The Official Phreaker's Manual The Official Phreaker's Manual V1.1 Updated 2/14/87 Compiled, Wordprocessed, and Distributed by: The Jammer and Jack the Ripper Page 1 The Official Phreaker's Manual Introduction What precedes this introduction is what I have termed "The Official Phreakers Manual", while it may not be. Many times I have been on a BBS, which has files claiming to have summed up all the ways to phreak in the U.S. and abroad, well those were pretty lame and a couple pages long. Now after many relentless hours of work, I have done it. This is an informative file and the authors of this and the authors from which I have gathered information, take absolutely NO responsibility and are not liable for, under any circumstances for damage, direct, indirect, incidental, or consequential. Warning: Use of this material may shorten your life in the free world! Ok enough of the bullshit, I readily admit that this is mainly a compilation of available phreak material and public resources. What I have done is to gather it all together and edit, compile, check for errors, put in a readable form, and finally to write what I know without echoing what others have said. I have set this up that it is good for all levels of phreaks, going from novice to advanced, and references and tables for easy reference in the back. This manual is constantly being updated! If you have any contributions or corrections or comments, please leave messages to me (Jack the Ripper) on any BBS's I am on (probably where you got it). Thanks! Page 2 The Official Phreaker's Manual ********************************************************************** Table of Contents ********************************************************************** I....... 005 Chapter 1 I.1..... 006 Glossary of Phreaking terms I.2..... 010 Glossary of Phreaking terms cont. I.3..... 017 Boxes and Electronic Toll Fraud I.4..... 020 How to be a Real Phreak I.5..... 026 Basic Telecommunications I, A Phreaks guide II...... 031 Chapter 2 II.1.... 033 Secrets of the Little Blue Box. Part 1 II.2.... 041 Secrets of the Little Blue Box. Part 2 II.3.... 050 Secrets of the Little Blue Box. Part 3 II.4.... 058 Secrets of the Little Blue Box. Part 4 II.5.... 062 The History of ESS II.6.... 064 History of British Phreaking II.7.... 067 Bad as Shit, an adventure story III..... 069 Chapter 3 III.1... 070 Phreaking Cosmos III.2... 072 Cosmos Revamped III.3... 073 Telenet III.4... 075 Phreaking AT&T Cards III.5... 076 AT&T Forgery III.6... 078 Dealing with Operators III.7... 079 How to set up a Conference Call III.8... 081 Fone tapping III.9... 083 Fone tapping cont. III.10.. 085 Tracing, how dangerous is it III.11.. 086 How to avenge yourself III.12.. 088 Interesting things to do on Step lines III.13.. 089 Busted, An account of the Private Sector bust IV...... 092 Chapter 4 IV.1.... 093 Basic Telecommunications II, Special #'s, Loops, Ani IV.2.... 101 Basic Telecommunications III, Direct Dialing, International IV.3.... 106 Basic Telecommunications IV, Telefone Hierarchy IV.4.... 113 Basic Telecommunications V, Subscriber fone electronics IV.5.... 120 Basic Telecommunications VI, Fortress fones V....... 123 Chapter 5 V.1..... 124 Basic Telecommunications VII, Blue Boxing V.2..... 132 Better Homes & Blue Boxing, Part 1 V.3..... 136 Better Homes & Blue Boxing, Part 2 V.4..... 141 Better Homes & Blue Boxing, Part 3 V.5..... 145 More on Blue Boxing by Fred Stienbeck V.6..... 146 Verification, Remob, etc., Is it possible? V.7..... 148 Equal Access and the American Dream, Another great article V.8..... 160 Equal access and Autodialing Modems V.9..... 161 ISDN, it will change telecommunications for ever V.10.... 163 ISDN, an article from Proto V.11.... 165 MCI Services what they are and how they are useful Page 3 The Official Phreaker's Manual ********************************************************************** Appendixes ********************************************************************** Appendix I...... 170 Reference tables and access lists Appendix I.1.... 171 Country Codes Appendix I.2.... 173 Country Codes cont. Appendix I.3.... 176 Country Codes cont. Appendix I.4.... 181 Max Access ports (Dialups) Appendix I.5.... 182 Metro Fone Access ports Appendix I.6.... 183 Area Codes Appendix I.7.... 185 Tac Dialups around the country Appendix I.8.... 193 Test numbers around the country Appendix I.9.... 196 What a TSPS operators console looks like Appendix II..... 197 Box plans Appendix II.1... 198 How to make an Infinity transmitter Appendix II.2... 203 How to make a silver box 204 Protection Page Page 4 The Official Phreaker's Manual Chapter 1 Ok this chapter will cover the basic vocabulary of phreaking, it is a fairly long list, though not totally complete. After the vocab, will be some of the general rules for phreaking. Most of the rules are protection from the police and AT&T, but others are grammatical rules. These are not as important to your freedom, but many a phreak will think you are a twelve year old if you start talking like, "Hey dudz!^$(&, just got the latest warez! trade u for some soft/docs. Checkul8r". Well you get the point, here's your vocab list... Page 5 The Official Phreaker's Manual ...................................................................... ...................................................................... . The Bell Glossary - .. . by .. . /\<\ /\<\ .. . \>ad \>arvin .. ...................................................................... ...................................................................... ACD: Automatic Call Distributor - A system that automatically distributes calls to operator pools (providing services such as intercept and directory assistance), to airline ticket agents, etc. Administration: The tasks of record-keeping, monitoring, rearranging, prediction need for growth, etc. AIS: Automatic Intercept System - A system employing an audio-response unit under control of a processor to automatically provide pertinent info to callers routed to intercept. Alert: To indicate the existence of an incoming call, (ringing). ANI: Automatic Number Identification - Often pronounced "Annie," a facility for automatically identify the number of the calling party for charging purposes. Appearance: A connection upon a network terminal, as in "the line has two network appearances." Attend: The operation of monitoring a line or an incoming trunk for off-hook or seizure, respectively. Audible: The subdued "image" of ringing transmitted to the calling party during ringing; not derived from the actual ringing signal in later systems. Backbone Route: The route made up of final-group trunks between end offices in different regional center areas. BHC: Busy Hour Calls - The number of calls placed in the busy hour. Blocking: The ratio of unsuccessful to total attempts to use a facility; expresses as a probability when computed a priority. Blocking Network: A network that, under certain conditions, may be unable to form a transmission path from one end of the network to the other. In general, all networks used within the Bell Systems are of the blocking type. Blue Box: Equipment used fraudulently to synthesize signals, gaining access to the toll network for the placement of calls without charge. BORSCHT Circuit: A name for the line circuit in the central office. It functions as a mnemonic for the functions that must be performed by the circuit: Battery, Overvoltage, Ringing, Supervision, Coding, Hybrid, and Testing. Busy Signal: (Called-line-busy) An audible signal which, in the Bell System, comprises 480hz and 620hz interrupted at 60IPM. Bylink: A special high-speed means used in crossbar equipment for routing calls Page 6 The Official Phreaker's Manual incoming from a step-by-step office. Trunks from such offices are often referred to as "bylink" trunks even when incoming to noncrossbar offices; they are more properly referred to as "dc incoming trunks." Such high-speed means are necessary to assure that the first incoming pulse is not lost. Cable Vault: The point which phone cable enters the Central Office building. CAMA: Centralized Automatic Message Accounting - Pronounced like Alabama. CCIS: Common Channel Interoffice Signaling - Signaling information for trunk connections over a separate, nonspeech data link rather that over the trunks themselves. CCITT: International Telegraph and Telephone Consultative Committee- An International committee that formulates plans and sets standards for intercountry communication means. CDO: Community Dial Office - A small usually rural office typically served by step-by-step equipment. CO: Central Office - Comprises a switching network and its control and support equipment. Occasionally improperly used to mean "office code." Centrex: A service comparable in features to PBX service but implemented with some (Centrex CU) or all (Centrex CO) of the control in the central office. In the later case, each station's loop connects to the central office. Customer Loop: The wire pair connecting a customer's station to the central office. DDD: Direct Distance Dialing - Dialing without operator assistance over the nationwide intertoll network. Direct Trunk Group: A trunk group that is a direct connection between a given originating and a given terminating office. EOTT: End Office Toll Trunking - Trunking between end offices in different toll center areas. ESB: Emergency Service Bureau - A centralized agency to which 911 "universal" emergency calls are routed. ESS: Electronic Switching System - A generic term used to identify as a class, stored-program switching systems such as the Bell System's No.1 No.2, No.3, No.4, or No.5. ETS: Electronic Translation Systems - An electronic replacement for the card translator in 4A Crossbar systems. Makes use of the SPC 1A Processor. False Start: An aborted dialing attempt. Fast Busy: (often called reorder) - An audible busy signal interrupted at twice the rate of the normal busy signal; sent to the originating station to indicate that the call blocked due to busy equipment. Final Trunk Group: The trunk group to which calls are routed when available high-usage trunks overflow; these groups generally "home" on an office next highest in the hierarchy. Page 7 The Official Phreaker's Manual Full Group: A trunk group that does not permit rerouting off-contingent foreign traffic; there are seven such offices. Glare: The situation that occurs when a two-way trunk is seized more or less simultaneously at both ends. High Usage Trunk Group: The appellation for a trunk group that has alternate routes via other similar groups, and ultimately via a final trunk group to a higher ranking office. Intercept: The agency (usually an operator) to which calls are routed when made to a line recently removed from a service, or in some other category requiring explanation. Automated versions (ASI) with automatic voiceresponse units are growing in use. Interrupt: The interruption on a phone line to disconnect and connect with another station, such as an Emergence Interrupt. Junctor: A wire or circuit connection between networks in the same office. The functional equivalent to an intraoffice trunk. MF: Multifrequency - The method of signaling over a trunk making use of the simultaneous application of two out of six possible frequencies. NPA: Numbering Plan Area. ONI: Operator Number Identification - The use of an operator in a CAMA office to verbally obtain the calling number of a call originating in an office not equipped with ANI. PBX: Private Branch Exchange - (PABX: Private Automatic Branch Exchange) An telephone office serving a private customer, Typically , access to the outside telephone network is provided. Permanent Signal: A sustained off-hook condition without activity (no dialing or ringing or completed connection); such a condition tends to tie up equipment, especially in earlier systems. Usually accidental, but sometimes used intentionally by customers in high-crime-rate areas to thwart off burglars. POTS: Plain Old Telephone Service - Basic service with no extra "frills". ROTL: Remote Office Test Line - A means for remotely testing trunks. RTA: Remote Trunk Arrangement - An extension to the TSPS system permitting its services to be provided up to 200 miles from the TSPS site. SF: Single Frequency. A signaling method for trunks: 2600hz is impressed upon idle trunks. Supervise: To monitor the status of a call. SxS: (Step-by-Step or Strowger switch) - An electromechanical office type utilizing a gross-motion stepping switch as a combination network and distributed control. Talkoff: The phenomenon of accidental synthesis of a machine-intelligible Page 8 The Official Phreaker's Manual signal by human voice causing an unintended response. "whistling a tone". Trunk: A path between central offices; in general 2-wire for interlocal, 4-wire for intertoll. TSPS: Traffic Service Position System - A system that provides, under stored- program control, efficient operator assistance for toll calls. It does not switch the customer, but provides a bridge connection to the operator. X-bar: (Crossbar) - An electromechanical office type utilizing a "fine-motion" coordinate switch and a multiplicity of central controls (called markers). There are four varieties: No.1 Crossbar: Used in large urban office application; (1938) No 3 Crossbar: A small system started in (1974). No.4A/4M Crossbar: A 4-wire toll machine; (1943). No.5 Crossbar: A machine originally intended for relatively small suburban applications; (1948) Crossbar Tandem: A machine used for interlocal office switching. Page 9 The Official Phreaker's Manual ============================================================ _ _ _______ | \/ | / _____/ |_||_|etal / /hop __________/ / /___________/ (314) 432-0756 Proudly Presents The MCI Telecommunications Glossary Part I Volume I (A - D) Typed by Knight Lightning ============================================================ - A - A & B LEADS: Designation of leads derived from the midpoints of the two 2-wire pairs comprising a 4-wire circuit. ABBREVIATED DIALING: The ability of a telephone user to reach frequently called numbers by using less than seven digits. Synonym: Speed Dialing ACCESS CHARGE: A fee paid for the use of local lines. ACCESS CODE: A digit or number of digits required to be connected to a private line arranged for dial access. ACCESS LINE: A telephone circuit which connects a customer location to a network switching center. AIRLINE MILEAGE: Calculated point-to-point mileage between terminal facilities. ALL TRUNKS BUSY (ATB): A single tone interrupted at a 120 ipm (impulses per minute) rate to indicate all lines or trunks in a routing group are busy. ALTERNATE ROUTE: A secondary communications path used to reach a destination if the primary path is unavailable. ALTERNATE USE: The ability to switch communications facilities from one type of service to another, i.e., voice to data, etc. ALTERNATE VOICE DATA (AVD): A single transmission facility which can be used for either voice or data. AMERICAN STANDARD CODE FOR INFORMATION INTERCHANGE (ASCII): An 8 level code developed for the interchange of information between data processing and communications systems. ANALOG SIGNAL: A signal in the form of a continuous varying physical quantity, e.g., voltage which reflects variations in some quantity, e.g., loudness in the human voice. Page 10 The Official Phreaker's Manual ANNUNICATOR: An audible intercept device that states the condition or restrictions associated with circuits or procedures. ANSWER BACK: An electrical and/or visual indication to the calling or sending end that the called or received station is on the line. ANSWER SUPERVISION: An off-hook signal transmitted toward the calling end of a switched connection when the called party answers. AREA CODE: Synonym: Numbering Plan Area (NPA). A three digit number identifying more than 150 geographic areas of the United States and Canada which permits direct distance dialing on the telephone system. A similar global numbering plan has been established for international subscriber dialing. ATTENDANT POSITION: A telephone switchboard operator's position. It provides either automatic (cordless) or manual (plug and jack) operator controls for incoming and/or outgoing telephone calls. ATTENUATION: A general term used to denote the decrease in power between that transmitted and that received due to loss through equipment, lines, or other transmission devices. It is usually expressed as a ration in db (decibel). AUDIBLE RINGING TONE: An audible signal heard by the calling party during the ringing-interval. AUTHORIZATION CODE: An identification number that the caller enters when placing a call which is used for billing purposes. AUTHORIZED USER: A person, firm, organization, corporation or any other entity authorized by the customer to send or receive communications over a specific communications network. AUTO ANSWER: A machine feature that allows a transmission control unit or station to automatically respond to a call that it receives. AUTOMATIC CALL DISTRIBUTOR (ACD): A switching system designed to queue and/or distribute a large volume of incoming calls to a group of attendants to the next available "answering" position. AUTOMATIC DIALING UNIT: A device which automatically generates a predetermined set of dialing digits. AUTOMATIC IDENTIFICATION OF OUTWARD DIALING (AIOD): A computer generated report showing all long distance calls placed over AT&T's toll network. AUTOMATIC NUMBER IDENTIFICATION (ANI): Automatic equipment at a local dial office used on customer dialed calls to identify the calling-station. AUTOMATIC ROUTE SELECTION (ARS): Least cost routing via AT&T CENTREX system. - B - Page 11 The Official Phreaker's Manual BAND: (1) The range of frequencies between two defined limits. (2) In reference to WATS, one of the five specific geographic areas as defined by AT&T. Synonym: BANDWIDTH. BANDWIDTH: See BAND. BASEBAND: The total frequency band occupied by the aggregate of all the voice and data signals used to modulate a radio carrier. BAUD: A unit of signaling speed. The speed in baud is the number of discrete conditions conditions or signal elements per second. If each signal event represents only one bit condition, then Baud is the same as bits per second. When each signal event represents other than one bit, Baud does not equal bits per second. BELL OPERATING COMPANY (BOC) /BELL SYSTEMS OPERATING COMPANY (BSOC): Any of the 24 AT&T affiliated companies providing local service. BELL SYSTEM: The aggregate of AT&T's 24 associated telephone companies, Long Lines, Western Electric, and Bell Labs. BILLING NUMBER: The MCI term for the number which identifies a customer on a billing location level, assigned to Network Service Customer (by COMS). Assigned for each unique customer name and billing location. For internal use only. BINARY: A number system that uses only two characters ("0" and "1"). BIT: A binary digit. The smallest unit of coded information. BITS PER SECOND (BPS): The rate at which data transmission is measured. BLOCKED CALLS: Attempted calls that are not connected because (1) all lines to the central offices are in use; or (2) all connecting connecting paths through the PBX/switch are in use. BLOCKED ANI: ANI prohibited from completing a call over the MCI network. BREAK: A means of interrupting transmission, a momentary interruption of a circuit. BROADBAND: A transmission facility having a bandwidth of greater then 20 kHz. BUS: A heavy conductor, or group of conductors, to which several units of the same type of equipment may be connected. BUSY: The condition in which facilities over which a call is to be connected are already in use. BUSY HOUR: The time of day when phone lines are most in demand. BUSY TONE: A single that is interrupted at 60 ipm (impulses per minute) rate to indicate that the terminal point of a call is already in use. BYTE: A group of binary digits that are processed by a computer as a unit. Page 12 The Official Phreaker's Manual - C - CARRIER: High frequency current that can be modulated with voice or digital signals for bulk transmission via cable or radio circuits. CARRIER SYSTEM: A system for providing several communications channels over a single path. CATHODE RAY TUBE (CRT): The "television-like" screen used to display the output from a computer. CELLULAR MOBILE RADIO: A system providing exchange telephone service to a station located in an auto or other mobile vehicle, using radio circuits to a base radio station which covers a specific geographical area and as the vehicle moves from one area to another, different base radio stations handle the call. CENTRAL OFFICE (CO): A telephone switching center that provides local access to the public network. Sometimes referred to as: Class 5 office, end office, or Local Dial Office. CENTREX, CO: PBX Service provided by a switch located at the telephone company central office. CENTREX, CU: A variation on Centrex CO provided by a telephone company maintained "Central Office" type switch located at the customer's premises. CENTRAL PROCESSING UNIT (CPU): The control unit within a computer which handles all the intelligent functions of the systems. In a telephone switch, directs all potions of the system to carry out their appropriate functions. Synonym: Common Control. CHANNEL: A communication path via a carrier or microwave radio. CHARACTER: Any letter, digit, or special symbol. In data transmission would be represented by a specific code made up of a group of binary digits. CIRCUIT: A path for the transmission of electromagnetic signals to include all conditioning and signaling equipment. Synonym: Facility CIRCUIT SWITCHING: A switching system that completes a dedicated transmission path from sender to receiver at the time of transmission. CLASS OF SERVICE/CLASS MARK (COS): A subgrouping of telephone customers or users for the sake of rate distinction or limitation of service. COAXIAL CABLE: A cable having several coaxial lines under a single protective sheath. Usually used as a high capacity carrier in urban areas between interexchange and toll offices. CODEC: Coder-Decoder. Used to convert analog signals to digital form for transmission over a digital median and back again to the original analog form. COMMON CARRIER: A government regulated private company that provides the general public with telecommunications services and facilities. Page 13 The Official Phreaker's Manual COMMON CHANNEL INTEROFFICE SIGNALING (CCIS): A digital technology used by AT&T to enhance their Integrated Services Digital Network. It uses a separate data line to route interoffice signals to provide faster call set-up and more efficient use of trunks. COMMON CONTROL SWITCHING ARRANGEMENT (CCSA): An arrangement for telecommunicationsnetworks in which common controlled switching machines are used to route traffic over network routes and access lines. The switching machine may be shared with other users and is maintained by the telephone company. COMPUTER PORT/TKI PORT: The interface through which the computer connects to the communications circuit. CONDITIONING EQUIPMENT: Equipment modifications or adjustments necessary to match transmission levels and impedances and which equalizes transmission and delay to bring circuit losses, levels, and distortion within established standards. CONFIGURATION: The combination of long-distance services and/or equipment that make up a communications system. CONTROL UNIT (CU): The central processor of a telephone switching device. CORPORATE ID NUMBER: The MCI term for the number which identifies a customer on a corporate level. (Not all MCI customers have this). COST COMPONENT: The price of each type of long distance service and/or equipment that constitutes a configuration. COST PER HOUR (CPH): Total cost of different services divided by total holding time (in minutes). CROSS CONNECTION: The wire connections running between terminals on the two sides of a distribution frame, or between binding posts in a terminal. CROSS TALK: The unwanted energy (speech or tone) transferred from one circuit to another circuit. CUSTOMER OWNED AND MAINTAINED (COAM): Customer provided communications apparatus, and their associated wiring. CUSTOMER PREMISE EQUIPMENT (CPE): Telephone equipment, usually including wiring located within the customer's part of a building. CUT: To transfer a service from one facility to another. CUT THROUGH: The establishment of a complete path for signaling and/or audio communications. - D - DATA: Any representation, such as characters to which a meaning is assigned. Page 14 The Official Phreaker's Manual DATA COMMUNICATIONS: The movement of coded information by means of electronic transmission systems. DATA SET: A device which converts data into signals suitable for transmission over communications lines. DATA TERMINAL: A station in a system capable of sending and/or receiving data signals. DECIBEL (db): A unit of measurement represented as a ratio of two voltages, currents or powers and is used to measure transmission loss or gain. DELAY DIAL: A dialing configuration whereby local dial equipment will wait until it receives the entire telephone number before seizing a circuit to transmit the call. DELTA MODULATION (DM): A variant of pulse code modulation whereby a code representing the difference between the amplitude of a sample and t~he amplitude of a previous one is sent. Operates well in the presence of noise, but requires a wide frequency band. DEMODULATION: The process of retrieving data from a modulated signal. DIAL LEVEL: The selection of stations or services associated with a PBX using a one to four digit code (e.g., dialing 9 for access to outside dial tone). DIAL PULSING: The transmitting of telephone address signals by momentarily opening a DC circuit a number of times corresponding to the decimal digit which is dialed. DIAL REPEATING TIE LINE/ DIAL REPEATING TIE TRUNK: A tie line which permits direct station to station calling without use of the attendant. DIAL SELECTIVE SIGNALING: A multipoint network in which the called party is selected by a prearranged dialing code. DIAL TONE: A tone indicating that automatic switching equipment is ready to receive dial signals. DIALING PLAN: A description of the dialing arrangements for customer use on a networks. DIGITAL: Referring to the use of digits to formulate and solve problems, or to encode information. DIMENSION CUSTOM TELEPHONE SERVICE (DCTS): AT&T's electronically programmable telephone station sets which use special buttons to access PBX features. DIRECT DISTANCE DIALING (DDD): A toll service that permits customers to dial their own long distance call without the aid of an operator. DIRECT INWARD DIALING (DID): A PBX or CENTREX feature that allows a customer outside the system to directly dial a station within the system. Page 15 The Official Phreaker's Manual DIRECT OUTWARD DIALING: A PBX or CENTREX feature that allows a station user to gain direct access to an exchange network. DROP: That direction of a circuit which looks towards the local operator. DRY CIRCUIT: A circuit which transmits voice signals and carries no direct current. DUAL TONE MULTI-FREQUENCY (DTMF): Also know as Touch Tone. A type of signaling which emits two distinct frequencies for each indicated digit. DUPLEX: Simultaneous two-way independent transmission. DX SIGNALING: A long-range bidirectional signaling method using paths derived from transmission cable pairs. It is based on a balanced and symmetrical circuit that is identical at both ends. This circuit presents an E&M lead interface to connecting circuits. ============================================================ This concludes Part 1 Volume I of the MCI Telecommunications Glossary. Look for more G-philes from The MCI School of Telecommunications Management Reference Guide coming soon. This has been a 2600 Club production Thanx to Taran King ============================================================ Page 16 The Official Phreaker's Manual $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $ _______________________________ $ $ | | $ $ | ELECTRONIC TOLL FRAUD DEVICES | $ $ |_______________________________| $ $ $ $ $ $ TYPED AND UPLOADED BY: $ $ $ $$$$$$$$$$$$-=>LEX LUTHOR<=-$$$$$$$$$$$ $ $ $ $ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ THIS PHILE IS DESIGNED TO IDENTIFY VARIOUS KINDS OF ETF (ELECTRONIC TOLL FRAUD) DEVICES AND TO DESCRIBE THEIR OPERATION, ACCORDING TO A BOOKLET PUT OUT BY BELL ENTITLED: THE INVESTIGATION AND PROSECUTION OF ELECTRONIC TOLL FRAUD DEVICES. (FOR OFFICIAL USE ONLY). THERE ARE SEVERAL DIFFERENT TYPES OF ELECTRONIC EQUIPMENT WHICH MAY BE GENERALLY CLASSIFIED AS ETF DEVICES. THE MOST SIGNIFICANT IS THE "BLUE BOX". THE CHARACTERISTICS OF EACH TYPE OF DEVICE ARE DISCUSSED BELOW. *BLUE BOX* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- THE "BLUE BOX" WAS SO NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND. THE DESIGN AND HARDWARE USED IN THE BLUE BOX IS FAIRLY SOPHISTICATED, AND ITS SIZE VARIES FROM A LARGE PIECE OF APPARATUS TO A MINIATURIZED UNIT THAT IS APPROXIMATELY THE SIZE OF A "KING SIZE" PACKAGE OF CIGARETTES. THE BLUE BOX CONTAINS 12 OR 13 BUTTONS OR SWITCHES THAT EMIT MULTI-FREQUENCY TONES CHARACTERISTIC OF THE TONES USED IN THE NORMAL OPERATION OF THE TELEPHONE TOLL (LONG DISTANCE) SWITCHING NETWORK. THE BLUE BOX ENABLES ITS USER TO ORIGINATE FRAUDULENT ("FREE") TOLL CALLS BY CIRCUMVENTING TOLL BILLING EQUIPMENT. THE BLUE BOX MAY BE DIRECTLY CONNECTED TO A PHONE LINE, OR IT MAY BE ACOUSTICALLY COUPLED TO A TELEPHONE HANDSET BY PLACING THE BLUE BOX'S SPEAKER NEXT TO THE TRANSMITTER OR THE TELEPHONE HANDSET. THE OPERATION OF A BLUE BOX WILL BE DISCUSSED IN MORE DETAIL BELOW. TO UNDERSTAND THE NATURE OF A FRAUDULENT BLUE BOX CALL, IT IS NECESSARY TO UNDERSTAND THE BASIC OPERATION OF THE DIRECT DISTANCE DIALING (DDD) TELEPHONE NETWORK. WHEN A DDD CALL IS PROPERLY ORIGINATED, THE CALLING NUMBER IS IDENTIFIED AS AN INTEGRAL PART OF ESTABLISHING THE CONNECTION. THIS MAY BE DONE EITHER AUTOMATICALLY OR, IN SOME CASES, BY AN OPERATOR ASKING THE CALLING PARTY FOR HIS TELEPHONE NUMBER. THIS INFORMATION IS ENTERED ON A TAPE IN THE AUTOMATIC MESSAGE ACCOUNTING (AMA) OFFICE. THIS TAPE ALSO CONTAINS THE NUMBER ASSIGNED TO THE TRUNK LINE OVER WHICH THE CALL IS TO BE SENT. THE INFORMATION RELATING TO THE CALL CONTAINED ON THE TAPE INCLUDES: CALLED NUMBER, CALLING NUMBER, TIME OF CALL. THE TIME OF DISCONNECT AT THE END OF THE CALL IS ALSO RECORDED. ALTHOUGH THE TAPE CONTAINS INFO WITH RESPECT TO MANY DIFFERENT CALLS, THE VARIOUS DATA ENTRIES WITH RESPECT TO A SINGLE CALL ARE EVENTUALLY CORRELATED TO PROVIDE BILLING INFO FOR USE BY YOUR BELL'S ACCOUNTING DEPARTMENT. THE TYPICAL BLUE BOX USER USUALLY DIALS A NUMBER THAT WILL ROUTE THE CALL INTO THE TELEPHONE NETWORK WITHOUT CHARGE. FOR EXAMPLE, THE USER WILL VERY Page 17 The Official Phreaker's Manual OFTEN CALL A WELL-KNOWN INWATS (TOLL-FREE) CUSTOMER'S NUMBER. THE BLUE BOX USER, AFTER GAINING THIS ACCESS TO THE NETWORK AND, IN EFFECT, "SEIZING" CONTROL AND COMPLETE DOMINION OVER THE LINE, OPERATES A KEY ON THE BLUE BOX WHICH EMITS A 2600 HERTZ (CYCLES PER SECOND) TONE. THIS TONE CAUSES THE SWITCHING EQUIPMENT TO RELEASE THE CONNECTION TO THE INWATS CUSTOMER'S LINE. THE 2600HZ TONE IS A SIGNAL THAT THE CALLING PARTY HAS HUNG UP. THE BLUE BOX SIMULATES THIS CONDITION. HOWEVER, IN FACT THE LOCAL TRUNK ON THE CALLING PARTY'S END IS STILL CONNECTED TO THE TOLL NETWORK. THE BLUE BOX USER NOW OPERATES THE "KP" (KEY PULSE) KEY ON THE BLUE BOX TO NOTIFY THE TOLL SWITCHING EQUIPMENT THAT SWITCHING SIGNALS ARE ABOUT TO BE EMITTED. THE USER THEN PUSHES THE "NUMBER" BUTTONS ON THE BLUE BOX CORRESPONDING TO THE TELEPHONE # BEING CALLED. AFTER DOING SO HE/SHE OPERATES THE "ST" (START) KEY TO INDICATE TO THE SWITCHING EQUIPMENT THAT SIGNALLING IS COMPLETE. IF THE CALL IS COMPLETED, ONLY THE PORTION OF THE ORIGINAL CALL PRIOR TO THE EMISSION OF 2600HZ TONE IS RECORDED ON THE AMA TAPE. THE TONES EMITTED BY THE BLUE BOX ARE NOT RECORDED ON THE AMA TAPE. THEREFORE, BECAUSE THE ORIGINAL CALL TO THE INWATS # IS TOLL-FREE, NO BILLING IS RENDERED IN CONNECTION WITH THE CALL. ALTHOUGH THE ABOVE IS A DESCRIPTION OF A TYPICAL BLUE BOX OPERATION USING A COMMON METHOD OF ENTRY INTO THE NETWORK, THE OPERATION OF A BLUE BOX MAY VARY IN ANY ONE OR ALL OF THE FOLLOWING RESPECTS: (A) THE BLUE BOX MAY INCLUDE A ROTARY DIAL TO APPLY THE 2600HZ TONE AND THE SWITCHING SIGNALS. THIS TYPE OF BLUE BOX IS CALLED A "DIAL PULSER" OR "ROTARY SF" BLUE BOX. (B) ENTRANCE INTO THE DDD TOLL NETWORK MAY BE EFFECTED BY A PRETEXT CALL TO ANY OTHER TOLL-FREE # SUCH AS UNIVERSAL DIRECTORY ASSISTANCE (555-1212) OR ANY # IN THE INWATS NETWORK, EITHER INTER-STATE OR INTRA-STATE, WORKING OR NON-WORKING. (C) ENTRANCE INTO THE DDD TOLL NETWORK MAY ALSO BE IN THE FORM OF "SHORT HAUL" CALLING. A "SHORT HAUL" CALL IS A CALL TO ANY # WHICH WILL RESULT IN A LESSER AMOUNT OF TOLL CHARGES THAN THE CHARGES FOR THE CALL TO BE COMPLETED BY THE BLUE BOX. FOR EXAMPLE, A CALL TO BIRMINGHAM FROM ATLANTA MAY COST $.80 FOR THE FIRST 3 MINUTES WHILE A CALL FROM ATLANTA TO LOS ANGELES IS $1.85 FOR 3 MINUTES. THUS, A SHORT HAUL, 3-MINUTE CALL TO BIRMINGHAM FROM ATLANTA, SWITCHED BY USE OF A BLUE BOX TO LOS ANGELES, WOULD RESULT IN A NET FRAUD OF $2.65 FOR A 3 MINUTE CALL. (D) A BLUE BOX MAY BE WIRED INTO THE TELEPHONE LINE OR ACOUSTICALLY CONNECTED TO THE HANDSET. THE BLUE BOX MAY EVEN BE BUILT INSIDE A REGULAR TOUCH-TONE PHONE, USING THE PHONE'S PUSH BUTTONS FOR THE BLUE BOX'S SIGNALLING TONES. (E) A MAGNETIC TAPE RECORDING MAY BE USED TO RECORD THE BLUE BOX TONES REPRESENTATIVE OF SPECIFIC PHONE #'S. SUCH A TAPE RECORDING COULD BE USED IN LIEU OF A BLUE BOX TO FRAUDULENTLY PLACE CALLS TO THE PHONE #'S RECORDED ON THE MAGNETIC TAPE. ALL BLUE BOXES, EXCEPT "DIAL PULSE" OR "ROTARY SF" BLUE BOXES, MUST HAVE THE FOLLOWING 4 COMMON OPERATING CAPABILITIES: (A) IT MUST HAVE SIGNALLING CAPABILITY IN THE FORM OF A 2600HZ TONE. THE TONE IS USED BY THE TOLL NETWORK TO INDICATE, EITHER BY ITS PRESENCE OR ITS ABSENCE, AN "ON HOOK" (IDLE) OR "OFF HOOK" (BUSY) CONDITION OF THE TRUNK. (B) THE BLUE BOX MUST HAVE A "KP" TONES THAT UNLOCKS OR READIES THE MULTI-FREQUENCY RECEIVER AT THE CALLED END TO RECEIVE THE TONES CORRESPONDING TO THE CALLED PHONE #. Page 18 The Official Phreaker's Manual (C) THE TYPICAL BLUE BOX MUST BE ABLE TO EMIT MF TONES WHICH ARE USED TO TRANSMIT PHONE #'S OVER THE TOLL NETWORK. EACH DIGIT OF A PHONE # IS REPRESENTED BY A COMBINATION OF 2 TONES. FOR EXAMPLE, THE DIGIT 2 IS X-MITTED BY A COMBINATION OF 700HZ AND 1100HZ. (D) THE BLUE BOX MUST HAVE AN "ST" KEY WHICH CONSISTS OF A COMBINATION OF 2 TONES THAT TELL THE EQUIPMENT AT THE CALLED END THAT ALL DIGITS HAVE BEEN SENT AND THAT THE EQUIPMENT SHOULD START SWITCHING THE CALL TO THE CALLED NUMBER. THE "DIAL PULSER" OR "ROTARY SF" BLUE BOX REQUIRES ONLY A DIAL WITH A SIGNALLING CAPABILITY TO PRODUCE A 2600HZ TONE. *BLACK BOX* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- THIS ETF DEVICE IS SO-NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND. IT VARIES IN SIZE AND USUALLY HAS ONE OR TWO SWITCHES OR BUTTONS. ATTACHED TO THE TELEPHONE LINE OF A CALLED PARTY, THE BLACK BOX PROVIDES TOLL-FREE CALLING *TO* THAT PARTY'S LINE. A BLACK BOX USER INFORMS OTHER PERSONS BEFOREHAND THAT THEY WILL NOT BE CHARGED FOR ANY CALL PLACED TO HIM. THE USER THEN OPERATES THE DEVICE CAUSING A "NON-CHARGE" CONDITION ("NO ANSWER" OR "DISCONNECT") TO BE RECORDED ON THE TELEPHONE COMPANY'S BILLING EQUIPMENT. A BLACK BOX IS RELATIVELY SIMPLE TO CONSTRUCT AND IS MUCH LESS SOPHISTICATED THAN A BLUE BOX. *CHEESE BOX* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ITS DESIGN MAY BE CRUDE OR VERY SOPHISTICATED. ITS SIZE VARIES; ONE WAS FOUND THE SIZE OF A HALF-DOLLAR. A CHEESE BOX IS USED MOST OFTEN BY BOOKMAKERS OR BETTERS TO PLACE WAGERS WITHOUT DETECTION FROM A REMOTE LOCATION. THE DEVICE INTER-CONNECTS 2 PHONE LINES, EACH HAVING DIFFERENT #'S BUT EACH TERMINATING AT THE SAME LOCATION. IN EFFECT, THERE ARE 2 PHONES AT THE SAME LOCATION WHICH ARE LINKED TOGETHER THROUGH A CHEESE BOX. IT IS USUALLY FOUND IN AN UNOCCUPIED APARTMENT CONNECTED TO A PHONE JACK OR CONNECTING BLOCK. THE BOOKMAKER, AT SOME REMOTE LOCATION, DIALS ONE OF THE NUMBERS AND STAYS ON THE LINE. VARIOUS BETTORS DIAL THE OTHER NUMBER BUT ARE AUTOMATICALLY CONNECTED WITH THE BOOKMAKER BY MEANS OF THE CHEESE BOX INTER-CONNECTION. IF, IN ADDITION TO A CHEESE BOX, A BLACK BOX IS INCLUDED IN THE ARRANGEMENT, THE COMBINED EQUIPMENT WOULD PERMIT TOLL-FREE CALLING ON EITHER LINE TO THE OTHER LINE. IF A POLICE RAID WERE CONDUCTED AT THE TERMINATING POINT OF THE CONVERSATIONS -THE LOCATION OF THE CHEESE BOX- THERE WOULD BE NO EVIDENCE OF GAMBLING ACTIVITY. THIS DEVICE IS SOMETIMES DIFFICULT TO IDENTIFY. LAW ENFORCEMENT OFFICIALS HAVE BEEN ADVISED THAT WHEN UNUSUAL DEVICES ARE FOUND ASSOCIATED WITH TELEPHONE CONNECTIONS THE PHONE COMPANY SECURITY REPRESENTATIVES SHOULD BE CONTACTED TO ASSIST IN IDENTIFICATION. (THIS PROBABLY WOULD BE GOOD FOR A BBS , ESPECIALLY WITH THE BLACK BOX SET UP. AND IF YOU EVER DECIDED TO TAKE THE BOARD DOWN, YOU WOULDN'T HAVE TO CHANGE YOUR PHONE #. IT ALSO MAKES IT SO YOU YOURSELF CANNOT BE TRACED. I AM NOT SURE ABOUT CALLING OUT FROM ONE THOUGH) *RED BOX* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- THIS DEVICE IT COUPLED ACOUSTICALLY TO THE HANDSET TRANSMITTER OF A SINGLE-SLOT COIN TELEPHONE. THE DEVICE EMITS SIGNALS IDENTICAL TO THOSE TONES EMITTED WHEN COINS ARE DEPOSITED. THUS, LOCAL OR TOLL CALLS MAY BE PLACED WITHOUT THE ACTUAL DEPOSIT OF COINS. Page 19 The Official Phreaker's Manual /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ /-/ /-/ /-/ Phreaker's /-/ /-/ PhunHouse /-/ /-/ /-/ /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ /-/ By: /-/ /-/ The Traveler /-/ /-/ /-/ /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ /-/ /-/ /-/ Call: /-/ /-/ Brainstorm BBS /-/ /-/ 612/345-2815 (300/1200) /-/ /-/ /-/ /-/ Little America /-/ /-/ 507/289-8211 (300) /-/ /-/ /-/ /-/ Tell 'em Traveler sent ya /-/ /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ The long awaited prequil to Phreaker's Guide has finally arrived. Conceived from the boredom and loneliness that could only be derived from: The Traveler! But now, he has returned in full strength (after a small vacation) and is here to 'World Premiere' the new files everywhere. Stay cool. This is the prequil to the first one, so just relax. This is not made to be an exclusive ultra elite file, so kinda calm down and watch in the background if you are too cool for it... /-/ Phreak Dictionary /-/ Here you will find some of the basic but necessary terms that should be known by any phreak who wants to be respected at all... Phreak [fr'eek]:1. The action of using mischevious and mostly illegal ways in order to not pay for some sort of telecommunications bill, order, transfer, or other service. It often involves usage of highly illegal boxes and machines in order to defeat the security that is set up to avoid this sort of happening. [fr'eaking]. v. 2. A person who uses the above methods of destruction and chaos in order to make a better life for all. A true phreaker will not not go against his fellows or narc on people who have ragged on him or do anything termed to be dishonorable to phreaks. [fr'eek]. n. 3. A certain code or dialup useful in the action of being a phreak. (Example: "I hacked a new metro phreak last night.") Switching System [Swich'ing sis'tem]: 1. There are 3 main switching systems currently employed in the US, and a few other systems will be mentioned as background. A) SxS: This system was invented in 1918 and was employed in over half of the country until 1978. It is a very basic system that is a general waste of energy and hard work on the linesman. A good way to identify this is that it requires a coin in the phone booth before it will give you a dial tone, or that no call waiting, call forwarding, or any other such service is available. Stands for: Step by Step B) XB: This switching system was first employed in 1978 in order to take care of most of the faults of SxS switching. Not only is it more efficient, but it Page 20 The Official Phreaker's Manual also can support different services in various forms. XB1 is Crossbar Version 1. That is very limited and is hard to distinguish from SxS except by direct view of the wiring involved. Next up was XB4, Crossbar Version 4. With this system, some of the basic things like DTMF that were not available with SxS can be accomplished. For the final stroke of XB, XB5 was created. This is a service that can allow DTMF plus most 800 type services (which were not always available...) Stands for: Crossbar. C) ESS: A nightmare in telecom. In vivid color, ESS is a pretty bad thing to have to stand up to. It is quite simple to identify. Dialing 911 for emergencies, and ANI [see ANI below] are the most common facets of the dread system. ESS has the capability to list in a person's caller log what number was called, how long the call took, and even the status of the conversation (modem or otherwise.) Since ESS has been employed, which has been very recently, it has gone through many kinds of revisions. The latest system to date is ESS 11a, that is employed in Washington D.C. for security reasons. ESS is truly trouble for any phreak, because it is 'smarter' than the other systems. For instance, if on your caller log they saw 50 calls to 1-800-421-9438, they would be able to do a CN/A [see Loopholes below] on your number and determine whether you are subscribed to that service or not. This makes most calls a hazard, because although 800 numbers appear to be free, they are recorded on your caller log and then right before you receive your bill it deletes the billings for them. But before that they are open to inspection, which is one reason why extended use of any code is dangerous under ESS. Some of the boxes [see Boxing below] are unable to function in ESS. It is generally a menace to the true phreak. Stands For: Electronic Switching System. because they could appear on a filter somewhere or maybe it is just nice to know them any ways. A) SSS: Strowger Switching System. First non-operator system available. B) WES: Western Electronics Switching. Used about 40 years ago with some minor places out west. Boxing [Boks'-ing]: 1) The use of personally designed boxes that emit or cancel electronical impulses that allow simpler acting while phreaking. Through the use of separate boxes, you can accomplish most feats possible with or without the control of an operator. 2) Some boxes and their functions are listed below. Ones marked with '*' indicate that they are not operatable in ESS. *Black Box: Makes it seem to the phone company that the phone was never picked up. Blue Box: Emits a 2600hz tone that allows you to do such things as stack a trunk line, kick the operator off line, and others. Red Box: Simulates the noise of a quarter, nickel, or dime being dropped into a payphone. Cheese Box: Turns your home phone into a pay phone to throw off traces (a red box is usually needed in order to call out.) *Clear Box: Gives you a dial tone on some of the old SxS payphones without putting in a coin. Beige Box: A simpler produced linesman's handset that allows you to tap into phone lines and extract by eavesdropping, or crossing wires, etc. Purple Box: Makes all calls made out from your house seem to be local calls. ANI [ANI]: 1) Automatic Number Identification. A service available on ESS that allows a phone service [see Dialups below] to record the number that any certain code was dialed from along with the number that was called and print Page 21 The Official Phreaker's Manual both of these on the customer bill. 950 dialups [see Dialups below] are all designed just to use ANI. Some of the services do not have the proper equipment to read the ANI impulses yet, but it is impossible to see which is which without being busted or not busted first. Dialups [dy'l'ups]: 1) Any local or 800 extended outlet that allows instant access to any service such as MCI, Sprint, or AT&T that from there can be used by handpicking or using a program to reveal other peoples codes which can then be used moderately until they find out about it and you must switch to another code (preferably before they find out about it.) 2) Dialups are extremely common on both senses. Some dialups reveal the company that operates them as soon as you hear the tone. Others are much harder and some you may never be able to identify. A small list of dialups: 1-800-421-9438 (5 digit codes) 1-800-547-6754 (6 digit codes) 1-800-345-0008 (6 digit codes) 1-800-734-3478 (6 digit codes) 1-800-222-2255 (5 digit codes) 3) Codes: Codes are very easily accessed procedures when you call a dialup. They will give you some sort of tone. If the tone does not end in 3 seconds, then punch in the code and immediately following the code, the number you are dialing but strike the '1' in the beginning out first. If the tone does end, then punch in the code when the tone ends. Then, it will give you another tone. Punch in the number you are dialing, or a '9'. If you punch in a '9' and the tone stops, then you messed up a little. If you punch in a tone and the tone continues, then simply dial then number you are calling without the '1'. 4) All codes are not universal. The only type that I know of that is truly universal is Metrophone. Almost every major city has a local Metro dialup (for Philadelphia, (215)351-0100/0126) and since the codes are universal, almost every phreak has used them once or twice. They do not employ ANI in any outlets that I know of, so feel free to check through your books and call 555-1212 or, as a more devious manor, subscribe yourself. Then, never use your own code. That way, if they check up on you due to your caller log, they can usually find out that you are subscribed. Not only that but you could set a phreak hacker around that area and just let it hack away, since they usually group them, and, as a bonus, you will have their local dialup. 5) 950's. They seem like a perfectly cool phreakers dream. They are free from your house, from payphones, from everywhere, and they host all of the major long distance companies (950-1044 , 950-1077 , 950-1088 , 950-1033 .) Well, they aren't. They were designed for ANI. That is the point, end of discussion. A phreak dictionary. If you remember all of the things contained on that file up there, you may have a better chance of doing whatever it is you do. This next section is maybe a little more interesting... Blue Box Plans: --------------- These are some blue box plans, but first, be warned, there have been 2600hz tone detectors out on operator trunk lines since XB4. The idea behind it is to use a 2600hz tone for a few very naughty functions that can really make your day lighten up. But first, here are the plans, or the heart of the file: ============================================== 700 : 1 : 2 : 4 : 7 : 11 : 900 : + : 3 : 5 : 8 : 12 : Page 22 The Official Phreaker's Manual 1100 : + : + : 6 : 9 : KP : 1300 : + : + : + : 10 : KP2 : 1500 : + : + : + : + : ST : : 700 : 900 :1100 :1300 :1500 : ============================================== Stop! Before you diehard users start piecing those little tone tidbits together, there is a simpler method. If you have an Apple-Cat with a program like Cat's Meow IV, then you can generate the necessary tones, the 2600hz tone, the KP tone, the KP2 tone, and the ST tone through the dial section. So if you have that I will assume you can boot it up and it works, and I'll do you the favor of telling you and the other users what to do with the blue box now that you have somehow constructed it. The connection to an operator is one of the most well known and used ways of having fun with your blue box. You simply dial a TSPS (Traffic Service Positioning Station, or the operator you get when you dial '0') and blow a 2600hz tone through the line. Watch out! Do not dial this direct! After you have done that, it is quite simple to have fun with it. Blow a KP tone to start a call, a ST tone to stop it, and a 2600hz tone to hang up. Once you have connected to it, here are some fun numbers to call with it: 0-700-456-1000 Teleconference (free, because you are the operator!) (Area code)-101 Toll Switching (Area code)-121 Local Operator (hehe) (Area code)-131 Information (Area code)-141 Rate & Route (Area code)-181 Coin Refund Operator (Area code)-11511 Conference operator (when you dial 800-544-6363) Well, those were the tone matrix controllers for the blue box and some other helpful stuff to help you to start out with. But those are only the functions with the operator. There are other k-fun things you can do with it... More advanced Blue Box Stuff: Oops. Small mistake up there. I forgot tone lengths. Um, you blow a tone pair out for up to 1/10 of a second with another 1/10 second for silence between the digits. KP tones should be sent for 2/10 of a second. One way to confuse the 2600hz traps is to send pink noise over the channel (for all of you that have decent BSR equalizers, there is major pink noise in there...) Using the operator functions is the use of the 'inward' trunk line. That is working it from the inside. From the 'outward' trunk, you can do such things as make emergency breakthrough calls, tap into lines, busy all of the lines in any trunk (called 'stacking'), enable or disable the TSPS's, and for some 4a systems you can even re-route calls to anywhere. All right. The one thing that every complete phreak guide should not be without is blue box plans, since they were once a vital part of phreaking. Another thing that every complete file needs is a complete listing of all of the 800 numbers around so you can have some more fun. /-/ 800 Dialup Listings /-/ 1-800-345-0008 (6) 1-800-547-6754 (6) 1-800-245-4890 (4) 1-800-327-9136 (4) 1-800-526-5305 (8) 1-800-858-9000 (3) 1-800-437-9895 (7) 1-800-245-7508 (5) 1-800-343-1844 (4) 1-800-322-1415 (6) 1-800-437-3478 (6) 1-800-325-7222 (6) Page 23 The Official Phreaker's Manual All right, set Cat Hacker 1.0 on those numbers and have a fuck of a day. That is enough with 800 codes, by the time this gets around to you I dunno what state those codes will be in, but try them all out anyways and see what you get. On some 800 services now, they have an operator who will answer and ask you for your code, and then your name. Some will switch back and forth between voice and tone verification, you can never be quite sure which you will be up against. Armed with this knowledge you should be having a pretty good time phreaking now. But class isn't over yet, there are still a couple important rules that you should know. If you hear continual clicking on the line, then you should assume that an operator is messing with something, maybe even listening in on you. It is a good idea to call someone back when the phone starts doing that. If you were using a code, use a different code and/or service to call him back. A good way to detect if a code has gone bad or not is to listen when the number has been dialed. If the code is bad you will probably hear the phone ringing more clearly and more quickly than if you were using a different code. If someone answers voice to it then you can immediately assume that it is an operative for whatever company you are using. The famed '311311' code for Metro is one of those. You would have to be quite stupid to actually respond, because whoever you ask for the operator will always say 'He's not in right now, can I have him call you back?' and then they will ask for your name and phone number. Some of the more sophisticated companies will actually give you a carrier on a line that is supposed to give you a carrier and then just have garbage flow across the screen like it would with a bad connection. That is a feeble effort to make you think that the code is still working and maybe get you to dial someone's voice... a good test for the carrier trick is to dial a number that will give you a carrier that you have never dialed with that code before, that will allow you to determine whether the code is good or not. For our next section, a lighter look at some of the things that a phreak should not be without. A vocabulary. A few months ago, it was a quite strange world for the modem people out there. But now, a phreaker's vocabulary is essential if you wanna make a good impression on people when you post what you know about certain subjects. /-/ Vocabulary /-/ - Do not misspell except certain exceptions: phone -> fone freak -> phreak - Never substitute 'z's for 's's. (i.e. codez -> codes) - Never leave many characters after a post (i.e. Hey Dudes!#!@#@!#!@) - NEVER use the 'k' prefix (k-kool, k-rad, k-whatever) - Do not abbreviate. (I got lotsa wares w/ docs) - Never substitute '0' for 'o' (r0dent, l0zer). - Forget about ye old upper case, it looks ruggyish. All right, that was to relieve the tension of what is being drilled into your minds at the moment.. now, however, back to the teaching course. Here are some things you should know about phones and billings for phones, etc. LATA: Local Access Transference Area. Some people who live in large cities or areas may be plagued by this problem. For instance, let's say you live in the 215 area code under the 542 prefix (Ambler, Fort Washington). If you went to dial in a basic Metro code from that area, for instance, 351-0100, that might not be counted under unlimited local calling because it is out of your LATA. For some LATA's, you have to dial a '1' without the area code before you can dial the phone number. That could prove a hassle for us all if you didn't Page 24 The Official Phreaker's Manual realize you would be billed for that sort of call. In that way, sometimes, it is better to be safe than sorry and phreak. The Caller Log: In ESS regions, for every household around, the phone company has something on you called a Caller Log. This shows every single number that you dialed, and things can be arranged so it showed every number that was calling to you. That's one main disadvantage of ESS, it is mostly computerized so a number scan could be done like that quite easily. Using a dialup is an easy way to screw that, and is something worth remembering. Anyways, with the caller log, they check up and see what you dialed. Hmm... you dialed 15 different 800 numbers that month. Soon they find that you are subscribed to none of those companies. But that is not the only thing. Most people would imagine "But wait! 800 numbers don't show up on my phone bill!". To those people, it is a nice thought, but 800 numbers are picked up on the caller log until right before they are sent off to you. So they can check right up on you before they send it away and can note the fact that you fucked up slightly and called one too many 800 lines. Right now, after all of that, you should have a pretty good idea of how to grow up as a good phreak. Follow these guidelines, don't show off, and don't take unnecessary risks when phreaking or hacking. File Level:5 /-/ Credits /-/ To The Videosmith- for setting me straight on some shit. To The Linesman- for telling me to upload it to his AE line. To Modern Mutant- for making me into a phreaking freak. To Jack the Nibbler- for the basis of the blue box plans. By using your new k-koool (hehe) phreaking knowledge, call a couple of these BBS's around the country: /---------------------------------\ | Bulletin Board List | | --------------------- | | 215/844-8836 | | 7 Cities of Gold (3/12) 10megs | | 307/382-4006 | | Brainstorm BBS (3/12) | | 612/345-2815 | | Metal Shop (3/12) | | 314/432-0756 | \---------------------------------/ Stay free! And watch out soon for Deep Thought, somewhere in 215, that will be a nice BBS that Ace of Spades and I will run. You will be the first to find out about it, trust me... Later, The Traveler Zer0-g Page 25 The Official Phreaker's Manual ************ << BIOC AGENT 003'S COURSE IN >> ************ * * * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * * %$ BASIC TELECOMMUNICATIONS $% * * $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ * * PART I * * * ********************************************************** HOW TO BE A REAL PHREAK <><><><><><><><><><><><><><><><><><><><><><><><><><><><><> IN THE PHONE PHREAK SOCIETY THERE ARE CERTAIN VALUES THAT EXIST IN ORDER TO BE A TRUE PHREAK, THESE ARE BEST SUMMED UP BY THE MAGICIAN: "MANY PEOPLE THINK OF PHONE PHREAKS AS SLIME, OUT TO RIP OFF BELL FOR ALL SHE IS WORTH. NOTHING COULD BE FURTHER FROM THE TRUTH! GRANTED, THERE ARE SOME WHO GET THEIR KICKS BY MAKING FREE CALLS; HOWEVER, THEY ARE NOT TRUE PHONE PHREAKS. REAL PHONE PHREAKS ARE 'TELECOMMUNICATIONS HOBBYISTS' WHO EXPERIMENT, PLAY WITH AND LEARN FROM THE PHONE SYSTEM. OCCASIONALLY THIS EXPERIMENTING, AND A NEED TO COMMUNICATE WITH OTHER PHREAKS ( WITH-OUT GOING BROKE), LEADS TO FREE CALLS. THE FREE CALLS ARE BUT A SMALL SUBSET OF A TRUE PHONE PHREAKS ACTIVITIES." THE PHONE PHREAK'S TEN COMMANDMENTS <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> REPRINTED FROM TAP ISSUE #86. (TAP, ROOM 603, 147 W 42 STREET, NEW YORK, NY 10036) SEND A SASE FOR THEIR INFO SHEET AND TELL THEM THAT BIOC AGENT 003 TOLD YOU ABOUT IT.) I. BOX THOU NOT OVER THINE HOME TELEPHONE WIRES, FOR THOSE WHO DOEST MUST SURELY BRING THE WRATH OF THE CHIEF SPECIAL AGENT DOWN UPON THY HEADS. II. SPEAKEST THOU NOT OF IMPORTANT MATTERS OVER THINE HOME TELEPHONE WIRES, FOR TO DO SO IS TO RISK THINE RIGHT OF FREEDOM. III. USE NOT THINE OWN NAME WHEN SPEAKING TO OTHER PHREAKS, FOR THAT EVERY THIRD PHREAK IS AN FBI AGENT IS WELL KNOWN. IV. LET NOT OVERLY MANY PEOPLE KNOW THAT THY BE A PHREAK, AS TO DO SO IS TO USE THINE OWN SELF AS A SACRIFICIAL LAMB. V. IF THOU BE IN SCHOOL, STRIVE TO GET THIN SELF GOOD GRADES, FOR THE AUTHORITIES WELL KNOW THAT SCHOLARS NEVER BREAK THE LAW. VI. IF THOU WORKEST, TRY TO BE A EMPLOYEE, AND IMPRESSEST THINE BOSS WITH THINE ENTHUSIASM, FOR IMPORTANT EMPLOYEES ARE OFTEN SAVED BY THEIR OWN BOSSES. VII. STOREST THOU NOT THINE STOLEN GOODS IN THINE OWN HOME, FOR THOSE WHO DO ARE SURELY NON-BELIEVERS IN THE BELL SYSTEM SECURITY FORCES, AND ARE NOT LONG FOR THIS WORLD. VIII. ATTRACTEST THOU NOT THE ATTENTION OF THE AUTHORITIES, AS THE LESS NOTICEABLE THOU ART, THE BETTER. Page 26 The Official Phreaker's Manual IX. MAKEST SURE THINE FRIENDS ARE INSTANT AMNESIACS AND WILL NOT REMEMBER THAT THOU HAVE CALLED ILLEGALLY, FOR THEIR COOPERATION WITH THE AUTHORITIES WILL SURELY LESSEN THINE TIME FOR FREEDOM ON THIS EARTH. X. SUPPORTEST THOU TAP, AS IT IS THINE NEWSLETTER, AND WITHOUT IT, THY WORK WILL BE FAR MORE LIMITED. CN/A NUMBERS <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> CUSTOMER NAME & ADDRESS BUREAUS EXIST SO THAT AUTHORIZED BELL EMPLOYEES MAY OBTAIN THE NAME & ADDRESS OF ANY CUSTOMER IN THE BELL SYSTEM BY GIVING THE CN/A OPERATOR THE CUSTOMER'S TEL-#. ALL CUSTOMERS ARE MAINTAINED ON FILE INCLUDING UNLISTED #'S. THESE BUREAUS HAVE MANY USES FOR PHREAKS. HERE IS HOW AN EMPLOYEE MIGHT GO ABOUT CALLING CN/A: "HI, THIS IS JOHN DOE FROM THE MIAMI RESIDENTIAL SERVICE CENTER, CAN I HAVE THE CUSTOMERS NAME AT (123) 555-1212." THE EMPLOYEES USUALLY USE THESE FOR CHECKING WHO BELONGS TO A # THAT SOMEONE CLAIMED THEY DIDN'T CALL.IF YOU SOUND CHEERY AND NATURAL THE OPERATOR WILL NEVER ASK ANY QUESTIONS. IF YOU DON'T SOUND LIKE A MATURE ADULT, DON'T USE IT! ALWAYS PRACTICE FIRST & SO YOU DON'T SCREW UP AND MAKE THE OPERATOR SUSPICIOUS. USE NAME THAT SOUNDS REAL, NOT YOUR PIRATE NAME EITHER! ALSO SAY THAT YOU ARE FRO A CITY THAT IS FAR AWAY FROM THE ONE THAT YOU ARE CALLING. THE CN/A NUMBER FOR THE NY AREA & VICINITY (212, 315, 516, 518, 607, 716, & 914), IS 518/471-8111, AND IS OPEN DURING BUSINESS HOURS. DON'T ABUSE IT!!!!!!! AT&T NEWSLINES <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> AT&T NEWSLINES ARE NUMBERS AT AREA PHONE OFFICES THAT TELCO EMPLOYEES CALL TO FIND OUT THE LATEST INFO ON NEW TECHNOLOGY, STOCKS, ETC. THE RECORDED REPORTS RANGE FROM VERY BORING TO VERY INTERESTING. HERE ARE A FEW OF THE NUMBERS: *(201) 483-3800 NJ (518) 471-2272 NY (203) 771-4920 CN (717) 255-5555 PA (212) 393-2151 NY (717) 787-1031 PA (516) 234-9941 NY *(914) 948-8100 NY SOME OF THESE NUMBERS ARE TOLL-FREE, BUT YOU CAN'T ALWAYS COUNT ON IT. * THESE NUMBERS ARE NOT ALWAYS UP! NUMBERS FROM OTHER AREAS ARE AVAILABLE BY REQUEST FROM F)BIOC L)AGENT 003. ANI NUMBERS <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> ANI NUMBERS IDENTIFY THE PHONE NUMBER THAT YOU ARE CALLING FROM. IT IS USEFUL WHEN PLAYING IN CANS (THOSE BIG SILVER BOXES ON TELEPHONE POLES) TO FIND OUT THE # OF THE LINE. IT IS ALSO GOOD TO FIND OUT THE # OF A PHONE THAT DOESN'T HAVE IT PRINTED ON IT. IN THE 914 AREA CODE THE ANI # IS 990. IF YOU JUST HAVE TO DIAL THE LAST 4 DIGITS FOR A LOCAL #, IE CONGERS (268), DIAL 1-990-1111, WHERE 1111 ARE DUMMY DIGITS THERE IS ALSO A LESS USEFUL TYPE OF Page 27 The Official Phreaker's Manual ANI# WHICH WILL IDENTIFY THE AREA CODE & EXCHANGE. IT IS NXX-9901, WHERE 'NXX' IS THE EXCHANGE. IN THE 212 & 516 AREA CODES THE ANI # IS 958. PHREAK NEWSLETTER <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> TAP IS THE "OFFICIAL" PHONE PHREAK NEWSLETTER, AND HAS EXISTED SINCE 1971. EACH 4 PAGE ISSUE IS CRAMMED FULL OF INFORMATION ON PHONE PHREAKING, COMPUTER PHREAKING, FREE GAS, FREE ELECTRICITY, FREE POSTAGE, BREAKING & ENTERING INFO, ETC. IT IS LARGELY PHONE PHREAK ORIENTED, HOWEVER. A 10 ISSUE SUBSCRIPTION COSTS $8.00, IF YOU GET A BULK RATE SEALED ENVELOPE SUBSCRIPTION. I WOULD RECOMMEND THE FIRST CLASS SUBSCRIPTION, WHICH IS $10. AS OF THIS WRITING (7-16-83), THE CURRENT ISSUE IS #86, AND ISSUE #50 IS 8 PAGES INSTEAD OF THE USUAL 4. BACK ISSUES ARE $0.75 EACH, AND ISSUE #50 IS $1.50. A BRIEF INDEX TO THE FIRST 80 ISSUES IS AVAILABLE FOR A SASE, OR FREE WITH A SUBSCRIPTION ORDER. TAP IS NON-PROFIT, AND IN DESPERATE NEED OF MATERIAL (ARTICLES), MONEY, AND VOLUNTEERS. TAP ROOM 603 147 WEST 42ND STREET NEW YORK, NY 10036 BELIEVE ME: IT WILL BE THE BEST $10 YOU WILL EVER SPEND... BLACK BOX <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> THE BLACK BOX IS A DEVICE THAT ATTACHED TO A CALLED PARTIES PHONE THAT ALLOWS HIM/HER TO RECEIVE FREE LONG DISTANCE CALLS FROM FRIENDS WHO CALL. YOU ONLY NEED 2 PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), 1/2 WATT, 10% RESISTOR. ANY ELECTRONICS PLACE SHOULD HAVE THESE. NOW, CUT TWO PIECES OF WIRE, ABOUT 6 INCHES, AND ATTACH THESE TO THE TWO SCREWS ON THE SWITCH. TURN YOUR NORMAL DDSIDE DOWN AND UNSCREW THE 2 SCREWS. LOCATE THE "F" AND "RR" SCREWS ON THE NETWORK BOX. WRAP THE RESISTOR BETWEEN THESE 2 SCREWS AND MAKE SURE THAT THE WIRES TOUCH ONLY THE PROPER TERMINALS! NOW CONNECT ONE WIRE FROM THE SWITCH TO THE RR TERMINAL. FINALLY, ATTACH THE REMAINING WIRE TO THE GREEN WIRE (DISCONNECT IT FROM ITS TERMINAL). NOW BRING THE SWITCH OUT THE REAR OF THE PHONE AND CLOSE IT UP. PUT THE SWITCH IN A POSITION WHERE YOU GET A DIAL TONE, MARK THIS NORMAL. MARK THE OTHER SIDE FREE. WHEN YOUR FRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE RECEIVER AS FAST AS POSSIBLE. THIS WILL STOP THE RINGING, IF NOT TRY AGAIN. IT IS VERY IMPORTANT THAT YOU DO IT FAST! NOW PUT THE SWITCH IN THE FREE POSITION AND PICK UP THE PHONE. KEEP ALL CALLS SHORT & UNDER 15 MINUTES. WHEN SOMEONE CALLS YOU LONG-DISTANCE, THEY ARE BILLED FROM THE MOMENT YOU ANSWER. THE TELCO KNOWS WHEN YOU ANSWER DUE TO A CERTAIN AMOUNT OF VOLTAGE THAT FLOWS WHEN YOU PICK UP THE PHONE. HOWEVER, THE RESISTOR CUTS DOWN ON THE VOLTAGE SO IT IS BELOW THE BILLING RANGE BUT SUFFICIENT ENOUGH TO OPERATE THE MOUTHPIECE. ANSWERING THE PHONE FOR A FRACTION OF A SECOND STOPS THE RING BUT IT IS NOT ENOUGH FOR BILLING TO START. IF THE PHONE IS ANSWERED FOR EVEN ONE Page 28 The Official Phreaker's Manual FULL SECOND, BILLING WILL START AND YOU WILL BE CUT OFF WHEN YOU HANG UP AND SWITCH TO FREE. WARNING: BELL CAN RANDOMLY LOOK FOR BLACK BOXES SO BE CAREFUL! _____________________________________ | | ---BLUE WIRE-->>F< | | | | | --WHITE WIRE---/ | | | | | | RESISTOR | | | | | | | | >RR<-------SWITCH--\ | | | | ----GREEN WIRE--------------------/ | | | |_____________________________________| DIAL LOCKS <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> HAVE YOU EVER BEEN IN AN OFFICE OR SOMEWHERE AND WANTED TO MAKE A FREE FONE CALL BUT SOME ASSHOLE PUT A LOCK ON THE FONE TO PREVENT OUT-GOING CALLS? FRET NO MORE PHELLOW PHREAKS, FOR EVERY SYSTEM CAN BE BEATEN WITH A LITTLE KNOWLEDGE! THERE ARE TWO WAYS TO BEAT THIS OBSTACLE, FIRST PICK THE LOCK, I DON'T HAVE THE TIME TO TEACH LOCKSMITHING SO WE GO TO THE SECOND METHOD WHICH TAKES ADVANTAGE OF TELEPHONE ELECTRONICS. TO BE AS SIMPLE AS POSSIBLE, WHEN YOU PICK UP THE FONE YOU COMPLETE A CIRCUIT KNOW AS A LOCAL LOOP. WHEN YOU HANG-UP YOU BREAK THE CIRCUIT. WHEN YOU DIAL (PULSE) IT ALSO BREAKS THE CIRCUIT BUT NOT LONG ENOUGH TO HANG UP! SO YOU CAN "PUSH-DIAL." TO DO THIS YOU >>> RAPIDLY <<< DEPRESS THE SWITCHHOOK. FOR EXAMPLE, TO DIAL AN OPERATOR (AND THEN GIVE HER THE NUMBER YOU WANT CALLED) >>> RAPIDLY <<< & >>> EVENLY <<< DEPRESS THE SWITCHHOOK 10 TIMES. TO DIAL 634-1268, DEPRESS 6 X'S PAUSE, THEN 3 X'S, PAUSE, THEN 4X'S, ETC. IT TAKES A LITTLE PRACTICE BUT YOU'LL GET THE HANG OF IT. TRY PRACTICING WITH YOUR OWN # SO YOU'LL GET A BUSY TONE WHEN RIGHT. IT'LL ALSO WORK ON TOUCH-TONE(TM) SINCE A DTMF LINE WILL ALSO ACCEPT PULSE. ALSO, NEVER DEPRESS THE SWITCHHOOK FOR MORE THAN A SECOND OR IT'LL HANG-UP! FINALLY, REMEMBER THAT YOU HAVE JUST AS MUCH RIGHT TO THAT FONE AS THE ASSHOLE WHO PUT THE LOCK ON IT! EXCHANGE SCANNING <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> ALMOST EVERY EXCHANGE IN THE BELL SYSTEM HAS TEST #'S AND OTHER "GOODIES" SUCH AS LOOPS WITH DIAL-UPS. THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 AND 9999 IN YOUR LOCAL EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN YOUR EXCHANGE AND YOU MAY BECOME LUCKY! HERE ARE MY FINDINGS IN THE 914-268 EXCHANGE: Page 29 The Official Phreaker's Manual 9900 - ANI (SEE SEPARATE BULLETIN) 9901 - ANI (SEE SEPARATE BULLETIN) 9927 - OSC. TONE (POSSIBLE TONE SIDE OF A LOOP) 9936 - VOICE # TO THE TELCO CENTRAL OFFICE 9937 - VOICE # TO THE TELCO CENTRAL OFFICE 9941 - COMPUTER (DIGITAL VOICE TRANSMISSION?) 9960 - OSC. TONE (TONE SIDE LOOP) MAY ALSO BE A COMPUTER IN SOME EXCHANGES 9961 - NO RESPONSE (OTHER END OF LOOP?) 9962 - NO RESPONSE (OTHER END OF LOOP?) 9963 - NO RESPONSE (OTHER END OF LOOP?) 9966 - COMPUTER (SEE 9941) 9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS MOST OF THE NUMBERS BETWEEN 9900 & 9999 WILL RING OR GO TO A "WHAT #, PLEASE?" OPERATOR. HAVE PHUN AND REMEMBER IT'S ONLY A LOCAL CALL! TOUCH-TONE & FREE CALLS <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> THERE ARE SEVERAL WAYS TO MAKE FREE CALLS (SPRINT, MCI, ETC.) USING A ROTARY PHONE. THEY ARE: 1. USE A NUMBER THAT ACCEPTS VOICE AS WELL AS DTMF. SUCH A # IS (800) 521-8400. AS OF WRITING THIS, A CODE WAS 00717865. A) IF USING VOICE, WAIT FOR THE COMPUTER TO SAY, "AUTHORIZATION #, PLEASE." THEN SAY EACH DIGIT SLOWLY, IT WILL BEEP AFTER EACH DIGIT IS SAID. AFTER EVERY GROUP OF DIGITS, IT WILL REPEAT WHAT YOU HAVE SAID, THEN SAY YES IF IT IS CORRECT, OTHERWISE SAY NO. IF THE ACCESS CODE IS CORRECT, IT WILL THANK YOU AND ASK FOR THE DESTINATION #, THEN SAY THE AREA CODE + NUMBER AS ABOVE. ANOTHER SUCH # IS (800) 245-8173, WHICH HAS A 6 DIGIT ACCESS CODE. (NOTE: IF USING TOUCH-TONE ON THIS #, ENTER THE CODE IMMEDIATELY AFTER THE TONE STOPS.) 2. HOOK UP A TOUCH-TONE FONE INTO YOUR ROTARY FONE. ATTACH THE RED WIRE FROM THE TOUCH-TONE FONE TO THE "R" TERMINAL INSIDE THE FONE ON THE NETWORK BOX. THEN HOOK THE GREEN WIRE TO THE "B" TERMINAL. TO USE THIS DIAL THE # USING ROTARY & THEN USE THE TOUCH-TONE FOR THE CODES. (DON'T HANG UP THE ROTARY FONE WHILE DOING THIS THOUGH!) IF THIS DOESN'T WORK THEN REVERSE THE 2 WIRES. (NOTE:IF YOUR LINE CAN ACCEPT TOUCH-TONE BUT YOU HAVE A ROTARY FONE THEN YOU CAN HOOK UP A TONE FONE DIRECTLY FOR ALL CALLS BUT THIS USUALLY ISN'T THE CASE.) SUCH AS RADIO SHACK'S 43-138. OTHER ALTERNATIVES <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> 4. USE A CHARGE-A-CALL FONE. (THESE ALSO MAKE GREAT EXTENSIONS IF YOU REMOVE IT USING A HEX WRENCH WITH A HOLE IN THE MIDDLE ON THE CENTER SCREW!)--(THESE FONES, FOR THE BENEFIT OF THOSE WHO DON'T KNOW, ARE BLUE WITH NO COIN SLOTS). 5. USE A PAY FONE THAT WANTS YOUR MONEY BEFORE THE DIAL TONE. PUT IN YOUR DIME, DIAL THE #; IF IT'S AN 800 # THEN YOUR DIME WILL COME BACK, IMMEDIATELY PUT A DIME BACK IN (IT'LL COME BACK WHEN YOU HANG UP!) IF IT IS A TONE FIRST FONE AND IT DISCONNECTS THE KEYPAD (SOME DON'T) THEN FIND ANOTHER FONE. Page 30 The Official Phreaker's Manual Chapter 2 Well now we know a little vocabulary, and now its into history, Phreak history. Back at MIT in 1964 arrived a student by the name of Stewart Nelson, who was extremely interested in the telephone. Before entering MIT, he had built autodialers, cheese boxes, and many more gadgets. But when he came to MIT he became even more interested in "fone-hacking" as they called it. After a little while he naturally started using the PDP-1, the schools computer at that time, and from there he decided that it would be interesting to see whether the computer could generate the frequencies required for blue boxing. The hackers at MIT were not interested in ripping off Ma Bell, but just exploring the telephone network. Stew (as he was called) wrote a program to generate all the tones and set off into the vast network. Now there were more people phreaking than the ones at MIT. Most people have heard of Captain Crunch (No not the cereal), he also discovered how to take rides through the fone system, with the aid of a small whistle found in a cereal box (can we guess which one?). By blowing this whistle, he generated the magical 2600hz and into the mouthpiece it sailed, giving him complete control over the system. I have heard rumors that at one time he made about 1/4 of the calls coming out of San Francisco. He got famous fast. He made the cover of people magazine and was interviewed several times (as you'll soon see). Well he finally got caught after a long adventurous career. After he was caught he was put in jail and was beaten up quite badly because he would not teach other inmates how to box calls. After getting out, he joined Apple computer and is still out there somewhere. Then there was Joe the Whistler, blind form the day he was born. He could whistle a perfect 2600hz tone. It was rumored phreaks used to call him to tune their boxes. Well that was up to about 1970, then from 1970 to 1979, phreaking was mainly done by college students, businessmen and anyone who knew enough about electronics and the fone company to make a 555 Ic to generate those magic tones. Businessmen and a few college students mainly just blue box to get free calls. The others were still there, exploring 800#'s and the new ESS systems. ESS posed a big problem for phreaks then and even a bigger one now. ESS was not widespread, but where it was, blue boxing was next to impossible except for the most experienced phreak. Today ESS is installed in almost all major cities and blue boxing is getting harder and harder. 1978 marked a change in phreaking, the Apple ][, now a computer that was affordable, could be programmed, and could save all that precious work on a cassette. Then just a short while later came the Apple Cat modem. With this modem, generating all blue box tones was easy as writing a program to count form one to ten (a little exaggerated). Pretty soon programs that could imitate an operator just as good as the real thing were hitting the community, TSPS and Cat's Meow, are the standard now and are the best. 1982-1986: LD services were starting to appear in mass numbers. People now had programs to hack LD services, telephone exchanges, and even passwords. By now many phreaks were getting extremely good and BBS's started to spring up everywhere, each having many documentations on phreaking for the novice. Then it happened, the movie War Games was released and mass numbers of sixth grade to all ages flocked to see it. The problem wasn't that the movie was bad, it was that now EVERYONE wanted to be a hacker/phreak. Novices came out in such mass numbers, that bulletin boards started to be busy 24 hours a day. To this day, they still have not recovered. Other problems started to occur, novices guessed easy passwords on large government computers and started to play around... Well it wasn't long before they were caught, I think that many people remember the 414-hackers. They were so stupid as to say "yes" when the computer asked them whether they'd like to play games. Well at least it takes the heat off the real phreaks/hacker/krackers. Page 31 The Official Phreaker's Manual After a little history, how about a little thrill? I don't know if this story is true but it sure is as bad as shit! Page 32 The Official Phreaker's Manual ***** The AAG Proudly Presents The AAG Proudly Presents ***** * * * +----------------------------------------------+ * * * * Secrets of the Little Blue Box * * * * by Ron Rosenbaum * * Typed by One Farad Cap/AAG * * * * -A story so incredible it may even make you * * feel sorry for the phone company- * * * * (First of four files) * * * * +----------------------------------------------+ * * * ***** The AAG Proudly Presents The AAG Proudly Presents ***** Dudes... These four files contain the story, "Secrets of the Little Blue Box", by Ron Rosenbaum. -A story so incredible it may even make you feel sorry for the phone company- Printed in the October 1971 issue of Esquire Magazine. If you happen to be in a library and come across a collection of Esquire magazines, the October 1971 issue is the first issue printed in the smaller format. The story begins on page 116 with a picture of a blue box. --One Farad Cap, Atlantic Anarchist Guild The Blue Box Is Introduced: Its Qualities Are Remarked I am in the expensively furnished living room of Al Gilbertson (His real name has been changed.), the creator of the "blue box." Gilbertson is holding one of his shiny black-and-silver "blue boxes" comfortably in the palm of his hand, pointing out the thirteen little red push buttons sticking up from the console. He is dancing his fingers over the buttons, tapping out discordant beeping electronic jingles. He is trying to explain to me how his little blue box does nothing less than place the entire telephone system of the world, satellites, cables and all, at the service of the blue-box operator, free of charge. "That's what it does. Essentially it gives you the power of a super operator. You seize a tandem with this top button," he presses the top button with his index finger and the blue box emits a high-pitched cheep, "and like that" -- cheep goes the blue box again -- "you control the phone company's long-distance switching systems from your cute little Princes phone or any old pay phone. And you've got anonymity. An operator has to operate from a definite location: the phone company knows where she is and what she's doing. But with your beeper box, once you hop onto a trunk, say from a Holiday Inn 800 (toll-free) number, they don't know where you are, or where you're coming from, they don't know how you slipped into their lines and popped up in that 800 number. They don't even know anything illegal is going on. And you can obscure your origins through as many levels as you like. You can call next door by way of White Plains, then over to Liverpool by cable, and then back here by satellite. You can call yourself from one pay phone all the way around the world to a pay phone next to you. And you get your dime back too." "And they can't trace the calls? They can't charge you?" Page 33 The Official Phreaker's Manual "Not if you do it the right way. But you'll find that the free-call thing isn't really as exciting at first as the feeling of power you get from having one of these babies in your hand. I've watched people when they first get hold of one of these things and start using it, and discover they can make connections, set up crisscross and zigzag switching patterns back and forth across the world. They hardly talk to the people they finally reach. They say hello and start thinking of what kind of call to make next. They go a little crazy." He looks down at the neat little package in his palm. His fingers are still dancing, tapping out beeper patterns. "I think it's something to do with how small my models are. There are lots of blue boxes around, but mine are the smallest and most sophisticated electronically. I wish I could show you the prototype we made for our big syndicate order." He sighs. "We had this order for a thousand beeper boxes from a syndicate front man in Las Vegas. They use them to place bets coast to coast, keep lines open for hours, all of which can get expensive if you have to pay. The deal was a thousand blue boxes for $300 apiece. Before then we retailed them for $1500 apiece, but $300,000 in one lump was hard to turn down. We had a manufacturing deal worked out in the Philippines. Everything ready to go. Anyway, the model I had ready for limited mass production was small enough to fit inside a flip-top Marlboro box. It had flush touch panels for a keyboard, rather than these unsightly buttons, sticking out. Looked just like a tiny portable radio. In fact, I had designed it with a tiny transistor receiver to get one AM channel, so in case the law became suspicious the owner could switch on the radio part, start snapping his fingers, and no one could tell anything illegal was going on. I thought of everything for this model -- I had it lined with a band of thermite which could be ignited by radio signal from a tiny button transmitter on your belt, so it could be burned to ashes instantly in case of a bust. It was beautiful. A beautiful little machine. You should have seen the faces on these syndicate guys when they came back after trying it out. They'd hold it in their palm like they never wanted to let it go, and they'd say, 'I can't believe it. I can't believe it.' You probably won't believe it until you try it." The Blue Box Is Tested: Certain Connections Are Made About eleven o'clock two nights later Fraser Lucey has a blue box in the palm of his left hand and a phone in the palm of his right. He is standing inside a phone booth next to an isolated shut-down motel off Highway 1. I am standing outside the phone booth. Fraser likes to show off his blue box for people. Until a few weeks ago when Pacific Telephone made a few arrests in his city, Fraser Lucey liked to bring his blue box (This particular blue box, like most blue boxes, is not blue. Blue boxes have come to be called "blue boxes" either because 1) The first blue box ever confiscated by phone-company security men happened to be blue, or 2) To distinguish them from "black boxes." Black boxes are devices, usually a resistor in series, which, when attached to home phones, allow all incoming calls to be made without charge to one's caller.) to parties. It never failed: a few cheeps from his device and Fraser became the center of attention at the very hippest of gatherings, playing phone tricks and doing request numbers for hours. He began to take orders for his manufacturer in Mexico. He became a dealer. Fraser is cautious now about where he shows off his blue box. But he never Page 34 The Official Phreaker's Manual gets tired of playing with it. "It's like the first time every time," he tells me. Fraser puts a dime in the slot. He listens for a tone and holds the receiver up to my ear. I hear the tone. Fraser begins describing, with a certain practiced air, what he does while he does it. "I'm dialing an 800 number now. Any 800 number will do. It's toll free. Tonight I think I'll use the ----- (he names a well-know rent-a-car company) 800 number. Listen, It's ringing. Here, you hear it? Now watch." He places the blue box over the mouthpiece of the phone so that the one silver and twelve black push buttons are facing up toward me. He presses the silver button -- the one at the top -- and I hear that high-pitched beep. "That's 2600 cycles per second to be exact," says Lucey. "Now, quick. listen." He shoves the earpiece at me. The ringing has vanished. The line gives a slight hiccough, there is a sharp buzz, and then nothing but soft white noise. "We're home free now," Lucey tells me, taking back the phone and applying the blue box to its mouthpiece once again. "We're up on a tandem, into a long-lines trunk. Once you're up on a tandem, you can send yourself anywhere you want to go." He decides to check out London first. He chooses a certain pay phone located in Waterloo Station. This particular pay phone is popular with the phone-phreaks network because there are usually people walking by at all hours who will pick it up and talk for a while. He presses the lower left-hand corner button which is marked "KP" on the face of the box. "That's Key Pulse. It tells the tandem we're ready to give it instructions. First I'll punch out KP 182 START, which will slide us into the overseas sender in White Plains." I hear a neat clunk-cheep. "I think we'll head over to England by satellite. Cable is actually faster and the connection is somewhat better, but I like going by satellite. So I just punch out KP Zero 44. The Zero is supposed to guarantee a satellite connection and 44 is the country code for England. Okay... we're there. In Liverpool actually. Now all I have to do is punch out the London area code which is 1, and dial up the pay phone. Here, listen, I've got a ring now." I hear the soft quick purr-purr of a London ring. Then someone picks up the phone. "Hello," says the London voice. "Hello. Who's this?" Fraser asks. "Hello. There's actually nobody here. I just picked this up while I was passing by. This is a public phone. There's no one here to answer actually." "Hello. Don't hang up. I'm calling from the United States." "Oh. What is the purpose of the call? This is a public phone you know." Downloaded From P-80 International Information Systems 304-744-2253