Basic Phreaking Skills. NeonDreamer of -=(PHILA)=- 10/5/1996
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I've been around for a while now, and there is AFAIK only one general
phreaking phile specific to the U.K. It is written by Pharlin J. Hack and
available at http://www.paranoia.com/~coldfire - a site to which I owe a lot.
This is no attempt to outdo it, but rather to complement available
information. Some of the information will be from cut-down versions of philes
I have written; you are encouraged to go out and learn something and release
the information yourself. If anyone needs a distro site we will be happy to
'publish' your stuff with full credits. Needless to say this information is
not to be used for illegal purposes and I cannot accept any responsibility in
the event you get busted.

So what are we going to cover?

 -Beige boxing
 -Blue boxing
 -VMB hacking
 -Payfone vulnerabilities
 -Ansafone hacking
 -Other boxes
 -The line monitor
 -What else is there?
 -Resources and references

If I start to include anything else this is going to become a monster phile,
and I have to do this in half an hour before I get kicked off the computer.


Beige Boxing
~~~~~~~~~~~~

This is really the only thing you'll ever need to know if you're just into
free calls. It is the simplest phreaking technique known to man, and here is
a cut-down version of a very long phile due for release in August:

If you're contemplating a move into the world of boxes, there can be no
easier, or ultimately more rewarding, mini-project than the beige box. Why
is it called a beige box? Why is a blue box called a blue box? It's all
historical: the first person to make a beige box made theirs from a beige
coloured handset. If we were all going to name boxes after their true colour,
then I would use an 'Off-White' box. So before we go into the rather basic
construction details, why do you need a beige?
Well first and foremost for using BT PCPs (them green boxes) as a convenient
launching pad for your exploits, either from the PCP internal line, or off a
customer who is connected in that box.

Firstly go and buy a fone. Get a self-contained handset type one - like the
cheapest ones out of the Argos catalogue. Check for: tone/pulse switching, a
ringer on/off switch and PABX compatibility. Now cut the modular jack from
the fone lead with wireclippers. Leave about 30cm of cord attached to the
jack. Strip back a couple of inches of insulation from the cord ends. It is
possible to do this without getting all cut up, because the gold pins of the
jack can be prised out and new wires added in, extending the reach of your
fone rather than diminishing it.

Inside the cord you will find three wires. I have finally torn up enough
fones to know that there is no attempt at convention in these matters. Get
some colour-coded crocodile clips and solder or crimp them on to the wires of
both the fone and the plug, after you expose a centimetre or so of the wires'
core. This can be a pain, and is not really necessary if used with an arsenal
of dedicated line monitors. More later...

Now you need to determine which wire does what. Plug the jack into a wall
socket and attach the crocodile clips to their coloured counterparts. You
will notice that only two wires are required for a dial tone. Make a note of
it so you aren't fumbling around on the job. I removed the crocs from the
third wire (which is basically your ring indication) to make life easy. Ring
indication is not necessary with a line monitor.

You now have a pristine beige box. Take it apart, put it back together, slap
some tape and dirt on it so you look like a pro and then get to a fone
line/PCP. In order to get into a PCP beg, borrow or steal a hex wrench. The
13mm one will fit the triangular bolt on a PCP. Find a quiet box - it's not
easy, but when you find *the* box ;-). Make it at night.
Unscrew the bolts and pocket them. Have your beige connected to the modular
jack, and open the PCP. Look around and find the BT socket. Plug yourself in
and listen. You should hear a dialtone; if you don't, you screwed up
somewhere along the line. These lines are normal BT lines. It is inadvisable
to call your mates, but bring along a laptop and you can dial up boards, scan
numbers, wardial etc. This kind of stuff will get you noticed. Assuming that
BT does actually monitor these lines for unusual activity, international
calls will be noticed. Mind you, I have heard BT engineers yabbering away on
them to their mates/wives/mistresses etc.

All those wires in the box will take you into subscribers' fone lines. Now is
*not* the time to go into pair localisation etc. because it is covered on
Coldfire's site, and besides, in the full phile we have a number of nice
tricks to reveal. So what can you do with someone else's fone line? If you
haven't got any thoughts in your head - retire. As a matter of courtesy, bolt
up the PCP when you've finished. This is going to extend your boxing life.

Now sometimes you will hit a box with wiring diagrams, anything from specific
diagrams for the PCP internals to (more frequently) a cable diagram for the
PCP area. This can be anything from an A4 sheet up to 3 or 4 A3 sheets. These
will give you a map reference (although for what map I don't know), the 'PCP
Area', which exchange the cables are routed to, the location of PCPs and
manholes in the area (down to the numbers of the houses they are outside).
They also have a history of amendments to the original map. With a little
local knowledge and a single one of these maps it is possible to find the
next box with a map, and so on - until you know the local area better than
BT. If you're feeling very nice you can photocopy and return them, or consult
them on the spot and never remove them from the PCP.

Ever heard of a Beagan box? Me neither until last week, but it is something
that can be done.
It's a fairly lame idea, but it works. Think many feet of cable.... Think
drill... Think back of a junction box and under a hedge.... Makes a real
difference from standing in the middle of nowhere clipped into a PCP to being
sat in a car nice and warm, but doing the same thing.

Using the beige you can also use domestic lines, payfone lines etc. All you
need to do is cut a razor-thin cut into a wire and hook the beige wires
around... A favourite place is train stations - because there are fone wires
all over the place. Try schools and hospitals (where they plug their payfones
into the wall using standard BT plugs (haha)). There are a lot of things you
can do.


Blue Boxing
~~~~~~~~~~~

This is either impossible or possible, depending on who you speak to. I
dabbled ages ago, but it's worth playing around with. Blue boxing is the art
of seizing lines in another country with the effect that you have operator
control over the line. BT and Mercury have 'country direct' numbers which
basically route you to an internal operator of another country.
A recent list of numbers for BT follows:

  COUNTRY                          NUMBER
  ~~~~~~~                          ~~~~~~
  o AT&T USA direct                0800 890 011
  o Australia direct               0800 890 061
  o Austria direct                 0800 890 943
  o Bahamas direct                 0800 890 135
  o Bahrain direct                 0800 890 973
  o Belgium direct                 0800 890 032
  o Bermuda direct                 0800 890 123
  o Bolivia direct                 0800 890 059
  o Brazil direct                  0800 890 055
  o Brunei direct                  0800 890 673
  o Canada direct                  0800 890 016
  o Chile direct                   0800 890 056
  o Colombia direct                0800 890 057
  o Denmark direct                 0800 890 045
  o Finland direct                 0800 890 358
  o France direct                  0800 890 033
  o Gabon direct                   0800 890 241
  o Germany Direct                 0800 890 049
  o Greece Direct                  0800 890 030
  o Hawaii direct                  0800 890 808
  o Hong Kong direct               0800 890 852
  o Hungary direct                 0800 890 036
  o Iceland direct                 0800 890 354
  o Indonesia direct               0800 890 062
  o Ireland direct                 0800 890 353
  o Italy direct                   0800 890 039
  o Japan direct (KDD)             0800 890 081
  o Japan straight (IDC)           0800 890 080
  o Korea South direct             0800 890 082
  o Korea South (DACOM)            0800 890 820
  o Luxembourg direct              0800 890 352
  o Macao direct                   0800 890 853
  o Malaysia direct                0800 890 060
  o MCI Call USA                   0800 890 222
  o Netherlands direct             0800 890 031
  o New Zealand direct             0800 890 064
  o New Zealand (C COMMS)          0800 890 640
  o Norway direct                  0800 890 047
  o Paraguay direct                0800 890 595
  o Philippines direct             0800 890 063
  o Philippines (PHILICOM)         0800 890 633
  o Phone USA TRT                  0800 890 456
  o Portugal direct                0800 890 351
  o Singapore direct               0800 890 065
  o South Africa direct            0800 890 027
  o Spain direct                   0800 890 034
  o Sweden direct                  0800 890 046
  o Switzerland direct             0800 890 041
  o Taiwan direct                  0800 890 886
  o Thailand direct                0800 890 082
  o Turkey direct                  0800 890 090
  o U.A.E direct                   0800 890 971
  o Uruguay direct                 0800 890 598
  o USA Sprint Express             0800 890 977
  o Venezuela direct               0800 890 058

What you are looking for is a country that has a CCITT-5 line. But how do
you tell this line from Adam? Well, when the line is picked up there is a
distinctive 'cheep'.
Put it this way, you won't hear it if you start dialling so-called
'developed' countries. When you have a CCITT-5 line it is sometimes possible
to seize it. This requires the generation of tones. On the PC BlueBeep is the
definitive blue box program; if you have a Mac, then try one of the blueboxes
from Kaos and Logix of the Network (Fone Tone Pro and Blubox respectively).

Seizing involves sending a 2600Hz/2400Hz tone down the line for about
100ms-500ms. This is generally followed by a 2400Hz tone for the same time.
Some systems require a 2600/2400 clear forward for 100-150ms and then the
seize tones. There are no hard and fast rules for this EXCEPT THE TONES, so
you will need to experiment with the timings of both the tones and the delay
between them. Signalling is a two-way thing, so each burst is replied to with
an acknowledgement. Now you can place a call. The convention is:

  KP2+countrycode+0+areacode+number+ST   for international calls
  KP1+0+number+ST                        for placing a call in the country
  KP1+2+Code11+ST                        should connect you to the inward
                                         operator

So what are all these cryptic acronyms?

  KP = Start of pulsing, indicates whether a national or international call
       is being placed.
  ST = End of pulsing, ie no more digits to follow

Now for the tones:

  Digit   Freqs (Hz)
  ~~~~~   ~~~~~~~~~~
  1       700/900
  2       700/1100
  3       900/1100
  4       700/1300
  5       900/1300
  6       1100/1300
  7       700/1500
  8       900/1500
  9       1100/1500
  0       1300/1500
  KP1     1100/1700
  KP2     1300/1700
  ST      1500/1700
  C11     700/1700
  C12     900/1700

The timings are supposed to be critical and the standards are:

  Between seize and KP  = 80+/-10ms
  KP signal duration    = 100+/-10ms
  Other signals         = 55+/-1ms
  Delay between digits  = 55+/-1ms

Points to note: if at first you don't succeed, try and try again because:

  o Some countries allow international calls via KP1 routings
  o Others differ in KP2 routing conventions (eg KP2+00+countrycode+number+ST)
  o The ubiquitous +0+ can be replaced with other digits
  o Timings can vary quite dramatically. You need to experiment!
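The 2-of-6 MF table above is also what a carrier-side signalling monitor or fraud detector listens for on trunk audio. As an added example that is not part of this phile (and not BlueBeep or any of the programs named), the Python below classifies 8 kHz audio frames into the CCITT-5 signals from the table with a Goertzel filter on the six frequencies and collapses a stream of frames into the KP/digit/ST sequence; `synth_c5` only constructs test audio. The 8 kHz rate, 20 ms frame, silence threshold and leak ratio are my assumptions, not values from the text.

```python
import math

SAMPLE_RATE = 8000  # Hz, telephone-grade audio (assumption, not from the phile)
C5_FREQS = (700, 900, 1100, 1300, 1500, 1700)

# Signal table from the phile: each signal is an unordered pair of the six frequencies.
C5_SIGNALS = {
    frozenset((700, 900)): "1",    frozenset((700, 1100)): "2",   frozenset((900, 1100)): "3",
    frozenset((700, 1300)): "4",   frozenset((900, 1300)): "5",   frozenset((1100, 1300)): "6",
    frozenset((700, 1500)): "7",   frozenset((900, 1500)): "8",   frozenset((1100, 1500)): "9",
    frozenset((1300, 1500)): "0",  frozenset((1100, 1700)): "KP1", frozenset((1300, 1700)): "KP2",
    frozenset((1500, 1700)): "ST", frozenset((700, 1700)): "C11",  frozenset((900, 1700)): "C12",
}


def goertzel_power(samples, freq, rate=SAMPLE_RATE):
    """Power of one frequency component of a frame (Goertzel algorithm).

    A pure on-bin tone of amplitude a over N samples gives (a*N/2)**2."""
    n = len(samples)
    k = int(0.5 + n * freq / rate)  # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def classify_frame(samples, min_level=1e-3, max_leak=0.25):
    """Name the C5 signal present in one frame, or None.

    None covers silence, speech and anything that is not exactly two of the
    six frequencies standing clearly above the other four."""
    n = len(samples)
    powers = {f: goertzel_power(samples, f) for f in C5_FREQS}
    ranked = sorted(C5_FREQS, key=powers.get, reverse=True)
    first, second, third = ranked[:3]
    # min_level * n**2 is the power of an on-bin tone of amplitude ~0.063 (full scale 1.0)
    if powers[second] < min_level * n * n:
        return None
    if powers[third] > max_leak * powers[second]:
        return None
    return C5_SIGNALS.get(frozenset((first, second)))


def decode_c5(samples, frame_ms=20):
    """Classify fixed frames and collapse runs into the sequence of signals.

    With 20 ms frames at 8 kHz (160 samples) all six frequencies sit exactly
    on DFT bins. Any frame that is not a clean tone pair (e.g. the inter-digit
    silence) ends the current run, so repeated digits stay separate."""
    n = SAMPLE_RATE * frame_ms // 1000
    symbols, last = [], None
    for start in range(0, len(samples) - n + 1, n):
        sym = classify_frame(samples[start:start + n])
        if sym is not None and sym != last:
            symbols.append(sym)
        last = sym
    return symbols


def synth_c5(sequence, tone_ms=55, gap_ms=55, amplitude=0.5):
    """Constructed test audio (not a real capture): each signal as a two-tone
    burst of tone_ms followed by gap_ms of silence; 55 ms is the phile's
    figure for digit duration and inter-digit delay."""
    pair_of = {name: sorted(freqs) for freqs, name in C5_SIGNALS.items()}
    tone_n, gap_n = SAMPLE_RATE * tone_ms // 1000, SAMPLE_RATE * gap_ms // 1000
    out = []
    for name in sequence:
        f1, f2 = pair_of[name]
        for i in range(tone_n):
            t = i / SAMPLE_RATE
            out.append(amplitude * (math.sin(2 * math.pi * f1 * t) + math.sin(2 * math.pi * f2 * t)) / 2)
        out.extend([0.0] * gap_n)
    return out


if __name__ == "__main__":
    # Constructed digit string in the KP2 ... ST shape described in the text.
    dialled = ["KP2", "4", "4", "0", "2", "0", "ST"]
    print(decode_c5(synth_c5(dialled)))  # prints the same sequence back
```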
VMB hacking
~~~~~~~~~~~

Right, voicemail may be the bane of a lot of people's lives, but for the
phreak it is a joy. A voicemail system is a glorified ansafone with enough
fun things to play with to keep you occupied. How do you find a voicemail
system? First of all, unless you are phreaking the call *already*, stick to
0800 and 0500 numbers. Now here it starts to get a bit repetitive, because
you need to sequentially dial a few hundred numbers to glean a good set of
voicemail systems. Do not confuse voicemail with an ansafone! A voicemail
system will either tell you it is the voicemail system of company X or it
will just prompt you for a mailbox number and password. Scanning will also
provide you with carriers to explore and a number of funky things to play
with... such as Department of Defence dialups :-)

Not all systems are up 24hrs a day, and it is nice to find one that is. If
you find a VMB in, say, the US, then remember the time difference.... you may
simply be calling in the middle of the night rather than finding a permanent
VMB.

When you get a system you are generally presented with the option of leaving
a message ("Please dial the extension of the person you are trying to reach")
or given instructions to press '#' if you have a mailbox on the system.
Listen to all the prompts and write them down, because mapping a VMB is very
important in discovering all the phun things.

You will now need to find a valid mailbox... This can be achieved by stepping
up in blocks of 500 from 0000 to 9500 if it is a four-digit mailbox system,
or 000 to 950 in steps of 50 on a three-digit system. Be warned, some 4-digit
systems will reject an incorrect mailbox number after 3 digits, which is very
confusing. The trick is to learn the delay between an incorrect number and
the system warning you it is wrong, because if you hit three digits and it
takes longer than usual to kick you out, try adding a fourth digit. Some
systems require you to enter the '#' after the box number.
Now a quick and dirty way of doing this on some systems is to use the user
directory - which enables you to search for people on the system by using the
keypad letters (1 = ABC etc.). If you find this facility then just plug stuff
randomly into it - eventually it will credit you with a hit and give you an
extension or voicemail box. When you hit a box, map around it by trying
sequential boxes up and down from the one you find. Boxes are usually in
clumps, but a canny sysadmin will dot them around in no particular order.
When doing this kind of internal wardialling simply press the '*' after every
mailbox you try - this generally backs you up a level and allows you to plug
away for hours without redialling the VMB number.

It is generally not advisable to hack people's voicemail, but rather to find
an empty box. An empty box will either have no name associated with it, or on
ASPEN systems a message saying "Voicemail can significantly increase your
productivity....". When you get this, pat yourself on the back, because
you're nearly home and dry. Empty boxes are often very simple to hack, but
you need to work out how many digits the passcode is. ASPENs / OCTELs etc.
are generally four digits; ASPENs especially have the default login code the
same as the empty box number. Again, smart sysadmins will change the default
code, but try 1000, 2000 etc... and other simple combinations and
permutations to access the box. Be warned though, NYNEX VMBs have been found
to have up to seven-digit passwords, and one system has nine-digit codes :-(

Eventually you will have a box under your control. Now you need to map the
system thoroughly, exploring every menu option, setting up your personal
greeting (hint: don't set up a box with your handle, because if someone
accidentally dials your box to be greeted by an effusive |<in9pHr3aK, then
they are going to report you).
Try out options that it doesn't offer you, because all it is going to do is
tell you that option doesn't exist if it is invalid. What you are looking for
is an outdial. This will enable you to dial up your VMB, and from your
mailbox dial to the outside world. Some outdials are national, some global.
If you need ideas on what to do with unlimited free fonecalls......

OK, now you are going to get locked out eventually.... So find another one.
If you are using a VMB to keep in contact with your group it is best to dial
their box direct, rather than sending mail from your own box. Why? Because on
some systems the internal system does *not* play you the pre-recorded message
of the box you mail, whereas doing it direct will.... This is important if
one of your group has been kicked off the system and you don't know about it.
The fastest way to lose your box is to send mail to a legitimate user.

One way to avoid getting locked out is to hack the system administrator's box
(0800 892 888 box 7745 anyone?) and set up your own boxes and lock them out.
An easy way is to dial 0 when you enter the VMB to get an operator and then
social engineer the sysadmin box number. Then it's 1000 to 10,000 numbers to
dial to get in.... Call a few favours in from your friends and it is
perfectly possible.

To get started:

  0800 892 888   ASPEN
  0800 892 932   NYNEX
  0800 892 705   OCTEL
  0800 318 407   MERIDIAN
  0800 318 409   MERIDIAN

You are going to find hundreds more...... Practice!

Note: for Meridian systems check out Coldfire's phile at Paranoia.


Payfone vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~

Right, unless you have a very good understanding of BT payfones, give up
dreaming about phreaking them at will a la U.S. redbox. I have been informed
that redboxing is possible but unreliable in the U.K., but there should be a
demo of at least one at AAA II.
Simply put, the only payfones you are likely to hack are the kind of 'add-on'
boxes in pubs and student houses, that keep the money in the box integral to
the fone. Particularly the grey BT boxes, if left in their default state, are
very easy to hack. All you need is a DTMF tone dialler - because the handset
does not disable tones before money is put in unless specifically set up to
do so. Now think - this is how BT street payfones stop you from pulling the
same trick, so how do you activate the mouthpiece before placing money in?
Also the cuckoo tone in the grey boxes (identifying the unit as a payfone) is
disabled by this method.

If you press the '#' on these boxes then you are prompted for a password, the
default being 1234 (!). Now you can press a number and access hidden
functions, such as tone/pulse switching, time and billing rate. One trick is
to use the fone at peak rate times, but set the clock to 6pm so you are
billed at cheap rate, or more effectively just change the amount of money you
are billed per unit. These things make a big profit..... Rip them off as much
as you can.

A word on the new payfones popping up.... These are AFAIK tethered to cable
lines and have programmable speed dialling. Needless to say these can be
reprogrammed. Again experimentation is the key.

One final fone of note is the taxi-fone, resident in many supermarkets,
airports and hospitals. These generally have the dial pad covered, with the
number of the taxi firm stored on a memory button. They may not have a pad,
but with a tone dialler or an accurate finger for loop-disconnect calling,
you should be able to extract free external calls. Be warned that people are
aware that you don't always need to spend 20 minutes on the fone to call a
taxi :-)


Ansafone hacking
~~~~~~~~~~~~~~~~

Not really phreaking, but fone related nevertheless. Again they can be found
out of hours on many 0800/0500 numbers. All they are useful for is
eavesdropping on messages.
They come in two flavours: digital and tape. A digital ansafone will
generally allow you to interfere with the recorded message by hitting '#' or
'*'. From here you can rewind or resume the message. These do offer the most
functions, but tape ones are probably more easily hacked. They generally have
one, two, three or four digit passcodes for remote message playback and
simple finger hacking will get you through. Knowing what machine is at the
other end is an advantage. You need to learn a few machines' timings and
default messages before you can do this. Some batches of machines have
default passcodes (note this does not apply to BT ResponseXXX ansafones) and
the easiest way to learn lots of machines is to fone up manufacturers and
claim to have bought the machine second hand, but the manual was misplaced -
so could you have a copy? After playing back messages you can generally
delete them, repeat them - digital ansafones offer more options.

Here are the instructions for a Response 100 machine (tape):

Basically to access the R100 remotely you need a fone with TouchTone (tm)
Telephone signalling or a DTMF pad, or failing that a new fone. The easiest
way to (ab)use this machine is to get a peek at the 'security code'. The code
is hidden under the lid of the machine covering the microcassette, and with
this 2-digit knowledge you can command the fone remotely.

To access messages on a machine you simply dial the telephone number. The
time it takes to answer the fone indicates how many messages have been taken.
If the fone answers after two rings, messages have been taken. If it answers
after four rings, no messages have been taken. After the announcement,
instead of leaving a message you need to enter the first digit of the
security code (press and hold for at least three seconds). You should hear a
single beep. Enter the second digit of the security code in the same manner
and you should hear two beeps if the code is correct, four beeps if the code
is wrong.
You only get two attempts to try the code. If the code is entered correctly
then the RESPONSE 100 gives a series of beeps whilst the tape rewinds. If no
messages have been recorded then 4 beeps are given and the machine hangs up,
otherwise messages are played automatically. Message replay stops every 2.5
minutes and you must press the 2 key for at least three seconds from your
remote location in order to hear the remaining message. At the end of the
messages you will hear three bleeps. You have three options:

  Press '2' to replay the messages again
  Press '6' to reset the messages (ie delete them)
  Hang up - this saves the messages and sets the machine to take calls.

*BUT* you must remember to enter commands within 8 seconds of being prompted.

Another feature of the fone is the fact it can also be switched on remotely.
After 20 rings the fone will be answered by the machine, regardless of
whether it is switched on. It is worth remembering that some payfones do not
allow an unanswered call to be connected that long. Also note it stops
recording after a few seconds' silence.

Just a word on the 'security code'. It is a two-digit number, so there are
10x10 combinations. BT isn't so daft as to put the same codes on each fone,
or even make the machine kick you out if the first digit is entered
incorrectly. Perseverance is the key, or a sneaky look at the code. There is
an audible record of your intrusion - namely about half a second of the first
security digit (if you entered it correctly), but you can happily listen in
on messages undetected - providing the owner is out. Just so you don't get
caught on a 1471 trick, please remember to dial 141 before placing your call
or use a fonebox.


Other boxes
~~~~~~~~~~~

For the technically minded there is the creation (or more often adaptation)
of boxes that are US specific. Personally I leave this to someone else, but
you can still blackbox in the U.K. with an up2date unit, and the US goldbox
can be heavily modified to work in the UK.
Basically you need a good understanding of electronics and to be able to
decode all those bloody ascii diagrams ;-) For those of you wanting to adapt
boxes the alt.ph.uk FAQ gives a list of boxes that may possibly be adapted
for UK use, and here is some basic information you may find useful. This is
technically pre-release, and apologies to T.J.UK because it is his
*preliminary* phile to be, not mine:

==========================================================
Phone state  | what happens                        T.J.UK
==========================================================
Normal:      | -50v pulsing 50 times a second
             | Polarity:
             | Pin 5 = -
             | Pin 2 = +
             | High Resistance in Ohms
             | 0.01 mA (almost nothing at all)
----------------------------------------------------------
Ringing      | -80v pulsing 50 times a second
             | Polarity:
             | Pin 5 = +
             | Pin 2 = -
             | High Resistance in Ohms
             | (not sure) mA
----------------------------------------------------------
Pickup:      | Voltage drop occurs.
             | Loop is created to notify exchange
             | someone has picked up the phone.
             | Lower Resistance in Ohms
----------------------------------------------------------
While        | -8v pulsing 50 times a second
Talking      | Polarity:
             | Pin 5 = -
             | Pin 2 = +
             | Lower Resistance in Ohms
             | 30 mA
----------------------------------------------------------
Hanging up:  | Voltage rise occurs.
             | Loop is turned off.
             | High Resistance in Ohms
----------------------------------------------------------
Back to      | -50v pulsing 50 times a second
normal state | Polarity:
             | Pin 5 = -
             | Pin 2 = +
             | High Resistance in Ohms
             | 0.01 mA (almost nothing at all)
==========================================================

I hope this is some use.


The line monitor
~~~~~~~~~~~~~~~~

This is the most useful piece of kit - especially when tapping lines. Make at
least three of them - one with crocs, one with pins and one with razor
blades.
They are tiny devices (they can easily be built into a secondary line jack
(MAPLIN code JK47R #2.49)) and consist of two 33k resistors and two LEDs. All
they do is use the voltage on the line to light the LEDs, with results based
on the line status. They provide silent ring indication when out in the
field, and a warning if the fone on a line you are tapping is in use...

First the schematic:

  2--------------------+----------+
                       |          |
                       R1         R2
                       |          |
                       *          |
                       D1         D2
                       |          *
                       |          |
  5--------------------+----------+

The asterisk indicates the positive end of the LED. If you make R1 red and R2
green, then when tapping a line you can sort out which is 5 and which is 2
and make your life easier: right way = green LED on, wrong way = red LED on.
If the fone is ringing, then both LEDs flash on and off. If the fone is in use
the green LED will be dim. At this stage you can attach a fone and listen in.
If it is ringing do not plug in a fone! You will pick up the line!


What else is there?
~~~~~~~~~~~~~~~~~~~

Well if I covered everything there would be nothing to do! So there is PBX
hacking, ie when you dial into a company PBX and reroute your call out (in on
a local call and able to dial internationally, or in on an 0800 and out
internationally). There's fax-jacking (interception and decoding of fax
transmissions) and remote reprogramming, cellular cloning (not my bag),
cellular eavesdropping, CCITT7, R2 signalling, chargecards - bill your calls
to someone else (this is so easy I can't even bear to describe it here).

Anyway I have been sat here too long and I still have to write some webpages.
I trust this is going to introduce people to the wonderful world of
phreaking. Feel free to email me (PGP *only* please - see the keys page for my
key) if you want to know more, or have something to add... I can't be faffed
to read this all over again.
If any bits don't make sense then tough :-) See y'all at London 2600 and
AAA II ;-)


Resources & references
~~~~~~~~~~~~~~~~~~~~~~

http://www.paranoia.com/~coldfire                    The phreaking resource
uk.telecom FAQ 1/2/3                                 Essential
alt.ph.uk FAQ                                        Where the hell is version 1!!!!
BT Basics                                            Pharlin J Hack's intro (Paranoia)
Blueboxing in '94                                    Maelstrom/PHaTE phile (Paranoia)
2600 magazine Vol11 no1                              CCITT-5 article
Blacklisted 411! Vol2 issue3                         Simple Voicemail hacking
On the Essentials of Voice Mail Hacking              Kryptic Night (-S M C)- phile
Introduction to the Meridian Mail Voice Mail System  Coldfire (Paranoia)
Field Phreaking                                      The Third Cartel


Shouts:
~~~~~~~

-=(PHILA)=- : Gauss, Dr No., Drifter, HaWzA, Cholo and Payola Jim
T.J.UK (the only phreak I know who can build fones in cassette boxes)
Agents of a Hostile Power
Logix and Kaos (the Network)
DreamshadoW
The BlaK BloK distro centre
Wintermute (where are you man?)
Legion of Lamerzzzz.... we know who you are - and what you've done :)