// Practical Phreaking II: Payphones
// Contents: Calling Cards, Operators, Menus, and Access
//
// by The Goatroper
//
// http://www.oldskoolphreak.com

08/31/03

---------------
I. Introduction

OK, phreaks, it's time to get back to basics. This is installment two of
"Practical Phreaking". Last issue we looked at beige boxing, TNIs, and
other building-based techniques. Now, we'll get down to the original roots
of Phreakology and look at the function and methodology of payphone
manipulation. In this issue we'll examine the history of payphone
manipulation, old techniques, current techniques, and speculate on future
access.

-----------
II. History

The history of payphone phreaking is probably one of the most important
parts of phreaking esoteorica. Everyone who's read more than one .txt has
heard of the Blue Box or the Cap'N Crunch whistle, but let me preface the
History with this: Contrary to what you read, what you hear, or what the
Anarchist's Cookbook tells you, BLUE BOXING DOES NOT WORK. Now that that
has been said...

The basic concept behind blue boxing was to trick a payphone into thinking
you had deposited money by using its own tones. When a quarter was inserted
into old payphones, it would play a tone, 2600hz, onto the line. Because
of modern payphone design coin tones are no longer used. There are hundreds
of .txts, guides, FAQs, how-tos, and other sources available that cover the
construction of blue boxes, but don't waste your time, since Radio Shack
phone dialers are not only hideously uncommon, but are no longer able to be
modified in the manner described by said FAQs.

Blue Boxing was developed by Cap'n Crunch and the blind kids, who were
eventualy busted, but not before the knowledge became extremely common.
MaBell was in a panic to stop the barrage of Blue Boxers who were exploiting
their stupidity, and made hundreds of "improvements" to their payphones'
hardware, all of which were eventualy circumvented by enterprising phreaks.
These included muted handsets, hard-wired coin slots, and new tones in some
cases. However, as long as the basic system operated in the same manner,
Blue Boxing was always doable, no matter how the hardware was juggled.

Blue boxing came to a screeching halt with the implementation of the ESS -
Electronic Switching System - in the 90's. It was still sometimes possible to
Blue Box an operator during and for a little while after the switchover, but
it soon became clear that 2600hz was a dead end.

--------------------------------
III. So how do I get free calls?

Just because Blue Boxing is dead doesn't mean you can't get your free calls.
I'm sure that's the only thing some of you are here for, so I'll give that
up right now.

The main ways of getting free calls presently are one: Interstate relay
operators. Depending on the company that maintains the phone you're using,
but if you find the number you're home free. For example, Pacific Bell pay
phones in Southern California use 711. The downside with this is that you
have to talk to the operator, and the call could be recorded - a danger in
and of itself.  Another way is hardware based, and is addressed in "Practical
Phreaking", a hardware phreak using a beige box and the payphone's lines.
This won't work in some (most?) places because of the USOC associated with
the line. The third way is to manipulate the normal operator. There's really
no set way to do this; you're just going to need to experiment. Here's a
sample conversation:

Goatroper dials "0" and listens to the ringing impatiently. On the third
ring -

"AT&T - Thank you." *click, clikclick, chirp*
Operator: "HellomynameisMargarethowmayIhelpyou?"
Goat: "Uh, Hi. I'm here at this payphone, and I put my money in to make a
      call, but I think someone did something to the phone. I mean, the money
      went in and everything, but there's a bunch of crusty blue stuff on the
      number buttons and I can't push them. I was gonna go to the other pay
      phone but my money won't come out. I think there's more blue stuff on
      the lever."
Operator: "Well, I can send you a refund check-"
Goat: "No, I really need to call and all I have are dollar bills. Can you,
      like, connect me or something?"
Operator: "Um, I don't think-"
Goat: "Oh, man, I think I'm late already. Can't you put me through!?"
Operator: "Oh, alright. What's the number?"

Sometimes the operator will be a hardass, but don't despair. Simply hang up
and try again. You'll get a different (and hopefuly nicer) operator.

---------------------
IV. Payphone Secrets

There are a lot of fun things you can do with a payphone besides getting
your phree calls. Besides stealing $.50, you can sometimes access payphone
menus and employee-only codes. On most "regular" payphones, the menu number
is "511". There isn't much you can do on these menus, but sometimes there
are really cool options. On newer payphones, such as some of the newer data
capable phones, certain combinations of numbers will allow access to menu
functions like turning a payphone on or off, locking it, getting free calls,
calling station operators, maintenance record, and all kinds of fun stuff.
It all varies from company to company, model to model, and even location to
location, but some common defaults are:

Five digit:
12345
44444
13579
24242
13133
11127 (acces)


six digit:
123456
444444
272727
135791
162342
101010
111111
999999
111277 (access)


seven digit:
1234567
4444444
1919191
1100110

And many default passwords are a combination of the letters "m" (5), "e"(2),
"n"(5), and "u"(7) with *'s and #'s. (i.e. 52*57, #5257, 52**57, 5*2*5*7,
etc.)

----------------
V. Calling Cards

These are an absolute must for any phreak. Calling cards are a cheap, easy,
safe, and untraceable way to make phone calls. For those of you who have
never used one, they're very simple. You dial a 1-800 number on the card,
enter your card's number, and then enter the destination number. The call is
then charged to the minutes left on your card. A few good brands are "El
Torro" and "GoldCall". When shopping for a card, there are a few things to
look at.

One, cost per minute. Devide the number of minutes on the card by its price.
Two, connection charge. Does it cost a certain number of minutes for using
their 800 number? Try to avoid these as they eat up minutes quickly.
Three, coverage area. Look for a nationwide card. Most are, but too many
times a phreak can find him- or herself with a defunct card.
Four, does long distance cost more per call than local? Cards like this
charge hefty minute penalties for long distance, up to 5 times more minutes
per call.

An average card will give you 100 minutes for 10 dollars with a 2-minute
connection fee and nationwide coverage. A good card will give you 150
minutes for 10 dollars with no connection fee, nationwide coverage, and no
long distance penalties. A GREAT card will give you more than 15 minutes per
dollar with no connection charge and have nationwide coverage with no
penalties. "El Torro" gives 21 minutes per dollar, no connection fee,
nationwide coverage, and is rechargeable by credit card (bad) or in stores
that sell it (good).

By using a calling card, you can call from any phone anonymously, and
they're really a lifesaver when an operator won't cave.

------------
VI. OpDivert

So, you want to call Microsoft Corporate Headquarters or harass an operator
for 35 minutes, but don't want to get caught or have your number recorded...
So you need to make an OpDivert, or Operator Diversion. There are several
ways to do this, and of the two easiest ways only one actualy involves an
operator.

Method one: Dial "0" to get an operator, then bullshit them into dialing a
number for you. This is similar to getting a free call, but this time you
actualy pay, whether at a payphone or from a land line. By having the
operator dial and connect you, the operator's number shows up instead of the
number you're really calling from. Here's a sample conversation:

Goat dials "0" and waits for the operator to come back from lunch.
Operator: "HellothisisStevespeakinghowmayIhelpyou?"
Goat: "Hello, operator. I'm visualy impaired and I need assistance dialing
      this number."
Operator: "No problem. What is the number?"
Goat gives the operator the number. The operator dials it and connects Goat.

This is easy, quick, and foolproof. The other way doesn't involve an
operator, and instead uses those nifty 10-10 numbers.

Simply use a 10-10 number, such as 10-10-220 or 10-10-345 to make a call.
That's it.

Now, these aren't the only ways to OpDivert, but they are the easiest. Other,
more complex opdivert methods are available in any number of Txts and guides
online. The ones I have given should, however, be more than sufficient for
any needs that average and medium phreaks have.

-----------------
VII. Outroduction

Go, now, armed with the most destructive weapon of all: Knowledge. 

With the combined skills in Practical Phreaking and Practical Phreaking II,
you can operate from a home phone or a payphone, and you can build the basic
tools of Phreaking. You can call for free and anonymously, and you can learn
how to deal with operators.

Practice, explore, and learn. 

Catch you later, phreak.

-------------------------------
VIII. Thanks, cranks, and yanks

GREETINGS to DialUp, Kuroishi, LatterBrisk, Optibreth, Travesk, and Cherry Pi

THANKS to dual, OldSkoolPhreak, the RFA crew, and LatterBrisk (you know what
for)