Tumbling exploits a weakness in the AMPS/NAMPS roaming system.
In tumbling, you first configure the SIDH in your mobile telephone to pretend to be from another cellular carrier. If you are in Colorado, for example, you would configure your mobile telephone as if it were subscribed to a cellular carrier in Texas.
Next, you modify your mobile telephone to generate a random ESN (Electronic Serial Number) and a random MIN (Mobile Identification Number) from an Area Code served by the carrier you configured into your mobile telephone in the first step.
This second step involves replacing the firmware in your mobile telephone with a set of firmware that has been modified to generate these rndom numbers, or "tumble." The mobile telephone should then generate two new random numbers each time it is power cycled.
When you placed a call with the modified telephone, the local cellular carrier would recognize your phone as a roaming telephone from a remote cellular carrier. The local cellular carrier would allow you make telephone calls, and would send the bill to the remote cellular carrier. The remote cellular carrier would realize that the ESN/MIN pair did not match a legitimate subscriber and would discard the data as bogus.
Tumbling allowed the maximum in convenience and anonymity with the least amount of fuss. Unfortunately, it also caused enormous headaches for legitimately roaming subscribers as the cellular carriers tried to stop the toll fraud.
The famous tumbling phone was the Oki 900.