
STATION ID - 7047/3.

12
9x Datakit Network
FOR OFFICIAL USE ONLY
This is a 9x system, restricted to authorized persons and for
official 9x business only. Anyone using this system, network or data
is subject to being monitored at any time for system administration and
for identifying unauthorized users or system misuse. Anyone using this
system expressly consents to such monitoring and is advised that any
evidence of criminal activity revealed through such monitoring may be
provided to law enforcement for prosecution.

*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*
[9x]                                                [9x]
[9x]            I N T R O D U C T I O N             [9x]
[9x]                      T O                       [9x]
[9x]             B L U E   B O X I N G              [9x]
[9x]                      B Y                       [9x]
[9x]             L I N E M A N, 1 9 9 6             [9x]
[9x]                                                [9x]
*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*[9x]*

Intro
----------------
Y0, this is an intro to blue boxing in the 90's. I don't claim
to be an expert, or an authority on the topic of international or regional
signalling, just someone interested. The information provided in this
file is not illegal. Almost all of it is publicly available.

*** NOTICE ***
This is not meant to be a comprehensive guide to C5, R1 or any
other form of signalling. Treat it as an introduction. There is a lot
of information I have not included, because a) It would be confusing,
and b) It's not important. I'd like to stress that a lot of my examples
have been OVER SIMPLIFIED for convention. I have included a list of references
that you should probably check out if you're interested. This info is/was
publicly available at most quality libraries. Fr3e inph0 4 aLl.
As with all things of a suspicious nature, you will eventually get
caught. How long you go without getting caught depends on skill, precaution,
and luck.
Generally, Wut iZ Signalling
----------------
Signalling is the term used to describe how telecommunication
networks communicate with each other. There are many types of signalling,
including DC Pulsing (like on a rotary-fone) and even DTMF. Dialing
a phone number is actually a form of signalling called subscriber line
signalling.
Telephone networks communicate via special "lines", connecting each other
up, called Trunks. Information about a call, and in some cases the
conversation, is passed through a trunk line to the called network. The
called end gathers the signalling information, manipulates some hardware,
and voila- a call is made. If the called line is busy etc.. then the
called end signals back to the calling system, and the caller gets a busy
signal.

That's way over simplified, (and somewhat incorrect) but I'll explain more as
I go. Until then, here is an analogy. :)

Trunk lines are like Bridges (the kind you drive over). Instead of running
many small bridges to various locations, one large bridge is built in a
convenient spot. Even though there is only one bridge, it's big and handles
lots of traffic, effectively connecting two sections of town. :)

The one signalling system I will discuss is: CCITT5. It is still possible
to use other systems (Like R1), but most people won't be able to find them.

CCITT5 (C5) is an international Signalling system. It was designed for
handling international calls going over the trans-atlantic cables. It's
still widely used in many South American, Caribbean, Asian and poorer
countries. Slowly, it's dying out.

C5 is a standard protocol set by the ITU (International Telecommunications
Union), formerly known as the CCITT (International Telegraph and Telephone
Consultative Committee). They set communication standards and publish lots of
documentation about the aforementioned as well as various other
communications related topics.
More about Signalling
----------------
As is with most things, it's kind of necessary to understand a bit about
the system you will be (ab)using. In the following sections, I'll describe
Trunk Lines, terminal and transit networks, line signalling, and
interregister signalling.
Trunk Lines
----------------
A trunk line is a circuit that connects two (2) networks together. You
may already be familiar with the trunk lines running between CO's.
For C5, however, the trunk lines will be the ones that connect transit
(international) networks to terminal (national) networks in distant countries.

For our C5 purposes, an International trunk will look like this:

 __________                                    __________
| OUTGOING |=>====>====> FORWARD >====>====>==| INCOMING |
| EXCHANGE |                                  | EXCHANGE |
|__________|==<====<=== BACKWARD =<====<====<=|__________|
  (Caller)                                     (Receiver)

Signals sent in the forward direction go from the caller's
end to the recipient's end, and the opposite goes for the backward
direction.

For C5 this is not completely accurate. In reality it's not the outgoing
exchange that sends the C5 signalling info to the incoming exchange; it's
really an international "gateway" at the transit (national) exchange that
sends the C5 info to the incoming transit exchange. Go see the references if
you really care.

Signals are really just audio noises (like beeps) that represent certain
"commands" (line signalling) and "parameters" (interregister signalling)
to be issued to the routing/switching equipment. The signalling
hardware picks these signals up by looking for characteristic energy levels.
At the end of this file (amongst the other tables) you will find a list
of signals, and their frequencies.
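
The energy test described above can be sketched with the Goertzel algorithm, used here as a guard on the subscriber leg that reports frames carrying the two C5 line-signal frequencies (2400 and 2600 Hz, per the table at the end of this file). This is an added example, not part of the original file; the 8 kHz rate, 20 ms frame, energy floor and all function names are assumptions.

```python
import math

RATE = 8000                  # samples/s; assumed 8 kHz telephony sampling
FRAME = 160                  # 20 ms frame, so bins fall on multiples of 50 Hz
LINE_FREQS = (2400, 2600)    # line-signal frequencies from the file's table


def goertzel_power(samples, freq, rate=RATE):
    """Squared magnitude of the `freq` component (Goertzel recurrence)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def line_tones_present(samples, floor=1000.0):
    """Line frequencies whose energy in this frame exceeds `floor`."""
    return tuple(f for f in LINE_FREQS if goertzel_power(samples, f) > floor)


def constructed_frame(parts, n=FRAME, rate=RATE):
    """Test input only: sum of sines given as (freq_hz, amplitude) pairs."""
    return [sum(a * math.sin(2 * math.pi * f * i / rate) for f, a in parts)
            for i in range(n)]


def guard_report(frames):
    """Map each named subscriber-leg frame to the line tones found in it."""
    return {name: line_tones_present(s) for name, s in frames.items()}


# Constructed frames: a compound line tone, a speech-band mix, a faint tone.
SAMPLES = {
    "compound": constructed_frame([(2400, 0.5), (2600, 0.5)]),
    "speech_band": constructed_frame([(500, 0.5), (1000, 0.5)]),
    "faint": constructed_frame([(2600, 0.05)]),
}

if __name__ == "__main__":
    for name, tones in guard_report(SAMPLES).items():
        print(f"{name:12s} line tones above floor: {tones or 'none'}")
```

The faint frame falls below the floor and is not reported, which is the volume sensitivity the file describes: the receiver decides on energy alone and has no way to tell who put that energy on the line.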
The trunk lines not only transmit signalling information, they also
transmit your conversation. So, when you make a call over one of these
trunks you have access to more than a friendly voice. :) I once wondered
why in the hell anyone would ever do such a stupid thing, but the answer
is simple. With the volume of traffic going overseas, and the cost of
the cable, equipment, boats, crew and design, the profit for using a single
line to handle both signalling and voice easily outweighs the amount of
"potential" loss due to fraud or bad connections. No one really cares.

If you're wondering how you're going to find a C5 trunk and access it for
free, then stop. It's really simple. Home Country Directs take care of it
for you. You just dial an 800/888 that's connected to another country.
I've included an older list of HCD's accessible from Canada at the end
of this file.
Some terms you should know:
Terminal -- National
Transit -- International
Line Signalling
----------------
This really only applies to C5, because R1 uses 2600Hz to sequentially
determine the state of line conditions.
Line signalling issues commands/responses that mess with the actual
connection of the line. Answer, Busy-Flash, Clear Forward and Clear Back
are all Line Signals. Though you only need to know about Clear Forward
for now, I'll give you a brief definition of the above.
Answer:          This is a signal sent in the backward direction to indicate
                 that a connection has been established to the called party
                 and appropriate action (like billing) should begin.
Busy:            This is a signal sent in the backward direction to indicate
                 that the called party's line is not available. This doesn't
                 always mean the line is busy, it just means you can't talk
                 to them right yet.
Clear Forward:   This is a signal, sent in the forward direction to tell
                 the incoming exchange to kill the current interregister
                 connection. It's pretty much the same thing as hanging up.
                 Sort of. :) (See clear backward)
Clear Backward:  This is a signal, sent in the backward direction, to tell
                 the outgoing exchange to clear the current interregister
                 connection (disconnect the call from the [inter]national
                 network). To you, it's almost useless.
Proceed-to-send: A signal sent in response to a seize, by the incoming
                 exchange, indicating that it is ready to receive
                 interregister (routing) information.
Release Guard:   A signal sent in the backward direction indicating
                 that the circuit is free at the incoming end.
Seize:           A signal sent in the forward direction to prepare the
                 incoming exchange for a call.

There are a lot of other line signals, but you'll have to look at the
references for those. The big ones to pay attention to now are Seize,
Release Guard, Clear Forward and Proceed-to-send.
To best describe the operation of line signalling, I'll use an example
of a call from John Smith in Albany, NY to a Johan Smitelly in Greece.
> = forward direction
< = backward direction

J.Smith: Dials Greece --+ Call is routed from the US to Greece.
                        |
                        |
                        |
                     1. >US: SEIZE
                     2. <GR: PROCEED-TO-SEND
                     3. >US: KP1-XXXXXXX-ST (Interregister, more later)
                     4. <GR: "Ring-Ring"
                     5. <GR: ANSWER
                        |
                        |
                        |
          "Worst pot I've ever smoked!, Damn yank!!"
                   (Greece Hangs Up)
                        |
                     6. <GR: CLEAR BACKWARD
                     7. >US: CLEAR FORWARD

1. US takes hold of a line
2. Greece says Okay, where to?
3. US says "Terminal call, XXXXXXXX, go"
4. Ring
5. Greece says - "Hey! America, start billing your subscriber."
6. Greece tells America to let go of their circuit.
7. America says let go of yours.
The call is over.

And that's pretty much it. After the clear forward the whole process
starts over again.
As a blue boxer, you must: Terminate your current call (with a Clear Forward)
                           Take control of a circuit (With a Seizure)
                           Send your NEW routing info (KPX-XXXXXXXX-ST)

The incoming exchange will respond with all of the appropriate tones, because
it thinks you're signalling equipment.
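
Seen from the outgoing gateway, the sequence above leaves a trace: the incoming exchange answers with RELEASE GUARD and PROCEED-TO-SEND that the gateway's own sender never asked for. The following added example (not part of the original file) audits a per-trunk event log for exactly that; the GW/BWD log format, the audit() helper and both traces are constructed for illustration.

```python
# Added example: audit one trunk's line-signal log at the outgoing gateway.
#   GW  = line signal this gateway's own sender put on the trunk (forward)
#   BWD = line signal received from the incoming exchange (backward)
# Tones played into the speech path by a subscriber never appear as GW events.
# The log format and names below are assumptions, not from the original file.

# Backward responses and the forward signal that legitimately solicits each.
SOLICITED_BY = {"PROCEED-TO-SEND": "SEIZE", "RELEASE GUARD": "CLEAR FORWARD"}


def audit(trace):
    """Return alerts for backward responses the gateway never asked for."""
    pending = None     # forward line signal still waiting for its response
    answered = False   # True from ANSWER until the circuit is released
    alerts = []
    for i, (src, sig) in enumerate(trace, 1):
        if src == "GW":
            if sig in SOLICITED_BY.values():
                pending = sig
            continue
        if sig == "ANSWER":
            answered = True
        elif sig in SOLICITED_BY:
            if pending == SOLICITED_BY[sig]:
                pending = None
                if sig == "RELEASE GUARD":
                    answered = False
            else:
                phase = "answered call" if answered else "setup"
                alerts.append(f"event {i}: unsolicited {sig} during {phase}")
    return alerts


# Constructed trace 1: the call from the walk-through, cleared normally.
NORMAL = [
    ("GW", "SEIZE"), ("BWD", "PROCEED-TO-SEND"), ("GW", "KP1-XXXXXXX-ST"),
    ("BWD", "ANSWER"), ("BWD", "CLEAR BACKWARD"), ("GW", "CLEAR FORWARD"),
    ("BWD", "RELEASE GUARD"),
]
# Constructed trace 2: same call, but the far end releases and re-arms the
# circuit mid-call although this gateway sent neither CLEAR FORWARD nor SEIZE.
IN_BAND = [
    ("GW", "SEIZE"), ("BWD", "PROCEED-TO-SEND"), ("GW", "KP1-XXXXXXX-ST"),
    ("BWD", "ANSWER"), ("BWD", "RELEASE GUARD"), ("BWD", "PROCEED-TO-SEND"),
]

if __name__ == "__main__":
    for name, trace in (("NORMAL", NORMAL), ("IN_BAND", IN_BAND)):
        print(name, audit(trace) or "clean")
```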
And this brings me into interregister signalling.
Interregister Signalling
----------------
You learned how to take control of a line (with Line Signalling), but
you still don't know how to do anything with that line. That's where
Interregister signalling comes into play. Interregister signalling is the
process of actually routing your call (telling it where to go). The cool
thing is that you can make your call go ANYWHERE (theoretically),
give yourself a higher priority than a regular caller, and gain access to
numbers that you can't get to through the regular telephone network.
Here are a few terms you will need to know:
KP1: Indicates the beginning of a terminal (national) routing.
KP2: Indicates the beginning of a transit (international) routing.
ST: Indicates the end of a routing.

I'll start with terminal calls.
A terminal call is one that is inside of the national network that owns the
trunk line. It's kind of like a local call, but fuck the regional boundaries.
The format for a typical terminal call is:
KP1 - XXXXXXX - ST
Pretty easy. Just like R1. :)
Transit calls are formatted a little different because they obviously need
more information. The format for a typical transit call is:
KP2 - Country Code - Discriminating Digit - XXXXXXX - ST
The Discriminating Digit specifies what kind of caller you are
(or in some cases your language).
There are other routing formats, depending on what you want to do. Here
are some examples, just so it'll all sink in.
* Note:
F> = Forward direction (You send it)
R< = Backward direction (You hear it)
All examples start after a call has been placed to a C5 Exchange
in whatever country.

. Type of Call: Terminal, Automatic
  Number to call: 506-674-7575
  R< "Hello?"
  F> CLEAR FORWARD
  R< RELEASE GUARD
  F> SEIZE
  R< PROCEED-TO-SEND
  F> KP1-506-674-7575-ST

. Type of Call: Transit, Automatic
  Number to Call: 44-602-86125
  R< "Ci?"
  F> CLEAR FORWARD
  R< RELEASE GUARD
  F> SEIZE
  R< PROCEED-TO-SEND
  F> KP2-44-10-602-86125-ST

. Type of Call: Terminal, Semi-automatic
  Number to Call: English Code11(Inward) Operator
  R< "Snakes Crack House, Snake speaking."
  F> CLEAR FORWARD
  R< RELEASE GUARD
  F> SEIZE
  R< PROCEED-TO-SEND
  F> KP1-2-Code11-ST

There's enough there for you to work with. Enj0y. Other than a few
technical details, you should now know enough to get started on your own.
If you want more information, check out the references. Check out the
next session if you want to avoid a lot of hassle.

Q & A session
----------------
It would be really nice if everything were as easy as sending a never-changing
series of tones down a line. In the real world things don't work quite as
easily. The line signalling codes are VERY picky and need to be sent at
exactly the right time, with the proper delays in between signals.
This section will just run through a lot of common problems and their
solutions.
Q. Where can I get a blue box?
A. Go download Scavenger Dialer, By Scavenger
ftp: ftp.fc.net/phrack
or
Write your own
or
Build a hardware bluebox (The Jolly Box)
Q. How do I know if the number I'm calling goes through a C5 trunk?
A. Usually if you listen, you will hear weird beeps before the phone
rings, when the person answers the phone, or after the called party
hangs up. These noises are actually signals being sent in the
reverse direction.
Q. Why can't I just blast tones, and how do I find the freq's??
A. The breaking-freq's of Blue boxing are a lot like k0d3z to wAReZ k1dz.
Trading is a good way to get them, but you can also scan them. Typically
the timings will be:

    Length:  Clear Forward 150ms  |  Seize 150ms
    Delay:   10ms

When scanning, just adjust your timings by about 10 ms. The lengths
of Clear Forward, Delay, and Seize are all variable.

Q. I'm positive I'm sending the right tones with the right freqs.
Why isn't anything working?
A. Sound quality is a big issue too. The tones are picked up by energy level,
which means that they are volume sensitive. Too much volume, too much
energy. Too little volume, not enough energy. It wouldn't be a problem
if you could send tones DIRECTLY to the incoming exchange, but the call
is really routed through 2 national networks (outgoing and incoming)
over a potentially crappy multiplexed wire, and through a middle
transit international exchange. Sometimes the connections are so poor
you just have to hang-up (this is rare). Remember that the countries
you are calling are only setup this way because it's affordable.
For instance- Iceland has mechanical switching equipment handling a certain
Canada-Iceland trunk. If you send signals quick enough, you'll actually
knock their equipment out of whack, and shut down the trunk until someone
manually puts the thing back on track. :) Just an example of the kind of
conditions you can expect.
If you're playing the tones into a phone, make sure your phone has excellent
reception (Northern Telecom's Harmonys are perfect), and use a small,
high-quality earphone.
If you pump the tones into the wire, make sure you get rid of any noise.
Q. I hear the release guard, but I can't seize. What's wrong?
A. You probably got your volume screwed, the timings wrong, or your
tones aren't pure enough.
Q. I only use Cellular. Can I still box?
A. It IS possible to box over a cell phone. I've never done it myself, but
I know someone who has gotten it to work (after considerable effort)
Q. Why can't I call my pals back in the US?
A. Routing is an interesting problem. Not every trunk is allowed to route
everywhere. Sometimes you can only call certain countries, and sometimes
you can't call any (other than terminal). Some require a routing code,
some don't. If you can dial transit calls to a limited number of countries,
start playing with multiple seizures.
Q. What are multiple Seizures?
A. You call one country, box to another, seize the new country, call
another, etc... It's like finding a path through various countries
to make it to your destination.
Q. Damn AT&T. Filtering my line. I'm gonna sue, but until then, what?
A. If your tones are being filtered by your telco, then add some noise.
You'll need to find that small window that makes your tones valid enough
to signal, yet bogus enough to pass the filters. There are many
methods to doing this.
. Add side tones
. Dont use
. Constantly adjust your volume (to generate a warbling effect).
Q. I have a big hack coming up, and I really DON'T want to get caught.
How can I maximize my chances of success via the Blue box?
A. The answer to that is politics. :) Go through countries that are
on not-so-friendly terms with each other. If the "attacked" country
can't find out where the call came from because the country that handled
the call refuses to cooperate, what can they do?
Tables and Charts
----------------
Here's all of the info you need.

CCITT system 5 Line Signals

Signal          | Frequency(Hz)
----------------+---------------
Seizure         | 2400 *
Clear Forward   | 2600 + 2400 *
Clear Backward  | 2600
Proceed-to-Send | 2600
Release guard   | 2400 + 2600

* Signals relevant to this file. There are more signals, but you can
  look them up yourself if you're really interested.

CCITT system 5 Interregister MF Signals

Signal      | Frequency(Hz)
------------+--------------
KP1 (term)  | 1100 + 1700
KP2 (trans) | 1300 + 1700
Digit 1     |  700 + 900
      2     |  700 + 1100
      3     |  900 + 1100
      4     |  700 + 1300
      5     |  900 + 1300
      6     | 1100 + 1300
      7     |  700 + 1500
      8     |  900 + 1500
      9     | 1100 + 1500
      0     | 1300 + 1500
Code11      |  700 + 1700
Code12      |  900 + 1700
ST (end)    | 1500 + 1700

List of Home Country Directs
------------------------------
Australia Direct      800-682-2878
Austria Direct        800-624-0043
Belgium Direct        800-472-0032
Belize Direct         800-235-1154
Bermuda Direct        800-232-2067
Brazil Direct         800-344-1055
British VI Direct     800-248-6585
Cayman Direct         800-852-3653
Chile Direct          800-552-0056
China Direct          800-532-4462
Costa Rica Direct     800-252-5114
Denmark Direct        800-762-0045
El Salvador Direct    800-422-2425
Finland Direct        800-232-0358
France Direct         800-537-2623
Germany Direct        800-292-0049
Greece Direct         800-443-5527
Guam Direct           800-367-4826
HK Direct             800-992-2323
Hungary Direct        800-352-9469
Indonesia Direct      800-242-4757
Ireland Direct        800-562-6262
Italy Direct          800-543-7662
Japan Direct          800-543-0051
Korea Direct          800-822-8256
Macau Direct          800-622-2821
Malaysia Direct       800-772-7369
Netherlands Direct    800-432-0031
Norway Direct         800-292-0047
New Zealand Direct    800-248-0064
Portugal Direct       800-822-2776
Panama Direct         800-872-6106
Philippines Direct    800-336-7445
Singapore Direct      800-822-6588
Spain Direct          800-247-7246
Sweden Direct         800-345-0046
Taiwan Direct         800-626-0979
Thailand Direct       800-342-0066
Turkey Direct         800-828-2646
UK Direct             800-445-5667
Uruguay Direct        800-245-8411
Yugoslavia Direct     800-367-9841 / 9842

* Thanks to the Phone Company for bringing us this file

Conclusion
-----------
I hope I've answered some of the more common questions relating to signalling.
My intent was to provide an introduction to signalling. If you found this
file useful, please pass it along. If you think it sucks, write a better
one.
-LineMan
Greets go out to:
All 9X members -- W3rD up!
Cartel Members -- R0q 0n, b-ware the Delta

Scavenger
Substance
SL
Sl0ppy
QwiK
Virus
Bspline
TelcoNigga
The Kansas Crew
BlackHeart
WildMan

------------

You have the best dialer in t0wn.


Ewe n33d some hash.
Good luck...
ph3aR the GPk ph0Rc3z
Yo. B??36, <letorp>
I got a job :)
Hi
Wassup
Y0, I will visit!@#
Get a k0mpUd3r.
Java!@

"He who claims to know everything, knows the least of
all; for he is not aware of that which he does not know."
