How Pay Phones Really Work (Spring, 1989)
-----------------------------------------

By The Infidel

Fortress phones, aka pay phones, are something that every phreak should have had experience with at least once in their career. Such devices as the red box and the green box also make the fortress a great place to phreak from. In this article, I will try to explain how a pay phone works, and how one can (ab)use it.

Basically, pay phones are not too different from normal phones, requiring all the speech and signaling facilities of ordinary telephones, but, in addition, requiring signals to handle the charge for the call with the money inserted. However, the pay phone itself has undergone some changes through the years.

Some Pay Phone History

In most coin telephones, the stations operate on a pre-pay basis, that is, the coins must be deposited before the call can be completed. A few of the older central offices using step-by-step equipment that had only a few public telephones accepted deposits after completion of the call. This form of operation, post-pay coin service, was chosen usually because of the long distance between the local community dial office and the serving toll switchboard, which often resulted in large costs due to the returning of coins on uncompleted calls.

The older versions of pre-pay phones (the ones made famous by David in War Games), the A-type set, would produce a dial tone only after a coin was deposited. These were also rotary phones. As ESS emerged, with such options as 911 and 411 directory assistance, the need for a dial tone-first phone emerged, the C-type station, which resulted in the dial tone-first rotary phone. With the advent of touch tone, calling cards, and long-distance carriers, pay phones developed into the touch tone, dial tone-first public telephone.
As you may have noticed, the intermediate telephone, the rotary, dial tone-first phone, is very hard to come by these days, obviously due to the increasing demand for the many services now offered by Ma Bell and other companies, which take advantage of the touch-tone service.

Up until 1978, signaling for coin deposits was accomplished by a single-frequency tone, sent in pulses, as they are today. As an Automated Coin Toll Service (ACTS) appeared necessary, to automate the routine functions of TSPS (Traffic Service Position System) operators, there developed a need for improvements in the station to prevent simulation of the coin signals, and therefore, toll fraud. As a result, before the introduction of TSPS/ACTS, all coin sets manufactured after 1977 were then equipped with dual-frequency oscillators. These coin boxes produced the current form of coin signaling, the dual-frequency tone. This resulted in the D-type station, which, due to its power requirements and electronic components, rather than mechanical, could only be used in a dial tone-first environment, and is, therefore, what we see today.

Operation Logic

As noted above, the pay phone is, essentially, the same as a customer-owned telephone, with the main difference being, quite obviously, the presence of the coin box. In the design of the coin box, the following must be considered. The coin box can be very sophisticated, to handle many functions, thus requiring a very simple exchange to just receive all billing information from the phone itself. Or, vice versa, the coin box can be quite simple, and the exchange can be much more complex, to interpret the data from the box needed to place the call and charge a toll for it.

Today's standard Western Electric/AT&T telephone follows the latter, a simpler coin box design. These boxes signal forward to the exchange the value of each coin inserted using tone pulses.
This technique requires Coin and Fee Check (C and FC) equipment in the exchange, ACTS, to carry out the call accounting necessary between the value of the coins inserted and the rate of charging of the call. This arrangement lets you insert coins into the phone at any time during the call, but its main disadvantage is that the speech transmission must be interrupted while the coin value is signaled to the exchange.

Thus, the property of requesting a coin for a call is not in the phone, but in the exchange itself. If you took a pay phone home and hooked it up to your line, it would not request a coin deposit. On the other hand, if you were to tap into a pay phone line and tried to place a call, you would get the familiar coin deposit request message.

What Happens to Your Money?

When you first put your coin in the slot, it is tested for size, weight and material. Size is determined by the size of the slot the coin passes through, as well as the coin chute it slides through in the phone itself. A coin that is too large is not allowed into the phone itself, while one too small just falls through without having accomplished anything. Material is identified by the use of magnetic fields; slugs will be deflected, while coins will not. If the coin is right, it is allowed to hit a sprocket, which, when hit by the coin, spins a certain number of times, determined by its weight. This spinning of the sprocket controls a tone generator within the telephone, which creates the coin deposit tones, which, in turn, the exchange then interprets to determine the amount to credit the customer.

As the pay phone can accept only three different coins, there are three coin signals to identify each one. The signal consists of 1700 Hz and 2200 Hz tones generated together to produce a dual-frequency tone.
The dual tone is more efficient, because it cannot be confused with (or simulated by) human speech, since the human voice can only produce one tone at a time, and is also more difficult to simulate electronically, in an effort to prevent fraud. To identify the value of the coin, the tone is sent to the exchange in pulses.

* Nickel Tone: One 60 millisecond pulse (1700 Hz + 2200 Hz)
* Dime Tone: Two 60 millisecond pulses separated by 60 milliseconds (1700 Hz + 2200 Hz)
* Quarter Tone: Five 35 millisecond pulses separated by 35 milliseconds (1700 Hz + 2200 Hz)

As mentioned earlier, the main problem with this design is that the conversation is interrupted by the insertion of coins, which can be quite annoying on long-distance calls placed at peak hours, when the rates are highest. Yet, since the tones do interrupt the speech transmission, a phreak can send, along with the speech transmission, these same tones, generated artificially by a device known as the red box.

After the coins have been accounted for, they are held in a hopper, which is controlled by a single-coil relay. This relay is controlled by the application of negative or positive DC voltage, depending on whether the coins are to be returned or collected. The line reversal can occur in one of two ways. One way the line reversal can be accomplished is at the phone itself, via the switch-hook. In the on-hook position, the hopper will not allow coins to fall through, and so, they must be released by lifting the handset to cause a line reversal and activate the relay.

The second way in which a line reversal can occur is by remote, from ACTS. ACTS can signal the station to either collect or return the coins. The signals are also in the form of dual-frequency tone bursts. Three signals ACTS can send to the fortress are the Coin Collect, Coin Return, and Ringback. These tones are also known as green box tones.
The frequencies of these tones are as follows:

* Coin Collect: 700 Hz + 1100 Hz (900 ms)
* Coin Return: 1100 Hz + 1700 Hz (900 ms)
* Ringback: 700 Hz + 1700 Hz (900 ms)

The function of the first two should be obvious, but the Ringback may be unclear. When you walk away from a phone after not having deposited money for overtime, the phone rings. That's ACTS. It's not actually "calling" the pay phone, but sending a signal to the station to order it to ring. When you pick up the phone and hear the message, "Please deposit 40 cents," that's also ACTS playing the recording. After you hang up again or don't deposit your change, ACTS signals a TSPS operator, who then breaks in and asks for the money personally, since Telco knows you're definitely not going to put money in a phone just because a machine asks you to. If you've been coerced into handing over your money, it's also ACTS which then thanks you.

Alternate Designs

An alternate telephone design allows for a drastically less complex exchange, while requiring a much more sophisticated coin box. A pay phone equipped with a "pay at any time" box allows for meter pulse signals to be sent from the exchange to the pay phone, with the coin box performing the call accounting. The meter pulses may be signals at 50 Hz, or tones of 12 kHz or 16 kHz, depending on the network. Therefore, the insertion of coins won't interfere with the conversation.

Coins inserted prior to the call being established, and during the call, are held suspended until the control logic within the pay phone (rather than the exchange) determines that they need to be collected. Coins remaining in suspension are returned to the user when the pay phone goes on-hook. When no more coins are held in credit and the next meter pulse is received, the pay phone requests coin insertion and then clears the call after the designated grace period has elapsed.
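
The coin-box call accounting described above, as an added example that is not part of the original article: a small Python model of a "pay at any time" box driven by meter pulses. The 10-cent charge per pulse, the three-tick grace period, the oldest-coin-first collection order and the event names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

UNIT_COST = 10     # cents charged per meter pulse (assumed tariff)
GRACE_TICKS = 3    # clock ticks allowed after a coin request (assumed)
COINS = (5, 10, 25)

@dataclass
class CoinBox:
    suspended: List[int] = field(default_factory=list)  # held, not yet collected
    credit: int = 0                    # unspent value of collected coins
    collected: int = 0                 # total dropped into the cash box
    owed: int = 0                      # meter pulses not yet paid for
    grace_left: Optional[int] = None   # None: no coin request outstanding
    call_up: bool = True
    log: List[str] = field(default_factory=list)

    def insert(self, value: int) -> None:
        """A coin passed the validator: hold it in suspension."""
        if value not in COINS:
            raise ValueError("coin rejected")
        self.suspended.append(value)
        self._settle()

    def meter_pulse(self) -> None:
        """The exchange signals one charge unit."""
        if self.call_up:
            self.owed += 1
            self._settle()

    def tick(self) -> None:
        """One clock tick; the call is cleared when the grace period ends."""
        if self.call_up and self.grace_left is not None:
            self.grace_left -= 1
            if self.grace_left == 0:
                self.call_up = False
                self.log.append("call cleared")

    def on_hook(self) -> dict:
        """Suspended coins go back to the user; unspent collected credit is lost."""
        result = {"returned": sum(self.suspended),
                  "collected": self.collected, "lost": self.credit}
        self.suspended.clear()
        self.credit = 0
        self.call_up = False
        return result

    def _settle(self) -> None:
        while self.owed and self.call_up:
            # Collect held coins oldest-first (assumed) until the pulse is covered.
            while self.credit < UNIT_COST and self.suspended:
                coin = self.suspended.pop(0)
                self.credit += coin
                self.collected += coin
            if self.credit < UNIT_COST:
                if self.grace_left is None:      # ask once, then start the timer
                    self.grace_left = GRACE_TICKS
                    self.log.append("insert coin")
                return
            self.credit -= UNIT_COST
            self.owed -= 1
        if not self.owed:
            self.grace_left = None

def replay(events):
    """Run constructed events such as ("insert", 25) or ("meter_pulse",)."""
    box = CoinBox()
    for name, *args in events:
        getattr(box, name)(*args)
    return box.on_hook(), box.log

if __name__ == "__main__":
    # Constructed call: three coins deposited up front, three meter pulses.
    call = [("insert", 25), ("insert", 25), ("insert", 10)] + [("meter_pulse",)] * 3
    print(replay(call))
```

Because every accounting decision is taken inside the box, nothing about coin value has to travel over the speech path; the exchange only sends meter pulses.
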

If only part of the value of the credit held in suspension needs to be collected when the phone goes on-hook, the remainder will be lost, unless the phone is equipped with a "follow on call" button to credit the unused portion to a call made immediately afterward.

This design, seen in England, is somewhat similar to the privately owned pay phones available here. Since the local telephone network will only allow their pay phones to be connected to their special ACTS lines, privately owned pay phones cannot use the ACTS to perform call accounting for them. Thus, these phones must be installed on a normal subscriber's line, a drastically less complex exchange, and as a result such phones require a much more sophisticated coin box.

Owning a pay phone, especially in high-traffic areas, can be quite advantageous, since the owner keeps all coins collected, but only in the long run, because he has to pay for the line fee as well as the charge for the call placed. Yet, at 25 cents a call, and the current peak rate being 10.2 cents, the profits can be worthwhile. This profit is, however, substantially diminished by the expensive price tag of these units, costing between $2,000 and $2,500 each.

There are essentially two types of pay phones out that can be purchased. One type is basically a Western Electric/AT&T look-alike. The other is the newer and fancier electronic pay phone, complete with LCD digital display. Such phones offer sophisticated features such as LCD display of number being dialed, amount of money on credit, time allowed for credit, and time elapsed. Both of these telephones cost somewhere in the range of $2,500-$3,500, depending on the manufacturer and dealer.

Though they appear quite different, these phones do not differ as much internally. Both units require billing equipment within the unit itself, since normal customer lines cannot aid the phone in that capacity.
As a result, these phones contain a "Rating Module," which includes a database with all inter-LATA rates and site-specific rates, as well as a clock, to determine when to apply off-peak discount rates. As rates change over time, the module can be upgraded or replaced to accommodate them, making these units quite flexible in that respect. These telephones must also be able to discriminate between slugs and the different denominations of coins, which they do in a manner similar to standard pay phones.

The main difference between the two types of privately owned pay phones is the manner in which each places the call. On the Telco copies, the billing equipment within the unit receives the number to be dialed from the keypad, compares that number to the number of the line on which it is installed (pre-programmed by the owner/installer), requests the appropriate fee from the caller, and then places the call itself; the keypad does not generate the actual touch tones, which place the call.

The majority of the digital models, however, place calls through a PBX (Private Branch eXchange), often owned by ITT, and the owner in turn pays the company for the calls made and keeps the remaining dividends. The fact that these units utilize PBXs is not a condition required by the unit, but rather the choice of the manufacturer, seeking increased profits by the use of their own lines to place the calls for which they can then charge a fee.

When you make a call with this telephone, the number you enter with the keypad is shown on the LCD display and is then processed by the billing equipment. After requesting the corresponding fee, the call is placed through the PBX. This results in the rapid sequence of touch tones heard when placing a call with this phone. What the phone does is dial the PBX and then enter an access code used solely by the pay phones.
That way, the local network will not bill the owner of the phone for those calls, since the calls are being placed through the PBX, and the PBX has a toll-free dial-up.

However, there are many disadvantages to this setup. Most notably, a local network operator cannot be reached through this arrangement. If you dial "0," the operator will be one selected by the company that owns the PBX used by the telephone. These operators are much more limited than the local network TSPS operators. They cannot perform such tasks as collect call placement, third-party billing of calls, calling card calls, customer identification for person-to-person calls, and busy line verification.

Another problem is that calling card calls cannot be made from these phones. This is due to the fact that ACCS (Automated Calling Card Service) and ACTS, which automate basic TSPS functions, are not available from within the PBX and even if they were, the touch tones needed to enter the card number cannot be generated directly from the keypad. This lack of touch-tone access also prohibits calls through other long-distance carriers via the 950 exchange. Directory assistance is also inaccessible and 911 calls cannot be placed.

Many bugs in the design can also make the phone inoperable or make it enter a "Maintenance Mode" just by hitting it hard enough, since many of these stations are not very secure, in some cases made from nothing more than plastic. In some units, the touch-tone access is available, yet the telephones are not configured to accept 950 calls as toll-free, again inconveniencing the customer.

The Telco copies are not much better. Operator assistance is limited to that which can be obtained from home lines. Again, calls cannot be completed through long-distance carriers since the station is not configured to accept toll-free 950 calls, although these telephones are usually configured to allow AT&T calling card calls (0+ calls) to be placed through them.

The Cheese Box

There are files circulating about the modem/phreak world regarding a device known as a cheese box. According to the files, when one forwards his number to an Intercept Operator within his prefix, all subsequent outgoing calls made will be prompted for coin insertion, supposedly turning the subscriber's telephone into a pay phone. It should be quite obvious that this is impossible, since not only does the Intercept Operator have nothing to do with pay phones, coin accounting, and ACTS, but it also seems quite impossible that one's line could become interfaced with ACTS simply by forwarding it to an operator. Obviously, these files are bogus.

Phone Abuse

In this last section, I will discuss how you can use the knowledge obtained from above to your advantage when dealing with these telephones. I am not going to get into such topics as phone theft and vandalism - I'll leave that up to your imagination.

The main advantage of the pay phone, to the phreak, is that it provides anonymity. This makes the pay phone a perfect location for blue boxing, engineering operators, and other Telco employees, modeming (for the more daring), and general experimentation. Yet, perhaps the most famous aspect of phreaking regarding the pay phone is the use of the red box.

As mentioned above, the red box is used to simulate the tones that signal ACTS that money has been deposited in the phone and ACTS may place the call and begin billing (if service is timed). The red box is used by dialing the desired number first and then, when ACTS asks for the change, using the red box to send the coin signals. In an attempt to stop red boxing, the pay phone checks to see if the first coin is real, by conducting a ground test. To circumvent this, at least one coin must be deposited - a nickel is sufficient. However, the number must be dialed first since ACTS must return your coins before reminding you that you have insufficient credit to place the call.
Afterward, any subsequent deposits required can be red boxed successfully, and the duration of the call can be as long as you like.

Red box schematics have proven to be hard to come by and are notoriously a pain to build, not only in the somewhat more complex circuit design than the simple tone generators used in blue, beige, and similar boxes, but also in the fact that they are hard to tune precisely, since not only is a frequency counter needed, but also an oscilloscope, both of which are hard to come by and are very expensive.

However, there are alternatives. One method is to locate a pay phone that produces the coin deposit tones quite loudly when coins are inserted. You can then record the tones with a Walkman (I do not recommend a micro-cassette recorder for this, because they are not stable enough for the precision required by ACTS) and simply play them back into the mouthpiece when you want to place a call just as you would if you had an actual red box. When you record the tones, record mostly quarters, since obviously they are worth the most calling time.

But if you don't have your trusty Walkman with you, there is still another way. Simply find a set of two pay phones (or more) with at least one that generates loud coin deposit tones. This phone will be Phone A. Now dial the desired number in Phone B and when ACTS asks you for the amount required, deposit a nickel in Phone B. Now put the two handsets of the phones together (the wires are long enough to reach across the booths) with the earpiece of Phone A held tight against the mouthpiece of Phone B. It doesn't matter where the other two ends are. The purpose of this is to get the sound of the deposit tones from Phone A's earpiece into the mouthpiece of Phone B. Then simply keep depositing coins in Phone A until ACTS thanks you for using AT&T. If you were smart, you only used quarters in Phone A, so you could get some credit toward overtime.
Since a number was never dialed with Phone A, when you hang up, all the change will be returned to you.

Red boxes are very useful but not convenient for local calls, though they will of course work. Another method for placing local calls free of charge is very similar to what David did in War Games to the pay phone. The problem with that method is that Telco has now sealed all mouthpieces on the pay phones. However, by puncturing the mouthpiece with a nail, the metal inside it will be exposed. There are two variations on this "nail" or "paper clip trick," depending on the telephone in use.

On the older D-types, by either placing a nail or a paper clip in the hole made in the mouthpiece and then touching the other end to any metal part of the phone, a short circuit will occur, which will render the keypad inoperable. If this is the case, then dial all digits of the number except for the last as you would normally and then short circuit the phone. While doing that, hold down the last digit of the number, disconnect the "jumper" you have made and then release the key. If this doesn't work, try rapidly connecting and disconnecting the jumper while holding down the last digit. The call should then be placed. What happens is the short circuit causes the coin signaler to malfunction and send a coin signal, while also shorting out the station, so that it passes the ground test.

On the newer pay phones, the short circuit will not deactivate the keypad. In this case, simply short circuit the phone throughout the entire dialing procedure and once completed, immediately and rapidly connect and disconnect your "jumper," which, if done properly, will allow the call to be placed.

A more direct approach to pay-phone abuse is actually making money from it. To accomplish this, you need access to the line feeding the telephone.
This is often easiest in cases when the telephone is in a location that is below ground and the main distribution cable is in the ground above the telephone's location, such as the lower levels of buildings and subways. If you are able to get to the wires, then cut them, or at least one, so that the dial tone has been lost. Wire colors are irrelevant here since I have seen many different colors used, ranging from blue to striped multicolor. By cutting wires, you should have the effect of cutting all power to the phone. When someone walks up to the telephone, he doesn't usually listen for a dial tone and simply deposits his quarter. The quarter then falls into the hopper, and since there is no power to cause a line reversal, the relay will not release the coin. The coins can then be retrieved by reconnecting the wires and flicking the switch hook to initiate a line reversal, which will result in a coin return.

A word of warning: Telco monitors their pay phones and knows when to expect the coin box to be full. Computer-based operations systems aid collection by preparing lists of coin boxes that are candidates for collection, taking into account location and projected activity. The coins collected are counted and entered into the operations system. Discrepancies between actual and expected revenue are reported to Telco security, which investigates them and reports potential security problems. Routine station inspections are also performed during collection, and out-of-service or hazardous conditions are reported immediately for repair.

The privately owned electronic pay phones are just as susceptible to attack, if not more so. Most notably, just hitting the digital ones hard enough in the area of the coin slot sometimes causes the pay phone to enter a "Maintenance Mode," where the LCD display shows something to the effect of "Not in Service-Maintenance Mode" and then prompts you for a password, which, when entered, places you in a diagnostic/maintenance program.
Another notable weakness lies in the touch tones the digital telephones produce when they place a call through the PBX. If you can record them and identify them, you will have a number and working access code for the PBX used by the telephone. Identification of the tones is difficult, though, since they are sent at durations of 50 ms.

Perhaps even more interesting with these phones is that the operator will not identify the phone number you are calling from. She does, however, appear to have ANI capabilities, since one operator confided that she knew the number, yet was not allowed to release it. There is a reason for this. These telephones can be serviced from remote, being equipped with an internal 300 baud modem. The phones enter the "Maintenance Mode" when they are connected to, and are therefore "Out of Service," as the display shows. Others will enter a "Maintenance Mode" only at a specific time of day, when activity is lowest, and only then can they be reached. From remote, diagnostic functions can be performed, as well as the ability to poll the unit to determine the amount of money in the coin box, plus an accounting of local and long-distance calls, though these functions will, of course, differ from phone to phone.

The "Telco copies" also contain a 300 baud modem. Since ANI is locked out from the keypad, the number can only be obtained through the operator; she is not aware that you are calling from a pay phone, since the station has been installed on a standard customer line. Since 0+ calls are available through this unit, Directory Assistance can be obtained for free by dialing 0-NPA-555-1212. Since the telephone is configured not to charge for calls placed with 0's before them (to allow for calling card calls) the call is free.

Conclusion

I have tried to make this article as informative and accurate as possible, obtaining information from various manuals as well as personal experience.
Since pay phones are public, the best way to learn about them is simply to experiment with them on your own. Good luck.