*******************************************
* PHED-ONE's ULTIMATE GUIDE TO BLUEBOXING *
*            IN THE (LATE) 90s            *
*               [FULL STOP]               *
*******************************************

This series of files will introduce you to the concept of blueboxing, how it is achieved, the signalling systems involved and how it all started.

Part 1 will discuss the basics of signalling and introduce the concept of blueboxing.
Part 2 will inform the reader about blueboxing, how it is achieved and to what extent it is possible.
Part 3 will discuss CCITT-5 in depth and advanced signalling and routing issues.
Part 4 will discuss the possibilities for blueboxing nowadays and future ideas in the field of blueboxing.

See DISCLAIMER AT THE BOTTOM

PART-1
All about blueboxing, why you should care, and basic signalling

Blueboxing is widely considered amongst hackers and phreakers as one of the best ways of phreaking. Unlike PBXing and payphone tricks, blueboxing is phreaking in the purest sense of the word. It obtains free calls, but apart from that you can have a lot of fun with routings (military lines, operator status, blueboxing around the world), and that is what sets it apart from the lesser methods of phreaking. Sure, with a PBX you can get free calls, but is that all you want? If free calls are all you are interested in, then you are not a phreaker - you're just a thief. On the other hand, PBXs are useful for hacking activities in order to cover your tracks, but blueboxing is even better as you can bluebox through several countries and route via military lines. After all, what could be more legitimate than calling into Area 51 via military lines - it's far more convincing. The social engineering opportunities with blueboxing are also enhanced.

(Skip the R1 bit if you know it already....)
Blueboxing began during the 1960s when it was discovered by an engineering student reading a Bell technical journal about the R1 signalling system - used as the main long distance signalling system in the US at the time. In 1954, an article named "In-band Signal Frequency Signalling" appeared in the Bell System Technical Journal, which described the electronic signals used for routing long distance calls, for billing and for hanging up. In November 1960, Bell described the frequencies required for dialling numbers. Bell intended this journal to reach the engineering staff only, but Bell, in all its stupidity, forgot that most of America's engineering colleges subscribed to it as well. This information was effectively the key to the Bell system. Bell realised the mistake they had made and immediately red-tagged all issues of the journal and recalled them. But it was too late; the journals had already been photocopied and distributed amongst students all over America. The first bluebox was constructed soon after.

According to Bell, the first bluebox to be discovered was in 1961, after a local office manager in the company's Pacific North-West division noticed lengthy calls to an out-of-area directory number. The calls originated from Washington State College; Bell engineers went to investigate and discovered "a strange looking device on a blue metal chassis" attached to the phone. From then on it was nicknamed the blue box.

In essence, the device that they constructed was used to imitate the tones used to hang up on the Bell system and the multifrequency digits used to dial. It relied on the principle that Bell trunks whistled at 2600 Hz when not in use. When the trunk was in use, 2600 Hz was not present.
When a call was placed from Los Angeles to Las Vegas, the person calling (call him John) would dial the number he wanted, his local trunk would stop whistling at 2600 Hz and begin to dial the Las Vegas trunk; on reaching that trunk, it would stop whistling at 2600 Hz as he would be on it. The trunk would then ring his friend's number; on answer, his friend's side of the trunk would stop whistling at 2600 Hz and the caller would hear a "pleep" - the acknowledging signal of pickup. By sending a 2600 Hz tone during the call to his friend, the trunk would think that he had hung up, but he hadn't, he was still on the line. His toll office in Los Angeles would think he was still on the line to his friend and would still be charging him at whatever rate he was paying. But John has sent a 2600 Hz; the trunk thinks he has hung up, but because he only sends the 2600 Hz for a short period of time, the trunk thinks that it is being used again. John is now on a trunk; he can call anywhere he likes now, and during the 60s he could even call the UK before everyone else could (the trans-atlantic service began in 1971).

In order to route his call, he has to speak trunk language. His trunk in the US doesn't use DTMF, it uses CCITT-R1 dialling. The signalling system (the way the calls are routed - the language of the phone system he is on) used at that time was CCITT-R1. CCITT stands for Consultative Committee for International Telephone and Telegraph; it is based in Geneva. The CCITT specify different telecommunications systems for different circumstances; R1 was a system that the CCITT specified as a national system, using in-band signalling (signals on the same channel as voice) and multifrequency dialling (for the trunks). CCITT-R1 dialling used multifrequency tones, or MF tones for short. The digits are comprised of two tones, but unlike DTMF, MF uses different tones. The actual tones will be described later on in the guide.
To dial his call:

  In the country he is in (US):
    KP1 - discriminating digit - area code - number - ST
  International:
    KP2 - discriminating digit - country code - area code - number - ST

  (Discriminating digit: 0 for Cable; 1 for Satellite; 2 for Military; 9 for Microwave)

From the trunk in Las Vegas, John makes a call to his friend in the UK. It's easy enough if you know how to speak trunk language - R1 dialling. If John wanted a completely free call, he could dial an 800 number and "bluebox" that one - send a 2600 Hz to get on the trunk and dial from there. Apart from dialling, he could specify whether he wanted a cable, satellite or military connection. But all that was 20 years ago; I recommend you read "The Secrets of the Little Blue Box" by Ron Rosenbaum to find out all the fun they had - they could set up conferences, call all around the world, get operator status - the lot.

But, like I mentioned, that was 20 years ago. Welcome to 1999: you're now in the UK, and we don't use R1. We used to be able to bluebox our national system, but that was when we used MF2. With MF2, a 2280 Hz tone was used, although in order to route a call, Code14 was placed in front of each digit. Nowhere in the UK uses MF2 (CCITT-3); BT began replacing our MF2 trunks with common channel signalling in 1987. You really don't need to concern yourself much with MF2, although knowledge of it would be useful if you ever go to a country that uses it, so I'll mention more on the subject later.

Back to the present
~~~~~~~~~~~~~~~~~~~

The system we use in the UK now is COMMON CHANNEL SIGNALLING (CCIS). Our digital exchanges (all exchanges that actually route are now digital) use CCITT-7 - otherwise known as OPTIMISED COMMON CHANNEL SIGNALLING - and our analogue exchanges use CCITT-6, a simpler version that can be analogue or digital. Common channel signalling means that all line signals are transmitted on a separate channel from the speech path.
Therefore, a common channel signalled link:

a) Makes no signalling "pleeps" or "cheeps" that you can hear.
b) You can't hear it dialling the number in the background (as you could with R1).
c) Sending signalling tones does nothing (except for when you're on a dial tone).
d) You can't bluebox this system easily, and no method is known of as yet.

In fact, blueboxing this system is theoretically impossible - how would you get onto the signalling channel? And then you'd need to know the kind of data packets they use.

But blueboxing is still possible nowadays.... How?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well, British Telecom had the great idea of having freephone numbers that terminate in other countries. These numbers fall into either:

a) Operators and Calling Card Numbers: 0800 890 xxx (last 3 digits of country code)
b) Businesses:                         0800 96x xxx
                                       0800 891-9 xxx

Some businesses are on the 890 range, and some calling card numbers can be found on the 96x range. Other ranges on the 0800 list can also terminate abroad. The great thing is these numbers are free; they are international connections that terminate abroad, which means that you'll meet interesting phone systems that you probably have never used before.

The system we concern ourselves with blueboxing nowadays is CCITT-5, which is actually quite similar to R1, only it can be used for international working. With some CCITT-5 connections you can hear the number being dialled. In fact CCITT-5 and R1 share similar MF dialsets for routing calls as well. But CCITT-5 uses different methods of signalling from R1. You can't just blast a 2600 Hz and hope for the best; CCITT-5 is quite different. The tones used in CCITT-5 (or C5 for short) are compound tones. Compound tones are tones made up of two or more frequencies; compound tones are generally used on international working, except in digital of course, which uses packets. Therefore, seizing a C5 trunk is a little harder.
In fact, if you've just gone and built yourself an R1 bluebox, you'd better bin it (unless you live in the few places left in the US or abroad where R1 is used). Plans for a C5 bluebox are included in the appendix of the guide.

C5 uses two "main" control tones:

a) Clear Forward
b) Seize

Clear Forward is comprised of 2600 Hz + 2400 Hz (compound) and Seize is comprised of 2400 Hz + 2400 Hz (compound). (Durations and delays are included later.) In order to seize a trunk, you would send a Clear Forward followed by a Seize tone. After each tone, an acknowledgement is sent (like a pleep or cheep or click). Two pleeps mean that the two tones have been acknowledged and the trunk is seized.

Calls are routed in a similar fashion to R1:

  Calls in the country you are calling:
    KP1 - discriminating digit - area code - number - ST
  International:
    KP2 - discriminating digit - country code - area code - number - ST

The discriminating digits are the same: 0 for Cable; 1 for Satellite; 2 for Military; 9 for Microwave.

THE MF TONES
~~~~~~~~~~~~

  Digit   Freqs
  1       700 & 900 Hz
  2       700 & 1100 Hz
  3       900 & 1100 Hz
  4       700 & 1300 Hz
  5       900 & 1300 Hz
  6       1100 & 1300 Hz
  7       700 & 1500 Hz
  8       900 & 1500 Hz
  9       1100 & 1500 Hz
  0       1300 & 1500 Hz

  Control Digit   Freqs
  KP1             1100 & 1700 Hz
  KP2             1300 & 1700 Hz
  ST              1500 & 1700 Hz
  C11             700 & 1700 Hz
  C12             900 & 1700 Hz

DIGITS
~~~~~~
DURATION = 55ms
DELAY    = 55ms

CONTROL DIGITS
~~~~~~~~~~~~~~
DURATION = 100ms
DELAY    = 55ms

Bear in mind that some countries require shorter timings for these digits, such as certain South American destinations. Although I don't really see that much harm in keeping to the default digit durations unless you are having problems routing.

CONCLUSION
~~~~~~~~~~

Therefore, even though Bell spent millions of dollars and a good 20 years trying to modernise their system (mainly due to blueboxers), and BT spent millions of pounds and a few years replacing C3, BT and a load of other telcos now have to worry about international blueboxing - where the stakes are actually higher.
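As an added example (not part of the original guide, nor code from LittleOperator or any other program it mentions), here is the receiving side of the MF table above: a decoder that maps measured frequency pairs back to the address signals and checks that a sequence is a well-formed KP...ST address. This is what a line-monitoring or forensic tool would do with MF signalling captured on a trunk. The +/-30 Hz matching tolerance and the sample capture are constructed assumptions; the frequency pairs and the 55ms/100ms timings are the ones given in the tables.

```python
# MF address-signal decoder (added example; the frequency pairs and timings are from
# the tables above, the tolerance and the sample capture are constructed assumptions).

MF_SIGNALS = {
    "1": (700, 900),   "2": (700, 1100),  "3": (900, 1100),  "4": (700, 1300),
    "5": (900, 1300),  "6": (1100, 1300), "7": (700, 1500),  "8": (900, 1500),
    "9": (1100, 1500), "0": (1300, 1500),
    "KP1": (1100, 1700), "KP2": (1300, 1700), "ST": (1500, 1700),
    "C11": (700, 1700),  "C12": (900, 1700),
}

# Timings from the text: digits 55 ms on / 55 ms off, control signals 100 ms on / 55 ms off.
DIGIT_MS, CONTROL_MS, GAP_MS = 55, 100, 55
CONTROL_SIGNALS = {"KP1", "KP2", "ST", "C11", "C12"}

MATCH_TOLERANCE_HZ = 30  # assumed acceptance window for a measured frequency


def classify_pair(f1, f2, tol=MATCH_TOLERANCE_HZ):
    """Map one measured frequency pair to its MF symbol, or None if it is not an MF pair."""
    lo, hi = sorted((f1, f2))
    for symbol, (a, b) in MF_SIGNALS.items():
        if abs(lo - a) <= tol and abs(hi - b) <= tol:
            return symbol
    return None  # e.g. the 2400/2600 Hz line signals are not address signals


def decode_sequence(pairs):
    """Decode (f1, f2) pairs in the order they were heard; unknown pairs become '?'."""
    return [classify_pair(f1, f2) or "?" for f1, f2 in pairs]


def parse_address(symbols):
    """Validate KP..ST framing and return the routing scope and dialled digits.

    Raises ValueError for anything that is not a complete, well-formed address."""
    if len(symbols) < 3 or symbols[0] not in ("KP1", "KP2") or symbols[-1] != "ST":
        raise ValueError("address must start with KP1/KP2 and end with ST")
    body = symbols[1:-1]
    if any(len(s) != 1 or not s.isdigit() for s in body):
        raise ValueError("only digits 0-9 may appear between KP and ST")
    scope = "national" if symbols[0] == "KP1" else "international"
    return {"kp": symbols[0], "scope": scope, "digits": "".join(body)}


def is_valid_address(symbols):
    """True when parse_address accepts the sequence."""
    try:
        parse_address(symbols)
        return True
    except ValueError:
        return False


def address_duration_ms(symbols):
    """Total on-line time of a burst, using the default durations and delays above."""
    total = 0
    for s in symbols:
        total += (CONTROL_MS if s in CONTROL_SIGNALS else DIGIT_MS) + GAP_MS
    return total


if __name__ == "__main__":
    # Constructed capture of a KP1 address: KP1 0 2 1 2 ST
    heard = [(1100, 1700), (1300, 1500), (700, 1100), (700, 900), (700, 1100), (1500, 1700)]
    syms = decode_sequence(heard)
    print(syms, parse_address(syms), address_duration_ms(syms), "ms")
```

The decoder sorts each pair before matching, so the order in which a measurement reports the two components does not matter, and a pair that is not within tolerance of any table entry is reported rather than guessed.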
I hope this first section has whetted your appetite for more information on the subject of blueboxing. The next part (Part 2) will discuss how to bluebox and to what extent it is possible. Blueboxing is one of the best skills any hacker or phreaker could have. On the hacking side of things, it makes you VERY hard to trace, and routing via military lines offers great prospects for social engineering passwords etc.

PART-2
The Technics of Blueboxing

Before we go any further, you will need:

- A copy of LittleOperator or Bluebeep (I personally prefer LittleOperator "TLO")
- A bluebox (OPTIONAL) but it has advantages. A schematic can be found in the appendix
- A Dictaphone and a lot of patience (OPTIONAL) - similar usefulness to a bluebox but more of a hassle in the long run
- A brain

The MF tones required are in Part 1.

As described earlier, blueboxing is the art of seizing trunks and routing calls in "trunk language" to wherever you want to call. You get operator status, and you can seize multiple trunks in different places and go around the world. You are traceable, but not using CLI (Caller Line Identification); it's VERY hard for them to trace you as they have to do the old style trace, which involves following your track from exchange to exchange or sending electricity and working out your distance - or something like that. I'm not really an expert on call tracing, but I do know that blueboxing through about 2/3 countries will give you serious untraceability; 1/2 would be sufficient for most - but be paranoid and do more. Although I would suggest that if you bluebox through too many countries you will have problems going at any decent speed on your modem.

The chances are, this section will be quite popular with newbies, lamers, and even relatively experienced phreakers. The truth is, a lot of people are running around looking for decent info on this subject, or worse, are misinformed on it. The truth of the matter is that there are a lot of blueboxing guides around.
In fact everyone thinks blueboxing is so easy they've all gone and written articles on it, but we want quality and not quantity. Some guides are even copy+pastes of other guides! Some guides blatantly state incorrect information - saying it worked; for instance, one guide I read advocated sending a 2600 Hz and then a 2400 Hz + 2400 Hz (in case you didn't read Part 1, the correct tones are 2600+2400 Hz and then 2400+2400 Hz). Enough of my rantings and on with the guide...

Basically, as mentioned in Part 1, you are looking at international systems to bluebox, not the UK system. Blueboxable connections have a characteristic "pleep", "cheep" or "click" on connection or disconnection. The pleep you are hearing is the trunk signalling; this tells you that it is inband signalled, and inband signalling means blueboxability. The system that this guide is aimed at is CCITT/ITU-T 5, although there is an appendix on R2 which can be boxed as well.

The two main tones used in CCITT/ITU-T 5 are Clear Forward and Seize. The Clear Forward tone tells the trunk "I am about to send a seize tone - make ready"; the trunk acknowledges it with a "pleep" called a release guard. The Seize tone is then sent, which tells the trunk the caller has hung up - the trunk responds by applying 2400 Hz to itself so that the system knows that the trunk is not in use. Blueboxing constitutes simply imitating these tones and routing a call accordingly.

So, for instance, you call up MooMoo Land Direct - 0800 890 xxx

  "PLEEP, PLEEP"                                (It's a C5 connection)
  "Alohaoao Serviso MooMoo Land Directo, transferarore au operarore du Telecom Gringo, no quelie, gracias"

  You send a Clear Forward (2600+2400 Hz)
  "PLEEP"
  You send a Seize (2400+2400 Hz)
  "PLEEP"

  You dial the number:
    International KP2:  KP2-44-discrim. digit-areacode-number-ST
    Local KP1:          KP1-discrim. digit-areacode-number-ST

Discriminating digit - tells the system HOW to route...
  0 - Cable Connection (International and Local)
  1 - Satellite (International)
  2 - Military (International and Local - where available)
  9 - Microwave (International - nearby countries)

One thing to always remember is that all routings aren't always available. For instance, some can only be international. Some countries only use a cable connection to the UK; others only have satellite connections to the UK. As for military lines, they aren't always available; some countries in the world don't have a military big enough to warrant it - Iceland, for example, has only a Coastguard and no other military. In addition, a lot of South American countries allow international calls to nearby countries only (sometimes on KP1). Some countries' connections are on uni-directional trunks. Uni-directional means "in one direction only" - into the country only - so the only way you could route a call would be on KP1, then bluebox that connection, then call your KP2 destination. In some cases, the only way to route an international call is with "2" - military lines, as in some places international calls must be booked. The necessity for military lines on KP2 connections was true for Taiwan. In addition, the routing codes are sometimes doubled, i.e. 0 would be 00 (this was true for Macao) and 1 would be 11. Not all countries "play fair" with routings - it's an old saying but it's very true. Another "trick" sometimes used is the placing of the discriminating digit at the start of the routing (i.e. KP2 0 44 xxx xxx). It was once necessary with Iceland Direct (now C7) to enter KP1-KP1-desc digit-number-ST, as that was the only way to get the trunk to respond and start routing. Unfortunately all this achieved was reconnection to the country direct operator, therefore there must be some other way of routing - perhaps two STs or something.

Take on the tones
~~~~~~~~~~~~~~~~~

They are vital for blueboxing of any kind.
As you already know, System 5 uses two main tones (the ones you should concern yourself with):

a) Clear Forward - 2600 Hz + 2400 Hz
b) Seize         - 2400 Hz + 2400 Hz

But what are the durations? Delays? According to the manual:

                  TONE1   TONE2   DUR           DELAY
  Clear Forward   2600    2400    150ms +/-20   10/20ms
  Seize           2400    2400    150ms +/-20   80ms +20

Above you can see the manual's specification. I can tell you unequivocally that the CCITT5 systems around deviate from this to the extreme. The duration ranges from 100ms - 800ms for the tones and delays range from 10ms - 800ms. Not only that, but the tones themselves are sometimes different. You see, telcos have started to realise that people are blueboxing and have put guard circuits in to stop it. Some countries can be blueboxed with the above; others require modification. You should always try to bluebox using the "pure" tones if you can, but it isn't always possible.

The Basics of Blueboxing
~~~~~~~~~~~~~~~~~~~~~~~~

  Call the blueboxable number
  "PLEEP" "PLEEP" - "Aloha!"
  Send tone1
  "PLEEP"
  Send tone2
  "PLEEP"
  Route the call (KP2-countrycode-descdigit-areacode-number-ST / KP1-descdigit-areacode-number-ST)

If it doesn't work:

1. IF IT THROWS YOU OFF THE LINE.....
   Then REDUCE the duration; if that still doesn't work, add a 2100 Hz. Try changing the delay - possibly increasing it.

2. IF IT IGNORES YOUR BREAK TONE.....
   Then INCREASE the duration and volume. You could also try changing the delay - possibly reducing it.

3. IF YOU ONLY GET ONE PLEEP.....
   Then the chances are you aren't on a trunk; increase the duration of the second tone.

4. IF YOU GET A BUSY TONE STRAIGHT AWAY AFTER SEIZE.....
   Then you should increase the delay between the first and second tones.

5. IF YOU GET A BUSY TONE AFTER SENDING "ST".....
   Then the line could be busy, or you left it too late before sending KP (wait about 80 - 100ms), or you dialled the call wrongly (try different routings), or it doesn't allow KP2 (if you dialled a KP2 call), or it timed out - dial the numbers in a macro so that there is a 55ms gap between each digit. Maybe all the trunks are busy. The routing could be wrong; try different routings, different discriminating digits, and doubling them (i.e. 0 - Cable would be 00).

For those of you who still can't get this to work, see "The 2100 Hz, pink noise, white noise, and the 3100 Hz" below. For those of you who it does work for, well done. You should now be calling the place you dialled. If you did bluebox somewhere - remember to email me; after all, you do owe me that much, don't you? Come on. Email, now - inno6@hotmail.com.

When the call gets answered, if you hear a pleep, you'll never guess what you can do? No? You can bluebox it and make another call; if it's a number inside the country you just blueboxed, you should now be able to make international calls if you previously were unable. If the tones you send don't work, try sending a pure 2600 Hz as it could be on R1. After you've finished talking, send the tones and make another call if you want, or hang up as usual.

You can use the standard C5 manual tones as mentioned above in order to get onto yet another trunk and make a call from there. This can be safer, because if BT see that you made a long call to a C5 trunk and that during the time of the call your friend (or someone they know you call sometimes from your monolog report (Monolog = call logging device)) received a call from that country, then they will be very suspicious. For instance, you call Bahamas Direct (0800 890 135) at 14.00; at 14.01 BT see that a known associate of yours received an incoming call from the Bahamas - hmmm, doesn't take Einstein, does it?
But more realistically, it's unlikely that BT would bother, as it would be too expensive to set up systems to detect this sort of thing. But be on your guard and use your brain.

PLEASE REMEMBER TO...

1. VARY THE NUMBERS YOU USE.....
   Do a scan; you might find some more interesting numbers. Also, you may get detected if they see a million calls to MooMoo Land Directo.

2. REMEMBER, COVER YOUR TRACKS.....
   It may seem obvious, but 141 goes a long way to ensuring that you'll phreak another day. Also, I hear it may be possible to spoof Caller ID, which would be even better. Anyway, if the operator connects your call, they can't see your number either, so perhaps one of you could explore that side of things? Although operators do have a habit of eavesdropping.

Once you have the tones for somewhere and you want to call a friend, record the tones etc. into a Dictaphone and do it from a payphone for extra safety. Blueboxing from payphones should be guaranteed safe, but never rely on anything.

Also, DO NOT EVER EVER EVER, IN ABSOLUTELY ANY CIRCUMSTANCES EVER POST THE TONES/DURATIONS/DELAYS/ROUTINGS ON NEWSGROUPS, THE WEB - THE INTERNET GENERALLY, IRC OR BBSs. BT Security monitor these and change the tones; it could also be used to bust you, possibly. Please don't be an idiot; only give the details to friends - people you have actually met - and even then to only a few, and tell them not to tell anyone.

The three tone seize
~~~~~~~~~~~~~~~~~~~~

Some countries require 3 tones in order to seize trunks. In some cases you need a Clear Forward, another Clear Forward and a Seize. In other cases you need a Clear Forward, then a Seize, then a Seize. Some South American countries supposedly require a 2400 Hz for a short duration before you send the Clear Forward and then the Seize, in order to free up international trunks; although I've never experienced that, consider it anyway. A three tone seize *was* required when blueboxing China (0800 890 086) when it was a C5 connection.
Generally, try to keep to 2 tones and keep it simple.

The 2100 Hz, pink noise, white noise, and the 3100 Hz
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ideally, you should be able to seize trunks easily with the pure compound tones. But this is not always possible. In one example, a duration of 150ms for Clear Forward (2600+2400) would be ignored, but a duration of 151ms would disconnect you. A no-win situation. Meet pink noise: pink noise helps to get your tones past the filters. Pink noise is all noise above 3000 Hz (I think). Programs such as LittleOperator allow you to mix in pink noise with the tone. You should only use pink noise if you have tried all the options such as changing duration, delay etc. If, for instance, a 150ms duration of Clear Forward gets you ignored but 151ms gets you disconnected, pink noise could help. Set the duration to 151ms, set the pink noise to something like 5 (on LittleOp - TPN). Did it work? Well, if it still resulted in you getting disconnected, increase it (the pink noise) in steps of about 2; if it ignores you on pink noise of 7, reducing it to 6 might work. If the pink noise makes no difference, i.e. it keeps disconnecting you all the time even if you set it at something like 32, you'll need to try something else.

Incidentally, there are actually two weapons that a trunk can use to stop blueboxing: the filter and the guard circuit. The filter stops the pure tones - filters them - and the guard circuit guards against accidental generation of the tones; it detects the tones to within a 30 Hz range and sends them to the tone detector. If the tones are too garbled up, the guard circuit will just stop them, although they will get past the filter. For instance....
  :-)  ---------> Seize tones ----------> FILTER ---|       GUARD CIRCUIT ------ TONE
  BBOXER (PURE)                          DETECTED AND                           DETECTOR
                                         FILTERED

  :-)  ---------> Seize tones ----------> FILTER --------> GUARD CIRCUIT ----|  TONE
  BBOXER (MESSED UP)                     DOESN'T DETECT    TOO MESSED-UP        DETECTOR

  :-)  ---------> Seize tones ----------> FILTER --------> GUARD CIRCUIT ------> TONE
  BBOXER (WITH A BIT                     DOESN'T DETECT    DOESN'T DETECT       DETECTOR
  OF PINK NOISE)                                                                SUCCESS!!

In the first diagram, you'll see that the filter has detected the tones and filtered them; in some cases this can result in being disconnected, but most cases of disconnection are because the tones are too long and the trunk disconnects. In the second diagram, the blueboxer has sent really messed up tones with loads of noise and the incorrect tones. The filter lets it through; the guard circuit just thinks it's speech as they are not within its range. In the third diagram, the correct tones are sent but with a little pink noise. The filter thinks it's speech, the guard circuit can only "hear" pure tones and because they are within its range, it passes them to the tone detector, and you're now on a trunk.

The 2100 Hz tone is another weapon in your armoury. It can be used like pink noise and tends to have a greater effect. Some countries use filtering systems that can be got around using the 2100 Hz, with pink noise as well or on its own, sent mixed in with the first tone (Clear Forward). The 2100 Hz helps to get you past the filter, but in order for it to be used successfully, you should increase the duration of the tones. If you don't do this, then the tones may well be ignored, so expect to increase the durations until you can seize the trunk. You don't ever need a 2100 Hz mixed with the second compound tone (Seize), and it's better if you can keep the Seize tone as pure as possible as most detectors are only looking out for the first tone - Clear Forward.
The 2100 Hz is white noise, but one trick using white noise is to blow down the line when sending the tones; this can sometimes help if you aren't using a 2100 Hz or pink noise. On the subject of pink noise, a 3000 - 3900 Hz tone mixed with the Clear Forward can sometimes help as well. The advantage of this is that it is out of the range of the tone detector and so it won't garble up the tones too much - at least not to the detector's "ears" anyway.

Another idea is to slightly "mutate" the tones, i.e. 2600 Hz = 2590 Hz, but remember to keep them within 30 Hz of the correct tone so that they are likely to work. Some people have found this to be necessary with certain places, notably China Direct (0800 890 086 - which is now CCIS, no boxing here). The seize used to be something like:

          TONE1     TONE2   DUR   DEL
  TONE1   2600  +   2400    180   30
  TONE2   2100  +   2100    180   30
  TONE3   2400  +   2397    180   30

Although I wouldn't really recommend putting the 2100 Hz as a totally separate compound tone while blueboxing, China has a very messed-up phone system and so maybe that was the reason it required such a weird seize. Incidentally, the 2100 Hz is known as EOF in the dialset; I'm not entirely sure of its function.

On the subject of tone "mutating", some destinations in the Caribbean that use R1 extensively employ filters that "mutate" the tones. For instance, calls to Trinidad and Tobago went through a filter that bumped down the frequency of the tones by 50 Hz. Therefore, it was necessary to bump up the frequency by 50 Hz to get it to seize the trunk. See this example from LoK, below:

          TONE1   TONE2   DUR   DEL
  TONE1   2450    2650    150   25
  TONE2   2400    ---     75

The reason that the trunks use this kind of tone mutating filter is the fact that they are on R1 for their local calls. These kinds of filters are a feature of the R1 system in the US and nearby and help to stop people from being able to get on to trunks accidentally, and blueboxers :).
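The guard circuit and tone detector described in the diagrams above, and the 30 Hz "mutation" limit discussed here, can be modelled in a few lines. The following is an added example written for this page (it is not from the original guide, LittleOperator, LoK or any telco equipment): it sweeps a 100ms PCM window with the Goertzel algorithm, picks the spectral peaks, and accepts a compound line signal only when each component lies within 30 Hz of its nominal 2400/2600 Hz frequency. The 8 kHz sample rate, the peak threshold and the synthesised test signals (a pure Clear Forward, one with a 2590 Hz component, one with a 2550 Hz component, one with a little white noise) are constructed assumptions.

```python
import math
import random

# Guard-circuit / tone-detector model for CCITT-5 line signals (added example).
SAMPLE_RATE = 8000       # assumed 8 kHz PCM, as on a digital telephone channel
FRAME = 800              # 100 ms analysis window: 10 Hz resolution on the sweep grid
GUARD_WINDOW_HZ = 30     # acceptance window around each nominal tone, as the text describes
PEAK_THRESHOLD = 0.1     # assumed: minimum amplitude (full scale = 1.0) to count as a tone
CLEAR_FORWARD = (2400, 2600)
SEIZE = (2400,)          # "2400 + 2400" is a single 2400 Hz component


def make_signal(freqs, amplitude=0.5, noise=0.0, seed=1):
    """Constructed test input: a sum of sine tones plus optional uniform white noise."""
    rng = random.Random(seed)
    samples = []
    for n in range(FRAME):
        t = n / SAMPLE_RATE
        value = sum(amplitude * math.sin(2 * math.pi * f * t) for f in freqs)
        if noise:
            value += rng.uniform(-noise, noise)
        samples.append(value)
    return samples


def goertzel_amplitude(samples, freq):
    """Amplitude of one frequency via the Goertzel recursion (~A for a sine of amplitude A)."""
    omega = 2 * math.pi * freq / SAMPLE_RATE
    coeff = 2 * math.cos(omega)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2   # |X(freq)|^2
    return 2 * math.sqrt(max(power, 0.0)) / len(samples)


def find_peaks(samples, lo=2000, hi=3000, step=10):
    """Grid frequencies whose amplitude is a local maximum above PEAK_THRESHOLD."""
    grid = list(range(lo, hi + 1, step))
    amps = [goertzel_amplitude(samples, f) for f in grid]
    peaks = []
    for i, a in enumerate(amps):
        if a < PEAK_THRESHOLD:
            continue
        left = amps[i - 1] if i > 0 else 0.0
        right = amps[i + 1] if i + 1 < len(amps) else 0.0
        if a >= left and a >= right:
            peaks.append(grid[i])
    return peaks


def detect_line_signal(samples):
    """Return 'clear forward', 'seize' or None, applying the +/-30 Hz guard window."""
    peaks = find_peaks(samples)

    def near(target):
        return any(abs(p - target) <= GUARD_WINDOW_HZ for p in peaks)

    if all(near(f) for f in CLEAR_FORWARD):
        return "clear forward"
    if len(peaks) == 1 and near(SEIZE[0]):
        return "seize"
    return None  # nothing, or a component too far off nominal: treated as speech


if __name__ == "__main__":
    cases = {
        "pure clear forward": make_signal([2600, 2400]),
        "2590 Hz (mutated by 10 Hz)": make_signal([2590, 2400]),
        "2550 Hz (mutated by 50 Hz)": make_signal([2550, 2400]),
        "clear forward + noise": make_signal([2600, 2400], noise=0.1),
        "seize": make_signal([2400]),
    }
    for name, sig in cases.items():
        print(f"{name:28s} peaks={find_peaks(sig)} -> {detect_line_signal(sig)}")
```

The sweep grid is 10 Hz, so with an 800-sample window every grid frequency is an exact Goertzel bin and a tone elsewhere on the grid leaks nothing into its neighbours; the 2590 Hz case is therefore reported as a peak at 2590 and accepted, while the 2550 Hz case falls outside the window and is rejected, matching the page's "too messed-up" diagram.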
If you do ever find yourself despairing of breaking a trunk in the Caribbean that is on US zone 1, or in Latin America, it might be worth trying this out as it is used by MCI a lot. As far as I know it's not used in Europe.

As I'm discussing blueboxing in zone 1 at present, you might well be interested in a little bit of information regarding routing. With R1 in the US it is nearly always necessary to route calls with:

  KP1-18..2-ST

before you actually route your call. Basically, this little prefix combination distinguishes a REAL call from a boxed call. Even if you don't put this in, the call will still route, only it will be flagged. This *may* also be applied to the CCITT/ITU-T 5 systems in use in zone 1 and may be worth thinking about. As you can see, these little zone 1 tricks all go to show that the US/Canada/Caribbean telcos have learned from the R1 lesson. Generally, you'll find that places in zone 1 are the hardest to box.

So, from this you can see the hurdles that have to be jumped in order to successfully seize a trunk. Seizing trunks is an acquired skill and it should become second nature. Remember to always think like a trunk, and use your ears to try and hear what noises are made. Some countries with a slight delay in the speech require longer delays between Clear Forward and Seize and longer tones.

You should now be able to seize a trunk; there are plenty of C5 trunks out there in South American countries, Asia, the Caribbean, and even Europe. There are no country directs that work in Africa, except South Africa, which changed to C7. Gabon Direct (0800 890 241) used to work and was C5 (ITU-T 5), but it's now been discontinued. I recommend a look in the Phone Book in the international section for Country Direct numbers, or an 0800 890 scan. But remember, you can find C5 on all the international ranges; there is more to blueboxing than country direct numbers. After you've seized a trunk, you now should also be able to route a nice little call as well.
If you can't, try sending all the MFs in a macro and within the 80 - 100ms accepted delay after seizing. If you're still stuck, Part 3 is going to be all about routing, so it's only a few weeks away.

Another thing to bear in mind is that the best numbers aren't always in the 0800 890 range. BT have now begun to scatter some international numbers throughout all their 0800 ranges. The 0808 ranges prove to be very interesting as well. 0808 calls are free and a scan really wouldn't go amiss, so if anyone's got a copy of PhoneTag or a wardialler, or just a phone and a lot of time, you know who to send the scan to.

End of Part 2

PART-3
CCITT 5/ITU-T 5 in Depth, and Signalling

This part of the "Ultimate Guide" will discuss CCITT5/ITU-T 5 (they're the same), the way the system works in depth and variations on it in today's telephone network. By now, you should know the basic principles of blueboxing and how to seize a trunk and route a call. This section will discuss CCITT5 and advanced signalling and routing issues. This whole guide was written by a CCITT5 junkie (me) and so you'll have to forgive me if I get carried away. But this section is just as important as 1 and 2, because if you want to crack a system you have to know the system better than the system itself. You'll find a lot of the information here in various manuals, and it is very useful when social engineering international exchange personnel because you'll know CCITT 5 better than they do after this.

System 5 was specified in 1964 by the CCITT. An analogue system, it has separate line and interregister signalling. The line signalling is 2 v.f. (two voice frequency) and uses two main tones, 2600 Hz and 2400 Hz: inband, compound and simple frequency, continuous signalling and link-by-link. The interregister signalling is 2/6 m.f., link-by-link, in the forward direction only. No digital version of the system existed, but recently a digitally encoded system was devised, using E1 circuits, and is used extensively.
CCITT5 is a versatile system; many operations may apply: unidirectional, bothway, terminal, transit, automatic and semiautomatic. The system is suitable for 3kHz and 4kHz spaced submarine, land cable, microwave radio and satellite circuits, with or without t.a.s.i (when you're not talking, it gives the trunk to another call to use; when you start talking again, it re-assigns you a trunk. This takes about 0.5 seconds and sometimes you get 0.5 seconds "clipped" off the voice answering when making international calls).

To begin with, the system was intended as a joint development between the GPO and Bell Labs (AT&T USA) for dialling over t.a.s.i equipped transoceanic Atlantic cables, the first application of intercontinental dialling and of the t.a.s.i technology. The system was then specified by the CCITT and since then has been applied to other intercontinental circuits, at one point being the main system for international calling. In the early nineties, one estimate stated that 80% of the international infrastructure used system 5; in my opinion that estimate was a little generous. I'd say that about 65% of international trunks at the most are CCITT5 at present (1999), from my experience.

[After all, if you consider that 70% of African countries, 50% of Latin American countries and the Caribbean, 60% of Asian countries and 25% of European countries (Russia included) use CCITT 5 for international dialling, you get a very high figure for the amount of C5 infrastructure used today. But if you check out the 0800 89 and 96 ranges you'll find a lot of C7 stuff, so it would be fair to say that most C5 countries are less developed and make less use of international communications. This isn't always true, though, as Malta and Iceland use C5 for some of their international connections. Don't get me wrong, I'm not "dissing" C5 as a system for poor countries, I think that C5 is a great system.
But, C7 is more efficient and is a much better system when employed on fibre optic cabling, as it has greater compression and can accommodate more calls.]

As this was the first system used in intercontinental dialling, the aim was to create a simple and robust system for the new service. The TAT-1 cable from London to New York was the first application of CCITT 5. As transoceanic cables were and still are expensive, t.a.s.i dictated the features of the system. As a result, the signals and facilities of CCITT5 were kept to a minimum consistent with the intercontinental dialling service. In fact, you could call the US via a CCITT5 connection up until 1995, when the TAT-6 and TAT-7 were retired. The longevity of CCITT5 is much greater than that of most signalling systems to date; this is testament to the flexible, reliable, and robust system that the CCITT specified over 30 years ago.

All line signals in system 5 are continuous-compelled, trunk-channel association always being assured in the actual time required for this function. The acknowledgement signalling in continuous-compelled increases the t.a.s.i signalling time and activity, but some signals normally give rise to return signals (seizure/proceed-to-send, release guard/clear forward etc.) and no penalty results from the adoption of continuous-compelled for these signals. Other signals (for instance, answer) do not normally require a return signal, and the adoption of continuous-compelled, instead of pulse, could be a penalty when t.a.s.i is heavily loaded, but an advantage when lightly loaded. So, on balance, continuous-compelled was preferred for these signals. The system 5 interregister m.f. (multi-frequency) signalling is pulse, forward only, in order to minimise the t.a.s.i signalling time and activity. A small amount of backward signalling is used. The arrangement requires that the t.a.s.i channel be prior-associated for address signalling in order to ensure that the first address signal is not clipped.
Because system 5 was the first intercontinental signalling system in use, they wanted the circuits to be used in the most efficient way possible, and in order to ensure that circuits were not being used on incompletely dialled calls, as much validity checking of the address information as possible was done at the outgoing international exchange before seizing an intercontinental circuit. This required the complete address information to be available en bloc so that a measure of validity checking could be performed, and hence en bloc transmission. En bloc means that all the signalling information for the call is sent in one burst:

    Kp2-44-0-181-000-1212-ST

In this mode, the t.a.s.i speech detector stays on the trunk during the gaps between successive address signals so that clips do not occur and mess up the signals. If an alternative mode were used, where clipping could occur after receiving line signals, a t.a.s.i locking tone would be required to avoid clipping of pulse address signals. In actual fact, a t.a.s.i lock tone is used in some cases, for the transfer of data etc.: 1887 Hz, which disables t.a.s.i clipping.
CCITT system 5 line signals
~~~~~~~~~~~~~~~~~~~~~~~~~~~

---------------------------------------------------------------------------------------------
SIGNAL            DIRECTION   FREQ               SEND DURATION           RECOGNITION TIME (ms)
---------------------------------------------------------------------------------------------
SEIZURE           --->        f1                 Continuous              40 +/- 10
PROCEED-TO-SEND   <---        f2                 Continuous              40 +/- 10
BUSY FLASH        <---        f2                 Continuous              125 +/- 25
ACKNOWLEDGEMENT   --->        f1                 Continuous              125 +/- 25
ANSWER            <---        f1                 Continuous              125 +/- 25
ACKNOWLEDGEMENT   --->        f1                 Continuous              125 +/- 25
CLEAR BACK        <---        f2                 Continuous              125 +/- 25
ACKNOWLEDGEMENT   --->        f1                 Continuous              125 +/- 25
FORWARD TRANSFER  --->        f2                 850 +/- 200 ms (pulse)  125 +/- 25
CLEAR FORWARD     --->        f1+f2 (compound)   Continuous              125 +/- 25
RELEASE GUARD     <---        f1+f2 (compound)   Continuous              125 +/- 25
---------------------------------------------------------------------------------------------
f1 = 2400 Hz    f2 = 2600 Hz
---> forward signal    <--- backward signal, continuous-compelled mode

Notes on the table
~~~~~~~~~~~~~~~~~~

(1) By taking advantage of the fixed order of occurrence of specific signals, signals of the same frequency are used to characterise different functions, e.g. in the backward direction f2 is used to indicate proceed-to-send, busy flash and clear back without conflict. The signalling equipment must operate in a sequential manner, retaining memory of the preceding signalling states and the direction of signalling to differentiate between signals of the same frequency. All signals except the forward transfer are acknowledged in continuous-compelled manner. The order of transmission of backward signals is subject to the following:

(i) busy flash: only after a proceed-to-send signal, never after an answer signal.
(ii) answer: never after a busy flash signal.
(iii) clear back: only after an answer.

The receipt of the answer signal (f1) permits discrimination between the busy flash and clear-back signals (both f2).
(2) Except for the recognition time (40ms) of the seizure/proceed-to-send signal sequence, which can be short as this sequence is not subject to signal imitation by speech and a rapid seizure is desired to minimise the post-dialling delay and the probability of double seizure on bothway working, all recognition times are the same (125ms). This simplifies terminal design.

(3) The use of compound for the clear forward/release guard sequence improves the immunity to false release by signal imitation (signal imitation, hmmmmm!), this being particularly necessary as the recognition time (125ms) of these important signals is relatively short for uniformity. The compound clear forward, which must always be acknowledged by a release-guard signal under all conditions, is completely overriding.

(4) The use of different frequencies for the seizure (f1) and the proceed-to-send (f2) facilitates double seizure detection on bothway working. The seizure signal continues until acknowledged by the proceed-to-send, which is returned when an incoming register is associated and continues until acknowledged by the cessation of the seizure signal. As there is no backward interregister signalling, the proceed-to-send signal must be a line signal, which in system 5 conveniently also acknowledges the seizure signal.

(5) There is frequency discrimination between all the line signals except busy flash and clear back, which are both f2 acknowledged by f1. As the busy flash will be received without an answer signal, the answer signal is used to bring about a change of condition in the outgoing equipment to permit the discrimination.

(6) The forward transfer signal f2 (a rarely used signal, used in semiautomatic operation only) is an unacknowledged pulse. The non-acknowledgement avoids possible confusion with the f1 answer and the f2 busy flash and clear back.

(7) The proceed-to-send ceases the seizure signal.
The outgoing register pulses out the address information en bloc, and a silent period of 80 +/- 20ms is arranged between cessation of the seizure signal and the beginning of the register pulse-out. The trunk-channel association is maintained by the t.a.s.i speech-detector hangover during this interval. This, together with the speech-detector hangover maintaining trunk-channel association during the gaps between successive interregister address signals, avoids the requirement for locking trunk-channel association (lock tone etc.) during interregister signalling, although, as mentioned earlier, a t.a.s.i lock tone is available, useful for data transmission: 1887 Hz.

(8) In transit (international) operation, the line equipment at the transit exchange is informed by the interregister KP signal that the condition is transit (KP2). This discriminates between terminal (local) calls and transit calls.

(9) Should the called party flash his switchhook faster than the equipment can transmit a succession of clear-back (on-hook - hangup) and answer (off-hook) signals, the correct indication of the final position of the switchhook must always be given by the appropriate signal.

(10) If, after 1-2 min of receipt of the clear-back signal, there is no clear-forward signal, the international connection is released by a system-manufactured clear-forward signal, and the measurement of call charge ceases.
(11) The clear-forward signal continues until acknowledged by the release guard, which, depending on the administration's choice, may be sent:

(a) on recognition of the clear-forward signal, continuing until acknowledged by the cessation of the clear-forward signal, or until the relevant incoming equipment at the international exchange has released, whichever occurs later, or
(b) in response to the clear-forward signal, to indicate that this signal has brought about the release of the relevant incoming equipment at the international exchange, the release-guard signal continuing until cessation of the clear-forward is recognised.

On a bothway circuit, the outgoing access at the incoming end is maintained busy for 200-300ms after the end of transmission of the release-guard signal, to cover the responses to the cessation of the release guard at the outgoing end.

(12) Busy flash is transmitted for any of the following reasons (this bit could be useful if you get a busy flash during boxing attempts):

(i) congestion at a transit or at an incoming international (terminal) exchange
(ii) error detected in the receipt of register signals
(iii) busy flash, if received, from the interworking international signalling system(s) or from the incoming national network
(iv) time-out of an incoming international register

Receipt of the busy-flash signal at the outgoing international exchange causes an appropriate indication (for instance, a tone) to be sent to the caller and the release of the international connection using a system-manufactured clear-forward signal.

(13) In inband v.f. signalling such as C5, a quick verbal answer may be clipped, partially or completely, by the line splitting on transmission of the electrical answer signal. Failing to repeat the verbal answer could end up with each party expecting the other to respond and hanging up on each other (hehehehe). Multilink connections increase the danger.
So, it is preferred that the transmission of the electrical answer signal should be as fast as possible, to ensure that line splits are terminated prior to the person answering the call. As a contribution to this, the answer signal of system 5 is transmitted in the overlap-compelled, instead of the normal-compelled, mode at transit exchanges. In this technique, the process of transmitting the answer signal from the transit exchange to a preceding exchange is initiated as soon as the transit signal receiver's response to the incoming answer signal has caused the receive line split (35ms maximum), the onward transmission not awaiting the full signal recognition time of the answer signal as would be the case in normal-compelled. Normal signal recognition still runs to completion. The answer signal on each link is ceased by its acknowledgement on that link. If the incoming answer signal duration is less than the signal recognition time, the transmission of the ongoing answer signal already instituted from that transit exchange is ceased. After signal recognition of the incoming answer, there is no control at the transit exchange of the ongoing answer signal by the incoming answer signal. The busy flash and clear-back signals are returned in the normal-compelled mode at transit points, onward transmission not commencing until the incoming signal recognition is complete.

(14) The acknowledgements of the busy flash, answer and clear-back signals are sent after signal recognition (125 +/- 25ms) of the relevant primary signal. The primary signal is not ceased until the recognition time of the acknowledgement is complete (125 +/- 25ms). Signal cessation recognition time, primary or acknowledgement, is at least 40ms.
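Notes (1), (5) and (9) above describe the outgoing end's line-signalling receiver as a sequential machine that tells the three f2 backward signals apart purely by what came before. The following is an added example (not code from the original guide) of that receiver logic; the event format (frequency, duration in ms) is a constructed convention, while the frequencies and recognition times come from the table.

```python
# Receiver-side model of CCITT 5 backward line signals at the outgoing exchange.
# Added example, not part of the original guide. It applies the ordering rules
# of notes (1), (5) and (9): the same f2 tone is proceed-to-send, busy flash or
# clear back depending on state, and the compound f1+f2 is only expected as a
# release guard once a clear forward has been sent. The (freq, duration_ms)
# event format is a constructed convention for this example.

F1 = 2400            # Hz: seizure / acknowledgement (forward), answer (backward)
F2 = 2600            # Hz: proceed-to-send / busy flash / clear back (backward)
COMPOUND = "f1+f2"   # clear forward (forward) / release guard (backward)

RECOG_SEIZE_MS = 40  # recognition time of the seizure / proceed-to-send sequence
RECOG_OTHER_MS = 125 # recognition time of every other line signal


class SignalError(Exception):
    """A backward signal that the ordering rules say cannot occur here."""


class OutgoingLineEquipment:
    """Sequential receiver: retains the preceding state so that signals of the
    same frequency can be told apart (note (1))."""

    # (state, received frequency) -> (signal name, next state)
    TRANSITIONS = {
        ("seizing",    F2):       ("PROCEED-TO-SEND", "pulsing"),
        # Busy flash is only ever seen before answer; the outgoing end then
        # releases with a system-manufactured clear forward (note (12)).
        ("pulsing",    F2):       ("BUSY FLASH",      "clearing"),
        ("pulsing",    F1):       ("ANSWER",          "answered"),
        # Same f2 as busy flash, but after answer it can only be clear back (note (5)).
        ("answered",   F2):       ("CLEAR BACK",      "clear-back"),
        # Called party flashed the switchhook and is off-hook again (note (9)).
        ("clear-back", F1):       ("ANSWER",          "answered"),
        ("clearing",   COMPOUND): ("RELEASE GUARD",   "released"),
    }

    def __init__(self):
        self.state = "idle"
        self.received = []   # recognised backward signals, in order

    def send_seizure(self):
        if self.state != "idle":
            raise SignalError("seizure is only sent from idle")
        self.state = "seizing"

    def send_clear_forward(self):
        # Compound clear forward is completely overriding (note (3)).
        if self.state in ("idle", "released"):
            raise SignalError("no circuit to clear")
        self.state = "clearing"

    def receive(self, freq, duration_ms):
        """Classify one backward tone. Returns the signal name, or None when the
        tone is shorter than its recognition time and is therefore ignored."""
        if self.state in ("idle", "released"):
            raise SignalError("backward signal with no circuit held")
        needed = RECOG_SEIZE_MS if self.state == "seizing" else RECOG_OTHER_MS
        if duration_ms < needed:
            return None   # below recognition time: guards against imitation by speech
        try:
            name, next_state = self.TRANSITIONS[(self.state, freq)]
        except KeyError:
            raise SignalError(f"{freq} cannot follow state {self.state!r}") from None
        self.state = next_state
        self.received.append(name)
        return name


def walk(events):
    """Run a constructed call through the receiver.
    events: ("seize",) / ("clear",) for forward actions, ("rx", freq, ms) for tones.
    Returns the recognised backward signal names."""
    eq = OutgoingLineEquipment()
    for event in events:
        if event[0] == "seize":
            eq.send_seizure()
        elif event[0] == "clear":
            eq.send_clear_forward()
        else:
            eq.receive(event[1], event[2])
    return eq.received


if __name__ == "__main__":
    # Constructed normal call: seize, proceed-to-send, answer, hook flash, clear down.
    print(walk([("seize",), ("rx", F2, 50), ("rx", F1, 150), ("rx", F2, 150),
                ("rx", F1, 150), ("clear",), ("rx", COMPOUND, 150)]))
```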
Bothway Operation
~~~~~~~~~~~~~~~~~

Because of the extreme t.a.s.i trunk-channel association time (about 500ms) combined with the long reaction and propagation times of the equipment, there can be a long unguarded interval in bothway operation. Double seizure is when the same frequency (the f1 seizure signal) is received as it is being transmitted. On detection of this double seizure, the transmitted signal is ceased 850 +/- 200ms after commencement; this makes sure that both ends of the t.a.s.i equipped bothway circuit will detect the double seizure. The signalling equipment is released on cessation of both the outgoing and incoming seizure signals. A clear-forward signal is not sent. Either of these conditions may apply on detection of double seizure, depending on the telco's choice:

(a) an automatic repeat attempt to set up the call,
(b) a reorder tone given to the callers (reorder - similar to an engaged tone).

"(a)" is the preferred option, but it is flexible enough to allow the repeat attempt to be made on a different circuit from that used for the first attempt. If the first circuit is seized on the second search over the circuits, a minimum time of 100ms elapses between the termination of the first-attempt outgoing seizure signal (or recognition of the cessation of the incoming signal, whichever occurs later) and the commencement of the second-attempt seizure signal. To minimise the probability of double seizure (and that's a bad thing, believe me), the circuit selection at the two ends should be such that, as far as possible, double seizure can occur only when a single circuit remains free (woohoo!) (e.g. by selection of circuits in opposite order at the two ends).

Transmit line split
~~~~~~~~~~~~~~~~~~~

The exchange side of the circuit is disconnected 30 - 50ms before a v.f. signal is transmitted. The split persists with the signal and is terminated 30 - 50ms following the end of sending of the v.f. signal.
Receive line split
~~~~~~~~~~~~~~~~~~

The circuit is split at the international exchange when either a single or compound frequency is received, so that the spillover does not exceed 35ms. The split persists with the signal and is terminated within 25ms following the end of the signal. The splitting device may be a physical line disconnection, high-impedance device, insertion of a signal-frequency bandstop filter, etc. Leak current in the split condition should be at least 40dB below the received signal level.

Relevant data: Line signalling
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

TRANSMIT:
f1 2400 +/- 6Hz
f2 2600 +/- 6Hz
Transmitted level -9 dBm0 +/- 1dB per frequency.
For compound, the difference in transmitted level between f1 and f2 is not to exceed 1dB.
The difference in time between f1 and f2 of a compound signal on sending and ceasing is not to exceed 5ms.

RECEIVER:
Operate:
f1 2400 +/- 15Hz
f2 2600 +/- 15Hz
The absolute power level 'N' of each received signal is to be within the limits (-16 + n) < N < (-2 + n) dBm, where 'n' is the relative power level at the receiver input. The limits give a margin of +/- 7dB on the nominal absolute level of the received signal at the receiver input. The absolute levels of the two frequencies of a compound signal are not to differ by more than 5dB.

Nonoperate:
Receiver not to operate outside: f1 2400 +100/-150Hz, f2 2600 +150/-100Hz.
Receiver not to operate on a signal of 2400 +/- 15Hz or 2600 +/- 15Hz whose absolute power level at the receiver input is (-17 - 9 + n) dBm. This limit is 17dB below the nominal absolute level of the signal at the receiver input.

SIGNALS:
a) Should the transmission of any seizure, busy flash, answer, clear back or clear-forward signal persist beyond a maximum of 10 - 20s, the signal is terminated and the condition alarmed.
b) If the transmission of any proceed-to-send, release guard, or any other acknowledgement signal persists beyond a maximum of 4 - 9s, the signal is terminated and the condition alarmed.
c) After signal recognition, interruptions of up to 15ms in a signal or acknowledgement are to be ignored. Interruptions of more than 40ms are recognised as the end of the appropriate signal (primary or acknowledgement) in the compelled sequence.
d) Once the sending of a signal, pulse or continuous, has begun, it should be completed except when the clear-forward signal overrides.
e) An interval of at least 100ms should separate two successive signals in the same direction.

[Side note: see point (e). On some trunks, the clear forward and seize are sent successively and the two are then acknowledged....

    Clear forward   Seize
    PLEEP...PLEEP

In the case above, according to this manual, 100ms should be the delay. This has been true in some cases. Generally, the two are acknowledged separately...

    Clear forward
    PLEEP
    Seize
    PLEEP

But this is something to consider anyway, despite the fact that many C5 systems don't adhere to the standard spec.]

TABLE - CCITT system 5 interregister signals
-----------------------------------------------------------------
SIGNAL                     PULSE FREQs (compound) Hz   DURATION ms
-----------------------------------------------------------------
KP1 (terminal traffic)     1100+1700                   100
KP2 (transit traffic)      1300+1700                   100
Digit 1                    700+900                     55
      2                    700+1100                    55
      3                    900+1100                    55
      4                    700+1300                    55
      5                    900+1300                    55
      6                    1100+1300                   55
      7                    700+1500                    55
      8                    900+1500                    55
      9                    1100+1500                   55
      0                    1300+1500                   55
Code 11 Operator           700+1700                    100
Code 12 Operator           900+1700                    100
ST (end of pulsing)        1500+1700                   100
-----------------------------------------------------------------

Interregister Signals:

Automatic access to the international circuits is used for outgoing traffic, the address signals from the operator or subscriber being stored in an outgoing system 5 register before the international circuit is seized. As soon as ST (end-of-pulsing) is available to the outgoing register, a free international circuit on the appropriate route is selected and a seizure signal sent.
The seizure signal is terminated on receipt of a proceed-to-send, and KP (start of pulsing), the address signals, and ST are transmitted by the register. Both forward and backward interregister signalling is normally preferred in networks. This, in turn, implies end-to-end signalling, for reasons of reduced register holding time, reduced register provision, and leading register control. Backward interregister signalling, however, would increase t.a.s.i signalling time and activity and would require some arrangement to assure t.a.s.i trunk-channel association during the interregister signalling. It was assessed that t.a.s.i efficiency was the first priority for system 5, and backward interregister signalling would just reduce this efficiency and therefore wasn't adopted. This means that compelled signalling and end-to-end signalling are not used in system 5, because there is no backward interregister signal to release the registers. The line answer signal can't be used to release registers and set up speech conditions because an answer signal is not always given, and further, the transmission path is required prior to answer to pass the ring tone. For those reasons, the system 5 interregister signalling is link-by-link, pulse, forward signalling only, the registers releasing in sequence after transmission of ST.

The signalling is 2/6 m.f. in the range 700-1700Hz, 200Hz spaced. The address information is always sent "en bloc" from the originating system 5 register and overlap from the transit and incoming system 5 registers. The KP signal may be used to prepare the distant system 5 register on the link for the receipt of the subsequent address signals. It may also be used to discriminate between terminal (national) and transit (international) traffic:

Terminal KP (KP1): Used to create conditions at the next exchange so that equipment used exclusively for switching the call to the national network of the incoming country is brought into circuit.
Transit KP (KP2): Used to bring into circuit at the next exchange the equipment required to switch the call to another international exchange.

In system 5, the ST signal is transmitted from the register at the end of address signalling in both automatic and semiautomatic operation. Both outgoing and transit system 5 registers must determine the routing, and send the appropriate KP signal, by analysis of the early digits of the address information. The interregister signalling information in system 5 in the international automatic service comprises:

    KP + country code (I digits) + characteristic digit (Z digit) + national significant number (N digits) + ST

In local routing, the country code may be left out. The characteristic digit is the discriminating digit (D) in automatic operation, or the language digit (I) in semiautomatic operation. The discriminating digit was mentioned earlier with the following default assignments:

    0 - CABLE
    1 - SATELLITE
    2 - OPERATOR
    3 - MILITARY
    9 - MICROWAVE

[Above differs from previous mentions, with Military being given '3'.] This may vary from country to country, and the pattern of routing above can also vary. In some countries, 2 is for operator routing. Other countries such as Nicaragua use a different routing pattern:

    GLOBAL KP2-01-country code-national significant number-ST

All calls are routed using the Westar satellite.

Analysis of the country code of the destination country is generally sufficient to determine the forward routing, the code consisting of one, two or three digits. Exceptionally, early digits of the national number may need to be included in the analysis to permit forward routing to any one of a number of locations in the other country. An example of this would be the North American numbering plan, where calls from Europe to the Caribbean can go via mainland US and Florida or direct via satellites or cables.
Calls to mainland US from Europe generally go straight on one of the transatlantic cables, whereas calls to the Caribbean can go via different and more direct routes, meaning more analysis is needed when routing to offshore areas of the North American numbering plan. The maximum number of digits to be analysed in a system 5 outgoing transit register would be six, i.e. I1 I2 I3 Z N1 N2, which assumes a maximum three-digit country code. An exception is the routing of calls to the North American Numbering Plan, where the NPA is taken into account. The country code will be the first digit(s) following KP2 received by a transit register. In system 5, the country code is not sent to the incoming international register, and here the first digit received following the KP1 will be the Z digit.

The "Code 11" and "Code 12" operators (given those assignments as they are the 11th and 12th signals in the dialset) are special international operators accessed by interregister signals. The Code 11 operator is known as the "Inward Operator"; nearly every country has one of these, and her job is to assist foreign operators in making calls to the country and provide information. Code 12 is known as the "Delay Operator" or the "International Operator", and her job is to assist operators to make international calls via her country, and to provide similar information to the Code 11 operator. Code 12 is also used for directory assistance by many countries.

System 5 Register Arrangements Concerning ST
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(a) Semiautomatic operation: The ST condition is determined by the receipt of the "sending finished" signal from the operator.

(b) Automatic operation:
(1) When the ST signal is provided by the originating national network, this signal is transmitted to the outgoing system 5 register and no further arrangements are necessary.
(2) The outgoing system 5 register is required to determine the ST condition when this is not received from the originating national network. This determination may be on time delay or on digit count. When on time delay, ST is determined when the cessation of the address information input to the register exceeds a period of 4s (5 +/- 1) in either of the following conditions, as preferred by the administration:

(i) after the minimum number of digits in the world numbering plan, or
(ii) after the minimum number of digits in the destination country numbering plan.

In (i) and (ii), prolonged cessation of the address information input before the minimum number of digits results in time-out release of the register without production of the ST condition. An immediate ST condition may be produced by digit count to avoid the 4s delay when the destination numbering plan has a fixed number of digits, or when the maximum number of digits in the numbering plan of the destination country has been received. Under all circumstances, the outgoing international circuit is not seized until the ST condition is available to the register. Thus, when operative, the 4s delay to determine ST, while increasing the post-dialling delay, does not react on t.a.s.i signalling time and activity.

RELEVANT DATA: Interregister signalling
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Transmit:
Frequencies 700, 900, 1100, 1300, 1500, 1700Hz, tolerance +/- 6Hz.
Transmitted level -7 dBm0 +/- 1dB per frequency.
Difference in transmitted level between the two frequencies of a signal not to exceed 1dB.
Signal duration: KP1 and KP2 100 +/- 10ms; all other signals 55 +/- 5ms.
Interval between all signals 55 +/- 5ms.
Interval between cessation of the seizure line signal and transmission of the KP interregister signal 80 +/- 20ms.

Receiver:
Operate:
Frequency variation +/- 15Hz of the nominal.
Receive level:
The absolute power level N of each signal is to be within the limits (-14 + n) < N < n dBm, where n is the relative power level at the receiver input. These limits give a margin of +/- 7dB on the nominal absolute level of each signal at the receiver input. The absolute levels of the two frequencies comprising a signal are not to differ from each other by more than 4dB.
Minimum signal duration 30ms.
Minimum interval between signals 30ms.

Nonoperate:
Receiver not to operate on a signal whose absolute power level at its input is (-17 - 7 + n) dBm. This limit is 17dB below the absolute power level of the signal at the receiver input.
Receiver not to operate on a signal of 10ms duration or less.
Interruptions to a signal, and intervals between successive signals, of 10ms or less are ignored.

Release of system 5 registers

Normal release:

(a) An outgoing system 5 register releases when it has transmitted ST.
(b) An incoming system 5 register releases in either of two cases:
(i) on transmitting ST, on receipt of a number-received condition from the destination national network, etc., depending on the arrangement adopted by the administration
(ii) when the busy flash signal is returned.
(c) A transit system 5 register releases in either of two cases:
(i) when it has transmitted ST
(ii) when the busy flash signal is returned.

Abnormal release:

(a) An outgoing system 5 register releases, and clears the forward connection, in any one of the following cases:
(i) after a 15 - 30s time-out after seizure, none, or fewer than the minimum number of, address signals having been received
(ii) proceed-to-send signal not received within a 10 - 20s time-out of the seizure signal
(iii) proceed-to-send received, but, due to a fault, the outgoing register has not pulsed out. The outgoing register will be released by the clear forward/release guard sequence prompted by the busy flash signal sent from the incoming end on non-receipt of register signals within 4 - 9s.
This assumes that the busy flash signal is received at the outgoing end before the termination of any forced release delay that administrations may wish to incorporate in the outgoing register.

(b) An incoming system 5 register releases in any one of the following cases:
(i) no interregister signals received within 4 - 9s after the start of sending the proceed-to-send signal
(ii) ST not received within 20 - 40s after the start of sending the proceed-to-send signal
(iii) on return of the busy flash signal from the incoming end when an error is detected in the receipt of interregister signals.

(c) A transit system 5 register releases in any one of the cases stated for the release of the outgoing and incoming (terminal) registers.

BRIEF GUIDE TO THE MANY DIFFERENT VERSIONS OF CCITT 5
=====================================================

CCITT 5bis: This system is broadly based around CCITT5. It was specified in 1968 and designed for use on non t.a.s.i equipped transoceanic cables. It was devised so that it would operate in overlap mode at all incoming and outgoing system 5bis registers and therefore reduce the post-dialling delay. It does not require ST as a mandatory condition in automatic operation, and incorporates both forward and backward interregister signalling to permit greater facility exploitation. The system was never widely adopted, but rumour has it Denmark purchased some 5bis equipment in the early 80s but never used it. In many ways, this was a first step in devising R2, a similar system, which uses outband tones for its signalling.

CCITT 5 Digitally Encoded: This is a fairly recent system. It follows the standard CCITT 5 specification although all signals are encoded digitally. There is a lower post-dialling delay and all signalling is handled on separate trunks. Interworking this system has some difficulties, and in many cases it is interworked with R1, resulting in a single "pleep" on answer, received from the national network.
CCITT 5 encoded is a formidable alternative to SS7, especially when taking into account the cost of SS7. At present digital CCITT 5 does not carry CLI data, although I'm sure someone could invent a modification for it to carry CLI.

PART-4 Advanced Routing and trunk verification and appendices

Well, this is the last and final part of my guide to blueboxing. By now you should be pretty well schooled on C5 and blueboxing from the UK using Home Direct and International 0800s. In fact, you're probably right now thinking about going out and blueboxing every C5 you come across... Well, actually, as mentioned earlier, there are a lot of hurdles to conquer before you can go out and do that, but then again, you read part 1 and should know most of the tricks. This section will describe some of the more advanced routing tricks around, and because blueboxing is a whole lot more than just getting free calls, you might like to have some fun with the stuff I'm going to mention.

ADVANCED ROUTING
~~~~~~~~~~~~~~~~

As mentioned throughout the guide, C5 trunks are routed as:

    Terminal calls: Kp1-desc digit-area code-number-ST
    Transit calls:  Kp2-cc-desc digit-area code-number-ST

Some countries route slightly differently for Kp2, sometimes having the discriminating digit in front of the country code. Macau (853) and Brunei (673) were examples of this, although Macau used a double zero....

    Macau Transit:  Kp2-00-cc-area code-number-ST
    Brunei Transit: Kp2-0-cc-area code-number-ST

Zero is usually the best place to start when routing a call from a newly seized number; zero is almost universal to all countries, and even if a cable routing isn't available, zero will often just route according to what is available, rather than hang up or give a reorder.
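The interregister table and relevant data in Part 3, and the KP1/KP2 address layouts restated above, are enough to write the receiving side: a decoder that turns measured frequency pairs into KP/digit/ST symbols, checks their durations, and splits the address into fields. The block below is an added example, not code from the original guide; it follows the standard KP2-cc-Z-number order (the Macau/Brunei variants are not handled), and its (f_a, f_b, duration_ms) event format and tiny country-code set are constructed for the example.

```python
# Receiver-side decoder for CCITT 5 interregister (2/6 m.f.) signals.
# Added example, not part of the original guide. Frequency pairs and durations
# come from the interregister table and relevant data in Part 3: receiver
# tolerance +/- 15 Hz, ignores tones of <= 10 ms, needs >= 30 ms, and the
# transmit spec is 100 +/- 10 ms for KP/ST/Code 11/Code 12 and 55 +/- 5 ms for
# digits. The event format and COUNTRY_CODES are constructed for this example.

NOMINAL_HZ = (700, 900, 1100, 1300, 1500, 1700)
RECEIVER_TOL_HZ = 15

# Frequency pair (low, high) -> symbol, straight from the interregister table.
MF_TABLE = {
    (1100, 1700): "KP1", (1300, 1700): "KP2",
    (700, 900): "1", (700, 1100): "2", (900, 1100): "3", (700, 1300): "4",
    (900, 1300): "5", (1100, 1300): "6", (700, 1500): "7", (900, 1500): "8",
    (1100, 1500): "9", (1300, 1500): "0",
    (700, 1700): "C11", (900, 1700): "C12",
    (1500, 1700): "ST",
}
LONG_SIGNALS = {"KP1", "KP2", "C11", "C12", "ST"}  # 100 ms pulses; digits are 55 ms

# Constructed partial country-code set (only codes that appear in the guide).
COUNTRY_CODES = {"1", "44", "673", "853"}


class MFDecodeError(ValueError):
    """A tone or burst the receiver cannot interpret."""


def nearest_nominal(freq_hz):
    """Snap a measured frequency to the nominal MF frequency within tolerance."""
    for nominal in NOMINAL_HZ:
        if abs(freq_hz - nominal) <= RECEIVER_TOL_HZ:
            return nominal
    raise MFDecodeError(f"{freq_hz} Hz is not an MF frequency")


def decode_signal(f_a, f_b, duration_ms):
    """Return (symbol, within_transmit_spec), or None if the receiver ignores it."""
    if duration_ms <= 10:
        return None                      # receiver does not operate on <= 10 ms
    if duration_ms < 30:
        raise MFDecodeError("signal shorter than the 30 ms minimum")
    pair = tuple(sorted((nearest_nominal(f_a), nearest_nominal(f_b))))
    if pair[0] == pair[1]:
        raise MFDecodeError("a signal needs two distinct frequencies")
    symbol = MF_TABLE.get(pair)
    if symbol is None:
        raise MFDecodeError(f"{pair} is not a valid 2/6 combination")
    expected, tol = (100, 10) if symbol in LONG_SIGNALS else (55, 5)
    return symbol, abs(duration_ms - expected) <= tol


def decode_burst(events):
    """Decode an en bloc burst of (f_a, f_b, duration_ms); drops ignored tones."""
    symbols = []
    for f_a, f_b, duration_ms in events:
        decoded = decode_signal(f_a, f_b, duration_ms)
        if decoded is not None:
            symbols.append(decoded[0])
    return symbols


def parse_address(symbols):
    """Split KP + [country code] + Z digit + national number + ST into fields."""
    if not symbols or symbols[0] not in ("KP1", "KP2"):
        raise MFDecodeError("burst must start with KP1 or KP2")
    if symbols[-1] != "ST":
        raise MFDecodeError("burst must end with ST")
    body = symbols[1:-1]
    if any(s in ("KP1", "KP2", "ST") for s in body):
        raise MFDecodeError("KP or ST inside the address")
    kp, country = symbols[0], None
    if kp == "KP2":
        # Transit: 1-3 digit country code, longest match first (a transit
        # register analyses at most I1 I2 I3 Z N1 N2, per Part 3).
        for length in (3, 2, 1):
            if "".join(body[:length]) in COUNTRY_CODES:
                country, body = "".join(body[:length]), body[length:]
                break
        if country is None:
            raise MFDecodeError("unknown country code after KP2")
    if not body:
        raise MFDecodeError("missing Z digit")
    return {"kp": kp, "country_code": country, "z": body[0], "number": "".join(body[1:])}


def constructed_burst(text):
    """Build sample events from e.g. 'KP2 4 4 0 ... ST' at nominal values.
    Test fixture for this example only; it inverts the table, nothing more."""
    inverse = {v: k for k, v in MF_TABLE.items()}
    return [(*inverse[sym], 100 if sym in LONG_SIGNALS else 55) for sym in text.split()]


if __name__ == "__main__":
    # The guide's own en bloc example: Kp2-44-0-181-000-1212-ST
    burst = constructed_burst("KP2 4 4 0 1 8 1 0 0 0 1 2 1 2 ST")
    print(parse_address(decode_burst(burst)))
```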
Just to recap on the digits:

  [ASCII drawing: a satellite, an operator ("Connecting you now"), a US Army line, a cable and a microwave tower, labelled with the digits below]

  CABLE:           0
  SATELLITE:       1
  OPERATOR:        2
  MILITARY:        3
  MICROWAVE/RADIO: 9

Some countries will attempt to distinguish real routing and "false" routing using codes. Some time ago the "182 trick" was introduced to the R1 signalled trunks in the US. All calls would route:

  KP18(pause)2ST.....KPnumber(pause)last digitST

A pause of around 68 ms is generally used. This may have been applied to countries of the Caribbean and Canada, and is worth noting in case you find yourself blueboxing in these regions. Calls routed without the 182 would still route, although they were flagged.

Some countries double up the discriminating digits, so 0 would be 00 (see Macau above). In addition, a zero is prefixed before each digit in some cases, with 1 becoming 01. Very often the doubling and adding of the zero in the discriminating digits occurs when the digits are in front of the country code, in order to avoid difficulties with routing.

LOCAL LEVEL, NATIONAL LEVEL AND INTERNATIONAL LEVEL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It is important when routing calls to understand the principle that most of the world's phone systems use "levels" for routing and switching calls. Local level would be the "local loop", i.e. the lines from houses and businesses to the local exchange. National level would be the trunks interconnecting the exchanges, although national level could be split further into low-national level, the trunks between local exchanges and main switching units, and high-national level, the trunks interconnecting the main switches.
International level is self-explanatory, and would be the trunks between international gateways. In the UK, when using an ordinary subscriber phone, these levels are expressed in 0s:

  [ASCII diagram: HOUSE --(LOCAL LEVEL)--> TEL EXCHG --(Trunk Level 0, National Level)--> INT SWITCH --(Trunk Level 00, International)-->]

When a C5 call is made from, let's say, Sweden, to the UK, the SS7 trunks become temporarily signalled using CCITT 5, because the originating country is using C5 and SS7 is backwards compatible (it has to be). Therefore, re-seizing the trunk would result in the UK end being seized, and you would then be free to route Kp1 within the UK. But it gets a lot better. It is possible to route to the "area code sender" of each exchange; for instance, from a UK trunk, you would route:

  Kp1-2-area code without 0-ST

for instance:

  Kp1-2-1597-ST   (1597 - Llandrindod Wells)

You would route 2 as an operator, and this would give you a single "pleep". From area code level you could then route to the individual exchanges:

  Kp1-2-exchange-ST

for instance:

  Kp1-2-82-ST   (82 - Llandrindod Wells town)

From local exchange level, you could then try routing to the 4-digit numbers within the exchange code:

  Kp1-2-number-ST

for instance:

  Kp1-2-4467-ST

Re-seizure could be possible from there, allowing a considerable amount of fun routing C5 local microwave/cable/satellite!/military calls. The keyword in all this is EXPERIMENT, and have fun with it. There are probably a lot of tricks out there still unknown; perhaps someone could work out how to do 3-way calling on C5....

INTERNATIONAL SENDERS
~~~~~~~~~~~~~~~~~~~~~

A feature of many C5 systems is the "international sender"; these are primarily designed for operators to manually route calls to the specified country.
These were used a lot in the American R1 system, mainly due to the lack of a Kp2 signal in the standard dialset. They are still usable, even though many countries don't actually have a use for them. The format for using the international senders is:

  Kp1-011-countrycode-ST

From there, a single "pleep" is given, and you can Kp1 a number in the country the sender is for, following the format:

  Kp1-desc digit-ac-number-ST

For some countries which disallow Kp2, a sender can be used to get around this.

AND NOW... THE MOST CLOSELY GUARDED SECRET AMONG TELCOS TODAY!

V E R I F I C A T I O N   T R U N K S

Verification trunks are special operator trunks that are used to clip onto calls to check the status of the line. They can be used as line taps as well, by "them". When someone calls an operator saying that a line has been engaged for a very long time, they can check using these trunks to see if the person is talking on the line (and hear the call). If no call is in progress, it will be silent.

In countries that use inband systems, verification trunks are accessed using a special combination of tones, known as a VERIFICATION SEIZE. In short, a verification tone of 280 Hz is added to either f1 (2600 Hz) or f2 (2400 Hz) and the combination is played twice. For instance:

  2400+280 for 200 ms, delay 50 ms
  2400+280 for 200 ms, delay 50 ms

Another example would be:

  2600+280 for 200 ms, delay 50 ms
  2600+280 for 200 ms, delay 50 ms

Verification seizes are very often features of hybrid R1-C5 connections, as R1 has room for many more features than system 5. After receiving the acknowledgement "PLEEP", routing can commence using elongated durations for the MF digits, with control digits (i.e. Kp1, Kp2, ST etc.) being around 120 ms in duration and standard digits at around 90 ms, with delays of around 55-68 ms; this is mainly because verification trunks were designed for use by operators.
For a more detailed explanation, see www.809.cjb.net; in the files section an excellent guide was written by NynexPhreak.

APPENDICES
==========

Corrections: I mentioned 2 as being for military lines in earlier versions of Part 1 and 2. This is wrong: 2 is for operator lines and 3 is for military in most cases.

Earlier on in the guide I mentioned "mutating the tones"; this is related to the tolerance of the line. As for mixing in tones with the seize, these are known as GUARD TONES; I don't think I made that clear enough. Other examples of guard tones include 2100, 210, 550, 1800, 2800, 440, 280, 3100, 3900 and many others. In fact almost any tone could be used as a guard tone.

While on the subject of guard tones, some countries do require guard tones to be placed as a middle tone in some cases. The function of this is to keep the line in the same state before the seize is sent:

  TONE        DUR (ms)  DEL (ms)
  2600+2400   180       30
  2100        180       30
  2400+2397   180       30

This example was for when China was on C5. It's not C5 anymore, but this seize may be used by other nations, who knows. Another example is Nicaragua; on their C5 trunks they use (according to Destructive Jungle.. :))

  TONE             DUR (ms)  DEL (ms)
  2600+2400+2100   130       800
  2400+2400+2100   330

This would result, I'm told, in a single "chirp" acknowledging the second tone only, and allow Kp1 routing. This seize apparently still works, although it is not recommended as the route is heavily monitored due to people caning it.

CCITT R1
~~~~~~~~

Now, a long time ago, and to some extent nowadays, system R1 was the system that linked the US. It used a single frequency 2600 Hz tone for controlling the status of trunks, using a tone-on (free) and tone-off (in use) system. It used interregister signals comprised of MF (multifrequency) tones, which were compound tones and were used to route calls between trunk exchanges.
It was a pretty basic system, and can be found in some VERY remote parts of the US/Canada, and is used to some extent in the Caribbean region. It may be found in other parts of the world too, especially in poorer countries, and in some parts of Eastern Europe. I heard from a friend that Italy uses R1 as the signalling system in some rural towns. A similar system is used by the French, called Socotel, which uses MF and single frequency tones.

People used to bluebox the R1 system by sending the 2600 Hz tone to tell the trunk the call had hung up when in fact it hadn't, meaning that they had an open trunk to dial out of using the MF dialset. This is theoretically achievable, but the US is mainly SS7, and muting of forward audio can be a problem. Mark Tabas wrote an excellent series of files on blueboxing R1, known as "Better Homes and Blueboxing". BillSF's "Hitchhiker's Guide to the Phone System" describes R1, as does Neondreamer's "Analogue Signalling Systems". Also, "Signalling Systems and the Bluebox Revamped" has an excellent section on R1. These files contain more information on R1 than I aim to include here.

The R1 dialset is similar to the CCITT 5 dialset, although Kp2 is not included. In older R1 systems MF digits had a duration of 68 ms, although it has since been updated to accept digits with a 55 ms duration for greater compatibility with CCITT 5.

CCITT R2
~~~~~~~~

CCITT R2 is an extremely complicated system; it can be signalled using up to 6 different methods! There are digital versions, which use timeslot signalling, and are pretty much un-blueboxable. The many analogue versions are blueboxable, but seem not to be blueboxed as heavily as R1 and C5 are. R2 uses outband tones to signal it; these are theoretically above the voice frequency band of the connection. 3825 Hz is used in Brazil for the signalling of analogue R2 calls. It is sent as:

  3825 Hz for 150 ms
  delay around 35 ms
  3825 Hz for 1500 ms

A pause would result, and then the R2 digits would be sent.
The convention with R2 is that each digit is sent in a long burst until the switch "replies" requesting the next digit. Because of this two-directional signalling, R2 is a comparatively slow system. It (R2 digital) is used by Belize Telecom for interworking with PBXs and for their Voice-over-IP services, and apparently adds up to 8 seconds onto the routing time of the call for every switch it travels through. But it has advantages to the telco as it can be digital, and the out-of-band analogue version is less susceptible to false release (such as whistling causing it to hang up). R2 has more features than conventional in-band systems, and this is one of the reasons why it is being used increasingly across the world. Most CCITT 4 trunks in Europe have been replaced with R2, and it is used extensively on the PSTNs of many Latin American countries. It can also be set up to use the same tones as CCITT 4, apparently for low-bandwidth connections. Many different and strange R2 systems have been set up by telcos, sometimes with forward tones in the backward direction and sometimes with just forward tones being sent in an en bloc fashion.

BillSF:

" R2 is the most versatile end-to-end system ever developed. It is a two-way system like C7 and comes in two forms, analog and digital, both fully compatible with each other. R2 has completely replaced C4, with the possible exception of a few very remote areas where it works into R2 using registers. Two groups of fifteen, two of six MF tones are used for each direction, the high frequency group forward and the low group backward. Line signalling can be digital with two channels or out-of-band at 3825Hz, DC, or in cases of limited bandwidth on trunks, can use the C4 line signals, just the 2040 + 2400Hz or 3000Hz or even backward signals sent in a forward direction. The signals can be digitally quantised using the A-law or u-law codec standards, resulting in compatible signals for analog lines.
In international working, only a small part of the standard is mandatory with a massive number of options available. For national working, an ample number of MF combinations are "reserved for national use", providing an expandable system with virtually limitless capabilities. "

(Taken from "Signalling systems and the bluebox revamped")

R2 Register signals
------------------------------------------------------------
Forward    1380  1500  1620  1740  1860  1980  [Hz]
------------------------------------------------------------
Backward   1140  1020   900   780   660   540  [Hz]
------------------------------------------------------------
Digit
   1       x     x
   2       x           x
   3             x     x
   4       x                 x
   5             x           x
   6                   x     x
   7       x                       x
   8             x                 x
   9                   x           x
  10                         x     x
  11       x                             x
  12             x                       x
  13                   x                 x
  14                         x           x
  15                               x     x
-----------------------------------------------------------

These are translated as:

-----------------------------------------------------------
Forward Signals
-----------------------------------------------------------
Digit   Group I     Group II
-----------------------------------------------------------
  1     1           Normal subscriber
  2     2           Privileged subscriber
  3     3           Test subscriber
  4     4           Payfone
  5     5           Operator
  6     6           ?
  7     7           Normal subscriber
  8     8           ?
  9     9           Privileged subscriber
 10     10          Operator
 11     KP2E        Forwarded call
 12     KP2         Reserved
 13     Reserved    Reserved
 14     Reserved    Reserved
 15     ST          Reserved
-----------------------------------------------------------

-----------------------------------------------------------------------------
Backward signals
-----------------------------------------------------------------------------
Digit   Group A                       Group B
-----------------------------------------------------------------------------
  1     Send next digit (x+1)         Sub. vacant, call tracing (BAD)
  2     Send previous digit (x-1)     Send guide tone
  3     Receive group B signals       Subscriber busy
  4     National net failure          Net failure
  5     Specify subscriber type       Disconnected number
  6     Connect voice channel         Subscriber vacant - Sup
  7     Send (x-2)                    Subscriber vacant - Non-Sup
  8     Send (x-3)                    Subscriber malfunction
  9     ?                             ?
 10     Reserved                      The number has changed
-----------------------------------------------------------------------------

R2 Line signals, non-PCM (3825Hz)
---------------------------------------------------------------
Signal                Direction   Duration [ms]
---------------------------------------------------------------
Seizing                  -->      50 or 150
Seizing ACK (wink)       <--      50 (or longer)
Answer                   <--      150
Metering (count)         <--      100
Clear back               <--      600
Clear Forward            -->      1500
---------------------------------------------------------------

The backward signals are used to ask the calling CO questions while dialing. This may cause problems, since you may not know when to send digits and when to send info; especially signals like send x-2 may cause headaches. One way to find this out is usually by testing different orders. Usually the subscriber type question is only sent when making national calls and is asked after all the digits have been sent. On intl. calls the subscriber type is asked after the CC (like on R1). The thing is that the Telco knows these things and are trying their best to make life hard for boxers by programming their equipment to send questions at unexpected times.

A boxed call may take place as follows: Dial number 555-1212

  CO1                        CO2
  ---------------------------
  Clear Forward ->
  Seize ->
                             <- Seizing ACK
  I-5 ->
                             <- A-1 (send next digit)
  I-5 ->
                             <- A-1
  I-5 ->
                             <- A-1
  I-1 ->
                             <- A-1
  I-2 ->
                             <- A-1
  I-1 ->
                             <- A-1
  I-2 ->
                             <- A-5 or A-3 (specify subscriber)
  II-5 -> (operator)
                             <- B-6 (no ST needed on local calls)
  ----------------------------

---> Taken from "Signalling Systems and the Bluebox Revamped"

CCITT 3 (MF2/AC9)
~~~~~~~~~~~~~~~~~

This was the old system used in the UK. The last MF2 trunks were removed in 1991 when the UK became fully common channel signalled using CCITT 6 and 7. It used a 2280 Hz tone to signal calls on a tone-on/tone-off basis as with R1. This was phreaked extensively by phone phreakers throughout the 70s, 80s and very early 90s.
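Working back to the R2 register tables and the 555-1212 exchange above: as an added example (not code from the guide or from BillSF's file), the following decodes a constructed log of observed tone pairs the way a signalling monitor would, applying the 2-of-6 pairing (the UK MF2 table below uses the same pairing) and the group A steering replies. Assumed: a tone detector has already classified each burst into a direction and two frequencies, the log format is invented, and group I signal 10 is read as digit 0.

```python
"""Decode an R2 register (MFC) exchange from a constructed tone log.

Added example, not code from the guide or BillSF's file. It applies the 2-of-6
pairing of the R2 register table above (shared by the UK MF2 table) and the
group A/B meanings of the backward signals table. Assumed: bursts are already
classified into direction and frequencies; log format invented; I-10 read as 0.
"""
from typing import Dict, List, Tuple

FORWARD = (1380, 1500, 1620, 1740, 1860, 1980)   # Hz, sent by the calling end
BACKWARD = (1140, 1020, 900, 780, 660, 540)      # Hz, sent by the called end
GROUP_I = {**{n: str(n) for n in range(1, 10)}, 10: "0", 11: "KP2E", 12: "KP2", 15: "ST"}
GROUP_II = {1: "Normal subscriber", 2: "Privileged subscriber", 3: "Test subscriber",
            4: "Payphone", 5: "Operator", 7: "Normal subscriber",
            9: "Privileged subscriber", 10: "Operator", 11: "Forwarded call"}
GROUP_B = {1: "Subscriber vacant, call tracing", 2: "Send guide tone",
           3: "Subscriber busy", 4: "Net failure", 5: "Disconnected number",
           6: "Subscriber vacant - Sup", 7: "Subscriber vacant - Non-Sup",
           8: "Subscriber malfunction", 10: "The number has changed"}
STEP = {1: +1, 2: -1, 7: -2, 8: -3}   # group A: A-1 x+1, A-2 x-1, A-7 x-2, A-8 x-3

def pair_to_signal(f1: int, f2: int, group: Tuple[int, ...]) -> int:
    """2-of-6 code: pairs numbered by rising index, (1st,2nd)=1, (1st,3rd)=2,
    (2nd,3rd)=3, (1st,4th)=4 ... (5th,6th)=15, as in the register table."""
    if f1 == f2 or f1 not in group or f2 not in group:
        raise ValueError(f"{f1}/{f2} Hz is not a valid pair for this group")
    i, j = sorted((group.index(f1), group.index(f2)))
    return j * (j - 1) // 2 + i + 1

def decode_exchange(log: List[str]) -> Dict[str, object]:
    """Replay a compelled exchange from lines 'fwd f1 f2' / 'bwd f1 f2': returns
    address, group II category, group B outcome and breaks of the strict alternation."""
    address: Dict[int, str] = {}          # position -> digit; A-2/A-7/A-8 overwrite
    anomalies: List[str] = []
    out: Dict[str, object] = {"category": None, "outcome": None, "anomalies": anomalies}
    pos, phase, awaiting_reply = 0, "I", False
    for n, line in enumerate(log, 1):
        direction, a, b = line.split()
        f1, f2 = int(a), int(b)
        if direction == "fwd":
            if awaiting_reply:
                anomalies.append(f"line {n}: forward signal before the backward reply")
            sig = pair_to_signal(f1, f2, FORWARD)
            if phase == "I":
                address[pos] = GROUP_I.get(sig, f"I-{sig}")
            else:                           # after A-3/A-5 the forward signal is group II
                out["category"] = GROUP_II.get(sig, f"II-{sig}")
            awaiting_reply = True
        elif direction == "bwd":
            if not awaiting_reply:
                anomalies.append(f"line {n}: backward signal with nothing to acknowledge")
            awaiting_reply = False
            sig = pair_to_signal(f1, f2, BACKWARD)
            if phase == "II":               # replies are now group B
                out["outcome"] = GROUP_B.get(sig, f"B-{sig}")
            elif sig in STEP:
                pos += STEP[sig]
                if pos < 0:                 # asked for a digit before the first one
                    anomalies.append(f"line {n}: A-{sig} points before the first digit")
                    pos = 0
            elif sig in (3, 5):             # address complete: send subscriber category
                phase = "II"
            elif sig in (4, 6):             # A-4 net failure / A-6 connect voice channel
                out["outcome"] = "National net failure" if sig == 4 else "Connect voice channel"
            else:
                anomalies.append(f"line {n}: unexpected A-{sig}")
        else:
            anomalies.append(f"line {n}: unknown direction {direction!r}")
    out["address"] = "".join(address[k] for k in sorted(address))
    return out

# Constructed log: the guide's 555-1212 exchange as tone pairs (line signals omitted).
SAMPLE_LOG = [
    "fwd 1500 1740", "bwd 1140 1020",     # I-5, A-1 send next digit
    "fwd 1500 1740", "bwd 1140 1020",     # I-5, A-1
    "fwd 1500 1740", "bwd 1140 1020",     # I-5, A-1
    "fwd 1380 1500", "bwd 1140 1020",     # I-1, A-1
    "fwd 1380 1620", "bwd 1140 1020",     # I-2, A-1
    "fwd 1380 1500", "bwd 1140 1020",     # I-1, A-1
    "fwd 1380 1620", "bwd 1020 780",      # I-2, A-5 specify subscriber type
    "fwd 1500 1740", "bwd 900 780",       # II-5 operator, B-6
]

if __name__ == "__main__":
    print(decode_exchange(SAMPLE_LOG))
```

An A-2 reply after a digit makes the decoder re-address the previous position, which is why the address is kept by position rather than appended.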
It was a very simple system to bluebox, and involved sending:

  2280 Hz for 1000 ms, delay 60 ms  --> Disconnect tone
  2280 Hz for 80 ms, delay 60 ms    --> Trigger tone
  2280 Hz for 80 ms, delay 60 ms    --> Trigger tone

This would result in a wink from the trunk, from where routing could be achieved with CCITT 3 address digits. The digits would then be sent, preceded by Code14, waiting for the step-by-step acknowledgement by the exchange. In some cases, pulse dialling could be used. This system may be found on national networks in parts of Eastern Europe, Russia and Africa, and in remote areas of Asia and South America. Rumour has it that it is in use in South Africa, the outback in Australia and Sweden to some extent.

+-------------------------+------+------+------+------+-----+-------+
|UK MF2 Forward signalling|   1  | 1380 | 1500 |   0  | 400 |   50  |
|                         |   2  | 1380 | 1620 |   0  | 400 |   50  |
|                         |   3  | 1500 | 1620 |   0  | 400 |   50  |
|                         |   4  | 1380 | 1740 |   0  | 400 |   50  |
|                         |   5  | 1500 | 1740 |   0  | 400 |   50  |
|                         |   6  | 1620 | 1740 |   0  | 400 |   50  |
|                         |   7  | 1380 | 1860 |   0  | 400 |   50  |
|                         |   8  | 1500 | 1860 |   0  | 400 |   50  |
|                         |   9  | 1620 | 1860 |   0  | 400 |   50  |
|                         |   0  | 1740 | 1860 |   0  | 400 |   50  |
|                         |  11  | 1380 | 1980 |   0  | 400 |   50  |
|                         |  12  | 1500 | 1980 |   0  | 400 |   50  |
|                         |  13  | 1620 | 1980 |   0  | 400 |   50  |
|                         |  14  | 1740 | 1980 |   0  | 400 |   50  |
|                         |  15  | 1860 | 1980 |   0  | 400 |   50  |
+-------------------------+------+------+------+------+-----+-------+
|UK MF2 Back/w signalling |   1  | 1140 | 1020 |   0  | 400 |   50  |
|                         |   2  | 1140 |  900 |   0  | 400 |   50  |
|                         |   3  | 1020 |  900 |   0  | 400 |   50  |
|                         |   4  | 1140 |  780 |   0  | 400 |   50  |
|                         |   5  | 1020 |  780 |   0  | 400 |   50  |
|                         |   6  |  900 |  780 |   0  | 400 |   50  |
|                         |   7  | 1140 |  660 |   0  | 400 |   50  |
|                         |   8  | 1020 |  660 |   0  | 400 |   50  |
|                         |   9  |  900 |  660 |   0  | 400 |   50  |
|                         |   0  |  780 |  660 |   0  | 400 |   50  |
|                         |  11  | 1140 |  540 |   0  | 400 |   50  |
|                         |  12  | 1020 |  540 |   0  | 400 |   50  |
|                         |  13  |  900 |  540 |   0  | 400 |   50  |
|                         |  14  |  780 |  540 |   0  | 400 |   50  |
|                         |  15  |  660 |  540 |   0  | 400 |   50  |
+-------------------------+------+------+------+------+-----+-------+

CCITT 4
~~~~~~~

Hardly used in modern systems, CCITT 4 is a binary digit based system. It is inband and uses voice frequencies to signal it. It was the old "European System" that linked Europe together. It predates CCITT 5, and is from the 1950s. It was designed with operators in mind, and the result is that it is very simple to bluebox if you use the correct tones and routings. It is extensively used in Africa, but may be found in remote places in Russia and Eastern Europe such as the Urals, where many exchanges date back to the 1920s. It may also be found in limited use in remote parts of Asia, in developing nations. CCITT 4 has had somewhat of a renaissance, as R2 can be configured to use the CCITT 4 signals on low-bandwidth connections or when it needs to be interworked.

The address signals have a 35 ms pause between each beep and a 100 ms pause (minimum) between each digit. Minimum time to send a digit (including pause) is 345 ms.

  x:  2040 Hz        35 ms   (binary "1")
  y:  2400 Hz        35 ms   (binary "0")
  X:  2040 Hz       100 ms
  Y:  2400 Hz       100 ms
  XX: 2040 Hz       350 ms
  YY: 2400 Hz       350 ms
  P:  2040+2400 Hz  150 ms

  Clear Forward:    PXX
  Transit Seizure:  PX
  Forward Transfer: PYY   --> Sometimes used in R2 as a break tone
  Terminal Seizure: PY

ADDRESS SIGNALS:

         1  2  3  4
  1      y  y  y  x
  2      y  y  x  y
  3      y  y  x  x
  4      y  x  y  y
  5      y  x  y  x
  6      y  x  x  y
  7      y  x  x  x
  8      x  y  y  y
  9      x  y  y  x
  0      x  y  x  y

SOCOTEL
~~~~~~~

I've never encountered Socotel, as far as I know... BillSF wrote the following on the subject of the French SOCOTEL system. As for its uses today, it's probably only used in rural areas of France and/or French colonies or former French colonies; it may well be found in Ivory Coast and other such places.

Socotel is a general system developed by the French. It is a hodgepodge of many systems, using MFC, pulse tone, pulse AC and pulse DC systems. Most (all?) line signalling tones can be used.
An inband system can use 2500Hz as a clear forward and 1700 or 1900Hz for seize or, in Socotel terms, "confirm". Most line signalling today is "out of band", but unlike normal outband signalling, it is below band: DC, 50Hz or 100Hz. It is a "brute force" system using 100V levels, ensuring no customer has a chance of getting it directly! Call setup on the AC systems often has a very characteristic sound of short bursts of 50Hz or 100Hz buzz, followed by the characteristic French series of 500 Hz beeps to alert the customer that the call has been received from the Socotel by the end office and is now being (pulse) dialed. Calls often don't make it through all the gateways of a Socotel system, sometimes giving the French phreak a surprise access where it stuck!

"No fair, this trunk won't route!"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well, there are lots of nasties that telcos use to prevent you from routing their trunks...

The Basics:

-* Unidirectional trunks: these only call Kp1, or nearby on Kp2.
   HOW TO GET AROUND THEM: Kp1 into the country, re-seize, then route Kp2 according to the template the country uses. Also, try using an international sender: Kp1-011-cc-ST, and then you can Kp1 to the country the sender is for.

-* Non-standard routing, i.e. discriminating digit in the wrong place, doubling of the dd etc.
   HOW TO GET AROUND THEM: Experiment! Move the discriminating digit to the front of the dialstring. Also, try adding a 0 to the digit, Kp2-00-44-181-811-8181-ST... 01 has been known to work as well. Social engineer the Code11 if need be...

-* Calls terminate after about 5 minutes; they just hang up!
   HOW TO GET AROUND THEM: Try sending the seize AFTER answer.

-* Trunks wait... pause... and then give a reorder.
   HOW TO GET AROUND THEM: Make sure it's hearing the digits, esp. the Kp. Also, maybe the dialling is too quick or too slow. Zone 1 C5s use quick dialling.

-* After hearing the first few digits, it makes a noise and hangs up...
   HOW TO GET AROUND THEM: Either you are on a unidirectional trunk, or it uses non-standard routing. Try those tips first. If you still get a problem, try routing to Code11... Kp1-2-Code11-ST

If that doesn't work, then the country you are boxing could use a routing "trick" such as Iceland used to use (C5 until about July 1999). At one time:

  Kp1-01-44-number-ST

would work. The code then changed to some bizarre pattern that meant you had to MF in the route from the UK your call was coming from (?), something like:

  Kp1-01-44-ST-Kp2-44-0-areacode you want to call-number you want to call-ST

This was given to me by an anonymous party.

Other problems may be that FORWARD AUDIO MUTING is used. The CCIS portion of the route detects the loss of supervision at the distant C5 end and mutes forward audio. This is a problem R1 blueboxers have in the US. Also, a friend of mine who is on Telewest and who used to be on NTL tells me that cable digital local loops and switches are ultra-sensitive to calls being hung up "PLEEP PLEEP" and therefore give errors if seizes are sent before answer on certain routes, and are known to be VERY temperamental.

CONCLUSION
==========

Well, that just about wraps up this detailed guide. A lot of this info was typed/passed on to me by an associate who would like to remain anonymous. I have no details for this guy, so don't ask. It's been... ok, writing this guide. It took a lot of time but I feel it makes a nice file to end the 20th century with. It'd be nice to see some people starting with R2 blueboxing; it would be good to develop that. I hope you've all enjoyed reading this guide, and have learned about the joys of international switching. I have one final note before I leave you to experiment with this:

**-BLUEBOXING IS NOT JUST ABOUT FREE CALLS-**

When people see blueboxing in this light it REALLY makes my blood boil. I didn't spend half a year or more writing a guide so that some thief can "get free callz".
The point of this guide is to educate people on the fun that can be had routing calls, and learning hands-on about switching and signalling. The information in here is hot, and I really would hate it if someone started abusing this information for the single purpose of free calls. Yes, free calls are nice, and part of blueboxing is getting a free call. After all, British Telecom deserve it because they bleed the nation dry with such overpriced call charges and services. But I'd like to think that this guide would inspire you people (yes, YOU) to take an interest in the systems I've discussed.

When blueboxing, I really do recommend you spread your calls over several numbers to minimise the impact and keep you out of trouble. Bear in mind that "they" _do_ know what you are doing, and if you have ever done a scan of numbers, they will have a monolog on your line. Also, they do have logs of you, and they can set up CCITT 5/MF logging, although these logs are known to be inaccurate (after all MF is voice frequency, and line faults do occur in international switching) and therefore are not fully admissible for a conviction. So my advice is, have fun, take care and please don't just use it for free calls; it's worth more than that surely.

Well, it's December the 27th, 16:58 and the year is 1999. I expect some people will be reading this in maybe even 10 years' time, such is the longevity of a long guide to this sort of thing.

- de-phone/phed-one/dynamics
  blue.box@nicaragua.com