OoO=o=oOO=o=O=OoO=o=oOO=o=O=OoO=o=oOO=o=O=> OoO=o=oOO=o=O=OoO=o=oOO=o=O=OoO=o=oOO=o=O=> OoO=o=oOO=o=O=> : -`- -`- OoO=o=oOO=o=O=> ; _|_--oOO--(_)--OOo--_|_ OoO=o=oOO=o=O=OoO=o=oOO=o=O=> | ¡ K-1ine Zine ! | OoO=o=oOO=o=O=> ! issue 10, volume 4 ¡ OoO=o=oOO=o=O=OoO=o=oOO=o=O=> ---------O^O---- OoO=o=oOO=o=O=OoO=o=oOO=o=O=> ;. |__|__| OoO=o=oOO=o=O=OoO=o=oOO=o=O=OoO=o=oOO=o=O=> || || OoO=o=oOO=o=O=OoO=o=oOO=o=O=OoO=o=oOO=o=O=> ooO Ooo OoO=o=oOO=o=O= OoO=o=oOO=o=O=OoO=o=oOO=o=O=> OoO=o=oOO=o=O=OoO=o=oOO=o=O= OoO=o=oOO=o=O=OoO=o=> ¡ December 2000 ¡ "Analogue Loop" _____________________________________________________________________________ [Words from the Editor] | | | *: [-] Introduction .......................................... The Clone :* *: (-) Contact Information ................................... The Clone :* *: (-) Affiliate Web-Links ................................... The Clone ____________________________________________________________________________ [Docs] | | | *: (x) 'Xandor Speaks: MIND KONTROL ULTRA' ................... Nettwerked :* *: (x) 'A model of the brain in eight circuits' .............. Anonymous :* *: (x) '1-877-888-99XX Scan' ................................. Magma :* *: (x) 'Numbers' ............................................. Untoward :* *: (x) 'Flaw in ESN/MIN tracking creates opportunities for ... root@opentelco hijacking and denial of service attacks' *: (x) 'Millennium Payphone - Power Out Exploit V2.0' ........ PsychoSpy :* *: (x) 'Millennium Desktop Payphone; A How-to Guide on ....... The Clone :* Circuit Frying' *: (x) 'OCR #2: NORTEL NORSTAR; MICS-XC' ..................... The Clone :* ______________________________________________________________________________ [Conclusion] | | | *: [-] Credits ............................................... The Clone :* *: [-] Shouts ................................................ The Clone :* _______________________________________________________________________________ -- Introduction The winter of 2000 is now finally among us. It's hard to believe that the year is almost over, it felt like just yesterday when the world was preparing for the Y2K crisis. This year was quite the year for myself and my colleagues as a lot happened that I would like to quickly go over. In the beginning of the year, several of us from the January 2600 meeting were involved in the "STOP THE MPAA" leafletting campaign which in my humble opinion was a complete success (read our story at: http://www.2600.net/news/2000/0207.html). In the months following, I received an emmense amount of e-mail from visitors of my web-site who all asked the same question "what happened to K-1ine and when are you coming out with more issues?" The original reason why I stopped writing the issues that I started in the spring of 1999 was because I wasn't receiving enough feedback and contributions so I felt like, in a sense, I was wasting my time. By April, the e-mail had been building up and the demand for K-1ine was beyond anything I had ever expected so I decided to do the right thing and release the third issue. From then on the 15th day of the month, every month, I was to release a new issue of K-1ine. Now I'm in my 10th issue, and I can't tell you how happy I am with all the people who have contributed articles, codes, and poetry to me to place in the e-zine issues. It really is a joy to see that people really do care about the underground h/p scene... which brings me to my next subject; CPU. After attending my second Def Con convention this summer in Las Vegas (which by the way was incredible! Pics available: http://www.hackcanada.com/cons/) the inspiration I got from the wonderful people I spoke (shouts to: Stevyn, The Prophet) with persuaded a force inside of me to do more for phreaking scene than I already have been doing (yeah a lot). So around mid-September, the Canadian Phreakers Union was founded by BenCode and myself. The Canadian Phreakers Union is a loose-knit organization dedicated to unify- ing the Canadian phreaking scene in Canada. The reason we started CPU is because we felt that the people involved in phone phreaking throughout Canada are just too scattered out and no one seemed to want to do anything about it. We all meet up on IRC on the server irc.at0mix.net in the locked channel #cpu and discuss everything and anything that involves phones and telecommunications technology, have voice-conferences, and just have fun! Since September, CPU has grown substantially... we have group projects going on (www.nettwerked.net/TFA/projects.html) as well as semi-private projects such as 'OpenTelco' and G.U.T.S.C.I (Global Underground Technology Secure Communication Infrastructure). What is coming up in the New Year of 2001? [ H C - T V ] Tune out the mass-media propaganda of television programming, and tune into the 100% webcast net-show; HC-TV. HC-TV is Hack Canada's very first international coast-to-coast premier. We will focus on h/p, culture, politics, humour sketches, and all the stuff that mainstream news outlets won't show you. We are the new MEDIA players in da house and we DO plan to take over your conscious, subconscious and unconscious minds, so be prepared! --> Contact Information; Comments/Questions/Submissions: theclone@hackcanada.com On IRC: irc.at0mix.net, #cpu (key required) and #hackcanada Shoot me an ICQ message: (UIN) 79198218 Check out my site: (Nettwerked) http://www.nettwerked.net --> Affiliate Web-Links: B0G http://www.b0g.org Damage Incorporated http://www.freeyellow.com/members6/damage-inc/index.html Grass Hopper Unit http://www.haxordogs.net/ghu/index.html Hack Canada http://www.hackcanada.com PyroFreak http://www.multimania.com/pyrozine/index.html QHA http://www.qha.cjb.net/ --> _-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-_ - u dumb sorry no whitty shitty poop breath turtle tits licker - "Xandor Speaks: MIND KONTROL ULTRA" Date: 11.29.00 [Featured on end page: 'Mondo 2000' Issue 11, (c)1993] DEAR DEHUMANIZED DIGITAL DILETTANTES: Hello, hello, are we asleep again? Are we nodding off at the wheel as we trundle down the data superhighway? As CompuServe hails a "New World Order" of "altered ideologies" and ecofascist Al Gore unveils his Trojan Horse data superhighway designed to trap millions of cognitive dissidents into revealing their interests and knowledge online to NSA digital snoops. Don't you realize PGP really means Pretty Good Prison? That deep-cover NSA datacops have been behind it all along? We live in interesting times. Did you know that the mars Observer was shut down when it sent back pictures of pyramids and cities? Or that Comet Shoemaker-Levy 9, scheduled to impact Jupiter on July 22, 1994 is really the ultimate doomsday "Alternative 3" scenario of the New World Order? And if that doesn't fry your synapses how about the Office of Naval Intelligence and the DIA's massive cover ELF weather-and mind-control war amongst Russia, Japan, France, and Israel, creating massive floods, earthquakes, cancer, AIDS, and other plagues in the process? Remember, when you wake up agitated at 3:00 in the morning, that's when they're running ELF transmitters to program your dreams. It's also the time when most UFOs appear - quelle coincidence! Let me explain: They send out subliminal signals over all radio and TV channels and use microwave antennas to beam instructions via ELF modulation into your heads to reinforce hypnotic screen memories of alien doctors in spaceships, when they're actually Franken- steinian Nazi scientists running bizarre eugenics experiments in underground tunnels created by massive subterreaning machines which are the cause of the slowly moving hum you hear underground in Taos and other parts of the South- west. But you don't have to have an intranasal brain implant to be under their control. Hemisync tone sequences, subliminal instructions, reverse-speech hidden messages, magnetic signals, infrasonics, ultrasonics (like Hitler) are all part of the total panoply. And throw away your Synchro-Energizer: the CIA programs mind-machine circuitry to create zombie automatons. In- fact, the entire candybrain New Age movement, invented by LSD-monger Willis Harman under directions from the British Tavistock Institute in London, is a massive MI6-controlled deception operation designed to hypnotize millions and convert them into slaves to the New World Order. Gurus are operatives duped by hypnosis and taught occult magic tricks by the Illuminati who formed the Thule Society which programmed Hitler and the Nazi Star Wars Dr.Stranglelove Wernher von Braun and psychofascist Werner Erhard and Oscar Ichazo. Incidentally, Oscar's daddy was Brazil's war minister and Oscar used Arica mind-control techniques to convert Esalen into a New World Order training camp, working with Willis Harman of the notorious Stanford Research Institute (which runs the Internet). Chief propagandist for the Aquarian Conspiracy, he proclaimed in Global Mind Change that "the only way for the U.S. to regain moral leadership" was to focus on the Illuminati-designed Great Seal (on all U.S. paper money). By these signs shall ye know them: the Orb and Compass, the Eye and Pyramid. Have you figured it out yet? OK, let me spell it out for all you pathetic autists: They know exactly which ELF frequencies, waveforms, and code sequences (brainwave-frequency region pulse-code modulation superimposed widely on power lines, radio, TV, and microwave transmissions) to use and can create any emotion or pathology they please. You don't. And you probably down own a real ELF detector! You poor bleating sheep don't even know they're ALREADY using ELF generators in malls, restaurants, and bars to maximize throughput and revenues - even magnetizing fans in air conditioners and refrigerators to create pulsed ELF waves to zap you. It will all be duly captured by Hillary's SmartCard which will store your brainwaves and monitor all transactions everywhere you go, so the Thought Police can download it any old time via the data superhighway and issue the ultimate ACCESS DENIED. By the way, you can't escape ELF - there's no way to shield low-frequency magnetic waves - but I'll reveal secret techniques for defending yourself in the next MONDO... unless they get to me first. - Xandor Korzybski w w w . n e t t w e r k e d . n e t _-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-_ - i have a problem and im scared to ask for help - A model of the brain in eight circuits according to Robert Anton Wilson and Timothy Leary THE EIGHT CIRCUITS: 1. Bio-Survival 2. Enotional-Territorial 3. Laryngeal-Manual 4. Socio-Sexual 5. Neurosomatic 6. Neuro-Electric 7. Neurogenetic 8. Neuro-Atomic BIO-SURVIVAL (Autonomic) (physical Intelligence) Level of Reality: Invertebrate Drug Trigger: Opiates Function: Mother-Child bonding Circuit #:384 Gurdjieff Center: Movement Center Life form: Uni-cellular Dimension: forward-back Description: "baby-brain"; fight-or-flight [Instincts:] Passivity, safety, nourishment Medium: the organism (Bios) Some humans never become aware of any level of reality beyond this one. There is no reason to call them human. EMOTIONAL-TERRITORIAL (Power) (emotional intelligence) Level of Reality: mammalian Drug Trigger: alcohol Function: fighting, politics, pack-forming Circuit#:192 Gurdjieff Center: False Emotional Life form: vertebrates Dimension: right-left Description: "toddler brain"; rule-or-be-ruled [Bias:] self-expression, status, power Medium: belief systems (memes) Some humans (ideologues and fanatics) see this as the supreme level of reality. It is the most attained by most politicians and military leaders. LARYNGEAL-MANUAL (Semantic, Dextero-Symbolic) (conceptual intelligence) Level of Reality: paleolithic Drug Trigger: cocaine Function: learning, skill, creativity Circuit#: 96 Gurdjieff Center: False Intellectual Life Form: hominids Dimension: up-down Description: "ego status"; tool-making, problem-solving [Worldview:] paying attention, mapmaking, naming, articulation Medium: conceptual frameworks (paradigms, metamemes) This is the level of reality at which most academics and intellectuals operate. Reality consists of nails; we must find the right hammers. SOCIO-SEXUAL (Domestic) (social intelligence) Level of Reality: civilized Drug Trigger: norepinephrine Function: hive-unity, society, parenting Circuit#: 48 Gudjieff Center: False Personality Life Form: Humankind Dimension: past-future Description: "social self"; transmission of culture [Ethos:] adolescence/individuation; adulthood/maturation; collectivization/socialization Medium: code of ethics (ethos) Attained eight thousand years ago, this level of reality ("culture") may be the one at which humanity is stuck, unaware anything lies beyond... ------------------------------------------------------------------------ WARNING: Here lies the CHAPEL PERILOUS. Beyond here you may have to SMI2LE. Because if you do not escape the gravity well of the planet, use your HEAD, and extend your life, you may not be able to activate the higher four circuits. ------------------------------------------------------------------------ NEUROSOMATIC (Hedonic) (Sensory intelligence) Level of Reality: hedonic Drug Trigger: marijuana Function: hedonic engineering: Tantra, Yoga, etc. Circuit#: 24 Gurdjieff Center: Magnetic center Life Form: Free-fall (cosmic migration) Dimension: Linear-cyclic Description: "free floating"; the turn-on [Pleasures:] Rapture, ritual, charisma Medium: the five senses Aesthetes, epicureans, space travellers, and libertines discover the awakened possibilites of the higher circuits - but then often forget that such pleasures are a means, and not an end. NEURO-ELECTRIC (Metaprogramming, Psychotronic) (Psychic Intelligence) Level of Reality: Psionic Drug Trigger: peyote Function: neurologic: precognition, ESP Circuit#: 12 Gurdjieff Center: True Emotional Life Form: I squared (intelligence exponentiated) Dimension: here-there Description: "metaprogramming"; awareness of possibilities [Perspectives:] clairvoyance, reality selection, precognition Medium: CNS (central nervous system) People attaining this level of reality may become aware of the contingency of their particular reality-tunnels; but may not see the way OUT. Knowing that reality is a Glass Bead Game, they may lose their vision in the sparkle of the beads. NEUROGENETIC (Evolutionary) (Mythic intelligence) Level of Reality: Immortal Drug Trigger: LSD Function: DNA awareness, ecological symbiosis Circuit#: 6 Gurdjieff Center: True Intellectual Life Form: Immortality Dimension: life-death Description: "collective unconscious"; species-memory [Collective unconscious:] synchronicity, alchemy, astrology Medium: DNA & Gaia (the Planet) At this level, one becomes aware of Intelligences besides their own. Such Intelligences may be Higher or Lower; but they are certain to be Alien. Synchronicity begins to overcome the Law of Accident. Planetary noosphere becomes visible. NEURO-ATOMIC (Metaphysiological) (Spiritual intelligence) Level of Reality: Cosmic Drug Trigger: Katamine Function: cosmic engineering Circuit#: 3 Gurdjieff Center: The Essence Life Form: Cosmic union Dimension: microcosm-macrocosm Description: "extraterrestrial unconscious"; cosmic mind [Being:] Paradox, dreaming, factor 'X' Medium: subatomic mysteries (quantum reality) This is the level of the Bodhisattva and the Taoist Immortal, and of it, only they can speak. It is said by Antero Alli that this system provides the basis for Angel Tech. The left hemisphere is tech and the right hemisphere is the Holy Guardian Angel. Under such a system, each circuit is also a grade, and the goal of each student is to have Absorbed, Organized, and Communicated each grade. This is why Schools exist. Seeker1 _-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-_ - ð cyb0rg_asm/#hackcanada sings "his name is cloney -- cloney -- cloney -- faster than lightning... no one you seeeee... is swifter than heeeeeeee..." - * 1-877-888-99XX Scan * by: Magma * Started: 12/12/00 * Completed: 12/12/00 1.877.888.9901 - not in service 1.877.888.9902 - not in service 1.877.888.9903 - Drops, then busy 1.877.888.9904 - not in service 1.877.888.9905 - Imagine Venture. 1.877.888.9906 - Eric's Answering machine. 1.877.888.9907 - not in service 1.877.888.9908 - Tone, Break, Tone 1.877.888.9909 - not in service 1.877.888.9910 - Some Sleepy Guy 1.877.888.9911 - Home Office something. 1.877.888.9912 - Another sleepy person. 1.877.888.9913 - Foster Associates 1.877.888.9914 - "We're sorry, the number have dailed is not in service, SCT14" 1.877.888.9915 - Busy 1.877.888.9916 - "Your call did not go thru" 1.877.888.9917 - not in service 1.877.888.9918 - SEK Electric - you may send them a fax, they told me too. 1.877.888.9919 - "we're sorry, the toll free number you have dialed is not available from your calling area." 1.877.888.9920 - not in service 1.877.888.9921 - not in service 1.877.888.9922 - not in service 1.877.888.9923 - "Enter telephone number or numeric message" 1.877.888.9924 - not in service 1.877.888.9925 - not in service 1.877.888.9926 - not in service 1.877.888.9927 - not in service 1.877.888.9928 - not in service 1.877.888.9929 - not in service 1.877.888.9930 - not in service 1.877.888.9931 - "Please Enter your authorization code now" 1.877.888.9932 - not in service 1.877.888.9933 - not in service 1.877.888.9934 - United Parcel Service 1.877.888.9935 - Busy 1.877.888.9936 - not in service 1.877.888.9937 - not io service 1.877.888.9938 - not in service 1.877.888.9939 - not in service 1.877.888.9940 - not in service 1.877.888.9941 - not in service **1.877.888.9942 - GTE Airphone (talk to ppl on an airplane) **1.877.888.9943 - GTE Airphone (talk to ppl on an airplane) **1.877.888.9944 - GTE Airphone (talk to ppl on an airplane) **1.877.888.9945 - GTE Airphone (talk to ppl on an airplane) **1.877.888.9946 - GTE Airphone (talk to ppl on an airplane) **1.877.888.9947 - GTE Airphone (talk to ppl on an airplane) **1.877.888.9948 - GTE Airphone (talk to ppl on an airplane) **1.877.888.9949 - GTE Airphone (talk to ppl on an airplane) **1.877.888.9950 - GTE Airphone (talk to ppl on an airplane) **1.877.888.9951 - GTE Airphone (talk to ppl on an airplane) 1.877.888.9952 - not in service 1.877.888.9953 - "Your call cannot be completed as dialed" 1.877.888.9954 - not in service 1.877.888.9955 - not in service 1.877.888.9956 - Some woman with a high voice. 1.877.888.9957 - not in service 1.877.888.9958 - "Your call cannot be completed as dialled" 1.877.888.9959 - not in service 1.877.888.9960 - Busy 1.877.888.9961 - Busy 1.877.888.9962 - "Your call cannot be completed as dialed" 1.877.888.9963 - Busy 1.877.888.9964 - "Your call cannot be completed as dialed" 1.877.888.9965 - not in service 1.877.888.9966 - not in service 1.877.888.9967 - 47-k 1.877.888.9968 - not in service 1.877.888.9969 - Personal 800 number, again 1.877.888.9970 - Silent line 1.877.888.9971 - Silent line 1.877.888.9972 - not in service 1.877.888.9973 - not in service 1.877.888.9974 - not in service 1.877.888.9975 - not in service 1.877.888.9976 - not in service 1.877.888.9977 - "Your call cannot be completed as dialed" 1.877.888.9978 - Tone, Break, Tone 1.877.888.9979 - not in service 1.877.888.9980 - Busy 1.877.888.9981 - not in service 1.877.888.9982 - UA Trucking 1.877.888.9983 - Get in touch with Georgio via two way wireless Help@pc-911.net 1.877.888.9984 - No Answer 1.877.888.9985 - Answering Machine 1.877.888.9986 - Flight Dept. 1.877.888.9987 - not in service 1.877.888.9988 - not in service 1.877.888.9989 - Fax Machine 1.877.888.9990 - not in service 1.877.888.9991 - not in service 1.877.888.9992 - No Answer 1.877.888.9993 - not in service 1.877.888.9994 - not in service 1.877.888.9995 - Some transport company 1.877.888.9996 - "Employment, this is Crista" 1.877.888.9997 - No Answer 1.877.888.9998 - Another personal 800 number 1.877.888.9999 - TalkLine. ** - Number to take note of. _-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-_ - neon you are a girl? - 'Numbers' By: Untoward This tiny room with a feeling of dark and lost and a tiny light lighting and a tiny computer humming and i just want to be back beneath the covers and of course i want everything right now, and i can see that the oxygen masks aren't working, it's like a placebo... you only think you're breathing you only need to think you're breathing. you don't need to breathe to live. you don't need to live to breathe. slow down, slow down I don't want to be figuring out nested brackets, I don't want these interpolations to deal with and I can see how your car door isn' really closed and i can see the waves building up behind you, they don't come from anywhere = they just wash over you and they try to take you back, back to nowhere. slow down, back to nowhere I don't want it here, in me i want it there in me in me I can't spark, but i'm sparking the same way as this machine i just like telling stories that's the only difference the machine can't tell stories of it's own but the machine knows me better than I know myself I can lie, but I try not to, I can add but I stay away from math Numbers just wash over you, take you back to nowhere. _-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-_ Keywords: ESN, MIN, Cellular, PCS, Telus, Clearnet, flaw, exploit, hijack, DoS, fraud, security Synopsis: A flaw in the ESN/MIN tracking creates opportunities for hijacking and denial of service attacks. Overview: Since Time Immemorial, customers of telcos have made determined efforts to improve their cost-to-service ratio, through means such as switching carriers, upgrading equipment, and possibly attacking the network itself. To protect their "commitment to shareholder value", (translation: too cheap to give you vaseline before the shafting) the telcos have implemented various security systems to prevent or at least minimize the effects of toll fraud. Cellular systems are prime targets for fraudulent use, since a given Mobile Terminal can be quite difficult to locate once deployed, and when used to commit fraud, the guilty party can be very difficult to locate. Since cellular and PCS/GSM MTs necessarily broadcast their credentials, a window of opportunity is created. It is my cynical guess that about 15 minutes after the first cell phone was demonstrated, the first ESN/MIN snarfer was designed, and 15 minutes after the first cell phone was purchased, the first cloned cell phones were available. With the current price of airtime, there's not much of a reason to doubt the lack of incentive to send your cell bill to someone else every month. Of course, Ma Bell hates it when we say "Suck it down, bitch!" so she's cleverly come up with ways to suck on her own terms. Being Ma Bell though, she's a history of making mistakes, and we have no reason that today's the day she gets a clue. Today's problem lies with the notion that a system that will "fail safe" ... well, will, at some point, fail. And anything that can fail, can at least become some kind of denial of service attack. The interesting part about this attack is the fact that it's a remote attack and that there are possibilities for unauthorized intercepts, even on supposedly secure digital networks. "A remote denial of service and a remote intercept," you say? "Gosh, I'd hate for that to happen to me." Yes, this isn't a nice thing to do. You probably don't want to reproduce this attack at all, nevermind while out in front of the local telco's building, lest they become sufficiently peeved and get the notion of shoving your phone up your ass, sideways. Reference: We shall consider this attack from two perspectives: what the MSSC thinks, and also from the perspective of an IP/MAC conflict. In order to prevent fraudulent use, the MSSC (Mobile Services Switching Center) keeps a record (as entered by the operator) of what MIN is assigned to a given ESN and in what cell a given mobile terminal is found. This is also necessary to allow features such as automatic call delivery (the fact that your phone rings when you call it). Obviously this database is a prime target for all sorts of attacks, and the designers of cellular telephony infrastructure, as well as the carriers who deploy it have chosen a failsafe model of operation. Granted, "safe" is is define by the implementors of a system, and as such failsafe may not be operational at all, but rather a known-stable configuration under adverse circumstances. Contrast this behaviour with the more permissive actions of ARP and IP whereby most IP stacks will accept hostile ARP broadcasts. When a phone powers up and registers its presence on the network, part of that login sequence is the MIN (known as MSISDN to GSM fans). This is similar to an xterm making a bootp request to get its IP address based on its hardware address. After the bootp exchange, most of the hosts on the network now have a valid mapping between IP and MAC address. If another host claims to have the same IP address, many IP stacks will issue a warning about an address conflict ("ARP info for A.B.D.C overwritten by c:0:f:f:e:e") but will continue to accept packets from these conflicting hosts. This allows both hosts to continue communicating, albeit incredibly slowly. Cellular switching systems respond to this threat by delivering paging information to only one terminal at a time. It seems that the only time the switch system will accept a new ESN/MIN pair is when a handset enters a service area. It also seems that switch systems do not like it when a given ESN changes its MIN on the fly without direction from an operator's console (read: this sets off loud alarms and you should get ready to run from the hounds of hell.) It seems a reasonable thing to do, on the assumption that a Revenue Unit (shafted customer) will only be on one physical handset at a time. At this point the network knows that it is to send messages for "A.B.C.D" to ESN c:0:f:f:e:e, and it obligingly does so. Once a page gets sent to the attacking handset, it might need to reply. It is this reply that will actually trigger the DoS, since this is what notifies the switch that the address has changed. And it is this change that causes the fraud detection code to trigger and disable outgoing calls from the attacking handset. This does nothing for the victim who is now unable to receive calls since his MIN is now registerered to someone else's ESN. Exploit: There are two ways to make this attack work. One takes a little bit of big-blue-room detective work, the other takes some luck. The end result is the same though; the victim's phone does not receive any incoming calls, SMS notices or system broadcasts, even though it is able to make calls. As an added bonus, there's a better than even chance that this particular attack session will cause the victim's messages to be sent to the attacker's handset. This can add quite a bit of confusion for the victim who "knows" everything is OK because he can make calls. He finds it odd though that he hasn't got a single text message or phone call or voicemail alert for days. And no telco I know of makes any guarantees about the performance of their network. Furthermore, it's not likely to be a really huge issue meaning that it will be a long time before an analyst ever gets around to checking the problem out. You will need, for each victim either the handset they previously had activated on that account, or a handset which uses the same radio interface (CDMA, TDMA, GSM) and has a modifiable MIN. 1) Wait for the victim to power up his phone and log on to the network. It's probably a safe bet to assume that the phone is on and vulnerable. Why would someone have a cell phone if they weren't going to use it? 2) Ensure that the attacking phone has the same MIN as the victim phone. You can do this by going trashing (to find a slip of paper with the MIN and ESN on it), by buying the victim's old cell phone with that MIN (not really wise; people will ask questions) or by programming the same MIN into another handset enabled on the victim's network. This is best done while out of coverage areas (ie. subway stations or parkades) 3) Turn on the attacking phone, and wait for a digital signal to be acquired. Make sure you have a relatively strong signal - the victim and attacker phones will be getting into a virtual shouting match, and it is important that the attacking phone wins. 4) dial *228 or *2280? (where ?=[0-9]). *228 spells '*ACT' which is, of course a call to activate the phone. Clearnet and Telus don't support this feature; trying this from a deactivated phone will get you a fast busy, other phones will give you a message saying that you should call customer service to have your phone activated. 5) leave the phone on for as long as you want the attack to continue. I have seen this attack persist over eight hours, and several reboots of the victim phone. Once the attacker goes away, either another reboot of the victim phone is needed or a delay of at least $LocUpdate. $LocUpdate is a network parameter which controls how often a phone rebroadcasts its presence on the network. You now have a phone that is capable of intercepting messages bound for your victim's handset. Enjoy! Personally, I don't recommend doing this much if at all. It sucks when your phone goes out of service, and you also break a number of laws regarding telecommunications security, and risk stiff penalties. Consider yourself warned. root@opentelco.net 11.30.00 _-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-_ - ma mhre dit que je mange trop de barres de chocolat - Millennium Payphone - Power Out Exploit V2.0 - By PsychoSpy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ What's new in V2.0.... Added a section on how to turn the power out without cutting lines. This was one of the most common questions people have had after I originally wrote this file. Intro/Story.... Recently while carousing the halls at my local educational facility, I noticed that the LCD Displays on the phone had gone completely blank. I couldn't believe my eyes! The power on the phones had gone out! Can we say damn lucky?!? I then walked up to the phone and picked it up, as I put my ear to the slightly chilly earpeice, I heard the distinct noise of the dial tone. You may say "Well hey! What else do you expect to hear when you pick up the phone?!? You forgot something you psycho! The Millennium dial tones are all pre-recorded." Well, that's right, the dial tones ARE pre-recorded, however, with the power out, the recorded dial tone isn't played due to lack of power. In fact, you can hear the physical switch inside the Millennium switch over. This my friend is a REAL DIAL TONE!! WOOO!! I then proceeded to try to dial a well known number (Clones pager). The damn payphone wouldn't let me though. It turns out that when the power goes out, the payphone initializes a failsafe mode which dissables the dialing of ANY numbers on the key-pad until the 1 and 8 have been pressed first. This is meant to make it so that you cannot dial any numbers other than 800, which you could do when the power was on anyways. Onto the exploits.... First what you have to do is either cut the power to the Millennium, or find one with the power out. The first option is the most likely of the two. It was out of pure luck that I found the payphones with the power out. Just be VERY VERY careful when snipping the power. Make sure you've got rubber gloves, the wire cutters have rubber handles etc. If you fry yourself because of this, IT'S YOUR OWN DAMN FAULT!! DON'T COME CRYING TO ME!! Now for the real exploit stuff.... The numbers are only dissabled on the physical key-pad. This means that we can pull out our trusty tone dialer, and dial away any number we please. I actually didn't have a tone dialer with me, so I used a mini-audio recorder. To use the audio recorder, you just dial 18 and then press record, and dial the rest of the numbers with the mic up to the ear piece. Then, hang-up, and play the tones back into the phone. NOTE: The tones must be played as fast as possible. This is due to the dial-tone going dead in around 10 to 15 seconds. The second exploit is based on the line seizing exploit on the Protel's which The Clone found awhile back. With the power out, the Millennium no longer protects against this attack. This means that you can dial a 800 number that will drop you to a dial-tone, and will be able to use it. You can also try phoning up the operator and pissing her off so much that she hangs up, therefor giving you an unlimited dial-tone once again. Once you get this dial-tone, you can dial any number your little heart desires. How exactly do I turn the power off without cutting lines?.... This was the most common question after originally writing this file. I found the answer to this from Kybo_Ren and I would like to thank him for it. Here's the solution for the phones on pedestals and in booths. Walk up to the phone. See that nice little Bell sign at the top? The one that lights up at night? Pry that off. Behind that there is a little breaker switch. Flip the switch and voila, the power is out, and you can carry out this exploit. Outro/Shouts/To Come.... Well, that's it kiddies! Have fun! This is only the FIRST of MANY files to come in the near future on the Millennium Pay- phones which have spread across Canada like a technological plague. Kinda interesting new frontier of phones though. The Telcos are actually getting somewhat smarter. Who'd of ever thought?!!? Shouts out to The Clone, Cyb0rg/asm, Semtex, Kybo_Ren, and Niteshade. -- PsychoSpy psychospy@hushmail.com ICQ#: 5057653 11/05/00 Updated: 11/21/00 _-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-_ - i think i need a girlfriend or you clone - 'Millennium Desktop Payphone; A How-to Guide on Circuit Frying' -[Date: 12/01/00]- -[Handle: The Clone]- -[Type: Millennium Desktop Article]- -[EMAIL: theclone@hackcanada.com]- -[URL: http://www.nettwerked.net]- Introduction; This paper is a progressive follow-up to the recent Millennium file ('Millennium Payphone - Power Out Exploit V2.0') by my associate PsychoSpy which exposed some major flaws in the so-called "secure payphone". The reason why the Millennium has been thought of as secure is because it has been relatively successful in stopping phreakers who attempt to use older well known payphone vulnerabilities against it. In order for phreakers to keep steps ahead of telecom carriers they must be willing to learn the architecture, use their creativity in a constructive manner, inspire and become inspired by those who posess similar interests. This guide is here for like-minded audiences to learn about the latest of many Millennium "sploit's" to come. Although I don't consider this file a true exploit guide, keeping this potentially damaging (for Nortel and LECs) information from the public would more or less make me an STO advocate. Information wants to be free... so as a provider of open Enterprise and Carrier-class telecommunications security solutions, with great honor I present to you (more or less) my guide to frying Millennium Desktop Circuits. - What do Millennium Desktop Payphones look like? ----------------------------------------------- The Millennium Desktop's are easy enough to spot *IF* you know what to look for. You'll never be confused between a 'Universal', 'Card Phone', and 'Desktop' again if you look for these distinguishing physical traits: * Desktop's look similar to the Nortel Vista 3000 phone (used for small business and residential land-line customers) * Desktop's have an RJ-11 data jack on the side of it so that users can plug their laptop's into it. Where are Millennium Desktop Payphones present? ----------------------------------------------- * Airports * Hotel Lobbies * Convention Centers and other locations where business travelers require access to a device with an RJ-11 data jack, which is a powerful option that lets them connect their laptop computer and access network services (such as electronic mail, the Internet, or information services.) Tools needed to exert angst on NorHell Desktops ----------------------------------------------- * 1 Screwdriver - every phreakers tool for surgical procedures * 1 Camera - for taking pictures of the random acts of 'fone-terrorism' that you can show your girlfriend, boyfriend, children, or defense lawyer. * A desire to commit a criminal act The Procedure, Step-By-Step --------------------------- Step 1 - Find the target Millennium Desktop, and be sure to check around for nearby authoritative figures and security cameras. Step 2 - Sit in front of the Millennium Desktop, and look for a little 4cm by 7cm metal panel underneath the phone. Step 3 - Using your screwdriver you should be able to, with ease, pop it off. Step 4 - At this point you'll see the circuit board with various leads. Now with your screwdriver in hand, begin to touch it to the leads on the circuit board. Also, try touching an IC555 lead to a resistor lead. Step 5 - If you followed Step 4 properly the circuit board should be shorted out. Approximately 5-10 seconds later (if not earlier) the phone will set off its internal alarm that plays at half-second intervals... "beedley-boop-beedley-boop". Step 6 - Now you can either leave the premises immediately (recommended), or you can be a real phone-ninja and attempt to shut the alarm up. To shut off the alarm what you'll have to do is look for a wire-mesh cord that is covering the phone line, pull it as hard as you can (because it's anchored to the wall), and within 5 hard tugs the cord will break and the alarm will shut off. Step 7 - Leave the premises. Closing Words ------------- Now that you've read this, I advise that you use extreme caution when performing RAFT (Random Acts of Fone Terrorism). RAFT can get you arrested, kicked out of school. No colleges will take you, No future! Exiled from everything and everyone you love! A Nettwerked/CPU Production _-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-_ - whatever... i can be bought i don't come cheap but i'm a pretty good investment. - ======================= OCR #2: NORTEL NORSTAR; MICS-XC Norstar-Companion System Coordinator Guide ======================= By: The Clone Date: December 15, 2000 EMAIL: theclone@hackcanada.com URL: http://www.nettwerked.net --- _________________ Table of Contents -Norstar Companion basics 1- New features in Norstar Companion 2 Hunt Groups 2 Wireless call pickup features 3 Wireless Portable Language Selection 3 Wireless Call Forward No Answer enhancement 3 Wireless Twinning enhancement 4 -Programming 5- Programming tools 5 A Norstar telephone 5 The programming overlay 6 The Norstar display buttons 7 Special characters on the display 7 The Norstar Programming Record 8 Exiting programming 8 The update display 8 Entering numbers 8 Programming headings 9 Registration password 10 Changing the Registration password 11 Companion programming 12 Registration 12 Radio data 14 Registering individual portables 17 -System programming 19- Twinning between Companion portables and Norstar wireline telephones 20 Using Answer DNs 20 Using target lines 21 -Using your portable telephone 23- Using Norstar features 24 Using new features 27 Directed Call Pickup 27 Group Pickup 28 Wireless Portable Language Selection 28 Wireless Call Forward No Answer enhancement 29 Supporting additional features for Companion portables 29 -Troubleshooting 31- -Glossary 33- -Index 39- _______________________ Norstar Companion basics - Your Companion portable telephone allows you toleave your desk without missing important telephone calls. You can carry it with you to make and receive calls on the Norstar system. The portable telephones can access most Norstar business features such as call forward, call transfer, conferencing, and voice mail. Companion on Norstar consists of four main components: ICS and Norstar XC software - Modular ICS XC software manages the telephone traffic between Companion Base Stations and portable telephones. Base Stations are connected to the ICS in the sameway that Norstar sets are. Companion portable telephones are registered on the system and do not take up any ports on the system. Up to 60 portable telephone and up to 32 Base Stations (32 cells) can be connected to the system. Companion Base Stations - Base Stations are positioned throughout the coverage area to send and receive calls between the portable telephones and the ICS. The Base Stations use advanced digital radio technology and support handoff and roaming within the coverage area which can be up to 160,000 square meters (three million square feet) when using the maximum number of Base Stations. Companion portable telephones - The portable telephones used with Companion are small, lightweight units with fully digital performance to provide clear voice quality. Companion portable telephones feature a two line, 16-character, alphanumeric display. For more information on portable used with your MICS XC system, refer to the Companion Portable Telephone User Guide that is supplied with it. Administration and Maintenance Tools - Programming of the Companion system is easily and quickly done through a M7310 or M7324 digital telephone set. You can assign portable telephones to the system, check Base Station para- meters, and enable and disable registration through programming. Companion Diagnostic Software allows you to run diagnostics on the wireless system. This can be done either locally or remotely using a personal computer (PC). New features in Norstar Companion - Norstar introduces Hunt Groups capability plus two new features including two wireless call pickup features, Directed Call Pickup and Group Pickup, and wireless Portable Language Selection. Enhancements have been made to wireless Call Forward No Answer and wireless Twinning. For a complete list of other features supported on Companion portables refer to "System programming" on page 19. Hunt Groups Your Norstar system now allows you to establish Hunt Groups in your system. Hunt Groups are a group of Norstar sets that can be called by a single direc- tory number. The Hunt Groups feature ensures calls are easily routed to the appropriate people. For more information about which features are affected by Hunt Groups see "System programming" on page 19. For information on how to program Hunt Groups see the Modular ICS System Coordinator Guide. Wireless call pickup features - The wireless call pickup features allow portable handset users to use a feature to use a feature code to answer internal or external calls which are ringing at other sets. Two types of wireless call pickup are supported: Direct Call Pickup Directed Call Pickup allows you to answer any telephone that is ringing in your Norstar system by entering a feature code and specifying that set's DN. For more information see "Directed Call Pickup" on page 27. Group Pickup Group Pickup allows the portable user to answer a call ringing on another set in the same pickup group by entering a feature code. For more information see "Group Pickup" on page 28. Wireless Portable Language Selection - This feature allows you to change the language of the prompts controlled by the ICS as they appear on the portable's display, including both the display prompts and voice prompts from voice mail. Norstar supports English, French and Spanish. For more information see "Wireless Portable Language Selection" on page 28. Wireless Call Forward No Answer enhancement - This enhancement stops the Companion portable from ringing when the call has been forwarded to its new destination. The portable user can still answer the call, but it does not ring. For more information see "Wireless Call Forward No Answer enhancement" on page 29. Wireless Twinning enhancement - Wireless twinning is improved now that up to eight Answer Keys can be assigned to each portable telephone. In addition, more types of calls can be received on the Answer Keys, depending on their programming. For more information see "Twinning between Companion portables and Norstar wireline telephones" on page 20. PROGRAMMING - Tip - With the addition of Hunt Groups some features may be affected. See "Features supported by Companion for Norstar" on page 25. For information on how to program Hunt Groups refer to Modular ICS System Coordinator Guide. For general programming intructions, please refer to the "Getting Started" section in the Modular ICS System Coordinator Guide. [Useless Diagram Omitted] PROGRAMMING TOOLS - A Norstar telephone Programming is done at an M7310 or M7324 telephone. Use the buttons on the telephone to program a setting or to request a specific programming action. Norstar guides you with step-by-step instructions on the telephone display while you are programming. [Useless Diagram Omitted] The indicators ( > ) on the M7310 or M7324 telephone show which buttons can be used at that programming step. The functions on these buttons allow you to move through the headings and subheadings of Norstar programming. [ Heading ] moves to a higher level in the hierarchy of headings and subheadings. [ Show ] moves to a lower level in the hierarchy of headings and subheadings, or begins programming for a heading or subheading. [ Next ] moves forward at the same level in the hierarchy of headings and subheadings. [ Back ] moves backward at the same level in the hierarchy of headings and subheadings. The Norstar display buttons - Display buttons on the M7310 and M7324 telephones perform many functions. One, two, or three display buttons may be available at any one time depending on where you are in programming. Press one of the display buttons to select the function that you want. [Useless Diagram Omitted] Special characters on the display - When a triangle ( > ) is at the end of a programming heading or subheading, it means you can press [ Show ] to see settings. When an ellipsis (...) is at the end of a heading or subheading, is means you can press [ Show ] to see the setting for that heading. The Norstar Programming Record - The Programming Record provides a convenient way to record what you have programmed. It also helps you to plan your programming. You may photocopy pages from the record as necessary for programming many telephones or lines. Exiting programming - Norstar stores your changes automatically as soon as you alter any settings; you do not need to "save" your changes. Press [ Rls ]. The display briefly reads 'End of session'. The update display - If any of the changes you have made to programming have not immediately taken effect, you see an UPDATE display button when you leave programming. The display shows you how many telephones have no been currently updated due to the system being busy with other programming or the telephone is in use. Press DNs to see the specific sets where programming changes have no been updated. Items disappear from the list as they are updated, and UPDATE disappears once all changes are complete. Entering numbers - Enter numbers from the Norstar telephone dial pad. The backspace display button may be used to edit the number. A line number must always be entered as a three-digit number. Line numbers from 10 to 99 must be entered with a leading zero (line 020, or example). Similarly, line numbers less than 10 must be entered with two leading zeros (line 002, for example). Internal telephone numbers, also reffered to as directory numbers (DNs), can be three to seven digits long. The DN length can be changed in programming. [Useless Diagram Omitted] Programming headings Programming specific to Norstar Companion System Coordinators is covered in this guide. Refer to Modular ICS System Coordinator Guide for all other System Coordinator programming. After pressing [ Feature ] * * C O N F I G and entering the password (the default password is A D M I N or 2 3 6 4 6), you see the following programming headings. Terminal&Sets Terminals and sets - Customize the many features used by telephones. You can change where a call is forwarded, give a telephone a name, or allow certain features to be used at a telephone. You can also change the button programming on any telephone on the system. Lines Lines - Program names for each line. Services Services - Turn services on or off. Services include Ringing service (often called night service) that allows additional telephones to ring, Restriction service that blocks certain kinds of calls and Routing Service that decides what lines a call uses. Sys speed dial System speed dial - Program up to 70 different telephone numbers so that people in your office can dial them with a two-digit code. Passwords Passwords - Change the password you use for programming, or erase a Call log password. On a XC system, you can also change the password for Companion portable telephone registration. Time&Date Time and date - Change the time, date, or both. System PrGrming System programming - On a XC system, you can enable or disable registration for Companion portable telephones. Registration Password - The portable telephones must be registered with the Norstar system before they can be used. The recommended steps are as follows: 1. Change the registration password for your system. 2. Enable registration for the system. 3. Confirm the availability of directory numbers (DNs) for each Companion portable telephone. 4. Individually register each Companion portable telephone. 5. Disable registration for the system. Changing the Registration password - To ensure unauthorized portables are not registered to your system, a separate level of password access is provided. You can, and should, set your own password to prevent unauthorized handsets from registering on your system. You can change the Registration password under the Passwords heading in programming. _____________________________________________________________________ WARNING: Change password to avoid incorrect registration. To ensure accurate registration, change the Registration password before registering any portables. If there is another wireless system in radio range, and both systems have the same Registration password and registration enabled, you may accidentally register on the other system instead of your own. ______________________________________________________________________ The default Registration password is RADIO ( 7 2 3 4 6 ). Use CHANGE, the dial pad and OK to program the Registration password. Record the password in the Programming Record. Tip - You can choose any combination of one to six digits. It is easier to remember the password if the digits spell a word. Provide this password only to selected personnel to prevent unauthorized access to programming. The implications of such access may include the rearrangement of line assignments, which could affect the operation of the Norstar system. Companion programming - Perform Companion programming in System programming. Registration _________________________________________________________________________ WARNING - Software Keys are required to activate wireless capabilities (U.S. only) To take advantage of the wireless capabilities available to your Norstar sytem, you must first enable a certain number of portable credits using Software Keys purchased through Northern Telecom. Keys are obtained and entered into the system by the installer. For more detailed information on enabling Norstar Companion, see the Norstar-Companion MICS-XC Installer Guide. _________________________________________________________________________ You must enable registration for the entire Norstar system to allow regist- ation of individual portables. The options are Yes (Y) and No (N). Yes indicates that Registration is enabled. No is the default and indicates that Registration is not enabled. Use [ Show ] and CHANGE to enable or disable registration. ____________________________________________________________________ WARNING - Registration should normally be disabled. For security reasons, and to prevent unauthorized users from being registered to your system, set registration to N when you have finished registering the portables. ____________________________________________________________________ Portable DNs Once registration is enabled for your Norstar Companion system, a series of extension numbers (637 to 696) automatically becomes available for registration. Check that an extension number is available before register- ing a portable telephone to it. If the extension number shows a status of Available, it is ready for regis- tering a Companion portable telephone. If the extension number shows a status of Registered, a Companion portable telephone is already registered to that extension number. In this case, you can either pick a different extension number, or deregister the current port- able telephone. You must perform deregistration both at the portable and dur- ing either an Installer or System Coordinator programming session. Press [ Show ] to view registered and available DNs. Note: The DN range 637 to 696 can be used by either portable telephones or IDSN S loops. You can assign all 60 of the DNs to S loops and non to portable telephones. You can assign up to 30 DNs to portable telephones, leaving 30 for S loops. Within these two limits you can choose a combination of ISDN and portable telephone DNs. For more information, refer to Modular ICS Installer Guide. Deregistering a portable - Deregister an extension number when: * you must replace the portable due to loss or breakage * you want to assign the handset to someone with a different telephone number than the previous user. Press [ Show ] and DEREG to deregister a DN. Tip - This procedure does not clear the registration data in the portable. You must also deregister from the portable telephone ("on-the-air" deregistration). For intructions, see the Portable Telephone Registration Instructions that is supplied with the portable. Radio data - Re-evaluation - Re-evaluation automatically assigns Base Station radios to cells and determines which cells are neighbors. When adding or removing Base Stations, Re-evaluation must be applied to the system. Re-evaluation Status - Press [ Show ] to see the Re-evaluation status. If the display reads required, you can carry out the re-evaluation by pressing CONTINUE and following the prompts. Radios - Radio programming settings apply to Base Stations. Cell assignment - A cell is the area covered by one or more radios in close proximity. As you move around your office while on a call with your portable, the call is handed off from one cell to another. A call on a portable can be handed off from one cell to another only if those cells are programmed as neighbors. The Norstar system automatically assigns cell neighbors and re-evaluates the cell-to-cell configuration when Base Stations are added or removed. The cell assignment setting allows you to see if a Base Station radio is assigned to a cell in the Companion system. Press [ Show ] and enter the 5-digit radio number to see the setting: Assigned or Unassigned or select LIST to see all radios in sequence. Cells - Cell programming allows you to examine the cell radio, cell neighbor, and cell radio neighbor configurations. Choose the cell you want to examine by pressing [ Show ] and the cell number (01 to 32) or select LIST to see all in sequence. When in the list mode, there is a softkey that allows you to FIND a specific cell number. Then select [ Show ] to see all Cell radios, Cell neighbors and Cell radio neighbors. Cell radios - This subheading allows you to view the 5-digit number of any radios assi- gned to this cell. For example, if radio 07012 asgned. Press [ Show ] and enter the 5-digit radio number to view the setting: Assigned or Unassigned. Select LIST to see all in sequence. Select SCAN to go to the list or next radio with a setting "Assigned". Cell nghbrs - This subheading allows you to view the 2-digit number of any cells that border a particular cell in a system. Press [ Show ] and enter the cell number to see the settings: Assigned or Unassigned. Select LIST to see each neighbor in sequence. Select SCAN to see the first/next cell "Assi- gned." For example cell 01, the display shows Nghbr:03 and Nghbr:04. This means that cells 03 and 04 have been assigned as cell neighbors. Cell rad nghbrs - This subheading allows you to view the 2-digit number of any cells that border a particular cell in a system (the cell neighbors) plus any cells that border the cell neighbors. Press [ Show ] and enter the cell number to see the settings: Assigned or Unassigned. Select LIST to see each neig- bor in sequence. Select SCAN to see the first/next cell "Assigned". For example cell 01, the display shows Rad nghbr:03, Rad nghbr:04, and Rad nghbr:11. Cell 11 does not appear as a cell neighbor (see the example under Cell nghbr), therefore it must be a neighbor of a cell 03 or 04. Registering individual portables - You must do two things to register each portable with the Norstar system: * Register the portables by entering the Registration password on each one. * Verify that the portable operates properly. For instructions on registering and verifying each Norstar Companion port- able with the Norstar-PLUS Modular ICS system, refer to MICS-XC Norstar- Companion Installer Guide. For instructions on operating a Norstar Companion portable, see the Compan- ion Portable Telephone User Guide that is supplied with the portable. When you distribute the portables, tell the users that the portables are registered and give them the corresponding extension numbers. Tip - You can register a portable to more than one system. You cannot regi- ster a portable to more than one extension number per system. You cannot register more than one portable to one extension number. If a portable telephone is to be used in more than one Norstar or Companion system, its owner must know which registration slot number was used to reg- ister the portable telephone with each system. (It is preferable that each user have the system they used most often registered in slot 1.) If a portable telephone is lost or broken, deregister it from the system before replacing it with another portable telephone. System programming - Once the registration process is complete, portable telephone programming is much the same as it is for Norstar desk telephones. Some of the program- ming settings do not affect the operation of the portable. See your Modular ICS System Coordinator Guide for detailed instructions on how to program your Norstar system. The following table shows the recommended settings for your Norstar system: _--------------------------------------------------------_ | | | | | H E A D I N G | S E T T I N G | N o t e s | ---------------------------------------------------------- | Terminals&Sets | | | Capabilities | Fwd no answer | Fwd to: | | Fwd delay: | Fwd on busy | Y | | | DND on Busy | N | | | Handsfree | N | | | HF answerback | None | | | Pickup group | | A portable can be part of a pickup group and answer calls ringing at telephones in the same group when the user enters * 7 6 . | | Paging | Y | | | Page zone | 1 | | ___________________________________________________________ _--------------------------------------------------------_ | | | | | H E A D I N G | S E T T I N G | N o t e s | ---------------------------------------------------------- | D-Dial | Set 1 |A portable cann- | ot be a Direct- Dial telephone. It can use the Direct-Dial digit | Hotline | None | | | Priority call | Y |Requires special | configuration of hardware and pro- gramming. ____________________________________________________________ | Restrictions | | | Set restrictions | Set lock | Y |Does not apply to| portables. ____________________________________________________________ | Allow last no | Y |Does not apply to| portables. | Allow saved no | Y |Does not apply to| portables. | Allow link | Y |This can be set 2| to N for portbles ____________________________________________________________ Twinning between Companion portables and Norstar wireline telephones - Using Answer DNs - If you have both a wireline (desk) telephone and Companion portable telephone you can answer calls from either device by using Norstar's Answer DN feature. Any call that normally rings at your desk can also appear and ring at your portable if it is assigned the desk telephone DN as an Answer DN. This arrangement is called twinning. It is also possible to have calls to the portable appear on the desk telephone as an Answer DN. An Answer DN for a desk telephone and portable is programming exactly the same way as for two desk telephones. An installer or customer service representative programs Answer DNs. You can have up to eight Answer Keys assigned to your portable. The types of calls that your portable's Answer Keys receive are program- mable. See the Modular ICS System Coordinator Guide for more information. Tip - Hunt Group calls cannot be forwarded using the Call Forward features. Tip - An Answer DN is the recommended method for twinning a portable with a desk set. This ensures that all calls arriving at the desk telephone appear and ring at the portable. A twinned portable using An Answer DN does not ring for an incoming call if it is currently on another call. Norstar Voice Mail message waiting indication occurs on the twinned port- able only if it has been assigned a voice mail box. If your Norstar Voice Mail box has been assigned to your desk set, log on using the desk set DN when accessing the voice mail box from the twinned portable. For more detailed information on how to access Norstar Voice Mail using your Norstar Companion portable, refer to Portable Telephone Feature Card that is supplied with the portable telephone. Using taget lines - Wireline and wireless telephones can be twinned using target lines. The line for the desk telephone can be configured to appear on the portable, or the line for the portable can appear on the desk telephone. Incoming external calls ring at both. When you twin wireline and wireless telephones using line assignments, each telephone has its own internal DN. When someone wants to call you or forwards a call to you internally, they must choose between the desk telephone and the portable DN. The call appears and rings only at the internal DN that was dialed. Tip - A portable can have an Answer DN and share a line assignment with a desk telephone. Using your portable telephone You Companion portable telephone communicates with the Norstar system using radio waves. The radio tranceivers for the system are located in the Companion Base Stations installed around your office. Each Base Station contains two radio transceivers and can handle two portable telephone calls at once. Your portable telephone is truly portable. Not only can you start a telephone conversation anywhere in the office, you can continue that conversation while you walk through the building. As you move from one part of your office to another, you call is handed off from one Base Station to another. If you notice a decrease in voice quality while moving with a portable telephone, you are moving out of range of your system's Base Stations. There are three possible reasons for this: * The Base Stations that cover the area you are moving into may already be busy and therefore cannot pick up your call. * Large pieces of furniture or movable partitions may have been moved into a position that blocks the signal between you and the Base Station. * You may have moved out of the area covered by your Companion system. (Retrace your steps until you are back in range.) In rare instances, during a Norstar Voice Mail session, softkey display prompts on your portable may disappear. This is a normal condition and is minimized by staying within the Companion coverage area. While moving within a Companion coverage area, a slight "clipping" may be heard during a call. This indicates that your call has been "handed off" from one radio cell to the next. Problems with lost connections are rare, but if you notice an increase of such incidents after making large changes in the layout of your office, your Base Stations may need to be moved or reprogrammed to accommodate the new arrangement. In this case, contact your installer or customer service representative to change the Base Station configuration. (In the U.S. you need to obtain UTAM Inc. approval before making changes to the system config- uration.) Refer to MICS-XC Norstar-Companion Installer Guide for more infor- mation. Tip - If you try to send a message from a desk telephone to a portable tele- phone, the display of the desk telephone shows Can't send msg. Using Norstar features - It is possible to use many of the same Norstar features available to a Norstar telephone on your portable telephone. The table below lists which features are available for use on your portable telephone. For additional information on fe- atures and the special key sequences required to use them, refer to the feature card that is supplied with your portable telephone. Features supported by Companion for Norstar __________________________________________________ Features | Description __________________________________________________ Call Forward | Send calls to another telephone in your Norstar system. The display does not indicate that calls are being forwarded. Hunt Group calls override all Call Forward features. A Hunt Group DN can be a Call Forward destination. Call Information | Display the name or extension of an internal caller. Call Park | On your portable, park a call. Call Park Retrieval | On your portable, retrieve a parked call. Cancel Call Forward | Cancel the Call Forward feature, where calls are automatically sent to another telephone in your Norstar system. Conference | See your Portable Telephone Feature Card. Directed Call Pickup | Answer any telephone that is ringing in your Norstar system. Group Pickup | Answer a call ringing on another set in the same pickup group. Host System | Link and pause are available. See the Telephone Signaling Features section of the Modular ICS System Coordin- ator Guide for more information. Line Pool | On your portable, use line pools the same way a desk telephone does. Mute | Prevent the person you are on the portable telephone with from hearing you. Also, you can mute a portable's ringing from an incoming call. Page | On your portable, page an individual telephone, several telephones, external speakers, or the entire system. A Hunt Group DN cannot be in a page zone. Pause | Program in an external autodial sequence to insert a 1.5 second delay. Prime Line | On your portable, may be either an Intercom Line, an Assigned Line or a Line Pool. Priority call | See "Supporting additional features for Companion portables" on page 29. Hunt Groups reject priority calls. Privacy | In programming, change the privacy setting for an external line assignment to the portable. This does not give the ability to change the privacy setting on a call by call basis. Release | See your Portable Telephone Feature Card. Speed Dial | System speed dial codes only. No personal speed dial codes. The portable has a directory that you can use to store up to 50 entries for telephone numbers. Switching between | When on a portable call, switch to another incoming two calls call. You can then switch back to the first call. See your Portable Telephone Feature Card. Transfer | See your Portable Telephone Feature Card. Transfer using | Transfer a call using your portable's directory. See directory your Portable Telephone Feature Card. Trunk Answer | Grab a ringing call for lines placed in a Service Mode. Voice call | See "Supporting additional features for Companion portables" on page 29. Hunt Groups reject voice calls. Wireless Portable | Change the language of the prompts controlled by the Langague Selection ICS as they appear on the portable's display. Wireless Call | Stop the portable from ringing when the call has been Forward No Answer forwarded to its new destination. The portable user can still answer the call but it does not ring. -- Using new features - Directed Call Pickup To answer any telephone that is ringing in your Norstar system: 1. Press [*] [7] [6] 2. Enter the internal number (DN) of the ringing telephone. You must turn on the Directed Call pickup feature for the system in Modular ICS programming before a user can use the feature. The MICS-XC Norstar-Comp anion Installer Guide contians a programming template and complete programm ing information. To turn on Directed Call pickup for an ICS: 1. Press [ Feature ] [*] [*] [2] [6] [6] [3] [4] [4] on a Norstar telephone with a two-line display. 2. Press [2] [6] [6] [3] [4] [4] (the default Installer password), [7] [2] [7] [5] [8] [7] (the default System Coordinator Plus password), or the current Installer or System Coordinator Plus password. 3. Press [ Next ] six times. The display shows System prgrming. 4. Press [ Show ]. The display shows Hunt groups. 5. Press [ Next ]. The display shows Featr settings. 6. Press [ Show ]. The display shows Backgrnd music. 7. Press [ Next ] 11 times. The display shows Directd pickup. 8. Press CHANGE to select the setting Y (Yes) or N (No). Group Pickup Group Pickup allows the portable user to answer a call ringing on another set in the same pickup group. To answer a call ringing at a telephone in your pickup group, press [*] [7] [5]. Modular ICS programming allows you to place all telephones, including port able telephones, into pickup groups. To assign a portable telephone to a Call Pickup group: 1. Press [ Feature ] [*] [*] [2] [6] [6] [3] [4] [4] on a Norstar telephone with a two-line display. 2. Press [2] [3] [6] [4] [6] (the default System Coordinator password), or enter the current password. 3. Press [ Show ] and enter the internal number (DN) of the telephone. 4. Press [ Show ] twice. The display shows Fwd no answer. 5. Press [ Next ] five times. The display shows Pickup grp: 6. Press the CHANGE display button to assign the telephone to pickup group (1 through 9), or to None. See the Modular ICS System Coordinator Guide for more information about Directed Pickup and Group pickup. Wireless Portable Language Selection - This feature allows you to change the language of the prompts controlled by the ICS as they appear on the portable's display, including both the display prompts and voice prompts from voice mail. Norstar supports English, French and Spanish. English Press [*] [*] [5] [0] [1]. French Press [*] [*] [5] [0] [2]. Spanish Press [*] [*] [5] [0] [3]. See the Modular ICS System Coordinator Guide for more information about choosing a language for the display. Wireless Call Forward No Answer enhancement - This improvement stops the Companion portable from ringing when the call has been forwarded to its new destination. The portable user can still answer the call, but it does not ring. The settings for Call Forward No Answer are found under Terminals & Sets in ICS programming. See the Modular ICS System Coordinator Guide for more information. Supporting additional features for Companion portables - Two additional Norstar features can be used with a portable if lines and hardware (an analog terminal adapter (ATA)) are specifically configured to support them: * Voice Call ([*][6][6]) * Priority Call ([*][6][9]) Your installer or customer service representative can set up and program your system to support these features. Refer to the Portable Telephone Feature Card that is supplied with the port- able for the special key sequence required to use this set of features. Troubleshooting - When there is a problem with a portable, follow these steps: 1. Make sure the portable is compatible with the Norstar software version. 2. Verify that the portable is ON and that the battery is not low. 3. Establish a radio connection to get a dial tone. If no dial tone is present: * Verify that dial tone is available from the ICS. * The portable may not be registered. Try to register the portable again. For more information, refer to the "Registering individual portables" on page 17. * Check that the portable is using the correct registration slot. * Verify that the portable has been assigned the correct internal number by calling it from another telephone. Glossary - A C __________ __________ Answer button: A telephone button Call Forward: A feature that with an indicator that is used to forwards all the calls arriving monitor another telephone. The at your telephone to another answer button indicates incoming telephone in your Norstar system. calls destined for the other To have calls forwarded outside telephone. Someone working at a the system, use Line Redirection. telephone with answer buttons (an attendant, for example) can rece- Call Park: A feature that allows ive all ringing and visual indic- you to place a call on hold so ation of incoming calls for other that someone can retrieve it from telephones, and answer those any other telephone in the Norstar calls when necessary. system by selecting an internal line and entering a retrieval code. One telephone can have up to four The retrieval code appears on the Answer buttons. An Answer button display of your telephone when you is automatically assigned to a park the call. You can park up to telephone when that telephone is twenty-five calls on the system at assigned an Answer DN. one time. Answer DN: The internal or direc- Cell: The area covered by one or tory number (DN) of a telephone more radios in close proximity within that is monitored by an Answer a Norstar Companion system. Calls button. You can assign up to four on portable telephones are passed Answer DNs to a telephone under from one cell to another as the user Line Access in Terminals and Sets moves around the office. programming. Companion: The name for Northern Telecom communication systems which B use radio technology to transmit and __________ receive signals between its components and the Norstar System. Base Station: A Companion component that is mounted on Companion Wireless provides mobility walls and ceilings to provide a in the workplace. Calls that used to radio link to an office or other ring just at your Nostar set can also area where Companion portable appear and ring at your portable. telephonesare used. Each Base Sta- tion houses two radios that allow Companion ID: An eight character portablesto send and receive calls (alphanumeric) number assigned by through the ICS. Northern Telecom to identify each Companion wireless system. This See also UTAM. Companion ID is sent to each customer once radio or portable credits have been purchased. The Companion ID must D be provided each time codes or credits __________ are obtained using the Northern Telecom Customer Response Center. Directory number (DN): A unique number that is automatically Companion portable telephone: assigned to each telephone or Hand-held wireless telephone which data terminal. The DN, also refer- allows complete mobility within the red to as an internal number, is reach of Companion Base Stations or often used to identify a telephone an external antenna. Portables offer when settings are assigned during many but not all Norstar features and programming. Default DN assignments share much of the same programming as start at 21 in two-digit (non-expa- "wired" desk sets. nded) system and 221 in three-digit (expanded) system. Conference: A feature that allows you to establish a three-person call at your DN: See Directory number. Norstar telephone. credits: See Portable Credits. E H __________ __________ even message: Even messages are handoff: An activity of Companion wire- stored in the system log and displ- less components. Handoff occurs when the ayed during a Maintenance session. system "finds" a new cell to maintain the They record a variety of events and link between a portable telephone and the activities in the Norstar system. ICS. I K __________ __________ ICS (integrated communications sys- Key Service Unit (KSU): Please see tem): The central hardware compon- Integrated Communication System (ICS). ent in the Norstar system. The ICS has its own processor and memory, L and provides a physical point of __________ connection for the various types of devices, telephones, and expan- Line pool: A group of lines used for sion modules used in Norstar. making external calls. Line pools The ICS can function on its own as provide an efficient way of giving a a basic system (with 32 Norstar telephone access to external lines telephones and up to 48 external without taking up many line buttons. lines), or with the addition of A line is assigned to be a member of Trunk Modules (TM) that supports a line pool by your customer service more external lines, or Station representative. Modules (SM) that support more Norstar telephones. M __________ Integrated Services Digital Network (ISDN): A digital telephone service M7310 telephone: A telephone that has a that allows for a combination of two-line display, three display buttons, voice and data connection over a 10 programmable memory buttons with single, high-speed connection. ISDN indicators, and 12 dual-memory programm- service can operate over the same able buttons without indicators. An copper twisted-pair telephone line M7310 telephone can be equipped with a as analog telephone service. Busy Lamp Field. P M7324 telephone: A telephone with a two- ________ line display, three display buttons, and 24 programmable memory buttons with ind- Portable Credits (U.S. only): icators. An M7324 telephone can be equi- Predefine the maximum number of pped with a CAP module. portables that can be registered to the system. Systems can only regis- R ter as many portables as there are ________ available Portable Credits. To register additional portables, you Radio Credits (U.S. only): The XC must obtain Portable Credit Codes 2.0 system recognizes Base Stations for the number of additional as Radio credits. The number of Radio portables you need. You can obtain Credits licensed to be supported by additional codes whenever you need the system is embedded in the UTAM to expand the number of portables, Activation Code. Two radio credits up to a maximum of 60 portables for are needed for each Base Station. each XC 2.0 system. Radio Data: The selection of Companion portable telephone: See Companion programming that contains all the head- portable telephone. ings to set up cells and radios in your Norstar Companion system. Prime line: A line on your teleph- one that is automatically selected Receive Signal Strength Indicator (RSSI): when you lift the receiver, press A measurement of the signal strength that the Handsfree/Mute button or use the Base Station receives from a partic- an external dialing feature. A ular portable. The strongest value is Prime line is assigned to a teleph- about -35 dBm; the weakest value is one by your customer service repre- approximately -94 to -100 dBm. sentative. Recovery Key (U.S. only): See UTAM programming: A series of procedures Recovery Key. that set the way the Norstar system works. Programming includes system- Registration: The procedure for assigning wide settings and individual telep- an extension on the Norstar system to a hone and line settings. Companion portable telephone. Registration is controlled using system programming and programming overlay: A paper temp- performed "over the air" using the portable late that is placed over the top telephone. four memory buttons with indicators on the M7310 or M7324 telephone Registration password: A password that pre- during programming. The overlay vents unauthorized users from registering labels indicate the special function portables on the Norstar Companion system. that each of the four buttons takes on during programming. The overlay Regression Key (U.S. only): Restores the is found at the front of this guide. previous system security number so that previously applied UTAM Activation Keys S and Portable Credit Keys can be reentered ________ to restore full system operation. Also required in cases of system recovery. This Set lock: A feature that allows you key cannot be reused. to limit the number of features that may be used or programmed at a tele- Remote Power Interconnect (RPI) device: phone. Full telephone lock allows An interface providing remote power for very few changes or features, Part- the Base Stations. Each RPI can power up ial telephone lock allows some to 8 or 16 Base Stations. changes and features, and No tele- phone lock allows any change to be Roaming: Roaming is the ability of a port- made and any feature to be used. able telephone to make and receive calls Telephone lock is assigned during anywhere within the coverage area of a Nor- Terminals&Sets programming. star Companion system. Software keys (U.S. only): RSSI: See Receive Signal Strength Indicator. Software keys administered by UTAM Inc. to control user capacity and to ensure system location verific- T ation for unlicensed, personal ________ wireless communication devices. They must be obtained and entered Target line: A line dedicated to receiving into your Norstar Companion system calls from outside the Norstar system. in order to activate wireless capability. Transfer: A feature that lets you redirect a call to another telephone in your Norstar System Coordinator password: A system, over a network or outside your Nor- one- to six-digit password that star system. prevents unauthorized access to system programming. The system Twinning: With the XC 2.0 system, the ability coordinator password can be assign- of users who have both a wireline (desk) ed and changed in programming. telephone and Companion portable telephone to answer calls from either device. Twinning U is made possible either through assigning ________ Answer DNs or configuring target lines. UTAM Activation Code (U.S. only): W Activates the wireless capability ________ on a new system and in system upgrades involving a change to the wireless: See Companion. number of Base Stations supported. UTAM Inc. (U.S. only): The Federal Communications Commission (FCC) has appointed UTAM Inc. as the body responsible for coordinating and verifying the installation or relocation of personal wireless communication devices operating bet- ween 1.92 GHz and 1.93 GHz. This allows UTAM Inc. to monitor and con- trol the level of wireless activity within this band for a specified geographical location. UTAM Recovery Code (U.S. only): Reactivates a Companion wireless system that has been disabled and re- stores the Companion system to its previous radio credit capasity. _-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-__-_ - I'm fucking cheap.. I'll do anything to get some experience right now.. That's the hardest thing, is getting the first jobs.. - -- Credits Without the following contributions this zine issue would be fairly delayed or not released, so thank you to the following people: Anonymous, Magma, PsychoSpy, root@opentelco.net, The Clone (;p), Untoward -- Shouts: Hack Canada, #CPU, k-rad-bob @ b0g, Blackened @ Damage Inc., The Grasshopper Unit, Pyrofreak, Quebec Hacker's Alliance, Yellowdot and lastly to everyone and anyone who contributes to the Canadian H/P scene. ;. .;.. ; ;. ;.. ;.. .;..; .;.; .;; ;.. .;..;. .;..; .;.;...; ;..;.. .;. A .;. .;. ;.. N E T T W E R K E D ;.. ;..;.. P R O D U C T ;..;.. .;..; ;..;.. ; .;..;.;.. .; . .;. ..;.. .;.. . .; ..;..;..;.. .; ;..;. .;.. . .;.. .;.;. ..;. ..;.. .;. ;.;..;;..;.; ;.;;..;.. ;.;.; .; . ;.;..;. .;. ;.;:.;. ,;....;. .;.;. .;.; .;.;.; .;.; ;..;. .;.; ;.; .;. ..; ;. > > > *z0nk*