Orange Boxing - the half-assed Guide

 =======================================
| Key Pulse Issue 63                    |
| Orange Boxing - The half-assed guide  |
| Written by: Cuebiz (Team Black Sheep) |
 =======================================

 
In the beginning
=================
   This is actually the 3rd revision of this very file. I would greatly like
to thank Lucky225 for actually helping me weed out most of the clerical errors
(I say most because any day now, someone is going to send me more corrections
to make). Lucky225, once down with the 809 crew, is a writer for the Hacker
Quarterly (2600) and the maker of the first Orange box ever put to actual use.
He's written TWO articles on the subject, both of which have been questioned
and analysed to death. Many people are still trying to figure out the exact
mechanics of it or whether it really works. In this file, I'll make a theoretical
dissection of Lucky225's FSK session capture, attempting to put some or many
questions to rest.
  
   First and foremost, in his first file, he explained that an Orange box is a box
made to "spoof" the name/number/date/etc. displayed on standard US CLID units.
He explains that you blast a mixture of 2130Hz+2750Hz (aka a CAS tone), wait for
a response tone from the remote CLID unit (AUTOVON "D"), and then blast through
your captured FSK session or a computer simulation of an FSK session. Now, what
THIS file was meant to teach you is: how to create your own FSK sessions (or at
least know what is being sent when you blast someone else's captured FSK session),
how to tell the difference between a CIDCW spoof and a regular CID spoof, and how
to get your hands on an actual WORKING Orange Box.


Now, if you've used Lucky's captured FSK recording, then this is what should be
displayed on the remote CLID unit.

                                ==============
                               | Out of Area  |
                               | 6:46P Sep 11 |
                                ==============

 Now, before I go any further, I'd like to go over some basic FREQUENTLY
asked questions, so you'll know what I am talking about throughout this file.

* WTF is FSK?
 FSK: abbreviation for Frequency Shift Keying. FSK is the name given to the modem
tones that your local C.O. uses to communicate with subscriber-loop CLID units
to display your CLID information.
 
* WTF is a CAS tone? 
CAS = acronym for CPE Alert Signal. Used to alert the CLID unit that there is an
incoming call on call waiting; once the remote CLID unit hears a CAS tone, it
mutes the whole handset to receive the CLID information of the new caller.

* What does MDMF stand for? 
MDMF = acronym for Multi-Data Message Format, a transmission used to display CID
information, INCLUDING the name of the person calling (as opposed to SDMF).


Now, let's dissect Lucky's FSK tones
====================================
  FSK tones are merely a series of binary equivalents of the information to be
displayed, usually sent about 500-600ms after the first ring (before the second
ring). So, why is an "Out of Area" FSK capture SO short compared to other
'normal' FSK captures that you've probably heard? Let's take a good look:


Description             Decimal   ASCII     FSK Binary
---------------------   ------    -----   ---------------
Transmission: SDMF        4               0 0 0 0 0 1 0 0

9 Character Minimum       9               0 0 0 0 1 0 0 1

9th month (sep)          48        0      0 0 1 1 0 0 0 0
                         57        9      0 0 1 1 1 0 0 1
                          
11th day                 49        1      0 0 1 1 0 0 0 1
                         49        1      0 0 1 1 0 0 0 1
 
18 hours (6pm)           49        1      0 0 1 1 0 0 0 1
                         56        8      0 0 1 1 1 0 0 0

46 minutes               53        4      0 0 1 1 0 1 0 0
                         54        6      0 0 1 1 0 1 1 0

Out of Area              79        O      0 1 0 0 1 1 1 1

Checksum                  5               0 0 1 1 0 1 0 1


Note: 1200Hz represents the mark, also known as the "1"
      2200Hz represents the space, also known as the "0"
      Both tones are sent at -13.0 dB (because they're checked)


  Okay, in the above EXAMPLE, I used SDMF for the mere reason that it's
shorter, and thus easier to explain. An MDMF transmission is MUCH MUCH longer,
but follows the same basic principles mentioned above, so you should be able
to do all of this on your own. An MDMF transmission would go in this order
(well, not always in this exact order):

128 (MDMF)
Length of CID transmission
1
Month
Day
Hour
Minutes
2
10 (length of number)
Line number (broken down into binary)
7
Length of name
Name (broken down into binary)
Checksum

Anyway, I've included the decimal values for the purpose of computing the checksum.
As you can see by looking at the ASCII values, the FSK binary tones are just as I
said: the binary equivalent of the information to be displayed ;) Now, how did I get
that checksum? Simple (I recommend you use a calculator for your first several times,
just till you get it right): by adding up the decimal values (excluding the checksum),
you'll come up with 507. Now, open up your scientific calculator and display the
modulus of 507 (your total) / 256 (standard for computing CID checksums), and you
should get ... 251. Now, the binary equivalent of 251 is 11111011. So you must replace
all of the 1's with 0's and 0's with 1's, except the last number, which must always be
a 1, so 11111011 turns into 00000101, which is the binary equivalent of 5. And that's
how you compute a CID checksum. Get it? Now, the reason why you have to turn the number
around like that is that when the C.O. "checks" the checksum, it should result in "0",
meaning zero errors, and everything's fine. If the C.O. messes up, most likely it'll
just give out errors on the remote CLID unit's display.



Spoofing -
==========
 So, in an ideal CID "spoof" attack, one would send a channel seizure (a
continuous flow of alternating 1's and 0's for 255ms), immediately followed by
180ms of continuous 1's, then the CID information, and then a checksum. This would
make everything so fun and simple if SS7 allowed us to send signals via our voice
lines before the initial pick-up on the other end, but we can't; if we could, then
a sample CID "spoof" call would go as follows:


 =====                              =================
| You |                            | Remote CID Unit |
 =====                              =================

Dial XXX-xxxx    ---------------->        

                                          Ring ...

Send channel Seizure ----------->
Send Continuous 1's -------------->
Send CLID Info  ----------------->
Send CheckSum ------------------->        
                                          Ring ...


 So, seeing that you cannot actually "spoof" a CLID unit via *ring* -spoof- *ring*,
you would have to establish an actual voice connection with the person whose CLID
unit you want to "spoof". A sample CIDCW spoof would go something like this:


 =====                              =================
| You |                            | Remote CID Unit |
 =====                              =================

Dial XXX-xxxx -------------------->

                                         Ring ...
 
              <-------------------   "Hello?"

You talk   ----------------->    "ATNT, please hold"


* Send channel Seizure ----------->

Send SAS Tone ------------------>
Send CAS Tone -------------------->

              <-------------------   Sends seizure Wink

Send CLID Info  ---------------->
Send CheckSum -------------------->       

           

                              
Still on callers line ------------>    "Still there?"


* Lucky225 has explained to me that CIDCW actually DOES have a "channel seizure"
which is 80ms of 1's.


The Orange Box Theory
=====================
  The only way to actually fool someone into thinking you're someone else would be
to op-divert the call and, once connected, spoof your CLID info. Of course, they
would first see "Out of Area" (or whatever), and then your "new" CLID info; if they
know nothing about Caller ID, then this should be enough to trick 'em.


Getting these tones
===================

FSK Session Tones:

  Recently, The Fixer has created a program called "SOB - Software Orange Box" which
should work. I've listened to an exported .wav, and it seems normal. I am yet to test
it out. You can download SOB from Http://artofhacking.com.

  You can download Lucky225's FSK capture from www.home.dal.net/verizown/orange.html

  I personally recommend that you try creating these tones on your own, using the
calculations featured here; but heh, it doesn't matter what I think, it's whatever
floats your boat. I guess you could try creating your own tones with CoolEdit or
something similar (you could probably use BlueBeep).


SAS/CAS Tones:
  Both tones can be downloaded from my soon-to-be-released "Nothing Dialer", which
is just a clone of Cuebiz's Wacky Dialer (except it just plays .wav's), or you could
use Lucky's idea to get a CAS tone by opening up your Radio Shack tone dialer and
soldering an 8.192MHz crystal (assuming you've previously made a redbox) in place of
your 3.579545MHz crystal, and using the "*" button to play the CAS tone.


Readers Note
=============
  Initially, I typed up this file JUST to show you how to calculate CID checksums,
and then Lucky225 emailed me asking for corrections. So, now that most of the
tragic errors have been taken into consideration, I would consider this file a semi-
complete write-up on what an Orange Box does and how to use it. I would like to give
a big thank you to Lucky225 for helping this file grow.


Readers Resources
=================
Telco Inside (of course) - www.t1s.8k.com
Verizown - www.home.dal.net/verizown
The Art of Hacking - www.artofhacking.com
http://www.testmark.com/develop/tml_callerid_cnt.html
