home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker Chronicles 1
/
HACKER1.ISO
/
phreak
/
bioc.7
< prev
next >
Wrap
Text File
|
1992-03-04
|
21KB
|
728 lines
******BIOC Agent 003's course in*******
* *
* ========================== *
* =BASIC TELECOMMUNICATIONS= *
* ========================== *
* Part VII *
***************************************
Preface:
After most neophyte phreaks overcome
their fascination with Metro codes and
WATS extenders, they will usually seek
to explore other avenues in the vast
phone network. Often they will come
across references such as "simply dial
KP + 2130801050 + ST for the Alliance
teleconferencing system in LA."
Numbers such as the one above were
intended to be used with a blue box;
this article will explain the
fundamental principles of the fine art
of blue boxing.
Genesis:
--------
In the beginning, all long distance
calls were connected manually by
operators who passed on the called
number verbally to other operators in
series. This is because pulse (aka
rotary) digits are created by causing
breaks in the DC current (see Basic
Telcom V). Since long distance calls
require routing through various
switching equipment and AC voice
amplifiers, pulse dialing cannot be
used to send the destination number to
the end local office (CO).
Eventually, the demand for faster and
more efficient long distance (LD)
service caused Bell to make a
multi-billion dollar decision. They
had to create a signaling system that
could be used on the LD Network.
Basically, they had two options:
[1] To send all the signaling and
supervisory information (ie, ON & OFF
HOOK) over separate data links. This
type of signaling is referred to as
out-of-band signaling.
-or-
[2] To send all the signaling
information along with the conversation
using tones to represent digits. This
type of signaling is referred to as
in-band signaling.
Being the cheap bastard that they
naturally are, Bell chose the latter
(and cheaper) method -- IN-BAND
signaling. They eventually regretted
this, though (heh, heh)...
IN-BAND SIGNALING PRINCIPLES:
-----------------------------
When a subscriber dials a telephone
number, whether in rotary or touch-tone
(aka DTMF), the equipment in the CO
interprets the digits and looks for a
convenient trunk line to send the call
on its way. In the case of a local
call, it will probably be sent via an
inter-office trunk; otherwise, it will
be sent to a toll office (class 4 or
higher -- see Telcom IV) to be
processed.
When trunks are not being used there is
a 2600 Hz tone on the line; thus, to
find a free trunk, the CO equipment
simply checks for the presence of 2600
Hz. If it doesn't find a free trunk the
customer will receive a re-order signal
(120 IPM busy signal) or the "all
circuits are busy..." message. If it
does find a free trunk it "seizes" it
-- removing the 2600 Hz. It then sends
the called number or a special routing
code to the other end or toll office.
The tones it uses to send this
information are called multi-frequency
(MF) tones. An MF tone consists of two
tones from a set of six master tones
which are combined to produce 12
separate tones. You can sometimes hear
these tones in the background when you
make a call but they are usually
filtered out so your delicate ears
cannot hear them. These are NOT the
same as touch-tones.
To notify the equipment at the far end
of the trunk that it is about to
receive routing information, the
originating end first sends a Key Pulse
(KP) tone. At the end of sending the
digits, the originating end then sends
a STart (ST) tone. Thus to call
914-359-1517, the equipment would send
KP + 9143591517 + ST in MF tones. When
the customer hangs up, 2600 Hz is once
again sent to signify a disconnect to
the distant end.
History:
--------
In the November 1960 issue of The Bell
System Technical Journal, an article
entitled "Signaling Systems for
Control of Telephone Switching" was
published. This journal, which was
sent to most university libraries,
happened to contain the actual MF tones
used in signaling. They appeared as
follows:
Digit Tones
----- -----
1 700 + 900 Hz
2 700 + 1100 Hz
3 900 + 1100 Hz
4 700 + 1300 Hz
5 900 + 1300 Hz
6 1100 + 1300 Hz
7 700 + 1500 Hz
8 900 + 1500 Hz
9 1100 + 1500 Hz
0 1300 + 1500 Hz
KP 1100 + 1700 Hz
ST 1500 + 1700 Hz
11 (*) 700 + 1700 Hz
12 (*) 900 + 1700 Hz
KP2 (*) 1300 + 1700 Hz
(*) Used only on CCITT SYSTEM 5 for
special international calling.
Bell caught wind of blue boxing in 1961
when it caught a Washington state
college student using one. They
originally found out about blue boxes
through police raids and informants.
In 1964, Bell Labs came up with
scanning equipment, which recorded all
suspicious calls, to detect blue box
usage. These units were installed in
CO's where major toll fraud existed.
AT&T Security would then listen to the
tapes to see if any toll fraud was
actually committed. Over 200
convictions resulted from the project.
Surprisingly enough, blue boxing is not
solely limited to the electronics
enthusiast; AT&T has caught
businessmen, film stars, doctors,
lawyers, college students, high school
students and even a millionaire
financier (Bernard Cornfeld) using the
device. AT&T also said that nearly
half of those that they catch are
businessmen.
Of course, phone phreaks have achieved
an almost cult status. They have also
had their fair share of media. In
October 1971, Esquire published the
infamous "Secrets of the Little Blue
Box" article which featured phreaks
such as Captain Crunch, who took his
name from the cereal which one gave
away whistles that produced a perfect
2600 Hz pitch; Joe Engressia, the blind
phreak; and Mark Bernay, one of the
nation's first and oldest phreaks.
Others such as Apple computer
co-founders Steve Wozniak & Steve Jobs
have also had blue box backgrounds.
1971 also saw the publication of the
first issue of YIPL, the phone phreak
newsletter, (now TAP) under the
editorship of supreme yippie Abbie
Hoffman.
Usage:
------
To use a blue box, one would usually
make a free call to any 800 number or
distant directory assistance (NPA-555-
1212). This, of course, is legitimate.
When the call is answered, one would
then swiftly press the button that
would send 2600 Hz down the line. This
has the effect of making the distant CO
equipment think that the call was
terminated and it leaves the trunk
hanging. Now, the user has about 10
seconds to enter in the telephone
number he wished to dial -- in MF, that
is. The CO equipment merely assumes
that this came from another office and
it will happily process the call.
Since there are no records (except on
toll fraud detection devices!) of these
MF tones, the user is not billed for
the call. When the user hangs up, the
CO equipment simply records that he
hung up on a free call.
DETECTION:
----------
Bell has had 20 years to work on
detection devices; therefore, in this
day and age, they are rather well
refined. Basically, the detection
device will look for the presence of
2600 Hz where it does not belong. It
then records the calling number and all
activity after the 2600 Hz. If you
happen to be at a fortress fone,
though, and you make the call short,
your chances of getting caught are
significantly reduced (see Telcom VI).
Incidentally, there have been rumors of
certain test numbers (see Telcom II)
that hook directly into trunks thus
avoiding the need for 2600 Hz and
detection!
Another way that Bell catches boxers is
to examine the CAMA (Centralized
Automatic Message Accounting) tapes.
When you make a call, your number, the
called number, and time of day are all
recorded. The same thing happens when
you hang up. This tape is then
processed for billing purposes.
Normally, all free calls are ignored.
But Bell can program the billing
equipment to make note of lengthy calls
to directory assistance. They can then
put a pen register (aka DNR) on the
line or an actual full-blown tap. This
detection can be avoided by making
short-haul (aka local) calls to box off
of.
It is interesting to note that NPA+555-
1212 originally did not return answer
supervision. Thus the calls were not
recorded on the AMA/CAMA tapes. AT&T
changed this though for "traffic
studies!"
CCIS:
-----
Besides detection devices, Bell has
begun to gradually redesign the network
using out-of-band signaling. This is
known as Common Channel Inter-office
Signaling (CCIS). Since this signaling
method sends all the signaling
information over separate data lines,
blue boxing is impossible under it.
While being implemented gradually, this
multi-billion dollar project is still
strangling the fine art of blue boxing.
Of course until the project is totally
complete, boxing will still be
possible. It will become progressively
harder to find places to box off of,
though. In areas with CCIS, one must
find a directory assistance office that
doesn't have CCIS yet. Area codes in
Canada and predominately rural states
are the best bets. WATS numbers
terminating in non-CCIS cities are also
good prospects.
Pink Noise:
-----------
Another way that may help to avoid
detection is too add some "pink noise"
to the 2600 Hz tone.
Since 2600 Hz tones can be simulated in
speech, the detection equipment must be
careful not to misinterpret speech as
a disconnect signal. Thus a virtually
pure 2600 Hz tone is required for
disconnect.
Keeping this in mind, the 2600 Hz
detection equipment is also probably
looking for pure 2600 Hz or else is
would be triggered every time someone
hit that note (highest E on a piano =
2637 Hz). This is also the reason that
the 2600 Hz tone must be sent rapidly;
sometimes, it won't work when the
operator is saying "Hello, hello." It
is feasible to send some "pink noise"
along with the 2600 Hz. Most of this
energy should be above 3000 Hz. The
pink noise won't make it into the toll
network (where we want our pure 2600 Hz
to hit) but it should make it past the
local CO and thus the fraud detectors.
CONSTRUCTION:
-------------
While step-by-step details for the
construction of a blue box is beyond
the scope of this tutorial, it is
worthwhile to mention some of the
details.
First there are some alternatives but
they are not as good as an actual blue
box. Many computers are capable of
generating MF tones. Thus, your local
phriendly software pirate should have a
program compatible for your computer.
However, it is highly advisable not to
box from home as stated in The Ten
Commandments (as interpreted for
phreaks by Fred Steinbeck -- TAP #86).
I. Box thou not over thine home
telephone wires, for those who
doest must surely bring the full
wrath of the Chief Special Agent
down upon thy heads.
Another alternative that has a moderate
success rate involves recording the
tones from a phriend with a box or
computer onto a cassette tape. They
can then be used at a fortress.
As for actual construction techniques,
TAP has devoted many issues to blue
boxing. Basically, a blue box is
merely a device capable of generating
two different tones simultaneously.
There are two basic construction
methods that I will outline below for
the electronics hobbyist.
The first involves the use of two 555
timer chips (or a 556 -- i.e., two
555's in one chip). It offers
excellent frequency and voltage
stability. Also, it does not need a
diode matrix keypad but used double-
pole switches instead. Schematics for
this type of box can be found in TAP
issue #29.
The other common box makes use of two
Intersil 8038CC Function Generators.
It also requires a diode matrix keypad,
potentiometers, an LM-100 voltage
regulator, a 741 Op-amp, and a handful
of other parts. The schematics for
this type of blue box can be found in
TAP #26.
Both designs draw about 20 ma of
current.
Also, most blue boxes use telephone
earpieces (with the varistor removed)
for speakers. These can be easily
liberated from fortress fones with a
small coping saw.
Usually, the hardest part about
building a blue box is the calibration.
A frequency counter is a must and an
oscilloscope won't hurt.
Some boxes also take timing into
account. It is feasible on the ESS
systems that they check to see if the
digits are of uniform length. If they
aren't, they are probably from a blue
box and a trouble card may be dropped.
With this in mind, the Bell standard
for MF pulses and interdigit intervals
is around 75 ms. It varies with the
equipment used since ESS can handle
higher speeds and doesn't need
interdigit intervals.
APPLICATIONS:
-------------
Besides dialing normal calls free,
i.e., KP+NPA+NNX+XXXX+ST, blue boxes
offer the entire network for
exploration. Emergency break-ins,
service monitoring (aka taps), stacking
tandems (the art of busying out all
trunks between two points), re-routing
calls, conference calls, and much, much
more are all feasible. Although, Bell
frequently changes these codes due to
phreaks.
Here are some standard ones, though:
OPERATOR & OTHER CODES:
-----------------------
(an optional NPA may proceed all of the
numbers; otherwise, you will reach the
one local for the area where the call
is originated)
001 -- Trunk Access System
009 -- Rate Quote System
101 -- toll office test board
121 -- INWARD Operator
This operator assists the local "0"
operator in completing calls. (S)he
will do virtually anything for you
providing it is within her NPA.
131 -- Operator Directory
assistance
141 -- Rout & Rate
(141 defunct -- use KP + 800 + 141 +
1212 + ST)
These operators are very useful if you
know how to mumble a few cryptic
phrases as compiled below (with thanks
to Fred Steinbeck):
To find out...
...Area Codes
For example say , "Miami, Florida,
numbers route, please." The R&R
operator will tell you "305 plus,"
meaning that 305 plus the seven digit
number will get you Miami.
... Inward Operator City Codes
Usually, the INWARD operator for an
area is simply KP + NPA + 121 + ST. In
some area codes, though, there are
several large cities and thus several
inwards. To find the inward for a
specific city, you would say "916 756,
operator route, please" to the R&R
operator who will then tell you "916
plus 001 plus." This means that KP+
916 + 001 + 121 + ST will get you an
inward for Sacramento, CA (916-756).
... City names
If you want to know the city that
corresponds to an area code and
exchange, you simply tell the R&R,
"Place name, 914 390, please." In this
example, the R&R operator will respond
with "White Plains, NY."
... International Directory Assistance
If you need a directory route for
London, you could say "International,
London, England. TSPS directory route,
please." The R&R operator will respond
with "Directory to London, England.
Country code 44 plus 1 plus 986 plus
3611." Therefore to get a DA operator
in London, you would route yourself to
an international sender and KP +
04419863611 + ST.
... Country & City codes
If you need to know the country and
city code for an international number
you can say "International, Sydney,
Australia, TSPS numbers route, please"
and get "Country code 61 plus 2."
... International Inwards Routes
To get routing codes for international
inwards say "International, London,
England, TSPS inward route, please."
The R&R Operator will respond with
"Country code 44 plus 121."
Finally, to get language assistance for
completing a foreign call you can tell
the foreign inward, "United States
calling. Language assistance in
completing a call to (called party) at
(called number)."
151 -- overseas incoming (212 +
& 914+)
160-XX0 -- Various Overseas Operators
161 -- trouble reporting operator
(defunct)
181 -- Coin Refund Operator
18X -- Overseas senders
To make an international call, one
would KP + 011 + 0CC + ST where CC is
the country code. This will route you
to the appropriate overseas sender.
You will then receive a 480 Hz dial
tone. Here you enter KP + 0CC + city
code + local number + ST and the call
is on its way.
Country codes can be either 1, 2, or 3
digits but they must be padded for
three digits to create a pseudo-country
code with extra zero's if necessary.
For example, England, country code 44,
becomes 044.
To see which international sender a
certain country (lets use French
Guiana, country code 594, for example)
goes through, you can dial KP + 011 +
594 + ST, wait for the Proceed to Send
tone then KP + 000 + 0000 + ST and you
will receive a recording saying which
ISC (International Switching Center) it
is. For the example it will say, "This
is the international switching center
in Pittsburg, PA -- This is a recording
- 4121." You can actually route calls
to certain senders yourself (KP + NPA +
18X + ST) but it is better off not to
since it may look suspicious if a call
is sent through a sender that it
shouldn't go through. Here are the
senders:
182 -- White Plains, NY
183 -- New York, NY
184 -- Pittsburg, PA
185 -- Orlando, FL
186 -- Oakland, CA
187 -- Denver, CO
188 -- New York, NY
Also, there tends to be alot of talk
about the Code 11, Code 12, KP2, STP,
ST3P, & ST2P keys. While they do exist
the blue boxer need not concern himself
with them. The first three are used on
CCITT System 5. This is the signaling
system that the International Senders
use to send information to other
countries. These codes are usually
added automatically just like the
language assistance digit [which
distinguishes operator (or blue box)
dialed calls from customer dialed
calls]. The STP, ST3P, & ST2P tones
are used when equipment is
communicating with the TSPS. These
also are automatically added when
needed in most cases.
[see Telcom III for more on
International Switching Centers (ISC)]
11XXX -- miscellaneous operators
11501 -- universal cordboard
operator
11511 -- conference operator
11521 -- mobile operator
11531 -- marine operator
11541 -- LD incoming switchboard
11551 -- leave word for time &
charges (neat stuff)
11561 -- same as 11551 but for
hotel/motels
11571 -- overseas operators --
language assistance
The 11XXX series is interesting
scanning material.
Miscellaneous Routing Codes :
-----------------------------
Alliance Teleconferencing has several
numbers, a few of which are listed
below:
KP + 213 080 XXXX + ST
KP + 305 025 XXXX + ST
KP + 312 001 XXXX + ST
XXXX = 1050, 1100, or a few others
Also, at KP + 317 009 + ST there is a
MF tone checker. After the
beep-kerclunk, dial in KP + 999 1234567
890 + ST and it will repeat the digits
that you pulsed if they are of the
right frequency.
Tandem Scanning:
----------------
To find all sorts of interesting
things, you must look. Begin scanning
three digit codes in your area (i.e.,
KP + 000 + ST, KP + 001 + ST, etc.).
Keep track of all of your results.
Sometimes you must probe things, send
additional digits and see what happens,
send touch-tone, send it 2600 Hz, rip
it apart. You never know, you may run
into something phun, like a computer
that checks CC numbers.
Incidentally, in some exchange you can
dial inwards and other box codes
directly! For example, 914-121-1111
will get you a NY inward. The only
problem is that a 0 or 1 as the first
digit of the exchange is usually
prohibited in customer dialing.
Somebody may have "accidentally"
changed this screening code on your
ESS's computer, though -- you never
know and it can't hurt to try. WATS
translation numbers also take up some
of the 0XX & 1XX codes.
Finally, certain tones on the blue box
can also be used for other purposes.
An MF "2" corresponds to COIN COLLECT
while "KP" corresponds to COIN RETURN.
Thus every blue box is also a green box
(see Telcom VI).
Coming soon:
------------
Telcom VIII will deal with cordless
phones, mobile phones, and other neat
things.
Be careful and have phun,
*****BIOC
*=$=*Agent
*****003
<<=-FARGO 4A-=>>
January 21, 1985
---------------------------------------
The preceding was intended for
informational purposes only. The
implementation of some of the above
mentioned information may be a
violation of state and/or federal laws.
---------------------------------------
[Sherwood Forest ][ -- (914) 359-1517]
PS All sysops are welcome to use this
material in its unadulterated form.
PPS Any and all threats, comments,
suggestions, and/or subpoenas are
welcome.