💾 Archived View for gemini.spam.works › mirrors › textfiles › phreak › SWITCHES › ccittug1.txt captured on 2022-07-17 at 11:12:05.
-=-=-=-=-=-=-
HANNOVER, UNITED GERMANY! [09-28-92!]

---------------------------------------
CCITT UNDERGROUND INFORMATIONS
ISSUE-NO: 1.00
---------------------------------------
THIS TEXT CONTAINS INFORMATIONS ABOUT :
------------->>> CCITT <<<-------------
---------------------------------------
---------------> MENU! <---------------
---------------------------------------
FIRST WORDS
INFORMATIONS
WHAT CAN I DO WITH A BLUEBOX ?
EXPLAIN OTHER PHONESYSTEMS
CCITT: HOW YOU MUST DIAL
WHICH COUNTRIES CAN BLUEBOX ?
HOW SAFE IS BLUEBOXING
LIST OF INTERNATIONAL PHONESYSTEMS
GERMAN TOLLFREE NUMBERS
STORY, HOW I HEARD ABOUT BLUEBOXING
ABOUT ME (GURU JOSH!)
TIME FOR GREETINGS
HOW TO GET IN TOUCH WITH ME

----> NOW, FOLLOW TEXTFILES WRITTEN BY SOME DIFFERENT PERSONS...

1.) BETTER HOMES AND BLUEBOXING
    - part: 1 - THEORY OF OPERATION
    - part: 2 - PRACTICAL APPLICATIONS
    - part: 3 - ADV. SIGNALING
2.) HOW TO BLUEBOX INTO RUSSIA
3.) THE MYTH OF THE 2600HZ DETECTOR
4.) EUROTEXT: 1 FILE 1 & 2
(W) BY MARK TABAS

---------------------------------------
- FIRST WORDS -
---------------------------------------
WHY, I WRITE ANOTHER TEXTFILE ABOUT THE CCITT NORM (SPECIAL LINE SIGNALING!) ?! THAT'S SIMPLE BCOZ. I PLAN TO QUIT THE SCENE, SINCE THE COPS CAUGHT ME, LAST MONTH! BUT I DON'T LIKE TO QUIT WITHOUT ANSWERING ALL THE QUESTIONS ASKED BY SOME USERS OF MY OLD BBS...

ONLY FOR INFORMATION: THE BBS IS CLOSED. I RUN NOW A UNIX-SYSTEM WHICH IS PUBLIC.

---------------------------------------
- INFORMATIONS -
---------------------------------------
I'LL NOT WRITE ANYTHING NON IMPORTANT.. IF YOU DON'T KNOW HOW BLUEBOXING WORKS, READ EVERYTHING IN THIS TEXTFILE... I WILL EXPLAIN HOW IT WORKS, AND WHAT'S POSSIBLE WITH YOUR BLUEBOX.

---------------------------------------
- WHAT CAN I DO WITH A BLUEBOX ? -
---------------------------------------
WELL, YOU CAN REACH NEARLY ALL NUMBERS WORLDWIDE! - YOU ALSO REACH UNLISTED NUMBERS FROM ANY COUNTRY AND YOU CAN DIAL WITH PRIORITY STATUS (FUNNY EHH!)
YOU'LL KNOW: HOW TO DO THAT ? REALLY SIMPLE, I'LL TRY TO EXPLAIN HOW IT WORKS - STEP BY STEP!

IF YOU THINK ABOUT USING OPERATORS READ ALL THE NICE TEXTFILES ABOUT OPERATORS CAREFUL... BUT USE'EM THEY'RE KEWL AND THEY CAN HELP YOU.. SOOOO MUCH!

---------------------------------------
- EXPLAIN PHONE-SYSTEMS -
---------------------------------------
CCITT 2
CCITT 3
CCITT 4
CCITT 5
CCITT SOCOTEL
CCITT 5 - R1
CCITT 5 - R2
SOME DIFFERENT DIALING FREQUENCIES

CCITT: -2-
----------
EG: USED IN SOUTH AFRICA
HANGUP:  600 HZ & 750 HZ, 2280 HZ
TIMING:  NO INFOS
DIALING: NO INFOS

THIS SYSTEM IS TOO OLD, AND ONLY USED IN A FEW AFRICAN AND SOUTH AMERICAN COUNTRIES... I GOT NO INFORMATIONS ABOUT ANYTHING, ONLY AN OLD MEMBER OF THE CHAOS COMPUTER CLUB IN GERMANY SUPPLIED US THE FREQUENCIES FOR THE HANGUP WITHOUT ANY TIMINGS (THANKS!)

CCITT: -3-
----------
EG: USED IN ITALY
HANGUP:    2280 HZ
PULSE:     35 MS +/- 5 MS
INTERVALS: 35 MS +/- 5 MS
DIAL FREQUENCIES: TRY THE INTERNATIONAL CCITT #-5-

CCITT: -4- (Q.121 & Q.115)
--------------------------
EG: USED IN ITALY & IRELAND ETC!
HANGUP: 2040 & 2040 HZ
FREQ1 (2040 HZ): 0
FREQ2 (2400 HZ): 1
PREFIX:        80 MS +/- 20 MS
SHORT SIGNAL:  40 MS +/- 10 MS
LONG- SIGNAL: 200 MS +/- 40 MS

DIGIT:     -PULSE-   SHORT INFO:
-1-        1-1-1-0   DIGIT #-1-
-2-        1-1-0-1   DIGIT #-2-
-3-        1-1-0-0   DIGIT #-3-
-4-        1-0-1-1   DIGIT #-4-
-5-        1-0-1-0   DIGIT #-5-
-6-        1-0-0-1   DIGIT #-6-
-7-        1-0-0-0   DIGIT #-7-
-8-        0-1-1-1   DIGIT #-8-
-9-        0-1-1-0   DIGIT #-9-
-0-        0-1-0-1   DIGIT #-0-
CODE 11    0-1-0-0   CALL OPERATOR
CODE 12    0-0-1-1   CALL OPERATOR
SP.C. I    0-0-1-0   SPACE CODE - SEE Q.104
IHES       0-0-0-1   INCOMING HALF ECHO SUPPRESSOR (REQUIRED!)
SP.C. II   1-1-1-1   SPACE CODE
E.O.P.     0-0-0-0   END OF PULSING

KP1             PX    LOCAL- CALL
KP2             PY    GLOBAL CALL
CLEAR FORWARD   PXX   \ BETTER READ
XFER- FORWARD   PYY   / - Q.121!

FF

FREQ1 (2040 HZ): 0
FREQ2 (2400 HZ): 1

PREFIX- SIGNAL:
---------------
P    150 MS +/- 30 MS (0 AND 1 COMPOUND!)

CONTROL SIGNAL:
---------------
X    100 MS +/- 20 MS (0 SHORT SINGLE SIGNAL!)
Y    100 MS +/- 20 MS (1 SHORT SINGLE SIGNAL!)
XX   350 MS +/- 70 MS (0 LONG- SINGLE SIGNAL!)
YY   350 MS +/- 70 MS (1 LONG- SINGLE SIGNAL!)

CCITT: -5-
----------
EG: USED IN USA, CAN, AUSTRALIA & JAPAN
HANGUP: 2600/2400 HZ
TIMING: 0-999 MS

DIGIT:
------
-1-        700 HZ +  900 HZ
-2-        700 HZ + 1100 HZ
-3-        900 HZ + 1100 HZ
-4-        700 HZ + 1300 HZ
-5-        900 HZ + 1300 HZ
-6-       1100 HZ + 1300 HZ
-7-        700 HZ + 1500 HZ
-8-        900 HZ + 1500 HZ
-9-       1100 HZ + 1500 HZ
-0-       1300 HZ + 1500 HZ
CODE 11    700 HZ + 1700 HZ
CODE 12    900 HZ + 1700 HZ
KP1       1100 HZ + 1700 HZ
KP2       1300 HZ + 1700 HZ
ST        1500 HZ + 1700 HZ

TIMING:
-------
NUMBER-- DIGITS: 0,1-9
  LENGTH:  55 MS +/-  7 MS
  DELAY :  55 MS +/-  7 MS
OPERATOR DIGITS: C.11/12
  LENGTH: 100 MS +/- 15 MS
  DELAY :  55 MS +/-  7 MS
CONTROL- DIGITS: KP1/2 & ST
  LENGTH: 100 MS +/- 15 MS
  DELAY :  55 MS +/-  7 MS

SOMETIMES YOU CAN/MUST USE SHORTER OR LONGER DIGITS AND THE "START PULSING (ST)" IS SOMETIMES ONLY: 25 +/- 15 MS (+/- 5 STEPS)

CCITT: -5- R1
-------------
EG: USED (LOCAL) IN CANADA & USA!
HANGUP: 2600/2600 HZ
TIMING: 0-999 MS

DIGIT:
------
-1-        700 HZ +  900 HZ
-2-        700 HZ + 1100 HZ
-3-        900 HZ + 1100 HZ
-4-        700 HZ + 1300 HZ
-5-        900 HZ + 1300 HZ
-6-       1100 HZ + 1300 HZ
-7-        700 HZ + 1500 HZ
-8-        900 HZ + 1500 HZ
-9-       1100 HZ + 1500 HZ
-0-       1300 HZ + 1500 HZ
CODE 11    700 HZ + 1700 HZ
CODE 12    900 HZ + 1700 HZ
KP1       1100 HZ + 1700 HZ
KP2       1300 HZ + 1700 HZ
ST        1500 HZ + 1700 HZ

TIMING:
-------
NUMBER-- DIGITS: 0,1-9
  LENGTH:  60 MS +/-  7 MS
  DELAY :  60 MS +/-  7 MS
OPERATOR DIGITS: C.11/12
  LENGTH: 100 MS +/- 15 MS
  DELAY :  60 MS +/-  7 MS
CONTROL- DIGITS: KP1/2 & ST
  LENGTH: 100 MS +/- 15 MS
  DELAY :  60 MS +/-  7 MS

CCITT: R2
---------
EG: USED IN HOLLAND, DENMARK & ROMANIA
HANGUP: 3825 HZ OR 3000 HZ
TIMING: 100-640 MS

DIGIT:
------
-1-       1380 HZ + 1500 HZ
-2-       1380 HZ + 1620 HZ
-3-       1500 HZ + 1620 HZ
-4-       1380 HZ + 1740 HZ
-5-       1980 HZ + 1740 HZ
-6-       1620 HZ + 1740 HZ
-7-       1380 HZ + 1860 HZ
-8-       1500 HZ + 1860 HZ
-9-       1620 HZ + 1860 HZ
-0-       1740 HZ + 1860 HZ
KP2E      1380 HZ + 1980 HZ   W/O- ECHO
KP2       1500 HZ + 1980 HZ   WITH ECHO
ST        1860 HZ + 1980 HZ

ALL INFOS GIVEN BY: TELECOM PLANNING [REF. 8] CCITT - NY

I DON'T KNOW, BUT I FOUND NONE INFORMATIONS ABOUT ANY "R2" TIMING AND I HAVEN'T TRIED ANYTHING RIGHT NOW, WITH "R2" ALSO SORRY... YOU CAN TRY THE TIMINGS WHICH ARE USED IN CCITT: -5- "R1".

TIMING:
-------
NUMBER-- DIGITS: 0,1-9
  LENGTH:  60 MS +/-  7 MS
  DELAY :  60 MS +/-  7 MS
CONTROL- DIGITS: KP1/2 & ST
  LENGTH: 100 MS +/- 15 MS
  DELAY :  60 MS +/-  7 MS

CCITT: SOCOTEL
--------------
EG: USED IN SPAIN (USED IN FRANCE!)
HANGUP:    3850 HZ
PULSE:     35 MS +/- 5 MS
INTERVALS: 35 MS +/- 5 MS
DIAL FREQUENCIES:

DIGIT:
------
-1-        700 HZ +  900 HZ
-2-        700 HZ + 1100 HZ
-3-        900 HZ + 1100 HZ
-4-        700 HZ + 1300 HZ
-5-        900 HZ + 1300 HZ
-6-       1100 HZ + 1300 HZ
-7-        700 HZ + 1500 HZ
-8-        900 HZ + 1500 HZ
-9-       1100 HZ + 1500 HZ
-0-       1300 HZ + 1500 HZ
CODE 11    700 HZ + 1700 HZ
CODE 12    900 HZ + 1700 HZ
KP1       1100 HZ + 1700 HZ
KP2       1300 HZ + 1700 HZ
ST        1500 HZ + 1700 HZ

TIMING:
-------
NUMBER-- DIGITS: 0,1-9
  LENGTH:  60 MS +/-  7 MS
  DELAY :  60 MS +/-  7 MS
OPERATOR DIGITS: C.11/12
  LENGTH: 100 MS +/- 15 MS
  DELAY :  60 MS +/-  7 MS
CONTROL- DIGITS: KP1/2 & ST
  LENGTH: 100 MS +/- 15 MS
  DELAY :  60 MS +/-  7 MS

---------------------------------------
- CCITT: HOW YOU MUST DIAL ? -
---------------------------------------
also, to dial your friend in the USA, Canada or any other american country you must type:

    t/a-0-202-456-1414-c

to reach a cool UNIX-SYSTEM or a friend in Europe, you must type:

    t/b-49-0-511-211-0635-c

If you don't like a busy-signal so you have to dial for america:

    t/a-2-703-121-c
          \--> this should be the area-code, in which you got the busy-signal !

    t/a-2-703-131-c
              /
             /--> this operator is for directory assistance....!

for more 1XX operators look in other available files for us-dudes.....

important: don't use an operator,
---------- if you don't know how to use him !

btw: we found no way to reach the
----> 115xx - operators in the USA!!
If you need directory assistance for another country worldwide, type:

    t/b-43-2-d-c   or   t/b-43-2-e-c

The lines above should give ya the directory assistance for Austria !

I don't, at the moment, know if you can do other things with the operators, but you can change the area code. (France (33) use a nice music for the hold position if all lines are busy!) and you can change the "2" between "0","1" to "9" sometimes you get other operators... and you can always switch between "d" and "e" (code 11/12) for operators

we're sure, you'll find some really funny operators, and if you find something out, leave us a message!

the number for "directory assistance" are normally the numbers dialed by the operators (in Germany: 0118 or 00118)

Don't forget you're another operator! Also, try to be really an operator, or you'll possibly get trouble....

btw: Please, send the frequencies
---> before or after the number you
---> dialed answer!
---> ----------------------------------
---> also before anything pick-up
---> the phone, or after that thing
---> dropped the phone...

---------------------------------------
- which countries can bluebox ? -
---------------------------------------
About the question above, normally all countries can use the bluebox but some got a device (against bboxing!) that mean you can't seize a trunk, or gettin caught after you seize a trunk with the correct frequencies...

---------------------------------------
- How Safe Is Blueboxing ? -
---------------------------------------
This should be the important question. How safe is blueboxing, really ?!?

Also, in countries with a new phone-system (with digital dialing!) like (for example) in the USA & since a few weeks ago in some cities in Switzerland (and some other countries) you're busted, faster than you can get a orgasm in own-work!

In countries with special devices, sometimes simple called: filter (like in spain and great britain!) you can't use a bluebox, bcoz. your frequence(s) to seize a trunk, are simple filtered by the devices...

Normally, you are safe while blueboxing, if you use a non-digital phone-system! For example: In most cities in United-Germany [West] !

But to be 100% sure, that you don't use digital lines, simply test everyday before you use the bluebox!, If you can dial with "frequence tones", also sometimes simple called: "touch-tones" bcoz. If you can dial with it, you are easy to bust for German-Telecom! or any other phone-company!

Also, be careful by using the bluebox or/and cards after you got a digital line - system...

---------------------------------------
- LIST OF INTERNATIONAL PHONE SYSTEMS -
---------------------------------------
CAN  -1-  R1/R2
USA  -1-  R1/R2
URS  -7-  ? /R1
EGY  -20  ?
AFS  -27  C2
GRC  -30  ?
HOL  -31  R2
BEL  -32  R2
-F-  -33  R2/SCTL
MCO  -33  R2/SCTL
-E-  -34  C5: HANGUP: 2500 HZ / 2400 HZ
HNG  -36  ?
-D-  -37  ?
YUG  -38  C3 (OR NONE HAHA!)
-I-  -39  C3/C4/C5
ROU  -40  R2
SUI  -41  C3/C4
TCH  -42  C3
AUT  -43  C3/C4
GB-  -44  C2/R2
DNK  -45  R2/C5: HANGUP: 3000 HZ
-S-  -46  R1: HANGUP: 2400 HZ
NOR  -47  R1: HANGUP: 2400 HZ
POL  -48  C3/R2
-D-  -49  IKZ 50
PRU  -51  R2
MEX  -52  ?
CUB  -53  R2
ARG  -54  R2
-B-  -55  R2
CHL  -56  R2
CLM  -57  ? (R2 ?)
VEN  -58  ? (R2 ?)
MLA  -60  ?
AUS  -61  C5/R1/R2
INS  -62  ?
PHL  -63  R2/R1
NZL  -64  C2
SNG  -65  ?
THA  -66  R2
JPN  -81  C5/R1/R2
KRE  -82  R2
VTN  -84  ?
VCH  -86  ?
TUR  -90  ?
IND  -91  C5: HANGUP: 2400 HZ
PAK  -92  ?
AFG  -93  ?
SLK  -94  ?
BRM  -95  R2
IRN  -98  ?
MRC  210  C3
MRC  211  C3
MRC  212  C3
ALG  213  ?
LBR  231  R2
GHA  233  R2
CME  237  R2
KEN  254  C4
TGK  255  R2
UGA  256  C4
BDI  257  R2
MOZ  258  C5: HANGUP: 2400 HZ
ZMB  260  R2
MDG  261  C3
POR  351  R2
LUX  352  R2
IRL  353  C4
CYP  357  R2
SUR  597  R2
FJI  679  R2
BGD  880  R2
JOR  962  R2
SYR  963  R2
IRQ  964  R2
OMA  968  R2
ISR  972  SCTL

---------------------------------------
GERMAN TOLLFREE NUMBERS - BY G-TELECOM!
---------------------------------------
CALLING VIA:     SIG.SYSTEM  GER.TOLLFREE
---------------------------------------
AUSTRALIA        -C5-        800061
BELGIUM                      800032
BRAZIL           -C5-        800055
CANADA           -C5-        0014
CZECHOSLOVAKIA               XXXXXX
CHILE            -C5-        800056
DENMARK                      800045
DOM.REPUBLIC                 XXXXXX
FINLAND                      800358
FRANCE           -C5-        800033
GREAT BRITAIN                800044
HONGKONG         -C5-        800852
HUNGARY                      800036
ICELAND          -C5-        800354
IRELAND                      800353
ITALY                        800039
JAPAN            -C5-        800081
KOREA            -C5-        800082
LUXEMBOURG                   800352
NETHERLAND                   800031
NEW ZEALAND      -C5-        800064
NORWAY                       800047
PORTUGAL                     800351
SAUDI ARABIA                 XXXXXX
SINGAPORE                    800065
SPAIN                        800034
SWEDEN                       800047
SWITZERLAND                  XXXXXX
TAIWAN (ROC)     -C5-        800886
THAILAND         -C5-        800066
TURKEY                       800090
USA (-AT&T-)     -C5-        0010
USA (-MCI!-)     -C5-        0012
USA (SPRINT)     -C5-        0013
---------------------------------------
THATS ALL MY FRIENDS, IF YOU NEED MORE INFORMATIONS TRY SOMETHING WITH THE KEWL "DIALER V2.8D BY UNLIMITED ACCESS" I THINK THATS THE BEST AROUND THE GLOBE

---------------------------------------
- Story, how I heard about BlueBoxing -
---------------------------------------
some months ago, a friend from spain called me in the evening and told me something about a working bluebox and he said: I call for free now....

after, I asked this dude, if he could explain: how does it works? he told me, "I use a program on a Atari-ST (haha) and I enter the number in a special format and when I complete the number, I must call a friend or another number here in Spain, and then I send some tones (frequencies) ! after that, I can call worldwide for free...."

This info was given by my friend: Paco in Spain (thanxx for it!) - I got this info in the last days of 1990 and I tried now, something to call here in Europe for free, bcoz. A few days after the call from my friend, the bluebox died in spain, and I lost the contact, but some days later another friend, now in Germany told me, that a friend from him, called any toll-free number, via satellite and he can call worldwide for free with a really good line...
Now, I knew 100 % it's possible to call for free around the globe, simple by using a few frequencies and so, I tried to find out, which frequencies are needed...

I visited some hacker's local in my city, and ask something about the phone-systems and I heard something about trunks, and beep / kerchunks but I knew nothing about it, only that it worked years ago in the USA! But I got no info, that it's possible to use in Europe too.

I talked also, with a friend of mine in belgium and he told me something about the phone-systems (thanxx!) I heard about CCITT Vx-5, R1-2 etc so I got more and more info and at the end of january, 1991! I heard in the line the first: beep, kerchunk! some days later, I heard: two beep/kerchunks, but I got no info on how to dial after you have seized a trunk ?

Then, I asked again some friends about how to dial in the international (operator) system (?) A guy in south of Germany! told me some weeks later something about dialing with a bluebox...

Today, I wrote already a bluebox for different countries on three computers.... - also, on amiga, Atari-ST and my best bluebox on the old commodore 64! - it works 100%! I must never dial two times the same number, to reach anybody... - and I can dial much faster than all the other blueboxes already published in the computer-scene!

At the moment I work on a portable bluebox including some other systems! And all needed frequencies to use the bluebox worldwide... Coming soon.....

--------------------------------------
HELL FIRE! - ABOUT ME - GURU JOSH!
--------------------------------------
I'M NOW 23 YEARS OLD, AND I WAS BORN IN THE NORTHERN PART OF GERMANY! I USE COMPUTERS SINCE 1983. I GOT FROM MY PARENTS A COMMODORE 64 AND L8ER AN AMIGA & PC.

NOW, I QUIT ALL SCENE ACTIVITIES AFTER I WAS CAUGHT FOR SOFTWARE PIRACY AND PHONE FRAUD.

I CAN ALSO PROGRAM IN 6502/10, 68K ASSEMBLER, GFA-BASIC, C AND UNIX! I WROTE ALSO ON C64 THE BEST AND WELL KNOWN BLUEBOX AND A GOOD ONE ON AMIGA TOO.
MY OLD BBS IS CLOSED, AND I RUN ALSO A UNIX SYSTEM (WITH ALOT OF KEWL H/P FILES ONLINE...!)

THAT'S ALL FOR NOW ABOUT MYSELF....

---------------------------------------
- TIME FOR GREETINGS -
---------------------------------------
AMOS KERON         [ISRAEL!]
ANDREAS / PP       [WEST GERMANY!]
BLACK GUARDIAN     [USA!]
BLACK KNIGHT       [USA!]
BUG                [NORWAY!]
CODEX              [WEST GERMANY!]
COOKIE             [PORTUGAL!]
DR. JONES          [PORTUGAL!]
DR. NO             [NORWAY!]
DRACO / PP         [WEST GERMANY!]
EXCALIBUR / PP     [WEST GERMANY!]
FASHION LIGHT      [ITALY!]
FLETCH             [BELGIUM!]
FRED               [WEST GERMANY!]
FRED / AMITECH     [WEST GERMANY!]
GADGET / PP        [WEST GERMANY!]
GIZMO / PP         [WEST GERMANY!]
GRAHAM TWO / PP    [WEST GERMANY!]
JOHN PLAYER / GC   [WEST GERMANY!]
KARO               [WEST GERMANY!]
KEEPER             [WEST GERMANY!]
KEEPER             [AUSTRALIA!]
KREMLIN            [PORTUGAL!]
LATTICE            [WEST GERMANY!]
LIXOM BAH          [SWEDEN!]
LOWTEC             [WEST GERMANY!]
MISTER PRESIDENT   [WEST GERMANY!]
MISTER ROX         [WEST GERMANY!]
MORRISON / PP      [WEST GERMANY!]
NEW DEAL           [WEST GERMANY!]
ONYX               [WEST GERMANY!]
OZZY               [WEST GERMANY!]
PACO               [SPAIN!]
PSYCHE / PP        [WEST GERMANY!]
ROMKERNAL          [USA!]
THE WANDERER       [WEST GERMANY!]
TECHNIQUE          [USA!]
TIMESCAPE          [ITALY]
WILBO / PP         [WEST GERMANY!]
WIZLER             [WEST GERMANY!]
WHITEHEAT          [WEST GERMANY!]

AND TO ALL OTHERS WHICH SUPPORTED ME WITH INFORMATIONS AND ALL THE GREAT/FANTASTIC HINTS ABOUT BLUEBOXING... [SPECIAL TO CCITT-BERN! (HEHE)]

--------------------------------------
>        THE TEXT WAS WRITTEN        <
>            BY GURU JOSH            <
>                 OF                 <
>        PHREAKER'S PARADISE!        <
>                AND!                <
>             PHUN CLUB!             <
>                                    <
>  HOW TO GET IN TOUCH, WITH ME !?   <
>____________________________________<
>                                    <
> WRITE ME A INTERNET/USENET MESSAGE <
>                                    <
> MY ADDRESS:                        <
>------------------------------------<
> hellfire@hiss.han.sub.org          <
> hellfire@hiss.han.de               <
>____________________________________<
>                                    <
> SIMPLE WRITE A MESSAGE TO :        <
> -----------------------------      <
> "HELLFIRE" OR "GURU JOSH"          <
> -----------------------------      <
>____________________________________<

SIGNED IN PEACE: GURU JOSH

---------------------------------------
NOW, FOLLOWING OTHER TEXTFILE'S WRITTEN BY SOME DIFFERENT PEOPLE AROUND THE WHOLE WORLD...
---------------------------------------

Note to sysops: You are welcome to download this file and use it on your system, providing you DO NOT remove the credits for Mark Tabas or KAOS. In other words, try to act like a human being!

--------------------------------------
The Mark Tabas encounter series presents:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Better Homes and Blue Boxing
Part I
Theory of Operation
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

To quote Karl Marx, blue boxing has always been the most noble form of phreaking. As opposed to such things as using an MCI code to make a free fone call, which is merely mindless pseudo-phreaking, blue boxing is actual interaction with the Bell System toll network. It is likewise advisable to be more cautious when blue boxing, but the careful phreak will not be caught, regardless of what type of switching system he is under.

In this part, I will explain how and why blue boxing works, as well as where. In later parts, I will give more practical information for blue boxing and routing information.

To begin with, blue boxing is simply communicating with trunks. Trunks must not be confused with subscriber lines (or "customer loops") which are standard telefone lines. Trunks are those lines that connect central offices. Now, when trunks are not in use (i.e., idle or "on-hook" state) they have 2600Hz applied to them.
If they are two-way trunks, there is 2600Hz in both directions. When a trunk IS in use (busy or "off-hook" state), the 2600Hz is removed from the side that is off-hook. The 2600Hz is therefore known as a supervisory signal, because it indicates the status of a trunk; on hook (tone) or off-hook (no tone).

Note also that 2600Hz denoted SF (single frequency) signalling and is "in-band." This is very important. "In-band" means that it is within the band of frequencies that may be transmitted over normal telefone lines. Other SF signals, such as 3700Hz are used also. However, they cannot be carried over the telefone network normally (they are "out-of-band") and are therefore not able to be taken advantage of as 2600Hz is.

Back to trunks. Let's take a hypothetical phone call. You pick up your fone and dial 1+806-258-1234 (your good friend in Amarillo, Texas). For ease, we'll assume that you are on #5 Crossbar switching and not in the 806 area. Your central office (CO) would recognize that 806 is a foreign NPA, so it would route the call to the toll centre that serves you. [For the sake of accuracy here, and for the more experienced readers, note that the CO in question is a class 5 with LAMA that uses out-of-band SF supervisory signalling]. Depending on where you are in the country, the call would leave your toll centre (on more trunks) to another toll centre, or office of higher "rank". Then it would be routed to central office 806-258 eventually and the call would be completed.

Illustration:

A---CO1-------TC1------TC2----CO2----B

A=you
CO1=your central office
TC1=your toll office.
TC2=toll office in Amarillo.
CO2=806-258 central office.
B=your friend (806-258-1234)

In this situation it would be realistic to say that CO2 uses SF in-band (2600Hz) signalling, while all the others use out-of-band signalling (3700Hz). If you don't understand this, don't worry too much. I am pointing this out merely for the sake of accuracy.
The point is that while you are connected to 806-258-1234, all those trunks from YOUR central office (CO1) to the 806-258 central office (CO2) do *NOT* have 2600Hz on them, indicating to the Bell equipment that a call is in progress and the trunks are in use.

Now let's say you're tired of talking to your friend in Amarillo (806-258-1234) so you send a 2600Hz down the line. This tone travels down the line to your friend's central office (CO2) where it is detected. However, that CO thinks that the 2600Hz is originating from Bell equipment, indicating to it that you've hung up, and thus the trunks are once again idle (with 2600Hz present on them). But actually, you have not hung up, you have fooled the equipment at your friend's CO into thinking you have. Thus, it disconnects him and resets the equipment to prepare for the next call. All this happens very quickly (300-800ms for step-by-step equipment and 150-400ms for other equipment).

When you stop sending 2600Hz (after about a second), the equipment thinks that another call is coming towards it (e.g. it thinks the far end has come "off-hook" since the tone has stopped). It could be thought of as a toggle switch: tone --> on hook, no tone --> off hook. Now that you've stopped sending 2600Hz, several things happen:

1) A trunk is seized.
2) A "wink" is sent to the CALLING end from the CALLED end indicating that the CALLED end (trunk) is not ready to receive digits yet.
3) A register is found and attached to the CALLED end of the trunk within about two seconds (max).
4) A start-dial signal is sent to the CALLING end from the CALLED end indicating that the CALLED end is ready to receive digits.

Now, all of this is pretty much transparent to the blue boxer. All he really hears when these four things happen is a <beep><kerchunk>. So, seizure of a trunk would go something like this:

1> Send a 2600Hz
2> Terminate 2600Hz after 1-2 secs.
3> [beep][kerchunk]

Once this happens, you are connected to a tandem that is ready to obey your every command. The next step is to send signalling information in order to place your call. For this you must simulate the signalling used by operators and automatic toll-dialing equipment for use on trunks. There are mainly two systems, DP and MF. However, DP went out with the dinosaur, so I'll only discuss MF signalling.

MF (multi-frequency) signalling is the signalling used by the majority of the inter- and intra-lata network. It is also used in international dialing known as the CCITT no.5 system. MF signalling consists of 7 frequencies, beginning with 700Hz and separated by 200Hz. A different set of two of the 7 frequencies represent the digits 0 thru 9, plus an additional 5 special keys. The frequencies and uses are as follows:

Frequencies (Hz)   Domestic   Int'l
--------------------------------------
 700+900           1          1
 700+1100          2          2
 900+1100          3          3
 700+1300          4          4
 900+1300          5          5
1100+1300          6          6
 700+1500          7          7
 900+1500          8          8
1100+1500          9          9
1300+1500          0          0
 700+1700          ST3p       Code 11
 900+1700          STp        Code 12
1100+1700          KP         KP1
1300+1700          ST2p       KP2
1500+1700          ST         ST

The timing of all the MF signals is a nominal 60ms, except for KP, which should have a duration of 100ms. There should also be a 60ms silent period between digits. This is very flexible, however, and most Bell equipment will accept outrageous timings.

In addition to the standard uses listed above, MF pulsing also has expanded usages known as "expanded inband signalling" that include such things as coin collect, coin return, ringback, operator attached, and operator released. KP2, code 11, and code 12 and the ST_ps (STart "primes") all have special uses which will be mentioned only briefly here.

To complete a call using a blue box, once seizure of a trunk has been accomplished by sending 2600Hz and pausing for the <beep><kerchunk>, one must first send a KP. This readies the register for the digits that follow.
For a standard domestic call, the KP would be followed by either 7 digits (if the call were in the same NPA as the seized trunk) or 10 digits (if the call were not in the same NPA as the seized trunk). [Exactly like dialing a normal fone call]. Following either the KP and 7 or 10 digits, a STart is sent to signify that no more digits follow.

Example of a complete call:

1> Dial 1-806-258-1234
2> wait for a call-progress indication (such as ring, busy, recording, etc.)
3> Send 2600Hz for about 1 second.
4> Wait for about 2 seconds while a trunk is seized.
5> Send KP+305+994+9966+ST

The call will then connect if everything was done properly. Note that if a call to an 806 number were being placed in the same situation, the area code would be omitted and only KP+ seven digits+ST would be sent.

Code 11 and code 12 are used in international calling to request certain types of operators. KP2 is used in international calling to route a call other than by way of the normal route, whether for economic or equipment reasons. STp, ST2p, and ST3p (prime, two prime, and three prime) are used in TSPS signalling to indicate calling type of call (such as coin-direct dialed).

This has been Part I of Better Homes and Blue Boxing. I hope you enjoyed and learned from it. If you have any questions, comments, threats or insults, please feel free to drop me a line. If you have noticed any errors in this text (yes, it does happen), please let me know and perhaps a correction will be in order. Part II will deal mainly with more advanced principles of blue boxing, as well as routings and operators.

Note 1: other highly trunkable areas include: 816,305,813,609,205. I personally have excellent luck boxing off of 609-953-0000. Try that if you have any trouble.

......................................
(c) January 7, 1985 Mark Tabas
......................................
$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$

The Mark Tabas encounter series presents...
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Better Homes and Blue Boxing
Part ii
Practical Applications
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

(It is assumed that the reader has read and understood Part i of this series).

The essential purpose of blue boxing in the beginning was merely to receive toll services free of charge. Though this can still be done, blue boxing has essentially outlived its usefulness in this area. Modern day "extenders" and long distance services provide a safer and easier way to make free fone calls. However, you can do things with a blue box that just can't be done with anything else. For ordinary toll-fraud, a blue box is impractical for the following reasons:

1. Clumsy equipment required (blue box or equivalent)
2. Most boxed calls must be made through an extender. Not for safety reasons, but for reasons I'll explain later.
3. Connections are often sacrificed because considerable distances must be dialed to cross a seizable trunk, in addition to awkward routing.

As stated in reason #2, boxed calls are usually made through an extender. This is for billing reasons. If you recall from Part i, 2600Hz is used as a "supervisory" signal. That is, it signals the status of a trunk-- "on-hook" or "off-hook." When you seize a trunk (by briefly sending 2600Hz), your end (the CALLING end) goes on hook for the duration of the 2600Hz and then goes off-hook once again when the 2600Hz is terminated. The CALLED end recognizes that a call is on the way and attaches a register, which interprets the digits which are to be sent.

Now, understand that even though your end has come off-hook (no 2600Hz present), the other end is still on-hook. You may wonder then, why, if the other end (the CALLED end) is still on-hook, there is no 2600Hz coming the other way on the trunk, when there should be. This is correct. 2600Hz *IS* present on the trunk when you seize it and afterwards, but you cannot hear it because of a Band Elimination Filter (BEF) at your central office.

Back to the problem. Remember that when you seize a trunk, 2600Hz is indeed coming the other way on the trunk because the CALLED end is still on-hook, but you don't actually hear it because of a filter. However, the Bell equipment knows it's there (they can "hear" it). The presence of the 2600Hz is telling the billing equipment that your call has not yet been completed (i.e., the CALLED end is still on-hook). When finally you do connect with your boxed call, the 2600Hz from the called end terminates. This tells the billing equipment that someone picked up the fone at the CALLED end and you should begin to be billed. So you do start to get billed, but for the call to the trunk, NOT the boxed call. Your billing equipment thinks that you've connected with the number you used to seize the trunk.

Illustration:

1. You call 1+806-258-2222 (directly)
2. Status of trunks:

<----------------------------------->
(You)                    806-258-2222
No 2600Hz------->
                   <------------2600Hz

When you seize a trunk (before the number you called answers) there is no effect on your billing equipment. It simply thinks that you're still waiting for the call to complete (the CALLED end is still on-hook; it is ringing, busy, going to recorder or intercept operator).

Now, let's say that you've seized a trunk (806-258-2222) and, for example, sent KP+314+949+1705+ST. The call is routed from the tandem you seized to: 314-949-1705.

Illustration:

<------------------>O<--------------->
(You)              806         314-949
                  tandem
No 2600Hz---------->
                    <----------2600Hz

Note that the entire path towards the right (the CALLED end) has no 2600Hz present and is therefore "off-hook." The entire path towards the left (the CALLING end) does have 2600Hz present on it, indicating that the CALLED end has not picked up (or come "off-hook"). When 314-949-1705 answers, "answer supervision" is given and the 2600Hz towards the left (the CALLING end) terminates.
This tells your billing equipment, which thinks that you're still waiting to be connected with 806-258-2222, that you've finally connected. Billing then begins to 806-258-2222. Not exactly an auspicious beginning for an aspiring young phone phreak.

To avoid this, several actions may be taken. As previously mentioned, one may avoid being charged for the number called to seize a trunk by using an extender (in which case the extender will get billed). In some areas, boxing may be accomplished using an 800 number, generally in the format of 800-858-xxxx (many Amarillo numbers) or 800-NN2-xxxx (special intra-state class in-WATS numbers). However, boxing off of 800 numbers is impossible in many areas. In my area, Denver, I am served by #1A ESS and it is impossible for me to box off of any 800 number.

Years ago, in the early days of blue boxing (before my time), phreaks often used directory assistance to box off of because they were "free" long distance calls. However, because of competitive long distance companies, directory assistance surcharges are now $0.50 in many areas. It is additionally advised that directory assistance numbers not be used to box from because of the following:

Average DA calls last under 2 minutes. When you box a call, chances are that it will last considerably longer. Thus, the Bell billing equipment will make a note of calls to directory assistance that last a long time. A call to a directory assistant lasting for 4 hours and 17 minutes may appear somewhat suspicious. Although the date, time, and length of a DA call do not appear on the bill, it is recorded on AMA tape and will trip a trouble report if it were to last too long. This is how most phreaks were discovered in the old days. Also, sometimes too many calls lasting too long to one 800 number may raise a few eyebrows at the local security office.

Assuming you can complete a blue box call, the following are listed routings for various Bell internal operators.
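
The discovery method described above (directory-assistance calls that run far past the usual under-two-minute length, and repeated long calls to one 800 number) can be written as a check over call records. This is an added example, not part of the original text; the record layout, the three thresholds and the sample numbers are constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Thresholds are assumptions for this example; the text only says that
# directory-assistance (DA) calls average under 2 minutes.
DA_MAX_SECONDS = 10 * 60        # a DA call longer than this is anomalous
LONG_CALL_SECONDS = 30 * 60     # "too long" for a call to an 800 number
REPEAT_LIMIT = 3                # this many long calls to one 800 number

# Constructed records: caller, dialed number, duration in seconds.
# 15420 s is the 4 hours 17 minutes the text uses as its example.
SAMPLE_RECORDS = """\
303-555-0101,1-806-555-1212,95
303-555-0101,1-806-555-1212,15420
303-555-0144,1-800-555-0199,2700
303-555-0144,1-800-555-0199,3300
303-555-0144,1-800-555-0199,4100
303-555-0170,1-800-555-0199,240
303-555-0170,1-314-555-0123,5400
garbled line without fields
"""


@dataclass(frozen=True)
class CallRecord:
    caller: str
    dialed: str      # ten digits, NPA first
    seconds: int


def normalize(number: str) -> str:
    """Keep digits only and drop a leading long-distance '1'."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def parse_records(text: str):
    """Return (records, rejected_lines); malformed lines are kept for review."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3 or not fields[2].isdigit():
            rejected.append(line)
            continue
        dialed = normalize(fields[1])
        if len(dialed) != 10:
            rejected.append(line)
            continue
        records.append(CallRecord(normalize(fields[0]), dialed, int(fields[2])))
    return records, rejected


def is_directory_assistance(dialed: str) -> bool:
    return dialed[3:] == "5551212"      # NPA+555+1212, as in the text


def is_toll_free(dialed: str) -> bool:
    return dialed.startswith("800")     # the only toll-free code the text names


def long_da_calls(records):
    """DA calls whose duration is far beyond a normal lookup."""
    return [r for r in records
            if is_directory_assistance(r.dialed) and r.seconds > DA_MAX_SECONDS]


def repeated_long_toll_free(records):
    """(caller, 800 number) pairs with REPEAT_LIMIT or more long calls."""
    counts = Counter((r.caller, r.dialed) for r in records
                     if is_toll_free(r.dialed) and r.seconds > LONG_CALL_SECONDS)
    return {pair: n for pair, n in counts.items() if n >= REPEAT_LIMIT}


def report(text: str):
    """Run both checks and return (findings, rejected_lines)."""
    records, rejected = parse_records(text)
    findings = [("long-da", r.caller, r.dialed, r.seconds)
                for r in long_da_calls(records)]
    for (caller, dialed), n in sorted(repeated_long_toll_free(records).items()):
        findings.append(("repeat-800", caller, dialed, n))
    return findings, rejected


if __name__ == "__main__":
    findings, rejected = report(SAMPLE_RECORDS)
    for finding in findings:
        print(finding)
    print("rejected:", rejected)
```

The long call to an ordinary number (314-555-0123) is not flagged: both rules key on destinations where a long duration is abnormal, which is the property the text attributes to the AMA review.
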
These are in the format of KP+NPA+special routing+1X1+ST, which I will explain later. The 1X1 is the actual operator routing, and NPA and NPA+special routing are used for out-of-area code calls and out-of-area code calls requiring special routing, respectively.

   KP+101+ST ...... toll test board
   KP+121+ST ...... inward op
   KP+131+ST ...... directory assistance
   KP+141+ST ...... was rate & route. Now only works in 312, 815, 717,
                    and a few others. It has been replaced with a
                    universal rate & route number, 800+141+1212.
   KP+151+ST ...... overseas completion operator (inbound). Works only
                    in certain NPAs, such as 303.
   KP+181+ST ...... in some areas, toll station for small towns

Thus, if you seized a trunk in 806 NPA and wanted an inward (in 806), then you would dial KP+121+ST. If you wanted a 312 inward and were dialing on an 806 trunk, an area code would be required. Thus, you would dial KP+312+121+ST. Finally, some places in the network require special routing, in addition to an area code. An example is Franklin Park, Ill. It requires a special routing of 032. For this, you would dial KP+312+032+121+ST for a Franklin Park inward operator.

Special routings are in the format of 0XX. They are used primarily for load balance, so that traffic flow may be evenly distributed. About half of the exchanges in the network require special routing. Note that special routings are NEVER EVER EVER used to dial normal telephone numbers, only operators.

Operator functions:

TOLL TEST BOARD- Generally a cordboard position that assists in trunk testing. They are not used by operators, only switchmen.

INWARD- Assists the normal TSPS (0+) operator in completing calls out of the TSPS's area. Also, inwards perform emergency interrupts when the number to be interrupted is out of the area code of the original (TSPS) operator. For example, a 303 operator has a customer that needs an emergency interrupt on 215-647-6969.
The 303 operator gets the routing for the inward that covers 215-647, since she cannot do the interrupt herself. The routing is found to be only 215+ (no special routing required). So, the 303 operator keys KP+215+121+ST. An inward answers and the 303 says to her, "Inward, this is Denver. I need an emergency interrupt on 215-647-6969. My customer's name is Mark Tabas." The inward will then do the interrupt (off the line, of course). If the number to be interrupted had required special routing, such as, say, 312-456-1234 (spec routing 032), then the 303 operator would dial KP+312+032+121+ST for the inward to do that interrupt.

DIRECTORY ASSISTANCE- These are the normal NPA+555+1212 operators that assist customers with obtaining telefone directory listings. Not much toll-fraud potential here, except maybe $0.50.

RATE AND ROUTE- These operators are reached by dialing KP+800+141+1212+ST. They assist normal (TSPS) operators with rates and routings (thus the name). The only uses I typically have for them are the following:

1. Routing information. In the above example, when the 303 operator needed to dial an inward that served 215-647, she needed to know if any special routing was required and, if so, what it was. Assuming she would use rate and route, she would dial them and say nicely, "Operator's route, please, for 215-647." Rate & route would respond with "215 plus." This means that the operator would dial KP+215+121+ST to reach the inward that serves 215-647. If there were special routing required, such as in 312-456, rate & route would respond with "312 plus 032 plus." In that case, the operator would dial KP+312+032+ST for the inward that serves 312-456.

It is good practice to ask for "operator's route" specifically, as there are also "numbers route" and "directory routes." If you do not specifically ask for operator's route, rate & route will generally assume that is what you want anyway.

"Numbers" route refers to overseas calls.
Example: you want to know how to reach a number in Geneva, Switzerland (and you already have the number). You would call routing and say "Numbers route, please, Geneva, Switzerland." The operator would respond with:

   "Mark 41+22. 011+041+ST (plus) 041+22"

The "Mark 41+22" has to do with billing, so disregard it. The 011+041 is access to the overseas gateway (to be discussed in Part iii) and the 041+22+ is the routing for Geneva from the overseas sender.

"Directory" routings are for directory assistance overseas. Example: you want a DA in Rome, Italy. You would call rate & route and say, "Directory routing please, for Rome, Italy." They would respond with "011+039+ST (plus) 039+1108 STart." As in the previous example, the 011+039 is access to the overseas gateway. The 039+1108 is a directory assistant in Rome.

2. Nameplace information. Rate & Route will give you the location of an NPA+exchange. Example: "Nameplace please, for 215-648." The operator would respond with "Paoli, Pennsylvania." This isn't especially useful, since you can get the same information (legally) by dialing 0, but using rate & route is often much faster and it avoids having to hang up when you are already on a trunk.
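
The AMA review described earlier (directory assistance calls that last far too long, and too many long calls to one 800 number) can be sketched as a duration check over call records. This is an added example, not part of the original text and not Bell's actual logic; the record layout, the thresholds and the phone numbers are assumptions constructed for illustration.

```python
# Added example: AMA-style duration review. Record layout, thresholds and
# phone numbers are assumptions constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class CallRecord:
    calling: str   # originating number
    called: str    # 10-digit called number
    seconds: int   # answered duration in seconds

# Assumed thresholds. The text only says DA calls average under 2 minutes.
DA_MAX_SECONDS = 10 * 60
TOLLFREE_LONG_SECONDS = 30 * 60
TOLLFREE_MAX_LONG_CALLS = 3

def is_directory_assistance(called: str) -> bool:
    # NPA+555+1212, the directory assistance format given in the text
    return len(called) == 10 and called[3:] == "5551212"

def is_toll_free(called: str) -> bool:
    return len(called) == 10 and called.startswith("800")

def trouble_reports(records):
    """Return (rule, calling, called, value) tuples for records worth review."""
    reports = []
    long_tollfree = defaultdict(int)
    for r in records:
        if is_directory_assistance(r.called):
            if r.seconds > DA_MAX_SECONDS:
                reports.append(("long-DA", r.calling, r.called, r.seconds))
        elif is_toll_free(r.called) and r.seconds > TOLLFREE_LONG_SECONDS:
            long_tollfree[(r.calling, r.called)] += 1
    for (calling, called), count in sorted(long_tollfree.items()):
        if count >= TOLLFREE_MAX_LONG_CALLS:
            reports.append(("repeat-800", calling, called, count))
    return reports

# Constructed sample records, not real AMA data.
SAMPLE = [
    CallRecord("3035550100", "8065551212", 95),                  # normal DA call
    CallRecord("3035550101", "8065551212", 4 * 3600 + 17 * 60),  # 4 h 17 min
    CallRecord("3035550102", "8005550199", 2400),
    CallRecord("3035550102", "8005550199", 3600),
    CallRecord("3035550102", "8005550199", 5400),
    CallRecord("3035550103", "8005550199", 2000),                # single long call
]

if __name__ == "__main__":
    for report in trouble_reports(SAMPLE):
        print(report)
```

The 4 hour 17 minute directory assistance call from the text is the record that trips the first rule; a single long 800 call does not trip the second until it repeats.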