         -----------------------------------------------------------

                              Blueboxing in '94

                             (C5 for the masses)

                             by Maelstrom/PHaTE!

         -----------------------------------------------------------
taken from CoTNo issue 4

Well, I've been promising DeadKat an article since COTNO #1, and was
searching frantically for a subject that I could write a useful/informative
article on...having failed dismally in my quest, I decided to turn my
attention to a beginner's guide to present day blueboxing. This article will
only deal with the practical uses of CCITT 5 (C5) signalling systems, and
NOT with the more advanced systems such as R2. Becoming familiar with C5
signalling will provide you with a good grounding in blueboxing, therefore
making understanding a guide on a future system easier. And so to the main
text...

"You just blast 2600Hz, right?"

No. All too often when blueboxing is mentioned in the context of actually
doing it today, some dolt pipes up with this. Treasure your old Mark Tabas
files, for they contain some excellent information even today, especially
concerning routing codes, but forget all about the R1 signalling described
within his 'Better Homes and Blueboxing' guide. The system we are concerned
with today is C5, so swiftly clear the limited space available in your mind.
The first point I would like to make is that you will NOT be seizing trunks
within your own country. The focus of your attentions will be those 1-800
wonders known as 'Country Direct' numbers, which will connect you to the
telephone system of some far-off nation for the princely sum of $0.00. While
these are certainly not the only countries you should experiment with, South
American and Asian countries are usually the best bet for a C5 connection
that you can seize. From nearly all European locations it is possible to
bluebox over Chile for example, and lines to Colombia, the Philippines,
Taiwan and Thailand are also often C5 connections to your country. While
these provide a good starting point for your adventures with C5, don't
restrict your attempts to only the aforementioned places...You never know
what you might find...

"So, uhh, what next?"

After dialling a country direct number to a country on C5, you will usually
hear a very audible 'chirp' (some may choose to call it a 'ping' even...)
when the line is picked up. This is the moment to start sending the tones
required to manipulate the line for your purposes. A few countries using C5
may not give you a 'chirp' when your call is connected, but when the call is
disconnected. Before you can start to signal your call, you will need to
'seize a trunk'. To do this you send a compound signal of 2600Hz and 2400Hz
for approx. 150-450ms. On sending this signal the line should respond with a
sound similar to the one you heard when your call to the country direct was
completed. Next you send a 2400Hz signal, usually for approximately the same
length of time as the first compound signal. The delay between these two
tones is often crucial, so experimentation is essential. There are no
concrete rules for seizing a C5 line, although I usually use 150ms length
for both tones as a starting point. If playing the first tone leads to
immediate disconnection then decrease the length of the tone - if the
opposite is the case, and the line ignores your first signal, then increase
its length (personally I use steps of 10ms but feel free to jump up 50ms if
you feel the urge). BillSF of HackTic Holland informs me that newer C5
systems nearly always require timings of 150ms per signal +/-20ms, and with
an inter-signal delay of 10/20ms, and I have also found this to be true.
When you have successfully gained control of the line, you will have by this
time heard two acknowledgements from the line, one per signal sent. At this
point you are ready to begin signalling your call. The first digit you must
dial is the KP1 or KP2 signal. This determines that the call is either
terminal (local), or transit (international) respectively. An international
call is usually what we want, so we send the following dialstring:
KP2+countrycode+0+acn+ST, where 'acn' is the area code and number. For
example, if we wanted to dial the Colorado office of the Secret Service, we
would send KP2+103038661010+ST. If we
wanted to place a call to a number in a European country then the dialing
format is identical. This is the correct dialing format in accordance with
all the technical CCITT 5 texts I have read, but not always the correct
method in practice. Macao (country code 853) was long known to be breakable
from the United Kingdom before anyone figured out that the correct routing
was KP2+00+countrycode+number+ST, so again the key word is experiment. Not
all countries will 'play fair' in terms of their accepted routings. To place
a call to within the country you are calling couldn't be simpler however.
The correct format is KP1+0+number+ST, and I have never found any nation
deviating from this template. One interesting route to note at this point is
KP1+2+Code11+ST (see freq. list for Code11), which will nearly always
connect you with the inward operator in the country whose country direct
number you have dialled. Lots of interesting information may be gleaned from
a conversation with these operators, such as correct routings, and most
operators are more than willing to furnish you with the routings for their
technical assistance/engineering departments, who will further assist you,
often to the point of telling you the exact timings you require. Remember
that their equipment is telling them that you are an operator, so feel free
to spin any suitable yarn about testing international connections etc., and
also bear in mind that in 99% of cases the operator's limited grasp of the
English language is in your favour. Also, be prepared to try other digits in
place of 0 between ccode and number in the dialstring for a transit call.
KP2+ccode+2+number+ST will usually work for example, and in some cases is
the only way to route the call (the country direct to Taiwan from the UK was
a good example of this). The digits 0,1,2 and 9 are the only ones I have
found to be acceptable in this way, but I wouldn't discount the possibility
of being able to use others over some nations.

"It doesn't work?"

Then you're doing something wrong. Not all countries will allow you to place
transit calls over their lines so if you really have experimented with that
line and had little or no success then move on, there's no real shortage of
country direct numbers on C5... You might want to try sending a short burst
of 2400Hz prior to breaking/seizing the trunk to 'free' the transit
lines. I have found this to be necessary on the country directs from the UK
to Brazil and French Guiana in order to place a transit call successfully.
Another thing to bear in mind is the fact that the country you are trying to
(ab)use may only call: a) Countries in close proximity, and/or b) One or two
countrycodes. This is true of certain lines in Canada, and also of most
South American C5 links to the UK. Trial and error is the only way to
establish if this is the case on any given dialup.

"D3Y M0Ni+0R D3 LiN3Z" & "They have 2600Hz detectors you know..."

Well, what can I say? You never make use of a pure 2600Hz tone, so even if
it IS filtered/detected you don't have to worry. The most obvious way I can
see of being detected blueboxing is to make 10hrs of international calls per
day over whichever 1-800 direct you're using. Very few telcos are going to
ignore 140 calls/day to Guyana Direct per month. Use your common sense to
avoid detection, that's it.

CCITT 5 Signalling frequencies

Digit                           Freqs (Hz)

  1                              700 & 900
  2                              700 & 1100
  3                              900 & 1100
  4                              700 & 1300
  5                              900 & 1300
  6                             1100 & 1300
  7                              700 & 1500
  8                              900 & 1500
  9                             1100 & 1500
  0                             1300 & 1500
 KP1                            1100 & 1700
 KP2                            1300 & 1700
 ST                             1500 & 1700
 C11                             700 & 1700
 C12                             900 & 1700

(These are the C5 signalling frequencies I use nearly every day, so if you
spot an inaccuracy in the above frequency set you are cordially invited to
blend your phallic muscle...)

Now to the timings. All the normal digits (0-9) should be 55ms in length and
have a 55ms delay in accordance with the technical specifications laid out
in the CCITT manuals. However, in practice these timings may be decreased to
as little as 30ms per digit, perhaps even less in exceptional cases. The
command and operator digits (KP1/2, ST, C11/12) are usually 100ms in length,
with the delay the same as that set for the normal digits. Certain
South-American countries that I have (ab)used have required that the command
digits, more specifically the KeyPulse signals and the ST, be much shorter
than this, although usually still with a length longer than that of digits
0-9.
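The detectors section above makes the point that a monitor keyed on a pure 2600Hz tone never sees this signalling; to flag operator signalling arriving on a subscriber-side country direct line, a monitor has to decode the compound line signals and the MF register pairs from the frequency list above. The following decoder is an added example, not part of the original article: it assumes 8 kHz PCM samples in the range -1..1, 20 ms Goertzel analysis frames, and takes the line-signal names from the CCITT No.5 line-signal table (there, the article's two-step 'seize' is clear-forward followed by seize). The test audio is constructed inline at the article's nominal timings.

```python
import math
SAMPLE_RATE = 8000                   # assumed: 8 kHz telephony PCM, samples in -1..1
FRAME = 160                          # 20 ms frame -> 50 Hz bins; every C5 tone sits on a bin
MF_FREQS = (700, 900, 1100, 1300, 1500, 1700)
LINE_FREQS = (2400, 2600)
C5_SYMBOLS = {                       # register pairs from the article's frequency list
    (700, 900): "1", (700, 1100): "2", (900, 1100): "3", (700, 1300): "4",
    (900, 1300): "5", (1100, 1300): "6", (700, 1500): "7", (900, 1500): "8",
    (1100, 1500): "9", (1300, 1500): "0", (1100, 1700): "KP1", (1300, 1700): "KP2",
    (1500, 1700): "ST", (700, 1700): "C11", (900, 1700): "C12",
    # line signals named per the CCITT No.5 table (assumed): compound = clear-forward
    (2400, 2600): "CLEAR-FWD", (2400,): "SEIZE",
}

def goertzel_power(samples, freq):   # unnormalised |X[k]|^2 of one bin (Goertzel)
    k = round(len(samples) * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / len(samples))
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def classify_frame(samples, rel=0.1, floor=1.0):
    """Return the C5 symbol whose tone set is present in this frame, else None."""
    power = {f: goertzel_power(samples, f) for f in MF_FREQS + LINE_FREQS}
    peak = max(power.values())
    if peak < floor: return None     # silence, or far too quiet to be signalling
    present = tuple(f for f in MF_FREQS + LINE_FREQS if power[f] > rel * peak)
    return C5_SYMBOLS.get(present)   # a lone 2600 Hz, or any other set, maps to None

def decode(audio):
    """Emit each symbol once per burst; a silent frame between bursts separates repeats."""
    symbols, last = [], None
    for i in range(0, len(audio) - FRAME + 1, FRAME):
        sym = classify_frame(audio[i:i + FRAME])
        if sym is not None and sym != last:
            symbols.append(sym)
        last = sym
    return symbols

def burst(freqs, ms, amp=0.5):       # constructed test audio: given tones (none = silence)
    n = SAMPLE_RATE * ms // 1000
    return [sum(amp * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]

def constructed_line_signalling():   # clear-fwd, 20 ms gap, seize, pause, then KP2 1 ST
    pcm = burst(LINE_FREQS, 150) + burst((), 20) + burst((2400,), 150) + burst((), 200)
    for pair, ms in (((1300, 1700), 100), ((700, 900), 55), ((1500, 1700), 100)):
        pcm += burst(pair, ms) + burst((), 55)   # 55 ms inter-digit gap as in the text
    return pcm
```

Pure tones that do not form a known pair (a 2600Hz tone on its own, for instance) decode to nothing, which is exactly why a monitor needs the full table rather than a single-frequency filter.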

End note.

That's all folks. If you don't know how to produce these tones then you
shouldn't really be reading this - go read your SimCity 2k docs... If anyone
has any questions regarding anything contained in the above text, or indeed
any C5 queries, you can mail me at: mael@phantom.com or if you're lucky you
can catch me on IRC in #phreak. If there's any interest I might even write a
sequel to this rather hurried guide...

QUICK NOTE
     The author of this article is Scottish, and as such I have used
     correct English spellings rather than the American versions...8)...
DEDICATION
     This article is dedicated to Coaxial/PHaTE, who has had a rather torrid
     time of it lately (legally...). Good luck and I hope everything works
     out for you.

-Maelstrom/PHaTE

