Blue box


An early phreaking tool, the blue box is an electronic device that simulates a telephone operator's dialing console. It functions by replicating the tones used to switch long-distance calls and using them to route the user's own call, bypassing the normal switching mechanism. The most typical use of a blue box was to get free telephone calls. Blue boxes no longer work in most western nations, as the switching system is now digital and no longer uses in-band signaling. Instead, signaling occurs on an out-of-band channel, called Common Channel Interoffice Signaling (CCIS), which cannot be accessed from the caller's own line.

The blue box got its name because the first device confiscated by Bell System security was in a blue plastic case.

History

In 1955, the Bell System Technical Journal published an article entitled "In Band Signal Frequency Signalling", which described the process used for routing telephone calls over trunk lines with the then-current signalling system, R1. The article described the basics of the inter-office trunking system and the signalling used. While handy, this information could not be used on its own, as the frequencies used for the Multi-Frequency, or "MF", tones were not published in the article.

In 1964, the other half of the equation was revealed by the Bell System Technical Journal: another article was published containing the frequencies used for the digits that were used for the actual routing codes. With these two bits of information, the phone system was at the disposal of anyone with a cursory knowledge of electronics.

However, contrary to numerous stories, many people had discovered, before the articles in the Bell System Technical Journal were found and in some cases quite unintentionally and to their annoyance, that some Bell System trunks could be reset by a 2600 Hz tone. Famous phone phreaks such as Joe Engressia (Joybubbles) and Bill from New York trained themselves to whistle 2600 Hz, which would reset trunks. They also learned how to route phone calls by causing trunks to flash in certain patterns.

With the ability to blue box, what had once been individuals exploring the telephone network started to develop into a whole sub-culture. Famous phone phreaks such as John Draper (also known as Captain Crunch), Mark Bernay, Al Bernay, Joe Engressia, Evan Doorbell, Bill from New York, and Ben Decibel used blue boxes to explore the various 'hidden codes' that were not dialable from a regular phone line.

Some of the more famous pranksters were Steve Wozniak and Steve Jobs, founders of Apple Computer. One of the more famous stories Wozniak tells is when he MFed over to the Vatican, and managed to wake up the Pope by impersonating Henry Kissinger.

Other, darker and more sinister types, such as the Mafia, along with people who didn't know better, used blue boxes solely to make free phone calls.

Blue boxing hit the mainstream when an article entitled "Secrets of the Little Blue Box" was published in the October 1971 issue of Esquire Magazine. Suddenly, everyone wanted to get into the blue box scene, and it furthered the fame of Crunch and others.

To prove that people who do not pay attention to history are doomed to repeat it, in November 1988, the CCITT (now known as ITU-T) published recommendation Q.140, which goes over Signaling System No. 5's international functions, once again giving away the 'secret' frequencies of the system. This caused a resurgence of blue boxing incidents with a new generation.

Operation

The operation of a blue box is simple: First, the user places a long-distance telephone call, usually to an 800 number or some other non-supervising phone number. For the most part, anything going beyond 50 miles would go over a trunk type susceptible to this technique.

When the call starts to ring, the caller uses the blue box to send a 2600 Hz tone. The 2600 Hz tone is a supervisory signal because it indicates the status of a trunk: on-hook (tone) or off-hook (no tone). Playing this tone convinces the far end of the connection that the caller has hung up and that it should wait. When the tone stops, the trunk will make a "Ka-Cheep" noise, followed by silence. This is the far end of the connection going back off-hook and waiting for routing digits.

Once the far end sends the ka-cheep, the user would use the blue box to dial a "Key Pulse" or "KP", the tone that starts a routing digit sequence, followed by either a telephone number or one of the numerous special codes that were used internally by the telephone company, then finish with a "Start" or "ST" tone. At this point, the far end of the connection would route the call as instructed, while the user's end would treat the call as still ringing at the original number.

Frequencies and Timings

Each MF tone consists of two frequencies, shown in the first table below. Note that these are not the same as customer-dialed Touch-Tone, which is shown in the second table:

Operator (blue box) dialed MF Frequencies

          900 Hz   1100 Hz   1300 Hz   1500 Hz   1700 Hz
 700 Hz   1        2         4         7         11/ST3
 900 Hz            3         5         8         12/ST2
1100 Hz                      6         9         KP
1300 Hz                                0/10      KP2/ST2
1500 Hz                                          ST

Customer-dialed Touch-Tone (DTMF) Frequencies

          1209 Hz   1336 Hz   1477 Hz   1633 Hz
697 Hz    1         2         3         A
770 Hz    4         5         6         B
852 Hz    7         8         9         C
941 Hz    *         0         #         D

Normally, each tone is on for 60 ms, with 60 ms of silence between digits. The 'KP' and 'KP2' tones are sent for 100 ms. KP2 (ST2 in the R1 standard) was used for dialing internal Bell System telephone numbers. However, actual tone durations can vary depending on location, switch type, and machine status.
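The weakness described above is that supervisory and routing signals share the voice path with the subscriber, so they can also be observed there. The following added example (not part of the original article) is a Goertzel-filter monitor that decodes the MF table above from audio frames and flags a 2600 Hz tone followed by KP; the 8 kHz sample rate, 20 ms frame size, thresholds and the constructed test audio are assumptions.

```python
import math
RATE = 8000          # assumed sample rate in Hz (not from the article)
SF, MF = 2600, (700, 900, 1100, 1300, 1500, 1700)
# Frequency pair -> symbol, taken from the MF table above.
SYMBOLS = {(700, 900): "1", (700, 1100): "2", (900, 1100): "3",
           (700, 1300): "4", (900, 1300): "5", (1100, 1300): "6",
           (700, 1500): "7", (900, 1500): "8", (1100, 1500): "9",
           (1300, 1500): "0", (1100, 1700): "KP", (1500, 1700): "ST",
           (700, 1700): "11/ST3", (900, 1700): "12/ST2", (1300, 1700): "KP2/ST2"}

def power(frame, freq):
    """Goertzel filter: squared amplitude of `freq` within `frame`."""
    c = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + c * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - c * s1 * s2) / (len(frame) ** 2 / 4.0)

def classify(frame, threshold=0.05):
    """Label one frame as 'SF2600', an MF symbol, or None."""
    if power(frame, SF) > threshold:
        return "SF2600"
    ranked = sorted(((power(frame, f), f) for f in MF), reverse=True)
    (_, f1), (p2, f2), (p3, _) = ranked[:3]
    if p2 > threshold and p3 < threshold / 4:    # exactly two MF tones present
        return SYMBOLS.get(tuple(sorted((f1, f2))))

def scan(samples, frame_ms=20):
    """Return the sequence of signaling events heard in `samples`."""
    step, events, last = RATE * frame_ms // 1000, [], None
    for i in range(0, len(samples) - step + 1, step):
        label = classify(samples[i:i + step])
        if label and label != last:              # silence resets `last`
            events.append(label)
        last = label
    return events

def in_band_alert(events):
    """True if a trunk-reset tone is followed by operator KP signaling."""
    return "SF2600" in events and "KP" in events[events.index("SF2600"):]

def tone(freqs, ms, amp=0.5):
    """Constructed test audio: a sum of sine waves (silence if freqs is empty)."""
    return [sum(amp * math.sin(2 * math.pi * f * i / RATE) for f in freqs)
            for i in range(RATE * ms // 1000)]

# Constructed sample: 2600 Hz, pause, KP (100 ms), digits 5 5 (60 ms each), ST.
SAMPLE = (tone((SF,), 200) + tone((), 100) + tone((1100, 1700), 100)
          + tone((), 60) + tone((900, 1300), 60) + tone((), 60)
          + tone((900, 1300), 60) + tone((), 60) + tone((1500, 1700), 60))
```

Calling `scan(SAMPLE)` yields the event list that `in_band_alert` evaluates; a single tone outside the MF set and the 2600 Hz tone produces no events.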

Special Codes

Some of the special codes an MFer could get onto are in the chart below. "NPA" is a U.S. telephone company term for 'area code'.

Code:            Type of operator you will reach:
NPA+100        - Plant Test - Balance termination
NPA+101        - Plant Test - Toll Testing Board
NPA+102        - Plant Test - Milliwatt tone (1004 Hz)
NPA+103        - Plant Test - Signaling test termination
NPA+104        - Plant Test - 2-way transmission and noise test
NPA+105        - Plant Test - Automatic Transmission Measuring System 
NPA+106        - Plant Test - CCSA loop transmission test
NPA+107        - Plant Test - Par meter generator
NPA+108        - Plant Test - CCSA loop echo support maintenance
NPA+109        - Plant Test - Echo canceler test line
NPA+121        - Inward Operator
NPA+131        - Operator Directory assistance
NPA+141        - Rate and Route Information
914+151        - Overseas incoming (White Plains, NY)
212+151        - Overseas incoming (New York, NY)
NPA+161        - trouble reporting operator (defunct)
NPA+181        - Coin Refund Operator
914+182        - International Sender (White Plains, NY)
212+183        - International Sender (New York, NY)
412+184        - International Sender (Pittsburgh, PA)
407+185        - International Sender (Orlando, FL)
510+186        - International Sender (Oakland, CA)
303+187        - International Sender (Denver, CO)
212+188        - International Sender (New York, NY)

Not all NPAs had all functions.
