Instuctional phile Topic ..................... Creating Various Phun Fone Toys Author .................... Compilation phrom several sources Compiler .................. Nocturnal Phoenix This is one of a series of compilations I am creating of the various techniques used to perphorm actions that aught not be perphormed (but will be done anyway, so why not do it right?). I am expecting to have maybe ten or so of these compilations by the time I am done. I realized the need phor some phorm of organization of this sort of inphormation when I came across phour meg of shit like this. Out of that phour meg, two meg was totaly redundant, one meg was corrupted to the point of not being able to read it, and of the other meg, everything that was actually usephul was scattered everywhere in bits and pieces. Now I personally am a strong proponant of peacephul world Anarchy, but I would really rather not try to make something phun like nitroglycerin (to use something extremely dangerous that I saw phrequently in all that shit) without having a complete set of instructions. Whenever it was possible, I have given credit to the author of the original article, although I phound many articles which were the same, word phor word, but with dipherent authors, phorcing me to chose one of them. Sorry if I chose wrong. The compiler of this phile apologizes to the authors of the articles within phor any alterations done to their documents. This was unavoidable, as most of these texts were nearly unreadable by the time I got them. I assume this is due to various changes made by people who had been in possesion of them bephore me, and to the slow corruption of the data as it was sent over innumerable fone lines phrom modem to modem. To avoid the phurther corruption of this very usephul inphormation, I would ask two things: 1. That any comments, notes, additions, etc. be placed at the very end of this phile, not just stuck wherever you pheel like it. I have put a sample addition in at the end of this file for convenience. Please leave: - Your name (your phake name that would be used phor BBS' and such, not your real name) - The date - Where you can be reached (BBS' etc.) - The inphormation you wish to leave 2. That any random corruptions phound while reading (such as the word "TELEPHONE" appearing as "TELEPH´NE") are phixed (I'm sure that some smartass will be tempted to phix the example I have just given. Please don't). Thank you phor your cooperation in this matter. Please give this phile to whoever you can, knowing that it will probably have grown substantially by the next time you phind it. Also, when you do phind it again, and it is a newer version than you have, delete the older version and only distribute the newer one. - Nocturnal Phoenix ------------------------------------------------------------------------------ )()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()( )( How To Listen In On Cordless Telephone Conversations )( )( )( )( An Original 'Phile' By: Beowulf )( )( )( )( Call The Outhouse BBS 201-756-9575 )( )( )( )()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()( Have you ever wanted to know what your brother/sister/parents/ friends/enemies were saying as they hid somewhere, cordless phone in hand? With this phile, now you can! Just follow the simple instructions outlined inside. First some information about cordless telephones: The original cordless telephones (1978-about late 1983) were made to be used on the 1.6 to 1.8 MHz band. If you will notice, 1.6 MHz is also the top end of the AM broadcast band. These phones operate on AM (just like the radio stations) and use the wiring in your house for an antenna. The power of these phones is 1/10 of a watt in most cases, or about 1/50th of the power that your average CB radio will put out. So, not having a lot of power, it is tough to hear these phones. You know how they say '500 foot range'? Sure, that's the range of the handset to the base, but not of the signals emitted by the base! Which means that on good nights you can hear them for many miles (I live in NJ an have heard telephones VERY loudly from NY City, 35 MILES away!). The newer phones, however, are not as easy to hear. They operate on FM on the 49 MHz band, which is the same frequency which your little walkie-talkies that you loved as a ten year old operate on. These phones require a little bit more effort to be heard than do the old ones (and a little $$$). Never fear, however, because about 1 out of 10 phones is the old style, and they are still being made and sold today. How To Do It: For the old style phones, you will need to get a pocket size AM transistor radio. The one I used was an AM/FM Realistic (bought for $9 at Radio Shack). There should be a small plastic box inside the radio. This little 'box' is the VFO (Variable Frequency Oscillator) which controlls the frequency of the radio. Now of course, you aren't going to have a digital frequency counter (they only cost $400, so everyone should have at least two of them) so before you do anything, turn on the radio and tune to the top of the band and find the station which is closest to the top of the broadcast band. Write down the frequency so you have something to compare to later. Now, turn off the radio, get a small size screwdriver, and adjust the small screw(s) on the back of the little plastic box. Don't turn them more than a quarter turn at a time. Now, when you have done your first 'tweak' of the screws, turn on the radio and see where that station at the top of the band is now on the frequency dial. When you have gotten the station 150-200 kHz down from where it was, (like if the frequency was 1600, get it down between 1400 and 1450), you are all set to recieve cordless telephones at the top end of the radio! Note: this little 'trick' may not work as well on all radios, but it is worth a try. If worse comes to worse, you can turn them back. The ideal distance is a close to the base as you can get, but this sucker should pull in signals from up to 500 feet away with no problem. Simply go near someones house with this, and then have fun! Another way: Another way to do this, if the VFO adjustment trick does'nt work, is to adjust the small metal boxes that have little colored screws in them. These are the tuning coils for the reciever circuit, and they affect the frequency also. Another possibility is a combination of turning the VFO screws and the coils to try to get the desired effect. Good Luck! Now for the tough ones, the new phones. The new phones work on the 49 MHz band. You are going to need one of the 'new' walkie talkies that operate on 49 MHz ===- FM -=== (the cheap shit ones are AM). If you decide to invest in one at Radio Shack or similar store, make damn sure you get FM walkie talkies. If you get AM, you're screwed, unless you have a friend who is killer into electronics or ham radio who has the knowledge to convert AM to FM. (Yes, it can be done. I have done it with CB's, and it is great for CB because no one can understand what you are saying unless they have a FM-converted CB.....Hmm.....that may be my next text phile...look for it!!) Anyway.....when you get your FM walkie talkie, you can do one of two things: A) You can play the adjust the coils trick as mentioned in the last article (there is no VFO because walkie talkies are crystal controlled). B) You can change the crystal. Popular frequencies for cordless phones are 49.830, 49.860 and 49.890 MHz. These crystals can be obtained from electronic supply houses (like ones that sell chips for your Apple) for about $2 or less each. And that just about concludes this phile. There are two other shortcut methods that can be used to bypass this mess and get you listening in right away. 1) Get a general coverage receiver. They cover all frequencies from 100 kHz to 30 MHz, and will provide you with 'armchair' reception because you can hook up a monster antenna. (I have a 1964 vintage model that I got for $10 sitting on my desk with a 600 foot long piece of wire for an antenna....boy, I know everything in my neighborhood before the ladies start gossiping!) 2) If you play guitar or bass, and have a 'wireless' system for your guitar like the Nagy 49R, you can hook up a 12 volt lantern battery and go prowling around listening for the phones. (Bass rules!) Method 1 only works on the old phones because of the frequency limitations of the reciever, and method 2 is for new phones only because the 'wireless' systems only work on 49 MHz FM. Have phun with your new knowledge, and look for more philes from me in the future (that CB FM is a good idea.....hmmmm...) ------------------------------------------------------------------------------ The basics of phone anarchy This phile will teach you the basics of Phucking people up with simple eletronic telephone terrorism! 1) Silent Phone Killer This is a device , easy to make, that will take a persons phone off the hook WITHOUT that phucking Alert noise!! 1) Aquire a wall mount, NOT FLUSH MOUNT, phone jack block. This is a square box about 2" X 2" X 1/2" and has a modular jack in the middle (or about). 2) Get a peice of thin wire (not unlike that used in the box) 3) Run the wire from the red to the green terminals as so to connect them. Then Recover the box. . SIMPLE HUH?! 4) Now, Plug this baby into the wall via a telephone type wire with a modular plug at each end. ZAP. . Until the device is deteted and removed, it will do 2 things: a) Put the circut off hook. b) MUTE all other phone devices in the house by drawing all the phone line current. So it they pick up the phone to try to dial, even IF the alert tone is on, it will not be herd on the phone. __________________________ Diag. # 1 I I I MODULAR #### I I PLUG -->#### I I / \ I I |/ \| I I =|============|=WIRE I I | | I I RED GREEN I -------------------------- 2) Loss of hearing!!! This one will make the victim HARD of HEARING. 1) Take a medium strength resistor. 2) Go outside their house. Open the phone connection Box on the side of their house. Wire the resistor in between the red in from the streen and the red going to the home. HEHEHEHE. this will reduce audio, along with causing nemerous other SMALL bugs.... Diag. # 2 --------------------------- I___________ I I I I MODULAR --->####-----I -----^^^-R I PLUG I ####-----I ---------G I I \ \------I-\________Y I I \----- I-\________B I ^^^ = RESISTOR I I I I I I --------------------------- (THIS IS WHAT MOST MODERN ONES LOOK LIKE) (CHECK YOU TARGETS HOME FOR EXACT LAYOUT) Well, That should keep ya busy ------------------------------------------------------------------------------ Making your own test set So, you want a lineman's test set, but are too scared to steal one and don't want to pay $200.00 for one. Well, this file will tell you how. You will need : 3 aligator clips. (The extra for if you screw up one) 1 ONE PEICE phone (the kind you set down on a table to hang up) Optional: 1 wall mount phone jack (For noise-less conecting) Ok. Now you have your shit, what do you do? 1. slice off the modular plug off the phone. KEEP THE PHONE CORD LONG!! 2. expose about 1/2 an inch of the conductor of the RED and GREEN wires. 2a If there is an black and yellow wire on the phone cord, cut them down to get them out of the way. You don't need them 3. Attach the alligator clips to the exposed wires (Try to color cordnate the clips so you know what is green and what is red) easy huh? ____phone here is s diagram: / / ####################################### red # # / # # # # # # ### #==================------==\= \___Clips # # # # # # ### #==================------==\= / # # # # # # \ ####################################### green Optional modifications: 1) Keep the phone intact. use the wall mount phone outlet and a peice of 2 conductor wire (or phone cord type wire). Attach the wire to the block, and attach the clips to the wire as shown above. 2) If you have a little money and the phone line to tap has a close by AC outlet, use a cordless phone insted of the regular one. This allows for you to be away from the base and still use the target line. Try to get a phone that uses CH 10. This ,I have found, is the clearest signal. Here is a diagram of the box method: box / _____________ / red | | / | __ |---------------===\= | |__| |---------------===\= | | \ |_____________| green ------------------------------------------------------------------------------ OoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoO oO Oo Oo Building a Diverter Box oO oO Designed by: Oo Oo Digital Deviant oO oO Oo OoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOo 5/12/91 oOoO Does the Menace of ESS have you down?Tired of worrying about getting nabbed everytime you phreak?Well then the Diverter Box is for you.A few years back I got plans for a box called the Gold Box.Most hackers soon found out that the Gold Box did not work after trying to construct it.The Gold Box design was totally fucked.I still see the plans on many boards to this day.Even though they don't work.But it is those plans inspired me to design the Diverter Box. The construction is fairly simple and cheap.You can get all of the needed parts at your local Radio shack. PARTS NEEDED: =QTY=========ITEM====================================CAT NO======PRICE======= 3 SPDT MICROMINIATURE PC RELAY 275-240 $1.99 EACH 2 NEON LAMPS 272-1100 $ .89 EACH 2 PHOTOCELLS 276-1657 $1.98 FOR 5 1 200V SILICON CONTROLLED RECTIFIER (SCR) 276-1067 $ .99 1 1:1 AUDIO TRANSFORMER 273-1374 $3.59 1 9V BATTERY SNAP CONNECTOR 270-325 $1.19 FOR 5 1 9V BATTERY - SOME WIRE, ELEC TAPE AND SOLDER ============================================================================= CONSTRUCTION/ PLANS: Ok,take the Neon Lamps and the Photocells and tape them together with the electrical tape or any tape that will not allow light in.Tape them together so that the Neon Lamp will shine directly on the photocell.Make sure that no light can get in.Ok,now you will have two separate Optocouplers.In the plans they will be labeled MOC1,and MOC2.It would be best to print the plans out, so you can see the whole thing at one time. BLACK RED ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ³ AUDIO ³ Connect Wires to FONE #1 ³ TRANSFORMR³ Connect Wires to FONE #2 ÄÄÄÄÄÄÄÄÄÄÄÄ¿ ÃÄÄÄÄÄÄÄÄÄÄÄ´ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ WHITE ³ W³ ÚÄÄÙ ³ YELLOW ³ H³ ³Y ³ ³ IÀÄÄÄ¿ ³E ³ ³ T ³ ³L ³ ³ E ³ ³L ³ ³ ÚÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ ³W ÚÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ ÀÄÅÄoNO NCo ³ ³ ÀÄÄÅÄoNO NCo ³ ³ ÚÄÄÅÄo COIL oÄÅÄÄijÄÄÄÄÄÄÄÅÄo COIL oÄÅijÄÄÄÄÄÄÄÄ¿ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ + ³ ³ ³ o COM oÄÅÄÄÄÙ ³ o COM oÄÅÄÙ ³ ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÄÄÙ ³ ³ RELAY #1 RELAY #2 ³ - NEGATIVE ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ÀÄÄÄÂÄÄÄÄÄÄÄÄ¿ ÚÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ ³ 9V ³ ³ oNO NCoÄÅÄÙ ³ BATTERY³ ÚÄÄÄÄÅÄo COIL oÄÅÄÄÄ¿ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ÚÄÁÄÄÄÄÄÄÄÄÙ ³ ³ ³ ³ ³ ÚÄÄÄÄÄÄÄÄÄÄÄ¿ ³ ³ + POSITIVE ³ ³ ³ ³ ³ ³ ÚÄoÄ¿ ³ ³ ³ ³ ³ o COM oÄÅÄÄÄ+ÄÄÄÄÄÄÄÄÙ ³ SCR ÃÄÄÄ´ ³ ³ À¿ ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÙ ³ ÃÄÂÄ´ ³ ³ ³ ³ RELAY #3 ³ ³ ³ ³ ³ ³ ³ ³ - ³ 1 2 3ÄÙ ³ ³ ³ Connect wire to the ³ ³ ³ ³ ³ ³ ³ NEGATIVE terminal on³ ³ ÀÄÄÄÄÄÄÄÄÙ ³ ³ Battery ³ ³ ³ ³ ³ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄ+ ³ ³ ³ ³ ³ ³ PHOTOCELL ³ ³ ³ ³ LEADS ÀÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ ÃÄÄÄÄÄÄÄ´ ³ ³ ³ MOC1 ³ ³ ³ PHOTOCELL ÃÄÄÄÄÄÄÄ´ ³ ³ LEADS ³Connect³ NEON LAMP ³ ³ ³ to ³ LEADS ³ ³ ³FONE #3³ ÃÄÄÄÄÄÄÄ´ ³ ³ ³ MOC1 ³ ÃÄÄÄÄÄÄÄ´ ³Connect³ NEON LAMP ³ to ³ LEADS ³FONE #1³ ³ ³ USAGE/ TIPS: You can probably find a better way to connect everything.I just drew the schematics like that so they would be easy to understand.In the areas where a wire crosses over another wire DO NOT connect them, UNLESS there is a "+" sign where the wires cross.Now solder all the shit together.The polarity on the Fone lines doesn't matter.So you won't have to spend time and frustration trying to get the proper polarity connections.As you may have noticed you will need three fone lines.FONE #1 will be the number you call to get a dial tone. FONE #2 is the fone line that you will be dialing out from.You will call FONE #3 to disconnect FONE #1 and FONE #2,in other words you will call this number to cause them to hang up.If you know anything about electronics you could hook up a tone detecting chip that would activate RELAY #3 when a certain tone is played.This would cause the fones to hang up.FONE #2 MUST be a regular fone line.FONE #1 and FONE #3 can be a Pay Fone Line or a regular Fone Line. A good place to hook this up would be at a Jiffy that has two pay fones.But you would not be able to use your box until they close.Your best bet would be to hook it up at a big hotel or motel.They have plenty of pay fones.You may have to run some wire to connect to their PBX,but it can be done.After you've got the device hooked up ANI Fone #1 and Fone #3...Now your all set.Dial with care, but dial any where.Have phun! DISCLAIMER: This file is for INFORMATIONAL Purposes ONLY.The Diverter Box is not to be used in any illegal manner(Yeah, thats it).I do NOT take any responsibility for your actions! ------------------------------------------------------------------------------ HOW TO BUILD A BLACK BOX ------------------------ A BLACK BOX IS A DEVICE THAT IS HOOKED UP TO YOUR FONE THAT FIXES YOUR FONE SO THAT WHEN YOU GET A CALL, THE CALLER DOESN'T GET CHARGED FOR THE CALL. THIS IS GOOD FOR CALLS UP TO 1/2 HOUR, AFTER 1/2 HOUR THE FONE CO. GETS SUSPICOUS, AND THEN YOU CAN GUESS WHAT HAPPENS. THE WAY IT WORKS: WHAT THIS LITTLE BEAUTY DOES IS KEEP THE LINE VOLTAGE FROM DROPPING TO 10V WHEN YOU ANSWER YOUR FONE. THE LINE IS INSTEAD KEPT AT 36V AND IT WILL MAKE THE FONE THINK THAT IT IS STILL RINGING WHILE YOU'RE TALKING. THE REASON FOR THE 1/2 HOUR TIME LIMIT IS THAT THE FONE CO. THINKS THAT SOMETHING IS WRONG AFTER 1/2 AN HOUR OF RINGING. ALL PARTS ARE AVAILABLE AT RADIO SHACK. USING THE LEAST POSSIBLE PARTS AND ARANGEMENT, THE COST IS $0.98, AND THAT IS PARTS FOR TWO OF THEM! TALK ABOUT A DEAL! IF YOU WANT TO SPLURGE THEN YOU CAN GET A SMALL PC BOARD, AND A SWITCH. THERE ARE TWO SCHEMATICS FOR THIS BOX, ONE IS FOR MOST NORMAL FONES. THE SECOND ONE IS FOR FONES THAT DON'T WORK WITH THE FIRST. IT WAS MADE FOR USE WITH A BELL TRIMLINE TOUCH TONE FONE. ** SCHEMATIC 1 FOR MOST FONES ** ** LED ON: BOX ON ** PARTS: 1 1.8K 1/2 WATT RESISTOR 1 1.5V LED 1 SPST SWITCH YOU MAY JUST HAVE TWO WIRES WHICH YOU CONNECT TOGETHER FOR THE SWITCH. FROM >--------------------GREEN-> TO LINE >--! 1.8K LED !---RED--> FONE !--/\/\/\--!>--! ! ! ------>/<------- SPST ** SCHEMATIC 2 FOR ALL FONES ** ** LED ON: BOX OFF ** PARTS: 1 1.8K 1/2 WATT RESISTOR 1 1.5V LED 1 DPST SWITCH FROM >---------------GREEN-> TO LINE >------- ---RED--> FONE ! LED ! -->/<--!>-- ! ! ---/\/\/--- 1.8K HERE IS THE PC BOARD LAYOUT THAT I RECOMMEND USING. IT IS NEAT AND IS VERY EASY TO HOOK UP. SCHEMATIC #1 SCHEMATIC #2 ************** **************** * * * ------- * * ----- * * ! ! * * ! ! * * ! * * RESISTOR ! * * ! ! ! * * ! ! * * ! ! / * * -------- ! * * ! ! \ * * ! ! * * ! ! / * * --SWITCH-- * * ! ! \ * * ! ! * * ! ! / * L * ! ! * F L * ! ! ! * F I>RED- -RED>O I>RED- ---RED>O N>-----GREEN---->N N>-----GREEN------>N E * H * E E * * E ************** **************** ONCE YOU HAVE HOOKED UP ALL THE PARTS, YOU MUST FIGURE OUT WHAT SET OF WIRES GO TO THE LINE AND WHICH GO TO THE FONE. THIS IS BECAUSE OF THE FACT THAT LED'S MUST BE PUT IN IN A CERTAIN DIRECTION. DEPENDING ON WHICH WAY YOU PUT THE LED IS WHAT CONTROLS WHAT WIRES ARE FOR THE LINE & FONE. HOW TO FIND OUT: HOOK UP THE BOX IN ONE DIRECTION USING ONE SET OF WIRES FOR LINE AND THE OTHER FOR FONE. *NOTE* FOR MODEL I SWITCH SHOULD BE OFF. *NOTE* FOR MODEL ][ SWITCH SHOULD BE SET TO SIDE CONNECTING THE LED. ONCE YOU HAVE HOOKED IT UP, THEN PICK UP THE FONE AND SEE IF THE LED IS ON. IF IT IS, THE LED WILL BE LIT. IF IT DOESN'T LIGHT THEN SWITCH THE WIRES AND TRY AGAIN. ONCE YOU KNOW WHICH ARE WHICH THEN LABEL THEM. *NOTE* IF NEITHER DIRECTIONS WORKED THEN YOUR SWITCH WAS IN THE WRONG POSITION. NOW LABLE THE SWITCH IN ITS CURRENT POSITION AS BOX ON. HOW TO USE IT: THE PURPOSE OF THIS BOX IS TO PEOPLE WHO CALL YOU SO IT WOULD MAKE SENCE THAT IT CAN ONLY BE USED TO RECEIVE! CALLS. WHEN THE BOX IS *ON* THEN YOU MAY ONLY RECIEVE CALLS. YOUR PHONE WILL RING LIKE NORMAL AND THE LED ON THE BOX WILL FLASH. IF YOU ANSWER THE FONE NOW, THEN THE LED WILL LIGHT AND THE CALLER WILL NOT BE CHARGED. HANG UP THE FONE AFTER YOU ARE DONE TALKING LIKE NORMAL. YOU WILL NOT BE ABLE TO GET A DIAL TONE OR CALL WHEN THE BOX IS ON, SO TURN THE BOX *OFF* FOR NORMAL CALLS. I DON'T RECOMMEND YOU DON'T WANT IT TO ANSWER WHEN MA BELL CALLS! ------------------------------------------------------------------------------ From : THE PHREAKER'S HANDBOOK Issue #1, Volume 1 July 3, 1989 By DOCTOR DISSECTOR aqua box - A box designed to drain the voltage of the FBI lock-in- trace/trap-trace so you can hang up your fone in an emergency and phrustrate the Pheds some more. The apparatus is simple, just connect the two middle wires of a phone wire and plug, which would be the red and green wires if in the jack, to the cord of some electrical appliance; ie, light bulb or radio. KEEP THE APPLIANCE OFF. Then, get one of those line splitters that will let you hook two phone plugs into one jack. Plug the end of the modified cord into one jack and your fone into the other. THE APPLIANCE MUST BE OFF! Then, when the Pheds turn their lame tracer on and you find that you can't hang up, remove your fone from the jack and turn the appliance ON and keep it ON until you feel safe; it may be awhile. Then turn it off, plug your fone back in, and start phreaking again. Invented by: Captain Xerox and The Traveler. beige box - An apparatus that is a home-made lineman's handset. It is a regular fone that has clips where the red and green wires normally connect to in a fone jack. These clips will attach to the rings and tips found in many of MA's output devices. These are highly portable and VERY useful when messing around with cans and other output devices the fone company has around. Invented by: The Exterminator and The Terminal Man. black box - The infamous box that allows the calling party to not be billed for the call placed. We won't go in depth right now, most plans can be found on many phreak oriented BBS's. The telco can detect black boxes if they suspect one on the line. Also, these will not work under ESS. bleeper boxes - The United Kingdom's own version of the blue box, modified to work with the UK's fone system. Based on the same principles. However, they use two sets of frequencies, foreword and backwards. Blotto box - This box supposedly shorts every fone out in the immediate area, and I don't doubt it. It should kill every fone in the immediate area, until the voltage reaches the fone company, and the fone company filters it. I won't cover this one in this issue, cuz it is dangerous, and phreaks shouldn't destroy MA's equipment, just phuck it up. Look for this on your phavorite BBS or ask your phavorite phreak for info if you really are serious about seriously phucking some fones in some area. blue box - An old piece of equipment that emulated a true operator placing calls, and operators get calls for free. The blue box seizes an open trunk by blasting a 2600 Hz tone through the line after dialing a party that is local or in the 800 NPA so calls will be local or free for the blue boxer. Then, when the blue boxer has seized a trunk, the boxer may then, within the next 10-15 seconds, dial another fone number via MF tones. These MF tones must be preceded by a KP tone and followed with a ST tone. All of these tones are standardized by Bell. The tones as well as the inter- digit intervals are around 75ms. It may vary with the equipment used since ESS can handle higher speeds and doesn't need inter-digit intervals. There are many uses to a blue box, and we will not cover any more here. See your local phreak or phreak oriented BBS for in depth info concerning blue boxes and blue boxing. Incidentally, blue boxes are not considered safe anymore because ESS detects "foreign" tones, such as the 2600 Hz tone, but this detection may be delayed by mixing pink noise of above 3000 Hz with the 2600 Hz tone. To hang up, the 2600 Hz tone is played again. Also, all blue boxes are green boxes because MF "2" corresponds to the Coin Collect tone on the green box, and the "KP" tone corresponds to the Coin Return tone on the green box. See green box for more information. Blue boxing is IMPOSSIBLE under the new CCIS system slowly being integrated into the Bell system. blue box tones - The MF tones generated by the blue box in order to place calls, emulating a true operator. These dual tones must be entered during the 10-15 second period after you have seized a trunk with the 2600 Hz tone. 700: 1 : 2 : 4 : 7 : 11 : KP= Key Pulse Parallel Frequencies 900: ** : 3 : 5 : 8 : 12 : ST= STop 2= Coin Collect 1100: ** : ** : 6 : 9 : KP : KP2= Key Pulse 2 KP= Coin Return 1300: ** : ** : ** : 10 :KP2 : **= None (green box tones) 1500: ** : ** : ** : ** : ST : : 900:1100:1300:1500:1700: 75ms pulse/pause bridge - I don't really understand this one, but these are important phreak toys. I'll cover them more in the next issue of TPH. busy box - Box that will cause the fone to be busy, without taking it OFF-HOOK. Just get a piece of fone wire with a plug on the end, cut it off so there is a plug and about two inches of fone line. Then, strip the wire so the two middle wires, the tip and the ring, are exposed. Then, wrap the ring and the tip together, tape with electrical tape, and plug into the fone jack. The fone will be busy until the box is removed. cheese box - Another type of box which, when coupled with call forwarding services, will allow one to place free fone calls. The safety of this box is unknown. See references for information concerning text philes on this box. clear box - Piece of equipment that compromises of a telephone pickup coil and a small amp. This works on the principal that all receivers are also weak transmitters. So, you amplify your signal on PP fortress fones and spare yourself some change. diverter - This is a nice phreak tool. What a diverter is is a type of call forwarding system done externally, apart from the fone company, which is a piece of hardware that will foreword the call to somewhere else. These can be found on many 24 hour plumbers, doctors, etc. When you call, you will often hear a click and then ringing, or a ring, then a click, then another ring, the second ring often sounds different from the first. Then, the other side picks the fone up and you ask about their company or something stupid, but DO NOT ANNOY them. Then eventually, let them hang up, DO NOT HANG UP YOURSELF. Wait for the dial tone, then dial ANI. If the number ANI reads is different from the one you are calling from, then you have a diverter. Call anywhere you want, for all calls will be billed to the diverter. Also, if someone uses a tracer on you, then they trace the diverter and you are safe. Diverters can, however, hang up on you after a period of time; some companies make diverters that can be set to clear the line after a set period of time, or click every once in a while, which is super annoying, but it will still work. Diverters are usually safer than LD extenders, but there are no guarantees. Diverters can also be accessed via phortress fones. Dial the credit operator and ask for the AT&T CREDIT OPERATOR. They will put on some lame recording that is pretty long. Don't say anything and the recording will hang up. LET IT HANG UP, DO NOT HANG UP. Then the line will clear and you will get a dial tone. Place any call you want with the following format: 9+1+NPA+Nxx+xxxx, or for local calls, just 9+Nxx+xxxx. I'd advise that you call ANI first as a local call to make sure you have a diverter. green box - Equipment that will emulate the Coin Collect, Coin Return, and Ringback tones. This means that if you call someone with a fortress fone and they have a green box, by activating it, your money will be returned. The tones are, in hertz, Coin Collect=700+1100, Coin Return=1100+1700, and Ringback=700+1700. However, before these tones are sent, the MF detectors at the CO must be alerted, this can be done by sending a 900+1500 Hz or single 2600 Hz wink of 90ms followed by a 60ms gap, and then the appropriate signal for at least 900ms. gold box - This box will trace calls, tell if the call is being traced, and can change a trace. grey box - Also known as a silver box. See silver box. output device - Any type of interface such as cans, terminal sets, remote switching centers, bridging heads, etc., where the fone lines of the immediate area are relayed to before going to the fone company. These often are those cases painted light green and stand up from the ground. Most of these can be opened with a 7/16 hex driver, turning the security bolt(s) 1/8 of an inch counter-clockwise, and opening. Terminals on the inside might be labeled "T" for tip and "R" for ring. Otherwise, the ring side is usually on the right and the tip side is on the left. purple box - This one would be nice. Free calls to anywhere via blue boxing, become an operator via blue box, conference calling, disconnect fone line(s), tap fones, detect traces, intercept directory assistance calls. Has all red box tones. This one may not be available under ESS. rainbow box - An ultimate box. You can become an operator. You get free calls, blue box. You can set up conference calls. You can forcefully disconnect lines. You can tap lines. You can detect traces, change traces, and trace as well. All incoming calls are free. You can intercept directory assistance. You have a generator for all MF tones. You can mute and redial. You have all the red-box tones. This is an awesome box. However, it does not exist under ESS. red box - Equipment that will emulate the red box tone generated for coin recognition in all phortress fones. red box tones - Tones that tell the phortress fone how much money was inserted in the fone to make the required call. In one slot fones, these are beeps in pulses; the pulse is a 2200+1700 Hz tone. For quarters, 5 beep tones at 12-17 PPS, for dimes it is 2 beep tones at 5-8.5 PPS, and a nickel causes 1 beep tone at 5-8.5 PPS. For three slot fones, the tones are different. Instead of beeps, they are straight dual tones. For a nickel, it is one bell at 1050-1100 Hz, two bells for a dime, and one gong at 800 Hz for a quarter. When using red box tones, you must insert at least one nickel before playing the tones, cuz a ground test takes place to make sure some money has been inserted. The ground test may be fooled by the Paper Clip Method. Also, it has been known that TSPS can detect certain red box tones, and will record all data on AMA or CAMA of fraudulent activity. ring - The red wire found in fone jacks and most fone equipment. The ring also is less positive than the tip. When looking at a fone plug on the end of typical 4 wire fone line from the top, let's say the top is the side with the hook, the ring will be the middle-right wire. Remember, the ring is red, and to the right. The three "R's" revived! silver box - Equipment that will allow you to emulate the DTMF tones A,B,C,D. The MF tones are, in hertz, A=697+1633, B=770+1633, C=852+1633, D=941+1633. These allow special functions from regular fones, such as ACD Testing Mode. switchhook - The button on your fone that, when depressed, hangs the fone up. These can be used to emulate rotary dial fones if used correctly. tip - The green wire found in fone jacks and most fone equipment. The tip is the more positive wire compared to the ring. When looking at a fone plug from the top, lets say the hook side is the top, the tip will be the middle wire on the left. white box - This is a portable DTMF keypad. ------------------------------------------------------------------------------ High Tech Revenge: The Beigebox by The BHU The beigebox is simply a consumer lineman's handset which is a phone that can be attached to the outside of a person's house. To fabricate a beigebox follow along. Making a beigebox: Obtain an old phone and cut off the plug on the end. Solder an alligator clip onto the red wire and the green wire. Now imagine the possibilities: a $2000 dollar phone bill for that special person 976 numbers galore even harassing the operator at no risk to you! Think of it as walking into an enemies house and using their phone to your heart's content. Connecting the beigebox: Look on the outside of your victim's house taking note of any wires leading from a telephone pole to the exterior of their house. Follow the wires and find where they connect. The telephone wire should be black and about the width of your small finger. You do NOT want the 220 volt house current unless you like having a permanent orange afro. When the telephone wire connects to the victim's house it should run down their wall and into a small beige or grey box. Some boxes have a bolt in the dead center and some have even gone as far as to have a lock (smashing them open is no problem). Now you must open the box and observe: you should see three bolts each with wires attached. Connect the two alligator clips to the two outside bolts and then you should get a dial tone. If you do not get a dial tone experiment with the connections. By the way don't worry about getting electrocuted; there is not enough power in the phone lines to harm you. After placing a few phone calls if you really want to get even pull all the wires out of the box. This will result in about a $100 dollar service charge for your enemy. Use your imagination! ------------------------------------------------------------------------------ P/HUN Newsletter #1 Phile 1.8 of 1.14 -=-=<* Red and Green boxes revived *>=-=- --------------------------- By: Pink Panther Probably most of the information I am about to tell you, you probably already know or have it stored somewhere. But I have seen quite a lot of questions on the subject lately, and thought to explain a couple of things. Blue boxing has been dead for quite some time since everything went to ESS, and the same with black boxing. The latest form of boxing is red and green boxing. They both deal with fortress phones and can only be used with a fortress phone. With a red box, you dial a number at a fortress, insert a nickel, which is the ground check, and play the tape. It will emulate coins being dropped into the fortress. Since there is also questions on what are and how to get these tones, I've created a simple step process: 1) Obtain a recorder that you can directly hook into a fone line. If you use a regular recorder, you will need some modification on it. If you have an answering machine, then you have it made. 2) Find a fortress, and follow the metal pipe (usually metal) from the fortress to where ever it ends up. At somepoint on the pipe, there will be a small box which is held together by two screws. Unscrew the box. 3) You now should find two bolts with wires connected to them. The wires are 22 gauge (which is fairly thin wire). If you see thicker wires, such as 12 gauge wires, these are 220 volt AC lines, usually connected to the light in the phone booth. Do not touch the AC lines, unless you are stupid. Connect the tape recorder to the proper bolts, which means the 22 gauge wire. 4) Now dial a long distance fone number, and you will get a recordering to insert some money. Insert about $6.00 in quarters, then hang up and your money will be returned. The tones should have been recorded with a normal tape with no dolby. 5) Obtain a recorder with a built in speaker, or rip apart a phone set and obtain the earpiece. If there is a diode across the earpiece, remove it. Connect the earpiece to the output of the recorder. (I recommend using an earpiece rather than a built in speaker). 6) To test your tones, dial 0-959-1230 from a fortress, and you should get 'Coin Test ... Please Deposit ... .' Play back the tones you recorded and if everything goes well, you should hear 'Quarter' everytime a tone is played. Remember you only recorded quarter tones. You can record any tones you want by inserting different coins at the recording stage. If you are having problems, try adjusting the volume. 7) To use, dial a non-local number, insert a real nickel, and play the tones. Make sure you have enough tones on the recorder to complete the call. Now I will explain a little about what exactly happens when you deposit coins. When you deposit a coin, it goes through a series of tests, determining what type of coin it is. It will be deposited in various coin slots within the fortress itself if everything goes right. But before it is deposited in the right slot it will cause a wheel to be turned. A nickel will turn the wheel once, a dime twice, and quarter five times. This will cause a frequency to be generated which is sent to a operator or computer. A capacitor is placed across the speech circuit while these tones are generated so that the customer does not here them. Here are the tones and PPS (pules per second): Nickel: 1 beep 5-8.5 PPS Dime: 2 beeps 5-8.5 PPS Quarter: 5 beeps 12-17 PPS A green box allows the caller on the fortress to get his money back. It will generate the tones for coin collect, coin return, and ringback. This is basically what an operator uses. A green box cannot be used on a fortress, but must be used by the called party. An operator release signal must be sent before any tones from the green box are sent. This contains of a 2600hz tone for 90ms, then 60ms silence, then 2600hz for 900ms. This all must be done within the three minute collect period. Anyway, here are the tones: Ringback: 700hz+1700hz Coin Return: 1100hz+1700hz Coin Collect: 700hz+1700hz I hope this has enlighted the few without such knowledge. If you are confused, then don't phuck with this stuff, and get out of phreaking. ------------------------------------------------------------------------------ ==Phrack Inc.== Volume Three, Issue 25, File 7 of 11 ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ The Blue Box And Ma Bell ^*^ ^*^ ^*^ ^*^ Brought To You by The Noid ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ "...The user placed the speaker over the telephone handset's transmitter and simply pressed the buttons that corresponded to the desired CCITT tones. It was just that simple." THE BLUE BOX AND MA BELL ~~~~~~~~~~~~~~~~~~~~~~~~ Before the breakup of AT&T, Ma Bell was everyone's favorite enemy. So it was not surprising that so many people worked so hard and so successfully at perfecting various means of making free and untraceable telephone calls. Whether it was a BLACK BOX used by Joe and Jane College to call home, or a BLUE BOX used by organized crime to lay off untraceable bets, the technology that provided the finest telephone system in the world contained the seeds of its own destruction. The fact of the matter is that the Blue Box was so effective at making untraceable calls that there is no estimate as to how many calls were made or lost revenues of $100, $100-million, or $1-billion on the Blue Box. Blue Boxes were so effective at making free, untraceable calls that Ma Bell didn't want anyone to know about them, and for many years denied their existence. They even went as far as strongarming a major consumer-science magazine into killing an article that had already been prepared on the Blue and Black boxes. Furthermore, the police records of a major city contain a report concerning a break-in at the residence of the author of that article. The only item missing following the break-in was the folder containing copies of one of the earliest Blue-Box designs and a Bell-System booklet that described how subscriber billing was done by the AMA machine -- a booklet that Ma Bell denied ever existed. Since the AMA (Automatic Message Accounting) machine was the means whereby Ma Bell eventually tracked down both the Blue and Black Boxes, I'll take time out to explain it. Besides, knowing how the AMA machine works will help you to better understand Blue and Black Box "phone phreaking." Who Made The Call? ~~~~~~~~~~~~~~~~~~ Back in the early days of the telephone, a customer's billing originated in a mechanical counting device, which was usually called a "register" or a "meter." Each subscriber's line was connected to a meter that was part of a wall of meters. The meter clicked off the message units, and once a month someone simply wrote down the meter's reading, which was later interpolated into message-unit billing for those subscriber's who were charged by the message unit. (Flat-rate subscriber's could make unlimited calls only within a designated geographic area. The meter clicked off message units for calls outside that area.) Because eventually there were too many meters to read individually, and because more subscribers started questioning their monthly bills, the local telephone companies turned to photography. A photograph of a large number of meters served as an incontestable record of their reading at a given date and time, and was much easier to convert to customer billing by the accounting department. As you might imagine, even with photographs, billing was cumbersome and did not reflect the latest technical developments. A meter didn't provide any indication of what the subscriber was doing with the telephone, nor did it indicate how the average subscriber made calls or the efficiency of the information service (how fast the operators could handle requests). So the meters were replaced by the AMA machine. One machine handled up to 20,000 subscribers. It produced a punched tape for a 24-hour period that showed, among other things, the time a phone was picked up (went off-hook), the number dialed, the time the called party answered, and the time the originating phone was hung up (placed on-hook). One other point, which will answer some questions that you're certain to think of as we discuss the Black & Blue boxes: Ma Bell did not want persons outside their system to know about the AMA machine. The reason: Almost everyone had complaints -- usually unjustified -- about their billing. Had the public been aware of the AMA machine they would have asked for a monthly list of their telephone calls. It wasn't that Ma Bell feared errors in billing; rather, they were fearful of being buried under any avalanche of paperwork and customer complaints. Also, the public believed their telephone calls were personal and untraceable, and Ma Bell didn't want to admit that they knew about the who, when, and where of every call. And so Ma Bell always insisted that billing was based on a meter that simply "clicked" for each message unit; that there was no record, other than for long-distance as to who called whom. Long distance was handled by, and the billing information was done by an operator, so there was a written record Ma Bell could not deny. The secrecy surrounding the AMA machine was so pervasive that local, state, and even federal police were told that local calls made by criminals were untraceable, and that people who made obscene telephone calls could not be tracked down unless the person receiving the call could keep the caller on the line for some 30 to 50 minutes so the connections could be physically traced by technicians. Imagine asking a woman or child to put up with almost an hour's worth of the most horrendous obscenities in the hope someone could trace the line. Yet in areas where the AMA machine had replaced the meters, it would have been a simple, though perhaps time-consuming task, to track down the numbers called by any telephone during a 24 hour period. But Ma Bell wanted the AMA machine kept as secret as possible, and so many a criminal was not caught, and many a woman was harassed by the obscene calls of a potential rapist, because existence of the AMA machine was denied. As a sidelight as to the secrecy surrounding the AMA machine, someone at Ma Bell or the local operating company decided to put the squeeze on the author of the article on Blue Boxes, and reported to the Treasury Department that he was, in fact, manufacturing them for organized crime -- the going rate in the mid 1960's was supposedly $20,000 a box. (Perhaps Ma Bell figured the author would get the obvious message: Forget about the Blue Box and the AMA machine or you'll spend lots of time, and much money on lawyer's fees to get out of the hassles it will cause.) The author was suddenly visited at his place of employment by a Treasury agent. Fortunately, it took just a few minutes to convince the agent that the author was really just that, and not a technical wizard working for the mob. But one conversation led to another, and the Treasury agent was astounded to learn about the AMA machine. (Wow! Can an author whose story is squelched spill his guts.) According to the Treasury agent, his department had been told that it was impossible to get a record of local calls made by gangsters: The Treasury department had never been informed of the existence of automatic message accounting. Needless to say, the agent left with his own copy of the Bell System publication about the AMA machine, and the author had an appointment with the local Treasury-Bureau director to fill him in on the AMA machine. That information eventually ended up with Senator Dodd, who was conducting a congressional investigation into, among other things, telephone company surveillance of subscriber lines -- which was a common practice for which there was detailed instructions, Ma Bell's own switching equipment ("crossbar") manual. The Blue Box ~~~~~~~~~~~~ The Blue Box permitted free telephone calls because it used Ma Bell's own internal frequency-sensitive circuits. When direct long-distance dialing was introduced, the crossbar equipment knew a long-distance call was being dialed by the three-digit area code. The crossbar then converted the dial pulses to the CCITT tone groups, shown in the attached table (at the end of this file), that are used for international and trunkline signaling. (Note that those do not correspond to Touch-Tone frequencies.) As you will see in that table, the tone groups represent more than just numbers; among other things there are tone groups identified as 2600 hertz, KP (prime), and ST (start) -- keep them in mind. When a subscriber dialed an area code and a telephone number on a rotary-dial telephone, the crossbar automatically connected the subscriber's telephone to a long-distance trunk, converted the dial pulses to CCITT tones, set up electronic cross-country signaling equipment, and recorded the originating number and the called number on the AMA machine. The CCITT tones sent out on the long-distance trunk lines activated special equipment that set up or selected the routing and caused electro-mechanical equipment in the target city to dial the called telephone. Operator-assisted long-distance calls worked the same way. The operator simply logged into a long-distance trunk and pushed the appropriate buttons, which generated the same tones as direct-dial equipment. The button sequence was 2600 hertz, KP (which activated the long-distance equipment), then the complete area code and telephone number. At the target city, the connection was made to the called number but ringing did not occur until the operator there pressed the ST button. The sequence of events of early Blue Boxes went like this: The caller dialed information in a distant city, which caused his AMA machine to record a free call to information. When the information operator answered, he pressed the 2600 hertz key on the Blue Box, which disconnected the operator and gave him access to a long-distance trunk. He then dialed KP and the desired number and ended with an ST, which caused the target phone to ring. For as long as the conversation took place, the AMA machine indicated a free call to an information operator. The technique required a long-distance information operator because the local operator, not being on a long distance trunk, was accessed through local wire switching, not the CCITT tones. Call Anywhere ~~~~~~~~~~~~~ Now imagine the possibilities. Assume the Blue Box user was in Philadelphia. He would call Chicago information, disconnect from the operator with a KP tone, and then dial anywhere that was on direct-dial service: Los Angeles, Dallas, or anywhere in the world if the Blue Boxer could get the international codes. The legend is often told of one Blue Boxer who, in the 1960's, lived in New York and had a girl friend at a college near Boston. Now back in the 1960's, making a telephone call to a college town on the weekend was even more difficult than it is today to make a call from New York to Florida on a reduced-rate holiday using one of the cut-rate long-distance carriers. So our Blue Boxer got on an international operator's circuit to Rome, Blue Boxed through to a Hamburg operator, and asked Hamburg to patch through to Boston. The Hamburg operator thought the call originated in Rome and inquired as to the "operator's" good English, to which the Blue Boxer replied that he was an expatriate hired to handle calls by American tourists back to their homeland. Every weekend, while the Northeast was strangled by reduced-rate long-distance calls, our Blue Boxer had no trouble sending his voice almost 7,000 miles for free. ...The user placed the speaker over the telephone handset's transmitter and simply pressed the buttons that corresponded to the desired CCITT tones. It was just that simple. Actually, it was even easier than it reads because Blue Boxers discovered they did not need the operator. If they dialed an active telephone located in certain nearby, but different, area codes, they could Blue Box just as if they had Blue Boxed through an information operator's circuit. The subscriber whose line was Blue Boxed simply found his phone was dead when it was picked up. But if the Blue Box conversation was short, the "dead" phone suddenly came to life the next time it was picked up. Using a list of "distant" numbers, a Blue Boxer would never hassle anyone enough times to make them complain to the telephone company. The difference between Blue Boxing off of a subscriber rather than an information operator was that the AMA tape indicated a real long-distance telephone call perhaps costing 15 or 25 cents -- instead of a freebie. Of course that is the reason why when Ma Bell finally decided to go public with "assisted" newspaper articles about the Blue Box users they had apprehended, it was usually about some college kid or "phone phreak." One never read of a mobster being caught. Greed and stupidity were the reasons why the kid's were caught. It was the transistor that led to Ma Bell going public with the Blue Box. By using transistors and RC phase-shift networks for the oscillators, a portable Blue Box could be made inexpensively, and small enough to be used unobtrusively from a public telephone. The college crowd in many technical schools went crazy with the portable Blue Box; they could call the folks back home, their friends, or get a free network (the Alberta and Carolina connections -- which could be a topic for a whole separate file) and never pay a dime to Ma Bell. Unlike the mobsters who were willing to pay a small long-distance charge when Blue Boxing, the kids wanted it, wanted it all free, and so they used the information operator routing, and would often talk "free-of-charge" for hours on end. Ma Bell finally realized that Blue Boxing was costing them Big Bucks, and decided a few articles on the criminal penalties might scare the Blue Boxers enough to cease and desist. But who did Ma Bell catch? The college kids and the greedies. When Ma Bell decided to catch the Blue Boxers she simply examined the AMA tapes for calls to an information operator that were excessively long. No one talked to an operator for 5, 10, 30 minutes, or several hours. Once a long call to an operator appeared several times on an AMA tape, Ma Bell simply monitored the line and the Blue Boxer was caught. (Now you should understand why I opened with an explanation of the AMA machine.) If the Blue Boxer worked from a telephone booth, Ma Bell simply monitored the booth. Ma Bell might not have known who originated the call, but she did know who got the call and getting that party to spill their guts was no problem. The mob and a few Blue Box hobbyists (maybe even thousands) knew of the AMA machine, and so they used a real telephone number for the KP skip. Their AMA tapes looked perfectly legitimate. Even if Ma Bell had told the authorities they could provide a list of direct-dialed calls made by local mobsters, the AMA tapes would never show who was called through a Blue Box. For example, if a bookmaker in New York wanted to lay off some action in Chicago, he could make a legitimate call to a phone in New Jersey and then Blue Box to Chicago. His AMA tape would show a call to New Jersey. Nowhere would there be a record of the call to Chicago. Of course, automatic tone monitoring, computerized billing, and ESS (Electronic Switching System) now makes that virtually impossible, but that's the way it was. You might wonder how Ma Bell discovered the tricks of Blue Boxers. Simple, they hired the perpetrators as consultants. While the initial newspaper articles detailed a potential jail penalties for apprehended blue boxers, except for Ma Bell employees who assisted a blue boxer, it is almost impossible to find an article on the resolution of the cases because most hobbyist blue boxers got suspended sentences and/or probation if they assisted Ma Bell in developing anti-blue box techniques. It is asserted, although it can't be easily proven, that cooperating ex-blue boxers were paid as consultants. (If you can't beat them, hire them to work for you.) Should you get any ideas about Blue Boxing, keep in mind that modern switching equipment has the capacity to recognize unauthorized tones. It's the reason why a local office can leave their subscriber Touch-Tone circuits active, almost inviting you to use the Touch-Tone service. A few days after you use an unauthorized Touch-Tone service, the business office will call and inquire whether you'd like to pay for the service or have it disconnected. The very same central-office equipment that knows you're using Touch-Tone frequencies knows if your line is originating CCITT signals The Black Box ~~~~~~~~~~~~~ The Black Box was primarily used by the college crowd to avoid charges when frequent calls were made between two particular locations, say the college and a student's home. Unlike the somewhat complex circuitry of a Blue Box, a Black Box was nothing more than a capacitor, a momentary switch, and a battery. As you recall from our discussion of the Blue Box, a telephone circuit is really established before the target phone ever rings, and the circuit is capable of carrying an AC signal in either direction. When the caller hears the ringing in his or her handset, nothing is happening at the receiving end because the ringing signal he hears is really a tone generator at his local telephone office. The target (called) telephone actually gets its 20 pulses-per-second ringing voltage when the person who dialed hears nothing in the "dead" spaces between hearing the ringing tone. When the called phone is answered and taken off hook, the telephone completes a local-office DC loop that is the signal to stop the ringing voltage. About three seconds later the DC loop results in a signal being sent all the way back to the caller's AMA machine that the called telephone was answered. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - CCITT NUMERICAL CODE ~~~~~~~~~~~~~~~~~~~~ Digit Frequencies (Hz) 1 700+900 2 700+1100 3 900+1100 4 700+1300 5 900+1300 6 1100+1300 7 700+1500 8 900+1500 9 1100+1500 0 1300+1500 Code 11 700+1700 for inward Code 12 900+1700 operators KP 1100+1700 Prime (Start of pulsing) KP2 1300+1700 Transit traffic ST 1500+1700 Start (End of pulsing) ------------------------------------------------------------------------------ The LOD/H Technical Journal: File #6 of 12 Volume 1, Issue 1 Released: Jan. 1, 1987 +--------------------------------+ | Building Your Own Blue Box | +--------------------------------+ | By | | Jester Sluggo | | Released: Nov. 27, 1986 | +--------------------------------+ This Blue Box is based on the Exar 2207 Voltage Controlled Oscillator. There are other ways to build Blue Boxes, some being better and some not as good, but I chose to do it this way. My reason for doing so: because at the time I started this project, about the only schematic available on BBS's was the one written by Mr. America and Nickie Halflinger. Those plans soon (in about 90 seconds) became very vague in their context with a couple in- consistencies, but I decided to "rough it out" using those plans (based on the Exar 2207 VCO) and build the Blue Box using that as my guide. During the construction of the Blue Box, I decided to type-up a "more complete and clear" set of Blue Box schematics than the file that I based mine on, in order to help others who may be trying/thinking of building a Blue Box. I hope these help. Note: You should get a copy of the Mr. America/Nickie Halflinger Blue Box plans. Those plans may be of help to anyone who may have difficulty understanding these plans. Also, these plans currently do not support CCITT. +---------------------------------+ | Why should I build a Blue Box ? | +---------------------------------+ Many of you may have that question, and here's my answer. Blue Boxing was the origin of phreaking (excluding whistling). Without the advent of Blue Boxes, I feel that some of the advances in the telecommunications industry would've taken longer to develop (The need to stop the phone phreaks forced AT+T Bell Laboratories to "step up" their development to stop those thieves!). There is no harm in building a Blue Box (except the knowledge you will gain in the field of electronics). Although there are software programs (Soft Blue Boxes) available for many micro's that will produce the Blue Box Multi-Frequency (MF) tones, they are not as portable as an actual Blue Box (you can't carry your computer to a telephone, so you must use it from home which could possibly lead to danger). Many phreaks are announcing the end of the Blue Box Era, but due to discoveries I have made (even on ESS 1A and possibly ESS 5), I do not believe this to be true. Although many people consider Blue Boxing "a pain in the ass", I consider Blue Boxing to be "phreaking in its' purest form". There is much to learn on the current fone network that has not been written about, and Blue Boxes are necessary for some of these discoveries. The gift of free fone calls tends to be a bonus. Note: Blue Boxes also make great Christmas gifts! +---------------------------------------+ | Items needed to construct a Blue Box. | +---------------------------------------+ Here is the list of items you will need and where you can get them. It may be a good idea to gather some of the key parts (the chips, and especially the potentiometers, they took about 6 months to back order through Digi-key. A whole 6 fucking months!) before you start this project. Also, basic electronics tools will be necessary, and you might want to test the circuit on a bread board, then wire-wrap the final project. Also, you will need a box of some sort to put it in (like the blue plastic kind at Radio Shack that cost around $5.00). Note: An oscilliscope should be used when tuning in the potentiometers because the Bell system allows only a 7-10% tolerance in the precision of the frequencies. Qty. Item Part No. Place --------------------------------------------------- 1 | 4 x 4 Keypad | | Digi-Key 6 | Inverter Chip | 74C04 | 32 | Potentiometer | | 1 | 4-16 Converter Chip| 74LS154 | 1 | 16 Key Decoder | 74C922 | 2 | 2207 VCO | XR2207CP | Exar Corp. 3 | .01 uf Capacitor | 272-1051 | Radio Shack 5 | .1 uf Capacitor | 272-135 | Radio Shack 2 | 1.5K Ohn Resistor | | Radio Shack 2 | 1.0K Ohm Resistor | | Radio Shack 1 | Speaker | | From an old Autovon fone. 1 | 9 Volt Battery | | Anywhere The resistors should be a +/- 5% tolerance. The speaker can be from a regular telephone (mine just happened to be from an old Autovon phone). But make sure that you remove the diode. The Potentiometers should have a 100K Ohm range (but you may want to make the calculations yourself to double check). The 9-volt battery can be obtained for free if you use your Radio Shack Free Battery Club card. The Exar 2207 VCO can be found if you call the Exar Corp. located in Sunnyvale, California. Call them, and tell them the state you live in, and they'll give the name and phone number to the distributor that is located closest to you. The 2207 will vary from about $3.00 for the silicon-grade (which is the one you'll want to use) to about $12.00 for the high-grade Military chip. Note: When you call Exar, you may want to ask them to send you the spec-sheets that gives greater detail as to the operation and construction of the chip. +-------------------+ | Schematic Diagram | +-------------------+ +--------------+ +-------------+ | 1 2 3 A | | Figure #1 | | 4 5 6 B | +-------------+ | 7 8 9 C | | Logic Side | | * 0 # D | +-------------+ ++-+-+-+-+-+-+-+ 1 | 3 | 5 | 7 | (VCC) | 2 | 4 | 6 | 8 (+5 Volts) +----+ | | | < u | | | [+] | _|_ | | | | | | | | | | \_/GND +--+-+-+-+-+-+-+-+----+ +--+----------+---+ | 2 | 11| 10| 7 | | | 14 7 | (.01C) | | 3 | 4 | 8 | 1 12+------+1 | +--||---+5 13+------+2 (*74C04*) | _|_ | | | | \_/GND | (*74C922*) | +-----------------+ +--||-+6 | |(.1C)| | _|_ | | \_/GND | 9 17 16 15 14 18| +--+--+--+--+--+---+--+ | | | | | | _|_ A B C D | GND\_/ | | | | [+] (VCC) [+] (VCC) | | | | (+5 volts) | (+5 volts) | | | | | -------+--+--+--+------------------+----------------- | 23 22 21 20 24 18+-+ +-----+12 | +--+ | | (*74LS154*) 19+-+ _|_ _|_ | | \_/ \_/GND | 1 2 3 4 5 6 7 8 9 10 11 13 14 15 16 17 | GND +--+--+--+--+--+--+--+--+--+-+--+--+--+--+--+--+----+ 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | | | | | | | | | | | | | | | | | (Connects) | +----------> +------------------------+ | (Figure 2) | +--+ +-------+ | | | | +--+-------+--+-------+---+ | 3--|>o--4 5--|>o--6 | | (Invtr.) (Invtr.) | +---------------+7 | _|_ | (*74C04*) | GND\_/ (VCC) [+]--+14 | (+5 volts) | | +-------------------------+ +-------------+ _ | Figure #2 | / | +---+-------------+----+ +----------------+ | | Tone Generation Side | _|_ | | SPKR +----------------------+ GND\_/ +---+--+---+ | | | \_| | | | | +---------------+ +-------+ | | | | | _|_ | +--+14 | | \_/GND | | (Repeat of) | | | | (First) | ----- (.1C) | | (Circuit) | ----- | | | | | | (*XR2207CP*) | | +-----------------+ | +--+6 | | | | | | | | [+]-----+-------+1 14+--+ | +---------------+ (VCC) | | +--------------------+ (+9 Volts) +----+2 | | | | 12+---------------------+ | (.01C) ----- | | _|_ | ----- | (*XR2207CP*) | \_/GND | | | | 1.5K Ohms | +----+3 11+---+---\/\Rx/\/---+--+ | | | | | _|_ | | | +---\/\Rx/\/---+ \_/GND | | | 1.0K Ohms | | 10+----+ | +-------------+6 9+----+---+ | | | 8+----+ | | | | | ----- (.1C) | | +-----------------+ ----- | +---------+ _|_ +----------+ | | Pot. GND\_/ Pot. | | | \/\/\/\/--+-----------------------\/\/\/\/ | | 1400 Hz. | 1600 Hz. | +---------+ | +----------+ | | Pot. | Pot. | | | \/\/\/\/--+----------------+------\/\/\/\/ | | 1500 Hz. | | 900 Hz. | | | | | | 14 more | | 14 More | | Potentiometers | | Potentiometers | | in this | | in this | | area left out | | area left out | | for simplicity | | for simplicity | | | | | | | | | | (Connects) | <-------------+ (Figure 1) +-------------------------+ | Multiplex Keypad System | +-------------------------+ First, the multiplex pattern used in the 4x4 keypad layout. I suggest that keys 0-9 be used as the Blue Box's 0-9 keys, and then you can assign A-D, *, # keys to your comfort (ie. * = Kp, # = St, D = 2600, and A-C as Kp1, Kp2 or however you want). Note: On your 2600 Hz. key (The D key in example above) it may be a good idea to tune in a second potentiometer to 3700 Hz. (Pink Noise). Keypad Key Assignments Multiplex Pattern +---------+ +-------------+ +------------+ | 1 2 3 A | | 1 2 3 4 | | 1 2 3 A |----Y1=8 X1=3 | 4 5 6 B | | 5 6 7 8 | | 4 5 6 B |----Y2=1 X2=5 | 7 8 9 C | | 9 10 11 12 | | 7 8 9 C |----Y3=2 X3=6 | * 0 # D | | 13 14 15 16 | | * 0 # D |----Y4=4 X4=7 +---------+ +-------------+ +------------+ | | | | X1 X2 X3 X4 +----------------------+ | Blue Box Frequencies | +----------------------+ This section is taken directly from Mark Tabas's "Better Homes and Blue Boxing" file Part 1. Frequenies (Hz) Domestic Int'l ---------------------------------- 700+900 1 1 700+1100 2 2 900+1100 3 3 700+1300 4 4 900+1300 5 5 1100+1300 6 6 700+1500 7 7 900+1500 8 8 1100+1500 9 9 1300+1500 0 0 700+1700 ST3p Code 11 900+1700 STp Code 12 1100+1700 KP KP1 1300+1700 ST2p KP2 1500+1700 ST ST 2600+3700 *Trunking Frequency* Note: For any further information about the uses or duration of the frequencies, read the Mark Tabas files. +----------------+ | Schematic Help | +----------------+ This is the Key to the diagrams in the schematic. I hope that they help more then they might hurt. _|_ \_/GND is the Ground symbol | | ---| |-- is the Capacitor symbol | | (.1C) stands for a .1 uf Capacitor (.01C) stands for a .01 uf Capacitor | ----- ----- is another Capacitor symbol | --\/\Rx/\/-- is the Resistor symbol (The 1.5K Ohm and 1.0K Ohm Resistors are at +/- 5% ) ---+ | \/\/\/\/-- is the Potentiometer symbol (The frequncies I supplied above are just examples.) --|>o-- is the Inverter symbol +------------+ | Conclusion | +------------+ This is just one way to build a Blue Box. If you choose this way, then I hope this file is adequate enough to aid you in the construction. Although these are not the best plans, they do work. This file does not tell you how to use it or what to do once it's built. For that information I mention that you read Mark Tabas's "Better Homes and Blue Boxing" files, or any other files/BBS subboards that deal with that realm. If you need help, I sluggest (thanks for that one Taran) that you ask a close friend, possibly an electronics teacher, or a phreak friend to help you. Also, if you need help or have questions or comments about this file, you can address them to me. I can be contacted through the LOD/H Technical Journal Staff account on the boards listed in the Intro, or on the few boards I call. +-------------+ ! Credentials ! +-------------+ At last, this article would not be possible without the help of the following people/places whom contributed to it in one way or another (it may not be apparent to them, but every minute bit helps). Deserted Surfer (Who helped immensly from Day 1 of this project.) (Without his help this file would not be.) Mark Tabas (For the BHBB files which inspired my interests.) Nickie Halflinger (For the original Blue Box plans I used.) Mr. America (For the original Blue Box plans I used.) Lex Luthor Cheap Shades Exar Corp. Lastly, I would like to thank the United States government for furnishing federal grants to this project. Without their financial help, I would have had to dish out the money from my own pocket (Approximately $80.00. Egads!) Jester Sluggo ------------------------------------------------------------------------------ Name - Nocturnal Phoenix Date - October 25, 1992 I can be reached on GENERIC BBS, (555)-555-5555, 1200/9600 ------------------------------------------------------------------------------