informis/textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/phreak/PHREAKING/pkmanual4.phk

2277 lines
90 KiB
Plaintext
Raw Normal View History

Initial commit
2021-04-15 13:31:59 -05:00
MUTED LOOP AND A TONE SIDE. 914-268 FAILED TO COME UP WITH THE SILENT SIDE OF
A LOOP! THEREFORE, THERE IS NO LOOP IN THAT EXCHANGE. I THEN SCANNED ANOTHER
EXCHANGE IN MY PRIMARY CALLING AREA (914-634) AND I FOUND A LOOP!! "(914)
634-9923/9924" SO, IF AT FIRST YOU DON'T SUCCEED, MOVE ONTO ANOTHER EXCHANGE.
IF YOU USE THE BOX METHOD THAT I HAVE OUTLINED ABOVE, YOU WILL SEE A "T" & "I"
NEXT TO EACH OTHER FOR A LOOP.
SOME EXCHANGES ARE SPECIAL. FOR EXAMPLE, 914-623 IS A TESTING BUREAU. IN
THIS EXCHANGE, NOT ONLY DID I FIND A LOOP, BUT I ALSO FOUND SEVERAL INTERESTING
TONES, NOISES, AND OTHER TEST FUNCTIONS. ALSO, THE MORE IMPORTANT THE EXCHANGE
IS, THE MORE YOU WILL FIND. FOR EXAMPLE, IN 914-623, I FOUND WELL OVER 10 VOICE
#'S!
ALSO, LOOPS ARE USUALLY, BUT NOT EXCLUSIVELY, FOUND IN THE 99XX SERIES. FOR
EXAMPLE: "(713) 324-1799/1499" IS A LOOP.
THE PERFECT LOOP? HERE IS WHAT I WOULD LOOK FOR:
1. NON-SUP ON ONE OR BOTH SIDES. TO CHECK FOR A NON-SUP LOOP, GO TO A
TONE-FIRST FORTRESS FONE AND DIAL THE #. IF IT ASKS FOR A DIME, IT IS
SUPERVISED. IF THE CALL GOES THROUGH, THEN IT IS NON-SUPED!
2. 800 LOOPS WOULD BE A PLUS. THEY ARE NOT NECESSARILY FOUND BETWEEN 9900 &
9999 THOUGH. I WOULD CHECK THE 1XXX SERIES FIRST.
3. MULTI-USER LOOPS ARE ALSO A PLUS FOR THOSE LATE NIGHT CONFERENCES.
FINALLY, REMEMBER IT IS ONLY A LOCAL CALL TO FIND OUT WHAT YOU CO HAS IN
STORE FOR YOU. IF YOU FIND ANYTHING INTERESTING, BE SURE TO DROP ME A LINE.
NOTE: YOUR LOCAL WHITE PAGES CAN BE A VALUABLE ASSET. YOU CAN ALSO ORDER OTHER
FONE BOOKS FROM YOUR BUSINESS OFFICE (USUALLY FREE FOR BOOKS WITHIN YOUR
OPERATING COMPANY'S DISTRICT). A LARGE FONE BOOK, SUCH AS MANHATTAN, CONTAINS
Page 98
The Official Phreaker's Manual
MUCH MORE INFO IN THE FIRST FEW PAGES THAN OTHER BOOKS.
ANI
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
AUTOMATIC NUMBER IDENTIFICATION (ANI), IS A NUMBER THAT YOU CALL UP THAT
WILL TELL YOU WHAT # YOU ARE CALLING FROM.
THIS HAS A FEW USES. FIRST, WERE YOU EVER SOMEWHERE AND THE FONE DIDN'T
HAVE A # PRINTED ON IT? OR PERHAPS YOU WERE FOOLING AROUND IN SOME CANS (THOSE
LARGE BOXES ON FONE POLES THAT CONTAIN TERMINALS FOR LINEMAN USE--TO BE
DISCUSSES IN A FUTURE CHAPTER.) AND YOU WANT TO KNOW WHAT WHAT THE LINE # IS.
IN NPA 914, THE ANI IS 990. IN NPA'S 212 & 516, ANI IS 958. THIS VARIES FROM
AREA TO AREA.
HERE ARE SOME OTHER ANI'S THAT I HAVE SEEN:
890-751-5191
202-222-2222
1-XXX-1111 (IN SOME 914 AREAS, ESP. UNDER STEP-BY-STEP SWITCHING, YOU HAVE
TO DIAL 1-990-1111)
TO FIND ANI FOR OTHER AREAS, CHECK 3 DIGITS #'S FIRST, USUALLY IN THE 9XX
SERIES (EXCLUDING 911). IN AREAS UNDER STEP-BY-STEP (TO BE DISCUSSED IN THE
NEXT PART), TRY 1-9XX-1111.
ANI MAY ALSO BE IN 99XX. LAST RESORT, TRY TO GET FRIENDLY WITH YOUR
NEIGHBOR WHO WORKS FOR THE FONE COMPANY.
RING BACK
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
RINGBACK, AS ITS NAME IMPLIES, CALLS BACK THE # YOU ARE AT WHEN YOU DIAL
THE RINGBACK #. RINGBACK, IN NPA 914, IS 660. YOU DIAL 660+THE LAST 4 DIGITS OF
THE FONE. YOU WILL THEN GET A TONE, HANG-UP QUICKLY AND PICK-UP IN ABOUT 2
SECONDS. YOU WILL THEN GET A SECOND TONE, HANG-UP AGAIN AND THE FONE WILL
RING.
IN NYC, IT IS ALSO 660, BUT YOU MAY HAVE TO PRESS 6 OR 7 BEFORE YOU HANG UP
FOR THE FIRST TIME (IE, AT THE FIRST TONE).
OTHER RINGBACK #'S THAT I HAVE SEEN ARE:
26011 - THIS 5 DIGIT FORMAT IS USED PRIMARILY ON STEP-BY-STEP.
THE LAST 2 DIGITS (11) ARE DUMMY DIGITS.
890-897-XXXX - XXXX ARE THE LAST 4 DIGITS OF THE FONE #.
119911/11911/1199911 - GTE
NNX-9906/9907 - NPA 301, NNX IS THE EXCHANGE
THE REASON YOU GET THE TONE WHEN YOU PICK-UP AFTER IT RINGS IS BECAUSE IN
SOME AREAS, PEOPLE WERE USING RINGBACK AS AN IN-HOUSE INTERCOM. THEY WOULD
DIAL RINGBACK, AND WHEN IT STOPPED RINGING, THEY WOULD PICK-UP & TALK WITH THE
PERSON WHO PICKED UP THE OTHER EXTENSION. BELL DIDN'T LIKE THIS SINCE THERE IS
USUALLY ONLY 1 PIECE OF EQUIPMENT IN EACH EXCHANGE THAT DOES THE RINGBACK. WHEN
PEOPLE USED THIS AS AN INTERCOM, LINEMEN & REPAIRMEN COULDN'T GET THROUGH! IN
SOME AREAS, ESPECIALLY THOSE UNDER STEP-BY-STEP, RINGBACK CAN STILL BE USED AS
AN INTERCOM. ALSO, UNDER STEP-BY-STEP, THE RINGBACK PROCEDURE IT USUALLY
Page 99
The Official Phreaker's Manual
SIMPLE. FOR EXAMPLE, IN ONE AREA YOU WOULD DIAL 26011 AND HANG-UP; IT WOULD
THEN RINGBACK.
TOUCH-TONE TEST:
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
IN AREAS THAT HAVE A TOUCH-TONE TEST, YOU DIAL THE RINGBACK #. AT THE
FIRST TONE, YOU TOUCH-TONE DIGITS 1-0. IF THEY ARE CORRECT IT WILL BEEP
TWICE.
I HAVE ALSO SEEN A TT TEST IN SOME AREAS AT: 890-751-5191
COMING SOON:
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
IN THE NEXT PART, WE WILL LOOK AT VARIOUS SWITCHING EQUIPMENT AND THE
NETWORK.
BREAK UP OF BELL:
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
THE OPERATING COMPANIES ARE NOT GOING TO CHANGE ALL THE SWITCHING EQUIPMENT
AROUND. WHILE THERE WILL BE SOME CHANGES, MOST OF THE INFORMATION PROVIDED
HERE WILL REMAIN PERTINENT AFTER JANUARY 1, 1984. JUST SUBSTITUTE THE WORD
"FONE NETWORK" FOR BELL SYSTEM.
AU REVOIR,
*****BIOC
*=$=*AGENT
*****003
DECEMBER 8, 1983
ACKNOWLEDGEMENTS: TAP, PHRED PHREEK, JUDAS GERARD, THE MAGICIAN, DARK PRIEST,
& MYSELF. I WOULD ALSO LIKE TO THANK THE MULCHER ][ FOR HIS ASSISTANCE IN
DISTRIBUTING THIS TUTORIAL.
Page 100
The Official Phreaker's Manual
************* << BIOC AGENT 003'S COURSE IN >> *************
* *
* $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ *
* %$ BASIC TELECOMMUNICATIONS $% *
* $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ *
* PART III *
* *
************************************************************
PREFACE:
IN PART III, WE WILL DISCUSS THE DIALING PROCEDURES FOR DOMESTIC AS WELL AS
INTERNATIONAL DIALING. WE WILL ALSO TAKE A LOOK AT THE TELEPHONE NUMBERING
PLAN.
NORTH AMERICAN NUMBERING PLAN
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
IN NORTH AMERICA, THE TELEPHONE NUMBERING PLAN IS AS FOLLOWS:
A) A 3 DIGIT NUMBERING PLAN AREA (NPA) CODE, [IE, AREA CODE]
B) A 7 DIGIT TELEPHONE # CONSISTING OF A 3 DIGIT CENTRAL OFFICE (CO) CODE PLUS
A 4 DIGIT STATION #.
THESE 10 DIGITS ARE CALLED THE NETWORK ADDRESS OR DESTINATION CODE. IT IS
IN THE FORMAT OF:
AREA CODE TELEPHONE #
--------- -----------
N*X NXX-XXXX
WHERE: N = A DIGIT FROM 2-9
* = THE DIGIT 0 OR 1
X = A DIGIT 0-9
AREA CODES
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
CHECK YOUR TELEPHONE BOOK OR THE SEPARATE LISTING OF AREA CODES FOUND ON
MANY BBS'S. HERE ARE THE SPECIAL AREA CODES (SAC'S):
510 - TWX (USA)
610 - TWX (CANADA)
700 - NEW SERVICE
710 - TWX (USA)
800 - WATS
810 - TWX (USA)
900 - DIAL-IT SERVICES
910 - TWX (USA)
THE OTHER AREA CODES NEVER CROSS STATE LINES, THEREFORE EACH STATE MUST
HAVE AT LEAST ONE EXCLUSIVE NPA CODE. WHEN A COMMUNITY IS SPLIT BY A STATE
LINE, THE CO #'S ARE OFTEN INTERCHANGEABLE (IE, YOU CAN DIAL THE SAME # FROM 2
DIFFERENT AREA CODES)
TWX:
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
Page 101
The Official Phreaker's Manual
TWX (TELEX II) CONSISTS OF 5 TELETYPE-WRITER AREA CODES. THEY ARE OWNED BY
WESTERN UNION. THESE SAC'S MAY ONLY BE REACHED VIA OTHER TWX MACHINES. THESE
RUN AT 110 BAUD. BESIDES THE TWX #'S, THESE MACHINES ARE ROUTED TO NORMAL
TELEPHONE #'S. TWX MACHINES ALWAYS RESPOND WITH AN ANSWERBACK. FOR EXAMPLE,
WU'S FYI TWX # IS (910) 988-5956, THE CORRESPONDING REAL NUMBER TO THIS IS
(201) 279-5956. THE ANSWERBACK FOR THIS SERVICE IS "WU FYI MAWA."
IF YOU DON'T WANT TO BUY A TWX MACHINE, YOU CAN STILL SEND TWX MESSAGES
USING EASYLINK [800/325-4112 - SEE TUC'S AND MY ARTICLE ENTITLED "HACKING
WESTERN UNION'S EASYLINK]
700:
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
AT THE TIME OF THIS WRITING, THE 700 EXCHANGE DOES NOT YET EXIST. AT&T
PLANS TO USE IT SOON THOUGH. THEY PLAN TO MAKE IT A TYPE OF FANCY CALL
FORWARDING SERVICE. IT WILL BE TARGETED TOWARDS SALESMEN ON THE RUN.
TO UNDERSTAND HOW IT WORKS, I'LL EXPLAIN IT WITH AN EXAMPLE. LET'S SAY JOE
Q. SALESPIG WORKS FOR AT&T SECURITY AND HE IS ON THE RUN CHASING A PHREAK
AROUND THE COUNTRY WHO ROYALLY SCREWED UP AN IMPORTANT COSMOS SYSTEM. LET'S
SAY THAT JOE'S 700 # IS (700) 382-5968. EVERY TIME JOE GOES TO A NEW HOTEL, HE
DIALS A SPECIAL 700 #, ENTERS A CODE, AND THE # WHERE HE IS STAYING. NOW, IF
HIS BOSS RECEIVED SOME IMPORTANT INFO, ALL HE WOULD DO IS DIAL (700) 382-5968
AND IT WOULD RING WHEREVER JOE LAST PROGRAMMED IT TO. NEAT, HUH?
800:
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
THIS SAC IS ONE OF MY FAVORITES SINCE IT ALLOWS FOR TOLL-FREE CALLS.
INWARD WATS (INWATS): INWARD WIDE AREA TELECOMMUNICATIONS SERVICE IS THE 800
#'S THAT WE ARE ALL FAMILIAR WITH. 800 #'S ARE SET UP IN SERVICE AREAS OR
BANDS. THERE ARE 6 OF THESE. BAND 6 IS THE LARGEST AND YOU CAN CALL A BAND 6
# FROM ANYWHERE IN THE US EXCEPT THE STATE WHERE THE CALL IS TERMINATED (THIS
IS WHY MOST COMPANIES HAVE ONE 800 # FOR THE COUNTRY AND THEN ANOTHER FOR JUST
ONE STATE). BAND 5 INCLUDES THE 48 CONTIGUOUS STATES. ALL THE WAY DOWN TO
BAND 1 WHICH INCLUDES ONLY THE STATES CONTIGUOUS TO THAT ONE. THEREFORE, LESS
PEOPLE CAN REACH A BAND 1 INWATS # THAT A BAND 6 #.
INTRASTATE INWATS #'S (IE, YOU CAN CALL IT FROM ONLY 1 STATE) ALWAYS HAVE A 2
AS THE LAST DIGIT IN THE EXCHANGE (IE, 800-NX2-XXXX). THE NXX ON 800 #'S
REPRESENT THE AREA WHERE THE BUSINESS IS LOCATED. FOR EXAMPLE, A # BEGINNING
WITH 800-431 WOULD TERMINATE AT A NEW YORK CO.
800 #'S ALWAYS END UP IN A HUNT SERIES IN A CO. THIS MEANS THAT IT TRIES THE
FIRST # ALLOCATED TO THE COMPANY FOR THEIR 8P0 LINES; IF THIS IS BUSY IT WILL
THEN TRY THE NEXT #, ETC). YOU MUST HAVE A MINIMUM OF TWO LINES PER EACH 800
#. FOR EXAMPLE, TRAVELNET USES A HUNT SERIES. IF YOU DIAL (800) 521-8400, IT
WILL FIRST TRY THE # ASSOCIATED WITH 8400; IF IT IS BUSY IT WILL GO TO THE NEXT
AVAILABLE PORT, ETC. INWATS CUSTOMERS ARE BILLED BY THE # OF HOURS OF CALLS
THAT ARE MADE TO THEIR #.
OUTWATS (OUTWARD WATS): OUTWATS ARE FOR MAKING OUTGOING CALLS ONLY. LARGE
COMPANIES USE OUTWATS SINCE THEY RECEIVE BULK-RATE DISCOUNTS. SINCE OUTWATS #
CANNOT HAVE INCOMING CALLS, THEY ARE IN THE FORMAT OF:
Page 102
The Official Phreaker's Manual
(800) *XX-XXXX
WHERE * IS THE DIGIT 0 OR 1 WHICH CANNOT BE DIALED UNLESS YOU BOX THE CALL.
THE *XX IDENTIFIES THE TYPE OF SERVICE AND THE AREAS THAT THE COMPANY CAN
CALL.
REMEMBER: INWATS + OUTWATS = WATS EXTENDER (SEE PART I)
900:
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
THIS DIAL-IT SAC IS A NATIONWIDE DIAL-IT SERVICE. IT IS USED FOR TAKING
TELEVISION POLLS AND OTHER STUFF. THE FIRST MINUTE CURRENTLY COSTS AN
OUTRAGEOUS 50 CENTS AND EACH ADDITIONAL MINUTE COSTS 35 CENTS. BELL TAKES IN
ALOT OF REVENUE IN THIS WAY.
DIAL (900) 555-1212 TO FIND OUT WHAT IS CURRENTLY ON THE SERVICE.
CO CODES:
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
THESE IDENTIFY THE SWITCHING OFFICE WHERE THE CALL IS TO BE ROUTED.
THE FOLLOWING CO CODES ARE RESERVED NATIONWIDE:
555 - DIRECTORY ASSISTANCE
844 - TIME ] THESE ARE NOW IN
936 - WEATHER ] THE 976 EXCHANGE
950 - FUTURE SERVICES
958 - PLANT TEST
959 - PLANT TEST
970 - PLANT TEST (TEMPORARY)
976 - DIAL-IT SERVICES
ALSO, THE 3 DIGIT ANI & RINGBACK #'S ARE REGARDED AS PLANT TEST AND ARE
THUS RESERVED. THESE NUMBERS VARY FROM AREA TO AREA.
950: [ALSO SEE PART I]
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
HERE ARE THE SERVICES THAT ARE CURRENTLY ON THE 950 EXCHANGE:
1000 - SPC
1022 - MCI EXECUNET
1033 - US TELEPHONE
1044 - ALLNET
1066 - LEXITEL
1088 - SBS SKYLINE
THESE SCC'S (SPECIALIZED COMMON CARRIERS) ARE FREE FROM FORTRESSES!
Publishers note: Most 950's now require the station code (1022, 1000, 1088,
etc.) to be five digits long. MCI 950-10222, US telefone 10333, ALLNET 10444,
etc. Look in "Equal Access and the American Dream" p. for a complete list.
PLANT TESTS:
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
THESE INCLUDE ANI, RINGBACK, AND OTHER VARIOUS TESTS.
Page 103
The Official Phreaker's Manual
976:
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
DIAL 976-1000 TO SEE WHAT IS CURRENTLY ON THE SERVICE. ALSO, MANY BBS'S
HAVE A LISTING OF THESE #'S.
N11 CODES:
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
BELL IS TRYING TO PHASE SOME OF THESE OUT, BUT THEY STILL EXIST IN MANY
AREAS.
011 - INTERNATIONAL DIALING PREFIX
211 - COIN REFUND OPERATOR
411 - DIRECTORY ASSISTANCE
611 - REPAIR SERVICE
811 - BUSINESS OFFICE
911 - EMERGENCY
INTERNATIONAL DIALING
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
WITH INTERNATIONAL DIALING, THE WORLD HAS BEEN DIVIDED INTO 9 NUMBERING
ZONES.
TO MAKE AN INTERNATIONAL CALL, YOU MUST DIAL: INT. PREFIX + COUNTRY CODE + NAT.
#
IN NORTH AMERICA, THE INTERNATIONAL DIALING PREFIX IS 011 FOR
STATION-TO-STATION CALLS AND 01 FOR OPERATOR- SERVICED CALLS. IDDD STANDS FOR
INTERNATIONAL DIRECT DISTANCE DIALING.
THE COUNTRY CODE, WHICH VARIES FROM 1 TO 3 DIGITS, ALWAYS HAS THE WORLD
NUMBERING ZONE AS THE FIRST DIGIT. FOR EXAMPLE, THE COUNTRY CODE FOR THE
UNITED KINGDOM IS 44, THUS IT IS IN WORLD NUMBERING ZONE 4.
SOME BOARDS MAY CONTAIN A COMPLETE LISTING OF OTHER COUNTRY CODES, BUT HERE
ARE A FEW:
001 - NORTH AMERICA (US, CANADA,ETC)
020 - EGYPT
258 - MOZAMBIQUE
034 - SPAIN
049 - GERMANY
052 - MEXICO (SOUTHERN PORTION)
061 - AUSTRALIA
007 - USSR
081 - JAPAN
098 - IRAN
IF YOU CALL FROM AN AREA OTHER THAN NORTH AMERICA, THE FORMAT IS GENERALLY
THE SAME. FOR EXAMPLE, LET'S SAY YOU WANTED TO CALL THE WHITE HOUSE FROM
SWITZERLAND. FIRST YOU WOULD DIAL 00 (THE SWISS INTERNATIONAL DIALING PREFIX),
THEN 1 (THE US COUNTRY CODE), FOLLOWED BY 202-456-1414 (THE NATIONAL # FOR THE
WHITE HOUSE).
ALSO, COUNTRY CODE 87 IS RESERVED FOR MARITIME MOBILE SERVICE, IE CALLING
Page 104
The Official Phreaker's Manual
SHIPS:
871 - MARISAT (ATLANTIC)
872 - MARISAT (PACIFIC)
873 - MARISAT (INDIAN )
INTERNATIONAL SWITCHING:
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
IN NORTH AMERICA, THERE ARE CURRENTLY 7 NO. 4 ESS'S THAT PERFORM THE DUTY
OF ISC (INTERNATIONAL SWITCHING CENTERS). ALL INTERNATIONAL CALLS DIALED FROM
NUMBERING ZONE 1 WILL BE ROUTED THROUGH ONE OF THESE "GATEWAY CITIES." THEY
ARE:
182 - WHITE PLAINS, NY
183 - NEW YORK, NY
184 - PITTSBURGH, PA
185 - ORLANDO, FL
186 - OAKLAND, CA
187 - DENVER, CO
188 - NEW YORK, NY
THE 18X SERIES ARE OPERATOR ROUTING CODES FOR OVERSEAS ACCESS (TO BE
FURTHER DISCUSSED WITH BLUE BOXES). ALL INTERNATIONAL CALLS USE A SIGNALING
SYSTEM CALLED CCITT. IT IS AN INTERNATIONAL STANDARD FOR SIGNALING.
COMING SOON:
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
IN PART IV, WE WILL DISCUSS SWITCHING EQUIPMENT, VARIOUS OPERATORS, CO
TYPES, ETC.
PHREAKING LIVES IN '84,
*****BIOC
*=$=*AGENT
*****003
<<=-FARGO 4A-=>>
23-FEB-84
REFERENCES/
ACKNOWLEDGEMENTS: NOTES ON THE NETWORK (AT&T), TAP (ROOM 603, 147W 42 ST,
NEW YORK, NY 10036),UNDERSTANDING TELEPHONE ELECTRONICS,AND MANY OTHERS/TUC,
MULCHER...
Page 105
The Official Phreaker's Manual
************* << BIOC AGENT 003'S COURSE IN >> *************
* *
* $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ *
* %$ BASIC TELECOMMUNICATIONS $% *
* $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ *
* PART IV *
* *
************************************************************
PREFACE:
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
PART IV WILL DEAL WITH THE VARIOUS TYPES OF OPERATORS, OFFICE HIERARCHY, &
SWITCHING EQUIPMENT.
OPERATORS:
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
THERE ARE MANY TYPES OF OPERATORS IN THE NETWORK AND THE MORE COMMON ONES
WILL BE DISCUSSED.
TSPS OPERATOR:
____________________________________________________________
THE TSPS (TRAFFIC SERVICE POSITION SYSTEM) OPERATOR IS PROBABLY THE BITCH
(OR BASTARD FOR THE PHEMALE LIBERATIONISTS) THAT MOST OF US ARE USE TO HAVING
TO DEAL WITH.
HERE ARE HER RESPONSIBILITIES:
1) OBTAINING BILLING INFORMATION FOR CALLING CARD OR 3RD NUMBER CALLS.
2) IDENTIFYING CALLED CUSTOMER ON PERSON-TO-PERSON CALLS.
3) OBTAINING ACCEPTANCE OF CHARGES ON COLLECT CALLS.
4) IDENTIFYING CALLING NUMBERS. THIS ONLY HAPPENS WHEN THE CALLING # IS NOT
AUTOMATICALLY RECORDED BY CAMA (CENTRALIZED AUTOMATIC MESSAGE ACCOUNTING) &
FORWARDED FROM THE LOCAL OFFICE. THIS COULD BE CAUSED BY EQUIPMENT FAILURES OR
IF THE OFFICE IS NOT EQUIPPED FOR CAMA (MOST ARE).
<I ONCE HAD AN EQUIPMENT FAILURE HAPPEN TO ME & THE TSPS OPERATOR CAME ON
AND SAID, "WHAT # ARE YOU CALLING FROM?" OUT OF CURIOSITY, I GAVE HER THE # TO
MY CO, SHE THANKED ME & THEN I WAS CONNECTED TO A CONVERSION THAT APPEARED TO
BE BETWEEN A FIRE MAN & HIS WIFE. THEN IT STARTED RINGING THE PARTY I
ORIGINALLY WANTED TO CALL & EVERYONE PHREAKED OUT (EXCUSE THE PUN). I
IMMEDIATELY DROPPED THIS DUAL LINE CONFERENCE!>
YOU SHOULDN'T MESS WITH THE TSPS OPERATOR SINCE SHE KNOWS WHERE YOU ARE
CALLING FROM. SHE ALSO KNOWS WHETHER OR NOT YOU ARE AT A FORTRESS FONE & SHE
CAN TRACE CALLS QUITE READILY. OUT OF ALL THE OPERATORS, SHE IS ONE OF THE
MOST DANGEROUS.
INWARD OPERATOR:
____________________________________________________________
THIS OPERATOR ASSISTS YOUR LOCAL TSPS ("0") OPERATOR IN CONNECTING CALLS.
Page 106
The Official Phreaker's Manual
SHE WILL NEVER QUESTION A CALL AS LONG AS THE CALL IS WITHIN HER SERVICE AREA.
SHE CAN ONLY BE REACHED VIA OTHER OPERATORS OR BY A BLUE BOX. FROM A BB, YOU
WOULD DIAL KP+NPA+121+ST FOR THE INWARD OPERATOR THAT WILL HELP YOU CONNECT ANY
CALLS WITHIN THAT NPA AREA ONLY. (BLUE BOXING WILL BE DISCUSSED IN A FUTURE
PART OF BASIC TELCOM)
DIRECTORY ASSISTANCE OPERATOR:
____________________________________________________________
THIS IS THE OPERATOR THAT YOU ARE CONNECTED TO WHEN YOU DIAL: 411 OR
NPA-555-1212. SHE DOES NOT READILY KNOW WHERE YOU ARE CALLING FROM. SHE DOES
NOT HAVE ACCESS TO UNLISTED #'S, BUT SHE DOES KNOW IF AN UNLISTED # EXISTS FOR
A CERTAIN LISTING.
THERE IS ALSO A DIRECTORY ASSISTANCE FOR DEAF PEOPLE WHO USE
TELETYPEWRITERS IF YOU MODEM CAN TRANSFER BAUDOT (THE APPLE CAT CAN), THEN YOU
CAN CALL HER UP AND HAVE AN INTERESTING CONVERSATION WITH HER. THE #
IS:800/855-1155. SHE USES THE STANDARD TELEX ABBREVIATIONS SUCH AS GA FOR GO
AHEAD. THEY TEND TO BE NICER & WILL TALK LONGER THAN YOUR REGULAR OPERATORS.
ALSO, THEY ARE MORE VULNERABLE INTO BEING TALKED OUT OF INFORMATION THROUGH THE
PROCESS OF "SOCIAL ENGINEERING" AS CHESHIRE CATALYST WOULD PUT IT.
OTHER OPERATORS HAVE ACCESS TO THEIR OWN DA BY DIALING KP+NPA+131+ST (MF).
THIS IS A LITTLE OUT OF THE SCOPE OF THIS TUTORIAL, BUT MANY TELCO'S ARE
NOW CHARGING FOR CALLS TO DIR. ASST. YOU CAN BEAT THIS BY:
(1) COUNT HOW MANY CALLS YOU MAKE TO DIRECTORY ASSISTANCE IN A BILLING PERIOD.
GO TO A FORTRESS FONE & DIAL DA. WHEN THE OPERATOR COMES ON, GIVE HER A NAME
THAT YOU KNOW HAS AN UNLISTED # OR ASK FOR A TOWN THAT ISN'T IN THE NPA. SHE
WILL THEN ASK FOR YOUR # SO SHE CAN CREDIT THE CALL TO YOU. GIVE HER YOUR HOME
#, SHE DOESN'T KNOW THAT YOU ARE MAKING A FREE CALL FROM THE FORTRESS. JUST
MAKE SURE THAT YOU DON'T CREDIT YOURSELF FOR MORE CALLS THAN YOU ACTUALLY MADE
OR YOU MIGHT HAVE A FEW PROBLEMS!
(2) IF YOU HAVE A BAUDOT TERMINAL, USE THE 800 #, IT'S FREE & THERE IS ONE #
FOR ALL REQUESTS.
C/NA OPERATORS:
____________________________________________________________
C/NA OPERATORS ARE OPERATORS THAT DO EXACTLY THE OPPOSITE OF WHAT DIRECTORY
ASSISTANCE OPERATORS ARE FOR. SEE PART II, FOR MORE INFO ON C/NA & #'S. IN MY
EXPERIENCES, THESE OPERATORS KNOW MORE THAN THE DA OP'S DO & THEY ARE MORE
SUSCEPTIBLE TO "SOCIAL ENGINEERING." IT IS POSSIBLE TO BULLSHIT A C/NA
OPERATOR FOR THE NON-PUB DA # (IE, YOU GIVE THEM THE NAME & THEY GIVE YOU THE
UNLISTED #). THIS IS DUE TO THE FACT THAT THEY ASSUME YOUR ARE A PHELLOW
COMPANY EMPLOYEE.
INTERCEPT OPERATOR:
____________________________________________________________
THE INTERCEPT OPERATOR IS THE ONE THAT YOU ARE CONNECTED TO WHEN THERE ARE
NOT ENOUGH RECORDINGS AVAILABLE TO TELL YOU THAT THE # HAS BEEN DISCONNECTED OR
CHANGED. SHE USUALLY SAYS, "WHAT # YOU CALLIN' ? " WITH A FOREIGN ACCENT.
THIS IS THE LOWEST OPERATOR LIFEFORM. EVEN THOUGH THEY DON'T KNOW WHERE YOU
ARE CALLING FROM, IT IS A WASTE OF YOUR TIME TO TRY TO VERBALLY ABUSE THEM
SINCE THEY USUALLY UNDERSTAND VERY LITTLE ENGLISH.
Page 107
The Official Phreaker's Manual
OTHER OPERATORS:
____________________________________________________________
AND THEN THERE ARE THE:
MOBILE
SHIP-TO-SHORE
CONFERENCE
MARINE VERIFY, "LEAVE WORD & CALL BACK,"
ROUT & RATE (KP+NPA+141+ST) & OTHER SPECIAL OPERATORS WHO HAVE ONE PURPOSE OR
ANOTHER IN THE NETWORK.
PROBLEMS WITH AN OPERATOR? ASK TO SPEAK TO THEIR SUPERVISOR... WHICH IS
THE EQUIVALENT OF THE MADAME IN A WHOREHOUSE (IF YOU WILL EXCUSE THE ANALOGY).
BY THE WAY, SOME CO'S THAT WILL ALLOW YOU TO DIAL A 1 OR 0 AS THE 4TH
DIGIT, WILL ALSO ALLOW YOU TO CALL SPECIAL OPERATORS WITHOUT A BLUE BOX. THIS
IS VERY RARE THOUGH! FOR EXAMPLE, 212-121-1111 WILL GET YOU A NY INWARD
OPERATOR.
OFFICE HIERARCHY
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
EVERY SWITCHING OFFICE OFFICE IN NORTH AMERICA (THE NPA SYSTEM), IS
ASSIGNED AN OFFICE NAME & CLASS. THERE ARE FIVE CLASSES OF OFFICES NUMBERED 1
THROUGH 5. YOUR CO IS MOST LIKELY A CLASS 5 OR END OFFICE. ALL LONG-DISTANCE
(TOLL) CALLS ARE SWITCHED BY A TOLL OFFICE WHICH CAN BE A CLASS 4, 3, 2, OR 1
OFFICE. THERE IS ALSO A 4X OFFICE CALLED AN INTERMEDIATE POINT. THE 4X OFFICE
IS A DIGITAL ONE THAT CAN HAVE AN UNATTENDED EXCHANGE ATTACHED TO IT (KNOWN AS
A REMOTE SWITCHING UNIT-RSU).
THE FOLLOWING CHART WILL LIST THE OFFICE #, NAME, & HOW MANY OF THOSE
OFFICES EXISTED IN NORTH AMERICA IN 1981.
CLASS NAME ABB # EXISTING
----- ---------------- --- ------------
1 REGIONAL CENTER RC 12
2 SECTIONAL CENTER SC 67
3 PRIMARY CENTER PC 230
4 TOLL CENTER TC 1,30
4P TOLL POINT TP ?
4X INTERMEDIATE PT IP ?
5 END OFFICE EO 19,000
R RSU RSU ?
WHEN CONNECTING A CALL FROM ONE PARTY TO ANOTHER, THE SWITCHING EQUIPMENT
USUALLY TRIES TO FIND THE SHORTEST ROUTE BETWEEN THE CLASS 5 END OFFICE OF THE
CALLER & THE CLASS 5 END OFFICE OF THE CALLED PARTY. IF NO INTER-OFFICE TRUNKS
EXIST BETWEEN THE 2 PARTIES, IT WILL THEN MOVE UPTO THE NEXT HIGHEST OFFICE FOR
SERVICING (CLASS 4). IF THE CLASS 4 OFFICE CANNOT HANDLE THE CALL BY SENDING
IT TO ANOTHER CLASS 4 OR 5 OFFICE, IT WILL BE SENT TO THE NEXT OFFICE IN THE
HIERARCHY (3). THE SWITCHING EQUIPMENT FIRST USES THE HIGH-USAGE INTEROFFICE
TRUNK GROUPS, IF THEY ARE BUSY IT THEN GOES TO THE FINAL TRUNK GROUPS ON THE
NEXT HIGHEST LEVEL. IF THE CALL CANNOT BE CONNECTED THEN, YOU WILL PROBABLY GET
A RE-ORDER (120IPM BUSY SIGNAL) SIGNAL. AT THIS TIME, THE GUYS AT NETWORK
OPERATIONS ARE PROBABLY SHITTING IN THEIR PANTS AND TRYING TO AVOID THE DREADED
NETWORK DREADLOCK (AS SEEN ON TV!).
Page 108
The Official Phreaker's Manual
IT IS ALSO INTERESTING TO NOTE THAT 9 CONNECTIONS IN TANDEM IS CALLED
RING-AROUND-THE ROSY AND IT HAS NEVER OCCURRED IN TELEPHONE HISTORY. THIS
WOULD CASE AN ENDLESS LOOP CONNECTION. [ A NEAT WAY TO REALLY SCREW-UP THE
NETWORK].
THE 10 REGIONAL CENTERS IN THE US & THE 2 IN CANADA ARE ALL INTERCONNECTED.
THEY FORM THE FOUNDATION OF THE ENTIRE TELEPHONE NETWORK. SINCE THERE ARE ONLY
12 OF THEM, THEY ARE LISTED BELOW:
CLASS 1 REGIONAL OFFICE LOCATION NPA
---------------------------------- ---
DALLAS 4 ESS 214
WAYNE, PA 215
DENVER 4T 303
REGINA NO.2 SP1-4W [CANADA] 306
ST. LOUIS 4T 314
ROCKDALE, GA 404
PITTSBURGH 4E 412
MONTREAL NO.1 4AETS [CANADA] 504
NORWICH, NY 607
SAN BERNARDINO, CA 714
NORWAY, IL 815
WHITE PLAINS 4T, NY 914
THE FOLLOWING DIAGRAM DEMONSTRATES HOW THE VARIOUS OFFICES MAY BE
CONNECTED:
_________________________
_|_ _|_ _|_ REGIONAL
| | | | | | OFFICES
| 1 | <=--=> | 1 | <=--=> | 1 | <<==------
|___| |___| |___|
| OTHERS\/
_________________|_______________________|
_|_ _|_ _|_ _|__ _|_
| | | | | | | | | |
| 2 | | 3 | | 4 | | 4P | | 5 |
|___| |___| |___| |____| |___|
| | | |
|____ | _|__ |
_|_ _|_ | __|_ _|_ \
| || || | || | |_____
| 3 || 4 || | 4X || 5 | _|__ _|_
|___||___|| |____||___|| || |
| | | 4X || 5 |
__|_ | |____||___|
| ||_____________
| 5R | _______|_________
|____| | | |
_|_ _|_ _|_ __|_
| | | | | | | |
| R | | 4 | | 5 | | 5R |
|___| |___| |___| |____|
NOTE: THE PRECEDING DIAGRAM USED SPECIAL SYMBOLS FROM AN APPLE //E THAT MAY NOT
BE VIEWED AS I INTENDED THEM IF YOU ARE NOT USING AN APPLE//E OR //C.
SWITCHING EQUIPMENT
Page 109
The Official Phreaker's Manual
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
IN THE NETWORK, THERE ARE 3 MAJOR TYPES OF SWITCHING EQUIPMENT. THEY ARE
KNOWN AS: STEP, CROSSBAR, & ESS.
STEP-BY-STEP (SXS)
____________________________________________________________
THE STEP-BY-STEP, A/K/A THE STROWGER SWITCH OR TWO-MOTION SWITCH, WAS
INVENTED IN 1889 BY AN UNDERTAKER NAMED ALMON STROWGER. HE INVENTED THIS
MECHANICAL SWITCHING EQUIPMENT BECAUSE HE FELT THAT THE BIASED OPERATOR WAS
ROUTING ALL REQUESTS FOR AN 'UNDERTAKER' TO HER HUSBAND'S BUSINESS. BELL
STARTED USING THIS SYSTEM IN 1918 AS OF 1978, OVER 53% OF THE BELL EXCHANGES
USED THIS METHOD OF SWITCHING.
STEP-BY-STEP SWITCHING IS CONTROLLED DIRECTLY BY THE DIAL PULSES WHICH MOVE
A SERIES OF SWITCHES (CALLED THE SWITCH TRAIN) IN ORDER. WHEN YOU FIRST PICK UP
THE FONE UNDER SXS, A LINEFINDER ACKNOWLEDGES THE REQUEST (SOONER OR LATER) BY
SENDING A DIAL TONE. IF YOU THEN DIALED 1234, THE EQUIPMENT WOULD FIRST FIND
AN IDLE SELECTOR SWITCH. IT WOULD THEN MOVE VERTICALLY 1 PULSE, IT WOULD THEN
MOVE HORIZONTALLY TO FIND A FREE SECOND SELECTOR, IT WOULD THEN MOVE 2 VERTICAL
PULSES, STEP HORIZONTALLY TO FIND THE NEXT SELECTOR, ETC. THUS THE FIRST
SWITCH IN THE TRAIN TAKES NO DIGITS, THE SECOND SWITCH TAKES 1 DIGIT, THE THIRD
SWITCH TAKES 1 DIGIT, & THE LAST SWITCH IN THE TRAIN (CALLED THE CONNECTOR)
TAKES THE LAST 2 DIGITS & CONNECTS YOUR CALLS. A NORMAL (10,000 LINE) EXCHANGE
REQUIRES 4 DIGITS (0000-9999) TO CONNECT A LOCAL CALL & THUS IT TAKES 4
SWITCHES TO CONNECT EVERY CALL (LINEFINDER, 1ST & 2ND SELECTORS, & THE
CONNECTOR) .
WHILE IT WAS THE FIRST, SXS SUCKS FOR THE FOLLOWING REASONS:
[1] THE SWITCHED OFTEN BECOME JAMMED THUS THE CALLS OFTEN BECOME BLOCKED.
[2] YOU CAN'T USE DTMF (DUAL-TONE MULTI-FREQUENCY A/K/A TOUCH-TONE) DIRECTLY.
IT IS POSSIBLE THAT THE TELCO MAY HAVE INSTALLED A CONVERSION KIT BUT THEN THE
CALLS WILL GO THROUGH JUST AS SLOW AS PULSE, ANYWAY!
[3] THEY USE A LOT OF ELECTRICITY & MECHANICAL MAINTENANCE. (BAD FROM TELCO
POINT OF VIEW)
[4] EVERYTHING IS HARDWIRED.
THEY CAN STILL HOOK UP PEN REGISTERS & OTHER SHIT ON THE LINE SO IT IS NOT
EXACTLY A PHREAK HAVEN.
YOU CAN IDENTIFY SXS OFFICES BY:
(1) LACK OF DTMF OR PULSING DIGITS AFTER DIALING DTMF.
(2) IF YOU GO NEAR THE CO, IT WILL SOUND LIKE A TYPEWRITER TESTING FACTORY.
(3) LACK OF SPEED CALLING, CALL FORWARDING, & OTHER CUSTOMER SERVICES.
(4) FORTRESS FONES THAT WANT YOUR MONEY FIRST (AS OPPOSED TO DIAL TONE FIRST
ONES).
THE PRECEDING DON'T NECESSARILY IMPLY THAT YOU HAVE SXS BUT THEY SURELY
Page 110
The Official Phreaker's Manual
GIVE EVIDENCE THAT IT MIGHT BE. ALSO, IF ANY OF THE ABOVE CHARACTERISTICS
EXIST, IT CERTAINLY ISN'T ESS! ALSO, SXS HAVE PRETTY MUCH BEEN ERADICATED FROM
LARGE METROPOLITAN AREAS SUCH AS NYC (212).
CROSSBAR:
____________________________________________________________
THERE ARE 3 MAJOR TYPES OF CROSSBAR SYSTEMS CALLED: NO. 1 CROSSBAR (1XB),
NO. 4 CROSSBAR (4XB), & NO. 5 CROSSBAR (5XB). 5XB HAS BEEN THE PRIMARY END
OFFICE SWITCH OF BELL SINCE THE 60'S AND THUS IT IS IN WIDE-USE.
CROSSBAR USES A COMMON CONTROL SWITCHING METHOD. WHEN THERE IS AN INCOMING
CALL, A STORED PROGRAM DETERMINES ITS ROUTE THROUGH THE SWITCHING MATRIX.
IN CROSSBAR, THE BASIC OPERATION PRINCIPLE IS THAT A HORIZONTAL & A
VERTICAL LINE ARE ENERGIZED IN A MATRIX KNOWN AS THE CROSSPOINT MATRIX. THE
POINT WHERE THESE 2 LINES MEET IN THE MATRIX IS THE CONNECTION.
ESS
____________________________________________________________
ELECTRONIC SWITCHING SYSTEM (ESS) THE PHREAK'S NIGHTMARE COME TRUE (OR ORWELL'S
PROPHECY AS 2600 PUTS IT)
ESS IS BELL'S MOVE TOWARDS THE AIRSTRIP ONE SOCIETY DEPICTED IN ORWELL'S
1984. WITH ESS, EVERY SINGLE DIGIT THAT YOU DIAL IS RECORDED--EVEN IF IT IS A
MISTAKE. THEY KNOW WHO YOU CALL, WHEN YOU CALL, HOW LONG YOU TALKED FOR, &
PROBABLY WHAT YOU TALKED ABOUT (IN SOME CASES). ESS CAN (AND IS) ALSO
PROGRAMMED TO PRINT OUT #'S OF PEOPLE WHO MAKE EXCESSIVE CALLS TO 800 #'S OR
DIRECTORY ASSISTANCE. THIS IS CALLED THE "800 EXCEPTIONAL CALLING REPORT." ESS
COULD ALSO BE PROGRAMMED TO PRINT OUT LOGS OF WHO CALLS CERTAIN #'S--LIKE A
BOOKIE, A KNOWN COMMUNIST, A BBS, ETC THE THING TO REMEMBER WITH ESS IS THAT IT
IS A SERIES OF PROGRAMS WORKING TOGETHER. THESE PROGRAMS CAN BE VERY EASILY
CHANGED TO DO WHATEVER THEY WANT IT TO DO. ONE PHREAK WHOM I KNOW HAS SOME ESS
SOURCE CODE LISTING WHICH IS INCREDIBLY COMPLEX (AS WELL AS DOCUMENTED--GRACIAS
DIOS). THIS SYSTEM MAKES THE JOB OF BELL SECURITY, THE FBI, NSA, & OTHER
ORGANIZATIONS THAT LIKE TO INVADE PRIVACY INCREDIBLY EASY.
WITH ESS, TRACING IS DONE IN MICROSECONDS (EINE AUGENBLICK) & THE RESULTS
ARE PRINTED AT THE CONSOLE OF A BELL GESTAPO OFFICER. ESS WILL ALSO PICK UP
ANY "FOREIGN" TONES ON THE LINE SUCH AS 2600 HZ!
BELL PREDICTS THAT THE COUNTRY WILL BECOME TOTALLY ESS BY THE 1990'S.
YOU CAN IDENTIFY ESS BY THE FOLLOWING WHICH ARE USUALLY ESS FUNCTIONS:
[1] DIALING 911 FOR HELP.
[2] DIAL-TONE-FIRST FORTRESSES.
[3] CUSTOM CALLING SERVICES SUCH AS:CALL FORWARDING, SPEED DIALING, & CALL
WAITING. (ASK YOUR BUSINESS OFFICE IF YOU CAN GET THESE.)
[4] ANI (AUTOMATIC NUMBER IDENTIFICATION) ON LD CALLS.
PHREAKING DOES NOT COME TO A COMPLETE HALT UNDER ESS THOUGH--JUST BE VERY
CAREFUL, THOUGH!!!
DUE TO THE FACT THAT ESS SENDS A COMPUTER GENERATED "ARTIFICIAL RING,"
WHERE THE VOICE IS NOT CONNECTED DIRECTLY TO THE CALLED PARTIES LINE UNTIL HE
Page 111
The Official Phreaker's Manual
PICKS UP, BLACK BOXES & INFINITY TRANSMITTERS WILL NOT WORK!
NOTE: ANOTHER INTERESTING WAY TO FIND OUT WHAT TYPE OF EQUIPMENT YOU ARE ON IS
TO RAID THE TRASH CAN OF YOU LOCAL CO--THIS ART WILL DISCUSSED IN A SEPARATE
ARTICLE SOON.
COMING SOON:
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
IN THE PART V, WE WILL START TO TAKE A LOOK AT TELEPHONE ELECTRONICS.
FURTHER READING:
FOR MORE INFORMATION ON THE ABOVE TOPICS, I SUGGEST THE FOLLOWING:
NOTES ON THE NETWORK, AT&T, 1980.
UNDERSTANDING TELEPHONE ELECTRONICS,TEXAS INSTRUMENTS, 1983.
AND SUBSCRIPTIONS TO:
TAP, ROOM 603, 147 W 42 ST, NEW YORK, NY 10036. SUBSCRIPTIONS ARE
$10/YEAR.#BACK ISSUES ARE $0.75. THE CURRENT ISSUES IS #90 (JAN/FEB 1984)
2600, BOX 752, MIDDLE ISLAND, NY 11953. SUBSCRIPTIONS ARE $10/YEAR. BACKISSUES
ARE $1 EACH. THE CURRENT ISSUE IS #4 (APRIL 1984).
THEY ARE BOTH EXCELLENT SOURCES OF ALL SORTS OF INFORMATION (PRIMARILY
PHREAKING/HACKING).
NOTE: FOR THE MOST PART, I HAVE ASSUMED THAT YOU HAVE READ MY PREVIOUS 3
COURSES IN THE BASIC TELCOM SERIES.
HASTA LUEGO,
*****BIOC
*=$=*AGENT
*****003
APRIL 13, 1984 [THE YEAR OF BIG BROTHER]
<<=-FARGO 4A-=>>
Page 112
The Official Phreaker's Manual
************* << BIOC AGENT 003'S COURSE IN >> *************
* *
* $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ *
* %$ BASIC TELECOMMUNICATIONS $% *
* $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ *
* PART V *
* *
************************************************************
PREFACE:
PREVIOUS INSTALLMENTS OF THIS SERIES WERE FOCUSED ON TELEPHONY FROM A
NETWORK POINT-OF-VIEW. PART V WILL DEAL WITH TELEPHONE ELECTRONICS FOCUSING
PRIMARILY ON THE SUBSCRIBER'S TELEPHONE. HERE-IN-AFTER SIMPLY REFERRED TO AS
"FONE."
WIRING:
____________________________________________________________
ASSUMING A STANDARD ONE-LINE FONE, THERE ARE USUALLY 4 WIRES THAT LEAD OUT
OF THE FONE SET. THESE ARE STANDARDLY COLORED RED, GREEN, YELLOW, & BLACK.
THE RED & GREEN SIRES ARE THE TWO THAT ARE ACTUALLY HOOKED UP TO YOUR CO. THE
YELLOW WIRE IS SOMETIMES USED TO RING DIFFERENT FONES ON A PARTY LINE (IE, ONE
#, SEVERAL FAMILIES--FOUND PRIMARILY IN RURAL AREAS WHERE THEY PAY LESS FOR THE
SERVICE AND THEY DON'T USE THE FONE AS MUCH); OTHERWISE, THE YELLOW IS USUALLY
JUST IGNORED. ON SOME TWO-LINE FONES, THE RED & GREEN WIRES ARE USED FOR THE
FIRST FONE # AND THE YELLOW & BLACK ARE USED FOR THE SECOND LINE. IN THIS CASE
THERE MUST BE AN INTERNAL OR EXTERNAL DEVICE THAT SWITCHES BETWEEN THE TWO
LINES AND PROVIDES A HOLD FUNCTION. (SUCH AS RADIO SHACK'S OUTRAGEOUSLY PRICED
2 LINE & HOLD MODULE-9.
IN TELEPHONY, THE RED & GREEN WIRES ARE OFTEN REFERRED TO AS TIP (T) & RING
(R). THE TIP IS USUALLY THE MORE POSITIVE OF THE TWO WIRES. THIS NAMING GOES
BACK TO THE OLD OPERATOR CORD BOARDS WHERE ONE OF THE WIRES WAS THE TIP OF THE
PLUG AND THE OTHER WAS THE RING (OF THE BARREL).
A ROTARY FONE (AKA DIAL OR PULSE) WILL WORK FINE REGARDLESS WHETHER THE RED
(OR GREEN) WIRE IS CONNECTED THE TIP(+) OR RING(-). A TOUCH-TONE (TM) FONE IS
A DIFFERENT STORY, THOUGH. IT WILL NOT WORK EXCEPT IF THE TIP(+) IS THE GREEN
WIRE. [ALTHOUGH, SOME OF THE MORE EXPENSIVE DTMF FONES DO HAVE A RECTIFIER
BRIDGE WHICH COMPENSATES FOR POLARITY REVERSAL.] THIS I WHY UNDER CERTAIN
(NON-DIGITAL) SWITCHING EQUIPMENT YOU CAN REVERSE THE RED & GREEN WIRES ON A
TOUCH-TONE FONE AND RECEIVE FREE DTMF SERVICE. EVEN THOUGH IT WON'T BREAK DIAL
TONE, REVERSING THE WIRES ON A ROTARY LINE ON A DIGITAL SWITCH WILL CAUSE THE
TONES TO BE GENERATED.
VOLTAGES, ETC.
____________________________________________________________
WHEN YOUR TELEPHONE IS ON-HOOK (IE, HUNG UP) THERE IS APPROXIMATELY 48
VOLTS OF DC CURRENT (VDC) FLOWING THROUGH THE TIP & RING. WHEN THE HANDSET OF
A FONE IS LIFTED A FEW SWITCHES CLOSE WHICH CAUSE A LOOP TO BE CONNECTED (KNOWN
AS THE "LOCAL LOOP") BETWEEN YOUR FONE & THE CO. ONCE THIS HAPPENS DC CURRENT
IS ABLE TO FLOW THROUGH THE FONE WITH LESS RESISTANCE. THIS CAUSES A RELAY TO
ENERGIZE WHICH CAUSES OTHER CO EQUIPMENT TO REALIZE THAT YOU WANT SERVICE.
EVENTUALLY, YOU SHOULD END UP WITH A DIAL TONE. THIS ALSO CAUSES THE 48 VDC TO
DROP DOWN INTO THE VICINITY OF 13 VOLTS. THE RESISTANCE OF THE LOOP ALSO DROPS
BELOW THE 2500 OHM LEVEL.
Page 113
The Official Phreaker's Manual
AS OF NOW, YOU ARE PROBABLY SAYING TO YOURSELF THAT THIS IS ALL NICE AND
TECHNICAL BUT WHAT THE HELL GOOD IS THE INFORMATION. WELL, ALSO CONSIDER THAT
THIS VOLTAGE (& RESISTANCE) DROP IS HOW THE CO DETECTS THAT A FONE WAS TAKEN
OFF HOOK (PICKED UP). IN THIS WAY, THEY KNOW WHEN TO START BILLING THE CALLING
NUMBER. NOW WHAT DO YOU SUPPOSE WOULD HAPPEN IF A DEVICE SUCH AS A RESISTOR OR
A ZENER DIODE WAS PLACED ON THE CALLED PARTIES LINE SO THAT THE VOLTAGE WOULD
DROP JUST ENOUGH TO ALLOW TALKING BUT NOT ENOUGH TO START BILLING? FIRST OFF,
THE CALLING PARTY WOULD NOT BE BILLED FOR THE CALL BUT CONVERSATION COULD BE
PURSUED. SECONDLY, THE CO EQUIPMENT WOULD THINK THAT THE FONE JUST KEPT ON
RINGING. THE TELCO CALLS THIS A "NO-NO" (TOLL FRAUD TO BE MORE SPECIFIC) WHILE
PHONE PHREAKS AFFECTIONATELY CALL THIS MUTE A BLACK BOX.
THE FOLLOWING ARE INSTRUCTIONS ON HOW TO BUILD A SIMPLE BLACK BOX. OF
COURSE, ANYTHING THAT PREVENTS THE VOLTAGE FROM DROPPING WOULD WORK.
YOU ONE OR TWO PARTS: A SPST TOGGLE SWITCH AND A 10,000 OHM (10 K), 1/2
WATT RESISTOR. ANY ELECTRONICS STORE SHOULD STOCK THESE PARTS.
NOW, CUT 2 PIECES OF WIRE (ABOUT 6 INCHES LONG) AND ATTACH ONE END OF EACH
WIRE TO ONE OF THE TERMINALS ON THE SWITCH. NOW TURN YOUR K500 (STANDARD DESK
FONE) UPSIDE DOWN AND TAKE OFF THE COVER. LOCATE THE 2 SCREWS ON THE NETWORK
BOX LABELED >F< AND >RR<. WRAP THE RESISTOR BETWEEN THE 2 SCREWS MAKING SURE
THAT IT DOESN'T TOUCH ANY OTHER TERMINALS!. NOW CONNECT ONE WIRE FROM THE
SWITCH TO THE RR TERMINAL. FINALLY, ATTACH THE REMAINING WIRE TO THE GREEN WIRE
(DISCONNECT IT FROM ITS TERMINAL). NOW BRING THE SWITCH OUT THE REAR OF THE
FONE AND REPLACE THE COVER.
PUT THE SWITCH IN A POSITION WHERE YOU RECEIVE A DIAL TONE. MARK THIS
POSITION NORMAL. MARK THE OTHER SIDE FREE.
WHEN YOUR PHRIENDS CALL (AT A PREARRANGED TIME), QUICKLY LIFT & DROP THE
RECEIVER AS FAST A POSSIBLE. THIS WILL STOP THE RINGING (DO IT AGAIN IF IT
DOESN'T) WITH OUT STARTING THE BILLING. IT IS IMPORTANT THAT YOU DO IT QUICKLY
(LESS THAN ONE SECOND THEN PUT THE SWITCH IN THE FREE POSITION AND PICK UP THE
FONE. KEEP ALL CALL SHORT AND PREFERABLY UNDER 15 MINUTES.
NOTE: IF ANYONE PICKS UP AN EXTENSION IN THE CALLED PARTIES HOUSE AND THAT
FONE IS NOT SET FOR FREE THEN BILLING WILL START.
NOTE: AN OLD WAY OF SIGNALING A PHRIEND THAT YOU ARE ABOUT TO CALL IS
MAKING A COLLECT CALL TO A NON-EXISTENT PERSON IN THE HOUSE. SINCE YOUR FRIEND
WILL NOT ACCEPT THE CHARGES, HE WILL KNOW THAT YOU ARE ABOUT TO CALL AND THUS
PREPARE THE BLACK BOX (OR VISA VERSA).
WARNING: THE TELCO CAN DETECT BLACK BOXES IF THEY SUSPECT ONE ON YOUR LINE.
THIS IS DONE DUE TO THE PRESENCE OF AC VOICE SIGNAL AT THE WRONG DC LEVEL!
PICTORIAL DIAGRAM: (STANDARD ROTARY K500 FONE)
____________________________________________________________
_____________________________________
| |
***BLUE WIRE**>>F< |
| * * |
**WHITE WIRE** * |
| * |
| RESISTOR |
| * |
Page 114
The Official Phreaker's Manual
| * |
| >RR<*******SWITCH**** |
| * |
****GREEN WIRE********************** |
| |
|_____________________________________|
NOTE: THE BLACK BOX WILL NOT WORK UNDER ESS OR OTHER SIMILAR DIGITAL
SWITCHES SINCE ESS DOES NOT CONNECT THE VOICE CIRCUITS UNTIL THE FONE IS PICKED
UP (& BILLING STARTS). INSTEAD, ESS USES AN "ARTIFICIAL" COMPUTER GENERATED
RING.
RINGING:
____________________________________________________________
TO INFORM A SUBSCRIBER OF AN INCOMING CALL, THE TELCO SENDS 90 VOLTS (RMS)
OF AC CURRENT DOWN THE LINE (AT AROUND 15 TO 60 HZ) IN STANDARD FONES, THIS
CAUSES A METAL ARMATURE TO BE ATTRACTED ALTERNATELY BETWEEN TWO ELECTRO-MAGNETS
THUS STRIKING 2 BELLS. OF COURSE, THE STANDARD BELL (PATENTED IN 1878 BY TOM
A. WATSON) CAN BE REPLACED BY A MORE MODERN ELECTRONIC BELL OR SIGNALING
DEVICE.
ALSO, YOU CAN HAVE LIGHTS AND OTHER SIMILAR DEVICES IN LIEU OF (OR IN
CONJUNCTION WITH) THE BELL. A SIMPLE NEON LIGHT (WITH ITS CORRESPONDING
RESISTOR) CAN SIMPLY BE CONNECTED BETWEEN THE RED & GREEN WIRES (USUALLY L1 &
L2 ON THE NETWORK BOX) SO THAT IT LIGHTS UP ON INCOMING CALLS. A REGULAR 60
WATT LIGHT BULB CAN ALSO BE HOOKED UP USING A SIMPLE (120 VAC) RELAY.
WARNING: 90 & 120 VAC CAN GIVE QUITE A SHOCK. EXERCISE EXTREME CAUTION IF
YOU WISH TO FURTHER PURSUE THESE TOPICS.
ALSO INCLUDED IN THE RINGING CIRCUIT IS A CAPACITOR TO PREVENT THE DC
CURRENT FROM INTERFERING WITH THE BELL [A CAPACITOR WILL PASS AC CURRENT WHILE
IT WILL PREVENT DC CURRENT FROM FLOWING (BY STORING IT)].
ANOTHER REASON THAT THE TELCO HATES BLACK BOXES IS BECAUSE RINGING USES
ALOT OF COMMON-CONTROL EQUIPMENT, IN THE CO, WHICH USE ALOT OF ELECTRICITY.
THUS THE RINGING GENERATORS ARE BEING TIED UP WHILE A FREE CALL IS BEING MADE.
USUALLY CALLS THAT ARE ALLOWED TO RING FOR A LONG PERIOD OF TIME MAY BE
CONSTRUED AS SUSPICIOUS. SOME OFFICES MAY BE SET UP TO DROP A TROUBLE CARD FOR
LONG PERIODS OF RINGING THEN A "NO-NO" DETECTION DEVICE MAY BE PLACED ON THE
LINE.
INCIDENTALLY, THE TERM "RING TRIP" REFERS TO THE CO PROCESS INVOLVED TO
STOP THE AC RINGING SIGNAL WHEN THE CALLING FONE GOES OFF HOOK.
NOTE: IT IS SUGGESTED THAT YOU ACTUALLY DISSECT FONES TO HELP YOU BETTER
UNDERSTAND THEM. IT WILL ALSO HELP YOU TO BETTER UNDERSTAND THE CONCEPTS HERE
IF YOU ACTUALLY PROVE THEM TO YOURSELF. FOR EXAMPLE, ACTUALLY TAKE THE VOLTAGE
READINGS ON YOUR FONE LINE [ANY SIMPLE MULTI-TESTER (A MUST) WILL DO.]
PHREAKING IS AN INTERACTIVE PROCESS NOT A PASSIVE ONE!
DIALING:
____________________________________________________________
ON A STANDARD FONE, THERE ARE TWO COMMON TYPES OF DIALING: PULSE & DTMF.
OF COURSE, SOME PEOPLE INSIST UPON BEING DIFFERENT AND DON'T USE THE DT THUS
LEAVING THEM WITH MF (MULTI FREQUENCY, AKA OPERATOR, BLUE BOX) TONES. THIS IS
ANOTHER "NO-NO" AND THE TELCO SECURITY GENTLEMEN HAVE A SPECIAL KNACK FOR
DEALING WITH SUCH "PHREAKS" ON THE NETWORK.
Page 115
The Official Phreaker's Manual
WHEN YOU DIAL ROTARY, YOU ARE ACTUALLY RAPIDLY BREAKING & RECONNECTING
(MAKING) THE LOCAL LOOP ONCE FOR EVERY DIGIT DIALED. SINCE THE PHYSICAL
CONNECTION MUST BE BROKEN, YOU CANNOT DIAL IF ANOTHER EXTENSION (OF THAT #) IS
OFF-HOOK. NEITHER OF THE FONES WILL BE ABLE TO DIAL PULSE UNLESS THE OTHER
HANGS UP.
ANOTHER TERM OFTEN REFERRED TO IN TELEPHONE ELECTRONICS IS THE BREAK RATIO.
IN THE US, THERE ARE 10 PULSES PER SECOND (MAX). WHEN THE CIRCUIT IS OPENED IT
IS CALLED THE BREAK INTERVAL. WHEN IT IS CLOSED IT IS CALLED THE MAKE INTERVAL.
IN THE US, THERE IS A 60 MILLISECOND (MS) BREAK PERIOD AND A 40 MS MAKE PERIOD.
(60+40=100 MS = 1/10 MINUTE). THIS IS REFERRED TO AS A 60% BREAK INTERVAL.
SOME OF THE MORE SOPHISTICATED ELECTRONIC FONES CAN SWITCH BETWEEN A 60% & A
67% BREAK INTERVAL. THIS IS DUE TO THE FACT THAT MANY FOREIGN NATIONS USE A
67% BREAK INTERVAL.
HAVE YOU EVER BEEN IN AN OFFICE OR A SIMILAR FACILITY AND SAW A FONE
WAITING TO BE USED FOR A FREE CALL BUT SOME ASSHOLE PUT A LOCK ON IT TO PREVENT
OUTGOING CALLS?
WELL, DON'T FRET PHELLOW PHREAKS, YOU CAN SIMULATE PULSE DIALING BY RAPIDLY
DEPRESSING THE SWITCHOOK. (IF YOU DEPRESS IT FOR LONGER THAN A SECOND IT WILL
BE CONSTRUED AS A DISCONNECT.) BY RAPIDLY SWITCHOOKING YOU ARE CAUSING THE
LOCAL LOOP TO BE BROKEN & MADE SIMILAR TO ROTARY DIALING! THUS IF YOU CAN
MANAGE TO SWITCHOOK RAPIDLY 10 TIMES YOU CAN REACH AN OPERATOR TO PLACE ANY
CALL YOU WANT! THIS TAKES ALOT OF PRACTICE, THOUGH. YOU MIGHT WANT TO PRACTICE
ON YOUR OWN FONE DIALING A FRIEND'S # OR SOMETHING ELSE. INCIDENTALLY, THIS
METHOD WILL ALSO WORK WITH DTMF FONES SINCE ALL DTMF LINES CAN ALSO HANDLE
ROTARY.
ANOTHER PROBLEM WITH PULSE DIALING IS THAT IT PRODUCES HIGH-VOLTAGE SPIKES
THAT MAKE LOUD NOISES IN THE EARPIECE AND CAUSE THE BELL TO "TINKLE." IF YOU
NEVER NOTICED THIS THEN YOUR FONE HAS A SPECIAL "ANTI-TINKLE" & EARPIECE
SHORTING CIRCUIT (MOST DO). IF YOU HAVE EVER DISSECTED A ROTARY FONE (A MUST
FOR ANY SERIOUS PHREAK) YOU WOULD HAVE NOTICED THAT THERE ARE 2 SETS OF CONTACT
THAT OPEN AND CLOSE DURING PULSING (ON THE BACK OF THE ROTARY DIAL UNDER THE
PLASTIC COVER). ONE OF THESE ACTUALLY OPENS AND
CLOSES THE LOOP WHILE THE OTHER MUTES THE EARPIECE BY SHORTING IT OUT. THE
SECOND CONTACTS ALSO ACTIVATES A SPECIAL ANTI-TINKLE CIRCUIT THAT PUTS A 340
OHM RESISTOR ACROSS THE RINGING CIRCUIT WHICH PREVENTS THE HIGH VOLTAGE SPIKES
FROM INTERFERING WITH THE BELL.
DUAL TONE MULTI FREQUENCY (DTMF) IS A MODERN DAY IMPROVEMENT ON PULSE
DIALING IN SEVERAL WAYS. FIRST OF ALL, IT IS MORE CONVENIENT FOR THE USER
SINCE IT IS FASTER AND CAN BE USED FOR SIGNALING AFTER THE CALL IS COMPLETED
(IE, SCC'S, COMPUTERS, ETC.). ALSO, IT IS MORE UPTO PAR WITH MODERN DAY
SWITCHING EQUIPMENT (SUCH AS ESS) SINCE PULSE DIALING WAS DESIGNED TO ACTUALLY
MOVE RELAYS BY THE NUMBER OF DIGITS DIALED (IN SXS OFFICES).
EACH KEY ON A DTMF KEYPAD PRODUCES 2 FREQUENCIES SIMULTANEOUSLY (ONE FROM
THE HIGH GROUP AND ANOTHER FROM THE LOW GROUP).
_______________________________________________
LOW GROUP | | | | |
697 HZ-| Q | ABC | DEF | |
| 1 | 2 | 3 | A |
|___________|___________|___________|___________|
| | | | |
770 HZ-| GHI | JKL | MNO | |
| 1 | 2 | 3 | B |
|___________|___________|___________|___________|
| | | | |
852 HZ-| PRS | TUV | WXY | |
| 1 | 2 | 3 | C |
Page 116
The Official Phreaker's Manual
|___________|___________|___________|___________|
| | OPERATOR | | |
941 HZ-| | Z | | |
| * | 0 | # | D |
|___________|___________|___________|___________|
| | | |
1209 HZ 1336 HZ 1477 HZ 1633 HZ
HIGH GROUP
A PORTABLE DTMF KEYPAD IS KNOWN AS A WHITE BOX.
THE FOURTH COLUMN (1633 HZ) IS NOT NORMALLY FOUND ON REGULAR FONES BUT IT
DOES HAVE SEVERAL SPECIAL USES. FOR ONE, IT IS USED TO DESIGNATE THE PRIORITY
OF CALLS ON AUTOVON, THE MILITARY FONE NETWORK. THESE KEY ARE CALLED: FLASH,
IMMEDIATE, PRIORITY, & ROUTINE (WITH VARIATIONS) INSTEAD OF ABCD. SECONDLY,
THESE KEYS ARE USED FOR TESTING PURPOSES BY THE TELCO. IN SOME AREA YOU CAN
FIND LOOPS AS WELL AS OTHER NEAT TESTS (SEE PART II) ON THE 555-1212 DIRECTORY
ASSISTANCE EXCHANGE. FOR THIS, YOU WOULD CALL UP AN DA IN CERTAIN AREAS [THAT
HAVE AN AUTOMATIC CALL DISTRIBUTOR (ACD)] AND HOLD DOWN THE "D" KEY WHICH
SHOULD BLOW THE OPERATOR OFF. YOU WILL THEN HEAR A PULSING DIAL TONE WHICH
INDICATES THAT YOU ARE IN THE ACD INTERNAL TESTING MODE. YOU CAN GET ON ONE
SIDE OF A LOOP BY DIALING A 6. THE OTHER SIDE IS 7. SOME PHREAKS CLAIM THAT
IF THE PERSON ON SIDE 6 HANGS UP, OCCASIONALLY THE EQUIPMENT WILL SCREW UP AD
START DIRECTING DIRECTORY ASSISTANCE CALLS TO THE OTHER SIDE OF THE LOOP.
ANOTHER ALLEGED TEST IS CALLED REMOB WHICH ALLOWS YOU TO TAP INTO LINES BY
ENTERING A SPECIAL CODE FOLLOWED BY THE 7 DIGIT NUMBER YOU WANT TO MONITOR.
THEN THERE IS THE POSSIBILITY OF MASS CONFERENCING.
ACD'S ARE BECOME RARE THOUGH. YOU WILL PROBABLY HAVE TO MAKE SEVERAL
NPA-555- 1212 CALLS BEFORE YOU FIND ONE.
YOU CAN MODIFY REGULAR FONES QUITE READILY SO THAT THEY HAVE A SWITCH TO
CHANGE BETWEEN THE 3RD AND 4TH COLUMNS. THIS IS CALLED A SILVER BOX (AKA GREY
BOX) AD PLANS CAN BE FOUND IN TAP AS WELL AS ON MANY BBS'S.
TRANSMITTER/RECEIVER:
____________________________________________________________
WHEN YOU TALK INTO THE TRANSMITTER, THE SOUND WAVES FROM YOUR VOICE CAUSE A
DIAPHRAGM TO VIBRATE AND PRESS AGAINST THE CARBON GRANULES (OR ANOTHER SIMILAR
SUBSTANCE). THIS CAUSES THE CARBON GRANULES TO COMPRESS AND CONTRACT THUS
CHANGING THE RESISTANCE OF THE DC CURRENT FLOWING THROUGH IT. THEREFORE, YOUR
AC VOICE SIGNAL IS SUPERIMPOSED OVER THE DC CURRENT OF THE LOCAL LOOP. THE
RECEIVER WORKS IN A SIMILAR FASHION WHERE THE SIMPLE TYPES UTILIZE A MAGNET,
ARMATURE, & DIAPHRAGM.
HYBRID/INDUCTION COIL:
____________________________________________________________
AS YOU MAY HAVE NOTICED, THERE ARE TWO WIRES FOR THE RECEIVER AND TWO FOR
THE TRANSMITTER IN THE FONE, YET THE LOCAL LOOP CONSISTS OF 2 WIRES INSTEAD OF
4. THIS 4-WIRE TO 2-WIRE CONVERSION IS DONE INSIDE THE FONE BY A DEVICE KNOWN
AS AN INDUCTION COIL WHICH USES COUPLING TRANSFORMERS.
THE REASON 2 SIRES ARE USED ON THE LOCAL LOOPS ARE BECAUSE IT IS ALOT
CHEAPER FOR THE TELCO. ALTHOUGH, ALL OF THE INTER-OFFICE TRUNKS UTILIZE 4
WIRES. THIS IS NECESSARY FOR FULL DUPLEX (IE, SIMULTANEOUS CONVERSATION ON
BOTH SIDES) AND FOR AMPLIFICATION DEVICES. THERE ARE SIMILAR DEVICES IN THE
CO'S, KNOWN AS A HYBRID, THAT COUPLE THE 4-WIRE TRUNKS TO THE 2-WIRE LOCAL
LOOPS AND VISA-VERSA.
Page 117
The Official Phreaker's Manual
MISCELLANEOUS:
____________________________________________________________
IN THE TELEPHONE, THERE IS ALSO A BALANCING NETWORK CONSISTING OF A FEW
CAPACITORS & RESISTORS WHICH PROVIDE SIDETONE. SIDETONE ALLOWS THE CALLER TO
HEAR HIS OWN VOLUME IN THE RECEIVER. HE CAN THEN ADJUST HIS VOICE ACCORDINGLY.
THIS PREVENTS PEOPLE FROM SHOUTING OR SPEAKING TOO SOFTLY WITHOUT NOTICING IT.
HOLD:
____________________________________________________________
WHEN A TELEPHONE GOES OFF HOOK, THE RESISTANCE DROPS BELOW 2500 OHMS. AT
THIS POINT, THE TELCO WILL SEND A DIAL TONE. TO PUT SOMEONE ON HOLD YOU MUST
PUT A 1000 OHM RESISTOR (1 WATT) ACROSS THE TIP & RING BEFORE IT REACHES THE
SWITCHOOK. IN THIS WAY, WHEN THE FONE IS HUNG UP (FOR HOLD) THE RESISTANCE
REMAINS BELOW 2500 OHMS WHICH CAUSES THE CO TO BELIEVE THAT YOU ARE STILL
OFF-HOOK. YOU CAN BUILD A SIMPLE HOLD DEVICE USING THE FOLLOWING PICTORIAL
DIAGRAM:
(RED) O_________________________
[L1] | | |
| | |
1000 OHM | \
| | \
RESISTOR RINGING |
| CIRCUIT | -SWITCH
| | | HOOK
/ | |
/ SPST SWITCH | \
| | \
| | |
| | |
(GREEN) O__|_____________|______|
[L2]
--> TO REST OF FONE
CONCLUSION:
____________________________________________________________
NOTE: MANY OF THE ELECTRONICS COMPONENTS OF NORMAL FONES (K500) ARE
ENCLOSED IN THE NETWORK BOX (WHICH SHOULDN'T BE OPENED).
I HAVE ASSUMED THAT THE READER HAS A BASIC KNOWLEDGE OF ELECTRONICS. ALSO,
I HAVE ASSUMED THAT YOU HAVE READ THE 4 PREVIOUS INSTALLMENTS OF THIS SERIES
(AND HOPEFULLY ENJOYED THEM).
IN PART VI, WE WILL TAKE A LOOK AT FORTRESS FONES.
SUGGESTED FURTHER READING:
____________________________________________________________
ELECTRONICS COURSES A-D, TAP, @ $.75 EACH.
ELECTRONIC TELEPHONE PROJECTS, A.J. CARISTI, HOWARD SAMS BOOKS.
EVERYTHING YOU ALWAYS WANTED TO KNOW ABOUT 1633 HZ TONES BUT WERE AFRAID TO
ASK, THE MAGICIAN, TAP, ISSUE #62.
Page 118
The Official Phreaker's Manual
FREE BELL PHONE CALLS, TAP, FACT SHEET #2, @ $.50.
FREE GTE PHONE CALLS, TAP, FACT SHEET #3, @ $.50.
HOW TO MODIFY YOUR BELL TOUCH TONE FONE TO HAVE 1633 CYCLE TONES, TAP, ISSUE
#63.
MODIFYING YOUR PHONE FOR 1633 HZ (NEW ELECTRONIC KEYPADS), FRED STEINBECK, TAP,
ISSUE #84.
NOTES ON THE NETWORK, AT&T.
THE PHONE BOOK, J. EDGAR HYDE.
REGULATING THE TELEPHONE COMPANY IN YOUR HOME, RAMAPART MAGAZINE, JUNE 1972.
REMOBS, TAP #91 (NOT YET PUBLISHED AS OF THIS WRITING).
UNDERSTANDING TELEPHONE ELECTRONICS, TEXAS INSTRUMENTS.
& OTHER ASSORTED SOURCES...
TAP: ROOM 603/147 W 42 ST./NEW YORK, NY 10036. PLEASE SPECIFY BY BACKISSUE
#'S (NOT ARTICLE NAMES). ALL BACK-ISSUES ARE $1 EACH. SUBSCRIPTIONS ARE
$10/YEAR (10 ISSUES). SAY THAT BIOC AGENT 003 SENT YOU.
Page 119
The Official Phreaker's Manual
************* << BIOC AGENT 003'S COURSE IN >> *************
* *
* $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ *
* %$ BASIC TELECOMMUNICATIONS $% *
* $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ *
* PART VI *
* *
************************************************************
REVISED: 27-OCT-84
Preface:
This article will focus primarily on the standard Western Electric
single-slot coin telephone (aka fortress fone) which can be divided into 3
types:
- Dial-Tone First (DTF)
- Coin-First (CF): (ie, it wants your $ before you receive a dial tone)
- Dial Post-Pay Service (PP): you pay after the party answers
Depositing Coins (Slugs):
____________________________________________________________
Once you have deposited your slug into a fortress, it is subjected to a
gamut of tests. The first obstacle for a slug is the magnetic trap. This will
stop any light-weight magnetic slugs and coins. If it passes this, the slug is
then classified as a nickel, dime, or quarter. Each slug is then checked for
appropriate size and weight. If these tests are passed, it will then travel
through a nickel, dime, or quarter magnet as appropriate. These magnets set up
an eddy current effect which causes coins of the appropriate characteristics to
slow down so they will follow the correct trajectory. If all goes well, the
coin will follow the correct path (such as bouncing off of the nickel anvil)
where it will hopefully fall into the narrow accepted coin channel.
The rather elaborate tests that are performed as the coin travels down the
coin chute will stop most slugs and other undesirable coins, such as pennies,
which must then be retrieved using the coin release lever.
If the slug miraculously survives the gamut, it will then strike the
appropriate totalizer arm causing a ratchet wheel to rotate once for every
5-cent increment (eg, a quarter will cause it to rotate 5 times).
The totalizer then causes the coin signal oscillator to readout a
dual-frequency signal indicating the value deposited to ACTS (a computer) or
the TSPS operator. These are the same tones used by phreaks in the infamous red
boxes.
For a quarter, 5 beep tones are outpulsed at 12-17 pulses per second (PPS).
A dime causes 2 beep tones at 5 - 8.5 PPS while a nickel causes one beep tone
at 5 - 8.5 PPS. A beep consists of 2 tones: 2200 + 1700 Hz.
A relay in the fortress called the "B relay" (yes, there is also an 'A
relay') places a capacitor across the speech circuit during totalizer read-out
to prevent the "customer" from hearing the red box tones.
In older 3 slot phones: one bell (1050-1100 Hz) for a nickel, two bells
for a dime, and one gong (800 Hz) for a quarter are used instead of the modern
dual-frequency tones.
TSPS & ACTS
____________________________________________________________
Page 120
The Official Phreaker's Manual
While fortresses are connected to the CO of the area, all transactions are
handled via the Traffic Service Position System (TSPS). In areas that do not
have ACTS, all calls that require operator assistance, such as calling card and
collect, are automatically routed to a TSPS operator position.
In an effort to automate fortress service, a computer system known as
Automated Coin Toll Service (ACTS) has been implemented in many areas. ACTS
listens to the red box signals from the fones and takes appropriate action. It
is ACTS which says, "Two dollars please (pause) Please deposit two dollars for
the next ten seconds" (and other variations). Also, if you talk for more than
three minutes and then hang-up, ACTS will call back and demand your money.
ACTS is also responsible for Automated Calling Card Service.
ACTS also provide trouble diagnosis for craftspeople (repairmen
specializing in fortresses). For example, there is a coin test which is great
for tuning up red boxes. In many areas this test can be activated by dialing
09591230 at a fortress (thanks to Karl Marx for this information). Once
activated it will request that you deposit various coins. It will then identify
the coin and outpulse the appropriate red box signal. The coins are usually
returned when you hang up.
To make sure that there is actually money in the fone, the CO initiates a
"ground test" at various times to determine if a coin is actually in the fone.
This is why you must deposit at least a nickel in order to use a red box!
Green Boxes:
____________________________________________________________
Paying the initial rate in order to use a red box (on certain fortresses)
left a sour taste in many red boxer's mouths thus the GREEN BOX was invented.
The green box generates useful tones such as COIN COLLECT, COIN RETURN, and
RINGBACK. These are the tones that ACTS or the TSPS operator would send to the
CO when appropriate. Unfortunately, the green box cannot be used at a fortress
station but it must be used by the CALLED party.
Here are the tones:
COIN COLLECT 700 + 1100 Hz
COIN RETURN 1100 + 1700 Hz
RINGBACK 700 + 1700 Hz
Before the called party sends any of these tones, an operator released
signal should be sent to alert the MF detectors at the CO. This can be
accomplished by sending 900 + 1500 Hz or a single 2600 Hz wink (90 ms) followed
by a 60 ms gap and then the appropriate signal for at least 900 ms.
Also, do not forget that the initial rate is collected shortly before the 3
minute period is up.
Incidentally, once the above MF tones for collecting and returning coins
reach the CO, they are converted into an appropriate DC pulse (-130 volts for
return & +130 volts for collect). This pulse is then sent down the tip to the
fortress. This causes the coin relay to either return or collect the coins.
The alleged "T-Network" takes advantage of this information. When a pulse
for COIN COLLECT (+130 VDC) is sent down the line, it must be grounded
somewhere. This is usually either the yellow or black wire. Thus, if the wires
are exposed, these wires can be cut to prevent the pulse from being grounded.
When the three minute initial period is almost up, make sure that the black &
yellow wires are severed; then hang up, wait about 15 seconds in case of a
second pulse, reconnect the wires, pick up the fone, hang up again, and if all
goes well it should be "JACKPOT" time.
Page 121
The Official Phreaker's Manual
Physical Attack:
____________________________________________________________
A typical fortress weighs roughly 50 lbs. with an empty coin box. Most of
this is accounted for in the armor plating. Why all the security? Well, Bell
contributes it to the following:
"Social changes during the 1960's made the multislot coin station a
prime target for: vandalism, strong arm robbery, fraud, and theft of service.
This brought about the introduction of the more rugged single slot coin station
and a new environment for coin service."
As for picking the lock, I will quote Mr. Phelps:
"We often fantasize about 'picking the lock' or 'getting a master
key.' Well, you can forget about it. I don't like to discourage people, but it
will save you from wasting alot of your time--time which can be put to better
use (heh, heh)."
As for physical attack, the coin plate is secured on all four side by
hardened steel bolts which pass through two slots each. These bolts are in
turn interlocked by the main lock.
One phreak I know did manage to take one of the 'mothers' home (which was
attached to a piece of plywood at a construction site; otherwise, the permanent
ones are a bitch to detach from the wall!). It took him almost ten hours to
open the coin box using a power drill, sledge hammers, and crow bars (which was
empty -- perhaps next time, he will deposit a coin first to hear if it slushes
down nicely or hits the empty bottom with a clunk.)
Taking the fone offers a higher margin of success. Although this may be
difficult often requiring brute force and there has been several cases of back
axles being lost trying to take down a fone! A quick and dirty way to open the
coin box is by using a shotgun. In Detroit, after ecologists cleaned out a
municipal pond, they found 168 coin phones rifled.
In colder areas, such as Canada, some shrewd people tape up the fones using
duct tape, pour in water, and come back the next day when the water will have
froze thus expanding and cracking the fone open.In one case:
"unauthorized coin collectors" where caught when they brought $6,000 in
change to a bank and the bank became suspicious...
At any rate, the main lock is an eight level tumbler located on the right
side of the coin box. This lock has 390,625 possible positions (5 ^ 8, since
there are 8 tumblers each with 5 possible positions) thus it is highly pick
resistant! The lock is held in place by 4 screws. If there is sufficient
clearance to the right of the fone, it is conceivable to punch out the screws
using the drilling pattern below (provided by Alexander Mundy in TAP)
Page 122
The Official Phreaker's Manual
Chapter 5
What is covered in these last few articles, is the essence of phreaking,
blue boxing & equal access. These last articles, I hope will be the final
stage of phreak education for now. Basic telecommunications 7 is a brief intro
to the art of blue boxing, while Better Homes & Blue Boxing will cover it in
full. Equal access will be an interesting switch, it is installed in my area
already and I have been investigating it. One thought is to call MCI operators
and box through them, over MCI lines...
Page 123
The Official Phreaker's Manual
************* << BIOC AGENT 003'S COURSE IN >> *************
* *
* $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ *
* %$ BASIC TELECOMMUNICATIONS $% *
* $%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$%$ *
* PART VII *
* *
************************************************************
Preface:
After most neophyte phreaks overcome their fascination with Metro codes and
WATS extenders, they will usually seek to explore other avenues in the vast
phone network. Often they will come across references such as "simply dial KP
+ 2130801050 + ST for the Alliance teleconferencing system in LA.". Numbers
such as the one above were intended to be used with a blue box; this article
will explain the fundamental principles of the fine art of blue boxing.
Genesis:
____________________________________________________________
In the beginning, all long distance calls were connected manually by
operators who passed on the called number verbally to other operators in
series. This is because pulse (aka rotary) digits are created by causing
breaks in the DC current (see Basic Telcom V). Since long distance calls
require routing through various switching equipment and AC voice amplifiers,
pulse dialing cannot be used to send the destination number to the end local
office (CO).
Eventually, the demand for faster and more efficient long distance (LD)
service caused Bell to make a multi-billion dollar decision. They had to create
a signaling system that could be used on the LD Network. Basically, they had
two options:
[1] To send all the signaling and supervisory information (ie, ON & OFF
HOOK) over separate data links. This type of signaling is referred to as
out-of-band signaling.
-or-
[2] To send all the signaling information along with the conversation
using tones to represent digits. This type of signaling is referred to as
in-band signaling.
Being the cheap bastard that they naturally are, Bell chose the latter (and
cheaper) method -- IN-BAND signaling. They eventually regretted this, though
(heh, heh)...
IN-BAND SIGNALING PRINCIPLES:
____________________________________________________________
When a subscriber dials a telephone number, whether in rotary or touch-tone
(aka DTMF), the equipment in the CO interprets the digits and looks for a
convenient trunk line to send the call on its way. In the case of a local
call, it will probably be sent via an inter-office trunk; otherwise, it will be
sent to a toll office (class 4 or higher -- see Telcom IV) to be processed.
When trunks are not being used there is a 2600 Hz tone on the line; thus,
to find a free trunk, the CO equipment simply checks for the presence of 2600
Hz. If it doesn't find a free trunk the customer will receive a re-order signal
Page 124
The Official Phreaker's Manual
(120 IPM busy signal) or the "all circuits are busy..." message. If it does
find a free trunk it "seizes" it -- removing the 2600 Hz. It then sends the
called number or a special routing code to the other end or toll office.
The tones it uses to send this information are called multi-frequency (MF)
tones. An MF tone consists of two tones from a set of six master tones which
are combined to produce 12 separate tones. You can sometimes hear these tones
in the background when you make a call but they are usually filtered out so
your delicate ears cannot hear them. These are NOT the same as touch-tones.
To notify the equipment at the far end of the trunk that it is about to
receive routing information, the originating end first sends a Key Pulse (KP)
tone. At the end of sending the digits, #he originating end then sends a STart
(ST) tone. Thus to call 914-359-1517, the equipment would send KP + 9143591517
+ ST in MF tones. When the customer hangs up, 2600 Hz is once again sent to
signify a disconnect to the distant end.
History:
____________________________________________________________
In the November 1960 issue of The Bell System Technical Journal, an article
entitled "Signaling Systems for Control of Telephone Switching" was published.
This journal, which was sent to most university libraries, happened to contain
the actual MF tones used in signaling. They appeared as follows:
Digit Tones
----- -----
1 700 + 900 Hz
2 700 + 1100 Hz
3 900 + 1100 Hz
4 700 + 1300 Hz
5 900 + 1300 Hz
6 1100 + 1300 Hz
7 700 + 1500 Hz
8 900 + 1500 Hz
9 1100 + 1500 Hz
0 1300 + 1500 Hz
KP 1100 + 1700 Hz
ST 1500 + 1700 Hz
11 (*) 700 + 1700 Hz
12 (*) 900 + 1700 Hz
KP2 (*) 1300 + 1700 Hz
(*) Used only on CCITT SYSTEM 5 for special international calling.
Bell caught wind of blue boxing in 1961 when it caught a Washington state
college student using one. They originally found out about blue boxes through
police raids and informants. In 1964, Bell Labs came up with scanning
equipment, which recorded all suspicious calls, to detect blue box usage.
These units were installed in CO's where major toll fraud existed. AT&T
Security would then listen to the tapes to see if any toll fraud was actually
committed. Over 200 convictions resulted from the project. Surprisingly
enough, blue boxing is not solely limited to the electronics enthusiast; AT&T
has caught businessmen, film stars, doctors, lawyers, college students, high
school students and even a millionaire financier (Bernard Cornfeld) using the
device. AT&T also said that nearly half of those that they catch are
businessmen.
Page 125
The Official Phreaker's Manual
Of course, phone phreaks have achieved an almost cult status. They have
also had their fair share of media. In October 1971, Esquire published the
infamous "Secrets of the Little Blue Box" article which featured phreaks such
as Captain Crunch, who took his name from the cereal which one gave away
whistles that produced a perfect 2600 Hz pitch; Joe Engressia, the blind
phreak; and Mark Bernay, one of the nation's first and oldest phreaks. Others
such as Apple computer co-founders Steve Wozniak & Steve Jobs have also had
blue box backgrounds. 1971 also saw the publication of the first issue of YIPL,
the phone phreak newsletter, (now TAP) under the editorship of supreme yippie
Abbie Hoffman.
Usage:
____________________________________________________________
To use a blue box, one would usually make a free call to any 800 number or
distant directory assistance (NPA-555-1212). This, of course, is legitimate.
When the call is answered, one would then swiftly press the button that would
send 2600 Hz down the line. This has the effect of making the distant CO
equipment think that the call was terminated and it leaves the trunk hanging.
Now, the user has about 10 seconds to enter in the telephone number he wished
to dial -- in MF, that is. The CO equipment merely assumes that this came from
another office and it will happily process the call. Since there are no records
(except on toll fraud detection devices!) of these MF tones, the user is not
billed for the call. When the user hangs up, the CO equipment simply records
that he hung up on a free call.
Detection:
____________________________________________________________
Bell has had 20 years to work on detection devices; therefore, in this day
and age, they are rather well refined. Basically, the detection device will
look for the presence of 2600 Hz where it does not belong. It then records the
calling number and all activity after the 2600 Hz. If you happen to be at a
fortress fone, though, and you make the call short, your chances of getting
caught are significantly reduced (see Telcom VI). Incidentally, there have been
rumors of certain test numbers (see Telcom II) that hook directly into trunks
thus avoiding the need for 2600 Hz and detection!
Another way that Bell catches boxers is to examine the CAMA (Centralized
Automatic Message Accounting) tapes. When you make a call, your number, the
called number, and time of day are all recorded. The same thing happens when
you hang up. This tape is then processed for billing purposes. Normally, all
free calls are ignored. But Bell can program the billing equipment to make note
of lengthy calls to directory assistance. They can then put a pen register
(aka DNR) on the line or an actual full-blown tap. This detection can be
avoided by making short-haul (aka local) calls to box off of.
It is interesting to note that NPA+555-1212 originally did not return
answer supervision. Thus the calls were not recorded on the AMA/CAMA tapes.
AT&T changed this though for "traffic studies!"
CCIS:
____________________________________________________________
Besides detection devices, Bell has begun to gradually redesign the network
using out-of-band signaling. This is known as Common Channel Inter-office
Signaling (CCIS). Since this signaling method sends all the signaling
information over separate data lines, blue boxing is impossible under it.
Page 126
The Official Phreaker's Manual
While being implemented gradually, this multi-billion dollar project is
still strangling the fine art of blue boxing. Of course until the project is
totally complete, boxing will still be possible. It will become progressively
harder to find places to box off of, though. In areas with CCIS, one must find
a directory assistance office that doesn't have CCIS yet. Area codes in Canada
and predominately rural states are the best bets. WATS numbers terminating in
non-CCIS cities are also good prospects.
Pink Noise:
____________________________________________________________
Another way that may help to avoid detection is too add some "pink noise"
to the 2600 Hz tone. Since 2600 Hz tones can be simulated in speech, the
detection equipment must be careful not to misinterpret speech as a disconnect
signal. Thus a virtually pure 2600 Hz tone is required for disconnect.
Keeping this in mind, the 2600 Hz detection equipment is also probably
looking for pure 2600 Hz or else is would be triggered every time someone hit
that note (highest E on a piano =2637 Hz). This is also the reason that the
2600 Hz tone must be sent rapidly; sometimes, it won't work when the operator
is saying "Hello, hello." It is feasible to send some "pink noise" along with
the 2600 Hz. Most of this energy should be above 3000 Hz. The pink noise
won't make it into the toll network (where we want our pure 2600 Hz to hit) but
it should make it past the local CO and thus the fraud detectors.
Construction:
____________________________________________________________
While step-by-step details for the construction of a blue box is beyond the
scope of this tutorial, it is worthwhile to mention some of the details.
First there are some alternatives but they are not as good as an actual
blue box. Many computers are capable of generating MF tones. Thus, your local
phriendly software pirate should have a program compatible for your computer.
However, it is highly advisable not to box from home as stated in The Ten
Commandments (as interpreted for phreaks by Fred Steinbeck -- TAP #86).
I. Box thou not over thine home telephone wires, for those who doest must
surely bring the full wrath of the Chief Special Agent down upon thy heads.
Another alternative that has a moderate success rate involves recording the
tones from a phriend with a box or computer onto a cassette tape. They can
then be used at a fortress.
As for actual construction techniques, TAP has devoted many issues to blue
boxing. Basically, a blue box is merely a device capable of generating two
different tones simultaneously. There are two basic construction methods that I
will outline below for the electronics hobbyist.
The first involves the use of two 555 timer chips (or a 556 -- i.e., two
555's in one chip). It offers excellent frequency and voltage stability.
Also, it does not need a diode matrix keypad but used double-pole switches
instead. Schematics for this type of box can be found in TAP issue #29.
The other common box makes use of two Intersil 8038CC Function Generators.
It does require a diode matrix keypad though, potentiometers, an LM-100 voltage
Page 127
The Official Phreaker's Manual
regulator, a 741 Op-amp, and a handful of other parts. The schematics for this
type of blue box can be found in TAP #26. Both designs draw about 20 ma of
current.
Also, most blue boxes use telephone earpieces (with the varistor removed)
for speakers. These can be easily liberated from fortress fones with a small
coping saw.
Usually, the hardest part about building a blue box is the calibration. A
frequency counter is a must and an oscilloscope won't hurt.
Some boxes also take timing into account. It is feasible on the ESS
systems that they check to see if the digits are of uniform length. If they
aren't, they are probably from a blue box and a trouble card may be dropped.
With this in mind, the Bell standard for MF pulses and interdigit intervals is
around 75 ms. It varies with the equipment used since ESS can handle higher
speeds and doesn't need interdigit intervals.
Applications:
____________________________________________________________
Besides dialing normal calls free, i.e., KP+NPA+NNX+XXXX+ST, blue boxes
offer the entire network for exploration. Emergency break-ins, service
monitoring (aka taps), stacking tandems (the art of busying out all trunks
between two points), re-routing calls, conference calls, and much, much more
are all feasible. Although, Bell frequently changes these codes due to
phreaks. Here are some standard ones, though:
Operator & Other Codes:
____________________________________________________________
(an optional NPA may proceed all of the numbers; otherwise, you will reach
the one local for the area where the call is originated)
001 -- Trunk Access System
009 -- Rate Quote System
101 -- toll office test board
121 -- INWARD Operator
This operator assists the local "0" operator in completing calls. (S)he
will do virtually anything for you providing it is within her NPA.
131 -- Operator Directory assistance
141 -- Rout & Rate
141 defunct -- use KP + 800 + 141 +1212 + ST)
These operators are very useful if you know how to mumble a few cryptic
phrases as compiled below (with thanks to Fred Steinbeck): To find out.....Area
Codes
For example say , "Miami, Florida, numbers route, please." The R&R
operator will tell you "305 plus," meaning that 305 plus the seven digit number
will get you Miami.
... Inward Operator City Codes
Usually, the INWARD operator for an area is simply KP + NPA + 121 +
ST. In some area codes, though, there are several large cities and thus
Page 128
The Official Phreaker's Manual
several inwards. To find the inward for a specific city, you would say "916
756, operator route, please" to the R&R operator who will then tell you "916
plus 001 plus." This means that KP+ 916 + 001 + 121 + ST will get you an
inward for Sacramento, CA (916-756).
... City names
If you want to know the city that corresponds to an area code and
exchange, you simply tell the R&R, "Place name, 914 390, please." In this
example, the R&R operator will respond with "White Plains, NY."
... International Directory Assistance
If you need a directory route for London, you could say
"International, London, England. TSPS directory route, please." The R&R
operator will respond with "Directory to London, England. Country code 44 plus
1 plus 986 plus 3611." Therefore to get a DA operator in London, you would
route yourself to an international sender and KP + 04419863611 + ST.
... Country & City codes
If you need to know the country and city code for an international
number you can say "International, Sydney, Australia, TSPS numbers route,
please" and get "Country code 61 plus 2."
... International Inwards Routes
To get routing codes for international inwards say "International,
London, England, TSPS inward route, please." The R&R Operator will respond with
"Country code 44 plus 121."
Finally, to get language assistance for completing a foreign call you can
tell the foreign inward, "United States calling. Language assistance in
completing a call to (called party) at (called number)."
151 -- Overseas incoming (212 +& 914+)
160-XX0 -- Various Overseas Operators
161 -- Trouble reporting operator (defunct)
181 -- Coin Refund Operator
18X -- Overseas senders
To make an international call, one would KP + 011 + 0CC + ST where CC is
the country code. This will route you to the appropriate overseas sender. You
will then receive a 480 Hz dial tone. Here you enter KP + 0CC + city code +
local number + ST and the call is on its way.
Country codes can be either 1, 2, or 3 digits but they must be padded for
three digits to create a pseudo-country code with extra zero's if necessary.
For example, England, country code 44, becomes 044.
To see which international sender a certain country (lets use French
Guiana, country code 594, for example) goes through, you can dial KP + 011 +
594 + ST, wait for the Proceed to Send tone then KP + 000 + 0000 + ST and you
will receive a recording saying which ISC (International Switching Center) it
is. For the example it will say, "This is the international switching center
in Pittsburg, PA -- This is a recording - 4121." You can actually route calls
to certain senders yourself (KP + NPA + 18X + ST) but it is better off not to
since it may look suspicious if a call is sent through a sender that it
Page 129
The Official Phreaker's Manual
shouldn't go through. Here are the senders:
182 -- White Plains, NY
183 -- New York, NY
184 -- Pittsburg, PA
185 -- Orlando, FL
186 -- Oakland, CA
187 -- Denver, CO
188 -- New York, NY
Also, there tends to be alot of talk about the Code 11, Code 12, KP2, STP,
ST3P, & ST2P keys. While they do exist the blue boxer need not concern himself
with them. The first three are used on CCITT System 5. This is the signaling
system that the International Senders use to send information to other
countries. These codes are usually added automatically just like the language
assistance digit [which distinguishes operator (or blue box) dialed calls from
customer dialed calls]. The STP, ST3P, & ST2P tones are used when equipment is
communicating with the TSPS. These also are automatically added when needed in
most cases.
[see Telcom III for more on International Switching Centers (ISC)]
11XXX -- miscellaneous operators
11501 -- universal cordboard operator
11511 -- conference operator
11521 -- mobile operator
11531 -- marine operator
11541 -- LD incoming switchboard
11551 -- leave word for time & charges (neat stuff)
11561 -- same as 11551 but for hotel/motels
11571 -- overseas operators (language assistance)
The 11XXX series is interesting scanning material.
Miscellaneous Routing Codes :
____________________________________________________________
Alliance Teleconferencing has several numbers, a few of which are listed
below:
KP + 213 080 XXXX + ST
KP + 305 025 XXXX + ST
KP + 312 001 XXXX + ST
XXXX = 1050, 1100, or a few others
Also, at KP + 317 009 + ST there is a MF tone checker. After the
beep-kerclunk, dial in KP + 999 1234567 890 + ST and it will repeat the digits
that you pulsed if they are of the right frequency.
Tandem Scanning:
____________________________________________________________
To find all sorts of interesting things, you must look. Begin scanning
three digit codes in your area (i.e., KP + 000 + ST, KP + 001 + ST, etc.). Keep
track of all of your results. Sometimes you must probe things, send additional
digits and see what happens, send touch-tone, send it 2600 Hz, rip it apart.
You never know, you may run into something phun, like a computer that checks CC
numbers.
Page 130
The Official Phreaker's Manual
Incidentally, in some exchange you can dial inwards and other box codes
directly! For example, 914-121-1111 will get you a NY inward. The only problem
is that a 0 or 1 as the first digit of the exchange is usually *prohibited in
customer dialing. Somebody may have "accidentally" changed this screening code
on your ESS's computer, though -- you never know and it can't hurt to try.
WATS translation numbers also take up some of the 0XX & 1XX codes.
Finally, certain tones on the blue box can also be used for other purposes.
An MF "2" corresponds to COIN COLLECT while "KP" corresponds to COIN RETURN.
Thus every blue box is also a green box (see Telcom VI).
Coming soon:
Telcom VIII will deal with cordless phones, mobile phones, and other neat
things.
Be careful and have phun,
*****BIOC
*=$=*Agent
*****003
Page 131
The Official Phreaker's Manual
The Mark Tabas encounter series presents:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Better Homes and Blue Boxing
Part I
Theory of Operation
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
To quote Karl Marx, blue boxing has always been the most noble form of
phreaking. As opposed to such things as using an MCI code to make a free fone
call, which is merely mindless pseudo-phreaking, blue boxing is actual
interaction with the Bell System toll network. It is likewise advisable to be
more cautious when blue boxing, but the careful phreak will not be caught,
regardless of what type of switching system he is under.
In this part, I will explain how and why blue boxing works, as well as where.
In later parts, I will give more practical information for blue boxing and
routing information.
To begin with, blue boxing is simply communicating with trunks. Trunks must
not be confused with subscriber lines (or "customer loops") which are standard
telefone lines. Trunks are those lines that connect central offices. Now, when
trunks are not in use (i.e., idle or "on-hook" state) they have 2600Hz applied
to them. If they are two-way trunks, there is 2600Hz in both directions. When a
trunk IS in use (busy or "off-hook" state"), the 2600Hz is removed from the
side that is off-hook. The 2600Hz is therefore known as a supervisory signal,
because it indicates the status of a trunk; on hook (tone) or off-hook (no
tone). Note also that 2600Hz denoted SF (single frequency) signalling and is
"in-band." This is very important. "In-band" means that is is within the band
of frequencies that may be transmitted over normal telefone lines. Other SF
signals, such as 3700Hz are used also. However, they cannot be carried over the
telefone network normally (they are "out-of-band") and are therefore not able
to be taken advantage of as 2600Hz is.
Back to trunks. Let's take a hypothetical phone call. You pick up your fone
and dial 1+806-258-1234 (your good friend in Armarillo, Texas). For ease, we'll
assume that you are on #5 Crossbar switching and not in the 806 area. Your
central office (CO) would recognize that 806 is a foreign NPA, so it would
route the call to the toll centre that serves you. [For the sake of accuracy
here, and for the more experienced readers, note that the CO in question is a
class 5 with LAMA that uses out-of-band SF supervisory signalling]. Depending
on where you are in the country, the call would leave your toll centre (on more
trunks) to another toll centre, or office of higher "rank". Then it would be
routed to central office 806-258 eventually and the call would be completed.
Illustration:
A---CO1-------TC1------TC2----CO2----B
A=you
CO1=your central office
TC1=your toll office.
TC2=toll office in Amarillo.
CO2=806-258 central office.
B=your friend (806-258-1234)

Downloaded From P-80 International Information Systems 304-744-2253
Reference in New Issue Copy Permalink