💾 Archived View for gemini.spam.works › mirrors › textfiles › phreak › BOXES › redbox.txt captured on 2022-06-12 at 17:21:14.
-=-=-=-=-=-=-
DTMF Generators, White Boxing, and Red Boxing ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I've seen before me way too many fabrications of red boxes; the H/P community enjoys to talk about it a lot, and fantasize about its abilities. But seldom do I see an accurate example of any box construction. Perhaps I'm simply in the wrong circle? Nevertheless I did a little research on the actual structure of an DTMF Generator and on how to convert this into a red and white Box. 2600 Enterprises did have the BEST red box example to pass before me, however in Canada legislation differs quite a lot, and any kit or package that can be hacked is not tolerated; so therefore the famous Radio-Shack Pocket Dialer is not available here, and I would say many other places, such as Europe or Australia, where Radio Shack is not as widely established as in the USA. Our Radio Shacks are no bigger than a local corner candy store, and the only useful products they sell are calculators. Pathetic is the scene I run into everywhere I go in lovely Canada. So since the Radio-Shack Pocket Dialer WITH MEMORY is not available I guess we must build the actual device from scratch. It's fairly simple, and I've already succeeded in building the DTMF Generator. It's very easy -- it consists of one IC, a crystal to control the oscillator (in the IC) and a key-pad. The construction of the DTMF Tone Generator is perhaps the hardest part of this project, and yet that is quite fairly simple. Anyhow this project does require you to know the basics of kit building, and hopefully you know how to use a soldering iron, as you will need to solder the IC and Crystal onto a simple board. Now the DTMF tones are generated internally inside the IC, but the timing depends on an external crystal oscillator. And the only external component we have is the 3.579545 MHz crystal: right here we have a "white box," as a white box is suppose to generate the DTMF "Touch-Tone" tones. Now if we replaced the 3.579545 MHz crystal with an 6.5536 MHz one, our "*" key on the key-pad will actually be DARN close to 3900 Hertz, the EXACT frequency that a coin stimulates when being entered inside the pay- phone. So in reality instead of putting $0.25 you can put theses tones on the mouth piece and fool the Bell System. Brief Operation ~~~~~~~~~~~~~~~ When entering a $0.25 into a payphone the only way the phone company knows that you entered money by a tone which consists of a 700 Hz + 2200 Hz (3900 Hz) being flushed into the line. For quarter you will need 3900 Hz for 35ms in length and a pause for 35ms and then 3900hz for 35ms then a pause...etc. This must be produced exactly FIVE times, so you should have five tones of 3900hz of 35ms with pauses of 35ms between each. Our DTMF generator contains a ten-number memory. When we save a number into the DTMF memory and replay it, the redial timing will play the tone for 72.3ms and pause for 72.3ms before going to the next tone and playing that for 72.3ms! Now the tones will be played at this speed ONLY with the 3.579545 MHz crystal, as the crystal controls ALL LOGIC and TONE GENERATING TIMING! So when this is replaced with a 6.5535 Mhz crystal it naturally will be alot faster and the timing will be faster. As a matter of fact the timing is NOW 34.3ms! So anything redialled by the DTMF generator will come out at 34.3ms and a pause for 34.3ms. Our "*" key will also sound very close to the 700 + 2200 Hz, and therefore saving "*" 5 times in a memory and redialling it will result into sounding like a $0.25, all one has to do is put red box to the payphone mouth piece and the phone system will think you entered a valid $0.25. _____________________ / General Description \____________________________________________________ Features ~~~~~~~~ ? 2.5V-12V operation when generating tones, which is A LOT less voltage needed, compared to several white boxes I've seen which ask for 16V-24V. ? Stores and auto-dials ten 16-digit numbers. ? Last number redial. ? Scratchpad, meaning number storage without dialling. ? 14 Keys, separate storage and redial buttons. ? 2-digit overwrite for PBX access codes. ? Low harmonic distortion. ? Single-contact or negative-common (2-of-8) key-pad inputs. Well, before we begin I must say that replacing the 3.57545 Mhz crystal with an 6.5536 will give us the 3900 Hertz tone ONLY by the "*" key. With this information the same is true for any key, on the keypad! In fact my calculations proved that in order to get an EXACT 3900 Hertz by the "*" key we would need a crystal of about 6.4857 Mhz. However chances of production of an 6.4857 Mhz crystal is asking for a little too much, so naturally we settle for the closest one possible to it; besides analog signals are quite difficult to simulate exactly, compared to digital, which is always exact! This IC is from "National Semiconductor Corporation" model number TP5660. Perhaps even the exact IC in the Radio-Shack Pocket Dialer with Memory, as the one without memory uses the TP5650 which is this exact IC but without memory! The Operating temperature is -30?C to +60?C. This IC looks like so: 1?????????????????16 Vdd??? ???? ????TONE OUT 2? National ?15 Vm??? Semiconductor ????Row 5 3? (Linear ?14 Col 1??? Databook) ????Row 1 4? ?13 Col 2??? ????Row 2 5? TP5660 ?12 Col 3??? ????Row 3 6? ?11 Vss??? ????Row 4 7? ?10 ??????????????????OSC?IN??? ????MUTE OUT ??? 3.579545 Mhz Crystal 8? ?9 ??? Control OSC. ?OSC?OUT??? ????Col 4 ????????????????? ????????????????? Replace above with the below to have both Red & White Boxes in one. ????????? ??? ??? 3.579545 Mhz ??? ??? ? ? ? If you put a two-way switch you can switch from crystal, ??????? to crystal, and you'll have a red and white (combo) box! Your new crystal should be 6.5536 for "*" Key Pin Description ~~~~~~~~~~~~~~~ Vdd (Pin 1): The positive supply to the device, referenced to Vss. A power-on reset circuit ensures correct operation following initial power-up. Vm (Pin 2): The negative terminal of the back-up battery for on-hook memory retention. A low-voltage detect circuit prevents missoperation of the circuit in the event of a reduction in the on-hook supply voltage below that required to retain stored data. COLUMN & ROW Scans (Pins 3, 4, 5, 9, 11, 12, 13, 14, 15): When no key is closed, pull-up resistors are active on COLUMN inputs and pull-down resistors are active on ROW inputs. Therefore after a key is pressed the ROW pull-down resistors cause a negative-true on COLUMN inputs (for standard telephone key-pads negative-common). Vss (pin 6): The negative supply to the device in the off-hook state. OSC IN, OSC OUT (pin 7, 8): All logic and tone generator timing is derived from the on-chip oscillator circuit. MUTE OUT (pin 10) This is a CMOS output which sinks current to Vss when no tones are being generated and sources current from Vdd when tones are being generated. TONE OUT (pin 16): This output is the open emitter of an NPN transistor. The other pin (collector) is connected with the Vdd. Well, this is the exact pin description according to the abilities and limitations of this IC. Now this Integrated Circuit (IC) was designed to be powered by the telephone line and a battery to keep the memory intact. Well, due to the fact that we are powering this circuit by battery you can feed both Vm and Vss to the same negative supply, the battery, of course. Now the MUTE OUT pin is perhaps also bothering you; well, this circuit was designed to drive a simple interface circuit to mute the receiver when any key is depressed. Again this is NOT needed as you will be connecting your DTMF generator to a small speaker rather than putting it directly into the line, as this circuit was designed for that, so all that MUTE does is when you start depressing keys it mutes of the receiver so that it will not interfere with other incoming sounds misstated as DTMF tones. However you can avoid adding a speaker by un-screwing the mouth piece and feed the TONE-OUT and Vdd supply directly into the conventional payphones, however this may attract unwanted glances, so you'll be better off with a speaker. The next part is about the key-pad, perhaps complex if you plan to design your own. Frankly, I found that time consuming; you can buy key-pads in several electronics stores, as Radio Shack, but I did find it in a local electronics store. Then again, if you have an old phone I guess you can take it from there. Now I must warn you there are TWO types of key-pads that are widely used, and both will work on this circuit, but you need to know which one you have in order to make corrections. The key-pad found in most telephones are what we call STANDARD KEYPADs. This has to do on the way the switch is connected inside. ? Simply, when a key is depressed, it closes the ???????????Row switch but also comes in contact with the ??? negative power supply. Thus we call this method ??? ? NEGATIVE-COMMON or/and standard key-pad. Vss??? Col ? As you can see, this method consists of the row ???? and column coming to contact (a closing of a ? switch). This type of keypad we call ????????????Row SINGLE-CONTACT key-pad. ? Col If you plan to build your key-pad certainly the single key-pad is the way to go, it's a lot simpler. So if your using a standard key-pad remember to connect the negative supply to the key-pad! All that's left now is to connect the key-pad to the circuit, very easy and fast; you just connect Col 1 to Col 1, Row 1 to Row 1, etc... You may notice that this is a military-style key-pad, as it includes the A, B, C, D keys which you don't find in your everyday phone key-pads. You really don't need them, so if you don't have them don't alarm yourself, just don't connect them! However you will need TWO extra keys, one for STORE command and the other for the REDIAL, so either add an extra key or switch or whatever you wish and connect it, like so. ?????????????????????????????Col 1 ? ???????????????????????Col 2 ? ? ?????????????????Col 3 ? ? ? ??????????Col 4 ?????????????????????????? ? 1 ? 2 ? 3 ? A ???????Row 1 ?????????????????????????? ? 4 ? 5 ? 6 ? B ???????Row 2 ?????????????????????????? ? 7 ? 8 ? 9 ? C ???????Row 3 ?????????????????????????? ? * ? 0 ? # ? D ???????Row 4 ?????????????????????????? ?Store? ?Redial? ???????Row 5 ?????????????????????????? Ahh, congrads, your DTMF Generator is now completed! If you were like myself and added an extra switch to go from white box to red box mode, GREAT! The only difference is that a white box needs the 3.57545 Mhz crystal and the red box needs the corresponding crystal, so simply put a switch and move from mode to mode. Now for the red box to work we need five 3900 hertz at 33 milliseconds apart and 33 milliseconds long, so you'll need to save your key five times in memory and then simply put the box to the mouthpiece end of the payphone and press the memory key, you have just enter $0.25 into the payphone. NOTE: I only have this working with the 6.5536 Mhz crystal. I cannot say that the timing interval will be exact with the other crystals; chances are that taking a crystal of 7.XXXXXX or 5.XXXXXX Mhz is simply too far from the 700 + 2200 hertz tone. Try to get the closest value to 6.50 Mhz. I didn't include the way to save the red box tone into the memory, as you get a nice little paper when you buy the IC, but in case you don't you first power up the unit, press "*" (or your valid red box tone key) five times and then you press STORE and a number in which to store it in. And to dial the stored key, press REDIAL and the number in which you stored the red box tone! Remember the NEW crystal should be installed at ALL times to generate the RED BOX tone! If you save the tone with your 6.XXXX Mhz intact and redial it with the 3.57545 Mhz it will not work! Lastly, I recommend an "A-Cut Crystal (NTSC TV color-burst)" for both the 3.57545 and your red box crystal. Try local components stores. You should find the crystal, or else look around, ask around; I did leave you with a few references near here where I got most of my stuff so you can try them out if you can't find them on your own. REFERENCE Addison Ltd/Ltee 8018 20th Avenue Montreal, Canada, H1Z-3S7 tel: 1-514-376-1740 Active Electronic Components 6080 Metropolitan East Montreal, Canada, H1S-1A9 tel: 1-514-256-7538 1-800-363-7601 (Outside Quebec) Hamilton Avnet International Canada 2570 Sabourin St., St-Laurent Montreal, Canada, H4S-1M2 tel: 1-514-331-6443 1-800-361-7129 (Outside Quebec) National Semiconductors Corporation 2900 Semiconductuctor Drive Santa Clara, California 95051, USA ALSO: Try out Motorola and RCA dealers. They carry lots of crystals that go into TV decoders/scramblers, so there's a very good chance they should have it. The crystals don't cost more than $1.00, kaypads can be bought for $0.75, PCBoard under $1.00, the IC goes for $2.00. The project should cost under $5 if you can find the supplies in local stores -- if I did in lonely Canada then you should have no trouble! If they don't have it, ask them to order it, if they ask "why?" tell them it's for a TV component, as TVs and related works like decoders and scramblers use NTSC TV color-burst crystals! NOTE: For the next InfoJournal I should have a DTMF Generator for "Caller IDs" (yep, you can send your own DTMF Caller ID tones), and how the number/name is received. So call up your local BBS with Caller ID and make it display 666-6666 and logon as your favourite Death-Angel character name. Those interested in the actual project can contact myself anytime soon, of course you have must have a grasp of electronics!