home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
LSD Docs
/
LSD Docs.iso
/
FILEZ
/
lsd22.dms
/
lsd22.adf
/
PhreakersPhunhouse.pp
/
PhreakersPhunhouse
Wrap
Text File
|
1990-09-07
|
89KB
|
2,747 lines
/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
/-/ /-/
/-/ Phreaker's /-/
/-/ PhunHouse /-/
/-/ /-/
/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
/-/ By: /-/
/-/ The Traveler /-/
/-/ /-/
/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
The long awaited prequil to Phreaker's Guide has finally arrived.
Conceived from the boredom and loneliness that could only be derived from:
The Traveler! But now, he has returned in full strength (after a small
vacation) and is here to 'World Premiere' the new files everywhere. Stay
cool. This is the prequil to the first one, so just relax. This is not made
to be an exclusive ultra elite file, so kinda calm down and watch in the
background if you are too cool for it.
/-/ Phreak Dictionary /-/
Here you will find some of the basic but necessary terms that should be
known by any phreak who wants to be respected at all.
Phreak : 1. The action of using mischevious and mostly illegal
ways in order to not pay for some sort of tele-
communications bill, order, transfer, or other service.
It often involves usage of highly illegal boxes and
machines in order to defeat the security that is set
up to avoid this sort of happening. [fr'eaking]. v.
2. A person who uses the above methods of destruction and
chaos in order to make a better life for all. A true
phreaker will not not go against his fellows or narc
on people who have ragged on him or do anything
termed to be dishonorable to phreaks. [fr'eek]. n.
3. A certain code or dialup useful in the action of
being a phreak. (Example: "I hacked a new metro
phreak last night.")
Switching System: 1. There are 3 main switching systems currently employed
in the US, and a few other systems will be mentioned
as background.
A) SxS: This system was invented in 1918 and was
employed in over half of the country until 1978. It
is a very basic system that is a general waste of
energy and hard work on the linesman. A good way to
identify this is that it requires a coin in the phone
booth before it will give you a dial tone, or that no
call waiting, call forwarding, or any other such
service is available. Stands for: Step by Step
B) XB: This switching system was first employed in 1978
in order to take care of most of the faults of SxS
switching. Not only is it more efficient, but it
also can support different services in various forms.
XB1 is Crossbar Version 1. That is very limited and
is hard to distinguish from SxS except by direct view
of the wiring involved. Next up was XB4, Crossbar
Version 4. With this system, some of the basic things
like DTMF that were not available with SxS can be
accomplished. For the final stroke of XB, XB5 was
created. This is a service that can allow DTMF plus
most 800 type services (which were not always
available.) Stands for: Crossbar.
C) ESS: A nightmare in telecom. In vivid color, ESS is
a pretty bad thing to have to stand up to. It is
quite simple to identify. Dialing 911 for emergencies,
and ANI [see ANI below] are the most common facets of
the dread system. ESS has the capability to list in a
person's caller log what number was called, how long
the call took, and even the status of the conversation
(modem or otherwise.) Since ESS has been employed,
which has been very recently, it has gone through
many kinds of revisions. The latest system to date is
ESS 11a, that is employed in Washington D.C. for
security reasons. ESS is truly trouble for any
phreak, because it is 'smarter' than the other
systems. For instance, if on your caller log they saw
50 calls to 1-800-421-9438, they would be able to do
a CN/A [see Loopholes below] on your number and
determine whether you are subscribed to that service
or not. This makes most calls a hazard, because
although 800 numbers appear to be free, they are
recorded on your caller log and then right before you
receive your bill it deletes the billings for them.
But before that the are open to inspection, which is
one reason why extended use of any code is dangerous
under ESS. Some of the boxes [see Boxing below] are
unable to function in ESS. It is generally a menace
to the true phreak. Stands For: Electronic Switching
System. Because they could appear on a filter
somewhere or maybe it is just nice to know them
anyways.
A) SSS: Strowger Switching System. First
non-operator system available.
B) WES: Western Electronics Switching. Used about 40
years ago with some minor places out west.
Boxing: 1) The use of personally designed boxes that emit or
cancel electronical impulses that allow simpler
acting while phreaking. Through the use of separate
boxes, you can accomplish most feats possible with
or without the control of an operator.
2) Some boxes and their functions are listed below.
Ones marked with '*' indicate that they are not
operatable in ESS.
*Black Box: Makes it seem to the phone company that
the phone was never picked up.
Blue Box : Emits a 2600hz tone that allows you to do
such things as stack a trunk line, kick
the operator off line, and others.
Red Box : Simulates the noise of a quarter, nickel,
or dime being dropped into a payphone.
Cheese Box : Turns your home phone into a pay phone to
throw off traces (a red box is usually
needed in order to call out.)
*Clear Box : Gives you a dial tone on some of the old
SxS payphones without putting in a coin.
Beige Box : A simpler produced linesman's handset that
allows you to tap into phone lines and
extract by eavesdropping, or crossing
wires, etc.
Purple Box : Makes all calls made out from your house
seem to be local calls.
ANI [ANI]: 1) Automatic Number Identification. A service
available on ESS that allows a phone service [see
Dialups below] to record the number that any certain
code was dialed from along with the number that was
called and print both of these on the customer bill.
950 dialups [see Dialups below] are all designed
just to use ANI. Some of the services do not have
the proper equipment to read the ANI impulses yet,
but it is impossible to see which is which without
being busted or not busted first.
Dialups [dy'l'ups]: 1) Any local or 800 extended outlet that allows instant
access to any service such as MCI, Sprint, or AT&T
that from there can be used by handpicking or using
a program to reveal other peoples codes which can
then be used moderately until they find out about
it and you must switch to another code (preferrably
before they find out about it.)
2) Dialups are extremely common on both senses. Some
dialups reveal the company that operates them as
soon as you hear the tone. Others are much harder
and some you may never be able to identify. A small
list of dialups:
1-800-421-9438 (5 digit codes)
1-800-547-6754 (6 digit codes)
1-800-345-0008 (6 digit codes)
1-800-734-3478 (6 digit codes)
1-800-222-2255 (5 digit codes)
3) Codes: Codes are very easily accessed procedures
when you call a dialup. They will give you some sort
of tone. If the tone does not end in 3 seconds,
then punch in the code and immediately following the
code, the number you are dialing but strike the
'1' in the beginning out first. If the tone does
end, then punch in the code when the tone ends.
Then, it will give you another tone. Punch in the
number you are dialing, or a '9'. If you punch in
a '9' and the tone stops, then you messed up a
little. If you punch in a tone and the tone
continues, then simply dial then number you are
calling without the '1'.
4) All codes are not universal. The only type that I
know of that is truly universal is Metrophone.
Almost every major city has a local Metro dialup
(for Philadelphia, (215)351-0100/0126) and since the
codes are universal, almost every phreak has used
them once or twice. They do not employ ANI in any
outlets that I know of, so feel free to check
through your books and call 555-1212 or, as a more
devious manor, subscribe yourself. Then, never use
your own code. That way, if they check up on you due
to your caller log, they can usually find out that
you are subscribed. Not only that but you could set
a phreak hacker around that area and just let it
hack away, since they usually group them, and, as a
bonus, you will have their local dialup.
5) 950's. They seem like a perfectly cool phreakers
dream. They are free from your house, from payphones,
from everywhere, and they host all of the major long
distance companies (950-1044 <MCI>, 950-1077
<Sprint>, 950-1088 <Skylines>, 950-1033 <Us
Telecom>.) Well, they aren't. They were designed for
ANI. That is the point, end of discussion.
A phreak dictionary. If you remember all of the things contained on
that fileup there, you may have a better chance of doing whatever it is you
do. This next section is maybe a little more interesting...
Blue Box Plans:
---------------
These are some blue box plans, but first, be warned, there have been
2600hz tone detectors out on operator trunk lines since XB4. The idea behind
it is to use a 2600hz tone for a few very naughty functions that can really
make your day lighten up. But first, here are the plans, or the heart of the
file:
700 : 1 : 2 : 4 : 7 : 11 :
900 : + : 3 : 5 : 8 : 12 :
1100 : + : + : 6 : 9 : KP :
1300 : + : + : + : 10 : KP2 :
1500 : + : + : + : + : ST :
: 700 : 900 :1100 :1300 :1500 :
Stop! Before you diehard users start piecing those little tone tidbits
together, there is a simpler method. If you have an Apple-
Cat with a
program like Cat's Meow IV, then you can generate the necessary tones, the
2600hz tone, the KP tone, the KP2 tone, and the ST tone through the dial
section. So if you have that I will assume you can boot it up and it works,
and I'll do you the favor of telling you and the other users what to do with
the blue box now that you have somehow constructed it. The connection to an
operator is one of the most well known and used ways of having fun with your
blue box. You simply dial a TSPS (Traffic Service Positioning Station, or
the operator you get when you dial '0') and blow a 2600hz tone through the
line. Watch out! Do not dial this direct! After you have done that, it is
quite simple to have fun with it. Blow a KP tone to start a call, a ST tone
to stop it, and a 2600hz tone to hang up. Once you have connected to it,
here are some fun numbers to call with it:
0-700-456-
1000 Teleconference (free, because you are the operator!)
(Area code)-101 Toll Switching
(Area code)-121 Local Operator (hehe)
(Area code)-131 Information
(Area code)-141 Rate & Route
(Area code)-181 Coin Refund Operator
(Area code)-11511 Conference operator (when you dial 800-544-6363)
Well, those were the tone matrix controllers for the blue box and some
other helpful stuff to help you to start out with. But those are only the
functions with the operator. There are other k-
fun things you can do with it.
More advanced Blue Box Stuff:
Oops. Small mistake up there. I forgot tone lengths. Um, you blow a
tone pair out for up to 1/10 of a second with another 1/10 second for silence
between the digits. KP tones should be sent for 2/10 of a second. One way to
confuse the 2600hz traps is to send pink noise over the channel (for all of
you that have decent BSR equalizers, there is major pink noise in there.)
Using the operator functions is the use of the 'inward' trunk line.
Thatis working it from the inside. From the 'outward' trunk, you can do such
things as make emergency breakthrough calls, tap into lines, busy all of the
lines in any trunk (called 'stacking'), enable or disable the TSPS's, and
for some 4a systems you can even re-route calls to anywhere.
All right. The one thing that every complete phreak guide should be
without is blue box plans, since they were once a vital part of phreaking.
Another thing that every complete file needs is a complete listing of all of
the 800 numbers around so you can have some more Fu7nC
/-/ 800 Dialup Listings /-/
1-800-345-0008 (6) 1-800-547-6754 (6)
1-800-245-4890 (4) 1-800-327-9136 (4)
1-800-526-5305 (8) 1-800-858-9000 (3)
1-800-437-9895 (7) 1-800-245-7508 (5)
1-800-343-1844 (4) 1-800-322-1415 (6)
1-800-437-3478 (6) 1-800-325-7222 (6)
All right, set Cat Hacker 1.0 on those numbers and have a fuck of a
day. That is enough with 800 codes, by the time this gets around to you I
dunno what state those codes will be in, but try them all out anyways and
see what you get. On some 800 services now, they have an operator who will
answer and ask you for your code, and then your name. Some will switch back
and forth between voice and tone verification, you can never be quite sure
which you will be upagainst.
Armed with this knowledge you should be having a pretty good time
phreaking now. But class isn't over yet, there are still a couple important
rules that you should know. If you hear continual clicking on the line, then
you should assume that an operator is messing with something, maybe even
listening in on you. It is a good idea to call someone back when the phone
starts doing that. If you were using a code, use a different code and/or
service to call him back.
A good way to detect if a code has gone bad or not is to listen when
the number has been dialed. If the code is bad you will probably hear the
phone ringing more clearly and more quickly than if you were using a
different code. If someone answers voice to it then you can immediately
assume that it is an operative for whatever company you are using. The famed
'311311' code for Metro is one of those. You would have to be quite stupid
to actually respond, because whoever you ask for the operator will always
say 'He's not in right now, can I have him call you back?' and then they
will ask for your name and phone number. Some of the more sophisticated
companies will actually give you a carrier on a line that is supposed to
give you a carrier and then just have garbage flow across the screen like it
would with a bad connection. That is a feeble effort to make you think that
the code is still working and maybe get you to dial someone's voice, a good
test for the carrier trick is to dial anumber that will give you a carrier
that you have never dialed with that code before, that will allow you to
determine whether the code is good or not. For our next section, a lighter
look at some of the things that a phreak should not be without. A vocabulary.
A few months ago, it was a quite strange world for the modem people out
there. But now, a phreaker's vocabulary is essential if you wanna make a
good impression on people when you post what you know about certain subjects.
/-/ Vocabulary /-/
- Do not misspell except certain exceptions:
phone -> fone
freak -> phreak
- Never substitute 'z's for 's's. (i.e. codez -> codes)
- Never leave many characters after a post (i.e. Hey Dudes!#!@#@!#!@)
- NEVER use the 'k' prefix (k-kool, k-rad, k-whatever)
- Do not abbreviate. (I got lotsa wares w/ docs)
- Never substitute '0' for 'o' (r0dent, l0zer).
- Forget about ye old upper case, it looks ruggyish.
All right, that was to relieve the tension of what is being drilled
into your minds at the moment. Now, however, back to the teaching course.
Here are somethings you should know about phones and billings for phones,
etc.
LATA: Local Access Transference Area. Some people who live in large
cities or areas may be plagued by this problem. For instance, let's say you
live in the 215 area code under the 542 prefix (Ambler, Fort Washington). If
you went to dial in a basic Metro code from that area, for instance,
351-
0100, that might not be counted under unlimited local calling because it
is out of your LATA. For some LATA's, you have to dial a '1' without the
area code before you can dial the phone number. That could prove a hassle
for us all if you didn't realize you would be billed for that sort of call.
In that way, sometimes, it is better to be safe than sorry and phreak.
The Caller Log: In ESS regions, for every household around, the phone
company has something on you called a Caller Log. This shows every single
number that you dialed, and things can be arranged so it showed every number
that was calling to you. That's one main disadvantage of ESS, it is mostly
computerized so a number scan could be done like that quite easily. Using a
dialup is an easy way to screw that, and is something worth remembering.
Anyways, with the caller log, they check up and see what you dialed. Hmm...
you dialed 15 different 800 numbers that month. Soon they find that you are
subscribed to none of those companies. But that is not the only thing. Most
people would imagine "But wait! 800 numbers don't show up on my phone
bill!". To those people, it is a nice thought, but 800 numbers are picked up
on the caller log until right before they are sent off to you. So they can
check right up on you before they send it away and can note the fact that
you fucked up slightly and called one too many 800 lines.
Right now, after all of that, you should have a pretty good idea of how
to grow up as a good phreak. Follow these guidelines, don't show off, and
don't take unnecessary risks when phreaking or hacking.
File Level:5
/-/ Credits /-/
To The Videosmith - for setting me straight on some shit.
To The Linesman - for telling me to upload it to his AE line.
To Modern Mutant - for making me into a phreaking freak.
To Jack the Nibbler- for the basis of the blue box plans.
/---------------------------------\
| Bulletin Board List |
| --------------------- |
| Sirius Cybernetic's BBSystem |
| 808-521-3306 40megs |
\---------------------------------/
Later,
The Traveler
******* Agent Berg's course in ******
* *
* ========================== *
* =BASIC TELECOMMUNICATIONS= *
* ========================== *
* PART I *
***************************************
PREFACE:
In part I, we will explore the various
special Bell #'s, such as: CN/A, AT&T
Newslines, loops, 99XX #'s, ANI,
ringback, and a few others.
CN/A:
-----
CN/A, which stands for Customer Name
and Address, are bureaus that exist so
that authorized Bell employees can find
out the name and address of any
customer in the Bell System. All #'s
are maintained on file including
unlisted #'s.
Here's how it works:
1) You have a # and you want to find
out who owns it, e.g. (914) 555-1234.
2) You look up the CN/A # for that NPA
in the list below. In the example, the
NPA is 914 and the CN/A # is
518-471-8111.
3) You then call up the CN/A # (during
business hours) and say something like,
"Hi, this is John Jones from the
residential service center in Miami.
Can I have the customer's name at
914-555-1234. That # is 914-555-1234."
Make up your own REAL sounding name,
though.
4) If you sound natural & cheery, the
operator will ask no questions.
Here's the list:
NPA CN/A # NPA CN/A #
--- ------------ --- ------------
201 201-676-7070 517 313-232-8690
202 202-384-9620 518 518-471-8111
203 203-789-6800 519 416-487-3641
204 ****N/A***** 601 601-961-0877
205 205-988-7000 602 303-232-2300
206 206-382-8000 603 617-787-2750
207 617-787-2750 604 604-432-2996
208 303-232-2300 605 402-345-0600
209 415-546-1341 606 502-583-2861
212 518-471-8111 607 518-471-8115
213 213-501-4144 608 414-424-5690
214 214-948-5731 609 201-676-7070
215 412-633-5600 612 402-345-0600
216 614-464-2345 613 416-487-3641
217 217-525-7000 614 614-464-2345
218 402-345-0600 615 615-373-5791
219 317-265-7027 616 313-223-8690
301 301-534-1168 617 617-787-2750
302 412-633-5600 618 217-525-7000
303 303-232-2300 701 402-345-0600
304 304-344-8041 702 415-546-1341
305 912-784-9111 703 804-747-1411
306 ****N/A***** 704 912-784-9111
307 303-232-2300 705 416-487-3641
308 402-345-0600 707 415-546-1341
309 217-525-7000 709 ****N/A*****
312 312-769-9600 712 402-345-0600
313 313-223-8690 713 713-658-1793
314 314-436-3321 714 213-995-0221
315 518-471-8111 715 414-424-5690
316 816-275-2782 716 518-471-8111
317 317-265-7027 717 412-633-5600
318 318-227-1551 801 303-232-2300
319 402-345-0600 802 617-787-2750
401 617-787-2750 803 912-784-9111
402 402-345-0600 804 804-747-1411
403 403-425-2652 805 415-546-1341
404 912-784-9111 806 512-828-2502
405 405-236-6121 807 416-487-3641
406 303-232-2300 808 212-226-5487
408 415-546-1341 Bermuda Only
412 412-633-5600 809 212-334-4336
413 617-787-2750 812 317-265-7027
414 414-424-5690 813 813-228-7871
415 415-546-1132 814 412-633-5600
416 416-487-3641 815 217-525-7000
417 314-436-3321 816 816-275-2782
418 514-861-6391 817 214-948-5731
419 614-464-2345 819 514-861-6391
501 405-236-6121 901 615-373-5791
502 502-583-2861 902 902-421-4110
503 503-241-3440 903 ****N/A*****
504 504-245-5330 904 912-784-9111
505 303-232-2300 906 313-223-8690
506 506-657-3855 907 ****N/A*****
507 402-345-0600 912 912-784-9111
509 206-382-8000 913 816-275-2782
512 512-828-2501 914 518-471-8111
513 614-464-2345 915 512-828-2501
514 514-861-6391 916 415-546-1341
515 402-345-0600 918 405-236-6121
516 518-471-8111 919 912-784-9111
Bell uses these #'s mainly to find out
who owns a # that a customer claims he
never called.
NOTE: This is the most complete list
of CN/A #'s in my possession
(with only 5 #'s not available)
This list was copyrighted in
1982 by "Judas Gerard" as it
originally appeared in TAP issue
#78. (TAP, Room 603, 147 W 42nd
St, New York, NY 10036--
Subscriptions $10/yr.)
AT&T NEWSLINES:
---------------
Newslines are recordings that Bell
employees call up to find out the
latest info on stock, technology, etc.
concerning the Bell System.
Here are the #'s that are currently
known to phreaks (at least me, anyway):
201-483-3800 NJ 513-421-9060 OH
203-771-4920 CT 516-234-9914 NY
212-393-2151 NY 518-471-2272 NY
213-621-4141 CA 617-955-1111 MA
213-829-0111 CA (GTE) 702-789-6711 NV
213-449-8830 CA 713-224-6116 TX
312-368-8000 IL 714-238-1111 CA
313-223-7223 MI 717-255-5555 PA
314-247-5511 MO 717-787-1031 PA
408-493-5000 CA 802-955-1111 VE
412-633-3333 PA 808-533-4426 HI
414-678-3511 WI 813-223-5666 FL
416-929-4323 ONT. 914-948-8100 NY
503-228-6271 OR 916-480-8000 CA
=======
=LOOPS=
=======
First of all, you must understand the
concept of loops. I think that the
best way that this is understood is the
way that Phred Phreek explained it...
"No self-respecting Phone Phreak can go
through life without knowing what a
loop is, how to use one, and the types
that are available. The loop is a
great alternative communication medium
that has many potential uses that
havent't even been tapped yet. In
order to explain what a loop is, it
would be helpful to visualize two phone
numbers (lines) just floating around in
the Telco central office (CO). Now, if
you (and a friend perhaps) were to call
these two numbers at the same time,
POOOOPFFF!!!, you are now connected
together. I hear what you're saying
out there..., "Big deal" or "Why should
Ma Bell collect here two MSU'S (message
units) for one lousy phone call!?"
Well... think again. Haven't you ever
wanted someone to call you back but,
were reluctant to give out your home
phone number (like the last time you
tried to get your friend's unlisted #
from the business offfice)? Or how
about a collect call to your friend
waiting on a loop, who will gladly
accept the charges? Or better yet,
stumbling upon a loop that you discover
that has multi-user capability (for
those late-night conferences). Best of
all is finding a non-supervised loop
that doesn't charge any MSU's or tolls
to one or both parties. Example: many
moons ago, a loop affectionately known
as 'the 332 Loop' was non-sup (ie, non-
supervised) on the tone side. I had my
friend in California dial the free
(non-sup) side, (212) 332-9906 and I
dialed the side that charged, 332-9900.
As you can see, I was charged one MSU,
and my friend was charged zilch, for as
long as we wished to talk!!!"
*****
Ahhh...have I perked your interest yet?
If so, here is how to find a loop of
you very own. First, do all of you
loop searching at NIGHT! This is
because the loops serve a genuine test
function which Telco uses during the
day. (We don't want to run into an
irate lineman now, do we?) To find
a loop, having 2 #'s is a definite
plus. If not, have a friend to dial
#'s at his location. Last resort, try
dialing from two adjacent pay phones.
Now get your trusty white pages (*),
and turn to the page where it lists
the # of MSU's from your exchange (or
exchanges in your primary calling area)
The idea is to find a loop that is
within your primary calling area or is
only 1 MSU in your area (call area A).
This is so you don't go bankrupt trying
to find a loop. Write down all of
these exchanges and do a 99XX scan of
those exchanges (99XX scanning will be
discussed shortly).
Before we get up to 99XX scanning, we
will look at some other loop info:
Loops are found pairs which are usually
close to each other. For example, in
NPA 212, where the infamous loops are
found, there is a standard loop format:
Manhattan & Bronx-------NNX-9977/9979
Brooklyn & Queens-------NNX-9900/9906
NNX is the exchange to be scanned. Here
are some loops that have been found in
NYC. These are used mostly by Phreaks
and call-in lines for pirate radio
stations:
212-220-9900/9906
212-283-9977/9979
212-352-9900/9906
212-365-9977/9979
212-529-9900/9906
212-562-9977/9979
212-982-9977/9979
212-986-9977/9979
The lower # is the tone side (singing
switch). The higher # is always
silent. The tone disappears on the
lower # when somebody dials in the
other side of the loop. If you are on
the higher #, you'll have to listen to
the clicks to see if somebody
dialed-in. The NYC 982 & 986 loops are
different from others. Usually when you
park on a loop, you will hear who ever
calls in on the other half. When
they're done, the next caller (if any)
will be queued in, one after another.
On the NYC 982 & 986, you sometimes
can't get any more callers in after the
first. Furthermore, if you park one of
these loops and there is nobody on the
other end for more than 4 minutes, you
may be automatically disconnected.
These loops are good for back-up
purposes when all other loops are busy.
99XX Scanning:
--------------
Most every exchange in the Bell System
has a wide variety of test #'s and
other "goodies," such as loops.
These "goodies" are usually found
between 9900 and 9999 in your local
exchange. If you have the time and
initiative, scan your exchange and you
may become lucky!
Here are my findings in the 914-268:
9901 - Verification (recording of a/c
and exchange)
9936 - Voice # to the Telco CO
9937 - Voice # to the Telco CO
9941 - Carrier
9960 - Osc. Tone (tone side loop)
9963 - Tone (stops: muted)
9966 - Carrier
9968 - Tone that disappears--responds
to certain touch-tone keys
Most of the #'s between 9900 & 9999
will ring, be busy, go to a special
intercept operator ("what #, please?")
, or will go to a "the # you have
reached..." recording. What you find
depends upon the switching equipment in
the exchange and the Telco operating
company.
When searching for loops, you may find
one of the following possibilities when
you find one:
1. You can hear through the loop (not
muted), but there is a 1/2 second
click every 10 seconds that
interrupts the audio. This type is
good for back-up use but the %$#'&"
click is super annoying.
2. One side of the loop is busy; try
it again later.
3. The tone disappears, but you cannot
hear through it (the loop is muted,
try again in a month or so)
4. You get "The # you have reached
recording." No loop there!
Most loops are muted (#3), but their
status does changes from time-to-time.
It all depends if the Telco maintenance
personnel remember to "throw the
switch", ie, turn off the loop.
Since I have done the above 914-268
99XX scan, Congers (268) has installed
new switching equipment (DMS100). Some
of the numbers are the same, but I have
noticed that on the DMS100, the
recordings are also stored in this
area. 268-9903, 9906, 9909, & 9912 are
all different recordings. Also, there
are 2 fortress fone recordings at 268-
9911 (deposit 5 cents or else) and 268-
9913 (deposit 10 cents). None of these
recordings supe and alot of other 99XX
#'s don't supe either.
In some areas (like MD), 9906-7 is
ringback. In Washington, there is a
sweep tone test at (202) 560-9944. In
NYC (212), you'll find the infamous
loop lines (as mentioned above).
It will be easier to scan your exchange
if you make up a chart like the one
below:
NPA-NNX-99XX SCAN
--------------------------------------
!99X X>:0 :1 :2 :3 :4 :5 :6 :7 :8 :9 !
--------------------------------------
!990 : : : : : : : : : : !
--------------------------------------
!991 : : : : : : : : : : !
--------------------------------------
!992 : : : : : : : : : : !
--------------------------------------
!993 : : : : : : : : : : !
--------------------------------------
!994 : : : : : : : : : : !
--------------------------------------
!995 : : : : : : : : : : !
--------------------------------------
!996 : : : : : : : : : : !
--------------------------------------
!997 : : : : : : : : : : !
--------------------------------------
!998 : : : : : : : : : : !
--------------------------------------
!999 : : : : : : : : : : !
--------------------------------------
This leaves you with 100 boxes (1 for
each # between 9900 & 9999). You
should make your boxes big enough so
you can write some sort of shorthand in
them. For example:
B - busy (try again at another time)
R - rings (try again at another time)
O - intercept operator ("what # you
calling?)
R1- recording 1 (make a margin note of
the types of reordings you get)
T - tone ] tone at a lower # + ignore
I - ignore ] at a higher # = loop
V - voice # to Telco CO - they usually
answer with the city name or area.
C - carrier
There will be others and you should
use other characters that you can
understand.
Now, back to loops! As you may have
noticed in my 914-268 scan, I found a
muted loop and a tone side. 914-268
failed to come up with the silent side
of a loop! Therefore, there is no loop
in that exchange. I then scanned
another exchange in my primary calling
area (914-634) and I found a loop!!
(914) 634-9923/9924
So, if at first you don't succeed, move
onto another exchange.
If you use the box method that I have
outlined above, you will see a T & I
next to each other for a loop.
Some exchanges are special. For
example, 914-623 is a testing bureau.
In this exchange, not only did I find a
loop, but I also found several
interesting tones, noises, and other
test functions. Also, the more
important the exchange is, the more you
will find. For example, in 914-623, I
found well over 10 voice #'s!
Also, loops are usually, but not
exclusively, found in the 99XX series.
For example:
(713) 324-1799/1499
is a loop.
The perfect loop? Here is what I would
look for:
1. Non-sup on one or both sides. To
check for a non-sup loop, go to a
tone-first fortress fone and dial
the #. If it asks for a dime, it
is supervised. If the call goes
through, then it is non-suped!
2. 800 loops would be a plus. They
are not necessarily found between
9900 & 9999 though. I would check
the 1XXX series first.
3. Multi-user loops are also a plus
for those late night conferences.
Finally, remember it is only a local
call to find out what you CO has in
store for you. If you find anything
interesting, be sure to drop me a line.
NOTE: Your local white pages can be a
valuable asset. You can also
order other fone books from your
business office (usually free
for books within your operating
company's district). A large
fone book, such as Manhattan,
contains much more info in the
first few pages than other
books.
=====
=ANI=
=====
Automatic Number Identification (ANI),
is a number that you call up that will
tell you what # you are calling from.
This has a few uses. First, were you
ever somewhere and the fone didn't have
a # printed on it? Or perhaps you were
fooling around in some cans (those
large boxes on fone poles that contain
terminals for lineman use--to be
discusses in a future chapter.) and you
want to know what what the line # is.
In NPA 914, the ANI is 990. In NPA's
212 & 516, ANI is 958. This varies
from area to area.
Here are some other ANI's that I have
seen:
890-751-5191
2022222222
1-XXX-1111 (in some 914 areas, esp.
under step-by-step
switching equipment, you
have to dial 1-990-1111)
To find ANI for other areas, check 3
digits #'s first, usually in the 9XX
series (excluding 911). In areas under
step-by-step (to be discussed in the
next part), try 1-9XX-1111.
ANI may also be in 99XX. Last resort,
try to get friendly with your neighbor
who works for the fone company.
Ringback:
---------
Ringback, as its name implies, calls
back the # you are at when you dial the
ringback #.
Ringback, in NPA 914, is 660. You dial
660+the last 4 digits of the fone. You
will then get a tone, hang-up quickly
and pick-up in about 2 seconds. You
will then get a second tone, hang-up
again and the fone will ring.
In NYC, it is also 660, but you may
have to press 6 or 7 before you hang up
for the first time (ie, at the first
tone).
Other ringback #'s that I have seen
are:
26011 - This 5 digit format is used
primarily on step-by-step.
The last 2 digits (11) are
dummy digits.
890-897-XXXX - XXXX are the last 4
digits of the fone #.
119911/11911/1199911 - GTE
NNX-9906/9907 - NPA 301, NNX is the
exchange
The reason you get the tone when you
pick-up after it rings is because in
some areas, people were using ringback
as an in-house intercom. They would
dial ringback, and when it stopped
ringing, they would pick-up & talk with
the person who picked up the other
extension. Bell didn't like this since
there is usually only 1 piece of
equipment in each exchange that does
the ringback. When people used this as
an intercom, linemen & repairmen
couln't get through! In some areas,
especially those under step-by-step,
ringback can still be used as an
intercom. Also, under step-by-step,
the ringback procedure it usually
simple. For example, in one area you
would dial 26011 and hang-up; it would
then ringback.
Touch-Tone Test:
----------------
In areas that have a Touch-Tone test,
you dial the ringback #. At the first
tone, you touch-tone digits 1-0. If
they are correct it will beep twice.
I have also seen a TT test in some
areas at: 890-751-5191
Coming Soon:
------------
In the next part, we will look at
various switching equipment and The
Network.
Break up of Bell:
-----------------
The operating companies are not going
to change all the switching equipment
around. While there will be some
changes, most of the information
provided here will remain pertinent
after January 1, 1984. Just substitute
the word "fone network" for Bell
System.
******BIOC Agent 003's course in*******
* *
* ========================== *
* =BASIC TELECOMMUNCIATIONS= *
* ========================== *
* PART II *
***************************************
PREFACE:
--------
Part II will deal with the various
types of operators, office hierarchy,
& switching equipment.
OPERATORS:
----------
There are many types of operators in
The Network and the more common ones
will be discussed.
TSPS Operator:
The TSPS (Traffic Service Position
System) Operator is probably the bitch
(or bastard for the phemale liberation-
ists) that most of us are use to having
to deal with.
Here are her responsibilities:
1) Obtaining billing information for
Calling Card or 3rd number calls.
2) Identifying called customer on
person-to-person calls.
3) Obtaining acceptance of charges on
collect calls.
4) Identifying calling numbers. This
only happens when the calling # is not
automatically recorded by CAMA
(Centralized Automatic Message
Accounting) & forwarded from the local
office. This could be caused by
equipement failures or if the office is
not equipped for CAMA (most are).
<I once had an equipment failure
happen to me & the TSPS operator came
on and said, "What # are you calling
FROM?" Out of curiosity, I gave her
the # to my CO, she thanked me & then
I was connected to a conversion that
appeared to be between a frameman & his
wife. Then it started ringing the
party I originally wanted to call &
everyone phreaked out (excuse the pun).
I immediately dropped this dual line
conference!>
You shouldn't mess with the TSPS
operator since she KNOWS where you are
calling from. She also knows whether
or not you are at a fortress fone & she
can trace calls quite readily. Out of
all the operators, she is one of the
MOST DANGEROUS.
INWARD Operator:
This operator assists your local TSPS
("O") operator in connecting calls.
She will never question a call as long
as the call is within HER SERVICE AREA.
She can only be reached via other
operators or by a Blue Box. From a BB,
you would dial KP+NPA+121+ST for the
INWARD operator that will help you
connect any calls within that NPA area
only. (Blue Boxing will be discussed in
a future part of BASIC TELCOM)
DIRECTORY ASSISTANCE Operator:
This is the operator that you are
connected to when you dial: 411 or
NPA-555-1212. She does not readily
know where you are calling from. She
does not have access to unlisted #'s,
but she does know if an unlisted #
exists for a certain listing.
There is also a directory assistance
for deaf people who use Teletypewriters
If you modem can transfer BAUDOT (the
Apple Cat can), then you can call her
up and have an interesting conversation
with her. The # is: 800- 855-1155.
She uses the standard Telex
abbreviations such as GA for Go Ahead.
They tend to be nicer & will talk
longer than your regular operators.
Also, they are more vulnerable into
being talked out of information through
the process of "social engineering" as
Cheshire Catalyst would put it.
Other operators have access to their
own DA by dialing KP+NPA+131+ST (MF).
This is a little out of the scope of
this tutorial, but many telco's are
now charging for calls to dir. asst.
You can beat this by:
(1) count how many calls you make to
directory assistance in a billing
period. Go to a fortress fone & dial
DA. When the operator comes on, give
her a name that you know has an
unlisted # or ask for a town that isn't
in the NPA. She will then ask for your
# so she can credit the call to you.
Give her your home #; she doesn't know
that you are making a free call from
the fortress. Just make sure that you
don't credit yourself for more calls
than you actually made or you might
have a few problems!
(2) If you have a BAUDOT terminal, use
the 800 #; it's free & there is one #
for all requests.
C/NA Operators:
C/NA operators are operators that do
exactly the opposite of what directory
assistance operators are for. See part
II, for more info on C/NA & #'s. In my
experiences, these operators know more
than the DA op's do & they are more
susceptible to "social engineering." It
is possible to bullshit a C/NA operator
for the NON-PUB DA # (ie, you give them
the name & they give you the unlisted
#). This is due to the fact that they
assume your are a phellow company
employee.
INTERCEPT Operator:
The intercept operator is the one that
you are connected to when there are not
enough recordings available to tell you
that the # has been disconnected or
changed. She usually says, "What # you
callin'?" with a foreign accent. This
is the lowest operator lifeform. Even
though they don't know where you are
calling from, it is a waste of your
time to try to verbally abuse them
since they usually understand very
little English.
OTHER Operators:
And then there are the: Mobile,
Ship-to-Shore, Conference, Marine
Verify, "Leave Word & Call Back," Rout
& Rate (KP+NPA+141+ST), & other special
operators who have one purpose or
another in the Network.
Problems with an Operator? Ask to
speak to their supervisor...Which is
the equivalent of the Madame in a
whorehouse (if you will excuse the
analogy).
By the way, some CO's that will allow
you to dial a 1 or 0 as the 4th digit,
will also allow you to call special
operators without a blue box. This is
very rare though! For example, 212-
121-1111 will get you a NY Inward
Operator.
==================
=OFFICE HIERARCHY=
==================
Every switching office office in North
America (the NPA system), is assigned
an office name & class. There are five
classes of offices numbered 1 through
5. Your CO is most likely a class 5 or
end office. All Long-Distance (Toll)
calls are switched by a toll office
which can be a class 4, 3, 2, or 1
office. There is also a 4X office
called an intermediate point. The 4X
office is a digital one that can have
an unattended exchange attached to it
(known as a Remote Switching Unit-RSU).
The following chart will list the
Office #, name, & how many of those
offices existed in North America in
1981.
Class Name Abb # Existing
----- ---------------- --- ------------
1 Regional Center RC 12
2 Sectional Center SC 67
3 Primary Center PC 230
4 Toll Center TC 1,300
4P Toll Point TP
4X Intermediate Pt IP
5 End Office EO 19,000
R RSU RSU
When connecting a call from one party
to another, the switching equipment
usually tries to find the shortest
route between the Class 5 end office of
the caller & the Class 5 end office of
the called party. If no inter-office
trunks exist between the 2 parties, it
will then move upto the next highest
office for servicing (Class 4). If the
Class 4 office cannot handle the call
by sending it to another Class 4 or 5
office, it will be sent to the next
office in the hierarchy (3). The
switching equipment first uses the
high-usage interoffice trunk groups, if
they are busy it then goes to the final
trunk groups on the next highest level.
If the call cannot be connected then,
you will probably get a re-order
(120IPM busy signal) signal. At this
time, the guys at Network Operations
are probably shitting in their pants
and trying to avoid the dreaded Network
Dreadlock (as seen on TV!).
It is also interesting to note that 9
connections in tandem is called
ring-around-the rosy and it has never
occurred in telephone history. This
would case an endless loop connection.
[ a neat way to really screw-up the
Network]
The 10 regional centers in the US & the
2 in Canada are all interconnected.
They form the foundation of the entire
telephone network. Since there are
only 12 of them, they are listed below:
Class 1 Regional Office Location NPA
---------------------------------- ---
Dallas 4 ESS 214
Wayne, PA 215
Denver 4T 303
Regina No.2 SP1-4W [Canada] 306
St. Louis 4T 314
Rockdale, GA 404
Pittsburgh 4E 412
Montreal No.1 4AETS [Canada] 504
Norwich, NY 607
San Bernardino, CA 714
Norway, IL 815
White Plains 4T, NY 914
The following diagram demonstrates how
the various offices may be connected:
^----------^----------^ Regional
_|_ _|_ _|_Offices
-----|1| <----> |1| <----> |1|-----
--- --- ---
| Others\/
-^-------^-------^------^---------^
_|_ _|_ _|_ _|__ _|_
|2| |3| |4| |4P| |5|
--- --- --- -^^- ---
| | | |
^----^ | ^----^ |
_|_ _|_ | __|_ _|_ |
|3| |4| | |4X| |5| ^-----^
--- -^- | ---- --- _|__ _|_
^ | |4X| |5|
__|_ | ---- ---
|5R| |-------------^
-^^- /--------|---------\
_|_ _|_ _|_ _|__
|R| |4| |5| |5R|
--- --- --- ----
NOTE: The preceding diagram used
certain lower case characters
that may not be viewed as I
intended them if you are not
using as lower case terminal.
=====================
=SWITCHING EQUIPMENT=
=====================
In the Network, there are 3 major types
of switching equipment. They are known
as: Step, Crossbar, & ESS.
STEP-BY-STEP (SxS)
The Step-By-Step, a/k/a the Strowger
switch or two-motion switch, was
invented in 1889 by an undertaker named
Almon Strowger. He invented this
mechanical switching equipment because
he felt that the biased operator was
routing all requests for an
'undertaker' to her husband's business.
Bell started using this system in 1918
& as of 1978, over 53% of the Bell
exchanges used this method of
switching.
Step-by-Step switching is controlled
directly by the dial pulses which move
a series of switches (called the switch
train) in order. When you first pick
up the fone under SxS, a linefinder
acknowledges the request (sooner or
later) by sending a dial tone. If you
then dialed 1234, the equipment would
first find an idle selector switch. It
would then move vertically 1 pulse, it
would then move horizontally to find a
free second selector, it would then
move 2 vertical pulses, step
horizontally to find the next selector,
etc. Thus the first switch in the
train takes no digits, the second
switch takes 1 digit, the third switch
takes 1 digit, & the last switch in the
train (called the connector) takes the
last 2 digits & connects your calls.
A normal (10,000 line) exchange
requires 4 digits (0000-9999) to
connect a local call & thus it takes
4 switches to connect every call
(linefinder, 1st & 2nd selectors, & the
connector) .
While it was the first, SxS sucks for
the following reasons:
[1] The switched often become jammed
thus the calls often become blocked.
[2] You can't use DTMF (Dual-Tone
Multi-Frequency a/k/a Touch-Tone)
directly. It is possible that the Telco
may have installed a conversion kit but
then the calls will go through just as
slow as pulse, anyway!
[3] They use a lot of electricity &
mechanical maintenance. (bad from Telco
point of view)
[4] Everything is hardwired.
They can still hook up pen registers &
other shit on the line so it is not
exactly a phreak haven.
You can identify SxS offices by:
(1) Lack of DTMF or pulsing digits
after dialing DTMF.
(2) If you go near the CO, it will
sound like a typewriter testing
factory.
(3) Lack of speed calling, call
forwarding, & other customer
services.
(4) Fortress fones that want your
money first (as opposed to dial tone
first ones).
The preceding don't necessarily imply
that you have SxS but they surely give
evidence that it might be. Also, if
any of the above characteristics exist,
it certainly isn't ESS! Also, SxS have
pretty much been eradicated from large
metropolitan areas such as NYC (212).
CROSSBAR:
There are 3 major types of Crossbar
systems called: No. 1 Crossbar (1XB),
No. 4 Crossbar (4XB), & No. 5 Crossbar
(5XB). 5XB has been the primary end
office switch of Bell since the 60's
and thus it is in wide-use.
Crossbar uses a common control
switching method. When there is an
incoming call, a stored program
determines its route through the
switching matrix.
In Crossbar, the basic operation
principle is that a horizontal &
a vertical line are energized in a
matrix known as the crosspoint matrix.
The point where these 2 lines meet in
the matrix is the connection.
+===+
=ESS=
+===+
Electronic Switching System (ESS)
The Phreak's Nightmare Come True
(or Orwell's Prophecy as 2600 puts it)
ESS is Bell's move towards the Airstrip
One society depicted in Orwell's 1984.
With ESS, EVERY single digit that you
dial is recorded--even if it is a
mistake. They know who you call, when
you call, how long you talked for, &
probably what you talked about (in some
cases). ESS can (and is) also
programmed to print out #'s of people
who make excessive calls to 800 #'s or
directory assistance. This is called
the "800 Exceptional Calling Report."
ESS could also be programmed to print
out logs of who calls certain #'s--like
a bookie, a known communist, a BBS, etc
The thing to remember with ESS is that
it is a series of programs working
together. These programs can be very
easily changed to do whatever they want
it to do. One phreak whom I know has
some ESS source code listing which is
incredibly complex (as well as
documented--Gracias Dios). This system
makes the job of Bell Security, the
FBI, NSA, & other organizations that
like to invade privacy incredibly easy.
With ESS, tracing is done in
microseconds (Eine Augenblick) & the
results are printed at the console of a
Bell Gestapo officer. ESS will also
pick up any "foreign" tones on the line
such as 2600 Hz!
Bell predicts that the country will
become totally ESS by the 1990's.
You can identify ESS by the following
which are usually ESS functions:
[1] Dialing 911 for help.
[2] Dial-Tone-First fortresses.
[3] Custom Calling Services such as:
Call Forwarding, Speed Dialing, &
Call Waiting. (Ask your business
office if you can get these.)
[4] ANI (Automatic Number
Identification) on LD calls.
Phreaking does not come to a complete
halt under ESS though--just be very
careful, though!!!
Due to the fact that ESS sends a
computer generated "artificial ring,"
where the voice is not connected
directly to the called parties line
until he picks up, Black Boxes &
Infinity Transmitters will not work!
NOTE: Another interesting way to find
out what type of equipment you
are on is to raid the trash can
of you local CO--this art will
discussed in a separate article
soon.
Coming Soon:
In the part V, we will start to take
a look at telephone electronics.
Further Reading:
For more information on the above
topics, I suggest the following:
Notes on the Network, AT&T, 1980.
Understanding Telephone Electronics,
Texas Instruments, 1983.
And subscriptions to:
2600, Box 752, Middle Island, NY 11953.
Subscriptions are $10/year. Back
issues are $1 each. The current issue
is #4 (April 1984).
They are both excellent sources of all
sorts of information (primarily
phreaking/hacking).
****** Agent Berg's course in *******
* *
* ========================== *
* =BASIC TELECOMMUNICATIONS= *
* ========================== *
* Part VI *
***************************************
REVISED: 27-OCT-84
Preface:
This article will focus primarily on
the standard Western Electric single-
slot coin telephone (aka fortress fone)
which can be divided into 3 types:
- Dial-Tone First (DTF)
- Coin-First (CF): (ie, it wants your
$ before you receive a dial tone)
- Dial Post-Pay Service (PP): you pay
after the party answers
Depositing Coins (Slugs):
-------------------------
Once you have deposited your slug into
a fortress, it is subjected to a
gamut of tests.
The first obstacal for a slug is the
magnetic trap. This will stop any
light-weight magnetic slugs and coins.
If it passes this, the slug is then
classified as a nickel, dime, or
quarter. Each slug is then checked for
appropriate size and weight. If these
tests are passed, it will then travel
through a nickel, dime, or quarter
magnet as appropriate. These magnets
set up an eddy current effect which
causes coins of the appropriate
characteristics to slow down so they
will follow the correct trajectory. If
all goes well, the coin will follow the
correct path (such as bouncing off of
the nickel anvil) where it will
hopefully fall into the narrow accepted
coin channel.
The rather elaborate tests that are
performed as the coin travels down the
coin chute will stop most slugs and
other undesirable coins, such as
pennies, which must then be retrieved
using the coin release lever.
If the slug miraculously survives the
gamut, it will then strike the
appropriate totalizer arm causing a
ratchet wheel to rotate once for every
5-cent increment (eg, a quarter will
cause it to rotate 5 times).
The totalizer then causes the coin
signal oscillator to readout a dual-
frequency signal indicating the value
deposited to ACTS (a computer) or the
TSPS operator. These are the same tones
used by phreaks in the infamous red
boxes.
For a quarter, 5 beep tones are
outpulsed at 12-17 pulses per second
(PPS). A dime causes 2 beep tones at
5 - 8.5 PPS while a nickel causes one
beep tone at 5 - 8.5 PPS. A beep
consists of 2 tones: 2200 + 1700 Hz.
A relay in the fortress called the "B
relay" (yes, there is also an 'A
relay') places a capacitor across the
speech circuit during totalizer read-
out to prevent the "customer" from
hearing the red box tones.
In older 3 slot phones: one bell (1050
-1100 Hz) for a nickel, two bells for a
dime, and one gong (800 Hz) for a
quarter are used instead of the modern
dual-frequency tones.
=============
=TSPS & ACTS=
=============
While fortresses are connected to the
CO of the area, all transactions are
handled via the Traffic Service
Position System (TSPS). In areas that
do not have ACTS, all calls that
require operator assistance, such as
calling card and collect, are
automatically routed to a TSPS operator
position.
In an effort to automate fortress
service, a computer system known as
Automated Coin Toll Service (ACTS) has
been implemented in many areas. ACTS
listens to the red box signals from the
fones and takes appropriate action. It
is ACTS which says, "Two dollars please
(pause) Please deposit two dollars for
the next ten seconds" (and other
variations). Also, if you talk for more
than three minutes and then hang-up,
ACTS will call back and demand your
money. ACTS is also responsible for
Automated Calling Card Service.
ACTS also provide trouble diagnosis for
craftspeople (repairmen specializing in
fortresses). For example, there is a
coin test which is great for tuning up
red boxes. In many areas this test can
be activated by dialing 09591230 at a
fortress (thanks to Karl Marx for this
information). Once activated it will
request that you deposit various coins.
It will then identify the coin and
outpulse the appropriate red box
signal. The coins are usually returned
when you hang up.
To make sure that there is actually
money in the fone, the CO initiates a
"ground test" at various times to
determine if a coin is actually in the
fone. This is why you must deposit at
least a nickel in order to use a red
box!
Green Boxes:
------------
Paying the initial rate in order to
use a red box (on certain fortresses)
left a sour taste in many red boxer's
mouths thus the GREEN BOX was invented.
The green box generates useful tones
such as COIN COLLECT, COIN RETURN, and
RINGBACK. These are the tones that
ACTS or the TSPS operator would send to
the CO when appropriate. Unfortunately,
the green box cannot be used at a
fortress station but it must be used by
the CALLED party.
Here are the tones:
COIN COLLECT 700 + 1100 Hz
COIN RETURN 1100 + 1700 Hz
RINGBACK 700 + 1700 Hz
Before the called party sends any of
these tones, an operator released
signal should be sent to alert the MF
detectors at the CO. This can be
accomplished by sending 900 + 1500 Hz
or a single 2600 Hz wink (90 ms)
followed by a 60 ms gap and then the
appropriate signal for at least 900 ms.
Also, do not forget that the initial
rate is collected shortly before the 3
minute period is up.
Incidentally, once the above MF tones
for collecting and returning coins
reach the CO, they are converted into
an appropriate DC pulse (-130 volts for
return & +130 volts for collect). This
pulse is then sent down the tip to the
fortress. This causes the coin relay
to either return or collect the coins.
The alleged "T-Network" takes advantage
of this information. When a pulse for
COIN COLLECT (+130 VDC) is sent down
the line, it must be grounded
somewhere. This is usually either the
yellow or black wire. Thus, if the
wires are exposed, these wires can be
cut to prevent the pulse from being
grounded. When the three minute
initial period is almost up, make sure
that the black & yellow wires are
severed; then hang up, wait about 15
seconds in case of a second pulse,
reconnect the wires, pick up the fone,
hang up again, and if all goes well it
should be "JACKPOT" time.
Physical Attack:
----------------
A typical fortress weighs roughly 50
lbs. with an empty coin box. Most of
this is accounted for in the armor
plating. Why all the security? Well,
Bell contributes it to the following:
"Social changes during the 1960's
made the multislot coin station a prime
target for: vandalism, strong arm
robbery, fraud, and theft of service.
This brought about the introduction of
the more rugged single slot coin
station and a new environment for coin
service."
As for picking the lock, I will quote
Mr. Phelps: "We often fantasize about
'picking the lock' or 'getting a master
key.' Well, you can forget about it.
I don't like to discourage people, but
it will save you from wasting alot of
your time--time which can be put to
better use (heh, heh)."
As for physical attack, the coin plate
is secured on all four side by hardened
steel bolts which pass through two
slots each. These bolts are in turn
interlocked by the main lock.
One phreak I know did manage to take
one of the 'mothers' home (which was
attached to a piece of plywood at a
construction site; otherwise, the
permanent ones are a bitch to detach
from the wall!). It took him almost
ten hours to open the coin box using a
power drill, sledge hammers, and crow
bars (which was empty -- perhaps next
time, he will deposit a coin first to
hear if it slushes down nicely or hits
the empty bottom with a clunk.)
Taking the fone offers a higher margin
of success. Although this may be
difficult often requiring brute force
and there has been several cases of
back axles being lost trying to take
down a fone! A quick and dirty way to
open the coin box is by using a
shotgun. In Detroit, after ecologists
cleaned out a municipal pond, they
found 168 coin phone rifled.
In colder areas, such as Canada, some
shrewd people tape up the fones using
duct tape, pour in water, and come back
the next day when the water will have
froze thus expanding and cracking the
fone open.
In one case, "unauthorized coin
collectors" where caught when they
brought $6,000 in change to a bank and
the bank became suspicious...
At any rate, the main lock is an eight
level tumbler located on the right side
of the coin box. This lock has 390,625
possible positions (5 ^ 8, since there
are 8 tumblers each with 5 possible
positions) thus it is highly pick
resistant! The lock is held in place
by 4 screws. If there is sufficient
clearance to the right of the fone, it
is conceivable to punch out the screws
using the drilling pattern below
(provided by Alexander Mundy in TAP
#32):
====================================
!! ^
!! !
! 1- 3/16 " !! !
!<--- --->!! 1-1/2"
-------------------- !
! ! !! ! !
! (+) (+)-! -----------
---! !! ! ^
! ! !! ! !
! ! (Z) !! ! !
! ! !! ! 2-3/16"
---! !! ! !
! (+) (+) ! !
! !! ! !
-------------------- -----------
!!
!!
(Z) Keyhole (+) Screws
!!
===================================
After this is accomplished, the lock
can be pushed backwards disengaging
the lock from the cover plate. The
four bolts of the cover plate can then
be retracted by turning the boltworks
with a simple key in the shape of the
hole on the coin plate (see diagram
below). Of course, there are other
methods and drilling patterns.
:-------------------------------------:
_
! !
( )
!_!
[roughly]
Diagram of cover plate keyhole
:-------------------------------------:
The top cover uses a similar (but not
as strong) locking method with the
keyhole depicted above on the top left
side and a regular lock (probably
tumbler also) on the top right-hand
side. It is interesting to experiment
with the coin shute and the fortresses
own "red box" (which Bell didn't have
the 'balls' to color red).
Miscellaneous:
--------------
In a few areas (rural & Canada), post-
pay service exists. With this type of
service, the mouthpiece is cut off
until the caller deposits money when
the called party answers. This also
allows for free calls to weather and
other DIAL-IT services! Recently, 2600
magazine announced the CLEAR BOX which
consists of a telephone pickup coil and
a small amp. It is based on the
principal that the receiver is also a
weak transmitter and that by amplifying
your signal you can talk via the
transmitter thus avoiding costly
telephone charges!
Most fortresses are found in the 9xxx
area. Under former Bell areas, they
usually start at 98xx (right below the
99xx official series) and move
downward.
Since the line, not the fone,
determines whether or not a deposit
must be made, DTF & Charge-A-Call fones
make great extensions!
Finally, fortress fones allow for a new
hobby--instruction plate collecting.
All that is required is a flat-head
screwdriver and a pair of needle-nose
pliers. Simply use the screwdriver to
lift underneath the plate so that you
can grab it with the pliers and yank
downwards. I would suggest covering the
tips of the pliers with electrical tape
to prevent scratching. Ten cent plates
are definitely becoming a "rarity!"
Fortress Security:
------------------
While a lonely fortress may seem the
perfect target, beware! The Gestapo
has been known to stake out fortresses
for as long as 6 years according to the
Grass Roots Quarterly. To avoid any
problems, do not use the same fones
repeatedly for boxing, calling cards, &
other experiments. The telco knows how
much money should be in the coin box
and when its not there they tend to get
perturbed (read: pissed off).
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Disclaimer:
-----------
The preceding is intended for
"information purposes only" and I do
not advocate that you participate in
any subversive activities...
Coming sooner or later:
-----------------------
Part VII will deal with blue boxing.
References/Suggested Reading:
-----------------------------
Various hard-to-find Bell System
publications.
"Alternate Method of Opening the
Fortress Phone Coin Box," Alexander
Mundy, TAP #32.
"Build a T-Network for Fun & Profit,"
TAP #15.
"Coiners & Other Thieves," The Phone
Book, J. Edgar Hyde, pp 88-91.
"Fortress Fun-ding," TAP #66.
"The Green & Brown Box," Ted Veil &
Nick Haflinger, TAP #68.
"Introducing the Clear Box!," 2600,
July 1984.
"More Fortress Fun," TAP #49
"Notes on the Network," AT&T, 1980,
[The definitive technical reference
guide!].
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
2600:
Box 752
Middle Island, NY 11953
Subscriptions: $10/year
(published monthly)
Last Issue (as of 10/27/84):
October 1984
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
TAP:
Room 603
147 W 42 Street
New York, NY 10036
Subscriptions: $10/10 issues or so
(published sporadically since 1971)
Last Issue (as of 10/27/84):
January/February 1984 [#90]
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Acknowledgements: Hertz Tone, Tuc,
******BIOC Agent 003's course in*******
* *
* ========================== *
* =BASIC TELECOMMUNICATIONS= *
* ========================== *
* Part VII *
***************************************
Preface:
After most neophyte phreaks overcome
their fascination with Metro codes and
WATS extenders, they will usually seek
to explore other avenues in the vast
phone network. Often they will come
across references such as "simply dial
KP + 2130801050 + ST for the Alliance
teleconferencing system in LA."
Numbers such as the one above were
intended to be used with a blue box;
this article will explain the
fundamental principles of the fine art
of blue boxing.
Genesis:
--------
In the beginning, all long distance
calls were connected manually by
operators who passed on the called
number verbally to other operators in
series. This is because pulse (aka
rotary) digits are created by causing
breaks in the DC current (see Basic
Telcom V). Since long distance calls
require routing through various
switching equipment and AC voice
amplifiers, pulse dialing cannot be
used to send the destination number to
the end local office (CO).
Eventually, the demand for faster and
more efficient long distance (LD)
service caused Bell to make a
multi-billion dollar decision. They
had to create a signaling system that
could be used on the LD Network.
Basically, they had two options:
[1] To send all the signaling and
supervisory information (ie, ON & OFF
HOOK) over separate data links. This
type of signaling is referred to as
out-of-band signaling.
-or-
[2] To send all the signaling
information along with the conversation
using tones to represent digits. This
type of signaling is referred to as
in-band signaling.
Being the cheap bastard that they
naturally are, Bell chose the latter
(and cheaper) method -- IN-BAND
signaling. They eventually regretted
this, though (heh, heh)...
IN-BAND SIGNALING PRINCIPLES:
-----------------------------
When a subscriber dials a telephone
number, whether in rotary or touch-tone
(aka DTMF), the equipment in the CO
interprets the digits and looks for a
convenient trunk line to send the call
on its way. In the case of a local
call, it will probably be sent via an
inter-office trunk; otherwise, it will
be sent to a toll office (class 4 or
higher -- see Telcom IV) to be
processed.
When trunks are not being used there is
a 2600 Hz tone on the line; thus, to
find a free trunk, the CO equipment
simply checks for the presence of 2600
Hz. If it doesn't find a free trunk the
customer will receive a re-order signal
(120 IPM busy signal) or the "all
circuits are busy..." message. If it
does find a free trunk it "seizes" it
-- removing the 2600 Hz. It then sends
the called number or a special routing
code to the other end or toll office.
The tones it uses to send this
information are called multi-frequency
(MF) tones. An MF tone consists of two
tones from a set of six master tones
which are combined to produce 12
separate tones. You can sometimes hear
these tones in the background when you
make a call but they are usually
filtered out so your delicate ears
cannot hear them. These are NOT the
same as touch-tones.
To notify the equipment at the far end
of the trunk that it is about to
receive routing information, dhe
originating end first sends a Key Pulse
(KP) tone. At the end of sending the
digits, the originating end then sends
a STart (ST) tone. Thus to call
914-359-1517, the equipment would send
KP + 9143591517 + ST in MF tones. When
the customer hangs up, 2600 Hz is once
again sent to signify a disconnect to
the distant end.
History:
--------
In the November 1960 issue of The Bell
System Technical Journal, an article
entitled "Signaling Systems for
Control of Telephone Switching" was
published. This journal, which was
sent to most university libraries,
happened to contain the actual MF tones
used in signaling. They appeared as
follows:
Digit Tones
----- -----
1 700 + 900 Hz
2 700 + 1100 Hz
3 900 + 1100 Hz
4 700 + 1300 Hz
5 900 + 1300 Hz
6 1100 + 1300 Hz
7 700 + 1500 Hz
8 900 + 1500 Hz
9 1100 + 1500 Hz
0 1300 + 1500 Hz
KP 1100 + 1700 Hz
ST 1500 + 1700 Hz
11 (*) 700 + 1700 Hz
12 (*) 900 + 1700 Hz
KP2 (*) 1300 + 1700 Hz
(*) Used only on CCITT SYSTEM 5 for
special international calling.
Bell caught wind of blue boxing in 1961
when it caught a Washington state
college student using one. They
originally found out about blue boxes
through police raids and informants.
In 1964, Bell Labs came up with
scanning equipment, which recorded all
suspicious calls, to detect blue box
usage. These units were installed in
CO's where major toll fraud existed.
AT&T Security would then listen to the
tapes to see if any toll fraud was
actually committed. Over 200
convictions resulted from the project.
Surprisingly enough, blue boxing is not
solely limited to the electronics
enthusiast; AT&T has caught
businessmen, film stars, doctors,
lawyers, college students, high school
students and even a millionaire
financier (Bernard Cornfeld) using the
device. AT&T also said that nearly
half of those that they catch are
businessmen.
Of course, phone phreaks have achieved
an almost cult status. They have also
had their fair share of media. In
October 1971, Esquire published the
infamous "Secrets of the Little Blue
Box" article which featured phreaks
such as Captain Crunch, who took his
name from the cereal which one gave
away whistles that produced a perfect
2600 Hz pitch; Joe Engressia, the blind
phreak; and Mark Bernay, one of the
nation's first and oldest phreaks.
Others such as Apple computer
co-founders Steve Wozniak & Steve Jobs
have also had blue box backgrounds.
1971 also saw the publication of the
first issue of YIPL, the phone phreak
newsletter, (now TAP) under the
editorship of supreme yippie Abbie
Hoffman.
Usage:
------
To use a blue box, one would usually
make a free call to any 800 number or
distant directory assistance (NPA-555-
1212). This, of course, is legitimate.
When the call is answered, one would
then swiftly press the button that
would send 2600 Hz down the line. This
has the effect of making the distant CO
equipment think that the call was
terminated and it leaves the trunk
hanging. Now, the user has about 10
seconds to enter in the telephone
number he wished to dial -- in MF, that
is. The CO equipment merely assumes
that this came from another office and
it will happily process the call.
Since there are no records (except on
toll fraud detection devices!) of these
MF tones, the user is not billed for
the call. When the user hangs up, the
CO equipment simply records that he
hung up on a free call.
DETECTION:
----------
Bell has had 20 years to work on
detection devices; therefore, in this
day and age, they are rather well
refined. Basically, the detection
device will look for the presence of
2600 Hz where it does not belong. It
then records the calling number and all
activity after the 2600 Hz. If you
happen to be at a fortress fone,
though, and you make the call short,
your chances of getting caught are
significantly reduced (see Telcom VI).
Incidentally, there have been rumors of
certain test numbers (see Telcom II)
that hook directly into trunks thus
avoiding the need for 2600 Hz and
detection!
Another way that Bell catches boxers is
to examine the CAMA (Centralized
Automatic Message Accounting) tapes.
When you make a call, your number, the
called number, and time of day are all
recorded. The same thing happens when
you hang up. This tape is then
processed for billing purposes.
Normally, all free calls are ignored.
But Bell can program the billing
equipment to make note of lengthy calls
to directory assistance. They can then
put a pen register (aka DNR) on the
line or an actual full-blown tap. This
detection can be avoided by making
short-haul (aka local) calls to box off
of.
It is interesting to note that NPA+555-
1212 originally did not return answer
supervision. Thus the calls were not
recorded on the AMA/CAMA tapes. AT&T
changed this though for "traffic
studies!"
CCIS:
-----
Besides detection devices, Bell has
begun to gradually redesign the network
using out-of-band signaling. This is
known as Common Channel Inter-office
Signaling (CCIS). Since this signaling
method sends all the signaling
information over separate data lines,
blue boxing is impossible under it.
While being implemented gradually, this
multi-billion dollar project is still
strangling the fine art of blue boxing.
Of course until the project is totally
complete, boxing will still be
possible. It will become progressively
harder to find places to box off of,
though. In areas with CCIS, one must
find a directory assistance office that
doesn't have CCIS yet. Area codes in
Canada and predominately rural states
are the best bets. WATS numbers
terminating in non-CCIS cities are also
good prospects.
Pink Noise:
-----------
Another way that may help to avoid
detection is too add some "pink noise"
to the 2600 Hz tone.
Since 2600 Hz tones can be simulated in
speech, the detection equipment must be
careful not to misinterpret speech as
a disconnect signal. Thus a virtually
pure 2600 Hz tone is required for
disconnect.
Keeping this in mind, the 2600 Hz
detection equipment is also probably
looking for pure 2600 Hz or else is
would be triggered every time someone
hit that note (highest E on a piano =
2637 Hz). This is also the reason that
the 2600 Hz tone must be sent rapidly;
sometimes, it won't work when the
operator is saying "Hello, hello." It
is feasible to send some "pink noise"
along with the 2600 Hz. Most of this
energy should be above 3000 Hz. The
pink noise won't make it into the toll
network (where we want our pure 2600 Hz
to hit) but it should make it past the
local CO and thus the fraud detectors.
CONSTRUCTION:
-------------
While step-by-step details for the
construction of a blue box is beyond
the scope of this tutorial, it is
worthwhile to mention some of the
details.
First there are some alternatives but
they are not as good as an actual blue
box. Many computers are capable of
generating MF tones. Thus, your local
phriendly software pirate should have a
program compatible for your computer.
However, it is highly advisable not to
box from home as stated in The Ten
Commandments (as interpreted for
phreaks by Fred Steinbeck -- TAP #86).
I. Box thou not over thine home
telephone wires, for those who
doest must surely bring the full
wrath of the Chief Special Agent
down upon thy heads.
Another alternative that has a moderate
success rate involves recording the
tones from a phriend with a box or
computer onto a cassette tape. They
can then be used at a fortress.
As for actual construction techniques,
TAP has devoted many issues to blue
boxing. Basically, a blue box is
merely a device capable of generating
two different tones simultaneously.
There are two basic construction
methods that I will outline below for
the electronics hobbyist.
The first involves the use of two 555
timer chips (or a 556 -- i.e., two
555's in one chip). It offers
excellent frequency and voltage
stability. Also, it does not need a
diode matrix keypad but used double-
pole switches instead. Schematics for
this type of box can be found in TAP
issue #29.
The other common box makes use of two
Intersil 8038CC Function Generators.
It also requires a diode matrix keypad,
potentiometers, an LM-100 voltage
regulator, a 741 Op-amp, and a handful
of other parts. The schematics for
this type of blue box can be found in
TAP #26.
Both designs draw about 20 ma of
current.
Also, most blue boxes use telephone
earpieces (with the varistor removed)
for speakers. These can be easily
liberated from fortress fones with a
small coping saw.
Usually, the hardest part about
building a blue box is the calibration.
A frequency counter is a must and an
oscilloscope won't hurt.
Some boxes also take timing into
account. It is feasible on the ESS
systems that they check to see if the
digits are of uniform length. If they
aren't, they are probably from a blue
box and a trouble card may be dropped.
With this in mind, the Bell standard
for MF pulses and interdigit intervals
is around 75 ms. It varies with the
equipment used since ESS can handle
higher speeds and doesn't need
interdigit intervals.
APPLICATIONS:
-------------
Besides dialing normal calls free,
i.e., KP+NPA+NNX+XXXX+ST, blue boxes
offer the entire network for
exploration. Emergency break-ins,
service monitoring (aka taps), stacking
tandems (the art of busying out all
trunks between two points), re-routing
calls, conference calls, and much, much
more are all feasible. Although, Bell
frequently changes these codes due to
phreaks.
Here are some standard ones, though:
OPERATOR & OTHER CODES:
-----------------------
(an optional NPA may proceed all of the
numbers; otherwise, you will reach the
one local for the area where the call
is originated)
001 -- Trunk Access System
009 -- Rate Quote System
101 -- toll office test board
121 -- INWARD Operator
This operator assists the local "0"
operator in completing calls. (S)he
will do virtually anything for you
providing it is within her NPA.
131 -- Operator Directory
assistance
141 -- Rout & Rate
(141 defunct -- use KP + 800 + 141 +
1212 + ST)
These operators are very useful if you
know how to mumble a few cryptic
phrases as compiled below (with thanks
to Fred Steinbeck):
To find out...
...Area Codes
For example say , "Miami, Florida,
numbers route, please." The R&R
operator will tell you "305 plus,"
meaning that 305 plus the seven digit
number will get you Miami.
... Inward Operator City Codes
Usually, the INWARD operator for an
area is simply KP + NPA + 121 + ST. In
some area codes, though, there are
several large cities and thus several
inwards. To find the inward for a
specific city, you would say "916 756,
operator route, please" to the R&R
operator who will then tell you "916
plus 001 plus." This means that KP+
916 + 001 + 121 + ST will get you an
inward for Sacramento, CA (916-756).
... City names
If you want to know the city that
corresponds to an area code and
exchange, you simply tell the R&R,
"Place name, 914 390, please." In this
example, the R&R operator will respond
with "White Plains, NY."
... International Directory Assistance
If you need a directory route for
London, you could say "International,
London, England. TSPS directory route,
please." The R&R operator will respond
with "Directory to London, England.
Country code 44 plus 1 plus 986 plus
3611." Therefore to get a DA operator
in London, you would route yourself to
an international sender and KP +
04419863611 + ST.
... Country & City codes
If you need to know the country and
city code for an international number
you can say "International, Sydney,
Australia, TSPS numbers route, please"
and get "Country code 61 plus 2."
... International Inwards Routes
To get routing codes for international
inwards say "International, London,
England, TSPS inward route, please."
The R&R Operator will respond with
"Country code 44 plus 121."
Finally, to get language assistance for
completing a foreign call you can tell
the foreign inward, "United States
calling. Language assistance in
completing a call to (called party) at
(called number)."
151 -- overseas incoming (212 +
& 914+)
160-XX0 -- Various Overseas Operators
161 -- trouble reporting operator
(defunct)
181 -- Coin Refund Operator
18X -- Overseas senders
To make an international call, one
would KP + 011 + 0CC + ST where CC is
the country code. This will route you
to the appropriate overseas sender.
You will then receive a 480 Hz dial
tone. Here you enter KP + 0CC + city
code + local number + ST and the call
is on its way.
Country codes can be either 1, 2, or 3
digits but they must be padded for
three digits to create a pseudo-country
code with extra zero's if necessary.
For example, England, country code 44,
becomes 044.
To see which international sender a
certain country (lets use French
Guiana, country code 594, for example)
goes through, you can dial KP + 011 +
594 + ST, wait for the Proceed to Send
tone then KP + 000 + 0000 + ST and you
will receive a recording saying which
ISC (International Switching Center) it
is. For the example it will say, "This
is the international switching center
in Pittsburg, PA -- This is a recording
- 4121." You can actually route calls
to certain senders yourself (KP + NPA +
18X + ST) but it is better off not to
since it may look suspicious if a call
is sent through a sender that it
shouldn't go through. Here are the
senders:
182 -- White Plains, NY
183 -- New York, NY
184 -- Pittsburg, PA
185 -- Orlando, FL
186 -- Oakland, CA
187 -- Denver, CO
188 -- New York, NY
Also, there tends to be alot of talk
about the Code 11, Code 12, KP2, STP,
ST3P, & ST2P keys. While they do exist
the blue boxer need not concern himself
with them. The first three are used on
CCITT System 5. This is the signaling
system that the International Senders
use to send information to other
countries. These codes are usually
added automatically just like the
language assistance digit [which
distinguishes operator (or blue box)
dialed calls from customer dialed
calls]. The STP, ST3P, & ST2P tones
are used when equipment is
communicating with the TSPS. These
also are automatically added when
needed in most cases.
[see Telcom III for more on
International Switching Centers (ISC)]
11XXX -- miscellaneous operators
11501 -- universal cordboard
operator
11511 -- conference operator
11521 -- mobile operator
11531 -- marine operator
11541 -- LD incoming switchboard
11551 -- leave word for time &
charges (neat stuff)
11561 -- same as 11551 but for
hotel/motels
11571 -- overseas operators --
language assistance
The 11XXX series is interesting
scanning material.
Miscellaneous Routing Codes :
-----------------------------
Alliance Teleconferencing has several
numbers, a few of which are listed
below:
KP + 213 080 XXXX + ST
KP + 305 025 XXXX + ST
KP + 312 001 XXXX + ST
XXXX = 1050, 1100, or a few others
Also, at KP + 317 009 + ST there is a
MF tone checker. After the
beep-kerclunk, dial in KP + 999 1234567
890 + ST and it will repeat the digits
that you pulsed if they are of the
right frequency.
Tandem Scanning:
----------------
To find all e sold on a "cash and carry" basis. Instead each sale would
require all the face-to-face contact appropriate to purchasing a
car or life insurance. The legal contract would then be properly
reviewed and SIGNED by the customer. Sound Preposterous? Now
realch-tone, send it 2600 Hz, rip
it apart. You never know, you may run
into something phun, like a computer
that checks CC numbers.
Incidentally, in some exchange you can
dial inwards and other box codes
directly! For example, 914-121-1111
will get you a NY inward. The only
problem is that a 0 or 1 as the first
digit of the exchange is usually
prohibited in customer dialing.
Somebody may have "accidentally"
changed this screening code on your
ESS's computer, though -- you never
know and it can't hurt to try. WATS
translation numbers also take up some
of the 0XX & 1XX codes.
Finally, certain tones on the blue box
can also be used for other purposes.
An MF "2" corresponds to COIN COLLECT
while "KP" corresponds to COIN RETURN.
Thus every blue box is also a green box
(see Telcom VI).
---------------------------------------
The preceding was intended for
informational purposes only. The
implementation of some of the above
mentioned information may be a
violation of state and/or federal laws.
---------------------------------------
PPS Any and all threats, comments,
suggestions, and/or subpoenas are
welcome.
