|
UHF MOBILE PHONE TECHNOLOGY AND YOU ME, YOU, AND THE REPEATER ~~~~~~~~~~~~~~~~~~~~~~~~~ What you will be accessing is the repeaters in your local area. Most large cities have at very least 5, and some have upwards of 15. Now each repeater usually is accessable throughout the city, although they get better reception in certain areas. Soo, once you estabish the region that works best for you, that will be the target repeater. Now, when you dial the repeater, you will get another tone, much like a PBX, where you are supposed to enter the extension of the mobile phone you wish to reach. Remember that each repeater is independant, so you will need to program yourself on all the ones you wish to use. Also, choose one as your base channel, usually the one that is in the region you will be around the most, and program this one for ringing capab- ilities. One of the real benifits of this is you can set up multiple extentions on each repeater, and have tons of phone numbers and extensions. You can also access the voice paging feature, and capture a voice mail box. This is accomplished by simply assigning yourself a 5-tone pager id, and then finding the phone number of the VMB that corresponds to it. This is especially nice when you don't necessarily want people to realize where you are, or when you want to call screen losers. HACKING THE ZETRON ~~~~~~~~~~~~~~~~~~ Here's the big joke of this... The 'hacking' process. The admin extension is usually 7 digits, and usually starts with 000. Now that's still quite a few possibilities, right? Nope, the shitty designers of this system made it so when you enter a incorrect number it gives you that wrong tone. So say the password is 0004311, when you call up, you enter 0, no tone? Enter 0 again. Still no tone? Enter 0 a third time. No tone again. Now enter 0 a fourth time. Ding-dong... Wrong tone. Now just repeat the first three, and try 1 for the fourth, and so on. Basic. And once you're in, there are no other passwords... Boy these people sure are security concious. THE SUPREME MENU ~~~~~~~~~~~~~~~~ Here's a 'flow-chart' of the menu structure for most Zetron-series repeaters. I include the main and sub-menus, and also all the possible selections for each command. Now remember, the system is hot-key, and you can type '!' anywhere in it to get back to the main menu. It's formatted a little past 80 columns since it is more useful printed and I wanted it even-looking. Here we go... [S]YSTEM --+--- [C]OR -------+------- P. Polarity active high Yes/No | +------- H. Hold time (*100ms) 0-50 | +------- Q. Quiet time (*100ms) 0-100 | +------- M. Mob Tx-to-Rx time (*100ms) 0-20 | +------- A. Mob act time (*sec) 15-255 | +------- V. COR validation active high Yes/No | +------- B. Channel busy active high Yes/No | +--- [A]CCESS ------+----- S. Sign-on mode 0-2 | +----- D. DTMF timeout (*100ms) 30-250 | +----- R. Min. regenerated digits 1-15 | +----- U. Phone-to-mobile use ANI Yes/No | +----- M. Mobile-to-mobile use ANI Yes/No | +----- P. #+ANI disconnect Yes/No | +----- C. Dial click decode mode 0-3 | +--- [H] DISPATCH ---+---- H. Repeater Hold Time (*100ms) 0-250 | +---- S. CTCSS Hold Time (*100ms) 1-30 | +---- T. Timeout (*min) 1-10 | +---- I. Hog Idle Time (*sec) 1-25 | +---- L. Hog Limit Time (*min) 1-99 | +---- P. Hog Penalty Time (*10sec) 1-250 | +---- R. Dispatch ID Rate (*min) 1-99 | +---- D. CTCSS for dispatch Yes/No | +---- O. Courtesy tone Yes/No | +---- M. Stuck Mic ID Yes/No | +--- [P]AGING ----+------- D. Keyup delay (*25ms) 0-200 | +------- T. Talk time (*sec) 5-25 | +------- V. Vox hold time (*100ms) 0-50 | +--- STATION [I]D ----+--- M. Mode 0-3 | +--- I. Interval (*min) 1-99 | +--- S. Call sign (chrs) CCCC### | +--- AUTO[D]IALS ---+----- 1. (chrs) 0-16 chars | +----- 2. (chrs) 0-16 chars | +----- 3. (chrs) 0-16 chars | +----- 4. (chrs) 0-16 chars | +----- 5. (chrs) 0-16 chars | +----- 6. (chrs) 0-16 chars | +----- 7. (chrs) 0-16 chars | +----- 8. (chrs) 0-16 chars | +----- 9. (chrs) 0-16 chars | +--- [V] TOLL RESTRICT -+- 1. Max toll digits 1 1-30 | +- 2. 1st digit restrict 1 (chrs) 0-4 chars | +- 3. 2nd digit restrict 1 (chrs) 0-4 chars | +- 4. Max toll digits 2 1-30 | +- 5. 1st digit restrict 2 (chrs) 0-4 chars | +- 6. 2nd digit restrict 2 (chrs) 0-4 chars | +--- [T]ELCO CONTROL --+-- 1. Call limit timer-1 (*min) 1-60 | +-- 2. Call limit timer-2 (*min) 1-60 | +-- 3. Channel ringouts-1 1-25 | +-- 4. Channel ringouts-2 1-25 | +-- O. Delay before dialout (*100ms) 5-100 | +-- D. Disconnect on 2nd dialtone Yes/No | +-- M. Dialout mode 0-3 | +-- V. Override dispatch Yes/No | +--- LINE [1] SETTING --+- A. Rings until answer 1-20 | +- D. Channel busy rings 1-25 | +- M. Answer mode 0-2 | +- U. Auto call user 0-99 | +--- LINE [2] SETTING --+- A. Rings until answer 1-20 | +- D. Channel busy rings 1-25 | +- M. Answer mode 0-2 | +- U. Auto call user 0-99 | +- P. Priority override Yes/No | +--- [L]OCAL PHONE ---+--- D. Channel busy rings 1-25 | +--- M. Answer mode 0-1 | +--- U. Auto call user 0-99 | +--- [M]ISCELLANEOUS --+-- D. Courtesy tone duration (*25ms) 1-10 +-- F. Courtesy tone frequency (*10Hz) 35-100 +-- A. Automatic gain (AGC) on Yes/No +-- H. High pass filter on Yes/No +-- S. CTCSS add-in Yes/No +-- R. ANI for system relays (chrs) 1-8 chars +-- 1. User relay 1 mode 0-4 +-- 2. User relay 2 mode 0-4 +-- B. Run modem at 300 baud Yes/No [U]SERS ---+--- [A]CCESS -------+---- U. User range 1-325 | +---- E. User enabled Yes/No | +---- M. Mobile-to-phone Yes/No | +---- P. Phone-to-mobile Yes/No | +---- B. Mobile-to-mobile Yes/No | +---- H. Dispatch Yes/No | +---- C. COR to answer Yes/No | +---- S. * to answer Yes/No | +---- D. # to disconnect Yes/No | +---- F. Fast ANI required Yes/No | +---- L. Line select Yes/No | +---- 2. Line 2 default Yes/No | +---- A. Autodial mode 0-15 | +--- [O]PERATION -----+--- U. User range 1-325 | +--- E. User enabled Yes/No | +--- Q. Equipment type 0-4 | +--- N. Number of ringouts mode 1-2 | +--- S. Ringout style 0-7 | +--- O. Courtesy tone Yes/No | +--- X. Full-duplex mobile Yes/No | +--- P. Privacy Yes/No | +--- M. Call timer mode 0-2 | +--- T. Toll mode 0-2 | +--- D. DTMF thru Yes/No | +--- F. Page format 0-5 | +--- C. Tone/code drop mode 0-2 | +--- 1. Enable relay 1 Yes/No | +--- 2. Enable relay 2 Yes/No | +--- [S]PECIFIC ----+----- U. Current user 1-325 | +----- E. User enabled Yes/No | +----- A. ANI code (chrs) 0-8 chars | +----- F. Page format 0-5 | +----- P. Page code (chrs) (Above #) | +----- X. Tx tone/code 0-38 | +----- R. Rx tone/code 0-38 | +--- [T]ONE DISPATCH -+--- U. Current user 1-325 | +--- E. Enabled Yes/No | +--- R. Reserved Yes/No | +--- X. Tx tone/code 0-38 | +--- T. Tone in tail Yes/No | +--- V. Privacy Yes/No | +--- O. Courtesy tone Yes/No | +--- H. Hog Mode Yes/No | +--- M. Morse ID (chrs) | +--- [L]IST ------+------- U. User range 1-325 +------- A. List ANI users Yes/No +------- T. List tone dispatch users Yes/No SUPER[V]ISOR +- A. Program mode ANI (chrs) 1-7 chars +- N. Supervisor user number 0-99 +- S. Reset system programming Yes/No +- D. Reset dispatch programming Yes/No +- U. Reset ANI user programming Yes/No +- M. Logon message 0-34 chars +- L. List system programming Yes/No [A]CCOUNTING +- M. Minimum call time (*sec) 0-180 +- U. User range 1-325 +- 2. List ANI accumulated Yes/No +- 1. Clear ANI accumulated Yes/No +- 4. List tone dispatch accumulated Yes/No +- 3. Clear tone dispatch accumulated Yes/No [T]EST ----+--- A. Tone 1 frequency (*10Hz) 35-100 +--- B. Tone 2 frequency (*10Hz) 35-100 +--- 1. Single tone (=Telco:1,Tx:2) 0-2 +--- 2. Dual tone (=Telco:1,Tx:2) 0-2 +--- 3. CTCSS tone (=Tone) 0-38 +--- 4. Emphasis (=Off,On) Yes/No +--- H. Hybrid adjust (=Off,On) Yes/No +--- D. DTMF/Click detect (=Telco:1,Rx:2) 0-2 +--- C. COR detect Yes/No +--- K. Click calibrate Yes/No +--- S. Sense line states Yes/No +--- T. CTCSS Decode Yes/No +--- M. Memory Yes/No [O]PTIONS --------- Lists the Tone and Normal Users [E]XIT ------------ Hangs up the modem PROGRAMMING THE SYSTEM ~~~~~~~~~~~~~~~~~~~~~~ Ok, Here's a default settings buffer for the system, and I will explain what each thing means in the next section, so read and absorbe... SYSTEM PROGRAMMING FOR phone # (repeater name) AS OF date COR MENU P. Polarity active high = Yes H. Hold time (*100ms) = 1 Q. Quiet time (*100ms) = 50 M. Mob Tx-to-Rx time (*100ms) = 2 A. Mob act time (*sec) = 32 V. COR validation active high = Yes B. Channel busy active high = No ACCESS MENU S. Sign-on mode = 0 D. DTMF timeout (*100ms) = 50 R. Min. regenerated digits = 7 U. Phone-to-mobile use ANI = Yes M. Mobile-to-mobile use ANI = Yes P. #+ANI disconnect = Yes C. Dial click decode mode = 0 DISPATCH MENU H. Repeater Hold Time (*100ms) = 30 S. CTCSS Hold Time (*100ms) = 8 T. Timeout (*min) = 3 I. Hog Idle Time (*sec) = 5 L. Hog Limit Time (*min) = 5 P. Hog Penalty Time (*10sec) = 30 R. Dispatch ID Rate (*min) = 15 D. CTCSS for dispatch = Yes O. Courtesy tone = No M. Stuck Mic ID = Yes PAGING MENU D. Keyup delay (*25ms) = 40 T. Talk time (*sec) = 10 V. Vox hold time (*100ms) = 1 STATION ID MENU M. Mode = 2 I. Interval (*min) = 15 S. Call sign (chrs) = xxxxxxx AUTODIALS MENU 1. (chrs) = 2. (chrs) = 3. (chrs) = 4. (chrs) = 5. (chrs) = 6. (chrs) = 7. (chrs) = 8. (chrs) = 9. (chrs) = TOLL RESTRICT MENU 1. Max toll digits 1 = 15 2. 1st digit restrict 1 (chrs) = 1111 3. 2nd digit restrict 1 (chrs) = 0000 4. Max toll digits 2 = 7 5. 1st digit restrict 2 (chrs) = 00 6. 2nd digit restrict 2 (chrs) = 00 TELCO CONTROL MENU 1. Call limit timer-1 (*min) = 3 2. Call limit timer-2 (*min) = 3 3. Channel ringouts-1 = 4 4. Channel ringouts-2 = 4 O. Delay before dialout (*100ms) = 20 D. Disconnect on 2nd dialtone = Yes M. Dialout mode = 1 V. Override dispatch = No LINE 1 MENU A. Rings until answer = 2 D. Channel busy rings = 6 M. Answer mode = 1 U. Auto call user = 0 LINE 2 MENU A. Rings until answer = 2 D. Channel busy rings = 6 M. Answer mode = 1 U. Auto call user = 1 P. Priority override = No LOCAL PHONE MENU D. Channel busy rings = 6 M. Answer mode = 1 U. Auto call user = 0 MISCELLANEOUS MENU D. Courtesy tone duration (*25ms) = 3 F. Courtesy tone frequency (*10Hz) = 54 A. Automatic gain (AGC) on = No H. High pass filter on = Yes S. CTCSS add-in = No R. ANI for system relays (chrs) = *1 1. User relay 1 mode = 0 2. User relay 2 mode = 0 B. Run modem at 300 baud = Yes ** End of list ** IMPORTANT COMMANDS TO KNOW ~~~~~~~~~~~~~~~~~~~~~~~~~~ Ok, Now I'll discuss some of the more necessary commands, and what they do. Most of the others are pretty easy to figure out, or are not necessary. The only really useful area is in the TOLL RESTRICT, TELCO CONTROL, and menus. The system is usually split into two different systems, although on MOST they only use one of them. So, what you want to do is configure the [2] settings for you, and leave the [1] settings untouched (so they are not aware of the usage. You will want to change the following in the TOLL RESTRICT menu: 4. Max toll digits 2 = 20 (Amount of numbers) 5. 1st digit restrict 2 (chrs) = (Non-allowed first digit) 6. 2nd digit restrict 2 (chrs) = (Non-allowed second digit) This will allow you to call oversears or special numbers with no hassle. Next in the TELCO CONTROL menu: 2. Call limit timer-2 (*min) = 99 (The Maximum call time) 4. Channel ringouts-2 = 9 (Number of rings before giving up) This will configure your phone to allow 99 minutes per call, and let you ring someone nine times. Make sure not to edit anything within the STATION ID menu, since this will bring the FCC down on the operators head, and we don't want the repeater to get shut down. Also, if you were wondering what they do if they find out that you're in the system, well, that's easy. They disable the phone modem and enable the packet one, so only people with HAM setups are able to call up and alter information. This is a little extreme, but most of the time it will happen if you're billing an enormous amount of calls to it, or taking up a massive amount of airtime (and neglecting to cover it up). VIEWING USER INFORMATION ~~~~~~~~~~~~~~~~~~~~~~~~ This is one of the nicer and more useful functions of the system, this way you can get a complete listing of all the repeater users, and what services they have available. Here's a list of the most common (and most important abbreviations used in the user list... A = Privacy B = User enabled C = * to Answer D = # to disconnect E = DTMF thru F = Number of ringouts mode K = Call timer mode P = Mobile-to-phone Q = Phone-to-mobile R = Mobile-to-Mobile U = Toll mode PRIVACY means whenever you speak, the repeater will transmit a beeping sound, so anyone listening will only be able to hear the person you call. USER ENABLED is self explanitory, * TO ANSWER means you will only need to dial '*' to answer calls, instead of '*' plus your ANI. # to disconnect is the same an answer, but to cancel a call. DTMF thru means the repeater will allow DTMF tones to be transmitted. NUMBER OF RINGOUTS MODE is which phone callout mode you have (set this to [2], your custom callout setting). P,Q,and R all pretty much are the same, allowing users to call from on to the other. TOLL MODE is another you set to [2], altering from the default toll settings. Ok, and now here's what the user printout looks like. USR is the actual user number, the letters A-X correspond to the above list, ANI is the extension number, RX is the recieve tone, TX is the transmit tone, TYPE is the type of paging service, and PAGE is their 5 tone sub-audible... Model xx (xxxxxxx) Usr Programming ANI Rx Tx Type Page --- ABCDEFGHIJKLMNOPQRSTUVWX -------- ---- ---- ------ -------- 1 nYYnY100nn1nnnnYYYnn200n D 0 0 *None* 2 nYYnY100nn1nnnnYYYnn200n 1000 2 2 *None* 3 nYYnY100nn1nnnnYYYnn200n D 3 3 *None* 4 YYYnY100nn1nnnnYYYnn200n 1001 4 4 *None* 5 nYnnY100nn1nnnnYYYnn200n 1002 5 5 *None* 6 nYYYY100nn1nnnnYYYnn200n 1003 6 6 *None* 7 nnYnY100nn1nnnnYYYnn200n D 7 7 *None* 8 nYYnY200nn1nnnnYYYnn200n 1004 8 8 *None* 9 nYYYY100nn1nnnnYYYnn200n 1005 9 9 *None* 10 nYYYY100nn1nnnnYYYnn200n 1006 10 10 *None* 11 nnYYY100nn1nnnnYYYnn200n D 0 0 *None* 12 nYYYY100nn1nnnnYYYnn200n 1007 12 12 *None* 13 YYYnY100nn1nnnnYYYnn200n 1008 13 13 *None* 14 nnYYY100nn1nnnnYYYnn200n D 14 14 *None* 15 nnYYY100nn1nnnnYYYnn200n D 0 0 *None* 16 nYYYY100nn1nnnnYYYnn200n 1009 16 0 2 Tone 12345 17 nnYYY100nn1nnnnYYYnn200n D 17 17 *None* 18 nnYYY100nn1nnnnYYYnn200n D 18 0 *None* 19 nYYYY100nn1nnnnYYYnn200n 1010 19 19 *None* 20 nYYYY100nn1nnnnYYYnn200n D 20 20 *None* 21 nnYYY100nn1nnnnYYYnn200n D 0 0 *None* ** End of list ** The ANI is what people calling you need to dial (i.e. your extension), and the number you need to dial in order to make calls out. The best way to use this is to just piggy-back someones existing account. They definantly won't complain when they get all the wonderful features, and then that also leaves a very obvious (and innocent) scapegoat... My favorite kind. The tone userlist is a little different than the mobile users... This is mainly for pagers that happen to be using the same repeater, although that is highly uncommon. Here it is... TONE DISPATCH LIST FOR xxx-xxxx (xxxxxxxxx) Model xx (xxxxxxx) Usr Programming Out Tone ID ------ ABCDEFG ------------------------- 1 nnnnnnn 1 2 nnnnnnn 2 3 nnnnnnn 3 4 nnnnnnn 4 5 nnnnnnn 5 6 nnnnnnn 6 7 nnnnnnn 7 8 nnnnnnn 8 9 nnnnnnn 9 10 nnnnnnn 10 11 nnnnnnn 11 12 nnnnnnn 12 13 nnnnnnn 13 14 nnnnnnn 14 15 nnnnnnn 15 16 nnnnnnn 16 17 nnnnnnn 17 18 nnnnnnn 18 19 nnnnnnn 19 20 nnnnnnn 20 21 nnnnnnn 21 ** End of list ** There has never been any configured on any of the systems I've been on, so I can't really tell you too much about the configuration information, although that would lead me to believe that the feature isn't very exciting. THE CALLER LOG... THE ENEMY ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Unfortunantly, as with everything in life, there's always a snag... The caller log, although in this case it just takes a little extra effort to trick the ever present enemy. Every space means there were some accounts inbetween the used accounts that are deactivated. Here's what the log looks like... CALLER LOG FOR xxx-xxxx (xxxxxxxxx) User 6 01:22:30 87 Access(es) User 12 00:37:02 48 Access(es) User 13 00:27:01 40 Access(es) User 16 00:23:56 49 Access(es) User 19 00:28:26 33 Access(es) User 21 00:11:18 14 Access(es) ** End of list ** On the surface this may appear to be fairly useless, but there is something to be feared here. Many of the companies take it upon themselves to total the time used, and then divide by the number of accesses. Now what this tells them is the average call length... And if you're making 45 minute calls, this is going to boost the call time just a LITTLE past 3 minutes, then all they do is the same thing on a user by user basis and wala, they know whose account you're on. It only takes a little bit of extra effort to cancel this out though. Just place a shitload of small calls, like 10 secs, and one of those for every 2 or 3 minutes you've used on your long call. This safely masks your using of the system, as long as you aren't calling Alliance or making LD calls. It is true that you can zero this list in the accounting menu, and that's another way you can get around it, although this alerts them as to there is either someone else on the system (and they're trying to hid something), or that there is some sort of problem with the system, and they either try to fix what is not wrong, or give up and write off the problem (and this is what you hope). For those who wish to have all the reference, here's the Tone Dispatch Log... TONE DISPATCH LOG FOR xxx-xxxx (xxxxxxxxxxxxx) User 1 00:07:53 User 2 00:13:53 User 3 00:23:14 User 4 00:01:23 User 5 00:13:09 User 6 00:02:04 User 7 00:05:14 User 8 00:01:00 User 10 00:03:43 User 11 00:00:02 User 12 00:42:40 User 13 00:02:07 User 15 00:00:03 User 16 00:15:46 User 17 00:01:22 User 18 00:14:22 User 19 00:01:34 User 20 00:01:55 User 21 00:00:33 ** End of list ** FREQUENCIES ~~~~~~~~~~~ Here's the technical description of the frequencies they use: 405-425, 440-460, 450-470 (in 12.5kHz steps) Now since this even though this isn't dual-synchronis, is does use two freqencies per channel. Now, is the first frequency was 405.000kHz, the sister frequency would be 405.900kHz. Pretty basic, eh? The second frequency (your transmit one) is always 0.900 kHz above the recieve. Usually you can call up your local mobile phone company and find out their repeater frequencies... Hell, several have faxed me complete listings and their effective range, I sure do love companies with great customer service! The tones which are used by the repeaters (both audible and subaudible) are FCC regulated, so they are a standard... Meaning the repeaters tone 13 will be the same as the Yaesu's tone 13. For more information on the tones, simply go to your local library and see what the government has regulated for your area. CAN YOU SAY... YAESU? ~~~~~~~~~~~~~~~~~~~~~ Now there are many different manufactures of UHF phones out there, but the one I would recommend over Motorola and Maxon would be Yaesu. They started out as a pro equiptment dealer only, selling some of the best HAM radio gear around, then about 2 years ago they entered into the commercial market. Now they heave several handheld units available, but I would recommend above all the others the FTH-7008. It sells for around $500 (but who's paying? (Refer to Carding, My Way series)), and has a Priority Channel, Scan, Hi/Lo Power settings, Auto-Squelch, and 15 channels (not crystals, but synthesis). Now, you will also need the FTT-4DT (make SURE it's the 4DT not just the 4, because otherwise it won't work). Now the FTT-4DT is a DTMF pad which goes on the unit between the battery and the body, you can easily do the instilation yourself, and the unit runs around $280. Now what this gives you above and beyond the keypad is a squelch which will only turn off when it recieves a certain 2-tone combination or a 5-tone sub- audible. These are used to make the unit either ring for an incoming call, or to respond when a page comes through. Now here's the beauty of Yaesu. Your dealer can AND WILL sell you the software and hardware necessary to program it yourself. It runs around $80 and is for the IBM XT or better. This drives the FCC CRAZY and gives you TOTAL power... Now all you need to do is hack into the repeater and wala... Phone service. USES AND ABUSES ~~~~~~~~~~~~~~~ Now here's the payoff... Not only can you make calls out, long distance or otherwise, and not have to worry about being billed or located, but you can recieve calls in an almost totally secure way. Now you must keep in mind that this is only half duplex, so the modem is out of the picture, but for voice communication, from anywhere in you city and most likely ajacent cities, this is the best thing since sliced bread! Now you can assign yourself as many different extensions as you want, and I would recommmend changing them fairly frequently. Also try to be away from home and/or on the move when calling, since this will reduce the chances of being located if they should somehow become suspicious. About the only way they will is if you do bill long distance numbers to the Repeater, or if you dominate the airtime on it. Once a month the owner of the repeater goes out on sight and gets a usage log. Usually calls are limited to 3 minutes, so the average call is 2 minutes. Now, if you're dominating the system, the average call is going to be quite alot more than 3 mins, and he's going to know something strange is going on. Of course, all he can do is change the password, and we all know how 'secure' that is... hehe. Now there are also companies (real bastard ones, who deserve to be fucked) that run mobile like it was cellular, and charge minutely. Now these guys are EASY to fuck with, since you can create yourself an account, take it off the minutely billing cycle, and just don't make LD calls, only recieve calls... Wala now you have a RADICAL phone, which will most likely never be discovered (mine hasn't been for close to 4 months, and boy is it nice!). Now one note on this... Usually it isn't the cops who deal with this, it's the FCC, and believe it or not, they actually do get the job done fairly well. But this by no means says it's dangerous... On the offical Vindicator Danger scale this only rates a 3... And even lower if you're cautious.