--- /dev/null
+ January 1996\r
+\r
+ BB in Germany\r
+ written by Dr. Fraud\r
+\r
+\r
+Hi Phreaks !\r
+\r
+In this article, I wanna write a little bit about BB in Germany. This phile \r
+is NOT a `how 2 do it' essay.... It`s 4 phreaks to show what has done and \r
+what is still possible. I also won`t describe any signalling systems like \r
+C5/R2/C7, cause everyone who reads this phile should know how they work. I \r
+have put the TXT into several groups like the following:\r
+\r
+ - Overview: breakable countries\r
+ - Why are other countrys not breakable ?\r
+ - The story `bout C4\r
+ - You don`t get a busy flash....ahahaha!\r
+ - How the TELECOM filters work\r
+ - About Hardware\r
+ - Problems with Transit/Routings\r
+ - How 2 get Routing Codes \r
+ \r
+\r
+\r
+ 1.) Overview: the breakable countries\r
+\r
+ At the 1st point, I wanna give you a short list of the easy breakable \r
+ countrys. As u can see, there are many ones u can break, but most of them \r
+ are not very interesting (seen in the aspect of getting out of those \r
+ fucking desert-countries....). The only exception are the C5/R2 countries. \r
+ but at the moment, there are only very few people who can phreak them... \r
+ congratulations !\r
+ Okay, here are the breakable ones (alphabetical order)\r
+\r
+ > Argentinia (+54)\r
+ > Brasilia (+55)\r
+ > Chile (+56)\r
+ > China (+86)\r
+ > Columbia (+57)\r
+ > Emmirates of Arabia (+971)\r
+ > Guatemala (+502)\r
+ > Hawaii (+1-808)\r
+ > Indonesia (+62) [not available from everywhere]\r
+ > Iceland (+354)\r
+ > Japan (+81) !! hard 2 seize !! \r
+ > Jordania (+962) !! still offline !!\r
+ > Macau (+853)\r
+ > Malaysia (+60) [not any more !]\r
+ > Nicaragua (+505)\r
+ > Paraguay (+595)\r
+ > Phillipines (+63)\r
+ > Singapore (+65)\r
+ > South Africa (+27)\r
+ > Uruguay (+589)\r
+ > Venezuela (+58)\r
+\r
+ At 1st, I wanted to add the frequs for each country....no, not exactly, but\r
+ at least a description like: Cl.Fwd/EOf/Seize. But I decided that its not\r
+ very useful because you should be able to find them out by yourself. Besi-\r
+ des, all these ones are C5 and quite simple 2 break (more or less.... arghh \r
+ I hate the Phillipines !!!!!!). U can reach them via HCD (standard) with \r
+ the exception of HawaII.\r
+ NOTE: These are not all the existing countrys you can reach by a toll free\r
+ number... but these ones are the easiest to call. If you wan`t to\r
+ call other countries by direct (=local) breaking, start scanning !\r
+ \r
+ * Concerning the Thailand HCD (+66), I`m not sure what is is, but I think it\r
+ should be C7. If not and if you can break it, please contact me ! \r
+\r
+ * At MCI and AT&T, I already had sume argues with other phreaks, but I know\r
+ that at least AT&T _IS_ breakable ! [note: or WAS breakable until 12/95]\r
+\r
+The problem with R2 is that it`s mostly PCM (in Germany). This means that\r
+there`s used a multiplex system to mix information and signalling signals.\r
+So you use 1 channel each, but it seems as if you are just on one channel.\r
+At the moment, I still don`t cope with those systems... Sumetimes, I get a\r
+Hgup, but I don`t know whether it`s caused from my BB or from that fuCkiNg\r
+switch.\r
+Another problem is: theres no absolute standard on R2. It depends on the area\r
+you live in and the country u wanna break 2 get a success. Just start scan-\r
+ning... Some hints: Of course, u should only scan the effective signalling \r
+band....it would be quite senseless to scan from 500 up to 1500 Hz. And al-\r
+ways remember: R2 is not an international system. It`s always combined with \r
+at least one signalling frequency of another system (like C5) !\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+2.) Why are other countries not breakable ?\r
+\r
+ aaaahahahhah!!! stupid question. Cause they changed to C7.\r
+\r
+ Anyway, there is a possible exception: The "Fiiieep" linez. If you are not\r
+ from Germany, you can`t imagine what this means to the phreaker: You know,\r
+ some switches (e.g. the Siemens-Alcatel) require an exact timing. The Cl.\r
+ Fwd. must be sent on exact the time when you can hear the 2nd "click" (or \r
+ some milliseconds after). There is one problem now: The Telco has changed \r
+ that click to a noisy "fiiieek" now on some nuMbAs. That noise is inter-\r
+ modulating the break you send. The result is: No result. \r
+ The only thing you can do: (except when you live in area 03....ggrrr...I \r
+ hate everyone in there...) increase the volume of your break to a maximum\r
+ and try to find a guard tone that fixes that interference...this should be\r
+ not too easy.... after some minutes of experimenting, you may be able to\r
+ achieve a HgUp, but seizing will be quite complicated !\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+3.) Phunny story bout C4\r
+\r
+Just a few words 2 the phreaks who wanna start scanning C4 lines,\r
+inspired by the Scavenger dialer: Yes, u can call via C4 lines, if u\r
+a) break an oversea line (e.g. Germany => Paraguay...aaeh..no...Paraguay uses\r
+ R2 at the country itself...)\r
+b) call a C4 based numba in that country, break it and have phun...\r
+But there are 2 major problems:\r
+a) linez are shit\r
+b) there are nearly (I said nearly, in fact, I don`t know _ANY_) no C4 linez\r
+ left... perhaps, u will find someones in South America or Africa.\r
+\r
+So, forget the C4 shit and concentrate to the future... and future is defini-\r
+tively NOT C4 !\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+3.) U don`t get a Busy Flash.... ahahhahahahaha!!\r
+\r
+If you are unable to recieve a Busy Flash, then you`ve got a problem: the\r
+TELEKOM filters. These phunny devices are sitting in the toll-free oversea\r
+trunk groups just for one purpose: Killing the Clear Forward and the Seize\r
+signal to avoid line manipulation. In my area, there were 2 different kinds\r
+of filters:\r
+The first ones were just inverters, which lowered or highered the specific\r
+signals sent in the line. This means, that a 2400/2600 tone will be recogni-\r
+zed from the switch as, e.g., a 2350/2650 signal... This means that you can\r
+easily pass those filters when sending e.g. a 2450/2550 tone. This is, of \r
+course, not a very effective protection !\r
+At the next step, a more complicated system was installed: a Schmitt-Trigger\r
+system, combined with a selective switch. I will explain later how it works\r
+exactly.\r
+At this time, just remember: It`s IMPOSSIBLE 2 install any protection that\r
+will avoid inband line manipulation 100% . There`s always a way to pass it !\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+4.) How the telecom filters work:\r
+\r
+The function of those devices is quite simple: the filters are put in the \r
+line subscriber ----> german switch. This (should) avoid a line manipulation\r
+from the side of the subscriber`s line.\r
+The filter consists of a simple notch filter that blocks the 2400 signal if\r
+the installed frequency counter counts the critical frequs.\r
+The bandwidth is all over the tolerance of the frequency used for inter-\r
+national trunks. This is achived by a strong damping of the circuit. Just\r
+find an international exchange and let it give you a nice echo. Then, start\r
+scanning and draw a function of the filtered tones. U should draw that func-\r
+tion in dependence of the frequency and the volume.\r
+The tricky thing is the following: the filters are "normally" not enabled.\r
+They are only activated when recieving a signal that is in tolerance of their\r
+setting. The control of "enabled"-"not enabled" is taken by a simple Schmitt-\r
+Trigger circuit. Just watch sume electronic-book for further information.\r
+To activate the Trigger, a tone of a certain frequency _and_ a certain length\r
+must be recieved (Trigger-Level).\r
+So: when u add a third tone to your Cl.Fwd., there is obtained an inter-\r
+modulation: the volume increases and decreases in the same frequency as the\r
+guard tone. So, u just need to find the correct guard tone(s), and u will be\r
+able to pass the filter.\r
+Sometimes, its a little bit more tricky: If this method doesnt work, just use\r
+some fuzzy tones (mix the tones with colored noise). This changes the wave-\r
+form from sinus to something un-definable. That sort of signal is much harder\r
+to trigger (if you`ve got an oscillograph, u can see it quite good). So, the\r
+chances of "confusing" the trigger are much better....\r
+Finally, there`s a third method: Just create a trunk that you play _before_\r
+the "real" trunk....the more tones, the better ! I use the nice TLO444 and\r
+wrote a tiny script that will do this job quite good...it has `bout 20 tones,\r
+played with 3 or 4 frequencys each. If you set the right frequs (TIP: use the\r
+frequs near the signalling area, add a DHLS sumetimes, play a 2000 Hz and so\r
+on). If you have done it right, that filter will be "confused" (you can com-\r
+pare it with drinking 10 beers and going to bed immediately) and it can get \r
+passed much easier.\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+5.) About Hardware\r
+\r
+It`s always useful to have some hardware that can support you while whistling\r
+around....the good old walkman-headphones are fine for checking out a line\r
+you can break not yet, but it`s not possible to get a 100% great result. Just \r
+call your favourite HPA board and leech the schematic of a standard BlueBox.\r
+I use a more comfortable method. This has two reasons:\r
+1.) When using a transformator that is connected to the phone line directly, \r
+ your ears will be bloody after a hole night of scanning\r
+2.) Connecting the soundcard in another way will offer you much more comfort.\r
+\r
+If you`ve got some idea about electronics, connect the output of your computer \r
+to the microphone in the telefone. The ECM-Micros work best. Normally, it`s \r
+necessary to limit the signal with a resistor of about 50K. And if you want to \r
+record the line, connect the mic. input to the speaker of your phone. Depen-\r
+ding on your circuit, it may be useful to add a small capacitator (.1uF). This \r
+offers a much better quality and the tones sent out of the speaker while brea-\r
+king are much more calm. This allows you to listen better to any reaction of \r
+the line. And if you`ve already done that piece of work, then you can make a\r
+device that allows you to hang up the line and release it again automatically.\r
+I built a switch that is controlled by the tones sent out of my dialer. I just\r
+reserved a frequency (ca. 3900 Hz) and adjusted that phunny device to exactly \r
+that value. So, if I send a 3900 Hz tone, my line hangs up automatically and \r
+releases again after a free-definable time. If you are interested in that\r
+device, just contact me !\r
+Also phunny is a circuit that can decode the special-info sequence (you know,\r
+that tuuu-tuuuu-tuuuuu you recieve when calling a not-existing number). I \r
+don`t know whether this is also possible by a powerful realtime-software; but\r
+when connecting that circuit to the parallel port, you may increase the rate\r
+of success while scanning to the maximum. When using that device, you needn`t\r
+sitting in front of your screen anymore... you just wait for a "success-beep"\r
+from the computer when getting a number that does not result in the special-\r
+info-tone. The only condition for this is a well-programmed software.\r
+\r
+Another phunny toy is an oscilloscope, because:\r
+- You look so cool when sitting in front of it, dialing, phreaking, pushing\r
+ all the buttons at the scope (and only you know what they are good for) and\r
+ watching the great waves appearing on the screen when getting a connect ...\r
+- Hmmm..and, besides, an oscilloscope is EXTREMLY useful to find out every-\r
+ thing that has to do with waveform, amplitude and delay of the signal sent\r
+ in the line, and, more important, coming out of it. E.g., you can search a\r
+ number, kill the exchange, sending a signal which will give you an echo and\r
+ start analysing the behavior of the switch.\r
+\r
+The last point about hardware: A device that can send a variable (coloured)\r
+noise into the line. A very simple noise generator is an old radio. Just put \r
+it on AM and search an area with a good, strong noise. By turning the knob in\r
+any direction, the sound of the noise should change a little bit. To find the\r
+best position, set your dialer to a 60s Cl.Fwd. and mix it with the noise ob-\r
+tained by the reciever. Believe it or not, it works !\r
+BTW : Yes, I know, the Scavenger dialer has this feature, too. But the noise \r
+ routine seems to be a little buggy...besides, it`s much easier to use\r
+ a little hardware, because you can find out the correct setting very\r
+ fast just by turning a knob is any direction. The only thing you`ve got\r
+ to do is to connect the speaker of the radio (or, in other words, the \r
+ two wires leading to the speaker) with the phone line using direct \r
+ connection or transformator. A 50K resistor prevents the noise from get-\r
+ ting too loud. Just play a little bit for optimal results.\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+6.) Problems with Transit/Routings\r
+\r
+some years ago, finding out a routing or using transit was no problem (I say\r
+this not out of my own experience; I`m not doing BB as long that I can con-\r
+firm this....but I was told so).\r
+Now, things have changed a little bit. The old standard of using <KP2>-CC-DD\r
+is working only to some boring countries with boring lines. The "good" coun-\r
+tries (like HK/USA etc.) are extremely well protected now. But in spite of\r
+that, you can still get a success if you have a free afternoon and some luck.\r
+For exemple, the toll free lines of some countries can sometimes be called\r
+from an international exchange. To give you an exemple:\r
+\r
+ a) you call the HCD of a country that has <KP2> disabled\r
+ b) you break it\r
+ c) after breaking, you call the Op. of another country (e.g.: A02-800-XXX)\r
+ d) you wait for the "chick" and break the line country --> next country\r
+ e) perhaps this country you are in now has <KP2> open ....\r
+\r
+The disadvantage of this is that you MUST set your trunk very exactly. If your\r
+break for the 2nd country is in tolerance of the switch of the 1st country, \r
+your line kicks off...hahaha....try it again.\r
+Perhaps, you find a country that is breakable with 2400 and 2600 Hz, sent\r
+seperately. On HawaII, you will remark that you can send the tones seperately.\r
+If you`ve found a Transit or a Route, you can try to find a gate in the\r
+following way [just for exemple !!!]:\r
+ a) You can do transit via XXXXXX to russia\r
+ b) You want to call YYYYYY\r
+ c) Just dial <KP2>7-00-YYY-nuMbA<ST>\r
+\r
+The success of this method depends on the "transit power" of the country you\r
+can do transit to. Perhaps you can try it out by calling directly.\r
+\r
+Another way of calling is to change the exchange you are in by sending a \r
+loooong signalling tone....the more experienced phreaks will know what I mean\r
+when talking about this..... This method only works on quite old switches.\r
+\r
+\r
+\r
+\r
+\r
+\r
+7.) How 2 get Routing Codes\r
+\r
+At the beginnig of this article, I wanted to tell you how to find out which\r
+country offers which routes to kall out. With this method it`s not often \r
+possible to get the routes directly, but you will know whether it`s senseful\r
+to start scanning around.\r
+But now I decided not to tell you that possibility, because it wont work any-\r
+more if too many people use it. BTW, forget the old trick with <KP2>-2F-<ST>\r
+The operators are still incredibly stupid, but they won`t give out their\r
+Operator routes to someone who says: "....Hi, lines are busy,...please gimme\r
+your routing for calling Canada...".\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+Okay, thats it....I think that you knowed most of the things I told, but per-\r
+haps you found a little hint that may be useful for you. Have a nice life !\r
+\r
+\r
+\r
+ Greetz,\r
+ Dr. Fraud\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+P.S.: This article didn`t grow out of my free volunteer....\r
+ I was forced to write it....hahaa... ...and remember: J.F.K. is dead !\r
+<yeah and i'll do it again for the next mag hehehehe! [vH]>\r
+\1a
\ No newline at end of file
projects / oweals / thc-archive.git / blobdiff