TUCoPS :: AOH Originals :: datapac.txt

DataPac Hacking by The Fixer (v1.1)

$$                                                                          $$
$$                            A Guide to DataPAC                            $$
$$                                                                          $$
$$           A Technical Information File for the Canadian Hacker           $$
$$                                                                          $$
$$            (C) 1989,1990 The Fixer - A Free Press Publication            $$
$$                                                                          $$
$$                       Edition 1.1 - April 18, 1990                       $$
$$                                                                          $$


Welcome to the exciting world of Packet Switched Data Communications.  Your 
position as an outside hacker makes Telecom Canada's Packet Switched
Network -- DATAPAC -- an even more magical place for you and all those close 
to you.  Isn't life grand...

What is DataPac?

DataPac is the Packet Switched Network of Telecom Canada, a consortium of 
major telephone companies across Canada.  Originally brought into being in the 
late 1970's, Datapac's main purpose is to provide effective, reliable, high-
speed data transfer to the business computing community nationwide.  Several 
different levels of service are available on Datapac, from public-access PACX 
access that resembles a digital telephone system, to dedicated high-speed 
point-to-point leased lines.  Since most hackers aren't likely to have a 
leased line in their homes, this file will be mainly concerned with Datapac's
Public Network.

Logging on:

Firstly, find the phone number of the DataPac public dial port in your locale.  
DataPac has provided dial ports in almost every town with a population higher 
than the average IQ, and has WATS access ports for the rest of Canada.  You 
will find the phone number for the appropriate modem speed in the white pages 
under DATAPAC PUBLIC DIAL PORT 3101 (at least that is where it is in BC Tel's 
phonebooks.)  The WATS numbers are available in Telecom Canada's annual 800 
service directory, or to this 800 scanner, The Bible.  Tommy's Canadian WATS 
phonebook also carries a set of WATS DataPac dial ports.

Once you have connected, raise DataPac's attention by typing a period (.) 
followed by a carriage return.

You should now have a prompt resembling this:

DATAPAC: 6470 0138

You have entered a whole new world.

Basic addressing:

To the remote user (YOU), DataPac works pretty much like a normal phone system 
would, except that communications are data, not voice, and to connect to a 
system, you type an ADDRESS rather than a phone number.  

Perhaps the first system a hacker new to DataPac should connect to is 
DataPac's own information service.  Its address is 92100086.  This service 
provides documentation and information relative to DataPac, and is invaluable 
to all DataPac users.  This file will (attempt to) avoid duplicating the DIS 
and simply explain the basics of hacking it.

As you see, 92100086 is eight digits (nice base-2 number...).  On DataPac, 
addresses are commonly shown in two parts, i.e. 9210 0086.  This clarifies the 
TRUE MEANING of the address and shows its similarity to a phone number: the 
first four digits are the "prefix" and the last four are the "suffix."  The 
prefix is unique to a given location in Canada, for example all DataPac 
addresses staring with 6470 are located in Victoria, British Columbia.  A 
given location may have one or several prefices, depending on the "population 
density" of subscribing systems in each area.  So, as you might imagine, 
Ottawa is far from being our largest city but has the second highest number of 
subscribing systems, thanks to our Beloved leadership (the Loony Mulroney).  
Toronto, Montreal, Vancouver, Edmonton and Ottawa all have several DataPac 
prefices.  This will become important to you later in this file.

The last four digits, the suffix, is as arbitrary as a phone number suffix 
would be.  Although the range is 0000 to 9999, it is very rare to find a 
DataPac subscriber system with a suffix higher than 2000.  This too will be 
explained later.

DataPac Outdial and the NUI

DataPac offers users of the public switched network NUIs, or Network User 
Identifications.  These are identification codes for a monthly charge that 
entitle the DataPac user to greater access to the system.  DataPac charges by 
the month, by the minute, and by the KiloPacket (256,000 bytes) for access.  
If you have a NUI, these charges are billed to you (or the owner of the NUI, 
heh heh heh).  If you don't, all your connections on DataPac are treated as 
"collect", or billed to the system you connect to.  Obviously, a great number 
of systems will not accept your collect "call" and you will find this a common 
message from DataPac as your exploits on the system wear on.  Needless to say, 
this makes NUIs a cherished asset among DataPac hackers.

DataPac offers a service to NUI subscribers called DataPac Outdial.  DataPac 
currently has dial-out modems in 18 major centres (NOT VICTORIA!  ARGH!)
through which calls within the local area of these modems can be placed at
300 or 1200 baud.  Needless to say, you M U S T have a NUI to use DataPac
Outdial, or be calling from a system with a dedicated line into DataPac
(some systems on DataPac let you "shell" back into the network; these are
real gems because you get NUI privileges).  The restrictions are that bauds
can only be 300 or 1200, and many off-network systems will cause DataPac to
drop the connection and give a "Remote Procedure Error."  Caveat Emptor.

Scanning DataPac

This is what you are reading this file for...

To scan DataPac, you pick a target city and prefix to scan.  Say Toronto, 
3910 XXXX.  For now, XXXX represents the suffix.  So, you want to start with 
zero.  The proper syntax would be 3910 0000 (or just 39100000).  ALWAYS PAD 
THE SUFFIX WITH ZEROES.  The address must be eight digits long.  Type this 
address in.  If you connect, you will be informed so.  If not, try the next 
one: 39100001 and then the next...
and so on.

You are likely to get several messages during the course of scanning DataPac, 
including Call Connected (the one you really want), Destination Busy (try 
later), Address Not In Service (no system there), Access Barred (either you 
need an NUI or it is originate only), Collect Call Refused (You need an NUI).
If you really screw up, you might get one of these:

Invalid Address: You typed less than 8 digits.

Comma required before Data Characters: Usually seen when the hacker makes a 
"typo".  DataPac allows you to pass parameters to the host system by following 
the address with a comma and one or more data characters.  This is 
infrequently used so nothing more will be said.

Now, DataPac has some anti-scanning mechanisms in place, which can be defeated 
readily.  If you get more than 9 error messages in a row, DataPac will hang up 
on you.  Also if you are connected to DataPac for a certain period of time (it 
almost seems random but it averages about a minute) without successfully 
connecting to a system, you will also be dumped.  So robotically scanning one 
number after the next will result in many re-dials, as DataPac is not densely 
populated enough to guarantee a connection for every nine or fewer scan 
attempts, even if you are using an NUI.  So, what you need to do is insure 
that you DO successfully connect often enough to avoid having to redial often.  
You are much more visible to the phone comapny when you scan than you are to 
DataPac, so minimising your redial "profile" is to your benefit.  You can 
assure minimal redial if you connect, say, every 5 dial attempts, to a KNOWN-
GOOD address, and then disconnect from it.  Disconnecting is not difficult, 
just type CTRL-P followed by the letters CLR or CLEAR.  The ^P CLR string will 
result in the message: Call Cleared - Local Directive, and more importantly, 
will reset that hack-counter and hack-timer so you can continue scanning 
without actually phoning DataPac multiple times.  

In the course of testing my own scanner programs, I have come across a few 
addresses which I connect to normally, then immediately clear the connection, 
giving the messages:
DATAPAC: Call connected to 5550 0039
         (001) remote charging,n,128

DATAPAC: Call Cleared - Remote Request

This is a good number if you use an automatic scanner because you just call 
that address say every 8 calls and continue scanning.  At this writing, 
55500039 is no longer a "working" address, so you'll have to find one on your 

To save time, you will probably want to end your scan of a given prefix at 
XXXX2000.  It has been my own experience that little or nothing lies ABOVE 

Once You Connect

After you have performed a scan of a DataPac and you have a list of addresses, 
you're halfway finished.  Now yo want to manually dial each of these systems 
to find out what they hold.  Many will just freeze, some will have computers 
such as VAXes and System/370s running a wide variety of operating systems.  
Truly DataPac is an Eden for hackers.  

Some systems will have PACXs of their own; these always have more than one 
computer connected and many have dialout ports.  DIALOUT ports, although 
usually password protected, are the elusive Fata Morgana of the DataPac 
scanner.  Private dialouts are usually free of the kludges and restrictions of 
DataPac's dialout and can call anywhere in the world.  No wonder most of them 
have passwords.  If you find an unprotected private dialout, or the password 
and address of a protected one, you Sir have hit the proverbial jackpot.
The Gandalf PACX has DIALOUT as a DEFAULT, and few PACXs have removed it, but 
almost all have protected it.

Now I am about to tell you something that may seem to contradict my earlier 
writing: A datapac address with a system on it MAY have sub-addresses.  The 
syntax is thus:
3910 0156 XX
3910 0156 X
You can place a ninth or even tenth digit on a known-valid address and you 
will usually connect with something that is often quite different from the 
prime address.  This is for systems without PACXs that want to have several 
machines on DataPac at the same address.  So much for only eight digits...

One final thing to try on a PACX is PAD or PAC.  Many PACX's allow you to re-
enter DataPac through the host system.  In most cases this gives you all the 
privileges of an NUI because DataPac has someone to bill now.  Your 
connections are no longer "collect" and the REAL fun, including DataPac 
Outdial, begins.

Other Networks

Yes, there is life beyond DataPac.  There are many Packet Switched Networks in 
existence around the globe, most of which can communicate with most of the 
rest.  In the United States, two major ones are Tymnet and Telenet (damned 

Now, you will find that even FEWER addresses from other networks will be 
available to Canadian hackers due to the fact that inter-network collect 
charges can be astronomical.  But since the US has a higher density in its 
networks than Canada, you will also find your scans of other networks can 
easily be as rich or better than DataPac scans.

The syntax for connecting to an address on a foreign network via DataPac is 
1 indicates an "OtherNet" call.  XXXX is the DNIC, Data Network ID Code.  
There is a text file on Tommy's Holiday Camp and other hacking BBSes listing 
the names and DNICs of the major networks worldwide; the number of them may 
surprise you.  YYYYYYYY can vary in length; different networks have different 
addressing syntaxes.  Telenet, like DataPac, uses an eight-digit address with 
possible extensions and data characters.  Tymnet uses a six digit address, 
also allowing extensions.  Finding the syntaxes for other networks may require 
a little ingenuity on your part; but you're a hacker, AREN'T YOU. 

Here is an example of a call into Telenet:
1 3110 31200061

1 was the Othernet indicator; it is the only circumstance in which a DataPac 
address may be LESS than eight digits (try 13106; you WILL connect).
3110 was the DNIC for Telenet.

31200061 was the Telenet address.  It works like DataPac, except that the 
Prefix is based on the area code in which the remote system resides.  Very, 
VERY helpful to scanners, and this makes Telenet a joy to scan.
When scanning a foreign network (and foreign can mean Canadian too; CNCP has a 
network with its own DNIC separate from DataPac) you will often get the 
following message:
DATAPAC: Call cleared - temporary network problem
This is usually an error message generated by the foreign network that DataPac 
doesn't support.  With 200 networks all claiming to be "THE Data 
Communications Authority", it's not surprising that their messages are not 
always compatible.

DataPac's DNIC is 3020.  Tymnets's is 3106.  Telenet's is 3110.

Legal Implications of DataPac

At this point, it is not at all illegal merely to be ON DataPac.  It is 
uncertain at this time whether SCANNING DataPac is a crime, or if the 
network's keepers know what is going on.  It is DEFINITELY an offence to try 
to hack a password on a system on DataPac just as on any other computer, but 
the question remains as to whether or not DataPac knows where you are.  Thus 
far no DataPac-related busts have been reported but there have been some major 
crackdowns on American networks.  The same advice can be given to DataPac 
hacking as to regular telephone hacking: (1) Scan randomly. (2) Scan with 
friends; this confounds investigations. (3) Hack passes at your own risk. 
(4) Remember the first law of bragging: Your friends turn you in


What you get out of this file will depend entirely on what you do with it.  As 
with all forms of hacking, a great deal of effort is required on your part to 
have a truly satisfying hacking experience, and you must be prepared to take 
certain risks, even to the jeopardy of your freedom.  If you have more than a 
rodent-level understanding of telecomputing you should now be able to hack any 
network in the world through DataPac, and with the right amount of initiative 
and ingenuity, the world is yours.....
 [][] The Fixer [][]

This file is copyrighted and wholly owned by The Fixer of The Free Press.
You are licensed to distribute this file on bulletin boards as long as the
bylines and copyright notices remain intact.  All rights reserved.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH