Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Phreaking Technical System Info :: 9x_sglng.txt

Signaling Methods by: Khelbin

STATION ID - 7047/3.12

9x Datakit Network

This is a 9x system, restricted to authorized persons and for
official 9x business only. Anyone using this system, network or data
is subject to being monitored at any time for system administration and
for identifying unauthorized users or system misuse. Anyone using this
system expressly consents to such monitoring and is advised that any
evidence of criminal activity revealed through such monitoring may be
provided to law enforcement for prosecution.

Credit Where Credit is Due

Before I begin I would like to give credit to my sources Harry Newton,
Travis Russell, Jared Hall, and the Internet. This file would not be 
here without them. 

                     |      SIGNALING METHODS      |
                     |         By: Khelbin         |
                     |  Email:  |

This file is an introduction to different signaling methods which have
been, and are, utilized today. In no way is it a complete guide to such 
methods however, it should be a great place to start. 

All phone systems need signaling. Signaling has three basic functions.

SUPERVISING. This is basically just the telco monitoring the status of
~~~~~~~~~~~  your line (or circuit). This is done to see if your line
is busy, idle, requesting service, etc. The term "supervision" was
originally given to the job that operators performed by manually 
monitoring circuits on a switchboard (we've all seen ancient black and white 
film of operators doing this back in the early/mid 1900's). On the 
switchboards, supervisory signals were shown by a lit/unlit diode indicating 
the lines status. Obviously more sophisticated methods are in use today.

*Info* - If you're in a hotel, use an unknown long distance carrier, or are 
         in an area that has a very old phone system (some 3rd-world country)
         do *not* give your friend a chance to answer and do *not* let the
         phone ring at least ten times. The reason being supervision. Some 
         older systems still in use by most hotels or terribly out of date 
         long distance carriers will not recognize answer supervision and 
         cannot tell when the called party goes off-hook (answers the phone). 
         They bill you in this manner..."He's dialed a number and been off-
         hook for over 8 seconds.. he must have connected... start billing." 
         This is obviously inaccurate but they don't mind.

ADDRESSING. Transmitting routing and destination signals over the 
~~~~~~~~~~  telecommunications network. Addressing signals can be in
the form of dial pulses, tone pulses, or data pulses over loops, trunks,
and signaling networks. 
 1. Address - The destination of a message sent through a communications
              system. A phone number itself is considered to be an address
              of the called party.

ALERTING. Alerting is what indicates the arrival of an incoming call to
~~~~~~~~  the called party. The first form of alerting was simply a 
speaker in which the caller would have to yell for someone to pick up the
fone. Today alerting is done through tones, bells, buzzers, flashing 
lights, etc.


 1. DC Signaling / E&M Signaling / CX/DX Signaling
 2. In-Band Signaling
 3. Out-of-Band Signaling
 4. Digital Signaling / Robbed-Bit Signaling
 5. Common Channel (Interoffice) Signaling / Signaling System 7
 6. Start Dial Supervision Signaling
 7. The Future of Signaling 
 8. Terms


DC (Direct Current) --An electric current flowing in one direction only
                      and substantially constant value.
                      The flow of free electrons in one direction within an
                      electrical conductor, such as wire.

As the name states, DC signaling relies upon direct current to signal 
distant offices. An example of DC signaling is in Plain Old Telephone 
Service (POTS) where is it used in signaling between the subscriber and 
the local end office. 

  POTS: Plain Old Telephone Service. The basic service supplying standard
        single line telephones, telephone lines, and access to the public
        switched network. No additional features and nothing fancy. You 
        can receive/place calls. That's it. No (Custom) Local Area Signaling 
        Services (C/LASS) or anything like that. 
         1. Public Switched Network - This term generally refers to the 
                                      public telephone network but can be
                                      used in refering to other switched

With some terminology out of the way, I will continue with the POTS example
expressed above. When a subscriber lifts up the handset, DC from the CO 
begins to flow through the telephone and back to the CO. The CO switch
has a DC detector and knows that a connection is being requested.

The CO notices your request for service and responds by seizing a line/trunk
for you and sending dialtone. This signals you to begin dialing. Once the 
number is dialed and thendecoded by the CO switch, the switch determines how 
to route your call in order to connect to the destination in which you have 
requested. A circuit must be connected between every telco office involved in 
the call. Each one of these circuits must remain connected until either party 
hangs up.

When the circuits are all connected (all the way up to the called parties
CO), 80-90V AC at 20Hz is sent from their CO out to their telephone line.
This refered to as generator and is what activates the ringer inside the
telephone. Simultaneuosly, the distant telco switch is sending ringback
to the originator of the call, alerting him that the phone is ringing.
If the called party answers the phone,  the ringback tone is broken and
the circuits then carry the voice.

If the called party is busy, the same circuits are used so that the far
end office (the distant CO of the called party) can send a busy signal
back to the caller. Thus, the circuits cannot be used for other calls
and are being tied up by the busy signal.


 1. Signaling is limited to seizing circuits, disconnect, and call 
 2. DC signaling uses the voice trunk so the trunks are kept busy even 
    when the two parties are never connected.
 3. The phone number of the originator cannot be sent to the called party
    without long delays in setup.
 4. Highly limited in that there is a limitation as to the number of states 
    which can be represented by voltage and current.

DC Signaling - A collection of ways of transmitting communications signals
               using direct current. DC signaling is only used on cable
               (no, not as in the cable company! in not wireless).


E&M signaling is another form of DC signaling. Trunks under this form of
signaling utilize a separate pair of wires for signaling and supervisory
purposes. These wires are labeled "E" and "M" for "ear" and "mouth" (this 
may or may not be what the letters originally stood for but this is often 
used in describing their functions). The Ear lead is used for receiving 
ground or battery conditions to the signaling equipment. Contrast with the
M lead which transmits ground or battery conditions to the signaling 

The "M" lead of the near end is connected to the "E" lead of the far end and
vice versa ("end" meaning switch). The "M" lead of the near end is used to 
send -48 VDC (Volts DC) to the distant switch's E lead. When the distant 
switch detects current on its E lead, it closes a relay contact and allows 
the current to flow back to the sending switch through its M lead.

When the sending switch detects the current flow on its E lead, the 
connection is considered established and transmission can begin on the 
separate voice pairs. This type of trunk is often used between two PBXs, and 
is often referred to as tie lines.

E&M signaling provides full time, two way, two level supervision.

E&M Types
There are different types of E & M interfaces. Jared Hall, a WAN consultant, 
has written the following "type" information regarding E & M signaling.

Type 1 Signaling
   In the Type 1 interface, battery is provided to the transmission
   equipment on both the E and M leads. NOTE THAT THE VOLTAGE MEASURED ON
   This interface causes high return current through the grounding
   system. This can even cause problems between two floors of a building
   if the amount of return current is high enough. This asymmetrical
   signaling scheme is thought to be a potential source of interference.

Type 5 (Type V) Signaling
   In the Type 5 interface, both the switch and the transmission
   equipment supply battery. While this interface does not provide
   isolation between power systems, there is minimal (or none) return
   currents in this symmetrical signaling scheme. THIS IS THE MOST

Type 2 (Type II) Signaling

   The Type 2 interface provides almost complete isolation of signaling
   power systems. Along with Type 4 signaling, this interface is LEAST
   LIKELY to cause interference problems in sensitive environments. IT IS
Type 3 (Type III) Signaling
   Type 3 signaling is very similar to Type 1, except that the battery
   and ground source for the M-Lead is supplied by the facility
   (transmission equipment). Complete power isolation is provided with
   the M-Lead and the facility can establish and control the amount of
   E-Lead current. There is no evidence that Type 3's unbalanced E-Lead
   has caused any interference problems.
   This interface is the most widely used in 1/1AESS, 2/2BESS, and 3ESS
   One drawback of this interface is the inability to operate in a
   "back-to-back" configuration.

Type 4 (Type IV) Signaling
   The Type 4 interface appears similar to Type 2, with the difference in
   the operation of the M-Lead. In Type 2, the M-Lead states are
   OPEN/BATTERY, while for Type 4, the states are GROUND/OPEN. With Type
   4, there are no expected fault currents for the M/SB leads. Type 4 is
   therefore a little bit easier to interface with since accidental
   shorting (during cable wiring, etc.) of the SB lead will not cause
   excessive current flow.
   A Type 4 interface can interconnect to a Type 2 device. Additionally,
   the interface can operate in a "back-to-back" configuration.
   The only drawback for using Type 4 signaling is that it is difficult
   to obtain test and supporting equipment for the interface (difficult
   for an external monitor to distinguish between OPEN/GROUND).

Type SSDC5 Signaling (British Telecom)
   This interface is very similar to Type 5, and can usually be tested
   using equipment that can support the Type 5 interface. THIS IS WIDELY


CX signaling is a DC signaling system that separates the signal from the
voice band. It accomplishes this by filters and is also referred to as 
Composite Signaling. Composite signaling provides DC signaling beyond the
range of conventional loop signaling. It still permits simultaneous two-
way signaling (duplex).

DX signaling is also a form of DC signaling. In DX signaling, the 
differences in voltage on two pairs of a four-wire trunk trunk indicate
the supervision information. DX, or Duplex Signaling, transmits signaling
directly onto the cable pair. The two signaling circuit leads use the
same cable pair as the voice circuit and no filter is needed to separate
control information and voice transmission.


In-band signaling utilizes tones instead of DC current. The tones may be 
Single Frequency (SF), Multi-Frequency (MF), or Dual-Tone Multi-Frequency
(DTMF). The tones are transmitted with the voice and thus, must be within
the voice band of 0 to 4 kHz. Signal delays are used to prevent the 
possibility of voice frequencies duplicating these tones however, it is not 
100% effective (especially if one is trying to duplicate them).

SF signaling is used for interoffice trunks. On-hook (idle line) or off-hook
(busy line) are the two possible states that exist. To keep a connection, no
tone is sent while the circuit is up. When either party hangs up, a 
disconnect is signalled to all interconnecting offices by sending a tone of
2.6 kHz over the circuit. Detectors at each end of the circuits detect the 
tone and drop the circuit.

SF signaling is the most popular of all in-band techniques and is still used
today in parts of the telephone network. With the advent of Signaling System 
7 (SS7), it is no longer needed and is being phased out.

Here are Mr. Jared Hall's notes on SF signaling.

   SF (Single Frequency) signaling systems are designed for transport
   over all 4-wire analog systems, and where metallic interconnection is
   not possible (e.g. Wideband FDM microwave systems). SF signaling is a
   type of 'Inband' signaling scheme, where all information is
   transmitted in the voice band.
   In these SF systems, a frequency of 2600 Hz or 2280 Hz is used for
   signaling. When in an on-hook state, a 2600 Hz (US) or 2280 Hz (UK)
   tone is transmitted to the remote site. When in an off-hook state, the
   2600/2280 Hz tone is dropped. The 2280 Hz SF signaling is used in
   British Telecom's SSAC15 signaling specification.
   These tones are transmitted at either HIGH or LOW ranges, although the
   Low Level tones (-20 dBM0) are typically implemented:
   Note that there are some 2-wire SF systems that typically operate
   using different transmit and receive frequencies. Also, SF units are
   available for FXS (Ground/Loop Start), FXO, and E&M signaling systems.
   SF units can pass dial pulse address signaling at speeds from 8 to 12
   PPS with 56 to 69 percent break.
   The receiver can detect the SF tone in the range of -1 to -31 dBm0. 
MF is quite similar to DTMF and it's used to send dialed digits through the
telephone network to the destination end office.  Because voice transmission
is blocked until a connection to the called party is established, their is
no need for mechanisms that prevent the possibility of voice imitating 
signaling tones. MF is also an interoffice signaling method used to send
the dialed digits from the near end office to the destination end office.

C5, R1, and R2 signaling protocols all utilize in-band signaling. C5 is 
the most commonly abused system by the bluebox.

For the most part, AC signaling and in-band signaling can be used as 
synonyms. In-band signaling uses AC signals and AC signaling is an in-band
technique that uses AC signals. Pretty much synonymous.

In-Band Signaling - Signaling made up of tones which pass within the voice
                    frequency band and are carried along the same circuit
                    as the talk path that is being established by the 
                    signals. Most of the signaling is MF.

*Info* - UUI (User to User Information - ANI is UUI) is passed along the D
         channel of an ISDN line. We all have heard this. One might think 
         that unless you have an ISDN link, that you cannot have ANI. Wrong.
         While most long distance companies provide ANI via the D channel in
         a PRI ISDN loop, some still provide this information through in-band
         signaling. ANI has been around longer than ISDN has.


The original out-of-band signaling was never as popular or widespread as 
in-band signaling and is of little use today. Out-of-band signaling was 
designed for analog carrier systems which do not use the full 4 kHz voice 
bandwidth. Instead, they use up to 3.5 kHz and can send "out-of-band" tones 
in the 3.7 kHz band and not worry about false signaling.

Since the signaling tones and voice were separated, people have changed the
meaning of "out-of-band" signaling to mean *any* type of signaling which
has the signaling separate from the information (such as in Common Channel
Signaling System 7 [ CCS/SS7 ] ) no matter what the information may be
(voice, data, video, etc) and no matter how it is accomplished.

Originally, it would not have been correct to call CCS a form of "out-of-
band" signaling however, out-of-band signaling has been broadened to mean
that the signalig information is separate from the voice. It even appears in 
dictionaries and Bellcore definitions this way. 

|                          | Signaling System  |CCITT | CCITT |CCITT | CCITT |
|         FEATURE          |-------------------|  R1  |  R1   |  R2  |  R2   |
|                          |# 3|# 4|# 5|# 6|# 7|Analog|Digital|Analog|Digital|
|Inband Signaling          | X | X | X | - | - |  X   |   -   |  X   |   -   |
|Outband Signaling         | - | - | - | - | - |  -   |   -   |  X   |   -   |
|Common Channel Signaling  | - | - | - | X | X |  -   |   -   |  -   |   -   |
|Digital Transmission      | - | - | - | X | X |  -   |   X   |  -   |   X   |
|MF                        | - | - | X | - | - |  X   |   X   |  X   |   X   |
|Operation over Satellites | - | - | X | X | X |  X   |   X   |  -   |   -   |

As you can see (chart defined by the CCITT), SS6 and SS7 do not support out-
of-band signaling (only R2 analog does). They *do* support CCS however, which 
technically and historically is different. This barrier has since been 


Digital trunks are becoming more popular so you'd think that digital 
signaling would also become more popular. It's here at least. That's about
how popular it has gotten. CCS/SS7 has kept digital signaling quiet (and 
all other new forms of signaling as of late) and digital signaling also has

A technique I find pretty neat in digital trunks (like the T1/DS1) is 
signaling bits. A signaling bit can be inserted into the voice bit stream. 
This is sometimes refered to as "robbed-bit signaling" because one voice bit 
is robbed. The voice quality does not suffer from only one bit being robbed
and it is undetectable by the human ear. Robbed-bit signaling is considered 
to be "in-band" since the signaling and voice are sent together. 

A T-1 (DS1) circuit typically uses two signaling bits known as the "A" and 
"B" bits. A and B bits are sent by each side of a DS1 termination and mixed
on with the voice (switched 56 utilizes robbed-bit signaling). Sometimes, 
4 signaling bits are used (labeled A, B, C, and D bits). 

Again, there are limitations in robbed-bit signaling. Since only so many
bits can be robbed before the voice quality goes down, only so many 
signaling states can exist. Signaling is limited to pulse and DTMF dialing,
hang-up, ringing, and wink.

  WINK - A signal sent between two devices as part of a hand-shaking 
         protocol. In telecommunications it is a interruption in SF
         that indicates the distant end office is ready to receive the
         digits that have just been dialed. In switching systems it is
         a single supervisory pulse. The wink is accomplished on the DS1 
         through it's signaling bits. On analog lines, the polarity 
         wink - A timed momentary off hook pulse. The interruption
                indicates that the CO is ready to receive data or that
                the local station has detected an incoming call.

Dialed Number Identification Service (DNIS) and ANI are sent as DTMF tones
which is a huge problem with robbed-bit signaling. 

  DNIS - Dialed Number Identification Service. Say you answer phones for 
         a business. Your business has 20 lines across the state and they
         terminate in one group on your Automatic Call Distributor (ACD).
         You could serve your customers better if you knew which phone
         number they dialed (what area they're in) or maybe you're just
         nosy. DNIS tells you what phone number the distant party dialed
         to get to you.

Each DTMF tone takes at least 100 milliseconds to send. If you want DNIS
and ANI, that's twenty DTMF tones or at least two seconds. There is a 
margin of error in transmission and detection which results in DNISF and
ANIF (failure). Digital signaling does not use messages.

These limitations are what have made ISDN PRI much more popular than the
T-1 circuit alone.

Although it is limited, digital signaling is more cost effective than SF
signaling. This has fueled the switchover from analog to digital in the
telecommunications industry. 

Another type of digital signaling, Auto-Ringdown Signaling (ARD Signaling) 
uses the "A" bit of a DS1. As soon as a phone goes offhook, a loop is 
connected and the far end phone begins to ring. Two states exist for the "A" 
bit. On-hook (loop not connected) and off-hook (loop connected) or 0 and 1 

This is also refered to as Automatic Ringdown Tie Trunking as opposed to 
Manuel Ringdown Tie Trunking.


Common Channel Signaling (CCS) was first introduced into the U.S. as Common
Channel Interoffice Signaling (CCIS). It uses a digital facility but 
separates the signaling information from the voice or data it is related to.
The signaling information is placed in its own "channel" thus the name CCS.
CCS is what makes SS7 and ISDN possible (CCS and CCIS are not the same thing
although they are closely related. CCS by Bellcore definition is a network
architecure which uses the SS7 protocol. CCIS was the original "out-of-band"
signaling first introduced to the United States in the 1970s as SS6... long 
before SS7).

CCS keeps the voice circuits open because the signaling is sent on it's own 
network apart from the voice. Voice circuits are kept open when the 
distant party is busy or not home. CCS is also capable of sending and 
receiving messages thus it supports an unlimited number of signaling states
or values. CCS can even transfer information from a remote database. Setting
up and tearing down a phone call is drastically faster with CCS as opposed
to in-band signaling techniques. 

CCIS has paved the way for a special version of it called SS7. Once CCIS/
CCS/SS7 is everywhere, it will be near impossible to bluebox terminal 
(within the United States) and country directs will be the only type of 
blueboxing which is done in the U.S. 

SS7 plays a huge role in ISDN. SS7 also provides fast call setup and remote
data base interactions. Without SS7, there would be no "portable" 800 
numbers, cellular roaming, E911, or (Custom) Local Area Signaling System 
(C/LASS). The Advanced Intelligent Network (AIN) would not be possible.

C7 is Europes version of SS7. Both are not 100% compatible but gateway
switches "translate" for each other. 

It would truly take a whole book to cover all of SS7 (as well as it would 
take more to cover the other signaling methods). Just reminding you that
this is just an introduction.


This refers to the manner in which a phone line is seized by the subscriber
once they go off-hook. The two main types of trunks are loop or ground 
start. Ground start seizes a line by grounding the ring momentarily. This is
a supervisory signal which notifies your local office to seize a trunk for
you and send out a dialtone. Ground start is often used in PBXs.

 -- Advantages/Disadvantages by Jared Hall
      Advantages of Ground Start:
      Minimizes the possibility of "Glare".
      Provides FAR-END Disconnect Supervision (e.g. the remote user can
      disconnect and the local PBX can be made aware of this and also

      Disadvantages of Ground Start:

      TIP/RING leads cannot be reversed.

      C.O./FXS and PBX/Telephone grounds must be at the same potential (Earth

      There is limited support for the Ground Start interface in most PBXs.
      If it is available, Ground Start is usually only incorporated on Trunk
      Interface Cards (e.g. no Line/Station Cards).  Also, it is likely that
      only FX Trunk applications are supported; that is to say, that the PBX
      acts like a station.

Loop start is used in regular single line telephones and most key systems.
With loop start, the supervisory signal which seizes a trunk is a bridging
through the tip and ring. 

   Bridging - one conductor of a circuit (here the circuit is your phone) is
              placed on a circuit of another conductor (a circuit at the
              telcos office in this case). Then it's repeated to the second
              conductor (the two conductors on your end are the tip and 
              ring). This is bridging across a circuit and is refered to as
              plain bridging.
                 Loop Signaling--Any of the three signaling methods which use 
                                 the metallic loop formed by the trunk 
                                 conductors and the terminating equipment 

*Info* - Reverse battery signaling falls under the loop signaling category.
         Battery and ground are "reversed" on the tip and ring of the loop.
         This plays a roll in supervision as it will indicate when the 
         called party goes off-hook. This signaling is sometimes used to
         indicate a toll call. Reverse battery supervision can play an 
         important roll in telemarketing systems which must know when to
         transfer the computer-dialed call over to the representative, 
         accounting systems which must know when to begin billing, etc.

 --Advantages/Disadvantages by Jared Hall
     Advantages of Loop Start:

     No need for accurate ground references between the Central Office/FXS and
     the PBX/Telephone.

     Generally, TIP/RING wires may be reversed at the PBX/Telephone with no
     adverse impact on operations - (some older DTMF keypads may have problems
     with a T/R reversal, causing no output of tones).

     Disadvantages of Loop Start:

     There is no FAR-END Disconnect Supervision.  When the remote
     handset/line hangs-up, there is no provision for the local CO/FXS to
     notify the PBX of the disconnection (Not a problem with a telephone).

     There is poor "glare" resolution.  "Glare" occurs when both the local end
     (PBX/Telephone) and the remote end (CO/FXS) attempt to access the circuit
     at the same time. Unfortunately, with Loop Start, the PBX/Telephone is
     not informed of an inbound seizure until ringing is detected; The ring
     "cadence" is normally 2-seconds ON, 4-seconds OFF (U.S.).


The now of signaling is SS7. Maybe the ITU-TS will come out with SS8 in 
a year or so and SS7 will be a thing of the past.

Still, signaling will remain digital and out-of-band in nature for quite 
some time (in my views). It will just get better. Call setup and teardown
will be much quicker, caller id/ANI/DNIS information will be able to be 
routed throughout the network (diverting won't hide your identity... someone
will find out a different way to do it tho), etc.

A huge AIN will be everywhere, and our privacy may be much less. Possibly,
the phone company may offer a new ANI blocking code as they have with
caller id (*67) however, there would also be the same option not to accept
anonymous calls.

It just gets better and more efficient. Use your imagination.

  | (not covered) |

Network Control Signaling - The transmission of signals used in the 
                            telecommunications system which perform
                            functions such as supervision, address 
                            signaling, and audible tone signals to
                            control the operation of switching machines
                            in the telecommunication system.

Signal - An electrical wave used to convey information.

Signaling - Pertains to the transmission of electrical signals to and 
            from the user's premises and the telephone company (telco)
            central office (CO). Examples of CO signals to the user's
            premises are ringing (audible alerting) signals, dial tone,
            speech signals, etc. Signals from the user's telephone
            include off-hook (request for service), dialing (network
            control signaling), speech to the distant party, on-hook
            (disconnect signal), etc.
   signaling: 1. The use of signals for controlling communications. 2. In
   a telecommunications network, the information exchange concerning the
   establishment and control of a connection and the management of the
   network, in contrast to user information transfer. 3. The sending of 
   a signal from the transmitting end of a circuit to inform a user at the 
   receiving end that a message is to be sent. 
               The process of transferring information between two parts of
               a telephone network to control the establishment of
               communications between long distance carrier terminal
               points, and customer equipment required for voice grade
               dedicated circuits. 
   Signaling - Method of communication between network components to
               provide control management and performance monitoring.

Signaling Converter (SC) - A device with input and output signals that 
                           contain the same information but employ different 
                           electrical systems for transmitting that 
                           information. Used at the terminal of a trunk to 
                           convert the equipment signals to the system used 
                           on the trunk.  Examples are:  (1) ring down to SF, 
                           (2) E&M to SF. 

Signaling Point (SP) - Processor designed for handling the signaling function 
                       of a switch in a common channel signaling network.

Signal To Noise Ratio (SNR) - Ratio of the signal power to the noise power in a 
                              specified bandwidth, usually expressed in db. 

Signal Transfer Point (STP) - Node in the interoffice (CCS7) network that 
                              communicates with central offices to assist in 
Simplex (SX) Signaling - A signaling path over a dry talking circuit which 
                         uses the two sides of the circuit in parallel, 
                         derived by connecting the midpoints of repeating 
                         coils or retardation coils which are across the 

   Simplex Signaling - Signaling using two conductors for a single channel.  
                       A center tapped coil or its equivalent is used at both 
                       ends for this purpose.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH