Hitchhikers guide to the phone system.. Phreaking in the nineties

(By Billsf)

 

Introduction

 

 

In this article I will try to introduce you to the most complex machine on earth: the phone system. It's a guide to having fun with the technology, and I hope it will help you on your travels through the network. It is by no means a definitive manual: If you really want to get into this, there are lots of additional things you must learn and read.

This article assumes you know a little bit about the history of phreaking. It is meant as an update for the sometimes very outdated documents that can be downloaded from BBS's. In here I'll tell you which of the old tricks might still work today, and what new tricks you may discover as you become a phone phreak.

As you learn to phreak you will (hopefully) find ways to make calls that you could not make in any other way. Calls to test numbers that you cannot reach from normal network, calls to ships (unaffordable otherwise), and much more. As you tell others about the hidden world you have discovered, you will run into people who have been brainwashed into thinking that all exploration into the inner workings of the phone system is theft or fraud. Convincing these people of your right to explore is probably a waste of time, and does not advance your technical knowledge.

Phreaking is like magic in more than one way. Those people who are really good share their tricks with each other, but usually don't give out these tricks to anyone walking by. This will be somewhat annoying at first, but once you're really good you'll understand that it's very unpleasant if the trick you just discovered is wasted the very next day. I could tell you at least twenty new tricks in this article but I prefer to teach you how to find your own.

Having said this, the best way to get into phreaking is to hook up with other phreaks. Unlike any other sub-culture, phreaks are not bound by any geographical restrictions. You can find other phreaks by looking for hacker/phreak BBS's in your region. Having made contact there you may encounter these same people in teleconferences that are regularly set up. These conferences usually have people from all over the planet. Most phreaks from other contries outside the United States speak Englisch, so language is not as much of a barrier as you might think.

If you live in a currently repressed area, such as the United States, you should beware that even the things that you consider "harmless exploring" could get you into lots of trouble (confiscation of computer, fines, probation jail, loss of job, etc.). Use your own judgement and find your protection.

 

Getting Started

 

The human voice contains components as low as 70Hz, and as high as 8000Hz. Most energy however is between 700 and 900Hz. If you cut off the part under 200 and above 3000, all useful information is still there. This is exactly what phone companies do on long distance circuits.

If you think all you have to do is blow 2600Hz and use a set of twelve MF combinations, you have a lot of catching up to do. One of the first multi-frequency systems was R1 with 2600Hz as the line signalling frequency, but for obvious reasons it is rarely used anymore, except for some very small remote communities. In this case its use is restricted, meaning it will not give you access to all the world in most cases.

To begin with, all experimenting starts at home. As you use your phone, take careful note as what it does on a variety of calls. Do you hear "dialing" in the background of certain calls as they are set up? Do you hear any high pitched beeps while a call is setting up, as it's answered or at hangup of the called party?

Can you make your CO fial to complete a call either by playing with the switchhook or dialing strange numbers? If you are in the United States, did you ever do something that will produce a recording:"We're sorry, your call did not go through..." after about 15 seconds of nothing?

If you can do the last item, you are "in" for sure! Any beeps on answer or hang-up of the called party also means a sure way in. Hearing the actual MF tones produced by the telco may also be your way in. While it would be nice to find this behavior on a toll-free circuit, you may consider using a national toll circuit to get an overseas call or even a local circuit for a bigger discount. Every phone in the world has a way in. All you have to do is find one!

An overview of Systems

First we must start with numbering plans. The world is divided up into eight separate zones. Zone 1 is the United States, Canada and some Caribbean nations having NPA 809. Zone 2 is Africa. Greenland (299) and Faroe Islands (298) do not like their Zone 2 assignment, but Zones 3 and 4 (Europe) are all taken up. Since the DDR is now unified with BRD (Germany) the code 37 is up for grabs and will probably be subdivided into ten new country codes to allow the new nations of Europe, including the Baltics, to have their own codes. Greenland and the Faroe Islands should each get a 37x country code. Zone 5 is Latin America, including Mexico (52) and Cuba (53). Zone 6 is the south Pacific and includes Australia (61), New Zealand (64) and Malaysia (60). Zone 7 is now called CIS (formerly the Soviet Union), but may become a third European Code. Zone 8 is Asia and includes Japan (81), Korea (82), Vietnam (84), China (86), and many others. Zone 9 is the sub-continent of India (91) and surrounding regions. A special sub-zone is 87, which is the maritime satellite service (Inmarsat). Country code 99 is reserved as a test code for international and national purposes and may contain many interesting numbers.

In zone 1, a ten digit number follows with a fixed format, severely limiting the total number of phones. NPA's like 310 and 510 attest to that. The new plan (beginning in 1995) will allow the middle digit to be other than 1 or 0, allowing up to five times more phones. This is predicted to last into the 21st century. After that Zone 1 must move to the fully extensible system used in the rest of the world.

The "rest of the world" uses a system where "0" precedes the area code for numbers dialed within the country code. France and Denmark are notable ex-ceptions, where there are no area codes or just one as in France (1 for Paris and just eight digits for the rest). This system has proven to be a total mess - worse than the Zone 1 plan!

In the usual numbering system, the area code can be of any length, but at this time between one and five digits are used. The phone number can be any length too, the only requirement being that the whole number, including the country code but not the zero before the area code, must not exceed fourteen digits. Second dialtones are used in some systems to tell customers they are connected to the area they are calling and are to proceed with the number. With step-by-step, you would literally connect to the distant city and then actually signal it with your pulses. Today, if second dialtones are used it's only because they were used in the past. They have no meaning today, much like the second dialtones in the custom calling features common in the United States. The advantages of the above "linked" system is that it allows expansion where needed without affecting other numbers. Very small villages may only have a three digit number while big cities may have eight digit numbers. Variations of this basic theme are common. In Germany, a large company in Hamburg may have a basic five digit number for the reception and eight digit numbers for the employee extensions. In another case in this same town, analog lines have seven digits and ISDN lines have eight digits. In many places it common to have different length numbers coming to the same place. As confusing as it sounds, it really is easier to deal with than the fixed number plan!

International Signalling Systems

CCITT number four (C4) is an early system that linked Europe together and connected to other systems for overseas calls. C4 uses two tones: 2040 and 2400. Both are played together for 150mS (P) to get the attention of the distant end, followed by a "long" (XX or YY = 350mS) or a "short" (X or Y = 100mS) of either 2040 (x or X) or 2400 (y or Y) to indicate status of the call buildup. Address data (x=1 or y=0, 35 ms) is sent in bursts of four bits as hex digits, allowing 16 different codes. One hundred milliseconds of silence was placed between each digit in automatic working. Each digit there- fore took 240mS to send. This silence interval was non-critical and often had no timeout, allowing for manual working. C4 is no longer in wide use, but it was, due to its extreme simplicity a phreak favorite.

CCITT number five (C5) is still the world's number one overseas signalling method; over 80 percent of all overseas trunks use it. The "plieks" and tones on Pink Floyd's "The Wall" are C5, but the producer edited it, revealing an incomplete number with the old code for Londen. He also botched the cadance of the address signalling very badly, yet it really sounds OK to the ear as perhaps the only example most Americans have of what an overseas call sounds like!

In actual overseas working, one-half second of 2400 and 2600Hz, compound, is sent (clear forward) followed by just the 2400Hz (seize), which readies the trunk for the address signalling. All address signals are preceded with KP1 (code 13) for terminal traffic, plus a discriminating digit for the class of call and the number. The last digit is ST (code 15) to tell the system signalling is over. For international transit working, KP2 (code 14) is used to tell the system a country code follows, after which the procedure is identical to the terminal procedure.

CCITT six and seven (C6 and C7) are not directly accessible from the customer's line, yet many "inband" systems interface to both of thes. C6 is also called Common Channel Interoffice Signalling (CCIS) and as its name implies, a dedicated line carries all the setup information for a group of trunks. Modems (usually 1200 Bps) are used at each end of the circuit. CCIS is cheaper, and as an added benefit, killed all the child's play blue boxing that was common in the states in the 60's and early 70's. In the early 80's fiber and other digital transmission became commonplace, and a new signalling standard was required. C7 places all line, address, and result (backward) signalling on a Time Division Multiplexed Circuit (TDM and TDMC) along with everything else like data and voice. All ISDN systems require the use of SS7 to communicate on all levels from local to worldwide.

The ITU/CCITT has developed a signalling system for very wide and general use. One called "The European System", R2 has become a very widespread international system used on all continents. R2 is the most versatile end-to-end system ever developed. It is a two-way system like C7 and comes in two forms, analog and digital, both fully compatible with each other. R2 has completely replaced C4, with the possible exception of a few very remote areas where it works into R2 using using registers. Two groups of fifteen, two of six MF tones are used for each direction, the high frequency group forward and the low group backward. Line signalling can be digital with two channels or out- of-band at 3825Hz, DC, or in cases of limited bandwidth on trunks, can use the C4 line signals, just the 2040 + 2400Hz or 3000Hz or even backward signals sent in a forward direction. The signals can be digitally quantised using the A-law or u-law codec standards, resulting in compatible signals for analog lines. In international working, only a small part of the standard is mandatory with a massive number of options available. For national working, an ample number of MF combinations are "reserved for national use", providing an expandable system with virtually limitless capabilities. R2 is the "system of the nineties" and mastering this, for the first time, allows the phone phreak "to hold the whole world in his hands" in a manner that the person who coined this phrase could have only dreamed of in the early seventies!

With the exception of bilateral agreements between neighboring countries to make each other's national systems compatible, especially in border regions, all international systems in use are: C5, C6, C7, and R2. R2 is limited to a single numbering region by policy and must use one of the three remaining systems for overseas working. There are few technical limitations to prevent R2 from working with satellites, TASI, or other analog/digital underseas cables. The spec is flexible enough to allow overseas working, but is not done at the present time. R2 is likely to displace C5 on the remaining analog trunks in the near future.

DTMF is on a 4x4 matrix, one tone from a row and one from a column.

1=697+1209, etc.

1209 1336 1477 1633

697 1 2 3 A

770 4 5 6 B

852 7 8 9 C

941 * 0 # D

MF signalling, often used to signal between points, uses a 2 of 6 matrix.

Each tone has a weighting which adds up to an unique number.

The three standard sets of tones use this system.

Digit Weighting

1 0+1

2 0+2

3 1+2

4 0+4

5 1+4

6 2+4

7 0+7

8 1+7

9 2+7

0 (Code 10) 4+7

11 (Code 11) 0+12

12 (Code 12) 1+12

KP1 (Code 13) 2+12

KP2 (Code 14) 3+12

ST (Code 15) 7+12

For C5, either KP is 100mS and each digit lasts 50mS. A 50mS off time is used between each digit. For older R1 systems, the KP is 100mS and each digit is 68mS on and 68mS off. Modern systems are C5 compatible and use the C5 timing. In North America, an additional 50 or 68mS pause is inserted before the lastdigit.

Example: KP18(pause)2ST.....KP03120600148(pause)0ST. This pattern was added about 15 years ago and appears to be unnecessary, except to give an audible indication of false (blue box) signalling. Its is is HIGHLY recommended for phreaks where it is normally used by the telco! R2 is a COMPELLED system where reception of the forward signal produces a backward signal, which at its reception, stops the forward signal. The stopping of the forward signal stops the backward signal, and when the stopping of the backward signal is detected, a new forward signal is generated. This goes back and forth until all the information is transmitted. The backward signal (usually "1", send next digit) tells the sendig end what to send next. See the CCITT Red Book or Welch for complete information on both systems.

Weight

MFC

R2 forward

R2 Backward

0

700

1380

1140

1

900

1500

1020

2

1100

1620

900

4

1300

1740

780

7

1500

1860

660

12

1700

1980

540

C4 is the old European signalling system. The address signals have 35mS pause between each beep and 100mS pause (minimum) between each digit. Minimum time to send a digit (including pause) is 345mS. This system is limited use today, if at all.

x: 2040 35mS (binary "1")

y: 2400 35mS (binary "0")

X: 2040 100mS

Y: 2400 100mS

XX: 2040 350mS

YY: 2400 350mS

P: 2040+2400 150mS

Clear Forward: PXX

Transit Seizure: PX

Forward Transfer: PYY

Terminal Seizure: PY

1: yyyx

2: yyxy

3: yyxx

...

14: xxxy

15: xxxx

16: yyyy

Place

Event

Freq

Cadance

N. America

dialtone

350+440

Continuous

 

ring

440+480

2s on 4s off

 

busy

480+620

0.5s on 0.5s off

 

0.5s on 0.5s off

480+620

0.25 on 0.25 off

England

ring

450+500

0.25 on 0.5 off

(Australia,New Zealand, etc.)

 

 

0.25 on 2.0 off

Japan

ring

450+500

1.0 on 2.0 off

Holland

dialtone

150+450

Continuous

 

 

(450 at -8dB)

 

(450 at -8dB)

all

400 or 440

(See text)

 

SIT

950, 1400, 1800

(See text)

Most of the world's phone systems use only one low pitched tone to represent all calling status. The most common tones in use are 400Hz, 440Hz and 450Hz. In some cases the tones are modulated, usually AM, at 25 or 50Hz at variable depths. In some old switches, the ring modulates the tone, or it is just the harmonics of the ring frequency, which is usually 25Hz, but can be other frequencies, producing the "fart ring". Cadances for the busy are either the fast at 0.25 on and 0.25 off, or the slow at 0.5 on and 0.5 off. Ring signals are usually on one second and off for two, but can vary. In Iraq, the ring is continuous! The SIT (Subscriber Information Tone) is 950 then 1400 and then 1800Hz. The total length is about one second. The lengths of the individual tones are sometimes variable to impart different meanings for automatic detection.

 

National Signalling Systems

CCITT 1, 2 and 3 are early international standards for signalling the distant end. C1 is just a 500Hz line signalling tone, and was used to alert the operator at a distant switchboard that there was traffic and no DC path, due to amplifiers or repeaters on a relatively long circuit. C1 has only one line signalling function (forward transfer) and no address signalling. It is probably used nowhere.

CCITT 2 was the first international standard that used address signalling, allowing automatic completion of calls. Two frequencies, 600Hz and 750Hz, were used for line signalling and by pulsing between the two frequencies, representing make and break, of the loop current at the distant end during signalling, calls were automatically pulse dialable. You may actually find this system in limited use in very remote parts of Australia or South Africa. Fairly high signalling levels are required and may very well make customer signalling impossible, unless you are right there. Travel to both the above countries should be fascinating however for both phone play and cultural experience!

CCITT 3 is an improved pulse system. Onhook is represented by the presence of 2280Hz and offhook by the absence of 2280Hz. This exact system is still used in a surprising number of places. Pulse-dial PBX's often use C3 to signal distant branches of a company over leased lines. Signalling for this system is generally at a much lower level than C2: The tones will propagate over any phone line.

A system from the early 50's is called R1. Many people remember R1 as the Blue boxes of the 60's and 70's . R1 is still in wide use in the United States, Canada and Japan. The use of 2600Hz for line signalling is quite rare in the 90's, but can be found in all of the above countries. Address signalling uses the MFC standard which is a combination of two of six tones between 700Hz and 1700Hz as in CCITT 5. Alsmost all R1 used either "out of band" signalling at 3825Hz or 3350Hz or some form of digital or DC line signalling. To use this system from home one must find an indirect method of using the "out of band" signalling. In North America, most signalling from your central office to your long distance carrier is R1, as is most OSPS/TSPS/TOPS operator traffic.

Pulse systems like CCITT 2 and 3 are still used in national systems. In North America, the C3 standard using 2600Hz in place of 2280 for national working was commonplace through the 70's and still has limited end-to-end use today. "End-to-end" use refers to sending just the last few digits (usually five) to complete the call at the distant end. The only use this may have to the phreak would be to make several calls to a single locality on one quarter. It may be possible that a certain code would drop you into an R1, but you just have to experiment! This type of system is referred to as 1VF, meaning "one Voice Frequency". The other standard frequency, for use outside North America, is 2400Hz. A national system using two voice frequencies (2VF) may still be used in remote areas of Sweden and Norway. The two frequencies are 2400Hz and 2600Hz. Playing these two systems in Europe predates the cracking of the R1 and C5 systems in the late 50's and early 60's respectively. The first phone phreak was probably in Sweden.

Common Channel Interoffice Signalling (CCIS) is CCITT 6 developed for national use and employing features that are of interest to national administrations. R1 often plays into a gateway being converted to CCIS and CCIS will play into a gateway that converts to C5, C6 or C7 for international working. The bulk of the ATT net is CCIS in North America, while R1 is often used by your CO talk to it and the lessel networks. CCITT 7 is the digital system and is the same nationally as internationally. C7 allows the greatest efficiency of all systems and will in time be the world system. C7 has much more speed and versatility than R2, but is a digital only system. All fiber optic systems employ SS7 (C7).

No discussion of systems is complete without mentioning Socotel. Socotel is a general system developed by the French. It is a hodgepodge of many systems, using MFC, pulse tone, pulse AC and pulse DC system. Most (all?) line signalling tones can be used. An inband system can use 2500Hz as a clear forward and 1700 or 1900Hz for seize or, in Socotel terms, "confirm". Most line signalling today is "out of band", but unlike normal outband signalling, it is below band: DC, 50Hz or 100Hz. It is a "brute force" system using 100V levels, insuring no customer has a chance of getting it directly! Call setup on the AC systems often has a very characteristic sound of of short bursts of 50Hz or 100Hz buzz, followed by the characteristic French series of 500 Hz beeps to alert the customer that the call has been received from the Socotel by the end office and is now being (pulse) dialed. Calls often don't make it through all the gateways of a Socotel system, sometimes giving the French phreak a surprise access where it stuck!

On a national level there are even more systems and some are very bizarre. Some use backward R2 tones in the forward direction for line signalling, giving analog lines the versatility of digital line signalling. There have been some interlocal trunks that actually used DTMF in place of MF! The "Silicon Valley" was once served by DTMF trunks for instance. When I visited my local toll office and was told this and pressed for an answer as to why, I was told "We had extra (expensive then) DTMF receivers and used them!" As a phreak, be ready for anything as you travel the world.

 

Stuff to read

 

Signalling in Telecommunications Networks, S. Welch, 1979

ISBN 0 906048 044

The Institution of Electrical Engineers, Londen & New York

CCITT Red Book, Blue Book, Green Book and whatever other colors of books

they have, Concentrate on the Q norms.

Telecommunications Engineering, Roger L. Freeman

 

- EOF -