[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]


..[ Phrack Magazine ]..
.:: Phreak/Hack Sub ::.

Issues: [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [ 22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ] [ 27 ] [ 28 ] [ 29 ] [ 30 ] [ 31 ] [ 32 ] [ 33 ] [ 34 ] [ 35 ] [ 36 ] [ 37 ] [ 38 ] [ 39 ] [ 40 ] [ 41 ] [ 42 ] [ 43 ] [ 44 ] [ 45 ] [ 46 ] [ 47 ] [ 48 ] [ 49 ] [ 50 ] [ 51 ] [ 52 ] [ 53 ] [ 54 ] [ 55 ] [ 56 ] [ 57 ] [ 58 ] [ 59 ] [ 60 ] [ 61 ] [ 62 ] [ 63 ] [ 64 ] [ 65 ] [ 66 ] [ 67 ] [ 68 ] [ 69 ] [ 70 ]
Current issue : #20 | Release date : 1988-10-12 | Editor : Taran King
Phrack XX IndexKnight Lightning & Taran King
Phrack Pro-Phile XX on Taran KingTaran King
Timeline FeaturingCheap Shades & Knight Lightning & Taran King
Welcome To Metal Shop PrivateCheap Shades & Knight Lightning & Taran King
Metal/General Discussionvarious
Phrack Inc./Gossipvarious
Phreak/Hack Subvarious
Social Engineeringvarious
New Usersvarious
The Royal Courtvarious
Acronymsvarious
Phrack World News XX Featuring SummerCon '88Phrack Staff
Title : Phreak/Hack Sub
Author : various
                                ==Phrack Inc.==

                      Volume Two, Issue 20, File 7 of 12


                    Metal Shop Private's -- Phreak/Hack Sub
                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This subboard contained all technical questions and conversations about
phreaking and hacking.  If something was illegal on it (occasionally some idiot
would post codes and then soon after be deleted), it was removed as soon as I
saw it.


1/70: Red Box......
Name: The Disk Jockey 13
Date: 4:24 am  Sun Apr 26, 1987

Back at the private school I went to, everyone lived pretty much out of state,
and would always be calling their girlfriends back at home, thus making a
pretty big investment into the local payphones.  After reading the files on
how a red box worked, took my little dictation recorder and went to a payphone
and found that I could record the tones that were made when you dropped
quarters in.  I recorded about $4 worth of quarters, and it worked great.
Every time the computerized voice would say "Please deposit $1.70 for the past
5 minutes" you could just play the tape via a pair of sony walkman headphones
into the mouthpiece, and the phone would think that you deposited money in it.
It was pretty neat back then (several years ago.....) but every now and then
you would get the regular operator on instead of that synthasized voice.


                                            -The Disk Jockey

Yes, not really important, but I saw "red box" in that last message and it
reminded me of that.  Those were the days when there were lots of extenders
with 3 and 4 digit codes, and PBX's with NO codes.....



2/70: Since
Name: The Leftist 71
Date: 5:26 am  Mon Apr 27, 1987

Since non-sup seems to be popular these days
404-289-0000-0009 test recordings, non-supd.. I beleive 0004 is deposit coin..
anyway, these are fun to forward to when you dont want people to be able to
reach you..
Ltist




3/70: Teleco numbers
Name: Mad Hatter 51
Date: 5:36 pm  Mon Apr 27, 1987

Would most(all) of the Teleco numbers(i.e. 99xx series) be non-suped?  That
would seem at semi-logical atleast, eh?

-Hatter




4/70: Tuning Fork
Name: Knight Lightning 2
Date: 7:34 pm  Mon Apr 27, 1987

How succesful would you be if you tried to use a tuning fork to simulate 2600
Hertz?  And if so, what would be good to use for MF?  Fun, no?  Heh!

Also, what does anyone know about the 508 NPA.

:Knight Lightning


5/70: Supvision Xlation
Name: Doom Prophet 21
Date: 10:13 pm  Mon Apr 27, 1987

The best way to box is to pull a cat's tail after making a call, then get a
rubber band and twang it in your teeth like Snoopy for MF.

Since we were talking about supervision a little bit, I went through some
stuff I had on translations. What I think makes a number unsupervised  (besies
the fact that there is no return of supervision, or reverse battery
signalling) is the charging translation in the terminating office. The
screening code of a chart class (charges and route are determined by the chart
class I believe) that denotes the call charge type would register to not make
either a detailed or bulk AMA entry at the toll office (if the number is 1+
for someone), since it as if the number never answered. A 'detailed' AMA entry
shows the calling and called numbers, whereas a bulk AMA entry shows only the
calling number.

Something else about translations, it doesn't mean an 800 to POTS or special
BTN when people talk about ESS translations, but the information on particular
Directory Numbers that finds and identifies the line equipment of the called
number (calling also I believe) that would provide any special info that is
needed by the switch to process the call, for example, whether a call is
coming from one or two party lines, or whether it is a four party line with
full selective ringing (which can't be tested by MLT equipment which is why I
remember it). If no translation influenced the way the call is processed, then
how would the switch know to route tthe calling party to an operator for ONI
if the calling line was more than two party (with the specifications talkd
about earlier about the R and T leads status determining the billing also
taken into consideration).

Anyway, this post is basically correct but if anyone finds any errors then
please correct me.

Doom



6/70: Things
Name: Phantom Phreaker 46
Date: 10:41 pm  Mon Apr 27, 1987

  Well, RC's on an ESS are called translations too, at least when done by an
RC-MAC clerk. RC data involving a line that is changed can be called
translations. Don't ask me why this is so, but it's what I've heard.

  Does anyone here know what an ANIF-7 is? As far as I can tell, it is an ANI
failure to TSPS, but that's all I know about it...it can probably happen
anytime, but I do know that it was a specific problem with an early 5ESS
generic.

  Oh yeah, another unsuped signusoid is at (618)235+0090..this was found by
Syntax Error a long time ago. A neat thing about these 'tone sweeps' is that
if you call through an OCC that uses an OUTWATS line that is set up on an
inband signalling trunk, the OUTWATS linne will be trunked from the other end.
This happens as the tone gets near 2600Hz, but it is more sensitive on an OCC
switch, as something like 2710 and 2500 will also reset or trunk their
equipment, or at least that's what I've found.

Phantom



7/70: FALFALAFL
Name: Taran King 1
Date: 11:01 pm  Mon Apr 27, 1987

I'd like to congradulate Doom Prophet on his extremely witty response to KL's
absolutely out-of-place post.  REFRAIN

Question...Most test numbers are unsuped, but I have at least one tone sweep
that I can think of off-hand that is suped.  What would be the purpose either
way?  Later
-TK




8/70: repair number
Name: The Scanner 20
Date: 2:34 pm  Tue Apr 28, 1987

 Would the repair number used for a payphone be the same as a residence repair
number?  Also, Doesnt the place that houses the phone (say a gas station) don't
they get a cut of the profits from the phone?  If they do,
wouldnt they have the repair number?

                    _-The Scanner




9/70: 2 Q's
Name: Circuit Breaker 5
Date: 12:11 pm  Wed Apr 29, 1987

Why are there PBXs that give a loud tone before the code.  And does anyone
know what the difference is between the ANI-D jack and regular ANI is?




10/70: Red-boxing
Name: Icarus 15
Date: 11:32 am  Thu Apr 30, 1987

I saw before that someone mentioned that the amount of money entered into a
payphone of some kind is not kept track of.  If this is true then it would
seem impossible for MA DUMBELL to ever catch on to red-boxing.  That is if
AT&T phones don't have a money counter in them.  TK-When the money was
collected from the payphone, did you notice whether he had the amount of money
that was "supposed" to be in there?  Or whether he even checked it?

If the money is counted then it is possible that the person who collects the
coins would get in trouble for not reporting all the money that was
registered.  The money not being there because of redboxing.

It is also possible to red box off of blue AT&T payphones (without a money
slot).  I am curious whether that can EVER be found out, since there is no
money counter (obviously) to check.

Icarus




11/70: Well...
Name: Taran King 1
Date: 2:41 pm  Thu Apr 30, 1987

Next time I see the guy there, I'll ask him, but I did see him write a few
things down.  None that I could decipher meant anything related to money so
I'm not sure if there was a counter in it.  I'll have to check it out though
-TK




12/70: Payfone Mutin
Name: Jester Sluggo 31
Date: 6:49 pm  Thu Apr 30, 1987

That was supposed to be "Payfone Muting".

    In anycase, on most new payfones, they have what is called "Muting"
which "mutes"-out any red box tones from entering through the Mouthpiece.
Those new non-coin-slot payfones should have those, but I've never tried.

 /
 \
 / luggo !!




13/70: DNR/Pen Registers
Name: Knight Lightning 2
Date: 7:04 pm  Thu Apr 30, 1987

Are there any noticable effects from having one of these on your line? Static,
a low hum in the background, or line noise where there shouldn't be?

:Knight Lightning




14/70: well...
Name: Lucifer 666 43
Date: 7:40 pm  Thu Apr 30, 1987

about the tuning fork...it does work.. i've used a harmonica..

also, how exactly do the bandwiths switch in multiplexing...

L666




15/70: From what I've heard
Name: The Scanner 20
Date: 8:30 am  Fri May 01, 1987

 That there isnt any way to detect a Pen register. No humm, buzz, or any thing
else. But hey, what do I know?
  Dont answer that.

Anyway, 2 more questions,

  Im sure momma bell knows all about red box tones and stuff like that. But,
what about those independent co's that make pay telephones and just kinda hook
them up to normal lines in stores and stuff.  Wouldnt they be easy to box off
of or do they work in a different way altogether? Well, that was only one but
an answer is appreciated.
                        _-The Scanner



16/70: 'Round here...
Name: Taran King 1
Date: 2:41 pm  Fri May 01, 1987

In this region, you can't just play the tones into the mouthpiece and get cred
(credit) for whatever you've played into the phone...you CAN, though, dial a
long distance number, it will then say, "Please deposit $x.xx".  You put in
(play the tones for) the money and it says something like, "Thank you for
using AT&T."  Ta da
-TK




17/70: Muxing, Etc
Name: Doom Prophet 21
Date: 4:56 pm  Fri May 01, 1987

Lucifer, I think what you mean about the bandwidths changing in Multiplexing,
you are referring to voice frequency bandwidths. Multiplexing is just a method
of sending more than one converstation down the same transmission path. In
analog and older switches the method is called Frequency Division
Multiplexing, or FDM, when the signals are seperated on basis of frequency, as
opposed to newer switches which do it on a Time division basis (TDM). There's
also something called Space DM but I don't think it has a whole lot to do with
telephones (maybe stuff like digital Xmission). But anyway, a normal VF voice
bandwidth goes from 300 to 3000 Hz which is SF in band, although the VF
channel goes from 0 to 4000 Hz. Anything above 3000 is out of band signalling
(like 3700 Hz). CCIS uses a seperate nettwork composed of STP's and varioius
links and channels for independent signalling methods.

About the red boxing, the circuits that keep track of the coins that have been
entered are called Coin Detection & Announcement circuits (if the fortress is
in an ACTS serving area), which are a part of the Station Signalling
Announcement Subsystem which work out of local offices and in conjunction with
TSPS (not TOPS as far as I have seenn,  a flash of the switchook anytime
during the initial charge announcements and an operator is connected. Playing
the tones to a live operator wouldn't be a good idea as they can obviously
tell the difference.

Something else, there was a little discussion about AMA and all (isn't there
everywhere?) a while back. The way a local office (LAMA) would keep track of
the billing data is to use a few AMA circuits (there are always two, AMA0 and
AMA1 but can be more for big offices) that reverse positions (from an active
to standby mode at midnight when the datta in the buffer is recorded onto the
actual tapes). So the AMARC computers can format the data to where it is
recognnized by the RAO, the tapes have to be specially customized for that
particular officere. A header label on the tape (put on at the beginning of
each new tape entry (12)) tells the originating NPA, the office number, date
and tape transport dates. A tape trailer is added on at the end of the tape
entry for that day, which has the info about how many total calls were AMA
recorded. The tape mark is some digit (?) that tells the RAO that the useful
info (that they need to look at) is ended. The billing data itself is in a
binary coded decimal form (0's and 1's) along with check and dummy codes. A
noncheck dummy code fills the spaces on the tape to signigy that there wasn't
a problem, but the space is supposed tobe there. A check dummy code is because
the info wasn't received or sent from the Peripheral Adress bus or from the
originating register into the charge buffer. If you ever come across AMA
records (like in the call store section of SCCS) it won't look like anything
that can determine billing (AMARC and RAO do that). They aren't too hard to
read though, just takes a while.

Doom



Read:(1-70,^17),T,R,Q,P,A,? :


18/70: Correction
Name: Doom Prophet 21
Date: 5:52 pm  Fri May 01, 1987

Damn, what I got that I thought was some type of AMA records are not AMA
records (I think), so that means that I haven't been reading AMA records.
Shit, that's something that I want to do. Have to get some.

Doom



19/70: well...
Name: Sir Francis Drake 56
Date: 8:15 pm  Fri May 01, 1987

You mentioned the third time of multiplexing as Stad DM or something, I
believe  what you mean is Stattistcal Time Division (STDM).  A STDM is just
a normal TDM improved so that empty bandwiths (which occur on TDM) are used
by busy ones.  This allows a hell of alot more efficient use of the line then
TDM's.  STDM is mainly used when you have alot of terminals/whatever that
wont always be being used.

Hmm, I have some good stuff on pay phone accounting somewhere....

sfd




20/70: Payf0nez
Name: Phantom Phreaker 46
Date: 10:57 pm  Sat May 02, 1987

  There are some types of payphones that are attached to a normal cable pair,
a normal line, and in this case the payphone like usage would be determined in
the phone and not in an office. I can't remember the exact type, or even where
I read it but if I should find it by any chance then I'll put it p.

Phantom





21/70: P-Phones
Name: Jester Sluggo 31
Date: 12:19 pm  Sun May 03, 1987

Well, there are several manufacturers of payfones that make several different
type of payfones.  If someone could call up the factory, or a salesman, or
dealer of these products, and pose as a perspective buyer, then that'd solve
these questions..   (shit..)
It perhaps might make a good file for Phrack.   But I don't have the time do
to do those things.)

 /
 \
 / luggo !!




22/70: AMA
Name: Circuit Breaker 5
Date: 10:43 pm  Sun May 03, 1987

There is some AMA info on LMOS.  The audit file is under /dev/smlog /smlog.

I got a list for two different streams ST1 and ST2.  You should see,
office id
days until expiration
process start time
        stop time
the ama default
ama teleprocessing
its also will have some stuff such as HOC password and a backup HOC password,
Also look under /dev/unixabf /unixa/users, this will give you the termination
codes after the stream code like:
S# (#)=termination code + date + time

  Circuit Breaker




23/70: audit file
Name: Circuit Breaker 5
Date: 10:49 pm  Sun May 03, 1987

One more thing to check on the audit file dump /no5text/rcv/aimrc.
I would think the audit file is like audit on a VAX it just checks your access
level if your insuficient you can't read that file.




24/70: Circuit Breaker
Name: Phantom Phreaker 46
Date: 1:11 am  Mon May 04, 1987

 (Trying hard to leave an intelligble post)

 Circuit Breaker, what LMOS system do you have access to? Do you (it looks
like it to me) have access to only the unix Front End system, or do you have
the IBM VM370 host processor? Anyway, not all front ends are the same, try
accessing the Cross Front End (XFE) via the Network Manager program
(/usr/lbin, I think) nmx or the NMstatus program and checking for those
specific files you posted about. I'll have to check the LMOS I have access to
and see if those particular files you posted about exist. You also might want
to look at the CRSAB RSA's help files for asyncronous terminal connections in
the help directories. You are probably already good at unix, but try this to
locate those help dirs:

$ cd /
$ du *>/dev/du.txt&

 Then in a few minutes, do

$ cd /dev
$ cat du.txt


 That will give you a listing of all the directories on that system, and if
you see any that resemble help files then go there and cat everything...

Phantom



25/70: Payphones (again)
Name: Icarus 15
Date: 3:08 am  Mon May 04, 1987

If the wires are exposed leading up to the payphone, and you hooked up handset
to the appropriate wires, can you make direct calls?  If the case is that you
can, there are many phones I know of that do not have the metal encasing
around the wires.  I have to try it.  I am pretty sure that bypassing the
simple hardware of the payphone console itself does not grant open access to
all outside lines.  Or does it?



26/70: LMOS/Unix
Name: Evil Jay 26
Date: 4:18 am  Mon May 04, 1987

    Could someone print out some commands to do on LMOS? What exactly can
be done on the system. Please explain. Also, how do you turn off the log
when logging into a Unix, and if possible, could someone leave me a C prg
to give my account root priveledges. Terminus was playing around, and
letting me check out one of these prgs but I never got a chance to save/copy
it. Thanks/...

-Jay




27/70: Payphone Wires.....
Name: The Disk Jockey 13
Date: 7:33 am  Mon May 04, 1987

At the school in Indiana that I went to, there were tunnels that connected
every building in the school together and dated back to the early 1900's, so
we would get drunk and cruise down there and check out old crap that you find
laying around in the basements that some of these tunnels went to.

ANYWAYS,  in one of these tunnels there was a HUGE phone block with hundreds
of cable pair.  I brought the dandy test-set one night and started trying
different connectors to get a dialtone.  When I did get a dialtone, I tried to
dial a local number, only to get a "please deposit 20 cents" recording, so my
guess from that experiance would be that the phone doesn't make much of a
difference, and that you would NOT be able to dial direct calls on it.

I have a driver's license that says I'm like 24, and I look it, so I too can
buy for any who need it.  Michigan licenses are the easiest to change, just as
(ask) any Michigan person who was born in 1967.


                                                 -The Disk Jockey





28/70: Fortresses/LMOS commands
Name: Phantom Phreaker 46
Date: 7:22 pm  Mon May 04, 1987

  Come to think of it, it is the actual line and not the phone in most cases,
take a look at the Class of Service or Universal Service Order Code in an ISVH
(ISH) or an INQ from COSMOS or get it via an Basic Output Report (BOR). Now,
if you really wanted to go out of your way to 'fix' a payphone to where you
could dial out normally, you might be able to accomplish this via RC-MAC, or
maybe an SCC. But if you did do this it would almost certainly die when the
bill came.

Phantom

PS-I will post up pertinent data from an ISH upon various payphones next time
I log on, if anyone would like to see it.





29/70: Payphone ISH
Name: Phantom Phreaker 46
Date: 7:43 pm  Mon May 04, 1987

  Ok, I ISHed a few payphones and here's the results:

  The STatus was (of course) WK (Working), the TYPE was C (Coin), the Class of
Service (CS) is CN (CoiN), the Universal Service Order Code (US) is 1PC, which
means single party something.. can't remember. The Line Class Code (LCC) field
contained CDF, I don't know what  CDF means though.

  On older post-pay telephones (the kind where it either gives you a loud
annoying 'buzz' when the calling party answers, or the kind that allows you to
hear them but them not hear you until you put your coins in) probably have a
US of 1PP (Single party, Post Pay), and Coin First phones (the kind that you
must put money in to get a dialtone) have a US of 1CF (Single party, Coin
First).

Hope that helped,
Phantom



30/70: Question
Name: Cap'N Crax 10
Date: 3:43 am  Tue May 05, 1987

Does anyone know why, and how, it
is allowable to place collect calls
to loop lines.  I know that this
does work, as I have done it.  I
was wondering how it (loop) is
classified, why it passes the billing
verify, and to whom is the billing
allocated?  It is obviously recorded
on AMA, and it apparently pissed
off Bell.  No more loop...

C^2





31/70: --------
Name: Circuit Breaker 5
Date: 10:25 pm  Tue May 05, 1987

Phantom what do you mean 'trying for an inteligible post'?  I was telling Doom
how to get some AMA data from LMOS.  I am sure the LMOS you have access to has
an AMA audit file, its just a security feature.




32/70: Call Blocking....
Name: The Mad Hacker 47
Date: 7:06 pm  Wed May 06, 1987

What Is Call Blocking? It has something to do with a condition in ANI/ONI. I
read it in My Cama Manual and It was vague. Any Help?

          -TMH




33/70: A few LMOS commands
Name: Control C 8
Date: 8:46 pm  Wed May 06, 1987

Here's some /FOR commands

TV - Trouble Verification
RJR and DMLR are jepordary reports..

Shit I had some more, but I can't rember..

Control




34/70: datakits...
Name: Slave Driver 58
Date: 11:56 am  Thu May 07, 1987


  Does anyone have any experience
hacking datakits?

NODE dkeasta   blah blah

NETWORK ACCESS PASSWORD:

  any ideas on the password?  Anyone have -any- idea of the format, length etc?

any help appreciated..

Steve Driver

ps.  I know what they do, I just need to get on famous last words|





35/70: More LMOS
Name: Doom Prophet 21
Date: 8:28 pm  Thu May 07, 1987

Ok, I hadn't seen that in LMOS yet, CB, thanks for the info. There are other
ways to access the info in an intermediate call store section/buffer of sorts
from SCCS, and of course the AMARC systems. On another board, Phantom asked
what AMASE was, I would think that it could be an abbreviated form of 'AMA
Sensor', you know, BDT's,  CDA's, and ESS software format sensors, or special
VSS sensors maybe.

On LMOS..some of the things are common knowledge (in BSTJ's and all) but I
will post a few and what they do.

Let's see, to screen status troubles, ttry /FOR MSCR. You may have to know
employee codes of the screener and the MC code, it's been a while since I've
been on.
                                                                        
The different actions in the Mechanized Screener transactions are run an MLT
test, get job and work info, run RST transaction, read mail, clear the mask
(indicating no action), review desk items, return to original status, put item
on the Local Test Desk (used to test lines that the MLT/LTS equipment can't
for some reason, such as selective ringing multiparty lines), put screener in
the off duty status (returning work items into the pool I believe). Others are
/Te (Trouble Entry), DISP, etc.

Something somewhat interesting,  in the /tmp direcoty for an FE, look at the
Console/log0 file, which contains countters and info on how many certain
transactions have been done for a certain time period (RBOR is in there but
I'm not sure about the rest). Other commands do things like add changes to
LMOS tables, look at work summaries, check all jobs related to a certain CTTN
(cable trouble ticket number) or TTN, and review all work items for specific
FE's. If anyone wants anything specific about some of these commands leave ma
(me) a letter or post since it seems  the discussion is going good. I'm sure
Marauder or others could proably correct me on a few points, but oh well.

Doom



36/70: Call Blocking/Loops/etc.
Name: Phantom Phreaker 46
Date: 11:09 pm  Thu May 07, 1987

    Circuit Breaker, what I meant was that I was fucked up, and having a hard
time typing legibly. That's all.

    Call blocking is a vague term, can you tell us what it relates to, CAMA,
ANI, PBX's, or what? A basic description is that it is what happens when the
network is operating at peak, and all trunks are busy, and thus the caller
gets a re-order or is left sitting there.

 Be more specific if you can, because there is also a thing called 'blocking'
on PBX's which is similar but on a smaller scale.

  To whoever asked about the collect call to the loop, well loop-around
numbers are probably either an Official or a Test line, at least the ones I
have seen. So unless they set some type of screening to it so it can't accept
collect calls then you could collect call a loop, but hope that you didn't
dial direct from your home because your number would be on their phone bill.

 Control C, since you seem to have a manual or something on ESS, could you
tell me what a RC15 report is, I am very confused about them. Thanks...

Phantom



37/70: Coin Tests...
Name: The Mad Hacker 47
Date: 12:07 am  Fri May 08, 1987

SFD posted in the previous sub abour coin tests. I ask you this. The CO, upon
completion of a call, removes -48 volts from the ring, ground from the tip and
either a -130 volts(Refund) or +130 Volts(Collect) is applied to the tip to
operate the cion relay in the phone. If Someone were to have acces to the
exposed wires outside of the phone, wouldn't they be able to simulate the
voltage necessary to refund their own money(Theoretically speaking if they
could simulate the voltage in a Phone Booth of course)? Would that Be
Possible? I also broke out my testboard, Station, and network Manuals and
Found that their is some significance in turning the handset of the payphone
upside down. I can't find out exactly why yet, but it is all over the "Coin
Maintenance Check Booklet" that bell uses as reference for Coin Stations. I
will search more through the book and see what I can find.

                              The Mad Hacker


38/70: Collect call
Name: Icarus 15
Date: 12:52 am  Fri May 08, 1987

If you hack a mailphone system of some kind that only requires the number to
be called and the initia message will be played, then you can have the message
say, "Hello?........Sure. hangup|" This will enable you to make a third party
billing call to anyone and use the mailphone system as the party paying for
the call.  The operator will cal up the mailphone, the msg will play and
she'll hear the person being billed say, "Sure." when asked if they accept the
charge.

In any case if you want to make a call bill it to 312-410-7132, and it will go
straight through.

Icarus



39/70: Call blocking
Name: Lotus 38
Date: 3:44 am  Fri May 08, 1987

I know that in parts of Florida that a new system uses the term "call
blocking" simply to stop someone in your co's area from calling you.  You would
do something like "*80+number to block" and when that number calls you , a
"You can not dial XXX-XXXX at this time. Try again later"

Other features include immediate call back.  This allows you to hit a few
keys on the phone and call back whomever just called you (again, only if
they are in your local co).

Anyone else have info on this?



40/70: Collect Calls.....
Name: The Disk Jockey 13
Date: 6:55 am  Fri May 08, 1987

A few years ago, in school (out of state) everyone had their ways  making free
calls, someone had a number to a recording, something like that VMS, and it
said "This number accepts all collect and 3rd party billing calls" and it
worked all the time.

Another way is to make a collect call to an out-of-state extender.  Let me say
it this way....

I'm calling from 219 (Indiana) and I call the local MCI node in Chicago
collect.  The operator asks "your name" and you say in a fem voice
"Brenda"....the call will go through, and you will here the usual MCI tone.
RIGHT AWAY, you press a number on t touch tone pad, this will silent the MCI
tone.  Then you say in your own voice "Hello?"  for all the operator knows,
you are the one that answered!  The only problem is that you have to work
fast, else you get a re-order in about 15 seconds.

                                            -The Disk Jockey





41/70: Call Blocking...
Name: The Mad Hacker 47
Date: 9:19 am  Fri May 08, 1987

I will get more specific on the Call Blocking I am refering to. It isn't what
Lotus suggested. That Sounds more like DMS-100 Options(Sounds Exactly like
them, in fact). I thought that the FCC wouldn't allow AT&T to use those
options, though. Maybe I was mistaken. I think that the call blocking I was
refering to is more towards the overload on any paticular circuit as was
mentioned before.

                 The Mad Hacker




42/70: toll phone
Name: Circuit Breaker 5
Date: 10:46 pm  Fri May 08, 1987

In most areas in Europe, the wire to payphones hang out below the phone if you
splice those wires to you handset, you can dial direct without any imitation
tones.




43/70: Call Blocking
Name: Phantom Phreaker 46
Date: 2:23 am  Sat May 09, 1987

 Call Blocking is indeed a feature of (C)LASS....but that CLASS feature is
LATA based around LCCIS, not upon a CO and intraoffice calls. For more info
read any CLASS file, or check out LOD/H TJ 1, file 1, CLASS, by Videosmith.
It explains it pretty clearly. There was a PBX test number in 305 (the testing
grounds of CLASS) that I had gotten somewhere that had a demo of CLASS
features on it, such as Call trace, selective call forwarding, call blocking,
etc. It was called Touch-Star, I think, or maybe Touch-Tel, one of the two.
Anyway, LASS is used in the 717 (Harrisburg, PA) NPA.

Phantom



44/70: Addition.
Name: Phantom Phreaker 46
Date: 2:32 am  Sat May 09, 1987

 (I forgot something)

 DMS-100 does have something like it's own call blocking. It can be used to
restrict certain types of lines from calling other types. The destination
switch checks the information sent in from the (intraoffice) DN, (I think the
Screening Code, probably) or from an INC (incoming trunk). This can be done to
restrict access to official lines and such.

Phantom





45/70: i thought
Name: Lucifer 666 43
Date: 2:26 am  Sun May 10, 1987

none of the DMS features blocking other people from calling you, etc| were
not implemented.... I thought that the user-choice stuff was never put in...

was I wrong?

L666




46/70: RC15?
Name: Control C 8
Date: 11:17 am  Sun May 10, 1987

Phantom,

    Are you sure the RC15 exists?  RC's start at 16 and end at 29..
Maby I'm just screwed...



47/70: FACS
Name: Mad Hatter 51
Date: 5:57 pm  Tue May 12, 1987

Can anyone fill me in on FACS?  I got the file by Sharp Razor and Doom Prophet
has told me about it somewhat, but can anyone explain detailed info on it?
Thanks (d00d)...

-Hatter
.s




48/70: TC15
Name: Phantom Phreaker 46
Date: 7:21 pm  Tue May 12, 1987

 Actually, it's a TC15 report on a 1AESS... not RC15. Sorry about that. A TC15
is very long and has a few acronyms in it that I don't recognize. About the
only one I can remember right now was PUC, Peripheral Unit Controller.

  For those of you who have problems with the acronyms posted here, you might
want to check the N)eed acronyms option from the main menu on this board. This
is an acronym list that I made a while back and gave to TK, and he put a few
in himself. It's basically correct as far as I know, so please let's not add
one unless you are sure.

Phantom





49/70: Carot, etc.
Name: Doom Prophet 21
Date: 4:41 pm  Fri May 15, 1987

Well, I don't know that much about FACS, although I don't believe that it
really acts as a replacement for COSMOS, more like an integration/mini datakit
sort of thing for the different systems related to cosmos.

Mad Hatter was asking about CAROT in mail, and I looked through some stuff and
here is some info about the system. It consists of the two processors for the
CAROT (database section), the data and the test processor. The TP controls and
directs the ROTL's and the Circuit Maintenance System (I've seen CMS-1B and
also CMS-3A, don't know what the current version is). CMS 3A is used with
TIRKS also. Anyway, the CAROT controller (which is supported by the two
processors) can do something like 14 tests at the same time (at night when
their is less traffic on the trunks). The CC also analyzes and sends out the
test results to the appropriate departments or offices (the CO, an SCC or a
CTTU station). The ROTL is accessed just by the technician dialing it, which
is why anyone can dial them. The ROTL is controlled by MF input of the trunk
group and network numbers. I have seen TNN's as being three digits,  but I
guess it depends upon the office size. The ROTL seizes the trunk to be tested.
The ATMS responder (Automated Trunk Measurement System) is connected to the
ends of the tested trunk to receive tthe test measurements. The ROTL somehow
attaches test equipment to the origiinating end of the trunk. Other test lins
are used for the terminating end (going into another CO or switch)...I'm sure
everyone knows there are dialups to CAROT, these are from the Remote User
Multiplex, the ports for remote terminals to call in through (unless the
dialup serves for some type of diagnostics testing upon the test equimpment
itself). 16 people can be on the same RUM....I don't know if that means 16
people can dial the same dialup and somehow still connect (highly improbable).
Lex would probably know more about it.

Doom




50/70: Advanced 800
Name: Taran King 1
Date: 5:00 pm  Fri May 15, 1987

Well, I know that many people have been told that to get translations for 800
numbers, they should call an office that has access to the NCP database.  I
just read a bit about it in CO which I thought was sort of interesting.  It's
part of DSDC (Direct Services Dialing Capabilities).  The subscriber dials the
800 number which is then routed to a 4E.  From there, it goes to the ACP
(Action Control Point or is it ACtion Point?|) which is software that
determines the special type of call (toll free/976/etc.).  The ACP gets it's
(its) information from the NCP which is the Network Control Point.  The NCP
database receives the call information through CCS and checks on the customer
service information that the call information goes with, thereby determining
how to route the call and sends the info back to the ACP.  The SMS (Service
Management System) is used to update information and for definition of that
information.  The NCP database can contain various information such as where
the translation routes determined by origin of call or time of day too.

I have a question about CCS.  What is signifigant about the number version? I
mean, is the information transmitted done differently (different protocol or
manner of sending) or is it just updates to the way it's wired up?  McBlah
-TK




51/70: CCS
Name: Mad Hatter 51
Date: 6:02 pm  Fri May 15, 1987

Randy- I can't seem to find that ancronym or any mention of it.  I've followed
your post all they way up to that.  The Advanced 800 Service you read had to
do with the SPC Network?  The paragraph you typed was the same(not word for
word) as the one here in the Tech on SPC Net.  ACP stands for ACtion Point.

-Hatter

Excuse the time/date of this call..




52/70: CCS
Name: Taran King 1
Date: 11:05 pm  Fri May 15, 1987

The CCS that I mentioned (CCS7 presently) is like the modern term for CCIS.
I'm not sure why they changed it, but that's the accepted acronym now.  The
information that I got from CO magazine was discussing the BOCs' involvement
in 800 services now.  It's highly possible (and probable) that they use the
same method of signaling for this.  Hmm...Oh well, still, I want to know about
the different versions of CCS.  Later
-TK



53/70: CCS
Name: Phantom Phreaker 46
Date: 12:52 pm  Sat May 16, 1987

   Ok, the international version of CCS is known as as CCITT6, (or 'the CCITT
signalling system No. 6) which are centered around an International Switching
Center (ISC). CCITT No. 6 can identify 2048 trunks (CCS can ID 8192 trunks).


   I have some pages from an old BSTJ on CCIS in front of me, they have a good
amount of information about CCITT6 in here. One interesting table inn here is
Calling parties categries, which are in bits 13-16 of a CCITT No. 6 'message',
there are provisions for operators in French, English, German, Russian, and
Spanish, and other user selectable languages, data call, test call, spare,
etc. I'll have to read more about this, it would be interesting to find out
how you could make an int'l call over CCITT No. 6 (or maybe 7 now as someone
said) as a test call.

Phantom




54/70: Badgers...
Name: Taran King 1
Date: 7:38 pm  Sat May 16, 1987

A long, long time ago, Jester Sluggo found some stuff about Badgers while
trashing.  Just today, in conversation, I found out a bit about what these
are.  It is a piece of machinery (Badger is the brand name) which is located
in the SCC (supposedly).  It is used for remote trunk testing and it grabs the
circuit to be tested and runs whatever on it.  I have a feeling this is more
for the independant telcos but I couldn't say for sure.  Later
-TK




55/70: Here's......
Name: The Disk Jockey 13
Date: 12:40 am  Mon May 18, 1987

..an employee numthat I guess is sort of a Sprint Newsline.

It was LEECHED off of another board, so it remains ted: 8-332-0111





56/70: Anyone know?
Name: Cap'N Crax 10
Date: 2:22 am  Mon May 18, 1987

Does anyone know if either/both 900's and 976's terminate in POTS number?
(Ever?)  Something tells me that they probably do..

C^2



57/70: 976/900s
Name: Taran King 1
Date: 6:35 am  Mon May 18, 1987

I believe that I asked someone that already and neither of them did.  They
both were arranged really strangely and didn't have POTS numbers (or at least
not standard POTS numbers).  If you could log onto the switch for the 900 or
976 number, you could probably find out, anyway, if it's got a POTS
translation, but then again, that's a whole different baby.  I'll ask again
and repost when I find out unless Phantom and DP beat me to it (likely). Later
-TK




58/70: 900 and 976
Name: Kerrang Khan 34
Date: 4:37 pm  Mon May 18, 1987

Do not terminate in POTS numbers.
  k



59/70: I think..
Name: Slave Driver 58
Date: 10:21 am  Tue May 19, 1987


 that 900s as in the kind you see on TV, like voting things| terminate in a
4e office.  There is some special device that totals the calls if needed| and
then the people who are using it just call and ask about the numbers...

Steve





60/70: 900 numbers explained
Name: Phantom Phreaker 46
Date: 9:35 pm  Tue May 19, 1987

   I was really interested in how 900 numbers worked, it is not common phreak
knowledge, so I researched via a BSTJ and a little bit of engineering.
Actually, I wrote a file on the Mass Announcement System (MAS) that is  about
80 sectors, but I never released it because I thought no one gave a fuck. If
anyone here wants this file, mail me and I'll get it to you somehow, or upload
it here.

   900 numbers do terminate in a Number 4 ESS, the 4E that has been allocated
as your MAS node. As of 1980 (old info, I know) there were 7 No. 4 ESS
switches that were MAS nodes. That number might be more now, butt the nodes
were in Atlanta, Chicago, Dallas, Denver, LA, Newar,  and Philly. Each one of
these covers a particular part of the country. (oops, that 'Newar' up there is
supposed to be 'Newark'). For instance, if Randy dialed 1-900-555-1212 (the
Dial it 900 service information line) his call would be sent to the Atlanta
No. 4 ESS MAS node. If Mad Hatter dialed the same number, his call would be
sent to the Philly MAS node. (Oh, Alaska and Hawaii are also included in
this).

  Back to the original question by Crax, 900 numbers can terminate in a POTS
number, but I have never seen it done, so I would guess that it's not a common
occurance. This is called cut through calling, or technically, Media
Stimulated Calling (MSC). MSC basically sends one call per some unit of time
to a DDD number.

  The place that handles the maintenance and administration of all No. 4 ESS
MAS offices is called ONAC, Operations Network Administration Center. I think
the ODAC are centralized in Kansas City, Mo, which seems kind of strange
because there isn't a MAS node there (that I know of).

  One interesting thing about MAS services is the way Recent Changes are done,
through an RCRRT2 (Remote Recent Change, don't ask me why the acronym doesn't
match) channel, which is hardwired to ONAC. If one ever trashed ONAC or a 4E
MAS node, you could probably find some actual switch output messages. Those
would be interesting to see. So if anyone ever does any trashing like this
then let me know.

Phantom





61/70: UNIX logs...
Name: Ax Murderer 7
Date: 5:33 pm  Wed May 20, 1987

I haven't been on for awhile, but anyways, whoever was questioning UNIX's,
which log are you talking about, the one of Berkley (HIST?). There's quite
a few logs. To get superuser privs on some systems, first go into the /dev/
section and scan through the files. Almost always there will be a program
in there which will be UNPROTECTED and allow even the lowest scum to use
it. The main point is, in case for some emergency reason, he must log on
from a remote location, and has difficulties, he may process another account.

 Ax Murderer

Also, I got TONS of "C" programs. I also am pretty fluent in this.



62/70: Unix
Name: Phantom Phreaker 46
Date: 9:02 pm  Fri May 22, 1987

  Does anyone know a way to implement something similar to some common unix
commands on a cosnix OS? For instance, the grep command, the find comma the
file command, and a few others. What I wanted to do was list the ascii files
in a cosnix directory (assume the /usr/cosmos directory, where COSMOS three
letter command source is kept, but there couldcii or English Text in it). I
would do it like this on unix:

$ ls -a</tmp/asciick&

 Then when that process was done:

$ grep ascii /tmp/asciic/tmp/final&

 Then check that file when it was done and it would have a listing of the
ascii files. Since you cuse the type command, and can't use file, I'd rather
not look through a long directory listing, and even then it's ot always ascii.
So does anyone have any shell scripts that might help me out?

Phantom


PS-Sorry for the line noise.



63/70: RA1 Channel 6
Name: Icarus 15
Date: 3:54 am  Sun May 24, 1987

I dialed 1074654 and I heard "RA1 channel 6" repeated 8 times.  Then I found
out that I could dial 107xxxx and get the recording.  Does anyone know what
that means?

This only worked on some phones.  Others, after I dialed 10, I would get the
operator.

Icarus




64/70: PHREE CALLZ D00DZ
Name: The Leftist 71
Date: 10:57 pm  Sun May 24, 1987

heh, about the easiest way to bill 3rd party or collect is to call spri nt
operator.. they are dumb, and have no info on you whatsoever.. but you knew
that didnt you??




65/70: centrex
Name: The Leftist 71
Date: 4:52 pm  Mon May 25, 1987

Is there anyone that has any good info, <bell manuals etc..> on Centrex, or
maybe someone out there knows a few things about it that could post?? Centrex
in the home is pretty nice thing to have..only costs about 10 bucks to have it
installed, but its well worth it... more info later..





66/70: WELL...
Name: Sir Francis Drake 56
Date: 7:05 pm  Mon May 25, 1987

I HAVE SOME NON TECH CENTREX MANUALS SOMEWHERE...

I dont think its all that great right now but when the RBOC's are allowed to
do all their software stuff it will be pretty cool.  There are allread some
keen centrex packages for voice mail and stuff.

Ill go look for them.


sfd




67/70: Centrex
Name: Phantom Phreaker 46
Date: 5:59 pm  Sat May 30, 1987

  Leftist, what do you want to know about centrex? I know a bit about the
workings of them, the general description, how they are set up in a CO, etc.
Be more specific in your question...

Phantom



68/70: Blue boxing
Name: Icarus 15
Date: 3:28 am  Sun May 31, 1987

I have found that kp and st are not necessary when dialing off of a trunk.
After seizing the trunk, ac+ is all that is needed to call out.  This seems
strange.  Any comments?

Icarus




69/70: Reply^
Name: The Executioner 19
Date: 4:15 pm  Sun May 31, 1987

You are not seizing an interoffice trunk.

What you are doing is kind of pseudo-boxing, which is what we used to do
here in New Jersey. What would happen is that we would use MCI, get a
destination and then blow 2600. Since there were no restrictions on the
band width, and no filters, we would blow back a dial tone that was possible
to make international as well as alliance calls with crystal clarity.

I don't know the exact name of this but just that we weren't
seizing a trunk.

Ex y
  ^ nice space




70/70: DP Boxing
Name: Phantom Phreaker 46
Date: 8:41 am  Mon Jun 01, 1987

  Icarus, what you are talking about sounds like boxing using a DP (Dial
Pulse) trunk. DP 'boxing' doesn't use KP and ST, they use a time-out feature.
DP is made up of short bursts of 2600Hz tone. It isn't all that common as far
as I know, but some older SxS offices supposedly use it for outpulsing on
interoffice calls and to CAMA for billing. This means that either the homing
CAMA office can record dial pulse trunk signalling, or there is some sort of
sensor to translate it to MF before reception by the CAMA MF digit recievers.

Phantom




Post on Phreak/Hack Sub? No

                                      ^*^
=========================================================================
[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]
© Copyleft 1985-2021, Phrack Magazine.