30 BOCOTS could be Red Boxed (utilize inband ACTS tones to signal coin insertion) It s probably still possible in certain regions of the US but most RBOCs have outsourced to private companies.
31 COCOT Payphones can not be Red Boxed without Operator Intervention (as far as *I* know) because they don t use ACTS
32 With Smart Payphones all of the call regulation, coin counting and management, etc, is done inside the payphone. Telco payphones do all the magic at the Central Office.
33 Telling the difference? Most (All?) BOCOT Payphones use the General Electric style housing
34 Coin Return is on the Left and the armored cable connects to the front of the housing.
35 COCOTS often use the GTE style housing with the coin return slot on the right and the armored cable connects on the side. This is definitely not always the case, though.
36 This Payphone. Elcotel Series 5 Line-Powered Payphone Internal Battery, trickle charges from voltage on the telephone line Smart Phone, Programming/Rates are handled internal to the Payphone
37 Elcotel used to be prolific with the private coin phone market Now they re all but gone from most places
38 Now that I have one
39 Problem? No keys. No battery. No documentation. Phone was from different area code.
40 How to do? Get the phone open Replace the battery Reprogram for free calls.
41 Opening the phone
48 Preserving the tomb. No destructive entry, wanted to keep the phone as intact as possible.
50 Three types of Keys Upper Housing Lower housing (coin vault) T wrench for torque. You need all three.
51 Upper Housing Lock 3 pins, no security Pins. Easy enough to pick in a short period of time. Anti-impressioning divots. Note: These locks tend to only rotate a quarter of a turn or less. Check, you may have already picked it.
52 Coin Vault Lock? Not so much. 4 Pins, several spool pins. Medeco Locks, though not biaxial At that time, I was unable to pick it.
53 Hacker Con Took the phone to Bay Threat in Mountain View 30 people tried, failed.
54 Except one guy. Dude picked this lock in 10 seconds, by accident. Fuuuuuuuuuuu.
55 Opening the housing Didn t have a T wrench, time to hack harder.
56 Opening the housing Vyrus001 and I were able to hack something together. Badge clip, wrench, faith.
57 Opening the housing
59 Dead battery.
61 u mad bro?
62 Now that it is alive How do I use it?
63 How to do? Different area code means local (to me) calls were $$$$$$$ Unacceptable.
64 GOALS: The goals: Zero out the rates tables to make free calls Find vulnerabilities in payphone software... Profit?
65 First Hack: Payphone -> ATA -> Asterisk -> 911 Payphones are legally required to make 911 a free call. Dial plan magic allowed me to get a usable dial tone if I first dialed 911. Neat hack, but sloppy.
66 Documentation? Nearly non-existent. Archive.org was helpful, to an extent. I learned how to reset phone to default, but that s pretty much it.
70 Incomplete. Was only able to find part 2 of a 3 part series of manuals. Basically, this was the rosetta stone.
71 Part 2 was useful, but I still didn t have the software to reprogram it.
72 3 Ways to Program: 1. Software based reprogramming 2. Local telemetry 3. Remote Telemetry
73 Software Ideal solution, but requires the software and a license from a dead company.
74 Local Telemetry Open the Phone (which WILL set off alarms and call the phone owner if you try this in the field) Default the Phone Listen to voice prompts and dial to set values.
75 Remote Telemetry Can allegedly reprogram remotely? (More on this later)
76 Software based programming Eventually I was able to acquire a demo through alternative means. Time to try and crack the software.
77 Cracking 10 year old software is actually pretty hard. 16-bit Windows NE Binary Even IDA Pro was all WTF Mate?
78 I had a lot of help. And by help, I mean that someone did it for me. Eventually able to hook the installer, jump the serial number check, uncompress the installer archives. Thanks to Vyrus001, int0x80, Frank^2
80 Phone has onboard modem called a PCM (Payphone Control Module) Need to be able to dial it though. Ironically, I don t have a landline.
81 Voice over IP Unlocked Linksys Analog Telephone Adapter (ATA) USB Modem
82 Voip Settings Dial up modem over VoIP is a pain in the ass. Ulaw or Alaw, accept no substitions. Disable Noise Cancellation + Echo suppression Really slow, ~ 9600 baud
83 A HUGE Thanks! to the Telephreak guys (Hi Beave!) and the Oldskoolphreak.com guys for helping me get this sorted out.
84 Default the phone Press and hold the button inside the phone. Flash the hook. Listen to onboard prompts
85 Local Telemetry Press the button, flash the hook, enter the code, follow the voice prompts. Super easy, but requires you to physically open the phone. If the phone is not yours, this is dubious.
86 Now we can connect.
87 Once you are able to connect, the rest is pretty easy. But this talk is also about hacks, not using software.
89 Elcotel Engineers? Not total idiots. Anti-fraud Mechanisms: Secondary Dialtone Detection Red box detection Chassis Alarms Brute Force Protection
90 Need to build a harness to fuzz the phone. Intercept modem audio? Easy enough with SIP, but then what?
91 FSK Demodulation is crazy hard.
92 Blackbox RE of Protocol If I could intercept and analyze how the software does it, I can do it myself. How do I hook a USB Modem?
93 Advanced Serial Port Monitor Pro Able to treat USB Modem as virtual serial port Spy Mode allows you to pass through and watch Displays output in either Hex or ASCII
94 Password? Default password for software reprogramming is Default password for local and remote telemetry is
95 Performing actions using the PNM Plus Elcotel application enabled me to see what actions look like in Hexadecimal From there I was able to make *some* sense of how the handshake worked Phone ID is usually the last 4 digits of the phone number. Passwords are almost never changed from defaults.
97 Demo Oh dear $deity please work.
98 Auth Protocol Breakdown
99 Success vs. Fail When authentication fails, the Phone sends a hexadecimal NAK (Negative Acknowledgement) 0x15 When authentication is successful, Phone sends hexadecimal ACK (Acknowledge) 0x06
100 Problem. After 3 invalid attempts, the phone drops the call. However, the PNM software is responsible for interpreting the disconnect message. If we use our own code we can ignore that and keep trying until we get the right PIN.
102 Pseudo Code: PIN = 0000 send $PIN while ($auth_response!= 0x06) $PIN++ send $PIN if $auth_response = 0x06, print GREAT SUCCESS!
103 Python has a good serial interaction library, but I don t code because I m an idiot.
104 So Gene Erik jumped in. Man I love having smart friends. https://github.com/savantdc949/ Code will be online some time after Defcon hangover clears.
105 User ID? Check. Pin? Check.... Proft?
106 Enter: Remote Telemetry Call payphone from any landline phone Wait 30 seconds for Modem to stop screaming at you Have 10 seconds to enter telemetry password Listen to voice prompts
107 Reprogramming using DTMF (Remote Telemetry) Registers = Strings Options = On or Off Reg = Antifraud. Set to 0 to disable. Reg , 412, and 414 = Disable alarms
108 More registers 404 = Phone number 402 = Phone ID# 403 = PNM Plus Password 400 = Telemetry Password 116 = Disable battery (DoS) 338 = Number for service desk
109 Service Desk Sudo/Operator status for Payphones Apply credit Issue refunds Dump the coin escrow ($$$$) If you divert this number to yourself, you can do cool stuff. Force phone to dial number for free
110 We can set the coin escrow to $5. As people use the phone, up to $5 in coins collect in the escrow hopper. Service desk can cause hopper to empty into coin return slot.
112 Now what? How can we use this information in a novel way?
113 ProjectMF Blue Box simulation of Inband signalling over TDM trunks.
114 Red Boxing Use sox and Asterisk EAGI to record and analyze inbound audio. Filter out all frequencies that are not 1700 Hz and 2200 Hz tones together If not null, incremend $coin_value If $coin_value >= $.25, make call
115 Now what? How can we use this information in a malicious ways?
116 Unlocked Linksys PAP2 ATA + PwnPlug + Alfa Wireless USB wireless = PayPwn! Asterisk system() command lets us pass OS calls from DTMF Macro the most popular pentesting tools Cepstral/Festival TTS to receive responses
117 Nmap by Phone Demo!
118 PwnPlug has built in support for slimmed down Asterisk. Use Alfa to hook into a wireless network DTMF to initiate scans, cracking, etc etc
120 There *are* easier ways to do this, but what the hell? This is fun.
121 Be honest with me. If you saw a Payphone, would you expect it to be a covert adventurer/badass?
122 Call Interception Using the Asterisk ChanSpy() application we can monitor *all* voice traffic that goes through PBX. Roll payphone into a Casino. Wait for people to use the phone. Listen. Magic.
123 Demo. Volunteer?
124 In summary Using this information we can utilize Remote Telemetry to own any Elcotel Payphone Like any archaeological dig, we can learn a lot about the way developers used to think We can then apply this logic to other legacy systems still in the field (SCADA, etc) PayPwn = Only limited by your imagination
125 If I have my way, they will live forever.
126 More information (Hack Canada Elcotel Archive) (some Elcotel docs) https://github.com/innismir/asterisk-scripts (nmap by phone) https://github.com/savantdc949/ Payphone.com (thieving bastards)
128 Thanks! Defcon Tiffany and Gene Erik (for the payphone and code) docwho76 for the title image Hack Canada for the docs DC949 Innismir, BlackRatchet, DaBeave, Strom Carlson, Binrev.com hackers, oldskoolphreak.com You!
User Guide i table of contents iii Getting Started...2 Using the ooma System with a Landline... 2 Landline Provisioning... 2 Basic Calling...4 Verify ooma Service is Working... 4 Placing Calls... 4 Answering
Single-User VoIP Service User Manual Version 20080501 Revised 20110202 Table of Contents Table of Contents... 2 Your VoIP Service... 2 Who Should Read this Manual... 2 Basic Features... 2 Optional Features...
A Division of Cisco Systems, Inc. Phone Adapter with 2 Ports for Voice-over-IP User Guide VoIP Model No. PAP2-NA Copyright and Trademarks Specifications are subject to change without notice. Linksys is
Single-User VoIP Service User Manual Version 20090901 Table of Contents Table of Contents...1 Your VoIP Service...2 Who Should Read this Manual...2 Basic Features...2 Optional Features...2 Terminology...2
1 A Complete Guide To: VOIP Phone Solutions, Broadband & Must Know Business Technology About This Guide. This guide aims to give you the key facts about our hosted VOIP solution as well as impartial, factual
VoIP User Guide - Setting up your VoIP system from Gradwell dot com VoIP User Guide Author: Communication Arts, for Gradwell Effective from: August 2006 Document version: Edition 2 Gradwell dot com ltd,
IP Telephony Contact Centers Mobility Services Avaya IP Deskphones 9620/9620L, 9630, 9640, 9650/ 9650C connected to Integral Enterprise Bedienungsanleitung Operating User Manual instructions Version 1.1-022010
Programming from the Ground Up Jonathan Bartlett Edited by Dominick Bruno, Jr. Programming from the Ground Up by Jonathan Bartlett Edited by Dominick Bruno, Jr. Copyright 2003 by Jonathan Bartlett Permission
Modbus for Field Technicians Revision 1.0 Any reproduction or re-transmission in whole or in part of this work is expressly prohibited without the prior consent of Chipkin Automation Systems Inc. Copyright
AN INTRODUCTION TO Data Science Jeffrey Stanton, Syracuse University INTRODUCTION TO DATA SCIENCE 2012, Jeffrey Stanton This book is distributed under the Creative Commons Attribution- NonCommercial-ShareAlike
Firebird Conference Prague 2005 The Power of Firebird Events Milan Babuškov http://fbexport.sf.net About the author Education: 2001 - B.Sc. In Business Information System Engineering 2003 - M.Sc. In Internet
Grandstream Networks, Inc. Analog IP Gateway GXW42XX series 16, 24, 32 or 48 FXS Ports GXW42XX User Manual Firmware Version 184.108.40.206 www.grandstream.com firstname.lastname@example.org This page is intentionally
What would you most ideally like to see developed in the next 10 years? Sometime in the next 10 years, I would love to see some kind of development that allows me to listen to any material that is available
CAN Primer: Creating Your Own Network ARM Keil MDK toolkit featuring Simulator, Serial Wire Viewer and ETM Trace For the NXP LPC1700 Cortex -M3 V 2.02 Robert Boys email@example.com Using the Keil Simulator
Table of Contents Introduction... 3 What is VoIP... 3 What is Asterisk... 4 Benefits and Costs... 6 Design... 9 Setting Requirements... 9 Core Selection/Distribution Selection... 9 VoIP, PSTN, Internet...
Grandstream Networks, Inc. HT502 Dual FXS Port Analog Telephone Adaptor HT502 User Manual Firmware Version 220.127.116.11 www.grandstream.com firstname.lastname@example.org TABLE OF CONTENTS HT502 User Manual WELCOME...
480i SIP IP PHONE Release 1.4 41-000098-00-08 User Guide Aastra Telecom will not accept liability for any damages and/or long distance charges, which result from unauthorized and/or unlawful use. While
A beginners guide in how to make a Laptop/PC more secure. This guide will go through the common ways that a user can make their computer more secure. Here are the key points covered: 1) Device Password
VoIP Services User Guide Table of Contents Overview of Services 3 Service Numbers 4 Line Services and Codes 5 Voice Mail 12 Overview of Services This guide is about Tera-Byte's VoIP services for residential
VOIP THEFT OF SERVICE: PROTECTING YOUR NETWORK ====== Table of Contents Introduction to VoIP Theft of Service... 2 Meet Our Expert Phone Power... 2 The Anatomy of International Revenue Sharing Fraud...
VAG-COM Diagnostic Software for VW/Audi/SEAT/Skoda User s Manual Version 311.2 See our Website for an Interactive Online version of this manual: http://www.ross-tech.com/vag-com/tour/ Copyright (c) 2000-2003
GH3000 Quick Start Guide Document version 2.06 L t d. T e l t o n i k a S a l t o n i š k i ų s t. 1 0 c LT- 0 8 1 0 5, V i l n i u s, L i t h u a n i a Contents 1. Preface... 5 1.1 Introduction... 5 1.2
BEC 6300VNL GigaConnect 4G/LTE VoIP Wireless Broadband Router User Manual Version release: v1.07 Last revised: November, 2014 TABLE OF CONTENTS CHAPTER 1: INTRODUCTION... 1 INTRODUCTION TO YOUR ROUTER...
TomTom ONE XL 1. What s in the box What s in the box a Your TomTom ONE XL A B C D E F G H A Charging LED B Touchscreen C On/Off button D Speaker E External antenna connector F USB connector G RDS-TMC connector
Voipswitch Manual for version 340 and higher by Gabriel Georgescu 1 OVERVIEW 3 SOFTSWITCH 4 REQUIREMENTS. 10 PROGRAM INSTALLATION. 10 LAUNCHING THE MAIN APPLICATION VOIPSWITCH 12 GATEWAYS 18 GK/REGISTRAR
X-Lite 4 for Windows User Guide CounterPath Corporation CounterPath Corporation Suite 300, One Bentall Centre 505 Burrard Street, Box 95 Vancouver, BC V7X 1M3 Tel: 604.320.3344 email@example.com www.counterpath.com