
                17-JUN-1987 Blue box plans, part I
                ----------------------------------

            THE MARK TABAS ENCOUNTER SERIES PRESENTS:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                   BETTER HOMES AND BLUE BOXING
                             PART I
                      THEORY OF OPERATION
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


TO QUOTE KARL MARX, BLUE BOXING HAS ALWAYS BEEN THE MOST NOBLE FORM OF
PHREAKING. AS OPPOSED TO SUCH THINGS AS USING AN MCI CODE TO MAKE A FREE
PHONE CALL, WHICH IS MERELY MINDLESS PSEUDO-PHREAKING, BLUE BOXING IS
ACTUAL INTERACTION WITH THE BELL SYSTEM TO  LL NETWORK. IT IS LIKEWISE
ADVISABLE TO BE MORE CAUTIOUS WHEN BLUE BOXING, BUT THE CAREFUL PHREAK
WILL NOT BE CAUGHT, REGARDLESS OF WHAT TYPE OF SWITCHING SYSTEM HE IS UNDER.

IN THIS PART, I WILL EXPLAIN HOW AND WHY BLUE BOXING WORKS, AS WELL AS
WHERE. IN LATER PARTS, I WILL GIVE MORE PRACTICAL INFORMATION FOR BLUE
BOXING AND ROUTING INFORMATION.

COMMUNICATING WITH TRUNKS. TRUNKS MUST NOT BE CONFUSED WITH SUBSCRIBER LINES
(OR "CUSTOMER LOOPS") WHICH ARE STANDARD TELEFONE LINES. TRUNKS ARE
THOSE LINES THAT CONNECT CENTRAL OFFICES. NOW, WHEN TRUNKS ARE NOT IN
USE (I.E., IDLE OR "ON-HOOK" STATE) THEY HAVE 2600HZ APPLIED TO THEM. IF
THEY ARE TWO-WAY TRUNKS, THERE IS 2600HZ IN BOTH DIRECTIONS. WHEN A
TRUNK IS IN USE (BUSY OR "OFF-HOOK" STATE), THE 2600HZ IS REMOVED FROM
THE SIDE THAT IS OFF-HOOK. THE 2600HZ IS THEREFORE KNOWN AS A SUPERVISORY
SIGNAL, BECAUSE IT INDICATES THE STATUS OF A TRUNK: ON-HOOK (TONE) OR
OFF-HOOK (NO TONE). NOTE ALSO THAT 2600HZ DENOTES SF (SINGLE FREQUENCY)
SIGNALLING AND IS "IN-BAND." THIS IS VERY IMPORTANT. "IN-BAND" MEANS THAT
IT IS WITHIN THE BAND OF FREQUENCIES THAT MAY BE TRANSMITTED OVER NORMAL
TELEFONE LINES. OTHER SF SIGNALS, SUCH AS 3700HZ, ARE USED ALSO. HOWEVER, THEY
CANNOT BE CARRIED OVER THE TELEFONE NETWORK NORMALLY (THEY ARE
"OUT-OF-BAND") AND ARE THEREFORE NOT ABLE TO BE TAKEN ADVANTAGE OF AS 2600HZ IS.

BACK TO TRUNKS. LET'S TAKE A HYPOTHETICAL PHONE CALL. YOU PICK UP
YOUR FONE AND DIAL 1+806-258-1234 (YOUR GOOD FRIEND IN AMARILLO,
TEXAS). FOR EASE, WE'LL ASSUME THAT YOU ARE ON #5 CROSSBAR SWITCHING AND
NOT IN THE 806 AREA. YOUR CENTRAL OFFICE (CO) WOULD RECOGNIZE THAT
806 IS A FOREIGN NPA, SO IT WOULD ROUTE THE CALL TO THE TOLL CENTRE
THAT SERVES YOU. [FOR THE SAKE OF EXPERIENCED READERS, NOTE THAT THE
CO IN QUESTION IS A CLASS 5 WITH LAMA THAT USES OUT-OF-BAND SF
SUPERVISORY SIGNALLING]. DEPENDING ON WHERE YOU ARE IN THE COUNTRY, THE
CALL WOULD LEAVE YOUR TOLL CENTRE (ON MORE TRUNKS) TO ANOTHER TOLL
CENTRE, OR OFFICE OF HIGHER "RANK". THEN IT WOULD BE ROUTED TO CENTRAL
OFFICE 806-258 EVENTUALLY AND THE CALL WOULD BE COMPLETED. ILLUSTRATION:

A---CO1-------TC1------TC2----CO2----B

A=YOU
CO1=YOUR CENTRAL OFFICE
TC1=YOUR TOLL OFFICE.
TC2=TOLL OFFICE IN AMARILLO.
CO2=806-258 CENTRAL OFFICE.
B=YOUR FRIEND (806-258-1234)

IN THIS SITUATION IT WOULD BE REALISTIC TO SAY THAT CO2 USES SF
IN-BAND (2600HZ) SIGNALLING, WHILE ALL THE OTHERS USE OUT-OF-BAND
SIGNALLING (3700HZ). IF YOU DON'T UNDERSTAND THIS, DON'T WORRY TOO MUCH.
I AM POINTING THIS OUT MERELY FOR THE SAKE OF ACCURACY. THE POINT IS THAT
WHILE YOU ARE CONNECTED TO 806-258-1234, ALL THOSE TRUNKS FROM YOUR
CENTRAL OFFICE (CO1) TO THE 806-258 CENTRAL OFFICE (CO2) DO *NOT* HAVE
2600HZ ON THEM, INDICATING TO THE BELL EQUIPMENT THAT A CALL IS IN
PROGRESS AND THE TRUNKS ARE IN USE.

NOW LET'S SAY YOU'RE TIRED OF TALKING TO YOUR FRIEND IN AMARILLO
(806-258-1234) SO YOU SEND A 2600HZ DOWN THE LINE. THIS TONE TRAVELS DOWN
OFFICE (CO2) WHERE IT IS DETECTED. HOWEVER, THAT CO THINKS THAT THE
2600HZ IS ORIGINATING FROM BELL EQUIPMENT, INDICATING TO IT THAT
YOU'VE HUNG UP, AND THUS THE TRUNKS ARE ONCE AGAIN IDLE (WITH 2600HZ
PRESENT ON THEM). BUT ACTUALLY, YOU HAVE NOT HUNG UP, YOU HAVE FOOLED THE
EQUIPMENT AT YOUR FRIEND'S CO INTO THINKING YOU HAVE. THUS, IT DISCONNECTS
HIM AND RESETS THE EQUIPMENT TO PREPARE FOR THE NEXT CALL. ALL THIS
HAPPENS VERY QUICKLY (300-800MS FOR STEP-BY-STEP EQUIPMENT AND 150-400MS
FOR OTHER EQUIPMENT).
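
ADDED EXAMPLE (NOT PART OF THE ORIGINAL FILE): BECAUSE THE SUPERVISORY TONE IS
IN-BAND, A MONITOR ON THE SUBSCRIBER SIDE OF THE LINE CAN SEE IT THE SAME WAY
THE FAR-END EQUIPMENT DOES. THIS PYTHON CODE FLAGS 2600HZ THAT DOMINATES THE
AUDIO FOR AT LEAST THE 150MS MINIMUM QUOTED ABOVE; THE 8KHZ SAMPLE RATE, 20MS
FRAMES, 0.5 ENERGY RATIO, ALL FUNCTION NAMES AND THE SAMPLE AUDIO ARE
ASSUMPTIONS CONSTRUCTED FOR ILLUSTRATION.

```python
import math

SAMPLE_RATE = 8000   # Hz; assumed sampling rate of the monitored line audio
SF_TONE_HZ = 2600    # in-band supervisory frequency named in the text
FRAME_MS = 20        # analysis frame (assumption); 2600 Hz is an exact bin here
MIN_TONE_MS = 150    # shortest disconnect recognition time quoted in the text

def goertzel_power(frame, freq, rate=SAMPLE_RATE):
    """Squared DFT magnitude of `frame` at `freq` (Goertzel recurrence)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def find_sf_bursts(samples, ratio=0.5):
    """Return [(start_ms, duration_ms)] for runs where 2600 Hz carries at least
    `ratio` of the frame energy for MIN_TONE_MS or longer."""
    n = SAMPLE_RATE * FRAME_MS // 1000
    flags = []
    for i in range(0, len(samples) - n + 1, n):
        frame = samples[i:i + n]
        energy = sum(x * x for x in frame)
        # A pure tone of amplitude A gives power (A*n/2)^2 and energy A^2*n/2,
        # so power / (energy * n / 2) is the fraction of energy at 2600 Hz.
        flags.append(energy > 1e-9 and
                     goertzel_power(frame, SF_TONE_HZ) >= ratio * energy * n / 2)
    flags.append(False)  # sentinel: closes a run that reaches the end
    bursts, start = [], None
    for idx, tonal in enumerate(flags):
        if tonal and start is None:
            start = idx
        elif not tonal and start is not None:
            duration = (idx - start) * FRAME_MS
            if duration >= MIN_TONE_MS:  # ignore short blips (guard time)
                bursts.append((start * FRAME_MS, duration))
            start = None
    return bursts

def tone(freqs, ms):
    """Constructed test audio: equal mix of sine waves lasting `ms`."""
    count = SAMPLE_RATE * ms // 1000
    return [sum(math.sin(2 * math.pi * f * k / SAMPLE_RATE) for f in freqs)
            / len(freqs) for k in range(count)]

# Constructed sample: voice stand-in, 1 s of 2600 Hz, voice, a 60 ms blip, voice.
VOICE = [400, 1000]
SAMPLE = (tone(VOICE, 500) + tone([2600], 1000) + tone(VOICE, 300)
          + tone([2600], 60) + tone(VOICE, 200))
```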

WHEN YOU STOP SENDING 2600HZ (AFTER ABOUT A SECOND), THE EQUIPMENT THINKS
THAT ANOTHER CALL IS COMING TOWARDS IT (I.E., IT THINKS THE FAR END HAS
COME "OFF-HOOK" SINCE THE TONE HAS STOPPED). IT COULD BE THOUGHT OF AS A
TOGGLE SWITCH: TONE --> ON-HOOK, NO TONE --> OFF-HOOK. NOW THAT YOU'VE
STOPPED SENDING 2600HZ, SEVERAL THINGS HAPPEN:

  1) A TRUNK IS SEIZED.

  2) A "WINK" IS SENT TO THE CALLING END FROM THE CALLED END INDICATING THAT
     THE CALLED END (TRUNK) IS NOT READY TO RECEIVE DIGITS YET.

  3) A REGISTER IS FOUND AND ATTACHED TO THE CALLED END OF THE TRUNK WITHIN
     ABOUT TWO SECONDS (MAX).

  4) A START-DIAL SIGNAL IS SENT TO THE CALLING END FROM THE CALLED END
     INDICATING THAT THE CALLED END IS

NOW, ALL OF THIS IS PRETTY MUCH TRANSPARENT TO THE BLUE BOXER. ALL HE
REALLY HEARS WHEN THESE FOUR THINGS HAPPEN IS A <BEEP><KERCHUNK>. SO,
SEIZURE OF A TRUNK WOULD GO SOMETHING LIKE THIS:

  1> SEND A 2600HZ

  2> TERMINATE 2600HZ AFTER 1-2 SECS.

  3> [BEEP][KERCHUNK]

ONCE THIS HAPPENS, YOU ARE CONNECTED TO A TANDEM THAT IS READY TO OBEY YOUR
EVERY COMMAND. THE NEXT STEP IS TO SEND SIGNALLING INFORMATION IN ORDER
TO PLACE YOUR CALL. FOR THIS YOU MUST SIMULATE THE SIGNALLING USED BY
OPERATORS AND AUTOMATIC TOLL-DIALING EQUIPMENT FOR USE ON TRUNKS. THERE
ARE MAINLY TWO SYSTEMS, DP AND MF. HOWEVER, DP WENT OUT WITH THE DINOSAUR,
SO I'LL ONLY DISCUSS MF SIGNALLING. MF (MULTI-FREQUENCY) SIGNALLING IS THE
SIGNALLING USED BY THE MAJORITY OF THE INTER- AND INTRA-LATA NETWORK. IT IS
ALSO USED IN INTERNATIONAL DIALING KNOWN AS THE CCITT NO.5 SYSTEM.
MF SIGNALLING CONSISTS OF 7 FREQUENCIES, BEGINNING WITH 700HZ AND
SEPARATED BY 200HZ. A DIFFERENT SET OF TWO OF THE 7 FREQUENCIES REPRESENT THE
DIGITS 0 THRU 9, PLUS AN ADDITIONAL 5 SPECIAL KEYS. THE FREQUENCIES AND USES
ARE AS FOLLOWS:

FREQUENCIES (HZ)  DOMESTIC    INT'L
--------------------------------------
 700+900             1          1
 900+1100            3          3
 700+1300            4          4
 900+1300            5          5
1100+1300            6          6
 700+1500            7          7
 900+1500            8          8
1100+1500            9          9
1300+1500            0          0
 700+1700           ST3P       CODE 11
 900+1700           STP        CODE 12
1100+1700           KP         KP1
1300+1700           ST2P       KP2
1500+1700           ST         ST


THE TIMING OF ALL THE MF SIGNALS IS A NOMINAL 60MS, EXCEPT FOR KP, 120MS



NOTE TO SYSOPS: YOU ARE WELCOMED TO DOWNLOAD THIS FILE AND USE IT ON
                YOUR SYSTEM, PROVIDING YOU DO NOT REMOVE THE CREDITS
                FOR MARK TABAS OR KAOS.
                IN OTHER WORDS, TRY TO ACT LIKE A HUMAN BEING!


