PHREAKFQ.TXT, from TAP_and_YIPL_Collection_CD.iso /PHREAK/GENERAL: text file, 2000-01-09, 64KB, 1,755 lines
The Alt.Phreaking FAQ 1.41
Much thanks to Itris, Mohawk, MMX, Thomas Icom, Black Axe, Tom Farley and
the OCPP for their contributions, encouragement, and bitching. Special
thanks to Jenn Martino for the sound files and her patience.
Table of Contents
A: Starting out/ Politics
Introduction/Info
The Basics
B: Technical
PBXs/Extenders/VMBs
Call Number Identification
Cable plant/Switching/Transmission
Test numbers
LATAs/IntraLATA carriers/InterLATA carriers
COCOTS/BOCOTS/Pay Phones
Numbering
C: Reference
Reference
Tools and Toys
D: Fun and Games
Dirty Tricks
Trashing
Scanning
0.0 Introduction/Info
0.1 What is this FAQ?
The beginner's alt.phreaking FAQ was established to help answer the
questions that beginner phreaks often have. This FAQ is maintained and
edited by Seuss. This file can be downloaded at
http://members.tripod.com/~SeusslyOne.
0.2 What is alt.phreaking for?
Alt.Phreaking is a newsgroup for the discussion and exchange of phreaking
information, hints, tips, and general knowledge. It is supposed to be a way
for people to discuss phreaking without feeling like a moron, whether
asking or answering questions. It is also a good way for phreaks around the
world to communicate easily. It is NOT a place for warez, tech support,
spamming etc.
0.3 What is a phreak?
Phreak is short for phone phreak, a hacker of the telephone system. A
phreak (or a phreaker) is someone who wants to learn about the telephone
system. Some people who claim to be phreaks are thieves who do nothing but
rip off long distance service. Others are only interested in sneaky tricks
and screwing other people. A phreak is not someone who destroys phone
property if it's not necessary for the advancement of their knowledge of
said system. Boxing and other ways of hacking the telco do not make
someone a phreak. Being a phreak is a way of life. There are many different
views on what a phreak is, so two people may call themselves "phreaks" yet
have two totally different viewpoints.
0.4 Additions, Suggestions, etc.
Even though Seuss maintains and edits the alt.phreaking FAQ, much of the
content comes from regular contributors to alt.phreaking. If you would like
something added, changed, or if you just have a suggestion, we invite you
to email me at Seuss@Cryogen.com. Your comments will greatly improve the
quality of the FAQ.
1.0 The Basics
1.1 Your new status in the underground
Welcome to the phone phreak underground. We're a fairly decent, not overly
judgmental pack, as you'll see if you stick around long enough. You're new
here, so try and remember that newbie phone phreaks are a dime-a-dozen. As
much as we'd like to see you stay, coming in with a bad attitude won't help
you any. Just remember to be polite and say please and thank you and that
you're in absolutely no position to rag on someone for asking what seems
like an obvious question to you now. We only tell you to RTFM because we
love you. Finally please try and keep your sense of humor, it will help
enormously.
1.2 I'm a newbie please help!!
The first mistake you'll make as a newbie is to assume that everyone will
jump to spoon-feed you answers. That only happens in books and movies. Lots
of us really DO want to help you, but we have better things to do than
tutor your ass non-stop. First and foremost, try and learn as much as you
can about phreaking by yourself. Visit as many related web pages as
possible, read books about telephony and experiment. If you hit a snag
along the way then by all means ask for help, but for the love of Christ
don't go to alt.phreaking and ask for 'phreaking texts'. Try and observe
the common courtesies: don't post in ALL CAPS (oR aLtErNaTiNg caps either),
don't post HTML, and spare us the superfluous punctuation. Also, don't get
discouraged if you get flamed and everyone calls you a lamer.
1.3 What should I read?
Good question, but let's start with what NOT to read. Ignore the
anarchist's cookbook. The phreaking information in it is so dated as to be
useless and everything else is dangerously wrong. The BIOC files are
probably older than you are... read them if you must but the ideas are
pretty much dead.
What you WILL want to get a hold of:
- A book about installing your own phone.
- The file "Outside Loop Distribution Plant" by Phucked Agent 04. It's a
little old now (so don't expect to hear much about SLCs), but still an
excellent reference for explaining the inner workings of the
inside/outside plant.
- Glossaries of telecommunications and phreaking terms. We highly recommend
Newton's Telecom Dictionary, but there are a lot of text files that list
the lingo.
- A BRIEF explanation of the more common boxes. Don't worry about these too
much, but it will help you understand some of the posts. Fixer has a great
list of boxes on his site, along with what does and does not work and why.
- A cheap TAB book on basic electronics. TRUST me. Phone phreaks all babble
about electronics for some weird reason, and it's a pain following them
without a reference.
- The better zines. 2600, Phrack and Phone Punx Magazine are all still
being printed or posted. Shuffle through back issues of the now defunct
THTJ magazine, Cybertek, OCPP, Private Line magazine and Phantasy magazine
too. The Phone Punx Network has a zine archive where you can find some of
these zines.
- A little bit of history on the underground. Get a hold of The Hacker
Crackdown, it makes for fascinating reading, will give you an idea of what
the scene was like before the WWW. Read Takedown in order to understand the
basis of the Kevin Mitnick saga.
1.4 I need help with phreaking in a foreign country
It's tough to find phreaks in the same state, let alone the same place in a
foreign country. One place to look is in 2600's meeting section to see if
there are any meetings in your area. Check question 13 for foreign phreak
websites.
Try the UK's phreaking newsgroup: alt.ph.uk
and Germany's phreaking newsgroup: de.org.ccc
1.5 Is phreaking (or any method of or related to) legal?
Exercise your own common sense. Toll fraud is stealing and is very
illegal. If you're caught ripping off phone service you'll probably be
prosecuted. After that, what is and isn't legal is still rather vague when
it comes to hacking and phreaking. Whether you get in trouble depends on
where you live, who you're pissing off, and what you're doing. For example
we've seen kids get kicked out of school for just having certain texts in
their possession. If you respect property and just keep a bunch of text
files on your computer then you should be fine. If you go out and tap
someone's phone you could get in a lot of trouble. Your local police will
probably just tell you to stop, mainly because they don't know what you're
doing. However, the Secret Service can just make stuff up and charge you
with anything. Some states actually have laws making some methods of
phreaking illegal. For instance, there are trashing laws in certain areas
and scanning has been outlawed in Colorado. Also remember that phone
company installations (including wiring cabinets) are private property, and
Bell is awfully touchy about trespassing.
2.0 PBXs / Extenders / VMBs
2.1 PBXs
2.1.1 What is a PBX?
A PBX is a private phone switch used by large companies and other
institutions that require a flexible internal phone system (such as college
campuses or big office buildings). PBXs are the devices that ask you to
dial an extension or operator when you connect to them. A subset of PBXs
are key systems; PBXs with less than 50 users. For more in-depth answers
check the entry for switch.
PBXs consist of a small phone switch (say a DMS 10) or a dedicated PBX
switch (an AT&T System 75), a group of outbound trunks, which are nothing
more than phone lines to the outside (often fractional Ts or even T-1s on
the larger systems), a set of telephones and a bunch of users.
2.1.2 Why does everyone make a big deal about PBXs?
When people are seen groveling for PBXs, they're asking for dialouts on
that particular PBX. These numbers allow them to call up, seize an outbound
line and make their call on the PBX owner's tab. Because the PBX has to be
called, PBXs connected to toll-free numbers are the most popular.
2.1.3 What is a DISA port and what is it for?
A DISA port (Direct Inward System Access port) is a maintenance feature on
a PBX. When you connect to it and input a pass code you seize an outbound
trunk of that PBX. Hacking DISA ports is a relatively simple and effective
way to get free service plus someone else's number on the ANI controller.
[Sound file: DISA port attention tone]
2.2 Extenders
2.2.1 What's an extender?
Unlike most systems exploited by phreaks, a WATS extender is designed to be
used for making phone calls without directly billing the caller. WATS
extenders are 800 numbers connected to bulk rate billed telephone lines and
guarded by a pass code (usually a VERY LONG one). "950s" are another common
form of extender. The most common incarnation of extenders today is the
dialup used for prepaid phonecards. Be warned: extenders VERY often utilize
real time ANI, and do not react well to abuse. These things are dangerous
and should be treated with care.
2.3 Voice Mail
2.3.1 What is voice mail?
Voicemail is a sort of bulk answering machine. It's effectively a small
computer that will record phone messages, and often allow for more advanced
features (like forwarding of messages etc.).
2.3.2 What's a VMB?
Voice Mail Boxes (VMBs) are separate user accounts on a voice mail
system. Among the standard user boxes are administrator boxes, privileged
accounts that allow for the creation and deletion of boxes, changing of
routing features, etc.
2.3.3 How do I hack a VMB?
The specific techniques used for hacking voice mail boxes vary from
system to system. However, the general procedure is to dial up a voice mail
system, input a box number, and guess at the pass code (usually with a
wardialer). Once the box is cracked it can be taken over (the outgoing
message and pass code changed), the messages spied on, dialed out from by
inputting the correct commands, or new accounts can be created (from
administrative boxes).
3.0 Calling Number Identification
3.1 ANI
3.1.1 What is ANI?
ANI stands for Automatic Number Identification. It is a service feature in
which the directory or equipment number of a calling station (read as
'telephone') is automatically obtained. Enhanced 911 systems, 800/888
numbers and big companies make the most use out of this feature. 'ANI' is
often used interchangeably with 'ANAC' by the less educated; don't do that.
3.1.2 How is ANI transmitted?
Numbers receiving realtime ANI are connected to their CO or toll center via
digital trunks which send data packets back and forth. The ANI data is sent
from the office to an ANI controller on the premises of the site receiving
ANI, in the packet's headers. If SS7 isn't in use, ANI is MFed to the ANI
controller in the format KP-I-NXX-XXXX-ST (that's the letter 'I', not a 1).
The 'I' in the MF sequence represents the information digit.
3.1.3 What is ANI II?
ANI II is an additional feature of ANI. ANI II adds a pair of digits to the
ANI readout that labels what type of service the number is (i.e. if it's a
pay phone, a PBX line, etc.). There's ONE ANAC (to the best of my
knowledge) that reads back ANI II. 1-800-487-9240. PLEASE don't use it
unless you have to, as overused ANACs will die. A list of ANI II digits can
be obtained at www.NANPA.com.
3.1.4 What is 'real time' ANI?
Real time ANI is yet another kink in ANI. Not all ANI subscribers get their
ANI as soon as they're called. Some ANI subscribers get a call record at
the end of the month that lists all their incoming calls. Subscribers who
get their ANI as the call comes in have what's called "real time ANI".
Think of it as beefed up caller ID.
3.1.5 What's a "Dark call"?
A 'dark call' indicates an ANI failure. Dark calls throw up a "NO ANI
RECEIVED" message on a TSPS console, which triggers ONI.
3.1.6 What is ONI?
ONI (Operator Number Identification) is when a live operator asks you for
the phone number you're calling from. Now, certain unscrupulous people
could tell the operator that they were from a number other than the one
they were actually calling from...
3.2 ANAC
3.2.1 What is an ANAC?
ANAC stands for Automatic Number Announcement Circuit. An ANAC number
refers to a number that you call that tells you what number you're calling
from. This has a variety of uses. Linemen call them to find out the number
of the line they are working on. Phreaks use them when they are beige
boxing for the same reason. There are a million other uses for the things.
3.2.2 I need an ANAC number for my area.
ANAC numbers are different in all areas. Try to find your local ANAC and
use that one. If you can't find one you can always use a national one like
1-800-487-9240. National ANAC numbers come and go so don't use it a hundred
times a day to impress your friends because they'll shut it down if it's
used too much.
3.3 Caller ID
3.3.1 What is Caller ID?
Caller ID is a service that delivers the number of the calling party. A
separate unit or special phone is used to display the number. Caller ID
service can be ordered from your local telephone company. There is a monthly
charge of about $6 to $8 a month. Caller ID Deluxe has the same features as
normal Caller ID but it also displays the name and address of the person
who calls along with their number. This service costs about $1 more per
month.
3.3.2 How does Caller ID work?
This next section is from the Fixer's article "beating Caller ID".
Caller ID is a data stream sent by the Phone Company to your line between
the first and second ring. The data stream conforms to Bell 202, which is a
1200 baud half-duplex FSK modulation. That is why serial Caller ID boxes
run at 1200 baud.
The data stream itself is pretty straightforward. Here's an example:
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUĆ'^D 032415122503806467x
The first thing of note is the 30 U's. Those are actually sync pulses. A
"U" is 55 hex, or 01010101 binary. This is called the "Channel Seizure
Signal."
After that comes 130 milliseconds of 1200 Hz (the Bell 202 "mark"
frequency) which usually shows up in the datastream as a character or two
of garbage.
That is followed by the "message type word", which is 04 hex for standard
Caller ID, 07 hex for Name & Number. A word, by the way, is 8 bits for our
purposes.
That is followed by the "message length word" which tells us how many bytes
follow.
The next four bytes are the date, in ASCII. In the example above, the date
is 0324, or March 24th.
The next four bytes after the date are the time, also in ASCII. In the
example, the time is 1512, or 3:12pm.
The next 10 digits are the phone number that is calling. In the example, the
phone number is 250-380-6467. The number is also in ASCII and doesn't
contain the hyphens. Some phone companies will leave out the area code and
only transmit 7 digits for a local call, others will always send the area
code as well.
If this were a name-and-number Caller ID data stream, the number would be
followed by a delimiter (01h) and another message length byte to indicate
the number of bytes in the name. This would be followed by the name itself,
in ASCII.
If this call originated from an area that doesn't support Caller ID, then
instead of the phone number, a capital "O" is transmitted (4F hex).
If the call was marked "private" as a result of the caller using *67 or
having a permanent call blocking service, then instead of the phone number,
a capital "P" (50 hex) would be sent.
The very last byte of the data stream is a checksum. This is calculated by
adding the value of all the other bytes in the data message (the message
type, length, number and name data, and any delimiters) and taking the
two's complement of the low byte of the result (in other words, the two's
complement of the modulo-256 simple checksum of the CID data).
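The message layout Fixer describes above can be checked by decoding one. The following is an added example, not code from the FAQ or from Fixer's article: it builds a constructed Bell 202 stream (30 'U' seizure bytes, two bytes standing in for the mark-tone garbage, then type, length, data and checksum) and decodes it, using the type words exactly as this page gives them (04 hex number only, 07 hex name and number) and the 'O'/'P' status characters. The search for the header, the `build_stream` helper and the sample values are this example's own assumptions.

```python
"""Decoder for the Bell 202 Caller ID message described in the FAQ (added example)."""
from dataclasses import dataclass
from typing import Optional

# Message type words as given on this page: 04 hex = number only,
# 07 hex = name and number. The name delimiter is 01 hex.
TYPE_NUMBER_ONLY = 0x04
TYPE_NAME_AND_NUMBER = 0x07
NAME_DELIMITER = 0x01


@dataclass
class CallerIdMessage:
    date: str              # MMDD, ASCII as sent
    time: str              # HHMM, ASCII as sent
    status: str            # "number", "out_of_area" ('O') or "private" ('P')
    number: Optional[str]  # digits only, no hyphens; None unless status == "number"
    name: Optional[str]    # present only in a name-and-number message


def checksum(message: bytes) -> int:
    """Two's complement of the modulo-256 sum of the type, length and data bytes."""
    return (-sum(message)) & 0xFF


def build_stream(msg_type: int, body: bytes) -> bytes:
    """Constructed test stream: 30 'U' (55 hex) seizure bytes, two 0xFF bytes
    standing in for the 130 ms of mark as a UART would see it, then the
    message (type, length, data) followed by its checksum byte."""
    message = bytes([msg_type, len(body)]) + body
    return b"U" * 30 + b"\xff\xff" + message + bytes([checksum(message)])


def parse_stream(stream: bytes) -> CallerIdMessage:
    """Locate the message in a raw stream and decode it, verifying the checksum.

    The mark period shows up as unpredictable bytes, so instead of assuming a
    fixed offset we look for a (type, length) header whose trailing checksum
    brings the whole message to zero modulo 256. Anything else is rejected.
    """
    for start in range(len(stream) - 2):
        msg_type = stream[start]
        if msg_type not in (TYPE_NUMBER_ONLY, TYPE_NAME_AND_NUMBER):
            continue
        length = stream[start + 1]
        end = start + 2 + length          # index of the checksum byte
        if end >= len(stream):
            continue
        message = stream[start:end]
        if (sum(message) + stream[end]) & 0xFF == 0:
            return _decode(msg_type, message[2:])
    raise ValueError("no Caller ID message with a valid checksum found")


def _decode(msg_type: int, body: bytes) -> CallerIdMessage:
    """Split the data bytes into date, time, number (or status) and optional name."""
    if len(body) < 9:
        raise ValueError("message body too short")
    date = body[0:4].decode("ascii")
    time = body[4:8].decode("ascii")
    rest = body[8:]
    name = None
    if msg_type == TYPE_NAME_AND_NUMBER and NAME_DELIMITER in rest:
        delim = rest.index(NAME_DELIMITER)
        number_field = rest[:delim]
        name_len = rest[delim + 1]        # second length byte, counts name bytes
        name = rest[delim + 2:delim + 2 + name_len].decode("ascii")
    else:
        number_field = rest
    if number_field == b"O":              # 4F hex: originating area has no Caller ID
        return CallerIdMessage(date, time, "out_of_area", None, name)
    if number_field == b"P":              # 50 hex: caller used *67 or line blocking
        return CallerIdMessage(date, time, "private", None, name)
    if not number_field.isdigit():
        raise ValueError("number field is not ASCII digits: %r" % number_field)
    return CallerIdMessage(date, time, "number", number_field.decode("ascii"), name)


if __name__ == "__main__":
    # The page's own example values: March 24th, 3:12 pm, 250-380-6467.
    sample = build_stream(TYPE_NUMBER_ONLY, b"03241512" + b"2503806467")
    print(parse_stream(sample))
```

The checksum only catches line noise; a message that verifies is simply what the serving switch chose to send, and the 'P' status is itself just a data byte, so nothing that receives Caller ID should treat the decoded number as proof of who is calling (the FAQ's own point that *67 does not affect ANI is the other half of that picture).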
3.4 *67
3.4.1 What is *67
*67 is the vertical service code for per call ID blocking. It will block
your number from being displayed on the Caller ID unit of the person that
you called. If the person has Caller ID Deluxe, it will also block your
address. *67 DOES NOT AFFECT ANI!!!
3.4.2 Does *67 block *69?
In some areas *69 now has a feature that reads back the number of the
person that called you and then gives you the option to call them back. *67
will block your number from being read to them, but they can still call you
back. Just shell out the 75 cents and test it out for yourself.
3.4.3 Anonymous Call Rejection
Anonymous Call Rejection or ACR is provided to Caller ID customers for
free. This service allows Caller ID customers to block calls from people
who use per call blocking (*67). When someone that blocks their number
calls a person with Caller ID who has activated ACR, they hear a message
telling them that they do not accept calls from people that block their
number.
3.5 Caller ID blockers
3.5.1 What is a Caller ID blocker?
A Caller ID blocker is a device that will block your name and number from
being shown on Caller ID boxes. It is sold at Radio Shack and the product
number is 43-925. It costs $29.99. Basically, you're paying $30 or so for
something that will dial *67 for you.
4.0 Cable plant/Transmission
4.1 Cable Plant
4.1.1 What is the inside/outside cable plant?
The inside cable plant refers to all hardware and wiring in a telco office.
The outside cable plant is all cables, wires, breakout boxes, and
transmission hardware between the phone jack and the office.
4.1.2 What is the layout of the cable plant?
[Image]
This graphic doesn't cover everything, but its nice to have a picture to
work with. Once the cable hits the house in the upper left, it will be
connected to the protector block (which protects the inside wiring, the
phone, and you from lightning strikes). From there it goes to the rate
demarcation "demarc" point, usually a little gray box on the side of your
house. This is where the Phone Company's responsibility for the wiring
ends. The pair should then be strung to a minimum point of penetration, so
wiring the other side of the house is a little easier, and from there it
goes to the jack.
4.1.3 Canning and beige boxing
The average phone phreak cuts their teeth on a steady diet of beige-boxing,
hooking up a phone to someone else's line and making calls. The principle
is that in the mid 1970s, AT&T started billing to the line instead of to
the phone, so anyone who hooked up a phone to another person's line would
be free to call on their dial tone. As breaking into someone's house to
plug a cordless base into a spare wall jack is rather impractical, most
phreaks plug their beige-box into an outside plant wiring cabinet of some
sort. If you're hell-bent on opening a wiring cabinet remember that while
they're usually not locked, you'll probably need to unscrew something to
get in. A can wrench is handy, though a 3/8th nut-driver and a 7/16th hex
driver will do you just fine.
[Image]
Boots: These are splice points found in aerial distributions. Nothing too
special here, and a pain to get at unless they're stuck to the side of a
building, but simple to let oneself into. Just disconnect the clips at the
bottom and lift off the vinyl cover.
[Image]
Pedestal terminals: This happy little fellow can be found in areas where
underground distribution is used. Usually you can just grab the lip at the
bottom and pull it forward to get at the lines.
[Image] [Image]
Serving Area Interfaces: This monster is a serving area interface. It
breaks out every pair in a particular serving area. The wiring in these
things is kinda funny, as they use punch down blocks to secure the wires.
The interesting thing about these is that some of these have 'floater
pairs' that aren't hooked up to customer lines. These pairs are used solely
by telco personnel.
4.2 Transmission
4.2.1 What media are phone conversations transmitted on?
Customer loops are usually copper analog. In many places this will be
converted to fiber after about a thousand feet before it continues on its
merry way to the CO. Some WAY out of the way places have their loops
converted to microwave for transmission to the CO (this method is often
referred to as wireless local loop). Trunks are usually immense fiber optic
lines, though PBX trunks are usually T-1s or fractional T-1 lines.
4.2.2 What's the average resistance of a phone line?
Maximum Conductor Resistance in Ohms

  AWG   Per Kilometer   Per 1000 Feet
   19        28.5            8.7
   22        57.1           17.4
   24        90.2           25.5
   26       144.4           44.0
4.2.3 How do I measure the length of my analog loop?
There are two ways to measure loop length. The first is to use a time
domain reflectometer, a very expensive and complicated instrument similar
to an oscilloscope and about as hard to use. The simpler method is to
measure the capacitance of the line using the constant .83 micro-farads per
1000 feet of wire. Keep in mind this value is an average, and that wet
sections affect capacitance.
4.2.4 What is a trunk?
A trunk is a fixed line between 2 telephone offices, a telephone office and
a PBX (or similar hardware), or two PBXs (again, or similar hardware).
Trunks are usually immense fiber optic lines, though PBX trunks are usually
T-1s or fractional T-1 lines.
4.2.5 What's in a manhole?
Rats. Dirty water. Roaches. Splicing boots that you can't open. Methane
gas.
4.2.6 Why shouldn't I go peeking in a manhole?
Methane builds up in manholes, risking suffocation or explosion unless the
air is vented; and running a blower is rather obvious. When it rains water
tends to build up in holes. You probably don't have the right tools to open
the splicing boots, and why bother anyway?
4.2.7 Can I tap/beige off of a fiber optic line?
Sure you can, but it's too much work to be worthwhile. You'll need to
connect an add/drop wavelength division multiplexer to the line, and cycle
through the traffic.
4.3 What is a switch?
A switch is a large, expensive piece of hardware that connects telephone
calls. There are 3 types of switch: the dial tone switch (also called the
end office or class 5 office), the remote switch and the toll switch (also
known as a tandem switch or class 4 switch). Dial tone switches are the
switches that interface directly with your telephone and provide you with
your dialtone. The old books and files that talk about regional, sectional
and area switches are dated, so ignore them. Toll switches connect end
offices with toll switches and toll switches with other toll switches. The
third type of switch is a remote switch. These are large PBX switches
slaved to a CO that is a good distance away. The switches are implemented
in areas too small to warrant their own offices, but require a switch to
themselves. Remote switches are switches only, and carry none of the other
computer equipment necessary for a full scale office. Remotes do NOT have
their own AMA systems, customer databases, etc. These 'big' functions are
handled by the office the remote is slaved to.
Phone calls typically follow a path like this: the end office will first
look to see if it can complete the call internally, if not it hands off the
call to either another end office (if its not that far off) or to a toll
switch (for a long haul call). From the toll office it can proceed to
another toll office or an end office for completion.
4.3.5 What are some common switches?
*Dial tone Switches*
1AESS
5ESS
5ESS 2000
5ESS 2000 DCS (Supposed to be a cellular switch, but sometimes foolishly
deployed for landlines)
DMS 10
DMS 100
*Toll Switches*
DMS 200
DMS 250
DMS 500
*Remote switches*
GTD-5 EAX
4.4 What is SS7?
SS7 (Signaling System 7) is a system for telephone offices to communicate
with each other. In the good old days offices would send information
about a call's routing by in-band signaling (audible tones sent along with
your voice). In-band signaling was slow, unreliable, and subject to wild
amounts of fraud. Then the phone company tried out-of-band signaling,
where the tones were outside the audible bandwidth of the phone.
Eventually, SS7 came into play: a packet switched network that transmits
voice and signaling information in the telephone network.
4.4.5 Do blue boxes still work?
Supposedly yes, blue boxes still work given the right conditions. Don't
just try and use one from your home, as it would be both foolish and
frustrating. There's perpetual scuttlebutt about MFing through country
direct numbers, or blue boxing through extenders, but both are labor
intensive processes and are of questionable value.
5.0 Test numbers and offices
5.1 What are test numbers?
Test numbers are dialups to testing equipment or test features set up by
the phone company or private entities. There are about a billion kinds of
test numbers, so PLEASE don't just start asking for test numbers,
especially on newsgroups like comp.dcom.telecom.tech.
5.2 What are some common test numbers and their uses?
- 5.2.1 Sweep Tones: Tone sweeps are a test tone ranging from 304 Hz to
3204 Hz. A common use for sweep tones is to check for infinity-transmitter
style taps. Dial up a sweep tone. If an audible clicking is heard during
the sweep then a transmitter could be installed on your line. Telco
maintenance uses sweep tones to check for the presence of loading coils,
and other such nasties that eat high frequency tones in order to qualify a
line for high speed services.
- 5.2.2 Milliwatt test: These are 1004 Hz tones sent out at 0 dB. Milliwatt
tests are used to check for line loss and other complex tests.
- 5.2.3 1004 Hz test tone: This is a vanilla 1004 Hz tone. Nothing too
useful here, without a loop analyzer anyway.
- 5.2.4 Quiet termination: This feature connects the caller to a port with
fixed resistance, 600 ohms or 900 ohms being the most common. There should
be nothing but dead silence on connection. Clicks, static or crosstalk will
be clearly evident if a noisy line is used to dial this test.
- 5.2.5 Ringback: Calls back the originating number in an annoying fashion.
Dialing all the touch-tone digits in order (starting with 1 and ending in #
going across the keypad rows) will generate 2 tones saying the keypad is
ok.
- 5.2.6 Loops: These numbers exist in linked pairs. Call one number and
you'll get a tone. Call the other number and you get dead silence. If both
are called at the same time they make a connection. It used to be that you
could then talk over this connection, but now there are filters that block
speech placed on most loops.
- 5.2.7 ANAC: This test dialup will read off the number of the line you're
calling from. On rare occasions you will find ANACs with a DTMF response
for use with remote test terminals.
- 5.2.8 DATUs: DATUs (Digital Audio Test Units) are a godsend to
technicians and phone phreaks everywhere. DATUs allow a caller to monitor
lines (don't get too excited), open and short pairs, and put trace tones on
the pair. While it might not sound too exciting, it has more applications
than most people think.
5.3 Internal Offices
5.3.1 What is an internal office?
An internal office is an office that the general public doesn't know about.
Internal offices are usually used to access complex test systems (such as
Switching Control) or in applications where automation would be impractical
(such as Customer Name and Address offices).
5.4 Customer Name and Address office
5.4.1 What is a CNA number?
A CNA (Customer Name and Address) number is the number to the CNA office.
This office provides the name and address of the owner of a particular
telephone number to telephone techs.
5.4.2 Where can I get a working CNA number?
Normal CNA numbers that list every number in the area are available only to
telephone company personnel. Private citizens must now rely on CNA
information from private companies such as Unidirectory (900-933-3330) and
Telename (900-884-1212) to give them their info at a buck a minute. If you
are in 312 or 708, Ameritech has a pay-for-play CNA service available to
the general public. The number is 796-9600. The cost is $.35/call and can
look up two numbers per call. If you are in 415, Pacific Bell offers a
public access CNA service at (415)705-9299. If you are in Bell Atlantic
territory you can call (201)555-5454 or (908)555-5454 for automated CNA
information. The cost is $.50/call with 3 look ups per call. You can also
do reverse look ups if you know the telephone number using Database America
(http://adp.infousa.com/cgi-bin/abicgi/abicgi.pl?BAS_session={bas_session}&BAS_vendor=402&BAS_type=ADP&BAS_page=1&BAS_action=search)
6.0 LATAs/ IntraLATA Carriers/ InterLATA Carriers
6.1 LATAs
6.1.1 What's a LATA?
LATAs are the geographical areas where a single RBOC (local phone company)
can connect a call. If a call passes across the boundaries of a LATA it
must be handed off to an Inter-Exchange Carrier and then back to another
Local Exchange Carrier for completion.
6.2 Inter-LATA carriers.
6.2.1 What are Inter-LATA carriers?
Inter-LATA is just another name for a long distance company such as AT&T,
Sprint or MCI.
6.2.2 How are alternate InterLATA carriers accessed?
Inter-LATA carriers are accessed through 950 numbers (feature group B
access codes), or 10XXX/101XXXX numbers (feature group D access codes).
6.2.3 Where can I get a list of Inter-LATA carriers and their dialups?
You can get a list of them at http://www.NANPA.com
7.0 COCOTS \ BOCOTS \ Pay Phones
7.1 COCOTs
7.1.1 What is a COCOT?
COCOT is an acronym for Customer Owned Coin Operated Telephone. This is a
phone that is owned by a private business or person. Even though they look
enough like phones that are owned by your local telephone company, they are
very different. COCOTs are known for maximum security and minimum
convenience.
7.1.2 What is a Coin Line?
In the good old days COCOTs were connected to normal POTS (home phone)
lines. Sadly, there is a growing trend of connecting them to specially
leased lines from the phone company that allow for greater fraud protection
by blocking 900/976 and an option to block international calls along with
coin supervision and disposal features and extended operator services.
Different RBOC's offer different features and different names for this
service.
7.2 BOCOTs
7.2.1 What is a BOCOT?
A BOCOT is an updated telco coin station. BOCOTs utilize superior
technology to the standard fortress phone, but have the problem of needing
to interface with the older technology of the ACTS system.
7.3 Millennium Phones
7.3.1 What is a Millennium Phone?
A Millennium Phone is a newish offering from Nortel to the COCOT/BOCOT
market. Millennium Phones are ultra computerized, high security phones
mostly deployed in Canada and the Midwest (anyone know different?) at the
moment. For more info on Millennium Phones read OCPP issue 7 and visit
www.nortel.com.
7.3.2 Programming on the Millennium Phone
YES, Millenniums can be programmed from their keypads. You can feed them so
called "OP CODES" that have as-yet unknown uses. Put the phone ON-HOOK,
dial "CRASERV" and input a 5 digit PIN (the default is 12345). OP CODES
are 3 digits long.
7.4 Pay phones
7.4.1 What is a pay phone?
Pay phones, fortress phones, telco phones are all the same thing. These are
Western Electric dial tone first coin stations. These phones are still
mostly electromechanical, as opposed to COCOTS, which are computers with
handsets.
7.4.2 Coin Signaling
RBOC pay phones need their CO to tell them that enough money has been
deposited to make a call. They do this by sending a signal to their CO
whenever a coin has been deposited. They do this by generating a pulsed MF
tone whenever a coin is deposited that corresponds to the type of coin
deposited. This is why red boxes work(ed).
7.4.3 Redbox tones
Coin         Nickel          Dime            Quarter
Frequencies  1700 & 2200 Hz  1700 & 2200 Hz  1700 & 2200 Hz
Duration
7.4.4 Why doesn't my redbox work?
Assuming you've checked for glaring problems like incorrect assembly and
programming, and that you're trying to use your box on an RBOC Western
Electric coin phone, there's still a potential problem. After losing an
ungodly amount of virtual money from redbox use, telcos began incorporating
band-stop filters into phones in the form of 'PIN Fraud Devices': a tiny
sliver of firmware that bars redboxes, among other things. Payphones have
also been known to mute mouthpieces.
7.4.5 Coin collection
Hypothetical situation: you just got paged, so you wander over to a handy
RBOC pay phone. You pick up the receiver, and deposit 35 of your
hard-earned cents into the coin slot. Where did your money just disappear
to? Your money has passed through a slug test, gone through a sorter,
tripped a sensor to generate the appropriate (redbox) tone and fallen into
the temporary hopper in the phone. Once your coins are in the temp hopper
they can only go to two places: into the return chute, or into the cash
box. Where the money goes next depends on a relay in the phone. If -130 VAC
is fed into the loop the coinage is returned; if +130 VAC is fed into the
loop the coins are whisked away into the coin box.
7.4.6 Coin boxes
What happens when a payphone fills up with coins? The phone will shut
itself off, call its CO with the message 'I'm full. Come empty me.', and a
coin collection tech will come (eventually) to empty the coins.
8.0 Numbering
8.1 Area codes
8.1.1 Who assigns area codes?
Bellcore used to issue area codes, but sadly another era in
telecommunications has ended. Lockheed Martin now administers NPAs, but
it's the FCC that has final say in any telecom-related matter. What we've
lost in the way of tradition we gained in accessibility. Lockheed Martin is
very open with their info, while Bellcore insisted on charging ridiculous
amounts for their paperwork. All their public documents are on NANPA.com.
8.2 Special Area Codes (SACs)
8.2.1 What are the special area codes and what are they for?
200: Rumored to be reserved for test purposes. (Anyone want to comment on
this?)
300: Rumored to be reserved for test purposes. (Anyone want to comment on
this?)
400: Rumored to be reserved for test purposes. (Anyone want to comment on
this?)
456: International inbound routing. (Your guess is as good as mine.)
500: 'Follow me' forwarding services (A subject of constant debate.)
600: ISDN
700: Carrier defined (All sorts of fun and games here).
710: U.S. Government (Only 2 numbers in the entire NPA!!)
800/888/877: Toll free services
866/855: Reserved for future toll free services
900: Pay for play call services ($ex $ex $ex!!!).
8.2.3 Where in the world *are* the 500/700/800/888/877/900 NPAs?
SACs are everywhere and nowhere at the same time. Forgive my attempt at
being Zen. 500/700/800/888/877/900 numbers are "translated" at the dial
tone office into standard NPA-NXX-XXXX and then routed in the normal
fashion. SACs are translated according to the Line Information and Routing
Database. This is why you'll occasionally see someone on a newsgroup say
they found a "900 backdoor". In reality they found the normal phone number
that that 900 number connects to. Telco types call these numbers "Plant
test dialups".
8.3 Test prefixes
8.3.1 What are test prefixes?
Test prefixes are exchanges reserved by the RBOC for special purposes such
as testing, special routing, TTY access, etc.
8.3.2 What are some test prefixes?
*555 is reserved for special purposes such as directory assistance,
pay-for-play CNA, etc.
*959 is a holdout from the Ma Bell days, and supposedly still reserved for
test purposes. We've had some bizarre findings here.
*855 is reserved for TTY services. Not really a test prefix though.
8.3.3 Are there unpublished (secret) exchanges?
Yes, there are exchanges that aren't published but still in use for various
purposes. Some sensitive test numbers are likely in hidden exchanges.
8.3.4 How do I find unpublished (secret) exchanges?
If you happen to get test numbers out of the trash or out of trucks, check
to see if the exchanges they're in are listed in the phone book. A better
way to fetch special exchanges is to go to NANPA.com and download the
'Central Office Code Assignments' in whatever area (as of this distribution
of the FAQ only California and Nevada exchanges are available), and compare
the utilized exchange list against a list of published exchanges. Keep in
mind that "Utilized" means exchanges assigned, reserved, protected, held
for future use, test, and special-use prefixes.
8.3.5 Where can I find a list of exchanges that labels who's assigned what?
Telephone Prefix Location List
http://www.thedirectory.org/pref/
9.0 Reference
9.1 What are some phreak IRC channels?
Keep in mind that many of these chatrooms follow the same rule that most
chatrooms follow: no one talks about the subject that they are supposed to
talk about. If you want to have a *gasp* intellectual discussion, try to
find some telco personnel chatrooms.
Channels with an (I) are usually invite only
Channels with a (K) usually require a channel key
-EFNet-
#2600
#cellular
#hack (I)
#rock
#peng (I)
#realhack
#root
#npa
-Undernet-
#phonez
9.2 What are some newsgroups that deal with phreaking?
Alt.Phreaking is your best bet as far as general phreaking is concerned.
Scary thought.
Alt.2600 - A zoo
Alt.Phoneloser
Alt.2600.phreakz
Alt.hackers
alt.hack.nl
alt.hacker
de.org.ccc -German H/P newsgroup run mainly by the Chaos Computer Club
9.3 What are some newsgroups that deal with telephony?
comp.dcom.telecom
comp.dcom.telecom.tech
9.4 What are some good phreak websites?
Rancho Nevada (Fixer's Site)
http://phreaking.iscool.net
Textfiles.com
http://www.textfiles.com
The Phone Punx Network
http://fly.to/ppn
ITRIS
9.5 What are some good phreak ezines?
Phone Losers of America
http://www.phonelosers.org
Security Breach
available from the PPN website
Phrack
http://www.phrack.com
Phone Punx Magazine
http://fly.to/ppn
9.6 What are some good phreak print zines?
2600
www.2600.com
Subscription info-
2600 Subscription Dept
PO Box 752
Middle Island, NY 11953-0752
Subscription fees: United States: $21/yr individual, $50 corporate.
Overseas: $30/yr individual, $65 corporate.
Root zine
http://www.openix.com/~mutter/
Subscription info-
root zine
PO Box 1178
Maplewood,
07040
Regular Subscription    U.S. Resident   Non-U.S.   Corporate
1 Issue Sampler         $2.00           $2.50      $10.00
2 Issue Subscription    $4.00           $5.00      $20.00
Back Issue
  Each                  $2.50           $3.00      $20.00
  Volume                $9.00           $10.00     $70.00
(please make checks payable to "Root Zine")
9.7 What are some good telecom sites?
The FCC: The government agency that regulates us. Take a peek at their
site, as they publish some neat stuff. (http://www.FCC.gov)
Telecom Archives: This page is an archive of the comp.dcom.telecom
newsgroup. The FAQ is excellent, the articles are good and if all else
fails you can post to the newsgroup.
(http://hyperarchive.lcs.mit.edu/telecom-archives/)
Telecom Information Resources: This is simply a monstrous list of
telecom/networking FAQs and sites. Don't bother unless you're looking into
arcane topics and have a good working knowledge of the topic already; most
people listed on this site never heard about KISS.
(http://www.spp.umich.edu/telecom/technical-info.html)
PacBell Search: Surprisingly helpful, PacBell search will outline lots of
InterLATA carrier information for you (including the law), COCOTs, and
other sundry phone-related info.
(http://www.pacbell.com/ir/search/index.html)
LexiCat Search Demo: This site is a REAL gem. It offers a searchable index
of terms (it cross references everything), as well as articles and reports
on related topics. Warning: This is a demo for a product. After 10 searches
it resets itself and won't allow you back. Reload the page after every few
searches or else.
(http://www.tra.com/cgi-bin/ft-LexiMot/ID=19970912152925603/lexi7800.html)
Blackbox Search: Try their search if you need info on LANs or direct
connection. This is an online catalog, but you can still extract enough
useful stuff to make going here worthwhile. (http://www.blackbox.com)
Lucent: These people are pretty straightforward about what they offer.
Lucent makes STUFF, unlike Bellcore which peddles information. Accordingly,
Lucent will talk and talk and talk about their products.
(http://www.lucent.com/search/search.html)
Raytheon: These people unsettle me a bit. Raytheon is a blanket electronics
firm that holds primarily DoD contracts. If you have a morbid interest in
missile guidance you'll LOVE this site. They also hold the contracts on
encrypted voice switches used in the DSN.
(http://www.electrospace.com/business/telecomm.htm)
Lockheed Martin: Now controls NPA allocation (They bought it from Bellcore.
Here ends an era.), and is happily distributing for free all sorts of
useful information Bellcore used to sell for A LOT of money. This site
lists all SACs, NPAs, and some stuff I didn't think was publicly available.
(http://www.nanpa.com/)
Country/Area/City/Code/Decoder: Pretty self explanatory.
(http://www.xmission.com/~americom/aclookup.html)
International payphone index:
(http://www.cybercafe.org/cybercafe/pubtel/pubtel.html)
AT&T Toll Free Directory: I use the print edition for browsing in general,
but this is a handy site to have around. (http://att.net/dir800/)
- Outside Plant Magazine is a great reference. Subscriptions may be
obtained from http://www.ospmag.com. Fill out a reader response card too;
the manufacturers have some really cool promo materials.
- Jensen Tools sells every piece of gear you could ever want, including
lots of strange specialized stuff like tools to open payphone housings.
http://www.jensentools.com
9.8 What's a newsline?
Newslines are tape recorders connected to phones.... sorta. When you call a
newsline it will play the tape, which will be information pertinent to the
company or organization who runs the service. Most if not all of the RBOCs
have newslines to keep personnel informed in the field. A few union locals
have newslines too. They're a good way of keeping up on what's going on in
the company. These things used to be really popular (Nynex had 20 separate
ones once upon a time), but are consolidating into RBOC newslines now.
10.0 Tools and Toys
10.1 What tools should I have in my 'kit'?
Every so often, someone asks what sort of tools they should be carrying, or
writes an article on 'Field Phreaking Kits'. There are myriad tools that a
phone phreak might find useful depending on what they're doing. Below is a
short list of what you might want to have either on your person or in your
shop and why.
A Leatherman, Paratool, Power Pliers or other multi-tool: These things are
the greatest. Depending on what you purchase you'll have a selection of
screwdrivers, a pair of pliers, a knife, a wire stripper, an awl, and all
sorts of other good things.
A can wrench: If you do a lot of beige boxing you might want to invest in
the tool that linemen use to open enclosures. Can wrenches can be hard to
find, but they're sold by specialty telecom companies. Look in the back of
Outside Plant magazine for ads. Failing that, a 7/16 hex driver and a 3/8
nut driver will open any can.
A handset or beigebox: The uses for these things abound.
A Mini-Maglite: How can you expect to get anything done without a
flashlight?
A tone tracer and an induction probe: I've found some neat uses for
these... though they're hardly necessary for standard work.
A good multi-meter: A good multi-meter will be a great help to you at one
point or another, especially if wiretapping is your thing or you get called
on to install some phones.
10.2 Where can I get a lineman's handset?
For more info on handsets and other telco tools visit Lineside's Telecom
Site - http://www.angelfire.com/ga/linesidetelco/index.html
Contact East, 335 Willow Street, North Andover, MA 01845-5995,
(508)682-2000
Jensen Tools, 7815 S. 46th Street, Phoenix, AZ 85044-5399, (800)426-1194
Specialized Products, 3131 Premier Drive, Irving, TX 75063, (800)866-5353
Time Motion Tools, 12778 Brookprinter Place, Poway, CA 92064, (619)679-0303
10.3 Where can I get a DTMF decoder?
Before you sink a few hundred bucks into a DTMF decoder, ask yourself if
you really need a dedicated decoder. Beepers will serve rather well as DTMF
decoders. Simply record the number you want decoded and play it into your
beeper. Many customer service numbers or voicemail numbers will decode
touchtones too. Honest to god DTMF decoders can be purchased at Ham radio
shops, better electronics stores, and spy shops if you're REALLY desperate.
Most phreak zines will publish schematics for them once or twice during
their production.
10.4 Where can I get a good scanner?
Hamfests are a great resource for radio gear. Online auctions also seem to
have the damndest things.
10.5 Where can I get an acoustic coupler?
Telecoupler.com and Blackbox.com both sell acoustic couplers for a bit more
than $100 a piece. Keep in mind that using a coupler is very obvious, and
throughput over a payphone blows no matter how fast your modem is.
10.6 Where can I get (Some specific telephone related tool or device)?
Central Office Equipment/Heavy Stuff: http://www.telecombids.com/
Military/Esoteric Stuff (If you can't find it elsewhere try here):
http://www.drms.dla.mil/
Contact East, 335 Willow Street, North Andover, MA 01845-5995,
(508)682-2000
Jensen Tools, 7815 S. 46th Street, Phoenix, AZ 85044-5399, (800)426-1194
Specialized Products, 3131 Premier Drive, Irving, TX 75063, (800)866-5353
Time Motion Tools, 12778 Brookprinter Place, Poway, CA 92064, (619)679-0303
11.0 Dirty Tricks
11.1 Tapping
11.1.1 How do I tap a phone?
Naughty naughty. Wiretapping is very very illegal. The most obvious is to
use an in-line tap: splicing another phone, tape recorder, or transmitter
into the circuit you want tapped. For the more technically inclined: using
an induction coil will spare you having to cut through a lot of insulation,
and capacitively isolated taps are VERY hard to detect.
For a good overview of phone tapping go to:
http://www.tscm.com/outsideplant.html
11.1.2 How do I tap a cell phone?
*** This entry was gleaned from the Motorola Bible.***
You have a few options here too. The cheapest is to get an old TV capable
of picking up UHF. Set a TV to UHF channel 82 or 83 and crank up the
volume; you should intercept cellular. The most reliable but most expensive
and annoying is to get a scanner. A simple, easy way to tap cellular is to
modify a flip phone.
1. Get a Motorola Flip phone, one of the ugly gray blocky things.
2. Take off the battery and look real hard at the back of the phone
towards the bottom. You should see two gold pins with a space in
between them. Get a little piece of foil and wedge it into the hollow
to create a third pin. Now put the battery back on.
3. Dial 68#. You should see a prompt to the effect of ' US CODE
4. Dial 08## to open a frequency.
5. Input a frequency. (111234, 11223, 11224, 11411 are common)
Note: the Motorola Bag Phone works infinitely better for cellular
monitoring. The reception is clearer, and the range is far greater than the
low powered flip phone, particularly when a real antenna is attached.
Thanks to Tom Icom for that tidbit.
*** This entry was gleaned from the Motorola Bible.***
Tapping cellphones is more fun when you can keep tracking a conversation
as it gets handed off from cell to cell. To accomplish this, it's necessary
to hack the Forward Voice Channel. When you hit on a good conversation,
dial 40#. If the phone is handed off to another cell, the channel number
will be broadcast to the phone along with a lot of junk. If you see a
string of numbers scroll by, the phone has been handed off. Look at your
display and write down the second, third and fourth characters (it should
be two digits and a letter). You'll need to convert these from hex into
binary. Throw away the first two bits. Now convert what's left into
decimal. This is the new channel number. Dial 110XXX#, where XXX is the
channel number.
11.1.3 How do I know if someone is tapping me?
This section will get a nice boost depending on the publication of an
article I'm currently writing. Anyway, the most basic tool you'll need for
detecting phone taps is a volt-ohm meter, preferably with a cap checker.
11.2 Can I really turn someone's phone into a payphone? I saw it in a
movie!!
Sure you can turn a normal phone into a payphone. Of course, it isn't easy.
To alter someone's class of service you need to access RCMAC or switching
control and add a 'DTF' flag to that line.
12.0 Trashing
12.1.1 What is trashing?
Trashing is the practice of digging through people's trash, usually for
credit card information, damaging personal information, useful goods that
have been thrown out carelessly, for the fun of it, etc. In the phreaking
sense, trashing is done to gather telco documents, phone numbers,
equipment, and the always treasured bell hard hat. Some phreaks also trash
other places such as electronic stores to try and find equipment. The most
popular places for phreaks to trash are central offices, celcos and various
computer stores.
12.1.2 Is trashing illegal?
If you do not belong on the property that you are trashing, then it's
trespassing. Some states have even passed laws that have separate penalties
for trashing. If you get caught trashing and you're not on overtly private
property (i.e. no fences), be polite and tell the truth... sorta. You're
recycling stuff, and were hoping to make a neat find in this dumpster
(which is the complete truth). The paper is only printed on one side, so
you were going to use it for scratch paper. Whatever you do, try to be neat
about it. Don't make it look like you were there and do not damage other
people's property.
12.2.1 How do I find my local central office?
Keep an eye out. COs are usually very conspicuous (Bell Atlantic is fond of
gargantuan banners and signs), often having a large sign with the name of
the local telco outside. If you have the means, there are a handful of
programs for locating COs.
CO Finder for Windows at www.stuffsoftware.com/cofinder.html.
NPA for Windows at www.pcconsultant.com/dlnpa.htm
LATTIS PRO at http://www.triquad.com/wire.html
They will supply you with all sorts of neat facts about the office too.
Beware, these things are EXPENSIVE.
13.0 Scanning
13.1 What is scanning?
In phreaking terms, there are two different types of scanning. The first
one is called exchange scanning. This is where you scan an exchange in
hopes of finding a certain type of number. Most of the time exchange
scanning is done with a wardialer, a program that scans the exchange for
you and saves the numbers in a separate file so you can review the results
later. Scanning can also be done by hand, which is called manual scanning.
Most of the time people scan exchanges for terminal numbers. However, test
numbers, voice mail boxes, and other such numbers are often scanned for.
Another type of scanning is frequency scanning. This is the same type of
radio frequency scanning that Ham radio buffs do, using scanners that you
can get at Radio Shack and other electronics places. The phreaking purpose
of this is to pick up cordless and cell phone conversations. Some use this
just to hear other people's conversations, but others use it to get credit
card numbers and other personal information that people carelessly say on
wireless phones. Visit the PLA at http://www.phonelosers.org for more
information on frequency scanning.
13.2 Exchange scanning
13.2.1 Where should I be scanning?
Most test numbers are concentrated in the -00XX and -99XX ends of an
exchange. If you're looking for dialups, RBOCs are starting to dedicate
entire exchanges to businesses. Locating one of these and wardialing here
is a good tactic for finding business carriers.
13.2.2 How did the phone company find out I was wardialing?
Wardialers are a good way to get the phone company's attention. They have
equipment that notifies them of repeated sequential dialing and abnormal
amounts of toll free calls. If you want to wardial, make sure your program
does the following: randomizes the time between calls and randomizes the
order of calls (so they're non-sequential). You might want to beige it
too...
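The two signatures the FAQ says telco equipment watches for (runs of
sequentially dialed numbers from one line, and an abnormal number of toll
free calls) are easy to express as a detector over call detail records. The
following is an added example, not something from this FAQ or from any telco
system: the CDR format (timestamp, originating number, dialed number, call
seconds), the sample records, and the thresholds are all constructed for the
demonstration.

```python
"""Toy detector for the two wardialing signatures described above:
sequential dialing from one originating line, and toll-free call volume.
Added example; the CDR layout and thresholds are assumptions, not a
telco's real format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed call-detail records: "timestamp,originating,dialed,seconds".
# Line 2125550100 steps through an exchange; 2125550122 hammers toll-free
# numbers; 2125550111 is an ordinary subscriber.
SAMPLE_CDR = """\
1999-11-03T01:00:00,2125550100,2125559900,3
1999-11-03T01:00:05,2125550100,2125559901,4
1999-11-03T01:00:10,2125550100,2125559902,2
1999-11-03T01:00:15,2125550100,2125559903,3
1999-11-03T01:00:20,2125550100,2125559904,30
1999-11-03T01:00:25,2125550100,2125559905,3
1999-11-03T09:12:00,2125550111,8005550123,120
1999-11-03T09:20:00,2125550111,2125554321,60
1999-11-03T10:00:00,2125550122,8005550001,5
1999-11-03T10:00:20,2125550122,8885550002,5
1999-11-03T10:00:40,2125550122,8775550003,5
1999-11-03T10:01:00,2125550122,8005550004,5
"""

# The toll-free SACs listed in section 8.2.1.
TOLL_FREE_NPAS = {"800", "888", "877"}


def parse_cdr(text):
    """Parse the constructed CDR text into (datetime, orig, dialed, secs)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, orig, dialed, secs = line.split(",")
        records.append((datetime.fromisoformat(ts), orig, dialed, int(secs)))
    return records


def sequential_runs(records, min_run=5, window=timedelta(minutes=10)):
    """Return {originating: longest run} for lines that dialed min_run or
    more consecutive numbers (each exactly one above the previous) with no
    more than `window` between successive calls."""
    by_orig = defaultdict(list)
    for ts, orig, dialed, _ in records:
        by_orig[orig].append((ts, dialed))
    flagged = {}
    for orig, calls in by_orig.items():
        calls.sort()  # chronological order per originating line
        best = run = 1
        for (prev_ts, prev_num), (ts, num) in zip(calls, calls[1:]):
            if int(num) == int(prev_num) + 1 and ts - prev_ts <= window:
                run += 1
            else:
                run = 1
            best = max(best, run)
        if best >= min_run:
            flagged[orig] = best
    return flagged


def toll_free_volume(records, max_calls=3, window=timedelta(minutes=10)):
    """Return {originating: count} for lines that placed more than max_calls
    toll-free calls inside any sliding window of length `window`."""
    by_orig = defaultdict(list)
    for ts, orig, dialed, _ in records:
        if dialed[:3] in TOLL_FREE_NPAS:
            by_orig[orig].append(ts)
    flagged = {}
    for orig, times in by_orig.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count > max_calls:
                flagged[orig] = max(flagged.get(orig, 0), count)
    return flagged


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    print("sequential dialing:", sequential_runs(recs))
    print("toll-free volume:  ", toll_free_volume(recs))
```

Randomized dialing order defeats the first check but not the second, which is
why the toll-free count is the more robust of the two; on real records the
thresholds would be tuned per exchange rather than fixed as they are here.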
13.3 Frequency scanning
13.3.1 Selecting a Scanner/Receiver
If you're new at scanning, and don't have a scanner, this is essential:
after all, in order to listen in, you're going to need a radio! One decent
place to get a scanner is Radio Shack. Avoid their cheaper models - you
want to get a scanner with at least 100 channels and 800mhz coverage (this
will be explained later). If you are buying at Radio Shack, wait for a
sale, as you will save a load of cash. A distinct advantage with buying
from Radio Shack is that you can return scanners within 30 days (with
receipt) and get your cash back, in the event that you don't like that
particular scanner.
With any scanner you buy new from RS, bear in mind that you're not going to
be able to receive cell, and there are no modifications available (by
federal law) that will make new scanners receive cell.
One can acquire more exotic receivers over the Internet. Generally, these
receivers are expensive, but you will get full frequency coverage
(including cellular). Some highly esteemed radios are the Yupiteru MVT-7100
and the AOR AR-8000.
13.3.2 What can I listen to?
Some of this hinges on your scanner. Pretty much every scanner around today
can receive standard 43mhz cordless phones. In addition to this, these
"standard" scanners will receive VHF and UHF communications. This typically
includes:
-Police
-Fire
-EMS
-Business Communications
-Ham Radio
If you have purchased a better receiver with 800mhz coverage, you might be
able to listen to:
-800mhz police/fire/ems transmissions
-900mhz analog cordless phones
-929mhz paging signals (will be covered later)
-Analog Cellphones (if you have an imported receiver - more on this later)
13.3.3 How do I listen to xxxxxx?
-43mhz (lowband) cordless phones
First of all, you need to know the 25 cordless phone channels. They are
listed at the end of this section. Program your scanner with these channels
and scan through them - you should start hearing people talking on the
phone. That's it, easy as that. A few troubleshooting tips for poor
reception:
-If it's a handheld scanner, try holding the scanner in your hand rather
than letting it sit on a table. Your arm will act as a ground for the
scanner (kinda like an antenna), enabling better reception.
-The "rubber ducky" antenna that came with your handheld scanner sucks for
receiving these types of signals. A quick and dirty fix is to take a long
(maybe 10-15ft) piece of wire, wrap it around the attached rubber ducky a
few times, and then tack it up onto the wall. Experiment with different
winding techniques and antenna placements for best results.
-Get a real antenna. The Radio Shack 9-section telescoping whip works great
for cordless reception. Just attach it to your scanner, extend it all the
way, and you're cooking with gas. This antenna should only run you about
$10.
-Police Transmissions (along with fire, ems, etc)
First of all, you need to know the frequency of the police department you
wish to monitor. These frequencies are generally public knowledge (i.e.
shouldn't be hard to find). First, browse through the Police Call books
found in Radio Shack - you will probably find the frequencies there.
Alternatively, check around the net for the correct frequencies. Sometimes
the people at RS might even know the frequencies themselves, or they might
know somebody who does.
Once you get the right frequency, program it into your scanner and you are
set.
13.3.4 Other Public Service and Business Communications
Maybe you want to listen to taxicabs, mall security, or maybe school buses.
First try looking through Police Call for the right frequency. If you have
no luck there, try the net - there are many frequency resource pages
around. If you're still coming up with nothing, try the FCC's Wireless
Telecommunications Bureau records search. It's slow and a pain in the ass
to use, but it has the frequency of EVERY licensed radio user in the USA.
Sometimes you just can't find the frequency you want: maybe it's not
listed, and those bastards aren't licensed, or maybe you want to monitor
one specific part of a large agency. Example: My local community college
has a little dinky police force who use radios for communication. Since
they are part of the county government, their frequencies are listed in the
FCC database only as being an agency of the county I live in. Since there
are a gazillion county agencies, all with radio frequencies licensed to
them, it would be impossible to know which frequencies they used. But not
all hope is lost yet. Enter the frequency counter. When somebody transmits,
all I have to do is get close enough to get a real strong signal into the
frequency counter, and voila! On the frequency counter's LCD display the
transmitting frequency will appear. This frequency will indicate the
general range of where one would look around to receive that agency's radio
traffic.
13.3.5 Cellular Telephones
Listening to cell can sometimes be very, very difficult. If your scanner is
old, it might receive cell out of the box. Some older scanners have
cellular frequencies blocked, but can be modified (read: screwdriver and
soldering iron) for cellular reception. Scanners sold in the US today,
however, simply can't tune into the cellular frequencies or be modified to
do so. But, you can still listen to cellular calls with your newer scanner.
Due to a particular scanner's design characteristics, it might receive
_image frequencies_ of cellular transmissions. For example, a cellular call
might take place on 870mhz. Now, since 870mhz is in the cellular band, it
will be blocked on my new scanner. But if I tune around 896mhz, I will
receive the cellular call. There are certain spots on some scanners where
cell traffic can be heard outside of the (blocked) cellular bands; you will
have to tune around to see if your scanner has this "bug", and where. This
is an advantage to buying from Radio Shack, as you can see if a particular
scanner can receive cellular image frequencies without risk of blowing $200
on a scanner that doesn't get cellular.
13.4 Digital Stuff
After using a scanner for a little while, tuning around, you will probably
notice lots of non-voice signals. Some of these signals contain digital
information which can be decoded with the help of your computer. Basically,
there are 3 types of digital data that can be decoded and is also of
interest to the phreaker.
13.4.1 The Discriminator Mod
In order to decode digital data with accuracy, a listener needs the raw
radio signal from the transmitter. Your scanner does some funky shit to the
signals it receives, which in the end, make voice signals sound much nicer.
These same circuits, which improve sound quality, wreak havoc on digital
signals. In order to get a clean signal, you will have to tap the
discriminator output of your scanner. Basically, this consists of
installing a new jack into your scanner and soldering 2 wires on the inside
of the scanner: one to ground, and one to the discriminator output. Believe
me, it's easier than it sounds. You can find a URL which gives the specific
points where you must tap the output and other information pertaining to
discriminator modifications at the end of this section.
13.4.2 POCSAG transmissions
POCSAG is the most widely used digital paging format. If you have a beeper,
it's probably using POCSAG. Most POCSAG signals are heard in the
929mhz-931mhz range and are VERY strong. Once you have performed the
discriminator mod on your scanner, simply connect the discriminator output
to your sound card line in jack. Then fire up your preferred POCSAG
decoding software and monitor who is getting paged. My personal favorite
program is POC32; it has a nice interface and provisions for labeling each
capcode (a capcode is a beeper's individual identification number; this
lets paging companies cram many pagers onto a single frequency) with an
alphanumeric tag. You can also search for specific phone numbers and/or
capcodes.
13.4.3 MDT transmissions
MDT stands for Mobile Data Terminal. MDTs are those terminal-like thingys
that are mounted in some cop cars. The cops assume that nobody has the
ability to monitor these transmissions, and so they are MUCH more
descriptive about what's going on with MDT messages. To decode MDTs, you
will need a scanner with a discriminator mod, and the appropriate software.
Fire up your scanner and tune it to an MDT frequency, and listen away.
Please note that there is only software (currently) for monitoring MDTs
using the Motorola MDC-4800 protocol, so if your cops aren't using
MDC-4800, you're out of luck.
13.5 Cellular phone data
It is possible to snag analog cellular ESN/MIN numbers off of the air as
they are transmitted by the cellular phone to the telco. This is a fairly
complex subject, and it requires a significant degree of technical skill.
Basically, one must build something called a Hamcomm interface to convert
the discriminator output into a format that a serial port can interpret.
Then, software such as Snarf can be used to decode the cellular data
streams into usable ESN/MIN numbers. The exact process involved, however,
is beyond the scope of this FAQ. More information on this can be accessed
through Brian Oblivion's Radiotelephony Archive.