Introduction: Arduino-Based Blue Box (Phone Phreaking)

About: Me? Oh, I like bunny rabbits with floppy ears and chestnut fur.

History and Story

In the 1950s, 1960s, 1970s, 1980s and even up into the 1990s phone phreaking was an amazingly cool way to explore an unknown world of phone switching networks. To "phreak" a telephone switch, can be done by using frequencies, or tones to manipulate the switching hardware. In doing so, taking control of the hardware was simple and gave the "phone phreak" the power of an inward-operator.

Blue Box

"The blue box is an electronic device that simulates a telephone operator's dialing console. It functions by replicating the tones used to switch long-distance calls and using them to route the user's own call, bypassing the normal switching mechanism. The most typical use of a blue box was to place free telephone calls. The blue box no longer works in most western nations, as modern switching systems are now digital and no longer use the in-band signaling which the blue box emulates. Instead, signaling occurs on an out-of-band channel which cannot be accessed from the line the caller is using (called Common Channel Interoffice Signaling (CCIS)). The blue box got its name because the first such device confiscated in 1961 by Bell System security was in a blue chassis." - ProjectMF.org

Around the mid 1950s, Bell decided to publish an article on In-Band Signal Frequency Signalling (I swear they knew the whole time what would happen!) which "leaked" these frequency specifications. This led to hardware hacking enthusiasts and hobbyists, just like you and me, into creating their own multi-frequency tone synthesis devices called blue boxes. The frequencies are played at the same volume and for specific durations. For example, to dial a "1" as an inward operator, we would use 900Hz + 700Hz sine waves played for 66ms. If we stored digits we would play them for 66ms with 66ms pauses in between. The * and # keys are referred to as "KP" and "ST" respectively. And the only single frequency tone used is for seizing the trunk which is 2600Hz (this is what the original hacker quarterly "2600" magazine is actually named after). This is often referred to as "supervisory signalling," or "seizing the trunk."

As time went on, the older switching technologies started to fade out and the new packet-switched networks of today became more prevalent. This led to the decline (sometimes people say "death") of phone phreaking. In-band signalling (sending signals through the mouth piece of the phone handset) was good for gone. That is, until a brilliant phone phreak and hacker named PhiberOptik (Mark Abene) had the great idea of emulating the phone switches of old by hacking the open source Linux Asterisk PBX. In doing so, he made the Zaptel mechanism (used in older versions) recognize single and multiple frequency tones. He gave the presentation at H.O.P.E. (Hackers on Planet Earth) in 2006 and the Asterisks patches were then released on his website Project.MF.org Since then, there has also been a resurgence of antique telephone hardware into what is known as the Collector's Network. These invaluable resources empower anyone who ever wanted to phone phreak, explore, and control phone switching equipment but never got the chance to, the opportunity.

Let's Get Started!

I have come to you Instructables.com for the chance of spreading the word that phone phreaking is, in fact, alive and well! So, with this history and brief introduction in our belts, we can now move on to making our own blue box to phreak with.

Step 1: Arduino IDE and Library Setup

The advent of the Arduino put power into the hands of the same type of folks who originally designed the first blue boxes. We can write our own micro-controller code, use easily obtainable Radio Shack parts to design unique hardware and much, much more. There are many ways we can design our blue boxes and this article will only cover a simple few of them.

Tone Library

First is the Tone library - square wave - synthesis device. This device can be made using the Arduino Micro ATMega32u4 based chip with the Arduino (external) Tone library. The library needs to be modified to work with the ATMega32u4 chip and a modified version can be downloaded on my website here. This library and chip have only been tested with the Arduino IDE version 1.0.5 Now that we have the library and chip, we now need a simple schematic that we can use with a keypad.

Keypad Library

The Arduino Keypad library can be found here. All libraries need to be in the Arduino "libraries" directory located in the base of your IDE installation. e.g. C:\Users\trevelyn412\Documents\Arduino\libraries Most of the time this is as simple as extracting the library from a zip file, but check your library's documentation if advanced instructions for installation are required.

TMRpcm Library

Finally, the TMRpcm library is used by schematic 2 for playing WAV files from our second blue box. The author of this library was kind enough to help me via email as I was having difficulty with the non-existent SeeedStudio v3 SD card Shield documentation. It plays mono files at 32khz and below (I use 22khz) at 8 bit. There are however a lot of advanced functions and code optimizations that we can do by editing the pcmConfig.h header file, such as allowing a larger buffer space as we uncomment and change the line,

#define buffSize 128  //must be an even number

Also, by storing a single frequency WAV file onto the SD card, we need to lower it's actual cycles by 25. This means in Audacity, generate a tone for 2575hz rather than 2600 for supervisory signalling.

The sounds I have created are all in the directory "sounds" located at the root of the micro SD card. There are several notes by the Arduino community for storing files and accessing them via Arduino libraries located here. These are very important to follow by.

Hardware Required

In these tutorials I use the following parts,

  1. Simple 10k Ohm resistors
  2. Momentary push-buttons
  3. LED lit toggle power switches
  4. Arduino UNO && Arduino Micro
  5. SeeedStudio v3 SD Card Shield
  6. BLUE Advantus Super Stacker Crayon Boxes
  7. Blue LEDs
  8. 100k Potentiometers for volume
  9. 2.2uF non-polarized capacitor (optional)
  10. 9V batteries (one schematic uses 2 in parallel
  11. Rotary dial mechanism from old phone
  12. Velleman 4x4 keypad
  13. 150 Ohm telephone receiver speaker part #SD150(ph) (for optimal output)

And anything else is optional. The LEDs are optional and hardware with LEDs like the power switches are also optional. Changing the schematic for accommodate for these should be very easy.

Arduino Experience

This tutorial assumes very basic knowledge of the code used by the Arduino and how to set up a basic project using a bread board. I do, however go into instructions on how to manage these projects into boxes of their own, but that requires soldering and solder experience, in most cases.

Step 2: 1st Schematic

I will be showing you how to construct the two boxes that I have personally made using the Tone synthesis library and the Arduino UNO / SeeedStudio SD Shield - TMRpcm WAV file player versions. For two of these tutorials I will be using the Velleman 4x4 keypad. This is a very study keypad which comes with a pin-out diagram on the back of the package for easily hooking it up to the Ardiuno.

In the image above is the simplest schematic in this series. It uses only a 4x4 keypad, a single supervisory signalling button, a volume knob (potentiometer), and a stylish LED-lit power button. The momentary pushbutton requires the pin 10 also have a 10k Ohm resistance to ground. The other side of the switch goes directly to the 5V pin as we can see form the simple schematic. Developing this hardware layout is simple, but debugging can take hours. It's best to use a simple bread-board for those unfamiliar with schematic diagrams or electronics.

Step 3: Code for Schematic 1

Programming

The code for this new schematic in it's entirety can be found here on my pastebin.com profile. For the sake of this tutorial we will cover most of the key concepts of the syntax I have used. First of all the Arduino uses a programming language which is object-oriented; C++. This language is quite powerful and powers a lot of modern-day web site logic, micro-controllers, and much more!

Keypad

First we create a two dimensional array of integers that we use for holding the frequencies as specified per digit by the Wikipedia Blue Box page. We also set a duration as a typedef unsigned integer array. These integers are playback duration periods.

int bb[16][2] = { // MF 0,1,2,3,4,5,6,7,8,9,kp,st,2400+2600,kp2,st2,ss4 super<br>  {1300,1500},{700,900},{700,1100},      // 0,1,2
  {900,1100},{700,1300},{900,1300},      // 3,4,5
  {1100,1300},{700,1500},{900,1500},     // 6,7,8
  {1100,1500},{1100,1700},{1500,1700},   // 9,kp,st
  {2600,2400},{1300,1700},{900,1700},    // 2400+2600,kp2,st2
  {2400,2040},                           // ss4 Supervisory
};
<p>uint8_t bbdur[2] = {60,100};</p>

Next, we create an array matrix of keys as characters. These characters will be used each time a button on the keypad is pressed. We also set the rows and pins integer arrays.

char keys[4][4] = {<br>  {'1','2','3','a'},
  {'4','5','6','b'},
  {'7','8','9','c'},
  {'#','0','*','d'}
};
<p>byte rowPins[4] = {5,4,3,2}; //connect to the row pinouts of the keypad<br>byte colPins[4] = {9,8,7,6}; //connect to the column pinouts of the keypad</p>

Next we create a keypad object and a simple array of Tone objects. Since we are playing tones out of two pins at once, this just makes our lives simpler when writing and debugging the code.

Tone freq[2]; // array of Tone objects, now we can play as freq[0].play(); etc<br>Keypad keypad = Keypad(makeKeymap(keys),rowPins,colPins,4,4);

Reading Buttons and Playing Tones

In the setup() function, we need to set the freq[0] and freq[1] pins for output. This is simple. We also set the "pin mode" for the 2600 button and set an event-listener, which is a procButton() button processing custom function call. This is event-driven programming. This basically means that we "listen" for keys to be pressed, which would be an "event." The main loop() function is what handles the events and listeners for us.

freq[0].begin(11); // Initialize our first tone generator<br>freq[1].begin(12); // Initialize our second tone generator
pinMode(10, INPUT); // 2600 button
keypad.addEventListener(procButton);

We have kept our main loop() method simple, which is good since it is constantly being called. The first line,

char button = keypad.getKey();

basically calls the getKey() method of the keypad object to see if and which key was pressed. The code,

if(digitalRead(10)==HIGH){ // play 2600Hz if top button pressed<br>  super(); // supervisory signalling
}

simply listens for voltage on pin 10 and if found, plays the 2600hz frequency by calling the custom supervisory signalling super() function. This is the very first function defined just below the loop() function. It is also the first function to call the custom single frequency playing sf() function as,

sf(2600,750);

The arguments we pass to this function are the frequency to be played, and the duration. After lexically assigning the frequency and duration to integer variables of the same names, the custom sf() function only calls a single play method on a single pin as,

freq[0].play(frequency,duration);

This is our first look at the tone synthesis play method from the Tone library. So, if you can imagine playing two tones, for multi-frequency would look similar, but with two pins, as,

freq[0].play(frequency,duration);<br>freq[0].play(frequency,duration);

And that is exactly what the custom multi-frequency playing mf() function does.

So how do we process each key press in the procButton() function? Using a case-switch logic. The constants "RELEASED," "PRESSED," and "HOLD," (not "HELD" for some strange reason), are part of the keypad library and we can use the in a case-switch logic block as,

switch (keypad.getState()){<br>case RELEASED: // drop right away
  // do some stuff
  break;
case PRESSED: // momentary
  // do some stuff
  break;
case HOLD: // HELD (special functions)
  // do some stuff
  break;
}

And that's exactly what we do. Since the procButton() function is an event-handler called by the loop() function, we get a keypadevent object passed to it's handler procButton(). This object can be treated as a simple character - and we do that by simple subtracting the integer 48 from it to obtain which key was pressed from 0-9.

void procButton(KeypadEvent b){<br>  b -= 48;

Now we know which key was pressed and pass it to the mf() function which uses the multidimensional array bb[] which we created earlier to play the mf tones. You may have noticed that the KP (*) and ST (#) are not 0-9. This is correct, as they come through and after the subtraction are -13 and -6 respectively. The mf() function then handles these as,

}else if(digit==-13){<br>  digit = 12;  // *     
}else if(digit==-6){       
  digit = 14;  // #

This then plays the tones as they are assigned in the bb[] multi-dimensional array.

We have now covered all of the key concepts programmatically with this schematic (1), let's move onto the second schematic and how we can play WAV files which offer a completely different sound to our blue boxes.

Extra Features

This code provides a massive amount of extra features including recording digits into and array for playback, and different modes of operation. The code is very straight forward Arduino C++ code. Long press 'A' to cycle through the different modes. Each time we change modes the notifyMode() function will pulse out a code of 440hz beeps to let us know which mode we are currently using. All modes are fully described on my weblog here or on the Wikipedia page for blue box specifications.

Step 4: Schematic 2

This schematic involves the use of the SeeedStudio SD card shield for the Arduino UNO. I am using the discontinued v3 Shield from SeeedStudio. The on-board toggle switch is to switch back and forth between the micro-SD slot and the standard SD slot.

The schematic shows a multi-colored LED being used, simply because I didn't have an extra single Blue LED laying around. Everything else is seemingly the same as the previous version (schematic 1).

This device is actually a lot simpler than the first as far as the code goes - but a lot more advanced as well. The reason being is that it is very easy to run out of memory with the Arduino UNO, and there seem to be a lot of bugs. So the only concept we will be covering is how to play the WAV files and a few caveats of storing playable WAV files on your Micro SD card.

Pin 9 is used by the TMRpcm library for playing back tones, so this interrupts our sequential 2-9 keypad pin layout. Also pins 10-13 are being used by the SD card shield which leaves us with no extra pins to finish our button and last keypad pins on the right side of the board. No worries, we can use the Analogue input pins on the left side (as you can see from our schematic 2 in the image above).

Step 5: Code for Schematic 2

Programming

The code differences are not very hefty for this version. The complete code-listing is available on my pastebin.com profile here. We should, however also cover how to record the WAV files which we will do below the code analysis section. We are, in fact using a different micro-controller board - the Arduino UNO and should make the changes to specify for it in the IDE.

Three new pre-processor directives are used,

#include  // preprocessor directives (header files)<br>#define SDPIN 10    // SD Card Pin for SeeedStudio SD Card Shield
#include  // to play WAV files

In the setup() function we use the code,

if (!SD.begin(SDPIN)) {<br>  Serial.println("initialization failed!");   
}else{     
  Serial.println("initialization success!");   

}
tmrpcm.speakerPin = 9; //11 on Mega, 9 on Uno, Nano, etc   
tmrpcm.setVolume(3); // set volume here (test for distortion)

To initialize the SD card by mounting it's file system, set the speaker output pin used by the TMRpcm object as 9, and also to set the volume programmatically. Setting the volume programmatically can also be done by using a simple button listener of for a keypad callback, but I left this up to the potentiometer as the software defined volume seemed to add a bit of distortion to the tones.

We create a simple TMRpcm object as,

TMRpcm tmrpcm; // create sound playing object

Then, we can now call the play() method and pass to it a character array, as,

tmrpcm.play("sounds/blusin01.wav");

And that's it.

Notes on File Names

The naming conventions especially! I chose to stick with a simple 8 character limit for every file. for example 0-9 MF tones,

  • blusin00.wav
  • blusin01.wav
  • blusin02.wav
  • blusin03.wav
  • blusin04.wav
  • blusin05.wav
  • blusin06.wav
  • blusin07.wav
  • blusin08.wav
  • blusin09.wav

This ensured good compatibility and should be followed at least for the purposes of this documentation.

File Creation with Audacity

I used Audacity to create all of my sound files. When you first open audacity at the bottom left side of the screen you can change the frequency to 22khz from the default 44khz. Then got to "Generate->Tone" and select 700 as the frequency. I use an amplitude of 0.5 which works well with low distortion. Click the right down arrow and select the only option with "milliseconds" and then set the value to, 00.00.00.066 which is 66 milliseconds.

Next, click anywhere in the grey area outside of the tone clip and repeat the process but choose 900hz. This will create another mono channel tone just below the first as seen in the screenshot above. Now click "File->Export" and save it as "Other Uncompressed Files." Click on the "options" dialog and select "unsigned 8bit Microsoft PCM."

Save it to the sounds directory of the SD card and it should now be playable by the Arduino code.

Step 6: Schematic 3 (Rotary Mechanism)

Our last blue box uses an old rotary mechanism on the face, just like Ralph Barclay's original blue box. The schematic for this is easier in some ways, but more advanced in others. Since the rotary mechanism only uses 2 pins, that is easier. I got the idea for this box from my friend Mathew Hesse and the phone mechanism was donated to me from my mom.

But, there is no KP, or ST on a rotary mechanism, so we need to specify those as external buttons! This far we have only worked with single external button implementations. For this reason I have created a separate schematic to show how to use three momentary push buttons in the color image above. When using actual two-pin push buttons the schematic become even simpler.

The black and white schematic is the entire project which is incredibly simple. This is the first implementation in which I use the 470 Ohm resistor and the layout for the rotary device is borrowed from another instructables.com project by guidomax here.

The rest of the design should not be anything new if you have followed along with the entire project this far.

Step 7: Code for Schematic 3 (Rotary)

Programming

Again, I need to give credit to guidomax for his instructables.com tutorial as I have borrowed some of his code for this project. The entire code listing can be found on my pastebin.com profile here.

The single input pit used is pin 7 and we define it in the setup() function. as,

pinMode(in, INPUT); // input for rotary device

We also set our Tone objects in the pin[] array and set pins as input for 2600hz, KP, and ST.

pin[0].begin(pin0); // Initialize our first tone generator<br>pin[1].begin(pin1); // Initialize our second tone generator
pinMode(b2600, INPUT); // 2600 button
pinMode(bst, INPUT); // 2600 button
pinMode(bkp, INPUT); // 2600 button

Next in the loop() function we simply call two functions, one for checking if the buttons were pressed, and one for checking if the rotary dial was accessed. The buttons() function uses digitalRead() to check for the presence of voltage across the specified pins. If the 2600hz button was pressed, we simply check to see if digits were previously stored and if so play them back by looping over the stored integer array and calling mf() per digit until we reach a -1 value. If you haven't noticed this far, this is pretty much how we playback digits for each box except for the strange memory issue with our Arduino UNO box (schematic 2).

Handling Rotary Input

The rotary() function gets a voltage read on our rotary dial pin using digitalRead() as,

int reading = digitalRead(in);

This returns to reading the value of the constant - HIGH or LOW. If it differs from it was last read - stored in lastState we take note of the time using the millis() function as,

lastStateChangeTime = millis();

This is used when we check the difference between the current time at the beginning of the function to the lastStateChangeTime. if it's greater than 100 milliseconds, we continue to play an MF tone. The previously pressed stored digit is checked and if we hit a control digit twice, we enter a new mode. This is how we start recording digits in this box. For this box, we can press KP twice to begin record mode to record digits. KP can then again be used as we can MF the number, KP,1,2,1,ST, for instance and then hit KP twice again to end record mode. To change to pulse dial mode, which is a mode I created after seeing the Joe Engressia video on pulse dialing, simply press ST twice.

Step 8: The Chassis

Model of Box

The chassis of all the projects listed so far in this tutorial fit perfectly fine into the Advantus SuperStacker Crayon Boxes available from Walmart.com

Circular Holes

To carve out holes for the components I simply used s steak knife with a sharp tip and twisted it around while applying pressure to the chassis or face-plate. It doesn't really have to look pretty, as the washers and nuts will cover slight mistakes.

Square Holes

The USB port holes were made using a small pear knife that I held over the flame of a candle for a few seconds. For the USB B port and external power adapter squares, I simply cut a square smaller than the port itself and then widened it slowly and carefully using a scalpel or razor blade.

All excess burned or ripped plastic around the holes I created was removed with a scalpel or razor blade.

Dremel Tool

The Dremel Tool was very useful for many things, not just drilling small holes. I used the cutting disc to shorten a potentiometer arm, and the drill bit to carve out the strange, large shape of the rotary dial mechanism.

I laid the rotary dial mechanism onto the face plate and took advantage of it being clear by drawing around the portion which protrudes through into the case with a black Sharpie marker. After that I simply used a plain drill bit in my Dremel Tool and drilled a hole into the plastic directly on the black line and then followed the line around while carving the shape out of the plastic.

Be very careful and wear protective eye wear when doing any of these methods!

Step 9: Acknowledgements

Further Reading

I have an Instructables.com tutorial on setting up your own old fashioned phone switch (ProjectMF): https://www.instructables.com/id/ProjectMF-Installation-Phone-Phreaking/

You can check out my weblog for more detailed development logs for each one of these boxes,

BlizzyB Heron - http://weaknetlabs.com/main/?p=2568

BlizzyB Ocean - http://weaknetlabs.com/main/?p=2785

BlizzyB Ocean speaking video with new volume knob (potentiometer): https://www.youtube.com/watch?v=SJ1NCB7bQks

Original Blizzard Box - http://weaknetlabs.com/main/?p=2254

SpinnyB (Rotary) - http://weaknetlabs.com/main/?p=2656

Audio

If you'd like to here some high quality phone phreaking recordings, recorded in the hay-day of phreaking, check out the Evan Doorbell narrated recordings at the Phone Trips website here.

Books

Phil Lapsley just recently wrote a great book on the subject and history of phone phreaking. He goes into great detail and went through a rigorous interview process with many phone phreaks before writing. I highly recommend it! - Exploding the Phone

ProjectMF and (Accessible) Old Switches

Also, to view videos of a ProjectMF Asterisk implementation in action, check out my phone phreaking videos on my YouTube.com channel here! Check out the Collector's Network to test out your new Blue Box here. Simply click on "Inbound Portals" and dial in using the number for your region. Then you can access any exchange and subscriber digits from there.

If you'd like your own ProjectMF switch, you can check out my Instructables.com tutorial on how to do so here.

Thank You

Thank you to Guidomax for the rotary mechanism code and implementation Thank you Mathew Hesse for the idea of the rotary blue box, SpinnyB! Thanks to my Mom and Julie for being patient with me while making these cool boxes! Thanks to DF99 for the help with the ProjectMF Box (which will be yet another instructable.com tutorial to come in the near future :))