Security Breach #3
Summer 1998

Editor in chief: Maniac
Contributors: Harvester of Souls

Editor's note:

This issue marks the first time I've had any help writing this. Security Breach has a new writer on board, namely Harvester of Souls. He came up with some interesting frequency stuff for this issue, which I hope proves useful to people in some way or another. I'm also looking for contributions from anybody who has anything to write about (except lame stuff and redboxing articles). NO GODDAMN REDBOXING ARTICLES!...okay, I'll stop ranting now..

Anyways, this issue we start a new series of articles on various types of cans. I hope to cover at least one type of can per issue, and I'm going to try to go into as much depth and detail as possible.

Shout-outs to the following people: Mohawk, Mr. Seuss, Slapayoda, Phen0m, Hatredonalog, anybody who carries SB on their website, the more knowledgeable people in alt.phreaking, Matty Acid for hooking me up with the DS-1 tutorial, Plik, StikSickly, #peng crew, esp. squirrel and the other conf regulars..Hell Atlantic (for providing me with a phone system to play with), and of course Mailboxes Etc. for making shipping a PBX a couple thousand miles much less of a pain in the ass...Greets also to anyone I forgot..

CONTENTS:

1. Motorola Micro Tac - Harvester of Souls
2. The Finer Points of Canning, Vol.1 - Maniac
3. Line Recording Indicator - Harvester of Souls
4. Radio Frequencies - Harvester of Souls
5. Tip of the Month - Maniac
6. Maniac's Guide to Lock-picking and Forced Entry - Maniac

Motorola Micro Tac
By (Harvester Of Souls)

This article is about the Motorola Micro Tac flip fones. This may vary from fone to fone. Here are the basics you need to know to begin.

To look at the system ID, fone #, & station class marks and much more, do the following.

1) Turn power ON.
2) Immediately press FCN, 0.
3) Type the Security Code. (Factory standard is 000000).
4) Scroll through the options with the * key.
5) Only make changes that are accurate!
-----------------------------------------------------

To put the phone into test mode do the following:

Disconnect any & all power from the phone. There will be 3 contact leads on the back of the phone. Short the middle pin to ground. The ground is usually the contact lead to the right of it. (Test with a DMM to be sure).

DMM - Digital Multi Meter.

When you apply power, you will find that the screen is flashing hexadecimal numbers. Press the # key. The display should show US '. If it just shows a ' and not US ', don't worry. From either of those points you may type in commands to the phone.

To listen in on a conversation:

Type 11xxx, #
xxx = Channel number.

NOTE: This is illegal & I don't recommend this since they have triangulation methods. You have been warned!

The channels that I have listened to are anywhere from 112 to 999. I believe the phone will go up to channel 9999. You may not be able to do anything, but I personally think that it has the capabilities to do so. I found that the most popular channels around the suburban Boston area and up to Boston also are these:

112 298 299 300 301 999

This may not be true for all areas. Just scan the channels & see what you find. :)

The Finer Points of Canning (Volume 1)

***This is the first of a series of articles devoted to the purposes and contents of various types of cans. There will be plenty more written about other types of cans, but I've decided to only do one for this issue, as it's long overdue***
-Maniac

It would probably be safe to assume that any phreak worth their salt has opened plenty of cans in their career. Cans come in many different shapes and sizes (and even colors), and contain all sorts of interesting stuff....and it's not all just wires.

The most basic can is the TNI, which stands for Telephone Network Interface. Also known as the SNI, as well as several other names, it serves as the point where the telco wiring ends and the customer wiring begins.
This is technically known as the point of demarcation. These boxes can be found on any home or business which has above ground telephone service. The contents of these boxes vary somewhat, depending on the exact model of TNI. They're all pretty similar, though, generally speaking.

My TNI is a Nynex model that dates back about 3 years. It's about 6 or 8 inches square with a two-section door to provide different levels of access. The outer section of the door is marked "customer access" and opens with a flathead screwdriver. It provides access to the RJ-11 jack that connects the telco wiring to the customer wiring. This is a convenient place to beige box from, since any normal phone can connect to an RJ-11 jack. However, to do this, you must unplug the customer wiring from the jack, which renders the phones in the building useless. People might notice this, but this is an easy problem to fix. Simply buy (or steal) a dual male to single male RJ-11 adapter. This has two female RJ-11 connectors on one side and a single male RJ-11 on the other side. You can buy/steal this at Radio Shit..er..Shack. To use it requires little intelligence and absolutely no instructions, however, for those who are REALLY new to the field, plug it into the jack in the TNI (after unplugging the customer wiring) and plug both your phone and the customer wiring into it. Now you can connect without disabling the phones in the building.

Under the customer access door, there's another door marked "telco access". It gives access to the entire contents of the TNI. This door opens with a 3/8 inch nutdriver/socket wrench/etc... The customer access door is just a part of the telco access door. It's screwed down onto the telco access door, not the box itself, so when the telco access door is opened, the customer access door goes with it.

The best tool for opening this and many other cans is the can wrench sold by Harris-Dracon. It is double ended, with 3/8 on one end and 7/16 on the other.
They also manufacture security bit inserts in 5/32 and 5/16 sizes. The use for these will be discussed much later.

Underneath the telco access door, things get a bit more interesting. There are 5 large bolt terminals, each with a number of wires and washers on them, which are tightened down with a 3/8 nut. The terminals are arranged as a square, with a bolt at each corner, with the fifth bolt in the center. These terminals are where the drop line from the pole interfaces with the wires leading to the RJ-11 jack the customer wiring plugs into. The drop line is a 2 pair cable that could easily be mistaken for a power line of some sort. The pairs are laid out as follows:

Pair one: Orange/Orange-White.
Pair two: Blue/Blue-White.

(I have two lines)..Pair one connects to the upper post, and pair two connects to the lower pair of posts.

The last piece of the TNI is a small rectangular circuit board, about 1 3/4 inches by 3/4 of an inch. It has color coded leads with spade lugs for tip and ring, with 4 components in series between tip and ring. The board is wired across the bolt terminals for tip and ring, so it is in parallel with the customer wiring. The components are arranged as follows. (yes, I know ASCII art sucks, but try to bear with me)

TIP----cathode|<|anode(1N5229)---47pf---anode|>|cathode (1N5229)---10k 1/2 watt resistor---RING

Here's what's going on: The 10k 1/2 watt resistor is for current limiting, so the diodes don't get fried during ringing pulses. The diodes are arranged so that the anodes are pointing towards each other. The important thing about the diodes is that the 1N5229 is a 4.3 volt zener diode. The way they are wired, one of them will be reverse biased at all times, no matter which way the polarity of the voltage is oriented. A zener diode, when reverse biased, will block current from passing through it just like any other rectifier diode, UNTIL the voltage reaches the breakdown voltage of the zener diode, which in this case is 4.3 volts.
Once that voltage is reached, the diode will limit the voltage going through it to 4.3 volts, even if the reverse biased voltage goes higher than that. The capacitor in the middle is to isolate the two zener diodes from each other. The capacitor will not allow voltage to pass through it under any circumstances, except for a small leakage voltage (no dielectric is perfect).

As far as I can tell, this circuit board serves as overvoltage protection for the phones attached to the customer wiring. Since the circuit is in parallel with the customer wiring, the whole thing acts as a voltage divider, and the zener diodes help to regulate the voltage.

Note: I may be wrong about the purpose of the board, but this seems to be what it's doing, to the best of my knowledge.

Line Recording Indicator
By (Harvester OF Souls)

This is for a telephone-to-recorder.

NOTE: Listening in is illegal unless authorized by at least one party on the phone line.

Equipment: Soldering iron, solder, electrical tape or heat shrink.

Needs: Double Female RJ-11 Plug adapter, 1 LED, 1 SPDT switch, 1 Stereo plug.

Instructions:

Open up the RJ-11 plug & cut the YELLOW & BLACK wires in the CENTER. If there isn't a yellow wire, cut the white. Twist the two wires together on each end & solder them together. Now tape up the exposed wires with electrical tape, or use heat shrink.

Cut the RED & GREEN wires directly in the center. Solder 1 red lead of the wire to 1 lead on the switch. On the lead furthest away from the red, solder one lead of the LED on it. Take the stereo plug & solder 1 lead to the lead on the LED that is left. Now solder the second pole of the stereo plug to the green wire.

USAGE:

When the switch is flipped, & the plug is attached, the LED will light up. That means that it is in use. (Recording or listening). When the plug is in and the LED is OFF, then the device is off. Plug it into a recorder & next time someone is on the phone, hit record & flip the switch. Happy listening!
:)

Harvester Of Souls

_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

Radio Frequencies
By Harvester Of Souls

Major 2 Way Radio Bands
-----------------------
Medium Frequency (mf)         1.6 - 25 MHz
High Frequency (hf)           25 - 30 MHz
Very High Frequency (vhf1)    108 - 136 MHz
Very High Frequency (vhf2)    150 - 174 MHz
Ultrahigh Frequency (uhf1)    450 - 512 MHz
Ultrahigh Frequency (uhf2)    806 - 821 MHz
Ultrahigh Frequency (uhf3)    851 - 866 MHz

----------------------

HF Inter-ship Frequencies

Frequency (kHz)   Geographic Area
---------------   ---------------
2003              Great Lakes only.
2082.5            All areas.
2142              Pacific coast area south of latitude 42° (degrees) north, on a day only basis.
2203              Gulf of Mexico.
2638              All areas.
2670              All areas.
2738              All areas except Great Lakes and the Gulf of Mexico.
2830              Gulf of Mexico only.

-----------------------------------------------------------------------

VHF - FM Channel Designation

Channel                                   Type
-------                                   ----
16                                        (Mandatory) Distress, Safety, calling.
06                                        (Mandatory) Inter-ship Safety.
65, 66, 12, 73, 14, 74, 20                Port Operations
13                                        Navigational
22                                        Liaison Communications only.
07, 09, 10, 11, 18, 19, 79, 80            Commercial
67, 08, 77, 88                            Commercial - Inter-ship
70, 72                                    Non - Commercial
24, 84, 25, 85, 26, 86, 27, 87, 28, 88    Public Correspondence.
162.4MHz & 162.55MHz                      NOAA Weather Service.

----------------------------------------------

Citizen's Band Radio (CB)

Note: all frequencies are in AM (Amplitude Modulation). Channels marked with an 'a' are illegal channels that can be used with a simple CB modification to the RF tuner.

Channel #   Freq.
---------   -----
1           26.965
2           26.975
3           26.985
3A          26.995
4           27.005
5           27.015
6           27.025
7           27.035
7A          27.045
8           27.055
9           27.065 (Emergency & road assistance)
10          27.075
11          27.085
11A         27.095
12          27.105
13          27.115
14          27.125
15          27.135
15A         27.145
16          27.155
17          27.165
18          27.175
19          27.185
19A         27.195
20          27.205
21          27.215
22          27.225
23          27.235
24          27.245
25          27.255
26          27.265
27          27.275
28          27.285
29          27.295
30          27.305
31          27.315
32          27.325
33          27.335
34          27.345
35          27.355
36          27.365
37          27.375
38          27.385
39          27.395
40          27.405

------------------------------

Other Frequencies

VLF (very low frequency)         below 30 kHz
LF (low Frequency)               30 to 300 kHz
MF (medium Frequency)            300 to 3000 kHz
HF (high frequency)              3000 to 30,000 kHz
VHF (very high frequency)        30,000 kHz to 300 MHz
SHF (super high frequency)       3000 to 30,000 MHz
EHF (extremely high frequency)   30,000 to 300,000 MHz

------------------------------

***Tip of the month (or whatever the fuck)***

When running two lines over 4 conductor cable that isn't twisted pair, watch out for crosstalk. I did this a while back, and it works just fine electrically of course, but the crosstalk is a pain. Note: this could also be used to listen in on conversations, and is almost undetectable, since inductive coupling will not produce an appreciable voltage drop in a phone line...You'd probably do well to get a ferrite rod from a radio tuning circuit and wind both pairs around it for better coupling.

Maniac's Guide to Lockpicking and Forced Entry
By: Maniac (who else?)

Preface

Much of the stuff in here is knowledge I absorbed from documents like The MIT Guide to Lockpicking and Jolly Roger's lockpicking file. Of course, a lot of it is random stuff I've figured out or learned from various people over the years. I'm not trying to rip off anybody's work here. Thanx to people who had a hand in writing all the files I've learned stuff from. Thanx to Rat for the dent puller idea.

First, I'll address lockpicking.
Picking a conventional lock usually involves applying torque to the lock cylinder while manipulating the pins with a pick. The goal is to push up each pin so that the split between each pin and the driver pin above it is lined up with the edge of the cylinder, and make it stick in that position. This is known as setting the pins. You must apply torque to the cylinder in order to set the pins and keep them set. Once all the pins are set, the cylinder will rotate and the lock will open.

Some locks have pins on both sides of the keyway (keyhole). There are a couple of varieties of this type of lock. The high-security version has a larger number of pins (like 5 or 6) on each side of the keyway. It is frequently used on auto ignitions. The lower-security version is used in less critical applications. It has fewer pins (typically 3 or 4 pins) than the high security version. This type of lock is often used for turning vending machines on and off, securing glass cases in retail stores, and on most garden-variety display cases.

Now that we've covered the basics of picking and some common types of locks, let's concentrate on opening the suckers, since that's what everyone wants to do.. Locks can be picked using a torque wrench and a thin steel pick with a triangular or rounded end...however, picking a decent lock takes time, even when done by someone who knows what they're doing. Sure, you've seen locks opened in seconds in the movies, but in real life it doesn't tend to work that way. That's why we have forced entry, which works on the principle of "screw picking it, just break the fu#*ing thing"

To break into things, you need some tools. A good swift kick and some bodyweight can often be a useful tool. I also recommend the following stuff. You don't need it all at once, but it's good to have around.

Bolt cutters
    18" are very portable and good for getting through fences
    30" are good for bigger stuff, especially cutting locks on dumpsters when dumpster diving
Crowbars
    Great for Jimmying doors and cabinets
    Short ones for little stuff
    Long ones for heavy duty stuff
Hacksaw
    Lots of uses
Screwdrivers
Pliers
Slide Hammer (dent puller)
    Screw it into lock cylinders, then bam! Rips em out when you throw the slide (supposedly)
    I've never tried it before, so I don't know for sure, but it might work.
Hammers
Chisels
Wrenches
Tamper-Torx bits for removing security screws
Tamper hex (a must for stealing payphones without making a mess)
Allen Wrenches
Whatever other hand tools you might need to take something apart

Parting Words

I'm sure a lot of you thought Security Breach was no longer around, since it's been so long since the last issue. I hope this issue dispels that notion...We're still here. I've just been busy, that's all. Hopefully issue 4 will come out in a more timely fashion. Well, anyways....until next time, keep exploring and exploiting...And remember, say YES to software reverse engineering. The legislators can shove that bill where it fucking belongs...

~~Maniac