
Phreak Philes: Modem scanning in the late 1980s…

phreak /frēk/ INFORMAL

verb: phreak; 3rd person present: phreaks; past tense: phreaked; past participle: phreaked; gerund or present participle: phreaking; noun: phreaking
hack into telecommunications systems, especially to obtain free calls.
“a few old-time hackers still phreak casually just to keep their hand in”

noun: phreak; plural noun: phreaks
a person who hacks into telecommunications systems, especially to obtain free calls.
“the nation’s most clever cellular phone phreaks”

– Oxford Languages via BING search for “define phreak”

I expect most of us have some life-changing event we could cite that forever changed the direction of our existence. For example, looking through a telescope for the first time might have led to a career in astronomy. For me, it was when I was in 7th grade English class and I quoted a line from a PBS TV show I had just watched (“The Hitchhikers Guide to the Galaxy”). A nearby student recognized the quote (“you watched that too?”), and introduced me to the books of Douglas Adams.

Jimmy also introduced me to computers, and helped me learn BASIC programming via books he had. We’d go down to the local Radio Shack to type in the programs we’d written down on paper. This led me to wanting a computer instead of an Intellivision (its baseball program could talk!) or ColecoVision (it came with Donkey Kong!), which started my career as a programmer.

In addition to Douglas Adams and computers, Jimmy also exposed me to the world of phone phreaking — though not at any “WarGames” level. It was just a bunch of junior high kids that learned how to make free phone calls from the school’s payphone, or talk with random kids via “loop lines”. (This made me search for “loop line” to see just what those phone numbers were for. I found a Wikipedia entry about “loop around” which does appear to be what I am referring to. #TheMoreYouKnow).

I remember kids all over Houston, Texas were making use of codes that allowed “free” long distance phone calls. This let them dial in to bulletin board systems out of state without the parents throwing a fit when they received a phone bill.

There was a higher level of phreaking that involved devices that would generate special tones that the old phone system would respond to. They were known as “boxes” and identified by a color. The “red box” simulated a tone that told the phone company a coin was inserted into a payphone. This allowed making free calls from payphones. I see today’s Wikipedia has an entire category on these boxes with colors I never heard of back then. I think I’d only heard of red, blue (2600 Hz tone generator used for free long distance), and silver (four extra buttons on a standard touch tone keypad labeled A, B, C and D). I recall the “D tone” would knock an operator off the line, for some reason.

I actually had a silver box — something my dad found at a store. I remember him telling me (over the phone) that he found a phone that had extra buttons on it that were going to be used for future phone services. He said they were labeled A, B, C and D. Somewhere, I still have that phone. I have no idea why this phone existed in stores, and I never knew how to use it for anything, but somewhere I still have it.

Popular computers like the Apple 2s had tons of phreaking software. The Tandy Color Computer had some, as well, including during the CoCo 3 days. Here’s one called “Super Phreak” by “Mr. Bill”:

It seems to be a software implementation of the phreak boxes, though it doesn’t make any sounds for me (at least not in an emulator).

There was one for the earlier Color Computers, called “BOX.BAS”, but based on the menu screen it may have been called “Phreak Operator.”

I wonder who “S Y N T A X” was, and how the licensing worked.

This one does produce tones, so it must have some assembly language audio routine embedded in it as the CoCo BASIC could only do one tone voice at a time.

But I digress…

In addition to loop lines, hardware boxes, and using codes for free long distance, there were other things lumped together with phreaking, such as having a computer dial numbers looking for other computers. This went by many names (we called it simply “modem scanning”) at the time, but today I see the Wikipedia refers to it as wardialing.

A famous example of this comes from the 1983 movie WarGames where David Lightman (played by a young Matthew Broderick) has his computer scanning for modems, and ends up finding the W.O.P.R. (War Operation Plan Response) supercomputer at NORAD.

WarGames wardialing clip

Unlike the infamous payphone scene, the movie was quite accurate on this. I expect folks wrote replica programs to recreate the user interface:

It does make me wonder how much the wardialing cost his parents. It sure sounded like his computer was just dialing a bunch of long distance numbers in area code 311 ;-)

The Radio Shack Color Computer also had programs that did this. I have two versions of “Modem Scanner” that used a Hayes-compatible modem hooked up to the Serial I/O port of the CoCo. In BASIC, the program would send dial commands to the modem using PRINT #-2 (as if they were going to a serial printer), and then it would use PEEK to look for the carrier detect pin to go high on the port. If a CD was not detected after some time, it would send the hangup command and move on to the next number.

It looked like this:

Above, you can see it would list the status of every number dialed, similarly to the WarGames program.

Using the “print to file” feature of the XRoar emulator, here is what was being sent to the modem:

+++ATZ
ATT C0 E0 M1 Q1
ATDT 555-0000
ATH
ATDT 555-0001
ATH
ATDT 555-0002
ATH
ATDT 555-0003
ATH
ATDT 555-0004
ATH
ATDT 555-0005
ATH
ATDT 555-0006
ATH
ATDT 555-0007
ATH
ATDT 555-0008
ATH
ATDT 555-0009
ATH
ATDT 555-0010
ATH
ATDT 555-0011

At the top, the “+++ATZ ATT C0 E0 M1 Q1” sequence was the modem initialization part. Looking at the list of Hayes modem commands on Wikipedia, I can see that…

  • “+++” followed by a pause was the escape code that made a Hayes smart modem go from communications mode to command mode. In command mode you could change settings, dial numbers or hang up.
  • “ATH” was the hang up command. (Hayes commands start with “AT” for attention.)
  • “ATT C0 E0 M1 Q1” – This was “T” for tone dialing, “C” was not listed as a standard command (not sure what it did), “E” turned off auto-echo so commands did not echo back when typing them, “M” turned ON the modem speaker (geesh, that should have been a settable option), and “Q” turned on quiet mode so the modem did not echo back “OK” after each command.
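
The capture and the command meanings above can be decoded mechanically, which is also how this traffic looks to someone reviewing a serial or call log afterwards. The following is an added example, not part of the original post or of Modem Scanner: it parses the capture, uses the fact that line 110 of the BASIC listing further down sends “+++” before ATH only after a carrier was detected to tell hits from misses, and flags numbers dialed back to back in +1 order. The function names and the min_run threshold are assumptions.

```python
import re

# First lines of the capture above; the closing "+++ATH" is constructed here to
# show what line 110 of the BASIC listing sends once a carrier has been found.
CAPTURE = """+++ATZ
ATT C0 E0 M1 Q1
ATDT 555-0000
ATH
ATDT 555-0001
ATH
ATDT 555-0002
+++ATH
"""

# Meanings as given in the post; "C0" is not listed there and stays unknown.
MEANING = {"Z": "reset", "T": "tone dialing", "E0": "command echo off",
           "M1": "speaker on", "Q1": "quiet mode (no result codes)"}

def parse_capture(text):
    """Return (settings, calls) decoded from a Hayes command capture."""
    settings, calls = [], []
    for raw in text.splitlines():
        line = raw.strip().upper()
        escaped = line.startswith("+++")   # escape from online to command mode
        body = line[3:] if escaped else line
        if body.startswith("ATDT"):        # tone-dial a number
            calls.append({"number": re.sub(r"\D", "", body[4:]), "result": "pending"})
        elif body in ("ATH", "ATH0"):      # hang-up closes the most recent call
            if calls:
                calls[-1]["result"] = "carrier" if escaped else "no carrier"
        elif body.startswith("AT"):        # anything else is treated as settings
            tokens = re.findall(r"[A-Z]\d*", body[2:])
            settings += [MEANING.get(t, "unknown: " + t) for t in tokens]
    return settings, calls

def sequential_run(calls):
    """Length of the longest run of numbers dialed in strict +1 order."""
    best, run, prev = 0, 0, None
    for n in (int(c["number"]) for c in calls if c["number"]):
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best, prev = max(best, run), n
    return best

def summarize(text, min_run=3):
    settings, calls = parse_capture(text)
    run = sequential_run(calls)
    return {"settings": settings, "dialed": len(calls),
            "carriers": [c["number"] for c in calls if c["result"] == "carrier"],
            "longest_run": run, "looks_like_scan": run >= min_run}
```
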

Looking at the BASIC source code shows this notice at the top:

And these version notes at the bottom:

The full source code is here:

0 ' +------------------------+
1 ' !   MODEM SCANNER V1.1   !
2 ' ! BY ZIGLWALD X. MALUSHI !
3 ' !    HAYES COMPATABLE    !
4 ' !     MODEM REQUIRED     !
5 ' +------------------------+
6 ' MODEM MUST BE ON AND READY
7 ' WHEN PROGRAM IS RAN
8 '
9 '
10 PCLEAR1:CLEAR10000:DIM MD$(1000)
15 CLS:PRINT@7,"MODEM SCANNER V1.1":PRINTSTRING$(32,131)
20 PRINT@64," THIS PROGRAM WILL DIAL A RANGE  OF  NUMBERS  YOU  SPECIFY  AND  REPORT  ANY MODEM CARRIERS  IT  FINDS.":PRINT
25 PRINT" warning:  CALLS PLACED BY THIS  PROGRAM ARE  CONSIDERED  PRANK  CALLS  AND ARE PUNISHABLE BY A  FINE OF UP TO $1000  AND/OR  A  JAIL TERM OF UP TO 180 DAYS."
30 PRINT:PRINT" ****USE AT YOUR OWN RISK!!****":PRINTSTRING$(32,140)TAB(9)"PRESS ANY KEY:";
35 IFINKEY$=""THEN35
40 CLS:PRINT@7,"MODEM SCANNER V1.1":PRINTSTRING$(32,131)
45 PRINT@68,"***INITIALIZING MODEM***"
50 POKE65315,48:POKE65314,249:POKE65315,52:POKE65314,0:POKE150,180:MD=0
55 FORA=1TO2000:NEXTA:PRINT#-2,"+++";:FORA=1TO2000:NEXTA:PRINT#-2,"ATZ":FORA=1TO1000:NEXTA:PRINT#-2,"ATT C0 E0 M1 Q1"
59 PRINT@128,"SCAN 800'S?  (Y/N) :";:LINEINPUTA$:IFA$="Y"THENAC$="1-800-"ELSEAC$=""
60 PRINT@160,"ENTER PREFIX (###) :";:LINEINPUTPF$:IFLEN(PF$)<>3THEN60
65 PRINT@192,"START RANGE (####) :";:LINEINPUTST$:IFLEN(ST$)<>4THEN65
70 PRINT@226,"END RANGE (####) :";:LINEINPUTEN$:IFLEN(EN$)<>4ORVAL(EN$)<VAL(ST$)THEN70
75 PRINT@288,"SCAN FROM "AC$PF$"-"ST$:PRINT@327,"TO "AC$PF$"-"EN$:PRINT@392,"IS THIS CORRECT? ";:LINEINPUTA$:IFLEFT$(A$,1)<>"Y"THEN59
80 CLS:FORNM=VAL(ST$)TOVAL(EN$):'FORA=1TO10000:NEXTA
82 PRINT@511:PRINT@0,TAB(7)"MODEM SCANNER V1.1":PRINTSTRING$(32,131):PRINT@69,;:IFAC$=""THENPRINT"LOCAL";ELSEPRINT"1-800";
83 PRINT" SCAN IN PROGRESS":PRINT@96,"SCANNED:"NM-VAL(ST$),"CARRIERS:"MD:PRINTSTRING$(32,131):PRINT@448,;
85 NM$=AC$+PF$+"-0000":NN$=RIGHT$(STR$(NM),LEN(STR$(NM))-1):MID$(NM$,1+LEN(NM$)-LEN(NN$),LEN(NN$))=NN$
90 PRINTNM$" - ";:PRINT#-2,"ATDT "NM$
95 CD=PEEK(&HFF20):FORTM=1TO1000:CD=PEEK(&HFF21):IF(CD AND 128)=128 THEN105 ELSENEXTTM
100 PRINT"NOTHING":PRINT#-2,"ATH":FORA=1TO3000:NEXTA:NEXTNM:GOTO120
105 PRINT"*CARRIER*":MD$(MD)=NM$:MD=MD+1
110 FORA=1TO2000:NEXTA:PRINT#-2,"+++";:FORA=1TO2000:NEXTA:PRINT#-2,"ATH":FORA=1TO2000:NEXTA
115 NEXTNM
120 CLS:PRINT@4,"TOTAL CARRIERS FOUND:"MD:PRINTSTRING$(32,131)
125 FORA=0TOMD:PRINTMD$(A),:IF(A/18)=INT(A/18)THEN135
130 NEXTA:PRINT@424,"END OF NUMBERS":END
135 PRINT@425,"PRESS ANY KEY:";
140 IFINKEY$=""THEN140ELSEFORZ=1TO12:PRINT@32+Z*32:NEXTZ:PRINT@96,;:GOTO130
150 '
151 'PROGRAM UPDATES
152 '
155 'OCTOBER 1987 (V1.0)
156 'FEBRUARY 1988 (FOR 800'S)
160 '

I believe the POKEs in line 50 are what made BASIC not wait for the printer to be ready (since that would never happen when using a modem) and set the printer baud rate to 300 baud.

Line 95 is related to the carrier detect, though I don’t know what it’s doing specifically.

At 120 it appears to display all of the modem numbers found, with a pause at the end of the screen. I see no provision for writing this list out to tape or disk, so I guess the user would have just had to write them down. And, most likely, when scanning 10,000 numbers (0000-9999), how many of them would have actually been modems anyway?

I had a friend who did modem scanning back in the late 1980s, though I don’t know if he used this program. I do know that his parents got a phone call from the phone company, reporting that something was wrong on their other phone number and it was making too many calls. His dad went up to the room where the computer was and knew enough about it to hit the red BREAK key and stop the program.

I do not know if I ever used this program, but I do have a story to tell about getting in trouble for dialing in to a number that was found through modem scanning. But that’s a story for another time…

Until then…

For further research…

A disk image containing these programs may be found on the Color Computer archive site:

https://colorcomputerarchive.com/search?q=phreak