A trip down phone-phreak memory lane

Just What Is This ProjectMF Thing Anyway?

Project MF is a living, working simulation of analog SF/MF signaling just as it was used as the standard in the public switched telephone network up until the early 90's, when most everything was cut-over by the regional Bells to the fully-digital SS7/ISDN network as it continues today.

This allows a user to "blue box" telephone calls, like the phone phreaks of yesterday.

ProjectMF was first presented to the world at the sixth HOPE conference in 2006 by Mark Abene (A.K.A. Phiber Optik). After the well-received presentation, Mark went on to establish the www.projectmf.com discussion board as a way to promote further development and experimentation and as a way of preserving an important part of telco history.

So What's a Blue Box?

The blue box is an electronic device that simulates a telephone operator's dialing console. It functions by replicating the tones used to switch long-distance calls and using them to route the user's own call, bypassing the normal switching mechanism. The most typical use of a blue box was to place free telephone calls. The blue box no longer works in most western nations, as modern switching systems are now digital and no longer use the in-band signaling which the blue box emulates. Instead, signaling occurs on an out-of-band channel which cannot be accessed from the line the caller is using (called Common Channel Interoffice Signaling (CCIS)).

The blue box got its name because the first such device confiscated in 1961 by Bell System security was in a blue chassis.

If you are perplexed at this point, for a primer on what this is all about a must-read is the article that was published in the October, 1971 Esquire magazine article "Secrets of the Little Blue Box" by Ron Rosenbaum.

From there, peruse the files on textfiles.com to read some of the actual texts that were circulated by phone phreaks "back in the day".

To hear some of this stuff in action, head over to the PhoneTrips web site and listen to the tapes phone phreaks made of their activities. For particularly good examples of blue box usage, I recommend listening to the "Classic Tandem Stacking", "A HiFi 914 Routings tape, part 1", and "A HiFi 914 Routings tape, part 2".

Ok, So How Do I Use One?

The operation of a blue box was/is simple: First, the user places a long distance telephone call, usually to an 800 number or some other non-supervising phone number. For the most part, anything going beyond 50 miles would go over a trunk type susceptible to this technique.

When the call starts to ring, the caller uses the blue box to send a 2600 Hz tone. The 2600 Hz is a supervisory signal, because it indicates the status of a trunk; on hook (tone) or off-hook (no tone). By playing this tone, you are convincing the far end of the connection that you've hung up and it should wait. When the tone stops, the trunk will go off-hook and on-hook (known as a supervision flash), making a "Ka-Cheep" noise, followed by silence. This is the far end of the connection signaling to the near end that it is now waiting for MF routing digits.

Once the far end sends the supervision flash, the user would use the blue box to dial a "Key Pulse" or "KP", the tone that starts a routing digit sequence, followed by either a telephone number or one of the numerous special codes that were used internally by the telephone company, then finished up with a "Start" or "ST" tone. At this point, the far end of the connection would route the call the way you told it, while the users end would think you were still ringing at the original number.

Huh. So where ProjectMF Fit In To All This?

Even though this is all obsolete, it is again made possible by a set of modifications and patches made to the open-source Asterisk PBX server. It allows users to dial into the system via a variety of access methods, including the regular public switched telephone network and SIP. The user is presented with a ringing line. The ringing can be disconnected and the trunk seized by playing a 2600 tone into the line. Thereafter, the call can be diverted to another number or to a series of internal recordings and functions that reside on the server/switch by playing MF or multifrequency tones into the line.

This is all perfectly legal, as the system is totally private. It is really more than a simulation. The call is going over a trunk group of 24 SF/MF trunks, although both sides of the trunks are terminated on the same PC. The hardware that makes this possible is two extra dedicated Ethernet cards on the PC running T1 over Ethernet protocol over a loopback Ethernet cable. Your incoming call gets looped over one of the 24 trunks before terminating back on the same switch, so you have 2600 and MF control.

Project MF server in basement

I have maintained a public ProjectMF system for over a year now. At last old-timers, aspiring phone phreaks, and the curious can experience the clandestine thrill of blue boxing their own calls! I have extended Phiber's original patches to add to the realism and reliability of the system. Lots of the old tricks are possible, including trunk "stacking",as illustrated in one of the Phonetrips recordings.

Accessing My ProjectMF Server

My ProjectMF server can be accessed via the PSTN on 630-485-2995. The switch will play back recorded instructions when you dial in.

Access is also available via:

Note that you need a source of 2600 Hz tone and an MF dialer (NOT a regular DTMF (Touch-Tone) dialer) to make ANY use of this at all. You can download a software blue box for Windows, which also requires you to install install Microsoft's .net framework. This program will let you generate MF tones through your PC's sound card and speakers. You can use the number keys on the right side of your keyboard (if you use a full-size keyboard) as an almost-real blue box, as well as the point and click method!

Alternately, you can build your own, real blue box with instructions found on this site!

During the ringing of the line (or after it stops), play a short burst of 2600, wait for the wink acknowledgment (the "Ker-Cheep"), followed by the MF digits from the list below. The 2600 Hz tone must be played at a somewhat higher level than the MF digits. Additional calls can be placed by playing 2600 again, waiting for the wink, and re-routing the call with new MF digits.

If you do not begin dialing within 5 seconds after playing 2600 and getting the wink, you will hear a "reorder" tone (fast busy). You must then re-seize the line with another burst of 2600.

The system will read back the digits it hears if you dial anything the switch does not understand. Play around with volume levels, especially if just holding the PC speaker up to the phone. The MF tones do not need to be excessively loud. It is important to do this in a fairly quiet environment. Do not talk while dialing. The switch will try to interpret loud sounds as MF digits.

You can divert a call through the box. Just dial 2600, KP, a 10-digit phone number (no leading "1"), and ST. Experiment on the test numbers to get the levels right first.

Video Tutorial

To help you get started, a video tutorial is available on YouTube:

 

The Dialing Plan

Here are some numbers to try after you have seized a trunk with 2600 Hz. (Any three-digit code will also work with an area code prefixed.)

Dialing sequenceGets you ...
KP + 101 + ST "Weasels" recording
KP + 102 + ST "Monkeys" recording
KP + 103 + ST "Moo 1" recording
KP + 104 + ST "Moron" recording
KP + 105 + ST "Moo 2" recording
KP + 106 + ST "Something wrong" recording
KP + 107 + ST "Made it up" recording
KP + 108 + ST "I'm bored" recording
KP + 109 + ST "Don't understand" recording
KP + 110 + ST "Step in stream" recording
KP + 111 + ST "ProjectMF" presentation recording (exit with DTMF "0")
KP + 112 + ST "Classic Tandem Stacking" recording - Evan Doorbell (exit with DTMF "0")
KP + 113 + ST "Evan Doorbell juices off N1 and phreaks around. Part 1 (exit with DTMF "0")
KP + 114 + ST "Evan Doorbell juices off N1 and phreaks around. Part 2 (exit with DTMF "0")
KP + 115 + ST "Evan Doorbell investigates 1xx and 0xx codes (exit with DTMF "0")
KP + 116 through
120 and 122 + ST
"How Evan Doorbell Became a Phone Phreak, parts 1-6"
KP + 600 + ST Asterisk echo test
KP + 121 + ST "Operator" - Leave message if no answer
KP + 123 + ST Joybubbles (Joe Engressia) 1991 Off the Hook Interview, Part 1
KP + 124 + ST Joybubbles (Joe Engressia) 1991 Off the Hook Interview, Part 2
KP + 125 + ST Haxor Joybubbles tech interview, part 1
KP + 126 + ST Haxor Joybubbles tech interview, part 2
KP + 127 + ST Haxor Joybubbles tech interview, part 3
KP + 128 + ST Sounds of Long Distance, part 1
KP + 129 + ST Sounds of Long Distance, part 2
KP + 130 + ST Sounds of Long Distance, part 3
KP + 131 + ST Goog411 Directory Assistance
KP + 132 + ST Sounds of Long Distance, part 4
KP + 133 + ST Sounds of Long Distance, part 5
KP + 134 + ST Sounds of Long Distance, part 6
KP + 135 + ST Sounds of Long Distance, part 7
KP + 136 + ST Sounds of Long Distance, part 8
KP + 137 + ST Sounds of Long Distance, part 9
KP + 138 + ST Sounds of Long Distance, part 10
KP + 139 + ST Sounds of Long Distance, part 11
KP + 140 + ST Sounds of Long Distance, part 12
KP + 141 + ST Sounds of Long Distance, part 13
KP + 142 + ST Sounds of Long Distance, part 14
KP + 143 + ST Sounds of Long Distance, part 15
KP + 144 + ST Sounds of Long Distance, part 16
KP + 145 + ST Dialing the 1XX Codes from Greenville NC Coin Phones, Part 1
KP + 146 + ST Dialing the 1XX Codes from Greenville NC Coin Phones, Part 2
KP + 147 + ST Local Coin Control in the 1970s
KP + 161 + ST Record a comment
KP + 171 + ST Playback comments. 0 to exit, * and # to skip backward and forward
KP + 199 + ST 2600 Hz supervision test
KP + xxx-xxx-xxxx + ST Outdial to phone network
KP + 011 + country code + number + ST Collectors Net Access (www.ckts.info)
KP + 2111 + ST Conference bridge. Please hang up with "#" when done.
KP + 777 + ST Direct access to Telephreak
KP + 2602 + ST DISA dialtone. Can use DTMF to dial. Stack with repeated 2602