TUCoPS :: Phreaking Technical System Info :: analss.txt

Analog Signaling Systems - An overview

       Analogue Signalling Systems - An overview by NeonDreamer
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
	   Why only analogue?  Why not digital?  Well let me tell
      you now, the number of phreaks who know more than '.' about
      digital signalling over ISDN lines is next to nothing.  I
      don't know much myself, let alone how to exploit it, so I'll
      restrict my ramblings to what can realistically be played
      with.
	   
	   Firstly a note on naming conventions.  Most of us are
      used to dealing with American texts, and we are used to
      signalling systems be referred to in terms of their CCITT
      code.  The UK has their own codes SSAC and SSMF for
      describing signalling.  For ease of use I'll stick to what
      we are familiar with - CCITT conventions.  If you need to
      know the equivalent UK code refer to the table below.

      CCITT   UK
      4       SSAC4
      5       SSAC10/SSMF1

      Non CCITT standards will be referred to in the UK style.

	   OK, before the good days of auto switching and
      subscriber trunk dialling (STD) all trunk switching was
      performed by operators on Strowger or related equipment.
      Inter-exchange signalling was performed by the operators.
	   
	   Obviously an automatic network needs to perform a
      number of functions.

	   1) It needs to signal the exchange to connect caller A
	   to recipient B
	   2) It needs to supervise the call
	   3) It needs to give caller A feedback (ringing tone /
	   engaged tone)
	   4) It needs to bill the call

	   Signalling data can be transmitted as pulse breaks,
      tones or binary.  The following methods are still used
      today:
	   
	   1) Level and direction of current (in 2 wire DC
	   systems)
	   2) Pulse duration (DC)
	   3) Pulse combination (DC)
	   4) AC signal frequency
	   5) Frequency combination
	   6) Binary

	   Signalling across local lines has evolved from two-wire
      DC systems - except ringing current and standard tones.
      Tones were initially produced electromechanically as
      follows:

	   Ringing tone        133Hz     interrupted
	   Engaged tone        400Hz     interrupted
	   Out of order        400Hz     continuous
	   Ringing current     17Hz      ( @ 75V )

	   Probably what we are all familiar with in the first
      instance is called loop disconnect calling.  Anyone who ever
      used a rotary fone as a kid (and even on crappy payfones
      now) will remember the 'click click click' that signalled
      the numbers to the exchange.  Remember when you first sussed
      that the number of clicks indicated the number you had
      dialled?  Remember when you found out that by tapping the
      handset rest you could dial a number without using the dial?
      Did you ever wonder how it worked?
	   
	   For the sake of completeness - here is the answer.
      When a fone is off the hook, it allows DC current to flow
      through it.  When you dial, you interrupt this DC current
      at 10 pulses / second (3 pulses for a 3, 10 for a 0 etc.) -
      hence the term loop disconnect calling - you dial by
      momentarily disrupting a DC current flow, only flowing off
      hook.  When your call is answered the recipients exchange
      reverses the direction of current flow.
	   
	   Correct dialling using this method is achieved by
      disrupting the DC current for 66.7 ms with 33 ms between
      pulses indicating the same number, and a >400ms of DC flow
      between pulses indicating a different number.
	   
	   DC signalling is limited distance wise due to the
      resistance in copper wires.  Consequently due to the
      relatively high power requirements other signalling systems
      have been developed.

	   DTMF dialling and electronic exchanges give a greater
      signalling speed.  The DTMF frequencies used are listed
      below :

		Digit          Frequencies (Hz)
		~~~~~          ~~~~~~~~~~~~~~~~
		1              697  1209
		2              697  1336
		3              697  1477
		4              770  1209
		5              770  1336
		6              770  1477
		7              852  1209
		8              852  1336
		9              852  1477
		*              941  1209
		0              941  1336
		#              941  1447

	   In payfone systems the call charging signal is a 50 Hz
      common mode or longitudinal voltage in which both wires of a
      two wire pair are driven in phase.

	   Blimey, we're only just on to analogue signalling. Hang
      on and bear with me....

	   Between network switching centres parallel signalling
      is used in the form of AC signals which may be single
      frequency (1VF), dual voice frequency (2VF) or
      multifrequency (MVF).  The system has evolved from SSAC9
      (1VF) in the 1950's the identically featured, but
      transistorised 1980's version.  Part of the adaptation has
      been from 2-wire (metallic pair) to a 4-wire system.
      SSAC9 uses the 'magic' 2280Hz signal frequency.  This was
      exploited by phreakers in the good old days and it is
      nothing more than a historical curiosity now...
	   Multifrequency signalling is now the standard.  In our
      system an out of band signal of 3825Hz is used for
      supervisory purposes - and enables continuous supervision.
	   This is due to a CCITT recommendation (Q351) and is
      referred to as R2 signalling.  This is the system of
      signalling that '3l33t3' phreaks have taken to playing
      with...
      So here are the signals used :

			     |      ______Direction______
      Condition of circuit   |      Forward        Return
      ---------------------------------------------------
      Idle                   |      Tone on        Tone on
      Seized                 |      off            on
      Answered               |      off            off
      Clear back             |      off            on
      Released               |      on             on or off
      Blocked                |      on             off

	   
	   CCITT4 is an end 2 end signalling system using 2VF and
      two tones : 2040Hz (from now on read 'x' [binary 0]) and
      2400Hz (from now on read 'y' [binary 1]). It is used for
      line signalling and interregister signalling (with serial
      transmission in binary).
	   Consequently a 4 element code in binary gives 16
      characters.  10 of these are for digits and four are
      supervisory.  These are given below...

		      1    2    3    4
      
      1               y    y    y    x
      2               y    y    x    y
      3               y    y    x    x
      4               y    x    y    y
      5               y    x    y    x
      6               y    x    x    y
      7               y    x    x    x
      8               x    y    y    y
      9               x    y    y    x
      0               x    y    x    y
      
      Call operator code 11         x    y    x    x
      Call operator code 12         x    x    y    y
      Spare code                    x    x    y    x
      Incom. half echo sup. reqd.   x    x    x    y
      End of pulsing                x    x    x    x
      Spare                         y    y    y    y

	   OK - now each line signal is prefixed with a signal
      called 'P' followed by a control element ( x or y ).  The
      prefix is a combination of both frequencies and the control
      element plays its constituent tones consecutively with the
      durations as follows :

      P = 150 +- 30ms (2040Hz/2400Hz)
      x and y = 100 +- 20ms

	   There are more supervisory signals too which use X and
      Y which are 350ms +- 70ms.  So signalling in the forward
      direction we have :

      Terminal seizing         PX
      Transit seizing          PY
      Digits            Shown in above table (are you
			paying *no* attention?)
      Clear forward            PXX
      Forward transfer         PYY

      and in the backward direction we have :

      Proceed to send          X
      International transit    Y
      Engaged                  PX
      Answer                   PY
      Acknowledge              P

	   Phew (that's all for CCITT4).  To find better
      explanations of the operator codes finish reading the next
      section (CCITT5) and then go and get some deeper articles on
      signalling (2600 have an excellent CCITT5 article - I'll
      Xerox a copy for anyone who is interested).

	   CCITT5 is the system most abused by phreaks.  This
      system is generally abused over international 'country
      direct' lines. 0800 numbers connecting you to a foreign
      operator - which gives you the chance to break their trunk,
      seize their line and control their system (yeah!).  The
      definitive guide to BlueBoxing CCITT5 is on my (growing)
      list of projects, I have read the rest and will write the
      best both technically and practically ;-)

	   CCITT5 is a 2VF system using 2400Hz / 2600Hz for line
      signalling on a link by link basis.  Interregister
      signalling is 2MF (2 out of 6 frequency type).  The 6
      frequencies are spaced 200Hz apart from 700Hz to 1700Hz.  In
      the USA a similar, but not identical, system is used (R-1).

	   The CCITT5 code is :

	 Digit       Frequencies

	   1         700Hz     900Hz
	   2         700       1100
	   3         900       1100
	   4         700       1300
	   5         900       1300
	   6         1100      1300
	   7         700       1500
	   8         900       1500
	   9         1100      1500
	   0         1300      1500

      The supervisory tones (ie the useful ones!) are:

      Prefix digit sequence         1100Hz    1700Hz
      End of digit sequence         1500      1700
      Operator code 11              700       1700
      Operator code 12              900       1700
				    700       1100
      Payfone coin control          1100      1700
				    700       1700

	   Final point - there is a modified CCITT5 system
      floating around which uses a 2 out of 6 MF signal, but has
      two different sets of frequencies for forward and return
      signalling.   The tones are spaced at 120Hz from 540Hz to
      1980Hz.

      NeonDreamer '95 (just)


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH