|
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& & & & SIGNALLING SYSTEMS & THE BLUE BOX REVAMPED & & & & By & & & & Lazlo 20/07/92 & & & &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& NOTE: This file is for informational purposes only and in no way is any toll-fraud suggested by the author. INTRODUCTION ============ I will in this file discuss some of the international trunk-signalling systems used and methods to box over them. The main reason for writing this article is the downfall of US boxing due to: * 2400 & 2600 detectors on trunks * CCIS * Snooping on subscribers who place several (lengthy) calls to 800 numbers Detection could simply by avoided by boxing off another country (on a tollfree line of course) and then calling globally using a signalling system other than the ones used in the states. I have also included an in-depth review of the R2. USAGE ===== The signalling systems used widely today are: CCIS, CCITT 4, R1, R2 and SOCOTEL. CCITT 4 can be found mainly in African and South American countries and is very seldom worth boxing off due to the long routing needed and the poor quality acheived. R1 and R2 is still very popular in Europe and the US and is really worth boxing with, especially R2, which offers a multitude of options yet uncovered for the enthusiastic phreak. The only system listed here that I haven't boxed off myself is SOCOTEL, which, according to my knowledge is used somewhere in Europe (who knows where). Using R1 to box off Europe (or any other country) from the US is not recommended. US trunks are maybe not used to route the call, but the fraud detectors do not know this and sooner or later you *will* be in trouble. Using systems like R2 from the US is a good idea, since no detector in the US is looking for R2 tones, and boxing off 800 numbers that offer Country Direct services should not seem suspicous. The CCITT R1 system =================== ----------------------------------------------------- Freq. 700 900 1100 1300 1500 1700 [Hz] ----------------------------------------------------- Digit 1 x x 2 x x 3 x x 4 x x 5 x x 6 x x 7 x x 8 x x 9 x x 0 x x 11 x x 12 x x KP x x KP2 x x ST x x ----------------------------------------------------- 50/50ms timing can be used with all digits, even 20/20 is possible on some systems if you want fast dialing. One problem with R1 is trunk seizure. The normal procedure would be sending 2400/2600, waiting a while, then blowing 2400, and the trunk would be seized. This is very unlikely to work, though. Even more so is sending 2400 or 2600 directly. The telco equipment is nowadays very exact with timing and the only way to find it out is by testing. Usually the 2400/2600 (hangup tone) should be sent for at least 80ms and no more than 200ms, if 200 ms is not enough, you probably aren't on r1. A way to find out the timing is to send 2400/2600 starting with 200ms, then decreasing the timing with 1ms steps. With 200ms, the trunk is likely to hang up when you send the hangup tone. Find the timing that hangs up, but leaves you on the trunk (this can be heard by a wink), then keep the 2400/2600 timing that way and adjust the delays and the 2400 timing. Timings suggested for AT&T + MCI trunks are as follows: 2400/2600 delay 2400 delay [ms] ------------------------------------------ 137 100 137 1200 100 100 100 100 140 400 140 1200 120 100 60 300 150 0 150 150 The delay before KP or KP2 is sent may/may not be important and must sometimes be very accurate. this can be adjusted by ear. If the line hangs up before you start dialing, then make the last delay shorter. NOTE:Not all trunks work with the same timing, and sometimes when dialing the same number you are routed another way. This is a problem, but if you have a trained boxing-ear, you can learn to separate trunks from each other. The KP2 is used for international dialing. KP2-CC-0/1-NPA-PREF-SUF-ST Where 0 = Connect by cable 1 = Connect by satellite Thus, a call to the US via cable would appear like: KP2-1-0-NPA-PREF-SUFF-ST SOCOTEL ======= This system is identical to R1, except for that the line signals are out of band, and are hard to produce on the foneline. Hangup is 3850 and is sent with 50ms pulses. Dial timing is the same as is for r1 (50/50) CCITT R2 -------- This is probably the most complicated signalling system (with the exception of Common Channel Signalling systems) and offers a very wide range of possibilities for phreaking. One of the problems with R2 is that it is more or less based around PCM, and on such systems all the line signalling info (the important tones such as seize and hangup) is sent over a different timeslot (PCM uses a timesharing method for sending voice/signals) and is then difficult to control. On some R2 systems the PCM method is not implemented at all and this is the one I will discuss in detail. The supervisory tone (3825Hz) can normally also be a mess to send over the lines. There have been test numbers for telco personnel that connects to a trunk, but this does not help much, since the seize signal must be sent before dialing anyway and is, as I said before, a mess to get through. The R2 uses special signalling methods not seen elsewhere, e.g there is a separate set of backward tones that the receiving CO sends back between each digit. I have, merely for the sake of accuracy, included these. The backward signals may seem unnecessary but there might be some room for phreaking with them too. Another feature of R2 is that no specific timing exists. Every digit should be sent until the receiving CO responds with another Backward digit, which could in turn have some other meaning. A specification for R2 is that it should handle 6/7 signals per second, this is quite slow, though, and usually much faster speed can be acheived than with for instance R1. On R2, register signals are two frequencies from a group of 6 separated by 120Hz. Line signals are all 3825Hz and vary in pulsing length. Register signals are not only split in Backward/Forward groups, but also in groups I/II on forw. signals and A/B on backward signals. Group I is mainly normal dialing digits while group II signals are messages that specify Subscriber types etc. I have tried to include as much as I know about the messages, if anyone has got more info on this or anything else in this phile, please contact me. R2 Register signals ------------------------------------------------------------ Forward 1380 1500 1620 1740 1860 1980 [Hz] ------------------------------------------------------------ Backward 1140 1020 900 780 660 540 [Hz] ------------------------------------------------------------ Digit 1 x x 2 x x 3 x x 4 x x 5 x x 6 x x 7 x x 8 x x 9 x x 10 x x 11 x x 12 x x 13 x x 14 x x 15 x x ----------------------------------------------------------- These are translated as: ----------------------------------------------------------- Forward Signals ----------------------------------------------------------- Digit Group I Group II ----------------------------------------------------------- 1 1 Normal subscriber 2 2 Priviledged subscriber 3 3 Test subscriber 4 4 Payfone 5 5 Operator 6 6 ? 7 7 Normal subscriber 8 8 ? 9 9 Priviledged subscriber 10 10 Operator 11 KP2E Forwarded call 12 KP2 Reserved 13 Reserved Reserved 14 Reserved Reserved 15 ST Reserved ---------------------------------------------------------- ----------------------------------------------------------------------------- Backward signals ----------------------------------------------------------------------------- Digit Group A Group B ----------------------------------------------------------------------------- 1 Send next digit (x+1) Sub.vacant, call tracing (BAD) 2 Send previous digit (x-1) Send guide tone 3 Receive group B signals Subscriber busy 4 National net failure Net Failure 5 Specify subscriber type Disconnected number 6 Connect voicechannel Subscriber vacant - Sup 7 Send (x-2) Subscriber vacant - Non-Sup 8 Send (x-3) Subscriber malfunction 9 ? ? 10 Reserved The number has changed ----------------------------------------------------------------------------- R2 Line signals, non-PCM (3825Hz) --------------------------------------------------------------- Signal Direction Duration[ms] --------------------------------------------------------------- Seizing --> 50 or 150 Seizing ACK (wink) <-- 50 (or longer) Answer <-- 150 Metering (count) <-- 100 Clear back <-- 600 Clear Forward --> 1500 --------------------------------------------------------------- The backward signals are used to ask the calling CO questions while dialing. This may cause problems since you may not know when to send digits and when to send info, especially signals like send x-2 may cause headaches. One way to find this out is usually by testing different orders. Usually the subscriber type question is only sent when making national calls and is asked after all the digits have been sent. On intl. calls the subscriber type is asked after the CC (like on R1). The thing is that the Telco knows these things and are trying their best to make life hard for boxers by programming their equipment to send questions at unexpected times. A boxed call may take place as follows: Dial number 555-1212 CO1 CO2 --------------------------- Clear Forward -> Seize -> <- Seizing ACK I-5 -> <-A-1 (send next digit) I-5 -> <-A-1 I-5 -> <-A-1 I-1 -> <-A-1 I-2 -> <-A-1 I-1 -> <-A-1 I-2 -> <-A-5 or A-3 (specify subscriber) II-5 -> (operator) <-B-6 (no ST needed on local calls) ---------------------------- Any1 with more info on this, please contact me. <End of File>