13

---------------------------------------
[Ctrl-S pauses/Space=quit]

BLUE BOXING--WHY IT WORKS
by THE RESEARCHER

The most common form of signaling between toll offices uses multifrequency
tones (MF). Multifrequency signaling uses six frequencies placed in that part
of the voice spectrum where different channels have the smallest deviation in
loss. On the Bell System the frequencies used are 700, 900, 1100, 1300, 1500,
and 1700 Hz. Digits are coded as two out of the first five of these frequencies
and are sent between start-of-digit-transmission and end-of-digit-transmission
codes. The following table shows the combinations of frequencies used in North
America and on CCITT Signaling System No. 5:

.   Signal             Frequency pair
. ------------------------------------
. KP1 (start-of-digit        1100+1700
. transmission for a
. national call)
. KP2 (start-of-digit        1300+1700
. transmimission for an
. international call from
. an intermediate (transist) exchange)
. Digits: 1                  700+900
.         2                  700+1100
.         3                  900+1100
.         4                  700+1300
.         5                  900+1300
.         6                 1100+1300
.         7                  700+1500
.         8                  900+1500
.         9                 1100+1500
.         0                 1300+1500
. ST (End of digit          1500+1700
. transmission)

The MF signals are sent over the normal voice channels and are transmitted like
speech. They may be sent either by a switchboard operator or, by automatic
equipment. The reader may possibly have heard these interoffice signals. On
some systems the operator's signaling is occasionally audible, and sometimes
the automatic signaling can be faintly heard due to crosstalk. The quiet
listener may hear a faraway flurry of faint discordant notes. The frequency
2600 Hz is transmitted continuously on all voice channels between toll offices
when the channel is free. This frequency also acts as a disconnect signal,
indicating that the voice channel should return to its unused status. When the
subscriber dials the number it reaches his local central office and possibly
toll office by dc pulsing (unless touch-tone dialing was used). The toll office
selects a free voice channel in an appropriate trunk and stops the 2600 Hz
tone. The office at the end of that trunk detects the break in the 2600 Hz
signal and is alerted to receive a toll telephone number. The number is sent in
the MF code listed above. One toll office passes the number to another until
the called central office is reached. The central office rings the called
telephone. When either party replaces his receiver the call is disconnected and
the toll offices tell each other this by transmitting the 2600 Hz tone again.
It is possible to interfere with the telephone trunking mechanism by
transmitting the 2600 Hz tone from the subscriber's telephone. An AT&T story
has it that a New York shirt manufacturer once broke his front tooth in such a
way that he transmitted a brief 2600 Hz whistle every time he said the word
"shirt" on the telephone. An Eastern Airline office in Atlanta was plagued by
telephone disconnects for seven years and then discovered that they were caused
by the shrieks of exotic birds in the hotel lobby cocktail lounge. Captain
Crunch breakfast cereal packets were once delivered with a toy whistle which
produced a pure 2600 Hz tone. A brief 2600 Hz tone received by a toll office
causes it to free the voice channel in question and place a 2600 Hz tone on the
channel to the next toll office.             A blue box call is started  by
placing a long distance call in the normal way either to a free number
(information or a valid 800 series number) or else to a close-by destination
which is cheap to call. This is the call which will appear on the CAMA tape.
Once dialing is completed, your nearby tandem (toll office) routes the call to
the tandem office at the destination, possibly through intermediate tandems
along the way. As soon as you hear ringing from the other end, you feed 2600 Hz
into your phone for one second. Your local CO is unaccustomed to getting 2600
Hz and so simply ignores it, but passes it on to the nearby tandem.   This
tandem can recognize 2600 Hz as a disconnect idle from other tandems, but is
not built to react to the signal coming from a CO. So it ignores it and passes
it on. But the next tandem, thinking you hung up, cancels the call. This leaves
you hanging, still connected to a toll line between tandems. After one second
of 2600 Hz, you remove it. The distant tandem now sees that the line is no 
longer idle, and so it connects an incoming sender. As soon as you hear the
click signifying this, you have ten seconds to dial the desired number,
preceded by KP and followed by ST. When the number answers, a signal is sent
back and the CAMA tape punched to indicate the connection time. At the end of
the call, the CAMA tape is again punched with your number, the time and the
number you originally dialed. This is the call and time for which you will be
billed (unless it is free) and the number actually reached with the Blue Box is
not recorded. Because of the widespread use of 2600 Hz detectors and ESS which
can trace in seconds, blue boxing is a high risk method of phreaking.

---------------------------------------

Enter (1-69, M=Menu, Q=Quit) :