informis/textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/phreak/SWITCHES/analss.txt
root@procul 278a90f7ce Initial commit
2021-04-15 13:31:59 -05:00

258 lines
10 KiB
Plaintext
Raw Permalink Blame History

Analogue Signalling Systems - An overview by NeonDreamer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Why only analogue? Why not digital? Well let me tell
you now, the number of phreaks who know more than '.' about
digital signalling over ISDN lines is next to nothing. I
don't know much myself, let alone how to exploit it, so I'll
restrict my ramblings to what can realistically be played
with.
Firstly a note on naming conventions. Most of us are
used to dealing with American texts, and we are used to
signalling systems be referred to in terms of their CCITT
code. The UK has their own codes SSAC and SSMF for
describing signalling. For ease of use I'll stick to what
we are familiar with - CCITT conventions. If you need to
know the equivalent UK code refer to the table below.
CCITT UK
4 SSAC4
5 SSAC10/SSMF1
Non CCITT standards will be referred to in the UK style.
OK, before the good days of auto switching and
subscriber trunk dialling (STD) all trunk switching was
performed by operators on Strowger or related equipment.
Inter-exchange signalling was performed by the operators.
Obviously an automatic network needs to perform a
number of functions.
1) It needs to signal the exchange to connect caller A
to recipient B
2) It needs to supervise the call
3) It needs to give caller A feedback (ringing tone /
engaged tone)
4) It needs to bill the call
Signalling data can be transmitted as pulse breaks,
tones or binary. The following methods are still used
today:
1) Level and direction of current (in 2 wire DC
systems)
2) Pulse duration (DC)
3) Pulse combination (DC)
4) AC signal frequency
5) Frequency combination
6) Binary
Signalling across local lines has evolved from two-wire
DC systems - except ringing current and standard tones.
Tones were initially produced electromechanically as
follows:
Ringing tone 133Hz interrupted
Engaged tone 400Hz interrupted
Out of order 400Hz continuous
Ringing current 17Hz ( @ 75V )
Probably what we are all familiar with in the first
instance is called loop disconnect calling. Anyone who ever
used a rotary fone as a kid (and even on crappy payfones
now) will remember the 'click click click' that signalled
the numbers to the exchange. Remember when you first sussed
that the number of clicks indicated the number you had
dialled? Remember when you found out that by tapping the
handset rest you could dial a number without using the dial?
Did you ever wonder how it worked?
For the sake of completeness - here is the answer.
When a fone is off the hook, it allows DC current to flow
through it. When you dial, you interrupt this DC current
at 10 pulses / second (3 pulses for a 3, 10 for a 0 etc.) -
hence the term loop disconnect calling - you dial by
momentarily disrupting a DC current flow, only flowing off
hook. When your call is answered the recipients exchange
reverses the direction of current flow.
Correct dialling using this method is achieved by
disrupting the DC current for 66.7 ms with 33 ms between
pulses indicating the same number, and a >400ms of DC flow
between pulses indicating a different number.
DC signalling is limited distance wise due to the
resistance in copper wires. Consequently due to the
relatively high power requirements other signalling systems
have been developed.
DTMF dialling and electronic exchanges give a greater
signalling speed. The DTMF frequencies used are listed
below :
Digit Frequencies (Hz)
~~~~~ ~~~~~~~~~~~~~~~~
1 697 1209
2 697 1336
3 697 1477
4 770 1209
5 770 1336
6 770 1477
7 852 1209
8 852 1336
9 852 1477
* 941 1209
0 941 1336
# 941 1447
In payfone systems the call charging signal is a 50 Hz
common mode or longitudinal voltage in which both wires of a
two wire pair are driven in phase.
Blimey, we're only just on to analogue signalling. Hang
on and bear with me....
Between network switching centres parallel signalling
is used in the form of AC signals which may be single
frequency (1VF), dual voice frequency (2VF) or
multifrequency (MVF). The system has evolved from SSAC9
(1VF) in the 1950's the identically featured, but
transistorised 1980's version. Part of the adaptation has
been from 2-wire (metallic pair) to a 4-wire system.
SSAC9 uses the 'magic' 2280Hz signal frequency. This was
exploited by phreakers in the good old days and it is
nothing more than a historical curiosity now...
Multifrequency signalling is now the standard. In our
system an out of band signal of 3825Hz is used for
supervisory purposes - and enables continuous supervision.
This is due to a CCITT recommendation (Q351) and is
referred to as R2 signalling. This is the system of
signalling that '3l33t3' phreaks have taken to playing
with...
So here are the signals used :
| ______Direction______
Condition of circuit | Forward Return
---------------------------------------------------
Idle | Tone on Tone on
Seized | off on
Answered | off off
Clear back | off on
Released | on on or off
Blocked | on off
CCITT4 is an end 2 end signalling system using 2VF and
two tones : 2040Hz (from now on read 'x' [binary 0]) and
2400Hz (from now on read 'y' [binary 1]). It is used for
line signalling and interregister signalling (with serial
transmission in binary).
Consequently a 4 element code in binary gives 16
characters. 10 of these are for digits and four are
supervisory. These are given below...
1 2 3 4
1 y y y x
2 y y x y
3 y y x x
4 y x y y
5 y x y x
6 y x x y
7 y x x x
8 x y y y
9 x y y x
0 x y x y
Call operator code 11 x y x x
Call operator code 12 x x y y
Spare code x x y x
Incom. half echo sup. reqd. x x x y
End of pulsing x x x x
Spare y y y y
OK - now each line signal is prefixed with a signal
called 'P' followed by a control element ( x or y ). The
prefix is a combination of both frequencies and the control
element plays its constituent tones consecutively with the
durations as follows :
P = 150 +- 30ms (2040Hz/2400Hz)
x and y = 100 +- 20ms
There are more supervisory signals too which use X and
Y which are 350ms +- 70ms. So signalling in the forward
direction we have :
Terminal seizing PX
Transit seizing PY
Digits Shown in above table (are you
paying *no* attention?)
Clear forward PXX
Forward transfer PYY
and in the backward direction we have :
Proceed to send X
International transit Y
Engaged PX
Answer PY
Acknowledge P
Phew (that's all for CCITT4). To find better
explanations of the operator codes finish reading the next
section (CCITT5) and then go and get some deeper articles on
signalling (2600 have an excellent CCITT5 article - I'll
Xerox a copy for anyone who is interested).
CCITT5 is the system most abused by phreaks. This
system is generally abused over international 'country
direct' lines. 0800 numbers connecting you to a foreign
operator - which gives you the chance to break their trunk,
seize their line and control their system (yeah!). The
definitive guide to BlueBoxing CCITT5 is on my (growing)
list of projects, I have read the rest and will write the
best both technically and practically ;-)
CCITT5 is a 2VF system using 2400Hz / 2600Hz for line
signalling on a link by link basis. Interregister
signalling is 2MF (2 out of 6 frequency type). The 6
frequencies are spaced 200Hz apart from 700Hz to 1700Hz. In
the USA a similar, but not identical, system is used (R-1).
The CCITT5 code is :
Digit Frequencies
1 700Hz 900Hz
2 700 1100
3 900 1100
4 700 1300
5 900 1300
6 1100 1300
7 700 1500
8 900 1500
9 1100 1500
0 1300 1500
The supervisory tones (ie the useful ones!) are:
Prefix digit sequence 1100Hz 1700Hz
End of digit sequence 1500 1700
Operator code 11 700 1700
Operator code 12 900 1700
700 1100
Payfone coin control 1100 1700
700 1700
Final point - there is a modified CCITT5 system
floating around which uses a 2 out of 6 MF signal, but has
two different sets of frequencies for forward and return
signalling. The tones are spaced at 120Hz from 540Hz to
1980Hz.
NeonDreamer '95 (just)
Reference in New Issue View Git Blame Copy Permalink