TUCoPS :: Phreaking General Information :: rules.txt

Rules of Phreaking plus several dozen k of interesting stuff from 1986



                   THE IC'S RULES OF PHREAKING


 These are the standards of hacking employed by the Inner Core.
 The text comes from a data file written by and for IC members.

                      HACK YOUR OWN CODES. 

Don't leech from someone else. Having codes is like having sex,
if you don't protect yourself you'll end up with a venereal
disease. You have no idea where a code has been before you got
your hands on it, when it was hacked or how long it's been in
circulation. Time is a very important factor, the longer a code
has been in use, the greater the risk.

           DON'T STAY ON A CODE MORE THAN THREE DAYS. 

 Don't give the suckers an even break. To run a trace, MCI needs 
to shuffle a lot  of papers. Ain't that nice. Paper work takes 
time, and it's highly unlikely they could accomplish the feat in 
three days. It's even more unlikely  they would even know  
they've been phreaked for at least a week. All company's have 
thirty day billing cycles, if you started using the code the day 
after the bills went out, you'd have twenty nine days left to 
play with it. The customer gets his billing and bitches up a
 storm. The company now has the option of setting up a trap, but
 alas, they notice  you haven't used the code in three weeks and
 have no destination number to PIN. If you phreaked the code one
 day before the billing cycle ends, the customer may notice
 right away. Figure you have two days for it to reach the
 customer. If he yells right away it takes a few more days for
 the security department to process the paperwork for the trace.
 By that time you're long gone.

           DON'T STAY ON A NODE MORE THAN THREE DAYS.

 If you insist on burning the same company, you're going to
 develop a pattern. You call your girl friend in Alaska every
 damned day using the same company. It doesn't take a genius to
 predict what you're going to do tomorrow. They know where you
 enter their system and where you're going to. You've given them
 everything they need to run a good trace. Spread the wealth a
 little. Use US Telecom, then ITT, Lexitel, Skyline, Metro and a
 few of the 800's if you like. Spread it out. These people have
 no way of comparing. So you can screw Peter, Paul and the rest
 of the Apostles with no worry. Just don't be a dip stick and get
 lazy.

 Everyone is worried about THE TRACE. Don't be. It's no big deal
 for AT&T, after all it is their network, but for the leech
 services it's an entirely different matter. This is why we don't
 mess around with AT&T except through secondary accesses like
 PBX's or Diverters. This is the scenario MCI's security
 department will run down.  They call up a number you've
 called.......

"Hello, this is Inspector Bullshit with MCI. Did you receive a
 phone call from the 212 area code on November 22, 1945 at 4:00
 A. M.? "

"You didn't?"

"We've traced fourteen calls to this number in the last
 two weeks, by the way, who am I speaking with?" 

"Well Mrs. Blabbermouth, perhaps someone else in your household 
 received the calls? "

"I see, your daughter has a boyfriend in New York.

"I'm afraid  he's in some serious trouble Mrs. B. If
 you'll cooperate with me we won't pursue this matter with your
 daughter."

"That's correct, little Susie Blabbermouth won't be involved. It 
 would be a shame to cause you folks trouble, after all she
 didn't actually make the calls.""

 All I need is the boy's name and phone number."

"Let me see if I have that right."Jimmy Phreaker at  
 212-555-1212?"

"Thank you Mrs. B you've been very helpful."

 The point is, if  Bullshit had really run traces he wouldn't be
 calling to con the information. The exchange is typical of those
 used by most phone companys and illustrate several important
 issues.

 Make sure the person you're calling is cool and there's no
 chance  someone else could rat on you. It is very unlikely MCI
 will make such a call if you use the IC's Rules of Phreaking.
 Yet, if it were to occur these are your friend's options...

 1. HANGUP
 2. "FUCK YOU"...THEN HANG UP
 3. "I WAS WATCHING MIAMI VICE AND YOU INTERRUPT ME WITH
    THIS CRAP. FUCK YOU"....HANG UP.
 4. If you want to be nice about it; "I don't know what you're   
    talking about.....HANG UP.

 The problem is now resolved. Remember these guys are like
 rabid dogs in heat, they're excellent con artists. Believe
 nothing you hear. You don't have to talk to them. If they had
 anything on you they'd be standing at your door with a search
 warrant. Their abilities in this area are very restricted. They
 operate by manipulating your fear and you have nothing to fear
 but your own fear. Don't try to come up with some lame
 explanation, you know you received the call and they know it. So
 don't make an ass out of yourself trying to explain away the
 obvious - HANG UP!

 What happens if your are caught? 
 
 Congratulate yourself on being an asshole. The number of phreaks 
 caught are so small you have now qualified for membership  in a
 really elite group of jerks.
 
 Inspector Bullshit now has several options. 

 Grab your computer......... this will be done no matter what.

 Grab your data files and any hard copy you have laying around.
 This to help identify other subversives and also to supply
 incriminating information about you. 

 Try to scare you into a confession. Standard operating procedure
 - keep your fucking mouth shut. You have nothing to gain by 
 talking and a much to lose.

 If you're a minor you can forget about jail time, an adult
 is looking at a couple of weeks in the slam - may-be.

 Realize this, they don't really want your ass as much as they 
 want THE MONEY. That's right boys and girls the buck talks loud 
 and clear.
 
 If you're caught, you've broken every one of the IC's
 rules. At worst you're looking at a couple of thousand in phone
 bills. Get a lawyer to do your talking for you, that'll be about
 a five hundred dollar retainer. If the company is willing to
 settle for the money, and your computer, pay it - it's cheaper
 in the long run. If they want you in the calaboose then fight
 it. As a first time offender the odds of you actually getting
 time are slim. Incidentally, Inspector Bullshit will drop a
 little extra on the bill for good measure. Have the attorney
 demand they produce their records of all "alleged phone
 conversations". 

 In fighting a phreaking case you'll want to have a jury trial. 
 The technology behind the running of a trace is so
 complicated even a halfassed lawyer could confuse the
 average layman. He can make Inspector Bullshit describe
 switching down to atomic subparticles if he wants and by the
 time he gets to how a trace works the jury would be so confused
 you'd skate on a "reasonable doubt". It would be
 interesting to see if a sharp shark could subpoena the actual
 equipment used to run the trace. I don't think MCI would
 care to have one of their computers offline for the time it
 would take to have "independent" examiners checking out the
 functionality of the switching mechanisms. 
 
 To phreak or not to phreak. It's a question only you can answer 
 for yourself.


The following are electronic BBS conversations at a Hacker
Bulletin Board. They have been left intact (misspellings too)with
the exception of codes and phone numbers which could conceiveably
get my ass in hot water.

The Hacker network of communication is loosely knit but extremely
effective in getting information circulated quickly.

Lady G (Lady Godiva) is the only female I've ever seen on a hack
board. Amazingly she conned her way inside, yet turned out not to
be a threat to hackers even though she is employed by government.
 
Numb. -->  72 
Title -->  JUST A LITTLE CODE 
From  -->  BIG BYTE 
Left  -->  19-Apr-86 2:30 am 
 
While not to much to say just heres a sprint 
(Code Deleted) 
 
Also Bill the Cat do you know some people down in Florida like
Blackbeard or  been on some off my Conferences?? Let me know. 
 
    
.s 
opps 
/s 
shit 
 
 
B17> 
 
--> Next bulletin 
 
Numb. -->  73 
Title -->  Fed trap 
From  -->  BIG BYTE 
Left  -->  19-Apr-86 3:05 am 
 
Where i live here in Green Bay Wi, they are busting our town for
illegal use  of the phone.  The number they are getting kids
(leeches on) is 1-800-437-7010 it is GCI of Ancrage <-spelled
wrong Alaska and so far they have busted 400 people from one
school and have questioned 1500 its like a bad dream oh  
who cares not me. Just be careful and dont use it unless you fell
lucky. All the codes used are in the 467xxxxx area so may be
other areas are safe. 
                      later  
                       bb 
 
 
B17> 
 
--> Next bulletin 
 
Numb. -->  74 
Title -->  Bobo.. 
From  -->  THE ARABIAN KNIGHT 
Left  -->  19-Apr-86 11:10 am 
 
Bobo, 
 
     Leave me mail.  Id like to get a 
sprint Code(New).  I got a new Pbx, 
maybe old.  but it works fine..  
 
                  Ak 
 
Bobo- Why are you so worried About  
Lady G?  Does she know alot about you 
or something? 
 
 
 
B17> 
 
--> Next bulletin 
 
Numb. -->  75 
Title -->  [ Lady G. ] ? 
From  -->  THE D MEN TOR 
Left  -->  19-Apr-86 1:23 pm 
 
I can run CNA's in 415, Give me e-mail and I'll find out whatever
you  want to find out about her BOBO. Have you spoken with her?
How do you really know this person is over 30 etc...... 
 
later, 
The D men tor...Confused. 
 
 
B17>W 
 
Enter the name of the person you wish 
to send mail to: 
>THE D MEN TOR 
 
What is the subject of this letter? 
>Lady G 
 
Mail: 
You may enter up to 100 lines of text. 
Press CTRL-A or CTRL-Q when done. 
 
D men 
 
The numbers for Lady G are 415-(Deleted) and 
415-(Deleted).
 
She is over 30 because 
1. She's uses expressions that are 15 years out of date.
2. I recoginize this becuase I too am 15 years out of date.
 
I don't like people getting busted. She pirates  
but that's about it. I wonder why she's on so many hack boards.
Motor City went down right about the time she logged on.
I might be totally wrong, BUT, I want to check it out just to be
safe. 
You can call me Mr. Paranoia. She rattles my cage and 
it makes me nervous. 
 
Let me know what pops. 
 
Bobo 
 
 
E>S 
 
Filing mail for THE D MEN TOR... 
 
B17> 
 
B17>7 
 
--> Telecommunications Today (7)... 
--> 60 bulletins posted; some new! 
 
B7>N 
 
Numb. -->  59 
Title -->  Police Sting 
From  -->  CHARLIE SMITH 
Left  -->  19-Apr-86 6:29 am 
 
 
Here is an interesting story: 
 
AUSTIN,TX--Law enforcement officials here have joined a growing
number  of police agencies nationwide running "sting" operations
to catch persons using bulletin boards for illegal purposes. 
 
Based on information posted on a bulletin board it operated, The
Austin  Police Department said it has been able to turn off two
pirate boards  here and expects shortly to make a number of
arrests for misdemeanor  violations of Texas' newly enacted
computer crime law. 
 
For more than two years, the police department secretly ran a
board called the Underground Tunnel, which was set up to appear
as a normal  BBS run by a Sysop called "Pluto".  But late last
month - to the surprise of the board's more than 1,000 users -
Pluto was revealed as Sgt. Robert Ansley, a seven-year veteran of
the Austin Police Department! 
 
"Most of the users were people interested primarily  in several
on-line  fantasy games or in electronic messaging."  Ansley said. 
"To get to  the levels where people posted information on how to
crash corporate  sysems, the user had to ask for increased
access.  We were very careful not to solicit or entrap anyone
into leaving illegal information." 
 
The Austin Police Department disclosure caught most of the BBS's
users  by surprise.  "I liked the board's electronic messaging
capabilities,"  said user Michael Whalen, the managing editor of
the Daily Texan, the  student newspaper of the University of
Texas, here.  "I was really surprised at how the officer was able
to pull this off." 
 
What the police found, according to Ansley, included access codes 
belonging to the world's largest credit reporting organization,
TRW  Information Services Systems Division of Orange, California. 
"Most  offenders seem to be real big on TRW," said Ansley. 
 
Sting and intelligence gathering bulletin board operations are on
the  rise throughout the country, according to law enforcement
officials.  Several police departments nationwide have already
used bulletin boards  to track down and arrest microcomputer
users who post illegally obtained  calling card codes, mainframe
access procedures and passwords, or other  confidential
information.  According to one high-level West Coast law  
enforcement officer who declined to be identified, federal
officials  are now joining local authorities in running b5lletin
boards (BBSs)  in several key metropolitan areas. 
 
"You better believe law enforcement agencies are interested and
in  in some cases, running bulletin boards," said Dan Pasquale, a
sergeant with the Fremont, California, police department. Last
month, police in Fremont,  capped three and a half months of
bulletin board operations by arresting eight individuals for
alleged credit card fraud, misuse of telephone credit  
card operations, and technical trespass.  Pasquale said most
corporations whose passwords or calling card numbers were posted
on Fremont's BBS were unaware that their information had been
compromised. 

** Hackers Note Here** Pasquale actively solicited the posting of
codes, passwords, credit cards. Qualifying as entrapment. More
experienced hacks pulled out before he sprang his trap. More than
200 people were arrested coast to coast. Only one was elite and
he beat the rap. The rest were rodents.


Although police are pleased with their results, some users say
they  feel the sting bulletin boards are unfair to both the
innocent users  and the suspected criminals alike.  Whalen said
students at the University  of Texas used the board extensively,
andhe claimed that some people  accused of posting access codes
and other information on the board  felt they had been entrapped
when they discovered that the BBS was a  police sting operation. 
 
Whalen also said that some users were concerned about the privacy 
and sanctity of electronic mail left on the board.  "Ansley said
users  are foolish if they don't think a sysop reads the mail on
the board,"  he added. 
  
Indeed, as police turn increasingly to bulletin boards to catch
suspected  criminals, the issue of entrapment has also become a
growing concern,  one to which police are sensitive. 
 
"At no time did the police department urge users to leave access
codes,  applications, or passwords for corporate computers on The
Tunnel,"  Ansley said. 
 
To prove entrapment, a suspect would have to clearly show that
the  government agent offered some type of inducement to promote
criminal  activity, said Jim Harrington, the legal director of
the Texas Civil  Liberties Union here.  "The whole area of police
gaining information  on [criminal activities] by reading
electronic mail is very interesting." 
 
Fremont police held a series of meetings with a district attorney
before  they started a board, according to Pasquale. "We
established a point  where entrapment began and made sure we
never crossed that point,  and in fact, messages on the board
were scripted in conjunction with the  district attorney's
of
  
Ahem, let me hasten to point out the Gemini System is NOT a
police BBS! 
  
Charlie 
 
 
 
Numb. -->  60 
Title -->  Infocom 
From  -->  ATILLA THE HUN 
Left  -->  19-Apr-86 11:37 pm 
 
 
Well I don't know if anyone has heard this but, 
  
I have heard that Infocom will start (or may have started)
calling  AE lines to see if they contain any infocom software. 
If so they download it and check the serials, and bingo if a
pirated version then plain and simple  YOU IS BUSTED! 
  
oh well anyone else know of anything more, I picked it up under  
discussion at a bbs. 
  
   atilla the hun -<*----- 
 
 
 
 
B7>OFF
 
 
In The News

Press reports of hacker misdeeds seem to be written in flavors
which border upon awe to contempt. It depends on the publication.
Newspapers ten to permit more editorializing. Between the two
extremes there is a point of reason. I've often wondered, "If a
fifteen year old kid can break into a 'secure' government
computer, what could a fully trained enemy agent do?" It's a
reasonable question.

Virginia - A fourteen year old hacker who called himself Phineas
Phreak was the first to be prosecuted under the state's computer
trespassing law. Arrested for hacking at a Bulletin Board, he was
placed on one year's probation and ordered to pay $300.00 in
compensation to the board's operator, Allen Knapp.

Milwaukee - A hacker group who called themselves the 414's after
their area code were arrested by FBI agents and found to have
access to more than 60 computer databases. These included a
California Bank, a cancer center and the Los Alamos Scientific
Laboratory.

California - Stanley Rifkin a computer consultant for Security
Pacific Bank, stole the bank's passwords and liberated 10 million
dollars from the institution. He then erased the electronic
records of the transactions. While Rifkin was not a hacker, he
hold the distinction of being the country's number one computer
thief. His arrest was not the result of his computerized
misdeeds, but instead, his lack of expertise at being a thief.

Washington - The United States Government has become the nation's
leading user of computers. As such, they are a target of internal
thieves who have used their systems to divert funds for their own
uses. A number of arrests of computer related theft has led the
government to believe they haven't scratched the surface yet.
It's estimated that only one in 22,000 computers crimes will ever
be prosecuted.

San Diego - A computer hacker, Bill Landreth pleaded guilty to
tapping the GTE Telemail network in Vienna, Virginia. Known as
"The Cracker" he agreed to cooperate with Federal Investigators
in a larger investigation. Four teenagers from Irvine, California
were subsequently arrested and named Landreth as their source of
information on hacking. Landreth has since written a book "Out of
the Inner Circle". The four kids from Irvine don't receive
royalties.

TRW - Hackers armed with stolen passwords broke into the TRW
credit system and reviewed information on employment records,
bankruptcies, loans, social security numbers and credit cards.
The password was stolen from a Sears and Roebuck and was
reportedly in circulation for the better part of a year. The
credit card numbers, expiration dates and credit limits of card
holders were used to make fraudulent purchases. TRW changed the
password.

Atlanta - Edward Johnson took exception to Jerry Falwell's fund
raising activities. His mother had a thing for T.V. preachers and
often gave money to Falwell's Liberty Foundation. Mr. Falwell's
collectors were oblivious to the fact the elderly lady lived on
social security and couldn't afford the donations. On a previous
occasion she had attempted to give the family farm to Jimmy
Swaggart. Johnson adjusted his phreaker program into a phone
cranker  to auto dial Falwell's 800 and tie up the line for 30
seconds a call. Falwell's people reported they lost one million
in donations from the activity. Southern Bell finally trace the
calls and gave Johnson two choices, stop or lose his phone line -
he stopped. After all, it was "God's will".

Washington - Representative William Hughes from New Jersey has
introduced a bill to make computer theft of data and certain
"kinds of hacking activities" federal felonies.

New Jersey - Seven teenagers were arrested on charges of credit
card fraud, phreaking and hacking. An investigation into credit
card purchases led local police to the operator of a hacker bbs.
Armed with a search warrant the police seized his computer and
all related data. Inspection of same led to the arrests of the
other six. Now known in hack circles as the New Jersey Seven,
they reportedly had the ability to change the attitude of a
government satellite. The Inner Core reports they consider it
unlikely the kids knew they had the capability.

In my research, I've noted government and business to be at
greater risk from their own employees than from hackers. Credit
card fraud is the leading hacker crime. The pales beside the
reported cases of computer theft from internal sources. The
Rifkin case is the most noted. However, thousand of unreported
thefts occur every year.
                  MAKING MONEY WITH YOUR CODES


Ok, phreaking will save you money, that's fine. Wouldn't you
rather make some bucks off these jokers? No biggy. You sell your
codes. Is it illegal? You bet, but your the adverturesome type
with avarice in your heart...this is how it works.

Abdul wants to call the Middle East so he can talk with his
camel. No problem. Call the international operator and ask how
much it costs for an hour to Jordon. Charge the raghead fifty
percent of the cost for hooking him up and let him talk as long
as he likes. MCI and Sprint both access the Middle East so you're
in business. Foreigners are good to deal with. They're extremely
paranoid anyway so tell them you have to make the calls from a
phone booth. This isn't true BUT, you're covering your own ass.


There are a variety of good reasons why a phone booth is called a
fortress, this is one. DO NOT SELL THE CODES. Abdul knows nothing
about phreaking. The dumbshit will stay on the code too long and
will end up getting his ass traced. The telcos don't give two
shits about this guy. THEY WANT YOU!. You're the guy costing them
the big bucks. Abdul will make a deal and your tit will be in the
ringer. So keep control of the codes. If you want to be a nice
guy and hand out codes to your phriends fine. Just be sure they
don't have big mouths and that they know the IC's Rules of
Phreaking. You'll find a list of the countrys  MCI and Sprint
access in the appendix. You'll also notice  there are a lot of
places that they don't go. India for one. The only way to book
passage to India is on AT&T. You'll need to bag a PBX or a
Diverter for that action.

                          Equal Access 
 
What does equal access mean to you? Not much. Access was the 
issue that permitted Mci to break up At&t. The result was the 
sudden emergence of the companies you'll find listed in this 
chapter. At&t still retains an 85%+ share of the 
telecommunications market. The rest of the business enterprises 
are basically parasites attempting to feed off of Ma Bell's 
network. 
 
Equal Access means you get to pay 2 to 5 dollars a month for 
"access" to the long distance network, whether you want it or 
not. It means your local telco can go begging to the Public 
Utilities commissions claiming the need for rate increases in the

wake of the break up. Pacfic Tel was hurt so much they posted 
sales recently of one billion dollars. I first in the company's 
history. 
 
There is one small advantage to equal access. Ustel (950-1033)
customers can crossover to the Sprint Network (950-0777) and make
international calls. By appending the equal access code to the
customer code the call will be cross connected.

In short, equal access means this..."Bend over and smile 
America". If you thought you were getting screwed before, well 
you ain't seen nothing yet. 
 
 
                       Equal Access Codes







10824 ATC Directline

10482 Access America

10939 Access Long Distance

10282 Action Telecom

10444 Allnet

      Americall

10002 Americall LDC Inc.

10053 American Network

10366 American Telco

10050 American Telephone Exchange

10080 Amtel

      Amertel

10824 

      ATC Communications

10287 ATS Communications

10272 Bell of Pa

10606 Biz-Tel

10300 Call America

10221 Capitol Telecommunications Inc.

10987 Clay Desta Communications

10266 Com Systems

10885 Communigroup of Kansas City

10733 Comp-Data Communications

      Compute a Call

      Comtel of Pine Bluff

10203 Cytel10233 Delta Communications

10339 Dial USA

      Directline

      Discount Long Distance

      EO Tech10054 Eastern Telephone Systems

10634 Econo Line of Midland

      Econo-line of Waco

10256 Execuline

10393 Execulines of Florida

      Garden State Telco

10235 Inteleplex

10884 ITI

10488 Itt

10535 LDL - Long Distance for Less

10084 LDS

      LDX

      LTS

10066 Lexitel

10852 Line One

10036 Long Distance Savers

10537 Long Distance Service of Washington

      Long Distance Telephone Savers

      Max Long Distance

10222 Mci

10021 Mercury Long Distance

10622 Metro America Communications

      National Telecommunications of Austin

      Network I/Metromedia

10855 Network Plus

10638 Northwest Telecom Ltd.

10785 Olympia Telecom

10808 Phone America of Colorado

10936 R - Comm

10211 RCI

10787 STS/Star Tel

10800 Satelco

10888 Skyline

10087 Southernnet

10321 Southland Systems

10777 Sprint

10889 St. Joseph10787 STS/Star Tel

10007 TMC of Arkansas

10021 TMC of Chattanooga

10007 TMC of El Paso

10007 TMC of Miami

10007 TMC of S.E. Florida

      TMI of Oklahoma

10826 Tel AMCO

      Tel-Central Inc of Oklahoma

10330 Tel-Share

10626 Tel/man

10007 Telemarketing Communications

10899 Telephone Express

10331 Texustel

10850 Tollkall

10824 Transcall

10333 US Telecom

10859 Valu-Line of Longview

      Valu-Line of Wichita Falls

10687 WTS Communicatons

10085 Westel

10220 Western Union

10995 Wylon  

                     ESS

The following is a file taken from a Hack Board. I think it is
intellegently written and accurate. 


           +====================================+
           +  ELECTRONIC SWITCHING SERVICE V1.  +
           +  EXERT FROM 2600 MAGAZINE FEB '84  +
           +FROM THE RADIO STATION: 718-xxx-xxxx+
           +====================================+

            THERE WAS OF COURSE NO WAY OF KNOWING
          WETHER YOU WERE BEING WATCHED AT ANY
          GIVEN MOMENT.  HOW OFTEN, OR ON WHAT
          SYSTEM, THE THOUGHT POLICE PLUGGED IN ON
          ANY INDIVIDUAL WIRE WAS GUESSWORK.  IT 
          WAS EVEN CONCEIVABLE THAT THEY WATCHED
          EVERYBODY ALL THE TIME.  BUT AT ANY RAT
          E THEY COULD PLUG IN YOUR WIRE WHENEVER
          THEY WANTED TO.  YOU HAD TO LIVE--DID L
          IVE, FROM HABIT THAT BECAME INSTICT--IN
          THE ASSUMPTION THAT EVERY SOUND YOU MAD
          E WAS OVERHEARD, AND, EXCEPT IN
          DARKNESS, EVERY MOVEMENT SCRUTINIZED.
                                       
          'FROM NINETEEN EIGHTY-FOUR'

            ESS IS THE BIG BROTHER OF THE BELL
          FAMILY.  ITS VERY NAME STRIKES FEAR AND
          APPREHENSION INTO THE HEARTS OF MOST
          PHREAKERS, AND FOR A VERY GOOD REASON.
          ESS (ELECTRONIC SWITCHING SYSTEM) KNOWS
          THE FULL STORY ON EVERY TELEPHONE
          HOOKED INTO IT.  WHILE IT MAY BE PARANO
          ID TO SAY THAT ALL PHREAKING WILL COME
          TO A SCREECHING HALT UNDER ESS, IT'S
          CERTAINLY REALISTIC TO ADMIT THAT ANY
          PHREAK WHOSE CENTRAL OFFICE TURNS TO
          ESS WILL HAVE TO BA A LOT MORE CAREFUL.
          HERE'S WHY.

            WITH ELECTRONIC SWITCHING, EVERY
          SINGLE DIGIT DIALED IS RECORDED.  THIS
          IS USEFUL NOT ONLY FOR NAILING PHREAKS
          BUT FOR SETTLING BILLING DISPUTES.  IN
          THE PAST, THERE HAS BEEN NO EASY WAY
          FOR THE PHONE COMPANY TO SHOW YOU WHAT
          NUMBERS YOU DIALED LOCALLY.  IF YOU
          PROTESTED LONG ENOUGH AND LOUD ENOUGH,
          THEY MIGHT HAVE PUT A PEN REGISTER ON
          YOUR LINE TO RECORD EVERYTHING AND
          PROVE IT TO YOU.  UNDER ESS, THE ACTUAL
          PRINTOUT (WHICH WILL BE DUG OUT OF A
          VAULT SOMEWHERE IF NEEDED) SHOWS EVERY
          LAST DIGIT DIALED. 
          EVERY 800 CALL, EVERY CALL TO DIRECTORY
          ASSISTANCE, REPAIR SERVICE, THE
          OPERATOR, EVERY RENDITION OF THE 1812
          OVERTURE, EVERYTHING!  HERE IS AN
          EXAMPLE OF A TYPICAL PRINTOUT, WHICH
          SHOWS TIME OF CONNECT, LENGTH OF
          CONNECT, AND NUMBER CALLED.
     
          DATE  TIME  LENGTH UNITS  NUMBER
          
          0603  1518     3   1      456-7890
          0603  1525     5   3      345-6789
          0603  1602     1   0      000-4011
          0603  1603     1   0      800-555-1212
          0603  1603     10  2.35*  212-345-6789
          0603  1624     1   0      000-000-0000
          (TSPS)

            A THOUSAND CALLS TO "800" WILL SHOW
          UP AS JUST THAT--A THOUSAND CALLS TO
          "800"!  EVERY TOUCH TONE OR PULSE IS
          KEPT TRACK OF AND FOR MOST PHREAKS,
          THIS IN ITSELF WON'T BE VERY PRETTY.
          
            SOMEWHERE IN THE HALLOWED HALLS OF 19
          5 BROADWAY, A TRAFFIC ENGINEER DID AN
          EXHAUSTIVE STUDY OF ALL 800 CALLS OVER
          THE PAST FEW YEARS, AND REACHED THE
          FOLLOWING CONCLUSIONS:  (1) LEGITIMATE
          CALLS TO 800 NUMBERS LAST AN AVERAGE OF
          3 MINUTES OR LESS.  OF THE ILLEGAL (I.E
          PHREAKERS) CALLS MADE VIA 800 LINES,
          MORE THAN 80% LASTED 5 MINUTES/LONGER;
          (2) THE AVERAGE RESIDENTIAL TELEPHONE
          SUBSCRIBER MAKES FIVE SUCH CALLS TO AN
          800 NUMBER PER MONTH.  WHENEVER
          PHREAKERS ARE BEING WATCHED, THAT
          NUMBER WAS SIGNIFICANTLY HIGHER.  AS A
          RESULT OF THIS STUDY, ONE FEATURE OF
          ESS IS A DAILY LOG CALLED THE "800
          EXCEPTIONAL CALLING REPORT."

           UNDER ESS, ONE SIMPLY DOES NOT PLACE
          A 2600 HZ TONE ON THE LINE, UNLESS OF
          COURSE, THEY WANT A TELCO SECURITY
          REPRESENTATIVE AND A POLICEMAN AT THEIR
          DOORWITHIN AN HOUR!  THE NEW GENERICS
          OF ESS (THE #5) NOW IN PRODUCTION, WITH
          AN OPERATING PROTOTYPE IN GDNZFA, nILL,
          ALLOW THE SYSTEM TO SILENTLY DETECT ALL
          "FOREIGN" TONES NOT AVALABLE ON THE
          CUSTOMER'S PHONE.  YOU HAVE EXACTLY 12
          BUTTONS ON YOUR TOUCH-TONE (R) PHONE.
          ESS KNOWS WHAT THEY ARE, AND YOU HAD
          BEST NOT SOUND ANY OTHER TONES ON THE
          LINE, SINCE THE NEW #5 IS PROGRAMMED
          TO SILENTLY NOTIFY A HUMAN BEING IN THE
          CENTRAL OFFICE, WHILE CONTINUING WITH
          YOUR CALL AS THOUGH NOTHING WERE WRONG!
            SOMEONE WILL JUST PUNCH A FEW KEYS ON
          THEIR TERMINAL, AND THE WHOLE SORDID
          STORY WILL BE RIGHT IN FRONT OF THEM, &
          PRINTED OUT FOR ACTION BY THE SECURITY
          REPRESENTATIVES AS NEEDED.
          
            TRACING OF CALLS FOR WHATEVER REASON 
          (ABUSIVE CALLS, FRAUD CALLS, ETC.) IS
          DONE BY MERELY ASKING THE COMPUTER
          RIGHT FROM A TERMINAL IN THE SECURITY
          DEPARTMENT.  WITH ESS, EVERYTHING IS RI
          GHT UP FRONT, NOTHING HIDDEN OR
          CONCEALED IN ELECTROMECHANICAL FRAMES, 
          ETC.  IT'S MERELY A SOFTWARE PROGRAM!
          AND A PROGRAM DESIGNED FOR EASE IN
          OPERATION BY THE PHONE COMPANY.  CALL
          TRACING HAS BECOME VERY SOPHISTICATED A
          ND IMMEDIATE.  THERE'S NO MORE RUNNING
          IN THE FRAMES AND LOOKING FOR LONG PERI
          ODS OF TIME.  ROM CHIPS IN COMPUTERS
          WORK FAST, AND THAT IS WHAT ESS IS ALL
          ABOUT.

            PHONE PHREAKS ARE NOT THE ONLY REASON
          FOR ESS, BUT IT WAS ONE VERY IMPORTANT
          ONE.  THE FIRST AND FOREMOST REASON FOR
          ESS IS TO PROVIDE THE PHONE COMPANY
          WITH BETTER CONTROL ON BILLING AND
          EQUIPMENT RECORDS, FASTER HANDLING OF
          CALLS (I.E. LESS EQUIPMENT TIED UP IN
          THE OFF ICE AT ANY ONE TIME), & TO HELP
          AGENCIES SUCH AS THE FBI KEEP BETTER
          ACCOUNT OF WHO WAS CALLING WHO FROM
          WHERE,ETC.  WHEN THE FBI FINDS OUT THAT
          SOMEONE WHOSE CALLS THEY WANT TO TRACE
          IS ON A ESS EXCHANGE, THEY ARE THRILLED
          BECAUSE IT'S SO MUCH EASIER FOR THEM
          THEN.

            THE UNITED STATES WON'T BE 100% ESS
          UNTIL SOMETIME IN THE MID 1990'S.  BUT
          IN REAL PRACTICE, ALL PHONE OFFICES IN
          ALMOST EVERY CITY ARE GETTING SOME OF   
          THE MOST BASIC MODIFICATIONS BROUGHT    
          ABOUT BY ESS.  "911" SERVICE IS AN ESS
          FUNCTION.  SO IS ANI (AUTOMATIC NUMBER 
          IDENTIFICATION) ON LONG DISTANCE CALLS. 
          "DIAL TONE FIRST" PAY PHONES ARE ALSO
          AN ESS FUNCTION.  NONE OF THESE THINGS
          WERE AVAILABLE PRIOR TO ESS. THE AMOUNT
          OF PURE FRAUD CALLING VIA BOGUS CREDIT
          CARD, THIRD NUMBER BILLING, ETC. ON
          BELL'S LINES LED TO THE DECISION TO
          RAPIDLY INSTALL THE ANI, FOR EXAMPLE,
          EVEN IF THE REST OF THE ESS WAS SEVERAL
          YEARS AWAY IN SOME CASES.

            DEPENDING ON HOW YOU CHOOSE TO LOOK
          AT THE WHOLE CONCEPT OF ESS, IT CAN BE
          EITHER ONE OF THE MOST ADVANTAGEOUS
          INNOVATIONS OF ALL TIME OR ONE OF THE
          SCARIEST.  THE SYSTEM IS GOOD FOR
          CONSUMERS IN THAT IT CAN TAKE A LOT OF
          ACTIVITY AND DO LOTS OF THINGS THAT OLD
          ER SYSTEMS COULD NEVER DO.  FEATURES
          SUCH AS DIRECT DIALING OVERSEAS, CALL
          FORWARDING (BOTH OF WHICH OPEN UP NEW
          WORLDS OF PHREAKING WHICH WE'LL EXPLORE
           IN LATER ISSUES), AND CALL HOLDING ARE
          STEPS FORWARD, WITHOUT QUESTION.  BUT
          AT THE SAME TIME, WHAT DO ALL OF THE
          NASTY IMPLICATIONS MENTIONED FURTHER
          BACK MEAN TO THE AVERAGE PERSON ON THE
          SIDEWALK?  THE SYSTEM IS PERFECTLY
          CAPABLE OF MONITORING ANYONE, NOT JUST
          PHONE PHREAKS!  WHAT WOULD HAPPEN IF
          THE NICE FRIENDLY GOVERNMENT WE HAVE
          SOMEHOW GOT OVERTHROWN AND A MEAN NASTY
          ONE TOOK ITS PLACE?  WITH ESS, THEY
          WOULDN'T HAVE TO DO TOO MUCH WORK, JUST
          COME UP WITH SOME NEW SOFTWARE. IMAGINE
          A PHONE SYSTEM THAT COULD TELL
          AUTHORITIES HOW MANY CALLS YOU PLACED
          TO CERTAIN TYPES OF PEOPLE, I.E. BLACKS
           COMMUNISTS, LAUNDROMAT SERVICE
          EMPLOYEES... ESS COULD DO IT, IF SO
          PROGRAMMED.

          *** BIOC         FROM WHACKOLAND BBS:
          *** AGENT        
                           THE RADIO STATION BBS
                           300/1200 BAUD


          ---------------------------------------

 
                   GAMES PHONE COMPANIES PLAY



Some phone companies have come up with clever little tricks to
fuck up the phreaks hacking activities. One of these is the
CARRIER BLAST. Simply put, they shoot a 300/1200 baud answer tone
across the phone line right before you connect with your
destination. This move makes your computer THINK it's connected
with the computer you're calling. The attempt is laughable. All
you need do is to take the modem offline for that period of
seconds when the carrier is blasting. For the Hayes  and the
Hayes compatible modems you work this command into the dialing
sequence, "+++,". Each modem in the AT mode permits you to take
the modem offline and "idle". The function is programable so  you
can use any keyboard character. The "+++" puts the modem in idle,
the comma is a timing element you've preprogrammed. If you want a
five second delay, you will have programmed "ATS8=5" or "ATS8=10"
for a ten second delay. After your delay the modem will continue
to execute  the dialing sequence. You'll now use "ATO" to put the
modem back on line. The whole routine will look like
this,"+++,ATO". Consult your modem manuals if you don't have a
Hayes Compatible. Each manufacturer has "borrowed" the same
features from Hayes. The  result will be the same even if your
commands may differ.
  
Another little gimmick has been borrowed from the PBX. After
entering your code you have to enter "9" to get out. No big deal.
Just use nine as a suffix. 


If you've ever tried hacking an AT&T credit card (and I recommend
that you don't) you'd notice that you can dump the entire dialing
sequence all at once. This is a classy system. Not so with MCI or
UStel. After you've entered the 0 and the area code of your
destination the system beeps you that it has received the proper
format. While this beeping is going on you can't dial over it.
The solution is simple, insert the  "comma delay to wait for the
"beeper" to get done. The one problem you may encounter depends
on the size of you modem's buffer. The Hayes compatible can
accept forty five digits. The MCI/UStel format requires a full 44
digits. You have one to spare. If your buffer size is smaller,
you'll have to break the dialing sequence in two separate
routines. A bit of a bitch but liveable for the return.


Code format bastardizations are a nice change. The telco's hope
that in deviating from the norm, it will be less advantageous for
the hacker, who like anyone else develops habits, to whack away
at their systems. Itt's reverse arrangement is a prime example.                             The Pbx

The Pbx (Public Branch Exchange) is a switching station. In the
old days an operator would stick a plug into a slot and connect
with an incoming call and another plug to a second slot to
establish a connection with the destination. The equipment is the
same in theory except, today the microchip has eliminated the
human operator.

The phreak is interested in the board's dial in/out capability.
The legitimate users of the Pbx can call into a number, enter a
code + a routing number and have an At&t line to dial out with.
Pbx's afford the hack indirect access to Ma Bell without exposing
him to the risk of a trace. There are two principle uses,
Teleconferencing and Overseas calls to area only At&t services.

To find a Pbx the hack scans a local prefix. This is also known
as War Dialing after the movie War Games. To find the unit the
hack must be equipped with a modem capable of recognizing a dial
tone. The Hayes modem can not. The Apple Cat is considered the
ideal phreaking modem. Not only can it  recognize dial tones it
can generate the frequencies needed to emulate a blue box. The
Cat is not one of Ma Bell's favorites. The Hayes user is forced
to sit and listen to the dialing if he wants a Pbx. Most phreaks
will usually make a deal with a cat owner for pbx locations.

The phreak will recognize the Pbx when he hears a second dial
tone. He'll now start playing around looking for the code. Many
switchboards have simple and easy to remember 4 digit codes like
1234. The hack will always go for the obvious. Code lengths can
be any where from zero to eight digits. Pbx's are very user
friendly. When you screw up it'll beep at you to let you know.
This is a worksheet for Pbx hacking


               1    1    1    1    1    1    1    1
               2    2    2    2    2    2    2    2
               3    3    3    3    3    3    3    3
               4    4    4    4    4    4    4    4
               5    5    5    5    5    5    5    5
               6    6    6    6    6    6    6    6    
               7    7    7    7    7    7    7    7    
               8    8    8    8    8    8    8    8
               9    9    9    9    9    9    9    9

The hack will now enter a number from the far left column. If it
beeps at him he knows he's guessed wrong so he disconnects and
redials. With an autodialer that's no big deal. He goes back to
work on the first column. He will eventually it a number which
doesn't generate an error message. He circles it and proceeds to
the next column. When he's succeeded in hacking out the code, he
will hear another dial tone. This is his At&t line out. Most
phreaks will test the line by dialing information, local to the
Pbx.

Some units require an additional out code. Would you believe 9 ?
Actually the Pbx will accept any preprogrammed 2 digit code, like
85. Nine has become a habit and many virgins have lost their
cherry to a phreak by doing the obvious. I've seen units that
required no code, only the 9 to get outside. 

It's impossible to make a Pbx secure. If a hacker want's it, and
he's willing to work on it, he'll get it. The only option
available to the business is to disconnect the in/out dialups and
supply their outside personnel with long distance travel cards.

Loops 
 
 
Loops are mildly interesting in the hack/phreak world. They 
consist of two telephone numbers that, when connected, permit 
callers to hold conversations with strangers or friends whom 
they've met by appointment. 
 
A loop has a high side and a low side, meaning one of the pair of

numbers emits a tone while the other is quiet.  Loops in 213 and 
818 areas can be found by dialing any prefix and 1118 or 1119. 
Pacific Telephone has injected a rather annoying "click" into the

line which makes data transfers impossible and voice 
communication tedious. This situation doesn't exist in other 
areas of the country. 
 
At first glance, loops may not appear to have any practical 
value. To the hacker it has two uses. It enables him to voice 
with people he doesn't want to have his phone number and it's 
useful in conferencing (see Alliance). Many hacks refuse to make 
their personal information available to those who are not long 
standing bbs acquaintances. Loops make safe voicing possible. 
 
 
                           A Few Loops 
 
 
          201-531-9929,9930        201-938-9929,9930 
          206-827-0018,0019        206-988-0020,0022 
          212-283-9977,9997        208-862-9996,9997 
          209-732-0044,0045        212-529-9900,9906 
          212-283-9977,9979        212-352-9900,9906 
          212-220-9977,9979        212-365-9977,9979 
          212-562-9977,9979        212-986-9977,9979 
          213-549-1118,1119        214-299-4759,4757 
          214-291-4759,4757        307-468-9999,9998 
          308-357-0004,0005        402-779-0004,0007 
          406-225-9902,9903        714-884-1118,1119 



These loops were taken from a Hack Board and are for the 808
area.



          ((((((((((((((((((((((((((((((((((( 
          (                                    ( 
          (                                    ( 
          (                                    ( 
          (      Here are some loops for ya.   ( 
          (                                    ( 
          (                                    ( 
          (                                    ( 
          (               (808) = 1            ( 
          (             (9907)= Loud           ( 
          (            (9908)= Silent          ( 
          (                                    ( 
          (                                    ( 
          (                                    ( 
          (                                    ( 
          (         1 328 (Loud) (Silent)      ( 
          (         " 322 """""""""""""""      ( 
          (         " 572 """""""""""""""      ( 
          (         " 261 """""""""""""""      ( 
          (         " 239 """""""""""""""      ( 
          (         " 668 """""""""""""""      ( 
          (         " 885 """""""""""""""      ( 
          (         " 961 """""""""""""""      ( 
          (         " 245 """""""""""""""      ( 
          (         " 332 """""""""""""""      ( 
          (         " 335 """""""""""""""      ( 
          (         " 623 """""""""""""""      ( 
          (         " 624 """""""""""""""      ( 
          (         " 959 """""""""""""""      ( 
          (         " 742 """""""""""""""      ( 
          (         " 879 """""""""""""""      ( 
          (         " 882 """""""""""""""      ( 
          (         " 329 """""""""""""""      ( 
          (         " 247 """""""""""""""      ( 
          (         " 235 """""""""""""""      ( 
          (((((((((((((((((((((((((((((((((((((( 
          The Loop master (Merauge) was here 
 
 
                            DIVERTERS


 Diverters are privately owned call forwarding machines. They'll
 be found almost exclusively in areas that don't have call
 forwarding. This also means  ESS isn't operational in your
 area. This is how it works...

 You may not realize it, but the sounds of a call connecting are 
 permanently etched on your subconscience mind. Whether it's the 
 sounds of tones or clicks, you know when your call has 
 connected. Pay attention next time, you'll see what I mean. A 
 call going to a diverter makes two connections. First to the 
 number  you called and second to the number that the diverter 
 called. When you hear this second connection, you'll know that 
 you've bagged a diverter. The call will be connected to a person 
 you have absolutely no interest in talking to. Tell the person 
 that you have the wrong number, click the rocker on your phone, 
 and wait for HIM to hang up. Your call is now in a never never 
 land between the first number you dialed and the number that the 
 diverter called. Wait about two minutes. You'll hear a faint 
 dial tone in the back ground. That's your AT&T line out. You can 
 now dial anywhere in the world. 

 Since you're  dealing with a real human on the other end, be 
 prepared for the unexpected. I called one diverter recently and 
 had a fellow answer the phone. I used the wrong number routine 
 and clicked the rocker, but HE DIDN'T HANG UP. Hey, I'm cool, a 
 dummied up and waited. After five minutes HE STILL WOULDN'T HANG
 UP. Not only that, he started making lewd suggestions that he 
 and I get together for a date. I like girls and this joker was 
 grossing me out. I said,"Jesus fucking Christ" very disgustedly 
 (for emphasis) and clicked the rocker arm again. THE SON OF A 
 BITCH STILL WOULDN'T HANG UP. I gave up and went to a PBX. 

 This is the moral of this story. This fellow had been burned  
 before. He knew the flaw in his diverter and he knew what to do 
 about it. Plus the guy gets 10 points for have some style. He   
knew what I was trying to do to him and he played the game out  
all the way. A good show. Manufacturers of diverters are hip to  
the game. Their newer machines have disconnect features that  
restrict a phreaks call out abilities. Never the less, there are 
hundreds of thousands of the older machines still out there with 
their cherries intact. Firms that use a diverter are too cheap  
to hire and answering service. For this reason alone they won't  
be too quick to upgrade their systems. They'll get a little  
incentive after they receive a several thousand dollar phone  
bill. 


 I spoke with a phreak not too long ago who received a 2 thousand
 dollar phone bill for conferance calls he'd made with a  
diverter.
 Explained the steps he'd taken in its use. I asked him if the 
second dial tone he received was as loud as the first. I 
informed him as kindly as possible, "You dumb shit, that was 
your dial tone not the diverter". There's a moral in there 
somewhere.
                          The Black Box

Another credible file on box building. Note the black will work
under Crossbar or Step by Step but not with ESS.



***************************************
*                                     *
*      HOW TO BUILD A BLACK BOX       *
*                                     *
***************************************
A BLACK BOX
IS A DEVICE THAT IS HOOKED UP TO YOUR
FONE  THAT FIXES YOUR FONE SO THAT WHEN
YOU GET A CALL,  THE CALLER DOESN'T GET
CHARGED FOR THE CALL.  THIS IS GOOD FOR
CALLS  UP TO 1/2 HOUR,  AFTER 1/2  HOUR
THE FONE CO.   GETS SUSPICOUS, AND THEN
YOU CAN GUESS WHAT HAPPENS.

THE WAY IT WORKS:

WHAT  THIS LITTLE BEAUTY  DOES  IS
KEEP THE LINE VOLTAGE FROM DROPPING  TO
10V  WHEN  YOU ANSWER YOUR  FONE.   THE
LINE IS INSTED KEPT AT 36V AND IT  WILL
MAKE  THE  FONE THINK THAT IT IS  STILL
RINGING WHILE YOUR TALKING.  THE REASON
FOR THE 1/2 HOUR TIME LIMIT IS THAT THE
FONE CO. THINKS THAT SOMETHING IS WRONG
AFTER 1/2 AN HOUR OF RINGING.

ALL  PRTS  ARE  AVAILABLE   RADIO
SHACK.   USING THE LEAST POSSIBLE PARTS
AND ARANGEMENT,  THE COST IS $0.98 !!!!
AND  THAT  IS  PARTS FOR TWO  OF  THEM!
TALK  ABOUT  A DEAL!   IF YOU  WANT  TO
SPLURGE  THEN  YOU CAN GET A  SMALL  PC
BOARD,  AND  A SWITCH.   THERE ARE  TWO
SCHEMATICS  FOR THIS BOX,  ONE  IS  FOR
MOST  NORMAL FONES.   THE SECOND ONE IS
FOR  FONES  THAT DON'T  WORK  WITH  THE
FIRST.  IT WAS MADE FOR USE WITH A BELL
TRIMLINE TOUCH TONE FONE.

**  SCHEMATIC 1 FOR MOST FONES  **
**         LED ON: BOX ON       **

FROM >--------------------GREEN->  TO
LINE >--!   1.8K  LED  !---RED--> FONE
!--/\/\/\--!>--!
!              !
------>/<-------
SPST



PARTS:  1 1.8K 1/2 WATT RESISTOR
1 1.5V LED
1 SPST SWITCH

YOU  MAY JUST HAVE TWO WIRES WHICH  YOU
CONNECT TOGETHER FOR THE SWITCH.


**  SCHEMATIC 2 FOR ALL FONES  **
**        LED ON: BOX OFF      **

FROM >---------------GREEN->  TO
LINE >-------      ---RED--> FONE
!  LED !
-->/<--!>--
!         !
---/\/\/---
1.8K

PARTS:  1 1.8K 1/2 WATT RESISTOR
1 1.5V LED
1 DPST SWITCH


HERE IS THE PC BOARD LAYOUT THAT I
RECOMMEND  USING.   IT  IS NEAT AND  IS
VERY EASY TO HOOK UP.

SCHEMATIC #1        SCHEMATIC #2

**************     ****************
*            *     *  -------     *
* --<LED>--- *     *  !     !     *
* !        ! *     *  ! <SWITCH>  *
* RESISTOR ! *     *  ! !      !  *
*        ! ! *     *  ! !      /  *
* -------- ! *     *  ! !      \  *
* !        ! *     *  ! <LED>! /  *
* --SWITCH-- *     *  !      ! \  *
*  !      !  *     *  !      ! /  *
L *  !      !  * F L *  !      ! !  * F
I>RED-      -RED>O I>RED-      ---RED>O
N>-----GREEN---->N N>-----GREEN------>N
E * H          * E E *              * E
**************     ****************


ONCE YOU HAVE HOOKED UP ALL  THE
PARTS,  YOU MUST FIGURE OUT WHAT SET OF
WIRES  GO TO THE LINE AND WHICH  GO  TO
THE FONE.   THIS IS BECAUSE OF THE FACT
THAT LED'S MUST BE PUT IN, IN A CERTAIN
DIRECTION.  DEPENDING  ON WHICH WAY YOU
PUT THE LED IS WHAT CONTROLS WHAT WIRES
ARE FOR THE LINE & FONE.

HOW TO FIND OUT:

HOOK  UP THE BOX IN ONE  DIRECTION
USING ONE SET OF WIRES FOR LINE AND THE
OTHER FOR FONE.

*NOTE*  FOR MODEL I SWITCH SHOULD BE OFF.
*NOTE*  FOR MODEL ][ SWITCH  SHOULD  BE
SET TO SIDE CONNECTING THE LED.

ONCE  YOU HAVE HOOKED IT UP,  THEN
PICK UP THE FONE AND SEE IF THE LED  IS
ON.  IF IT IS, THE LED WILL BE LIT.  IF
IS  DOESN'T LIGHT THEN SWITCH THE WIRES
AND TRY AGAIN.  ONCE YOU KNOW WHICH ARE
WHICH  THEN LABEL  THEM.   *NOTE*  - IF
NEITHER  DIRECTIONS  WORKED  THEN  YOUR
SWITCH WAS IN THE WRONG POSITION.   NOW
LABLE   THE   SWITCH  IN  ITS   CURRENT
POSITION AS BOX ON.

HOW TO USE IT:

THE PURPOSE OF THIS BOX IS NOT  TO
POEPLE  WHO  CALL YOU SO IT WOULD  MAKE
SENCE  THAT  IT  CAN ONLY  BE  USED  TO
RECEIVE! CALLS.   WHEN THE BOX IS  *ON*
THEN YOU MAY ONLY RECIEVE CALLS.   YOUR
FONE WILL RING LIKE NORMAL AND THE  LED
ON  THE BOX WILL FLASH.   IF YOU ANSWER
THE FONE NOW, THEN THE LED WILL
LIGHT AND THE CALLER WILL NOT BE CHARGED.
HANG  UP  THE FONE AFTER YOU  ARE  DONE
TALKING LIKE NORMAL.   YOU WILL NOT  BE
ABLE  TO  GET A DIAL-TONE OR CALL  WHEN
THE  BOX IS ON,  SO TURN THE BOX  *OFF*
FOR  NORMAL CALLS.    I DON'T  RECOMMEND
YOU DON'T WANT IT TO ANSWER WHEN MA BELL
CALLS!


Incidentally, never let it be said that all hackers are literate.
Just knowing thieves.
                      The Infamous Blue Box


The follwoing appears to be a credible set of plans for the
Captain Crunch machine.



 
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 
$                                     $ 
$           BLUE BOX PLANS!           $ 
$           ---------------           $ 
$                                     $ 
$       Edited and Uploaded by:       $ 
$                                     $ 
$                                     $ 
$$$$$$$->The Spirit Of Radio<-$$$$$$$ 
$                                     $ 
$              Written by:            $ 
$                                     $ 
$     Mr. America from Osuny BBS      $ 
$                                     $ 
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 
 
This file will explain the construction, troubleshooting,
andadjustmentof a Blue Box. 
 
We all know that the touch tone frequencies are composed of 2
tones (2 different freqs.) so that is the reason why we have 2
VCO's (Voltage Controlled Oscilators).  We'll call them VCO#1 and
VCO#2.If you have noticed VCO#1 and VCO#2 are exactly the same
type of  circuits.  That is why only 1 was drawn. But remember
that whatever goes for VCO#1 also goes for VCO#2. Both VCO'S are
composed of a handfull of parts.  One chip, two capacitors,2
resistors and five potentionmeters.  All of this will give you
(when properly calibrated) one of the freqencies necessary (the
other one will come fromVCO#2) for the operation of $ the Blue
Box. Both of these freqs. will bemixed in the speaker to form the
required tone. 
 
This is one of the most sophisticated designs I have ever made.
Why? Because other designs will drain the battery after 10 calls.
This design will make them last 10 months!!!!!!  But
nevertheless, don'tforget to put in aswitch for on and off.  Ok
let's build  the two VCO'S andcalibrate the unit before we get to
the keyboard construction. 
 
 
VCO CONSTRUCTION 
 
TOOLS REQUIRED 
1 ocilliscope(optional but not req) 
1 Freq. counter   (REQUIRED) 
1 Volt meter       "  "  " 
Electronics tools  (Pliers, drll, screwdrivers, etc.) 
 
 
PARTS 
 
R1  1.5K RESISTOR  5% 
R2  1K   RESISTOR  5% 
C1 .1uf  ELECTROLYTIC CAPACITOR 16VDC 
C2 .01uf  "        "  (MYLQR)   16VDC 
C1 2207 VCO CHIP BY EXAR ELECTRONICS 

Remember the above only says VCO#1 but the same is for VCO#2 

R3-R4 150 OHM RESISTORS  5%         . 
C3-C4 .1 uf ELECTROLITIC CAPACITOR  . 
10VDC                         . 

P1-P10 200K TRIMMER POT - 20 TURNS DIODES USED IN THE KEYBOARD
ARE 1N914 TYPE(40 OF THEM) & 13 SWITCHES FOR THE KEYBOARD SPST
MOMENTARY. 

SPKR YOU CAN USE A TELEPHONE SPEAKER FOR THIS (IT WORKS BEST) BUT
REMEMBER TOTAKE OUT THE DIODE THAT IS CONNECTED ACCROSS IT. 
 
 
IMPORTANT NOTES 
 
1. DO NOT USE ANYTHING ELSE OTHER THAN A MYLAR CAPACITOR FORC2. 
2. PINS 10,9,8 SHOULD BE TIED TOGETHER AND BE LEFT FLOATING. 
3. ALL RESISTORS SHOULD BE 5%!  NOTHING ELSE! 
4. A TELEPHONE SPEAKER GIVES THE BEST RESULTS. 
 
 
TROUBLE SHOOTING 
 
By now you should have constructed the two VCO'S on a bread board
or anything that pleases you.  Check for cold solder
joints,broken wires,polarity of the battery, etc.  Before we
apply power to the VCO'S we have to adjust the pots for their
half way travel point.  This is done by turning them 21 turns to
the right and then 10 turns to the left.  Do the same for all ten
of them. 
 
Now apply power to the unit check to see that you have power in
the chips by putting the positive lead of your volt meter on pin
7 andthe negative lead on pin 12.  If you do not have anything
there turn off the unit and RECHECK THE WIRING. 
 
When you get the right voltages on the chips, connect a diode to
a piece of wire (look at fig. 2 for the orientation of the diode)
from round to any pot at point T (look carefully at the schematic
for point T it is labeled T1-T10 for all pots). You should be
able to hear a tone, if not disconnect the lead and place the
speaker close to your ear and if you hear a chirp-like sound,
this means that the two VCO'S are working if you don't, 
it means that either one or both of the VCO'S are dead.  So in
this case it is always good to have an ocilloscope on hand. 
Disconnect the speaker from the circuit and hook the ocilliscope
to 1 of the leads of the speaker & the ground from the scope to
the ground of the battery. Connect again the ground lead with the
diode connected to it  from ground to any pot on the VCO that you
are checking and you should see a triangle wave if not turn the
pot in which you are applying the ground to until you see it.
When you do see it do the the same for the other VCO to makesure
it is working. (amplitude is about 2VAC). When you get the two
VCO's working you are set for the adjustment of the individual
spots. 
 
 
ADJUSTMENT 
 
Disconnect the speaker from the circuit and connect a freq.
counter (the positive lead of the counter to one of the speakers
leads that belongs to VCO#1 or connect it to pin 14. 
 
Connect the negative lead to the battery negative and connect the
jumperlead with the diode from ground to pot number 1.T1 (the
first pot number 1 point T1).  If you got it working you should
hear a tone and get a reading on the counter.  Adjust the pot for
a  freq. of 1700hz and continue doing the same for pots 2-5
except that they get different freqs. which are: 
 
:            $$$$$$$$$$$$$$           : 
:            $            $           : 
:            $ P1 1700hz  $           : 
:            $ P2 1300hz  $           : 
:            $ P3 1100hz  $           : 
:            $ P4  900hz  $           : 
:            $ P5 1500hz  $           : 
:            $            $           : 
:            $$$$$$$$$$$$$$           : 
 
Now disconnect the freq. counter from the speaker lead of VCO#1
or from pin (which ever you had it attached to at the beginning)
and connect it to the speaker lead of VCO#2 or to pin 14 of VCO#2
and make the same adjustments toP6-10.: 
 
:            $$$$$$$$$$$$$$$          : 
:            $             $          : 
:            $ P6  1100hz  $          : 
:            $ P7   700hz  $          : 
:            $ P8   900hz  $          : 
:            $ P9  2600hz  $          : 
:            $ P10 1500hz  $          : 
:            $             $          : 
:            $$$$$$$$$$$$$$$          : 
 
When you finish doing all of the pots go back and re-check 
them. 
 
 
KEYBOARD 
 
IF YOU LOOK AT FIG-2 YOU WILL SEE THAT THE KEYS ARE
SIMPLE SWITCHES. CONNECTED TO A GROUND AND TWO DIODES ON THE
OTHER END. THESE DIODES ARE USED TO SIMPLIFY THE CONSTRUCTION OF
THE KEYBOARD BECAUSE OTHERWISE THE DISTRIBUTION OF THE GROUND
SIGNAL FOR BOTH VCO'S WOULD HAVE BEEN DONE MECHANICALLY.  THE
DIODE WILL GO TO VCO#1 AND THE OTHER WILL GO TO VCO#2. FIG-3
SHOWS THE ARRANGEMENT OF THE KEYS ON THE KEYBOARD. 
 
BELOW IS A TABLE THAT WILL HELP YOU CONNECT THE KEYS TO THE
REQUIRED VCO'SPOTS. 
 
<-------------------------------------> 
<                                     > 
<              (-FIG 2-)              > 
<                                     > 
<-----!-----!--------!--------!-------> 
<     !     !        !        !       > 
< TO  ! TO  !  FREQ  !  FREQ  !  KEY  > 
< POT ! POT !  OUT:  !  OUT:  !       > 
< ON  ! ON  !        !        !       > 
< VCO1! VCO2!        !        !       > 
<-----!-----!--------!--------!-------> 
<  1  !  06 ! 1700hz ! 1100hz !   C   > 
<  2  !  10 ! 1300hz ! 1500hz !   0   > 
<  1  !  10 ! 1700hz ! 1100hz !   E   > 
<  4  !  07 ! 0900hz ! 0700hz !   1   > 
<  3  !  07 ! 1100hz ! 0700hz !   2   > 
<  3  !  08 ! 1100hz ! 0900hz !   3   > 
<  2  !  07 ! 1300hz ! 0700hz !   4   > 
<  2  !  08 ! 1300hz ! 0900hz !   5   > 
<  2  !  06 ! 1300hz ! 1100hz !   6   > 
<  5  !  07 ! 1500hz ! 0700hz !   7   > 
<  5  !  08 ! 1500hz ! 0900hz !   8   > 
<  5  !  06 ! 1500hz ! 1100hz !   9   > 
<  -  !  09 ! ------ ! 2600hz !   X   > 
<     !     !        !        !       > 
<-------------------------------------> 
 
REMEMBER THAT IN FIG-2 IT'S THE SAME FOR EACH KEY EXCEPT THE "X"
KEY, WHICH ONLY TAKES ONE DIODE. 



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH