
              $**********************$L. \\\\\\\\\/
     $**$$ $$$$$$$$$ $$$$****$******$
      ~~ $$    %%$$$$%%    $$$$$$$****$                      Volume 2 Issue 1 - 05/28/2002
          $$   %%  $$  %%   $$$$$$$*#$*$                            "Null and Void"
          $$Sprint $$Sprint $$$$$$$*#****$
          $$$    $$$    $$$$$$$*#*****$
        $&&&&&$$$npa nxx$$$$$$%**#******$
      $&&&&&&&&&&% ~T$$$$$$$T~********$
      $&&&&&&&&T'        OOOOOOOOOOOO********$
:::::::::::::::::::::::TABLE OF CONTENTS::::::::::::::::::::::::::::
::                                                                ::
$.$.$.$. Introduction and Updates. $.$.$.$.$.$.$.$.$.$           
::                                                                 ::
:: 1. DSS Card Programming and Opcodes for programming...bikr      ::
:: 2. Wireless Beige boxing..............................captain_b ::
:: 3. Hiding Running Services from Portscanners Part I...phractal  ::
:: 4. A taste of "their" own medicine....................bor       ::
:: 5. VERIZON TELECONFERENCING...........................ic0n      ::
:: 6. Care for your SecurID card.........................Bryan     ::
::                                                                 ::
.$.$.$.$. Links and Advertisement .$.$.$.$.$.$.$.$.$.$.$
::                    (see end of issue)                           ::
ooOoOoOoOoOoOoOoOoOoOO-Staff Emails-OoOoOOOoOoOoOOOOoOoOOoOoOoOoOOoO8
88                                                                  O
OO    bor                         bor@teamphreak.net                8
88    mcphearson                  parenomen@teamphreak.net          O
OO    phractal                    phractal@teamphreak.net           8
OO    stain                       stain@teamphreak.net              8
88    Article submission          articles@teamphreak.net           O
OO    To email the entire staff   staff@teamphreak.net              8       
88                                                                  O
OO By the way if there is some dying need to get in touch with us,  8    
88 and it can't wait you may do so by phone. You can call the       O
OO teamphreak toll free information hotline/msg center at           8    
88 1-866-248-7671 ext: 3974 after you enter in the pin you          O   
OO must wait a little bit before it will connect. Also, there       8
88 is no # at the end of that pin                                   O          
OO                                                                  8
88                                                                  O
ooOoOoOoOoOoOoOoOoOoOOo-Shout Outs-OoOoOOOoOoOoOOOOoOoOOoOoOoOoOOoOOo
OO                                                                  8    
88      bikr       wildsmile       zylone        Captain_B          O   
OO      vap0r      lynx            b4b0          1337secuirty       O   
88      gizmo      ic0n            awnex         goodbyte           8  
OO      rotary     deadcode        janus         bryan              O    
88      lucky225   setient         ppchq                            8  
OO      iluffu     overlord ddrp   tek250                           O   
88                                                                  8 
ooOoOoOoOoOoOoOoOoOoOOo-Note from editor-OoOoOoOOOOoOoOOoOoOoOoOOoOOo
88                                                                  0
OO Team Phreak contributes to the scene. We write our own articles  8   
88 and do not rely heavily on outside sources for our issues,       O
OO unlike some other groups (unless otherwise noted). We may        8
88 use other materials for news articles or in research purposes    O
OO to verify what we type is fact,  but we guarantee that all       8
88 articles are written by us and anyone who wishes to contribute   O
OO original texts. Also please come and visit us on irc at          8
88 irc.teamphreak.net or irc.phelons.org and join us on the         O
OO world wide web at www.teamphreak.net                             8    
88                                                                  O   
                    ______  /_/\
                 /-/ / / /-/  \_| _________________
                / /==//=/_/    `-'               //|
                |/=====/            EFnet       // |
                /=====/_                       // 0|
               //    ///----------------------//  /
              //    /// .----O   #TEAMPHREAK  || /
             //    /(/ //\__/ ________________/|/
            //    /   //\ \/ /
           //    /  '-----' /
          //    /  / _____./
         //    /  / /
        //    /_ / /
       //  /''/-\\/
      //  / //  //
     //__/ //  /
   /| _  \//_ /
   [ |_|   . | www.teamphreak.net

 _  _    ___  _   _   _       _  ___  _  _    _    ========               
 | | \ |  |  | ) | | | \ | | /    |   | | |  | \ | ========                    
 | |  \|  |  | \ |_| |_/ |_| \_   |   | |_|  |  \| ========               

Team Phreak's here, kicking it in summer 2002. Summer is always
a treasured time for phreaks and hackers alike, as it is usually 
the end of school, temporarily. Summer means more free time
to try and find that format string overflow, seize that trunk, 
go on that 3 week long conf, or better yet, attend an actual
physical hacker conference. Anyway, enjoy the issue. - phractal (phractal@teamp


  _   _   _   _   _   _   _   _   _   _
 / \ / \ / \ / \ / \ / \ / \ / \ / \ / \
( T | e | a | m | P | h | r | e | a | k )
 \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/
              _   _   _   _   _   _   _   
             / \ / \ / \ / \ / \ / \ / \ 
            ( U | p | d | a | t | e | s |
             \_/ \_/ \_/ \_/ \_/ \_/ \_/ 

- [03/02/02] - Listed on www.ppchq.org
- [03/10/02] - New Npa-nxx Layout!!!
- [03/22/02] - New site layout up!!
  _   _   _  
 / \ / \ / \ 
( E | N | D |
 \_/ \_/ \_/ 

1."DSS Card Programming and Opcodes for programming" ---===============---
Written By: bikr (bikr@bikr.net) ----=================================----
Written For: NPANXX 005 (www.teamphreak.net) ----=====================----
Written On: 04/xx/02------===========================================-----

Part one will explain what DSS is and how it works, and 
part two will have the opcodes for programming DSS.


   Yo. What's up, I'm writing this for my boy Bor.. He's the shit and has 
helped me out many times so, when he asked me to write an article I 
said no prob.. Anyways.. If you haven't read the title of the article then 
you don't know what it's about, so look up at the writing in between 
the *'s up top.. Go ahead I'll wait......... Got it? Good.. now you're 
filled in..  Ok, to understand how to work with satellite piracy, you 
must understand what's going on.. take this schematic to heart as it is 
the heart and soul of what we are messing with...

|Direc| --- Satellite ---- dish ---- house -- receiver -- ird - card

Ok.. I started to draw it and I got bored so I just typed it.. 
Basically Direc-tv sends their signal up to a satellite and the satellite just 
rains down the signal 24 hours a day.. any dish that points in the 
right direction can pick up the signal.  Once the signal hits the dish it 
travels via coaxial cable to the receiver. The receiver is basically a 
box between two cables with a break in it..  -----signal---- BREAK 
----signal----    Now.. the box is what determines if you are allowed to view 
what's being sent, and interrupts it accordingly.. To do this, it uses 
a smartcard programmed with which channels you are allowed to view 
etc.. That is why your receiver stays plugged into the phone line.. So a lot 
of people are thinking.. Hey call up, order service, then unplug the 
phone line and cancel subscription right? *beep* wrong.. Ok.. here's 
what they do when you cancel.. They'll put a signal on the stream that 
has your card's serial number on it and it'll basically tell the receiver 
to format your card..  

Now.. in the past cards were duped, and eventually decompiled and we 
figured out how they worked.. Started a BIG scene of piracy and then 
Dave - Directv said.. Nope sorry, and sent down an ECM that attacked all 
non-subscribed cards and cleared the boot load sector of the cards.. The 
only way to fix this was to get a new card.. Until someone figured out 
a way to bypass the boot loader and boot from a separate device.. 
"Boot Strap Loader"  if you had a "black sunday" <--called that because the 
ECM happened on a Sunday and everyone's screen went black.. Anyway if 
you had a black sunday card and a bootstrap loader you could again watch 
TV!! yay!!!!  Well.. Guess what.. eventually Dave started issuing new 
cards.. aka Football player cards.. They have a picture of a football 
player on the front..  Another name for the new cards is "HU Card", that 
name came from the letters in front of the card's serial number ex.. 
HU-123423--234234 etc..  The old cards were called H cards.. They have a 
picture of a satellite on the front.  

These new cards have presented a larger challenge to break through due 
to heavier encryption although eventually someone did it.. And TV on 
the new cards was free too.. The H cards never really died out though.. 
Direc-tv left the H stream and the HU stream on at the same time so as not 
to disrupt the H card subscribers.. Recently Dave has said that they are 
sending all subscribers the newer card to replace the H card.. If you 
have an H card and don't send it back it'll be useless within a month 
they say.. So in this discussion we'll concentrate solely on HU cards..aka 
football player cards..  

Let's think about what happens.. You put your card in the receiver, it 
says ok what channel is bikr on? channel 595 <--porno.. it checks the 
card to see, hmm.. is bikr allowed to watch porno? Now if you ask Prin 
<--bikr's fiance.. The answer is no, but if you ask bikr's hu card.. 
the answer is yes..  I know what you're saying, but how do I get porn on 
mine Bikr how how how.. Ok slow down.. It's not too hard to get into, 
but if you wanna keep your card from getting knocked down by Dave 
you'll have to study hard..  Here is a list of things I suggest you purchase 
or acquire....

1. Extra cards 
Cards get looped and as of right now, there is no fix for a looped HU 
card.. loop basically means that the boot loader tells the card to jump 
to a certain register, for example register a1, then the a1 register has 
the code to revert back to the bootloader.. AKA loop.. alrighty.. let's 
go on..

2. HU Loader
This is a necessity, it's a box you plug into your computer, it is 
the card programmer, you insert your card in and then run a lil program 
and boom, your card is loaded.. 

3. Private HU Script
These are hard to come by. Why you ask? Well cuz they are private 
stupid.. Best bet? Learn low level assembly and make your own.. I'll discuss 
this later..

4. Extra cards
I can't stress this enough.  You are going to ruin a few cards if you 
write your own scripts.  And if you're letting someone else write them, 
then get twice as many cards cuz they are gonna get shot down a lot.. 
never throw them out though, eventually unlooping will be possible and 
this is when you will make mad cheddar selling your unlooped old cards..

OK now that you have the stuff needed we can start..  Once you get your 
Huloader installed you'll want to grab an app called  "Extreme HU", the 
newest version is 2.0.. Lots of good stuff, check it out.. Once you have 
that installed grab the latest script floating around from 
www.dssware.com, make sure you grab a HU script and not an H cuz that'd be bad..
<--insert new card here.. Anyways.. If you have your hu script, put the 
card into the loader and hit <clean card> in huextreme.. This will wipe 
the current krap off the card and get it ready to be loaded.. Now you 
want to click the button up top that says  HEX and use extreme hex 
file.. Then just browse and find the file.. Once you find it, go through 
the popups and check marks and fill in the stuff custom to you, ie.. 
time zone etc..  

Once you're done hit ok and it'll write the card with the program.. If 
this worked properly you can take the card out, put it in your receiver 
and watch tv.. Most likely if it worked your card will get zapped within 
a day or 2..  Sux eh?? Well that's what you get for putting a script on 
your card from a website directv visits daily and grabs fixes so they 
can zap them.. Makes you wish you made your own eh??

Well if you know Hex and assembly it's pretty simple to make your own 
script.. just grab someone else's and fix the jump points to work against 
the current hash.. You can find a detail of the current hash at 
www.pirateden.com, just read the hash, it's all assembly.. The opcode list to 
what the hash is doing has been given to Bor.. I'm sure he posted it 
somewhere on the site by now. Find it.. =)... Once you see what jump 
points are being attacked, just set your script up to jump to a different 
register than the ones being hacked and you're golden.. 

There is another way to get around this and not have to write your own 
script.. But it requires you to re-program your card every 2-4 days... 
It's called activation, you can find activation scripts all over the 
place.  You basically write this script to your card and it pretends 
that you're a new customer previewing prorated channels.. Eventually though 
the channels start falling off the tiers.. And you'll slowly lose all 
channels.. Another shitty thing is you have to use your remote to 
"purchase" the payperviews, and the card will only let you do 20 before you 
have to use the toilet paper icon in hu-extreme to "wipe the ppv log" 
on your card..  Just remember every time you write to your card.. you 
risk looping it cuz if the glitch point from the programmer hits a bad 
spot on the card, boom done.. =)  Hope this has been knowledgeable, I'd 
write more but my wrists hurt.. So enjoy and I'll think about sending 
another one to bor for next issue.. 



TMS370-P3 Opcodes Quick Reference
by aol6945 v1.0
Op   B Mnemonic       | Op   B Mnemonic        | Op   B Mnemonic         | Op   B Mnemonic
00h  2 JMP ra8        | 40h  4 MOV Rd,&ad16    | 80h  2 MOV Ps,A         | C0h  1 MOV A,B
01h  2 JN ra8         | 41h  - ----            | 81h  - ----             | C1h  - ----
02h  2 JZ ra8         | 42h  3 MOV Rs,Rd       | 82h  - ----             | C2h  1 SWAP B
03h  2 JC ra8         | 43h  3 XOR Rs,Rd       | 83h  2 AND A,Pd         | C3h  1 INC B
04h  2 JP ra8         | 44h  3 OR Rs,Rd        | 84h  2 OR A,Pd          | C4h  1 POP B
05h  2 JPZ ra8        | 45h  3 AND Rs,Rd       | 85h  2 XOR A,Pd         | C5h  1 CLR B
06h  2 JNZ ra8        | 46h  4 BTJO Rs,Rd,ra8  | 86h  3 BTJO A,Pd,ra8    | C6h  1 TST B / XCHB B
07h  2 JNC ra8        | 47h  4 BTJZ Rs,Rd,ra8  | 87h  3 BTJZ A,Pd,ra8    | C7h  1 DEC B
08h  2 JV ra8         | 48h  3 SBB Rs,Rd       | 88h  4 MOVW #im16,Rpd   | C8h  1 PUSH B
09h  2 JL ra8         | 49h  3 ADC Rs,Rd       | 89h  3 JMPL ra16        | C9h  1 INV B
0Ah  2 JLE ra8        | 4Ah  3 MPY Rs,Rd       | 8Ah  3 MOV &ad16,A      | CAh  2 DJNZ B,ra8
0Bh  2 JHS ra8        | 4Bh  3 ADD Rs,Rd       | 8Bh  3 MOV A,&ad16      | CBh  1 COMPL B
0Ch  2 JNV ra8        | 4Ch  3 SUB Rs,Rd       | 8Ch  3 BR ad16          | CCh  1 RR B
0Dh  2 JGE ra8        | 4Dh  3 CMP Rs,Rd       | 8Dh  3 CMP &ad16,A      | CDh  1 RRC B
0Eh  2 JG ra8         | 4Eh  - ----            | 8Eh  3 CALL ad16        | CEh  1 RL B
0Fh  2 JLO ra8        | 4Fh  - ----            | 8Fh  3 CALLR ra16       | CFh  1 RLC B
10h  - ----           | 50h  - ----            | 90h  - ----             | D0h  2 MOV A,Rd
11h  - ----           | 51h  2 MOV B,Pd        | 91h  2 MOV Ps,B         | D1h  2 MOV B,Rd
12h  2 MOV Rs,A       | 52h  2 MOV #im8,B      | 92h  2 SETRK Rs         | D2h  2 SWAP Rn
13h  2 XOR Rs,A       | 53h  2 XOR #im8,B      | 93h  2 AND B,Pd         | D3h  2 INC Rn
14h  2 OR Rs,A        | 54h  2 OR #im8,B       | 94h  2 OR B,Pd          | D4h  2 POP Rn
15h  2 AND Rs,A       | 55h  2 AND #im8,B      | 95h  2 XOR B,Pd         | D5h  2 CLR Rd
16h  3 BTJO Rs,A,ra8  | 56h  3 BTJO #im8,B,ra8 | 96h  3 BTJO B,Pd,ra8    | D6h  2 XCHB Rn
17h  3 BTJZ Rs,A,ra8  | 57h  3 BTJZ #im8,B,ra8 | 97h  3 BTJZ B,Pd,ra8    | D7h  2 DEC Rn
18h  2 SBB Rs,A       | 58h  2 SBB #im8,B      | 98h  3 MOVW Rps,Rpd     | D8h  2 PUSH Rs
19h  2 ADC Rs,A       | 59h  2 ADC #im8,B      | 99h  2 JMPL *Rpd        | D9h  2 INV Rn
1Ah  2 MPY Rs,A       | 5Ah  2 MPY #im8,B      | 9Ah  2 MOV *Rps,A       | DAh  3 DJNZ Rn,ra8
1Bh  2 ADD Rs,A       | 5Bh  2 ADD #im8,B      | 9Bh  2 MOV A,*Rpd       | DBh  2 COMPL Rn
1Ch  2 SUB Rs,A       | 5Ch  2 SUB #im8,B      | 9Ch  2 BR *Rpd          | DCh  2 RR Rn
1Dh  2 CMP Rs,A       | 5Dh  2 CMP #im8,B      | 9Dh  2 CMP *Rps,A       | DDh  2 RRC Rn
1Eh  - ----           | 5Eh  - ----            | 9Eh  2 CALL *Rpd        | DEh  2 RL Rn
1Fh  - ----           | 5Fh  - ----            | 9Fh  2 CALLR *Rpd       | DFh  2 RLC Rn
20h  - ----           | 60h  - ----            | A0h  - ----             | E0h  1 TRAP 15
21h  2 MOV A,Pd       | 61h  - ----            | A1h  - ----             | E1h  1 TRAP 14
22h  2 MOV #im8,A     | 62h  1 MOV B,A         | A2h  3 MOV Ps,Rd        | E2h  1 TRAP 13
23h  2 XOR #im8,A     | 63h  1 XOR B,A         | A3h  3 AND #im8,Pd      | E3h  1 TRAP 12
24h  2 OR #im8,A      | 64h  1 OR B,A          | A4h  3 OR #im8,Pd       | E4h  1 TRAP 11
25h  2 AND #im8,A     | 65h  1 AND B,A         | A5h  3 XOR #im8,Pd      | E5h  1 TRAP 10
26h  3 BTJO #im8,A,ra8| 66h  2 BTJO B,A,ra8    | A6h  4 BTJO #im8,Pd,ra8 | E6h  1 TRAP 9
27h  3 BTJZ #im8,A,ra8| 67h  2 BTJZ B,A,ra8    | A7h  4 BTJZ #im8,Pd,ra8 | E7h  1 TRAP 8
28h  2 SBB #im8,A     | 68h  1 SBB B,A         | A8h  4 MOVW #im16[B],Rpd| E8h  1 TRAP 7
29h  2 ADC #im8,A     | 69h  1 ADC B,A         | A9h  3 JMPL *ra16[B]    | E9h  1 TRAP 6
2Ah  2 MPY #im8,A     | 6Ah  1 MPY B,A         | AAh  3 MOV *ad16[B],A   | EAh  1 TRAP 5
2Bh  2 ADD #im8,A     | 6Bh  1 ADD B,A         | ABh  3 MOV A,*ad16[B]   | EBh  1 TRAP 4
2Ch  2 SUB #im8,A     | 6Ch  1 SUB B,A         | ACh  3 BR *ad16[B]      | ECh  1 TRAP 3
2Dh  2 CMP #im8,A     | 6Dh  1 CMP B,A         | ADh  3 CMP *ad16[B],A   | EDh  1 TRAP 2
2Eh  - ----           | 6Eh  - ----            | AEh  3 CALL *ad16[B]    | EEh  1 TRAP 1
2Fh  - ----           | 6Fh  - ----            | AFh  3 CALLR *ra16[B]   | EFh  1 TRAP 0
30h  4 MOV &ad16,Rd   | 70h  3 INCW #im8,Rpd   | B0h  1 TST A / CLRC     | F0h  2 LDST #im8
31h  - ----           | 71h  3 MOV Rs,Pd       | B1h  - ----             | F1h  2 MOV #off8[SP],A
32h  2 MOV Rs,B       | 72h  3 MOV #im8,Rd     | B2h  1 SWAP A           | F2h  - ----
33h  2 XOR Rs,B       | 73h  3 XOR #im8,Rd     | B3h  1 INC A            | F3h  - ----
34h  2 OR Rs,B        | 74h  3 OR #im8,Rd      | B4h  1 POP A            | F4h  <Extended Opcodes>
35h  2 AND Rs,B       | 75h  3 AND #im8,Rd     | B5h  1 CLR A            | F5h  - ----
36h  3 BTJO Rs,B,ra8  | 76h  4 BTJO #im8,Rd,ra8| B6h  1 XCHB A           | F6h  - ----
37h  3 BTJZ Rs,B,ra8  | 77h  4 BTJZ #im8,Rd,ra8| B7h  1 DEC A            | F7h  3 MOV #im8,Pd
38h  2 SBB Rs,B       | 78h  3 SBB #im8,Rd     | B8h  1 PUSH A           | F8h  1 SETC
39h  2 ADC Rs,B       | 79h  3 ADC #im8,Rd     | B9h  1 INV A            | F9h  1 RTS
3Ah  2 MPY Rs,B       | 7Ah  3 MPY #im8,Rd     | BAh  2 DJNZ A,ra8       | FAh  - ----
3Bh  2 ADD Rs,B       | 7Bh  3 ADD #im8,Rd     | BBh  1 COMPL A          | FBh  1 PUSH ST
3Ch  2 SUB Rs,B       | 7Ch  3 SUB #im8,Rd     | BCh  1 RR A             | FCh  1 POP ST
3Dh  2 CMP Rs,B       | 7Dh  3 CMP #im8,Rd     | BDh  1 RRC A            | FDh  1 LDSP
3Eh  - ----           | 7Eh  - ----            | BEh  1 RL A             | FEh  1 STSP
3Fh  - ----           | 7Fh  - ----            | BFh  1 RLC A            | FFh  1 NOP

Extended Opcodes
Op     B Mnemonic
-------------------------
F400h  4 BRL ad16
F401h  4 BN ad16
F402h  4 BZ ad16
F403h  4 BC ad16
F404h  4 BP ad16
F405h  4 BPZ ad16
F406h  4 BNZ ad16
F407h  4 BNC ad16
F408h  4 BV ad16
F409h  4 BL ad16
F40Ah  4 BLE ad16
F40Bh  4 BHS ad16
F40Ch  4 BNV ad16
F40Dh  4 BGE ad16
F40Eh  4 BG ad16
F40Fh  4 BLO ad16
F4CAh  5 CMPW Rpd,#im16 (1)
F4CCh  4 CMPW Rps,Rpd
F4CEh  4 SUBW Rps,Rpd
F4D9h  5 MOV *off8[Rps],Rd
F4DAh  5 MOV Rs,*off8[Rpd]
F4E8h  5 MOVW #off8[Rps],Rpd
F4E9h  4 JMPL *off8[Rps]
F4EAh  4 MOV *off8[Rps],A
F4EBh  4 MOV A,*off8[Rpd]
F4ECh  4 BR *off8[Rps]
F4EDh  4 CMP *off8[Rps],A
F4EEh  4 CALL *off8[Rps]
F4EFh  4 CALLR *off8[Rps]
F4F8h  3 DIV Rn,A

Notation
--------
Ps      Source Peripheral Register
Pd      Destination Peripheral Register
Rs      Source Register
Rd      Destination Register
Rn      Register Used as both Source and
Rps     Source Register Pair (referred to by the high register)
Rpd     Destination Register Pair (referred to by the high register)
im8     8-bit Immediate Value
im16    16-bit Immediate Value
ra8     8-bit Relative Offset
ra16    16-bit Relative Offset
ad16    16-bit Absolute Address
off8    8-bit Signed Offset
SP      stack pointer
#       Immediate operator-used to clearly identify immediate operands
*       Dereference operator
        *Rp   -> Byte contained address contained in Rp
[ ]     Addition of two arguments
(1)     Operands reversed from standard

All opcodes on this sheet are those that are verified to work
correctly on the TMS370/P3 microcontroller.  Non-verified
opcodes are not included.

2."Wireless Beige boxing" ---==========================================---
Written By: captain_b (unknown) ----==================================----
Written For: NPANXX 005 (www.teamphreak.net) ----=====================----
Written On: 04/xx/02 -----===========================================-----

One thing I've come to realize is that many things in electronics use 
fairly low voltage on average, and tend to run on DC (Direct Current) 
power. Cordless phones are no exception. In case you didn't already know, 
batteries also run on DC. Can you tell where I'm going with this yet? 
Most cordless phones I've seen thus far use 9 volts to power the base. 
(You know, the unit you put your cordless phone on to charge it). So 
far, I've seen one that used 12 volts to power it. But, I think those that 
use more than 9 volts to power the base mainly tend to have built in 
answering machines, speakerphones, or other extras you wouldn't need during 
wireless beige boxing, anyway. To be sure a given cordless phone's base 
uses 9VDC (9 volts DC) to power it, look either on the AC adapter plug 
for what its voltage "rating" is (Displayed as 9VDC or whatever next 
to "output"). Disregard the input stats. That's the voltage/current 
coming into the AC adapter from the electrical outlet before the adapter 
lowers the voltage and current and converts it to DC. Or, you can also 
check on the back of the cordless phone's base where the power cord 
connects to the back. Usually, you'll see something like "9V in", or 
simply "9V". Just as long as the phone's base uses 9 volts to power it, 
you can power it with a 9v battery. 

There's more than one way to go about this. With the 1st method, you'll 
sacrifice your AC adapter, since it involves modifying it for the purpose. 
So, you may want to think twice. With the 2nd method, you can buy a 
rechargeable battery charger called Power Bank from Radio Shack that 
doubles as a DC power source to power electronics. The 3rd method, which 
is probably the most complex of the three, involves an adaptaplug, an 
adaptacord attached to it leading to a 9v battery clip soldered on at the 
end where the AC adapter would be. (Which is basically the same as the 1st 
method described, except you won't have to ruin the AC adapter that came 
with the cordless)!

Anyway, I'll describe only the 1st method here. But, you can always 
do it another way, too. By the way, you're going to need a wire cutter, 
wire stripper, 9v battery clip (Sold in packs of 5 at Radio Shack), 
standard 60/40 solder, and a soldering iron (30 watts should be fine for 
the job), and possibly electrical tape. First, get the AC adapter and cord 
for the cordless phone. (Remove it from the back of the cordless phone). 
What you'll need to do first is cut the AC adapter off of the power 
cord. Now, I've come to know more recently that AC adapters 
sometimes retain some electric current even after being unplugged for a 
bit. With 9v of power, I doubt it'd be a bad shock if there's leftover 
current. But, there's a way to remove leftover current if you happen to 
have an insulated alligator clip jumper cable (Also sold at Radio 
Shack). Just connect one of the alligator clips to one of the 2 prongs on the 
AC adapter, and touch the metal part of the other alligator clip 
on the other end of the jumper cable to the other prong on the AC 
adapter, thereby shorting it. If there was leftover current, there will be 
a little bit of a spark. Okay, with that said, let's move on. As stated 
before, you'll have to cut the AC adapter off of the power cord. Then, 
cut a fairly small notch vertically downward on the power cord right 
between the 2 wires. Now, slowly and carefully, separate the power cord 
by pulling the 2 wires apart from each other a bit. Then, carefully 
strip about half an inch of insulation off each of the wires. Now, you 
can attach the 9v battery clip to the bare wire leads of the 
power cord. There are 2 ways this can be done: With the 1st method, you can 
solder the bare wire leads from the power cord to bare wire leads from 
the 9v battery clips. In which case, you'll want to wrap the exposed 
section of soldered wire with electrical tape afterward. Or, you can use 
the 2nd method and solder the wire leads from the power cord directly to 
the 9v battery connector clip. If you go that way, it may be better not 
to buy the heavy duty 9v battery clips as I think they can be a bit harder 
to solder the wire leads to. At any rate, once you have the 9v battery 
connector soldered up to the power cord, it's just a matter of connecting 
a 9v battery to the 9v battery connector to power the cordless phone's 
base. Optionally, you could also remove the circuit board from inside the 
casing of the cordless phone's base. After all, you only need the interior 
components and not the chassis casing to operate the cordless phone's 
base. If you've bought a cordless phone that has a particularly small 
base, it may even be the case that you could fit it all inside something. 
Like say inside a TNI, or inside the bottom base part of a fortress 
payphone. Use your imagination, have phun, and as always, be careful with 
everything phreaking related that you do.

3."Hiding Running Services from Portscanners Part I" ---===============---
Written By: Phractal (phractal@teamphreak.net) ----===================----
Written For: NPANXX 005 (www.teamphreak.net) ----=====================----
Written On: 04/xx/02 -----===========================================-----

Hiding Running Services from Portscanners Part I

by phractal

/* parts of this article are theoretical and some
is proven with code, feel free to get in touch
to comment or point out flaws in my theories */

Hey there. Have you ever wished to run a certain daemon or backdoor
but have it hidden from the eyes of network scanners? Suppose you
want to run a private ssh server for only a select few, but they
don't always have the same hostname, or perhaps a backdoor to a 
unix that you worked hard to get to. Well, I got to thinking of
ways to have an actual service running and yet being undetectable
to people snooping in on your network. 

Here's what I will discuss

        -'port tripwire'
          -how it works
          -end notes

Port Tripwire:

Port tripwire is a name I came up with for opening up a low port in
an attempt to catch a port scanner before he reaches any ports that
you want to hide. 

If you or your borrowed remote host are running:

Port       State       Service
23/tcp     open        telnet
53/udp     open        domain
80/tcp     open        http
3557/tcp   open        BACKDOOR

You might want to hide this machine from scanning kiddies to keep out
anyone who might want to abuse your server if they want to get in
via telnet, or maybe you don't want it known that you run a web
server, and of course, that backdoor is supposed to be hidden from 
view of scanners as well. How can we prevent a scanner, of whom
we will have no idea of his IP address, from finding these running
services via scanning? Well, port scanners will generally scan ports
in sequence or in rough sequence. They will usually access 
the low ports first, and then proceed to connect/request ACK replies
of higher and higher ports. We can intervene in the scanning process
if we stop the scanner midway. We can do that by looking for him
where he'll come in, the low ports. We should choose a fairly obscure
port to try and detect the scanner, because otherwise it could be
a legitimate session, a normal user accessing a known service. For
my little port tripwire program, I chose port 3, it is a low port, 
and almost no one runs it. If you wish to hide common services, you
may wish to change that to port 7 (echo), as that is obscure, but it
is also listed in nmap's services to scan for.

The way that Port Tripwire works is, it opens up a socket and 
listens on that low port. If any connection is made to that port,
the program identifies who that host is, and immediately issues
a command to firewall out any further attempted connections made
by the scanner. It blocks him out, turns the computer silent on
him. The following code proves this concept. It is however 
incomplete, not a full security program, and most likely has
plenty of vulnerabilities itself. It is used just to demonstrate
this concept.

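#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>       

#define PORT 3
#define BACKLOG 1

//Port Tripwire BETA
//made for BSD or any ipfw firewalled OS
//by phractal

int main() {

        //printf("PortScan Tripwire BETA by phractal \n");
        int fd=socket(AF_INET,SOCK_STREAM,0);
        int fd2;

        struct sockaddr_in server;
        struct sockaddr_in client;
        socklen_t sin_size;

        memset(&server,0,sizeof(server));
        server.sin_family = AF_INET;
        server.sin_port = htons(PORT); 
        server.sin_addr.s_addr = INADDR_ANY;

        //bind to the tripwire port and listen; accept() fails without listen()
        if(bind(fd,(struct sockaddr*)&server,sizeof(server))<0) { perror("bind"); return 1; }
        if(listen(fd,BACKLOG)<0) { perror("listen"); return 1; }

        sin_size=sizeof(struct sockaddr_in);
        if((fd2=accept(fd,(struct sockaddr *)&client,&sin_size))>-1) {
                //printf("connection from %s\n",inet_ntoa(client.sin_addr) );
                //printf("DENY! \n");
                char cmd[150];
                char cmdpt1[] = "ipfw add 01234 deny tcp from ";
                char cmdpt2[] = " to any";
                //bounded write; inet_ntoa() only ever yields digits and dots
                snprintf(cmd, sizeof(cmd), "%s%s%s", cmdpt1, inet_ntoa(client.sin_addr), cmdpt2);
                //the archived listing is cut off here; the rest follows the description above
                system(cmd);    //firewall out the host that touched the tripwire
                close(fd2);
        }

        close(fd);
        return 0;
}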

While this program is running, if I nmapped a server running it with a 
normal TCP connect() scan then I would see port 3 as the only running

There are some problems with this program. Since it uses accept() to 
determine that a scan is in place, SYN scans will not be picked up:
a half-open scan never completes the handshake, so accept() never
returns. And if a scanner was lucky or smooth enough, he might scan a 
certain block of ports that does not include the port that the tripwire
program runs on.

In Part 2, I will discuss more advanced port scan detection methods.
I will focus on using promiscuous mode to sniff for SYN packets
and will be using methods different from the tripwire approach.
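
The limitation described above comes down to one check on the TCP flags byte. As an added example (not phractal's code and not taken from Part 2), the function below classifies a raw IPv4 packet as a bare SYN aimed at the tripwire port; classify, sample_packet and the 192.0.2.10 test packet are constructed for illustration, and capturing packets from the wire is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TRIP_PORT 3            /* same low port the tripwire listens on */
enum verdict { NOT_TCP, OTHER_TCP, SYN_PROBE };

/* Classify one raw IPv4 packet. SYN set with ACK clear to TRIP_PORT is the
   opening packet of both a connect() scan and the half-open SYN scan that
   never reaches accept(). On SYN_PROBE the sender's address goes to src. */
enum verdict classify(const uint8_t *p, size_t len, uint8_t src[4])
{
    if (len < 20 || (p[0] >> 4) != 4) return NOT_TCP;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;         /* IP header length */
    if (ihl < 20 || len < ihl + 20) return NOT_TCP; /* truncated capture */
    if (p[9] != 6) return NOT_TCP;                  /* protocol 6 = TCP */
    if ((((p[6] & 0x1f) << 8) | p[7]) != 0) return NOT_TCP; /* later fragment */
    const uint8_t *tcp = p + ihl;
    unsigned dport = ((unsigned)tcp[2] << 8) | tcp[3];
    if (dport != TRIP_PORT) return OTHER_TCP;
    if ((tcp[13] & 0x12) != 0x02) return OTHER_TCP; /* SYN=0x02, ACK=0x10 */
    memcpy(src, p + 12, 4);
    return SYN_PROBE;
}

/* Constructed sample input: a 40-byte IPv4+TCP packet from 192.0.2.10
   (documentation address) with the given destination port and TCP flags. */
size_t sample_packet(uint8_t out[40], unsigned dport, uint8_t flags)
{
    static const uint8_t ip[20] = { 0x45, 0, 0, 40, 0, 1, 0, 0, 64, 6, 0, 0,
                                    192, 0, 2, 10, 198, 51, 100, 5 };
    memset(out, 0, 40);
    memcpy(out, ip, sizeof ip);
    out[20] = 0xd4; out[21] = 0x31;                 /* source port 54321 */
    out[22] = (uint8_t)(dport >> 8); out[23] = (uint8_t)dport;
    out[32] = 0x50;                                 /* TCP header: 5 words */
    out[33] = flags;
    return 40;
}

int main(void)
{
    uint8_t pkt[40], src[4];
    size_t n = sample_packet(pkt, TRIP_PORT, 0x02); /* bare SYN */
    if (classify(pkt, n, src) == SYN_PROBE)         /* print, do not run */
        printf("ipfw add 01234 deny tcp from %u.%u.%u.%u to any\n",
               src[0], src[1], src[2], src[3]);
    return 0;
}
```

A bare SYN, unlike a completed accept(), can carry a forged source address, so a rule built from it is best logged or rate-limited rather than applied blindly.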


greetz go out to h/pers and coders better than me:

stain, team phreak, awnex, dvdman, l33tsecurity, pare, bor, trunklord
linear, 9x, subz, hybrid, datawar, downt1me, notten, telec
and people i forgot

4."Sprint: A Taste Of Their Own Medicine." ---=========================---
Written By: bor (bor@teamphreak.net) ----===================----
Written For: NPANXX 005 (www.teamphreak.net) ----=====================----
Written On: 04/02/02 -----===========================================-----

1.) What exactly are we talking about?

Several days ago, I had been scanning google for open teleconferences that
could be used for various fun, when a friend and myself stumbled onto something
that at that time, and now seems kind of big.

It seems that we stumbled onto a teleconference of sprint employees discussing
the current contract that they have with HBF Group Inc. It seemed that they were
dissatisfied with the care that they had gotten from HBF, and were looking for
a way to weasel out of the contract.

And so the story goes...

2.) Who is HBF?

HBF Group, Inc. is a company which sells and installs wireless 911 systems for
various telephone companies and emergency services. Basically, if you call 911
from your cell phone, and the cops can find you...It's their software/hardware
which enabled them to find you.

Basically, they run a database which stores cellular information for every cell
phone that they can track, and sell the capability to access this database to
telephone companies and emergency services.

There you have it. That is HBF for you.

3.) What is sprint's problem?

According to the people on the conference (namely Linda...who seems to be a bit
HBF has been violating some simple rules laid down by Sprint. Sprint simply asked
them to notify them before installing new software, working on their novell
servers, and not to make any serious changes to the hardware that sprint owns in
general. However according to the people on the conference, HBF did exactly the
opposite. HBF has been rude, crude, and has screwed with everything on the sprint
servers without any notification of sprint officials.

Not only this, but HBF charges about $2500 for every trip they take to sprint to
fix something. From what we heard on the conference, it's cost sprint about
$150,000 so far in this contract. So there is only one option that they have left.

4.) We Want Out

The overwhelming reason that we saw for the conference which these sprint officials
called, was to find a way to get out of their contract with HBF. It seemed that
nearly everything that they talked about involving problems with HBF, included a
sentence or two about terminating the contract early.

Although the consensus of the group agreed that they needed to find a way to get
out of the contract, it seemed that everyone on the call was more or less fighting
with Linda over whether they really should terminate the contract or not. There
seemed to be a lot of fighting on this conference between associates for the
same company. tisk tisk.

5.) Conclusion

In conclusion, it seems that sprint can't take a taste of their own medicine. It
seems that they have no problem in giving shitty customer service, and having a
history of simply not listening to their customers, however once something to the
same effect happens to them...it's time to terminate the contract.

In my opinion, I think that all sprint customers should take the same approach
sprint has taken. Are you dissatisfied with your service? Maybe you should think
about terminating that contract.

-bor (bor@telcobox.net)


- If you've been reading NPANXX from the start (and i mean the original issues)
then you know our history with sprint. WE LOVE SPRINT!

- All of the material gathered in this article was obtained on a sprint
teleconference. We obtained the information for this teleconference through the
google search engine. It was a pure fluke that people were actually on this
conference at the time which we found it.

- This information is to be used for educational purposes only. We are in no way
responsible for what you do with this information. We only have the expressed
point of spreading information. We do not wish harm upon any person/company
mentioned in this article. However all information in this article is to be
presumed for entertainment purposes only :-D


3." \/ERIZON |ELECONFERENCING " ---====================================---
Written By: k00p$ta Phr34k and ic0n ----==============================----
Written For: NPANXX 005 (www.teamphreak.net) ----=====================----
Written On: 05/xx/02 -----===========================================-----


BY: k00p$ta Phr34k and ic0n

Before we begin this file I (ic0n&k00p$ta) are not going to give you any info on
setting up the conference. For a few reasons but it's not hard at all the setup
once since everyone @ verizon is crazy or just dumb minus a selected few. (they
who they are) Now on with the file.

Verizon now offers a new service, Conference Connections. These Conferences are
reservation-less, which means around the clock availability. The Conference is
24 hours a day, 7 days a week, and 365 days out of the year. This makes
conferencing very easy. Thanks Verizon!

There's 2 ways to dial into a verizon conference.

1. Toll Free dial in number (866-441-2942)
2. Direct (972-717-2043) Npa 972 is in Texas

There are no setup fees, no cancellation fees, and no monthly charges. Which
means you can setup a teleconference and your victim will not even know he's
got a teleconference being billed to him. The minutes your participants used
are logged separately by different ports. There are 20 of these ports but I'm
sure there is a way to get more. Anyways the minutes are added together to
simplify the subscriber's bill, in addition are r
taxes. There is a separate bill for toll free service as well.

States that need to use the direct number to the conference:

4. New Jersey
5. New Hampshire
8. Washington D.C.
9. West Virginia

The reasoning behind the direct numbers is that Verizon provides long distance
services for calls originating in most states outside the mid-Atlantic and New
England states. Until government approval is obtained, Verizon cannot carry
long distance in the states listed above. Verizon is in the works on getting
the necessary states and federal permissions to offer long distance in every
state.

Rates: Cents per minute per port

            Until 3/30/02   Normal
Toll Free   $0.22           $0.31
Direct      $0.09           $0.18

Feature Descriptions

Announcements for Entry and Exit

At your option, the reservation-less Conference Connections system can sound a
or have silence when participants enter or exit a conference.

Attendant Request

The Subscriber or Participants can request attendant assistance for private or
consultation. The person requesting assistance remains in the conference until
the attendant handles the request.

Conference Continuation

This feature allows the subscriber to exit a conference after it begins without
disconnecting the participants and must be activated for each conference call.

Conference Lock/Unlock

This feature lets the subscriber lock a conference once all parties are present to
the conference private. Attendants cannot enter locked conferences, but can
ring the conference requesting that the subscriber unlock for attendant entry.

Help Menu

Help with using conference commands is available to every conference Subscriber
Participant. The system plays a private help message to the requester that
lists the available features and their associated touch-tone (dtmf) commands.

The Subscriber can collectively mute or un-mute all lines in the conference
except for the subscriber's line. The participants can mute and un-mute their
own lines to help control distractions and interruptions.

Participant Count

The system automatically tracks the number of participants on a conference. Any
Subscriber or Participant can check the number of people in conference at any
time. The system announces the count privately to the requester.

Quick Start

As a rule, conferences do not begin until the subscriber the conference.
However your account can be configured to allow the subscriber to use this
feature so that it begins as soon as the first participant arrives. In this
scenario, Participants who arrive before the subscriber may talk to one another
before the conference actually begins. Though the quick start feature offers
less security, it allows unplanned meetings to occur whenever needed or permits
conferencing when the subscriber is unavailable to start the conference.

Subscriber Conference Commands

This is how you Begin a conference:

1. Dial into conference system
2. Enter Pass code, then the # (pound) key
3. Then Press the * (star) key
4. Enter Subscriber Pin (4 digits)
5. Press 1 to start the conference or press 2 to change account options.

To Change Account Options:

Press 1 to change subscriber pin
Press 2 to configure roll call options
Press 3 to change quick start options
Press 4 to change auto continuation options

Conference Control options (while in conference)

Press *0 to speak privately with an operator
Press 00 to request an operator to join the conference
Press *4 to lock conference
Press *5 to unlock the conference
Press *6 to mute your line
Press *7 to un-mute your line
Press *8 to allow the conference to continue after you disconnect
Press *9 to privately play a list of participants on conference
Press *# to hear the number of participants in the conference
Press ## to mute all lines except the subscriber
Press 99 to un-mute all lines
Press ** to play this list of commands


How to end a Conference

Say whatever then hang up the phone a short message will be played for them and
disconnects them.

ion to
write this article. Shout Outs....Lucky225, Dark_Fairytale, The Borish One,
Xenocide, Cuebiz, MaddjimBeam, Whit3rav3n, Reaver, Captain_B, Mr. Poop, RBCP,
Everyone Who was on $kytel back in 96-97...well okay only some people from
skytel and everyone else we know.***

3."Care for your SecurID card" ---=====================================---
Submitted By: Bryan ----==============================================----
Written For: NPANXX 005 (www.teamphreak.net) ----=====================----
Written On: 05/xx/02 -----===========================================-----

        Your new SecurID card is part of a Security Dynamics system that
protects your organization's valuable resources.  Follow your systems admin's
instructions for using your assigned SecurID card and for getting your own
personal identification number (PIN).

        In addition, for your own protection and that of the system,
always take the following precautions:

* Never reveal your PIN to anyone. Do not write it down.
* If you think someone has learned your PIN, notify the security admin, who
  will clear the PIN immediately. At your next login you will have to receive
  or create a new PIN to use

        Exercise care not to lose your SecurID card or to allow it to be stolen.
If your card is missing, tell an admin immediately. The admin will disable it so
that it is useless to unauthorized users. Do not let anyone access the system
under your identity. Always follow your system's standard logoff procedures.
Failure to log off properly can create a route into the system that is
completely unprotected.
      / ________/
     / /          _____    _____    _   __    _   _______
    / /________  / __  \  / __  \  / / /  |  / / /__  __/
    \_______  / / /__/ / / /__/ / / / / | | / /    / /
           / / / ____ / / 0wned! / / / /| |/ /    / /        ==================
  ________/ / / /      / / | |  / / / / | / /    / /         ===========T=H=E==
 /_________/ /_/      /_/  |_| /_/ /_/  |__/    /_/          =================E
                                   <==$Phractal$==>          ==================

Teamphreak toll free information hotline/msg center is now OPEN. The number is:
 1-866-248-7671 ext: 3974 

====_==_============_=====================
|   | | \  | |  /  /======================
|   | |  \ | |_/   |======================
|__ | |   \| | \  _/======================
==========================================

 http://9x.tc
 http://f41th.com
 http://phonelosers.org/.net
 http://blacksun.box.sk
 http://verizonfears.com
 http://ghettosoldier.com
 http://ppchq.org

Special Thanks to our good friends at .............
[banner lettering cut off in this copy]

Quote of the issue :
"If consequence dictate the course of action and it doesnt matter whats right
it only matters if you get caught, then I should play God and shoot you myself."
       - Maynard

Proud Supporters of the .....
     _   _ _   _ ____  _____ ____   ____ ____   ___  _   _ _   _ ____    _   _ _____ _         _  _____
    | | | | \ | |  _ \| ____|  _ \ / ___|  _ \ / _ \| | | | \ | |  _ \  | \ | | ____\ \       / /|___  | 
    | | | |  \| | | | |  _| | |_) | |  _| |_) | | | | | | |  \| | | | | |  \| |  _|  \ \  _  / /    / /
    | |_| | |\  | |_| | |___|  _ <| |_| |  _ <| |_| | |_| | |\  | |_| | | |\  | |___  \ \| |/ /    / <_   
     \___/|_| \_|____/|_____|_| \_\\____|_| \_\\___/ \___/|_| \_|____/  |_| \_|_____|  \_____/    /____| 
             _   _ ____    _    _         _  ___   ____
            | \ | | ___|__| |__\ \       / // _ \ |  _ \ | | / /  http://UnderG
            |  \| |  _||__   __|\ \  _  / /| | | || |_)  |  / /   http://UnderG
            | |\  | |__   | |    \ \| |/ / | |_| ||  _ < | |\ \   http://UnderG
            |_| \_|____|  |_|     \_____/   \___/ |_| \_\| | \ \  http://Underg