
Phreaker's Phunhouse - introduction to phreaking

		       /-/			     /-/
		       /-/	Phreaker's	     /-/
		       /-/	 PhunHouse	     /-/
		       /-/			     /-/
		       /-/   By:		     /-/
		       /-/       The Traveler	     /-/
		       /-/			     /-/
    The long awaited prequel to Phreaker's Guide has finally arrived.
Conceived from the boredom and loneliness that could only be derived from:
The Traveler!  But now, he has returned in full strength (after a small
vacation) and is here to 'World Premiere' the new files everywhere. Stay
cool. This is the prequel to the first one, so just relax. This is not made
to be an exclusive ultra elite file, so kinda calm down and watch in the
background if you are too cool for it.
/-/   Phreak Dictionary   /-/
     Here you will find some of the basic but necessary terms that should be
known by any phreak who wants to be respected at all.
	 Phreak   : 1. The action of using mischievous and mostly illegal
		       ways in order to not pay for some sort of tele-
		       communications bill, order, transfer, or other service.
		       It often involves usage of highly illegal boxes and
		       machines in order to defeat the security that is set
		       up to avoid this sort of happening. [fr'eaking]. v.

		    2. A person who uses the above methods of destruction and
		       chaos in order to make a better life for all.  A true
		       phreaker will not go against his fellows or narc
		       on people who have ragged on him or do anything
		       termed to be dishonorable to phreaks. [fr'eek]. n.

		    3. A certain code or dialup useful in the action of
		       being a phreak. (Example: "I hacked a new metro
		       phreak last night.")
 Switching System : 1. There are 3 main switching systems currently employed
		       in the US, and a few other systems will be mentioned
		       as background.

		    A) SxS: This system was invented in 1918 and was
		       employed in over half of the country until 1978. It
		       is a very basic system that is a general waste of
		       energy and hard work on the linesman. A good way to
		       identify this is that it requires a coin in the phone
		       booth before it will give you a dial tone, or that no
		       call waiting, call forwarding, or any other such
		       service is available.  Stands for: Step by Step

		    B) XB: This switching system was first employed in 1978
		       in order to take care of most of the faults of SxS
		       switching.  Not only is it more efficient, but it
		       also can support different services in various forms.
		       XB1 is Crossbar Version 1. That is very limited and
		       is hard to distinguish from SxS except by direct view
		       of the wiring involved. Next up was XB4, Crossbar
		       Version 4. With this system, some of the basic things
		       like DTMF that were not available with SxS can be
		       accomplished. For the final stroke of XB, XB5 was
		       created. This is a service that can allow DTMF plus
		       most 800 type services (which were not always
		       available.) Stands for: Crossbar.

		    C) ESS: A nightmare in telecom. In vivid color, ESS is
		       a pretty bad thing to have to stand up to. It is
		       quite simple to identify. Dialing 911 for emergencies,
		       and ANI [see ANI below] are the most common facets of
		       the dread system. ESS has the capability to list in a
		       person's caller log what number was called, how long
		       the call took, and even the status of the conversation
		       (modem or otherwise.) Since ESS has been employed,
		       which has been very recently, it has gone through
		       many kinds of revisions. The latest system to date is
		       ESS 11a, that is employed in Washington D.C. for
		       security reasons. ESS is truly trouble for any
		       phreak, because it is 'smarter' than the other
		       systems. For instance, if on your caller log they saw
		       50 calls to 1-800-421-9438, they would be able to do
		       a CN/A [see Loopholes below] on your number and
		       determine whether you are subscribed to that service
		       or not. This makes most calls a hazard, because
		       although 800 numbers appear to be free, they are
		       recorded on your caller log and then right before you
		       receive your bill it deletes the billings for them.
		       But before that they are open to inspection, which is
		       one reason why extended use of any code is dangerous
		       under ESS. Some of the boxes [see Boxing below] are
		       unable to function in ESS.  It is generally a menace
		       to the true phreak. Stands For: Electronic Switching
		       System. Because they could appear on a filter
		       somewhere or maybe it is just nice to know them

		       A) SSS: Strowger Switching System. First
			  non-operator system available.

		       B) WES: Western Electronics Switching. Used about 40
			  years ago with some minor places out west.

	    Boxing:  1) The use of personally designed boxes that emit or
			cancel electronic impulses that allow simpler
			acting while phreaking. Through the use of separate
			boxes, you can accomplish most feats possible with
			or without the control of an operator.

		     2) Some boxes and their functions are listed below.
			Ones marked with '*' indicate that they are not
			operable in ESS.

		      *Black Box: Makes it seem to the phone company that
				  the phone was never picked up.
		      Blue Box  : Emits a 2600hz tone that allows you to do
				  such things as stack a trunk line, kick
				  the operator off line, and others.
			Red Box : Simulates the noise of a quarter, nickel,
				  or dime being dropped into a payphone.
		     Cheese Box : Turns your home phone into a pay phone to
				  throw off traces (a red box is usually
				  needed in order to call out.)
		     *Clear Box : Gives you a dial tone on some of the old
				  SxS payphones without putting in a coin.
		      Beige Box : A simpler produced linesman's handset that
				  allows you to tap into phone lines and
				  extract by eavesdropping, or crossing
				  wires, etc.
		     Purple Box : Makes all calls made out from your house
				  seem to be local calls.

	  ANI [ANI]: 1) Automatic Number Identification. A service
			available on ESS that allows a phone service [see
			Dialups below] to record the number that any certain
			code was dialed from along with the number that was
			called and print both of these on the customer bill.
			950 dialups [see Dialups below] are all designed
			just to use ANI. Some of the services do not have
			the proper equipment to read the ANI impulses yet,
			but it is impossible to see which is which without
			being busted or not busted first.

 Dialups [dy'l'ups]: 1) Any local or 800 extended outlet that allows instant
			access to any service such as MCI, Sprint, or AT&T
			that from there can be used by handpicking or using
			a program to reveal other people's codes which can
			then be used moderately until they find out about
			it and you must switch to another code (preferably
			before they find out about it.)

		     2) Dialups are extremely common on both senses. Some
			dialups reveal the company that operates them as
			soon as you hear the tone. Others are much harder
			and some you may never be able to identify.  A small
			list of dialups:

			     1-800-421-9438 (5 digit codes)
			     1-800-547-6754 (6 digit codes)
			     1-800-345-0008 (6 digit codes)
			     1-800-734-3478 (6 digit codes)
			     1-800-222-2255 (5 digit codes)

		     3) Codes: Codes are very easily accessed procedures
			when you call a dialup. They will give you some sort
			of tone.  If the tone does not end in 3 seconds,
			then punch in the code and immediately following the
			code, the number you are dialing but strike the
			'1' in the beginning out first. If the tone does
			end, then punch in the code when the tone ends.
			Then, it will give you another tone.  Punch in the
			number you are dialing, or a '9'. If you punch in
			a '9' and the tone stops, then you messed up a
			little. If you punch in a tone and the tone
			continues, then simply dial the number you are
			calling without the  '1'.

		     4) All codes are not universal. The only type that I
			know of that is truly universal is Metrophone.
			Almost every major city has a local Metro dialup
			(for Philadelphia, (215)351-0100/0126) and since the
			codes are universal, almost every phreak has used
			them once or twice. They do not employ ANI in any
			outlets that I know of, so feel free to check
			through your books and call 555-1212 or, as a more
			devious manner, subscribe yourself. Then, never use
			your own code. That way, if they check up on you due
			to your caller log, they can usually find out that
			you are subscribed.  Not only that but you could set
			a phreak hacker around that area and just let it
			hack away, since they usually group them, and, as a
			bonus, you will have their local dialup.

		     5) 950's. They seem like a perfectly cool phreaker's
			dream. They are free from your house, from payphones,
			from everywhere, and they host all of the major long
			distance companies (950-1044 <MCI>, 950-1077
			<Sprint>, 950-1088 <Skylines>, 950-1033 <Us
			Telecom>.) Well, they aren't. They were designed for
			ANI. That is the point, end of discussion.
     A phreak dictionary. If you remember all of the things contained on
that file up there, you may have a better chance of doing whatever it is you
do. This next section is maybe a little more interesting...
Blue Box Plans:
     These are some blue box plans, but first, be warned, there have been
2600hz tone detectors out on operator trunk lines since XB4. The idea behind
it is to use a 2600hz tone for a few very naughty functions that can really
make your day lighten up. But first, here are the plans, or the heart of the

700  :   1   :   2   :   4   :   7   :  11   :
900  :   +   :   3   :   5   :   8   :  12   :
1100 :   +   :   +   :   6   :   9   :  KP   :
1300 :   +   :   +   :   +   :  10   :  KP2  :
1500 :   +   :   +   :   +   :   +   :  ST   :
     : 700   : 900   :1100   :1300   :1500   :
     Stop! Before you diehard users start piecing those little tone tidbits
together, there is a simpler method. If you have an Apple-Cat with a
program like Cat's Meow IV, then you can generate the necessary tones, the
2600hz tone, the KP tone, the KP2 tone, and the ST tone through the dial
section. So if you have that I will assume you can boot it up and it works,
and I'll do you the favor of telling you and the other users what to do with
the blue box now that you have somehow constructed it. The connection to an
operator is one of the most well known and used ways of having fun with your
blue box. You simply dial a TSPS (Traffic Service Positioning Station, or
the operator you get when you dial '0') and blow a 2600hz tone through the
line. Watch out! Do not dial this direct! After you have done that, it is
quite simple to have fun with it. Blow a KP tone to start a call, a ST tone
to stop it, and a 2600hz tone to hang up. Once you have connected to it,
here are some fun numbers to call with it:

      0-700-456-1000  Teleconference (free, because you are the operator!)
      (Area code)-101 Toll Switching
      (Area code)-121 Local Operator (hehe)
      (Area code)-131 Information
      (Area code)-141 Rate & Route
      (Area code)-181 Coin Refund Operator
      (Area code)-11511 Conference operator (when you dial 800-544-6363)

     Well, those were the tone matrix controllers for the blue box and some
other helpful stuff to help you to start out with. But those are only the
functions with the operator. There are other k-fun things you can do with it.

 More advanced Blue Box Stuff:

     Oops. Small mistake up there. I forgot tone lengths. Um, you blow a
tone pair out for up to 1/10 of a second with another 1/10 second for silence
between the digits. KP tones should be sent for 2/10 of a second. One way to
confuse the 2600hz traps is to send pink noise over the channel (for all of
you that have decent BSR equalizers, there is major pink noise in there.)

     Using the operator functions is the use of the 'inward' trunk line.
That is working it from the inside. From the 'outward' trunk, you can do such
things as make emergency breakthrough calls, tap into lines, busy all of the
lines in any trunk (called 'stacking'), enable or disable the TSPS's, and
for some 4a systems you can even re-route calls to anywhere.
     All right. The one thing that every complete phreak guide should be
without is blue box plans, since they were once a vital part of phreaking.
Another thing that every complete file needs is a complete listing of all of
the 800 numbers around so you can have some more Fun
 /-/   800 Dialup Listings  /-/
1-800-345-0008 (6)   1-800-547-6754 (6)
1-800-245-4890 (4)   1-800-327-9136 (4)
1-800-526-5305 (8)   1-800-858-9000 (3)
1-800-437-9895 (7)   1-800-245-7508 (5)
1-800-343-1844 (4)   1-800-322-1415 (6)
1-800-437-3478 (6)   1-800-325-7222 (6)
     All right, set Cat Hacker 1.0 on those numbers and have a fuck of a
day. That is enough with 800 codes, by the time this gets around to you I
dunno what state those codes will be in, but try them all out anyways and
see what you get. On some 800 services now, they have an operator who will
answer and ask you for your code, and then your name. Some will switch back
and forth between voice and tone verification, you can never be quite sure
which you will be up against.

     Armed with this knowledge you should be having a pretty good time
phreaking now. But class isn't over yet, there are still a couple important
rules that you should know. If you hear continual clicking on the line, then
you should assume that an operator is messing with something, maybe even
listening in on you. It is a good idea to call someone back when the phone
starts doing that. If you were using a code, use a different code and/or
service to call him back.

     A good way to detect if a code has gone bad or not is to listen when
the number has been dialed. If the code is bad you will probably hear the
phone ringing more clearly and more quickly than if you were using a
different code.  If someone answers voice to it then you can immediately
assume that it is an operative for whatever company you are using. The famed
'311311' code for Metro is one of those. You would have to be quite stupid
to actually respond, because whoever you ask for the operator will always
say 'He's not in right now, can I have him call you back?' and then they
will ask for your name and phone number. Some of the more sophisticated
companies will actually give you a carrier on a line that is supposed to
give you a carrier and then just have garbage flow across the screen like it
would with a bad connection. That is a feeble effort to make you think that
the code is still working and maybe get you to dial someone's voice, a good
test for the carrier trick is to dial a number that will give you a carrier
that you have never dialed with that code before, that will allow you to
determine whether the code is good or not. For our next section, a lighter
look at some of the things that a phreak should not be without. A vocabulary.
A few months ago, it was a quite strange world for the modem people out
there. But now, a phreaker's vocabulary is essential if you wanna make a
good impression on people when you post what you know about certain subjects.
 /-/    Vocabulary    /-/
 - Do not misspell except certain exceptions:

	     phone -> fone
	     freak -> phreak

 - Never substitute 'z's for 's's. (i.e. codez -> codes)

 - Never leave many characters after a post (i.e. Hey Dudes!#!@#@!#!@)

 - NEVER use the 'k' prefix (k-kool, k-rad, k-whatever)

 - Do not abbreviate. (I got lotsa wares w/ docs)

 - Never substitute '0' for 'o' (r0dent, l0zer).

 - Forget about ye old upper case, it looks ruggyish.
     All right, that was to relieve the tension of what is being drilled
into your minds at the moment.  Now, however, back to the teaching course.
Here are some things you should know about phones and billings for phones:
     LATA: Local Access Transference Area. Some people who live in large
cities or areas may be plagued by this problem. For instance, let's say you
live in the 215 area code under the 542 prefix (Ambler, Fort Washington). If
you went to dial in a basic Metro code from that area, for instance,
351-0100, that might not be counted under unlimited local calling because it
is out of your LATA.  For some LATA's, you have to dial a '1' without the
area code before you can dial the phone number. That could prove a hassle
for us all if you didn't realize you would be billed for that sort of call.
In that way, sometimes, it is better to be safe than sorry and phreak.

     The Caller Log: In ESS regions, for every household around, the phone
company has something on you called a Caller Log. This shows every single
number that you dialed, and things can be arranged so it showed every number
that was calling to you. That's one main disadvantage of ESS, it is mostly
computerized so a number scan could be done like that quite easily. Using a
dialup is an easy way to screw that, and is something worth remembering.
Anyways, with the caller log, they check up and see what you dialed. Hmm...
you dialed 15 different 800 numbers that month. Soon they find that you are
subscribed to none of those companies. But that is not the only thing. Most
people would imagine "But wait! 800 numbers don't show up on my phone
bill!". To those people, it is a nice thought, but 800 numbers are picked up
on the caller log until right before they are sent off to you. So they can
check right up on you before they send it away and can note the fact that
you fucked up slightly and called one too many 800 lines.
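
The caller-log review described above and in the ESS entry, sketched as an added example (not part of the original file, and not any phone company's actual system): it flags lines that dial carrier access numbers without a matching subscription. The record layout, the 555 numbers, the carrier names and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CallRecord:
    line: str      # originating subscriber line
    dialed: str    # number dialed
    seconds: int   # call duration


# Constructed reference data (assumptions, not real numbers or carriers).
ACCESS_NUMBERS = {
    "800-555-0101": "CarrierA",
    "800-555-0102": "CarrierB",
    "800-555-0103": "CarrierC",
}
SUBSCRIPTIONS = {"215-555-0140": {"CarrierA"}}

# Assumed review thresholds.
MAX_DISTINCT_UNSUBSCRIBED = 2   # carriers dialed without a subscription
MAX_CALLS_PER_CARRIER = 20      # calls to one unsubscribed carrier
SHORT_CALL_SECONDS = 30         # too short to be a completed conversation
SHORT_CALL_RATIO = 0.8          # share of short calls that suggests code guessing


def review_caller_log(records, access_numbers, subscriptions):
    """Return {line: [reasons]} for lines whose toll-free usage merits review.

    Runs on the full log, i.e. before toll-free entries are dropped from the bill.
    """
    per_line = defaultdict(lambda: defaultdict(list))
    for rec in records:
        carrier = access_numbers.get(rec.dialed)
        if carrier is not None:            # ignore ordinary calls
            per_line[rec.line][carrier].append(rec.seconds)

    findings = {}
    for line, by_carrier in per_line.items():
        subscribed = subscriptions.get(line, set())
        unsub = {c: d for c, d in by_carrier.items() if c not in subscribed}
        reasons = []
        if len(unsub) > MAX_DISTINCT_UNSUBSCRIBED:
            reasons.append(f"{len(unsub)} carriers dialed without a subscription")
        for carrier, durations in sorted(unsub.items()):
            short = sum(1 for s in durations if s < SHORT_CALL_SECONDS)
            if (len(durations) > MAX_CALLS_PER_CARRIER
                    and short / len(durations) > SHORT_CALL_RATIO):
                reasons.append(
                    f"{len(durations)} calls to {carrier}, "
                    f"{short} under {SHORT_CALL_SECONDS}s"
                )
        if reasons:
            findings[line] = reasons
    return findings


def sample_log():
    """Constructed caller log covering four kinds of subscriber line."""
    log = []
    # Legitimate subscriber making many long calls through their own carrier.
    log += [CallRecord("215-555-0140", "800-555-0101", 300) for _ in range(50)]
    # Unsubscribed line making many very short calls to one access number.
    log += [CallRecord("215-555-0141", "800-555-0102", 12) for _ in range(50)]
    # Unsubscribed line touching three different carriers once each.
    log += [CallRecord("215-555-0142", n, 200) for n in ACCESS_NUMBERS]
    # Ordinary line: one access call and one normal local call.
    log += [CallRecord("215-555-0143", "800-555-0103", 600),
            CallRecord("215-555-0143", "215-555-0199", 90)]
    return log


if __name__ == "__main__":
    for line, reasons in review_caller_log(
            sample_log(), ACCESS_NUMBERS, SUBSCRIPTIONS).items():
        print(line, "->", "; ".join(reasons))
```
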
     Right now, after all of that, you should have a pretty good idea of how
to grow up as a good phreak. Follow these guidelines, don't show off, and
don't take unnecessary risks when phreaking or hacking.
File Level:5
  /-/    Credits   /-/
 To The Videosmith  - for setting me straight on some shit.
 To The Linesman    - for telling me to upload it to his AE line.
 To Modern Mutant   - for making me into a phreaking freak.
 To Jack the Nibbler- for the basis of the blue box plans.
 |      Bulletin Board List	   |
 |     ---------------------       |
 |  Sirius Cybernetic's BBSystem   |
 |      808-521-3306  40megs       |
The Traveler
*******  Agent Berg's course in  ******
*                                     *
*      ==========================     *
*      ==========================     *
*               PART I                *


In part I, we will explore the various special Bell #'s, such as:  CN/A,
AT&T Newslines, loops, 99XX #'s, ANI, ringback, and a few others.


CN/A, which stands for Customer Name and Address, are bureaus that exist so
that authorized Bell employees can find out the name and address of any
customer in the Bell System.  All #'s are maintained on file including
unlisted #'s.

Here's how it works:

 1) You have a # and you want to find out who owns it, e.g. (914) 555-1234.

 2) You look up the CN/A # for that NPA in the list below.  In the example, the
NPA is 914 and the CN/A # is 518-471-8111.

 3) You then call up the CN/A # (during business hours) and say something like,
"Hi, this is John Jones from the residential service center in Miami.  Can
I have the customer's name at 914-555-1234.  That # is 914-555-1234."  Make
up your own REAL sounding name, though.

 4) If you sound natural & cheery, the operator will ask no questions.

Here's the list:

NPA     CN/A #       NPA     CN/A #
---  ------------    ---  ------------
201  201-676-7070    517  313-232-8690
202  202-384-9620    518  518-471-8111
203  203-789-6800    519  416-487-3641
204  ****N/A*****    601  601-961-0877
205  205-988-7000    602  303-232-2300
206  206-382-8000    603  617-787-2750
207  617-787-2750    604  604-432-2996
208  303-232-2300    605  402-345-0600
209  415-546-1341    606  502-583-2861
212  518-471-8111    607  518-471-8115
213  213-501-4144    608  414-424-5690
214  214-948-5731    609  201-676-7070
215  412-633-5600    612  402-345-0600
216  614-464-2345    613  416-487-3641
217  217-525-7000    614  614-464-2345
218  402-345-0600    615  615-373-5791
219  317-265-7027    616  313-223-8690
301  301-534-1168    617  617-787-2750
302  412-633-5600    618  217-525-7000
303  303-232-2300    701  402-345-0600
304  304-344-8041    702  415-546-1341
305  912-784-9111    703  804-747-1411
306  ****N/A*****    704  912-784-9111
307  303-232-2300    705  416-487-3641
308  402-345-0600    707  415-546-1341
309  217-525-7000    709  ****N/A*****
312  312-769-9600    712  402-345-0600
313  313-223-8690    713  713-658-1793
314  314-436-3321    714  213-995-0221
315  518-471-8111    715  414-424-5690
316  816-275-2782    716  518-471-8111
317  317-265-7027    717  412-633-5600
318  318-227-1551    801  303-232-2300
319  402-345-0600    802  617-787-2750
401  617-787-2750    803  912-784-9111
402  402-345-0600    804  804-747-1411
403  403-425-2652    805  415-546-1341
404  912-784-9111    806  512-828-2502
405  405-236-6121    807  416-487-3641
406  303-232-2300    808  212-226-5487
408  415-546-1341         Bermuda Only
412  412-633-5600    809  212-334-4336
413  617-787-2750    812  317-265-7027
414  414-424-5690    813  813-228-7871
415  415-546-1132    814  412-633-5600
416  416-487-3641    815  217-525-7000
417  314-436-3321    816  816-275-2782
418  514-861-6391    817  214-948-5731
419  614-464-2345    819  514-861-6391
501  405-236-6121    901  615-373-5791
502  502-583-2861    902  902-421-4110
503  503-241-3440    903  ****N/A*****
504  504-245-5330    904  912-784-9111
505  303-232-2300    906  313-223-8690
506  506-657-3855    907  ****N/A*****
507  402-345-0600    912  912-784-9111
509  206-382-8000    913  816-275-2782
512  512-828-2501    914  518-471-8111
513  614-464-2345    915  512-828-2501
514  514-861-6391    916  415-546-1341
515  402-345-0600    918  405-236-6121
516  518-471-8111    919  912-784-9111

Bell uses these #'s mainly to find out who owns a # that a customer claims he
never called.

NOTE:	This is the most complete list of CN/A #'s in my possession
	(with only 5 #'s not available).  This list was copyrighted in
	1982 by "Judas Gerard" as it originally appeared in TAP issue
	#78.  (TAP, Room 603, 147 W 42nd St, New York, NY 10036--
	Subscriptions $10/yr.)


Newslines are recordings that Bell employees call up to find out the latest
info on stock, technology, etc. concerning the Bell System.

Here are the #'s that are currently known to phreaks (at least me, anyway):

201-483-3800 NJ        513-421-9060 OH
203-771-4920 CT        516-234-9914 NY
212-393-2151 NY        518-471-2272 NY
213-621-4141 CA        617-955-1111 MA
213-829-0111 CA (GTE)  702-789-6711 NV
213-449-8830 CA        713-224-6116 TX
312-368-8000 IL        714-238-1111 CA
313-223-7223 MI        717-255-5555 PA
314-247-5511 MO        717-787-1031 PA
408-493-5000 CA        802-955-1111 VE
412-633-3333 PA        808-533-4426 HI
414-678-3511 WI        813-223-5666 FL
416-929-4323 ONT.      914-948-8100 NY
503-228-6271 OR        916-480-8000 CA


First of all, you must understand the concept of loops.  I think that the
best way that this is understood is the way that Phred Phreek explained it...

"No self-respecting Phone Phreak can go through life without knowing what a
loop is, how to use one, and the types that are available.  The loop is a
great alternative communication medium that has many potential uses that
haven't even been tapped yet.  In order to explain what a loop is, it
would be helpful to visualize two phone numbers (lines) just floating around in
the Telco central office (CO).  Now, if you (and a friend perhaps) were to call
these two numbers at the same time, POOOOFFFF!!!, you are now connected
together.  I hear what you're saying out there..., "Big deal" or "Why should
Ma Bell collect her two MSU'S (message units) for one lousy phone call!?"
Well... think again.  Haven't you ever wanted someone to call you back but,
were reluctant to give out your home phone number (like the last time you
tried to get your friend's unlisted # from the business office)?  Or how
about a collect call to your friend waiting on a loop, who will gladly
accept the charges?  Or better yet, stumbling upon a loop that you discover
that has multi-user capability (for those late-night conferences).  Best of
all is finding a non-supervised loop that doesn't charge any MSU's or tolls
to one or both parties.  Example:  many moons ago, a loop affectionately known
as 'the 332 Loop' was non-sup (ie, non-supervised) on the tone side.  I had my
friend in California dial the free (non-sup) side, (212) 332-9906 and I
dialed the side that charged, 332-9900. As you can see, I was charged one MSU,
and my friend was charged zilch, for as long as we wished to talk!!!"


"Ahhh...have I perked your interest yet? If so, here is how to find a loop of
your very own.  First, do all of your loop searching at NIGHT!  This is because
the loops serve a genuine test function which Telco uses during the day.  (We
don't want to run into an irate lineman now, do we?)  To find a loop, having 2
#'s is a definite plus.  If not, have a friend to dial #'s at his location.
Last resort, try dialing from two adjacent pay phones. Now get your trusty
white pages (*), and turn to the page where it lists the # of MSU's from your
exchange (or exchanges in your primary calling area) The idea is to find a loop
that is within your primary calling area or is only 1 MSU in your area (call
area A).  This is so you don't go bankrupt trying to find a loop.  Write down
all of these exchanges and do a 99XX scan of those exchanges (99XX scanning
will be discussed shortly).

Before we get up to 99XX scanning, we will look at some other loop info:

Loops are found in pairs which are usually close to each other.  For example, in
NPA 212, where the infamous loops are found, there is a standard loop format:

Manhattan & Bronx-------NNX-9977/9979
Brooklyn & Queens-------NNX-9900/9906

NNX is the exchange to be scanned.  Here are some loops that have been found in
NYC.  These are used mostly by Phreaks and call-in lines for pirate radio

212-220-9900/9906			212-283-9977/9979
212-352-9900/9906			212-365-9977/9979
212-529-9900/9906			212-562-9977/9979
212-982-9977/9979			212-986-9977/9979

The lower # is the tone side (singing switch).  The higher # is always silent.
The tone disappears on the lower # when somebody dials in the other side of the
loop.  If you are on the higher #, you'll have to listen to the clicks to see
if somebody dialed-in.  The NYC 982 & 986 loops are different from others.
Usually when you park on a loop, you will hear whoever calls in on the other
half.  When they're done, the next caller (if any) will be queued in, one after
another.  On the NYC 982 & 986, you sometimes can't get any more callers in
after the first. Furthermore, if you park one of these loops and there is
nobody on the other end for more than 4 minutes, you may be automatically
disconnected. These loops are good for back-up purposes when all other loops
are busy.

99XX Scanning:

Most every exchange in the Bell System has a wide variety of test #'s and
other "goodies," such as loops.

These "goodies" are usually found between 9900 and 9999 in your local exchange.
If you have the time and initiative, scan your exchange and you may become

Here are my findings in the 914-268:

9901 - Verification (recording of a/c
       and exchange)
9936 - Voice # to the Telco CO
9937 - Voice # to the Telco CO
9941 - Carrier
9960 - Osc. Tone (tone side loop)
9963 - Tone (stops:  muted)
9966 - Carrier
9968 - Tone that disappears--responds
       to certain touch-tone keys

Most of the #'s between 9900 & 9999 will ring, be busy, go to a special
intercept operator ("what #, please?"), or will go to a "the # you have
reached..." recording.  What you find depends upon the switching equipment in
the exchange and the Telco operating company.

When searching for loops, you may find one of the following possibilities when
you find one:

1.  You can hear through the loop (not muted), but there is a 1/2 second
    click every 10 seconds that interrupts the audio.  This type is good for
    back-up use but the %$#'&" click is super annoying.

2.  One side of the loop is busy; try it again later.

3.  The tone disappears, but you cannot hear through it (the loop is muted,
    try again in a month or so)

4.  You get "The # you have reached recording."  No loop there!

Most loops are muted (#3), but their status does change from time-to-time.
It all depends if the Telco maintenance personnel remember to "throw the
switch", ie, turn off the loop.

Since I have done the above 914-268 99XX scan, Congers (268) has installed new
switching equipment (DMS100).  Some of the numbers are the same, but I have
noticed that on the DMS100, the recordings are also stored in this area.  268-
9903, 9906, 9909, & 9912 are all different recordings.  Also, there are 2
fortress fone recordings at 268-9911 (deposit 5 cents or else) and 268-
9913 (deposit 10 cents).  None of these recordings supe and a lot of other 99XX
#'s don't supe either.

In some areas (like MD), 9906-7 is ringback.  In Washington, there is a
sweep tone test at (202) 560-9944.  In NYC (212), you'll find the infamous
loop lines (as mentioned above).

It will be easier to scan your exchange if you make up a chart like the one

           805-NXX-99XX SCAN

!99X X>:0 :1 :2 :3 :4 :5 :6 :7 :8 :9 !
!990   :  :  :  :  :  :  :  :  :  :  !
!991   :  :  :  :  :  :  :  :  :  :  !
!992   :  :  :  :  :  :  :  :  :  :  !
!993   :  :  :  :  :  :  :  :  :  :  !
!994   :  :  :  :  :  :  :  :  :  :  !
!995   :  :  :  :  :  :  :  :  :  :  !
!996   :  :  :  :  :  :  :  :  :  :  !
!997   :  :  :  :  :  :  :  :  :  :  !
!998   :  :  :  :  :  :  :  :  :  :  !
!999   :  :  :  :  :  :  :  :  :  :  !

This leaves you with 100 boxes (1 for each # between 9900 & 9999).  You
should make your boxes big enough so you can write some sort of shorthand in
them.  For example:

B - busy   (try again at another time)
R - rings  (try again at another time)
O - intercept operator ("what # you calling?")
R1- recording 1 (make a margin note of the types of recordings you get)
T - tone   ] tone at a lower # + ignore
I - ignore ] at a higher # = loop
V - voice # to Telco CO - they usually answer with the city name or area.
C - carrier

There will be others and you should use other characters that you can

Now, back to loops!  As you may have noticed in my 914-268 scan, I found a
muted loop and a tone side.  914-268 failed to come up with the silent side
of a loop!  Therefore, there is no loop in that exchange.  I then scanned
another exchange in my primary calling area (914-634) and I found a loop!!

    (914) 634-9923/9924

So, if at first you don't succeed, move onto another exchange.

If you use the box method that I have outlined above, you will see a T & I
next to each other for a loop.

Some exchanges are special.  For example, 914-623 is a testing bureau.  In this
exchange, not only did I find a loop, but I also found several interesting
tones, noises, and other test functions. Also, the more important the exchange
is, the more you will find. For example, in 914-623, I found well over 10 voice

Also, loops are usually, but not exclusively, found in the 99XX series.  For

    (713) 324-1799/1499

is a loop.

The perfect loop?  Here is what I would look for:

 1.  Non-sup on one or both sides.  To check for a non-sup loop, go to a
     tone-first fortress fone and dial the #.  If it asks for a dime, it
     is supervised.  If the call goes through, then it is non-suped!

 2.  800 loops would be a plus.  They are not necessarily found between
     9900 & 9999 though.  I would check the 1XXX series first.

 3.  Multi-user loops are also a plus for those late night conferences.

Finally, remember it is only a local call to find out what your CO has in store
for you.  If you find anything interesting, be sure to drop me a line.

NOTE:	Your local white pages can be a valuable asset.  You can also order
	other fone books from your business office (usually free for books
	within your operating company's district).  A large fone book, such as
	Manhattan, contains much more info in the first few pages than other


Automatic Number Identification (ANI) is a number that you call up that will
tell you what # you are calling from.

This has a few uses.  First, were you ever somewhere and the fone didn't have
a # printed on it?  Or perhaps you were fooling around in some cans (those
large boxes on fone poles that contain terminals for lineman use--to be
discussed in a future chapter.) and you want to know what the line # is.

In NPA 914, the ANI is 990.  In NPA's 212 & 516, ANI is 958.  This varies from
area to area.

Here are some other ANI's that I have seen:

1-XXX-1111  (in some 914 areas, esp. under SxS switching equipment, you
            have to dial 1-990-1111)

To find ANI for other areas, check 3 digits #'s first, usually in the 9XX
series (excluding 911).  In areas under step-by-step (to be discussed in the
next part), try 1-9XX-1111.

ANI may also be in 99XX.  Last resort, try to get friendly with your neighbor
who works for the fone company.


Ringback, as its name implies, calls back the # you are at when you dial the
ringback #.

Ringback, in NPA 914, is 660.  You dial 660+the last 4 digits of the fone.  You
will then get a tone, hang-up quickly and pick-up in about 2 seconds.  You will
then get a second tone, hang-up again and the fone will ring.

In NYC, it is also 660, but you may have to press 6 or 7 before you hang up for
the first time (ie, at the first tone).

Other ringback #'s that I have seen are:

26011 -	This 5 digit format is used primarily on step-by-step.  The last 2
	digits (11) are dummy digits.

890-897-XXXX - XXXX are the last 4 digits of the fone #.

119911/11911/1199911 - GTE

NNX-9906/9907 - NPA 301, NNX is the exchange

The reason you get the tone when you pick-up after it rings is because in
some areas, people were using ringback as an in-house intercom.  They would
dial ringback, and when it stopped ringing, they would pick-up & talk with
the person who picked up the other extension.  Bell didn't like this since
there is usually only 1 piece of equipment in each exchange that does the
ringback.  When people used this as an intercom, linemen & repairmen
couldn't get through!  In some areas, especially those under step-by-step,
ringback can still be used as an intercom.  Also, under step-by-step, the
ringback procedure is usually simple.  For example, in one area you would dial
26011 and hang-up; it would then ringback.

Touch-Tone Test:

In areas that have a Touch-Tone test, you dial the ringback #.  At the first
tone, you touch-tone digits 1-0.  If they are correct it will beep twice.

I have also seen a TT test in some areas at:  890-751-5191

Coming Soon:

In the next part, we will look at various switching equipment and The Network.

Break up of Bell:

The operating companies are not going to change all the switching equipment
around.  While there will be some changes, most of the information provided
here will remain pertinent after January 1, 1984. Just substitute the word
"fone network" for Bell System.

******BIOC Agent 003's course in*******
*                                     *
*     ==========================      *
*     ==========================      *
*               PART II               *


Part II will deal with the various types of operators, office hierarchy,
& switching equipment.


There are many types of operators in The Network and the more common ones
will be discussed.

TSPS Operator:

The TSPS (Traffic Service Position System) Operator is probably the bitch
(or bastard for the phemale liberationists) that most of us are used to having
to deal with.

Here are her responsibilities:

1) Obtaining billing information for Calling Card or 3rd number calls.

2) Identifying called customer on person-to-person calls.

3) Obtaining acceptance of charges on collect calls.

4) Identifying calling numbers.  This only happens when the calling # is not
automatically recorded by CAMA (Centralized Automatic Message Accounting) &
forwarded from the local office.  This could be caused by equipment failures
or if the office is not equipped for CAMA (most are).

  <I once had an equipment failure happen to me & the TSPS operator came
on and said, "What # are you calling FROM?"  Out of curiosity, I gave her
the # to my CO, she thanked me & then I was connected to a conversation that
appeared to be between a frameman & his wife.  Then it started ringing the
party I originally wanted to call & everyone phreaked out (excuse the pun).
I immediately dropped this dual line conference!>

You shouldn't mess with the TSPS operator since she KNOWS where you are
calling from.  She also knows whether or not you are at a fortress fone & she
can trace calls quite readily.  Out of all the operators, she is one of the

INWARD Operator:

This operator assists your local TSPS ("O") operator in connecting calls.
She will never question a call as long as the call is within HER SERVICE AREA.
She can only be reached via other operators or by a Blue Box.  From a BB,
you would dial KP+NPA+121+ST for the INWARD operator that will help you
connect any calls within that NPA area only. (Blue Boxing will be discussed in
a future part of BASIC TELCOM)


This is the operator that you are connected to when you dial:  411 or
NPA-555-1212.  She does not readily know where you are calling from.  She
does not have access to unlisted #'s, but she does know if an unlisted #
exists for a certain listing.

There is also a directory assistance for deaf people who use Teletypewriters.
If your modem can transfer BAUDOT (the Apple Cat can), then you can call her
up and have an interesting conversation with her.  The # is:  800-855-1155.
She uses the standard Telex abbreviations such as GA for Go Ahead.  They tend
to be nicer & will talk longer than your regular operators.  Also, they are
more vulnerable to being talked out of information through the process of
"social engineering" as Cheshire Catalyst would put it.

Other operators have access to their own DA by dialing KP+NPA+131+ST (MF).

This is a little out of the scope of this tutorial, but many telco's are
now charging for calls to dir. asst.  You can beat this by:

(1) count how many calls you make to directory assistance in a billing
period.  Go to a fortress fone & dial DA.  When the operator comes on, give
her a name that you know has an unlisted # or ask for a town that isn't
in the NPA.  She will then ask for your # so she can credit the call to you.
Give her your home #; she doesn't know that you are making a free call from
the fortress.  Just make sure that you don't credit yourself for more calls
than you actually made or you might have a few problems!

(2) If you have a BAUDOT terminal, use the 800 #; it's free & there is one #
for all requests.

C/NA Operators:

C/NA operators are operators that do exactly the opposite of what directory
assistance operators are for.  See part II, for more info on C/NA & #'s.  In my
experiences, these operators know more than the DA op's do & they are more
susceptible to "social engineering."  It is possible to bullshit a C/NA
operator for the NON-PUB DA # (ie, you give them the name & they give you the
unlisted #).  This is due to the fact that they assume you are a phellow
company employee.


The intercept operator is the one that you are connected to when there are not
enough recordings available to tell you that the # has been disconnected or
changed.  She usually says, "What # you callin'?" with a foreign accent.  This
is the lowest operator lifeform.  Even though they don't know where you are
calling from, it is a waste of your time to try to verbally abuse them
since they usually understand very little English.

OTHER Operators:

And then there are the:  Mobile, Ship-to-Shore, Conference, Marine, Verify,
"Leave Word & Call Back," Route & Rate (KP+NPA+141+ST), & other special
operators who have one purpose or another in the Network.

Problems with an Operator?  Ask to speak to their supervisor...Which is
the equivalent of the Madame in a whorehouse (if you will excuse the analogy).

By the way, some CO's that will allow you to dial a 1 or 0 as the 4th digit,
will also allow you to call special operators without a blue box.  This is
very rare though!  For example, 212-121-1111 will get you a NY Inward


Every switching office in North America (the NPA system) is assigned
an office name & class.  There are five classes of offices numbered 1 through
5.  Your CO is most likely a class 5 or end office. All Long-Distance (Toll)
calls are switched by a toll office which can be a class 4, 3, 2, or 1
office.  There is also a 4X office called an intermediate point.  The 4X
office is a digital one that can have an unattended exchange attached to it
(known as a Remote Switching Unit-RSU).

The following chart will list the Office #, name, & how many of those offices
existed in North America in 1981.

Class       Name       Abb  # Existing
----- ---------------- --- ------------
  1   Regional Center  RC         12
  2   Sectional Center SC         67
  3   Primary Center   PC        230
  4   Toll Center      TC      1,300
  4P  Toll Point       TP
  4X  Intermediate Pt  IP
  5   End Office       EO     19,000
  R   RSU              RSU

When connecting a call from one party to another, the switching equipment
usually tries to find the shortest route between the Class 5 end office of
the caller & the Class 5 end office of the called party.  If no inter-office
trunks exist between the 2 parties, it will then move up to the next highest
office for servicing (Class 4).  If the Class 4 office cannot handle the call
by sending it to another Class 4 or 5 office, it will be sent to the next
office in the hierarchy (3).  The switching equipment first uses the
high-usage interoffice trunk groups, if they are busy it then goes to the final
trunk groups on the next highest level.  If the call cannot be connected then,
you will probably get a re-order signal (120 IPM busy signal).  At this
time, the guys at Network Operations are probably shitting in their pants
and trying to avoid the dreaded Network Dreadlock (as seen on TV!).
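
The overflow rule just described (high-usage trunks first, then the final
group to the next-higher class, re-order when nothing is idle), as an added
Python model that is not part of the original file.  The office names, trunk
counts and single-region topology are constructed assumptions, and calls are
never released, so each completed call keeps its trunks busy.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Office:
    name: str
    office_class: int                   # 5 = end office ... 1 = regional center
    parent: Optional["Office"] = None   # office this one homes on (final route)
    final_idle: int = 4                 # idle trunks in the final group to parent
    high_usage: dict = field(default_factory=dict)  # office name -> idle direct trunks


def chain_up(office):
    """The office followed by every office above it in the hierarchy."""
    chain = []
    while office is not None:
        chain.append(office)
        office = office.parent
    return chain


def route_call(src, dst):
    """Return the office names the call traverses, or None for re-order."""
    down = chain_up(dst)                # any of these can reach dst by descending
    down_names = [o.name for o in down]
    path, current = [src.name], src
    seizures = []                       # (office, key); key None = final group
    while current.name not in down_names:
        # 1. Prefer a high-usage trunk landing as low as possible in dst's chain.
        target = next((o for o in down
                       if current.high_usage.get(o.name, 0) > 0), None)
        if target is not None:
            seizures.append((current, target.name))
            current = target
        # 2. Otherwise overflow to the final group toward the next-higher class.
        elif current.parent is not None and current.final_idle > 0:
            seizures.append((current, None))
            current = current.parent
        else:
            return None                 # nothing idle: caller hears re-order
        path.append(current.name)
    # 3. Descend dst's own final route down to its end office.
    for office in reversed(down[:down_names.index(current.name)]):
        if office.final_idle == 0:
            return None
        seizures.append((office, None))
        path.append(office.name)
    # Commit trunk seizures only once the whole route is known to exist.
    for office, key in seizures:
        if key is None:
            office.final_idle -= 1
        else:
            office.high_usage[key] -= 1
    return path


def build_network():
    """Constructed topology: one regional center, two toll centers, three EOs."""
    rc = Office("RC-A", 1)
    sc = Office("SC-A", 2, rc)
    pc = Office("PC-A", 3, sc)
    tc1 = Office("TC-1", 4, pc, high_usage={"TC-2": 1})
    tc2 = Office("TC-2", 4, pc)
    eo1 = Office("EO-1", 5, tc1, final_idle=3, high_usage={"EO-2": 1})
    eo2 = Office("EO-2", 5, tc1)
    eo3 = Office("EO-3", 5, tc2)
    return {o.name: o for o in (rc, sc, pc, tc1, tc2, eo1, eo2, eo3)}


if __name__ == "__main__":
    net = build_network()
    for dst in ("EO-2", "EO-2", "EO-3", "EO-3", "EO-3"):
        print("EO-1 ->", dst, ":", route_call(net["EO-1"], net[dst]) or "re-order")
```

Each repeated call finds the cheaper route already busy and climbs one class
higher, until the end office's own final group is exhausted.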

It is also interesting to note that 9 connections in tandem is called
ring-around-the-rosy and it has never occurred in telephone history.  This
would cause an endless loop connection. [a neat way to really screw-up the

The 10 regional centers in the US & the 2 in Canada are all interconnected.
They form the foundation of the entire telephone network.  Since there are
only 12 of them, they are listed below:

Class 1 Regional Office Location    NPA
----------------------------------  ---
Dallas 4 ESS                        214
Wayne, PA                           215
Denver 4T                           303
Regina No.2 SP1-4W   [Canada]       306
St. Louis 4T                        314
Rockdale, GA                        404
Pittsburgh 4E                       412
Montreal No.1 4AETS  [Canada]       504
Norwich, NY                         607
San Bernardino, CA                  714
Norway, IL                          815
White Plains 4T, NY                 914

The following diagram demonstrates how
the various offices may be connected:

      ^----------^----------^ Regional
     _|_        _|_        _|_Offices
-----|1| <----> |1| <----> |1|-----
     ---        ---        ---
                 |             Others\/
_|_     _|_     _|_    _|__      _|_
|2|     |3|     |4|    |4P|      |5|
---     ---     ---    -^^-      ---
 |       |       |       |
 ^----^  |     ^----^    |
_|_  _|_ |   __|_  _|_   |
|3|  |4| |   |4X|  |5|   ^-----^
---  -^- |   ----  ---  _|__  _|_
      ^  |              |4X|  |5|
    __|_ |              ----  ---
    |5R| |-------------^
    -^^-      /--------|---------\
     _|_      _|_     _|_      _|__
     |R|      |4|     |5|      |5R|
     ---      ---     ---      ----

NOTE:  The preceding diagram used
       certain lower case characters
       that may not be viewed as I
       intended them if you are not
       using a lower case terminal.


In the Network, there are 3 major types of switching equipment.  They are known
as:  Step-by-Step, Crossbar, & ESS.


The Step-By-Step, a/k/a the Strowger switch or two-motion switch, was invented
in 1889 by an undertaker named Almon Strowger.  He invented this mechanical
switching equipment because he felt that the biased operator was routing all
requests for an 'undertaker' to her husband's business.

Bell started using this system in 1918 & as of 1978, over 53% of the Bell
exchanges used this method of switching.

Step-by-Step switching is controlled directly by the dial pulses which move
a series of switches (called the switch train) in order.  When you first pick
up the fone under SxS, a linefinder acknowledges the request (sooner or
later) by sending a dial tone.  If you then dialed 1234, the equipment would
first find an idle selector switch.  It would then move vertically 1 pulse, it
would then move horizontally to find a free second selector, it would then
move 2 vertical pulses, step horizontally to find the next selector, etc.  Thus
the first switch in the train takes no digits, the second switch takes 1 digit,
the third switch takes 1 digit, & the last switch in the train (called the
connector) takes the last 2 digits & connects your calls.  A normal (10,000
line) exchange requires 4 digits (0000-9999) to connect a local call & thus it
takes 4 switches to connect every call (linefinder, 1st & 2nd selectors, & the
connector).

While it was the first, SxS sucks for the following reasons:

[1] The switches often become jammed thus the calls often become blocked.

[2] You can't use DTMF (Dual-Tone Multi-Frequency a/k/a Touch-Tone) directly.
It is possible that the Telco may have installed a conversion kit but then the
calls will go through just as slow as pulse, anyway!

[3] They use a lot of electricity & mechanical maintenance. (bad from Telco
point of view)

[4] Everything is hardwired.

They can still hook up pen registers & other shit on the line so it is not
exactly a phreak haven.

You can identify SxS offices by:

(1) Lack of DTMF or pulsing digits after dialing DTMF.

(2) If you go near the CO, it will sound like a typewriter testing

(3) Lack of speed calling, call forwarding, & other customer services.

(4) Fortress fones that want your money first (as opposed to dial tone
first ones).

The preceding don't necessarily imply that you have SxS but they surely give
evidence that it might be.  Also, if any of the above characteristics exist,
it certainly isn't ESS!  Also, SxS have pretty much been eradicated from large
metropolitan areas such as NYC (212).


There are 3 major types of Crossbar systems called:  No. 1 Crossbar (1XB),
No. 4 Crossbar (4XB), & No. 5 Crossbar (5XB).  5XB has been the primary end
office switch of Bell since the 60's and thus it is in wide-use.

Crossbar uses a common control switching method.  When there is an incoming
call, a stored program determines its route through the switching matrix.

In Crossbar, the basic operation principle is that a horizontal & a vertical
line are energized in a matrix known as the crosspoint matrix.  The point where
these 2 lines meet in the matrix is the connection.


		   Electronic Switching System (ESS)
		   The Phreak's Nightmare Come True
		(or Orwell's Prophecy as 2600 puts it)

ESS is Bell's move towards the Airstrip One society depicted in Orwell's 1984.

With ESS, EVERY single digit that you dial is recorded--even if it is a mistake.
They know who you call, when you call, how long you talked for, & probably what
you talked about (in some cases).  ESS can (and is) also programmed to print
out #'s of people who make excessive calls to 800 #'s or directory assistance.
This is called the "800 Exceptional Calling Report."  ESS could also be
programmed to print out logs of who calls certain #'s--like a bookie, a known
Communist, a BBS, etc.  The thing to remember with ESS is that it is a series
of programs working together.  These programs can be very easily changed to do
whatever they want it to do.  One phreak whom I know has some ESS source code
listing which is incredibly complex (as well as documented--Gracias Dios).  This
system makes the job of Bell Security, the FBI, NSA, & other organizations that
like to invade privacy incredibly easy.
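
What a report like the "800 Exceptional Calling Report" amounts to, as an
added example that is not from the original file or from Bell: detection
logic run over constructed call records.  The record layout, the 555-01XX
numbers and the thresholds are assumptions; the page gives no real figures.

```python
import csv
import io
import re
from collections import Counter

# Assumed per-period limits (calls above these are reported).
THRESHOLDS = {"800": 3, "DA": 2}

# Constructed records: timestamp, calling #, called #, duration in seconds.
SAMPLE_RECORDS = """\
1984-04-02 09:01,914-555-0101,800-555-0143,35
1984-04-02 09:03,914-555-0101,800-555-0143,12
1984-04-02 09:04,914-555-0101,800-555-0167,8
1984-04-02 09:06,914-555-0101,1-800-555-0188,5
1984-04-02 10:15,914-555-0102,411,20
1984-04-02 10:40,914-555-0102,212-555-1212,31
1984-04-02 11:02,914-555-0102,914-555-0177,240
1984-04-03 08:30,914-555-0103,800-555-0143,60
1984-04-03 08:55,914-555-0102,411,18
garbled line without fields
1984-04-03 09:10,914-555-0103,914-555-0101,95
"""


def normalize(number):
    """Digits only, with a leading long-distance 1 removed."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        return digits[1:]
    return digits


def classify(called):
    """Return "DA", "800" or None for a dialed number."""
    digits = normalize(called)
    # Directory assistance is 411 or NPA-555-1212.  It is checked first so
    # that 800-555-1212 counts as directory assistance, not a plain 800 call.
    if digits == "411" or (len(digits) == 10 and digits.endswith("5551212")):
        return "DA"
    if len(digits) == 10 and digits.startswith("800"):
        return "800"
    return None


def exceptional_calling_report(text, thresholds=THRESHOLDS):
    """Return (flagged, skipped): lines over threshold and malformed row count."""
    counts, skipped = Counter(), 0
    for row in csv.reader(io.StringIO(text)):
        if not row:                      # blank line
            continue
        if len(row) != 4 or len(normalize(row[1])) != 10:
            skipped += 1                 # keep a count instead of failing
            continue
        category = classify(row[2])
        if category:
            counts[(normalize(row[1]), category)] += 1
    flagged = sorted((line, cat, n) for (line, cat), n in counts.items()
                     if n > thresholds[cat])
    return flagged, skipped


if __name__ == "__main__":
    flagged, skipped = exceptional_calling_report(SAMPLE_RECORDS)
    for line, category, n in flagged:
        print(f"{line}  {n} calls to {category} numbers this period")
    print(f"{skipped} malformed record(s) skipped")
```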

With ESS, tracing is done in microseconds (Eine Augenblick) & the results are
printed at the console of a Bell Gestapo officer.  ESS will also pick up any
"foreign" tones on the line such as 2600 Hz!

Bell predicts that the country will become totally ESS by the 1990's.

You can identify ESS by the following which are usually ESS functions:

[1] Dialing 911 for help.
[2] Dial-Tone-First fortresses.
[3] Custom Calling Services such as: Call Forwarding, Speed Dialing, &
    Call Waiting.  (Ask your business office if you can get these.)
[4] ANI (Automatic Number Identification) on LD calls.

Phreaking does not come to a complete halt under ESS, though--just be very
careful!!!

Due to the fact that ESS sends a computer generated "artificial ring", where
the voice is not connected directly to the called party's line until he picks
up, Black Boxes & Infinity Transmitters will not work!

 NOTE:	Another interesting way to find out what type of equipment you are on
	is to raid the trash can of your local CO--this art will be discussed
	in a separate article soon.

Coming Soon:

In part V, we will start to take a look at telephone electronics.

Further Reading:

For more information on the above topics, I suggest the following:

Notes on the Network, AT&T, 1980.

Understanding Telephone Electronics, Texas Instruments, 1983.

And subscriptions to:

2600, Box 752, Middle Island, NY 11953. Subscriptions are $10/year.  Back
issues are $1 each.  The current issue is #4 (April 1984).

They are both excellent sources of all sorts of information (primarily

******  Agent Berg's course in  *******
*                                     *
*     ==========================      *
*     ==========================      *
*               Part VI               *



This article will focus primarily on the standard Western Electric single-
slot coin telephone (aka fortress fone) which can be divided into 3 types:

- Dial-Tone First (DTF)

- Coin-First (CF):  (ie, it wants your $ before you receive a dial tone)

- Dial Post-Pay Service (PP):  you pay after the party answers

Depositing Coins (Slugs):

Once you have deposited your slug into a fortress, it is subjected to a
gamut of tests.

The first obstacle for a slug is the magnetic trap.  This will stop any light-
weight magnetic slugs and coins.  If it passes this, the slug is then classified
as a nickel, dime, or quarter.  Each slug is then checked for appropriate size
and weight.  If these tests are passed, it will then travel through a nickel,
dime, or quarter magnet as appropriate.  These magnets set up an eddy current
effect which causes coins of the appropriate characteristics to slow down so
they will follow the correct trajectory.  If all goes well, the coin will follow
the correct path (such as bouncing off of the nickel anvil) where it will
hopefully fall into the narrow accepted coin channel.

The rather elaborate tests that are performed as the coin travels down the
coin chute will stop most slugs and other undesirable coins, such as pennies,
which must then be retrieved using the coin release lever.

If the slug miraculously survives the gamut, it will then strike the
appropriate totalizer arm causing a ratchet wheel to rotate once for every
5-cent increment (eg, a quarter will cause it to rotate 5 times).

The totalizer then causes the coin signal oscillator to readout a dual-
frequency signal indicating the value deposited to ACTS (a computer) or the
TSPS operator. These are the same tones used by phreaks in the infamous red

For a quarter, 5 beep tones are outpulsed at 12-17 pulses per second (PPS).
A dime causes 2 beep tones at 5 - 8.5 PPS while a nickel causes one beep tone
at 5 - 8.5 PPS.  A beep consists of 2 tones:  2200 + 1700 Hz.

A relay in the fortress called the "B relay" (yes, there is also an "A
relay") places a capacitor across the speech circuit during totalizer readout
to prevent the "customer" from hearing the red box tones.

In older 3 slot phones:  one bell (1050-1100 Hz) for a nickel, two bells for a
dime, and one gong (800 Hz) for a quarter are used instead of the modern
dual-frequency tones.


While fortresses are connected to the CO of the area, all transactions are
handled via the Traffic Service Position System (TSPS).  In areas that do not
have ACTS, all calls that require operator assistance, such as calling card
and collect, are automatically routed to a TSPS operator position.

In an effort to automate fortress service, a computer system known as
Automated Coin Toll Service (ACTS) has been implemented in many areas.  ACTS
listens to the red box signals from the fones and takes appropriate action.  It
is ACTS which says, "Two dollars please (pause) Please deposit two dollars for
the next ten seconds" (and other variations). Also, if you talk for more than
three minutes and then hang-up, ACTS will call back and demand your money.
ACTS is also responsible for Automated Calling Card Service.

ACTS also provides trouble diagnosis for craftspeople (repairmen specializing in
fortresses).  For example, there is a coin test which is great for tuning up
red boxes.  In many areas this test can be activated by dialing 09591230 at a
fortress (thanks to Karl Marx for this information).  Once activated it will
request that you deposit various coins.  It will then identify the coin and
outpulse the appropriate red box signal.  The coins are usually returned when
you hang up.

To make sure that there is actually money in the fone, the CO initiates a
"ground test" at various times to determine if a coin is actually in the
fone.  This is why you must deposit at least a nickel in order to use a red

Green Boxes:

Paying the initial rate in order to use a red box (on certain fortresses)
left a sour taste in many red boxers' mouths; thus the GREEN BOX was invented.
The green box generates useful tones such as COIN COLLECT, COIN RETURN, and
RINGBACK.  These are the tones that ACTS or the TSPS operator would send to
the CO when appropriate. Unfortunately, the green box cannot be used at a
fortress station but it must be used by the CALLED party.

Here are the tones:

     COIN COLLECT       700 + 1100 Hz
     COIN RETURN       1100 + 1700 Hz
     RINGBACK           700 + 1700 Hz

Before the called party sends any of these tones, an operator released signal
should be sent to alert the MF detectors at the CO.  This can be accomplished
by sending 900 + 1500 Hz or a single 2600 Hz wink (90 ms) followed by a 60 ms
gap and then the appropriate signal for at least 900 ms.

Also, do not forget that the initial rate is collected shortly before the 3
minute period is up.

Incidentally, once the above MF tones for collecting and returning coins reach
the CO, they are converted into an appropriate DC pulse (-130 volts for return
& +130 volts for collect). This pulse is then sent down the tip to the fortress.
This causes the coin relay to either return or collect the coins.

The alleged "T-Network" takes advantage of this information.  When a pulse for
COIN COLLECT (+130 VDC) is sent down the line, it must be grounded somewhere.
This is usually either the yellow or black wire.  Thus, if the wires are
exposed, these wires can be cut to prevent the pulse from being grounded.
When the three minute initial period is almost up, make sure that the black &
yellow wires are severed; then hang up, wait about 15 seconds in case of a
second pulse, reconnect the wires, pick up the fone, hang up again, and if
all goes well it should be "JACKPOT" time.

Physical Attack:

A typical fortress weighs roughly 50 lbs. with an empty coin box.  Most of
this is accounted for in the armor plating.  Why all the security?  Well,
Bell attributes it to the following:

  "Social changes during the 1960's made the multislot coin station a prime
target for:  vandalism, strong arm robbery, fraud, and theft of service.  This
brought about the introduction of the more rugged single slot coin station and
a new environment for coin service."

As for picking the lock, I will quote Mr. Phelps:  "We often fantasize about
'picking the lock' or 'getting a master key.'  Well, you can forget about it.
I don't like to discourage people, but it will save you from wasting a lot of
your time--time which can be put to better use (heh, heh)."

As for physical attack, the coin plate is secured on all four sides by hardened
steel bolts which pass through two slots each.  These bolts are in turn
interlocked by the main lock.

One phreak I know did manage to take one of the 'mothers' home (which was
attached to a piece of plywood at a construction site; otherwise, the
permanent ones are a bitch to detach from the wall!).  It took him almost
ten hours to open the coin box using a power drill, sledge hammers, and crow
bars (which was empty -- perhaps next time, he will deposit a coin first to
hear if it slushes down nicely or hits the empty bottom with a clunk.)

Taking the fone offers a higher margin of success, although this may be
difficult, often requiring brute force, and there have been several cases of
back axles being lost trying to take down a fone!  A quick and dirty way to
open the coin box is by using a shotgun.  In Detroit, after ecologists
cleaned out a municipal pond, they found 168 coin phones rifled.

In colder areas, such as Canada, some shrewd people tape up the fones using
duct tape, pour in water, and come back the next day when the water will have
frozen, thus expanding and cracking the fone open.

In one case, "unauthorized coin collectors" were caught when they brought
$6,000 in change to a bank and the bank became suspicious...

At any rate, the main lock is an eight level tumbler located on the right side
of the coin box.  This lock has 390,625 possible positions (5 ^ 8, since there
are 8 tumblers each with 5 possible positions) thus it is highly pick resistant!
The lock is held in place by 4 screws.  If there is sufficient clearance to the
right of the fone, it is conceivable to punch out the screws using the drilling
pattern below (provided by Alexander Mundy in TAP #32):

                       !!        ^
                       !!        !
           ! 1- 3/16 " !!        !
           !<---   --->!!      1-1/2"
       --------------------      !
       !   !           !! !      !
       !  (+)         (+)-! -----------
    ---!               !! !      ^
    !  !               !! !      !
    !  !        (Z)    !! !      !
    !  !               !! !   2-3/16"
    ---!               !! !      !
       !  (+)         (+) !      !
       !               !! !      !
       -------------------- -----------
        (Z) Keyhole   (+) Screws

After this is accomplished, the lock can be pushed backwards disengaging
the lock from the cover plate.  The four bolts of the cover plate can then
be retracted by turning the boltworks with a simple key in the shape of the
hole on the coin plate (see diagram below).  Of course, there are other
methods and drilling patterns.

                  ! !
                  ( )
    Diagram of cover plate keyhole

The top cover uses a similar (but not as strong) locking method with the
keyhole depicted above on the top left side and a regular lock (probably
tumbler also) on the top right-hand side. It is interesting to experiment
with the coin chute and the fortress's own "red box" (which Bell didn't have
the 'balls' to color red).


In a few areas (rural & Canada), post-pay service exists.  With this type of
service, the mouthpiece is cut off until the caller deposits money when the
called party answers.  This also allows for free calls to weather and other
DIAL-IT services!  Recently, 2600 magazine announced the CLEAR BOX which
consists of a telephone pickup coil and a small amp.  It is based on the
principle that the receiver is also a weak transmitter and that by amplifying
your signal you can talk via the transmitter thus avoiding costly telephone

Most fortresses are found in the 9xxx area.  Under former Bell areas, they
usually start at 98xx (right below the 99xx official series) and move

Since the line, not the fone, determines whether or not a deposit must be made,
DTF & Charge-A-Call fones make great extensions!

Finally, fortress fones allow for a new hobby--instruction plate collecting.
All that is required is a flat-head screwdriver and a pair of needle-nose
pliers.  Simply use the screwdriver to lift underneath the plate so that you
can grab it with the pliers and yank downwards. I would suggest covering the
tips of the pliers with electrical tape to prevent scratching.  Ten cent plates
are definitely becoming a "rarity!"

Fortress Security:

While a lonely fortress may seem the perfect target, beware!  The Gestapo
has been known to stake out fortresses for as long as 6 years according to the
Grass Roots Quarterly.  To avoid any problems, do not use the same fones
repeatedly for boxing, calling cards, & other experiments.  The telco knows how
much money should be in the coin box and when it's not there they tend to get
perturbed (read:  pissed off).



The preceding is intended for "information purposes only" and I do not advocate
that you participate in any subversive activities...

Coming sooner or later:

Part VII will deal with blue boxing.

References/Suggested Reading:

Various hard-to-find Bell System publications.

"Alternate Method of Opening the Fortress Phone Coin Box," Alexander Mundy,
TAP #32.

"Build a T-Network for Fun & Profit," TAP #15.

"Coiners & Other Thieves," The Phone Book, J. Edgar Hyde, pp 88-91.

"Fortress Fun-ding," TAP #66.

"The Green & Brown Box," Ted Veil & Nick Haflinger, TAP #68.

"Introducing the Clear Box!," 2600, July 1984.

"More Fortress Fun," TAP #49.

"Notes on the Network," AT&T, 1980. [The definitive technical reference guide!]



Box 752
Middle Island, NY 11953

Subscriptions:  $10/year
                    (published monthly)

Last Issue (as of 10/27/84):
                           October 1984



Room 603
147 W 42 Street
New York, NY 10036

Subscriptions:  $10/10 issues or so
    (published sporadically since 1971)

Last Issue (as of 10/27/84):
            January/February 1984 [#90]


Acknowledgements:  Hertz Tone, Tuc,

******BIOC Agent 003's course in*******
*                                     *
*     ==========================      *
*     ==========================      *
*              Part VII               *


After most neophyte phreaks overcome their fascination with Metro codes and
WATS extenders, they will usually seek to explore other avenues in the vast
phone network.  Often they will come across references such as "simply dial
KP + 2130801050 + ST for the Alliance teleconferencing system in LA."  Numbers
such as the one above were intended to be used with a blue box; this article
will explain the fundamental principles of the fine art of blue boxing.


In the beginning, all long distance calls were connected manually by operators
who passed on the called number verbally to other operators in series.  This
is because pulse (aka rotary) digits are created by causing breaks in the DC
current (see Basic Telcom V).  Since long distance calls require routing
through various switching equipment and AC voice amplifiers, pulse dialing
cannot be used to send the destination number to the end local office (CO).

Eventually, the demand for faster and more efficient long distance (LD)
service caused Bell to make a multi-billion dollar decision.  They had to
create a signaling system that could be used on the LD Network. Basically,
they had two options:

[1] To send all the signaling and supervisory information (ie, ON & OFF
HOOK) over separate data links.  This type of signaling is referred to as
out-of-band signaling.
[2] To send all the signaling information along with the conversation
using tones to represent digits.  This type of signaling is referred to as
in-band signaling.

Being the cheap bastard that they naturally are, Bell chose the latter (and
cheaper) method -- IN-BAND signaling.  They eventually regretted this, though
(heh, heh)...


When a subscriber dials a telephone number, whether in rotary or touch-tone
(aka DTMF), the equipment in the CO interprets the digits and looks for a
convenient trunk line to send the call on its way.  In the case of a local
call, it will probably be sent via an inter-office trunk; otherwise, it will
be sent to a toll office (class 4 or higher -- see Telcom IV) to be processed.

When trunks are not being used there is a 2600 Hz tone on the line; thus, to
find a free trunk, the CO equipment simply checks for the presence of 2600
Hz. If it doesn't find a free trunk the customer will receive a re-order signal
(120 IPM busy signal) or the "all circuits are busy..." message.   If it does
find a free trunk it "seizes" it -- removing the 2600 Hz.  It then sends the
called number or a special routing code to the other end or toll office.

The tones it uses to send this information are called multi-frequency
(MF) tones.  An MF tone consists of two tones from a set of six master tones
which are combined to produce 12 separate tones.  You can sometimes hear
these tones in the background when you make a call but they are usually
filtered out so your delicate ears cannot hear them. These are NOT the same
as touch-tones.

To notify the equipment at the far end of the trunk that it is about to receive
routing information, the originating end first sends a Key Pulse (KP) tone.  At
the end of sending the digits, the originating end then sends a STart (ST) tone.
Thus to call 914-359-1517, the equipment would send KP + 9143591517 + ST in MF
tones.  When the customer hangs up, 2600 Hz is once again sent to signify a
disconnect to the distant end.


In the November 1960 issue of The Bell System Technical Journal, an article
entitled "Signaling Systems for Control of Telephone Switching" was published.
This journal, which was sent to most university libraries, happened to contain
the actual MF tones used in signaling.  They appeared as follows:

   Digit                Tones
   -----                -----
     1              700 +  900 Hz
     2              700 + 1100 Hz
     3              900 + 1100 Hz
     4              700 + 1300 Hz
     5              900 + 1300 Hz
     6             1100 + 1300 Hz
     7              700 + 1500 Hz
     8              900 + 1500 Hz
     9             1100 + 1500 Hz
     0             1300 + 1500 Hz
     KP            1100 + 1700 Hz
     ST            1500 + 1700 Hz
     11  (*)        700 + 1700 Hz
     12  (*)        900 + 1700 Hz
     KP2 (*)       1300 + 1700 Hz

(*)  Used only on CCITT SYSTEM 5 for special international calling.

Bell caught wind of blue boxing in 1961 when it caught a Washington state
college student using one.  They originally found out about blue boxes
through police raids and informants.  In 1964, Bell Labs came up with
scanning equipment, which recorded all suspicious calls, to detect blue box
usage.  These units were installed in CO's where major toll fraud existed.
AT&T Security would then listen to the tapes to see if any toll fraud was
actually committed.  Over 200 convictions resulted from the project.
Surprisingly enough, blue boxing is not solely limited to the electronics
enthusiast; AT&T has caught businessmen, film stars, doctors, lawyers, college
students, high school students and even a millionaire financier (Bernard
Cornfeld) using the device.  AT&T also said that nearly half of those that
they catch are businessmen.

Of course, phone phreaks have achieved an almost cult status.  They have also
had their fair share of media.  In October 1971, Esquire published the infamous
"Secrets of the Little Blue Box" article which featured phreaks such as Cap'n
Crunch, who took his name from the cereal which once gave away whistles that
produced a perfect 2600 Hz pitch; Joe Engressia, the blind phreak; and Mark
Bernay, one of the nation's first and oldest phreaks.  Others such as Apple
Computer co-founders Steve Wozniak & Steve Jobs have also had blue box
backgrounds.  1971 also saw the publication of the first issue of YIPL, the
phone phreak newsletter, (now TAP) under the editorship of supreme yippie Abbie


To use a blue box, one would usually make a free call to any 800 number or
distant directory assistance (NPA-555-1212).  This, of course, is legitimate.
When the call is answered, one would then swiftly press the button that would
send 2600 Hz down the line.  This has the effect of making the distant CO
equipment think that the call was terminated and it leaves the trunk hanging.
Now, the user has about 10 seconds to enter in the telephone number he wished
to dial -- in MF, that is.  The CO equipment merely assumes that this came
from another office and it will happily process the call.  Since there are no
records (except on toll fraud detection devices!) of these MF tones, the user
is not billed for the call.  When the user hangs up, the CO equipment simply
records that he hung up on a free call.


Bell has had 20 years to work on detection devices; therefore, in this day and
age, they are rather well refined.  Basically, the detection device will look
for the presence of 2600 Hz where it does not belong.  It then records the
calling number and all activity after the 2600 Hz.  If you happen to be at a
fortress fone, though, and you make the call short, your chances of getting
caught are significantly reduced (see Telcom VI).  Incidentally, there have
been rumors of certain test numbers (see Telcom II) that hook directly into
trunks thus avoiding the need for 2600 Hz and detection!

Another way that Bell catches boxers is to examine the CAMA (Centralized
Automatic Message Accounting) tapes.  When you make a call, your number, the
called number, and time of day are all recorded.  The same thing happens when
you hang up.  This tape is then processed for billing purposes.  Normally, all
free calls are ignored.  But Bell can program the billing equipment to make note
of lengthy calls to directory assistance.  They can then put a pen register (aka
DNR) on the line or an actual full-blown tap.  This detection can be avoided by
making short-haul (aka local) calls to box off of.

It is interesting to note that NPA+555-1212 originally did not return answer
supervision.  Thus the calls were not recorded on the AMA/CAMA tapes.  AT&T
changed this though for "traffic studies!"


Besides detection devices, Bell has begun to gradually redesign the network
using out-of-band signaling.  This is known as Common Channel Inter-office
Signaling (CCIS).  Since this signaling method sends all the signaling
information over separate data lines, blue boxing is impossible under it.

While being implemented gradually, this multi-billion dollar project is still
strangling the fine art of blue boxing.  Of course until the project is totally
complete, boxing will still be possible.  It will become progressively harder
to find places to box off of, though.  In areas with CCIS, one must find a
directory assistance office that doesn't have CCIS yet.  Area codes in Canada
and predominately rural states are the best bets.  WATS numbers terminating in
non-CCIS cities are also good prospects.

Pink Noise:

Another way that may help to avoid detection is to add some "pink noise" to the
2600 Hz tone.

Since 2600 Hz tones can be simulated in speech, the detection equipment must be
careful not to misinterpret speech as a disconnect signal.  Thus a virtually
pure 2600 Hz tone is required for disconnect.

Keeping this in mind, the 2600 Hz detection equipment is also probably
looking for pure 2600 Hz or else it would be triggered every time someone
hit that note (highest E on a piano = 2637 Hz).  This is also the reason that
the 2600 Hz tone must be sent rapidly; sometimes, it won't work when the
operator is saying "Hello, hello."  It is feasible to send some "pink noise"
along with the 2600 Hz.  Most of this energy should be above 3000 Hz.  The
pink noise won't make it into the toll network (where we want our pure 2600 Hz
to hit) but it should make it past the local CO and thus the fraud detectors.
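The purity requirement described above, and the earlier point that detection equipment looks for 2600 Hz where it does not belong, can be seen from the detector's side in this added example (not code from the original file). It measures how much of each 100 ms frame's energy sits at 2600 Hz using the Goertzel algorithm and flags only near-pure frames; the 8 kHz sample rate, frame length, 0.9 threshold, function names and test signals are all assumptions made for the illustration.

```python
import math

FS = 8000         # sample rate in Hz (assumed; standard telephony rate)
FRAME = 800       # 100 ms analysis frame, so DFT bins are 10 Hz apart
SF_HZ = 2600.0    # supervisory tone frequency given in the text
PURITY_MIN = 0.9  # assumed threshold: fraction of frame energy at SF_HZ


def goertzel_power(frame, freq, fs=FS):
    """Squared DFT magnitude of frame at freq, via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / fs)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def purity(frame, freq=SF_HZ):
    """Fraction (0..1) of the frame's energy concentrated at freq."""
    energy = sum(x * x for x in frame)
    if energy < 1e-12:          # silence: nothing to classify
        return 0.0
    return 2.0 * goertzel_power(frame, freq) / (len(frame) * energy)


def scan_call(samples):
    """Return start offsets (ms) of frames that are near-pure 2600 Hz."""
    hits = []
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        if purity(samples[start:start + FRAME]) >= PURITY_MIN:
            hits.append(start * 1000 // FS)
    return hits


def tone(freq, ms, amp=1.0):
    """Constructed test signal: a sine of freq Hz lasting ms milliseconds."""
    return [amp * math.sin(2.0 * math.pi * freq * n / FS)
            for n in range(FS * ms // 1000)]


def mix(*signals):
    """Sum equal-length signals sample by sample."""
    return [sum(v) for v in zip(*signals)]


# Constructed sample call: speech-like audio containing a 2600 Hz partial,
# then 100 ms of bare 2600 Hz, then speech-like audio again.
SPEECH = mix(tone(400, 200), tone(1200, 200), tone(2600, 200))
CALL = SPEECH + tone(2600, 100) + SPEECH

if __name__ == "__main__":
    print("speech-like purity:", round(purity(SPEECH[:FRAME]), 3))
    print("2637 Hz purity:    ", round(purity(tone(2637, 100)), 3))
    print("flagged offsets ms:", scan_call(CALL))
```

Speech that merely contains a 2600 Hz component, and the 2637 Hz piano note mentioned in the text, both score far below the threshold, which is why talk-off false alarms are rare while a bare tone in mid-call stands out.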


While step-by-step details for the construction of a blue box are beyond the
scope of this tutorial, it is worthwhile to mention some of the details.

First there are some alternatives but they are not as good as an actual blue
box.  Many computers are capable of generating MF tones.  Thus, your local
phriendly software pirate should have a program compatible with your computer.

However, it is highly advisable not to box from home as stated in The Ten
Commandments (as interpreted for phreaks by Fred Steinbeck -- TAP #86).

I.  Box thou not over thine home telephone wires, for those who doest must
    surely bring the full wrath of the Chief Special Agent down upon thy heads.

Another alternative that has a moderate success rate involves recording the
tones from a phriend with a box or computer onto a cassette tape.  They
can then be used at a fortress.

As for actual construction techniques, TAP has devoted many issues to blue
boxing.  Basically, a blue box is merely a device capable of generating
two different tones simultaneously. There are two basic construction methods
that I will outline below for the electronics hobbyist.

The first involves the use of two 555 timer chips (or a 556 -- i.e., two
555's in one chip).  It offers excellent frequency and voltage
stability.  Also, it does not need a diode matrix keypad but uses double-pole
switches instead.  Schematics for this type of box can be found in TAP
issue #29.

The other common box makes use of two Intersil 8038CC Function Generators.
It also requires a diode matrix keypad, potentiometers, an LM-100 voltage
regulator, a 741 Op-amp, and a handful of other parts.  The schematics for
this type of blue box can be found in TAP #26.

Both designs draw about 20 mA of current.

Also, most blue boxes use telephone earpieces (with the varistor removed)
for speakers.  These can be easily liberated from fortress fones with a
small coping saw.

Usually, the hardest part about building a blue box is the calibration.  A
frequency counter is a must and an oscilloscope won't hurt.

Some boxes also take timing into account.  It is feasible on the ESS systems
that they check to see if the digits are of uniform length.  If they aren't,
they are probably from a blue box and a trouble card may be dropped.  With this
in mind, the Bell standard for MF pulses and interdigit intervals is around 75
ms.  It varies with the equipment used since ESS can handle higher speeds and
doesn't need interdigit intervals.


Besides dialing normal calls free, i.e., KP+NPA+NNX+XXXX+ST, blue boxes
offer the entire network for exploration.  Emergency break-ins, service
monitoring (aka taps), stacking tandems (the art of busying out all trunks
between two points), re-routing calls, conference calls, and much, much
more are all feasible.  Although, Bell frequently changes these codes due to

Here are some standard ones, though:


(an optional NPA may precede all of the numbers; otherwise, you will reach the
one local for the area where the call is originated)

001      -- Trunk Access System

009      -- Rate Quote System

101      -- toll office test board

121      -- INWARD Operator

This operator assists the local "0" operator in completing calls.  (S)he
will do virtually anything for you providing it is within her NPA.

131      -- Operator Directory assistance

141      -- Route & Rate

(141 defunct -- use KP + 800 + 141 + 1212 + ST)

These operators are very useful if you know how to mumble a few cryptic
phrases as compiled below (with thanks to Fred Steinbeck):

To find out...

...Area Codes

For example, say, "Miami, Florida, numbers route, please."  The R&R
operator will tell you "305 plus," meaning that 305 plus the seven digit
number will get you Miami.

... Inward Operator City Codes

Usually, the INWARD operator for an area is simply KP + NPA + 121 + ST.  In
some area codes, though, there are several large cities and thus several
inwards.  To find the inward for a specific city, you would say "916 756,
operator route, please" to the R&R operator who will then tell you "916
plus 001 plus."  This means that KP + 916 + 001 + 121 + ST will get you an
inward for Sacramento, CA (916-756).

... City names

If you want to know the city that corresponds to an area code and
exchange, you simply tell the R&R, "Place name, 914 390, please."  In this
example, the R&R operator will respond with "White Plains, NY."

... International Directory Assistance

If you need a directory route for London, you could say "International,
London, England.  TSPS directory route, please."  The R&R operator will respond
with "Directory to London, England.  Country code 44 plus 1 plus 986 plus
3611." Therefore to get a DA operator in London, you would route yourself to
an international sender and KP + 04419863611 + ST.

... Country & City codes

If you need to know the country and city code for an international number
you can say "International, Sydney, Australia, TSPS numbers route, please"
and get "Country code 61 plus 2."

... International Inwards Routes

To get routing codes for international inwards say "International, London,
England, TSPS inward route, please." The R&R Operator will respond with
"Country code 44 plus 121."

Finally, to get language assistance for completing a foreign call you can tell
the foreign inward, "United States calling.  Language assistance in
completing a call to (called party) at (called number)."

151      -- overseas incoming (212 + & 914 +)

160-XX0  -- Various Overseas Operators

161      -- trouble reporting operator (defunct)

181      -- Coin Refund Operator

18X      -- Overseas senders

To make an international call, one would KP + 011 + 0CC + ST where CC is
the country code.  This will route you to the appropriate overseas sender.
You will then receive a 480 Hz dial tone.  Here you enter KP + 0CC + city
code + local number + ST and the call is on its way.

Country codes can be either 1, 2, or 3 digits but they must be padded to
three digits to create a pseudo-country code with extra zeros if necessary.
For example, England, country code 44, becomes 044.

To see which international sender a certain country (let's use French
Guiana, country code 594, for example) goes through, you can dial KP + 011 +
594 + ST, wait for the Proceed to Send tone then KP + 000 + 0000 + ST and you
will receive a recording saying which ISC (International Switching Center) it
is.  For the example it will say, "This is the international switching center
in Pittsburgh, PA -- This is a recording - 4121."  You can actually route calls
to certain senders yourself (KP + NPA + 18X + ST) but it is better off not to
since it may look suspicious if a call is sent through a sender that it
shouldn't go through.  Here are the senders:

182  -- White Plains, NY
183  -- New York, NY
184  -- Pittsburgh, PA
185  -- Orlando, FL
186  -- Oakland, CA
187  -- Denver, CO
188  -- New York, NY

Also, there tends to be a lot of talk about the Code 11, Code 12, KP2, STP,
ST3P, & ST2P keys.  While they do exist the blue boxer need not concern himself
with them.  The first three are used on CCITT System 5.  This is the signaling
system that the International Senders use to send information to other
countries.  These codes are usually added automatically just like the
language assistance digit [which distinguishes operator (or blue box)
dialed calls from customer dialed calls].  The STP, ST3P, & ST2P tones
are used when equipment is communicating with the TSPS.  These also are
automatically added when needed in most cases.

[see Telcom III for more on International Switching Centers (ISC)]

11XXX    -- miscellaneous operators

11501    -- universal cordboard operator
11511    -- conference operator
11521    -- mobile operator
11531    -- marine operator
11541    -- LD incoming switchboard
11551    -- leave word for time & charges (neat stuff)
11561    -- same as 11551 but for hotel/motels
11571    -- overseas operators -- language assistance

The 11XXX series is interesting scanning material.

Miscellaneous Routing Codes :

Alliance Teleconferencing has several numbers, a few of which are listed

KP + 213 080 XXXX + ST
KP + 305 025 XXXX + ST
KP + 312 001 XXXX + ST

XXXX = 1050, 1100, or a few others

Also, at KP + 317 009 + ST there is a MF tone checker.  After the beep-kerclunk,
dial in KP + 999 1234567 890 + ST and it will repeat the digits that you pulsed
if they are of the right frequency.

Tandem Scanning:

To find all e[...]ch-tone, send it 2600 Hz, rip it apart.  You never know, you
may run into something phun, like a computer that checks CC numbers.

Incidentally, in some exchanges you can dial inwards and other box codes
directly!  For example, 914-121-1111 will get you a NY inward.  The only
problem is that a 0 or 1 as the first digit of the exchange is usually
prohibited in customer dialing.  Somebody may have "accidentally" changed
this screening code on your ESS's computer, though -- you never know and it
can't hurt to try.  WATS translation numbers also take up some of the 0XX &
1XX codes.

Finally, certain tones on the blue box can also be used for other purposes.
An MF "2" corresponds to COIN COLLECT while "KP" corresponds to COIN RETURN.
Thus every blue box is also a green box (see Telcom VI).

The preceding was intended for informational purposes only.  The
implementation of some of the above mentioned information may be a
violation of state and/or federal laws.

PPS  Any and all threats, comments,
suggestions, and/or subpoenas are
