General Phreaking Skills, by Psycho (mostly relevant to BT)

				General Phreaking Skills
				      By Psycho
				8/11/99 All information
			published in this leaflet was correct
				 at time of printing.


			 Disclaimer: This tutorial was meant to be used for 
			educational purposes ONLY. If you choose to use this 
			    material for anything illegal then I take no 
			    responsibility for your actions whatsoever.

After spending a hell of a long time gathering information on phreaking from multiple sources, I decided it was time someone put it all in one concise guide. This reference does not contain EVERYTHING you will need to know about phreaking; it is not meant as a definitive guide. It just contains material to take you beyond the beginner level. The best way to learn is to get out and practice (although I don't recommend that as it is illegal ;)). This text will not go into beige boxing or basics like that, just Payphones, Blueboxing, VMB Phreaking, and a little Red Boxing. If you want to learn the basics, go get Squiler's Guide for beginners, which I personally think was a good guide for a newcomer to the subject. I am writing this from the UK so the majority of the material will be British based (BT Phoneboxes and so on), but there is a section on things that should work universally (but I can't guarantee it since I have never been too far from Wales). So...

What will we cover?

	***************	UK Section:    *****************
              (D)-Detailed (B)-Brief

· Blue Boxing  		(D)
· Red Boxing		(B)
· Free Calls
· Which phones are which?
· Cocots		(D)
· Payphone 600		(D)
· Payphone 2000		(B)
· Payphone 200 MKII
· Others

	**************    Universal Section:    **************

· VMB Phreaking		(D)
· General Tips
· Others

			****    		            ****
			****         UK Blue Boxing   	    ****
			****     		            ****

As you should already know, Blueboxing is a trick where you dial an 0800 (freephone) number, then release tones down the line, making the other end think you have hung up, thus making you an extension of their line - anything you do appears to come from them. Now when they hang up, you stay on and have control over their line. Bingo! Unfortunately, this trick doesn't work over here anymore. So, you will have to dial up a foreign (preferably developing) country by freephone. These are usually 0800 890 xxxx. So keep scanning until you find a line which emits a nice 'Cheep' sound when they pick up. This means the line is CCITT5, which is the older format of tone dialling. It has now been replaced by DTMF in most countries so you'll be lucky if you find a working line. If you do find one, don't tell anyone - not even your best friend (that is, assuming you have friends) because word gets around and that is the way decent lines 'die'. So, once you get one, here's the deal:

Get hold of a programme that generates sound tones. I recommend 'Bluebeep', which you can get from: - 
You can either dial up with a voice modem, or you can record the tones from your soundcard, onto a DIGITAL Dictaphone. Analogue is DANGEROUS. Let me explain; sometimes the recording will be okay on a cassette or so, but sometimes you will get a crap recording, it won't work and the operator will know what you are up to. Which is why it would be best to do it from a payphone this way.
Now you wait for an answer then play a mixture of the tones:

2400Hz + 2600Hz

The length of time you hold this varies from country to country but usually somewhere between 50ms and 200ms does it. Then immediately after (no gap) play the plain


On its own for a few seconds until they hang up. Now, with all being successful, you should have a free line all to yourself (WooHoo!!!). Now don't get hasty, we haven't finished yet. Your next task is to play either:

	The KP2 (as below) tone, followed by the country code, then the area code, then
	the number, then ST (as below) for international calls (remember you are dialling
	from a foreign country - to get back to the UK, you'll need a country code &
	area code (+44 then e.g. 01792) before your number). So the international format
	is:


	For local calls (in the country you dialled), play KP1, then the area code, then
	the number, then ST. So it's:


(ST simply tells the server to start connecting.)
Here's the chart of the codes and their CCITT5 tones.

		Code    		            Tone Combination (Hz)

		1					700/900
		2 					700/1100
		3 					900/1100
		4 					700/1300
		5 					900/1300
		6 					1100/1300
		7 					700/1500 
		8 					900/1500
		9 					1100/1500
		0 					1300/1500
		KP1					1100/1700
		KP2 					1300/1700
		ST 					1500/1700 
		C11 					700/1700

The two tones should both be played simultaneously for 50 ms, with a 50 ms gap between them. Ps: This shouldn't be done from a home line, and whatever you do, don't ring home!

			****                                ****
			****   	     UK Red Boxing          ****
			****   				    ****

I don't really have much to say on this subject, apart from that it's not really worth it, but since this is educational ;-) I'll teach you anyways! This doesn't work direct, just like everything else with BT! You would need to do it via the operator, which makes things pretty awkward. Still, what you would need to do is:

Call up the operator. Tell her that one of your keys is missing (and make sure it is in the number you are dialling!) or is stuck down and doesn't make a noise when you push it. Try to act a bit slow :) Ask her if she can put you through to *Place Your Number Here*. If all goes well, she'll mess about for a bit then ask you to put your money in, that is when you let rip with all your tones... Free call, BUT you might get an operator that will ask you to use another phone. You could try reasoning with her, but she has probably just broken up with her boy (Beast) friend and will be in a real bad mood and just zap you with the phone or something! Worst case scenario (not including getting struck by lightning in the box), she will send out an engineer to see to the problem - in which case you grab your stuff and run like hell! If you want the tones (which you will have to record onto a Dictaphone or something similar), then do a websearch for UK +RedBox +Tones, you should find them in .wavs no problem. That's pretty much it for Red Boxing.

			**** 				    ****
			****         UK Free Calls          ****
			****            		    ****

This one you may as well forget if you are in an urban area, but if you are out in the countryside, where there aren't so many people, and nobody bothers coming to update the phone system, then you are in luck. See if you can find one of them big phone pole things. The closer to you, the better. Now, if it has a small box on the bottom of it then you are in luck. When no-one's around, go up to it with the right tool to open it (should be a hex spanner, but could differ), and... OPEN IT (surprisingly enough!). You should find some phone stuff. If on or near the box it says something like "Danger - High Voltage" or something like that, then you'd better leave it alone; otherwise, you should find an ordinary modular jack socket which you can plug an ordinary phone into! And since this is for testing the line, it doesn't get billed to anyone, so unless you get caught, you won't get in trouble. If you think you can pull this one off (it must be very near to your house/garden), then try hooking up an extension lead into your house. Hide it every way possible, just don't get caught! Be careful when closing the box, as the wires are very delicate and thin.

			****          			    ****
			****         UK BT Payphones        ****
			****            		    ****

Which phones are which?

There are two main types of Payphones, COCOTs and Phone boxes. COCOTs are the types that you get in Bars, Clubs, Youth Clubs, Schools, Hospitals, Hotels etc. The owner gets his/her share of this money while BT gets the rest. They are more expensive than Phone Boxes. Then there are Phone Boxes, which are... Phones in boxes! (Wow!) Phone boxes come in three main flavours: Payphone 600, Payphone 2000, and the really ancient ones (no one knows what they are called!). Technically, the BT Payphone 200 MkII is a phone box, but it is indoors and acts like a COCOT so we cover that in the COCOT section.

MkII: These are the ones that you may have seen dotted around the place. They are cream and brown coloured. They're wall mounted and pretty old so are usually quite dirty! They have a small grey LCD display and nothing fancy. Found in old bars etc.

Payphone 600: These are mostly found in suburban areas. It has a 'Follow on Call' button under the handset, is black around the back & sides, has instructions above the coin return box and has blue writing on the silvery front. The LCD display is right next to the coin slot.
			|# \__________________\
			|#  |        !!!! '='  |
			|#  |  (**)            |
			|#  |   ||     1 2 3   |	!!!! = LCD Display
			|#  |   ||     4 5 6   |	'='  = Coin Slot
			|#  |  (**)    7 8 9   |	 \\   = Steel cased cable
			|#  |   \\     * 0 #   |	~~ = Directions on use
			|#  |   ||     ~~~~~~  |	[_] = Coin return box
			|#  |    \\    ~~~~~~  |	##  = Black area
			\#  |      \\   [__]   |

Okay, so it isn't the best picture in the world but it should give you some idea as to what the Payphone 600 looks like.

Payphone 2000: This is much beefier and more hi-tech than the 600 and doesn't have so many faults, thus making it harder to phreak. Only a few phreaking routines are known for this. It is found in the city and commercial areas. It has four LCD displays; 1 large one (above the number pad) and 3 small ones (to the left of the number pad). It has a volume control on the pad, and often speaks the numbers as you dial. You can't really miss it. And if you are wondering, no I'm not going to draw this one!

The Ancient ones: Not really much to say about these... Simple. It's easier to break into these than phreak them! You can tell it by its bottom section, which looks like it can come off (which it can). Let me show you:

				|     ||||    4 5 6     |
				|    (****)   7 8 9	|
				|     ¯||¯    * 0 #     |
				|      ||     ________  |
				|      ||     | Coin |  |
				|//| <<<< This bit comes off


Ahhhh, the fabled COCOT! Phreakers love COCOTs because they are so easy to phreak! There are lots of types of COCOT so I can only divide them into group categories, as follows:


PP 190

  Non-BT COCOTs:

General Routines

					BT Cocots

BT Payphone 200 MkII:

This one is the phreaker's heaven! You know, the light beige coloured one with the dark brown cable... Good! Now I won't go into these in detail; there are multiple ways to phreak these, but there is one that always works - so there's no point going into the others! Right. All you have to do is (fake putting some money in to make it look convincing :)) dial *#2580. Just remember star, then hash, then go vertically down the centre of the number pad:

                                    Go along this line.
					1   |2|   3
					4   |5|   6
					7   |8|   9
					*   |0|   #
				       ¯¯¯       ¯¯¯

Then, wait a little and the dialtone should come back. Now you can make any call you like! Local, National, International, 0891, anything! Except don't ring home, or you could be traced (if you make a really long call, or you are in another country etc). You may be unlucky as these phones are rare nowadays, and many might have been patched against this but otherwise, that's all you'll need to know for this phone! If you can't find any around you that this works on, then try using some of the common routines on them.

Other BT

Next is the Payphone 190, which is quite common. First look for the BT logo, then look for 190. If you find one, try this:

Lift up the handset, if it says "----" on the display then you need to type in the code there and then, followed by a "#". If you don't get the dashes, press "****" then the code, then a "#". If you are wondering "How the hell do I get the code?" then take a guess. The manager sets it up, and he's not really expecting people to hack his pin, so it would probably be something like 1111 or 9999 or 1234. Try everything predictable that you can, and if it doesn't work then you may as well give up. But 9 times out of 10, it is just an easy guess away. If you don't get it after a while, leave it for a bit or people will get suspicious. If you get the pin, you will see on the screen "PROG". This is where you jump up and down cheering! Make a note of the pin, and come back when there aren't so many people around. You will be faced with a number of options. Usually the option to dial out is 9. Try pressing this, then if you get a dialtone, get dialling - free call! Or you can mess about with the time/date, barred numbers or whatnot.

If you find a phone which is neither of these, yet is BT then try some of the general routines in the next section.

					Non-BT COCOTs

General Routines

These should work on most COCOTs, BT or not.

Simplest first: this mistake is often made in schools or places where not everyone is allowed. Have a look at the phone, and try to find where it is plugged in. If you can see it, and you can unplug it, then Wahey! Note what colour the handset is, and the wire and the shape. Now if you can get hold of a phone which is similar to this, then all the better. If this phone (yours) has a cradle to keep it on, take this off. The wire usually goes into the bottom of it and straight out. In most cases, there is nothing important in the base (providing the numbers are on the phone). Either way, bring this in one day, and plug it straight into the socket! Try to make it look like you are using the phone that is there though. This will work fine, no need to put any money in... Just dial away!

Another one which might work in a school or so is this: dial the person's number without putting in any money (you won't be able to speak to them, just hear them), and as soon as they answer, quickly hang up and redial their number before they hang up. If you were quick enough, you will get the engaged tone, now press 5! Hang up and before you know it (with a bit of luck) the phone will ring, pick it up, free call! Note: this one usually only works on cheap phones (COCOTs).

If, when you pick up the receiver, you get a dialtone which isn't the normal BT dialtone, then make a recording of the number you want to dial (from a home phone onto a Dictaphone or something). Once you have the recording, go up to this phone, dial a freephone number, wait for them to hang up, leave it a bit and you should get a normal dialtone. At which point you play your sound and hey presto!


If you can't find where the phone is plugged in, don't panic. Providing your COCOT is indoors, the wire connecting the handset to the main chassis should be plain plastic wire, with no metal on it. If so, bring in a craft knife (or any sharp knife) and when no one is looking, strip away a part of the wire where no-one will see it (usually right under the main box). This should reveal 4 coloured wires. Now, also bring a wire cutter and a wire stripper. Cut one of these wires. You have a 1 in 4 chance of getting this right. If you do, you should still have a dialtone. If not, don't worry, just reconnect them. Keep doing this until you find a wire which can be cut without losing your dial tone. When you get it, cover up any signs of tampering, put in the smallest credit you have, then dial. If all goes to plan, your credit should never run out! This also works on most payphones (I have never tried it on a 2000), including international phone boxes. On a BT phone, on re-connecting the wires, the phone will give back all the money that was put in while it was disconnected! So if you need some (small!) cash, disconnect the wire, hide it then come back when some people have used it (they will be oblivious to the fact you don't need money) then re-connect the wire... Bingo! About 40p in small change!!! This can be very time consuming!

					Phone Boxes

Payphone 600

This phone originally had many faults, but now a lot of them have been patched. But if you are lucky enough to live far out in the country where there aren't many PPs then you might have a chance. If so, this first one is a must-try.

This one hardly ever works but it's worth a try. Lift up the phone and when you get a dialtone, pull the hook (that the phone rests on) down with your hand. You should immediately hear a click, and then about 3 or 4 seconds later another click and everything will go blank. Listen to it a few times so you know exactly when the final click is. Now exactly ON the last click, not before or after, on the click, you should let go of the hook, bringing it back up. Keep trying just to make sure that it doesn't work (odds are all for it not working). If you are (extremely) lucky, the display will show 77 or £79, it's not over yet. Pull down on the hook again and the phone will dial quite a few numbers on its own. Again, it will click then a few seconds later it will click again. Do the same as before, let go exactly on the second click. If all goes well, you will get a dialtone, and the display will say £55.26!!! You can keep dialling until this reaches zero, and when it does, it will reset to £99.99! Using the "Follow on Call" button, you can keep dialling forever! If you find a phone that this works on, DON'T TELL ANYONE (except maybe me!). Or this phone will be patched too. Good luck!

This one often works, but not always. Put 20p or so in, call and wait until you reach 9p or anything less than 10p. Hold down Follow on call, now it would give you any change back but it can't give less than 10p, so it won't. Keep holding it and the coin return chute will be open, now put a quid in (still holding it) it will register but fall straight back out the chute! You can use this constantly, providing you put it in when you have < 10p. PS: I made out that you have to hold the button down for a while. This is not the case; you can do it immediately.

You can always try hacksawing the metal case around the cable and cutting the wires as covered in the COCOT section.

Payphone 2000

These are pretty well protected now, BT are learning! You could try the hacksaw method but I doubt you'd get very far.

The only one which work(ed)s properly is the coin call. Put in £1, talk until you have about 16p left then press "Follow on Call", dial 141 141 00000 and keep pressing '0' until it spits your quid back out. This only works on ones with a volume control on the number pad.


For those ancient phone boxes (no not the red ones!), which you can tell from the bottom section, there is a pretty easy yet destructive way to phreak (vandalise) these. When no-one is around get a strong flathead screwdriver, and shove it under the coin return flap, in the compartment, but at the bottom, then push very hard on it until the bottom pops out (fig. 1). Next take a large (preferably long-nosed) pair of pliers, stick it up behind the coin return box, and find a rod of metal going horizontally behind the top of the flap, and force it out (fig. 2).

fig. 1	
|    ||||        |7  8  9|     |
|    ||||	 |*  0  #|     |
|   /\	 ŻŻŻŻŻŻŻŻŻ     |
|   \/	 |ŻŻŻŻŻŻŻ|     |
|    Ż||Ż 	 | coin	 |     |  
|_____||_________|return |_____|
|#################  ^^    ######|  <<< Shove screwdriver in here
\#################  ||    ######/
                   [||]  <<< Screwdriver

	  a) money comes ||
	      down here  \/
fig. 2	
 		|    b)|    |
 		|      |   \|	o = rod to be removed  d)
 		|______/ o  \
 		|       __   \ <<<  Coin return Flap
 		|   ___/   ___\
 		|  /        |
       c) money comes     ^ Put pliers 
        out here \/       |  up here
As fig. 2 shows (badly), the money comes down a), past b) (where the money registers) then out of c) into the box below. d) is stopping you from putting your fingers up the coin return flap to catch the money as it falls. When you press coin return, your change falls the other side of e), coming into the coin return chamber. Removing this rod will allow you to put your fingers up the coin return box to catch your money as it falls. (It helps if you wiggle your fingers about a bit). This is a compacted drawing. In reality, there is more room for your pliers.

Universal Section

			****    			    ****
			****  	      VMB Phreaking         ****
			****     	                    ****

A VMB is a Voice Mail Box. They are used by lots of people in a company to keep in touch with each other. Basically, it's just a big fat fancy souped up answering machine (but not to be confused with one). You can always tell a VMB because:

1) It will say "blah blah 'Voice Mailboxing system' blah blah *Company Name* blah blah." 

2) It will ask for a mailbox no. and a pin no.

3) It will usually be a freephone no.

4) It won't say "*Crackle* Hi. Sorry we can't get to your call, *crackle* but we are probably *talking in the background* out or can't be arsed to answer the *belch* phone at the moment. So please (don't) leave a message after the tone... (Now where's that button? oh yeah) *Click*" or something to that effect.

Try to avoid big companies like Meridian and Aspen, because they have good protection systems and will ask you to enter your box no. and pin no. at the same time. Scan for a bit and see if you can find any cheapo ones. Sorry I can't give you any decent numbers, but I'm not into this myself, but still... I'll give you Meridian's number:    (UK) 0800 318 407 (or 409)

Now if you get hold of a company which lets you enter mailbox no. and pin no. separately, then good. Try and find a box which is relatively easy for you to remember but isn't too predictable (say... the date you bought your first condom) and is working. The amount of digits in the box and pin are up to you to find out. Again, sorry for the lack of information, but hey! Aren't you supposed to be getting off yo' lazy ass and doing something?!
You can usually tell by the wait between entering the last number and them telling you it's wrong, for example:

  Wait after entering last no.	       Amount of digits
      until response (secs)

		6				1
		6				2
		6				3
		2				4

This would mean there are 4 digits in the code. The amount is usually a decent number like a 4 digit code, or 8 digits or something like that. The pin is usually 4 digits but not always. These methods do not work with big companies. If you know anyone who has a VMB of their own, try asking them (but think up a good reason to ask first).
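
Seen from the operator's side, the table above is a timing leak: the system answers sooner once a full-length entry has arrived. The following is an added example, not part of the original text, that models that behaviour beside a collector whose response time does not depend on the configured length; the function names and the '#'-terminated design are assumptions, and the 6 s / 2 s values simply mirror the table.

```python
"""Model of the digit-count timing leak in the table above, beside a hardened collector.

Added illustration: the 6 s and 2 s values mirror the table; function names and
the '#'-terminated entry design are assumptions, not any vendor's behaviour.
"""

INTERDIGIT_TIMEOUT = 6.0  # seconds spent waiting for a further digit
VERIFY_DELAY = 2.0        # seconds to check and reject a completed entry


def leaky_response_time(entry: str, code_len: int) -> float:
    """Collector that stops listening as soon as code_len digits have arrived.

    A short entry waits out the inter-digit timer, a full-length entry is
    rejected quickly, so the wait depends on the secret code length.
    """
    digits = entry.rstrip("#")
    if len(digits) >= code_len:
        return VERIFY_DELAY
    return INTERDIGIT_TIMEOUT


def hardened_response_time(entry: str, code_len: int) -> float:
    """Collector that only evaluates an entry when the caller ends it with '#'.

    code_len is deliberately unused: nothing about the secret affects timing.
    """
    if entry.endswith("#"):
        return VERIFY_DELAY
    return INTERDIGIT_TIMEOUT


def latency_profile(collector, code_len, max_len=8, terminator=""):
    """Response time for wrong entries of 1..max_len digits."""
    return tuple(
        collector("0" * n + terminator, code_len) for n in range(1, max_len + 1)
    )


def leaks_code_length(collector, max_len=8, terminator=""):
    """True if the latency profile differs between possible code lengths.

    If every code length produces the same profile, timing tells a caller
    nothing about how many digits the system expects.
    """
    profiles = {
        latency_profile(collector, n, max_len, terminator)
        for n in range(1, max_len + 1)
    }
    return len(profiles) > 1


if __name__ == "__main__":
    print("table row for a 4 digit code:", latency_profile(leaky_response_time, 4, 4))
    print("leaky collector leaks length:", leaks_code_length(leaky_response_time))
    print("hardened collector leaks length:",
          leaks_code_length(hardened_response_time, terminator="#"))
```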

Now once you have a valid box, and you know the amount of digits in the pin (you could try trial and error if you still don't know, but that would take forever), try guessing some predictable numbers like 1111 or 11111111 or 2222 or 22...
Maybe the same as the box no. or the box no. backwards. I don't know! After a couple of hours (hehe!) you should have got into a box. Make a note of the number and pin. You should be faced with a number of options. Whatever you do, don't leave messages to anyone or you will get kicked off 'your' box sooner than you would like. You want to choose the option to dial out (once I spent a matter of hours getting a box with a small company - I forget who, or the number, but anyway, when I finally got in, there was no option to dial outside! That kinda put me off. So don't spend too long!). Make good use of it before it gets closed. You should preferably have an unused box, or someone might get suspicious. There are lots of unused boxes made by default, often the first few boxes (eg. 0013) or things like 1234. Well, that's pretty much it to this subject, good luck!
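
The guesses listed here and in the Payphone 190 section (1111, 9999, 1234, the box number, the box number backwards, unused default boxes) are exactly what a mailbox administrator can screen for. The following is an added example, not part of the original text: a PIN audit plus a failed-attempt lockout. The Mailbox record, the reason strings and the three-failure threshold are assumptions, and the sample mailboxes are constructed.

```python
"""Audit mailbox PINs for the guessable patterns listed in the text, plus a lockout.

Added illustration: the Mailbox record, reason strings and the three-failure
threshold are assumptions; the sample mailboxes are constructed.
"""
import hmac
from dataclasses import dataclass


@dataclass
class Mailbox:
    box: str
    pin: str
    ever_used: bool  # False for boxes created by default and never claimed


def weak_pin_reasons(pin: str, box: str = "") -> list:
    """Return why a PIN is guessable; an empty list means no pattern matched."""
    if not pin.isdigit():
        return ["not numeric"]
    reasons = []
    if len(set(pin)) == 1:
        reasons.append("repeated digit")          # 1111, 9999, 22222222
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        reasons.append("sequential run")          # 1234, 4321
    if box and pin == box:
        reasons.append("same as box number")
    if box and pin == box[::-1]:
        reasons.append("box number reversed")
    return reasons


def audit(mailboxes) -> dict:
    """Map box number -> findings for every mailbox that needs attention."""
    findings = {}
    for m in mailboxes:
        reasons = weak_pin_reasons(m.pin, m.box)
        if not m.ever_used:
            reasons.append("unused box: disable until assigned")
        if reasons:
            findings[m.box] = reasons
    return findings


class LoginGuard:
    """Lock a box after max_failures consecutive bad PINs, so guessing stops early."""

    def __init__(self, pins: dict, max_failures: int = 3):
        self.pins = pins
        self.max_failures = max_failures
        self.failures = {}

    def attempt(self, box: str, pin: str) -> str:
        if self.failures.get(box, 0) >= self.max_failures:
            return "locked"                       # even the right PIN is refused
        stored = self.pins.get(box, "")
        # compare_digest avoids leaking how many leading digits matched
        if stored and hmac.compare_digest(stored.encode(), pin.encode()):
            self.failures[box] = 0
            return "ok"
        self.failures[box] = self.failures.get(box, 0) + 1
        return "denied"                           # same answer for unknown boxes


# Constructed sample data, not real mailboxes.
SAMPLE = [
    Mailbox("0013", "0013", ever_used=False),
    Mailbox("2417", "7142", ever_used=True),
    Mailbox("3306", "1234", ever_used=True),
    Mailbox("5821", "9999", ever_used=True),
    Mailbox("6140", "8305", ever_used=True),
]

if __name__ == "__main__":
    for box, reasons in audit(SAMPLE).items():
        print(box, "->", ", ".join(reasons))
```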

			****    	                    ****
			****          General Tips          ****
			****     			    ****

One of the most common tricks is to find the four wires inside the main cable going to the handset (from the main box), and find the wire that can be cut without affecting your dialtone. Cut it (surprisingly enough), put some credit in and your call should last as long as you want.

If your phone system uses a modular jack like many do (see fig 2.1), then you can make a line monitor like this:

fig 2.1			        |¯|¯|¯|¯|¯||
				| | | | | || 
				|         || 
				|         |\\   <<< Jack plug
				|         | \\
				|         |  \\
				   |  |
     				   |  |  <<< Main Cable
				   |  |
				  / || \   <<< 4 separate wires
			         / /  \ \
			        1  2  3  4

There should be 4 wires. If they are the same as in Britain, there will be a green one, a red one and two others (often black and white), or possibly orange, blue and two others, otherwise, it should be constant Blue and dotted blue and orange and dotted orange. Either way, we want the red and green, the blue and orange, or the dotted blue and constant blue. (If you have orange, blue and dotted orange and dotted blue, you use the two blues). Now. *Huff* *Puff*. Once you have the two wires you are looking for, (attached to a jack plug, one end, bare wires the other) you will need a 33K ohm resistor, and two LEDs (preferably one red and one green).
If you have all these, connect them up like so: (Wires 1 and 4 are inter-changeable. Make sure the LEDs are the right way around. I recommend soldering them, or use a small piece of breadboard).

1   ----------------[33k]----------o----------------o
				   |                |
				   |                |
				 + |              - |
				   X  <<<<<<<<<<<<  X  <<< LEDs
				 - |              + |
				   |                |
				   |                |
4   -------------------------------o----------------o

Depending on the way you have connected the wires, the LEDs may vary (try loosely joining them, then testing it and swap the LEDs around if they are wrong). But this will always be the way it functions:

	|  Phone Status	   |	  LED 1	       |	LED 2	    |
	|		   |     (Green)       |        (Red)       |
	|      In Use	   |	   Dim	       |	 Off        |
	|    Not in Use	   |	  Bright       |	 Off        |
	|     Ringing	   |     Flashing      |       Flashing     |

You can quickly tell which side of an LED is negative in one of two ways:

If it is new, the negative leg will be longer.
Otherwise, hold it up to the light, see fig 2.2

		       / ¯¯¯¯¯¯¯ \
                     /¯           ¯\
                   /¯      \\\      ¯\ 
		  |     /  \\\\\      |
                  |    //  \\\\\\     |
                  |    ||      ||     |
		  |    ||      ||     |
		  |    ||      ||     |
                       ||      ||
                       ||      ||
                     + ||      ||  -
                       ||      ||

OK so it's a crap drawing... but still, I'd like to see you draw an LED in notepad!
Note that the negative side is the larger metal terminal (Cathode) inside the diode, it leans in further, and the negative leg is longer.

You can also try Redboxing if you have a digital (small) recording system handy. eg. Dictaphone.
You need to go up to a phone box, hold the microphone up to the earpiece, then put in a credit - recording the sound it makes. Now hang up, and try playing it back into the mouthpiece. If it gives you credit, you can use this method anytime.

Blueboxing is also worth trying. Do a websearch on Bluebox +*Name of your country* +Tones. The section on blueboxing earlier on should help you but the tones vary with different countries so I can't help you there. If you are in the USA or another advanced culture then I doubt you will be able to bluebox in your own country. Read the earlier section and experiment.

VMB phreaking (as explained earlier) also works in most countries, but the numbers you'll have to find out yourself.

If you need to call someone internationally but don't have the money, find a time which would be convenient for them, but night time for you, and go exploring around phone poles and people's houses, see if you can find somewhere to plug in a phone or beige box (eeuughhh).

I hope you have learned something from this and it has helped you in some way or another.

Thanks to:
The Tutorial by Pharlin J Hack
-= UphreaK =-
Some guy called Neil
And everyone else I forgot to mention.

Any questions, or comments or anything else, contact me at:

