Blue Boxing Revisited - A CCITT System #5 Interpretation

by Kevin Crow

This article will attempt to teach the reader basic CCITT-5 international signaling.  More technical readers may enjoy reading the original CCITT-5 "Red Book," and can use this as a supplement.

During the time I've been working on this article, the ITU has changed the names of a few departments.  CCITT is now known as the ITU-T; however, to avoid coining new terms, I will still refer to the signaling as CCITT-5, C5, or SS5 (Signaling System No. 5).

CCITT-5 signaling is still known as the international signaling standard.  CCITT-5 is closely related to R1 signaling, a regional standard used within North America.  R1 is a highly stripped-down version: its line signaling uses 2600 Hz only, with no trunk signaling involving 2400 Hz, and I won't be discussing it in this article.  R2 signaling, another regional standard, is widely used in Europe, but I will not be covering R2 in this article either.

I have heard over and over again that C5 is no longer available for use in the United States, "since being the well-advanced country that we are" we have moved on to bigger and better things, such as CCIS, and eventually SS7, and its Digital Hysteria.  I find it amusing that the U.K. has had ISDN for far longer than we have, I still prefer vinyl over CDs, and I've been able to get near-perfect connections with C5 that sound better than the new stuff (although this is strictly medium dependent, it's still worth mentioning).  The reason I am addressing this issue is simply to remove any sort of beliefs you might have because of AT&T's propaganda over the years - boxing is possible from anywhere.

Back in 1976, when CCIS started hitting the scenes, there were many problems that immediately crept up.  AT&T's breakup in the 1980s didn't make the transition phase any easier, and in parts of the new Baby Bells (even today) you can find R1 signaling.  AT&T has since scrapped their implementation of CCIS and is now using SS7 wherever it is possible.  Do not let this confuse you however - no matter what switch you're on, or how you're being routed to/through a C5 connection, in most cases you will still be able to signal yourself.  On with the show...

C5 signaling is broken down into eleven major groups of signals.  It is with these signals that all the necessary operations and functions are executed for (almost) error-free international switching.  For two switches to communicate with each other they require the ability to send signals, as well as receive them.  They need to know which signals are being sent, and they need to know what to do with them.

For the scope of this article, let us assume that all signals sent from the originating switch are known as "forward signals," and likewise, all signals received by the originating switch (that is, sent by the switch on the other side) are known as "backward signals."  Of the eleven signal groups, six are signaled in the forward direction, and the remaining five are signaled in the backward direction.  The dialogue that happens between these two switches is really quite primitive, and therefore can be mimicked with $20 worth of parts, as in the case of the Blue Box.

Let's take a look at the signal groups:

1.)  Seizing Signal  - The seizing signal is sent in the forward direction by the originating switch.  Its purpose is to initiate circuit operation at the incoming end of a circuit.  It "seizes" the equipment for switching the call.

2.)  Proceed to Send  - This signal is sent back in response to the seize, and indicates that the equipment is now ready to receive the numerical set of signals.

3.)  Start-of-Pulsing  - Also known as Key Pulse (KP).  The KP signal is a forward signal, and it comes in two types.  KP1 is the "terminal" KP: it announces a call that terminates in the country of the incoming exchange.  KP2 is the "transit" KP: it announces a call that the incoming exchange must switch onward to another country.  The purpose of the KP signal is to prepare the incoming switch's registers and tell them what kind of call they will be handling.

4.)  Numerical Signal  - This signal is also a forward signal, and it provides the information necessary to effect the switching in the desired location.  The numerical signal includes the actual phone number of the desired location, as well as some extra information that will be discussed later on.

5.)  End-of-Pulsing  - This is also known as the Start (ST) signal.  It's a forward signal, and its purpose is simply to show that there are no more numerical digits to follow.  In a sense, at this point, the call has "started switching."

6.)  Busy-Flash  - This is a backward signal, sent to the outgoing exchange to show that either a.) the route or b.) the called subscriber is busy.  The international transit exchange sends this signal after the register association to indicate congestion at that exchange or on the appropriate outgoing routes; sending it for congestion beyond that exchange is optional.  Upon its receipt there is usually an indication to the outgoing operator or to the calling subscriber, which causes the outgoing exchange to send a Clear Forward signal to release the connection.  This signal must never be sent after an Answer signal, and only ever after a Proceed-to-Send signal (signal 2 above).

7.)  Answer Signal  - Another backward signal, this one is sent to the outgoing exchange to indicate that the called party has answered the call.  In semi-automatic working it also has a supervisory function, that is, it begins the watching over of the connection.  In automatic working it is used a.) to start metering the charge to the calling subscriber, and b.) to start measuring the call duration for accounting purposes.  Receipt of this signal also permits discrimination between the Busy-Flash and Clear Back signals.  It must never be sent after a Busy-Flash signal (signal 6 above).

8.)  Clear Back  - Obviously a backward signal, it is sent to the outgoing exchange to indicate that the called party has cleared, or "hung up."  In semi-automatic working it performs a supervisory function as well, and must not permanently block the speech path at the exchange.  In automatic working, if the calling party has not cleared within one or two minutes of the Clear Back signal, arrangements are made to clear the connection, stop charging, and stop measurement of the call duration.  It must only be sent after the Answer signal.

9.)  Clear Forward  - This signal plays a very important role in both exchange signaling, and Blue Boxing.  In exchange signaling, it is sent at the end of a call a.) in semi-automatic working when the operator at the outgoing exchange pulls her plug, or if an equivalent operation is performed and in b.) automatic working when the calling subscriber hangs up or otherwise clears.  It is also sent after the receipt of the busy-flash signal by the outgoing exchange and when there is a forced release of the connection, or when an abnormal release of an outgoing register occurs.  The Clear Forward signal must be acknowledged by a Release Guard signal under all conditions of equipment, including its idle condition (Blue Box enters, left stage).  It also may be sent from an outgoing end at any time to initiate the release of a circuit.  It is completely overriding, and it will break any other signal sequence.

10.)  Release Guard  - This is a backward signal, and is sent in response to a Clear Forward.  It also serves to protect a circuit against subsequent seizure.  It will do so as long as disconnection operations (controlled by the reception of the Clear Forward signal) have not been completed at the incoming end.

11.)  Forward Transfer  - The Forward Transfer signal is sent to the incoming exchange when an outgoing operator wants the help of an inward operator at the incoming exchange.

You may have already noticed a few laws that must exist in order for this whole procedure to work.  These "laws" are known as the "Signal Code."

I will spare you the boring drudgery of these laws, and will not go into too much detail, except where needed.

General Information on Signal Code

In the early days, you may not have heard much about the 2400 Hz signal behind the famed 2600 Hz signal, since most people were boxing domestically from within the U.S. using R1.

The 2400 Hz signal plays a very important role in international signal-coding arrangement, and for reference is known as frequency F1.  2600 Hz is known as frequency F2.

These signals may be transmitted individually or in combination, and the signal code uses that distinction: some line signals are a single frequency, while others (the Clear Forward, for example) are the compound f1 + f2.  With today's high-technology DSPs and signal generators, either form is trivial to produce, yet the specs still spell out both cases at length (an example of drudgery).

The purpose of these two tones being played in tandem (no pun intended), or simultaneously, is to increase the immunity from what is known as "false release by signal imitation."  Hopefully this doesn't include you Amiga lamers.

One of the most important aspects of the Signal Code is what happens when these laws aren't followed, or something goes wrong.  In events such as a "double seizing," F1 is seen as being transmitted by both sides.  This condition is usually detected, and according to the holy Red Book, if it persists attention must be given.  Obey your laws.

Finally, the signaling frequencies and operating limits.  I'm going to quote right out of the Red Book, since it's fast, and quick(er).  This information may or may not be useful to you:

2.3.1 Signaling Frequencies

2400 Hz (f1) and 2600 Hz (f2).  These frequencies are applied separately or in combination.

... stuff cut out

2.4.3 Efficiency of the guard circuit

The signal receiver must be protected by a guard circuit against false operation due to speech currents, 
circuit noise, or other currents of miscellaneous origin circulating in the line.  The purpose of the guard 
circuit is to prevent:

  a) signal imitation.  (Signals are imitated if the duration of the resulting direct-current pulses at
     the output of the signal receiver is long enough to be recognized as signals by the switching
     equipment);
  b) operation of the splitting device from interfering with speech.

To minimize signal imitation by speech currents it is advisable that the guard circuit be tuned.  To minimize
signal interference by low-frequency noise it is advisable that the response of the guard circuit falls off
towards the lower frequencies and that the sensitivity of the guard circuit at 200 Hz be at least 10 dB less
than that at 1000 Hz.

An indication of the efficiency of the guard circuit is given by the following:

   a) during 10 hours of speech, normal speech currents should not, on the average, cause more than one false 
      operation of the f1 or f2 signal circuit lasting more than 90 ms (the minimum recognition time of a 
      signal liable to imitation is 100 ms);

   b) the number of false splits of the speech path caused by speech currents should not cause an appreciable
      reduction in the transmission quality of the circuit.

Note: Since Signaling System No. 5 and V.22 modems (among other things) use the same frequencies,
additional tests where speech is replaced by data transmission should be performed so that the connection is
not released at the start of data transmission.

... stuff cut out

3.3.1 Signaling Frequencies

[The Publishing "error"]

Signal         700   900  1100  1300  1500  1700
1                *     *
2                *           *
3                      *     *
4                *                 *
5                      *           *
6                            *     *
7                *                       *
8                      *                 *
9                            *           *
0 (C10)                            *     *
C11 (ST3P)       *                             *
C12 (STP)              *                       *
KP1                          *                 *
KP2 (ST2P)                         *           *
ST                                       *     *

A signal shall consist of a combination of any two of these six frequencies.  The frequency variation shall
not exceed +/- 10 Hz about each nominal frequency.

3.3.2 Transmitted signal level

-7 +/- 1 dBm per frequency.

The difference in transmitted level between the two frequencies comprising a signal shall not exceed 1 dB.

...

3.3.3 Signal duration

KP1 and KP2 signals: 100 +/- 10 ms

All other signals: 55 +/- 1 ms

Interval between all signals: 55 +/- 1 ms

Interval between cessation of the seizing line signal and transmission of the register KP signal: 80 +/- 10 ms

3.3.4 Compound signal tolerance

The interval of time between the moments when each of the two frequencies comprising a signal is sent must 
not exceed 1 ms. The interval of time between the moments when each of the two frequencies ceases must not 
exceed 1 ms.

...
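Here is a worked example of the register-signal rules quoted above: an MF encoder that renders a route such as "KP2 12 415 121 ST" as telephone-band PCM using the frequency pairs of 3.3.1, the level of 3.3.2 and the durations of 3.3.3, together with a Goertzel-based receiver that decodes the samples back into signal names and ignores bursts too short to count as a signal (the register-signal cousin of the guard-circuit idea in 2.4.3).  This is an added example written for this page, not code from the article or from the Red Book.  The 8 kHz sample rate, the choice of 0 dBm as PCM full scale, the 10 ms analysis frame, the 30 ms recognition threshold and the energy-ratio guard test in _classify() are my assumptions, not values taken from the spec.

```python
import math
import struct
import wave

# Register (MF) signals from Red Book 3.3.1: each is a pair of the six
# frequencies.  Digit 0 is Code 10; Code 11 and Code 12 are the operator codes.
MF_FREQS = (700, 900, 1100, 1300, 1500, 1700)
SS5_MF = {
    "1": (700, 900),   "2": (700, 1100),   "3": (900, 1100),
    "4": (700, 1300),  "5": (900, 1300),   "6": (1100, 1300),
    "7": (700, 1500),  "8": (900, 1500),   "9": (1100, 1500),
    "0": (1300, 1500), "C11": (700, 1700), "C12": (900, 1700),
    "KP1": (1100, 1700), "KP2": (1300, 1700), "ST": (1500, 1700),
}
PAIR_TO_NAME = {pair: name for name, pair in SS5_MF.items()}

RATE = 8000                            # samples/s, telephone band (assumption)
KP_MS, SIG_MS, GAP_MS = 100, 55, 55    # 3.3.3: KP, other signals, interval
LEVEL_DBM = -7                         # 3.3.2: level per frequency
FRAME_MS = 10                          # receiver analysis frame (assumption)
MIN_RECOG_MS = 30                      # shortest burst accepted (assumption)


def parse_route(text):
    """'KP2 12 415 121 ST' -> ['KP2','1','2','4','1','5','1','2','1','ST']."""
    out = []
    for tok in text.split():
        out.extend([tok] if tok in SS5_MF and not tok.isdigit() else list(tok))
    return out


def _amp(dbm):
    # 0 dBm is taken as full scale of 16-bit PCM (modelling assumption)
    return 32767 * 10 ** (dbm / 20)


def encode(signals):
    """Render a list of signal names as 16-bit PCM per 3.3.1 to 3.3.4."""
    pcm, gap = [], [0] * (RATE * GAP_MS // 1000)
    for name in signals:
        f_lo, f_hi = SS5_MF[name]
        n = RATE * (KP_MS if name.startswith("KP") else SIG_MS) // 1000
        a = _amp(LEVEL_DBM)
        # both tones start and stop on the same sample: inside the 1 ms of 3.3.4
        pcm.extend(int(a * (math.sin(2 * math.pi * f_lo * i / RATE)
                            + math.sin(2 * math.pi * f_hi * i / RATE)))
                   for i in range(n))
        pcm.extend(gap)
    return pcm


def _goertzel(frame, freq):
    """Energy at one frequency in a frame (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def _classify(frame):
    """Return the (lo, hi) pair present in a frame, or None for silence/noise."""
    p = {f: _goertzel(frame, f) for f in MF_FREQS}
    a, b = sorted(MF_FREQS, key=p.get, reverse=True)[:2]
    total = sum(p.values())
    # demand two tones of comparable level carrying nearly all the energy;
    # this is the toy equivalent of the guard circuit in 2.4.3
    if total > 0 and p[a] + p[b] > 0.9 * total and p[b] > 0.25 * p[a]:
        return tuple(sorted((a, b)))
    return None


def decode(pcm):
    """Recover signal names from PCM; bursts under MIN_RECOG_MS are ignored."""
    n, names, cur, run = RATE * FRAME_MS // 1000, [], None, 0
    frames = [pcm[i:i + n] for i in range(0, len(pcm) - n + 1, n)] + [[0] * n]
    for fr in frames:                  # trailing silent frame flushes the last run
        pair = _classify(fr)
        if pair == cur:
            run += 1
            continue
        if cur is not None and run * FRAME_MS >= MIN_RECOG_MS:
            names.append(PAIR_TO_NAME[cur])
        cur, run = pair, 1
    return names


def write_wav(path, pcm):
    """Save PCM as an 8 kHz mono 16-bit WAV for listening or analysis."""
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(RATE)
        w.writeframes(struct.pack("<%dh" % len(pcm), *pcm))


if __name__ == "__main__":
    route = parse_route("KP2 12 415 121 ST")
    pcm = encode(route)
    write_wav("ss5_route.wav", pcm)
    print(decode(pcm))
```

The receiver rejects a frame unless exactly two of the six frequencies dominate, and rejects a burst unless the same pair persists for 30 ms, so a 20 ms fragment or a lone tone decodes to nothing; that is the register-signal version of the "minimum recognition time" the guard-circuit text talks about, and it is also why the timing tolerances of 3.3.3 matter to anyone generating these tones.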

Now that you've seen the laws behind C5 signaling, you may be interested to know that some switches show interesting "characteristics" when you break some of them.  Crossed lines and "dropping in" on conversations have been known to occur during such errors.  A wide variety of non-dialable numbers become "dialable," operators who actually know what they're talking about can be reached, and other random phreaks of nature have been known to occur.

Earlier on I sketched out the layout of the numerical signals, but never went into much detail.  Some countries have additional digits in their numerical field to represent different situations.  For instance, in time of war or serious network congestion there are usually open connection paths that are accessible through special routes.  Other countries have devised ways to allow international dialing via KP1 routes (perhaps for lower-level compatibility reasons, or for accounting).

Oftentimes there is an additional routing number that can provide extra security for abused [MCI] networks.  Having additional routes also allows companies to use a variety of pathways for connecting calls (cross-Atlantic, satellite, copper, fiber, etc).

I have heard rumors that indicate a formula exists for locating "important" customers to make sure they're routed through the cleanest way possible.  If you're getting a 1.5 second delay on your conversations, perhaps you should find another way.

On the whole, countries must have a continuity in signaling, otherwise we wouldn't be able to communicate.  As in the case of the metric system vs. America, there exist differences even in signaling (however minute).  The actual routes involving operators, and operator-assisted calls, vary (Code 11 vs. 121) but overall the damned thing works out pretty well.  I don't expect CCITT SS5 to disappear anytime soon.

Now that you've learned a little about what's been going on for the last couple of decades, you may be interested in learning a little more about the way things work firsthand.  Even without a box to generate tones, you can do a few things simply with the hook-switch of your telephone (those of you with Three-Way Calling may experience a little difficulty with this experiment).

Below are a handful of 800 numbers that are available to citizens of foreign countries while they stay in the States.  These have been termed "country direct" numbers, and can be found by dialing 800 information, or by speaking with the international division of AT&T:

     Belize: 235-1154
     Brazil: 344-1055
      Chile: 552-0056
      China: 532-4462
 Costa Rica: 252-5114
El Salvador: 422-2425
    Germany: 292-0049
     Greece: 443-5527
       Guam: 367-4826
    Hungary: 352-9469
  Indonesia: 242-4757
      Macau: 622-2821
   Malaysia: 772-7369
   Portugal: 822-2776
     Panama: 872-6106
    Uruguay: 245-8411
 Yugoslavia: 367-9841 (having trouble)

If you actually make a call into one of these countries, one of the first things you will hear is a C5 Supervisory signal.  Have the person at the other end experiment with the hook-switch (make sure they don't hang up for more than a minute or so).  You will actually hear the Supervisory signals going off and on.

As in the case of the Blue Box, people have been able to trick switches into thinking that they were another exchange somewhere off in the distance.  This is basically accomplished by dialing through a C5 connection into another exchange (which is what happens when you dial those 800 numbers) and sending a Clear Forward signal.  Because Clear Forward is overriding and must always be acknowledged, this brings the far switch out of idle mode (or whatever mode it was in).

It responds with a Release Guard signal, which tells the boxer to proceed.  The boxer then sends a Seize signal and is answered with a Proceed-to-Send signal.  This is usually the hardest part for the boxer, since the timing here is very critical: the Release Guard protects the circuit against re-seizure until disconnection has completed at the incoming end, so a Seize sent before the guard lifts will not be accepted.  Countries differ in timings and sensitivity, so what works for one country usually won't work for another.

The Clear Forward sent by the boxer usually consists of 2600 Hz + 2400 Hz (the compound f1 + f2) for 110-150 ms, followed by a Seize (2400 Hz, f1, alone) of around 150-400 ms.  Simply seizing a trunk on the other side isn't enough, however: the boxer must also know the correct routing to get the call through.

Typically, international "transit" routes are of the most interest, and the boxer may send a traditional:

KP2 (transit, i.e. an international call) + Country Code + 0 (the discriminating digit that marks automatic working; "for good luck" if you like) + City Code (or Area Code) + number + ST

Signaling numbers like KP2 12 415 121 ST will get them to an AT&T Inward operator, whose job is to talk with other operators and settle business by voice if it's not possible via direct routing.  Alliance Teleconferencing used to be a big thing in the past, and is still dialable today via Blue Box.
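The forward/backward dialogue of the last few paragraphs, with the Signal Code laws from the signal-group list enforced, as an added toy model written for this page (not from the article, and not a real switch): one incoming exchange on one circuit, and the outgoing end driven by box_sequence(), which plays the Clear Forward, Release Guard, Seize, Proceed-to-Send, KP2 ... ST sequence described above.  State names, method names and the called_party() events are my assumptions.  The rules themselves are the ones the article states: Clear Forward is overriding and always acknowledged with Release Guard, even from idle; no Seize is accepted while the guard is in force; register signals are accepted only after Proceed-to-Send; Busy-Flash is never sent after Answer; Answer is never sent after Busy-Flash; Clear Back only follows Answer; and a double seizing is detected.

```python
from dataclasses import dataclass, field

BACKWARD = {"PROCEED_TO_SEND", "BUSY_FLASH", "ANSWER", "CLEAR_BACK", "RELEASE_GUARD"}
REGISTER = {"KP1", "KP2", "ST", "C11", "C12"} | set("0123456789")


class SignalCodeError(Exception):
    """A signal that breaks one of the Signal Code 'laws' from the article."""


@dataclass
class IncomingExchange:
    """Toy model of the incoming end of one C5 circuit (assumed, not a real switch)."""
    state: str = "IDLE"   # IDLE, DIGITS, RINGING, CONNECTED, BUSY, CLEARED, GUARDED, SEIZING_OUT
    digits: list = field(default_factory=list)
    log: list = field(default_factory=list)   # ("F"|"B", signal) transcript

    def _reply(self, sig):
        assert sig in BACKWARD
        self.log.append(("B", sig))
        return sig

    def forward(self, sig):
        """Deliver one forward signal; return the backward reply, if any."""
        self.log.append(("F", sig))
        if sig == "CLEAR_FORWARD":
            # overriding: breaks any sequence; always acknowledged, even when idle
            self.state, self.digits = "GUARDED", []
            return self._reply("RELEASE_GUARD")
        if sig == "SEIZE":
            if self.state == "GUARDED":
                raise SignalCodeError("seize while Release Guard still in force")
            if self.state == "SEIZING_OUT":
                raise SignalCodeError("double seizing detected")
            if self.state != "IDLE":
                raise SignalCodeError("seize on a non-idle circuit")
            self.state = "DIGITS"
            return self._reply("PROCEED_TO_SEND")
        if sig in REGISTER:
            if self.state != "DIGITS":
                raise SignalCodeError("register signal outside the digit phase")
            if not self.digits and sig not in ("KP1", "KP2"):
                raise SignalCodeError("numerical signals must begin with KP")
            self.digits.append(sig)
            if sig == "ST":
                self.state = "RINGING"        # no more digits: call has 'started switching'
            return None
        if sig == "FORWARD_TRANSFER":
            return None                       # summons the inward operator; no line reply
        raise SignalCodeError("unknown forward signal " + sig)

    def called_party(self, event):
        """Events at the far end: 'busy', 'answer' or 'hangup'."""
        if event == "busy":
            if self.state != "RINGING":       # never after Answer, only after PTS
                raise SignalCodeError("Busy-Flash outside ringing")
            self.state = "BUSY"
            return self._reply("BUSY_FLASH")
        if event == "answer":
            if self.state != "RINGING":       # never after Busy-Flash
                raise SignalCodeError("Answer outside ringing")
            self.state = "CONNECTED"
            return self._reply("ANSWER")
        if event == "hangup":
            if self.state != "CONNECTED":     # Clear Back only after Answer
                raise SignalCodeError("Clear Back before Answer")
            self.state = "CLEARED"
            return self._reply("CLEAR_BACK")
        raise ValueError(event)

    def release_complete(self):
        """Disconnection finished at the incoming end; the guard is lifted."""
        if self.state != "GUARDED":
            raise SignalCodeError("release_complete without Clear Forward")
        self.state = "IDLE"

    def seize_outward(self):
        """This end starts its own seizure (used to show double seizing)."""
        self.state = "SEIZING_OUT"


def box_sequence(ic, route):
    """The re-seize described in the article, driven from the outgoing end."""
    if ic.forward("CLEAR_FORWARD") != "RELEASE_GUARD":
        raise SignalCodeError("no Release Guard")
    ic.release_complete()                     # the timing-critical wait
    if ic.forward("SEIZE") != "PROCEED_TO_SEND":
        raise SignalCodeError("no Proceed-to-Send")
    for sig in route:
        ic.forward(sig)
    return ic.called_party("answer")


if __name__ == "__main__":
    ic = IncomingExchange(state="CONNECTED")   # the answered country-direct call
    box_sequence(ic, ["KP2", "1", "2", "4", "1", "5", "1", "2", "1", "ST"])
    for direction, sig in ic.log:
        print(("-> " if direction == "F" else "<- ") + sig)
```

Skipping the release_complete() call in box_sequence() makes the Seize raise, which is the model's version of the timing problem the article describes; the same model shows why the incoming exchange cannot tell this re-seize apart from a legitimate one, since in-band signaling gives it no way to check who is on the other end of the speech path.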

I am not happy to say that Blue Boxing has gone into the wrong hands.  Like all good tricks, they eventually become harder and harder to do until eventually they disappear - well, almost.

Kids from all around the world have used the Blue Box for their own amusement, making calls to girlfriends they'll never meet, and to "warez" boards to do some software pirating.  Even the great people who were at Apple Computer have been known to have played their part in releasing the beast.  Now that the technology has fallen into the lower echelons, countries have had to make adjustments to their systems to combat these problems.

The German Telecom has spent many marks on British Telecom "filters" that they've placed on C5 connections to try and stop some of the chaos - nice try.  (The Germans have already figured out long ago that the systems on the other side will actually perform just fine out of spec, and, for example, instead of sending a 2600 Hz or a 2400 Hz signal, they'd send a 2650 Hz or a 2450 Hz - right out of the filtering bands.)

Slowly things are moving toward SS7, where the signaling is carried out of band on a common channel instead of in the speech path, so there is nothing for a tone generator on the voice circuit to talk to.  By the time C5 is completely scrapped, there will probably be new ways to approach this blue box mystique.  I haven't even begun to cover R2 signaling, which yields much more fascinating results (faking ANI, billing to others), but unfortunately it is out of the scope of this article.

Maybe next time kids.
