ÜÛßßßßßßßßßßßßßÛÜ ÜßßßßßßÜ ÜßßßßßßßßßßÜ ÛßßßßßßßßßßÜ Û.ÅÄijÄÄ¿³ÀijÄø Û Û Ä¿úÀ¿ ßÜ Üß ÚÄÄijÄÄÄÄ Û Û .ÃÄÄÄÂÄÂÄ ßÜ ÛÜÜÜÜÜ Ä³ÙúÜÜÜÜÜÛ Û ³ÚÄÄÄ¿ ßÜ Üß ³ú ÜÜÜÜÜÜÜß Û Ä³ÄÄÙ. ÀÄ¿ Û Û Ú³Ä Û Û úÀÅijÄÁ úßÜ Û ÄÁ ³ Û Û Ä³ ÛßßÜ ¿³úÛ Û À³Ä Û Û ÄijÂÁÄÄÄÂÄÄ Û Û ÄÄÂÙ ßßßßßßßÜ Û Ã Û Û ³³ Û Û úÃÄ Û Û ÄÄÙ³ ÚÄÁÄ¿ .Û Û ÄÄÀÄijÄÄÁÄ¿³ Û Û Ä´ Û Û ³À Û Û ÄÙÄ.ÛÝ Û ÄÂÄÙúÀÄijÃÄ Û ÛÜÜÜÜÜÜÜÜ ÄijÙ.Û Û ³úÛ Û ÀÄ Û ÜÛßßßÜÜßßúßÜ Û .³ ÞÛßÛ Ã³ú ÛÜ ÜÜÜÜÜÜÜÜÛúÄÄÁÄ Û ÛÝÄÁÄÛ Û ÂÄ.Û ßÛ° Þß ßß ÛÛßÜ ÜßÜ.ÛÜ Þß ßÝ ÜÜ°ßÛÜ ÛÜ ÜÜÜ ÜÜß ÜÛÝ ÛßÜ ÜÝÜÜß ³ÜßÛÜ ß .Û±ß ß .ß þÜÝÛ Ûßß±ß úßßÛ°ÛþÛß ßßÝÛßÝÛß úÛÛÛÛ.ÛÛ ÞÜ ßßÜÜß ßßÝÛ.ÛÝ ß ÞßßÛÛÛÛß ßÛÛßÛÛþÛÛÛßßßßÜ ßßÛ. ßßßÞ ßÛÜß ßÛ. ÛúÝ ÛþÛÛÛ ÛÛ ú Þßßß Ý ß ßÛÛÜßßßÛ.ÛÜß . . ß ßÝ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[ The Association of Social Disorder Presents : ]ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ The TASD newsletter number 002 ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ Contents of this newsletter - CELLULAR PHREAKING CARDING SCAMS/PROBLEMS QUICK 'N EASY BOMBING PART 2 HACKING SYSTEM 75/85 PBX'S CELLULAR PHREAKING - This is an area that has brought up some serious questions about how on earth can we scam the people who thought having a phone to call and order pizza from their car would be 'neat'. Cellular phreaking is a fairly new area and should continue to grow with the large number of people now buying their very own mobile phones, I mean they have to eat pizza too you know. Anyhow, there are some basic ideas in the way that a car phone works that would allow a person to be able to scam some free air time if so desired. 1) Changing of the actual data within the phone and calling with someone else's phone number and letting them get billed. 2) Making your area's cellular carrier believe that you are from another area code and that you are a valid number, regardless if you are or are not. Ok, lets assume here that you would wish to do number one, and that you are not dumb enough to still use a blue box. Now, still assuming the previous, you would need to be able to have some sort of ability to scan the higher 800-900 mghtz radio freq range where cellular phones operate, blank PROMs 256 bit capacity, PROM programmer, and the ability to decode the phase-key shifted information passed from the phone to the receiving station. The information is sent in the following order : 1 The caller's ESN (serial number) 2 Caller's home system number (2 digits long) 3 Caller's AC+N 4 Number caller wishes to dial When the cellular system recieve's the caller's data it will check and make sure that the ESN and caller's ACN match, if not, no go. If so, then the call will go through and the bill is later sent to the home system of the caller. Now with this information you are wondering how on earth you could change the ESN and home system number in your own car phone, that now follows. [ THE FOLLOWING DATA LOCATIONS ORIGINALY COMPILED BY THE MAD PHONE MAN ] NOTE - NAM = PROM The NAM contains the subscriber number and lock code, the home system identification and other system required information. You may wonder how this info is arranged. The NAM is organized into 32 rows and 8 columns. It is 32 words of 8 bits each. (256 bits total) Starting from the top of the NAM (address 00) you will find the abreviation SIDH, This means "system id number home" , a number starting at 0001 assigned by the FCC. Each market allows two systems. Even for the wire-line and odd for the non-wireline. At address 03 we find LU (Local use) on the left and MIN on the right these are usualy set to 1. Locations with zeros are reserved. Going down the map, there's MIN1 and MIN2 the subscriber number and the area code respectivly Dont try to read them from a raw printout of the NAM data, they are scrambled beond recognition. The reason? The way they are arranged is the way they must be transmitted to the cellular systems receivers. The programmer does this to make the radio's job easier. Next is the station class mark, which identifys the class and power capability of the phone. The system will treat a handheld (low power) differently than a standard 3 watt mobile. - IPCH is the inital paging channel. The radio listens for a page on this channel. Wirelines use 334 and non-wirelines use 333. - ACCOLC (ACCess Overload Class) is designed in throwing off customers in the event of an overload. Thru neglect this standard has been largely unused. (A class 15 station is supposed to be police, fire, or military) Usualy its set to 0 plus the last digit of the phone number to provide random loading. PS- Prefered system. This is always 1 in non-wireline and 0 in wireline. The lock code is about the only thing you can read directly by studying the NAM data. The "spare" bit must be a 0 if the radio contains a 3 digit code. Because the number of clicks when you dial 0 on a (dial) phone equals 10 zeros in the lock code are represented by an "A" the hexadecimal equiv of 10. EE,REP,HA, and HF correspond to end-to-end signaling (DTMF tones possible you talk) REPeratory dialing (provision for 10 or more numbers in memory) Horn Alert and hands free. Like all options, they are 1, if turned on and 0 if (all these numbers are in hex) are supposed to be used by radio mfgrs to store option switches. Usualy 13 is used, 14 sometimes and the rest less often. Last you will find checksum adjustment and checksum. These numbers are calculated automaticly after the data has been edited for the NAM. The sum of all words in the nam plus these last two must equal a number with 0's in the last two digits. The radio checks this sum and if it isnt correct the radio assumes the NAM is bad or tampered with. In the case the radio refuses to operate until a legal NAM is installed. MARK most BIT SIGNIFICANCE least Hex DEFINITION address ---------------------------------------------------------------------------- | 0 SIDH (14-8) | 00 ---------------------------------------------------------------------------- | SIDH (7-0) | 01 ---------------------------------------------------------------------------- LU=Local use | LU | 0 0 0 0 0 0 | MIN | 02 ---------------------------------------------------------------------------- | 0 0 MIN2 (33-28) | 03 ---------------------------------------------------------------------------- | MIN2 (27-24) | 0 0 0 0 | 04 ---------------------------------------------------------------------------- | 0 0 0 0 | MIN1 (23-20) | 05 ---------------------------------------------------------------------------- | MIN1 (19-12) | 06 ---------------------------------------------------------------------------- | MIN1 (11-4) | 07 ---------------------------------------------------------------------------- | MIN1 (3-0) | 0 0 0 0 | 08 ---------------------------------------------------------------------------- | 0 0 0 0 | SCM (3-0) | 09 ---------------------------------------------------------------------------- | 0 0 0 0 0 | IPCH (10-8) | 0A ---------------------------------------------------------------------------- | ICPH (7-0) | 0B ---------------------------------------------------------------------------- | 0 0 0 0 | ACCOLC (3-0) | 0C ---------------------------------------------------------------------------- PS=Perf Syst | 0 0 0 0 0 0 0 | PS | 0D ---------------------------------------------------------------------------- | 0 0 0 0 | GIM (3-0) | 0E ---------------------------------------------------------------------------- | LOCK DIGIT 1 | LOCK DIGIT 2 | 0F ---------------------------------------------------------------------------- | LOCK DIGIT 3 LOCK SPARE BITS | 10 ---------------------------------------------------------------------------- EE=End/End | EE | 0 0 0 0 0 0 | REP | 11 ---------------------------------------------------------------------------- REP=Reprity | HA | 0 0 0 0 0 0 | HF | 12 ---------------------------------------------------------------------------- HF=Handsfree | | HA=Horn Alt | Spare Locations (13-1D) | | contain all 0's | 13 | | to | | 1D ---------------------------------------------------------------------------- | NAM CHECKSUM ADJUSTMENT | 1E ---------------------------------------------------------------------------- | NAM CHECKSUM | 1F ---------------------------------------------------------------------------- [ END DATA ADDRESSING ] Now that we know soooo much about how the cellular phones work, what else could we come up with? Well this is where we talk about number two scam idea from up above. Lets say you didn't feel like scamming someone in particular, so instead of putting the real phone number and ESN of someone, just put a fake one in and make it from a diffferent area code. The cellular services don't have a way of checking the validity of outside area code phones. Use this to your advantage. The number you put has to be a real exchange, the companys DO have this information. Anyway, go have fun ordering some pizza's. CARDING SCAMS/PROBLEMS - Well something that most everyone should at least know a little bit about is carding. Now, there are plenty of text files out there on the subject of making fraudulant credit card orders, so I won't get into that part of it. What I will talk about it the way that some of the companies are now checking cards better, and faster than ever. Lets say you were thumbing through your new issue of the PC Mag, and there is a brand new 17.3 Terrabyte hard drive you really want. Ok, you call up the company and you have credit slip in hand and tell them all your info. First problem, they won't ship to anything but the card's billing address. Next thing you run into, they want to have lots of the card owner's information that you don't have. Now if you manage to give that to 'em in a few hours, they CALL the call holder's billing number and confirm the order. Plus many other little 'tactics and tricks' that you have to deal with. So what is a carder to do? First choice, call somewhere else that looks a little easier, but if that is not an option this is some things you can do to get around little annoyances. P> Won't ship to non-billing address A> Tell them it is a gift or is for your brother or something, this is where you get to have a good chance to "Social Engineer" P> Need card owner's address and phone number A> Call directory assistance, and hope ther are not unlisted, if they are, look around for a text file about info on anyone, and try some of those tactics P> They call the card owner later A> You can try a few things here, give them the phone number to something that never answers, or is always busy. Or really give them the phone number for the card owner and call right after you know no one will be home at the card owner's place and hope they try to call when no one is home. P> They want the bank that issued the card. A> This is usually bull shit, and you can just tell them a bank in your area, most of the time they don't have a clue. There is a listing of bank numbers around, so look if you really want them. Few other hints : Don't order overnight, sound older than 10, act like you know what the hell you are doing, and always dial up from a payphone or PBX, etc. QUICK 'N EASY BOMBS PART 2 [Bomb installment number 2 Written by Dark Illusion] OK, well here are a few bombs, that are simple to make, and can be fun to use on enemies or just for the fuck of it.. [The Flaming Smoke Bomb] Take an empty ketchup bottle and wash it out. Now add in about 2/3 of saflower oil. Next add about 1/4 (vol) of gasoline. Now, with the top to the ketchup bottle, make a fuse. I perfer to use those nice ketchup the best fuse holder and all. After you made the fuse, screw the cap back onto the bottle. Give the bottle a little shake to mix the gas and saflower combo. Then light the fuse and throw it. Once the gas catches, and burns off, you'll end up with the saflower. Salflower wont cause a "flaming" effect, but will smoke like hell. [Car Tire Bomb] Mix some solid nitric iodine with your every day household ammonia. Let the mixture sit for at least 24hrs. After that, pour off the liquidy top. And what you'll have left is a mud like substance. Take that mud substance, and place it on your enimies car tires. Make sure that the substance will have a time to dry. So do it at night. The next day when when he starts his car and rolls a few few. The tires with that will blow out. Pretty nice. Another trick to do is, make little golf ball size bricks of the mixture. Then once it drys out, throw it off the roof of a building or throw it into a crowd of people. 'Just be creative and careful, and don't sue me if you lose a hand!' HACKING SYSTEM 75/85 PBX'S This is not going to go into any great detail about the workings of a system 75/85 as they have some really good on-line help features that should allow you to play with most anything. A system 75/85 is a relativly popular system to run PBX's off of and most are quite hackable. First step in this process is to find a system 75/85, you can achieve this using any number of the prefix scanners availible today, I prefer ToneLoc. A system 75/85 is almost always a 1200 BPS connect, and will usually have an 8N1 setting. Identifiable also if the prompt you recieve is a "Login:" with an upper case L. It is at this point you rely on the system default password and user names to get you into the system. I am not going to tell you any except the following - User name "browse", password "looker". This is usually a low level account allowed to look around and not much else. Use this to figure things out. I will leave it up to you to get the system default passwords, as not many people wish to give them out. After you log in, it will ask for a terminal type, I recommend using the 4410 terminal, as I like it the best. The following is the terminal emulation keys that you must know to operate within the system... (Turn caps lock on at this point to enter in the codes) ESC OP - CANCEL ESC OT - HELP ESC OR - SAVE ESC OV - Next page ESC OW - Back page ESC OQ - Refresh ESC OS - Clear fields Once you know this, use help when you need it, and look around. I recommend looking at the "Change Rem Acc" command for setting/changing/looking at the outdial barrier code that you must know to use the PBX to call out. I will cover more of the actual system 75/85 operations in a future edition, so until then, use this to your advantage. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ The previous was a TASD production.... For the latest TASD articles/textfiles you can call Realm of Warriors [201] 728.0941 NUP:DARKNESS (14.4k) Countdown to Extinction [212] 765.1701 (14.4k) If you would like to get in touch with the TASD team, you can call the above boards and leave mail to Wilco. ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» º º º If you would like to become a TASD courier/distro/writer please look at º º the included TASD.APP file. º º º ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ