Phreaking-FAQ: Unterschied zwischen den Versionen

aus dem Wiki des Entropia e.V., CCC Karlsruhe
K (Änderungen von JaniceJones (Diskussion) rückgängig gemacht und letzte Version von Neingeist wiederhergestellt)
 
(4 dazwischenliegende Versionen von 2 Benutzern werden nicht angezeigt)
Zeile 340: Zeile 340:


==== [http://members.tripod.com/SeusslyOne/305.wav Sweep Tones]: ====
==== [http://members.tripod.com/SeusslyOne/305.wav Sweep Tones]: ====
Tone sweeps are a test tone ranging from 304hz to 3204hz. A common use for sweep tones is to check for infinity-transmitter style taps. Dial up a sweep tone. If an audible clicking is heard during the sweep then a transmitter could be installed on your line. Telco maintenance uses sweep tones to check for the presence of loading coils, and other such nasties that eat high frequency tones in order to qualify a line for high speed services.
 
Tone sweeps are a test tone ranging from 304hz to 3204hz. A common use for sweep tones is to check for infinity-transmitter style taps. Dial up a sweep tone. If an audible clicking is heard during the sweep then a transmitter could be installed on your line. Telco maintenance uses sweep tones to check for the presence of loading coils, and other such nasties that eat high frequency tones in order to qualify a line for high speed services.


==== Milliwatt test: ====
==== Milliwatt test: ====
Zeile 396: Zeile 397:
Inter-LATA is just another name for a long distance companies such as AT&T, Sprint or MCI.  
Inter-LATA is just another name for a long distance companies such as AT&T, Sprint or MCI.  


==== How are alternate [[Main_InterLATA|InterLATA]] carriers accessed? ====
==== How are alternate InterLATA carriers accessed? ====


Inter-LATA carriers are accessed through 950 numbers (feature group B access codes), or 10XXX/101XXXX numbers (feature group D access codes).  
Inter-LATA carriers are accessed through 950 numbers (feature group B access codes), or 10XXX/101XXXX numbers (feature group D access codes).


==== Where can I get a list of Inter-LATA carriers and their dialups? ====
==== Where can I get a list of Inter-LATA carriers and their dialups? ====
Zeile 700: Zeile 701:
Telecom Information Resources: This is simply a monstrous list of telecom/networking FAQs and sites. Don't bother unless you're looking into arcane topics and have a good working knowledge of the topic already; most people listed on this site never heard about KISS. ([http://www.spp.umich.edu/telecom/technical-info.html http://www.spp.umich.edu/telecom/technical-info.html])  
Telecom Information Resources: This is simply a monstrous list of telecom/networking FAQs and sites. Don't bother unless you're looking into arcane topics and have a good working knowledge of the topic already; most people listed on this site never heard about KISS. ([http://www.spp.umich.edu/telecom/technical-info.html http://www.spp.umich.edu/telecom/technical-info.html])  


[[Main_PacBell|PacBell]] Search: Surprisingly helpful, [[Main_PacBell|PacBell]] search will outline lots of [[Main_InterLATA|InterLATA]] carrier information for you (including the law), COCOTs, and other sundry phone related info.([http://www.pacbell.com/ir/search/index.html http://www.pacbell.com/ir/search/index.html])  
PacBell Search: Surprisingly helpful, PacBell search will outline lots of InterLATA carrier information for you (including the law), COCOTs, and other sundry phone related info. (http://www.pacbell.com/ir/search/index.html)  


[[Main_LexiCat|LexiCat]] Search Demo: This site is a REAL gem. It offers a searchable index of terms (it cross references everything), as well as articles and reports on related topics. Warning: This is a demo for a product. After 10 searches it resets itself and won't allow you back. Reload the page after every few searches or else.([http://www.tra.com/cgi-bin/ft-[[Main_LexiMot|LexiMot]]/ID=19970912152925603/lexi7800.html http://www.tra.com/cgi-bin/ft-[[Main_LexiMot|LexiMot]]/ID=19970912152925603/lexi7800.html])  
LexiCat Search Demo: This site is a REAL gem. It offers a searchable index of terms (it cross references everything), as well as articles and reports on related topics. Warning: This is a demo for a product. After 10 searches it resets itself and won't allow you back. Reload the page after every few searches or else. (http://www.tra.com/cgi-bin/ft-LexiMot/ID=19970912152925603/lexi7800.html)  


Blackbox Search: Try their search if you need info on LANs or direct connection. This is an online catalog, but you can still extract enough useful stuff to make going here worthwhile. ([http://www.blackbox.com/ http://www.blackbox.com])  
Blackbox Search: Try their search if you need info on LANs or direct connection. This is an online catalog, but you can still extract enough useful stuff to make going here worthwhile. ([http://www.blackbox.com/ http://www.blackbox.com])  
Zeile 708: Zeile 709:
Lucent: These people are pretty straightforward about what they offer. Lucent makes STUFF, unlike Bellcore which peddles information. Accordingly, Lucent will talk and talk and talk about their products.([http://www.lucent.com/search/search.html http://www.lucent.com/search/search.html])  
Lucent: These people are pretty straightforward about what they offer. Lucent makes STUFF, unlike Bellcore which peddles information. Accordingly, Lucent will talk and talk and talk about their products.([http://www.lucent.com/search/search.html http://www.lucent.com/search/search.html])  


Raytheon: These people unsettle me a bit. Raytheon is a blanket electronics firm that holds primarily [[Main_DoD|DoD]] contracts. If you have a morbid interest in missile guidance you'll LOVE this site. They also hold the contracts on encrypted voice switches used in the DSN.([http://www.electrospace.com/business/telecomm.htm http://www.electrospace.com/business/telecomm.htm])  
Raytheon: These people unsettle me a bit. Raytheon is a blanket electronics firm that holds primarily DoD contracts. If you have a morbid interest in missile guidance you'll LOVE this site. They also hold the contracts on encrypted voice switches used in the DSN.([http://www.electrospace.com/business/telecomm.htm http://www.electrospace.com/business/telecomm.htm])  


Lockheed Martin: Now controls NPA allocation (They bought it from Bellcore. Here ends an era.), and is happily distributing for free all sorts of useful information Bellcore used to sell for A LOT of money. This site lists all SACs, NPAs, and some stuff I didn't think was publicly available. ([http://www.nanpa.com/ http://www.nanpa.com/])  
Lockheed Martin: Now controls NPA allocation (They bought it from Bellcore. Here ends an era.), and is happily distributing for free all sorts of useful information Bellcore used to sell for A LOT of money. This site lists all SACs, NPAs, and some stuff I didn't think was publicly available. ([http://www.nanpa.com/ http://www.nanpa.com/])  
Zeile 720: Zeile 721:
* Outside Plant Magazine is a great reference. Subscriptions may be obtained from [http://www.ospmag.com/ http://www.ospmag.com] Fill out a reader response card too, the manufacturers have some really cool promo materials.  
* Outside Plant Magazine is a great reference. Subscriptions may be obtained from [http://www.ospmag.com/ http://www.ospmag.com] Fill out a reader response card too, the manufacturers have some really cool promo materials.  


* Jensen Tools sells every piece of gear you could ever want, including lots of strange specialized stuff like tools to open payphone housings. [http://www.jensentools.com/ http://www.jensentools.com]  
* Jensen Tools sells every piece of gear you could ever want, including lots of strange specialized stuff like tools to open payphone housings. [http://www.jensentools.com/ http://www.jensentools.com]


=== What's a newsline?  ===
=== What's a newsline?  ===

Aktuelle Version vom 26. Juni 2010, 17:11 Uhr

The Alt.Phreaking FAQ 1.41

Much thanks to Itris, Mohawk, MMX, Thomas Icom, Black Axe, Tom Farley and the OCPP for their contributions, encouragement, and bitching. Special thanks to Jenn Martino for the sound files and her patience.

What is this FAQ?

The beginner's alt.phreaking FAQ was established to help answer the questions that beginner phreaks often have. This FAQ is maintained and edited by Seuss. This file can be downloaded at http://members.tripod.com/~SeusslyOne.

What is alt.phreaking for?

Alt.Phreaking is a newsgroup for the discussion and exchange of phreaking information, hints, tips, and general knowledge. It is supposed to be a way for people to discuss phreaking without feeling like a moron, whether asking or answering questions. It is also a good way for phreaks around the world to communicate easily. It is NOT a place for warez, tech support, spamming etc.


What is a phreak?

Phreak is short for phone phreak, a hacker of the telephone system. A phreak, (or a phreaker) is someone who wants to learn about the telephone system. Some people who claim to be phreaks are thieves who do nothing but rip off long distance service. Others are only interested in sneaky tricks and screwing other people. A phreak is not someone who destroys phone property if it's not necessary for the advancement of their knowledge of said system. Boxing and other ways of hacking the telco does not make someone a phreak. Being a phreak is a way of life. There are many different views on what is a phreak, so two people may call themselves "phreaks" yet have two totally different view points.


Additions, Suggestions, etc.

Even though Seuss maintains and edits the alt.phreaking FAQ, much of the content comes from regular contributors to alt.phreaking. If you would like something added, changed, or if you just have a suggestion, we invite you to email me at Seuss@Cryogen.com. Your comments will greatly improve the quality of the FAQ.


The Basics

Your new status in the underground

Welcome to the phone phreak underground. We're a fairly decent, not overly judgmental pack, as you'll see if you stick around long enough. You're new here, so try and remember that newbie phone phreaks are a dime-a-dozen. As much as we'd like to see you stay, coming in with a bad attitude won't help you any. Just remember to be polite and say please and thank you and that you're in absolutely no position to rag on someone for asking what seems like an obvious question to you now. We only tell you to RTFM because we love you. Finally please try and keep your sense of humor, it will help enormously.


I'm a newbie please help!!

The first mistake you'll make as a newbie is to assume that everyone will jump to spoon-feed you answers. That only happens in books and movies. Lots of us really DO want to help you, but we have better things to do than tutor your ass non-stop. First and foremost, try and learn as much as you can about phreaking by yourself. Visit as many related web pages as possible, read books about telephony and experiment. If you hit a snag along the way then by all means ask for help, but for the love of Christ don't go to alt.phreaking and ask for ?phreaking texts'. Try and observe the common courtesies: don't post in ALL CAPS (oR aLtErNaTiNg caps either), don't post HTML, and spare us the superfluous punctuation. Also, don't get discouraged if you get flamed and everyone calls you a lamer.


What should I read?

Good question, but let's start with what NOT to read. Ignore the anarchist's cookbook. The phreaking information in it is so dated as to be useless and everything else is dangerously wrong. The BIOC files are probably older than you are... read them if you must but the ideas are pretty much dead.


What you WILL want to get a hold of:

  • A book about installing your own phone.
  • The file "Outside Loop Distribution Plant" by Phucked Agent 04. Its a little old now (so don't expect to hear much about SLCs), but still an excellent refference for explaining the inner workings of the inside/outside plant.
  • Glossaries of telecommunications and phreaking terms. We highly recommend Newton's Telecom Dictionary, but there are a lot of text files that list the lingo.
  • A BRIEF explanation of the more common boxes. Don't worry about these too much, but it will help you understand some of the posts. Fixer has a great list of boxes on his site, along with what does and does not work and why.
  • A cheap TAB book on basic electronics. TRUST me. Phone phreaks all babble about electronics for some weird reason, and it's a pain following them without a reference.
  • The better zines. 2600, Phrack and Phone Punx Magazine are all still being printed or posted. Shuffle through back issues of the now defunct THTJ magazine, Cybertek, OCPP, Private Line magazine and Phantasy magazine too. The Phone Punx Network has a zine archive where you can find some of these zines
  • A little bit of history on the underground. Get a hold of The Hacker Crackdown, it makes for fascinating reading, will give you an idea of what the scene was like before the WWW. Read Takedown in order to understand the basis of the Kevin Mitnick saga.

I need help with phreaking in a foreign country

It's tough to find phreaks in the same state, let alone the same place in a foreign country. One place to look is in 2600's meeting section to see if there are any meetings in your area. Check question 13 for foreign phreak websites.

Try the UK's phreaking newsgroup: alt.ph.uk and Germany's phreaking newsgroup: de.org.ccc

Is phreaking (or any method of or related to) legal?

Excercise your own common sense. Toll fraud is stealing and is very illegal. If you're caught ripping off phone service you'll probably be prosecuted. After that, what is and isn't legal is still rather vague when it comes to hacking and phreaking. Whether you get in trouble depends on where you live, who you're pissing off, and what you're doing. For example we've seen kids get kicked out school for just having certain texts in their possession. If you respect property and just keep a bunch of text files on your computer then you should be fine. If you go out and tap someone's phone you could get in a lot of trouble. Your local police will probably just tell you to stop, mainly because they don't know what you're doing. However, the Secret Service can just make stuff up and charge you with anything. Some states actually have laws making some methods of phreaking illegal. For instance, there are trashing laws in certain areas and scanning has been outlawed in Colorado. Also remember that phone company installations (including wiring cabinets) are private property, and Bell is awfully touchy about trespassing.


2.0 PBXs ExtendersVMBs

What is a PBX?

A PBX is a private phone switch used by large companies and other institutions that require a flexible internal phone system (such as college campuses or big office buildings). PBXs are the devices that ask you to dial an extension or operator when you connect to them. A subset of PBXs are key systems; PBXs with less than 50 users. For more in-depth answers check the entry for switch.

PBXs consist of a small phone switch (say a DMS 10) or specifically PBX switch (An AT&T System 75), a group of outbound trunks, which are nothing more than phone lines to the outside (often fractional T's or even T-1's on the larger systems), a set of telephones and a bunch of users.


Why does everyone make a big deal about PBXs?

When people are seen groveling for PBXs, they're asking for dialouts on that particular PBX. These numbers allow them to call up, seize an outbound line and make their call on the PBX owner's tab. Because the PBX has to be called, PBXs connected to toll-free numbers are the most popular.


What is a DISA port and what is it for?

A DISA port (Direct Inward System Access port) is a maintenance feature on a PBX. When you connect to it and input a pass code you seize an outbound trunk of that PBX. Hacking DISA ports is a relatively simple and effective way to get free service plus someone else's number on the ANI controller.

DISA port attention tone

Extenders

What's an extender?

Unlike most systems exploited by phreaks, a WATS extender is designed to be used for making phone calls without directly billing the caller. WATS extenders are 800 numbers connected to bulk rate billed telephone lines and guarded by a pass code (usually a VERY LONG one). "950s" are another common form of extender. The most common incarnation of extenders today is the dialup used for prepaid phonecards. Be warned: extenders VERY often utilize real time ANI, and do not react well to abuse. These things are dangerous and should be treated with care.


Voice Mail

What is voice mail?

Voicemail is a sort of bulk answering machine. Its effectively a small computer that will record phone messages, and often allow for more advanced features (like forwarding of messages etc.).

What's a VMB?

Voice Mail Boxes (VMB's) are separate user's accounts on a voice mail system. Among the standard user boxes are administrator boxes, privileged accounts that allow for the creation and deletion of boxes, changing of routing features, etc.

How do I hack a VMB?

The specific techniques used for hacking voice mail boxes varies from system to system. However, the general procedure is to dial up a voice mail system, input a box number, and guess at the pass code (usually with a wardialer). Once the box is cracked it can be taken over (the outgoing message and pass code changed), the messages spied on, dialed out from by inputting the correct commands, or new accounts can be created (from administrative boxes).

Calling Number Identification

ANI

What is ANI?

ANI stands for Automatic Number Identification. It is a service feature in which the directory or equipment number of a calling station (read as ?telephone') is automatically obtained. Enhanced 911 systems, 800/888 numbers and big companies make the most use out of this feature. 'ANI' is often used interchangeably with 'ANAC' by the less educated, don't do that.

How is ANI transmitted?

Numbers receiving realtime ANI are connected to their CO or toll center via digital trunks which send data packets back and forth. The ANI data is sent from the office to an ANI controller on the premises of the site receiving ANI in the packet's headers. ANI if MFed to the ANI controller if SS7 isn't in use in the format KP-I-(Thats the letter 'I', not a 1)-NXX-XXXX-ST. The 'I' in the MF sequence represents the information digit.

What is ANI II?

ANI II is an additional feature of ANI. ANI II adds a pair of digits to the ANI readout that labels what type of service the number is (i.e. if it's a pay phone, a PBX line, etc.). There's ONE ANAC (to the best of my knowledge) that reads back ANI II. 1-800-487-9240. PLEASE don't use it unless you have to, as overused ANACs will die. A list of ANI II digits can be obtained at http://www.NANPA.com/.

What is 'real time' ANI?

Real time ANI is yet another kink in ANI. Not all ANI subscribers get their ANI as soon as they're called. Some ANI subscribers get a call record at of the end of the month that lists all their incoming calls. Subscribers who get their ANI as the call comes in have what's called "real time ANI". Think of it as beefed up caller ID.

What's a "Dark call"?

A 'dark call' indicates an ANI failure. Dark calls throw up a "NO ANI RECEIVED" message on a TSPS console, which triggers ONI.

What is ONI?

ONI (Operator Number Identification) is when a live operator asks you for the phone number you're calling from. Now, certain unscrupulous people could tell the operator that they were from a number other than the one they were actually calling from...

ANAC

What is an ANAC?

ANAC stands for Automatic Number Announcement Circuit. An ANAC number refers to a number that you call that tells you what number you're calling from. This has a variety of uses. Lineman call them to find out the number of the line they are working on. Phreaks use them when they are beige boxing for the same reason. There are a million other uses for the things.

I need an ANAC number for my area.

ANAC numbers are different in all areas. Try to find your local ANAC and use that one. If you can't find one you can always use a national one like 1-800-487-9240. National ANAC numbers come and go so don't use it a hundred times a day to impress your friends because they'll shut it down if it's used too much.

Caller ID

What is Caller ID?

Caller ID is a service that delivers the number of the calling party. A separate unit or special phone is used to display the number. Caller ID service can be ordered from you local telephone company. There is a monthly charge of about $6 to $8 a month. Caller ID Deluxe has the same features of normal Caller ID but it also displays the name and address of the person who calls along with their number. This service costs about a $1 more per month.

How does Caller ID work?

This next section is from the Fixer's article "beating Caller ID".

Caller ID is a data stream sent by the Phone Company to your line between the first and second ring. The data stream conforms to Bell 202, which is a 1200 baud half-duplex FSK modulation. That is why serial Caller ID boxes run at 1200 baud.

The data stream itself is pretty straightforward. Here's an example:


UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU?'^D 032415122503806467x

The first thing of note is the 30 U's. Those are actually sync pulses. A "U" is 55 hex, or 01010101 binary. This is called the "Channel Seizure Signal."

After that comes 130 milliseconds of 1200 Hz (the Bell 202 "mark" frequency) which usually shows up in the datastream as a character or two of garbage.

That is followed by the "message type word", which is 04 hex for standard Caller ID, 07 hex for Name & Number. A word, by the way, is 8 bits for our purposes.

That is followed by the "message length word" which tells us how many bytes follow.

The next four bytes are the date, in ASCII. In the example above, the date is 0324, or March 24th.

The next four bytes after the date are the time, also in ASCII. In the example, the time is 1512, or 3:12pm.

The next 10 digits is the phone number that is calling. In the example, the phone number is 250-380-6467. The number is also in ASCII and doesn't contain the hyphens. Some phone companies will leave out the area code and only transmit 7 digits for a local call, others will always send the area code as well.

If this were a name-and-number Caller ID data stream, the number would be followed by a delimiter (01h) and another message length byte to indicate the number of bytes in the name. This would be followed by the name itself, in ASCII.

If this call originated from an area that doesn't support Caller ID, then instead of the phone number, a capital "O" is transmitted (4F hex).

If the call was marked "private" as a result of the caller using *67 or having a permanent call blocking service, then instead of the phone number, a capital "P" (50 hex) would be sent.

The very last byte of the data stream is a checksum. This is calculated by adding the value of all the other bytes in the data message (the message type, length, number and name data, and any delimiters) and taking the two's complement of the low byte of the result (in other words, the two's complement of the modulo-256 simple checksum of the CID data).

*67

What is *67

  • 67 is the vertical service code for per call ID blocking. It will block your number from being displayed on the Caller ID unit of the person that you called. If the person has Caller ID Deluxe, it will also block your address. *67 DOES NOT AFFECT ANI!!!

Does *67 block *69?

In some areas *69 now has a feature that reads back the number of the person that called you and then gives you the option to call them back. *67 will block your number from being read to them, but they can still call you back. Just shell out the 75 cents and test it out for yourself.

Anonymous Call Rejection

Anonymous Call Rejection or ACR is provided to Caller ID customers for free. This service allows Caller ID customers to block calls from people who use per call blocking (*67). When someone that blocks their number calls a person with Caller ID who has activated ACR, they hear a message telling them that they do not accept calls from people that block their number.

Caller ID blockers

What is a Caller ID blocker?

A Caller ID blocker is a device that will block your name and number from being shown on Caller ID boxes. It is sold at Radio Shack and the product number is 43-925. It costs $29.99. Basically, your paying $30 or so for something that will dial *67 for you.

Cable plant/Transmission

Cable Plant

What is the inside/outside cable plant?

The inside cable plant refers to all hardware and wiring in a telco office. The outside cable plant is all cables, wires, breakout boxes, and transmission hardware between the phone jack and the office.

What is the layout of the cable plant?

<img src="/osp.gif" alt="osp.gif osp.gif" width="350" height="225" />

This graphic doesn't cover everything, but its nice to have a picture to work with. Once the cable hits the house in the upper left, it will be connected to the protector block (which protects the inside wiring, the phone, and you from lightening strikes). From there it goes to the rate demarcation "demarc" point, usually a little gray box on the side of your house. This is where the Phone Company's responsibility for the wiring ends. The pair should then be strung to a minimum point of penetration, so wiring the other side of the house is a little easier, and from there it goes to the jack.

Canning and beige boxing

The average phone phreak cuts their teeth on a steady diet of beige-boxing, hooking up a phone to someone else's line and making calls. The principle is that in the mid 1970s, AT&T started billing to the line instead of to the phone, so anyone who hooked up a phone to another person's line would be free to call on their dial tone. As breaking into someone's house to plug a cordless base into a spare wall jack is rather impractical, most phreaks plug their beige-box into an outside plant wiring cabinet of some sort. If you're hell-bent on opening a wiring cabinet remember that while they're usually not locked, you'll probably need to unscrew something to get in. A can wrench is handy, though a 3/8th nut-driver and a 7/16th hex driver will do you just fine.

<img src="/buggedboot21.jpeg" alt="buggedboot21.jpeg buggedboot21.jpeg" width="203" height="125" />

Boots: These are splice points found in aerial distributions. Nothing too special here, and a pain to get at unless they're stuck to the side of a building, but simple to let oneself into. Just disconnect the clips at the bottom and lift off the vinyl cover.

<img src="/pedastal67.jpeg" alt="pedastal67.jpeg pedastal67.jpeg" width="124" height="125" />

Pedestal terminals: This happy little fellow can be found in areas where underground distribution is used. Usually you can just grab the lip at the bottom and pull it forward to get at the lines.

<img src="/ped1800closed.jpeg" alt="ped1800closed.jpeg ped1800closed.jpeg" width="114" height="125" /> nbsp; <img src="/ped1800p.jpeg" alt="ped1800p.jpeg ped1800p.jpeg" width="123" height="125" />

Serving Area Interfaces: This monster is a serving area interface. It breaks out every pair in a particular serving area. The wiring in these things is kinda funny, as they use punch down blocks to secure the wires. The interesting thing about these is that some of these have 'floater pairs' that aren't hooked up to customer lines. These pairs are used solely by telco personnel.

Transmission

What media are phone conversations transmitted on?

Customer loops are usually copper analog. In many places this will be converted to fiber after about a thousand feet before it continues on it's merry way to the CO. Some WAY out of the way places have their loops converted to microwave for transmission to the CO (this method is often referred to as wireless local loop). Trunks are usually immense fiber optic lines, though PBX trunks are usually T-1s or fractional T-1 lines.

What's the average resistance of a phone line?

Maximum Conductor Resistance in Ohms

AWG Per Kilometer Per 1000 Feet
19 28.5 8.7
22 57.1 17.4
24 90.2 25.5
26 144.4 44.0


How do I measure the length of my analog loop?

There are two ways to measure loop length. The first is to use a time domain reflectometer, a very expensive and complicated instrument similar to an oscilloscope and about as hard to use. The simpler method is to measure the capacitance of the line using the constant .83 micro-farads per 1000 feet of wire. Keep in mind this value is an average, and that wet sections affect capacitance.

What is a trunk?

A trunk is a fixed line between 2 telephone offices, a telephone office and a PBX (or similar hardware), or two PBXs (again, or similar hardware). Trunks are usually immense fiber optic lines, though PBX trunks are usually T-1s or fractional T-1 lines.

What's in a manhole?

Rats. Dirty water. Roaches. Splicing boots that you can't open. Methane gas.

Why shouldn't I go peeking in a manhole?

Methane builds up in manholes, risking suffocation or explosion unless the air is vented; and running a blower is rather obvious. When it rains water tends to buildup in holes. You probably don't have the right tools to open the splicing boots, and why bother anyway?

Can I tap/beige off of a fiber optic line?

Sure you can, but it's too much work to be worthwhile. You'll need to connect an add/drop wavelength division multiplexer to the line, and cycle through the traffic.


What is a switch?

A switch is a large, expensive piece of hardware that connects telephone calls. There are 3 types of switch: the dial tone switch (also called the end office or class 5 office), the remote switch and the toll switch (also known as a tandem switch or class 4 switch). Dial tone switches are the switches that interface directly with your telephone and provide you with your dialtone. The old books and files that talk about regional, sectional and area switches are dated, so ignore them. Toll switches connect end offices with toll switches and toll switches with other toll switches. The third type of switch is a remote switch. These are large PBX switches slaved to a CO that is a good distance away. The switches are implemented in areas too small to warrant their own offices, but require a switch to themselves. Remote switches are switches only, and carry none of the other computer equipment necessary for a full scale office. Remotes do NOT have their own AMA systems, customer databases, etc. These ?big' functions are handled by the office the remote is slaved to.

Phone calls typically follow a path like this: the end office will first look to see if it can complete the call internally, if not it hands off the call to either another end office (if its not that far off) or to a toll switch (for a long haul call). From the toll office it can proceed to another toll office or an end office for completion.


What are some common switches?

  • Dial tone Switches*

1AESS

5ESS

5ESS 2000

5ESS 2000 DCS (Supposed to be a cellular switch, but sometimes foolishly deployed for landlines)

DMS 10

DMS 100

P? ericsson PRX-a

  • Toll Switches*

DMS 200

DMS 250

DMS 500

  • Remote switches*

GTD-5 EAX

What is SS7?

SS7 (Signaling System 7) is a system for telephone offices to communicate with each other. . In the good old days offices would send information about a call's routing by in band signaling (audible tones sent along with your voice). In band signaling was slow, unreliable, and subject to wild amounts of fraud. Then the phone company tried out of band signalling, where the tones were outside the audible bandwidth of the phone. Eventually, SS7 came into play. SS7 (Signalling System 7) is a packet switched network that transmits voice and signalling information in the telephone network.


Do blue boxes still work?

Supposedly yes, blue boxes still work given the right conditions. Don't just try and use one from your home, as it would be both foolish and frustrating. Theres perpetual scuttlebutt about MFing through country direct numbers, or blue boxing through extenders, but both are labor intensive processes and are of questionable value.


Test numbers and offices

What are test numbers?

Test numbers are dialups to testing equipment or test features set up by the phone company or private entities. There are about a billion kinds of test numbers, so PLEASE don't just start asking for test numbers, especially on newsgroups like comp.dcom.telecom.tech.


What are some common test numbers and their uses?

Sweep Tones:

Tone sweeps are a test tone ranging from 304hz to 3204hz. A common use for sweep tones is to check for infinity-transmitter style taps. Dial up a sweep tone. If an audible clicking is heard during the sweep then a transmitter could be installed on your line. Telco maintenance uses sweep tones to check for the presence of loading coils, and other such nasties that eat high frequency tones in order to qualify a line for high speed services.

Milliwatt test:

These are 1004 hz tones sent out at 0 db. Milliwatt tests are used to check for line loss and other complex tests.

1004 hz test tone:

This is a vanilla 1004 hz tone. Nothing too useful here, without a loop analyzer anyway.

Quiet termination:

This feature connects the caller to a port with fixed resistance, 600 ohms or 900 ohms being the most common. There should be nothing but dead silence on connection. Clicks, static or crosstalk will be clearly evident if a noisy line is used to dial this test.

Ringback:

Calls back the originating number in an annoying fashion. Dialing all the touch-tone digits in order (starting with 1 and ending in # going across the keypad rows) will generate 2 tones saying the keypad is ok.

Loops:

These numbers exist in linked pairs. Call one number and you'll get a tone. Call the other number and you get dead silence. If both are called at the same time they make a connection. It used to be that you could then talk over this connection, but now there are filters that block speech placed on most loops.

ANAC:

This test dialup will read off the number of the line you're calling from. On rare occasions you will find ANACs with a DTMF response for use with remote test terminals.

DATUs:

DATUs (Digital Audio Test Units) are a godsend to technicians and phone phreaks everywhere. DATUs allow a caller to monitor lines (don't get too excited), open and short pairs, and put trace tones on the pair. While it might not sound too exciting, it has more applications than most people think.


Internal Offices

What is an internal office?

An internal office is an office that the general public doesn't know about. Internal offices are usually used to access complex test systems (such as Switching Control) or in applications where automation would be impractical (such as Customer Name and Address offices).

Customer Name and Address office

What is a CNA number?

A CNA (Customer Name and Address) number is the number to the CNA office. This office provides the name and address of the owner of a particular telephone number to telephone techs.

Where can I get a working CNA number?

Normal CNA numbers that list every number in the area are available only to telephone company personnel. Private citizens must now rely on CNA information from private companies such as Unidirectory (900-933-3330) and Telename (900-884-1212) to give them their info at a buck a minute. If you are in 312 or 708, Ameritech has a pay-for-play CNA service available to the general public. The number is 796-9600. The cost is $.35/call and can look up two numbers per call. If you are in 415, Pacific Bell offers a public access CNA service at (415)705-9299. If you are in Bell Atlantic territory you can call (201)555-5454 or (908)555-5454 for automated CNA information. The cost is $.50/call with 3 look ups per call. You can also do reverse look ups if you know the telephone number using Database America (http://adp.infousa.com/cgi-bin/abicgi/abicgi.pl?BAS_session={bas_session}&BAS_vendor=402&BAS_type=ADP&BAS_page=1&BAS_action=search)

LATAs/IntraLATA Carriers/InterLATA Carriers

LATAs

What's a LATA?

LATA's are the geographical areas where a single RBOC (local phone company) can connect a call. If a call passes across the boundaries of a LATA it must be handed off to an Inter-Exchange Carrier and then back to another Local Exchange Carrier for completion


Inter-LATA carriers.

What are Inter-LATA carriers?

Inter-LATA is just another name for a long distance companies such as AT&T, Sprint or MCI.

How are alternate InterLATA carriers accessed?

Inter-LATA carriers are accessed through 950 numbers (feature group B access codes), or 10XXX/101XXXX numbers (feature group D access codes).

Where can I get a list of Inter-LATA carriers and their dialups?

You can get a list of them at http://www.NANPA.com

COCOTS BOCOTS Pay Phones

COCOTs

What is a COCOT?

COCOT is an acronym for Customer Owned Coin Operated Telephone. This is a phone that is owned by a private business or person. Even though they look enough like phones that are owned by your local telephone company, they are very different. COCOT's are known for maximum security and minimum convenience.


What is a Coin Line?

In the good old days COCOTs were connected to normal POTS (home phone) lines. Sadly, there is a growing trend of connecting them to specially leased lines from the phone company that allow for greater fraud protection by blocking 900/976 and an option to block international calls along with coin supervision and disposal features and extended operator services. Different RBOC's offer different features and different names for this service.


What is a BOCOT?

A BOCOT is an updated telco coin station. BOCOTs utilize superior technology to the standard fortress phone, but have the problem of needing to interface with the older technology of the ACTS system.


Millenium Phones

What is a Millennium Phone?

A Millennium Phone is a newish offering from Nortel to the COCOT/BOCOT market. Millennium Phones are ultra computerized, high security phones mostly deployed in Canada and the Midwest (anyone know different?) at the moment. For more info on Millennium Phones read OCPP issue 7 and visit www.nortel.com.


Programming on the Millenium Phone

YES Milleniums can be programmed from their keypads. You can feed them so called "OP CODES" that have as-yet unknown uses. Put the phone ON-HOOK, and dial "CRASERV" and inputing a 5 digit PIN (The default is 12345). OP CODES are 3 digits long.


Pay phones

What is a pay phone?

Pay phones, fortress phones, telco phones are all the same thing. These are Western Electric dial tone first coin stations. These phones are still mostly electromechanical, as opposed to COCOTS, which are computers with handsets.


Coin Signaling

RBOC pay phones need their CO to tell them that enough money has been deposited to make a call. They do this by sending a signal to their CO whenever a coin has been deposited. They do this by generating a pulsed MF tone whenever a coin is deposited that corresponds to the type of coin deposited. This is why red boxes work(ed).


Redbox tones

Coin Nickel Dime Quarter
Frequencies 1700&2200 Hz 1700&2200 Hz 1700&2200 Hz
Duration


Why doesn't my redbox work?

Assuming you've checked for glaring problems like incorrect assembly and programming, and that you're trying to use your box on an RBOC Western Electric coin phone, theres still a potential problem. After losing an ungodly amount of virtual money from redbox use, telcos began incorporating band-stop filters into phones in the form of 'PIN Fraud Devices'; a tiny sliver of firmware that bars redboxes, among other things. Payphones have also been known to mute mouthpieces.


Coin collection

Hypothetical situation: you just got paged, so you wander over to a handy RBOC pay phone. You pick up the receiver, and deposit 35 of your hard-earned cents into the coin slot. Where did your money just disappear to? Your money has passed through a slug test, gone through a sorter, tripped a sensor to generate the appropriate (redbox) tone and fallen into the temporary hopper in the phone. Once your coins are in the temp hopper they can only go to two places: into the return chute, or into the cash box. Where the money goes next depends on a relay in the phone. If -130 VAC is fed into the loop the coinage is returned, if +130 VAC is fed into the loop the coins are whisked away into the coin box.



Coin boxes

What happens when a payphone fills up with coins? The phone will shut itself off, call it's CO with the message ?I'm full. Come empty me.', and a coin collection tech will come (eventually) to empty the coins.



Numbering

Area codes

Who assigns area codes?

Bellcore used to issue area codes, but sadly another era in telecommunications has ended. Lockheed Martin now administers NPAs, but it's the FCC that has final say in any telecom-related matter. What we've lost in the way of tradition we gained in accessibility. Lockheed Martin is very open with their info, while Bellcore insisted on charging ridiculous amounts for their paperwork. All their public documents are on NANPA.com


Special Area Codes (SACs)

What are the special area codes and what are they for?

200: Rumored to be reserved for test purposes. (Anyone want to comment on this?)

300: Rumored to be reserved for test purposes. (Anyone want to comment on this?)

400: Rumored to be reserved for test purposes. (Anyone want to comment on this?)

456:International inbound routing. (Your guess is as good as mine.)

500: ?Follow me' forwarding services (A subject of constant debate.)

600: ISDN

700: Carrier defined (All sorts of fun and games here).

710: U.S. Government (Only 2 numbers in the entire NPA!!)

800/888/877: Toll free services

866/855: Reserved for future toll free services

900: Pay for play call services ($ex $ex $ex!!!).


Where are in the world *are* the 500/700/800/888/877/900 NPAs?

SACs are everywhere and nowhere at the same time. Forgive my attempt at being Zen. 500/700/800/888/877/900 numbers are "translated" at the dial tone office into standard NPA-NXX-XXXX and then routed in the normal fashion. SACs are converted translated according to the Line Information and Routing Database. This is why you'll occasionally see someone on a newsgroup say they found a "900 backdoor". In reality they found the normal phone number that that 900 connects to. Telco types call these numbers "Plant test dialups"


Test prefixes

What are test prefixes?

Test prefixes are exchanges reserved by the RBOC for special purposes such as testing, special routing, TTY access, etc.


What are some test prefixes?

  • 555 is reserved for special purposes such as directory assistance, pay-for-play CNA, etc.
  • 959 is a holdout from the Ma Bell days, and supposedly still reserved for test purposes. We've had some bizarre findings here.
  • 855 is reserved for TTY services. Not really a test prefix though.


Are there unpublished (secret) exchanges?

Yes, there are exchanges that aren't published but still in use for various purposes. Some sensitive test numbers are likely in hidden exchanges.


How do I find unpublished (secret) exchanges?

If you happen to get test numbers out of the trash or out of trucks check to see if the exchanges they're in are listed in the phone book. A better way to fetch special exchanges is to go to NANPA.com and download the ?Central Office Code Assignments' in whatever area (as of this distribution of the FAQ only California and Nevada exchanges are available), and compare the utilized exchange list against a list of published exchanges. Keep in mind that "Utilized" means exchanges assigned, reserved, protected, held for future use, test, and special-use prefixes


Where can I find a list of exchanges that labels who's assigned what?

Telephone Prefix Location List http://www.thedirectory.org/pref/

Reference

What are some phreak IRC channels?

Keep in mind that many of these chatrooms follow the same rule that most chatrooms follow. No one talks about the subject that they are suppose to talk about. If you want to have a *gasp* intellectual discussion try to find some telco personel chatrooms.

Channels with an (I) are usually invite only

Channels with a (K) usually require a channel key


  • EFNet-
  1. 2600
  2. cellular
  3. hack (I)
  4. rock
  5. peng (I)
  6. realhack
  1. npa
  • Undernet-
  1. phonez


What are some newsgroups that deal with phreaking?

Alt.Phreaking is your best bet as far as general phreaking is concerned. Scary thought.

Alt.2600 A zoo

Alt.Phoneloser

Alt.2600.phreakz

Alt.hackers

alt.hack.nl

alt.hacker

de.org.ccc -German H/P newsgroup run mainly by the Chaos Computer Club


What are some newsgroups that deal with telephony?

comp.dcom.telecom

comp.dcom.telecom.tech

What are some good phreak websites?

[phreaking.iscool.net Rancho Nevada (Fixer's Site)] http://phreaking.iscool.net

Textfiles.com http://www.textfiles.com

The Phone Punx Network http://fly.to/ppn

ITRIS



What are some good phreak ezines?

Phone Losers of America http://www.phonelosers.org


Security Breach availible from the PPN website


Phrack http://www.phrack.com


Phone Punx Magazine http://fly.to/ppn


What are some good phreak print zines?

2600 www.2600.com

Subsciption info- 2600 Subscription Dept PO Box 752 Middle Island, NY 11953-0752

Subscrition fees: United States: $21/yr individual, $50corporate. Overseas: $30/yr individual, $65 corporate.


Root zine http://www.openix.com/~mutter/

Subscription info- root zine PO Box 1178 Maplewood, 07040 Regular Subscription U.S. Resident Non-U.S. Corporate

1 Issue Sampler $2.00 $2.50 $10.00 2 Issue Subscription $4.00 $5.00 $20.00


Back Issue Each $2.50 $3.00 $20.00 Volume $9.00 $10.00 $70.00

(please make checks payable to "Root Zine")


What are some good telecom sites?

The FCC: The government agency that regulates us. Take a peek at their site, as they publish some neat stuff. (http://www.FCC.gov)

Telecom Archives: This page is an archive of the comp.dcom.telecom newsgroup. The FAQ is excellent, the articles are good and if all else fails you can post to the newsgroup. (http://hyperarchive.lcs.mit.edu/telecom-archives/)

Telecom Information Resources: This is simply a monstrous list of telecom/networking FAQs and sites. Don't bother unless you're looking into arcane topics and have a good working knowledge of the topic already; most people listed on this site never heard about KISS. (http://www.spp.umich.edu/telecom/technical-info.html)

PacBell Search: Surprisingly helpful, PacBell search will outline lots of InterLATA carrier information for you (including the law), COCOTs, and other sundry phone related info. (http://www.pacbell.com/ir/search/index.html)

LexiCat Search Demo: This site is a REAL gem. It offers a searchable index of terms (it cross references everything), as well as articles and reports on related topics. Warning: This is a demo for a product. After 10 searches it resets itself and won't allow you back. Reload the page after every few searches or else. (http://www.tra.com/cgi-bin/ft-LexiMot/ID=19970912152925603/lexi7800.html)

Blackbox Search: Try their search if you need info on LANs or direct connection. This is an online catalog, but you can still extract enough useful stuff to make going here worthwhile. (http://www.blackbox.com)

Lucent: These people are pretty straightforward about what they offer. Lucent makes STUFF, unlike Bellcore which peddles information. Accordingly, Lucent will talk and talk and talk about their products.(http://www.lucent.com/search/search.html)

Raytheon: These people unsettle me a bit. Raytheon is a blanket electronics firm that holds primarily DoD contracts. If you have a morbid interest in missile guidance you'll LOVE this site. They also hold the contracts on encrypted voice switches used in the DSN.(http://www.electrospace.com/business/telecomm.htm)

Lockheed Martin: Now controls NPA allocation (They bought it from Bellcore. Here ends an era.), and is happily distributing for free all sorts of useful information Bellcore used to sell for A LOT of money. This site lists all SACs, NPAs, and some stuff I didn't think was publicly available. (http://www.nanpa.com/)

Country/Area/City/Code/Decoder: Pretty self explanatory. (http://www.xmission.com/~americom/aclookup.html)

International payphone index:(http://www.cybercafe.org/cybercafe/pubtel/pubtel.html)

AT&T Toll Free Directory: I use the print edition for browsing in general, but this is a handy site to have around.(http://att.net/dir800/)

  • Outside Plant Magazine is a great reference. Subscriptions may be obtained from http://www.ospmag.com Fill out a reader response card too, the manufacturers have some really cool promo materials.
  • Jensen Tools sells every piece of gear you could ever want, including lots of strange specialized stuff like tools to open payphone housings. http://www.jensentools.com

What's a newsline?

Newslines are tape recorders connected to phones.... sorta. When you call a newsline it will play the tape, which will be information pertinent to the company or organization who runs the service. Most if not all of the RBOCs have newslines to keep personnel informed in the field. A few union locals have newslines too. They're a good way of keeping up on what's going on in the company. These things used to be really popular (Nynex had 20 separate ones once upon a time), but are consolidating into RBOC newslines now.


Tools and Toys

What tools should I have in my 'kit'?

Every so often, someone asks what sort of tools they should be carrying, or writes an article on 'Field Phreaking Kits'. There are myriad tools that a phone phreak might find useful depending on what they're doing. Below is a short list of what you might want to have either on your person or in your shop and why.


A Leatherman, Paratool, Power Pliers or other multi-tool: These things are the greatest. Depending on what you purchase you'll have a selection of screwdrivers, a pair of pliers, a knife, a wire stripper, and awl, and all sorts of other good things.

A can wrench: If you do a lot of beige boxing you might want to invest in the tool that linemen use to open enclosures. Can wrenches can be hard to find, but they're sold by specialty telecom companies. Look in the back of Outside Plant magazine for ads. Failing that, a 7/16 hex driver and a 3/8 nut driver will open any can.

A handset or beigebox: The uses for these things abound.

A Mini-Maglite: How can you expect to get anything done without a flashlight?

A tone tracer and an induction probe: I've found some neat uses for these... though they're hardly necessary for standard work.

A good multi-meter: A good multi-meter will be a great help to you at one point or another, especially if wiretapping is your thing or you get called on to install some phones.


Where can I get a lineman's handset?

For more info on handsets and other telco tools visit Lineside's Telecom Site - http://www.angelfire.com/ga/linesidetelco/index.html

Contacteast Contact East 335 Willow Street North Andover, MA 01845-5995 (508)682-2000

Jensen Tools 7815 S. 46th Street Phoenix, AZ 85044-5399 (800)426-1194

Specialized Products 3131 Premier Drive Irving, TX 75063 (800)866-5353

Time Motion Tools 12778 Brookprinter Place Poway, CA 92064 (619)679-0303


Where can I get a DTMF decoder?

Before you sink a few hundred bucks into a DTMF decoder, ask yourself if you really need a dedicated decoder. Beepers will serve rather well as DTMF decoders. Simply record the number you want decoded and play it into your beeper. Many customer service numbers or voicemail numbers will decode touchtones too. Honest to god DTMF decoders can be purchased at Ham radio shops, better electronics stores, and spy shops if you're REALLY desperate. Most phreak zines will publish schematics for them once or twice during their production.


Where can I get a good scanner?

Hamfests are a great resource for radio gear. Online auctions also seem to have the damndest things.


Where can I get an acoustic coupler?

Telecoupler.com and Blackbox.com both sell acoustic couplers for a bit more than $100 a piece. Keep in mind that using a coupler is very obvious, and throughput over a payphone blows no matter how fast your modem is.


Where can I get (Some specific telephone related tool or device)?

Central Office Equiptment/Heavy Stuff: http://www.telecombids.com/

Military/Esoteric Stuff (If you can't find it elsewhere try here): http://www.drms.dla.mil/

Contacteast Contact East 335 Willow Street North Andover, MA 01845-5995 (508)682-2000

Jensen Tools 7815 S. 46th Street Phoenix, AZ 85044-5399 (800)426-1194

Specialized Products 3131 Premier Drive Irving, TX 75063 (800)866-5353

Time Motion Tools 12778 Brookprinter Place Poway, CA 92064 (619)679-0303



Dirty Tricks

Tapping

How do I tap a phone?

Naughty naughty. Wiretapping is very very illegal. The most obvious is to use an in line tap: splicing another phone, tape recorder, or transmitter into the circuit you want tapped. For the more technically inclined: using an induction coil will spare you having to cut through a lot of insulation, and capactitatively isolated taps are VERY hard to detect.

For a good overview of phone tapping go to: http://www.tscm.com/outsideplant.html


How do I tap a cell phone?

      • This entry was gleaned from the Motorolla Bible.***

You have a few options here too. The cheapest is to get an old TV capable of picking up UHF. Set a TV to UHF channel 82 or 83 and crank up the volume; you should intercept cellular. The most reliable but most expensive and annoying is to get a scanner. A simple, easy way to tap cellular is to modify a flip phone.

  1. Get a Motorola Flip phone, one of the ugly gray blocky things.
  2. Take off the battery and look real hard at the back of the phone towards the bottom. You should see two gold pins with a space in between them. Get a little piece of foil and wedge it into the hollow to create a third pin. Now put the battery back on.
  3. Dial 68#. You should see a prompt to the affect of ? US CODE
  4. Dial 08## to open a frequency.
  5. Input a frequency. (111234, 11223, 11224, 11411 are common)

Note: the Motorola Bag Phone works infinitely better for cellular monitoring. The reception is clearer, and the range is far greater than the low powered flip phone, particularly when a real antenna is attached.

Thanks to Tom Icom for that tidbit.


      • This entry was gleaned from the Motorolla Bible.***

Tapping cellphones is more fun when you can keep tracking a conversation as it gets handed off from cell to cell. To accomplish this, its nesecary to hack the Forward Voice Channel. When you hit on a good conversation, dial 40#. If the phone is handed off to another cell, the channel number will be broadcast to the phone along with alot of junk. If you see a string of numbers scroll by, the phone has been handed off. Look at your display and write down the second, third and fourth characters (it should be two digits and a letter). You'll need to convert these from hex into binary. Throw away the first two bits. Now convert whats left into decimal. This is the new channel number. Dial 110XXX#, where XXX is the channel number.


How do I know if someone is tapping me?

This section will get a nice boost depending on the publication of an article i'm currently writing. Anyway, the most basic tool you'll need for detecting phone taps is a volt ohm meter, preferably with a cap checker.


Can I really turn someone's phone into a payphone? I saw it in a movie!!

Sure you can turn a normal phone into a payphone. Of course, it isn't easy. To alter someone's class of service you need to access RCMAC or switching control and add a 'DTF' flag to that line.


Trashing

What is trashing?

Trashing is the practice of digging through people's trash, usually for credit card information, damaging personal information, useful goods that have been thrown out carelessly, for the fun of it, etc. In the phreaking sense, trashing is done to gather telco documents, phone numbers, equipment, and the always treasured bell hard hat. Some phreaks also trash other places such as electronic stores to try and find equipment. The most popular places for phreaks to trash are central offices, celcos and various computer stores.


Is trashing illegal?

If you do not belong on the property that you are trashing, then its trespassing. Some states have even passed laws that have separate penalties for trashing. If you get caught trashing and you're not on overtly private property (i.e. no fences), be polite and tell the truth... sorta. You're recycling stuff, and was hoping to make a neat find in this dumpster (which is the complete truth). The paper is only printed on one side, so you were going to use it for scratch paper. Whatever you do, try to be neat about it. Don't make it look like you were there and do not damage other people's property.


How do I find my local central office?

Keep an eye out. COs are usually very conspicuous (Bell Atlantic is fond of gargantuan banners and signs), often having a large sign with the name of the local telco outside. If you have the means, there are a handful of programs for locating COs.

CO Finder for Windows at www.stuffsoftware.com/cofinder.html. NPA for Windows at www.pcconsultant.com/dlnpa.htm LATTIS PRO at http://www.triquad.com/wire.html

They will supply you with all sorts of neat facts about the office too. Beware, these things are EXPENSIVE.



Scanning

What is scanning?

In phreaking terms, there are two different types of scanning. The first one is called exchange scanning. This is where you scan an exchange in hopes of finding a certain type of number. Most of the time exchange scanning is done with a wardialer, or a program that scans that exchange for you and saves the numbers for you in a separate file to review the results later. Scanning can also be done by hand which called manual scanning. Most of the time people scan exchanges for terminal numbers. However, test numbers, voice mail boxes, and other such numbers are often scanned for. Another type of scanning is frequency scanning. This type of scanning is the same type radio frequency scanning that Ham radio buffs do using scanners that you can get in Radioshack and other electronic places. The phreaking purpose of this is to pick up cordless and cell phone conversations. Some use this just to hear other people's conversations but others use it to get credit card numbers and other personal information that people carelessly say on wireless phones. Visit the PLA at http://www.phonelosers.org for more information on frequency scanning.


Exchange scanning

Where should I be scanning?

Most test numbers are concentrated in the -00XX and -99XX ends of an exchange. If you're looking for dialups, RBOCs are starting to dedicate entire exchanges to businesses. Locating one of these and wardialing here is a good tactic for finding business carriers.


How did the phone company find out I was wardialing?

Wardialers are a good way to get the phone companies attention. They have equipment that notifies them of repeated sequential dialing and abnormal amounts of toll free calls. If you want to wardial, make sure your program does the following: randomizes times between calls and that it randomizes sequence of calls (so they're non-sequential). You might want to beige it too...


Frequency scanning

Selecting a Scanner/Receiver

If you're new at scanning, and don't have a scanner, this is essential: after all, in order to listen in, you're going to need a radio! One decent place to get a scanner is Radio Shack. Avoid their cheaper models - you want to get a scanner with at least 100 channels and 800mhz coverage (this will be explained later). If you are buying at Radio Shack, wait for a sale, as you will save a load of cash. A distinct advantage with buying from Radio Shack is that you can return scanners within 30 days (with receipt) and get your cash back, in the event that you don't like that particular scanner.

With any scanner you buy new from RS, bear in mind that you're not going to be able to receive cell, and there are no modifications available (by federal law) that will make new scanners receive cell.<RS scanner evaluations/prices>

One can acquire more exotic receivers over the Internet. Generally, these receivers are expensive, but you will get full frequency coverage (inculding cellular). Some highly esteemed radios are the Yupiteru MVT-7100 and the AOR AR-8000.<Foreign dealers/radios/prices>

What can I listen to?

Some of this hinges on your scanner. Pretty much every scanner around today can receive standard 43mhz cordless phones. In addition to this, these "standard" scanners will receive VHF and UHF communications. This typically includes: -Police -Fire -EMS -Business Communications -Ham Radio

If you have purchased a better receiver with 800mhz coverage, you might be able to listen to: -800mhz police/fire/ems transmissions -900mhz analog cordless phones -929mhz paging signals (will be covered later) -Analog Cellphones (if you have an imported receiver - more on this later)

How do I listen to xxxxxx?

  • 43mhz (lowband) cordless phones

First of all, you need to know the 25 cordless phone channels. They are listed at the end of this section. Program your scanner with these channels and scan through them - you should start hearing people talking on the phone. That's it, easy as that. A few troubleshooting tips for poor reception:

  • If it's a handheld scanner, try holding the scanner in your hand rather than letting it sit on a table. Your arm will act as a ground for the scanner (kinda like an antenna), enabling better reception.
  • The "rubber ducky" antenna that came with your handheld scanner sucks for receiving these types of signals. A quick and dirty fix is to take a long (maybe 10-15ft) piece of wire, wrap it around the attached rubber ducky a few times, and then tack it up onto the wall. Experiment with different winding techniques and antenna placements for best results.
  • Get a real antenna. The Radio Shack 9-section telescoping whip works great for cordless reception. Just attach it to your scanner, extend it all the way, and you're cooking with gas. This antenna should only run you about $10.
  • Police Transmissions (along with fire, ems, etc)

First of all, you need to know the frequency of the police department you wish to monitor. These frequencies are generally public knowledge (i.e. shouldn't be hard to find). First, browse through the Police Call books found in Radio Shack - you will probably find the frequencies there. Alternatively, check around the net for the correct frequencies. Sometimes the people at RS might even know the frequencies themselves, or they might know somebody who does.

Once you get the right frequency, program it into your scanner and you are set.

Other Public Service and Business Communications

Maybe you want to listen to taxicabs, mall security, or maybe school buses. First try looking through Police Call for the right frequency. If you have no luck there, try the net - there are many frequency resource pages around. If you're still coming up with nothing, try the FCC's Wireless Telecommunications Bureau records search. It's slow and a pain in the ass to use, but it has the frequency of EVERY licensed radio user in the USA.

Sometimes you just can't find the frequency you want: maybe it's not listed, and those bastards aren't licensed, or maybe you want to monitor one specific part of a large agency. Example: My local community college has a little dinky police force who use radios for communication. Since they are part of the county government, their frequencies are listed in the FCC database only as being an agency of the county I live in. Since there are a gazillion county agencies, all with radio frequencies licensed to them, it would be impossible to know which frequencies they used. But not all hope is lost yet. Enter the frequency counter. When somebody transmits, all I have to do is get close enough to get a real strong signal into the frequency counter, and voila! On the frequency counter's LCD display the transmitting frequency will appear. This frequency will indicate the general range of where one would look around to receive that agency's radio traffic.

Cellular Telephones

Listening to cell can sometimes be very, very difficult. If your scanner is old, it might receive cell out of the box. Some older scanners have cellular frequencies blocked, but can be modified (read: screwdriver and soldering iron) for cellular reception. Scanners sold in the US today, however, simply can't tune into the cellular frequencies or be modified to do so. But, you can still listen to cellular calls with your newer scanner. Due to a particular scanner's design characteristics, it might receive _image frequencies_ of cellular transmissions. For example, a cellular call might take place on 870mhz. Now, since 870mhz is in the cellular band, it will be blocked on my new scanner. But if I tune around 896mhz, I will receive the cellular call. There are certain spots on some scanners where cell traffic can be heard outside of the (blocked) cellular bands; you will have to tune around to see if your scanner has this "bug", and where. This is an advantage to buying from Radio Shack, as you can see if a particular scanner can receive cellular image frequencies without risk of blowing $200 on a scanner that doesn't get cellular.

Digital Stuff

After using a scanner for a little while, tuning around, you will probably notice lots of non-voice signals. Some of these signals contain digital information which can be decoded with the help of your computer. Basically, there are 3 types of digital data that can be decoded and is also of interest to the phreaker.

The Discriminator Mod

In order to decode digital data with accuracy, a listener needs the raw radio signal from the transmitter. Your scanner does some funky shit to the signals it receives, which in the end, make voice signals sound much nicer. These same circuits, which improve sound quality, wreak havoc on digital signals. In order to get a clean signal, you will have to tap the discriminator output of your scanner. Basically, this consists of installing a new jack into your scanner and soldering 2 wires on the inside of the scanner: one to ground, and one to the discriminator output. Believe me, it's easier than it sounds. You can find a URL which gives the specific points where you must tap the output and other information pertaining to discriminator modifications at the end of this section.

POCSAG transmissions

POCSAG is the most widely used digital paging format. If you have a beeper, it's probably using POCSAG. Most POCSAG signals are heard in the 929mhz-931mhz range and are VERY strong. Once you have performed the discriminator mod on your scanner, simply connect the discriminator output to your sound card line in jack. Then fire up your preferred POCSAG decoding software and monitor who is getting paged. My personal favorite program is POC32; it has a nice interface and provisions for labeling each capcode (a capcode is a beeper's individual identification number; this lets paging companies cram many pagers onto a single frequency) with an alphanumeric tag. You can also search for specific phone numbers and/or capcodes.

MDT transmissions

MDT stands for Mobile Data Terminal. MDT's are those terminal-like thingys that are mounted in some cop cars. The cops assume that nobody has the ability to monitor these transmissions, and so they are MUCH more descriptive about what's going on with MDT messages. To decode MDTs, you will need a scanner with a discriminator mod, and the appropriate software. Fire up your scanner and tune it to an MDT frequency, and listen away. Please note that there is only software (currently) for monitoring MDT's using the Motorola MDC-4800 protocol, so if your cops aren't using MDC-4800, you're out of luck.

Cellular phone data

It is possible to snag analog cellular ESN/MIN numbers off of the air as they are transmitted by the cellular phone to the telco. This is a fairly complex subject, and it requires a significant degree of technical skill. Basically, one must build something called a Hamcomm interface to convert the discriminator output into a format that a serial port can interpret. Then, software such as Snarf can be used to decode the cellular data streams into usable ESN/MIN numbers. The exact process involved, however, is beyond the scope of this FAQ. More information on this can be accessed through Brian Oblivion's Radiotelephony Archive.







osp.gif

buggedboot21.jpeg

pedastal67.jpeg

ped1800closed.jpeg

ped1800p.jpeg