💾 Archived View for gemini.spam.works › mirrors › textfiles › phreak › rascp1.txt captured on 2023-01-29 at 10:45:14.

View Raw

More Information

⬅️ Previous capture (2020-10-31)

-=-=-=-=-=-=-

            =$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$
            \                                                    /
            / R O U T I N G    A N D    S Y S T E M    C O D E S \
            \                                                    /
            /                       Part I                       \
            \                                                    /
            /                By   The   Doctor  (Who)            \
            \                                                    /
            /                      7/10/85                       \
            =$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$


                                1. Introduction

         The Bell system, as it is today, offers a wealth of opportunities for
phreaks. However, Bell doesn't like us to have access to these nifties, so they
hide many special services in that vast block of non-standard numbers which a
customer cannot normally dial.

         That's what this tutorial is all about, the non-standard numbers which
Bell hides from us. We'll take a look first at the Network structure, then the
numbering plan for North America, then at Routing and System codes, including
operators, test lines, OUTWATS, international calling, and more.


                          2. Structure of the Network

         The Bell system is organized as a hierarchic network with 5 levels.
The lowest level, or class 5 office, is the End-Office (EO from here on). The
EO is also called the central exchange, wire center, or central office. This is
where all the subscriber lines are connected for a given exchange number. Each
EO can handle at least 10,000 lines; #5 ESS can handle up to 100,000. Calls
between subscribers in the same EO are connected internally and never leave the
building whereas calls between subscribers in different EO's travel over
inter-exchange trunk lines. Calls that never go higher than the class 5 office
or Tandem office (hold on, I'm getting to it) are local and therefore free.

         In large NPA's that have many EO's, it is uneconomical for each EO to
have at least 12 trunks (the minimum laid at a time) to every other EO.
Imagine, in a city with 600 EO's, there would be 17970 inter-office trunk
cables to maintain! There simply aren't that many simultaneous conversations
going on at any given time, so many trunks would be unused. Instead, Bell has
adopted an intermediate switching level called the Tandem Office. A tandem
Office is to the EO's as a EO is to its subscribers. Local traffic between 2
EO's which don't have direct connecting trunk lines passes through the Tandem
office. Under this scheme, a city of 600 EO's would only require 600 inter-
office trunk cables, that is quite a reduction!

         Subscribers in different NPA's (Numbering Plan Areas, or area codes)
are connected through the Toll Network. The first level in the Toll Network is
the class 4 office, or Toll Center (TC from here on). Each exchange has
dedicated trunks that connect it to the TC that serves it, so a cable map would
look like a star with all the exchanges having a cable to a central point. Once
a call has reached the TC, it does one of four things:

         1. It immediately leaves the TC for the called exchange. This usually
            is the case if the parties are served by the same TC but are not
            local to each other.

         2. It leaves the first TC over trunks in the High-Usage-Trunk-Group
            for the TC serving the called party where it then reaches the
            called exchange. This is the case during non-peak hours.

         3. It leaves the TC over trunks in the Final-Trunk-Group for the
            primary center (to be discussed in a moment).This route is followed
            when all the High-Usage-Trunks are busy.

         4. If none of the above choices were taken, then all the trunks are
            busy. The calling line either gets a re-order tone (fast busy), or
            a recording saying all circuits are busy.

         After the TC, there are three higher levels that function in exactly
the same way. Each level can connect to any other level. As you can see, a call
can climb a "communications ladder", going from Toll Center to primary center
to sectional center to regional center and back down again to reach the called
party. In order, the overall structure of the Network is:

         class 5 office - End office or Exchange
         class 4 office - Toll Center             508 as of 1983
         class 3 office - Primary center          148 as of 1983
         class 2 office - Sectional center        52 as of 1983
         class 1 office - Regional center         10 as of 1983


                      3. Numbering Plan of North America

         When Bell introduced Direct Distance Dialing (DDD) in the 1960's, they
set a standard for telephone numbers. Any subscriber anywhere in the United
States can reach any other subscriber by dialing a 10 or 11 digit "Network
Address". The format for a standard (that is, customer dialable) number is a
three digit area code followed by a 3 digit End-office code followed by a 4
digit station number. In some areas, it is necessary to dial a preceding 1 to
identify the call as long distance. Symbolically, numbers can be represented
by:

           X - Any digit 0 to 9
           N - any digit 2 to 9
           Z - 0 or 1

area code    - NZX
exchange     - usually NNX, but some are NZX (like an area code in appearance)
station      - XXXX

        Bell also defined 200 special codes in each area code that a customer
cannot normally dial. These codes perform system functions, request operators,
an influence the route a call takes. In addition, each Toll Center has a
routing code that lets you force the call to pass through it (more on this
later). They are in the format of:

Special codes- ZXX (all routing and system codes are in this format)
operators    - 1X1 (such as 101, 121, 131, 141, 191, etc.)
Toll centers - 0XX


        4. Operators, routing codes, OutWats, and International calling

         Many special operators exist in the Bell system.Some of them, like
CN/A operators, have standard, customer dialable numbers. However, many others
can only be reached via the appropriate routing/system code. These are......
(an optional area code can be put in front of them.i.e. KP+301+121+ST to get
an inward for Maryland):

      101 - Toll Center test board (Toll maintenance personnel). These people
            are great for social engineering because they almost never get
            suspicious calls from phreaks. I think they can perform traces of
            customers lines for you.

      121 - Inward operator. This operator assists the Toll and assistance
            ("0") operator in making emergency interruptions to numbers in
            other area codes. They can also complete a normal call or, if you
            ask them for "loop around" numbers, they will give you the numbers
            of working loops. To get an emergency interruption, say:
            "I need an emergency interruption on 301-555-1212. My party's name
            is Bill Smith."

      131 - Directory assistance for Toll and Assistance operators. This is
            just a suped up version of the 555-1212 directory assistance
            operator. The only difference that I know of is that they can do
            emergency interruptions.

      141 - Rate & Route operator. Reach at 800-141-1212.
            To find out... (quoted from Bioc's Basic Telecommunications VII)
           1)Area codes
                    say: "Miami, Florida (any city), numbers route please."
               response: "305 plus" (meaning 305 is the area code)
           2)Inward operator numbers (usually 121, but can have a prefix)
                    say: "916-756 (any NPA-EXG), operator route please"
               response: "916 plus 001 plus" (meaning 916-001-121)
           3)City names
                    say: "Place name, 301-340 (any NPA-EXG), please"
               response: "Rockville, Maryland"
           4)International Directory Assistance numbers
                    say: "International, London, England (any city), TSPS
                          directory route, please"
               response: "Directory to London, England. Country code 44 plus 1
                          plus 986 plus 3611"
           5)Country and City codes
                    say: "International, Sydney, Australia (any city), TSPS
                          numbers route, please."
               response: "Country code 61 plus 2"
           6)International inward operators
                    say: "International, London, England (any city), TSPS
                          inward route, please."
               response: "Country code 44 plus 121"
           7)Language Assistance operators (use with foreign inward, not R&R)
                    say: "United States calling. Language assistance in
                          completing a call to <called person's name> at
                          <person's number>."

      151 - Overseas incoming (NPA 212 and 914)

      161 - Trouble reporting operator. Reach at 800-161-1212

The following operators only exist in certain area codes (212 for example):

    11501 - Universal cordboard operator
    11511 - TSPS conference operator (not the same as an Alliance operator)
    11521 - Mobile operator
    11531 - Marine operator
    11541 - Long Distance incoming switchboard
    11551 - Leave word for time and charges
    11561 - Same as above but for Hotels/Motels
    11571 - Overseas operator. Language assistance.

     The Bell system also hides many test and routing numbers from its
customers in the ZXX series. A few of them are listed below.

      001 - Trunk access system. Usually used as a prefix before another code.
      009 - Rate quote system. Gives the toll and assistance operator rate
            information. Although I don't know the command format, I know it
            accepts MF for control. Most area codes have this system function,
            but 713 does for sure.
      011 - prefix for international calling
      080 - Alliance Teleconferencing Toll Center code in many areas. (213)
      100 - loop, tone side
      103 - loop, dead side
      105 - verification (Long-Short beep)
      191 - International operator in some areas, 911 emergency system in
            others
    11601 - another inward in some areas (212)
    11611 - Computer that checks Calling Cards in 212. After the bong, enter
            the calling card number in DTMF and if it's valid you will get a
            message saying so.

      As mentioned previously, each Toll Center in the network has a 3 digit
code in the form of 0XX. This is used primarily when dealing with area codes
that cover more than 1 major city. For example, Alaska has just the 907 area
code, but more than 1 major city. To reach an inward or Toll Center test board
for the appropriate city, you have to enter the Toll Center code for that city.
Otherwise, the switching equipment won't know which of the major cities is
wanted. KP+907+101+ST won't work, you have to dial KP+907+054+101+ST if you
want to reach the Test board in Anchorage. The 054 code forces the call to go
through the Toll Center there.

      International dialing in the Bell system is accomplished by calling up
one of the 7 international senders and then dialing the international number.
The sender codes and their locations are:

      182 - White Plains, New York
      183 - New York, New York
      184 - Pittsburg, Pennsylvania
      185 - Orlando, Florida
      186 - Oakland, California
      187 - Denver, Colorado
      188 - New York, New York (again)

      There are two ways to get to a sender. The simplest way is to dial
KP+sender code+ST (i.e. KP+188+ST). A prefix area code is sometimes required
(i.e. KP+213+188+ST). Another way which arouses less suspicion, is to use the
011 international dialing prefix. To use it, dial KP+011+0+country code+ST
(i.e. KP+011+081+ST for Japan). Again, a prefix area code is often required as
in KP+213+011+081+ST.
      Once you have reached a sender, you will get a 440 hz. dial tone. Now
you enter KP+country code+city code+number+ST. For example, to get a nifty
sounding recording in Japan, dial KP+81+3+8132542+ST.

    In addition to the above routing and system codes, OUTWATS numbers are also
non-standard. OutWats are 800 numbers that make only outgoing calls and get
billed at a bulk rate. Their area code is always 800 and the exchange code
always begins with a 0. For example, 800-047-6287 could be an OUTWATS number
(no guarantees, though).

       Sometimes, when you suspect that the person you are calling will trace
your call, it is helpful to route you call through several cities. This trick
is called multiple routing and is accomplished by putting an area code in front
of the number. For example, if I wanted to call Joe Shmo at 301-340-9999 and I
wanted the call to pass through Los Angeles, I could dial KP+213+301+121+ST.
This would route my call to LA (because of the 213 prefix), then to a Maryland
inward (because of 301-121). When the inward comes on, just say: "I need
assistance in completing a call to 301-340-9999". Walla! Your call is just
about untraceable! Note that more than 2 area codes CANNOT be strung together
because there must be fewer than 12 digits between KP and ST.

       Well, that about wraps up this tutorial. Tune in next time for the next
edition of the most complete Telecommunications tutorial ever written!
(Complements of The Doctor (Who)).