TUCoPS :: Phreaking General Information :: phreak3.txt

Phreaking #3


            Brought to you by: The World of Cryton  [414] 246-3965
              Formatted for 80 colunms - Use your damn printer !

This is the tone matrix for a box which generates tones that operators
use to dial. Rotary works as well, on operator lines, but this is
technological (!). Now I agree with the opinion of a well known phreak
that 'boxing' is/will be for the most part dead, but this is
tradition... First, you dial dir.asst, or an oper. Etc , then you blast
the line with a 2600hz tone. This gives you the line, this is also how
Ma Bell tracks down blue boxers... There are 2600hz detectors systems,
and even on old #4 crossbars... Once on a oper.trunk line, you use your
Blue box/rotary to dial...

So, if you use 2600hz, which is necessary, unless you are *very*
careful, you will be snagged.

Finally, this is what you read! So long and hard for:

700   :   1   :   2   :   4 :   7   : 11   :
900   :   +   :   3   :   5 :   8   : 12   :
1100  :   +   :   +   :   6 :   9   : kp   :
1300  :   +   :   +   :   + :  10   : kp2  :
1500  :   +   :   +   :   + :   +   : st   :
      : 700  :  900  : 1100  : 1300 : 1500 :

Use KP to start a call, and ST to stop, with the beloved 2600hz tone to
disconnect. I also hear that 2600hz resets Sprint nodes and gives you
their initial tone..

Now, if you're wondering about what to call from an operator trunk, here
are some goodies to help you out:

XXX+101 - Toll switching
XXX+121 - Local operator
XXX+131 - Information
XXX+141 - Rate & route
XXX+181 - Coin refund operator
XXX+11501 - Mobile operator
XXX+11521 - Mobile operator
XXX+11511 - Conference operator

These work with rotary or operators tones, but only on oper.

                             Blue boxing - Part II

     While reading the fine article on the blue box I saw that there a
lot of data left out of the document. I hope this a DDS, in some small
way, to the information.

     First the tones. While all the information is correct, the timing
specs were not included. The tone pairs are to remain on for 1/10 sec.
With 1/10 sec. Of slience between digits. The 'KP' tones should be sent
for 2/10 sec. A way to defeat the 2600hz traps is to send along with the
2600hz some pink noise (most of the energy in this signal should be
above 3000hz, this side won't make it over the toll network, but should
carry as far as your local toll center) so that the traps won't find
'pure' 2600hz on the trunk. This Is not a perfectly safe way to box, but
it should slow down the discovery.

     As to use, the first thing you need to understand is that there are
two (2) types of toll completing trunk, inward and outward. The names
are reference to the office that is switching the call (the toll center
that serves the wats line you called) and each type of trunk has a
different class of service. From an inward toll completing trunk, you
can reach the different service operators, the toll test board, and the
inward operator. Some offices also allow remote testing and it is in
these offices that you can access the outward toll completing trunks.
The outward trunks allow you to make verification (emergency) calls, do
service monitoring (tapping), stack trunks (busy out all trunks between
LA and NYC), enable and disable TSPS positions, and in some cases (on
some 4A's) issue temporary rerouting instructions (send all calls from
LA to NYC via Miami, Boston, or any other class 5 office or offices).
Both type of trunk allow you to place a 'standard' call with a box.

     In some offices, mostly the small ones with a toll test board that
is unattended at night and on weekends, you change to an outward toll
completing trunk as well as performing other test and routing functions.
You do this by using three digit codes that are invalid exchanges (not
of the pattern NNX [see note 1]). During the sixites the codes used were
fairly standard and consistent, however when the boxes became popular
and the phreaks started doing things like routing all calls from Dallas
to Ft. Worth via Washtngton DC, Mother started changing the test codes
on a random (as far as I know ) basis. What I would suggest is that
everybody interested in doing this sort of thing pick out a nice quiet
little office somewhere and work on discovering the codes acceptable to
that office. Numbering Plan Area (NPA, also known as area code) has an
office designated as its master office. This office controls all of the
other toll offices in the area as well as serving as a concentration
point for most out of area calls. To access the services of a non master
office you need its 'city  code', this is a three (3) digit code that is
of the form 0XX, and is sent after the area code [see note 2 ]. As an
example, the 'city code' for Canton, OH. Is 042; thus to reach the
inward operator in Canton, you would send 'KP-216-042-121-S' where as if
you wanted the inward operator in Cleveland, you would send
'KP-216-121-S'. The reason this is necessary is that the operator in
Cleveland can't verify a number in Canton, so if you want to verify
someone in Canton you need the city code. Also, most area master offices
have dedicated data trunks to the network control center and thus don't
accept test and rerouting commands over the switched network. In
conclusion, the switching network will do a lot more for you then
connect you to people and the small offices that require a 'city code'
are the type of office to try to break.

                       Nickie Haflinger, The Coven.



     Note 1: The normal format for telephone numbers is as follows:
NYN/NNX-XXXX.  Where N=any digit except 1 and 0; Y=0 or 1, and X=any
digit. Yes I know that in some area codes the NNX format has changed to
NXX.  This is a new occurrence and only occur where there has be an
outrageous population increase in the last few years and all of the
funny exchanges are connected directly to master offices and thus don't
conflict with the 'city code' format

     Note 2: You can obtain the 'city code' for a number by calling rate
and route and asking for the 'numbers route' to NYN/NNX (IE. 914/725).
Or if you leave me a message with the area code and first three of a
number, I will get you the 'city code'.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH