informis/textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/phreak/SWITCHES/r2.txt
root@procul 278a90f7ce Initial commit
2021-04-15 13:31:59 -05:00

300 lines
13 KiB
Plaintext
Raw Permalink Blame History

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
& &
& SIGNALLING SYSTEMS & THE BLUE BOX REVAMPED &
& &
& By &
& &
& Lazlo 20/07/92 &
& &
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
NOTE: This file is for informational purposes only and in no way is
any toll-fraud suggested by the author.
INTRODUCTION
============
I will in this file discuss some of the international trunk-signalling systems
used and methods to box over them. The main reason for writing this article
is the downfall of US boxing due to:
* 2400 & 2600 detectors on trunks
* CCIS
* Snooping on subscribers who place several (lengthy) calls to 800 numbers
Detection could simply by avoided by boxing off another country (on a tollfree
line of course) and then calling globally using a signalling system other than
the ones used in the states.
I have also included an in-depth review of the R2.
USAGE
=====
The signalling systems used widely today are: CCIS, CCITT 4, R1, R2 and SOCOTEL.
CCITT 4 can be found mainly in African and South American countries and is very
seldom worth boxing off due to the long routing needed and the poor quality
acheived. R1 and R2 is still very popular in Europe and the US and is really
worth boxing with, especially R2, which offers a multitude of options yet
uncovered for the enthusiastic phreak. The only system listed here that I
haven't boxed off myself is SOCOTEL, which, according to my knowledge is used
somewhere in Europe (who knows where).
.Using R1 to box off Europe (or any other country) from the US is not
recommended. US trunks are maybe not used to route the call, but the fraud
detectors do not know this and sooner or later you *will* be in trouble.
Using systems like R2 from the US is a good idea, since no detector in the
US is looking for R2 tones, and boxing off 800 numbers that offer Country
Direct services should not seem suspicous.
The CCITT R1 system
===================
-----------------------------------------------------
Freq. 700 900 1100 1300 1500 1700 [Hz]
-----------------------------------------------------
Digit
1 x x
2 x x
3 x x
4 x x
5 x x
6 x x
7 x x
8 x x
9 x x
0 x x
11 x x
12 x x
KP x x
KP2 x x
ST x x
-----------------------------------------------------
50/50ms timing can be used with all digits, even 20/20 is possible on some
systems if you want fast dialing.
One problem with R1 is trunk seizure. The normal procedure would be sending
2400/2600, waiting a while, then blowing 2400, and the trunk would be seized.
This is very unlikely to work, though. Even more so is sending 2400 or
2600 directly. The telco equipment is nowadays very exact with timing and
the only way to find it out is by testing. Usually the 2400/2600 (hangup tone)
should be sent for at least 80ms and no more than 200ms, if 200 ms is not
enough, you probably aren't on r1. A way to find out the timing is to send
2400/2600 starting with 200ms, then decreasing the timing with 1ms steps.
With 200ms, the trunk is likely to hang up when you send the hangup tone.
Find the timing that hangs up, but leaves you on the trunk (this can be heard
by a wink), then keep the 2400/2600 timing that way and adjust the delays
and the 2400 timing. Timings suggested for AT&T + MCI trunks are as follows:
2400/2600 delay 2400 delay [ms]
------------------------------------------
137 100 137 1200
100 100 100 100
140 400 140 1200
120 100 60 300
150 0 150 150
The delay before KP or KP2 is sent may/may not be important and must sometimes
be very accurate. this can be adjusted by ear. If the line hangs up before you
start dialing, then make the last delay shorter.
NOTE:Not all trunks work with the same timing, and sometimes when dialing
the same number you are routed another way. This is a problem, but if you have
a trained boxing-ear, you can learn to separate trunks from each other.
The KP2 is used for international dialing.
KP2-CC-0/1-NPA-PREF-SUF-ST
Where 0 = Connect by cable
1 = Connect by satellite
Thus, a call to the US via cable would appear like:
KP2-1-0-NPA-PREF-SUFF-ST
SOCOTEL
=======
This system is identical to R1, except for that the line signals are
out of band, and are hard to produce on the foneline.
Hangup is 3850 and is sent with 50ms pulses.
Dial timing is the same as is for r1 (50/50)
CCITT R2
--------
This is probably the most complicated signalling system (with the exception of
Common Channel Signalling systems) and offers a very wide range of
possibilities for phreaking. One of the problems with R2 is that it is more
or less based around PCM, and on such systems all the line signalling info
(the important tones such as seize and hangup) is sent over a different
timeslot (PCM uses a timesharing method for sending voice/signals) and
is then difficult to control. On some R2 systems the PCM method is not
implemented at all and this is the one I will discuss in detail. The
supervisory tone (3825Hz) can normally also be a mess to send over the lines.
There have been test numbers for telco personnel that connects to a trunk,
but this does not help much, since the seize signal must be sent before
dialing anyway and is, as I said before, a mess to get through.
.The R2 uses special signalling methods not seen elsewhere, e.g
there is a separate set of backward tones that the receiving CO sends back
between each digit. I have, merely for the sake of accuracy, included these.
The backward signals may seem unnecessary but there might be some room for
phreaking with them too. Another feature of R2 is that no specific timing
exists. Every digit should be sent until the receiving CO responds with
another Backward digit, which could in turn have some other meaning. A
specification for R2 is that it should handle 6/7 signals per second, this
is quite slow, though, and usually much faster speed can be acheived than
with for instance R1.
.On R2, register signals are two frequencies from a group of 6
separated by 120Hz. Line signals are all 3825Hz and vary in pulsing length.
Register signals are not only split in Backward/Forward groups, but also
in groups I/II on forw. signals and A/B on backward signals. Group I is
mainly normal dialing digits while group II signals are messages that specify
Subscriber types etc. I have tried to include as much as I know about the
messages, if anyone has got more info on this or anything else in this
phile, please contact me.
R2 Register signals
------------------------------------------------------------
Forward 1380 1500 1620 1740 1860 1980 [Hz]
------------------------------------------------------------
Backward 1140 1020 900 780 660 540 [Hz]
------------------------------------------------------------
Digit
1 x x
2 x x
3 x x
4 x x
5 x x
6 x x
7 x x
8 x x
9 x x
10 x x
11 x x
12 x x
13 x x
14 x x
15 x x
-----------------------------------------------------------
These are translated as:
-----------------------------------------------------------
Forward Signals
-----------------------------------------------------------
Digit Group I Group II
-----------------------------------------------------------
1 1 Normal subscriber
2 2 Priviledged subscriber
3 3 Test subscriber
4 4 Payfone
5 5 Operator
6 6 ?
7 7 Normal subscriber
8 8 ?
9 9 Priviledged subscriber
10 10 Operator
11 KP2E Forwarded call
12 KP2 Reserved
13 Reserved Reserved
14 Reserved Reserved
15 ST Reserved
----------------------------------------------------------
-----------------------------------------------------------------------------
Backward signals
-----------------------------------------------------------------------------
Digit Group A Group B
-----------------------------------------------------------------------------
1 Send next digit (x+1) Sub.vacant, call tracing (BAD)
2 Send previous digit (x-1) Send guide tone
3 Receive group B signals Subscriber busy
4 National net failure Net Failure
5 Specify subscriber type Disconnected number
6 Connect voicechannel Subscriber vacant - Sup
7 Send (x-2) Subscriber vacant - Non-Sup
8 Send (x-3) Subscriber malfunction
9 ? ?
10 Reserved The number has changed
-----------------------------------------------------------------------------
R2 Line signals, non-PCM (3825Hz)
---------------------------------------------------------------
Signal Direction Duration[ms]
---------------------------------------------------------------
Seizing --> 50 or 150
Seizing ACK (wink) <-- 50 (or longer)
Answer <-- 150
Metering (count) <-- 100
Clear back <-- 600
Clear Forward --> 1500
---------------------------------------------------------------
The backward signals are used to ask the calling CO questions while
dialing. This may cause problems since you may not know when to send
digits and when to send info, especially signals like send x-2 may
cause headaches. One way to find this out is usually by testing
different orders. Usually the subscriber type question is only sent when
making national calls and is asked after all the digits have been sent.
On intl. calls the subscriber type is asked after the CC (like on R1).
The thing is that the Telco knows these things and are trying their best to
make life hard for boxers by programming their equipment to send questions
at unexpected times.
A boxed call may take place as follows:
Dial number 555-1212
CO1 CO2
---------------------------
Clear Forward ->
Seize ->
<- Seizing ACK
I-5 ->
<-A-1 (send next digit)
I-5 ->
<-A-1
I-5 ->
<-A-1
I-1 ->
<-A-1
I-2 ->
<-A-1
I-1 ->
<-A-1
I-2 ->
<-A-5 or A-3 (specify subscriber)
II-5 -> (operator)
<-B-6 (no ST needed on local calls)
----------------------------
Any1 with more info on this, please contact me.
<End of File>
Reference in New Issue View Git Blame Copy Permalink