@BEGIN_FILE_ID.DIZ
809 Presents A blueboxing guide by Dynamics
Blueboxing in USA and yes this is 99
@END_FILE_ID.DIZ
...::$$[The 809 Squad]$$::...
.[Members]
.[NynexPhreak]..$$[p1mp
.[Dynamics] ..$$[809k1ng
.[Red^Blade] ..$$[l00z3r
.[Michella] ..$$[ph0n3 slut
Calling local?
Why not box global?
- THE 809 SQUAD -
http://www.809.cjb.net
/-------------------------------------------------------\
8-0-9
MCI PHEER PHACTOR
809 INTERNATIONAL COMMUNICATIONS PRESENTS....
\-------------------------------------------------------/
greetz to: Telegroup Baltic Call Card,MCI,Cable&Wireless
Barclays Offshore Banking,International Data Proc(Nevis)
Trinidad & Tobago Tourism and Codetel (Dominican Rep)
more greetz to:
Redblade, GPI, _dave, Psyclone, Pathogen809, Kuji,
Polymorph, hybrid, Shadow, [JaSuN], jaqu, michella ;)
---------------------------------------------------------
BLUEBOXING FROM THE U.S IS POSSIBLE, AND THIS IS '99
Version 1.0beta
---------------------------------------------------------
"lOsEnTiMoS! es de nUmErO nO eSt a iN serfisios, pOr fAvOrE pEr eFiCiO
eT tRaPo eNuEbO - CODETEL"
BACKGROUND
==========
Now, a long time ago, and to some extent nowadays, system R1 was the
system that linked the US. It used a single frequency 2600hz tone for
controlling the status of trunks, using a tone-on (free) and a tone-off
(in use) system.
It used interregister signals comprised of MF (multifrequency) tones
which were compound tones and were used to route calls between trunk
exchanges.
It was a pretty basic system, and can be found in some VERY remote
parts of the US/Canada, and is used to some extent in the Caribbean
region. It may be found in other parts of the world too, especially
in poorer countries, and in some parts of Eastern Europe. I heard from
a friend that Italy uses R1 as the signalling system in some rural
towns. A similar system is used by the French, called Socotel, which
uses MF and single frequency tones. The UK once used a single frequency
system, CCITT 3, although every digit was prefixed with a Code14 while
routing.
People used to bluebox the R1 system by sending the 2600hz tone to
tell the trunk the call had hung up when in fact it hadn't, meaning
that they had an open trunk to dial out of using the MF dialset. This
is theoretically achievable, but the US is mainly SS7, and muting of
forward audio can be a problem.
This is NOT the system this guide will describe.
I aim to inform the reader how blueboxing FROM the U.S is achievable
using international toll-free numbers, which are toll-free numbers that
terminate in foreign countries. The main set of numbers being used in
this guide will be the HOME COUNTRY DIRECT numbers, and are used for
collect calls by tourists of these countries to call home, and for
calling card services.
CCITT SYSTEM No. 5 - KNOW THY ADVERSARY!
========================================
CCITT System No. 5 was specified in 1964 by the CCITT for use as an
intercontinental signalling system - to link continents. The first
application of CCITT5 (C5) was in the TAT-1 system, which linked the
United Kingdom with the U.S.
It is similar to R1 in many ways:
a) It has a near identical dialset.
b) It uses INBAND (within the band of the phone line) tones for
control. This is what makes it blueboxable.
c) Routing using C5 is the same as routing with R1, except that there
is a new signal with C5, Kp2 (transit KP).
In short, CCITT 5 could be described as: International R1, although
that is really only a rather tongue-in-cheek definition as 'R' stands
for "regional" anyway, meaning it's a contradiction...
CCITT 5 is used on cable, satellite, microwave and radio connections
world-wide. It would be fair to say that just under half the world uses
this system, because it is used extensively by a large number of
countries. Unfortunately, most developed countries are mostly digitally
switched, using system 7/SS7/CCIS7.
Thankfully, AT&T/MCI/SPRINT and other carriers have devised a system
whereby people in other countries can get US toll-free numbers. These
numbers terminate in these countries, and many foreign telcos have
developed Home Country Direct services for their citizens to call home
from the US at cheaper rates.
As said before, many countries use CCITT 5 as their international
switching system. Therefore a new type of blueboxing has arisen:
blueboxing home directs on CCITT 5 is the GLOBAL blueboxing method.
CCITT 5 CONTROL TONES AND DIALSET
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dialset:
- Digits 0 - 9
- Control tones, Code11, Code12, Kp1, Kp2, ST
Forward Trunk Tones:
- Clear Forward/Ahead --> 2600hz+2400hz
- Seize --> 2400hz
This is how a call is set up using CCITT 5....
STEP 1

YOU------------------LOCAL C.O--------------INT GATEWAY-1
Dial number using--->Digits translated----->Digital routing
DTMF digits          to digital routing     translated, you are
011 505 864 444      "0110110101010"        calling a C5 connection
                                            therefore translated to
                                            MF digits....
                                            Kp2-505-1-864444-ST

STEP 2

------------------INT GATEWAY-2----------------LOCAL C.O--------HIM
MF tones sent---->MF translated to------------>Call setup------>Answer
                  dialset for that
                  country

Kp1 - Terminal Kp (i.e calls inside the called country)
Kp2 - Transit Kp (international calls from that country)
In CCITT 5, address information is composed as follows:
-* LOCAL/NATIONAL IN THE TERMINATING COUNTRY:
Kp1-dd-ac-number-ST
"Key Pulse One, discriminating digit, area code, number, Start"
-* TRANSIT INTERNATIONAL CALLS FROM THE COUNTRY:
Kp2-cc-dd-ac-number-ST
"Key Pulse Two, country code, discriminating digit, area code, number,
Start"
ac ---> area code (NPA) of the place you're calling
cc ---> country code
dd ---> discriminating digit, tells the trunk HOW to route
Discriminating Digits...
CABLE - 0
SATELLITE - 1
OPERATOR - 2
MIL - 3
MICROWAVE/RADIO - 9
The signalling is sent as:
It is assumed that this communication is purely between gateways, and
leaves the subscriber out of the picture....
]U.S[ ]Nicaragua[
OUTGOING INT GATEWAY----------------------------INCOMING INT GATEWAY
[ DMS / 5ESS ] | [DMS / ESS / XBAR ]
| seizure f1 |
|--------------------------->|
| proceed-to-send f2 |
|<---------------------------|
| address info (MF) |
|--------------------------->|-TRANSLATED AND ROUTED
| answer f1 |
|<---------------------------|
| acknowledgement f1 |
|--------------------------->|
| |
| S P E E C H |
| |
| clear back f2 |
|<---------------------------|
| acknowledgement f1 |
|--------------------------->|
| clear forward f1/f2 |
|--------------------------->|
| release guard f1/f2 |
|<---------------------------|
| |
In short, blueboxing is simply emulating the tones that are used to
hang-up the call to an extent that the call you are on will clear but
the equipment back home will think you are still online to the 800
number you called. This means you now have an open trunk to play with
and route as you wish....
So...
In order to bluebox a call, for example:
"BUZZZZZZZ....WOO...WOO....WOO...PLEEP! PLEEP! "Aloha Nicaragua..."
SEND CLEAR FORWARD (2600hz+2400hz)
PLEEP!
SEND SEIZE (2400hz)
ROUTE CALL
In some cases, it will pleep after the Clear Forward and again after
the Seize. In other cases, it will make a double-pleep after sending
of the two tones.
As for generating the tones... If you have a PC, then I'd recommend
using TLO (THE LITTLE OPERATOR), Bluebeep, or Bluedial. As for Amiga
users, a friend of mine recommends Arested Dialer Workshop or The
Dialer.
A typical set of tones for seizing a trunk would be:

           TONE1   TONE2   DUR   DEL
CLR FRW    2600    2400    180   50
SEIZE      2400    2400    200   --

In some cases, a GUARD TONE is required. The guard tone is a device
used in the filtering process and is supposed to make signalling more
accurate and minimise false release. The guard tone may be added to the
Clear Forward and Seize or played at the end or beginning of the
sequence.
SOME GUARD TONES: 2100hz, 280hz, 1800hz, 500hz, 210hz, 440hz, 3900hz
Of those, the 2100hz is the most popular. Bear in mind that the use
of some guard tones can result in interesting "function seizes": these
are seizes that have a function, such as resetting all trunks, or
dropping you onto special control and verification trunks (see the 809
doc on verification)...
A working example of this is the NICARAGUA DIRECT seize (from UK):
TONE1 TONE2 GUARD DUR DEL
CLR FRW 2600 2400 2100 130 800
SEIZE 2400 2100 330 ---
Blueboxing this one a lot is _not_ recommended, though: the reason
why that seize is still functional, even after a file written about
2 years ago on the subject, is that British Telecom (BT) monitor the
line in conjunction with Nicaragua Telecom in order to catch
blueboxers, :(
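One way a carrier can spot this from the network side is to listen for
the forward line-signal frequencies (f1 = 2400hz, f2 = 2600hz) arriving
in the subscriber's audio. The following is an added example, not part of
the original file: a Goertzel filter that flags sustained f1/f2 energy in
8 kHz audio. The sample rate, frame length, thresholds, minimum duration
and the in-memory test signal are all assumptions of this example.

```python
import math

RATE = 8000            # samples per second (assumed narrowband capture)
F1, F2 = 2400, 2600    # forward line-signal frequencies named in the text
FRAME_MS = 20          # 160 samples -> 50 Hz bins, so F1 and F2 sit on bins

def goertzel_power(frame, freq, rate=RATE):
    """Squared DFT magnitude of `frame` at `freq` (Goertzel recurrence)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def classify_frame(frame):
    """Return 'f1+f2', 'f1', 'f2' or None, from the share of the frame's
    energy (0..1) that sits at each signalling frequency."""
    energy = sum(x * x for x in frame)
    if energy < 1e-9:                      # silence
        return None
    p1 = 2.0 * goertzel_power(frame, F1) / (len(frame) * energy)
    p2 = 2.0 * goertzel_power(frame, F2) / (len(frame) * energy)
    if p1 > 0.3 and p2 > 0.3 and p1 + p2 > 0.8:
        return "f1+f2"                     # compound tone
    if max(p1, p2) > 0.8:
        return "f1" if p1 > p2 else "f2"   # single tone
    return None

def scan(samples, min_ms=80):
    """List (label, start_ms, duration_ms) for tone runs of at least min_ms."""
    n = RATE * FRAME_MS // 1000
    labels = [classify_frame(samples[i:i + n])
              for i in range(0, len(samples) - n + 1, n)]
    events, start = [], 0
    for i in range(1, len(labels) + 1):
        if i == len(labels) or labels[i] != labels[start]:
            dur = (i - start) * FRAME_MS
            if labels[start] and dur >= min_ms:
                events.append((labels[start], start * FRAME_MS, dur))
            start = i
    return events

def mix(freqs, ms):
    """Constructed test signal: equal-amplitude sines, held in memory only."""
    return [sum(math.sin(2 * math.pi * f * t / RATE) for f in freqs) / len(freqs)
            for t in range(RATE * ms // 1000)]

VOICE = (350, 700, 1100)   # constructed stand-in for speech energy
SAMPLE = (mix(VOICE, 200) + mix((F1, F2), 160) + mix(VOICE, 100)
          + mix((F1, F2), 40)             # too short: ignored as talk-off
          + [0.0] * 480 + mix((F1,), 120) + mix(VOICE, 100))

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The minimum-duration check is what keeps a brief coincidence of speech
energy at these frequencies from raising an alert.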
COUNTRY DIRECT NUMBERS
======================
Why not try out your new found knowledge on these....?
Note that most of these will probably be SS7 switched, but an inband
trunk is always identifiable by the PLEEP made on answer and/or
hangup. On occasions this may be a click, but the general rule is that
a pleep is made.
I didn't scan these myself, and therefore I can only speculate as to
what switching system these use...
Guess:
Australia Direct 800-682-2878 SS7
Austria Direct 800-624-0043 SS7
Belgium Direct 800-472-0032 SS7
Belize Direct 800-235-1154 C5/SS7
Bermuda Direct 800-232-2067 C5/SS7
Brazil Direct 800-344-1055 C5/SS7/C4-R2
British VI Direct 800-248-6585 SS7/C5
Cayman Direct 800-852-3653 SS7
Chile Direct 800-552-0056 C5/SS7/SS7-R2
China Direct 800-532-4462 C5 or in RARE occasions SS7
Costa Rica Direct 800-252-5114 C5/SS7/C4-R2
Denmark Direct 800-762-0045 SS7
El Salvador Direct 800-422-2425 C5
Finland Direct 800-232-0358 SS7
France Direct 800-537-2623 SS7
Germany Direct 800-292-0049 SS7
Greece Direct 800-443-5527 C5/SS7
Guam Direct 800-367-4826 SS7
HK Direct 800-992-2323 SS7
Hungary Direct 800-352-9469 C5/SS7/C4-R2
Indonesia Direct 800-242-4757 C5 (IndoSAT) SS7/C5 (Satelindo)
Ireland Direct 800-562-6262 SS7
Italy Direct 800-543-7662 SS7
Japan Direct 800-543-0051 SS7
Korea Direct 800-822-8256 SS7
Macau Direct 800-622-2821 SS7/C5
Malaysia Direct 800-772-7369 SS7/C5
Netherlands Direct 800-432-0031 SS7
Norway Direct 800-292-0047 SS7
New Zealand Direct 800-248-0064 SS7
Portugal Direct 800-822-2776 C5
Panama Direct 800-872-6106 SS7
Philippines Direct 800-336-7445 C5/SS7
Singapore Direct 800-822-6588 C5/SS7
Spain Direct 800-247-7246 C4-R2/SS7/C5
Sweden Direct 800-345-0046 SS7 you can find C5 :)
Taiwan Direct 800-626-0979 SS7/C5
Thailand Direct 800-342-0066 SS7/C5
Turkey Direct 800-828-2646 SS7/C5/R2-C4
UK Direct 800-445-5667 SS7 :(
Uruguay Direct 800-245-8411 SS7 :( "WTF??? SS7? Uruguay?!"
Yugoslavia Direct 800-367-9841/9842 C4-R2/C5/SS7
The guesses I made are based on what the home directs are from the UK
and other countries where we have contacts. The UK is a bit of an
exception, because BT generally select the SS7 routes due to the "fraud"
that goes on via C5 lines... Some of the HCDs I checked myself.
China is an excellent example of this. From nearly every country, China
is C5, because C5 is the main signalling system used. BUT the BT 0800
to China is SS7. The reason behind this is that BT had problems with
"fraud" via China, most probably. They most probably pay a premium
price for the SS7 trunks in China...
As for the "xxx-R2" notation, that means that it may be R2 (digital or
analogue out-band [3825hz]). Because R2 is a REGIONAL system, it needs
to be interworked with an INTERCONTINENTAL system, and if the R2 is
analogue-switched-R2, then it is generally interworked with C4/C5/SS7.
R2 is complex, and it really needs another file to explain. In short,
it can be signalled using up to 6 different methods, broadly either
digital, analogue outband or on occasions hybrid-C4 connections using
some CCITT 4 tones. I really recommend reading the CCITT-4 and R2
manuals to get a better idea of these systems.
[check www.echelon1.cjb.net -> see FILEBASE]
CONCLUSION
==========
This guide is by no means the definitive guide to this method of blueboxing.
I hope that it has given you a basic grounding in this and has got you to do
some experimenting. The best way of getting into this is by experimentation
and by pooling knowledge with other blueboxers.
This method is pretty new to a lot of you in the U.S, and I hope that this
doc will better inform you of this.
dynamics
-=809=-
07/12/1999
17:52 (UK TIME)
"tHaNk-yOu, aNd gOoDbYe!....PLEEP"
...]mAnIc tElEcoM pEoPlE iNtErCePt bOxEd cAll:
...]"wE sTill rEcIevE an ack. tOne fRoM tHe gAtEway"
...]"hEllo?"
...]"(tHeY rEaLiSe tHaT wE kNoW...) Aaaah! PLEEP PLEEP"