💾 Archived View for gemini.spam.works › mirrors › textfiles › phreak › PHREAKING › phk90s.txt captured on 2022-07-17 at 11:07:52.

View Raw

More Information

⬅️ Previous capture (2022-06-12)

-=-=-=-=-=-=-

     
     Hitchhikers guide to the phone system.. Phreaking in the nineties
                               (By Billsf)


                                Introduction
                                ------------


  In this article I will try to introduce you to the most complex machine on
earth: the phone system. It's a guide to having fun with the technology, and
I hope it will help you on your travels through the network. It is by no 
means a definitive manual: If you really want to get into this, there are lots
of additional things you must learn and read.
  This article assumes you know a little bit about the history of phreaking.
It is meant as an update for the sometimes very outdated documents that can
be downloaded from BBS's. In here I'll tell you which of the old tricks might
still work today, and what new tricks you may discover as you become a phone
phreak.
  As you learn to phreak you will (hopefully) find ways to make calls that 
you could not make in any other way. Calls to test numbers that you cannot
reach from normal network, calls to ships (unaffordable otherwise), and much
more. As you tell others about the hidden world you have discovered, you will
run into people who have been brainwashed into thinking that all exploration
into the inner workings of the phone system is theft or fraud. Convincing 
these people of your right to explore is probably a waste of time, and does
not advance your technical knowledge.
  Phreaking is like magic in more than one way. Those people who are really
good share their tricks with each other, but usually don't give out these
tricks to anyone walking by. This will be somewhat annoying at first, but
once you're really good you'll understand that it's very unpleasant if the
trick you just discovered is wasted the very next day. I could tell you at
least twenty new tricks in this article but I prefer to teach you how to find
your own.
  Having said this, the best way to get into phreaking is to hook up with 
other phreaks. Unlike any other sub-culture, phreaks are not bound by any
geographical restrictions. You can find other phreaks by looking for 
hacker/phreak BBS's in your region. Having made contact there you may en-
counter these same people in teleconferences that are regularly set up. These
conferences usually have people from all over the planet. Most phreaks from
other contries outside the United States speak Englisch, so language is not
as much of a barrier as you might think.
  If you live in a currently repressed area, such as the United States, you
should beware that even the things that you consider "harmless exploring"
could get you into lots of trouble (confiscation of computer, fines, probation
jail, loss of job, etc.). Use your own judgement and find your protection.


                             Getting Started
                             ---------------

  The human voice contains components as low as 70Hz, and as high as 8000Hz.
Most energy however is between 700 and 900Hz. If you cut off the part under
200 and above 3000, all useful information is still there. This is exactly
what phone companies do on long distance circuits.
  If you think all you have to do is blow 2600Hz and use a set of twelve MF
combinations, you have a lot of catching up to do. One of the first multi-
frequency systems was R1 with 2600Hz as the line signalling frequency, but for
obvious reasons it is rarely used anymore, except for some very small remote
communities. In this case its use is restricted, meaning it will not give you
access to all the world in most cases.
  To begin with, all experimenting starts at home. As you use your phone, 
take careful note as what it does on a variety of calls. Do you hear "dialing"
in the background of certain calls as they are set up? Do you hear any high
pitched beeps while a call is setting up, as it's answered or at hangup of
the called party?
  Can you make your CO fial to complete a call either by playing with the
switchhook or dialing strange numbers? If you are in the United States, did
you ever do something that will produce a recording:"We're sorry, your call
did not go through..." after about 15 seconds of nothing?
  If you can do the last item, you are "in" for sure! Any beeps on answer or
hang-up of the called party also means a sure way in. Hearing the actual MF
tones produced by the telco may also be your way in. While it would be nice
to find this behavior on a toll-free circuit, you may consider using a 
national toll circuit to get an overseas call or even a local circuit for a
bigger discount. Every phone in the world has a way in. All you have to do
is find one!
  

                           An overview of Systems
                           ----------------------

  First we must start with numbering plans. The world is divided up into
eight separate zones. Zone 1 is the United States, Canada and some Caribbean
nations having NPA 809. Zone 2 is Africa. Greenland (299) and Faroe Islands
(298) do not like their Zone 2 assignment, but Zones 3 and 4 (Europe) are
all taken up. Since the DDR is now unified with BRD (Germany) the code 37 is
up for grabs and will probably be subdivided into ten new country codes to
allow the new nations of Europe, including the Baltics, to have their own
codes. Greenland and the Faroe Islands should each get a 37x country code.
Zone 5 is Latin America, including Mexico (52) and Cuba (53). Zone 6 is the 
south Pacific and includes Australia (61), New Zealand (64) and Malaysia (60).
Zone 7 is now called CIS (formerly the Soviet Union), but may become a third
European Code. Zone 8 is Asia and includes Japan (81), Korea (82), Vietnam
(84), China (86), and many others. Zone 9 is the sub-continent of India (91)
and surrounding regions. A special sub-zone is 87, which is the maritime
satellite service (Inmarsat). Country code 99 is reserved as a test code for
international and national purposes and may contain many interesting numbers.
  In zone 1, a ten digit number follows with a fixed format, severely limiting
the total number of phones. NPA's like 310 and 510 attest to that. The new
plan (beginning in 1995) will allow the middle digit to be other than 1 or 0,
allowing up to five times more phones. This is predicted to last into the
21st century. After that Zone 1 must move to the fully extensible system used
in the rest of the world.
  The "rest of the world" uses a system where "0" precedes the area code for
numbers dialed within the country code. France and Denmark are notable ex-
ceptions, where there are no area codes or just one as in France (1 for Paris
and just eight digits for the rest). This system has proven to be a total
mess - worse than the Zone 1 plan!
  In the usual numbering system, the area code can be of any length, but at 
this time between one and five digits are used. The phone number can be any
length too, the only requirement being that the whole number, including the
country code but not the zero before the area code, must not exceed fourteen
digits. Second dialtones are used in some systems to tell customers they are 
connected to the area they are calling and are to proceed with the number.
With step-by-step, you would literally connect to the distant city and then
actually signal it with your pulses. Today, if second dialtones are used it's
only because they were used in the past. They have no meaning today, much
like the second dialtones in the custom calling features common in the United
States. The advantages of the above "linked" system is that it allows ex-
pansion where needed without affecting other numbers. Very small villages may
only have a three digit number while big cities may have eight digit numbers.
Variations of this basic theme are common. In Germany, a large company in 
Hamburg may have a basic five digit number for the reception and eight digit
numbers for the employee extensions. In another case in this same town, 
analog lines have seven digits and ISDN lines have eight digits. In many
places it common to have different length numbers coming to the same place.
As confusing as it sounds, it really is easier to deal with than the fixed
number plan!

                           
                      International Signalling Systems
                      --------------------------------

  CCITT number four (C4) is an early system that linked Europe together and
connected to other systems for overseas calls. C4 uses two tones: 2040 and
2400. Both are played together for 150mS (P) to get the attention of the
distant end, followed by a "long" (XX or YY = 350mS) or a "short" (X or Y =
100mS) of either 2040 (x or X) or 2400 (y or Y) to indicate status of the
call buildup. Address data (x=1 or y=0, 35 ms) is sent in bursts of four bits
as hex digits, allowing 16 different codes. One hundred milliseconds of 
silence was placed between each digit in automatic working. Each digit there-
fore took 240mS to send. This silence interval was non-critical and often had
no timeout, allowing for manual working. C4 is no longer in wide use, but it
was, due to its extreme simplicity a phreak favorite.
  CCITT number five (C5) is still the world's number one overseas signalling
method; over 80 percent of all overseas trunks use it. The "plieks" and tones
on Pink Floyd's "The Wall" are C5, but the producer edited it, revealing an
incomplete number with the old code for Londen. He also botched the cadance
of the address signalling very badly, yet it really sounds OK to the ear as
perhaps the only example most Americans have of what an overseas call sounds
like!
  In actual overseas working, one-half second of 2400 and 2600Hz, compound,
is sent (clear forward) followed by just the 2400Hz (seize), which readies
the trunk for the address signalling. All address signals are preceded with
KP1 (code 13) for terminal traffic, plus a discriminating digit for the class
of call and the number. The last digit is ST (code 15) to tell the system
signalling is over. For international transit working, KP2 (code 14) is used
to tell the system a country code follows, after which the procedure is 
identical to the terminal procedure.
  CCITT six and seven (C6 and C7) are not directly accessible from the
customer's line, yet many "inband" systems interface to both of thes. C6 is
also called Common Channel Interoffice Signalling (CCIS) and as its name
implies, a dedicated line carries all the setup information for a group of
trunks. Modems (usually 1200 Bps) are used at each end of the circuit. CCIS
is cheaper, and as an added benefit, killed all the child's play blue boxing
that was common in the states in the 60's and early 70's. In the early 80's
fiber and other digital transmission became commonplace, and a new signalling
standard was required. C7 places all line, address, and result (backward)
signalling on a Time Division Multiplexed Circuit (TDM and TDMC) along with
everything else like data and voice. All ISDN systems require the use of SS7
to communicate on all levels from local to worldwide.
  The ITU/CCITT has developed a signalling system for very wide and general
use. One called "The European System", R2 has become a very widespread inter-
national system used on all continents. R2 is the most versatile end-to-end
system ever developed. It is a two-way system like C7 and comes in two forms,
analog and digital, both fully compatible with each other. R2 has completely
replaced C4, with the possible exception of a few very remote areas where it
works into R2 using using registers. Two groups of fifteen, two of six MF
tones are used for each direction, the high frequency group forward and the
low group backward. Line signalling can be digital with two channels or out-
of-band at 3825Hz, DC, or in cases of limited bandwidth on trunks, can use the
C4 line signals, just the 2040 + 2400Hz or 3000Hz or even backward signals
sent in a forward direction. The signals can be digitally quantised using the
A-law or u-law codec standards, resulting in compatible signals for analog
lines. In international working, only a small part of the standard is man-
datory with a massive number of options available. For national working, an
ample number of MF combinations are "reserved for national use", providing
an expandable system with virtually limitless capabilities. R2 is the "system
of the nineties" and mastering this, for the first time, allows the phone
phreak "to hold the whole world in his hands" in a manner that the person who
coined this phrase could have only dreamed of in the early seventies!
  With the exception of bilateral agreements between neighboring countries to
make each other's national systems compatible, especially in border regions,
all international systems in use are: C5, C6, C7, and R2. R2 is limited to a
single numbering region by policy and must use one of the three remaining 
systems for overseas working. There are few technical limitations to prevent
R2 from working with satellites, TASI, or other analog/digital underseas 
cables. The spec is flexible enough to allow overseas working, but is not 
done at the present time. R2 is likely to displace C5 on the remaining analog
trunks in the near future.

DTMF is on a 4x4 matrix, one tone from a row and one from a column.
  1=697+1209, etc.

            1209       1336      1477     1633
    697       1          2         3        A
    770       4          5         6        B
    852       7          8         9        C
    941       *          0         #        D

MF signalling, often used to signal between pionts, uses a 2 of 6 matrix.
Each tone has a weighting which adds up to an unique number. The three
standard sets of tones use this system.

       Digit                Weighting
         1                    0+1
         2                    0+2
         3                    1+2
         4                    0+4
         5                    1+4
         6                    2+4
         7                    0+7
         8                    1+7
         9                    2+7
         0 (Code 10)          4+7
         11 (Code 11)         0+12
         12 (Code 12)         1+12
         KP1 (Code 13)        2+12
         KP2 (Code 14)        3+12
         ST (Code 15)         7+12

For C5, either KP is 100mS and each digit lasts 50mS. A 50mS off time is used
between each digit. For older R1 systems, the KP is 100mS and each digit is
68mS on and 68mS off. Modern systems are C5 compatible and use the C5 timing.
In North America, an additional 50 or 68mS pause is inserted before the last
digit.
Example: KP18(pause)2ST.....KP03120600148(pause)0ST. This pattern was added
about 15 years ago and appears to be unnecessary, except to give an audible
indication of false (blue box) signalling. Its is is HIGHLY recommended for
phreaks where it is normally used by the telco! R2 is a COMPELLED system
where reception of the forward signal produces a backward signal, which at
its reception, stops the forward signal. The stopping of the forward signal
stops the backward signal, and when the stopping of the backward signal is
detected, a new forward signal is generated. This goes back and forth until
all the information is transmitted. The backward signal (usually "1", send
next digit) tells the sendig end what to send next. See the CCITT Red Book
or Welch for complete information on both systems.

   Weight        MFC       R2 forward      R2 Backward
     0           700         1380             1140
     1           900         1500             1020
     2           1100        1620             900
     4           1300        1740             780
     7           1500        1860             660
     12          1700        1980             540

C4 is the old European signalling system. The address signals have 35mS pause
between each beep and 100mS pause (minimum) between each digit. Minimum time
to send a digit (including pause) is 345mS. This system is limited use today,
if at all.

   x:     2040                35mS (binary "1")
   y:     2400                35mS (binary "0")
   X:     2040                100mS
   Y:     2400                100mS
   XX:    2040                350mS
   YY:    2400                350mS
   P:     2040+2400           150mS

   Clear Forward:     PXX
   Transit Seizure:   PX
   Forward Transfer:  PYY
   Terminal Seizure:  PY
   1:  yyyx
   2:  yyxy
   3:  yyxx
   ...
   14: xxxy
   15: xxxx
   16: yyyy


   Place                     Event       Freq             Cadance
   =========================================================================
   N. America                dialtone    350+440          Continuous
                             ring        440+480          2s on 4s off
                             busy        480+620          0.5s on 0.5s off
                             fast busy   480+620          0.25 on 0.25 off
   England                   ring        450+500          0.25 on 0.5 off
   (Australia,New Zealand,                                0.25 on 2.0 off
   etc.)                                                  
   Japan                     ring        450+500          1.0 on 2.0 off
   Holland                   dialtone    150+450          Continuous
                                         (450 at -8dB)    
   most of world             all         400 or 440       (See text)
                             SIT         950, 1400, 1800  (See text)


  Most of the world's phone systems use only one low pitched tone to represent
all calling status. The most common tones in use are 400Hz, 440Hz and 450Hz.
In some cases the tones are modulated, usually AM, at 25 or 50Hz at variable
depths. In some old switches, the ring modulates the tone, or it is just the
harmonics of the ring frequency, which is usually 25Hz, but can be other 
frequencies, producing the "fart ring". Cadances for the busy are either the
fast at 0.25 on and 0.25 off, or the slow at 0.5 on and 0.5 off. Ring signals
are usually on one second and off for two, but can vary. In Iraq, the ring is
continuous! The SIT (Subscriber Information Tone) is 950 then 1400 and then
1800Hz. The total length is about one second. The lengths of the individual
tones are sometimes variable to impart different meanings for automatic 
detection.


                        National Signalling Systems
                        ---------------------------

  CCITT 1, 2 and 3 are early international standards for signalling the 
distant end. C1 is just a 500Hz line signalling tone, and was used to alert
the operator at a distant switchboard that there was traffic and no DC path,
due to amplifiers or repeaters on a relatively long circuit. C1 has only one
line signalling function (forward transfer) and no address signalling. It is
probably used nowhere.
  CCITT 2 was the first international standard that used address signalling,
allowing automatic completion of calls. Two frequencies, 600Hz and 750Hz,
were used for line signalling and by pulsing between the two frequencies,
representing make and break, of the loop current at the distant end during
signalling, calls were automatically pulse dialable. You may actually find
this system in limited use in very remote parts of Australia or South Africa.
Fairly high signalling levels are required and may very well make customer
signalling impossible, unless you are right there. Travel to both the above
countries should be fascinating however for both phone play and cultural
experience!
  CCITT 3 is an improved pulse system. Onhook is represented by the presence
of 2280Hz and offhook by the absence of 2280Hz. This exact system is still
used in a surprising number of places. Pulse-dial PBX's often use C3 to signal
distant branches of a company over leased lines. Signalling for this system
is generally at a much lower level than C2: The tones will propagate over any
phone line.
  A system from the early 50's is called R1. Many people remember R1 as the 
Blue boxes of the 60's and 70's . R1 is still in wide use in the United
States, Canada and Japan. The use of 2600Hz for line signalling is quite rare
in the 90's, but can be found in all of the above countries. Address signal-
ling uses the MFC standard which is a combination of two of six tones
between 700Hz and 1700Hz as in CCITT 5. Alsmost all R1 used either "out of
band" signalling at 3825Hz or 3350Hz or some form of digital or DC line
signalling. To use this system from home one must find an indirect method of
using the "out of band" signalling. In North America, most signalling from
your central office to your long distance carrier is R1, as is most OSPS/
TSPS/TOPS operator traffic.
  Pulse systems like CCITT 2 and 3 are still used in national systems. In
North America, the C3 standard using 2600Hz in place of 2280 for national
working was commonplace through the 70's and still has limited end-to-end use
today. "End-to-end" use refers to sending just the last few digits (usually
five) to complete the call at the distant end. The only use this may have to
the phreak would be to make several calls to a single locality on one quarter.
It may be possible that a certain code would drop you into an R1, but you 
just have to experiment! This type of system is referred to as 1VF, meaning
"one Voice Frequency". The other standard frequency, for use outside North 
America, is 2400Hz. A national system using two voice frequencies (2VF) may
still be used in remote areas of Sweden and Norway. The two frequencies are
2400Hz and 2600Hz. Playing these two systems in Europe predates the cracking
of the R1 and C5 systems in the late 50's and early 60's respectively. The
first phone phreak was probably in Sweden.
  Common Channel Interoffice Signalling (CCIS) is CCITT 6 developed for
national use and employing features that are of interest to national admini-
strations. R1 often plays into a gateway being converted to CCIS and CCIS
will play into a gateway that converts to C5, C6 or C7 for international 
working. The bulk of the ATT net is CCIS in North America, while R1 is often
used by your CO talk to it and the lessel networks. CCITT 7 is the digital
system and is the same nationally as internationally. C7 allows the greatest
efficiency of all systems and will in time be the world system. C7 has much
more speed and versatility than R2, but is a digital only system. All fiber
optic systems employ SS7 (C7).
  No discussion of systems is complete without mentioning Socotel. Socotel is
a general system developed by the French. It is a hodgepodge of many systems,
using MFC, pulse tone, pulse AC and pulse DC system. Most (all?) line 
signalling tones can be used. An inband system can use 2500Hz as a clear
forward and 1700 or 1900Hz for seize or, in Socotel terms, "confirm". Most
line signalling today is "out of band", but unlike normal outband signalling,
it is below band: DC, 50Hz or 100Hz. It is a "brute force" system using 100V
levels, insuring no customer has a chance of getting it directly! Call setup
on the AC systems often has a very characteristic sound of of short bursts of
50Hz or 100Hz buzz, followed by the characteristic French series of 500 Hz
beeps to alert the customer that the call has been received from the Socotel
by the end office and is now being (pulse) dialed. Calls often don't make it
through all the gateways of a Socotel system, sometimes giving the French
phreak a surprise access where it stuck!
  On a national level there are even more systems and some are very bizarre.
Some use backward R2 tones in the forward direction for line signalling, 
giving analog lines the versatility of digital line signalling. There have
been some interlocal trunks that actually used DTMF in place of MF! The
"Silicon Valley" was once served by DTMF trunks for instance. When I visited
my local toll office and was told this and pressed for an answer as to why,
I was told "We had extra (expensive then) DTMF receivers and used them!" As
a phreak, be ready for anything as you travel the world.


                              Stuff to read
                              -------------

  Signalling in Telecommunications Networks, S. Welch, 1979
    ISBN 0 906048 044
  The Institution of Electrical Engineers, Londen & New York
  CCITT Red Book, Blue Book, Green Book and whatever other colors of books
  they have, Concentrate on the Q norms.
  Telecommunications Engineering, Roger L. Freeman


- EOF -