::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: :: :: Combat in the field - Field Phreaking :: :: By :: :: Keltic Phr0st :: :: :: :: For 2280 Magazine :: :: :: ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: INTRODUCTION ============ Hopefully this file should serve as an introduction to the dodgey art of field phreaking. Phreaking is a shadey art at best, but when it involves physical attack on telco equipment and B&E, then it's truly reached a new level. This file assumes that the reader knows -nothing- about the subject at hand [Hey, so what's new these days?], and will take you from the very basics up to an acceptable degree of aptitude with respect to furthering your activities. Field phreaking is fun - nothing beats B&Eing, then running through about 50 or so pairs, stealing docs and basically being a shady bugger. If you fancy a bit of athletics as well, you can also have a chase with the coppers when theyr'e called out to the site! Seriously - It's free, it's educational [You get down and dirty with the physical side of phreaking], and it's always guaranteed to lead to bigger and better things. YOUR REQUIRED EQUIPMENT ======================= You will need the following to gain any real degree of success here : 1. A simple one piece telephone ------------------------------- The phone -must- be able to handle both LD [Pulse] and MF [Tone] dialling. It may also be worth your while to procure one which also allows EBR/TBR [Earth Break Recall / Time Break Recall] selection for use on varying systems. Try to get a reasonably up-market model - the investment is truly worth it; over the next months, your'e going to be treating this phone like a piece of shit and butchering it to "upgrade" it, so choose wisely. Steer clear of the shit that Tandy sells on, and try and get one designed and manafactured by one of the larger telcos. 2. Wire strippers ----------------- Make 'em as small as possible, with an adjustable gauge [ie : they should have a small wheel marked with digits on one side]. Make sure that theyr'e fully insulated against current and voltage. 3. Long nose pliers ------------------- Needle nosed pliers would be handy here - get them if you can. As above, make sure theyr'e fully insulated. Some may have a side hole for wire snipping - this isn't much use unless you like being clumsy, so try and avoid utilising them and invest in some... 4. Wire snips ------------- As above, make sure theyr'e small and fully insulated. 5. Philips screwdriver ---------------------- No specific gauge, just make sure it isn't the size of a mans fist or as thin as a piece of spaghetti. Fully Insulated. 6. Jewellers screwdrivers ------------------------- In the following sizes: 1/32" 3/64" 5/64" 5/32" 1/8" 9/64" You'll pay more for an insulated set, but there really isn't the need - they aren't going to be probing around any current or voltage. 7. Pencil Torch --------------- A bonus for working in hatches or buildings - one with as small a beam as possible, but if you can get them, try and get a set of inspection goggles, the glasses with the pencil torches on each ear. 8. Simple multimeter -------------------- It doesn't have to be a œ250 RS BABT approved unit - a simple device to light a bulb or led in the presence of a voltage will do. Desired values should be a resilience of surge voltages approx 90v (+/- 5). Any decent piece of kit should have surge protection, or selective metering built in. 9. 2 Crocodile clips -------------------- You'll use these to make the bridging jack for the phone itself. 10. Masking tape ---------------- As above, you'll use this for making the handset, but it does come in handy in the field sometimes. 11. An IDC tool --------------- None of this disposable 99p crap - go for a quality tool with a hardened bit and a removal hook. The investment is worth it in the long run. 12. Gloves ---------- Wear these at -all- times to avoid leaving your fingerprints on any surfaces. 13. Telco cabling ----------------- No hi-grade four wire pairs, just some scatter wire for making a quick bridging adaptor when your'e working with a modular frame. This can usually be obtained on site, but bring some just in case. 14. Sharp Knife --------------- Preferably a heavy duty stanley knife, strong enough to slice through 1/2" rubber. ::::: The above is what you'll definitely need for emabraking out into the night; what follows isn't strictly neccesary, but I've often found to be useful. ::::: Multi pocketed combat trousers or flak jacket --------------------------------------------- To hold all of the above... Fuck rucksacks, you wanna travel light, and if you want to be able to reach all you gear quickly without looking like your'e heading out to go trashing, then get a set. It sorta adds to the miltaristic feel of the whole operation. :) Small jemmy [Crowbar] --------------------- For when that DP Cabinet just -refuses- to open for you, and also to facilitate entry into the desired premises, if your target happens to be in some sort of enclosure. Comfortable trainers -------------------- For running in. I highly reccomend Black Nike Air Jordans or AirWalks. Black hooded top and / or black shirt and Monkey hat ---------------------------------------------------- To look inconspicuous [yuh, right...] Gas soldering iron / solder [Rosin core, NOT acid] -------------------------------------------------- I've yet to come across any installations that use solder connections, but I suppose you should always come prepared. The only place I've seen them is inside an exchange, on the distribution frames, but even that seems to be getting rare these days. Make sure it's rosin core and not the heavy duty acid crap that's used for plumbing. Hayes Accura phone jack ----------------------- Not hard to find, it's simply a jack that changes an American style RJ11 jack plug into a BT socket. Very useful if you just paid œ50 for your newly carded SouthWestern bell handset, and you don't want to massacre the plug on it. You could also sacrifice an extension cable, although the strain relief is poor on these at the best of times. Various LEDs ------------ Red, green, yellow, whatever takes your fancy for customising the phone and building in status indicators - It's purely cosmetic. GETTING DOWN TO IT ================== OK, you should [hopefully] have most, if not all of the above equipment sitting in front of you, waiting to be brutalised for your aims. Follow the simple instructions below to make your linesmans handset... Step One -------- Whether you managed to get the adaptor is irrelevant; the conversion for the phone and adaptor is exactly the same, and requires the minimum of effort to effect, the only difference being that the adaptor allows you to continue using your new phone. If you have the adaptor, cut of the RJ11 end [the smaller of the two]. If you have the bare phone, cut off the BT plug on the end of the cable. For those of you new to all the CCITT and FCC terminology, here's which is which - . . ÚÄÄÄÄÄÄ¿ This is the BT modular plug. It is used ³³³³³³³³³ almost exclusively by British Telecom ³ ÚÄÄ¿ ³³ in domestic applications, and in some ³ ³ ³ ³³ networking applications. Note the 6 ³ ÀÄÄÙ ³³ contact pins - very rarely are more ³ÚÂÄÄ¿³ than 4 used. The two pins marked . are ÀÄÂÄÄÂÄÙ the A&B wires, and the two external to ³ ³ that are empty. Ignore the rest for now. ³ . . ÚÄÄÄÄ¿ This is the RJ11 modular plug. It is ³³³³³³ commonly used by most major telcos in ÃÄÄÄÄ´ both networking and telephony. If youv'e ³ Ú¿ ³ never seen one, try looking at how your À³³ÂÙ desktop phone is connected to the base ³ÀÙ³ set. The two contacts marked . are the ³ A&B wires. Step Two -------- You should now be looking at four wires protruding from the end of the cable like so: A B ³ ³ ³³³³ ÚÁÁÁÁ¿ ³ ³ ³ ³ ³ ³ Strip the cable down by an inch or two, until you have the four wires hanging loose and easy to manipulate. The wires we're currently interested in in this case are the two wires which are on either side of the cable. They may be Red and Black, Black and Yellow, Blue and White, Blue / White striped, whatever. Tape these wires down, and snip the two in the middle so they retract back into the cable when it is straightened. The A&B wires will be your cable 'pair', and will henceforth be referred to as such. Step Three ---------- Now take your crocodile clips, and attach one to each exposed wire, A and B. Colour doesn't really matter at this stage. If you want to maintain some degree of security in your connection, solder them down, but make sure that the connection is a clean one - try and avoid a dull solder. Step Four --------- Wrap some masking tape around the base of each clip, to act as a strain relief on the connections. Congratulations, if youv'e followed the above to the letter, then you should have a working linesmans handset. Ain't much to look at, but it does the job. RIGHT, NOW WHAT? ================ Well, now we're ready to have some fun. But before you get tooled up and head out into the gloom to run up massive bills on someone elses behalf, it's important that you know -exactly- what to go for, and what to avoid like the plague. Sites to hit ------------ Look for the following shapes or boxes in your area: A)ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ B)ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ C)ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ÃÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄ´ ÃÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄ´ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ³ ³ ³ ³ ³ ³ ³ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ ³ o ³ ³ o³ ³ ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ³ ³ ³ ³ ³ ³ ³ ³o o³ ³ ³ ³ ³ ³ ³ ³ ³ ³ o ³ ³ o³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ÃÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄ´ ÃÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄ´ ³ ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ D)ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ÚÄÄÄÄÄÄÄÄÄ¿ E)ÚÄÄÄÄÄÄÄÄÄÄÄ¿ F) ÚÄÄÄÄÄ¿ ÃÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄ´ ÃÄÄÄÄÄÄÄÂÄ´ ³ÄÄÄÄÄÄÄÄÄÄij ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ o³ o³o ³ ³ o³ ³ ³ ³ ³ T ³ ³ ³ ³ ³ ³ ³ ³ ³ o ³ ³ o ³ ³ ³ ³ ³ ³ ³ ³ ÀÂÄÄÄÄÄÄÄÄÄÂÙ ÀÂÄÄÄÂÙ ³ ³ ³ ³ ³ ³ ³ ÃÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄ´ ÃÄÄÄÄÄÄÄÁÄ´ None of these are strictly ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÙ drawn to any real sense of scale - the authors memory [ Front ] [ Side ] is sketchy at best, and not really keen on working to G) ÚÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ H) ÚÂÄÄÄ¿ some idiotic specification purely for the ³ ³ ÃÙ À´ sake of accuracy. The above may crop up in ³ ³ ³ O ³ many, many different places - it's really ³ o ³ ÿ Ú´ a case of being able to identify what type ³ ³ ÀÁÄÄÄÁÙ of installation you have found or is ³ ³ I) ÚÄÄÄÄÄ¿ predominant in your local area. ³ ³ ³ T ³ ³ ³ ÀÄÄÄÄÄÙ Obviously, if you live in a major ³ o ³ metropolitan area, you'll have seen many ³ ³ J) /ÄÄÄ\ of these on a frequent basis, and possibly ³ ³ ³³ ³³ ignored them in the past. If it doesn't ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ³³ ³³ appear here, ignore it - It's probably ³³ T ³³ either for traffic light signalling, (C) Keltic Phr0st ³³ ³³ domestic electrity test access, or street ÀÄÄÄÄÄÙ lighting. In any case, think once, think twice, think cooking in your boots because you picked the wrong box and completely forgot your torch... The above boxes all represent what are known in the trade as 'network appearances'. If you want that explained, try and think of it this way - the network of telephone cables only appears at this point, and it's here that any maintennance, test or works access is carried out, up to the exchange. Such appearances include PCPs [Primary Crossing Point - the first wire cross and access point past the exchange], SCPs [Secondary Crossing Points], DPs [Distribution Points - the point at which the customers pair is brought into contact with the PCP/SCP wire plant] NTTPs [Network Testing and Termination Point - commonly found in large offices and buildings, much like a small scale internal crossing point] and Distribution Frames [only really found in large apartments and businesses with lots of telecom equipment]. Here's a key for the above. A) Old Post Office [Usually marked GPO with a crown] DP/PCP/SCP. Very messy inside, difficult to open, very heavy doors, made from cast iron. [Usually marked with black army style digits to indicate to the engineer which area the box refers to - ignore these unless you happen to know someone within survey control at BT]. The cables inside are simply tied off to each other at the cross point after being brought up from vertical bars for each trunk cable, and are connected with very fiddly, messy plastic snaplocks. You may strike it lucky and get a box used by a lazy engineer, in which case, one of the lock mechanisms may be loose or even missing completely. Not very common in major urban areas. Variations on the above include those with modular frame systems [See below] and those that have a padlock bracket on the front, between the two locking heads. Colour : Green / Black B) Newer BT DP/PCP/SCPs. Sometimes use very annoying locks not unlike tubular locks to stop access - BT seem to realise that the old triangular style locks are easy to bypass and offer little in the way of security. Very tidy inside, they utilise a modular frame unit for crossing and reference, which allows for easier pair identification and test access. Theyr'e painted British Racing Green, and have a black or white BT logo stamped on the side at the top with the plant number underneath, and an indication, either handwritten or stamped, as to what the function of the box is, ie: PCP, SCP, DP, etc. Made from a sturdy but lightweight metal, very easy to work with. Colour : Green. C) Very much the same as B, but the entire front of this unit comes off. Normally painted green, but may be grey in some cities, depending on how conspiratorial BT feel, or how badly the council feel they affect the overall look of the place. Not usually marked, but on opening the plant number may be written on the inside of the hatch. These are commonly made from fibreglass, as the entire front hatch is usually seperated from the main unit to facilitate access, and has to be easy to move for a single engineer. Uses the triangular lock system, so a prime target - just watch out for cameras. Colour : Green / Grey. D) CableTel / Cable and Wireless / Mercury network appearance, although it may occaisonally be used by BT for large scale suburban application. Try and avoid these - theyr'e hard to open, and they have little of interest inside - just some simple TPON mulitlplex equipment, and a couple of fibre optics terminators. When CablTel finally get their act together and start supplying carrier instead of just digging up our roads, I might take a proper look inside one of these. As you can see, there are many doors on this unit - a side view is also provided. In the side, there is usually a test set or pressurisation equipment, with the rest of the box usually being left empty, save for one cabinet [usually the middle] being allocated rack space for the MUXs. Bearing in mind that CableTel are pretty much dragging their heels right now, this may explain why most of them seem to be empty - I'm just waiting for 'em to start blowing fibre down those lovely green tubes. Colour : Green. E) CableTel again, but for what purpose I'm not 100% sure. It appears to allow test set access, and on cursory inspection seemed to have a facility for plugging in a supplementary modular jack. Looked -very- like a small scale version of (D), possibly the Cable equivalent of the Distribution point [they tend to enjoy the same dispersal that external small scale DPs do]. Colour : Green. F) Rural DP. Looks not entirely unlike a small silver box, about a foot high, with a circled T logo, and a triangular lock on the base. Easy to open, but messy as hell - go for the thinner ones rather than the wide flat ones, and you'll find them less messy and generally better maintainned. The thinner ones are commonly used in smaller cabling drops - the wide ones can be found at the bases of poles and hidden in ditches. After unscrewing the lock, the case slides up and off. Remember to replace the card that drops out, to stop the pairs snagging on the box and being severed when you re-close it. Colour : Grey / Silver G) Distribution Frame. Bliss, although the locks can be a bit of a pain. They actually use proper locks on these, so it looks like the jemmy may be in order if it's for once only use. The top, bottom and side panel can be knocked through to draw in cabling, and inside, there is almost half the capacity of B) or C). All the wires are terminated and crossed on a modular frame, which makes your life very easy, and if theyr'e feeling generous, they may even put some site documentation in the pocket on the inside of the door. Take it, it'll save you having to check each pair out individually. I'm currently trying to pick the locks on one of these, and managed to secure a set of keys - I haven't had a chance to check them in other boxes, but I doubt they'd all be the same - Work order sheets usually have an entry denoting who is the key holder on site, and in most cases, this will be the landlord or telecoms manager. Mug him and steal the keys if your'e that desperate. Colour : Grey. H) Network Termination and Testing Point. Never locked, opens easily using the largest jewellers screwdriver in your set. The screws are recessed on each corner of the box, and once open, the removed panel should have a written indication as to what each pair is, and the number assigned to it. Uses a bare modular frame, usually, oooh, 20 pairs or so, with maybe a three pair module as well for test cabling. Commonly found near or beside G). Colour : Grey, made from plastic. I) Radial Distribution point box and / or customer dropline termination. This can be found on walls and poles, and serves as an interface point for test access, or to draw cable off from a larger trunk into a building. Piss easy to access, the case slides up and off, and is stopped from crashing to the ground by a neat little chain. If memory serves me correctly [very rarely have I found myself working with these] the connections inside are screw terminations. Theyr'e commonly stamped with the circled T logo to identify them as BT plant, and can often be found near hastily installed patch points, which resemble a large black cucumber. Don't go climbing a pole or scaling a wall to acces these - if you can't reach it, or it looks like it's been zipplocked shut, then just leave it. Colour : Black / Grey, made from plastic. J) See above. D) may frequently have B) beside it in large scale applications, possibly as a feasible entry point into the PSTN from an optical network. LET'S GET BUSY! =============== Now your'e probably wanting to know what a modular distribution frame is. Well, a single unit may look like this. ÚÄÄÄÄÄÄÂÄÄÄÄÄÄÂÄÄÄÄÄÄÂÄÄÄÄÄÄÂÄÄÄÄÄÄÂÄÄÄÄÄÄÂÄÄÄÄÄÄÂÄÄÄÄÄÄÂÄÄÄÄÄÄÂÄÄÄÄÄÄ¿ ³ 0001 ³ 0002 ³ 0003 ³ 0004 ³ 0005 ³ 0006 ³ 0007 ³ 0008 ³ 0009 ³ 0010 ³ ÀÄÄÄÄÄÄÁÄÄÄÄÄÄÁÄÄÄÄÄÄÁÄÄÄÄÄÄÁÄÄÄÄÄÄÁÄÄÄÄÄÄÁÄÄÄÄÄÄÁÄÄÄÄÄÄÁÄÄÄÄÄÄÁÄÄÄÄÄÄÙ Nice and tidy, all labelled and ready to use. This holds ten pairs, and they are IDed by the cable number written on the slide paper at the front of the panel your'e currently gawking at. Slip your index finger under the bottom of the panel and pull towards you... . Hey, it's open! Push this up until it clicks into place against the one above [if it doesnt stick, open that one, and then try again with this one]. You should now be looking at something like: Ú Ú Ú ³ ¿ ³ ÚĺÄĺÄÂĺÄĺÄÂĺÄĺÄÂĺÄĺÄÂĺÄĺÄÂĺÄĺÄÂĺÄĺÄÂĺÄĺÄÂĺÄĺÄÂĺÄĺĿ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ³ ÀĺÄĺÄÁĺÄĺÄÁĺÄĺÄÁĺÄĺÄÁĺÄĺÄÁĺÄĺÄÁĺÄĺÄÁĺÄĺÄÁĺÄĺÄÁĺÄĺÄÙ ÄÄÀÄ¿³ÄÄijÄijÄÄÄÙ ³ ³ ÀÄÄÄÄÄ ÄÄÄij³ÄÄijÄijÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄ . . It's rough as hell, but it gives you the general idea. Pairs either come in from the top or bottom of each little numbered box, and are then cabled out to whatever equipment they may be connected to, a telephone, a PBX, whatever. Let's take box 0002 in this case, indicated by the two dots below it [you should have some spare wire to hand for this]. Strip the ends of your spare cabling, and then using the IDC tool, insert the wires into the grooves and push. They should slide home no problem. You should now have two exposed wires pointing towards you. Get your handset, and clip onto the wires, one clip for each wire. [You'd be surprised how many people fuck this up...]. You should be able to hear a dialtone in the earpiece of the phone [as per usual]. Tip : If your phone has a 'MUTE' or 'S' button, keep it depressed when you connect the final clip - if someone is making a call, the worst they'll hear from your end is a slight crackle as the clip goes on. If you hear someone, get off straight away, unless you actually specifically intend to eavesdrop. If you didn't get a dialtone, check: No-one is currently calling on that line. Your connection's polarity is right [try swapping the clips around]. It isn't an unallocated circuit [there should be a steady voltage thru it]. If you do get a dialtone, then youv'e achieved your aim. Youv'e 'bridged' that persons telephone circuit, and you can now call, for free, anywhere you want. Cool. Have a wonder around the frame, and see what else is there. You never know, you might find some computer systems tied off the frame, or even some zippy little in-house test facilties. Anything can turn up here, because all the lines are concentrated at this point before leaving the premises. Hence the rather tough security on some comms rooms and sites. Always remember to tidy up after yourself, and not to leave suspicious little snips of wire all around. Older Systems ------------- Those were the days... Fortunately, BT has seen sense now and utilises the modular system for most field operations. The old system was -appalling-. Nothing was worse than getting out to a box, opening it, and having to spend bloody hours trying to find what you were looking for because of someone elses sloppy work. Thank fuck I don't have to do that anymore. If, however, you are thinking of attacking one, take note. To access a pair, take your long nose pliers and grip the pair firmly below the connection point. Take your strippers, and draw them firmly up the wire, to expose the copper, but not to sever the connection. Clip on to the exposed pair, and proceed as normal. The same goes for the rural DPs and any system backward enough not to be actually bloody organised. Manholes and subs ----------------- Now we're talking. dodgey as hell, and I strongly reccomend against doing so [they can be decidedly unhealthy places], but if your'e willing to take a risk, go for it. Simply slash open the large black jointing chambers with your knife to expose the wires inside - be prepared to slash a lot of rubber before you get through though. A lot of crap gets put in there to seal the chamber as well, so remember to wear your gloves. You'll need some heavy equipment to move the hatch - I don't know where to find this, but drag some friends and crowbars along, and you should have less problems. Unless you live in London or some other sprawl, then it's unlikely you'll actually be able to hide in the manhole - look for the larger, three panelled hatches. NTTPs ----- Very easy - just apply what youv'e learnt about modular frames to this, and you'll be sorted. Always remember to check out the test circuits as well, you never know what you might find. LOCKING SYSTEMS =============== Keys are very hard to find for this type of plant equipment. The lock itself on the older triangular system consists of a rectangular bar, held in place by a screw with a triangular head. When the head is loosened, the bar can be rotated, and the door opened. Before you start huffing and puffing, you should always try pushing the door with your knee and turning the triangle with your fingers. 6 times out of 10, it'll spin open with relative ease. The bar can be forced to rotate, but a half-hearted attempt may lead to it locking still tighter. Try and make your own key for these - a simple one can be made from an old tin can and some ducting tape. I built one a couple of years ago before I could get my hands on a proper wrench set, and it worked a treat. Circular socket wrenches are beatifully smooth at opening up the boxes as well. Just find a size that sits comfortably on the head, plug in the lever, and twist - - et voila, one open cabinet. Distribution frame locks are pretty feeble as well - the lock bar metal consists of a 1/2" strip of steel held onto the mechanism by one nut/bolt arrangement. Use plenty of force directly beside one of these, and it'll pop right open a treat. I have absolutely no idea how to circumvent the newer locks - I'm not a proficient locksmith, and I don't want to have to learn simply to gain access to some wiring. I just borrow a friends cordless hammer action drill, and take the lock out of the picture completely. Brutal and messy, but it gets me what I want. Luckily, BT havent gone nuts with locks yet, so I'll refrain from my mindless vandalism until such time as I can either afford a lockpicking gun or steal one of the locks to dissassemble. The newer triangular locks which sit flush to the box surface open with the same tools as used for the older ones - the only difference seeming to be the lack of the rectangular locking bar, and the radically smaller size. The newer ones also have less clearance between the locking head and the lock housing. WORDS OF WISDOM =============== I've heard some crap about alarm systems in these boxes - quite simply, don't believe the hype. I've nailed well over 27 of these boxes in a major urban area and not seen anything of it's type. There's also some paranoia about alarmed pairs that'll ring the police when theyr'e accessed(?) I don't know who the fuck puts this stuff out, but it's flagrant bullshit. Secondly, ignore The Nomad's file on Beige Boxing. After reading it and generally taking the piss out of it, I came to the conclusion that he's never actually engaged in the act, has never seen inside one of the boxes, and just wrote the file to look good. Damn, the price of fame, eh? Thirdly, if you open a box and it doesn't hold what your'e looking for, but is full of pressurisation equipment, or power equipment, don't play around with it. This is A) Dangerous and B) Stupid. Not only will you -immediately- attract attention if something goes wrong, but you could easily be killed / dismembered / brutalised if a gasket decides to rupture, or a bare cable arcs against the case. It's not uncommon to find the above in these boxes - some remote DP/PCP/SCP looking boxes often hold pressure equipment to keep air in the lines, and some very heavy duty power related stuff has been found in these once or twice. If you don't know what it is, and it isn't detailed here, proceed with caution. CUSTOMISATION ============= Professional equipment for testing always comes laden down with masses of visual and aural indicators to assertain what is going on upon connection. One simple mod you could make consists of a pair of LEDs on each leg of the cable pair, to show ringing current flow [if youv'e disabled the bell] and polarity reversal, as well as substantial voltage decrementation and surge. Try the following: ÚÄÄÄÄÄÄÄÄ¿ ÚÄijÄÄÄ´ÄÄijĿ ³ ÀÄÄÄÄÄÄÄÄÙ ³ ÚÄAÄÄ´ ÚÄÄÄÄÄÄÄÄ¿ ÃÄÄÄAÄ¿ ³ ÀÄijÄÄÄÄÃÄijÄÙ ³ ³ ÀÄÄÄÄÄÄÄÄÙ ³ ÄÄÄÄÙ ÚÄÄÄÄÄÄÄÄ¿ ÀÄÄÄ ÄÄÄÄ¿ ÚÄijÄÄÄ´ÄÄijĿ ÚÄÄÄ ³ ³ ÀÄÄÄÄÄÄÄÄÙ ³ ³ ÀÄBÄÄ´ ÚÄÄÄÄÄÄÄÄ¿ ÃÄÄÄBÄÙ ÀÄijÄÄÄÄÃÄijÄÙ ÀÄÄÄÄÄÄÄÄÙ The more observant among you will notice that this circuit will light a respective LED on each pair leg, depending on the polarity of the current. This is simple, easy to make, and very handy. Simply take 4 LEDs, 2 green, 2 Red, whatever, and make two sets of Red and Green, arranging them in series with the cable pair in the arrangement shown above. The more pedantic amongst you might consider including voltmeters as well, for that added 'look and feel'. BTW, when considering a professional handset, choose an unapproved model if possible. Very often, the handsets will only pass BABT approval if they place monitor tones on the line when theyr'e connected. Now, this may be easy to bypass, but it means the added hassle of brutalising a brand new piece of equipment. Try Nimans for their range of handsets, or failing that, Jensens. Jensens do an excellent range of portable handsets, commonly used by BT, and also provide Frame Jacks with some of the more upmarket models. Nimans supply a superlative miltary grade model, complete with rotary dialler and keypad, as well as a host of built-in grounding and signalling testing facilities. ATTITUDE ======== Please don't go under the misconception that your'e not doing anyone any harm here - what you are doing is highly -illegal- and should be thought of as such at all times. Don't pretend to be an engineer - unless you know what your'e saying, your'e gonna sound damn stupid. Don't climb bloody poles to go beige boxing either. Surprisingly enough, this also draws peoples attention. Just use your common sense, apply a bit of stealth at all times, and your'e days in the field should be healthy and long. ::::: APPENDIX A : FRB, SALT, CPI =========================== The following tests are commonly used in day to day line testing and evaluation within BT. They are Faultsman RingBack, which is used to test customer / exchange / customer signalling, ringer voltage and REN, Systems and Lines Test which is used for extensive testing of DTMF signalling, pulse signalling, Ground / Earth voltage and CallBox pulsing, and Calling Pair ID, which is used to check for an engaged or free line without engaging in a call to that subscriber. Test numbers may vary radically between exchange systems, although those presented here are known to work on generic System X and AXE 10 switching systems. What follows is not my own work, but merely a collation of readily available resources. Exchange Test Numbers --------------------- Abbreviations ------------- SPM = Subscriber Pulse Metering CPI = Cable Pair Indicator (Loud tones on line to identify cable) LPI = Line Pair Indicator (Gives telephone number connected to) SALT = Subscriber automatic line test FRB = Ringback Test ::::: TXE4 - Electronic Equipment: SALT Dial 175 and wait for "Start Test" message Replace handset. Rings Message: "Line Testing Ok" or fault if present. Continue, wait for dial tone for dial test. Dial 1 3 0 5. Rings. Message "Testing Ok" or fault if present FRB Dial 174 LPI Dial 188 gives directory number & equipment, or if not, Dial 187 gives equipment number. CPI 176 plus full national code (i.e. 176 081 553 7104) Tone is present on line when dialled. Replace receiver to cancel tone. ::::: TXD-X - System X Equipment SALT Dial 175 FRB Await ringback and listen for message. Continuation tests. Await interrupted dial tone. Dial "1" for dial test. On LD phone, dial 1-0. On MF phone, dial 1-9*0#. Dial "4" for SPM test. 10 metering pulses are sent, then NU tone, followed by 10 more pulses. CPI Dial 176 plus full national code (i.e. 176 081 553 7104) (This will only work from same processor) Wait for short burst of tone reminder, then tone is transferred to the specified line. To disconnect tone, replace handset. ::::: TXD-Y - System Y Equipment SALT Dial 175 Await ringback and listen for tone. Dialtone = OK Engaged = Suspect Faulure = Fault Dial next test if required, tests as follows: 2 Low A/B Insulation test | 3 A/B to earth | Insulation tests 4 A/B to battery | 5 A/B loop to earth | 9 Bell answer before 5th ring 11 SPM test 7 Loop Res test 8 Dial test. LD Dial 0. MF Dial 1-9 0 10 Rec all pre 6 Line reversal for diode check Dialtone = OK Engaged = Suspect Failure = Fault FRB 174 ::::: APPENDIX B : SOURCES AND EQUIPMENT ================================== I'm afraid only the best will do for me, so I get all my gear from Nimans or Jensens, both wholesale and consumer telecoms suppliers. If you want their addresses, ask around, or pick up a copy of Communicate - your'e guaranteed to see an advert for them in there somewhere. For those of you with less of other peoples money to spend, try your local Maplins and ask for the following: REQUIRED EQUIPMENT : Item Price Maplins Code ==== ===== ============ Rimini One-piece telephone œ9.99 CN11M Digital Multimeter œ22.99 KW10L Telecom Impact Tool œ14.99 BP42V 130mm Long Nose Pliers œ2.99 GW99H Miniature Side Cutters œ3.99 GW96E Side-Action Wire Strippers [8B] œ2.99 BR94C Precision ScrewDriver Set œ1.99 BR58N Standard Crocodile Clips 26p [Each] FS48C/FS49D Standard Crosspoint Screwdrivers 60-99p JH03D/4E/6G Rubber Torch œ4.49 ZC09K Black PVC Insulation tape 99p FM84F Digital Multimeter œ19.99 GW17T Riggers Gloves œ2.19 RJ04E Retractable Blade Knife œ2.79 FY03D Blades for the above 89p FY04E ::::: OPTIONAL EQUIPMENT : Electricians Bolster Chisel œ4.79 RJ05F Gas Soldering Iron Kit œ34.99 AJ97F US to BT adaptor œ2.99 AR34M Combat Trousers, Monkey Hat, Flak Jacket, Webber shirts, etc, all available from War and Peace, or any good army surplus or wholesale store. Try not to look shifty when you go in... ::::: GREETINGS ========= Heading out to : Atrocity, Z-n0te, Cherokee, Bully, Krew-L-T, Van Hauser [THC Rocks BTW, keep it up], Mini Master, Greytor, Coldfire and Oedo. ::::: "How else can you explain The erosion of talent and the vision thing to the point where the best that they can come up with for our future role models and leaders are vicious blind machines Like Albert Gore and Dan Quayle?" :::::