2600 Red Box / Blue Box Now you too can be t3h 3133+ fone phreak... but only if you have a long enough extension cable to your Atari 2600! Relive the bygone days of analog toll fraud! Or just use your Atari 2600 to dial you Mom... because you can. Instructions * Insert cartridge into console * Connect keyboard controllers * Turn power on * Use the select switch to change between red box and blue box mode * Use the keypad buttons to play tones Don't Try This At Home Toll fraud isn't funny. Well, actually it is kind of funny, but not to the phone company or law enforcement agencies. How would you like to tell your cellmate Bubba what you're in for? Besides, these things really don't work any more. Red and green boxing are dead because cell phones have all but killed pay phones, and the pay phones that remain have surely been upgraded to not be controlled by silly in-band tones. Blue boxing died even earlier thanks to digital trunk lines and time-division multiplexing. About dual-tone signalling Back in the good old days, before everything went digital, the only way to control a phone line was by using tones. This was called "in-band signalling", as opposed to "out-of-band signalling" which uses a separate circuit for line control. Using a single tone to mean something would be obvious, and rather simple to implement, but it would have one big problem: random noise on the phone line could be accidentally detected as a signal. The solution to the noise problem was to use two signals. There is also a problem of harmonics causing accidental signals, which is why touch-tone dialing uses such odd frequencies. About touch-tone dialing In the beginning, to call anybody you had to go through an operator. The operator (originally male, until the usual pranks of teenage boys caused a switch to women) would pull down some plugs and use them to connect your circuit. If we still used human operators for every call, a quarter of the population would have to be employed today as operators. So instead, the phone company just made everybody into an operator and made dialing automatic. This used a dial which made a number of short pulses, depending on what number you dialed. These pulses would control a "step switch", which had ten positions and stepped through them as the pulses were received. Then the phone company realized that these things were big, expensive, and required a lot of maintenance. So they wanted to have computers run everything. But a bunch of pulses that have to be counted isn't exactly the best kind of input to a computer. And it's slow if you have a lot of nines and zeros in a phone number. Thus was born touch-tone dialing, using "Dual Tone Multi-Frequency" tones. Each tone could be decoded immediately into a number. And they could charge extra for this feature, even though it made things easier for the phone company. In fact, if you're in the United States, you probably can't even use pulse dial! The circuitry to count the pulses costs the phone company money, and almost nobody uses pulse dialing any more, so they only connect pulse-dialing circuitry to the people who refuse to pay for touch-tone. So with touch-tone dialilng, you get to pay more money and it's cheaper for the phone company! A rarely used feature of touch-tone is the fourth column. These buttons are labeled A, B, C, and D. The only use I'm aware of for the fourth column was in the US military's AUTOVON system. About red boxing Pay phones needed some way to let the phone company know when you inserted a coin. Originally your coin would ring bells, and a human operator could count your dings and gongs. But electronic equipment works a lot better with simple tones. So one pair of tones was used for the coin mechanism. The different value coins (nickels, dimes, and quarters) would each create a unique "cadence", or pattern of notes. A nickel would be one long tone, a dime would be two long tones, and a quarter would be five short tones. A red box is a tone generator designed to create this particular pair of tones. It just so happens that the ratio of the two frequences used for the touch-tone "*" key is almost the same as that of the coin tones. When you replace the 3.58 MHz crystal (a standard TV colorburst crystal) with a 6.5536 MHz crystal (65536 being notable as 2 to the power of 16), the tones of all the buttons are raised in frequency, and the "*" key is now very close to a proper coin tone. The important part of using a red box is to get the cadence right. You should expect a human phone operator to have heard the correct cadence often enough to easily know when you're faking it. Also, the phone mutes the microphone while sending the tone, and if there isn't the sound of clunking coins around the beeps, that's another tip-off to an operator. About green boxing Pay phones also need control signalling. The operator has the ability to return your coins (because you need a real coin to get dialtone, even if you're dialing a 1-800 number). Green box tones are what the operator uses to control a pay phone. Of course these don't work at all from the pay phone itself, and you have to do it from the called party. Operator Release (activates the circuitry which listens for green box tones) Coin Collect (drop the coins into the box) Coin Release (return the coins out the slot) Ringback (I think this makes the phone ring) About blue boxing Blue boxing uses the signals that control long distance trunks. These are the tones that long distance operators would use to dial a number in an operator-assisted call. A 2600Hz tone would cause the phone company equipment to think that the call had been terminated, and in particular the billing system would stop. But the trunk would still be open. By sending the right sequence of tones, you could call someone without being billed. The tones used by the phone company were generated by high-precision equipment with large coils, then distributed by wires to all the operator stations. For years, the phone company's hubris kept them from believing that a small board with cheap transistor oscillators could be accurate enough to be useful. Of course the difference is that the phone company needed dozens of stations with accurate tones, and using cheap transistor oscillators would mean constant maintenance and tuning. A blue boxer only had one board to tune, and it was easy to keep within the tolerance needed to do the job. About the Special Information Tones When you hear that "boop-boop-beee! The number you have dialed is...", the first three tones are called Special Information Tones. You may not realize it, but there are multiple combinations of these tones. Each of the first two tones can be one of two frequencies, and can be either short or long. The last tone is always the same, 1776.7Hz, supposedly a reference to July 1776. Code: Name Description First tone Second tone Third tone NC No Circuit 985.2Hz 380ms 1428.5Hz 380ms 1776.7hz 380ms IC Operator Intercept 913.8Hz 274ms 1370.6Hz 274ms 1776.7Hz 380ms VC Vacant Circuit 985.2Hz 380ms 1370.6Hz 274ms 1776.7Hz 380ms RO Reorder 913.8Hz 274ms 1428.5Hz 380ms 1776.7Hz 380ms The most interesting use of these tones involves telemarketing junk phone calls. Most of the automated telemarketing dialing equipment made until recently will detect these tones and actually take your number off their list if it hears them! Even more amazing, many of them will give up after hearing the first tone! There is a device called the "TeleZapper" which can automatically generate either a single 913.8Hz tone or a sequence of three tones after any phone is picked up. It's really satsifying to pick up the phone, hear the tone, then the line goes dead as another telemarketer gets phooled. Tone list Red box, left keypad Code: KEY FREQ DESCRIPTION 1 697, 1209 touch-tone 1 2 697, 1336 touch-tone 2 3 697, 1477 touch-tone 3 4 770, 1209 touch-tone 4 5 770, 1336 touch-tone 5 6 770, 1477 touch-tone 6 7 852, 1209 touch-tone 7 8 852, 1336 touch-tone 8 9 852, 1477 touch-tone 9 10 941, 1209 touch-tone * 11 941, 1336 touch-tone 0 12 941, 1477 touch-tone # Red box, right keypad Code: KEY FREQ DESCRIPTION 1 697, 1633 touch-tone A 2 1700, 2200 red box "coin" 3 700, 1100 green box "coin collect" 4 770, 1633 touch-tone B 5 350, 440 dialtone 6 1100, 1700 green box "coin return" 7 852, 1633 touch-tone C 8 420, 620 busy tone 9 950, 1500 green box "operator release" 10 941, 1633 touch-tone D 11 440, 480 ringback (what you hear when calling someone) 12 2600 2600 Hz tone Blue box, left keypad Code: KEY FREQ DESCRIPTION 1 700, 900 blue box 1 2 700, 1100 blue box 2 3 900, 1100 blue box 3 (same as green box "coin collect") 4 700, 1300 blue box 4 5 900, 1300 blue box 5 6 1100, 1300 blue box 6 7 700, 1500 blue box 7 8 900, 1500 blue box 8 9 1100, 1500 blue box 9 10 1100, 1700 blue box "KP1" (same as green box "coin return") 11 1300, 1500 blue box 0 12 1500, 1700 blue box "ST" Blue box, right keypad Code: KEY FREQ DESCRIPTION 1 700, 1700 blue box 11? (same as green box "ringback") 2 900, 1700 blue box 12? 3 1300, 1700 blue box "KP2" 4 985 SIT first tone, high (No Circuit series) 5 1428.5 SIT second tone, high 6 1777 SIT third tone 7 913 SIT first tone, low (Operator Intercept series) 8 1371 SIT second tone, low 9 1777 SIT third tone 10 ---- not used 11 ---- not used 12 2600 2600 Hz tone How it works The 2600 sound normally is just a bunch of pseudo-random square waves. So how can you get sine waves out of that? The trick is that the 2600 has one sound mode which is "always on". Then all you need to do is play with the volume. Okay, but how about the timing? Fortunately, there is an accurate reference available, the video horizontal sync. The 2600 lets you halt the CPU until the horizontal sync, then you can be guaranteed to start exactly at the same place in every scan line. In order to generate a sine wave, there needs to be a lookup table. Then the rate at which you go through the table determines the output frequency. For sufficient accuracy, a 16-bit counter is needed, using the high byte as the offset into the 256 byte sine table, and the low byte as a 1/256ths fractional offset. As it turns out, the code to do this for both channels takes up 61 cycles in the scan line, including the syncronization. Using the undocumented LAX instruction saves four more cycles per scan line, for a total of 57 cycles. There are 76 cycles per scan line. Since JSR/RTS would take up 12 cycles alone, there wouldn't be enough time to do anything useful, so the code has to go inline on every scan line. 38 bytes per scan line times 240 scan lines equals 9120 bytes, which is way too big for 4K, but loops and strategic use of JSR/RTS keep the code bloat in check. Code: DoSound MACRO STA WSync ; 3 cycles CLC ; 2 26 (28) cycles for this group LDA CntAL ; 3 ADC StepAL ; 3 STA CntAL ; 3 LAX CntAH ; 3 this delays the sound by one scan line, but saves 4 cycles ADC StepAH ; 3 STA CntAH ; 3 LDA SinTab,X ; 4 sine table must be aligned on a 256-byte page boundary! STA AudV0 ; 3 CLC ; 2 26 (28) cycles for this group, too LDA CntBL ; 3 ADC StepBL ; 3 STA CntBL ; 3 LAX CntBH ; 3 ADC StepBH ; 3 STA CntBH ; 3 LDA SinTab,X ; 4 STA AudV1 ; 3 ENDM The tone frequences are stored in a lookup table as their step values. With a 15700Hz NTSC horizontal sync rate, the forumla is f*65536/15700, or f*4.174267516.