=============================================
INTRODUCTION TO PHONE-PHREAKING
by The Wizard
=============================================

Preface
=======

LEGAL REQUIREMENTS:

I have done, won't do, and don't actually know anything about anything in this document (this message and those following it). I have absolutely no intention of doing so and all that is here is completely fictional - any resemblance to reality is coincidental or guesswork or public knowledge. In no way do I advise the reading, let alone the following, of the information below and it is not in any way to be construed as instructions - simply a literary exercise in the fiction of intellectual guesswork.

DESCRIPTION:

This is an introduction to what is called 'Phreaking'. It has interested many people, and may be illegal (perhaps stealing electricity or breach of BT licence). I DO NOT BY ANY MEANS CLAIM ALL THE INFO BELOW TO BE MY OWN AND THUS TAKE NO RESPONSIBILITY FOR INACCURACY! However I must send my thanks to everyone / anyone who has contributed - they will know who they are. About 1/3 to 1/2 of the info came to my knowledge through TowerNet:- there are some pretty good brains out there so SUPPORT THE SYSTEM! I would be most grateful for any corrections / criticisms / updates or even compliments.

SOURCE & DISTRIBUTION:

This file was written by 'The Wizard' of 'The Wizard's Tower' Bulletin Board. Permission is granted to distribute this file on the following conditions:

1) The actual text remains unamended. Any additions are added at the end with notes describing their source and date in a readable form. The only possible exception to this is where a portion of the text is referred to a note at the end, where the line may be added.

2) It is understood that the Legal Requirements above are abided by, by both the distributors, any intermediate distributors and 'The Wizard'.

The Wizard's Tower is a TowerNet BBS and can be accessed as follows:

  Number (UK) : 0295 721532 (that's +44 295 721532 internationally).
  Baud rates  : V21, 22, 22bis, 23
  Protocol    : 8n1, configurable, ARQ available if wanted.
  Times       : 6pm to 9am, local time.

What is Phreaking
=================

Phreaking is the process by which free or reduced rate calls, or other interesting effects, may be obtained from phone companies. Of course dialling numbers that aren't ones you know is in breach of contract with BT, which is probably breaking the law, as is (of course) attaching naughty circuits to your phone, so that's why of course I have never done any of it myself, as breaking the law is very naughty and if you deprive monopolies of their profits you deserve to have your botty spanked.

There are 2 kinds of phreaking (basically speaking) - one involves actually intercepting the phone line with devices to fool the charging equipment, and the other confusing BT and other things with exchanges by dialling weird and wonderful numbers or making devices to sing merrily down the line.

The trouble with 'black boxes' (devices to fool the charging equipment) is that, though it is actually illegal for BT to trace any calls without a licence etc., and they can't tell you are phreaking, most if not all black boxes light up a fault light on older exchanges (which all true-blooded BT engineers ignore!). This light's status could I suppose be used as evidence against you if they ever felt like suing you.

The other major problem is that, by their very nature, the way most black boxes work is that they tell the charging equipment that you have not yet picked up the phone; thus incoming calls are free (to those who ring you), but not outgoing calls, which is not particularly helpful for some purposes (e.g. hacking remote systems). Thus their use is limited, but they do come in useful.

For legal reasons and the fact that this is a public-ish 'place' I can't really give any circuits away that do this directly. Use of circuits attached directly to the telephone lines not approved by BT is in breach of your licence agreement.
This has not bothered many people before, but as honest citizens you really ought not use them....

Line Signals
============

Noises (like engaged and ringing tones etc. and voices) are on the line as AC, say down to about 200Hz officially speaking. The peak-to-peak voltage of the signal is smallish, about half a volt-ish, so in DC terms you can ignore it. For dialling and charging purposes DC is used. DC voltages are listed below.

There is no set polarity on your line (BT often swap Line A and Line B - even when they repair the lines! Thus it is a good idea to have a change-over switch mounted in any circuitry you might make), so set the imaginary meter in your brain to think of the polarity as 'positive' (+ve) when you pick the phone up to dial outwards.

How a call works
================

Normally on a phone line there is 50V across the line. When you pick the phone up for the first time to make an outgoing call, the line polarity is +ve, about 12V-ish. Normally (i.e. if the phone wasn't connected) there'd be about 50V-ish across the line, but because the phone has a lowish resistance compared to the series resistance in the exchange, when the phone is in the circuit 50-100mA is drawn and the voltage across the line falls.

What happens on LD (Loop-Disconnect or click dialling) is that pulses are sent down the line by breaking the line once to dial a 1, twice to dial a 2 etc., 9 times to dial a nine and ten times to dial a zero. Ten pulses are sent down per second, of which 33% is mark (i.e. the line disconnected) and 67% space (i.e. line normal). In each pulse the line voltage rises to 50 volts +ve, as there's no current taken by the phone. Then hopefully BT will connect you to the number. It rings (which on their phone is a 50V peak either side of zero (ish)) and on your phone is a tone from their exchange.
Their bell takes a little current when it rings and the exchange notices this ringing (if there's no current flowing it gives number unobtainable, the implication being, normally speaking, that the line's broken:- on the new sockets there's an opt-out-of-service resistor that makes the line draw current if you don't connect your phone, so it seems as though it's ringing to whoever's calling, so hundreds of faults reported as broken lines which are only people unplugging their phone aren't reported, if you know what I mean...).

The exchange notices that the phone is picked up (all this info is possibly more relevant only to the old exchanges) because when the guy you are ringing picks the receiver up a largish current (50mA or so) flows. Now as the ringing signal is AC of a large voltage (not quite sure if all this is completely exact but it's pretty near), suddenly on both sides of the cycle a largish current flows. One side of the cycle simply turns off the ringing tone at the exchange; the other side is more interesting. If it's a local call it simply activates your charging meter, otherwise it makes the exchange of the guy you are ringing send a 2280Hz bleep down the line to your exchange, which activates your charging meter. That is why (a) 2280Hz signalling (see later) only works on trunk-type calls and (b) you often hear a little blip when you pick the phone up.

2280Hz.ARC in this room generates a 2280Hz signal (and others as well) from an IBM PC's internal speaker. You will need a machine with a loud speaker, e.g. an Amstrad PC.

If you can't work out how phreak potentials arise from this hotch-potch of technology then I suggest you sit down and think about it some more....

Internal communication over trunk lines
=======================================

All internal communication between trunk exchanges used to use AC9 (AC signalling circuit number 9) to communicate between them.
The first thing to understand about exchanges is that making a call from A to B you are likely to pass through technology from any period between 1920 and 1988. Each is different in its characteristics (see Atkinson's Telephony - very helpful on the subject) but most understand AC9 codes, though many will not accept them from the line.

AC9 dialling follows internal rather than external dialling codes. I.e. the numbers exchanges send to each other to route a call from A to B are not the same as the numbers you dial on the phone to get from A to B, which presents a problem (in the USA internal dialling codes are very similar to external dialling codes - very useful); the reason for this is that the internal dialling codes include routing information.

AC9 dialling is very similar to loop-disconnect dialling except that instead of breaking the line, 2280Hz is sent down, again at 10pps with a 33% / 67% mark/space ratio. Before any AC9 dialling is done, the master tone must be sent down - this is just a long, loud burst of 2280Hz which will clear the line to an eerie silence. It also (see above) activates the charging apparatus. 2280Hz master tones, for the reasons above, only work on non-local calls (or at least non-own-exchange). Thus at first glance AC9ing may seem pointless. However if you then AC9 elsewhere, you will of course be charged only at the rate at which you rang out. I.e. if you ring an 'A' rate number or possibly a local number starting with an '0' (yes there are some) and then AC9ed down the code for international dialling (it may not be 010 as again internal codes are different) then you would suddenly find yourself with a dialling tone and be able to dial abroad at 'L' or 'A' rates (in theory).
In practice the complexities of the internal dialling codes are often a great problem (I THINK the last 4, 5 or 6 digits of the internal & external dialling codes are normally identical but I dunno much about internal dialling codes - best ask a BT engineer who is corrupt!), and so is the fact that a LOUD 2280Hz is needed as it is filtered out at exchanges. It is rumoured that if these filters' capacity is exceeded, in some exchanges alarms go off, but this seems a little unlikely especially with the old exchanges.

What I can give you is a little hint - the internal code for a number which is in the same district is 1, i.e. to dial 01-234-5678 after clearing the line on ringing 01-987-6543, the code would be 1-234-5678 (I think). Also you will find various internal operators on 1105, 1107 (presumably equal to what would happen if you dialled 105 & 107 normally if it weren't blocked by the exchange??) and other weird things on other 11XX numbers e.g. 1100 & 1107. You might try all the standard test no.s prefixed by a 1.

Internal communication for AC9 and normal pulse dialling specifications:

  Pulse rate          : 10 pps
  % break             : 67%
  % pulse             : 33%
  Interdigit interval : 800ms
  Cycle time          : Digit dependent

The newer System X type exchanges and the US exchanges use a different system for signalling. Again they use a master tone to clear the line, and then dual-tone multi-frequency dialling is used (i.e. like normal tone dialling but with different frequencies). Below follows a list of frequencies as far as I know. The way they work is as above in terms of dialling codes, I think, but the stuff you send is . The tones are shortish in duration (as in tone dialling). Tone dialling freqs are also listed below.
Internal frequencies
====================

  Frequency Hz| Tone dialling (US & UK) | UK Internal        | US Internal |
  ===========================================================================
  Master      | ----                    | 2280               | 2600        |
  1           | 697, 1209               | 1380, 1500         | 700, 900    |
  2           | 697, 1336               | 1380, 1620         | 700, 1100   |
  3           | 697, 1477               | 1500, 1620         | 900, 1100   |
  4           | 770, 1209               | 1380, 1740         | 700, 1300   |
  5           | 770, 1336               | 1500, 1740         | 900, 1300   |
  6           | 770, 1477               | 1620, 1740         | 1100, 1300  |
  7           | 852, 1209               | 1380, 1860         | 700, 1500   |
  8           | 852, 1336               | 1500, 1860         | 900, 1500   |
  9           | 852, 1477               | 1620, 1860         | 1100, 1500  |
  0           | 941, 1336               | 1740, 1860         | 1300, 1500  |
  Start Keying| 941, 1209 (*)           | 1620, 1980 (1740)  | 1100, 1700  |
  End Keying  | 941, 1477 (#)           | 1740, 1980 (1860)  | 1300, 1700  |
  A           | 697, 1633               | 1380, 1980         | 700, 1700   |
  B           | 770, 1633               | 1500, 1980         | 900, 1700   |
  C           | 852, 1633               | ?1860, 1980 (1620) | ?1500, 1700 |
  D           | 941, 1633               | -                  | -           |
  ===========================================================================

Those figures bracketed indicate 'alternative' values of the 1st UK frequency for internal dialling from a different source:- though they seem less likely to be accurate in terms of correspondence with the US frequencies, they are included in the interests of completeness.

Tone dialling specifications
============================

  Tone duration       : 100ms
  Interdigit interval : 100ms
  Cycle time          : 200ms (total time to dial a digit).

Example figures. These are for a Quattro modem but your equipment should try & approach these.

  Freq. deviation     : 1.5%
  Max transmit level  : -7dB to +1dB
  Tone pair amp. bal. : Higher tone about 2dB greater in amplitude than lower tone.

A, B & D are used for various purposes. In the older System X type Bell exchanges in the US, touch tones A, B, C & D are used by the engineers to call up various test services - just ring the operator there with one of the keys A, B, C or D held down (especially D) - if it works you will get to a test, if it doesn't the operator will swear and curse at you.
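An added example, not from the original file or its author: a Goertzel-based decoder for the standard tone-dialling column of the table above, assuming an 8 kHz recording of the line scaled to [-1, 1]; the 205-sample window, squelch and dominance thresholds are assumptions. The constructed input uses the page's 100ms tone / 100ms interdigit timing, and the short window keeps a tone within the 1.5% frequency deviation inside one Goertzel bin.

```python
import math
# Standard tone-dialling (DTMF) pairs from the table above: one low-group plus one high-group tone.
LOW = (697, 770, 852, 941)
HIGH = (1209, 1336, 1477, 1633)
KEYS = ("123A", "456B", "789C", "*0#D")      # KEYS[low index][high index]
RATE, BLOCK = 8000, 205   # assumed 8 kHz recording; ~25.6 ms windows give ~39 Hz bins, so a 1.5% drift stays in-bin
MIN_POWER, DOMINANCE = 200.0, 4.0   # assumed squelch (samples in [-1, 1]) and required margin over rival tones

def goertzel(samples, freq):
    """Power at one frequency in a block (Goertzel: a single DFT bin, no full FFT needed)."""
    k = round(BLOCK * freq / RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / BLOCK)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def decode_block(samples):
    """Key present in one block, or None for silence, an interdigit gap, or a lone/odd tone."""
    winners = []
    for group in (LOW, HIGH):
        powers = [goertzel(samples, f) for f in group]
        best = max(range(4), key=powers.__getitem__)
        rivals = max(p for i, p in enumerate(powers) if i != best)
        if powers[best] < MIN_POWER or powers[best] < DOMINANCE * rivals:
            return None
        winners.append(best)
    return KEYS[winners[0]][winners[1]]

def decode_stream(samples):
    """Walk a recording block by block; a key is accepted once two consecutive blocks agree."""
    digits, current, run = [], None, 0
    for i in range(0, len(samples) - BLOCK + 1, BLOCK):
        key = decode_block(samples[i:i + BLOCK])
        current, run = (key, run + 1) if key == current else (key, 1)
        if key is not None and run == 2:
            digits.append(key)
    return "".join(digits)

def dial(keys, tone_ms=100, gap_ms=100, amp=0.5):
    """Constructed input using the page's timing: 100 ms tone, then 100 ms silence, per key."""
    out = []
    for key in keys:
        row = next(r for r, names in enumerate(KEYS) if key in names)
        lo, hi = LOW[row], HIGH[KEYS[row].index(key)]
        for i in range(int(RATE * tone_ms / 1000)):
            out.append(amp * math.sin(2 * math.pi * lo * i / RATE) + amp * math.sin(2 * math.pi * hi * i / RATE))
        out += [0.0] * int(RATE * gap_ms / 1000)
    return out
```

decode_stream(dial("1234*0#D")) returns the same key string; a block holding silence, an interdigit gap or a single tone decodes to None rather than to a wrong key.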
In internal exchanges such as the Merlin, A, B, C & D touch tones call up additional services. If your phone for your exchange does not have these buttons on it, then getting a phone with this '4th column' may add extra facilities - could be useful! Though I don't (as usual) guarantee anything.

In the US military phone system (AUTOVON), A, B, C & D provide various military priorities: Flash, Flash Override, Priority and Priority Interrupt - what does what who knows, but it's meant to speed wartime & wargame communication.

What the A, B & C frequencies do on the internal network I am afraid I don't know. I am not sure the frequency allocated to C is even used! But I have heard they are used as control signals and for the routing mechanism in the UK. Someone even told me that they did