Hackers Underworld 2: Forbidden Knowledge

home *** CD-ROM | disk | FTP | other *** search

/ Hackers Underworld 2: Forbidden Knowledge / Hackers Underworld 2: Forbidden Knowledge.iso / PHREAK / PKMANUAL.5 < prev next >

Wrap

Text File | 1994-07-17 | 92KB | 1,982 lines

In this situation it would be realistic to say that CO2 uses SF in-band Page 132 The Official Phreaker's Manual (2600Hz) signalling, while all the others use out-of-band signalling (3700Hz). If you don't understand this, don't worry too much. I am pointing this out merely for the sake of accuracy. The point is that while you are connected to 806-258-1234, all those trunks from YOUR central office (CO1) to the 806-258 central office (CO2) do *NOT* have 2600Hz on them, indicating to the Bell equipment that a call is in progress and the trunks are in use. Now let's say you're tired of talking to your friend in Amarillo (806-258-1234) so you send a 2600Hz down the line. This tone travels down the line to your friend's central office (CO2) where it is detected. However, that CO thinks that the 2600Hz is originating from Bell equipment, indicating to it that you've hung up, and thus the trunks are once again idle (with 2600Hz present on them). But actually, you have not hung up, you have fooled the equipment at your friend's CO into thinking you have. Thus,it disconnects him and resets the equipment to prepare for the next call. All this happens very quickly (300-800ms for step-by-step equipment and 150-400ms for other equipment). When you stop sending 2600Hz (after about a second), the equipment thinks that another call is coming towards it (e.g. it thinks the far end has come "off-hook" since the tone has stopped. It could be thought of as a toggle switch: tone --> on hook, no tone -->off hook. Now that you've stopped sending 2600Hz, several things happen: 1) A trunk is seized. 2) A "wink" is sent to the CALLING end from the CALLED end indicating that the CALLED end (trunk) is not ready to receive digits yet. 3) A register is found and attached to the CALLED end of the trunk within about two seconds (max). 4) A start-dial signal is sent to the CALLING end from the CALLED end indicating that the CALLED end is ready to receive digits. Now, all of this is pretty much transparent to the blue boxer. All he really hears when these four things happen is a <beep><kerchunk>. So, seizure of a trunk would go something like this: 1> Send a 2600Hz 2> Terminate 2600Hz after 1-2 secs. 3> [beep][kerchunk] Once this happens, you are connected to a tandem that is ready to obey your every command. The next step is to send signalling information in order to place your call. For this you must simulate the signalling used by operators and automatic toll-dialing equipment for use on trunks. There are mainly two systems, DP and MF. However, DP went out with the dinosaur , so I'll only discuss MF signalling. MF (multi-frequency) signalling is the signalling used by the majority of the inter- and intra-lata network. It is also used in international dialing known as the CCITT no.5 system. MF signalling consists of 7 frequencies, beginning with 700Hz and separated by 200Hz. A different set of two of the 7 frequencies represent the digits 0 thru 9, plus an additional 5 special keys. The frequencies and uses are as follows: Frequencies (Hz) Domestic Int'l Page 133 The Official Phreaker's Manual -------------------------------------- 700+900 1 1 700+1100 2 2 900+1100 3 3 700+1300 4 4 900+1300 5 5 1100+1300 6 6 700+1500 7 7 900+1500 8 8 1100+1500 9 9 1300+1500 0 0 700+1700 ST3p Code 11 900+1700 STp Code 12 1100+1700 KP KP1 1300+1700 ST2p KP2 1500+1700 ST ST The timing of all the MF signals is a nominal 60ms, except for KP, which should have a duration of 100ms. There should also be a 60ms silent period between digits. This is very flexible, however, and most Bell equipment will accept outrageous timings. In addition to the standard uses listed above, MF pulsing also has expanded usages known as "expanded inband signalling" that include such things as coin collect, coin return, ringback, operator attached, and operator released. KP2, code 11, and code 12 and the ST_ps (STart "primes") all have special uses which will be mentioned only briefly here. To complete a call using a blue box, once seizure of a trunk has been accomplished by sending 2600Hz and pausing for the <beep><kerchunk>, one must first send a KP. This readies the register for the digits that follow. For a standard domestic call, the KP would be followed by either 7 digits (if the call were in the same NPA as the seized trunk) or 10 digits (if the call were not in the same NPA as the seized trunk). [Exactly like dialing a normal fone call]. Following either the KP and 7 or 10 digits, a STart is sent to signify that no more digits follow. Example of a complete call: 1> Dial 1-806-258-1234 2> wait for a call-progress indication (such as ring, busy, recording, etc.) 3> Send 2600Hz for about 1 second. 4> Wait for about 2 seconds while a trunk is seized. 5> Send KP+305+994+9966+ST The call will then connect if every-thing was done properly. Note that if a call to an 806 number were being placed in the same situation, the area code would be omitted and only KP+ seven digits+ST would be sent. Code 11 and code 12 are used in international calling to request certain types of operators. KP2 is used in international calling to route a call other than by way of the normal route, whether for economic or equipment reasons. STp, ST2p, and ST3p (prime, two prime, and three prime) are used in TSPS signalling to indicate calling type of call (such as coin-direct dialed). This has been Part I of Better Homes and Blue Boxing. I hope you enjoyed and learned from it. If you have any questions, comments, threats or insults, please fell free to drop me a line. If you have noticed any errors in this text (yes, it does happen), please let me know and perhaps a correction will be in Page 134 The Official Phreaker's Manual order. Part II will deal mainly with more advanced principles of blue boxing, as well as routings and operators. Note 1: other highly trunkable areas include: 816,305,813,609,205. I personally have excellent luck boxing off of 609-953-0000. Try that if you have any trouble. Page 135 The Official Phreaker's Manual =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Better Homes and Blue Boxing Part II Practical Applications =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- (It is assumed that the reader has read and understood Part I of this series). The essential purpose of blue boxing in the beginning was merely to receive toll services free of charge. Though this can still be done, blue boxing has essentially outlived its usefulness in this area. Modern day "extenders" and long distance services provide a safer and easier way to make free fone calls. However, you can do things with a blue box that just can't be done with anything else. For ordinary toll-fraud, a blue box is impractical for the following reasons: 1. Clumsy equipment required (blue box or equivalent) 2. Most boxed calls must be made through an extender. Not for safety reasons, but for reasons I'll explain later. 3. Connections are often sacrificed because considerable distances must be dialed to cross a seizable trunk, in addition to awkward routing. As stated in reason #2, boxed calls are usually made through an extender. This is for billing reasons. If you recall from Part i, 2600Hz is used as a "supervisory" signal. That is, it signals the status of a trunk--"on-hook" or "off-hook." When you seize a trunk (by briefly sending 2600Hz), your end (the CALLING end) goes on hook for the duration of the 2600Hz and then goes off-hook once again when the 2600Hz is terminated. The CALLED end recognizes that a call is on the way and attaches a register, which interprets the digits which are to be sent. Now, understand that even though your end has come off-hook (no 2600Hz present), the other end is still on-hook. You may wonder then, why, if the other end (the CALLED end) is still on-hook, there is no 2600Hz coming the other way on the trunk, when there should be. This is correct. 2600Hz *IS* present on the trunk when you seize it and afterwards, but you cannot hear it because of a Band Elimination Filter (BEF) at your central office. Back to the problem. Remember that when you seize a trunk, 2600Hz is indeed coming the other way on the trunk because the CALLED end is still on-hook, but you don't actually hear it because of a filter. However, the Bell equipment knows it's there (they can "hear" it). The presence of the 2600Hz is telling the billing equipment that your call has not yet been completed (i.e., the CALLED end is still on-hook). When finally you do connect with your boxed call, the 2600Hz from the called end terminates. This tells the billing equipment that someone picked up the fone at the CALLED end and you should begin to be billed. So you do start to get billed, but for the call to the trunk, NOT the boxed call. Your billing equipment thinks that you've connected with the number you used to seize the trunk. Illustration: 1. You call 1+806-258-2222 (directly) 2. Status of trunks: <-----------------------------------> (You) 806-258-2222 No 2600Hz-------> <------------2600Hz When you seize a trunk (before the number you called answers) there is no Page 136 The Official Phreaker's Manual affect on your billing equipment. It simply thinks that you're still waiting for the call to complete (the CALLED end is still on-hook; it is ringing, busy, going to recorder or intercept operator. Now, let's say that you've seized a trunk (806-258-2222) and for example, KP+314+949+1705+ST. The call is routed from the tandem you seized to: 314-949-1705. Illustration: <------------------>O<---------------> (You) 806 314-949 tandem No 2600Hz----------> <----------2600Hz Note that the entire path towards the right (the CALLED end) has no 2600Hz present and is therefore "off-hook." The entire path towards the left (the CALLING end) does have 2600Hz present on it, indicating that the CALLED end has not picked up (or come "off-hook"). When 314-949-1705 answers, "answer supervision" is given and the 2600Hz towards the left (the CALLING end) terminates. This tells your billing equipment, which thinks that you're still waiting to be connected with 806-258-2222, that you've finally connected. Billing then begins to 806-258-2222. Not exactly an auspicious beginning for an aspiring young phone phreak. To avoid this, several actions may be taken. As previously mentioned, one may avoid being charged for the number called to seize a trunk by using an extender (in which case the extender will get billed). In some areas, boxing may be accomplished using an 800 number, generally in the format of 800-858-xxxx (many Amarillo numbers) or 800-NN2-xxxx (special intra-state class in-WATS numbers). However, boxing off of 800 numbers is impossible in many areas. In my area, Denver, I am served by #1A ESS and it is impossible for me to box off of any 800 number. Years ago, in the early days of blue boxing (before my time), phreaks often used directory assistance to box off of because they were "free" long distance calls. However, because of competitive long distance companies, directory assistance surcharges are now $0.50 in many areas. It is additionally advised that directory assistance numbers not be used to box from because of the following: Average DA calls last under 2 minutes. When you box a call, chances are that it will last considerably longer. Thus, the Bell billing equipment will make a note of calls to directory assistance that last a long time. A call to a directory assistant lasting for 4 hours and 17 minutes may appear somewhat suspicious. Although the date, time, and length of a DA call do not appear on the bill, it is recorded on AMA tape and will trip a trouble report if it were to last too long. This is how most phreaks were discovered in the old days. Also, sometimes too many calls lasting too long to one 800 number may raise a few eyebrows at the local security office. Assuming you can complete a blue box call, the following are listed routings for various Bell internal operators. These are in the format of KP+NPA+ special routing+1X1+ST, which I will explain later. The 1X1 is the actual operator routing, and NPA and NPA+ special routing are used for out-of-area code calls and out-of-area code calls requiring special routing, respectively. KP+101+ST ...... Toll test board. Page 137 The Official Phreaker's Manual KP+121+ST ...... Inward Operator. KP+131+ST ...... Directory assistance. KP+141+ST ...... was rate & route. Now only works in 312, 815, 717, and a few others. It has been replaced with a universal rate & route number 800+141+1212. KP+151+ST ...... Overseas completion operator (inbound). Works only in certain NPAs, such as 303. KP+181+ST ...... In some areas, toll station for small towns. Thus, if you seize a trunk in 806 NPA and wanted an inward (in 806), then you would dial KP+121+ST. If you wanted a 312 inward and were dialing on an 806 trunk, an area code would be required. Thus, you would dial KP+312+121+ST. Finally, some places in the network require special routing, in addition to an area code. An example is Franklin Park, Ill. It requires a special routing of 032. For this, you would dial KP+312+032+121+ST for a Franklin Park inward operator. Special routings are in the format of 0XX. They are used primarily for load balance, so that traffic flow may be evenly distributed. About half of the exchanges in the network require special routing. Note that special routings are NEVER EVER EVER used to dial normal telephone numbers, only operators. Operator functions: TOLL TEST BOARD- Generally a cordboard position that assists in trunk testing. They are not used by operators, only switchmen. INWARD- Assists the normal TSPS (0+) operator in completing calls out of the TSPS's area. Also, inwards perform emergency interrupts when the number to be interrupted is out of the area code of the original (TSPS) operator. For example, a 303 operator has a customer that needs an emergency interrupt on 215-647-6969. The 303 operator gets the routing for the inward that covers 215-647, since she cannot do the interrupt herself. The routing is found to be only 215+ (no special routing required). So, the 303 operator keys KP+215+121+ST. An inward answers and the 303 says to her, "Inward, this is Denver. I need an emergency interrupt on 215-647-6969. My customer's name is Mark Tabas." The inward will then do the interrupt (off the line, of course). If the number to be interrupted had required special routing, such as, say, 312-456-1234 (spec routing 032), then the 303 operator would dial KP+312+032+121+ST for the inward to do that interrupt. DIRECTORY ASSISTANCE- These are the normal NPA+555+1212 operators that assist customers with obtaining telefone directory listings. Not much toll-fraud potential here, except maybe $0.50. RATE AND ROUTE- These operators are reached by dialing KP+800+141+1212+ST. They assist normal (TSPS) operators with rates and routings (thus the name). The only uses I typically have for them are the following: 1. Routing- Information- In the above example, when the 303 operator needed to dial an inward that served 215-647, she needed to know if any special routing was required and, if so, what it was. Assuming she would use rate and route, she would dial them and say nicely, "Operator's route, please, for 215-647." Rate & route would respond with "215 plus." This means that the operator would dial KP+215+121+ST to reach the inward that serves 215-647. If there were special routing required, such as in 312-456, rate & route would respond with "312 plus 032 plus." In that case, the operator would dial KP+312+032+ST for the inward Page 138 The Official Phreaker's Manual that serves 312-456. It is good practice to ask for "operator's route" specifically, as there are also "numbers route" and "directory routes." If you do not specifically ask for operator's route, rate & route will generally assume that is what you want anyway. "Numbers" route refers to overseas calls. Example, you want to know how to reach a number in Geneva, Switzerland (and you already have the number). You would call routing and say "Numbers route, please, Geneva, Switzerland." The operator would respond with: "Mark 41+22. 011+041+ST (plus) 041+22" The "Mark 41+22" has to do with billing, so disregard it. The 011+041 is access to the overseas gateway (to be discussed in Part iii) and the 041+ 22+ is the routing for Geneva from the overseas sender. "Directory" routings are for directory assistance overseas. Example: you want a DA in Rome, Italy. You would call rate & route and say, "Directory routing please, for Rome, Italy." They would respond with "011+039+ST (plus) 039+1108 STart." As in the previous example, the 011+039 is access to the overseas gateway. The 039+1108 is a directory assistant in Rome. 2. Nameplace information- Rate & Route will give you the location of an NPA+ exchange. Example: "Nameplace please, for 215-648." The operator would respond with "Paoli, Pennsylvania." This isn't especially useful, since you can get the same information (legally) by dialing 0, but using rate & route is often much faster and it avoids having to hang up when you are already on a trunk. *NOTE* On Rate & Route: As a blue boxer, always ask for "IOTC" routings. (e.g., "IOTC operator's route", "IOTC numbers route", etc.) This tells them that you want cordboard-type routings, not TSPS, because a blue boxer is actually just a cordboard position (that Bell doesn't know about). OVERSEAS COMPLETION OPERATOR (inbound)- These operators (KP+151+ST) assist in the completion of calls coming in to the United States from overseas. There are KP+151+ST operators only in a few NPAs in the country (namely 303). To use one, you would seize a trunk and dial KP+303+151+ST. Then you would tell the operator, for example, "This is Bangladesh calling. I need U.S. number 215-561-0562 please." [in a broken Indian accent]. She would connect you, and the bill would be sent to Bangladesh (where I've been billing my KP+151+ST calls for two years). Other internal Bell Operators. KP+11501+ST ...... universal operator KP+11511+ST ...... conference op KP+11521+ST ...... mobile op KP+11531+ST ...... marine op KP+11541+ST ...... long distance terminal KP+11551+ST ...... time & charges op KP+11561+ST ...... hotel/motel op KP+11571+ST ...... overseas (outbound) op These 115X1 operators are identical in routing to the 1X1 operators listed previously, with one exception. If special routing is required (0XX), then the trailing 1 is left off. Examples: Page 139 The Official Phreaker's Manual A 312 universal op ... KP+312+11501+ST A Franklin Park (312-456) universal op (special routing 032 required)........ KP+312+032+1150+ST [The trailing 1 of 11501 is left off]. Purposes of 115X1 operators. UNIVERSAL- Used for collect/callback calls to coin stations. CONFERENCE- This is a cordboard conference operator who will set up a conference for a customer on a manual operation basis. MOBILE- Assists in completion of calls to mobile (IMTS) type telefones. MARINE- Assists in completion of calls to ocean going vessels. LONG DISTANCE TERMINAL- Now obsolete.Was used for completion of long distance calls. TIME & CHARGES- Will give exact costs of calls. Used to time calls and inform customer of exactly how much it cost. HOTEL/MOTEL- Handles calls to/from hotels and motels. OVERSEAS COMPLETION (outbound)- assists in completion of calls to overseas points. Only works in some, if any NPAs, because overseas assistance has been centralized to IOCC (covered in Part III). Note that all KP+1X1+ST and KP+115X1+ST operators automatically assume that you are a TSPS or cordboard operator assisting a customer with a call. DO NOT DO ANYTHING TO JEOPARDIZE THIS! If you do not know what to do, don't call these operators! Find out what to do first. This concludes Part II. There is one final part in which I will explain overseas dialing, IOCC (International Overseas Completion Centre), RQS (Rate/Quote System), and some basic scanning. Page 140 The Official Phreaker's Manual =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Better Homes and Blue Boxing Part III Advanced Signalling =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- (It is assumed that the reader has read and understood parts i & ii before proceeding to this part). In Parts I & II, I covered basic theory and domestic signalling and operators. In this part I will explain overseas direct boxing, the IOCC, the RQS, and some basic scanning methods. Overseas Direct Boxing. Calling outside of the United States and Canada is accomplished by using an "overseas gateway." There are 7 over-seas gateways in the Bell System, and each one is designated to serve a certain region of the world. To initiate an overseas call, one must first access the gateway that the call is to be sent on. To do this automatically, decide which country you are calling and find its country code. Then, pad it to the left with zeros as required so it is three digits. [Add 1, 2, or 3 zeros as required]. Examples: Luxembourg (352) is 352 (stays the same) Spain (34) becomes 034 (1 zero added) U.S.S.R. (7) becomes 007 (2 zeros added) Next, seize a trunk and dial KP+011+ CC+ST. Note that CC is the three digit padded country code that you just determined by the above method. [For Luxembourg, dial KP+011+352+ST, Spain KP+011+034+ST, and the U.S.S.R. KP+011+ 007+ST]. This is done to route you to the appropriate overseas gateway that handles the country you are dialing. Even though every gateway will allow you to dial every dialable country, it is good practice to use the gateway that is designated for the country you are calling. After dialing KP+011+CC+ST (as CC is defined above) you should be connected to an overseas gateway. It will acknowledge by sending a wink (which is audible as a <beep><kerchink> and a dial tone. Once you receive international dial tone, you may route your call one of two ways: a) as an operator-originated call, or b) as a customer-originated call. To go as a operator-originated call, key KP+ country code (NOT padded with zeros)+ city code+number+ST. You will then be connected, providing the country you are calling can receive direct-dialed calls. The U.S.S.R. is an example of a country that cannot. Example of a boxed int'l call: To make a call to the Pope (Rome, Italy), first obtain the country code, which is 39. Pad it with zeros so that it is 039. Seize a trunk and dial KP+011+039+ST. Wait for sender dial tone and then dial KP+39+6+6982+ST. 39 is the country code, 6 is the city code, and 6982 is the Pope's number in Rome. To go as an operator-originated call, simply place a zero in front of the country code when dialing on the gateway. Thus, KP+0+39+6+6982+ST would be dialed at sender dial tone. Routing your call as operator-originated does not affect much unless you are dialing an operator in a foreign country Page 141 The Official Phreaker's Manual To dial an operator in a foreign country, you must first obtain the operator routing from rate & route for that country. Dial rate & route and if you're trying to get an operator in Yugoslavia, say nicely, "IOTC Operator's route, please, for Yugoslavia." [In larger countries it may be necessary to specify a city]. Rate & route will respond with, "38 plus 11029". So, dial your overseas gateway, KP+011+038+ST, wait for sender dial tone, and key KP+0+38+11029+ST. You should then get an operator in Yugoslavia. Note that you must prefix the country code on the sender with a 0 because presumably only an operator here can dial an operator in a foreign country. When you dial KP+011+CC+ST for an overseas gateway, it is translated to a 3-digit sender code of the format 18X, depending on which sender is designated to handle the country you are dialing. The overseas gateways and their 3-digit codes are listed below. 182 ..... White Plains, NY 183 ..... New York, NY 184 ..... Pittsburg, PA 185 ..... Orlando, FL 186 ..... Oakland, CA 187 ..... Denver, CO 188 ..... New York, NY Dialing KP+182+ST would get you the sender in White Plains, and KP+183+ST would get the sender in NYC, etc., but the KP+011+CC+ST is highly suggested (as previously mentioned). To find out what sender you were routed to after dialing KP+011+CC+ST, dial (at int'l dial tone): KP+0000000+ST. If you have difficulty in reaching a sender, call rate and route and ask for a numbers route for the country you're dialing. Sometimes, KP+011+ padded country code+ST will not work. I have found this in many 3-digit country codes. Luxembourg, country code 352, for example, should be KP+011+352+ST theoretically. But it is not. In this case, dial KP+011+ 003+ST for the overseas gateway. If you have trouble, try dialing KP+00+ first digit of country code+ST, or call rate The IOCC. Sometimes when you call rate and route and ask for an "IOTC numbers route" or "IOTC operators route" for a foreign country, you will get something like "160+700" (as in the case of the Soviet Union). This means that the country is not dialable directly and must be handled through the International Overseas Completion Centre (IOCC). For an IOCC routing, pad the country code to the RIGHT with zeros until it is 3 digits. Then KP+160 is dialed, plus the padded country code, plus ST. Examples: The U.S.S.R. (7) ...... KP+160+700+ST Japan (81) ............ KP+160+810+ST Uraguay (598) ......... KP+160+598+ST You will then be routed to the IOCC in Pittsburg, PA, who will ask for country, city, and number being dialed. Many times they will ask for a ringback [thanks to Telenet Bob] so have a loop ready. They will then place the call and call you back (or sometimes put you through directly). Some calls, such as to Moscow, take several hours. The Rate Quote System (RQS). The RQS is the operator's rate/quote system. It is a computer used by TSPS Page 142 The Official Phreaker's Manual (0+) operators to get rate and route information without having to dial the rate and route operator. In Part ii, I discussed getting an inward routing for dialing-assistance and emergency interrupts from the rate and route operators (KP+800+141+1212+ST). The same information is available from RQS. Say you want the inward routing for 305-994. You would seize a trunk and dial KP+009+ST (to access the RQS). Sometimes, if you seize a trunk in an NPA not equipped with RQS, you need to dial an NPA that is equipped with RQS first, such as 303. Anyway, after you dial KP+009+ST or KP+303+009+ST, you will receive a wink (<beep><kerchink>) and then RQS dial tone. At RQS dial tone, for an inward routing for 305-994 you would dial KP+06+305+994+ST. That is, KP+06+NPA+exchange+ST. RQS will respond with "305 plus 033 plus". This means you would dial KP+305+033+121+ST for an inward that services 305-994. If no special routing were required, RQS would have responded with "305 plus" and you would simply dial: KP+305+121+ST for an inward. Another RQS feature is the echo feature. You can use it to test your blue box. Dial RQS (KP+009+ST) and then key KP+07+1234567890+ST. RQS will respond with voice identification of the digits it recognized, between the KP+07 and ST. RQS can also be used for rates and directory routings, but those are seldom needed, so they have been omitted here. Simple Scanning. If you're interested in scanning, try dialing on a trunk, routings in the format of KP+11XX1+ST. Begin with 11001 and scan to 11991. There are lots of interesting things to be found there, as Doctor Who (413 area) can tell you. Those 11XX1 routings can also be prefixed with an NPA, so if you want to scan area code 212, dial KP+212+ 11XX1+ST. There, now you know as much about blue boxing as most phreaks. If you read and understand the material, and put aside preconceived ideas of what blue boxing is that you may have acquired from inexperienced people or other bulletin boards, you should be well on you way to an enlightening career in blue boxing. If you follow the guidelines in Part I to box, you should have no problem with the fone company. Comments made by "phreaks" on bulletin boards that proclaim "tracing" of blue boxers are nonsense and should be ignored (except for a passing chuckle). NOTE 1: CCIS and the downfall of blue boxing. CCIS stands for Common Channel Inter-office Signalling. It is a signalling method used between electronic switching systems that eminiates the use of 2600Hz and 3700Hz supervisory signals, and MF pulsing. This is why many places cannot be boxed off of; they employ CCIS, or out-of-band signalling, which will not respond to any tones that you generate on the line. Eventually, all existing toll equipment will be upgraded or replaced with CCIS or T-carrier. In this case, we'll all be boxing with microwave dishes. Until then (about 1995 by current BOC/AT&T estimates), have fun! If you have ANY questions about this text, please feel free to drop me a line. I will respond to all mail, messages, etc. Insults are also welcomed. And if you discover anything interesting scanning, be sure to let me know. Mark Tabas $LOD$ Page 143 The Official Phreaker's Manual This text was prepared in full by Mark Tabas for: K.A.O.S. Philadelphia, PA. [215-465-3593]. Any sysop may freely download this text and use it on his/her BBS, provided that none of it be altered in any way. Technical acknowledgements: Karl Marx, X-Man, High-Rise Joe, Telenet Bob, Lex Luthor, TUC, John Doe, Doctor Who (413 area), The Tone Sweep, Mr. Silicon, K00L KAT, The Glump. References: 1. Notes on the BOC Intra-LATA Networks Bell System publication, 1983. 2. Notes on the Network Bell System publication, 1983. 3. Engineering and Operations in the Bell System Bell System publication, 1983. 4. Notes on Distance Dialing Bell System publication, 1968. 5. Early Medieval Architecture. ....................................... (c) February 6, 1900 Mark Tabas ....................................... Page 144 The Official Phreaker's Manual BY FRED STEINBECK (TAP #88) IT SEEMS THAT FEWER AND FEWER PEOPLE HAVE BLUE BOXES THESE DAYS, AND THAT IS REALLY TOO BAD. BLUE BOXES, WHILE NOT ALL THAT GREAT FOR MAKING FREE CALLS (SINCE THE TPC CAN TELL WHEN THE CALL WAS MADE, AS WELL AS WHERE IT WAS TOO AND FROM), ARE REALLY A LOT OF FUN TO PLAY WITH. SHORT OF BECOMING A REAL LIVE TSPS OPERATOR, THEY ARE ABOUT THE ONLY WAY YOU CAN REALLY PLAY WITH THE NETWORK. FOR THE FEW OF YOU WITH BLUE BOXES, HERE ARE SOME PHRASES WHICH MAY MAKE LIFE EASIER WHEN DEALING WITH THE RATE & ROUTE (R&R) OPERATORS. TO GET THE R&R OP, YOU SEND A KP + 141 + ST. IN SOME AREAS YOU MAY NEED TO PUT ANOTHER NPA BEFORE THE 141 (I.E., KP + 213 + 141 + ST), IF YOU HAVE NO LOCAL R&R OPS. THE R&R OPERATOR HAS A MYRIAD OF INFORMATION, AND ALL IT TAKES TO GET THIS DATA IS MUMBLING CRYPTIC PHRASES. THERE ARE BASICALLY FOUR SPECIAL PHRASES TO GIVE THE R&R OPS. THEY ARE NUMBERS ROUTE, DIRECTORY ROUTE, OPERATOR ROUTE, AND PLACE NAME. YOU GET AN R&R AN AREA CODE FOR A CITY, ONE CAN CALL THE R&R OPERATOR AND ASK FOR THE NUMBERS ROUTE. FOR EXAMPLE, TO FIND THE AREA CODE FOR CARSON CITY, NEVADA, WE'D ASK THE R&R OP FOR "CARSON CITY, NEVADA, NUMBERS ROUTE, PLEASE." AND GET THE ANSWER, "RIGHT... 702 PLUS." MEANING THAT 702 PLUS 7 DIGITS GETS US THERE. SOMETIMES DIRECTORY ASSISTANCE ISN'T JUST NPA + 131. THE WAY TO GET THESE ROUTINGS IS TO CALL R&R AND ASK FOR "ANAHEIM, CALIFORNIA, DIRECTORY ROUTE, PLEASE." OF COURSE, SHE'D TELL US IT WAS 714 PLUS, WHICH MEANS 714 + 131 GETS US THE D.A. OP THERE. THIS IS SORT OF POINTLESS EXAMPLE, BUT I COULDN'T COME UP WITH A BETTER ONE ON SHORT NOTICE. LET'S SAY YOU WANTED TO FIND OUT HOW TO GET TO THE INWARD OPERATOR FOR SACRAMENTO, CALIFORNIA. THE FIRST SIX DIGITS OF A NUMBER IN THAT CITY WILL BE REQUIRED (THE NPA AND AN NXX). FOR EXAMPLE, LET US USEM 916 756. WE WOULD CALL R&R, AND WHEN THE OPERATOR ANSWERED, SAY, "916 756, OPERATOR ROUTE, PLEASE." THE OPERATOR WOULD SAY, "916 PLUS 001 PLUS." THIS MEANS THAT 916 + 001 + 121 WILL GET YOU THE INWARD OPERATOR FOR SACRAMENTO. DO YOU KNOW THE CITY WHICH CORRESPONDS TO 503-640? THE R&R OPERATOR DOES, AND WILL TELL YOU THAT IT IS HILLSBORO, OREGON, IF YOU SWEETLY ASK FOR "PLACE NAME, 503 640, PLEASE." FOR EXAMPLE, LET'S SAY YOU NEED THE DIRECTORY ROUTE FOR SVEG, SWEDEN. SIMPLY CALL R&R, AND ASK FOR, "INTERNATIONAL, BADEN, SWITZERLAND. TSPS DIRECTORY ROUTE, PLEASE." IN RESPONSE TO THIS, YOU'D GET, "RIGHT... DIRECTORY TO SVEG, SWEDEN. COUNTRY CODE 46 PLUS 1170." SO YOU'D ROUTE YOURSELF TO AN INTERNATIONAL SENDER, AND SEND 46 + 1170 TO GET THE D.A. OPERATOR IN SWEDEN. INWARD OPERATOR ROUTINGS TO VARIOUS COUNTRIES ARE OBTAINED THE SAME WAY "INTERNATIONAL, LONDON, ENGLAND, TSPS INWARD ROUTE, PLEASE." AND GET "COUNTRY CODE 44 PLUS 121." THEREFORE, 44 PLUS 121 GETS YOU INWARD FOR LONDON. INWARDS CAN GET YOU LANGUAGE ASSISTANCE IF YOU DON'T SPEAK THE LANGUAGE. TELL THE FOREIGN INWARD, "UNITED STATES CALLING. LANGUAGE ASSISTANCE IN COMPLETING A CALL TO (CALLED PARTY) AT (CALLED NUMBER)." R&R OPERATORS ARE PEOPLE ARE PEOPLE TOO, Y'KNOW. SO ALWAYS BE POLITE, MAKE SURE USE OF 'EM, AND DIAL WITH CARE. NOTE: AS A RESULT OF THE BREAK-UP, R&R IS NOW KP+800+141+1212+ST Page 145 The Official Phreaker's Manual Verification By Fred Steinbeck From TAP issue # 88 10-83 There has been a great deal of controversy in the realm of phreakdom over a mysterious subject known under a number of different names, including "Verification", "Autoverification", "Verify", "Autoverify", "Verify Busy", and even "VFY BY". All of these names basically mean the same thing: the ability to listen to another person's telephone line from any telephone in the direct-dialable world. Needless to say, Bell System is very tight lipped about knowledge regarding verification. Indeed, the infamous book 'Notes on long distance dialing' ('68 edition) says, "Care must be taken to insure that the customer never gains verification capabilities." With a printed policy like that, you can imagine what their real-world policy is like! Even their own rate and route operators will not give verification on routing codes (at least in my experience), one even responding, "What?! You must be crazy! We don't give those out!" Before you get too far into this article, I will state simply: I don't know how to verify. However, I have been fooling with various things related to it, and collecting information on it for some time now. Therefore, while I can't do it (yet), I may be able to point some other bright TAPer on the right track, and perhaps he or she will show us all how. If you have knowledge not covered in this article, but don't want to write an article on your own, please send your ideas, comments, or information to Project Verify, C/O TAP Verify has also been called "Autoverify", and I have no idea why. This is not, to my knowledge, a Bell System term (at least I've never seen it in any manuals) As far as I know, there is verify, which means being able to listen to speech (kind of; see below) on a line, and there is the "Emergency Interrupt which allows you to take part in the conversation taking place on the line in question. It has been suggested that "Autoverify" is the same as an emergency interrupt , but I tend to disagree with this idea. It should be noted that the verification circuitry does not actually let an operator listen to a conversation without making a beep on the line every so often. Instead, she will hear encrypted speech. However, I believe with the proper methods, verify can be converted to an emergency interrupt. Verification is normally done either by your normal "0" (TSPS) operator, if the call is in your home NPA (HNPA), or by an inward operator (IO). If the call is outside your HNPA, your normal operator will call the IO for the NPA,and say, "Verify Busy" or "Emergency Interrupt" please, 555 1212." The IO will perform whatever magic he or she must, and then report back. If the call is in your HNPA, though, the "0" operator can do the verification herself by using the "VFY BY" key on her keyshelf. However, in some areas, the operator uses a routing code to accomplish verification, and this the is loop hole we shall attack. It follows that if a IO or "0" operator can do it, so can we, with a blue box Now, courtesy of Robert Allen (who brought it to my attention) and Susan Thunder (who apparently discovered it), here is what used to work for getting operators to hook you into conversations with other people (i.e.,let you listen to them till you hung up): You'd call the operator and say "Operator, TSPS Maintenance Engineer Calling. Ring forward to 001 + NPA + 7d, ring back to my number, hit ring forward, no AMA, and then position release. This creates some problems, and you must be familiar with the TSPS console(by dialing "0"), you are on the "back", or incoming part of a loop. When she places a call for you, the call goes out on the "forward", or outgoing part of the loop. If an operator wants to make a call, she punches KP FWD (keypulse forward), the number, and ST. Ring FWD puts a 90 volt ringing signal across the forward part of the line (and may dial the number as well). The Page 146 The Official Phreaker's Manual problem arises from the fact that I don't know if Ring FWD will actually dial a call, and if there is some other subtle difference between it an KP FWD. Let us assume ringing forward makes a call from the TSPS console to whatever number is given. Ring back causes your phone to ring (it is assumed you hung up after giving her your instructions; if you didn't you'd hear an annoying 90 volts across the earpiece...) "No AMA" means "no automatic message accounting", so nobody gets billed for the call, although it will show up on a tape somewhere. "Position Release" removes the operator from the circuit, and allows her to receive other calls. This leaves an unaccounted-for ring forward. The verification circuit, as you know, likes to encrypt conversation, which is something we don't want. Well, the second Ring FWD sends another 90 volts crashing against the verify circuitry, which Juda Gerad thinks removes the voice encryption from the line, puts the operator (and you) in circuit, and puts a beep tone on the line every five seconds. This seems to make sense, and I am inclined to agree with him. The bit about "....001 + NPA + 7D" causes the thought "MF routing code" to spring immediately to mind. Now, the above trick was supposed to work in the 213 NPA. I have tried both "KP+001+213+7D+ST", and some other area codes. I generally get nothing, a reorder signal, or a tandem recording. Here's some food for thought: On an official Telco sheet I have, labeled " 213 NPA MF Routing Codes", 001 is listed as "VFY BY", or verify busy for the 213 NPA. 002 is listed for the 805 NPA. Ma Bell likes to have standardized routing codes, such logical, then, that 001 would be a sort of "standard" verify code, and other prefixes would be tacked on at 002,003, etc. However, I have heard from a retired operator that verification codes are different from area to area, and are not always nice numbers like 001, 002. Ah, well, a guy can hope, can't he? Some suggestions for future attacks on this dilemma: Everyone call your operators and subtly ask questions. I have found the tend to give information out easier if you ask for something that you would ordinarily have to be a company employee to know about, such as rate steps, operator routings, etc. Casually let slip that you used to be (or still are) an operator, or that you work for company security. Also, you might want to blue box some codes like 001 followed by your NPA and the last 7D of a busy number. If you get a sort of "whispery noise", try blasting the line with a ringing signal (you might piggyback another line onto yours and call the piggyback to generate the 90 volts) and see if that does anything. Page 147 The Official Phreaker's Manual =================================== EQUAL ACCESS AND THE AMERICAN DREAM =================================== by Mark Tabas P.O. Box 620401 Littleton, CO 80162 July 7, 1985 The American Dream means many things to many people. To the small, typical businessman, it means building a good, strong business based on hard work and perseverance; indeed, with nothing limiting his potential but he amount of work he is willing to put into his business. To a large businessman, the American Dream means living and working in a country where a single corporation can have a profit exceeding the gross national product of an entire third world nation. To the individual, the American Dream is the right to choose -- everything from one's breakfast cereal to a long-distance service, as well as the formal right outlined by our founding fathers: those of life, liberty, and the pursuit of happiness. To the phone phreak, I think the American Dream is, in a sort of twisted way, the uninhibited pursuit of knowledge. This quest could scarcely remain unchecked in many other countries. Analogous to this quest is the thriving of the Bell System, which until January 1, 1984 consisted of the American Telephone and Telegraph Company, the largest corporation in the history of the world. Did the American Dream die on January first or did the divestiture of AT&T cause a giant step forward for competition and free enterprise in the United States? I do not know. I do know that the other nations of the world were amazed that the United States would dissolve the entity that brought the finest and most universal telephone system in the world, and did so at a time when the majority of the rest of the world was still using two dixie cups and a string. The unfairness of the situation is that AT&T built the telephone system of this nation and is now being bound and gagged and having its possessions distributed to others, whom AT&T also wrought. All in the name of fairness, free competition, and "equal access". Where was was MCI during the century that AT&T built he communications system of this nation? Well, I believe in Equal Access, Wholly. And, since I believe in equal access and its implications for equality for all so strongly, I feel that MCI, Sprint, and others should take the same amount of time to build their respective toll networks: 100 years. Therefore, if the United States Justice Department were truly the fair and just administrator that it portrays itself to be, MCI would not have a hand in the long-distance cache until about 2080. That's only fair. There is no doubt that MCI is a sub-standard organization. They consist of incompetent employees, inferior equipment, and an inferior marketing strategy. They are mockingly imitative of AT&T, except in the quality of their service, which is practically unusable. It is also interesting that with less than 2% market share, MCI calls itself "the nation's long-distance company." The point to this diatribe is this. It's time for these long-distance companies such as MCI and Sprint to grow up. With Equal Access, they are going to become real long-distance companies, not the joke organizations they are now, and I think it may just take them one hundred years to do so. Page 148 The Official Phreaker's Manual ============ Equal Access ============ Equal Access, as it applies to the telecommunications industry, is "the requirement that each Bell Operating Company provide exchange access to all long-distance carriers that is equal in type and quality to that provided AT&T communications." This is the official provision set forth by the United States Justice Department in the Modification of the Final Judgment, August 24, 1982. All this means is that each long-distance-distance company will have "equal access" to all of the same types of services that AT&T currently enjoys. There are four types of long-distance carrier services, divided into "feature groups." They follow. FG A: "line side access." This is the standard 7-digit dialup+code (for billing purposes) +destination telephone number. It is currently in use by most long-distance carriers. FG B: "trunk side access." These are the 950 exchange numbers. They also utilize an authorization code for billing. As with FG A, automatic number identification (ANI) (i.e. calling number) is not provided to the carrier, but will be in the future. FG C: "1+ dialing." Currently, only AT&T is able to get this type of service. It is 1/0+7 of 10 digit direct long distance dialing. ANI (for billing) is provided. FG D: "equal access." This will allow for 1/0+7 or 10 digit direct long-distance dialing (presubscription carrier) and 10xxx+1/0+7 or 10 digit long-distance dialing (alternate carrier). ANI for billing is provided at the long-distance carrier's option. Billing may also be handled by the individual long distance company or the local Bell Operating Company. Feature groups C and D are mutually exclusive (i.e. both cannot exist in a particular area at the same time). Areas which have Feature Group C (AT&T long-distance only) are non-Equal Access, and areas which have Feature Group D (multiple long distance carriers) are Equal Access regions. Feature Group B, the 950 exchange numbers will be used in areas in which it is not feasible to provide with Equal Access, such as step-by-step offices (yes, they CAN have 950 numbers), some crossbar offices, and some independent telcos, which are not bound by the provisions of Equal Access and may provide to their customers any type of long-distance service(s) they wish. The 950 exchange is now active in many areas. It is mainly used as a universal "roaming" access port for many long-distance carriers, but when an office is converted to Equal Access, the 950 capability is removed. Thus, in an Equal Access region, one cannot complete a call to a 950 telephone number. I personally am looking very forward to Equal Access. My area is not scheduled for full implementation of it until late 1985 or early 1986, and by this time many of the alternate long distance carriers' networks will be in place (or well under way). Think about what Equal Access means. Equality for all long distance carriers. Access to common facilities, such as: busy-line verification lines, Bell System information, signalling specifications. etc. After full implementation of Equal Access, one will be able to take advantage of and manipulate the services of more than just one carrier. It will no longer be phreaks vs. AT&T. When your area is ready to initiate Equal Access, you will receive a notice in the mail informing you of some of the details of Equal Access, and will ask Page 149 The Official Phreaker's Manual you to specify your choice of "primary carrier." In some cases you will need to specify both inter-LATA carrier (IC), which handles calls out of your LATA (Local Access and Transport Area), and an international carrier (INC), which will handle calls destined for other countries. Recent market studies have shown that between 80 and 90 per cent of residential customers will continue to be served by AT&T for their long-distance service after Equal Access. So much for competition. You will probably be faced with many long-distance companies to choose from, including but not limited to: AT&T, MCI, Sprint, ITT, Western Union, Dial U.S., Call America, TMC, and U.S. Telephone. Whichever you choose will become your "primary carrier." Your primary carrier will handle your call each time you pick up you fone and dial 1+7 or 10 digits or 0+7 or 10 digits, inter-LATA only. That is, if you dial a toll call that is within your LATA, it will be handled by your local telephone company (Bell), not by your primary carrier, even though it is a toll call. Let's use an example. The state of Colorado consists of two LATAs. For this example, I will use three cities in Colorado: Denver (in LATA1), Sterling (LATA1 also), and Colorado Springs (in LATA2). Note here that even though Denver ad Sterling are in the same LATA, and Denver and Colorado Springs are not, Sterling is actually much farther away from Denver than Colorado Springs. This is because LATA boundaries were designed giving consideration to high toll-traffic regions, to bring in revenue. Toll traffic between Denver and Colorado Springs is very high, so the two cities were placed in separate LATAs (or, more correctly, they were separated by a LATA boundary). Toll traffic between Denver and Sterling is very low, of the two cities were allowed to remain in the same LATA. Now, if everyone in Colorado Springs were to pack up and move to Sterling (though who knows what the hell for), the LATA boundaries in Colorado would be changed so that Denver and Sterling were in different LATAs. The primary factor in determining LATAs is money. If I made a call to Sterling from my home in Denver, the call would be routed entirely via Mountain Bell long-distance facilities. No long distance carrier would be involved because Denver and Sterling are in LATA1. If I made a call to Kelley, the blonde babe in Colorado Springs, the call would be handled by a long distance carrier (in this case, AT&T) because Denver is in LATA1 and Colorado Springs is in LATA2. Here is a table to simplify this: Customer dials LATA Carrier ----------------------------------------------------------------- 7 digits same Bell 1+7 digits same Bell 1+7 digits diff LD carrier (currently AT&T) 1+10 digits diff LD carrier (currently AT&T) ----------------------------------------------------------------- Note several things here. First, not all areas need to dial a 1 when dialing any number, local or long distance, but the central offices will still discern whether the call is in the same LATA as the customer or a different one and handle the call appropriately. Secondly, some step-by-step offices require a 1+NPA to be dialed for calls within the same LATA and, in fact, all numbers outside of the office itself. But, for the most part, the above table is standard for common switching networks. ================== Alternate Carriers ================== Your normal long distance carrier will handle all your toll calls which cross over LATA boundaries when you dial directly, 1+. If you wish to place your Page 150 The Official Phreaker's Manual call via another carrier's network, whether for cost, quality, or circuit availability reasons, you may do so in Equal Access regions. To access an alternate long distance carrier after Equal Access, a customer dials 10xxx+1/0+7 or 10 digit telefone number. Note that xxx is the "carrier access code (CAC)." A few CACs currently in use are listed below. 220 ........ Western Union 666 ........ Lexitel 222 ........ MCI 777 ........ Sprint 333 ........ US Telefone 888 ........ SBS 444 ........ Allnet Thus, in an Equal Access region, to dial Fred in Orlando, a customer would dial 1+305+994+9966 to place his call on his primary carrier, or to place it on another network, he could dial: 10222+1+305+994+9966, and the call would go over MCI facilities (in this case). Eventually, after many more long distance services get into the act, there will be a directory of the various long distance companies and their CACs, and deciding which carrier to use for any particular call to get the bet rate will be beyond the ability of everyone except phone phreaks. ================ The 950 Exchange ================ As discussed, the 950 central office exchange is currently a "roaming" access port for various long distance carriers. In areas that have 950, the access to carriers is standardized. Thus, someone travelling to several different areas need only know the 950 number of the carrier he uses to access it from any area (provided that it have 950 active). Originally, the 950 exchange was designed to correspond with the 10xx carrier access code used for Equal Access. For example, 950-1022 would be the same carrier as 1022 (+telephone number). However, it was later found that the 100 codes available for use as 10xx CACs would be insufficient to handle he number of long distance carriers. So, the common carrier access code was increased by one digit, to 10xxx, thus increasing the number of possible CACs to 1000. To keep the 950 exchange consistent with the non CAC, the Bell Operating Companies have opted to change the 950-10xx to 950-0xxx. The xxx in the 950-0xxx remains the same as the xxx in the 10xxx carrier access code. The new modified 950 numbering pan is now active in Philadelphia (Bell Atlantic) among other areas. After Equal Access is well under way, the 950 exchange will be used in certain areas that cannot be equipped for the standard Equal Access dialing plans. This includes step-by-step, #1 crossbar, #5 crossbar, #2ESS, and #3ESS offices. Customers in areas served by these types of switching equipment will dial 950-0xxx, wait for acknowledgement tone from the carrier, and then dial a "personal identification number" and destination telefone number,and the call will be completed on the selected carrier's facilities. Initially, billing will be handled by the carrier itself, and supervisory information and ANI will not be provided by the local Bell Operating Company. There are three main advantages to the 950 central office exchange and protocol. They are: a) universal access for all areas, b) 950-exchange numbers are "trunk side access." This means that the long distance carrier has direct trunks going to it from a Bell toll office or local central office. These trunks are interoffice lines, not customer type (POTS) lines, and supposedly insure higher quality of connection. And, c) 950-exchange numbers are toll and message unit free. On metered-usage (i.e., not "flat rate") customer lines, they cost nothing. In most areas they are free from coin stations, with Colorado as one notable exception. Page 151 The Official Phreaker's Manual ===== Costs ===== Each long-distance carrier must choose the type(s) of service it wishes to provide to its customers. These different types of service were outlined earlier as "Feature Groups." The costs of these Feature Groups vary directly with the complexity and quality of the service itself. The following table outlines the cost to the carrier of each available Feature Group. It is based on the monthly rate per line for 9000 minutes of circuit use, and assumes the carrier and Bell switch are 15 miles apart. FG non-Equal Access Equal Access -------------------------------------------------------- A $329.94 $709.20 B 329.94 721.80 C 752.40 ** N/A ** D ** N/A ** 752.40 -------------------------------------------------------- These figures are a lot more significant than they might appear. They indicate that after Equal Access, in order to compete with the giants such as AT&T, MCI, etc., smaller long distance companies will use Feature Group A or B type service in order to provide significantly lower rates to their customers than companies subscribing to Feature Group D service (like AT&T, MCI, etc). This will cause a unique type of equilibrium to form. Customers willing to dial an access number, authorization code, and destination number and put up with lower quality service will be able to save a lot of money. This seems faintly reminiscent of pre-Equal Access times.... ==================== Directory Assistance ==================== Each Bell Operating Company will be responsible for providing intra-LATA operator services. When a customer dials (1)+411 or (1)+555+1212 for local directory assistance, he will reach a Bell operator who will service requests for listed numbers within the customer's LATA. Requests for numbers in LATAs other than the calling customer's may be handled at the discretion of the local operating company. Initially, the Bell Operating Companies will meet the responsibility for providing directory assistance services by contracting it to a long distance carrier or carriers (currently AT&T). All inter-LATA directory assistance services will be provided by the inter-LATA carrier (IC). ICs may also provide 800 Enterprise service or other toll free type directory assistance services. See table. ================================================================= Intra-LATA: ================================================================= HNPA 411/555-1212 BOC *FNPA NPA+555-1212 BOC HNPA 10xxx+555-1212 intra-LATA carrier *FNPA 10xxx+NPA+555-1212 intra-LATA carrier ================================================================= Inter-LATA: ================================================================= HNPA (10xxx)+1+555-1212 IC Page 152 The Official Phreaker's Manual FNPA (10xxx)+1+NPA+555-1212 IC ================================================================= * When LATA boundaries cross NPA boundaries (rare). FNPA = Foreign Numbering Plan Area (area code). HNPA = Home Numbering Plan Area (area code). At first glance, the above table appears somewhat complex. But, if you understand the concept of LATAs and carriers, it is easily understood. Essentially, all local Bell Operating Companies will maintain their own directory assistance services. When a customer dials 411 or 555-1212, he will reach a BOC directory assistant. Additionally, each long distance carrier that wishes to provide directory assistance to its customers will also have DA facilities. And, when a customer dials a directory assistant (NPA+555-1212) on a carrier, he will reach an operator of that particular long distance carrier. The key here is LATAs. If a customer wants to find a number that is within his LATA, no long distance carrier is involved. It is handled strictly by the Local Bell Operating Company. If a customer is seeking a number that is not within his LATA, he must use the services of an inter-LATA (long-distance) carrier. ====================== TSPS Operator Services ====================== Traffic Service Position System (TSPS) operator services will be handled much in the same fashion as directory assistance services, with a few differences. As with DAs, each Bell Operating Company and each inter-LATA carrier will maintain its own TSPS operator facilities (or cordboard I suppose, if they cannot afford TSPS). When a customer dials simply 0 (operator), he will reach a BOC TSPS operator. The BOC TSPS will be able to handle all types of intra-LATA operator-assisted traffic including (but not limited to): collect, third party billing, Bell credit card, coin, verification and emergency interrupt, and requests for emergency aid. BOC TSPS will be unable to complete calls for customers outside of the customer's LATA. Thus, inter-LATA operator assistance will be handled by an inter-LATA carrier TSPS (IC TSPS). An IC TSPS will handle all previously mentioned types of calls that require inter-LATA transport (i.e., the call originates and terminates in different LATAs). When a customer dials 0+NXX-XXXXX or 0+NPA+NXX-XXXX, the central office will determine if the call is destined for another LATA. If it is not, the call will be sent to the Bell TSPS for appropriate handling. If the call is bound for another LATA (and his determination is made based on the NXX or NPA+NXX), then the call will be sent off to the customer's primary long-distance carrier (since only 0+ was dialed). If the customer wishes to use a different carrier's operator services, he would dial 10xxx+0+number, and the carrier specified by the 10xxx carrier access code would receive the call. Note: if a customer dials 10xxx+0+number, and the call is an intra-LATA call, he will get a recording, "We're sorry, the number you dialed cannot be reached with the carrier access code you dialed. Please check the code and try again or call your carrier for assistance." (Western Electric KS-22550 central office tape list no. 46.) Until the Bell Operating Companies can install their own TSPS facilities and networks, they will (continue to) lease capacity from AT&T TSPS. That is, AT&T will handle the intra-LATA traffic for the BOCs on a contract basis. In the meantime, AT&T will continue to handle its own long-distance operator services while the other inter-LATA carriers will have to implement their own operator networks from scratch. My estimation is that you won't be able to dial 10222+0 for an MCI TSPS operator until sometime around the year 2590. And even then they will probably be cordboard. In addition to the changes in TSPS described above, there will be certain Page 153 The Official Phreaker's Manual modifications to the software and hardware involved in the TSPS operator system. Most critical, and of paramount importance to the telecommunications enthusiast is changes in circuit associated signalling (CAS). This is signalling to and from the TSPS facility. When a customer dials 0 (operator) or 10xxx+0 (IC operator), a succession of events occurs. First, the end office seizes a trunk to the appropriate operator facility (this assumes that no access tandem is involved). The operator service facility responds with a wink (proceed signal) and the end office outpulses the CALLED number (or KP+ST if 0 only dialed). The operator service (OS) facility will then come off-hook to signal that it is ready to receive ANI information. The end office outpulses the ANI information in the format of KP+II+7 digits+ST (or ST'). If there is ANI failure, a KP+02+ST (or ST') will be sent. "ST'" stands for STart "prime", and is indicative of a coin call (i.e., dial 0 from a coin station). A normal ST terminating the ANI sequence means that the call is originating from a noncoin station. See table for ultimate description. Inter-LATA calls MF-pulsed type of call customer dials cld num ANI ============================================================ noncoin: ============================================================ direct dialed 10xxx+1+7/10d KP+7/10d+ST'' KP+II+7d+ST operator assist 10xxx+0 KP+ST''' KP+II+7d+ST special toll 10xxx+0+7/10d KP+7/10d+ST''' KP+II+7d+ST ============================================================ coin: ============================================================ direct dialed 10xxx+1+7/10d KP+7/10d+ST KP+II+7d+ST operator assist 10xxx+0 KP+ST' KP+II+7d+ST special toll 10xxx+0+7/10d KP+7/10d+ST' KP+II+7d+ST ============================================================================= Intra-LATA calls ============================================================================= noncoin: ============================================================================= direct dialed 10xxx+1+7/10d KP+7/10d+ST'' KP+II+7d+ST' operator assist 10xxx+0 KP+ST''' KP+II+7d+ST' special toll 10xxx+0+7/10d KP+7/10d+ST''' KP+II+7d+ST' ============================================================================= coin: ============================================================================= direct dialed 10xxx+1+7/10d KP+7/10d+ST KP+II+7d+ST' operator assist 10xxx+0 KP+ST' KP+II+7d+ST' special toll 10xxx+0+7/10d KP+7/10d+ST' KP+II+7d+ST' ============================================================================= Note: ST=Start, ST'=STart prime, ST''=Start double prime, ST'''=STart triple prime. Once again, the above table appears somewhat intimidating in its complexity. All these STs, ST primes, etc. Actually, the only purpose of the starts is to distinguish to the TSPS machine exactly what type of call the customer is placing and from what type of telefone he is calling. "Special toll" calls are collect, credit card, and third-party billing type calls. Here is an example of a complete dialing and outpulsing sequence for an operator service call: Page 154 The Official Phreaker's Manual from a coin fone, a customer dials 0+ (or 10xxx+) 303+979-9997. The central office would seize a trunk to the operator service facility and outpulse: KP+303+979-9997+ST'. This indicates to the operator service facility that the call is a special toll call originating from a coin telephone. The OS facility comes off-hook and the central office would then outpulse KP+00+232+9969+ST. This is he ANI information, and the ST indicates that the call is inter-LATA (if it were intra-LATA, the sequence would be terminated with ST' instead). Perhaps now I should explain screening. Certain telefones are "screened" against placing certain types of calls. A screening code is a two digit information carrier. For instance, 00 is "identified line" (no special treatment), 01 is multiparty ONI (operator number identification), 02 is ANI failure, 06 is hotel/motel, 07 is coinless (hospital/inmate fone), 08 is inter-LATA restricted, 68 is hotel inter-LATA restricted, 78 is coinless (hospital inmate) inter-LATA restricted, etc. A 98 is an AT&T Charge-A-Call fone (those blue fuckers). More screening codes are allocated as they are needed. Note that the original TSPS screening design only allowed for single digit information digits. They were later found to be insufficient. I believe that the operator services have been adequately covered, so I will now move on to other aspects of Equal Access. ============= Routing Codes ============= The TTC (terminating toll centre) and special routing codes will continue to be used in inter-LATA networks. These 0xx and 1xx type codes, which sometimes precede operator routing codes, will be assigned to various ICs on an individual basis. When 0xx and 1xx codes serve as pseudo-central office code, they will be coordinated such that it will avoid IC conflicts. The Numbering/Dialing Planning Group of the Central Services Organization (sounds like some sort of Communist governing body) will provide assistance where the assignment of coordinated codes is necessary. ================== Special Area Codes ================== Special area codes, also called Service Area Codes (SACs) presented the designers of Equal Access with an interesting problem. SACs are N00 type area codes, such as 700, 800, and 900. They are used for special services and unlike normal area codes, are not associated with a particular state or region. Each long distance carrier will be allocated its own exchanges in each service area code. Thus, when a customer places a call to a number in a service area code, the central office will examine the exchange of the telefone number and route the call over the proper carrier's facilities. The customer will be totally oblivious to this process. Current SACs include 700 (teleconferencing), 800 (toll free services), and 900 (dial-it services). There are currently plans under way to implement the 600 area code, although its exact uses are not yet clear. ================ Signalling to IC ================ Each long distance carrier that wishes to serve a particular LATA must establish a point of presence (POP) in that LATA. A carrier's POP is a toll office that receives toll traffic destined for another LATA. A POP is a centre for inter-LATA transport of toll traffic. This traffic will be directed to it Page 155 The Official Phreaker's Manual from a Bell central office, either an end office or an access tandem (AT). An access tandem is simply a Bell office which directs long distance traffic from a number of local end offices to a number of different inter-LATA carriers. To pass call details (such as called and calling numbers) from the Bell local office to the inter-LATA carrier, a signalling system was designed that employs current multifrequency (MF) signalling protocol. When a customer dials 10xxx+(1/0)+(NPA)+NXX+, the end office will seize a trunk to the appropriate IC as determined by the 10xxx CAC (or primary carrier if no CAC is dialed). Note: this happens as soon as the customer finishes dialing the exchange, even though he may still be dialing the last four digits of he telefone number. After the end office has seized a trunk to the IC, the IC will return a wink, which is the signal to proceed. Then, the end office will send ANI information, in the format of: KP+II+10 digit ANI+ST. If the carrier is not to receive ANI information from the Bell Operating Company (i.e., they are not paying for it), then only KP+ST is sent. Presumably, by now the customer has completed dialing the last four digits of the destination telefone number, so the end office will send: KP+7 or 10 digit CALLED number+ST. Note several things here: 1) The IC does not send a wink when it is ready to receive CALLED number information. 2) ANI information is ten digits, plus a two-digit screening code, and 3) The central office's outpulsing to the IC overlaps the customer's dialing. Some ANI screening codes include: 00 (identified POTS), 01 (ONI multiparty), 02 (ANI failure), 06 (hotel without room identification), 07 (coinless, hospital, inmate, etc.), 08 (inter-LATA restriction), 10 (test call), 20 (AIOD calls, listed DN sent), 27 (coin call), and 95 (test call). These are the same or similar as the screening codes used in operator service signalling. In addition to the domestic signalling design outlined above, a new international signalling system has been designed for use with Equal Access. It also uses two-stage, overlapping outpulsing. After a customer has completed dialing (10xxx)+011+CC (CC is country code), the Bell end office will seize a trunk to he appropriate IC (or international carrier, if direct routing is available). The IC/INC will respond with a wink, and the end office will outpulse: KP+1NX+YXX+CCC+ST. Each of these three groups of routing information indicate something different abut the international call being placed. The 1NX is the "international system routing code, one for each type of call routing." I have absolutely no idea what that means, and no one I have talked to at Bell, AT&T, MCI, CCITT, ITT, the CSO and FCC have any idea either. Next, the YXX is the carrier routing code. It is actually XXX, Which is the three digits of the 10xxx CAC for the particular carrier being accessed. Finally, CCC is the country code, padded with a zero if necessary. One may wonder why the CAC is signalled forward when a trunk is seized directly to the carrier itself. The reason for this is that in some cases a direct trunk to the carrier is not available and the call must be routed through an access tandem, which is responsible for routing calls to a variety of different long distance carriers. ==================== Switch Compatibility ==================== Full-feature Equal Access will become available first for Western Electric #1ESS switching systems. It will be available first in generic 1E8 (1AE8 for #1A ESS). Later, generic 5E2 for #5ESS, generic 2B4 for #2B ESS, generic BCS-16 for Northern Telecom DMS-100, and generics 209 and 302 for DMS-10 will provide full-feature Equal Access capabilities in those types of end office switching equipment. The Western Electric #4ESS, #1 and 1A ESS, #5ESS, and the Northern Telecom DMS-200 machines which serve as toll offices or access tandems will be capable of receiving the new Equal Access signalling format, after required generic development. Other switches (such as all crossbar offices) Page 156 The Official Phreaker's Manual will not be able to handle the new signalling format. ===== LATAs ===== LATAs, Local Access and Transport Areas, are the entire key to the administration of Equal Access. They can be thought of as miniature area codes. A telefone call can never cross a LATA boundary except on an inter-LATA carrier. However, there are certain exceptions to this. For example, in the state of Colorado, which consists of two LATAs, the local Bell Operating Company (Mountain Bell), which serves as the intra-LATA (i.e., calls to/from the same LATA) carrier, may also serve as inter-LATA (to/from different LATAs) carrier within Colorado. There are also exceptions in the corridor region of the New York/New Jersey/Pennsylvania area. The forty-eight continental United States consist of 161 LATAs. Some states, such as Deleware, consist of only one LATA, while others, such as Illinois, can have up to 14 or more. Each LATA is given a name. For instance, Pennsylvania consists of six LATAs: Philadelphia, Capital, Northeast, Altoona, Pittsburgh, and Erie (independent telco). ============== A Few Thoughts ============== In 1973, Chrysler, A&P, RCA, Phillips Petroleum, S.S. Kresge, Boeing Aircraft, International Harvester, Woolworth's, Greyhound, Firestone, Litton, and General Foods, among others, each reported annual profits of less than $150 million. In that same year, the Telephone Company wrote off, as being uncollectable, debts of $150 million. In 1974, the Bell System had direct interests in at least 276 organizations, many of them not related to the telefone industry. Bell also had interlocking financial arrangements with such corporations as the Chase Manhattan Bank, IBM, Prudential Insurance, Sears Roebuck, General Motors, U.S. Steel, and Lever Brothers. Should the need have arisen, the Bell System in 1974 could have exercised control of 400 billion dollars, fully one-third of that year's gross national product. From: Hyde, J. Edward, The Phone Book. Henry Regnery Publishing Company, Chicago Illinois, 1976. ISBN 0-8092-8008-6. There are many viewpoints as to the future course of the telefone industry. The general consensus among most Telco employees is that the children of AT&T (i.e., the seven regional holding companies into which the Bell System was divided) will someday be reassembled into the original Bell System, and all will be well and good in the world of telecommunications again. I tend to disagree with this. I think that within three decades the entire telefone industry will be consolidated and nationalized. It will be owned and operated entirely by the United States Federal Government. This will accomplish several goals of the government. First, the immense revenue from telefone services will provide great financial resources for the federal government. Rates for telefone services will skyrocket far out of the range of affordability, quality of service will deteriorate to a point of unusability, and meanwhile politicians will get rich. Second, once the government controls the telefone system, monitoring the general public will become infinitely easier. Big Brother will be able to keep and eye, or rather, an ear on the general population, and giant step forward in Page 157 The Official Phreaker's Manual ultimate government control of peoples' lives will be achieved. Most people won't know anything about this, and even if they do, they won't give a shit because by then the fucking government will have already invaded every remaining private aspect of the individual's life. To those who find it utterly unthinkable that the federal government would ever assume control of the telefone industry, I would call attention to the situation that existed between 1917 and 1919. During this time the government controlled the phone system of the United States. J. Edward Hyde sums it up beautifully: Between 1917 and 1919, the Federal Government did control the phone industry. Since then, the most charitable historians have blamed the subsequent mess on the First World War. Others blame it on the democrats. But the fact is that it was a fiasco of the bureaucracy's own making, combined with intracompany sabotage. Today, in those countries where the phone service is nationally owned, the service runs from poor to nonexistent. Would you want the government that gave you the Russian wheat deals, Defense Department overruns, Amtrak, and the Postal Service handling your phone problems? From: Hyde, J. Edward, The Phone Book. Henry Regnery Publishing Company, Chicago, Illinois, 1976. ISBN 0-8092-8008-6, p. 170. Technical References: Notes on the BOC intra-LATA Networks. American Telephone & Telegraph Company, 1983. The Phone Book. J. Edward Hyde, 1976. Bell System Technical Journal. Volume 58, Number 5. Engineering and Operations in the Bell System. American Telephone & Telegraph Company, 1983. Acknowledgements: Karl Marx, Telenet Bob, and the scores of Telco employees in Denver, White Plains, Omaha, and North Jersey who were very helpful in patiently answering my many questions about Equal Access. Thanks to Mack the Knife for magnetic transfer of this illustrious file, a tedious task for which I have no time. Thanks to the following printers for their cooperation and professional manner in helping me with final production of this file: Kinko's Print Shop 7155 West Colfax Lakewood, CO Office Products and Printing 5035 S. Kipling Suite B4 Littleton, CO This has been a Mark Tabas Encounter Series production. Questions, comments, and requests may be addressed to: Tabas Page 158 The Official Phreaker's Manual P.O. Box 620401 Littleton, CO 80162 Requests for copies of this or any other Encounter Series file are honored for free, but please enclose a self-addressed medium sized first class mailing envelope with 73 cents postage. Special thanks to Steve Reger, who was kind enough to shoot my neighbor's dog, whose incessant barking constantly distracted me as I labored to complete this file. (for Amy) cl/KIABB!/jd Page 159 The Official Phreaker's Manual Equal Access and Modem Autodialers by Shadow 2600 Now that AT&T is being divested of its local telephone companies, phone customers across the nation have to choose their long distance carrier as equal access is phased in. Advertising campaigns emphasize such aspects as low rates and operator assistance, but no one mentions a factor that will affect modem users who use auto dialers for long distance calls. Not all of the alternate long distance carriers provide called party answering supervision on all calls. Called party answering supervision basically has the telephone company start billing only when the called party answers the telephone. However, many of the alternate long distance companies still operate with the "fixed timeout" basis for charging. That is, if a call is held for a fixed length of time (usually 30 seconds) the charging starts, whether or not the call was answered. This could cause modem owners large bills if they use autodialers to make long distance calls. Modems are usually set up to wait up to one minute when attempting to make a call, and thus have to timeout through busy signals, long call setup sequences, extender waits, and similar problems. This could result in many billed but never answered calls. Some of the other carriers provide it on calls to some cities, and others not support it at all. Only AT&T Communications provides called party answering supervision on all calls to all points at this time. It is almost impossible to get information on how a long distance company charges its calls as as they don't want to reveal how their billing is handled. The alternate carriers get called party supervision when the destination location goes equal access. However, there has been no quick action on the part of the alternate long distance companies to make use of the supervision data as they would have to get equipment for passing the information back to the billing computer at the originating point. Thus called party answering supervision information often ends up being ignored by these carriers even when available. Another point to remember is that called party answering supervision's availability depends on whether the destination has equal access, not the originating location. The lower long distance rates of alternate long distance rates must be weighed against the time out problem as it affects autodialing modems. One way to circumvent this is merely to set your modem to a shorter waiting-for-connect time, but this may not provide enough time for the call to go through. [For more information on this and other telecommunications topics call the Private Sector BBS at (201) 366- 4431] Page 160 The Official Phreaker's Manual ==Phrack Inc.== Volume One, Issue Two, Phile #6 of 9 Toward Universal Information Services Via ISDN ~~~~~~ ~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~ ~~~ ~~~~ by Taran King From PROTO newsletter of AT&T Bell Laboratories ------------------------------------------------------------ Phase one, the Present. ~~~~~ ~~~~ ~~~ ~~~~~~~~ The local network of today, although still largely voice-oriented, is already on the path to Universal Information Services. Lightguide fiber is dramatically expanding the capacity of local networks, helping to lower the costs and increase the demand for high-band width, Information Age services. And public networks are increasingly digital and geared for data and special services. For example: o The AT&T Network Systems 5ESS (TM <riiiight>) switch, designed by Bell Laboratories, can serve as the hub of a local deployment of remote modules at locations up to 100 miles from a host central office. o The Integrated Special Services Network (ISSN) is a channel network that provides special services, customer control options and digital private lines rearrangeable under software control. The ISSN incorporates digital carrier terminating equipment such as the D4 Channel Bank, D5 Digital Terminal System and Digital Access and Cross-connect System (DACS). o The New Centrex is bringing greater levels of customer control, improved services and a broad range of data capabilities to the business customer. Today's public networks consist of multiple or overlay networks. The public switched network, or circuit network, mainly for voice, is the base network. Two kinds of overlay networks provide special services. Channel networks carry private lines leased by large customers and transmit much of today's data and image traffic; they also handle traffic for network operations support. Packet networks carry data communications, while packet switching is used internally to public networks for common channel signaling to set up, route and take down calls, or to give customers information. "Overlay networks help telecommunications companies efficiently meet growing demand for digital transmission and special services," says Stan Johnston, Market Planning Manager, Network Systems Evolution, in AT&T Network Systems. "Their integration into a single network, however, would be still more effective." Phase two, the Integrated Services Digital Network (ISDN). ~~~~~ ~~~~ ~~~ ~~~~~~~~~~ ~~~~~~~~ ~~~~~~~ ~~~~~~~ ~~~~~~~ The ISDN is a concept to which AT&T is committed - and it's the foundation for Universal Information Services. The central idea of ISDN, as AT&T Network Systems sees it, is to provide an individual user a link to the local central office of generous band-width - a digital subscriber line that can carry 144,000 bits per second (sure beats 2400 baud!). The band-width is subdivided into two 64,000-bit channels, which may carry voice or data or both, and one 16,000-bit channel for packetized signaling information or data transport. Such a link provides convenient "integrated" network access by accommodating voice, data and signaling over a single line. The ISDN will make it easier for a customer to get varied services from public and private networks. More bandwidth for big customers will be available through another ISDN access standard, the extended digital subscriber Page 161 The Official Phreaker's Manual line, which provides 1.5 billion bits per second as 24 channels of 64,000 bits each. In 1986, new software from Bell Labs will enable the 5ESS switch to accommodate ISDN-sized 144,000-bit channels that standardize and simplify subscribers' use of local networks. AT&T is committed to future products that will also be ISDN-compatible. Other vendors, too, some of whom already plan to build premises, terminal, and other equipment to ISDN standards, will make ISDN a cooperative effort. By providing integrated digital access to networks, ISDN will make important progress toward the goal of Universal Information Services. But overlay networks will continue to divvy up the transport job. And messages needing less than 144,000 bits per second will not fill their allotted bandwidth, leaving capacity under utilized. Phase three, Universal Information Services. ~~~~~ ~~~~~~ ~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~~ Rooted in the fertile ground of 5ESS switches, ISDN equipment and technologies such as wideband packet transport, Universal Information Services will bear fruit during the 1990s. From a single kind of network will hang services as different as apples, oranges and pears. Just as network access was integrated in ISDN, transport functions will increasingly be integrated by powerful new network equipment evolved from equipment developed for the ISDN. Where customers once got standard-sized ISDN channels, they'll get big bandwidth for large jobs, little bandwidth for small jobs. Downloaded From P-80 International Information Systems 304-744-2253