How-To: The Magic Phone, Part 1: Number Pad Matrix Decoding

This How-To is the first in a series of construction instructions for a project titled The Magic Phone. I was inspired by the Port-O-Rotary from Spark Fun but wanted to take the project to the next level and with hardware I already had on hand. You may be able to extrapolate these instructions to different models of telephones, different telephony protocols, and even different projects.

So what makes up The Magic Phone? Basically, I first wanted to encrust a wireless home phone inside a vintage rotary phone. Here in Europe we have a standard for wireless handsets called DECT which has just been approved by the FCC for the US in April of this year. DECT compatibility is fun in a handset because you can take your phone to a conference or office building phone network which can then assign you a number within their DECT network.

A large DECT network was put in place at What the Hack in the Netherlands this past July. Each person that came equiped with a compatible handset could pick a unique four digit number for the length of the conference. With the What the Hack network one could call another local handset, call outside the conference, call the What the Hack radio to listen in, or even send messages to the computer controlled dance floor at the Blinkenlights section.

Once I decided to house a DECT phone inside a rotary phone, a friend of mine inspired me to also include a cellphone in the same rotary phone housing. The Magic Phone evolved into a multiprotocol phone made of three torn apart existing telephones and a circuit board to decode the rotary dial and "push" the buttons on the phones.

This How-To, Part 1, will cover how to decode the button matrix on an existing telephone, be it a DECT wireless handset or a cellphone. You may ask, why oh why would you not directly control the phone via serial port or the firmware on the phone? The answer is, you may not have access to the firmware or even to the serial protocol on the phone. Also, the goal is to have The Magic Phone be an autonomous telephone with no need to plug it into a computer or computing device. Therefore, we must decode how to push the buttons.

Why would this be useful in your project? Perhaps you don't have access to a cellphone or wireless handset development board. Perhaps you want your robot to auto dial the pizza service at 8pm on Tuesdays while you are busy doing some much needed coding. Perhaps you want to...you get the idea, get creative. Allons-y!

What you will need:

- a phone you can take apart brutally (DECT handset or cellphone or other or all of the above)
- soldering iron
- multimeter (preferable with beep for continuity function)
- computer ribbon cable
- screwdrivers (varies with the type of screws in your handsets)

We will be showing the following example with a DECT/GAP compatible handset: the Gigaset C2 by Siemens (this handset comes with the Gigaset C200 base station). Also, please scrool down to see the same procedure for a cellphone: a Sagem myX3-2. Please note that you can extrapolate this information to any model handset or cellphone with some ingenuity and common sense.

Version 1: The Siemens Gigaset C2

The Siemens Gigaset C2 before destroying:

First open your handset to expose the circuit underneath the number pad. This may take some force and prying in the case of a wireless handset. In these photos you can see the clips you must push back to open most handsets. Siemens takes the notion of clips to a whole new level. This beast was harder to open than a botulism ridden jar of pasta sauce. Be patient.

Now remove the number pad to reveal the circuitry underneath. It may look something like this:

You may want to print or draw up an image of your phone's circuit with the traces in a lighter color than the black you see above. Pull out that multimeter with beep for continuity and start on one of the black traces on the upper left. Label the first trace 1. Touch one lead of the multimeter to what you have just labelled 1 and touch the next separate trace on the board to the right with the other lead. Keep your first lead on 1 and work your way across and down touching each new trace. When you have continuity, mark 1 on your chart to note that the two traces are part of the same chunk on the matrix. When you have finished every possibility with trace 1, move the first lead of your multimeter to the first trace that is not labelled 1 and label it 2. Repeat the process above. Continue to the right to the next unlabelled trace and repeat this "beeping out" of your circuit. Your chart may end up neat and tidy like mine:

A close up of the chart showing recolored traces to help with labelling.

If this is confusing, remember you just need to understand which buttons on the phone share common leads. When you have finished beeping out your circuit, make a chart of how the number pad looks on the phone before disassembly with the two numbers you have assigned that make up each button. Here is an example of how your chart may look:

As you can see in the chart above, the number 1 on the phone pad can be "pushed" by connecting 12 and 10 in my decoded phone button pad matrix. In the same vein, the number 6 can be pushed by connecting 1 and 2. Your numbers will no doubt be different with a different manufacturer or model of phone or even a different direction you chose to decode the keypad circuit.

Next we are going to solder into each unique trace on our circuit. This means, if you have more than one 1 labelled on your chart, you will only need to solder into the first one. To do so on our model of phone we had to scrape a bit of the trace away to reveal copper. Solder doesn't like to stick to strange synthetic stuff. Scrape carefully and chose an area with a large surface area on your trace that isn't too close to another trace so as to avoid short circuits. Prepare these scraped pads by melting a small amount of solder onto them. Strip the ends on your ribbon cable and tin the ends (twist the strands and melt a little solder into them). Solder them in the order you already named when you were beeping out your cable. In other words, solder the first lead to trace 1, the second lead to trace 2, and so on.

The completed phone should look something like this:

Now test your soldering job and your handy little chart by powering up your handset and touching together two of the wires on the loose end of the ribbon cable. Test each button combination to make sure you haven't made any human errors. If your handset displays "st00p1d hum4n" you may have wired up something incorrectly. This concludes the DECT follow-along for reverse engineering the button matrix on your handset. For the cellphone version, read on.

Version 2: The Sagem myX3-2

If you would like to do the same thing with your cellphone, here is the detailed photo follow-along. First open the phone to expose the circuit underneath the keypad. In the case of many cellphones, you may need specialized screwdrivers such as torx.

You may want to print or draw up an image of your phone's circuit with the traces in a lighter color to make them easier to label. Pull out that multimeter with beep for continuity and start on the upper left of the metal pads. Label the first pad 1. Touch one lead of the multimeter to 1 and touch each successive separate pad on the circuit board with the other lead. When you have continuity, mark 1 on your chart to note that the two pads are part of the same chunk on the matrix. Keep the first lead of the multimeter on 1 as you work your way down the circuit. Next label the first unlabelled pad 2 and repeat the beeping out process. Continue to the right to the next unlabelled trace and so on until you finish reverse engineering the button matrix of your circuit. Your finished chart will look something like this:

If this is confusing, remember you just need to understand which buttons on the phone share common leads. When you have finished beeping out your circuit, make a chart of how the number pad looks on the phone before disassembly with the two numbers you assigned that make up each button. Here is an example of how your chart may look:

As you can see in the chart above, the number 1 on the phone pad can be "pushed" by connecting 7 and 10 in my decoded phone button pad matrix. In the same vein, the number 6 can be pushed by connecting 11 and 3. Your numbers will no doubt be different with a different manufacturer or model of phone or even a different direction you chose to decode the keypad circuit.

Next we are going to solder into each unique pad on our circuit. This means, if you have more than one 1 labelled on your chart, you will only need to solder into the first one. Prepare these pads by melting a small amount of solder onto them. Strip the ends on your ribbon cable and tin the ends (twist the strands and melt a little solder into them). Solder them in the order you already named when you were beeping out your cable. In other words, solder the first lead to trace 1, the second lead to trace 2, and so on.

The finished phone pad should look like this:

Now test your soldering job and your handy little chart by powering up your handset and touching together two of the wires on the loose end of the ribbon cable. Test each button combination to make sure you haven't made any human errors. If your handset displays "1337 1337 1337357" you may win bonus points. Congrats!

Be sure to tune in for The Magic Phone, Part 2: The Circuit where we show you how to build a custom circuit to decode the rotary phone's clicks and "push" the button matrix you have just decoded in Part 1.