Toll Signalling And Collection Technology on Nortel M1231 Millennium Payphones
........ And The Circumvention Thereof
(Or, "How We Didn't Pay For A Couple Of Phone Calls")

A self-aggrandizing account by Flame0ut and PrussianSnow
Published Around Late 2000 Or Something

********

One of the most common questions asked by young telephone enthusiasts in Canada is, "Can I red box Millennium phones?" The answer, my friend, is no. But some background first.

The Millennium phone (model M1231) is an advanced payphone manufactured by Northern Telecom. A good deal of documentation concerning these phones is available on the Internet and through Northern Telecom (1-800-4-NORTEL), but to quickly list some of their "features":

- They have an LED screen displaying the current time, date, and a programmable message.

- They accept (in Canada) nickels, dimes, quarters and loonies, as well as magnetic cards such as Bell Calling Cards and smartcards such as Bell Quickchange Cards.

- The dialing system is multi-layered and involves several firmware systems; that is to say, the dialpad itself isn't responsible in any way for generating DTMF, but rather requests another system to do so. Note that if DTMF tones are played loudly into the microphone, they will be displayed on the LED screen.

- ACTS does NOT listen to these lines. Millennium phones produce no tones when coins are deposited - the line an M1231 sits on is free for dialing out anywhere in the world with no blocking by an Automated Coin Toll System. The only thing blocking you from dialing out on these lines is the payphone itself, which does not actually pick up the line and enable the microphone until it determines that a sufficient amount has been deposited. Note that the dialtone you hear when you pick up the phone is internally generated, and the numbers you "dial" are only actually dialled after the money is collected. This, of course, is significant for our purposes.
- When a long-distance number is dialed from the payphone, it displays a message along the lines of "Getting Rates, please wait..." While this message is displayed, a modem in the payphone is dialing an internally-stored number to another modem, presumably at the telephone company, from which it gets the rate for the number you have dialed. In my area, this number is in the 416 area code, and it can easily be gleaned by tapping the payphone line and recording then decoding the DTMF. One could even, theoretically, record the exchange between the modems and then play it into a modem that is in "silent answer" mode to observe what happens during the connection, and possibly figure out the protocol/commands used. Which, of course, would be immoral and wrong. But I digress.

Millennium payphones, and indeed most payphones out there, store any coins you deposit in a temporary area until the line called is actually answered. As long as it is ringing or you get a busy signal or an error message, your money is not taken, and if you hang up before the line is actually answered you get your money back.

It occurred one day to PrussianSnow and me to wonder how this happens - that is, how the payphone knows that the line was answered. We'd heard of payphones in which the toll signalling was done with tones generated by the CO - on a payphone line, the central office would generate tones telling the phone to return or take your coins depending on the circumstances; however, we've never directly observed this method.

Fortuitously, PrussianSnow some time later discovered from Northern Telecom's website that one of the requirements for installing an M1231 was "a phone line capable of current reversal". This is, of course, how the tolling is signalled.

Making a call from an M1231 works as such:

- You dial a number, which is then stored internally.
- The payphone waits for, collects, and verifies your money.
- When a sufficient amount is deposited, the payphone goes off-hook and dials the number you entered. At this point your money is in the temporary area.
- The microphone is enabled (which is also significant).
- While the number you've called is ringing, the line current is positive on ring and negative on tip, as is standard.
- The line is answered. The CO detects this and flashes a voltage reversal down the payphone line - for a moment, it is negative on ring and positive on tip.
- The payphone detects this flash, swallows your money, and enables the dialpad. The voltage is normal (positive ring, negative tip) for the rest of the call.

There are a few alternatives - for instance, when a toll-free number is dialed, no voltage flash occurs, so the dialpad must be enabled as soon as the number is dialed. Note that you can make tones while an 800 number is ringing, but not during a local one.

The circumvention of this is obvious, and an example of the futility of placing the bulk of your security within reach of the end user (to be pedantic for a moment). You do not need to stop this voltage flash from happening, but rather, simply to stop the payphone from detecting it. Once this is done, the payphone will never receive a signal to swallow your money (or debit your Quickchange Card, as it were), and it will simply think that the line is ringing for the duration of your call. The CO will know better, but that is irrelevant.

Four diodes, when hooked together so as to convert AC to DC, are collectively referred to as a full-wave (bridge) rectifier (which can be purchased as a single component). Quite simply, a rectifier has 2 inputs and 2 outputs, and its purpose is to force the polarity of the outputs to be constant no matter what the polarity of the inputs. Hence, when a rectifier is wired between the line and the payphone, the polarity can be forced to always be positive on ring and negative on tip.

Right, enough theory.
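The call sequence and the rectifier argument above, as an added example that is not part of the original article and is not Nortel firmware: a small Python model of the coin escrow and answer-supervision logic, of what a payphone behind a rectifier actually observes, and of the variant the authors suggest near the end of the piece (microphone gated on the polarity flash rather than on dialing). Polarity is encoded as +1/-1 without committing to which of tip or ring is positive; the state names, the 25-cent cost and the sample counts are assumptions of the example.

```python
from dataclasses import dataclass

NORMAL = +1    # the text's "normal" polarity: one sign for the whole call
REVERSED = -1  # the CO's momentary reversal ("flash") when the called party answers


@dataclass
class Payphone:
    """Minimal model of the coin-escrow / answer-supervision logic described above.
    Example code, not Nortel firmware; the state names are this example's own."""
    # False: behaviour the text describes (microphone live as soon as the number is dialed).
    # True:  the authors' suggested fix (audio stays dead until the flash is actually seen).
    gate_audio_on_reversal: bool = False
    escrow_cents: int = 0       # coins held in the temporary area
    collected_cents: int = 0    # coins swallowed
    audio_enabled: bool = False
    keypad_enabled: bool = False

    def deposit(self, cents: int) -> None:
        self.escrow_cents += cents

    def dial(self, required_cents: int, toll_free: bool = False) -> None:
        """Go off-hook once enough is in escrow. Toll-free calls never get a flash, so,
        as the text notes, the phone has to enable everything immediately for them."""
        if self.escrow_cents < required_cents:
            raise ValueError("insufficient deposit")
        if toll_free or not self.gate_audio_on_reversal:
            self.audio_enabled = True
        if toll_free:
            self.keypad_enabled = True

    def line_sample(self, polarity: int) -> None:
        """Handle one polarity sample as seen at the payphone's own terminals."""
        if polarity == REVERSED:
            self.collected_cents += self.escrow_cents   # swallow the escrowed coins
            self.escrow_cents = 0
            self.audio_enabled = True
            self.keypad_enabled = True

    def hang_up(self) -> int:
        """Return whatever is still in escrow to the coin-return slot."""
        refunded, self.escrow_cents = self.escrow_cents, 0
        self.audio_enabled = self.keypad_enabled = False
        return refunded


def co_polarity(answered: bool, toll_free: bool = False) -> list:
    """Polarity the CO puts on the line: ringing, then a one-sample reversal on answer
    (none for toll-free), then normal polarity for the rest of the call."""
    samples = [NORMAL, NORMAL]                 # ringing / busy / error: no reversal
    if answered:
        samples += [NORMAL if toll_free else REVERSED, NORMAL, NORMAL]
    return samples


def rectified(samples: list) -> list:
    """A full-wave rectifier between line and phone: the phone sees one output sign whatever
    the input sign, so the reversal is indistinguishable from normal polarity."""
    return [abs(p) for p in samples]


def run_call(phone: Payphone, answered: bool, line_rectified: bool,
             toll_free: bool = False) -> dict:
    """Simulate one call (25-cent cost is an assumption) and report what the phone did."""
    phone.deposit(25)
    phone.dial(0 if toll_free else 25, toll_free)
    samples = co_polarity(answered, toll_free)
    if line_rectified:
        samples = rectified(samples)
    for p in samples:
        phone.line_sample(p)
    usable = answered and phone.audio_enabled    # could the caller actually talk?
    refunded = phone.hang_up()
    return {"collected": phone.collected_cents, "refunded": refunded, "usable": usable}


if __name__ == "__main__":
    for gate in (False, True):
        for rect in (False, True):
            r = run_call(Payphone(gate_audio_on_reversal=gate), answered=True, line_rectified=rect)
            print(f"gate_audio_on_reversal={gate!s:5} rectified={rect!s:5} -> {r}")
```

With the stock behaviour and a rectified line the model collects nothing yet leaves the audio path live, which is exactly the weakness the text describes: the phone's only evidence of answer is a signal the phone itself is trusted to observe. With audio gated on the flash, the same rectified line yields a refund and a dead microphone, which is why the authors' closing remark about Nortel closes the hole; toll-free calls, which never carry a flash, still have to be handled by call class, as the text says the M1231 already does.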
It's time to get For Educational Purposes Only on your ass, and talk about some application and installation.

Our prototype of this fingle was a full-wave rectifier of an unknown rating (which happily proved to be enough - these things are generally used on household AC, so many handle up to 110V or 220V at 2 or 4 amps, or more), wired up to a DPDT switch with 3 states -- unrectified, no flow at all (broken line -- no real reason for this one), and rectified polarity. It took PrussianSnow 40 minutes with his head stuck in the top of an M1231 booth off the side of a highway at midnight to get this thing wired up, but it worked the first time, much to our orgasmic delight. (Educational purposes only.) It shouldn't really take that long to hook up, but this was the first one ever made, so nyah. In our example, we'll be using just a rectifier with no DPDT.

Installation is simple, and I'll list it in little steps with numbers beside so you don't accidentally do them out of order and hurt yourself.

Stuff to bring:

- 1 pair of pliers
- 1 full-wave rectifier
- 1 slot-head screwdriver
- a couple of quarters or something
- A flashlight couldn't hurt
- And neither could some strippers
- Some gloves would be nice, so you don't get any small shocks
- And some biscuits, perhaps some Saltines or something of the like - anything crunchy and delicious will do.
- Alligator clips or crimpers would be nice.

1. Locate the phone box for the payphone, or anywhere in the line where you can easily cut it and splice in the rectifier. The phone box, of course, is preferable. In a standard Millennium phonebooth, the plastic "ceiling" is hinged on one side and latched in at the other with 2 "tamper-proof" screws, which can be coerced out with a slot-head screwdriver. You need only turn them about half a revolution.

2. Once the ceiling is swung down, you will have access to the phone box as well as the 110-volt outlet which powers the lightbulb and the payphone.
Some booths have a power switch for the payphone. Don't touch anything you don't have to, unless you want to. And you should want to. You can make funny things happen. Note that the light takes a long time to power up once unplugged and plugged back in.

3. Look at the phone box and eat a biscuit. Be contemplative. Note that there are two main terminals - the one on the right has the ring wires: a red one going to the phone, and a blue one coming from the line. The left terminal, tip, will have a green wire going to the phone and a white wire going to the line. If these should vary, just trust that the right terminal is ring, and positive. In some phones it's actually the red and green that go to the phone line rather than the phone - just figure out where the wires go, christ, it's not all that hard. Geez. Whiner.

4. Loosen the nuts on the terminal bolts with the pliers you so fortuitously brought along. Try not to let the green or red wires come off the bolts, as that would be a pain you don't need. Pull out the blue and white wires.

5. Run the blue wire (or whatever wire was on the right terminal) to an AC input for the rectifier, and run the white wire (or whatever) to the other AC input. You can attach them with gator clips, clothes-pins, crimpers or whatever. Maybe you could bring a soldering iron and some solder, unplug the phone, plug your iron in, wait a couple of minutes while it heats up, then solder the wires together, unplug your iron, wait for it to cool down, put it away, and plug the phone back in. That would be a story to tell.

6. Run the positive output to the right terminal and the negative output to the left terminal. You can attach them by putting them behind the nuts and tightening them again.

7. If the phone is still working, that's a good sign. Pick it up and dial a number local to you. It will ask for a quarter. Deposit one.

8. If the number is dialed and the call goes through, you haven't broken anything.
If the number is dialed and you just hear silence, or the LED screen declares "Phone Not In Service", check all your rectifier connections and, as a last resort, assume that I've completely forgotten whether ring is positive or negative and flip your output polarity. Sorry.

9. Hold your breath. When the line is answered, the CO will send the polarity-flip-flash. When it hits your rectifier, it will turn into normal polarity and nothing will happen. So, when the line is answered, the payphone won't take your money. At this point you may jump around shouting gleefully.

10. Hang up the phone. Your money will fall into the coin-return slot. Clink.

And that's that. The payphone is now, quite simply, free to use. Flip the ceiling back up and screw the latches back in.

Let's talk, now, about caveats.

- You need to have the money that the call would cost you or, for a long-distance call, the money for the first minute (the timer will never actually begin). A Quickchange card would be nice in this case. You'll get it all back in the end, and the card will simply never get debited.

- Since the phone receives no polarity flash, and since the dialpad only activates when it receives one, you may not use the dialpad while on local or long-distance calls. Bring your tone generator if you want to use a VMB or anything. Since toll-free calls produce no polarity flip, the payphone must enable the dialpad as soon as it dials the number, as mentioned before (pay attention!).

- The M1231 may disconnect a call if it goes too long without being answered, to the payphone's knowledge. I have no example of this happening, but it would only make sense. At any rate, you have at LEAST 5 minutes. Probably more. Quite possibly this doesn't happen at all, and I'm just a paranoid fuck.

- This will likely work on any Millennium phone (M1231, M1232, and so on) as well as any other payphone that uses this signalling.
- Oddly enough, if you dial "0" from the phone, the operator will not be able to hear you. We've yet to determine why this is, since there are no other issues with microphone enabling.

- Your rectifier may well get diked out when the phone company sees that the payphone in question has made $0.00 in revenue for the last month and a half. (Um, this seems to have been an understatement - note the "update" at the bottom of this document!) For this reason, you may want to make your rectifier toggleable. Let's discuss this.

To date, we've not determined a really good way to toggle the rectification. Ours had a DPDT switch, but we have to pull down the ceiling to get at it, so gah. We've considered things such as a mercury switch sitting on the plastic ceiling so that you can toggle it by giving the ceiling a good thump (Fonzie-style); a relay in the circuit with part of the circuit going into the booth and the other going into a wire that we could hang through a corner of the ceiling, so that one could toggle the rectification by holding the wire against the side of the booth... we've even considered drilling a hole through the back of the booth and sticking a switch through it. Whatever.

At any rate, I've gone on long enough and I'm tired. So, this is, of course, all for educational purposes only, and neither PrussianSnow nor I (Flame0ut) take any responsibility for anything this document may cause anyone to do.

Note that if Nortel would just make the microphone not activate until the voltage flash, this method would be moot. It's a shame, really.

Enjoy!

----

Update, about six months later:

Yes, we wrote this document a long time ago and dawdled about publishing it. Some things have happened since which we feel are worth noting. Firstly:

- Nortel no longer owns the M123X payphone line; it's been sold to a company called Quortech, which seems very twitchy about sending out manuals (can't imagine why?).

- Our prototype device and payphone have been removed. Both of them.
Completely. Our proof-of-concept phone was loaded into a truck and taken away for good. It took them five months, but the first ever creation of this device is now in the hands of Bell Canada, godspeed to it.

That's about all.

-------

Questions? Concerns? PrussianSnow and Flame0ut can be reached at the l0pht bbs at bbs.l0pht.com

That is all.

-------

Originally published in Napalm Zine (http://napalm.firest0rm.org)
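The caveat about the rectifier being "diked out" once the phone company sees $0.00 in revenue, and the update confirming that is what eventually happened, describe the detection side of this: the CO knows the call was answered even though the phone never collected. As an added example (not from the original article, and not any carrier's actual system), here is how a revenue-versus-traffic check over per-payphone call records can single out such a phone while leaving legitimately zero-revenue phones alone. The record layout, field names and thresholds are this example's assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class CallRecord:
    """One call record for a payphone line. Field names are this example's
    assumptions, not any carrier's actual record format."""
    phone_id: str
    toll_free: bool
    answered: bool
    duration_s: int
    collected_cents: int


def suspicious_phones(records: Iterable[CallRecord], min_answered: int = 5,
                      max_paid_ratio: float = 0.05) -> List[str]:
    """Flag phones whose answered, chargeable calls almost never produced a collection.

    Toll-free and unanswered calls are excluded because a zero collection is legitimate
    there; phones with fewer than min_answered chargeable answered calls are skipped so
    that a quiet or out-of-service phone is not mistaken for a tampered one."""
    answered = defaultdict(int)
    paid = defaultdict(int)
    for r in records:
        if r.toll_free or not r.answered or r.duration_s <= 0:
            continue
        answered[r.phone_id] += 1
        if r.collected_cents > 0:
            paid[r.phone_id] += 1
    return sorted(pid for pid, n in answered.items()
                  if n >= min_answered and paid[pid] / n <= max_paid_ratio)


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    # PP-0001: healthy phone, a quarter collected on every answered local call
    *[CallRecord("PP-0001", False, True, 120, 25) for _ in range(6)],
    CallRecord("PP-0001", False, False, 0, 0),              # rang out, coins returned
    # PP-0002: long answered calls for weeks, never a cent collected
    *[CallRecord("PP-0002", False, True, 900, 0) for _ in range(8)],
    # PP-0003: only toll-free traffic, so zero revenue is expected
    *[CallRecord("PP-0003", True, True, 300, 0) for _ in range(10)],
    # PP-0004: two uncollected calls is too little to judge
    CallRecord("PP-0004", False, True, 60, 0),
    CallRecord("PP-0004", False, True, 60, 0),
]

if __name__ == "__main__":
    print("flagged:", suspicious_phones(SAMPLE_RECORDS))   # flagged: ['PP-0002']
```

The ratio rather than a plain "revenue equals zero" test matters in practice: a phone whose rectifier is toggled on and off, as the authors contemplate, still shows a collection rate far below its answered-call count, which a zero-revenue rule alone would miss.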