##################################### + /## T h e W o r d O f G o d ## + |/## A -=MINISTRY=- Production ## +++++ |/## Hotel Chelsea - Sam Hain ## + |/## Fungus Land - Malignant ## + |/## Growth ## + |/## Ulterior Motives - GenesyS ## + |/##+.+.+.+.+.+.+.+.+.+.+.+.+.+.+.+.+## + |/## ## /#########|/##################################### |/## Issue |///////////////////////////////////// |/## Number ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |/## ------ FOUR (4) ## |/## January 1990 ## |/######################### |////////////////////////// ~~~~~~~~~~~~~~~~~~~~~~~~~~ This is it!!! Our FOURTH issue. I never thought it would last this long. HAPPY NEW YEAR!! As a 1990 special issue, we are including HACKING Voice Mail Box systems, a BIG list of GOOD numbers to call, and some other ideas we have... A bit of the information in this issue has been printed elsewhere, but ALL will have new ideas and techniques, making them a seperate article. Well, Enough TALK - More INFORMATION!!! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Hotel Chelsea - (206)/pri-vate -Now an uncensored information bulletin board. Any legal (remember the first amendment) information can be posted. Call! Fungus Land - (206)/pri-vate -a TRIAD distribution Site. Running at 9600+ (I believe.) One of the best pirate boards in Washington State. Ulterior Motives - (206)/pri-vate -Former home of NSoC, but now (after the merge) they are in with FFA in a new group called THE GUiLD. They have put a few items out, and more are coming. Very promising. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ LOCKPICKLOCKPICKLOCKPICKLOCKPICKLOCKPICKLOCKPICKLOCKPICKLOCKPICKLOCKPIC You know those round keyholes that look like a bitch to pick? (you see them on pop machines and IBM-AT console locks.) Well, fret not anymore, since all you need to open them up is some art supplies. INGREDIENTS: ------------ 1 small ball of air hardening clay (steal this from Art 101) 1 pair of shoes Now... take this lump of soft clay and, after making sure no one is looking, push it into the keyhole. After packing it in good, pull it out. It should be in the shape of the keyhole. If not, roll it up and try again. Now, leave for a while and let the clay harden fully (usually an hour or three.) Then, go back, check for unwanted viewers, open up the machine, and grab the dough and whatever inside turns you on. Now, you may be asking yourself, 'What does my pair of shoes have to do with this?' WELL, they are very important in case you ARE seen. If Principal Bob comes-a-runnin', just drop key, and give with a step. NO evidence. "But the machine was open already sir..." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ HACKING VOICE MAIL SYSTEMS Most VMS's are similar in the way that they work. They store the voice in different ways: digitally compressed, magnetic tape, etc. There are many different VMB companies, but I will just examine a few of the more popular systems... CENTAGRAM ~~~~~~~~~ These are direct-dial (you do not have to enter a box number.) To get on one of these, first have a number to ANY box on the system (scan randomly.) All of the other boxes will be on the same prefix. Just start scanning them until you get a message saying that the person you are calling is not yet available. This means that the box has been created, but is not owned by anyone yet. Before the lady tells you to leave a message, press the # button You will then be asked for your password.The password will usually be the same as the last 4 digits of the box number, or easy-to-remember #'s like 1000, 2000, etc.... Once you get on, they are very user-friendly, and you will get a list of options. If you can't find any empty boxes, or you want to create some for yourself, the system administrators box # is 9999 on the same prefix as the other boxes. SPERRY LINK ~~~~~~~~~~~ These are very nice systems, but very hard to hack because you must get a user ID (different from a box number) and a password. When it answers, if it says "This is a Sperry Link voice station. Please enter your user ID," you will have to start trying to find a valid user ID. On most Sperry's, it will be a five digit numebr. If it answers and says, "This is an XXX answering Service." You first have to dial *# to get the user number prompt. Once you get a valid user number, you will have to get the password. It will be 4 digits long. RSVP ~~~~ This is the WORST VMB, but VERY easy to get an account. When it answers, hit * for a directory of the boxes on it (it only holds 23.) If yo hit # you will be given a menu of choices, and when you choose an option, you will be asked for your ID number. This is usually the same as your User number, which are always only 2 digits long. A.S.P.E.N. ~~~~~~~~~~ OCTEL TELECOMMUNICATIONS makes the Aspen system, and it is one of the best VMS's around. To get a box on Aspen, you need to find an empty box. To find an empty box, just scan box numbers. If one says "You entered XXX. Please leave a message at the tone." then this is an empty box. Just press # and when prompted for your box number, enter the number of the empty box. The lady will guide you through setting up your box. She will then ask for "Your temporary password." This is usually the same as the box number, 4 digits long, or a number like 1000,2000, etc... You can make a Distribution list for where you want a message to go, set it up so that a password must be entered before a caller hears your greeting, etc.. The System Managers account gives you complete control over the system. LIST OF VMB SYSTEMS ACROSS THE US- 1-800-222-0311 1-800-321-6366 1-800-759-5000 ______________________________________________________________________ Hacking CABLE - (This is written from MANY different Text files. Not all techniques have been tested yet. If you have a different way to hack CABLE, then call one of the -=Ministry=- Nodes and tell us!) There are four methods of pay-channel security that are used most commonly. Each type has different methods of using the cable-ready receivers. JAMMING: ~~~~~~~~ A Jamming signal is placed between the picture carrier and the aural carrier of the secured channel. The Cable operator supplies a filter for each customer for each pay-channel they subscribe to. This type of security can be defeated by using homemade NOTCH filters (discussed later.) TRAPPING: ~~~~~~~~~ In this system, frequency filters are installed in-line with the cable drops on telephone poles. The traps are removed for customers paying for the premium channels. Cable Ready Tc's work fine in these systems. SCRAMBLING: ~~~~~~~~~~~ THE GATED SYNC METHOD Scrambling in Cable TV still means pulled sync suppression. In it's simplist form, amplitude of the picture carrier is reduced by 6 db during the horizontal blanking intervals and sometimes during the vertical blaking intervals. The resulting video signal has sync tips between the black and white levels. Sync seperators in the set cannot operate properly with this signal, nor can AGC and colour circuits, so the picture is scrambled. A decoder compensates by antennuating the signal during the time in which the transmitted signal was not antennuated. In order to accomplish this, the logic controlled gain switch must get timing information. In-Band systems transmit pulses as amplitude modulation of aural carrier or a seperate carreir in out-of-band systems. OUT-OF-BAND-SCRAMBLING The usualt set-up is that the decoder is connected directly into the cable ahead of the channel converter. Decoding is done at the pay channel frequency. The decoder is likely to be in a seperate box, added to an old system to provide pay channels. The box consists of a simple (90-1290 Mhz) receiver for the our-of-band data carrier and a broad band 6Db gain switch. There is provision for several scrambled channels, each with a different data carrier. This system is directly compatible with cable-ready receivers. Without the cable converter, the decoder is connected to the TV. Tuning and remote features of the TV are preserved with the only inconvenience being the need to operate the switch on the decoder when changing to and from any scrambled channel. Out-of-band systems tend to last untilt he operators using them rebuild to provide for a large increase in the number of channels. IN-BAND-SCRAMBLING: In this system, any number of the available channels can be scrambled. Because the data carrier for each scrambled channel is in it's own aural carrier, only one data reciever (at the aural carrier - i.e. Channel 3) is required. The decoder detects the presence or absence of data automatically switching itself in or out. The convertor-decoder box can be hardwired to decode just the channels ordered, using a prom-like device. Alternatively, the transmitted channels can be tagged by time division multiplexing binary tag (program identification) data with the sync data on the aural carrier. The decoder boxes can be wired for tiers (groups of programs the cable operator sells together) rather than fixed channels, giving the operator more flexibility. The decoder boxes can be addressable. These boxes have a seperate out-of-band data channel for data from the head end. Each box has a serial number burned into it's logic or otherwise available to its logic circuitry (EPROM), and it's channel or tier authorization stored in volatile RAM. A computer at the head end periodically addresses all decoders in the system individually and loads each with the channel or tier capacity ordered by the customer. The need for house calls is reduced, Pay-per-view is possible, and missing boxes can be turned off, rendering them useless for premium channel viewing. Some, but not all, of these features can be programmed into out-of-band systems Aside from their ability to generate sync pulses, thus foiling the scrambling system, cable ready TV's have presented another difficult problem for in-band systems. Because the decoder operates at the converted channel, a channel converter is required ahead of it. Whether the TV reciever is cable-ready or not, it operates only at the converted channel,w asting the tuning and remote control features. *YAWN* So, now you're wondering how to bypass all those security methods, right? Well, there are MANY ways, and each depends ont he type of system you have. How to figure out if you have GATED SYNC SCRAMBLING. This is characterized by correct sound (you hear everyone talking just fine), and a picutre that is ALMOST normal, but looks like the vertical hold needs to be adjusted. If you want to be 100% sure, call up your cable companies customer help line and ask. They will answer you, so you won't sound stupid. Where to pick up GATED SYNC decoder-units. Look in the back of elctronic magazines. Not the yuppie ones like Popular Electronics, but the dedicated ones like Radio-Electronics or The Amateur Radio Tech Journal. You can get them for $35-60 from : J & W Electronics Inc. P.O. Box 800 Mansfield, Ma. 02048 (800)/227-8529 (orders) (617)/339-5372 (Tech info) How to figure out if you have SSAVI Scrambling. (Suppressed Sync Audio Video Inversion) The picture will look like a photograph negative, with the first 14 lines scrambling all around and very bad sound. All the information is sent in the first 14 lines, so you DEFINITELY need a hardware device to sort through all this. THEORY - The suppressed sync signal is transfered from the first few lines of video transmitted (which are transmitted normally.) The box "sees" these 14 normal sync pulses and calibrates itself to reproduce these sync pulses for the rest of the frame of video. It then inserts these pulses where needed in the signal to produce a normal picture. This re-calibration for every frame is necessary, though. Sync pulses over 500 times a second, and if the clock were not constantly re-vamped, it could get out-of-sync with itself. The Audio is transmitted on a subcarrier at about 15 Khz. All the box does is re-transmit the audio on the proper frequency. The video signal is randomly inverted, but the mode can only be switched between frames, not between fields, making the job of detection, and re-inversion, easier. The ZENITH SSAVI Decoder (the inventor of the SSAVI system) is 11" x 7" and about 2 1/2" tall (including rubber feet.) IT has a round, vertical travel pushbutton switch in the rear left top corner, and in a samll metal label on the top center of the box is engraved ZENITH SSAVI-1. There are 3 female F connectors on the left rear and a 3-pin power connector on the bottom right rear. The case is brown, with a wood-grain strip running around the side. You can get a Anti-SSAVI box by writing to: Video Electronics 3083 Forest Glade Dr. Windsor, Ontario N8R 1W6 (519)/944-6443 You can also obtain SSAVI boxes from them. This is the REAL thing. That's why they are selling from Canada. They guarantee that the SSAVI will work on these channels: Ann Arbor 31 Baltimore 54 Wash. DC 50 Chicago 66 Dallas 27 Minneapolis/St Paul 23 San Jose 48 St. Louis 30 Tulsa 41 Boston 27 They want $130 for the box, and a $21/month fee. But htere are ways around that. Another trick is to call up your local Cable company and tell them what services you currently subscribe to. Ask them if you would have to get a new box in order to get more channels. They will say "no", because most of the boxes haev a small coputer in them which can be told over the cable which channels you are authorized to recieve. This is the same computer that decides wheteher the channel you want to watch needs the descrambler. If they say yes however, you are in good luck. If they say no, then you will have to change the authorization codes inside the box itself. There are 2 ways to do this... Inside some of the boxes, there are 4 little dials (potentiometres.) Change to the station you would like to watch that is scrambled and adjust these until you gewt a good picture.. Howver, you may have to change them back when you want to watch a different station. Second way - Get a new box (whether stealing it, buying it hot, or whatever.) open it up without destroying it (harder than it sounds) and look for a set of sockets without chips in them. It will have wires in it instead. Try to correspond the wires with the channels you pay for. Then, try moving excess wires around in.. out.. other holes.. etc.. until you get some of the channels you want. If it is programmed by the cable company, you have 2 more ways to avoid payment. open up the box and find where the computer, descrambler, and receiver are. unplug the computer and just hook the output of the receiver to the input of the descrambler. This does not permit the computer to say which channels to block. The second way is to call your cable company and ask for ALL the services that you don't pay for. They will program your box from the Hq's and bill you for it. A week or so later, call back and ask for the poor-man's packagae again. Tellt hem you didn't like the stations that you paid for. Then, IMMEDIATELY, unplug your box from the CABLE in the wall. Keep it unplugged for 2 or 3 days, then plug it back in. You will have to pay for one month service, but after that, it's just the normal price. Now, if the box doesn't get power, it might run down and erase the authorization codes. One way around this is to find out what voltage it is running with and plug it in with a voltage converter until the few days are up. This would make the box think it was still running, but not actually receiveing any information. --------------------------------------------------------------------- Well, shit. I didn't think I was going to get this one out this year. This may be the last issue until summer next year since I will be in Norway until June. If you have any good hacking tips for Scandinavia, please tell me at either SAMHAIN @ UWACDC (Bitnet) or RAVER @ MAX.ACS.WASHINGTON.EDU (internet) BTW - Good job on the internet hackers directory PHRACK. That's a really good idea. Anyone know how to use the chat relays on any of the UoW systems? Sam Hain