Volume 1, Number 2 -- private line -- a journal of inquiry into the telephone system

Table of Contents

General Information
I. Editorial Page
II. Update and Corrections
III. Telco Payphone Basics, Part II
IV. The Coin First Coin Line
V. The Dial Tone First Coin Line
VI. Tip, Ground and Ring Explained
VII. California Cell Fraud Law

----------------------------------------------------

1. General Info on private line: ISSN No. 1077-3487

A. private line is published six times a year by Tom Farley. Copyright (c) 1994. It runs 24 to 28 pages. It's done in black and white.

B. Subscriptions: $24 a year for subscribers in the U.S. $31 to Canada or Mexico. $44 overseas. Mailed first class or equivalent.
(1) Make checks or money orders payable in US funds to private line.
(2) Back issues are five dollars apiece.
(3) A sample is four dollars.
(4) The mailing list is not available to anyone but me.

C. Mailing address: 5150 Fair Oaks Blvd. #101-348, Carmichael, CA 95608

D. e-mail address: privateline@delphi.com

E. Phone numbers: (916) 488-4231 Voice, (916) 978-0810 FAX

F. Submissions: Go for it! Anything semi-technical is strongly encouraged. I don't run any personality pieces. I pay with subscriptions.

G. Ads: Yes, I'm taking electronic related ads. A full page is $75.00, a half page $37.50 and a quarter $18.75. Subscribers get free classified ads of 25 words or less.

------------------------------------------------------------------

The front cover illustration is of a line finder rack for a step by step exchange. The photo is from a 1943 Popular Mechanics Yearbook. The caption reads, "In an automatic telephone exchange many sets of selectors are required, and when a call is made a vacant line must be found automatically. This apparatus finds one within a few seconds."

----------------------------------------------------

I. EDITORIAL PAGE

Sing Ho For The Life of A Zine; On Explaining the Unexplainable; Vegas Bound

Welcome to the second issue of private line.
I hope you enjoy it. The first issue was well received and I am encouraged. I am now sending samples to magazine wholesalers. I may find a nation wide distributor by the October issue. That would lead to more readers, more comments and more information.

Until private line is more reader driven, however, you are stuck with me. And that means fundamentals. I finish the discussion of Telco pay phone basics in this issue. The mystery of ground start is examined as well as the different arrangements of tip, ground and ring. These explanations are my best attempt to make sense out of seemingly nonsensical ideas. They are starting points for a conversation to begin. They are not The Last Word.

I worry terribly, however, about my writing. It seems that I have two poor choices. I can provide a precise answer that is too complicated to understand or a simple one that is too general to be accurate. So, something in the middle is presented instead. People have been very forgiving. They appreciate the effort that it takes to get a discussion going. I appreciate that consideration.

A local scanning article will be featured in the next issue of private line. People always want interesting numbers to call. The problem is that such numbers are often of regional interest only. I will, therefore, describe some ways that everyone can use to search for test numbers, voice mail boxes, governmental telephone system numbers and so on. This article will be done with the help of an Oakland hacker. It will use numbers from the 415, 510, 707 and 916 area codes as examples. People in the Bay Area will be able to use the numbers given, but people everywhere will be able to use the techniques. It will even have some worksheets to help you systematically explore a prefix and an area code.

For now, though, it's off to Def Con II in Las Vegas. A gathering of the clan is taking place in the burning hot desert. It might be a hacker's Woodstock or a recreation of the last scene in The Stand.
I don't know. But I'm going. I can't afford the trip. But I'm going. My car may not make it. But I'm going. Next month and next month's finances will have to take care of themselves. For all the right and wrong reasons, people are now going to Las Vegas. And so am I. I'll tell you what happens.

Thank you,
Tom Farley
Carmichael, California

II. UPDATES AND CORRECTIONS

This update column will be a regular part of private line. Material comes from the last year of Telephony.

The local switch

1. I didn't write much about central office switches in the last issue. I thought others had done a better, more complete job so I spent time writing about CDO's and remotes. There are, however, some new CO switches coming on line. An article in early 1994 stated that NEC was one of only two vendors with a large, ATM based central office switch that is ready to be installed. Fujitsu is apparently the other vendor. They did not state, however, the names of the switches. NYNEX was reported in a later article to be installing Fujitsu's Fetex-150 broadband switch for a field trial. Broadband does mean ATM. Bell South is also playing with the Fetex-150. They are going into North Carolina and soon to Atlanta. But Telephony doesn't state whether the 150 is the switch that was referred to earlier. If NEC or Fujitsu does deliver a CO then they may offer some sort of coin line service.

As I understand it, ATM or asynchronous transmission is a way to handle many kinds of information fairly quickly. Video services, in particular, benefit from ATM. The No. 5ESS, by comparison, is a time division switch. It handles most data files and voice traffic in a faster way than ATM. But it can't handle multi-media or video as well. Read more about ATM in the June IEEE Spectrum. The latest upgrade to the No. 5, by the way, is apparently the 5E9(1), which went to customers in November, 1993. This now provides the so-called National ISDN-2 capabilities.
NYNEX is now able to offer services such as residential voice dialing service and its phonesmart caller ID and call trace. Lovely.

As of April 11, 1994, 72% of NYNEX lines were served by digital switches. Half of the remaining lines will eventually be served by 5ESS's or NT S/DMS SuperNode switches. The company expects its network to be 100% digital by 1998. 18% of its lines, therefore, are still served by electronic or analog switches. That's fairly large considering that NYNEX, the Darth Vader of the baby bells, is so well financed. You can tell by this that smaller markets will have a far higher percentage of older equipment.

2. The Remote Switching System

Current practice calls a digital remote switch a module. These correspond to the CO switch. For example, when you buy a central office switch you get a module to go along with it if you need a remote. An example would be the No. 5A Remote Switching Module to go along with the No. 5ESS. Remote switching modules are also known as RSMs. Siemens Stromberg Carlson also makes a module for its central office EWSD switch. This switch and its attendant remotes have been installed recently in Puerto Rico. An independent Telco named Alltel has also bought an EWSD switch and one remote unit to serve rural Eclectic, Alabama. It might be interesting to call Eclectic sometime to hear the new switch in town, possibly the only one of its kind in America.

I referred to Northern Telecom's DMS-10 as a remote switch and a collection of components. Not exactly. The Digital Matrix Switch-10 is primarily a switch for rural use. Any components that go with it can be thought of as accessories and not a part of the switch itself. I mentioned several times that a low volume of calls makes rural service expensive, along with the higher costs of building and maintaining the local loop. This low volume works against upgrading since revenue is low. A way around the problem is by offering a switch like the DMS-10.
It may generate greater revenue in rural areas by providing services that step by step offices can not. Things such as call forwarding and call waiting. Still, are there that many people that need call waiting in Gabbs, Nevada?

The term Community Dial Office is falling out of favor. CDO's refer to older equipment rather than an operating method. Remotes and modules, though, are still dependent on a larger switch. Even basic terms are being redefined. Pac Bell doesn't refer to central offices anymore. They are, instead, a dial tone producing end office.

3. The subscriber loop network

How expensive rural service can be is demonstrated by a US West (the old Mountain Bell) field trial. 35 miles from Jackson, Wyoming are 40 customers who live near the town of Bondurant. They are now being supplied phone service by satellite. Subscriber lines terminate at two small satellite earth stations which then connect the customer to US West's switching center in Jackson. U.S. West wants to see if this is less expensive than installing fiber or cable out to these homes, many of which have party line service or no service at all. Now, that's expensive.

4. Coin deposit tones

I doubted last issue that operators listened to tones anymore. I speculated that the CO probably listens for the tones instead and sends the amount on a data circuit to the TSPS console. Such nonsense. An attendee of the last San Francisco 2600 meeting gently pointed out the obvious fact that a voice channel exists when you are talking with the operator. Of course. Yes, the amount of money does totalize on the console but you are talking with the operator at the same time. If they hear a bogus tone then they'll do something about it. I don't know what I was thinking of when I wrote that.

5. The GTE RTSS phone

This phone interfaced with many other pieces of equipment.
Somewhere in Kansas wrote in the Summer issue of 2600 that KG and KY prefixed machines were discussed in a Scientific American article with photos a few years ago. I looked in Carl, Uncover, Inspec and Current Contents for it. Nothing. I then looked on the shelves. The last index S.A. published was in 1978. Nothing. The article probably lies, therefore, between 1979 and about 1988. I'll keep looking. AT&T Technology, however, does have an article on STU III. This article came out in 1989 in volume four. The page numbers are 36 to 40. STU III is apparently a crypto product that AT&T makes which can interface with the GTE RTSS. The magazine was missing when I went to check it out. And so it goes.

6. Interesting numbers

The ANAC for parts of 415 has been submitted as 760-7760 and 760-7761. This agrees with the old ANAC list floating about the Internet. 924-0036 may be a loop disconnect number for 415. In 916, 440-1212 gets you a second dial tone. If you dial additional numbers you may get a long distance operator who doesn't identify her company when she comes on the line. 484-0001 is a strange one. No connection is made. I don't think this is a quiet termination test number. I usually hear a connection and then silence with those. This one never makes a connection. Some Pac Bell numbers to modem into in the 916 are 481-0022 and 484-0022. Possibly 481-0078. The third issue of private line will be about local scanning. There will be many, many more numbers.

III. TELCO PAYPHONE BASICS, PART 2

The Subscriber Loop Network

7. We looked at the subscriber loop network briefly in the June issue. As you may recall, the network is made up of all those elements which constitute the local loop. This includes the twisted pairs that run to each phone, the local switch, overhead cable, amplifiers, multiplexers and so on. In other words, all the elements of switching and transmission. Let's look at what I think is the most confusing part of the subscriber loop.

Circuits and the subscriber loop

8. We know that a circuit is a connection with the central office. It carries a call. A circuit exists through the twisted pair or in a channel within a wire to the central office. A circuit can also be a connection between offices, between equipment or within the equipment itself. These circuits may or may not carry a conversation. The word circuit is also used to describe a particular way that the local loop is arranged. I know this sounds confusing. Let's look at three examples of circuits in the subscriber loop.

The ringdown circuit

9. For this example we must turn away from pay phones momentarily to consider a semi-public phone. Some supermarkets in Sacramento have taxi phones installed near their front entrances. Lifting the handset rings the dispatcher at Yellow Cab a few miles away. It keeps ringing until it is answered. This is a ringdown circuit. It is possible that Yellow Cab ran its own wire years ago from each market to their headquarters. But not likely. They would then need to power the line, rent space on utility poles for the wires and maintain the system. That doesn't make sense. What does make sense is having the Telco engineer a solution. This means a relay or circuit board at the central office for the supermarket. The twisted pairs providing cab service are routed by the relay to the headquarters' number. The Telco can probably program a switch to do the same thing today without any hardware.

10. I've heard that some remote places use ringdown circuits. Like isolated ranches. Perhaps. That means, however, that an operator would be signaled whenever someone wanted to make a call. Party line service would be more likely. Party line service is not the same as ringdown. There is no dial with ringdown. An emergency phone on the street might use a ringdown circuit. It may even use a dedicated line that goes directly to a dispatcher. An elevator phone is another example. It also rings until it is answered.

The field exchange circuit

11. The field exchange circuit or foreign exchange circuit is often used by businesses. It provides a local phone number for distant customers. Let's say I'm a landscape contractor in Davis, California. Half my work comes from Sacramento which is twenty five miles away. My Davis number has a 752 prefix. My Sacramento number, though, starts with a 371. That's an exchange in West Sacramento which is the closest office to the Davis CO. The 371 is a free call for most Sacramento residents. A local call for long distance. I doubt that Telcos use these for pay phones. (1)

Dial long line circuits

12. A dial long line circuit or DLL is often used by pay phones. It enables a coin phone to be placed further from the central office than it might otherwise be. Most phones are located within three miles or so of the CO or its connecting point. That's about the distance that pay phone produced signals start to fade. Picking them up beyond that point is difficult for the central office. It's a matter of resistance. The resistance of the twisted pair increases with length. At about 2.8 miles the telephone circuit builds to around 1300 ohms. That's acceptable. This figure includes the resistance of the phone, the central office equipment and the twisted pair itself. A coin phone at the six or seven mile mark might have to signal through as much as 3500 ohms of resistance. Amperage falls from about 23 milliamperes to 14 milliamps or less. All signals from the payphone become weak. A dial long line for coin service has special equipment which steps up or amplifies these weak signals. It then sends them to the switching equipment at the central office. This is called repeated signaling. (2) This central office solution may be cheaper than installing heavier gauge cable or multiplexing equipment to reach distant customers.

Signaling

13. The telephone system uses many kinds of signals. Direct current signals, acoustical tones and digital signals are all employed.
All three kinds may be used to complete or conduct a call. This variety makes signaling hard to understand. The central office controls Telco pay phones with DC signals. Acoustical tones address a call, signal the coins deposited and perform a number of network functions. Digital signals are indispensable for long distance working. Let's look at DC signals first.

DC signaling in the local loop

14. The simplest form of DC signaling is performed when you take the handset off the switch hook. It's called the off hook signal or the off hook condition or more often just off hook. Lifting the handset causes the switch hook buttons to rise. These cause contacts in the phone to close the circuit with the telephone line. They are normally open. This simple act is a signal. It is electrically based. It tells the CO that a phone has gone off hook and that a dial tone should be returned. Another example is the operator attached signal. It disables a pay phone's key pad by changing the polarity of the coin line from a negative charge to a positive one.

15. A rotary dial also produces DC signals. Some refer to this process as loop disconnect signaling. A rotary dial disconnects and reconnects the current in the telephone line as it speeds in a circle. Five interruptions means the number five. But why use DC signals to begin with? Why not control a pay phone with tones? Why not digital signals? DC signals are used for many reasons:

(a) They're simple. Manipulating a coin line's electrical status seems complicated. But it's easy to do. DC signaling depends on relays to do the work. These are simple, bulletproof mechanisms that work reliably for years;

(b) They're quick. Electricity travels near the speed of light in a circuit without resistance. It's not that fast in the local loop. But it's quick enough. An electrical signal at 60% of that speed is traveling at over 100,000 miles per second. Most pay phones lie within three miles or so of a central office or its connecting point.
DC signals, therefore, act almost instantaneously;

(c) They're cheap. DC signals don't require expensive equipment. Tone signaling requires finely tuned oscillators to send tones and complex circuits to decode them;

(d) They're resistant to fraud. This is a side benefit of DC signaling. It's more difficult to manipulate wires and to generate different voltages than it is to produce tones. Never-the-less, such manipulation is possible. The direct current initial rate signal is simulated by punching a pay phone. Black boxing was an early activity in which physical control of the line was. (3) Direct current signals are treated further later on in this issue.

Tones in general

16. DC signals are used unless there is a good reason not to. Or if it is impractical. Keypads are an example of the former reason. The simple and sturdy method of rotary dialing was replaced by the complicated and expensive method of using touch tones. (4) Touch tones are produced and processed faster than rotary dial pulses. Switching equipment is tied up for less time. Milliseconds are vital to the telephone system because of the hundreds of millions of calls a day. They travel more efficiently over microwave links and they make end to end signaling easier. (5) So, touch tones are replacing DC signaling for addressing a call.

17. Tones are also used where DC signals are impractical. DC signals are not very loud by themselves. They might exist as a click for a second or perhaps a soft hum. None would make, for example, a good dial tone. A pleasant, clearly audible signal is needed. The dial tone, the busy signal and ringback (the central office produced sound that represents a ringing phone) are examples of network call progress tones. These are the common everyday tones that signify the current status of the call. Feedback, in other words, for the calling party.

18. Similarly, an audible coin deposit tone is needed to represent a coin when a call is in progress.
A DC signal might interfere with the call itself since it affects the electrical status of the line. A digital signal requires a modem inside the phone. Telcos don't favor that approach. A deposit tone or a redbox tone is still a good approach even though it interrupts conversation. Let's look briefly at some other signals.

Multi-frequency or MF tones

19. I covered coin deposit tones in detail last issue. There are also some specifics about them later in this issue. ACTS and operators control other parts of coin operation through MF tones. Older offices that don't receive digital signals for coin control use these. Again, the central office controls the payphone with DC signals. The central office is controlled in turn by ACTS or an operator. They use acoustical tones or digital signals to do this.

20. Tones by themselves don't do very much. A dial tone or a busy signal is rather passive. Tones that actually control equipment are different. (6) They are part of a coordinated signaling method or system. You can guess that such signaling systems predated digital working. That's why many analog offices such as step by step and crossbar still use them. MF tones provide automatic number identification or ANI for long distance calls from some of these offices. ANI is essential for billing. It accompanies a call. ANI is put into a digital form at the first properly equipped toll office. Never-the-less, ANI exists in an acoustical form until that time. Creative use of MF may disrupt or alter ANI. In addition, telephone companies use MF tones extensively for internal use. An operator, for example, may address a call to another operator using these tones. Access to inward operators, therefore, is another possibility with home grown MF.

21. Most MF tones in current use are founded on an international agreement called C5. Tones are called codes. Code six stands for the number six, code seven for the number seven and so on.
Numbers are represented by different frequencies than DTMF. Three special control tones are used for different functions. MF signaling depends on special receivers just like DTMF signals. MF, though, works differently than DTMF. Touch tones are sent at a pace that varies from person to person. MF tones are often sent in bursts by a machine. 10 tones may be sent in a little more than a second. DTMF signaling is straightforward. MF, on the other hand, depends on a strict protocol. The KP or key pulse code is sent first. It tells the decoder that tones will follow. The ST or start code indicates that all digits have been sent. This shuts the decoder off. The basic tones are shown on page 29. The chart on this page shows how the same frequencies are used for pay phone control once a call is in progress. Actual working of C5 is beyond the scope of this introduction. (7) If there is enough interest, however, I could devote an entire issue to multifrequency tones. A good understanding of MF seems essential to traveling the world by telephone.

Digital signals

22. Digital signals help the Telco route a call, trace a call and identify a pay phone's location. Among other things. These signals are not directly accessible to hackers like MF tones. That's because digital signals are produced at the switch and not at the pay phone. Access to the switch itself is needed before any modification can begin. (8) In addition, digital signals are put on a different channel than the voice path on which most hacker signaling takes place. Simply blasting modem tones down the line won't do any good. It is this inaccessibility that makes digital signals so frustrating.

Trunks, Circuits and Links

23. A trunk is a communication channel between switching offices or between equipment at a switching office. It may be a single wire but only rarely. It is most often a channel within a wire or cable. A trunk is distinguished from a line which carries traffic between a customer and an office.
Trunks tie offices and equipment together. A subscriber line and a trunk are both transmission lines. The phrase trunk line is correct but redundant. It is always thought of as a trunk first. A line is always thought of as carrying traffic to a local switch. A trunk always passes traffic

24. A trunk may use different signals than a line. Most DC signals can't be used in trunks, for example, because you can't vary the voltage of a particular channel within a trunk. The same current powers all of the channels within the cable. Think of a cable TV line. It may carry fifty channels of programming but you can't vary the voltage on channel 21 and not affect channel 22. The cable has to carry about 60 volts to power the entire line. Different kinds of signals, therefore, may be used between offices than the kinds used between a coin phone and its end office.

25. A trunk forms a circuit. But not all circuits are trunks. A trunk usually carries conversations. A circuit usually doesn't. For example, a no test trunk is used to tell whether a line is busy. It's what the operator uses to break into your call when there is an emergency. (9) It may use a circuit or relay to work but it has always been considered a trunk. By comparison, the Automatic Number Announcement Circuit or ANAC is a circuit between switching equipment at the central office. But that doesn't make it a trunk. It tells you the phone number you are calling from. It does not carry, though, any real voice traffic. I wrote about other circuits later. The field exchange circuit would appear to be a trunk since it connects two switching offices. Perhaps. I think it is best described as a hybrid. It has always been called a circuit but it has all the attributes of a trunk. You'll find people using the word trunk less and less these days.

26. A link has several meanings. A data link is fairly self-descriptive. It can be simple. A private, leased line might carry company data from a field office to headquarters.
It might be complicated. Most of the telephone network uses data links to carry control signals and routing information for calls which run on trunks. On the other hand, a link is also a collection of circuits. The first push-button long distance operator console used a complex of four circuits. They were known collectively as a position link. You'll also hear about A-links, B-links, off links and so on. They are a collection of circuits. Connections by radio to a switch are also called links. As in a microwave link.

Common channel signaling

27. A system that utilizes links, data circuits and trunks together is called common channel signaling. CCS is poorly named. Signaling and conversations are not placed on a common channel. Putting the call on one path and the signals that control the call on another is a part of C6 and C7, the signaling systems that currently handle most calls.

28. C5 controls trunks with tones. These tones are different than MF but the principle is the same: controlling equipment from a distance with the right signal. C5 carries control codes and conversations together. This was standard practice until the digital age. C5 requires a tone decoder for each trunk. An analog office with 100 trunks needs 100 decoders. They are not cheap. C6 and C7 don't need tones to control trunks. Most common channel signaling uses something like Signal Transfer Points or STPs instead. These are routing computers distributed about the network. STPs direct each call to a toll office. Hundreds and hundreds of multiplexed calls are individually managed through these computers.

29. Routing and other features are enabled by the digitally encoded markers that are put on each call. Among other things, these headers identify the origin of a call and its destination. Data bases can be queried automatically while a call is placed. An operator knows that you are calling from a Telco payphone as soon as you are connected to them.
They may even know that you are using an airport pay phone. Automated coin toll service or ACTS, the automated operator you get with a 1+ call, is also made possible by accessing these line information data bases or LIDBs. (10)

30. MF controlled trunks still exist for a great deal of operator traffic and perhaps to as many as twenty five per cent of America's central offices. (11) Many still use single frequency tones like 2600. Such a tone might gain control of the trunk or seize it. Remember, though, you are seizing a particular channel in a cable, not the entire cable. A sweep generator at one end may be one way to test for a MF trunk from a pay phone. (12) These system 5 trunks have to interface with system 6 and 7 at some point for long distance calling. Don't think that remote signaling is impossible because your area has gone digital in the form of 6 and 7. Yes, your call to Ryde, California may be split up when sent from your area but both voice and control signals must be reunited on one path when getting to the analog office. As long as you have a voice path to an old crossbar or step by step you may be in luck. Here is an example of how convoluted this can be.

31. Most common channel signaling methods give you a local busy signal if a distant phone is busy. Let's say that you dial Gabbs, Nevada. CCS races ahead to see if the line is busy before a voice connection is set up. If it is busy then the data link is brought down and your CO is told to generate a busy signal for you to hear. No need to provide a 600 mile path for you to hear a busy signal. The old Bell System method was called CCIS or common channel interoffice signaling. It used 2400 baud modems to pass information back and forth. Specialized modems still send the routing information back and forth. Let's say, though, that the central office in Gabbs isn't equipped to handle system 6 or 7. Like much of the rural west. What then?

32.
It's my understanding that the nearest properly equipped toll office would stand as the interface point. A pay phone call from Gabbs to Sacramento might go something like this: the pay phone would communicate with the central office using DC signals, the CO might communicate with the toll office by tones and the toll office would communicate with the network by digital signals. The STP might send the voice path from the toll office to Reno and then Sacramento. Or maybe to Bakersfield and then back to Sacramento. Depends on the traffic on the net. The STP might be in Fresno. Still, a home brewed tone should be faithfully reproduced over the network to the tone sensitive area you are investigating. To do whatever it may.

References

1. Might it be possible for the skillful hacker to use such a circuit? An older central office that still uses tone signaling for trunks might provide a stepping stone for the telephone enthusiast. A call placed here might attract less attention than an 800 number. I invite comments and speculation.

2. Schillo, Robert F. "A Circuit That Stretches Coin Telephone Service" "Bell Laboratories Record." 51:4 (April 1973) 123

3. Billsf mentions black boxes in "True Colors" 2600, The Hacker Quarterly. 10:3 (Autumn 1993) 11. Black boxing seems impossible today but I am open to hearing about how it could be done. Still, what would be gained if you were successful? A local call? Physical control of a Telco pay phone is either complicated or impossible. They are usually in public view and subject to surveillance by the Telco. It seems that an ordinary subscriber line would be a better choice for reinventing. I have read, though, of people using pay phone lines to carry their local calls by wiring in part of a cordless phone. You would need to be fairly close and willing to be dropped out whenever someone made a call. . .

4. Touch Tones and DTMF stand for the same thing. They are both dual tone multi-frequency signals.
The phrase TOUCH TONES was a trademark of the Bell System. They did pioneering work on tone signaling through Bell Laboratories. Do not confuse them with MF tones. Multi-frequency tones are also dual tones but they are mostly used for internal Telco use.

5. Fike, John L. and George E Friend. "Understanding Telephone Electronics." 2d ed. Carmel, SAMS 1990

6. Most tables describe tones in a confusing way. The dial tone, for example, is a combination of 350 Hz and 440 Hz. Charts state it like this: 350 + 440. You might think that the resultant tone is 790 Hz. Not so. Common sense tells us that two low tones put together will not produce a higher tone. Yet every table I've seen makes it look like an addition problem. I use the ampersand symbol instead. 350 "&" 440. Two tones combined. This is not a minor, pedantic point. It goes to the definition of what a tone is. A single tone is represented by a single sine wave. Two sine waves put together produce a complex sine wave. What then is the frequency? The baffling answer is that it isn't any particular frequency. That's why tables use two tones to describe MF or DTMF signals. I find electroacoustics difficult. What if you combine two radio frequencies together? Couldn't you get a frequency counter to tell you the result? Why can't that be done with audio tones?

7. Billsf "hitchhikers guide to the phone system" 2600 The Hacker Quarterly 9:2 (Summer 1992) 10. Everything written by Billsf is fascinating. This article is about international signaling. It emphasizes MF tones. See also Billsf "True Colors" 2600 The Hacker Quarterly 10:3 (Autumn 1993) 9. More information on the actual working of MF signals. NB: All 2600 back issues are for sale. See any copy of 2600 for details. Or, call their office at (516) 751-2600. Fax line (516) 474-2677.

8. In "A Guide to The 5ESS" 2600, The Hacker Quarterly, Crisp G.RA.S.P details the inner workings of a digital switch and describes ways to program it.
It is a very impressive and advanced article. I understand little of it. Those with a good command of UNIX will fare better.

9. This procedure is called a busy line verification or BLV in the trade. A skillful hacker may drop into conversations as well by using the right tones. Read more about BLVs in Agent Steal's classic article "Central Office Operations" in the Winter, 1990 issue of 2600. It's also available through the Legion of Doom's Technical Journal gopher.

10. The trend is to store more and more information in these data bases. This can enable a company maintaining the data base to provide additional services but it can also lead to more fights among the different Telcos and private carriers over who should get that information and who should pay for it. A completely digital network might be operating in our lifetime but you can bet that it won't be flawlessly implemented because of turf wars. 500 companies provide long distance service according to the FCC report referenced below; competition is a zoo. Local competition when implemented will be like letting open the gates of the zoo. Even with call trace a hacker should be able to get some breathing room by going through as many companies as possible when placing a call.

11. "Semiannual Report on Telephone Trends in Telephone Service," May, 1994. Industry Analysis Division, Federal Communications Commission. Available on the Pac Bell gopher and I think Bell South's. The gophers take out the 34 interesting tables. For them you have to modem to the FCC itself, which maintains the world's worst bulletin board at (202) 632-1361. Good luck . . .

12. Such as, perhaps, the one available through the Edlie Electronics ('Always Something New') catalog for around seventy dollars? The "pocket size" sweep generator perhaps? Model 125B? Write for a catalog: 2700 Hempstead Turnpike, Levittown, L.I. NY 11756-1143. I'm sure your Telco will love you for it.

IV. THE DIAL TONE FIRST COIN LINE

33.
I've made many references to the dial tone first coin line in this two part series. I think I have explained it enough by comparison and contrast. Dial tone first is the operating method for at least 90% of the coin telephones in the United States. One thing I haven't done yet is to explain some of the terms on the dial tone first table.

34. TSPS stands for Traffic Service Position System. It is a grotesque phrase the Bell System coined to describe their operator service. Before 1965 most operators worked at manual switchboards. A long distance board might be called a toll board. The Bell System introduced a push button console in 1965 that eliminated the cords and jacks and automated some parts of coin telephone service. It was quite an accomplishment. They called the new console a traffic service position. That made a little sense because you could argue that an operator did indeed work at a position. Years later the Bell System improved the console but not the name. It was now a system or TSPS. I understand that Northern Telecom or Northern Electric makes a similar product called TOPS for our Canadian friends. These operators must then work at a traffic operator position system? I understand that US West has their own kind of automated console for their operators. In any case, all of these consoles have dozens of buttons and lights to control calls. A display tells them how much money you should deposit for a certain call and then they can watch it ring up or totalize on another display.

35. Wink or multi wink is an important part of computer signaling as well as a method used in the telephone industry. Carefully timed pauses turn a signal in a channel off and on. You can tell by the table that coin phones may be first signaled with this method. It works great for optic fiber trunks since no tones or voltage are required to operate it. It is sort of like flashing the switch hook except that each wink must be the same.
And I doubt you can access this since it is triggered at the TSPS position. That may be hundreds of miles from the central office.

V. THE COIN FIRST COIN LINE

An introduction

36. I wrote in the first issue that coin first pay phones were the standard operating method from the 1920's. Do any remain? I consider coin first a defunct operating system, as dead as panel switching. Deploying 911 throughout the country would be hindered by coin first. There are some interesting details to coin first but I won't describe many because I think it's obsolete.

37. Coin first phones required a deposit before they would operate, although not necessarily a dime. I remember flashing the switch hook after putting in a nickel. That got you a few Pacific Bell numbers. The grace period was also nice. If you dialed a wrong number you could quickly hang up and the pay phone returned your dime. This disappeared in the 916 after dial tone first was introduced. That may have been related, however, to the installation of newer switches and not to a special feature of coin first.

38. There were some problems. The worst was that you needed a coin to call an operator in an emergency. There was no 911 in the early to mid 1970's. Call boxes existed but there was no centralized emergency service. The operator called the right agency when you dialed 0 for help. I remember worrying as a kid about always having change with me. Otherwise, you might find yourself in real trouble and really alone. Another problem was that you couldn't tell if a pay phone was out of order until it took your money. No soothing dial tone to confirm operation. They were dead as a rock without a dime.

39. Some contend that coin first was more susceptible to fraud than dial tone first. I'm not so sure. Blue boxing occurred during the era of coin first. But coin first did not give rise to blue boxing.
Instead, single frequency coin deposit tones, non armored handset cable and less sophisticated totalizers all contributed to make coin first pay phones more susceptible than the current models. Coin first operation is not inherently suspect, even if the implementing hardware at the time was. Single frequency trunks were not a part of coin first but instead were accessed by them.

Ground Start

40. Memories aside, however, coin first did contribute something that's used to this day by every dial tone first Telco pay phone. It's called ground start. Ground start did two things with coin first. It signaled that 1) the pay phone was off hook and 2) that a coin had been deposited. Dial tone first, by comparison, only uses ground start to signal an off hook. Coin first assumes a coin has been deposited since the phone won't operate without one. Dial tone first provides a dial tone to begin with. It needs a related signal called the initial rate test to indicate that a coin has been put in. Let's look at the mysterious sounding ground start.

41. We usually think of grounding as a way to keep people and equipment safe from electrical shock. The issue of grounding for safety, however, is a different matter than using grounding to get a telephone connection going. Consider what happens when a normal or a post pay coin phone goes off hook. Removing the handset causes the switch hook buttons to rise. This closes the tip and ring contacts in the phone set. They are normally open. Current flows into the loop from the central office. The phone starts consuming power like any other electrical appliance. Voltage drops from 48 volts DC to, say, 10 volts DC. This current flow is detected by a line relay at the CO. It signals other equipment to return a dial tone when a strong enough voltage drop is detected. This is loop start. It's named after the twisted pair that forms a loop connection with the CO.

42. Ground start works differently.
With coin first, a relay in the phone grounded the ring wire when a coin was deposited. Current then flowed to the pay phone over the tip wire and into the ground. A dial tone followed shortly thereafter. A little later the ground was removed. This might not make sense at first. We think of electricity as flowing in a loop. We associate circuits with circles. Yet here we have a connection in the local loop in a straight line. No return wire to the CO. But this is the way that telegraphs worked for decades. A conversation can certainly work over one wire. The ground provides the complete path that defines an electrical circuit. Electricity flows to a good ground as easily as water flows downhill. The local loop uses two wires to provide a better sounding call. Not necessarily to provide a complete electrical circuit. A loop is more efficient as far as conducting electricity but you can talk on one wire if you can tolerate some noise. Certainly it is enough to get a connection. But why use this technique for pay phones?

43. Fike and Friend say that "ground start lines are used on loops connecting PBX's to the central office, and in other situations (pay phones) where it is desirable to detect a line that has been selected for use (seizure of the line) instantaneously from either side of the line."(1) Unfortunately, they do not say why it is desirable to so seize a line.

44. I think that coin first used ground start for speed. (NOTE: I'M INCORRECT ON THIS POINT -- SEE THE THIRD ISSUE) It's about getting a dial tone as quickly as possible. That's why it is still used. Ground start ties up equipment less than loop start. I wrote in the first issue that the Bell System chose pre pay operation instead of post pay because of the time it saved its operators. This decision can be traced back to 1906.(2) The simpler post pay was discarded in favor of coin first because an operator had to wait for a customer to deposit coins.
With coin first an initial deposit was already placed by the time an operator handled the call. Switching equipment can also be held up. The Bell System still worried about this 60 years later when they decided to go to dial tone first nationwide. Dial tone first would return them to the kind of delays that they feared at the turn of the century. Here's a cry of woe from the Record in 1969:

"Making modifications to existing equipment is not the only problem. Some additional equipment must also be provided in the central office to convert to dial tone first operation. For example, holding time of crossbar registers and subscriber senders can increase up to 60 percent for each completed coin call with the new service. This is due to the time taken by customers to deposit coins after the register or sender is attached and furnishing dial tone. Moreover, some calls -- those without the correct initial deposit -- will not be completed and will have to be redialed. Registers and senders must therefore be added to compensate for the increased holding time as the office is converted. Similarly, coin calls handled by ESS offices are subject to a 5 to 15 percent increase in processing time. This increase plus longer equipment holding time will result in a decrease in call handling capacity and require more coin control circuits." (3)

45. Boo hoo. It's obvious that holding time was the most important thing to the Bell System. Ground start would continue to be used with DTF since it is the fastest way to set up a connection. Why is it faster? It uses fewer steps. The central office does not have to power the entire loop immediately to provide a dial tone. Let's say the CO is five miles from a pay phone. Five miles of tip wire and five miles of ring wire. Same 48 volts DC under a pressure of perhaps a hundred milliamps. Pay phone goes off hook. CO supplies power on one wire. Current runs to ground. Dial tone right behind it. No waiting for the rest of the loop to power up.
But it can't be that much quicker. It does help with part of the problem. Not much can be done, though, about someone fumbling for a coin. Or a telephone company drumming its fingers.

46. Switches like the 5ESS return a dial tone before we can put the handset to our ear. Ground start, though, was developed in the era of crossbar, panel and step by step. It might have made a difference then. COCOTS certainly aren't bothered with a wait for a dial tone. But these milliseconds and microseconds are of concern to the Telco since they are the local provider of phone service. Several thousand pay phones in a large city could add up to the that the Bell article described. A Telco pay phone now requires a good ground to properly function. Many signals have been developed which utilize grounding. I explain these on page 39.

References

1. Fike, John L. and George E. Friend. "Understanding Telephone Electronics." 2d ed. Carmel, SAMS. 1990 191

2. Fagen, M.D., ed. "A History of Engineering and Science in The Bell System: The Early Years, 1875 -- 1925." New York: Bell Telephone Laboratories, 1975. 156

3. Ruppel, A.E. and G. Spiro 'No Dime Needed' "Bell Laboratories Record" October, 1969 293

VI. TIP, GROUND AND RING EXPLAINED

47. The central office controls Telco pay phones by direct current signals. I discussed why in the basic signaling article. We now look at how DC signals are produced, some terminology about them and a short description of each one.

48. Changing the electrical status of the telephone line produces DC signals. This is done by manipulating the ends, or leads, of the tip and ring wires. That, in turn, is done by relays. These simple, remotely controlled switches are located in the central office and in the pay phone. A coin phone relay can fit on a circuit board. Central office relays are much larger. They may be mounted in racks.

49. Relays work by opening, closing or grounding the tip or ring wire to produce a signal. Opening a circuit breaks the connection.
Closing a wire completes it. Grounding a wire shorts it out. Grounding one wire, however, doesn't necessarily short out the entire circuit with the central office. Current and conversations can still flow over the remaining wire.

50. Depending on the signal needed, tip or ring may be opened, closed or grounded at either the central office or at the pay phone. There are nine ways to manipulate tip, ground and ring. Just a few are used for signaling. But we'll look at all of them for comparison. Here's the list:

1. Tip open and ring open.
2. Tip open and ring closed.
3. Tip open and ring grounded.
4. Tip closed and ring open.
5. Tip closed and ring closed.
6. Tip closed and ring grounded.
7. Tip grounded and ring open.
8. Tip grounded and ring closed.
9. Tip grounded and ring grounded.

1.) Tip open and ring open. On hook. The circuit is open because the handset is on the switch hook. This tells the central office that a particular phone isn't being used.

2.) Tip open and ring closed. -48V DC. Coin first idle. The normal polarity of the now defunct coin first line.

3.) Tip open and ring ground. A dead line or an open circuit. No current flows. Not used for coin line signaling. Automatic testing equipment may remove the coin line from service. (1)

4.) Tip closed and ring open. This common DC signal has many variations:

(a) The initial rate test signal. -48V DC. An important part of dial tone first operation. Tells the CO that a coin has been put in. Depositing a valid coin trips two pay phone relays. One adds a thousand ohms of resistance to the circuit with the central office. The other grounds the circuit itself.(2) Thus, a coin deposit is represented by a grounded circuit with, supposedly, a certain amount of resistance.(3) The CO, possibly tone, opens the ring lead on its own end. Detecting the coin ground over the tip wire causes a central office relay to close the ring side again.
The initial rate signal, therefore, is the action of opening the ring wire to detect the ground. I do not know why it is necessary to disconnect the ring side and not the tip.

(b) The stuck coin test signal. +48V DC. Positive current is applied if a coin relay ground persists. That was described above. If successful, the coin will fall into the coin box, resetting the relay and thus removing the ground. The line returns to normal. Automatic equipment may take the line out of service if the ground persists.

(c) The coin return signal. -130V DC. The coin relay directs coins to the coin return hopper. Why 130 volts? Later crossbar switches used this voltage. Bell Labs may have used it for coin line signaling since many central offices could produce it.

(d) The coin collect signal. +130V DC. The coin relay senses the change from negative to positive current. This directs coins to the coin box. Why doesn't the stuck coin test signal use the same higher voltage? They both use positive current. I don't know. This is difficult to reconcile since the same relay, I think, is being used in both cases.

5.) Tip closed and ring closed. Off hook. Normal operation and dial tone.

6.) Tip closed and ring grounded. Reverse battery. -48V DC. Prompted by the called party going off hook. The first issue discussed reverse battery in detail. This signal may trip a pay phone relay which shorts out the DTMF key pad.

7.) Tip ground and ring open. A dead line. No path for electricity to flow.

8.) Tip ground and ring closed. Current flows on the ring side but the tip side is shorted out. There are a number of variations:

(a) Post pay idle? -48V DC. Normal polarity of the post pay line, according to Reeve, before a call is connected. I'm not sure anymore. Few post pay phones should utilize a grounded circuit.

(b) Dial tone first idle. -48V DC. Normal condition of the line until a valid coin is deposited or a free call is placed.

(c) The operator attached signal. +48 V DC.
ACTS or the operator applies positive voltage to the line. This puts the pay phone into the toll mode. Coin deposits are then totaled automatically by ACTS or they show up on the operator's console.

(d) The operator released signal in dial tone first. -48 V DC. ACTS or the operator removes positive voltage from the line; restores normal negative voltage after a call. Pay phone goes back to local mode and the totalizer resets itself to zero.

(e) +48V DC. The key pad inhibit signal. A coin first signal, similar to the operator attached signal. Disables key pad, perhaps, and resets the pay phone totalizer.

9.) Tip grounded and ring grounded. Dead line.

References

(1) Martin, John T. "Chilton's Guide to Telephone Installation and Repair." Radnor. Chilton Book Company. 1985 140

(2) Detailed in Reeve, Whitman D. "Subscriber Loop Signaling and Transmission Handbook: Analog." New York: Institute of Electrical and Electronics Engineers. IEEE Press. 1992 221

(3) Why such a complicated process? Preventing fraud, perhaps? Adding resistance to the initial rate signal may prevent someone from merely grounding the circuit to get a dial tone. Yet, there are many stories of punching pay phones with a pin or nail to simulate the initial rate test.* NYNEX, in fact, claims millions in damage from punching.** That's why so many transmitters are now sealed. We may conclude then that 1) grounding alone works, despite the resistance that's theoretically required or 2) that the human body itself provides the needed resistance, when the punch is held.

* Micro Surgeon/West Coast Phreaks. "Punching Payphones". 2600, The Hacker Quarterly. 6:3 (Autumn, 1989) 37

** Zorpette, Glenn. "New pay phones hit the street". IEEE Spectrum May, 1990. 30

NB: This issue contains three informative tone tables. Send me a #10 S.A.S.E if you would like a copy of them.

--------------------

VI.
CALIFORNIA CELL FRAUD LAW: PENAL CODE SECTION 502.8

We looked at California Penal Code Section 502.7 in the June issue. It covers conventional toll fraud and theft of phone service by credit card fraud. Cell fraud occupies its own code section. This law imposes much higher fines than Section 502.7. Here is the complete text of the bill along with my comments.

"Section 502.8 Use, possession or manufacture of telecommunication devices with intent to avoid payment; punishment

(a) Any person who uses a telecommunications device is guilty of a misdemeanor."

The penalty for avoiding a charge by using a telecommunication device. That device is broadly defined by subsection (f) below. Cell phones are included. It might also include a wireless radio system (SMR or equivalent) or possibly a personal communicator. A misdemeanor means that you serve less than a year in county jail. This subsection is for the first offense.

"(b) Any person found guilty of violating subdivision (a), who has previously been convicted of the same offense, shall be guilty of a felony, punishable by imprisonment in state prison, a fine of fifty thousand dollars ($50,000), or both."

For those twice convicted of violating Section 502.8. State prison. And fifty thousand dollars! You'll be broke already from legal fees. But talk to a lawyer. Your wages might be attached after serving a term, forcing you to flee to someplace remote and primitive. Like Arkansas?

"(c) Any person who possesses a telecommunications device with intent to sell or offer to sell to another, intending to avoid the payment of any lawful charge for service to the device, is guilty of a misdemeanor punishable by one year in a county jail or imprisonment in state prison or a fine of up to ten thousand dollars ($10,000), or both."

The fine for selling said communication device. Targets the individual. Oddly, there is no specific ban on selling plans for such a beast.
Talk to a lawyer, though, before going into the publishing business in California.

"(d) Any person who possesses 10 or more telecommunications devices with intent to sell or offer to sell to another, intending to avoid payment of any lawful charge for service to the device, is guilty of a felony, punishable by imprisonment in state prison or a fine of up to fifty thousand dollars ($50,000), or both."

Targets the dealer. Having 10 sets off the dogs.

"(e) Any person who manufactures 10 or more telecommunications devices and intends to sell or offer to sell to another, intending to avoid payment of any lawful charge for service to the device, is guilty of a felony, punishable by imprisonment in state prison or a fine of up to fifty thousand dollars ($50,000), or both."

Targets the manufacturer. For comparison, let's consider some other crimes. Your attack dog, Dial Tone, savages a mailman. You get a jail term, perhaps, just like the hacker. But your fine is only a thousand dollars. (C.P.C. Section 399.5) Or, you molest a child. Another thousand dollar fine. (C.P.C. Section 647.6) Abandon your kids? Sure, it's just a couple thousand. (C.P.C. 270). So, Joe Hacker rides the bus for years after his prison term while Lester the Molester drives his Cadillac to the school yard.

"(f) For purposes of this section a telecommunications device is any type of instrument, device, machine or equipment that is designed for or capable of transmitting or receiving wireless communications within the radio spectrum allocated to cellular radio telephony."

Defines a telecommunications device. Bans transmitters and receivers. Ridiculous on its face, except to Mr. DA Man. Makes scanners and even frequency counters illegal. And although the police won't be conducting raids to round up scanners, they could seize them as contraband if so inclined. There is no reasonable expectation of privacy over the air, anyway. Or on a land line. Cordless phone calls are fair game. Cell calls aren't.
This whole section was muscled in by the cellular industry. Instead of making it more difficult to listen, the industry chose to make receivers illegal. But it is legal to listen to Air Force 1, embassy traffic or the Secret Service if you can find the right frequencies. Motorola and others produce many kinds of secure systems for the military and the police. Such technology, however, would raise the price of a cell phone above consumer acceptance. Or so they thought. I see that they are now pitching the more expensive digital cell phones, in part, for greater privacy.

The larger issue is about profits and the control of technology. A possible fine of fifty thousand dollars is a terrible threat. An imposed fine of that amount is a merciless punishment. Monetary penalties for violent crimes are ridiculously low and penalties for hacking are extraordinarily high. I can be fined $10,000 for selling a pirated phone. But if I molest a kid then my fine cannot exceed a thousand dollars. Punishment should fit the crime. It doesn't.

Tom Farley --- privateline@delphi.com
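
Reference 6 in the signaling references earlier in this issue asks what frequency 350 "&" 440 actually is, and why combining radio frequencies seems to behave differently. The Python below is an added example, not part of the original issue: it measures both cases with a Goertzel single-frequency detector and goes one step beyond the text by contrasting addition with multiplication (mixing). The 8000 Hz sample rate, the half second of signal and the equal tone amplitudes are assumptions.

```python
import math

RATE = 8000   # samples per second (assumption: the usual telephony rate)
N = 4000      # half a second, so 90/350/440/790 Hz all fall on exact 2 Hz bins


def sine(freq, amp=1.0):
    """N samples of a single sine wave."""
    return [amp * math.sin(2 * math.pi * freq * i / RATE) for i in range(N)]


def added(f1, f2):
    """Two tones summed at amplitude 0.5 each: what a table means by 350 '+' 440."""
    return [a + b for a, b in zip(sine(f1, 0.5), sine(f2, 0.5))]


def multiplied(f1, f2):
    """Two tones multiplied sample by sample: what a non-linear radio mixer does."""
    return [a * b for a, b in zip(sine(f1), sine(f2))]


def goertzel_power(samples, freq):
    """Goertzel detector: squared amplitude of the component at one frequency."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return power / (len(samples) / 2) ** 2


def spectrum(samples, freqs=(90, 350, 440, 790)):
    """Squared amplitude at the two tones, their difference and their sum."""
    return {f: goertzel_power(samples, f) for f in freqs}


def envelope_error(f1, f2):
    """Largest gap between the summed tones and sin(mean) * cos(half difference)."""
    mean, half_diff = (f1 + f2) / 2, (f2 - f1) / 2
    worst = 0.0
    for i, x in enumerate(added(f1, f2)):
        t = i / RATE
        y = math.sin(2 * math.pi * mean * t) * math.cos(2 * math.pi * half_diff * t)
        worst = max(worst, abs(x - y))
    return worst


if __name__ == "__main__":
    for name, signal in (("added", added(350, 440)),
                         ("multiplied", multiplied(350, 440))):
        print(name, {f: round(p, 3) for f, p in spectrum(signal).items()})
    print("sum vs 395 Hz carrier under a 45 Hz envelope, max error:",
          envelope_error(350, 440))
```

Addition leaves energy only at 350 and 440 Hz, and the waveform is the same as a 395 Hz sine shaped by a 45 Hz envelope, so no single number describes it. Multiplication moves the energy to 90 and 790 Hz, which is the sum and difference behaviour associated with radio mixers.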