STATION ID - 7047/3.12

                         9x Datakit Network

                       FOR OFFICIAL USE ONLY

This is a 9x system, restricted to authorized persons and for official 9x business only. Anyone using this system, network or data is subject to being monitored at any time for system administration and for identifying unauthorized users or system misuse. Anyone using this system expressly consents to such monitoring and is advised that any evidence of criminal activity revealed through such monitoring may be provided to law enforcement for prosecution.

*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*
[9x]                                                 [9x]
[9x]           I N T R O D U C T I O N               [9x]
[9x]                     T O                         [9x]
[9x]           B L U E   B O X I N G                 [9x]
[9x]                     B Y                         [9x]
[9x]           L I N E M A N,  1 9 9 6               [9x]
[9x]                                                 [9x]
*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*


Intro
-----------------

Y0, this is an intro to blue boxing in the 90's. I don't claim to be an expert, or an authority on the topic of international or regional signalling, just someone interested. The information provided in this file is not illegal. Almost all of it is publicly available.

*** NOTICE ***

This is not meant to be a comprehensive guide to C5, R1 or any other form of signalling. Treat it as an introduction. There is a lot of information I have not included, because a) it would be confusing, and b) it's not important. I'd like to stress that a lot of my examples have been OVER SIMPLIFIED for convenience. I have included a list of references that you should probably check out if you're interested. This info is/was publicly available at most quality libraries. Fr3e inph0 4 aLl.

As with all things of a suspicious nature, you will eventually get caught. How long you go without getting caught depends, generally, on skill, precaution, and luck.


Wut iZ Signalling
-----------------

Signalling is the term used to describe how telecommunication networks communicate with each other. There are many types of signalling, including DC pulsing (like on a rotary fone) and even DTMF.
Dialing a phone number is actually a form of signalling called subscriber line signalling. Telephone networks communicate via special "lines" connecting each other up, called trunks. Information about a call, and in some cases the conversation, is passed through a trunk line to the called network. The called end gathers the signalling information, manipulates some hardware, and voila, a call is made. If the called line is busy, etc., then the called end signals back to the calling system, and the caller gets a busy signal. That's way over simplified (and somewhat incorrect), but I'll explain more as I go. Until then, here is an analogy. :)

Trunk lines are like bridges (the kind you drive over). Instead of running many small bridges to various locations, one large bridge is built in a convenient spot. Even though there is only one bridge, it's big and handles lots of traffic, effectively connecting two sections of town. :)

The one signalling system I will discuss is CCITT5. It is still possible to use other systems (like R1), but most people won't be able to find them.

CCITT5 (C5) is an international signalling system. It was designed for handling international calls going over the trans-Atlantic cables. It's still widely used in many South American, Caribbean, Asian and poorer countries. Slowly, it's dying out.

C5 is a standard protocol set by the ITU (International Telecommunications Union), formerly known as the CCITT (International Telegraph and Telephone Consultative Committee). They set communication standards and publish lots of documentation about the aforementioned as well as various other communications related topics.


More about Signalling
-----------------

As with most things, it's kind of necessary to understand a bit about the system you will be (ab)using. In the following sections, I'll describe trunk lines, terminal and transit networks, line signalling, and interregister signalling.
Trunk Lines
-----------------

A trunk line is a circuit that connects two (2) networks together. You may already be familiar with the trunk lines running between COs. For C5, however, the trunk lines will be the ones that connect transit (international) networks to terminal (national) networks in distant countries. For our C5 purposes, an international trunk will look like this:

 __________                                    __________
| OUTGOING |=>====>====> FORWARD >====>====>==| INCOMING |
| EXCHANGE |                                  | EXCHANGE |
|__________|==<====<=== BACKWARD =<====<====<=|__________|
 (Caller)                                      (Receiver)

Signals sent in the forward direction go from the caller's end to the recipient's end, and the opposite goes for the backward direction. For C5 this is not completely accurate. In reality it's not the outgoing exchange that sends the C5 signalling info to the incoming exchange; it's really an international "gateway" at the transit (national) exchange that sends the C5 info to the incoming transit exchange. Go see the references if you really care.

Signals are really just audio noises (like beeps) that represent certain "commands" (line signalling) and "parameters" (interregister signalling) to be issued to the routing/switching equipment. The signalling hardware picks these signals up by looking for characteristic energy levels. At the end of this file (amongst the other tables) you will find a list of signals and their frequencies.

The trunk lines not only transmit signalling information, they also transmit your conversation. So, when you make a call over one of these trunks you have access to more than a friendly voice. :) I once wondered why in the hell anyone would ever do such a stupid thing, but the answer is simple. With the volume of traffic going overseas, and the cost of the cable, equipment, boats, crew and design, the profit from using a single line to handle both signalling and voice easily outweighs the amount of "potential" loss due to fraud or bad connections. No one really cares.
If you're wondering how you're going to find a C5 trunk and access it for free, then stop. It's really simple. Home Country Directs take care of it for you. You just dial an 800/888 number that's connected to another country. I've included an older list of HCDs accessible from Canada at the end of this file.

Some terms you should know:

   Terminal -- National
   Transit  -- International


Line Signalling
-----------------

This really only applies to C5, because R1 uses 2600Hz to sequentially determine the state of line conditions. Line signalling issues commands/responses that mess with the actual connection of the line. Answer, Busy-Flash, Clear Forward and Clear Back are all line signals. Though you only need to know about Clear Forward for now, I'll give you a brief definition of the above.

Answer:
   This is a signal sent in the backward direction to indicate that a connection has been established to the called party and appropriate action (like billing) should begin.

Busy:
   This is a signal sent in the backward direction to indicate that the called party's line is not available. This doesn't always mean the line is busy, it just means you can't talk to them just yet.

Clear Forward:
   This is a signal sent in the forward direction to tell the incoming exchange to kill the current interregister connection. It's pretty much the same thing as hanging up. Sort of. :) (See Clear Backward.)

Clear Backward:
   This is a signal sent in the backward direction to tell the outgoing exchange to clear the current interregister connection (disconnect the call from the [inter]national network). To you, it's almost useless.

Proceed-to-send:
   A signal sent in response to a seize, by the incoming exchange, indicating that it is ready to receive interregister (routing) information.

Release Guard:
   A signal sent in the backward direction indicating that the circuit is free at the incoming end.

Seize:
   A signal sent in the forward direction to prepare the incoming exchange for a call.
There are a lot of other line signals, but you'll have to look at the references for those. The big ones to pay attention to now are Seize, Release Guard, Clear Forward and Proceed-to-send.

To best describe the operation of line signalling, I'll use an example of a call from John Smith in Albany, NY to a Johan Smitelly in Greece.

   > = forward direction
   < = backward direction

J.Smith: Dials Greece --+
                        |  Call is routed from the US to Greece.
                        |
                        |
        1. >US:     SEIZE
        2. <Greece: PROCEED-TO-SEND
        3. >US:     KP1-XXXXXXX-ST   (Interregister, more later)
        4. <Greece: (ringing)
        5. <Greece: ANSWER
        6. <Greece: CLEAR BACKWARD
        7. >US:     CLEAR FORWARD

   1. US takes hold of a line.
   2. Greece says "Okay, where to?"
   3. US says "Terminal call, XXXXXXXX, go."
   4. Ring.
   5. Greece says "Hey! America, start billing your subscriber."
   6. Greece tells America to let go of their circuit.
   7. America says let go of yours. The call is over.

And that's pretty much it. After the Clear Forward the whole process starts over again. As a blue boxer, you must:

   - Terminate your current call (with a Clear Forward)
   - Take control of a circuit (with a Seizure)
   - Send your NEW routing info (KPX-XXXXXXXX-ST)

The incoming exchange will respond with all of the appropriate tones, because it thinks you're signalling equipment. And this brings me into interregister signalling.


Interregister Signalling
-----------------

You learned how to take control of a line (with line signalling), but you still don't know how to do anything with that line. That's where interregister signalling comes into play. Interregister signalling is the process of actually routing your call (telling it where to go). The cool thing is that you can make your call go ANYWHERE (theoretically), give yourself a higher priority than a regular caller, and gain access to numbers that you can't get to through the regular telephone network.

Here are a few terms you will need to know:

   KP1: Indicates the beginning of a terminal (national) routing.
   KP2: Indicates the beginning of a transit (international) routing.
   ST:  Indicates the end of a routing.

I'll start with terminal calls.
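Before the routing formats, one added illustration that is not part of LineMan's file: the line-signalling call flow above, seen from the monitoring side rather than the boxer's. The Python below walks a constructed per-circuit event log in the notation used above (">" forward, "<" backward, plus the originating subscriber's hook state), checks that each line signal travels in the direction the definitions give it, checks the KP1/KP2 ... ST frame structure, and flags the pattern the "as a blue boxer, you must" list describes: a Clear Forward, a fresh Seize and a new routing while the subscriber who dialled the call never went on-hook. The event format, the state names and both sample logs are my assumptions, not anything from the file or from real exchange equipment.

```python
"""Added example, not from the original file: audit one C5 trunk circuit's
signalling log for the re-seizure pattern the text describes. Event format,
state names and the sample logs are constructed assumptions."""
from dataclasses import dataclass, field

# Direction each line signal travels per the definitions above:
# ">" forward (outgoing -> incoming exchange), "<" backward.
LINE_SIGNALS = {"SEIZE": ">", "CLEAR FORWARD": ">", "PROCEED-TO-SEND": "<",
                "ANSWER": "<", "BUSY": "<", "CLEAR BACKWARD": "<", "RELEASE GUARD": "<"}
# Circuit state a signal is expected in, and the state it moves the circuit to.
EXPECTED_BEFORE = {"SEIZE": "IDLE", "PROCEED-TO-SEND": "SEIZED", "ANSWER": "ROUTED"}
NEXT_STATE = {"SEIZE": "SEIZED", "PROCEED-TO-SEND": "READY", "ANSWER": "ANSWERED",
              "CLEAR FORWARD": "CLEARING", "CLEAR BACKWARD": "CLEARING",
              "RELEASE GUARD": "IDLE"}


def parse_register_frame(frame):
    """Split a frame written as in the text ('KP1-506-674-7575-ST') into (kind, body).
    KP1 opens a terminal routing, KP2 a transit one, ST closes it; Code11/Code12
    are the MF operator codes from the table at the end of the file."""
    parts = frame.split("-")
    if len(parts) < 3 or parts[0] not in ("KP1", "KP2") or parts[-1] != "ST":
        raise ValueError(f"malformed register frame: {frame}")
    body = parts[1:-1]
    for p in body:
        if not (p.isdigit() or p in ("Code11", "Code12")):
            raise ValueError(f"bad register signal {p!r} in {frame}")
    return ("terminal" if parts[0] == "KP1" else "transit"), body


def frame_is_valid(frame):
    """True if parse_register_frame accepts the frame."""
    try:
        parse_register_frame(frame)
        return True
    except ValueError:
        return False


@dataclass
class CircuitAudit:
    state: str = "IDLE"          # IDLE -> SEIZED -> READY -> ROUTED -> ANSWERED -> CLEARING
    seizures_this_call: int = 0  # trunk seizures since the subscriber went off-hook
    routings: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def audit_circuit(events):
    """Walk (source, signal) events for one circuit. source "S" is the originating
    subscriber loop (OFF-HOOK / ON-HOOK), ">" a forward trunk signal, "<" a backward
    one. A dialled call should seize the trunk once; CLEAR FORWARD, a fresh SEIZE
    and a new KP..ST while the same subscriber is still off-hook is the boxer's
    sequence from the text: line signalling arriving from the voice path."""
    a = CircuitAudit()
    for source, sig in events:
        if source == "S":                         # subscriber hook state
            if sig == "ON-HOOK":
                a.seizures_this_call = 0          # the next call may seize again
            continue
        if sig.startswith("KP"):                  # interregister (routing) frame
            try:
                kind, body = parse_register_frame(sig)
            except ValueError as exc:
                a.findings.append(str(exc))
                continue
            if a.state != "READY":
                a.findings.append(f"register frame before PROCEED-TO-SEND: {sig}")
            a.routings.append((kind, "-".join(body)))
            a.state = "ROUTED"
            continue
        expected_dir = LINE_SIGNALS.get(sig)
        if expected_dir is None:
            a.findings.append(f"unknown line signal {sig!r}")
            continue
        if source != expected_dir:
            a.findings.append(f"{sig} seen in direction {source!r}, expected {expected_dir!r}")
        want = EXPECTED_BEFORE.get(sig)
        if want and a.state != want:
            a.findings.append(f"{sig} while circuit is {a.state}")
        if sig == "SEIZE":
            a.seizures_this_call += 1
            if a.seizures_this_call > 1:
                a.findings.append("re-seizure without subscriber going on-hook")
        a.state = NEXT_STATE.get(sig, a.state)    # BUSY leaves the state alone
    return a


# Constructed sample logs (not captures): the John Smith call as laid out in the
# text, then the same call continued with the boxer's sequence.
NORMAL_CALL = [("S", "OFF-HOOK"), (">", "SEIZE"), ("<", "PROCEED-TO-SEND"),
               (">", "KP1-506-674-7575-ST"), ("<", "ANSWER"), ("<", "CLEAR BACKWARD"),
               (">", "CLEAR FORWARD"), ("<", "RELEASE GUARD"), ("S", "ON-HOOK")]
BOXED_CALL = NORMAL_CALL[:5] + [
    (">", "CLEAR FORWARD"),            # subscriber is still off-hook
    ("<", "RELEASE GUARD"),
    (">", "SEIZE"),                    # second seizure on the same call
    ("<", "PROCEED-TO-SEND"),
    (">", "KP2-44-10-602-86125-ST"),   # new, transit routing
    ("<", "ANSWER"),
]

if __name__ == "__main__":
    for name, log in (("normal", NORMAL_CALL), ("boxed", BOXED_CALL)):
        audit = audit_circuit(log)
        print(f"{name}: routings={audit.routings} findings={audit.findings}")
```

The normal log produces one terminal routing and no findings; the boxed log produces two routings (the original terminal one and a transit one) and a single re-seizure finding. The seizure counter is reset only by the subscriber's on-hook event, which is what separates a legitimate second call on a reused circuit from signalling injected into an open conversation.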
A terminal call is one that is inside of the national network that owns the trunk line. It's kind of like a local call, but fuck the regional boundaries. The format for a typical terminal call is:

   KP1 - XXXXXXX - ST

Pretty easy. Just like R1. :)

Transit calls are formatted a little differently because they obviously need more information. The format for a typical transit call is:

   KP2 - Country Code - Discriminating Digit - XXXXXXX - ST

The Discriminating Digit specifies what kind of caller you are (or in some cases your language). There are other routing formats, depending on what you want to do.

Here are some examples, just so it'll all sink in.

   * Note:  F> = Forward direction (You send it)
            R< = Backward direction (You hear it)

All examples start after a call has been placed to a C5 exchange in whatever country.

   . Type of Call:   Terminal, Automatic
     Number to call: 506-674-7575

        R< "Hello?"
        F> CLEAR FORWARD
        R< RELEASE GUARD
        F> SEIZE
        R< PROCEED-TO-SEND
        F> KP1-506-674-7575-ST

   . Type of Call:   Transit, Automatic
     Number to call: 44-602-86125

        R< "Ci?"
        F> CLEAR FORWARD
        R< RELEASE GUARD
        F> SEIZE
        R< PROCEED-TO-SEND
        F> KP2-44-10-602-86125-ST

   . Type of Call:   Terminal, Semi-automatic
     Number to call: English Code11 (Inward) Operator

        R< "Snakes Crack House, Snake speaking."
        F> CLEAR FORWARD
        R< RELEASE GUARD
        F> SEIZE
        R< PROCEED-TO-SEND
        F> KP1-2-Code11-ST

There's enough there for you to work with. Enj0y.

Other than a few technical details, you should now know enough to get started on your own. If you want more information, check out the references. Check out the next section if you want to avoid a lot of hassle.


Q & A session
-----------------

It would be really nice if everything were as easy as sending a never-changing series of tones down a line. In the real world things don't work quite as easily. The line signalling codes are VERY picky and need to be sent at exactly the right time, with the proper delays in between signals. This section will just run through a lot of common problems and their solutions.

Q. Where can I get a blue box?
A. Go download Scavenger Dialer, by Scavenger (ftp: ftp.fc.net/phrack), or write your own, or build a hardware blue box (the Jolly Box).

Q. How do I know if the number I'm calling goes through a C5 trunk?
A. Usually if you listen, you will hear weird beeps before the phone rings, when the person answers the phone, or after the called party hangs up. These noises are actually signals being sent in the reverse direction.

Q. Why can't I just blast tones, and how do I find the freqs?
A. The breaking-freqs of blue boxing are a lot like k0d3z to wAReZ k1dz. Trading is a good way to get them, but you can also scan them. Typically the timings will be:

                Clear Forward | Seize
      Length:       150ms     +  150ms
                              |
      Delay:                 10ms
                              |

   When scanning, just adjust your timings by about 10 ms. The lengths of Clear Forward, Delay, and Seize are all variable.

Q. I'm positive I'm sending the right tones with the right freqs. Why isn't anything working?
A. Sound quality is a big issue too. The tones are picked up by energy level, which means that they are volume sensitive. Too much volume, too much energy. Too little volume, not enough energy. It wouldn't be a problem if you could send tones DIRECTLY to the incoming exchange, but the call is really routed through 2 national networks (outgoing and incoming) over a potentially crappy multiplexed wire, and through a middle transit international exchange. Sometimes the connections are so poor you just have to hang up (this is rare). Remember that the countries you are calling are only set up this way because it's affordable. For instance, Iceland has mechanical switching equipment handling a certain Canada-Iceland trunk. If you send signals quick enough, you'll actually knock their equipment out of whack, and shut down the trunk until someone manually puts the thing back on track. :) Just an example of the kind of conditions you can expect.
   If you're playing the tones into a phone, make sure your phone has excellent reception (Northern Telecom Harmonys are perfect), and use a small, high-quality earphone. If you pump the tones into the wire, make sure you get rid of any noise.

Q. I hear the release guard, but I can't seize. What's wrong?
A. You probably got your volume screwed, the timings wrong, or your tones aren't pure enough.

Q. I only use cellular. Can I still box?
A. It IS possible to box over a cell phone. I've never done it myself, but I know someone who has gotten it to work (after considerable effort).

Q. Why can't I call my pals back in the US?
A. Routing is an interesting problem. Not every trunk is allowed to route everywhere. Sometimes you can only call certain countries, and sometimes you can't call any (other than terminal). Some require a routing code, some don't. If you can dial transit calls to a limited number of countries, start playing with multiple seizures.

Q. What are multiple seizures?
A. You call one country, box to another, seize the new country, call another, etc... It's like finding a path through various countries to make it to your destination.

Q. Damn AT&T. Filtering my line. I'm gonna sue, but until then, what?
A. If your tones are being filtered by your telco, then add some noise. You'll need to find that small window that makes your tones valid enough to signal, yet bogus enough to pass the filters. There are many methods of doing this.

   . Add side tones
   . Don't use
   . Constantly adjust your volume (to generate a warbling effect).

Q. I have a big hack coming up, and I really DON'T want to get caught. How can I maximize my chances of success via the blue box?
A. The answer to that is politics. :) Go through countries that are on not-so-friendly terms with each other. If the "attacked" country can't find out where the call came from because the country that handled the call refuses to cooperate, what can they do?


Tables and Charts
-----------------

Here's all of the info you need.
CCITT System 5 Line Signals

   Signal            Frequency (Hz)
   ------------------+--------------
   Seizure           2400             *
   Clear Forward     2600 + 2400      *
   Clear Backward    2600
   Proceed-to-Send   2600
   Release Guard     2400 + 2600      *

   * Signals relevant to this file. There are more signals, but you can look them up yourself if you're really interested.

CCITT System 5 Interregister MF Signals

   Signal            Frequency (Hz)
   ------------------+--------------
   KP1 (term)        1100 + 1700
   KP2 (trans)       1300 + 1700
   Digit 1            700 +  900
         2            700 + 1100
         3            900 + 1100
         4            700 + 1300
         5            900 + 1300
         6           1100 + 1300
         7            700 + 1500
         8            900 + 1500
         9           1100 + 1500
         0           1300 + 1500
   Code11             700 + 1700
   Code12             900 + 1700
   ST (end)          1500 + 1700


List of Home Country Directs
-------------------------------

   Australia Direct      800-682-2878
   Austria Direct        800-624-0043
   Belgium Direct        800-472-0032
   Belize Direct         800-235-1154
   Bermuda Direct        800-232-2067
   Brazil Direct         800-344-1055
   British VI Direct     800-248-6585
   Cayman Direct         800-852-3653
   Chile Direct          800-552-0056
   China Direct          800-532-4462
   Costa Rica Direct     800-252-5114
   Denmark Direct        800-762-0045
   El Salvador Direct    800-422-2425
   Finland Direct        800-232-0358
   France Direct         800-537-2623
   Germany Direct        800-292-0049
   Greece Direct         800-443-5527
   Guam Direct           800-367-4826
   HK Direct             800-992-2323
   Hungary Direct        800-352-9469
   Indonesia Direct      800-242-4757
   Ireland Direct        800-562-6262
   Italy Direct          800-543-7662
   Japan Direct          800-543-0051
   Korea Direct          800-822-8256
   Macau Direct          800-622-2821
   Malaysia Direct       800-772-7369
   Netherlands Direct    800-432-0031
   Norway Direct         800-292-0047
   New Zealand Direct    800-248-0064
   Portugal Direct       800-822-2776
   Panama Direct         800-872-6106
   Philippines Direct    800-336-7445
   Singapore Direct      800-822-6588
   Spain Direct          800-247-7246
   Sweden Direct         800-345-0046
   Taiwan Direct         800-626-0979
   Thailand Direct       800-342-0066
   Turkey Direct         800-828-2646
   UK Direct             800-445-5667
   Uruguay Direct        800-245-8411
   Yugoslavia Direct     800-367-9841 / 9842

   * Thanks to the Phone Company for bringing us this file


Conclusion
------------

I hope I've answered some of the more common questions relating to signalling. My intent was to provide an introduction to signalling. If you found this file useful, please pass it along. If you think it sucks, write a better one.

-LineMan

Greets go out to:

   All 9X members  -- W3rD up!
   Cartel Members  -- R0q 0n, b-ware the Delta
   Scavenger       -- You have the best dialer in t0wn.
   Substance       -- Ewe n33d some hash.
   SL              -- Good luck...
   Sl0ppy          -- ph3aR the GPk ph0Rc3z
   QwiK            -- Yo.
   B??36, Virus    -- I got a job :)
   Bspline         -- Hi
   TelcoNigga      -- Wassup
   The Kansas Crew -- Y0, I will visit!@#
   BlackHeart      -- Get a k0mpUd3r.
   WildMan         -- Java!@

"He who claims to know everything, knows the least of all; for he is not aware of that which he does not know."