[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]

..[ Phrack Magazine ]..
.:: Lifting Ma Bell's Cloak Of Secrecy ::.

Issues: [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [ 22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ] [ 27 ] [ 28 ] [ 29 ] [ 30 ] [ 31 ] [ 32 ] [ 33 ] [ 34 ] [ 35 ] [ 36 ] [ 37 ] [ 38 ] [ 39 ] [ 40 ] [ 41 ] [ 42 ] [ 43 ] [ 44 ] [ 45 ] [ 46 ] [ 47 ] [ 48 ] [ 49 ] [ 50 ] [ 51 ] [ 52 ] [ 53 ] [ 54 ] [ 55 ] [ 56 ] [ 57 ] [ 58 ] [ 59 ] [ 60 ] [ 61 ] [ 62 ] [ 63 ] [ 64 ] [ 65 ] [ 66 ] [ 67 ] [ 68 ]
Current issue : #24 | Release date : 1989-02-25 | Editor : Taran King
Phrack Inc. XXIV IndexKnight Lightning & Taran King
Phrack Pro-Phile XXIV Featuring Chanda LeirTaran King
Limbo To Infinity; Chapter Three of FTSagaKnight Lightning
Frontiers; Chapter Four of FTSagaKnight Lightning
Control Office Administration Of Enhanced 911 ServiceThe Eavesdropper
Glossary Terminology For Enhanced 911 ServiceThe Eavesdropper
Advanced Bitnet ProceduresVaxBuster
Special Area Codesunknown
Lifting Ma Bell's Cloak Of SecrecyVaxCat
Network ProgressionDedicated Link
Phrack World News XXIVKnight Lightning
Phrack World News XXIVKnight Lightning
Phrack World News XXIVKnight Lightning
Title : Lifting Ma Bell's Cloak Of Secrecy
Author : VaxCat
                                ==Phrack Inc.==

                      Volume Two, Issue 24, File 9 of 13

         |                                                          |
         |            Lifting Ma Bell's Cloak Of Secrecy            |
         |            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~            |
         |           A New Look At Basic Telephone Systems          |
         |                                                          |
         |                         by VaxCat                        |
         |                                                          |

Though telephones predate radio communications by many years, they aren't
nearly as simple as they appear at first glance.  In fact, some aspects of
telephone systems are most interesting and quite ingenious.  In this file, I
will describe some of these more interesting and perhaps less well-known areas
of telephone systems.  Before going any further, let me explain and apologize
for the fact that some of the information in this file may not be altogether
complete, up to date, or even totally correct.

I do not work for any phone company, and therefore, I do not have unlimited
access to internal telephone company literature.  Moreover, there is very
little material available in books or magazines which describes how United
States telephone systems work.  Much of the information in this file has been
obtained piece-meal from many different sources such as books, popular
magazines, computer data communications journals, handbooks, and sometimes just
plain hearsay.

I have tried to correlate as much as possible all the little bits and pieces
into a coherent picture which makes sense, but there is no easy way to be sure
of all the little details.  So think of this article as if it is a historical
novel - generally accurate and, regardless of whether it is completely true or
not, fascinating.  With this out of the way, let's go on.

You, as a customer, are generally referred to as the "subscriber."  Your
telephone connects to the Central Office through a two-wire cable which may be
miles long, and which may have a resistance on the order of hundreds or even
thousands of Ohms.  This cable is essentially a balanced line with a
characteristic impedance of around 900 Ohms, but this varies greatly with
different cables, different weather conditions, and different calls.  This is
why it is so hard to keep a hybrid phone-patch balanced.

The main power in the central office comes from 48 volt storage batteries which
are constantly kept trickle-charged.  This battery is connected to your line
through a subscriber relay and a balanced audio transformer.  The relay is
sensitive enough to detect even quite small currents through your line.

The buttons which stick up out of your telephone case when you lift the handset
activate the hook switch.  The name probably dates back to the days when the
handset (or even earlier, the earpiece) hung on the side of the phone from a
hook.  In any case, when your phone is hung up it is said to be on the hook,
and when you lift the handset to make a call it is said to go off the hook.
With the phone on hook, the line is connected only to the bell (called the
ringer).  Because the bell circuit has a capacitor in it, no DC current can
flow through the phone.  As a result, the subscriber relay back in the central
office will be de-energized, indicating to the central office (let's abbreviate
that as CO from now on) that your phone is hung up.

Since there is no current through your line or phone, there is no voltage drop
anywhere, and so if you measure the voltage across the phone line at your phone
you will see the entire 48 volts (or even more if the CO batteries are well

The positive (grounded) lead is called the tip and the negative lead is called
the ring; these names correspond to the tip and ring of a three-circuit phone
plug.  Now suppose you want to place a call; You pick up the handset and the
phone goes off the hook.  This completes the DC circuit through the dial,
microphone, and the hybrid network which is basically a complicated transformer

At this point current starts to flow from the battery through your line and
phone, and the subscriber relay back at the CO pulls in.  The line voltage
across your phone now drops to just a few volts because the line is loaded down
by the low resistance of the phone.  The CO now searches for some idle dialing
circuits, and when it finds them, connects a dial tone back to your phone.
When you hear this, you start dialing.

So lets talk about rotary dial, the type of phone which you turn with your
finger (we will talk about Touchtone dials later).  When you dial a number, the
dial acts as a short circuit until you release the dial and let the built-in
spring return it back to the resting position.  As it is returning, it starts
to open and close the circuit in sequence to indicate the number you dialed.
If you dial a 1, it opens the circuit once; if you dial a 9 it opens the
circuit nine times.  As the dial is returning it cause the subscriber relay to
open and close in step.  This enables the CO to recognize the number you want.
When you finish dialing, the dial becomes just a plain short circuit which
passes current through the microphone and the hybrid network.  Since the mike
is a carbon unit, it needs this current to work.  When the CO receives he
complete number, it starts to process your call.  If you dialed another
subscriber in the same area, it may connect you directly to that subscriber's
line.  Calls to phones a little further away may have to be routed through
another CO, while long distance calls may go through one or more long distance
switching centers (called tandems) and possibly many other CO's before arriving
at the destination.  At the completion of this process, you may get either a
ringing signal, indicating that the phone at the other end is ringing, one of
several types of busy signals, or possibly just silence, if something goes
wrong somewhere.

When you talk to the person at the other end, the cable carries audio in both
directions at the same time.  Your carbon microphone varies the current in your
circuit, and this current variation is detected by a balanced transformer in
the CO.  At the same time, audio coming back to your phone goes through the
hybrid network to your earphone.  In phone company lingo they like to call the
mike a transmitter, and the earphone is called the receiver.

You may be interested in the makeup of the various tones you may hear on your
telephone; these tones are important to people such as computer communications
designers who have to build equipment which will recognize dial or other
signaling tones:

     Dial tone in older exchanges may still be a combination of 120 and 600 Hz,
     but the newer exchanges use a combination of 350 and 440 Hz.  There is
     often a slight change in the DC line voltage at the beginning of dial
     tone, and this may also be detected.

     Busy signal is a combination of 480 and 620 Hz which alternates for 1/2
     second on and 1/2 second off (i.e., 60 interruptions per minute) when the
     party you are calling is busy.

     The same busy signal may be used for other conditions such as busy
     interoffice or long distance circuits, but would then be interrupted
     either 30 times a minute or 120 times per minute.  This is a standard
     agreed on by an international telecommunications organization called CCITT
     (and I don't offhand remember the French words it stands for), but
     occasionally other frequencies up to 2 kHz are used.  A siren-like sound
     varying between 200 and 400 Hz is often used for other error conditions.

     The ringing tone, which you hear coming back to you when the phone rings
     on the other end of the connection, is nowadays mostly a combination of
     440 and 480 Hz, but there is great variation between CO's.  Very often a
     higher frequency such as 500 Hz is interrupted at 20 Hz, and other tones
     are used as well.  The tone is usually on for 2 seconds and off for 4

     The ringing current, actually used to ring the bell in a telephone, is an
     AC voltage since it has to activate a ringer which has a capacitor in
     series with it.  Different companies use different ringing currents, but
     the most common is 90 volts at 20 Hz.  Since a typical phone may be
     thousands of feet away from the CO, the thin wires used may have a fairly
     high line resistance.  Hence only a relatively small current can be
     applied to the bell, certainly not enough to ring something like a
     doorbell.  This problem is solved by making the bell resonant mechanically
     at the ringing frequency so that even a fairly small amount of power is
     enough to start the striker moving hard enough to produce a loud sound.
     This is the reason why a low-frequency AC is used.  Although this raises
     some problems in generating a 20 Hz signal at a high enough voltage, it
     has the advantage that a bell will respond to a ringing current only if
     the frequency is quite close to the bell's naturally resonant frequency.
     If you build two bells, one resonant at 20 Hz and the other resonant at 30
     Hz, and connect them together to the same line, you can ring just one bell
     at a time by connecting a ringing current of the right frequency to the
     line; this has some useful applications in ringing just one phone on a
     party line.

Now let's look at some of the components of the phone itself.  We will consider
the most common new phone, a model 500 C/D manufactured by Western Electric and
used by Bell System affiliated phone companies.  This is the standard desk
phone, having modern rounded lines and usually having a G1 or G3 handset.  It
was developed about 1950 and replaced the older 300-series phones which had the
older F1 handset and had sharper corners and edges.  There was an in between
phone, where they took an old 300-series phone and put a new case on it which
resembled the 500-style case, but had a straight up and down back - the back of
the case came straight down right behind the handset cradle, whereas the true
500-style telephone has what looks like a set sticking out behind the cradle).

If you are still in doubt as to which phone you have, the bell loudness control
is a wheel on the 500-type phone and a lever on the 300-type.  If you live in
the boondocks, you may still have the 200-type phone (sometimes called the
ovalbase) or maybe even the desk-stand type that looked like a candlestick,
with the microphone mounted on the top and the earpiece hanging on the side
from a hook.

Neither of these phones had a built in bell, and so you probably have a bell
box attached to your wall.  If you have a phone with a handle on the side which
you crack to call the operator, the following does not apply to your phone!

Now lets discuss the bell circuit, which consists of a two-coil ringer and a
0.5 uF capacitor.  On Western Electric phones the capacitor is mounted inside
the network assembly, which also has a large number of screws on top which act
as connection points for almost everything inside the phone.  I have never
been able to find out why the ringer has two coils of unequal resistance, but
it apparently has something to do with determining which subscriber on a party
line makes which call.  In most phones, the yellow and the green wires are
connected together at the wall terminal block so that the bell is connected
directly across the telephone line; disconnecting the yellow lead would turn
off the bell (although sometimes the connection is made internally by
connecting the black lead from the ringer directly to the L1 terminal, in which
case the yellow lead is disconnected.

You may wonder why a yellow lead is needed at all when only two wires are
normally used anyway.  It is true that only two wires enter the house from the
outside; one of these is the tip and the other is the ring.  In a non-party
line the ringing current as well as all talk voltages are applied between the
tip and the ring, and it doesn't actually matter which of the phone leads goes
to the tip and which to the ring if you have a rotary dial phone.  If you have
a Touchtone dial, then you have to observe polarity so that the transistor
circuit in the dial works, in which case you have to make sure that the green
lead goes to the tip and the red lead goes to the ring.

The yellow lead is commonly used for party lines.  On a two-party line ringing
current from the CO is applied not between the two lines, but between one line
and ground.  In that case the yellow lead goes to ground while the other side
of the ringer (the red lead) is connected to either the tip or the ring,
depending on the party.  In this way, it is possible to ring only one party's
bell at a time.

The remaining connections inside the telephone are varistors; the phone
companies must be the world's biggest users of these devices, which are
variable resistors whose resistance drops as the voltage across them rises.
Their function in the phone set is to short out parts of the set if the applied
voltage gets too high.

The hook switch actually has three sets of contacts, two normally open (open,
that is, when the hand set is on hook) which completes the DC circuit when you
pick up the handset, and a normally closed contact which is wired directly
across the earphone.  This contact's function is to short the earphone during
the time that the DC circuit is being opened or closed through the phone - this
prevents you from being blasted by a loud click in the earphone.

The dial has two contacts.  One of these is the pulsing contact, which is
normally closed and only opens during dialing on the return path of the dial
after you let go of it.  The second contact (the off-normal contact), shorts
the earphone as soon as you start turning the dial, and releases the short only
after the dial returns back to the normal position.  In this way you do not
hear the clicking of the dial in the phone as you dial.  Finally, the phone has
the hybrid network which consists of a four-winding transformer and whole
collection of resistors, capacitors, and varistors.  The main function of the
network is to attenuate your own voice to lower its volume in your earphone.

The simplest phone you could build would be just a series circuit consisting of
a dial, a mike, and an earphone.  But the signals coming back from the other
party so much weaker than your own signals, that than earphone sensitive enough
to reproduce clearly and loudly the voice of the other person would then blast
your eardrums with the sound of your own voice.  The function of the network is
to partially cancel out the signal produced by the local mike, while permitting
all of the received signal to go to the earphone.  This technique is similar to
the use of the hybrid phone patch with a VOX circuit, where you want the voice
of the party on the telephone to go to your transmitter, but want to keep the
receiver signal out the transmitter.

In addition to the parts needed for the hybrid, the network also contains a few
other components (such as the RC network across the dial pulsing contacts) and
screwtype connection points for the entire phone.

A Touchtone phone is similar to the dial phone described above, except that the
rotary dial is replaced by a Touchtone dial.  In addition to its transistorized
tone generator, the standard Touchtone pad has the same switch contacts to mute
the earphone, except that instead of completely shorting the earphone, as the
rotary dial does, the Touchtone dial switches in a resistor which only
partially mutes the phone.

It is fairly common knowledge as to what frequencies are used for Touchtone
signalling, but a it never hurts to reiterate information.  Each digit is
composed of one frequency from the low group and one frequency from the high
group; for instance, the digit 6 is generated by producing a low tone of 770 Hz
(Hertz) and a high tone of 1477 Hz at the same time.  The American Touchtone
pads generate both of these tones with the same transistor, while European pads
(yes, there are some) use two transistors, one for reach tone.  In addition to
the first three high tones, a fourth tone of 1633 Hz has been decided on for
generating four more combinations.  These are not presently in use, although
the standard phone Touchtone pad can easily be modified to produce this tone,
since the required tap on the inductor used to generate the the tone is already
present and only an additional switch contact is needed to use it.

What is not generally known is that the United States Air Force uses a
different set of Touchtone frequencies, in the range of 1020 to 1980 Hz.  Since
many of the phones available for purchase in stores come from Department of
Defense surplus sales, it will be interesting when these phones become

Another Touchtone dial presently used by amateurs is made up from a thin
elastomeric switch pad made by the Chomerics Corporation (77 Dragon Court,
Woburn, Mass. 01801) and a thick-film hybrid IC made by Microsystems
International (800 Dorchester Boulevard, Montreal, Quebec).  The pad is the
Chomerics ER-20071, which measures about 2 1/4 inch wide by 3 inches high, and
only about 3/16 inch thick (Chomerics also makes a smaller model ER21289, but
it is very difficult to use and also apparently unreliable).  Microsystems
International makes several very similar ICs in the ME8900 series, which use
different amounts of power and generate different amounts of audio.  Some of
these also contain protection diodes to avoid problems if you use the wrong
polarity on the IC, and there are so many models to choose from that you should
get the technical data from the manufacturer before ordering one.  There are a
number of United States distributors, including Newark Electronics, Milgray and
Arrow Electronics in New York.

One of the problems with any current IC oscillator is that the frequency
changes if rf gets near it.  Many hams are having a hard time mounting such IC
pads on their 2 meter handie-Talkies.  A solution seems in sight as Mostek, a
large IC company, is coming out with an IC Touchtone generator which has a
cheap 3.58 MHz external crystal as reference, and then produces the tone
frequencies by dividing the 3.58 MHz down with flip flops to get the required
tone frequencies.  This approach not only promises to be more reliable in the
presence of rf, but should also be cheaper since it would not need the custom
(and expensive) laser trimming of components that the Microsystems
International IC needs to adjust the frequencies within tolerance.

At the other end of the telephone circuit, in the CO, various circuits are used
to decode the digit you dial into the appropriate signals needed to perform the
actual connection.  In dial systems, this decoding is done by relay circuits,
such as steppers.  This circuitry is designed for dialing at the rate of 10
pulses per second, with a duty cycle of about 60% open, 40% closed.  The
minimum time between digits is about 600 milliseconds, although a slightly
greater time between digits is safer since it avoids errors.

In practice, many COs will accept dialing at substantially slower or faster
rates, and often you will see a dial that has been speeded up by changing the
mechanical governor to operate almost twice as fast; it depends on the type of
CO equipment.

Touchtone decoding is usually done by filter circuits which separate out the
Touchtone tones by filters and then use a transistor circuit to operate a
relay.  A common decoder is the 247B, which is designed for use in small dial
switchboard systems of the type that would be installed on the premises of a
business for local communication between extensions.  It consists of a limiter
amplifier, seven filters and relay drivers (one for each of the seven tones
commonly used) and some timing and checking circuitry.  Each of the seven
relays has multiple contacts, which are then connected in various
series/parallel combinations to provide a grounding of one of ten output
contacts, when a digit is received.  The standard 247B does not recognize the *
and  digits, but can be modified easily enough if you have the unit diagram.

The 247B decoder is not very selective, and can easily be triggered by voice
unless some additional timing circuits are connected at the output to require
that the relay closure exceed some minimum time interval before it is accepted.
Slightly more complicated decoders which have the time delays built in are the
A3-type and the C-type Touchtone Receivers.  both of these are used in
customer-owned automatic switchboards when a caller from the outside (via the
telephone company) wants to be able to dial directly into the private
switchboard to call a specific extension.

The C-type unit is similar to the 247B in that it has ten outputs one for each
digit.  The A3-type does not have output relays, but instead has seven voltage
outputs, one for each of the seven basic tones, for activating external 48-volt
relays.  The A-3 unit is ideal for activating a Touchtone encoder, which can
then be used to regenerate the Touchtone digits if the original input is noisy.
This might be very useful in a repeater autopatch, for cleaning up Touchtone
digits before they are sent into the telephone system.

In addition to the above, there are probably other types of units specially
designed for use in the CO, but information on these is not readily available.
It is also fairly easy to build a Touchtone decoder from scratch.  Though the
standard telephone company decoders all use filter circuits, it is much easier
(though perhaps not as reliable) to use NE567 phase-locked-loop integrated

An interesting sidelight to Touchtone operation is that it greatly speeds up
the process of placing a call.  With a Touchtone dial it is possible to dial a
call perhaps 3 or 5 times faster than with a rotary dial.  Since the CO
equipment which receives and decodes the number is only needed on your line
during the dialing time, this means that this equipment can be switched off
your line sooner and can therefore handle more calls.  In fact, the entire
Touchtone system was invented so that CO operation would be streamlined and
less equipment would be needed for handling calls.  It is ironic that the
customer should be charged extra for a service which not only costs the
telephone company nothing, but even saves it money.

Another practice which may or may not cost the company money is the connection
of privately-owned extension phones.  You have probably seen these sold by mail
order houses and local stores.  The telephone companies claim that connecting
these phones to their lines robs them of revenue and also may cause damage to
their equipment.  There are others, of course, who hold the opinion that the
easy availability of extensions only causes people to make more calls since
they are more convenient, and that the companies really benefit from such use.
The question of damage to equipment is also not easily answered, since most of
the extension phones are directly compatible, and in many cases the same type
as the telephone company itself uses.  Be that as it may, this may be a good
time to discuss such use.

Prior to an FCC decision to telephone company interconnection in the Carterfone
case in 1968, all telephone companies claimed that the connection of any
equipment to their lines was illegal.  This was a slight misstatement as no
specific laws against such use were on the books.  Instead, each local
telephone company had to file a tariff with the public service commission in
that state, and one of the provisions of that tariff was that no connection of
any external equipment was allowed.  By its approval of that tariff, the public
service commission gave a sort of implicit legal status to the prohibition.

In the Carterfone case, however, the FCC ruled that the connection of outside
equipment had to be allowed.  The phone companies then relaxed their tariff
wording such that connection of outside equipment was allowed if this
connection was through a connecting arrangement provided by the telephone
company for the purpose of protecting its equipment from damage.  Although this
result has been challenged in several states, that seems to be the present
status.  The strange thing is that some telephone companies allow
interconnection of customer equipment without any hassle whatsoever, while
others really make things difficult for the customer.
[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]
© Copyleft 1985-2014, Phrack Magazine.