Joyrider Issue One

All you've ever wanted to know about Phreaking. Many of the actions described in these tuts are illegal. They are presented for informational purposes only.

Joyrider Issue One

Post by Net Battle Bot » Tue Feb 22, 2005 7:23 pm


The Ezine for the Aussie Phreaking Elite

Issue One


Editorial - Boris Grishenko
Basic Electronics - Thrashbarg
Modems - Bluefire
Argus Telecommunications - Boris Grishenko
DTMF - Hector
Ethics - Hector (edited by Boris Grishenko)
Networking - Shyft
SS7 Speech - Boris Grishenko


Editorial - Boris Grishenko

Well folks, it's that time of the year again, when I have to crank out an editorial. 
In this editorial I hope to make sense of the political infighting in the Ausphreak 
forum. As we all know, Ausphreak was being administered by Xen0crates. I have known 
Xen0 ever since the original Zaleth board. He came across as a bit of 
a newbie, but eager to learn.
There were many incarnations of the Ausphreak forum, some good, some bad. There have 
also been talks about a secret group, which doesn't surprise me. Then finally, Xen0 
got wise, and made his own Ausphreak, the present
The Ausphreak forum is a phpBB board, which isn't really administered properly. There 
might be over 700 people using it, but how many of them post? How many of them WANT 
to post? I try to be active as I can, but even I have been told I am flogging a dead 
Just recently, NyCoN, the other admin of the board, took control away from Xen0. Under 
normal circumstances, I would say "yay." But this time, I have to disagree. NyCoN is 
proving he's just as bad an admin as Xen0. Plus he's in it for the power games. Politics 
have been described to me as the second oldest profession, and it's remarkably similar 
to the oldest profession (for those of you who don't know what I'm talking about, I mean 
Now power is ok, in the hands of the right people. But you give the wrong person the 
power, and you have a disaster on your hands. Look at Hitler... Stalin... Sadaam... 
These people and more are prime examples of power going to people's heads. And in our 
own phreaking community, N3t and $GX have let the power that the ESA afforded them 
go to their heads, and thus expelled me when they learnt the "truth" about my 
knowledge of the Avatar incident.
The ESA was a move in the right direction, but once again, politics intervened 
and people went mad. They had very active plans to bring Ausphreak down. I no 
longer talk to N3t or $GX, so I don't have to worry about their shit any longer. 
Plus the ESA, which was mostly my idea, was a good idea, but its implementation, 
especially with the php Nuke interface, was fucked up.
So, now, what do we have? A meeting place for over 700 people, that is not being 
run the way it should be. In older times, I'd say come over to the ESA, but being 
expelled from my own idea really pissed me off. Well, I can't really suggest a 
future of Ausphreak. That's not my place. But there are a few interested people 
gathering, and seeing what they can mould out of the eventual ashes of Ausphreak.
This ezine is the combined effort of the Aussie Phreaking Elite guys, and I'm proud 
of all them. We hope to be able to bring you more quality articles soon. For the 
time being, have a read, and enjoy our efforts. We intend to start off basic, and 
work our way up. 'Cause that's how you learn, right?


Basic Electronics - Thrashbarg

     When you begin to look at electronics on this level, then compare its
relative simplicity to what it is capable of in satellites, fibre optics,
radio and computers, it really shows how much technology has advanced over
the past one hundred years. No, it is not essential to understand what is
going on in electronics at this level, but to have a little extra
understanding about what electronics precisely is, you will have an edge on
your knowledge that others don't. Enough with the yabbering, on with the

     To have a good understanding of what electricity is it is necessary to
have an understanding of matter. All matter in the Universe is created from
atoms. Atoms are composed of three founding particles -- the electron, the
proton and the neutron.

     The electron is the lightest of all the particles and can move around
freely. It has a negative charge. The proton and the neutron are much heavier
and sit in the middle of atoms to form the nucleus. The proton has a positive
charge and is about eighteen hundred times heavier than electrons.

     There are two rules that apply to charges:

          - Opposites attract
          - Likes repel

     This simply means that two positively charged protons will repel each
other, or two negatively charged electrons will repel, but a proton and an
electron will attract each other.

     These three particles are arranged much like our Solar System. The
heavy, immovable nucleus sits in the middle and the light, mobile electrons
orbit the nucleus very quickly. Different amounts of protons in the nucleus
are responsible for the different types of elements that exist in the
Universe. Hydrogen has only one proton in its nucleus, helium has two,
lithium has three and so on. The neutrons are there to space out the protons
so they don't repel and destroy the atom. They can also create isotopes,
which I won't go into here.  The electrons are responsible for what charge
the atom has. An atom with no charge is just that - an atom. An atom with a
charge is called an ion. Atoms become ions when electrons are removed or
added to the orbiting rings. If there are fewer atoms than protons, there is
a positive charge and if there are more electrons, there is a negative charge.

     What this creates is static electricity. Static electricity is different
to the flowing electricity that is used every day. As its name suggests, it
simply sits there. A charge exists with static electricity but there is no
movement of electrons. This force can have effects on other materials that
surround the charged material. For example, a statically charged balloon will
stick to the wall for a short time. It doesn't stick for long because the
charge is soon lost through the wall itself.

     In the case of a battery, there is a constant pull which causes
electrons to flow from the negative terminal to the positive. There is a lack
of electrons at the positive terminal or an excess of electrons at the
negative terminal. This is created by a chemical reaction that involves the
movement of electrons. This movement of electrons is directed to the battery's
terminals where it can be used for whatever purpose you want. The pull on
the battery's terminals is called an electromotive force, or EMF. It is
measured in volts or V.

     There are three commonly used terms in simple electronics:

          - Current
          - Voltage
          - Resistance

     Current is a flow of electrons in a circuit, which is measured in
Amperes (Amps or A). Voltage is the force that pushes or pulls electrons
between two terminals, which is measured in Volts (V). Resistance is the
opposition to the movement of the electrons in a circuit, which is measured
in Ohms. Its symbol is the Greek letter Omega.

     Anyway, I hope you have learnt something from this, perhaps some new
terms or just for some catching up on the founding theory. I'll get into
something slightly more interesting next issue. Until then, have fun.

     Oh, and I don't guarantee that this information is 100% accurate either.
Don't go using this as a reference for physics tests or anything. :P


Modems - BlueFire

Modems got their name from putting two words together (Modulator and Demodulator). 
The sending modem "modulates" the digital data into a signal so it can be passed 
over the telephone network, then the receiving modem "demodulates" the signal back 
into digital data.

Modems are called "Data Communication Equipment" (DCE) and computers are called "Data 
Terminal Equipment" (DTE).

Computer        Modem       Telephone lines      Modem        Computer
         ______       --------------------------       _______
 (DTE)          (DCE)                            (DCE)         (DTE)

----= Telephone line and the Telco network
____= Cable between your modem and computer 

Between the computer (DTE) and the modem (DCE) a signalling standard is needed. The three main 
ones are: 
RS-232 (EIA/TIA-232)
HSSI(High-Speed Serial Interface)

RS-232 (EIA/TIA-232)
8 pins are used to connect the DTE-to-DCE For Data transfer, Flow control and modem 

For DB-25 the pins are:
Pin       Definition            Description                         
 2        transmits Data        DTE-to-DCE data transfer
 3        Receives Data         DCE-to-DTE data transfer
 4        Request to send       DTE signal buffer available
 5        Clear to send         DCE signal buffer available
 6        Data set ready        DCE is ready
 7        Signal ground
 8        Carrier detect        DCE senses Carrier
 20       Data Terminal ready   DTE is ready

When the DTE raises the voltage on Pin 4, the DTE is telling the DCE that it has buffer
space and to start sending data. When the DCE raises voltage on Pin 5, the DCE is 
telling the DTE that it can start sending data.

When the modem is turned on, voltage is raised on Pin 6 to tell the DTE that the DCE 
is available to send and receive data. When the computer is turned on and the drivers 
are loaded, voltage is raised on Pin 20 to tell the DCE the DTE is available to send and 
receive data. Pin 8 is controlled by the DCE and voltage is raised when it has established 
an acceptable carrier signal with a remote DCE.

Modem Modulation Standards
Modulation techniques determine how modems convert digital data into signals. 
An analog waveform can be modulated in terms of its amplitude (which is the height of the signal), 
its frequency, its phase (position of the sine waves), or a combination of these qualities.

The V.?? series modulation standards are used nowadays, but before the V.?? series there were the AT&T Bell 
103 and Bell 212A. But these supported the low speed of 300 bps(b. By altering the height 
(amplitude), frequency, and the phase (position) of analog waveforms, the V.?? series 
has higher speeds.

ITU-T Modulation Standards

Standard                            Maximum Transfer Rate
 V.22                               1200 bps
 V.22Bis                            2400 bps
 V.32                               9600 bps
 V.32Bis                            14,400 bps
 V.34                               28,800 bps
 V.34bis                            33,600 bps
 V.90                               56,000 bps

When modems initially connect (sometimes called the handshake), they agree on the highest 
standard transfer rate that both can achieve.

Modems can have a range of 300 bps to 56 Kbps. Most modems can adapt their transmission 
rate to meet the remote modem and the speed the local loop (the telephone line between you 
and the exchange) can support.

They do this by the modem first trying its highest rate and seeing if the remote modem talks 
back; if it doesn't, it lowers the rate and tries again.

Error Control and Data Compression
Data compression algorithms typically require an error-correction algorithm. Some of the 
many compression algorithms in use are V.42bis, MNP 5 and V.44; these three compression 
algorithms operate with the error correction algorithms LAPM and MNP 4.

Data compression depends on the type of file being transferred: a standard text file 
can be compressed by 50%, but compression algorithms can't compress a file well 
if it has already been compressed by software, which may lead to larger files needing to 

Hardware compression is a lot faster than software compression, so the modem should do 
the compression, not software.

Most people muck up the speed of the modem with the speed at which the computer talks 
to the modem.
DTE to DCE is how fast the computer communicates with the attached modem.
DCE to DCE is how fast the two modems communicate with each other over the telephone 

To get the full benefit out of your compression, the computer should be set to clock the modem 
at its fastest rate, to take advantage of compression.

  DTE                DCE                DCE          DTE
           ______         ------------       ______
Computer            Modem              Modem        Computer
       <------------>       28.8 kbps      <---------->
         115.2 Kbps   <------------------>  115.2 Kbps  

Part 2 to come later


Argus Telecommunications - Boris Grishenko

Argus Telecommunications is the telecommunications arm for the NSW State Railways. 
The government are trying to merge it back with the Rail Infrastructure Corporation 
(RIC), but at the moment, they exist as a separate entity. They supply and maintain 
the telecommunications network for the railway, which is becoming ever more complex.
Most of the information I have in this document is from a railway telephone directory 
from 1992, someone who works for Argus (who doesn't like saying anything, but will 
confirm what I already know), and someone who was contracted to Argus. While this is 
"slim pickings" it's better than knowing nothing at all.
The exchanges used by Argus (at least in 1992) were Ericsson M110s, and Philips 1200s. 
The Philips systems are actually over glorified PABXes. I found one scrap of information 
about the Philips systems, a Year 2000 compliance statement. It pretty much said that 
they weren't Year 2000 compliant.
As for the Ericsson switches, they are now called the Ericsson MD110. No wonder I 
couldn't find out any information about them. They did support call waiting and other 
advanced features, which was real news for 1992. Not even Telstra had this kind of 
capabilities at this time, even with the roll out of Ericsson AXE and Alcatel System 
12. The MD110 is also an over glorified PABX.
Now, the systems exist over an ATM backbone up each of the main lines. This document 
will mainly focus on my observations on the Blue Mountains line. This ATM backbone is 
probably capable of about 155Mbit/sec. Most of the traffic is digital camera data, 
from each station, which is piped into a head end in Sydney, and then into a 
monitoring room.
There are a few head ends up the lines, Katoomba has been mentioned to me, but 
there are enough Argus installations to sink a battleship. What to look for? The 
distinctive "Welcome to Argus Telecommunications" sign.
At major places, like Lithgow, Blackheath, and Lawson, there are actual "exchange" 
buildings. Other places, there are the "older" style huts, green, with concrete 
walls, and metal doors. These usually have a vent on the top, with a cage around 
it. There is also a demountable, also green, with two doors (one is a metal bar 
type). These are usually in their own compound. Then finally there are the green 
concrete huts with a "car port" over them, and an extraordinarily large air vent 
on the top.
These usually exist within 500metres of a station, so if you are looking, don't 
look too far. Usually the green hut types are near sectioning huts, which aren't 
always near the station. The demountable type has a guard around the bottom, so 
pesky people like phreaks can't get under there, and cut the cables. Trying to 
find the cables in a cable loom (in the ducts) would be nigh on impossible, and 
would be in the raw fibre/ ATM format, requiring fibre tools and an ATM switch. 
This is beyond the means of most phreaks, although, if you have the money, and 
time, I'm willing to try.
Onto the computers, I wasn't able to get the actual types out of my contacts, 
although I am trying. I do know, however, that Argus runs their own OS and 
software, and these are developed by the RIC at Lidcombe. To tell the truth, 
I wouldn't mind getting into this facility, and having a look through their 
computers and manuals. Perhaps I will release errata to this document, as 
more information comes to hand.
There are a few other exchanges and facilities in Sydney, namely, Petersham 
(an office if I recall correctly), Central Station (on the south side there 
is a large exchange, on the north side there is the monitoring room), and a 
few others, which my contacts did not explain to me.
My interest in Argus? When I was a kid, I was interested in trains. Now I've 
grown up, I'm interested in computers and phones (which have more a future 
than trains, which I am told are losing money every day). However, this allows 
me to combine two of my loves, even though I'm not that interested in trains 
anymore. Plus, their network interests me, how they've set it up, and 
maintained it. The software development place would be an absolute gem to 
visit, even if part of a TAFE course or something. I am told there are monitors 
there larger than I can imagine (I've seen a 21inch CRT in real life, that 
was pretty cool).
In conclusion, Argus are a company that have braved the tough Australian 
conditions, and come back with one hell of a network. They are doing quite 
well, even though they charge twice as much as most other government 
departments. And, even though they are probably working with primitive 
gear, they still maintain this network, and keep it running.
Argus would be one hell of a phreak/ hack opportunity. Their system is 
unique, and spread out over a physically large area. I haven't touched 
on the radio communications used by the railways, because I'm not sure 
if that falls under Argus. I would expect it would, but I don't have 
anyone in my family or friends who still work for the railways.

Boris Grishenko.


I have gained another contact in Argus, and had a good talk to him. 
Hopefully, I will find out more from him, as he seems quite talkative 
and knowledgeable. He gave me the impression that Argus workers are akin 
to line techies from Telstra. He also went on to say the ATM link that 
was installed had equipment from Siemens. "Their only big contract."
He used to work at the Central Exchange in Sydney for a period of time, 
back in the days when it was an actual crossbar system. (That same system 
is now used in computers, like SGI's Octane). He said that it took three 
semitrailer loads to take the old crossbar out.
The software development centre at Lidcombe isn't actually part of Argus. 
Apparently, it's a part of RIC, and they develop signalling system software 
there (and I don't mean SS7).
Argus also take care of the station Public Address systems, and the Digital 
Voice Announcement systems. There is a centralised control for the DVA, but 
most of the time, it plays automatic messages (waiting for the next train 
to Blue Mountains, and having the DVA say it's at the platform, when it's 
actually 5 minutes away, really pisses me off).


DTMF - Hector

 ║                                                                         ║
 ║                         Dual Tone Multiple Frequency                    ║
 ║                                                                         ║
 ║            A Guide to Understanding and Exploiting Australia's          ║
 ║              Most Common Telecommunications Signaling Method            ║
 ║                                                                         ║
 ║                Written by Hector of SCP December 10th 2003              ║
 ║                                                                         ║
 ║             Edited for 80 columns and DOS ASCII by Thrashbarg           ║
 ║                                                                         ║

    This text was written for the purpose of others who wish to further
  their knowledge on Australia's most common telecommunications signaling
  method - DTMF. Most Australian phreak enthusiasts who have little
  experience in the field of phreaking will find this text very useful.
  However a more experienced phreaker will most probably find that they
  know most of the information within this text. If this is the case,
  please do not complain to the author of this text, as it was intended for
  inexperienced phreakers who are only in the beginning stages of learning
  the art of phreaking. In this guide you will learn the basics of DTMF as
  well as more advanced and complex uses for DTMF.

    The information included in this text is in no way intended to be used
  to defy any laws of any sort. All topics covered in this text are for
  informational purposes only.

    In this article you will learn the basic and advanced uses of
  Australia's most common voice communications signaling method, DTMF.
  From basics of DTMF through to its advanced uses, you will learn some
  important information, exploits and flaws in the telephone system
  regarding DTMF.

    DTMF is the most common telecommunications signaling method used in
  Australia. DTMF stands for Dual Tone Multiple Frequency; it is used to
  send information through phone lines to and from your local exchange.
  Dual Tone Multiple Frequency (DTMF) is also known as Touch-tone, Tone
  Dialling, VF Signaling and MF Dialling.

    Each DTMF tone consists of two simultaneous tones (one from the high
  group and one from the low group), which are used to indicate which
  number or symbol you press on your telephone's keypad. For example if
  you press number 5 on your telephone's keypad, the tone you will hear
  is 1336hz and 770hz played simultaneously.

    DTMF is an extremely reliable signaling method used by all Australian
  telecommunications companies to receive information from their customers.
  Whenever a number is dialled on a home phone, office phone, public or
  private payphone, DTMF is decoded and used by certain equipment inside
  that particular area's local exchange to call the number you have
  dialled. DTMF tones travel through the Red and Green wires (or Blue and
  White) wires on your standard home and office telephone line, as do voice

    Dual Tone Multiple Frequency is the basis of voice communications
  control. Modern telephone circuits use DTMF to dial numbers, configure
  telephone exchanges (switchboards) from remote locations, program certain
  equipment and so on.

    Almost any mobile phone is capable of generating DTMF, providing a
  connection has already been established. This is for the use of phone
  banking; voicemail services and other DTMF controlled applications. If
  your mobile phone can not generate DTMF (or your home or office telephone
  uses Decadic Dialling (Pulse Dialling) you can use a standalone Tone
  Dialler or White Box, which you may or may not be able to find on the

    DTMF was designed so that it is possible to use acoustic transfer. The
  DTMF tones can be sent from a standard speaker and be received using a
  standard microphone (providing it is connected to a decoding circuit of
  some type).

    DTMF tones are simply two frequencies played simultaneously by a
  standard home phone/fax or mobile phone. Each key on your telephone's
  keypad has a unique frequency assigned to it. When any key is pressed on
  your telephone's keypad the circuit plays the corresponding DTMF tone
  and sends it to your local exchange for processing.

    DTMF tones can be imitated by using a White Box or Tone Dialler. It
  is also possible to record DTMF tones using a tape recorder or computer
  microphone, then played into the mouthpiece of your telephone to dial
  numbers. However if there is a significant amount of background sound
  behind the recorded DTMF tones, the tones may not work properly and cause
  problems when trying to dial numbers. You can also download DTMF tones
  via the S.C.P website in WAV or MP3 format.

    Below is a Dual Tone Multi Frequency (DTMF) map for a 4X4-matrix
  keypad, the map shows each unique frequency which is assigned to each
  key on a standard 4X4 telephone keypad. The frequencies are exactly the
  same for a 3X4 Matrix keypad, without the keys A, B, C and D.

     │ FREQUENCY │  1209hz   │  1336hz   │  1477hz   │  1633hz   │
     │   697hz   │     1     │     2     │     3     │     A     │
     │   770hz   │     4     │     5     │     6     │     B     │
     │   852hz   │     7     │     8     │     9     │     C     │
     │   941hz   │     *     │     0     │     #     │     D     │

    As you will notice this is not a standard keypad, this keypad has 4
  more keys than a standard keypad (3X4-matrix). The keys A, B, C and D
  are not commonly used on standard home phone/fax, office phone or
  payphone. Each of the keys A, B, C and D are system tones/codes and are
  mainly used to configure telephone exchanges or to perform other special
  functions at an exchange. For example, the corresponding tone/code
  assigned to the A key is used on some networks to move through various
  carriers (this function is prohibited by most carriers).

    When DTMF was created individual and unique frequencies were chosen so
  that it would be quite easy to design frequency filters, and so that the
  tones could easily pass through telephone lines (the maximum guaranteed
  bandwidth for a standard telephone line extends from around 300 Hz to
  3.5 kHz). DTMF was not intended for data transfer; it was designed for
  control signals only. With a standard DTMF encoder/decoder, it is
  possible to signal at a rate of around 10 tones/signals per second. A
  standard DTMF tone should always be played for at least 50ms with a
  further 50ms space duration for maximum reliability.


    Exploiting DTMF is a relatively easy task to accomplish.

    First of all some general knowledge about DTMF is required, as well
  as a device which will produce at least the 12 standard DTMF tones.
  Although a DTMF decoder is not always essential when performing simple
  DTMF exploits, it will save you a lot of time if DTMF decoding is
  required. If you are unable to obtain a Tone Dialler and you are also
  unable to build a White Box, it is possible to use a CD with each of
  the 12 or 16 DTMF tones assigned to each track, then played through a
  portable CD player. Another possible substitute for a DTMF producing
  device is a portable MP3 player used in the same manner as the CD method.

    Numbers which have been blocked from being dialled on a payphone (by
  the specific telecommunications company who owns the payphone) can be
  easily be bypassed with a simple DTMF exploit (so long as it is a
  software block and not blocked at the exchange level). When a number is
  blocked on a payphone the only thing that is preventing the payphone
  user from dialling that specific number is the payphone's software.
  This software can be easily bypassed by using a DTMF emitting device.
  For example, if the payphone which the user is using has the number
  1234567890 blocked from being dialled, you can bypass the payphone's
  software block by dialling 123, then with your DTMF emitting device dial
  the rest of the number (4567890). This should connect the payphone user
  to the blocked number, regardless of any software the payphone might
  have to prevent that specific number from being dialled.

    The theory behind this DTMF exploit procedure is that the lowest
  number prefix that is possible to be dialled from a payphone is three
  digits long. The most common payphone you will come across is the Telstra
  Smartphone. These specific payphones only enable the microphone
  (mouthpiece) to be used after 3 DTMF tones have been registered and
  decoded at the payphone's local exchange. After the third DTMF tone/signal
  has been played, the mouthpiece must be able to receive voice signals (and
  other signals such as DTMF) because if someone dialled 000, they would
  not be able to speak to the operator, because the microphone would be
  disabled. You are unable to use your DTMF emitting device to play the
  first three DTMF tones/signals because the Smartphone's microphone
  (mouthpiece) is disabled. To enable the Smartphone's mouthpiece you
  will need to dial the 3 DTMF tones via the payphone's keypad itself.
  Once the mouthpiece is enabled you are now able to send your DTMF
  tones/signals into the mouthpiece via your DTMF emitting device.

    Decoding DTMF is a relatively easy task to accomplish, providing you
  have access to DTMF decoding hardware and or software. DTMF tones are
  always used for entering PIN numbers, ID numbers and other similar
  personal information via a telephone keypad. All that is involved to gain
  a PIN number via DTMF is some general telephone social engineering skills
  and a DTMF decoder of some sort (hardware or Software), as well as a tape
  recorder or other audio recording device.

    First of all, to gain a PIN number using DTMF you will need to know
  what company or business the account holder (victim) is using and find
  out if the account can be accessed via a telephone. If you already know
  what business your victim has an account with, try to find a members
  access number with a login facility. For example, if you are attempting
  to gain a corresponding PIN number for a FAST (Field Access to Sultan
  Testing) ID number, the access number would be the number for FAST
  (not disclosed here for certain reasons). Dial the access number for the
  certain company in which your victim owns an account, then record the
  welcome message. If you do not think the welcome message is appropriate
  for your social engineer (which you will be performing to your victim),
  you should either edit the welcome message or use a good text to speech
  program. If you do use a Text to Speech program, try to make sure you
  use a program with an Australian accent (female voices sound more
  convincing and professional).

    Once you have successfully accomplished the above tasks you are now
  ready to begin your social engineer. Use a fake name in full (last name
  and first name), and make sure you tell your victim exactly what you
  want them to do, without stuttering or pausing in your speech. Try to
  make your voice sound as if you have already done this a million times
  and you are looking forward to it all being done with. Never ask straight
  out for your victim's PIN number. Make sure you always ask a couple of
  simple questions then play the recorded welcome message asking the
  customer to enter their PIN and or ID number, you will need to record
  the DTMF sequence your victim enters, this is for later decoding.

    Once your victim is done entering their personal information (in this
  case their FAST ID number and their corresponding PIN), either hang up if
  appropriate or begin to talk with them once again. The following script
  is an example of gaining a corresponding PIN for a FAST account.

    Ring Luke Gresham - Telstra Employee

    Victim: Hello, Luke speaking.

    Phreak: Good afternoon Luke, my name is George Bualic, I am one of
        Telstra's administrators for the FAST system. I have been scanning
        through some FAST access statistics and have found your ID number,
        34750086 has been experiencing some problems when attempting to
        login. Have you had any trouble accessing FAST?

    Victim: No

    Phreak: Ok, I will just need to perform some tests on our system to
        clear up some of these errors, would you be so kind as to enter
        the required information once I forward you through to our test

    Victim: Yeah, I guess that is ok.

    Phreak: Ok, thank you Luke.

    Play your edited FAST message. Example: Welcome to Telstra's FAST test
    facility, please enter your employee number followed by your PIN.

    Once your victim has entered the required information hang up.

    Now that you have recorded the previous tones your victim pressed, use
  your DTMF decoding hardware or software to decode the frequencies. Your
  DTMF decoding equipment or software should now display the digits your
  victim previously entered via his or her keypad in DTMF format, thus
  showing the PIN they had previously entered.

    There are multiple different DTMF sequences to program the same
  character; it depends on the equipment, system or application you are
  using and/or programming. For example, on a standard 3x4-matrix keypad
  the (1) key has no alphabetic value, only numeric, so no alphabetic
  characters can be programmed using the (1) key. The (2) key will usually
  have 4 different values, A, B, C and 2, whereas a differently designed
  keypad may have alphabetic values assigned to the (1) key, thus changing
  the alphabetic value of the (2) key.

    When programming alphanumeric characters with DTMF, the tones are most
  commonly repeated until the specific character is displayed on the LCD
  screen or other type of monitor. Then either * or # (depending on the
  DTMF receiving equipment) is used to enter the current character and
  begin to program the next. The * and # keys are used for entering
  characters and deleting characters; most commonly * is used for deleting
  and exiting and # is used for entering. Not all equipment, applications
  or systems use DTMF to program words; they also use DTMF strings as
  commands to perform certain functions on a system, application or piece
  of equipment. The table below shows the alphabetic values and functions
  assigned to each of the 12 standard numeric keys on a standard
  alphanumeric keypad.

   │ Key   │ Character      ║ Key   │ Character   ║ Key  │ Character     │
   │ 1     │ 1              ║ 2     │ A, B, C, 2  ║ 3    │ D, E, F, 3    │
   │ 4     │ G, H, I, 4     ║ 5     │ J, K, L, 5  ║ 6    │ M, N, O, 6    │
   │ 7     │ P, Q, R, S, 7  ║ 8     │ T, U, V, 8  ║ 9    │ W, X, Y, Z, 9 │
   │ *     │ (Clear)        ║ 0     │ (Zero)      ║ #    │ (Enter)       │

    Note: This is the most common layout of an alphanumeric keypad. There
  are many different variations of keypads but generally all DTMF
  programming software and hardware run under the same principles. On this
  specific design of alphanumeric keypad the DTMF sequence to type the
  letters DTMF is 3#8#6#333#. To type the word PHREAK, the DTMF sequence
  is 7#44#777#33#2#55#.

    The table below shows each standard DTMF sequence and the assigned
  alphanumeric values and functions of each tone and tone sequence.

    │ DTMF Sequence │   Alphanumeric Character  │
    │               │        or Function        │
    │ 0             │       0                   │
    │ 1             │       1                   │
    │ 2222          │       2                   │
    │ 3333          │       3                   │
    │ 4444          │       4                   │
    │ 5555          │       5                   │
    │ 6666          │       6                   │
    │ 77777         │       7                   │
    │ 8888          │       8                   │
    │ 99999         │       9                   │
    │ 2             │       A                   │
    │ 22            │       B                   │
    │ 222           │       C                   │
    │ 3             │       D                   │
    │ 33            │       E                   │
    │ 333           │       F                   │
    │ 4             │       G                   │
    │ 44            │       H                   │
    │ 444           │       I                   │
    │ 5             │       J                   │
    │ 55            │       K                   │
    │ 555           │       L                   │
    │ 6             │       M                   │
    │ 66            │       N                   │
    │ 666           │       O                   │
    │ 7             │       P                   │
    │ 77            │       Q                   │
    │ 777           │       R                   │
    │ 7777          │       S                   │
    │ 8             │       T                   │
    │ 88            │       U                   │
    │ 888           │       V                   │
    │ 9             │       W                   │
    │ 99            │       X                   │
    │ 999           │       Y                   │
    │ 9999          │       Z                   │
    │ *             │ Clear, Reset, Back,       │
    │               │ Exit (equipment varies)   │
    │ #             │ Enter, Ok, Next           │
    │               │ (equipment varies)        │
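    The multi-tap text entry described by the two tables above, as an added
  example (not code from the zine): an encoder that turns text into the key
  sequence for this keypad layout and a decoder that reconstructs text from a
  recorded key stream, including the '*' Clear behaviour. The key map is
  constructed from the page's table; the wrap-around on extra presses is an
  assumption, since the text notes that equipment varies.

```python
"""Multi-tap DTMF text entry for the 12-key alphanumeric layout above.

Added example, not from the original zine. Each character is spelled by
repeating a key the listed number of times; '#' enters the character and
'*' clears the character being typed, as in the page's tables.
"""

# Characters reachable from each key, in press order. The key's own digit
# comes last, so '2' needs four presses and '7' needs five (constructed
# from the page's second table, e.g. 'S' = 7777, '7' = 77777).
KEYMAP = {
    "0": "0",
    "1": "1",
    "2": "ABC2",
    "3": "DEF3",
    "4": "GHI4",
    "5": "JKL5",
    "6": "MNO6",
    "7": "PQRS7",
    "8": "TUV8",
    "9": "WXYZ9",
}

# Reverse map: character -> key presses (without the terminating '#').
SEQUENCE = {
    ch: key * (i + 1)
    for key, chars in KEYMAP.items()
    for i, ch in enumerate(chars)
}


def encode(text):
    """Return the key sequence that spells `text` on this layout.

    Every character is followed by '#' (Enter), matching the page's
    example of 'DTMF' -> '3#8#6#333#'. Letters are case-insensitive.
    """
    out = []
    for ch in text.upper():
        if ch not in SEQUENCE:
            raise ValueError("no key sequence for %r on this keypad" % ch)
        out.append(SEQUENCE[ch] + "#")
    return "".join(out)


def decode(keys):
    """Reconstruct text from a recorded stream of key presses.

    '*' discards the character being typed (Clear). Pressing a key more
    times than it has characters wraps around (assumption: equipment
    varies). Changing key without a '#' in between is an error, since
    this layout uses '#' as the character separator.
    """
    text = []
    current_key = None
    presses = 0
    for k in keys:
        if k == "#":
            if current_key is not None:
                chars = KEYMAP[current_key]
                text.append(chars[(presses - 1) % len(chars)])
            current_key, presses = None, 0
        elif k == "*":
            current_key, presses = None, 0
        elif k in KEYMAP:
            if current_key not in (None, k):
                raise ValueError(
                    "key changed from %s to %s without '#'" % (current_key, k))
            current_key, presses = k, presses + 1
        else:
            raise ValueError("unexpected key %r" % k)
    return "".join(text)
```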

    Before DTMF was created, telephone networks used a dialling system
  called Decadic (also known as Pulse Dial). The Decadic system was used
  extensively in modern telephone networks to dial numbers, which were
  entered by the telephone companies' users. The Decadic (Pulse Dialling)
  system used a series of clicks (which could be heard through the speaker
  of the phone) to dial the numbers, which were dialled via a keypad or
  rotary dial. The clicking sounds were actually the phone line being
  connected, disconnected, and reconnected again in a certain pattern. The
  Decadic (Pulse Dialling) system was very useful, but was limited to the
  local exchange connections, requiring an operator to connect long
  distance calls.

    In the late 1950s, DTMF was being developed at Bell Labs for the
  purpose of allowing tone signals to dial long distance numbers, which
  could potentially be dialled not only via standard wire networks, but
  also via radio links and/or satellites.

    DTMF was being developed for the future of electronic telecommunications
  switching systems, as opposed to the mechanical crossbar systems, which
  were in use at the time. After DTMF was created, there was no point in
  continuing with Decadic dialling; it made no sense to keep using that
  particular dialling system in the equipment circuits which the telephone
  exchanges were using at the time. Plans were then made to begin the
  manufacture of DTMF controlled switching systems in the communications
  exchanges, and later standard customer owned telephones were upgraded to
  DTMF circuits rather than Decadic (Pulse Dial). After various tests were
  performed on the DTMF system throughout the 1960s (when DTMF became known
  as Touch-Tone), DTMF was made official, and was then used as the main
  telecommunications dialling and switching system, and remains that way to
  this day.

    Throughout this text, technical language and acronyms were used to
  specify certain equipment and types of systems. The acronym and technical
  language definitions below are provided to aid understanding of the
  technical language and acronyms used in this text.

 │ Acronym   │ Meaning                                                      │
 │ DTMF      │ Dual Tone Multiple Frequency                                 │
 │ FAST      │ Field Access to Sultan Testing                               │
 │ ID        │ Identification                                               │
 │ MF        │ Multiple Frequency                                           │
 │ PIN       │ Personal Identification Number                               │
 │ VF        │ Voice Frequency                                              │

 │Technical Term    │Definition                                             │
 │ Acoustic         │The sending of DTMF tones/signals from a standard      │
 │ Transfer         │speaker to a standard telephone or decoder microphone. │
 │ Carrier          │A company that offers telecommunications services      │
 │                  │either interstate or internationally via a telephone   │
 │                  │network.                                               │
 │ Decadic          │The dialling and switching system used by              │
 │                  │telecommunications companies prior to Dual Tone        │
 │                  │Multiple Frequency.                                    │
 │ Decode           │To visually see the corresponding digits assigned to   │
 │                  │each unique frequency via a decoder circuit of some    │
 │                  │sort.                                                  │
 │ Encoder          │A specific piece of hardware or software, which is     │
 │                  │used to play the unique frequencies assigned to each   │
 │                  │of the keys on a telephone's keypad.                   │
 │ Exploit          │A way of bypassing and/or breaching some kind of       │
 │                  │security, which has been intentionally put in place by │
 │                  │someone else.                                          │
 │ Flaw             │A security hole in a specific system or application,   │
 │                  │which is a fault in the equipment, application or      │
 │                  │system.                                                │
 │ Frequency        │The number of cycles, oscillations or vibrations of a  │
 │                  │wave motion or oscillation which is measured in unit   │
 │                  │time.                                                  │
 │ Keypad           │A device consisting of the 12 or 16 standard           │
 │                  │alphanumeric keys, which is part of a telephone's      │
 │                  │dialling mechanism.                                    │
 │ Phreak           │One who studies and exploits telephone systems and     │
 │                  │networks to further their knowledge of its workings.   │
 │ Pulse Dial       │The non-technical term for Decadic, a system where     │
 │                  │numbers are dialled by connecting, disconnecting, then │
 │                  │reconnecting the phone line.                           │
 │ Rotary Dial      │The dialling mechanism used prior to keypads. A Rotary │
 │                  │Dial is a circular piece of plastic, which is turned   │
 │                  │by your fingers to dial numbers.                       │
 │ Social           │The art of tricking certain people (in this case,      │
 │ Engineering      │Telstra employees) into doing something they would not │
 │                  │usually do.                                            │
 │ Tone Dialler     │A standard handheld DTMF producing device, which is    │
 │                  │used to control applications and equipment remotely    │
 │                  │using acoustic transfer.                               │
 │ Touch-Tone       │The name given to the DTMF system in the 1960s,        │
 │                  │Touch-Tone is the non-technical name for Dual Tone     │
 │                  │Multiple Frequency.                                    │
 │ White Box        │The name given to a homemade Tone Dialler, a White Box │
 │                  │is used in exactly the same way as a standard Tone     │
 │                  │Dialler.                                               │


Ethics - Hector (edited by Boris Grishenko)

S.C.P has very strong beliefs that knowledge can be found and acquired without 
any malicious behavior whatsoever. Respect for Telco employees should always 
be shown. You may lie to and social engineer a telco employee without doing any 
damage to his / her job or reputation in the process.
Trashing is stealing, but it is stealing rubbish - papers and devices which 
others do not wish to keep any longer. When you trash you are trespassing on 
private property, but if you think about it, what harm are you doing?
Care should always be taken when beige boxing so as to not cut any lines. Beige 
boxing is an important part of phreaking, however, you do not have to use your 
Beige Box to charge a random person for your calls, if you are using a line which 
belongs to a random person only dial toll free numbers (1800s). Remember these 
people are just people - with jobs and a family to look after. Try to use your 
Beige Box on a payphone line if you are wanting a free call and not a random 
person's line.
Never endanger a telco employee in any way. You must never physically or verbally 
abuse a telco employee because of something you do not like about the company they 
are a part of. Remember they are just doing their job.

The S.C.P Code.
1) Telephone lines must never be cut under any circumstances while beige boxing.
2) You must never vandalise any telecommunications equipment, payphones or anything 
else which belongs to a telco company.
3) You must never do anything to discredit the reputation of Australian phreakers 
by doing anything which is inappropriate - e.g. vandalism.
4) Phreaking is not anarchy, phreaking is an art learned by those with a particular 
interest in the workings of telephone systems and finding exploits and holes.
5) An S.C.P member must never use their skills to make profit of any kind, whether 
it be at their own expense or another's.
6) Try your best to leave everything to look as if it has been untouched - e.g. 
exchange bin, cables after beige boxing.

These are all very good ethics. As Hector mentioned, phreaking is an art, learned
and perfected after many years of study and experimentation. I *ALWAYS* show respect
for the gear that I phreak from, or break into. And you should too. Without the 
telephone network, how would you talk to your mate down the road? Or across the world?
You take it for granted that the telephone system is there for you, a modern miracle.
Now, why should you deny someone's right to use the network, by cutting their line,
or running up their phone bill?
I've been asked by a number of people "why haven't you smashed up the GSM base station
at TAFE?" I was disgusted. Sure, it isn't mine, but I treat it like it is. You do not
learn by smashing the shit out of something. And how am I supposed to learn about
hacking SMSCs like I want to, if someone else takes to it with a sledgehammer? Phreak
to learn, because this is the essence of phreaking.
Sure, the free calls are nice. So is the free SMS. But wishing and hoping for another
straw trick and smashing up random bits of telco equipment in the meantime? This isn't
phreaking, and if you're one of these people, go away. We don't want you. Respect is the
key word. The authorities and telco companies believe we don't have respect. But like
any group, there is always a small few who try to bring down the whole house.
Practice moderation. If you start running up calls to 1900/1902 numbers on someone's line
how are they expected to pay it? You know you wouldn't like it, so why do it to someone
else, someone you probably don't even know.
I'm not trying to sound all preachy and shit. I'm just helping lay down the ground rules
for our exciting hobby. Or, for some of us, our life. So yes, phreak, but please,


Networking - Shyft

What is networking?

Networking is basically connecting two or more computers so they can communicate, share 
internet connections, applications, printers, etc. In this tutorial I will be explaining 
what equipment you need and how to put it all together. This is designed to be a beginner's 
guide, so if you've ever set up a network there will be nothing new for you.


NIC (network interface card)
A network card allows you to plug a network cable (see below) into your computer. 
Every computer you want to have on the network needs a NIC. Some motherboards have onboard 
NICs, so if you have this then you don't need a NIC. They are pretty damn cheap and they 
plug straight into a PCI slot on your motherboard. NICs are rated at how fast they can 
transmit/receive data. 10 means 10 Mbits/sec, 10/100 means it's compatible with 10 and 
100 Mbits/sec networks.

You need one cable per computer. There are many different types of cables available but 
I suggest using Cat5e. This cable will support 10 and 100 Mbit LANs. There are two 
different types of Cat5e. They are straight through and crossover. A crossover cable is 
used to connect only two computers. A straight through cable is used to connect a computer 
to a hub or switch (see below).

Hubs and switches are devices that allow a lot of computers to communicate at once. The 
only difference between a hub and a switch is that a hub shares bandwidth and a switch 
dedicates bandwidth. This means that if you have a 100 Mbit hub with 5 computers connected 
to it, then each computer will get 20 Mbit/sec bandwidth. On the other hand with a 100 Mbit 
switch with 5 computers connected, each computer will have 100 Mbit/sec bandwidth. Hubs 
are pretty much obsolete nowadays and you can pick up an 8 port switch really cheap.


Now that you have all your equipment it's time to put it all together. This is extremely 
easy. First you put your NIC into your computer. If you don't know how to put a card onto 
the motherboard, find someone who does. Next, if you are using a crossover cable for only 
2 computers you simply plug one end of the cable into one NIC and the other end into 
the other NIC. If you are using 2 or more computers and a hub or switch, just plug a cable 
from the NIC to one of the hub/switch ports. Do this for every computer.

Well that's pretty much it. A LAN at home is pretty cheap and simple. Although I will make 
a note here. At this point your network will NOT be working because configuration of the 
software side still needs to be done. Stay posted for my next tutorial, which will be 
configuring a network using Windows 2000.


SS7 Speech - Boris Grishenko


My name is Boris Grishenko. I am the leader of a group known as EMHi Research and Development.
We operate in the Sydney and Blue Mountains areas. Our main focus is programming and
development of software. We have a few members, and hope to get some more. We are all phreaks,
and hackers of sorts. Our common interests are what links us together.
Why am I so qualified to talk about SS7? Because I have been studying the subject for about a
year now, and wish to get right into it, if my mother gives me the money she owes me. I have an
interest in OpenSS7, and HP's OpenCall. These are switching platforms.

What is SS7?

SS7, or Signalling System 7, is a relatively new development in the world of telephony. It has
been around for almost 15 years in one form or another. It is a switching system, which uses
"out of band" signalling. This is opposed to the older CCITT signalling that used "in band"
signalling. Since the signalling was in band, it could be easily phreaked, and was easily
phreaked. This is where the Blue Box came in.
Although more expensive to implement, SS7 has the benefits of using the out of band signalling.
This means you can't blow a 2600Hz tone, and drop onto the carrier. As the world converges into
the digital age, the line between hacking and phreaking is becoming more and more blurred.
Practically everything on a telephone network that you can think of hangs off SS7, including
SMSCs, exchanges, and other network elements. They communicate to each other using X25 links.
For reference, X25 is a packet switching system, akin to the internet, but much harder to use.
You don't have URLs on X25! X25 was introduced in the 70s, and a lot of the Telstra core systems
hang off it. The core systems are mostly HP9000s and IBM RS6000s.

Network Elements

There are many network elements in SS7. I've described some, and will go into detail in this
section. I've heard this described as an Acronym Intensive Network, which is what it is.
The SSP, or Service Switching Point, is your basic, butt ugly exchange. These are usually
Ericsson AXE, although I have heard of Alcatel System 12 exchanges too. I'm not really
familiar with the Alcatel ones, but I know a little bit about AXE. I was lucky to find a file
that kind of describes the interior layout of an AXE exchange.
The STP, or Signaling Transfer Point, is the next step up. These control the exchanges. They
make sure that the links are made between exchanges, in the correct order, and make sure calls
go through. They are akin to a router. The data links, as described earlier, take place on a 
different circuit to the voice links, so trying to phreak from your phone line is impossible.
The SCP, or Service Control Point, is the database servers for the IN, or Intelligent
Network. I expect this is where billing is recorded, and sent out from. Other nice things,
like whom you called, how long you were on the phone, and what colour your toilet is would
be recorded in this. If you were looking to modify data on a person's link status, such as
upgrading your phone line service from incoming calls only, to full link, then this is where
you would attack.
The SMS, not to be confused with Short Message Service, is the Service Management System. I
expect this to be a mainframe, with a bunch of terminals hooked up to it. It controls,
updates and otherwise maintains the Intelligent Network. It would be from here that the commands
to update status of phone lines would be issued.
The references I have don't go into mobile phone switching. It is a whole new ballgame, having
such network elements as the SMSC, the Short Message Service Centre, the HLR, the Home Location
Register, and other database type elements.

So how would I phreak the SS7 Network?

Well, Telstra have a X25 network that I have heard referred to as the CDN, or the Corporate Data
Network. This was in a document I have about security in exchanges, and how the security system
interacts with some Digital Equipment Corporation VAX servers. Apart from that, there is no 
information. Then again, there isn't much information about Transcend, the banks X25 network,
but I do know it exists.
To phreak the SS7 network, you would need to hack into the CDN, get the right core server that
you want, and I bet there's quite a few, and make the changes from there. In theory, you could
make it that whole exchanges get free phone calls until Telstra get wise, and stop it.
The phreaking, or hacking, if you will, of the SS7 network will give you more power than the
blue boxers of the olden days. They were restricted to the limitations of the networks of the
time. Now we have an increasingly complex telephone system, with more and more options and
features being added every day.
For example, the "101" service, it is an intelligent service, run on a few database servers 
in the core systems. This pretty much made the answering machine redundant, and it's being
offered free to Telstra subscribers. I'm with AAPT, and haven't used it, so I don't know how
it works. I just know it's a recent example of an intelligent service.
Other intelligent services are things such as *10#. This is a nifty little program that I use 
a lot. As long as it isn't my mother calling, I pretty much know who's calling. It's almost
essential now, and you wonder how you got along without it. All these services and features
are programs being run on exchanges and the core servers.


Now you know a little about the SS7 network. I hope you found this interesting and informative.
If you have any more questions, I'll be happy to answer them later on, or on the board after
this meeting. And I hope it inspires you to go out and do something about this new generation
in phreaking. Even if you try something like OpenSS7 on a Linux box, and muck around with that,
which is exactly what I'm going to do until I get my hands on a copy of OpenCall.
Until the next time gentlemen...
Without practice one cannot prove; without proof one cannot be trusted; without trust one cannot be respected.
