2600 Red Box / Blue Box

Now you too can be t3h 3133+ fone phreak*... but only if you have a long enough extension cable to your Atari 2600! Relive the bygone days of analog toll fraud!**

Or just use your Atari 2600 to dial you Mom... because you can.

* If you don't know how to read that, do a web search for "leet speak".
** For amusement purposes only

Instructions

Don't Try This At Home

Toll fraud isn't funny. Well, actually it is kind of funny, but not to the phone company or law enforcement agencies. How would you like to tell your cellmate Bubba what you're in for?

Besides, these things really don't work any more. Red and green boxing are dead because cell phones have all but killed pay phones, and the pay phones that remain have surely been upgraded to not be controlled by silly in-band tones. Blue boxing died even earlier thanks to digital trunk lines and time-division multiplexing.

About dual-tone signalling

Back in the good old days, before everything went digital, the only way to control a phone line was by using tones. This was called "in-band signalling", as opposed to "out-of-band signalling" which uses a separate circuit for line control.

Using a single tone to mean something would be obvious, and rather simple to implement, but it would have one big problem: random noise on the phone line could be accidentally detected as a signal. The solution to the noise problem was to use two signals. There is also a problem of harmonics causing accidental signals, which is why touch-tone dialing uses such odd frequencies.

About touch-tone dialing

In the beginning, to call anybody you had to go through an operator. The operator (originally male, until the usual pranks of teenage boys caused a switch to women) would pull down some plugs and use them to connect your circuit.

If we still used human operators for every call, a quarter of the population would have to be employed today as operators. So instead, the phone company just made everybody into an operator and made dialing automatic. This used a dial which made a number of short pulses, depending on what number you dialed. These pulses would control a "step switch", which had ten positions and stepped through them as the pulses were received.

Then the phone company realized that these things were big, expensive, and required a lot of maintenance. So they wanted to have computers run everything. But a bunch of pulses that have to be counted isn't exactly the best kind of input to a computer. And it's slow if you have a lot of nines and zeros in a phone number.

Thus was born touch-tone dialing, using "Dual Tone Multi-Frequency" tones. Each tone could be decoded immediately into a number. And they could charge extra for this feature, even though it made things easier for the phone company. In fact, if you're in the United States, you probably can't even use pulse dial! The circuitry to count the pulses costs the phone company money, and almost nobody uses pulse dialing any more, so they only connect pulse-dialing circuitry to the people who refuse to pay for touch-tone. So with touch-tone dialing, you get to pay more money and it's cheaper for the phone company!

A rarely used feature of touch-tone is the fourth column. These buttons are labeled A, B, C, and D. The only use I'm aware of for the fourth column was in the US military's AUTOVON system.

About red boxing

Pay phones needed some way to let the phone company know when you inserted a coin. Originally your coin would ring bells, and a human operator could count your dings and gongs. But electronic equipment works a lot better with simple tones. So one pair of tones was used for the coin mechanism. The different value coins (nickels, dimes, and quarters) would each create a unique "cadence", or pattern of notes. A nickel would be one long tone, a dime would be two long tones, and a quarter would be five short tones.

A red box is a tone generator designed to create this particular pair of tones. It just so happens that the ratio of the two frequences used for the touch-tone "*" key is almost the same as that of the coin tones. When you replace the 3.58 MHz crystal (a standard TV colorburst crystal) with a 6.5536 MHz crystal (65536 being notable as 2 to the power of 16), the tones of all the buttons are raised in frequency, and the "*" key is now very close to a proper coin tone.

The important part of using a red box is to get the cadence right. You should expect a human phone operator to have heard the correct cadence often enough to easily know when you're faking it. Also, the phone mutes the microphone while sending the tone, and if there isn't the sound of clunking coins around the beeps, that's another tip-off to an operator.

About green boxing

Pay phones also need control signalling. The operator has the ability to return your coins (because you need a real coin to get dialtone, even if you're dialing a 1-800 number). Green box tones are what the operator uses to control a pay phone. Of course these don't work at all from the pay phone itself, and you have to do it from the called party.

Operator Release (activates the circuitry which listens for green box tones)

Coin Collect (drop the coins into the box)

Coin Release (return the coins out the slot)

Ringback (I think this makes the phone ring)

About blue boxing

Blue boxing uses the signals that control long distance trunks. These are the tones that long distance operators would use to dial a number in an operator-assisted call. A 2600Hz tone would cause the phone company equipment to think that the call had been terminated, and in particular the billing system would stop. But the trunk would still be open. By sending the right sequence of tones, you could call someone without being billed.

The tones used by the phone company were generated by high-precision equipment with large coils, then distributed by wires to all the operator stations. For years, the phone company's hubris kept them from believing that a small board with cheap transistor oscillators could be accurate enough to be useful. Of course the difference is that the phone company needed dozens of stations with accurate tones, and using cheap transistor oscillators would mean constant maintenance and tuning. A blue boxer only had one board to tune, and it was easy to keep within the tolerance needed to do the job.

About the Special Information Tones

When you hear that "boop-boop-beee! The number you have dialed is...", the first three tones are called Special Information Tones. You may not realize it, but there are multiple combinations of these tones. Each of the first two tones can be one of two frequencies, and can be either short or long. The last tone is always the same, 1776.7Hz, supposedly a reference to July 1776.

 Name  Description         First tone     Second tone     Third tone
  NC   No Circuit          985.2Hz 380ms  1428.5Hz 380ms  1776.7hz 380ms
  IC   Operator Intercept  913.8Hz 274ms  1370.6Hz 274ms  1776.7Hz 380ms
  VC   Vacant Circuit      985.2Hz 380ms  1370.6Hz 274ms  1776.7Hz 380ms
  RO   Reorder             913.8Hz 274ms  1428.5Hz 380ms  1776.7Hz 380ms

The most interesting use of these tones involves telemarketing junk phone calls. Most of the automated telemarketing dialing equipment made until recently will detect these tones and actually take your number off their list if it hears them! Even more amazing, many of them will give up after hearing the first tone! There is a device called the "TeleZapper" which can automatically generate either a single 913.8Hz tone or a sequence of three tones after any phone is picked up. It's really satsifying to pick up the phone, hear the tone, then the line goes dead as another telemarketer gets phooled.

Tone list

Red box, left keypad

KEY     FREQ      DESCRIPTION
 1    697, 1209   touch-tone 1
 2    697, 1336   touch-tone 2
 3    697, 1477   touch-tone 3
 4    770, 1209   touch-tone 4
 5    770, 1336   touch-tone 5
 6    770, 1477   touch-tone 6
 7    852, 1209   touch-tone 7
 8    852, 1336   touch-tone 8
 9    852, 1477   touch-tone 9
10    941, 1209   touch-tone *
11    941, 1336   touch-tone 0
12    941, 1477   touch-tone #

Red box, right keypad

KEY     FREQ      DESCRIPTION
 1    697, 1633   touch-tone A
 2   1700, 2200   red box "coin"
 3    700, 1100   green box "coin collect"
 4    770, 1633   touch-tone B
 5    350,  440   dialtone
 6   1100, 1700   green box "coin return"
 7    852, 1633   touch-tone C
 8    420,  620   busy tone
 9    950, 1500   green box "operator release"
10    941, 1633   touch-tone D
11    440,  480   ringback (what you hear when calling someone)
12      2600      2600 Hz tone

Blue box, left keypad

KEY     FREQ      DESCRIPTION
 1    700,  900   blue box 1
 2    700, 1100   blue box 2
 3    900, 1100   blue box 3 (same as green box "coin collect")
 4    700, 1300   blue box 4
 5    900, 1300   blue box 5
 6   1100, 1300   blue box 6
 7    700, 1500   blue box 7
 8    900, 1500   blue box 8
 9   1100, 1500   blue box 9
10   1100, 1700   blue box "KP1" (same as green box "coin return")
11   1300, 1500   blue box 0
12   1500, 1700   blue box "ST"

Blue box, right keypad

KEY     FREQ      DESCRIPTION
 1    700, 1700   blue box 11? (same as green box "ringback")
 2    900, 1700   blue box 12?
 3   1300, 1700   blue box "KP2"
 4       985      SIT first tone, high (No Circuit series)
 5      1428.5    SIT second tone, high
 6      1777      SIT third tone
 7       913      SIT first tone, low (Operator Intercept series)
 8      1371      SIT second tone, low
 9      1777      SIT third tone
10      ----      not used
11      ----      not used
12      2600      2600 Hz tone

How it works

The 2600 sound normally is just a bunch of pseudo-random square waves. So how can you get sine waves out of that? The trick is that the 2600 has one sound mode which is "always on". Then all you need to do is play with the volume. Okay, but how about the timing? Fortunately, there is an accurate reference available, the video horizontal sync. The 2600 lets you halt the CPU until the horizontal sync, then you can be guaranteed to start exactly at the same place in every scan line.

In order to generate a sine wave, there needs to be a lookup table. Then the rate at which you go through the table determines the output frequency. For sufficient accuracy, a 16-bit counter is needed, using the high byte as the offset into the 256 byte sine table, and the low byte as a 1/256ths fractional offset.

As it turns out, the code to do this for both channels takes up 61 cycles in the scan line, including the syncronization. Using the undocumented LAX instruction saves four more cycles per scan line, for a total of 57 cycles. There are 76 cycles per scan line. Since JSR/RTS would take up 12 cycles alone, there wouldn't be enough time to do anything useful, so the code has to go inline on every scan line. 38 bytes per scan line times 240 scan lines equals 9120 bytes, which is way too big for 4K, but loops and strategic use of JSR/RTS keep the code bloat in check.

DoSound	MACRO

	STA	WSync		; 3

	CLC			; 2    27 cycles for this group
	LDA	CntAL		; 3
	ADC	StepAL		; 3
	STA	CntAL		; 3
	LAX	CntAH		; 3 this delays the sound by one scan line, but saves 4 cycles
	ADC	StepAH		; 3
	STA	CntAH		; 3
	LDA	SinTab,X	; 4
	STA	AudV0		; 3

	CLC			; 2    27 cycles for this group, too
	LDA	CntBL		; 3
	ADC	StepBL		; 3
	STA	CntBL		; 3
	LAX	CntBH		; 3
	ADC	StepBH		; 3
	STA	CntBH		; 3
	LDA	SinTab,X	; 4
	STA	AudV1		; 3

	ENDM

The tone frequences are stored in a lookup table as their step values. With a 15700Hz NTSC horizontal sync rate, the formula is f*65536/15700, or f*4.174267516.