💾 Archived View for gemini.spam.works › mirrors › textfiles › phreak › BOXES › redbox.txt captured on 2022-06-12 at 17:21:14.

View Raw

More Information

-=-=-=-=-=-=-

DTMF Generators, White Boxing, and Red Boxing                              
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                              
                                                                           
I've seen before me way too many fabrications of red boxes; the H/P        
community enjoys to talk about it a lot, and fantasize about its abilities.
But seldom do I see an accurate example of any box construction. Perhaps   
I'm simply in the wrong circle? Nevertheless I did a little research on    
the actual structure of an DTMF Generator and on how to convert this into  
a red and white Box. 2600 Enterprises did have the BEST red box example to 
pass before me, however in Canada legislation differs quite a lot, and     
any kit or package that can be hacked is not tolerated; so therefore the   
famous Radio-Shack Pocket Dialer is not available here, and I would say    
many other places, such as Europe or Australia, where Radio Shack is not   
as widely established as in the USA. Our Radio Shacks are no bigger than a 
local corner candy store, and the only useful products they sell are       
calculators. Pathetic is the scene I run into everywhere I go in lovely    
Canada. So since the Radio-Shack Pocket Dialer WITH MEMORY is not available
I guess we must build the actual device from scratch. It's fairly simple,  
and I've already succeeded in building the DTMF Generator. It's very       
easy -- it consists of one IC, a crystal to control the oscillator (in     
the IC) and a key-pad.                                                     
                                                                           
The construction of the DTMF Tone Generator is perhaps the hardest part of 
this project, and yet that is quite fairly simple. Anyhow this project does
require you to know the basics of kit building, and hopefully you know how 
to use a soldering iron, as you will need to solder the IC and Crystal onto
a simple board. Now the DTMF tones are generated internally inside the IC, 
but the timing depends on an external crystal oscillator. And the only     
external component we have is the 3.579545 MHz crystal: right here we have 
a "white box," as a white box is suppose to generate the DTMF "Touch-Tone" 
tones. Now if we replaced the 3.579545 MHz crystal with an 6.5536 MHz one, 
our "*" key on the key-pad will actually be DARN close to 3900 Hertz, the  
EXACT frequency that a coin stimulates when being entered inside the pay-  
phone. So in reality instead of putting $0.25 you can put theses tones on  
the mouth piece and fool the Bell System.                                  
                                                                           
                                                                           
Brief Operation                                                            
~~~~~~~~~~~~~~~                                                            
When entering a $0.25 into a payphone the only way the phone company knows 
that you entered money by a tone which consists of a 700 Hz + 2200 Hz      
(3900 Hz) being flushed into the line. For quarter you will need 3900 Hz   
for 35ms in length and a pause for 35ms and then 3900hz for 35ms then a    
pause...etc. This must be produced exactly FIVE times, so you should have  
five tones of 3900hz of 35ms with pauses of 35ms between each.             
                                                                           
Our DTMF generator contains a ten-number memory. When we save a number into
the DTMF memory and replay it, the redial timing will play the tone for    
72.3ms and pause for 72.3ms before going to the next tone and playing that 
for 72.3ms! Now the tones will be played at this speed ONLY with the       
3.579545 MHz crystal, as the crystal controls ALL LOGIC and TONE GENERATING
TIMING! So when this is replaced with a 6.5535 Mhz crystal it naturally    
will be alot faster and the timing will be faster. As a matter of fact the 
timing is NOW 34.3ms! So anything redialled by the DTMF generator will come
out at 34.3ms and a pause for 34.3ms. Our "*" key will also sound very     
close to the 700 + 2200 Hz, and therefore saving "*" 5 times in a memory   
and redialling it will result into sounding like a $0.25, all one has to do
is put red box to the payphone mouth piece and the phone system will think 
you entered a valid $0.25.                                                 
                                                                           
                                                                           
 _____________________                                                     
/ General Description \____________________________________________________
                                                                           
Features                                                                   
~~~~~~~~                                                                   
   ? 2.5V-12V operation when generating tones, which is A LOT              
     less voltage needed, compared to several white boxes I've             
     seen which ask for 16V-24V.                                           
   ? Stores and auto-dials ten 16-digit numbers.                           
   ? Last number redial.                                                   
   ? Scratchpad, meaning number storage without dialling.                  
   ? 14 Keys, separate storage and redial buttons.                         
   ? 2-digit overwrite for PBX access codes.                               
   ? Low harmonic distortion.                                              
   ? Single-contact or negative-common (2-of-8) key-pad inputs.            
                                                                           
Well, before we begin I must say that replacing the 3.57545 Mhz crystal    
with an 6.5536 will give us the 3900 Hertz tone ONLY by the "*" key. With  
this information the same is true for any key, on the keypad! In fact my   
calculations proved that in order to get an EXACT 3900 Hertz by the "*"    
key we would need a crystal of about 6.4857 Mhz. However chances of        
production of an 6.4857 Mhz crystal is asking for a little too much, so    
naturally we settle for the closest one possible to it; besides analog     
signals are quite difficult to simulate exactly, compared to digital,      
which is always exact!                                                     
                                                                           
This IC is from "National Semiconductor Corporation" model number TP5660.  
Perhaps even the exact IC in the Radio-Shack Pocket Dialer with Memory,    
as the one without memory uses the TP5650 which is this exact IC but       
without memory! The Operating temperature is -30?C to +60?C. This IC       
looks like so:                                                             
                                                                           
                          1?????????????????16                             
                      Vdd???     ????      ????TONE OUT                    
                          2? National      ?15                             
                       Vm??? Semiconductor ????Row 5                       
                          3? (Linear       ?14                             
                    Col 1???  Databook)    ????Row 1                       
                          4?               ?13                             
                    Col 2???               ????Row 2                       
                          5?    TP5660     ?12                             
                    Col 3???               ????Row 3                       
                          6?               ?11                             
                      Vss???               ????Row 4                       
                          7?               ?10                             
 ??????????????????OSC?IN???               ????MUTE OUT                    
??? 3.579545 Mhz Crystal  8?               ?9                              
??? Control OSC. ?OSC?OUT???               ????Col 4                       
 ?????????????????         ?????????????????                               
                                                                          
Replace above with the below to have both Red & White Boxes in one.        
  ?????????                                                                
 ??? ???  3.579545 Mhz                                                    
 ??? ???                                                                   
  ? ? ?  If you put a two-way switch you can switch from crystal,         
   ??????? to crystal, and you'll have a red and white (combo) box!       
 Your new crystal should be 6.5536 for "*" Key                             
                                                                           
                                                                           
Pin Description                                                            
~~~~~~~~~~~~~~~                                                            
Vdd (Pin 1): The positive supply to the device, referenced to              
     Vss. A power-on reset circuit ensures correct operation               
     following initial power-up.                                           
                                                                           
Vm (Pin 2): The negative terminal of the back-up battery for on-hook       
     memory retention. A low-voltage detect circuit prevents               
     missoperation of the circuit in the event of a reduction in           
     the on-hook supply voltage below that required to retain              
     stored data.                                                          
                                                                           
COLUMN & ROW Scans (Pins 3, 4, 5, 9, 11, 12, 13, 14, 15): When no key is   
     closed, pull-up resistors are active on COLUMN inputs and             
     pull-down resistors are active on ROW inputs. Therefore               
     after a key is pressed the ROW pull-down resistors cause a            
     negative-true on COLUMN inputs (for standard telephone                
     key-pads negative-common).                                            
                                                                           
Vss (pin 6): The negative supply to the device in the off-hook             
     state.                                                                
                                                                           
OSC IN, OSC OUT (pin 7, 8): All logic and tone generator timing is         
     derived from the on-chip oscillator circuit.                          
                                                                           
MUTE OUT (pin 10) This is a CMOS output which sinks current to             
     Vss when no tones are being generated and sources current             
     from Vdd when tones are being generated.                              
                                                                           
TONE OUT (pin 16): This output is the open emitter of an NPN               
     transistor. The other pin (collector) is connected with the           
     Vdd.                                                                  
                                                                           
Well, this is the exact pin description according to the abilities and     
limitations of this IC. Now this Integrated Circuit (IC) was designed to   
be powered by the telephone line and a battery to keep the memory intact.  
Well, due to the fact that we are powering this circuit by battery you can 
feed both Vm and Vss to the same negative supply, the battery, of course.  
Now the MUTE OUT pin is perhaps also bothering you; well, this circuit was 
designed to drive a simple interface circuit to mute the receiver when any 
key is depressed. Again this is NOT needed as you will be connecting your  
DTMF generator to a small speaker rather than putting it directly into the 
line, as this circuit was designed for that, so all that MUTE does is when 
you start depressing keys it mutes of the receiver so that it will not     
interfere with other incoming sounds misstated as DTMF tones. However you  
can avoid adding a speaker by un-screwing the mouth piece and feed the     
TONE-OUT and Vdd supply directly into the conventional payphones, however  
this may attract unwanted glances, so you'll be better off with a          
speaker.                                                                   
                                                                           
The next part is about the key-pad, perhaps complex if you plan to design  
your own. Frankly, I found that time consuming; you can buy key-pads in    
several electronics stores, as Radio Shack, but I did find it in a local   
electronics store. Then again, if you have an old phone I guess you can    
take it from there. Now I must warn you there are TWO types of key-pads    
that are widely used, and both will work on this circuit, but you need     
to know which one you have in order to make corrections.                   
                                                                           
The key-pad found in most telephones are what we call STANDARD KEYPADs.    
This has to do on the way the switch is connected inside.                  
                                                                           
        ?         Simply, when a key is depressed, it closes the           
 ???????????Row   switch but also comes in contact with the                
     ???         negative power supply. Thus we call this method          
   ???  ?         NEGATIVE-COMMON or/and standard key-pad.                 
  Vss???                                                                  
        Col                                                                
                                                                           
        ?         As you can see, this method consists of the row          
        ????      and column coming to contact (a closing of a             
        ?        switch). This type of keypad we call                     
 ????????????Row  SINGLE-CONTACT key-pad.                                  
        ?                                                                  
        Col                                                                
                                                                           
If you plan to build your key-pad certainly the single key-pad is the way  
to go, it's a lot simpler. So if your using a standard key-pad remember to 
connect the negative supply to the key-pad! All that's left now is to      
connect the key-pad to the circuit, very easy and fast; you just connect   
Col 1 to Col 1, Row 1 to Row 1, etc... You may notice that this is a       
military-style key-pad, as it includes the A, B, C, D keys which you don't 
find in your everyday phone key-pads. You really don't need them, so if    
you don't have them don't alarm yourself, just don't connect them!         
However you will need TWO extra keys, one for STORE command and the other  
for the REDIAL, so either add an extra key or switch or whatever you wish  
and connect it, like so.                                                   
                                                                           
     ?????????????????????????????Col 1                                    
     ?     ???????????????????????Col 2                                    
     ?     ?     ?????????????????Col 3                                    
     ?     ?     ?      ??????????Col 4                                    
  ??????????????????????????                                               
  ?  1  ?  2  ?  3   ?  A  ???????Row 1                                    
  ??????????????????????????                                               
  ?  4  ?  5  ?  6   ?  B  ???????Row 2                                    
  ??????????????????????????                                               
  ?  7  ?  8  ?  9   ?  C  ???????Row 3                                    
  ??????????????????????????                                               
  ?  *  ?  0  ?  #   ?  D  ???????Row 4                                    
  ??????????????????????????                                               
  ?Store?     ?Redial?     ???????Row 5                                    
  ??????????????????????????                                               
                                                                           
Ahh, congrads, your DTMF Generator is now completed! If you were like      
myself and added an extra switch to go from white box to red box mode,     
GREAT! The only difference is that a white box needs the 3.57545 Mhz       
crystal and the red box needs the corresponding crystal, so simply put a   
switch and move from mode to mode. Now for the red box to work we need five
3900 hertz at 33 milliseconds apart and 33 milliseconds long, so you'll    
need to save your key five times in memory and then simply put the box to  
the mouthpiece end of the payphone and press the memory key, you have just 
enter $0.25 into the payphone.                                             
                                                                           
NOTE: I only have this working with the 6.5536 Mhz crystal. I cannot say   
that the timing interval will be exact with the other crystals; chances    
are that taking a crystal of 7.XXXXXX or 5.XXXXXX Mhz is simply too far    
from the 700 + 2200 hertz tone. Try to get the closest value to 6.50 Mhz.  
                                                                           
I didn't include the way to save the red box tone into the memory,         
as you get a nice little paper when you buy the IC, but in case you don't  
you first power up the unit, press "*" (or your valid red box tone key)    
five times and then you press STORE and a number in which to store it in.  
And to dial the stored key, press REDIAL and the number in which you       
stored the red box tone! Remember the NEW crystal should be installed at   
ALL times to generate the RED BOX tone! If you save the tone with your     
6.XXXX Mhz intact and redial it with the 3.57545 Mhz it will not work!     
                                                                           
Lastly, I recommend an "A-Cut Crystal (NTSC TV color-burst)" for both the  
3.57545 and your red box crystal. Try local components stores. You should  
find the crystal, or else look around, ask around; I did leave you with a  
few references near here where I got most of my stuff so you can try them  
out if you can't find them on your own.                                    
                                                                           
                                                                           
REFERENCE                                                                  
          Addison Ltd/Ltee                                                 
          8018 20th Avenue                                                 
          Montreal, Canada, H1Z-3S7                                        
          tel: 1-514-376-1740                                              
                                                                           
          Active Electronic Components                                     
          6080 Metropolitan East                                           
          Montreal, Canada, H1S-1A9                                        
          tel: 1-514-256-7538                                              
               1-800-363-7601 (Outside Quebec)                             
                                                                           
          Hamilton Avnet International Canada                              
          2570 Sabourin St., St-Laurent                                    
          Montreal, Canada, H4S-1M2                                        
          tel: 1-514-331-6443                                              
               1-800-361-7129 (Outside Quebec)                             
                                                                           
          National Semiconductors Corporation                              
          2900 Semiconductuctor Drive                                      
          Santa Clara, California 95051, USA                               
                                                                           
     ALSO: Try out Motorola and RCA dealers. They carry lots of            
           crystals that go into TV decoders/scramblers, so there's a      
           very good chance they should have it.                           
                                                                           
The crystals don't cost more than $1.00, kaypads can be bought for $0.75,  
PCBoard under $1.00, the IC goes for $2.00. The project should cost under  
$5 if you can find the supplies in local stores -- if I did in lonely      
Canada then you should have no trouble! If they don't have it, ask them to 
order it, if they ask "why?" tell them it's for a TV component, as TVs and 
related works like decoders and scramblers use NTSC TV color-burst         
crystals!                                                                  
                                                                           
NOTE: For the next InfoJournal I should have a DTMF Generator for "Caller  
IDs" (yep, you can send your own DTMF Caller ID tones), and how the        
number/name is received. So call up your local BBS with Caller ID and make 
it display 666-6666 and logon as your favourite Death-Angel character name.
Those interested in the actual project can contact myself anytime soon, of 
course you have must have a grasp of electronics!