Part Two - The Guide To Mostly Chirpy Phreaking
Revised (not many corrections in Part Two) on February 2nd, 2001

Introduction to GTMCP 2

Welcome once again to The Guide to Mostly Chirpy Phreaking. I am your very happy host, Cuebiz. I would like to dedicate this chapter to the whole Key Pulse staff for being so supportive during this whole time. Kandy Acid, this one's for you!

Manual Wardialing and Auto-Wardialing

Wardialing is just dialing a whole bunch of numbers to see what interesting things you can find. You can check out some of my scans at Http://www.Fonez.8k.Com.

Update: My scans are now available at Http://takiweb.com/~jfaith

Okay, wardialing is best done by hand, but many people think that this is just shit-work. Well, to be honest, it is. There are only two ways to actually do this, manually or automatically, and either way you dial sequentially or at random. 5ESS does have alarms to notify people that you are dialing sequential numbers, and after a while you will get a phone call from a representative asking you to please stop it. If you continue, beware, since some states have made this a law, which means you can go to court and be fined for it. I highly recommend that you scan at random from your home and sequentially when at payphones. Sequential scans are way easier to mark, while random numbers are harder to write up on paper. If you are going to a payphone, you really should bring a paper marked something like this:

  1-800-756-23xx
  00
  01
  02
  03
  04
  05
  06
  07
  08
  09
  10

Your numbers should go all the way until you reach 99. That's 100 numbers. See, a random scan would be much, much harder to write out, since you have to actually write out all four numbers in a random order. Well, I leave it up to you. I only random scan from my house, and sequential from payphones. It's common sense, heh.

Okay, autowardialers are those programs that you can get from the Key Pulse webpage and others.
They are actually not any good, since they only find carriers and tones (yes, fax numbers count as carriers and aren't much use to you, but all wardialers will mark them as carriers). ToneLoc is still the best wardialer out there, since the numbers that it scans are at random and it makes it easier to scan a whole exchange without setting off any alarms with the telco. I still feel that scanning by hand is better, because you can tell the difference between a fax, a real carrier, and a TTY by its sound. A fax would sound like a carrier, but it would pause for a while and then hit a carrier tone once again; a TTY would state what it is before it sends its carrier; and a real carrier would send a straight carrier tone with NO pauses at all. Well, hope this was informative for someone. On to the next section.

Text Telephones (TTYs)

TTY is an abbreviation for a text telephone. In a nutshell, it's one of those little machines that deaf people use to place phone calls. A call on one of these would sort of go like this: you call the TTY operator, the operator answers, you type what number you want to dial, the operator dials and tells you when someone picks up, you type what you want to say, the operator tells your called party what you are typing, and vice versa. TTY machines are only available to people who are certified as deaf. I couldn't get one (I wanted to open it up to see what's inside, heh). Well, what I did do, though, was set my computer to emulate one. To me, if you want to make one of these, I would use an old computer with a modem that you really aren't using at the moment. Now throw on DOS-Navigator.
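Before the DOS-Navigator details, an added example for the wardialing section above (not code from this guide or from any switch vendor): the kind of sequential-dialing alarm the section says a 5ESS raises, written as a check over call-detail records; it also flags a random scan of one exchange, which goes beyond what the section describes. The record layout, the thresholds and the sample records are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed call-detail records for the example: (originating line, dialed number,
# start time, duration in seconds). Invented data, not output from any real switch.
SAMPLE_CDRS = [
    # one line walking 800-756-2300 upward a minute apart, hanging up within seconds
    ("555-0101", "800-756-2300", "2001-02-02T21:00:00", 8),
    ("555-0101", "800-756-2301", "2001-02-02T21:01:00", 6),
    ("555-0101", "800-756-2302", "2001-02-02T21:02:00", 7),
    ("555-0101", "800-756-2303", "2001-02-02T21:03:00", 5),
    ("555-0101", "800-756-2304", "2001-02-02T21:04:00", 9),
    ("555-0101", "800-756-2305", "2001-02-02T21:05:00", 6),
    # the same exchange hit in no particular order from a second line
    ("555-0202", "800-756-2317", "2001-02-02T22:00:00", 7),
    ("555-0202", "800-756-2388", "2001-02-02T22:01:30", 4),
    ("555-0202", "800-756-2304", "2001-02-02T22:03:00", 9),
    ("555-0202", "800-756-2361", "2001-02-02T22:04:10", 6),
    ("555-0202", "800-756-2342", "2001-02-02T22:05:45", 5),
    ("555-0202", "800-756-2399", "2001-02-02T22:07:00", 8),
    # ordinary use: a couple of short calls and one long one
    ("555-0303", "800-756-2350", "2001-02-02T20:00:00", 12),
    ("555-0303", "800-756-2351", "2001-02-02T20:10:00", 600),
    ("555-0303", "800-756-2352", "2001-02-02T20:30:00", 15),
]

def scan_alerts(records, window_minutes=30, min_calls=6, max_duration_s=30):
    """Flag lines that place many short calls into one exchange within a time window.

    Returns (origin, exchange, kind, distinct_numbers) tuples; kind is 'sequential'
    when nearly every call dials the previous number plus one, otherwise 'random'.
    """
    groups = defaultdict(list)
    for origin, dialed, start, duration in records:
        if duration <= max_duration_s:  # scanners hang up fast; real calls last longer
            exchange = dialed[:7]        # NPA-NXX, e.g. "800-756"
            groups[(origin, exchange)].append((datetime.fromisoformat(start), int(dialed[-4:])))
    window = timedelta(minutes=window_minutes)
    alerts = []
    for (origin, exchange), calls in groups.items():
        calls.sort()
        lo = 0
        for hi in range(len(calls)):
            while calls[hi][0] - calls[lo][0] > window:
                lo += 1  # slide the window start forward
            burst = calls[lo:hi + 1]
            distinct = {number for _, number in burst}
            if len(distinct) < min_calls:
                continue
            steps = sum(1 for a, b in zip(burst, burst[1:]) if b[1] - a[1] == 1)
            kind = "sequential" if steps >= 0.8 * (len(burst) - 1) else "random"
            alerts.append((origin, exchange, kind, len(distinct)))
            break  # one alert per line and exchange is enough
    return alerts

if __name__ == "__main__":
    for alert in scan_alerts(SAMPLE_CDRS):
        print("line %s scanned %s (%s, %d numbers)" % alert)
```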
DOS-Navigator v1.51 (I don't know about the rest) is freeware by RIT Research Labs and is available at Http://www.ritlabs.com, or you can do a boolean search for it on Altavista.com (search DOS+Navigator+download). I was surprised to find out that DOS-Navigator supports TTY emulation, and I could call the TTY operator with ease. Just be sure to set your modem to 300 baud, 7 data bits, no parity, and 1 stop bit. Heh, that was simple. I read a file that requires that you actually open up your computer to make TTY modifications. Don't touch the insides of your computers, people! Just use DOS-Navigator, it's much, much easier. Okay, now you've called your TTY operator (most likely it's 711). Just so you can actually carry on a conversation with the TTY operator, read below.

Using TTY Syntax

If you are familiar with IRC, you'll know that people like to shorten words and create somewhat of a slang that would later become common knowledge. Remember, you're supposed to know this already, since you're supposed to be a deaf person.

  GA       = Go Ahead. Use this for ending sentences, like when you're waiting for them to respond.
  SK       = Stop Keying
  GA or SK = Go Ahead or Stop Keying. This is being polite when you want to end a call.
  HO       = Hold On
  MTG      = Meeting (this is just an abbreviation)
  CUL      = See You Later
  OIC      = Oh, I see.
  GTG      = Got To Go

Closing of TTY Section

Well, maybe, just maybe, 711 doesn't work in your city or town. Well, here is a TTY WATS number to have fun with for now: 1-800-735-2929 (California).

Construction of a Ghetto Blue Box + Blueboxing for Newbies

Okay, this is what you all have been waiting for. What started it all. In this section I'll be discussing the topic of blueboxing. Most of this was just moved off the Key Pulse webpage, so please don't mind. Well, here it is...

Blueboxing

Thanks to the glorious in-band signalling, blueboxing in the US is practically impossible.
This has sent a lot of us blueboxers to look for international WATS numbers, mostly South America Direct lines that utilize CCITT 4 or 5. Blueboxing is not really hard either. The timing doesn't always have to be exact, and you have no operators to trick into listening to those tones. It's just you and the trunk.

How do I identify a blueboxable line?

C5 (or CCITT 5) lines tend to have a little more static on the line, and when you first hear a ring, you will hear some beeping/chirping noises. This is what you must look out for when scanning (I mean manual scanning, don't use ToneLoc!).

What do I do when I find one?

Of course, if you are reading this section, you are wanting to seize a telco trunk. So I'll go straight to it. You first send a 2400/2600/2100hz tone through the line for about 800ms. This will tell your trunk that you are ready to send signals to it. Wait about 800ms to a second. Now you send a cool 2400/2100hz tone through the line for about 300ms. This is what actually seizes the trunk. You now can use it to blast off to anywhere in the world via satellite or underwater cables.

How do I get those tones?

Okay, there are many options for you. I do have WATS numbers that emit those tones, but the recordings are really not so good. I advise you to go and download BlueBeep and construct these tones on your own. Now you just must possess a DAT card and record everything you need on all 5 "messages" and you're set. You can download BlueBeep at Http://Fonez.8k.Com.

Update: BlueBeep can be downloaded from l0pht.com and other 'hacker' sites. It's NO LONGER available from me.

How do I make a call with this thing?

Okay, I now assume you have no idea how to call anyone or what to do with all this power. Okay, the format of an international call would go like this:

  KP2 + Country Code + Area Code + Prefix + Suffix + ST

You can get all the country codes at the end of this file.

Key Pulse Chirpy Numbers

Here are some little chirpies so you can hear what they sound like.
Please take into consideration that these numbers can be blueboxed off of, and if you get busted, it's not my fault. I am only giving out these numbers for educational purposes. Anyway, probably by the time you get to read this, these numbers won't be in service anymore. ;)

  1-800-235-1154
  1-800-737-3275
  1-800-418-9393

Note: The tones are actually only 2400/2600mhz to send the wink, and then 2400mhz to seize the trunk. But unfortunately filters have been active lately and cut you off once it identifies you sending hardcore MFs through the line. To get past this, you add the 2100hz tone to add some line noise to the line to make it harder to detect. Simple, huh? Please take into consideration that color noise will work also! (Purple noise, pink noise, etc.)

Voice-Mail Hacking

Okay, hacking a voicemail system isn't very hard. Most of this is done due to weak passcodes that they have no idea exist. In this section I'll discuss the types of voicemail systems. Oh, and from now on, I'll be referring to a voicemail system as VMS and a voicemail box as a VMB. Okay, here we go....

What is Voicemail?

Voicemail is surely a common thing nowadays. A VMS is just a computer hooked up to some recorders and some other things. Its main purpose is that of a big answering machine that holds little answering machines. Okay, say you're at work. You leave your office for just a second, and when you get back, someone tells you that your phone was ringing for a long time, but they hung up. If you have a voicemail box, all you have to do is dial the extension of YOUR voicemail box and enter your passcode, and hopefully they left you a message. You see? What most companies don't realize is that you can also access your VMB remotely. Some offices have a special number that the VMS sits on, waiting for calls, and some are only active when the business is closed, so as to tell people that they are closed at the moment but you can leave them a message.
This is when the VMS will transfer you to a VMB and you can leave a recorded message. What they don't want you to know is that when you press # or * or 00, you will get a prompt that says something like, "Enter your mailbox number please". This is what they can use to check their messages from home, but what they don't know is that us nasty little phreakers can take this to our advantage. Well, ever want to give someone a phone number to call so you guys can get in contact with each other, but you don't want to give out YOUR phone number? Well, with a VMB number, you can give out that number and be practically anonymous. Another thing would be, if you have a WATS VMB number, you can talk to friends all around the country for free by calling their VMB and them responding on YOUR VMB. Get it? Okay.

CINDY Systems

Now, a CINDY system is a type of VMS. You can recognize these VMSs by the beginning recording. These will have a woman saying something like, "Good morning, please enter the mailbox number you wish...". This is very distinct, and I doubt you'll have trouble finding one of these. If you happen to find one that no one is using, once you press "0", you're in!

OCTEL Systems

OCTEL systems are obviously made by OCTEL Comm. I like this system. When you press # to get the login prompt, you get a friendly, "Hello (your name), please enter your passcode". Remember that the defaults that I always seem to find on Octels are the last four digits of their VMB. Yeah, that's right, the most common. Anyways, if you want to be serious about VMBs, I am telling you, the only thing better than this is a One-Connect.....

Commonly Used Passcodes

Here are the most commonly used passcodes that I've witnessed on a VMS. Please consider that another one, not on this list, is the first one you should always try. It's the last four digits of their VMB number. Remember that. THE LAST FOUR DIGITS!
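As an added example for this passcode section (not code from the guide or from any voicemail vendor): the check a VMS administrator could run whenever a mailbox passcode is set, rejecting the last-digits-of-the-box default described above and the short list of common codes this section gives, and going one step further by also refusing repeated digits and ascending or descending runs. The length limits and the sample mailbox numbers are assumptions.

```python
# Constructed example, not from the original guide or any voicemail system.
COMMON_PASSCODES = {"1234", "9999", "1111", "4321"}  # the short list this section gives

def passcode_problems(mailbox, passcode):
    """Return the policy violations for a candidate VMB passcode (empty list = acceptable).

    mailbox is the box or extension number as dialed, e.g. "800-555-2929" or "2929".
    """
    problems = []
    if not (passcode.isdigit() and 4 <= len(passcode) <= 8):
        return ["passcode must be 4 to 8 digits"]
    box_digits = "".join(ch for ch in mailbox if ch.isdigit())
    # the default the section says is tried first: the last digits of the box number
    if box_digits.endswith(passcode):
        problems.append("matches the last digits of the mailbox number")
    if passcode in COMMON_PASSCODES:
        problems.append("is on the common-passcode list")
    if len(set(passcode)) == 1:
        problems.append("is a single repeated digit")
    # differences between neighbouring digits: {1} or {-1} means 1234-style runs
    steps = {int(b) - int(a) for a, b in zip(passcode, passcode[1:])}
    if steps in ({1}, {-1}):
        problems.append("is an ascending or descending run")
    return problems

def is_acceptable(mailbox, passcode):
    """True when the passcode passes every rule above."""
    return not passcode_problems(mailbox, passcode)

if __name__ == "__main__":
    for box, code in (("800-555-2929", "2929"), ("2929", "1234"), ("2929", "7301")):
        print(box, code, passcode_problems(box, code) or "ok")
```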
The most commonly used passcodes are as follows: 1234, 9999, 1111, 4321

Other Types of VMSs

ASPEN (same make as OCTEL), One-Connect, AUDIX, Phone-Mail, RSVP, and CENTAGRAM.

NOTE: The reason why I didn't give out info on the VMSs mentioned above is because I have never actually owned a VMB on any of these systems. I can't say if I actually hacked one, but I can honestly say that I have never been subscribed to any of these. Though, the same commonly used passcodes pertain to these VMSs also. You can get a nice list of VMSs by checking out the Key Pulse PhoneBook.

PBXs and Extenders - Hmmm. What's up with that?

PBXs

Okay, I have come to the understanding that there are a lot of people confused on the differences between what a PBX is and what an Extender is. So here you will learn exactly what the difference is. PBX stands for Private Branch eXchange. Summed up, it's when some private company pays the telco a whole bunch of money to sort of "rent" out some of their trunks. PBXs are controlled via a small switch that is fully configurable to the sysadmin's pleasure. Some companies set up dialup lines that allow employees to make business calls on the company bill. Most of the time, when you call one of these dialup numbers, you'll get one of three things:

  1) A voice asking you to enter your extension (just like a VMS)
  2) A dialtone. This is when it's waiting for its code. Well, some don't have any, and in that case you just dial 9 to get another dialtone, and you can dial out.

Why do phreakers find PBX dialups so cool? Well, if any company sets up a line that allows someone to get a dialtone "remotely", then that means you can make a call and they pick up the tab. Interesting, huh?

Extenders

An Extender is owned by the phone company. The way they work is practically identical to a calling card.
You call a certain WATS number and you get a steady tone that pauses after a while, or a dialtone. This is when it's waiting for you to first enter your access code, then 1, then the number you're wanting to call. This is when your call is placed on the subscriber's bill and you get away with a bunch of free phone calls. Weeeeeeeee!

Closing of PBX / Extender Section

Okay, one more time, I'll try to make things a bit more clear. If you get a tone, it's an Extender. If you get a dialtone, it's most likely a PBX. When you finally make a call with it, you'll know.

Brief Understanding of Switching

Switching. You are not a phreak until you understand the system. Here I will give you a brief understanding of what kind of switching systems are out there and even a brief introduction to the insides of some of 'em.

What is a switch?

Okay, a switch is a system that figures out where certain information goes in the whole network and how to get it there (i.e., aiding in placing your phone calls). This is the basics of what a switch does. Here you will learn some of the extras that have been put into switches to help aid in making services faster and catching telco fraud (yes, that means you!). Switches that are well known in the US are as follows: DMS (10-100), product of Northern Telecom; 5ES Systems, product of Lucent; and GTD, product of GTE. 5ESS is the most common and most feared (well, most feared because it's so common, heh). Okay..... Ready or not.........

Electronic Switching System

As you know by now, ESS stands for Electronic Switching System. There have been many, many types of ESSs out there during its time, 5ESS-2000 being one of the most recent and most popular with RBOCs (i.e., SWBell, Canada Bell, all the *Bells, hehe) for the reason of it being versatile, or in other words more "plug n play" (good analogy, huh?).
Other forms of ESS that may still be active somewhere are 1AESS, 2ESS, 4ESS, 5ESS, and 7ESS (I am not really sure about 7, never really had proof of it). Why is 5ESS so feared? For good reason, of course. Okay, this is the low-down on 5ESS-2000. 5ES System is a fully configurable switch that can be updated at any given time with little or no need to interrupt its productivity, and so it is more economical and thus the least expensive to maintain. It also is one of the ONLY switches to handle BOTH wireless and landline services. Okay, okay, let's get to the part that concerns you, huh? Now, since a standard 5ES System can be "upgraded" at any given time to a 5ESS-2000, I'll just explain wtf (what the fuck) a 5ESS-2000 is and what it does. A 5ESS-2000 is, all in all, a super 5ES System. Some of its features include logging EVERY number you dial, how many ms (milliseconds) it took for each digit, what time the call was completed, how long the call was, etc... etc... etc.... (the list goes on and on). This is why I typed earlier that you never should sequentially scan from your home. 5ESS-2000 will send this information to someone in administration, and most likely you'll get a call from your telco asking you to stop it, OR they could just take your ass to court if it's illegal in your state (in most states, wardialing counts as harassment. I advise you to check out your state laws to find this info out).

Digital Multiplexing Systems

DMSs are, of course, products of Northern Telecom. You may find an RBOC utilizing this switching system, but I haven't. I really don't know much about these, so I can only give you a brief description of what these things do. DMS-200s are able to hold at least 300 to 65,000 trunks. Hmmm. Okay, here is where I c&p a bunch of stuff from some file:

"DMS switches are divided into four "Functional" areas designed to do certain operations.
These areas are: Central Control Complex (CCC), Network (NET), Peripheral Modules (PM) and Maintenance and Administration (MAP)."

I really don't know where this came from, but it pretty much explains some of the inner workings of a DMS-200. Well, I have never actually worked on one of these machines (yeah, I know PHRACK had a couple of articles on DMSs, but I can't really explain something that I haven't experienced "first-hand"). So, well, since I am such a ditz when it comes to DMSs, this is the end of this section.

Other Types of Switching Systems

These are the more or less "uncommon" types of switching systems that they have out there. The only reason why they're here is, well... it's nice to know that this type of switching exists (or did at one time or another).

  AT&T's (later passed on to be known as Lucent's): 1AES System, 1ES System, 2BES System, 2ES System, 3ES Systems, 3XB, 4ES System, 5AXB, 5ES System, 5ORM (Optical Remote Module), 5RSM (Remote Switching Module), RS System, SXS and 5XB
  Ericsson's: AXE10 and AXRSS
  Northern Telecom's: DMS1/200, DMS10, DMS100, DMS200, DPN, RLCM (Remote Line Conc Module), RLCM-10, RSLE (Remote Subscriber Line Equipment), and RSC (Remote Switching Center)

Note: There ARE many, many other types of switching systems that I haven't even begun to explain. But, well, I am a very lazy person and don't have the time or energy to type out a super long guide with elite ASCII art and shit with nice fancy fonts and all that. No bells and chimes here. Just straight to the basics. If you want to know more about the assortment of switches out there, I recommend you go out on the net and look up this information on your own. I am NOT going to do everything for you!

A Brief Understanding of Signalling

Signalling is what tells telco equipment where your call's going and how to get there. In the US, I'd say that 99.9% of all switching systems are utilizing SS7 (Signalling System 7), which is what some of you may know as In-Band Signalling.
What is In-Band Signalling?

Well, I'll tell you. Okay, back in the day when blueboxes worked in the US, they were utilizing MFs, right? Okay, this meant that a call would go something like this:

  You--->Trunk#1--->Switch--->Switch--->Trunk#1--->Your friend

This means that you're still on the same trunk, and how does the switch tell the trunk that you're making a call? Through audible signals, of course. This is what made blueboxing possible. If you had called any WATS (800) number and sent through a 2600hz tone, the trunk would think that the switch was telling it that you hung up, and then it would wait for the switch to tell it when it needs to be used again. And when you stop sending the tone, it will think, "Oh, my master wants me to make a call and I shall obey its wishes". This is when you can route your own call. But, of course, the telco changed its whole signalling to what we now call In-Band Signalling. A call on SS7 would go something like this:

  You--->Trunk#1--->data-link--->Switch--->data-link--->switch--->Trunk#2--->Your friend

Okay, this "data-link" that I speak of is exactly what it sounds like. The trunk speaks to the switch via ADSL or some other high-speed connection to tell it what you want it to do, and then the switch talks to another switch in your friend's area, and that switch throws you on another trunk that will later make your connection with your friend. In-Band means that it doesn't use MFs as its signalling anymore; it's all done by transmitted data.

Closing of Chapter Two

I know that this chapter sucked and I really feel bad about it (heh, NOT!). Well, this is pretty good for the time I took to actually type this all out (about 10 minutes or so..). Well, I'll see you in the next chapter. Smell yah later....

CUEBIZ - Fonez@ca.tc
Http://Fonez.8k.Com (g0ne forever) -- Http://www.TIS.8k.com

Quote From the Author: "My middle finger won't go down. How do I wave?"
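Appended example for the Note in the blueboxing section above (the trunk-side "filters" that cut a call off once supervisory tones are heard), not code from the guide or from any telco: a Goertzel-based detector that labels 20 ms frames of 8 kHz telephone audio by whether the 2400/2600 Hz compound tone or the lone 2400 Hz tone is present, and reports how long each run lasts. The frequencies and the wink-then-seize order come from the Note; the sample rate, frame size, threshold and the constructed test signal are assumptions.

```python
import math

RATE = 8000    # telephone-grade PCM sample rate, samples per second (assumed)
FRAME = 160    # 20 ms frames: bins are 50 Hz apart, so 2400 and 2600 Hz fall on exact bins
FRAME_MS = FRAME * 1000 // RATE

def goertzel_amplitude(frame, freq, rate=RATE):
    """Estimate the amplitude of a sinusoid at `freq` Hz in `frame` (Goertzel algorithm)."""
    n = len(frame)
    k = round(n * freq / rate)                 # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2  # |X[k]|^2
    return math.sqrt(max(power, 0.0)) / (n / 2)  # |X[k]| = A*n/2 for a pure tone of amplitude A

def classify_frame(frame, threshold=0.2):
    """Label one frame by which supervisory tones are present (threshold is assumed)."""
    present = {f for f in (2400, 2600) if goertzel_amplitude(frame, f) > threshold}
    if present == {2400, 2600}:
        return "wink"      # the compound tone the Note calls the wink
    if present == {2400}:
        return "seize"     # the single tone that follows it
    return "other"         # silence, speech, or anything else

def supervisory_events(samples, min_ms=100):
    """Return [(label, start_ms, duration_ms)] for wink/seize runs lasting at least min_ms."""
    labels = [classify_frame(samples[i:i + FRAME])
              for i in range(0, len(samples) - FRAME + 1, FRAME)]
    events, start = [], 0
    for i in range(1, len(labels) + 1):
        if i == len(labels) or labels[i] != labels[start]:
            duration = (i - start) * FRAME_MS
            if labels[start] != "other" and duration >= min_ms:
                events.append((labels[start], start * FRAME_MS, duration))
            start = i
    return events

def constructed_signal():
    """Test fixture (constructed, not a recording): compound tone, a gap, a lone tone, then speech-band audio."""
    def tone(freqs, ms, amp):
        return [sum(amp * math.sin(2 * math.pi * f * t / RATE) for f in freqs)
                for t in range(RATE * ms // 1000)]
    return (tone((2400, 2600), 800, 0.5) + tone((), 100, 0.0)
            + tone((2400,), 300, 0.9) + tone((1000,), 200, 0.9))

if __name__ == "__main__":
    print(supervisory_events(constructed_signal()))  # [('wink', 0, 800), ('seize', 900, 300)]
```

Speech at 1000 Hz and the silent gap produce no events, and a run shorter than min_ms is ignored, so a brief click on the line does not trip the detector.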