Zen and the Art of Fone Phreaking '97
by: C拊eRpHreAk and DTMF of 4matt producti0nz
b4 i get started, just remember i did not rite this phile
so you people can learn to perform telecommunications fraud!
contrary to popular belief, phreaking is still an art form.
phreaking is a form of intellectual advancement. it's just like
hacking, if u think of it this way: when hacking you type
certain commands; in phreaking, you play tones at certain frequencies.
blue boxing is just like gaining r00t access on a unix sys.
by gaining r00t access you become the 'system operator'.
the blue box utilizes 'system operator' tones. see what i'm sayin'?
just cuz phreaking is intellectual, it doesn't mean it can't be fun.
_`'-.,_,.-'`_`'-.,_,.-> [ definitions ] <-.,_,.-'`_`'-.,_,.-'`_
Phreak ["free"k] Verb - 1. The act of "Phreaking"
                        2. The act of making telephone calls without paying money
[the word phreak is a combination of phone, freak, and free]
Phreaker ["free"-k-er] Noun - 1. One who engages in the act of "Phreaking"
                              2. One who makes telephone calls without paying money
_`'-.,_,.-'`_`'-.,_,.-> [ fone systems in the world today ] <-.,_,.-'`_`'-.,_,.-'`_
[1] Step by Step
[2] Crossbar
[3] ESS [Electronic Switching System]
Step by Step
~~~~~~~~~~
First switching system used in America, adopted in 1918; until
1978 Bell had over 53% of all exchanges using Step by Step [SxS].
A long and confusing train of switches is used for SxS switching.
[> Disadvantages <]
[A] The switch train may become jammed: blocking the call.
[B] No DTMF [Dual-Tone Multi-Frequency] ["Touch-tone"].
[C] Much maintenance and much electricity.
[D] Everything is hardwired.
+> Identification <+
[A] No pulsing digits after dialing or DTMF.
[B] Phone company office sounds like many typewriters.
[C] No speed calling, call forwarding, or other services.
[D] Pay-phone wants money first before giving a dial-tone.
Crossbar
~~~~~~~
Crossbar has been Bell's primary switcher since 1960. Three
types of Crossbar switching exist: Number 1 Crossbar [1XB],
Number 4 Crossbar [4XB], and Number 5 Crossbar [5XB]. A
switching matrix is used for all the phones in an area. When
someone calls, the route is determined and connected to the
other fone. The matrix is set up in horizontal and vertical paths.
There are no definite distinguishing features of Crossbar
switching.
ESS
~~~
ESS is the big brother of the Bell family. Its very name strikes
fear and apprehension into the hearts of most who have this
knowledge, for a good reason. ESS [Electronic Switching System]
knows the full story on every telephone hooked into it. While
it may be paranoid to say that all telecommunications loopholes
may come to a screeching halt under ESS, it is certainly
realistic to think that everyone must be a little more careful
under ESS. Here's why:
With ESS, every single digit dialed is recorded. This is useful
not only for nailing telecommunications frauders but for settling
billing disputes. In the past, there has been no easy way for
the phone company to show you what numbers you have dialed locally.
If you protested long enough, and loud enough, they might have put
a pen register on your line to record everything and prove it to
you. Under ESS, the actual printout [which will be dragged out
of a vault somewhere if needed] shows every last digit you dialed:
every 800 call, every directory assistance call, repair service, the
operator, every rendition of the 1812 Overture, everything! Here
is a typical example of an ESS print out, which shows time of
connect and the number called:
DATE  TIME   LENGTH  UNITS  NUMBER        NOTE
----  ----   ------  -----  ------------  ----
0403  1517   3       1      264-9021      none
0403  1523   5       3      576-1303      H,P,V,C,A
0403  1600   1       0      800-555-1212  none
0403  1612   10      2.25*  716-221-3184  none
0403  01629  1       0      000-000-0000  O [TSPS]
Now you're probably asking, "What are those letters under
NOTE?" Well, those letters stand for certain words or
phrases that the Telco/phone company searches for. For
instance: O may stand for Overthrow. From here on, every
time you dial that number, the ESS may tap the line! And
this IS legal! It is legal because they may think you are
planning to "Overthrow" the Government or something!
You never know.
A thousand calls to "800" will show up on the ESS print out.
Every touch tone or pulse is kept track of, along with every
foreign signal. A traffic engineer did an exhaustive study of 800 calls
over the past few years and came to these conclusions:
1] Legitimately made calls to 800 numbers last an average
   of three minutes or less. Of the illegal calls via 800
   lines, more than 80% lasted 5 minutes or longer.
2] The average residential telephone subscriber dials five
   calls per month to an 800 number. Persons making illegal
   calls via 800 numbers average a significantly higher number.
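The print-out format and the two traffic-engineer findings above are enough to write a simple screening pass over call records, which is how a Telco security department would actually use them. The following is an added Python example written for this edit, not code from the original file. The record layout follows the sample print-out (DATE TIME LENGTH UNITS NUMBER NOTE, with DATE as MMDD and LENGTH in minutes), the thresholds (five minutes, five 800 calls per month) come from the text, and the 2x multiplier used to decide what counts as "significantly higher" is an assumption made here, as are the constructed sample rows beyond the text's own.

```python
"""Screen ESS-style call records for the 800-number patterns described above.

Added example, not part of the original file. Layout follows the sample
print-out in the text; thresholds follow the quoted traffic-engineer study;
the monthly multiplier is an assumption made here.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

LONG_800_CALL_MINUTES = 5    # text: >80% of illegal 800 calls lasted 5 minutes or longer
BASELINE_800_PER_MONTH = 5   # text: the average subscriber dials five 800 calls per month
MONTHLY_MULTIPLIER = 2       # assumption: "significantly higher" read as twice the baseline


@dataclass(frozen=True)
class CallRecord:
    date: str    # MMDD as printed
    time: str    # HHMM as printed
    length: int  # minutes
    units: str   # billing units, kept verbatim (may carry a trailing '*')
    number: str  # dialed number as printed
    note: str    # Telco annotation letters, or 'none'


def parse_record(line: str) -> CallRecord:
    """Split one print-out line into its six columns."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 columns, got {len(fields)}: {line!r}")
    date, time, length, units, number, note = fields
    return CallRecord(date, time, int(length), units, number, note)


def parse_printout(text: str) -> list[CallRecord]:
    """Parse a whole print-out, skipping the header row and the dashed rule."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("DATE") or line.startswith("-"):
            continue
        records.append(parse_record(line))
    return records


def is_toll_free(number: str) -> bool:
    return number.startswith("800-")


def long_800_calls(records: list[CallRecord]) -> list[CallRecord]:
    """Finding 1: 800 calls lasting five minutes or longer."""
    return [r for r in records
            if is_toll_free(r.number) and r.length >= LONG_800_CALL_MINUTES]


def heavy_800_months(records: list[CallRecord]) -> dict[str, int]:
    """Finding 2: months whose 800-call count exceeds baseline times multiplier."""
    per_month = Counter(r.date[:2] for r in records if is_toll_free(r.number))
    limit = BASELINE_800_PER_MONTH * MONTHLY_MULTIPLIER
    return {month: n for month, n in sorted(per_month.items()) if n > limit}


def noted_calls(records: list[CallRecord]) -> list[CallRecord]:
    """Calls the Telco has already annotated in the NOTE column."""
    return [r for r in records if r.note != "none"]


def screen(text: str) -> dict:
    """Run all three checks over a print-out and return the hits."""
    records = parse_printout(text)
    return {
        "long_800_calls": long_800_calls(records),
        "heavy_800_months": heavy_800_months(records),
        "noted_calls": noted_calls(records),
    }


# Constructed sample print-out: the first rows mirror the text's example,
# the rest are made up to show a month with an unusual number of 800 calls.
SAMPLE_PRINTOUT = """\
DATE TIME LENGTH UNITS NUMBER NOTE
---- ---- ------ ----- ------ ----
0403 1517 3 1 264-9021 none
0403 1523 5 3 576-1303 H,P,V,C,A
0403 1600 1 0 800-555-1212 none
0403 1612 10 2.25* 716-221-3184 none
0403 1629 1 0 000-000-0000 O
0404 0910 2 0 800-555-0101 none
0404 0915 7 0 800-555-0102 none
0405 1130 12 0 800-555-0103 none
0406 1802 1 0 800-555-0104 none
0407 1802 1 0 800-555-0104 none
0408 1802 1 0 800-555-0104 none
0409 2201 6 0 800-555-0105 none
0410 2201 1 0 800-555-0105 none
0411 2201 1 0 800-555-0105 none
0412 2201 1 0 800-555-0105 none
0502 0930 2 0 800-555-0106 none
"""

if __name__ == "__main__":
    result = screen(SAMPLE_PRINTOUT)
    for r in result["long_800_calls"]:
        print(f"long 800 call: {r.date} {r.time} {r.number} ({r.length} min)")
    for month, n in result["heavy_800_months"].items():
        print(f"month {month}: {n} calls to 800 numbers (baseline {BASELINE_800_PER_MONTH})")
    for r in result["noted_calls"]:
        print(f"Telco-annotated call: {r.number} [{r.note}]")
```

On the constructed sample the screen reports three long 800 calls, flags April (11 toll-free calls against a limit of 10) and lists the two rows the Telco had already annotated. Both thresholds are deliberately kept as named constants so the baseline can be re-derived from real traffic rather than the 1997 figures quoted above.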
Under ESS, one simply does not place a 2600 Hz tone on the line,
unless of course, they want a Telco security representative
and an FBI agent or policeman at their door within the hour!
Tracing calls, for reasons such as fraud or abusive calls, is done
from a computer terminal in a security department. Within ESS,
nothing is hidden or concealed in electromechanical frames, etc.
It is merely a software program designed for ease of operation by the
Telco. Call tracing has become very sophisticated and immediate.
There is no more "running in the frames" or looking for long periods
of time. ROM chips in ESS computers work quickly. That's what ESS
is all about.
Minimizing telecommunications fraud is not the only reason for ESS,
but it is a very important one. The first and foremost reason for
ESS is to provide the Telco with better control over billing and
equipment records, faster handling of calls [i.e. less equipment
tied up in the office at one time], and to help agencies such as
the F.B.I. keep better account of who was calling whom from where.
When the F.B.I. finds out that someone whose calls they want to trace
is on an ESS exchange, they are thrilled because it is so much easier
for them to trace.
The United States won't be 100% ESS until sometime around 2010.
But, in real practice, phone offices in almost every city are getting
some of the basic modifications brought about by ESS. "911" service
is an ESS function. So is ANI [Automatic Number Identification] on
long distance calls. "Dial Tone First" payphones are also an ESS
function. None of these things were available prior to ESS. The
amount of pure fraud calling via bogus calling card numbers,
third party dialing, colored boxing, etc. on the ESS lines led to
the decision to rapidly install ANI, for example, even if the
rest of the ESS was several years away in some cases.
Depending on how you choose to look at the whole concept of ESS,
it can be either one of the most advantageous inventions of all time,
or one of the most terrifying. The system is good for consumers in that
it can take a lot of activity and do lots of things that older
systems could never do. Features such as direct dialing overseas,
call forwarding, and call holding are steps forward without question.
But at the same time, what do all of the nasty implications mentioned
further back mean to the average person on the sidewalk? This system
is perfectly capable of monitoring anyone, not just telecommunications
frauders. What would happen if the nice, friendly government we have
somehow got overthrown and a mean nasty one took its place? With ESS,
they wouldn't have to do much work, just come up with some new software.
Imagine a phone system that could tell authorities how many calls you
placed to certain types of people: i.e. African Americans, Hispanics,
Communists, known Anarchists, laundromat service employees.... ESS
could do it if so programmed.
_`'-.,_,.-'`_`'-.,_,.-> [ History of the Art of phreaking ] <-.,_,.-'`_`'-.,_,.-'`_
The age of blue boxing began, not with a bang, but with a whistle. In
1972, a man named John Draper, a slightly scraggly engineer at National
Semiconductor, found a small blue whistle in a box of "Captain Crunch"
cereal. The whistle was deformed and had an odd extra hole. Draper found
that when the regular hole was covered the whistle created a perfect 2600 Hz
tone. Draper, who now refers to himself as "Cap'n Crunch", toyed with the
whistle until he created his first basic PCI-board construction of the blue box.
After receiving a university file which contained information on all operator
tones, the Cap'n created the new version of the blue box which utilizes all
operator tones.
_`'-.,_,.-'`_`'-.,_,.-> [ Colored Boxing ] <-.,_,.-'`_`'-.,_,.-'`_
The bulk of phreaking was (and still is to some extent) committed
by a technological piece known as a colored box. Most colored boxes
function by playing tones of certain frequencies, or combinations of
such tones. The next section gives a list and short description of all colored boxes.
What is a Red Box?
When a coin is inserted into a payphone, the payphone emits a set of
tones to ACTS (Automated Coin Toll System). Red boxes work by fooling
ACTS into believing you have actually put money into the phone. The
red box simply plays the ACTS tones into the telephone microphone.
ACTS hears those tones and allows you to place your call. The actual
tones are:
Nickel Signal   1700+2200hz  0.060s on
Dime Signal     1700+2200hz  0.060s on, 0.060s off, twice repeating
Quarter Signal  1700+2200hz  33ms on, 33ms off, 5 times repeating
Canada uses a variant of ACTS called N-ACTS. N-ACTS uses different
tones than ACTS. In Canada, the tones to use are:
Nickel Signal   2200hz  0.060s on
Dime Signal     2200hz  0.060s on, 0.060s off, twice repeating
Quarter Signal  2200hz  33ms on, 33ms off, 5 times repeating
How do I build a Red Box?
Red boxes are commonly manufactured from modified Radio Shack tone
dialers, Hallmark greeting cards, or made from scratch from readily
available electronic components.
To make a Red Box from a Radio Shack 43-141 or 43-146 tone dialer, open
the dialer and replace the crystal with a new one. The purpose of the
new crystal is to cause the * button on your tone dialer to create a
1700 Hz and 2200 Hz tone instead of the original 941 Hz and 1209 Hz
tones. The exact value of the replacement crystal should be 6.466806 to
create a perfect 1700 Hz tone and 6.513698 to create a perfect 2200 Hz
tone. A crystal close to those values will create a tone that easily
falls within the loose tolerances of ACTS. The most popular choice is
the 6.5536Mhz crystal, because it is the easiest to procure. The old
crystal is the large shiny metal component labeled "3.579545Mhz." When
you are finished replacing the crystal, program the P1 button with five
*'s. That will simulate a quarter tone each time you press P1.
Where can I get a 6.5536Mhz crystal?
Your best bet is a local electronics store. Radio Shack sells them, but
they are overpriced and the store must order them in. This takes
approximately two weeks. In addition, many Radio Shack employees do not
know that this can be done.
Or, you could order the crystal mail order. This introduces Shipping
and Handling charges, which are usually much greater than the price of
the crystal. It’s best to get several people together to share the S&H
cost. Or, buy five or six yourself and sell them later. Some of the
places you can order crystals are:
Digi-Key
701 Brooks Avenue South
P.O. Box 677
Thief River Falls, MN 56701-0677
(800)344-4539
Part Number: X415-ND /* Note: 6.500Mhz and only .197 x .433 x .149! */
Part Number: X018-ND
JDR Microdevices:
2233 Branham Lane
San Jose, CA 95124
(800)538-5000
Part Number: 6.5536MHZ
Tandy Express Order M
