home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
TAP YIPL
/
TAP_and_YIPL_Collection_CD.iso
/
PHREAK
/
BOXES
/
P80BOX20.ZIP
/
P80BOX.DOC
< prev
next >
Wrap
Text File
|
1994-06-03
|
36KB
|
730 lines
P80BOX Documentation by The Researcher June 3, 1994
INTRODUCTION
The signaling tones produced by a Blue Box, Red Box, Green box, Silver Box
and a standard Touch Tone pad are generated by this program with laboratory
precision. They are provided, together with this file, as historical
documentation of the golden age of hardware phone phreaking.
P80BOX programs the FM synthesizer chips on an Adlib or Sound Blaster card
to produce multiple sine wave outputs. Its predecessors were BLSTRBOX and
DACBOX which use a different method for producing sound. BLSTRBOX uses the
digital-to-analog converter on a Sound Blaster card. DACBOX uses a D to A
convertor attached to a printer port.
Information for P80BOX and this documentation came from many sources.
These are the main ones in order of proven usefulness:
1. The Whistler, most knowledgeable phone phreak of all time.
2. Bell Operating Company documents.
3. The computer underground (contacted through P-80 Systems).
4. Articles published in *TAP, Esquire and 73 Magazine.
5. University libraries.
* TAP was an underground newsletter that appeared in 1971 before the age of
the personal computer. It specialized in general anarchy and serious phone
phreaking.
Except for the Green Box and the European break signal, I have personally
tested and proven everything discussed in this file by field research conducted
in the mid 80's using less sophisticated technology than that provided by this
program. The European break signal appeared in a number of Blue Box programs
from European countries so I have provided support for it. I rely on the
reports of European programmers for belief in its validity.
QUICK START
At the dos prompt type: P80BOX <ENTER>
Or to force monochrome mode: P80BOX /M <ENTER>
The program will come up in MF mode. In this mode the Blue Box, Red Box
and Green Box keys are active. For help on accessing other modes and features,
press F1.
RUNNING P80BOX
HARDWARE REQUIREMENTS: 1. An IBM or compatible personal computer.
2. Any type of monitor. Monochrome and VGA have been
tested. Only ASCII graphics are used requiring no
graphics modes. Monitor type will be autodetected.
Monochrome mode can be forced by using the /M switch.
3. An Adlib or Sound Blaster card.
The program will come up in MF mode. MF is an abbreviation of
multifrequency. These are the Blue Box tones. DTMF tones (Touch Tones) are also
produced from this screen by enclosing the digits in square brackets "[]".
Tones supplied by the user are played by enclosing the digits in curly braces
"{}". User tones are loaded from an external file provided by the user. Use the
file TEMPLET.TBL as a guide to setting up your own user table.
The frequencies and tolerances for all the tones used are given in the
section on TECHNICAL SPECIFICATIONS.
BLUE BOX KEYS: 1, 2, 3, 4, 5, 6, 7, 8, 9, 0
E = Code 11
T = Code 12
K = KP (Key Pulses)
P = KP2
S = ST
D = 2600 Hz Disconnect
B = European Break - Appears to be used like our 2600 Hz
disconnect.
RED BOX KEYS: Q = Quarter
I = dIme
N = Nickel
GREEN BOX KEYS: R - Coin Return
O - Coin Collect
G - Ringback
DTMF KEYS: 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, *, #, A, B, C, D
SILVER BOX: These are the DTMF A-D keys as follows:
A = Flash
B = Flash Override Priority
C = Priority Communication
D = Priority Override
DELAYS: , = (comma) 1 second delay
~ = (tilde) 10 second delay
Mx = Delay x milliseconds. x is in the range of
1 - 65535. Leave a space after the last digit in
milliseconds.
W = Wait. Suspend dialing until a key is pressed.
L = Long play. The next digit is turned on and left on
until a key is pressed.
OTHER KEYS: X - Switch to manual dialing
? - .5 seconds of 480Hz. To mark tape position.
[ = Turn on DTMF interpretation
] = Turn off DTMF interpretation
{ = Turn on USER interpretation
} = Turn off USER interpretation
PLAYING DTMF TONES: Enclose the digits to play as standard Touch Tones in
square brackets. For example, to dial 555-1234, type [555-1234] and hit
<ENTER>. When the program encounters a left square bracket '[' DTMF
interpretation is turned on. It stays on for as long as the program runs until
a right square bracket ']' is encountered. This feature is handy if you are
doing an experiment that only requires DTMF tones. You can start the first dial
string with a left square bracket leaving off the right bracket or just type a
left bracket by itself and hit <ENTER>. All subsequent dial strings will be
interpreted as DTMF digits without the need for brackets. You can switch back
to Blue Box/Red Box mode at any time by entering a right square bracket
anywhere in a dial string or by itself and hitting <ENTER>. A message will
appear on the main screen when the program has been left in DTMF mode.
All you have to remember about square brackets and DTMF tones is:
[ = Turn on DTMF interpretation
] = Turn off DTMF interpretation
PLAYING USER TONES: Playing user tones works exactly like playing DTMF tones
except digits are enclosed in curly braces instead of square brackets. For
example, to dial 555-1234, type {555-1234} <ENTER>. User tones are taken from a
table of user defined frequencies contained in an external file. The name of
the file containing the user table can be added to the command line when P80BOX
is run or can be loaded later by pressing F3. Use the file TEMPLET.TBL as a
guide to setting up your own user table.
Example of loading user table from command line: P80BOX user.tbl
THE FUNCTION KEYS
Pressing F1 displays the following help screen:
──────────[FUNCTION KEYS]──────────┬──────────────[DIALING MODES]───────────────
F1 - Display this help screen │ [] - Digits enclosed in square brackets
F2 - Setup dialing speed │ are played as DTMF tones. These are
F3 - Load user table │ standard Touch-Tones.
F4 - Manual dialing (toggle) │ {} - Digits enclosed in curly brackets
F5 - Ear training (phone sounds) │ are taken from the user table of
F6 - Load dial string from disk │ frequencies. These must be loaded
F7 - Save dial string to disk │ from an external file created by the
F8 - Rotary bluebox (toggle) │ user. The filename can be entered on
F9 - Setup user key │ the command line or the file can be
F10 - Recall last dial string │ loaded by pressing F3.
──────────────[DELAYS]─────────────┤
, = (comma) 1 second delay │ When a mode is turned on, it stays on
~ = (tilde) 10 second delay │ until its corresponding right bracket is
Mx = Delay x milliseconds. │ encountered. The modes are MF, DTMF,
x is in the range of │ USER and ROTARY BLUEBOX. The default mode
1 - 65535. Leave a space │ is MF. In this mode the blue, red and
after the last digit in │ green box tones are available. Silver box
milliseconds. │ (also know as white box) tones and Touch
W = Wait. Suspend dialing │ Tones are available in DTMF mode.
until a key is pressed. │
L = Long play. The next digit ├───────────[SPECIAL PURPOSE KEYS]───────────
is turned on and left on │ X - Switch to manual dialing
until a key is pressed. │ ? - .5 seconds of 480Hz. To mark tape pos.
───────────────────────────────────┴────────────────────────────────────────────
F2 - Setup dialing speed
This lets you change the duration and interdigit interval of the MF (Blue
Box) and DTMF (Touch-Tone) digits. ST is included as an MF digit. KP1, KP2 and
2600Hz disconnect are set separately. You are given the option of making the
new settings permanent defaults for the program.
F3 - Load user table
Prompts for the name of the file containing the table of user defined
frequencies.
F4 - Manual dialing (toggle)
When manual dialing is active digits are played immediately when pressed.
F5 - Ear training (phone sounds)
This gives you a menu of call progress tones as shown below. Pressing the
key corresponding to a selection will produce the sound of that signal.
Call Progress Tones
Signal Frequencies (Hz) Cadence
1> Dial Tone 350 + 440 Continuous
2> Audible Ringing Tone 440 + 480 2 seconds on 4 seconds off
3> Busy Tone 480 + 620 .5 second on .5 second off
4> Reorder Tone(local or toll) 480 + 620 .25 second on .25 sec off
5> Reorder Tone (toll) 480 + 620 .2 second on .3 second off
6> Reorder Tone (local) 480 + 620 .3 second on .2 second off
(The reorder tone you get depends on the type of switching equipment.)
7> Special Information Tones 950,1400,1800 On in order 330 ms, off 20 ms
8> Call-Waiting Tone 440 Single 500 ms pulse
9> Low Tone 480 + 620 Varies according to use
0> High Tone 480 Varies according to use
A> Off Hook Warning (1400+2060+2450+2600) .1 sec on .1 sec off
B> Confirmation Tone (480+620) On 200ms/off100ms/on 400ms/off 500ms/dial tone
C> Operator Emerg. Interrupt 440 2 secs on
D> Recorder Warning Tone 1400 .5 second every 15 seconds
E> TSPS Coin Control Wink 2600 33ms on/33ms off/33ms on/100ms off
F> TSPS Coin Collect 700 + 1100 Wink then on 1 second
G> TSPS Coin Return 1100 + 1700 Wink then on 1 second
H> TSPS Ringback 700 + 1700 Wink then on 2 seconds
F6 - Load dial string from disk
You can set up dial strings in advance, as simple or complex as you like,
and load them into the program with this command. A dial string can contain up
to 4000 characters.
F7 - Save dial string to disk
Prompts for a filename and saves the currently active dial string to disk.
F8 - Rotary bluebox (toggle)
Single Frequency (SF) signaling.
This is really a piece of history. Phone phreaking did not start with the
Blue Box as it has come to be known. It was started by a group of blind kids
whistling off on ancient switches that used SF (Single Frequency) signaling.
This works on a principle similar to pulse dialing with an old rotary dial
phone. The on hook breaks (1 break for 1, 2 breaks for 2, etc.) produced by the
rotary dial are replaced with short bursts of 2600 Hz. The way the kids used
this was to whistle off with 2600 Hz just as was done later with the Blue Box.
They literally did this by whistling with their mouths. When they heard the
"chirp-kerchunk" indicating seizure of a trunk, they whistled the digits of the
number they wanted to call.
Early Blue Boxes were sometimes equipped with a rotary dial and a 2600 Hz
oscillator to do this kind of phreaking.
I have always been impressed by the talent of those earliest phone
phreaks. I could never get my own "whistler" up to 2600 Hz.
To get the flavor of how it all really started, check out the Rotary Blue
Box.
F9 - Setup user key
An input screen will be displayed which lets you set up a sequence of
tones which will be attached to the "+" key. The table below shows the setup to
produce the tones for a "quarter". Frequencies are entered in Hertz. Mark is
the duration of the tones. Space is the duration of the silent period after the
tones for that line are played. Mark and Space are in milliseconds. The
sequence stops when a zero is encountered in the field for Freq1 or, if the
table is full, when all the tones have been played.
To move forward through the fields press TAB or ENTER. To backup press
SHIFT TAB. To move down one field press DOWN ARROW. To move up one field press
UP ARROW.
┌────────────[ Setup User Key ]────────────┐
│ Freq1 Freq2 Freq3 Freq4 Mark Space │
│ 2200 1700 0 0 33 33 │
│ │
│ 2200 1700 0 0 33 33 │
│ │
│ 2200 1700 0 0 33 33 │
│ │
│ 2200 1700 0 0 33 33 │
│ │
│ 2200 1700 0 0 33 33 │
│ │
│ 0 0 0 0 0 0 │
│ │
│ 0 0 0 0 0 0 │
│ │
│ 0 0 0 0 0 0 │
│ │
│ 0 0 0 0 0 0 │
│ │
│ 0 0 0 0 0 0 │
│ │
│ 0 0 0 0 0 0 │
└──────────────────────────────────────────┘
F10 - Recall last dial string
The last active dial string is recalled as if it were typed in again.
DIAL STRING FORMATS FOR P80BOX
Spaces have been injected into dial strings to aid clarity. They have no
effect on their interpretation by the program. All non-dialable characters
except delay commands are ignored. See the section titled HOW BLUE BOXING WAS
DONE for more detailed instructions on placing Blue Box calls.
BLUE BOX CALL IN THE CONTINENTAL U.S.:
FORMAT: (2600 Hz for approx. 1 sec), (Delay approx. 1 second), then send
KP + Area Code + 7 digit phone number + ST
P80BOX DIAL STRING: Assuming the number to be called is (515) 555-1234
D,K 515 555 1234 S
With everything set to program defaults, this is how the above dial string
will be interpreted by the program.
D = Send 2600 Hz for 1 second
, = Delay 1 second
K = Send KP signal for 100 milliseconds
515 555 1234 = Send MF (Multifrequency) digits 70 milliseconds on with 70
ms silent period between digits.
S = Send STart signal for 70 ms
If the number you are calling is in the local dialing area for the
switching office you are controlling you would leave out the area code.
BLUE BOX CALL TO AN OVERSEAS NUMBER:
FORMAT: (2600 Hz for approx. 1 sec), (Delay approx. 1 second)
1st stage outpulsing: KP + 011 + Paired Country Code + ST
Wait about 5 seconds for the overseas dialtone
2nd stage outpulsing: KP + Country Code + City Code + Phone Number + ST
P80BOX DIAL STRING: To call 246-8091 in London, England
D,K 011044 S,,,,,,K 044 1 2468091 S
This will be executed by the program as the following sequence:
D = Send 2600 Hz for 1 second
, = Delay 1 second
K = Send KP for 100 ms
011044 = Send 011 and paired country code as MF digits (70ms on/70ms off)
S = Send ST
,,,,,, = Delay 6 seconds allowing time for international dial tone
K = Send KP
044 1 2468091 = Send MF digits
S = Send ST
MAKING A RED BOX CALL
FORMAT: The required amount of money in nickels, dimes and quarters is
inserted into a coin slot.
P80BOX DIAL STRING: To simulate $1.15
QQQQIN
The program will generate tones for 4 quarters, 1 dime, 1 nickel.
MAKING A STANDARD DTMF CALL:
FORMAT: 1+(A/C)+7 digit number or just 7 digit number for local call.
P80BOX DIAL STRING: To call 555-1234
[5551234]
The digits enclosed in square brackets will be sent as standard DTMF
tones.
TECHNICAL SPECIFICATIONS
These are the standard DTMF (Touch Tone) frequencies in two useful
formats. The Bell Operating Company frequency tolerance is ± %1.5. The Silver
Box consists of the A, B, C and D keys. The legitimate use of those keys is on
a military telephone network called Autovon, in amateur radio, and for internal
telephone company testing.
Digit Frequencies LOW
----- ------------ TONE HIGH TONE GROUP (HZ)
1 697 + 1209 GROUP
2 697 + 1336 (HZ) 1209 1336 1477 1633
3 697 + 1477
4 770 + 1209 697 1 2 3 A - Flash
5 770 + 1336 770 4 5 6 B - Flash override priority
6 770 + 1477 852 7 8 9 C - Priority communication
7 852 + 1209 941 * 0 # D - Priority override
8 852 + 1336
9 852 + 1477
0 941 + 1336
* 941 + 1209
# 941 + 1477
A 697 + 1633
B 770 + 1633
C 852 + 1633
D 941 + 1633
Multifrequency signaling tones used for control of telephone switching
(Blue Box). Bell Operating Company frequency tolerance = ± %1.5.
Digit Frequencies (Hz)
----- ----------------
1 700 + 900
2 700 + 1100
3 900 + 1100
4 700 + 1300
5 900 + 1300
6 1100 + 1300
7 700 + 1500
8 900 + 1500
9 1100 + 1500
0 1300 + 1500
-------------------------------
CODE 11 700 + 1700 Inward operator (European)
CODE 12 900 + 1700 Delayed-ticketing or suspended-
call operator (European)
KP (Key Pulses) 1100 + 1700 Start of digit transmission
for a national call.
KP2 1300 + 1700 Start of digit transmission
for an international call from
an intermediate (transit) exchange.
ST (Start) 1500 + 1700 End-of-digit transmission.
Disconnect 2600 ± 30 Hz
The Red Box frequencies are 2200 Hz + 1700 Hz. The Bell Operating Company
frequency tolerance for these is ± %1.5. Red boxing consists of simulating the
tones produced when coins are deposited in a pay phone.
5 cents - 1 beep, 66 milliseconds duration.
10 cents - 2 beeps, each 66 milliseconds duration with 66 millisecond
pause between beeps.
25 cents - 5 beeps, each 33 milliseconds duration with a 33 millisecond
pause between beeps.
The Green Box tones are used by TSPS operators.
TSPS Coin Control Wink 2600 33ms on 33ms off 33ms on 100ms off
TSPS Coin Collect 700 + 1100 Wink then on 1 second
TSPS Coin Return 1100 + 1700 Wink then on 1 second
TSPS Ringback 700 + 1700 Wink then on 2 seconds
These are the frequencies for the European Break signal which seems to be
used by European phone phreaks to start a calling sequence the way 2600 Hz is
used in the U.S. All I know about it other than the frequencies is that it
appears in European Blue Box programs and that European phones phreaks are Blue
Boxing into underground bulletin boards in the U.S. to this day.
2390 + 2600 150 milliseconds
delay 165 ms
2410 + 2390 225 ms
delay at least 600 ms
HOW BLUE BOXING WAS DONE
"Whistling off", "beeping off", and "blowing 2600 Hz" all mean the same
thing - sending a 2600 Hz tone down a phone line for approximately 1 second. A
"blowable number" means a toll free number like an 800 number or Canadian
directory assistance which when called and fed 2600 Hz results in the seizure
of a trunk in a switching office. All Blue Box calls begin with seizure of a
trunk in this way.
BLUE BOXING WITHIN THE CONTINENTAL U.S.
Boxing a call to anywhere in the Continental United States was so simple I
don't seem to have made any personal notes on the subject. When reviewing my
notes in preparation for this doc file, all I found were a few examples I had
hard coded into a computer program. In any case, this is how it was done.
Though these instructions are given in the present tense, they are spoken from
a viewpoint in the mid 80's.
1. Go to a pay phone. Never do this from home. This is the most important
step in this procedure.
2. Call a "blowable number". It is not necessary to wait for the called
number to ring. Just listen for the click or series of clicks
indicating call completion. If it rings, fine, but Blue Boxing is a
class act and beeping off before the called number rings is classier
and more fabian than waiting until after.
3. Send 2600 Hz for approximately 1 second.
4. Listen for the "chirp-kerchunk" indicating a trunk seizure. If you have
set up an automated procedure by means of a portable computer or a
tape recording of tones produced by a computer, provide a 1 second
delay after the 2600 Hz tone.
5. Send the MF digits in this format: KP+(Area Code)+(7 digit number)+ST.
The timing of the MF digits is not super critical but if you can
control it precisely, send KP for 100 ms; delay 70 ms; send the rest of
the digits including ST at 70 ms with 70 ms interdigit silence.
BLUE BOXING TO OVERSEAS DESTINATIONS
Boxing a call to an overseas number requires more knowledge than that
required for calls within the Continental U.S. To give you this knowledge, I am
including the original notes on my research and field experiments on this
subject. I could call toll free to anywhere in the world that had a telephone.
This is the information I used to do it.
===============Start of Notes on Blue Boxing to Overseas Numbers===============
Notes on Overseas Dialing
Overseas dialing is done in two stages of outpulsing. The first stage
routes to an overseas sender and uses 011, which is the international access
code for International Direct Distance Dialing (IDDD) plus the paired country
code. If the country code is two digits, the paired country code can be
derived by adding a "0" to the left of the country code. Example: The country
code for England is 44. The paired country code would be 044. First stage
outpulsing for England would then be: KP-011044-ST. If the country code
contains three digits, the paired country code cannot be derived in this way
and must be looked up. Example: The country code for Guam is 671. The paired
country code is 067. First stage outpulsing for Guam would be KP-011067-ST.
Second example: The country code for Cyprus is 357. The paired country code is
087. It is a rule that a paired country code must never be the same as any
country code.
About five seconds after the STart pulse, an international dial tone will
be heard. This will time out to a reorder in about ten seconds.
When the dial tone is heard, the system is ready to accept the second
stage of pulsing in the format: KP-country code-city code-digits-ST. At this
stage it is the country code not the paired country code which is used.
Use the paired country codes when calling inward operators.
Some toll offices are screened against 011 coming in on a long distance
trunk. In that case precede the 011 with the area code which would apply for
that toll office. Example: for a toll office in Gainsville, FL use
KP-904+011+paired CC-ST.
Another way to reach the overseas senders is to call them directly with
KP-sender number-ST. If this doesn't work add the area code of the sender.
Example: KP-904185-ST.
This is a list of international centers with their area codes.:
A/C Sender Location
--- ------ --------
914 182 White Plains, NY
212 183 New York, NY
412 184 Pittsburgh, PA
904 185 Jacksonville, FL
415 186 Sacramento, CA
303 187 Denver, CO
212 188 New York (same sender as 183)
The routing for a particular country can be found by dialing normally
(pulse or touch-tone) 011+CC+000+enough digits to add up to a total of seven
including the country code. Example: 011+44+00011. You will get a recording. At
the end of the recording, the area code of the international center will be
given. The sender used to call a particular country can vary depending on the
area of the country from which the call is originated. An international call
can sometimes be completed through the wrong sender, but this causes a print
out that will later be investigated to find out which CO it came from. To find
the correct routing when pulsing through any particular toll office use
KP+paired CC+000+ST. For example, KP-011044000-ST would give the same result as
dialing normally 011-44-00011 if you were dialing it in the area where the toll
office is located.
The first digit of a country code is the world region in which that
country is located. The world regions are: 1--North America, 2--Africa, 3 and
4--Europe, 5--South and Central America, 6--South Pacific, 7--Union of Soviet
Socialist Republics (U.S.S.R.), 8--Far East, 9--Middle East and South-East
Asia.
Note 1. KP2 is not used in first or second stage outpulsing when calling any
country in the IDDD network.
Note 2. Public telephones are interfaced to TSPS (Traffic Service Position
System). If you call an 800 number and whistle off using 2600 Hz, the distant
toll office sends a wink back signal (a short on-hook) indicating it is ready
to receive pulsing. TSPS responds to this wink back by printing out the
original number called, the number called from, and the number MFed after the
wink back. This print out goes to the billing and security departments.
General Notes on Overseas Senders and Routing Codes
(June 1984)
From Canadian Directory Assistance (514) call Montreal sender with KP 188
ST. Using this sender these countries can be called:
England (Satellite)
Australia (Satellite)
Egypt (Cable only)
Philippines (Satellite)
Could not reach Thailand or Japan from this sender. Canadians cannot
direct dial these countries. They have to go through an overseas operator in
Vancouver.
Guam can be reached by satellite by beeping off 514 directory assistance
and calling the sender in Jacksonville with KP 904185 ST.
The following senders could be reached through a PBX extender in Orlando,
Florida. After getting an outside line through the extender any number can be
called. After a series of clicks, blow 2600 Hz. This will give control of a
tandem in the Orlando area.
A/C Sender Location
--- ------ --------
914 182 White Plains
212 183 New York
412 184 Pittsburgh
904 185 Jacksonville
303 187 Denver
These senders could not be reached by this method:
415 186 Oakland
514 188 Montreal
European countries can be reached by beeping off an 800 number and keying
KP 011 Derived CC ST. This will automatically connect you to the right sender
for that country code and will give you an overseas dial-tone for ten seconds.
For example to call the weather recording in England, the routing would be KP
011044 ST then KP 044 1 246 8091 ST.
PAIRED COUNTRY CODES
This is a list of paired country codes for use in first stage outpulsing
on overseas calls. For two digit country codes simply add a zero. Example:
The country code for England is 44. The paired country code is 044. Paired
country codes that cannot be derived by this simple method are listed
below.
Country Country Code Paired Code
------- ------------ -----------
Algeria 213 013
American Samoa 684 284
Bahrain 973 073
Belize 501 111
Bolivia 591 991
Brune 773 180
Cameroon 237 077
Costa Rica 506 806
Cyprus 357 087
Ecuador 593 293
El Salvador 503 003
Ethiopia 251 059
Fiji 679 879
Finland 358 088
French Antilles 596 896
French Polynesia (Tahiti) 689 289
Gabon 241 025
Gibraltar 350 050
Guam 671 067
Guatemala 502 022
Guyana 592 892
Haiti 509 887
Honduras 504 884
Hong Kong 852 692
Iceland 354 854
Iraq 964 294
Ireland 353 083
Israel 972 072
Ivory Coast 225 285
Jordan 962 282
Kenya 254 074
Kuwait 965 015
Lesotho 266 186
Liberia 231 851
Libya 218 018
Luxembourg 352 292
Malawi 265 096
Marisat Atlantic 871 101
Marisat Pacific 872 102
Marisat Indian Ocean 873 103
Morocco 212 012
Namibia 264 194
Netherlands Antilles 599 099
New Caledonia 687 287
Nicaragua 505 975
Nigeria 234 014
Oman 968 068
Panama 507 247
Papua New Quinea 675 875
Paraguay 595 295
Portugal 351 281
Qatar 974 174
Saipan 670 071
Saudi Arabia 966 990
Senegal 221 021
St. Pierre/Miguelon 508 104
Suriname 597 097
Swaziland 268 168
Taiwan 886 006
Tanzania 255 075
Tunisia 216 016
Uganda 256 876
United Arab Emirates 971 291
Uruguay 598 288
USSR 7 007
Yemen Arab Republic 967 297
Zambia 260 008
Zimbabwe (Rhodesia) 263 283
Notes: The Marisat codes are used when calling ships directly. Single stage
outpulsing is used for calls to Mexico in this format: KP-180-City
Code-digits-ST. To call an inward operator in Mexico use KP-190-City
Code-09-ST. For directory assistance use KP-190-City Code-01-ST.
================End of Notes on Blue Boxing to Overseas Numbers================
SILVER BOXING (a.k.a. WHITE BOXING)
I didn't experiment much with this and took no notes on it. I checked it
out once or twice with a young phreak who lived in the midwest. The way it
worked was two phone phreaks in different parts of the country would call
directory assistance in an area that was still on the old 4A switch.
Immediately after dialing the last digit you would hold down the 'D' key on the
silver box. Instead of getting a directory assistance operator you would hear a
pulsing dial tone. Then one caller would send a Touch Tone 6 and the other
would send a Touch Tone 7. The two would then be connected to each other
through a test loop where they could talk indefinitely toll free.
RED BOXING
Red Boxing is a method of making free calls by simulating the tones
produced by dropping coins into a payphone. The specs for these tones are given
above under TECHNICAL SPECIFICATIONS. I experimented intensively with this for
about three weeks. My main method for producing the tones was to make a
cassette recording of an endless string of quarter tones and then play them
into a payphone receiver as needed.
I have the uncertain honor of having invented Red Boxing with whistles.
The whistles were made from aluminum tubing available in hobby shops. They were
1/4 inch in diameter by 4 inches long and were tuned by means of a wooden dowel
rod which fit snugly inside. I tuned one to 2200 Hz and another to 1700 Hz by
adjusting the dowel rod in and out while listening for a zero beat against a
known signal source (a computer). I taped the two whistles together snugly with
masking tape. After very little practice, I found that I could whistle nickels,
dimes and quarters that were accepted by a payphone.
I made a set of these whistles for my Silver Boxing friend, mentioned
above, and mailed them to him. He used them every day for a week to call me up
and demonstrate this new technique for "blowing" money.
