people by what they say and think, not what they look like. My crime is that of outsmarting
you, something that you will never forgive me for. I am a hacker, and this is my manifesto.
You may stop this individual, but you can't stop us all... after all, we're all alike.
+++The Mentor+++
May the members of the phreak community never forget his words -JR
76. The Myth of the 2600hz Detector by The Jolly Roger
Just about everyone I talk to these days about ESS seems to be scared witless about the
2600hz detector. I don't know who thought this one up, but it simply does not exist. So
many of you people whine about this so-called phreak catching device for no reason.
Someone with AT&T said they had it to catch phreakers. This was just to scare the blue-
boxers enough to make them quit boxing free calls. I'm not saying ESS is without its hang-
ups, either. One thing that ESS can detect readily is the kick-back that the trunk
circuitry sends back to the ESS machine when your little 2600hz tone resets the toll
trunk. After an ESS detects a kickback it turns an M-F detector on and records any M-F
tones transmitted.
Defeating the kick-back detector
As mentioned in my previous note, kick-back detection can be a serious nuisance to anyone
interested in gaining control of a trunk line. The easiest way to by-pass this detection
circuitry is not really by-passing it at all, it is just letting the kick-back get detected on
some other line. This other line is your local MCI, sprint, or other long distance carrier
(except AT&T). The only catch is that the service you use must not disconnect the line
when you hit the 2600hz tone. This is how you do it: call up your local extender, put in the
code, and dial a number in the 601 area code and the 644 exchange. Lots of other
exchanges work across the country, I'm sure, but this is the only one that I have found so
far. Anyway, when it starts ringing, simply hit 2600Hz and you'll hear the kick-back (ka-chirp, or
whatever). Then you are ready to dial whoever you want (conferences, inward, route and rate,
overseas, etc.) from the trunk line in operator tones! Since blowing 2600Hz doesn't make you a
phreaker until the toll equipment resets the line, kickback detection is the method AT&T chooses
(for now). This information comes as a result of my experiments and experience and has been
verified by local AT&T employees I have as acquaintances. They could only say that this is true
for my area, but were pretty sure that the same idea is implemented across the country.
Now that you know how to access a trunk line or as operators say a loop, I will tell you the
many things you can do with it. Here is a list of AT&T services accessible to you by using a
blue box.
A/C+101 TOLL SWITCHING
A/C+121 INWARD OPERATOR
A/C+131 INFORMATION
A/C+141 ROUTE & RATE OP.
A/C+11501 MOBILE OPERATOR
A/C+11521 MOBILE OPERATOR
Starting conferences:
This is one of the most useful attributes of blue boxing. Now the confs. are up 24 hours/day
and 7 days/week and the billing lines are being billed. Since I believe the above is true
(about the billing lines being billed) I would recommend that you never let your number
show up on the conf. If you started it, put it on a loop and then call the loop. Enough
bullshit!!! To start the conf., dial one of these three numbers in M-F while you are on the
trunk.
213+080+XXXX
XXXX=1050,3050
SPECIAL XXXX=1000,1100,1200,1500,2200,2500.
These numbers are in LA and are the most watched; I do not advise using this NPA.
312+001+1050 OR 3050
914+042+1050 OR 1100,1200 ETC.
I believe only 914 works at the moment.
Once connected with one of these you will either hear a re-order, busy, or chirp. When you
hear the chirp enter the billing line in M-F. I use the conf. dial-up. A billing line example:
kp312+001+1050st. You will then hear two tutes and a recording asking you for the number
of conferees including yourself. Enter a number between 20 and 30. If you ever get over
30 people on a conference all you will hear is jumbled voices. After it says "your
conference size is xx" then hit the pound (#) sign. Add your favorite loop on and hit 6 to
transfer control to it. After it says control will be transferred, hang up and call the other
side of the loop, hit the pound sign (#) and follow the instructions. A bonus for a conf. is to
add an international number: dial 1+011+cc+number. Pretty cool, ehhh. A few extra notes. Do
not add numbers that you will want to hang up; add these through MCI or Sprint. You
cannot blow anyone off with 2600hz unless they are in an old x-bar or older system. Many
DA operators will stay on after you abuse them; you may have to start another or at least
don't say any numbers. Never add the tone side of a loop onto a conf. Never add more than
one MCI node on your conf.
Route & rate:
Note that route & rate and RQS perform the same service. R&R simply tells you route and rate
info, which is very valuable, e.g. the inward routing for an exchange in an area code.
An inward routing will let you call her and she can do an emergency interrupt for you. She
can tell you how to get international operators, etc. Here are the terms you are required
to use:
International:
-Operator route for [country, city].    -gives you inward op.
-Directory route for [country, city].   -gives you directory ass.
-City route for [country, city].        -gives you country and city code.
-Operator route for [a/c]+[exchange]    -gives you inward op. route, ex. [a/c]+ or [a/c]+0xx+
                                         (when she says plus she means plus 121).
-Numbers route for [state, city]        -gives you a/c.
-Place name [a/c]+[exchange]            -gives you city/state for that a/c and exchange.
International calls:
To call international over cable simply access a trunk and dial kp011xxxst, wait for sender
tone, then kpxxxcc-numberst. xxx - a 3 digit country code; it may not be 3 digits, so just put 1
or 2 0's in front of it. cc - is the city code. To go by satellite:
Dial kp18xst (x - numbers 2-8), wait for sender tone, then kpxxxccnumberst.
77. Blue Box by The Jolly Roger
To quote Karl Marx, blue boxing has always been the most noble form of phreaking. As
opposed to such things as using an MCI code to make a free fone call, which is merely
mindless pseudo-phreaking, blue boxing is actual interaction with the Bell System toll
network. It is likewise advisable to be more cautious when blue boxing, but the careful
phreak will not be caught, regardless of what type of switching system he is under. In this
part, I will explain how and why blue boxing works, as well as where. In later parts, I will
give more practical information for blue boxing and routing information. To begin with,
blue boxing is simply communicating with trunks. Trunks must not be confused with
subscriber lines (or "customer loops") which are standard telefone lines. Trunks are those
lines that connect central offices. Now, when trunks are not in use (i.e., idle or "on-hook"
state) they have 2600Hz applied to them. If they are two-way trunks, there is 2600Hz in
both directions. When a trunk IS in use (busy or "off-hook" state), the 2600Hz is removed
from the side that is off-hook. The 2600Hz is therefore known as a supervisory signal,
because it indicates the status of a trunk; on hook (tone) or off-hook (no tone). Note also
that 2600Hz denotes SF (single frequency) signaling and is "in-band." This is very
important. "In-band" means that it is within the band of frequencies that may be
transmitted over normal telefone lines. Other SF signals, such as 3700Hz, are used also.
However, they cannot be carried over the telefone network normally (they are "out-of-band")
and are therefore not able to be taken advantage of as 2600Hz is. Back to trunks.
Let's take a hypothetical phone call. You pick up your fone and dial 1+806-258-1234 (your
good friend in Amarillo, Texas). For ease, we'll assume that you are on #5 Crossbar
switching and not in the 806 area. Your central office (CO) would recognize that 806 is a
foreign NPA, so it would route the call to the toll center that serves you. [For the sake of
accuracy here, and for the more experienced readers, note that the CO in question is a
class 5 with LAMA that uses out-of-band SF supervisory signaling]. Depending on where
you are in the country, the call would leave your toll center (on more trunks) to another
toll center, or office of higher "rank". Then it would be routed to central office 806-258
eventually and the call would be completed.
Illustration
A---CO1-------TC1------TC2----CO2----B
A. . you
CO1.. your central office
TC1.. your toll office.
TC2.. toll office in Amarillo.
CO2.. 806-258 central office.
B.. . your friend (806-258-1234)
In this situation it would be realistic to say that CO2 uses SF in-band (2600Hz) signaling,
while all the others use out-of-band signaling (3700Hz). If you don't understand this,
don't worry. I am pointing this out merely for the sake of accuracy. The point is that while
you are connected to 806-258-1234, all those trunks from YOUR central office (CO1) to
the 806-258 central office (CO2) do *NOT* have 2600Hz on them, indicating to the Bell
equipment that a call is in progress and the trunks are in use. Now let's say you're tired of
talking to your friend in Amarillo, so you send a 2600Hz down the line. This tone travels
down the line to your friend's central office (CO2) where it is detected. However, that CO
thinks that the 2600Hz is originating from Bell equipment, indicating to it that you've
hung up, and thus the trunks are once again idle (with 2600Hz present on them). But
actually, you have not hung up, you have fooled the equipment at your friend's CO into
thinking you have. Thus, it disconnects him and resets the equipment to prepare for the
next call. All this happens very quickly (300-800ms for step-by-step equipment and
150-400ms for other equipment). When you stop sending 2600Hz (after about a second), the
equipment thinks that another call is coming towards it (on hook, no tone --> off hook). Now
that you've stopped sending 2600Hz, several things happen:
-A trunk is seized.
-A "wink" is sent to the CALLING end from the CALLED end indicating that the CALLED
 end (trunk) is not ready to receive digits yet.
-A register is found and attached to the CALLED end of the trunk within about two seconds
 (max).
-A start-dial signal is sent to the CALLING end from the CALLED end indicating that the
 CALLED end is ready to receive digits.
Now, all of this is pretty much transparent to the blue boxer. All he really hears when
these four things happen is a [beep][kerchunk]. In sequence:
Send a 2600Hz
Terminate 2600Hz after 1-2 secs.
[beep][kerchunk]
Once this happens, you are connected to a tandem that is ready to obey your every
command. The next step is to send signaling information in order to place your call. For this
you must simulate the signaling used by operators and automatic toll-dialing equipment for
use on trunks. There are mainly two systems, DP and MF. However, DP went out with the
dinosaurs, so I'll only discuss MF signaling. MF (multi-frequency) signaling is the signaling
used by the majority of the inter- and intra-lata network. It is also used in international
dialing known as the CCITT No. 5 system. MF signals consist of 7 frequencies, beginning
with 700Hz and separated by 200Hz. A different set of two of the 7 frequencies
represent the digits 0 thru 9, plus an additional 5 special keys. The frequencies and uses
are as follows:
Frequencies (Hz)   Domestic   International
700+900            1          1
700+1100           2          2
900+1100           3          3
700+1300           4          4
900+1300           5          5
1100+1300          6          6
700+1500           7          7
900+1500           8          8
1100+1500          9          9
1300+1500          0          0
700+1700           ST3p       Code 1
900+1700           STp        Code 11
1100+1700          KP         KP1
1300+1700          ST2p       KP2
1500+1700          ST         ST
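The M-F detector that the 2600hz-myth section says ESS switches on after a kick-back has to read this table backwards: find which two of the frequencies are on the line and map the pair to a symbol. The following is an added example of mine, not code from the original text; it does that in pure Python with a Goertzel filter per frequency, assumes 8 kHz audio scaled to [-1, 1] and the nominal 60 ms digit timing, and builds its own constructed test recording.

```python
import math

RATE = 8000  # samples per second, the standard telephony rate
MF_FREQS = (700, 900, 1100, 1300, 1500, 1700)
MF_SYMBOLS = {  # tone pairs from the table above (domestic column)
    (700, 900): "1", (700, 1100): "2", (900, 1100): "3", (700, 1300): "4",
    (900, 1300): "5", (1100, 1300): "6", (700, 1500): "7", (900, 1500): "8",
    (1100, 1500): "9", (1300, 1500): "0", (700, 1700): "ST3p", (900, 1700): "STp",
    (1100, 1700): "KP", (1300, 1700): "ST2p", (1500, 1700): "ST",
}

def goertzel_power(samples, freq, rate=RATE):
    """Squared DFT magnitude of one frequency over a block (Goertzel recursion, no FFT needed)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def classify_block(samples, min_power=500.0):
    """MF symbol present in a block, or None for silence or a lone tone (e.g. 2600 Hz supervision)."""
    ranked = sorted(((goertzel_power(samples, f), f) for f in MF_FREQS), reverse=True)
    (p1, f1), (p2, f2) = ranked[0], ranked[1]
    # Both tones of a pair must be present and comparable; min_power suits samples scaled to [-1, 1].
    if p2 < min_power or p2 < 0.2 * p1:
        return None
    return MF_SYMBOLS.get((min(f1, f2), max(f1, f2)))

def decode_mf(samples, window_ms=60, hop_ms=20):
    """Slide a 60 ms window (the nominal digit length) over the audio and report each new symbol once.
    A silent window between digits resets `last`, so repeated digits such as "1 1" are kept apart."""
    win, hop = RATE * window_ms // 1000, RATE * hop_ms // 1000
    symbols, last = [], None
    for start in range(0, len(samples) - win + 1, hop):
        sym = classify_block(samples[start:start + win])
        if sym is not None and sym != last:
            symbols.append(sym)
        last = sym
    return symbols

def tone(freqs, ms, rate=RATE):
    """Constructed test input: summed 0.5-amplitude sine waves at `freqs`, lasting `ms` milliseconds."""
    return [sum(0.5 * math.sin(2 * math.pi * f * n / rate) for f in freqs)
            for n in range(rate * ms // 1000)]

def sample_signal():
    """Constructed recording: KP for 100 ms, then 8, 0, 6, ST at 60 ms each with 60 ms of silence between."""
    sig = tone([1100, 1700], 100)
    for pair in ((900, 1500), (1300, 1500), (1100, 1300), (1500, 1700)):
        sig += tone([], 60) + tone(pair, 60)
    return sig  # decode_mf(sample_signal()) -> ['KP', '8', '0', '6', 'ST']
```

The pair check is what keeps a lone 2600 Hz supervisory tone, or plain silence, from being logged as a digit.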
The timing of all the MF signals is a nominal 60ms, except for KP, which should have a
duration of 100ms. There should also be a 60ms silent period between digits. This is very
flexible, however, and most Bell equipment will accept outrageous timings. In addition to
the standard uses listed above, MF pulsing also has expanded usages known as "expanded
inband signaling" that include such things as coin collect, coin return, ringback, operator
attached, and operator released. KP2, code 11, code 12 and the ST_ps (STart "primes") all
have special uses which will be mentioned only briefly here. To complete a call using a blue
box once seizure of a trunk has been accomplished by sending 2600Hz and pausing for the
register for the digits that follow. For a standard domestic call, the KP would be followed