

                              How Payphones Really Work

                                   by The Infidel


               Fortress phones,  a.k.a. payphones,  are something that
               every phreak should have  had experience  with at least
               once in  their career.  Such devices as the red box and
               the green box also make the  fortress a  great place to
               phreak from. In this article, I will try to explain how
               a payphone works, and how one can (ab)use it.

               Basically, payphones are not too different  from normal
               phones,   requiring   all   the  speech  and  signaling
               facilities of ordinary  telephones,  but,  in addition,
               requiring  signals  to  handle  the charge for the call
               with the money inserted.  However, the  payphone itself
               has undergone some changes through the years.


                                Some Payphone History

               In most coin telephones, the stations operate on a pre-
               pay basis, that is, the coins must be  deposited before
               the call  can be  completed. A few of the older central
               offices using step-by-step equipment  that  had  only a
               few   public   telephones   accepted   deposits   after
               completion of the call.  This form  of operation, post-
               pay  coin  service,  was  chosen usually because of the
               long distance between the  local community  dial office
               and the  serving toll switchboard, which often resulted
               in  large  costs  due  to  the  returning  of  coins on
               uncompleted calls.

               The  older  versions  of  pre-pay-phones (the ones made
               famous by David in  War Games),  the A-type  set, would
               produce  a  dialtone  only  after a coin was deposited.
               These were also rotary  phones.  As  ESS  emerged, with
               such options  as 911  and 411 directory assistance, the
               need for a  dialtone-first  phone  emerged,  the C-type
               stations, which  resulted in  the dialtone-first rotary
               phone.

               With the advent of touch tone, calling cards, and long-
               distance carriers, payphones developed into the touch
               tone, dialtone-first public telephone. As you may have
               noticed,   the   intermediate  telephone,  the  rotary,
               dialtone-first phone is  very  hard  to  come  by these
               days,  obviously  due  to  the increasing demand in the
               many  services  now  offered  by  Ma   Bell  and  other
               companies  which  take  advantage  of  the  touch  tone
               service.

               Up  until  1978,  signalling  for  coin   deposits  was
               accomplished  by   a  single-frequency  tone,  sent  in
               pulses, as they are  today. As  an Automated  Coin Toll
               Service  (ACTS)  appeared  necessary,  to  automate the
               routine functions  of  TSPS  (Traffic  Service Position
               System)   Operators,   there   developed   a  need  for
               improvements in the station  to  prevent  simulation of
               the  coin  signals,  and  therefore,  toll  fraud. As a
               result, before the introduction of TSPS/ACTS,  all coin
               sets  manufactured  after  1977 were then equipped with
               dual-frequency oscillators. These  coin  boxes produced
               the current form of coin signalling, the dual-frequency
               tone. This resulted in  the D-type  station, which, due
               to  its  power  requirements and electronic components,
               rather  than  mechanical,  could  only  be  used  in  a
               dialtone-first environment,  and is, therefore, what we
               see today.


                                   Operation Logic

               As noted above, the payphone is,  essentially, the same
               as a customer-owned telephone, with the main difference
               being, quite obviously, the presence of the coin box.

               In the design of  the coin  box, the  following must be
               considered. The  coin box can be very sophisticated, to
               handle many functions,  thus  requiring  a  very simple
               exchange to  just receive  all billing information from
               the phone itself. Or, vice versa,  the coin  box can be
               quite  simple,  and  the  exchange  can  be  much  more
               complex, to interpret the data from  the box  needed to
               place the call and charge a toll for it.

               Today's   standard   Western   Electric/AT&T  telephone
               follows the latter, a simpler coin box design.
               These boxes signal forward to the exchange the value
               of  each  coin  inserted,   using  tone   pulses.  This
               technique  requires  Coin  and  Fee  Check  (C  and FC)
               equipment in the exchange, ACTS, to carry out  the call
               accounting  necessary  between  the  value of the coins
               inserted and the rate of  charging  of  the  call. This
               arrangement lets you insert coins into the phone at any
               time during the call, but its main disadvantage is that
               the speech  transmission must  be interrupted while the
               coin value is signalled to the exchange.

               Thus, the property of requesting a coin for a call is
               not in the phone, but in the exchange itself. If you
               were to take a payphone home with you and hook it up to
               your line,  it would not request a coin deposit. On the
               other hand, if you were to tap into a payphone line and
               tried to  place a call, you would get the familiar coin
               deposit request message.


                             What Happens to Your Money?

               When you first put your coin in the slot, it  is tested
               for size,  weight and  material. Size  is determined by
               the size of the slot the  coin passes  through, as well
               as  the  coin  chute  it  slides  through  in the phone
               itself. A coin that  is too  large is  not allowed into
               the  phone  itself,  while  one  too  small  just falls
               through without having accomplished  anything. Material
               is identified by the use of magnetic fields; slugs will
               be deflected, while coins  will  not.  If  the  coin is
               right, it is allowed to hit a sprocket, which, when hit
               by the coin, spins a certain number of times,
               determined by its weight. This spinning of the sprocket
               controls a tone generator  within the  telephone, which
               creates  the  coin  deposit  tones,  which in turn, the
               exchange then interprets  to  determine  the  amount to
               credit to the customer.

               As the  payphone can accept only three different coins,
               there are three coin signals to identify each  one. The
               signal consists  of 1700 Hz and 2200 Hz tones generated
               together to produce  a  dual-frequency  tone.  The dual
               tone is  more efficient,  because it cannot be confused
               with (or  simulated by)  human speech,  since the human
               voice can  only produce one tone at a time, and is also
               more difficult to simulate electronically, in an effort
               to prevent  fraud. To  identify the  value of the coin,
               the tone is sent to the exchange in pulses.

               Nickel Tone:   One 60 millisecond pulse (1700 Hz + 2200
                              Hz)

               Dime Tone:     Two  60  millisecond pulses separated by
                              60 milliseconds (1700 Hz + 2200 Hz)

               Quarter Tone:  Five 35 millisecond pulses separated by
                              35 milliseconds (1700 Hz + 2200 Hz)
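
               The exchange's side of this table, as an added example
               (not part of the original article): a decoder that
               turns detected tone-on intervals into coin credit and
               rejects pulse trains that fit no coin. The tolerance
               and inter-coin gap values are assumptions.

```python
"""Exchange-side decoding of coin-deposit pulse trains (added example).

Input is a list of (start_ms, end_ms) intervals during which a detector
saw the 1700 Hz + 2200 Hz dual tone. Pulse counts and nominal timings come
from the table above; the tolerance and burst gap are assumptions.
"""
from dataclasses import dataclass

TOLERANCE_MS = 10   # assumption: accepted deviation per pulse or gap
BURST_GAP_MS = 100  # assumption: a longer silence starts a new coin


@dataclass(frozen=True)
class CoinSignal:
    name: str
    cents: int
    pulses: int
    on_ms: int
    gap_ms: int


SIGNALS = (
    CoinSignal("nickel", 5, 1, 60, 0),
    CoinSignal("dime", 10, 2, 60, 60),
    CoinSignal("quarter", 25, 5, 35, 35),
)


def split_bursts(intervals):
    """Group tone intervals into bursts, one burst per coin."""
    bursts = []
    for start, end in sorted(intervals):
        if bursts and start - bursts[-1][-1][1] <= BURST_GAP_MS:
            bursts[-1].append((start, end))
        else:
            bursts.append([(start, end)])
    return bursts


def classify_burst(burst):
    """Return the matching CoinSignal, or None if the timing fits no coin."""
    widths = [end - start for start, end in burst]
    gaps = [b[0] - a[1] for a, b in zip(burst, burst[1:])]
    for sig in SIGNALS:
        if len(burst) != sig.pulses:
            continue
        widths_ok = all(abs(w - sig.on_ms) <= TOLERANCE_MS for w in widths)
        gaps_ok = all(abs(g - sig.gap_ms) <= TOLERANCE_MS for g in gaps)
        if widths_ok and gaps_ok:
            return sig
    return None


def decode(intervals):
    """Return (credit_in_cents, coin_names, rejected_burst_count)."""
    coins, rejected = [], 0
    for burst in split_bursts(intervals):
        sig = classify_burst(burst)
        if sig is None:
            rejected += 1
        else:
            coins.append(sig)
    return sum(c.cents for c in coins), [c.name for c in coins], rejected


# Constructed sample: nickel, dime, quarter, then one 120 ms pulse that
# matches no entry in the table.
SAMPLE = [
    (0, 60),
    (500, 560), (620, 680),
    (1000, 1035), (1070, 1105), (1140, 1175), (1210, 1245), (1280, 1315),
    (2000, 2120),
]

if __name__ == "__main__":
    print(decode(SAMPLE))
```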

               As mentioned earlier, the main problem with this design
               is  that  the  conversation   is  interrupted   by  the
               insertion of coins, which can be quite annoying on long
               distance calls placed on peak hours, when the rates are
               highest. Yet,  since the  tones do interrupt the speech
               transmission, a phreak can send, along  with the speech
               transmission, these  same tones, generated artificially
               by a device known as the red box.

               After the coins have been accounted for, they  are held
               in  a  hopper,  which  is  controlled  by a single-coil
               relay. This relay is  controlled by  the application of
               negative or  positive DC  voltage, depending on whether
               the coins are to be  returned  or  collected.  The line
               reversal can occur in one of two ways. One way the line
               reversal can  be accomplished  is at  the phone itself,
               via the switchhook. In the on-hook position, the hopper
               will not allow coins to fall through, and so, they must
               be  released  by  lifting  the  handset to cause a line
               reversal and activate  the  relay.  The  second  way in
               which  a  line  reversal  can  occur is by remote, from
               ACTS. ACTS can signal the station to either  collect or
               return the  coins. The  signals are also in the form of
               dual-frequency tone bursts. Three signals ACTS can send
               to the  fortress are the Coin Collect, Coin Return, and
               Ringback. These  tones  are  also  known  as  green box
               tones. The frequencies of these tones are as follows:

               Coin Collect:  700 Hz + 1100 Hz (900 ms)

               Coin Return:   1100 Hz + 1700 Hz (900 ms)

               Ringback:      700 Hz + 1700 Hz (900 ms)

               The function  of the  first two  should be obvious, but
               the Ringback may be unclear. When you walk  away from a
               phone  after  not  having deposited money for overtime,
               the  phone  rings.  That's  ACTS.  It's   not  actually
               "calling"  the  payphone,  but  sending a signal to the
               station to order it to ring. When you pick up the phone
               and hear the message, "Please deposit 40 cents", that's
               also ACTS playing the recording. After you hang up
               again or don't deposit your change, ACTS signals a TSPS
               operator, who then breaks in and asks for the money
               personally, since Telco knows you're definitely not
               going to put money  in a  phone just  because a machine
               asks you  to. If  you've been coerced into handing over
               your money, it's also ACTS which thanks you.


                                  Alternate Designs

               An alternate telephone design allows for  a drastically
               less  complex  exchange,  while  requiring  a much more
               sophisticated coin box.

               A payphone equipped with a "pay at any time" box allows
               for meter pulse signals to be sent from the exchange to
               the payphone, with the  coin  box  performing  the call
               accounting. The  meter pulses  may be signals at 50 Hz,
               or tones of 12 kHz or 16 kHz, depending on the network.
               Therefore,  the  insertion  of coins will not interfere
               with the conversation. Coins inserted prior to the call
               being  established,  and  during  the  call,  are  held
               suspended until the control  logic within  the payphone
               (rather than the exchange) determines that they need to
               be  collected.   Coins  remaining   in  suspension  are
               returned to  the user  when the  payphone goes on-hook.

               When no more coins are  held  in  credit  and  the next
               meter  pulse  is  received,  the payphone requests coin
               insertion and then clears the call after the designated
               grace period  has elapsed. If only part of the value of
               the credit held in  suspension  needs  to  be collected
               when  the  phone  goes  on-hook,  the remainder will be
               lost, unless the phone  is equipped  with a  "follow on
               call"  button  to  credit  the unused portion to a call
               made  immediately  afterwards.  This  design,  seen  in
               England,  is  somewhat  similar  to the privately owned
               payphones available here.
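
               The accounting this design moves into the coin box,
               as an added example (not part of the original
               article): coins stay suspended until a meter pulse
               needs them, leftovers come back on hang-up, and a
               partly used coin is lost unless "follow on call" is
               pressed. The 10-cent cost per meter pulse and all
               names are assumptions.

```python
"""Call accounting inside a "pay at any time" coin box (added example)."""
from collections import deque


class PayAtAnyTimeBox:
    def __init__(self, unit_cents=10):
        self.unit_cents = unit_cents  # assumption: cost of one meter pulse
        self.suspended = deque()      # coins held, not yet in the cash box
        self.collected = 0            # cents available against this call
        self.charged = 0              # cents owed for meter pulses so far
        self.awaiting_coins = False   # True while the grace period runs
        self.call_active = True

    def _settle(self):
        # Collect whole coins, oldest first, only while the call owes money.
        while self.collected < self.charged and self.suspended:
            self.collected += self.suspended.popleft()
        self.awaiting_coins = self.collected < self.charged

    def insert_coin(self, cents):
        self.suspended.append(cents)
        self._settle()

    def meter_pulse(self):
        """One charging unit arrived from the exchange."""
        if not self.call_active:
            return "cleared"
        self.charged += self.unit_cents
        self._settle()
        return "insert coins" if self.awaiting_coins else "ok"

    def grace_expired(self):
        """Clear the call if the requested coins never arrived."""
        if self.awaiting_coins:
            self.call_active = False
        return self.call_active

    def on_hook(self, follow_on=False):
        """End the call; report returned coins and the unused remainder."""
        returned = list(self.suspended)
        remainder = max(self.collected - self.charged, 0)
        carried = remainder if follow_on else 0
        self.suspended.clear()
        self.collected, self.charged = carried, 0
        self.awaiting_coins, self.call_active = False, True
        return {"returned": returned, "carried": carried,
                "lost": remainder - carried}


def scenario(follow_on):
    """Constructed session: 50 + 10 cents inserted, three pulses used,
    hang up, then a second call with no new coins."""
    box = PayAtAnyTimeBox(unit_cents=10)
    box.insert_coin(50)
    box.insert_coin(10)
    first_call = [box.meter_pulse() for _ in range(3)]
    hangup = box.on_hook(follow_on=follow_on)
    second_call = [box.meter_pulse() for _ in range(3)]
    still_up = box.grace_expired()
    return first_call, hangup, second_call, still_up


if __name__ == "__main__":
    print(scenario(follow_on=False))
    print(scenario(follow_on=True))
```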

               Since the local telephone network will only allow their
               payphones to  be connected to their special ACTS lines,
               privately  owned  payphones  cannot  use  the  ACTS  to
               perform call accounting for them. Thus, these phones must
               be  installed  on  a   normal   subscriber's   line,  a
               drastically  less  complex  exchange, and, as a result,
               such phones require a much more sophisticated coin box.

               Owning a payphone,  especially  in  high-traffic areas,
               can be  quite advantageous,  since the  owner keeps all
               coins collected, but only in the  long run,  because he
               has to  pay for  the line fee as well as the charge for
               the call placed. Yet,  at  25  cents  a  call,  and the
               current peak  rate being 10.2 cents, the profits can be
               worthwhile.  This  profit  is,  however,  substantially
               diminished by  the expensive  price tag of these units,
               costing between $2000 and $2500 each.

               There are essentially two  types of  payphones that can
               be   purchased.   One   type  is  basically  a  Western
               Electric/AT&T look-alike. The other  is  the  newer and
               fancier electronic  payphone, complete with LCD digital
               display. Such phones offer  sophisticated features such
               as LCD  display of number being dialed, amount of money
               on credit, time allowed  for credit,  and time elapsed.
               Both of these telephones cost somewhere in the range of
               $2500-$3500, depending on the manufacturer and dealer.

               Though they appear quite different, these phones do not
               differ as much internally.

               Both  units  require  billing equipment within the unit
               itself, since  normal  customer  lines  cannot  aid the
               phone  in  that  capacity.  As  a  result  these phones
               contain a "Rating Module",  which  includes  a database
               with all inter-LATA rates and site-specific rates, as
               well as a clock,  to determine  when to  apply off-peak
               discount rates.  As rates  change over time, the module
               can be upgraded or replaced to accommodate them, making
               these units quite flexible in that respect.

               These  telephones  must  also  be  able to discriminate
               between slugs and the different denominations of coins,
               which they  do in a manner very similar to the standard
               payphones.

               The main difference between the two types of privately
               owned payphones  is the manner in which each places the
               call.

               On the Telco copies,  the billing  equipment within the
               unit receives  the number to be dialed from the keypad,
               compares that number to the number of the line on which
               it is installed (pre-programmed by the
               owner/installer), requests the appropriate fee from the
               caller and then places the call itself; the keypad
               does not  generate the  actual touch  tones which place
               the call.

               The  majority  of  the  digital  models, however, place
               calls through a PBX, often owned by ITT, and the owner,
               in turn,  pays the company for the calls made and keeps
               the remaining  dividends.  The  fact  that  these units
               utilize PBX's is not a condition required by the unit,
               but rather  the  choice  of  the  manufacturer, seeking
               increased  profits  by  the  use  of their own lines to
               place calls for which they can then charge a fee.

               When you make a  call with  this telephone,  the number
               you enter  with the  keypad is shown on the LCD display
               and is then processed  by the  billing equipment. After
               requesting  the  corresponding  fee, the call is placed
               through the PBX. This results in the rapid  sequence of
               touch tones  heard when placing a call with this phone.
               What the phone does is dial the PBX  and then  enter an
               access code used solely by the payphones. That way, the
               local network will not bill the owner of  the phone for
               those calls, since the calls are being placed through
               the PBX, and the PBX has a toll-free dialup.

               However, there are many  disadvantages  to  this setup.
               Most  notably,  a  local  network  operator  cannot  be
               reached through this arrangement. If you  dial `0', the
               operator will  be one selected by the company that owns
               the PBX used by the telephone. These operators are much
               more  limited  than  the  local network TSPS operators.
               They  cannot  perform  such   tasks  as   collect  call
               placement, third  party billing  of calls, calling card
               calls,  customer  identification  for  person-to-person
               calls, and  busy line  verification. Another problem is
               that calling  card  calls  cannot  be  made  from these
               phones. This  is due  to the  fact that ACCS (Automated
               Calling Card Service) and  ACTS,  which  automate basic
               TSPS functions,  are not available from within the PBX,
               and even if they were, the touch tones  needed to enter
               the card  number cannot  be generated directly from the
               keypad. This lack of  touch tone  access also prohibits
               calls through  other long-distance carriers via the 950
               exchange. Directory assistance is also inaccessible and
               911 calls cannot be placed. Many bugs in the design can
               also make the  phone  inoperable  or  make  it  enter a
               "Maintenance  Mode"  just  by  hitting  it hard enough,
               since many of these  stations are  not very  secure, in
               some cases made from nothing more than plastic. On some
               units, the touch  tone  access  is  available,  yet the
               telephones are  not configured  to accept  950 calls as
               toll free, again inconveniencing the customer.

               The  Telco  copies  are   not  much   better.  Operator
               assistance  is  limited  to  that which can be obtained
               from  home  lines.  Again,  calls  cannot  be completed
               through long-distance carriers since the station is not
               configured  to  accept  toll-free  950  calls, although
               these telephones  are usually  configured to allow AT&T
               calling card calls (0+ calls) to be placed through it.


                                   The Cheese Box

               There  are  files  circulating  about  the modem/phreak
               world  regarding  a  device  known  as  a  cheese  box.
               According to the files, when one forwards his number to
               an Intercept Operator within his prefix, all subsequent
               outgoing  calls  made  will   be   prompted   for  coin
               insertion,   supposedly    turning   the   subscriber's
               telephone into a payphone.  It should  be quite obvious
               that  this  is  impossible,  since  not  only  does the
               Intercept Operator have nothing  to do  with payphones,
               coin  accounting,  and  ACTS,  but  it also seems quite
               impossible that one's line could become interfaced with
               ACTS simply by forwarding it to an operator. Obviously,
               these files are bogus.


                                     Phone Abuse

               In this last section, I will discuss how you can use
               the knowledge obtained from above to your
               advantage when dealing with these telephones. I am not
               going  to  get  into  such  topics  as  phone  theft or
               vandalism -- I'll leave that up to your imagination.

               The main advantage of the payphone,  to the  phreak, is
               that it  provides anonymity.  This makes the payphone a
               perfect   location   for   blue   boxing,   engineering
               operations, and other Telco employees modeming (for the
               more daring) and general experimentation.

               Yet,  perhaps  the  most  famous  aspect  of  phreaking
               regarding the  payphone is  the use  of the red box. As
               mentioned above, the red  box is  used to  simulate the
               tones that signal ACTS that money has been deposited in
               the phone and ACTS may place the call and begin billing
               (if service  is timed).  The red box is used by dialing
               the desired number first and then,  when ACTS  asks for
               the change, using the red box to send the coin signals.
               In an attempt to stop red  boxing, the  payphone checks
               to  see  if  the  first  coin  is real, by conducting a
               ground test. To circumvent this, at least one coin must
               be deposited -- a nickel is sufficient. However, the
               number must be dialed first since ACTS must return your
               coins before  reminding you  that you have insufficient
               credit to place the  call.  Afterwards,  any subsequent
               deposits  required  can  be red boxed successfully, and
               the duration of the call can be as long as you like.

               Red box schematics have  proven to  be hard  to come by
               and are  notoriously a  pain to  build, not only in the
               somewhat more complex circuit  design  than  the simple
               tone generators  used in blue, beige and similar boxes,
               but also  in  the  fact  that  they  are  hard  to tune
               precisely, since not only is a frequency counter needed, but
               also an oscilloscope, both of which are hard to come by
               and are very expensive.

               However,  there  are  alternatives.  One  method  is to
               locate a payphone that produces the  coin deposit tones
               quite loudly  when the coins are inserted. You can then
               record the tones with a Walkman  (I do  not recommend a
               micro-cassette recorder  for this, because they are not
               stable enough for the  precision required  by ACTS) and
               simply play them back into the mouthpiece when you want
               to place a call just as you would if you  had an actual
               red box. When you record the tones, record mostly
               quarters, since, obviously, they are worth the most
               calling time.

               But  if  you  don't  have your trusty Walkman with you,
               there is still another  way. Simply  find a  set of two
               payphones (or  more) with  at least  one that generates
               loud coin deposit tones.  This phone  will be  Phone A.
               Now dial  the desired  number in  Phone B and when ACTS
               asks you for the amount required, deposit a nickel in
               Phone B. Now put the two handsets together (the wires
               are long enough to  reach across  the booths)  with the
               earpiece of phone A held tightly against the mouthpiece
               of phone B. It doesn't matter where the  other two ends
               are. The  purpose of  this is  to get  the sound of the
               deposit  tones  from  Phone   A's  earpiece   into  the
               mouthpiece  of  Phone  B.  Then  simply keep depositing
               coins in Phone A until ACTS thanks you  for using AT&T.
               If you  were smart,  you only used quarters in Phone A,
               so you could get some credit towards overtime.  Since a
               number was never dialed with Phone A, when you hang up,
               all the change will be returned to you.

               Red boxes are very useful but not convenient  for local
               calls, though they will, of course, work. Another method
               for placing local calls free of charge is  very similar
               to what  David did  in War  Games to  the payphone. The
               problem with that method is that  Telco has  now sealed
               all   mouthpieces   on   the   payphones.  However,  by
               puncturing the mouthpiece with a nail, the metal inside
               will be exposed. There are two variations on this
               "nail"  or  "paper  clip   trick",  depending   on  the
               telephone in use.

               On the  older D-types,  by either  placing a  nail or a
               paper clip in the hole made in the  mouthpiece and then
               touching the other end to any metal part of the phone, a
               short circuit will occur which will render the keypad
               inoperable. If this is the case, then dial all digits
               of the number except for the last as you would normally
               and  then  short  circuit  the phone. While doing that,
               hold down the last digit of the number,  disconnect the
               "jumper"  you  have  made  and then release the key. If
               this  doesn't   work,   try   rapidly   connecting  and
               disconnecting  the  jumper  while holding down the last
               digit. The call should then be placed. What  happens is
               the   short   circuit   causes  the  coin  signaler  to
               malfunction and send a coin signal, while also shorting
               out the station, so that it passes the ground test.

               On  the  newer  payphones,  the  short circuit will not
               deactivate  the  keypad.  In  this  case,  simply short
               circuit  the   phone  throughout   the  entire  dialing
               procedure and once  completed  immediately  and rapidly
               connect  and  disconnect  your "jumper", which, if done
               properly will allow the call to be placed.

               A more  direct approach  to payphone  abuse is actually
               making money from it. To accomplish this, you need
               access to the line feeding the telephone. This is often
               easiest in  cases when  the telephone  is in a location
               that is below ground and the main distribution cable is
               in the  ground above  the telephone's location, such as
               the lower levels of buildings and  subways. If  you are
               able to get to the wires, then cut them, or at least one,
               so that the dialtone has  been  lost.  Wire  colors are
               irrelevant here since I have seen many different colors
               used,  ranging  from  blue  to  striped  multicolor. By
               cutting wires,  you should  have the  effect of cutting
               all power to the  phone. When  someone walks  up to the
               telephone, he doesn't usually listen for a dialtone and
               simply deposits his  quarter.  The  quarter  then falls
               into the hopper, and since there is no power to cause a
               line reversal, the relay will not release the coin. The
               coins can  then be  retrieved by reconnecting the wires
               and flicking the switchhook to initiate a line reversal,
               which will result in a coin return.

               A word  of warning:  Telco monitors their payphones and
               knows when to expect the coin box to be full. Computer-
               based operations systems aid collection by preparing
               lists of coin boxes that are candidates for collection,
               taking  into  account  location and projected activity.
               The coins  collected are  counted and  entered into the
               operations  system.  Discrepancies  between  actual and
               expected revenue are reported to Telco  security, which
               investigates   them   and  reports  potential  security
               problems.   Routine   station   inspections   are  also
               performed  during  collection,  and  out-of-service  or
               hazardous  conditions  are  reported   immediately  for
               repair.
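
               The collection list and the revenue check described
               above, as an added example (not Telco's actual
               system): stations are listed for collection by route
               and projected fill, and counted revenue is compared
               with the projection. Station ids, routes, thresholds
               and all figures are constructed for illustration.

```python
"""Coin collection scheduling and revenue reconciliation (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CoinBox:
    station: str
    route: str           # location grouping used to plan a collection run
    daily_cents: int     # projected activity
    days_since: int      # days since the box was last emptied
    capacity_cents: int

    @property
    def expected_cents(self):
        # A full box accepts no more coins, so cap the projection.
        return min(self.daily_cents * self.days_since, self.capacity_cents)


def collection_candidates(boxes, fill_pct=80):
    """Stations projected at or above fill_pct of capacity, grouped by
    route, fullest first. fill_pct is an assumed threshold."""
    routes = {}
    ranked = sorted(boxes,
                    key=lambda b: b.expected_cents / b.capacity_cents,
                    reverse=True)
    for box in ranked:
        if box.expected_cents * 100 >= fill_pct * box.capacity_cents:
            routes.setdefault(box.route, []).append(box.station)
    return routes


def reconcile(boxes, counted, tolerance_pct=15):
    """Return (station, expected, counted, difference) for every collected
    box whose count deviates from the projection by more than
    tolerance_pct (an assumed threshold), largest shortfall first."""
    report = []
    for box in boxes:
        if box.station not in counted:
            continue  # not collected on this run
        expected = box.expected_cents
        diff = counted[box.station] - expected
        if abs(diff) * 100 > tolerance_pct * expected:
            report.append((box.station, expected, counted[box.station], diff))
    return sorted(report, key=lambda row: row[3])


# Constructed sample data.
BOXES = [
    CoinBox("STN-0001", "midtown", 4000, 6, 30000),
    CoinBox("STN-0002", "midtown", 1500, 6, 30000),
    CoinBox("STN-0003", "subway", 5000, 5, 30000),
    CoinBox("STN-0004", "subway", 6000, 7, 30000),
]
COUNTED = {"STN-0001": 23500, "STN-0003": 14000, "STN-0004": 30000}

if __name__ == "__main__":
    print(collection_candidates(BOXES))
    for row in reconcile(BOXES, COUNTED):
        print("report to security:", row)
```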

               The  privately  owned  electronic payphones are just as
               susceptible to  attack, if  not more  so. Most notably,
               just hitting the digital ones hard enough in the
               area of the coin slot sometimes causes the payphone to
               enter a "Maintenance Mode", where the LCD displays
               something to the effect of "Not in Service-
               Maintenance Mode" and then prompts you for a password,
               which, when entered, places you in a
               diagnostic/maintenance program.

               Another notable weakness lies in the touch tones the
               digital telephone produces when it places a call
               through the  PBX. If  you can  record them and identify
               them, you will have  a number  and working  access code
               for the  PBX used  by the  telephone. Identification of
               the tones  is rather  difficult though,  since they are
               sent at durations of 50ms.

               Perhaps even more interesting with these phones is that
               the operator will not identify the phone number you are
               calling  from.  She  does,  however, appear to have ANI
               capabilities, since one operator confided that she knew
               the number, yet was not allowed to release it. There is
               a reason for this.  These  telephones  can  be serviced
               from remote,  being equipped  with an internal 300 baud
               modem. The phones  enter  the  "Maintenance  Mode" when
               they  are  connected  to,  and  are  therefore  "Out of
               Service", as the display  shows.  Others  will  enter a
               "Maintenance Mode" only at a specific time of day, when
               activity is the  lowest,  and  only  then  can  they be
               reached.  From  remote,  diagnostic  functions  can  be
               performed, as well as the ability to poll the unit to
               determine the  amount of money in the coin box, plus an
               accounting of  local  and  long-distance  calls, though
               these functions  will, of  course, differ from phone to
               phone.

               The "Telco copies" also contain a 300 baud modem. Since
               ANI is  locked out from the keypad, the number can only
               be obtained through the operator; she is not aware that
               you are  calling from  a payphone since the station has
               been installed  on a  standard customer  line. Since 0+
               calls  are   available  through  this  unit,  Directory
               Assistance can be obtained  for free  by dialing 0-NPA-
               555-1212.  Since  the  telephone  is  configured not to
               charge for calls placed with 0's before them  (to allow
               for calling cards) the call is free.


                                     Conclusion

               I have  tried to  make this  article as informative and
               accurate  as  possible,   obtaining   information  from
               various manuals  as well  as personal experience. Since
               pay-phones are public, the best way to learn about them
               is simply to experiment with them on your own. Good
               luck.



          Reprinted irrespectively  from 2600 (The Hacker Quarterly, Volume
          Six, Number One, Spring 1989) by:

                           The Anarchy Zone (416) 778 5767

                              courtesy of Master Hacker


