9 In this article, I wanna write a little bit about BB in Germany. This phile
\r
10 is NOT a `how 2 do it' essay.... It`s 4 phreaks to show what has done and
\r
11 what is still possible. I also won`t describe any signalling systems like
\r
12 C5/R2/C7, cause everyone who reads this phile should know how they work. I
\r
13 have put the TXT into several groups like the following:
\r
15 - Overview: breakable countries
\r
16 - Why are other countrys not breakable ?
\r
17 - The story `bout C4
\r
18 - You don`t get a busy flash....ahahaha!
\r
19 - How the TELECOM filters work
\r
21 - Problems with Transit/Routings
\r
22 - How 2 get Routing Codes
\r
26 1.) Overview: the breakable countries
\r
28 At the 1st point, I wanna give you a short list of the easy breakable
\r
29 countrys. As u can see, there are many ones u can break, but most of them
\r
30 are not very interesting (seen in the aspect of getting out of those
\r
31 fucking desert-countries....). The only exception are the C5/R2 countries.
\r
32 but at the moment, there are only very few people who can phreak them...
\r
34 Okay, here are the breakable ones (alphabetical order)
\r
41 > Emmirates of Arabia (+971)
\r
44 > Indonesia (+62) [not available from everywhere]
\r
46 > Japan (+81) !! hard 2 seize !!
\r
47 > Jordania (+962) !! still offline !!
\r
49 > Malaysia (+60) [not any more !]
\r
54 > South Africa (+27)
\r
58 At 1st, I wanted to add the frequs for each country....no, not exactly, but
\r
59 at least a description like: Cl.Fwd/EOf/Seize. But I decided that its not
\r
60 very useful because you should be able to find them out by yourself. Besi-
\r
61 des, all these ones are C5 and quite simple 2 break (more or less.... arghh
\r
62 I hate the Phillipines !!!!!!). U can reach them via HCD (standard) with
\r
63 the exception of HawaII.
\r
64 NOTE: These are not all the existing countrys you can reach by a toll free
\r
65 number... but these ones are the easiest to call. If you wan`t to
\r
66 call other countries by direct (=local) breaking, start scanning !
\r
68 * Concerning the Thailand HCD (+66), I`m not sure what is is, but I think it
\r
69 should be C7. If not and if you can break it, please contact me !
\r
71 * At MCI and AT&T, I already had sume argues with other phreaks, but I know
\r
72 that at least AT&T _IS_ breakable ! [note: or WAS breakable until 12/95]
\r
74 The problem with R2 is that it`s mostly PCM (in Germany). This means that
\r
75 there`s used a multiplex system to mix information and signalling signals.
\r
76 So you use 1 channel each, but it seems as if you are just on one channel.
\r
77 At the moment, I still don`t cope with those systems... Sumetimes, I get a
\r
78 Hgup, but I don`t know whether it`s caused from my BB or from that fuCkiNg
\r
80 Another problem is: theres no absolute standard on R2. It depends on the area
\r
81 you live in and the country u wanna break 2 get a success. Just start scan-
\r
82 ning... Some hints: Of course, u should only scan the effective signalling
\r
83 band....it would be quite senseless to scan from 500 up to 1500 Hz. And al-
\r
84 ways remember: R2 is not an international system. It`s always combined with
\r
85 at least one signalling frequency of another system (like C5) !
\r
94 2.) Why are other countries not breakable ?
\r
96 aaaahahahhah!!! stupid question. Cause they changed to C7.
\r
98 Anyway, there is a possible exception: The "Fiiieep" linez. If you are not
\r
99 from Germany, you can`t imagine what this means to the phreaker: You know,
\r
100 some switches (e.g. the Siemens-Alcatel) require an exact timing. The Cl.
\r
101 Fwd. must be sent on exact the time when you can hear the 2nd "click" (or
\r
102 some milliseconds after). There is one problem now: The Telco has changed
\r
103 that click to a noisy "fiiieek" now on some nuMbAs. That noise is inter-
\r
104 modulating the break you send. The result is: No result.
\r
105 The only thing you can do: (except when you live in area 03....ggrrr...I
\r
106 hate everyone in there...) increase the volume of your break to a maximum
\r
107 and try to find a guard tone that fixes that interference...this should be
\r
108 not too easy.... after some minutes of experimenting, you may be able to
\r
109 achieve a HgUp, but seizing will be quite complicated !
\r
118 3.) Phunny story bout C4
\r
120 Just a few words 2 the phreaks who wanna start scanning C4 lines,
\r
121 inspired by the Scavenger dialer: Yes, u can call via C4 lines, if u
\r
122 a) break an oversea line (e.g. Germany => Paraguay...aaeh..no...Paraguay uses
\r
123 R2 at the country itself...)
\r
124 b) call a C4 based numba in that country, break it and have phun...
\r
125 But there are 2 major problems:
\r
127 b) there are nearly (I said nearly, in fact, I don`t know _ANY_) no C4 linez
\r
128 left... perhaps, u will find someones in South America or Africa.
\r
130 So, forget the C4 shit and concentrate to the future... and future is defini-
\r
139 3.) U don`t get a Busy Flash.... ahahhahahahaha!!
\r
141 If you are unable to recieve a Busy Flash, then you`ve got a problem: the
\r
142 TELEKOM filters. These phunny devices are sitting in the toll-free oversea
\r
143 trunk groups just for one purpose: Killing the Clear Forward and the Seize
\r
144 signal to avoid line manipulation. In my area, there were 2 different kinds
\r
146 The first ones were just inverters, which lowered or highered the specific
\r
147 signals sent in the line. This means, that a 2400/2600 tone will be recogni-
\r
148 zed from the switch as, e.g., a 2350/2650 signal... This means that you can
\r
149 easily pass those filters when sending e.g. a 2450/2550 tone. This is, of
\r
150 course, not a very effective protection !
\r
151 At the next step, a more complicated system was installed: a Schmitt-Trigger
\r
152 system, combined with a selective switch. I will explain later how it works
\r
154 At this time, just remember: It`s IMPOSSIBLE 2 install any protection that
\r
155 will avoid inband line manipulation 100% . There`s always a way to pass it !
\r
163 4.) How the telecom filters work:
\r
165 The function of those devices is quite simple: the filters are put in the
\r
166 line subscriber ----> german switch. This (should) avoid a line manipulation
\r
167 from the side of the subscriber`s line.
\r
168 The filter consists of a simple notch filter that blocks the 2400 signal if
\r
169 the installed frequency counter counts the critical frequs.
\r
170 The bandwidth is all over the tolerance of the frequency used for inter-
\r
171 national trunks. This is achived by a strong damping of the circuit. Just
\r
172 find an international exchange and let it give you a nice echo. Then, start
\r
173 scanning and draw a function of the filtered tones. U should draw that func-
\r
174 tion in dependence of the frequency and the volume.
\r
175 The tricky thing is the following: the filters are "normally" not enabled.
\r
176 They are only activated when recieving a signal that is in tolerance of their
\r
177 setting. The control of "enabled"-"not enabled" is taken by a simple Schmitt-
\r
178 Trigger circuit. Just watch sume electronic-book for further information.
\r
179 To activate the Trigger, a tone of a certain frequency _and_ a certain length
\r
180 must be recieved (Trigger-Level).
\r
181 So: when u add a third tone to your Cl.Fwd., there is obtained an inter-
\r
182 modulation: the volume increases and decreases in the same frequency as the
\r
183 guard tone. So, u just need to find the correct guard tone(s), and u will be
\r
184 able to pass the filter.
\r
185 Sometimes, its a little bit more tricky: If this method doesnt work, just use
\r
186 some fuzzy tones (mix the tones with colored noise). This changes the wave-
\r
187 form from sinus to something un-definable. That sort of signal is much harder
\r
188 to trigger (if you`ve got an oscillograph, u can see it quite good). So, the
\r
189 chances of "confusing" the trigger are much better....
\r
190 Finally, there`s a third method: Just create a trunk that you play _before_
\r
191 the "real" trunk....the more tones, the better ! I use the nice TLO444 and
\r
192 wrote a tiny script that will do this job quite good...it has `bout 20 tones,
\r
193 played with 3 or 4 frequencys each. If you set the right frequs (TIP: use the
\r
194 frequs near the signalling area, add a DHLS sumetimes, play a 2000 Hz and so
\r
195 on). If you have done it right, that filter will be "confused" (you can com-
\r
196 pare it with drinking 10 beers and going to bed immediately) and it can get
\r
197 passed much easier.
\r
207 It`s always useful to have some hardware that can support you while whistling
\r
208 around....the good old walkman-headphones are fine for checking out a line
\r
209 you can break not yet, but it`s not possible to get a 100% great result. Just
\r
210 call your favourite HPA board and leech the schematic of a standard BlueBox.
\r
211 I use a more comfortable method. This has two reasons:
\r
212 1.) When using a transformator that is connected to the phone line directly,
\r
213 your ears will be bloody after a hole night of scanning
\r
214 2.) Connecting the soundcard in another way will offer you much more comfort.
\r
216 If you`ve got some idea about electronics, connect the output of your computer
\r
217 to the microphone in the telefone. The ECM-Micros work best. Normally, it`s
\r
218 necessary to limit the signal with a resistor of about 50K. And if you want to
\r
219 record the line, connect the mic. input to the speaker of your phone. Depen-
\r
220 ding on your circuit, it may be useful to add a small capacitator (.1uF). This
\r
221 offers a much better quality and the tones sent out of the speaker while brea-
\r
222 king are much more calm. This allows you to listen better to any reaction of
\r
223 the line. And if you`ve already done that piece of work, then you can make a
\r
224 device that allows you to hang up the line and release it again automatically.
\r
225 I built a switch that is controlled by the tones sent out of my dialer. I just
\r
226 reserved a frequency (ca. 3900 Hz) and adjusted that phunny device to exactly
\r
227 that value. So, if I send a 3900 Hz tone, my line hangs up automatically and
\r
228 releases again after a free-definable time. If you are interested in that
\r
229 device, just contact me !
\r
230 Also phunny is a circuit that can decode the special-info sequence (you know,
\r
231 that tuuu-tuuuu-tuuuuu you recieve when calling a not-existing number). I
\r
232 don`t know whether this is also possible by a powerful realtime-software; but
\r
233 when connecting that circuit to the parallel port, you may increase the rate
\r
234 of success while scanning to the maximum. When using that device, you needn`t
\r
235 sitting in front of your screen anymore... you just wait for a "success-beep"
\r
236 from the computer when getting a number that does not result in the special-
\r
237 info-tone. The only condition for this is a well-programmed software.
\r
239 Another phunny toy is an oscilloscope, because:
\r
240 - You look so cool when sitting in front of it, dialing, phreaking, pushing
\r
241 all the buttons at the scope (and only you know what they are good for) and
\r
242 watching the great waves appearing on the screen when getting a connect ...
\r
243 - Hmmm..and, besides, an oscilloscope is EXTREMLY useful to find out every-
\r
244 thing that has to do with waveform, amplitude and delay of the signal sent
\r
245 in the line, and, more important, coming out of it. E.g., you can search a
\r
246 number, kill the exchange, sending a signal which will give you an echo and
\r
247 start analysing the behavior of the switch.
\r
249 The last point about hardware: A device that can send a variable (coloured)
\r
250 noise into the line. A very simple noise generator is an old radio. Just put
\r
251 it on AM and search an area with a good, strong noise. By turning the knob in
\r
252 any direction, the sound of the noise should change a little bit. To find the
\r
253 best position, set your dialer to a 60s Cl.Fwd. and mix it with the noise ob-
\r
254 tained by the reciever. Believe it or not, it works !
\r
255 BTW : Yes, I know, the Scavenger dialer has this feature, too. But the noise
\r
256 routine seems to be a little buggy...besides, it`s much easier to use
\r
257 a little hardware, because you can find out the correct setting very
\r
258 fast just by turning a knob is any direction. The only thing you`ve got
\r
259 to do is to connect the speaker of the radio (or, in other words, the
\r
260 two wires leading to the speaker) with the phone line using direct
\r
261 connection or transformator. A 50K resistor prevents the noise from get-
\r
262 ting too loud. Just play a little bit for optimal results.
\r
270 6.) Problems with Transit/Routings
\r
272 some years ago, finding out a routing or using transit was no problem (I say
\r
273 this not out of my own experience; I`m not doing BB as long that I can con-
\r
274 firm this....but I was told so).
\r
275 Now, things have changed a little bit. The old standard of using <KP2>-CC-DD
\r
276 is working only to some boring countries with boring lines. The "good" coun-
\r
277 tries (like HK/USA etc.) are extremely well protected now. But in spite of
\r
278 that, you can still get a success if you have a free afternoon and some luck.
\r
279 For exemple, the toll free lines of some countries can sometimes be called
\r
280 from an international exchange. To give you an exemple:
\r
282 a) you call the HCD of a country that has <KP2> disabled
\r
284 c) after breaking, you call the Op. of another country (e.g.: A02-800-XXX)
\r
285 d) you wait for the "chick" and break the line country --> next country
\r
286 e) perhaps this country you are in now has <KP2> open ....
\r
288 The disadvantage of this is that you MUST set your trunk very exactly. If your
\r
289 break for the 2nd country is in tolerance of the switch of the 1st country,
\r
290 your line kicks off...hahaha....try it again.
\r
291 Perhaps, you find a country that is breakable with 2400 and 2600 Hz, sent
\r
292 seperately. On HawaII, you will remark that you can send the tones seperately.
\r
293 If you`ve found a Transit or a Route, you can try to find a gate in the
\r
294 following way [just for exemple !!!]:
\r
295 a) You can do transit via XXXXXX to russia
\r
296 b) You want to call YYYYYY
\r
297 c) Just dial <KP2>7-00-YYY-nuMbA<ST>
\r
299 The success of this method depends on the "transit power" of the country you
\r
300 can do transit to. Perhaps you can try it out by calling directly.
\r
302 Another way of calling is to change the exchange you are in by sending a
\r
303 loooong signalling tone....the more experienced phreaks will know what I mean
\r
304 when talking about this..... This method only works on quite old switches.
\r
311 7.) How 2 get Routing Codes
\r
313 At the beginnig of this article, I wanted to tell you how to find out which
\r
314 country offers which routes to kall out. With this method it`s not often
\r
315 possible to get the routes directly, but you will know whether it`s senseful
\r
316 to start scanning around.
\r
317 But now I decided not to tell you that possibility, because it wont work any-
\r
318 more if too many people use it. BTW, forget the old trick with <KP2>-2F-<ST>
\r
319 The operators are still incredibly stupid, but they won`t give out their
\r
320 Operator routes to someone who says: "....Hi, lines are busy,...please gimme
\r
321 your routing for calling Canada...".
\r
329 Okay, thats it....I think that you knowed most of the things I told, but per-
\r
330 haps you found a little hint that may be useful for you. Have a nice life !
\r
349 P.S.: This article didn`t grow out of my free volunteer....
\r
350 I was forced to write it....hahaa... ...and remember: J.F.K. is dead !
\r
351 <yeah and i'll do it again for the next mag hehehehe! [vH]>
\r
projects / oweals / thc-archive.git / blob