A blue box is an electronic device that produces tones used to generate the in-band signaling tones formerly used within the North American long-distance telephone network to send line status and called number information over voice circuits. This allowed an illicit user, referred to as a "phreaker", to place long-distance calls, without using the network's user facilities, that would be billed to another number or dismissed entirely as an incomplete call. A number of similar "color boxes" were also created to control other aspects of the phone network.
First developed in the 1960s and used by a small phreaker community, the introduction of low-cost microelectronics in the early 1970s greatly simplified these devices to the point where they could be constructed by anyone reasonably competent with a soldering iron or breadboard construction. Soon after, models of relatively low quality were being offered fully assembled, but these often required tinkering by the user to remain operational.
The long-distance network became digitized, replacing the audio call-control tones with out-of-band signaling methods in the form of common-channel signaling (CCS) carried digitally on a separate channel inaccessible to the telephone user. The audio-tone-based blue boxes were of limited use by the 1980s, and of little use today.
History
Automated dialing
Local calling had been increasingly automated through the first half of the 20th century, but long-distance calling still required operator intervention. Automation was deemed essential by AT&T. By the 1940s they had developed a system that used audible tones played over the long-distance lines to control network connections. Tone pairs, referred to as multi-frequency (MF) signals, were assigned to the digits used for telephone numbers. A different, single tone, referred to as single frequency (SF), was used as a line status signal.
This new system allowed the telephone network to be increasingly automated by deploying the dialers and tone generators on an as-required basis, starting with the busier exchanges. Bell Labs was happy to advertise their success in creating this system, and repeatedly revealed details of its inner workings. In the February 1950 issue of Popular Electronics, they published an advertisement, Playing a Tune for a Telephone Number, which showed the musical notes for the digits on a staff and described the telephone operator's pushbuttons as a "musical keyboard".[2] Two keys on a piano would need to be pushed simultaneously to play the tones for each digit. The illustration did not include the tone pairs for the special control signals KP and ST, although in the picture the operator's finger is on the KP key and the ST key is visible. In the 1950s, AT&T released a public relations film, "Speeding Speech", which described the operation of the system. In the film, the tone sequence for sending a complete telephone number is heard through a loudspeaker as a technician presses the keys for dialing.[3]
In November 1954, the Bell System Technical Journal published an article entitled "In-Band Single-Frequency Signaling", which described the signaling scheme used for starting and ending telephone calls for the purpose of routing over trunk lines.[4][5] In November 1960, an article in the Bell System Technical Journal provided an overview of the technical details of signaling systems, and disclosed the frequencies of the signals.[6]
The system was relatively complex for 1950s technology. It had to accurately decode the frequencies and ignore any signals where that frequency might be accidentally created; music playing in the background might randomly contain the SF tones and the system had to filter these out. To do this, the signaling unit compared the signal power from a bandpass filter centered on 2600 Hz to signal power in other parts of the audio band, and only triggered if the tone was the most prominent signal. The originating end of the call would play the tone into the trunk line when the call ended, and trigger the remote end to end the call. After a short time, the originating end reduced the tone level and continued to send tone as long as it received on hook status from its local equipment.
Discovery and early use
Before the technical details were published, many users discovered unintentionally, and to their annoyance, that a 2600 Hz tone played into the caller's handset would cause a long-distance call to disconnect. The 2600 Hz tone might be present if the caller were whistling into the telephone microphone while waiting for the called party to answer. Upon detecting the tone from the caller's end, the receiving signaling unit sent an on hook status to the connected equipment, which disconnected the call from that point forward, as if the caller had hung up.
Among the earliest to discover this effect was Joe Engressia, known as Joybubbles, who accidentally discovered it at the age of seven by whistling. He became fascinated with the phone network, and over the next decade had built up a considerable base of knowledge about the system and how to place calls using the control tones. He and other phone phreaks, such as "Bill from New York" and "The Glitch", trained themselves to whistle 2600 Hz to reset a trunk line. They also learned how to route telephone calls by flashing, that is using very short pulses of the on-hook signal, to send routing instructions.
At one point in the 1960s, packages of the Cap'n Crunch breakfast cereal included a free gift: a small whistle that, by coincidence, generated a 2600 Hz tone when one of the whistle's two holes was covered.[7] The phreaker John Draper adopted his nickname "Captain Crunch" from this whistle.[8]
The "toll free" 800 service was launched in 1967 and gave the hackers easy numbers to call. The user would generally choose a number in the target area and then use it as above. Even if billing information were generated, it would be to a 1-800 number and thus free of charge. As before, the remote system would notice a call going to the ultimate non-free number, but could not match the other end.
Technology
It was technically possible to generate the tones with the technology available at the time the system was first deployed. A piano or electronic organ had keys that were close enough in frequency to work. With tuning, they could even be made dead on frequency. For dialing the phone number, the user would press 2 keys at a time. An experienced pianist might have found the key combinations awkward to play. But a blank player piano roll could have been punched to operate the required keys and dial a phone number. Another strategy would have been to purchase doorbells, remove the plungers, and mount them on a frame that could be set over the piano keyboard. Twelve DPDT pushbuttons, labelled KP, ST and the 10 digits, would operate pairs of plungers to play the phone company tones, after the E7 piano key had been pressed and released.
At the time, there were consumer devices for recording on wire or blank phonograph records, so the piano did not have to be near the phone. Consumer tape recorders came later and made the recording process easier. Small, battery powered, tape recorders allowed the tones to be played back almost anywhere.
It was possible to construct an electronic blue box with 1940s vacuum tube technology, but the device would have been relatively large and power hungry. Just as it did for radios, shrinking them from the size of toasters to the size of cigarette packages and allowing them to be powered by small batteries, transistor technology made a small, battery powered, electronic blue box practical.
AT&T security captured its first blue box in about 1962, but it probably was not the first one built.
A typical blue box had 13 pushbuttons. One button would be for the 2600 Hz tone, pressed and released to disconnect the outgoing connection and then connect a digit receiver. There would be a KP button, to be pressed next, 10 buttons for telephone number digits, and the ST button to be pressed last. The blue box may have had 7 oscillators, 6 for the 2 out of 6 digit code and one for the 2600 Hz tone, or 2 oscillators with switchable frequencies.
The blue box was thought to be a sophisticated electronic device and sold on the black market for a typical $800–1,000 or as much as $3,500. Actually, designing and building one was within the capabilities of many electronics students and engineers with knowledge of the required tones, using published designs for electronic oscillators, amplifiers and switch matrixes, and assembled with readily available parts. Furthermore, it was possible to generate the required tones using consumer products or lab test equipment. The tones could be recorded on small, battery powered, cassette recorders for playback anywhere.
To reduce call set up time, telephone numbers were transmitted from machine to machine in a "speed dial" format, about 1.5 seconds for a 10 digit number, including KP and ST. To catch the cheaters, AT&T could have connected monitors to digit receivers that were not being used for operator dialed calls and logged calls dialed at manual speed. So, some hackers went to the extra trouble of building blue boxes that stored telephone numbers and played the tones with the same timing as the machines.
Subculture
The widespread ability to blue box, once limited to just a few isolated individuals exploring the telephone network, developed into a subculture.[9][10] Famous phone phreaks such as "Captain Crunch", Mark Bernay,[11]: 125 and Al Bernay used blue boxes to explore the various "hidden codes" that could not be dialled by a standard telephone.
Some of the more famous pranksters were Steve Wozniak and Steve Jobs, founders of Apple Computer.[12] On one occasion, Wozniak dialed Vatican City and identified himself as Henry Kissinger (imitating Kissinger's German accent) and asked to speak to the Pope (who was sleeping at the time).[13][12] Wozniak said in 1986:[14]
I called only to explore the phone company as a system, to learn the codes and tricks. I'd talk to the London operator, and convince her I was a New York operator. When I called my parents and my friends, I paid. After six months I quit—I'd done everything that I could.
I was so pure. Now I realize others were not as pure, they were just trying to make money. But then I thought we were all pure.
Jobs later told his biographer that if it had not been for Wozniak's blue boxes, "there wouldn't have been an Apple."[15]
In the media
Blue boxing hit the mainstream media when an article by Ron Rosenbaum titled Secrets of the Little Blue Box was published in the October 1971 issue of Esquire magazine.[11] Suddenly, many more people wanted to get into the phone phreaking culture spawned by the blue box, and it furthered the fame of Captain Crunch.
Two major amateur radio magazines ('73' and "CQ') published articles on the telephone system in the mid-1970s. CQ Magazine published details on phone phreaking, including the tone frequencies and several working blue box schematics in 1974.[16] The June 1975 issue of 73 magazine carried an article describing the rudiments of the long-distance signaling network, and how to construct and operate red and blue boxes.[17] Around the same time, do-it-yourself blue box kits became available.[18][19]
In November 1988, the CCITT (now known as ITU-T) published recommendation Q.140 for the Signaling System No. 5, which caused a resurgence of blue boxing by a new generation of users.
In the early 1990s, blue boxing became popular with the international warez scene, especially in Europe. Software was made to enable blue boxing using a computer to generate and play the signaling tones. For the PC there were BlueBEEP, TLO, and others, and blue boxes were available for other platforms such as Amiga.
Operation
Automating dialing
Local plain old telephone service works by watching the voltage on the telephone lines between the telephone company's exchange office and the customer's telephone. When the phone is on-hook ("hung up") the approximately 48 volt electricity from the exchange flows to the phone and is looped back without passing through the handset. When the user picks up the handset, the current has to flow through the speaker and microphone in it, causing the voltage to drop to under 10 V. This sudden drop in voltage signals the user has picked up the phone.
Originally, all calls were routed manually by an operator who would look for small light bulbs that would illuminate when a subscriber picked up the phone to make a call. The operator would connect a handset to the line, ask the user who they were calling, and then connect a cable between two phone jacks to complete the call. If the user was placing a long-distance call, the local operator would first talk to an operator at the remote exchange using one of the trunk lines between the two locations. When the local operator heard the remote customer come on the line, they would connect their local customer to the same trunk line to complete the call.
The calling process began to be automated from the earliest days of the telephone system. Increasingly sophisticated electromechanical systems would use the changes in voltage to start the connection process. The rotary dial was introduced around 1904 to operate these switches; the dial repeatedly rapidly connects and disconnects the line, a process known as pulse dialing. In common systems, these periodic changes in voltage caused a stepper motor to rotate one position for each pulse of a digit, with longer pauses to switch from one rotary switch to another. When enough digits had been decoded, typically seven in North America, connections between the rotors would select a single line, the customer being dialed.
The idea of using changing voltages to complete the call worked well for the local exchange where the distance between the customer and exchange office might be on the order of a few kilometers. Over longer distances, the capacitance of the lines filter out any rapid changes in voltage and dialing pulses do not reach the remote office in clean form, so that long-distance calls still required operator intervention. As telephone use grew, long-distance calling in particular, telephone companies were increasingly interested in automating this type of connection.
Long-distance direct dialing
To address this need, the Bell System adopted a second system on the circuits that connected the exchanges. When the user dialed a long-distance number, indicated in North America by dialing a "1" at the beginning of the number, the call was switched to a separate system known as a "tandem". The tandem would then buffer the remaining digits and decode the number to see which remote exchange was being dialed, generally using the area code for this purpose. They would then look for a free trunk line between the two exchanges; if none were available the tandem would play the "fast busy" reorder signal to tell the user to try again later.[11]
The basic protocol for finding a free line worked by playing a 2600 Hz tone into the line whenever it was not being used. The tandems at both ends of a given trunk line did this. When the tandem determined which remote exchange was being called it scanned the trunk lines between the two exchanges looking for the tone. When it heard the tone on one of the lines, it knew that line was free to use. They would then select that line and drop the 2600 Hz tone from their end. The remote tandem would hear the tone stop, drop their tone, and then play a supervision flash, making a "ka-cheep" sound, to indicate they had noticed the signal. The line was now free on both ends to connect a call.[11]
Pulse dialing still had the problem that sending the dialed number to the remote exchange would not work due to the capacitance of the network. The tandems solved this by buffering the phone number and then converting each digit into a series of two tones, the multi-frequency signaling system, or "MF". Once the local tandem had found a free line and connected to it, it then relayed the rest of the phone number over the line using the tone dialing method. The remote tandem then decoded the tones and turned them back into pulses on the local exchange. To indicate the start and end of a series of MF digits, special MF tones, KP and ST, were used.[11]
When the call was finished and one of the parties hung up the phone, their exchange would notice the change in voltage and begin playing the 2600 Hz tone into the trunk line. The other end of the connection would respond to the tone by causing their local call to hang up as well, and then began playing the tone into their end as before, to mark the line as free at both ends.[11]
Blue boxing
The blue box consisted of several of audio oscillators, a telephone keypad, an audio amplifier and a speaker. To operate a blue box, the user placed a long-distance telephone call, often to a number that was in the target area. Usually, this initial call would be to a 1-800 number or some other non-supervising telephone number such as directory assistance.[11] Using a toll-free number ensured that the phone being used for access would not be billed.
When the call began to ring, the caller would hold the blue box speaker over the microphone in the handset and use the box to send the 2600 Hz tone (or 2600+2400 Hz on many international trunks followed by a 2400 Hz tone). The called office interprets this tone as the caller hanging up before the call completed, disconnects the call, and begins playing 2600Hz to mark the line free. However, this does not disconnect the call at the caller's end, only physically hanging up the phone will do that. This leaves the caller on a live line that is connected via a long-distance trunk line to a target exchange.[11]
The caller now stops playing the tone. The called exchange interprets this loss of tone to mean the exchange's tandem is attempting to place another call. It responds by dropping its tone and then playing the flash to indicate it is ready to accept routing tones. Once the called end sends the supervision flash, the caller uses the blue box to send a "Key Pulse" or "KP", the tone that starts a routing digit sequence, followed by either a telephone number or one of the numerous special codes that were used internally by the telephone company, then finished with a "Start" tone, "ST".[11] At this point, the called end of the connection would route the call the way it was told, while the caller's local exchange would act as if the call was still ringing at the original number.
Countermeasures
Blue boxing remained rare until the early 1970s when the required systems began to drop in cost and the concept began to be more widely known. At the time, phreakers felt there was nothing Bell Telephone could do to stop blue boxing because it would require Bell to upgrade all their hardware.[11]
For the immediate term, Bell responded with a number of blue box detection and law enforcement countermeasures. Armed with records of all long-distance calls made, kept by both mechanical switching systems and newer electronic switching systems, including calls to toll-free telephone numbers which did not appear on customer bills, telephone security employees began examining those records looking for suspicious patterns of activity. For instance, at the time, calls to long-distance information, while answered, deliberately did not return the electrical "off hook" signal indicating that they had been answered. When an information call was diverted to another number that answered, the billing equipment would log that event. Billing computers processed the logs and generated lists of calls to information that had been answered with an off-hook tone. In the early days, the lists were probably intended to detect equipment malfunctions, but the follow-up investigation did lead to blue box users. After the toll free "800" service was inaugurated, the billing computers were also programmed to generate lists of lengthy calls to toll free numbers. While many of these calls were legitimate, telephone security employees would examine the lists and follow up irregularities.
In this case, filters could be installed on those lines to block the blue box. Bell also would wiretap the affected lines. In one 1975 case, the Pacific Telephone Company targeted one defendant's line with the following equipment:
- A CMC 2600, a device which registers on a counter the number of times a 2600 Hz tone is detected on the line;
- A tape recorder, activated automatically by the CMC 2600 to record two minutes of telephone audio after each burst of 2600 Hz activity; and
- A Hekemian 51A, which replicates the functions of the CMC 2600 and also produces a paper tape print-out of outgoing calls. Ordinary calls were recorded in black ink and destination numbers called via the blue box were recorded in red ink.[20]
These actions resulted in several highly publicized trials.
Decline
The ultimate solution to the blue box vulnerability was to do what the phreakers thought impossible and upgrade the entire network. This process occurred in stages, some of which were already well underway in the early 1970s.
The T1 system was developed beginning in 1957 and began to be deployed around 1962. It digitized the voice signals so that they could be more efficiently carried in high-density connections between exchanges, carrying 24 lines on a single 4-wire connection. Depending on the network layout, the user might no longer be connected directly to a tandem, but instead to a local office that forwarded the signal over a T1 to a more distant exchange that did have the tandem. Simply due to the way the system worked, the supervisory signals had to be filtered out in order for the digitization of the analog signal to work. Recall that the 2600 Hz tone was not dropped from the trunk until the line was connected all the way and would be mixed with other tones like the ringing or busy signal; when used over a T1 this tone mixed with other signals and caused a problem known as "quantization noise" that distorted the sound. These tones were thus filtered down on either side of the T1 connection. Thus it was difficult to blue box in such an environment, although successes are known.
But blue boxing was eventually eliminated entirely for unrelated reasons. In the existing tandem-based network, completing a call required several stages communicating over the trunk line, even if the remote user never answered the call. As this process might take on the order of 10 to 15 seconds, the total wasted time across all of the trunk lines could be used to carry additional calls. To improve line usage, Bell began the development of the Number One Electronic Switching System (1ESS). This system performed all the calling and line supervision using a separate private line between the two offices. Using this system, when a long-distance call was placed the trunk line was not initially used. Instead, the local office sent a message containing the called number to the remote exchange using this separate channel. The remote office would then attempt to complete the call, and indicate this to the original office using the same private line. Only if the remote user answered would the systems attempt to find a free trunk line and connect, thereby reducing the use of the trunk lines to the absolute minimum.
This change also meant the signaling system was available internally to the network on this separate line. There was no connection between the user lines and this signaling line, so there was no route by which the users could influence the dialing. The same rapid reduction in prices that made the blue box possible also led to the rapid reduction in cost of the ESS systems. First applied only to their busiest connections, by the 1980s, the latest 4ESS models and similar machines from other companies were deployed to almost all major exchanges, leaving only corners of the network still connected using tandems. Blue boxing worked if one connected to such an exchange, but could only be used end-to-end if the entire network between the two endpoints consisted only of tandems, which became increasingly rare and disappeared by the late 1980s.
Analog long-distance transmission systems remained more cost effective for the long haul circuits until, at least, the 1970s. Even then, there was a huge installed base of analog circuits, and it made better economic sense to keep using them. It was not until competitor Sprint built its all digital, "quiet", network, where "you could actually hear a pin drop",[21] that AT&T took a multi-billion dollar write-off and upgraded its long-distance network to digital technology.
The phreaking community that had emerged during the blue box era evolved into other endeavors and there currently exists a commercially published hacking magazine, titled 2600, a reference to the 2600 Hz tone that was once central to so much of telephone hacking.[22]
Frequencies and timings
Each multifrequency tone consists of two frequencies chosen from a set of six, shown in the table on the left. The Touch Tone encoding is shown by the table on the right:
Code | 700 Hz | 900 Hz | 1100 Hz | 1300 Hz | 1500 Hz | 1700 Hz |
---|---|---|---|---|---|---|
1 | X | X | ||||
2 | X | X | ||||
3 | X | X | ||||
4 | X | X | ||||
5 | X | X | ||||
6 | X | X | ||||
7 | X | X | ||||
8 | X | X | ||||
9 | X | X | ||||
0/10 | X | X | ||||
11/ST3 | X | X | ||||
12/ST2 | X | X | ||||
KP | X | X | ||||
KP2 | X | X | ||||
ST | X | X |
1209 Hz | 1336 Hz | 1477 Hz | 1633 Hz | |
---|---|---|---|---|
697 Hz | 1 | 2 | 3 | A |
770 Hz | 4 | 5 | 6 | B |
852 Hz | 7 | 8 | 9 | C |
941 Hz | * | 0 | # | D |
The rightmost column is not present on consumer telephones.
Normally, the tone durations for passing numbers from machine to machine in a "speed dialing" format are on for 60 ms, with 60 ms of silence between digits. The 'KP' and 'KP2' tones are sent for 100 ms. KP2 (ST2 in the R1 standard) was used for dialing internal Bell System telephone numbers. However, actual tone durations can vary slightly depending on location, switch type, and the machine status.
For operators, technicians, and blue box phone phreakers, the tone durations would be set by how long the buttons were held down and, for silence, how long before manually pressing the next button.
A blue box could have been constructed which would send the tones with machine to machine timing, with the number either stored in digital memory or a matrix of switches. In the switch matrix, there might be 10 rows for digits, each with 5 switches. Two switches would be moved to on, selecting the 2 tones. (KP and ST would be hard wired.) The 5 switches could be labelled 0, 1, 2, 4, and 7, with the user selecting pairs of switches adding to each digit, with special case 4 plus 7 for digit 0.
Alternatively, the tones could be recorded on magnetic tape, which would be cut into pieces and spliced together, using a commercial splicer for accurate alignment. If the phreaker matched machine dialing and recorded at 7.5 ips (inches per second), the splices for tone and silence would be about 1/2-inch long., with KP 3/4-inch long. For more manageable splicing lengths, the phreaker could use a 15 ips tape recorder, which was less common, and double those lengths. For those without a 15 ips machine but having 2 tape recorders, the tones could be recorded an octave low at 7.5 ips, the pieces spliced together would be were double those lengths. The spliced tape would be re-recorded from a 7.5 ips machine to a 3.75 ips machine. The resulting recording could be played back at 7.5 ips. An interval of 2600 Hz, to disconnect the trunk, followed by an interval of silence, to give enough time for a digit receiver to connect, would be added to precede KP.
This set of MF tones was originally devised for Bell System long-distance operators placing calls manually, as well as machine to machine dialing, and predates the DTMF Touch-Tone system used by subscribers. The leading 1 for customer dialed long-distance calls was not dialed. For operators, the line was muted during dialing, but, for customer telephones, it was only muted while a key was pressed. The Touch Tone frequencies were chosen to minimize the risk of customer talking while dialing, or background sounds, being registered as a digit or digits and resulting in a wrong number. Muting guarded against that happening during operator dialing, so the MF system did not have to be, and was not, so robust. The tones have a simple 200 Hz spacing. For Touch Tone, harmonic relationships and intermodulation products were taken into account in the choice of tones.
Special codes
Some of the special codes a person could get onto are in the chart below. "NPA" is a telephone company term for 'area code'.
Many of these appear to have been originally three-digit codes, dialed without the leading area code, and the format of destination numbers dialed to the international senders has changed at various points as the ability to call additional nations was added.[23]
- NPA+100 – Plant Test – Balance termination
- NPA+101 – Plant Test – Toll Testing Board
- NPA+102 – Plant Test – Milliwatt tone (1004 Hz)
- NPA+103 – Plant Test – Signaling test termination
- NPA+104 – Plant Test – 2-way transmission and noise test
- NPA+105 – Plant Test – Automatic Transmission Measuring System
- NPA+106 – Plant Test – CCSA loop transmission test
- NPA+107 – Plant Test – Par meter generator
- NPA+108 – Plant Test – CCSA loop echo support maintenance
- NPA+109 – Plant Test – Echo canceler test line
- NPA+121 – Inward Operator
- NPA+131 – Operator Directory assistance
- NPA+141 – Rate and Route Information
- 914+151 – Overseas incoming (White Plains, NY)
- 212+151 – Overseas incoming (New York, NY)
- NPA+161 – trouble reporting operator (defunct)
- NPA+181 – Coin Refund Operator
- 914+182 – International Sender (White Plains, NY)
- 212+183 – International Sender (New York, NY)
- 412+184 – International Sender (Pittsburgh, PA)
- 407+185 – International Sender (Orlando, FL)
- 415+186 – International Sender (Oakland, CA – in this era, 510 was TWX)
- 303+187 – International Sender (Denver, CO)
- 212+188 – International Sender (New York, NY)
Not all NPAs had all functions. As some NPAs contained multiple cities, an additional routing code was sometimes placed after the area code. For instance, 519+044+121 may reach the Windsor inward operator and 519+034+121 the London inward operator 175 km (109 mi) distant, but in the same area code.[24]
In other countries
Another signaling system widely used on international circuits (except those terminating in North America) was CCITT Signaling System No. 4 (friendly named 'SS4').
Technical definitions are specified in formerly CCITT (now ITU-T) Recommendations Q.120 to Q.139.[25]
This was also an in-band system but, instead of using multifrequency signals for digits, it used four 35 ms pulses of tone, separated by 35 ms of silence, to represent digits in four-bit binary code, with 2400 Hz as a '0' and 2040 Hz as a '1'. The supervisory signals used the same two frequencies, but each supervisory signal started with both tones together (for 150 ms) followed, without a gap, by a long (350 ms) or short (100 ms) period of a single tone of 2400 Hz or 2040 Hz. Phreaks in Europe built System 4 blue boxes that generated these signals. Because System 4 was used only on international circuits, the use of these blue boxes was more specialized.
Typically, a phreak would gain access to international dialing at low or zero cost by some other means, make a dialed call to a country that was available via direct dialing, and then use the System 4 blue box to clear down the international connection and make a call to a destination that was available only via operator service. Thus, the System 4 blue box was used primarily as a way of setting up calls to hard-to-reach operator-only destinations.
A typical System 4 blue box had a keypad (for sending four-bit digit signals) plus four buttons for the four supervisory signals (clear-forward, seize-terminal, seize-transit, and transfer-to-operator). After some experimentation, nimble-fingered phreaks found that all they needed was two buttons, one for each frequency. With practice, it was possible to manually generate all the signals with sufficient timing precision, including the digit signals. This made it possible to make the blue box quite small.
A refinement added to some System 4 blue boxes was an anti-acknowledgment-echo guard tone. Because the connection between the telephone and the telephone network is two-wire, but the signaling on the international circuit operates on a four-wire basis (totally separate send and receive paths), signal-acknowledgment tones (single pulses of one of the two frequencies from the far end of the circuit after receipt of each digit) tended to be reflected at the four-wire/two-wire conversion point. Although these reflected signals were relatively faint, they were sometimes loud enough for the digit-receiving circuits at the far end to treat them as the first bit of the next digit, messing up the phreak's transmitted digits.
What the improved blue box did was to continuously transmit a tone of some other frequency (e.g., 600 Hz) as a guard tone whenever it was not sending a System 4 signal. This guard tone drowned out the echoed acknowledgment signals so that only the blue box-transmitted digits were heard by the digit-receiving circuits at the far end.
See also
- Falsing
- Operation Cybersnare – Story involving blue boxing from the United States
References
- Rosenbaum, Ron (1971). "Secrets of the Little Blue Box" (PDF). Esquire. No. October. pp. 117–125, 222–226 – via C*NET.
- ↑ "Steve Jobs' First Business was Selling Blue Boxes that Allowed Users to Get Free Phone Service Illegally". October 6, 2012.
- ↑ Playing a tune for a telephone number, Popular Electronics, February 1950
- ↑ AT&T, Speeding Speech, 1950
- ↑ Weaver, A.; Newell, N. A., "In-Band Single-Frequency Signaling" (PDF), Bell System Technical Journal
- ↑ Wilson, E. Jan (December 6, 1998). Telecom and Network Security: Toll Fraud & Telabuse Update. TRI-Telecommunications Reports International, Incorporated. ISBN 9780938866091 – via Google Books.
- ↑ Breen, C.; Dahlbom, C. A. (1960), "Signaling Systems for Control of Telephone Switching" (PDF), Bell System Technical Journal, XXXIX (6): 1381–1444, doi:10.1002/j.1538-7305.1960.tb01611.x,
The keyer relay M operates and releases from signals on the M lead and alternately removes or applies 2600 cycles to the transmit line of the facility. ... Table IV—Frequencies and Digit Codes for MF Pulsing: Digit 1: Frequencies 700 + 900 ...
- ↑ Gitlin, Martin; Goldstein, Margaret J. (December 6, 2015). Cyber Attack. Twenty-First Century Books. ISBN 9781467725125 – via Google Books.
- ↑ Yan, Laura (October 22, 2019). "An Early Hacker Used a Cereal Box Whistle to Take Over Phone Lines". Popular Mechanics.
- ↑ Shinder, Debra Littlejohn; Cross, Michael (July 21, 2008). Scene of the Cybercrime. Elsevier. ISBN 9780080486994 – via Google Books.
- ↑ Wozniak, Steve (October 17, 2007). iWoz: Computer Geek to Cult Icon. W. W. Norton & Company. p. 110. ISBN 9780393066869 – via Internet Archive.
bluebox subculture.
- 1 2 3 4 5 6 7 8 9 10 Rosenbaum 1971.
- 1 2 Lapsley, Phil (February 20, 2013). "The Definitive Story of Steve Wozniak, Steve Jobs, and Phone Phreaking". The Atlantic.
- ↑ Wozniak, S. G.; Smith, G. (2006), iWoz: From Computer Geek to Cult Icon: How I Invented the Personal Computer, Co-Founded Apple, and Had Fun Doing It, New York: W. W. Norton & Company, ISBN 0-393-06143-4
- ↑ Stix, Harriet (May 14, 1986). "A UC Berkeley Degree Is Now the Apple of Steve Wozniak's Eye". Los Angeles Times. Retrieved January 5, 2015.
- ↑ Isaacson, Walter (2015). Steve Jobs. Simon and Schuster. ISBN 9781501127625. p. 30
- ↑ Olsen, Hank (April 1974). "A One-Chip, Two Tone Generator". CQ. p. 48.
- ↑ Whipple Jr., Spencer (June 1, 1975). "Inside Ma Bell". 73. pp. 68–80. Retrieved May 9, 2019 – via Internet Archive.
- ↑ LLC, New York Media (June 6, 1977). "New York Magazine". New York Media, LLC – via Google Books.
- ↑ Pursell, Carroll W. (December 6, 2007). Technology in Postwar America: A History. Columbia University Press. ISBN 9780231123044 – via Google Books.
- ↑ UNITED STATES of America vs. Bernard CORNFIELD, dba Grayhall Inc, No. 76-3391, United States Court of Appeals, Ninth Circuit. October 27, 1977.
- ↑ Archived at Ghostarchive and the Wayback Machine: Sprint Phone Service commercial 1986 pin drop, retrieved March 16, 2021
- ↑ "NEW 'Off the Wall' ONLINE | 2600". Archived from the original on June 2, 2016. Retrieved May 31, 2016.
- ↑ Phil Lapsley (2013). Exploding The Phone – Extra Goodies – Overseas Dialing. ISBN 978-0-8021-2061-8.
- ↑ Traffic Routing Guide, AT&T, 1977
- ↑ CCITT SS4 / ITU-T Q.120–139 https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-Q.120-Q.139-198811-I!!PDF-E&type=items
External links
- The SARTS technical journal
- Secrets of the Little Blue Box – article with photos
- All about the Blue Box and related devices Archived October 17, 2014, at the Wayback Machine
- Text files about blue boxing
- The definitive guide to Phreak boxes Archived January 28, 2013, at the Wayback Machine
- Fun with Dick and Jane by Lewis Gum and Edward Oxford – an article that appeared in the 1978 Bell Telephone Magazine about telephone fraud and Phone Phreaks
- A site dedicated to the history of phone phreaking, with extensive information on blue boxing.
- A working, publicly accessible simulation of the old telephone network that allows legal blue boxing. It also has instructions for building a basic blue box.
- November 1954, Bell System Technical Journal article titled "In-Band Single-Frequency Signaling" (A. Weaver and N. A. Newell)
- November 1960, Bell System Technical Journal article titled "Signaling Systems for Control of Telephone Switching" (by C. Breen and C. A. Dahlbom)
- Moschitto, Denis; Sen, Evrim (July 2001). "Manipulieren der Telefonleitung: Blue Boxing" [Manipulate the phone line: Blue boxing]. Hackerland – Das Logbuch der Szene (in German). Tropen Verlag Michael Zöllner. ISBN 978-3-932170-29-4.
- A commercially available test set playing tones "speed dial"