- 280px-Blue_Box_in_museum.jpg (21.87 KiB) Viewed 6314 times
The blue box built by Steve Wozniak, on display at the Computer History Museum, gift of Rick Prelinger
An early phreaking tool, the blue box is an electronic device that simulates a telephone operator's dialing console. It functions by replicating the tones used to switch long-distance calls and using them to route the user's own call, bypassing the normal switching mechanism. The most typical use of a blue box was to place free telephone calls - inversely, the Black Box enabled one to receive calls which were free to the caller. The blue box no longer works in most western nations, as modern switching systems are now digital and no longer use the in-band signaling which the blue box emulates. Instead, signaling occurs on an out-of-band channel which cannot be accessed from the line the caller is using (called Common Channel Interoffice Signaling (CCIS)).
The blue box got its name because the first such device confiscated by Bell System security was in a blue plastic case.
-------------------------------------------
History
In November, 1954, the Bell System Technical Journal published an article, which described the process used for routing telephone calls over trunk lines with the then-current signaling system, R1.[1] The article described the basics of the inter-office trunking system and the signalling used. This, while handy, could not be used in and of itself, as the frequencies used for the Multi-Frequency, or "MF", tones were not published in this article.
In November, 1960, the other half of the equation was revealed by the Bell System Technical Journal: another article entitled "Signaling Systems for Control of Telephone Switching" (by C. Breen and C. A. Dahlbom) was published containing the frequencies used for the digits that were used for the actual routing codes.[citation needed] With these two items of information, the phone system was at the disposal of anyone with a cursory knowledge of electronics.
However, contrary to numerous stories, before finding the articles in the Bell System Technical Journal it was discovered by many, some very unintentionally and to their annoyance, that some Bell System trunks could be reset by a 2600 Hz tone. Joe Engressia (known as Joybubbles) accidentally discovered it at the age of 7 by whistling (with his mouth).[2] He and other famous phone phreaks such as "Bill from New York" and "The Glitch", trained themselves to whistle 2600 Hz (which would reset trunks). They also learned how to route phone calls by causing trunks to flash in certain patterns.
With the ability to blue box, what was once individuals exploring the telephone network started to develop into a whole sub-culture. Famous phone phreaks such as John "Captain Crunch" Draper, Mark Bernay, and Al Bernay used blue boxes to explore the various 'hidden codes' that were not dialable from a regular phone line.
Some of the more famous pranksters were Steve Wozniak and Steve Jobs, founders of Apple Computer. On one occasion Wozniak dialed Vatican City and identified himself as Henry Kissinger (imitating Kissinger's German accent) and asked to speak to the Pope (who was sleeping at the time).[3]
Blue boxes were primarily the domain of "pranksters" and "explorers"; while others used blue boxes solely to make free phone calls.
Blue boxing hit the mainstream media when an article by Ron Rosenbaum entitled Secrets of the Little Blue Box was published in the October 1971 issue of Esquire magazine.[2] Suddenly, many more people wanted to get into the phone phreaking culture spawned by the blue box, and it furthered the fame of Captain Crunch and groups, like the Legion of Doom.
In November 1988, the CCITT (now known as ITU-T) published recommendation Q.140, which goes over Signaling System No. 5's international functions, once again giving away the 'secret' frequencies of the system. This caused a resurgence of blue boxing incidents with a new generation.[citation needed]
During the early 1990s, blue boxing became popular with the international warez scene, especially in Europe. Software was made to facilitate blue boxing using a computer to generate the signalling tones and play them into the phone. For the PC there were BlueBEEP, TLO, and others, and blue boxes for other platforms such as Amiga were available as well.
The death of blueboxing came in the mid to late 1990s when telcos, becoming aware of the problem, eventually moved to signalling systems with separate data and signalling channels (such as CCIS and SS7), making manipulation impossible. It is rumored that some international trunks still utilize in-band signaling and are susceptible to tones, although often it's 2600+2400Hz then 2400 Hz to seize. Sometimes the initial tone is a composition of three frequencies. A given country may have inband signalling on trunks from a specific country but not others.
--------------------------------------------
Operation
The operation of a blue box is simple: First, the user places a long distance telephone call, usually to an 800 number or some other non-supervising phone number. For the most part, anything going beyond 50 miles would go over a trunk type susceptible to this technique.
When the call starts to ring, the caller uses the blue box to send a 2600 Hz tone (or 2600+2400Hz on many international trunks followed by a 2400 Hz tone). The 2600 Hz is a supervisory signal, because it indicates the status of a trunk; on hook (tone) or off-hook (no tone). By playing this tone, you are convincing the far end of the connection that you've hung up and it should wait. When the tone stops, the trunk will go off-hook and on-hook (known as a supervision flash), making a "Ka-Cheep" noise, followed by silence. This is the far end of the connection signalling to the near end that it is now waiting for routing digits.
Once the far end sends the supervision flash, the user would use the blue box to dial a "Key Pulse" or "KP", the tone that starts a routing digit sequence, followed by either a telephone number or one of the numerous special codes that were used internally by the telephone company, then finished up with a "Start" or "ST" tone. At this point, the far end of the connection would route the call the way you told it, while the users end would think you were still ringing at the original number. KP1 is generally used for domestic dialing where KP2 would be for international calls.
------------------------------------------------
Names
Spiro was one of the names given to the blue box, a piece of telephone hacking equipment used in the 1970s to make long distance telephone calls without being billed. In a sarcastic reference, it was named after Spiro Agnew, the vice-president of the United States at the time, who was greatly unpopular with the youth and counterculture who largely made up the telephone hacking community. Other pieces of hacking equipment were named the Agnew, and even the T, Agnew's middle initial.
The Spiro consisted of a set of audio oscillators, a telephone keypad, an audio amplifier and speaker. Its use relied, like much of the telephone hacking methodology of the time, on the use of a constant tone of 2600 hertz to indicate an unused telephone line. A free long distance telephone call (such as the information operator from another area code) was made using a regular telephone, and when the line was connected, a 2600 Hz tone from the Spiro was fed into the mouthpiece of the telephone, causing the operator to be disconnected and a free long distance line to be available to the Spiro user. The keyboard was then used to place the desired call, using touch tone frequencies specific for telephone operators. These frequencies are different from the normal touch tone frequencies used by telephone subscribers, which is why the telephone keypad could not be used and the Spiro was necessary.
Development and use of the Spiro was largely enabled by Bell Telephone's policy of publishing all technical documentation regarding its equipment. In response to the development of this and other means of telephone hacking, the company began to develop other means of securing its system, without publicly disclosing the details[citation needed]. This, plus the investigation and prosecution of several hackers by the FBI, finally made the Spiro and other hacking equipment obsolete. The hacking community evolved into other endeavors, however, and there currently exists a commercially published hacking magazine, titled 2600, a reference to the 2600 Hz tone that was central to so much of telephone hacking.
Frequencies and Timings
Each MF tone consists of two frequencies, shown in the table on the left. Note that these are not the same as customer dialed Touch Tone, which is shown by the table on the right:
---------------------------------------------
Operator (blue box) dialed MF frequencies
Code--700 Hz--900 Hz--1100 Hz--1300 Hz--1500 Hz--1700 Hz
1--------X-----------X
2--------X----------------------X
3--------------------X----------X
4--------X-----------------------------------X
5--------------------X-----------------------X
6--------------------------------X-----------X
7--------X-----------------------------------------------X
8--------------------X-----------------------------------X
9--------------------------------X-----------------------X
0/10----------------------------------------X-----------X
11/ST3 -X--------------------------------------------------------X
12/ST2-------------X---------------------------------------------X
KP-------------------------------X---------------------------------X
KP/ST2-------------------------------------X---------------------X
ST-------------------------------------------------------X---------X
-------------------------------
Customer-dialed Touch-Tone (DTMF) frequencies
---------1209 Hz--1336 Hz--1477 Hz---1633 Hz
697 Hz----1-------- 2-----------3-----------A
770 Hz----4---------5-----------6-----------B
852 Hz----7---------8-----------9-----------C
941 Hz----*----------0-----------#-----------D
--------------------------
Normally, the tone durations are on for 60ms, with 60ms of silence between digits. The 'KP' and 'KP2' tones are sent for 100ms. KP2 (ST2 in the R1 standard) was used for dialing internal Bell System telephone numbers. However, actual frequency durations can vary depending on location, switch type, and the machine status.
Special codes ---------------------
Some of the special codes a person could get onto are in the chart below. "NPA" is a U.S. telephone company term for 'area code'.
NPA+100 – Plant Test – Balance termination
NPA+101 – Plant Test – Toll Testing Board
NPA+102 – Plant Test – Milliwatt tone (1004 Hz)
NPA+103 – Plant Test – Signaling test termination
NPA+104 – Plant Test – 2-way transmission and noise test
NPA+105 – Plant Test – Automatic Transmission Measuring System
NPA+106 – Plant Test – CCSA loop transmission test
NPA+107 – Plant Test – Par meter generator
NPA+108 – Plant Test – CCSA loop echo support maintenance
NPA+109 – Plant Test – Echo canceler test line
NPA+121 – Inward Operator
NPA+131 – Operator Directory assistance
NPA+141 – Rate and Route Information
914+151 – Overseas incoming (White Plains, NY)
212+151 – Overseas incoming (New York, NY)
NPA+161 – trouble reporting operator (defunct)
NPA+181 – Coin Refund Operator
914+182 – International Sender (White Plains, NY)
212+183 – International Sender (New York, NY)
412+184 – International Sender (Pittsburgh, PA)
407+185 – International Sender (Orlando, FL)
510+186 – International Sender (Oakland, CA)
303+187 – International Sender (Denver, CO)
212+188 – International Sender (New York, NY)
Not all NPAs had all functions.
Back to the games boys and girls
