=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

[ASCII art banner]

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

h0h0, It's been such a fine time on the internet that I got way too lazy to even start on SuD V, but at last, here it is.

Things on the scene are as lame as ever; give me a list of all those underground boards you run, so I can send my European friends in to wake you all up ;)

5 months of intensive scanning and trying finally paid off, so I'll be calling all of you a lot more than ever ;) I'm really working on getting you some internet access. At the moment I think all those Beltel hackers out there should get a docnet account on EACH and every mailno they get; there's a JHB dialup number for docnet, where you can log in with that account.
The sysadm can see from where the logins were made, so he'll complain about the dialling in without paying the Beltel port fees and kill the account, but well, that's how it works with Compuserve, doesn't it (fake credit cards are not considered eleet by me, so I urge you to stop using them; there are lots of more eleet ways).

All of you U/G board runners should consider getting at least internet mail; that way we can start a mail network that's not confined to the limits of most of our phone bills, we just mail the packets over (I'm no good with BBS netmail n stuph, I live with TCP/IP, have NNTP to read with my breakfast and replace the Post Office with SMTP).

Anyone who would like to get a 'little' internet access, not hang on there (like me) for 16 hours per day, then just pay that R60 per month most IP's charge, and the R2 per hour; Telkom charge you R1,44 per hour for the phone call if it's after hours. Included in the package you get SLIP software you can run under MS-Windows (I hate MS-Wind0ze, but well, all you warez d00dz just luv it), which makes you able to chat on IRC (internet relay chat) while ftp'ing all those warez down (I just HaTe WaReZ!@#!), all at the same time, each in its own window. There's the same stuff for DOS as well, if you can't stand windoze.

Well, to just f0rc3 most of you onto the internet I'll tell you that you could have gotten WiN95 or WiN94 or whatever that eleet ware is called ages before it was officially released, if you have the right contacts, like little friends you made in #warez and #warez2-#warez9 on IRC; then you can get all those pirated goodies you want to challenge the BSA with. Again, I say I HaTe WaReZ, and DON'T support it in any way, but getting you all on the internet that way will make you realise soon what 'other' things you have been missing. Game cracks are no problem on the internet, you can get the crack a month before the game is officially released.
I figure a lot of you can't stop the wish to hack the Novell network at school, so I'll get a very good friend of mine to write you some stuff on it. Ah, and I forgot x.25 as well; you all want to feel useful with that NUI you got, except for being lame and using that, yech, dialout thingie to connect to boards all over South Africa.

have phun and keep on hacking n stuph

Z0rpHix=-.

-----------------------------------------------------------------------------
-----------------------------------------------------------------------------

A friend of mine in Pittsburgh, in the USA, who calls himself t00ph, almost got into deep trouble:

POLICE PULL PLUG ON PHONE SCHEME [FRONT PAGE]

When Scott policemen Edward Pivick and Robert Zimmerman arrived on the scene, the trail was still warm and talking. Responding to a woman's call about voices in the woods near her home, the officers discovered 100 feet of cable leading into the woods from an open telephone junction box outside her apartment building. At the other end of the cable, they found a metal folding chair and a phone, chattering with what sounded like four teenagers talking.

Since that discovery Aug. 6, police and Bell Atlantic security officials have been trying to find out who used the illegal tap-in to make hours-long conference calls to people around the United States and the world and bill them to Scott residents' private lines. In a month or two, participants racked up more than 60 hours and thousands of dollars worth of calls to New Zealand, Israel, Germany, Florida, New Jersey, Texas and Colorado.

Bell Atlantic workers have sealed and buried the junction box at the 270-unit Kings Grant Condominiums off Cochran Road and plan to bury another one. The boxes usually stand about 3 feet above the ground and join underground phone lines. Police have yet to make any arrests.

"At one point, I heard one of the males say, 'The cops came, but I don't think they saw me,'" said Povirk, who listened to the Aug. 6 conversation for about 20 minutes. Povick said he believes the person who broke into the box and made the illegal tap-in ran home after seeing patrolmen in the area.

Since then, Bell Atlantic and AT&T security officials have been matching condominium residents' phone bills against phone records to try to find where the calls went. One resident's phone bill last month was more than $4,000. On it was a 293-minute call to New Zealand costing $306 and a 110-minute call to Germany costing $86.

So far, only one local number has been identified as a conference call participant. That number is assigned to a residence in Ross that has several phone lines and a computer. No one there has been charged, but the calls could constitute a felony because they were valued at more than $2,000.

Stephen Capp, senior investigator for Bell Atlantic Security in Pittsburgh, said the investigation would continue. "We'll exhaust every possibility. We're not giving up," Capp said yesterday.

The Scott case is more sophisticated than most cases of phone service theft, Capp said. "They opened up the box and used something like alligator clips to clip onto the phone [line] itself." Capp said all calls were made during the middle of the night, when most people are asleep and their phones are not in use. He said Bell Atlantic had received several complaints from people in the Kings Grant area about erroneous phone charges prior to Aug. 6. He said calls were placed in July and possibly June.

Kevin Montaque of AT&T corporate security in Bridgewater, N.J., said AT&T routinely monitors its lines for unusual activity and had picked up excessive usage on at least two Kings Grant residents, including the woman who reported the voices.

Though Capp said no reports of phone fraud had been reported since Aug. 6, Argall Management Inc., which operates the condominiums, said a resident yesterday reported receiving a bill for calls to 900-number sex lines.
Capp said some of the conference calls could have been to 900 numbers but most were not.

-- There was also a report about this on the news that I recorded, but I have not even thought about trying to record all the words from it..

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

Maelstrom (who got bust for hacking a while ago; he still doesn't know exactly 'what' he was bust for, but they had the raid at his house under the 1990 ANTI-HACKING act of the UK. Be smart so we won't get something like that around here; we only have the COMPUTER FRAUD law, which counts for Beltel hacking (the lame kind like taking over mailnos) and Saponet NUI abusing, and some others.) He wrote this neat piece of work for CoTNo [Communications of The New Order] a while back.

-=- Blueboxing in '94 -=-
- (C5 for the masses) -
-=- by Maelstrom/PHaTE! -=-

Well, I've been promising DeadKat an article since COTNO #1, and was searching frantically for a subject that I could write a useful/informative article on... having failed dismally in my quest, I decided to turn my attention to a beginner's guide to present-day blueboxing. This article will only deal with the practical uses of CCITT 5 (C5) signalling systems, and NOT with the more advanced systems such as R2. Becoming familiar with C5 signalling will provide you with a good grounding in blueboxing, therefore making understanding a guide on a future system easier. And so to the main text...

"You just blast 2600hz right?"
------------------------------

No. All too often when blueboxing is mentioned in the context of actually doing it today, some dolt pipes up with this. Treasure your old Mark Tabas files, for they contain some excellent information even today, especially concerning routing codes, but forget all about the R1 signalling described within his 'Better Homes and Blueboxing' guide.
The system we are concerned with today is C5, so swiftly clear the limited space available in your mind. The first point I would like to make is that you will NOT be seizing trunks within your own country. The focus of your attentions will be those 1-800 wonders known as 'Country Direct' numbers, which will connect you to the telephone system of some far-off nation for the princely sum of $0.00. While these are certainly not the only countries you should experiment with, South American and Asian countries are usually the best bet for a C5 connection that you can seize. From nearly all European locations it is possible to bluebox over Chile for example, and lines to Colombia, the Philippines, Taiwan and Thailand are also often C5 connections to your country. While these provide a good starting point for your adventures with C5, don't restrict your attempts to only the aforementioned places... You never know what you might find...

"So, uhh, what next?"
---------------------

After dialling a country direct number to a country on C5, you will usually hear a very audible 'chirp' (some may choose to call it a 'ping' even...) when the line is picked up. This is the moment to start sending the tones required to manipulate the line for your purposes. A few countries using C5 may not give you a 'chirp' when your call is connected, but when the call is disconnected.

Before you can start to signal your call, you will need to 'seize a trunk'. To do this you send a compound signal of 2600hz and 2400hz for approx. 150-450ms. On sending this signal the line should respond with a sound similar to the one you heard when your call to the country direct was completed. Next you send a 2400hz signal, usually for approximately the same length of time as the first compound signal. The delay between these two tones is often crucial, so experimentation is essential. There are no concrete rules for seizing a C5 line, although I usually use 150ms length for both tones as a starting point.
If playing the first tone leads to immediate disconnection then decrease the length of the tone - if the opposite is the case, and the line ignores your first signal, then increase its length (personally I use steps of 10ms but feel free to jump up 50ms if you feel the urge). BillSF of HackTic Holland informs me that newer C5 systems nearly always require timings of 150ms per signal +/-20ms, and with an inter-signal delay of 10/20ms, and I have also found this to be true.

When you have successfully gained control of the line, you will have by this time heard two acknowledgements from the line, one per signal sent. At this point you are ready to begin signalling your call. The first digit you must dial is the KP1 or KP2 signal. This determines that the call is either terminal (local), or transit (international) respectively. An international call is usually what we want, so we send the following dialstring: KP2+countrycode+0+acn+ST. For example, if we wanted to dial the Colorado office of the Secret Service, we would send KP2+103038661010+ST. If we wanted to place a call to a number in a European country then the dialling format is identical.

This is the correct dialling format in accordance with all the technical CCITT 5 texts I have read, but not always the correct method in practice. Macao (country code 853) was long known to be breakable from the United Kingdom before anyone figured out that the correct routing was KP2+00+countrycode+number+ST, so again the key word is experiment. Not all countries will 'play fair' in terms of their accepted routings.

To place a call to within the country you are calling couldn't be simpler however. The correct format is KP1+0+number+ST, and I have never found any nation deviating from this template. One interesting route to note at this point is KP1+2+Code11+ST (see freq. list for Code11), which will nearly always connect you with the inward operator in the country whose country direct number you have dialled.
Lots of interesting information may be gleaned from a conversation with these operators, such as correct routings, and most operators are more than willing to furnish you with the routings for their technical assistance/engineering departments, who will further assist you, often to the point of telling you the exact timings you require. Remember that their equipment is telling them that you are an operator, so feel free to spin any suitable yarn about testing international connections etc., and also bear in mind that in 99% of cases the operator's limited grasp of the English language is in your favour.

Also, be prepared to try other digits in place of 0 between ccode and number in the dialstring for a transit call. KP2+ccode+2+number+ST will usually work for example, and in some cases is the only way to route the call (the country direct to Taiwan from the UK was a good example of this). The digits 0, 1, 2 and 9 are the only ones I have found to be acceptable in this way, but I wouldn't discount the possibility of being able to use others over some nations.

"It doesn't work?"
------------------

Then you're doing something wrong. Not all countries will allow you to place transit calls over their lines, so if you really have experimented with that line and had little or no success then move on; there's no real shortage of country direct numbers on C5...

You might want to try sending a short burst of 2400hz previous to breaking/seizing the trunk to 'free' the transit lines. I have found this to be necessary on the country directs from the UK to Brazil and French Guiana in order to place a transit call successfully.

Another thing to bear in mind is the fact that the country you are trying to (ab)use may only call:

  a) Countries in close proximity, and/or
  b) One or two countrycodes.

This is true of certain lines in Canada, and also of most South American C5 links to the UK. Trial and error is the only way to establish if this is the case on any given dialup.

"D3Y M0Ni+0R D3 LiN3Z" & "They have 2600hz detectors you know..."
-----------------------------------------------------------------

Well, what can I say? You never make use of a pure 2600hz tone, so even if it IS filtered/detected you don't have to worry. The most obvious way I can see of being detected blueboxing is to make 10hrs of international calls per day over whichever 1-800 direct you're using. Very few telcos are going to ignore 140 calls/day to Guyana Direct per month. Use your common sense to avoid detection, that's it.

CCITT 5 Signalling frequencies
------------------------------

  Digit   Freqs
  1       700 & 900 hz
  2       700 & 1100 hz
  3       900 & 1100 hz
  4       700 & 1300 hz
  5       900 & 1300 hz
  6       1100 & 1300 hz
  7       700 & 1500 hz
  8       900 & 1500 hz
  9       1100 & 1500 hz
  0       1300 & 1500 hz
  KP1     1100 & 1700 hz
  KP2     1300 & 1700 hz
  ST      1500 & 1700 hz
  C11     700 & 1700 hz
  C12     900 & 1700 hz

(These are the C5 signalling frequencies I use nearly every day, so if you spot an inaccuracy in the above frequency set you are cordially invited to blend your phallic muscle...)

Now to the timings. All the normal digits (0-9) should be 55ms in length and have a 55ms delay in accordance with the technical specifications laid out in the CCITT manuals. However, in practice these timings may be decreased to as little as 30ms per digit, perhaps even less in exceptional cases. The command and operator digits (KP1/2, ST, C11/12) are usually 100ms in length, with the delay the same as that set for the normal digits. Certain South American countries that I have (ab)used have required that the command digits, more specifically the KeyPulse signals and the ST, be much shorter than this, although usually still with a length longer than that of digits 0-9.

End note.
---------

That's all folks. If you don't know how to produce these tones then you shouldn't really be reading this - go read your SimCity 2k docs...
If anyone has any questions regarding anything contained in the above text, or indeed any C5 queries, you can mail me at: mael@phantom.com or if you're lucky you can catch me on IRC in #phreak. If there's any interest I might even write a sequel to this rather hurried guide...

QUICK NOTE: The author of this article is Scottish, and as such I have used correct English spellings rather than the American versions... 8)...

DEDICATION: This article is dedicated to Coaxial/PHaTE, who has had a rather torrid time of it lately (legally...). Good luck and I hope everything works out for you.

-Maelstrom/PHaTE

----------------------------------------------------------------------------

Okay, with that ^ in mind, think about this 'bluebox'. My comments will be given in '< >' like always ;)

Welcome to the BlueBOX creations!
           ^^^^^^^-

This box has been tested by myself and I have found it to work 100%, Telkom didn't know it was me! and my phone bill was the lowest it has ever been!

Here is the rundown! Cut [A] and replace with a switch, B is a plain vanilla LED! and C is a 20K variable resistor and D is a 470uF cap. All you do is make your phone call; when the other guy picks up, switch the box on (A goes open circuit), the LED should go on.. the PBX thinks the phone was put down, but was it really!? .. to set the VR up, pick up the line and turn the POT until the line goes dead... then turn it back a bit.. on the threshold.

tnx! Binary Surgeons

---

er.... ya... figure this one out for yourself. On a tone exchange, the one where your modem/telephone can dial DTMF tones, it works like this: when the current (or voltage) drops it resets, and when you pick up the phone and it draws current again it sends you a dialtone.
On a pulse..... er.... about the same, whatever. What this circuit actually does is: when you pick up the phone, most of the current goes through the phone, so you can dial n stuph; when you turn on the box, the current is redirected to the LED, and well, the POT keeps the balance between the phone and the LED, so the phone will still work while the LED is consuming some of the current. Er, doesn't that mean the current RISES? I think this circuit closely resembles a Blackbox circuit I've seen, and another 'joke' circuit that was intended for AOL users. Everyone has his own modifications of the circuit as well; if this thing works, then be glad.... but NEVER EVER call it a bluebox, because that's not what it is.

----------

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Friendly warning to all those Beltel hackers I learned to hate by now... Errol Lewis got a lot of death threats and is rather paranoid about putting a large number of people in jail, and YES, they can trace, so watch out, and I mean they really CAN trace!

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

----------

okay awl, happy hpav without the w (because there's no way the w is legal ;) ) AND SEND ME FORMS OF ATTENTION!@# (I'm an attention pup)

---
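A telco-side view of the C5 signalling in Maelstrom's article above, as an added example that is not part of SuD or of his article: it snaps tone bursts reported by a detector to the symbols in his frequency table and flags the 2400+2600 / 2400 seizure pair and the KP..ST register string that follows it, which is what a fraud monitor on the country-direct side would look for rather than the lone 2600hz his last section dismisses. The 15 Hz tolerance, the (start_ms, dur_ms, freqs) event shape and the sample capture are assumptions of this example, not from the article.

```python
# C5 register signals, copied from the frequency table in Maelstrom's article.
C5_SYMBOLS = {
    (700, 900): "1", (700, 1100): "2", (900, 1100): "3", (700, 1300): "4",
    (900, 1300): "5", (1100, 1300): "6", (700, 1500): "7", (900, 1500): "8",
    (1100, 1500): "9", (1300, 1500): "0", (1100, 1700): "KP1",
    (1300, 1700): "KP2", (1500, 1700): "ST", (700, 1700): "C11", (900, 1700): "C12",
}
NOMINAL_HZ = (700, 900, 1100, 1300, 1500, 1700, 2400, 2600)
TOL_HZ = 15  # assumed tolerance when snapping a measured frequency to a nominal one

# A tone event is (start_ms, dur_ms, measured_freqs), as a tone detector would report it.

def classify(event):
    """Label one burst: register symbol, SEIZE (2400+2600), CLEAR (2400) or '?'."""
    snapped = set()
    for f in event[2]:
        near = [n for n in NOMINAL_HZ if abs(f - n) <= TOL_HZ]
        if not near:
            return "?"
        snapped.add(near[0])
    key = tuple(sorted(snapped))
    if key == (2400, 2600):
        return "SEIZE"
    if key == (2400,):
        return "CLEAR"
    return C5_SYMBOLS.get(key, "?")  # a lone 2600 Hz is no C5 symbol at all

def analyse(events):
    """Return (labels, alerts): flags a SEIZE/CLEAR pair inside the article's
    timing window (150-450 ms bursts, short gap) and any KP..ST string after it."""
    labels = [classify(e) for e in events]
    alerts, i = [], 0
    while i < len(labels) - 1:
        (a_start, a_dur, _), (b_start, _, _) = events[i], events[i + 1]
        if labels[i] == "SEIZE" and labels[i + 1] == "CLEAR":
            gap_ms = b_start - (a_start + a_dur)
            if 100 <= a_dur <= 500 and 0 <= gap_ms <= 100:
                alerts.append(f"trunk seizure at {a_start} ms")
        elif labels[i] in ("KP1", "KP2"):
            j = i + 1
            while j < len(labels) and labels[j] not in ("ST", "?"):
                j += 1
            if j < len(labels) and labels[j] == "ST":
                alerts.append(f"{labels[i]} register string: {''.join(labels[i + 1:j])}")
                i = j
        i += 1
    return labels, alerts

def sample_events():
    """Constructed capture (not a real recording): seize pair, then KP1 0 1 2 3 ST."""
    events = [(0, 150, (2400, 2600)), (160, 150, (2400,))]
    t = 400
    for sym in ("KP1", "0", "1", "2", "3", "ST"):
        pair = next(k for k, v in C5_SYMBOLS.items() if v == sym)
        dur = 100 if sym in ("KP1", "ST") else 55  # article's 100 ms / 55 ms timings
        events.append((t, dur, pair))
        t += dur + 55
    return events
```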