"Optik surfer is not a hero!"

NeuroCactus Bulletin Number Six

- BLaDe - FRaCTaL iNSaNiTY - RiPMaX - DaTa KiNG -

[6.1] - Contents and Disclaimer

[6.1]  - Contents and Disclaimer ................... Fractal Insanity
[6.2]  - Neurocactus News ................. Fractal Insanity & Ripmax
[6.3]  - VoiceMail, The Final Frontier .... Fractal Insanity & Ripmax
[6.4]  - Crimes Act 1914: Electronic Crimes ........ Fractal Insanity
[6.5]  - Scanning PBX's ................................... Anonymous
[6.6]  - Perth Payphone Update ............................... Ripmax
[6.7]  - Canning for Dollars ............................. Bad Sector
[6.8]  - The Crunch Man ................................... Data King
[6.9]  - Cellular Reprogramming ........................... Data King
[6.10] - Greets and Contacting us .................. Neurocactus Team

Disclaimer: The content of this magazine (NC-006) is for informational purposes only and the articles described below cannot be condoned by NeuroCactus and NeuroCactus does not partake in any of the succeeding activities. The authors accept no responsibility for loss of friends, loss of freedom or loss of life due to the illegal use of the activities described beyond. We do NOT do ANYTHING ILLEGAL!!! If you think you have malicious intentions towards the law or any other establishment, please do not read this file.
This magazine in its electronic form can not be sold without prior permission from the authors. It also may not be spread via any sort of Public Domain, Shareware or CD-ROM package.

- [6.2] - NeuroCactus News - [6.2] -
- Written by Fractal Insanity and Ripmax -

Well where do we start? Welcome to Issue 6. Since the last issue a lot of stuff has been happening.

Busts! Well it seems to be a growing trend! Perth has had its share recently, all to do with VMB hacking though (LAME!) and also a few guys for Kiddie Porn (LAME!). Also we have seen what one Hacker with a Big Ego can do to the internet community with the recent AUSNET hack by OPTIC SURFER. There have been several people accused of being this weird person, whose handles won't be mentioned for obvious reasons.

In the other states, there are busts of a very high magnitude. Proff and Traxx are currently in legal proceedings for hacking and phreaking in the 80's and are now being accused of hacking the AFP and leaving a rather vile message telling the fedz to "Get off our backs". This rumor has not been substantiated as Proff, wisely I might add, does not want to comment over the net or phone... By hearsay, Proff is looking at oZ's largest sentence yet with regards to computer crimes.

For all you people who are VERY behind the times, Captain Crunch was in oZ and has visited all the states. By the way, later in this issue we have some humorous information about his tour.

Also with all the official specs on cable / microwave tv being released, expect all the info we can get within the next episode or two. Hopefully with some work NC can discover how to scam oZ cable cheaply and effectively.
Unofficially, DS][ has a data tap on the line and this information is based solely on rumor and some security incidents which have occurred. As a precaution, use PGP on vital messages unless you want to send the fedz on a wild goose chase (heheheheheh).

Scene wise, Perth has been in a slump with very little activity BBS wise or action-wise. It appears that Perth is in a recession in regards to knowledge... We haven't seen any new up-comers that show that 'knack' to become a successful AFP hurter.

There also has been a change to the Neurocactus membership. Data King has joined the ranks after a debut with some interesting articles, and a humorous stint... Also Grudge has resigned his commission along with Dataphobia.

So read on and enjoy this issue. Remember, information is power.

- [6.3] - VoiceMail... the Next Generation - [6.3] -
- Written by Fractal Insanity and Ripmax -

Commanders log, stardate 1800022999.4237. We are currently en-route to a secret meeting between Admiral T. Pick and Captain Ripmax. I am trying to organise the ship while we are still cruising the BHP steel hotline system, to try to hack some of the remaining boxes left behind after the destruction of the starship HARDCORE DESIGN. Consequently, we found the ship's captain, Unique-oNE, in a jettisoned escape pod and have put him to work fixing the chicken soup dispenser.

ABOARD THE R2

"Thanks for saving me guys, a few minutes longer and they would have got me", cried the Unique-one.

"Who would have 'got' you Unique-one?", asked Commander FRaC.

"I think his name was Captain Buttner aboard the fed class starship the UNDERCOVER!", squealed Unique-one.

"Captain, we have numerous fed class starships approaching from all directions!", shouted Ensign Grudge frantically.

"Captain, alert intruders have beamed onboard", yelled Commander FRaC.

"Fire at will, crew", screamed Captain Ripmax.

"Warp factor 9, Officer Blade. Get us out of here and cover our tracks", ordered Captain Ripmax.

ABOARD THE FLAGSHIP 2600

"Captain Ripmax please step forward onto the stage", called Fleet Admiral Theodore Pick.

"Ripmax, we recognise that you have been a long time scene member and have brought many young officers into the ranks of the UFNC. And we also realise that you have served NC and the whole HPA universe with your BBS, through thick and thin.", said a very enthusiastic Admiral Pick.

"Well I don't really know what to say! Ummm do I get a pay rise or something?", questioned Captain Ripmax.

"Yes, I think you do Captain... On behalf of Neurocactus oZ, you are hereby promoted to the rank of Admiral to accept all privileges and responsibilities from hereafter", said Admiral Pick.

"You are now in command charge of the R2 and the LSD. Your first officer aboard the R2 who is not present will receive promotion to captain upon your return to the vessel", exclaimed Admiral Pick.

"But sir, what is the LSD?", asked a confused Ripmax.

"The LSD is a new ship to be commissioned for the next generation of scene members, the crew is being assembled as we speak, it is your job to pick a fine crew that will be able to take on the Missing Link with its new technology like SxS, Crossbar and ARE", mentioned Admiral Pick.

"I would like you all to have a minute's silence for the brave Ensign Grudge, who died fighting against the enemies of UFNC"

- [6.4] - Crimes Act 1914: Electronic Crimes - [6.4] -
- Written by Fractal Insanity -

CRIMES ACT 1914 - Part VIA

SECTION 76A

(1) In this Part, unless the contrary intention appears:

    "carrier" means:
        (a) a general carrier within the meaning of the Telecommunications Act 1994; or
        (b) a mobile carrier within the meaning of that Act; or
        (c) a person who supplies eligible services within the meaning of that Act under a class licence issued under section 209 of that Act;

    "Commonwealth" includes a public authority under the Commonwealth;

    "Commonwealth computer" means a computer, a computer system or a part of a computer system, owned, leased or operated by the Commonwealth;

    "data" includes information, a computer program or part of a computer program.

(2) In this Part:
    (a) a reference to data stored in a computer includes a reference to data entered or copied into a computer; and
    (b) a reference to data stored on behalf of the Commonwealth in the computer includes a reference to:
        (i) data stored in the computer at the direction or request of the Commonwealth; and
        (ii) data supplied by the Commonwealth that is stored in the computer under, or in the course of performing, a contract with the Commonwealth.

SECTION 76B

(1) A person who intentionally and without authority obtains access to:
    (a) data stored in a Commonwealth computer; or
    (b) data stored on behalf of the Commonwealth in a computer that is not a Commonwealth computer;
    is guilty of an offence.
    Penalty: Imprisonment for 6 months

(2) A person who:
    (a) with intent to defraud any person and without authority obtains access to data stored in a Commonwealth computer, or to data stored on behalf of the Commonwealth in a computer that is not a Commonwealth computer; or
    (b) intentionally and without authority obtains access to data stored in a Commonwealth computer, or to data stored on behalf of the Commonwealth in a computer that is not a Commonwealth computer, being data that the person knows or ought reasonably to know relates to:
        (i) the security, defence or international relations of Australia;
        (ii) the existence or identity of a confidential source of information relating to the enforcement of a criminal law of the Commonwealth or of a State or Territory;
        (iii) the enforcement of a law of the Commonwealth or of a State or Territory;
        (iv) the protection of public safety;
        (v) the personal affairs of any person;
        (vi) trade secrets;
        (vii) records of a financial institution; or
        (viii) commercial information the disclosure of which could cause advantage or disadvantage to any person.
    is guilty of an offence.

    Penalty: Imprisonment for 2 years

(3) A person who:
    (a) has intentionally and without authority obtained access to data stored in a Commonwealth computer, or to data stored on behalf of the Commonwealth in a computer that is not a Commonwealth computer;
    (b) after examining part of that data, knows or ought reasonably to know that the part of the data which the person examined relates wholly or partly to any of the matters referred to in paragraph (2) (b); and
    (c) continues to examine that data;
    is guilty of an offence.
    Penalty for a contravention of this subsection: Imprisonment for 2 years

SECTION 76C

A person who intentionally and without authority or lawful excuse:
    (a) destroys, erases or alters data stored in, or inserts data into a Commonwealth computer;
    (b) interferes with, or interrupts or obstructs the lawful use of, a Commonwealth computer;
    (c) destroys, erases, alters or adds data stored on behalf of the Commonwealth in a computer that is not a Commonwealth computer; or
    (d) impedes or prevents access to, or impairs the usefulness or effectiveness of, data stored in a Commonwealth computer or data stored on behalf of the Commonwealth in a computer that is not a Commonwealth computer;
    is guilty of an offence.

    Penalty: Imprisonment for 10 years

SECTION 76D

(1) A person who, by means of a facility operated or provided by the Commonwealth or by a carrier, intentionally and without authority obtains access to data stored in a computer, is guilty of an offence.

    Penalty: Imprisonment for 6 months

(2) A person who:
    (a) by means of a facility operated or provided by the Commonwealth or by a carrier, with intent to defraud any person and without authority obtains access to data stored in a computer; or
    (b) by means of such a facility, intentionally and without authority obtains access to data stored in a computer, being data that the person knows or ought reasonably to know relates to:
        (i) the security, defence or international relations of Australia;
        (ii) the existence or identity of a confidential source of information relating to the enforcement of a criminal law of the Commonwealth or of a State or Territory;
        (iii) the enforcement of a law of the Commonwealth or of a State or Territory;
        (iv) the protection of public safety;
        (v) the personal affairs of any person;
        (vi) trade secrets;
        (vii) records of a financial institution; or
        (viii) commercial information the disclosure of which could cause advantage or disadvantage to any person.
    is guilty of an offence.

    Penalty: Imprisonment for 2 years

(3) A person who:
    (a) by means of a facility operated or provided by the Commonwealth or by a carrier, has intentionally and without authority obtained access to data stored in a computer;
    (b) after examining part of that data, knows or ought reasonably to know that the part of the data which the person examined relates wholly or partly to any of the matters referred to in paragraph (2) (b); and
    (c) continues to examine that data;
    is guilty of an offence.

    Penalty for a contravention of this subsection: Imprisonment for 2 years

SECTION 76E

A person who, by means of a facility operated or provided by the Commonwealth or by a carrier, intentionally and without authority or lawful excuse:
    (a) destroys, erases or alters data stored in, or inserts data into a computer;
    (b) interferes with, or interrupts or obstructs the lawful use of, a computer;
    (c) impedes or prevents access to, or impairs the usefulness or effectiveness of, data stored in a computer;
    is guilty of an offence.

    Penalty: Imprisonment for 10 years

- [6.5] - Scanning PBX's - [6.5] -
- Written by Anonymous Author -

The Author of this article has now left the scene, and would like to sever all ties with it. Given this, this article has now become the intellectual property of NeuroCactus (with the author's consent). Nuff Said.

What is a PBX?
--------------

A PBX comes in many varieties. There are ones with codes, ones without codes. There are automated front ends on some of them, and some are just a back door into a company's phone system.

There are two ways to hack a PBX. The first is to dial into it by modem and re-program it. The other way is to brute force it by dialling into the front-end.
I will mainly deal with hacking the front end. When you dial a front-end of a PBX, you'll either get some variant of a dial-tone, or something like 'Please enter the extension number and press pound'.

Code based PBX's
----------------

A code-based PBX is normally one where you dial a number, get a dial-tone, then dial a code of a specific length (normally 4-6 digits). Then you dial the number you want and bingo! If you want more info on this type of PBX, check out a code-hacking proggy such as CodeTheif.

Automated front ends
--------------------

Again, rather basic. All you need do with these is scan out all the extensions on it. Also, try combinations including *, # & 0 first. You'll be looking for voice-mail, dial tones & carriers. If you get a carrier, it may just be a dial-in to hack the PBX using your modem. This is common for PBX's such as IBM's ROLM and Nortel's MERIDIAN, as well as ASPEN's that are connected to a switch (PBX).

Back door, front-ends (BDFE)
----------------------------

Ok, this brings me to the main part of this file. Back-door type PBX's, with a dial-tone based front-end. These are the type I love, and you can find all sorts of shit on them.

Hacking a BDFE PBX requires a brute-force method, that is, dialling it repetitively, belting different combinations of DTMF (touch-tones) at it each time you ring.

On BDFE PBX's, there are certain messages you get from 'em, in the form of tones, such as a ring or busy tone. This can vary greatly but on the majority of them, it is rather straightforward.

Usually, when you pick up the phone, and start dialling, you will get a 'busy' tone if you stop dialling before you give the exchange enough digits. Well, this is also the case with a BDFE PBX. If you haven't dialled enough digits, you'll get (after a pause) a busy signal.

Again, when you pick up the phone normally, and dial a disconnected number, you get a message saying that the number is wrong.
Well, this is also the case with BDFE PBX's, except instead of the message, you normally get an error tone, normally something like ....

There are other things you can get on a BDFE PBX. Things such as a dial-tone (no shit) on an extension. When you get a dial-tone, it can be one of 3 things: loopback, sub-PBX or fake.

A loopback dialtone will loop back to the beginning again, so say you rung a PBX and dialled *0 to get a loopback dialtone. At the second dialtone you can again dial *0 to get the same dialtone again, ad infinitum. The dialtone on a loopback is normally the same as the original dialtone, but don't take that literally - there are always exceptions to the rule.

A sub-PBX dialtone could be one of two things again. It could be a code-based PBX, or it could be yet another BDFE PBX.

A fake dialtone won't accept tones at all. I am yet to discover what the deep and inner meaning behind these are, other than pointless. (any suggestions are welcome).

Ok, now you got the basics, let's go to the important bit.

Scanning/Hacking BDFE PBX's
---------------------------

This normally takes fucking ages. Bad luck, you wanna phreak right?

To hack a BDFE PBX, I suggest you find a good text editor that makes good use of the enter, tab and cursor keys. MS-DOS Editor I have found also need a phone with big buttons, a comfortable handset and at least one programmable memory button. Program the number of the BDFE PBX into the memory button, along with a code if it costs money to call it.

Now, what you're going to need to do is dial the PBX over and over again, trying patterns of numbers, incremented slightly each time you call. The best way for me to explain this is with a case study.

Ok, we've got an imaginary PBX, with the phone number 1-800-IMA-HACKER (Compliments of *****).

Ok dial the number, you get a dialtone. Hit 0. You get an error tone. Write this down, eg:

-- SCAN.TXT --
0 err
----

Hang up & ring back. This time hit a 9. Nothing happens, silence.
Hit another number, 0. You get an error. so...

-- SCAN.TXT --
0 err
9; 0 err
----

Ok, we're gonna check out the rest of the 9X range. Ring back, belt 9, then another number, 9. You get an error. so...

-- SCAN.TXT --
0 err
9; 0 err
   9 err
----

Ring back, belt 9, 1. error.

-- SCAN.TXT --
0 err
9; 0 err
   9 err
   1 err
----

Ring back, belt 9, 2. It starts ringing. Joe Blow picks up the phone.

-- SCAN.TXT --
0 err
9; 0 err
   9 err
   1 err
   2 Joe Blow's Extension
----

Ring back, belt 9, 3. error.

-- SCAN.TXT --
0 err
9; 0 err
   9 err
   1 err
   2 Joe Blow's Extension
   3 err
----

Ring back, belt 9, 4. Nothing but silence. After a while you get a busy so it wants another digit. so...

-- SCAN.TXT --
0 err
9; 0 err
   9 err
   1 err
   2 Joe Blow's Extension
   3 err
   4;
----

Notice the semi-colons? They mean there are more digits needed.

Ring back, belt 9, 4, 0. Dialtone.

-- SCAN.TXT --
0 err
9; 0 err
   9 err
   1 err
   2 Joe Blow's Extension
   3 err
   4; 0 Dialtone
----

Ok, while you're still on the phone, belt another tone at it. Nothing happens, the dialtone still remains, belt lots a tones. Nothing. Obviously a dead tone. Let's skip the 9, 4, X bit for now and continue onto 9, 5.

-- SCAN.TXT --
0 err
9; 0 err
   9 err
   1 err
   2 Joe Blow's Extension
   3 err
   4; 0 Dead Dial
----

Ring back, belt 9, 5. Dialtone. so...

-- SCAN.TXT --
0 err
9; 0 err
   9 err
   1 err
   2 Joe Blow's Extension
   3 err
   4; 0 Dead Dial
   5 Dial
----

belt 0. error. so...

-- SCAN.TXT --
0 err
9; 0 err
   9 err
   1 err
   2 Joe Blow's Extension
   3 err
   4; 0 Dead Dial
   5; 0 err
----

Ring back, belt 9, 5, 9. 0. Error again. Seems similar to the first dialtone. Ring back, try Joe Blow's extension. So belt 9, 5, 9, 5 for a dialtone, then hit 9, 5, 9, 2. You get Joe Blow. So...

-- SCAN.TXT --
0 err
9; 0 err
   9 err
   1 err
   2 Joe Blow's Extension
   3 err
   4; 0 Dead Dial
   5; 0 err
      9 loopback
----

Get the picture? I'll finish off the scan list.

-- SCAN.TXT --
0 err
9; 0 err
. 9 err
. 1 err
. 2 Joe Blow's Extension
. 3 err
. 4; 0 Dead Dial
. . 9 err
. . 1 err
. . 2 err
. . 3 err
. . 4; 0 Dead Dial
. . 9 dialout (accepts 1-800-XXX-XXX only)
. . 1 err
. . 2 err
. . 3 err
. . 4 err
. . 5 err
. . 6 err
. . 7 err
. . 8 err
. . * busy
. . # busy
. 5 err
. 6 err
. 7 err
. 8 err
. * err
. # err
. 5; 0 err
. 9 loopback
. 1 err
. 2 err
. 3 operator
. 4 operator
. 5 err
. 6 operator
. 7 err
. 8 err
. * busy
. # busy
. 6; 0 err
. 9; 0; 0; (Dial 6-900-XXX-XXX for 1-900-XXX-XXX)
. . 9 err
. . 1 err
. . 2 err
. . 3 err
. . 4 err
. . 5 err
. . 6 err
. . 7 err
. . 8 err
. . * busy
. . # busy
. . 9 err
. . 1 err
. . 2 err
. . 3 err
. . 4 err
. . 5 err
. . 6 err
. . 7 err
. . 8 err
. . * busy
. . # busy
. 1 err
. 2 err
. 3 err
. 4 err
. 5 err
. 6 err
. 7 err
. 8 err
. * busy
. # busy
. 7 err
. 8 'Please enter the mail-box number, and press
.   hash'. Voicemail system, default=1234.
. *; Dial tone
. 0 err
. 9 err
. 1; 0 err
. . 9 err
. . 1; 0 err
. . 9 err
. . 1; 0 err
. . 9 err
. . 1 Modem - Looks like PBX dial-in
. . 2 err
. . 3 err
. . 4 err
. . 5 err
. . 6 err
. . 7 err
. . 8 err
. . * err
. . # err
. . 2 err
. . 3 err
. . 4 err
. . 5 err
. . 6 err
. . 7 err
. . 8 err
. . * busy
. . # busy
. . 2 err
. . 3 err
. . 4 err
. . 5 err
. . 6 err
. . 7 err
. . 8 err
. . * busy
. . # busy
. 2 err
. 3 err
. 4 err
. 5 err
. 6 err
. 7 err
. 8 err
. * busy
. # busy
. # Operator
1 err
2 err
3 err
4 'Please enter the mailbox number, and press hash' - Voicemail
5 err
6 err
7 err
8 err
* Operator
# Operator
----

Ok, so this PBX has now been scanned out. Here's a list of what was found.

Dial       For
92         Joe Blow's Extension
94         Fake/Dead Dialtone
9440       Fake/Dead Dialtone
9449       Dialout to 1-800-XXX-XXX
959        Loopback to beginning
953        Operator/Switch Board
954        Operator/Switch Board
956        Operator/Switch Board
96900...   For 1-900-XXX-XXX
98         For Voicemail - Default = 1234
9*,1111    For PBX Dial-In
9#         Operator/Switch Board
4          For Voicemail - Default = 1234
*          Operator
#          Operator

It's as simple as that. Oh, and use common sense when doing this shit, that way, you'll find a hell of a lot more.
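Seen from the PBX owner's side, the scan in this article leaves a distinctive trail: one caller ringing the front end again and again within minutes, sending a different digit string each time, mostly ending in an error or busy tone. The following is an added example, not part of the original magazine, that flags that pattern in call records; the record layout, field names and thresholds are assumptions made for the example, and the sample records are constructed.

```python
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

# Hypothetical record layout for this example (not a real PBX's call-record
# format): time, caller id, line dialled, seconds, DTMF digits sent, outcome.
Call = namedtuple("Call", "ts caller line secs digits result")

# Outcomes the article reports for a wrong or incomplete guess.
FAILED = {"error_tone", "busy"}

# Constructed sample data. Caller A walks the 9X range in a few minutes,
# caller B reaches one extension twice in a day, and one line is damaged.
SAMPLE_LOG = """\
1995-03-01T22:00:05,A,frontend,12,0,error_tone
1995-03-01T22:00:41,A,frontend,14,90,error_tone
1995-03-01T22:01:15,A,frontend,13,99,error_tone
1995-03-01T22:01:50,A,frontend,12,91,error_tone
1995-03-01T22:02:30,A,frontend,25,92,ring
1995-03-01T22:03:10,A,frontend,13,93,error_tone
1995-03-01T22:03:55,A,frontend,30,94,busy
1995-03-01T22:04:40,A,frontend,20,940,dialtone
1995-03-01T22:05:20,A,frontend,18,95,dialtone
1995-03-01T09:10:00,B,frontend,180,92,ring
1995-03-01T14:30:00,B,frontend,240,92,ring
this line is damaged and must be skipped
"""


def parse_records(text):
    """Parse comma-separated call records, skipping malformed lines."""
    calls = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            secs = int(parts[3])
        except ValueError:
            continue
        calls.append(Call(ts, parts[1], parts[2], secs, parts[4], parts[5]))
    return calls


def find_scanners(calls, window=timedelta(minutes=30),
                  min_distinct=6, min_fail_ratio=0.6):
    """Return {(caller, line): evidence} for bursts that look like a scan.

    A burst is flagged when, inside one time window, a caller sends many
    different digit strings to the same line and most of them fail.
    Where caller id is withheld, group by line alone instead.
    """
    by_source = defaultdict(list)
    for call in calls:
        by_source[(call.caller, call.line)].append(call)

    findings = {}
    for source, seq in by_source.items():
        seq.sort(key=lambda c: c.ts)
        # Pick the window holding the most distinct digit strings.
        best_burst, best_distinct = [], set()
        for i, first in enumerate(seq):
            burst = [c for c in seq[i:] if c.ts - first.ts <= window]
            distinct = {c.digits for c in burst}
            if len(distinct) > len(best_distinct):
                best_burst, best_distinct = burst, distinct
        if len(best_distinct) < min_distinct:
            continue
        failed = sum(c.result in FAILED for c in best_burst)
        fail_ratio = failed / len(best_burst)
        if fail_ratio < min_fail_ratio:
            continue
        # Enumeration signature: many guesses sharing a prefix and
        # differing only in the last digit (90, 99, 91, 92, ...).
        parents = Counter(d[:-1] for d in best_distinct if d)
        prefix, siblings = parents.most_common(1)[0]
        findings[source] = {
            "calls": len(best_burst),
            "distinct": len(best_distinct),
            "fail_ratio": round(fail_ratio, 2),
            "walked_prefix": prefix,
            "siblings": siblings,
            # Digit strings that did connect: the exposure to review.
            "answered": sorted(c.digits for c in best_burst
                               if c.result not in FAILED),
        }
    return findings


if __name__ == "__main__":
    for source, evidence in find_scanners(parse_records(SAMPLE_LOG)).items():
        print(source, evidence)
```

The `answered` entries are the extensions and features the scan reached, which is the list to review for the weaknesses the article's summary shows, such as default voicemail passwords and dial-out.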
- [6.6] - Perth Payphone Update - [6.6] -
- Written by Ripmax -

Ok people here's a few more payphones in West Australia which those of you who know what they are for will appreciate. I also grabbed a South Australia number on my recent journey to South Australia. All new numbers for this issue are marked with a *. We'll continue to bring you more numbers in future issues.

West Australia
~~~~~~~~~~~~~~
  09-490-3530 Telecom Payphone Gosnells Shopping Centre Carpark, Ashburton Road, Gosnells
  09-322-4510 Telecom Payphone 1 Murry St Perth (Opposite Fast Eddies/Zone3) 321-061P2
  09-322-4512 Telecom Card Phone 2 Murry St Perth (Opposite Fast Eddies/Zone3) 321-060S2
  09-339-8054 Private Blue Phone Action Food Barns East Fremantle Foyer
  09-300-0419 Telecom Payphone 1 (Closest to Ticket Counter) Joondalup Train Station
  09-300-0417 Telecom Payphone 2 Joondalup Train Station
  09-276-7645 Cant Remember Morley Area
* 09-384-7799 Telecom Payphone Outside Red Rooster at Robinson Pavillion, Perth Royal Show
* 09-221-3427 Telecom Payphone Outside Sinatras Pub, Perth Train Station
* 09-221-2748 Telecom Payphone Next to vending Machine at Perth Train Station Main Platform
* 09-325-8686 Telecom Payphone Hay St Mall (Cinema City End)
* 09-221-5886 Telecom Payphone Hay St Mall (Opposite Hoyts Cinema)
* 09-316-2160 Telecom Payphone Garden City Shopping Centre (Food Hall)
* 09-339-5277 Telecom Payphone Outside Red Rooster in East Fremantle

South Australia
~~~~~~~~~~~~~~~
* 08-642-3447 Private Blue Phone BP Port Augusta (The Right One)

- [6.7] - Canning for Dollars - [6.7] -
- Written by Bad Sector -
Ok, cans are almost always on exposed areas next to roads, no buts about it. This is because they are easily spotted and a piece of veritable piss to phreak off once in.

Equipment:
1 - Telecom Can Key or facsimile
2 - Hex wrench or Crescent (Adjustable wrench)

Ok cans come in a few varieties, most common are 1 meter high or so cans, there are also 1.5 meter monsters with handles to lift off the cylinder. Frac states that hardly any are pressurised anymore and that telco probably never bother chasing down depressurizations on cans, as they have a small alarm switch, so you are basically safe as houses, well maybe.

[Diagram: a can. Labels: "Lid with keyhole"; "Cylinder, grey in color"; "Bit like a telco key."]

Locate a can that is in a well hidden spot, bit of a search but worth finding. I suggest a small one as they are easier to handle. Use your telco key or a fake to turn the can lid lock and take the lid off. Then with the hex wrench or adjustable spanner just unscrew the big nut while holding the cylinder down, as it may fly up when depressurized.

Ok, once in then you will see a number of racks of terminals, bit like pie segments all around the can. Rack diagram may be a bit incorrect.

[Diagram: a rack, front view and top view. Labels: "Subscriber terminals"; "Metal spacers are also thoughtfully provided :) Same sorta shape."]

Simple really, hook up your alligator clips to the correct terminals. They are arranged horizontally I think. You might be able to listen to people chatting etc. depending on the hour, but according to all intelligence people most phone conversations are dead boring so don't bother.
The disadvantage of cans is they are usually almost next to a road and are a bit difficult to reassemble in a hurry as the NC crew found, but there is no chopping/damage involved so your chances of detection are minimal. Remember some poor suck picks up the bill for your calls so always use different pits and cans for safety, as they WILL complain to Telco about that $90 phone call to Upper Tanzania, and telco will probably check there first. Ok, that concludes the canning/pitting tutorial I guess. I've been as accurate as memory serves, no doubt I've made mistakes, but I don't take tape measures into pits and cans. I know there is new information there for ya all. :) ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ - [6.8] - The Crunch Man - [6.8] - - Written by Data King - ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ 26 hundred I found how to blow With a toy whistle dont you know Now I live by my reputation Treated like a God by every nation These days even my radio confuses me Its probably from all this L S D Cum, cum and do the crunchman with me It's the kewlest dance you ever will see A step to the left, a shimmy to the right I could dance like this all fuqing night I hear that dewd FRaC from the land down under Is pissed coz my smell made his mum chunder I'm too kewl to keep myself clean I wash only after sex and not in between Wont you be my friend, be my pal Bend over and let me learn your anus well I meet someone and demand gimme a socket, gimme a fone I gotta check my mail, a guy might want to suck my bone I'm unique, I'm definitely one of a kind For some reason the doctors say I'm outta my mind It could be the drugz, don't you see I've been high since nineteen seventy three Let me tune you up, no no do as I say If your really good we'll have sex all day With FRaC I went raving, thats the guy from WA But that stoopid club, they 
wouldn't let me stay They said I couldn't get naked out on the floor When I did, the bouncer threw me out the door I'll sue them, I'll take them down Don't they know I'm the Kewlest in town I met the man himself, Ripmax is his name At his house where Amber babe said I was lame There is this dewd, Deicidal was his nick I didn't get him, damn I wanted his prick Down in Old Melbourne Town Slogic I did meet He talked tech, his body, Oh boy, what a treat I lie on the floor with my hand up my ass Sucking on some guys dick, oh man what class Now I'm back in the good old usa Its just not fair they wouldnt let me stay Some day I want to go back Coz those dewds over there, boy they can hack Their so kewl and know their stuff, I'm in awe Please explain why they showed me the door I'm a druggie, a raver, a pedophile I guess those dewds didn't like my style If your young and male, call my 1-800 Then I can fuq you over, so you'll look one hundred I'm The Crunchman, and I'm no fewl Let me teach you how to be so kewl ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ - [6.9] - Cellular Reprogramming - [6.9] - - Written by Data King - ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ ÀÅÙ In the Australian Scene there has been quite a bit of interest recently in Cellular Telephones. There is a lot of confusion and mis-information out there on this subject. What follows is the result of quite a bit of work, by myself and several other people, We did this not for any illegal purpose, but purely in an effort to proove Telecom wrong and show that it is possible. Usage of Cellular Telephones ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I do not condone or encourage any person, living or dead, to use the information contained with in this article for any illegal purpose. 
(See NeuroCactus Main Disclaimer) If you are considering reprogramming a cellular phone with another persons details and then fraudulently calling your friends all over the world, forget it! Every number you call will show up in their records as well as the cellular cell that you called from and any subsequent cells you moved to. You will get caught, don't do it. Equipment Used ~~~~~~~~~~~~~~ The following equipment is a list of the equipment that I have personally used to reprogram a Motorola Bag Fone. 1 x Motorola Bag Fone 1 x Reprogramming Cable (See next Section) 1 x Mot911 Software (Motorola V9.11 Reprogramming SW) 1 x 386sx 16 PC running MS-DOS 1 x 9 Volt DC Powerpack (I used a Smart2 500mA Regulated Unit) 1 x Pre 9122 Motorola EPROM (I used v9023 of the EPROM) Building a Reprogramming Cable ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A reprogramming cable is not difficult to make, I used the following components: 1 x Male D Connector (25 Pin) 1 x Female D Connector (25 Pin) 2 x D Shells (25 Pin) 1 x 30cm of 9 Core Cable 3 x Short Pieces of Insulated Wire. 1 x Power Connector Lead (Female Version of the connector on the Power Supply) The diagram of the cable I used is slightly different to what is commonly available on the net: Computer Transceiver Printer Port Port (Male DB 25) (Female DB 25) 3 ------------ (-9 Volt Supply) 4 -\ 5 -------------(+9 Volt Supply) 1 --------------- 18 2 --------------- 21 /- 3 | 4 --------------- 1 | 12 --------------- 12 | 13 --------------- 11 \- 14 --------------- 17 17 --------------- 20 18 --------------- 14--\ 20 --------------- 23--/ Once I had everything correctly assembled, I spent sometime testing the connections, as my computer wouldnt like 9 volts pumped into its printer port. 
Hardware Modifications
~~~~~~~~~~~~~~~~~~~~~~

With this type of transceiver there is no need for any fancy modifications to the unit, although my phone had a post 9122 EPROM so I had to find and burn an earlier version of the EPROM. This was not a difficult task as the unit uses a standard 27c512, which I obtained from my local electronics shop.

To identify what version of the ROM I had in the phone, I hooked everything up and then had the MOT911 software read the unit. The software reported that my ROM version was post 9122, so I had to change the ROM.

This then presented me with a problem to solve: getting the cover off of the unit. As I didn't have the correct driver for the screw, I simply drilled the heads off of the screws with a power drill on the low speed setting. The cover then lifted straight off, allowing me access to the circuit board. To reattach the cover, I went through my screw drawer and found some screws with the same thread, removed the headless screws from the base and screwed the lid back on using the new screws.

Interestingly enough, once the unit had been reprogrammed I found that I could remove the 9023 version of the ROM and put the post 9122 version back in and the unit continued to operate correctly.

Reprogramming
~~~~~~~~~~~~~

Now that I had everything correctly set, it was time to attempt to reprogram the phone, so I connected it all up and started the Motorola software on my PC. I followed the instructions and then selected the last option from the type of fone to reprogram (any black/silver box). The program read the NAM details from the phone and displayed them on the screen, but it wouldn't allow me to edit any of the options. Interesting, I thought to myself, and then I remembered that the earlier version of the program had a batch file to start the program.
I got the old version and unzipped it, then viewed the batch file. It contained a single line:

    MOTOROLA /NAM /ESN /NVR /LPT1 /E7

Using these command line options allowed the software to go into edit mode and I could now edit all of the fields displayed on the screen.

/NAM  - Allow edit of the NAM table
/ESN  - Allow edit of the ESN details
/NVR  - Non Volatile RAM Clearing
/LPT1 - Use parallel port number 1
/E7   - I believe this to be which IRQ the parallel port is on, but I am not certain.

Before going into what I did to reprogram the unit, I will first briefly explain some of the terms and also give examples of the common settings for them. Not having any technical manuals from Australian Cellular Carriers has meant that I have had to gather this information from trial and error based on what people overseas have done or have found from their cellular carriers.

ESN: Electronic Serial Number

This is what they use to identify whether a unit is stolen or not. There should never be more than one phone with the same ESN. Each ESN is unique. The ESN is represented by a hexadecimal number. The first two digits of the ESN represent the manufacturer of that phone. This is a complete list of all the manufacturers and their codes that I currently know.
Company            Decimal  Hex
AudioVox           138      8A  (Toshiba)
Alpine             150      96
Antel              146      92
Antel              175      AF
ARA                146      92
AstroTEL           129      81  (Oki)
AT&T               132      84  (Hitachi)
AT&T               129      81  (Oki)
Cellquest          174      AE
Clarion            140      8C
CM Telecom         153      99
Colt               174      AE
DiamonTel          134      86
Ericsson           143      8F
General Electric   146      92
General Electric   134      86  (Mitsubishi)
General Electric   157      9D
Goldstar           141      8D
Hitachi            132      84
Infa               152      98
MEI                167      A7
Mitsubishi         134      86
Mobira             156      9C
Motorola           130      82
NEC                135      87
Nokia              165      A5
Nokia              142      8E
Novatel            142      8E
Oki                129      81
Panasonic          136      88
Pioneer            130      82  (Motorola)
Quantum            176      B0
Radio Shack        165      A5
Radio Shack        172      AC  (Uniden)
Sanyo              175      AF
Shintom            174      AE
Sony               154      9A
Sun Moon Star      178      B2
Technophone        162      A5
Uniden             172      AC
Walker             162      A5  (Technophone)

You will notice that in this list there are several manufacturers who have the same number. This is due to one company badge engineering another company's phones. If I know which is the true manufacturer of the unit I have put their name in brackets after the hex code.

MIN: Mobile Identification Number

This is the telephone number of the phone, BUT it is not exactly the same as the number you know for your phone; the actual area code part of this field is represented differently. In Australia we currently have 3 area codes for analog mobile phones: 015, 018, & 019. The machine versions of these numbers are 5050, 5060, and 5070. So for example if my telephone number was 018-123-456, in the MIN field it would be entered as 5050-123-456. 5050 is the equivalent of 018 and not 015 due to the order of use of the mobile prefixes. 018 was the first to be used, hence the 5050 number is its machine representation, followed by 015 (5060) and then 019 (5070).

SIDH: System Identification (for) Home System

This is a five digit number that is provided by the carrier.
The last digit should match the Preferred System Mark (0 or 1).

AOIC: Access Overload Class

This is not used like it was designed to be, but its purpose is to allow the system to decide who should be dropped in an overload situation. Usually the last number of your phone number preceded by a 0. In America, 15 in this field identifies your phone as Military/Police and your phone is the last to be dropped in an overload situation. I am still trying to find out if here in Australia there is an equivalent of 15. I suspect if there is it may be 01, as this seems to give the clearest and least number of "drop outs".

PS: Preferred System

A single digit that determines which set of channels the mobile scans: the A system (Channels 1-333) or the B system (334-666). This should match the last digit of the SIDH.

SCM: Station Class Mark

This 4 bit binary field specifies the power output, number of channels, and vox capabilities of the unit. Some of the common settings are:

                  Number of  Power
Binary  Decimal   Channels   Output  Vox
0000    00        666        3.0     NO
0010    02        666        0.6     NO
0100    04        666        3.0     YES
0110    06        666        0.6     YES
1000    08        832        3.0     NO
1010    10        832        0.6     NO
1100    12        832        3.0     YES
1110    14        832        0.6     YES

The power output is measured in watts. Generally your in-car phones are 3 watts and your hand helds are 0.6 watts. This is what makes Motorola bag phones so attractive: they are portable, and they are 3 watts.

The part of the reprogramming procedure that is of most interest was changing the phone to look like another. As I did not want to do anything illegal, I wrote down the current ESN & MIN and then replaced them with garbage numbers. Once I had done this, I pressed escape to tell the software I had finished changes. At this point it is VITAL that nothing prevents the software from completing its calculations and writing to the phone. If such an interruption were to occur, then the phone would end up with bad data stored in its table, and will not work.
This happened to me several times, and I found that there is no permanent damage: if you correct the fields that are corrupt and write everything out to the phone successfully then everything will be ok.

Once this step had completed, the software asked me several questions about altering defaults and clearing the NVR. As this was not to be a permanent change I left them as they were. After the above questions were answered, the software disconnects itself from the phone and informs you that you can now remove the phone from the programming adapter.

I now had a reprogrammed phone; however, I had no way to test it as the information contained in it was deliberately bogus, so I repeated the programming steps above, this time removing the bogus data, and in its place entering the correct details that I had written down earlier. After completion of the programming I disconnected the telephone from the programming adapter, reconnected it to its battery and successfully called people on it under its original ESN and MIN, which I had just programmed into the unit.

Conclusion
~~~~~~~~~~

The title of this section could be "Yes, Telstra are lying when they say it is not possible", but then we all know from past experience that Telstra lie about anything to do with "phreaking".

To reprogram a Motorola cellular telephone is quite easy once you know how; however, it is highly illegal to change the ESN & MIN for fraudulent purposes. Take my advice and do not do it. To the best of my knowledge, however, there is nothing to stop you changing the other details within the phone, so long as you do not change an option that causes any problems with the cellular network.

One of the things that can be done using this software and programming adapter is inform your telephone of any new accessories that you get, for example you might buy a VOX kit.
Normally you would have to pay your local dealer a fee to change the option within your telephone so that the VOX kit would work. Now you can do it yourself, save the cash, and buy me a scotch with it if we ever meet!

- [6.10] - Greets and Contacting us - [6.10] -

If you would like to contact us call any of the following places:

Bulletin Boards
---------------
Destiny Stone II (+61-9) -=- (+61-8) The Temple
Jesta's BBS      (+61-7) -=- (+61-3) Rewted LogiK

Voicemail
---------
Destiny Stone II Voice Mail System +61-9-246-2553 Box No 2

WWW Homepage
------------
http://suburbia.apana.org.au/~dking

Our Special Regards go out to (In Alphabetical Order)

Anubis         : Thanks for the accommodation!
Bad Sector     : Come out of hiding yet?
Captain Crunch : How weird can one guy be?
Cairo          : Let's see you out and about more
Enigma         : Ready for another NCR?
Freestyle      : See you on the Net again soon!
Hook           : Good to see you around still
Jesta          : Advertising in Phrack are we?
Slash          : kh89775jkhgk! (Comment PGP encrypted)
Stylemaster DJ : Welcome back to Perth!
Xstatic        : Nice to meet you in SA, Rave on!
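Added example (not part of the original bulletin): a carrier-side consistency check built from the section 6.9 field definitions above (ESN manufacturer byte, MIN prefix, SCM bits), run over constructed call records. The two conflict rules (one ESN under several MINs, one ESN in two calls at once) and every record value are assumptions of this example.

```python
from collections import defaultdict

# Subset of the article's manufacturer table: first two hex digits of the ESN.
ESN_MAKERS = {0x81: "Oki", 0x82: "Motorola", 0x87: "NEC", 0x88: "Panasonic"}
# Dialled prefix -> machine prefix, in the order the article gives (018 came first).
MIN_PREFIX = {"018": "5050", "015": "5060", "019": "5070"}

def esn_maker(esn_hex):
    """Name the manufacturer from the ESN's leading byte, or 'unknown'."""
    return ESN_MAKERS.get(int(esn_hex[:2], 16), "unknown")

def min_field(dialled):
    """Convert a dialled number such as 018-123-456 to its MIN field form."""
    prefix, rest = dialled.split("-", 1)
    return MIN_PREFIX[prefix] + "-" + rest

def decode_scm(scm):
    """Decode the 4-bit SCM following the bit layout of the article's table."""
    if not 0 <= scm <= 0xF or scm & 1:
        raise ValueError("SCM value not listed in the article's table")
    return {"channels": 832 if scm & 8 else 666, "watts": 0.6 if scm & 2 else 3.0,
            "vox": bool(scm & 4)}

def find_conflicts(calls):
    """Flag ESNs billed under several MINs or active in two calls at once."""
    by_esn = defaultdict(list)
    for call in calls:
        by_esn[call["esn"]].append(call)
    findings = []
    for esn, group in sorted(by_esn.items()):
        mins = sorted({c["min"] for c in group})
        if len(mins) > 1:
            findings.append((esn, "multiple MINs", mins))
        latest = None  # call with the latest end time seen so far
        for c in sorted(group, key=lambda c: c["start"]):
            if latest and c["start"] < latest["end"]:
                findings.append((esn, "overlapping calls", [latest["cell"], c["cell"]]))
            if latest is None or c["end"] > latest["end"]:
                latest = c
    return findings

# Constructed call records (times in minutes); none of these values are real.
CALLS = [
    {"esn": "82000001", "min": min_field("018-123-456"), "cell": "C01", "start": 0, "end": 10},
    {"esn": "82000001", "min": min_field("018-123-456"), "cell": "C07", "start": 5, "end": 8},
    {"esn": "87000002", "min": min_field("015-555-000"), "cell": "C02", "start": 0, "end": 3},
    {"esn": "87000002", "min": min_field("019-555-111"), "cell": "C02", "start": 4, "end": 6},
    {"esn": "88000003", "min": min_field("018-555-222"), "cell": "C03", "start": 1, "end": 2},
]
```

Calling find_conflicts(CALLS) reports the first ESN for two simultaneous calls in different cells and the second for appearing under two MINs; the third record is clean.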