The Alt.Phreaking FAQ 1.5

I know your little 4th grade teacher said there are no stupid questions. She was wrong. This is Usenet.
~A wise man.
 

Much thanks to BigH, Itris, Mohawk, MMX, Thomas Icom, Black Axe, Tom Farley and the OCPP for their contributions, encouragement, and bitching. Special thanks to Jenn Martino for the sound files and her patience.

Table of Contents

 
 

A: Alt.Phreaking

Introduction/Alt.Phreaking

The Basics

B: Technical Matters

Phone Systems

Call Number Identification

Cable plant/Switching/Transmission

Test numbers

LATAs/IntraLATA carriers/InterLATA carriers

COCOTS/BOCOTS/Pay Phones

Numbering

C: Fraud

D: Reference Materials

Reference

Tools and Toys

E: Fun and Games

Dirty Tricks

Trashing

Scanning
 
 

0.0 Introduction/Alt.Phreaking


0.1 What is this FAQ?

The alt.phreaking FAQ was established to help answer the questions that pop up from time to time (or at least should come up) on Alt.Phreaking. This FAQ is currently maintained and edited by Seuss and can be viewed or downloaded at http://members.tripod.com/~SeusslyOne.

0.2 What is alt.phreaking for?

Alt.Phreaking is a newsgroup for the discussion and exchange of phreaking information, hints, tips, and general knowledge. It is supposed to be a way for people to discuss phreaking without feeling like a moron, whether asking or answering questions. It is also a good way for phreaks around the world to communicate easily. It is NOT a place for warez, tech support, advertising, etc.

0.3 Why is everyone flaming me?

You're likely being flamed for asking what someone sees as a stupid question. Try and avoid topics like making free phone calls, C12 mods, why your redbox won't work or politics in any way, shape or form. For the love of Christ don’t go to alt.phreaking and ask for ‘phreaking texts’. Try and observe the common courtesies: don't post in ALL CAPS oR aLtErNaTiNg caps (it's not funny, even when you think it is), don't post HTML, and spare us the superfluous punctuation.

0.4 What is a phreak?

Philosophical questions are no longer being fielded by this document.

0.5 Additions, Suggestions, etc.

Even though Seuss maintains and edits the alt.phreaking FAQ, much of the content comes from regular contributors to alt.phreaking. If you would like something added, changed, or if you just have a suggestion, mail me. There is a prize for everything I find useful. Your comments will greatly improve the quality of the FAQ.

0.6 FAQ conventions.

There are a lot of acronyms in use. If you don't know what they are, look them up.

'Ninja factor' (NF) is used to note something that requires a high degree of stealth.

1.0 Alt.Phreaking


1.1 Your new status in the underground

Welcome to the phone phreak underground. We're a fairly decent, not overly judgmental pack, as you'll see if you stick around long enough. You're new here, so try and remember that newbie phone phreaks are a dime-a-dozen. As much as we'd like to see you stay, coming in with a bad attitude won’t help you any. Just remember to be polite and say please and thank you and that you're in absolutely no position to rag on someone for asking what seems like an obvious question to you now. We only tell you to RTFM because we love you. Finally please try and keep your sense of humor, it will help enormously.

1.2 I'm a newbie please help!!

Don't assume that everyone will jump to spoon-feed you answers... that only happens in books and movies. Lots of us really DO want to help you, but we have better things to do than tutor your ass non-stop. First and foremost, try and learn as much as you can about phreaking by yourself. Visit as many related web pages as possible, read books about telephony and experiment. If you hit a snag along the way then by all means ask for help, remembering the rules stated above.

1.3 What should I read?

Good question, but let's start with what NOT to read. Ignore the Anarchist's Cookbook. The phreaking information in it is so dated as to be useless and everything else is dangerously wrong. The BIOC files are probably older than you are... read them if you must, but most of the ideas are pretty much dead.

What you WILL want to get a hold of:

- A book about installing your own phone.

- The file "Outside Loop Distribution Plant" by Phucked Agent 04. It's a little old now (so don't expect to hear much about SLCs), but still an excellent reference for explaining the inner workings of the inside/outside plant.

- Glossaries of telecommunications and phreaking terms. I highly recommend Newton's Telecom Dictionary, but there are a lot of text files that list the lingo.

- A BRIEF explanation of the more common boxes. Don't worry about these too much, but it will help you understand some of the posts. Fixer has a great list of boxes on his site, along with what does and does not work and why.

- A cheap TAB book on basic electronics.

- The better zines. 2600, Phrack, Phone Punx Magazine, Phantasy and BlackBox are all still being printed or posted. Shuffle through back issues of the now defunct THTJ magazine, Cybertek, OCPP and Private Line magazine. The Phone Punx Network has a zine archive where you can find some of these zines. Textfiles.com also has an impressive archive of zines.

- A little bit of history on the underground. Get a hold of The Hacker Crackdown; it makes for fascinating reading and will give you an idea of what the scene was like before the WWW.

1.4 I need help with phreaking in *a foreign country*

This is a question this FAQ will never be able to answer. If you're in Canada, you're in luck. There is an excellent resource at http://www.hackcanada.com. UK phreaks have their own FAQ at http://www.hackhull.com/phuk/faq.html.

1.5 Is phreaking (or any method of or related to) legal?

Exercise your own common sense. Toll fraud is stealing and is very illegal (and anyone who mails me saying that "Information wants to be free" will have an angry letter sent to their upstream provider). If you're caught ripping off phone service in a serious way you'll probably be prosecuted. Trespass is also illegal (this includes distribution cabinets). After that, what is and isn't legal can still be rather vague when it comes to hacking and phreaking. Some areas have laws against trashing and wardialing. Some don't. Look and see.
 

2.0 Phone Systems

2.1 PBXs


2.1.1 What is a PBX?

A PBX is a private phone system used by large companies and other institutions that require a flexible internal phone system (such as college campuses or big office buildings). PBXs are the devices that ask you to dial an extension or operator when you connect to them. PBXs consist of a small phone switch (say a DMS 10) or a switch that caters directly to the PBX market (like an AT&T System X5), a group of trunks, a set of telephones and a group of users.
 

2.1.2 So what's the big deal about PBXs?

When people are seen asking for "PBXs", they're asking for dialouts on that particular PBX. These numbers allow them to call up, seize an outbound line and make their call on the PBX owner's tab. Because the PBX has to be called, PBXs connected to toll-free numbers are the most popular.
 

2.1.3 What is a DISA port and what is it for?

A DISA port (Direct Inward System Access port) is a feature on a PBX that allows an outside caller to access internal features and external dialtones of a PBX.

Using DISA hinges on a few different factors. You're going to need to know the DISA number (most places are smart enough to keep this quiet), any PINs necessary (barrier code and/or auth code), and the admin has to have DISA enabled (look out, some DISA ports are deactivated during certain hours). Call the DISA number, make a nod toward system security (which can be either non-existent, a PIN of variable length or totally impossible), and you can function as an internal user on said PBX, calling extensions, engaging in local features (like call park and barge-in) and placing outgoing calls.

Hacking DISA ports is a relatively simple and effective way to get free service plus someone else's number on the ANI controller.

DISA port attention tone
 

2.1.4 Is there any other way to exploit a PBX?

Dial at the automated attendant. Sometimes there are unannounced dialout codes, or dialed digits will be passed directly to the switch (as opposed to the external attendant hardware).
 

2.1.5 Why can't I divert through this PBX?

The administrator probably got a clue and set up an integral routing feature (class of service or class of restriction) to prevent DISA users from accessing outgoing dialtones. Alternatively, the number you're calling could be blocked (after the first major ripoff, most admins get wise to the Defcon Voice Bridge and most conferencing services).
 

2.1.6 How do I set up my own outdial codes?

Setting up DISA outdials varies from system to system. Try Phrack back issues.
 

2.1.7 What is a key system (KTS)?

A key system (KTS) is a smaller automated telephone system. The big difference between KTSs and PBXs is where the control lies. PBXs put as much processing as they can in the switch, while most key systems put a lot of control into each telephone (like selecting an available trunk by pushing a button) but retain major interconnection functions at the switch.
 

2.1.8 What is a hybrid system?

A hybrid is a phone system that combines features from both a PBX and a key system.
 

2.1.9 What is Centrex?

Centrex is a monstrosity left over from pre-divestiture days. It's a service that leases out part of a local end office switch as a PBX to a subscriber.
 

2.2 Extenders

2.2.1 What’s an extender?

Unlike most systems exploited by phreaks, a WATS extender is designed to be used for making phone calls without directly billing the caller. WATS extenders are 800 numbers connected to bulk rate billed telephone lines and guarded by a pass code (usually a VERY LONG one). "950s" (those using FGB 950-XXXX dialups) are another common form of extender. While the extenders of old have mostly disappeared, extenders have been reincarnated as the dialup used for prepaid phone cards. Be warned: extenders VERY often utilize real time ANI, and do not react well to abuse. These things can be dangerous and should be treated with care.
 

2.3 Voice Mail

2.3.1 What is voice mail?

Voicemail is a centralized, flexible answering machine. VM can be either a feature of a PBX, or a function provided by a dedicated voice mail system.

2.3.2 What's a VMB?

Voice Mail Boxes (VMBs) are separate user accounts on a voice mail system. Among the standard user boxes are administrator boxes, privileged accounts that allow for the creation and deletion of boxes, changing of routing features, etc.

2.3.3 How do I hack a VMB?

The specific techniques used for hacking voice mail boxes vary from system to system. However, the general procedure is to dial up a voice mail system, input a box number, and guess at the pass code (usually with a wardialer). Once the box is cracked it can be taken over (the outgoing message and pass code changed), the messages spied on, dialed out from by inputting the correct commands, or new accounts can be created (from administrative boxes). Clone has an excellent set of articles on hacking voice mail.
 
 

3.0 Calling Number Identification

3.1 ANI

* A note on ANI: Throughout the explanation of ANI, comparisons will be made to Caller ID. This is just to make things a little easier to understand. ANI is not Caller ID, nor is Caller ID ANI.

3.1.1 What is ANI?

ANI stands for Automatic Number Identification. It is a service feature in which the directory or equipment number of a calling station (read as "telephone") is automatically obtained and transmitted to the called party. Enhanced 911 systems, 800/888 numbers and big companies are amongst the most frequent consumers of ANI, though it can be served up to anyone with the necessary equipment. "ANI" is often used interchangeably with "ANAC" by the less educated; don't do that.

3.1.2 How is ANI transmitted?

Numbers receiving real time ANI are connected to their CO or toll center via digital trunks which send data packets back and forth. The ANI data is sent from the office, in the packet headers, to a computer called an ANI controller on the premises of the site receiving ANI. ANI can be MFed to the customer (in the format KP-I-<Information digit>-NXX-XXXX-ST), sent in SS7 packet headers, or across E&M leads.

3.1.3 What is ANI II?

ANI II is an additional feature of ANI. ANI II adds a pair of digits to the ANI readout that labels what type of service the number is (i.e. if it's a pay phone, a PBX line, etc.). There was an ANAC that read back ANI II (1.800.487.9240), but it was beaten to death by the denizens of alt.phreaking. A list of ANI II digits can be obtained from www.NANPA.com.

3.1.4 What is "real time" ANI?

Real time ANI is yet another kink in ANI. Not all ANI subscribers get their ANI as soon as they're called. Some ANI subscribers get a call record at the end of the month that lists all their incoming calls. Subscribers who get their ANI as the call comes in have what's called "real time ANI". Think of it as beefed up caller ID.

3.1.5 What's a "Dark call"?

A "dark call" is a slang-ish term for an ANI failure. Dark calls throw up a "NO ANI RECEIVED" message on a TSPS console, which triggers ONI.

3.1.6 What is ONI?

ONI (Operator Number Identification) is when a live operator asks you for the phone number you're calling from. Now, certain unscrupulous people could tell the operator that they were from a number other than the one they were actually calling from... ONI is becoming less common due to advances in telephone technology.

3.1.7 How do I spoof ANI?

ANI can be spoofed through a technique called op-diversion. Pick up the phone and dial 0. Tell the operator that you have handicap dial privilege (if they argue with you, tell them you were in a car wreck or something), and ask them to put you through to 1-800-225-5288 (pick whatever LD carrier you like). When the operator asks for your number, give them something that's listed. This technique is dying a slow death.

3.2 ANACs

3.2.1 What is an ANAC?

ANAC stands for Automatic Number Announcement Circuit. An ANAC number refers to a number that you call that tells you what number you're calling from. This has a variety of uses. Linemen call them to find out the number of the line they are working on. Phreaks use them when they are beige boxing for the same reason. There are a million other uses for the things.

3.2.2 I need an ANAC number for my area.

ANAC numbers are different in all areas. Try to find your local ANAC and use that one, though some ANACs (the 800 numbers) are available on a national level. The alt.2600 FAQ has a listing of local ANACs.
 

3.3 Caller ID

3.3.1 What is Caller ID?

Caller ID is a service that delivers the number of the calling party. A separate unit or special phone is used to display the number. Caller ID service can be ordered from your local telephone company. There is a monthly charge of about $6 to $8. Caller ID Deluxe has the same features as normal Caller ID but it also displays the name and address of the person who calls along with their number. This service costs about $1 more per month.

3.3.2 How does Caller ID work?

*This next section is from the Fixer's excellent article "Beating Caller ID".*
 
Caller ID is a data stream sent by the Phone Company to your line between the first and second ring. The data stream conforms to Bell 202, which is a 1200 baud half-duplex FSK modulation. That is why serial Caller ID boxes run at 1200 baud.

The data stream itself is pretty straightforward. Here's an example:

UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU€'^D 032415122503806467x

The first thing of note is the 30 U's. Those are actually sync pulses. A "U" is 55 hex, or 01010101 binary. This is called the "Channel Seizure Signal."

After that comes 130 milliseconds of 1200 Hz (the Bell 202 "mark" frequency) which usually shows up in the datastream as a character or two of garbage.

That is followed by the "message type word", which is 04 hex for standard Caller ID, 07 hex for Name & Number. A word, by the way, is 8 bits for our purposes.

That is followed by the "message length word" which tells us how many bytes follow.

The next four bytes are the date, in ASCII. In the example above, the date is 0324, or March 24th.

The next four bytes after the date are the time, also in ASCII. In the example, the time is 1512, or 3:12pm.

The next 10 digits are the phone number that is calling. In the example, the phone number is 250-380-6467. The number is also in ASCII and doesn't contain the hyphens. Some phone companies will leave out the area code and only transmit 7 digits for a local call, others will always send the area code as well.

If this were a name-and-number Caller ID data stream, the number would be followed by a delimiter (01h) and another message length byte to indicate the number of bytes in the name. This would be followed by the name itself, in ASCII.

If this call originated from an area that doesn't support Caller ID, then instead of the phone number, a capital "O" is transmitted (4F hex).

If the call was marked "private" as a result of the caller using *67 or having a permanent call blocking service, then instead of the phone number, a capital "P" (50 hex) would be sent.

The very last byte of the data stream is a checksum. This is calculated by adding the value of all the other bytes in the data message (the message type, length, number and name data, and any delimiters) and taking the two's complement of the low byte of the result (in other words, the two's complement of the modulo-256 simple checksum of the CID data).
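The layout above (sync bytes, mark residue, message type, length, ASCII fields and the two's-complement checksum) is enough to write a receiver-side decoder. What follows is an added example, not code from the FAQ or from Fixer's article: it assembles frames only to have test input, and the parser finds the message by checking the length byte and the checksum rather than trusting byte positions, so a corrupted or truncated frame is rejected instead of displayed. The function names, the dataclass and the sample frames are mine; treating the name field of a name-and-number stream as a 01h delimiter, a length byte and ASCII text, all counted in the message length, is an assumption taken from the description above.

```python
# Added example (not from the FAQ or Fixer's article): decoder for the
# Caller ID data stream as described on this page. Frame layout, message
# types 0x04/0x07, the 'O'/'P' markers and the checksum rule are the page's;
# function names, the dataclass and the constructed sample frames are mine.
from dataclasses import dataclass
from typing import Optional

MSG_TYPE_NUMBER = 0x04           # standard number-only Caller ID
MSG_TYPE_NAME_AND_NUMBER = 0x07  # name and number
CHANNEL_SEIZURE = b"U" * 30      # 30 x 0x55 = 01010101, the Channel Seizure Signal
MARK_RESIDUE = b"\x80\x27"       # constructed stand-in for the 130 ms of 1200 Hz mark


def checksum(payload: bytes) -> int:
    """Two's complement of the modulo-256 sum of type, length and body bytes,
    i.e. the byte that makes the whole message sum to zero mod 256."""
    return (-sum(payload)) & 0xFF


def build_frame(date: str, time: str, number: str, name: Optional[str] = None) -> bytes:
    """Assemble a frame in the layout described above. Used here only to
    construct test input; a receiver never builds frames, it parses them."""
    body = (date + time + number).encode("ascii")
    if name is None:
        msg_type = MSG_TYPE_NUMBER
    else:
        # assumption: 01h delimiter, one length byte, ASCII name, all counted in length
        msg_type = MSG_TYPE_NAME_AND_NUMBER
        name_bytes = name.encode("ascii")
        body += b"\x01" + bytes([len(name_bytes)]) + name_bytes
    payload = bytes([msg_type, len(body)]) + body
    return CHANNEL_SEIZURE + MARK_RESIDUE + payload + bytes([checksum(payload)])


@dataclass
class CallerId:
    date: str                 # MMDD, as sent
    time: str                 # HHMM, 24-hour
    number: Optional[str]     # digits without hyphens; None when not delivered
    status: str               # "ok", "private" ('P', *67) or "out_of_area" ('O')
    name: Optional[str] = None


def parse_frame(frame: bytes) -> CallerId:
    """Locate and decode the message inside a raw frame.

    Seizure bytes and mark residue are skipped by trying every byte that looks
    like a message type and accepting the first candidate whose length byte
    fits in the frame and whose checksum verifies. No valid checksum, no
    result: a garbled frame is rejected rather than shown on the display.
    """
    for i, b in enumerate(frame):
        if b not in (MSG_TYPE_NUMBER, MSG_TYPE_NAME_AND_NUMBER) or i + 1 >= len(frame):
            continue
        end = i + 2 + frame[i + 1]        # index of the checksum byte
        if end >= len(frame):
            continue
        if checksum(frame[i:end]) == frame[end]:
            return _decode(b, frame[i + 2:end])
    raise ValueError("no Caller ID message with a valid checksum in frame")


def _decode(msg_type: int, body: bytes) -> CallerId:
    date, time_ = body[:4].decode("ascii"), body[4:8].decode("ascii")
    rest, name = body[8:], None
    if msg_type == MSG_TYPE_NAME_AND_NUMBER:
        rest, delim, name_field = rest.partition(b"\x01")
        if delim and name_field:
            name = name_field[1:1 + name_field[0]].decode("ascii")
    if rest == b"P":
        return CallerId(date, time_, None, "private", name)
    if rest == b"O":
        return CallerId(date, time_, None, "out_of_area", name)
    return CallerId(date, time_, rest.decode("ascii"), "ok", name)


def display_number(cid: CallerId) -> str:
    """Render the way a Caller ID box would: NXX-XXXX or NPA-NXX-XXXX."""
    if cid.number is None:
        return "PRIVATE" if cid.status == "private" else "OUT OF AREA"
    n = cid.number
    return f"{n[:3]}-{n[3:]}" if len(n) == 7 else f"{n[:3]}-{n[3:6]}-{n[6:]}"


if __name__ == "__main__":
    # Constructed frame with the same date, time and number as the example above.
    frame = build_frame("0324", "1512", "2503806467")
    cid = parse_frame(frame)
    print(cid.date, cid.time, display_number(cid), hex(frame[-1]))
```

For the example fields on this page (type 04, length 18, 0324, 1512, 2503806467) the bytes sum to 945, 945 mod 256 is 177, and the two's complement is 79 (4F hex), so that is the checksum byte a box would expect to see. Flipping any digit in the number changes the sum and the decoder throws the frame away, which is the check a Caller ID unit should make before trusting what it displays.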

3.4 *67

3.4.1 What is *67

*67 is the vertical service code for per call ID blocking. It will block your number from being displayed on the Caller ID unit of the person that you called. If the person has Caller ID Deluxe, it will also block your address. *67 DOES NOT AFFECT ANI!!! Note: there are rumors that all calls placed with *67 are flagged on the switch's record, making it unattractive.

3.4.2 Does *67 block *69?

In some areas *69 now has a feature that reads back the number of the person that called you and then gives you the option to call them back. *67 will block your number from being read to them, but they can still call you back. Just shell out the 75 cents and test it out for yourself.

3.4.3 Anonymous Call Rejection

Anonymous Call Rejection or ACR is provided to Caller ID customers for free. This service allows Caller ID customers to block calls from people who use per call blocking (*67). When someone that blocks their number calls a person with Caller ID who has activated ACR, the caller hears a message saying that the called party does not accept calls from people that block their number.
 

3.5 Caller ID blockers

3.5.1 What is a Caller ID blocker?

A Caller ID blocker is a device that will block your name and number from being shown on Caller ID boxes. It is sold at Radio Shack and the product number is 43-925. It costs $29.99. Basically, you're paying $30 or so for something that will dial *67 for you.
 
 

4.0 Cable plant/Transmission

4.1 Cable Plant

4.1.1 What is the inside cable plant/outside cable plant/CPE?

The inside cable plant refers to all hardware and wiring in a telco office. The outside cable plant is all cables, wires, breakout boxes, and transmission hardware between the phone jack and the office. CPE stands for customer premises equipment, everything on the customer's side of the demark point.

4.1.2 What is the layout of the cable plant?

This graphic doesn't cover everything, but it's nice to have a picture to work with. Once the cable hits the house in the upper left, it will be connected to the protector block (which protects the inside wiring, the phone, and you from lightning strikes). From there it goes to the rate demarcation "demark" point, usually a little gray box on the side of your house. This is where the Phone Company’s responsibility for the wiring ends. The pair should then be strung to a minimum point of penetration, so wiring the other side of the house is a little easier, and from there it goes to the jack.

4.1.3 Canning and beige boxing

The average phone phreak cuts their teeth on a steady diet of beige-boxing, hooking up a phone to someone else's line and making calls. As breaking into someone's house to plug a cordless base into a spare wall jack is rather impractical, most phreaks plug their beige-box into an outside plant wiring cabinet of some sort. If you're hell-bent on opening a wiring cabinet remember that while they're usually not locked, you'll probably need to unscrew something to get in. A can wrench is handy, though a 3/8-inch nut driver and a 7/16-inch hex driver will do you just fine. Note: the Krone company has recently announced a new alarm system for wiring cabinets designed to eliminate vandalism. This system could put a real dent in beige boxing.

Splice housings: These are splice points found in aerial distributions. Nothing too special here, and a pain to get at unless they're stuck to the side of a building, but simple to let oneself into. Just disconnect the clips at the bottom and lift off the vinyl cover.


Pedestal terminals: This happy little fellow can be found in areas where underground distribution is used. Usually you can just grab the lip at the bottom and pull it forward to get at the lines. Should that fail, there are restraining bolts on the sides. Remove them with a nut driver.
 
 
Serving Area Interfaces: This monster is a serving area interface, a cabinet that breaks out every pair in a particular serving area. The wiring in these things is kinda funny as they use all sorts of different ways to secure wires (66-type punch down blocks, Krone blocks, screw terminals, etc). The interesting thing about these is that some of them have 'floater pairs' that aren't hooked up to customer lines. These pairs are used solely by telco personnel in areas where they aren't issued cellphones.

 
Demarcation Points: The Phone Company has thoughtfully provided an insecure point outside almost every building that has access to the phone lines. These enclosures, called demarcation points or simply 'demarks', take a wide range of shapes and sizes.

4.2 Transmission

4.2.1 What media are phone conversations transmitted on?

Customer loops are usually copper analog. In some places this will be converted to fiber after about a thousand feet before it continues on its merry way to the CO, though this isn't always true. (Thanks to MMX for pointing this out.) Other areas will utilize subscriber loop carriers (SLCs), which multiplex a large number of dialtones onto a few cable pairs part way between the CO and the customer. Some WAY out of the way places have their loops converted to microwave for transmission to the CO (this method is often referred to as wireless local loop).
 

4.2.2 What's the average resistance of a phone line?

Average Conductor Resistance in Ohms

AWG   Per 100 Feet (Loaded)   Per 1000 Feet (Unloaded)
19    17.43                   16.10
22    33.72                   32.39
24    52.89                   51.89
26    84.33                   83.33

4.2.3 How do I measure the length of my analog loop?

There are two ways to measure loop length. The first is to use a time domain reflectometer, a very expensive and reasonably complicated instrument similar to an oscilloscope and about as hard to use. The simpler method is to measure the capacitance of the line using the constant 0.083 microfarads per 1000 feet of wire. Keep in mind this value is an average, and that wet sections (areas where water has seeped into a cable) affect capacitance.
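The capacitance constant above and the resistance table in 4.2.2 give two independent length estimates from readings a multimeter can take at the demark, and comparing them catches the wet-section problem the FAQ warns about. The following is an added example, not from the FAQ: the 0.083 microfarad and ohms-per-1000-feet figures are the page's, while the function names, the 10% disagreement threshold and the sample readings are my own.

```python
# Added example, not from the FAQ: loop length from line capacitance and from
# loop resistance, using the constants given on this page. Names, the
# tolerance and the sample readings are mine.

# Ohms per 1000 feet, taken from the unloaded column of the table in 4.2.2.
# Unloaded figures are the right ones for a length estimate: loading coils add
# series resistance that has nothing to do with how much cable is out there.
OHMS_PER_KFT_UNLOADED = {19: 16.10, 22: 32.39, 24: 51.89, 26: 83.33}
UF_PER_KFT = 0.083  # average cable capacitance, microfarads per 1000 feet


def length_from_capacitance(capacitance_uf: float) -> float:
    """Loop length in feet from a tip-to-ring capacitance reading (microfarads)."""
    if capacitance_uf < 0:
        raise ValueError("capacitance must be non-negative")
    return capacitance_uf / UF_PER_KFT * 1000.0


def length_from_resistance(ohms: float, awg: int) -> float:
    """Loop length in feet from a resistance reading, for a single-gauge loop."""
    try:
        per_kft = OHMS_PER_KFT_UNLOADED[awg]
    except KeyError:
        raise ValueError(f"no resistance figure for {awg} AWG in the table") from None
    return ohms / per_kft * 1000.0


def estimate_loop(capacitance_uf: float, ohms: float, awg: int,
                  tolerance: float = 0.10) -> dict:
    """Run both methods and flag disagreement instead of averaging it away.

    The capacitance figure is an average that a wet section skews (water in the
    cable raises its capacitance), so when the two estimates differ by more
    than `tolerance` (10% is my choice) the pair deserves a second look.
    """
    by_c = length_from_capacitance(capacitance_uf)
    by_r = length_from_resistance(ohms, awg)
    spread = abs(by_c - by_r) / max(by_c, by_r, 1e-9)
    return {
        "feet_by_capacitance": round(by_c),
        "feet_by_resistance": round(by_r),
        "consistent": spread <= tolerance,
    }


if __name__ == "__main__":
    # Constructed readings for a 5000 ft loop of 24 AWG: 0.415 uF and 259.45 ohms.
    print(estimate_loop(0.415, 259.45, 24))
    # Same resistance, capacitance reading 40% high, as a wet section would give.
    print(estimate_loop(0.581, 259.45, 24))
```

The resistance method assumes the whole loop is one gauge; on a real loop that changes gauge part way out, the capacitance figure is the one that still applies end to end, which is why the FAQ leads with it.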

4.2.4 What is a trunk?

A trunk is a fixed connection between 2 telephone offices, a telephone office and a PBX (or similar hardware), or two PBXs (again, or similar hardware). Interoffice trunks are usually high-speed data lines (almost exclusively fiber) though PBX trunks are usually channelized T-1s or even banks of POTS lines.

4.2.5 Manholes

What’s in a manhole?

Rats. Dirty water. Roaches. Splicing boots that you can’t open. Methane gas.

4.2.6 Why shouldn't I go peeking in a manhole?

Methane builds up in manholes, risking suffocation or explosion unless the air is vented; and running a blower is rather obvious. When it rains, water tends to build up in holes. You probably don't have the right tools to open the splicing boots, and why bother anyway?
 
 

4.3 What is a switch?

A switch is a large, expensive piece of hardware that connects telephone calls. There are 3 types of switch: the dial tone switch (also called the end office or class 5 office), the remote switch and the toll switch (also known as a tandem switch or class 4 switch). The old books and files that talk about regional, sectional and area switches are outdated, so ignore them. The toll switching hierarchy was 'flattened' with the advent of SS7.

Dial tone switches are the switches that interface directly with your telephone and provide you with your dialtone. Toll switches connect end offices with toll switches and toll switches with other toll switches. The third type of switch is a remote switch. These are usually large PBX switches (though there is a 5ESS model) slaved to a CO that is a good distance away. The switches are implemented in areas too small to warrant their own offices, but require a switch to themselves. Remote switches are switches only, and carry none of the other computer equipment necessary for a full scale office. Remotes do NOT have their own AMA systems, customer databases, etc. These "big" functions are handled by the office the remote is slaved to.

4.3.1 What are some common switches?

*Dial tone Switches*

1AESS

5ESS

5ESS 2000

5ESS 2000 DCS (Supposed to be a cellular switch, but sometimes foolishly deployed for landlines)

DMS 10

DMS 100

ericsson PRX-a

*Toll Switches*

Nortel
DMS 200
DMS 250
DMS 500

*Remote switches*

GTD-5 EAX

5ESS Family
Remote Switching Module
Distinctive Remote Module
Extended Switching Module 2000

4.4 What is SS7?

SS7 (Signaling System 7) is a system for telephone offices to communicate with each other. In the good old days offices would send information about a call's routing by in-band signaling (audible tones sent along with your voice). In-band signaling was slow, unreliable, and subject to wild amounts of fraud. Then the phone company tried out-of-band signaling, where the tones were outside the audible bandwidth of the phone. Eventually SS7 came into play: a packet switched network that exists between telephone offices and transmits voice and signaling information in the telephone network.

4.4.5 Do blue boxes still work?

No. PLEASE stop asking.

5.0 Test numbers and offices

5.1 What are test numbers?

Test numbers are dialups to testing equipment or test features set up by the phone company or private entities. There are about a billion kinds of test numbers, so PLEASE don't just start asking for "test numbers", especially on newsgroups like comp.dcom.telecom.tech.
 

5.2 What are some common test numbers and their uses?

- Sweep Tones: Tone sweeps are a test tone ranging from 304 Hz to 3204 Hz. A common use for sweep tones is to check for infinity-transmitter style taps. Dial up a sweep tone. If an audible clicking is heard during the sweep then a transmitter could be installed on your line. Telco maintenance uses sweep tones to check for the presence of loading coils and other such nasties that eat high frequency tones, in order to qualify a line for high speed services.

- Milliwatt test: These are 1004 Hz tones sent out at 0 dB gain. Milliwatt tests are used to check for line loss and make other complex tests.

- Quiet termination: This feature connects the caller to a port with fixed resistance, 600 ohms or 900 ohms being the most common. There should be nothing but dead silence on connection. Clicks, static or crosstalk will be clearly evident if a noisy line is used to dial this test.

- Ringback: Calls back the originating number in an annoying fashion. Dialing all the touch-tone digits in order (starting with 1 and ending in # going across the keypad rows) will generate 2 tones saying the keypad is ok.

- Loops: These numbers exist in linked pairs, sometimes consecutive and sometimes not. Call one number and you'll get a tone. Call the other number and you get dead silence. If both are called at the same time they make a connection. It used to be that you could then talk over this connection, but now there are filters that block speech placed on most loops. Try passing TTY data.

- ANAC: This test dialup will read off the number of the line you’re calling from. On rare occasions you will find ANACs with a DTMF response for use with remote test terminals.

- DATUs: DATUs (Digital Audio Test Units) are a godsend to technicians and phone phreaks everywhere. DATUs allow a caller to monitor lines (don't get too excited), open and short pairs, and put trace tones on the pair. While it might not sound too exciting, it has more applications than most people think. Several articles about DATUs have surfaced recently, and all should be read with a grain of salt.

- Reflectors: Reflectors do exactly what the name implies, listen for anything coming down the line and reflect it back after a brief delay.

5.2.1 Acquiring Test Numbers

Getting test numbers is a tricky business. You can scan them out, con telco personnel out of them or bum them off of other phone phreaks. Good resources for numbers include Blue Fuzzy Telephonics and the UPL's Phone Directory.
 

5.3 Internal Offices

5.3.1 What is an internal office?

An internal office is an office that the general public doesn’t know about. Internal offices are usually used to access complex test systems (such as Switching Control) or in applications where automation would be impractical (such as Customer Name and Address offices).
 

5.4 Customer Name and Address office
 
5.4.1 What is a CNA number?

A CNA (Customer Name and Address) number is the number to the CNA office. This office provides the name and address of the owner of a particular telephone number to telephone techs.
 

5.4.2 Where can I get a working CNA number?

Normal CNA numbers that list every number in the area are available only to telephone company personnel. Private citizens must rely on CNA information from private companies such as Unidirectory (900-933-3330) and Telename (900-884-1212) to give them their info at a buck a minute. If you are in 312 or 708, Ameritech has a pay-for-play CNA service available to the general public. The number is 796-9600. The cost is $.35/call and can look up two numbers per call. If you are in 415, Pacific Bell offers a public access CNA service at (415)705-9299. If you are in Bell Atlantic territory you can call (NPA)555-5454 for automated CNA information. The cost is $.50/call with 3 look ups per call.

Reverse lookups over the Internet can be attempted, but there's no guarantee that they will work.

http://www.555-1212.com
http://www.anywho.com
http://www.four11.com
http://www.switchboard.com

Reverse Directories
http://www.555-1212.com/look_up_number.cfm
http://www.anywho.com/telq.html

International Directories
http://www.teldir.com/

Actual CNA numbers are becoming rare, as companies are consolidating their CNA directories.

6.0 LATAs/ IntraLATA Carriers/ InterLATA Carriers

6.1 LATAs

6.1.1 What's a LATA?

LATAs are the geographical areas where a single RBOC (local phone company) can connect a call. If a call passes across the boundaries of a LATA it must be handed off to an Inter-Exchange Carrier and then back to another Local Exchange Carrier for completion. A map of the US showing the LATA breakdown can be viewed here (warning, it's bloody huge).
 

6.2 Inter-LATA carriers

6.2.1 What are Inter-LATA carriers?

An "Inter-LATA carrier" is just another name for a long distance company such as AT&T, Sprint or MCI.
 

6.2.2 How are alternate InterLATA carriers accessed?

Inter-LATA carriers are accessed through 950 numbers (feature group B access codes) or 101XXXX numbers (feature group D access codes).
 

6.2.3 Where can I get a list of Inter-LATA carriers and their access numbers?

You can get a list of them at http://www.NANPA.com
 

7.0 COCOTS \ BOCOTS \ Pay Phones

7.1 COCOTs and BOCOTs

7.1.1 What is a COCOT?

COCOT is an acronym for Customer Owned Coin Operated Telephone. Due to the efforts of modernization, COCOTs differ from ILEC coin stations only in business terms now.

7.1.2 What is a Coin Line?

In the good old days COCOTs were connected to normal POTS (home phone) lines. There is a growing trend to connect COCOTs to specially leased lines from the phone company that offer greater fraud protection: 900/976 blocking, an option to block international calls, coin supervision and disposal features, no wink returned to the phone (a wink would reset older COCOTs, giving an unrestricted dialtone), and extended operator services. Different RBOCs offer different features and different names for this service.

7.1.3 Why isn't my redbox going to work on a COCOT?

COCOTs are un-redboxable. It has nothing to do with muted mouthpieces, coin grounds, or any counter-fraud tactic. COCOTs do their own coin handling: verifying and tallying input coins and comparing the amount entered to an internal rate chart.
 

7.1.4 Who makes COCOTs?

There are a healthy number of COCOT manufacturers.

Elcotel, Intellicall, Protel and Tatung are major manufacturers, but there are others.

7.1.5 What is a BOCOT?

BOCOT is a not especially popular term for a computerized local-carrier coin station. These phones offer superior fraud protection, and more features.
 

7.2 Millennium Phones

7.2.1 What is a Millennium Phone?

A Millennium Phone is a newish offering from Nortel to the COCOT/BOCOT market. Millennium Phones are ultra computerized, high security phones mostly deployed in Canada and the Midwest (anyone know different?) at the moment. For more info on Millennium Phones read OCPP issue 7 and visit www.nortel.com.

7.2.2 Programming on the Millennium Phone

YES, Millenniums can be programmed from their keypads. You can feed them so-called "OP CODES" that have as-yet unknown uses. Put the phone ON-HOOK, dial "CRASERV" and input a 5-digit PIN (the default is 12345). OP CODES are 3 digits long.
 

7.4 Pay phones

7.4.1 What is a pay phone?

The venerable Western Electric coin station is almost totally gone. Elcotel has outstripped WE in production and features, making their pay phones almost universal in new installations. There will likely be many legacy sets around for a while yet. Elcotel's pay stations incorporate many COCOT features, but have the option to still permit coin handling by the central office.

7.4.2 Coin Signaling

RBOC pay phones running bright mode need their CO to tell them that enough money has been deposited to make a call. When the phone goes off-hook, it is connected to the Automated Coin Toll System (ACTS). ACTS 'listens' for coin-specific tones called "coin-sent-paid tones" (you call them redbox tones), tallies them, and compares the figure against a rate database. When enough money has been deposited your call is connected. Should the time threshold between coins be exceeded, a coin operator will be added to your call to prompt you.

7.4.3 Redbox tones
 
Coin      Frequencies       Duration
Nickel    1700 & 2200 Hz    0.060 s on
Dime      1700 & 2200 Hz    0.060 s on, 0.060 s off, twice repeating
Quarter   1700 & 2200 Hz    33 ms on, 33 ms off, 5 times repeating

7.4.4 Why doesn't my redbox work?

Assuming you've checked for glaring problems like incorrect assembly and programming, and that you're trying to use your box on an RBOC coin phone, there's still a potential problem. After losing an ungodly amount of virtual money from redbox use, telcos began incorporating band-stop filters into phones (Elcotel refers to this feature as 'Tone Fraud Deterrent').
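The band-stop filter mentioned above, as an added illustration (not Elcotel's design and not code from this FAQ): two cascaded notch biquads centred on the 1700 Hz and 2200 Hz coin-tone frequencies. The 8 kHz sample rate and the Q of 5 are assumed parameters. The block measures the filter against single-frequency test tones, which shows the coin-tone pair being suppressed while ordinary voice-band frequencies pass through nearly untouched.

```python
"""Band-stop ("notch") filtering of the 1700/2200 Hz coin-tone pair.

Added illustration of the band-stop idea described in the FAQ.  The
sample rate and Q below are assumptions, not any manufacturer's values.
"""
import math

FS = 8000.0  # assumed telephone-band sample rate, Hz


def notch_coefficients(f0, fs=FS, q=5.0):
    """Notch biquad from the RBJ audio-EQ cookbook, normalized so a0 == 1."""
    w0 = 2.0 * math.pi * f0 / fs
    alpha = math.sin(w0) / (2.0 * q)
    cos_w0 = math.cos(w0)
    a0 = 1.0 + alpha
    b = [1.0 / a0, -2.0 * cos_w0 / a0, 1.0 / a0]
    a = [1.0, -2.0 * cos_w0 / a0, (1.0 - alpha) / a0]
    return b, a


def biquad(samples, b, a):
    """Direct-form I biquad:
    y[n] = b0*x[n] + b1*x[n-1] + b2*x[n-2] - a1*y[n-1] - a2*y[n-2]."""
    x1 = x2 = y1 = y2 = 0.0
    out = []
    for x in samples:
        y = b[0] * x + b[1] * x1 + b[2] * x2 - a[1] * y1 - a[2] * y2
        out.append(y)
        x2, x1 = x1, x
        y2, y1 = y1, y
    return out


def coin_tone_bandstop(samples, fs=FS, q=5.0):
    """Cascade one notch per coin-tone frequency; both must be removed."""
    for f0 in (1700.0, 2200.0):
        b, a = notch_coefficients(f0, fs, q)
        samples = biquad(samples, b, a)
    return samples


def sine(freq, seconds=0.5, fs=FS):
    """Constructed single-frequency test signal (a pure tone, not a coin signal)."""
    n = int(seconds * fs)
    return [math.sin(2.0 * math.pi * freq * i / fs) for i in range(n)]


def rms(samples):
    return math.sqrt(sum(s * s for s in samples) / len(samples))


def gain_db(freq, fs=FS, q=5.0):
    """Steady-state gain of the band-stop at `freq`, in dB.

    Measured on the last half of the signal so the filter's start-up
    transient is excluded; the ratio is clamped so log10 never sees zero.
    """
    x = sine(freq, fs=fs)
    y = coin_tone_bandstop(x, fs, q)
    half = len(x) // 2
    ratio = rms(y[half:]) / rms(x[half:])
    return 20.0 * math.log10(max(ratio, 1e-12))


if __name__ == "__main__":
    for f in (300.0, 1000.0, 1700.0, 2200.0, 3000.0):
        print(f"{f:6.0f} Hz: {gain_db(f):8.1f} dB")
```

Each notch places a zero exactly on the unit circle at its centre frequency, so a steady tone at 1700 Hz or 2200 Hz is driven to (numerically) nothing, while a 1000 Hz tone loses well under a decibel; widening the notches (lower Q) trades more voice-band loss for tolerance of off-frequency tones.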

7.4.5 Coin collection

Hypothetical situation: you just got paged, so you wander over to a handy RBOC pay phone. You pick up the receiver, and deposit 35 of your hard-earned cents into the coin slot. Where did your money just disappear to? Your money has passed through a slug test, gone through a sorter, tripped a sensor to generate the appropriate CSP (redbox) tone and fallen into the temporary hopper in the phone. Once your coins are in the temp hopper they can only go to two places: into the return chute, or into the cash box. Where the money goes next depends on a relay in the phone. If -130 VAC is fed into the loop the coinage is returned, if +130 VAC is fed into the loop the coins are whisked away into the coin box.

7.4.6 Coin boxes

What happens when a payphone fills up with coins? It depends on the phone. MARS II sets will shut themselves off, call their serving office with the message 'I'm full. Come empty me.', and a coin collection tech will come (eventually) to empty the coins.
 

8.0 Numbering

8.1 Area codes

8.1.1 Who assigns area codes?

Bellcore used to issue area codes, but sadly another era in telecommunications has ended. Lockheed Martin now administers NPAs, but it’s still the FCC that has final say in any telecom-related matter. What we’ve lost in the way of tradition we gained in accessibility. Lockheed Martin is very open with their info, while Bellcore insisted on charging ridiculous amounts for their paperwork. All their public documents are on NANPA.com
 

8.2 Service Access Codes (SACs)

8.2.1 What are the special area codes and what are they for?

200: Rumored to be reserved for test purposes. (Anyone want to comment on this?)

300: Rumored to be reserved for test purposes. (Anyone want to comment on this?)

400: Rumored to be reserved for test purposes. (Anyone want to comment on this?)

456: International inbound routing. (Your guess is as good as mine.)

500: ‘Follow me’ forwarding services (A subject of constant debate, especially now that AT&T has revoked their service)

600: Canadian Datalink

700: Carrier defined (All sorts of fun and games here).

710: U.S. Government (Only 2 numbers in the entire NPA!!)

800/888/877: Toll free services

866/855: Reserved for future toll free services

900: Pay for play call services ($ex $ex $ex!!!).
 

8.2.3 Where in the world *are* the 500/700/800/888/877/900 NPAs?

SACs are everywhere and nowhere at the same time. Forgive my attempt at being Zen. 500/700/800/888/877/900 numbers are "translated" at the dial tone office into standard NPA-NXX-XXXX and then routed in the normal fashion. SACs are translated according to the Line Information and Routing Database. This is why you'll occasionally see someone on the newsgroup say they found a "900 backdoor". In reality they found the normal phone number that the 900 number connects to. Telco types call these numbers "Plant test dialups".
 

8.3 Special prefixes

8.3.1 What are special prefixes?

Special prefixes are exchanges reserved by the RBOC for special purposes such as testing, special routing, TTY access, etc.
 

8.3.2 What are some special prefixes?

*0XX/1XX actually exists. You just can't dial it unless you're on an operator position.

*555 is reserved for special purposes such as directory assistance, pay-for-play CNA, etc.

*959 is a holdout from the Ma Bell days, and supposedly still reserved for test purposes. We’ve had some bizarre findings here.

*855 is reserved for TTY services in the 800 NPA.
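As an added example (not from the FAQ's author and not an official NANPA tool), a small Python normaliser and classifier that turns numbers written the way this FAQ writes them (hyphens, a leading long-distance 1, or vanity letters such as 1-800-893-LINE) into NPA-NXX-XXXX digits and then labels the NPA and the exchange according to the SAC list in 8.2.1 and the special prefixes in 8.3.2. The keypad letter mapping is the standard one; the descriptions are transcribed from this FAQ, not from an assignment table.

```python
"""Normalize and classify NANP numbers as this FAQ describes them.

Added example.  SAC_CODES, RUMORED_TEST_NPAS and the exchange notes are
transcribed from sections 8.2.1 and 8.3.2 of the FAQ; the letter-to-digit
mapping is the standard telephone keypad.
"""
import re

# Standard keypad letters -> digits (vanity numbers like 1-800-893-LINE).
_KEYPAD = {}
for _digit, _letters in (("2", "ABC"), ("3", "DEF"), ("4", "GHI"), ("5", "JKL"),
                         ("6", "MNO"), ("7", "PQRS"), ("8", "TUV"), ("9", "WXYZ")):
    for _ch in _letters:
        _KEYPAD[_ch] = _digit

# Service Access Codes (non-geographic NPAs) as listed in 8.2.1.
SAC_CODES = {
    "456": "international inbound routing",
    "500": "'follow me' forwarding services",
    "600": "Canadian datalink",
    "700": "carrier-defined",
    "710": "U.S. Government",
    "800": "toll free", "888": "toll free", "877": "toll free",
    "866": "reserved for future toll free", "855": "reserved for future toll free",
    "900": "pay-for-play call services",
}
# NPAs the FAQ only reports as rumored test codes.
RUMORED_TEST_NPAS = {"200", "300", "400"}


def normalize(number):
    """Return the 10-digit NPA-NXX-XXXX form, or raise ValueError.

    Letters are converted via the keypad, punctuation and spaces are
    dropped, and a leading long-distance '1' is removed.
    """
    digits = "".join(_KEYPAD.get(ch, ch) for ch in number.upper() if ch.isalnum())
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]
    if not re.fullmatch(r"[0-9]{10}", digits):
        raise ValueError(f"not a 10-digit NANP number: {number!r}")
    return digits


def classify(number):
    """Describe the NPA and exchange of `number` using the FAQ's tables."""
    d = normalize(number)
    npa, nxx, line = d[:3], d[3:6], d[6:]
    info = {"npa": npa, "nxx": nxx, "line": line, "dialable": True, "notes": []}

    if npa in SAC_CODES:
        info["kind"] = "sac"
        info["notes"].append(f"SAC {npa}: {SAC_CODES[npa]}")
    elif npa in RUMORED_TEST_NPAS:
        info["kind"] = "rumored-test"
        info["notes"].append(f"{npa}: rumored to be reserved for test purposes")
    elif npa[0] in "01":
        info["kind"] = "invalid"
        info["dialable"] = False
        info["notes"].append("an NPA cannot begin with 0 or 1")
    else:
        info["kind"] = "geographic"

    # Special prefixes from 8.3.2.
    if nxx[0] in "01":
        info["dialable"] = False
        info["notes"].append("0XX/1XX exchange: only reachable from an operator position")
    elif nxx == "555":
        info["notes"].append("555: directory assistance, pay-for-play CNA and similar")
    elif nxx == "959":
        info["notes"].append("959: holdout test exchange from the Ma Bell days")
    elif nxx == "855" and npa == "800":
        info["notes"].append("800-855: TTY services")
    return info


if __name__ == "__main__":
    for n in ("1-800-893-LINE", "(312) 555-1212", "212-959-0000", "212-059-1234"):
        print(n, "->", classify(n))
```

The `dialable` flag is the interesting output for a defender: a number that parses cleanly can still be one a subscriber line cannot reach, which is exactly the 0XX/1XX case the FAQ describes.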
 

8.3.3 Are there unpublished (secret) exchanges?

Yes, there are exchanges that aren't published but are still in use for various purposes. Some sensitive test numbers are likely in hidden exchanges. Sadly, hidden exchanges are becoming more rare due to pressure for more phone numbers and
 

8.3.4 How do I find unpublished (secret) exchanges?

If you happen to get test numbers out of the trash or out of trucks, check to see if the exchanges they're in are listed in the phone book. A better way to fetch special exchanges is to go to NANPA.com and download the 'Central Office Code Assignments' in whatever area (as of this distribution of the FAQ only California and Nevada exchanges are available), and compare the utilized exchange list against a list of published exchanges. Keep in mind that "Utilized" means exchanges assigned, reserved, protected, held for future use, test, and special-use prefixes.

8.3.5 Where can I find a list of exchanges that labels who's assigned what?

Telephone Prefix Location List
http://www.thedirectory.org/pref/
 

Fraud:

I never wanted to put this section in, but at the rate that alt.phreaking comes up with dumb questions about ripping off service it needs to be done.

What boxes still work?

Fixer comes to the rescue of the rank and file once again. Fixer's Box Review
 

How do I build box X?

Check here.
 

What is cloning?

Cloning is a method of fraudulent billing via a cellular phone.

How does cloning work?
 

How do I clone?

13.5 Cellular phone data
It is possible to snag analog cellular ESN/MIN numbers off of the air as they are transmitted by the cellular phone to the telco. This is a fairly complex subject, and it requires a significant degree of technical skill. Basically, one must build something called a Hamcomm interface to convert the discriminator output into a format that a serial port can interpret. Then, software such as Snarf can be used to decode the cellular data streams into usable ESN/MIN numbers. The exact process involved, however, is beyond the scope of this FAQ. More information on this can be accessed through Brian Oblivion's Radiotelephony Archive.

Ground Start Fraud

Inserting a pin into the center of a payphone receiver will do nothing. Bright mode payphones don't use a coin ground to signal payment, and most BOCOTs (Elcotel for sure) have a specific counter to this.

C12

Has its own FAQ file.

9.0 Reference

9.1 What are some newsgroups that deal with phreaking?

Alt.Phreaking is your best bet as far as general phreaking is concerned. Scary thought.

Alt.2600 A zoo.

Alt.Phoneloser

Alt.2600.phreakz has supposedly fallen apart

de.org.ccc -German H/P newsgroup run mainly by the Chaos Computer Club

Alt.ph.uk is an excellent group for those in the UK, good FAQ file too.

9.3 What are some newsgroups that deal with telephony?

comp.dcom.telecom

comp.dcom.telecom.tech

9.4 What are some good phreak websites?

Rancho Nevada (Fixer's Site)
http://phreaking.iscool.net

Textfiles.com
http://www.textfiles.com

The Phone Punx Network
http://fly.to/ppn

Nettwerked
http://www.nettwerked.net

Hack Canada
http://www.hackcanada.com

9.5 What are some good phreak ezines?

Phone Losers of America is good not only for a laugh, but it will give you an idea of how easily exploited people can be.
http://www.phonelosers.org

Security Breach
available from the PPN website

Phrack
http://www.phrack.com

Phone Punx Magazine
http://fly.to/ppn

9.6 What are some good phreak print zines?

2600
www.2600.com

Subscription info:
2600 Subscription Dept
PO Box 752
Middle Island, NY 11953-0752

Subscription fees: United States: $21/yr individual, $50 corporate.
Overseas: $30/yr individual, $65 corporate.

9.7 What are some good telecom sites?

The FCC: The government agency that regulates us. Take a peek at their site, as they publish some neat stuff. (http://www.FCC.gov)

Telecom Archives: This page is an archive of the comp.dcom.telecom newsgroup. The FAQ is excellent, the articles are good and if all else fails you can post to the newsgroup. (http://hyperarchive.lcs.mit.edu/telecom-archives/)

Telecom Information Resources: This is simply a monstrous list of telecom/networking FAQs and sites. Don't bother unless you're looking into arcane topics and have a good working knowledge of the topic already; most people listed on this site never heard about KISS. (http://www.spp.umich.edu/telecom/technical-info.html)

PacBell Search: Surprisingly helpful, PacBell search will outline lots of InterLATA carrier information for you (including the law), COCOTs, and other sundry phone related info. (http://www.pacbell.com/ir/search/index.html)

LexiCat Search Demo: This site is a REAL gem. It offers a searchable index of terms (it cross references everything), as well as articles and reports on related topics. Warning: This is a demo for a product. After 10 searches it resets itself and won't allow you back. Reload the page after every few searches or else. (http://www.tra.com/cgi-bin/ft-LexiMot/ID=19970912152925603/lexi7800.html)

Blackbox Search: Try their search if you need info on LANs or direct connection. This is an online catalog, but you can still extract enough useful stuff to make going here worthwhile. (http://www.blackbox.com)

Lucent: These people are pretty straightforward about what they offer. Lucent makes STUFF, unlike Bellcore which peddles information. Accordingly, Lucent will talk and talk and talk about their products. (http://www.lucent.com/search/search.html)

Raytheon: These people unsettle me a bit. Raytheon is a blanket electronics firm that holds primarily DoD contracts. If you have a morbid interest in missile guidance you'll LOVE this site. They also hold the contracts on encrypted voice switches used in the DSN. (http://www.electrospace.com/business/telecomm.htm)

Lockheed Martin: Now controls NPA allocation (They bought it from Bellcore. Here ends an era.), and is happily distributing for free all sorts of useful information Bellcore used to sell for A LOT of money. This site lists all SACs, NPAs, and some stuff I didn't think was publicly available. (http://www.nanpa.com/)

- Outside Plant Magazine is a great reference. Subscriptions may be obtained from http://www.ospmag.com Fill out a reader response card too, the manufacturers have some really cool promo materials.

- Jensen Tools sells every piece of gear you could ever want, including lots of strange specialized stuff like tools to open payphone housings. (http://www.jensentools.com)
 

9.8 What's a newsline?

Newslines are tape recorders connected to phones.... sorta. When you call a newsline it will play the tape, which will be information pertinent to the company or organization who runs the service. Most if not all of the RBOCs have newslines to keep personnel informed in the field. A few union locals have newslines too. They're a good way of keeping up on what's going on in the company. These things used to be really popular (Nynex had 20 separate ones once upon a time, when there was a Nynex), but are consolidating into RBOC newslines now.

1-800-893-LINE: Ameritech News
1-800-647-NEWS: Bell Atlantic News
1-800-879-8632: US West News
 
 

10.0 Tools and Toys

10.1 What tools should I have in my 'kit'?

Every so often, someone asks what sort of tools they should be carrying, or writes an article on 'Field Phreaking Kits'. There are myriad tools that a phone phreak might find useful depending on what they're doing. Below is a short list of what you might want to have either on your person or in your shop and why.
 

  • A Leatherman, Paratool, Power Pliers or other multi-tool: These things are the greatest. Depending on what you purchase you'll have a selection of screwdrivers, a pair of pliers, a knife, a wire stripper, an awl, and all sorts of other good things.

  • A can wrench: If you do a lot of beige boxing you might want to invest in the tool that linemen use to open enclosures. Can wrenches can be hard to find, but they're sold by specialty telecom companies. Look in the back of Outside Plant magazine for ads. Failing that, a 7/16 hex driver and a 3/8 nut-driver will open any can.

  • A handset or beigebox: The uses for these things abound.

  • A Mini-Maglite: How can you expect to get anything done without a flashlight?

  • A tone tracer and an induction probe: I've found some neat uses for these... though they're hardly necessary for standard work.

  • A good multi-meter: A good multi-meter will be a great help to you at one point or another, especially if wiretapping is your thing or you get called on to install some phones.


    10.2 Handsets

    10.2.1 What's a handset/buttset/test set?

    A handset is a telecom test device that pretty much serves as a normal phone. Some of the flashier ones have extra features (loss/voltage/impedance measurements, redial, a ringer, speakerphone, caller-ID), but the point is to be able to connect a phone to a pair of wires. A handset will allow you to make 'free' phone calls, tap lines, and diagnose troubles.

    10.2.2 Where shouldn't I get a handset?

    From a truck. If you snitch a tech's handset he'll be out the cost of the set, and likely be suspended for a week.

    10.2.3 Where should I get a lineman's handset?

    Ebay

    Contact East, 335 Willow Street, North Andover, MA 01845-5995, (508) 682-2000

    Jensen Tools, 7815 S. 46th Street, Phoenix, AZ 85044-5399, (800) 426-1194

    Specialized Products, 3131 Premier Drive, Irving, TX 75063, (800) 866-5353

    Time Motion Tools, 12778 Brookprinter Place, Poway, CA 92064, (619) 679-0303

    10.3 Where can I get a DTMF decoder?

    Before you sink a hundred bucks into a DTMF decoder, ask yourself if you really need a dedicated decoder. Beepers will serve rather well as DTMF decoders. Simply record the number you want decoded and play it into your beeper. Many customer service numbers or voicemail numbers will decode touchtones too. Honest to god DTMF decoders can be purchased at Ham radio shops, better electronics stores, and spy shops if you’re REALLY desperate. Most phreak zines will publish schematics for them once or twice during their production.

    10.4 Where can I get a good scanner?

    Hamfests are a great resource for radio gear. Online auctions also seem to have the damndest things.

    10.5 Where can I get an acoustic coupler?

    Telecoupler and Blackbox both sell acoustic couplers for a bit more than $100 a piece. Keep in mind that using a coupler is very obvious, and throughput over a payphone blows no matter how fast your modem is.
     

    10.6 Where can I get (Some specific telephone related tool or device)?

    Central Office Equipment/Heavy Stuff: http://www.telecombids.com/

    Military/Esoteric Stuff (If you can't find it elsewhere try here): http://www.drms.dla.mil/

    Contact East, 335 Willow Street, North Andover, MA 01845-5995, (508) 682-2000

    Jensen Tools, 7815 S. 46th Street, Phoenix, AZ 85044-5399, (800) 426-1194

    Specialized Products, 3131 Premier Drive, Irving, TX 75063, (800) 866-5353

    Time Motion Tools, 12778 Brookprinter Place, Poway, CA 92064, (619) 679-0303
     
     


    11.0 Dirty Tricks

    11.1 Tapping

    All questions regarding telephone surveillance have been transferred to another project.

    11.2 Can I really turn someone's phone into a payphone? I saw it in a movie!!

    Sure you can turn a normal phone into a payphone. Of course, it isn't easy. To alter someone's class of service you need to access RCMAC or switching control and add a 'DTF' flag to that line.
     
     

    12.0 Trashing

    12.1.1 What is trashing?

    Trashing is the practice of digging through people's trash, usually for credit card information, damaging personal information, useful goods that have been thrown out carelessly, for the fun of it, etc. In the phreaking sense, trashing is done to gather telco documents, phone numbers, equipment, and the always treasured bell hard hat. Some phreaks also trash other places such as electronic stores to try and find equipment. The most popular places for phreaks to trash are central offices, celcos and various computer stores.

    12.1.2 Is trashing illegal?

    If you do not belong on the property that you are trashing, then it's trespassing. Some states have even passed laws with separate penalties for trashing. If you get caught trashing and you're not on overtly private property (i.e. no fences), be polite and tell the truth... sorta. You're recycling stuff, and were hoping to make a neat find in this dumpster (which is the complete truth). The paper is only printed on one side, so you were going to use it for scratch paper. Whatever you do, try to be neat about it. Don't make it look like you were there and don't damage other people's property.
     

    12.2.1 How do I find my local central office?

    Keep an eye out. COs are usually very conspicuous (Bell Atlantic is fond of gargantuan banners and signs), often having a large sign with the name of the local telco outside.

    If you have the means there are a handful of programs for locating COs. They provide a neat set of facts about the office, too.

    CO Finder for Windows at www.stuffsoftware.com/cofinder.html.
    NPA for Windows at www.pcconsultant.com/dlnpa.htm
    LATTIS PRO at http://www.triquad.com/web-uai/text.html
     

    MapQuest's telephone search feature homes in on the location of the serving central office.
     
     

    13.0 Scanning

    13.1 What is scanning?

    In phreaking terms, there are two different types of scanning. The first one is called exchange scanning. This is where you scan an exchange in hopes of finding a certain type of number. Most of the time exchange scanning is done with a wardialer, a program that scans the exchange for you and saves the numbers in a separate file so you can review the results later. Scanning can also be done by hand, which is called manual scanning. Most of the time people scan exchanges for terminal numbers. However, test numbers, voice mail boxes, and other such numbers are often scanned for. Another type of scanning is frequency scanning. This is the same type of radio frequency scanning that Ham radio buffs do, using scanners that you can get at Radioshack and other electronics stores. The phreaking purpose of this is to pick up cordless and cell phone conversations. Some use this just to hear other people's conversations but others use it to get credit card numbers and other personal information that people carelessly say on wireless phones. Visit the PLA at http://www.phonelosers.org for more information on frequency scanning.
     

    13.2 Exchange scanning

    13.2.1 Where should I be scanning?

    Most test numbers are concentrated in the -00XX and -99XX ends of an exchange. If you're really serious about it though, plugging a list of residential phone numbers into a wardialer's blacklist and having at it is an insanely effective method.

    13.2.2 How did the phone company find out I was wardialing?

    Wardialers are a good way to get the phone company's attention. They have equipment that notifies them of repeated sequential dialing and abnormal amounts of toll free calls. If you want to wardial, make sure your program does the following: randomizes the time between calls and randomizes the sequence of calls (so they're non-sequential). You might want to beige it too.
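The telco-side view of the detection described in 13.2.2, as an added example (not the FAQ's and not any carrier's actual system): a small Python detector that runs over constructed call-detail records (the CDR line format, the thresholds and the sample lines are all invented for illustration) and flags the two things the FAQ says the phone company watches for, repeated sequential dialing and an abnormal number of toll-free calls. It also adds an assumed, order-independent check on how many distinct numbers inside one NPA-NXX a single line has dialed within the window, which is what a fraud desk would want because a strict sequence check alone misses shuffled dialing.

```python
"""Flag wardialing patterns in call-detail records (the telco's side of 13.2.2).

Added example.  The CDR format, the thresholds and SAMPLE_CDRS are all
constructed for illustration; the 959 exchange is the test exchange the
FAQ mentions and the 555 numbers are fictional.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CDR lines: "timestamp,originating number,called number"
SAMPLE_CDRS = """\
1999-03-02T01:00:05,2125550100,2129590000
1999-03-02T01:00:41,2125550100,2129590001
1999-03-02T01:01:17,2125550100,2129590002
1999-03-02T01:01:52,2125550100,2129590003
1999-03-02T01:02:30,2125550100,2129590004
1999-03-02T01:03:09,2125550100,2129590005
1999-03-02T01:05:00,2125550100,8005551000
1999-03-02T01:05:30,2125550100,8005551001
1999-03-02T01:06:00,2125550100,8005551002
1999-03-02T09:15:00,2125550199,2125551212
1999-03-02T09:40:00,2125550199,3125559600
"""

SEQUENTIAL_RUN = 5        # consecutive ascending numbers that raise an alert (assumed)
BLOCK_DENSITY = 5         # distinct numbers dialed inside one NPA-NXX (assumed)
TOLL_FREE_MAX = 2         # toll-free calls allowed per line per window (assumed)
TOLL_FREE_NPAS = {"800", "888", "877"}
WINDOW = timedelta(hours=1)


def parse_cdrs(text):
    """Parse CDR lines into (timestamp, originating, called) tuples, time-ordered."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, orig, called = line.split(",")
        records.append((datetime.fromisoformat(ts), orig, called))
    records.sort()
    return records


def detect(records):
    """Return a sorted list of unique (originating line, reason) alerts."""
    by_line = defaultdict(list)
    for ts, orig, called in records:
        by_line[orig].append((ts, called))

    alerts = set()
    for orig, calls in by_line.items():
        # Slide a WINDOW-long window over this line's calls, in time order.
        for i in range(len(calls)):
            start = calls[i][0]
            window = [c for t, c in calls[i:] if t - start <= WINDOW]

            # 1. Repeated sequential dialing: an ascending run of consecutive numbers.
            run = 1
            for a, b in zip(window, window[1:]):
                run = run + 1 if int(b) == int(a) + 1 else 1
                if run >= SEQUENTIAL_RUN:
                    alerts.add((orig, "sequential dialing"))
                    break

            # 2. Exchange coverage, order-independent: many distinct numbers in one NPA-NXX.
            per_block = defaultdict(set)
            for c in window:
                per_block[c[:6]].add(c)
            for block, numbers in per_block.items():
                if len(numbers) >= BLOCK_DENSITY:
                    alerts.add((orig, f"exchange sweep of {block[:3]}-{block[3:]}"))

            # 3. Abnormal volume of toll-free calls.
            toll_free = sum(1 for c in window if c[:3] in TOLL_FREE_NPAS)
            if toll_free > TOLL_FREE_MAX:
                alerts.add((orig, "excess toll-free calls"))
    return sorted(alerts)


if __name__ == "__main__":
    for line, reason in detect(parse_cdrs(SAMPLE_CDRS)):
        print(f"{line}: {reason}")
```

On the constructed records the first line trips all three checks and the second, which makes two ordinary calls, trips none; shuffling the order of the 959 calls would silence the sequential check but not the exchange-coverage one.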