How a Blue Box
Used to Work
by The Cheshire Catalyst
How did the Network work?The telephone network used to use "In-Band signalling". That is, the signals that told the network where to switch a telephone call travelled along the same circuit that the voice call itself travelled on. In the 1940's and 50's, there was never a thought that such a system could be "phreaked", since the electronic equipment to generate the tones was pretty complicated to build, and something "the public" would never get into. Their own invention of the transistor did them in, by making equipment small, cheap, and the province of "experimentors".
How did a Blue Box work?"When you place a telephone call, your Touch-Tone® telephone dial produced Dual Tone, Multi-Frequency (DTMF) tones that control your local switching office to place a telephone call. If you asked your friendly Telephone Operator to place the call for you, her DTMF dial produced a different set of frequencies that directly controled the Long Lines telephone network. The Blue Box duplicated the operator's tones.
900 1 | | 1100 2 3 | | 1300 4 5 6 | A Matrix of the | tones that made up 1500 7 8 9 0 | the Blue Box digits. | 1700 KP ST | | 700 900 1100 1300 1500 |
How was a Blue Box call made?A slightly greater awareness of how the network works is required. First of all, how do you know that a line is clear of a conversation, and available for the next call? If a guy in New York City and his girl friend in L.A. were just sitting on the line breathing at each other, you don't want to interupt the call just because there's nothing on the line. If the parties are so much in love, they will pay for a circuit to exist between them. When the fellow's roomate yells to him that Star Trek is coming on the tube, though, he finally has to clear down the line, and hang up the phone.
When the local office saw the voltage change on the line indicating the fellow hung up, it sent a tone of 2600 Hz (2,600 cycles per second) down the line to indicate the line is now free. The equipment at the other end sees the 2600 Hz tone, and drops it's side of the connection. When the next call comes through, the tone stops, followed by the In-Band Signals (the DTMF tones) telling the switching system where the next call wants to go. Now lets look at how our own intrepid caller used such a magical device as a Bue Box.
First you need a long distance circuit. We pick up our Touch Tone phone, and send Touch Tones (these are DTMF tones, but we need to differentiate them from the ones the network uses, so we'll keep calling these Touch Tones) to our local Incoming Register. In the old days, rotary dials would pulse out one pulse for a digit 1, two pulses for the digit 2, and so on up to ten pulses for the digit 0. You could tie up an Incoming Register for a while with large numbers. With the advent of Touch Tones, it became One Digit - One Pulse! You needed fewer Incoming Registers to handle the same amount of telephone calls. This meant that Touch Tone calls cost less to put through than rotary dialled calls, After 30 years, the "Premium" for Touch tone service was finally removed in many parts of the country (some places may still have these obscene charges, but I haven't kept track).
So now that the Incoming Register has our digits, we being the switching process. We want to dial 303-499-7111, the National Institute of Standards atomic clock in Boulder CO that tells you the absolutely correct time of day (you can also pick this up on shortwave radio for alot cheaper). Ordinarily, the call gets handed off to the Long Lines network, and we're connected to timed receiver that will let us hold the line for 3 minutes before hanging up (if we don't hang up first).
But we've gotten our hands on a Blue box in the riotous days of the late 1960's. First we "get a circuit", by dialling a Toll-free number. 1-800-325-3535 (Sheraton Hotels) was always a favorite, and would get you to a call center in the middle of the country. While the call was ringing, and before an operator answered the phone, the Phreak would put a tone of 2600 Hz on the line by holding the Blue Box up to the mouthpeice of the phone (what old phone people still call "The Transmitter"), and push the special "2600" button. One fellow found that one side of a "bosun's whistle" found free inside a commonly advertised breakfast cereal put out the magic frequency, and has forever been known as "Captain Crunch".
When the equipment down the line "hears" the 2600 Hz tone come down the line at it, it thinks, "Oh - the call must have been discontinued, since I'm hearing the tone that is only sent down a clear line". The equipment abandons the call to the Sheraton Hotel people.
When the phreak lets up on the 2600 button, the equipment thinks, "Oh - the tone has stopped. The other end must be ready to send me signals telling me where the next call goes". Our intrepid phreaker then hits "KP" (Key Pulse), a signal meaning "Here comes your instructions, so open a register!". Then we put in the tones of the number we want: 303 499 7111 followed by "ST" (Start). The "ST" tone means, "I have completed sending you the destination number, now get me there!".
The equipment puts through the call, and when the called party picks up, a signal is sent back to the billing machine in the callers central office which means, "Start your billing timer now". Of course, our local billing machine only knows about the toll-free call to the Sheraton, and so no billing record is generated.
Simple, eh? Well, that was how simple it was to call anywhere in the country. Or rather, anywhere within the North American Numbering Plan of US, Canada, some of Mexico (which later opted out), and many carribean islands and Bermuda. To get outside of North America, it got a little more complicated. You needed to know where the International Gateways were. They were in White Plains NY, Jacksonville FL, Oakland CA, and some other places. I remember you had to grab your Trunk line with 2600, hit KP-181-ST to get to the White Plains Sender, then 44-1 and the 7 digit number for the Tele-Tourist recording in London. I may have that wrong, but it's been a few decades.
How does the Network work now?For one thing, they use what is called "Out Of Band" signalling. The voice path is no longer the way the switching signals are passed from one switching machine to another.
I tend to use the example of a 25 pair cable from New York to Chicago (since phreaks are used to finding such cables in dumpsters behind newly renovated office buildings). When a call is placed, a message from New York goes down "Pair 1" saying "Take my 'Pair 12' and connect me to this number in Los Angelese". the switch in Chicago gets on it's Pair 1 to LA and says, "Take my Pair 23, and connect me to this number in LA". The Chicago switch will patch Pair 12 from New York to Pair 23 to LA.
The LA switch, however, discovers that the line is already engaged, and sends a Busy Indication back up Pair 1 to Chicago, which puts the data message on Pair 1 to New York. The fellow in New York gets a local busy signal telling him that the line in LA is busy. Well, why bother tying up a nationwide voice circuit with that information?
The one time I had access to a Blue Box, the numbes given above were the two phone numbers I called, the WWV Time Signal in Colorado, and the Teletourist recording in London. I also dialed 910-555-1212, the "Directory Assistance" number for the TWX (TeletypeWriter eXchange) teletype network, which was suppossed to be completely seperate from the voice network. I got there with ease, and proved to myself once and for all that the Bell System was lying about that, and that the two networks were tightly woven together... But that's another story. The TWX Network is long dead and buried, and the SAC's (Special Area Codes) that were once the TWX area codes have long been in voice service to the North American Numbering Plan.
This page is http://CheshireCatalyst.Com/bluebox.html
Return to The Cheshire Catalyst's Home Page.
Please E-Mail comments to the Cheshire Catalyst on this article.