"JOYRIDER"
The Ezine for the Aussie Phreaking Elite
Issue One
Contents
Editorial - Boris Grishenko
Basic Electronics - Thrashbarg
Modems - Bluefire
Argus Telecommunications - Boris Grishenko
DTMF - Hector
Ethics - Hector (edited by Boris Grishenko)
Networking - Shyft
SS7 Speech - Boris Grishenko
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Editorial - Boris Grishenko
Well folks, it's that time of the year again, when I have to crank out an editorial.
In this editorial I hope to make sense of the political infighting in the Ausphreak
forum. As we all know, Ausphreak was being administered by Xen0crates. I have known
Xen0 ever since the original Zaleth onecentre.com board. He came across as a bit of
a newbie, but eager to learn.
There were many incarnations of the Ausphreak forum, some good, some bad. There have
also been talks about a secret group, which doesn't surprise me. Then finally, Xen0
got wise, and made his own Ausphreak, the present Ausphreak.com.
The Ausphreak forum is a phpBB board, which isn't really administered properly. There
might be over 700 people using it, but how many of them post? How many of them WANT
to post? I try to be active as I can, but even I have been told I am flogging a dead
horse.
Just recently, NyCoN, the other admin of the board, took control away from Xen0. Under
normal circumstances, I would say "yay." But this time, I have to disagree. NyCoN is
proving he's just as bad an admin as Xen0. Plus he's in it for the power games. Politics
have been described to me as the second oldest profession, and it's remarkably similar
to the oldest profession (for those of you who don't know what I'm talking about, I mean
prostitution).
Now power is ok, in the hands of the right people. But you give the wrong person the
power, and you have a disaster on your hands. Look at Hitler... Stalin... Sadaam...
These people and more are prime examples of power going to people's heads. And in our
own phreaking community, N3t and $GX have let the power that the ESA afforded them
go to their heads, and thus expelling me when they learnt the "truth" about my
knowledge of the Avatar incident.
The ESA was a move in the right direction, but once again, politics intervened
and people went mad. They had very active plans to bring Ausphreak down. I no
longer talk to N3t or $GX, so I don't have to worry about their shit any longer.
Plus the ESA, which was mostly my idea, was a good idea, but its implementation,
especially with the php Nuke interface, was fucked up.
So, now, what do we have? A meeting place for over 700 people, that is not being
run the way it should be. In older times, I'd say come over to the ESA, but being
expelled from my own idea really pissed me off. Well, I can't really suggest a
future of Ausphreak. That's not my place. But there are a few interested people
gathering, and seeing what they can mould out of the eventual ashes of Ausphreak.
This ezine is the combined effort of the Aussie Phreaking Elite guys, and I'm proud
of all them. We hope to be able to bring you more quality articles soon. For the
time being, have a read, and enjoy our efforts. We intend to start off basic, and
work our way up. 'Cause that's how you learn, right?
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Basic Electronics - Thrashbarg
bsd_beats_ms@hotmail.com
When you begin to look at electronics on this level, then compare its
relative simplicity to what it is capable of in satellites, fibre optics,
radio and computers, it really shows how much technology has advanced over
the past one hundred years. No, it is not essential to understand what is
going on in electronics at this level, but with a little extra
understanding about what electronics precisely is, you will have an edge in
knowledge that others don't. Enough with the yabbering, on with the
article.
To have a good understanding of what electricity is it is necessary to
have an understanding of matter. All matter in the Universe is created from
atoms. Atoms are composed of three founding particles -- the electron, the
proton and the neutron.
The electron is the lightest of all the particles and can move around
freely. It has a negative charge. The proton and the neutron are much heavier
and sit in the middle of atoms to form the nucleus. The proton has a positive
charge and is about eighteen hundred times heavier than electrons.
There are two rules that apply to charges:
- Opposites attract
- Likes repel
This simply means that two positively charged protons will repel each
other, or two negatively charged electrons will repel, but a proton and an
electron will attract each other.
These three particles are arranged much like our Solar System. The
heavy, immovable nucleus sits in the middle and the light, mobile electrons
orbit the nucleus very quickly. Different amounts of protons in the nucleus
are responsible for the different types of elements that exist in the
Universe. Hydrogen has only one proton in its nucleus, helium has two,
lithium has three and so on. The neutrons are there to space out the protons
so they don't repel and destroy the atom. They can also create isotopes,
which I won't go into here. The electrons are responsible for what charge
the atom has. An atom with no charge is just that - an atom. An atom with a
charge is called an ion. Atoms become ions when electrons are removed or
added to the orbiting rings. If there are fewer electrons than protons, there is
a positive charge and if there are more electrons, there is a negative charge.
What this creates is static electricity. Static electricity is different
to the flowing electricity that is used every day. As its name suggests, it
simply sits there. A charge exists with static electricity but there is no
movement of electrons. This force can have effects on other materials that
surround the charged material. For example, a statically charged balloon will
stick to the wall for a short time. It doesn't stick for long because the
charge is soon lost through the wall itself.
In the case of a battery, there is a constant pull which causes
electrons to flow from the negative terminal to the positive. There is a lack
of electrons at the positive terminal or an excess of electrons at the
negative terminal. This is created by a chemical reaction that involves the
movement of electrons. This movement of electrons is directed to the battery's
terminals where it can be used for whatever purpose you want. The pull on
the battery's terminals is called an electromotive force, or EMF. It is
measured in volts or V.
There are three commonly used terms in simple electronics:
- Current
- Voltage
- Resistance
Current is a flow of electrons in a circuit, which is measured in
Amperes (Amps or A). Voltage is the force that pushes or pulls electrons
between two terminals, which is measured in Volts (V). Resistance is the
opposition to the movement of the electrons in a circuit, which is measured
in Ohms. Its symbol is the Greek letter Omega.
Anyway, I hope you have learnt something from this, perhaps some new
terms or just for some catching up on the founding theory. I'll get into
something slightly more interesting next issue. Until then, have fun.
Oh, and I don't guarantee that this information is 100% accurate either.
Don't go using this as a reference for physics tests or anything. :P
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Modems - BlueFire
BlueFire_jack@hotmail.com
www.TheJack.2ya.com
Modems got their name from putting two words together (Modulator and Demodulator).
The sending modem modulates the digital data into a signal so it can be passed
over the telephone network, then the receiving modem demodulates the signal back
into digital data.
Modems are called Data Communication Equipment (DCE) and computers are called Data
Terminal Equipment (DTE).

Computer          Modem                               Modem          Computer
 (DTE)  ________  (DCE)  ---------------------------  (DCE)  ________  (DTE)
                               Telephone lines

---- = Telephone line and the telco network
____ = Cable between your modem and computer
Between the computer (DTE) and the modem (DCE) a signalling standard is needed. The three
main ones are:
RS-232 (EIA/TIA-232)
V.35
HSSI (High-Speed Serial Interface)
RS-232 (EIA/TIA-232)
8 pins are used to connect the DTE to the DCE, for data transfer, flow control and modem
control. For a DB-25 connector the pins are:
Pin  Definition            Description
 2   Transmit Data         DTE-to-DCE data transfer
 3   Receive Data          DCE-to-DTE data transfer
 4   Request To Send       DTE signals buffer available
 5   Clear To Send         DCE signals buffer available
 6   Data Set Ready        DCE is ready
 7   Signal Ground
 8   Carrier Detect        DCE senses carrier
20   Data Terminal Ready   DTE is ready
When the DTE raises the voltage on pin 4, the DTE is telling the DCE that it has buffer
space and to start sending data. When the DCE raises the voltage on pin 5, the DCE is
telling the DTE that it can start sending data.
When the modem is turned on, the voltage is raised on pin 6 to tell the DTE that the DCE
is available to send and receive data. When the computer is turned on and the drivers
are loaded, the voltage is raised on pin 20 to tell the DCE that the DTE is available to
send and receive data. Pin 8 is controlled by the DCE and the voltage is raised when it
has established an acceptable carrier signal with a remote DCE.
Modem Modulation Standards
Modulation techniques determine how modems convert digital data into signals.
An analog waveform can be modulated in terms of its amplitude (the height of the signal),
its frequency, its phase (the position of the sine wave), or a combination of these qualities.
The V.?? series modulation standards are used nowadays, but before the V.?? series there
were the AT&T Bell 103 and Bell 212A, which only supported a low speed of 300 bps. By
altering the height (amplitude), frequency and phase (position) of analog waveforms, the
V.?? series achieves higher speeds.
ITU-T Modulation Standards
Standard    Maximum Transfer Rate
V.22        1200 bps
V.22bis     2400 bps
V.32        9600 bps
V.32bis     14,400 bps
V.34        28,800 bps
V.34bis     33,600 bps
V.90        56,000 bps
When modems initially connect (sometimes called the handshake), they agree on the highest
standard transfer rate that both can achieve.
Modems can have a range of 300 bps to 56 kbps. Most modems can adapt their transmission
rate to meet the remote modem and the speed the local loop (the telephone line between you
and the exchange) can support.
They do this by the modem first trying its highest rate and seeing if the remote modem talks
back; if it doesn't, it lowers the rate and tries again.
Error Control and Data Compression
Data compression algorithms typically require an error-correction algorithm. Some of the
many compression algorithms in use are V.42bis, MNP 5 and V.44; these three compression
algorithms operate with the error correction algorithms LAPM and MNP 4.
Data compression depends on the type of file being transferred: a standard text file
can be compressed by 50%, but compression algorithms can't compress a file well
if it has already been compressed by software, which may lead to larger files needing to
be transferred.
Hardware compression is a lot faster than software compression, so the modem should do
the compression, not software.
Most people mix up the speed of the modem with the speed at which the computer talks
to the modem.
DTE to DCE is how fast the computer communicates with the attached modem.
DCE to DCE is how fast the two modems communicate with each other over the telephone
network.
To get full benefit out of your compression, the computer should be set to clock the modem
at its fastest rate, to take advantage of compression.

   DTE              DCE                             DCE              DTE
 Computer  ______  Modem  -------------------------  Modem  ______  Computer
          <------>        <----------------------->        <------>
         115.2 kbps                28.8 kbps              115.2 kbps
Part 2 to come later
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Argus Telecommunications - Boris Grishenko
Argus Telecommunications is the telecommunications arm for the NSW State Railways.
The government are trying to merge it back with the Rail Infrastructure Corporation
(RIC), but at the moment, they exist as a separate entity. They supply and maintain
the telecommunications network for the railway, which is becoming ever more complex.
Most of the information I have in this document is from a railway telephone directory
from 1992, someone who works for Argus (who doesn't like saying anything, but will
confirm what I already know), and someone who was contracted to Argus. While this is
"slim pickings" it's better than knowing nothing at all.
The exchanges used by Argus (at least in 1992) were Ericsson M110s, and Philips 1200s.
The Philips systems are actually over-glorified PABXes. I found one scrap of information
about the Philips systems, a Year 2000 compliance statement. It pretty much said that
they weren't Year 2000 compliant.
As for the Ericsson switches, they are now called the Ericsson MD110. No wonder I
couldn't find out any information about them. They did support call waiting and other
advanced features, which was real news for 1992. Not even Telstra had this kind of
capabilities at this time, even with the roll out of Ericsson AXE and Alcatel System
12. The MD110 is also an over-glorified PABX.
Now, the systems exist over an ATM backbone up each of the main lines. This document
will mainly focus on my observations on the Blue Mountains line. This ATM backbone is
probably capable of about 155Mbit/sec. Most of the traffic is digital camera data,
from each station, which is piped into a head end in Sydney, and then into a
monitoring room.
There are a few head ends up the lines, Katoomba has been mentioned to me, but
there are enough Argus installations to sink a battleship. What to look for? The
distinctive "Welcome to Argus Telecommunications" sign.
At major places, like Lithgow, Blackheath, and Lawson, there are actual "exchange"
buildings. Other places, there are the "older" style huts, green, with concrete
walls, and metal doors. These usually have a vent on the top, with a cage around
it. There is also a demountable, also green, with two doors (one is a metal bar
type). These are usually in their own compound. Then finally there are the green
concrete huts with a "car port" over them, and an extraordinarily large air vent
on the top.
These usually exist within 500 metres of a station, so if you are looking, don't
look too far. Usually the green hut types are near sectioning huts, which aren't
always near the station. The demountable type has a guard around the bottom, so
pesky people like phreaks can't get under there, and cut the cables. Trying to
find the cables in a cable loom (in the ducts) would be nigh on impossible, and
would be in the raw fibre/ ATM format, requiring fibre tools and an ATM switch.
This is beyond the means of most phreaks, although, if you have the money, and
time, I'm willing to try.
Onto the computers, I wasn't able to get the actual types out of my contacts,
although I am trying. I do know, however, that Argus runs their own OS and
software, and these are developed by the RIC at Lidcombe. To tell the truth,
I wouldn't mind getting into this facility, and having a look through their
computers and manuals. Perhaps I will release errata to this document, as
more information comes to hand.
There are a few other exchanges and facilities in Sydney, namely, Petersham
(an office if I recall correctly), Central Station (on the south side there
is a large exchange, on the north side there is the monitoring room), and a
few others, which my contacts did not explain to me.
My interest in Argus? When I was a kid, I was interested in trains. Now I've
grown up, I'm interested in computers and phones (which have more of a future
than trains, which I am told are losing money every day). However, this allows
me to combine two of my loves, even though I'm not that interested in trains
anymore. Plus, their network interests me, how they've set it up, and
maintained it. The software development place would be an absolute gem to
visit, even if part of a TAFE course or something. I am told there are monitors
there larger than I can imagine (I've seen a 21-inch CRT in real life, that
was pretty cool).
In conclusion, Argus are a company that have braved the tough Australian
conditions, and come back with one hell of a network. They are doing quite
well, even though they charge twice as much as most other government
departments. And, even though they are probably working with primitive
gear, they still maintain this network, and keep it running.
Argus would be one hell of a phreak/ hack opportunity. Their system is
unique, and spread out over a physically large area. I haven't touched
on the radio communications used by the railways, because I'm not sure
if that falls under Argus. I would expect it would, but I don't have
anyone in my family or friends who still work for the railways.
Boris Grishenko.
ERRATA:
I have gained another contact in Argus, and had a good talk to him.
Hopefully, I will find out more from him, as he seems quite talkative
and knowledgeable. He gave me the impression that Argus workers are akin
to line techies from Telstra. He also went on to say the ATM link that
was installed had equipment from Siemens. "Their only big contract."
He used to work at the Central Exchange in Sydney for a period of time,
back in the days when it was an actual crossbar system. (That same system
is now used in computers, like SGI's Octane). He said that it took three
semitrailer loads to take the old crossbar out.
The software development centre at Lidcombe isn't actually part of Argus.
Apparently, it's a part of RIC, and they develop signalling system software
there (and I don't mean SS7).
Argus also take care of the station Public Address systems, and the Digital
Voice Announcement systems. There is a centralised control for the DVA, but
most of the time, it plays automatic messages (waiting for the next train
to Blue Mountains, and having the DVA say it's at the platform, when it's
actually 5 minutes away, really pisses me off).
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
DTMF - Hector
╔════════════════════════════════════════════════════════════════════════════╗
║                                                                            ║
║                        Dual Tone Multiple Frequency                        ║
║                                                                            ║
║            A Guide to Understanding and Exploiting Australia's             ║
║              Most Common Telecommunications Signaling Method               ║
║                                                                            ║
║                Written by Hector of SCP December 10th 2003                 ║
║                                                                            ║
║             Edited for 80 columns and DOS ASCII by Thrashbarg              ║
║                                                                            ║
╚════════════════════════════════════════════════════════════════════════════╝
CONTENTS
~~~~~~~~
SECTION 1: INTRODUCTION
SECTION 2: UNDERSTANDING DTMF
SECTION 3: DTMF EXPLOITS
SECTION 4: PROGRAMMING WITH DTMF
SECTION 5: HISTORY OF DTMF
SECTION 6: ACRONYMS AND TECHNICAL LANGUAGE DEFINITIONS
FOREWORD
~~~~~~~~
This text was written for the purpose of others who wish to further
their knowledge on Australia's most common telecommunications signaling
method - DTMF. Most Australian phreak enthusiasts who have little
experience in the field of phreaking will find this text very useful.
However a more experienced phreaker will most probably find that they
know most of the information within this text. If this is the case,
please do not complain to the author of this text, as it was intended for
inexperienced phreakers who are only in the beginning stages of learning
the art of phreaking. In this guide you will learn the basics of DTMF as
well as more advanced and complex uses for DTMF.
The information included in this text is in no way intended to be used
to defy any laws of any sort. All topics covered in this text are for
informational purposes only.
INTRODUCTION
~~~~~~~~~~~~
In this article you will learn the basic and advanced uses of
Australia's most common voice communications signaling method, DTMF.
From basics of DTMF through to its advanced uses, you will learn some
important information, exploits and flaws in the telephone system
regarding DTMF.
DTMF is the most common telecommunications signaling method used in
Australia. DTMF stands for Dual Tone Multiple Frequency; it is used to
send information through phone lines to and from your local exchange.
Dual Tone Multiple Frequency (DTMF) is also known as Touch-tone, Tone
Dialling, VF Signaling and MF Dialling.
Each DTMF tone consists of two simultaneous tones (one from the high
group and one from the low group), which are used to indicate which
number or symbol you press on your telephone's keypad. For example if
you press number 5 on your telephone's keypad, the tone you will hear
is 1336hz and 770hz played simultaneously.
DTMF is an extremely reliable signaling method used by all Australian
telecommunications companies to receive information from their customers.
Whenever a number is dialled on a home phone, office phone, public or
private payphone, DTMF is decoded and used by certain equipment inside
that particular area's local exchange to call the number you have
dialled. DTMF tones travel through the Red and Green (or Blue and
White) wires on your standard home and office telephone line, as do voice
signals.
Dual Tone Multiple Frequency is the basis of voice communications
control. Modern telephone circuits use DTMF to dial numbers, configure
telephone exchanges (switchboards) from remote locations, program certain
equipment and so on.
Almost any mobile phone is capable of generating DTMF, providing a
connection has already been established. This is for the use of phone
banking; voicemail services and other DTMF controlled applications. If
your mobile phone can not generate DTMF (or your home or office telephone
uses Decadic Dialling (Pulse Dialling) you can use a standalone Tone
Dialler or White Box, which you may or may not be able to find on the
market.
DTMF was designed so that it is possible to use acoustic transfer. The
DTMF tones can be sent from a standard speaker and be received using a
standard microphone (providing it is connected to a decoding circuit of
some type).
UNDERSTANDING DTMF
~~~~~~~~~~~~~~~~~~
DTMF tones are simply two frequencies played simultaneously by a
standard home phone/fax or mobile phone. Each key on your telephone's
keypad has a unique frequency assigned to it. When any key is pressed on
your telephone's keypad the circuit plays the corresponding DTMF tone
and sends it to your local exchange for processing.
DTMF tones can be imitated by using a White Box or Tone Dialler. It
is also possible to record DTMF tones using a tape recorder or computer
microphone, then played into the mouthpiece of your telephone to dial
numbers. However if there is a significant amount of background sound
behind the recorded DTMF tones, the tones may not work properly and cause
problems when trying to dial numbers. You can also download DTMF tones
via the S.C.P website in WAV or MP3 format.
Below is a Dual Tone Multi Frequency (DTMF) map for a 4X4-matrix
keypad, the map shows each unique frequency which is assigned to each
key on a standard 4X4 telephone keypad. The frequencies are exactly the
same for a 3X4 Matrix keypad, without the keys A, B, C and D.
┌───────────┬───────────┬───────────┬───────────┬───────────┐
│ FREQUENCY │  1209hz   │  1336hz   │  1477hz   │  1633hz   │
├───────────┼───────────┼───────────┼───────────┼───────────┤
│   697hz   │     1     │     2     │     3     │     A     │
├───────────┼───────────┼───────────┼───────────┼───────────┤
│   770hz   │     4     │     5     │     6     │     B     │
├───────────┼───────────┼───────────┼───────────┼───────────┤
│   852hz   │     7     │     8     │     9     │     C     │
├───────────┼───────────┼───────────┼───────────┼───────────┤
│   941hz   │     *     │     0     │     #     │     D     │
└───────────┴───────────┴───────────┴───────────┴───────────┘
As you will notice, this is not a standard keypad: it has 4
more keys than a standard keypad (3X4-matrix). The keys A, B, C and D
are not commonly used on standard home phone/fax, office phone or
payphone. Each of the keys A, B, C and D are system tones/codes and are
mainly used to configure telephone exchanges or to perform other special
functions at an exchange. For example, the corresponding tone/code
assigned to the A key is used on some networks to move through various
carriers (this function is prohibited by most carriers).
When DTMF was created individual and unique frequencies were chosen so
that it would be quite easy to design frequency filters, and so that the
tones could easily pass through telephone lines (the maximum guaranteed
bandwidth for a standard telephone line extends from around 300 Hz to
3.5 kHz). DTMF was not intended for data transfer; it was designed for
control signals only. With a standard DTMF encoder/decoder, it is
possible to signal at a rate of around 10 tones/signals per second. A
standard DTMF tone should always be played for at least 50ms with a
further 50ms space duration for maximum reliability.
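As an added example (not part of Hector's article), the following Python decoder shows how a receiving circuit actually tells the keys apart: it measures the energy at each of the eight frequencies in the table with the Goertzel algorithm, requires a clear winner in both the low and high group, and then frames a dialled sequence using the 50 ms tone and gap timing given above. The 8 kHz sample rate, 20 ms frame length and 4:1 rejection ratio are assumptions of this example, and all audio is synthesized inside the script rather than captured from a line.

```python
import math

# Standard DTMF frequency groups, as in the keypad table above.
LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEYS = (("1", "2", "3", "A"),
        ("4", "5", "6", "B"),
        ("7", "8", "9", "C"),
        ("*", "0", "#", "D"))
SAMPLE_RATE = 8000  # assumed telephone-grade sampling rate for this example


def synthesize(key, duration_ms=50, sample_rate=SAMPLE_RATE, amplitude=0.5):
    """Constructed input: the two simultaneous sine waves for one key."""
    for r, row in enumerate(KEYS):
        if key in row:
            low, high = LOW_FREQS[r], HIGH_FREQS[row.index(key)]
            break
    else:
        raise ValueError(f"not a DTMF key: {key!r}")
    n = int(sample_rate * duration_ms / 1000)
    return [amplitude * (math.sin(2 * math.pi * low * i / sample_rate)
                         + math.sin(2 * math.pi * high * i / sample_rate))
            for i in range(n)]


def build_signal(keys, tone_ms=50, gap_ms=50, sample_rate=SAMPLE_RATE):
    """Constructed input: a dialled sequence, each tone followed by silence."""
    gap = [0.0] * int(sample_rate * gap_ms / 1000)
    out = []
    for k in keys:
        out += synthesize(k, tone_ms, sample_rate) + gap
    return out


def goertzel_power(samples, freq, sample_rate=SAMPLE_RATE):
    """Energy at one frequency via the Goertzel recurrence (a single-bin DFT)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / sample_rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode(samples, sample_rate=SAMPLE_RATE, ratio=4.0):
    """Return the key whose low and high tones dominate, or None if no clear tone.

    The winning bin in each group must carry at least `ratio` times the energy
    of the next strongest bin, so silence, noise or a tone too short to resolve
    the 73 Hz spacing of the low group is rejected instead of misread.
    """
    low = [goertzel_power(samples, f, sample_rate) for f in LOW_FREQS]
    high = [goertzel_power(samples, f, sample_rate) for f in HIGH_FREQS]
    li = max(range(4), key=low.__getitem__)
    hi = max(range(4), key=high.__getitem__)
    for powers, idx in ((low, li), (high, hi)):
        runner_up = max(p for i, p in enumerate(powers) if i != idx)
        if powers[idx] <= 0.0 or powers[idx] < ratio * max(runner_up, 1e-12):
            return None
    return KEYS[li][hi]


def decode_sequence(samples, sample_rate=SAMPLE_RATE, frame_ms=20, min_frames=2):
    """Split audio into fixed frames and return the dialled keys as a string.

    A key is accepted once `min_frames` consecutive frames agree on it, and is
    only reported again after a frame of silence or of a different key; this is
    why the 50 ms tone plus 50 ms gap timing above matters to a receiver.
    """
    n = int(sample_rate * frame_ms / 1000)
    keys, last, run = [], None, 0
    for i in range(0, len(samples) - n + 1, n):
        key = decode(samples[i:i + n], sample_rate)
        run = run + 1 if key == last else 1
        last = key
        if key is not None and run == min_frames:
            keys.append(key)
    return "".join(keys)


if __name__ == "__main__":
    print(decode_sequence(build_signal("50#")))  # 50#
```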
DTMF EXPLOITS
~~~~~~~~~~~~~
Exploiting DTMF is a relatively easy task to accomplish.
First of all some general knowledge about DTMF is required, as well
as a device which will produce at least the 12 standard DTMF tones.
Although a DTMF decoder is not always essential when performing simple
DTMF exploits, it will save you a lot of time if DTMF decoding is
required. If you are unable to obtain a Tone Dialler and you are also
unable to build a White Box, it is possible to use a CD with each of
the 12 or 16 DTMF tones assigned to each track, then played through a
portable CD player. Another possible substitute for a DTMF producing
device is a portable MP3 player used in the same manner as the CD method.
Numbers which have been blocked from being dialled on a payphone (by
the specific telecommunications company who owns the payphone) can
easily be bypassed with a simple DTMF exploit (so long as it is a
software block and not blocked at the exchange level). When a number is
blocked on a payphone the only thing that is preventing the payphone
user from dialling that specific number is the payphone's software.
This software can be easily bypassed by using a DTMF emitting device.
For example, if the payphone which the user is using has the number
1234567890 blocked from being dialled, you can bypass the payphone's
software block by dialling 123, then with your DTMF emitting device dial
the rest of the number (4567890). This should connect the payphone user
to the blocked number, regardless of any software the payphone might
have to prevent that specific number from being dialled.
The theory behind this DTMF exploit procedure is that the lowest
number prefix that is possible to be dialled from a payphone is three
digits long. The most common payphone you will come across is the Telstra
Smartphone. These specific payphones only enable the microphone
(mouthpiece) to be used after 3 DTMF tones have been registered and
decoded at the payphone's local exchange. After the third DTMF tone/signal
has been played, the mouthpiece must be able to receive voice signals (and
other signals such as DTMF) because if someone dialled 000, they would
not be able to speak to the operator, because the microphone would be
disabled. You are unable to use your DTMF emitting device to play the
first three DTMF tones/signals because the Smartphone's microphone
(mouthpiece) is disabled. To enable the Smartphone's mouthpiece you
will need to dial the 3 DTMF tones via the payphone's keypad itself.
Once the mouthpiece is enabled you are now able to send your DTMF
tones/signals into the mouthpiece via your DTMF emitting device.
Decoding DTMF is a relatively easy task to accomplish, providing you
have access to DTMF decoding hardware and/or software. DTMF tones are
always used for entering PIN numbers, ID numbers and other similar
personal information via a telephone keypad. All that is involved to gain
a PIN number via DTMF is some general telephone social engineering skills
and a DTMF decoder of some sort (hardware or Software), as well as a tape
recorder or other audio recording device.
First of all, to gain a PIN number using DTMF you will need to know
what company or business the account holder (victim) is using and find
out if the account can be accessed via a telephone. If you already know
what business your victim has an account with, try to find a members
access number with a login facility. For example, if you are attempting
to gain a corresponding PIN number for a FAST (Field Access to Sultan
Testing) ID number, the access number would be the number for FAST
(not disclosed here for certain reasons). Dial the access number for the
certain company in which your victim owns an account, then record the
welcome message. If you do not think the welcome message is appropriate
for your social engineer (which you will be performing to your victim),
you should either edit the welcome message or use a good text to speech
program. If you do use a Text to Speech program, try to make sure you
use a program with an Australian accent (female voices sound more
convincing and professional).
Once you have successfully accomplished the above tasks you are now
ready to begin your social engineer. Use a fake name in full (last name
and first name), and make sure you tell your victim exactly what you
want them to do, without stuttering or pausing in your speech. Try to
make your voice sound as if you have already done this a million times
and you are looking forward to it all being done with. Never ask straight
out for your victim's PIN number. Make sure you always ask a couple of
simple questions, then play the recorded welcome message asking the
customer to enter their PIN and/or ID number. You will need to record
the DTMF sequence your victim enters, for later decoding.
Once your victim is done entering their personal information (in this
case their FAST ID number and their corresponding PIN), either hang up if
appropriate or begin to talk with them once again. The following script
is an example of gaining a corresponding PIN for a FAST account.
Ring Luke Gresham - Telstra Employee
Victim: Hello, Luke speaking.
Phreak: Good afternoon Luke, my name is George Bualic, I am one of
Telstra's administrators for the FAST system. I have been scanning
through some FAST access statistics and have found your ID number,
34750086 has been experiencing some problems when attempting to
login. Have you had any trouble accessing FAST?
Victim: No
Phreak: Ok, I will just need to perform some tests on our system to
clear up some of these errors, would you be so kind as to enter
the required information once I forward you through to our test
section?
Victim: Yeah, I guess that is ok.
Phreak: Ok, thank you Luke.
Play your edited FAST message. Example: Welcome to Telstra's FAST test
facility, please enter your employee number followed by your PIN.
Once your victim has entered the required information hang up.
Now that you have recorded the previous tones your victim pressed, use
your DTMF decoding hardware or software to decode the frequencies. Your
DTMF decoding equipment or software should now display the digits your
victim previously entered via his or her keypad in DTMF format, thus
showing the PIN they had previously entered.
PROGRAMMING WITH DTMF
~~~~~~~~~~~~~~~~~~~~~
There are multiple different DTMF sequences to program the same
character; it depends on the equipment, system or application you are
using and/or programming. For example, on a standard 3X4-matrix keypad
the (1) key has no alphabetic value, only numeric. So no alphabetic
characters can be programmed using the (1) key. The (2) key will usually
have 4 different values, A, B, C and 2 whereas a differently designed
keypad may have alphabetic value assigned to the (1) key, thus changing
the alphabetic value of the (2) key.
When programming alphanumeric characters with DTMF, the tones are most
commonly repeated until the specific character is displayed on the LCD
screen or other type of monitor. Then either * or # (depending on the
DTMF receiving equipment) is used to enter the current character and
begin to program the next. The * and # keys are used for entering
characters and deleting characters, most commonly * is used for deleting
and exiting and # is used for entering. Not all equipment, applications
or systems use DTMF to program words, they also use DTMF strings for
different commands to perform certain functions on a system, application
or piece of equipment. The table below shows the alphabetic values and
functions assigned to each of the 12 standard numeric keys on a standard
alphanumeric keypad.
+-----+---------------+-----+---------------+-----+---------------+
| Key | Character     | Key | Character     | Key | Character     |
+-----+---------------+-----+---------------+-----+---------------+
| 1   | 1             | 2   | A, B, C, 2    | 3   | D, E, F, 3    |
| 4   | G, H, I, 4    | 5   | J, K, L, 5    | 6   | M, N, O, 6    |
| 7   | P, Q, R, S, 7 | 8   | T, U, V, 8    | 9   | W, X, Y, Z, 9 |
| *   | (Clear)       | 0   | (Zero)        | #   | (Enter)       |
+-----+---------------+-----+---------------+-----+---------------+
Note: This is the most common layout of an alphanumeric keypad. There
are many different variations of keypads but generally all DTMF
programming software and hardware run under the same principles. On this
specific design of alphanumeric keypad the DTMF sequence to type the
letters DTMF is 3#8#6#333#. To type the word PHREAK, the DTMF sequence
is 7#44#777#33#2#55#.
The table below shows each standard DTMF sequence and the assigned
alphanumeric values and functions of each tone and tone sequence.
+---------------+-----------------------------+
| DTMF Sequence | Alphanumeric Character      |
|               | or Function                 |
+---------------+-----------------------------+
| 0             | 0                           |
| 1             | 1                           |
| 2222          | 2                           |
| 3333          | 3                           |
| 4444          | 4                           |
| 5555          | 5                           |
| 6666          | 6                           |
| 77777         | 7                           |
| 8888          | 8                           |
| 99999         | 9                           |
+---------------+-----------------------------+
| 2             | A                           |
| 22            | B                           |
| 222           | C                           |
| 3             | D                           |
| 33            | E                           |
| 333           | F                           |
| 4             | G                           |
| 44            | H                           |
| 444           | I                           |
| 5             | J                           |
| 55            | K                           |
| 555           | L                           |
| 6             | M                           |
| 66            | N                           |
| 666           | O                           |
| 7             | P                           |
| 77            | Q                           |
| 777           | R                           |
| 7777          | S                           |
| 8             | T                           |
| 88            | U                           |
| 888           | V                           |
| 9             | W                           |
| 99            | X                           |
| 999           | Y                           |
| 9999          | Z                           |
+---------------+-----------------------------+
| *             | Clear, Reset, Back,         |
|               | Exit (equipment varies)     |
| #             | Enter, Ok, Next             |
|               | (equipment varies)          |
+---------------+-----------------------------+
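The multi-tap scheme the two tables above describe, written out as a small encoder and decoder. This is an added example, not code from the original article; it assumes the most common layout shown above, with # as the enter key and * as clear, both of which the article notes vary between equipment.

```python
"""Multi-tap DTMF text encoding as laid out in the keypad tables above.

Added example, not part of the original article.  Assumes the most common
layout: '#' enters the current character, '*' clears the in-progress one.
Both keys are parameters because, as the article notes, equipment varies.
"""

# Characters reachable from each key, in tap order (the digit itself is last).
KEYPAD = {
    "0": "0",
    "1": "1",
    "2": "ABC2",
    "3": "DEF3",
    "4": "GHI4",
    "5": "JKL5",
    "6": "MNO6",
    "7": "PQRS7",
    "8": "TUV8",
    "9": "WXYZ9",
}

# Reverse lookup built from the table: character -> (key, number of taps).
_TAPS = {ch: (key, i + 1)
         for key, chars in KEYPAD.items()
         for i, ch in enumerate(chars)}


def encode(text, enter="#"):
    """Return the DTMF key sequence that spells `text` on the keypad.

    Each character becomes its key repeated tap-count times followed by the
    enter key, e.g. "DTMF" -> "3#8#6#333#".  Letters are case-insensitive;
    a character that is not on the keypad raises ValueError.
    """
    out = []
    for ch in text.upper():
        if ch not in _TAPS:
            raise ValueError("character %r is not on the keypad" % ch)
        key, taps = _TAPS[ch]
        out.append(key * taps + enter)
    return "".join(out)


def decode(sequence, enter="#", clear="*"):
    """Turn a DTMF key sequence back into the text it programs.

    Keys are scanned one at a time: repeated presses of the same key build up
    a tap count, `enter` commits the character, and `clear` discards the
    character in progress (the table's Clear/Back function).  Changing key
    before pressing enter, or ending mid-character, is reported as an error.
    """
    text = []
    run = ""  # the key presses accumulated for the current character
    for key in sequence:
        if key == enter:
            if run:
                chars = KEYPAD[run[0]]
                if len(run) > len(chars):
                    raise ValueError("too many taps on key %s" % run[0])
                text.append(chars[len(run) - 1])
                run = ""
        elif key == clear:
            run = ""
        elif key in KEYPAD:
            if run and run[0] != key:
                raise ValueError("key changed from %s to %s before enter"
                                 % (run[0], key))
            run += key
        else:
            raise ValueError("unknown DTMF key %r" % key)
    if run:
        raise ValueError("sequence ended without pressing enter")
    return "".join(text)


if __name__ == "__main__":
    print(encode("DTMF"), encode("PHREAK"))
    print(decode("7#44#777#33#2#55#"))
```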
HISTORY OF DTMF
~~~~~~~~~~~~~~~
Before DTMF was created, telephone networks used a dialling system
called Decadic (also known as Pulse Dial). The Decadic system was used
extensively in the telephone networks of the day to dial the numbers
entered by the telephone companies' users. The Decadic (Pulse Dialling)
system used a series of clicks (which could be heard through the speaker
of the phone) to dial the numbers entered via a keypad or rotary dial.
The clicking sounds were actually the phone line being connected,
disconnected and reconnected again in a certain pattern. The Decadic
(Pulse Dialling) system was very useful, but was limited to local
exchange connections, requiring an operator to connect long distance
calls.
In the late 1950s, DTMF was being developed at Bell Labs for the purpose
of allowing tone signals to dial long distance numbers, which could
potentially be dialled not only via standard wire networks, but also via
radio links and/or satellites.
DTMF was being developed for the electronic telecommunications switching
systems of the future, as opposed to the mechanical crossbar systems
which were in use at the time. After DTMF was created there was no point
continuing with Decadic dialling; it made no sense to keep using that
dialling system in the equipment circuits the telephone exchanges were
using at the time. Plans were then made to begin manufacturing DTMF
controlled switching systems for the communications exchanges, and later
standard customer owned telephones were upgraded to DTMF circuits rather
than Decadic (Pulse Dial). After various tests were performed on the DTMF
system throughout the 1960s (when DTMF became known as Touch-Tone), DTMF
was made official, and was then used as the main telecommunications
dialling and switching system, which remains the case to this day.
ACRONYMS AND TECHNICAL LANGUAGE DEFINITIONS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Throughout this text, technical language and acronyms were used to refer
to certain equipment and types of systems. The acronyms and technical
language definitions below are provided to help the reader understand the
technical language and acronyms used in this text.
+---------+--------------------------------+
| Acronym | Meaning                        |
+---------+--------------------------------+
| DTMF    | Dual Tone Multiple Frequency   |
| FAST    | Field Access to Sultan Testing |
| ID      | Identification                 |
| MF      | Multiple Frequency             |
| PIN     | Personal Identification Number |
| VF      | Voice Frequency                |
+---------+--------------------------------+
+------------------+--------------------------------------------------------+
| Technical Term   | Definition                                             |
+------------------+--------------------------------------------------------+
| Acoustic         | The sending of DTMF tones/signals from a standard      |
| Transfer         | speaker to a standard telephone or decoder microphone. |
+------------------+--------------------------------------------------------+
| Carrier          | A company that offers telecommunications services      |
|                  | either interstate or internationally via a telephone   |
|                  | network.                                               |
+------------------+--------------------------------------------------------+
| Decadic          | The dialling and switching system used by              |
|                  | telecommunications companies prior to Dual Tone        |
|                  | Multiple Frequency.                                    |
+------------------+--------------------------------------------------------+
| Decode           | To visually see the corresponding digits assigned to   |
|                  | each unique frequency via a decoder circuit of some    |
|                  | sort.                                                  |
+------------------+--------------------------------------------------------+
| Encoder          | A specific piece of hardware or software, which is     |
|                  | used to play the unique frequencies assigned to each   |
|                  | of the keys on a telephone's keypad.                   |
+------------------+--------------------------------------------------------+
| Exploit          | A way of bypassing and or breaching some kind of       |
|                  | security, which has been intentionally put in place by |
|                  | someone else.                                          |
+------------------+--------------------------------------------------------+
| Flaw             | A security hole in a specific system or application,   |
|                  | which is a fault in the equipment, application or      |
|                  | system.                                                |
+------------------+--------------------------------------------------------+
| Frequency        | The number of cycles, oscillations or vibrations of a  |
|                  | wave motion or oscillation which is measured in unit   |
|                  | time.                                                  |
+------------------+--------------------------------------------------------+
| Keypad           | A device consisting of the 12 or 16 standard           |
|                  | alphanumeric keys, which is part of a telephone's      |
|                  | dialling mechanism.                                    |
+------------------+--------------------------------------------------------+
| Phreak           | One who studies and exploits telephone systems and     |
|                  | networks to further their knowledge of its workings.   |
+------------------+--------------------------------------------------------+
| Pulse Dial       | The non-technical term for Decadic, a system where     |
|                  | numbers are dialled by connecting, disconnecting, then |
|                  | reconnecting the phone line.                           |
+------------------+--------------------------------------------------------+
| Rotary Dial      | The dialling mechanism used prior to keypads. A Rotary |
|                  | Dial is a circular piece of plastic, which is turned   |
|                  | by your fingers to dial numbers.                       |
+------------------+--------------------------------------------------------+
| Social           | The art of tricking certain people (in this case,      |
| Engineering      | Telstra employees) into doing something they would not |
|                  | usually do.                                            |
+------------------+--------------------------------------------------------+
| Tone Dialler     | A standard handheld DTMF producing device, which is    |
|                  | used to control applications and equipment remotely    |
|                  | using acoustic transfer.                               |
+------------------+--------------------------------------------------------+
| Touch-Tone       | The name given to the DTMF system in the 1960s,        |
|                  | Touch-Tone is the non-technical name for Dual Tone     |
|                  | Multiple Frequency.                                    |
+------------------+--------------------------------------------------------+
| White Box        | The name given to a homemade Tone Dialler, a White Box |
|                  | is used in exactly the same way as a standard Tone     |
|                  | Dialler.                                               |
+------------------+--------------------------------------------------------+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Ethics - Hector (edited by Boris Grishenko)
S.C.P has very strong beliefs that knowledge can be found and acquired without
any malicious behavior whatsoever. Respect for Telco employees should always
be shown. You may lie to and social engineer a telco employee without doing any
damage to his / her job or reputation in the process.
Trashing is stealing, but it is stealing rubbish - papers and devices which
others do not wish to keep any longer. When you trash you are trespassing on
private property, but if you think about it, what harm are you doing?
Care should always be taken when beige boxing so as to not cut any lines. Beige
boxing is an important part of phreaking, however, you do not have to use your
Beige Box to charge a random person for your calls, if you are using a line which
belongs to a random person only dial toll free numbers (1800s). Remember these
people are just people - with jobs and a family to look after. Try to use your
Beige Box on a payphone line if you are wanting a free call and not a random
person's line.
Never endanger a telco employee in any way. You must never physically or verbally
abuse a telco employee because of something you do not like about the company they
are a part of. Remember they are just doing their job.
The S.C.P Code.
1) Telephone lines must never be cut under any circumstances while beige boxing.
2) You must never vandalise any telecommunications equipment, payphones or anything
else which belongs to a telco company.
3) You must never do anything to discredit the reputation of Australian phreakers
by doing anything which is inappropriate - e.g Vandalism.
4) Phreaking is not anarchy, phreaking is an art learned by those with a particular
interest in the workings of telephone systems and finding exploits and holes.
5) An S.C.P member must never use their skills to make profit of any kind. Whether
it be at their own expense or another's.
6) Try your best to leave everything to look as if it has been untouched - e.g
Exchange bin, Cables after beige boxing.
These are all very good ethics. As Hector mentioned, phreaking is an art, learned
and perfected after many years of study and experimentation. I *ALWAYS* show respect
for the gear that I phreak from, or break into. And you should too. Without the
telephone network, how would you talk to your mate down the road? Or across the world?
You take it for granted that the telephone system is there for you, a modern miracle.
Now, why should you deny someone's right to use the network, by cutting their line,
or running up their phone bill?
I've been asked by a number of people "why haven't you smashed up the GSM base station
at TAFE?" I was disgusted. Sure, it isn't mine, but I treat it like it is. You do not
learn by smashing the shit out of something. And how am I supposed to learn about
hacking SMSCs like I want to, if someone else takes to it with a sledgehammer? Phreak
to learn, because this is the essence of phreaking.
Sure, the free calls are nice. So is the free SMS. But wishing and hoping for another
straw trick and smashing up random bits of telco equipment in the meantime? This isn't
phreaking, and if you're one of these people, go away. We don't want you. Respect is the
key word. The authorities and telco companies believe we don't have respect. But like
any group, there is always a small few who try to bring down the whole house.
Practice moderation. If you start running up calls to 1900/ 1902 numbers on someone's line
how are they expected to pay it? You know you wouldn't like it, so why do it to someone
else, someone you probably don't even know.
I'm not trying to sound all preachy and shit. I'm just helping lay down the ground rules
for our exciting hobby. Or, for some of us, our life. So yes, phreak, but please,
consider...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Networking - Shyft
pun_croc@hotmail.com
What is networking?
Networking is basically connecting two or more computers so they can communicate, share
internet connections, applications, printers, etc. In this tutorial I will be explaining
what equipment you need and how to put it all together. This is designed to be a beginner's
guide, so if you've ever set up a network there will be nothing new for you.
Equipment
NIC (network interface card)
A network card allows you to plug a network cable (see below) into your computer.
Every computer you want to have on the network needs a NIC. Some motherboards have onboard
NICs, so if you have this then you don't need a separate NIC. They are pretty damn cheap and
they plug straight into a PCI slot on your motherboard. NICs are rated by how fast they can
transmit/receive data. 10 means 10 Mbits/sec, 10/100 means it's compatible with 10 and
100 Mbits/sec networks.
Cables
You need one cable per computer. There are many different types of cables available but
I suggest using Cat5e. This cable will support 10 and 100 Mbit LANs. There are two
different types of Cat5e cable: straight through and crossover. A crossover cable is
used to connect only two computers directly. A straight through cable is used to connect a
computer to a hub or switch (see below).
Hubs/Switches
Hubs and switches are devices that allow a lot of computers to communicate at once. The
only difference between a hub and a switch is that a hub shares bandwidth and a switch
dedicates bandwidth. This means that if you have a 100 Mbit hub with 5 computers connected
to it, then each computer will get 20 Mbit/sec bandwidth. On the other hand, with a 100 Mbit
switch with 5 computers connected, each computer will have 100 Mbit/sec bandwidth. Hubs
are pretty much obsolete nowadays and you can pick up an 8 port switch really cheap.
Installation
Now that you have all your equipment it's time to put it all together. This is extremely
easy. First you put your NIC into your computer. If you don't know how to put a card into
the motherboard, find someone who does. Next, if you are using a crossover cable for only
2 computers, you simply plug one end of the cable into one NIC and the other end into
the other NIC. If you are using 2 or more computers and a hub or switch, just plug a cable
from each NIC to one of the hub/switch ports. Do this for every computer.
Well, that's pretty much it. A LAN at home is pretty cheap and simple. Although I will make
a note here: at this point your network will NOT be working, because configuration of the
software side still needs to be done. Stay posted for my next tutorial, which will cover
configuring a network using Windows 2000.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
SS7 Speech - Boris Grishenko
Introduction
My name is Boris Grishenko. I am the leader of a group known as EMHi Research and Development.
We operate in the Sydney and Blue Mountains areas. Our main focus is programming and
development of software. We have a few members, and hope to get some more. We are all phreaks,
and hackers of sorts. Our common interests are what links us together.
Why am I so qualified to talk about SS7? Because I have been studying the subject for about a
year now, and wish to get right into it, if my mother gives me the money she owes me. I have an
interest in OpenSS7, and HP's OpenCall. These are switching platforms.
What is SS7?
SS7, or Signalling System 7, is a relatively new development in the world of telephony. It has
been around for almost 15 years in one form or another. It is a switching system, which uses
"out of band" signalling. This is opposed to the older CCITT signalling that used "in band"
signalling. Since the signalling was in band, it could be easily phreaked, and was easily
phreaked. This is where the Blue Box came in.
Although more expensive to implement, SS7 has the benefits of using the out of band signalling.
This means you can't blow a 2600Hz tone, and drop onto the carrier. As the world converges into
the digital age, the line between hacking and phreaking is becoming more and more blurred.
Practically everything on a telephone network that you can think of hangs off SS7, including
SMSCs, exchanges, and other network elements. They communicate to each other using X25 links.
For reference, X25 is a packet switching system, akin to the internet, but much harder to use.
You don't have URLs on X25! X25 was introduced in the 70s, and a lot of the Telstra core systems
hang off it. The core systems are mostly HP9000s and IBM RS6000s.
Network Elements
There are many network elements in SS7. I've described some, and will go into detail in this
section. I've heard this described as an Acronym Intensive Network, which is what it is.
The SSP, or Service Switching Point, is your basic, butt ugly exchange. These are usually
Ericsson AXE, although I have heard of Alcatel System 12 exchanges too. I'm not really
familiar with the Alcatel ones, but I know a little bit about AXE. I was lucky to find a file
that kind of describes the interior layout of an AXE exchange.
The STP, or Signaling Transfer Point, is the next step up. These control the exchanges. They
make sure that the links are made between exchanges, in the correct order, and make sure calls
go through. They are akin to a router. The data links, as described earlier, take place on a
different circuit to the voice links, so trying to phreak from your phone line is impossible.
The SCP, or Service Control Point, is the database servers for the IN, or Intelligent
Network. I expect this is where billing is recorded, and sent out from. Other nice things,
like whom you called, how long you were on the phone, and what colour your toilet is would
be recorded in this. If you were looking to modify data on a person's link status, such as
upgrading your phone line service from incoming calls only, to full link, then this is where
you would attack.
The SMS, not to be confused with Short Message Service, is the Service Management System. I
expect this to be a mainframe, with a bunch of terminals hooked up to it. It controls,
updates and otherwise maintains the Intelligent Network. It would be from here that the commands
to update the status of phone lines would be issued.
The references I have don't go into mobile phone switching. It is a whole new ballgame, having
such network elements as the SMSC, the Short Message Service Centre, the HLR, the Home Location
Register, and other database type elements.
So how would I phreak the SS7 Network?
Well, Telstra have an X25 network that I have heard referred to as the CDN, or the Corporate Data
Network. This was in a document I have about security in exchanges, and how the security system
interacts with some Digital Equipment Corporation VAX servers. Apart from that, there is no
information. Then again, there isn't much information about Transcend, the banks' X25 network,
but I do know it exists.
To phreak the SS7 network, you would need to hack into the CDN, get the right core server that
you want, and I bet there's quite a few, and make the changes from there. In theory, you could
make it so that whole exchanges get free phone calls until Telstra get wise, and stop it.
The phreaking, or hacking, if you will, of the SS7 network will give you more power than the
blue boxers of the olden days. They were restricted to the limitations of the networks of the
time. Now we have an increasingly complex telephone system, with more and more options and
features being added every day.
For example, the "101" service is an intelligent service, run on a few database servers
in the core systems. This pretty much made the answering machine redundant, and it's being
offered free to Telstra subscribers. I'm with AAPT, and haven't used it, so I don't know how
it works. I just know it's a recent example of an intelligent service.
Other intelligent services are things such as *10#. This is a nifty little program that I use
a lot. As long as it isn't my mother calling, I pretty much know who's calling. It's almost
essential now, and you wonder how you got along without it. All these services and features
are programs being run on exchanges and the core servers.
Conclusion
Now you know a little about the SS7 network. I hope you found this interesting and informative.
If you have any more questions, I'll be happy to answer them later on, or on the board after
this meeting. And I hope it inspires you to go out and do something about this new generation
in phreaking. Even if you try something like OpenSS7 on a Linux box, and muck around with that,
which is exactly what I'm going to do until I get my hands on a copy of OpenCall.
Until the next time gentlemen...