**** **** ***** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **** ** ** ***** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **** ** **** ** ***** ** S.O.B. - Software Orange Box 1.9.4 Caller ID Generator for Windows Originally Written by The Fixer - (C) 2009 Whirlwind Software This program may be distributed freely. DISCLAIMER S.O.B. is not intended to be used to harass, deceive, or defraud anyone. It is released as a proof-of-concept tool only. It may be fun, for example, to put George W. Bush's name and home phone number on your own Caller ID Display Terminal but it may be criminal to do the same thing to one belonging to someone else, especially without their permission. Furthermore, S.O.B. is NOT guaranteed to work with every Caller ID terminal on the market. IMPORTANT S.O.B. saves its configuration in your Windows Registry. If you need to uninstall S.O.B. in such a way that there is no evidence that this tool was there, you will need to run REGEDIT.EXE, and search for the key HKEY_LOCAL_MACHINE/Software/TheFixer/SOB. Overwrite all the data in that key and its subkeys, then rename them, and only then delete them. Then (and this is potentially dangerous) overwrite and delete the hidden file SYSTEM.DA0. There are a number of good commercial and freeware file shredders that can do this for you. USING S.O.B. S.O.B. is a small and very straightforward Windows application which should be extremely self-explanatory to anyone who has worked with Caller ID at the programming level. Certainly the Play button, near the bottom of the application, is self-explanatory - click Play and the sound of the Caller ID signal you have specified is played through your sound card. For the rest of us, however, some of the fields and controls require some explanation. NAME AND NUMBER CALLER ID The two main fields - Number and Name - are the two fields you are most likely to want to change before generating a Caller ID signal. These fields are, of course, the phone number and subscriber name that would be displayed on a Caller ID box if your Caller ID signal were to be played into it. Although the new interface is designed to resemble a physical Caller ID box, with a liquid crystal display representing the name and number to be spoofed, in fact you can edit the name, number, date and time right on the display. In fact, you may right-click on the name or number to select from a list of recently-played names and numbers. The phone number can be any length but it is strongly recommended that you ensure that the area code is included. Any hyphens are automatically removed. The name can be up to 15 characters and must be in upper case. The program will truncate the name to 15 characters if you supply one that is too long, and it will convert to upper case for you. Phone companies usually transmit the surname first followed by the initials or as many characters as they can get of the first name. CALL DATE AND TIME Below the number and name are the date and time fields. All flavours of Caller ID supported by this program include the date and time of the call. You can enter these values yourself in four-digit MMDD (month/date) and HHMM (hour/minute) formats, or you can let S.O.B. fill these in for you. To have S.O.B. use the current date and time, click the Timestamp button. The "Actual Time" light will turn on to indicate that S.O.B. will use the current time and date. CALLER ID FORMAT There are three Caller ID formats supported by S.O.B. These are standard MDMF Name-And-Number Caller ID, which is the most common type used in North America; the older SDMF Caller ID format which can only transmit the caller's phone number and the date and time of the call; and the Call Waiting Caller ID format which is similar to the MDMF format but contains additional signaling protocol to enable delivery of new-caller information during an existing call. The Format button switches between these three formats.The three Format lights beside the Name display indicate which format is being used. PRIVACY OPTIONS Toward the lower left of the program you will find the Privacy Button. When you click this you will notice that the Private and Out of Area lights beside the Number display change. When the Private light is on, S.O.B. will spoof the "Private Caller" message instead of the name and number you have specified. When the Out of Area light is on, S.O.B. will spoof the "Out of Area" message instead of the name and number you have specified. If both lights are off, then the name and number you have specified will be spoofed. Repeatedly clicking the Privacy button will cycle between these three modes. OPTIONS The Options Menu is accessed by clicking the button near the upper-right corner of the program that has the "wrench" icon. In the first versions, only two parameters could be changed with the Options menu item: the sound Amplitude (its overall volume) and the clipping level (which shouldn't be changed unless you are technically familiar with digital audio and have a good reason to change it...) By default the amplitude is 63, about half of the maximum level of 127. This should be loud enough for most applications. If the amplitude is set too high, clipping could occur on certain parts of the Call Waiting Caller ID handshaking, possibly causing enough distortion that the signal no longer works. As of version 1.9, several more options are available. You can now set markout bits (we found in testing that this produces more reliable results), and tweak the SAS and CAS frequencies and cadences, although it should be pointed out that the default settings are the only ones that comply with the specification that remote Caller ID boxes will be expecting. No support is available for these settings. RAW OUTPUT The contents of the data stream generated by S.O.B. can be viewed in the status bar near the very bottom of the application. This display is updated every time you play or save a Caller ID Stream. Note that the Channel Seizure and other handshaking signals are not shown there because they include non-data audio tones. SAVING TO A .WAV FILE You may find it useful, after you have built and examined a Caller ID data stream with this tool, to save the audio output to a .WAV file so that you can share it with others, put it on a portable device, etc. The Save button near the bottom-right of the application brings up a Save File dialog box allowing you to do this. USING THE COMMAND LINE VERSION In response to requests, we have finally implemented a command-line build of the program. In addition to having a considerably smaller memory foot- print, the command line version will allow you to use S.O.B. from a batch file or even as a CGI on your website! The Command line program will use any settings you have changed in the Options menu of the main program, except the "Force Uppercase Name" and "Allow Only Alphanumerics In Name" options. And of course, if you have registered S.O.B., the command line program can save your Caller ID streams to a WAV file just as the main program does. The command line program, SOBCon.exe, contains its own help. Just type SOBCon at the command line prompt for a summary of command line options. SOBCon 1.9.4 ¸ 2009 Whirlwind Software Options: /name Joe Blow /num=800-555-1212 /time=06132338 /mode=CWCID /file=output.wav /pri /ooa /? for detailed help For detailed help, type SOBCon /? at the command line prompt. SOBCon 1.9.4 ¸ 2009 Whirlwind Software Command Line Options /name followed by one or more words separated by spaces sets the displayed name in name-and-number MDMF Caller ID This should not exceed 15 characters total. e.g. /name George Bush /num= This sets the displayed number. e.g. /num=800-555-1212 /time= This sets the time of the Caller ID message The timestamp is always 8 characters in the format MMDDHHmm where MM is the month, DD is the date, HH is the hour and mm is the minute. e.g. /time=06132338 means June 13, 11:38pm If this option is not used, SOBCon will use the current time. /mode= This sets the Caller ID mode. Valid values are CWCID (for Call Waiting), SDMF (for early number-only Caller ID), and MDMF (for name-and-number Caller ID) e.g. /mode=CWCID /pri This sets "Private Call" mode instead of sending a name and number /ooa This sets "Out of Area" mode instead of sending a name and number /file= Using this option causes SOBCon to output a WAV file with the specified filename instead of playing the Caller ID signal through your sound card. If this is not used, you will hear the sound immediately. This feature is only available to registered users. A few examples: This example will produce a caller ID stream with "George W. Bush" for the name, "202-555-1234" for the number, September 12 at 5:51pm for the time stamp, using Call Waiting Caller ID: SOBCon /name George W. Bush /num=202-555-1234 /time=09121751 /mode=CWCID This example produces a caller ID stream that indicates that the call is marked "Private", as if the caller had dialed *67 before calling. This also uses Call Waiting Caller ID, although this time we didn't use the /mode option as Call Waiting Caller ID is the default mode. SOBCon /pri This example produces a caller ID stream with "250-953-9000" for the number, with no name, in the early SDMF (number only) format. In this example, and the one above, the /time switch was not used, so both will have your computer's current time and date included in the Caller ID stream. SOBCon /num=250-953-9000 /mode=SDMF This example produces a caller ID stream with "Barney Rubble" for the name, 606-555-2666 for the phone number, and the current time and date, in the default Call Waiting format. But instead of playing the stream through the sound card, it will instead write the stream to barney.wav for later playback. If the software is not registered, this feature is not enabled and the program will just play the sound through the sound card. SOBCon /name Barney Rubble /num=606-555-2666 /file=barney.wav USING S.O.B. IN THE REAL WORLD This program is an educational tool, it is not designed to remotely spoof Caller ID. Nevertheless, I have received many questions on how to do that. The only way to successfully spoof Caller ID with this program without being directly connected to the Caller ID terminal is through the emulation of Call Waiting Caller ID - or, the Orange Box. To do this you would set up the name, number, and call time you wish to have displayed in advance, select Call Waiting Caller ID, call the number, and then any time after the line is picked up, play the signal. To emulate regular Caller ID, you have to be physically present at the Caller ID Terminal, where you would have to connect a phone line emulator (expensive piece of test equipment) to generate the ringing voltage that the terminal uses to know when to expect a Caller ID signal to come in. Almost immediately after the ring voltage is applied, you would send the emulated Caller ID signal. In all cases it is strongly recommended that the sound card be directly connected to the line through a Part 68 interface, rather than by acoustic methods which will distort the signal enough to render it useless. For more information, seek out the text file on Orange Boxing by Lucky225 on the net. Also, the Orange Boxing FAQ maintained on artofhacking.com at http://artofhacking.com/obfaq.htm is a compilation of answers to nearly every question we have received about the technique. ------------------------------------------------------------------------ Visit www.artofhacking.com - Get some before it's too late!