January 1996

BB in Germany
written by Dr. Fraud

Hi Phreaks !

In this article, I wanna write a little bit about BB in Germany. This phile
is NOT a 'how 2 do it' essay.... It's 4 phreaks to show what has been done and
what is still possible. I also won't describe any signalling systems like
C5/R2/C7, cause everyone who reads this phile should know how they work. I
have put the TXT into several groups like the following:

- Overview: breakable countries
- Why are other countries not breakable ?
- The story 'bout C4
- You don't get a busy flash....ahahaha!
- How the TELECOM filters work
- About Hardware
- Problems with Transit/Routings
- How 2 get Routing Codes

1.) Overview: the breakable countries

At the 1st point, I wanna give you a short list of the easily breakable
countries. As u can see, there are many ones u can break, but most of them
are not very interesting (seen in the aspect of getting out of those
fucking desert-countries....). The only exception are the C5/R2 countries.
But at the moment, there are only very few people who can phreak them...
congratulations !

Okay, here are the breakable ones (alphabetical order)

> Argentina (+54)
> Brasilia (+55)
> Chile (+56)
> China (+86)
> Colombia (+57)
> Emirates of Arabia (+971)
> Guatemala (+502)
> Hawaii (+1-808)
> Indonesia (+62) [not available from everywhere]
> Iceland (+354)
> Japan (+81) !! hard 2 seize !!
> Jordania (+962) !! still offline !!
> Macau (+853)
> Malaysia (+60) [not any more !]
> Nicaragua (+505)
> Paraguay (+595)
> Philippines (+63)
> Singapore (+65)
> South Africa (+27)
> Uruguay (+589)
> Venezuela (+58)

At 1st, I wanted to add the frequs for each country....no, not exactly, but
at least a description like: Cl.Fwd/EOf/Seize. But I decided that it's not
very useful because you should be able to find them out by yourself. Besides,
all these ones are C5 and quite simple 2 break (more or less.... arghh
I hate the Philippines !!!!!!). U can reach them via HCD (standard) with
the exception of HawaII.

NOTE: These are not all the existing countries you can reach by a toll free
number... but these ones are the easiest to call. If you want to
call other countries by direct (=local) breaking, start scanning !

* Concerning the Thailand HCD (+66), I'm not sure what it is, but I think it
should be C7. If not and if you can break it, please contact me !
* At MCI and AT&T, I already had sume arguments with other phreaks, but I know
that at least AT&T _IS_ breakable ! [note: or WAS breakable until 12/95]

The problem with R2 is that it's mostly PCM (in Germany). This means that
a multiplex system is used to mix information and signalling signals.
So you use 1 channel each, but it seems as if you are just on one channel.
At the moment, I still don't cope with those systems... Sumetimes, I get a
Hgup, but I don't know whether it's caused by my BB or by that fuCkiNg
switch.

Another problem is: there's no absolute standard on R2. It depends on the area
you live in and the country u wanna break 2 get a success. Just start
scanning... Some hints: Of course, u should only scan the effective signalling
band....it would be quite senseless to scan from 500 up to 1500 Hz. And
always remember: R2 is not an international system. It's always combined with
at least one signalling frequency of another system (like C5) !

2.) Why are other countries not breakable ?

aaaahahahhah!!! stupid question. Cause they changed to C7.
Anyway, there is a possible exception: The "Fiiieep" linez. If you are not
from Germany, you can't imagine what this means to the phreaker: You know,
some switches (e.g. the Siemens-Alcatel) require an exact timing. The Cl.
Fwd. must be sent at exactly the time when you can hear the 2nd "click" (or
some milliseconds after). There is one problem now: The Telco has changed
that click to a noisy "fiiieek" now on some nuMbAs. That noise is
intermodulating the break you send. The result is: No result.

The only thing you can do: (except when you live in area 03....ggrrr...I
hate everyone in there...) increase the volume of your break to a maximum
and try to find a guard tone that fixes that interference...this should be
not too easy.... after some minutes of experimenting, you may be able to
achieve a HgUp, but seizing will be quite complicated !

3.) Phunny story bout C4

Just a few words 2 the phreaks who wanna start scanning C4 lines,
inspired by the Scavenger dialer: Yes, u can call via C4 lines, if u

a) break an oversea line (e.g. Germany => Paraguay...aaeh..no...Paraguay uses
R2 at the country itself...)
b) call a C4 based numba in that country, break it and have phun...

But there are 2 major problems:

a) linez are shit
b) there are nearly (I said nearly, in fact, I don't know _ANY_) no C4 linez
left... perhaps, u will find some in South America or Africa.

So, forget the C4 shit and concentrate on the future... and future is
definitely NOT C4 !

3.) U don't get a Busy Flash.... ahahhahahahaha!!

If you are unable to receive a Busy Flash, then you've got a problem: the
TELEKOM filters. These phunny devices are sitting in the toll-free oversea
trunk groups just for one purpose: Killing the Clear Forward and the Seize
signal to avoid line manipulation. In my area, there were 2 different kinds
of filters:

The first ones were just inverters, which lowered or raised the specific
signals sent in the line. This means that a 2400/2600 tone will be recognized
by the switch as, e.g., a 2350/2650 signal... This means that you can
easily pass those filters when sending e.g. a 2450/2550 tone. This is, of
course, not a very effective protection !

At the next step, a more complicated system was installed: a Schmitt-Trigger
system, combined with a selective switch. I will explain later how it works
exactly.

At this time, just remember: It's IMPOSSIBLE 2 install any protection that
will avoid inband line manipulation 100% . There's always a way to pass it !

4.) How the telecom filters work:

The function of those devices is quite simple: the filters are put in the
line subscriber ----> german switch. This (should) avoid a line manipulation
from the side of the subscriber's line.

The filter consists of a simple notch filter that blocks the 2400 signal if
the installed frequency counter counts the critical frequs.
The bandwidth is all over the tolerance of the frequency used for
international trunks. This is achieved by a strong damping of the circuit. Just
find an international exchange and let it give you a nice echo. Then, start
scanning and draw a function of the filtered tones. U should draw that
function in dependence of the frequency and the volume.

The tricky thing is the following: the filters are "normally" not enabled.
They are only activated when receiving a signal that is in tolerance of their
setting. The control of "enabled"-"not enabled" is taken by a simple
Schmitt-Trigger circuit. Just look at sume electronics book for further
information. To activate the Trigger, a tone of a certain frequency _and_ a
certain length must be received (Trigger-Level).
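
Added example (not part of the original phile and not taken from any Telekom equipment): a detector-side model of the enable logic just described, with a Goertzel tone measurement feeding a Schmitt-trigger style two-threshold gate and a minimum-length check. The 8 kHz rate, 20 ms frames, thresholds and minimum length are assumptions, and the audio is constructed.

```python
import math

RATE = 8000               # samples per second (assumed telephony rate)
FRAME = 160               # 20 ms analysis frame (assumed)
TONES = (2400.0, 2600.0)  # the two signalling frequencies the article names

def goertzel_power(frame, freq):
    """Squared amplitude of `freq` in one frame (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (len(frame) / 2.0) ** 2

def tone(freqs, frames, amp=0.5):
    """Constructed test audio: sum of sines lasting `frames` frames."""
    return [amp * sum(math.sin(2 * math.pi * f * n / RATE) for f in freqs)
            for n in range(frames * FRAME)]

def detect(samples, on=0.05, off=0.01, min_frames=5):
    """Schmitt-trigger style detector: arm at `on`, release only at `off`,
    and report a run only if it lasted at least `min_frames` frames."""
    events, active, start = [], False, 0
    nframes = len(samples) // FRAME
    for i in range(nframes + 1):
        if i < nframes:
            frame = samples[i * FRAME:(i + 1) * FRAME]
            level = max(goertzel_power(frame, f) for f in TONES)
        else:
            level = 0.0  # end of input releases any open run
        if not active and level >= on:
            active, start = True, i
        elif active and level <= off:
            active = False
            if i - start >= min_frames:
                events.append((start * FRAME / RATE, i * FRAME / RATE))
    return events

# Constructed sample: 1000 Hz stand-in for speech, a signalling burst that
# fades mid-way (level between `off` and `on`), speech, a 40 ms blip, silence.
SAMPLE = (tone([1000], 10) + tone(TONES, 5) + tone(TONES, 3, amp=0.15)
          + tone([1000], 10) + tone([2600], 2) + tone([], 5))

if __name__ == "__main__":
    print(detect(SAMPLE))            # hysteresis keeps the faded burst as one run
    print(detect(SAMPLE, off=0.05))  # single threshold: run ends at the fade
```

With the two thresholds apart, the level dip inside the burst does not release the gate, and the 40 ms blip is dropped by the length check.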

So: when u add a third tone to your Cl.Fwd., an intermodulation is obtained:
the volume increases and decreases in the same frequency as the
guard tone. So, u just need to find the correct guard tone(s), and u will be
able to pass the filter.

Sometimes, it's a little bit more tricky: If this method doesn't work, just use
some fuzzy tones (mix the tones with colored noise). This changes the waveform
from sine to something un-definable. That sort of signal is much harder
to trigger (if you've got an oscillograph, u can see it quite well). So, the
chances of "confusing" the trigger are much better....

Finally, there's a third method: Just create a trunk that you play _before_
the "real" trunk....the more tones, the better ! I use the nice TLO444 and
wrote a tiny script that will do this job quite well...it has 'bout 20 tones,
played with 3 or 4 frequencies each. If you set the right frequs (TIP: use the
frequs near the signalling area, add a DHLS sumetimes, play a 2000 Hz and so
on). If you have done it right, that filter will be "confused" (you can
compare it with drinking 10 beers and going to bed immediately) and it can get
passed much easier.

5.) About Hardware

It's always useful to have some hardware that can support you while whistling
around....the good old walkman-headphones are fine for checking out a line
you can't break yet, but it's not possible to get a 100% great result. Just
call your favourite HPA board and leech the schematic of a standard BlueBox.
I use a more comfortable method. This has two reasons:

1.) When using a transformer that is connected to the phone line directly,
your ears will be bloody after a whole night of scanning
2.) Connecting the soundcard in another way will offer you much more comfort.

If you've got some idea about electronics, connect the output of your computer
to the microphone in the telephone. The ECM-Micros work best. Normally, it's
necessary to limit the signal with a resistor of about 50K. And if you want to
record the line, connect the mic. input to the speaker of your phone.
Depending on your circuit, it may be useful to add a small capacitor (.1uF).
This offers a much better quality and the tones sent out of the speaker while
breaking are much more calm. This allows you to listen better to any reaction
of the line. And if you've already done that piece of work, then you can make a
device that allows you to hang up the line and release it again automatically.
I built a switch that is controlled by the tones sent out of my dialer. I just
reserved a frequency (ca. 3900 Hz) and adjusted that phunny device to exactly
that value. So, if I send a 3900 Hz tone, my line hangs up automatically and
releases again after a freely definable time. If you are interested in that
device, just contact me !

Also phunny is a circuit that can decode the special-info sequence (you know,
that tuuu-tuuuu-tuuuuu you receive when calling a not-existing number). I
don't know whether this is also possible by a powerful realtime-software; but
when connecting that circuit to the parallel port, you may increase the rate
of success while scanning to the maximum. When using that device, you needn't
sit in front of your screen anymore... you just wait for a "success-beep"
from the computer when getting a number that does not result in the
special-info-tone. The only condition for this is a well-programmed software.

Another phunny toy is an oscilloscope, because:

- You look so cool when sitting in front of it, dialing, phreaking, pushing
all the buttons at the scope (and only you know what they are good for) and
watching the great waves appearing on the screen when getting a connect ...
- Hmmm..and, besides, an oscilloscope is EXTREMELY useful to find out
everything that has to do with waveform, amplitude and delay of the signal sent
in the line, and, more important, coming out of it. E.g., you can search a
number, kill the exchange, sending a signal which will give you an echo and
start analysing the behavior of the switch.

The last point about hardware: A device that can send a variable (coloured)
noise into the line. A very simple noise generator is an old radio. Just put
it on AM and search an area with a good, strong noise. By turning the knob in
any direction, the sound of the noise should change a little bit. To find the
best position, set your dialer to a 60s Cl.Fwd. and mix it with the noise
obtained by the receiver. Believe it or not, it works !

BTW : Yes, I know, the Scavenger dialer has this feature, too. But the noise
routine seems to be a little buggy...besides, it's much easier to use
a little hardware, because you can find out the correct setting very
fast just by turning a knob in any direction. The only thing you've got
to do is to connect the speaker of the radio (or, in other words, the
two wires leading to the speaker) with the phone line using direct
connection or transformer. A 50K resistor prevents the noise from
getting too loud. Just play a little bit for optimal results.

6.) Problems with Transit/Routings

Some years ago, finding out a routing or using transit was no problem (I say
this not out of my own experience; I'm not doing BB as long that I can
confirm this....but I was told so).

Now, things have changed a little bit. The old standard of using <KP2>-CC-DD
is working only to some boring countries with boring lines. The "good"
countries (like HK/USA etc.) are extremely well protected now. But in spite of
that, you can still get a success if you have a free afternoon and some luck.
For example, the toll free lines of some countries can sometimes be called
from an international exchange. To give you an example:

a) you call the HCD of a country that has <KP2> disabled
b) you break it
c) after breaking, you call the Op. of another country (e.g.: A02-800-XXX)
d) you wait for the "chick" and break the line country --> next country
e) perhaps this country you are in now has <KP2> open ....

The disadvantage of this is that you MUST set your trunk very exactly. If your
break for the 2nd country is in tolerance of the switch of the 1st country,
your line kicks off...hahaha....try it again.

Perhaps, you find a country that is breakable with 2400 and 2600 Hz, sent
separately. On HawaII, you will notice that you can send the tones separately.

If you've found a Transit or a Route, you can try to find a gate in the
following way [just for example !!!]:

a) You can do transit via XXXXXX to Russia
b) You want to call YYYYYY
c) Just dial <KP2>7-00-YYY-nuMbA<ST>

The success of this method depends on the "transit power" of the country you
can do transit to. Perhaps you can try it out by calling directly.

Another way of calling is to change the exchange you are in by sending a
loooong signalling tone....the more experienced phreaks will know what I mean
when talking about this..... This method only works on quite old switches.

7.) How 2 get Routing Codes

At the beginning of this article, I wanted to tell you how to find out which
country offers which routes to kall out. With this method it's not often
possible to get the routes directly, but you will know whether it's sensible
to start scanning around.

But now I decided not to tell you that possibility, because it won't work
anymore if too many people use it. BTW, forget the old trick with <KP2>-2F-<ST>
The operators are still incredibly stupid, but they won't give out their
Operator routes to someone who says: "....Hi, lines are busy,...please gimme
your routing for calling Canada...".

Okay, that's it....I think that you knew most of the things I told, but
perhaps you found a little hint that may be useful for you. Have a nice life !

Greetz,
Dr. Fraud

P.S.: This article didn't grow out of my own free will....
I was forced to write it....hahaa... ...and remember: J.F.K. is dead !

<yeah and i'll do it again for the next mag hehehehe! [vH]>