True Colors

by BillSF

There still seems to be much confusion on the color coding scheme of various
"Toll Fraud Devices" (TFDs). The mainstream media has confused colors, made many
up, and most important of all, usually failed to properly describe their
operation. There have been many papers posted by "phreaks," which might be
considered the same kind of unintentional (?) disinformation the mainstream has
put out for years. Many of the world's best phreaks are a generation younger
than the "originals" and may simply not know the operation or history or even
the color that was generally agreed upon for a particular device.

The real list of colors is quite short, and their operation may come as a
surprise to many. To set the record straight, here they are:

Black Box

While in electronics it refers to an often complicated subsystem that somebody
else made and whose internal operation is of little concern to the system
designer. To the phone, it is simply a means to reduce the loop current to the
point where it appears the phone is back on the hook. The construction was one
of the easiest ever. Many variations existed, in fact a field phone or old
crank unit with internal battery could be modified to eliminate the loop
current, reducing greatly the chance of being caught! (This is the real "black
box.") A resistor of a value between about 2.2k to 10k was placed in series
with the phone loop. This resistor supplied enough current to power the talk
circuit of a non-electronic phone. A capacitor of about 330nF or so was often
placed in parallel with the resistor to cancel the increase of impedance caused
by the resistor, resulting in increased audio level. In parallel also was a
small toggle switch, labeled "free" (open) and "normal" (closed). In principle
this was all that was really needed! (To allow ordinary people like the parents
of the student in a distant city to use it, some way to very briefly seize the
line was provided: a pushbutton switch, Zener diode, etc.).

Operation was simple phone would ring and be picked up with the above circuit
in. The switch (in the basic device) would be briefly placed to "normal" and
back to "free." This would be long enough to trip the ring off, yet within the
"grace period" of the caller's CO s billing system, then two to five seconds.
Operation of this was possible in North America because administrative billing
requires a "grace period." Older switches had the voice path present during the
ringing, so the caller would hear the "fart ring" and finally North America had
no timeout then on long-distance calls! While possible on some older switches
today, reduced "grace periods" and ring timeouts make it rather impractical. It
is interesting to note that there was a timeout on local call ringing then in
the U.S.A., so "normal" was usually used. A caller could have the recipient use
the device for a quick payphone call and get his dime back. Operator assisted
calls, for obvious reasons, were out of the question!

Red Box

This is a device to simulate the coin signals at payphones in North America,
in some parts of Australia, and perhaps a few other places. In other places
details vary from the following description of the North American system.
COCOTs may also use this system, but it is unlikely. In the first practical pay
phones, a series of bell sounds were used. $0.05 was a single, high-pitched
"ding," a dime two, and a quarter a lowerpitched "gong" sound. In later models a
contact mic in the phone was switched in to allow the operator to hear the
money pass through the phone. This system was much more secure than today's!
Clever tricks were, however, developed to beat it. A recording of the whole
process, a toy xylophone, and even bringing the horn in an adjacent booth were
all used, among others. Carefully scratching the outside of the phone with a
coin or key made a very convincing "coin dropping through" sound. When the
"fortress phones" were introduced in 1970, all this was replaced by a simple
2200 Hz beep. (The original internal tone generating device, a simple one
transistor L/C oscillator based on the early DTMF generator, was housed in a
pinkish red plastic case, probably giving rise to the name "red box.") The
correct timings are one 55-65 mS beep for a nickel, two beeps separated by
55-65 mS silence for a dime, and five 35-40 mS with equal length separations
for a quarter. Only the quarter signal is needed, as "some money" should be put
in to activate the ground function - two 1k resistors to A and B, with the
other sides connected to ground. Later a second tone, 1700 Hz was added to
allow automatic coin collection (ACTS) and later still the option to change the
second tone to 1500 Hz (IPTS) was added, but is rarely used. Selection of this
tone can take place at coin box collection intervals, alternated between
callers, or controlled by the ACTS machine (see green box). Use of the above
parameters in a real red box is probably the safest method of phreaking, since
it forces you to use a coin phone. Use of the modified dialer with the 6.5536
MHz crystal, now very popular in the States, is anything but safe! Do not use!

Yellow Box

Earlier signaling systems use a continuous tone in either direction to indicate
supervision states. Examples are R1, C3, and 1vf systems. A trunk idle has the
tone (2600 Hz in R1) coming from both ends of the circuit. Upon seizing, the
forward tone is removed and the backward tone is removed briefly and put back
on to acknowledge. This tone then remains on until the called phone is
answered. Removal is referred to as  supervision on  or just  suped.  The tone
is put back on (in the proper direction) when either end hangs up. The end that
stays on hears a very short beep ("pliek") since a filter cuts in in a matter
of a few milliseconds, so a disturbing loud, high pitched tone is not heard by
the customer. A  yellow box  simply generates the tone (2600 for R1) and
provides a filter so the user (the person receiving the call) does not hear the
tone. Operation is identical to the "black box," except a tone is used instead
of dropping the loop current. Advantages of this one are DC parameters of the
subscriber loop are normal and it works on modern exchanges and PBXs! Use today
is limited for the same reasons of the "black box" and also because most of
today s signaling systems don't use this method. This same device was sometimes
used to "shine a trunk" and intercept other people's calls. The victim was at
the mercy of the phreak as far as billing went. He could talk to the person
with the tone on or, if the person got huffy, take the tone off and charge him
for the call. Of course the caller was billed for the number dialed (not the
phreak's number)! Taking the tone off and leaving the line silent or playing a
recording of a ring signal could rack a several minute charge for the victim
caller! Another form is worth mentioning because of historical reasons, and
because it can still work today! This is the C5 version. An 800 mS burst of
2400 Hz means supervision on and an 800 mS burst of 2600 means hang-up. Playing
2600 Hz while picking up the phone on an international call will, in effect,
produce the same result of the black box! Since the tone need be only a few
hundred milliseconds or so (not at all critical) no filter is needed and
anybody can quickly learn how to whistle it! The Cap'n Crunch whistle is the
most famous example and this is by far the simplest TFD! Calls placed from the
U.S.A. on C5 circuits (say 80 percent of all IDDD countries) will still work
for at least a three and a half minute chat (assuming cooperation of the called
party) and some will allow you much longer to unlimited time. Calls from
countries where there is no  grace period  (due to message unit billing) will
not work and the ticker will keep on running! Again, as with the "black box,"
operator assistance is out of the question!

Green Box

This is included on the "blue box" for modern systems. These are the signals
the ACTS or operator uses to control a coin phone, if the link does not supply
a complete DC path, and almost none do today! Earlier systems used the lower
call progress  frequencies: 350, 440, 480, and 620 Hz for this purpose. This
system varies from location to location in North America, so, if in numbering
zone one, have someone call, long distance from a payphone (from a real pay
phone, not a COCOT) and put in at least one real coin. You then play long
bursts of each of the 15 tones. At some point the coin will be returned or
collected. Take note of the digit. Have the caller call again and continue on
to find the other signal. In some (many?) cases the coin can only be returned
when the ACTS machine comes on to "collect" overtime. You just have to beat it
out by getting your return signal in before it sends the collect signal! Note:
in some cases this system includes IPTS control, where available. Also note for
the caller: the code 15 ( ST,  1500+1700 Hz) signal does interesting things! It
can push off the ACTS machine and get your call through without  coin deposit
(and not return!) and push off the calling card validation system and/or
operator and get your call through! The exact right time to make this one
second signal is important. COCOTs and some payphones in countries outside
numbering zone one may use similar or completely different methods. Listen to
what you hear while using a phone and be ready to use the programmable modes of
your Demon Dialer! One final note: I've known people who have recorded these
control tones on their answering machine OGM to give callers their coins back
and allow message retrieval at no cost! The above information is phreaking in
the here and now!

Blue Box

Also "phreaking in the here and now." This is perhaps hacking s trickiest art
today! A blue box is any device that produces two-tone multifrequency signals
other than customer dialing signals. MFC (C5 and R1, for example) and R2
forward are blue box "address signals." In-band supervisory signals ("plick
menu") are probably included and are often, but not always, needed. Information
on international and national signaling standards is available in most
university technical libraries. Full details on this device are far beyond the
scope of this article.

Silver Box

The predecessor to the blue box. For signaling systems C2, C3, and 1vf and 2vf
systems, etc. Early versions were a single tone oscillator (C3, 1vf) and a
salvaged rotary telephone dial. It was possible just after the war, first in
Sweden, and later throughout Europe and then to the rest of the world. There
are convincing rumors that phreaking got its start in Sweden in the forties
with this kind of box that used a vacuum tube valve! A slight variation for 2vf
and C2 required switching a resistor or a capacitor for frequency shift pulse
dialing. C4 and some national 2vf used a binary coded signal for faster
working. A somewhat different switching and timing method was required, which
could be mechanical, electromechanical, or electronic on both the part of the
operating company and foon phreak. C4 required the generating of two separate
tones in compound for line signaling in the call buildup process. Two separate
oscillators could be used, but some elegant single tube or transistor L/C
oscillators were developed by Bell Labs for this purpose in the early days. It
is unknown if early phreaks used them! These old systems are still used in
underdeveloped and/or remote areas of the world. Some old PBXs also use this
for "tie-line" (leased line) working.

There are a few boxes the young generation has brought us. The following are
likely to be adopted in Telco/phreak parlance and are therefore presented here:

Silver Box (!)

This is just a 16-button DTMF dialer and has nothing to do with the first real
phreak toy! Available legally at better telephone shops. The A, B, C, and D
buttons are intended to have special control functions for user devices.
However, phone companies use them very secretively to access special tests.

White Box

Just a 12-key dialer box, available everywhere.

Beige Box

Nothing more than a lineman's test set. The original Bell System standard issue
was a color that could be called beige.

And finally, the newest of them all:

Rainbow Box

(Known to the old-timer as the mythical "mighty Wurlitzer.") As the name
implies, it is capable of doing it all in the in-band arena. Can be implemented
properly by the use of a modern DSP (modem) like the Zyxzel and proper
software. Can also be properly implemented on a digital music synthesizer, like
the Yamaha DX series. Personal computers and most "sound cards" can only do a
not too convincing job. All of these are just theoretical possibilities for
thought. The first and still only "true rainbow box" is the Hack-tic
Technologies "Demon Dialer."
Return to $2600 Index