2600 red box demo

[yuppicide]

Red Boxing has been dead for many many years now. I remember back when I worked for Radio Shack people would come in to buy our pocket dialers to make red boxes out of them. My store manager owned one.

[Shawn]

Phone Phreaking was a small hobby of a friend & mine when we where in High School. Almost got us both in alot of trouble when we started to think about making "The Call" to make our whole city "ring out in joy" glad we didn't figure it out properly we could have been in alot of trouble (and I might be in a Federal Room & Board instead of sitting here typing about it) It all started with reading about how the phone line had enough power to run a small light bulb and when I doubted it was true I tried it and it was all down hill from there. But it was alot of fun none the less. Man this cart you made just brought back a blast of memeories. Thanks!! P.S. you cart is cool too!!

[NovaXpress]

Ah, the good old red boxes. I think I saw them up through 97 or so. I knew a guy who made and sold them.

 

I'm also nostalgic for the days of free pay-per-view.

[Big Player]

I'm also nostalgic for the days of free pay-per-view.

 

Sometimes you didn't need to do any hacking at all to get free pay-per-view. In Columbus, Time Warner Cable had the pay-per-view channels right in the line with the rest of the channels. If you kept the channel on for more than 3 minutes, you got charged for show. In Cincinnati, with the same cable company, you had to press a red authorize button to start the show.

 

But what we learned after some experimentation was that the counter reset if you flipped the channel off and then back. We watched the Evander Holyfield-Buster Douglas fight and didn't pay a dime. My roommate had a stopwatch and we just made sure to change channels before the 3 mintues was up. It was perfect for the 3 minute rounds in boxing.

[Bruce Tomlin]

Here's my first draft at instructions for this thing:

 

2600 Red Box / Blue Box

 

Now you too can be t3h 3133+ fone phreak... but only if you have a long enough extension cable to your Atari 2600! Relive the bygone days of analog toll fraud!

 

Or just use your Atari 2600 to dial you Mom... because you can.

 

Instructions

 

* Insert cartridge into console

* Connect keyboard controllers

* Turn power on

* Use the select switch to change between red box and blue box mode

* Use the keypad buttons to play tones

 

Don't Try This At Home

 

Toll fraud isn't funny. Well, actually it is kind of funny, but not to the phone company or law enforcement agencies. How would you like to tell your cellmate Bubba what you're in for?

 

Besides, these things really don't work any more. Red and green boxing are dead because cell phones have all but killed pay phones, and the pay phones that remain have surely been upgraded to not be controlled by silly in-band tones. Blue boxing died even earlier thanks to digital trunk lines and time-division multiplexing.

 

About dual-tone signalling

 

Back in the good old days, before everything went digital, the only way to control a phone line was by using tones. This was called "in-band signalling", as opposed to "out-of-band signalling" which uses a separate circuit for line control.

 

Using a single tone to mean something would be obvious, and rather simple to implement, but it would have one big problem: random noise on the phone line could be accidentally detected as a signal. The solution to the noise problem was to use two signals. There is also a problem of harmonics causing accidental signals, which is why touch-tone dialing uses such odd frequencies.

 

About touch-tone dialing

 

In the beginning, to call anybody you had to go through an operator. The operator (originally male, until the usual pranks of teenage boys caused a switch to women) would pull down some plugs and use them to connect your circuit.

 

If we still used human operators for every call, a quarter of the population would have to be employed today as operators. So instead, the phone company just made everybody into an operator and made dialing automatic. This used a dial which made a number of short pulses, depending on what number you dialed. These pulses would control a "step switch", which had ten positions and stepped through them as the pulses were received.

 

Then the phone company realized that these things were big, expensive, and required a lot of maintenance. So they wanted to have computers run everything. But a bunch of pulses that have to be counted isn't exactly the best kind of input to a computer. And it's slow if you have a lot of nines and zeros in a phone number.

 

Thus was born touch-tone dialing, using "Dual Tone Multi-Frequency" tones. Each tone could be decoded immediately into a number. And they could charge extra for this feature, even though it made things easier for the phone company. In fact, if you're in the United States, you probably can't even use pulse dial! The circuitry to count the pulses costs the phone company money, and almost nobody uses pulse dialing any more, so they only connect pulse-dialing circuitry to the people who refuse to pay for touch-tone. So with touch-tone dialilng, you get to pay more money and it's cheaper for the phone company!

 

A rarely used feature of touch-tone is the fourth column. These buttons are labeled A, B, C, and D. The only use I'm aware of for the fourth column was in the US military's AUTOVON system.

 

About red boxing

 

Pay phones needed some way to let the phone company know when you inserted a coin. Originally your coin would ring bells, and a human operator could count your dings and gongs. But electronic equipment works a lot better with simple tones. So one pair of tones was used for the coin mechanism. The different value coins (nickels, dimes, and quarters) would each create a unique "cadence", or pattern of notes. A nickel would be one long tone, a dime would be two long tones, and a quarter would be five short tones.

 

A red box is a tone generator designed to create this particular pair of tones. It just so happens that the ratio of the two frequences used for the touch-tone "*" key is almost the same as that of the coin tones. When you replace the 3.58 MHz crystal (a standard TV colorburst crystal) with a 6.5536 MHz crystal (65536 being notable as 2 to the power of 16), the tones of all the buttons are raised in frequency, and the "*" key is now very close to a proper coin tone.

 

The important part of using a red box is to get the cadence right. You should expect a human phone operator to have heard the correct cadence often enough to easily know when you're faking it. Also, the phone mutes the microphone while sending the tone, and if there isn't the sound of clunking coins around the beeps, that's another tip-off to an operator.

 

About green boxing

 

Pay phones also need control signalling. The operator has the ability to return your coins (because you need a real coin to get dialtone, even if you're dialing a 1-800 number). Green box tones are what the operator uses to control a pay phone. Of course these don't work at all from the pay phone itself, and you have to do it from the called party.

 

Operator Release (activates the circuitry which listens for green box tones)

Coin Collect (drop the coins into the box)

Coin Release (return the coins out the slot)

Ringback (I think this makes the phone ring)

 

About blue boxing

 

Blue boxing uses the signals that control long distance trunks. These are the tones that long distance operators would use to dial a number in an operator-assisted call. A 2600Hz tone would cause the phone company equipment to think that the call had been terminated, and in particular the billing system would stop. But the trunk would still be open. By sending the right sequence of tones, you could call someone without being billed.

 

The tones used by the phone company were generated by high-precision equipment with large coils, then distributed by wires to all the operator stations. For years, the phone company's hubris kept them from believing that a small board with cheap transistor oscillators could be accurate enough to be useful. Of course the difference is that the phone company needed dozens of stations with accurate tones, and using cheap transistor oscillators would mean constant maintenance and tuning. A blue boxer only had one board to tune, and it was easy to keep within the tolerance needed to do the job.

 

About the Special Information Tones

 

When you hear that "boop-boop-beee! The number you have dialed is...", the first three tones are called Special Information Tones. You may not realize it, but there are multiple combinations of these tones. Each of the first two tones can be one of two frequencies, and can be either short or long. The last tone is always the same, 1776.7Hz, supposedly a reference to July 1776.

  Name  Description         First tone     Second tone     Third tone
  NC   No Circuit          985.2Hz 380ms  1428.5Hz 380ms  1776.7hz 380ms
  IC   Operator Intercept  913.8Hz 274ms  1370.6Hz 274ms  1776.7Hz 380ms
  VC   Vacant Circuit      985.2Hz 380ms  1370.6Hz 274ms  1776.7Hz 380ms
  RO   Reorder             913.8Hz 274ms  1428.5Hz 380ms  1776.7Hz 380ms

The most interesting use of these tones involves telemarketing junk phone calls. Most of the automated telemarketing dialing equipment made until recently will detect these tones and actually take your number off their list if it hears them! Even more amazing, many of them will give up after hearing the first tone! There is a device called the "TeleZapper" which can automatically generate either a single 913.8Hz tone or a sequence of three tones after any phone is picked up. It's really satsifying to pick up the phone, hear the tone, then the line goes dead as another telemarketer gets phooled.

 

Tone list

 

Red box, left keypad

  KEY     FREQ      DESCRIPTION
  1    697, 1209   touch-tone 1
  2    697, 1336   touch-tone 2
  3    697, 1477   touch-tone 3
  4    770, 1209   touch-tone 4
  5    770, 1336   touch-tone 5
  6    770, 1477   touch-tone 6
  7    852, 1209   touch-tone 7
  8    852, 1336   touch-tone 8
  9    852, 1477   touch-tone 9
 10    941, 1209   touch-tone *
 11    941, 1336   touch-tone 0
 12    941, 1477   touch-tone #

Red box, right keypad

  KEY     FREQ      DESCRIPTION
  1    697, 1633   touch-tone A
  2   1700, 2200   red box "coin"
  3    700, 1100   green box "coin collect"
  4    770, 1633   touch-tone B
  5    350,  440   dialtone
  6   1100, 1700   green box "coin return"
  7    852, 1633   touch-tone C
  8    420,  620   busy tone
  9    950, 1500   green box "operator release"
 10    941, 1633   touch-tone D
 11    440,  480   ringback (what you hear when calling someone)
 12      2600      2600 Hz tone

Blue box, left keypad

  KEY     FREQ      DESCRIPTION
  1    700,  900   blue box 1
  2    700, 1100   blue box 2
  3    900, 1100   blue box 3 (same as green box "coin collect")
  4    700, 1300   blue box 4
  5    900, 1300   blue box 5
  6   1100, 1300   blue box 6
  7    700, 1500   blue box 7
  8    900, 1500   blue box 8
  9   1100, 1500   blue box 9
 10   1100, 1700   blue box "KP1" (same as green box "coin return")
 11   1300, 1500   blue box 0
 12   1500, 1700   blue box "ST"

Blue box, right keypad

  KEY     FREQ      DESCRIPTION
  1    700, 1700   blue box 11? (same as green box "ringback")
  2    900, 1700   blue box 12?
  3   1300, 1700   blue box "KP2"
  4       985      SIT first tone, high (No Circuit series)
  5      1428.5    SIT second tone, high
  6      1777      SIT third tone
  7       913      SIT first tone, low (Operator Intercept series)
  8      1371      SIT second tone, low
  9      1777      SIT third tone
 10      ----      not used
 11      ----      not used
 12      2600      2600 Hz tone

How it works

 

The 2600 sound normally is just a bunch of pseudo-random square waves. So how can you get sine waves out of that? The trick is that the 2600 has one sound mode which is "always on". Then all you need to do is play with the volume. Okay, but how about the timing? Fortunately, there is an accurate reference available, the video horizontal sync. The 2600 lets you halt the CPU until the horizontal sync, then you can be guaranteed to start exactly at the same place in every scan line.

 

In order to generate a sine wave, there needs to be a lookup table. Then the rate at which you go through the table determines the output frequency. For sufficient accuracy, a 16-bit counter is needed, using the high byte as the offset into the 256 byte sine table, and the low byte as a 1/256ths fractional offset.

 

As it turns out, the code to do this for both channels takes up 61 cycles in the scan line, including the syncronization. Using the undocumented LAX instruction saves four more cycles per scan line, for a total of 57 cycles. There are 76 cycles per scan line. Since JSR/RTS would take up 12 cycles alone, there wouldn't be enough time to do anything useful, so the code has to go inline on every scan line. 38 bytes per scan line times 240 scan lines equals 9120 bytes, which is way too big for 4K, but loops and strategic use of JSR/RTS keep the code bloat in check.

DoSound  MACRO

       STA     WSync  ; 3 cycles

       CLC ; 2    26 (28) cycles for this group
       LDA     CntAL  ; 3
       ADC     StepAL ; 3
       STA     CntAL  ; 3
       LAX     CntAH  ; 3 this delays the sound by one scan line, but saves 4 cycles
       ADC     StepAH ; 3
       STA     CntAH  ; 3
       LDA     SinTab,X; 4 sine table must be aligned on a 256-byte page boundary!
       STA     AudV0  ; 3

       CLC ; 2    26 (28) cycles for this group, too
       LDA     CntBL  ; 3
       ADC     StepBL ; 3
       STA     CntBL  ; 3
       LAX     CntBH  ; 3
       ADC     StepBH ; 3
       STA     CntBH  ; 3
       LDA     SinTab,X; 4
       STA     AudV1  ; 3

       ENDM

The tone frequences are stored in a lookup table as their step values. With a 15700Hz NTSC horizontal sync rate, the forumla is f*65536/15700, or f*4.174267516.

Edited January 24, 2006 by Bruce Tomlin

[+batari]

That's brilliant, to change the volume to simulate a sine wave. So is your 256-byte sine table is just one phase (0-180 degrees) of the wave, or does it do both phases but put in the absolute value in the second phase?

 

I wonder how this might work with the sound only on every other line. It would reduce the effective sample rate to 7.85 Khz which means that you'd get aliasing at frequencies above the nyquist rate of 3.925 Khz, so the range is more limited but should be fine for most music and maybe even your tones. I suppose you might get some audible harmonics, given the lower sample rate and the stairstep sine wave, but on a television this might not be too bothersome. But doing it on every other line, it seems that you'd have enough cycles for an improved graphical interface. or perhaps a game with cool music.

 

Also on the vein of a game with cool music, is there any reason that the full wave could be put in the table, complete with negative phase, so that two waves could be added together, converted to absolute value then stored into one channel, essentially creating a two-voice sound on one channel, leaving the other channel for game sounds?

 

Anyway, just brainstorming here. If anyone has any other thoughts, feel free to respond.

[Bruce Tomlin]

That's brilliant, to change the volume to simulate a sine wave.  So is your 256-byte sine table is just one phase (0-180 degrees) of the wave, or does it do both phases but put in the absolute value in the second phase?

360 degrees... anything less would have taken too much CPU. Also, branches are pointless in the macro because it's the maximum time that the macro takes to execute that matters.

 

I wonder how this might work with the sound only on every other line.  It would reduce the effective sample rate to 7.85 Khz which means that you'd get aliasing at frequencies above the nyquist rate of 3.925 Khz, so the range is more limited but should be fine for most music and maybe even your tones.  I suppose you might get some audible harmonics, given the lower sample rate and the stairstep sine wave, but on a television this might not be too bothersome.  But doing it on every other line, it seems that you'd have enough cycles for an improved graphical interface.  or perhaps a game with cool music.

Especially if you wouldn't be trying to create a pair of sine waves at an arbitrary frequency. Every other scan line and a much shorter sound kernal would let you something useful. And you could a JSR to save code space. In this cart, to do anything with the graphics, I had to set up the TIA at startup and not move anything.

 

Remember: I had to generate two arbitrary frequency sine waves. Nothing else works for DTMF. Sine waves don't make for good game music, and there's no need to go that much work for game sound. It's a tradeoff: I didn't need flashy graphics, but I needed precision sound.

 

Also on the vein of a game with cool music,

Sine waves != cool music

 

is there any reason that the full wave could be put in the table, complete with negative phase, so that two waves could be added together, converted to absolute value then stored into one channel, essentially creating a two-voice sound on one channel, leaving the other channel for game sounds?

Well, you'd lose one bit of resolution right away (two channels means I effectively have 5-bit D/A), and you'd have to actually add the two samples together (clc + add + lsr = 3 + 2 + 2 = 7 cycles more work), but if you were doing a 2-line kernel and discrete samples in a big 3E cart, there would be time to do game stuff every other scan line.

[Bruce Tomlin]

Wednesday evening, as I was burning some EPROMs to make carts to take with me to vgExpo, I noticed a scan line count bug. If there was no keyboard controller in the right controller port, the first three lines of the left keyboard controller would cause the display to bump up and down.

 

The really absurd thing is that I fixed it by making the code 12 bytes smaller.

 

So anyhow, I've finished making 10 carts using recycled Atari 4K boards. (curse them and their 2532 pinout) Tomorrow I need to print up a bunch of labels and instructions.

[SiLic0ne t0aD]

Any of these carts still around by any chance? I really used to be into phreaking, it would be a great novelty item for my collection. Very cool idea, cheers!