------------------------------------------------------------------
     The Mark Tabas encounter
         series presents:
 
       -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
           Better Homes and Blue Boxing
                      Part I
                 Theory of Operation
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 
   To quote Karl Marx, blue boxing has always been the most
noble form of phreaking. As opposed to such things as using an
MCI code to make a free fone call, which is merely mindless
pseudo-phreaking, blue boxing is actual interaction with the
Bell System toll network. It is likewise advisable to be more
cautious when blue boxing, but the careful phreak will not be
caught, regardless of what type of switching system he is under.
 
   In this part, I will explain how and why blue boxing works,
as well as where. In later parts, I will give more practical
information for blue boxing and routing information.
 
   To begin with, blue boxing is simply communicating with
trunks. Trunks must not be confused with subscriber lines (or
'customer loops'), which are standard telefone lines. Trunks are
those lines that connect central offices. Now, when trunks are
not in use (i.e., idle or 'on-hook' state) they have 2600Hz
applied to them. If they are two-way trunks, there is 2600Hz in
both directions. When a trunk IS in use (busy or 'off-hook'
state), the 2600Hz is removed from the side that is off-hook.
The 2600Hz is therefore known as a supervisory signal, because
it indicates the status of a trunk: on-hook (tone) or off-hook
(no tone). Note also that 2600Hz denotes SF (single frequency)
signalling and is 'in-band.' This is very important. 'In-band'
means that it is within the band of frequencies that may be
transmitted over normal telefone lines, so a subscriber can put
it on the line from his own handset. Other SF signals, such as
3700Hz, are used also. However, they cannot be carried over the
telefone network normally (they are 'out-of-band') and are
therefore not able to be taken advantage of as 2600Hz is.
 
   Back to trunks. Let's take a hypothetical phone call. You
pick up your fone and dial 1+806-258-1234 (your good friend in
Amarillo, Texas). For ease, we'll assume that you are on #5
Crossbar switching and not in the 806 area. Your central office
(CO) would recognize that 806 is a foreign NPA, so it would
route the call to the toll centre that serves you. [For the sake
of accuracy here, and for the more experienced readers, note
that the CO in question is a class 5 with LAMA that uses
out-of-band SF supervisory signalling]. Depending on where you
are in the country, the call would leave your toll centre (on
more trunks) to another toll centre, or an office of higher
'rank'. Then it would eventually be routed to central office
806-258 and the call would be completed.
 
 Illustration:
 
 A---CO1-------TC1------TC2----CO2----B
 
 A=you  CO1=your central office
 TC1=your toll office.
 TC2=toll office in Amarillo.
 CO2=806-258 central office.
 B=your friend (806-258-1234)
 
   In this situation it would be realistic to say that CO2 uses
SF in-band (2600Hz) signalling, while all the others use
out-of-band signalling (3700Hz). If you don't understand this,
don't worry too much. I am pointing this out merely for the sake
of accuracy. The point is that while you are connected to
806-258-1234, all those trunks from YOUR central office (CO1) to
the 806-258 central office (CO2) do *NOT* have 2600Hz on them,
indicating to the Bell equipment that a call is in progress and
the trunks are in use.
 
   Now let's say you're tired of talking to your friend in
Amarillo (806-258-1234), so you send 2600Hz down the line. This
tone travels down the line to your friend's central office (CO2)
where it is detected. However, that CO thinks that the 2600Hz is
originating from Bell equipment, indicating to it that you've
hung up, and thus that the trunks are once again idle (with
2600Hz present on them). But actually, you have not hung up; you
have fooled the equipment at your friend's CO into thinking you
have. Thus, it disconnects him and resets the equipment to
prepare for the next call. All this happens very quickly
(300-800ms for step-by-step equipment and 150-400ms for other
equipment). When you stop sending 2600Hz (after about a second),
the equipment thinks that another call is coming towards it
(i.e., it thinks the far end has come 'off-hook' since the tone
has stopped). It could be thought of as a toggle switch: tone
--> on-hook, no tone --> off-hook. Now that you've stopped
sending 2600Hz, several things happen:
 
 1) A trunk is seized (the CALLING end has gone off-hook).

 2) On delay-dial trunks, the CALLED end answers by going
off-hook, telling the CALLING end that it is not ready to
receive digits yet. (Wink-start trunks skip this step; see 4.)

 3) A register (the digit receiver) is found and attached to the
CALLED end of the trunk within about two seconds (max).

 4) A start-dial signal is sent to the CALLING end from the
CALLED end indicating that the CALLED end is ready to receive
digits. On delay-dial trunks this is the return to on-hook; on
wink-start trunks it is the 'wink' itself, a brief off-hook
pulse.
 
 Now, all of this is pretty much transparent to the blue boxer.
All he really hears when these four things happen is a
<beep><kerchunk>. So, seizure of a trunk would go something like
this:
 
   1> Send a 2600Hz
   2> Terminate 2600Hz after 1-2 secs.
   3> [beep][kerchunk]
 
   Once this happens, you are connected to a tandem that is
ready to obey your every command. The next step is to send
signalling information in order to place your call. For this you
must simulate the signalling used by operators and automatic
toll-dialing equipment for use on trunks. There are mainly two
systems, DP (dial pulse) and MF. However, DP went out with the
dinosaur, so I'll only discuss MF signalling. MF
(multi-frequency) signalling is the signalling used by the
majority of the inter- and intra-LATA network. It is also used
in international dialing, where it is known as the CCITT No. 5
system. MF signalling consists of 6 frequencies, beginning with
700Hz and separated by 200Hz (700, 900, 1100, 1300, 1500 and
1700Hz). Each of the digits 0 thru 9, plus 5 additional special
signals, is represented by a different pair of these
frequencies. The frequencies and uses are as follows:
 
 Frequencies (Hz)  Domestic    Int'l
 --------------------------------------
  700+900             1          1
  700+1100            2          2
  900+1100            3          3
  700+1300            4          4
  900+1300            5          5
 1100+1300            6          6
  700+1500            7          7
  900+1500            8          8
 1100+1500            9          9
 1300+1500            0          0
 
  700+1700            ST3p       Code 11
  900+1700            STp        Code 12
 1100+1700            KP         KP1
 1300+1700            ST2p       KP2
 1500+1700            ST         ST
 
   The timing of all the MF signals is a nominal 60ms, except
for KP, which should have a duration of 100ms. There should also
be a 60ms silent period between digits. This is very flexible,
however, and most Bell equipment will accept outrageous timings.
 
   In addition to the standard uses listed above, MF pulsing
also has expanded usages known as 'expanded inband signalling'
that include such things as coin collect, coin return, ringback,
operator attached, and operator released. KP2, code 11, and code
12 and the ST_ps (STart 'primes') all have special uses which
will be mentioned only briefly here.
 
   To complete a call using a blue box, once seizure of a trunk
has been accomplished by sending 2600Hz and pausing for the
<beep><kerchunk>, one must first send a KP. This readies the
register for the digits that follow. For a standard domestic
call, the KP would be followed by either 7 digits (if the call
were in the same NPA as the seized trunk) or 10 digits (if the
call were not in the same NPA as the seized trunk). [Exactly
like dialing a normal fone call]. Following the KP and the 7 or
10 digits, a STart is sent to signify that no more digits
follow. Example of a complete call:
 
   1> Dial 1-806-258-1234
   2> Wait for a call-progress indication (such as ring, busy,
      recording, etc.)
   3> Send 2600Hz for about 1 second.
   4> Wait for about 2 seconds while a trunk is seized.
   5> Send KP+305+994+9966+ST
 
   The call will then connect if everything was done properly.
Note that if a call to an 806 number were being placed in the
same situation, the area code would be omitted and only KP+seven
digits+ST would be sent.
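
   To make the MF table, the nominal timings and the complete
call sequence above concrete, here is an added Python model that
is not part of Mark Tabas's text. build_call() produces the
audio a box would send: about a second of 2600Hz to seize the
trunk, a pause, then KP, the digits and ST using the frequency
pairs and 60ms/100ms/60ms timings from the table. decode() is a
Goertzel receiver that recovers the supervision event and the MF
symbols from that audio, and register() applies the KP ... ST
framing rule the way a register would. The 8 kHz sample rate,
the 20ms analysis frame, the detection thresholds and the
register() checks are my assumptions, not figures from the text.

```python
"""Blue-box signalling model: MF (R1) sender plus a Goertzel receiver.
Added example, not from the original article.  Frequencies and nominal
timings are the ones in the text; the sample rate, frame size, thresholds
and the register() checks are assumptions."""
import math

SAMPLE_RATE = 8000          # assumption: 8 kHz toll-quality PCM
FRAME_MS = 20               # assumption: 20 ms analysis frames (160 samples)
SUPERVISION_HZ = 2600       # SF supervisory tone: present = on-hook

# MF table from the article, domestic column.
MF_TABLE = {
    "1": (700, 900),   "2": (700, 1100),  "3": (900, 1100),
    "4": (700, 1300),  "5": (900, 1300),  "6": (1100, 1300),
    "7": (700, 1500),  "8": (900, 1500),  "9": (1100, 1500),
    "0": (1300, 1500),
    "ST3p": (700, 1700), "STp": (900, 1700), "KP": (1100, 1700),
    "ST2p": (1300, 1700), "ST": (1500, 1700),
}
PAIR_TO_SYMBOL = {pair: sym for sym, pair in MF_TABLE.items()}
MF_FREQS = (700, 900, 1100, 1300, 1500, 1700)

DIGIT_MS, KP_MS, GAP_MS = 60, 100, 60   # nominal MF timings from the article


def tone(freqs, ms, amplitude=0.5):
    """Sum of sinusoids at the given frequencies, amplitude shared equally."""
    n = int(SAMPLE_RATE * ms / 1000)
    per = amplitude / len(freqs)
    return [per * sum(math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


def silence(ms):
    return [0.0] * int(SAMPLE_RATE * ms / 1000)


def build_call(digits, seize_ms=1000, settle_ms=2000):
    """~1 s of 2600Hz to seize, ~2 s pause for the trunk, then KP+digits+ST."""
    samples = tone((SUPERVISION_HZ,), seize_ms) + silence(settle_ms)
    for sym in ["KP", *digits, "ST"]:
        samples += tone(MF_TABLE[sym], KP_MS if sym == "KP" else DIGIT_MS)
        samples += silence(GAP_MS)              # inter-digit silent period
    return samples


def goertzel_power(frame, freq):
    """|DFT bin|^2 at freq; exact here because freq is a multiple of fs/N."""
    n = len(frame)
    k = round(n * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def classify_frame(frame):
    """Label a frame 'silence', '2600', an MF symbol, or '?' (unrecognised)."""
    if sum(x * x for x in frame) < 1e-6:        # assumption: quiet threshold
        return "silence"
    powers = {f: goertzel_power(frame, f) for f in MF_FREQS + (SUPERVISION_HZ,)}
    peak = max(powers.values())
    strong = tuple(f for f in sorted(powers) if powers[f] > 0.5 * peak)
    if strong == (SUPERVISION_HZ,):
        return "2600"
    return PAIR_TO_SYMBOL.get(strong, "?")


def decode(samples):
    """Run the receiver frame by frame and collapse runs into a symbol stream."""
    n = SAMPLE_RATE * FRAME_MS // 1000
    events, prev = [], "silence"
    for start in range(0, len(samples) - n + 1, n):
        label = classify_frame(samples[start:start + n])
        if label != prev and label not in ("silence", "?"):
            events.append(label)                # one event per tone burst
        prev = label
    return events


def register(events):
    """Model of the register: seizure, then KP, 7 or 10 digits, then ST.
    Returns the dialled digits, or None if the framing rule is violated."""
    if len(events) < 3 or events[0] != "2600" or events[1] != "KP" \
            or events[-1] != "ST":
        return None
    digits = "".join(events[2:-1])
    if not digits.isdigit() or len(digits) not in (7, 10):
        return None
    return digits


if __name__ == "__main__":
    audio = build_call("3059949966")            # the KP+305+994+9966+ST call
    events = decode(audio)
    print(events)
    print(register(events))
```

   The point the model makes is the one the text makes: the
supervision tone and the routing digits travel in the same
voice band as the conversation, so the receiver cannot tell a
subscriber's 2600Hz from the network's own. Nothing in the
receiver distinguishes them; register() only checks framing.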
 
   Code 11 and code 12 are used in international calling to
request certain types of operators. KP2 is used in international
calling to route a call other than by way of the normal route,
whether for economic or equipment reasons.
 
   STp, ST2p, and ST3p (prime, two prime, and three prime) are
used in TSPS signalling to indicate the type of call (such as
coin, direct-dialed).
 
    This has been Part I of Better Homes and Blue Boxing. I hope
you enjoyed and learned from it. If you have any questions,
comments, threats or insults, please feel free to drop me a
line. If you have noticed any errors in this text (yes, it does
happen), please let me know and perhaps a correction will be in
order. Part II will deal mainly with more advanced principles of
blue boxing, as well as routings and operators.
 
   Note 1: other highly trunkable areas include:
816,305,813,609,205.  

......................................
(c) January 7, 1985     Mark Tabas
......................................
 
