Some blueboxing tips from Ch4x magazine

[ SECTION un : Blue Boxing CCITT5 Trunks ]--------------------------------

BlueBoxing C5 Trunks (c) demos
-Turn The Other Cheek And I'll Break Your Fucking Chin-
ch4x 1998.  Canada h4xor.

[ What Do you Mean? ]-----------------------------------------------------

As we know, Blue Boxing is the procedure of emitting tones into your
phone's receiver, in order to seize a trunk, and gain the status of being
able to dial out from that trunk.  What's a trunk?  My definition for a trunk
is the virtual circuit which connects you to the rest of the COs /
telephone networks from your local CO.

>Your Home Phone ---Dialing---> CO1 ---TS---> ---CO2-->

Your Home Phone is self-explanatory.  As you dial, you are put through to
your local Central Office (CO1), which makes a trunk selection (TS), which
connects you to the Central Office where your dialed party is located (CO2).

[ But All My K-RAD Friends At 2600 Meets Say BlueBoxing Don't Work! ]-----

Well, what these elite d00dz are thinking is that you want to be boxing
trunks off your local CO.  With this being the 1990's, most CO's in Canada
run DMS-100 (Bell Canada) Switching, and do not allow blueboxing.  With
under-developed countries running old standards for their switching (CCITT5),
blueboxing is possible.

[ I Don't Want To Dial Over-Seas To Bluebox! ]-----------------------------

Well, one day, while trying to dial collect over-seas, I could not do so, for
overseas calls require a '011' before dialing.  On top of that, to dial
collect, I had to have another '0' to do so.  The string I was dialing was
0-011-Country-City-Number, which simply connected me with the local operator.
I was stumped on how to make a collect call overseas - until one friendly
Bell Canada operator told me about Home Country Direct lines, which are
inward WATS (+1-800), which are used to place collect calls.  Most overseas
countries offer these lines, which are toll free!

[ So, Now What Do I Do? ]--------------------------------------------------

Now that you understand how overseas collect calls function with inward
WATS lines, you might want to consider how you can actually box them.
Most of these Home Country Directs use old sets of standards, known as
CCITT5, which are boxable.  So, how do you find these HCDs?  Simple, dial
Toll Free directory (usually 1-800-555-1212), and ask them for the number of
the Home Country Direct for the country you feel is susceptible to Blue
Boxing.  Most countries susceptible to Blue Boxing are South American
countries (from my experience).

[ How Do I Know If This HCD Is C5?! ]--------------------------------------

Well, as you compile your list of suspected HCDs for boxing, give them a
ring.  If you hear a chirp, most likely it is C5.

[ Let's Seize These Dirty Foreigners' Trunks! ]----------------------------

I will tell you now, that I will not release delays and lengths, but I will
tell you the freqs used to seize most C5 HCDs' trunks.  From my experience,
they have been a mixture of 2400 / 2600 Hz, then a 2400 Hz freq.  Now, if you
find the lengths and delays, and get a seize, you will use KP1 to start
dialing, 0-city-localnumber then ST to stop dialing.  Remember, when dialing
off a C5 trunk, you're gonna need the C5 dialsets, which have the same
function as DTMF, but use different frequencies, and work on C5 trunks.

[ Now, How Do I Generate These Tones? ]------------------------------------

You are going to need a dialer.  I recommend :

Break Machine / Linux / http://c5.hakker.com
Scavenger     / DOS   / http://???

Both these dialers have the same interface, yet run on different operating
systems.  Read their FAQs for information on running them.  Both these
dialers offer different signalling dialsets, an HCD list menu, tone player
(in which you specify frequencies and timings yourself), timing/freq scanner,
and a dialing list.

d4 m4d gl4d, /<-r4d blueb0x0ring tipz0rz (c) phaceman
-turn the other cheek, and i'll turn your fucking asshole around-
ch4x 1999.  canada h4xor.

[ introduction ]----------------------------------------------------------

ye0w ye0w.  too many lamers are fucking around with scavenger lately, and
too few of them actually know what the fuck is going on.  i'll leave them in 
the dark.  for the beginners who actually have an idea of what a 
clear-forward and a seize is, this article will help you.

i too suffered from the pain of backne and scavenger-settings syndrome a
while back.  i had my info all set up, i knew how to use scavenger, but the
problem was the setup of volume and dialing, etc.  this should help most
canadians fix0r their scavenger dialer up so that it works for most HCDs. 
Keep in mind that this article was done quickly.  Success varies according
to your phone system as well as hardware setup.

also keep in mind that i'm not a phreaker.  what little i know about 
blueboxing i've picked up from the c5 masters of disasters around the world.
if you are a hacker, nothing is more useful to you than a kp2 trunk!  it will
make your life a lot easier, as tracing a digital-to-analogue call is harder
than a pedophile's erection while viewing the 8-year old pr0n0z.

as a sidenote.  i really didn't want to write this article.  i'm just trying
to hog more ch4x space.

[ softwarez ]-------------------------------------------------------------

there are two BIG things you need to setup in order to get scavenger working
even slightly.  they are dialing delay and volume.  +50/+50 works for 416.

A lot of nutbusters, when editing the seize-trunk tones, like to make the
volume 63 because it needs to "get through" all the way to darussalam or
wherever the fuck you're dialling.  this is incredibly stupid, because ppl
who haven't done their research don't realize that ccitt5s will take any
tone louder than 1db as bullf00kinchit.  so if you go blastin your tones
with mega-boosting to a c5 that picks up audio fairly well, you're gonna be
wasting your time.

Start with tone volume of 50.  If you know the freq/lengths are correct,
then you can go in increments to see what works, what doesn't.

i've also found that the toll-free dialing function is quite quiet, so quiet
that my lines can't even pick it up.  This could be an error in the program,
or my driver, or my cheapass soundblaster clone card.  If this happens to
you too, don't phr3t.  just dial using the touch-tone fone you have beside
you.  The c5 functions all work at normal volume, so there's nothing to be
afraid of.

[ hardwarez ]-------------------------------------------------------------

the first thing you need is a decent audio output system.  This doesn't mean
that you should go out and buy a $5000 pair of speakers.  You should,
though, ensure that you've got a high quality set of earphones.  I find that
AIWA earphones provide decent quality, at the $10 range.  Make sure that
your set comes with the (poly)foam coverings, because they aid in seizing.
In order to use your earphones, just hold them together, shove them as close
to the phone's mic as possible, and play your tones.  You can see how loud
it's coming through simply by listening to your phone while doing this.

There are a few things that you must be sure of before blueboxing.  These
small details fux0red me up for a few days before i was finally informed of
my mistakes.  *ALWAYS* turn off stereo/3D sound for your sound card.  If
not, the tones may not be evenly distributed/etc, and this will cause your

Finally, make damn well certain that you're not equalizing your sound at
all.  People who wire their output through a stereo system often face this
problem without even realizing it.  Equalizing will distort the sound, which
will cause unpure t0nez.

[ filters ]---------------------------------------------------------------

sooner or later, you will run into a c5 that has built-in filters.  this
could spell trouble for your whole damn seizing operation.  there are
several methods of bypassing filters, but only the easiest will be
described here because they're all i know.. 8)

the obvious method is to mask your tones.  There are three simple methods to
mask them:

    1. changing the tones
    2. playing side tones
    3. adding noise

the first method works rarely, but it's an easy thing to do.  basically,
your phone system (most likely a DMS-100 in canada) listens in for the rad
tones, and doesn't let them get through, if they are the almighty blue
b0x0ring tones.  To avoid this, you change the tone slightly, and hope that
they can pass.  The following substitution values work:

                |  t0nez  | try this |..or this |
                |   2400  |   2380   |   2410   |
                |   2600  |   2580   |   2610   |

These work sometimes.  You can always fiddle with the numbers, but i find
that these are the "breaking" values for DMS-100s.

The second method is to play side tones along with your seize, in order to
confuse the system.  adding 2100 alongside/before/after your seize will
sometimes turn the filter off, or mask your tones, i'm not sure which.

The final method is to add noise.  This can be done by simply tweaking the
"noise" option in your trunk-editing screen in scavenger.  Remember that if
the tone is too impure, it won't be recognized, so don't go "63" for this
feature all the time.
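
Seen from the switch side, the filter discussed in this section is a tone
detector.  The following is an added example, not part of the original article
or of any dialer it mentions: a Goertzel-based detector showing why a check at
exactly 2400/2600 Hz misses the shifted tones in the table above, while a guard
band around each frequency flags them.  The 8 kHz sample rate, 100 ms frame,
+/-40 Hz guard band, 5 Hz probe step and 0.25 threshold are assumptions chosen
for illustration.

```python
import math

RATE = 8000                  # Hz, telephony sample rate (assumed)
SIGNAL_FREQS = (2400, 2600)  # line-signalling frequencies named in the article
THRESHOLD = 0.25             # share of frame energy meaning "tone present" (assumed)
STEP_HZ = 5                  # probe spacing inside the guard band (assumed)

def tone(freqs, seconds=0.1, amp=0.3):
    """Constructed test frame: sum of equal-amplitude sines (not captured audio)."""
    n = round(seconds * RATE)
    return [sum(amp * math.sin(2 * math.pi * f * i / RATE) for f in freqs)
            for i in range(n)]

def goertzel_power(samples, freq):
    """Squared spectral magnitude of the frame at freq (Goertzel recurrence)."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_share(samples, centre, guard_hz):
    """Largest share of total frame energy at any probe in centre +/- guard_hz.
    Comparing against total energy keeps ordinary speech from tripping it."""
    energy = sum(x * x for x in samples)
    if energy == 0:
        return 0.0
    probes = range(centre - guard_hz, centre + guard_hz + 1, STEP_HZ)
    peak = max(goertzel_power(samples, f) for f in probes)
    return 2 * peak / (len(samples) * energy)

def detect(samples, guard_hz):
    """Map each signalling frequency to True if a tone sits in its guard band.
    guard_hz=0 is the weak exact-frequency check; guard_hz=40 the hardened one."""
    return {f: band_share(samples, f, guard_hz) >= THRESHOLD for f in SIGNAL_FREQS}

if __name__ == "__main__":
    cases = {"nominal 2400+2600": (2400, 2600), "shifted 2380+2580": (2380, 2580),
             "shifted 2410+2610": (2410, 2610), "speech-like 440+1000": (440, 1000)}
    for name, freqs in cases.items():
        frame = tone(freqs)
        print(f"{name:22} exact={detect(frame, 0)} guarded={detect(frame, 40)}")
```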

[ closing stuff ]---------------------------------------------------------

of course, a large part of blueboxing is trial and error.  this is something
i don't have time for, so i just leech the mad codes off demos.  if you
can't afford to do the same, then you've got some work cut out for you.. 8)
Remember that finding the breaking kodes relies on three things, really:

     1. length of 2400+2600
     2. length of delay
     3. length of 2400

you can tell if one tone worked and not the other simply by listening.  to
fully break the c5, you should hear 2 blips.  If only one tone worked and
not the other, you'll hear one beep only.

These tips, along with some patience and brains, should get you going in the
fantastical world of blueb0x0ring and make-believe.  later skaters.

