k-18-(8)-01 OoO=o=oOO=o=O=OoO=o=oOO=o=O=OoO=o=oOO=o=O=> OoO=o=oOO=o=O=OoO=o=oOO=o=O=OoO=o=oOO=o=O=> OoO=o=oOO=o=O=> : -`- -`- OoO=o=oOO=o=O=> ; _|_--oOO--(_)--OOo--_|_ OoO=oOO==OoO=o=oOO=o=O=> | ¡ K-1ine Zine ! | OoO=o=oOO=o=O=> ! issue 18, volume 8 ¡ OoO=o=oOO=o=O=OoO=o=oOO=o=O=> ---------O^O---- OoO=o=oOO=o=O=OoO=o=oOO=o=O=> ;. |__|__| OoO=o=oOKill=o=OYourOoO=o=ParentsoOO=o=O=OoO=o=oOO=o=O=> || || OoO=o=oOO=o=O=OoO=o=oOO=o=O=OoO=o=oOO=o=O=> ooO Ooo OoO=o=oOO=o=O= OoO=o=oOO=o=O=OoO=o=oOO=o=O=> OoO=o=oOO=o=O=OoO=o=oOO=o=O=KillO=o=ooOYourself=o=OoO=o=> ;`-.> August 2001 <=o=O=o=O=o=O 'Too Many Secrets' "The belief that enhanced understanding will necessarily stir a nation to action is one of mankind's oldest illusions." _____________________________________________________________________________ » .- Words from the Editor -. « | *: [-] Introduction .......................................... The Clone :* *: (-) Contact Information ................................... The Clone :* *: (-) Affiliate Web-Links ................................... Nettwerked :* *: (-) Advertisment .......................................... HackerSalvage:* *: (-) Advertisment .......................................... FlipperSmack :* *: (-) The Canadian Phreakers Union - Same Name, New Look .... The Clone :* *: (-) TRAPFONE - now online ................................. The Clone :* *: (-) Link of the Month ..................................... RT :* *: (-) K-1ine Mirrors ........................................ The Clone :* *: (-) Nettwerked Movie Mirrors .............................. Nettwerked :* ____________________________________________________________________________ » .- Documents -. « | *: (x) 'CRTC ASSIGNS ACCESS NUMBER 211 TO PUBLIC' ............ "CRTC" :* *: (x) 'Additional TracFone Documentation' ................... The Clone :* *: (x) "Miscellaneous Switching Source-Code" ................. M4chine :* *: (x) 'An Introductory Guide to DATU Systems' ............... The Clone :* *: (x) 'Rogers AT&T Billing Vulnerability; Part II' .......... The Clone :* _____________________________________________________________________________ » .- Conclusion -. « | *: [-] Credits ............................................... The Clone :* *: [-] Shouts ................................................ The Clone :* _____________________________________________________________________________ Introduction - Welcome to another addition of K-1ine 'zine. This month I have a nice bunch of files for you all - lots of telecommunications information for your intake. Well well, I'm fuckin' hot as hell sitting in this stuffy and non-air circulated room while listening to Orbital's "Insides" album, drinking Silent Sam vodka, and writing... thinking about my utter disgust for humanity and society. Here's an interesting piece of information I was told about today: Emmanuel Goldstein from 2600 magazine has been making a lot of reference to 2600sucks.com (the domain I currently own and have directing to Nettwerked.net) such as last weeks "Off The Hook", and more recently this past weekend at a hacker conference ('HAL2001') where he had a speech about CyberSquatting. I'll be sure to post the speech transcripts on a future issue of K-1ine when I get a hold of them. Now sit back, relax, and enjoy this goddamn motherfuckin' issue... --> Contact Information; =-=-=-=-=-=-==-=-=-= Comments/Questions/Submissions: theclone@hackcanada.com On IRC: irc.2600.net - #hackcanada, #cpu (key) Shoot me an ICQ message: (UIN) 79198218 Check out my site: (Nettwerked) http://www.nettwerked.net --> =-=-=-=-=-=-==-=-=-= Affiliate Web-Links: =-=-=-=-=-=-==-=-=-= CPU http://www.nettwerked.net/cpu * Damage Incorporated http://www.freeyellow.com/members6/damage-inc/index.html Grass Hopper Unit http://www.ghu.ca Hack Canada http://www.hackcanada.com H410G3N-dot-com http://www.h410g3n.com Phreak BC http://www.phreakbc.com PyroFreak http://www.multimania.com/pyrozine/index.html TRAPFONE http://www.trapfone.com * * = featured sites of Nettwerked Incorporated -- -- Advertisment -- +++ WWW.HACKERSALVAGE.COM +++ HackerSalvage.com is a non-profit website dedicated to keeping old hardware in circulation. Many of us have piles of it sitting around but can't just toss it out. Here you can post computer items for sale or post a want ad for items you are looking for. A perfect place to get rid of perfectly good junk.... and get some new stuff to rebuild the pile. +++ +++ -- Flippersmack AD - "Flippersmack is a culturemag for a penguin generation. What does this mean? Articles and reviews from your favorite writers. The low-down on what's fresh in tech, comics, movies, and music. Wrapped in a style all its own." "We will strive to release Flippersmack every week; a taste of insanity to inspire, inform, and entertain. From the creators of System Failure and Avalanche, there's a new zine out on the net: FLIPPERSMACK!" You can read the first fourteen issues at: http://www.nettwerked.net/flippersmack001.txt http://www.nettwerked.net/flippersmack002.txt http://www.nettwerked.net/flippersmack003.txt http://www.nettwerked.net/flippersmack004.txt http://www.nettwerked.net/flippersmack005.txt http://www.nettwerked.net/flippersmack006.txt http://www.nettwerked.net/flippersmack007.txt http://www.nettwerked.net/flippersmack008.txt http://www.nettwerked.net/flippersmack009.txt http://www.nettwerked.net/flippersmack010.txt http://www.nettwerked.net/flippersmack011.txt http://www.nettwerked.net/flippersmack012.txt http://www.nettwerked.net/flippersmack013.txt http://www.nettwerked.net/flippersmack014.txt -- The Canadian Phreakers Union - Same Name, New Look "The Canadian Phreakers Union is a last attempt to revive the underground culture from which we began: CPU, which stands for "Canadian Phreakers Union" is a Canadian based phone phreak organization with headquarters in Edmonton, Alberta, Canada. Telecom information is something we believe should be exchanged between a small number of people who are interested in the similar things. Basically what we exchange between each other are codes, exploits, numbers, scans, tricks, tips and just about anything that has to do with the telephone system; all discussed in a private irc channel." http://www.nettwerked.net/cpu - TRAPFONE - now online HELP BOYCOTT TRACFONE WIRELESS, INC. FOR MORE INFORMATION PLEASE VISIT: WWW.TRAPFONE.COM "TRAPFONE; Your Wireless Savour" - --=[ LINK OF THE MONTH ]=-- Every month I post one really great "link of the month" on every issue of K-1ine magazine. The link can be anything in the technology industry, music scene, rave scene, punk scene, or even a good article you read on a news site. I'll be taking submissions via e-mail, ICQ, or IRC right away; so get your links in and maybe you'll see it in the next issue of K-1ine! For the month of August, the link of the month is: http://www.tron-movie.com/2.0/ A Newer, Slicker version of the movie you loved as a kid! [submitted by: RT] -- K-1ine Mirrors: http://the.wiretapped.net/security/info/textfiles/k1ine/ "Wiretapped.net is an Australian site offering an archive of open source software, informational and advisory textfiles and radio/conference broadcasts covering the areas of network security, network operations, host integrity, cryptography and privacy. We aim to become the largest archive of this nature in the Asia/Pacific region through steady growth of our archives and regular updates to them (most updated nightly). We are proudly telehoused on a 10Mbit/sec connection by Connect.com.au using OneGuard hardware donated by eSec Limited. The archive, along with its sister site on the same machine, The AusMac Archive, generates between 10 and 60 gigabytes of outbound traffic daily. Wiretapped.net is hosted in Sydney, Australia." -- Def Con 9 coverage for 'Nettwerked: The Movie' is now online! Please download from the following mirrors: Disclaimer: If you're under 18, don't watch this video. Contains scenes of nudity and drunkin' hackers 'n' phreakers acting silly. * Mirror #1: http://lumo.eghetto.ca/~theclone/defcon9.wmv (the_p0pe's server, Nova Scotia, Canada, 4Mbps) * Mirror #2: http://www.pstis.com/defcon9.wmv (h410g3n's server, Edmonton, Canada, 4Mbps) * Mirror #3: http://www.h410g3n.com/defcon9.wmv (h410g3n's server, Leduc, Canada, 4Mbps) * Mirror #4: http://www.plappy.com/defcon.wmv (Plappy's server, Edmonton, Canada, 2Mbps) * Mirror #5: http://the.wiretapped.net/multimedia/defcon9.wmv (Wiretapped.net server, Sydney, Australia, 10Mbps) * Mirror #6: http://sniperwolf.powersurfr.com/~theclone/defcon9.wmv (son4r's server, Edmonton, Canada, 2Mbps) * Mirror #7: http://www.nurotek.net/linux/media/defcon9.wmv (Nurotek Networks server, California, USA, via two 45Mbps pipes) Help mirror my video! 32.1MB's, 103 kb's / sec, 43:36 minutes, Windows Media Format; MPEG-4. Send all new mirror URLs to: theclone@hackcanada.com -- CRTC ASSIGNS ACCESS NUMBER 211 TO PUBLIC INFORMATION AND REFERRAL SERVICES August 9, 2001 OTTAWA-HULL The Canadian Radio-television and Telecommunications Commission (CRTC) has assigned access number 211 to a new, toll free service that will supply information and referrals about community, social, health and government services. The United Way of Canada and a number of other agencies brought the application for three-digit dialling access to the Commission last year. In its bid for the access number, the United Way group was supported by many parties, including municipalities, regional and provincial governments, local distress centres, Kids Help Phone, volunteer centres and community medical services. "Canadians gain in two ways," says David Colville, chairman of the CRTC. "First, the 211 service will help the public find the right person or agency much faster. Second, we now have guidelines in place for allocating the three-digit access numbers." Access numbers In North America, three-digit access numbers are reserved for specific services. Until now, in Canada, the only access numbers left were 211 and 311. 411 service is used for directory assistance. 511 has been held in reserve in Canada for access to Message Relay Service (MRS) by hearing persons to communicate with deaf persons, and 711 provides access to MRS by the deaf. 611 is used for telephone repair assistance, 811 is currently reserved for telecommunications service providers' business offices and 911 is used for emergency services. Guidelines for assigning three-digit access numbers In mid-2000, the United Way and the Canadian National Institute for the Blind applied to the CRTC for the use of three-digit access numbers. In November 2000 the CRTC asked for public comment on how to make the best use of the unassigned three-digit access numbers. Respondents included telecommunication companies, government representatives, non-profit organizations, various enterprises and private citizens. Applicants and other parties took advantage of the opportunity to contribute to the development of these guidelines. Taking all the input into account, the CRTC established the following guidelines for assigning a three-digit access number: * There is a compelling need to serve the broad public interest that would not be satisfied as effectively or efficiently by other dialling arrangements; * The number is to a specific service or services, not to an organization; * Assigning the number will serve the broad public interest (including providing access to the telephone network to disadvantaged individuals or groups); * The service does not confer a competitive advantage on those providing it; * The services reached by the number are available over a wide geographical area and are provided for full-time or extended hours; and, * Where possible, the number does not pose a conflict with the North American Numbering Plan and is in keeping the guidelines of the Canadian Steering Committee on Numbering. United Way group application The United Way group applied in June 2000 for the use of 211 to provide non-commercial, Canada-wide access to information and referrals. In its application, the United Way group said organizations taking part in the information and referral services would have to meet standards developed by social service agencies and would have to be endorsed by local government. Providers of information and referral services will have specialists to assist callers and a database of information about community and government services. There will also be standards for the use of various call centre technologies, access for people with disabilities and multilingual access. At first, the service will be offered 70 hours a week. The aim is to extend this to 24 hours a day, seven days a week. It is expected that the services will be established nation-wide over the next ten years. While access to the 211 service will be free to the public, long-distance charges will be negotiated with the carrier and paid for by the information and referral service provider. Telecom carriers will be responsible for implementing 211 dialling. The Commission directed parties involved in implementing 211 access to use the CRTCs Interconnection Steering Committee (CISC) to address any technical issues that arise. CNIB application While it approved the application of the United Way group, the CRTC did not approve an application by the CNIB for a three-digit access number for its information service. The CNIB currently operates a reading and information service for blind and print-impaired persons, consisting of access to newspapers, magazines, reference and information services. The Commission recognizes the value of CNIB's information service, however it does not meet the guidelines for assigning three-digit access numbers. CNIB did not demonstrate that three-digit dialling is necessary for access to its service, which is currently available via conventional dialling arrangements. Furthermore, a password would be required for access to the service, thus limiting its use to specific people. These and other concerns with the CNIB application were noted by many opposing parties including some groups representing blind and disabled Canadians. The Commission encourages information and referral service providers to assist blind and print-impaired callers to make effective use of the CNIB's existing information services. Reference document: Decision CRTC 2001-475 General Inquiries: Ottawa, Ontario K1A 0N2 Tel: (819) 997-0313, TDD: (819) 994-0423, Fax: (819) 994-0218 Toll-free # 1-877-249-CRTC (2782), eMail: info@crtc.gc.ca TDD - Toll-free # 1-877-909-2782 Media Relations: Denis Carmel, Tel: (819) 997-9403, eMail: denis.carmel@crtc.gc.ca -- Additional TracFone Documentation - Written by: The Clone Last Modified: July 31, 2001 Reference file: www.nettwerked.net/trapfone.txt Official Web-site: www.trapfone.com Add 22 Units, example PIN pattern: *#33248# 351113928640001534XXXXXXXXXX *00##0 SEND 0108508300003015 SEND Reset Codes: *#33248# **00##0 SEND END 20144471340001534XXXXXXXXXX "CODE ACCEPTED" 1836127313041701 SEND - Example: TracFone has a deal going on that gives you 30 free minutes to your phone if you purchase three cards in a row before their expiry dates kick in... - Customer purchases a $7.99 TracFone pre-paid phone card, expires June 30 - Customer purchases another $7.99 Tracfone pre-paid phone card, expires June 30 - Customer purchases a $20 out-of-state TracFone pre-paid card from Hawaii, expires June 30 - Customer enters: *#32248# and the PIN codes affiliated with the cards he purchased. - Customer verifies the free time deal on TracFone's official web-site: www.tracfone.com Customers original total was: 152 Units Customers total with deal should be: 182 Units Customers actual total: 212 Units Q: Where did the additional 30 free minutes come from? A: Who knows. My guess is the FCC... ;) Q: What are we dealing with here? A: We're dealing with a flaw in TracFone's HLR-like (Home Location Register) billing system. This flaw, though very beneficial to customers, proves to be quite a large one. With enough patience, one could really exploit in a way that would allow them to make a lot of free phone calls. This, among thousands of other telco bugs have been discovered (and are waiting to be discovered) throughout the industry's many years of existance. Telco bugs are slowly patched after years of exploitation by phone phreaks, but patching doesn't do anything but spring up a dozen or so more bugs just waiting to be patched by the slow and (often) lazy phone companies. The real problem lays in the hands of the telco engineers and programmers. By keeping the software the programmers write and the hardware the engineers develop in a completely proprietary format, the progression in security and overall functionality of the finished product is less than acceptable. What the telecommunications industry needs to do, is to start releasing their developed software and hardware in open-source or open-source-like format. Start by having a large group of telecom security experts as well as engineers and programmers from around the world help to improve the product - this will create whole new jobs, improve functionality and security 10-fold, and destroy the software monopolies companies like Nortel and Lucent have over us. -- clone and I were unfing years before space robots did :) -- "Miscellaneous Switching Source-Code" Date: 08/14/01 From: M4chine E-mail:m4chine@fucktelus.com LINETOOLS version 1.2 send sink % LINETOOLS % version 1.2 % This profile is designed to provide very restricted access to LTP commands % xxx users of this profile require a privclass of 9 and only 9 % Note the "PROFILE" command itself requires privclass of 0 this privclass shou ld % be removed from the user once the profile has been set. % LINETOOLS uses dump unsafe commands and should not be used between 21:55 and 23:00hrs % Please refer any queries regarding the operation of this program to the NSC % directory linetools attach linetools erase dnfbs erase goltp erase forcebusy erase linestate erase busy erase rets erase fbusyX send previous COMMAND lt (PRINT 'LINETOOLS:') PRINT 'Type HELPSTATE for linestate details' PRINT 'Type HELPTOOLS for commands' PRINT ' '; PRINT 'Linestate does not remain live. '; PRINT 'To see changes in line state you must repeat the linestate command. '; % COMMAND helpSTATE ( PRINT 'STATE meaning'; PRINT 'IDL Okay, no call in progress '; PRINT 'CPB Call probably in progress / faulty if CPB from r ets '; PRINT ' DO NOT Forcebusy a line in the CPB state'; PRINT 'BSY INB Line not put into service '; PRINT 'MB Manually busy '; PRINT 'PLO Permanent loop '; PRINT 'SB System busy ';lt;) % COMMAND helpTOOLS ( PRINT 'COMMAND meaning'; PRINT 'LINESTATE XXXXXXX Displays the state of line XXXXXXX'; PRINT 'BUSY XXXXXXX Takes line XXXXXXX out of service '; PRINT 'FORCEBUSY XXXXXXX Forces the line XXXXXXX into the MB state'; PRINT 'RETS XXXXXXX Attempts to return line XXXXXXX to service';HQDN) COMMAND HQDN (PRINT 'QDN XXXXXXX Displays directory number details'; PRINT 'QLEN HOST/MUXS XX X XX XX Displays line equipment details'; PRINT 'ABORT IF YOU GET STUCK';lt) % COMMAND dnfbs (send sink;'UNSPECIFIED LINE'->dnfb;erase yes;erase no;send previous) COMMAND goltp (mapci nodisp;mtc;lns;ltp;) COMMAND forcebusy (dnfbs;send sink;@1->dnfb; If (dnfb ^= 'UNSPECIFIED LINE') then (COMMAND yes (fbusyX dn fb)); COMMAND no (Print 'No action taken';lt); send previous; Print ' Never FORCEBUSY a line that is in the CPB state '; Print ' Are you sure you want to forcebusy?' dnfb ' yes/no ' ;) COMMAND linestate (send sink;@1->dnq;goltp;send previous;post d dnq PRINT;quit mapci;dnfbs;lt;) COMMAND busy (send sink;@1->dnq;goltp;post d dnq;bsy;send previous;post d dnq PRINT;quit mapci;dnfbs;lt;) COMMAND fbusyX (send sink;@1->dnq;goltp;post d dnq;frls;send previous;post d dnq PRINT;quit mapci;dnfbs;lt;) COMMAND rets (send sink;@1->dnq;goltp;post d dnq;rts;send previous;sleep 4 ;post d dnq PRINT;quit mapci;dnfbs;lt;) - Permissions send sink % PERMISSIONS % THIS FILE CONTAINS THE PERMISSIONS FOR USER TYPES IN A COMMAND FORM % USER MUST BE ADMIN % uname MUST BE AN EXISTING USER listsf all erase PN PS PP PV PE PL PC PD PT send previous % print 'PN uname permit as Network Operations user' print 'PS uname permit as Switch user' print 'PP uname permit as Provisioning user' print 'PV uname permit as Provisioning tool (Viper)' print 'PE uname permit as Planning and Engineering' print 'PL uname permit as for LINETOOLS (DESPATCH)' print 'PC uname permit as CDC user' print 'PD uname permit as Digitech' print 'PT uname permit as TAS' % send sink command PN (permit @1 4 7000 ENGLISH 0 1 2 3 4 5 6 10 11 13 16 17 20 21 23 24 25) command PS (permit @1 4 7000 ENGLISH 0 1 2 3 4 5 6 10 11 13 16 17 20 21 23) command PP (permit @1 4 7000 ENGLISH 0 1 2 3 5 10 11 12 13 17 20 21 22 23) command PV (permit @1 4 5000 ENGLISH 0 1 2 5 10 12 20 21 22) command PE (permit @1 4 5000 ENGLISH 1 5 20) command PL (permit @1 4 5000 ENGLISH 9) command PC (permit @1 4 5000 ENGLISH 14) command PD (permit @1 4 5000 ENGLISH 0 1 2 5) command PT (permit @1 4 7000 ENGLISH 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29) send previous - PLO line posting for switch send sink % % PLOCURE % This program posts all the PLO lines % on the switch. % It then determines the number of lines posted % It then force releases and returns each line to service. % It then returns the user to the CI prompt % PLEASE DO NOT MODIFY THIS PROGRAM IN ANY WAY % listsf all erasesf PLOLINES send sfdev PLOLINES quit all;mapci nodisp;mtc;lns;ltp;post s PLO print send previous edit PLOLINES end; linestr->lastline quit strsize lastline -> ssize if (ssize < 38) then ('0'->num) else + (substr lastline 38 (ssize-38) -> num) (decstrtonum num) -> nlines repeat nlines (frls;rts;next) erasesf PLOLINES quit all send previous print 'The number of lines found PLO and force released = ' nlines - System Busy Line Posting for Switch send sink % This program posts all the system busy lines % on the switch. % It then determines the number of lines posted % It then busies and returns each line to service. % It then returns the user to the CI prompt % PLEASE DO NOT MODIFY THIS PROGRAM IN ANY WAY % listsf all erasesf sbsylines send sfdev sbsylines quit all;mapci nodisp;mtc;lns;ltp;post s sb print send previous edit sbsylines end; linestr->lastline quit strsize lastline -> ssize if (ssize < 38) then ('0'->num) else + (substr lastline 38 (ssize-38) -> num) (decstrtonum num) -> nlines repeat nlines (bsy;rts;next) erasesf sbsylines quit all send previous print 'The number of lines found system busy and restored = ' nlines -- An Introductory Guide to DATU Systems - By: The Clone URL: www.nettwerked.net Date: Monday, August 6, 2001 - * - Disclaimer * - Introduction * - Locating * - Administrating * - Credit * - Contact Disclaimer: The content within this file is for informational and entertainment purposes only. Unauthorized access of the systems spoken about in this file may get you in trouble with local and/or national law enforcement. - Introduction: DATU (pronounced 'dat-you') stands for Direct Access Testing Unit. A DATU unit is a physical device which is located at the local CO on a wiring card that is connected to a "no test trunk"), that allows field technicians and linesman to dial up to the trunk and perform various tests on a subscribers line. The DATU system itself extends the field technician and linesmans testing capabilities of subscriber lines through a non-metallic pair gain system. DATU was once manufactured and marketed by Hekemian Labs, but is now currently manufactured and marketed by Harris-Dracon division. Even though newer systems exist, DATU is still the most used analog, menu driven dial up test-board out there. - Locating: Locating and administrating a DATU system can be easy if you know the default suffixes your local phone company places them on. Many phone companies (Bell South) went through the unneeded liberty of changing the name of DATU either for the sake of unethical renaming of standard components, or for security reasons. Below is a list of regions, regional specific default suffixes, and the test system names associated with the specific regions. Note: 4-Tel is not a DATU, however it does function in a similar way to the DATU therefore I feel it belongs on this list... Canada: Name: '4-TEL' (manufactured by: Teradyne) Region: Alberta Area-Code: 403, 780 Default: XXX-9935, XXX-DATU (3288), XXX-4TEL (4835) Name: '4-TEL' (manufactured by: Teradyne) Region: British Columbia Area-Code: 250, 604 Default: XXX-9935, XXX-DATU (3288), XXX-4TEL (4835) United States: Name: 'DATU' Region: New Jersey Area-Code: 908 Default: XXX-9935, XXX-DATU Name: 'DATU' Region: New York Area-Code: 212 Default: XXX-9935, XXX-DATU Name: 'VoiceComplete Service' Region: Bell South Area-Code: 205, 229, 251, 321, 334, 386, 404, 407, 470, 478, 504, 606, 678, 704, 731, 754, 770, 859, 901, 904, 912, 919, 954, 980, 984, 985 Default: XXX-0000 Info: Default VoiceComplete Service Admin PIN: (area code) You can ONLY administrate a VoiceService system if you have a Nortel 3580A capable of transmitting the KP tone. - KP Entry: XXXX KP pwd: XXX - When you get the pseudo recording, enter KP XXXX, and then KP PS, then KP XXX. The recording (ST) will say: "Remote Access VoiceService Completion Center 83E" - Enter Service or Subscriber number, then press * or to get a live supervisor press 1 KP #. Options: - Add service - Remote Service - Change Type of Service - Remove CID information from line-set - Add Bunker - Remove Bunker - Administrating (From Harris DATU Manual): 1. Dial Datu Access Number 2. Enter Password 3. Dial Seven digit subscriber number 4. DATU will respond: "connected to xxx-xxxx.", "OK", or "connected to xxx-xxxx, busy line, audio monitor". Non-Pair gain lines proceed to step 7. Note: If busy line, DATU will not access the DC By-Pass Pair or the metallic Access Unit. 5. SLC lines: If line is idle DATU will respond "Pair Gain Line" followed by "processing" ("Processing" may be repeated for up to 25 seconds) DATU will give voice message: Single Party line\ (Good) | Multi-Party Line | Followed by Coin Line / *ENTER RT NUMBER* Channel Not Available (No/Bad channel test results) PGTC Failure/By-Pass If same recording is heard Pair Busy repeatedly alert supervisor Pair Gain System Alarm (Alert Supervisor) 6. If Good (or bad) Channel test results enter the RT number dial "*" to end ("**" toggle on or off the Alpha mode). Enter Pair Number, Dial "*" to end. Dial "0 *" to use existing DC TEST pair. DATU will connect to the By-Pass Pair or call the Metallic Access Unit in the RT, except when By-Pass is busy or Pair Gain System is in alarm. See Step 7 after connection to the remote site. 7. LINE PREPARATION FUNCTION DIAL CODES: 2 = Audio Monitor 33 = Short Tip and Ring to Ground 37 = Short Ring to ground (Tip Open) 38 = Short Tip to ground (Ring Open) 44 = High Level Tone on Tip and Ring 47 = High Level Tone On Ring (Tip Grounded) 48 = High Level Tone on Tip (Ring Grounded) 5 = Low Level Tone 6 = Open Line 7 = Short Line (Tip to Ring Short) 9 = Permanent Signal Release # = New Subscriber Line ## = Force Disconnect * = Connect preparation function after disconnect (system programmable from 1 to 99 minutes enter number of minutes); enter number of minutes after "*" Single Line Access: 1. Dial the DATU access number 2. Enter the user password 3. Enter the "*" and subscriber number for non pair gain lines or Enter "**" and subscriber's number for pair gain lines and then enter RT number. Dial "*" to end. Enter pair number. Dial "*" to end. 4. Enter Function Desired 5. Enter number of minuets to apply condition 6. Hang up and wait 30 seconds for DATU to access and condition line, (90 seconds for RT connection). Alpha Character Codes (when physically at DATU station): (space) = 11 A = 21 B = 22 C = 23 D = 31 F = 33 G = 41 H = 42 I = 43 K = 52 L = 53 M = 61 N = 62 P = 71 Q = 74 R = 72 S = 73 U = 82 V = 83 W = 91 X = 92 Y = 93 Z = 94 = 13 = = 12 / = 15 Generic DATU commands: 2 - Audio Monitor (allows you to monitor traffic on a busy line) 3 - Short To Ground (establishes connection between tip, ring, and ground) 4 - High Level Tone (injects 577MHz tone onto subscriber line to assist linemen in locating your pair at remote terminal. 577MHz tone is interrupted four times per second for identification purposes) 5 - Low Level Tone (injects 577MHz tone to locate pair on remote terminal when subscriber line is busy) 6 - Open Line (opens the subscriber line by removing the battery and ground thereby dropping voltage from line and disabling pair) 7 - Short Line (places short across the tip and ring of the subscriber line at the Central Office) 8 - Read Menu 9 - Permanent Signal Release 33 - Short Tip and Ring to ground 37 - Short Ring to ground (Tip open) 38 - Short Tip to ground (Ring open) 44 - High Level Tone on Tip and Ring 47 - High Level Tone on Ring (Tip grounded) 48 - High Level Tone on Tip (Ring grounded) * - Line Preparation Function (used to continue line preparation function after disconnecting from the systems access line. Specify 1-9 minutes) # - New Subscriber Line (disconnects you from the current subscriber line and allows you to specify another subscriber line) ## - Force Disconnect (for up to twenty minutes) - Credit: Thank you to POS_RLS (irc.2600.net #hellsouth) for the additional Bell South VoiceComplete Service information. - Contact: theclone@hackcanada.com irc.2600.net #cpu (key), #hackcanada .eof -- Windows is for people who barely know how to use a twist-tie -- 'Rogers AT&T Billing Vulnerability; Part II' Written by: The Clone Date: Monday, August 6, 2001 As mentioned in: The Edmonton Journal (08/05/01) "Rogers cellphone network crippled by mystery glitch" -=[The Glitch] -=[Glitch Details] -=[Conclusion] -=[References] -=[Contact] - The Glitch: What has been said as this nations largest cellular service interruption ever; up to 2.6 million Rogers AT&T wireless customers throughout Canada lost communication on Saturday evening. Customers reportedly were able to make calls, yet they were unable to receive them. This problem apparently started at 1:30pm and was fixed by Rogers staff later on that evening at around 11:00pm. - Glitch Details: One thing that we noticed last night, was that we were not getting billed for any local or long distance outbound calls that we made. This is quite similar to another billing vulnerability that we discovered about 9 months ago; basically if you were a Rogers AT&T Pay-As-You-Go subscriber and you wanted to make yourself a free local or long distance call, all you would have to do is enter the phone number you wished to call and wait for it to dial. If you did not hear the automated voice telling you how much time you had left on your account, you didn't get time taken off - if you heard the voice, you did. What caused this problem was simple; if too many calls were incoming to to Rogers' HLR (Home Location Register) system which screens the subscribers ESN, MIN, phone number, and number dialed, your call would divert and directly connect you to your called party for free. This problem was recently fixed when Rogers AT&T upgraded their faulty billing system. However, last night just showed us something: that Rogers AT&T's supposed new "billing system" has larger software problems than before with their lack-of-ability to handle a high volume of incoming calls. Spokesperson for Rogers AT&T, Heather Armstrong, told The Edmonton Journal: "this kind of an issue is very, very rare. This is receiving our utmost priority and attention." This claim, of course, is completely untrue. - Conclusion: Do you think it's about time that the cellular carriers start investing in and taking the first steps into adopting and developing open-source based billing module? This would help to stop the revenue-loss caused by simple proprietary programming errors, and open up a new industry for telecom security professionals ("phreaks"). - References: "Rogers/AT&T Pay-As-You-Go Billing Vulnerability" http://www.nettwerked.net/rogersatt_exploit.txt Edmonton Journal: "Rogers cellphone network crippled by mystery glitch" Sunday, August 5, 2001 - [A1] / (continued on) [A12] - Contact: E-mail: theclone@hackcanada.com URL: www.nettwerked.net -- -- Credits Without the following contributions this zine issue would be fairly delayed or not released, so thank you to the following people: "CRTC", M4chine, RT, (and myself) The Clone -- Shouts: Hack Canada (#HackCanada), Canadian Phreakers Union (#cpu), #PhreakBC, Blackened @ Damage Inc., The Grasshopper Unit, Flippersmack, Pyrofreak, plappy, soap, papercut, Kybo_ren, Flopik, POS_RLS and lastly to everyone and anyone who contributes to the Canadian H/P scene. ;. .;.. ; ;. ;.. ;.. .;..; .;.; .;; ;.. .;..;. .;..; .;.;...; ;..;.. .;. A .;. .;. ;.. N E T T W E R K E D ;.. ;..;.. P R O D U C T ;..;.. .;..; ;..;.. ; .;..;.;.. .; . .;. ..;.. .;.. . .; ..;..;..;.. .; ;..;. .;.. . .;.. .;.;. ..;. ..;.. .;. ;.;..;;..;.; ;.;;..;.. ;.;.; .; . ;.;..;. .;. ;.;:.;. ,;....;. .;.;. .;.; .;.;.; .;.; ;..;. .;.;;.; .;. ..; ;. > > > i r leet!