1
The Official Phreaker's Manual
The Official Phreaker's Manual V1.1
Updated 2/14/87
Compiled, Wordprocessed, and Distributed by:
The Jammer
and
Jack the Ripper
Page 1
The Official Phreaker's Manual
Introduction
What precedes this introduction is what I have termed "The Official
Phreakers Manual", while it may not be. Many times I have been on a BBS, which
has files claiming to have summed up all the ways to phreak in the U.S. and
abroad, well those were pretty lame and a couple pages long. Now after many
relentless hours of work, I have done it. This is an informative file and the
authors of this and the authors from which I have gathered information, take
absolutely NO responsibility and are not liable for, under any circumstances
for damage, direct, indirect, incidental, or consequential.
Warning: Use of this material may shorten your life in the free world!
Ok enough of the bullshit, I readily admit that this is mainly a compilation
of available phreak material and public resources. What I have done is to
gather it all together and edit, compile, check for errors, put in a readable
form, and finally to write what I know without echoing what others have said.
I have set this up that it is good for all levels of phreaks, going from novice
to advanced, and references and tables for easy reference in the back.
This manual is constantly being updated! If you have any contributions or
corrections or comments, please leave messages to me (Jack the Ripper) on any
BBS's I am on (probably where you got it). Thanks!
Page 2
The Official Phreaker's Manual
**********************************************************************
Table of Contents
**********************************************************************
I....... 005 Chapter 1
I.1..... 006 Glossary of Phreaking terms
I.2..... 010 Glossary of Phreaking terms cont.
I.3..... 017 Boxes and Electronic Toll Fraud
I.4..... 020 How to be a Real Phreak
I.5..... 026 Basic Telecommunications I, A Phreaks guide
II...... 031 Chapter 2
II.1.... 033 Secrets of the Little Blue Box. Part 1
II.2.... 041 Secrets of the Little Blue Box. Part 2
II.3.... 050 Secrets of the Little Blue Box. Part 3
II.4.... 058 Secrets of the Little Blue Box. Part 4
II.5.... 062 The History of ESS
II.6.... 064 History of British Phreaking
II.7.... 067 Bad as Shit, an adventure story
III..... 069 Chapter 3
III.1... 070 Phreaking Cosmos
III.2... 072 Cosmos Revamped
III.3... 073 Telenet
III.4... 075 Phreaking AT&T Cards
III.5... 076 AT&T Forgery
III.6... 078 Dealing with Operators
III.7... 079 How to set up a Conference Call
III.8... 081 Fone tapping
III.9... 083 Fone tapping cont.
III.10.. 085 Tracing, how dangerous is it
III.11.. 086 How to avenge yourself
III.12.. 088 Interesting things to do on Step lines
III.13.. 089 Busted, An account of the Private Sector bust
IV...... 092 Chapter 4
IV.1.... 093 Basic Telecommunications II, Special #'s, Loops, Ani
IV.2.... 101 Basic Telecommunications III, Direct Dialing, International
IV.3.... 106 Basic Telecommunications IV, Telefone Hierarchy
IV.4.... 113 Basic Telecommunications V, Subscriber fone electronics
IV.5.... 120 Basic Telecommunications VI, Fortress fones
V....... 123 Chapter 5
V.1..... 124 Basic Telecommunications VII, Blue Boxing
V.2..... 132 Better Homes & Blue Boxing, Part 1
V.3..... 136 Better Homes & Blue Boxing, Part 2
V.4..... 141 Better Homes & Blue Boxing, Part 3
V.5..... 145 More on Blue Boxing by Fred Stienbeck
V.6..... 146 Verification, Remob, etc., Is it possible?
V.7..... 148 Equal Access and the American Dream, Another great article
V.8..... 160 Equal access and Autodialing Modems
V.9..... 161 ISDN, it will change telecommunications for ever
V.10.... 163 ISDN, an article from Proto
V.11.... 165 MCI Services what they are and how they are useful
Page 3
The Official Phreaker's Manual
**********************************************************************
Appendixes
**********************************************************************
Appendix I...... 170 Reference tables and access lists
Appendix I.1.... 171 Country Codes
Appendix I.2.... 173 Country Codes cont.
Appendix I.3.... 176 Country Codes cont.
Appendix I.4.... 181 Max Access ports (Dialups)
Appendix I.5.... 182 Metro Fone Access ports
Appendix I.6.... 183 Area Codes
Appendix I.7.... 185 Tac Dialups around the country
Appendix I.8.... 193 Test numbers around the country
Appendix I.9.... 196 What a TSPS operators console looks like
Appendix II..... 197 Box plans
Appendix II.1... 198 How to make an Infinity transmitter
Appendix II.2... 203 How to make a silver box
204 Protection Page
Page 4
The Official Phreaker's Manual
Chapter 1
Ok this chapter will cover the basic vocabulary of phreaking, it is a fairly
long list, though not totally complete. After the vocab, will be some of the
general rules for phreaking. Most of the rules are protection from the police
and AT&T, but others are grammatical rules. These are not as important to your
freedom, but many a phreak will think you are a twelve year old if you start
talking like, "Hey dudz!^$(&, just got the latest warez! trade u for some
soft/docs. Checkul8r". Well you get the point, here's your vocab list...
Page 5
The Official Phreaker's Manual
......................................................................
......................................................................
. The Bell Glossary - ..
. by ..
. /Xarvin ..
......................................................................
......................................................................
ACD: Automatic Call Distributor - A system that automatically distributes calls
to operator pools (providing services such as intercept and directory
assistance), to airline ticket agents, etc.
Administration: The tasks of record-keeping, monitoring, rearranging,
prediction need for growth, etc.
AIS: Automatic Intercept System - A system employing an audio-response unit
under control of a processor to automatically provide pertinent info to callers
routed to intercept.
Alert: To indicate the existence of an incoming call, (ringing).
ANI: Automatic Number Identification - Often pronounced "Annie," a facility for
automatically identify the number of the calling party for charging purposes.
Appearance: A connection upon a network terminal, as in "the line has two
network appearances."
Attend: The operation of monitoring a line or an incoming trunk for off-hook or
seizure, respectively.
Audible: The subdued "image" of ringing transmitted to the calling party during
ringing; not derived from the actual ringing signal in later systems.
Backbone Route: The route made up of final-group trunks between end offices in
different regional center areas.
BHC: Busy Hour Calls - The number of calls placed in the busy hour.
Blocking: The ratio of unsuccessful to total attempts to use a facility;
expresses as a probability when computed a priority.
Blocking Network: A network that, under certain conditions, may be unable to
form a transmission path from one end of the network to the other. In general,
all networks used within the Bell Systems are of the blocking type.
Blue Box: Equipment used fraudulently to synthesize signals, gaining access to
the toll network for the placement of calls without charge.
BORSCHT Circuit: A name for the line circuit in the central office. It
functions as a mnemonic for the functions that must be performed by the
circuit: Battery, Overvoltage, Ringing, Supervision, Coding, Hybrid, and
Testing.
Busy Signal: (Called-line-busy) An audible signal which, in the Bell System,
comprises 480hz and 620hz interrupted at 60IPM.
Bylink: A special high-speed means used in crossbar equipment for routing calls
Page 6
The Official Phreaker's Manual
incoming from a step-by-step office. Trunks from such offices are often
referred to as "bylink" trunks even when incoming to noncrossbar offices; they
are more properly referred to as "dc incoming trunks." Such high-speed means
are necessary to assure that the first incoming pulse is not lost.
Cable Vault: The point which phone cable enters the Central Office building.
CAMA: Centralized Automatic Message Accounting - Pronounced like Alabama.
CCIS: Common Channel Interoffice Signaling - Signaling information for trunk
connections over a separate, nonspeech data link rather that over the trunks
themselves.
CCITT: International Telegraph and Telephone Consultative Committee- An
International committee that formulates plans and sets standards for
intercountry communication means.
CDO: Community Dial Office - A small usually rural office typically served by
step-by-step equipment.
CO: Central Office - Comprises a switching network and its control and support
equipment. Occasionally improperly used to mean "office code."
Centrex: A service comparable in features to PBX service but implemented with
some (Centrex CU) or all (Centrex CO) of the control in the central office. In
the later case, each station's loop connects to the central office.
Customer Loop: The wire pair connecting a customer's station to the central
office.
DDD: Direct Distance Dialing - Dialing without operator assistance over the
nationwide intertoll network.
Direct Trunk Group: A trunk group that is a direct connection between a given
originating and a given terminating office.
EOTT: End Office Toll Trunking - Trunking between end offices in different toll
center areas.
ESB: Emergency Service Bureau - A centralized agency to which 911 "universal"
emergency calls are routed.
ESS: Electronic Switching System - A generic term used to identify as a class,
stored-program switching systems such as the Bell System's No.1 No.2, No.3,
No.4, or No.5.
ETS: Electronic Translation Systems - An electronic replacement for the card
translator in 4A Crossbar systems. Makes use of the SPC 1A Processor.
False Start: An aborted dialing attempt.
Fast Busy: (often called reorder) - An audible busy signal interrupted at twice
the rate of the normal busy signal; sent to the originating station to indicate
that the call blocked due to busy equipment.
Final Trunk Group: The trunk group to which calls are routed when available
high-usage trunks overflow; these groups generally "home" on an office next
highest in the hierarchy.
Page 7
The Official Phreaker's Manual
Full Group: A trunk group that does not permit rerouting off-contingent foreign
traffic; there are seven such offices.
Glare: The situation that occurs when a two-way trunk is seized more or less
simultaneously at both ends.
High Usage Trunk Group: The appellation for a trunk group that has alternate
routes via other similar groups, and ultimately via a final trunk group to a
higher ranking office.
Intercept: The agency (usually an operator) to which calls are routed when made
to a line recently removed from a service, or in some other category requiring
another station, such as an Emergence Interrupt.
Junctor: A wire or circuit connection between networks in the same office. The
functional equivalent to an intraoffice trunk.
MF: Multifrequency - The method of signaling over a trunk making use of the
simultaneous application of two out of six possible frequencies.
NPA: Numbering Plan Area.
ONI: Operator Number Identification - The use of an operator in a CAMA office
to verbally obtain the calling number of a call originating in an office not
equipped with ANI.
PBX: Private Branch Exchange - (PABX: Private Automatic Branch Exchange) An
telephone office serving a private customer, Typically , access to the outside
telephone network is provided.
Permanent Signal: A sustained off-hook condition without activity (no dialing
or ringing or completed connection); such a condition tends to tie up
equipment, especially in earlier systems. Usually accidental, but sometimes
used intentionally by customers in high-crime-rate areas to thwart off
burglars.
POTS: Plain Old Telephone Service - Basic service with no extra "frills".
ROTL: Remote Office Test Line - A means for remotely testing trunks.
RTA: Remote Trunk Arrangement - An extension to the TSPS system permitting its
services to be provided up to 200 miles from the TSPS site.
SF: Single Frequency. A signaling method for trunks: 2600hz is impressed upon
idle trunks.
Supervise: To monitor the status of a call.
SxS: (Step-by-Step or Strowger switch) - An electromechanical office type
utilizing a gross-motion stepping switch as a combination network and
distributed control.
Talkoff: The phenomenon of accidental synthesis of a machine-intelligible
Page 8
The Official Phreaker's Manual
signal by human voice causing an unintended response. "whistling a tone".
Trunk: A path between central offices; in general 2-wire for interlocal, 4-wire
for intertoll.
TSPS: Traffic Service Position System - A system that provides, under stored-
program control, efficient operator assistance for toll calls. It does not
switch the customer, but provides a bridge connection to the operator.
X-bar: (Crossbar) - An electromechanical office type utilizing a "fine-motion"
coordinate switch and a multiplicity of central controls (called markers).
There are four varieties:
No.1 Crossbar: Used in large urban office application; (1938)
No 3 Crossbar: A small system started in (1974).
No.4A/4M Crossbar: A 4-wire toll machine; (1943).
No.5 Crossbar: A machine originally intended for relatively small
suburban applications; (1948)
Crossbar Tandem: A machine used for interlocal office switching.
Page 9
The Official Phreaker's Manual
============================================================
_ _ _______
| X/ | / _____/
|_||_|etal / /hop
__________/ /
/___________/
(314) 432-0756
Proudly Presents
The MCI Telecommunications Glossary
Part I Volume I (A - D)
Typed by Knight Lightning
============================================================
- A -
A & B LEADS: Designation of leads derived from the midpoints of the two 2-wire
pairs comprising a 4-wire circuit.
ABBREVIATED DIALING: The ability of a telephone user to reach frequently called
numbers by using less than seven digits. Synonym: Speed Dialing
ACCESS CHARGE: A fee paid for the use of local lines.
ACCESS CODE: A digit or number of digits required to be connected to a private
line arranged for dial access.
ACCESS LINE: A telephone circuit which connects a customer location to a
network switching center.
AIRLINE MILEAGE: Calculated point-to-point mileage between terminal
facilities.
ALL TRUNKS BUSY (ATB): A single tone interrupted at a 120 ipm (impulses per
minute) rate to indicate all lines or trunks in a routing group are busy.
ALTERNATE ROUTE: A secondary communications path used to reach a destination if
the primary path is unavailable.
ALTERNATE USE: The ability to switch communications facilities from one type of
service to another, i.e., voice to data, etc.
ALTERNATE VOICE DATA (AVD): A single transmission facility which can be used
for either voice or data.
AMERICAN STANDARD CODE
FOR INFORMATION INTERCHANGE
(ASCII): An 8 level code developed for the interchange of information between
data processing and communications systems.
ANALOG SIGNAL: A signal in the form of a continuous varying physical quantity,
e.g., voltage which reflects variations in some quantity, e.g., loudness in the
human voice.
Page 10
The Official Phreaker's Manual
ANNUNICATOR: An audible intercept device that states the condition or
restrictions associated with circuits or procedures.
ANSWER BACK: An electrical and/or visual indication to the calling or sending
end that the called or received station is on the line.
ANSWER SUPERVISION: An off-hook signal transmitted toward the calling end of a
switched connection when the called party answers.
AREA CODE: Synonym: Numbering Plan Area (NPA). A three digit number identifying
more than 150 geographic areas of the United States and Canada which permits
direct distance dialing on the telephone system. A similar global numbering
plan has been established for international subscriber dialing.
ATTENDANT POSITION: A telephone switchboard operator's position. It provides
either automatic (cordless) or manual (plug and jack) operator controls for
incoming and/or outgoing telephone calls.
ATTENUATION: A general term used to denote the decrease in power between that
transmitted and that received due to loss through equipment, lines, or other
transmission devices. It is usually expressed as a ration in db (decibel).
(B) ENTRANCE INTO THE DDD TOLL NETWORK MAY BE EFFECTED BY A PRETEXT CALL TO ANY
OTHER TOLL-FREE # SUCH AS UNIVERSAL DIRECTORY ASSISTANCE (555-1212) OR ANY # IN
THE INWATS NETWORK, EITHER INTER-STATE OR INTRA-STATE, WORKING OR NON-WORKING.
(C) ENTRANCE INTO THE DDD TOLL NETWORK MAY ALSO BE IN THE FORM OF "SHORT HAUL"
CALLING. A "SHORT HAUL" CALL IS A CALL TO ANY # WHICH WILL RESULT IN A LESSER
AMOUNT OF TOLL CHARGES THAN THE CHARGES FOR THE CALL TO BE COMPLETED BY THE
BLUE BOX. FOR EXAMPLE, A CALL TO BIRMINGHAM FROM ATLANTA MAY COST $.80 FOR THE
FIRST 3 MINUTES WHILE A CALL FROM ATLANTA TO LOS ANGELES IS $1.85 FOR 3
MINUTES. THUS, A SHORT HAUL, 3-MINUTE CALL TO BIRMINGHAM FROM ATLANTA, SWITCHED
BY USE OF A BLUE BOX TO LOS ANGELES, WOULD RESULT IN A NET FRAUD OF $2.65 FOR A
3 MINUTE CALL.
(D) A BLUE BOX MAY BE WIRED INTO THE TELEPHONE LINE OR ACOUSTICALLY CONNECTED
TO THE HANDSET. THE BLUE BOX MAY EVEN BE BUILT INSIDE A REGULAR TOUCH-TONE
PHONE, USING THE PHONE'S PUSH BUTTONS FOR THE BLUE BOX'S SIGNALLING TONES.
(E) A MAGNETIC TAPE RECORDING MAY BE USED TO RECORD THE BLUE BOX TONES
REPRESENTATIVE OF SPECIFIC PHONE #'S. SUCH A TAPE RECORDING COULD BE USED IN
LIEU OF
A BLUE BOX TO FRAUDULENTLY PLACE CALLS TO THE PHONE #'S RECORDED ON THE
MAGNETIC TAPE.
ALL BLUE BOXES, EXCEPT "DIAL PULSE" OR "ROTARY SF" BLUE BOXES, MUST HAVE
THE FOLLOWING 4 COMMON OPERATING CAPABILITIES:
(A) IT MUST HAVE SIGNALLING CAPABILITY IN THE FORM OF A 2600HZ TONE. THE TONE
IS USED BY THE TOLL NETWORK TO INDICATE, EITHER BY ITS PRESENCE OR ITS ABSENCE,
AN "ON HOOK" (IDLE) OR "OFF HOOK" (BUSY) CONDITION OF THE TRUNK.
(B) THE BLUE BOX MUST HAVE A "KP" TONES THAT UNLOCKS OR READIES THE
MULTI-FREQUENCY RECEIVER AT THE CALLED END TO RECEIVE THE TONES CORRESPONDING
TO THE CALLED PHONE #.
Page 18
The Official Phreaker's Manual
(C) THE TYPICAL BLUE BOX MUST BE ABLE TO EMIT MF TONES WHICH ARE USED TO
TRANSMIT PHONE #'S OVER THE TOLL NETWORK. EACH DIGIT OF A PHONE # IS
REPRESENTED BY A COMBINATION OF 2 TONES. FOR EXAMPLE, THE DIGIT 2 IS X-MITTED
BY A COMBINATION OF 700HZ AND 1100HZ.
(D) THE BLUE BOX MUST HAVE AN "ST" KEY WHICH CONSISTS OF A COMBINATION OF 2
TONES THAT TELL THE EQUIPMENT AT THE CALLED END THAT ALL DIGITS HAVE BEEN SENT
AND THAT THE EQUIPMENT SHOULD START SWITCHING THE CALL TO THE CALLED NUMBER.
THE "DIAL PULSER" OR "ROTARY SF" BLUE BOX REQUIRES ONLY A DIAL WITH A
SIGNALLING CAPABILITY TO PRODUCE A 2600HZ TONE.
*BLACK BOX*
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
THIS ETF DEVICE IS SO-NAMED BECAUSE OF THE COLOR OF THE FIRST ONE FOUND.
IT VARIES IN SIZE AND USUALLY HAS ONE OR TWO SWITCHES OR BUTTONS. ATTACHED TO
THE TELEPHONE LINE OF A CALLED PARTY, THE BLACK BOX PROVIDES TOLL-FREE CALLING
*TO* THAT PARTY'S LINE. A BLACK BOX USER INFORMS OTHER PERSONS BEFOREHAND THAT
THEY WILL NOT BE CHARGED FOR ANY CALL PLACED TO HIM. THE USER THEN OPERATES THE
DEVICE CAUSING A "NON-CHARGE" CONDITION ("NO ANSWER" OR "DISCONNECT") TO BE
RECORDED ON THE TELEPHONE COMPANY'S BILLING EQUIPMENT. A BLACK BOX IS
RELATIVELY SIMPLE TO CONSTRUCT AND IS MUCH LESS SOPHISTICATED THAN A BLUE BOX.
*CHEESE BOX*
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
ITS DESIGN MAY BE CRUDE OR VERY SOPHISTICATED. ITS SIZE VARIES; ONE WAS FOUND
THE SIZE OF A HALF-DOLLAR. A CHEESE BOX IS USED MOST OFTEN BY BOOKMAKERS OR
BETTERS TO PLACE WAGERS WITHOUT DETECTION FROM A REMOTE LOCATION. THE DEVICE
INTER-CONNECTS 2 PHONE LINES, EACH HAVING DIFFERENT #'S BUT EACH TERMINATING AT
THE SAME LOCATION. IN EFFECT, THERE ARE 2 PHONES AT THE SAME LOCATION WHICH ARE
LINKED TOGETHER THROUGH A CHEESE BOX. IT IS USUALLY FOUND IN AN UNOCCUPIED
APARTMENT CONNECTED TO A PHONE JACK OR CONNECTING BLOCK. THE BOOKMAKER, AT SOME
REMOTE LOCATION, DIALS ONE OF THE NUMBERS AND STAYS ON THE LINE. VARIOUS
BETTORS DIAL THE OTHER NUMBER BUT ARE AUTOMATICALLY CONNECTED WITH THE
BOOKMAKER BY MEANS OF THE CHEESE BOX INTER-CONNECTION. IF, IN ADDITION TO A
CHEESE BOX, A BLACK BOX IS INCLUDED IN THE ARRANGEMENT, THE COMBINED EQUIPMENT
WOULD PERMIT TOLL-FREE CALLING ON EITHER LINE TO THE OTHER LINE. IF A POLICE
RAID WERE CONDUCTED AT THE TERMINATING POINT OF THE CONVERSATIONS -THE LOCATION
OF THE CHEESE BOX- THERE WOULD BE NO EVIDENCE OF GAMBLING ACTIVITY. THIS DEVICE
IS SOMETIMES DIFFICULT TO IDENTIFY. LAW ENFORCEMENT OFFICIALS HAVE BEEN ADVISED
THAT WHEN UNUSUAL DEVICES ARE FOUND ASSOCIATED WITH TELEPHONE CONNECTIONS THE
PHONE COMPANY SECURITY REPRESENTATIVES SHOULD BE CONTACTED TO ASSIST IN
IDENTIFICATION. (THIS PROBABLY WOULD BE GOOD FOR A BBS , ESPECIALLY WITH THE
BLACK BOX SET UP. AND IF YOU EVER DECIDED TO TAKE THE BOARD DOWN, YOU WOULDN'T
HAVE TO CHANGE YOUR PHONE #. IT ALSO MAKES IT SO YOU YOURSELF CANNOT BE TRACED.
I AM NOT SURE ABOUT CALLING OUT FROM ONE THOUGH)
*RED BOX*
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
THIS DEVICE IT COUPLED ACOUSTICALLY TO THE HANDSET TRANSMITTER OF A
SINGLE-SLOT COIN TELEPHONE. THE DEVICE EMITS SIGNALS IDENTICAL TO THOSE TONES
EMITTED WHEN COINS ARE DEPOSITED. THUS, LOCAL OR TOLL CALLS MAY BE PLACED
WITHOUT THE ACTUAL DEPOSIT OF COINS.
Page 19
The Official Phreaker's Manual
/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
/-/ /-/
/-/ Phreaker's /-/
/-/ PhunHouse /-/
/-/ /-/
/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
/-/ By: /-/
/-/ The Traveler /-/
/-/ /-/
/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
/-/ /-/
/-/ Call: /-/
/-/ Brainstorm BBS /-/
/-/ 612/345-2815 (300/1200) /-/
/-/ /-/
/-/ Little America /-/
/-/ 507/289-8211 (300) /-/
/-/ /-/
/-/ Tell 'em Traveler sent ya /-/
/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
The long awaited prequil to Phreaker's Guide has finally arrived. Conceived
from the boredom and loneliness that could only be derived from: The Traveler!
But now, he has returned in full strength (after a small vacation) and is here
to 'World Premiere' the new files everywhere.
Stay cool. This is the prequil to the first one, so just relax. This is not
made to be an exclusive ultra elite file, so kinda calm down and watch in the
background if you are too cool for it...
/-/ Phreak Dictionary /-/
Here you will find some of the basic but necessary terms that should be known
by any phreak who wants to be respected at all...
Phreak [fr'eek]:1. The action of using mischevious and mostly illegal ways
in order to not pay for some sort of telecommunications bill, order, transfer,
or other service. It often involves usage of highly illegal boxes and machines
in order to defeat the security that is set up to avoid this sort of
happening.
[fr'eaking]. v. 2. A person who uses the above methods of destruction and
chaos in order to make a better life for all. A true phreaker will not not go
against his fellows or narc on people who have ragged on him or do anything
termed to be dishonorable to phreaks.
[fr'eek]. n. 3. A certain code or dialup useful in the action of being a
phreak. (Example: "I hacked a new metro phreak last night.")
Switching System
[Swich'ing sis'tem]: 1. There are 3 main switching systems currently employed
in the US, and a few other systems will be mentioned as background.
A) SxS: This system was invented in 1918 and was employed in over half of the
country until 1978. It is a very basic system that is a general waste of energy
and hard work on the linesman. A good way to identify this is that it requires
a coin in the phone booth before it will give you a dial tone, or that no call
waiting, call forwarding, or any other such service is available. Stands for:
Step by Step
B) XB: This switching system was first employed in 1978 in order to take care
of most of the faults of SxS switching. Not only is it more efficient, but it
Page 20
The Official Phreaker's Manual
also can support different services in various forms. XB1 is Crossbar Version
1. That is very limited and is hard to distinguish from SxS except by direct
view of the wiring involved. Next up was XB4, Crossbar Version 4. With this
system, some of the basic things like DTMF that were not available with SxS can
be accomplished. For the final stroke of XB, XB5 was created. This is a service
that can allow DTMF plus most 800 type services (which were not always
available...) Stands for: Crossbar.
C) ESS: A nightmare in telecom. In vivid color, ESS is a pretty bad thing to
have to stand up to. It is quite simple to identify. Dialing 911 for
emergencies, and ANI [see ANI below] are the most common facets of the dread
system. ESS has the capability to list in a person's caller log what number was
called, how long the call took, and even the status of the conversation (modem
or otherwise.) Since ESS has been employed, which has been very recently, it
has gone through many kinds of revisions. The latest system to date is ESS 11a,
that is employed in Washington D.C. for security reasons. ESS is truly trouble
for any phreak, because it is 'smarter' than the other systems. For instance,
if on your caller log they saw 50 calls to 1-800-421-9438, they would be able
to do a CN/A [see Loopholes below] on your number and determine whether you are
subscribed to that service or not. This makes most calls a hazard, because
although 800 numbers appear to be free, they are recorded on your caller log
and then right before you receive your bill it deletes the billings for them.
But before that they are open to inspection, which is one reason why extended
use of any code is dangerous under ESS. Some of the boxes [see Boxing below]
are unable to function in ESS. It is generally a menace to the true phreak.
Stands For: Electronic Switching System. because they could appear on a filter
somewhere or maybe it is just nice to know them any ways.
A) SSS: Strowger Switching System. First non-operator system
available.
B) WES: Western Electronics Switching. Used about 40 years ago
with some minor places out west.
Boxing [Boks'-ing]: 1) The use of personally designed boxes that emit or
cancel electronical impulses that allow simpler acting while phreaking. Through
the use of separate boxes, you can accomplish most feats possible with or
without the control of an operator.
2) Some boxes and their functions are listed below. Ones
marked with '*' indicate that they are not operatable in ESS.
*Black Box: Makes it seem to the phone company that the phone was never
picked up.
Blue Box: Emits a 2600hz tone that allows you to do such things as stack
a trunk line, kick the operator off line, and others.
Red Box: Simulates the noise of a quarter, nickel, or dime being
dropped into a payphone.
Cheese Box: Turns your home phone into a pay phone to throw off traces (a
red box is usually needed in order to call out.)
*Clear Box: Gives you a dial tone on some of the old SxS payphones without
putting in a coin.
into phone lines and extract by eavesdropping, or crossing wires, etc.
Purple Box: Makes all calls made out from your house seem to be local
calls.
ANI [ANI]: 1) Automatic Number Identification. A service available on ESS
that allows a phone service [see Dialups below] to record the number that any
certain code was dialed from along with the number that was called and print
Page 21
The Official Phreaker's Manual
both of these on the customer bill. 950 dialups [see Dialups below] are all
designed just to use ANI. Some of the services do not have the proper equipment
to read the ANI impulses yet, but it is impossible to see which is which
without being busted or not busted first.
Dialups
[dy'l'ups]: 1) Any local or 800 extended outlet that allows instant access to
any service such as MCI, Sprint, or AT&T that from there can be used by
handpicking or using a program to reveal other peoples codes which can then be
used moderately until they find out about it and you must switch to another
code (preferably before they find out about it.)
2) Dialups are extremely common on both senses. Some dialups
reveal the company that operates them as soon as you hear the tone. Others are
much harder and some you may never be able to identify. A small list of
dialups:
1-800-421-9438 (5 digit codes)
1-800-547-6754 (6 digit codes)
1-800-345-0008 (6 digit codes)
1-800-734-3478 (6 digit codes)
1-800-222-2255 (5 digit codes)
3) Codes: Codes are very easily accessed procedures when you call
a dialup. They will give you some sort of tone. If the tone does not end in 3
seconds, then punch in the code and immediately following the code, the number
you are dialing but strike the '1' in the beginning out first. If the tone does
end, then punch in the code when the tone ends. Then, it will give you another
tone. Punch in the number you are dialing, or a '9'. If you punch in a '9' and
the tone stops, then you messed up a little. If you punch in a tone and the
tone continues, then simply dial then number you are calling without the '1'.
4) All codes are not universal. The only type that I know of that
is truly universal is Metrophone. Almost every major city has a local Metro
dialup (for Philadelphia, (215)351-0100/0126) and since the codes are
universal, almost every phreak has used them once or twice. They do not employ
ANI in any outlets that I know of, so feel free to check through your books and
call 555-1212 or, as a more devious manor, subscribe yourself. Then, never use
your own code. That way, if they check up on you due to your caller log, they
can usually find out that you are subscribed. Not only that but you could set a
phreak hacker around that area and just let it hack away, since they usually
group them, and, as a bonus, you will have their local dialup.
5) 950's. They seem like a perfectly cool phreakers dream. They
are free from your house, from payphones, from everywhere, and they host all of
the major long distance companies (950-1044 , 950-1077 , 950-1088
, 950-1033 .) Well, they aren't. They were designed for
ANI. That is the point, end of discussion.
A phreak dictionary. If you remember all of the things contained on that file
up there, you may have a better chance of doing whatever it is you do. This
next section is maybe a little more interesting...
Blue Box Plans:
---------------
These are some blue box plans, but first, be warned, there have been 2600hz
tone detectors out on operator trunk lines since XB4. The idea behind it is to
use a 2600hz tone for a few very naughty functions that can really make your
day lighten up. But first, here are the plans, or the heart of the file:
==============================================
700 : 1 : 2 : 4 : 7 : 11 :
900 : + : 3 : 5 : 8 : 12 :
Page 22
The Official Phreaker's Manual
1100 : + : + : 6 : 9 : KP :
1300 : + : + : + : 10 : KP2 :
1500 : + : + : + : + : ST :
: 700 : 900 :1100 :1300 :1500 :
==============================================
Stop! Before you diehard users start piecing those little tone tidbits
together, there is a simpler method. If you have an Apple-Cat with a program
like Cat's Meow IV, then you can generate the necessary tones, the 2600hz tone,
the KP tone, the KP2 tone, and the ST tone through the dial section. So if you
have that I will assume you can boot it up and it works, and I'll do you the
favor of telling you and the other users what to do with the blue box now that
you have somehow constructed it.
The connection to an operator is one of the most well known and used ways of
having fun with your blue box. You simply dial a TSPS (Traffic Service
Positioning Station, or the operator you get when you dial '0') and blow a
2600hz tone through the line. Watch out! Do not dial this direct! After you
have done that, it is quite simple to have fun with it. Blow a KP tone to start
a call, a ST tone to stop it, and a 2600hz tone to hang up. Once you have
connected to it, here are some fun numbers to call with it:
0-700-456-1000 Teleconference (free, because you are the operator!)
(Area code)-101 Toll Switching
(Area code)-121 Local Operator (hehe)
(Area code)-131 Information
(Area code)-141 Rate & Route
(Area code)-181 Coin Refund Operator
(Area code)-11511 Conference operator (when you dial 800-544-6363)
Well, those were the tone matrix controllers for the blue box and some other
helpful stuff to help you to start out with. But those are only the functions
with the operator. There are other k-fun things you can do with it...
More advanced Blue Box Stuff:
Oops. Small mistake up there. I forgot tone lengths. Um, you blow a tone
pair out for up to 1/10 of a second with another 1/10 second for silence
between the digits. KP tones should be sent for 2/10 of a second. One way to
confuse the 2600hz traps is to send pink noise over the channel (for all of you
that have decent BSR equalizers, there is major pink noise in there...)
Using the operator functions is the use of the 'inward' trunk line. That is
working it from the inside. From the 'outward' trunk, you can do such things as
make emergency breakthrough calls, tap into lines, busy all of the lines in any
trunk (called 'stacking'), enable or disable the TSPS's, and for some 4a
systems you can even re-route calls to anywhere.
All right. The one thing that every complete phreak guide should not be
without is blue box plans, since they were once a vital part of phreaking.
Another thing that every complete file needs is a complete listing of all of
the 800 numbers around so you can have some more fun.
/-/ 800 Dialup Listings /-/
1-800-345-0008 (6) 1-800-547-6754 (6)
1-800-245-4890 (4) 1-800-327-9136 (4)
1-800-526-5305 (8) 1-800-858-9000 (3)
1-800-437-9895 (7) 1-800-245-7508 (5)
1-800-343-1844 (4) 1-800-322-1415 (6)
1-800-437-3478 (6) 1-800-325-7222 (6)
Page 23
The Official Phreaker's Manual
All right, set Cat Hacker 1.0 on those numbers and have a fuck of a day. That
is enough with 800 codes, by the time this gets around to you I dunno what
state those codes will be in, but try them all out anyways and see what you
get. On some 800 services now, they have an operator who will answer and ask
you for your code, and then your name. Some will switch back and forth between
voice and tone verification, you can never be quite sure which you will be up
against.
Armed with this knowledge you should be having a pretty good time phreaking
now. But class isn't over yet, there are still a couple important rules that
you should know. If you hear continual clicking on the line, then you should
assume that an operator is messing with something, maybe even listening in on
you. It is a good idea to call someone back when the phone starts doing that.
If you were using a code, use a different code and/or service to call him
back.
A good way to detect if a code has gone bad or not is to listen when the
number has been dialed. If the code is bad you will probably hear the phone
ringing more clearly and more quickly than if you were using a different code.
If someone answers voice to it then you can immediately assume that it is an
operative for whatever company you are using. The famed '311311' code for Metro
is one of those. You would have to be quite stupid to actually respond, because
whoever you ask for the operator will always say 'He's not in right now, can I
have him call you back?' and then they will ask for your name and phone number.
Some of the more sophisticated companies will actually give you a carrier on a
line that is supposed to give you a carrier and then just have garbage flow
across the screen like it would with a bad connection. That is a feeble effort
to make you think that the code is still working and maybe get you to dial
someone's voice... a good test for the carrier trick is to dial a number that
will give you a carrier that you have never dialed with that code before, that
will allow you to determine whether the code is good or not.
For our next section, a lighter look at some of the things that a phreak
should not be without. A vocabulary. A few months ago, it was a quite strange
world for the modem people out there. But now, a phreaker's vocabulary is
essential if you wanna make a good impression on people when you post what you
know about certain subjects.
/-/ Vocabulary /-/
- Do not misspell except certain exceptions:
phone -> fone
freak -> phreak
- Never substitute 'z's for 's's. (i.e. codez -> codes)
- Never leave many characters after a post (i.e. Hey Dudes!#!@#@!#!@)
- NEVER use the 'k' prefix (k-kool, k-rad, k-whatever)
- Do not abbreviate. (I got lotsa wares w/ docs)
- Never substitute '0' for 'o' (r0dent, l0zer).
- Forget about ye old upper case, it looks ruggyish.
All right, that was to relieve the tension of what is being drilled into your
minds at the moment.. now, however, back to the teaching course. Here are some
things you should know about phones and billings for phones, etc.
LATA: Local Access Transference Area. Some people who live in large cities or
areas may be plagued by this problem. For instance, let's say you live in the
215 area code under the 542 prefix (Ambler, Fort Washington). If you went to
dial in a basic Metro code from that area, for instance, 351-0100, that might
not be counted under unlimited local calling because it is out of your LATA.
For some LATA's, you have to dial a '1' without the area code before you can
dial the phone number. That could prove a hassle for us all if you didn't
Page 24
The Official Phreaker's Manual
realize you would be billed for that sort of call. In that way, sometimes, it
is better to be safe than sorry and phreak.
The Caller Log: In ESS regions, for every household around, the phone company
has something on you called a Caller Log. This shows every single number that
you dialed, and things can be arranged so it showed every number that was
calling to you. That's one main disadvantage of ESS, it is mostly computerized
so a number scan could be done like that quite easily. Using a dialup is an
easy way to screw that, and is something worth remembering. Anyways, with the
caller log, they check up and see what you dialed. Hmm... you dialed 15
different 800 numbers that month. Soon they find that you are subscribed to
none of those companies. But that is not the only thing. Most people would
imagine "But wait! 800 numbers don't show up on my phone bill!". To those
people, it is a nice thought, but 800 numbers are picked up on the caller log
until right before they are sent off to you. So they can check right up on you
before they send it away and can note the fact that you fucked up slightly and
called one too many 800 lines.
Right now, after all of that, you should have a pretty good idea of how to grow
up as a good phreak. Follow these guidelines, don't show off, and don't take
unnecessary risks when phreaking or hacking.
File Level:5
/-/ Credits /-/
To The Videosmith- for setting me straight on some shit.
To The Linesman- for telling me to upload it to his AE line.
To Modern Mutant- for making me into a phreaking freak.
To Jack the Nibbler- for the basis of the blue box plans.
By using your new k-koool (hehe) phreaking knowledge, call a couple of these
BBS's around the country:
/---------------------------------X
| Bulletin Board List |
| --------------------- |
| 215/844-8836 |
| 7 Cities of Gold (3/12) 10megs |
| 307/382-4006 |
| Brainstorm BBS (3/12) |
| 612/345-2815 |
| Metal Shop (3/12) |
| 314/432-0756 |
X---------------------------------/
Stay free! And watch out soon for Deep Thought, somewhere in 215, that will be
a nice BBS that Ace of Spades and I will run. You will be the first to find out
about it, trust me...
Later,
The Traveler
Zer0-g
Page 25
The Official Phreaker's Manual
************ >F< |
| | | |
--WHITE WIRE---/ | |
| | |
| RESISTOR |
| | |
| | |
| >RR
