TUCoPS :: Phreaking Technical System Info :: r2.txt

Info about CCITT#5-R2 Signalling System



           &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
           &                                                  & 
           &   SIGNALLING SYSTEMS & THE BLUE BOX REVAMPED     &
           &                                                  &
           &                       By                         &
           &                                                  &
           &                  Lazlo 20/07/92                  &
           &                                                  &
           &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

NOTE: This file is for informational purposes only and in no way is
      any toll-fraud suggested by the author.

INTRODUCTION
============

I will in this file discuss some of the international trunk-signalling systems
used and methods to box over them. The main reason for writing this article
is the downfall of US boxing due to:


 *  2400 & 2600 detectors on trunks
 *  CCIS
 *  Snooping on subscribers who place several (lengthy) calls to 800 numbers


Detection could simply by avoided by boxing off another country (on a tollfree
line of course) and then calling globally using a signalling system other than
the ones used in the states.

I have also included an in-depth review of the R2.


USAGE
=====

The signalling systems used widely today are: CCIS, CCITT 4, R1, R2 and SOCOTEL.
CCITT 4 can be found mainly in African and South American countries and is very
seldom worth boxing off due to the long routing needed and the poor quality
acheived. R1 and R2 is still very popular in Europe and the US and is really
worth boxing with, especially R2, which offers a multitude of options yet
uncovered for the enthusiastic phreak. The only system listed here that I
haven't boxed off myself is SOCOTEL, which, according to my knowledge is used 
somewhere in Europe (who knows where).
	Using R1 to box off Europe (or any other country) from the US is not
recommended. US trunks are maybe not used to route the call, but the fraud
detectors do not know this and sooner or later you *will* be in trouble.
Using systems like R2 from the US is a good idea, since no detector in the
US is looking for R2 tones, and boxing off 800 numbers that offer Country
Direct services should not seem suspicous.


The CCITT R1 system
===================


-----------------------------------------------------
Freq.     700   900   1100   1300   1500   1700  [Hz]
-----------------------------------------------------
Digit
  1        x     x
  2        x           x
  3              x     x
  4        x                  x
  5              x            x
  6                    x      x
  7        x                         x
  8              x                   x
  9                    x             x
  0                           x      x
 11        x                                x
 12              x                          x
 KP                    x                    x
KP2                           x             x
 ST                                  x      x
-----------------------------------------------------

50/50ms timing can be used with all digits, even 20/20 is possible on some
systems if you want fast dialing.

One problem with R1 is trunk seizure. The normal procedure would be sending
2400/2600, waiting a while, then blowing 2400, and the trunk would be seized.
This is very unlikely to work, though. Even more so is sending 2400 or
2600 directly. The telco equipment is nowadays very exact with timing and 
the only way to find it out is by testing. Usually the 2400/2600 (hangup tone)
should be sent for at least 80ms and no more than 200ms, if 200 ms is not
enough, you probably aren't on r1. A way to find out the timing is to send
2400/2600 starting with 200ms, then decreasing the timing with 1ms steps.
With 200ms, the trunk is likely to hang up when you send the hangup tone. 
Find the timing that hangs up, but leaves you on the trunk (this can be heard
by a wink), then keep the 2400/2600 timing that way and adjust the delays
and the 2400 timing. Timings suggested for AT&T + MCI trunks are as follows:

2400/2600 delay     2400    delay     [ms]
------------------------------------------
   137     100       137    1200
   100     100       100    100
   140     400       140    1200
   120     100       60     300
   150     0         150    150

The delay before KP or KP2 is sent may/may not be important and must sometimes
be very accurate. this can be adjusted by ear. If the line hangs up before you
start dialing, then make the last delay shorter. 

NOTE:Not all trunks work with the same timing, and sometimes when dialing 
the same number you are routed another way. This is a problem, but if you have
a trained boxing-ear, you can learn to separate trunks from each other.


The KP2 is used for international dialing.

KP2-CC-0/1-NPA-PREF-SUF-ST

Where 0 = Connect by cable
      1 = Connect by satellite

Thus, a call to the US via cable would appear like:

KP2-1-0-NPA-PREF-SUFF-ST



SOCOTEL
=======

This system is identical to R1, except for that the line signals are
out of band, and are hard to produce on the foneline.

Hangup is 3850 and is sent with 50ms pulses.

Dial timing is the same as is for r1 (50/50)


CCITT R2
--------

This is probably the most complicated signalling system (with the exception of
Common Channel Signalling systems) and offers a very wide range of 
possibilities for phreaking. One of the problems with R2 is that it is more
or less based around PCM, and on such systems all the line signalling info
(the important tones such as seize and hangup) is sent over a different 
timeslot (PCM uses a timesharing method for sending voice/signals) and
is then difficult to control. On some R2 systems the PCM method is not
implemented at all and this is the one I will discuss in detail. The 
supervisory tone (3825Hz) can normally also be a mess to send over the lines.
There have been test numbers for telco personnel that connects to a trunk,
but this does not help much, since the seize signal must be sent before
dialing anyway and is, as I said before, a mess to get through.
	The R2 uses special signalling methods not seen elsewhere, e.g
there is a separate set of backward tones that the receiving CO sends back
between each digit. I have, merely for the sake of accuracy, included these.
The backward signals may seem unnecessary but there might be some room for
phreaking with them too. Another feature of R2 is that no specific timing
exists. Every digit should be sent until the receiving CO responds with 
another Backward digit, which could in turn have some other meaning. A 
specification for R2 is that it should handle 6/7 signals per second, this 
is quite slow, though, and usually much faster speed can be acheived than
with for instance R1.
	On R2, register signals are two frequencies from a group of 6 
separated by 120Hz. Line signals are all 3825Hz and vary in pulsing length.
Register signals are not only split in Backward/Forward groups, but also
in groups I/II on forw. signals and A/B on backward signals. Group I is 
mainly normal dialing digits while group II signals are messages that specify
Subscriber types etc. I have tried to include as much as I know about the
messages, if anyone has got more info on this or anything else in this 
phile, please contact me.




                      R2 Register signals

------------------------------------------------------------
Forward   1380    1500    1620    1740    1860    1980  [Hz]
------------------------------------------------------------
Backward  1140    1020    900     780     660     540   [Hz]
------------------------------------------------------------
Digit
  1        x       x
  2        x               x
  3                x       x
  4        x                       x
  5                x               x
  6                        x       x
  7        x                               x
  8                x                       x
  9                        x               x
  10                               x       x
  11       x                                       x
  12               x                               x
  13                       x                       x
  14                               x               x 
  15                                       x       x
-----------------------------------------------------------

These are translated as:


-----------------------------------------------------------                    
                    Forward Signals
-----------------------------------------------------------
Digit         Group I               Group II
-----------------------------------------------------------
  1             1                   Normal subscriber
  2             2                   Priviledged subscriber
  3             3                   Test subscriber 
  4             4                   Payfone 
  5             5                   Operator
  6             6                      ?
  7             7                   Normal subscriber
  8             8                      ?
  9             9                   Priviledged subscriber
 10            10                   Operator
 11            KP2E                 Forwarded call
 12            KP2                  Reserved
 13            Reserved             Reserved
 14            Reserved             Reserved
 15            ST                   Reserved
----------------------------------------------------------


-----------------------------------------------------------------------------
                        Backward signals
-----------------------------------------------------------------------------
Digit         Group A                       Group B
-----------------------------------------------------------------------------
  1           Send next digit (x+1)         Sub.vacant, call tracing (BAD) 
  2           Send previous digit (x-1)     Send guide tone
  3           Receive group B signals       Subscriber busy       
  4           National net failure          Net Failure
  5           Specify subscriber type       Disconnected number
  6           Connect voicechannel          Subscriber vacant - Sup
  7           Send (x-2)                    Subscriber vacant - Non-Sup
  8           Send (x-3)                    Subscriber malfunction
  9              ?                                ?
 10           Reserved                      The number has changed
-----------------------------------------------------------------------------



                  R2 Line signals, non-PCM (3825Hz)


---------------------------------------------------------------
 Signal                           Direction        Duration[ms]
---------------------------------------------------------------
 Seizing                            -->               50 or 150
 Seizing ACK (wink)                 <--               50 (or longer)
 Answer                             <--               150
 Metering (count)                   <--               100
 Clear back                         <--               600
 Clear Forward                      -->               1500
---------------------------------------------------------------

The backward signals are used to ask the calling CO questions while
dialing. This may cause problems since you may not know when to send
digits and when to send info, especially signals like send x-2 may
cause headaches. One way to find this out is usually by testing
different orders. Usually the subscriber type question is only sent when
making national calls and is asked after all the digits have been sent.
On intl. calls the subscriber type is asked after the CC (like on R1).
The thing is that the Telco knows these things and are trying their best to
make life hard for boxers by programming their equipment to send questions
at unexpected times.

A boxed call may take place as follows:

Dial number 555-1212

 CO1                   CO2
---------------------------
 Clear Forward ->
 Seize         ->
           <- Seizing ACK

 I-5 ->
                     <-A-1 (send next digit)
 I-5 ->             
                     <-A-1
 I-5 ->              
                     <-A-1
 I-1 ->               
                     <-A-1
 I-2 ->               
                     <-A-1
 I-1 ->          
                     <-A-1
 I-2 ->               
                     <-A-5 or A-3 (specify subscriber)
 II-5 -> (operator)
                     <-B-6 (no ST needed on local calls)
----------------------------

Any1 with more info on this, please contact me.
                                                
<End of File>



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH