 ____________________________________
!                                    !
!    Pirate Trek Systems Presents    !
!                                    !
!          The Book of BIOC          !
!                                    !
!    A Compiled Phreaking Tutorial   !
!____________________________________!


How to be a Real Phreak

In the phone phreak society there are certain values that exist in order to be a true phreak. These are best summed up by the Magician:

"Many people think of phone phreaks as slime, out to rip off Bell for all she is worth. Nothing could be further from the truth! Granted, there are some who get their kicks by making free calls; however, they are not true phone phreaks. Real phone phreaks are 'Telecommunications Hobbyists' who experiment, play with and learn from the phone system. Occasionally this experimenting, and a need to communicate with other phreaks (without going broke), leads to free calls. The free calls are but a small subset of a >true< phone phreak's activities."


The Ten Commandments

Reprinted from TAP Issue #86. (TAP, Room 603, 147 W 42 Street, New York, NY 10036. Send a SASE for their info sheet "What the hell is TAP?" and tell them that BIOC Agent 003 told you about it.)

The Phone Phreak's Ten Commandments

I.    Box thou not over thine home telephone wires, for those who doest must surely bring the wrath of the chief special agent down upon thy heads.

II.   Speakest thou not of important matters over thine home telephone wires, for to do so is to risk thine right of freedom.

III.  Use not thine own name when speaking to other phreaks, for that every third phreak is an FBI agent is well known.

IV.   Let not overly many people know that thy be a phreak, as to do so is to use thine own self as a sacrificial lamb.

V.    If thou be in school, strive to get thine self good grades, for the authorities well know that scholars never break the law.

VI.   If thou workest, try to be a good employee, and impressest thine boss with thine enthusiasm, for important employees are often saved by their own bosses.

VII.  Storest thou not thine stolen goods in thine own home, for those who do are surely nonbelievers in the Bell System Security Forces, and are not long for this world.

VIII. Attractest thou not the attention of the authorities, as the less noticeable thou art, the better.

IX.   Makest sure thine friends are instant amnesiacs and will not remember that thou have called illegally, for their cooperation with the authorities will surely lessen thine time for freedom on this earth.

X.    Supportest thou TAP, as it is thine newsletter, and without it, thy work will be far more limited.


CN/A Numbers

Customer Name & Address Bureaus exist so that authorized Bell employees may obtain the name & address of any customer in the Bell System by giving the CN/A operator the customer's telephone number. All customers are maintained on file, including unlisted numbers. These bureaus have many uses for phreaks.

Here is how an employee might go about calling CN/A: "Hi, this is John Doe from the Miami Residential Service Center, can I have the customer's name at (123) 555-1212?" The employees usually use these for checking who belongs to a number that someone claimed they didn't call.

If you sound cheery and natural the operator will never ask any questions. If you don't sound like a mature adult, don't use it! Always practice first and have a script ready so you don't screw up and make the operator suspicious. Use a name that sounds real, not your pirate name either! Also say that you are from a city that is far away from the one that you are calling.

The CN/A number for the NY area and vicinity (212, 315, 516, 518, 607, 716, & 914) is >>>>>>>>>(518) 471-8111<<<<<< and is open during business hours. Don't abuse it!


AT&T Newslines

AT&T newslines are numbers at area phone offices that Telco employees call to find out the latest info on new technology, stocks, etc. The recorded reports range from very boring to very interesting.
Here are a few of the numbers:

  *(201) 483-3800  NJ        (518) 471-2272  NY
   (203) 771-4920  CT        (717) 255-5555  PA
   (212) 393-2151  NY        (717) 787-1031  PA
   (516) 234-9941  NY       *(914) 948-8100  NY

Some of these numbers are toll-free, but you can't always count on it.

* These numbers are not always up!

Numbers from other areas are available by request from BIOC Agent 003.


ANI Numbers

ANI numbers identify the phone number that you are calling from. This is useful on a phone that doesn't have its number printed on it. In the 914 area code the ANI # is 990. If you just have to dial the last 4 digits for a local #, ie Congers (268), dial 1-990-1111, where 1111 are dummy digits. There is also a less useful type of ANI # which will identify the area code & exchange. It is NXX-9901, where NXX is the exchange. In the 212 & 516 area codes the ANI # is 958.


Phreak Newsletter

TAP is the "Official" phone phreak newsletter, and has existed since 1971. Each 4 page issue is crammed full of information on phone phreaking, computer phreaking, free gas, free electricity, free postage, breaking and entering info, etc. It is largely phone phreak oriented, however. A 10 issue subscription costs $8.00, if you get a bulk rate sealed envelope subscription. I would recommend the first class subscription, which is $10. As of this writing (7-16-83), the current issue is #86, and issue #50 is 8 pages instead of the usual 4. Back issues are $0.75 each, and issue #50 is $1.50. A brief index to the first 80 issues is available for a SASE, or free with a subscription order. TAP is non-profit, and in desperate need of material (articles), money, and volunteers.

  TAP
  Room 603
  147 West 42nd Street
  New York, NY 10036

Believe me: It will be the best $10 you will ever spend...


Black Box

The Black Box is a device that, attached to a called party's phone, allows him/her to receive free long distance calls from friends who call. You only need 2 parts: a SPST toggle switch and a 10,000 OHM (10 K), 1/2 watt, 10% resistor.
Any electronics place should have these. Now, cut two pieces of wire, about 6 inches, and attach these to the two screws on the switch. Turn your phone upside down and unscrew the two screws. Locate the "F" and "RR" screws on the network box. Wrap the resistor between these two screws and make sure that the wires touch only the proper terminals! Now connect one wire from the switch to the RR terminal. Finally, attach the remaining wire to the green wire (disconnect it from its terminal). Now bring the switch out the rear of the phone and close it up.

Put the switch in a position where you get a dialtone, and mark this normal. Mark the other side free. When your friends call (at a prearranged time), quickly lift and drop the receiver as fast as possible. This will stop the ringing; if not, try again. It is very important that you do it fast! Now put the switch in the free position and pick up the phone. Keep all calls short and under 15 minutes.

When someone calls you long-distance, they are billed from the moment you answer. The Telco knows when you answer due to a certain amount of voltage that flows when you pick up the phone. However, the resistor cuts down on the voltage so it is below the billing range but sufficient enough to operate the mouthpiece. Answering the phone for a fraction of a second stops the ring but it is not enough for billing to start. If the phone is answered for even one full second, billing will start and you will be cut off when you hang up and switch to free.

Warning: Bell can randomly look for Black boxes so be careful!
  ---------------------------------------
  :                                     :
  :    ***Blue wire**>>F<               :
  :    *               *                :
  : **White wire****   *                :
  :                    *                :
  :                 Resistor            :
  :                    *                :
  :                    *                :
  :                 >RR<*******Switch***:
  :                                    *:
  : ****Green Wire*********************:
  :                                     :
  ---------------------------------------


DIAL LOCKS

Have you ever been in an office or somewhere and wanted to make a free fone call but some asshole put a lock on the fone? Well, fret no more, phellow phreak


*******BIOC Agent 003's course in******
*                                     *
*     ==========================      *
*     =BASIC TELECOMMUNICATIONS=      *
*     ==========================      *
*                                     *
*               PART II               *
***************************************

Preface:

In part II, we will explore the various special Bell #'s, such as: CN/A, AT&T Newslines, loops, 99XX #'s, ANI, ringback, and a few others.


AT&T NEWSLINES:
---------------

Newslines are recordings that Bell employees call up to find out the latest info on stock, technology, etc. concerning the Bell System. Here are the #'s that are currently known to phreaks (at least me, anyway):

  201-483-3800  NJ          513-421-9060  OH
  203-771-4920  CT          516-234-9914  NY
  212-393-2151  NY          518-471-2272  NY
  213-621-4141  CA          617-955-1111  MA
  213-829-0111  CA (GTE)    702-789-6711  NV
  213-449-8830  CA          713-224-6116  TX
  312-368-8000  IL          714-238-1111  CA
  313-223-7223  MI          717-255-5555  PA
  314-247-5511  MO          717-787-1031  PA
  408-493-5000  CA          802-955-1111  VT
  412-633-3333  PA          808-533-4426  HI
  414-678-3511  WI          813-223-5666  FL
  416-929-4323  ONT.        914-948-8100  NY
  503-228-6271  OR          916-480-8000  CA


=======
=LOOPS=
=======

First of all, you must understand the concept of loops. I think that the best way that this is understood is the way that Phred Phreak explained it...

"No self-respecting Phone Phreak can go through life without knowing what a loop is, how to use one, and the types that are available. The loop is a great alternative communication medium that has many potential uses that haven't even been tapped yet.
In order to explain what a loop is, it would be helpful to visualize two phone numbers (lines) just floating around in the Telco central office (CO). Now, if you (and a friend perhaps) were to call these two numbers at the same time, POOOOPFFF!!!, you are now connected together. I hear what you're saying out there..., "Big deal" or "Why should Ma Bell collect her two MSU's (message units) for one lousy phone call!?" Well... think again. Haven't you ever wanted someone to call you back but were reluctant to give out your home phone number (like the last time you tried to get your friend's unlisted # from the business office)? Or how about a collect call to your friend waiting on a loop, who will gladly accept the charges? Or better yet, stumbling upon a loop that you discover has multi-user capability (for those late-night conferences). Best of all is finding a non-supervised loop that doesn't charge any MSU's or tolls to one or both parties.

Example: many moons ago, a loop affectionately known as 'the 332 Loop' was non-sup (ie, nonsupervised) on the tone side. I had my friend in California dial the free (non-sup) side, (212) 332-9906, and I dialed the side that charged, 332-9900. As you can see, I was charged one MSU, and my friend was charged zilch, for as long as we wished to talk!!!"

*****

Ahhh... have I piqued your interest yet? If so, here is how to find a loop of your very own.

First, do all of your loop searching at NIGHT! This is because the loops serve a genuine test function which Telco uses during the day. (We don't want to run into an irate lineman now, do we?)

To find a loop, having 2 #'s is a definite plus. If not, have a friend dial #'s at his location. Last resort, try dialing from two adjacent pay phones.
Now get your trusty white pages (*), and turn to the page where it lists the # of MSU's from your exchange (or exchanges in your primary calling area). The idea is to find a loop that is within your primary calling area or is only 1 MSU in your area (call area A). This is so you don't go bankrupt trying to find a loop. Write down all of these exchanges and do a 99XX scan of those exchanges (99XX scanning will be discussed shortly).

Before we get up to 99XX scanning, we will look at some other loop info:

Loops are found in pairs which are usually close to each other. For example, in NPA 212, where the infamous loops are found, there is a standard loop format:

  Manhattan & Bronx-------NNX-9977/9979
  Brooklyn & Queens-------NNX-9900/9906

NNX is the exchange to be scanned.

Here are some loops that have been found in NYC. These are used mostly by Phreaks and call-in lines for pirate radio stations:

  212-220-9900/9906
  212-283-9977/9979
  212-352-9900/9906
  212-365-9977/9979
  212-529-9900/9906
  212-562-9977/9979
  212-982-9977/9979
  212-986-9977/9979

The lower # is the tone side (singing switch). The higher # is always silent. The tone disappears on the lower # when somebody dials in the other side of the loop. If you are on the higher #, you'll have to listen to the clicks to see if somebody dialed in.

The NYC 982 & 986 loops are different from others. Usually when you park on a loop, you will hear whoever calls in on the other half. When they're done, the next caller (if any) will be queued in, one after another. On the NYC 982 & 986, you sometimes can't get any more callers in after the first. Furthermore, if you park on one of these loops and there is nobody on the other end for more than 4 minutes, you may be automatically disconnected. These loops are good for back-up purposes when all other loops are busy.


99XX Scanning:
--------------

Most every exchange in the Bell System has a wide variety of test #'s and other "goodies," such as loops.
These "goodies" are usually found between 9900 and 9999 in your local exchange. If you have the time and initiative, scan your exchange and you may become lucky! Here are my findings in the 914-268:

  9901 - Verification (recording of a/c and exchange)
  9936 - Voice # to the Telco CO
  9937 - Voice # to the Telco CO
  9941 - Carrier
  9960 - Osc. Tone (tone side loop)
  9963 - Tone (stops: muted)
  9966 - Carrier
  9968 - Tone that disappears--responds to certain touch-tone keys

Most of the #'s between 9900 & 9999 will ring, be busy, go to a special intercept operator ("what #, please?"), or will go to a "the # you have reached..." recording. What you find depends upon the switching equipment in the exchange and the Telco operating company.

When searching for loops, you may find one of the following possibilities when you find one:

  1. You can hear through the loop (not muted), but there is a 1/2 second click every 10 seconds that interrupts the audio. This type is good for back-up use but the %$#'&" click is super annoying.
  2. One side of the loop is busy; try it again later.
  3. The tone disappears, but you cannot hear through it (the loop is muted, try again in a month or so).
  4. You get "The # you have reached" recording. No loop there!

Most loops are muted (#3), but their status does change from time to time. It all depends if the Telco maintenance personnel remember to "throw the switch", ie, turn off the loop.

Since I have done the above 914-268 99XX scan, Congers (268) has installed new switching equipment (DMS100). Some of the numbers are the same, but I have noticed that on the DMS100, the recordings are also stored in this area. 268-9903, 9906, 9909, & 9912 are all different recordings. Also, there are 2 fortress fone recordings at 268-9911 (deposit 5 cents or else) and 268-9913 (deposit 10 cents). None of these recordings supe and a lot of other 99XX #'s don't supe either. In some areas (like MD), 9906-7 is ringback.
In Washington, there is a sweep tone test at (202) 560-9944. In NYC (212), you'll find the infamous loop lines (as mentioned above).

It will be easier to scan your exchange if you make up a chart like the one below:

              NPA-NNX-99XX SCAN

  --------------------------------------
  !99X X>:0 :1 :2 :3 :4 :5 :6 :7 :8 :9 !
  --------------------------------------
  !990   :  :  :  :  :  :  :  :  :  :  !
  --------------------------------------
  !991   :  :  :  :  :  :  :  :  :  :  !
  --------------------------------------
  !992   :  :  :  :  :  :  :  :  :  :  !
  --------------------------------------
  !993   :  :  :  :  :  :  :  :  :  :  !
  --------------------------------------
  !994   :  :  :  :  :  :  :  :  :  :  !
  --------------------------------------
  !995   :  :  :  :  :  :  :  :  :  :  !
  --------------------------------------
  !996   :  :  :  :  :  :  :  :  :  :  !
  --------------------------------------
  !997   :  :  :  :  :  :  :  :  :  :  !
  --------------------------------------
  !998   :  :  :  :  :  :  :  :  :  :  !
  --------------------------------------
  !999   :  :  :  :  :  :  :  :  :  :  !
  --------------------------------------

This leaves you with 100 boxes (1 for each # between 9900 & 9999). You should make your boxes big enough so you can write some sort of shorthand in them. For example:

  B  - busy (try again at another time)
  R  - rings (try again at another time)
  O  - intercept operator ("what # you calling?")
  R1 - recording 1 (make a margin note of the types of recordings you get)
  T  - tone    } tone at a lower # + ignore
  I  - ignore  } at a higher # = loop
  V  - voice # to Telco CO - they usually answer with the city name or area.
  C  - carrier

There will be others and you should use other characters that you can understand.

Now, back to loops! As you may have noticed in my 914-268 scan, I found a muted loop and a tone side. 914-268 failed to come up with the silent side of a loop! Therefore, there is no loop in that exchange. I then scanned another exchange in my primary calling area (914-634) and I found a loop!!

  (914) 634-9923/9924

So, if at first you don't succeed, move on to another exchange.
If you use the box method that I have outlined above, you will see a T & I next to each other for a loop.

Some exchanges are special. For example, 914-623 is a testing bureau. In this exchange, not only did I find a loop, but I also found several interesting tones, noises, and other test functions. Also, the more important the exchange is, the more you will find. For example, in 914-623, I found well over 10 voice #'s! Also, loops are usually, but not exclusively, found in the 99XX series. For example: (713) 324-1799/1499 is a loop.

The perfect loop? Here is what I would look for:

  1. Non-sup on one or both sides. To check for a non-sup loop, go to a tone-first fortress fone and dial the #. If it asks for a dime, it is supervised. If the call goes through, then it is non-suped!
  2. 800 loops would be a plus. They are not necessarily found between 9900 & 9999 though. I would check the 1XXX series first.
  3. Multi-user loops are also a plus for those late night conferences.

Finally, remember it is only a local call to find out what your CO has in store for you. If you find anything interesting, be sure to drop me a line.

NOTE: Your local white pages can be a valuable asset. You can also order other fone books from your business office (usually free for books within your operating company's district). A large fone book, such as Manhattan, contains much more info in the first few pages than other books.


=====
=ANI=
=====

Automatic Number Identification (ANI) is a number that you call up that will tell you what # you are calling from. This has a few uses. First, were you ever somewhere and the fone didn't have a # printed on it? Or perhaps you were fooling around in some cans (those large boxes on fone poles that contain terminals for lineman use--to be discussed in a future chapter) and you want to know what the line # is.

In NPA 914, the ANI is 990. In NPA's 212 & 516, ANI is 958. This varies from area to area.
Here are some other ANI's that I have seen:

  890-751-5191
  2022222222
  1-XXX-1111   (in some 914 areas, esp. under step-by-step switching equipment, you have to dial 1-990-1111)

To find ANI for other areas, check 3 digit #'s first, usually in the 9XX series (excluding 911). In areas under step-by-step (to be discussed in the next part), try 1-9XX-1111. ANI may also be in 99XX. Last resort, try to get friendly with your neighbor who works for the fone company.


Ringback:
---------

Ringback, as its name implies, calls back the # you are at when you dial the ringback number. Ringback, in NPA 914, is 660. You dial 660 + the last 4 digits of the fone. You will then get a tone; hang up quickly and pick up in about 2 seconds. You will then get a second tone; hang up again and the fone will ring. In NYC, it is also 660, but you may have to press 6 or 7 before you hang up for the first time (ie, at the first tone).

Other ringback #'s that I have seen are:

  26011                  - This 5 digit format is used primarily on step-by-step. The last 2 digits (11) are dummy digits.
  890-897-XXXX           - XXXX are the last 4 digits of the fone #.
  119911/11911/1199911   - GTE
  NNX-9906/9907          - NPA 301, NNX is the exchange

The reason you get the tone when you pick up after it rings is because in some areas, people were using ringback as an in-house intercom. They would dial ringback, and when it stopped ringing, they would pick up & talk with the person who picked up the other extension. Bell didn't like this since there is usually only 1 piece of equipment in each exchange that does the ringback. When people used this as an intercom, linemen & repairmen couldn't get through! In some areas, especially those under step-by-step, ringback can still be used as an intercom. Also, under step-by-step, the ringback procedure is usually simple. For example, in one area you would dial 26011 and hang up; it would then ring back.


Touch-Tone Test:
----------------

In areas that have a Touch-Tone test, you dial the ringback #.
At the first tone, you touch-tone digits 1-0. If they are correct it will beep twice. I have also seen a TT test in some areas at: 890-751-5191


Coming Soon:
------------

In the next part, we will look at various switching equipment and The Network.


Break up of Bell:
-----------------

The operating companies are not going to change all the switching equipment around. While there will be some changes, most of the information provided here will remain pertinent after January 1, 1984. Just substitute the word "fone network" for Bell System.

Au Revoir,

*****BIOC
*=$=*Agent
*****003

December 8, 1983

Acknowledgements: TAP, Phred Phreek, Judas Gerard, The Magician, Dark Priest, & myself. I would also like to thank the Mulcher }{ for his assistance.

-----------------------------------------------------------------------------

---------------------------------------
           BOOK OF BIOC III
---------------------------------------

as international dialing. We will also take a look at the telephone numbering plan.


===============================
=North American Numbering Plan=
===============================

In North America, the telephone numbering plan is as follows:

  A) A 3 digit Numbering Plan Area (NPA) code, [ie, Area code]
  B) A 7 digit telephone # consisting of a 3 digit central office (CO) code plus a 4 digit station number.

These 10 digits are called the network address or destination code. It is in the format of:

  Area Code    Telephone #
  ---------    -----------
     N*X        NXX-XXXX

Where:
  N = A digit from 2-9
  * = The digit 0 or 1
  X = A digit 0-9


Area Codes:
-----------

Check your telephone book or the separate listing of area codes found on many BBS's. Here are the special area codes (SAC's):

  510 - TWX (USA)
  610 - TWX (Canada)
  700 - New service
  710 - TWX (USA)
  800 - WATS
  810 - TWX (USA)
  900 - Dial-it Services
  910 - TWX (USA)

The other area codes never cross state lines, therefore each state must have at least one exclusive NPA code.
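The N*X / NXX-XXXX digit rules and the SAC list above are simple enough to check mechanically. The following Python is an added example written for this edition, not part of BIOC's original text and not any telco's software: it splits a dialed number into NPA, CO code and station, rejects digits that sit in a position their class does not allow, and tags the special area codes from the list above. The function names, the SPECIAL_AREA_CODES table and the sample numbers in the demo are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Special area codes (SAC's) copied from the list in the text above.
SPECIAL_AREA_CODES = {
    "510": "TWX (USA)",
    "610": "TWX (Canada)",
    "700": "New service",
    "710": "TWX (USA)",
    "800": "WATS",
    "810": "TWX (USA)",
    "900": "Dial-it Services",
    "910": "TWX (USA)",
}

# Digit classes as defined in the text: N = 2-9, * = 0 or 1, X = 0-9.
N, STAR, X = "[2-9]", "[01]", "[0-9]"

# Network address / destination code: N*X NXX-XXXX, ten digits in all.
DESTINATION_CODE = re.compile(
    f"^(?P<npa>{N}{STAR}{X})(?P<co>{N}{X}{X})(?P<station>{X}{{4}})$"
)
# A bare 7-digit telephone #: CO code plus station number.
LOCAL_NUMBER = re.compile(f"^(?P<co>{N}{X}{X})(?P<station>{X}{{4}})$")


@dataclass
class NetworkAddress:
    npa: Optional[str]                     # area code, None for a 7-digit local number
    co_code: str                           # central office code
    station: str                           # 4-digit station number
    special_service: Optional[str] = None  # SAC name when the NPA is one


def digits_only(number: str) -> str:
    """Strip punctuation such as '(914) 948-8100' down to bare digits."""
    return re.sub(r"\D", "", number)


def parse_number(number: str) -> NetworkAddress:
    """Split a dialed number into NPA, CO code and station per the N*X NXX-XXXX plan.

    Accepts either a 10-digit destination code or a 7-digit local number, and
    raises ValueError when any digit sits in a position its class does not allow
    (e.g. a 0 or 1 as the first digit of an area code or CO code).
    """
    d = digits_only(number)
    if len(d) == 10:
        m = DESTINATION_CODE.match(d)
        if not m:
            raise ValueError(f"not a valid N*X NXX-XXXX destination code: {number!r}")
        npa = m.group("npa")
        return NetworkAddress(npa, m.group("co"), m.group("station"),
                              SPECIAL_AREA_CODES.get(npa))
    if len(d) == 7:
        m = LOCAL_NUMBER.match(d)
        if not m:
            raise ValueError(f"not a valid NXX-XXXX telephone #: {number!r}")
        return NetworkAddress(None, m.group("co"), m.group("station"))
    raise ValueError(f"expected 7 or 10 digits, got {len(d)}: {number!r}")


def looks_like_area_code(three_digits: str) -> bool:
    """True when three digits fit the N*X pattern the plan reserves for area codes."""
    return re.fullmatch(f"{N}{STAR}{X}", three_digits) is not None


if __name__ == "__main__":
    # Constructed sample input; the first two are numbers that appear elsewhere in this file.
    for sample in ["(914) 948-8100", "800-521-8400", "555-1212", "123-555-1212"]:
        try:
            print(sample, "->", parse_number(sample))
        except ValueError as err:
            print(sample, "->", err)
```

The middle-digit test in looks_like_area_code is the whole reason for the * class: with area codes confined to N0X/N1X and CO codes to NXX, a switch can tell from the second digit whether the caller is dialing ten digits or seven.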
When a community is split by a state line, the CO #'s are often interchangeable (ie, you can dial the same # from 2 different area codes).

TWX:

TWX (Telex II) consists of 5 teletypewriter area codes. They are owned by Western Union. These SAC's may only be reached via other TWX machines. These run at 110 baud. Besides the TWX #'s, these machines are routed to normal telephone #'s. TWX machines always respond with an answerback. For example: WU's FYI TWX # is (910) 988-5956; the corresponding real number to this is (201) 279-5956. The answerback for this service is "WU FYI MAWA." If you don't want to buy a TWX machine, you can still send TWX messages using Easylink [800/325-4112 - see TUC's and my article entitled "Hacking Western Union's Easylink"].

700:

At the time of this writing, the 700 exchange does not yet exist. AT&T plans to use it soon though. They plan to make it a type of fancy call forwarding service. It will be targeted towards salesmen on the run. To understand how it works, I'll explain it with an example. Let's say Joe Q. Salespig works for AT&T Security and he is on the run chasing a phreak around the country who royally screwed up an important Cosmos system. Let's say that Joe's 700 # is (700) 382-5968. Every time Joe goes to a new hotel, he dials a special 700 #, enters a code, and the # where he is staying. Now, if his boss received some important info, all he would do is dial (700) 382-5968 and it would ring wherever Joe last programmed it to. Neat, huh?

800:

This SAC is one of my favorites since it allows for toll-free calls.

Inward WATS (INWATS): Inward Wide-Area Telecommunications Service is the 800 #'s that we are all familiar with. 800 #'s are set up in service areas or bands. There are 6 of these. Band 6 is the largest and you can call a band 6 # from anywhere in the US except the state where the call is terminated (this is why most companies have one 800 # for the country and then another for just one state).
Band 5 includes the 48 contiguous states. All the way down to band 1, which includes only the states contiguous to that one. Therefore, fewer people can reach a band 1 INWATS # than a band 6 #.

Intrastate INWATS #'s (ie, you can call it from only 1 state) always have a 2 as the last digit in the exchange (ie, 800-NX2-XXXX). The NXX on 800 #'s represents the area where the business is located. For example, a # beginning with 800-431 would terminate at a NY co.

800 #'s always end up in a Hunt series in a Co. This means that it tries the first # allocated to the company for their 800 lines; if this is busy it will then try the next #, etc. You must have a minimum of two lines per each 800 #. For example: Travelnet uses a Hunt series - if you dial (800) 521-8400, it will first try the # associated with 8400; if it is busy it will then try the next # in the series. The company is billed by the # of hours of calls that are made to their #.

Outwats (Outward WATS): OUTWATS are for making outgoing calls only. Large companies use OUTWATS since they receive bulk-rate discounts. Since OUTWATS #'s cannot have incoming calls, they are in the format of:

  (800) *XX-XXXX

Where * is the digit 0 or 1 which cannot be dialed unless you box the call. The *XX identifies the type of service and the areas that the company can call.

Remember: INWATS + OUTWATS = WATS Extender (See part I)

900:

This dial-it SAC is a nationwide dial-it service. It is used for taking television polls and other stuff. The first minute currently costs an outrageous 50 cents and each additional minute costs 35 cents. Bell takes in a lot of revenue this way. Dial (900) 555-1212 to find out what is currently on the service.


CO Codes:
---------

These identify the switching office where the call is to be routed.
The following CO codes are reserved nationwide:

  555 - Directory Assistance
  844 - Time     ] These are now in
  936 - Weather  ] the 976 exchange
  950 - Future services
  958 - Plant Test
  959 - Plant Test
  970 - Plant Test (temporary)
  976 - Dial-it services

Also, the 3 digit ANI & Ringback #'s are regarded as plant test and are thus reserved. These numbers vary from area to area.

950: [Also see part I] Here are the services that are currently on the 950 exchange:

  1000 - SPC
  1022 - MCI Execunet
  1033 - US Telephone
  1044 - ALLNET
  1066 - LEXITEL
  1088 - SBS Skyline

These SCC's (Specialized Common Carriers) are free from Fortresses!

Plant Tests: These include ANI, Ringback, and other various tests.

976: Dial 976-1000 to see what is currently on the service. Also, many BBS's have a listing of these #'s.


N11 Codes:
----------

Bell is trying to phase some of these out, but they still exist in many areas.

  011 - International Dialing Prefix
  211 - Coin Refund Operator
  411 - Directory Assistance
  611 - Repair Service
  811 - Business Office
  911 - Emergency


=======================
=International Dialing=
=======================

With International Dialing, the world has been divided into 9 numbering zones. To make an international call, you must dial:

  Int. Prefix + Country code + Nat. #

In North America, the international dialing prefix is 011 for station-to-station calls and 01 for operator-serviced calls. IDDD stands for International Direct Distance Dialing.

The country code, which varies from 1 to 3 digits, always has the world numbering zone as the first digit. For example, the country code for the United Kingdom is 44, thus it is in world numbering zone 4. Some boards may contain a complete listing of other country codes, but here are a few:

    1 - North America (US, Canada, etc.)
   20 - Egypt
  258 - Mozambique
   34 - Spain
   49 - Germany
   52 - Mexico (Southern Portion)
   61 - Australia
    7 - USSR
   81 - Japan
   98 - Iran

If you call from an area other than North America, the format is generally the same.
For example, let's say you wanted to call the White House from Switzerland. First you would dial 00 (the Swiss International Dialing Prefix), then 1 (the US country code), followed by 202-456-1414 (the national # for the White House).

Also, country code 87 is required for maritime mobile service, ie, calling ships:

  871 - Marisat (Atlantic)
  872 - Marisat (Pacific)
  873 - Marisat (Indian)

International Switching:

In North America, there are currently 7 No. 4 ESS's that perform the duty of ISC (International Switching Centers). All international calls dialed from numbering zone 1 will be routed through one of these "Gateway cities." They are:

  182 - WHITE PLAINS, NY
  183 - NEW YORK, NY
  184 - PITTSBURGH, PA
  185 - ORLANDO, FL
  186 - OAKLAND, CA
  187 - DENVER, CO
  188 - NEW YORK, NY

system called CCITT. It is an international standard for signaling.

------------------------------------------------------------------------------

*> Title: Agent Biocs [File 4]
*> Date: 4/1/88
*> Time: 7:05 pm

******BIOC Agent 003's course in*******
*                                     *
*     ==========================      *
*     =BASIC TELECOMMUNICATIONS=      *
*     ==========================      *
*                                     *
*               PART IV               *
***************************************

PREFACE:
--------

Part IV will deal with the various types of operators, office hierarchy, & switching equipment.


OPERATORS:
----------

There are many types of operators in The Network and the more common ones will be discussed.

TSPS Operator:

The TSPS (Traffic Service Position System) Operator is probably the bitch (or bastard for the phemale liberationists) that most of us are used to having to deal with. Here are her responsibilities:

  1) Obtaining billing information for Calling Card or 3rd number calls.
  2) Identifying called customer on person-to-person calls.
  3) Obtaining acceptance of charges on collect calls.
  4) Identifying calling numbers. This only happens when the calling # is not automatically recorded by CAMA (Centralized Automatic Message Accounting) & forwarded from the local office.
This could be caused by equipment failures or if the office is not equipped for CAMA (most are).

You shouldn't mess with the TSPS operator since she KNOWS where you are calling from. She also knows whether or not you are at a fortress fone & she can trace calls quite readily. Out of all the operators, she is one of the MOST DANGEROUS.

INWARD Operator:

This operator assists your local TSPS ("O") operator in connecting calls. She will never question a call as long as the call is within HER SERVICE AREA. She can only be reached via other operators or by a Blue Box. From a BB, you would dial KP+NPA+121+ST for the INWARD operator that will help you connect any calls within that NPA area only. (Blue Boxing will be discussed in a future part of BASIC TELCOM)

DIRECTORY ASSISTANCE Operator:

This is the operator that you are connected to when you dial: 411 or NPA-555-1212. She does not readily know where you are calling from. She does not have access to unlisted #'s, but she does know if an unlisted # exists for a certain listing.

There is also a directory assistance for deaf people who use Teletypewriters. If your modem can transfer BAUDOT (the Apple Cat can), then you can call her up and have an interesting conversation with her. The # is: 800-855-1155. She uses the standard Telex abbreviations such as GA for Go Ahead. They tend to be nicer & will talk longer than your regular operators. Also, they are more vulnerable to being talked out of information through the process of "social engineering" as Cheshire Catalyst would put it.

Other operators have access to their own DA by dialing KP+NPA+131+ST (MF).

This is a little out of the scope of this tutorial, but many telcos are now charging for calls to dir. asst. You can beat this by: (1) count how many calls you make to directory assistance in a billing period. Go to a fortress fone & dial DA. When the operator comes on, give her a name that you know has an unlisted # or ask for a town that isn't in the NPA.
She will then ask for your # so she can credit the call to you. Give her your home #; she doesn't know that you are making a free call from the fortress. Just make sure that you don't credit yourself for more calls than you actually made or you might have a few problems!
(2) If you have a BAUDOT terminal, use the 800 #; it's free & there is one # for all requests.

C/NA Operators:

C/NA operators are operators that do exactly the opposite of what directory assistance operators are for. See part II for more info on C/NA & #'s. In my experience, these operators know more than the DA ops do & they are more susceptible to "social engineering." It is possible to bullshit a C/NA operator for the NON-PUB DA # (i.e., you give them the name & they give you the unlisted #). This is due to the fact that they assume you are a phellow company employee.

INTERCEPT Operator:

The intercept operator is the one that you are connected to when there are not enough recordings available to tell you that the # has been disconnected or changed. She usually says, "What # you callin'?" with a foreign accent. This is the lowest operator lifeform. Even though they don't know where you are calling from, it is a waste of your time to try to verbally abuse them since they usually understand very little English.

OTHER Operators:

And then there are the Mobile, Ship-to-Shore, Conference, Marine Verify, "Leave Word & Call Back," Route & Rate (KP+NPA+141+ST), & other special operators who have one purpose or another in the Network.

Problems with an Operator? Ask to speak to their supervisor... which is the equivalent of the Madame in a whorehouse (if you will excuse the analogy).

By the way, some CO's that will allow you to dial a 1 or 0 as the 4th digit will also allow you to call special operators without a blue box. This is very rare, though! For example, 212-121-1111 will get you a NY Inward Operator.
==================
=OFFICE HIERARCHY=
==================

Every switching office in North America (the NPA system) is assigned an office name & class. There are five classes of offices numbered 1 through 5. Your CO is most likely a class 5 or end office. All Long-Distance (Toll) calls are switched by a toll office, which can be a class 4, 3, 2, or 1 office. There is also a 4X office called an intermediate point. The 4X office is a digital one that can have an unattended exchange attached to it (known as a Remote Switching Unit-RSU). The following chart lists the office class, name, & how many of those offices existed in North America in 1981.

Class  Name              Abb  # Existing
-----  ----------------  ---  ----------
1      Regional Center   RC           12
2      Sectional Center  SC           67
3      Primary Center    PC          230
4      Toll Center       TC        1,300
4P     Toll Point        TP
4X     Intermediate Pt   IP
5      End Office        EO       19,000
R      RSU               RSU

When connecting a call from one party to another, the switching equipment usually tries to find the shortest route between the Class 5 end office of the caller & the Class 5 end office of the called party. If no inter-office trunks exist between the 2 parties, it will then move up to the next highest office for servicing (Class 4). If the Class 4 office cannot handle the call by sending it to another Class 4 or 5 office, it will be sent to the next office in the hierarchy (3). The switching equipment first uses the high-usage interoffice trunk groups; if they are busy it then goes to the final trunk groups on the next highest level. If the call cannot be connected then, you will probably get a re-order (120 IPM busy) signal. At this time, the guys at Network Operations are probably shitting in their pants and trying to avoid the dreaded Network Deadlock (as seen on TV!).

It is also interesting to note that 9 connections in tandem is called ring-around-the-rosy and it has never occurred in telephone history. (Nine trunks in tandem is the longest final route the hierarchy allows: EO-TC-PC-SC-RC-RC-SC-PC-TC-EO.) This would cause an endless loop connection.
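The routing rule in the paragraph above (direct high-usage trunk first, then up the homing chain on the final groups, stepping back down the called party's chain) is easier to see in code. The following is an added example written for this page, not code from BIOC or from any telco; the office names, the homing relationships and the trunk-group sizes are all constructed, and the "nine in tandem" ceiling is enforced as a simple hop limit plus a no-revisit check.

```python
# Added example, not from the original text: a toy model of the hierarchical
# routing described above. Office names, the homing chain and trunk-group
# sizes are constructed for illustration and do not describe any real network.
from dataclasses import dataclass, field

# Office class: 5 = end office, 4 = toll center, 3 = primary, 2 = sectional,
# 1 = regional center.
CLASS = {
    "EO-A": 5, "EO-B": 5, "EO-C": 5,
    "TC-1": 4, "TC-2": 4,
    "PC-1": 3, "PC-2": 3,
    "SC-1": 2,
    "RC-1": 1, "RC-2": 1,
}

# Each office "homes" on one office of a higher class; the final trunk groups
# follow this chain. The regional centers are fully interconnected.
HOMES_ON = {
    "EO-A": "TC-1", "EO-B": "TC-1", "EO-C": "TC-2",
    "TC-1": "PC-1", "TC-2": "PC-2",
    "PC-1": "SC-1", "PC-2": "RC-2",
    "SC-1": "RC-1",
    "RC-1": "RC-2", "RC-2": "RC-1",
}

# Trunk groups and their number of circuits. Groups that do not follow the
# homing chain are high-usage groups; they are deliberately tiny here so that
# overflow onto the final route can be seen.
TRUNKS = {
    frozenset(("EO-A", "EO-B")): 1,     # direct interoffice group (high-usage)
    frozenset(("TC-1", "PC-2")): 1,     # high-usage group that skips levels
    frozenset(("EO-A", "TC-1")): 10,    # final groups from here on
    frozenset(("EO-B", "TC-1")): 10,
    frozenset(("EO-C", "TC-2")): 10,
    frozenset(("TC-1", "PC-1")): 10,
    frozenset(("TC-2", "PC-2")): 10,
    frozenset(("PC-1", "SC-1")): 10,
    frozenset(("SC-1", "RC-1")): 10,
    frozenset(("PC-2", "RC-2")): 10,
    frozenset(("RC-1", "RC-2")): 10,
}


@dataclass
class Network:
    cls: dict
    homes_on: dict
    trunks: dict
    busy: dict = field(default_factory=dict)   # circuits seized per group

    def free(self, a, b):
        g = frozenset((a, b))
        return self.trunks.get(g, 0) - self.busy.get(g, 0)

    def seize(self, a, b):
        g = frozenset((a, b))
        self.busy[g] = self.busy.get(g, 0) + 1

    def final_chain(self, office):
        """The offices from `office` up its homing chain to a regional center."""
        chain = [office]
        while self.cls[chain[-1]] > 1:
            chain.append(self.homes_on[chain[-1]])
        return chain

    def route(self, calling_eo, called_eo, max_links=9):
        """Offices the call passes through, or None for a re-order (120 IPM)."""
        target = self.final_chain(called_eo)
        path = [calling_eo]
        while path[-1] != called_eo:
            here = path[-1]
            if here in target:
                # On the called party's chain: step down toward its end office.
                nxt = target[target.index(here) - 1]
                if self.free(here, nxt) <= 0:
                    return None
            else:
                # Try high-usage groups that land on the called chain, the one
                # closest to the called end office first; otherwise take the
                # final group up to this office's own home.
                nxt = next((o for o in target if self.free(here, o) > 0), None)
                if nxt is None:
                    nxt = self.homes_on.get(here)
                    if nxt is None or self.free(here, nxt) <= 0:
                        return None
            # Never revisit an office (ring-around-the-rosy) and never exceed
            # the hierarchy's maximum of nine trunks in tandem.
            if nxt in path or len(path) > max_links:
                return None
            self.seize(here, nxt)
            path.append(nxt)
        return path


def demo():
    net = Network(CLASS, HOMES_ON, dict(TRUNKS))
    direct = net.route("EO-A", "EO-B")   # takes the single direct circuit
    via_tc = net.route("EO-A", "EO-B")   # direct group busy: up to the toll center
    short = net.route("EO-A", "EO-C")    # high-usage TC-1 -> PC-2 skips two levels
    final = net.route("EO-A", "EO-C")    # that group busy: the full final route
    return direct, via_tc, short, final
```

Each `demo()` call routes four calls in order without releasing circuits, so the fourth call is forced onto the full nine-office final route through both regional centers; removing any final group (for example by passing an empty `trunks` dict) produces the re-order result instead.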
[A neat way to really screw-up the Network]

The 10 regional centers in the US & the 2 in Canada are all interconnected. They form the foundation of the entire telephone network. Since there are only 12 of them, they are listed below:

Class 1 Regional Office Location      NPA
------------------------------------  ---
Dallas 4 ESS                          214
Wayne, PA                             215
Denver 4T                             303
Regina No.2 SP1-4W [Canada]           306
St. Louis 4T                          314
Rockdale, GA                          404
Pittsburgh 4E                         412
Montreal No.1 4AETS [Canada]          514
Norwich, NY                           607
San Bernardino, CA
Norway, IL                            815
White Plains 4T, NY                   914

The following diagram demonstrates how the various offices may be connected:

^----------^----------^ Regional _|_ _|_ _|_Offices ~~~~~|1| <----> |1| <----> |1|~~~~~ --- --- --- | Others\/ -^-------^-------^------^---------^ _|_ _|_ _|_ _|__ _|_ |2| |3| |4| |4P| |5| --- --- --- -^^- --- | | | | ^----^ | ^----^ | _|_ _|_ | __|_ _|_ | |3| |4| | |4X| |5| ^-----^ --- -^- | ---- --- _|__ _|_ ^ | |4X| |5| __|_ | 0 ---- --- |5R| |-------------^ -^^- /--------|---------\ _|_ _|_ _|_ _|__ |R| |4| |5| |5R| --- --- --- ----

NOTE: The preceding diagram used certain lower case characters that may not be viewed as I intended them if you are not using a lower case terminal.

=====================
=SWITCHING EQUIPMENT=
=====================

In the Network, there are 3 major types of switching equipment. They are known as Step, Crossbar, & ESS.

STEP-BY-STEP (SxS)

The Step-By-Step, a/k/a the Strowger switch or two-motion switch, was invented in 1889 by an undertaker named Almon Strowger. He invented this mechanical switching equipment because he felt that the biased operator was routing all requests for an 'undertaker' to her husband's business. Bell started using this system in 1918 & as of 1978, over 53% of the Bell exchanges used this method of switching. Step-by-Step switching is controlled directly by the dial pulses, which move a series of switches (called the switch train) in order.
When you first pick up the fone under SxS, a linefinder acknowledges the request (sooner or later) by sending a dial tone. If you then dialed 1234, the equipment would first find an idle selector switch. It would then move vertically 1 pulse, then move horizontally to find a free second selector; that selector would then move 2 vertical pulses, step horizontally to find the next selector, etc. Thus the first switch in the train (the linefinder) takes no digits, the second switch takes 1 digit, the third switch takes 1 digit, & the last switch in the train (called the connector) takes the last 2 digits & connects your call. A normal (10,000 line) exchange requires 4 digits (0000-9999) to connect a local call & thus it takes 4 switches to connect every call (linefinder, 1st & 2nd selectors, & the connector).

While it was the first, SxS sucks for the following reasons:

[1] The switches often become jammed, thus the calls often become blocked.
[2] You can't use DTMF (Dual-Tone Multi-Frequency, a/k/a Touch-Tone) directly. It is possible that the Telco may have installed a conversion kit, but then the calls will go through just as slow as pulse anyway!
[3] They use a lot of electricity & mechanical maintenance. (Bad from the Telco's point of view.)
[4] Everything is hardwired. They can still hook up pen registers & other shit on the line, so it is not exactly a phreak haven.

You can identify SxS offices by:

(1) Lack of DTMF, or pulsing digits after dialing DTMF.
(2) If you go near the CO, it will sound like a typewriter testing factory.
(3) Lack of speed calling, call forwarding, & other customer services.
(4) Fortress fones that want your money first (as opposed to dial-tone-first ones).

The preceding don't necessarily imply that you have SxS, but they surely give evidence that it might be. Also, if any of the above characteristics exist, it certainly isn't ESS! Also, SxS has pretty much been eradicated from large metropolitan areas such as NYC (212).
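The switch train just described is progressive control: each digit is consumed by the next switch as it is dialed, which is also why a jammed level blocks calls and why a tone that arrives all at once cannot drive it. The model below is an added example written for this page, not code from BIOC; the ten outlets per level, the four-switch train for a 10,000-line office, and the numbers dialed are constructed, and seized outlets are never released so that the blocking in reason [1] above shows up after ten calls into one thousands group.

```python
# Added example, not from the original text: a model of the step-by-step
# switch train described above. Outlets per level, the four-switch train and
# the numbers dialed are constructed; calls are never released in this demo.


class Selector:
    """A two-motion switch: the dial pulses of one digit step it up to a
    level, then it hunts horizontally across that level's outlets for an idle
    trunk to the next switch in the train."""

    def __init__(self, name, outlets_per_level=10):
        self.name = name
        self.outlets_per_level = outlets_per_level
        self.in_use = set()          # (level, outlet) pairs currently seized

    def step_and_hunt(self, level):
        for outlet in range(1, self.outlets_per_level + 1):
            if (level, outlet) not in self.in_use:
                self.in_use.add((level, outlet))
                return outlet
        return None                  # every outlet on this level is busy


class Connector:
    """The last switch: the tens digit steps it vertically and the units
    digit rotates it straight onto the called line, so there is no hunting."""

    def __init__(self):
        self.seized_lines = set()

    def connect(self, tens, units):
        line = (tens, units)
        if line in self.seized_lines:
            return "busy"
        self.seized_lines.add(line)
        return "ringing"


class StepOffice:
    """Linefinder, first selector, second selector and connector: four
    switches for a four-digit (10,000 line) local number."""

    def __init__(self):
        self.first = Selector("1st selector")
        self.second = Selector("2nd selector")
        self.connector = Connector()

    def dial(self, number):
        """Return the trace of one call through the train."""
        if len(number) != 4 or not number.isdigit():
            raise ValueError("a local SxS call takes exactly four digits")
        # Ten pulses are dialed for '0', so it steps to the tenth level.
        levels = [10 if d == "0" else int(d) for d in number]
        trace = [("linefinder", "dial tone")]
        for sw, level in ((self.first, levels[0]), (self.second, levels[1])):
            outlet = sw.step_and_hunt(level)
            if outlet is None:
                trace.append((sw.name, f"level {level} jammed, call blocked"))
                return trace
            trace.append((sw.name, f"level {level}, outlet {outlet}"))
        trace.append(("connector", self.connector.connect(levels[2], levels[3])))
        return trace


def demo():
    office = StepOffice()
    first = office.dial("1234")         # rings line 34 in the 12xx hundreds group
    again = office.dial("1234")         # same line still seized: busy tone
    for i in range(8):                  # eight more calls into the 1xxx group
        office.dial(f"15{i:02d}")
    blocked = office.dial("1999")       # 11th call: level 1 has no idle outlet
    return first, again, blocked
```

Note that the blocked call fails at the first selector before the third and fourth digits are even looked at; on a real SxS office the caller hears the reorder while still dialing.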
CROSSBAR:

There are 3 major types of Crossbar systems, called No. 1 Crossbar (1XB), No. 4 Crossbar (4XB), & No. 5 Crossbar (5XB). 5XB has been the primary end office switch of Bell since the 60's and thus it is in wide use. Crossbar uses a common control switching method. When there is an incoming call, a common control unit (the marker, which is wired logic rather than a stored program) determines its route through the switching matrix. In Crossbar, the basic operation principle is that a horizontal & a vertical line are energized in a matrix known as the crosspoint matrix. The point where these 2 lines meet in the matrix is the connection.

+===+
=ESS=
+===+

Electronic Switching System (ESS): The Phreak's Nightmare Come True (or Orwell's Prophecy, as 2600 puts it)

ESS is Bell's move towards the Airstrip One society depicted in Orwell's 1984. With ESS, EVERY single digit that you dial is recorded--even if it is a mistake. They know who you call, when you call, how long you talked for, & probably what you talked about (in some cases). ESS can (and is) also programmed to print out #'s of people who make excessive calls to 800 #'s or directory assistance. This is called the "800 Exceptional Calling Report." ESS could also be programmed to print out logs of who calls certain #'s--like a bookie, a known communist, a BBS, etc.

The thing to remember with ESS is that it is a series of programs working together. These programs can be very easily changed to do whatever they want them to do. One phreak whom I know has some ESS source code listing which is incredibly complex (as well as documented--thank God). This system makes the job of Bell Security, the FBI, NSA, & other organizations that like to invade privacy incredibly easy. With ESS, tracing is done in microseconds (in the blink of an eye) & the results are printed at the console of a Bell Gestapo officer. ESS will also pick up any "foreign" tones on the line such as 2600 Hz! Bell predicts that the country will become totally ESS by the 1990's.
You can identify ESS by the following, which are usually ESS functions:

[1] Dialing 911 for help.
[2] Dial-Tone-First fortresses.
[3] Custom Calling Services such as Call Forwarding, Speed Dialing, & Call Waiting. (Ask your business office if you can get these.)
[4] ANI (Automatic Number Identification) on LD calls.

Phreaking does not come to a complete halt under ESS--just be very careful, though!!! Due to the fact that ESS sends a computer generated "artificial ring," where the voice is not connected directly to the called party's line until he picks up, Black Boxes & Infinity Transmitters will not work!

NOTE: Another interesting way to find out what type of equipment you are on is to raid the trash can of your local CO--this art will be discussed in a separate article soon.

Coming Soon: In part V, we will start to take a look at telephone electronics.

Further Reading:

For more information on the above topics, I suggest the following:

Notes on the Network, AT&T, 1980.
Understanding Telephone Electronics, Texas Instruments, 1983.

And subscriptions to:

TAP, Room 603, 147 W 42 St, New York, NY 10036. Subscriptions are $10/year. Back issues are $0.75. The current issue is #90 (Jan/Feb 1984).
2600, Box 752, Middle Island, NY 11953. Subscriptions are $10/year. Back issues are $1 each. The current issue is #4 (April 1984).

They are both excellent sources of all sorts of information (primarily phreaking/hacking).

NOTE: For the most part, I have assumed that you have read my previous 3 courses in the BASIC TELCOM series.
Hasta Luego,

*****BIOC
*=$=*Agent
*****003

April 13, 1984
{The Year of Big Brother}

-------------------------------------------------------------------------------

 *******BIOC Agent 003's course in******
 *                                     *
 *      ==========================     *
 *      =BASIC TELECOMMUNICATIONS=     *
 *      ==========================     *
 *               PART V                *
 ***************************************

Revised: 08-AUG-84

PREFACE:

Previous installments of this series were focused on telephony from a Network point-of-view. Part V will deal with telephone electronics, focusing primarily on the subscriber's telephone, hereinafter simply referred to as "fone."

Wiring:
-------
Assuming a standard one-line fone, there are usually 4 wires that lead out of the fone set. These are standardly colored red, green, yellow, & black. The red & green wires are the two that are actually hooked up to your CO.
The yellow wire is sometimes used to ring different fones on a party line (i.e., one #, several families--found primarily in rural areas where they pay less for the service and they don't use the fone as much); otherwise, the yellow is usually just ignored. On some two-line fones, the red & green wires are used for the first fone # and the yellow & black are used for the second line. In this case there must be an internal or external device that switches between the two lines and provides a hold function (such as Radio Shack's outrageously priced 2-line & hold module).

In telephony, the green & red wires are often referred to as tip (T) & ring (R), respectively. The tip is the more positive of the two wires. This naming goes back to the old operator cord boards, where one of the wires was the tip of the plug and the other was the ring (of the barrel).

A rotary fone (aka dial or pulse) will work fine regardless of whether the red (or green) wire is connected to the tip (+) or ring (-). A touch-tone (TM) fone is a different story, though. It will not work unless the tip (+) is the green wire. [Although some of the more expensive DTMF fones do have a bridge rectifier which compensates for polarity reversal.] This is why under certain (non-digital) switching equipment you can reverse the red & green wires on a touch-tone fone and receive free DTMF service. Even though it won't break dial tone, reversing the wires on a rotary line on a digital switch will cause the tones to be generated.

Voltages, Etc.
--------------
When your telephone is on-hook (i.e., hung up) there is approximately 48 volts of DC potential across the tip & ring. When the handset of a fone is lifted, a few switches close which cause a loop to be connected (known as the "local loop") between your fone & the CO. Once this happens, DC current is able to flow through the fone with less resistance. This causes a relay to energize, which causes other CO equipment to realize that you want service.
Eventually, you should end up with a dial tone. This also causes the 48 VDC to drop down into the vicinity of 12 volts. The resistance of the loop also drops below the 2500 ohm level, though FCC licensed telephone equipment must have an off-hook impedance of 600 ohms.

The same thing happens at the called party's end when he answers: his loop closes, the voltage on his line drops, and that drop is what tells the CO to start billing the call. A device that keeps the called party's line near the on-hook voltage while still passing voice will therefore "answer" a call without billing ever starting. Phreaks affectionately call this mute a black box.

The following are instructions on how to build a simple black box. Of course, anything that prevents the voltage from dropping would work. You only need two parts: a SPST toggle switch and a 10,000 ohm (10 K), 1/2 watt resistor. Any electronics store should stock these parts.

Now, cut 2 pieces of wire (about 6 inches long) and attach one end of each wire to one of the terminals on the switch. Now turn your K500 (standard desk fone) upside down and take off the cover. Locate the wire shown in the pictorial diagram below and disconnect it from its terminal. Now bring the switch out the rear of the fone and replace the cover. Note which side of the switch gives you a dial tone, and label the other side FREE.

When your phriends call (at a prearranged time), quickly lift & drop the receiver as fast as possible. This will stop the ringing (do it again if it doesn't) without starting the billing. It is important that you do it quickly (less than 1 second).
Then put the switch in the FREE position and pick up the fone. Keep all calls short and preferably under 15 minutes.

NOTE: If someone picks up an extension in the called party's house and that fone is not set for FREE, then billing will start.

NOTE: An old way of signalling a phriend that you are about to call is making a collect call to a non-existent person in the house. Since your friend will not accept the charges, he will know that you are about to call and thus prepare the black box (or vice versa).

WARNING: The Telco can detect black boxes if they suspect one on your line. This is done due to the presence of an AC voice signal at the wrong DC level!

Pictorial Diagram: (Standard Rotary K500 fone)

--------------------------------------- ! ! ***BLUE WIRE**>>F< ! ! * * ! **WHITE WIRE** * ! ! * ! ! RESISTOR ! ! * ! ! * ! ! >RR<*******SWITCH**** ! ! * ! ****GREEN WIRE********************** ! ! ! ---------------------------------------

NOTE: The Black Box will not work under ESS or other similar digital switches since ESS does not connect the voice circuits until the fone is picked up (& billing starts). Instead, ESS uses an "artificial" computer generated ring.

Ringing:
--------
To inform a subscriber of an incoming call, the Telco sends about 90 volts AC (at around 15 to 60 Hz; usually 20 Hz) down the line, superimposed on the DC line voltage. In most fones this causes a metal armature to be attracted alternately between two electro-magnets, thus striking 2 bells. Of course, the standard bell (patented in 1878 by Tom A. Watson) can be replaced by a more modern electronic bell or signaling device. Also, you can have lights and other similar devices in lieu of (or in conjunction with) the bell. A simple neon light (with its corresponding resistor) can simply be connected between the red & green wires (usually L1 & L2 on the network box) so that it lights up on incoming calls.

WARNING: 90 volts of ringing can give quite a shock. Exercise extreme caution if you wish to further pursue these topics.
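The Voltages, black box and Ringing passages above describe one supervision loop from the CO's side: ringing on the pair, the DC level collapsing when the called party closes the loop (billing starts), and the WARNING's detection rule of voice-band AC on a line whose DC level still says on-hook. The following is an added example written for this page, not code from BIOC or from any telco; the thresholds (`OFF_HOOK_MAX_DC`, `ON_HOOK_MIN_DC`), the frequency bands and the two sampled call timelines are all constructed assumptions, and real offices supervise on loop current rather than on a sampled voltage.

```python
# Added example, not from the original text: a model of the loop supervision
# that decides when billing starts, plus the black-box check from the WARNING
# above. Thresholds, bands and the two timelines are constructed for
# illustration; real offices supervise on loop current, not sampled volts.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    t: float        # seconds since ringing started
    dc: float       # DC volts measured across tip and ring at the CO
    ac_hz: float    # dominant AC frequency on the pair, 0.0 if none
    ac_vpk: float   # AC peak volts, 0.0 if none


RING_BAND = (15.0, 60.0)        # ringing generator, usually 20 Hz
VOICE_BAND = (300.0, 3400.0)    # speech
OFF_HOOK_MAX_DC = 25.0          # at or below this the loop is closed (about 12 V)
ON_HOOK_MIN_DC = 35.0           # at or above this the loop looks open (48 V nominal)


def line_state(s: Sample) -> str:
    if RING_BAND[0] <= s.ac_hz <= RING_BAND[1] and s.ac_vpk >= 60.0:
        return "ringing"
    if s.dc <= OFF_HOOK_MAX_DC:
        return "off-hook"
    if s.dc >= ON_HOOK_MIN_DC and VOICE_BAND[0] <= s.ac_hz <= VOICE_BAND[1]:
        # Speech riding on a loop that still reads open: the black-box signature.
        return "voice-on-hook"
    return "on-hook"


def supervise(samples: List[Sample]) -> Tuple[Optional[float], bool]:
    """Return (time billing started or None, black box suspected)."""
    billing_start = None
    suspect = False
    for s in samples:
        state = line_state(s)
        if state == "off-hook" and billing_start is None:
            billing_start = s.t      # called party answered: start the meter
        elif state == "voice-on-hook" and billing_start is None:
            suspect = True           # conversation, but nobody ever "answered"
    return billing_start, suspect


# Constructed timelines as seen at the CO end of the called party's loop.
NORMAL_CALL = [
    Sample(0.0, 48.0, 20.0, 90.0),      # ringing
    Sample(2.0, 48.0, 0.0, 0.0),        # silent interval between rings
    Sample(6.5, 12.0, 0.0, 0.0),        # handset lifted: loop closed, ring tripped
    Sample(7.0, 12.0, 1000.0, 0.8),     # conversation
]
BLACK_BOX_CALL = [
    Sample(0.0, 48.0, 20.0, 90.0),
    Sample(2.0, 48.0, 0.0, 0.0),
    Sample(6.5, 44.0, 0.0, 0.0),        # sub-second hookflash stopped the ringing
                                        # (between samples); the 10 K resistor
                                        # keeps the DC level near on-hook
    Sample(7.0, 44.0, 1000.0, 0.8),     # voice on a loop that never "answered"
]
```

The model also makes the two caveats in the text concrete: an extension lifted without the FREE switch would appear as an `off-hook` sample and start billing, and an office that times the hookflash instead of sampling around it, or an ESS that does not cut the voice path through until answer, never reaches the `voice-on-hook` state at all.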
Also included in the ringing circuit is a capacitor [...]

[...] up to drop a trouble card for long periods of ringing, then a "no-no" detection device may be placed on the line. Incidentally, the term "ring trip" refers to the CO process involved to stop the AC ringing signal when the calling fone goes off hook.

NOTE: It is suggested that you actually dissect fones to help you better understand them. It will also help you to better understand the concepts here if you actually prove them to yourself. For example, actually take the voltage readings on your fone line [any simple multi-tester (a must) will do.] Phreaking is an interactive process, not a passive one!

Dialing:
--------

On a standard fone, there are two common types of dialing: pulse & DTMF. Of course, some people insist upon being different and do not use the DT, thus leaving them with MF (Multi Frequency, aka operator, blue box) tones. This is another "no-no" and the Telco Security gentlemen have a special knack for dealing with such "phreaks" on the network.

When you dial rotary, you are actually rapidly breaking & reconnecting (breaking & making) the local loop once for each digit dialed. Since the physical connection must be broken, you cannot dial if another extension (of that #) is off-hook. Neither of the fones will be able to dial pulse unless the other hangs up. Another term often referred to in telephone electronics is the break ratio. In the US, the standard is 10 pulses per second.
When the circuit is opened it is called the break interval. When it is closed it is called the make interval. In the US, there is a 60 millisecond (ms) make period and a 40 ms break period (60+40=100 ms = 1/10 second). This is referred to as a 60% make interval. Some of the more sophisticated electronic fones can switch between a 60% & a 67% make interval. This is due to the fact that many foreign nations use a 67% break interval.

Have you ever been in an office or a similar facility and saw a fone waiting to be used for a free call but some asshole put a lock on it to prevent outgoing calls? Well, don't fret phellow phreaks, you can simulate pulse dialing by rapidly depressing the switchhook. (If you depress it for longer than a second it will be construed as a disconnect.) By rapidly switchhooking you are causing the local loop to be broken & made, similar to rotary dialing! Thus if you can manage to switchhook rapidly 10 times you can reach an operator to place any call you want! This takes a lot of practice, though. You might want to practice on your own fone dialing a friend's # or something else. Incidentally, this method will also work with DTMF fones since all DTMF lines can also handle rotary.

Another problem with pulse dialing is that it produces high-voltage spikes that make loud clicks in the earpiece and cause the bell to "tinkle." If you never noticed this then your fone has a special "anti-tinkle" & earpiece shorting circuit (most do). If you have ever dissected a rotary fone (a must for any serious phreak) you would have noticed that there are 2 sets of contacts that open and close during pulsing (on the back of the rotary dial under the plastic cover). One of these actually opens and closes the loop while the other mutes the earpiece by shorting it out. The second set of contacts also activates a special anti-tinkle circuit that puts a 340 ohm resistor across the ringing circuit, which prevents the high voltage spikes from interfering with the bell.
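The loop-break signalling just described can be decoded mechanically. As an added example (not from the article), here is a Python decoder that turns a timeline of loop make/break intervals into dialed digits, treating a break of a second or more as an on-hook the way the text says the CO does; the pulse window and inter-digit gap values are this example's assumptions.

```python
"""Rotary / switchhook pulse decoding, as described in the text.

Added example, not part of the original article. A digit is a burst of
loop breaks at roughly 10 pulses per second (US nominal: 60 ms make,
40 ms break); digits are separated by a longer make interval; a break of
about a second or more is read by the CO as a hang-up, not as a pulse.
The numeric windows below are assumptions chosen to match those figures.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LoopEvent = Tuple[str, int]   # ("break" | "make", duration in ms)

DISCONNECT_MS = 1000     # a break this long is on-hook (disconnect), not a dial pulse
PULSE_BREAK_MIN_MS = 25  # accepted break window for one pulse (nominal 40 ms);
PULSE_BREAK_MAX_MS = 80  # wide enough to tolerate a hand-operated switchhook
INTERDIGIT_MIN_MS = 200  # a make interval at least this long ends the digit


@dataclass
class DecodeResult:
    digits: str
    disconnected: bool
    warnings: List[str] = field(default_factory=list)


def decode_pulses(events: List[LoopEvent]) -> DecodeResult:
    """Turn a make/break timeline into dialed digits (ten pulses = '0')."""
    digits: List[str] = []
    warnings: List[str] = []
    pulses = 0

    def close_digit() -> None:
        nonlocal pulses
        if pulses > 10:
            warnings.append(f"{pulses} pulses in one burst; digit discarded")
        elif pulses > 0:
            digits.append(str(pulses % 10))   # 10 pulses is the digit 0
        pulses = 0

    for state, ms in events:
        if state == "break":
            if ms >= DISCONNECT_MS:            # the CO construes this as hanging up
                close_digit()
                return DecodeResult("".join(digits), True, warnings)
            if PULSE_BREAK_MIN_MS <= ms <= PULSE_BREAK_MAX_MS:
                pulses += 1
            else:
                warnings.append(f"{ms} ms break ignored (outside pulse window)")
        elif state == "make":
            if ms >= INTERDIGIT_MIN_MS:
                close_digit()
        else:
            raise ValueError(f"unknown loop state {state!r}")
    close_digit()
    return DecodeResult("".join(digits), False, warnings)


def make_ratio(events: List[LoopEvent]) -> Optional[float]:
    """Percent make time over break/make pairs inside digits (US nominal 60%)."""
    ratios = []
    for (s1, b), (s2, m) in zip(events, events[1:]):
        if s1 == "break" and s2 == "make" and m < INTERDIGIT_MIN_MS:
            ratios.append(100.0 * m / (m + b))
    return sum(ratios) / len(ratios) if ratios else None


def rotary_dial(number: str, make_ms: int = 60, break_ms: int = 40,
                interdigit_ms: int = 700) -> List[LoopEvent]:
    """Constructed timeline for a rotary dial sending `number`."""
    events: List[LoopEvent] = []
    for d in number:
        n = 10 if d == "0" else int(d)
        for i in range(n):
            events.append(("break", break_ms))
            events.append(("make", make_ms if i < n - 1 else interdigit_ms))
    return events


if __name__ == "__main__":
    print(decode_pulses(rotary_dial("914")))
    # a hand-flashed switchhook: ten irregular breaks still read as "0" (operator)
    flashes = [("break", 55), ("make", 120)] * 10
    print(decode_pulses(flashes))
```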
Dual Tone Multi Frequency (DTMF) is a modern day improvement on pulse dialing in several ways. First of all, it is more convenient for the user since it is faster and can be used for signaling after the call is completed (ie, SCC's, computers, etc.). Also, it is more up to par with modern day switching equipment (such as ESS) since pulse dialing was designed to actually move relays by the number of digits dialed (in SxS offices). Each key on a DTMF keypad produces 2 frequencies simultaneously (one from the high group and another from the low group).

  Low Group        !  Q  ! ABC ! DEF !     !
    697 Hz ------  !  1  !  2  !  3  !  A  !
                   !-----!-----!-----!-----!
                   ! GHI ! JKL ! MNO !     !
    770 Hz ------  !  4  !  5  !  6  !  B  !
                   !-----!-----!-----!-----!
                   ! PRS ! TUV ! WXY !     !
    852 Hz ------  !  7  !  8  !  9  !  C  !
                   !-----!-----!-----!-----!
                   !     ! OPER!     !     !
    941 Hz ------  !  *  !  0  !  #  !  D  !
                   !     !  Z  !     !     !
                   !-----!-----!-----!-----!
                     1209  1336  1477  1633   (High Group -- in Hz)

A portable DTMF keypad is known as a white box. The fourth column (1633 Hz) is not normally found on regular fones but it does have several special uses. For one, it is used to designate the priority of calls on AUTOVON, the military fone network. These keys are called: Flash, Immediate, Priority, & Routine (with variations) instead of ABCD. Secondly, these keys are used for testing purposes by the Telco. In some areas you can find loops as well as other neat tests (see Part II) on the 555-1212 directory assistance exchange. For this, you would call up a DA in certain areas [that have an Automatic Call Distributor (ACD)] and hold down the "D" key which should blow the operator off. You will then hear a pulsing dial tone which indicates that you are in the ACD internal testing mode. You can get on one side of a loop by dialing a 6. The other side is 7. Some phreaks claim that if the person on side 6 hangs up, occasionally the equipment will screw up and start directing directory assistance calls to the other side of the loop.
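A DTMF receiver has to find exactly one low-group and one high-group tone in the audio, which is why a lone tone or a chord outside the grid decodes to nothing. The following Python decoder is an added example (not from the article) that measures the eight frequencies above with the Goertzel algorithm on synthesized 8 kHz samples; the dominance margin and noise floor are assumed values.

```python
"""DTMF decoding with the 4x4 grid from the text (1633 Hz column included).

Added example, not part of the original article. The Goertzel algorithm
measures energy at each of the eight tones in an 8 kHz sample block; a key
is accepted only if exactly one low-group and one high-group tone dominate.
The dominance margin and noise floor are assumptions of this example, and
the tone bursts are synthesized here so it runs offline.
"""
import math
from typing import Dict, List, Optional, Sequence

LOW_GROUP = (697, 770, 852, 941)
HIGH_GROUP = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")   # rows = low group, columns = high group

SAMPLE_RATE = 8000   # Hz, standard telephone channel sampling rate
DOMINANCE = 8.0      # winning tone needs 8x the energy of its group's runner-up (assumed)
MIN_POWER = 1.0      # noise floor for the amplitude scale used below (assumed)


def goertzel_power(samples: Sequence[float], freq: float, rate: int = SAMPLE_RATE) -> float:
    """Energy of `samples` in the DFT bin closest to `freq`."""
    n = len(samples)
    k = int(0.5 + n * freq / rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def dominant_tone(powers: Dict[int, float]) -> Optional[int]:
    """The one tone that clearly stands out in its group, or None."""
    ranked = sorted(powers.items(), key=lambda kv: kv[1], reverse=True)
    (best, p_best), (_, p_second) = ranked[0], ranked[1]
    if p_best < MIN_POWER or p_best < DOMINANCE * p_second:
        return None
    return best


def decode_dtmf(samples: Sequence[float]) -> Optional[str]:
    """Return the key for a block of samples, or None if no valid pair is present."""
    low = dominant_tone({f: goertzel_power(samples, f) for f in LOW_GROUP})
    high = dominant_tone({f: goertzel_power(samples, f) for f in HIGH_GROUP})
    if low is None or high is None:
        return None
    return KEYPAD[LOW_GROUP.index(low)][HIGH_GROUP.index(high)]


def synth(freqs: Sequence[float], ms: int = 50, amp: float = 0.5,
          rate: int = SAMPLE_RATE) -> List[float]:
    """Constructed audio: the sum of the given sine tones, `ms` long."""
    n = int(rate * ms / 1000)
    return [sum(amp * math.sin(2 * math.pi * f * i / rate) for f in freqs) for i in range(n)]


def key_tone(key: str) -> List[float]:
    """Synthesize the tone pair for one keypad key."""
    for row, keys in enumerate(KEYPAD):
        col = keys.find(key)
        if col >= 0:
            return synth([LOW_GROUP[row], HIGH_GROUP[col]])
    raise ValueError(f"not a DTMF key: {key!r}")


if __name__ == "__main__":
    for k in "159D#":
        print(k, "->", decode_dtmf(key_tone(k)))
    print("single 697 Hz tone ->", decode_dtmf(synth([697])))   # no high-group tone: None
```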
Another alleged test is called REMOB which allows you to tap into lines by entering a special code followed by the 7 digit number you want to monitor. Then there is the possibility of mass conferencing. ACDs are becoming rare, though. You will probably have to make several NPA-555-1212 calls before you find one. You can modify regular fones quite readily so that they have a switch to change between the 3rd and 4th columns. This is called a silver box (aka grey box) and plans can be found in TAP as well as on many BBS's.

Transmitter/Receiver:
---------------------

When you talk into the transmitter, the sound waves from your voice cause a diaphragm to vibrate and press against the carbon granules (or another similar substance). This causes the carbon granules to compress and contract, thus changing the resistance of the DC coupled path through it. Therefore, your AC voice signal is superimposed over the DC current of the local loop. The receiver works in a similar fashion, where the simple types utilize a magnet, armature, & diaphragm.

Hybrid/Induction Coil:
----------------------

As you may have noticed, there are two wires for the receiver and two for the transmitter in the fone, yet the local loop consists of 2 wires instead of 4. This 4-wire to 2-wire conversion is done inside the fone by a device known as an induction coil which uses coupling transformers. All of the internal Telco trunks also use 4 wires. It is only the local loop that uses 2 since it is cheaper. A device in the CO known as a hybrid converts between 4 and 2 wire set-ups, similar to the induction coil inside the fone. Special data transmission lines require extremely low signal to noise ratios; they require the full four wires--two for transmission and two for receiving (even on the local loop).

Miscellaneous:
--------------

In the telephone, there is also a balancing network consisting of a few capacitors & resistors which provide sidetone.
Sidetone allows the caller to hear his own volume in the receiver. He can then adjust his voice accordingly. This prevents people from shouting or speaking too softly without noticing it.

Hold:

When a telephone goes off hook, the resistance drops below 2500 ohms. At this point, the Telco will send a dial tone. To put someone on hold you must put a 1000 ohm resistor (1 watt) across the Tip & Ring before it reaches the switchhook. In this way, when the fone is hung up (for hold) the resistance remains below 2500 ohms, which causes the CO to believe that you are still off-hook. You can build a simple hold device using the following pictorial diagram:

[Pictorial garbled in this copy: a 1000 ohm resistor in series with an SPST switch, connected between L1 (red) and L2 (green) ahead of the switchhook and ringing circuit; the pair continues "to rest of fone"]

This hold device is only effective if you also hang up the fone. To make a hold/mute switch, simply connect a wire in place of the 1K resistor to effect a short circuit (who cares if you damage CO equipment?).

Conclusion:
-----------

NOTE: Many of the electronics components of normal fones (K500) are enclosed in the network box (which shouldn't be opened). I have assumed that the reader has a basic knowledge of electronics. Also, I have assumed that you have read the 4 previous installments of this series (and hopefully enjoyed them). In part VI, we will take a look at fortress fones.

Suggested Further Reading:
--------------------------

Electronics Courses A-D, TAP, @ $.75 each.
Electronic Telephone Projects, A.J. Caristi, Howard Sams Books.
Everything You Always Wanted to Know About 1633 Hz Tones but Were Afraid to Ask, The Magician, TAP, issue #62.
Free BELL phone calls, TAP, Fact sheet #2, @ $.50.
Free GTE phone calls, TAP, Fact sheet #3, @ $.50.
How to Modify Your Bell Touch Tone Fone to Have 1633 Cycle Tones, TAP, Issue #63.
Modifying Your Phone For 1633 Hz (new electronic keypads), Fred Steinbeck, TAP, issue #84.
Notes on the Network, AT&T.
The Phone Book, J. Edgar Hyde.
Regulating The Telephone Company In Your Home, Ramparts Magazine, June 1972.
REMOBS, TAP #91 (not yet published as of this writing).
Understanding Telephone Electronics, Texas Instruments.

Acknowledgement: Big Brother for his technical critique, & other assorted sources...

TAP/Room 603/147 W 42 St./New York, NY 10036. Please specify by backissue #'s (not article names). All back-issues are $1 each. Subscriptions are $10/year (10 issues). Say that BIOC Agent 003 sent you.

Another good phreak publication: 2600/Box 752/Middle Island, NY 11953. Subscriptions are $10/year. Backissues are $1 each.

Excelsior,

*****BIOC                  (P) 1984 BIOC
*=$=*Agent                 International
*****003                   July 18, 1984

<<=-FARGO 4A-=>>
Knights of Shadow    [RACS III - xxx/xxx-xxxx]
                     [Sherwood Forest ][ - xxx/xxx-xxxx]

PS Sysops of other BBS's are welcome to use this phile on their board providing none of the information is altered.


*******BIOC Agent 003's course in******
*                                     *
*      ==========================     *
*      =BASIC TELECOMMUNICATIONS=     *
*      ==========================     *
*               Part VI               *
***************************************

REVISED: 27-OCT-84

Preface:

This article will focus primarily on the standard Western Electric single-slot coin telephone (aka fortress fone) which can be divided into 3 types:

- Dial-Tone First (DTF)
- Coin-First (CF): (ie, it wants your $ before you receive a dial tone)
- Dial Post-Pay Service (PP): you pay after the party answers

Depositing Coins (Slugs):
-------------------------

Once you have deposited your slug into a fortress, it is subjected to a gamut of tests. The first obstacle for a slug is the magnetic trap. This will stop any light-weight magnetic slugs and coins. If it passes this, the slug is then classified as a nickel, dime, or quarter. Each slug is then checked for appropriate size and weight.
If these tests are passed, it will then travel through a nickel, dime, or quarter magnet as appropriate. These magnets set up an eddy current effect which causes coins of the appropriate characteristics to slow down so they will follow the correct trajectory. If all goes well, the coin will follow the correct path (such as bouncing off of the nickel anvil) where it will hopefully fall into the narrow accepted coin channel. The rather elaborate tests that are performed as the coin travels down the coin chute will stop most slugs and other undesirable coins, such as pennies, which must then be retrieved using the coin release lever.

If the slug miraculously survives the gamut, it will then strike the appropriate totalizer arm, causing a ratchet wheel to rotate once for every 5-cent increment (eg, a quarter will cause it to rotate 5 times). The totalizer then causes the coin signal oscillator to read out a dual-frequency signal indicating the value deposited to ACTS (a computer) or the TSPS operator. These are the same tones used by phreaks in the infamous red boxes. For a quarter, 5 beep tones are outpulsed at 12-17 pulses per second (PPS). A dime causes 2 beep tones at 5-8.5 PPS while a nickel causes one beep tone at 5-8.5 PPS. A beep consists of 2 tones: 2200 + 1700 Hz. A relay in the fortress called the "B relay" (yes, there is also an 'A relay') places a capacitor across the speech circuit during totalizer read-out to prevent the "customer" from hearing the red box tones. In older 3 slot phones: one bell (1050-1100 Hz) for a nickel, two bells for a dime, and one gong (800 Hz) for a quarter are used instead of the modern dual-frequency tones.

=============
=TSPS & ACTS=
=============

While fortresses are connected to the CO of the area, all transactions are handled via the Traffic Service Position System (TSPS).
In areas that do not have ACTS, all calls that require operator assistance, such as calling card and collect, are automatically routed to a TSPS operator position. In an effort to automate fortress service, a computer system known as Automated Coin Toll Service (ACTS) has been implemented in many areas. ACTS listens to the red box signals from the fones and takes appropriate action. It is ACTS which says, "Two dollars please (pause) Please deposit two dollars for the next ten seconds" (and other variations). Also, if you talk for more than three minutes and then hang up, ACTS will call back and demand your money. ACTS is also responsible for Automated Calling Card Service.

ACTS also provides trouble diagnosis for craftspeople (repairmen specializing in fortresses). For example, there is a coin test which is great for tuning up red boxes. In many areas this test can be activated by dialing 09591230 at a fortress (thanks to Karl Marx for this information). Once activated it will request that you deposit various coins. It will then identify the coin and outpulse the appropriate red box signal. The coins are usually returned when you hang up. To make sure that there is actually money in the fone, the CO initiates a "ground test" at various times to determine if a coin is actually in the fone. This is why you must deposit at least a nickel in order to use a red box!

Green Boxes:
------------

Paying the initial rate in order to use a red box (on certain fortresses) left a sour taste in many red boxers' mouths, thus the GREEN BOX was invented. The green box generates useful tones such as COIN COLLECT, COIN RETURN, and RINGBACK. These are the tones that ACTS or the TSPS operator would send to the CO when appropriate. Unfortunately, the green box cannot be used at a fortress station, but it must be used by the CALLED party.
Here are the tones:

COIN COLLECT     700 + 1100 Hz
COIN RETURN     1100 + 1700 Hz
RINGBACK         700 + 1700 Hz

Before the called party sends any of these tones, an operator released signal should be sent to alert the MF detectors at the CO. This can be accomplished by sending 900 + 1500 Hz or a single 2600 Hz wink (90 ms) followed by a 60 ms gap and then the appropriate signal for at least 900 ms. Also, do not forget that the initial rate is collected shortly before the 3 minute period is up.

Incidentally, once the above MF tones for collecting and returning coins reach the CO, they are converted into an appropriate DC pulse (-130 volts for return & +130 volts for collect). This pulse is then sent down the tip to the fortress. This causes the coin relay to either return or collect the coins. The alleged "T-Network" takes advantage of this information. When a pulse for COIN COLLECT (+130 VDC) is sent down the line, it must be grounded somewhere. This is usually either the yellow or black wire. Thus, if the wires are exposed, these wires can be cut to prevent the pulse from being grounded. When the three minute initial period is almost up, make sure that the black & yellow wires are severed; then hang up, wait about 15 seconds in case of a second pulse, reconnect the wires, pick up the fone, hang up again, and if all goes well it should be "JACKPOT" time.

Physical Attack:
----------------

A typical fortress weighs roughly 50 lbs. with an empty coin box. Most of this is accounted for in the armor plating. Why all the security? Well, Bell attributes it to the following: "Social changes during the 1960's made the multislot coin station a prime target for: vandalism, strong arm robbery, fraud, and theft of service. This brought about the introduction of the more rugged single slot coin station and a new environment for coin service." As for picking the lock, I will quote Mr. Phelps: "We often fantasize about 'picking the lock' or 'getting a master key.' Well, you can forget about it.
I don't like to discourage people, but it will save you from wasting a lot of your time--time which can be put to better use (heh, heh)."

As for physical attack, the coin plate is secured on all four sides by hardened steel bolts which pass through two slots each. These bolts are in turn interlocked by the main lock. One phreak I know did manage to take one of the 'mothers' home (which was attached to a piece of plywood at a construction site; otherwise, the permanent ones are a bitch to detach from the wall!). It took him almost ten hours to open the coin box using a power drill, sledge hammers, and crow bars (which was empty -- perhaps next time, he will deposit a coin first to hear if it slushes down nicely or hits the empty bottom with a clunk.)

Taking the fone offers a higher margin of success, although this may be difficult, often requiring brute force, and there have been several cases of back axles being lost trying to take down a fone! A quick and dirty way to open the coin box is by using a shotgun. In Detroit, after ecologists cleaned out a municipal pond, they found 168 coin phones, rifled. In colder areas, such as Canada, some shrewd people tape up the fones using duct tape, pour in water, and come back the next day when the water will have frozen, thus expanding and cracking the fone open. In one case, "unauthorized coin collectors" were caught when they brought $6,000 in change to a bank and the bank became suspicious...

At any rate, the main lock is an eight level tumbler located on the right side of the coin box. This lock has 390,625 possible positions (5 ^ 8, since there are 8 tumblers each with 5 possible positions), thus it is highly pick resistant! The lock is held in place by 4 screws. If there is sufficient clearance to the right of the fone, it is conceivable to punch out the screws using the drilling pattern below (provided by Alexander Mundy in TAP #32):

[Drilling pattern diagram garbled in this copy; legend: (Z) keyhole, (+) screws]

After this is accomplished, the lock can be pushed backwards, disengaging the lock from the cover plate. The four bolts of the cover plate can then be retracted by turning the boltworks with a simple key in the shape of the hole on the coin plate (see diagram below). Of course, there are other methods and drilling patterns.

[Diagram of cover plate keyhole (roughly) garbled in this copy]

The top cover uses a similar (but not as strong) locking method with the keyhole depicted above on the top left side and a regular lock (probably tumbler also) on the top right-hand side. It is interesting to experiment with the coin chute and the fortress's own "red box" (which Bell didn't have the 'balls' to color red).

Miscellaneous:
--------------

In a few areas (rural & Canada), post-pay service exists. With this type of service, the mouthpiece is cut off until the caller deposits money when the called party answers. This also allows for free calls to weather and other DIAL-IT services! Recently, 2600 magazine announced the CLEAR BOX which consists of a telephone pickup coil and a small amp. It is based on the principle that the receiver is also a weak transmitter and that by amplifying your signal you can talk via the transmitter, thus avoiding costly telephone charges! Most fortresses are found in the 9xxx area. Under former Bell areas, they usually start at 98xx (right below the 99xx official series) and move downward. Since the line, not the fone, determines whether or not a deposit must be made, DTF & Charge-A-Call fones make great extensions! Finally, fortress fones allow for a new hobby--instruction plate collecting.
All that is required is a flat-head screwdriver and a pair of needle-nose pliers. Simply use the screwdriver to lift underneath the plate so that you can grab it with the pliers and yank downwards. I would suggest covering the tips of the pliers with electrical tape to prevent scratching. Ten cent plates are definitely becoming a "rarity!"

Fortress Security:
------------------

While a lonely fortress may seem the perfect target, beware! The Gestapo has been known to stake out fortresses for as long as 6 years according to the Grass Roots Quarterly. To avoid any problems, do not use the same fones repeatedly for boxing, calling cards, & other experiments. The telco knows how much money should be in the coin box and when it's not there they tend to get perturbed (read: pissed off).

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Disclaimer:
-----------

The preceding is intended for "information purposes only" and I do not advocate that you participate in any subversive activities...

Coming sooner or later:
-----------------------

Part VII will deal with blue boxing.

References/Suggested Reading:
-----------------------------

Various hard-to-find Bell System publications.
"Alternate Method of Opening the Fortress Phone Coin Box," Alexander Mundy, TAP #32.
"Build a T-Network for Fun & Profit," TAP #15.
"Coiners & Other Thieves," The Phone Book, J. Edgar Hyde, pp 88-91.
"Fortress Fun-ding," TAP #66.
"The Green & Brown Box," Ted Veil & Nick Haflinger, TAP #68.
"Introducing the Clear Box!," 2600, July 1984.
"More Fortress Fun," TAP #49.
"Notes on the Network," AT&T, 1980, [The definitive technical reference guide!].
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

2600: Box 752
      Middle Island, NY 11953
      Subscriptions: $10/year (published monthly)
      Last Issue (as of 10/27/84): October 1984

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

TAP: Room 603
     147 W 42 Street
     New York, NY 10036
     Subscriptions: $10/10 issues or so (published sporadically since 1971)
     Last Issue (as of 10/27/84): January/February 1984 [#90]

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

*****BIOC                  (p) 1984 BIOC
*=$=*Agent                 International, Ltd.
*****003                   October 6, 1984

<<=-FARGO 4A-=>>
[Sherwood Forest ][ - (xxx) xxx-xxxx]
[20 Megs On-Line]

PS Sysops of BBS's are welcome to use this material providing that nothing is altered.

PPS Any and all threats, comments, corrections, suggestions, & subpoenas are welcome.


*******BIOC Agent 003's course in******
*                                     *
*      ==========================     *
*      =BASIC TELECOMMUNICATIONS=     *
*      ==========================     *
*               Part VII              *
***************************************

Preface:

After most neophyte phreaks overcome their fascination with Metro codes and WATS extenders, they will usually seek to explore other avenues in the vast phone network. Often they will come across references such as "simply dial KP + 2130801050 + ST for the Alliance teleconferencing system in LA." Numbers such as the one above were intended to be used with a blue box; this article will explain the fundamental principles of the fine art of blue boxing.

Genesis:
--------

In the beginning, all long distance calls were connected manually by operators who passed on the called number verbally to other operators in series. This is because pulse (aka rotary) digits are created by causing breaks in the DC current (see Basic Telcom V). Since long distance calls require routing through various switching equipment and AC voice amplifiers, pulse dialing cannot be used to send the destination number to the end local office (CO).
Eventually, the demand for faster and more efficient long distance (LD) service caused Bell to make a multi-billion dollar decision. They had to create a signaling system that could be used on the LD Network. Basically, they had two options:

[1] To send all the signaling and supervisory information (ie, ON & OFF HOOK) over separate data links. This type of signaling is referred to as out-of-band signaling.

-or-

[2] To send all the signaling information along with the conversation using tones to represent digits. This type of signaling is referred to as in-band signaling.

They chose the second (cheaper) method -- IN-BAND signaling. They eventually regretted this, though (heh, heh)...

IN-BAND SIGNALING PRINCIPLES:
-----------------------------

When a subscriber dials a telephone number, whether in rotary or touch-tone (aka DTMF), the equipment in the CO interprets the digits and looks for a convenient trunk line to send the call on its way. In the case of a local call, it will probably be sent via an inter-office trunk; otherwise, it will be sent to a toll office (class 4 or higher -- see Telcom IV) to be processed. When trunks are not being used there is a 2600 Hz tone on the line; thus, to find a free trunk, the CO equipment simply checks for the presence of 2600 Hz. If it doesn't find a free trunk the customer will receive a re-order signal (120 IPM busy signal) or the "all circuits are busy..." message. If it does find a free trunk it "seizes" it -- removing the 2600 Hz. It then sends the called number or a special routing code to the other end or toll office. The tones it uses to send this information are called multi-frequency (MF) tones. An MF tone consists of two tones from a set of six master tones which are combined to produce 12 separate tones. You can sometimes hear these tones in the background when you make a call but they are usually filtered out so your delicate ears cannot hear them. These are NOT the same as touch-tones.
To notify the equipment at the far end of the trunk that it is about to receive routing information, the originating end first sends a Key Pulse (KP) tone. At the end of sending the digits, the originating end then sends a STart (ST) tone. Thus to call 914-359-1517, the equipment would send KP + 9143591517 + ST in MF tones. When the customer hangs up, 2600 Hz is once again sent to signify a disconnect to the distant end.

History:
--------

The November 1960 issue of The Bell System Technical Journal, available to most university libraries, happened to contain the actual MF tones used in signaling. They appeared as follows:

Digit     Tones
-----     -----
1          700 + 900 Hz
2          700 + 1100 Hz
3          900 + 1100 Hz
4          700 + 1300 Hz
5          900 + 1300 Hz
6         1100 + 1300 Hz
7          700 + 1500 Hz
8          900 + 1500 Hz
9         1100 + 1500 Hz
0         1300 + 1500 Hz
KP        1100 + 1700 Hz
ST        1500 + 1700 Hz
11 (*)     700 + 1700 Hz
12 (*)     900 + 1700 Hz
KP2 (*)   1300 + 1700 Hz

(*) Used only on CCITT SYSTEM 5 for special international calling.

Bell caught wind of blue boxing in 1961 when it caught a Washington state college student using one. They originally found out about blue boxes through police raids and informants. In 1964, Bell Labs came up with scanning equipment, which recorded all suspicious calls, to detect blue box usage. These units were installed in CO's where major toll fraud existed. AT&T Security would then listen to the tapes to see if any toll fraud was actually committed. Over 200 convictions resulted from the project. Surprisingly enough, blue boxing is not solely limited to the electronics enthusiast; AT&T has caught businessmen, film stars, doctors, lawyers, college students, high school students and even a millionaire financier (Bernard Cornfeld) using the device. AT&T also said that nearly half of those that they catch are businessmen. Of course, phone phreaks have achieved an almost cult status. They have also had their fair share of media.
In October 1971, Esquire published the infamous "Secrets of the Little Blue Box" article which featured phreaks such as Captain Crunch, who took his name from the cereal which once gave away whistles that produced a perfect 2600 Hz pitch, and Joe Engressia, one of the first and oldest phreaks. Others such as Apple computer co-founders Steve Wozniak & Steve Jobs have also had blue box backgrounds. 1971 also saw the publication of the first issue of YIPL, the phone phreak newsletter (now TAP), under the editorship of supreme yippie Abbie Hoffman.

Usage:
------

To use a blue box, one would usually make a free call to any 800 number or distant directory assistance (NPA-555-1212). This, of course, is legitimate. When the call is answered, one would then swiftly press the button that would send 2600 Hz down the line. This has the effect of making the distant CO equipment think that the call was terminated and it leaves the trunk hanging. Now, the user has about 10 seconds to enter in the telephone number he wishes to dial -- in MF, that is. The CO equipment merely assumes that this came from another office and it will happily process the call. Since there are no records (except on toll fraud detection devices!) of these MF tones, the user is not billed for the call. When the user hangs up, the CO equipment simply records that he hung up on a free call.

DETECTION:
----------

Bell has had 20 years to work on detection devices; therefore, in this day and age, they are rather well refined. Basically, the detection device will look for the presence of 2600 Hz where it does not belong. It then records the calling number and all activity after the 2600 Hz. If you happen to be at a fortress fone, though, and you make the call short, your chances of getting caught are significantly reduced (see Telcom VI). Incidentally, there have been rumors of certain test numbers (see Telcom II) that hook directly into trunks, thus avoiding the need for 2600 Hz and detection!
Another way that Bell catches boxers is to examine the CAMA (Centralized Automatic Message Accounting) tapes. When you make a call, your number, the called number, and time of day are all recorded. The same thing happens [...] purposes. Normally, all free calls are ignored. But Bell can program the billing equipment to make note of lengthy calls to directory assistance. They can then put a pen register (aka DNR) on the line or an actual full-blown tap. This detection can be avoided by making short-haul (aka local) calls to box off of. It is interesting to note that NPA+555-1212 originally did not return answer supervision. Thus the calls were not recorded on the AMA/CAMA tapes. AT&T changed this, though, for "traffic studies!"

CCIS:
-----

Besides detection devices, Bell has begun to gradually redesign the network using out-of-band signaling. This is known as Common Channel Inter-office Signaling (CCIS). Since this signaling method sends all the signaling information over separate data lines, blue boxing is impossible under it. While being implemented gradually, this multi-billion dollar project is still strangling the fine art of blue boxing. Of course, until the project is totally complete, boxing will still be possible. It will become progressively harder to find places to box off of, though. In areas with CCIS, one must find a directory assistance office that doesn't have CCIS yet. Area codes in Canada and predominantly rural states are the best bets. WATS numbers terminating in non-CCIS cities are also good prospects.

Pink Noise:
-----------

Another way that may help to avoid detection is to add some "pink noise" to the 2600 Hz tone. Since 2600 Hz tones can be simulated in speech, the detection equipment must be careful not to misinterpret speech as a disconnect signal. Thus a virtually pure 2600 Hz tone is required for disconnect.
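The two detection approaches described above (a detector that trips on 2600 Hz where it does not belong and records everything after it, and review of the AMA/CAMA tapes for lengthy free calls) are modelled in this added Python example. It is not the article's code and not Bell's equipment; the call-event log, the purity threshold and the 600 second review threshold are constructed assumptions.

```python
"""Toll-fraud detection heuristics from the text, run over a constructed
call-event log.

Added example, not part of the original article and not Bell's equipment.
Two checks are modelled:
  1. 2600 Hz where it does not belong: a near-pure 2600 Hz burst from the
     subscriber side after the far end has answered. Speech and music can
     graze 2600 Hz (the highest E on a piano is 2637 Hz), so only tones
     above a purity threshold trip the rule, and everything after the trip
     is attached to the alert, as the text says the detectors recorded.
  2. Billing-tape (AMA/CAMA) review: free calls (800 numbers, NPA-555-1212)
     that run longer than a review threshold are noted for follow-up.
Log format, purity threshold and durations are this example's assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PURITY_MIN = 0.9          # assumed: share of energy at 2600 Hz needed to count as a pure tone
LONG_FREE_CALL_S = 600.0  # assumed: free calls longer than this are flagged for review


@dataclass
class Event:
    t: float                 # seconds since the start of the log
    call_id: str
    kind: str                # offhook, dialed, answer, tone, mf, onhook
    source: str = ""         # "sub" (subscriber side) or "net" (network side)
    number: str = ""         # dialed digits, or MF string for kind == "mf"
    freq: float = 0.0        # tone frequency in Hz (kind == "tone")
    purity: float = 0.0      # 0..1, how much of the tone's energy sits at freq


@dataclass
class Alert:
    call_id: str
    rule: str
    detail: str
    activity_after: List[str] = field(default_factory=list)


def is_free_number(number: str) -> bool:
    """800 service and directory assistance are not billed to the caller."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits.startswith("800") or digits.endswith("5551212")


def detect(events: List[Event]) -> List[Alert]:
    alerts: List[Alert] = []
    by_call: Dict[str, List[Event]] = {}
    for ev in events:
        by_call.setdefault(ev.call_id, []).append(ev)

    for call_id, evs in by_call.items():
        evs.sort(key=lambda e: e.t)
        dialed = ""
        answered_at: Optional[float] = None
        tripped: Optional[Alert] = None
        for ev in evs:
            if tripped is not None:            # rule 1 tripped: record all later activity
                tripped.activity_after.append(f"{ev.t:.1f}s {ev.kind} {ev.number}".rstrip())
            elif ev.kind == "dialed":
                dialed = ev.number
            elif ev.kind == "answer":
                answered_at = ev.t
            elif (ev.kind == "tone" and ev.source == "sub" and answered_at is not None
                  and abs(ev.freq - 2600.0) <= 20.0 and ev.purity >= PURITY_MIN):
                tripped = Alert(call_id, "2600-after-answer",
                                f"pure 2600 Hz from subscriber {ev.t - answered_at:.1f}s "
                                f"after answer on a call to {dialed}")
                alerts.append(tripped)

        # rule 2: billing-tape review of lengthy free calls
        start = next((e.t for e in evs if e.kind == "offhook"), None)
        end = next((e.t for e in evs if e.kind == "onhook"), None)
        if (start is not None and end is not None and is_free_number(dialed)
                and end - start > LONG_FREE_CALL_S):
            alerts.append(Alert(call_id, "long-free-call",
                                f"{end - start:.0f}s free call to {dialed}"))
    return alerts


# Constructed log. Numbers use the fictional 555-01xx range; the MF string is a placeholder.
SAMPLE_LOG = [
    Event(0.0, "A", "offhook", "sub"),
    Event(1.5, "A", "dialed", "sub", number="914-555-1212"),
    Event(6.0, "A", "answer", "net"),
    Event(9.0, "A", "tone", "sub", freq=2600.0, purity=0.97),   # pure tone after answer
    Event(11.0, "A", "mf", "sub", number="KP+NPA-NNX-XXXX+ST"),
    Event(420.0, "A", "onhook", "sub"),
    Event(30.0, "B", "offhook", "sub"),
    Event(32.0, "B", "dialed", "sub", number="212-555-0100"),
    Event(40.0, "B", "answer", "net"),
    Event(95.0, "B", "tone", "sub", freq=2610.0, purity=0.35),  # sung note, not a pure tone
    Event(300.0, "B", "onhook", "sub"),
    Event(500.0, "C", "offhook", "sub"),
    Event(502.0, "C", "dialed", "sub", number="800-555-0199"),
    Event(508.0, "C", "answer", "net"),
    Event(1400.0, "C", "onhook", "sub"),                          # 900 s on a free number
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert.call_id, alert.rule, alert.detail, alert.activity_after)
```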
Keeping this in mind, the 2600 Hz detection equipment is also probably looking for pure 2600 Hz, or else it would be triggered every time someone hit that note (highest E on a piano = 2637 Hz). This is also the reason that the 2600 Hz tone must be sent rapidly; sometimes, it wend some "pink noise" along with the 2600 Hz. Most of this energy should be Hz. The pink noise won't make it into the toll network (where we want our pure 2600 Hz to hit), but it should make it past the local CO and thus the fraud detectors.

CONSTRUCTION:
-------------
While step-by-step details for the construction of a blue box are beyond the scope of this tutorial, it is worthwhile to mention some of the details. First, there are some alternatives, but they are not as good as an actual blue box. Many computers are capable of generating MF tones. Thus, your local phriendly software pirate should have a program compatible with your computer. However, it is highly advisable not to box from home, as stated in The Ten Commandments (as interpreted for phreaks by Fred Steinbeck -- TAP #86):

I. Box thou not over thine home telephone wires, for those who doest must surely bring the full wrath of the Chief Special Agent down upon thy heads.

Another alternative that has a moderate success rate involves recording the tones from a phriend with a box or computer onto a cassette tape. They can then be used at a fortress.

As for actual construction techniques, TAP has devoted many issues to blue boxing. Basically, a blue box is merely a device capable of generating two different tones simultaneously. There are two basic construction methods that I will outline below for the electronics hobbyist. The first involves the use of two 555 timer chips (or a 556 -- i.e., two 555's in one chip). It offers excellent frequency and voltage stability. Also, it does not need a diode matrix keypad but uses double-pole switches instead. Schematics for this type of box can be found in TAP issue #29.
The other common box makes use of two Intersil 8038CC Function Generators. It also requires a diode matrix keypad, potentiometers, an LM-100 voltage regulator, a 741 op-amp, and a handful of other parts. The schematics forgns draw about 20 mA of current. Also, most blue boxes use telephone earpieces (with the varistor removed) for speakers. These can be easily liberated from fortress fones with a small coping saw. Usually, the hardest part about building a blue box is the calibration. A frequency counter is a must and an oscilloscope won't hurt.

Some boxes also take timing into account. It is feasible on the ESS systems that they check to see if the digits are of uniform length. If they aren't, they are probably from a blue box and a trouble card may be dropped. With this in mind, the Bell standard for MF pulses and interdigit intervals is around 75 ms. It varies with the equipment used, since ESS can handle higher speeds and doesn't need interdigit intervals.

APPLICATIONS:
-------------
Besides dialing normal calls free, i.e., KP+NPA+NNX+XXXX+ST, blue boxes offer the entire network for exploration. Emergency break-ins, service monitoring (aka taps), stacking tandems (the art of busying out all trunks between two points), re-routing calls, conference calls, and much, much more are all feasible. Bell frequently changes these codes because of phreaks, though. Here are some standard ones:

OPERATOR & OTHER CODES:
-----------------------
(An optional NPA may precede all of the numbers; otherwise, you will reach the one local to the area where the call originates.)

001 -- Trunk Access System
009 -- Rate Quote System
101 -- toll office test board
121 -- INWARD Operator
       This operator assists the local "0" operator in completing calls. (S)he will do virtually anything for you providing it is within her NPA.
131 -- Operator Directory Assistance
141 -- Route & Rate (141 defunct -- use KP + 800 + 141 + 1212 + ST)
       These operators are very useful if you know how to mumble a few cryptic phrases, as compiled below (with thanks to Fred Steinbeck):

       To find out... te, please." The R&R operator will tell you "305 plus," meaning that 305 plus the seven digit number will get you Miami.

       ... Inward Operator City Codes
       Usually, the inward operator for an area is simply KP + NPA + 121 + ST. In some area codes, though, there are several large cities and thus several inwards. To find the inward for a specific city, you would say "916 756, operator route, please" to the R&R operator, who will then tell you "916 plus 001 plus." This means that KP + 916 + 001 + 121 + ST will get you an inward for Sacramento, CA (916-756).

       ... City names
       If you want to know the city that corresponds to an area code and exchange, you simply tell the R&R, "Place name, 914 390, please." In this example, the R&R operator will respond with "White Plains, NY."

       ... International Directory Assistance
       If you need a directory route for London, you could say "International, London, England. TSPS directory route, please." The R&R operator will respond with "Directory to London, England. Country code 44 plus 1 plus 986 plus 3611." Therefore, to get a DA operator in London, you would route yourself to an international sender and KP + 04419863611 + ST.

       ... Country & City codes
       If you need to know the country and city code for an international number, you can say "International, Sydney, Australia, TSPS numbers route, please" and get "Country code 61 plus 2."

       ... International Inwards Routes
       To get routing codes for international inwards, say "International, London, England, TSPS inward route, please." The R&R Operator will respond with "Country code 44 plus 121."

       Finally, to get language assistance for completing a foreign call, you can tell the foreign inward, "United States calling.
       Language assistance in completing a call to (called party) at (called number)."

151 -- overseas incoming (212+ & 914+)
160-XX0 -- Various Overseas Operators
161 -- trouble reporting operatothree digits to create a pseudo-country code with extra zeros if necessary. For example, England, country code 44, becomes 044.

To see which international sender a certain country (let's use French Guiana, country code 594, for example) goes through, you can dial KP + 011 + 594 + ST, wait for the Proceed to Send tone, then KP + 000 + 0000 + ST, and you will receive a recording saying which ISC (International Switching Center) it is.

(file ends here...will get rest soon.)