6. c5 Trunks Today

Written By: phractal (email@example.com)
Written For: NPANXX010 (www.teamphreak.net)
Written On: 09.10.03
______________________________________________________________________

-Intro
-C5?
-How can we bluebox from an SS7 served area?
-Packet/MF signalling translation
-C5 Links Today (from US)
-Dialing Direct To Seize
-Bouncing your Call To Seize
-List Of Terms

|1  | |2  | |3  |
|4  | |5  | |6  |
|7  | |8  | |9  |
|KP | |0  | |ST |
|KP2| |C11| |C12|

Ok, if you haven't heard about CCITT5 Trunks, I would hardly consider you an "international phreak". Basically, CCITT5 or System 5 is a software protocol used to route telephone traffic. What is interesting to phreaks is that it is an INTERNATIONAL PROTOCOL, and also that it is analog. CCITT5 is the system loved by phreaks when they can get on it, because it is vulnerable and powerful.

C5?

It is a blueboxable system. If you want to learn how to bluebox it, I'm going to refer you to Echelon Magazine, which is a UK zine focused on CCITT5 blueboxing, but since it deals with international phreaking, it can be applied over here as well. You should be able to find issues in the downloads section of TeamPhreak.

How can we bluebox from an SS7 served area?

The global PSTN, which the internet actually heavily relies on, connects various continents and countries together with important gateways which then route to smaller offices. Each country's trunking throughout its land can be organized differently for different areas. A common generic example is the T-1 trunks used in North America and Japan and the E-1 trunks used over in Europe. US country Directs Switch software also varies from place to place around the globe.
Because of this, gateways need to be able to 'talk' to each other and be able to translate information from digital to analog when necessary. An SS7 gateway has the capability of talking to a C5 system. When you call any of the numbers below, your digital signalling from the SS7 packets is actually converted to an analog format, into audible tones.

1-800-532-4462 China Direct (nice ringing!)
  -Live Operator
  -they hang up on me now! I call and hear "pleep!... plip!"
1-800-235-1154 Belize Direct:
  -Automated Menu
  -Press 1 for Calling Card Call
  -Press 2 for Collect or Operator (ask to speak to a technician)
1-800-680-7622 Palau Direct: (quite possibly routed via satellite)
  -NCC Palau Direct Service
  -Automated Prompt for Card #, 3 tries sucka :(
1-800-680-8363 Venezuela Direct
  -Recording, but I believe it asks to dial a number in Spanish

Packet/MF Translation:

The tones they are translated to are commonly called MF tones, which are NOT the same as those on the normal DTMF dialset.

  1-800-532-4462
    |  analog: dial DTMF tones
    v
  C.O.
    |  digital: SS7 packets
    v
  International Gateway   (digital incoming, translated to MF digits)
    |  analog: outbound MF tones
    v
  Inbound C5 system

It is commonly known that there are toll free numbers called "Home Country Directs" which terminate in other countries. The previous numbers I gave you are all well-secured C5 country directs. Toll free calls to another country? Pretty nice eh? Country Directs are heavily monitored because, keep in mind, they are still US numbers; the 1-800 number is still located in the US. Thus blueboxing off these is hard. What we are interested in are Directs that go through a C5 link. These are clearly recognizable by their "pleep" upon pickup and hangup. But if you find a C5 link, that's only half the battle.

C5 links today:

Country Directs seem to be a waning, ever so slowly dying door to C5 boxing.
They are nice because you need to pass through a C5 link and it's totally free :) Abuse of Country Directs has driven up monitoring, and the hanging up of any call that passes "blocked tones", which would be any bluebox tones. I'm not sure if the US international gateways are doing the monitoring, or if it is a little more specific to the number itself. I know DMS-100's have BlueBox detection software to look for MF digits, but it isn't enabled by default. It is covered in an article by di9ital in Ch4x Magazine Issue 5.

Most Country Directs are actually digital all the way through, to avoid any funny business to begin with. Unfortunately for phreaks, this means that calling directly to the country rather than using a 1-800 is probably going to work out better. There are countries that are C5 but have no 1-800 that takes us there, such as Libya and parts of Russia. There are even still trunks that accept incoming MF signalling INTO the United States, but there are no outgoing stations that use analog signalling anymore. The real battle seems to be getting into an analog area when it seems like most of the gateways have been made to ensure digital-only signalling.

Dialing Direct To Seize:

What needs to be done is different routing. Certain routes pass through C5 while others don't. Venezuela actually has two directs, which both go to the same automated operator, but only one goes through a C5 link, as is obvious from the pleep.

+1-800-488-0058 "..Bienvenidos a servicio Venezuela Direto.."
+1-800-680-8363 "PLEEP!.. Bienvenidos...."

From some beige box experience and helping myself to dial various countries, I've discovered that routes are a little more variable: sometimes I go through C5, sometimes I don't, whereas the Country Directs pretty much have set routes.

Bouncing Your Call To Seize:

You might try bouncing your call via a PBX, calling card or op that is located in another country. Other countries have country directs as well, and those are toll free as well.
The US and UK directs are pretty much brick walls when trying to bluebox today, but directs from other countries still offer possibilities. From Australia (CC +61) the following directs are C5:

1800881860 China Direct
1800881973 Bahrain Direct (SS7 from here) (nice ringing!)
1800881701 Russia Direct (SS7 from here)
1800881682 Cook Islands Direct
1800881688 Tuvalu Direct

All SE'd by yours truly from the lovely Australia Telstra Direct operator.

So if you wanted to attempt to seize Russia? First, lose your ANI for good measure, as once you reach inband trunks from overseas, without an ANI, it really isn't about to be found without serious tracing methods like tracing through electricity. Your call would look like:

  US ---------ss7-------> Australian Outdial    (ANIF packet sent)
                                |
                               ss7              (ANI of Outdial unless you diverted)
                                |
                                v
  Australian Gateway ------c5--------> Russian Gateway    (no packets sent!)

LIST OF TERMS:

ANI-Automatic Number Identification
ANIF-Automatic Number Identification Failure, 02 is sent as ANI II digits
CCITT5/C5-Consultative Committee for International Telegraphy and Telephony # 5 (outdated term, as c5 is an outdated system :))
CC-Country Code
MF Digits-MultiFrequency, Audible Tones used in analogue routing, can be spoofed!
SS7-Signaling System 7, Routing sent in packet form, not audibly spoofable
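
The "blocked tones" monitoring described under "C5 links today" comes down to spotting frames of a subscriber's voice path whose energy sits almost entirely on signalling frequencies. The sketch below is an added example, not code from the article, from Ch4x Magazine or from any switch vendor. The frequency tables are taken from ITU-T's published Signalling System No. 5 specifications rather than from this page, and the frame size, purity threshold and sample audio are constructed assumptions.

```python
import math

RATE, FRAME = 8000, 160            # 8 kHz telephony PCM, 20 ms frames (50 Hz bins)
LINE_HZ = (2400, 2600)             # System No. 5 line-signalling frequencies
MF_HZ = (700, 900, 1100, 1300, 1500, 1700)   # register (MF) frequencies, sent in pairs

def goertzel_power(frame, freq):
    """Squared DFT magnitude of `frame` at `freq` (Goertzel recurrence)."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def classify_frame(frame, purity=0.8):
    """Return 'line', 'mf' or None. `purity` is the share of the frame's energy
    that must sit on signalling frequencies; speech spreads its energy and fails."""
    energy = sum(x * x for x in frame) * len(frame) / 2
    if energy == 0:
        return None                # silence carries no signalling
    shares = {f: goertzel_power(frame, f) / energy for f in LINE_HZ + MF_HZ}
    if sum(shares[f] for f in LINE_HZ) >= purity:
        return "line"
    top_two = sorted((shares[f] for f in MF_HZ), reverse=True)[:2]
    if sum(top_two) >= purity and top_two[1] >= 0.2:   # MF needs two tones present
        return "mf"
    return None

def scan_call(samples, min_frames=2):
    """List (start_ms, kind, duration_ms) for tone runs lasting >= min_frames.
    The persistence check keeps one tonal-sounding frame from tripping an alert."""
    events, run_kind, run_start = [], None, 0
    kinds = [classify_frame(samples[i:i + FRAME])
             for i in range(0, len(samples) - FRAME + 1, FRAME)] + [None]
    for n, kind in enumerate(kinds):
        if kind != run_kind:
            if run_kind and n - run_start >= min_frames:
                events.append((run_start * 20, run_kind, (n - run_start) * 20))
            run_kind, run_start = kind, n
    return events

def constructed_audio(freqs, ms):
    """Constructed test input (equal-level sine mix), not captured traffic."""
    return [sum(math.sin(2 * math.pi * f * n / RATE) for f in freqs)
            for n in range(RATE * ms // 1000)]

VOICE = (300, 500, 1000)           # crude stand-in for speech energy
SAMPLE_CALL = (constructed_audio(VOICE, 60) + constructed_audio(LINE_HZ, 100)
               + constructed_audio(VOICE, 40) + constructed_audio((700, 1700), 20)
               + constructed_audio(VOICE, 40) + constructed_audio((700, 1700), 60))

if __name__ == "__main__":
    for start, kind, dur in scan_call(SAMPLE_CALL):
        print(f"{start:4d} ms  in-band {kind} tone for {dur} ms")
```

A production monitor would take its thresholds and minimum durations from the signalling specification and would be tuned against real speech to limit false alarms; the values here only illustrate the purity and persistence checks.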