💾 Archived View for gemini.spam.works › mirrors › textfiles › phreak › tl-user.txt captured on 2023-01-29 at 10:49:58.

View Raw

More Information

⬅️ Previous capture (2020-10-31)

-=-=-=-=-=-=-

                              ToneLoc v0.96

                                   by

                        Minor Threat & Mucho Maas

     ToneLoc is short for Tone Locator, and is a bit of a wild thing.
What it does is simple: it dials numbers, looking for some kind of tone.
It can also look for carriers like an ordinary wardialer.

It is useful for:

   1. Finding PBX's.
   2. Finding loops.
   3. Finding dial-up long distance carriers.
   4. Finding any number that gives a constant tone, or something
      that your modem will recognize as one.
   5. Finding carriers.
   6. Hacking PBX's.

     You will need an additional program to make ToneLoc work: a FOSSIL
driver. If you don't have one, you can probably find one on any local
public domain board.  Some popular (and good) ones are X00 and BNU (just
search for those and download them).

Here are the command line options for ToneLoc:

ToneLoc  [DataFile]  /M:[Mask] /R:[Range] /D:[ExRange] /X:[ExMask]
         /C:[Config] /S:[StartTime] /E:[EndTime] /H:[Hours] /T[-] /K[-]

    You can use ":" or "-" as a delimiter. If you don't use ":" or "-",
ToneLoc will assume there is no delimiter. Example:  ToneLoc [DataFile]
/M[Mask] ...

     When you run ToneLoc you need to give it at least one command line
parameter.  The only required parameter is a data filename; the rest are
optional.  The optional parameters can come in any order.  If you only
provide a filename, the filename is also used as the mask.  A mask tells
ToneLoc what numbers to dial.  A mask will look something like this:
555-1XXX.  The X's are replaced by ToneLoc with random numbers.  It will
never dial the same random number twice in the same mask.  If you exit
before the mask has been exhausted, ToneLoc will save the array of
numbers dialed and their results in the data file.  You should never
have more than 4 X's in a mask.  ToneLoc will run, but since ToneLoc
uses integer variables, the numbers will be all screwed up, since 5 X's
would have 100,000 possible numbers which is more than 32,768 (integer)
and 65,536 (word).  If you have no idea what I'm talking about, just
trust me and don't put 5 X's in the mask.

    The next command line parameter is the Mask.  If you use this, your
data filename can be anything you want, and the mask will be taken from
the string following /M.

     The next parameter is the range to dial (/R).  This makes it easier
to specify a range of numbers without having to exclude numbers.  Say
you want to dial 835-1000 - 835-2000, you would run:
TONELOC 835-xxxx /R:1000-2000.

     The next parameter is the range to NOT dial (/D).  Say you want to
dial 345-xxxx, but you know that 345-9000 - 345-9999 is all payphones.
Run:  TONELOC 345-XXXX /D:9000-9999.  ToneLoc would dial everything
except the 9000-9999 range.


     The next parameter is an Exclude mask.  (/X) This should be no more
than four characters, unlike the dial mask. It maps out which numbers NOT
to dial.  For example, /X:1XXX will exclude numbers 1000-1999 from the dial
scan. You can specify multiple exclude masks, up to 10. Excluded numbers
are only excluded for the current run of ToneLoc - the flagging is not
permanent. Between your dial mask and negative masks you should be able
to obtain a good degree of specificity in your scan.

     The next command line parameter (/C) is which configuration file to
use (.CFG).  This file contains all of the configuration data for ToneLoc,
such as which COM port to use, the baud rate, window colors, dial string,
etc.  See the configuration file for details.

     The next parameter is the starting time.  ToneLoc will wait until
this time to begin the dial scan.  You can use either standard time
notation (5:30p) or military time (17:30) for any time parameter. You
can hit any key to start early.

     The next parameter is the ending time.  When this time is reached
ToneLoc will end the current scan.

     The next parameter is a useful shortcut.  It specifies an end time
at a certain number of hours and minutes past the start time.  If you
specify a start time and a number of hours (/S:10:00p /H:5:30), the end
time will be the start time plus the number of hours desired (3:30 AM).
If you specify both an end time and a number of hours, the number of
hours will take precedence.

     The next few parameters are overrides for the scan type.  This
is usually set in the config file, but this parameter overrides it. To
scan for tones you'd use /T, to scan for everything except tones use /T-.
To scan for carriers you'd use /C, to scan for everything except carriers
use /C-. The inverted scan modes are useful for hacking a PBX; see
below on hacking PBX's.

     The datafile should be 10012 bytes at all times.  It ain't the most
efficient way, but it sure is the fastest!  There can be as many data
files in the directory as you want.  Don't forget to SAVE your data files,
they don't take too much space, and they are great with ToneMap.

     Here are a few example command lines:

 ToneLoc 346-XXXX           - Dial 346-0000 to 346-9999 using the
                              default configuration file, logging
                              dialed numbers to the data file 346-XXXX.DAT.

 ToneLoc 950-5XXX /C:NINE5  - Dial 1000 numbers, from 950-5000 to 950-5999
                              (randomly), and use the configuration file
                              NINE5.CFG. This configuration file might
                              skip rings and have a short wait. This
                              could be used for dialups.

 ToneLoc 474-9XXX /X:1xx    - Dial 1000 numbers, from 474-9000 to 474-9999
                              (randomly), using the default configuration
                              file TONELOC.CFG, but exclude 474-9100 to
                              474-9199.  Also see next example

 ToneLoc 474-XXXX /R:9000-9999 /X:91XX - Same as above, but easier to
                              understand.

 ToneLoc 836-99XX /C:LOOP /S:21:30
                            - Dial 100 numbers, from 836-9900 to 836-9999
                              (randomly), using the config file LOOP.CFG,
                              waiting until 9:30 PM to begin dialing.
                              Notice the use of military time.

 ToneLoc TEST /M555-1XXX /H:5:00 /x:3XX /x:1XX
                             - Dial the numbers from 555-1000 to 555-1999
                               for five hours maximum, saving the dialed
                               numbers to TEST.DAT, and excluding the
                               ranges 1300-1399 and 1100-1199.

 ToneLoc 677-8xxx /E:8:30a   - Dial the numbers 677-8000 to 677-8999
                               until 8:30 AM, saving the dialed numbers
                               to 677-8XXX.DAT.

     The optional parameters can come in any order, but the name of the
datafile MUST be the first parameter.  If there is no mask specified, the
data file name is used as the mask.

     We hope you are impressed by the way the screen looks while dialing.
The screen is split up into 3 major windows.  The first window, called the
Activity Log, takes up the entire left half of the screen.  It tells you
what is going on.  Everything that appears here also goes to the log
file.  The following messages may appear in the message log:

     22:54:09 ?
          This is written at the beginning of each run.  It makes it
          easier for you to separate ToneLoc runs in the log file.

     22:53:53 ToneLoc started on 12-Nov-91
          This is self explanatory.

     22:53:53 Data file:   403-XXXX.DAT
          This shows which file ToneLoc is using to store the dialed
          numbers.

     22:53:53 Config file: TONELOC.CFG
          This shows which file ToneLoc has loaded the configuration
          information from.  TONELOC.CFG is the default configuration
          file.

     22:53:53 Log file:    TONE.LOG
          This shows which file ToneLoc is logging the scan to.  This
          file name is set in the configuration file and can be changed
          there.

     22:53:53 Mask used:   403-XXXX
          This tells what mask you used for the current run.

     22:53:53 Exclude mask 1:  8XXX
          Shows which numbers you AREN'T dialing in the current run.

     22:53:53 Initializing modem ...
          ToneLoc is trying to initialize the modem.  It will either
          give a "Done" message or a "Failed" Message.  Toneloc will
          try 3 times to initialize the modem.

     22:53:53 Waiting until 09:30:00
          ToneLoc is waiting until 9:30 AM to start the current scan.
          You can hit any key to start early.

     23:30:44 474-5294 - Timeout (0)
          This means the number was dialed, and nothing was found during
          the WaitDelay.

     23:30:56 474-5335 - Timeout (3)
          This means the number was dialed, and nothing was found during
          the WaitDelay. The (3) indicates there were three rings.

     23:31:00 474-5978 - No Fucking Dialtone
          This means when ToneLoc tried to dial, there was no
          dial tone found (your dialtone).  When this happens,
          ToneLoc tries the same number that it tried previously,
          as to not skip any.

     23:39:02 474-5685 - Busy
          This means the number dialed was busy.

     00:24:26 474-5989 - ** TONE **
          Holy Shit!  You found a tone.  It is probably either a loop,
          PBX, or dial-up LD carrier.  Now it is your job to hack it
          out and use it!

     00:24:26 474-5489 - Voicexx (1)
          This means your modem detected a voice answer.  Good modems
          like the USR HST/DS can detect voice.  X5 or X6 in your
          init string will enable this on a HST/DS.  CAUTION: Detecting
          voice can many times accidentally detect some dialtones as
          voices.

     06:45:43 Ringout (3)
          This means MaxRings (in this case 3) was reached and the dial
          was aborted. See below for a discussion of rings.

     15:11:23 474-5555 - * Blacklisted #5 *
          This means the number was found in the BlackList file
          (the 5th entry), so it was not dialed.  This is highly
          recommended for areas with Caller ID and ex-girlfriends.

     00:45:21 Autosaving
          This means Toneloc is backing up the .DAT file after the interval
          set in the config file.

     04:53:12 Stopping at 10:00:21
          ToneLoc has reached the stop time specified after /E and is
          exiting the current scan.

     03:00:32 All 10000 codes exhausted
          Damn, you dialed every possible number!  3 X's means 1000
          numbers are possible.  4 X's means 10,000 numbers are
          possible, etc.  Like this: 10^X, where X is the number of X's
          in the mask.  Math sucks.

Other messages are in response to input:

     00:25:31 474-5629 - Speaker ON
          By hitting S you can toggle the speaker on and off DURING
          a scan.  ToneLoc will beep high (ON) or low (OFF) depending
          on the status of the speaker.  ToneLoc waits until it is
          finished with the current dial to toggle the speaker.

     00:28:45 474-9091 - Volume set to 3
          By hitting a number 0-9 you can set the volume level with the
          commands defined in the Config file. You can also use them for
          customized commands.

     00:25:59 474-5985 - * Noted *
          You can hit N to make a note in the log next to this number.
          Aborts current number.  Use it when you find something
          interesting like a drunk cowboy yelling at you through the
          phone.  Other note keys are:
             C - Carrier
             F - Fax
             G - Girl
             K - Custom note (you can type a note yourself)
             V - VMB
             Y - Yelling asshole

     00:27:23 474-5239 - Jumped to DOS
          Hit J to shell to DOS.  Just type EXIT to return.  This will
          abort the current number being dialed, but ToneLoc will redial
          it after you return from DOS.

     00:27:45 474-5722 - Redialing
          Hit R to redial the current number.  Useful if a number doesn't
          "take" or you want to fuck with that drunk cowboy who answered
          last time.

     00:30:45 474-5123 - Escaped
     03:30:45 Dials/hour : 225
     00:30:46 ToneLoc Exiting ...
          Hitting escape will abort the current number and exit the
          program. ToneLoc writes the average number of dials per hour
          to the log file.

     00:28:12 474-5756 - Aborted
          Hitting any other key will abort the current number.

     00:45:23 454-5365 - Paused
          Pressing P will stop the current dial and wait for another
          keypress before continuing.  Good in case you want to use
          the phone for a sec.

A few keys don't have screen responses:

  X : Adds 5 seconds to the WaitDelay time for this dial only. Can be
      used multiple times on the same dial.

     Ok, on to the next window.  The top-right corner of your screen is
the modem window.  Everything that is returned from your modem is shown
here.  This isn't very useful, except maybe for debugging, but it looks
neat.  The last window is in the bottom-right part of the screen.  It is
called the Statistics window.  It shows a bunch of cool stuff like....

     ? The time you began scanning.
     ? The current time
     ? The maximum number of possible numbers,
       based on your mask and negative mask
     ? Your current Dials per Hour
     ? The number of numbers already dialed
     ? Number of responses for CD, Tone, Voice, Busy, & Ringout
     ? The average number of dials per hour.
     ? ETA - Estimated Time to Arrival (or completion)
       based on your current dials per hour and numbers left.
     ? The number of rings so far in the current dial.
     ? Last 5 tones or carriers found.

     You'll also notice (you better!) the meter at the bottom right.
Pretty cool huh?  It just shows the progress of the current call.  This
is a graphic representation of the elapsed wait time as set in the config
file.  If you can't stand to look at a still screen, set a fancy meter
wipe option in the config file.

The Black List File:
--------------------

     This is a file of up to 100 numbers that ToneLoc should not dial.
Put your own numbers here, your friends numbers, the police station,
fire department, etc.  The numbers should be each on one line exactly as
ToneLoc will dial them. For example the entry "555-1212" will only
blacklist the number "555-1212", not "1-555-1212" or "5551212". If
ToneLoc comes up with one of these numbers as a candiate for a dial
attempt, it will skip it and move on to the next number.

Rings And The X Parameter:
--------------------------

     This discussion refers in particular to USR modems. If you are
using another brand of modem you'll probably have to sort through the
details yourself.

     This can get a little confusing so a little detail is in order.
There are several ways to deal with the RINGING message that your modem
can generate. The simplest is to simply disable it with the X4 command
in your modem init string. With X4, RINGING and VOICE will be supressed
as responses. This is simple enough, but you won't get much diagnostic
detail in your logs. You can enable these messages with the X6 flag,
which will respond with VOICE and RINGING when it is detected.
Unfortunately, the USR is no AppleCat, and VOICE is more often than not
a false response. Of particular importance, the 2600 hz divert tone
which precedes many PBX's (namely AT&T System 75/85s) initial dialtone
will cause a VOICE response.

     X7 supresses the VOICE response, but leaves the RINGING response.
In our experience RINGING is seldom a false response, and any potential
VOICE responses will show up as BUSY's. If you decide to use X7, you'll
need to adjust the MaxRings parameter in your config file. Experiment a
little bit to decide how to set it. If you set it to 0, the number of
rings will be recorded after Timeout messages, but it will never abort
because of rings.

After the Scan:
---------------

    Well now that I have some dial tones, what the fuck do I do with
them?  First, figure out what kind of a number it is.

    PBX's usually have a 0-6 digit code, but they can be longer.  If you
enter the correct code and you will hear a second dial tone, otherwise
you will probably get a reorder (fast busy), busy, a hangup, or ringing.
Sometimes it will ring the PBX operator (ugh).  Once you get the second
dialtone, dial 9+ACN (sometimes 8+ACN or even 7+ACN) to make a long
distance call.  (NOTE: ACN = Area Code & Number) Some PBX's have no code,
you just need to dial 9.  Sometimes the code will follow the number in
the format 9+ACN+Code. Many will also call international. See below on
hacking them.

    It might also be a long-distance extender dial-up. You'll find many
of them in the prefix 950-xxxx. Sometimes it is easy to hack a code, but
please be careful!  They are easy to get busted on.  MCI people are dicks.
They get off on busting people, and announcing it to the world.  Sprint
doesn't fuck around either, they'll bust you, but they like to keep it
quiet.  Consult with local phreaks before experimenting with an
unfamiliar extender.

   Here's a tip. If you scan 950's you'll find most will give either a
result of Voice, Ring, or Busy. A few will be Tones, but also a few will
be Timeouts. Investigate these - you may find something interesting,
like a voice-prompted dialup or a modem carrier.

    You may also find "Phantoms".  In Mucho's area there are several MCI
dialup ports that are no longer in use since the full implementation of
Equal Access.  Hack all day, you won't find a code. Try and figure out
what you are hacking before you waste time on a dead end.

    Now, for an explanation of loops.  We'll tell you what we know about
them, which ain't a whole lot.  Loops are a pair of phone numbers,
usually consecutive, like 836-9998 and 836-9999.  They are used by the
phone company for some kind of testing, but we aren't sure what.  What
good do loops do us?  Well, they are cool in a few ways.  Here is a
simple use of loops.  Each loop has two ends, a 'high' end, and a 'low'
end.  One end gives a (usually) constant, loud tone when it is called.
The other end is silent.  Loops don't usually ring either.  When BOTH ends
are called, the people that called each end can talk through the loop. Some
loops are voice filtered and won't pass anything but a constant tone;
these aren't much use to you.  Here's what you can use working loops for:
billing phone calls!  First, call the end that gives the loud tone.
Then if the operator or someone calls the other end, the tone will go
quiet.  Act like the phone just rang and you answered it ... say "Hello"
or whatever.  The operator thinks that she just called you, and that's
it!  Now the phone bill will go to the loop, and the Telephone Company
will get the bill!  Use this technique in moderation, or the loop may go
down.  Loops are probably most useful when you want to talk to someone to
whom you don't want to give your phone number.

     As for carriers.. well, we would hope you know what to do with a
carrier by now.  But if you don't, I highly recommend The Mentor's
Guide to Hacking (Phrack, I forget which issue).

ToneMap - A new science?
------------------------

    When we first wrote and ran ToneMap, we were amazed by what we saw.
ToneMap reads a ToneLoc .DAT file, and displays the data visually on the
screen.  Big deal, right?  Actually, it is a big deal.  We saw more than
just scattered colors.  We saw definate patterns within the prefixes we
scanned.  Hopefully you took the time to print this doc file out, because
I am going to go over one of the example .DAT files with you.  Ok, run
ToneMap like this: "TONEMAP 555-XXXX" and press Enter.  (You need VGA)
You should see a square of colors that takes about 2/3 of the screen.
This is a prefix.  It starts at the top left (0000) and works down and to
the right (9999), so each vertical column is 100 numbers.

    Here's an explanation of the colors:

    BLACK        = Not yet dialed by ToneLoc
    GREY         = Timeout.  Lighter = more rings before timeout
    ORANGE       = Busy number.
    DARK BLUE    = Blacklisted number.
    DARK GREEN   = RingOut. (rang too many times)
    LIGHT GREEN  = TONE FOUND
    CYAN         = NOTED Number ('N' was pressed)
    DARK RED     = Aborted (spacebar pressed)

     Unless you're colorblind, you have probably already noticed a pattern
to this prefix.  There are some vertical bands in the middle of the prefix
(from about 3900-5900).  In fact, one ENTIRE column (3900) is all BUSY
NUMBERS!  Oh by the way, you can use your cursor keys to move the white
cursor around to see where you are.  The number is shown on the bottom
right corner of the screen.
     What does this mean?  Well, I haven't thought too hard about it yet,
but if you think about it for a little while, it starts to make a little
bit of sense.  A large range of numbers that are BUSY (like 3900 column)
are most likely a set of test numbers.  Several RINGOUTS are harder to
explain.  They could be residential, or they could be disconnected.
Whatever it means, one thing is for sure, there is definately a pattern
to the way ma bell assigns the phone numbers.  It may be up to each
individual Central Office.  I scanned a prefix that is over 20 years
old, and there was NO PATTERN WHATSOEVER.  The sample .DAT data files
are from an exchange using 5ESS equipment, if that matters.

     It behooves you (I LOVE that word!) to scan your prefixes and study
your results.  It is best to scan a prefix in one big scan (555-xxxx
rather than 555-0xxx, 555-1xxx, etc) so you can see the whole prefix at
once.  I would appreciate it if you could get in contact with me
(Minor Threat or Mucho Maas) via CelerityNet and share your results with
us.

Hacking PBX's:
--------------

     If the PBX code is 4 digits or less you can use ToneLoc to hack it.
The simplest way is to use ToneLoc to look for an internal dialtone.
Lets say you found a 3 digit PBX at 555-9999 which hangs up on you after
you enter a bad code.  You'd use ToneLoc like this:

ToneLoc Example1 /m:555-9999Wxxx

(EXAMPLE1.DAT will be the .dat file, /m: specifies the mask.)

     This will produce dialing strings like this: ATDT 555-9999Wxxx W;.
ToneLoc will dial the number, wait for a dialtone, try a code, then wait
for a second dialtone.  If you get the right code, you'll get the second
dialtone, otherwise you'll just get a timeout.

    Some PBX's have alert tones for invalid codes which the W command
will hear as a dialtone.  You can't look for a second dialtone directly
with the W command on these PBX's, but Toneloc has a scan mode
specifically for this problem.  Set the scan mode to look for everything
except tones, either in the config file or on the command line, and use
toneloc like this:

ToneLoc example2 /m:555-8999WxxxW1

    This will produce dialing strings like this: ATDT 555-8999WxxxW1 W;.
Toneloc will dial the number, wait for the first dialtone, dial the
code, wait for a dialtone, dial 1, then wait for a dialtone.  If the
code is invalid, the second W command will hear the alert tones as a
dialtone and dial 1.  The tones should keep playing, and the third W
will respond to the alert tones too, giving a final response of Tone.
If the code is valid, the second W command will hear the internal
dialtone and the 1 will immediately quiet it since 1xx or 1xxx is a
valid extension on most PBX's.  This would give a final response of
Timeout since the third W command won't find a tone - and voila, you
have your code.

     This method might not work if 1xx or 1xxx isn't a valid extension
on the PBX you are trying to hack, since some PBX's will immediately
give an alert tone if you dial the first digit of an invalid extension.
If you fail the first time around, and think you might have this
problem, have a look at the phone number for the PBX indial. For
example, if the PBX indial is 555-6444, it's a good bet that some valid
extensions are in or near 4xx.

     Apparently some PBX's will respond with a carrier blast to an
invalid code, although we've never found one.  You can use the
everything-but-a-carrier scan mode for these, or just look for an
internal dialtone since carriers don't appear as tones to the W command.

Cautions & Usage Notes:
-----------------------

     We do not have personal experience scanning 800 exchanges with
ToneLoc but we recommend that you exercise caution. First of all, if you
are looking for tones you may not get anything. Many of the PBX's or
extenders you would be looking for will answer with a short tone, about
the length of a ring. That's how ToneLoc will perceive those tones - as
a ring. Local PBX's can answer like this as well, however the 800
exchanges are more likely to have better security since they are under
constant pressure from call-sell operations as well as every code abuser
in the nation. Second, MCI and Sprint can get irritated when someone
makes thousands of calls into their 800 exchange, and, unlike a local
number, they WILL have easy access to at least your area code and
exchange, and probably your entire phone number. Since each 800 call
costs somebody money, and you aren't conducting legitimate business
during these calls, it might also be considered theft of service. I have
heard AT&T is less attentive than their competitors, but I wouldn't
trust my freedom to a rumor.

     Hacking an 800 system of any kind, be it a computer, long distance
extender, PBX, or even a VMB system, can be extremely risky. We urge you
to use good judgment.

     If you live in an area with the Call Return and Call Trace
functions of Caller ID active, you will definitely experience some call
returns with ToneLoc.  Politely explain to anyone who calls back that you
dialed a wrong number - don't provoke them into a Call Trace.  Who knows,
you may even meet a fellow hacker.  If Caller ID is active, use more
caution - they could have your phone number and scanning could be
construed as harrassment, especially if it happens at 3:00 am.

     In any case, please use some intelligence if you are scanning
a range that belongs to a large company.  Often the same operator will
have to answer dozens of incoming phone numbers, and your strange
hangups may get tiresome enough in the course of the day that he or she
might decide to do something about it.  Listen in on ToneLoc to figure
out what kind of an exchange you are scanning.  If it is principally a
business exchange, consider only scanning at night when the affected
businesses are closed.  If it is mostly residential you might want to
scan during the day.  Make intelligent use of the exclude mask to
eliminate ranges that will most likely be unproductive - pager numbers,
answering services, cellular phones, etc.  If you want an overview of
your local exchanges, first try the yellow pages. You will quickly
discover where promising exchanges are.  If you want greater depth, go
to your local public library and ask at the reference desk for the
criss-cross directory.  A section of this directory is a listing of the
telephone numbers in an exchange.  It does not list unlisted or
nonpublished numbers (PBX's will not show up, although the PBX billing
number might), but it will show you if the exchange is a residential one
or not.  Ten minutes of thought can save you 40 hours of scanning.

     When hacking a PBX, have some sense and do it late at night when
nobody is using the PBX.  Have a little patience; you'll be glad you
did.  Make sure you hack RANDOMLY - sequential hacking is a good way to
get noticed, and besides Toneloc has a better chance of finding it
sooner.

Is Scanning Illegal?  (Who cares)
--------------------

     We don't know.  We've heard it is legal to scan during business
hours when the call would not be harrasment.  We've heard it's not
illegal if you only call once.  We've heard that scanning with intent to
hack is illegal, as if such a thing could be proven.  (Some people
suggest not using the same phone line for hacking and scanning).
Remember, the most important thing is not whether it is illegal, but
whether you piss someone off or attract attention.

Here's what the staff at 2600 magazine have to say about wardialing:

     "In some places, scanning has been made illegal.  It would be hard,
though, for someone to file a complaint against you for scanning since
the whole purpose is to call every number once and only once.  It's not
likely to be thought of as harassment by anyone who gets a single phone
call from a scanning computer.  Some central offices have been known to
react strangely when people start scanning.  Sometimes you're unable to
get a dialtone for hours after you start scanning.  But there is no
uniform policy.  The best thing to do is to first find out if you've got
some crazy law saying you can't do it.  If, as is likely, there is no
such law, the only way to find out what happens is to give it a try."
[2600, Spring 1990, Page 27.]

Problems?
---------

     ToneLoc's tone scanning mode may not work for everyone's modem.
ToneLoc looks for tones by dialing strings like this: "ATDT 555-1234
W;".  This tells the modem to dial the number 555-1234, wait for
dialtone, and then return to the command line. ToneLoc then waits for a
result code.  If it gets Ringing, Voice, Busy, etc. it moves on to the
next number.  If it gets nothing, the modem never heard a dialtone, so
ToneLoc hangs up and moves on - this is a timeout. If it gets "OK" as a
result code the modem has heard a tone (W waits for a dialtone) and
returned to the command line (; returns to the command line).

     ToneLoc won't work if your modem isn't discriminative.  Some cheap
modems "detect" dial tones just fine, but they also "detect" everything
else - rings, busys, even silence.  Other modems won't wait long enough,
and will move from W to ; very quickly. If you have a problem that
doesn't stem from either of these, let us know and we'll see what we can
do to help.

     We hope you find this program useful. Give it to anyone and
everyone who deserves to have it.  If you think it is very cool and
useful, try to contact us somehow.  If you think it is a piece of shit
and the directions totally misguided, try to contact us anyway.  Our
handles are Minor Threat and Mucho Maas.  Minor Threat can be reached on
CelerityNet, Midian, Solsbury hill, and sometimes he has a VMB or two.
(There is a separate program Minor wrote that hacks VMB's).  Mucho can
be reached on RipCo, Solsbury Hill, or on IRC.

     ToneLoc is written in C and assembly.  Assembled by Turbo
Assembler, and compiled by Borland C++ 2.0.  Window routines are from
CXL v5.2.

Minor Threat Sez:

     Thanks to Alexis Machine and Marko Ramius for teaching me most of what
I know about the phone system.  Thanks to our beta testers, Dead Cow, The
Raging Golem, The Monk, Gentry, Nat X, and anyone else who I forgot (tell
me if I did).  And thanks to whoever invented the telephone for doing
so.  Life wouldn't be as fun without it!

[uhm, ever heard of Alexander Graham Bell?.. he's kinda famous.. sheesh...]

Mucho Maas Sez:

     Thanks to Minor Threat for helping me work on ToneLoc.  It should be
noted that the lion's share of the programming was done by him, and that
his code is a hell of a lot cleaner than mine.  Still, somebody had to
get Minor off his ass.

For something entirely different many, many thanks to Whodo.
------------------------------------------------------------------------------
One last quote: from a newspaper editorial in the 1870's

'... carrying human voice over copper wires is impossible, and even if
 it was possible, the thing would have no practical use.'

 HA!