Jump to content


Photo
- - - - -

c5 Trunks Today


  • Please log in to reply
1 reply to this topic

#1 ic0n

ic0n

    Fear teh phone!

  • Agents of the Revolution
  • 1,210 posts
  • Gender:Male
  • Location:NPA 216/440

Posted 11 September 2003 - 09:53 PM

*note* acsii art is funked up *note*
6. c5 Trunks Today                                                    |
Written By: phractal (phractal@teamphreak.net)                        |
Written For: NPANXX010 (www.teamphreak.net)                           |
Written On: 09.10.03                                                  |
                                                                      |
______________________________________________________________________|



                                                            __    __    __
----------------------------------------------||&%;;:'.    |1  | |2  | |3  |
-Intro                                        ||&%;;:'.     __    __
-C5?                                          ||&%;;:'.    |4  | |5  | |6  |
-How can we bluebox from an SS7 served area?  ||&%;;:'.     __    _
-Packet/MF signalling translation             ||&%;;:'.    |7  | |8  | |9  |
-C5 Links Today (from US)                     ||&%;;:'.
-Dialing Direct To Seize                      ||&%;;:'.    |KP | |0  | |ST |
-Bouncing your Call To Seize                  ||&%;;:'.  
-List Of Terms                                ||&%;;:'.    |KP2| |C11| |C12|
----------------------------------------------||&%;;:'.

Ok, if you haven't heard about CCITT5 Trunks, I would hardly consider yourself an 
"international phreak". Basically, CCITT5 or System 5 is a software protocol used to route
telephone traffic. What is interesting to phreaks is that it is an INTERNATIONAL PROTOCOL,
and also it is analog. CCITT5 is the system loved by phreaks when they can get on it, 
because it is vulnerable and powerful. 

C5?

It is a blueboxable system. If you want to learn
how to bluebox it, I'm going to refer you to Echelon Magazine, which a UK zine focused on
CCITT5 blueboxing, but since it deals with international phreaking, it can be applied over
here as well. You should be able to find issues in the downloads section of TeamPhreak.


How can we bluebox from an SS7 served area?

The global PSTN, which the internet actually heavily relies on, connects various continents
and countries together with important gateways which then route to smaller offices. Each 
countries trunking throughout its land can be organized differently for differeant areas.
A common generic example is the T-1 trunks used in North America and Japan and the E-1
Trunks used over in Europe.

US country Directs

Switch software also varies from place to place around the globe. Because of this, gateways
need to be able to 'talk' to eachother and be able to translate information from digital to 
analog when necessary. An SS7 gateway has the capability of talking to a C5 system. When 
you call any of these numbers below your digital signalling from the SS7 packets is actually
converted to an analog format, into audible tones.

1-800-532-4462   China Direct (nice ringing!)
                 -Live Operator
        -they hang up on me now! I call and hear "pleep!... plip!"

1-800-235-1154   Belize Direct:
                 -Automated Menu
 	 -Press 1 for Calling Card Call
 	 -Press 2 for Collect or Operator (ask to speak to a technician)

1-800-680-7622   Palau Direct: (quite possibly routed via sattelite)
   -NCC Palau Direct Service
   -Automated Prompt for Card #, 3 tries sucka :(

1-800-680-8363   Venezuela Direct
   -Recording, but i believe asks to dial a number in spanish

Packet/MF Translation:

The tones they are translated to are commonly called MF tones which are NOT the same as on
the normal DTMF dialset. 

analog             digital        digital incoming                        analog
dial dtmf tones    SS7 packets    translated to MF digits outbound        MF tones
1-800-532-4462---->C.O.----------->International Gateway------------------>Inbound C5 system


It is commonly known that there are toll free numbers called "Home Country Directs" which
terminate in other countries. The previous numbers I gave you are all well-secured C5 country
directs. Toll free calls to other country? Pretty nice eh? Country Directs
are heavily monitored because keep in mind, they are still US numbers, the 1-800 number is
still located in the US. Thus Blueboxing off these is hard. What we are interested in are
Directs that go through a C5 link. These are clearly recognizable by their "pleep" upon
pickup and hangup. But if you find a C5 link that's only half the battle.

C5 links today:

Country Directs seem to be a waning, but ever slowly dying door to C5 boxing. They are nice
because you need to pass through a C5 link and it's totally free :) Abuse of Country Directs
has driven up monitoring and hanging up any call that passes "blocked tones" , which would be
any bluebox tones. I'm not sure if the US international gateways are doing the monitoring, or
if it is a little more specific to the number itself. I know DMS-100's have BlueBox detection
software to look for MF digits, but it isn't enabled by default. It is covered in an article
by di9ital in Ch4x Magazine Issue 5.

Most Country Directs are actually digital all the way through, to avoid any funny business to
begin with. Unfortunatly for phreaks, this means that probably calling directly to the country
rather than using a 1-800 is probably going to work out better. There are countries that are
C5 but have no 1-800 that take us there. Such as Libya and parts of Russia. 

There are even still trunks that accept incoming MF signalling INTO the United States, but
there are no outgoing stations that use analog signalling anymore. The real battle seems to
be getting into analog area when it seems like most of the gateways have been made to ensure
digital only signalling. 

Dialing Direct To Seize:

What needs to be done is different routing. Certain routes pass through C5 while others don't.
Venezuela actually has two directs, which both go to the same automated operator, but only one
goes through a C5 link, as obvious by the pleep.

+1-800-488-0058 "..Bienvenidos a servicio Venezuela Direto.."
+1-800-680-8363 "PLEEP!.. Bienvenidos...."

From some beige box experience and helping myself to dial various countries, I've discovered 
that routes are a little more variable, sometimes I go through C5, sometimes I don't, whereas
the Country Directs pretty much have set routes. 

Bouncing Your Call To Seize:

You might try bouncing your call via PBX, calling card or op that is located in another country.
Other countries have country directs as well, that are toll free as well. The US and UK directs
are pretty much brick walls when trying to bluebox today, but directs from other countries still
offer possibilities.

From Australia(CC +61) the following directs are C5:

1800881860            China Direct
1800881973            Bahrain Direct (SS7 from here) (nice ringing!)
1800881701            Russia Direct (SS7 from here) 
1800881682            Cook Islands Direct
1800881688            Tuvalu Direct

All SE'd by yours truly from the lovely Australia Telstra Direct operator.


So if you wanted to attempt to seize Russia?
First, lose your ANI for good measure, as once you reach inband trunks from overseas, 
without an ANI, it really  isn't about to be found without serious tracing methods like
tracing through electricity.

Your call would look like

______                    ___________________
| US |---------ss7------->|Australian Outdial
        (ANIF packet sent)        |
                                 ss7 (ANI of Outdial unless you diverted)
                                  |
                                 \|/
                          ___________________                  ___________________
                          |Australian Gateway|------c5-------->| Russian Gateway  |
                                              (no packets sent!)



LIST OF TERMS:

ANI-Automatic Number Identification
ANIF-Automatic Number Identification Failure, 02 is sent as ANI II digits
CCITT5/C5-Consultative Commitee for International Telegraphy and Telephony # 5
          (outdated term, as c5 is an outdated system :))
CC-Country Code
MF Digits-MultiFrequency, Audible Tones used in analogue routing, can be spoofed!
SS7-Signaling System 7, Routing sent in packet form, not audibly spoofable

Edited by StankDawg: Use the "CODE" function to maintain formatting/spacing and to ignore some source code from being executed. ;)

#2 decoder

decoder

    Very Friendly

  • Agents of the Revolution
  • 1,609 posts
  • Country:
  • Gender:Male
  • Location:New York

Posted 11 September 2003 - 10:44 PM

I thought that China Direct disconnected if you tried to seize...




BinRev is hosted by the great people at Lunarpages!