HOME

TheInfoList



OR:

A blue box is an
electronic device The field of electronics is a branch of physics and electrical engineering that deals with the emission, behaviour and effects of electrons using electronic devices. Electronics uses active devices to control electron flow by amplification ...
that produces tones used to generate the
in-band signaling In telecommunications, in-band signaling is the sending of control information within the same band or channel used for data such as voice or video. This is in contrast to out-of-band signaling which is sent over a different channel, or even o ...
tones formerly used within the North American long-distance telephone network to send line status and called number information over voice circuits. This allowed the user, referred to as a "
phreaker Phreaking is a slang term coined to describe the activity of a culture of people who study, experiment with, or explore telecommunication systems, such as equipment and systems connected to public telephone networks. The term ''phreak'' is a ...
", to surreptitiously place long-distance calls that would be billed to another number or dismissed entirely as an incomplete call. A number of similar "color boxes" were also created to control other aspects of the phone network. First developed in the 1960s and used by a small phreaker community, the introduction of low-cost microelectronics in the early 1970s greatly simplified these devices to the point where they could be constructed by anyone reasonably competent with a
soldering iron A soldering iron is a hand tool used in soldering. It supplies heat to melt solder so that it can flow into the joint between two workpieces. A soldering iron is composed of a heated metal tip (the ''bit'') and an insulated handle. Heating ...
or breadboard construction. Soon after, models of relatively low quality were being offered fully assembled, but these generally required tinkering on the part of the user to keep operational. An exception was the robust system designed by Steve Wozniak prior to starting work on the
Apple I The Apple Computer 1, originally released as the Apple Computer and known later as the Apple I or Apple-1, is an 8-bit desktop computer released by the Apple Computer Company (now Apple Inc.) in 1976. It was designed by Steve Wozniak. The i ...
. It was sold by Steve Jobs. Blue boxes stopped working as the long-distance network was increasingly digitized, replacing the call-control tones with
out-of-band signaling In telecommunication, signaling is the use of signals for controlling communications. This may constitute an information exchange concerning the establishment and control of a telecommunication circuit and the management of the network. Classif ...
methods in the form of
common-channel signaling In telecommunication, common-channel signaling (CCS), or common-channel interoffice signaling (CCIS), is the transmission of control information ''( signaling)'' via a separate channel than that used for the messages, The signaling channel usually ...
(CCS) carried digitally on a separate channel that is inaccessible to the telecom customer. The original technique was of limited use by the 1980s, and of almost no use today.


History


Automated dialing

Local calling had been increasingly automated through the first half of the 20th century, but long-distance calling still required operator intervention. Automation was deemed essential by
AT&T AT&T Inc. is an American multinational telecommunications holding company headquartered at Whitacre Tower in Downtown Dallas, Texas. It is the world's largest telecommunications company by revenue and the third largest provider of mobile te ...
. By the 1940s they had developed a system that used audible tones played over the long-distance lines to control network connections. Tone pairs, referred to as multi-frequency (MF) signals, were assigned to the digits used for telephone numbers. A different, single tone, referred to as single frequency (SF), was used as a line status signal. This new system allowed the telephone network to be increasingly automated by deploying the dialers and tone generators on an as-required basis, starting with the busier exchanges.
Bell Labs Nokia Bell Labs, originally named Bell Telephone Laboratories (1925–1984), then AT&T Bell Laboratories (1984–1996) and Bell Labs Innovations (1996–2007), is an American industrial Research and development, research and scientific developm ...
was happy to advertise their success in creating this system, and repeatedly revealed details of its inner workings. In the February 1950 issue of
Popular Electronics ''Popular Electronics'' was an American magazine published by John August Media, LLC, and hosted at TechnicaCuriosa.com. The magazine was started by Ziff-Davis Publishing Company in October 1954 for electronics hobbyists and experimenters. It soo ...
, they published an advertisement, ''Playing a Tune for a Telephone Number'', which showed the musical notes for the digits on a staff and described the telephone operator's pushbuttons as a "musical keyboard". Two keys on a piano would need to be pushed simultaneously to play the tones for each digit. The illustration did not include the tone pairs for the special control signals KP and ST, although in the picture the operator's finger is on the KP key and the ST key is visible. In the 1950s, AT&T released a public relations film, "Speeding Speech", which described the operation of the system. In the film, the tone sequence for sending a complete telephone number is heard through a loudspeaker as a technician presses the keys for dialing. In November 1954, the Bell System Technical Journal published an article entitled "In-Band Single-Frequency Signaling", which described the signaling scheme used for starting and ending telephone calls for the purpose of routing over trunk lines. In November 1960, an article in the Bell System Technical Journal provided an overview of the technical details of signaling systems, and disclosed the frequencies of the signals. The system was relatively complex for 1950s technology. It had to accurately decode the frequencies and ignore any signals where that frequency might be accidentally created; music playing in the background might randomly contain the SF tones and the system had to filter these out. To do this, the signaling unit compared the signal power from a bandpass filter centered on 2600 Hz to signal power in other parts of the audio band, and only triggered if the tone was the most prominent signal. The originating end of the call would play the tone into the trunk line when the call ended, and trigger the remote end to end the call. After a short time, the originating end reduced the tone level and continued to send tone as long as it received on hook status from its local equipment.


Discovery and early use

Before the technical details were published, many users discovered unintentionally, and to their annoyance, that a 2600 Hz tone played into the caller's handset would cause a
long-distance call In telecommunications, a long-distance call (U.S.) or trunk call (also known as a toll call in the U.K. ) is a telephone call made to a location outside a defined local calling area. Long-distance calls are typically charged a higher billing rate ...
to disconnect. The 2600 Hz tone might be present if the caller were whistling into the telephone microphone while waiting for the called party to answer. Upon detecting the tone from the caller's end, the receiving signaling unit sent an on hook status to the connected equipment, which disconnected the call from that point forward, as if the caller had hung up. Among the earliest to discover this effect was Joe Engressia, known as ''Joybubbles'', who accidentally discovered it at the age of seven by
whistling Whistling without the use of an artificial whistle is achieved by creating a small opening with one's lips, usually after applying moisture (licking one's lips or placing water upon them) and then blowing or sucking air through the space. The a ...
. He became fascinated with the phone network, and over the next decade had built up a considerable base of knowledge about the system and how to place calls using the control tones. He and other
phone phreak Phreaking is a slang term coined to describe the activity of a culture of people who study, experiment with, or explore telecommunication systems, such as equipment and systems connected to public telephone networks. The term ''phreak'' is a ...
s, such as "
Bill from New York Bill(s) may refer to: Common meanings * Banknote, paper cash (especially in the United States) * Bill (law), a proposed law put before a legislature * Invoice, commercial document issued by a seller to a buyer * Bill, a bird or animal's beak Plac ...
" and "The Glitch", trained themselves to whistle 2600 Hz to reset a trunk line. They also learned how to route telephone calls by At one point in the 1960s, packages of the
Cap'n Crunch Cap'n Crunch is a corn and oat breakfast cereal manufactured by Quaker Oats Company, a subsidiary of PepsiCo since 2001. After introducing the original cereal in 1963, marketed simply as ''Cap'n Crunch'', Quaker Oats has since introduced numer ...
breakfast cereal included a free gift: a small whistle that, by coincidence, generated a 2600 Hz tone when one of the whistle's two holes was covered. The phreaker
John Draper John Thomas Draper (born March 11, 1943), also known as Captain Crunch, Crunch, or Crunchman (after the Cap'n Crunch breakfast cereal mascot), is an American computer programmer and former phone phreak. He is a widely known figure within the ...
adopted his nickname "Captain Crunch" from this whistle. The "toll free" 800 service was launched in 1967 and gave the hackers easy numbers to call. The user would generally choose a number in the target area and then use it as above. Even if billing information were generated, it would be to a 1-800 number and thus free of charge. As before, the remote system would notice a call going to the ultimate non-free number, but could not match the other end.


Technology

It was technically possible to generate the tones with the technology available at the time the system was first deployed. A piano or electronic organ had keys that were close enough in frequency to work. With tuning, they could even be made dead on frequency. For dialing the phone number, the user would press 2 keys at a time. An experienced pianist might have found the key combinations awkward to play. But a blank player piano roll could have been punched to operate the required keys and dial a phone number. Another strategy would have been to purchase doorbells, remove the plungers, and mount them on a frame that could be set over the piano keyboard. Twelve DPDT pushbuttons, labelled KP, ST and the 10 digits, would operate pairs of plungers to play the phone company tones, after the E7 piano key had been pressed and released. At the time, there were consumer devices for recording on wire or blank phonograph records, so the piano did not have to be near the phone. Consumer tape recorders came later and made the recording process easier. Small, battery powered, tape recorders allowed the tones to be played back almost anywhere. It was possible to construct an electronic blue box with 1940s vacuum tube technology, but the device would have been relatively large and power hungry. Just as it did for radios, shrinking them from the size of toasters to the size of cigarette packages and allowing them to be powered by small batteries, transistor technology made a small, battery powered, electronic blue box practical. AT&T security captured its first blue box in about 1962, but it probably was not the first one built. A typical blue box had 13 pushbuttons. One button would be for the 2600 Hz tone, pressed and released to disconnect the outgoing connection and then connect a digit receiver. There would be a KP button, to be pressed next, 10 buttons for telephone number digits, and the ST button to be pressed last. The blue box may have had 7 oscillators, 6 for the 2 out of 6 digit code and one for the 2600 Hz tone, or 2 oscillators with switchable frequencies. The blue box was thought to be a sophisticated electronic device and sold on the black market for a typical $800–1,000 or as much as $3,500. Actually, designing and building one was within the capabilities of many electronics students and engineers with knowledge of the required tones, using published designs for electronic oscillators, amplifiers and switch matrixes, and assembled with readily available parts. Furthermore, it was possible to generate the required tones using consumer products or lab test equipment. The tones could be recorded on small, battery powered, cassette recorders for playback anywhere. To reduce call set up time, telephone numbers were transmitted from machine to machine in a "speed dial" format, about 1.5 seconds for a 10 digit number, including KP and ST. To catch the cheaters, AT&T could have connected monitors to digit receivers that were not being used for operator dialed calls and logged calls dialed at manual speed. So, some hackers went to the extra trouble of building blue boxes that stored telephone numbers and played the tones with the same timing as the machines.


Subculture

The widespread ability to blue box, once limited to just a few isolated individuals exploring the telephone network, developed into a subculture. Famous phone phreaks such as "Captain Crunch",
Mark Bernay Mark may refer to: Currency * Bosnia and Herzegovina convertible mark, the currency of Bosnia and Herzegovina * East German mark, the currency of the German Democratic Republic * Estonian mark, the currency of Estonia between 1918 and 1927 * Fin ...
, and Al Bernay used blue boxes to explore the various 'hidden codes' that were not dialable with a standard telephone. Some of the more famous pranksters were Steve Wozniak and Steve Jobs, founders of Apple Computer. On one occasion, Wozniak dialed
Vatican City Vatican City (), officially the Vatican City State ( it, Stato della Città del Vaticano; la, Status Civitatis Vaticanae),—' * german: Vatikanstadt, cf. '—' (in Austria: ') * pl, Miasto Watykańskie, cf. '—' * pt, Cidade do Vati ...
and identified himself as
Henry Kissinger Henry Alfred Kissinger (; ; born Heinz Alfred Kissinger, May 27, 1923) is a German-born American politician, diplomat, and geopolitical consultant who served as United States Secretary of State and National Security Advisor under the presid ...
(imitating Kissinger's German accent) and asked to speak to the Pope (who was sleeping at the time). Wozniak said in 1986: Jobs later told his biographer that if it had not been for Wozniak's blue boxes, "there wouldn't have been an Apple."


In the media

Blue boxing hit the mainstream media when an article by
Ron Rosenbaum Ronald Rosenbaum (born November 27, 1946) is an American literary journalist, literary critic, and novelist. Life and career Rosenbaum was born into a Jewish family in New York City, New York and grew up in Bay Shore, New York. He graduated fr ...
titled ''Secrets of the Little Blue Box'' was published in the October 1971 issue of '' Esquire'' magazine. Suddenly, many more people wanted to get into the
phone phreaking Phreaking is a slang term coined to describe the activity of a culture of people who study, experiment with, or explore telecommunication systems, such as equipment and systems connected to public telephone networks. The term ''phreak'' is a ...
culture spawned by the blue box, and it furthered the fame of Captain Crunch. Two major amateur radio magazines ('73' and "CQ') published articles on the telephone system in the mid-1970s. CQ Magazine published details on phone phreaking, including the tone frequencies and several working blue box schematics in 1974. The June 1975 issue of '73' featured an article describing the rudiments of the long-distance signaling network, how to construct red and blue boxes, and put them into operation. Around the same time, do-it-yourself kits were available to build one's own blue box. In November 1988, the CCITT (now known as
ITU-T The ITU Telecommunication Standardization Sector (ITU-T) is one of the three sectors (divisions or units) of the International Telecommunication Union (ITU). It is responsible for coordinating standards for telecommunications and Information Comm ...
) published recommendation Q.140 for the Signaling System No. 5, which caused a resurgence of blue boxing incidents in a new generation of users. During the early 1990s, blue boxing became popular with the international
warez scene The Warez scene, often referred to as The Scene, is a worldwide, underground, organized network of pirate groups specializing in obtaining and illegally releasing digital media for free before their official sale date. The Scene distributes all fo ...
, especially in Europe. The software was made to facilitate blue boxing using a computer to generate the signaling tones and play them into the phone. For the PC there were
BlueBEEP ''BlueBEEP'' was a popular blue boxing computer program for MS-DOS written between 1993–1995 by the German programmer Stefan Andreas Scheytt, known by the pseudonym Onkel Dittmeyer. Used correctly, it could be used to exploit vulnerabilities i ...
, TLO, and others, and blue boxes for other platforms such as Amiga were available as well.


Operation


Automating dialing

Local
plain old telephone service Plain old telephone service (POTS), or plain ordinary telephone system, is a retronym for voice-grade telephone service employing analog signal transmission over copper loops. POTS was the standard service offering from telephone companies from 1 ...
works by watching the voltage on the telephone lines between the telephone company's exchange office and the customer's telephone. When the phone is on-hook ("hung up") the approximately 48 
volt The volt (symbol: V) is the unit of electric potential, electric potential difference (voltage), and electromotive force in the International System of Units (SI). It is named after the Italian physicist Alessandro Volta (1745–1827). Defin ...
electricity from the exchange flows to the phone and is looped back without passing through the handset. When the user picks up the handset, the current has to flow through the speaker and microphone in it, causing the voltage to drop to under 10 V. This sudden drop in voltage signals the user has picked up the phone. Originally, all calls were routed manually by an operator who would look for small light bulbs that would illuminate when the user picked up the phone. They would connect a handset to the line, ask the user who they were calling, and then connect a cable between two phone jacks to complete the call. If the user was placing a long-distance call, the local operator would first talk to an operator at the remote exchange using one of the trunk lines between the two locations. When the local operator heard the remote customer come on the line, they would connect their local customer to the same trunk line to complete the call. The calling process began to be automated from the earliest days of the telephone system. Increasingly sophisticated
electromechanical In engineering, electromechanics combines processes and procedures drawn from electrical engineering and mechanical engineering. Electromechanics focuses on the interaction of electrical and mechanical systems as a whole and how the two systems ...
systems would use the changes in voltage to start the connection process. The
rotary dial A rotary dial is a component of a telephone or a telephone switchboard that implements a signaling technology in telecommunications known as pulse dialing. It is used when initiating a telephone call to transmit the destination telephone number ...
was introduced around 1904 to operate these switches; the dial rapidly connects and disconnects the line, a process known as
pulse dialing Pulse dialing is a signaling technology in telecommunications in which a direct current local loop circuit is interrupted according to a defined coding system for each signal transmitted, usually a digit. This lends the method the often used name ...
. In common systems, these periodic changes in voltage caused a
stepper motor A stepper motor, also known as step motor or stepping motor, is a brushless DC electric motor that divides a full rotation into a number of equal steps. The motor's position can be commanded to move and hold at one of these steps without any posi ...
to rotate one position for each digit, and longer delays to switch from one rotary switch to another. When enough digits had been decoded, typically seven in North America, connections between each rotor would select a single line, the customer being dialed. The concept of using voltages to complete the call worked well for the local exchange where the distance between the customer and exchange office might be on the order of a few kilometers. Over longer distances, the
capacitance Capacitance is the capability of a material object or device to store electric charge. It is measured by the change in charge in response to a difference in electric potential, expressed as the ratio of those quantities. Commonly recognized ar ...
of the lines filter out any rapid changes in voltage and dialing flashes do not reach the remote office in clean form. Through this period, long-distance calls still required operator intervention. As telephone use grew, long-distance calling in particular, telephone companies were increasingly interested in automating this type of connection.


Long-distance direct dialing

To address this need, the Bell System adopted a second system on the circuits that connected the exchanges. When the user dialed a long-distance number, indicated in North America by dialing a "1" at the beginning of the number, the call was switched to a separate system known as a "
tandem Tandem, or in tandem, is an arrangement in which a team of machines, animals or people are lined up one behind another, all facing in the same direction. The original use of the term in English was in ''tandem harness'', which is used for two ...
". The tandem would then buffer the remaining digits and decode the number to see which remote exchange was being dialed, generally using the area code for this purpose. They would then look for a free trunk line between the two exchanges; if none were available the tandem would play the reorder signal (the "fast busy") to tell the user to try the call again later. The basic protocol for finding a free line worked by playing a 2600 Hz tone into the line whenever it was not being used. The tandems at both ends of a given trunk line did this. When the tandem determined which remote exchange was being called it scanned the trunk lines between the two exchanges looking for the tone. When it heard the tone on one of the lines, it knew that line was free to use. They would then select that line and drop the 2600 Hz tone from their end. The remote tandem would hear the tone stop, drop their tone, and then play a ''supervision flash'', making a "ka-cheep" sound, to indicate they had noticed the signal. The line was now free on both ends to connect a call. Pulse dialing still had the problem that sending the dialed number to the remote exchange would not work due to the capacitance of the network. The tandems solved this by buffering the phone number and then converting each digit into a series of two tones, the
multi-frequency signaling In telephony, multi-frequency signaling (MF) is a type of signaling that was introduced by the Bell System after World War II. It uses a combination of audible tones for address ( telephone number) transport and supervision signaling on trunk li ...
system, or "MF". Once the local tandem had found a free line and connected to it, it then relayed the rest of the phone number over the line using the tone dialing method. The remote tandem then decoded the tones and turned them back into pulses on the local exchange. To indicate the start and end of a series of MF digits, special MF tones, KP and ST, were used. When the call was complete and one of the parties hung up the phone, that exchange would notice the change in voltage and begin playing the 2600 Hz tone into the trunk line. The other end of the connection would hear the tone and cause their local call to hang up as well, and then began playing the tone into their end as well to mark the line free on both ends.


Blue boxing

The blue box consisted of a set of audio oscillators, a
telephone keypad A telephone keypad is a keypad installed on a push-button telephone or similar telecommunication device for dialing a telephone number. It was standardized when the dual-tone multi-frequency signaling (DTMF) system was developed in the Bell Syst ...
, an audio amplifier and
speaker Speaker may refer to: Society and politics * Speaker (politics), the presiding officer in a legislative assembly * Public speaker, one who gives a speech or lecture * A person producing speech: the producer of a given utterance, especially: ** I ...
. The operation of a blue box was simple: First, the user placed a
long-distance telephone call In telecommunications, a long-distance call (U.S.) or trunk call (also known as a toll call in the U.K. ) is a telephone call made to a location outside a defined local calling area. Long-distance calls are typically charged a higher billing rate ...
, often to a number that was in the target area. Usually, this initial call would be to a 1-800 number or some other non-supervising telephone number like
directory assistance In telecommunications, directory assistance or directory inquiries is a phone service used to find out a specific telephone number and/or address of a residence, business, or government entity. Technology Directory assistance systems incorporate ...
. Using a toll-free number ensured that the phone being used for access would not be billed. When the call began to ring, the caller would hold the speaker over the microphone in the handset and use the blue box to send the 2600 Hz tone (or 2600+2400 Hz on many international trunks followed by a 2400 Hz tone). Hearing this tone, the remote office believes the user hung up before the call completed, and disconnects the call on their exchange. As always, it then begins playing 2600 to mark the line free. However, this does not disconnect the call locally, only physically hanging up the phone will do that. So, in this case, the user is left on a live line, one that is connected via a long-distance trunk line to a target exchange. The user now stops playing the tone. The remote exchange interprets this loss of tone to mean the exchange's tandem is attempting to place another call. It responds by dropping its tone and then playing the flash to indicate it is ready to accept routing tones. Once the far end sends the supervision flash, the user uses the blue box to send a "Key Pulse" or "KP", the tone that starts a routing digit sequence, followed by either a telephone number or one of the numerous special codes that were used internally by the telephone company, then finished with a "Start" tone, "ST". At this point, the far end of the connection would route the call the way it was told, while the user's local exchange would presume the call was still ringing at the original number.


Countermeasures

Blue boxing remained rare until the early 1970s when the required systems began to drop in cost and the concept began to be more widely known. At the time, phreakers felt there was nothing
Bell Telephone The Bell System was a system of telecommunication companies, led by the Bell Telephone Company and later by the American Telephone and Telegraph Company (AT&T), that dominated the telephone services industry in North America for over one hundre ...
could do to stop blue boxing because it would require Bell to upgrade all their hardware. For the immediate term, Bell responded with a number of blue box detection and law enforcement countermeasures. Armed with records of all long-distance calls made, kept by both mechanical switching systems and newer electronic switching systems, including calls to
toll-free telephone number A toll-free telephone number or freephone number is a telephone number that is billed for all arriving calls. For the calling party, a call to a toll-free number from a landline is free of charge. A toll-free number is identified by a dialing pre ...
s which did not appear on customer bills, telephone security employees began examining those records looking for suspicious patterns of activity. For instance, at the time, calls to long-distance information, while answered, deliberately did not return the electrical "off hook" signal indicating that they had been answered. When an information call was diverted to another number that answered, the billing equipment would log that event. Billing computers processing the logs and would generate lists of calls to information that were answered. In the early days, the lists were probably intended to detect equipment malfunctions, but the follow up investigation did lead to blue box users. After the toll free "800" service was inaugurated, the billing computers were also programmed to generate lists of lengthy calls to toll free numbers. While many of these calls were legitimate, telephone security employees would examine the lists for irregularities and follow up. In this case, filters could be installed on those lines to block the blue box. Bell also would wiretap the affected lines. In one 1975 case, the Pacific Telephone Company targeted one defendant's line with the following equipment: * A CMC 2600, a device which registers on a counter the number of times a 2600 Hz tone is detected on the line; * A tape recorder, activated automatically by the CMC 2600 to record two minutes of telephone audio after each burst of 2600 Hz activity; and * A Hekemian 51A, which replicates the functions of the CMC 2600 and also produces a paper tape print-out of outgoing calls. Ordinary calls were recorded in black ink and destination numbers called via the blue box were recorded in red ink. These actions resulted in several highly publicized trials.


Decline

The ultimate solution to the blue box vulnerability was to do what the phreakers thought impossible and upgrade the entire network. This process occurred in stages, some of which were already well underway in the early 1970s. The T1 system was developed beginning in 1957 and began to be deployed around 1962. It digitized the voice signals so that they could be more efficiently carried in high-density connections between exchanges, carrying 24 lines on a single 4-wire connection. Depending on the network layout, the user might no longer be connected directly to a tandem, but instead to a local office that forwarded the signal over a T1 to a more distant exchange that did have the tandem. Simply due to the way the system worked, the supervisory signals had to be filtered out in order for the digitization of the analog signal to work. Recall that the 2600 Hz tone was not dropped from the trunk until the line was connected all the way and would be mixed with other tones like the ringing or busy signal; when used over a T1 this tone mixed with other signals and caused a problem known as "quantization noise" that distorted the sound. These tones were thus filtered down on either side of the T1 connection. Thus it was difficult to blue box in such an environment, although successes are known. But blue boxing was eventually eliminated entirely for unrelated reasons. In the existing tandem-based network, completing a call required several stages communicating over the trunk line, even if the remote user never answered the call. As this process might take on the order of 10 to 15 seconds, the total wasted time across all of the trunk lines could be used to carry additional calls. To improve line usage, Bell began the development of the
Number One Electronic Switching System The Number One Electronic Switching System (1ESS) was the first large-scale stored program control (SPC) telephone exchange or electronic switching system in the Bell System. It was manufactured by Western Electric and first placed into servi ...
(1ESS). This system performed all the calling and line supervision using a separate private line between the two offices. Using this system, when a long-distance call was placed the trunk line was not initially used. Instead, the local office sent a message containing the called number to the remote exchange using this separate channel. The remote office would then attempt to complete the call, and indicate this to the original office using the same private line. Only if the remote user answered would the systems attempt to find a free trunk line and connect, thereby reducing the use of the trunk lines to the absolute minimum. This change also meant the signaling system was available internally to the network on this separate line. There was no connection between the user lines and this signaling line, so there was no route by which the users could influence the dialing. The same rapid reduction in prices that made the blue box possible also led to the rapid reduction in cost of the ESS systems. First applied only to their busiest connections, by the 1980s, the latest 4ESS models and similar machines from other companies were deployed to almost all major exchanges, leaving only corners of the network still connected using tandems. Blue boxing worked if one connected to such an exchange, but could only be used end-to-end if the entire network between the two endpoints consisted only of tandems, which became increasingly rare and disappeared by the late 1980s. Analog long-distance transmission systems remained more cost effective for the long haul circuits until, at least, the 1970s. Even then, there was a huge installed base of analog circuits, and it made better economic sense to keep using them. It was not until competitor Sprint built its all digital, "quiet", network, where "you could actually hear a pin drop", that AT&T took a multi-billion dollar write-off and upgraded its long-distance network to digital technology. The phreaking community that had emerged during the blue box era evolved into other endeavors and there currently exists a commercially published hacking magazine, titled '' 2600'', a reference to the 2600 Hz tone that was once central to so much of telephone hacking.


Frequencies and timings

Each multifrequency tone consists of two frequencies chosen from a set of six, shown in the table on the left. The
Touch Tone Dual-tone multi-frequency signaling (DTMF) is a telecommunication signaling system using the voice-frequency band over telephone lines between telephone equipment and other communications devices and switching centers. DTMF was first developed ...
encoding is shown by the table on the right:
The rightmost column is not present on consumer telephones.
Normally, the tone durations for passing numbers from machine to machine in a "speed dialing" format are on for 60 ms, with 60 ms of silence between digits. The 'KP' and 'KP2' tones are sent for 100 ms. KP2 (ST2 in the R1 standard) was used for dialing internal Bell System telephone numbers. However, actual tone durations can vary slightly depending on location, switch type, and the machine status. For operators, technicians, and blue box phone phreakers, the tone durations would be set by how long the buttons were held down and, for silence, how long before manually pressing the next button. A blue box could have been constructed which would send the tones with machine to machine timing, with the number either stored in digital memory or a matrix of switches. In the switch matrix, there might be 10 rows for digits, each with 5 switches. Two switches would be moved to on, selecting the 2 tones. (KP and ST would be hard wired.) The 5 switches could be labelled 0, 1, 2, 4, and 7, with the user selecting pairs of switches adding to each digit, with special case 4 plus 7 for digit 0. Alternatively, the tones could be recorded on magnetic tape, which would be cut into pieces and spliced together, using a commercial splicer for accurate alignment. If the phreaker matched machine dialing and recorded at 7.5 ips (inches per second), the splices for tone and silence would be about 1/2-inch long., with KP 3/4-inch long. For more manageable splicing lengths, the phreaker could use a 15 ips tape recorder, which was less common, and double those lengths. For those without a 15 ips machine but having 2 tape recorders, the tones could be recorded an octave low at 7.5 ips, the pieces spliced together would be were double those lengths. The spliced tape would be re-recorded from a 7.5 ips machine to a 3.75 ips machine. The resulting recording could be played back at 7.5 ips. An interval of 2600 Hz, to disconnect the trunk, followed by an interval of silence, to give enough time for a digit receiver to connect, would be added to precede KP. This set of MF tones was originally devised for Bell System long-distance operators placing calls manually, as well as machine to machine dialing, and predates the DTMF ''Touch-Tone'' system used by subscribers. The leading 1 for customer dialed long-distance calls was not dialed. For operators, the line was muted during dialing, but, for customer telephones, it was only muted while a key was pressed. The Touch Tone frequencies were chosen to minimize the risk of customer talking while dialing, or background sounds, being registered as a digit or digits and resulting in a wrong number. Muting guarded against that happening during operator dialing, so the MF system did not have to be, and was not, so robust. The tones have a simple 200 Hz spacing. For Touch Tone, harmonic relationships and intermodulation products were taken into account in the choice of tones.


Special codes

Some of the special codes a person could get onto are in the chart below. " NPA" is a telephone company term for 'area code'. Many of these appear to have been originally three-digit codes, dialed without the leading area code, and the format of destination numbers dialed to the international senders has changed at various points as the ability to call additional nations was added. * NPA+100 – Plant Test – Balance termination * NPA+101 – Plant Test – Toll Testing Board * NPA+102 – Plant Test – Milliwatt tone (1004 Hz) * NPA+103 – Plant Test – Signaling test termination * NPA+104 – Plant Test – 2-way transmission and noise test * NPA+105 – Plant Test – Automatic Transmission Measuring System * NPA+106 – Plant Test – CCSA loop transmission test * NPA+107 – Plant Test – Par meter generator * NPA+108 – Plant Test – CCSA loop echo support maintenance * NPA+109 – Plant Test – Echo canceler test line * NPA+121 – Inward Operator * NPA+131 – Operator Directory assistance * NPA+141 – Rate and Route Information * 914+151 – Overseas incoming (White Plains, NY) * 212+151 – Overseas incoming (New York, NY) * NPA+161 – trouble reporting operator (defunct) * NPA+181 – Coin Refund Operator * 914+182 – International Sender (White Plains, NY) * 212+183 – International Sender (New York, NY) * 412+184 – International Sender (Pittsburgh, PA) * 407+185 – International Sender (Orlando, FL) * 415+186 – International Sender (Oakland, CA – in this era, 510 was TWX) * 303+187 – International Sender (Denver, CO) * 212+188 – International Sender (New York, NY) Not all NPAs had all functions. As some NPAs contained multiple cities, an additional routing code was sometimes placed after the area code. For instance, 519+044+121 may reach the
Windsor Windsor may refer to: Places Australia * Windsor, New South Wales ** Municipality of Windsor, a former local government area * Windsor, Queensland, a suburb of Brisbane, Queensland **Shire of Windsor, a former local government authority around Wi ...
inward operator and 519+034+121 the
London London is the capital and List of urban areas in the United Kingdom, largest city of England and the United Kingdom, with a population of just under 9 million. It stands on the River Thames in south-east England at the head of a estuary dow ...
inward operator distant, but in the same area code.


In other countries

Another signaling system widely used on international circuits (except those terminating in North America) was CCITT Signaling System No. 4 (friendly named 'SS4'). Technical definitions are specified in formerly CCITT (now
ITU-T The ITU Telecommunication Standardization Sector (ITU-T) is one of the three sectors (divisions or units) of the International Telecommunication Union (ITU). It is responsible for coordinating standards for telecommunications and Information Comm ...
) Recommendations Q.120 to Q.139.CCITT SS4 / ITU-T Q.120–139 https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-Q.120-Q.139-198811-I!!PDF-E&type=items This was also an in-band system but, instead of using multifrequency signals for digits, it used four 35 ms pulses of tone, separated by 35 ms of silence, to represent digits in four-bit binary code, with 2400 Hz as a '0' and 2040 Hz as a '1'. The supervisory signals used the same two frequencies, but each supervisory signal started with both tones together (for 150 ms) followed, without a gap, by a long (350 ms) or short (100 ms) period of a single tone of 2400 Hz or 2040 Hz. Phreaks in Europe built System 4 blue boxes that generated these signals. Because System 4 was used only on international circuits, the use of these blue boxes was more specialized. Typically, a phreak would gain access to international dialing at low or zero cost by some other means, make a dialed call to a country that was available via direct dialing, and then use the System 4 blue box to clear down the international connection and make a call to a destination that was available only via operator service. Thus, the System 4 blue box was used primarily as a way of setting up calls to hard-to-reach operator-only destinations. A typical System 4 blue box had a keypad (for sending four-bit digit signals) plus four buttons for the four supervisory signals (clear-forward, seize-terminal, seize-transit, and transfer-to-operator). After some experimentation, nimble-fingered phreaks found that all they needed was two buttons, one for each frequency. With practice, it was possible to manually generate all the signals with sufficient timing precision, including the digit signals. This made it possible to make the blue box quite small. A refinement added to some System 4 blue boxes was an anti-acknowledgment-echo guard tone. Because the connection between the telephone and the telephone network is two-wire, but the signaling on the international circuit operates on a four-wire basis (totally separate send and receive paths), signal-acknowledgment tones (single pulses of one of the two frequencies from the far end of the circuit after receipt of each digit) tended to be reflected at the four-wire/two-wire conversion point. Although these reflected signals were relatively faint, they were sometimes loud enough for the digit-receiving circuits at the far end to treat them as the first bit of the next digit, messing up the phreak's transmitted digits. What the improved blue box did was to continuously transmit a tone of some other frequency (e.g., 600 Hz) as a guard tone whenever it was not sending a System 4 signal. This guard tone drowned out the echoed acknowledgment signals so that only the blue box-transmitted digits were heard by the digit-receiving circuits at the far end.


See also

*
Falsing In telecommunications, falsing is when a decoder assumes that it is detecting a valid input even though one is not present. This is also known as a false decode. This article will discuss analog circuits used before digital signal processing. Exam ...
*
Operation Cybersnare Operation Cybersnare was a United States Secret Service operation in 1995 targeted at hacker (computer security), computer hackers. In January 1995, the Secret Service set up an undercover bulletin board system in Bergen County, New Jersey. This ...
– Story involving blue boxing from the United States


References


Bibliography

*


External links


The SARTS technical journal





Text files about blue boxing



Fun with Dick and Jane by Lewis Gum and Edward Oxford – an article that appeared in the 1978 Bell Telephone Magazine about telephone fraud and Phone Phreaks

A site dedicated to the history of phone phreaking, with extensive information on blue boxing.

A working, publicly accessible simulation of the old telephone network that allows legal blue boxing. It also has instructions for building a basic blue box.

November 1954, Bell System Technical Journal article titled "In-Band Single-Frequency Signaling" (A. Weaver and N. A. Newell)

November 1960, Bell System Technical Journal article titled "Signaling Systems for Control of Telephone Switching" (by C. Breen and C. A. Dahlbom)
*
A commercially available test set playing tones "speed dial"
{{Phreaking Boxes Phreaking boxes