TUCoPS :: Phreaking General Information

TUCoPS :: Phreaking General Information :: rules.txt
Rules of Phreaking plus several dozen k of interesting stuff from 1986

THE IC'S RULES OF PHREAKING

These are the standards of hacking employed by the Inner Core.
The text comes from a data file written by and for IC members.

HACK YOUR OWN CODES.

Don't leech from someone else. Having codes is like having sex,
if you don't protect yourself you'll end up with a venereal
disease. You have no idea where a code has been before you got
your hands on it, when it was hacked or how long it's been in
circulation. Time is a very important factor, the longer a code
has been in use, the greater the risk.

DON'T STAY ON A CODE MORE THAN THREE DAYS.

Don't give the suckers an even break. To run a trace, MCI needs
to shuffle a lot of papers. Ain't that nice. Paper work takes
time, and it's highly unlikely they could accomplish the feat in
three days. It's even more unlikely they would even know
they've been phreaked for at least a week. All company's have
thirty day billing cycles, if you started using the code the day
after the bills went out, you'd have twenty nine days left to
play with it. The customer gets his billing and bitches up a
storm. The company now has the option of setting up a trap, but
alas, they notice you haven't used the code in three weeks and
have no destination number to PIN. If you phreaked the code one
day before the billing cycle ends, the customer may notice
right away. Figure you have two days for it to reach the
customer. If he yells right away it takes a few more days for
the security department to process the paperwork for the trace.
By that time you're long gone.

DON'T STAY ON A NODE MORE THAN THREE DAYS.

If you insist on burning the same company, you're going to
develop a pattern. You call your girl friend in Alaska every
damned day using the same company. It doesn't take a genius to
predict what you're going to do tomorrow. They know where you
enter their system and where you're going to. You've given them
everything they need to run a good trace. Spread the wealth a
little. Use US Telecom, then ITT, Lexitel, Skyline, Metro and a
few of the 800's if you like. Spread it out. These people have
no way of comparing. So you can screw Peter, Paul and the rest
of the Apostles with no worry. Just don't be a dip stick and get
lazy.

Everyone is worried about THE TRACE. Don't be. It's no big deal
for AT&T, after all it is their network, but for the leech
services it's an entirely different matter. This is why we don't
mess around with AT&T except through secondary accesses like
PBX's or Diverters. This is the scenario MCI's security
department will run down. They call up a number you've
called.......

"Hello, this is Inspector Bullshit with MCI. Did you receive a
phone call from the 212 area code on November 22, 1945 at 4:00
A. M.? "

"You didn't?"

"We've traced fourteen calls to this number in the last
two weeks, by the way, who am I speaking with?"

"Well Mrs. Blabbermouth, perhaps someone else in your household
received the calls? "

"I see, your daughter has a boyfriend in New York.

"I'm afraid he's in some serious trouble Mrs. B. If
you'll cooperate with me we won't pursue this matter with your
daughter."

"That's correct, little Susie Blabbermouth won't be involved. It
would be a shame to cause you folks trouble, after all she
didn't actually make the calls.""

All I need is the boy's name and phone number."

"Let me see if I have that right."Jimmy Phreaker at
212-555-1212?"

"Thank you Mrs. B you've been very helpful."

The point is, if Bullshit had really run traces he wouldn't be
calling to con the information. The exchange is typical of those
used by most phone companys and illustrate several important
issues.

Make sure the person you're calling is cool and there's no
chance someone else could rat on you. It is very unlikely MCI
will make such a call if you use the IC's Rules of Phreaking.
Yet, if it were to occur these are your friend's options...

1. HANGUP
2. "FUCK YOU"...THEN HANG UP
3. "I WAS WATCHING MIAMI VICE AND YOU INTERRUPT ME WITH
THIS CRAP. FUCK YOU"....HANG UP.
4. If you want to be nice about it; "I don't know what you're
talking about.....HANG UP.

The problem is now resolved. Remember these guys are like
rabid dogs in heat, they're excellent con artists. Believe
nothing you hear. You don't have to talk to them. If they had
anything on you they'd be standing at your door with a search
warrant. Their abilities in this area are very restricted. They
operate by manipulating your fear and you have nothing to fear
but your own fear. Don't try to come up with some lame
explanation, you know you received the call and they know it. So
don't make an ass out of yourself trying to explain away the
obvious - HANG UP!

What happens if your are caught?

Congratulate yourself on being an asshole. The number of phreaks
caught are so small you have now qualified for membership in a
really elite group of jerks.

Inspector Bullshit now has several options.

Grab your computer......... this will be done no matter what.

Grab your data files and any hard copy you have laying around.
This to help identify other subversives and also to supply
incriminating information about you.

Try to scare you into a confession. Standard operating procedure
- keep your fucking mouth shut. You have nothing to gain by
talking and a much to lose.

If you're a minor you can forget about jail time, an adult
is looking at a couple of weeks in the slam - may-be.

Realize this, they don't really want your ass as much as they
want THE MONEY. That's right boys and girls the buck talks loud
and clear.

If you're caught, you've broken every one of the IC's
rules. At worst you're looking at a couple of thousand in phone
bills. Get a lawyer to do your talking for you, that'll be about
a five hundred dollar retainer. If the company is willing to
settle for the money, and your computer, pay it - it's cheaper
in the long run. If they want you in the calaboose then fight
it. As a first time offender the odds of you actually getting
time are slim. Incidentally, Inspector Bullshit will drop a
little extra on the bill for good measure. Have the attorney
demand they produce their records of all "alleged phone
conversations".

In fighting a phreaking case you'll want to have a jury trial.
The technology behind the running of a trace is so
complicated even a halfassed lawyer could confuse the
average layman. He can make Inspector Bullshit describe
switching down to atomic subparticles if he wants and by the
time he gets to how a trace works the jury would be so confused
you'd skate on a "reasonable doubt". It would be
interesting to see if a sharp shark could subpoena the actual
equipment used to run the trace. I don't think MCI would
care to have one of their computers offline for the time it
would take to have "independent" examiners checking out the
functionality of the switching mechanisms.

To phreak or not to phreak. It's a question only you can answer
for yourself.

The following are electronic BBS conversations at a Hacker
Bulletin Board. They have been left intact (misspellings too)with
the exception of codes and phone numbers which could conceiveably
get my ass in hot water.

The Hacker network of communication is loosely knit but extremely
effective in getting information circulated quickly.

Lady G (Lady Godiva) is the only female I've ever seen on a hack
board. Amazingly she conned her way inside, yet turned out not to
be a threat to hackers even though she is employed by government.

Numb. --> 72
Title --> JUST A LITTLE CODE
From --> BIG BYTE
Left --> 19-Apr-86 2:30 am

While not to much to say just heres a sprint
(Code Deleted)

Also Bill the Cat do you know some people down in Florida like
Blackbeard or been on some off my Conferences?? Let me know.

.s
opps
/s
shit

B17>

--> Next bulletin

Numb. --> 73
Title --> Fed trap
From --> BIG BYTE
Left --> 19-Apr-86 3:05 am

Where i live here in Green Bay Wi, they are busting our town for
illegal use of the phone. The number they are getting kids
(leeches on) is 1-800-437-7010 it is GCI of Ancrage <-spelled
wrong Alaska and so far they have busted 400 people from one
school and have questioned 1500 its like a bad dream oh
who cares not me. Just be careful and dont use it unless you fell
lucky. All the codes used are in the 467xxxxx area so may be
other areas are safe.
later
bb

B17>

--> Next bulletin

Numb. --> 74
Title --> Bobo..
From --> THE ARABIAN KNIGHT
Left --> 19-Apr-86 11:10 am

Bobo,

Leave me mail. Id like to get a
sprint Code(New). I got a new Pbx,
maybe old. but it works fine..

Bobo- Why are you so worried About
Lady G? Does she know alot about you
or something?

B17>

--> Next bulletin

Numb. --> 75
Title --> [ Lady G. ] ?
From --> THE D MEN TOR
Left --> 19-Apr-86 1:23 pm

I can run CNA's in 415, Give me e-mail and I'll find out whatever
you want to find out about her BOBO. Have you spoken with her?
How do you really know this person is over 30 etc......

later,
The D men tor...Confused.

B17>W

Enter the name of the person you wish
to send mail to:
>THE D MEN TOR

What is the subject of this letter?
>Lady G

Mail:
You may enter up to 100 lines of text.
Press CTRL-A or CTRL-Q when done.

D men

The numbers for Lady G are 415-(Deleted) and
415-(Deleted).

She is over 30 because
1. She's uses expressions that are 15 years out of date.
2. I recoginize this becuase I too am 15 years out of date.

I don't like people getting busted. She pirates
but that's about it. I wonder why she's on so many hack boards.
Motor City went down right about the time she logged on.
I might be totally wrong, BUT, I want to check it out just to be
safe.
You can call me Mr. Paranoia. She rattles my cage and
it makes me nervous.

Let me know what pops.

Bobo

E>S

Filing mail for THE D MEN TOR...

B17>

B17>7

--> Telecommunications Today (7)...
--> 60 bulletins posted; some new!

B7>N

Numb. --> 59
Title --> Police Sting
From --> CHARLIE SMITH
Left --> 19-Apr-86 6:29 am

Here is an interesting story:

AUSTIN,TX--Law enforcement officials here have joined a growing
number of police agencies nationwide running "sting" operations
to catch persons using bulletin boards for illegal purposes.

Based on information posted on a bulletin board it operated, The
Austin Police Department said it has been able to turn off two
pirate boards here and expects shortly to make a number of
arrests for misdemeanor violations of Texas' newly enacted
computer crime law.

For more than two years, the police department secretly ran a
board called the Underground Tunnel, which was set up to appear
as a normal BBS run by a Sysop called "Pluto". But late last
month - to the surprise of the board's more than 1,000 users -
Pluto was revealed as Sgt. Robert Ansley, a seven-year veteran of
the Austin Police Department!

"Most of the users were people interested primarily in several
on-line fantasy games or in electronic messaging." Ansley said.
"To get to the levels where people posted information on how to
crash corporate sysems, the user had to ask for increased
access. We were very careful not to solicit or entrap anyone
into leaving illegal information."

The Austin Police Department disclosure caught most of the BBS's
users by surprise. "I liked the board's electronic messaging
capabilities," said user Michael Whalen, the managing editor of
the Daily Texan, the student newspaper of the University of
Texas, here. "I was really surprised at how the officer was able
to pull this off."

What the police found, according to Ansley, included access codes
belonging to the world's largest credit reporting organization,
TRW Information Services Systems Division of Orange, California.
"Most offenders seem to be real big on TRW," said Ansley.

Sting and intelligence gathering bulletin board operations are on
the rise throughout the country, according to law enforcement
officials. Several police departments nationwide have already
used bulletin boards to track down and arrest microcomputer
users who post illegally obtained calling card codes, mainframe
access procedures and passwords, or other confidential
information. According to one high-level West Coast law
enforcement officer who declined to be identified, federal
officials are now joining local authorities in running b5lletin
boards (BBSs) in several key metropolitan areas.

"You better believe law enforcement agencies are interested and
in in some cases, running bulletin boards," said Dan Pasquale, a
sergeant with the Fremont, California, police department. Last
month, police in Fremont, capped three and a half months of
bulletin board operations by arresting eight individuals for
alleged credit card fraud, misuse of telephone credit
card operations, and technical trespass. Pasquale said most
corporations whose passwords or calling card numbers were posted
on Fremont's BBS were unaware that their information had been
compromised.

** Hackers Note Here** Pasquale actively solicited the posting of
codes, passwords, credit cards. Qualifying as entrapment. More
experienced hacks pulled out before he sprang his trap. More than
200 people were arrested coast to coast. Only one was elite and
he beat the rap. The rest were rodents.

Although police are pleased with their results, some users say
they feel the sting bulletin boards are unfair to both the
innocent users and the suspected criminals alike. Whalen said
students at the University of Texas used the board extensively,
andhe claimed that some people accused of posting access codes
and other information on the board felt they had been entrapped
when they discovered that the BBS was a police sting operation.

Whalen also said that some users were concerned about the privacy
and sanctity of electronic mail left on the board. "Ansley said
users are foolish if they don't think a sysop reads the mail on
the board," he added.

Indeed, as police turn increasingly to bulletin boards to catch
suspected criminals, the issue of entrapment has also become a
growing concern, one to which police are sensitive.

"At no time did the police department urge users to leave access
codes, applications, or passwords for corporate computers on The
Tunnel," Ansley said.

To prove entrapment, a suspect would have to clearly show that
the government agent offered some type of inducement to promote
criminal activity, said Jim Harrington, the legal director of
the Texas Civil Liberties Union here. "The whole area of police
gaining information on [criminal activities] by reading
electronic mail is very interesting."

Fremont police held a series of meetings with a district attorney
before they started a board, according to Pasquale. "We
established a point where entrapment began and made sure we
never crossed that point, and in fact, messages on the board
were scripted in conjunction with the district attorney's
of

Ahem, let me hasten to point out the Gemini System is NOT a
police BBS!

Charlie

Numb. --> 60
Title --> Infocom
From --> ATILLA THE HUN
Left --> 19-Apr-86 11:37 pm

Well I don't know if anyone has heard this but,

I have heard that Infocom will start (or may have started)
calling AE lines to see if they contain any infocom software.
If so they download it and check the serials, and bingo if a
pirated version then plain and simple YOU IS BUSTED!

oh well anyone else know of anything more, I picked it up under
discussion at a bbs.

atilla the hun -<*-----

B7>OFF

In The News

Press reports of hacker misdeeds seem to be written in flavors
which border upon awe to contempt. It depends on the publication.
Newspapers ten to permit more editorializing. Between the two
extremes there is a point of reason. I've often wondered, "If a
fifteen year old kid can break into a 'secure' government
computer, what could a fully trained enemy agent do?" It's a
reasonable question.

Virginia - A fourteen year old hacker who called himself Phineas
Phreak was the first to be prosecuted under the state's computer
trespassing law. Arrested for hacking at a Bulletin Board, he was
placed on one year's probation and ordered to pay $300.00 in
compensation to the board's operator, Allen Knapp.

Milwaukee - A hacker group who called themselves the 414's after
their area code were arrested by FBI agents and found to have
access to more than 60 computer databases. These included a
California Bank, a cancer center and the Los Alamos Scientific
Laboratory.

California - Stanley Rifkin a computer consultant for Security
Pacific Bank, stole the bank's passwords and liberated 10 million
dollars from the institution. He then erased the electronic
records of the transactions. While Rifkin was not a hacker, he
hold the distinction of being the country's number one computer
thief. His arrest was not the result of his computerized
misdeeds, but instead, his lack of expertise at being a thief.

Washington - The United States Government has become the nation's
leading user of computers. As such, they are a target of internal
thieves who have used their systems to divert funds for their own
uses. A number of arrests of computer related theft has led the
government to believe they haven't scratched the surface yet.
It's estimated that only one in 22,000 computers crimes will ever
be prosecuted.

San Diego - A computer hacker, Bill Landreth pleaded guilty to
tapping the GTE Telemail network in Vienna, Virginia. Known as
"The Cracker" he agreed to cooperate with Federal Investigators
in a larger investigation. Four teenagers from Irvine, California
were subsequently arrested and named Landreth as their source of
information on hacking. Landreth has since written a book "Out of
the Inner Circle". The four kids from Irvine don't receive
royalties.

TRW - Hackers armed with stolen passwords broke into the TRW
credit system and reviewed information on employment records,
bankruptcies, loans, social security numbers and credit cards.
The password was stolen from a Sears and Roebuck and was
reportedly in circulation for the better part of a year. The
credit card numbers, expiration dates and credit limits of card
holders were used to make fraudulent purchases. TRW changed the
password.

Atlanta - Edward Johnson took exception to Jerry Falwell's fund
raising activities. His mother had a thing for T.V. preachers and
often gave money to Falwell's Liberty Foundation. Mr. Falwell's
collectors were oblivious to the fact the elderly lady lived on
social security and couldn't afford the donations. On a previous
occasion she had attempted to give the family farm to Jimmy
Swaggart. Johnson adjusted his phreaker program into a phone
cranker to auto dial Falwell's 800 and tie up the line for 30
seconds a call. Falwell's people reported they lost one million
in donations from the activity. Southern Bell finally trace the
calls and gave Johnson two choices, stop or lose his phone line -
he stopped. After all, it was "God's will".

Washington - Representative William Hughes from New Jersey has
introduced a bill to make computer theft of data and certain
"kinds of hacking activities" federal felonies.

New Jersey - Seven teenagers were arrested on charges of credit
card fraud, phreaking and hacking. An investigation into credit
card purchases led local police to the operator of a hacker bbs.
Armed with a search warrant the police seized his computer and
all related data. Inspection of same led to the arrests of the
other six. Now known in hack circles as the New Jersey Seven,
they reportedly had the ability to change the attitude of a
government satellite. The Inner Core reports they consider it
unlikely the kids knew they had the capability.

In my research, I've noted government and business to be at
greater risk from their own employees than from hackers. Credit
card fraud is the leading hacker crime. The pales beside the
reported cases of computer theft from internal sources. The
Rifkin case is the most noted. However, thousand of unreported
thefts occur every year.
MAKING MONEY WITH YOUR CODES

Ok, phreaking will save you money, that's fine. Wouldn't you
rather make some bucks off these jokers? No biggy. You sell your
codes. Is it illegal? You bet, but your the adverturesome type
with avarice in your heart...this is how it works.

Abdul wants to call the Middle East so he can talk with his
camel. No problem. Call the international operator and ask how
much it costs for an hour to Jordon. Charge the raghead fifty
percent of the cost for hooking him up and let him talk as long
as he likes. MCI and Sprint both access the Middle East so you're
in business. Foreigners are good to deal with. They're extremely
paranoid anyway so tell them you have to make the calls from a
phone booth. This isn't true BUT, you're covering your own ass.

There are a variety of good reasons why a phone booth is called a
fortress, this is one. DO NOT SELL THE CODES. Abdul knows nothing
about phreaking. The dumbshit will stay on the code too long and
will end up getting his ass traced. The telcos don't give two
shits about this guy. THEY WANT YOU!. You're the guy costing them
the big bucks. Abdul will make a deal and your tit will be in the
ringer. So keep control of the codes. If you want to be a nice
guy and hand out codes to your phriends fine. Just be sure they
don't have big mouths and that they know the IC's Rules of
Phreaking. You'll find a list of the countrys MCI and Sprint
access in the appendix. You'll also notice there are a lot of
places that they don't go. India for one. The only way to book
passage to India is on AT&T. You'll need to bag a PBX or a
Diverter for that action.

Equal Access

What does equal access mean to you? Not much. Access was the
issue that permitted Mci to break up At&t. The result was the
sudden emergence of the companies you'll find listed in this
chapter. At&t still retains an 85%+ share of the
telecommunications market. The rest of the business enterprises
are basically parasites attempting to feed off of Ma Bell's
network.

Equal Access means you get to pay 2 to 5 dollars a month for
"access" to the long distance network, whether you want it or
not. It means your local telco can go begging to the Public
Utilities commissions claiming the need for rate increases in the

wake of the break up. Pacfic Tel was hurt so much they posted
sales recently of one billion dollars. I first in the company's
history.

There is one small advantage to equal access. Ustel (950-1033)
customers can crossover to the Sprint Network (950-0777) and make
international calls. By appending the equal access code to the
customer code the call will be cross connected.

In short, equal access means this..."Bend over and smile
America". If you thought you were getting screwed before, well
you ain't seen nothing yet.

Equal Access Codes

10824 ATC Directline

10482 Access America

10939 Access Long Distance

10282 Action Telecom

10444 Allnet

Americall

10002 Americall LDC Inc.

10053 American Network

10366 American Telco

10050 American Telephone Exchange

10080 Amtel

Amertel

10824

ATC Communications

10287 ATS Communications

10272 Bell of Pa

10606 Biz-Tel

10300 Call America

10221 Capitol Telecommunications Inc.

10987 Clay Desta Communications

10266 Com Systems

10885 Communigroup of Kansas City

10733 Comp-Data Communications

Compute a Call

Comtel of Pine Bluff

10203 Cytel10233 Delta Communications

10339 Dial USA

Directline

Discount Long Distance

EO Tech10054 Eastern Telephone Systems

10634 Econo Line of Midland

Econo-line of Waco

10256 Execuline

10393 Execulines of Florida

Garden State Telco

10235 Inteleplex

10884 ITI

10488 Itt

10535 LDL - Long Distance for Less

10084 LDS

LDX

LTS

10066 Lexitel

10852 Line One

10036 Long Distance Savers

10537 Long Distance Service of Washington

Long Distance Telephone Savers

Max Long Distance

10222 Mci

10021 Mercury Long Distance

10622 Metro America Communications

National Telecommunications of Austin

Network I/Metromedia

10855 Network Plus

10638 Northwest Telecom Ltd.

10785 Olympia Telecom

10808 Phone America of Colorado

10936 R - Comm

10211 RCI

10787 STS/Star Tel

10800 Satelco

10888 Skyline

10087 Southernnet

10321 Southland Systems

10777 Sprint

10889 St. Joseph10787 STS/Star Tel

10007 TMC of Arkansas

10021 TMC of Chattanooga

10007 TMC of El Paso

10007 TMC of Miami

10007 TMC of S.E. Florida

TMI of Oklahoma

10826 Tel AMCO

Tel-Central Inc of Oklahoma

10330 Tel-Share

10626 Tel/man

10007 Telemarketing Communications

10899 Telephone Express

10331 Texustel

10850 Tollkall

10824 Transcall

10333 US Telecom

10859 Valu-Line of Longview

Valu-Line of Wichita Falls

10687 WTS Communicatons

10085 Westel

10220 Western Union

10995 Wylon

ESS

The following is a file taken from a Hack Board. I think it is
intellegently written and accurate.

+====================================+
+ ELECTRONIC SWITCHING SERVICE V1. +
+ EXERT FROM 2600 MAGAZINE FEB '84 +
+FROM THE RADIO STATION: 718-xxx-xxxx+
+====================================+

THERE WAS OF COURSE NO WAY OF KNOWING
WETHER YOU WERE BEING WATCHED AT ANY
GIVEN MOMENT. HOW OFTEN, OR ON WHAT
SYSTEM, THE THOUGHT POLICE PLUGGED IN ON
ANY INDIVIDUAL WIRE WAS GUESSWORK. IT
WAS EVEN CONCEIVABLE THAT THEY WATCHED
EVERYBODY ALL THE TIME. BUT AT ANY RAT
E THEY COULD PLUG IN YOUR WIRE WHENEVER
THEY WANTED TO. YOU HAD TO LIVE--DID L
IVE, FROM HABIT THAT BECAME INSTICT--IN
THE ASSUMPTION THAT EVERY SOUND YOU MAD
E WAS OVERHEARD, AND, EXCEPT IN
DARKNESS, EVERY MOVEMENT SCRUTINIZED.

'FROM NINETEEN EIGHTY-FOUR'

ESS IS THE BIG BROTHER OF THE BELL
FAMILY. ITS VERY NAME STRIKES FEAR AND
APPREHENSION INTO THE HEARTS OF MOST
PHREAKERS, AND FOR A VERY GOOD REASON.
ESS (ELECTRONIC SWITCHING SYSTEM) KNOWS
THE FULL STORY ON EVERY TELEPHONE
HOOKED INTO IT. WHILE IT MAY BE PARANO
ID TO SAY THAT ALL PHREAKING WILL COME
TO A SCREECHING HALT UNDER ESS, IT'S
CERTAINLY REALISTIC TO ADMIT THAT ANY
PHREAK WHOSE CENTRAL OFFICE TURNS TO
ESS WILL HAVE TO BA A LOT MORE CAREFUL.
HERE'S WHY.

WITH ELECTRONIC SWITCHING, EVERY
SINGLE DIGIT DIALED IS RECORDED. THIS
IS USEFUL NOT ONLY FOR NAILING PHREAKS
BUT FOR SETTLING BILLING DISPUTES. IN
THE PAST, THERE HAS BEEN NO EASY WAY
FOR THE PHONE COMPANY TO SHOW YOU WHAT
NUMBERS YOU DIALED LOCALLY. IF YOU
PROTESTED LONG ENOUGH AND LOUD ENOUGH,
THEY MIGHT HAVE PUT A PEN REGISTER ON
YOUR LINE TO RECORD EVERYTHING AND
PROVE IT TO YOU. UNDER ESS, THE ACTUAL
PRINTOUT (WHICH WILL BE DUG OUT OF A
VAULT SOMEWHERE IF NEEDED) SHOWS EVERY
LAST DIGIT DIALED.
EVERY 800 CALL, EVERY CALL TO DIRECTORY
ASSISTANCE, REPAIR SERVICE, THE
OPERATOR, EVERY RENDITION OF THE 1812
OVERTURE, EVERYTHING! HERE IS AN
EXAMPLE OF A TYPICAL PRINTOUT, WHICH
SHOWS TIME OF CONNECT, LENGTH OF
CONNECT, AND NUMBER CALLED.

DATE TIME LENGTH UNITS NUMBER

0603 1518 3 1 456-7890
0603 1525 5 3 345-6789
0603 1602 1 0 000-4011
0603 1603 1 0 800-555-1212
0603 1603 10 2.35* 212-345-6789
0603 1624 1 0 000-000-0000
(TSPS)

A THOUSAND CALLS TO "800" WILL SHOW
UP AS JUST THAT--A THOUSAND CALLS TO
"800"! EVERY TOUCH TONE OR PULSE IS
KEPT TRACK OF AND FOR MOST PHREAKS,
THIS IN ITSELF WON'T BE VERY PRETTY.

SOMEWHERE IN THE HALLOWED HALLS OF 19
5 BROADWAY, A TRAFFIC ENGINEER DID AN
EXHAUSTIVE STUDY OF ALL 800 CALLS OVER
THE PAST FEW YEARS, AND REACHED THE
FOLLOWING CONCLUSIONS: (1) LEGITIMATE
CALLS TO 800 NUMBERS LAST AN AVERAGE OF
3 MINUTES OR LESS. OF THE ILLEGAL (I.E
PHREAKERS) CALLS MADE VIA 800 LINES,
MORE THAN 80% LASTED 5 MINUTES/LONGER;
(2) THE AVERAGE RESIDENTIAL TELEPHONE
SUBSCRIBER MAKES FIVE SUCH CALLS TO AN
800 NUMBER PER MONTH. WHENEVER
PHREAKERS ARE BEING WATCHED, THAT
NUMBER WAS SIGNIFICANTLY HIGHER. AS A
RESULT OF THIS STUDY, ONE FEATURE OF
ESS IS A DAILY LOG CALLED THE "800
EXCEPTIONAL CALLING REPORT."

UNDER ESS, ONE SIMPLY DOES NOT PLACE
A 2600 HZ TONE ON THE LINE, UNLESS OF
COURSE, THEY WANT A TELCO SECURITY
REPRESENTATIVE AND A POLICEMAN AT THEIR
DOORWITHIN AN HOUR! THE NEW GENERICS
OF ESS (THE #5) NOW IN PRODUCTION, WITH
AN OPERATING PROTOTYPE IN GDNZFA, nILL,
ALLOW THE SYSTEM TO SILENTLY DETECT ALL
"FOREIGN" TONES NOT AVALABLE ON THE
CUSTOMER'S PHONE. YOU HAVE EXACTLY 12
BUTTONS ON YOUR TOUCH-TONE (R) PHONE.
ESS KNOWS WHAT THEY ARE, AND YOU HAD
BEST NOT SOUND ANY OTHER TONES ON THE
LINE, SINCE THE NEW #5 IS PROGRAMMED
TO SILENTLY NOTIFY A HUMAN BEING IN THE
CENTRAL OFFICE, WHILE CONTINUING WITH
YOUR CALL AS THOUGH NOTHING WERE WRONG!
SOMEONE WILL JUST PUNCH A FEW KEYS ON
THEIR TERMINAL, AND THE WHOLE SORDID
STORY WILL BE RIGHT IN FRONT OF THEM, &
PRINTED OUT FOR ACTION BY THE SECURITY
REPRESENTATIVES AS NEEDED.

TRACING OF CALLS FOR WHATEVER REASON
(ABUSIVE CALLS, FRAUD CALLS, ETC.) IS
DONE BY MERELY ASKING THE COMPUTER
RIGHT FROM A TERMINAL IN THE SECURITY
DEPARTMENT. WITH ESS, EVERYTHING IS RI
GHT UP FRONT, NOTHING HIDDEN OR
CONCEALED IN ELECTROMECHANICAL FRAMES,
ETC. IT'S MERELY A SOFTWARE PROGRAM!
AND A PROGRAM DESIGNED FOR EASE IN
OPERATION BY THE PHONE COMPANY. CALL
TRACING HAS BECOME VERY SOPHISTICATED A
ND IMMEDIATE. THERE'S NO MORE RUNNING
IN THE FRAMES AND LOOKING FOR LONG PERI
ODS OF TIME. ROM CHIPS IN COMPUTERS
WORK FAST, AND THAT IS WHAT ESS IS ALL
ABOUT.

PHONE PHREAKS ARE NOT THE ONLY REASON
FOR ESS, BUT IT WAS ONE VERY IMPORTANT
ONE. THE FIRST AND FOREMOST REASON FOR
ESS IS TO PROVIDE THE PHONE COMPANY
WITH BETTER CONTROL ON BILLING AND
EQUIPMENT RECORDS, FASTER HANDLING OF
CALLS (I.E. LESS EQUIPMENT TIED UP IN
THE OFF ICE AT ANY ONE TIME), & TO HELP
AGENCIES SUCH AS THE FBI KEEP BETTER
ACCOUNT OF WHO WAS CALLING WHO FROM
WHERE,ETC. WHEN THE FBI FINDS OUT THAT
SOMEONE WHOSE CALLS THEY WANT TO TRACE
IS ON A ESS EXCHANGE, THEY ARE THRILLED
BECAUSE IT'S SO MUCH EASIER FOR THEM
THEN.

THE UNITED STATES WON'T BE 100% ESS
UNTIL SOMETIME IN THE MID 1990'S. BUT
IN REAL PRACTICE, ALL PHONE OFFICES IN
ALMOST EVERY CITY ARE GETTING SOME OF
THE MOST BASIC MODIFICATIONS BROUGHT
ABOUT BY ESS. "911" SERVICE IS AN ESS
FUNCTION. SO IS ANI (AUTOMATIC NUMBER
IDENTIFICATION) ON LONG DISTANCE CALLS.
"DIAL TONE FIRST" PAY PHONES ARE ALSO
AN ESS FUNCTION. NONE OF THESE THINGS
WERE AVAILABLE PRIOR TO ESS. THE AMOUNT
OF PURE FRAUD CALLING VIA BOGUS CREDIT
CARD, THIRD NUMBER BILLING, ETC. ON
BELL'S LINES LED TO THE DECISION TO
RAPIDLY INSTALL THE ANI, FOR EXAMPLE,
EVEN IF THE REST OF THE ESS WAS SEVERAL
YEARS AWAY IN SOME CASES.

DEPENDING ON HOW YOU CHOOSE TO LOOK
AT THE WHOLE CONCEPT OF ESS, IT CAN BE
EITHER ONE OF THE MOST ADVANTAGEOUS
INNOVATIONS OF ALL TIME OR ONE OF THE
SCARIEST. THE SYSTEM IS GOOD FOR
CONSUMERS IN THAT IT CAN TAKE A LOT OF
ACTIVITY AND DO LOTS OF THINGS THAT OLD
ER SYSTEMS COULD NEVER DO. FEATURES
SUCH AS DIRECT DIALING OVERSEAS, CALL
FORWARDING (BOTH OF WHICH OPEN UP NEW
WORLDS OF PHREAKING WHICH WE'LL EXPLORE
IN LATER ISSUES), AND CALL HOLDING ARE
STEPS FORWARD, WITHOUT QUESTION. BUT
AT THE SAME TIME, WHAT DO ALL OF THE
NASTY IMPLICATIONS MENTIONED FURTHER
BACK MEAN TO THE AVERAGE PERSON ON THE
SIDEWALK? THE SYSTEM IS PERFECTLY
CAPABLE OF MONITORING ANYONE, NOT JUST
PHONE PHREAKS! WHAT WOULD HAPPEN IF
THE NICE FRIENDLY GOVERNMENT WE HAVE
SOMEHOW GOT OVERTHROWN AND A MEAN NASTY
ONE TOOK ITS PLACE? WITH ESS, THEY
WOULDN'T HAVE TO DO TOO MUCH WORK, JUST
COME UP WITH SOME NEW SOFTWARE. IMAGINE
A PHONE SYSTEM THAT COULD TELL
AUTHORITIES HOW MANY CALLS YOU PLACED
TO CERTAIN TYPES OF PEOPLE, I.E. BLACKS
COMMUNISTS, LAUNDROMAT SERVICE
EMPLOYEES... ESS COULD DO IT, IF SO
PROGRAMMED.

*** BIOC FROM WHACKOLAND BBS:
*** AGENT
THE RADIO STATION BBS
300/1200 BAUD

---------------------------------------

GAMES PHONE COMPANIES PLAY

Some phone companies have come up with clever little tricks to
fuck up the phreaks hacking activities. One of these is the
CARRIER BLAST. Simply put, they shoot a 300/1200 baud answer tone
across the phone line right before you connect with your
destination. This move makes your computer THINK it's connected
with the computer you're calling. The attempt is laughable. All
you need do is to take the modem offline for that period of
seconds when the carrier is blasting. For the Hayes and the
Hayes compatible modems you work this command into the dialing
sequence, "+++,". Each modem in the AT mode permits you to take
the modem offline and "idle". The function is programable so you
can use any keyboard character. The "+++" puts the modem in idle,
the comma is a timing element you've preprogrammed. If you want a
five second delay, you will have programmed "ATS8=5" or "ATS8=10"
for a ten second delay. After your delay the modem will continue
to execute the dialing sequence. You'll now use "ATO" to put the
modem back on line. The whole routine will look like
this,"+++,ATO". Consult your modem manuals if you don't have a
Hayes Compatible. Each manufacturer has "borrowed" the same
features from Hayes. The result will be the same even if your
commands may differ.

Another little gimmick has been borrowed from the PBX. After
entering your code you have to enter "9" to get out. No big deal.
Just use nine as a suffix.

If you've ever tried hacking an AT&T credit card (and I recommend
that you don't) you'd notice that you can dump the entire dialing
sequence all at once. This is a classy system. Not so with MCI or
UStel. After you've entered the 0 and the area code of your
destination the system beeps you that it has received the proper
format. While this beeping is going on you can't dial over it.
The solution is simple, insert the "comma delay to wait for the
"beeper" to get done. The one problem you may encounter depends
on the size of you modem's buffer. The Hayes compatible can
accept forty five digits. The MCI/UStel format requires a full 44
digits. You have one to spare. If your buffer size is smaller,
you'll have to break the dialing sequence in two separate
routines. A bit of a bitch but liveable for the return.

Code format bastardizations are a nice change. The telco's hope
that in deviating from the norm, it will be less advantageous for
the hacker, who like anyone else develops habits, to whack away
at their systems. Itt's reverse arrangement is a prime example. The Pbx

The Pbx (Public Branch Exchange) is a switching station. In the
old days an operator would stick a plug into a slot and connect
with an incoming call and another plug to a second slot to
establish a connection with the destination. The equipment is the
same in theory except, today the microchip has eliminated the
human operator.

The phreak is interested in the board's dial in/out capability.
The legitimate users of the Pbx can call into a number, enter a
code + a routing number and have an At&t line to dial out with.
Pbx's afford the hack indirect access to Ma Bell without exposing
him to the risk of a trace. There are two principle uses,
Teleconferencing and Overseas calls to area only At&t services.

To find a Pbx the hack scans a local prefix. This is also known
as War Dialing after the movie War Games. To find the unit the
hack must be equipped with a modem capable of recognizing a dial
tone. The Hayes modem can not. The Apple Cat is considered the
ideal phreaking modem. Not only can it recognize dial tones it
can generate the frequencies needed to emulate a blue box. The
Cat is not one of Ma Bell's favorites. The Hayes user is forced
to sit and listen to the dialing if he wants a Pbx. Most phreaks
will usually make a deal with a cat owner for pbx locations.

The phreak will recognize the Pbx when he hears a second dial
tone. He'll now start playing around looking for the code. Many
switchboards have simple and easy to remember 4 digit codes like
1234. The hack will always go for the obvious. Code lengths can
be any where from zero to eight digits. Pbx's are very user
friendly. When you screw up it'll beep at you to let you know.
This is a worksheet for Pbx hacking

1 1 1 1 1 1 1 1
2 2 2 2 2 2 2 2
3 3 3 3 3 3 3 3
4 4 4 4 4 4 4 4
5 5 5 5 5 5 5 5
6 6 6 6 6 6 6 6
7 7 7 7 7 7 7 7
8 8 8 8 8 8 8 8
9 9 9 9 9 9 9 9

The hack will now enter a number from the far left column. If it
beeps at him he knows he's guessed wrong so he disconnects and
redials. With an autodialer that's no big deal. He goes back to
work on the first column. He will eventually it a number which
doesn't generate an error message. He circles it and proceeds to
the next column. When he's succeeded in hacking out the code, he
will hear another dial tone. This is his At&t line out. Most
phreaks will test the line by dialing information, local to the
Pbx.

Some units require an additional out code. Would you believe 9 ?
Actually the Pbx will accept any preprogrammed 2 digit code, like
85. Nine has become a habit and many virgins have lost their
cherry to a phreak by doing the obvious. I've seen units that
required no code, only the 9 to get outside.

It's impossible to make a Pbx secure. If a hacker want's it, and
he's willing to work on it, he'll get it. The only option
available to the business is to disconnect the in/out dialups and
supply their outside personnel with long distance travel cards.

Loops

Loops are mildly interesting in the hack/phreak world. They
consist of two telephone numbers that, when connected, permit
callers to hold conversations with strangers or friends whom
they've met by appointment.

A loop has a high side and a low side, meaning one of the pair of

numbers emits a tone while the other is quiet. Loops in 213 and
818 areas can be found by dialing any prefix and 1118 or 1119.
Pacific Telephone has injected a rather annoying "click" into the

line which makes data transfers impossible and voice
communication tedious. This situation doesn't exist in other
areas of the country.

At first glance, loops may not appear to have any practical
value. To the hacker it has two uses. It enables him to voice
with people he doesn't want to have his phone number and it's
useful in conferencing (see Alliance). Many hacks refuse to make
their personal information available to those who are not long
standing bbs acquaintances. Loops make safe voicing possible.

A Few Loops

201-531-9929,9930 201-938-9929,9930
206-827-0018,0019 206-988-0020,0022
212-283-9977,9997 208-862-9996,9997
209-732-0044,0045 212-529-9900,9906
212-283-9977,9979 212-352-9900,9906
212-220-9977,9979 212-365-9977,9979
212-562-9977,9979 212-986-9977,9979
213-549-1118,1119 214-299-4759,4757
214-291-4759,4757 307-468-9999,9998
308-357-0004,0005 402-779-0004,0007
406-225-9902,9903 714-884-1118,1119

These loops were taken from a Hack Board and are for the 808
area.

(((((((((((((((((((((((((((((((((((
( (
( (
( (
( Here are some loops for ya. (
( (
( (
( (
( (808) = 1 (
( (9907)= Loud (
( (9908)= Silent (
( (
( (
( (
( (
( 1 328 (Loud) (Silent) (
( " 322 """"""""""""""" (
( " 572 """"""""""""""" (
( " 261 """"""""""""""" (
( " 239 """"""""""""""" (
( " 668 """"""""""""""" (
( " 885 """"""""""""""" (
( " 961 """"""""""""""" (
( " 245 """"""""""""""" (
( " 332 """"""""""""""" (
( " 335 """"""""""""""" (
( " 623 """"""""""""""" (
( " 624 """"""""""""""" (
( " 959 """"""""""""""" (
( " 742 """"""""""""""" (
( " 879 """"""""""""""" (
( " 882 """"""""""""""" (
( " 329 """"""""""""""" (
( " 247 """"""""""""""" (
( " 235 """"""""""""""" (
((((((((((((((((((((((((((((((((((((((
The Loop master (Merauge) was here

DIVERTERS

Diverters are privately owned call forwarding machines. They'll
be found almost exclusively in areas that don't have call
forwarding. This also means ESS isn't operational in your
area. This is how it works...

You may not realize it, but the sounds of a call connecting are
permanently etched on your subconscience mind. Whether it's the
sounds of tones or clicks, you know when your call has
connected. Pay attention next time, you'll see what I mean. A
call going to a diverter makes two connections. First to the
number you called and second to the number that the diverter
called. When you hear this second connection, you'll know that
you've bagged a diverter. The call will be connected to a person
you have absolutely no interest in talking to. Tell the person
that you have the wrong number, click the rocker on your phone,
and wait for HIM to hang up. Your call is now in a never never
land between the first number you dialed and the number that the
diverter called. Wait about two minutes. You'll hear a faint
dial tone in the back ground. That's your AT&T line out. You can
now dial anywhere in the world.

Since you're dealing with a real human on the other end, be
prepared for the unexpected. I called one diverter recently and
had a fellow answer the phone. I used the wrong number routine
and clicked the rocker, but HE DIDN'T HANG UP. Hey, I'm cool, a
dummied up and waited. After five minutes HE STILL WOULDN'T HANG
UP. Not only that, he started making lewd suggestions that he
and I get together for a date. I like girls and this joker was
grossing me out. I said,"Jesus fucking Christ" very disgustedly
(for emphasis) and clicked the rocker arm again. THE SON OF A
BITCH STILL WOULDN'T HANG UP. I gave up and went to a PBX.

This is the moral of this story. This fellow had been burned
before. He knew the flaw in his diverter and he knew what to do
about it. Plus the guy gets 10 points for have some style. He
knew what I was trying to do to him and he played the game out
all the way. A good show. Manufacturers of diverters are hip to
the game. Their newer machines have disconnect features that
restrict a phreaks call out abilities. Never the less, there are
hundreds of thousands of the older machines still out there with
their cherries intact. Firms that use a diverter are too cheap
to hire and answering service. For this reason alone they won't
be too quick to upgrade their systems. They'll get a little
incentive after they receive a several thousand dollar phone
bill.

I spoke with a phreak not too long ago who received a 2 thousand
dollar phone bill for conferance calls he'd made with a
diverter.
Explained the steps he'd taken in its use. I asked him if the
second dial tone he received was as loud as the first. I
informed him as kindly as possible, "You dumb shit, that was
your dial tone not the diverter". There's a moral in there
somewhere.
The Black Box

Another credible file on box building. Note the black will work
under Crossbar or Step by Step but not with ESS.

***************************************
* *
* HOW TO BUILD A BLACK BOX *
* *
***************************************
A BLACK BOX
IS A DEVICE THAT IS HOOKED UP TO YOUR
FONE THAT FIXES YOUR FONE SO THAT WHEN
YOU GET A CALL, THE CALLER DOESN'T GET
CHARGED FOR THE CALL. THIS IS GOOD FOR
CALLS UP TO 1/2 HOUR, AFTER 1/2 HOUR
THE FONE CO. GETS SUSPICOUS, AND THEN
YOU CAN GUESS WHAT HAPPENS.

THE WAY IT WORKS:

WHAT THIS LITTLE BEAUTY DOES IS
KEEP THE LINE VOLTAGE FROM DROPPING TO
10V WHEN YOU ANSWER YOUR FONE. THE
LINE IS INSTED KEPT AT 36V AND IT WILL
MAKE THE FONE THINK THAT IT IS STILL
RINGING WHILE YOUR TALKING. THE REASON
FOR THE 1/2 HOUR TIME LIMIT IS THAT THE
FONE CO. THINKS THAT SOMETHING IS WRONG
AFTER 1/2 AN HOUR OF RINGING.

ALL PRTS ARE AVAILABLE RADIO
SHACK. USING THE LEAST POSSIBLE PARTS
AND ARANGEMENT, THE COST IS $0.98 !!!!
AND THAT IS PARTS FOR TWO OF THEM!
TALK ABOUT A DEAL! IF YOU WANT TO
SPLURGE THEN YOU CAN GET A SMALL PC
BOARD, AND A SWITCH. THERE ARE TWO
SCHEMATICS FOR THIS BOX, ONE IS FOR
MOST NORMAL FONES. THE SECOND ONE IS
FOR FONES THAT DON'T WORK WITH THE
FIRST. IT WAS MADE FOR USE WITH A BELL
TRIMLINE TOUCH TONE FONE.

** SCHEMATIC 1 FOR MOST FONES **
** LED ON: BOX ON **

FROM >--------------------GREEN-> TO
LINE >--! 1.8K LED !---RED--> FONE
!--/\/\/\--!>--!
! !
------>/<-------
SPST

PARTS: 1 1.8K 1/2 WATT RESISTOR
1 1.5V LED
1 SPST SWITCH

YOU MAY JUST HAVE TWO WIRES WHICH YOU
CONNECT TOGETHER FOR THE SWITCH.

** SCHEMATIC 2 FOR ALL FONES **
** LED ON: BOX OFF **

FROM >---------------GREEN-> TO
LINE >------- ---RED--> FONE
! LED !
-->/<--!>--
! !
---/\/\/---
1.8K

PARTS: 1 1.8K 1/2 WATT RESISTOR
1 1.5V LED
1 DPST SWITCH

HERE IS THE PC BOARD LAYOUT THAT I
RECOMMEND USING. IT IS NEAT AND IS
VERY EASY TO HOOK UP.

SCHEMATIC #1 SCHEMATIC #2

************** ****************
* * * ------- *
* --<LED>--- * * ! ! *
* ! ! * * ! <SWITCH> *
* RESISTOR ! * * ! ! ! *
* ! ! * * ! ! / *
* -------- ! * * ! ! \ *
* ! ! * * ! <LED>! / *
* --SWITCH-- * * ! ! \ *
* ! ! * * ! ! / *
L * ! ! * F L * ! ! ! * F
I>RED- -RED>O I>RED- ---RED>O
N>-----GREEN---->N N>-----GREEN------>N
E * H * E E * * E
************** ****************

ONCE YOU HAVE HOOKED UP ALL THE
PARTS, YOU MUST FIGURE OUT WHAT SET OF
WIRES GO TO THE LINE AND WHICH GO TO
THE FONE. THIS IS BECAUSE OF THE FACT
THAT LED'S MUST BE PUT IN, IN A CERTAIN
DIRECTION. DEPENDING ON WHICH WAY YOU
PUT THE LED IS WHAT CONTROLS WHAT WIRES
ARE FOR THE LINE & FONE.

HOW TO FIND OUT:

HOOK UP THE BOX IN ONE DIRECTION
USING ONE SET OF WIRES FOR LINE AND THE
OTHER FOR FONE.

*NOTE* FOR MODEL I SWITCH SHOULD BE OFF.
*NOTE* FOR MODEL ][ SWITCH SHOULD BE
SET TO SIDE CONNECTING THE LED.

ONCE YOU HAVE HOOKED IT UP, THEN
PICK UP THE FONE AND SEE IF THE LED IS
ON. IF IT IS, THE LED WILL BE LIT. IF
IS DOESN'T LIGHT THEN SWITCH THE WIRES
AND TRY AGAIN. ONCE YOU KNOW WHICH ARE
WHICH THEN LABEL THEM. *NOTE* - IF
NEITHER DIRECTIONS WORKED THEN YOUR
SWITCH WAS IN THE WRONG POSITION. NOW
LABLE THE SWITCH IN ITS CURRENT
POSITION AS BOX ON.

HOW TO USE IT:

THE PURPOSE OF THIS BOX IS NOT TO
POEPLE WHO CALL YOU SO IT WOULD MAKE
SENCE THAT IT CAN ONLY BE USED TO
RECEIVE! CALLS. WHEN THE BOX IS *ON*
THEN YOU MAY ONLY RECIEVE CALLS. YOUR
FONE WILL RING LIKE NORMAL AND THE LED
ON THE BOX WILL FLASH. IF YOU ANSWER
THE FONE NOW, THEN THE LED WILL
LIGHT AND THE CALLER WILL NOT BE CHARGED.
HANG UP THE FONE AFTER YOU ARE DONE
TALKING LIKE NORMAL. YOU WILL NOT BE
ABLE TO GET A DIAL-TONE OR CALL WHEN
THE BOX IS ON, SO TURN THE BOX *OFF*
FOR NORMAL CALLS. I DON'T RECOMMEND
YOU DON'T WANT IT TO ANSWER WHEN MA BELL
CALLS!

Incidentally, never let it be said that all hackers are literate.
Just knowing thieves.
The Infamous Blue Box

The follwoing appears to be a credible set of plans for the
Captain Crunch machine.

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$ $
$ BLUE BOX PLANS! $
$ --------------- $
$ $
$ Edited and Uploaded by: $
$ $
$ $
$$$$$$$->The Spirit Of Radio<-$$$$$$$
$ $
$ Written by: $
$ $
$ Mr. America from Osuny BBS $
$ $
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

This file will explain the construction, troubleshooting,
andadjustmentof a Blue Box.

We all know that the touch tone frequencies are composed of 2
tones (2 different freqs.) so that is the reason why we have 2
VCO's (Voltage Controlled Oscilators). We'll call them VCO#1 and
VCO#2.If you have noticed VCO#1 and VCO#2 are exactly the same
type of circuits. That is why only 1 was drawn. But remember
that whatever goes for VCO#1 also goes for VCO#2. Both VCO'S are
composed of a handfull of parts. One chip, two capacitors,2
resistors and five potentionmeters. All of this will give you
(when properly calibrated) one of the freqencies necessary (the
other one will come fromVCO#2) for the operation of $ the Blue
Box. Both of these freqs. will bemixed in the speaker to form the
required tone.

This is one of the most sophisticated designs I have ever made.
Why? Because other designs will drain the battery after 10 calls.
This design will make them last 10 months!!!!!! But
nevertheless, don'tforget to put in aswitch for on and off. Ok
let's build the two VCO'S andcalibrate the unit before we get to
the keyboard construction.

VCO CONSTRUCTION

TOOLS REQUIRED
1 ocilliscope(optional but not req)
1 Freq. counter (REQUIRED)
1 Volt meter " " "
Electronics tools (Pliers, drll, screwdrivers, etc.)

PARTS

R1 1.5K RESISTOR 5%
R2 1K RESISTOR 5%
C1 .1uf ELECTROLYTIC CAPACITOR 16VDC
C2 .01uf " " (MYLQR) 16VDC
C1 2207 VCO CHIP BY EXAR ELECTRONICS

Remember the above only says VCO#1 but the same is for VCO#2

R3-R4 150 OHM RESISTORS 5% .
C3-C4 .1 uf ELECTROLITIC CAPACITOR .
10VDC .

P1-P10 200K TRIMMER POT - 20 TURNS DIODES USED IN THE KEYBOARD
ARE 1N914 TYPE(40 OF THEM) & 13 SWITCHES FOR THE KEYBOARD SPST
MOMENTARY.

SPKR YOU CAN USE A TELEPHONE SPEAKER FOR THIS (IT WORKS BEST) BUT
REMEMBER TOTAKE OUT THE DIODE THAT IS CONNECTED ACCROSS IT.

IMPORTANT NOTES

1. DO NOT USE ANYTHING ELSE OTHER THAN A MYLAR CAPACITOR FORC2.
2. PINS 10,9,8 SHOULD BE TIED TOGETHER AND BE LEFT FLOATING.
3. ALL RESISTORS SHOULD BE 5%! NOTHING ELSE!
4. A TELEPHONE SPEAKER GIVES THE BEST RESULTS.

TROUBLE SHOOTING

By now you should have constructed the two VCO'S on a bread board
or anything that pleases you. Check for cold solder
joints,broken wires,polarity of the battery, etc. Before we
apply power to the VCO'S we have to adjust the pots for their
half way travel point. This is done by turning them 21 turns to
the right and then 10 turns to the left. Do the same for all ten
of them.

Now apply power to the unit check to see that you have power in
the chips by putting the positive lead of your volt meter on pin
7 andthe negative lead on pin 12. If you do not have anything
there turn off the unit and RECHECK THE WIRING.

When you get the right voltages on the chips, connect a diode to
a piece of wire (look at fig. 2 for the orientation of the diode)
from round to any pot at point T (look carefully at the schematic
for point T it is labeled T1-T10 for all pots). You should be
able to hear a tone, if not disconnect the lead and place the
speaker close to your ear and if you hear a chirp-like sound,
this means that the two VCO'S are working if you don't,
it means that either one or both of the VCO'S are dead. So in
this case it is always good to have an ocilloscope on hand.
Disconnect the speaker from the circuit and hook the ocilliscope
to 1 of the leads of the speaker & the ground from the scope to
the ground of the battery. Connect again the ground lead with the
diode connected to it from ground to any pot on the VCO that you
are checking and you should see a triangle wave if not turn the
pot in which you are applying the ground to until you see it.
When you do see it do the the same for the other VCO to makesure
it is working. (amplitude is about 2VAC). When you get the two
VCO's working you are set for the adjustment of the individual
spots.

ADJUSTMENT

Disconnect the speaker from the circuit and connect a freq.
counter (the positive lead of the counter to one of the speakers
leads that belongs to VCO#1 or connect it to pin 14.

Connect the negative lead to the battery negative and connect the
jumperlead with the diode from ground to pot number 1.T1 (the
first pot number 1 point T1). If you got it working you should
hear a tone and get a reading on the counter. Adjust the pot for
a freq. of 1700hz and continue doing the same for pots 2-5
except that they get different freqs. which are:

: $$$$$$$$$$$$$$ :
: $ $ :
: $ P1 1700hz $ :
: $ P2 1300hz $ :
: $ P3 1100hz $ :
: $ P4 900hz $ :
: $ P5 1500hz $ :
: $ $ :
: $$$$$$$$$$$$$$ :

Now disconnect the freq. counter from the speaker lead of VCO#1
or from pin (which ever you had it attached to at the beginning)
and connect it to the speaker lead of VCO#2 or to pin 14 of VCO#2
and make the same adjustments toP6-10.:

: $$$$$$$$$$$$$$$ :
: $ $ :
: $ P6 1100hz $ :
: $ P7 700hz $ :
: $ P8 900hz $ :
: $ P9 2600hz $ :
: $ P10 1500hz $ :
: $ $ :
: $$$$$$$$$$$$$$$ :

When you finish doing all of the pots go back and re-check
them.

KEYBOARD

IF YOU LOOK AT FIG-2 YOU WILL SEE THAT THE KEYS ARE
SIMPLE SWITCHES. CONNECTED TO A GROUND AND TWO DIODES ON THE
OTHER END. THESE DIODES ARE USED TO SIMPLIFY THE CONSTRUCTION OF
THE KEYBOARD BECAUSE OTHERWISE THE DISTRIBUTION OF THE GROUND
SIGNAL FOR BOTH VCO'S WOULD HAVE BEEN DONE MECHANICALLY. THE
DIODE WILL GO TO VCO#1 AND THE OTHER WILL GO TO VCO#2. FIG-3
SHOWS THE ARRANGEMENT OF THE KEYS ON THE KEYBOARD.

BELOW IS A TABLE THAT WILL HELP YOU CONNECT THE KEYS TO THE
REQUIRED VCO'SPOTS.

<------------------------------------->
< >
< (-FIG 2-) >
< >
<-----!-----!--------!--------!------->
< ! ! ! ! >
< TO ! TO ! FREQ ! FREQ ! KEY >
< POT ! POT ! OUT: ! OUT: ! >
< ON ! ON ! ! ! >
< VCO1! VCO2! ! ! >
<-----!-----!--------!--------!------->
< 1 ! 06 ! 1700hz ! 1100hz ! C >
< 2 ! 10 ! 1300hz ! 1500hz ! 0 >
< 1 ! 10 ! 1700hz ! 1100hz ! E >
< 4 ! 07 ! 0900hz ! 0700hz ! 1 >
< 3 ! 07 ! 1100hz ! 0700hz ! 2 >
< 3 ! 08 ! 1100hz ! 0900hz ! 3 >
< 2 ! 07 ! 1300hz ! 0700hz ! 4 >
< 2 ! 08 ! 1300hz ! 0900hz ! 5 >
< 2 ! 06 ! 1300hz ! 1100hz ! 6 >
< 5 ! 07 ! 1500hz ! 0700hz ! 7 >
< 5 ! 08 ! 1500hz ! 0900hz ! 8 >
< 5 ! 06 ! 1500hz ! 1100hz ! 9 >
< - ! 09 ! ------ ! 2600hz ! X >
< ! ! ! ! >
<------------------------------------->

REMEMBER THAT IN FIG-2 IT'S THE SAME FOR EACH KEY EXCEPT THE "X"
KEY, WHICH ONLY TAKES ONE DIODE.