Blue box

Blue box at the Powerhouse Museum

A blue box is an electronic device that simulated an operator by generating the same tones employed by a telephone operator's dialing console to, for example, switch long-distance calls.[1] A blue box is a tool that emerged in the 1960s and '70s; it allowed users to route their own calls by emulating the in-band signaling mechanism that then controlled switching in long distance dialing systems. The most typical use of a blue box was to place free telephone calls. A related device, the black box, enabled one to receive calls which were free to the caller. The blue box no longer works in most Western nations, as modern switching systems do not use in-band signaling. Instead, signaling occurs on an out-of-band channel which cannot be accessed from the line the caller is using, a system called Common Channel Interoffice Signaling or CCIS.

History

2600 Hz
A tone of 2600 Hz (LOUD)

Problems playing this file? See media help.

In November 1954, the Bell System Technical Journal published an article entitled "In-Band Single-Frequency Signaling", which described the process used for routing telephone calls over trunk lines with the then-current signaling system, R1.[2] The article described the basics of the inter-office trunking system and the signalling used. This, while handy, could not be used in and of itself, as the frequencies used for the Multi-Frequency, or "MF", tones were not published in this article.

In November 1960, the other half of the equation was revealed by the Bell System Technical Journal, with another article entitled "Signaling Systems for Control of Telephone Switching", which published the frequencies used for the digits that were used for the actual routing codes.[3] With these two items of information, the phone system was at the disposal of anyone with a cursory knowledge of electronics.

However, contrary to numerous stories, before finding the articles in the Bell System Technical Journal it was discovered by many, some very unintentionally and to their annoyance, that a 2600 Hz tone, used by AT&T Corporation as a steady signal to mark currently unused long-distance telephone lines, or "trunk lines", would reset those lines. Joe Engressia (known as Joybubbles) accidentally discovered it at the age of 7 by whistling (with his mouth).[4] He and other famous phone phreaks, such as "Bill from New York" and "The Glitch", trained themselves to whistle 2600 Hz to reset a trunk line. They also learned how to route phone calls by causing trunks to flash in certain patterns. At one point in the 1960s, packets of the Cap'n Crunch breakfast cereal included a free gift: a small whistle that (by coincidence) generated a 2600 Hz tone when one of the whistle's two holes was covered. The phreaker John Draper adopted his nickname "Captain Crunch" from this whistle. Others would utilize exotic birds such as canaries, which are able to hit the 2600 Hz tone with the same effect.

With the ability to blue box, what was once just a few isolated individuals exploring the telephone network started to develop into a whole sub-culture. Famous phone phreaks such as John "Captain Crunch" Draper, Mark Bernay, and Al Bernay used blue boxes to explore the various 'hidden codes' that were not dialable from a regular phone line.

Some of the more famous pranksters were Steve Wozniak and Steve Jobs, founders of Apple Computer. On one occasion Wozniak dialed Vatican City and identified himself as Henry Kissinger (imitating Kissinger's German accent) and asked to speak to the Pope (who was sleeping at the time).[5] Wozniak said in 1986:[6]

I called only to explore the phone company as a system, to learn the codes and tricks. I'd talk to the London operator, and convince her I was a New York operator. When I called my parents and my friends, I paid. After six months I quit--I'd done everything that I could.

I was so pure. Now I realize others were not as pure, they were just trying to make money. But then I thought we were all pure.

Blue boxes were primarily the domain of "pranksters" and "explorers", but others used blue boxes solely to make free phone calls. They were also popular with drug dealers and other criminals, because calls were not only free, but were virtually impossible to trace with the technology available at the time.

Blue boxing hit the mainstream media when an article by Ron Rosenbaum titled Secrets of the Little Blue Box was published in the October 1971 issue of Esquire magazine.[4] Suddenly, many more people wanted to get into the phone phreaking culture spawned by the blue box, and it furthered the fame of Captain Crunch. Two major amateur radio magazines ('73' and "CQ') published articles on the telephone system in the mid 1970s. CQ Magazine also published details on phone phreaking, including the tone frequencies and several working blue box schematics in 1974.

In November 1988, the CCITT (now known as ITU-T) published recommendation Q.140, which goes over Signaling System No. 5's international functions, once again giving away the 'secret' frequencies of the system. This caused a resurgence of blue boxing incidents with a new generation.

During the early 1990s, blue boxing became popular with the international warez scene, especially in Europe. Software was made to facilitate blue boxing using a computer to generate the signalling tones and play them into the phone. For the PC there were BlueBEEP, TLO, and others, and blue boxes for other platforms such as Amiga were available as well.

In the 1970s and 1980s, some trunks were modified to filter out single frequency tones arriving from a caller. The death of blueboxing came in the mid to late 1990s when telcos, becoming aware of the problem, eventually moved to out-of-band signaling systems with separate data and signalling channels (such as CCIS and SS7). These systems separated the voice and signaling channels, making it impossible to generate signalling signals from an ordinary voice phone line. It is rumored that some international trunks still utilize in-band signaling and are susceptible to tones, although often it is 2600+2400 Hz then 2400 Hz to seize. Sometimes the initial tone is a composition of three frequencies. A given country may have inband signalling on trunks from a specific country but not others.

Operation

The operation of a blue box is simple: First, the user places a long distance telephone call, usually to an 800 number or some other non-supervising phone number. For the most part, anything going beyond 50 miles would go over a trunk type susceptible to this technique.

When the call starts to ring, the caller uses the blue box to send a 2600 Hz tone (or 2600+2400 Hz on many international trunks followed by a 2400 Hz tone). The 2600 Hz is a supervisory signal, because it indicates the status of a trunk; on hook (tone) or off-hook (no tone). By playing this tone, you are convincing the far end of the connection that you've hung up and it should wait. When the tone stops, the trunk will go off-hook and on-hook (known as a supervision flash), making a "Ka-Cheep" noise, followed by silence. This is the far end of the connection signalling to the near end that it is now waiting for routing digits.

Once the far end sends the supervision flash, the user would use the blue box to dial a "Key Pulse" or "KP", the tone that starts a routing digit sequence, followed by either a telephone number or one of the numerous special codes that were used internally by the telephone company, then finished up with a "Start" or "ST" tone. At this point, the far end of the connection would route the call the way you told it, while the user's local exchange would presume the call was still ringing at the original number. KP1 is generally used for domestic dialing where KP2 would be for international calls.

The blue box consisted of a set of audio oscillators, a telephone keypad, an audio amplifier and speaker. Its use relied, like much of the telephone hacking methodology of the time, on the use of a constant tone of 2600 Hz to indicate an unused telephone line. A free long distance telephone call (such as a 1-800 number or, less commonly, the information operator from another area code) was made using a regular telephone, and when the line was connected, a 2600 Hz tone from the blue box was fed into the mouthpiece of the telephone, causing the operator to be disconnected and a free long distance line to be available to the blue box user. The keyboard was then used to place the desired call, using multi-frequency tones specific for telephone operators. These frequencies are different from the normal touch tone frequencies used by telephone subscribers, which is why the telephone keypad could not be used and the blue box was necessary.

Countermeasures

Development and use of the blue box was largely enabled by Bell Telephone's policy of publishing all technical documentation regarding its equipment. In response to the development of this and other means of telephone hacking, the company began to develop other means of securing its system, without publicly disclosing the details. These included modifying telephone central offices to listen for the 2600 Hz tone coming from a subscriber telephone. This, plus the investigation and prosecution of several hackers by the FBI, led to a decrease in phone phreaking and displaced much of the remaining activity to coin phones.

Electronic switching systems maintained logs of all calls made, including calls to free numbers. This earned the nickname "electronic surveillance system" as telephone company personnel would use this data to locate unusual patterns (such as lengthy, repeated calls to information or national hotel reservation numbers) and wiretap the affected lines. In one 1975 case, the Pacific Telephone Company targeted one defendant's line with the following equipment:

Demise and legacy

The development of digital switching equipment and out-of-band signaling prevented the use of blue boxes. The "blue box" terminology has therefore been recycled for other purposes. The hacking community evolved into other endeavors and there currently exists a commercially published hacking magazine, titled 2600, a reference to the 2600 Hz tone that was once central to so much of telephone hacking.[8]

Frequencies and timings

Each MF tone consists of two frequencies, shown in the table on the left. The Touch Tone encoding is shown by the table on the right:

Operator (blue box) dialed MF frequencies
Code 700 Hz 900 Hz 1100 Hz 1300 Hz 1500 Hz 1700 Hz
1 X X
2 X X
3 X X
4 X X
5 X X
6 X X
7 X X
8 X X
9 X X
0/10 X X
11/ST3 X X
12/ST2 X X
KP X X
KP2 X X
ST X X
Customer-dialed Touch-Tone (DTMF) frequencies
1209 Hz 1336 Hz 1477 Hz 1633 Hz
697 Hz 1 2 3 A
770 Hz 4 5 6 B
852 Hz 7 8 9 C
941 Hz * 0 # D

The rightmost column is not present on
consumer telephones.

Normally, the tone durations are on for 60ms, with 60ms of silence between digits. The 'KP' and 'KP2' tones are sent for 100ms. KP2 (ST2 in the R1 standard) was used for dialing internal Bell System telephone numbers. However, actual frequency durations can vary depending on location, switch type, and the machine status.

This set of MF tones was originally devised for Bell System long-distance operators placing calls manually, and predates the DTMF Touch-Tone system used by subscribers. The leading trunk prefix 1 was not dialed as the operator was already on a Long Lines trunk at this point.

Special codes

Some of the special codes a person could get onto are in the chart below. "NPA" is a telephone company term for 'area code'.

Many of these appear to have been originally three-digit codes, dialled without the leading area code, and the format of destination numbers dialled to the international senders has changed at various points as ability to call additional nations was added.[9]

Not all NPAs had all functions. As some NPAs contained multiple cities, an additional routing code was sometimes placed after the area code. For instance, 519+044+121 may reach the Windsor inward operator and 519+034+121 the London inward operator 175 km distant, but in the same area code.[10]

Blue boxes in other countries

Another signaling system widely used on international circuits (except those terminating in North America) was CCITT Signaling System No. 4 (friendly named 'SS4').

Technical definitions are specified in formerly CCITT (now ITU-T) Recommendations Q.120 to Q.139.[11]

This was also an in-band system but, instead of using multifrequency signals for digits, it used four 35 ms pulses of tone, separated by 35 ms of silence, to represent digits in four-bit binary code, with 2400 Hz as a '0' and 2040 Hz as a '1'. The supervisory signals used the same two frequencies, but each supervisory signal started with both tones together (for 150 ms) followed, without a gap, by a long (350 ms) or short (100 ms) period of a single tone of 2400 Hz or 2040 Hz. Phreaks in Europe built System 4 blue boxes that generated these signals. Because System 4 was used only on international circuits, the use of these blue boxes was more specialized.

Typically, a phreak would gain access to international dialing at low or zero cost by some other means, make a dialed call to a country that was available via direct dialing, and then use the System 4 blue box to clear down the international connection and make a call to a destination that was available only via operator service.

Thus, the System 4 blue box was used primarily as a way of setting up calls to hard-to-reach operator-only destinations, in order to impress other phreaks, rather than as a way of making free or cheap calls.

A typical System 4 blue box had a keypad (for sending four-bit digit signals) plus four buttons for the four supervisory signals (clear-forward, seize-terminal, seize-transit, and transfer-to-operator). After some experimentation, nimble-fingered phreaks found that all they really needed was two buttons, one for each frequency. With practice, it was possible to generate all the signals with sufficient timing precision manually, including the digit signals. This made it possible to make the blue box quite small.

A refinement added to some System 4 blue boxes was an anti-acknowledgement-echo guard tone. Because the connection between the telephone and the telephone network is two-wire, but the signalling on the international circuit operates on a four-wire basis (totally separate send and receive paths), signal-acknowledgement tones (single pulses of one of the two frequencies from the far end of the circuit after receipt of each digit) tended to be reflected back at the four-wire/two-wire conversion point. Although these reflected signals were relatively faint, they were sometimes loud enough for the digit-receiving circuits at the far end to treat them as the first bit of the next digit, messing up the phreak's transmitted digits.

What the improved blue box did was to continuously transmit a tone of some other frequency (e.g., 600 Hz) as a guard tone whenever it was not sending a System 4 signal. This guard tone drowned out the echoed acknowledgement signals, so that only the blue box-transmitted digits were heard by the digit-receiving circuits at the far end.

See also

References

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.