💾 Archived View for gemini.spam.works › mirrors › textfiles › phreak › BOXES › boxes.nph captured on 2022-06-12 at 17:15:09.
View Raw
More Information
-=-=-=-=-=-=-
Instuctional phile
Topic ..................... Creating Various Phun Fone Toys
Author .................... Compilation phrom several sources
Compiler .................. Nocturnal Phoenix
This is one of a series of compilations I am creating of the
various techniques used to perphorm actions that aught not be
perphormed (but will be done anyway, so why not do it right?).
I am expecting to have maybe ten or so of these compilations
by the time I am done. I realized the need phor some phorm of
organization of this sort of inphormation when I came across
phour meg of shit like this. Out of that phour meg, two meg was
totaly redundant, one meg was corrupted to the point of not
being able to read it, and of the other meg, everything that
was actually usephul was scattered everywhere in bits and pieces.
Now I personally am a strong proponant of peacephul world Anarchy,
but I would really rather not try to make something phun like
nitroglycerin (to use something extremely dangerous that I saw
phrequently in all that shit) without having a complete set of
instructions. Whenever it was possible, I have given credit to
the author of the original article, although I phound many
articles which were the same, word phor word, but with dipherent
authors, phorcing me to chose one of them. Sorry if I chose
wrong.
The compiler of this phile apologizes to the authors of the
articles within phor any alterations done to their documents.
This was unavoidable, as most of these texts were nearly
unreadable by the time I got them. I assume this is due to
various changes made by people who had been in possesion of
them bephore me, and to the slow corruption of the data as it
was sent over innumerable fone lines phrom modem to modem. To
avoid the phurther corruption of this very usephul inphormation,
I would ask two things:
1. That any comments, notes, additions, etc. be placed at
the very end of this phile, not just stuck wherever you
pheel like it. I have put a sample addition in at the
end of this file for convenience. Please leave:
- Your name (your phake name that would be used phor
BBS' and such, not your real name)
- The date
- Where you can be reached (BBS' etc.)
- The inphormation you wish to leave
2. That any random corruptions phound while reading (such
as the word "TELEPHONE" appearing as "TELEPH?NE") are
phixed (I'm sure that some smartass will be tempted to
phix the example I have just given. Please don't).
Thank you phor your cooperation in this matter. Please give
this phile to whoever you can, knowing that it will probably
have grown substantially by the next time you phind it. Also,
when you do phind it again, and it is a newer version than you
have, delete the older version and only distribute the newer
one.
- Nocturnal Phoenix
------------------------------------------------------------------------------
)()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()(
)( How To Listen In On Cordless Telephone Conversations )(
)( )(
)( An Original 'Phile' By: Beowulf )(
)( )(
)( Call The Outhouse BBS 201-756-9575 )(
)( )(
)()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()(
Have you ever wanted to know what your brother/sister/parents/
friends/enemies were saying as they hid somewhere, cordless phone in hand?
With this phile, now you can! Just follow the simple instructions outlined
inside.
First some information about cordless telephones:
The original cordless telephones (1978-about late 1983) were made
to be used on the 1.6 to 1.8 MHz band. If you will notice, 1.6 MHz is also
the top end of the AM broadcast band. These phones operate on AM (just like
the radio stations) and use the wiring in your house for an antenna. The
power of these phones is 1/10 of a watt in most cases, or about 1/50th of the
power that your average CB radio will put out. So, not having a lot of power,
it is tough to hear these phones. You know how they say '500 foot range'?
Sure, that's the range of the handset to the base, but not of the signals
emitted by the base! Which means that on good nights you can hear them for
many miles (I live in NJ an have heard telephones VERY loudly from NY City,
35 MILES away!).
The newer phones, however, are not as easy to hear. They operate
on FM on the 49 MHz band, which is the same frequency which your little
walkie-talkies that you loved as a ten year old operate on. These phones
require a little bit more effort to be heard than do the old ones (and a
little $$). Never fear, however, because about 1 out of 10 phones is the
old style, and they are still being made and sold today.
How To Do It:
For the old style phones, you will need to get a pocket size AM
transistor radio. The one I used was an AM/FM Realistic (bought for $9 at
Radio Shack). There should be a small plastic box inside the radio. This
little 'box' is the VFO (Variable Frequency Oscillator) which controlls the
frequency of the radio. Now of course, you aren't going to have a digital
frequency counter (they only cost $400, so everyone should have at least
two of them) so before you do anything, turn on the radio and tune to the
top of the band and find the station which is closest to the top of the
broadcast band. Write down the frequency so you have something to compare
to later.
Now, turn off the radio, get a small size screwdriver, and
adjust the small screw(s) on the back of the little plastic box. Don't turn
them more than a quarter turn at a time. Now, when you have done your first
'tweak' of the screws, turn on the radio and see where that station at the
top of the band is now on the frequency dial. When you have gotten the
station 150-200 kHz down from where it was, (like if the frequency was 1600,
get it down between 1400 and 1450), you are all set to recieve cordless
telephones at the top end of the radio! Note: this little 'trick' may not
work as well on all radios, but it is worth a try. If worse comes to worse,
you can turn them back.
The ideal distance is a close to the base as you can get, but this
sucker should pull in signals from up to 500 feet away with no problem.
Simply go near someones house with this, and then have fun!
Another way: Another way to do this, if the VFO adjustment trick
does'nt work, is to adjust the small metal boxes that have little colored
screws in them. These are the tuning coils for the reciever circuit, and they
affect the frequency also. Another possibility is a combination of turning
the VFO screws and the coils to try to get the desired effect. Good Luck!
Now for the tough ones, the new phones. The new phones work on
the 49 MHz band. You are going to need one of the 'new' walkie talkies that
operate on 49 MHz ===- FM -=== (the cheap shit ones are AM). If you
decide to invest in one at Radio Shack or similar store, make damn sure you
get FM walkie talkies. If you get AM, you're screwed, unless you have a
friend who is killer into electronics or ham radio who has the knowledge to
convert AM to FM. (Yes, it can be done. I have done it with CB's, and it is
great for CB because no one can understand what you are saying unless they
have a FM-converted CB.....Hmm.....that may be my next text phile...look for
it!!) Anyway.....when you get your FM walkie talkie, you can do one of two
things:
A) You can play the adjust the coils trick as mentioned in the last
article (there is no VFO because walkie talkies are crystal
controlled).
B) You can change the crystal. Popular frequencies for cordless
phones are 49.830, 49.860 and 49.890 MHz. These crystals can
be obtained from electronic supply houses (like ones that sell
chips for your Apple) for about $2 or less each.
And that just about concludes this phile. There are two other
shortcut methods that can be used to bypass this mess and get you listening
in right away.
1) Get a general coverage receiver. They cover all frequencies
from 100 kHz to 30 MHz, and will provide you with 'armchair'
reception because you can hook up a monster antenna. (I have
a 1964 vintage model that I got for $10 sitting on my desk
with a 600 foot long piece of wire for an antenna....boy,
I know everything in my neighborhood before the ladies start
gossiping!)
2) If you play guitar or bass, and have a 'wireless' system for
your guitar like the Nagy 49R, you can hook up a 12 volt
lantern battery and go prowling around listening for the
phones. (Bass rules!)
Method 1 only works on the old phones because of the frequency
limitations of the reciever, and method 2 is for new phones only because
the 'wireless' systems only work on 49 MHz FM.
Have phun with your new knowledge, and look for more philes
from me in the future (that CB FM is a good idea.....hmmmm...)
------------------------------------------------------------------------------
The basics of phone anarchy
This phile will teach you the basics of Phucking people up with
simple eletronic telephone terrorism!
1) Silent Phone Killer
This is a device , easy to make, that will take a persons phone off
the hook WITHOUT that phucking Alert noise!!
1) Aquire a wall mount, NOT FLUSH MOUNT, phone jack block.
This is a square box about 2" X 2" X 1/2" and has a
modular jack in the middle (or about).
2) Get a peice of thin wire (not unlike that used in the box)
3) Run the wire from the red to the green terminals as so to
connect them. Then Recover the box.
.
SIMPLE HUH?!
4) Now, Plug this baby into the wall via a telephone type
wire with a modular plug at each end. ZAP.
.
Until the device is deteted and removed, it will do 2
things:
a) Put the circut off hook.
b) MUTE all other phone devices in the house by drawing
all the phone line current. So it they pick up the
phone to try to dial, even IF the alert tone is on,
it will not be herd on the phone.
__________________________
Diag. # 1 I I
I MODULAR #### I
I PLUG -->#### I
I / \ I
I |/ \| I
I =|============|=WIRE I
I | | I
I RED GREEN I
--------------------------
2) Loss of hearing!!!
This one will make the victim HARD of HEARING.
1) Take a medium strength resistor.
2) Go outside their house. Open the phone connection
Box on the side of their house. Wire the resistor
in between the red in from the streen and the red
going to the home. HEHEHEHE. this will reduce
audio, along with causing nemerous other SMALL
bugs....
Diag. # 2
---------------------------
I___________ I
I I I
MODULAR --->####-----I -----^^^-R I
PLUG I ####-----I ---------G I
I \ \------I-\________Y I
I \----- I-\________B I ^^^ = RESISTOR
I I I
I I I
---------------------------
(THIS IS WHAT MOST MODERN ONES LOOK LIKE)
(CHECK YOU TARGETS HOME FOR EXACT LAYOUT)
Well, That should keep ya busy
------------------------------------------------------------------------------
Making your own test set
So, you want a lineman's test set, but are too scared to steal one and
don't want to pay $200.00 for one. Well, this file will tell you how.
You will need :
3 aligator clips. (The extra for if you screw up one)
1 ONE PEICE phone (the kind you set down on a table to
hang up)
Optional:
1 wall mount phone jack (For noise-less conecting)
Ok. Now you have your shit, what do you do?
1. slice off the modular plug off the phone. KEEP THE PHONE CORD LONG!!
2. expose about 1/2 an inch of the conductor of the RED and GREEN wires.
2a If there is an black and yellow wire on the phone cord, cut them down to
get them out of the way. You don't need them
3. Attach the alligator clips to the exposed wires (Try to color cordnate the
clips so you know what is green and what is red)
easy huh?
____phone
here is s diagram: /
/
####################################### red
# # /
# # # # # # ### #==================------==\= \___Clips
# # # # # # ### #==================------==\= /
# # # # # # \
####################################### green
Optional modifications:
1) Keep the phone intact. use the wall mount phone outlet and a peice of 2
conductor wire (or phone cord type wire). Attach the wire to the block, and
attach the clips to the wire as shown above.
2) If you have a little money and the phone line to tap has a close by AC
outlet, use a cordless phone insted of the regular one. This allows for
you to be away from the base and still use the target line. Try to get a
phone that uses CH 10. This ,I have found, is the clearest signal.
Here is a diagram of the box method:
box
/
_____________ / red
| | /
| __ |---------------===\=
| |__| |---------------===\=
| | \
|_____________| green
------------------------------------------------------------------------------
OoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoO
oO Oo
Oo Building a Diverter Box oO
oO Designed by: Oo
Oo Digital Deviant oO
oO Oo
OoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOo 5/12/91 oOoO
Does the Menace of ESS have you down?Tired of worrying about getting nabbed
everytime you phreak?Well then the Diverter Box is for you.A few years back I
got plans for a box called the Gold Box.Most hackers soon found out that the
Gold Box did not work after trying to construct it.The Gold Box design was
totally fucked.I still see the plans on many boards to this day.Even though
they don't work.But it is those plans inspired me to design the Diverter Box.
The construction is fairly simple and cheap.You can get all of the needed
parts at your local Radio shack.
PARTS NEEDED:
=QTY=========ITEM====================================CAT NO======PRICE=======
3 SPDT MICROMINIATURE PC RELAY 275-240 $1.99 EACH
2 NEON LAMPS 272-1100 $ .89 EACH
2 PHOTOCELLS 276-1657 $1.98 FOR 5
1 200V SILICON CONTROLLED RECTIFIER (SCR) 276-1067 $ .99
1 1:1 AUDIO TRANSFORMER 273-1374 $3.59
1 9V BATTERY SNAP CONNECTOR 270-325 $1.19 FOR 5
1 9V BATTERY
- SOME WIRE, ELEC TAPE AND SOLDER
=============================================================================
CONSTRUCTION/ PLANS:
Ok,take the Neon Lamps and the Photocells and tape them together with the
electrical tape or any tape that will not allow light in.Tape them together
so that the Neon Lamp will shine directly on the photocell.Make sure that no
light can get in.Ok,now you will have two separate Optocouplers.In the plans
they will be labeled MOC1,and MOC2.It would be best to print the plans out,
so you can see the whole thing at one time.
BLACK RED
?????????????????????????????????????????????????????????????????????????????
? AUDIO ?
Connect Wires to FONE #1 ? TRANSFORMR? Connect Wires to FONE #2
????????????? ????????????? ???????????????????????
WHITE ? W? ???? ? YELLOW
? H? ?Y ?
? I????? ?E ?
? T ? ?L ?
? E ? ?L ?
? ?????????????? ? ?W ?????????????? ?
????oNO NCo ? ? ?????oNO NCo ? ?
?????o COIL o???????????????o COIL o?????????????
? ? ? ? ? ? ? ?
? ? ? ? ? ? ? + ?
? ? o COM o?????? ? o COM o???? ?
? ?????????????? ?????????????? ?
? RELAY #1 RELAY #2 ? - NEGATIVE
??????????????????? ??????????????
?????????????? ? ? 9V ?
? oNO NCo???? ? BATTERY?
???????o COIL o?????? ????????????????????? ????????????
? ? ? ? ? ????????????? ? ? + POSITIVE
? ? ? ? ? ? ??o?? ? ? ?
? ? o COM o?????+????????? ? SCR ????? ? ? ??
? ?????????????? ? ????? ? ? ?
? RELAY #3 ? ? ? ? ? ? ?
? - ? 1 2 3?? ? ?
? Connect wire to the ? ? ? ? ? ?
? NEGATIVE terminal on? ? ?????????? ?
? Battery ? ? ? ?
? ????????????????????? ? ?????????????+
? ? ? ?
? ? PHOTOCELL ? ?
? ? LEADS ?????????????? ?
????????? ? ?
? MOC1 ? ? ? PHOTOCELL
????????? ? ? LEADS
?Connect? NEON LAMP ? ?
? to ? LEADS ? ?
?FONE #3? ?????????
? ? ? MOC1 ?
?????????
?Connect? NEON LAMP
? to ? LEADS
?FONE #1?
? ?
USAGE/ TIPS:
You can probably find a better way to connect everything.I just drew the
schematics like that so they would be easy to understand.In the areas where a
wire crosses over another wire DO NOT connect them, UNLESS there is a "+" sign
where the wires cross.Now solder all the shit together.The polarity on the
Fone lines doesn't matter.So you won't have to spend time and frustration
trying to get the proper polarity connections.As you may have noticed you will
need three fone lines.FONE #1 will be the number you call to get a dial tone.
FONE #2 is the fone line that you will be dialing out from.You will call
FONE #3 to disconnect FONE #1 and FONE #2,in other words you will call this
number to cause them to hang up.If you know anything about electronics you
could hook up a tone detecting chip that would activate RELAY #3 when a
certain tone is played.This would cause the fones to hang up.FONE #2 MUST be a
regular fone line.FONE #1 and FONE #3 can be a Pay Fone Line or a regular Fone
Line.
A good place to hook this up would be at a Jiffy that has two pay fones.But
you would not be able to use your box until they close.Your best bet would be
to hook it up at a big hotel or motel.They have plenty of pay fones.You may
have to run some wire to connect to their PBX,but it can be done.After you've
got the device hooked up ANI Fone #1 and Fone #3...Now your all set.Dial with
care, but dial any where.Have phun!
DISCLAIMER:
This file is for INFORMATIONAL Purposes ONLY.The Diverter Box is not to be
used in any illegal manner(Yeah, thats it).I do NOT take any responsibility
for your actions!
------------------------------------------------------------------------------
HOW TO BUILD A BLACK BOX
------------------------
A BLACK BOX IS A DEVICE THAT IS HOOKED UP TO YOUR FONE THAT FIXES YOUR FONE
SO THAT WHEN YOU GET A CALL, THE CALLER DOESN'T GET CHARGED FOR THE CALL.
THIS IS GOOD FOR CALLS UP TO 1/2 HOUR, AFTER 1/2 HOUR THE FONE CO. GETS
SUSPICOUS, AND THEN YOU CAN GUESS WHAT HAPPENS.
THE WAY IT WORKS:
WHAT THIS LITTLE BEAUTY DOES IS KEEP THE LINE VOLTAGE FROM DROPPING TO 10V
WHEN YOU ANSWER YOUR FONE. THE LINE IS INSTEAD KEPT AT 36V AND IT WILL MAKE
THE FONE THINK THAT IT IS STILL RINGING WHILE YOU'RE TALKING. THE REASON FOR
THE 1/2 HOUR TIME LIMIT IS THAT THE FONE CO. THINKS THAT SOMETHING IS WRONG
AFTER 1/2 AN HOUR OF RINGING.
ALL PARTS ARE AVAILABLE AT RADIO SHACK. USING THE LEAST POSSIBLE PARTS AND
ARANGEMENT, THE COST IS $0.98, AND THAT IS PARTS FOR TWO OF THEM! TALK
ABOUT A DEAL! IF YOU WANT TO SPLURGE THEN YOU CAN GET A SMALL PC BOARD,
AND A SWITCH. THERE ARE TWO SCHEMATICS FOR THIS BOX, ONE IS FOR MOST NORMAL
FONES. THE SECOND ONE IS FOR FONES THAT DON'T WORK WITH THE FIRST. IT WAS
MADE FOR USE WITH A BELL TRIMLINE TOUCH TONE FONE.
** SCHEMATIC 1 FOR MOST FONES **
** LED ON: BOX ON **
PARTS: 1 1.8K 1/2 WATT RESISTOR
1 1.5V LED
1 SPST SWITCH
YOU MAY JUST HAVE TWO WIRES WHICH YOU
CONNECT TOGETHER FOR THE SWITCH.
FROM >--------------------GREEN-> TO
LINE >--! 1.8K LED !---RED--> FONE
!--/\/\/\--!>--!
! !
------>/<-------
SPST
** SCHEMATIC 2 FOR ALL FONES **
** LED ON: BOX OFF **
PARTS: 1 1.8K 1/2 WATT RESISTOR
1 1.5V LED
1 DPST SWITCH
FROM >---------------GREEN-> TO
LINE >------- ---RED--> FONE
! LED !
-->/<--!>--
! !
---/\/\/---
1.8K
HERE IS THE PC BOARD LAYOUT THAT I
RECOMMEND USING. IT IS NEAT AND IS
VERY EASY TO HOOK UP.
SCHEMATIC #1 SCHEMATIC #2
************** ****************
* * * ------- *
* --<LED>--- * * ! ! *
* ! ! * * ! <SWITCH> *
* RESISTOR ! * * ! ! ! *
* ! ! * * ! ! / *
* -------- ! * * ! ! \ *
* ! ! * * ! <LED>! / *
* --SWITCH-- * * ! ! \ *
* ! ! * * ! ! / *
L * ! ! * F L * ! ! ! * F
I>RED- -RED>O I>RED- ---RED>O
N>-----GREEN---->N N>-----GREEN------>N
E * H * E E * * E
************** ****************
ONCE YOU HAVE HOOKED UP ALL THE PARTS, YOU MUST FIGURE OUT WHAT SET OF WIRES
GO TO THE LINE AND WHICH GO TO THE FONE. THIS IS BECAUSE OF THE FACT THAT
LED'S MUST BE PUT IN IN A CERTAIN DIRECTION. DEPENDING ON WHICH WAY YOU PUT
THE LED IS WHAT CONTROLS WHAT WIRES ARE FOR THE LINE & FONE.
HOW TO FIND OUT:
HOOK UP THE BOX IN ONE DIRECTION USING ONE SET OF WIRES FOR LINE AND THE
OTHER FOR FONE.
- NOTE* FOR MODEL I SWITCH SHOULD BE OFF.
- NOTE* FOR MODEL ][ SWITCH SHOULD BE SET TO SIDE CONNECTING THE LED.
ONCE YOU HAVE HOOKED IT UP, THEN PICK UP THE FONE AND SEE IF THE LED IS ON.
IF IT IS, THE LED WILL BE LIT. IF IT DOESN'T LIGHT THEN SWITCH THE WIRES AND
TRY AGAIN. ONCE YOU KNOW WHICH ARE WHICH THEN LABEL THEM.
- NOTE* IF NEITHER DIRECTIONS WORKED THEN YOUR SWITCH WAS IN THE WRONG
POSITION. NOW LABLE THE SWITCH IN ITS CURRENT POSITION AS BOX ON.
HOW TO USE IT:
THE PURPOSE OF THIS BOX IS TO PEOPLE WHO CALL YOU SO IT WOULD MAKE
SENCE THAT IT CAN ONLY BE USED TO RECEIVE! CALLS. WHEN THE BOX IS *ON*
THEN YOU MAY ONLY RECIEVE CALLS. YOUR PHONE WILL RING LIKE NORMAL AND
THE LED ON THE BOX WILL FLASH. IF YOU ANSWER THE FONE NOW, THEN THE LED
WILL LIGHT AND THE CALLER WILL NOT BE CHARGED. HANG UP THE FONE AFTER
YOU ARE DONE TALKING LIKE NORMAL. YOU WILL NOT BE ABLE TO GET A DIAL
TONE OR CALL WHEN THE BOX IS ON, SO TURN THE BOX *OFF* FOR NORMAL CALLS.
I DON'T RECOMMEND YOU DON'T WANT IT TO ANSWER WHEN MA BELL CALLS!
------------------------------------------------------------------------------
From : THE PHREAKER'S HANDBOOK
Issue #1, Volume 1
July 3, 1989
By DOCTOR DISSECTOR
aqua box - A box designed to drain the voltage of the FBI lock-in-
trace/trap-trace so you can hang up your fone in an emergency and
phrustrate the Pheds some more. The apparatus is simple, just connect the
two middle wires of a phone wire and plug, which would be the red and green
wires if in the jack, to the cord of some electrical appliance; ie, light
bulb or radio. KEEP THE APPLIANCE OFF. Then, get one of those line
splitters that will let you hook two phone plugs into one jack. Plug the
end of the modified cord into one jack and your fone into the other. THE
APPLIANCE MUST BE OFF! Then, when the Pheds turn their lame tracer on and
you find that you can't hang up, remove your fone from the jack and turn
the appliance ON and keep it ON until you feel safe; it may be awhile. Then
turn it off, plug your fone back in, and start phreaking again. Invented
by: Captain Xerox and The Traveler.
beige box - An apparatus that is a home-made lineman's handset. It is
a regular fone that has clips where the red and green wires normally
connect to in a fone jack. These clips will attach to the rings and tips
found in many of MA's output devices. These are highly portable and VERY
useful when messing around with cans and other output devices the fone
company has around. Invented by: The Exterminator and The Terminal Man.
black box - The infamous box that allows the calling party to not be
billed for the call placed. We won't go in depth right now, most plans can
be found on many phreak oriented BBS's. The telco can detect black boxes if
they suspect one on the line. Also, these will not work under ESS.
bleeper boxes - The United Kingdom's own version of the blue box,
modified to work with the UK's fone system. Based on the same principles.
However, they use two sets of frequencies, foreword and backwards.
Blotto box - This box supposedly shorts every fone out in the
immediate area, and I don't doubt it. It should kill every fone in the
immediate area, until the voltage reaches the fone company, and the fone
company filters it. I won't cover this one in this issue, cuz it is
dangerous, and phreaks shouldn't destroy MA's equipment, just phuck it up.
Look for this on your phavorite BBS or ask your phavorite phreak for info
if you really are serious about seriously phucking some fones in some area.
blue box - An old piece of equipment that emulated a true operator
placing calls, and operators get calls for free. The blue box seizes an
open trunk by blasting a 2600 Hz tone through the line after dialing a
party that is local or in the 800 NPA so calls will be local or free for
the blue boxer. Then, when the blue boxer has seized a trunk, the boxer may
then, within the next 10-15 seconds, dial another fone number via MF tones.
These MF tones must be preceded by a KP tone and followed with a ST tone.
All of these tones are standardized by Bell. The tones as well as the inter-
digit intervals are around 75ms. It may vary with the equipment used since
ESS can handle higher speeds and doesn't need inter-digit intervals. There
are many uses to a blue box, and we will not cover any more here. See your
local phreak or phreak oriented BBS for in depth info concerning blue boxes
and blue boxing. Incidentally, blue boxes are not considered safe anymore
because ESS detects "foreign" tones, such as the 2600 Hz tone, but this
detection may be delayed by mixing pink noise of above 3000 Hz with the
2600 Hz tone. To hang up, the 2600 Hz tone is played again. Also, all blue
boxes are green boxes because MF "2" corresponds to the Coin Collect tone
on the green box, and the "KP" tone corresponds to the Coin Return tone on
the green box. See green box for more information. Blue boxing is
IMPOSSIBLE under the new CCIS system slowly being integrated into the Bell
system.
blue box tones - The MF tones generated by the blue box in order to
place calls, emulating a true operator. These dual tones must be entered
during the 10-15 second period after you have seized a trunk with the 2600
Hz tone.
700: 1 : 2 : 4 : 7 : 11 : KP= Key Pulse
Parallel Frequencies 900: ** : 3 : 5 : 8 : 12 : ST= STop
2= Coin Collect 1100: ** : ** : 6 : 9 : KP : KP2= Key Pulse 2
KP= Coin Return 1300: ** : ** : ** : 10 :KP2 : **= None
(green box tones) 1500: ** : ** : ** : ** : ST :
: 900:1100:1300:1500:1700: 75ms pulse/pause
bridge - I don't really understand this one, but these are important
phreak toys. I'll cover them more in the next issue of TPH.
busy box - Box that will cause the fone to be busy, without taking it
OFF-HOOK. Just get a piece of fone wire with a plug on the end, cut it off
so there is a plug and about two inches of fone line. Then, strip the wire
so the two middle wires, the tip and the ring, are exposed. Then, wrap the
ring and the tip together, tape with electrical tape, and plug into the
fone jack. The fone will be busy until the box is removed.
cheese box - Another type of box which, when coupled with call
forwarding services, will allow one to place free fone calls. The safety of
this box is unknown. See references for information concerning text philes
on this box.
clear box - Piece of equipment that compromises of a telephone pickup
coil and a small amp. This works on the principal that all receivers are
also weak transmitters. So, you amplify your signal on PP fortress fones
and spare yourself some change.
diverter - This is a nice phreak tool. What a diverter is is a type of
call forwarding system done externally, apart from the fone company, which
is a piece of hardware that will foreword the call to somewhere else. These
can be found on many 24 hour plumbers, doctors, etc. When you call, you
will often hear a click and then ringing, or a ring, then a click, then
another ring, the second ring often sounds different from the first. Then,
the other side picks the fone up and you ask about their company or
something stupid, but DO NOT ANNOY them. Then eventually, let them hang up,
DO NOT HANG UP YOURSELF. Wait for the dial tone, then dial ANI. If the
number ANI reads is different from the one you are calling from, then you
have a diverter. Call anywhere you want, for all calls will be billed to
the diverter. Also, if someone uses a tracer on you, then they trace the
diverter and you are safe. Diverters can, however, hang up on you after a
period of time; some companies make diverters that can be set to clear the
line after a set period of time, or click every once in a while, which is
super annoying, but it will still work. Diverters are usually safer than LD
extenders, but there are no guarantees. Diverters can also be accessed via
phortress fones. Dial the credit operator and ask for the AT&T CREDIT
OPERATOR. They will put on some lame recording that is pretty long. Don't
say anything and the recording will hang up. LET IT HANG UP, DO NOT HANG
UP. Then the line will clear and you will get a dial tone. Place any call
you want with the following format: 9+1+NPA+Nxx+xxxx, or for local calls,
just 9+Nxx+xxxx. I'd advise that you call ANI first as a local call to make
sure you have a diverter.
green box - Equipment that will emulate the Coin Collect, Coin Return,
and Ringback tones. This means that if you call someone with a fortress
fone and they have a green box, by activating it, your money will be
returned. The tones are, in hertz, Coin Collect=700+1100, Coin
Return=1100+1700, and Ringback=700+1700. However, before these tones are
sent, the MF detectors at the CO must be alerted, this can be done by
sending a 900+1500 Hz or single 2600 Hz wink of 90ms followed by a 60ms
gap, and then the appropriate signal for at least 900ms.
gold box - This box will trace calls, tell if the call is being
traced, and can change a trace.
grey box - Also known as a silver box. See silver box.
output device - Any type of interface such as cans, terminal sets,
remote switching centers, bridging heads, etc., where the fone lines of the
immediate area are relayed to before going to the fone company. These often
are those cases painted light green and stand up from the ground. Most of
these can be opened with a 7/16 hex driver, turning the security bolt(s)
1/8 of an inch counter-clockwise, and opening. Terminals on the inside
might be labeled "T" for tip and "R" for ring. Otherwise, the ring side is
usually on the right and the tip side is on the left.
purple box - This one would be nice. Free calls to anywhere via blue
boxing, become an operator via blue box, conference calling, disconnect
fone line(s), tap fones, detect traces, intercept directory assistance
calls. Has all red box tones. This one may not be available under ESS.
rainbow box - An ultimate box. You can become an operator. You get
free calls, blue box. You can set up conference calls. You can forcefully
disconnect lines. You can tap lines. You can detect traces, change traces,
and trace as well. All incoming calls are free. You can intercept directory
assistance. You have a generator for all MF tones. You can mute and redial.
You have all the red-box tones. This is an awesome box. However, it does
not exist under ESS.
red box - Equipment that will emulate the red box tone generated for
coin recognition in all phortress fones.
red box tones - Tones that tell the phortress fone how much money was
inserted in the fone to make the required call. In one slot fones, these
are beeps in pulses; the pulse is a 2200+1700 Hz tone. For quarters, 5 beep
tones at 12-17 PPS, for dimes it is 2 beep tones at 5-8.5 PPS, and a nickel
causes 1 beep tone at 5-8.5 PPS. For three slot fones, the tones are
different. Instead of beeps, they are straight dual tones. For a nickel, it
is one bell at 1050-1100 Hz, two bells for a dime, and one gong at 800 Hz
for a quarter. When using red box tones, you must insert at least one
nickel before playing the tones, cuz a ground test takes place to make sure
some money has been inserted. The ground test may be fooled by the Paper
Clip Method. Also, it has been known that TSPS can detect certain red box
tones, and will record all data on AMA or CAMA of fraudulent activity.
ring - The red wire found in fone jacks and most fone equipment. The
ring also is less positive than the tip. When looking at a fone plug on the
end of typical 4 wire fone line from the top, let's say the top is the side
with the hook, the ring will be the middle-right wire. Remember, the ring
is red, and to the right. The three "R's" revived!
silver box - Equipment that will allow you to emulate the DTMF tones
A,B,C,D. The MF tones are, in hertz, A=697+1633, B=770+1633, C=852+1633,
D=941+1633. These allow special functions from regular fones, such as ACD
Testing Mode.
switchhook - The button on your fone that, when depressed, hangs the
fone up. These can be used to emulate rotary dial fones if used correctly.
tip - The green wire found in fone jacks and most fone equipment. The
tip is the more positive wire compared to the ring. When looking at a fone
plug from the top, lets say the hook side is the top, the tip will be the
middle wire on the left.
white box - This is a portable DTMF keypad.
------------------------------------------------------------------------------
High Tech Revenge: The Beigebox by The BHU
The beigebox is simply a consumer lineman's handset which is a
phone that can be attached to the outside of a person's house. To
fabricate a beigebox follow along.
Making a beigebox:
Obtain an old phone and cut off the plug on the end. Solder an
alligator clip onto the red wire and the green wire.
Now imagine the possibilities: a $2000 dollar phone bill for
that special person 976 numbers galore even harassing the
operator at no risk to you! Think of it as walking into an
enemies house and using their phone to your heart's content.
Connecting the beigebox:
Look on the outside of your victim's house taking note of any
wires leading from a telephone pole to the exterior of their
house. Follow the wires and find where they connect. The
telephone wire should be black and about the width of your small
finger. You do NOT want the 220 volt house current unless you
like having a permanent orange afro.
When the telephone wire connects to the victim's house it should
run down their wall and into a small beige or grey box. Some
boxes have a bolt in the dead center and some have even gone as
far as to have a lock (smashing them open is no problem). Now
you must open the box and observe: you should see three bolts
each with wires attached. Connect the two alligator clips to the
two outside bolts and then you should get a dial tone. If you
do not get a dial tone experiment with the connections. By the
way don't worry about getting electrocuted; there is not enough
power in the phone lines to harm you.
After placing a few phone calls if you really want to get even
pull all the wires out of the box. This will result in about a
$100 dollar service charge for your enemy.
Use your imagination!
------------------------------------------------------------------------------
P/HUN Newsletter #1 Phile 1.8 of 1.14
-=-=<* Red and Green boxes revived *>=-=-
---------------------------
By: Pink Panther
Probably most of the information I am about to tell you, you
probably already know or have it stored somewhere. But I have seen
quite a lot of questions on the subject lately, and thought to
explain a couple of things.
Blue boxing has been dead for quite some time since
everything went to ESS, and the same with black boxing. The
latest form of boxing is red and green boxing. They both deal
with fortress phones and can only be used with a fortress phone.
With a red box, you dial a number at a fortress, insert
a nickel, which is the ground check, and play the tape. It will
emulate coins being dropped into the fortress. Since there is
also questions on what are and how to get these tones, I've
created a simple step process:
1) Obtain a recorder that you can directly hook into
a fone line. If you use a regular recorder, you will
need some modification on it. If you have an answering
machine, then you have it made.
2) Find a fortress, and follow the metal pipe (usually
metal) from the fortress to where ever it ends up.
At somepoint on the pipe, there will be a small box which
is held together by two screws. Unscrew the box.
3) You now should find two bolts with wires connected
to them. The wires are 22 gauge (which is fairly
thin wire). If you see thicker wires, such
as 12 gauge wires, these are 220 volt AC lines,
usually connected to the light in the phone booth.
Do not touch the AC lines, unless you are stupid.
Connect the tape recorder to the proper bolts, which
means the 22 gauge wire.
4) Now dial a long distance fone number, and you will
get a recordering to insert some money. Insert about
$6.00 in quarters, then hang up and your money will
be returned. The tones should have been recorded
with a normal tape with no dolby.
5) Obtain a recorder with a built in speaker, or
rip apart a phone set and obtain the earpiece. If
there is a diode across the earpiece, remove it.
Connect the earpiece to the output of the recorder.
(I recommend using an earpiece rather than a built
in speaker).
6) To test your tones, dial 0-959-1230 from a fortress,
and you should get 'Coin Test ... Please Deposit ... .'
Play back the tones you recorded and if everything
goes well, you should hear 'Quarter' everytime a tone
is played. Remember you only recorded quarter tones.
You can record any tones you want by inserting different
coins at the recording stage. If you are having problems,
try adjusting the volume.
7) To use, dial a non-local number, insert a real nickel,
and play the tones. Make sure you have enough tones
on the recorder to complete the call.
Now I will explain a little about what exactly happens
when you deposit coins. When you deposit a coin, it goes through
a series of tests, determining what type of coin it is. It
will be deposited in various coin slots within the fortress itself
if everything goes right. But before it is deposited in the
right slot it will cause a wheel to be turned. A nickel will
turn the wheel once, a dime twice, and quarter five times. This
will cause a frequency to be generated which is sent to a
operator or computer. A capacitor is placed across the
speech circuit while these tones are generated so that the
customer does not here them. Here are the tones and PPS (pules
per second):
Nickel: 1 beep 5-8.5 PPS
Dime: 2 beeps 5-8.5 PPS
Quarter: 5 beeps 12-17 PPS
A green box allows the caller on the fortress to get his
money back. It will generate the tones for coin collect, coin
return, and ringback. This is basically what an operator uses.
A green box cannot be used on a fortress, but must be used by the
called party. An operator release signal must be sent before
any tones from the green box are sent. This contains of
a 2600hz tone for 90ms, then 60ms silence, then 2600hz for
900ms. This all must be done within the three minute collect
period. Anyway, here are the tones:
Ringback: 700hz+1700hz
Coin Return: 1100hz+1700hz
Coin Collect: 700hz+1700hz
I hope this has enlighted the few without such knowledge.
If you are confused, then don't phuck with this stuff, and get
out of phreaking.
------------------------------------------------------------------------------
==Phrack Inc.==
Volume Three, Issue 25, File 7 of 11
^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^
^*^ ^*^
^*^ The Blue Box And Ma Bell ^*^
^*^ ^*^
^*^ Brought To You by The Noid ^*^
^*^ ^*^
^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^
"...The user placed the speaker over the telephone handset's
transmitter and simply pressed the buttons that corresponded
to the desired CCITT tones. It was just that simple."
THE BLUE BOX AND MA BELL
~~~~~~~~~~~~~~~~~~~~~~~~
Before the breakup of AT&T, Ma Bell was everyone's favorite enemy. So it was
not surprising that so many people worked so hard and so successfully at
perfecting various means of making free and untraceable telephone calls.
Whether it was a BLACK BOX used by Joe and Jane College to call home, or a
BLUE BOX used by organized crime to lay off untraceable bets, the technology
that provided the finest telephone system in the world contained the seeds of
its own destruction.
The fact of the matter is that the Blue Box was so effective at making
untraceable calls that there is no estimate as to how many calls were made
or lost revenues of $100, $100-million, or $1-billion on the Blue Box. Blue
Boxes were so effective at making free, untraceable calls that Ma Bell didn't
want anyone to know about them, and for many years denied their existence.
They even went as far as strongarming a major consumer-science magazine into
killing an article that had already been prepared on the Blue and Black
boxes. Furthermore, the police records of a major city contain a report
concerning a break-in at the residence of the author of that article. The
only item missing following the break-in was the folder containing copies of
one of the earliest Blue-Box designs and a Bell-System booklet that described
how subscriber billing was done by the AMA machine -- a booklet that Ma Bell
denied ever existed. Since the AMA (Automatic Message Accounting) machine
was the means whereby Ma Bell eventually tracked down both the Blue and Black
Boxes, I'll take time out to explain it. Besides, knowing how the AMA
machine works will help you to better understand Blue and Black Box "phone
phreaking."
Who Made The Call?
~~~~~~~~~~~~~~~~~~
Back in the early days of the telephone, a customer's billing originated in a
mechanical counting device, which was usually called a "register" or a
"meter." Each subscriber's line was connected to a meter that was part of a
wall of meters. The meter clicked off the message units, and once a month
someone simply wrote down the meter's reading, which was later interpolated
into message-unit billing for those subscriber's who were charged by the
message unit. (Flat-rate subscriber's could make unlimited calls only within
a designated geographic area. The meter clicked off message units for calls
outside that area.) Because eventually there were too many meters to read
individually, and because more subscribers started questioning their monthly
bills, the local telephone companies turned to photography. A photograph of a
large number of meters served as an incontestable record of their reading at a
given date and time, and was much easier to convert to customer billing by the
accounting department.
As you might imagine, even with photographs, billing was cumbersome and did
not reflect the latest technical developments. A meter didn't provide any
indication of what the subscriber was doing with the telephone, nor did it
indicate how the average subscriber made calls or the efficiency of the
information service (how fast the operators could handle requests). So the
meters were replaced by the AMA machine. One machine handled up to 20,000
subscribers. It produced a punched tape for a 24-hour period that showed,
among other things, the time a phone was picked up (went off-hook), the number
dialed, the time the called party answered, and the time the originating phone
was hung up (placed on-hook).
One other point, which will answer some questions that you're certain to think
of as we discuss the Black & Blue boxes: Ma Bell did not want persons outside
their system to know about the AMA machine. The reason: Almost everyone
had complaints -- usually unjustified -- about their billing. Had the public
been aware of the AMA machine they would have asked for a monthly list of
their telephone calls. It wasn't that Ma Bell feared errors in billing;
rather, they were fearful of being buried under any avalanche of paperwork
and customer complaints. Also, the public believed their telephone calls
were personal and untraceable, and Ma Bell didn't want to admit that they
knew about the who, when, and where of every call. And so Ma Bell always
insisted that billing was based on a meter that simply "clicked" for each
message unit; that there was no record, other than for long-distance as to
who called whom. Long distance was handled by, and the billing information
was done by an operator, so there was a written record Ma Bell could not
deny.
The secrecy surrounding the AMA machine was so pervasive that local, state,
and even federal police were told that local calls made by criminals were
untraceable, and that people who made obscene telephone calls could not be
tracked down unless the person receiving the call could keep the caller on the
line for some 30 to 50 minutes so the connections could be physically traced
by technicians. Imagine asking a woman or child to put up with almost an
hour's worth of the most horrendous obscenities in the hope someone could
trace the line. Yet in areas where the AMA machine had replaced the meters,
it would have been a simple, though perhaps time-consuming task, to track
down the numbers called by any telephone during a 24 hour period. But Ma
Bell wanted the AMA machine kept as secret as possible, and so many a
criminal was not caught, and many a woman was harassed by the obscene calls
of a potential rapist, because existence of the AMA machine was denied.
As a sidelight as to the secrecy surrounding the AMA machine, someone at Ma
Bell or the local operating company decided to put the squeeze on the author
of the article on Blue Boxes, and reported to the Treasury Department that he
was, in fact, manufacturing them for organized crime -- the going rate in the
mid 1960's was supposedly $20,000 a box. (Perhaps Ma Bell figured the author
would get the obvious message: Forget about the Blue Box and the AMA machine
or you'll spend lots of time, and much money on lawyer's fees to get out of
the hassles it will cause.) The author was suddenly visited at his place of
employment by a Treasury agent.
Fortunately, it took just a few minutes to convince the agent that the author
was really just that, and not a technical wizard working for the mob. But one
conversation led to another, and the Treasury agent was astounded to learn
about the AMA machine. (Wow! Can an author whose story is squelched spill his
guts.) According to the Treasury agent, his department had been told that it
was impossible to get a record of local calls made by gangsters: The Treasury
department had never been informed of the existence of automatic message
accounting. Needless to say, the agent left with his own copy of the Bell
System publication about the AMA machine, and the author had an appointment
with the local Treasury-Bureau director to fill him in on the AMA machine.
That information eventually ended up with Senator Dodd, who was conducting a
congressional investigation into, among other things, telephone company
surveillance of subscriber lines -- which was a common practice for which
there was detailed instructions, Ma Bell's own switching equipment
("crossbar") manual.
The Blue Box
~~~~~~~~~~~~
The Blue Box permitted free telephone calls because it used Ma Bell's own
internal frequency-sensitive circuits. When direct long-distance dialing was
introduced, the crossbar equipment knew a long-distance call was being dialed
by the three-digit area code. The crossbar then converted the dial pulses to
the CCITT tone groups, shown in the attached table (at the end of this file),
that are used for international and trunkline signaling. (Note that those do
not correspond to Touch-Tone frequencies.) As you will see in that table, the
tone groups represent more than just numbers; among other things there are
tone groups identified as 2600 hertz, KP (prime), and ST (start) -- keep them
in mind.
When a subscriber dialed an area code and a telephone number on a rotary-dial
telephone, the crossbar automatically connected the subscriber's telephone to a
long-distance trunk, converted the dial pulses to CCITT tones, set up
electronic cross-country signaling equipment, and recorded the originating
number and the called number on the AMA machine. The CCITT tones sent out on
the long-distance trunk lines activated special equipment that set up or
selected the routing and caused electro-mechanical equipment in the target
city to dial the called telephone.
Operator-assisted long-distance calls worked the same way. The operator
simply logged into a long-distance trunk and pushed the appropriate buttons,
which generated the same tones as direct-dial equipment. The button sequence
was 2600 hertz, KP (which activated the long-distance equipment), then the
complete area code and telephone number. At the target city, the connection
was made to the called number but ringing did not occur until the operator
there pressed the ST button.
The sequence of events of early Blue Boxes went like this: The caller dialed
information in a distant city, which caused his AMA machine to record a free
call to information. When the information operator answered, he pressed the
2600 hertz key on the Blue Box, which disconnected the operator and gave him
access to a long-distance trunk. He then dialed KP and the desired number and
ended with an ST, which caused the target phone to ring. For as long as the
conversation took place, the AMA machine indicated a free call to an
information operator. The technique required a long-distance information
operator because the local operator, not being on a long distance trunk, was
accessed through local wire switching, not the CCITT tones.
Call Anywhere
~~~~~~~~~~~~~
Now imagine the possibilities. Assume the Blue Box user was in Philadelphia.
He would call Chicago information, disconnect from the operator with a KP
tone, and then dial anywhere that was on direct-dial service: Los Angeles,
Dallas, or anywhere in the world if the Blue Boxer could get the international
codes.
The legend is often told of one Blue Boxer who, in the 1960's, lived in New
York and had a girl friend at a college near Boston. Now back in the 1960's,
making a telephone call to a college town on the weekend was even more
difficult than it is today to make a call from New York to Florida on a
reduced-rate holiday using one of the cut-rate long-distance carriers. So our
Blue Boxer got on an international operator's circuit to Rome, Blue Boxed
through to a Hamburg operator, and asked Hamburg to patch through to Boston.
The Hamburg operator thought the call originated in Rome and inquired as to the
"operator's" good English, to which the Blue Boxer replied that he was an
expatriate hired to handle calls by American tourists back to their homeland.
Every weekend, while the Northeast was strangled by reduced-rate long-distance
calls, our Blue Boxer had no trouble sending his voice almost 7,000 miles for
free.
...The user placed the speaker over the telephone handset's transmitter and
simply pressed the buttons that corresponded to the desired CCITT tones. It
was just that simple.
Actually, it was even easier than it reads because Blue Boxers discovered they
did not need the operator. If they dialed an active telephone located in
certain nearby, but different, area codes, they could Blue Box just as if they
had Blue Boxed through an information operator's circuit. The subscriber
whose line was Blue Boxed simply found his phone was dead when it was picked
up. But if the Blue Box conversation was short, the "dead" phone suddenly
came to life the next time it was picked up. Using a list of "distant"
numbers, a Blue Boxer would never hassle anyone enough times to make them
complain to the telephone company.
The difference between Blue Boxing off of a subscriber rather than an
information operator was that the AMA tape indicated a real long-distance
telephone call perhaps costing 15 or 25 cents -- instead of a freebie. Of
course that is the reason why when Ma Bell finally decided to go public with
"assisted" newspaper articles about the Blue Box users they had apprehended,
it was usually about some college kid or "phone phreak." One never read of a
mobster being caught. Greed and stupidity were the reasons why the kid's were
caught.
It was the transistor that led to Ma Bell going public with the Blue Box. By
using transistors and RC phase-shift networks for the oscillators, a portable
Blue Box could be made inexpensively, and small enough to be used
unobtrusively from a public telephone. The college crowd in many technical
schools went crazy with the portable Blue Box; they could call the folks
back home, their friends, or get a free network (the Alberta and Carolina
connections -- which could be a topic for a whole separate file) and never
pay a dime to Ma Bell.
Unlike the mobsters who were willing to pay a small long-distance charge when
Blue Boxing, the kids wanted it, wanted it all free, and so they used the
information operator routing, and would often talk "free-of-charge" for hours
on end.
Ma Bell finally realized that Blue Boxing was costing them Big Bucks, and
decided a few articles on the criminal penalties might scare the Blue Boxers
enough to cease and desist. But who did Ma Bell catch? The college kids and
the greedies. When Ma Bell decided to catch the Blue Boxers she simply
examined the AMA tapes for calls to an information operator that were
excessively long. No one talked to an operator for 5, 10, 30 minutes, or
several hours. Once a long call to an operator appeared several times on an
AMA tape, Ma Bell simply monitored the line and the Blue Boxer was caught.
(Now you should understand why I opened with an explanation of the AMA
machine.) If the Blue Boxer worked from a telephone booth, Ma Bell simply
monitored the booth. Ma Bell might not have known who originated the call,
but she did know who got the call and getting that party to spill their guts
was no problem.
The mob and a few Blue Box hobbyists (maybe even thousands) knew of the AMA
machine, and so they used a real telephone number for the KP skip. Their AMA
tapes looked perfectly legitimate. Even if Ma Bell had told the authorities
they could provide a list of direct-dialed calls made by local mobsters, the
AMA tapes would never show who was called through a Blue Box. For example, if
a bookmaker in New York wanted to lay off some action in Chicago, he could
make a legitimate call to a phone in New Jersey and then Blue Box to Chicago.
His AMA tape would show a call to New Jersey. Nowhere would there be a record
of the call to Chicago. Of course, automatic tone monitoring, computerized
billing, and ESS (Electronic Switching System) now makes that virtually
impossible, but that's the way it was.
You might wonder how Ma Bell discovered the tricks of Blue Boxers. Simple,
they hired the perpetrators as consultants. While the initial newspaper
articles detailed a potential jail penalties for apprehended blue boxers,
except for Ma Bell employees who assisted a blue boxer, it is almost
impossible to find an article on the resolution of the cases because most
hobbyist blue boxers got suspended sentences and/or probation if they
assisted Ma Bell in developing anti-blue box techniques. It is asserted,
although it can't be easily proven, that cooperating ex-blue boxers were
paid as consultants. (If you can't beat them, hire them to work for you.)
Should you get any ideas about Blue Boxing, keep in mind that modern switching
equipment has the capacity to recognize unauthorized tones. It's the reason
why a local office can leave their subscriber Touch-Tone circuits active,
almost inviting you to use the Touch-Tone service. A few days after you use
an unauthorized Touch-Tone service, the business office will call and inquire
whether you'd like to pay for the service or have it disconnected. The very
same central-office equipment that knows you're using Touch-Tone frequencies
knows if your line is originating CCITT signals
The Black Box
~~~~~~~~~~~~~
The Black Box was primarily used by the college crowd to avoid charges when
frequent calls were made between two particular locations, say the college and
a student's home. Unlike the somewhat complex circuitry of a Blue Box, a
Black Box was nothing more than a capacitor, a momentary switch, and a
battery.
As you recall from our discussion of the Blue Box, a telephone circuit is
really established before the target phone ever rings, and the circuit is
capable of carrying an AC signal in either direction. When the caller hears
the ringing in his or her handset, nothing is happening at the receiving end
because the ringing signal he hears is really a tone generator at his local
telephone office. The target (called) telephone actually gets its 20
pulses-per-second ringing voltage when the person who dialed hears nothing in
the "dead" spaces between hearing the ringing tone. When the called phone is
answered and taken off hook, the telephone completes a local-office DC loop
that is the signal to stop the ringing voltage. About three seconds later the
DC loop results in a signal being sent all the way back to the caller's AMA
machine that the called telephone was answered.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
CCITT NUMERICAL CODE
~~~~~~~~~~~~~~~~~~~~
Digit Frequencies (Hz)
1 700+900
2 700+1100
3 900+1100
4 700+1300
5 900+1300
6 1100+1300
7 700+1500
8 900+1500
9 1100+1500
0 1300+1500
Code 11 700+1700 for inward
Code 12 900+1700 operators
KP 1100+1700 Prime (Start of pulsing)
KP2 1300+1700 Transit traffic
ST 1500+1700 Start (End of pulsing)
------------------------------------------------------------------------------
The LOD/H Technical Journal: File #6 of 12
Volume 1, Issue 1 Released: Jan. 1, 1987
+--------------------------------+
| Building Your Own Blue Box |
+--------------------------------+
| By |
| Jester Sluggo |
| Released: Nov. 27, 1986 |
+--------------------------------+
This Blue Box is based on the Exar 2207 Voltage Controlled Oscillator.
There are other ways to build Blue Boxes, some being better and some not as
good, but I chose to do it this way. My reason for doing so: because at the
time I started this project, about the only schematic available on BBS's was
the one written by Mr. America and Nickie Halflinger. Those plans soon (in
about 90 seconds) became very vague in their context with a couple in-
consistencies, but I decided to "rough it out" using those plans (based on the
Exar 2207 VCO) and build the Blue Box using that as my guide. During the
construction of the Blue Box, I decided to type-up a "more complete and clear"
set of Blue Box schematics than the file that I based mine on, in order to
help others who may be trying/thinking of building a Blue Box. I hope these
help.
Note: You should get a copy of the Mr. America/Nickie Halflinger Blue
Box plans. Those plans may be of help to anyone who may have difficulty
understanding these plans. Also, these plans currently do not support CCITT.
+---------------------------------+
| Why should I build a Blue Box ? |
+---------------------------------+
Many of you may have that question, and here's my answer. Blue Boxing was
the origin of phreaking (excluding whistling). Without the advent of Blue
Boxes, I feel that some of the advances in the telecommunications industry
would've taken longer to develop (The need to stop the phone phreaks forced
AT+T Bell Laboratories to "step up" their development to stop those thieves!).
There is no harm in building a Blue Box (except the knowledge you will
gain in the field of electronics). Although there are software programs (Soft
Blue Boxes) available for many micro's that will produce the Blue Box
Multi-Frequency (MF) tones, they are not as portable as an actual Blue Box
(you can't carry your computer to a telephone, so you must use it from home
which could possibly lead to danger).
Many phreaks are announcing the end of the Blue Box Era, but due to
discoveries I have made (even on ESS 1A and possibly ESS 5), I do not believe
this to be true. Although many people consider Blue Boxing "a pain in the
ass", I consider Blue Boxing to be "phreaking in its' purest form". There is
much to learn on the current fone network that has not been written about, and
Blue Boxes are necessary for some of these discoveries. The gift of free fone
calls tends to be a bonus.
Note: Blue Boxes also make great Christmas gifts!
+---------------------------------------+
| Items needed to construct a Blue Box. |
+---------------------------------------+
Here is the list of items you will need and where you can get them. It
may be a good idea to gather some of the key parts (the chips, and especially
the potentiometers, they took about 6 months to back order through Digi-key. A
whole 6 fucking months!) before you start this project. Also, basic
electronics tools will be necessary, and you might want to test the circuit on
a bread board, then wire-wrap the final project. Also, you will need a box of
some sort to put it in (like the blue plastic kind at Radio Shack that cost
around $5.00).
Note: An oscilliscope should be used when tuning in the
potentiometers because the Bell system allows
only a 7-10% tolerance in the precision of the
frequencies.
Qty. Item Part No. Place
---------------------------------------------------
1 | 4 x 4 Keypad | | Digi-Key
6 | Inverter Chip | 74C04 |
32 | Potentiometer | |
1 | 4-16 Converter Chip| 74LS154 |
1 | 16 Key Decoder | 74C922 |
2 | 2207 VCO | XR2207CP | Exar Corp.
3 | .01 uf Capacitor | 272-1051 | Radio Shack
5 | .1 uf Capacitor | 272-135 | Radio Shack
2 | 1.5K Ohn Resistor | | Radio Shack
2 | 1.0K Ohm Resistor | | Radio Shack
1 | Speaker | | From an old Autovon fone.
1 | 9 Volt Battery | | Anywhere
The resistors should be a +/- 5% tolerance.
The speaker can be from a regular telephone (mine just happened to be
from an old Autovon phone). But make sure that you remove the diode.
The Potentiometers should have a 100K Ohm range (but you may want to
make the calculations yourself to double check).
The 9-volt battery can be obtained for free if you use your Radio Shack
Free Battery Club card.
The Exar 2207 VCO can be found if you call the Exar Corp. located in
Sunnyvale, California. Call them, and tell them the state you live in, and
they'll give the name and phone number to the distributor that is located
closest to you. The 2207 will vary from about $3.00 for the silicon-grade
(which is the one you'll want to use) to about $12.00 for the high-grade
Military chip.
Note: When you call Exar, you may want to ask them to send you the
spec-sheets that gives greater detail as to the operation and construction of
the chip.
+-------------------+
| Schematic Diagram |
+-------------------+
+--------------+ +-------------+
| 1 2 3 A | | Figure #1 |
| 4 5 6 B | +-------------+
| 7 8 9 C | | Logic Side |
| * 0 # D | +-------------+
++-+-+-+-+-+-+-+
1 | 3 | 5 | 7 | (VCC)
| 2 | 4 | 6 | 8 (+5 Volts) +----+
| | | < u | | | [+] | _|_
| | | | | | | | | | \_/GND
+--+-+-+-+-+-+-+-+----+ +--+----------+---+
| 2 | 11| 10| 7 | | | 14 7 |
(.01C) | | 3 | 4 | 8 | 1 12+------+1 |
+--||---+5 13+------+2 (*74C04*) |
_|_ | | | |
\_/GND | (*74C922*) | +-----------------+
+--||-+6 |
|(.1C)| |
_|_ | |
\_/GND | 9 17 16 15 14 18|
+--+--+--+--+--+---+--+
| | | | | |
_|_ A B C D |
GND\_/ | | | | [+] (VCC) [+] (VCC)
| | | | (+5 volts) | (+5 volts)
| | | | |
-------+--+--+--+------------------+-----------------
| 23 22 21 20 24 18+-+
+-----+12 | +--+
| | (*74LS154*) 19+-+ _|_
_|_ | | \_/
\_/GND | 1 2 3 4 5 6 7 8 9 10 11 13 14 15 16 17 | GND
+--+--+--+--+--+--+--+--+--+-+--+--+--+--+--+--+----+
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
| | | | | | | | | | | | | | | |
| (Connects)
| +---------->
+------------------------+ | (Figure 2)
| +--+ +-------+
| | | |
+--+-------+--+-------+---+
| 3--|>o--4 5--|>o--6 |
| (Invtr.) (Invtr.) |
+---------------+7 |
_|_ | (*74C04*) |
GND\_/ (VCC) [+]--+14 |
(+5 volts) | |
+-------------------------+
+-------------+ _
| Figure #2 | / |
+---+-------------+----+ +----------------+ |
| Tone Generation Side | _|_ | | SPKR
+----------------------+ GND\_/ +---+--+---+ |
| | \_|
| |
| | +---------------+
+-------+ | | | |
| _|_ | +--+14 |
| \_/GND | | (Repeat of) |
| | | (First) |
----- (.1C) | | (Circuit) |
----- | | |
| | | (*XR2207CP*) |
| +-----------------+ | +--+6 |
| | | | | | |
[+]-----+-------+1 14+--+ | +---------------+
(VCC) | | +--------------------+
(+9 Volts) +----+2 | |
| | 12+---------------------+ |
(.01C) ----- | | _|_ |
----- | (*XR2207CP*) | \_/GND |
| | | 1.5K Ohms |
+----+3 11+---+---\/\Rx/\/---+--+ |
| | | | _|_ |
| | +---\/\Rx/\/---+ \_/GND |
| | 1.0K Ohms |
| 10+----+ |
+-------------+6 9+----+---+ |
| | 8+----+ | |
| | | ----- (.1C) |
| +-----------------+ ----- |
+---------+ _|_ +----------+
| | Pot. GND\_/ Pot. | |
| \/\/\/\/--+-----------------------\/\/\/\/ |
| 1400 Hz. | 1600 Hz. |
+---------+ | +----------+
| | Pot. | Pot. | |
| \/\/\/\/--+----------------+------\/\/\/\/ |
| 1500 Hz. | | 900 Hz. |
| | | |
| 14 more | | 14 More |
| Potentiometers | | Potentiometers |
| in this | | in this |
| area left out | | area left out |
| for simplicity | | for simplicity |
| | | |
| | | |
|
(Connects) |
<-------------+
(Figure 1)
+-------------------------+
| Multiplex Keypad System |
+-------------------------+
First, the multiplex pattern used in the 4x4 keypad layout. I suggest
that keys 0-9 be used as the Blue Box's 0-9 keys, and then you can assign
A-D, *, # keys to your comfort (ie. * = Kp, # = St, D = 2600, and A-C as
Kp1, Kp2 or however you want).
Note: On your 2600 Hz. key (The D key in example above)
it may be a good idea to tune in a second
potentiometer to 3700 Hz. (Pink Noise).
Keypad Key Assignments Multiplex Pattern
+---------+ +-------------+ +------------+
| 1 2 3 A | | 1 2 3 4 | | 1 2 3 A |----Y1=8 X1=3
| 4 5 6 B | | 5 6 7 8 | | 4 5 6 B |----Y2=1 X2=5
| 7 8 9 C | | 9 10 11 12 | | 7 8 9 C |----Y3=2 X3=6
| * 0 # D | | 13 14 15 16 | | * 0 # D |----Y4=4 X4=7
+---------+ +-------------+ +------------+
| | | |
X1 X2 X3 X4
+----------------------+
| Blue Box Frequencies |
+----------------------+
This section is taken directly from Mark Tabas's "Better Homes and Blue
Boxing" file Part 1.
Frequenies (Hz) Domestic Int'l
----------------------------------
700+900 1 1
700+1100 2 2
900+1100 3 3
700+1300 4 4
900+1300 5 5
1100+1300 6 6
700+1500 7 7
900+1500 8 8
1100+1500 9 9
1300+1500 0 0
700+1700 ST3p Code 11
900+1700 STp Code 12
1100+1700 KP KP1
1300+1700 ST2p KP2
1500+1700 ST ST
2600+3700 *Trunking Frequency*
Note: For any further information about the uses or duration of the
frequencies, read the Mark Tabas files.
+----------------+
| Schematic Help |
+----------------+
This is the Key to the diagrams in the schematic. I hope that they help
more then they might hurt.
_|_
\_/GND is the Ground symbol
| |
---| |-- is the Capacitor symbol
| | (.1C) stands for a .1 uf Capacitor
(.01C) stands for a .01 uf Capacitor
|
-----
----- is another Capacitor symbol
|
--\/\Rx/\/-- is the Resistor symbol (The 1.5K Ohm and 1.0K Ohm
Resistors are at +/- 5% )
---+
|
\/\/\/\/-- is the Potentiometer symbol (The frequncies I supplied
above are just examples.)
--|>o-- is the Inverter symbol
+------------+
| Conclusion |
+------------+
This is just one way to build a Blue Box. If you choose this way, then I
hope this file is adequate enough to aid you in the construction. Although
these are not the best plans, they do work. This file does not tell you how to
use it or what to do once it's built. For that information I mention that you
read Mark Tabas's "Better Homes and Blue Boxing" files, or any other files/BBS
subboards that deal with that realm.
If you need help, I sluggest (thanks for that one Taran) that you ask a
close friend, possibly an electronics teacher, or a phreak friend to help you.
Also, if you need help or have questions or comments about this file, you can
address them to me. I can be contacted through the LOD/H Technical Journal
Staff account on the boards listed in the Intro, or on the few boards I call.
+-------------+
! Credentials !
+-------------+
At last, this article would not be possible without the help of the
following people/places whom contributed to it in one way or another (it may
not be apparent to them, but every minute bit helps).
Deserted Surfer (Who helped immensly from Day 1 of this project.)
(Without his help this file would not be.)
Mark Tabas (For the BHBB files which inspired my interests.)
Nickie Halflinger (For the original Blue Box plans I used.)
Mr. America (For the original Blue Box plans I used.)
Lex Luthor
Cheap Shades
Exar Corp.
Lastly, I would like to thank the United States government for furnishing
federal grants to this project. Without their financial help, I would have had
to dish out the money from my own pocket (Approximately $80.00. Egads!)
Jester Sluggo
------------------------------------------------------------------------------
<Example Comment>
Name - Nocturnal Phoenix
Date - October 25, 1992
I can be reached on GENERIC BBS, (555)-555-5555, 1200/9600
<assorted inphormation>
------------------------------------------------------------------------------