
The Flow Box - Allows phreaking Nortel Millennium Payphones


The Flow Box: Stop Paying For Calls on Millennium Payphones
Written By Flame0ut & PrussianSnow    Email: barrie2600@usa.net

One of the most common questions asked by young telephone enthusiasts
in Canada is, "Can I red box Millennium phones?"

The answer, my friend, is no.

But some background first. The Millennium phone (model M1231) is an
advanced payphone manufactured by Northern Telecom. A good deal of
documentation concerning these phones is available on the Internet and
through Northern Telecom (1-800-4-NORTEL), but to quickly list some of
their "features":

- They have an LED screen displaying the current time, date, and a
    programmable message.
- They accept (in Canada) nickels, dimes, quarters and loonies, as well
    as magnetic cards such as Bell Calling Cards and smartcards such as
    Bell Quickchange Cards.
- The dialing system is multi-layered and involves several firmware
    systems; that is to say, the dialpad itself isn't responsible in any
    way for making DTMF, but rather requesting another system to do so.
    Note that if DTMF tones are played loudly into the microphone, they
    will be displayed on the LED screen.
- ACTS does NOT listen to these lines. Millennium Phones produce no tones
    when coins are deposited - the line an M1231 sits on is free for
    dialing out anywhere in the world with no blocking by an Automated
    Coin Toll System. The only thing blocking you from dialing out on
    these lines is the payphone itself, which does not actually pick up
    the line and enable the microphone until it determines that a  
    sufficient amount has been deposited. Note that the dialtone you hear
    when you pick up the phone is internally generated, and the numbers
    you "dial" are only actually dialled after the money is collected.
    This, of course, is significant for our purposes.
- When a long-distance number is dialed from the payphone, it displays a
    message along the lines of "Getting Rates, please wait..." While
    this message is displayed, a modem in the payphone is dialing an
    internally-stored number to another modem, presumably at the
    telephone company, from which it gets the rate for the number you
    have dialed. In my area, this number is in the 416 area code, and it
    can easily be gleaned by tapping the payphone line and recording then
    decoding the DTMF. One could even, theoretically, record the exchange
    between the modems and then play it into a modem that is in "silent
    answer" mode to observe what happens during the connection, and
    possibly figure out the protocol/commands used. Which, of course,
    would be immoral and wrong.

But I digress.

  Millennium Payphones, and indeed, most payphones out there, store any
coins you deposit in a temporary area until the line called is actually
answered. As long as it is ringing or you get a busy signal or an error
message, your money is not taken, and if you hang up before the line is
actually answered you get your money back. It occurred one day to
PrussianSnow and me to wonder how this happens - that is, how the payphone
knows that the line was answered.

  We'd heard of payphones in which the toll signalling was done with
tones generated by the CO - on a payphone line, the central office would
generate tones telling the phone to return or take your coins depending
on the circumstances; however, we've never directly observed this method.

  Fortuitously, PrussianSnow some time later discovered from Northern
Telecom's website that one of the requirements for installing an M1231
was "a phone line capable of current reversal". This is, of course, how
the tolling is signalled.

Making a call from an M1231 works as follows:
- You dial a number, which is then stored internally.
- The payphone waits for, collects, and verifies your money.
- When a sufficient amount is deposited, the payphone goes off-hook and
    dials the number you entered. At this point your money is in the
    temporary area.
- The microphone is enabled (which is also significant).
- While the number you've called is ringing, the line current is positive
  on ring and negative on tip, as is standard.
- The line is answered. The CO detects this and flashes a voltage reversal
  down the payphone line - for a moment, it is negative on ring and
  positive on tip.
- The payphone detects this flash, swallows your money, and enables the
  dialpad. The voltage is normal (positive ring, negative tip) for the
  rest of the call.

  There are a few alternatives - for instance, when a toll-free number is
dialed, no voltage flash occurs so the dialpad must be enabled as soon as
the number is dialed. Note that you can make tones while an 800 number is
ringing, but not during a local one.

  The circumvention of this is obvious, and an example of the futility of
placing the bulk of your security within reach of the end user (to be
pedantic for a moment). You do not need to stop this voltage flash from
happening, but rather, simply to stop the payphone from detecting it.
Once this is done, the payphone will never receive a signal to swallow
your money (or debit your Quickchange Card, as it were), and it will
simply think that the line is ringing for the duration of your call. The
CO will know better, but that is irrelevant.
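
  Since the CO does see the answer, its records can be set against what
the terminal says it collected. The following is an added example, not
part of the original text or any vendor's code: a reconciliation check
over constructed sample records. The record layouts, line IDs and
thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data; field names and layout are assumptions for illustration.
# Switch-side call records: (line_id, call_id, answered, toll_free, seconds)
SWITCH_CDRS = [
    ("PAY-001", "c1", True, False, 180),
    ("PAY-001", "c2", False, False, 0),
    ("PAY-001", "c3", True, False, 60),
    ("PAY-001", "c4", True, True, 300),
    ("PAY-001", "c5", True, False, 45),
    ("PAY-002", "c6", True, False, 240),
    ("PAY-002", "c7", True, False, 95),
    ("PAY-002", "c8", True, False, 610),
    ("PAY-003", "c9", False, False, 0),
]
# Terminal-side collection reports: (line_id, call_id, cents_collected)
TERMINAL_REPORTS = [
    ("PAY-001", "c1", 25), ("PAY-001", "c3", 25), ("PAY-001", "c5", 25),
    ("PAY-002", "c6", 0), ("PAY-002", "c8", 0),
]

def reconcile(cdrs, reports, min_answered=3, max_uncollected_ratio=0.5):
    """Flag lines where the switch saw answered chargeable calls the terminal never charged."""
    collected = {(line, call): cents for line, call, cents in reports}
    stats = defaultdict(lambda: {"answered": 0, "uncollected": 0, "seconds": 0})
    for line, call, answered, toll_free, seconds in cdrs:
        if not answered or toll_free:
            continue  # unanswered and toll-free calls legitimately collect nothing
        s = stats[line]
        s["answered"] += 1
        if collected.get((line, call), 0) == 0:  # a missing report counts as uncollected
            s["uncollected"] += 1
            s["seconds"] += seconds
    return {
        line: s for line, s in stats.items()
        if s["answered"] >= min_answered
        and s["uncollected"] / s["answered"] > max_uncollected_ratio
    }

if __name__ == "__main__":
    for line, s in reconcile(SWITCH_CDRS, TERMINAL_REPORTS).items():
        print(line, s)
```

Run per billing day rather than per month, a check of this kind surfaces
a terminal whose answered calls collect nothing long before a revenue
report does.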

  Four diodes, when hooked together so as to convert AC to DC, are
collectively referred to as a full-wave rectifier (which can be purchased
as a single component). Quite simply, a rectifier has 2 inputs and 2
outputs, and its purpose is to force the polarity of the outputs to be
constant no matter what the polarity of the inputs.

  Hence, when a rectifier is wired between the line and the payphone, the
polarity can be forced to always be positive on ring and negative on tip.

  Right, enough theory. It's time to get For Educational Purposes Only on
your ass, and talk about some application and installation.

  Our prototype of this fingle was a full-wave rectifier of an unknown
rating (which happily proved to be enough - these things are generally
used on house current AC so many handle up to 110V or 220V with 2 or 4
amps, or more), wired up to a DPDT switch with 3 states -- unrectified,
no flow at all (broken line -- no real reason for this one), and rectified
polarity.

  It took PrussianSnow 40 minutes with his head stuck in the top of an
M1231 booth off the side of a highway at midnight to get this thing wired
up, but it worked the first time much to our orgasmic delight.
(Educational purposes only)  It shouldn't really take that long to hook
up, but this was the first one ever made so nyah. In our example, we'll
be using just a rectifier with no DPDT.

  Installation is simple, and I'll list it in little steps with numbers
beside so you don't accidentally do them out of order and hurt yourself.

Stuff to bring:
- 1 pair of pliers
- 1 full-wave rectifier
- 1 slot-head screwdriver
- a couple of quarters or something
- A flashlight couldn't hurt
- And neither could some strippers
- Some gloves would be nice, so you don't get any small shocks
- And some biscuits, perhaps some Saltines or something of the like -
    anything crunchy and delicious will do.
- Alligator clips or crimpers would be nice.

1. Locate the phone box for the payphone, or anywhere in the line where
   you can easily cut it and splice in the rectifier. The phone box, of
   course, is preferable. In a standard Millennium phonebooth, the
   plastic "ceiling" is hinged on one side and latched in at the other
   with 2 "tamper-proof" screws, which can be coerced out with a
   slot-head screwdriver. You need only turn them about half a revolution.
2. Once the ceiling is swung down, you will have access to the phone box
   as well as the 110-volt outlet which powers the lightbulb and the
   payphone. Some booths have a power switch for the payphone. Don't
   touch anything you don't have to, unless you want to. And you should
   want to. You can make funny things happen. Note that the light takes
   a long time to power up once unplugged and plugged back in.
3. Look at the phone box and eat a biscuit. Be contemplative. Note that
   there are two main terminals - the one on the right has the ring  
   wires; a red one going to the phone, and a blue one coming from the
   line. The left terminal, tip, will have a green wire going to the
   phone and a white wire going to the line. If these should vary,
   just trust that the right terminal is ring, and positive. In some
   phones it's actually the red and green that go to the phone line
   rather than the phone - just figure out where the wires go, christ,
   it's not all that hard. Geez. Whiner.
4. Loosen the nuts on the terminal bolts with the pliers you so
   fortuitously brought along. Try not to let the green or red wires
   come off the bolts, as that would be a pain you don't need. Pull out
   the blue and white wires.
5. Run the blue wire (or whatever wire was on the right terminal) to an
   AC input for the rectifier, and run the white wire (or whatever) to
   the other AC input. You can attach them with gator clips,  
   clothing-pins, crimpers or whatever. Maybe you could bring a
   soldering iron and some solder, unplug the phone, plug your iron in,
   wait a couple of minutes while it heats up, then solder the wires
   together, unplug your iron, wait for it to cool down, put it away, and
   plug the phone back in. That would be a story to tell.
6. Run the positive output to the right terminal and the negative output
   to the left terminal. You can attach them by putting them behind the
   nuts and tightening them again.
7. If the phone is still working, that's a good sign. Pick it up and
   dial a number local to you. It will ask for a quarter. Deposit one.
8. If the number is dialed and the call goes through, you haven't broken
   anything. If the number is dialed and you just hear silence, or the
   LED screen declares "Phone Not In Service", check all your rectifier
   connections and, as a last resort, assume that I've completely
   forgotten whether ring is positive or negative and flip your output
   polarity. Sorry.
9. Hold your breath. When the line is answered, the CO will send the
   polarity-flip-flash. When it hits your rectifier, it will turn into
   normal polarity and nothing will happen. So, when the line is
   answered, the payphone won't take your money. At this point you may
   jump around shouting gleefully.
10. Hang up the phone. Your money will fall into the coin-return slot.

Clink.

And that's that. The payphone is now, quite simply, free to use. Flip the
ceiling back up and screw the latches back in.

Let's talk, now, about caveats.

- You need to have the money that the call would cost you or, for a long-
  distance call, the money for the first minute (the timer will never
  actually begin). A Quickchange card would be nice in this case.
  You'll get it all back in the end, and the card will simply never get
  debited.
- Since the phone receives no polarity flash, and since the dialpad only
  activates when it receives one, you may not use the dialpad while on
  local or long-distance calls. Bring your tone generator if you want to
  use a VMB or anything. Since toll-free calls produce no polarity flip,
  the payphone must enable the dialpad as soon as it dials the number, as
  mentioned before (pay attention!).
- The M1231 may disconnect a call if it goes too long without being
  answered to the payphone's knowledge. I have no example of this
  happening, but it would only make sense. At any rate, you have at
  LEAST 5 minutes. Probably more. Quite possibly this doesn't happen at
  all, and I'm just a paranoid fuck.
- This will likely work on any Millennium phone (M1231, M1232, and so on)
  as well as any other payphone that uses this signalling.
- Oddly enough, if you dial "0" from the phone, the operator will not be
  able to hear you. We've yet to determine why this is, since there are
  no other issues with microphone enabling.
- Your rectifier may well get diked out when the phone company sees that
  the payphone in question has made $0.00 in revenue for the last month
  and a half. (Um, this seems to have been an understatement - note the
  "update" at the bottom of this document!) For this reason, you may want
  to make your rectifier togglable. Let's discuss this.

  To date, we've not determined a really good way to toggle the
rectification. Ours had a DPDT switch but we have to pull down the
ceiling to get at it, so gah. We've considered things such as a mercury
switch sitting on the plastic ceiling so that you can toggle it by giving
the ceiling a good thump (Fonzie-style), a relay in the circuit with part
of the circuit going into the booth and the other going into a wire that
we could hang through a corner of the ceiling, so that one could toggle
the rectification by holding the wire against the side of the booth...
we've even considered drilling a hole through the back of the booth and
sticking a switch through it.

Whatever.

At any rate, I've gone on long enough and I'm tired. So, this is, of
course, all for educational purposes only, and neither PrussianSnow nor I
(Flame0ut) take any responsibility for anything this document may cause
anyone to do.

Note that if NorTel would just make the microphone not activate until the
voltage flash, this method would be moot.
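
The design change described in the note above, as an added example that
is not Nortel's firmware or part of the original text: a small model of
the terminal with the voice path either opened at dial time or held shut
until answer supervision arrives. The class, its state names and the
120-second ring timeout are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Terminal:
    gate_voice_on_answer: bool   # True = the fix the authors suggest
    ring_timeout_s: int = 120    # assumed value; the page gives no figure
    state: str = "IDLE"
    voice_open: bool = False
    chargeable: bool = True
    escrow: int = 0              # cents held in the temporary area
    collected: int = 0
    waited: int = 0

    def dial(self, cents, chargeable=True):
        self.state, self.escrow, self.waited = "AWAIT_ANSWER", cents, 0
        self.chargeable = chargeable
        # Toll-free calls carry no answer signal and owe nothing, so they open at once.
        self.voice_open = not self.gate_voice_on_answer or not chargeable

    def answer_supervision(self):
        if self.state == "AWAIT_ANSWER" and self.chargeable:
            self.collected, self.escrow = self.collected + self.escrow, 0
            self.state, self.voice_open = "CONNECTED", True

    def tick(self, seconds=1):
        if self.state != "AWAIT_ANSWER" or not self.chargeable:
            return
        self.waited += seconds
        # Hardened only: give up on a call that never reports an answer.
        if self.gate_voice_on_answer and self.waited >= self.ring_timeout_s:
            self.hang_up()

    def hang_up(self):
        refund, self.escrow = self.escrow, 0
        self.state, self.voice_open = "IDLE", False
        return refund

def unpaid_talk_time(term, call_seconds, signal_seen):
    """Seconds with an open voice path and nothing collected on a chargeable call."""
    term.dial(25)
    if signal_seen:
        term.answer_supervision()
    unpaid = 0
    for _ in range(call_seconds):
        unpaid += term.voice_open and term.collected == 0
        term.tick()
    term.hang_up()
    return unpaid
```

With the gate in place, a call whose answer signal never reaches the
terminal yields no usable voice path and is dropped at the timeout, while
a normally signalled call is charged and connected as before.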

It's a shame, really.

Enjoy!

----

Update, about six months later:
Yes, we wrote this document a long time ago and dawdled about publishing
it.

Some things have happened since which we feel are worth noting. Firstly:
- Nortel no longer owns the M123X payphone line; it's been sold to a
    company called Quortech, which seems very twitchy about sending out
    manuals (can't imagine why?)
- Our prototype device and payphone have been removed. Both of them.
    Completely.  Our proof-of-concept phone was loaded into a truck and
    taken away for good. It took them five months, but the first ever
    creation of this device is now in the hands of Bell Canada, godspeed
    to it.

That's about all.