..the eye of the storm..

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$                                     $
$         -------------------         $
$         ! tandem scanning !         $
$         -------------------         $
$                                     $
$    reprinted from tap issue # 50    $
$         written by dr. john         $
$                                     $
$       typed and uploaded by:        $
$                                     $
$$$$$$$$$$$$-=>lex luthor<=-$$$$$$$$$$$

tandem scanning is the most risky of all because it has to be done with a blue box. it is recommended that you use pay phones. tandems usually have some rather interesting codes. so let's talk about them for a while - there are routing codes, operator codes, exchange codes, area codes, translation codes, and service codes (special). each will be discussed in detail.

operator codes - usually the last few digits sent - follows the
-------- -----   routing codes. here are the standard operator codes:

101 - test board for the specific toll office. their purpose is to do trunk measurement and testing.
121 - inward operator - usually assists your local "0" operator in connecting to party. the 121 operator will not dial anything out of the toll area. as long as requests of assistance in dialing is in the local dialing area or her serving area, the operator will never question a call.
131 - directory assistance operator - this is similar to a 555-1212 type except it is what the operator dials.
141 - route and rate - this is what the operator dials to get:
      1. rate information
      2. routing information such as special overseas operator etc. the routing usually is to an overseas op. - usually to get them to connect you to a strange country not on the iotc list of direct dial countries.
      3. 800-141 is a special wats information service where the op. gets alternate routing info on wats.
160-xx0 - overseas ops. to various countries.
11xxx - special marine verify operators where there are non standard codes. this is good scanning material! - ie. from 11000 to 11999 can yield very interesting ops.
such as "leave word and call back" also "conference operators"

translation codes - used for inwats and overseas dialing - also in
----------- -----   verify. most all translation codes start with a "1".

inwats - some typical inwats codes are: 125, 135, 145, 163, 164, 165. the third digit is the "band" of the wats. 08x - is also used where x is the band number. for example you can reach any 800 number regardless of where you are disregarding what band it is by dialing 085-424-9337 - you are band 5 to 800-424-9337, 084-424-9337 - you are band 4 to 800-424-9337. you can also dial 145-9337 or 144-9337, etc. if you are in the 202 area code. the complete number is 202-145-9337.

overseas - 18x codes are overseas ops. access codes. to dial
--------   overseas, the standard op. code is: kp 011 + 0cc st where cc is the country code. you then get routed to an appropriate "sender" at one of the gateway cities and then you key in the country code + city code + number. the senders are:

182 = white plains, ny
183 = n.y. city
184 = pittsburgh, pa
185 = orlando, fl
186 = oakland, ca
187 = denver, co
188 = ny (not montreal)

to find out what "sender" you get, key in kp + 000-0000 + st to any of the above senders. for example, suppose you wanted to find out the sender that new zealand is routed through. the cc for new zealand is 064 so you would key in kp + 011 + 064 + st, wait for your beep - click - tone, then key in kp + 000-0000 + st. you would then hear "this is the international switching center in denver, colo. - this is a recording - 3031" you now know that 187 was used.

service routing - these codes go to route and rate computers, credit
------- -------   card check computers, etc.

in l.a. bell installed a computer to check credit cards. this computer not only checks the rao code with the actual credit card number (ccn) but it actually checks its actual validity. a considerable amount of scanning was done to retrieve the code.
it is kp-213-000-st or kp-000-st into any california tandem. you get a brief tone followed by a kachunk, then you key in a 3 digit office code which identifies the operator office that has asked for the check followed with the actual credit card number without the area code. for example, to check a credit card whose phone number is 264-2999 and the rao code is 293, you'd make up a 3 digit office code (any will do) and dial 375-264-2999-293-j and the computer would give one of the following four responses:

1. "negative, negative 264-2999-293 negative."
2. "ok ok (reorder)"
3. "re-key re-key" (you must key in the ccn again).
4. "re-dial re-dial" (you must redo the kp-000-st or kp-213-000-st)

a complete scan was done on the 3 digit office codes. this was done in 1972 when the computer went into service. no one has done it since then. it might be possible now to remotely program it - to make it say ok ok to your favorite phone number.

another special code is 317-009. this is affectionately known as the "golden goose" computer. it is very handy and i'm going to explain what has been found, again by scanning. kp-317-009-st gets you beep kerchunk. then kp-999+xxxxxxxxxxx-st where xx are from 2 to 11 digits. if you key in less than 2 digits it will say "short short" and if you key in more than 11 digits it will say "long long". however, if you stay within the range, it will repeat back each digit you sent to it. the purpose is to check the operation of your blue box! yes! i kid you not! it is an mf checker that works great!

for example, if you key in kp-317-009-st then kp-999-1234567890-st and it says "one, two, three, five, six, eight, nine, zero", you know that four and seven aren't getting through and guess what - yeah, you guessed it - the 700hz oscillator is either off-frequency or lower in amplitude than the rest.
the tolerance on the 317-009 is much tighter than the regular tandems so it is great to use to keep your mf equipment up to par, however, getting through to 317-009 is possible and getting it to respond might be hard if all your tones are off frequency so try to tune your "little blue toy organ" as close to frequency as possible before you tie up the line checking with the 317-009. it would be criminal to tie up this line checking your out-of-tune organ while other young boxers are eagerly awaiting to check their handiwork.

now let's suppose you are having trouble getting 202-456-1212 to work and you want to find the routing code. first you key in kp-317-009-st or kp-009-st if you're already in 317. then key in kp-202-456-st and it will say "route area plus one two one" which means that 202-121 will get you the proper operator. to get the proper operator for the number 707-777-9999 you key in kp-317-009-st then kp-707-777-st and you should hear "route area plus zero zero one" - "check nine" which means that 707-001 will get you the operator for the 777 exchange. the "check nine" tells you that 707-777-9999 is a pay phone. (after the three digit area code and the three digit exchange the first digit in the last four digits is usually a "9" indicating a pay phone although some of the newer pay phone exchanges are starting to use "8").

maybe now i should clarify the difference between scanning and hacking. scanning is usually *sequentially* trying numbers while hacking is *randomly* trying the *best bet* numbers.

while scanning or hacking up tandems, the thing to remember is never stay on longer than 3-5 minutes at a time!!! always use *working* numbers when scanning and *stay away* from all 800 numbers or 555-1212 numbers as they are *very* unsafe! do your scanning after 11pm your time and remember if the trunk or code supes it can only cost you a quarter at the most.
most of the time you will be getting tandem recordings and *dropping cards like crazy* which is why you should dial back in every 3 minutes or so. normally, you don't ring numbers more than 3-5 minutes if there's no answer. the "shmuck" in the 4a will probably try to track you down because of all your card droppings and you shouldn't want to stay there sitting like a "duck" beeping into the phone. you could be traced but that takes time, at least 2-3 minutes. it usually takes 30 seconds to determine which city you are coming from but quite a lot longer to get your exchange.

(this issue is a little old and i believe they can trace quite a bit faster than 2-3 minutes. your best bet is to get a scanner and find out the frequency that bell security uses and listen in on the local police channel, if they find out where you are, you will definitely hear some activity over the scanner.)

this ties up at least 3 people on your end and at 11pm or later, those "shmucks" got better things to do. since you are not ripping them off by using 800 numbers or 555-1212 numbers, they really couldn't bust you anyway, and if you fuck up and supe a phew - so what! your ama won't look funny so the security department won't catch on.

if someone does come on the line you will hear a high pitched tone around 2,000hz and a few "clicking" noises. remember, the guy in the 4a has to send an identifying tone to trace. this is a very *soft* 2,000 hz tone. if this happens **stop**!!!! hang up and do it again a few hours later or scan another tandem from another pay phone.

other uses include automatic rate information. for example, if you can scan around and determine the codes for any day rate, evening rate, weekend rate, and coin control, you can scan by keying kp-(rate codes)-(area code)-000-0000-(area code)-000-0000-st. the first area code and number are yours and the second area code and number are the number you're calling.
the computer will then say "rate-one, four, five - coast to coast current pay phone rate." this means $1.45 for the first 3 minutes.

here are some progressions to try: 000-009, 022-029, 032-039, 092-099. skip 011 because it is for the overseas sender and skip 010 and 012-019 because these are reserved for twx. (see tap issue #49 or the reprint phile on this bbs for more info on twx phreaking.) follow each code with 121. if it goes to an operator and she picks up, blow it off. don't worry about not blowing her off fast enough. if you do your scanning from a pay phone, there's not a damn thing that she can do about it.

keep a log of all numbers and codes tried with results:

       pass 1 (121)   pass 2 (111)   toll   verify
       ------------   ------------   ----   ------
022        opr            9143       yes     ----
027        opr            9148       no      ----
033        opr            9145       yes     ----
034        busy           2039       no      yes
056        busy           2167       yes     no
099        opr            9144       no      ----

step 1 - go through the 3 digit codes via the progression above using "121" after each code: kp-000-121-st, kp-001-121-st, etc. if an op. answers with the name of the city she is in, blow her off and mark "opr" next to the code. if you get a busy signal, mark "busy".

step 2 - go through *only* the *opr* ones and add 111 instead of 121 after the code. these will give different tandem recordings. for example, 022 will give 9143.

step 3 - find out which of the codes are for toll switching. to do this, add 182, 186, or 001-0cc and see if it switches overseas. mark "yes" under toll column.

step 4 - now go through all "0" and "1" codes with the suffix of a "busy" number. for example, let's suppose that 936-1212 is "busy" for you. start keying in kp-000-936-1212-st, kp-001-936-1212-st, etc. if you hear a click and then silence, or a conversation, you have *auto-verify*! and should mark a "yes" under the verify column. some of the codes in the "182" col. will go through into the busy. there will be ones marked "yes" under the "182" column.
after going through "0" codes, start on the "1" codes omitting 101, 121, 131, etc. then try the 18x codes and wats translation codes. if you don't know them, it's easy to find them, just dial 800-xxx-yyyy. you get the xxx from your 800 prefix scan sheet. suppose you're scanning 9141. you look for a 9141 on your scan sheet and presto! you have 800-431-yyyy. get a working number, preferably a computer or aru if you found one and dial it. blow it off and try:

kp-125-xxxx-st   where xxxx is the last 4 digits of the aru
kp-135-xxxx-st - tandem
kp-145-xxxx-st - tandem
kp-155-xxxx-st - tandem
kp-165-xxxx-st - ring - beep   found it!!

make sure you log down this 165 code, remembering that the "5" is the band #.

after scanning the var code, do some further testing. you are looking for a click and if you find it, you've found a verification code. now you can tap lines in that area. record the exchanges it works on. will it work for the whole area code or just a specific city? get to know its limitations. is it scrambled? does it drop off in 10 seconds?

next you should scan the 5 and 6 digit codes. this takes the longest. try these codes; 11000, 11999, 160-xxx, and 150-xxx where xxx is 000 thru 999. who knows? you might find all kindsa neat things!!!! if you find something strange, play with it! sweep it with a signal generator. ask yourself, does it take mf, touch tone, 2600? shake it apart! take every little piece and shake that! after you "tore it apart", then go looking for more. use your imagination, intuition, and common sense.

a further note on tandem scanning - you might want to try to make contact with a "friend" at the 4a office. the phone numbers to the 4a offices are ac+958+xxxx if there are more than one 4a offices in the area code in question. san diego is 714-958-042 while if all you dial is 714-958, you'll get san bernardino.

by the way, some central offices - #5xb, 1xb, and step - will allow you to dial "1" and "0" as a 4th digit.
for example:

914-027-1211 will get you peekskill, ny.
914-182-1111 will get you an overseas sender.
914-121-1111 will get you a n.y. inward opr.
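
seen from the switch side, the step 1 progression (kp-000-121-st, kp-001-121-st, ...) leaves a recognisable pattern in attempt records: one source, one fixed suffix, codes rising by one, minutes apart. the sketch below is an added example, not part of the original file; the record layout, the line names and the thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# constructed sample attempt records: (time, originating line, digits keyed
# between kp and st). the record layout and line names are assumptions.
SAMPLE = [
    ("1980-01-01T23:05:10", "coin-17", "000121"),
    ("1980-01-01T23:05:40", "coin-17", "001121"),
    ("1980-01-01T23:06:05", "coin-17", "002121"),
    ("1980-01-01T23:06:30", "coin-17", "003121"),
    ("1980-01-01T23:07:00", "coin-17", "004121"),
    ("1980-01-01T23:07:20", "opr-03", "212121"),
    ("1980-01-01T23:09:00", "opr-03", "914121"),
    ("1980-01-01T23:15:00", "opr-03", "305131"),
]


def find_sweeps(records, min_run=4, max_gap=timedelta(minutes=5)):
    """Return (source, suffix, first_code, last_code, attempts) for each run
    of consecutive 3-digit codes one source sent with the same suffix."""
    by_key = defaultdict(list)
    for stamp, source, digits in records:
        if len(digits) < 6 or not digits.isdigit():
            continue  # not a 3-digit code followed by a suffix
        when = datetime.fromisoformat(stamp)
        by_key[(source, digits[3:])].append((when, int(digits[:3])))

    sweeps = []

    def flush(run, source, suffix):
        # report only runs long enough to look like a deliberate progression
        if len(run) >= min_run:
            first, last = run[0][1], run[-1][1]
            sweeps.append((source, suffix, f"{first:03d}", f"{last:03d}", len(run)))

    for (source, suffix), attempts in sorted(by_key.items()):
        attempts.sort()  # chronological order
        run = [attempts[0]]
        for prev, cur in zip(attempts, attempts[1:]):
            if cur[1] == prev[1] + 1 and cur[0] - prev[0] <= max_gap:
                run.append(cur)  # next code in sequence, close in time
            else:
                flush(run, source, suffix)
                run = [cur]
        flush(run, source, suffix)
    return sweeps


if __name__ == "__main__":
    for sweep in find_sweeps(SAMPLE):
        print(sweep)
```

the random "best bet" attempts the text calls hacking do not form runs, so a monitor would pair this rule with a plain count of short attempts per source.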