informis/textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
master
textfiles/phreak/BLUEBOXING/blue6.box
root@procul 278a90f7ce Initial commit
2021-04-15 13:31:59 -05:00

582 lines
30 KiB
Plaintext
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Blue Boxing
Part I
To begin with, blue boxing is simply communicating with trunks. Trunks must
not be confused with subscriber lines (or "customer loops") which are standard
telefone lines. Trunks are those lines that connect central offices. Now, when
trunks are not in use (i.e., idle or "on-hook" state) they have 2600Hz applied
to them. If they are two-way trunks, there is 2600Hz in both directions. When a
trunk IS in use (busy or "off-hook" state"), the 2600Hz is removed from the
side that is off-hook. The 2600Hz is therefore known as a supervisory signal,
because it indicates the status of a trunk; on hook (tone) or off-hook (no
tone). Note also that 2600Hz denoted SF (single frequency) signalling and is
"in-band." This is very important. "In-band" means that is is within the band
of frequencies that may be transmitted over normal telefone lines. Other SF
signals, such as 3700Hz are used also. However, they cannot be carried over the
telefone network normally (they are "out-of- band") and are therefore not able
to be taken advantage of as 2600Hz is.
Back to trunks. Let's take a hypothetical phone call. You pick up your fone
and dial 1+806-258-1234 (your good friend in Armarillo, Texas). For ease, we'll
assume that you are on #5 Crossbar switching and not in the 806 area. Your
central office (CO) would recognize that 806 is a foreign NPA, so it would
route the call to the toll centre that serves you. [For the sake of accuracy
here, and for the more experienced readers, note that the CO in question is a
class 5 with LAMA that uses out-of-band SF supervisory signalling]. Depending
on where you are in the country, the call would leave your toll centre (on more
trunks) to another toll centre, or office of higher "rank". Then it would be
routed to central office 806-258 eventually and the call would be completed.
Illustration:
A---CO1-------TC1------TC2----CO2----B
A=you CO1=your central office
TC1=your toll office.
TC2=toll office in Amarillo.
CO2=806-258 central office.
B=your friend (806-258-1234)
In this situation it would be realistic to say that CO2 uses SF in-band
(2600Hz) signalling, while all the others use out-of-band signalling (3700Hz).
If you don't understand this, don't worry too much. I am pointing this out
merely for the sake of accuracy. The point is that while you are connected to
806-258-1234, all those trunks from YOUR central office (CO1) to the 806-258
central office (CO2) do *NOT* have 2600Hz on them, indicating to the Bell
equipment that a call is in progress and the trunks are in use.
Now let's say you're tired of talking to your friend in Amarillo
(806-258-1234) so you send a 2600Hz down the line. This tone travels down the
line to your friend's central office (CO2) where it is detected. However, that
CO thinks that the 2600Hz is originating from Bell equipment, indicating to it
that you've hung up, and thus the trunks are once again idle (with 2600Hz
present on them). But actually, yot have not hung up, you have fooled the
equipment at your friend's CO into thinking you have. Thus, it disconnects him
and resets the equipment to prepare for the next call. All this happens very
quickly (300-800ms for step-by-step equipment and 150-400ms for other
equipment).
When you stop sending 2600Hz (after about a second), the equipment thinks
that another call is coming towards it (e.g. it thinks the far end has come
"off-hook" since the tone has stopped. It could be thought of as a toggle
switch: tone --> on hook, no tone -->off hook. Now that you've stopped sending
2600Hz, several things happen:
1) A trunk is seized.
2) A "wink" is sent to the CALLING end from the CALLED end indicating that the
CALLED end (trunk) is not ready to receive digits yet.
3) A register is found and attached to the CALLED end of the trunk within about
two seconds (max).
4) A start-dial signal is sent to the CALLING end from the CALLED end
indicating that the CALLED end is ready to receive digits.
Now, all of this is pretty much transparent to the blue boxer. All he really
hears when these four things happen is a <beep><kerchunk>. So, seizure of a
trunk would go something like this:
1> Send a 2600Hz
2> Terminate 2600Hz after 1-2 secs.
3> [beep][kerchunk]
Once this happens, you are connected to a tandem that is ready to obey your
every command. The next step is to send signalling information in order to
place your call. For this you must simulate the signalling used by operators
and automatic toll-dialing equipment for use on trunks. There are mainly two
systems, DP and MF. However, DP went out with the dinosaur, so I'll only
discuss MF signalling. MF (multi-frequency) signalling is the signalling used
by the majority of the inter- and intra-lata network. It is also used in
international dialing known as the CCITT no.5 system.
MF signalling consists of 7 frequencies, beginning with 700Hz and separated
by 200Hz. A different set of two of the 7 frequencies represent the digits 0
thru 9, plus an additional 5 special keys. The frequencies and uses are as
follows:
Frequencies (Hz) Domestic Int'l
--------------------------------------
700+900 1 1
700+1100 2 2
900+1100 3 3
700+1300 4 4
900+1300 5 5
1100+1300 6 6
700+1500 7 7
900+1500 8 8
1100+1500 9 9
1300+1500 0 0
700+1700 ST3p Code 11
900+1700 STp Code 12
1100+1700 KP KP1
1300+1700 ST2p KP2
1500+1700 ST ST
The timing of all the MF signals is a nominal 60ms, except for KP, which
should have a duration of 100ms. There should also be a 60ms silent period
between digits. This is very flexible, however, and most Bell equipment will
accept outrageous timings.
In addition to the standard uses listed above, MF pulsing also has expanded
usages known as "expanded inband signalling" that include such things as coin
collect, coin return, ringback, operator attached, and operator released. KP2,
code 11, and code 12 and the ST_ps (STart "primes") all have special uses which
will be mentioned only briefly here.
To complete a call using a blue box, once seizure of a trunk has been
accomplished by sending 2600Hz and pausing for the <beep><kerchunk>, one must
first send a KP. This readies the register for the digits that follow. For a
standard domestic call, the KP would be followed by either 7 digits (if the
call were in the same NPA as the seized trunk) or 10 digits (if the call were
not in the same NPA as the seized trunk). [Exactly like dialing a normal fone
call]. Following either the KP and 7 or 10 digits, a STart is sent to signify
thap no more digits follow. Example of a complete call:
1> Dial 1-806-258-1234
2> wait for a call-progress indication (such as ring, busy, recording, etc.)
3> Send 2600Hz for about 1 second.
4> Wait for about 2 seconds while a trunk is seized.
5> Send KP+305+994+9966+ST
The call will then connect if everything was done properly. Note that if a
call to an 806 number were being placed in the same situation, the area code
would be omitted and only KP+seven digits+ST would be sent.
Code 11 and code 12 are used in international calling to request certain
types of operators. KP2 is used in international calling to route a call other
than by way of the normal route, whether for economic or equipment reasons.
STp, ST2p, and ST3p (prime, two prime, and three prime) are used in TSPS
signalling to indicate calling type of call (such as coin-direct dialed).
This has been Part I of Better Homes and Blue Boxing. I hope you enjoyed and
learned from it. If you have any questions, comments, threats or insults,
please fell free to drop me a line. If you have noticed any errors in this text
(yes, it does happen), please let me know and perhaps a correction will be in
order. Part II will deal mainly with more advanced principles of blue boxing,
as well as routings and operators.
Note 1: other highly trunkable areas include: 816,305,813,609,205. I
personally have excellent luck boxing off of 609-953-0000. Try that if you have
any trouble.
Part II
The dssential purpose of blue boxing in the beginning was merely to receive
toll services free of charge. Though this can still be done, blue boxing has
essentially outlived its usefulness in this area. Modern day "extenders" and
long distance services provide a safer and easier way to make free fone calls.
However, you can do things with a blue box that just can't be done with
anything else. For ordinary toll-fraud, a blue box is impractical for the
following reasons:
1. Clumsy equipment required (blue box or equivalent)
2. Most boxed calls must be made through an extender. Not for safety reasons,
but for reasons I'll explain later.
3. Connections are often sacrificed because considerable distances must be
dialed to cross a seizable trunk, in addition to awkward routing.
As stated in reason #2, boxed calls are usually made through an extender.
This is for billing reasons. If you recall from Part I, 2600Hz is used as a
"supervisory" signal. That is, it signals the status of a trunk-- "on-hook" or
"off-hook." When you seize a trunk (by briefly sending 2600Hz), your end (the
CALLING end) goes on hook for the duration of the 2600Hz and then goes off-hook
once again when the 2600Hz is terminated. The CALLED end recognizes that a call
is on the way and attaches a register, which inerprets the digits which are to
be sent. Now, understand that even though your end has come off-hook (no 2600Hz
present), thE other end is still on-hook. You may wonder then, why, if the
other end (the CALLED end) is still on-hook, there is no 2600Hz coming the
other way on the trunk, when there should be. This is correct. 2600Hz *IS*
present on the trunk when you seize it and afterwards, but you cannot hear it
because of a Band Elimination Filter (BEF) at your central office.
Back to the problem. Remember that when you seize a trunk, 2600Hz is indeed
coming the other way on the trunk because the CALLED end is still on-hook, but
you don't actually hear it because of a filter. However, the Bell equipment
knows it's there (they can "hear" it). The presence of the 2600Hz is telling
the billing equipment that your call has not yet been completed (i.e., the
CALLED end is still on-hook). When finally you do connect with your boxed call,
the 2600Hz from the called end terminates. This tells the billing equipment
that someone picked up the fone at the CALLED end and you should begin to be
billed. So you do start to get billed, but for the call to the trunk, NOT the
boxed call. Your billing equipment thinks that you've connected with the number
you used to seize the trunk.
Illustration:
1. You call 1+806-258-2222 (directly)
2. Status of trunks:
<----------------------------------->
(You) 806-258-2222
No 2600Hz-------> <------------2600Hz
When you seize a trunk (before the number you called answers) there is no
affect on your billing equipment. It simply thinks that you're still waiting
for the call to complete (the CALLED end is still on-hook; it is ringing, busy,
going to recorder or intercept operator).
Now, let's say that you've seized a trunk (806-258-2222) and for example,
KP+314+949+1705+ST. The call is routed from the tandem you seized to:
314-949-1705.
Illustration:
<------------------>O<--------------->
(You) 806 314-949
tandem
No 2600Hz----------> <----------2600Hz
Note that the entire path tovards the right (the CALLED end) has no 2600Hz
present and is therefore "off-hook." The entire path towards the left (the
CALLING end) does have 2600Hz present on it, indicating that the CALLED end has
not picked up (or come "off-hook"). When 314-949-1705 answers, "answer
supervision" is givelthe 2600Hz towards the left (the CALLING end)
terminates. This tells your billhng equipment, which thinks that you're still
waiting to be connected with 806-258-2222, that you've finally connected
Billing then begins to 806-258-2222. Not exactly an auspicious beginning for an
aspiring young phone phreak.
To avoid this, several actions may be taken. As previously mentioned, one may
avoid being charged for the number called to seize a trunk by using an extender
(in which case the extender will get billed). In some areas, b%9may be
accomplished using an 800 number, generally in the format of 800-858-xxxx (many
Amarillo numbers) or 800-NN2-xxxx (special intra-statE class in-WATS numbers).
However, boxing off of 800 numbers s=MM% 1in many areas. In my area,
Denver, I am served by #1A ESS and it is impossible for me to box off of any
800 number.
Years ago, in the early days of blue boxing (before my time), phreaks often
used directory assistance to box off of because they were "free" long distance
calls. However, because of competetive long distance companies, directory
assistance surcharges are now $0.50 in many areas. It is additionally advised
that directory assistance numbers not be used to box from because of the
following:
Average DA calls last under 2 minutes. When you box a call, chances are that
it will last considerably longer. Thus, the Bell billing equipment will make a
note of calls to directory assistance that last a long time. A call to a
directory assistant lasting for 4 hours and 17 minutes may appear somewhat
suspicious.
Although the date, time, and length of a DA call do not appear on the bill,
it is recorded on AMA tape and will trip a trouble report if it were to last
too long. This is how most phreaks were discovered in the old days. Also,
sometimes too many calls lasting too long to one 800 number may raise a few
eyebrows at the local security office.
Assuming you can complete a blue box call, the following are listed routings
for various Bell internal operators. These are in the format of KP+NPA+special
routing+1X1+ST, which I will explain later. The 1X1 is the actual operator
routing, and NPA and NPA+special routing are used for out-of-area code calls
and out-of-area code calls requiring special routing, respectively.
KP+101+ST ...... toll test board
KP+121+ST ...... inward op
KP+131+ST ...... directory assistance
KP+141+ST ...... was rate & route. Now only works in 312,815, 717, and a few
others. It has been replaced with a universal rate & route number,
800+141+1212.
KP+151+ST ...... overseas completiozAIQ=I(inbound). Works only in certain
NPAs, such as 303.
KP+181+ST ...... in some areas, toll station for small towns.
Thus, if you seize a trunk in 806 NPA and wanted an inward (in 806), then you
would dial KP+121+ST. If you wanted a 312 inward and were dialing on an 806
trunk, an area code would be required. Thus, you would dial KP+312+121+ST.
Finally, some places in the network require special routing, in addition to an
area code. An example is Franklin Park, Ill. It requires a special routing of
032. For this, yoa1dial KP+312+032+121+ST for a Franklin Park inward
operator.
Special routings are in the format of 0XX. They are used primarily for load
balance, so that traffic flow may be evenly distributed. About half of the
exchanges in the network require special routing. Note that special routings
are NEVER EVER EVER used to dial normal telephone numbers, only operators.
Operator functions:
TOLL TEST BOARD- Generally a cordboard position that assists in trunk testing.
They are not used by operators, only switchmen.
INWARD- Assists the normal TSPS (0+) operator in completing calls out of the
TSPS's area. Also, inwards perform emergency inerrupts when the number to be
interrupted is out of the area code of the original (TSPS) operator. For
example, a 303 operator has a customer that needs an emergency interrupt on
215-647-6969. The 303 operator gets the routing for the inward that covers
215-647, since she cannot do the interrupt herself. The routing is found to be
only 215+ (no special routing required). So, the 303 operator keys
KP+215+121+ST. An inward answers and the 303 says to her, "Inward, this is
Denver. I need an emergency interrupt on 215-647-6969. My customer's name is
Mark Tabas." The inward will then do the interrupt (off the line, of course).
If the number to be interrupted had required special routing, such as, say,
312-456-1234 (spec routing 032), then the 303 operator would dial
KP+312+032+121+ST for the inward to do that interrupt.
DIRECTORY ASSISTANCE- These are the normal NPA+555+1212 operators that assist
customers with obtaining telefone directory listings. Not much toll-fraud
potential here, except maybe $0.50.
RATE AND ROUTE- These operators are reached by dialing KP+800+141+1212+ST. They
assist normal (TSPS) operators with rates and routings (thus the name). The
only uses I typically have for them are the following:
1. Routing information. In the above example, when the 303 operator needed to
dial an inward that served 215-647, she needed to know if any special routing
was required and, if so, what it was. Assuming she would use rate and route,
she would dial them and say nicely, "Operator's route, please, for 215-647."
Rate & route would respond with "215 plus." This means that the operator would
dial KP+215+121+ST to reach the inward that serves 215-647. If there were
special routing required, such as in 312-456, rate & route would respond with
"312 plus 032 plus." In that case, the operator would dial KP+312+032+ST for
the inward that serves 312-456.
It is good practice to ask for "operator's route" specifically, as there are
also "numbers route" and "directory routes." If you do not specifically ask for
operator's route, rate & route will generally assume that is what you want
anyway.
"Numbers" route refers to overseas calls. Example, you want to know how to
reach a number in Geneva, Switzerland (and you already have the number). You
would call routing and say "Numbers route, please, Geneva, Switzerland." The
operator would respond with:
"Mark 41+22. 011+041+ST (plus) 041+22". The "Mark 41+22" has to do with
billing, so disregard it. The 011+041 is access to the overseas gateway (to be
discussed in Part iii) and the 041+ 22+ is the routing for Geneva from the
overseas sender.
"Directory" routings are for directory assistance overseas. Example:
You want a DA in Rome, Italy. You would call rate & route and say, "Directory
routing please, for Rome, Italy." They would respond with "011+039+ST (plus)
039+1108 STart." As in the previous example, the 011+039 is access to the
overseas gateway. The 039+1108 is a directory assistant in Rome.
2. Nameplace information. Rate & Route will give you the location of an NPA+
exchange. Example: "Nameplace please, for 215-648." The operator would respond
with "Paoli, Pennsylvania." This isn't especially useful, since you can get the
same information (legally) by dialing 0, but using rate & route is often much
faster and it avoids having to hang up when you are already on a trunk.
*NOTE on Rate & Route: As a blue boxer, always ask for "IOTC" routings. (e.g.,
"IOTC operator's route", "IOTC numbers route", etc.) This tells them that you
want cordboard-type routings, not TSPS, because a blue boxer is actually just a
cordboard position (that Bell doesn't know about).
OVERSEAS COMPLETION OPERATOR (inbound)- These operators (KP+151+ST) assist in
the completion of calls coming in to the United States from overseas. There are
KP+151+ST operators only in a few NPAs in the country (namely 303). To use one,
you would seize a trunk and dial KP+303+151+ST. Then you would tell the
operator, for example, "This is Bangladesh calling. I need U.S. number
215-561-0562 please." [in a broken Indian accent]. She would connect you, and
the bill would be sent to Bangladesh (where I've been billing my KP+151+ST
calls for two years).
Other internal Bell Operators.
KP+11501+ST ...... universal operator
KP+11511+ST ...... conference op
KP+11521+ST ...... mobile op
KP+11531+ST ...... marine op
KP+11541+ST ...6distance terminal
KP+11551+ST ...... time & charges op
KP+11561+ST ...... hotel/motel op
KP+11571+ST ...... overseas (outbound) op
These 115X1 operators are identical in routing to the 1X1 operators listed
previously, with one exception. If special routing is required (0XX), then the
trailing 1 is left off.
Examples:
A 312 universal op ... KP+312+11501+ST
A Franklin Park (312-456) universal op (special routing 032 required)....
................... KP+312+032+1150+ST
[The trailing 1 of 11501 is left off].
Purposes of 115X1 operators.
UNIVERSAL- Used for collect/callback calls to coin stations.
CONFERENCE- This is a cordboard conference operator who will set up a
conference for a customer on a manual operation basis.
MOBILE- Assists in completion of calls to mobile (IMTS) type telefones.
MARINE- Assists in completion of calls to ocean going vessels.
LONG DISTANCE TERMINAL- Now obsolete. Was used for completion of long distance
calls.
TIME & CHARGES- Will give exact costs of calls. Used to time calls and inform
customer of exactly how much it cost.
HOTEL/MOTEL- Handles calls to/from hotels and motels.
OVERSEAS COMPLETION (outbound)- assists in completion of calls to overseas
points. Only works in some, if any NPAs, because overseas assistance has been
centralized to IOCC (covered in part III).
Note that all KP+1X1+ST and KP+115X1+ST operators automatically assume that
you are a TSPS or cordbord operator assisting a customer with a call. DO NOT DO
ANYTHING TO JEOPARDIZE THIS! If you do not know what to do, don't call these
operators! Find out what to do first.
Part III
Overseas Direct Boxing.
Calling outside of the United States and Canada is accomplished by using an
"overseas gateway." There are 7 over- seas gateways in the Bell System, and
each one is designated to serve a certain region of the world. To initiate an
overseas call, one must first access the gateway that the call is to be sent
on. To do this automatically, decide which country you are calling and find its
country code. Then, pad it to the left with zeros as required so it is three
digits. [Add 1, 2, or 3 zeros as required].
Examples:
Luxembourg (352) is 352 (stays the same)
Spain (34) becomes 034 (1 zero added)
U.S.S.R. (7) becomes 007 (2 zeros added)
Next, seize a trunk and dial KP+011+CC+ST. Note that CC is the three digit
padded country code that you just determined by the above method. [For
Luxembourg, dial KP+011+352+ST, Spain KP+011+034+ST, and the U.S.S.R.
KP+011+007+ST]. This is done to route you to the appropriate overseas gateway
that handles the country you are dialing. Even though every gateway will allow
you to dial every dialable country, it is good practice to use the gateway that
is designated for the country you are calling.
After dialing KP+011+CC+ST (as CC is defined above) you should be connected
to an overseas gateway. It will acknowledge by sending a wink (which is audible
as a <beep><kerchink>) and a dial tone. Once you receive international dial
tone, you may route your call one of two ways: a) as an operator-originated
call, or b) as a customer-originated call. To go as a operator-originated call,
key KP+ country code (NOT padded with zeros)+city code+number+ST. You will
then be connected, providing the country you are calling can receive
direct-dialed calls. The U.S.S.R. is an example of a country that cannot.
Example of a boxed int'l call:
To make a call to the Pope (Rome, Italy), first obtain the country code, which
is 39. Pad it with zeros so that it is 039. Seize a trunk and dial
KP+011+039+ST. Wait for sender dial tone and then dial KP+39+6+6982+ST. 39 is
the country code, 6 is the city code, and 6982 is the Pope's number in Rome. To
go as an operator-originated call, simply place a zero in front of the country
code when dialing on the gateway. Thus, KP+0+39+6+6982+ST would be dialed at
sender dial tone. Routing your call as operator-originated does not affect much
unless you are dialing an operator in a foreign country.
To dial an operator in a foreign country, you must first obtain the operator
routing from rate & route for that country. Dial rate & route and if you're
trying to get an operator in Yugoslavia, say nicely, "IOTC Operator's route,
please, for Yugoslavia." [In larger countries it may be necessary to specify a
city]. Rate & route will respond with, "38 plus 11229". So, dial your over-
seas gateway, KP+011+038+ST, wait for sender dial tone, and key
KP+0+38+11029+ST. You should then get an operator in Yugoslavia. Note that you
must prefix the country code on the sender with a 0 because presumably only an
operator here can dial an operator in a foreign country.
When you dial KP+011+CC+ST for an overseas gateway, it is translated to a
3-digit sender code of the format 18X, depending on which sender is designated
to handle the country you are dialing. The overseas gateways and their 3-digit
codes are listed below.
182 ..... White Plains, NY
183 ..... New York, NY
184 ..... Pittsburg, PA
185 ..... Orlando, FL
186 ..... Oakland, CA
187 ..... Denver, CO
188 ..... New York, NY
Dialing KP+182+ST would get you the sender in White Plains, and KP+183+ST
would get the sender in NYC, etc., but the KP+011+CC+ST is highly suggested (as
previously mentioned). To find out what sender you were routed to after dialing
KP+011+CC+ST, dial (at int'l dial tone): KP+0020000+ST.
If you have difficulty in reaching a sender, call rate and route and ask for
a numbers route for the country you're dialing. Sometimes, KP+011+padded
country code+ST will not work. I have found this in many 3-digit country codes.
Luxembourg, country code 352, for example, should be KP+011+352+ST
theoretically. But it is not. In this case, dial KP+011+003+ST for the overseas
gateway. If you have trouble, try dialing KP+00+first digit of country code+ST,
or call rate The IOCC.
Sometimes when you call rate and route and ask for an "IOTC numbers route" or
"IOTC operators route" for a foreign country, you will get something like
"160+700" (as in the case of the Soviet Union). This means that the country is
not dialable directly and must be handled through the International Overseas
Completion Centre (IOCC). For an IOCC routing, pad the country code to the
RIGHT with zeros until it is 3 digits. Then KP+160 is dialed, plus the padded
country code, plus ST.
Examples:
The U.S.S.R. (7) ...... KP+160+700+ST
Japan (81) ............ KP+160+810+ST
Uraguay (598) ......... KP+160+598+ST
You will then be routed to the IOCC in Pittsburg, PA, who will ask for
country, city, and number being dialed. Many times they will ask for a ringback
[thanks to Telenet Bob] so have a loop ready. They will then place the call and
call you back (or sometimes put you through directly). Some calls, such as to
Moscow, take several hours.
The Rate Quote System (RQS).
The RQS is the operator's rate/quote system. It is a computer used by TSPS
(0+) operators to get rate and route information without having to dial the
rate and route operator. In Part II, I discussed getting an inward routing for
dialing-assistance and emergency interrupts from the rate and route operators
(KP+800+141+1212+ST). The same information is available from RQS. Say you want
the inward routing for 305-994. You would seize a trunk and dial KP+009+ST (to
access the RQS). Sometimes, if you seize a trunk in an NPA not equipped with
RQS, you need to dial an NPA that is equipped with RQS first, such as 303.
Anyway, after you dial KP+009+ST or KP+303+009+ST, you will receive a wink
(<beep><kerchink>) and then RQS dial tone. At RQS dial tone, for an inward
routing for 305-994 you would dial KP+06+305+994+ST. That is,
KP+06+NPA+exchange+ST. RQS will respond with "305 plus 033 plus". This means
you would dial KP+305+033+121+ST for an inward that services 305-994. If no
special routing were required, RQS would have responded with "305 plus" and you
would simply dial: KP+305+121+ST for an inward.
Another RQS feature is the echo feature. You can use it to test your blue
box. Dial RQS (KP+009+ST) and then key KP+07+1234567890+ST. RQS will respond
with voice identification of the digits it recognized, between the KP+07 and
ST.
RQS can also be used for rates and directory routings, but those are seldom
needed, so they have been omitted here.
Simple Scanning.
If you're interested in scanning, try dialing on a trunk, routings in the
format of KP+11XX1+ST. Begin with 11001 and scan to 11991. There are lots of
interesting things to be found there, as Doctor Who (413 area) can tell you.
Those 11XX1 routings can also be prefixed with an NPA, so if you want to scan
area code 212, dial KP+212+11XX1+ST.
There, now you know as much about blue boxing as most phreaks. If you read
and understand the material, and put aside preconceived ideas of what blue
boxing is that you may have aquired from inexperienced people or other bulletin
boards, you should be well on you way to an enlightening career in blue boxing.
If you follow the guidelines in Part I to box, you should have no problem with
the fone company. Comments made by "phreaks" on bulletin boards that proclaim
"tracing" of blue boxers are nonsense and should be ignored (except for a
passing chuckle).
NOTE 1: CCIS and the downfall of blue boxing.
CCIS stands for Common Channel Inter-office Signalling. It is a signalling
method used between electronic switching systems that eminiates the use of
2600Hz and 3700Hz supervisory signals, and MF pulsing. This is why many places
cannot be boxed off of; they employ CCIS, or out-of-band signalling, which will
not respond to any tones that you generate on the line. Eventually, all
existing toll equipment will be upgraded or replaced with CCIS or T-carrier. In
this case, we'll all be boxing with microwave dishes.
Reference in New Issue View Git Blame Copy Permalink