textfiles/hacking/rowdy_dl.man


MANUAL TO VERSION 1.1 OF
THE
ROWDY DIALER
(By RowdyB)
1st Release: April '93
-------------------------------------------------------------------------
Please don't hesitate to bother me at either: at073@cleveland.freenet.edu
or: RowdyB@utopia.hacktic.nl
for bug reports, comments, bad poetry etc.
Take note that the latter address may yield slower responses! - RowdyB -
-------------------------------------------------------------------------
INDEX
1 INTRODUCTION
1.1 About the dialer
1.2 Features
1.3 About this manual
1.4 Disclaimer
2 USING YOUR DIALER
2.1 Alpha-numerical editing in general
2.2 Usage and editing of the Multi-Frequency keys
2.3 Usage and editing of songs
2.4 Number scanning
2.5 Guard banding
2.6 Sweep test
2.7 Key logging
2.8 Miscellaneous functions
2.8.1 Doorbell mode
2.8.2 Adapting key buffers
2.8.3 Program execution
2.8.4 Resetting your dialer
2.8.5 Saving your modifications
3 PROGRAMMING EXAMPLES
3.1 A word on the presets
3.2 Programming examples
3.2.1 Some signalling sequences
3.2.2 Pulse signalling
3.2.3 Dividing phreak stages
3.2.4 Auto-phreaking
3.2.5 Scanning country codes
APPENDICES
A: Trouble shooting
B: Where to get the Demon Dialer?
C: Acknowledgements
1 INTRODUCTION
1.1 About the dialer
Early '92 I programmed a quick and dirty tool to play around a bit
with C5 only. Shortly after that I came in touch with an ingenious
hardware multi-box; the Demon Dialer (aka Bill's Box) by Hack-Tic
Technologies. It offers a maximum of flexible control over all types
of phreaking through easy to learn and smart keycombinations, giving
audio feedback whenever needed. It features DTMF, C3, C4, C5/R1, R2
(forward/backward), ATF1, tone slots, a palette of other frequencies
to be found in automatic telephony and datacommunication, as well as
guard banding, advanced (nested) macro programming, user-definable
mark/space timings and frequencies, tone sweep and stepping, number-
scanning, password protection, RAM battery backup, auto shut off,
hookswitch control and an RS232 interface.
It's about the size of a pack of cigarettes.
I understood I either had to buy it or add some of its features to my
C5-thingy. Due to a cashflow problem ''at the time'' I chose the
latter option. As time passed it sort of became most of the features,
since I started all over again programming an empty, programmable box
that afterwards could be divided to my personal taste. It again
offers a maximum of flexible support to phreaking, since basically
phreaking is a lot of work which one is more inclined to perform when
well supported (especially when one confuses laziness and life-style,
as yours truly does).
For information on how to order a Demon Dialer ($250 US or 350 DM/Gld
for a very complete do-it-yourself package) see Appendix B.
This is a =PIZZAWARE= program,
meaning that if you enjoy working with it, I'd like you to send a
Pizza Salame Xtra cheese (no anchovy) to the following address:
Rowdy Blokland
Schotdeuren 52
4241 BS ARKEL
The Netherlands
(Bank-account: PostBank (ING) 3366741, The Netherlands)
If it's likely to arrive cold, I'd rather have *oh surprise* the cash
equivalent. (Advice: Get 'm cheap!)
In the tradition of all xxx-WARE clauses I should now waste a few
lines on a fruitless effort to convince you, the potential user,
what's so smart about sending money to a total and utter (quite
probably bad-breathed and perverted as well) stranger. As a matter of
fact, I don't even know this myself. French kissing an AT&T operator
sounds like a smarter thing to do.
Rather than crippling features, withholding manuals or promising
surprisingly uninteresting sourcecodes or an occasional successive
version I simply trust you to go bananas completely during a possible
adrenaline boost that correct application of this program may inflict
on your body which will make your local pizza-dealer cry happy tears.
You'll regret it though.
1.2 Features
The Rowdy Dialer (RD) offers in short 10 fields of 16 Multi-Frequency
keys, to be applied in up to 99 songs. All values and attributes with
respect to songs and MF-keys are fully user-definable,
thus allowing you to program anything ranging from Morsecode to your
national anthem. Initially you'd be satisfied with the following
concerts your RD is already composed with:
* DTMF
* CCITT 3 (audio), 4 and 5 (/R1)
* R2 forward/backward
* Red-/greenbox
* ATF1
* Tone slots
* Several line- and other signals
and features a.o.
* Number scanning
* Guard banding
* Sweeptest
* Frequency stepping
* Song programming and invocation
* Preprogrammable songkeys (10*10)
* User-definable timings/frequencies per song/MF-key
* Direct marktime/volume stepping
* (Password protected) key logging
* Program execution
presented through a macho and informative graphical interphace.
1.3 About this manual
This manual is NOT a manual on phreaking as such. There's already a
truckload of files out there supplying information on history,
folklore, terminology, box-schemes etcetera w.r.t. this, and your
local technical library can also be of help. In this textfile your
dialer's various functions and possibilities are described step-by-
step and how to make good use of them. All keycombinations have been
chosen with some logic and all input is made foolproof - or so I'd
like to think ..
Btw: don't bother to memorize what keypress goes with what function,
it's all runtime available in short under <HELP>.
1.4 Disclaimer
"The amount of time people waste to get something for nothing is
highly remarkable" - Robert Lynd
The user of this program is solely responsible for his or her use of
it - legal or illegal. I'm merely a poor toolmaker and simply cannot
and will not take any responsibility. This argument works for the
arms industry, so why wouldn't it do the job for me! (Of course, I do
lack relevance in the highest echelons of any government.)
As a matter of fact, I would strongly advise against use of this tool
at all. Rumour has it that getting a job and paying your bills might
work as well, but I wouldn't know.
2 USING YOUR DIALER
2.1 Alpha-numerical editing in general
All alpha-numerical editing is taken care of by GFA's standard
formatted-input routine. Unfortunately it is not fit for a graphical
environment and has the irritating habit of adding 1 or 2 blanks when
entering/editing fullsized input; temporarily giving the interface a
rather silly look. On the other hand it's quite a luxurious input
routine and making one of my own just to meet this would be too big
an effort.
DO NOT report this to me as a bug! After entering your string all
possible damage will be restored.
The editing commands are:
<ARROW LEFT/RIGHT> Move cursor left/right
<ARROW UP/DOWN> Move cursor to begin/end
<CTRL><ARROW LEFT/RIGHT> Move cursor to begin/end
<INSERT> Toggle insert/replace mode
<BACKSPACE> Delete character left of cursor
<DELETE> Delete character right of cursor
<ESCAPE> Clear string
<ENTER/RETURN> Enter string
Don't worry about entering incorrect, out-of-range or no data.
Depending on the situation the data will be mapped in range (absolute
value or bottom/top of range etc.), replaced by the last value (e.g.
when entering nothing) or an error message will appear.
Accidentally including control-codes in your comments on songs, MF-
keys or fields however can sometimes fuck up the look of the
interface; so don't. If you did, remove them. When needed, you can
redraw the entire screen by pressing
<CONTROL><R> Redraw screen
2.2 Usage and editing of the Multi-Frequency keys
The use of the MF-keys is to both define (interregister-)signals for
use in songs and to (a.o.) provide a way to explore line signalling
directly. Especially immediate marktime- and volumestepping can be of
great help w.r.t. the latter.
The attributes of each Multi-Frequency key (MF-key) are two frequen-
cies, its duration or marktime, its volume and a twelve character
comment. Each MF-key corresponds to the numerical keyboard as shown.
The frequencies and marktime are printed on each key, the volume and
comment show up in the infobox at the right when pressing an MF-key.
As said before, there are 10 fields of 'em. Simply use the <ARROW
LEFT/RIGHT> keys to change to a previous or next field. When you get
to know the fields it's often handier to jump directly to the one you
need. For this press <CLR HOME> and enter the desired fieldnumber.
Different signalling systems are spread over different fields when-
ever possible to facilitate simple field-usage in songs (see below).
For clarity each field is commented upon in the upper infobox to the
right.
How to change an MF-key's attributes:
Frequencies: Can be changed by entering a value directly or by
frequency stepping.
First press <CTRL> together with the MF-key you wish to
edit to enter the MF-key editing box at the left. Freq1
can now be changed. Press <ENTER> or <RETURN> to enter a
new value. The allowed range is 31 .. 4000 Hz; from the
lowest frequency the ST can produce to the upper border
in outband signalling (voiceband 300-3400, outband 3400-
4000). Entering 0 Hz is also allowed and interpreted as
silence. Pressing <CTRL><ARROW LEFT/RIGHT> swaps from
freq1 to freq2 and back. This swapping takes place
automatically when entering values directly, in order to
facilitate entering lengthy multi-frequency tables.
To decrease/increase a frequency with a certain stepsize
(default 10 Hz) press <ARROW LEFT/RIGHT>. This frequency
stepping can be made audible by pressing <A> which
toggles audio on/off, using the MF-key's volume. Press
<S> to change the current frequency's stepsize (Range: 1
.. 999 Hz).
Btw: Make sure the two frequencies are not identical -
soundwave interference may muffle the volume from time
to time.
Marktime: Can be changed in three ways: Entering a value via the
MF-key editing box, entering a new value directly or
changing it according to a desired stepsize.
When already editing frequencies in the MF-key edit box,
changing the marktime as well can be done by pressing
<CTRL><ARROW DOWN> (Range: 1 .. 999 milliseconds).
Entering a new value directly is done by pressing
<SHIFT><MF-key>.
When exploring the timing required for a certain line
signal (e.g. starting low and increasing with a certain
step) it's best to use the <+/-> keys to achieve fast
results. The MF-key you pressed last (actually: the one
whose info is shown in the info box - any field changes
are taken into account as well) will be affected.
Initially the <+/-> keys are switched off. Activate
them by pressing <CTRL><+/->. This toggles them on/off,
indicated by the bold or grey look of 'em. (ADVICE: When
you don't need them, switch them OFF. You don't want to
accidentally change timings unseen).
Default the stepsize of the <+/-> marktimes is 5 ms.
Press <RIGHT SHIFT><+/-> to change either one (Range: 1
.. 99 ms).
Volume: Can only be altered by use of the <+/-> keys. Press
<LEFT SHIFT><+/-> to toggle between MARK or VOLUME
stepping (only when they're active). As with markstep-
ping the MF-key last pressed is affected. Range is 0 ..
15 (logarithmically scaled of course, to match human
hearing).
Comment: The comments on both a single MF-key and a field of MF-
keys can be changed. Press <ALT><MF-key> to change the
former or <CTRL><ARROW LEFT/RIGHT> to change the latter.
Comments can be up to 12 characters. Range is technotalk
to sexual explicits, yet unnecessary and gross abuse is
recommended.
ONE IMPORTANT EXCEPTION:
If one wishes to play C4 signals one should formally use songs under
preprogrammed keys (see below), since those signals are combined
ones. Nevertheless, an obscure option has been added to enable you to
play C4 signals comfortably via MF-keys:
* When the first three characters of the comment field match 'C4:',
the RD will overrule the timing and frequencies belonging to that
MF-key. Instead, the following characters immediately after 'C4:'
will be examined and played:
Char:   Freq1:   Freq2:   Marktime:
 P      2040     2400     150
 X      2040        0     100
 Y         0     2400     100
 Q      2040        0     350
 R         0     2400     350
 x      2040        0      35
 y         0     2400      35
(Actually, Q and R should read XX and YY to match the notation used
in CCITT Rec. Q.121; I prefer straightforward parsing though.)
The interpretation of these C4 strings is, of course, case-sensi-
tive. The first character not matching one in the table marks the
end of the sequence. To improve readability, this can e.g. be a
blank followed by a remark, as done in field #1. (Btw: MF-
characters in a song still refer to the normally specified
frequencies and timing of an MF-key (see below).)
Intervals are 35 ms and the MF-key's volume still applies.
Of course, unless low-cost timetravel is added to the list of human
rights real soon, I could have saved myself the trouble of implemen-
ting this.
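The 'C4:' convention above, as an added example that is not part of this manual nor the RD's own (GFA BASIC) code: a small Python parser that applies the table, stops at the first character outside it, and lays the elements out on a timeline with the fixed 35 ms intervals. The function names and the sample comment string are this example's own.

```python
"""Expand an MF-key whose comment starts with 'C4:' into the CCITT No. 4
elements it plays (section 2.2). Added example, not the RD's own code."""
from typing import List, Optional, Tuple

Element = Tuple[int, int, int]      # (freq1, freq2, mark_ms)
Event = Tuple[int, int, int, int]   # (start_ms, end_ms, freq1, freq2)

# The table from the manual; matching is case-sensitive (x/y are the 35 ms elements).
C4_TABLE = {
    "P": (2040, 2400, 150),
    "X": (2040, 0, 100), "Y": (0, 2400, 100),
    "Q": (2040, 0, 350), "R": (0, 2400, 350),
    "x": (2040, 0, 35), "y": (0, 2400, 35),
}
C4_INTERVAL_MS = 35                 # fixed silence between two elements


def c4_elements(comment: str) -> Optional[List[Element]]:
    """Elements for a 'C4:' comment, or None when the key's own frequencies
    and mark time apply. Parsing stops at the first character outside the
    table, so a blank followed by a remark is harmless."""
    if not comment.startswith("C4:"):
        return None
    elements: List[Element] = []
    for ch in comment[3:]:
        if ch not in C4_TABLE:
            break
        elements.append(C4_TABLE[ch])
    return elements


def c4_timeline(elements: List[Element]) -> List[Event]:
    """Absolute start/end of each element, 35 ms apart: what a tone
    generator would be fed. The key's volume applies to all of them."""
    events, t = [], 0
    for f1, f2, mark in elements:
        events.append((t, t + mark, f1, f2))
        t += mark + C4_INTERVAL_MS
    return events


def c4_duration_ms(elements: List[Element]) -> int:
    """Total play time of the sequence, intervals included."""
    return c4_timeline(elements)[-1][1] if elements else 0


if __name__ == "__main__":
    # Constructed comment: a 'C4:' string followed by a blank and a remark.
    for event in c4_timeline(c4_elements("C4:PXxyy demo")):
        print(event)
```

Note that a lowercase 'p' or any other character outside the table ends the sequence at once, so 'C4:pX' plays nothing at all rather than a mistyped P.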
2.3 Usage and editing of songs
To create and play strings of (combined) signalling systems the use
of macros or songs is provided. In the songbox at the bottom of the
screen you'll find the songlist. You can scroll it using the <ARROW
UP/DOWN> keys. Scrolling 10 songs up/down at once is done by pressing
<CTRL><ARROW UP/DOWN>, and jumping directly to the top or bottom of
the songlist by pressing <SHIFT><ARROW UP/DOWN>.
Each song can contain up to 25 characters that may refer to the MF-
keys, indicate song invocation(s), song expansion or field overruling
(see below).
Attributes per song are a fieldnumber (FLD:), mark- (MRK:) and
spacetiming (SPC:) and an 18 character comment. The fieldnumber
indicates the field the MF-characters correspond with, the mark- and
spacetime indicate the duration of the signals and their intervals
(in milliseconds). If FLD: or MRK: are printed grey instead of bold,
their specifications do not apply. Instead, the currently displayed
field or the marktimes of the MF-keys themselves are used, respecti-
vely.
Playing the current song can be done by pressing <INSERT>.
It's also possible to preprogram keys 1 .. 0 on the main keyboard
with your favorite songs. This way you can directly play songs
without having to look them up first in the songlist:
- Scroll to the song you wish to preprogram. Now simply press <CTRL>
and one of the <1 .. 0> keys you want to store it under.
- When pressing <1 .. 0>, the stored song is jumped to and played
immediately. If you just want to check what song is under what key
and don't want to hear a (possibly lengthy, e.g. ATF1-) song; press
<CTRL><D>. This toggles Direct play on/off. Songs will now only be
played by either pressing the <1 .. 0> key again (after the jump),
or by pressing <INSERT>.
- Actually, there are 10 groups of keys <1 .. 0>, each keygroup again
indexed by <1 .. 0>. To change from one keygroup to another just
press <ALT><1 .. 0>. Initially keygroup 0 is active.
Of course one most likely won't need 10*10 preprogrammable keys as
such. The idea is to spread several phreakstages over a few keys, in
order to facilitate repeating a stage whenever needed,
(e.g. Key 1: DTMF sequence; Key 2: Line signal A; Key 3: Line signal
B; Key 4: Interregister signal sequence (Keys 5 .. 0: as Key 4))
and several of these (possibly similarly looking) phreakstages can in
turn be divided among different keygroups.
Changing a song's attributes:
Fieldnumber: To toggle specified field usage on/off press <CTRL><F>.
When off, the currently displayed field applies instead
of the specified fieldnumber.
To change the fieldnumber press <F> (Range 0 .. 9).
Marktime: To toggle specified marktime usage on/off press
<CTRL><M>. Press <M> to change the marktime (Range 1 ..
999 ms). When switched on you can easily adapt the mark
time of signals needing a uniform length only, otherwise
you'd rather switch it off and use the MF-key mark times
instead.
Spacetime: Press <S> to change the spacetime (Range 7 .. 999 ms).
Information: Press <I> to change the information on a song. Up to 18
characters can be entered (For range see MF-key's
comment attribute).
Song itself: To change the contents of a song press <RETURN>, after
which up to 25 characters may be entered.
Allowed entries are:
- All MF-key characters, where an E represents the
ENTER-key.
- Song invocation: is established by entering an 's'
followed by a two-digit song number (Range 01 .. 99).
Invocations can be inserted repeatedly and anywhere
within a string. As with playing an MF-character, the
invoked song is bordered by the space times of the
invoking song. Invocations allow you to e.g. combine
different signalling systems with different timings,
to create pulse signals with an interval of their own
within a sequence having larger intervals, to invoke a
stringpart that is subject to number scanning (see
below) etcetera.
Invoking an undefined song has the same effect as
leaving the invocation out.
- Song expansion: To expand a song simply enter a ';' at
the end of your (possibly empty) string (in fact,
it'll always be at the end - what tails it is
removed). The song is now concatenated to the next
one. Effectively this is parsed up to 4 times. Apart
from possibly using this as an alternative to song
invocation, its main purpose is to enable you to
enter up to 5*25 characters. If those are e.g. 40
successive invocations (8 times 'sXX' plus a ';' in 5
concatenated songs) this yields up to 5*8*25 or 1000
characters (plus one, if you end the last song with a
character instead of a ';') - especially of use to
ATF1.
When concatenated, the space time between the last
signal of song N and the first signal of song N+1 is
equal to the space time of song N. An empty song
containing only the expansion character transparently
glues the previous and next song together.
- Field overruling: To pick an MF-character from a field
different from the specified (or current, when FLD: is
switched off) field, enter an 'f' followed by the
desired fieldnumber (0 .. 9) and the MF-character.
Everything following this will be subject to the
normal field specification again. This allows you to
use signals not included in the same field, such as
signals not fitting the 16 MF-key field or pauses to
be found in line signalling field #8.
Of course, this can also be solved by use of invoca-
tion, expansion, or even reprogramming a field, pen-
ding the situation. Overruling will come in handy
though.
Restrictions with respect to song programming are:
- Songs may not invoke themselves, simply to avoid loops.
- Nesting may only be 1 level deep, i.e. an invoked song may not
contain further invocations, and
- An invoked song may not be expanded.
Since a song is parsed and transformed to a bunch of arrays just
before playing, these restrictions make sure there's a predictable
limit to the sequence to be played (1001 signals).
Apart from that, you'll have a hard time making up a phreaksequence
that couldn't be realized using the offered flexibility - if at all !
You DON'T need to bother memorizing these restrictions yourself; your
RD keeps track of whether a song is invoked by others and how many
times, whether a song may be invoked, expanded or invoke others
etcetera. If you enter out-of-range, invalid or conflicting data the
RD will display the erroneous input within the string in grey and sing
a two-tone beep alert. Pressing <HELP> will show a few tiny
helpscreens recapitulating the correct songformat, and removes the
erroneous parts upon exiting; pressing <RETURN> will simply remove the
errors at once. (Btw: Input is not case-sensitive; solely to improve
readability an e/E is always mapped to uppercase and f/F, s/S to
lowercase.)
TWO IMPORTANT EXCEPTIONS:
As mentioned before, a song's minimum spacetime is 7 ms. This is
simply the smallest amount of time the compiled code uses to
initialize the next signal's frequency, volume and timer routines.
Shorter, say near-zero spacetimes would involve a totally different
approach by use of an assembler.
In practice, you'll never need spacetimes even close to 7 ms. Only
ATF1 and tone slots (100 baud and 70ms marktime respectively) don't
need a spacetime whatsoever. For those two the following exceptions
have been implemented:
* To play a song at 100 baud (10ms mark, no intervals), make sure the
first five characters of the information on a song match 'ATF1:'.
Mark and spacetiming are now overruled, and only freq1 of an MF-
character is taken into account - all other parameters still apply.
* To play tone slots, simply type 'TSL:' at the beginning of the
information field. Marktime is now 70ms with zero spacetime, songs
are further dealt with as with 'ATF1:'.
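The song grammar of this section together with the two timing exceptions, as an added example in Python (not the RD's own GFA BASIC code): a compiler that turns a song into the flat list of signals it would play, honouring field overruling, one-level invocation with the invoker's space times at the borders, expansion into the next song, the 'ATF1:'/'TSL:' info overrides and the three restrictions. The Song class, the keypad characters the sample MF-keys sit under, the mark times and the sample songs are assumptions of this example; the DTMF and C5 frequency pairs are the standard ones.

```python
"""Compile a Rowdy Dialer song (section 2.3 grammar plus the ATF1:/TSL: info
overrides) into the flat signal list it plays. Added example, not the RD's code."""
from typing import Dict, List, NamedTuple, Optional, Tuple

Field = Dict[str, Tuple[int, int, int]]   # MF char -> (freq1, freq2, mark_ms)
Signal = Tuple[int, int, int, int]        # (freq1, freq2, mark_ms, space_ms)
MAX_SIGNALS = 1001                        # playable-sequence limit from the manual
OVERRIDES = {"ATF1:": (10, 0, True), "TSL:": (70, 0, True)}  # (mark, space, freq1 only)


class Song(NamedTuple):
    text: str              # up to 25 characters as typed into the song box
    fld: Optional[int]     # FLD: field number, None when switched off (grey)
    mrk: Optional[int]     # MRK: uniform mark time, None when switched off
    spc: int               # SPC: space time in ms (7..999)
    info: str = ""         # comment; an 'ATF1:' or 'TSL:' prefix overrules timing

def normalise(text: str) -> str:
    """Input is case-insensitive: e/E -> 'E', f/F and s/S -> lowercase."""
    return "".join("E" if c in "eE" else (c.lower() if c in "fFsS" else c)
                   for c in text)

def expansion_chain(songs: Dict[int, Song], number: int) -> List[int]:
    """Follow a trailing ';' into the next song, at most four times."""
    chain = [number]
    while (len(chain) <= 4 and chain[-1] in songs and chain[-1] + 1 in songs
           and normalise(songs[chain[-1]].text).endswith(";")):
        chain.append(chain[-1] + 1)
    return chain

def _play(songs, fields, number, current_field, out, border_space=None):
    """Append song `number` to `out`; border_space is the invoker's space time."""
    song = songs[number]
    text = normalise(song.text)
    if text.endswith(";") and border_space is not None:
        raise ValueError(f"s{number:02d}: an invoked song may not be expanded")
    text = text.rstrip(";")
    mark_ovr, space, f1_only = next((v for k, v in OVERRIDES.items()
                                     if song.info.startswith(k)),
                                    (song.mrk, song.spc, False))
    field_no = song.fld if song.fld is not None else current_field
    start, i = len(out), 0
    while i < len(text):
        c = text[i]
        if c == "s":                                   # song invocation 'sNN'
            if len(text) < i + 3 or not text[i + 1:i + 3].isdigit():
                raise ValueError(f"s{number:02d}: bad invocation {text[i:]!r}")
            target = int(text[i + 1:i + 3])
            if target == number:
                raise ValueError(f"s{number:02d}: a song may not invoke itself")
            if border_space is not None:
                raise ValueError(f"s{number:02d}: nesting deeper than one level")
            if target in songs:                        # undefined song: left out
                _play(songs, fields, target, current_field, out, space)
            i += 3
            continue
        use_field = field_no
        if c == "f":                                   # field overruling 'fN'
            use_field, c, i = int(text[i + 1]), text[i + 2], i + 2
        if c not in fields.get(use_field, {}):         # what the RD shows in grey
            raise ValueError(f"s{number:02d}: {c!r} is no MF-key of field {use_field}")
        f1, f2, key_mark = fields[use_field][c]
        out.append((f1, 0 if f1_only else f2,
                    key_mark if mark_ovr is None else mark_ovr, space))
        i += 1
    if border_space is not None and len(out) > start:  # an invoked song is
        f1, f2, mark, _ = out[-1]                       # bordered by the invoker's
        out[-1] = (f1, f2, mark, border_space)          # space time

def compile_song(songs, fields, number, current_field=0) -> List[Signal]:
    out: List[Signal] = []
    for n in expansion_chain(songs, number):
        if n in songs:
            _play(songs, fields, n, current_field, out)
    if len(out) > MAX_SIGNALS:
        raise ValueError(f"s{number:02d}: more than {MAX_SIGNALS} signals")
    return out

def is_valid(songs, fields, number) -> bool:   # would the RD accept the song?
    try:
        compile_song(songs, fields, number)
        return True
    except (ValueError, IndexError):
        return False

# Constructed sample data: standard DTMF and C5 frequency pairs; the keypad
# characters they sit under and the mark times are this example's assumptions.
DTMF: Field = {d: (lo, hi, 70) for d, lo, hi in [
    ("1", 697, 1209), ("2", 697, 1336), ("3", 697, 1477), ("4", 770, 1209),
    ("5", 770, 1336), ("6", 770, 1477), ("7", 852, 1209), ("8", 852, 1336),
    ("9", 852, 1477), ("0", 941, 1336)]}
C5: Field = {d: (lo, hi, 55) for d, lo, hi in [
    ("1", 700, 900), ("2", 700, 1100), ("3", 900, 1100), ("4", 700, 1300),
    ("5", 900, 1300), ("6", 1100, 1300), ("7", 700, 1500), ("8", 900, 1500),
    ("9", 1100, 1500), ("0", 1300, 1500)]}
C5["E"], C5["+"] = (1100, 1700, 100), (1500, 1700, 55)  # KP1 on ENTER, ST on +
FIELDS = {0: DTMF, 4: C5, 8: {"-": (0, 0, 100)}}        # field 8: a 100 ms pause
SONGS = {
    10: Song("0800123;", 0, 70, 70),         # DTMF stage, expands into song 11
    11: Song("f8-Es12+", 4, None, 100),      # pause, KP1, song 12, ST
    12: Song("4441", 4, None, 60),           # part subject to number scanning
    13: Song("s13", 4, None, 60),            # invalid: invokes itself
    16: Song("11", 4, None, 60, "ATF1: x"),  # 10 ms marks, no space, freq1 only
}

if __name__ == "__main__":
    print(*compile_song(SONGS, FIELDS, 10), sep="\n")
```

compile_song(SONGS, FIELDS, 10) expands song 10 into song 11, invokes song 12 from within 11 and yields 14 signals; note that the last signal of song 12 comes out with song 11's space time (100 ms) rather than its own 60 ms, and that the signals of song 10 keep song 10's 70 ms space time up to the first signal of song 11. is_valid() returns False for exactly the songs the RD would show in grey.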
2.4 Number scanning
Songs that consist of digits only can be sequentially in- or
decreased with a specified stepsize for scanning purposes. Also a
part of a (not necessarily numerical) song can be made subject to
scanning, e.g. for scanning interregister subscriber numbers,
country codes, routing codes etc.
When pressing <N>, number scanning is applied to the current song.
The songparameters above the songbox are now replaced by the current
play song number and stepsize. The play song number indicates the
song that is played during scanning. This can be a song different
from the one to be scanned, in which case the latter should be part
of the play song by means of invocation or expansion. (Btw: the
scanned song may contain max. 12 digits (and possibly a semicolon
at the end); this in connection with straightforward integer calculus
- dealing with larger numbers would be useless anyhow, until
automatic interplanetary telephony is a fact.)
During this mode the following controls rule:
<ARROW LEFT/RIGHT> Decrease/increase number with the current
stepsize. This never affects the amount of
digits in a number; 000..0 is followed by
999..9 and vice versa. Initially, the play
song is played each time as well.
<A> When you wish to in- or decrease the number
several times without playing the play
song, toggle <A>udio on/off.
<ARROW DOWN> or <INSERT> both play the current number again, in case
it needs to be repeated. <INSERT> simply
matches the usual play key - see what suits
you.
<P> Enter a new play song number (Range 1 ..
99). Initially the play song number always
matches the song number of the song subject
to scanning. Having changed this number
once will fix it on your own choice perma-
nently.
<S> Enter a new stepsize. Range is 0 .. 999,
yet the number of digits can never exceed
those of the scanned number. The stepsize
remains fixed unless you scan another
song with fewer digits - the stepsize will
then be adjusted accordingly.
<1 .. 0> To combine scanning and phreaking, the
preprogrammable keys of the currently
active keygroup are also available. (This
of course implicitly offers a second way to
define a play song.)
When exiting this mode, the number song is fixed at the last scan
value.
2.5 Guard banding
Adding an extra tone when signalling may fool filters into believing
you are speaking rather than signalling, so that they do not
disconnect your link. Such a tone is called a guard tone. You can
choose from and redefine up to three guard tones (G1, G2 and G3) by
means of frequency stepping or entering the desired value, each having
its own volume. A guard tone can be played either continuously or only
when signalling.
To toggle the current guard tone on/off press <G>. The field in the
infobox at the right above which 'CURR. GUARD:' is printed displays
which guard tone is active. Also the GUARD switch is set Y/N
accordingly. Initially the tone will be played continuously, indica-
ted by a (C) between brackets tailing the GUARD switch. Playing it
only during an MF-key's marktime or a song's mark- and spacetime is
achieved by pressing <CTRL><G>. This toggles between continuous or
marktime play of a guard tone, indicated by a (C) or an (M) behind
the GUARD switch respectively.
Picking or redefining a guard tone:
<C> is pressed to enter the guard tone editing pop-up
box, and must be read as <C>hoose guard tone.
<G> still applies and toggles guard tone on/off, and
<CTRL><G> still toggles continuous/marktime play.
<ARROW UP/DOWN> keys make you choose between G1, G2 or G3. The
currently active guard tone changes accordingly.
<ARROW LEFT/RIGHT> de-/increases the current guard tone with the step
size shown in the upper-right corner. Each guard
tone has its own step size. Press
<S> to enter a new step size (Range 1 .. 999 Hz).
Default G1, G2 and G3 have step sizes 25, 50 and
100 Hz respectively.
<ENTER> / <RETURN> allows you to enter a new guard tone frequency.
Range is 31 .. 4000 Hz.
<V> toggles between the frequency- and volume list of
G1, G2 and G3. When the latter is shown, <ARROW
LEFT/RIGHT> keys de-/increase the current guard's
volume (ranging from 0 to 15) with step 1.
2.6 Sweep test
To scan a line for filters the ST's full in- and out-band range (31
to 4000 Hz) can be sounded, during which the callee should listen for
gaps. Pressing <T> makes the sweep-test box appear. The following
controls now apply:
<ARROW LEFT/RIGHT> changes the direction of the sweep. When the upper
or lower border is reached the direction always
swaps.
<ARROW DOWN> holds the sweep at the current frequency.
<+/-> in-/decreases the sweep delay (Range: 0 to 99)
both when sweeping and when holding the sweep.
Default is 3, yielding a sweep that takes about 16
seconds back and forth.
* As the sweep goes up, the frequency resolution shows considerable
gaps. This is due to the way the ST's sound chip (Yamaha YM2149, or
its General Instrument equivalent, the AY-3-8910) generates its
frequencies. Each of the three voices or sound generators is driven
by a 125 kHz clock that is divided by a 12-bit period register.
This yields a frequency range of 31 to 125000 Hz, with a rather
restricted resolution of (125000/1 .. 4095) Hz; part of which are
the points used during the sweep.
As a result of this, any desired frequency is actually
125000/ROUND(125000/frequency) Hz. Depending on the desired frequency,
deviations under 1000 Hz can range from 0 to 5 Hz (10 Hz is the
largest step, and frequencies in between are automatically rounded
to the nearest (higher or lower) resolution point); deviations in
the 1000-2000 Hz band can range from 0 to 16 Hz, and at the upper
border of 4000 Hz the highest step is 118 Hz (deviation up to 59 Hz).
This need not be a problem for phreaking purposes. Central Offices
(CO's) can theoretically deal with deviations of up to 1.5 %,
whereas e.g. the ST's C5 signals have deviations of 0.11 to 0.64 %
and R2 has deviations of 0.11 to 0.43 %.
To have an MF-key's frequency deviation displayed press <V> to toggle
this display on/off. Now each time an MF-key is played the deviations
in [+/- Hz] of freq1 and freq2 are printed in the MF-key edit box.
Note that it is useless to attempt to use the actual ST's frequen-
cies: desired frequencies are automatically mapped to the nearest
(higher or lower) resolution point and readability would just be
unnecessarily compromised.
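The quantisation just described, as an added example (not code from the RD): Python functions that compute the period register value, the frequency the chip actually plays, the deviation per tone and per signalling set, the step between neighbouring resolution points and the producible points a sweep can visit. The 125 kHz clock, the 12-bit period and the 1.5 % tolerance are the manual's figures; the C5 and R2 tone sets are the standard frequencies and are this example's addition (the manual only quotes their deviations). Python's round() ties to even, which is assumed to match the ST's ROUND closely enough; the exact-.5 cases (e.g. 2000 Hz) are equidistant from both neighbours anyway.

```python
"""Frequency quantisation of the Atari ST sound chip (YM2149, the licensed
equivalent of the AY-3-8910), as section 2.6 describes it. Added example."""
from math import ceil
from typing import List, Tuple

TONE_CLOCK_HZ = 125_000   # input of each tone generator, per the manual
PERIOD_MAX = 4095         # 12-bit period register (1..4095)


def period_for(freq_hz: float) -> int:
    """Nearest period register value: ROUND(125000 / f). Python's round()
    ties to even; the exact-.5 cases (e.g. 2000 Hz) are equidistant anyway."""
    return max(1, min(PERIOD_MAX, round(TONE_CLOCK_HZ / freq_hz)))


def actual_freq(freq_hz: float) -> float:
    """What the chip really plays: 125000 / ROUND(125000 / f)."""
    return TONE_CLOCK_HZ / period_for(freq_hz)


def deviation(freq_hz: float) -> Tuple[float, float]:
    """(signed Hz, absolute percent) between the wanted and the played tone."""
    hz = actual_freq(freq_hz) - freq_hz
    return hz, 100.0 * abs(hz) / freq_hz


def step_below(freq_hz: float) -> float:
    """Gap between the two producible frequencies just at or below freq_hz."""
    p = ceil(TONE_CLOCK_HZ / freq_hz)
    return TONE_CLOCK_HZ / p - TONE_CLOCK_HZ / (p + 1)


def producible(lo_hz: float, hi_hz: float) -> List[float]:
    """Every distinct frequency the chip can produce in [lo, hi]: the only
    points a sweep can visit, hence the widening gaps towards 4000 Hz."""
    p_hi = max(1, ceil(TONE_CLOCK_HZ / hi_hz))            # smallest period
    p_lo = min(PERIOD_MAX, int(TONE_CLOCK_HZ // lo_hz))   # largest period
    return [TONE_CLOCK_HZ / p for p in range(p_hi, p_lo + 1)]


def worst_tone(tones: List[int]) -> Tuple[int, float]:
    """The tone of a signalling set with the largest percentage deviation."""
    return max(((t, deviation(t)[1]) for t in tones), key=lambda tp: tp[1])


def within_tolerance(tones: List[int], tolerance_pct: float = 1.5) -> bool:
    """True when the whole set stays inside the CO tolerance the manual quotes."""
    return worst_tone(tones)[1] <= tolerance_pct


# Standard tone sets (this example's addition; the manual only quotes deviations).
C5_TONES = [700, 900, 1100, 1300, 1500, 1700, 2400, 2600]
R2_FORWARD = [1380, 1500, 1620, 1740, 1860, 1980]
R2_BACKWARD = [1140, 1020, 900, 780, 660, 540]

if __name__ == "__main__":
    for name, tones in [("C5", C5_TONES), ("R2 fwd", R2_FORWARD), ("R2 bwd", R2_BACKWARD)]:
        tone, pct = worst_tone(tones)
        print(f"{name}: worst {tone} Hz plays as {actual_freq(tone):.2f} Hz ({pct:.2f} %)")
    print(f"producible points 31-1000 Hz: {len(producible(31, 1000))}, "
          f"2000-4000 Hz: {len(producible(2000, 4000))}")
```

Running it shows why the sweep looks coarse at the top: between 2000 and 4000 Hz there are only 31 producible frequencies, against several thousand below 1000 Hz. The worst C5 tone is 1700 Hz, played as 1689.19 Hz (0.64 %), which is the upper figure the manual gives and well inside the 1.5 % a CO is quoted to tolerate.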
2.7 Key logging
Suppose you guessed a Voice Mail Box access right, stumbled upon a
phun number, hacked an answering machine or phreaked a CO success-
fully by chance - and forgot what exactly it was you did. Logging
your key strokes would come in handy then, which is exactly what
happens when the 'LOGGING' switch is set to 'Y' (default). The last
256 MF-key strokes or song plays (whether via the songlist, a
preprogrammed keygroup or during number scanning) are recorded, as
well as the idle times in between. (Btw: In case you wonder why 256:
Don't. I chose this size at random, found it to be not too cheap nor
overabundant, and gave it a power-of-two touch to make dyed-in-the-
wool users nod with mundane understanding rather than ask embarrassing
questions.)
Let's have a look at the log report:
<R> is pressed to enter the report, which has log
entries numbered from 0 to 255. When entering
the report, always the most recent log entry is
displayed.
<ARROW UP/DOWN> keys scroll the report one entry up/down.
<CTRL><ARROW UP/DOWN> scrolls the report ten entries up/down.
<SHFT><ARROW UP/DOWN> jumps to the tail or head of the report.
<ESC> exits (- as it does from all subroutines).
As you can see the standard format of a log entry is:
"LOG: KEY: FLD: FRQ1: FRQ2: MARK: VOL: IDLE:"
which actually is the format of a logged MF-key, and indicates from
left to right:
LOG : the number of the log entry, ranging from 000 to 255, where
lower numbers mean going back in history,
KEY : the symbol of the pressed MF-key,
FLD : the active fieldnumber during the keystroke,
FRQ1: the value of freq1 at the time, in case it's been altered
meanwhile,
FRQ2: ditto for freq2,
MARK: the MF-key's mark time, e.g. of interest when stepping mark
times of a line signal (btw: when doorbell mode is active then
the doorbell time is recorded - see below),
VOL : the MF-key's volume at the time, concluded by
IDLE: the idle time between log entry n and log entry n+1, formatted
as "seconds:milliseconds", e.g. of use to check the timings you
used when phreaking using a preprogrammed keygroup or other-
wise. The largest interval measured is 99:999; everything
exceeding that is fixed at that number. When phreaking,
intervals are never that big - if a CO allows you to play
around with an uncompleted line longer than 1.5 minutes at all.
To convert MF-key strokes to songs according to the logged data
in a straightforward manner, the actual silences ('space
times') between the signals are measured, NOT the key stroke
intervals.
In the following situations this precise format does not apply and is
treated otherwise:
- MF-keys instructed to play C4 signals as demonstrated at the end of
paragraph 2.2 do not sound freq1 and freq2, nor do they use the MF-
key's mark time. Therefore information on FRQ1:, FRQ2: and MARK:
for these log entries is replaced by the contents of the MF-key's
comment field, which contains the used C4 string.
- Played songs are indicated under KEY: as SXX, with XX being the
song number. FLD: is filled in depending on the type of field
specification used (see paragraph 2.3). Since a song has no specific
frequencies or volume only the mark and space time are recorded
(unless mark time specification is switched off, in which case that
log entry field reads 'OFF').
- Songs with timings overruled by an ATF1 or tone slot timing, as
discussed at the end of paragraph 2.3, have a log entry matching
'ATF1 Timing [100 bit/s]' and 'Tone Slots [70ms MARK]' respec-
tively.
Switching logging on/off: Suppose you wish to complete a few
international calls but don't want the phreakholes you worked so hard
for displayed on the screen, e.g. in case your younger brother -
always seeking a way to become immensely popular at high school -
pretends to tie his shoes right behind your back. Unless he has
perfect hearing, pressing <L> may offer some minimal protection. This
toggles logging on/off, and causes the following to happen:
- The MF-key editing box, the information fields on MF-keys in the
info box at the right and the information in the song box will no
longer be updated and therefore turn grey. All editing functions
with respect to this information are now blocked.
- MF-keys no longer light up when pressed.
- Dialer reset, disk I/O, exiting the RD, calling the log report and
program execution (for some of these, see below) are blocked as
well, to prevent your relative from saving your ROWDY_DL.DAT
datafile on a disk of his own, checking it under GEM, nosing about
your logged activities or simply executing your dialer again
through program execution respectively. Instead, the two-tone beep
alert is sung.
- And last but not least, the log report itself is no longer updated.
Functions with respect to preprogrammable keygroups etcetera are
still active, allowing you to phreak as usual yet without visual
feedback.
In case you need to leave your ST you can switch logging off pressing
<CTRL><L> instead. You are now prompted for a case-sensitive, alpha-
numerical password that can contain up to 15 characters, echoed as
X's. Only <BACKSPACE> applies as an edit key. Avoid typos and
remember what you entered, since you won't be asked twice or anything
- way too annoying. When switching logging on again by pressing <L>,
you'll be prompted for it again. Upon forgetting your password, reset
your ST or ask your brother in detail how his crack-patch works.
Again, this only offers minimal run-time protection: the password
gates the user interface of the running program, not the datafile on
disk, and anyone who resets the ST can simply start the RD again and
load that datafile. Having your harddisk password protected or
encrypting your disks to make your datafile inaccessible would still
be necessary. (I've elaborated a bit on a possible encryption of the
datafile to go with the password and concluded it'd be best not to
wind up in a tiresome and fruitless arms race with my fellow c0de
hackers.)
The most recently played MF-key and song information are updated when
switching logging on again.
2.8 Miscellaneous functions
2.8.1 Doorbell mode
Pressing <D> toggles the doorbell mode on/off (default off). When
on, every MF-key is played for as long as it is held down. The time
you held down an MF-key is counted in the 'D.TIME:' field at the
right, in milliseconds. (In combination with a silent (0 Hz or zero
volume) MF-key this could also be used as a simple stopwatch, e.g.
when measuring CO responses - of use only for those who can afford a
watch NOT having that function.) This allows you to signal longer
than 999 ms whenever needed.
* During the doorbell mode all keypresses are scanned about 50
times a second (thus giving the D.TIME a resolution of about 20
ms) without a pause after the first hit. As an unfortunate result
of this, all input routines that prompt for input directly after
a single keypress or -combination would immediately be filled to
the brim with a (control-)character. Changing the keyboard repeat
rate and clearing the buffer can't solve this - the keyboard
processor only takes the new parameters into account for the
keypresses following the current one.
Rather than facing this irritating side effect I chose to
inelegantly BLOCK all input routines yielding a prompt after a
single keypress. Those comprise song editing, comment editing,
direct mark time editing and changing the <+/-> mark steps.
Remember this when using the doorbell mode!
All two-step input (e.g. via the MF-key edit box or other pop-up
boxes) is not affected by this side effect and thus remains
available as usual. All other functions, such as <+/-> stepping,
switching functions Y/N etc., are buffered from the high sample
rate, resulting in a slightly different 'feel'.
Preferably, switch the doorbell mode off when not needed.
Changes made to an MF-key's mark time will of course only take
effect when leaving this mode.
2.8.2 Adapting key buffers
Controls with respect to MF-key and song usage can be influenced by
toggling the BUFFER switch Y/N by pressing <B>. Swapping between
BUFFER1 and BUFFER2 to reach their setting is done by pressing
<CTRL><B>.
BUFFER1: is the MF-key buffer. Subsequently playing MF-keys or
ploughing through MF-key fields is buffered when switched
on.
BUFFER2: is the song buffer. Playing preprogrammed keygroups or the
current song, as well as in-/decreasing, repeating and
playing keygroups during number scanning are buffered.
The setting of these two is entirely a matter of personal taste.
Usually buffering commands gives a smooth feel, but if you haven't
grown used to the controls yet and find yourself repeating signals
by mistake too often, switch either one off.
The buffers are switched off automatically when the doorbell mode
is switched on - the direct and high key sample rate would just
stuff them beyond reason. Their original switch settings are
restored upon quitting the doorbell mode.
Both buffers are active by default.
2.8.3 Program execution
In case you wish to read or update a scanlist while phreaking, or
control your modem after hooking up to a carrier, you can execute an
editor or a terminal program while keeping the RD resident by means
of program execution. Pressing <E> pops up a fileselector box
showing the contents of the current drive's root directory. Simply
seek your favourite executable and double-click it. (The chosen path
will be stored for later use.) Upon finishing you'll return to the
RD as it was.
(A Kuma Switch-like tool can of course do the same for you!)
Executing resident programs is not allowed.
2.8.4 Resetting your dialer
Pressing <F2> shows the reset box. Use the <ARROW UP/DOWN> keys to
choose the data set you wish to reset, and confirm with <RETURN>.
By doing so your RD resets to (part of) the data it initializes
with when starting up.
ALL CHANGES you made with respect to the chosen data set WILL BE
*LOST*; if needed SAVE your changes first (see below).
The three data sets comprise:
ALL : current field 0, field comment, MF-key attributes: freq1,
freq2, mark times, volumes, comment, song attributes:
songs, their fields and mark times (plus setting on/off),
space times, song comment, current song 01, preprogrammed
keygroups, current keygroup 0, guard attributes: frequen-
cies, volumes, step sizes and current guard G3.
SONGS : Song attributes: songs, fields and mark times, space times,
song comment, current song 01, preprogrammed keygroups,
current keygroup 0.
MFKEYS: current field 0, field comment, MF-key attributes: freq1,
freq2, mark times, volumes, comment.
The values of 'ALL' match those in the initial 'ROWDY_DL.DAT'
datafile that came with the dialer. (I furnished the dialer
according to my own taste using the various editing functions
described, then saved and merged it with the source in the same
format.)
For comments upon these presets see chapter 3.
2.8.5 Saving your modifications
The disk I/O box pops up by pressing <F1>. As with resetting the
<ARROW UP/DOWN> keys apply for choosing, and <RETURN> for executing
a disk command. The choices are:
LOAD : Loads all data from the datafile 'ROWDY_DL.DAT', to be
present in the (sub)directory you executed the RD from.
When it's missing the beep alert will sound whilst printing
'NO.DAT'.
The restored data equals the summary concerning data set
'ALL' in paragraph 2.8.4., except the information on
current field, current song, current guard and current
keygroup. Those four parameters contain the values active
when you last saved your changes; thus allowing you to pick
up phreaking exactly where you left it.
SAVE : Saves all data as described above to 'ROWDY_DL.DAT'. Your
last save (if present) will be moved to a last but one
version named 'ROWDY_DL.BCK' for eventual backup recovery.
VERIFY: Compares the contents of the datafile with the current
settings, except for the relatively unimportant (cosmetic)
parameters: current field, current song and current guard.
'NO.DAT' appears when the datafile is missing, 'NOT OK'
when the datafile doesn't completely match the settings and
'OK' when it does.
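As an added illustration of the SAVE/LOAD/VERIFY semantics above, the
following Python models the .BCK rotation and the VERIFY comparison that
ignores the cosmetic parameters. It is not code from the RD: the real
ROWDY_DL.DAT layout is not described here, so the JSON serialization and
the state keys (current_field, mfkeys, songs, ...) are assumptions, and
the sample state is constructed.

```python
import json
import os
import tempfile
from pathlib import Path
from typing import Optional

DAT_NAME = "ROWDY_DL.DAT"
BCK_NAME = "ROWDY_DL.BCK"

# VERIFY ignores these cosmetic parameters (2.8.5); LOAD still restores them.
COSMETIC = ("current_field", "current_song", "current_guard")


def save(state: dict, directory: str) -> None:
    """SAVE: demote the previous datafile to .BCK, then write the new one."""
    d = Path(directory)
    dat, bck = d / DAT_NAME, d / BCK_NAME
    if dat.exists():
        os.replace(dat, bck)              # the last save becomes the backup copy
    tmp = d / (DAT_NAME + ".tmp")
    tmp.write_text(json.dumps(state, sort_keys=True))   # JSON layout: assumption
    os.replace(tmp, dat)                  # rename last: a crash never leaves a torn .DAT


def load(directory: str) -> Optional[dict]:
    """LOAD: the saved state, or None when the datafile is missing ('NO.DAT')."""
    dat = Path(directory) / DAT_NAME
    if not dat.exists():
        return None
    return json.loads(dat.read_text())


def verify(state: dict, directory: str) -> str:
    """VERIFY: 'NO.DAT', 'NOT OK' or 'OK', comparing all but the cosmetic parameters."""
    saved = load(directory)
    if saved is None:
        return "NO.DAT"

    def strip(s: dict) -> dict:
        return {k: v for k, v in s.items() if k not in COSMETIC}

    return "OK" if strip(saved) == strip(state) else "NOT OK"


def demo() -> tuple:
    """Walk through a save/edit/verify cycle in a scratch directory (constructed data)."""
    with tempfile.TemporaryDirectory() as d:
        state = {
            "current_field": 0, "current_song": 1, "current_guard": "G3",
            "current_keygroup": 0,
            # field 9, key '0': the standard DTMF pair 941/1336 Hz, 80 ms mark, volume 13
            "mfkeys": {"9": {"0": {"freq1": 941, "freq2": 1336, "mark": 80, "volume": 13}}},
            "songs": {"01": {"fld": 9, "mrk": 50, "spc": 50, "text": "1234567"}},
        }
        missing = verify(state, d)                   # 'NO.DAT': nothing saved yet
        save(state, d)
        clean = verify(state, d)                     # 'OK'
        state["mfkeys"]["9"]["0"]["mark"] = 50       # a real edit
        dirty = verify(state, d)                     # 'NOT OK'
        save(state, d)                               # previous .DAT is now .BCK
        state["current_song"] = 27                   # cosmetic change only
        cosmetic = verify(state, d)                  # still 'OK'
        has_backup = (Path(d) / BCK_NAME).exists()
        return missing, clean, dirty, cosmetic, has_backup


if __name__ == "__main__":
    print(demo())
```

Two points worth keeping in mind when you rely on this: the rotation
renames the old datafile before the new one is written, so a crash in the
middle of a save costs you at most the unsaved changes, never the backup;
and VERIFY only tells you whether memory and disk agree, it says nothing
about who last wrote the file. As paragraph 2.7 already notes, the
logging password protects the running program, not this plaintext file.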
3 PROGRAMMING EXAMPLES
3.1 A word on the presets
This section comments on the initial values your RD starts up with
or is reset to. Since the various frequencies and their meanings
are displayed quite clearly through the user interface, frequency
tables and redundant commentary have been left out. Though subject to
my personal taste, you'll find the current division quite workable.
FIELD 0: Contains CCITT #5 signals. 14 Interregister and 2 line
signals are present. The missing 'code 12' signal (delay
operator) can be found in field 4, and could (when program-
ming a song) be invoked by means of field overruling.
FIELD 1: Is programmed with CCITT #4 forward signals as demonstrated
in paragraph 2.2. Again the four missing (interregister)
signals (two space codes, code 12 and incoming half-echo
suppressor required) are stored at field 4.
Backward signals are not included. For those interested they
are:
Proceed-to-send (Terminal) X
Proceed-to-send (International transit) Y
Number-received P
Busy-flash PX
Answer PY
Clear-back PX
Release-guard PR (read: PYY)
Blocking PX
Unblocking PR (read: PYY)
The specified single frequencies on these MF-keys (overruled
by the C4 specification and thus for use in songs only) are
the tone slot frequencies.
FIELD 2: Contains all R2 forward interregister signals, and
FIELD 3: contains all R2 backward interregister signals. The forward
signals can have three and the backward signals two possible
meanings (group 0, I or II and group A, B respectively),
depending on the phase of the quite talkative protocol (which is
way too comprehensive to elaborate on in this document).
FIELD 4: Apart from the missing C4 and C5 signals as mentioned above,
this field contains the C4 signal elements as shown in the
table in paragraph 2.2 for use in songs, a 2280 Hz MF-key
for use in C3 sequences and the bit 0 and 1 frequencies for
use in ATF1 (B-Netz) bitstrings.
FIELD 5: Contains three types of redbox frequencies for different
systems (named ACTS, IPTS and non ACTS) and the greenbox
frequencies alert, coin collect, coin return and ringback.
The remainder of this field as well as both FIELD 6 and
FIELD 7 are filled with modem tones, subscriber information
tones and several other frequencies that may be of use to
fool operators (some should be combined first), make shy
modems answer, reprogram private switches or whatever use
you would have for them.
When for some reason you feel like 'adding' other signalling
systems (better: reshuffling the current division to make room
for e.g. Italian OOB-MFC, French SOCOTEL, German IKZ 50 or C4
backward stuff), fields 6 and 7 are probably most appropriate.
You can always regain the original values by resetting your RD
as illustrated in section 2.8.4.
FIELD 8: is filled with several line signals, to be used in various
signalling systems. To fill the comment fields highly
uncreative and straightforward meanings have been added.
FIELD 9: concludes this summary and contains all DTMF (or Touch Tone)
frequencies. The A, B, C and D tones can be encountered on a
number of occasions. In military networks (AUTOVON) their
meanings are Flash Override, Flash, Immediate and Priority.
In contrast with all volume settings applied elsewhere, the
DTMF volumes default to 13 instead of 15. This is done to
avoid the recognition problems that easily occur when DTMF-ing
too loud.
The following songs are preprogrammed with systems using signals
consisting of several signal elements rather than a single signal:
38 .. 40: Redbox payphone coin signals indicating a nickel, dime and
quarter (non ACTS system).
41 .. 43: Same as 38 .. 40, using the ACTS system MF-tone.
44 .. 46: Same as 38 .. 40, using the IPTS system MF-tone.
47 .. 61: CCITT #3 pulse signals.
66 .. 85: CCITT #4 forward signals.
86 .. 99: ATF1 signals.
To sequence these signals by means of song invocation more comfor-
tably, effort has been made to make digits match the second digit of
the song number.
3.2 Programming examples
To illustrate a few practical applications of your RD, some
programming examples have been added. They are commented upon in the
next paragraphs. A desired sequence can of course be realized in a
variety of ways given the flexibility of song programming; the
examples only show one possible way to do so.
Songs that are still '-- undefined --' will play strings from field
0, using MF-key mark times and 50 ms space times by default; i.e. the
popular C5 interregister signals and timings. Filled with both
educational and possibly useful songs as it is, the songlist
initially contains only 25 undefined entries. Don't hesitate to
overwrite all songs you have no use for, since resetting your RD (see
2.8.4) will restore them whenever needed.
After discussing all functions in detail as I have by now, the
following better be a blunt insult to your intelligence.
3.2.1 Some signalling sequences
Song 01: To turn an undefined (FLD: 0, MRK: 50, SPC: 50) song into
a DTMF number press:
<F> <9> <RETURN> to use field 9 DTMF tones, and
<CTRL> <M> to overrule the MF-keys' 80 ms mark times
(smooth when dialing manually) with speedier
50 ms mark times,
<RETURN> to edit / enter your (DTMF) string, and
<I> to eventually add a comment.
Song 27: plays a C5 string and thus uses the default parameters.
Song 28 and 29: song 28 invokes its country code part in song 29;
together they equal song 27.
Song 37: To play tone slots press
<F> <1> <RETURN> to use field 1 tone slot frequencies,
<I> <'TSL: ..'> to overrule the timings with tone slot
timings as mentioned in paragraph 2.3.
<RETURN> to edit / enter tone slots.
3.2.2 Pulse signalling
Song invocation can, among other things, be used to play pulses with
an interval of their own inside a sequence that has a different
(larger) interval:
Song 30: Plays C3 pulses by means of invocations. Each C3 digit
(song 51 through 56) has its own field specification and timings -
only the space time of song 30 applies and spaces the digits. The
space time was enlarged by pressing <S> <500> <RETURN>.
Song 31: Plays C4 signals (song 71 through 76) spaced by 140 ms.
Songs 62 .. 65: Use invocations to play an ATF1 string. Since one
song can contain only 8 invocations, extra songs are concatenated
by use of the song expansion character ';'. The 600 ms preamble
cannot fit in one song (25 ATF1 0-bits in a row only last 250 ms at
100 bit/s) and is realized by invoking a 200 ms preamble (song 86)
three times.
To extend this ATF1 string song 66 could be added as well (e.g. to
make a double ATF1 string; not to add 8 more digits to the bogus
22-digit phone number in this example), since expansion is parsed
effectively up to 4 times as mentioned in paragraph 2.3.
To program an ATF1 string, make sure the timings of the first song
are overruled by the 100 baud ATF1 timing by pressing <I>
<'ATF1: ..'> (again: see 2.3 for more detail). This overrules the
timings of both invoked and concatenated songs, so you'll only have
to enter it once.
3.2.3 Dividing phreak stages
Four typical C5 phreak stages have been split up under keys <1 ..
4> on the main keyboard, belonging to keygroup 0 (which is active
by default). They illustrate the generic idea w.r.t. keygroup usage
as mentioned in paragraph 2.3. When pressed, they jump to and play
song 01 (DTMF number), song 32 (clear forward signal), song 33
(seize signal) and song 28 (C5 string) respectively. This way you
can repeat a stage whenever needed, e.g. by using your left hand's
little- through forefinger whilst stretching a nostril with the
right one.
Song 32 and 33 have their specified mark time switched off, so that
the MF-key's mark time they refer to can be altered by means of the
<+/-> keys as shown in paragraph 2.2.
Preprogramming these keys was done by first scrolling to the
desired song, followed by pressing <CTRL> <1 .. 0>.
All other preprogrammable keys will initially jump to and play song
'XY', where X is the number of the current keygroup and Y is the
digit of the pressed key (e.g. pressing <ALT><3> and <7> reaches
song 37). (Necessary exception: key 0 of keygroup 0 is mapped to
song 01.)
3.2.4 Auto-phreaking
When a phreakhole has stable responses and you know the intervals
and timings, you can easily combine several signalling systems in
order to phreak by means of a single keypress. Song 34 shows one
possible way to do this. This song first plays a DTMF number
followed by a 12.5 second pause, three clear forwards of 120 ms
with intervals of 0.5 second, a 120 ms seize, another 0.5 second
pause and ends with a C5 string. In detail this song reads:
s01 : invokes the 50 ms mark and space timed DTMF number in
song 01.
........ : plays eight times the dot MF-key in field 8, which is
a 999 ms pause (silence), spaced by nine times the
song's 500 ms space time. This adds up to an almost
12.5 second pause.
f0(f0(f0( : plays the '(' MF-key of field 0 three times (a 120 ms
clear forward) by temporarily overruling the song's
field specification. Intervals are still 500 ms.
f0); : plays the ')' MF-key of field 0 (a 120 ms seize) using
field overruling as well. The expansion character ';'
concatenates song 34 to song 35, spaced by song 34's
500 ms space time.
s27 : invokes the C5 string in song 27 which uses MF-key
mark times and 50 ms space times.
In this example, completing calls to different destinations using
the same phreakhole can be done by invoking different C5 songs in
song 35 rather than changing the contents of song 27.
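The song notation used in the listing above (invocation with sNN, field
overruling with fN, expansion with ';', song mark times versus MF-key
mark times) lends itself to a small sequencer. The following Python is an
added example, not part of the RD or the Demon Dialer firmware; it models
the song language just far enough to reproduce the timing arithmetic of
song 34: the DTMF number, the 'almost 12.5 second' pause, three 120 ms
clear forwards, a seize, and the C5 string of song 35. Everything in it
is constructed: only a handful of keys of fields 0, 8 and 9 are modelled,
the DTMF number and the C5 digits are made up, whitespace in a song text
is treated as layout only, and the ATF1/TSL timing overrules of paragraph
2.3 are left out.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class MFKey:
    freq1: int          # Hz; freq1 == freq2 == 0 marks a silent key such as '.'
    freq2: int          # 0 for a single-frequency key
    mark: int           # ms, used when the song's own mark time (MRK) is switched off


@dataclass
class Song:
    text: str                   # keys, 'sNN' invocations, 'fN<key>' overrules, ';'
    fld: int = 0                # FLD: default field for plain keys
    mark: Optional[int] = None  # MRK: None means the MF-key mark times apply
    space: int = 50             # SPC: silence between consecutive elements, ms


MAX_INVOCATIONS = 8             # per song (paragraph 3.2.2)
MAX_EXPANSIONS = 4              # ';' chain depth (paragraph 2.3)
MAX_NESTING = 8                 # assumption: stops a song that invokes itself
Event = Tuple[int, int, int]    # (freq1, freq2, duration_ms); (0, 0, d) is silence
Fields = Dict[int, Dict[str, MFKey]]


def render(songs: Dict[int, Song], fields: Fields, num: int,
           _depth: int = 0, _expansions: int = 0) -> List[Event]:
    """Expand song `num` into a flat list of tone and silence events."""
    if _depth > MAX_NESTING:
        raise ValueError("invocation loop")
    song = songs[num]
    text = song.text.replace(" ", "")      # spaces are layout only (assumption)
    events: List[Event] = []
    invocations, chain, first, i = 0, False, True, 0
    while i < len(text):
        c = text[i]
        if c == ";":                        # expansion: continue with song num+1
            chain, i = True, i + 1
            continue
        if not first:                       # this song's SPC separates its elements
            events.append((0, 0, song.space))
        first = False
        if c == "s":                        # sNN: the invoked song keeps its own timings
            invocations += 1
            if invocations > MAX_INVOCATIONS:
                raise ValueError(f"song {num}: more than {MAX_INVOCATIONS} invocations")
            events.extend(render(songs, fields, int(text[i + 1:i + 3]), _depth + 1))
            i += 3
            continue
        fld = song.fld
        if c == "f":                        # fN<key>: field overrule for one key
            fld, c, i = int(text[i + 1]), text[i + 2], i + 3
        else:
            i += 1
        key = fields[fld][c]
        events.append((key.freq1, key.freq2, song.mark if song.mark is not None else key.mark))
    if chain:
        if _expansions >= MAX_EXPANSIONS:
            raise ValueError(f"song {num}: expansion parsed more than {MAX_EXPANSIONS} times")
        events.append((0, 0, song.space))   # concatenated song is spaced by this song's SPC
        events.extend(render(songs, fields, num + 1, _depth, _expansions + 1))
    return events


def total_ms(events: List[Event]) -> int:
    return sum(d for _, _, d in events)


def longest_silence_ms(events: List[Event]) -> int:
    """Longest run of back-to-back silence (gaps plus silent keys), in ms."""
    longest = run = 0
    for f1, f2, d in events:
        run = run + d if (f1, f2) == (0, 0) else 0
        longest = max(longest, run)
    return longest


# ---- constructed presets: a small subset of fields 0, 8 and 9 ----
DTMF_LOW, DTMF_HIGH = (697, 770, 852, 941), (1209, 1336, 1477)
FIELD9 = {ch: MFKey(lo, hi, 80)                       # DTMF keys, 80 ms MF-key mark
          for lo, row in zip(DTMF_LOW, ("123", "456", "789", "*0#"))
          for hi, ch in zip(DTMF_HIGH, row)}
# CCITT #5 2-of-6 interregister codes (55 ms digits, 100 ms KP1) on digits/'K'/'S',
# plus the 2400+2600 Hz clear forward on '(' and the 2400 Hz seize on ')', 120 ms each
C5 = {"1": (700, 900), "2": (700, 1100), "3": (900, 1100), "4": (700, 1300),
      "5": (900, 1300), "6": (1100, 1300), "7": (700, 1500), "8": (900, 1500),
      "9": (1100, 1500), "0": (1300, 1500), "K": (1100, 1700), "S": (1500, 1700)}
FIELD0 = {k: MFKey(a, b, 100 if k == "K" else 55) for k, (a, b) in C5.items()}
FIELD0["("], FIELD0[")"] = MFKey(2400, 2600, 120), MFKey(2400, 0, 120)
FIELD8 = {".": MFKey(0, 0, 999)}                      # the silent 'dot' key: 999 ms pause
FIELDS: Fields = {0: FIELD0, 8: FIELD8, 9: FIELD9}

SONGS = {
    1:  Song("1234567", fld=9, mark=50, space=50),      # song 01: DTMF number (made up)
    27: Song("K12345S"),                                # song 27: C5 string, default timings
    34: Song("s01 ........ f0(f0(f0( f0);", fld=8, space=500),
    35: Song("s27"),
}

if __name__ == "__main__":
    ev = render(SONGS, FIELDS, 34)
    print(f"song 34+35: {len(ev)} events, {total_ms(ev)} ms total, "
          f"longest pause {longest_silence_ms(ev)} ms")
```

With these presets the whole sequence lasts 16352 ms and the longest
silent run is 8 x 999 ms plus 9 x 500 ms = 12492 ms, the 'almost 12.5
second pause' of the listing above. The 8-invocation and 4-expansion
limits raise an error instead of silently shortening the sequence; that
is the check you want before a song is let loose on a live trunk, where a
truncated pause would put the C5 string on the line before the far end
is ready for it.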
3.2.5 Scanning country codes
If you wish to examine which countries you can reach via a certain
CO using C5, number scanning combined with song invocation comes in
handy. As an example, song 28 and song 29 contain C5 strings with
identical timings. Song 28 plays its country code part by invoking
song 29. Simply scroll to the latter and press <N> to make it
subject to number scanning. All controls as explained in paragraph
2.4 now apply. When in-/decreasing the country code the complete C5
string can be played by pressing <P> <28>, which redefines the play
song to song 28.
When using the preprogrammed phreak stages under keys <1 .. 4> on
the main keyboard as demonstrated in paragraph 3.2.3, it is handier
to use key <4> to play the play song. In that case you should
toggle <A>udio off to in-/decrease the country code silently.
APPENDICES
A: Trouble shooting
Some of your RD's features can have puzzling side effects, e.g.
functions overruling standard procedure. They have already been
described in detail in this manual, which is probably the reason you
missed them:
* Some songs don't seem to respond to the specified mark and space
timings.
Remove the 'ATF1:' or 'TSL:' string heading their comment fields.
These overrule the specified timings as discussed at the end of
paragraph 2.3.
* Editing song parameters, comments, mark times or the <+/-> mark
steps suddenly seems impossible.
These functions are blocked when the doorbell mode is active. See
2.8.1 for an explanation, or just toggle it off by pressing <D>.
* The volume of an MF-key varies now and then.
Make sure that freq1 and freq2 have different values. If not,
soundwave interference may muffle the volume.
* Some MF-keys persistently play C4 signals, no matter what frequen-
cies or mark times I enter.
Remove the 'C4:' string heading their comment fields. These make
them signal C4 strings as mentioned at the end of paragraph 2.2. In
songs the specified frequencies and mark time still apply.
* The user interface looks like a mess since tear-gas bombs are fired
through the window.
Burn your notes and deny everything.
B: Where to get the Demon Dialer?
For ordering Demon Dialers dial Hack-Tic's Voice Mail Box number:
+31-20-6001480
The do-it-yourself package includes a preprogrammed MC68HC705C8P/DD
chip, a keyboard PCB and a processor PCB (both 65 x 72 mm), keys,
all necessary analogue parts, a battery holder, an operation and
reference manual and a very clear construction manual.
Hack-Tic's address is:
Hack-Tic (Technologies)
P.O. Box 22953
1100 DL Amsterdam
The Netherlands
Fax: +31-20-6900968
C: Acknowledgements
I would like to thank CarloKid for his (sounder than GFA's) sound
routines, Hackbear for his (non-loop) timer routine, Arie for his
scanning gear, the Hack-Tic illustrator KoHo whose fun drawings I
digitized without asking, Troed and Zaphod for their excellent BBS
services, ItsMe for making me go astray and Pieter for pretending
sincere interest during the development of this program. Thanks guys!