Analogue Signalling Systems - An overview by NeonDreamer ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Why only analogue? Why not digital? Well let me tell you now, the number of phreaks who know more than '.' about digital signalling over ISDN lines is next to nothing. I don't know much myself, let alone how to exploit it, so I'll restrict my ramblings to what can realistically be played with. Firstly a note on naming conventions. Most of us are used to dealing with American texts, and we are used to signalling systems be referred to in terms of their CCITT code. The UK has their own codes SSAC and SSMF for describing signalling. For ease of use I'll stick to what we are familiar with - CCITT conventions. If you need to know the equivalent UK code refer to the table below. CCITT UK 4 SSAC4 5 SSAC10/SSMF1 Non CCITT standards will be referred to in the UK style. OK, before the good days of auto switching and subscriber trunk dialling (STD) all trunk switching was performed by operators on Strowger or related equipment. Inter-exchange signalling was performed by the operators. Obviously an automatic network needs to perform a number of functions. 1) It needs to signal the exchange to connect caller A to recipient B 2) It needs to supervise the call 3) It needs to give caller A feedback (ringing tone / engaged tone) 4) It needs to bill the call Signalling data can be transmitted as pulse breaks, tones or binary. The following methods are still used today: 1) Level and direction of current (in 2 wire DC systems) 2) Pulse duration (DC) 3) Pulse combination (DC) 4) AC signal frequency 5) Frequency combination 6) Binary Signalling across local lines has evolved from two-wire DC systems - except ringing current and standard tones. Tones were initially produced electromechanically as follows: Ringing tone 133Hz interrupted Engaged tone 400Hz interrupted Out of order 400Hz continuous Ringing current 17Hz ( @ 75V ) Probably what we are all familiar with in the first instance is called loop disconnect calling. Anyone who ever used a rotary fone as a kid (and even on crappy payfones now) will remember the 'click click click' that signalled the numbers to the exchange. Remember when you first sussed that the number of clicks indicated the number you had dialled? Remember when you found out that by tapping the handset rest you could dial a number without using the dial? Did you ever wonder how it worked? For the sake of completeness - here is the answer. When a fone is off the hook, it allows DC current to flow through it. When you dial, you interrupt this DC current at 10 pulses / second (3 pulses for a 3, 10 for a 0 etc.) - hence the term loop disconnect calling - you dial by momentarily disrupting a DC current flow, only flowing off hook. When your call is answered the recipients exchange reverses the direction of current flow. Correct dialling using this method is achieved by disrupting the DC current for 66.7 ms with 33 ms between pulses indicating the same number, and a >400ms of DC flow between pulses indicating a different number. DC signalling is limited distance wise due to the resistance in copper wires. Consequently due to the relatively high power requirements other signalling systems have been developed. DTMF dialling and electronic exchanges give a greater signalling speed. The DTMF frequencies used are listed below : Digit Frequencies (Hz) ~~~~~ ~~~~~~~~~~~~~~~~ 1 697 1209 2 697 1336 3 697 1477 4 770 1209 5 770 1336 6 770 1477 7 852 1209 8 852 1336 9 852 1477 * 941 1209 0 941 1336 # 941 1447 In payfone systems the call charging signal is a 50 Hz common mode or longitudinal voltage in which both wires of a two wire pair are driven in phase. Blimey, we're only just on to analogue signalling. Hang on and bear with me.... Between network switching centres parallel signalling is used in the form of AC signals which may be single frequency (1VF), dual voice frequency (2VF) or multifrequency (MVF). The system has evolved from SSAC9 (1VF) in the 1950's the identically featured, but transistorised 1980's version. Part of the adaptation has been from 2-wire (metallic pair) to a 4-wire system. SSAC9 uses the 'magic' 2280Hz signal frequency. This was exploited by phreakers in the good old days and it is nothing more than a historical curiosity now... Multifrequency signalling is now the standard. In our system an out of band signal of 3825Hz is used for supervisory purposes - and enables continuous supervision. This is due to a CCITT recommendation (Q351) and is referred to as R2 signalling. This is the system of signalling that '3l33t3' phreaks have taken to playing with... So here are the signals used : | ______Direction______ Condition of circuit | Forward Return --------------------------------------------------- Idle | Tone on Tone on Seized | off on Answered | off off Clear back | off on Released | on on or off Blocked | on off CCITT4 is an end 2 end signalling system using 2VF and two tones : 2040Hz (from now on read 'x' [binary 0]) and 2400Hz (from now on read 'y' [binary 1]). It is used for line signalling and interregister signalling (with serial transmission in binary). Consequently a 4 element code in binary gives 16 characters. 10 of these are for digits and four are supervisory. These are given below... 1 2 3 4 1 y y y x 2 y y x y 3 y y x x 4 y x y y 5 y x y x 6 y x x y 7 y x x x 8 x y y y 9 x y y x 0 x y x y Call operator code 11 x y x x Call operator code 12 x x y y Spare code x x y x Incom. half echo sup. reqd. x x x y End of pulsing x x x x Spare y y y y OK - now each line signal is prefixed with a signal called 'P' followed by a control element ( x or y ). The prefix is a combination of both frequencies and the control element plays its constituent tones consecutively with the durations as follows : P = 150 +- 30ms (2040Hz/2400Hz) x and y = 100 +- 20ms There are more supervisory signals too which use X and Y which are 350ms +- 70ms. So signalling in the forward direction we have : Terminal seizing PX Transit seizing PY Digits Shown in above table (are you paying *no* attention?) Clear forward PXX Forward transfer PYY and in the backward direction we have : Proceed to send X International transit Y Engaged PX Answer PY Acknowledge P Phew (that's all for CCITT4). To find better explanations of the operator codes finish reading the next section (CCITT5) and then go and get some deeper articles on signalling (2600 have an excellent CCITT5 article - I'll Xerox a copy for anyone who is interested). CCITT5 is the system most abused by phreaks. This system is generally abused over international 'country direct' lines. 0800 numbers connecting you to a foreign operator - which gives you the chance to break their trunk, seize their line and control their system (yeah!). The definitive guide to BlueBoxing CCITT5 is on my (growing) list of projects, I have read the rest and will write the best both technically and practically ;-) CCITT5 is a 2VF system using 2400Hz / 2600Hz for line signalling on a link by link basis. Interregister signalling is 2MF (2 out of 6 frequency type). The 6 frequencies are spaced 200Hz apart from 700Hz to 1700Hz. In the USA a similar, but not identical, system is used (R-1). The CCITT5 code is : Digit Frequencies 1 700Hz 900Hz 2 700 1100 3 900 1100 4 700 1300 5 900 1300 6 1100 1300 7 700 1500 8 900 1500 9 1100 1500 0 1300 1500 The supervisory tones (ie the useful ones!) are: Prefix digit sequence 1100Hz 1700Hz End of digit sequence 1500 1700 Operator code 11 700 1700 Operator code 12 900 1700 700 1100 Payfone coin control 1100 1700 700 1700 Final point - there is a modified CCITT5 system floating around which uses a 2 out of 6 MF signal, but has two different sets of frequencies for forward and return signalling. The tones are spaced at 120Hz from 540Hz to 1980Hz. NeonDreamer '95 (just)