                 HACKING MA BELL
        Another Safe Cracker Production
 
             Basic Telephone Systems
                   Part One
 
 Lifting Ma Bell's Cloak of Secrecy
 ----------------------------------

  Though telephones predate radio communications by many years, they
aren't nearly as simple as they appear at first glance. In fact, some
aspects of telephone systems are most interesting and quite
ingenious. In this article we will describe some of these more
interesting and perhaps less well-known areas of telephone systems.
 
  But before going farther, let me explain and apologize for the fact
that some of the information in this article may not be altogether
complete, up to date, or even correct. I do not work for any phone
company, and therefore do not have access to internal telephone
company literature. Moreover, there is very little material available
in books or magazines which describes how US telephone systems work.
Much of the information in this article has been obtained piecemeal
from many different sources such as books, popular magazines,
computer data communications journals, handbooks, and sometimes just
plain hearsay. I have tried to correlate as much as possible all the
little bits and pieces into a coherent picture which makes sense, but
there is no easy way to be sure of all the little details. So think
of this article as if it is a historical novel - generally accurate
and, regardless of whether it is completely true or not, fascinating.
 
  With this out of the way, let's go on. You, as the customer, are
generally referred to as the 'subscriber'. Your telephone connects to
the Central Office through a two-wire cable which may be miles long
and which may have a resistance on the order of hundreds or even
thousands of Ohms. This cable is essentially a balanced line with a
characteristic impedance of around 900 Ohms, but this varies greatly
with different calls. (This is why it is so hard to keep a hybrid
phone-patch balanced.)
 
  The main power in the central office comes from 48 volt storage
batteries which are constantly kept trickle-charged.  This battery is
connected to your line through a subscriber relay and a balanced
audio transformer. The relay is sensitive enough to detect even quite
small currents through your line.
 
  The buttons which stick up out of your telephone case when you lift
the handset actuate the hook switch. The name probably dates back to
the days when the handset (or even earlier, the earpiece) hung on the
side of the phone from a hook. In any case, when your phone is hung
up it is said to be on the hook; when you lift the handset to make a
call it is said to go off the hook. With the phone on hook, the line
is connected only to the bell (called the ringer). Because the bell
circuit has a capacitor in it, no dc current can flow through the
phone. As a result, the subscriber relay back in the central office
will be deenergized, indicating to the central office (let's
abbreviate that as CO from now on) that your phone is hung up. Since
there is no current through your line or phone, there is no voltage
drop anywhere, and so if you measure the voltage across the phone
line at your home you will see the entire 48 volts (or even more if
the CO batteries are well charged). The positive (grounded) lead is
called the tip and negative lead is called the ring; these names
correspond to the tip and ring of a three-circuit phone plug.
 
  Now suppose you want to place a call. You pick up the handset, and
the phone goes off the hook. This completes the dc circuit through
the dial, microphone, and the hybrid network which is basically a
complicated transformer circuit. At this point current starts to flow
from the battery through your line and phone, and the subscriber
relay back at the CO pulls in. The line voltage across your phone now
drops to just a few volts because the line is loaded down by the low
resistance of the phone. The CO now searches for some idle dialing
circuits, and when it finds them, connects a dial tone back to your
phone.  When you hear this, you start dialing.
 
  When you dial a number, the dial acts as a short circuit until you
release the dial and let the built in spring return it back to the
resting position. As it is returning, it starts to open and close the
circuit in sequence to indicate the number you dialed. If you dial a
1, it opens the circuit once; if you dial a 9 it opens the circuit
nine times. As the dial is returning it causes the subscriber relay
to open and close in step. This enables the CO to recognize the
number you want. When you finish dialing, the dial becomes just a
plain short circuit which passes current through the microphone and
the hybrid network.  Since the mike is a carbon unit, it needs this
current to work.
 
  When the CO receives the complete number, it starts to process your
call. If you dialed another subscriber in the same area, it may
connect you directly to that subscriber's line. Calls to phones a
little further away may have to be routed through another CO, while
long distance calls may go through one or more long distance
switching centers (called tandems) and possibly many other CO's
before arriving at the destination. At the completion of this
process, you may get either a ringing signal, indicating that the
phone at the other end is ringing, one of several types of busy
signals, or possibly just silence, if something goes wrong somewhere.
 
  When you talk to the person at the other end, the cable carries
audio in both directions at the same time. Your carbon microphone
varies the current in your circuit, and this current variation is
detected by a balanced transformer in the CO. At the same time, audio
coming back to your phone goes through the hybrid network to your
earphone. (In phone company lingo they like to call the mike a
transmitter, and the earphone is called a receiver.)
 
  You may be interested in the makeup of the various tones you may
hear on your telephone; these tones are important to people such as
computer communications designers who have to build equipment which
will recognize dial or other signalling tones:
 
  Dial tone in older exchanges may still be a combination of 120 and
600 Hz but the newer exchanges use a combination of 350 and 440 Hz.
There is often a slight change in the dc line voltage at the
beginning of dial tone, and this may also be detected.
 
  Busy signal is a combination of 480 and 620 Hz which alternates for
1/2 second on and 1/2 second off (i.e., 60 interruptions per minute)
when the party you are calling is busy. The same busy signal may be
used for other conditions such as busy interoffice or long distance
circuits, but would then be interrupted either 30 times a minute or
120 times per minute.  This is a standard agreed on by an
international telecommunications organization called CCITT (and I
don't offhand remember the French words it stands for), but
occasionally other frequencies up to 2 kHz are used. A siren-like
sound varying between 200 and 400 Hz is often used for other error
conditions.
 
  The ringing tone, which you hear coming back to you when the phone
rings on the other end of the connection, is nowadays mostly a
combination of 440 and 480 Hz, but there is a great variation between
CO's. Very often a higher frequency such as 500 Hz is interrupted at
20 Hz, and other tones are used as well. The tone is usually on for
two seconds and off for 4 seconds.
 
  The ringing current, actually used to ring the bell in a telephone,
is an ac voltage since it has to activate a ringer which has a
capacitor in series with it. Different companies use different ringing
currents, but the most common is 90 volts at 20 Hz. Since a typical
phone may be thousands of feet away from the CO, the thin wires used
may have a fairly high line resistance. Hence only a relatively small
current can be applied to the bell, certainly not enough to ring
something like a doorbell. This problem is solved by making the bell
resonant mechanically at the ringing frequency so that even a fairly
small amount of power is enough to start the striker moving hard
enough to produce a loud sound. This is the reason why a low
frequency ac is used. Although this raises some problems in
generating a 20 Hz signal at a high enough voltage, it has the
advantage that a bell will respond to a ringing current only if the
frequency is quite close to the bell's naturally resonant frequency.
If you build two bells, one resonant at 20 Hz and the other resonant
at 30 Hz, and connect them together to the same line, you can ring
just one bell at a time by connecting a ringing current of the right
frequency to the line; this has some useful applications in ringing
just one phone on a party line.
 
  Now let's look at some of the components of the phone itself.  We
will consider the most common new phone, a model 500 C/D manufactured
by Western Electric and used by Bell System affiliated phone
companies. This is the standard desk phone, having modern rounded
lines and usually having a G1 or G3 handset. It was developed about
1950 and replaced the older 300-series phones which had the older F1
handset and had sharper corners and edges. (There was an in-between
phone, where they took an old 300 series phone and put a new case on
it which resembled the 500-style case but had a straight up-and-down
back - the back of the case came straight down right behind the
handset cradle, whereas the true 500-style telephone has what looks
like a step sticking out behind the cradle). If you are still in
doubt as to which phone you have, the bell loudness control is a
wheel on the 500-type phone and a lever on the 300-type. If you live
in the boondocks, you may still have the 200-type phone (sometimes
called the ovalbase) or maybe even the desk-stand type that looked
like a candlestick, with the microphone mounted on top and the
earpiece hanging on the side from a hook. Neither of these phones had
a built in bell, and so you probably have a bell box attached to your
wall. (If you have a phone with a handle on the side which you crank
to call the operator, the following does not apply to your phone!)
 
  The bell circuit consists of a two-coil ringer and a 0.5 uF
capacitor. On Western Electric phones the capacitor is mounted inside
the network assembly, which also has a large number of screws on top
which act as connection points for almost everything inside the
phone. (I have never been able to find out why the ringer has two
coils of unequal resistance but it apparently has something to do
with determining which subscriber on a party line makes which call.)
In most phones, the yellow and the green wires are connected at the
wall terminal block so that the bell is connected directly across the
telephone line; disconnecting the yellow lead would turn off the bell
(although sometimes the connection is made internally by connecting
the black lead from the ringer directly to the L1 terminal, in which
case the yellow lead is disconnected).
 
  You may wonder why a yellow lead is needed at all when only two
wires are normally used anyway. It is true that only two wires enter
the house from the outside; one of these is the tip and the other is
the ring. In a non-party line the ringing current as well as all talk
voltages are applied between the tip and the ring, and it doesn't
actually matter which of the phone leads goes to the tip and which to
the ring if you have a rotary dial phone. If you have a Touchtone
dial, then you have to observe polarity so that the transistor
circuit in the dial works, in which case you have to make sure that
the green lead goes to the tip and the red lead goes to the ring.
 
  The yellow lead is commonly used for party lines. On a two-party
line ringing current from the CO is applied not between the two
lines, but between one line and ground. In that case the yellow lead
goes to ground while the other side of the ringer (the red lead) is
connected to either the tip or the ring, depending on the party. In
this way, it is possible to ring only one party's bell at a time.
 
  Some of the remaining components inside the phone are varistors:
the phone companies must be the world's biggest users of these
devices, which are variable resistors whose resistance drops as the
voltage across them rises. Their function in the phone set is to
short out parts of the set if the applied voltage gets too high. For
instance, one is connected directly across the earphone (receiver)
and acts as a volume limiter to lower the volume if the applied
voltage gets too high - a great way to protect your eardrums.
 
  The current path goes through a set of contacts on the hook switch,
then through the pulsing contacts on the dial, through part of the
network, through the mike, back through a second winding on the
network, and finally through a second contact on the hook switch and
back out to the red wire.
 
  The hook switch actually has three sets of contacts, two normally
open (open, that is, when the handset is on the hook) which
complete the dc circuit when you pick up the handset, and a normally
closed contact which is wired directly across the earphone. This
contact's function is to short the earphone during the time that the
dc circuit is being opened or closed through the phone - this
prevents you from being blasted by a loud click in the earphone.
 
  The dial has two contacts. One of these is the pulsing contact,
which is normally closed and only opens during dialing on the return
path of the dial after you let go of it. The second contact, labelled
the off-normal contact, shorts the earphone as soon as you start
turning the dial, and releases the short only after the dial returns
back to the normal position.  In this way you do not hear the
clicking of the dial in the phone as you dial.
 
  Finally, the phone has the hybrid network which consists of a
four-winding transformer and a whole collection of resistors,
capacitors, and varistors. The main function of the network is to
attenuate your own voice to lower its volume in your earphone. The
simplest phone you could build would be just a series circuit
consisting of a dial, a mike, and an earphone.  But the signals
coming back from the other party are so much weaker than your own
signals, that an earphone sensitive enough to reproduce clearly and
loudly the voice of the other person would then blast your eardrums
with the sound of your own voice.  The function of the network is to
partially cancel out the signal produced by the local mike, while
permitting all of the received signal to go to the earphone. This
technique is similar to the use of a hybrid phone patch with a VOX
circuit, where you want the voice of the party on the telephone to go
to your transmitter, but want to keep the receiver signal out of the
transmitter.
 
  In addition to the parts needed for the hybrid, the network also
contains a few other components (such as the RC network across the
dial pulsing contacts) and screw-type connection points for the
entire phone.
 
  A Touchtone phone is similar to the dial shown here, except that
the rotary dial is replaced by a Touchtone dial. In addition to its
transistorized tone generator, the standard Touchtone pad has the
same switch contacts to mute the earphone, except that instead of
completely shorting the earphone, as the rotary dial does, the
Touchtone dial switches in a resistor which only partially mutes the
phone. The circuit of the Touchtone dial is shown in recent editions
of the ARRL Handbook so we won't print it here.
 
  It is fairly common knowledge as to what frequencies are used for
Touch-tone signalling, but a misprint in several recent ARRL
publications gives the wrong frequency for one of the high tones, so
here is a short table which repeats the correct numbers:
 
        LOW TONE       HIGH TONE GROUP (Hz)
        GROUP (Hz)   1209   1336   1477   1633
           697         1      2      3      A
           770         4      5      6      B
           852         7      8      9      C
           941         *      0      #      D
 
 Each digit is composed of one frequency from the low group and one
frequency from the high group; for instance, the digit 6 is generated
by producing a low tone of 770 Hz and a high tone of 1477 Hz at the
same time. The American Touchtone pads generate both of these tones
with the same transistor, while European pads (yes, there are some)
use two transistors, one for each tone. In addition to the first
three high tones, a fourth one of 1633 has been decided on for
generating four more combinations, called A through D in the above
table. These are not presently in use, although the standard phone
Touchtone pad can easily be modified to produce this tone, since the
required tap on the inductor used to generate the tone is already
present and only an additional switch contact is needed to use it;
information on this simple conversion is found in the 73 publication
'Digital Control of Repeaters'.
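
  The following Python is an added example, not part of the original
article: it uses the Goertzel algorithm to recognise the Touchtone
pairs from the table above and the dial, busy and ringing tone pairs
listed earlier. The 8000 Hz sample rate, the 50 ms block length, the
0.1 threshold and all function names are assumptions of the example.

```python
import math

RATE = 8000  # samples per second (assumed; not from the article)

# Touch-tone matrix from the article's table: rows are low tones, columns high tones.
LOW = (697, 770, 852, 941)
HIGH = (1209, 1336, 1477, 1633)
KEYS = ("123A", "456B", "789C", "*0#D")
# Call-progress pairs the article gives for newer exchanges.
PROGRESS = {"dial tone": (350, 440), "busy": (480, 620), "ringing": (440, 480)}

# Map every known frequency pair to its meaning.
SIGNALS = {frozenset(p): name for name, p in PROGRESS.items()}
for r, row in enumerate(KEYS):
    for c, key in enumerate(row):
        SIGNALS[frozenset((LOW[r], HIGH[c]))] = key
ALL_FREQS = sorted({f for pair in SIGNALS for f in pair})

def tone_pair(f1, f2, ms=50):
    """Constructed test signal: two equal-amplitude sine waves, summed."""
    w1, w2 = 2 * math.pi * f1 / RATE, 2 * math.pi * f2 / RATE
    return [0.5 * math.sin(w1 * i) + 0.5 * math.sin(w2 * i)
            for i in range(RATE * ms // 1000)]

def goertzel_power(samples, freq):
    """Squared magnitude of the signal's spectrum at one frequency."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def classify(samples, min_share=0.1):
    """Name the signal in a block of samples, or None if no known pair matches."""
    energy = sum(x * x for x in samples)
    if energy < 1e-6:  # silence
        return None
    # In a clean dual tone each component scores about 0.25; leakage scores far less.
    norm = len(samples) * energy
    present = frozenset(f for f in ALL_FREQS
                        if goertzel_power(samples, f) / norm > min_share)
    return SIGNALS.get(present)  # exactly one known pair, nothing else

def encode(key):
    """Tone pair for one keypad symbol."""
    for r, row in enumerate(KEYS):
        if key in row:
            return tone_pair(LOW[r], HIGH[row.index(key)])
    raise ValueError(key)

if __name__ == "__main__":
    print([classify(encode(k)) for k in "6A#"])
    print(classify(tone_pair(480, 620)))
```

Because 440 Hz appears in both the dial tone and the ringing tone, the
detector has to identify the pair, not a single frequency.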
 
  What is not generally known is that the U.S. Air Force uses a
different set of Touchtone frequencies, in the range of 1020 to 1980
Hz. Since many of the phones available for purchase in stores come
from Department of Defense surplus sales, it will be interesting when
these phones become available.
 
  Another Touchtone dial presently used by amateurs is made up of a
thin elastomeric switch pad made by the Chomerics Corp. (77 Dragon
Court, Woburn, Mass. 01801) and a thick-film hybrid IC made by
Microsystems International (800 Dorchester Boulevard, Montreal,
Quebec). The pad is the Chomerics ER-20071, which measures about 2
1/4 inch wide by 3 inches high, and only about 3/16 inch thick
(Chomerics also makes a smaller model ER21289, but it is very
difficult to use and also apparently unreliable). Microsystems
International makes several very similar ICs in the ME8900 series,
which use different amounts of power and generate different amounts
of audio. Some of these also contain protection diodes to avoid
problems if you use the wrong polarity on the IC, and there are so
many models to choose from that you should get the technical data
from the manufacturer before ordering one. There are a number of US
distributors, including Newark Electronics, Milgray and Arrow
Electronics in New York. KA Electronics Sales advertised both the pad
and the IC in the July 1974 issue of 73 Magazine. In single
quantities, the pad goes for about $9 and the IC costs about $18,
although it drops in price if you order larger quantities.
 
  A simple circuit for the IC and pad is shown in the ARRL
publication 'FM and Repeaters for the Radio Amateur'. While this
circuit is perfectly good, it does not work in the presence of a
strong rf. If you want to mount this pad and IC on a portable 2-meter
rig, you will have to use bypass capacitors and chokes to keep the rf
out of the IC. Bypass pins 8 and 16 of the IC to pin 13 with small
discs of about 0.001 or 0.01 uF, right at the IC, using very short
leads. Then put small 2 to 5 microhenry chokes in series with pins 8,
13 and 16 right at the IC. If needed, put more chokes at the other
end of each lead. Ohmite Z-144 chokes are good but a little bulky;
the small 1.8 microhenry chokes used in Motorola Handie-Talkies
(Motorola type 24-82723HO1) are about the size of a 1/8 watt resistor
and almost as good. It may seem a little funny to put chokes in the
ground leads, as all hams are trained to use good rf grounds, but the
object is to keep rf out of the IC at all costs and this accomplishes
that by letting the IC float above ground if needed, but removing any
rf voltage which might appear across the IC leads. It is also
possible to generate the Touchtone tones with separate oscillators or
with IC oscillators (such as the NE566), as is done in pads sold by
Data Engineering. This system may not be as stable or accurate as
other systems, though.

------------------Continued on Part 2
