💾 Archived View for gemini.spam.works › mirrors › textfiles › phreak › BOXES › misp67.phk captured on 2022-07-17 at 10:40:21.


Originally Displayed on P-80 Systems

ELECTRONIC TOLL FRAUD DEVICES

BLUE BOXING

     The following information applies primarily to the AT&T network. It is the largest long distance carrier and has been around the longest; therefore, more is known about its technical operation. The other carriers have their own special weaknesses and are more easily breached using methods described in another chapter.

What is a Blue Box?

     The blue box is so named because that happened to be the color of the first one found. A basic blue box contains 13 buttons or switches for the digits 0-9 plus two control signals labeled "KP" and "ST". One of the buttons is used to produce the 2600 Hz "disconnect" signal. Blue boxes are used to circumvent telephone company billing equipment and make free calls to anywhere in the world. The box may be connected directly to the phone line or acoustically coupled to the mouthpiece of the handset. The signaling tones produced by the box may also be recorded on a cassette tape for later playback. In spite of continuing efforts to protect the system from fraudulent use, there has been a new wave of blue boxing in recent years due to the advent of the personal computer and new knowledge about "holes" in the integrity of the system. A phone phreak can buy a personal computer in a department store for less than $200.00. Armed with this hardware and the right knowledge, he can make long distance calls including overseas calls, set up interstate conferences with his friends that go on for hours, call special operators who normally can be reached only by other operators, and other "tricks"; all without charge. With the addition of a cheap cassette recorder, he can become highly mobile and elusive.
     Highly advanced and knowledgeable phone phreaks are constantly probing the system for flaws in its security. Their ability to call internal operators gives them the power to pose as telephone company personnel for the purpose of gaining privileged information about the system. It would be hard to estimate how many calls from "Telephone Repair Service" or "Security" were actually placed by phone phreaks doing experiments of their own or fishing for information.

How It Works

     The most common form of signaling between toll offices uses a code derived from six tones. This is referred to as multifrequency signaling or MF signaling. The tones are played together two at a time to represent the digits 0 - 9. In addition there are two special signals designated KP and ST. These are also sent as dual tones. KP stands for key pulse. It is a gate opening signal which tells the system that digits are to follow. ST means "start transit". It tells the system that all digits have been sent. It is an end of transmission signal and is a command to the system to start processing the information. The principle is basically the same as that used for tone signaling with a push button telephone except that the frequencies of the tones are different.
     Table (X) shows the combinations of frequencies used in North America and on CCITT Signaling System No. 5:

   Signal                                        Frequency pair (Hz)
   -------------------------------------------------------------------
   KP1 (start-of-digit transmission for           1100+1700
        a national call)
   KP2 (start-of-digit transmission for           1300+1700
        an international call from an
        intermediate (transit) exchange)
   Digits: 1                                       700+900
           2                                       700+1100
           3                                       900+1100
           4                                       700+1300
           5                                       900+1300
           6                                      1100+1300
           7                                       700+1500
           8                                       900+1500
           9                                      1100+1500
           0                                      1300+1500
   ST (end-of-digit transmission)                 1500+1700

     The MF signals are sent over the normal voice channels. They may be sent by a switchboard operator or by automatic equipment. On some systems the operator's signaling is audible and sometimes the automatic signaling can be heard due to cross talk between lines.
     A 2600 Hz tone is transmitted continuously on all voice channels between toll offices when the channel is free. This frequency also acts as a disconnect signal, indicating that the voice channel should return to its unused status.
     When a subscriber dials a number it reaches his local central office and possibly toll office by dc pulsing or push button tone signaling. The toll office selects a free voice channel in an appropriate trunk and stops the 2600 Hz tone. The office at the end of that trunk detects the break in the 2600 Hz signal and is alerted to receive a toll telephone number. The number is sent in the MF code listed in table (X). One toll office passes the number to another until the called central office is reached. The central office then rings the called telephone.
     When either party hangs up, the call is disconnected and the toll offices start transmitting the 2600 Hz tone again to indicate that the channel is idle.
     If a short burst of 2600 Hz is transmitted from a subscriber's telephone, the toll office receives this as a signal that the subscriber has hung up. It then places 2600 Hz on the channel to the next toll office. Phone phreaks call this "whistling off" or "beeping off" a trunk. The subscriber is still connected to a long distance switching office. This is the first step to bypassing the telephone company's billing computer and making free calls to anywhere in the world.
     A blue box call is started by dialing a long distance call in the normal way to a toll free "800" number. Directory assistance numbers can also be used or a call can be placed to a nearby destination which is cheap to call. This is the call which will appear on the CAMA tape. Once dialing is completed, and the called number starts to ring, you feed 2600 Hz into your phone for one second. Experienced phone phreaks familiar with the timing whistle off a second or two before the called number actually rings. The 2600 Hz tone is acoustically coupled to the phone by simply placing the blue box against the mouthpiece and pressing the appropriate button. The local CO is not listening for 2600 Hz to indicate a disconnect. It monitors the current flow in the line and knows the subscriber hung up when the current flow drops below a certain minimum. The 2600 Hz tone is passed on to the toll switching office as if it were a voice signal. The toll office is not listening for 2600 Hz from a CO and so passes it on to the next toll office. At this point the tone is heard as a signal that the caller has hung up. The call is cancelled, leaving the caller still connected to a toll line between switching offices. After sending 2600 Hz for approximately one second you remove it. The removal of the tone tells the distant switching office that the line is no longer idle. It connects an incoming sender and waits for instructions in the form of MF signaling. At this point you have about ten seconds to start dialing the desired number on the blue box. The number is dialed in a manner similar to using a push button telephone. It is in this format: KP+(area code)+(7 digit phone number)+ST. When the called number answers, a signal is sent back causing the CAMA tape to be punched with the time the connection was made. At the end of the call, the CAMA tape is punched with the number called from, the time and the number you originally dialed. This is the information that will be used to compute your bill. The call will be free if an 800 number was used. The number actually reached with the blue box is not recorded. Modern systems frequently use magnetic tape instead of punched paper tape to record the billing information but it works the same.

Getting Into the System

     Many CO's are now using CCIS (Common Channel Interoffice Signaling). With this system control signaling is done over different lines than those used for voice transmission. If a toll free call is placed from an area using CCIS to another CCIS area, transmitting 2600 Hz will not cause a disconnect. In 1984, just when it appeared that blue boxing was dead except when done from a few areas of the country, advanced "researchers" discovered holes in the system that opened it up again all over the country including nearly every street corner pay phone. New "holes" are constantly being found and usually are soon plugged after it is discovered they are being used to make illegal calls. The main method in use at this time is to call an 800 number that rings into a non CCIS area. Knowledgeable phone phreaks predict that all of these "holes" will not be plugged until sometime after the year 2000. By then new and better ways will probably have been developed to beat the system. The trick to using this method is to find an 800 number that rings into one of the few remaining areas that still use the older switching equipment. This is not difficult when you know how. When 2600 Hz is transmitted, it travels over the voice channel to the toll office at the distant end where it is received as a disconnect. Usually a "chirp" or "kachink" is heard and you're in!
     A few pay phones, especially those located in rural areas, will disconnect locally if 2600 Hz is played into them. The effect is the same as hanging up the receiver, then picking up again after a few seconds. This is useless for blue boxing and would seem to be an obstacle. Actually, it was a delicious challenge to the "researchers" and soon fell as a barrier to boxing under the probing of a few tone combinations. The local disconnect occurs because the local CO is listening for 2600 Hz. The device that does the listening is called an SF (single frequency) unit. These units are designed to disconnect only when 2600 Hz is received without the presence of any other voice band frequencies. This is to prevent accidental disconnects on voice components. To get by this unit, 2600 Hz is played in combination with a second tone in the range of 3400 to 3600 Hz. This is a "guard" tone. When the SF unit hears the higher tone along with the 2600 Hz signal, it does not disconnect. The CO passes the two tones along the voice channel toward the switching office at the distant end. As the tones pass through the long distance network, the higher tone becomes attenuated to a subaudible level. Only the 2600 Hz tone reaches the distant toll office where it produces the desired disconnect. Once again technology triumphs in determined hands.
     The following is a list of 800 prefixes in order by state. The number in parentheses indicates the area code served by that prefix. An asterisk (*) to the left of the prefix indicates that one or more 800 numbers have been found in that prefix which can be whistled off using 2600 Hz. An asterisk to the right indicates that a toll switching office has been located in the area code served by that prefix which will accept MF. There is a lot of research yet to be done on this list. In its present form, it is a road map of great value to the advanced blue boxer.
     This system is gradually being replaced by the expanded 800 service. Prefixes in the expanded 800 service have no relationship to area codes, but thousands of numbers are still in place under the old system. Some of the prefixes listed below are easy to hack for blowable numbers. (A "blowable" number is one which will disconnect on 2600 Hz). Look for the ones with asterisks before and after them like this: *XXX*.

Alabama           633     (205)

Alaska            544     (907)

Arizona           528     (602)

Arkansas          643     (501)

California        227     (415)
                  421     (213)
                  423     (213)
                  854     (714)
                  824     (916)
                  538     (408)
                  235     (805)
                  344     (209)
                  358     (707)

Colorado         *525     (303)
                  255     (303)

Connecticut       243     (203)

Delaware          441     (302)

District of Col.  424     (202)
                  368     (202) For high volume traffic

Florida           327     (305)
                  237     (813)
                 *874*    (904)

Georgia           841     (912)
                 *241     (404)
                  554     (404)

Hawaii            367     (808)

Idaho            *635     (208)

Illinois          621     (312)
                  323     (312)
                  637     (217)
                  435     (815)
                  447     (309)
                  851     (618)

Indiana           428     (317)
                  457     (812)
                  348     (219)

Iowa              553     (319)
                 *247     (515)
                  831     (712)

Kansas            835     (316)
                  255     (913)

Kentucky          626     (502)
                  354     (606)

Louisiana         535     (504)
                  551     (318)

Maine             341     (207)

Maryland          368     (301)

Massachusetts     343     (617)
                  225     (617)
                  628     (413)

Michigan          253     (616)
                  521     (313)
                  338     (906)
                  517     (248)

Minnesota         328     (612)
                  533     (507)
                 *346     (218)

Mississippi       647     (601)

Missouri          821     (816)
                  325     (314)
                  641     (417)

Montana          *548*    (406)

Nebraska          228     (402)
                  445     (308)

Nevada           *634     (702) (Las Vegas)
                  648     (702) Reno

New Hampshire     258     (603)

New Jersey        257     (609)

New Mexico        545     (505)

New York          223     (212)
                  847     (607)
                  221     (212)
                  431     (914)
                  828     (716)
                  645     (516)
                  448     (315)
                  833     (518)

North Carolina    334     (919)
                  438     (704)

North Dakota     *437     (701)

Ohio              321     (216)
                  543     (513)
                  537     (419)
                  848     (614)

Oklahoma          654     (405)
                  331     (918)

Oregon           *547*    (503)

Pennsylvania      523     (215)
                  345     (215)
                 *458*    (814)
                  245     (412)
                  233     (717)

Puerto Rico       468     (809)

Rhode Island      556     (401)

South Carolina   *845*    (803)

South Dakota     *843*    (605)

Tennessee         251     (615)
                  238     (901)

Texas             527     (214)
                  433     (817)
                  531     (512)
                  231     (713)
                  351     (915)
                 *858*    (806)

Utah              453     (801)

Vermont          *451     (802)

Virginia          446     (804)
                  368     Arlington - <For D.C.>
                  336     (703)

Virgin Islands    524     (809)

Washington        426     (206)
                  541     (509)

West Virginia     624     (304)

Wisconsin        *356     (608)
                  558     (414)

Wyoming           443     (307)

How to Make Overseas Calls With a Blue Box

     Overseas dialing is done in two stages of outpulsing. The first stage routes to an overseas sender and uses 011, which is the international access code for International Direct Distance Dialing (IDDD) plus the paired country code. If the country code is two digits, the paired country code can be derived by adding a "0" to the left of the country code. Example: The country code for England is 44. The paired country code would be 044. First stage outpulsing for England would then be: KP-011044-ST. If the country code contains three digits, the paired country code cannot be derived in this way and must be looked up. Example: The country code for Guam is 671. The paired country code is 067. First stage outpulsing for Guam would be KP-011067-ST. Second example: The country code for Cyprus is 357. The paired country code is 087. It is a rule that a paired country code must never be the same as any country code.
     About five seconds after the STart pulse, an international dial tone will be heard. This will time out to a reorder in about ten seconds.
     When the dial tone is heard, the system is ready to accept the second stage of pulsing in the format: KP-country code-city code-digits-ST. At this stage it is the country code not the paired country code which is used.
     Use the paired country codes when calling inward operators.
     Some toll offices are screened against 011 coming in on a long distance trunk. In that case precede the 011 with the area code which would apply for that toll office. Example: for a toll office in Gainesville, FL use KP-904+011+paired CC-ST.
     Another way to reach the overseas senders is to call them directly with KP-sender number-ST. If this doesn't work add the area code of the sender. Example: KP-904185-ST.
     This is a list of international centers with their area codes:

                     A/C  Sender   Location
                     ---  ------   --------
                     914   182   White Plains, NY
                     212   183   New York, NY
                     412   184   Pittsburgh, PA
                     904   185   Jacksonville, FL
                     415   186   Sacramento, CA
                     303   187   Denver, CO
                     212   188   New York (same sender as 183)

     The routing for a particular country can be found by dialing normally (pulse or touch-tone) 011+CC+000+enough digits to add up to a total of seven including the country code. Example: 011+44+00011. You will get a recording. At the end of the recording, the area code of the international center will be given. The sender used to call a particular country can vary depending on the area of the country from which the call is originated. An international call can sometimes be completed through the wrong sender, but this causes a print out that will later be investigated to find out which CO it came from. To find the correct routing when pulsing through any particular toll office use KP+paired CC+000+ST. For example, KP-011044000-ST would give the same result as dialing normally 011-44-00011 if you were dialing it in the area where the toll office is located.
     The first digit of a country code is the world region in which that country is located. The world regions are: 1--North America, 2--Africa, 3 and 4--Europe, 5--South and Central America, 6--South Pacific, 7--Union of Soviet Socialist Republics (U.S.S.R.), 8--Far East, 9--Middle East and South-East Asia.

Note 1. KP2 is not used in first or second stage outpulsing when calling any country in the IDDD network.

Note 2. Public telephones are interfaced to TSPS (Traffic Service Position System). If you call an 800 number and whistle off using 2600 Hz, the distant toll office sends a wink back signal (a short on-hook) indicating it is ready to receive pulsing. TSPS responds to this wink back by printing out the original number called, the number called from, and the number MFed after the wink back. This print out goes to the billing and security departments.

PAIRED COUNTRY CODES

     This is a list of paired country codes for use in first stage outpulsing on overseas calls. For two digit country codes simply add a zero. Example: The country code for England is 44. The paired country code is 044. Paired country codes that cannot be derived by this simple method are listed below.

       Country                Country Code  Paired Code
       -------                ------------  -----------
Algeria                           213           013
American Samoa                    684           284
Bahrain                           973           073
Belize                            501           111
Bolivia                           591           991
Brunei                            773           180
Cameroon                          237           077
Costa Rica                        506           806
Cyprus                            357           087
Ecuador                           593           293
El Salvador                       503           003
Ethiopia                          251           059
Fiji                              679           879
Finland                           358           088
French Antilles                   596           896
French Polynesia (Tahiti)         689           289
Gabon                             241           025
Gibraltar                         350           050
Guam                              671           067
Guatemala                         502           022
Guyana                            592           892
Haiti                             509           887
Honduras                          504           884
Hong Kong                         852           692
Iceland                           354           854
Iraq                              964           294
Ireland                           353           083
Israel                            972           072
Ivory Coast                       225           285
Jordan                            962           282
Kenya                             254           074
Kuwait                            965           015
Lesotho                           266           186
Liberia                           231           851
Libya                             218           018
Luxembourg                        352           292
Malawi                            265           096
Marisat Atlantic                  871           101
Marisat Pacific                   872           102
Marisat Indian Ocean              873           103
Morocco                           212           012
Namibia                           264           194
Netherlands Antilles              599           099
New Caledonia                     687           287
Nicaragua                         505           975
Nigeria                           234           014
Oman                              968           068
Panama                            507           247
Papua New Guinea                  675           875
Paraguay                          595           295
Portugal                          351           281
Qatar                             974           174
Saipan                            670           071
Saudi Arabia                      966           990
Senegal                           221           021
St. Pierre/Miquelon               508           104
Suriname                          597           097
Swaziland                         268           168
Taiwan                            886           006
Tanzania                          255           075
Tunisia                           216           016
Uganda                            256           876
United Arab Emirates              971           291
Uruguay                           598           288
USSR                                7           007
Yemen Arab Republic               967           297
Zambia                            260           008
Zimbabwe (Rhodesia)               263           283

Notes: The Marisat codes are used when calling ships directly. Single stage outpulsing is used for calls to Mexico in this format: KP-180-City Code-digits-ST. To call an inward operator in Mexico use KP-190-City Code-09-ST. For directory assistance use KP-190-City Code-01-ST.

Red Boxing

     Red boxing consists of simulating the tones produced when coins are deposited in a pay phone. Coin tones are beeps of 2200 Hz + 1700 Hz as follows:

5 cents - 1 beep, 66 milliseconds duration.

10 cents - 2 beeps, each 66 milliseconds duration with 66 millisecond pause between beeps.

25 cents - 5 beeps, each 33 milliseconds duration with a 33 millisecond pause between beeps.

     Two methods have commonly been used by phone phreaks to produce these tones and make free calls.

1. The traditional Red Box consisting of a pair of Wien-bridge oscillators with the timing controlled by 555 timer chips.

2. Producing the signals with a computer which are recorded and then played back into the mouth piece of a pay phone.

     A third very novel method has recently appeared. A phreak in the Midwest has extensively tested a method of red boxing which uses nothing more than a pair of brass or aluminum whistles. The whistles are 1/4 inch in diameter by 4 inches long and are tuned by means of a wooden dowel rod which fits snugly inside. The whistles can be brought precisely on frequency by tuning them against a known signal source such as a computer capable of producing the tones. Once tuned, the whistles are glued or taped together so they can be blown together to produce the dual tone used in coin signaling. It has been tested and proven that with a little practice these whistles can be used to make free calls. Now you can blow your money without spending a cent.

Black Boxes

     Like blue boxes, black boxes got their name from the color of the first one found. The black box, also known as a mute, is a device which permits a subscriber to receive incoming long distance calls without charge to the calling party. This information is presented mainly for its historical interest since black boxes will not work on the new electronic switching systems (ESS).
     The construction and use of a black box was quite simple. A resistor of about 5600 ohms was connected in series with one side of the phone line. Connected in parallel across the resistor were a .47 mfd capacitor and a single pole single throw toggle switch. A momentary contact push button was connected across the line ahead of the other components for the purpose of briefly shorting the line. While waiting for an incoming call, the switch was left in the "on" position which shorted out the resistor and left the phone connected to the line as usual. When a call was received, the procedure was to throw the switch, lift the receiver and push the button for a period less than one second. That brief short simulated taking the receiver off hook, which stopped the phone from ringing. Releasing the button simulated placing the receiver back on hook. Keep in mind that the receiver is really "off hook", but the presence of the resistor in series with the line reduces the current drawn by the phone below the level needed by telephone company equipment to detect the "off hook" condition. The capacitor bypassed the resistor for audio signals, permitting normal conversation to take place. All the billing equipment knew was that a toll call was placed and the called party picked up the receiver and replaced it in less than one second. Since calls of less than one second duration are not billed, there was no charge for the call.
     Later models of the black box featured diodes to automatically perform the button pushing and switch functions. Aside from this refinement, they worked the same as the one described.

Cheese Boxes

     The first device of this kind was found in a cheese box, thus the name. A cheese box is a call diverter. Calls placed to one number are rerouted to another. This requires two phone lines each with its own number. Both lines terminate at the same location, usually a vacant apartment or the apartment of an elderly widow. Only the first number is given out. When this number is called, the cheese box connects the first line to the second. The call is then answered on the second line at a location far removed from the cheese box.
     This has been a favorite trick among bookies. Law enforcement officers trace the calls to the location of the cheese box and stage raids. When they get to the location all they find is an empty apartment or a confused old lady. Sometimes, realizing a cheese box is being used, they make a search for it. They don't always find the cheese box even though they know what they are looking for.
     Early cheese boxes were quite simple, consisting of only a few diodes and capacitors. They could be as small as a fifty-cent coin. Because of changes in the system, later models are more sophisticated.
     Cheese boxes are in use today. They have been advertised in a national magazine. Apparently the device is not illegal unless put to an illegal use.

Silver Boxes

     These devices are used by two people to talk or send computer data over long distance lines free of charge. A silver box is simply a normal tone pad with the addition of four keys normally reserved for military or amateur radio use. These four additional keys are designated as follows:

A - Flash
B - Flash override priority
C - Priority communication
D - Priority override

     Push button tone dialing uses a signaling method called Dual Tone Multifrequency or DTMF for short. It is a method of representing digits by playing two tones together using different tones for different digits. The following table lists the frequencies used by a tone pad including the signals of the silver box. All frequencies are in Hertz.

     Tone Dialing Frequencies

   Low tone group (Hz)      High tone group (Hz)
                          1209   1336   1477   1633
   ------------------------------------------------
   697                       1      2      3      A
   770                       4      5      6      B
   852                       7      8      9      C
   941                       *      0      #      D

     Silver boxes can be made by modifying an existing key pad or they can be built up from a readily available tone encoder integrated circuit chip. The tones used can also be produced by many personal computers.
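As an added example that is not part of this file, the Python below decodes a frame of telephone-band audio against both tone tables on this page: the six-tone MF code from the blue box section (KP1, KP2, digits, ST) and the DTMF grid above, including the A-D keys. It also flags a 2600 Hz tone. This is the kind of logic a trunk-side fraud monitor or an analyst working from a call recording uses to establish what signaling was present on a channel. The Goertzel detector is a standard technique; the 8 kHz sample rate, the 100 ms frame, the power thresholds and the synthetic test signal built by make_tones are assumptions of this example, not anything the text specifies.

```python
import math

# Frequency tables copied from the two tables in this file (Hz).
# MF (North American / CCITT No. 5): a 2-of-6 code.
MF_TABLE = {
    frozenset({1100, 1700}): "KP1", frozenset({1300, 1700}): "KP2",
    frozenset({700, 900}): "1", frozenset({700, 1100}): "2", frozenset({900, 1100}): "3",
    frozenset({700, 1300}): "4", frozenset({900, 1300}): "5", frozenset({1100, 1300}): "6",
    frozenset({700, 1500}): "7", frozenset({900, 1500}): "8", frozenset({1100, 1500}): "9",
    frozenset({1300, 1500}): "0", frozenset({1500, 1700}): "ST",
}
# DTMF: one low-group tone plus one high-group tone, 4x4 grid including A-D.
DTMF_LOW = (697, 770, 852, 941)
DTMF_HIGH = (1209, 1336, 1477, 1633)
DTMF_KEYS = ("123A", "456B", "789C", "*0#D")
DTMF_TABLE = {
    frozenset({lo, hi}): DTMF_KEYS[r][c]
    for r, lo in enumerate(DTMF_LOW) for c, hi in enumerate(DTMF_HIGH)
}
SF_IDLE_HZ = 2600        # trunk idle / disconnect tone described in the text

RATE = 8000              # telephone-band sample rate (assumption of this example)
FRAME = 800              # 100 ms analysis window (assumption)
MIN_POWER = 0.01         # normalised power floor: tones below ~0.1 amplitude are ignored
PAIR_RATIO = 10.0        # 2nd strongest tone must beat the 3rd by this factor


def goertzel_power(samples, freq, rate=RATE):
    """Normalised power of `samples` at `freq` via the Goertzel recurrence.
    A full-scale sine exactly at `freq` gives ~1.0, so thresholds do not depend on gain."""
    n = len(samples)
    omega = 2.0 * math.pi * freq / rate
    coeff = 2.0 * math.cos(omega)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2   # |y[N-1]|^2
    return power / (n / 2.0) ** 2


def decode_pair(samples, table, rate=RATE):
    """Return the symbol for the dual tone in `samples`, or None when the frame does not
    carry exactly two table frequencies at comparable level: silence, a lone tone and
    an undefined combination (e.g. 700+1700 in MF) all decode to None."""
    freqs = sorted({f for pair in table for f in pair})
    ranked = sorted(((goertzel_power(samples, f, rate), f) for f in freqs), reverse=True)
    (_, f1), (p2, f2), (p3, _) = ranked[:3]
    if p2 < MIN_POWER or p3 * PAIR_RATIO > p2:
        return None
    return table.get(frozenset({f1, f2}))


def decode_frames(frames, table, rate=RATE):
    """Decode a sequence of frames, dropping frames that carry no valid pair."""
    out = []
    for frame in frames:
        sym = decode_pair(frame, table, rate)
        if sym is not None:
            out.append(sym)
    return out


def sf_tone_present(samples, rate=RATE):
    """True if the frame carries a 2600 Hz tone well above the noise floor."""
    return goertzel_power(samples, SF_IDLE_HZ, rate) > MIN_POWER


def make_tones(freqs, rate=RATE, n=FRAME, amplitude=0.5):
    """Constructed test signal: the given frequencies summed for one frame."""
    return [sum(amplitude * math.sin(2.0 * math.pi * f * i / rate) for f in freqs)
            for i in range(n)]


if __name__ == "__main__":
    # KP1, digits 4 and 5, a silent gap, then ST: what a trunk monitor would see.
    frames = [make_tones(p) for p in [(1100, 1700), (700, 1300), (900, 1300)]]
    frames.append([0.0] * FRAME)
    frames.append(make_tones((1500, 1700)))
    print(decode_frames(frames, MF_TABLE))                     # ['KP1', '4', '5', 'ST']
    print(decode_pair(make_tones((941, 1633)), DTMF_TABLE))    # D
    print(sf_tone_present(make_tones((SF_IDLE_HZ,))))          # True
```

The ranking check matters more than it looks: a lone tone or plain speech energy would otherwise be forced into the nearest pair and logged as a digit. Requiring the second tone to clear an absolute floor and to dominate the third candidate is the same idea the text credits to the SF unit, which refuses to treat 2600 Hz as a disconnect when other voice-band energy is present.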

Making Free Calls with a Silver Box.

     Silver boxes are used to seize long distance directory assistance lines. Two people calling at about the same time dial directory assistance for a selected area code. Not all area codes work for this. Those in the midwest seem to be favored. When the number rings, the "D" key is pressed. The caller will hear a pulsing tone. The first caller presses "6" on his keypad and waits. The second caller, following the same procedure to this point, presses "7" on his key pad. The two are instantly connected. Those who have experimented with this say it doesn't matter whether the "6" or the "7" is pressed first so long as one caller uses "6" and the other "7".
     Because of the necessity of prearranging the time of a silver box call, this method hasn't really caught on except as a fun experiment among advanced phone phreaks.