Blue box

From Wikipedia, the free encyclopedia
  (Redirected from Blue box (phreaking))
Jump to: navigation, search
This article is about the phone phreaking tool. For other uses, see Blue box (disambiguation).
The blue box built by Steve Wozniak, on display at the Computer History Museum, gift of Rick Prelinger

A blue box is an electronic device that generates the same tones employed by a telephone operator's dialing console to switch long-distance calls.[1] A blue box is a tool that emerged in the 1960s and '70s; it allowed users to route their own calls by emulating the in-band signaling mechanism that then controlled switching in long distance dialing systems. The most typical use of a blue box was to place free telephone calls. A related device, the black box enabled one to receive calls which were free to the caller. The blue box no longer works in most Western nations, as modern switching systems are now digital and do not use in-band signaling. Instead, signaling occurs on an out-of-band channel which cannot be accessed from the line the caller is using, a system called Common Channel Interoffice Signaling or CCIS.

History[edit]

A tone of 2600 Hz (LOUD)

Problems playing this file? See media help.

In November, 1954, the Bell System Technical Journal published an article titled "In-Band Single-Frequency Signaling" which described the process used for routing telephone calls over trunk lines with the then-current signaling system, R1.[2] The article described the basics of the inter-office trunking system and the signalling used. This, while handy, could not be used in and of itself, as the frequencies used for the Multi-Frequency, or "MF", tones were not published in this article.

In November, 1960, the other half of the equation was revealed by the Bell System Technical Journal: another article titled "Signaling Systems for Control of Telephone Switching" was published containing the frequencies used for the digits that were used for the actual routing codes[3] With these two items of information, the phone system was at the disposal of anyone with a cursory knowledge of electronics. Once Bell realized what they had done, company representatives visited most college campuses and physically cut out the pages that had the tone frequencies, but the information had already been made public and the error was irreversible.

However, contrary to numerous stories, before finding the articles in the Bell System Technical Journal it was discovered by many, some very unintentionally and to their annoyance, that a 2600 Hz tone, used by AT&T Corporation as a steady signal to mark currently unused long-distance telephone lines, or "trunk lines", would reset those lines. Joe Engressia (known as Joybubbles) accidentally discovered it at the age of 7 by whistling (with his mouth).[4] He and other famous phone phreaks such as "Bill from New York" and "The Glitch", trained themselves to whistle 2600 Hz to reset a trunk line. They also learned how to route phone calls by causing trunks to flash in certain patterns. At one point in the 1960s, packets of the Cap'n Crunch breakfast cereal included a free gift: a small whistle that (by coincidence) generated a 2600 Hz tone when one of the whistle's two holes was covered. The phreaker John Draper adopted his nickname "Captain Crunch" from this whistle. Others would utilize exotic birds such as canaries which are able to hit the 2600 Hz tone to the same effect.

With the ability to blue box, what was once individuals exploring the telephone network started to develop into a whole sub-culture. Famous phone phreaks such as John "Captain Crunch" Draper, Mark Bernay, and Al Bernay used blue boxes to explore the various 'hidden codes' that were not dialable from a regular phone line.

Some of the more famous pranksters were Steve Wozniak and Steve Jobs, founders of Apple Computer. On one occasion Wozniak dialed Vatican City and identified himself as Henry Kissinger (imitating Kissinger's German accent) and asked to speak to the Pope (who was sleeping at the time).[5]

Blue boxes were primarily the domain of "pranksters" and "explorers",[citation needed] but others used blue boxes solely to make free phone calls. They were also popular with drug dealers and other criminals, because calls were not only free, but were virtually impossible to trace with the technology available at the time.

Blue boxing hit the mainstream media when an article by Ron Rosenbaum titled Secrets of the Little Blue Box was published in the October 1971 issue of Esquire magazine.[4] Suddenly, many more people wanted to get into the phone phreaking culture spawned by the blue box, and it furthered the fame of Captain Crunch and groups, like the Legion of Doom. Two major amateur radio magazines ('73' and "CQ') published articles on the telephone system in the mid 1970s. CQ Magazine also published details on phone phreaking, including the tone frequencies and several working blue box schematics in 1974.

In November 1988, the CCITT (now known as ITU-T) published recommendation Q.140, which goes over Signaling System No. 5's international functions, once again giving away the 'secret' frequencies of the system. This caused a resurgence of blue boxing incidents with a new generation.[citation needed]

During the early 1990s, blue boxing became popular with the international warez scene, especially in Europe. Software was made to facilitate blue boxing using a computer to generate the signalling tones and play them into the phone. For the PC there were BlueBEEP, TLO, and others, and blue boxes for other platforms such as Amiga were available as well.

In the 1970s and 80s some trunks were modified to filter out single frequency tones arriving from a caller. The death of blueboxing came in the mid to late 1990s when telcos, becoming aware of the problem, eventually moved to out-of-band signaling systems with separate data and signalling channels (such as CCIS and SS7). These systems separated the voice and signaling channels, making it impossible to generate signalling signals from an ordinary voice phone line. It is rumored that some international trunks still utilize in-band signaling and are susceptible to tones, although often it's 2600+2400 Hz then 2400 Hz to seize. Sometimes the initial tone is a composition of three frequencies. A given country may have inband signalling on trunks from a specific country but not others.

Operation[edit]

The operation of a blue box is simple: First, the user places a long distance telephone call, usually to an 800 number or some other non-supervising phone number. For the most part, anything going beyond 50 miles would go over a trunk type susceptible to this technique.

When the call starts to ring, the caller uses the blue box to send a 2600 Hz tone (or 2600+2400 Hz on many international trunks followed by a 2400 Hz tone). The 2600 Hz is a supervisory signal, because it indicates the status of a trunk; on hook (tone) or off-hook (no tone). By playing this tone, you are convincing the far end of the connection that you've hung up and it should wait. When the tone stops, the trunk will go off-hook and on-hook (known as a supervision flash), making a "Ka-Cheep" noise, followed by silence. This is the far end of the connection signalling to the near end that it is now waiting for routing digits.

Once the far end sends the supervision flash, the user would use the blue box to dial a "Key Pulse" or "KP", the tone that starts a routing digit sequence, followed by either a telephone number or one of the numerous special codes that were used internally by the telephone company, then finished up with a "Start" or "ST" tone. At this point, the far end of the connection would route the call the way you told it, while the user's local exchange would presume the call was still ringing at the original number. KP1 is generally used for domestic dialing where KP2 would be for international calls.

The blue box consisted of a set of audio oscillators, a telephone keypad, an audio amplifier and speaker. Its use relied, like much of the telephone hacking methodology of the time, on the use of a constant tone of 2600 Hz to indicate an unused telephone line. A free long distance telephone call (such as the information operator from another area code) was made using a regular telephone, and when the line was connected, a 2600 Hz tone from the blue box was fed into the mouthpiece of the telephone, causing the operator to be disconnected and a free long distance line to be available to the blue box user. The keyboard was then used to place the desired call, using touch tone frequencies specific for telephone operators. These frequencies are different from the normal touch tone frequencies used by telephone subscribers, which is why the telephone keypad could not be used and the blue box was necessary.

Countermeasures[edit]

Development and use of the blue box was largely enabled by Bell Telephone's policy of publishing all technical documentation regarding its equipment. In response to the development of this and other means of telephone hacking, the company began to develop other means of securing its system, without publicly disclosing the details.[citation needed] These included modifying telephone central offices to listen for the 2600 Hz tone coming from a subscriber telephone. This, plus the investigation and prosecution of several hackers by the FBI, led to a decrease in phone phreaking and displaced much of the remaining activity to coin phones.

Electronic switching systems maintained logs of all calls made, including calls to free numbers. This earned the nickname "electronic surveillance system" as telephone company personnel would use this data to locate unusual patterns (such as lengthy, repeated calls to information or national hotel reservation numbers) and wiretap the affected lines. In one 1975 case, the Pacific Telephone Company targeted one defendant's line with the following equipment:

  • A CMC 2600, a device which registers on a counter the number of times a 2600 cycle tone is detected on the line.
  • A tape recorder, activated automatically by the CMC 2600 to record two minutes of telephone audio after each burst of 2600 cycle activity.
  • A Hekemian 51A, which replicates the functions of the CMC 2600 and also produces a tape print-out of outgoing calls. Ordinary calls were recorded in black ink and destination numbers called via the blue box were recorded in red ink.[6]

Demise and legacy[edit]

Ultimately, the blue box's days were numbered due to digital switching equipment and out-of-band signalling. Currently, the blue box no longer works in North America, primarily because the phone system has converted to digital and (analog) inband signalling is no longer used. The "blue box" terminology has therefore been recycled for other purposes. The hacking community evolved into other endeavours and there currently exists a commercially published hacking magazine, titled 2600, a reference to the 2600 Hz tone that was once central to so much of telephone hacking.

Frequencies and timings[edit]

Each MF tone consists of two frequencies, shown in the table on the left. Note that these are not the same as customer dialed Touch Tone, which is shown by the table on the right:

Operator (blue box) dialed MF frequencies
Code 700 Hz 900 Hz 1100 Hz 1300 Hz 1500 Hz 1700 Hz
1 X X
2 X X
3 X X
4 X X
5 X X
6 X X
7 X X
8 X X
9 X X
0/10 X X
11/ST3 X X
12/ST2 X X
KP X X
KP/ST2 X X
ST X X
Customer-dialed Touch-Tone (DTMF) frequencies
1209 Hz 1336 Hz 1477 Hz 1633 Hz
697 Hz 1 2 3 A
770 Hz 4 5 6 B
852 Hz 7 8 9 C
941 Hz * 0 # D

The rightmost column is not present on most
consumer telephones.


Normally, the tone durations are on for 60ms, with 60ms of silence between digits. The 'KP' and 'KP2' tones are sent for 100ms. KP2 (ST2 in the R1 standard) was used for dialing internal Bell System telephone numbers. However, actual frequency durations can vary depending on location, switch type, and the machine status.

This set of MF tones was originally devised for Bell System long-distance operators placing calls manually and predates the 1963 DTMF "Touch-Tone" system used by subscribers; in some 1950s and 1960s AT&T archive films, operators are shown asking callers for the number and pressing KP + area code + seven-digit number + ST manually to complete individual toll calls. The leading 1- trunk prefix was not dialled as the operator was already on a Long Lines trunk at this point.

Special codes[edit]

Some of the special codes a person could get onto are in the chart below. "NPA" is a U.S. telephone company term for 'area code'.

Many of these appear to have been originally three-digit codes, dialled without the leading area code, and the format of destination numbers dialled to the international senders has changed at various points as ability to call additional nations was added.[7]

  • NPA+100 – Plant Test – Balance termination
  • NPA+101 – Plant Test – Toll Testing Board
  • NPA+102 – Plant Test – Milliwatt tone (1004 Hz)
  • NPA+103 – Plant Test – Signaling test termination
  • NPA+104 – Plant Test – 2-way transmission and noise test
  • NPA+105 – Plant Test – Automatic Transmission Measuring System
  • NPA+106 – Plant Test – CCSA loop transmission test
  • NPA+107 – Plant Test – Par meter generator
  • NPA+108 – Plant Test – CCSA loop echo support maintenance
  • NPA+109 – Plant Test – Echo canceler test line
  • NPA+121 – Inward Operator
  • NPA+131 – Operator Directory assistance
  • NPA+141 – Rate and Route Information
  • 914+151 – Overseas incoming (White Plains, NY)
  • 212+151 – Overseas incoming (New York, NY)
  • NPA+161 – trouble reporting operator (defunct)
  • NPA+181 – Coin Refund Operator
  • 914+182 – International Sender (White Plains, NY)
  • 212+183 – International Sender (New York, NY)
  • 412+184 – International Sender (Pittsburgh, PA)
  • 407+185 – International Sender (Orlando, FL)
  • 510+186[citation needed] – International Sender (Oakland, CA) - area code was likely 415 in this era, as area code 510 was TWX
  • 303+187 – International Sender (Denver, CO)
  • 212+188 – International Sender (New York, NY)

Not all NPAs had all functions.

Blue boxes in other countries[edit]

Another signaling system widely used on international circuits (except those terminating in North America) was CCITT Signaling System No. 4 (friendly named 'SS4').

Technical definitions are specified in formerly CCITT (now ITU-T) Recommendations Q.120 to Q.139.[8]

This was also an in-band system but, instead of using multifrequency signals for digits, it used four 35 ms pulses of tone, separated by 35 ms of silence, to represent digits in four-bit binary code, with 2400 Hz as a '0' and 2040 Hz as a '1'. The supervisory signals used the same two frequencies, but each supervisory signal started with both tones together (for 150 ms) followed, without a gap, by a long (350 ms) or short (100 ms) period of a single tone of 2400 Hz or 2040 Hz. Phreaks in Europe built System 4 blue boxes that generated these signals. Because System 4 was used only on international circuits, the use of these blue boxes was more specialized.

Typically, a phreak would gain access to international dialing at low or zero cost by some other means, make a dialed call to a country that was available via direct dialing, and then use the System 4 blue box to clear down the international connection and make a call to a destination that was available only via operator service.

Thus, the System 4 blue box was used primarily as a way of setting up calls to hard-to-reach operator-only destinations, in order to impress other phreaks, rather than as a way of making free or cheap calls.

A typical System 4 blue box had a keypad (for sending four-bit digit signals) plus four buttons for the four supervisory signals (clear-forward, seize-terminal, seize-transit, and transfer-to-operator). After some experimentation, nimble-fingered phreaks found that all they really needed was two buttons, one for each frequency. With practice, it was possible to generate all the signals with sufficient timing precision manually, including the digit signals. This made it possible to make the blue box quite small.

A refinement added to some System 4 blue boxes was an anti-acknowledgment-echo guard tone. Because the connection between the telephone and the telephone network is two-wire, but the signaling on the international circuit operates on a four-wire basis (totally separate send and receive paths), signal-acknowledgment tones (single pulses of one of the two frequencies from the far end of the circuit after receipt of each digit) tended to be reflected back at the four-wire/two-wire conversion point. Although these reflected signals were relatively faint, they were sometimes loud enough for the digit-receiving circuits at the far end to treat them as the first bit of the next digit, messing up the phreak's transmitted digits. What the improved blue box did was to continuously transmit a tone of some other frequency (e.g., 600 Hz) as a guard tone whenever it was not sending a System 4 signal. This guard tone drowned out the echoed acknowledgment signals, so that only the blue box-transmitted digits were heard by the digit-receiving circuits at the far end.

See also[edit]

References[edit]

External links[edit]