______ _____ _____ ___.-___ __ _____ _____ ______ _) _Y _Y _Y (__) | _Y __Y _Y (_ \_ | \_ | \_ l_\_ _/\_ \_ _/\_ l_\_ | _/ | | | | | | l | | | l | | | | | l__| l_____l__| l__ l__| l__ l__| l__| | `--' `--' `--' `--' `--' ______ _____ ___.-______ _____ _____ _) ._ Y_ _Y (__) _Y _Y __| \_ |/ / | \_ | \_ | \_ |_\_ _/_ | __/ . | l | . | l | l | l__| l__| l__ l__| l__ l__ | 2F `--' `--' `--' `--' `--' 5nds Ringdown loaded with AMIGA/ASCII/CONSOLE/C64/MAC 4040 26mb 9.5gb cd-rom 3/33.6ds 2/ISDN 3/TELNET * TRISTAR AND RED SECTOR INC. HQ * MELON DEZIGN WHQ * * TRSI RECORDZ DKHQ * AFTERSHOCK HQ * HOODLUM DK HQ * * MOT!ON HQ * ROYAL WHQ * TRADERS DREAM HQ * STYLE HQ * * LSD HQ * LIGHTFORCE HQ * POLKA BROS. WHQ * PUZZLE WHQ * * KEFRENS WHQ * SAVE OUR SOULS HQ * X-TREK WHQ * OLDSKOOL HQ * * 5TH DYNASTY HQ * TWILIGHT * LOOKER HOUSE EHQ * RAMJAM EHQ * * CRUX & BAD KARMA HQ * CPU HQ * ABUSE HQ * OMA HQ * THE PROTECTORS ARE: ZINKO^PLAYMATE^SISko^BILBO BAGGIn^NEIL/FLT^BLACK PANTHER/PSG UFOK/MsT^LsD^PsG^iHS^FURY/PSG/M!^SON DOOBIE^KELDON/HF/LFC <0> +45 58ASK4IT <0> <0> +FIND ON IRC <0> __. _____ _____ _____ _____ _) | _____ _( ___/_ _. _\__ )_ _( ___/_ _( ___/ | _( ___/ | . _( |__ / ._/)_ | . . __)__. |____. __)__. | | __/ . -| . | | | | | ` l_ | | ` l_ |____| | l_ | ` l_ | ` l_____ / ` l_____ / ` l____| / |_____ / l_____ /---l____/_____ /---l____/_____ /---l____/____|----l____/ ©dtA!____/ - - -----l____/ - - -----l____/ ______ _____ _____ ___. .___ _\__ /_ _____ _\__ )_ _\__ )_ _____ _) |.| (_ | _\__ )_ / ._/)_ | . _\__ )_ . ||| . . / . -| . | | / . | ||| | | l_ -| | l_ | ` l_ -| | `|' l____| / | l____| / |_____ / | l_ l_____| /---l____/____| /---l____/____|----l____/____| / l_____/ - - -----l____/ - - -----l____/ .------------------------------------------------. | tHIS fILE aRRiVED hERE aT 02:30:05 oN 01-Feb-:0| `------------------------------------------------' @BEGIN_FILE_ID.DIZ _______ __________ ________ / /\ / /\ / /\ / / / // /_____/ // ______/ / ____/ _/ / // / / //_____ / / / / // / // / / \_________/ //_________/ //_______/ / \________\/.\_________\/.\_______\/ n 809 Guide To Blue Boxing from the US in 99 By Dynamics/809 @END_FILE_ID.DIZ >>---------------------------------------------------------------------------<< >> BrUtAl CoNfLiCt +64-PRI-VATE BrUtAl CoNfLiCt << >>---------------------------------------------------------------------------<< · :................. .. . : tHe CrEw: __ . ..:.:__ __ :.. / /_ ____ __ _ : / /_ ____ / / :.:... . ReD^BlAdE _/ __ \_ _/ _/_\ \ˇ \_ _/ __/__ __\__ \_ _/ | ... NyNeX pHrEaK ˇ `) ˇ |ˇ (! ˇ `) ˇ (' ˇ | · : `--------^----'`--------^--------^--------^----' : : ..:.. . __ . · __ ____ ____ : ____ _______ / / __ ____ ·L / /_ _/ __/__ _/ __ \_ _/ __ \_ _\ ___/_/ |_\´_ _/ __/__ _/ __/__ ˇ `) ˇ (' ˇ |) ˇ _/ ˇ | ˇ `) ˇ `) ˇ `--------^--------^---!____!----' `----^----^--------^--------' CCiTT xx . ..: :............. ... .. : :. .. >>---------------------------------------------------------------------------<< >> BrUtAl CoNfLiCt +64-PRI-VATE BrUtAl CoNfLiCt << >>---------------------------------------------------------------------------<< ..:::::::::::.. ______ _____ ______ ,;:::::::::::::::::;, /||__||\----|::_::|--|:: _::| ;:::::::::::::::::::::; /::|__|__\___|_|_|:|__|__|_|_| ;::::;;;;;;''-;;::::::::; \ / ____/ / /|/ / _ / \ ;:::;;;'' 'O' ';::::::::; \_\___ / X / /_/ / _ / X | ;;;;;'O' , ';:::::::::. /______/_ /_____/_/ /_/_____/ ;;;, /' ,',-'''-';;:; /::|__|::\\ \|_|_|:|-----/:/ ;;::::;-,,-;'; ;; \......../ \../.$.$|----/./ ,;;:::::::::::; , , '. ...::$$[The 809 Squad]$$::... ,;::::::::::::; ' , , '. ,;;::::::::::; ' , , ', .,,,--,,, .[Members] ;;::::::::::; ; ' / ' ,' , .[NynexPhreak]..$$[p1mp ';;:::::::: / '; '; , , .[Dynamics] ..$$[809k1ng ,,,---''''''----;,',,; ;', ,' , .[Red^Blade] ..$$[l00z3r ''') ,-'''-,__ , ; '-,, ,' , .[Michella] ..$$[ph0n3 slut \/' '''''-, ; ,,',,,,' , Calling local? / / ../' ; ,' ; Why not box global? ; ,-' ; , .' - THE 809 SQUAD - , /' ,,' .' _.;__;_________, ,___________, http://www.809.cjb.net /-------------------------------------------------------\ 8-0-9 MCI PHEER PHACTOR 809 INTERNATIONAL COMMUNICATIONS PRESENTS.... \-------------------------------------------------------/ greetz to: Telegroup Baltic Call Card,MCI,Cable&Wireless Barclays Offshore Banking,International Data Proc(Nevis) Trinidad & Tobago Tourism and Codetel (Dominican Rep) more greetz to: Redblade, GPI, _dave, Psyclone, Pathogen809, Kuji, Polymorph, hybrid, Shadow, [JaSuN], jaqu, michella ;) --------------------------------------------------------- BLUEBOXING FROM THE U.S IS POSSIBLE, AND THIS IS '99 Version 1.0beta --------------------------------------------------------- @begin_file_id.diz ______ _____ ______ /||__||\----|::_::|--|:: _::| /::|__|__\___|_|_|:|__|__|_|_| \ / ____/ / /|/ / _ / \ \_\___ / X / /_/ / _ / X | /______/_ /_____/_/ /_/_____/ /::|__|::\\ \|_|_|:|-----/:/ \......../ \../.$.$|----/./ ...::$$[The 809 Squad]$$::... Blueboxing From USA in 99. By Dynamics/809 squad. www.809.cjb.net@end_file_id.diz "lOsEnTiMoS! es de nUmErO nO eSt a iN serfisios, pOr fAvOrE pEr eFiCiO eT tRaPo eNuEbO - CODETEL" BACKGROUND ========== Now, a long time ago, and to some extent nowadays, system R1 was the system that linked the US. It used a single frequency 2600hz tone for controlling the status of trunks, using a tone-on (free) and a tone-off (in use) system. It used interregister signals comprised of MF (multifrequency) tones which were compound tones and were used to route calls between trunk exchanges. It was a pretty basic system, and can be found in some VERY remote parts of the US/Canada, and is used to some extent in the Caribbean region. It may be found in other parts of the world too, especially in poorer countries, and in some parts of Eastern Europe. I heard from a friend that Italy uses R1 as the signalling system in some rural towns. A similar system is used by the French, called Socotel, which uses MF and single frequency tones. The UK once used a single freqency system, CCITT 3, although every digit was prefixed with a Code14 while routing. People used to bluebox the R1 system, by sending the 2600hz tone to tell the trunk the call had hung up, when in fact it hadn't meaning that they had an open trunk to dial out of using the MF dialset. This is theoretically achievable, but the US is mainly SS7, and muting of forward audio can be a problem. This is NOT the system this guide will describe. I aim to inform the reader how blueboxing FROM the U.S is achievable using international toll-free numbers, which are toll-free numbers that terminate in foreign countries. The main set of numbers being used in this guide will be the HOME COUNTRY DIRECT numbers, and are used for collect calls by tourists of these countries to call home, and for calling card services. CCITT SYSTEM No. 5 - KNOW THY ADVERSARY! ======================================== CCITT System No. 5, was specified in 1964 by the CCITT for use as an intercontinental signalling system - to link continents. The first application of CCITT5 (C5), was in the TAT-1 system, that linked the United Kingdom with the U.S. It is similar to R1 in many ways: a) It has a near identical dialset. b) It uses INBAND (within the band of the phone line) tones for control. This is what makes it blueboxable. c) Routing using C5 is the same as routing with R1, except that there is a new signal with C5, Kp2 (transit KP). In short, CCITT 5 could be described as: International R1, although that is really only a rather tongue-in-cheek definition as 'R' stands for "regional" anyway, meaning it's a contradiction... CCITT 5 is used on cable, satellite, microwave and radio connections world-wide. It would be fair to say that just under half the world uses this system, because it is used extensively by a large number of countries. Unfortunately, most developed countries are mostly digitally switched, using system 7/SS7/CCIS7. Thankfully, AT&T/MCI/SPRINT and other carriers have devised a system whereby people in other countries can get US toll-free numbers. These numbers terminate in these countries, and many foreign telcos have developed Home Country Direct services for their citizens to call home from the US at cheaper rates. As said before, many countries use CCITT 5 as their international switching system. Therefore a new type of blueboxing has arisen, blueboxing home directs on CCITT 5 is the GLOBAL blueboxing method. CCITT 5 CONTROL TONES AND DIALSET ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Dialset: - Digits 0 - 9 - Control tones, Code11, Code12, Kp1, Kp2, ST Forward Trunk Tones: - Clear Forward/Ahead --> 2600hz+2400hz - Seize --> 2400hz This is how a call is set up using CCITT 5.... STEP 1 YOU------------------LOCAL C.O--------------INT GATEWAY-1 Dial number using------>Digits translated------>Digital routing DTMF digits to digital routing translated, you are 011 505 864 444 "0110110101010" calling a C5 connection therefore translated to MF digits.... Kp2-505-1-864444-ST STEP 2 ------------------INT GATEWAY-2----------------LOCAL C.O--------HIM MF tones sent--->MF translated to------------->Call setup------>Answer dialset for that country Kp1 - Terminal Kp (i.e calls inside the called country) Kp2 - Transit Kp (international calls from that country) In CCITT 5, address information is comprised: -* LOCAL/NATIONAL IN THE TERMINATING COUNTRY: Kp1-dd-ac-number-ST "Key Pulse One, discriminating digit, area code, number, Start" -* TRANSIT INTERNATIONAL CALLS FROM THE COUNTRY: Kp2-cc-dd-ac-number-ST "Key Pulse Two, country code, discriminating digit, area code, number Start" ac ---> area code (NPA) of the place your calling cc ---> country code dd ---> descriminating digit tells the trunk HOW to route Descriminating Digits... CABLE - 0 SATELLITE - 1 OPERATOR - 2 MIL - 3 MICROWAVE/RADIO - 9 The signalling is sent as: It is assumed that this communication is purely between gateways, and leaves the subscriber out of the picture.... ]U.S[ ]Nicaragua[ OUTGOING INT GATEWAY----------------------------INCOMING INT GATEWAY [ DMS / 5ESS ] | [DMS / ESS / XBAR ] | seizure f1 | |--------------------------->| | proceed-to-send f2 | |<---------------------------| | address info (MF) | |--------------------------->|-TRANSLATED AND ROUTED | answer f1 | |<---------------------------| | acknowledgement f1 | |--------------------------->| | | | S P E E C H | | | | clear back f2 | |<---------------------------| | acknowledgement f1 | |--------------------------->| | clear forward f1/f2 | |--------------------------->| | release guard f1/f2 | |<---------------------------| | | In short, blueboxing is simply emulating the tones that are used to hang-up the call to an extent that the call you are on will clear but the equipment back home will think you are still online to the 800 number you called. This means you now have an open trunk to play with and route as you wish.... So... In order to bluebox a call, for example: "BUZZZZZZZ....WOO...WOO....WOO...PLEEP! PLEEP! "Aloha Nicaragua..." SEND CLEAR FORWARD (2600hz+2400hz) PLEEP! SEND SEIZE (2400hz) ROUTE CALL In some cases, it will pleep after the Clear Forward and again after the Seize. In other cases, it will make a double-pleep after sending of the two tones. As for generating the tones... If you have a PC, then I'd recommend using TLO (THE LITTLE OPERATOR), Bluebeep, or Bluedial. As for Amiga users, a friend of mine recommends Arested Dialer Workshop or The Dialer. A typical set of tones for seizing a trunk would be: TONE1 TONE2 DUR DEL CLR FRW 2600 2400 180 50 SEIZE 2400 2400 200 -- In some cases, a GUARD TONE, is required. The guard tone is a device used in the filtering process and is supposed to make signalling more acurate and minimise false release. The guard tone may be added to the Clear Forward and Seize or played at the end or beginning of the sequence. SOME GUARD TONES: 2100hz, 280hz, 1800hz, 500hz, 210hz, 440hz, 3900hz Of those, the 2100hz is the most popular. Bear in mind that the use of some guard tones can result in interesting "function seizes" these are seizes that have a function, such as, resetting all trunks, or dropping you onto special control and verification trunks (see the 809 doc on verification)... A working example of this is the NICARAGUA DIRECT seize (from UK): TONE1 TONE2 GUARD DUR DEL CLR FRW 2600 2400 2100 130 800 SEIZE 2400 2100 330 --- Although blueboxing this one a lot is _not_ reccomended as the reason why the that seize is still functional, even after a file written about 2 years ago on the subject, is that British Telecom (BT) monitor the line in conjunction with Nicaragua Telecom in order to catch blueboxers, :( COUNTRY DIRECT NUMBERS ====================== Why not try out your new found knowledge on these....? Note that most of these will probably be SS7 switched, but an inband trunk is always indentifiable by the PLEEP made on answer and/or hangup. On occasions this may be a click, but the general rule is that a pleep is made. I didn't scan these myself, and therefore I can only speculate as to what switching system these use... Guess: Australia Direct 800-682-2878 SS7 Austria Direct 800-624-0043 SS7 Belgium Direct 800-472-0032 SS7 Belize Direct 800-235-1154 C5/SS7 Bermuda Direct 800-232-2067 C5/SS7 Brazil Direct 800-344-1055 C5/SS7/C4-R2 British VI Direct 800-248-6585 SS7/C5 Cayman Direct 800-852-3653 SS7 Chile Direct 800-552-0056 C5/SS7/SS7-R2 China Direct 800-532-4462 C5 or in RARE occasions SS7 Costa Rica Direct 800-252-5114 C5/SS7/C4-R2 Denmark Direct 800-762-0045 SS7 El Salvador Direct 800-422-2425 C5 Finland Direct 800-232-0358 SS7 France Direct 800-537-2623 SS7 Germany Direct 800-292-0049 SS7 Greece Direct 800-443-5527 C5/SS7 Guam Direct 800-367-4826 SS7 HK Direct 800-992-2323 SS7 Hungary Direct 800-352-9469 C5/SS7/C4-R2 Indonesia Direct 800-242-4757 C5 (IndoSAT) SS7/C5 (Satelindo) Ireland Direct 800-562-6262 SS7 Italy Direct 800-543-7662 SS7 Japan Direct 800-543-0051 SS7 Korea Direct 800-822-8256 SS7 Macau Direct 800-622-2821 SS7/C5 Malasia Direct 800-772-7369 SS7/C5 Netherlands Direct 800-432-0031 SS7 Norway Direct 800-292-0047 SS7 New Zealand Direct 800-248-0064 SS7 Portugal Direct 800-822-2776 C5 Panama Direct 800-872-6106 SS7 Philippines Direct 800-336-7445 C5/SS7 Singapore Direct 800-822-6588 C5/SS7 Spain Direct 800-247-7246 C4-R2/SS7/C5 Sweden Direct 800-345-0046 SS7 you can find C5 :) Taiwan Direct 800-626-0979 SS7/C5 Thailand Direct 800-342-0066 SS7/C5 Turkey Direct 800-828-2646 SS7/C5/R2-C4 UK Direct 800-445-5667 SS7 :( Uruguay Direct 800-245-8411 SS7 :( "WTF??? SS7? Uruguay?!" Yugoslavia Direct 800-367-9841/9842 C4-R2/C5/SS7 The guesses I made are based on what the home directs are from the UK and other countries where we have contacts in. The UK is a bit of an exception, because BT generally select the SS7 routes due to the "fraud" that goes on via C5 lines... Some of the HCDs I checked myself. China is an excellent example of this. From nearly every country, China is C5, because C5 is the main signalling system used. BUT the BT 0800 to China is SS7. The reason behind this is that BT had problems with "fraud" via China, most probably. They most probably pay a premium price for the SS7 trunks in China... As for the "xxx-R2" notation, that means that it may be R2 (digital or analogue out-band [3825hz]). Because R2 is a REGIONAL system, it needs to be interworked with an INTERCONTINENTAL system, and if the R2 is analogue-switched-R2, then it is generally interworked with C4/C5/SS7. R2 is complex, and it really needs another file to explain. In short, it can be signalled using up to 6 different methods, broadly either digital, analogue outband or on occasions hybrid-C4 connections using some CCITT 4 tones. I really recommend reading the CCITT-4 and R2 manuals to get a better idea of these systems. [check www.echelon1.cjb.net -> see FILEBASE] CONCLUSION ========== This guide is by no means the definitive guide to this method of blueboxing. I hope that it has given you a basic grounding in this and has got you to do some experimenting. The best way of getting into this is by experimentation and by pooling knowledge with other blueboxers. This method is pretty new to a lot of you in the U.S, and I hope that this doc will better inform you of this. dynamics -=809=- 07/12/1999 17:52 (UK TIME) "tHaNk-yOu, aNd gOoDbYe!....PLEEP" ...]mAnIc tElEcoM pEoPlE iNtErCePt bOxEd cAll: ...]"wE sTill rEcIevE an ack. tOne fRoM tHe gAtEway" ...]"hEllo?" ...]"(tHeY rEaLiSe tHaT wE kNoW...) Aaaah! PLEEP PLEEP" >>---------------------------------------------------------------------------<< >> BrUtAl CoNfLiCt +64-6-BoX-tOiT BrUtAl CoNfLiCt << >>---------------------------------------------------------------------------<< · :................. .. . : tHe CrEw: __ . ..:.:__ __ :.. / /_ ____ __ _ : / /_ ____ / / :.:... . ReD^BlAdE _/ __ \_ _/ _/_\ \ˇ \_ _/ __/__ __\__ \_ _/ | ... NyNeX pHrEaK ˇ `) ˇ |ˇ (! ˇ `) ˇ (' ˇ | · : `--------^----'`--------^--------^--------^----' : : ..:.. . __ . · __ ____ ____ : ____ _______ / / __ ____ ·L / /_ _/ __/__ _/ __ \_ _/ __ \_ _\ ___/_/ |_\´_ _/ __/__ _/ __/__ ˇ `) ˇ (' ˇ |) ˇ _/ ˇ | ˇ `) ˇ `) ˇ `--------^--------^---!____!----' `----^----^--------^--------' CCiTT xx . ..: :............. ... .. : :. .. >>---------------------------------------------------------------------------<< >> BrUtAl CoNfLiCt +64-6-BoX-tOiT BrUtAl CoNfLiCt << >>---------------------------------------------------------------------------<< ___ : _____________ ____________ _/ /________ __ ______ |(_ ____\_ /(_ _____ _/ \_ __/\_ _ \(__)\_ _/---------------------| |/ __)_/ /\/ _)_/ / \/ / \/ / /| |/ / \ A1200^O3O^22MB-RAM| / / / / \_ / / / / / _ \| / / \ 3.6GIG-ONLINE^2NODE| \___ /\_______/__ \______\______\__/ \__\______/ USR^COURIER^V90| | \__/ \__/ /______/ | | _____._ _____ ____________ __ ____________ | | MADcAP:AXL \_ /| \\___ \ \_ _ \_ _ \(__)\_ _ /\_ _ \ | |MaNaGEMENT:NEXUS2 / /\| / | \/ / / / /| |/ | \/ / / | | / / _ / _ \ _ \| / | / _ \ | |------------------------\___/\__\___| \__/ \_/ \_ \_____\__/ \_-| |___|/______/_____/_| ˝GoTE­/______/ [AˇRaDDer v3.4 By AˇRcř] ÷ n O R T H E R N p A L A C E ÷ ________ _______ ________ ____ ______ _______ _______ ________ ____\_ // _ \\_ // |_ ___| //_ //_ /_\_ / \ / / / _/ / _/ _| /____/ _/ / / / /____/______\_________\ _____\_____|____\. _________\ _______/______\ \/ cDr|_____|m's \/ ________ _______ _______ _______ ______ _______ ____\_ // _ \\ // _ \\ _//_ /____ \ /____/ ./ / ./ \ /____/ / /_______|_______|_______________|_______________________\ A4040/26mB/9.5gB/cD-rOM/3x33.6dS/2xiSDN/tELNET/aMIGA/aSCII/cONSOLE/mAC tRISTAR aND rED sECTOR INC. HQ ÷ mELON dEZIGN wHQ tRSI rECORDZ hQ ÷ aFTERSHOCK hQ ÷ hOODLUM hQ ÷ mOT!ON hQ ÷ rOYAL wHQ tRADERS dREAM hQ ÷ sTYLE hQ ÷ lSD hQ ÷ 5tH dYNASTY hQ ÷ aBUSE hQ x-TREK wHQ ÷ oLDSKOOL hQ ÷ rAMjAM eHQ ÷ tWILIGHT hQ ÷ oMA hQ pOLKA bROS. wHQ ÷ pUZZLE wHQ ÷ kEFRENS wHQ ÷ lOOKER hOUSE eHQ rOYAL MAC SCHQ ÷ cRUX & bAD kARMA hQ ÷ lIGHTFORCE hQ cPU hQ ÷ sAVE oUR sOULS hQ zINKO/pLAYMATE/sISKO/bILBO bAGGINS/bLACK pANTHER/uFOK/fURY/kELDOn 3 nODEZ rINGDOWN / tELNET aVAILABLE / aSK 4 nUMBERS!