were publicly investigated in the mid-1990s,
and the investigators were forced to reveal the existence of the Kolibrie.
Luckily it didn't cause much harm as most criminals had already moved
to the new GSM network that was rolled out from 1994 onwards.
Interception of telephone conversations by the police usually requires a
court order (warrant). Without such a warrant, the police is not allowed
to tap a phone line and the information obtained from the intercepted
conversation can not be used as evidence in a court case.
In December 1994, after a series of incidents (known as the IRT-case),
the Dutch parliament ordered a public hearing about the
investigation methods used by the IRT
of the Dutch Police .
The result was a public hearing that became known as the
Van Traa Commission.
The full text of the final Van Traa Report has been
published online by Buro Jansen & Janssen .
The image on the right shows part of the Van Traa Commission at work
on 23 October 1995 in The Hague (Netherlands). The second person from the
left is chairman Maarten Van Traa .
During the hearings it became publicly known that the
police sometimes used 'special techniques' as an aid to their
investigation. As it was sometimes unclear whether such techniques were
allowed, they were kept secret. In some of the hearings, the existence
of Kolibrie was revealed and confirmed by the interrogated detectives
and, hence, it became known to criminals .
By the time of the hearings however, ATF-3
had already been largely replaced by the new GSM network.
Bringing Kolibrie back to live
As Crypto Museum wants to be a 'living museum', we would like to be
able to demonstrate the operation of the Kolibrie. However, as the old
underlying analogue NMT-900 network no longer exists, it will be
very difficult to let this device perform the task it was designed for.
Please note that it is vital to use the matching identification plug
that has the same serial number as the Kolibrie itself. Without this
plug, the unit can not be used. Collectors that have a Kolibrie without
this plug, should read the section
about the identification plug above.
In order to test the MT and BS receivers, we've used
two RF signal generators;
one running at 895 MHz (MT) and the other one at 940 MHz (BS).
This causes the RRSI and both LEDs to come on
shortly after scanning is started with the squelch (SQL) set to
maximum. The latter is necessary in order to prevent locking onto
spurious digital signals (such as GSM) as illustrated below.
As the band of the former base stations (935-960 MHz) is filled with
fixed and multiplexed signals, we had to raise the level of our test
signal significantly, in order to allow the Kolibrie to pick it up.
Fortunately, the frequency segment for the mobile stations (890-915 MHz),
the so-called uplink, was quiet enough for our test. The two analogue
modulated signals were enough for our initial test and the Kolibrie
immediately locked on to the 895 MHz test signal.
The image above shows the frequency spectrum in which Kolibrie
operates. The frequencies used for our test are indicated with
vertical dashed lines. The yellow block at the left shows the
position of the local oscillator (VCO) that appeared on the
spectrum analyzer when Kolibrie was in use. The LO signal
can be detected at quite some distance from the device.
As we currently have no means of simulating the digital AFSK-based
negotiation data, the upper line
of the Kolibrie's display remains
filled with dashes. If we would be able to simulate the handshake
data between MT and BS, this line would show the caller ID
and the dialled number.
The NMT mobile phone network was a Scandinavian development and was
used in the countries listed below, making these countries possible
candidates for using a Kolibrie. Whenever known, the year in which
the network was closed is given in brackets.
- Czech Republic
- Estinia (2000)
- Finland (2002)
- Iceland (2010)
- Netherlands (1997)
- Norway (2004)
- Russia (2008)
- Sweden (2007)
We should like to thank Marcel Rohrs of The Netherlands for bringing the
existence of the Kolibrie scanner to our attention . In the early 2000s
he was one of the first people to obtain a Kolibrie from a public
government sale. When visiting Crypto Museum in March 2011,
he was the first to demonstrate the unit to us.
We then knew we had to find this clever high-tech tool.
Name of the analogue Dutch mobile phone network. Starting with ATF-1 in 1980
(150 MHz), followed by ATF-2 in 1985 (450 MHz). The last analogue network was
ATF-3 (900 MHz), based on the NMT-900 standard. ATF-3 was closed down in 1997.
Global System for Mobile communication
Digital mobile phone network. Also known as 2nd generation mobile phone (2G).
Interregionaal Recherche Team
Special investigation units of the Dutch Police, known as
Inter-regional Investigation Teams, that existed in the early 1990s.
A series of public hearings, known as the
Van Traa Commission, revealed
in 1996, that the IRT often used unofficial (and sometimes illegal) methods during their
investigations, which eventually led to new laws on criminal investigation.
Nordic Mobile Telephone
Analogue cellular mobile phone network developed in Scandinavia in the mid-1980s.
NMT-450 was the first network to be developed in the 450 MHz band. It was also
the basis for the Dutch ATF-2 network. It was followed by the NMT-900 network,
operating at 900 MHz. The latter was called ATF-3 in The Netherlands.
Dutch Police Signals Service. Responsible for communication and reladed equipment
within the Dutch Police Force. Also the developers of the Kolibrie receiver.
- Wikipedia, Mobiele Telefoon
History of the mobile telephony in The Netherlands (Dutch).
- Wikipedia, Nordic Mobile Telephone
Good description of the NMT network standard.
- Maxim, Dallas Semiconductor, DS2401 Silicon Serial Number
Datasheet of unique ID chip in TO92 case.
- Wikipedia, Parlementaire enquêtecommissie opsprongsmethoden
Dutch public hearing and investigation of criminal investigation methods.
Als known as the Van Traa Commission (Dutch).
- Buro Jansen & Janssen, Van Traa Rapport
The full report of the public hearing, known as the Van Traa Commission.
Nearly 5500 pages in Dutch. With full online search facility.
- Van Traa Report, Hearing number 21. Mr. A.M. Mosterd
One of the documents of the Van Traa Report, revealing the existence
of the Kolibrie intercept receiver.
Hearing number 21, 14 September 1995. Dutch.
- Motorola Inc. MCMC68HC705C8 Technical Data
Datasheet. Rev. 4, May 2002.
- Marcel Rohrs, Owner of a surplus Kolibrie
Crypto Museum, March 2011.
- ANP Historisch Archief Community, Commissie Van Traa in de Eerste Kamer
The Hague, 25 October 1995. Reproduced under the Creative Commons Licence.
Any links shown in red are currently unavailable.
If you like this website, why not make a donation?|
© Copyright 2009-2013, Paul Reuvers & Marc Simons. Last changed: Wednesday, 30 April 2014 - 13:47 CET