💾 Archived View for spam.works › mirrors › textfiles › phreak › hmb1.txt captured on 2023-06-16 at 19:44:38.
-=-=-=-=-=-=-
Another Safe Cracker Production Hacking Ma Bell Part One Spencer Whipple, Jr. c/o 73 Magazine Peterborough, NH 03548 Basic Telephone Systems Part One Lifting Ma Bell's Cloak of Secrecy ---------------------------------- Though telephones predate radio communications by many years, they aren't nearly as simple as they appear at first glance. In fact, some aspects of telephone systems are most interesting and quite ingenious. In this article we will describe some of these more interesting and perhaps less well-known areas of telephone systems. But before going farther, let me explain and apologize for the fact that some of the information in this article may not be altogether complete, up to date, or even correct. I do not work for any phone company, and therefore do not have access to internal telephone company literature. Moreover, there is very little material available in books or magazines which describes how US telephone systems work. Much of the information in this article has been obtained piece-meal from many different sources such as books, popular magazines, computer data communications journals, handbooks, and sometimes just plain hear-say. I have tried to correlate as much as possible all the little bits and pieces into a coherent picture which makes sense, but there is no easy way to be sure of all the little details. So think of this article as if it is a historical novel - generally accurate and, regardless of whether it is completely true or not, fascinating. With this out of the way, let's go on. Figure 1 shows a simple diagram which explains how your home telephone fits into the overall picture. You, as the customer, are generally referred to as the 'subscriber'. Your telephone connects to the Central Office through a two-wire cable which may be miles long and which may have a resistance on the order of hundreds or even thousands of Ohms. This cable is essentially a balanced line with a characteristic im- pedence of around 900 Ohms, but this varies greatly with different calls. (This is why it is so hard to keep a hybrid phone-patch balanced.) The main power in the central office comes from 48 volt storage batteries which are constantly kept trickle-charged. This battery is connected to your line through a subscriber relay and a balanced audio transformer. The relay is sensitive enough to detect even quite small currents through your line. The buttons which stick up out of your telephone case when you lift the handset accuate the hook switch. The name probably dates back to the days when the handset (or even earlier, the earpiece) hung on the side of the phone from a hook. In any case, when your phone is hung up it is said to be on the hook; when you lift the handset to make a call it is said to go off the hook. With the phone on hook, the line is connected only to the bell (called the ringer). Because the bell circuit has a capacitor in it, no dc current can flow through the phone. As a result, the subscriber relay back in the central office will be deenergized, indicating to the central office (let's abbreviate that as CO from now on) that your phone is hung up. Since there is no current through your line or phone, there is no voltage drop anywhere, and so if you measure the voltage across the phone line at your home you will see the entire 48 volts (or even more if the CO batteries are well charged). The positive (grounded) lead is called the tip and negative lead is called the ring; these names cor- respond to the tip and ring of a three-circuit phone plug. Now suppose you want to place a call. You pick up the handset, and the phone goes off the hook. This completes the dc circuit through the dial, micro- phone, and the hybrid network which is basically a complicated transformer circuit. At this point current starts to flow from the battery through your line and phone, and the subscriber relay back at the CO pulls in. The line voltage across your phone now drops to just a few volts because the line is loaded down by the low resistance of the phone. The CO now searches for some idle dialing circuits, and when it finds them, connects a dial tone back to your phone. When you hear this, you start dialing. The dial shown in Fig. 1 is a rotary dial of the type which you turn with your finger (we will talk about Touchtone dials later). When you dial a number, the dial acts as a short circuit until you release the dial and let the built- in spring return it back to the resting position. As it is returning, it starts to open and close the circuit in sequence to indicate the number you dialed. If you dial a 1,it opens the circuit once; if you dial a 9 it opens the circuit nine times. As the dial is returning it causes the subscriber relay to open and close in step. This enables the CO to recognize the number you want. When you finish dialing, the dial becomes just a plain short circuit which passes current through the microphone and the hybrid network. Since the mike is a carbon unit, it needs this current to work. When the CO receives the complete number, it starts to process your call. If you dialed another subscriber in the same area, it may connect you directly to that subscriber's line. Calls to phones a little further away may have to be routed through another CO, while long distance calls may go through one or more long distance switching centers (called tandems) and possibly many other CO's before arriving at the destination. At the completion of this process, you may get either a ringing signal, indicating that the phone at the other end is ringing, one of several types of busy signals, or possibly just silence, if something goes wrong somewhere. When you talk to the person at the other end, the cable carries audio in both directions at the same time. Your carbon microphone varies the current in your circuit, and this current variation is detected by a balanced trans- former in the CO.At the same time, audio coming back to your phone goes through the hybrid network to your earphone. (In phone company lingo they like to call the mike a transmitter, and the earphone is called a receiver.) You may be interested in the makeup of the various tones you may hear on your telephone; these tones are important to people such as computer com- munications designers who have to build equipment which will recognize dial or other signalling tones: Dial tone in older exchanges may still be a combination of 120 and 600 Hz but the newer exchanges use a combination of 350 and 440 Hz. There is often a slight change in the dc line voltage at the beginning of dial tone, and this may also be detected. Busy signal is a combination of 480 and 620 Hz which alternates for 1/2 second on and 1/2 second off (i.e., 60 interruptions per minute) when the party you are calling is busy. The same busy signal may be used for other conditions such as busy interoffice or long distance circuits, but would then be interrupted either 30 times a minute or 120 times per minute. This is a standard agreed on by an international telecommunications organization called CCITT (and I don't offhand remember the French words it stands for), but occasionally other frequencies up to 2kHz are used. A siren-like sound varying between 200 and 400 Hz is often used for other error conditions. The ringing tone, which you hear coming back to you when the phone rings on the other end of the connection, is nowadays mostly a combination of 440 and 480 Hz, but there is a great variation between CO's. Very often a higher frequency such as 500 Hz is interrupted at 20 Hz, and other tones are used as well. The tone is usually on for two seconds and off for 4 seconds. The ringing current, actually used to ring the bell in a telephone, is an ac voltage since it has to activate a ringer which has a capacitor in series with it.Different companies use different ringing currents, but the most common is 90 volts at 20 Hz. Since a typical phone may be thousands of feet away from the CO, the thin wires used may have a fairly high line resistance. Hence only a relatively small current can be applied to the bell, certainly not enough to ring something like a doorbell. This problem is solved by making the bell resonant mechanically at the ringing frequency so that even a fairly small amount of power is enough to start the striker moving hard enough to produce a loud sound. This is the reason why a low frequency ac is used. Although this raises some problems in generating a 20 Hz signal at a high enough voltage, it has the advantage that a bell will respond to a ringing current only if the frequency is quite close to the bell's naturally resonant frequency. If you build two bells, one resonant at 20 Hz and the other resonant at 30 Hz, and connect them together to the same line, you can ring just one bell at a time by connecting a ringing current of the right frequency to the line; this has some useful applications in ringing just one phone on a party line. Now let's look at some of the components of the phone itself. We will consider the most common new phone, a model 500 C/D manufactured by Western Electric and used by Bell System affiliated phone companies. This is the standard desk phone, having modern rounded lines and usually having a G1 or G3 handset. It was developed about 1950 and replaced the older 300-series phones which had the older F1 handset and had sharper corners and edges. (There was an inbetween phone, where they took an old 300 series phone and put a new case on it which resembled the 500-style case but had a straight up-and down back - the back of the case came straight down right behind the handset cradle,whereas the true 500-style telephone has what looks like a step sticking out behind the cradle). If you are still in doubt as to which phone you have, the bell loudness control is a wheel on the 500-type phone and a lever on the 300-type. If you live in the boondocks, you may still have the 200-type phone (sometimes called the ovalbase) or maybe even the desk-stand type that looked like a candlestick, with the microphone mounted on top and the earpiece hanging on the side from a hook. Neither of these phones had a built in bell, and so you probably have a bell box attached to your wall. (If you have a phone with a handle on the side which you crank to call the operator, the following does not apply to your phone !) Fig. 2 shows the bell circuit, which consists of a two-coil ringer and a 0.5 uF capacitor. On Western Electric phones the capacitor is mounted inside the network assembly, which also has a large number of screws on top which act as connection points for almost everything inside the phone. (I have never been able to find out why the ringer has two coils of unequal resistance but it apparently has something to do with determining which subscriber on a party line makes which call.) In most phones, the yellow and the green wires are connected at the wall terminal block so that the bell is connected directly across the telephone line; disconnecting the yellow lead would turn off the bell (although sometimes the connection is made internally by connecting the black lead from the ringer directly to the L1 terminal, in which case the yellow lead is disconnected. You may wonder why a yellow lead is needed at all when only two wires are normally used anyway. It is true that only two wires enter the house from the outside; one of these is the tip and the other is the ring. In a non-party line the ringing current as well as all talk voltages are applied between the tip and the ring, and it doesn't actually matter which of the phone leads goes to the tip and which to the ring if you have a rotary dial phone. If you have a Touchtone dial, then you have to observe polarity so that the transistor circuit in the dial works, in which case you have to make sure that the green lead goes to the tip and the red lead goes to the ring. The yellow lead is commonly used for party lines. On a two-party line ringing current from the CO is applied not between the two lines, but between one line and ground. In that case the yellow lead goes to ground while the other side of the ringer (the red lead) is connected to either the tip or the ring, depending on the party. In this way, it is possible to ring only one party's bell at a time. The remaining connections inside the telephone are shown in Fig.3. The components labeled VR are varistors: the phone companies must be the world's biggest users of these devices, which are variable resistors whose resistance drops as the voltage across them rises. Their function in the phone set is to short out parts of the set if the applied voltage gets too high. For in- stance, VR2 is connected directly across the earphone (receiver) and acts as a volume limiter to lower the volume if the applied voltage gets too high - a great way to protect your eardrums. As you can see in Fig.3 we use the standard phone company way of ident- ifying normally open and and normally closed switches - an X in a wire is normally a normally open contact of a switch or relay, while a short bar means a normally closed contact.The arrows in the drawing show the path of dc current through the phone when it was off the hook. Starting at the green wire, the current path goes through a set of contacts on the hook switch, then through the pulsing contacts on the dial, through part of the network, through the mike, back through a second winding on the network, and finally through a second contact on the hook switch and back out to the red wire. The hook switch actually has three sets of contacts, two normally open (open, that is, when the hand set is on the hook) which completes the dc cir- cuit when you pick up the handset, and a normally closed contact which is wired directly across the earphone. This contact's function is to short the earphone during the time that the dc circuit is being opened or closed through the phone - this prevents you from being blasted by a loud click in the ear- phone. The dial has two contacts. One of these is the pulsing contact, which is normally closed and only opens during dialing on the return path of the dial after you let go of it. The second contact, labelled the off-normal con- tact, shorts the earphone as soon as you start turning the dial, and releases the short only after the dial returns back to the normal position. In this way you do not hear the clicking of the dial in the phone as you dial. Finally, the phone has the hybrid network which consists of a four-winding transformer and a whole collection of resistors, capacitors, and varistors. The main function of the network is to attenuate your own voice to lower its volume in your earphone. The simplest phone you could build would be just a series circuit consisting of a dial, a }ike, and an earphone. But the signals coming back from the other party are so much weaker than your own signals, that an earphone sensitive enough to reproduce clearly and loudly the voice of the other person would then blast your eardrums with the sound of your own voice. The function of the network is to partially cancel out the signal pro- duced by the local mike, while permitting all of the received signal to go to the earphone. This technique is similar to the use of a hybrid phone patch with a VOX circuit, where you want the voice of the party on the telephone to go to your transmitter, but want to keep the receiver signal out of the transmitter. In addition to the parts needed for the hybrid, the network also contains a few other components (such as the RC network across the dial pulsing contacts) and screw-type connection points for the entire phone. A Touchtone phone is similar to the dial shown here, except that the rotary dial is replaced by a Touchtone dial. In addition to its transistor- ized tone generator, the standard Touchtone pad has the same switch contacts to mute the earphone, except that instead of completely shorting the earphone, as the rotary dial does, the Touchtone dial switches in a resistor which only partially mutes the phone. The circuit of the Touchtone dial is shown in recent editions of the ARRL Handbook so we won't print it here, but Fig.4 shows two possible connections of such dials for amateur use. Fig.4 (a) shows the connection for coupling the dial output electrically to a transmitter in- put, while Fig.4 (b) shows how to connect it to a 500 Ohm earphone (such as the earphone from a telephone handset) for acoustic coupling into a transmitter microphone. Fig.5 shows how the terminals on a Trimline Touchtone pad cor- respond to the colored wires coming from the standard desk-type phone pad. It is fairly common knowledge as to what frequencies are used for Touch- tone signalling, but a misprint in several recent ARRL publications gives the wrong frequency for one of the high tones, so here is a short table which repeats the correct numbers : LOW TONE HIGH TONE GROUP (Hz) GROUP (Hz) 1209 1336 1477 1633 697 1 2 3 A 770 4 5 6 B 852 7 8 9 C 941 * 0 # D Each digit is composed of one frequency from the low group and one frequency from the high group; for instance, the digit 6 is generated by producing a low tone of 770 Hz and a high tone of 1477 Hz at the same time. The American Touchtone pads generate both of these tones with the same transistor, while European pads (yes, there are some) use two transistors, one for each tone. In addition to the first three high tones, a fourth one of 1633 has been decided on for generating four more combinations, called A through D in the above table. These are not presently in use, although the standard phone Touch- tone pad can easily be modified to produce this tone, since the required tap on the inductor used to generate the tone is already present and only an additional switch contact is needed to use it; information on this simple conversion is found in the 73 publication 'Digital Control of Repeaters'. What is not generally known is that the U.S. Air Force uses a different set of Touchtone frequencies, in the range of 1020 to 1980 Hz. Since many of the phones available for purchase in stores come from Department of Defense surplus sales, it will be interesting when these phones become available. Another Touchtone dial presently used by amateurs is made up of a thin elastomeric switch pad made by the Chomerics Corp. (77 Dragon Court, Woburn, Mass. 01801) and a thick-film hybrid IC made by Microsystems International (800 Dorchester Boulevard, Montreal, Quebec). The pad is the Chomerics ER- 20071, which measures about 2 1/4 inch wide by 3 inches high, and only about 3/16 inch thick (Chomerics also makes a smaller model ER21289, but it is very difficult to use and also apparently unreliable).Microsystems International makes several very similar ICs in the ME8900 series, which use different amounts of power and generate different amounts of audio. Some of these also contain protection diodes to avoid problems if you use the wrong polarity on the IC, and there are so many models to choose from that you should get the technical data from the manufacturer before ordering one. There are a number of US distributors, including Newark Electronics, Milgray and Arrow Electronics in New York. KA Electronics Sales advertised both the pad and the IC in the July 1974 issue of 73 Magazine. In single quantities, the pad goes for about $9 and the IC costs about $18, although it drops in price if you order larger quantities. A simple circuit for the IC and pad isshown in the ARRL publication 'FM and Repeaters for the Radio Amateur'. While this circuit is perfectly good, it does not work in the presence of a strong rf. If you want to mount this pad and IC on a portable 2-meter rig, you will have to use bypass capacitors and chokes to keep the rf out of the IC. Bypass pins 8 and 16 of the IC to pin 13 with small discs of about 0.001 or 0.01 uF, right at the IC, using very short leads. Then put small 2 to 5 microhenry chokes in series with pins 8, 13 and 16 right at the IC. If needed, put more chokes at the other end of each lead. Ohmite Z-144 chokes are good but a little bulky; the small 1.8 microhenry chokes used in Motorola Handie-Talkies (Motorola type 24-82723HO1) are about the size of a 1/8watt resistor and almost as good.It may seem a little funny to put chokes in the ground leads,as all hams are trained to use good rf grounds, but the object is to keep rf out of the IC at all costs and this accomplishes that by letting the IC float above ground if needed,but removing any rf voltage which might appear across the IC leads. It is also possible to generate the Touchtone tones with separate oscillators or with IC oscillators (such as the NE566), as is done in pads sold by Data Engineering. This system may not be as stable or accurate as other systems, though. One of the problems with any current IC is that the frequency changes if rf gets near it. Many hams are having a hard time mounting such IC pads on their 2-meter Handie-Talkies. But a solution seems in sight - Mostek, a large IC company, is coming out with an IC Touchtone generator which has cheap 3.58 MHz external crystal as reference, and then produces the tone frequencies by dividing the 3.58 MHz down with flip flops to get the required tone frequen- cies. This approach not only promises to be more reliable in the presence of rf, but should also be cheaper since it would not need the custom (and expen- sive) laser trimming of components that the Microsystems International IC needs to adjust the frequencies within tolerence. At the other end of the telephone circuit, in the CO, various circuits are used to decode the digit you dial into the appropriate signals needed to perform the actual connection. In dial systems, this decoding is done by relay circuits, such as steppers. This circuitry is designed for dialing at the rate of of 10 pulses per second, with a duty cycle of about 60% open, 40% closed. The minimum time between digits is about 600 milliseconds, although a slightly greater time between digits is safer since it avoids errors. In practice, many COs will accept dialing at substantially slower or faster rates, and often you will see a dial that has been speeded up by changing the mechanical gov- ernor to operate almost twice as fast; it depends on the type of CO equipment. Touchtone decoding is usually done by filter circuits which separate out the Touchtone tones by filters and then use a transistor circuit to operate a relay. A common decoder is the 247B, which is designed for use in small dial switchboard systems of the type that would be installed on the premises of a business for local communication between extensions. It consists of a limiter amplifier, seven filters and relay drivers (one for each of the seven tones commonly used) and some timing and checking circuitry. Each of the seven relays has multiple contacts, which are then connected in various serial/par- allel combinations to provide a grounding of one of ten output contacts, when a digit is received. The standard 247B does not recognize the * and # digits, but can be modified easily enough if you have the unit diagram. The 247B decoder is not very selective, and can easily be triggered by voice unless some additional timing circuits are connected at the output to require that the relay closure exceed some minimum time interval before it is accepted. Slightly more complicated decoders which have the time delays built in are the A3-type and the C-type Touchtone receivers. Both of these are used in customer-owned automatic switchboards when a caller from the outside (via the telephone company) wants to be able to dial directly into the private switchboard to call a specific extension. The C-type unit is similar to the 247B in that it has ten outputs one for each digit. The A3-type does not have output relays, but instead has seven voltage outputs, one for each of the seven basic tones, for activating external 48-volt relays. The A-3 unit is ideal for activating a Touchtone encoder, which can then be used to regenerate the touchtone digits if the original input is noisy. This might be very useful in a repeater autopatch, for cleaning up Touchtone digits before they are sent to the telephone system. In addition to the above,there are probably other types of units specially designed for use in the CO, but information on these is not readily available. It is also fairly easy to build a Touchtone decoder from scratch. Though the standard telephone company decoders all use filter circuits, it is much easier (though perhaps not as reliable) to use NE567 phase-locked-loop integrated circuits. An interesting sidelight to Touchtone operation is that it greatly speeds up the process of placing a call. With a Touchtone dial it is possible to dial a call perhaps 3 to 5 times faster than with a rotary dial. Since the CO equipment which receives and decodes the number is only needed on your line during the dialing time, this means that this equipment can be switched off your line sooner and can therefore handle more calls. In fact, the entire Touchtone system was invented so that CO operation would be streamlined and less equipment would be needed for handling calls. It is ironic that the cus- tomer should be charged extra for a service which not only costs the telephone company nothing, but even saves it money. Another practice which may or may not cost the telephone company money is the connection of privately-owned extension phones. You have probably seen these sold by mail order houses and local stores. The telephone companies claim that connecting these phones to their lines robs them of revenue and also may cause damage to their equipment. There are others, of course, that hold the opinion that the easy availability of extensions only causes people to make more calls since they are more convenient, and that the companies really benefit from such use. The question of damage to equipment is also not easily answered, since most of the extension phones are directly compatible, and in many cases the same type as the telephone company itself uses. Be that as it may, this may be a good time to discuss such use. Prior to an FCC decision on telephone company interconnection in the Caterphone case in 1968, all telephone companies claimed that the connection of any equipment to their lines was illegal. This was a slight misstatement as no specific laws against such use were on the books. Instead, each local telephone company had to file a tariff with the public service commission in that state, and one of the provisions of that tariff was that no connection of any external equipment was allowed. By its approval of that tariff, the public service commission gave a sort of implicit legal status to the prohibition. In the Caterphone case, however, the FCC ruled that the connection of outside equipment had to be allowed. The phone companies then relaxed their tariff wording such that the connection of outside equipment was allowed if this connection was through a connecting arrangement 'provided by the telephone company' for the purpose of protecting its equipment from damage. Although this result has been challenged in several states, that seems to be the present status. The strange thing is that some telephone companies allow intercon- nection of customer equipment without any hassle whatsoever, while others really make things difficult for the customer. ...WHIPPLE (and Safe Cracker) The End