Blue boxes use a 2600hz tone to size control of telephone switches that use in-band signaling. The caller may then access special switch functions, with the usual purpose of making free long distance phone calls, using the tones provided by the Blue Box.
To quote Karl Marx, blue boxing has always been the most noble form of phreaking. As opposed to such things as using an MCI code to make a free phone call, which is merely mindless pseudo-phreaking, blue boxing is actual interaction with the Bell System toll network. It is likewise advisable to be more cautious when blue boxing, but the careful phreak will not be caught, regardless of what type of switching system he is under.
In this part, I will explain how and why blue boxing works, as well as where. In later parts, I will give more practical information for blue boxing and routing information. To begin with, blue boxing is simply communicating with trunks. Trunks must not be confused with subscriber lines (or “customer loops”) which are standard telephone lines. Trunks are those lines that connect central offices. Now, when trunks are not in use (i.e., idle or “on-hook” state) they have 2600Hz applied to them. If they are two-way trunks, there is 2600Hz in both directions. When a trunk IS in use (busy or “off-hook” state), the 2600Hz is removed from the side that is off-hook. The 2600Hz is therefore known as a supervisory signal, because it indicates the status of a trunk; on hook (tone) or off-hook (no tone). Note also that 2600Hz denoted SF (single frequency) signaling and is “in-band.” This is very important. “In-band” means that is within the band of frequencies that may be transmitted over normal telephone lines. Other SF signals, such as 3700Hz are used also. However, they cannot be carried over the telephone network normally (they are “out-of-band” and are therefore not able to be taken advantage of as 2600Hz is. Back to trunks. Let’s take a hypothetical phone call. You pick up your phone and dial 1+806-258-1234 (your good friend in Amarillo, Texas). For ease, we’ll assume that you are on #5 Crossbar switching and not in the 806 area. Your central office (CO) would recognize that 806 is a foreign NPA, so it would route the call to the toll centre that serves you. [For the sake of accuracy here, and for the more experienced readers, note that the CO in question is a class 5 with LAMA that uses out-of-band SF supervisory signaling]. Depending on where you are in the country, the call would leave your toll centre (on more trunks) to another toll centre, or office of higher “rank”. Then it would be routed to central office 806-258 eventually and the call would be completed.
Illustration A—CO1——-TC1——TC2—-CO2—-B A = You CO1 = Your central office TC1 = Your toll office. TC2 = Toll office in Amarillo. CO2 = 806-258 central office. B = Your friend (806-258-1234)
In this situation it would be realistic to say that CO2 uses SF in-band (2600Hz) signaling, while all the others use out-of-band signal- ling (3700Hz). If you don’t understand this, don’t worry. I am pointing this out merely for the sake of accuracy. The point is that while you are connected to 806-258-1234, all those trunks from YOUR central office (CO1) to the 806-258 central office (CO2) do *NOT* have 2600Hz on them, indicating to the Bell equipment that a call is in progress and the trunks are in use.
Now let’s say you’re tired of talking to your friend in Amarillo, so you send a 2600Hz down the line. This tone travels down the line to your friend’s central office (CO2) where it is detected. However, that CO thinks that the 2600Hz is originating from Bell equipment, indicating to it that you’ve hung up, and thus the trunks are once again idle (with 2600Hz present on them). But actually, you have not hung up, you have fooled the equipment at your friend’s CO into thinking you have. Thus, it disconnects him and resets the equipment to prepare for the next call. ll this happens very quickly (300-800ms for step-by-step equipment and 150-400ms for other equipment). When you stop sending 2600Hz (after about a second), the equipment thinks that another call is coming towards
–> on hook, no tone –>off hook.
Now that you’ve stopped sending 2600Hz, several things happen:
- A trunk is seized.
- A “wink” is sent to the CALLING end from the CALLED end indicating that the CALLED end (trunk) is not ready to receive digits yet.
- A register is found and attached to the CALLED end of the trunk within about two seconds (max).
- A start-dial signal is sent to the CALLING end from the CALLED end indicating that the CALLED end is ready to receive digits.
Now, all of this is pretty much transparent to the blue boxer. All he really hears when these four things happen is a . So, seizure of a trunk would go something like this:
- Send a 2600Hz
- Terminate 2600Hz after 1-2 seconds
- [beep][kerchunk]
Once this happens, you are connected to a tandem that is ready to obey your every command. The next step is to send signaling information in order to place your call. For this you must simulate the signaling used by operators and automatic toll-dialing equipment for use on trunks. There are mainly two systems, DP and MF. However, DP went out with the dinosaurs, so I’ll only discuss MF signaling. MF (multi-frequency) signaling is the signaling used by the majority of the inter- and intralata network. It is also used in international dialing known as the CCITT no.5 system. MF signals consist of 7 frequencies, beginning with 700Hz and separated by 200Hz. A different set of two of the 7 frequencies represent the digits 0 thru 9, plus an additional 5 special keys. The frequencies and uses are as follows:
Frequencies (Hz)DomesticInternational
700+900 | 1 | 1 |
700+1100 | 2 | 2 |
900+1100 | 3 | 3 |
700+1300 | 4 | 4 |
900+1300 | 5 | 5 |
1100+1300 | 6 | 6 |
700+1500 | 7 | 7 |
900+1500 | 8 | 8 |
1100+1500 | 9 | 9 |
1300+1500 | 0 | 0 |
700+1700 | ST3p | Code 1 |
900+1700 | STp | Code 1 |
1100+1700 | KP | KP1 |
1300+1700 | ST2p | KP2 |
1500+1700 | ST | ST |
The timing of all the MF signals is a nominal 60ms, except for KP, which should have a duration of 100ms. There should also be a 60ms silent period between digits. This is very flexible however, and most Bell equipment will accept outrageous timings. In addition to the standard uses listed above, MF pulsing also has expanded usages known as “expanded in-band signaling” that include such things as coin collect, coin return, ringback, operator attached, and operator attached, and operator released. KP2, code 11, and code 12 and the ST_ps (STart “primes” all have special uses which will be mentioned only briefly here.
To complete a call using a blue box once seizure of a trunk has been accomplished by sending 2600Hz and pausing for the , one must first send a KP. This readies the register for the digits that follow.
For a standard domestic call, the KP would be followed by either 7 digits (if the call were in the same NPA as the seized trunk) or 10 digits (if the call were not in the same NPA as the seized trunk). [Exactly like dialing normal phone call]. Following either the KP and 7 or 10 digits, a STart is sent to signify that no more digits follow. Example of a complete call:
- Dial 1-806-258-1234
- Wait for a call-progress indication (such as ring, busy, recording, etc…)
- Send 2600Hz for about 1 second.
- Wait for about ll-pogress indication (such as ring, busy, recording, etc…)
- Send KP+305+994+9966+ST
The call will then connect if everything was done properly. Note that if a call to an 806 number were being placed in the same situation, the are code would be omitted and only KP + seven digits + ST would be sent. Code 11 and code 12 are used in international calling to request certain types of operators. KP2 is used in international calling to route a call other than by way of the normal route, whether for economic or equipment reasons. STp, ST2p, and ST3p (prime, two prime, and three prime) are used in TSPS (Traffic Service Position System) signaling to indicate calling type of call (such as coin-direct dialing.)
Do Blue Boxes Still Work
This is an excerpt from a message posted to Usenet by Marauder of the Legion of Doom:
Somewhere along the line I have seen reference to something similar to “Because of ESS Blue boxing is impossible”. This is incorrect. When I lived in Connecticut I was able to blue box under Step by Step, #1AESS, and DMS-100. The reason is simple, even though I was initiating my call to an 800 number from a different exchange (Class 5 office, a.k.a. Central Office) in each case, when the 800 call was routed to the toll network it would route through the New Haven #5 Crossbar toll Tandem office. It just so happens that the trunks between the class 5 (CO’s) and the class 4 (toll office, in this case New Haven #5 Crossbar), utilized in-band (MF) signaling, so regardless of what I dialed, as long as it was an Interlata call, my call would route through this particular set of trunks, and I could Blue box until I was blue in the face. The originating Central Offices switch (SXS/ESS/Etc..) had little effect on my ability to box at all. While the advent of ESS (and other electronic switches) has made the blue boxers task a bit more difficult, ESS is not the reason most of you are unable to blue box. The main culprit is the “forward audio mute” feature of CCIS (out of band signaling).
Unfortunately for the boxer 99% of the Toll Completion centers communicate using CCIS links, This spells disaster for the blue boxer since most of you must dial out of your local area to find trunks that utilize MF signaling, you inevitably cross a portion of the network that is CCIS equipped, you find an exchange that you blow 2600hz at, you are rewarded with a nice “winkstart”, and no matter what MF tones you send at it, you meet with a re-order. This is because as soon as you seized the trunk (your application of 2600hz), your Originating Toll Office sees this as a loss of supervision at the destination, and Mutes any further audio from being passed to the destination (i.e.: your waiting trunk!). You meet with a reorder because the waiting trunk never “hears” any of the MF tones you are sending, and it times out. So for the clever amongst you, you must somehow get yourself to the 1000’s of trunks out there that still utilize MF signaling but bypass/disable the CCIS audio mute problem. (Hint: Take a close look at WATS extenders).
An interesting page on blue boxing is The SARTS Blue Boxing Journal.
Ern
How do i get that blue box to buy?
get back to me on
ekmot@eyou.com
thanks.
{phr4ckr}
Excellent article on the workings of Blue Boxing. Hack The Universe!!!