Telco Inside - Click here to print this entire page Check out our Yahoo group: Files - Photo-Gallery - Links - Calender - Discussions - MORE...

The SARTS BlueBoxing journal
  Hi, Iam SARTS, Cuebiz's pet Yorkshire Terrier and the official mascot of Telco Inside. You see, Cuebiz thought it would be funny to have a dog type up infoz on blueboxing and I didn't want to do it until he threatened to stop feeding me bacon and hotdogs, so here it is; you fucking HOMOsapiens!

For the n00bs
  The year is 1955, when the Bell Technical Journal published an article entitled "In Band Signal Frequency Signalling", which described the process used for basic routing, and hanging up trunks for the (back then) current signalling system; R1. In the year 1964, TBTJ published the remaining half of its "key ring" by releasing the frequencies used for hanging up, and routing long distance calls.

  This article was ment for use by Bell techs, though they hadn't realized that 90% of the US engineering schools also had subscriptions to TBTJ. In 6 months time, they recalled all issues; with hopes that noone took notice to their mistake ....

  A year later, Bell engineers were sent over to Washington State College; to investigate a massive ammount of lengthly calls being made to an "out of area" WATS number. Upon arrival they discovered ... a strange device with a blue metal chassis connected to a public payphone;. The device was later nicknamed the "Blue Box" .... Read more about this here

  Then, in November 1988, The CCITT (now known as ITU-T) published recommendation Q.140, which goes over System No. 5's international functions, and once again giving away its "secret key".

  When making a call in the 60's, you would actually be able to hear your exchange talking to your buddy's exchange when making a long distance call (ie: via WATS or direct dial), and the theory is: If we can hear it, we can try to imitate it. This is the basic idea that brings about blueboxing.

  Now, the basic principle with R1 signalling was that when a trunk was NOT in use, it whistled at 2600hz, or 2600 cycles per second. The exploit is obvious from here.

  If one could find a way to imitate the 2600hz whistle, then he'd would be able to trick a long distance trunk into thinking that the other person on the line "hung up". Now, by releasing the tone, the trunk will hear silence - and think that its once again "in use" and ready to route another call.

  From there, the "blueboxer" is in fact, his own operator. Free to route calls via terminal or transit as he/she wished (please note that this was obviously before the creation of ESS).

  System R1 was exploited up right until Ron Rosenbaum's Esquire article was published, it's available for you to read @ Http:// Of course, abuse sky-rocketed, which forced the telco to take action with its "secret weapon", CCIS, also known as Common Channel Interoffice Signalling, specifically SS6. This in turn killed system R1 exploration in the US except for several remote areas (which was later killed off in the late 80s).

The ReBirth
  In the late 80's - early 90's - trans-atlantic cable routes were publicly available and fairly common, the US switched from SS6 to SS7 connections (our current signalling system) which gave us fast, clear, and totally "unboxable" lines. This also brought about new advances in the telco; and they started to intigrate Home Country Direct WATS numbers, which allowed the US to have WATS numbers directly routed to other countries with different types of transit signalling systems, of which 90% were analogue (similar to R1, in the sense that signalling takes place via voice). This opened up a new way to blue-box for *FREE*.

1. The US (or whereever) gateway would first seize a trunk (2400hz) to start routing; the recommended seizure time is approximately 125ms. Once a trunk has been seized, the remote switch will respond back with a "proceed to send" to prompt the US gateway to start sending route information. The address information is then send to tell the international switch where to route the call ... Once the international switch hears an ST, it routes the call. You'll then get an audible cheep upon answer, of which the US international gateway would acknowledge

2. This is when speach takes place. The guard circuit "listens" to makes sure that the call wont end prematurely if someone accidentally whistles into the line or something.

3. If *they* hang-up, the remote switch will send a clear-back signal to tell the US switch that the caller on its end had hung up and so the call has ended. The US switch would then audibly acknowledge it. The US switch would almost immediately try to "clear" the trunk by sending a "clear-forward" to tell the international switch that the trunk is now free, and then the international switch would respond back with a release guard and set the trunk to idle (it can once again be seized).

System No. 5 synapses
  C5 is one of the most affordable, versitile signalling systems in the world today, as well as the worlds MOST used system for intercontinental operations. It allows for interworking between regional systems such as R1 and R2, while also being able to encode/decode digital (SS7) via transit with D-CCITT#5. To prevent false release - it intigrates (strongly suggested since the updated CCITT #5 recommendation) the use of a release guard tone to be sent in comound with the clear forward - something that is unique to System No. 5. Its also able to turn PCM with neat little add-on's such as DSU600-type platforms. Setup and take-down of trunks are unbelievable when taking into consideration that its an analogue system.

  TASI clipping can be bypassed, BLV trunks are able to VFY via transit, digits are sent in the forward position (with the exception of C5-bis) with 55ms durations and spacing that varies between regions (areas in Zone 1 tend to use faster dialings; commonly being 80ms).

  Dialing is exactly the same as System R1, but with a Transit signal (kp2), a Code-11 signal (INWARDS), and a Code-12 signal (Directory Assistance op) used for faster routing. Routing is also done similar to System R1 (able to route via cable/sattelite/microwave/or radio with its descriminating digit) except for the fact that you can route intercontinental with kp2, and reach operators with C11 and C12.

  C5 connections tend to use a broad spectrum of other signalling systems when being converted to digital. By far one of the most interesting was when Dynamics explained the old route from Belize to the US. Which went through a bunch of DMS-100's then to the national gateway via SS7, then using an R1 connection to the 5ESS international switch which was then encoded to a digital C5 connection going to the US. *sigh* C5 being used in its prime, how friggin beautiful. (unlike the US who has the same boring SS7 routes and then finally a digital C5 Belize link in Miami, bleh - boring!). The C5 dial-set and control chart is put together below:

[screenshot-bluelink.jpg] BlueLink v1.1 by Ramses III
  This isn't a very popular dialer. Slut139 bought this very program back in '95 from Urmel and we haven't seen it online since. The tones are displayed as they are sent to your sound card (works excellent on my Adlib sound card), which isn't a very bad idea; it has a nice dialing speed that works great with today's faster (*cough* *cough*) c5 trunks. The bad thing about BlueLink is that it was made for private use in the early 90's - so it only supports two tones being played at once (ie: the recommended ccitt5 standard seize/clear) which is a bitch to use on #s that require a guard tone. If anyone has a higher version please email me at

[screenshot-scavenger-dial.jpg] Scavenger dialer by Scavenger
  This is yet another rare gem that seemed to have faded away along with the pstn-bbs scene. It was written in the early 90s and went through three previous versions. It has a scripting language three times better than BlueBeep, it has a timer that allows you to run scripts at a specified time while working in the Scavenger GUI, it has the ability to dial your c5 number (wats/direct dial) without having to change your dial-set (anything in the "toll free numbers" section will be dialed with DTMF and everything else is dialed with c5 dialing), it by default lets you use c4 dial pulsing (more tones), it has a program to convert TLO/BlueBeep phonebooks into Scavenger format,

its compatable with several THC products (Hi Van Hauser!), and it has a feature to log your break tone actions. I know some of you are thinking, wtf am I going to do with a logging feature? Well, here's a scenerio that's happened to me at least twice, you finally get a line to double pleep back, but being the curious phreak that you are, you change the tones/durations to look for a better seize and find that the first sieze is the only one that'll get the line to even respond back, you look through your "trunks" to find that it isn't there and you can't remember the old sieze! With this logging feature its bound to save your ass at least once. Volume and speed isn't a problem - even from my old shitty laptop with a 100mhz processor, If you can get this to work, I advise you to use it!

Scavenger Drawbacks: This would be the worlds best dialer if not for several important things. 1. I can't get the breaktone to work - AT ALL. I dont know about you, but its very important that my bluebox program actually be able to bluebox (It does dial c5 digits, and DTMF and the scripting language works like a dream). 2. The GUI is kind of cluttered, its good that Scavenger was able to fit all of this into a nice and neat GUI, but its just my personal preference.

Telekom Bluebox System -BKA- German Bluebox
  Some of you may remember this program. Its neat, simple and to the point. This one works perfectly on my Adlib card (iam starting to see a pattern here), so anyone can use it. Everything is squished into 5 options, you're either breaking, dialing, or choosing/entering a number for the phonebook. The words are in German; which makes it easier for our german/english bilinquals. For those of you who NEED to know what it says, it roughly translates to:"Telecom BlueBox System - A new service of the german Ptt Administration-telecom; 'A' for present; 'W' for select; 'V' for directory; 'E' for input number; and 'Q' for quit ;)

MF Dial version 1.0~beta by Vic
  MF-Dial has a simple UI, it DOES break a line that uses typical c5 break tones. I dont recommend using it unless you're forced to. It works fine with my Adlib sound card, allows manual dialing (I dont know why, but it does), and isn't half bad compared to other bluebox programs. If you want, make a boot-disk and run this off that old DOS laptop you bought off of ebay. Take it to a payphone - and if you get chased by a curious telco security agent, just ditch/destroy the disk (in a nut-shell, its small enough to fit uncompressed on a 1.44mb floppy; with enough room for your DOS startup files).

The Little Operator - TSPS for the masses! By Urmel
  Just like BlueBeep, TLO has several 100 # phonebooks, allows use of the mouse, has a nice interface (well, not better than bluebeep, but better than most) - allows the production of purple noise, war-dials, frequency scans, includes a timer (for no real reason - but it looks cool that way!), multiple dial sets, and it follows the common format (A=Kp1 B=Kp2 C=ST) that we all have come accustomed to. If you dont want to use BlueBeep because you hate Onkel Deitmeyer, then use TLO - it'll give you almost the same funtionality - and a bonus for the lazy people; purple noise!

TLO drawbacks:
  It doesn't have its own scripting language, which drastically limits its capabilities (a program this good should have its own scripting language) and at higher speeds - it skips digits (same problem with BlueBeep). I like the ability to change your volume level, and the coolness of the purple noise feature; if you can't get can't get Scavenger to work, and dont like BlueBeep - TLO is the best.

Tank4 Dialer by Tank4
  This dialer was made for personal use, but was sold to Cuebiz in '98 for about 50 US cents. It works great with my adlib sound card and even worked on a Windows[tm] 3.1 box, which has a software based sound card. So I guess it varies from machine to machine whether it'll run through Windows. Its great for Kp1'ing into Venezuela CompuServe because it comes with its own full featured Terminal program (or you could use it to shell to DOS and use your own Terminal program, yes it lets you shell to DOS!), you can edit your modem commands if need be, it allows up to 5 simultaneous tones, which means you can utilize c4 dialing, and it has an easy to use frequency scanner (sweeper) that any idiot could run.

If you're on LYNX or didn't look at the screenshot to your left, then you'll need to know that this program DOES have its own phonebook which is pretty cool. You wont be able to transfer it to any other program like BlueBeep, Scav, or TLO which kinda sucks; but the program itself is awesome.

Tank04 Dialer drawbacks: The default c5 dial-set was too SLOW, and had to be modified for re-release on Telco Inside (not purposly, but I had to use it to review it, right). When looking at timing, you'll notice that "50" doesn't literally mean 50ms; but rather just Tank4 timing standards, so it'll take a bit of fiddling around to figure everything out (it could be because of the shitty 100mhz processor Cuebiz gave me to work with, but I could be wrong). I had to add my own break-tone, because Tank04 didn't include an average c5 break string. This program is nice and made for calling Venezuela country direct.

P-80 Box by The Researcher
  Though it looks like this box was made in VB-DOS, it isn't as fancy as it looks like. It doesn't have it's own phonebook, it doesn't have a scripting language, it was made mainly for System R1 dialing (you're CCITT5 break, is labeled "European Break"), it uses different standards for representing the C**, KP*, and ST digits (K=kp1, p=kp2, E=c11, T=c12, and S=ST) and it's US specific (ACTS) when it comes to its red-box capabilities. Its strange; but able to make a decent call to an average c5 line (since you can't change the break tones). You enter the dial-string and press enter. You can then watch the magic happen.

On the plus side: If you dial into a country that uses R1 as its regional signalling, then you could BlueBox locally (within that country) and try out those ol' GreenBox tones (why not? They're in the prog, right?).

[screenshot - bluebeep.jpg] BlueBeep V1.0 by Onkel Deitmeyer!
  We here at Telco Inside like BlueBeep, for several reasons. We like the interface, we like the programmer, we like its recommended sound card (Adlib beey0tch!), we like its GUI, and of course - we like all of the goodies that BlueBeep has to offer (including v1.0's .exe overlay system). Its gone through three previous versions and I personally love all of them! It supports the use of the mouse (*sigh* alas ...), has its own "not-so-bad" scripting language, has its 100 # phonebook interchangable with TLO (Urmel, admit it - you did use BlueBeep's phonebook routine), and has all the tones that'll bring you closer to a 10 year sentence ;) What is this I hear? You dont want to take a 10 year vacation with your new boyfriend, Bubba? Well, Onkel thought

of covering your ass with BlueBeep's password protection system. Now what other evidence will the pigs have besides that fact that you have BlueBeep on your computer? Have BlueBeep questions? Check out BlueBeep's ueber-leeto help files! Dont forget to read the cool stories in its HoHoCon release and V1.0!

BlueBeep drawbacks: It's scripting language is rather general, which stops users from getting specific with it (clear_screen doesn't clear the screen!). "Flight through space" should of been put as a DOS "screen-saver", but I guess thats just Mr. Deitmeyer's personal preference as to not crash a DOS screen in Windows[tm]. It can only handle 3 simultaneous tones, which is good for guard tones but makes it unable to utilize c4 dialing. At faster speeds, BlueBeep skips tones (c5 dialing) and causes calls to be hung up or reordered - this often kills me when I finally get two pleeps from a line I've been playing with for days. Besides, that - BlueBeep is the WORLD's BEST software bluebox, EVER!

Blue-Dial v6.2 by Casanova
  This program is fairly popular. Its been through 3+ versions, and each time, its GUI changed. I'd like to thank Casanova for confusing me like that. It was a blast finding a new interface each time. I like this program because it allows you to CHOOSE what kind of sound card you're using, which really makes support better than others. Another good thing about it is, its one of the few that actually (by default) has a working break-tone with perfect, CCITT5 standard timings. As you can see, I tried this on Venezuela to see if it works and it does (at times) when you dial in direct. It supports multiple dial-sets/trunks and has a well thought-out help

menu system. The phonebook lay-out isn't that bad either, ie: you can dial a number by just hitting a key on your keyboard, *BUT* one big drawback is that the display on this program is really distracting ("it flashes Blue-Dial v6.2" -then- "Please help me to improve BlueDial"). Its a good program, though - its just distracting. Now, all of you LYNX/command-line people; dont download BlueDial v6.2 *JUST* to find out the numbers for Venezuela CompuServe carriers (*hint* *hint*).

WhiteBox v11 by Quasar/Liberty
  You didn't think I'd forget the loyal Amiga users, right? I decided to throw up some of the old Amiga programmes that I had hiding on disks; since the only "popularly" distributed Amiga phreaking progs on the net are either HellsHacker (*NOT* a phreaking prog - why are there tons of people distributing this as a "kick-ass phreaking program for the amiga"?), or those stupid DTMF-only dialers. I recommend using this with older Amiga OS's because it looks fucked up on mine. It supports manual dialing of both DTMF and CCITT5, has a decent phonebook, and has premade break tones. I personally dont like it, the layout looks cluttered.

Dial-o-Mat by Jolly Roger
  I dont think you'll find this program on the internet anymore. I got this off of Innuendo BBS, which I doubt is still running. It supports 8 tones played at once (Amiga, remember?) Has the option to show the tones in plain text, has 20 phonebooks, comes with pre-made dialsets (c5, dtmf, c4, and "B-Netz"?), has a WORKING spectrum analysis tool, and it even works well with modems (*cough* Venezuela compuserve *cough*) - allowing you to configure your own baud rate, pickup, hangup and answer modem commands. Just like above, I haven't gotten around to trying this out - seeing that I dont want to lug my Amiga across the street *just* to see if it'll work on China Direct.

Note: These are all the Amiga dialers that I have right now, if you still have copies of Arrested Dialer Workshop, Cdial or the like - send 'em on over to me @

Conferencing, BLV/EMER-INT, and other "tricks"
  Now, common knowledge: CCITT5 signalling cannot send CLID, ANI, or DNIS information because it wasn't ment to use the ISDN "D" channel or rather ISDN via international. So, this in general causes an ANI-Failure upon calling US operators or anyone able to read/forward ANI. So, this will allow you to fake out AT&T once again - and spoof your ANI. By requesting an op-divert to a non-WATS conference setup operator (Iam not giving out numbers, fool!) - you'd be able to bill the call to an enemy and also have them catch the bill for the conference (only if they dont do call-backs, if they do you'll have to use the next method). OR, if you're really good at social engineering - you could ring up the "local" line that gives you the AT&T conference operator and set it up that way (as an operator).

  BLV or Busy Line Verification is a treat that system R1 phreaks had a little fun with. You'd bluebox to an area's INWARDS op and tell her you need a busy line interrupt on xxx-xxxx, she'd then punch out VFY+kp1+[BLV screening code]+[prefix]+[suffix]+ST and then be able to hear gargled noise if the line was in use and silence if it wasn't. It was cool, and even better when you got them to interrupt the call. The bad thing about *that* method was that you'd have to talk to an op. You could still do it by KP2'ing into the US as an operator, BUT thanks to NynexPhreak we're able to do TRANSIT verifies. It was found that seizing a c5 BLV trunk was just the same as seizing any other trunk - except a third tone was to be sent with your clear forward (280hz, 240hz are norm) that would elavate you to VFY status. Routing would then go Kp2-CC-0-[npa-prefix-suffix]-ST with Kp2 and STart being sent at 115ms and each digit being sent at 95ms. If the line is busy you'll hear "rubbish-noise" and if its not, you'll hear silence.

  Emergency Interrupt on system R1 would still have to be done through an INWARDS/TSPS op, which was cool when you got it to work. On c5 trunks, you'd BY-VFY a line then use 440hz to "call intercept".

  Route a call around the world (reorder several trunks) to the payphone next to you. Thats right! This was last done in the 60s - and now you can do it just like the Captain. Please note that I dont recommend that you do this because you'll really piss people off. This was known as "trunk stacking", which is really just seizing multiple lines and stringing them together. This is pretty cool, because this'll allow you to be totally anonymous when hitting the last "link" (*hint* *hint* it'll take the pentagon a while to find you). You'd start off by calling a country, seizing a trunk, then calling another country with a different duration seize. You could do this forever and then finally kp2 to the payphone next to you. The voice-delay time should sound pretty interesting (ie: say "who0t" into one payphone and wait for it to reach you on the other one as "*static* ........... *static* who0t").

Note: My buddy NynexPhreak first PUBLICLY released information on c5 BLV trunk seizing in '99 (though it was rumoured through the underground for months before); so he deserves the credit.

Area code / Prefix changes
  Within the past two years, there have been area code and area prefix changes that usually screwed up someone trying to kp1 calls into the country or trying to get an international sender. Two countries of which this has happened are Slovakia and Honduras. Here's how everythings setup now:

Slovakia Location Area Code
Bratislava 2
DunaJska' Streda 31
Trene'in 32
Trnava 33
Senica 34
Nove' Za'mky 35
Levice 36
Nitra 37
Topoe'any 38
Zilinia 41
Povazska Bystrica 42
Martin 43
Liptovsky' Mikul'as 44
Zvolen 45
Prievidza 46
Lue`enec 47
Banska Bystrica 48
Presov 51
Poprad 52
Spisska Nova ves 53
Bardejov 54
Kosice 55
Michalovce 56
Humenne' 57
Rozoava 58

Nicaragua (505) Area Code
Boaco 54
Chinandega 341
Diriamba 4222
Esteli 71
Granada 55
Jinotepe 41
Leon 311
Managua 2
Masatepe 44
Masaya 52
Nandaime 4522
Rivas 46
San Juan Del Sur 4682
San Marcos 43
Tipitapa 53

Belize (501) Area Code
August Pine Ridge 3
Belize City 2
Belmopan 8
Benque Viejo Del Carmen 93
Blue Creek 3
BurrelBoom 28
Caye Caulker 22
Corozal Town 4
Dangriga 5
Guinea Grass 3
Hattieville/ Tropical Park 25
Independence 6
Ladyville 25
Orange Walk 3
Patchakan 4
Placencia 6
Progresso 3
Punta Gorda 7
Sand Hill 25
San Estevan 3
San Ignacio 92
San Joaquin 4
San Jose/ San Pablo 3
San Narciso 4
San Pedro 26
Sareneja 4
Spanish Lookout 8
Stan Creek 5
Yo Creek 3

Honduras Prefix change

* Note: Added Belize and Nicaragua area codes for further reference, more will be posted when asked.

Why is my HCD call routed SS7, through VA or MO?
  Iam assuming you're talking about all AT&T country direct routes, which as of '98 (actually it only RECENTLY started becoming a pain in the ass) are routed via AT&T's International Call Services. This little bastard was created to have WATS numbers terminating in other countries monitored 24/7, as along with setting up better connections (ie: SS7) to international countries. So, all countries joined into this alliance (*ahem* I mean, subscribed to this service) will 99% of the time be switched off to SS7. Who's signed up? KDD (Japan), Singapore Telecom, AT&T-Unisource, Telstra (australia), NZ Telecom, Alestra of Mexico, HongKong telecom, AT&T Canada, Korea Telecom, Philipines PLDT, Bezeq International (Israel), CHT-I (Taiwan), CAT (Thailand), Telekom Malaysia, Indosat (indonesia), Telebras of Brazil and VSNL (india). Does this mean bye bye, c5 philipines? Uh huh :(

  Want proof? By looking up Philpines direct in AT&T's anywho database, you'll notice that you'll get "Philipines Country Direct via Philco - Reston, VA 20190 TF", TF meaning Toll Free. Hrrrm. Its located in Virginia, but yet when calling it at 2am, the ringback isn't US standard (420Hz modulated by a sine wave of 25Hz played for 2 seconds - 4second silence - then recycle). Why? AT&T's International Call Service Summit is located in Reston, VA - so; all calls go through this gateway for monitoring, then via SS7, its sent off over seas. In MO, Iam not 100% sure where its call service summit is located, so I've narrowed it down a possibiliy. A CLEC in Blue Springs run by SW Bell (Verizon) located at 300 S 15th st

  Other lines that route through VA (besides the obvious mentioned above) are Belize (still c5?), Hungary, and Turkey. Lines that route through Montana are calls going to Croatia, Czech, Baharain, and Fiji. Of all these lines, the only one that gives a c5 route is Belize. If anyone has a real, CONFIRMED answer as to whats up with the MO route, email me about it - because Iam really curious here.

Why do you care about routing?
  Some times, you'll encounter problems and wonder why. You'll start to realise that blueboxing is much like hacking "blindly". You dont know the location of this switch (well, except what country its in), and you dont know how you got from point A to point B. Cable and sattelite routing is an essential lesson that you'll slowly learn by reading, and talking to other phreaks. When traveling through these intercontinental connections, its important you know how it all stacks up. Below is a map out of sattelite and cable links.

[cable/sattelite map], click to enlarge or LYNX download
World map, up to date as of '99 (this is a map *just* to start you off, some things have changed)

Africa One cable map, for those of you who kept asking for it

Questions and answers

Whats TASI clipping?
  T.A.S.I was made to clear up intercontinental idle trunks when voice isn't passing through. So, lets say that you call up your friend in China where TASI clipping is enabled and you stop talking for about 4 minutes, it uses "your" trunk to route another call and when you start talking again, it reassigns you another trunk. This results in about half a second of missing voice, thus it being "clipped" off.

Whats international sender?
  This is mostly found on R1/c5 hybrid systems. Where you CANNOT kp2 out! So, to make international calls, they'd use international senders to specify what country they'd be calling - the format went kp1+011+country code+ST, you'd then hear one pleep then you could proceed to punch out the AreaCode and Phone Number to go international (without country code, because you already specified it), routing went something like: kp1+dd+AreaCode+PhoneNumber+ST.

I want free long distance, is blueboxing the way to go?
  To make it simple. No. If you want free long distance; stick to k0dez. BlueBoxing was ment for explorers. People who find telephone signalling absolutely the most remarkable thing in the world. Stop killing our lines with your abusive intentions and BlueBeep'ing joy-sticks.

Can I bluebox with Verizon country directs?
  Yes, but maybe not for long. I got a hold of a 15mb .ra recording of a MeetingPlace conference that sounded relivent to these "recent" changes. The attendees went over GSI's responsibility to setup Level 3 comm gateways for Verizon's new network. From what I heard, as of late 2001; there's two new gateways in Los Angeles. One which will act as a hub for connecting customers to Western Canada, Asia and Mexico, and another *private* gateway that'll connect LA with the inernational gateway in New York (Eastern Canada and Europe route). Then, I rang up my contact in Miami and he let me know that the Miami international gateway will now be a hub for connections to the Caribbean, and South America. These changes are said to save Verizon close to 300 million US dollars over a period of 5 years. Iam not 100% sure if this will effect anything when it comes to c5 calls. I dont think so, but I could be wrong.

How do I get US ops?
  LOD and Phrack covered this tons of times, but I guess I'll go over it once again. To get INWARDS, you'd punch out kp2+1+2+NPA+121+ST, to get the toll test board you'd do kp2+1+2+NPA+101+ST, Oversea's completion goes kp2+1+2+NPA+151+ST, and Directory Assist. goes kp2+1+2+NPA+131+ST.

Why dont you give out c5 #s anymore?
  Please note that everytime you bluebox off a HCD - you're bringing the line one step closer to being shut down. No, they wont know that YOU'RE doing it, but ... okay, here's how it goes. Most US HCD's belong to calling card companies that are offering their services to tourists visiting the US, wanting to call home with their international calling card. THEY'RE TRYING TO DO A GOOD DEED HERE! Now, here you come tricking their system into thinking you called them and hung up. While the US is still billing THEM for this call. Now, they'll report to AT&T that they only used about 300 hours of call time (which they believe is true) - then AT&T would have on their print-outs that it was closer to 900 hours; AT&T would accuse the foreign telecom of trying to rip them off and shut-down the line. THAT is why Honduras directo doesn't work anymore, THAT is why China found it cheaper to switch off to SS7. So, when I find a line being heavily abused - AT&t will get a call from a helpful phone phreak who WANTS SS7 used! bey0tch!

What references do you recommend I read?
  I *did* do several write-ups on the subject of blueboxing - of which all Iam pretty embarrased of (I used to be into abusing them). I dont recommend that you read the files I've written on it if you're looking for rock-solid, responsible information. I DO have ITU-T recomm. CCITT5 related "Q" files for your reading, along with a list of international area codes for China, Belize, and Nicaragua (Slovakia and Honduras area codes and code changes are listed above). Read them @ /files/bluebox.

Note: This file isn't far from done. Iam currently re-doing the old Jolly-Box writeup, testing out linux blueboxing software, and I'll be adding more international exchange stuff when the time is right.

"Stop the distr0 of HellsHacker; you sons of bitches!"
If you want to download any of the programs featured (and more), click here.