The THC Hack/Phreak Archives: PH28.TXT (173 lines)
Note: I did not write any of these textfiles.  They are being posted from
the archive as a public service only - any copyrights belong to the
authors.  See the footer for important information.
==========================================================================
                               HACK AND PHREAK
                               =-=-=-=-=-=-=-=
                                   FILE #4

                                BY: THE HYAENA

                      P/C/P -- PERFECTLY CRUMMY PIRATES

          NO PARTICULAR NAME ][   416-480-1377   9600 BAUD   50 MEGS
          PANDEMONIUM GS          416-273-7619   9600 BAUD   60 MEGS


PLEASE BE CAREFUL WHO YOU GIVE THIS FILE TOO...

OK LET'S GO INTO SOME BOXING NOW, WELL THE ONE THAT SEEMS THE MOST INTERESTING
TO ME IS THE SILVER BOX, SO I'LL TELL YOU EXACTLY HOW TO BUILD A SILVER BOX
AND WHAT YOU CAN USE IT FOR, BUT FIRST I GUESS I SHOULD TELL YOU A LITTLE BIT
ABOUT THE HISTORY OF THIS BOX.

WELL, ONE DAY SOME ENGINEER OVER AT BELL LABS GOT THE BRIGHT IDEA TO SING TO
HIS COMPUTER AND FOUND OUT THAT THE COMPUTER RESPONDED BY DIALING A PHONE
NUMBER, WELL SORT OF.  ANYWAYS, WITH THAT THE 10 DIGIT TOUCH TONE PAD WAS
BORN, THE OLD TYPE WITH THE # AND * BLOCKED OUT.  BUT OF COURSE 2 SETS OF
PEOPLE DECIDED THAT 10 BUTTONS (NOW 12, WITH THE # AND *) JUST WASN'T ENOUGH.
THEY NEEDED MORE.  THE 2 PEOPLE THAT I AM TALKING ABOUT ARE MA BELL AND PA
AUTOVON (THE MILITARY PHONE NETWORK).  WELL MA BELL THEN DECIDED TO ADD AN
EXTRA COLUMN TO HER PHONES WITH A 1633 HZ TONE, TO PROVIDE THE MYSTICAL DTMF.
THESE IMAGINATE PEOPLE AT BELL NAMED THESE NEW BUTTONS A, B, C, AND D, WHILE
THE ARMY NAMED THEM FLASH, FLASH OVERRIDE, PRIORITY, AND PRIORITY OVERRIDE.
THE MILITARY USES THESE AS VARYING DEGREES OF PRIORITY DURING WARTIME (AND
WARGAME) ACTIVITIES, SO GENERALS CAN CALL THEIR SECRETARIES VERY QUICKLY.
HOWEVER, I'M NOT SO CLEAR OF BELL'S USES OF THESE 4 NEW BUTTONS.  BUT THE LAST
BUTTON D, HAS AN INTERESTING PROPERTY.  ON ABOUT 50% OF THE INFORMATION LINES,
IT WILL GIVE YOU A PULSING DIAL TONE, AND YOU CAN THEN ENTER COMMANDS TO WHAT
APPEARS TO BE A TEST SYSTEM FOR 4A BOXES.  WELL THAT'S ALL I GOT TO SAY ABOUT
THE HISTORY, SO ON WITH THE BUILDING OF A SILVER BOX.

I HOPE YOU KNOW HOW TO SOLDER, OTHERWISE YOU COULD PERMANTLY DAMAGE YOUR
PHONE.
YOU WILL NEED THE FOLLOWING:
3 1-2 FEET LENGTHS OF WIRE
1 SINGLE POLE/DOUBLE THROW (SPDT) SWITCH, THE SMALLEST THAT YOU CAN FIND.
1 STANDARD TELEPHONE
YOU WILL ALSO NEED A SOLDERING IRON, SOLDER, FLAT-TIP SCREWDRIVER AND VERY
STEADY HANDS.

FIRST UNSCREW THE TWO LARGE SCREWS ON THE BASE OF YOUR PHONE.  NOW TAKE THE
COVER OFF AND PLACE IT, ALONG WITH THE SCREWS, IN A SAFE PLACE.  NOW YOU HAVE
TO LOOSEN (DO NOT REMOVE) THE SCREWS THAT ARE ON THE SIDE OF THE TOUCH TONE
KEY PAD.  THESE SCREWS IF YOU DON'T KNOW ARE ATTACHED TO THE MOUNTING
BRACKETS.  CAREFULLY REMOVE THE PAD FROM IT'S BRACKETS, MAKE SURE AS NOT TO
RIP THE WIRES.  YOU WILL NOTICE A PLASTIC COVER ON THE PAD.  SEPERATE THESE
TWO HALVES AND GET THEM OUT OF YOUR WAY BY MOVING THEM DOWN THE WIRE HARNESS
THAT GOES THROUGH THEM, BEING CAREFUL NOT TO DESTROY THEM.  NOW TAKE A LOOK AT
THE TOP OF THE PAD, SO THAT THE 123 ROW IS FACING AWAY, AND THE *0# ROW IS
TOWARDS YOU.  NOW TURN OVER THE PAD AND YOU SHOULD SEE A BUNCH OF WIRES, GOLD
PLATED CONTACTS (YES, IT'S REAL GOLD), DISCRETE COMPONENTS, AND TWO LARGE,
BLACK, DOUGHNUT SHAPED THINGS.  THESE ARE THE COILS THAT GENERATE THE
FREQUENCIES.  SINCE MA BELL WAS ALWAYS ONE FOR STANDARDS, ALL THE COILS THAT
SHE MANUFACTURES ARE CAPABLE OF GENERATING ALL 4 PRIMARY TONES, OF WHICH SHE
ONLY GIVES YOU CONNECTIONS TO THREE OF THEM.  YOUR JOB IS TO MAKE THE
CONNECTION TO THE FOURTH, AND MAKE THE THIRD COLUMN OF KEYS BANK SWITCHED
BETWEEN NORMAL AND FOURTH ROW.  CUT THREE LENGTHS OF WIRE.  EACH WIRE SHOULD
BE ABOUT 1 TO 2 FEET LONG, IT IS ALWAYS BETTER TO CUT THEM A LITTLE LONGER
JUST IN CASE.  LOOK AT THE COIL ON THE LEFT, WITH THE 5 SOLDER CONTACTS FACING
YOU, RATHER THAN BEING PERPENDICULAR TO YOU.  COUNT OVER 4 CONTACT FROM THE
LEFT OR 2 FROM THE RIGHT, IT DOESN'T REALLY MATTER, AND SOLDER A WIRE TO THE
FOURTH POST FROM THE LEFT.  THIS IS THE 1633 HZ OUTPUT.  SOLDER THE OTHER END
OF THIS WIRE TO THE LEFT POLE OF THE SMALLEST SPDT SWITCH THAT YOU CAN FIND.
NOW TAKE A LOOK AT THE BOTTOM EDGE OF THE KEYPAD.  YOU SHOULD SEE A ROW OF
GOLD PLATED CONTACTS TO THE RIGHT OF 2 VERY LARGE CAPACITORS.  LOOK AT THE ONE
ON THE LEFT, THIS ONE CONTROLS THE RIGHT MOST BANK OF KEYS ON THE PHONE.
GENTLY SEPERATE THE TWO TOUCHING CONNECTORS, WHICH ARE SOLDERED TOGETHER WITH
A DROP OF SOLDER, AND SPREAD THEM APPART.  SOLDER ANOTHER WIRE TO THE TOP
CONTACT, THE ONE THAT IS FURTHEST FROM YOU, AND SOLDER THE OTHER END TO THE
RIGHT POLE OF THE SPDT.  NOW TAKE THE LAST WIRE AND SOLDER IT TO THE BOTTOM
CONTACT, THAT IS CLOSEST TO YOU AND SOLDER THE OTHER END OF THIS WIRE TO THE
CENTER POLE OF THE SPDT.  YOU HAVE NOW FINISHED ALL OF THE MODICATIONS TO THE
PHONE.  WHEN THE SWITCH IS IN ONE POSITION, YOU WILL GET NORMAL TONES, AND
WHEN IT IS IN THE OTHER POSITION, YOU WILL GET 1633 HZ TONES, USING THE 3, 6,
9, AND # KEYS.  IF YOU WANT TO MAKE THINGS NEAT, YOU CAN PASS THE THREE WIRES
THROUGH THE PLASTIC COVER AND IN THROUGH THE GAP IN THE CASE OF YOUR PHONE
UNDER THE PLACE WHERE YOU HANG IT UP.  NOW SOLDER THE WIRES TO THE SWITCH IN
THE PROPER PLACES, AND YOU CAN NOW GLUE THE SWITCH TO THE WALL ON THE INSIDE
OF THE SMALL ALCOVE IN THE PHONE AFTER TAKING THE SLACK WIRE BACK INTO THE
PHONE.  MAKE SURE THAT YOUR PHONE IS BACK TOGETHER AND YOU NOW HAVE MADE A
SILVER BOX.
NOW CALL DIRECTORY ASSISTANCE USING NORMAL TONES, XXX-555-1212, AND QUICKLY
SWITCH TO 1633 AND PRESS DOWN THE THE # KEY (WHICH NOW IS REPRESENTING THE D
KEY).  IF YOU ARE ON AN OLD SWITCHBOX (4A), YOU WILL GET A PULSING DIAL TONE.
YOU CAN THEN SWITCH BACK TO NORMAL AND TRY DIALING DIFFERENT NUMBERS.  TWO OF
THE MOST INTERESTING ARE 6 AND 7.  THESE OFTEN FORM A LOOP-AROUND TYPE
CONNECTION, AND TWO PEOPLE CAN CALL IN, ONE USING 6 AND THE OTHER USING 7 AND
TALK IN THIS MANNER.
ONE LAST NOTE IS THAT YOU WILL NOT RECIEVE A PULSING TONE UNTIL THE OPERATOR
ACTUALLY PICKS UP ON THE LINE.  IF YOU HEAR RINGING, KEEP PRESSING.  THE TONE
MUST BE ON AT THE SAME TIME AS THE OPERATOR GIVES HER BEEP.  IF YOU HEAR THE
OPERATOR CURSING ABOUT PEOPLE WITH STUCK BUTTONS, ODDS ARE THAT THIS ONE
DOESN'T WORK, SO TRY A DIFFERENT AREA CODE.
OH AND I FORGOT TO MENTION THAT THE C KEY MESSES UP THE BILLING TIMERS ON
INTERNATIONAL CALLS.

HOW TO DOWN A BBS.  DOWNING A BBS, ESPECIALLY ONE THAT IS ONLY RUN ON 2
DRIVES, IS THE MOST EASIEST THING TO DO,  ALL YOU HAVE TO DO IS FILL UP THE
DRIVES, BY SENDING MAIL, POSTING MESSAGES, UPLOADING, CONTINUALLY LOGGING ON
AS A NEW USER, OR ANY OTHER METHODS THAT WRITES ADDITIONAL DATA TO THE
SYSTEM'S DRIVES.  WITH GBBS "PRO" THIS IS ESPECIALLY EASY, ALL YOU HAVE TO DO
IS SEND BULK MAIL TO EVERYBODY, AND THAT WILL QUICKLY FILL UP THE DRIVES.

THE SAME THING APPLIES TO AN AE-LINE, ALL YOU HAVE TO DO AS IN DOWNING A BBS,
IS FILL UP THE DRIVES, BUT IN AN AE'S CASE, YOU HAVE TO FILL UP THE FIRST
DRIVE, WHICH IS USUALLY S6, D1.  JUST CHECK OUT HOW MANY FREE SECTORS THERE
ARE ON THE FIRST DRIVE/VOLUME AND THEN UPLOAD SOMETHING THAT IS GREATER THAN
THE FREE SPACE, NOW WHEN THE NEXT PERSON CALLS, THERE WON'T BE ANY ROOM TO
WRITE THE PERSON IN THE LOG.

HERE ARE A FEW MORE DATAPAC ADDRESSES...

100050 = SDC SEARCH SERVICE
123426325915900 = UNIVERSITY OF N.E.
13106 = TYMNET
13106,DELPHI = DELPHI
13110060700012 = CORNELL UNIVERSITY
131102010002414 = NEW YORK TIMES INFO II
13110202200202 = COMPUSERVE
1311020600050 = UNIVERSITY OF WASH-CYBER
1311020600051 = UNIVERSITY OF WASH-LOCKE

HERE'S ANOTHER STRANGE NUMBER...416-857-1674
IT HAS A RECORDED MESSAGE, BUT I DON'T KNOW WHAT IT MEANS, AND IT'S ALWAYS THE
SAME.  I WON'T TELL YOU WHAT IT SAYS, JUST GIVE IT A RING IF YOU WANT TO
LISTEN TO IT.

HERE'S JUST ONE OF THE WAYS TO TEST IF YOUR PHONE HAS BEEN BUGGED.
FIRST YOU DISCONNECT THE PHONE LINE(S) AT BOTH ENDS.  THEN UNDO THE PHONE
INSTRUMENT AND HOOK IT UP TO THE ENTRY POINT OF THE PHONE LINE FROM THE
OUTSIDE WORLD.  THE PLAN IS TO PHYSICALLY ISOLATE YOUR HOME FROM THE OUTSIDE
WORLD, WHICH OF COURSE MA BELL DOES NOT LIKE, BECUASE SHE IS NOW COMPLETELY
CUT OFF FROM YOUR HOME.  BUT BEFORE YOU DO THIS, YOU SHOULD MEASURE THE LINE
VOLTAGE, WHICH SHOULD BE APPROXIMATELY 48 VOLTS.  NOW WITH THE WIRES
DISCONNECTED AT BOTH ENDS, SET YOUR RESISTANCE SCALE TO A HIGH READING AND
MEASURE THE RESISTANCE OF YOUR PHONE LINE.  IT SHOULD BE VERY HIGH, LIKE A
MILLION OHMS OR MORE.  THIS IS A NORMAL CONDITION SINCE YOU ARE MEASURING THE
RESISTANCE OF AN OPEN CIRCUIT.  IF IT IS MUCH LESS, LIKE 50000 TO 100000 OHMS
THEN YOU HAVE A DEVICE ON THE LINE THAT DOES NOT BELONG THERE, PROBABLY A
PARALLEL BUG.  NOW TWIST THE END OF THE DISCONNECTED WIRE AND GO TO THE OTHER
END AND MEASURE THE RESISTANCE OF THIS.  THE RESISTANCE SHOULD BE ABOUT 1 OHM,
OR 2 OHMS AT THE MOST IF YOU HAVE A BIG HOUSE WITH A LOT OF PHONES.  IF IT IS
MORE, THEN YOU PROBABLY HAVE A SERIES BUG.  IF IN THE FIRST CASE, TAKING
PARALLEL MEASUREMENTS USING A LCD METER, NOT LED, YOU NOTICE A KICK IN THE
NEEDLE, YOU PROBABLY HAVE A LINE TAP.  NOW IF YOU ALSO MAKE A MEASUREMENT
WITHT HE WIRE END TWISTED TOGETHER, AND YOU NOTICE THAT THE RESISTANCE READS
ABOUT 1000 TO 2000 OHMS, THEN YOU MAY HAVE A DROP-OUT RELAY.  A DROP-OUT RELAY
IS A RELAY THAT SENSES A PHONE GOING OFF HOOK, AND SIGNALS A TAPE RECORDER TO
START RECORDING.
ANOTHER WAY TO TEST FOR BUGS, IS WHILE THE PHONE IS STILL CONNECTED TO THE
OUTSIDE WORLD, THE VOLTAGE AGAIN IS ABOUT 48 VOLTS, WHILE IF THE PHONE IS NOT
CONNECT TO THE OUTSIDE WORLD, IT SHOULD ONLY BE ABOUT 6 TO 10 VOLTS.  IF YOU
GET ANY OTHER VOLTAGE READING, THEN IT MAY MEAN THAT YOUR TELEPHONE LINE IS
BEING MONITORED.
ALSO, IF YOU USE A WIDE RANGE AUDIO FREQUENCY GENERATOR AND CALL YOUR HOUSE
FROM ANOTHER PHONE AND SWEEP UP AND DOWN THE SPECTRUM, AND IF YOU NOTICE THAT
THE PHONE ANSWERS ITSELF SOMEWHERE IN THE SWEEP, YOU PROBABLY HAVE A INFINITY
TRANSMITTER ON YOUR LINE.
THE INFORMATION THAT I MENTIONED ABOVE TELLS YOU NOTHING ABOUT TELEPHONE
COMPANY TAPS AT THE CENTRAL OFFICE OR ANYWHERE ELSE ALONG THE LINE, BUT THIS
INFORMATION WILL TELL YOU IF SOMEONE LIKE AN ENEMY OR BUSINESS ASSOCIATE IS
MONITORING YOUR TELEPHONE ACTIVITIES.  AN INFINITY TRANSMITTER IS A NEAT
LITTLE DEVICE THAT ALLOWS YOU TO CALL THE BUGGED PLACE AND IT SHUTS OFF THE
RINGER AND DEFEATS THE SWITCHHOOK, SO THE MOUTHPIECE NOW BECOMES A ROOM BUG.
IT WAS ORIGINALLY VERY EASY TO GET AN INFINITY TRANSMITTER, SO THAT YOU COULD
MONITOR YOUR OWN PHONE LINES IF YOU WANTED TO, WHILE YOU WERE OUT OF TOWN.
WELL THAT'S ENOUGH FOR NOW ON TELEPHONE MONITORING.