Payphone Extenders: The Access Numbers That Replaced Red Boxing - Part 2
by Royal
Disclaimer: This article is for educational purposes only, and is not to be construed as advice or instructions. All attempts have been made to provide the most accurate information at the time of this writing, however the reliability of this information is not guaranteed. Any unlawful actions taken by the author depicted in this writing occurred over ten years ago. The author does not condone or encourage any illegal activities, such as telecommunications fraud. Any actions inspired by the information in this article are done so at the reader's own risk. The author takes no responsibility for any damages or legal consequences that may result from such actions.
This is Part 2 of a two-part article. If you haven't read Part 1 (41:2), please read that before continuing.
Using the Extenders
Getting back to my story: after I brought my recordings home from the Verizon payphone and identified the tones, I ended up with two extenders - one for domestic calls and one for international. In an earlier section, I mentioned the international extender along with its PIN, but there were additional extenders used by payphones in other Verizon territories. Conversely, the one for domestic calls had no PIN and worked on all Verizon payphones in the U.S.! That number was 1-800-713-6496 and, like the international extender, it played an "A" tone. Placing a call was as simple as dialing a telephone number after that tone, as long as it recognized the Automatic Number Identification (ANI). This is similar to the PIN-less dialing feature on some prepaid phone cards where you can assign the number you're calling from to be recognized to bypass the PIN. It's a nice convenience - what could possibly go wrong?
To use an extender, all you have to do is dial the phone number in the same dialing format that the payphone uses, which you'll figure out when you identify all those tones. If there's no PIN, you can also figure it out by attempting three calls in different dialing formats: two domestic and one international.
First, try dialing an area code and phone number with and without a preceding 1, in the formats NPA-NXX-XXXX and 1-NPA-NXX-XXXX; then, try dialing 011 followed by an international number. You will know which formats and types of calls are accepted based on the ones that go through.
If none of those attempts succeed, the extender has a PIN, which you can obviously get using some of the methods I detailed earlier. Payphones will usually dial the PIN - with or without # at the end - before or after the destination phone number. If you already know the PIN, you can try dialing that and the phone number in all the possible formats to figure out which ones can be used to place calls.
If a payphone uses a Carrier Access Code (CAC), you'll have to use a Beige Box on the line or find a way around the firmware if you want to place a call with it. This is because the firmware restricts 101-XXXX 1+ and 101-XXXX 011+ calls. There are a number of ways to get around restrictions programmed in smart boards; some of them work on extenders, CACs, or both. Let's get into them.
Getting Around Dialing Restrictions
Weeks after I got the extenders from that Verizon payphone, a well-known person in the community left me a voicemail. I recognized his voice immediately - he said a mutual friend gave him my number and he wanted to speak with me, asking me to call him back on his cell phone. We started playing phone tag and, in one of his follow-up messages, he said that he had Verizon's access number for domestic calls, but was also interested in the international extender. I had shared the former with a few select friends, and word sure spread like wildfire! When I finally reached him on the phone, we talked for a little while and I gave him the number and PIN. A few weeks later, I dialed one of the extenders on a Verizon payphone but, instead of the call going through, it played a new voice prompt: "restricted number." It turned out that new security measures had been added to the firmware for all Verizon hybrids to prevent users from dialing the extenders, and the timing was awfully suspicious!
This prompted me to figure out various ways to circumvent the restrictions, some of which involve bypassing the firmware altogether. Payphones and their firmware will vary, and therefore so will your results if you try these methods. The types of smart payphones that each method works on - COCOTs and hybrids - are pointed out below. If a CAC can be used, that will be indicated as well.
Skipping the "1" at the Beginning: If dialing a payphone's extender has been restricted, you can skip the 1 at the beginning and dial the rest of the toll-free number in the format 8YY-NXX-XXXX. If this format is accepted, the payphone will dial the access number in the correct format (1-8YY-NXX-XXXX) to place your call. This method only works on COCOTs.
Dialing "0" Instead of "1" at the Beginning: You can try dialing 0 in place of 1 at the beginning in the format 0-8YY-NXX-XXXX. If this format is accepted, the payphone will dial the extender in the correct format (1-8YY-NXX-XXXX) to place your call. This method only works on COCOTs.
Dialing an Incomplete Sequence of Digits: A payphone with badly programmed firmware may process what it thinks is a free call if you only dial three to seven digits. This allows you to get around dialing restrictions on extenders and CACs, as well as make free calls directly to intra-LATA numbers! To test this method, pick up the phone and dial the first three digits of a phone number or CAC, then wait to see what happens. If it works, the payphone will dial those digits and then unmute the handset's mouthpiece, at which point you can dial the rest of the digits yourself. If you get an error, you can keep trying with more digits until you eventually reach seven, noting any successful attempts. If you're dialing the beginning digits of an intra-LATA number that is outside the local calling area, be sure to dial a 1 first. This method only works on COCOTs.
Waiting for the Other Party to Disconnect: This is an old method of making free calls on payphones that bypasses the firmware. During a call, if you let the other party disconnect on you, the payphone may give you a new dial tone without any restrictions, allowing you to dial a payphone extender, CAC, intra-LATA number, etc. without any interference from the firmware. To begin, make a free call that the payphone allows, such as to a toll-free number, operator, Telecommunications Relay Service (TRS), or speed dial code (*X or *XX code). When the called party - whether it's a human or automated system - answers, you can remain silent and wait until the call ends, or take the necessary action(s)i to get him/her/it to hang up on you. Once the called party disconnects, listen for a new dial tone; if you hear one, go ahead and start dialing to place your call. Some payphones will disable the keypad at this point, in which case you'll have to use a tone dialer or other DTMF device.
If that fails, you can try again by calling the payphone from another phone if it accepts incoming calls, or having another person or automated system do it. Then you can answer the payphone and wait for a dial tone again after the calling party disconnects. This method works on COCOTs and hybrids.
Using a Vertical Service Code: Vertical Service Code (VSC) is a NANPA term for the "star codes" that access telephone features called (Custom) Local Area Signaling Services (CLASS or LASS). It's usually preceded by *, but 11 is also accepted due to rotary phones. If it's provisioned on the payphone line, you can use the VSCs for blocking and unblocking Caller ID - *67 and *82, respectively - to circumvent dialing restrictions, including on payphone extenders and CACs. The DTMF for * is likely filtered out by the smart board; you can try dialing 1167 or 1182, which will hopefully be an unrestricted sequence of digits. If you hear a stutter dial tone, you can finish dialing to place your call without any firmware interference. This method only works on hybrids.
Tapping the "1" Key: If you're using a payphone that allows any of the DTMF to pass through while dialing, quickly tapping one of the keys can trick the firmware into thinking you dialed that additional digit on the line. It's best to do this at the beginning, so start out by picking up the payphone and quickly tapping 1. If you still hear a dial tone, you can dial a payphone extender, CAC, etc. without firmware interference. This works because the smart board recognizes the 1 key, but the tone it generates is too short to be detected at the Central Office. If you're calling a payphone extender, for example, the smart board will think you're dialing 1-1-8YY-NXX-XXXX, which should not be restricted. If tapping 1 breaks the dial tone, hang up and try again. This method only works on hybrids.
Repeatedly Tapping a Key: Repeatedly tapping one of the keys on a payphone can prevent the DTMF from the smart board's modem from reaching the line while a call is being processed, and you can take advantage of this to get unrestricted access to the dial tone. In order for this to work, place a free call that causes the smart board to get a new dial tone, then dial all of the digits from the beginning, rather than continuing from trickled digits. On Verizon hybrids, this worked after dialing 0, which would trigger a dial string or dialing macro to use a dial-around in the 101-XXXX-0 format to route the call to a long distance operator, so try dialing that first. If you take no further action, you should soon hear dialing in the background, likely preceded by a voice prompt such as "Thank you" or "Please wait." Listen carefully to the free call being processed and get familiar with it, particularly when the dialing begins and ends; this will help you with the next step.
When you're ready, place the free call again. Rapidly tap one of the keys just before the modem starts dialing (*, 0, and # are the most likely to work), then stop just after it's done. If your timing was right, you should hear the dial tone, at which point you can dial any sequence of digits, including a payphone extender or CAC, without firmware interference. If your timing was too short or too long, DTMF from the modem or the key you were tapping may have broken the dial tone, in which case you can keep trying until you get it right. You can also try different types of free calls to see if you get better results.
It's easy to understand how this works: you get the dial tone due to none of the modem's DTMF being able to reach the line, and dialing is unrestricted because the firmware thinks the free call has been completed. This method only works on hybrids.
DTMF Injection: You can play DTMF into the handset's mouthpiece to get around dialing restrictions as long as it isn't muted by the payphone when you go off-hook. However, the Gemini System III chassis, which is likely installed in such a payphone, can prevent some or all of the DTMF from reaching the line, and, according to its 1998 product manual, has a feature called "Pocket Dialer Detection" which detects DTMF from the handset and "processes the information as if the DTMF came from the dial." Nevertheless, you can either take advantage of this feature or bypass the tone detection in order to get around firmware restrictions, such as on payphone extenders and CACs.
To bypass tone detection, play a constant DTMF tone before you go off-hook, stopping after the dial tone comes on. If you do this while holding your tone dialer or other DTMF device over the mouthpiece, it will be undetected by the smart board but still signal the Central Office, thus breaking the dial tone. If there are any additional digits to dial, you can do that from the handset or the keypad, and your call should go through without firmware interference since the smart board never detected that first digit. For example, if you want to call a payphone extender, you would play a constant 1 tone into the mouthpiece until the dial tone comes on, then dial the last ten digits - the only ones the smart board will detect - normally, in the format 8YY-NXX-XXXX.
Playing DTMF can have the opposite effect if it's at a lower volume. If you play a tone that is low enough to avoid signaling the Central Office, but still loud enough to be detected by the smart board, it will trick the firmware into thinking you dialed that additional digit on the line. To begin, pick up the handset and hold your tone dialer or other DTMF device at a short distance from the mouthpiece (or up close with the volume lowered if that option is available), then play a 1 tone. If the dial tone is still playing, dial the sequence of digits normally, either from the handset or keypad, to see if your call goes through without firmware interference. If it does, the smart board detected that first tone; if not, you'll need to try again with your DTMF dialer closer to the mouthpiece, or set it at a higher volume. Should the dial tone break following the 1 tone, hang up and try again with your dialer further away or set to a lower volume. For example, if you want to call a payphone extender, you would play a 1 tone into the mouthpiece at a lower volume, then regularly dial all eleven digits in the format 1-8YY-XXXX, resulting in the smart board detecting 1-1-8YY-NXX-XXXX. This method only works on hybrids.
Diverting to the Extender: Diverting calls to another number sometimes results in the calling party's ANI - usually just the Calling Party Number (CPN) - being sent to the called party. This is often the case when calls are forwarded, or go over a toll-free extender or calling card platform. If you have access to something with a toll-free number that can divert your calls, you can use it to call a payphone extender since it's a separate number that is not restricted in the payphone's firmware; just make sure it passes the payphone's CPN (you can check with an Automatic Number Announcement Circuit [ANAC]) or it likely won't work. This method works on COCOTs and hybrids.
Dialing Another Payphone Extender: In some cases, you can dial a different access number than the one a payphone uses, which is unlikely to be restricted in the firmware. It still might let you place calls, even if the extender is provided by a different company or used by another Payphone Service Provider (PSP). This is likely due to ANI/DNIS databases not getting updated as payphones are replaced or go under new ownership with the same phone numbers, as well as single companies verifying the same ANIs across multiple access numbers. For example, I mentioned a small PSP earlier that had many access numbers that could be found by scanning; they all worked on that company's payphones and were provided by the same telecommunications company. You could also use some of those extenders on a lot of Verizon payphones, which probably had the same ANIs as previous payphones installed in those areas. This method works on COCOTs and hybrids.
Beige Boxing the Line: If a payphone's line is exposed, you can bypass the firmware altogether by hooking up your Beige Box. You can dial anything freely from there, but since payphone lines tend to have toll restrictions, you'll likely have to use a payphone extender or CAC. This method works on COCOTs and hybrids.
Spoofing to the Extenders
Now for the best part: you can spoof the ANI of a payphone to an extender to make free calls from anywhere! ANI/Caller ID spoofing has been possible for decades, from the early days of social engineering operators, to using VoiceXML applications, to the now-popular use of VoIP and software PBXs. Regardless of the spoofing method, you specifically need to spoof the CPN in order for this to work, which is usually the type of ANI that is sent on such a call anyway. Once the extender answers with a tone, you can dial the number like you're at the payphone, and there's no firmware to get in your way!
You'll need to find a payphone number to spoof, which can be difficult today. If you come across a payphone, you can find the number displayed somewhere on the front or dial an ANAC to have it read back to you. If you can't find a payphone, you'll have to find the number for one online. You'll get a lot of results from search engines and social media, but there are current and former payphone lists, including Payphone Project (www.payphone-project.com), Payphone Directory (www.payphone-directory.org), and YAPL: Yet Another Payphone List (www.yapl.org). Unbeknownst to the maintainers of these websites, they've enabled free phone calls to be made for years, and the numbers are archived on the Wayback Machine!
You may be thinking that a lot of payphones have been decommissioned and that the numbers that had been assigned to them can no longer be spoofed to extenders. However, the ANI/DNIS databases are usually not updated whenever payphones go out of service, allowing you to spoof old ANIs and still place calls! Whether you find an old number online or displayed on a defunct payphone, it helps to know the PSP with which the number was associated, which in turn can help you determine which extender(s) to use. For example, CityBridge, LLC used the same 1-800 extender on all of its payphones in New York City, but many of them were defective, with the number (and company name) still displayed on them. If you knew the PSP was CityBridge as well as the access number that had been used, you could've spoofed one of those old numbers to the 1-800 extender and likely made a free call.
Anti-spoofing measures, such as STIR/SHAKEN and call analytics, have made ANI/Caller ID spoofing more difficult in recent years. The epidemic of robocalls has made this a high priority, and the battle against these types of calls is likely to continue for many years. That said, it's still possible to spoof to many toll-free numbers, and that presumably includes payphone extenders. Time will tell how long it will take for that to change.
Conclusion
Payphone extenders will soon become a thing of the past. This will likely be due to the service becoming unprofitable as payphones continue to dwindle in numbers. However, I'm glad I was able to share this fragment of phone phreaking history with you before that happens.
Shouts: I-baLL; 0xF; av1d; Lucky225; greyarea; licutis; Doug from Doug TV; WhiteSword; Enamon; vvn; accident; elf; nes; XlogicX; Murd0c; Rucas; Lowtec; TheKid; agent5; ntheory; LamerJoe; gr3p; dropc0de; handler; micro214; Digi-D; Jolly; ic0n; bagel; Cessna; deceit. Additional shouts to: the old SoCal bridge; BinRev forums; Phone Losers of America; Bell's Mind (PBX); Telephreak; Boston 2600 (the old and new meetings). R.I.P. KRT_. You will never be forgotten.