
Beginners guide to phreaking, how and why it works

Unauthorised Access UK  0636-708063  10pm-7am  12oo/24oo


LEGAL REQUIREMENTS: I have done, won't do, don't actually know anything about
anything in this document (this message and those following it). I have
absolutely no intention of doing so and all that is here is completely
fictional - Any resemblance to reality is coincidental or guesswork or public
knowledge. In no way do I advise the reading let alone following of the
information below and it is not in any way to be construed as instructions -
simply a literary exercise in the fiction of intellectual guesswork.

DESCRIPTION: This is an introduction to what is called 'Phreaking'. It has
interested many people, and may be illegal (perhaps stealing electricity or
thanks to everyone / anyone who has contributed - They will know who they are.
About 1/3 to 1/2 the info came to my knowledge through TowerNet:- There are
some pretty good brains out there so SUPPORT THE SYSTEM! I would be most
grateful for any corrections / criticisms / updates or even compliments.

SOURCE & DISTRIBUTION: This file was written by 'The Wizard' of 'The Wizard's
Tower' Bulletin Board. Permission is granted to distribute this file on the
following conditions:
        1) The actual text remains unamended. Any additions are added at the
           end with notes describing their source and date in a readable. The
           only possible exception to this is where a portion of the text is
           referred to a note at the end where the line <See note XXXX> may be
        2) It is understood that the Legal Requirements above are abided by by
           both the distributors, any intermediate distributors and 'The Wizard'

The Wizard's Tower is a TowerNet BBS and can be accessed as follows:
        Number (UK) : 0295 721532 (that's +44 295 721532 internationally).
        Baud rates  : V21,22,22bis,23
        Protocol    : 8n1, configurable, ARQ available if wanted.
        Times       : 6pm to 9am, Local Time.

What is Phreaking
     Phreaking is the process by which free or reduced rate calls, or other
interesting effects may be obtained from phone companies. Of course dialling
numbers that aren't ones you know is in breach of contract with BT, which is
probably breaking the law, as is (of course) attaching naughty circuits to your
phone, so that's why of course I have never done any of it myself as breaking the
law is very naughty and if you deprive monopolies of their profits you deserve
to have your botty spanked.
     There are 2 kinds of phreaking (basically speaking) - one involves
actually intercepting the phone-line with devices to fool the charging
equipment, and the other confusing BT and other things with exchanges by
dialling weird and wonderful numbers or making devices to sing merrily down
the line.
     The trouble with 'black-boxes' (devices to fool the charging equipment) is
though it is actually illegal for BT to trace any calls without a license etc.,
and they can't tell you are phreaking, most if not all black boxes light up a
fault light on older exchanges (which all true blooded BT engineers ignore!).
This light's status could I suppose be used as evidence against you if they ever
felt like suing you. The other major problem is that, by their very nature, the way
most black-boxes work is they tell the charging equipment that you have not yet
picked up the phone, thus incoming calls are free (to those who ring you), but
not out-going calls, which is not particularly helpful for some purposes (e.g.
hacking remote systems). Thus their use is limited, but they do come in
useful. For legal reasons and the fact this is a public-ish 'place' I can't
really give any circuits away that do this directly.
     Use of circuits attached directly to the telephone lines not approved by
BT is in breach of your license agreement. This has not bothered many people
before, but as honest citizens you really ought not use them....

Line Signals
     Noises (like engaged, ringing tones etc. and voices) are on the line as
A.C., say down to about 200Hz officially speaking. The peak to peak voltage
signal is smallish, about 1/2 a volt-ish, so in DC terms you can ignore this.
For dialling and charging purposes DC is used. DC voltages are listed below.
There is no set polarity on your line (as BT often swap Line A and Line B -
even when they repair the lines! Thus it is a good idea to have a change over
switch mounted in any circuitry you might make), so set the imaginary meter in
your brain to think of the polarity as 'positive' (+ve) when you pick the phone
up to dial outwards.

How a call works
     Normally on a phone line there is 50V across the line. When you pick the
phone up for the first time to make an outward going call, the line polarity is
+ve about 12V-ish. Normally (i.e. if the phone wasn't connected) there'd be
about 50V-ish across the line, but because the phone has a lowish resistance
compared to the series resistance in the exchange, when the phone is in the
circuit 50-100mA is drawn and the voltage across the line falls.
     What happens on LD (Loop-Disconnect or click dialling) is that pulses are
sent down the line by breaking the line once to dial a 1, twice to dial a 2
etc., 9 times to dial a nine and ten to dial a zero. There are ten pulses sent
down per second, of which 33% is mark (i.e. the line disconnected), and 67%
space (i.e. line normal). In each pulse the line voltage rises to 50 volts +ve,
as there's no current taken by the phone.
     Then hopefully BT will connect you to the number. It rings (which on their
phone is a 50V peak either side of zero (ish)) and on your phone is a tone from
their exchange. Their bell takes a little current when it rings and the
exchange notices this ringing (if there's no current flowing it gives number
unobtainable, the implication being normally speaking that the line's broken:- On
the new sockets there's an opt-out of service resistor that makes the line draw
current if you don't connect your phone so it seems as though it's ringing to
whoever's calling so hundreds of faults reported as broken lines which are only
people unplugging their phone aren't reported if you know what I mean...).
     The exchange notices that the phone is picked up (all this info is
possibly more relevant only to the old exchanges) because when the guy you are
ringing picks the receiver up a largish current (50mA or so) flows. Now as the
signal of the ringing is AC of a large voltage (Not quite sure if all this is
completely exact but it's pretty near) suddenly on both sides of the cycle a
largish current flows. One side of the cycle simply turns off the ringing tone
at the exchange, the other side is more interesting. If it's a local call it
simply activates your charging meter, otherwise it makes the exchange of
the guy you are ringing send a 2280Hz bleep down the line to your exchange
which activates your charging meter. That is why (a) 2280Hz signalling (see
later) only works on Trunk type calls and (b) you often hear a little blip when
you pick the phone up. 2280Hz.ARC in this room generates a 2280 Hz signal (and
others as well) from an IBM PC's internal speaker. You will need a machine with
a loud speaker e.g. an Amstrad PC.
     If you can't work out how phreak potentials arise from this hotch-potch of
technology then I suggest you sit down and think about it some more....

Internal communication over trunk lines
     All internal communication between trunk exchanges used to use AC9 (AC
signalling circuit number 9) to communicate between them. The first thing to
understand about exchanges is that making a call from A to B you are likely to
pass through technology from any period between 1920 and 1988. Each is different
in its characteristics (see Atkinson's Telephony - very helpful on the subject)
but most understand AC9 codes though many will not accept them from the line.
     AC9 dialling follows internal rather than external dialling codes.
I.e. the numbers exchanges send to each other to route a call from A to B are
not the same as the numbers you dial on the phone to get from A to B, which
presents a problem (in the USA internal dialling codes are very similar to
external dialling codes - very useful). The reason for this is that the internal
dialling codes include routing information. AC9 dialling is very similar to
loop disconnect dialling except that instead of breaking the line, 2280Hz is
sent down, again at 10pps with a 33% / 67% mark space ratio.
     Before any AC9 dialling is done, the master tone must be sent down - this
is just a long, loud burst of 2280Hz which will clear the line to an eerie
silence. It also (see above) activates the charging apparatus. 2280Hz master
tones for the reasons above only work on non-local calls (or at least
non-own-exchange). Thus at first glance AC9ing may seem pointless. However if
you then AC9 elsewhere, you will of course be charged only at the rate at which
you rang out. I.e. if you ring an 'A' rate number or possibly a local number
starting with an '0' (yes there are some) and then AC9ed down the code for
international dialling (it may not be 010 as again internal codes are
different) then you would suddenly find yourself with a dialling tone and be
able to dial abroad at 'L' or 'A' rates (in theory).
     In practice the internal dialling codes' complexities are often a great
problem (I THINK the last 4 5 or 6 digits of the internal & external dialling
codes are normally identical but I dunno much about internal dialling codes -
best ask a BT engineer who is corrupt!), and so is the fact that a LOUD 2280Hz
is needed as it is filtered out at exchanges. It is rumoured that if these
filters' capacity is exceeded, in some exchanges alarms go off but this seems a
little unlikely especially with the old exchanges.
     What I can give you is a little hint - the internal code for a number
which is in the same district is 1, i.e. to dial 01-234-5678 after clearing the
line on ringing 01-987-6543, the code would be 1-234-5678 (I think). Also you
will find various internal operators on 1105, 1107 (presumably equal to what
would happen if you dialled 105 & 107 normally if it weren't blocked by the
exchange??) and other weird things on other 11XX numbers e.g. 1100 & 1107. You
might try all the standard test no.s prefixed by a 1.

 Internal Communication for AC9 and normal pulse dialling specifications:
          Pulse rate          : 10 pps
          % break             : 67%
          % pulse             : 33%
          Interdigit interval : 800ms
          Cycle time          : Digit dependent
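
     The pulse timing above is enough to decode loop-disconnect dialling the
way an exchange register would. The Python below is an added example, not part
of the original file; the function names and the glitch, digit-gap and hang-up
thresholds are assumptions, and the decoder does not depend on the break/make
ratio, so it copes with either of the two ratios quoted in the text.

```python
# Added example: exchange-side decoding of loop-disconnect (pulse) dialling.
PULSE_PERIOD_MS = 100   # 10 pulses per second (from the text)
INTERDIGIT_MS = 800     # inter-digit interval (from the text)
GLITCH_MS = 10          # assumption: shorter breaks are contact bounce
DIGIT_GAP_MS = 300      # assumption: a make this long closes the digit
HANGUP_MS = 300         # assumption: a break this long is the handset going on-hook


def decode_pulses(events):
    """Decode (state, duration_ms) line events, state being 'make' or 'break'.

    Returns (digits, cleared); cleared is True when a long break ended the call.
    A train of more than ten breaks is not a valid digit and is reported as '?'.
    """
    digits, count = [], 0

    def flush():
        nonlocal count
        if count:
            digits.append(str(count % 10) if count <= 10 else "?")
        count = 0

    for state, ms in events:
        if state == "break":
            if ms >= HANGUP_MS:          # line released: stop collecting digits
                flush()
                return "".join(digits), True
            if ms >= GLITCH_MS:          # a real dial pulse
                count += 1
        elif state == "make":
            if ms >= DIGIT_GAP_MS:       # pause between digits
                flush()
        else:
            raise ValueError(f"unknown line state: {state!r}")
    flush()
    return "".join(digits), False


def sample_train(number, break_ms=33):
    """Constructed test input: the events an ideal dial produces for `number`."""
    events = []
    for d in number:
        for _ in range(10 if d == "0" else int(d)):
            events += [("break", break_ms), ("make", PULSE_PERIOD_MS - break_ms)]
        events[-1] = ("make", INTERDIGIT_MS)   # last make runs into the digit gap
    return events


if __name__ == "__main__":
    print(decode_pulses(sample_train("0295")))
    print(decode_pulses(sample_train("12") + [("break", 2000)]))
```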

     The newer system X type exchanges and the US exchanges use a different
system for signalling. Again they use a master tone to clear the line, and then
what happens is dual tone multi-frequency dialling is used (i.e. like normal
tone dialling but with different frequencies). Below follows a list of
frequencies as far as I know. The way they work, is as above in terms of
dialling codes I think, but the stuff you send is <Master Tone> <Start Keying>
<Number to dial> <End Keying>. The tones are shortish in duration (as in tone
dialling). Tone dialling freqs are also listed below.

 Internal frequencies
 Frequency Hz| Tone dialling (US & UK)| UK Internal  | US Internal|
 Master      | ----                   | 2280         | 2600       |
 1           | 697, 1209              | 1380, 1500   |  700,  900 |
 2           | 697, 1336              | 1380, 1620   |  700, 1100 |
 3           | 697, 1477              | 1500, 1620   |  900, 1100 |
 4           | 770, 1209              | 1380, 1740   |  700, 1300 |
 5           | 770, 1336              | 1500, 1740   |  900, 1300 |
 6           | 770, 1477              | 1620, 1740   | 1100, 1300 |
 7           | 852, 1209              | 1380, 1860   |  700, 1500 |
 8           | 852, 1336              | 1500, 1860   |  900, 1500 |
 9           | 852, 1477              | 1620, 1860   | 1100, 1500 |
 0           | 941, 1366              | 1740, 1860   | 1300, 1500 |
 Start Keying| 941, 1209 (*)    (1740)| 1620, 1980   | 1100, 1700 |
 End Keying  | 941, 1477 (#)    (1860)| 1740, 1980   | 1300, 1700 |
 A           | 697, 1633              | 1380, 1980   |  700, 1700 |
 B           | 770, 1633              | 1500, 1980   |  900, 1700 |
 C           | 852, 1633        (1620)|?1860, 1980   |?1500, 1700 |
 D           | 941, 1633              |     -        |     -      |
 Those figures bracketed indicate 'alternative' values of the 1st UK frequency
 for internal dialling from a different source:- though they seem less likely
 to be accurate in terms of correspondence with the US frequencies, they are
 included in the interests of completeness.

 Tone dialling specifications
      Tone duration       : 100ms
      Interdigit interval : 100ms
      Cycle Time          : 200ms (total time to dial a digit).
 Example figures. These are for a Quattro modem but your equipment should try
 & approach these.
      Freq. deviation     : 1.5% Max
      Transmit level      : -7dB to +1dB
      Tone pair amp. bal. : Higher tone about 2dB greater in amplitude than
                            lower tone.

     A, B, & D, are used for various purposes. In the older system X type Bell
exchanges in the US, touch tone A,B,C & D are used by the engineers to call up
various test services - just ring the operator there with 1 of the keys A B C
or D held down (especially D) - if it works you will get to a test, if it
doesn't the operator will swear and curse at you.
     In internal exchanges such as the Merlin, A, B, C & D touch tones call up
additional services. If your phone for your exchange does not have these
buttons on it, then getting a phone with this '4th column' may add extra
facilities - could be useful! Though I don't (as usual) guarantee anything.
     In the US military phone system (AUTOVON), A, B, C & D provide various
military priorities: Flash, Flash Override, Priority and Priority interrupt -
what does what who knows but it's meant to speed wartime & wargame
     What A,B & C frequencies do on the internal network I am afraid I don't
know. I am not sure the frequency allocated to C is even used! But I have
heard they are used as control signals and for the routing mechanism in the UK.
Someone even told me that they did
