💾 Archived View for gemini.spam.works › mirrors › textfiles › phreak › BLUEBOXING › bethome1.phk captured on 2022-07-17 at 10:30:19.
⬅️ Previous capture (2022-06-12)
-=-=-=-=-=-=-
The Mark Tabas encounter series presents:-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Better Homes and Blue Boxing Part I Theory of Operation=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- To quote Karl Marx, blue boxing hasalways been the mst oble form ofphreaking. As opposed to such thingsas using an MCI code to make a freefone call, which is merely mindlesspseudo-phreaking, blue boxing isactual interaction with the BellSystem toll network. It is likewiseadvisable to be more cautious whenblue boxing, but the careful phreakwill not be caught, regardless of whattype of switching system he is under. In this part, I will explain how andwhy blue boxing works, as well aswhere. In later parts, I will givemore practical information for blueboxing and routing information. To begin with, blue boxing is simplycommunicating with trunks. Trunks mustnot be confused with subscriber lines(or "customer loops") which arestandard telefone lines. Trunks arethose lines that connect centraloffices. Now, when trunks are not inuse (i.e., idle or "on-hook" state)they have 2600Hz applied to them. Ifthey are two-way trunks, there is2600Hz in both directions. When atrunk IS in use (busy or "off-hook"state"), the 2600Hz is removed fromthe side that is off-hook. The 2600Hzis therefore known as a supervisorysignal, because it indicates thestatus of a trunk; on hook (tone) oroff-hook (no tone). Note also that2600Hz denoted SF (single frequency)signalling and is "in-band." This isvery important. "In-band" means thatis is within the band of frequenciesthat may be transmitted over normaltelefone lines. Other SF signals, suchas 3700Hz are used also. However, theycannot be carried over the telefonenetwork normally (they are "out-of-band") and are therefore not able tobe taken advantage of as 2600Hz is. Back to trunks. Let's take ahypothetical phone call. You pick upyour fone and dial 1+806-258-1234(your good friend in Armarillo,Texas). For ease, we'll assume thatyou are on #5 Crossbar switching andnot in the 806 area. Your centraloffice (CO) would recognize that806 is a foreign NPA, so it wouldroute the call to the toll centrethat serves you. [For the sake ofaccuracy here, and for the moreexperienced readers, note that theCO in question is a class 5 withLAMA that uses out-of-band SFsupervisory signalling]. Dependingon where you are in the country, thecall would leave your toll centre(on more trunks) to another tollcentre, or office of higher "rank".Then it would be routed to centraloffice 806-258 eventually and thecall would be completed. Illustration:A---CO1-------TC1------TC2----CO2----BA=you CO1=your central officeTC1=your toll office. TC2=toll office in Amarillo.CO2=806-258 central office. B=your friend (806-258-1234) In this situation it would berealistic to say that CO2 uses SFin-band (2600Hz) signalling, whileall the others use out-of-bandsignalling (3700Hz). If you don'tunderstand this, don't worry too much.I am pointing this out merely for thesake of accuracy. The point is thatwhile you are connected to 806-258-1234, all those trunks from YOURcentral office (CO1) to the 806-258central office (CO2) do *NOT* have2600Hz on them, indicating to theBell equipment that a call is inprogress and the trunks are in use. Now let's say you're tired oftalking to your friend in Amarillo(806-258-1234) so you send a 2600Hzdown the line. This tone travels downthe line to your friend's centraloffice (CO2) where it is detected.However, that CO thinks that the2600Hz is originating from Bellequipment, indicating to it thatyou've hung up, and thus the trunksare once again idle (with 2600Hzpresent on them). But actually, youhave not hung up, you have fooled theequipment at your friend's CO intothinking you have. Thus,it disconnectshim and resets the equipment toprepare for the next call. All thishappens very quickly (300-800ms forstep-by-step equipment and 150-400ms for other equipment). When you stop sending 2600Hz (afterabout a second), the equipment thinksthat another call is coming towardsit (e.g. it thinks the far end hascome "off-hook" since the tone hasstopped. It could be thought of as atoggle switch: tone --> on hook, notone -->off hook. Now that you'vestopped sending 2600Hz, several thingshappen:1) A trunk is seized.2) A "wink" is sent to the CALLING endfrom the CALLED end indicating thatthe CALLED end (trunk) is not ready toreceive digits yet.3) A register is found and attachedto the CALLED end of the trunk withinabout two seconds (max).4) A start-dial signal is sent to theCALLING end from the CALLED endindicating that the CALLED end isready to receive digits.Now, all of this is pretty muchtransparent to the blue boxer. All hereally hears when these four thingshappen is a <beep><kerchunk>. So,seizure of a trunk would go somethinglike this: 1> Send a 2600Hz 2> Terminate 2600Hz after 1-2 secs. 3> [beep][kerchunk] Once this happens, you are connectedto a tandem that is ready to obey yourevery command. The next step is tosend signalling information in orderto place your call. For this you mustsimulate the signalling used byoperators and automatic toll-dialingequipment for use on trunks. Thereare mainly two systems, DP and MF.However, DP went out with the dinosaur, so I'll only discuss MF signalling.MF (multi-frequency) signalling is thesignalling used by the majority of theinter- and intra-lata network. It isalso used in international dialingknown as the CCITT no.5 system. MF signalling consists of 7 frequen-cies, beginning with 700Hz andseparated by 200Hz. A different set oftwo of the 7 frequencies represent thedigits 0 thru 9, plus an additional 5special keys. The frequencies and usesare as follows:Frequencies (Hz) Domestic Int'l-------------------------------------- 700+900 1 1 700+1100 2 2 900+1100 3 3 700+1300 4 4 900+1300 5 51100+1300 6 6 700+1500 7 7 900+1500 8 81100+1500 9 91300+1500 0 0 700+1700 ST3p Code 11 900+1700 STp Code 121100+1700 KP KP11300+1700 ST2p KP21500+1700 ST ST The timing of all the MF signals isa nominal 60ms, except for KP, whichshould have a duration of 100ms. Thereshould also be a 60ms silent periodbetween digits. This is very flexible,however, and most Bell equipment willaccept outrageous timings. In addition to the standard useslisted above, MF pulsing also hasexpanded usages known as "expandedinband signalling" that include suchthings as coin collect, coin return,ringback, operator attached, andoperator released. KP2, code 11, andcode 12 and the ST_ps (STart "primes")all have special uses which will bementioned only briefly here. To complete a call using a blue box,once seizure of a trunk has beenaccomplished by sending 2600Hz andpausing for the <beep><kerchunk>, onemust first send a KP. This readies theregister for the digits that follow.For a standard domestic call, the KPwould be followed by either 7 digits(if the call were in the same NPA asthe seized trunk) or 10 digits (if thecall were not in the same NPA as theseized trunk). [Exactly like dialing anormal fone call]. Following eitherthe KP and 7 or 10 digits, a STart issent to signify that no more digitsfollow. Example of a complete call: 1> Dial 1-806-258-1234 2> wait for a call-progress indication (such as ring, busy, recording, etc.) 3> Send 2600Hz for about 1 second. 4> Wait for about 2 seconds while a trunk is seized. 5> Send KP+305+994+9966+ST The call will then connect if every-thing was done properly. Note that ifa call to an 806 number were beingplaced in the same situation, the areacode would be omitted and only KP+seven digits+ST would be sent. Code 11 and code 12 are used ininternational calling to requestcertain types of operators. KP2 isused in international calling to routea call other than by way of the normalroute, whether for economic or equipment reasons. STp, ST2p, and ST3p (prime, twoprime, and three prime) are used inTSPS signalling to indicate callingtype of call (such as coin-directdialed). This has been Part I of BetterHomes and Blue Boxing. I hope youenjoyed and learned from it. If youhave any questions, comments, threatsor insults, please fell free to dropme a line. If you have noticed anyerrors in this text (yes, it doeshappen), please let me know andperhaps a correction will be in order.Part II will deal mainly with moreadvanced principles of blue boxing,as well as routings and operators. Note 1: other highly trunkableareas include: 816,305,813,609,205.I personally have excellent luckboxing off of 609-953-0000. Try thatif you have any trouble. ......................................(c) January 7, 1985 Mark Tabas......................................$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$ ---------------------- : Written for: : : : : K.A.O.S. : : : : at : : : : 215-465-3593 : : : ------------------------------------------------------------ ---------------------------------------Downloaded from P-80 Syetems....