Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!cs.utexas.edu!uunet!kitty!larry From: larry@kitty.UUCP (Larry Lippman) Newsgroups: sci.electronics Subject: Re: How to Hack Payphones (?!) Summary: Coin telephone operation... Keywords: hack, payphone Message-ID: <3216@kitty.UUCP> Date: 10 Jun 89 04:58:54 GMT References: <3685@tank.uchicago.edu> Distribution: usa Organization: Recognition Research Corp., Clarence, NY Lines: 67 In article <3685@tank.uchicago.edu>, barry@arthur.uchicago.edu writes: > A friend recently showed me a "technique" for making free phone > calls from a payphone. > > I don't want to promote this method---I just want to know what > how the phone hardware/software allows this to occur. > > step (1): get paper clip, and straighten it out. > step (2): puncture the metal cover that is underneath the > part of the phone you speak into---specifically, poke > it through the hole closest to where the cord connects > to the receiver. > step (3): insert paper clip into the puncture, and scratch the exposed > end against a metal surface while dialing your number. > > [Note: I have not been able to do this succesfully myself---but a random > sampling of three payphones in the U of Chicago Science Library found > that all three had the tell-tale hole of step (2).] > > So---How does it work? (And does it work?) It is indeed possible for this to work under most circumstances where: (1) coin telephone is a "traditional" 1C2 or equivalent single-slot coin telephone set arranged for dial tone first (DTF) service; and (2) the central office (CO) apparatus is AT&T or Northern Telcom. In a DTF coin telephone the dial and talk circuit is enabled upon picking up the handset, without requiring any coin deposit. The user can proceed to dial a number forthwith. If the dialed number is a "free" call (such as operator, directory assistance, 911 or 800-number), the call can proceed with no coin. If the dialed number is a local call requiring a coin deposit, the user may be allowed to complete dialing of the entire number. The CO apparatus identifies the dialed prefix and verifies that it is a local call; it then tests for an "initial rate" coin deposit. If the initial rate deposit is made, the call completes; if there is no money or insufficient money, the call is routed to an intercept recorder which informs the user to hang up, deposit the initial rate, and dial again. The CO apparatus detects the deposit of the initial rate by means of a ground placed on the line by the coin telephone circuit. This ground is balanced between tip and ring, so that no hum (caused by longitudinal imbalance) is introduced into the talk and DTMF dialing circuit. The coin telephone contains a "totalizer" circuit, which is an electromechanical device (aided by some solid-state circuitry and relays) that counts the value of the deposited coins, and provides a contact closure when the initial rate is achieved. The above fraudulent call technique works by spoofing the ground placed on the line by the totalizer circutry in the coin telephone. While shorting one lead of the carbon transmitter to ground does not produce a balanced ground (thereby resulting in hum on the line), it will usually result in a condition which will permit DTMF dialing. Depending upon the particular CO apparatus, the ground needs to be present as soon as the first three digits of the call are dialed (if pre-translation is used), or within milliseconds of the last digit being dialed (if pre-translation is not used). Needless to say, the above technique results in damage to the carbon transmitter, and is therefore unlawful not only from the standpoint of the fraud itself, but from the standpoint of causing damage to the coin telephone. <> Larry Lippman @ Recognition Research Corp. - Uniquex Corp. - Viatran Corp. <> UUCP {allegra|boulder|decvax|rutgers|watmath}!sunybcs!kitty!larry <> TEL 716/688-1231 | 716/773-1700 {hplabs|utzoo|uunet}!/ \uniquex!larry <> FAX 716/741-9635 | 716/773-2488 "Have you hugged your cat today?"