=========================================
| Key Pulse Issue 63                    |
| Orange Boxing - The half-assed guide  |
| Written by: Cuebiz (Team Black Sheep) |
=========================================

In the beginning
================

This is actually the 3rd revision of this very file. I would greatly like to thank Lucky225 for actually helping me weed out most of the clerical errors (I say most because any day now, someone is going to send me more corrections to make). Lucky225, once down with the 809 crew, writer for the Hacker Quarterly (2600), and the maker of the first Orange box ever put to actual use. He's written TWO articles on the subject, both of which have been questioned and analysed to death. Many people are still trying to figure out the exact mechanics of it or if it really works. In this file, I'll make a theoretical dissection of Lucky225's FSK session capture, attempting to put some or many questions to rest.

First and foremost, in his first file, he explained that an Orange box is a box made to "spoof" the name/number/date/etc displayed on standard US CLID units. He explains that you blast a mixture of 2130Hz+2750Hz (aka a CAS tone), wait for a response tone from the remote CLID unit (AUTOVON "D"), and then blast through your captured FSK session or a computer simulation of an FSK session.

Now, what THIS file was meant to teach you is: how to create your own FSK sessions (or at least know what is being sent when you blast someone else's captured FSK sessions), how to know the difference between a CIDCW spoof and a regular CID spoof, and how to get your hands on an actual WORKING Orange Box.

Now, if you've used Lucky's FSK captured recording, then this is what should be displayed on the remote CLID unit.

================
| Out of Area  |
| 6:46P Sep 11 |
================

Now, before I go any further, I'd like to go over some basic FREQUENTLY asked questions, so you'll know what I am talking about throughout this file.

* WTF is FSK?
FSK = Abbreviation for Frequency Shift Keyed (Alternating Keyed, and Keys); FSK is the name given to the modem tones that your local C.O uses to communicate to subscriber loop CLID units to display your CLID information.

* WTF is a CAS tone?

CAS = Acronym for the CPE Alert Signal. Used to alert the CLID unit that there is an incoming call on call-waiting; once the remote CLID unit hears a CAS tone, it mutes the whole handset to receive the CLID information of the new caller.

* What does MDMF stand for?

MDMF = Acronym for Multi-Data Message Format, the transmission used to display CID information INCLUDING the name of the person calling (as opposed to SDMF).

Now, let's dissect Lucky's FSK tones
====================================

FSK tones are merely a series of binary equivalents of the information to be displayed, which is usually sent about 500-600ms after the first ring (before the second ring). So, why is an "Out of Area" FSK capture SO short compared to other 'normal' FSK captures that you've probably heard? Let's take a good look:

Description            Decimal  ASCII  FSK Binary
---------------------  -------  -----  ---------------
Transmission: SDMF        4            0 0 0 0 0 1 0 0
9 Character Minimum       9            0 0 0 0 1 0 0 1
9th month (sep)          48      0     0 0 1 1 0 0 0 0
                         57      9     0 0 1 1 1 0 0 1
11th day                 49      1     0 0 1 1 0 0 0 1
                         49      1     0 0 1 1 0 0 0 1
18 hours (6pm)           49      1     0 0 1 1 0 0 0 1
                         56      8     0 0 1 1 1 0 0 0
46 minutes               53      4     0 0 1 1 0 1 0 1
                         54      6     0 0 1 1 0 1 1 0
Out of Area              79      O     0 1 0 0 1 1 1 1
Checksum                  5            0 0 0 0 0 1 0 1

Note: 1200Hz represents the mark, also known as the "1".
      2200Hz represents the space, also known as the "0".
      Both tones are sent at -13.0 dB (because they're checked).

Okay, in the above EXAMPLE, I used SDMF for the mere reason that it's shorter, and thus easier to explain. An MDMF transmission is MUCH MUCH longer, but follows the same basic principles mentioned above, so that means that you should be able to do all of this on your own.
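The frame in the table above, decoded and checksum-verified in code, as an added example that is not part of the original file. It does what a receiving CLID unit does (add every byte, expect 0 mod 256) rather than what a sender does, and it also parses the tagged MDMF layout (type 128, then parameter tag, length, value) described in the next section; the MDMF tag names and the general two's-complement form of the checksum are my generalisation, not something the article states.

```python
# Added example (not from the original article): decode the data bytes of a
# Caller ID FSK frame and verify the checksum the way a CLID unit does.
# Covers SDMF (type 4) as in the table above and MDMF (type 128), whose body
# is a series of parameters: tag byte, length byte, value bytes.

SDMF, MDMF = 0x04, 0x80
# Tag meanings assumed from the article's MDMF ordering (1 = date/time,
# 2 = calling number, 7 = calling name).
MDMF_PARAMS = {1: "datetime", 2: "number", 7: "name"}

def cid_checksum(body):
    """Checksum byte = two's complement of the sum of all preceding bytes.
    For the table above: sum = 507, 507 % 256 = 251, 256 - 251 = 5."""
    return (-sum(body)) % 256

def checksum_ok(frame):
    """Receiver side: the whole frame, checksum included, must sum to 0."""
    return sum(frame) % 256 == 0

def decode_frame(frame):
    """Split a frame into its fields; raises ValueError if it is damaged."""
    if not checksum_ok(frame):
        raise ValueError("checksum mismatch: residue %d" % (sum(frame) % 256))
    kind, length = frame[0], frame[1]
    body = frame[2:2 + length]
    if 2 + length + 1 != len(frame):
        raise ValueError("length byte does not match frame size")
    if kind == SDMF:
        text = bytes(body).decode("ascii")
        # MMDDHHMM, then either the number or a single letter such as
        # "O" (Out of Area) or "P" (Private) standing in for it.
        return {"format": "SDMF", "datetime": text[:8], "number": text[8:]}
    if kind == MDMF:
        fields, i = {"format": "MDMF"}, 0
        while i + 1 < len(body):
            tag, plen = body[i], body[i + 1]
            value = bytes(body[i + 2:i + 2 + plen]).decode("ascii")
            fields[MDMF_PARAMS.get(tag, "param%d" % tag)] = value
            i += 2 + plen
        return fields
    raise ValueError("unknown message type %d" % kind)

# Constructed test data: the SDMF bytes exactly as listed in the table above.
OUT_OF_AREA = [4, 9, 48, 57, 49, 49, 49, 56, 53, 54, 79, 5]

if __name__ == "__main__":
    print(cid_checksum(OUT_OF_AREA[:-1]))  # 5
    print(decode_frame(OUT_OF_AREA))
```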
An MDMF transmission would go in this order (well, not always in this exact order):

128 (MDMF)
Length of CID transmission
1
Month
Day
Hour
Minutes
2
10 (length of number)
Line number (broken down into binary)
7
Length of name
Name (broken down into binary)
Checksum

Anyway, I've included the decimal values for reasons of computing the checksum. As you can see, by looking at the ASCII values, the FSK Binary tones are just as I said, the binary equivalent of the information to be displayed ;)

Now, how did I get that checksum? Simple (I recommend you use a calculator for your first several times just till you get it right): by adding up the Decimal values (excluding the checksum), you'll come up with 507. Now, open up your scientific calculator and display the modulus of 507 (your total) / 256 (standard for computing CID checksums), and you should get ... 251. Now, the binary equivalent of 251 is 11111011. So you must replace all of the 1's with 0's and 0's with 1's, except the last number which must always be a 1, so 11111011 turns into 00000101 which is the binary equivalent of 5. And that's how you compute a CID checksum. Get it?

Now, the reason why you have to turn the number around like that is that when the C.O "checks" the checksum, it should result in "0" meaning zero errors - and everything's fine. If the C.O messes up, most likely, it'll just give out errors on the remote CLID unit's display.

Spoofing
========

So, an ideal CID "spoof" attack: one would send, through a channel seizure, a continuous flow of alternating 1's and 0's for 255ms, immediately followed by 180ms of continuous 1's, then send the CID information, and then a checksum.
This would make everything so fun and simple if SS7 allowed us to send signals via our voice lines before the initial pick-up on the other end, but we can't; but if we could, then a sample CID "spoof" call would go as follows:

=====                            =================
| You |                          | Remote CID Unit |
=====                            =================
Dial XXX-xxxx ----------------->
                                   Ring ...
Send channel Seizure ---------->
Send Continuous 1's ----------->
Send CLID Info ---------------->
Send CheckSum ----------------->
                                   Ring ...

So, seeing that you cannot actually "spoof" a CLID unit via *ring* -spoof- *ring*, you would have to establish an actual voice connection with the person whose CLID unit you want to "spoof". A sample CIDCW spoof would go something like this:

=====                            =================
| You |                          | Remote CID Unit |
=====                            =================
Dial XXX-xxxx ----------------->
                                   Ring ...
                     <------------ "Hello?"
You talk ---------------------->  "ATNT, please hold" *
Send channel Seizure ---------->
Send SAS Tone ----------------->
Send CAS Tone ----------------->
                     <------------ Sends seizure Wink
Send CLID Info ---------------->
Send CheckSum ----------------->
Still on caller's line -------->  "Still there?"

* Lucky225 has explained to me that CIDCW actually DOES have a "channel seizure" which is 80ms of 1's.

The Orange Box Theory
=====================

The only way to actually fool someone into thinking you're someone else would be to op-divert the call, and once connected, spoof your CLID info. Of course, they would first see "Out of Area" (whatever), and then your "new" CLID info; if they know nothing about CallerId, then this should be enough to trick 'em.

Getting these tones
===================

FSK Session Tones:

Recently, The Fixer has created a program called "SOB - Software Orange Box" which should work. I've listened to an exported .wav, and it seems normal. I am yet to test it out. You can download SOB from http://artofhacking.com.
You can download Lucky225's FSK capture from www.home.dal.net/verizown/orange.html

I personally recommend that you try creating these tones on your own, using the calculations featured here; but heh, it doesn't matter what I think, it's whatever floats your boat. I guess you could try creating your own tones with CoolEdit or something similar (you could probably use BlueBeep).

SAS/CAS Tones:

Both tones can be downloaded from my soon to be released "Nothing Dialer", which is just a clone of Cuebiz's Wacky Dialer (except it just plays .wav's), or you could use Lucky's idea to get a CAS tone by opening up your Radio Shack tone dialer and soldering an 8.192MHz crystal (assuming you've previously made a redbox) in place of your 3.579545MHz crystal, and using the "*" button to play the CAS tone.

Readers Note
============

Initially, I typed up this file JUST to show you how to calculate CID checksums, and then Lucky225 emailed me asking for corrections. So, now that most of the tragic errors have been taken into consideration, I would consider this file a semi-complete write-up on what an Orange Box does, and how to use it. I would like to give a big thank you to Lucky225 for helping this file grow.

Readers Resources
=================

Telco Inside (of course) - www.t1s.8k.com
Verizown - www.home.dal.net/verizown
The Art of Hacking - www.artofhacking.com
http://www.testmark.com/develop/tml_callerid_cnt.html