STATION ID - 7047/3.12

9x Datakit Network
FOR OFFICIAL USE ONLY

This is a 9x system, restricted to authorized persons and for
official 9x business only. Anyone using this system, network or data
is subject to being monitored at any time for system administration and
for identifying unauthorized users or system misuse. Anyone using this
system expressly consents to such monitoring and is advised that any
evidence of criminal activity revealed through such monitoring may be
provided to law enforcement for prosecution.



       *[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*
       [9x]                                                [9x]
       [9x]             I N T R O D U C T I O N            [9x]
       [9x]                      T O                       [9x]
       [9x]             B L U E     B O X I N G            [9x]
       [9x]                      B Y                       [9x]
       [9x]             L I N E M A N, 1 9 9 6             [9x]
       [9x]                                                [9x]
       *[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*





Intro
-----------------
Y0, this is an intro to blue boxing in the 90's.  I don't claim
to be an expert, or an authority on the topic of international or regional
signalling, just someone interested.  The information provided in this
file is not illegal.  Almost all of it is publicly available.

*** NOTICE ***
This is not meant to be a comprehensive guide to C5, R1 or any
other form of signalling.  Treat it as an introduction.  There is a lot
of information I have not included, because a) It would be confusing,
and b) It's not important.  I'd like to stress that a lot of my examples
have been OVER SIMPLIFIED for convenience. I have included a list of
references that you should probably check out if you're interested.  This
info is/was publicly available at most quality libraries.  Fr3e inph0 4 aLl.

As with all things of a suspicious nature, you will eventually get
caught.  How long you go without getting caught depends on skill, precaution,
and luck.


Generally, Wut iZ Signalling
-----------------
Signalling is the term used to describe how telecommunication
networks communicate with each other.  There are many types of signalling,
including DC Pulsing (like on a rotary-fone) and even DTMF.  Dialing
a phone number is actually a form of signalling called subscriber line
signalling.

Telephone networks communicate via special "lines", connecting each other
up, called Trunks.  Information about a call, and in some cases the
conversation, is passed through a trunk line to the called network.  The
called end gathers the signalling information, manipulates some hardware,
and voila - a call is made.  If the called line is busy etc., then the
called end signals back to the calling system, and the caller gets a busy
signal.

That's way oversimplified (and somewhat incorrect), but I'll explain more as
I go.  Until then, here is an analogy. :)

Trunk lines are like Bridges (the kind you drive over).  Instead of running
many small bridges to various locations, one large bridge is built in a
convenient spot. Even though there is only one bridge, it's big and handles
lots of traffic, effectively connecting two sections of town. :)

The one signalling system I will discuss is: CCITT5.  It is still possible
to use other systems (like R1), but most people won't be able to find them.

CCITT5 (C5) is an international Signalling system.  It was designed for
handling international calls going over the trans-atlantic cables.  It's
still widely used in many South American, Caribbean, Asian and poorer
countries. Slowly, it's dying out.

C5 is a standard protocol set by the ITU (International Telecommunications
Union), formerly known as the CCITT (International Telegraph and Telephone
Consultative Committee).  They set communication standards and publish lots of
documentation about the aforementioned as well as various other
communications related topics.

More about Signalling
-----------------
As is with most things, it's kind of necessary to understand a bit about
the system you will be (ab)using.  In the following sections, I'll describe
Trunk Lines, terminal and transit networks, line signalling, and
interregister signalling.

Trunk Lines
-----------------
A trunk line is a circuit that connects two (2) networks together.  You
may already be familiar with the trunk lines running between CO's.
For C5, however, the trunk lines will be the ones that connect transit
(international) networks to terminal (national) networks in distant countries.

For our C5 purposes, an International trunk will look like this:

      __________                                    __________
     | OUTGOING |=>====>====> FORWARD >====>====>==| INCOMING |
     | EXCHANGE |                                  | EXCHANGE |
     |__________|==<====<=== BACKWARD =<====<====<=|__________|
       (Caller)                                     (Receiver)

Signals sent in the forward direction go from the caller's
end to the recipient's end, and the opposite goes for the backward
direction.

For C5 this is not completely accurate.  In reality it's not the outgoing
exchange that sends the C5 signalling info to the incoming exchange; it's
really an international "gateway" at the transit (national) exchange that
sends the C5 info to the incoming transit exchange.  Go see the references if
you really care.

Signals are really just audio noises (like beeps) that represent certain
"commands" (line signalling) and "parameters" (interregister signalling)
to be issued to the routing/switching equipment. The signalling
hardware picks these signals up by looking for characteristic energy levels.
At the end of this file (amongst the other tables) you will find a list
of signals, and their frequencies.

The trunk lines not only transmit signalling information, they also
transmit your conversation.  So, when you make a call over one of these
trunks you have access to more than a friendly voice. :)  I once wondered
why in the hell anyone would ever do such a stupid thing, but the answer
is simple.  With the volume of traffic going overseas, and the cost of
the cable, equipment, boats, crew and design, the profit for using a single
line to handle both signalling and voice easily outweighs the amount of
"potential" loss due to fraud or bad connections.  No one really cares.

If you're wondering how you're going to find a C5 trunk and access it for
free, then stop.  It's really simple.  Home Country Directs take care of it
for you.  You just dial an 800/888 that's connected to another country.
I've included an older list of HCD's accessible from Canada at the end
of this file.

       Some terms you should know:

               Terminal -- National
                Transit -- International

Line Signalling
-----------------
This really only applies to C5, because R1 uses 2600Hz to sequentially
determine the state of line conditions.

Line signalling issues commands/responses that mess with the actual
connection of the line.  Answer,  Busy-Flash, Clear Forward and Clear Back
are all Line Signals.  Though you only need to know about Clear Forward
for now, I'll give you a brief definition of the above.

       Answer:  This is a signal sent in the backward direction to indicate
                that a connection has been established to the called party
                and appropriate action (like billing) should begin.

         Busy:  This is a signal sent in the backward direction to indicate
                that the called party's line is not available.  This doesn't
                always mean the line is busy, it just means you can't talk
                to them just yet.

Clear Forward:  This is a signal, sent in the forward direction to tell
                the incoming exchange to kill the current interregister
                connection. It's pretty much the same thing as hanging up.
                Sort of. :)  (See clear backward)

Clear Backward:  This is a signal, sent in the backward direction, to tell
                the outgoing exchange to clear the current interregister
                connection (disconnect the call from the [inter]national
                network).  To you, it's almost useless.

Proceed-to-send: A signal sent in response to a seize, by the incoming
                exchange, indicating that it is ready to receive
                interregister (routing) information.

 Release Guard: A signal sent in the backward direction indicating
                that the circuit is free at the incoming end.

         Seize: A signal sent in the forward direction to prepare the
                incoming exchange for a call.

There are a lot of other line signals, but you'll have to look at the
references for those.   The big ones to pay attention to now are Seize,
Release Guard, Clear Forward and Proceed-to-send.

To best describe the operation of line signalling, I'll use an example
of a call from John Smith in Albany, NY to a Johan Smitelly in Greece.

 > = forward direction
 < = backward direction

    J.Smith: Dials Greece --+ Call is routed from the US to Greece.
                            |
                            |
                            |
                   1.  >US: SEIZE
                   2.  <GR: PROCEED-TO-SEND
                   3.  >US: KP1-XXXXXXX-ST (Interregister, more later)
                   4.  <GR: "Ring-Ring"
                   5.  <GR: ANSWER
                            |
                            |
                            |
                       "Worst pot i've ever smoked!, Damn yank!!"
                       (Greece Hangs Up)
                            |
                   6.  <GR: CLEAR BACKWARD
                   7.  >US: CLEAR FORWARD

    1. US takes hold of a line
    2. Greece says Okay, where to?
    3. US says "Terminal call, XXXXXXXX, go"
    4. Ring
    5. Greece says - "Hey! America, start billing your subscriber."
    6. Greece tells America to let go of their circuit.
    7. America says let go of yours.
    The call is over.


And that's pretty much it.  After the clear forward the whole process
starts over again.

As a blue boxer, you must: Terminate your current call (with a Clear Forward)
                          Take control of a circuit (with a Seizure)
                          Send your NEW routing info (KPX-XXXXXXXX-ST)

The incoming exchange will respond with all of the appropriate tones, because
it thinks you're signalling equipment.
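
The call flow above, seen from the network operator's side, as an added
example that is not part of the original file: a Python check that walks the
line-signal trace of one trunk and flags a Clear Forward, Seize or KP that
the outgoing gateway cannot account for.  The ON-HOOK event, the trace format
and the timestamps are assumptions made for the example.

```python
# Added example, not from the original file. Audits the line-signal trace of
# one C5 trunk as logged at the outgoing gateway. Assumption: the gateway also
# logs a local ON-HOOK event when the calling subscriber really hangs up.
FWD, BWD, LOCAL = ">", "<", "-"

def audit(trace):
    """trace: [(t_ms, direction, signal), ...] -> [(t_ms, reason), ...]"""
    findings = []
    answered = False         # ANSWER seen: speech path open, billing running
    clear_justified = False  # caller on-hook, or far end sent CLEAR BACKWARD
    tainted_since = None     # time of a CLEAR FORWARD nothing accounts for
    for t, direction, signal in trace:
        if direction == LOCAL and signal == "ON-HOOK":
            clear_justified, tainted_since = True, None
        elif direction == BWD and signal == "CLEAR BACKWARD":
            clear_justified = True
        elif direction == BWD and signal == "ANSWER":
            answered = True
        elif direction == FWD and signal == "CLEAR FORWARD":
            if answered and not clear_justified:
                tainted_since = t
                findings.append((t, "CLEAR FORWARD mid-call, caller still off-hook"))
            answered = False
        elif direction == FWD and signal == "SEIZE":
            if tainted_since is not None:
                gap = t - tainted_since
                findings.append((t, f"re-SEIZE {gap} ms after unexplained clear"))
            clear_justified = False  # a new call cycle starts here
        elif direction == FWD and signal.startswith("KP"):
            if tainted_since is not None:
                findings.append((t, "routing sent on a call the caller never ended"))
    return findings

# Constructed traces; timestamps are invented, digits masked as on the page.
LEGIT = [
    (0, FWD, "SEIZE"), (80, BWD, "PROCEED-TO-SEND"),
    (200, FWD, "KP1-XXXXXXX-ST"), (9000, BWD, "ANSWER"),
    (65000, BWD, "CLEAR BACKWARD"), (65300, FWD, "CLEAR FORWARD"),
    (65500, BWD, "RELEASE GUARD"),
]
SUSPECT = [
    (0, FWD, "SEIZE"), (80, BWD, "PROCEED-TO-SEND"),
    (200, FWD, "KP1-XXXXXXX-ST"), (9000, BWD, "ANSWER"),
    (12000, FWD, "CLEAR FORWARD"),   # no ON-HOOK, no CLEAR BACKWARD before it
    (12200, BWD, "RELEASE GUARD"), (12400, FWD, "SEIZE"),
    (12500, BWD, "PROCEED-TO-SEND"), (12900, FWD, "KP2-XXXXXXX-ST"),
    (30000, BWD, "ANSWER"), (90000, LOCAL, "ON-HOOK"),
    (90100, FWD, "CLEAR FORWARD"), (90300, BWD, "RELEASE GUARD"),
]

if __name__ == "__main__":
    for name, trace in (("LEGIT", LEGIT), ("SUSPECT", SUSPECT)):
        print(name, audit(trace) or "clean")
```

The normal call clears only after CLEAR BACKWARD or a real on-hook, so it
produces no findings; the second trace is flagged at each of its three steps.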

And this brings me into interregister signalling.

Interregister Signalling
-----------------
You learned how to take control of a line (with Line Signalling), but
you still don't know how to do anything with that line.  That's where
Interregister signalling comes into play.  Interregister signalling is the
process of actually routing your call (telling it where to go).  The cool
thing is that you can make your call go ANYWHERE (theoretically),
give yourself a higher priority than a regular caller, and gain access to
numbers that you can't get to through the regular telephone network.

Here are a few terms you will need to know:

       KP1:  Indicates the beginning of a terminal (national) routing.

       KP2:  Indicates the beginning of a transit (international) routing.

        ST:  Indicates the end of a routing.

I'll start with terminal calls.

A terminal call is one that is inside of the national network that owns the
trunk line.  It's kind of like a local call, but fuck the regional boundaries.
The format for a typical terminal call is:

       KP1 - XXXXXXX -  ST

Pretty easy.  Just like R1. :)

Transit calls are formatted a little different because they obviously need
more information.  The format for a typical transit call is:

       KP2 - Country Code - Discriminating Digit - XXXXXXX - ST

       The Discriminating Digit specifies what kind of caller you are
       (or in some cases your language).

There are other routing formats, depending on what you want to do.  Here
are some examples, just so it'll all sink in.

* Note:
       F> = Forward direction  (You send it)
       R< = Backward direction (You hear it)

       All examples start after a call has been placed to a C5 Exchange
       in whatever country.

     Type of Call: Terminal, Automatic
   Number to call: 506-674-7575

       R< "Hello?"
       F> CLEAR FORWARD
       R< RELEASE GUARD
       F> SEIZE
       R< PROCEED-TO-SEND
       F> KP1-506-674-7575-ST


     Type of Call: Transit, Automatic
   Number to Call: 44-602-86125

       R< "Ci?"
       F> CLEAR FORWARD
       R< RELEASE GUARD
       F> SEIZE
       R< PROCEED-TO-SEND
       F> KP2-44-10-602-86125-ST


     Type of Call: Terminal, Semi-automatic
   Number to Call: English Code11(Inward) Operator

       R< "Snakes Crack House, Snake speaking."
       F> CLEAR FORWARD
       R< RELEASE GUARD
       F> SEIZE
       R< PROCEED-TO-SEND
       F> KP1-2-Code11-ST

There's enough there for you to work with.  Enj0y.  Other than a few
technical details, you should now know enough to get started on your own.
If you want more information, check out the references.  Check out the
next section if you want to avoid a lot of hassle.


Q & A session
-----------------
It would be really nice if everything were as easy as sending a never-changing
series of tones down a line.  In the real world things don't work quite as
easily.  The line signalling codes are VERY picky and need to be sent at
exactly the right time, with the proper delays in between signals.
This section will just run through a lot of common problems and their
solutions.

Q. Where can I get a blue box?

A. Go download Scavenger Dialer, By Scavenger
  ftp:  ftp.fc.net/phrack
       or
  Write your own
       or
  Build a hardware bluebox (The Jolly Box)


Q. How do I know if the number I'm calling goes through a C5 trunk?

A. Usually if you listen, you will hear weird beeps before the phone
  rings, when the person answers the phone, or after the called party
  hangs up.  These noises are actually signals being sent in the
  reverse direction.

Q. Why can't I just blast tones, and how do I find the freq's??

A. The breaking-freq's of Blue boxing are a lot like k0d3z to wAReZ k1dz.
  Trading is a good way to get them, but you can also scan them.  Typically
  the timings will be:

                  Clear Forward     |    Seize
       Length:       150ms          +    150ms
                                    |
        Delay:        10ms          |

  When scanning, just adjust your timings by about 10 ms.  The lengths
  of Clear Forward, Delay, and Seize are all variable.


Q. I'm positive I'm sending the right tones with the right freqs.
  Why isn't anything working?

A. Sound quality is a big issue too.  The tones are picked up by energy level,
  which means that they are volume sensitive.  Too much volume, too much
  energy.  Too little volume, not enough energy.   It wouldn't be a problem
  if you could send tones DIRECTLY to the incoming exchange,  but the call
  is really routed through 2 national networks (outgoing and incoming)
  over a potentially crappy multiplexed wire, and through a middle
  transit international exchange.  Sometimes the connections are so poor
  you just have to hang up (this is rare).  Remember that the countries
  you are calling are only set up this way because it's affordable.

  For instance- Iceland has mechanical switching equipment handling a certain
  Canada-Iceland trunk.  If you send signals quick enough,  you'll actually
  knock their equipment out of whack, and shut down the trunk until someone
  manually puts the thing back on track. :) Just an example of the kind of
  conditions you can expect.

  If you're playing the tones into a phone, make sure your phone has excellent
  reception (Northern Telecom's Harmonys are perfect), and use a small,
  high-quality earphone.

  If you pump the tones into the wire, make sure you get rid of any noise.


Q.  I hear the release guard, but I can't seize. What's wrong?

A.  You probably got your volume screwed, the timings wrong, or your
   tones aren't pure enough.


Q.  I only use Cellular.  Can I still box?

A.  It IS possible to box over a cell phone.  I've never done it myself, but
   I know someone who has gotten it to work (after considerable effort).


Q.  Why can't I call my pals back in the US?

A.  Routing is an interesting problem.  Not every trunk is allowed to route
   everywhere.  Sometimes you can only call certain countries, and sometimes
   you can't call any (other than terminal).  Some require a routing code,
   some don't.  If you can dial transit calls to a limited number of countries,
   start playing with multiple seizures.


Q.  What are multiple Seizures?

A.  You call one country, box to another, seize the new country, call
   another, etc... It's like finding a path through various countries
   to make it to your destination.


Q.  Damn AT&T.  Filtering my line.  I'm gonna sue, but until then, what?

A.  If your tones are being filtered by your telco, then add some noise.
   You'll need to find that small window that makes your tones valid enough
   to signal, yet bogus enough to pass the filters.   There are many
   methods of doing this.
       . Add side tones
       . Dont use
       . Constantly adjust your volume (to generate a warbling effect).


Q.  I have a big hack coming up, and I really DON'T want to get caught.
   How can I maximize my chances of success via the Blue box?

A.  The answer to that is politics. :)  Go through countries that are
   on not-so-friendly terms with each other.  If the "attacked" country
   can't find out where the call came from because the country that handled
   the call refuses to cooperate, what can they do?


Tables and Charts
-----------------
Here's all of the info you need.


      CCITT system 5 Line Signals
      Signal         Frequency(Hz)
     --------------+--------------
     Seizure                 2400 *
     Clear Forward    2600 + 2400 *
     Clear Backward          2600
     Proceed-to-Send         2600
     Release guard    2400 + 2600

       * Signals relevant to this
         file.  There are more
         signals, but you can look
         them up yourself if you're
         really interested.



       CCITT system 5 Interregister MF Signals
       Signal        Frequency(Hz)
       ------------+--------------
        KP1 (term)   1100 + 1700
        KP2 (trans)  1300 + 1700
        Digit 1       700 + 900
              2       700 + 1100
              3       900 + 1100
              4       700 + 1300
              5       900 + 1300
              6      1100 + 1300
              7       700 + 1500
              8       900 + 1500
              9      1100 + 1500
              0      1300 + 1500
        Code11        700 + 1700
        Code12        900 + 1700
        ST (end)     1500 + 1700



       List of Home Country Directs
       -------------------------------
       Australia Direct        800-682-2878
       Austria Direct          800-624-0043
       Belgium Direct          800-472-0032
       Belize Direct           800-235-1154
       Bermuda Direct          800-232-2067
       Brazil Direct           800-344-1055
       British VI Direct       800-248-6585
       Cayman Direct           800-852-3653
       Chile Direct            800-552-0056
       China Direct            800-532-4462
       Costa Rica Direct       800-252-5114
       Denmark Direct          800-762-0045
       El Salvador Direct      800-422-2425
       Finland Direct          800-232-0358
       France Direct           800-537-2623
       Germany Direct          800-292-0049
       Greece Direct           800-443-5527
       Guam Direct             800-367-4826
       HK Direct               800-992-2323
       Hungary Direct          800-352-9469
       Indonesia Direct        800-242-4757
       Ireland Direct          800-562-6262
       Italy Direct            800-543-7662
       Japan Direct            800-543-0051
       Korea Direct            800-822-8256
       Macau Direct            800-622-2821
       Malaysia Direct         800-772-7369
       Netherlands Direct      800-432-0031
       Norway Direct           800-292-0047
       New Zealand Direct      800-248-0064
       Portugal Direct         800-822-2776
       Panama Direct           800-872-6106
       Philippines Direct      800-336-7445
       Singapore Direct        800-822-6588
       Spain Direct            800-247-7246
       Sweden Direct           800-345-0046
       Taiwan Direct           800-626-0979
       Thailand Direct         800-342-0066
       Turkey Direct           800-828-2646
       UK Direct               800-445-5667
       Uruguay Direct          800-245-8411
       Yugoslavia Direct       800-367-9841 / 9842

       * Thanks to the Phone Company for bringing
         us this file



Conclusion
------------
I hope I've answered some of the more common questions relating to signalling.
My intent was to provide an introduction to signalling. If you found this
file useful, please pass it along.  If you think it sucks, write a better
one.

-LineMan

Greets go out to:

    All 9X members -- W3rD up!
    Cartel Members -- R0q 0n, b-ware the Delta
         Scavenger -- You have the best dialer in t0wn.
         Substance -- Ewe n33d some hash.
                SL -- Good luck...
            Sl0ppy -- ph3aR the GPk ph0Rc3z
              QwiK -- Yo. B??36, <letorp>
             Virus -- I got a job :)
           Bspline -- Hi
        TelcoNigga -- Wassup
   The Kansas Crew -- Y0, I will visit!@#
        BlackHeart -- Get a k0mpUd3r.
           WildMan -- Java!@

     "He who claims to know everything, knows the least of
    all; for he is not aware of that which he does not know."