26                                               The Boxing Book
_______________________________________________________________________
                            Chapter 3

                      International Dialing
                      ---------------------

INTERNATIONAL DIALING by Dr Jimmy and Mr Jim
---------------------

                The Phun of International Calling
                ---------------------------------
                              -or-
        How you can be an diplomat for the United States
        ------------------------------------------------

     There are several ways to complete the overseas connection.

     One is to use extenders (800 #s) with international calling 
capability, this is easy for most people since it can be done 
from fortress phones (payphones), what a mind blower, calling a 
overseas payphone from a payphone. But 800 #s can be traced.

     Another bummer is that they can not be called from the 
Lyons' Teleconferencing Network, well not directly that is. 
Another alternative is to use a PBX or PABX system which will 
dial an outside line, well the 800 extenders are also PBXs usual
ly, but PBXs which do not have an NPA of 800 are only good for 
local calls can be called in from the teleconference, but the 
connection is not that great. I know, because on a recent tele
conference we called a girl in London and the American Embassy in 
Iran, and a couple of Australian payphones. Another problem with 
bringing PBXs and extenders into the teleconference is getting 
rid of them if the phone answers busy or doesn't answer. You have 
to blast 2600Hz on the teleconference, this can trunk many people 
on line. Unfortunately at the present time, international calling 
and Lyons' teleconferencing do not go well together. This fact 
shattered this phreak's dream of a worldwide teleconference.

     Enough about that. Here are some ways to calling interna
tionally with a Blue Box or anything that generates MF tones.  
First of all, seize a tandem in the usual way and perform this 
sequence of events:

     KP + NPA + ZZZ + ST

     Where KP and ST are the standard tones you all familiar 
with, and NPA, ZZZ are the Number Planning Area and number of the 
overseas sender respectively. (They will be listed later.) Now 
you should here a slight clunk-cheep or CLUNK, depending on where 
you are. Then a continuous carrier is heard. This is what you 
want. Now do this sequence of events:

     KP + XCC + SC + LN + ST

Where X is a 1 for cable connection
             0 for satellite connection


_______________________________________________________________________
                        Copyright 1990
27                                        International Dialing 
_______________________________________________________________________
CC is the two or three digit country code
SC is the City Code of the city you wish to call
LN is the Local Number, this can be from three to eight digits.

     Also since you are using a MFer you can reach inward opera
tors. I do not know if this can be done from an PBX or extender.

     The list of some the country codes and city codes are listed 
at the end of this file, or are available from the phone book 
(medium to large cities with direct international calling avail
able through 011, usually are listed in the front few pages.)

     OR you can do it as the Doctor does, make the phone company 
operators work for their money, use Rate and Route.

     To call up Rate and Route, get on your favorite trunk and 
beep this:

    KP + 800 + 141 + 1212 + ST

     Now you may note, this has a NPA of 800, but it cannot be 
directly dialed through DTMF or rotary since it is an invalid 
exchange to you the subscriber.

     When you call this up, you will be connected with a TSPS 
position and if all the positions are busy, it will give you a 
recording: 'Please hold on. All positions are busy at the moment 
and your request will be answered as soon as possible.' Wait, it 
really does answer.

     When you are hooked up to the Rate and Route operator ask 
for:

TSPS International Inward Operators Route to ....., or
TSPS International Directory Assistance Route to .....

where ..... is the city and country NAME, not code. and she/he 
will say: "Right. That's  county code CC, city code SC, and then 
the number is #####."

     And these numbers do vary. London information is:

           44 + 1 + 986 + 3611

     and Sydney, Australia is:

            61 + 2 + 0143

     I am not completely certain, but I believe when you MF into 
a non-English speaking country, Inward and D. A. Ops speak Eng
lish because I believe they know it is coming from the United 
States. At least this happened with me when I called German D. A.

     I have not called any country, other than Germany, which 
does not have English as its main language.


_______________________________________________________________________
                       M & M Enterprises
28                                               The Boxing Book
_______________________________________________________________________

A list of the overseas senders:

      Location       NPA         Number
      --------       ---         ------
White Plains, NY     914          182
New York City        212          183
Pittsburgh, PA       412          184
Orlando, FL          305          185
Oakland, CA          415          186
Denver, CO           303          187



Overseas Boxing By King Blotto
---------------

     The miracles of a blue box can't unfold, until one takes 
full advantage of it by calling overseas. There has been much 
speculation about boxing overseas, and alot of B.S.

     First off, there is no such thing as KP2! Or 11 or 12 tones. 
This is just somebody's ramblings! There is a KP special tone, 
but more on that some other day. Anyways, the correct procedure 
to calling international via blue box is:

     KP011CCCS <- where CCC is the country code. And it
                  must be 3 digits long. If the code is
                  only 2 (e.g. England), then a '0' must
                  prefix it.

     Second sequence is :

     KP01CCXXXxxxx <- where CC is the 2 digit city code
                  with a '0' used as a prefix if less than
                  two digits. XXX-xxxx is the local number.
                  Don't forget the ST tone at the end.

     Anyways, an example call to England, to the Kelshire Hilton 
in London would go:

      KP011044ST
      KP01016035342ST

     You should already know how to seize a tandem. But, as a 
tip, you should use something that is used to being used for long 
periods of time:










_______________________________________________________________________
                        Copyright 1990
29                                        International Dialing 
_______________________________________________________________________
The History Of British Phreaking by Lex Luthor
--------------------------------

     (With thanks to Peter McIvers for the list of frequencies 
mentioned later in this file.)

     NOTE: the British Post Office, is the U.S. equivalent of Ma 
Bell.

     In Britain, phreaking goes back to the early fifties, when 
the technique of 'Toll A drop back' was discovered. Toll A was an 
exchange near St. Paul's which routed calls between London and 
nearby non-London exchanges. The trick was to dial an unallocated 
number, and then depress the receiver-rest for 1/2 second. This 
flashing initiated the 'clear forward' signal, leaving the caller 
with an open line into the Toll A exchange. He could then dial 
018, which forwarded him to the trunk exchange- at that time, the 
first long distance exchange in Britain- and follow it with the 
code for the distant exchange to which he would be connected at 
no extra charge.

     The signals needed to control the UK network today were 
published in the "Institution of Post Office Engineers Journal" 
and reprinted in the Sunday Times (15 Oct. 1972).

     The signaling system they use: signaling system No. 3 uses 
pairs of frequencies selected from 6 tones separated by 120Hz. 
With that info, the phreaks made "Bleepers" or as they are called 
here in the U.S. "Blue Box", but they do utilize different MF 
tones then the U.S., thus, your U.S. blue box that you smuggled 
into the UK will not work, unless you change the frequencies.

     In the  early seventies, a simpler system based on different 
numbers of pulses with the same frequency (2280Hz) was used. For 
more info on that, try to get ahold of: Atkinson's "Telephony and 
Systems Technology".

     The following are timing and the frequencies for boxing in 
the UK and other foreign countries. Special thanks to Peter 
McIvers for the following info:

     British "bleeper" boxes have the very same layout as U.S. 
blue boxes. The frequencies are different, though. They use two 
sets of frequencies, forward and backward. Forward signals are 
sent out by the bleeper box; the backward signals may be ignored 
(it's sort of like using full duplex). The frequencies are as 
follows:

U.S.:
UK:	     700    900    1100   1300	 1500	1700
Forward:    1380   1500    1620   1740	 1860	1980 Hz
Backward:   1140   1020    900	   780	  660	 540 Hz





_______________________________________________________________________
                       M & M Enterprises
30                                               The Boxing Book
_______________________________________________________________________
     For example, change the 900 Hz potentiometers in your box to 
1500 Hz. All numbers 1-0 (10) are in the same order as in an 
American box. The ones after this are their codes for operator 
11, operator 12, spare 13, spare 14, and 15. 

     One of these is KP, one (probably 15) is Star; it won't be 
too hard to figure out. The signals should carry -11.5dBm +/- 1dB 
onto the line; the frequencies should be within +/- 4Hz (as is 
the British equipment). Also, the 1VF system is still in opera
tion in parts of the U.K. This would encode all signals 1 to 16 
as binary numbers; for instance, a five is 0101. There are six 
intervals per digit, each 50ms long for a total of 300ms. First 
is a start pulse of 2280 for 50ms. Then, using the example of 
five (0101), there is a 50ms pause, a 50ms pulse of 2280, a 50ms 
pause, and a 50ms pulse of 2280. Finally, there is a 50ms pause 
that signals the end of the digit. The frequency tolerance on the 
2280 Hz is +/- 0.3%; it is sent at -6 +/- 1dBm.  An idle line is 
signaled by the presence of a 3825Hz tone for more than 650ms. 
This must be within 4Hz.

     France uses the same box codes as the US, with an additional 
1900Hz acknowledgement signal, at -8.7 +/- 1dBm per frequency.

     Spain uses a 2 out of 5 mf code (same frequencies as US), 
with a 1700 Hz acknowledge signal.

     Other places using the 1VF system are:

Australia, 2280Hz +/-6Hz, 35ms/digit at -6dB.

Germany, France: same as Australia; also, some 1VF systems in the 
UK.

Switzerland: same as Australia, only it uses 3000Hz, not 2280.

Sweden: same as above, but at 2400Hz.

Spain: some parts use 1VF with 2500Hz.

     There is one other major system: the 2VF system. In this 
system, each digit is 35ms long. The number is encoded in binary 
as with the 1VF system. Using the example of five (0101), here's 
how the American 2VF system was sent:

2400 pulse, pause, 2040 pulse, pause, 2400 pulse, pause, 2040 
pulse, pause. The digits and pauses are all 35ms long, for a 
total of 280ms per digit. Other countries are still using a 
similar high/low pair with the same timings. Some parts of Italy 
use the 1VF system with 2040Hz; some use the 2VF system with 2040 
and 2400 (same as original US) Hz. The Netherlands uses a 2VF 
system with 2400 and 2500 Hz pulses. With the 2VF system, all 
frequencies should be within 2Hz.





_______________________________________________________________________
                        Copyright 1990
31                                        International Dialing 
_______________________________________________________________________
     Also, here are some specs for American phone equipment:

Dial Tone: 350+440Hz, -17.5 to -14.5 dBm/tone.

Off-Hook (ROH): 1400+2060+2450+2600(!) on/off 5 times per second

Busy: 480+620Hz; slow busy: 0.5 +/- 0.05 sec = 1 period
(about twice a second), at -28.5 to -22.5 dBm/tone.

Ring: 440+480 Hz at -23.5 to -20.5 dBm/tone.
A ring is modulated at 20 +/- 3Hz, 2sec on, 4sec off.

Call waiting: 440Hz, on 1 second.

Recorder Connection: 1400Hz, beeps every 15minutes.

Multiparty line ring: same frequency and modulation as ring, but 
1sec on, 2sec off (twice as fast).

     Now, back to British Phreaking:In the early days of British 
phreaking, the Cambridge University Titan Computer was used to 
record and circulate numbers found by the exhaustive dialing of 
local networks. These numbers were used to create a chain of 
links from local exchange to local exchange across the country, 
bypassing the trunk circuits. Because the internal routing codes 
in the UK network are not the same as those dialed by the caller, 
the phreaks had to discover them by 'probe and listen' techniques 
or more commonly known in the U.S.--SCANNING. What they did was 
put in likely signals and listened to find out if they succeeded. 
The results of scanning were circulated to other phreaks. Discov
ering each other took time at first, but eventually the phreaks 
became organized. The "TAP" of Britain was called "Undercurrents" 
which enabled British phreaks to share the info on new numbers, 
equipment etc.

     To understand what the British phreaks did, think of the 
phone network in three layers of lines: Local, trunk, and inter
national. In the UK, Subscriber Trunk Dialing (STD), is the 
mechanism which takes a call from the local lines and (legiti
mately) elevates it to a trunk or international level. The UK 
phreaks figured that a call at trunk level can be routed through 
any number of exchanges, provided that the right routing codes 
were found and used correctly. They also had to discover how to 
get from local to trunk level either without being charged (which 
they did with a bleeper box) or without using (STD). Chaining has 
already been mentioned but it requires long strings of digits and 
speech gets more and more faint as the chain grows, just like it 
does when you stack trunks back and forth across the U.S. The way 
the security reps snagged the phreaks was to put a simple 'print
ermeter' or as we call it: a pen register on the suspects line, 
which shows every digit dialed from the subscribers line.






_______________________________________________________________________
                       M & M Enterprises
32                                               The Boxing Book
_______________________________________________________________________
     The British prefer to get onto the trunks rather than chain
ing. One way was to discover where local calls use the trunks 
between neighboring exchanges, start a call and stay on the trunk 
instead of returning to the local level on reaching the distant 
switch. This again required exhaustive dialing and made more work 
for Titan; it also revealed 'fiddles', which were inserted by 
Post Office Engineers. What fiddling means is that the engineers 
rewired the exchanges for their own benefit. The equipment is 
modified to give access to a trunk with out being charged, an 
operation which is pretty easy in Step by Step (SXS) electrome
chanical exchanges, which were installed in Britain even in the 
1970s (NOTE: I know of a back door into the Canadian system on a 
4A CO., so if you are on SXS or a 4A, try scanning 3 digit ex
changes, i.e.,: dial 999,998,997 etc. and listen for the beep-
kerchink, if there are no 3 digit codes which allow direct access 
to a tandem in your local exchange and bypasses the AMA so you 
won't be billed, not have to blast 2600 every time you wish to 
box a call.

     A famous British 'fiddler' revealed in the early 1970s 
worked by dialing 173. The caller then added the trunk code of 1 
and the subscribers local number. At that time, most engineering 
test services began with 17X, so the engineers could hide their 
fiddles in the nest of service wires. When security reps started 
searching, the fiddles were concealed by tones signaling: 'number 
unobtainable' or 'equipment engaged' which switched off after a 
delay. The necessary relays are small and easily hidden.

     There was another side to phreaking In the UK in the six
ties. Before STD was widespread, many 'ordinary' people were 
driven to occasional phreaking from sheer frustration at the 
inefficient operator controlled trunk system. This came to a head 
during a strike about 1961 when operators could not be reached. 
Nothing complicated was needed. Many operators had been in the 
habit of repeating the codes as they dialed the requested numbers 
so people soon learnt the numbers they called frequently. The 
only 'trick' was to know which exchanges could be dialed through 
to pass on the trunk number. Callers also needed a pretty quiet 
place to do it, since timing relative to clicks was important. 

     The most famous trial of British phreaks was called the Old 
Baily trial. Which started on 3 Oct. 1973. What they phreaks did 
was to dial a spare number at a local call rate but involving a 
trunk to another exchange. Then they send a 'clear forward' to 
their local exchange, indicating to it that the call is finished; 
but the distant exchange doesn't realize because the caller's 
phone is still Off the hook. They now have an open line into the 
distant trunk exchange and sends to it a 'seize' signal: '1' 
which puts him onto its outgoing lines. Now, if they know the 
codes, the world is open to them. All other exchanges trust his 
local exchange to handle the billing; they just interpret the 
tones they hear. 





_______________________________________________________________________
                        Copyright 1990
33                                        International Dialing 
_______________________________________________________________________
     Meanwhile, the local exchange collects only for a local 
call. The investigators discovered the phreaks holding a confer
ence somewhere in England surrounded by various phone equipment 
and bleeper boxes, also printouts listing 'secret' Post Office 
codes. (They probably got them from trashing?) The judge said: 
"some take to heroin, some take to telephones" for them phone 
phreaking was not a crime but a hobby to be shared with fellow 
enthusiasts and discussed with the Post Office openly over dinner 
and by mail. Their approach and attitude to the worlds largest 
computer, the global telephone system, was that of scientist s 
conducting experiments or programmers and engineers testing 
programs and systems. The judge appeared to agree, and even asked 
them for phreaking codes to use from his local exchange!!!












































_______________________________________________________________________
                       M & M Enterprises
